--- /dev/null
+From 67ec5f8336fcc7baa1d19422c3a44496af602122 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 16:00:14 +0800
+Subject: af_unix: read UNIX_DIAG_VFS data under unix_state_lock
+
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+
+[ Upstream commit 39897df386376912d561d4946499379effa1e7ef ]
+
+Exact UNIX diag lookups hold a reference to the socket, but not to
+u->path. Meanwhile, unix_release_sock() clears u->path under
+unix_state_lock() and drops the path reference after unlocking.
+
+Read the inode and device numbers for UNIX_DIAG_VFS while holding
+unix_state_lock(), then emit the netlink attribute after dropping the
+lock.
+
+This keeps the VFS data stable while the reply is being built.
+
+Fixes: 5f7b0569460b ("unix_diag: Unix inode info NLA")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260407080015.1744197-1-n05ec@lzu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/diag.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/net/unix/diag.c b/net/unix/diag.c
+index 486276a1782ed..699fba7b7591d 100644
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -25,18 +25,23 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb)
+
+ static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb)
+ {
+- struct dentry *dentry = unix_sk(sk)->path.dentry;
++ struct unix_diag_vfs uv;
++ struct dentry *dentry;
++ bool have_vfs = false;
+
++ unix_state_lock(sk);
++ dentry = unix_sk(sk)->path.dentry;
+ if (dentry) {
+- struct unix_diag_vfs uv = {
+- .udiag_vfs_ino = d_backing_inode(dentry)->i_ino,
+- .udiag_vfs_dev = dentry->d_sb->s_dev,
+- };
+-
+- return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);
++ uv.udiag_vfs_ino = d_backing_inode(dentry)->i_ino;
++ uv.udiag_vfs_dev = dentry->d_sb->s_dev;
++ have_vfs = true;
+ }
++ unix_state_unlock(sk);
+
+- return 0;
++ if (!have_vfs)
++ return 0;
++
++ return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);
+ }
+
+ static int sk_diag_dump_peer(struct sock *sk, struct sk_buff *nlskb)
+--
+2.53.0
+
--- /dev/null
+From 1435ca34ba65840dfec09bb78183c73a237479fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 13:40:07 +0100
+Subject: ALSA: asihpi: avoid write overflow check warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 591721223be9e28f83489a59289579493b8e3d83 ]
+
+clang-22 rightfully warns that the memcpy() in adapter_prepare() copies
+between different structures, crossing the boundary of nested
+structures inside it:
+
+In file included from sound/pci/asihpi/hpimsgx.c:13:
+In file included from include/linux/string.h:386:
+include/linux/fortify-string.h:569:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
+ 569 | __write_overflow_field(p_size_field, size);
+
+The two structures seem to refer to the same layout, despite the
+separate definitions, so the code is in fact correct.
+
+Avoid the warning by copying the two inner structures separately.
+I see the same pattern happens in other functions in the same file,
+so there is a chance that this may come back in the future, but
+this instance is the only one that I saw in practice, hitting it
+multiple times per day in randconfig build.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://patch.msgid.link/20260318124016.3488566-1-arnd@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/asihpi/hpimsgx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c
+index 761fc62f68f16..85a354cf082ff 100644
+--- a/sound/pci/asihpi/hpimsgx.c
++++ b/sound/pci/asihpi/hpimsgx.c
+@@ -586,8 +586,10 @@ static u16 adapter_prepare(u16 adapter)
+ HPI_ADAPTER_OPEN);
+ hm.adapter_index = adapter;
+ hw_entry_point(&hm, &hr);
+- memcpy(&rESP_HPI_ADAPTER_OPEN[adapter], &hr,
+- sizeof(rESP_HPI_ADAPTER_OPEN[0]));
++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].h, &hr,
++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].h));
++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].a, &hr.u.ax.info,
++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].a));
+ if (hr.error)
+ return hr.error;
+
+--
+2.53.0
+
--- /dev/null
+From 3debc275bba22b668d99e624107ebd827ccec156 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Mar 2026 10:36:03 -0500
+Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: César Montoya <sprit152009@gmail.com>
+
+[ Upstream commit 2f388b4e8fdd6b0f27cafd281658daacfd85807e ]
+
+The HP Pavilion 15-eg0xxx with subsystem ID 0x103c87cb uses a Realtek
+ALC287 codec with a mute LED wired to GPIO pin 4 (mask 0x10). The
+existing ALC287_FIXUP_HP_GPIO_LED fixup already handles this correctly,
+but the subsystem ID was missing from the quirk table.
+
+GPIO pin confirmed via manual hda-verb testing:
+ hda-verb SET_GPIO_MASK 0x10
+ hda-verb SET_GPIO_DIRECTION 0x10
+ hda-verb SET_GPIO_DATA 0x10
+
+Signed-off-by: César Montoya <sprit152009@gmail.com>
+Link: https://patch.msgid.link/20260321153603.12771-1-sprit152009@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 7ea036f820f54..d673e8934b775 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9291,6 +9291,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x87cb, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+--
+2.53.0
+
--- /dev/null
+From 7c42efeee061c4952707a5c0763384c6c04b202f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jan 2026 00:28:28 +0100
+Subject: arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency
+
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+
+[ Upstream commit 1f99b5d93d99ca17d50b386a674d0ce1f20932d8 ]
+
+According to i.MX 8M Quad Reference Manual, GPU_AHB_CLK_ROOT's maximum
+frequency is 400MHz.
+
+Fixes: 45d2c84eb3a2 ("arm64: dts: imx8mq: add GPU node")
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+index 8d0d41973ff54..995cbe6cf0a26 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+@@ -1137,7 +1137,7 @@ gpu: gpu@38000000 {
+ <&clk IMX8MQ_GPU_PLL_OUT>,
+ <&clk IMX8MQ_GPU_PLL>;
+ assigned-clock-rates = <800000000>, <800000000>,
+- <800000000>, <800000000>, <0>;
++ <800000000>, <400000000>, <0>;
+ power-domains = <&pgc_gpu>;
+ };
+
+--
+2.53.0
+
--- /dev/null
+From daf16002d334c9e44ec40bf0059b3bbca2748fa3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 02:43:54 +0000
+Subject: ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit b9eff9732cb0f86a68c9d1592a98ceab47c01e95 ]
+
+Component has "card_aux_list" which is added/deled in bind/unbind aux dev
+function (A), and used in for_each_card_auxs() loop (B).
+
+ static void soc_unbind_aux_dev(...)
+ {
+ ...
+ for_each_card_auxs_safe(...) {
+ ...
+(A) list_del(&component->card_aux_list);
+ } ^^^^^^^^^^^^^
+ }
+
+ static int soc_bind_aux_dev(...)
+ {
+ ...
+ for_each_card_pre_auxs(...) {
+ ...
+(A) list_add(&component->card_aux_list, ...);
+ } ^^^^^^^^^^^^^
+ ...
+ }
+
+ #define for_each_card_auxs(card, component) \
+(B) list_for_each_entry(component, ..., card_aux_list)
+ ^^^^^^^^^^^^^
+
+But it has been used without calling INIT_LIST_HEAD().
+
+ > git grep card_aux_list sound/soc
+ sound/soc/soc-core.c: list_del(&component->card_aux_list);
+ sound/soc/soc-core.c: list_add(&component->card_aux_list, ...);
+
+call missing INIT_LIST_HEAD() for it.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://patch.msgid.link/87341mxa8l.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index e7310642be6a5..de81858dee34a 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -2628,6 +2628,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component,
+ INIT_LIST_HEAD(&component->dobj_list);
+ INIT_LIST_HEAD(&component->card_list);
+ INIT_LIST_HEAD(&component->list);
++ INIT_LIST_HEAD(&component->card_aux_list);
+ mutex_init(&component->io_mutex);
+
+ component->name = fmt_single_name(dev, &component->id);
+--
+2.53.0
+
--- /dev/null
+From f990e2f722bf2bd15d323544c6c87b57ebec20f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 21:45:26 -0300
+Subject: ASoC: SOF: topology: reject invalid vendor array size in token parser
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+[ Upstream commit 215e5fe75881a7e2425df04aeeed47a903d5cd5d ]
+
+sof_parse_token_sets() accepts array->size values that can be invalid
+for a vendor tuple array header. In particular, a zero size does not
+advance the parser state and can lead to non-progress parsing on
+malformed topology data.
+
+Validate array->size against the minimum header size and reject values
+smaller than sizeof(*array) before parsing. This preserves behavior for
+valid topologies and hardens malformed-input handling.
+
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
+index e3aa9fa0f112f..b1682879253f6 100644
+--- a/sound/soc/sof/topology.c
++++ b/sound/soc/sof/topology.c
+@@ -941,7 +941,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
+ asize = le32_to_cpu(array->size);
+
+ /* validate asize */
+- if (asize < 0) { /* FIXME: A zero-size array makes no sense */
++ if (asize < sizeof(*array)) {
+ dev_err(scomp->dev, "error: invalid array size 0x%x\n",
+ asize);
+ return -EINVAL;
+--
+2.53.0
+
--- /dev/null
+From b7648468915f2c0e426c401c81d980fb877cb963 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2026 10:40:56 +0200
+Subject: ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
+
+From: Tomasz Merta <tomasz.merta@arrow.com>
+
+[ Upstream commit 0669631dbccd41cf3ca7aa70213fcd8bb41c4b38 ]
+
+The STM32 SAI driver do not set the clock strobing bit (CKSTR) for DSP_A,
+DSP_B and LEFT_J formats, causing data to be sampled on the wrong BCLK
+edge when SND_SOC_DAIFMT_NB_NF is used.
+
+Per ALSA convention, NB_NF requires sampling on the rising BCLK edge.
+The STM32MP25 SAI reference manual states that CKSTR=1 is required for
+signals received by the SAI to be sampled on the SCK rising edge.
+Without setting CKSTR=1, the SAI samples on the falling edge, violating
+the NB_NF convention. For comparison, the NXP FSL SAI driver correctly
+sets FSL_SAI_CR2_BCP for DSP_A, DSP_B and LEFT_J, consistent with its
+I2S handling.
+
+This patch adds SAI_XCR1_CKSTR for DSP_A, DSP_B and LEFT_J in
+stm32_sai_set_dai_fmt which was verified empirically with a cs47l35 codec.
+RIGHT_J (LSB) is not investigated and addressed by this patch.
+
+Note: the STM32 I2S driver (stm32_i2s_set_dai_fmt) may have the same issue
+for DSP_A mode, as I2S_CGFR_CKPOL is not set. This has not been verified
+and is left for a separate investigation.
+
+Signed-off-by: Tomasz Merta <tommerta@gmail.com>
+Link: https://patch.msgid.link/20260408084056.20588-1-tommerta@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/stm/stm32_sai_sub.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c
+index 1810c43d0833f..962e5606c2c9a 100644
+--- a/sound/soc/stm/stm32_sai_sub.c
++++ b/sound/soc/stm/stm32_sai_sub.c
+@@ -671,6 +671,7 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt)
+ break;
+ /* Left justified */
+ case SND_SOC_DAIFMT_MSB:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF;
+ break;
+ /* Right justified */
+@@ -678,9 +679,11 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt)
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF;
+ break;
+ case SND_SOC_DAIFMT_DSP_A:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSOFF;
+ break;
+ case SND_SOC_DAIFMT_DSP_B:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL;
+ break;
+ default:
+--
+2.53.0
+
--- /dev/null
+From b00650d031f1b814c4ce18cd1028190cd5cae554 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 15:23:35 -0700
+Subject: ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585
+
+From: Arthur Husband <artmoty@gmail.com>
+
+[ Upstream commit 105c42566a550e2d05fc14f763216a8765ee5d0e ]
+
+The JMicron JMB585 (and JMB582) SATA controllers advertise 64-bit DMA
+support via the S64A bit in the AHCI CAP register, but their 64-bit DMA
+implementation is defective. Under sustained I/O, DMA transfers targeting
+addresses above 4GB silently corrupt data -- writes land at incorrect
+memory addresses with no errors logged.
+
+The failure pattern is similar to the ASMedia ASM1061
+(commit 20730e9b2778 ("ahci: add 43-bit DMA address quirk for ASMedia
+ASM1061 controllers")), which also falsely advertised full 64-bit DMA
+support. However, the JMB585 requires a stricter 32-bit DMA mask rather
+than 43-bit, as corruption occurs with any address above 4GB.
+
+On the Minisforum N5 Pro specifically, the combination of the JMB585's
+broken 64-bit DMA with the AMD Family 1Ah (Strix Point) IOMMU causes
+silent data corruption that is only detectable via checksumming
+filesystems (BTRFS/ZFS scrub). The corruption occurs when 32-bit IOVA
+space is exhausted and the kernel transparently switches to 64-bit DMA
+addresses.
+
+Add device-specific PCI ID entries for the JMB582 (0x0582) and JMB585
+(0x0585) before the generic JMicron class match, using a new board type
+that combines AHCI_HFLAG_IGN_IRQ_IF_ERR (preserving existing behavior)
+with AHCI_HFLAG_32BIT_ONLY to force 32-bit DMA masks.
+
+Signed-off-by: Arthur Husband <artmoty@gmail.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/ahci.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index 2bb9555663e75..b3661495906f2 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -61,6 +61,7 @@ enum board_ids {
+ /* board IDs for specific chipsets in alphabetical order */
+ board_ahci_al,
+ board_ahci_avn,
++ board_ahci_jmb585,
+ board_ahci_mcp65,
+ board_ahci_mcp77,
+ board_ahci_mcp89,
+@@ -200,6 +201,15 @@ static const struct ata_port_info ahci_port_info[] = {
+ .udma_mask = ATA_UDMA6,
+ .port_ops = &ahci_avn_ops,
+ },
++ /* JMicron JMB582/585: 64-bit DMA is broken, force 32-bit */
++ [board_ahci_jmb585] = {
++ AHCI_HFLAGS (AHCI_HFLAG_IGN_IRQ_IF_ERR |
++ AHCI_HFLAG_32BIT_ONLY),
++ .flags = AHCI_FLAG_COMMON,
++ .pio_mask = ATA_PIO4,
++ .udma_mask = ATA_UDMA6,
++ .port_ops = &ahci_ops,
++ },
+ [board_ahci_mcp65] = {
+ AHCI_HFLAGS (AHCI_HFLAG_NO_FPDMA_AA | AHCI_HFLAG_NO_PMP |
+ AHCI_HFLAG_YES_NCQ),
+@@ -436,6 +446,10 @@ static const struct pci_device_id ahci_pci_tbl[] = {
+ /* Elkhart Lake IDs 0x4b60 & 0x4b62 https://sata-io.org/product/8803 not tested yet */
+ { PCI_VDEVICE(INTEL, 0x4b63), board_ahci_low_power }, /* Elkhart Lake AHCI */
+
++ /* JMicron JMB582/585: force 32-bit DMA (broken 64-bit implementation) */
++ { PCI_VDEVICE(JMICRON, 0x0582), board_ahci_jmb585 },
++ { PCI_VDEVICE(JMICRON, 0x0585), board_ahci_jmb585 },
++
+ /* JMicron 360/1/3/5/6, match class to avoid IDE function */
+ { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
+ PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci_ign_iferr },
+--
+2.53.0
+
--- /dev/null
+From 945505901eff36c4c5c50ff3f7be6ea457d16105 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 14:11:39 -0400
+Subject: btrfs: tracepoints: get correct superblock from dentry in event
+ btrfs_sync_file()
+
+From: Goldwyn Rodrigues <rgoldwyn@suse.de>
+
+[ Upstream commit a85b46db143fda5869e7d8df8f258ccef5fa1719 ]
+
+If overlay is used on top of btrfs, dentry->d_sb translates to overlay's
+super block and fsid assignment will lead to a crash.
+
+Use file_inode(file)->i_sb to always get btrfs_sb.
+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/btrfs.h | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h
+index d8aa1d3570243..7e6fcbc6c6c55 100644
+--- a/include/trace/events/btrfs.h
++++ b/include/trace/events/btrfs.h
+@@ -697,12 +697,15 @@ TRACE_EVENT(btrfs_sync_file,
+ ),
+
+ TP_fast_assign(
+- const struct dentry *dentry = file->f_path.dentry;
+- const struct inode *inode = d_inode(dentry);
++ struct dentry *dentry = file_dentry(file);
++ struct inode *inode = file_inode(file);
++ struct dentry *parent = dget_parent(dentry);
++ struct inode *parent_inode = d_inode(parent);
+
+- TP_fast_assign_fsid(btrfs_sb(file->f_path.dentry->d_sb));
++ dput(parent);
++ TP_fast_assign_fsid(btrfs_sb(inode->i_sb));
+ __entry->ino = btrfs_ino(BTRFS_I(inode));
+- __entry->parent = btrfs_ino(BTRFS_I(d_inode(dentry->d_parent)));
++ __entry->parent = btrfs_ino(BTRFS_I(parent_inode));
+ __entry->datasync = datasync;
+ __entry->root_objectid =
+ BTRFS_I(inode)->root->root_key.objectid;
+--
+2.53.0
+
--- /dev/null
+From 6b68638680c16b62472e725c6dd73e68f103d910 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 00:00:22 +0800
+Subject: can: mcp251x: add error handling for power enable in open and resume
+
+From: Wenyuan Li <2063309626@qq.com>
+
+[ Upstream commit 7a57354756c7df223abe2c33774235ad70cb4231 ]
+
+Add missing error handling for mcp251x_power_enable() calls in both
+mcp251x_open() and mcp251x_can_resume() functions.
+
+In mcp251x_open(), if power enable fails, jump to error path to close
+candev without attempting to disable power again.
+
+In mcp251x_can_resume(), properly check return values of power enable calls
+for both power and transceiver regulators. If any fails, return the error
+code to the PM framework and log the failure.
+
+This ensures the driver properly handles power control failures and
+maintains correct device state.
+
+Signed-off-by: Wenyuan Li <2063309626@qq.com>
+Link: https://patch.msgid.link/tencent_F3EFC5D7738AC548857B91657715E2D3AA06@qq.com
+[mkl: fix patch description]
+[mkl: mcp251x_can_resume(): replace goto by return]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/spi/mcp251x.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
+index b06b15debafac..e4d5f60f13f47 100644
+--- a/drivers/net/can/spi/mcp251x.c
++++ b/drivers/net/can/spi/mcp251x.c
+@@ -1218,7 +1218,11 @@ static int mcp251x_open(struct net_device *net)
+ }
+
+ mutex_lock(&priv->mcp_lock);
+- mcp251x_power_enable(priv->transceiver, 1);
++ ret = mcp251x_power_enable(priv->transceiver, 1);
++ if (ret) {
++ dev_err(&spi->dev, "failed to enable transceiver power: %pe\n", ERR_PTR(ret));
++ goto out_close_candev;
++ }
+
+ priv->force_quit = 0;
+ priv->tx_skb = NULL;
+@@ -1267,6 +1271,7 @@ static int mcp251x_open(struct net_device *net)
+ mcp251x_hw_sleep(spi);
+ out_close:
+ mcp251x_power_enable(priv->transceiver, 0);
++out_close_candev:
+ close_candev(net);
+ mutex_unlock(&priv->mcp_lock);
+ if (release_irq)
+@@ -1505,11 +1510,25 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev)
+ {
+ struct spi_device *spi = to_spi_device(dev);
+ struct mcp251x_priv *priv = spi_get_drvdata(spi);
++ int ret = 0;
+
+- if (priv->after_suspend & AFTER_SUSPEND_POWER)
+- mcp251x_power_enable(priv->power, 1);
+- if (priv->after_suspend & AFTER_SUSPEND_UP)
+- mcp251x_power_enable(priv->transceiver, 1);
++ if (priv->after_suspend & AFTER_SUSPEND_POWER) {
++ ret = mcp251x_power_enable(priv->power, 1);
++ if (ret) {
++ dev_err(dev, "failed to restore power: %pe\n", ERR_PTR(ret));
++ return ret;
++ }
++ }
++
++ if (priv->after_suspend & AFTER_SUSPEND_UP) {
++ ret = mcp251x_power_enable(priv->transceiver, 1);
++ if (ret) {
++ dev_err(dev, "failed to restore transceiver power: %pe\n", ERR_PTR(ret));
++ if (priv->after_suspend & AFTER_SUSPEND_POWER)
++ mcp251x_power_enable(priv->power, 0);
++ return ret;
++ }
++ }
+
+ if (priv->after_suspend & (AFTER_SUSPEND_POWER | AFTER_SUSPEND_UP))
+ queue_work(priv->wq, &priv->restart_work);
+--
+2.53.0
+
--- /dev/null
+From 885290a37a84fd51c1466b08b32f9524a46e8087 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Apr 2026 13:32:21 +0800
+Subject: crypto: algif_aead - Fix minimum RX size check for decryption
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ]
+
+The check for the minimum receive buffer size did not take the
+tag size into account during decryption. Fix this by adding the
+required extra length.
+
+Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
+Reported-by: Daniel Pouzzner <douzzer@mega.nu>
+Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/algif_aead.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
+index 42493b4d8ce46..cb3959e2c435e 100644
+--- a/crypto/algif_aead.c
++++ b/crypto/algif_aead.c
+@@ -170,7 +170,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
+ if (usedpages < outlen) {
+ size_t less = outlen - usedpages;
+
+- if (used < less) {
++ if (used < less + (ctx->enc ? 0 : as)) {
+ err = -EINVAL;
+ goto free;
+ }
+--
+2.53.0
+
--- /dev/null
+From 48fcf5b58a76a6b3d0cd10b61832964f4d4655ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:45 -0300
+Subject: drm/vc4: Fix a memory leak in hang state error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit 9525d169e5fd481538cf8c663cc5839e54f2e481 ]
+
+When vc4_save_hang_state() encounters an early return condition, it
+returns without freeing the previously allocated `kernel_state`,
+leaking memory.
+
+Add the missing kfree() calls by consolidating the early return paths
+into a single place.
+
+Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-3-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index 788f64154119b..e4f20b93c33e7 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -166,10 +166,8 @@ vc4_save_hang_state(struct drm_device *dev)
+ spin_lock_irqsave(&vc4->job_lock, irqflags);
+ exec[0] = vc4_first_bin_job(vc4);
+ exec[1] = vc4_first_render_job(vc4);
+- if (!exec[0] && !exec[1]) {
+- spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+- return;
+- }
++ if (!exec[0] && !exec[1])
++ goto err_free_state;
+
+ /* Get the bos from both binner and renderer into hang state. */
+ state->bo_count = 0;
+@@ -186,10 +184,8 @@ vc4_save_hang_state(struct drm_device *dev)
+ kernel_state->bo = kcalloc(state->bo_count,
+ sizeof(*kernel_state->bo), GFP_ATOMIC);
+
+- if (!kernel_state->bo) {
+- spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+- return;
+- }
++ if (!kernel_state->bo)
++ goto err_free_state;
+
+ k = 0;
+ for (i = 0; i < 2; i++) {
+@@ -281,6 +277,12 @@ vc4_save_hang_state(struct drm_device *dev)
+ vc4->hang_state = kernel_state;
+ spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+ }
++
++ return;
++
++err_free_state:
++ spin_unlock_irqrestore(&vc4->job_lock, irqflags);
++ kfree(kernel_state);
+ }
+
+ static void
+--
+2.53.0
+
--- /dev/null
+From 799e41324ae0f0220c4fba8c148fd6eab40af0f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:44 -0300
+Subject: drm/vc4: Fix memory leak of BO array in hang state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit f4dfd6847b3e5d24e336bca6057485116d17aea4 ]
+
+The hang state's BO array is allocated separately with kzalloc() in
+vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the
+missing kfree() for the BO array before freeing the hang state struct.
+
+Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-2-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index b641252939d87..788f64154119b 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -60,6 +60,7 @@ vc4_free_hang_state(struct drm_device *dev, struct vc4_hang_state *state)
+ for (i = 0; i < state->user_state.bo_count; i++)
+ drm_gem_object_put(state->bo[i]);
+
++ kfree(state->bo);
+ kfree(state);
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 502fd10cadd3549fa261c67533e154d7ff1b0296 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:46 -0300
+Subject: drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit 338c56050d8e892604da97f67bfa8cc4015a955f ]
+
+The mmap callback reads bo->madv without holding madv_lock, racing with
+concurrent DRM_IOCTL_VC4_GEM_MADVISE calls that modify the field under
+the same lock. Add the missing locking to prevent the data race.
+
+Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-4-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_bo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c
+index 9006b9861c90c..437084f7973c6 100644
+--- a/drivers/gpu/drm/vc4/vc4_bo.c
++++ b/drivers/gpu/drm/vc4/vc4_bo.c
+@@ -719,12 +719,15 @@ int vc4_mmap(struct file *filp, struct vm_area_struct *vma)
+ return -EINVAL;
+ }
+
++ mutex_lock(&bo->madv_lock);
+ if (bo->madv != VC4_MADV_WILLNEED) {
+ DRM_DEBUG("mmaping of %s BO not allowed\n",
+ bo->madv == VC4_MADV_DONTNEED ?
+ "purgeable" : "purged");
++ mutex_unlock(&bo->madv_lock);
+ return -EINVAL;
+ }
++ mutex_unlock(&bo->madv_lock);
+
+ /*
+ * Clear the VM_PFNMAP flag that was set by drm_gem_mmap(), and set the
+--
+2.53.0
+
--- /dev/null
+From 33cce7d686405918857da70ccb3fbe6fba9c1fab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 15:05:05 +0300
+Subject: e1000: check return value of e1000_read_eeprom
+
+From: Agalakov Daniil <ade@amicon.ru>
+
+[ Upstream commit d3baa34a470771399c1495bc04b1e26ac15d598e ]
+
+[Why]
+e1000_set_eeprom() performs a read-modify-write operation when the write
+range is not word-aligned. This requires reading the first and last words
+of the range from the EEPROM to preserve the unmodified bytes.
+
+However, the code does not check the return value of e1000_read_eeprom().
+If the read fails, the operation continues using uninitialized data from
+eeprom_buff. This results in corrupted data being written back to the
+EEPROM for the boundary words.
+
+Add the missing error checks and abort the operation if reading fails.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Co-developed-by: Iskhakov Daniil <dish@amicon.ru>
+Signed-off-by: Iskhakov Daniil <dish@amicon.ru>
+Signed-off-by: Agalakov Daniil <ade@amicon.ru>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+index f976e9daa3d88..3a06834e57221 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+@@ -496,14 +496,19 @@ static int e1000_set_eeprom(struct net_device *netdev,
+ */
+ ret_val = e1000_read_eeprom(hw, first_word, 1,
+ &eeprom_buff[0]);
++ if (ret_val)
++ goto out;
++
+ ptr++;
+ }
+- if (((eeprom->offset + eeprom->len) & 1) && (ret_val == 0)) {
++ if ((eeprom->offset + eeprom->len) & 1) {
+ /* need read/modify/write of last changed EEPROM word
+ * only the first byte of the word is being modified
+ */
+ ret_val = e1000_read_eeprom(hw, last_word, 1,
+ &eeprom_buff[last_word - first_word]);
++ if (ret_val)
++ goto out;
+ }
+
+ /* Device's eeprom is always little-endian, word addressable */
+@@ -522,6 +527,7 @@ static int e1000_set_eeprom(struct net_device *netdev,
+ if ((ret_val == 0) && (first_word <= EEPROM_CHECKSUM_REG))
+ e1000_update_eeprom_checksum(hw);
+
++out:
+ kfree(eeprom_buff);
+ return ret_val;
+ }
+--
+2.53.0
+
--- /dev/null
+From f1139567a514365dced79b1595665c4fd41d3812 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 13:36:59 -0500
+Subject: HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3
+
+From: leo vriska <leo@60228.dev>
+
+[ Upstream commit 532743944324a873bbaf8620fcabcd0e69e30c36 ]
+
+According to a mailing list report [1], this controller's predecessor
+has the same issue. However, it uses the xpad driver instead of HID, so
+this quirk wouldn't apply.
+
+[1]: https://lore.kernel.org/linux-input/unufo3$det$1@ciao.gmane.io/
+
+Signed-off-by: leo vriska <leo@60228.dev>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 4b07b8be5c43e..549675b200b9b 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -22,6 +22,9 @@
+ #define USB_DEVICE_ID_3M2256 0x0502
+ #define USB_DEVICE_ID_3M3266 0x0506
+
++#define USB_VENDOR_ID_8BITDO 0x2dc8
++#define USB_DEVICE_ID_8BITDO_PRO_3 0x6009
++
+ #define USB_VENDOR_ID_A4TECH 0x09da
+ #define USB_DEVICE_ID_A4TECH_WCP32PU 0x0006
+ #define USB_DEVICE_ID_A4TECH_X5_005D 0x000a
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index 85d81b07b6d47..84a9c9e761bcd 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -25,6 +25,7 @@
+ */
+
+ static const struct hid_device_id hid_quirks[] = {
++ { HID_USB_DEVICE(USB_VENDOR_ID_8BITDO, USB_DEVICE_ID_8BITDO_PRO_3), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD },
+ { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL },
+--
+2.53.0
+
--- /dev/null
+From c234cbd17331f74a0ffb15213f54e2fd6cf5b5d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 16:11:07 +0000
+Subject: HID: roccat: fix use-after-free in roccat_report_event
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benoît Sevens <bsevens@google.com>
+
+[ Upstream commit d802d848308b35220f21a8025352f0c0aba15c12 ]
+
+roccat_report_event() iterates over the device->readers list without
+holding the readers_lock. This allows a concurrent roccat_release() to
+remove and free a reader while it's still being accessed, leading to a
+use-after-free.
+
+Protect the readers list traversal with the readers_lock mutex.
+
+Signed-off-by: Benoît Sevens <bsevens@google.com>
+Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-roccat.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c
+index 6da80e442fdd1..420e4335c3e83 100644
+--- a/drivers/hid/hid-roccat.c
++++ b/drivers/hid/hid-roccat.c
+@@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data)
+ if (!new_value)
+ return -ENOMEM;
+
++ mutex_lock(&device->readers_lock);
+ mutex_lock(&device->cbuf_lock);
+
+ report = &device->cbuf[device->cbuf_end];
+@@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data)
+ }
+
+ mutex_unlock(&device->cbuf_lock);
++ mutex_unlock(&device->readers_lock);
+
+ wake_up_interruptible(&device->wait);
+ return 0;
+--
+2.53.0
+
--- /dev/null
+From b8570614ed8baeb0e550bfb78bc68086181c652e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 20:49:49 +0300
+Subject: l2tp: Drop large packets with UDP encap
+
+From: Alice Mikityanska <alice@isovalent.com>
+
+[ Upstream commit ebe560ea5f54134279356703e73b7f867c89db13 ]
+
+syzbot reported a WARN on my patch series [1]. The actual issue is an
+overflow of 16-bit UDP length field, and it exists in the upstream code.
+My series added a debug WARN with an overflow check that exposed the
+issue, that's why syzbot tripped on my patches, rather than on upstream
+code.
+
+syzbot's repro:
+
+r0 = socket$pppl2tp(0x18, 0x1, 0x1)
+r1 = socket$inet6_udp(0xa, 0x2, 0x0)
+connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c)
+connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
+writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1)
+
+It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP
+encapsulation, and l2tp_xmit_core doesn't check for overflows when it
+assigns the UDP length field. The value gets trimmed to 16 bites.
+
+Add an overflow check that drops oversized packets and avoids sending
+packets with trimmed UDP length to the wire.
+
+syzbot's stack trace (with my patch applied):
+
+len >= 65536u
+WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957
+WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957
+WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957
+Modules linked in:
+CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
+RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline]
+RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline]
+RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327
+Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f
+RSP: 0018:ffffc90003d67878 EFLAGS: 00010293
+RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000
+RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff
+RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
+R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900
+R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000
+FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ sock_write_iter+0x503/0x550 net/socket.c:1195
+ do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1
+ vfs_writev+0x33c/0x990 fs/read_write.c:1059
+ do_writev+0x154/0x2e0 fs/read_write.c:1105
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f636479c629
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
+RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629
+RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003
+RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0
+ </TASK>
+
+[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/
+
+Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
+Reported-by: syzbot+ci3edea60a44225dec@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/69a1dfba.050a0220.3a55be.0026.GAE@google.com/
+Signed-off-by: Alice Mikityanska <alice@isovalent.com>
+Link: https://patch.msgid.link/20260403174949.843941-1-alice.kernel@fastmail.im
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index 83615f5968dd5..b03de90e3d418 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1083,6 +1083,11 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns
+ uh->source = inet->inet_sport;
+ uh->dest = inet->inet_dport;
+ udp_len = uhlen + session->hdr_len + data_len;
++ if (udp_len > U16_MAX) {
++ kfree_skb(skb);
++ ret = NET_XMIT_DROP;
++ goto out_unlock;
++ }
+ uh->len = htons(udp_len);
+
+ /* Calculate UDP checksum if configured to do so */
+--
+2.53.0
+
--- /dev/null
+From 353d17604763b2d17d7c5763272247cae0349827 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 18:57:23 +0000
+Subject: MIPS: mm: Suppress TLB uniquification on EHINV hardware
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+[ Upstream commit 74283cfe216392c7b776ebf6045b5b15ed9dffcd ]
+
+Hardware that supports the EHINV feature, mandatory for R6 ISA and FTLB
+implementation, lets software mark TLB entries invalid, which eliminates
+the need to ensure no duplicate matching entries are ever created. This
+feature is already used by local_flush_tlb_all(), via the UNIQUE_ENTRYHI
+macro, making the preceding call to r4k_tlb_uniquify() superfluous.
+
+The next change will also modify uniquification code such that it'll
+become incompatible with the FTLB and MMID features, as well as MIPSr6
+CPUs that do not implement 4KiB pages.
+
+Therefore prevent r4k_tlb_uniquify() from being used on EHINV hardware,
+as denoted by `cpu_has_tlbinv'.
+
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/mm/tlb-r4k.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/mm/tlb-r4k.c b/arch/mips/mm/tlb-r4k.c
+index d9a5ede8869bd..8a49adfef8b86 100644
+--- a/arch/mips/mm/tlb-r4k.c
++++ b/arch/mips/mm/tlb-r4k.c
+@@ -616,7 +616,8 @@ static void r4k_tlb_configure(void)
+ temp_tlb_entry = current_cpu_data.tlbsize - 1;
+
+ /* From this point on the ARC firmware is dead. */
+- r4k_tlb_uniquify();
++ if (!cpu_has_tlbinv)
++ r4k_tlb_uniquify();
+ local_flush_tlb_all();
+
+ /* Did I tell you that ARC SUCKS? */
+--
+2.53.0
+
--- /dev/null
+From 6cd7cc6d02ed6dc39814ab39f5dbd4cd1a12e6d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Mar 2021 12:07:47 -0700
+Subject: net: lapbether: Close the LAPB device before its underlying Ethernet
+ device closes
+
+From: Xie He <xie.he.0141@gmail.com>
+
+[ Upstream commit 536e1004d273cf55d0e6c6ab6bfe74dc60464cd2 ]
+
+When a virtual LAPB device's underlying Ethernet device closes, the LAPB
+device is also closed.
+
+However, currently the LAPB device is closed after the Ethernet device
+closes. It would be better to close it before the Ethernet device closes.
+This would allow the LAPB device to transmit a last frame to notify the
+other side that it is disconnecting.
+
+Signed-off-by: Xie He <xie.he.0141@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: b120e4432f9f ("net: lapbether: handle NETDEV_PRE_TYPE_CHANGE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lapbether.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index 24c53cc0c112f..1276071f93c04 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -415,8 +415,8 @@ static int lapbeth_device_event(struct notifier_block *this,
+ if (lapbeth_get_x25_dev(dev) == NULL)
+ lapbeth_new_device(dev);
+ break;
+- case NETDEV_DOWN:
+- /* ethernet device closed -> close LAPB interface */
++ case NETDEV_GOING_DOWN:
++ /* ethernet device closes -> close LAPB interface */
+ lapbeth = lapbeth_get_x25_dev(dev);
+ if (lapbeth)
+ dev_close(lapbeth->axdev);
+--
+2.53.0
+
--- /dev/null
+From c30043982dc0c7f0bd663b07745d99e3ee584ae2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 10:35:19 +0000
+Subject: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b120e4432f9f56c7103133d6a11245e617695adb ]
+
+lapbeth_data_transmit() expects the underlying device type
+to be ARPHRD_ETHER.
+
+Returning NOTIFY_BAD from lapbeth_device_event() makes sure
+bonding driver can not break this expectation.
+
+Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
+Reported-by: syzbot+d8c285748fa7292580a9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/69cd22a1.050a0220.70c3a.0002.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Martin Schiller <ms@dev.tdt.de>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260402103519.1201565-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lapbether.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index 4f89693313175..dd300179dcc56 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -400,33 +400,36 @@ static void lapbeth_free_device(struct lapbethdev *lapbeth)
+ static int lapbeth_device_event(struct notifier_block *this,
+ unsigned long event, void *ptr)
+ {
+- struct lapbethdev *lapbeth;
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
++ struct lapbethdev *lapbeth;
+
+ if (dev_net(dev) != &init_net)
+ return NOTIFY_DONE;
+
+- if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev))
++ lapbeth = lapbeth_get_x25_dev(dev);
++ if (!dev_is_ethdev(dev) && !lapbeth)
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
+ /* New ethernet device -> new LAPB interface */
+- if (!lapbeth_get_x25_dev(dev))
++ if (!lapbeth)
+ lapbeth_new_device(dev);
+ break;
+ case NETDEV_GOING_DOWN:
+ /* ethernet device closes -> close LAPB interface */
+- lapbeth = lapbeth_get_x25_dev(dev);
+ if (lapbeth)
+ dev_close(lapbeth->axdev);
+ break;
+ case NETDEV_UNREGISTER:
+ /* ethernet device disappears -> remove LAPB interface */
+- lapbeth = lapbeth_get_x25_dev(dev);
+ if (lapbeth)
+ lapbeth_free_device(lapbeth);
+ break;
++ case NETDEV_PRE_TYPE_CHANGE:
++ /* Our underlying device type must not change. */
++ if (lapbeth)
++ return NOTIFY_BAD;
+ }
+
+ return NOTIFY_DONE;
+--
+2.53.0
+
--- /dev/null
+From 62f0aa622b861dfc343f8df0a26198ae4371dce9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 17:39:50 +0800
+Subject: net: lapbether: remove trailing whitespaces
+
+From: Peng Li <lipeng321@huawei.com>
+
+[ Upstream commit 2e350780ae4f2be8a2525929b6c69c2dd9591a20 ]
+
+This patch removes trailing whitespaces.
+
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: b120e4432f9f ("net: lapbether: handle NETDEV_PRE_TYPE_CHANGE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lapbether.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index 1276071f93c04..f77cd8b69afe1 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -6,7 +6,7 @@
+ *
+ * This is a "pseudo" network driver to allow LAPB over Ethernet.
+ *
+- * This driver can use any ethernet destination address, and can be
++ * This driver can use any ethernet destination address, and can be
+ * limited to accept frames from one dedicated ethernet card only.
+ *
+ * History
+@@ -67,7 +67,7 @@ static struct lapbethdev *lapbeth_get_x25_dev(struct net_device *dev)
+ struct lapbethdev *lapbeth;
+
+ list_for_each_entry_rcu(lapbeth, &lapbeth_devices, node, lockdep_rtnl_is_held()) {
+- if (lapbeth->ethdev == dev)
++ if (lapbeth->ethdev == dev)
+ return lapbeth;
+ }
+ return NULL;
+@@ -418,7 +418,7 @@ static int lapbeth_device_event(struct notifier_block *this,
+ case NETDEV_GOING_DOWN:
+ /* ethernet device closes -> close LAPB interface */
+ lapbeth = lapbeth_get_x25_dev(dev);
+- if (lapbeth)
++ if (lapbeth)
+ dev_close(lapbeth->axdev);
+ break;
+ case NETDEV_UNREGISTER:
+--
+2.53.0
+
--- /dev/null
+From bdfe8d403f877d38c263b5fddeb422de1ee33835 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 17:39:53 +0800
+Subject: net: lapbether: replace comparison to NULL with "lapbeth_get_x25_dev"
+
+From: Peng Li <lipeng321@huawei.com>
+
+[ Upstream commit d49859601d72baef143703c6944a4e41921f7e6e ]
+
+According to the chackpatch.pl, comparison to NULL could
+be written "lapbeth_get_x25_dev".
+
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: b120e4432f9f ("net: lapbether: handle NETDEV_PRE_TYPE_CHANGE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lapbether.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index f77cd8b69afe1..4f89693313175 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -412,7 +412,7 @@ static int lapbeth_device_event(struct notifier_block *this,
+ switch (event) {
+ case NETDEV_UP:
+ /* New ethernet device -> new LAPB interface */
+- if (lapbeth_get_x25_dev(dev) == NULL)
++ if (!lapbeth_get_x25_dev(dev))
+ lapbeth_new_device(dev);
+ break;
+ case NETDEV_GOING_DOWN:
+--
+2.53.0
+
--- /dev/null
+From 7d9cd02537c8c7f57334c57f55bb70e615f6d9b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 22:46:20 +0800
+Subject: net: sched: act_csum: validate nested VLAN headers
+
+From: Ruide Cao <caoruide123@gmail.com>
+
+[ Upstream commit c842743d073bdd683606cb414eb0ca84465dd834 ]
+
+tcf_csum_act() walks nested VLAN headers directly from skb->data when an
+skb still carries in-payload VLAN tags. The current code reads
+vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without
+first ensuring that the full VLAN header is present in the linear area.
+
+If only part of an inner VLAN header is linearized, accessing
+h_vlan_encapsulated_proto reads past the linear area, and the following
+skb_pull(VLAN_HLEN) may violate skb invariants.
+
+Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and
+pulling each nested VLAN header. If the header still is not fully
+available, drop the packet through the existing error path.
+
+Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Ruide Cao <caoruide123@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_csum.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c
+index 4fa4fcb842ba7..107dc690de051 100644
+--- a/net/sched/act_csum.c
++++ b/net/sched/act_csum.c
+@@ -602,8 +602,12 @@ static int tcf_csum_act(struct sk_buff *skb, const struct tc_action *a,
+ protocol = skb->protocol;
+ orig_vlan_tag_present = true;
+ } else {
+- struct vlan_hdr *vlan = (struct vlan_hdr *)skb->data;
++ struct vlan_hdr *vlan;
+
++ if (!pskb_may_pull(skb, VLAN_HLEN))
++ goto drop;
++
++ vlan = (struct vlan_hdr *)skb->data;
+ protocol = vlan->h_vlan_encapsulated_proto;
+ skb_pull(skb, VLAN_HLEN);
+ skb_reset_network_header(skb);
+--
+2.53.0
+
--- /dev/null
+From 5b241fdc4cc6aeef14aa448f525e37a8e43d081c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2026 17:39:47 +0800
+Subject: netfilter: ip6t_eui64: reject invalid MAC header for all packets
+
+From: Zhengchuan Liang <zcliangcn@gmail.com>
+
+[ Upstream commit fdce0b3590f724540795b874b4c8850c90e6b0a8 ]
+
+`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
+and compares it with the low 64 bits of the IPv6 source address.
+
+The existing guard only rejects an invalid MAC header when
+`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
+can still reach `eth_hdr(skb)` even when the MAC header is not valid.
+
+Fix this by removing the `par->fragoff != 0` condition so that packets
+with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/ip6t_eui64.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
+index d704f7ed300c2..da69a27e8332c 100644
+--- a/net/ipv6/netfilter/ip6t_eui64.c
++++ b/net/ipv6/netfilter/ip6t_eui64.c
+@@ -22,8 +22,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
+ unsigned char eui64[8];
+
+ if (!(skb_mac_header(skb) >= skb->head &&
+- skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
+- par->fragoff != 0) {
++ skb_mac_header(skb) + ETH_HLEN <= skb->data)) {
+ par->hotdrop = true;
+ return false;
+ }
+--
+2.53.0
+
--- /dev/null
+From 01f0bf1c00c989edeccf4af13684a2e361ae8563 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 14:20:57 -0700
+Subject: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE
+ terminator
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit 1f3083aec8836213da441270cdb1ab612dd82cf4 ]
+
+When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send()
+appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via
+nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put()
+helper only zeroes alignment padding after the payload, not the payload
+itself, so four bytes of stale kernel heap data are leaked to userspace
+in the NLMSG_DONE message body.
+
+Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes
+the nfgenmsg payload via nfnl_fill_hdr(), consistent with how
+__build_packet_message() already constructs NFULNL_MSG_PACKET headers.
+
+Fixes: 29c5d4afba51 ("[NETFILTER]: nfnetlink_log: fix sending of multipart messages")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_log.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
+index d41560d4812d0..8c967bd772ec3 100644
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -346,10 +346,10 @@ static void
+ __nfulnl_send(struct nfulnl_instance *inst)
+ {
+ if (inst->qlen > 1) {
+- struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0,
+- NLMSG_DONE,
+- sizeof(struct nfgenmsg),
+- 0);
++ struct nlmsghdr *nlh = nfnl_msg_put(inst->skb, 0, 0,
++ NLMSG_DONE, 0,
++ AF_UNSPEC, NFNETLINK_V0,
++ htons(inst->group_num));
+ if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n",
+ inst->skb->len, skb_tailroom(inst->skb))) {
+ kfree_skb(inst->skb);
+--
+2.53.0
+
--- /dev/null
+From 1739b7a27f5c2e1455db94544666ea669623be3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Mar 2026 14:10:55 +0100
+Subject: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
+ expiry
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit d3c0037ffe1273fa1961e779ff6906234d6cf53c ]
+
+New test case fails unexpectedly when avx2 matching functions are used.
+
+The test first loads a ranomly generated pipapo set
+with 'ipv4 . port' key, i.e. nft -f foo.
+
+This works. Then, it reloads the set after a flush:
+(echo flush set t s; cat foo) | nft -f -
+
+This is expected to work, because its the same set after all and it was
+already loaded once.
+
+But with avx2, this fails: nft reports a clashing element.
+
+The reported clash is of following form:
+
+ We successfully re-inserted
+ a . b
+ c . d
+
+Then we try to insert a . d
+
+avx2 finds the already existing a . d, which (due to 'flush set') is marked
+as invalid in the new generation. It skips the element and moves to next.
+
+Due to incorrect masking, the skip-step finds the next matching
+element *only considering the first field*,
+
+i.e. we return the already reinserted "a . b", even though the
+last field is different and the entry should not have been matched.
+
+No such error is reported for the generic c implementation (no avx2) or when
+the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.
+
+Bisection points to
+7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection")
+but that fix merely uncovers this bug.
+
+Before this commit, the wrong element is returned, but erronously
+reported as a full, identical duplicate.
+
+The root-cause is too early return in the avx2 match functions.
+When we process the last field, we should continue to process data
+until the entire input size has been consumed to make sure no stale
+bits remain in the map.
+
+Link: https://lore.kernel.org/netfilter-devel/20260321152506.037f68c0@elisabeth/
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_pipapo_avx2.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
+index 7da371587f9a8..3f01952a3e10b 100644
+--- a/net/netfilter/nft_set_pipapo_avx2.c
++++ b/net/netfilter/nft_set_pipapo_avx2.c
+@@ -242,7 +242,7 @@ static int nft_pipapo_avx2_lookup_4b_2(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -318,7 +318,7 @@ static int nft_pipapo_avx2_lookup_4b_4(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -412,7 +412,7 @@ static int nft_pipapo_avx2_lookup_4b_8(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -502,7 +502,7 @@ static int nft_pipapo_avx2_lookup_4b_12(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -637,7 +637,7 @@ static int nft_pipapo_avx2_lookup_4b_32(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -694,7 +694,7 @@ static int nft_pipapo_avx2_lookup_8b_1(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -758,7 +758,7 @@ static int nft_pipapo_avx2_lookup_8b_2(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -832,7 +832,7 @@ static int nft_pipapo_avx2_lookup_8b_4(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -917,7 +917,7 @@ static int nft_pipapo_avx2_lookup_8b_6(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -1010,7 +1010,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+--
+2.53.0
+
--- /dev/null
+From 1c19f0b48ac7c297c1afe70197c074d497819687 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 23:52:52 +0800
+Subject: netfilter: xt_multiport: validate range encoding in checkentry
+
+From: Ren Wei <n05ec@lzu.edu.cn>
+
+[ Upstream commit ff64c5bfef12461df8450e0f50bb693b5269c720 ]
+
+ports_match_v1() treats any non-zero pflags entry as the start of a
+port range and unconditionally consumes the next ports[] element as
+the range end.
+
+The checkentry path currently validates protocol, flags and count, but
+it does not validate the range encoding itself. As a result, malformed
+rules can mark the last slot as a range start or place two range starts
+back to back, leaving ports_match_v1() to step past the last valid
+ports[] element while interpreting the rule.
+
+Reject malformed multiport v1 rules in checkentry by validating that
+each range start has a following element and that the following element
+is not itself marked as another range start.
+
+Fixes: a89ecb6a2ef7 ("[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Yuhang Zheng <z1652074432@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_multiport.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
+index 44a00f5acde8a..a1691ff405d3c 100644
+--- a/net/netfilter/xt_multiport.c
++++ b/net/netfilter/xt_multiport.c
+@@ -105,6 +105,28 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
+ return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1]));
+ }
+
++static bool
++multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo)
++{
++ unsigned int i;
++
++ for (i = 0; i < multiinfo->count; i++) {
++ if (!multiinfo->pflags[i])
++ continue;
++
++ if (++i >= multiinfo->count)
++ return false;
++
++ if (multiinfo->pflags[i])
++ return false;
++
++ if (multiinfo->ports[i - 1] > multiinfo->ports[i])
++ return false;
++ }
++
++ return true;
++}
++
+ static inline bool
+ check(u_int16_t proto,
+ u_int8_t ip_invflags,
+@@ -127,8 +149,10 @@ static int multiport_mt_check(const struct xt_mtchk_param *par)
+ const struct ipt_ip *ip = par->entryinfo;
+ const struct xt_multiport_v1 *multiinfo = par->matchinfo;
+
+- return check(ip->proto, ip->invflags, multiinfo->flags,
+- multiinfo->count) ? 0 : -EINVAL;
++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count))
++ return -EINVAL;
++
++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL;
+ }
+
+ static int multiport_mt6_check(const struct xt_mtchk_param *par)
+@@ -136,8 +160,10 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par)
+ const struct ip6t_ip6 *ip = par->entryinfo;
+ const struct xt_multiport_v1 *multiinfo = par->matchinfo;
+
+- return check(ip->proto, ip->invflags, multiinfo->flags,
+- multiinfo->count) ? 0 : -EINVAL;
++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count))
++ return -EINVAL;
++
++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL;
+ }
+
+ static struct xt_match multiport_mt_reg[] __read_mostly = {
+--
+2.53.0
+
--- /dev/null
+From 4c7fa4d18222c7d76833e8d068e7ae35a11119c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 14:07:42 -0700
+Subject: PCI: hv: Set default NUMA node to 0 for devices without affinity info
+
+From: Long Li <longli@microsoft.com>
+
+[ Upstream commit 7b3b1e5a87b2f5e35c52b5386d7c327be869454f ]
+
+When hv_pci_assign_numa_node() processes a device that does not have
+HV_PCI_DEVICE_FLAG_NUMA_AFFINITY set or has an out-of-range
+virtual_numa_node, the device NUMA node is left unset. On x86_64,
+the uninitialized default happens to be 0, but on ARM64 it is
+NUMA_NO_NODE (-1).
+
+Tests show that when no NUMA information is available from the Hyper-V
+host, devices perform best when assigned to node 0. With NUMA_NO_NODE
+the kernel may spread work across NUMA nodes, which degrades
+performance on Hyper-V, particularly for high-throughput devices like
+MANA.
+
+Always set the device NUMA node to 0 before the conditional NUMA
+affinity check, so that devices get a performant default when the host
+provides no NUMA information, and behavior is consistent on both
+x86_64 and ARM64.
+
+Fixes: 999dd956d838 ("PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2")
+Signed-off-by: Long Li <longli@microsoft.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-hyperv.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
+index e41726ec407c6..bb328fe817937 100644
+--- a/drivers/pci/controller/pci-hyperv.c
++++ b/drivers/pci/controller/pci-hyperv.c
+@@ -1901,6 +1901,14 @@ static void hv_pci_assign_numa_node(struct hv_pcibus_device *hbus)
+ if (!hv_dev)
+ continue;
+
++ /*
++ * If the Hyper-V host doesn't provide a NUMA node for the
++ * device, default to node 0. With NUMA_NO_NODE the kernel
++ * may spread work across NUMA nodes, which degrades
++ * performance on Hyper-V.
++ */
++ set_dev_node(&dev->dev, 0);
++
+ if (hv_dev->desc.flags & HV_PCI_DEVICE_FLAG_NUMA_AFFINITY &&
+ hv_dev->desc.virtual_numa_node < num_possible_nodes())
+ /*
+--
+2.53.0
+
--- /dev/null
+alsa-asihpi-avoid-write-overflow-check-warning.patch
+asoc-sof-topology-reject-invalid-vendor-array-size-i.patch
+can-mcp251x-add-error-handling-for-power-enable-in-o.patch
+btrfs-tracepoints-get-correct-superblock-from-dentry.patch
+alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch
+srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch
+netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch
+wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch
+asoc-soc-core-call-missing-init_list_head-for-card_a.patch
+mips-mm-suppress-tlb-uniquification-on-ehinv-hardwar.patch
+hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch
+hid-roccat-fix-use-after-free-in-roccat_report_event.patch
+ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch
+wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch
+asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch
+arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch
+pci-hv-set-default-numa-node-to-0-for-devices-withou.patch
+drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch
+drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch
+drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch
+net-sched-act_csum-validate-nested-vlan-headers.patch
+net-lapbether-close-the-lapb-device-before-its-under.patch
+net-lapbether-remove-trailing-whitespaces.patch
+net-lapbether-replace-comparison-to-null-with-lapbet.patch
+net-lapbether-handle-netdev_pre_type_change.patch
+tracing-probe-reject-non-closed-empty-immediate-stri.patch
+e1000-check-return-value-of-e1000_read_eeprom.patch
+xsk-tighten-umem-headroom-validation-to-account-for-.patch
+xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch
+xfrm_user-fix-info-leak-in-build_mapping.patch
+netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch
+netfilter-xt_multiport-validate-range-encoding-in-ch.patch
+netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch
+af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch
+l2tp-drop-large-packets-with-udp-encap.patch
+crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch
--- /dev/null
+From 64e2c425983d9dc106dbbb935f6dd6ecd281f8c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 20:14:18 -0400
+Subject: srcu: Use irq_work to start GP in tiny SRCU
+
+From: Joel Fernandes <joelagnelf@nvidia.com>
+
+[ Upstream commit a6fc88b22bc8d12ad52e8412c667ec0f5bf055af ]
+
+Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(),
+which acquires the workqueue pool->lock.
+
+This causes a lockdep splat when call_srcu() is called with a scheduler
+lock held, due to:
+
+ call_srcu() [holding pi_lock]
+ srcu_gp_start_if_needed()
+ schedule_work() -> pool->lock
+
+ workqueue_init() / create_worker() [holding pool->lock]
+ wake_up_process() -> try_to_wake_up() -> pi_lock
+
+Also add irq_work_sync() to cleanup_srcu_struct() to prevent a
+use-after-free if a queued irq_work fires after cleanup begins.
+
+Tested with rcutorture SRCU-T and no lockdep warnings.
+
+[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work
+to start process_srcu()" ]
+
+Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
+Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Boqun Feng <boqun@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/srcutiny.h | 4 ++++
+ kernel/rcu/srcutiny.c | 19 ++++++++++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/srcutiny.h b/include/linux/srcutiny.h
+index 0e0cf4d6a72a0..0419b3b9664a8 100644
+--- a/include/linux/srcutiny.h
++++ b/include/linux/srcutiny.h
+@@ -11,6 +11,7 @@
+ #ifndef _LINUX_SRCU_TINY_H
+ #define _LINUX_SRCU_TINY_H
+
++#include <linux/irq_work_types.h>
+ #include <linux/swait.h>
+
+ struct srcu_struct {
+@@ -24,18 +25,21 @@ struct srcu_struct {
+ struct rcu_head *srcu_cb_head; /* Pending callbacks: Head. */
+ struct rcu_head **srcu_cb_tail; /* Pending callbacks: Tail. */
+ struct work_struct srcu_work; /* For driving grace periods. */
++ struct irq_work srcu_irq_work; /* Defer schedule_work() to irq work. */
+ #ifdef CONFIG_DEBUG_LOCK_ALLOC
+ struct lockdep_map dep_map;
+ #endif /* #ifdef CONFIG_DEBUG_LOCK_ALLOC */
+ };
+
+ void srcu_drive_gp(struct work_struct *wp);
++void srcu_tiny_irq_work(struct irq_work *irq_work);
+
+ #define __SRCU_STRUCT_INIT(name, __ignored) \
+ { \
+ .srcu_wq = __SWAIT_QUEUE_HEAD_INITIALIZER(name.srcu_wq), \
+ .srcu_cb_tail = &name.srcu_cb_head, \
+ .srcu_work = __WORK_INITIALIZER(name.srcu_work, srcu_drive_gp), \
++ .srcu_irq_work = { .func = srcu_tiny_irq_work }, \
+ __SRCU_DEP_MAP_INIT(name) \
+ }
+
+diff --git a/kernel/rcu/srcutiny.c b/kernel/rcu/srcutiny.c
+index 26344dc6483b0..427cc2f1c5b02 100644
+--- a/kernel/rcu/srcutiny.c
++++ b/kernel/rcu/srcutiny.c
+@@ -9,6 +9,7 @@
+ */
+
+ #include <linux/export.h>
++#include <linux/irq_work.h>
+ #include <linux/mutex.h>
+ #include <linux/preempt.h>
+ #include <linux/rcupdate_wait.h>
+@@ -37,6 +38,7 @@ static int init_srcu_struct_fields(struct srcu_struct *ssp)
+ ssp->srcu_idx_max = 0;
+ INIT_WORK(&ssp->srcu_work, srcu_drive_gp);
+ INIT_LIST_HEAD(&ssp->srcu_work.entry);
++ init_irq_work(&ssp->srcu_irq_work, srcu_tiny_irq_work);
+ return 0;
+ }
+
+@@ -80,6 +82,7 @@ EXPORT_SYMBOL_GPL(init_srcu_struct);
+ void cleanup_srcu_struct(struct srcu_struct *ssp)
+ {
+ WARN_ON(ssp->srcu_lock_nesting[0] || ssp->srcu_lock_nesting[1]);
++ irq_work_sync(&ssp->srcu_irq_work);
+ flush_work(&ssp->srcu_work);
+ WARN_ON(ssp->srcu_gp_running);
+ WARN_ON(ssp->srcu_gp_waiting);
+@@ -155,6 +158,20 @@ void srcu_drive_gp(struct work_struct *wp)
+ }
+ EXPORT_SYMBOL_GPL(srcu_drive_gp);
+
++/*
++ * Use an irq_work to defer schedule_work() to avoid acquiring the workqueue
++ * pool->lock while the caller might hold scheduler locks, causing lockdep
++ * splats due to workqueue_init() doing a wakeup.
++ */
++void srcu_tiny_irq_work(struct irq_work *irq_work)
++{
++ struct srcu_struct *ssp;
++
++ ssp = container_of(irq_work, struct srcu_struct, srcu_irq_work);
++ schedule_work(&ssp->srcu_work);
++}
++EXPORT_SYMBOL_GPL(srcu_tiny_irq_work);
++
+ static void srcu_gp_start_if_needed(struct srcu_struct *ssp)
+ {
+ unsigned short cookie;
+@@ -165,7 +182,7 @@ static void srcu_gp_start_if_needed(struct srcu_struct *ssp)
+ WRITE_ONCE(ssp->srcu_idx_max, cookie);
+ if (!READ_ONCE(ssp->srcu_gp_running)) {
+ if (likely(srcu_init_done))
+- schedule_work(&ssp->srcu_work);
++ irq_work_queue(&ssp->srcu_irq_work);
+ else if (list_empty(&ssp->srcu_work.entry))
+ list_add(&ssp->srcu_work.entry, &srcu_boot_list);
+ }
+--
+2.53.0
+
--- /dev/null
+From 5d1af8065fe927c415acabd23a93f75b0e2c5e3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 00:03:15 +0800
+Subject: tracing/probe: reject non-closed empty immediate strings
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 4346be6577aaa04586167402ae87bbdbe32484a4 ]
+
+parse_probe_arg() accepts quoted immediate strings and passes the body
+after the opening quote to __parse_imm_string(). That helper currently
+computes strlen(str) and immediately dereferences str[len - 1], which
+underflows when the body is empty and not closed with double-quotation.
+
+Reject empty non-closed immediate strings before checking for the closing quote.
+
+Link: https://lore.kernel.org/all/20260401160315.88518-1-pengpeng@iscas.ac.cn/
+
+Fixes: a42e3c4de964 ("tracing/probe: Add immediate string parameter support")
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_probe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
+index 1893fe5460acb..698eb997b37ea 100644
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -341,7 +341,7 @@ static int __parse_imm_string(char *str, char **pbuf, int offs)
+ {
+ size_t len = strlen(str);
+
+- if (str[len - 1] != '"') {
++ if (!len || str[len - 1] != '"') {
+ trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE);
+ return -EINVAL;
+ }
+--
+2.53.0
+
--- /dev/null
+From 933da6bc467773fc8c71cf6fa789a6ba330884e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 15:45:51 +0800
+Subject: wifi: brcmfmac: validate bsscfg indices in IF events
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ]
+
+brcmf_fweh_handle_if_event() validates the firmware-provided interface
+index before it touches drvr->iflist[], but it still uses the raw
+bsscfgidx field as an array index without a matching range check.
+
+Reject IF events whose bsscfg index does not fit in drvr->iflist[]
+before indexing the interface array.
+
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn
+[add missing wifi prefix]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+index 1285d3685c4f5..51260a0c8e0a7 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+@@ -151,6 +151,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr,
+ bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx);
+ return;
+ }
++ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) {
++ bphy_err(drvr, "invalid bsscfg index: %u\n",
++ ifevent->bsscfgidx);
++ return;
++ }
+
+ ifp = drvr->iflist[ifevent->bsscfgidx];
+
+--
+2.53.0
+
--- /dev/null
+From 9e788f09b6a8c87fb2a36c5786b5f6d9b8f23d55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 16:08:45 +0800
+Subject: wifi: wl1251: validate packet IDs before indexing tx_frames
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 ]
+
+wl1251_tx_packet_cb() uses the firmware completion ID directly to index
+the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the
+completion block, and the callback does not currently verify that it
+fits the array before dereferencing it.
+
+Reject completion IDs that fall outside wl->tx_frames[] and keep the
+existing NULL check in the same guard. This keeps the fix local to the
+trust boundary and avoids touching the rest of the completion flow.
+
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl1251/tx.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c
+index 5771f61392efb..7f406c086ca56 100644
+--- a/drivers/net/wireless/ti/wl1251/tx.c
++++ b/drivers/net/wireless/ti/wl1251/tx.c
+@@ -402,12 +402,14 @@ static void wl1251_tx_packet_cb(struct wl1251 *wl,
+ int hdrlen;
+ u8 *frame;
+
+- skb = wl->tx_frames[result->id];
+- if (skb == NULL) {
+- wl1251_error("SKB for packet %d is NULL", result->id);
++ if (unlikely(result->id >= ARRAY_SIZE(wl->tx_frames) ||
++ wl->tx_frames[result->id] == NULL)) {
++ wl1251_error("invalid packet id %u", result->id);
+ return;
+ }
+
++ skb = wl->tx_frames[result->id];
++
+ info = IEEE80211_SKB_CB(skb);
+
+ if (!(info->flags & IEEE80211_TX_CTL_NO_ACK) &&
+--
+2.53.0
+
--- /dev/null
+From a827b545eb118d6c950519f79aeaa66b34aa97c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 13:31:04 +0200
+Subject: xfrm: Wait for RCU readers during policy netns exit
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+[ Upstream commit 069daad4f2ae9c5c108131995529d5f02392c446 ]
+
+xfrm_policy_fini() frees the policy_bydst hash tables after flushing the
+policy work items and deleting all policies, but it does not wait for
+concurrent RCU readers to leave their read-side critical sections first.
+
+The policy_bydst tables are published via rcu_assign_pointer() and are
+looked up through rcu_dereference_check(), so netns teardown must also
+wait for an RCU grace period before freeing the table memory.
+
+Fix this by adding synchronize_rcu() before freeing the policy hash tables.
+
+Fixes: e1e551bc5630 ("xfrm: policy: prepare policy_bydst hash for rcu lookups")
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_policy.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index c4ebfaa0b2ed0..56956abd38180 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -4166,6 +4166,8 @@ static void xfrm_policy_fini(struct net *net)
+ #endif
+ xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false);
+
++ synchronize_rcu();
++
+ WARN_ON(!list_empty(&net->xfrm.policy_all));
+
+ for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
+--
+2.53.0
+
--- /dev/null
+From 561fbfb27849c7fe9ac8122a0ab4abdd6675b346 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 17:33:03 +0200
+Subject: xfrm_user: fix info leak in build_mapping()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit 1beb76b2053b68c491b78370794b8ff63c8f8c02 ]
+
+struct xfrm_usersa_id has a one-byte padding hole after the proto
+field, which ends up never getting set to zero before copying out to
+userspace. Fix that up by zeroing out the whole structure before
+setting individual variables.
+
+Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink")
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Simon Horman <horms@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index a55f8fe3e052f..ab79a739b3638 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -3493,6 +3493,7 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x,
+
+ um = nlmsg_data(nlh);
+
++ memset(&um->id, 0, sizeof(um->id));
+ memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr));
+ um->id.spi = x->id.spi;
+ um->id.family = x->props.family;
+--
+2.53.0
+
--- /dev/null
+From ed2bdf6c4b022e76c5cfdb0fa34a0da02814344c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:51 +0200
+Subject: xsk: tighten UMEM headroom validation to account for tailroom and min
+ frame
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit a315e022a72d95ef5f1d4e58e903cb492b0ad931 ]
+
+The current headroom validation in xdp_umem_reg() could leave us with
+insufficient space dedicated to even receive minimum-sized ethernet
+frame. Furthermore if multi-buffer would come to play then
+skb_shared_info stored at the end of XSK frame would be corrupted.
+
+HW typically works with 128-aligned sizes so let us provide this value
+as bare minimum.
+
+Multi-buffer setting is known later in the configuration process so
+besides accounting for 128 bytes, let us also take care of tailroom space
+upfront.
+
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Fixes: 99e3a236dd43 ("xsk: Add missing check on user supplied headroom size")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-2-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xdp_umem.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
+index 42b19feb2b6e5..79df583b6ce06 100644
+--- a/net/xdp/xdp_umem.c
++++ b/net/xdp/xdp_umem.c
+@@ -199,7 +199,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+ if (!unaligned_chunks && chunks_rem)
+ return -EINVAL;
+
+- if (headroom >= chunk_size - XDP_PACKET_HEADROOM)
++ if (headroom > chunk_size - XDP_PACKET_HEADROOM -
++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) - 128)
+ return -EINVAL;
+
+ umem->size = size;
+--
+2.53.0
+
--- /dev/null
+From 41726aca6fa6c382d0edf668d52935117c5df488 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 16:00:14 +0800
+Subject: af_unix: read UNIX_DIAG_VFS data under unix_state_lock
+
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+
+[ Upstream commit 39897df386376912d561d4946499379effa1e7ef ]
+
+Exact UNIX diag lookups hold a reference to the socket, but not to
+u->path. Meanwhile, unix_release_sock() clears u->path under
+unix_state_lock() and drops the path reference after unlocking.
+
+Read the inode and device numbers for UNIX_DIAG_VFS while holding
+unix_state_lock(), then emit the netlink attribute after dropping the
+lock.
+
+This keeps the VFS data stable while the reply is being built.
+
+Fixes: 5f7b0569460b ("unix_diag: Unix inode info NLA")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260407080015.1744197-1-n05ec@lzu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/diag.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/net/unix/diag.c b/net/unix/diag.c
+index 486276a1782ed..699fba7b7591d 100644
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -25,18 +25,23 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb)
+
+ static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb)
+ {
+- struct dentry *dentry = unix_sk(sk)->path.dentry;
++ struct unix_diag_vfs uv;
++ struct dentry *dentry;
++ bool have_vfs = false;
+
++ unix_state_lock(sk);
++ dentry = unix_sk(sk)->path.dentry;
+ if (dentry) {
+- struct unix_diag_vfs uv = {
+- .udiag_vfs_ino = d_backing_inode(dentry)->i_ino,
+- .udiag_vfs_dev = dentry->d_sb->s_dev,
+- };
+-
+- return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);
++ uv.udiag_vfs_ino = d_backing_inode(dentry)->i_ino;
++ uv.udiag_vfs_dev = dentry->d_sb->s_dev;
++ have_vfs = true;
+ }
++ unix_state_unlock(sk);
+
+- return 0;
++ if (!have_vfs)
++ return 0;
++
++ return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);
+ }
+
+ static int sk_diag_dump_peer(struct sock *sk, struct sk_buff *nlskb)
+--
+2.53.0
+
--- /dev/null
+From a7b16cede35533d4156a7468a5d365accaac758b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 13:40:07 +0100
+Subject: ALSA: asihpi: avoid write overflow check warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 591721223be9e28f83489a59289579493b8e3d83 ]
+
+clang-22 rightfully warns that the memcpy() in adapter_prepare() copies
+between different structures, crossing the boundary of nested
+structures inside it:
+
+In file included from sound/pci/asihpi/hpimsgx.c:13:
+In file included from include/linux/string.h:386:
+include/linux/fortify-string.h:569:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
+ 569 | __write_overflow_field(p_size_field, size);
+
+The two structures seem to refer to the same layout, despite the
+separate definitions, so the code is in fact correct.
+
+Avoid the warning by copying the two inner structures separately.
+I see the same pattern happens in other functions in the same file,
+so there is a chance that this may come back in the future, but
+this instance is the only one that I saw in practice, hitting it
+multiple times per day in randconfig build.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://patch.msgid.link/20260318124016.3488566-1-arnd@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/asihpi/hpimsgx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c
+index 761fc62f68f16..85a354cf082ff 100644
+--- a/sound/pci/asihpi/hpimsgx.c
++++ b/sound/pci/asihpi/hpimsgx.c
+@@ -586,8 +586,10 @@ static u16 adapter_prepare(u16 adapter)
+ HPI_ADAPTER_OPEN);
+ hm.adapter_index = adapter;
+ hw_entry_point(&hm, &hr);
+- memcpy(&rESP_HPI_ADAPTER_OPEN[adapter], &hr,
+- sizeof(rESP_HPI_ADAPTER_OPEN[0]));
++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].h, &hr,
++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].h));
++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].a, &hr.u.ax.info,
++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].a));
+ if (hr.error)
+ return hr.error;
+
+--
+2.53.0
+
--- /dev/null
+From e7127073e935fa029ddc6903fc8955308d589d23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Mar 2026 10:36:03 -0500
+Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: César Montoya <sprit152009@gmail.com>
+
+[ Upstream commit 2f388b4e8fdd6b0f27cafd281658daacfd85807e ]
+
+The HP Pavilion 15-eg0xxx with subsystem ID 0x103c87cb uses a Realtek
+ALC287 codec with a mute LED wired to GPIO pin 4 (mask 0x10). The
+existing ALC287_FIXUP_HP_GPIO_LED fixup already handles this correctly,
+but the subsystem ID was missing from the quirk table.
+
+GPIO pin confirmed via manual hda-verb testing:
+ hda-verb SET_GPIO_MASK 0x10
+ hda-verb SET_GPIO_DIRECTION 0x10
+ hda-verb SET_GPIO_DATA 0x10
+
+Signed-off-by: César Montoya <sprit152009@gmail.com>
+Link: https://patch.msgid.link/20260321153603.12771-1-sprit152009@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 38fda5dbd75ba..9cb5705577f72 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9354,6 +9354,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x87cb, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+--
+2.53.0
+
--- /dev/null
+From ac53a895cf692922363981193a1dc2ff1876d562 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Mar 2026 08:07:34 +0000
+Subject: ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex
+
+From: Phil Willoughby <willerz@gmail.com>
+
+[ Upstream commit bc5b4e5ae1a67700a618328217b6a3bd0f296e97 ]
+
+The NeuralDSP Quad Cortex does not support DSD playback. We need
+this product-specific entry with zero quirks because otherwise it
+falls through to the vendor-specific entry which marks it as
+supporting DSD playback.
+
+Cc: Yue Wang <yuleopen@gmail.com>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Signed-off-by: Phil Willoughby <willerz@gmail.com>
+Link: https://patch.msgid.link/20260328080921.3310-1-willerz@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 33a1a35485721..4cf2f48b401ee 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1863,6 +1863,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
+ QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB),
+ DEVICE_FLG(0x13e5, 0x0001, /* Serato Phono */
+ QUIRK_FLAG_IGNORE_CTL_ERROR),
++ DEVICE_FLG(0x152a, 0x880a, /* NeuralDSP Quad Cortex */
++ 0), /* Doesn't have the vendor quirk which would otherwise apply */
+ DEVICE_FLG(0x154e, 0x1002, /* Denon DCD-1500RE */
+ QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY),
+ DEVICE_FLG(0x154e, 0x1003, /* Denon DA-300USB */
+--
+2.53.0
+
--- /dev/null
+From 9b85c052c3a55d146df32aecabd2231626c1bae0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jan 2026 00:28:28 +0100
+Subject: arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency
+
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+
+[ Upstream commit 1f99b5d93d99ca17d50b386a674d0ce1f20932d8 ]
+
+According to i.MX 8M Quad Reference Manual, GPU_AHB_CLK_ROOT's maximum
+frequency is 400MHz.
+
+Fixes: 45d2c84eb3a2 ("arm64: dts: imx8mq: add GPU node")
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+index e41e1c553bd37..12a33ac9e7543 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+@@ -1362,7 +1362,7 @@ gpu: gpu@38000000 {
+ <&clk IMX8MQ_GPU_PLL_OUT>,
+ <&clk IMX8MQ_GPU_PLL>;
+ assigned-clock-rates = <800000000>, <800000000>,
+- <800000000>, <800000000>, <0>;
++ <800000000>, <400000000>, <0>;
+ power-domains = <&pgc_gpu>;
+ };
+
+--
+2.53.0
+
--- /dev/null
+From 7351941f449a908d9df11c8072525b3ee762c012 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 02:43:54 +0000
+Subject: ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit b9eff9732cb0f86a68c9d1592a98ceab47c01e95 ]
+
+Component has "card_aux_list" which is added/deled in bind/unbind aux dev
+function (A), and used in for_each_card_auxs() loop (B).
+
+ static void soc_unbind_aux_dev(...)
+ {
+ ...
+ for_each_card_auxs_safe(...) {
+ ...
+(A) list_del(&component->card_aux_list);
+ } ^^^^^^^^^^^^^
+ }
+
+ static int soc_bind_aux_dev(...)
+ {
+ ...
+ for_each_card_pre_auxs(...) {
+ ...
+(A) list_add(&component->card_aux_list, ...);
+ } ^^^^^^^^^^^^^
+ ...
+ }
+
+ #define for_each_card_auxs(card, component) \
+(B) list_for_each_entry(component, ..., card_aux_list)
+ ^^^^^^^^^^^^^
+
+But it has been used without calling INIT_LIST_HEAD().
+
+ > git grep card_aux_list sound/soc
+ sound/soc/soc-core.c: list_del(&component->card_aux_list);
+ sound/soc/soc-core.c: list_add(&component->card_aux_list, ...);
+
+call missing INIT_LIST_HEAD() for it.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://patch.msgid.link/87341mxa8l.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index af8554e96035f..da652f2f09b61 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -2646,6 +2646,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component,
+ INIT_LIST_HEAD(&component->dobj_list);
+ INIT_LIST_HEAD(&component->card_list);
+ INIT_LIST_HEAD(&component->list);
++ INIT_LIST_HEAD(&component->card_aux_list);
+ mutex_init(&component->io_mutex);
+
+ component->name = fmt_single_name(dev, &component->id);
+--
+2.53.0
+
--- /dev/null
+From 4f8916e8b21927a009d69184ca5cd1b9bf54157e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 21:45:26 -0300
+Subject: ASoC: SOF: topology: reject invalid vendor array size in token parser
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+[ Upstream commit 215e5fe75881a7e2425df04aeeed47a903d5cd5d ]
+
+sof_parse_token_sets() accepts array->size values that can be invalid
+for a vendor tuple array header. In particular, a zero size does not
+advance the parser state and can lead to non-progress parsing on
+malformed topology data.
+
+Validate array->size against the minimum header size and reject values
+smaller than sizeof(*array) before parsing. This preserves behavior for
+valid topologies and hardens malformed-input handling.
+
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
+index 1bb2dcf37ffe9..16feb5d268022 100644
+--- a/sound/soc/sof/topology.c
++++ b/sound/soc/sof/topology.c
+@@ -941,7 +941,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
+ asize = le32_to_cpu(array->size);
+
+ /* validate asize */
+- if (asize < 0) { /* FIXME: A zero-size array makes no sense */
++ if (asize < sizeof(*array)) {
+ dev_err(scomp->dev, "error: invalid array size 0x%x\n",
+ asize);
+ return -EINVAL;
+--
+2.53.0
+
--- /dev/null
+From f1a67f2a53e77786a1ca183e6b1ac9cb3056638d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2026 10:40:56 +0200
+Subject: ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
+
+From: Tomasz Merta <tomasz.merta@arrow.com>
+
+[ Upstream commit 0669631dbccd41cf3ca7aa70213fcd8bb41c4b38 ]
+
+The STM32 SAI driver do not set the clock strobing bit (CKSTR) for DSP_A,
+DSP_B and LEFT_J formats, causing data to be sampled on the wrong BCLK
+edge when SND_SOC_DAIFMT_NB_NF is used.
+
+Per ALSA convention, NB_NF requires sampling on the rising BCLK edge.
+The STM32MP25 SAI reference manual states that CKSTR=1 is required for
+signals received by the SAI to be sampled on the SCK rising edge.
+Without setting CKSTR=1, the SAI samples on the falling edge, violating
+the NB_NF convention. For comparison, the NXP FSL SAI driver correctly
+sets FSL_SAI_CR2_BCP for DSP_A, DSP_B and LEFT_J, consistent with its
+I2S handling.
+
+This patch adds SAI_XCR1_CKSTR for DSP_A, DSP_B and LEFT_J in
+stm32_sai_set_dai_fmt which was verified empirically with a cs47l35 codec.
+RIGHT_J (LSB) is not investigated and addressed by this patch.
+
+Note: the STM32 I2S driver (stm32_i2s_set_dai_fmt) may have the same issue
+for DSP_A mode, as I2S_CGFR_CKPOL is not set. This has not been verified
+and is left for a separate investigation.
+
+Signed-off-by: Tomasz Merta <tommerta@gmail.com>
+Link: https://patch.msgid.link/20260408084056.20588-1-tommerta@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/stm/stm32_sai_sub.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c
+index 5a4551f1a40dd..fa6f06f1d3842 100644
+--- a/sound/soc/stm/stm32_sai_sub.c
++++ b/sound/soc/stm/stm32_sai_sub.c
+@@ -671,6 +671,7 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt)
+ break;
+ /* Left justified */
+ case SND_SOC_DAIFMT_MSB:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF;
+ break;
+ /* Right justified */
+@@ -678,9 +679,11 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt)
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF;
+ break;
+ case SND_SOC_DAIFMT_DSP_A:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSOFF;
+ break;
+ case SND_SOC_DAIFMT_DSP_B:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL;
+ break;
+ default:
+--
+2.53.0
+
--- /dev/null
+From 739bef3f229620180dda42259f905795cdc5fb9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 15:23:35 -0700
+Subject: ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585
+
+From: Arthur Husband <artmoty@gmail.com>
+
+[ Upstream commit 105c42566a550e2d05fc14f763216a8765ee5d0e ]
+
+The JMicron JMB585 (and JMB582) SATA controllers advertise 64-bit DMA
+support via the S64A bit in the AHCI CAP register, but their 64-bit DMA
+implementation is defective. Under sustained I/O, DMA transfers targeting
+addresses above 4GB silently corrupt data -- writes land at incorrect
+memory addresses with no errors logged.
+
+The failure pattern is similar to the ASMedia ASM1061
+(commit 20730e9b2778 ("ahci: add 43-bit DMA address quirk for ASMedia
+ASM1061 controllers")), which also falsely advertised full 64-bit DMA
+support. However, the JMB585 requires a stricter 32-bit DMA mask rather
+than 43-bit, as corruption occurs with any address above 4GB.
+
+On the Minisforum N5 Pro specifically, the combination of the JMB585's
+broken 64-bit DMA with the AMD Family 1Ah (Strix Point) IOMMU causes
+silent data corruption that is only detectable via checksumming
+filesystems (BTRFS/ZFS scrub). The corruption occurs when 32-bit IOVA
+space is exhausted and the kernel transparently switches to 64-bit DMA
+addresses.
+
+Add device-specific PCI ID entries for the JMB582 (0x0582) and JMB585
+(0x0585) before the generic JMicron class match, using a new board type
+that combines AHCI_HFLAG_IGN_IRQ_IF_ERR (preserving existing behavior)
+with AHCI_HFLAG_32BIT_ONLY to force 32-bit DMA masks.
+
+Signed-off-by: Arthur Husband <artmoty@gmail.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/ahci.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index 408a25956f6e0..d87b0da31dc25 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -61,6 +61,7 @@ enum board_ids {
+ /* board IDs for specific chipsets in alphabetical order */
+ board_ahci_al,
+ board_ahci_avn,
++ board_ahci_jmb585,
+ board_ahci_mcp65,
+ board_ahci_mcp77,
+ board_ahci_mcp89,
+@@ -200,6 +201,15 @@ static const struct ata_port_info ahci_port_info[] = {
+ .udma_mask = ATA_UDMA6,
+ .port_ops = &ahci_avn_ops,
+ },
++ /* JMicron JMB582/585: 64-bit DMA is broken, force 32-bit */
++ [board_ahci_jmb585] = {
++ AHCI_HFLAGS (AHCI_HFLAG_IGN_IRQ_IF_ERR |
++ AHCI_HFLAG_32BIT_ONLY),
++ .flags = AHCI_FLAG_COMMON,
++ .pio_mask = ATA_PIO4,
++ .udma_mask = ATA_UDMA6,
++ .port_ops = &ahci_ops,
++ },
+ [board_ahci_mcp65] = {
+ AHCI_HFLAGS (AHCI_HFLAG_NO_FPDMA_AA | AHCI_HFLAG_NO_PMP |
+ AHCI_HFLAG_YES_NCQ),
+@@ -436,6 +446,10 @@ static const struct pci_device_id ahci_pci_tbl[] = {
+ /* Elkhart Lake IDs 0x4b60 & 0x4b62 https://sata-io.org/product/8803 not tested yet */
+ { PCI_VDEVICE(INTEL, 0x4b63), board_ahci_low_power }, /* Elkhart Lake AHCI */
+
++ /* JMicron JMB582/585: force 32-bit DMA (broken 64-bit implementation) */
++ { PCI_VDEVICE(JMICRON, 0x0582), board_ahci_jmb585 },
++ { PCI_VDEVICE(JMICRON, 0x0585), board_ahci_jmb585 },
++
+ /* JMicron 360/1/3/5/6, match class to avoid IDE function */
+ { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
+ PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci_ign_iferr },
+--
+2.53.0
+
--- /dev/null
+From 5b9206cde6bb8d76554ae77de1104a707c98d3c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 14:11:39 -0400
+Subject: btrfs: tracepoints: get correct superblock from dentry in event
+ btrfs_sync_file()
+
+From: Goldwyn Rodrigues <rgoldwyn@suse.de>
+
+[ Upstream commit a85b46db143fda5869e7d8df8f258ccef5fa1719 ]
+
+If overlay is used on top of btrfs, dentry->d_sb translates to overlay's
+super block and fsid assignment will lead to a crash.
+
+Use file_inode(file)->i_sb to always get btrfs_sb.
+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/btrfs.h | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h
+index a5f77b685c55f..058c85534f3f1 100644
+--- a/include/trace/events/btrfs.h
++++ b/include/trace/events/btrfs.h
+@@ -695,12 +695,15 @@ TRACE_EVENT(btrfs_sync_file,
+ ),
+
+ TP_fast_assign(
+- const struct dentry *dentry = file->f_path.dentry;
+- const struct inode *inode = d_inode(dentry);
++ struct dentry *dentry = file_dentry(file);
++ struct inode *inode = file_inode(file);
++ struct dentry *parent = dget_parent(dentry);
++ struct inode *parent_inode = d_inode(parent);
+
+- TP_fast_assign_fsid(btrfs_sb(file->f_path.dentry->d_sb));
++ dput(parent);
++ TP_fast_assign_fsid(btrfs_sb(inode->i_sb));
+ __entry->ino = btrfs_ino(BTRFS_I(inode));
+- __entry->parent = btrfs_ino(BTRFS_I(d_inode(dentry->d_parent)));
++ __entry->parent = btrfs_ino(BTRFS_I(parent_inode));
+ __entry->datasync = datasync;
+ __entry->root_objectid =
+ BTRFS_I(inode)->root->root_key.objectid;
+--
+2.53.0
+
--- /dev/null
+From dfa586a93b502f18bcf60cf611c6d28ce544c5e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 00:00:22 +0800
+Subject: can: mcp251x: add error handling for power enable in open and resume
+
+From: Wenyuan Li <2063309626@qq.com>
+
+[ Upstream commit 7a57354756c7df223abe2c33774235ad70cb4231 ]
+
+Add missing error handling for mcp251x_power_enable() calls in both
+mcp251x_open() and mcp251x_can_resume() functions.
+
+In mcp251x_open(), if power enable fails, jump to error path to close
+candev without attempting to disable power again.
+
+In mcp251x_can_resume(), properly check return values of power enable calls
+for both power and transceiver regulators. If any fails, return the error
+code to the PM framework and log the failure.
+
+This ensures the driver properly handles power control failures and
+maintains correct device state.
+
+Signed-off-by: Wenyuan Li <2063309626@qq.com>
+Link: https://patch.msgid.link/tencent_F3EFC5D7738AC548857B91657715E2D3AA06@qq.com
+[mkl: fix patch description]
+[mkl: mcp251x_can_resume(): replace goto by return]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/spi/mcp251x.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
+index e71edca7afbb2..2810583b818a3 100644
+--- a/drivers/net/can/spi/mcp251x.c
++++ b/drivers/net/can/spi/mcp251x.c
+@@ -1218,7 +1218,11 @@ static int mcp251x_open(struct net_device *net)
+ }
+
+ mutex_lock(&priv->mcp_lock);
+- mcp251x_power_enable(priv->transceiver, 1);
++ ret = mcp251x_power_enable(priv->transceiver, 1);
++ if (ret) {
++ dev_err(&spi->dev, "failed to enable transceiver power: %pe\n", ERR_PTR(ret));
++ goto out_close_candev;
++ }
+
+ priv->force_quit = 0;
+ priv->tx_skb = NULL;
+@@ -1267,6 +1271,7 @@ static int mcp251x_open(struct net_device *net)
+ mcp251x_hw_sleep(spi);
+ out_close:
+ mcp251x_power_enable(priv->transceiver, 0);
++out_close_candev:
+ close_candev(net);
+ mutex_unlock(&priv->mcp_lock);
+ if (release_irq)
+@@ -1505,11 +1510,25 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev)
+ {
+ struct spi_device *spi = to_spi_device(dev);
+ struct mcp251x_priv *priv = spi_get_drvdata(spi);
++ int ret = 0;
+
+- if (priv->after_suspend & AFTER_SUSPEND_POWER)
+- mcp251x_power_enable(priv->power, 1);
+- if (priv->after_suspend & AFTER_SUSPEND_UP)
+- mcp251x_power_enable(priv->transceiver, 1);
++ if (priv->after_suspend & AFTER_SUSPEND_POWER) {
++ ret = mcp251x_power_enable(priv->power, 1);
++ if (ret) {
++ dev_err(dev, "failed to restore power: %pe\n", ERR_PTR(ret));
++ return ret;
++ }
++ }
++
++ if (priv->after_suspend & AFTER_SUSPEND_UP) {
++ ret = mcp251x_power_enable(priv->transceiver, 1);
++ if (ret) {
++ dev_err(dev, "failed to restore transceiver power: %pe\n", ERR_PTR(ret));
++ if (priv->after_suspend & AFTER_SUSPEND_POWER)
++ mcp251x_power_enable(priv->power, 0);
++ return ret;
++ }
++ }
+
+ if (priv->after_suspend & (AFTER_SUSPEND_POWER | AFTER_SUSPEND_UP))
+ queue_work(priv->wq, &priv->restart_work);
+--
+2.53.0
+
--- /dev/null
+From 4b95adf98f5c5c0219c6eba726aa9626cdb3a351 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 10:54:17 +0200
+Subject: clockevents: Prevent timer interrupt starvation
+
+From: Thomas Gleixner <tglx@kernel.org>
+
+[ Upstream commit d6e152d905bdb1f32f9d99775e2f453350399a6a ]
+
+Calvin reported an odd NMI watchdog lockup which claims that the CPU locked
+up in user space. He provided a reproducer, which sets up a timerfd based
+timer and then rearms it in a loop with an absolute expiry time of 1ns.
+
+As the expiry time is in the past, the timer ends up as the first expiring
+timer in the per CPU hrtimer base and the clockevent device is programmed
+with the minimum delta value. If the machine is fast enough, this ends up
+in a endless loop of programming the delta value to the minimum value
+defined by the clock event device, before the timer interrupt can fire,
+which starves the interrupt and consequently triggers the lockup detector
+because the hrtimer callback of the lockup mechanism is never invoked.
+
+As a first step to prevent this, avoid reprogramming the clock event device
+when:
+ - a forced minimum delta event is pending
+ - the new expiry delta is less then or equal to the minimum delta
+
+Thanks to Calvin for providing the reproducer and to Borislav for testing
+and providing data from his Zen5 machine.
+
+The problem is not limited to Zen5, but depending on the underlying
+clock event device (e.g. TSC deadline timer on Intel) and the CPU speed
+not necessarily observable.
+
+This change serves only as the last resort and further changes will be made
+to prevent this scenario earlier in the call chain as far as possible.
+
+[ tglx: Updated to restore the old behaviour vs. !force and delta <= 0 and
+ fixed up the tick-broadcast handlers as pointed out by Borislav ]
+
+Fixes: d316c57ff6bf ("[PATCH] clockevents: add core functionality")
+Reported-by: Calvin Owens <calvin@wbinvd.org>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Tested-by: Calvin Owens <calvin@wbinvd.org>
+Tested-by: Borislav Petkov <bp@alien8.de>
+Link: https://lore.kernel.org/lkml/acMe-QZUel-bBYUh@mozart.vkv.me/
+Link: https://patch.msgid.link/20260407083247.562657657@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/clockchips.h | 2 ++
+ kernel/time/clockevents.c | 27 +++++++++++++++++++--------
+ kernel/time/hrtimer.c | 1 +
+ kernel/time/tick-broadcast.c | 8 +++++++-
+ kernel/time/tick-common.c | 1 +
+ kernel/time/tick-sched.c | 1 +
+ 6 files changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/clockchips.h b/include/linux/clockchips.h
+index 8ae9a95ebf5b5..046c6d8d91a69 100644
+--- a/include/linux/clockchips.h
++++ b/include/linux/clockchips.h
+@@ -80,6 +80,7 @@ enum clock_event_state {
+ * @shift: nanoseconds to cycles divisor (power of two)
+ * @state_use_accessors:current state of the device, assigned by the core code
+ * @features: features
++ * @next_event_forced: True if the last programming was a forced event
+ * @retries: number of forced programming retries
+ * @set_state_periodic: switch state to periodic
+ * @set_state_oneshot: switch state to oneshot
+@@ -108,6 +109,7 @@ struct clock_event_device {
+ u32 shift;
+ enum clock_event_state state_use_accessors;
+ unsigned int features;
++ unsigned int next_event_forced;
+ unsigned long retries;
+
+ int (*set_state_periodic)(struct clock_event_device *);
+diff --git a/kernel/time/clockevents.c b/kernel/time/clockevents.c
+index 003ccf338d201..a41701ae38126 100644
+--- a/kernel/time/clockevents.c
++++ b/kernel/time/clockevents.c
+@@ -172,6 +172,7 @@ void clockevents_shutdown(struct clock_event_device *dev)
+ {
+ clockevents_switch_state(dev, CLOCK_EVT_STATE_SHUTDOWN);
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+ }
+
+ /**
+@@ -305,7 +306,6 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires,
+ {
+ unsigned long long clc;
+ int64_t delta;
+- int rc;
+
+ if (WARN_ON_ONCE(expires < 0))
+ return -ETIME;
+@@ -324,16 +324,27 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires,
+ return dev->set_next_ktime(expires, dev);
+
+ delta = ktime_to_ns(ktime_sub(expires, ktime_get()));
+- if (delta <= 0)
+- return force ? clockevents_program_min_delta(dev) : -ETIME;
+
+- delta = min(delta, (int64_t) dev->max_delta_ns);
+- delta = max(delta, (int64_t) dev->min_delta_ns);
++ /* Required for tick_periodic() during early boot */
++ if (delta <= 0 && !force)
++ return -ETIME;
++
++ if (delta > (int64_t)dev->min_delta_ns) {
++ delta = min(delta, (int64_t) dev->max_delta_ns);
++ clc = ((unsigned long long) delta * dev->mult) >> dev->shift;
++ if (!dev->set_next_event((unsigned long) clc, dev))
++ return 0;
++ }
+
+- clc = ((unsigned long long) delta * dev->mult) >> dev->shift;
+- rc = dev->set_next_event((unsigned long) clc, dev);
++ if (dev->next_event_forced)
++ return 0;
+
+- return (rc && force) ? clockevents_program_min_delta(dev) : rc;
++ if (dev->set_next_event(dev->min_delta_ticks, dev)) {
++ if (!force || clockevents_program_min_delta(dev))
++ return -ETIME;
++ }
++ dev->next_event_forced = 1;
++ return 0;
+ }
+
+ /*
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 0246b32e907d2..459bd5ab95101 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1788,6 +1788,7 @@ void hrtimer_interrupt(struct clock_event_device *dev)
+ BUG_ON(!cpu_base->hres_active);
+ cpu_base->nr_events++;
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+
+ raw_spin_lock_irqsave(&cpu_base->lock, flags);
+ entry_time = now = hrtimer_update_base(cpu_base);
+diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c
+index 13a71a894cc16..369f7e52b5e51 100644
+--- a/kernel/time/tick-broadcast.c
++++ b/kernel/time/tick-broadcast.c
+@@ -76,8 +76,10 @@ const struct clock_event_device *tick_get_wakeup_device(int cpu)
+ */
+ static void tick_broadcast_start_periodic(struct clock_event_device *bc)
+ {
+- if (bc)
++ if (bc) {
++ bc->next_event_forced = 0;
+ tick_setup_periodic(bc, 1);
++ }
+ }
+
+ /*
+@@ -403,6 +405,7 @@ static void tick_handle_periodic_broadcast(struct clock_event_device *dev)
+ bool bc_local;
+
+ raw_spin_lock(&tick_broadcast_lock);
++ tick_broadcast_device.evtdev->next_event_forced = 0;
+
+ /* Handle spurious interrupts gracefully */
+ if (clockevent_state_shutdown(tick_broadcast_device.evtdev)) {
+@@ -692,6 +695,7 @@ static void tick_handle_oneshot_broadcast(struct clock_event_device *dev)
+
+ raw_spin_lock(&tick_broadcast_lock);
+ dev->next_event = KTIME_MAX;
++ tick_broadcast_device.evtdev->next_event_forced = 0;
+ next_event = KTIME_MAX;
+ cpumask_clear(tmpmask);
+ now = ktime_get();
+@@ -1057,6 +1061,7 @@ static void tick_broadcast_setup_oneshot(struct clock_event_device *bc,
+
+
+ bc->event_handler = tick_handle_oneshot_broadcast;
++ bc->next_event_forced = 0;
+ bc->next_event = KTIME_MAX;
+
+ /*
+@@ -1169,6 +1174,7 @@ void hotplug_cpu__broadcast_tick_pull(int deadcpu)
+ }
+
+ /* This moves the broadcast assignment to this CPU: */
++ bc->next_event_forced = 0;
+ clockevents_program_event(bc, bc->next_event, 1);
+ }
+ raw_spin_unlock_irqrestore(&tick_broadcast_lock, flags);
+diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c
+index 7f2b17fc8ce40..79ae1adf635bd 100644
+--- a/kernel/time/tick-common.c
++++ b/kernel/time/tick-common.c
+@@ -109,6 +109,7 @@ void tick_handle_periodic(struct clock_event_device *dev)
+ int cpu = smp_processor_id();
+ ktime_t next = dev->next_event;
+
++ dev->next_event_forced = 0;
+ tick_periodic(cpu);
+
+ #if defined(CONFIG_HIGH_RES_TIMERS) || defined(CONFIG_NO_HZ_COMMON)
+diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
+index ae1b207c64479..6a3d0c0c8ffaf 100644
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -1354,6 +1354,7 @@ static void tick_nohz_handler(struct clock_event_device *dev)
+ ktime_t now = ktime_get();
+
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+
+ tick_sched_do_timer(ts, now);
+ tick_sched_handle(ts, regs);
+--
+2.53.0
+
--- /dev/null
+From f6ae8b47a19b534a5ee12a0eda3717f2cf48635d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Apr 2026 13:32:21 +0800
+Subject: crypto: algif_aead - Fix minimum RX size check for decryption
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ]
+
+The check for the minimum receive buffer size did not take the
+tag size into account during decryption. Fix this by adding the
+required extra length.
+
+Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
+Reported-by: Daniel Pouzzner <douzzer@mega.nu>
+Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/algif_aead.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
+index 42493b4d8ce46..cb3959e2c435e 100644
+--- a/crypto/algif_aead.c
++++ b/crypto/algif_aead.c
+@@ -170,7 +170,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
+ if (usedpages < outlen) {
+ size_t less = outlen - usedpages;
+
+- if (used < less) {
++ if (used < less + (ctx->enc ? 0 : as)) {
+ err = -EINVAL;
+ goto free;
+ }
+--
+2.53.0
+
--- /dev/null
+From 83f37f7d4764bb9f3e340e592a4df8ee8cb95535 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:45 -0300
+Subject: drm/vc4: Fix a memory leak in hang state error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit 9525d169e5fd481538cf8c663cc5839e54f2e481 ]
+
+When vc4_save_hang_state() encounters an early return condition, it
+returns without freeing the previously allocated `kernel_state`,
+leaking memory.
+
+Add the missing kfree() calls by consolidating the early return paths
+into a single place.
+
+Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-3-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index 87900248d9f8d..a52736cf1f7a3 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -166,10 +166,8 @@ vc4_save_hang_state(struct drm_device *dev)
+ spin_lock_irqsave(&vc4->job_lock, irqflags);
+ exec[0] = vc4_first_bin_job(vc4);
+ exec[1] = vc4_first_render_job(vc4);
+- if (!exec[0] && !exec[1]) {
+- spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+- return;
+- }
++ if (!exec[0] && !exec[1])
++ goto err_free_state;
+
+ /* Get the bos from both binner and renderer into hang state. */
+ state->bo_count = 0;
+@@ -186,10 +184,8 @@ vc4_save_hang_state(struct drm_device *dev)
+ kernel_state->bo = kcalloc(state->bo_count,
+ sizeof(*kernel_state->bo), GFP_ATOMIC);
+
+- if (!kernel_state->bo) {
+- spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+- return;
+- }
++ if (!kernel_state->bo)
++ goto err_free_state;
+
+ k = 0;
+ for (i = 0; i < 2; i++) {
+@@ -281,6 +277,12 @@ vc4_save_hang_state(struct drm_device *dev)
+ vc4->hang_state = kernel_state;
+ spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+ }
++
++ return;
++
++err_free_state:
++ spin_unlock_irqrestore(&vc4->job_lock, irqflags);
++ kfree(kernel_state);
+ }
+
+ static void
+--
+2.53.0
+
--- /dev/null
+From 1e72262eb3cd103f7f47bb8d0f246f80a60abea9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:44 -0300
+Subject: drm/vc4: Fix memory leak of BO array in hang state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit f4dfd6847b3e5d24e336bca6057485116d17aea4 ]
+
+The hang state's BO array is allocated separately with kzalloc() in
+vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the
+missing kfree() for the BO array before freeing the hang state struct.
+
+Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-2-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index 445d3bab89e0a..87900248d9f8d 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -60,6 +60,7 @@ vc4_free_hang_state(struct drm_device *dev, struct vc4_hang_state *state)
+ for (i = 0; i < state->user_state.bo_count; i++)
+ drm_gem_object_put(state->bo[i]);
+
++ kfree(state->bo);
+ kfree(state);
+ }
+
+--
+2.53.0
+
--- /dev/null
+From d2c1b97f009898d30094fe91e165f64c86c742fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:46 -0300
+Subject: drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit 338c56050d8e892604da97f67bfa8cc4015a955f ]
+
+The mmap callback reads bo->madv without holding madv_lock, racing with
+concurrent DRM_IOCTL_VC4_GEM_MADVISE calls that modify the field under
+the same lock. Add the missing locking to prevent the data race.
+
+Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-4-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_bo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c
+index f642bd6e71ff4..4703f180cde60 100644
+--- a/drivers/gpu/drm/vc4/vc4_bo.c
++++ b/drivers/gpu/drm/vc4/vc4_bo.c
+@@ -713,12 +713,15 @@ static int vc4_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct
+ return -EINVAL;
+ }
+
++ mutex_lock(&bo->madv_lock);
+ if (bo->madv != VC4_MADV_WILLNEED) {
+ DRM_DEBUG("mmaping of %s BO not allowed\n",
+ bo->madv == VC4_MADV_DONTNEED ?
+ "purgeable" : "purged");
++ mutex_unlock(&bo->madv_lock);
+ return -EINVAL;
+ }
++ mutex_unlock(&bo->madv_lock);
+
+ return drm_gem_cma_mmap(obj, vma);
+ }
+--
+2.53.0
+
--- /dev/null
+From d7d8eb37dbdcee8ce8cfb6be7be5e22538e74595 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 15:05:05 +0300
+Subject: e1000: check return value of e1000_read_eeprom
+
+From: Agalakov Daniil <ade@amicon.ru>
+
+[ Upstream commit d3baa34a470771399c1495bc04b1e26ac15d598e ]
+
+[Why]
+e1000_set_eeprom() performs a read-modify-write operation when the write
+range is not word-aligned. This requires reading the first and last words
+of the range from the EEPROM to preserve the unmodified bytes.
+
+However, the code does not check the return value of e1000_read_eeprom().
+If the read fails, the operation continues using uninitialized data from
+eeprom_buff. This results in corrupted data being written back to the
+EEPROM for the boundary words.
+
+Add the missing error checks and abort the operation if reading fails.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Co-developed-by: Iskhakov Daniil <dish@amicon.ru>
+Signed-off-by: Iskhakov Daniil <dish@amicon.ru>
+Signed-off-by: Agalakov Daniil <ade@amicon.ru>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+index 0a57172dfcbc4..631165b895b61 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+@@ -496,14 +496,19 @@ static int e1000_set_eeprom(struct net_device *netdev,
+ */
+ ret_val = e1000_read_eeprom(hw, first_word, 1,
+ &eeprom_buff[0]);
++ if (ret_val)
++ goto out;
++
+ ptr++;
+ }
+- if (((eeprom->offset + eeprom->len) & 1) && (ret_val == 0)) {
++ if ((eeprom->offset + eeprom->len) & 1) {
+ /* need read/modify/write of last changed EEPROM word
+ * only the first byte of the word is being modified
+ */
+ ret_val = e1000_read_eeprom(hw, last_word, 1,
+ &eeprom_buff[last_word - first_word]);
++ if (ret_val)
++ goto out;
+ }
+
+ /* Device's eeprom is always little-endian, word addressable */
+@@ -522,6 +527,7 @@ static int e1000_set_eeprom(struct net_device *netdev,
+ if ((ret_val == 0) && (first_word <= EEPROM_CHECKSUM_REG))
+ e1000_update_eeprom_checksum(hw);
+
++out:
+ kfree(eeprom_buff);
+ return ret_val;
+ }
+--
+2.53.0
+
--- /dev/null
+From 11f9a062e665f6c98c98f4265993f29b9082565e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Mar 2023 17:57:02 +0100
+Subject: epoll: use refcount to reduce ep_mutex contention
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 58c9b016e12855286370dfb704c08498edbc857a ]
+
+We are observing huge contention on the epmutex during an http
+connection/rate test:
+
+ 83.17% 0.25% nginx [kernel.kallsyms] [k] entry_SYSCALL_64_after_hwframe
+[...]
+ |--66.96%--__fput
+ |--60.04%--eventpoll_release_file
+ |--58.41%--__mutex_lock.isra.6
+ |--56.56%--osq_lock
+
+The application is multi-threaded, creates a new epoll entry for
+each incoming connection, and does not delete it before the
+connection shutdown - that is, before the connection's fd close().
+
+Many different threads compete frequently for the epmutex lock,
+affecting the overall performance.
+
+To reduce the contention this patch introduces explicit reference counting
+for the eventpoll struct. Each registered event acquires a reference,
+and references are released at ep_remove() time.
+
+The eventpoll struct is released by whoever - among EP file close() and
+and the monitored file close() drops its last reference.
+
+Additionally, this introduces a new 'dying' flag to prevent races between
+the EP file close() and the monitored file close().
+ep_eventpoll_release() marks, under f_lock spinlock, each epitem as dying
+before removing it, while EP file close() does not touch dying epitems.
+
+The above is needed as both close operations could run concurrently and
+drop the EP reference acquired via the epitem entry. Without the above
+flag, the monitored file close() could reach the EP struct via the epitem
+list while the epitem is still listed and then try to put it after its
+disposal.
+
+An alternative could be avoiding touching the references acquired via
+the epitems at EP file close() time, but that could leave the EP struct
+alive for potentially unlimited time after EP file close(), with nasty
+side effects.
+
+With all the above in place, we can drop the epmutex usage at disposal time.
+
+Overall this produces a significant performance improvement in the
+mentioned connection/rate scenario: the mutex operations disappear from
+the topmost offenders in the perf report, and the measured connections/rate
+grows by ~60%.
+
+To make the change more readable this additionally renames ep_free() to
+ep_clear_and_put(), and moves the actual memory cleanup in a separate
+ep_free() helper.
+
+Link: https://lkml.kernel.org/r/4a57788dcaf28f5eb4f8dfddcc3a8b172a7357bb.1679504153.git.pabeni@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Co-developed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Tested-by: Xiumei Mu <xmu@redhiat.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Reviewed-by: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Carlos Maiolino <cmaiolino@redhat.com>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Eric Biggers <ebiggers@kernel.org>
+Cc: Jacob Keller <jacob.e.keller@intel.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 07712db80857 ("eventpoll: defer struct eventpoll free to RCU grace period")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/eventpoll.c | 195 +++++++++++++++++++++++++++++++------------------
+ 1 file changed, 123 insertions(+), 72 deletions(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index fb5e2af47f02d..217b8016a6b50 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -57,13 +57,7 @@
+ * we need a lock that will allow us to sleep. This lock is a
+ * mutex (ep->mtx). It is acquired during the event transfer loop,
+ * during epoll_ctl(EPOLL_CTL_DEL) and during eventpoll_release_file().
+- * Then we also need a global mutex to serialize eventpoll_release_file()
+- * and ep_free().
+- * This mutex is acquired by ep_free() during the epoll file
+- * cleanup path and it is also acquired by eventpoll_release_file()
+- * if a file has been pushed inside an epoll set and it is then
+- * close()d without a previous call to epoll_ctl(EPOLL_CTL_DEL).
+- * It is also acquired when inserting an epoll fd onto another epoll
++ * The epmutex is acquired when inserting an epoll fd onto another epoll
+ * fd. We do this so that we walk the epoll tree and ensure that this
+ * insertion does not create a cycle of epoll file descriptors, which
+ * could lead to deadlock. We need a global mutex to prevent two
+@@ -153,6 +147,13 @@ struct epitem {
+ /* The file descriptor information this item refers to */
+ struct epoll_filefd ffd;
+
++ /*
++ * Protected by file->f_lock, true for to-be-released epitem already
++ * removed from the "struct file" items list; together with
++ * eventpoll->refcount orchestrates "struct eventpoll" disposal
++ */
++ bool dying;
++
+ /* List containing poll wait queues */
+ struct eppoll_entry *pwqlist;
+
+@@ -218,6 +219,12 @@ struct eventpoll {
+ struct hlist_head refs;
+ u8 loop_check_depth;
+
++ /*
++ * usage count, used together with epitem->dying to
++ * orchestrate the disposal of this struct
++ */
++ refcount_t refcount;
++
+ #ifdef CONFIG_NET_RX_BUSY_POLL
+ /* used to track busy poll napi_id */
+ unsigned int napi_id;
+@@ -241,9 +248,7 @@ struct ep_pqueue {
+ /* Maximum number of epoll watched descriptors, per user */
+ static long max_user_watches __read_mostly;
+
+-/*
+- * This mutex is used to serialize ep_free() and eventpoll_release_file().
+- */
++/* Used for cycles detection */
+ static DEFINE_MUTEX(epmutex);
+
+ static u64 loop_check_gen = 0;
+@@ -551,8 +556,7 @@ static void ep_remove_wait_queue(struct eppoll_entry *pwq)
+
+ /*
+ * This function unregisters poll callbacks from the associated file
+- * descriptor. Must be called with "mtx" held (or "epmutex" if called from
+- * ep_free).
++ * descriptor. Must be called with "mtx" held.
+ */
+ static void ep_unregister_pollwait(struct eventpoll *ep, struct epitem *epi)
+ {
+@@ -675,11 +679,40 @@ static void epi_rcu_free(struct rcu_head *head)
+ kmem_cache_free(epi_cache, epi);
+ }
+
++static void ep_get(struct eventpoll *ep)
++{
++ refcount_inc(&ep->refcount);
++}
++
++/*
++ * Returns true if the event poll can be disposed
++ */
++static bool ep_refcount_dec_and_test(struct eventpoll *ep)
++{
++ if (!refcount_dec_and_test(&ep->refcount))
++ return false;
++
++ WARN_ON_ONCE(!RB_EMPTY_ROOT(&ep->rbr.rb_root));
++ return true;
++}
++
++static void ep_free(struct eventpoll *ep)
++{
++ mutex_destroy(&ep->mtx);
++ free_uid(ep->user);
++ wakeup_source_unregister(ep->ws);
++ kfree(ep);
++}
++
+ /*
+ * Removes a "struct epitem" from the eventpoll RB tree and deallocates
+ * all the associated resources. Must be called with "mtx" held.
++ * If the dying flag is set, do the removal only if force is true.
++ * This prevents ep_clear_and_put() from dropping all the ep references
++ * while running concurrently with eventpoll_release_file().
++ * Returns true if the eventpoll can be disposed.
+ */
+-static int ep_remove(struct eventpoll *ep, struct epitem *epi)
++static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force)
+ {
+ struct file *file = epi->ffd.file;
+ struct epitems_head *to_free;
+@@ -694,6 +727,11 @@ static int ep_remove(struct eventpoll *ep, struct epitem *epi)
+
+ /* Remove the current item from the list of epoll hooks */
+ spin_lock(&file->f_lock);
++ if (epi->dying && !force) {
++ spin_unlock(&file->f_lock);
++ return false;
++ }
++
+ to_free = NULL;
+ head = file->f_ep;
+ if (head->first == &epi->fllink && !epi->fllink.next) {
+@@ -728,28 +766,28 @@ static int ep_remove(struct eventpoll *ep, struct epitem *epi)
+ call_rcu(&epi->rcu, epi_rcu_free);
+
+ percpu_counter_dec(&ep->user->epoll_watches);
++ return ep_refcount_dec_and_test(ep);
++}
+
+- return 0;
++/*
++ * ep_remove variant for callers owing an additional reference to the ep
++ */
++static void ep_remove_safe(struct eventpoll *ep, struct epitem *epi)
++{
++ WARN_ON_ONCE(__ep_remove(ep, epi, false));
+ }
+
+-static void ep_free(struct eventpoll *ep)
++static void ep_clear_and_put(struct eventpoll *ep)
+ {
+- struct rb_node *rbp;
++ struct rb_node *rbp, *next;
+ struct epitem *epi;
++ bool dispose;
+
+ /* We need to release all tasks waiting for these file */
+ if (waitqueue_active(&ep->poll_wait))
+ ep_poll_safewake(ep, NULL, 0);
+
+- /*
+- * We need to lock this because we could be hit by
+- * eventpoll_release_file() while we're freeing the "struct eventpoll".
+- * We do not need to hold "ep->mtx" here because the epoll file
+- * is on the way to be removed and no one has references to it
+- * anymore. The only hit might come from eventpoll_release_file() but
+- * holding "epmutex" is sufficient here.
+- */
+- mutex_lock(&epmutex);
++ mutex_lock(&ep->mtx);
+
+ /*
+ * Walks through the whole tree by unregistering poll callbacks.
+@@ -762,26 +800,25 @@ static void ep_free(struct eventpoll *ep)
+ }
+
+ /*
+- * Walks through the whole tree by freeing each "struct epitem". At this
+- * point we are sure no poll callbacks will be lingering around, and also by
+- * holding "epmutex" we can be sure that no file cleanup code will hit
+- * us during this operation. So we can avoid the lock on "ep->lock".
+- * We do not need to lock ep->mtx, either, we only do it to prevent
+- * a lockdep warning.
++ * Walks through the whole tree and try to free each "struct epitem".
++ * Note that ep_remove_safe() will not remove the epitem in case of a
++ * racing eventpoll_release_file(); the latter will do the removal.
++ * At this point we are sure no poll callbacks will be lingering around.
++ * Since we still own a reference to the eventpoll struct, the loop can't
++ * dispose it.
+ */
+- mutex_lock(&ep->mtx);
+- while ((rbp = rb_first_cached(&ep->rbr)) != NULL) {
++ for (rbp = rb_first_cached(&ep->rbr); rbp; rbp = next) {
++ next = rb_next(rbp);
+ epi = rb_entry(rbp, struct epitem, rbn);
+- ep_remove(ep, epi);
++ ep_remove_safe(ep, epi);
+ cond_resched();
+ }
++
++ dispose = ep_refcount_dec_and_test(ep);
+ mutex_unlock(&ep->mtx);
+
+- mutex_unlock(&epmutex);
+- mutex_destroy(&ep->mtx);
+- free_uid(ep->user);
+- wakeup_source_unregister(ep->ws);
+- kfree(ep);
++ if (dispose)
++ ep_free(ep);
+ }
+
+ static int ep_eventpoll_release(struct inode *inode, struct file *file)
+@@ -789,7 +826,7 @@ static int ep_eventpoll_release(struct inode *inode, struct file *file)
+ struct eventpoll *ep = file->private_data;
+
+ if (ep)
+- ep_free(ep);
++ ep_clear_and_put(ep);
+
+ return 0;
+ }
+@@ -937,33 +974,34 @@ void eventpoll_release_file(struct file *file)
+ {
+ struct eventpoll *ep;
+ struct epitem *epi;
+- struct hlist_node *next;
++ bool dispose;
+
+ /*
+- * We don't want to get "file->f_lock" because it is not
+- * necessary. It is not necessary because we're in the "struct file"
+- * cleanup path, and this means that no one is using this file anymore.
+- * So, for example, epoll_ctl() cannot hit here since if we reach this
+- * point, the file counter already went to zero and fget() would fail.
+- * The only hit might come from ep_free() but by holding the mutex
+- * will correctly serialize the operation. We do need to acquire
+- * "ep->mtx" after "epmutex" because ep_remove() requires it when called
+- * from anywhere but ep_free().
+- *
+- * Besides, ep_remove() acquires the lock, so we can't hold it here.
++ * Use the 'dying' flag to prevent a concurrent ep_clear_and_put() from
++ * touching the epitems list before eventpoll_release_file() can access
++ * the ep->mtx.
+ */
+- mutex_lock(&epmutex);
+- if (unlikely(!file->f_ep)) {
+- mutex_unlock(&epmutex);
+- return;
+- }
+- hlist_for_each_entry_safe(epi, next, file->f_ep, fllink) {
++again:
++ spin_lock(&file->f_lock);
++ if (file->f_ep && file->f_ep->first) {
++ epi = hlist_entry(file->f_ep->first, struct epitem, fllink);
++ epi->dying = true;
++ spin_unlock(&file->f_lock);
++
++ /*
++ * ep access is safe as we still own a reference to the ep
++ * struct
++ */
+ ep = epi->ep;
+- mutex_lock_nested(&ep->mtx, 0);
+- ep_remove(ep, epi);
++ mutex_lock(&ep->mtx);
++ dispose = __ep_remove(ep, epi, true);
+ mutex_unlock(&ep->mtx);
++
++ if (dispose)
++ ep_free(ep);
++ goto again;
+ }
+- mutex_unlock(&epmutex);
++ spin_unlock(&file->f_lock);
+ }
+
+ static int ep_alloc(struct eventpoll **pep)
+@@ -986,6 +1024,7 @@ static int ep_alloc(struct eventpoll **pep)
+ ep->rbr = RB_ROOT_CACHED;
+ ep->ovflist = EP_UNACTIVE_PTR;
+ ep->user = user;
++ refcount_set(&ep->refcount, 1);
+
+ *pep = ep;
+
+@@ -1257,10 +1296,10 @@ static int ep_poll_callback(wait_queue_entry_t *wait, unsigned mode, int sync, v
+ */
+ list_del_init(&wait->entry);
+ /*
+- * ->whead != NULL protects us from the race with ep_free()
+- * or ep_remove(), ep_remove_wait_queue() takes whead->lock
+- * held by the caller. Once we nullify it, nothing protects
+- * ep/epi or even wait.
++ * ->whead != NULL protects us from the race with
++ * ep_clear_and_put() or ep_remove(), ep_remove_wait_queue()
++ * takes whead->lock held by the caller. Once we nullify it,
++ * nothing protects ep/epi or even wait.
+ */
+ smp_store_release(&ep_pwq_from_wait(wait)->whead, NULL);
+ }
+@@ -1531,16 +1570,22 @@ static int ep_insert(struct eventpoll *ep, const struct epoll_event *event,
+ if (tep)
+ mutex_unlock(&tep->mtx);
+
++ /*
++ * ep_remove_safe() calls in the later error paths can't lead to
++ * ep_free() as the ep file itself still holds an ep reference.
++ */
++ ep_get(ep);
++
+ /* now check if we've created too many backpaths */
+ if (unlikely(full_check && reverse_path_check())) {
+- ep_remove(ep, epi);
++ ep_remove_safe(ep, epi);
+ return -EINVAL;
+ }
+
+ if (epi->event.events & EPOLLWAKEUP) {
+ error = ep_create_wakeup_source(epi);
+ if (error) {
+- ep_remove(ep, epi);
++ ep_remove_safe(ep, epi);
+ return error;
+ }
+ }
+@@ -1564,7 +1609,7 @@ static int ep_insert(struct eventpoll *ep, const struct epoll_event *event,
+ * high memory pressure.
+ */
+ if (unlikely(!epq.epi)) {
+- ep_remove(ep, epi);
++ ep_remove_safe(ep, epi);
+ return -ENOMEM;
+ }
+
+@@ -2096,7 +2141,7 @@ static int do_epoll_create(int flags)
+ out_free_fd:
+ put_unused_fd(fd);
+ out_free_ep:
+- ep_free(ep);
++ ep_clear_and_put(ep);
+ return error;
+ }
+
+@@ -2238,10 +2283,16 @@ int do_epoll_ctl(int epfd, int op, int fd, struct epoll_event *epds,
+ error = -EEXIST;
+ break;
+ case EPOLL_CTL_DEL:
+- if (epi)
+- error = ep_remove(ep, epi);
+- else
++ if (epi) {
++ /*
++ * The eventpoll itself is still alive: the refcount
++ * can't go to zero here.
++ */
++ ep_remove_safe(ep, epi);
++ error = 0;
++ } else {
+ error = -ENOENT;
++ }
+ break;
+ case EPOLL_CTL_MOD:
+ if (epi) {
+--
+2.53.0
+
--- /dev/null
+From 952d100093f9eb3cccc3e48c3ecb7f056742eb0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Mar 2026 15:25:32 +0200
+Subject: eventpoll: defer struct eventpoll free to RCU grace period
+
+From: Nicholas Carlini <nicholas@carlini.com>
+
+[ Upstream commit 07712db80857d5d09ae08f3df85a708ecfc3b61f ]
+
+In certain situations, ep_free() in eventpoll.c will kfree the epi->ep
+eventpoll struct while it still being used by another concurrent thread.
+Defer the kfree() to an RCU callback to prevent UAF.
+
+Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion")
+Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/eventpoll.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index 217b8016a6b50..8762d09086376 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -225,6 +225,9 @@ struct eventpoll {
+ */
+ refcount_t refcount;
+
++ /* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */
++ struct rcu_head rcu;
++
+ #ifdef CONFIG_NET_RX_BUSY_POLL
+ /* used to track busy poll napi_id */
+ unsigned int napi_id;
+@@ -701,7 +704,8 @@ static void ep_free(struct eventpoll *ep)
+ mutex_destroy(&ep->mtx);
+ free_uid(ep->user);
+ wakeup_source_unregister(ep->ws);
+- kfree(ep);
++ /* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */
++ kfree_rcu(ep, rcu);
+ }
+
+ /*
+--
+2.53.0
+
--- /dev/null
+From b985751edf7e15f06d3cd34c24817e6c77d61582 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 13:11:27 -0700
+Subject: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
+
+From: Fredric Cover <FredTheDude@proton.me>
+
+[ Upstream commit 78ec5bf2f589ec7fd8f169394bfeca541b077317 ]
+
+When cifs_sanitize_prepath is called with an empty string or a string
+containing only delimiters (e.g., "/"), the current logic attempts to
+check *(cursor2 - 1) before cursor2 has advanced. This results in an
+out-of-bounds read.
+
+This patch adds an early exit check after stripping prepended
+delimiters. If no path content remains, the function returns NULL.
+
+The bug was identified via manual audit and verified using a
+standalone test case compiled with AddressSanitizer, which
+triggered a SEGV on affected inputs.
+
+Signed-off-by: Fredric Cover <FredTheDude@proton.me>
+Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/fs_context.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c
+index c3a71c69d3395..0336580062067 100644
+--- a/fs/cifs/fs_context.c
++++ b/fs/cifs/fs_context.c
+@@ -450,6 +450,10 @@ char *cifs_sanitize_prepath(char *prepath, gfp_t gfp)
+ while (IS_DELIM(*cursor1))
+ cursor1++;
+
++ /* exit in case of only delimiters */
++ if (!*cursor1)
++ return NULL;
++
+ /* copy the first letter */
+ *cursor2 = *cursor1;
+
+--
+2.53.0
+
--- /dev/null
+From 25411dde85bad46d56d8a92b2f1653a411f10d13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 14:02:47 -0700
+Subject: gpio: tegra: fix irq_release_resources calling enable instead of
+ disable
+
+From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+
+[ Upstream commit 1561d96f5f55c1bca9ff047ace5813f4f244eea6 ]
+
+tegra_gpio_irq_release_resources() erroneously calls tegra_gpio_enable()
+instead of tegra_gpio_disable(). When IRQ resources are released, the
+GPIO configuration bit (CNF) should be cleared to deconfigure the pin as
+a GPIO. Leaving it enabled wastes power and can cause unexpected behavior
+if the pin is later reused for an alternate function via pinctrl.
+
+Fixes: 66fecef5bde0 ("gpio: tegra: Convert to gpio_irq_chip")
+Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+Link: https://patch.msgid.link/20260407210247.1737938-1-samasth.norway.ananda@oracle.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-tegra.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-tegra.c b/drivers/gpio/gpio-tegra.c
+index 7f5bc10a64792..ae769a29bf169 100644
+--- a/drivers/gpio/gpio-tegra.c
++++ b/drivers/gpio/gpio-tegra.c
+@@ -598,7 +598,7 @@ static void tegra_gpio_irq_release_resources(struct irq_data *d)
+ struct tegra_gpio_info *tgi = gpiochip_get_data(chip);
+
+ gpiochip_relres_irq(chip, d->hwirq);
+- tegra_gpio_enable(tgi, d->hwirq);
++ tegra_gpio_disable(tgi, d->hwirq);
+ }
+
+ #ifdef CONFIG_DEBUG_FS
+--
+2.53.0
+
--- /dev/null
+From 7e7328b83ae13aa068f5bbda21af5f38d72601f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 13:36:59 -0500
+Subject: HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3
+
+From: leo vriska <leo@60228.dev>
+
+[ Upstream commit 532743944324a873bbaf8620fcabcd0e69e30c36 ]
+
+According to a mailing list report [1], this controller's predecessor
+has the same issue. However, it uses the xpad driver instead of HID, so
+this quirk wouldn't apply.
+
+[1]: https://lore.kernel.org/linux-input/unufo3$det$1@ciao.gmane.io/
+
+Signed-off-by: leo vriska <leo@60228.dev>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 37beb969268c3..66df53c20ed08 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -22,6 +22,9 @@
+ #define USB_DEVICE_ID_3M2256 0x0502
+ #define USB_DEVICE_ID_3M3266 0x0506
+
++#define USB_VENDOR_ID_8BITDO 0x2dc8
++#define USB_DEVICE_ID_8BITDO_PRO_3 0x6009
++
+ #define USB_VENDOR_ID_A4TECH 0x09da
+ #define USB_DEVICE_ID_A4TECH_WCP32PU 0x0006
+ #define USB_DEVICE_ID_A4TECH_X5_005D 0x000a
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index 2a07db02ad932..9eb4d02cc6d77 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -25,6 +25,7 @@
+ */
+
+ static const struct hid_device_id hid_quirks[] = {
++ { HID_USB_DEVICE(USB_VENDOR_ID_8BITDO, USB_DEVICE_ID_8BITDO_PRO_3), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD },
+ { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL },
+--
+2.53.0
+
--- /dev/null
+From c149171d6c01d513dec50f7a9b8df8fba22094d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 16:11:07 +0000
+Subject: HID: roccat: fix use-after-free in roccat_report_event
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benoît Sevens <bsevens@google.com>
+
+[ Upstream commit d802d848308b35220f21a8025352f0c0aba15c12 ]
+
+roccat_report_event() iterates over the device->readers list without
+holding the readers_lock. This allows a concurrent roccat_release() to
+remove and free a reader while it's still being accessed, leading to a
+use-after-free.
+
+Protect the readers list traversal with the readers_lock mutex.
+
+Signed-off-by: Benoît Sevens <bsevens@google.com>
+Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-roccat.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c
+index 6da80e442fdd1..420e4335c3e83 100644
+--- a/drivers/hid/hid-roccat.c
++++ b/drivers/hid/hid-roccat.c
+@@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data)
+ if (!new_value)
+ return -ENOMEM;
+
++ mutex_lock(&device->readers_lock);
+ mutex_lock(&device->cbuf_lock);
+
+ report = &device->cbuf[device->cbuf_end];
+@@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data)
+ }
+
+ mutex_unlock(&device->cbuf_lock);
++ mutex_unlock(&device->readers_lock);
+
+ wake_up_interruptible(&device->wait);
+ return 0;
+--
+2.53.0
+
--- /dev/null
+From 0c37268918a9021e57e97a2a26afbd525c6ba1e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 15:04:19 +0800
+Subject: ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
+
+From: Yiqi Sun <sunyiqixm@gmail.com>
+
+[ Upstream commit fde29fd9349327acc50d19a0b5f3d5a6c964dfd8 ]
+
+ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the
+IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing
+this error pointer to dev_hold() will cause a kernel crash with
+null-ptr-deref.
+
+Instead, silently discard the request. RFC 8335 does not appear to
+define a specific response for the case where an IPv6 interface
+identifier is syntactically valid but the implementation cannot perform
+the lookup at runtime, and silently dropping the request may safer than
+misreporting "No Such Interface".
+
+Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
+Signed-off-by: Yiqi Sun <sunyiqixm@gmail.com>
+Link: https://patch.msgid.link/20260402070419.2291578-1-sunyiqixm@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 0215e2510670a..4dae803fc7c71 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -1108,6 +1108,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
+ if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr))
+ goto send_mal_query;
+ dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
++ /*
++ * If IPv6 identifier lookup is unavailable, silently
++ * discard the request instead of misreporting NO_IF.
++ */
++ if (IS_ERR(dev))
++ return false;
++
+ dev_hold(dev);
+ break;
+ #endif
+--
+2.53.0
+
--- /dev/null
+From 5f531db0aeb3381ab65e67ac08b6fe317bf2b56c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 20:49:49 +0300
+Subject: l2tp: Drop large packets with UDP encap
+
+From: Alice Mikityanska <alice@isovalent.com>
+
+[ Upstream commit ebe560ea5f54134279356703e73b7f867c89db13 ]
+
+syzbot reported a WARN on my patch series [1]. The actual issue is an
+overflow of 16-bit UDP length field, and it exists in the upstream code.
+My series added a debug WARN with an overflow check that exposed the
+issue, that's why syzbot tripped on my patches, rather than on upstream
+code.
+
+syzbot's repro:
+
+r0 = socket$pppl2tp(0x18, 0x1, 0x1)
+r1 = socket$inet6_udp(0xa, 0x2, 0x0)
+connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c)
+connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
+writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1)
+
+It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP
+encapsulation, and l2tp_xmit_core doesn't check for overflows when it
+assigns the UDP length field. The value gets trimmed to 16 bites.
+
+Add an overflow check that drops oversized packets and avoids sending
+packets with trimmed UDP length to the wire.
+
+syzbot's stack trace (with my patch applied):
+
+len >= 65536u
+WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957
+WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957
+WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957
+Modules linked in:
+CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
+RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline]
+RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline]
+RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327
+Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f
+RSP: 0018:ffffc90003d67878 EFLAGS: 00010293
+RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000
+RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff
+RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
+R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900
+R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000
+FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ sock_write_iter+0x503/0x550 net/socket.c:1195
+ do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1
+ vfs_writev+0x33c/0x990 fs/read_write.c:1059
+ do_writev+0x154/0x2e0 fs/read_write.c:1105
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f636479c629
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
+RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629
+RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003
+RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0
+ </TASK>
+
+[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/
+
+Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
+Reported-by: syzbot+ci3edea60a44225dec@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/69a1dfba.050a0220.3a55be.0026.GAE@google.com/
+Signed-off-by: Alice Mikityanska <alice@isovalent.com>
+Link: https://patch.msgid.link/20260403174949.843941-1-alice.kernel@fastmail.im
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index 7e242ebac664a..e429a0749ffea 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1083,6 +1083,11 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns
+ uh->source = inet->inet_sport;
+ uh->dest = inet->inet_dport;
+ udp_len = uhlen + session->hdr_len + data_len;
++ if (udp_len > U16_MAX) {
++ kfree_skb(skb);
++ ret = NET_XMIT_DROP;
++ goto out_unlock;
++ }
+ uh->len = htons(udp_len);
+
+ /* Calculate UDP checksum if configured to do so */
+--
+2.53.0
+
--- /dev/null
+From 27961de2993d658472010c56bb7b02321685d08f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 18:57:23 +0000
+Subject: MIPS: mm: Suppress TLB uniquification on EHINV hardware
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+[ Upstream commit 74283cfe216392c7b776ebf6045b5b15ed9dffcd ]
+
+Hardware that supports the EHINV feature, mandatory for R6 ISA and FTLB
+implementation, lets software mark TLB entries invalid, which eliminates
+the need to ensure no duplicate matching entries are ever created. This
+feature is already used by local_flush_tlb_all(), via the UNIQUE_ENTRYHI
+macro, making the preceding call to r4k_tlb_uniquify() superfluous.
+
+The next change will also modify uniquification code such that it'll
+become incompatible with the FTLB and MMID features, as well as MIPSr6
+CPUs that do not implement 4KiB pages.
+
+Therefore prevent r4k_tlb_uniquify() from being used on EHINV hardware,
+as denoted by `cpu_has_tlbinv'.
+
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/mm/tlb-r4k.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/mm/tlb-r4k.c b/arch/mips/mm/tlb-r4k.c
+index d9a5ede8869bd..8a49adfef8b86 100644
+--- a/arch/mips/mm/tlb-r4k.c
++++ b/arch/mips/mm/tlb-r4k.c
+@@ -616,7 +616,8 @@ static void r4k_tlb_configure(void)
+ temp_tlb_entry = current_cpu_data.tlbsize - 1;
+
+ /* From this point on the ARC firmware is dead. */
+- r4k_tlb_uniquify();
++ if (!cpu_has_tlbinv)
++ r4k_tlb_uniquify();
+ local_flush_tlb_all();
+
+ /* Did I tell you that ARC SUCKS? */
+--
+2.53.0
+
--- /dev/null
+From e0e03a01aafd44f5c25ef23079c13ceada6f791e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 10:35:19 +0000
+Subject: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b120e4432f9f56c7103133d6a11245e617695adb ]
+
+lapbeth_data_transmit() expects the underlying device type
+to be ARPHRD_ETHER.
+
+Returning NOTIFY_BAD from lapbeth_device_event() makes sure
+bonding driver can not break this expectation.
+
+Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
+Reported-by: syzbot+d8c285748fa7292580a9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/69cd22a1.050a0220.70c3a.0002.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Martin Schiller <ms@dev.tdt.de>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260402103519.1201565-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lapbether.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index 75613ac26641f..033d8cdde38a3 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -444,33 +444,36 @@ static void lapbeth_free_device(struct lapbethdev *lapbeth)
+ static int lapbeth_device_event(struct notifier_block *this,
+ unsigned long event, void *ptr)
+ {
+- struct lapbethdev *lapbeth;
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
++ struct lapbethdev *lapbeth;
+
+ if (dev_net(dev) != &init_net)
+ return NOTIFY_DONE;
+
+- if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev))
++ lapbeth = lapbeth_get_x25_dev(dev);
++ if (!dev_is_ethdev(dev) && !lapbeth)
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
+ /* New ethernet device -> new LAPB interface */
+- if (!lapbeth_get_x25_dev(dev))
++ if (!lapbeth)
+ lapbeth_new_device(dev);
+ break;
+ case NETDEV_GOING_DOWN:
+ /* ethernet device closes -> close LAPB interface */
+- lapbeth = lapbeth_get_x25_dev(dev);
+ if (lapbeth)
+ dev_close(lapbeth->axdev);
+ break;
+ case NETDEV_UNREGISTER:
+ /* ethernet device disappears -> remove LAPB interface */
+- lapbeth = lapbeth_get_x25_dev(dev);
+ if (lapbeth)
+ lapbeth_free_device(lapbeth);
+ break;
++ case NETDEV_PRE_TYPE_CHANGE:
++ /* Our underlying device type must not change. */
++ if (lapbeth)
++ return NOTIFY_BAD;
+ }
+
+ return NOTIFY_DONE;
+--
+2.53.0
+
--- /dev/null
+From ce41107db21766e0495431272d12975e2e2f4680 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 22:46:20 +0800
+Subject: net: sched: act_csum: validate nested VLAN headers
+
+From: Ruide Cao <caoruide123@gmail.com>
+
+[ Upstream commit c842743d073bdd683606cb414eb0ca84465dd834 ]
+
+tcf_csum_act() walks nested VLAN headers directly from skb->data when an
+skb still carries in-payload VLAN tags. The current code reads
+vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without
+first ensuring that the full VLAN header is present in the linear area.
+
+If only part of an inner VLAN header is linearized, accessing
+h_vlan_encapsulated_proto reads past the linear area, and the following
+skb_pull(VLAN_HLEN) may violate skb invariants.
+
+Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and
+pulling each nested VLAN header. If the header still is not fully
+available, drop the packet through the existing error path.
+
+Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Ruide Cao <caoruide123@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_csum.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c
+index 2f2fb0f7cc714..277f6a93cc66e 100644
+--- a/net/sched/act_csum.c
++++ b/net/sched/act_csum.c
+@@ -602,8 +602,12 @@ static int tcf_csum_act(struct sk_buff *skb, const struct tc_action *a,
+ protocol = skb->protocol;
+ orig_vlan_tag_present = true;
+ } else {
+- struct vlan_hdr *vlan = (struct vlan_hdr *)skb->data;
++ struct vlan_hdr *vlan;
+
++ if (!pskb_may_pull(skb, VLAN_HLEN))
++ goto drop;
++
++ vlan = (struct vlan_hdr *)skb->data;
+ protocol = vlan->h_vlan_encapsulated_proto;
+ skb_pull(skb, VLAN_HLEN);
+ skb_reset_network_header(skb);
+--
+2.53.0
+
--- /dev/null
+From 428b47191c254eedcb0621284df3067696475bb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2026 17:39:47 +0800
+Subject: netfilter: ip6t_eui64: reject invalid MAC header for all packets
+
+From: Zhengchuan Liang <zcliangcn@gmail.com>
+
+[ Upstream commit fdce0b3590f724540795b874b4c8850c90e6b0a8 ]
+
+`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
+and compares it with the low 64 bits of the IPv6 source address.
+
+The existing guard only rejects an invalid MAC header when
+`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
+can still reach `eth_hdr(skb)` even when the MAC header is not valid.
+
+Fix this by removing the `par->fragoff != 0` condition so that packets
+with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/ip6t_eui64.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
+index d704f7ed300c2..da69a27e8332c 100644
+--- a/net/ipv6/netfilter/ip6t_eui64.c
++++ b/net/ipv6/netfilter/ip6t_eui64.c
+@@ -22,8 +22,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
+ unsigned char eui64[8];
+
+ if (!(skb_mac_header(skb) >= skb->head &&
+- skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
+- par->fragoff != 0) {
++ skb_mac_header(skb) + ETH_HLEN <= skb->data)) {
+ par->hotdrop = true;
+ return false;
+ }
+--
+2.53.0
+
--- /dev/null
+From c27d8e60e781dbe32a9a5622f0d60f259ee3824e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 14:20:57 -0700
+Subject: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE
+ terminator
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit 1f3083aec8836213da441270cdb1ab612dd82cf4 ]
+
+When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send()
+appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via
+nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put()
+helper only zeroes alignment padding after the payload, not the payload
+itself, so four bytes of stale kernel heap data are leaked to userspace
+in the NLMSG_DONE message body.
+
+Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes
+the nfgenmsg payload via nfnl_fill_hdr(), consistent with how
+__build_packet_message() already constructs NFULNL_MSG_PACKET headers.
+
+Fixes: 29c5d4afba51 ("[NETFILTER]: nfnetlink_log: fix sending of multipart messages")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_log.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
+index 37d10c3d19b60..db309c4167427 100644
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -350,10 +350,10 @@ static void
+ __nfulnl_send(struct nfulnl_instance *inst)
+ {
+ if (inst->qlen > 1) {
+- struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0,
+- NLMSG_DONE,
+- sizeof(struct nfgenmsg),
+- 0);
++ struct nlmsghdr *nlh = nfnl_msg_put(inst->skb, 0, 0,
++ NLMSG_DONE, 0,
++ AF_UNSPEC, NFNETLINK_V0,
++ htons(inst->group_num));
+ if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n",
+ inst->skb->len, skb_tailroom(inst->skb))) {
+ kfree_skb(inst->skb);
+--
+2.53.0
+
--- /dev/null
+From 038b423fc3a65ecb408155e447660bc537708d08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Mar 2026 14:10:55 +0100
+Subject: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
+ expiry
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit d3c0037ffe1273fa1961e779ff6906234d6cf53c ]
+
+New test case fails unexpectedly when avx2 matching functions are used.
+
+The test first loads a ranomly generated pipapo set
+with 'ipv4 . port' key, i.e. nft -f foo.
+
+This works. Then, it reloads the set after a flush:
+(echo flush set t s; cat foo) | nft -f -
+
+This is expected to work, because its the same set after all and it was
+already loaded once.
+
+But with avx2, this fails: nft reports a clashing element.
+
+The reported clash is of following form:
+
+ We successfully re-inserted
+ a . b
+ c . d
+
+Then we try to insert a . d
+
+avx2 finds the already existing a . d, which (due to 'flush set') is marked
+as invalid in the new generation. It skips the element and moves to next.
+
+Due to incorrect masking, the skip-step finds the next matching
+element *only considering the first field*,
+
+i.e. we return the already reinserted "a . b", even though the
+last field is different and the entry should not have been matched.
+
+No such error is reported for the generic c implementation (no avx2) or when
+the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.
+
+Bisection points to
+7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection")
+but that fix merely uncovers this bug.
+
+Before this commit, the wrong element is returned, but erronously
+reported as a full, identical duplicate.
+
+The root-cause is too early return in the avx2 match functions.
+When we process the last field, we should continue to process data
+until the entire input size has been consumed to make sure no stale
+bits remain in the map.
+
+Link: https://lore.kernel.org/netfilter-devel/20260321152506.037f68c0@elisabeth/
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_pipapo_avx2.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
+index cf5683afaf833..650bb3a457073 100644
+--- a/net/netfilter/nft_set_pipapo_avx2.c
++++ b/net/netfilter/nft_set_pipapo_avx2.c
+@@ -242,7 +242,7 @@ static int nft_pipapo_avx2_lookup_4b_2(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -319,7 +319,7 @@ static int nft_pipapo_avx2_lookup_4b_4(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -414,7 +414,7 @@ static int nft_pipapo_avx2_lookup_4b_8(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -505,7 +505,7 @@ static int nft_pipapo_avx2_lookup_4b_12(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -641,7 +641,7 @@ static int nft_pipapo_avx2_lookup_4b_32(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -699,7 +699,7 @@ static int nft_pipapo_avx2_lookup_8b_1(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -764,7 +764,7 @@ static int nft_pipapo_avx2_lookup_8b_2(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -839,7 +839,7 @@ static int nft_pipapo_avx2_lookup_8b_4(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -925,7 +925,7 @@ static int nft_pipapo_avx2_lookup_8b_6(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -1019,7 +1019,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+--
+2.53.0
+
--- /dev/null
+From d4d7dff4e05f9109541353edc67fba70ee236330 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 23:52:52 +0800
+Subject: netfilter: xt_multiport: validate range encoding in checkentry
+
+From: Ren Wei <n05ec@lzu.edu.cn>
+
+[ Upstream commit ff64c5bfef12461df8450e0f50bb693b5269c720 ]
+
+ports_match_v1() treats any non-zero pflags entry as the start of a
+port range and unconditionally consumes the next ports[] element as
+the range end.
+
+The checkentry path currently validates protocol, flags and count, but
+it does not validate the range encoding itself. As a result, malformed
+rules can mark the last slot as a range start or place two range starts
+back to back, leaving ports_match_v1() to step past the last valid
+ports[] element while interpreting the rule.
+
+Reject malformed multiport v1 rules in checkentry by validating that
+each range start has a following element and that the following element
+is not itself marked as another range start.
+
+Fixes: a89ecb6a2ef7 ("[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Yuhang Zheng <z1652074432@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_multiport.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
+index 44a00f5acde8a..a1691ff405d3c 100644
+--- a/net/netfilter/xt_multiport.c
++++ b/net/netfilter/xt_multiport.c
+@@ -105,6 +105,28 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
+ return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1]));
+ }
+
++static bool
++multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo)
++{
++ unsigned int i;
++
++ for (i = 0; i < multiinfo->count; i++) {
++ if (!multiinfo->pflags[i])
++ continue;
++
++ if (++i >= multiinfo->count)
++ return false;
++
++ if (multiinfo->pflags[i])
++ return false;
++
++ if (multiinfo->ports[i - 1] > multiinfo->ports[i])
++ return false;
++ }
++
++ return true;
++}
++
+ static inline bool
+ check(u_int16_t proto,
+ u_int8_t ip_invflags,
+@@ -127,8 +149,10 @@ static int multiport_mt_check(const struct xt_mtchk_param *par)
+ const struct ipt_ip *ip = par->entryinfo;
+ const struct xt_multiport_v1 *multiinfo = par->matchinfo;
+
+- return check(ip->proto, ip->invflags, multiinfo->flags,
+- multiinfo->count) ? 0 : -EINVAL;
++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count))
++ return -EINVAL;
++
++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL;
+ }
+
+ static int multiport_mt6_check(const struct xt_mtchk_param *par)
+@@ -136,8 +160,10 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par)
+ const struct ip6t_ip6 *ip = par->entryinfo;
+ const struct xt_multiport_v1 *multiinfo = par->matchinfo;
+
+- return check(ip->proto, ip->invflags, multiinfo->flags,
+- multiinfo->count) ? 0 : -EINVAL;
++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count))
++ return -EINVAL;
++
++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL;
+ }
+
+ static struct xt_match multiport_mt_reg[] __read_mostly = {
+--
+2.53.0
+
--- /dev/null
+From 4a4ed5811c8553b53f3279215a618d3a15fcf109 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 12:21:48 +0800
+Subject: nfc: s3fwrn5: allocate rx skb before consuming bytes
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 5c14a19d5b1645cce1cb1252833d70b23635b632 ]
+
+s3fwrn82_uart_read() reports the number of accepted bytes to the serdev
+core. The current code consumes bytes into recv_skb and may already
+deliver a complete frame before allocating a fresh receive buffer.
+
+If that alloc_skb() fails, the callback returns 0 even though it has
+already consumed bytes, and it leaves recv_skb as NULL for the next
+receive callback. That breaks the receive_buf() accounting contract and
+can also lead to a NULL dereference on the next skb_put_u8().
+
+Allocate the receive skb lazily before consuming the next byte instead.
+If allocation fails, return the number of bytes already accepted.
+
+Fixes: 3f52c2cb7e3a ("nfc: s3fwrn5: Support a UART interface")
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Link: https://patch.msgid.link/20260402042148.65236-1-pengpeng@iscas.ac.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/s3fwrn5/uart.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nfc/s3fwrn5/uart.c b/drivers/nfc/s3fwrn5/uart.c
+index 82ea35d748a5d..dde1a87ed1e47 100644
+--- a/drivers/nfc/s3fwrn5/uart.c
++++ b/drivers/nfc/s3fwrn5/uart.c
+@@ -59,6 +59,12 @@ static int s3fwrn82_uart_read(struct serdev_device *serdev,
+ size_t i;
+
+ for (i = 0; i < count; i++) {
++ if (!phy->recv_skb) {
++ phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL);
++ if (!phy->recv_skb)
++ return i;
++ }
++
+ skb_put_u8(phy->recv_skb, *data++);
+
+ if (phy->recv_skb->len < S3FWRN82_NCI_HEADER)
+@@ -70,9 +76,7 @@ static int s3fwrn82_uart_read(struct serdev_device *serdev,
+
+ s3fwrn5_recv_frame(phy->common.ndev, phy->recv_skb,
+ phy->common.mode);
+- phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL);
+- if (!phy->recv_skb)
+- return 0;
++ phy->recv_skb = NULL;
+ }
+
+ return i;
+--
+2.53.0
+
--- /dev/null
+From 5ec726c1e1de34ff794e72175b7acfc43d322069 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 14:07:42 -0700
+Subject: PCI: hv: Set default NUMA node to 0 for devices without affinity info
+
+From: Long Li <longli@microsoft.com>
+
+[ Upstream commit 7b3b1e5a87b2f5e35c52b5386d7c327be869454f ]
+
+When hv_pci_assign_numa_node() processes a device that does not have
+HV_PCI_DEVICE_FLAG_NUMA_AFFINITY set or has an out-of-range
+virtual_numa_node, the device NUMA node is left unset. On x86_64,
+the uninitialized default happens to be 0, but on ARM64 it is
+NUMA_NO_NODE (-1).
+
+Tests show that when no NUMA information is available from the Hyper-V
+host, devices perform best when assigned to node 0. With NUMA_NO_NODE
+the kernel may spread work across NUMA nodes, which degrades
+performance on Hyper-V, particularly for high-throughput devices like
+MANA.
+
+Always set the device NUMA node to 0 before the conditional NUMA
+affinity check, so that devices get a performant default when the host
+provides no NUMA information, and behavior is consistent on both
+x86_64 and ARM64.
+
+Fixes: 999dd956d838 ("PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2")
+Signed-off-by: Long Li <longli@microsoft.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-hyperv.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
+index ac47a6ee2e93b..7917ed426f6a7 100644
+--- a/drivers/pci/controller/pci-hyperv.c
++++ b/drivers/pci/controller/pci-hyperv.c
+@@ -1963,6 +1963,14 @@ static void hv_pci_assign_numa_node(struct hv_pcibus_device *hbus)
+ if (!hv_dev)
+ continue;
+
++ /*
++ * If the Hyper-V host doesn't provide a NUMA node for the
++ * device, default to node 0. With NUMA_NO_NODE the kernel
++ * may spread work across NUMA nodes, which degrades
++ * performance on Hyper-V.
++ */
++ set_dev_node(&dev->dev, 0);
++
+ if (hv_dev->desc.flags & HV_PCI_DEVICE_FLAG_NUMA_AFFINITY &&
+ hv_dev->desc.virtual_numa_node < num_possible_nodes())
+ /*
+--
+2.53.0
+
--- /dev/null
+From be4787f999f6cf06abe132f53b308492930919f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 10:40:48 -0700
+Subject: perf/x86/intel/uncore: Skip discovery table for offline dies
+
+From: Zide Chen <zide.chen@intel.com>
+
+[ Upstream commit 7b568e9eba2fad89a696f22f0413d44cf4a1f892 ]
+
+This warning can be triggered if NUMA is disabled and the system
+boots with fewer CPUs than the number of CPUs in die 0.
+
+WARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore]
+
+Currently, the discovery table continues to be parsed even if all CPUs
+in the associated die are offline. This can lead to an array overflow
+at "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which may
+trigger the warning above or cause other issues.
+
+Fixes: edae1f06c2cd ("perf/x86/intel/uncore: Parse uncore discovery tables")
+Reported-by: Steve Wahl <steve.wahl@hpe.com>
+Signed-off-by: Zide Chen <zide.chen@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Tested-by: Steve Wahl <steve.wahl@hpe.com>
+Link: https://patch.msgid.link/20260313174050.171704-3-zide.chen@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore_discovery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/events/intel/uncore_discovery.c b/arch/x86/events/intel/uncore_discovery.c
+index c8e1f9f0b466d..be7a63808462e 100644
+--- a/arch/x86/events/intel/uncore_discovery.c
++++ b/arch/x86/events/intel/uncore_discovery.c
+@@ -303,7 +303,7 @@ bool intel_uncore_has_discovery_tables(void)
+ (val & UNCORE_DISCOVERY_DVSEC2_BIR_MASK) * UNCORE_DISCOVERY_BIR_STEP;
+
+ die = get_device_die_id(dev);
+- if (die < 0)
++ if ((die < 0) || (die >= uncore_max_dies()))
+ continue;
+
+ parse_discovery_table(dev, die, bar_offset, &parsed);
+--
+2.53.0
+
--- /dev/null
+From 586954e30002594980059a3e273c175c7568fd7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 18:14:04 +0100
+Subject: pinctrl: intel: Fix the revision for new features (1kOhm PD, HW
+ debouncer)
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit a4337a24d13e9e3b98a113e71d6b80dc5ed5f8c4 ]
+
+The 1kOhm pull down and hardware debouncer are features of the revision 0.92
+of the Chassis specification. Fix that in the code accordingly.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/intel/pinctrl-intel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c
+index cc64eda155f57..3854600329628 100644
+--- a/drivers/pinctrl/intel/pinctrl-intel.c
++++ b/drivers/pinctrl/intel/pinctrl-intel.c
+@@ -1532,7 +1532,7 @@ static int intel_pinctrl_probe(struct platform_device *pdev,
+ value = readl(regs + REVID);
+ if (value == ~0u)
+ return -ENODEV;
+- if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x94) {
++ if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x92) {
+ community->features |= PINCTRL_FEATURE_DEBOUNCE;
+ community->features |= PINCTRL_FEATURE_1K_PD;
+ }
+--
+2.53.0
+
--- /dev/null
+alsa-asihpi-avoid-write-overflow-check-warning.patch
+asoc-sof-topology-reject-invalid-vendor-array-size-i.patch
+can-mcp251x-add-error-handling-for-power-enable-in-o.patch
+btrfs-tracepoints-get-correct-superblock-from-dentry.patch
+alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch
+srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch
+netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch
+wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch
+asoc-soc-core-call-missing-init_list_head-for-card_a.patch
+alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch
+fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch
+mips-mm-suppress-tlb-uniquification-on-ehinv-hardwar.patch
+pinctrl-intel-fix-the-revision-for-new-features-1koh.patch
+hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch
+hid-roccat-fix-use-after-free-in-roccat_report_event.patch
+ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch
+wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch
+asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch
+soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch
+arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch
+pci-hv-set-default-numa-node-to-0-for-devices-withou.patch
+drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch
+drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch
+drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch
+epoll-use-refcount-to-reduce-ep_mutex-contention.patch
+eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch
+net-sched-act_csum-validate-nested-vlan-headers.patch
+net-lapbether-handle-netdev_pre_type_change.patch
+ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch
+nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch
+tracing-probe-reject-non-closed-empty-immediate-stri.patch
+e1000-check-return-value-of-e1000_read_eeprom.patch
+xsk-tighten-umem-headroom-validation-to-account-for-.patch
+xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch
+xfrm_user-fix-info-leak-in-build_mapping.patch
+netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch
+netfilter-xt_multiport-validate-range-encoding-in-ch.patch
+netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch
+af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch
+l2tp-drop-large-packets-with-udp-encap.patch
+gpio-tegra-fix-irq_release_resources-calling-enable-.patch
+perf-x86-intel-uncore-skip-discovery-table-for-offli.patch
+clockevents-prevent-timer-interrupt-starvation.patch
+crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch
--- /dev/null
+From 102ef67d71ca0adc4a0d72757b68b7b73c0dde5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jan 2026 16:37:56 +0800
+Subject: soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching
+
+From: Potin Lai <potin.lai.pt@gmail.com>
+
+[ Upstream commit 7ec1bd3d9be671d04325b9e06149b8813f6a4836 ]
+
+The siliconid_to_name() function currently masks the input silicon ID
+with 0xff00ffff, but compares it against unmasked table entries. This
+causes matching to fail if the table entries contain non-zero values in
+the bits covered by the mask (bits 16-23).
+
+Update the logic to apply the 0xff00ffff mask to the table entries
+during comparison. This ensures that only the relevant model and
+revision bits are considered, providing a consistent match across
+different manufacturing batches.
+
+[arj: Add Fixes: tag, fix 'soninfo' typo, clarify function reference]
+
+Fixes: e0218dca5787 ("soc: aspeed: Add soc info driver")
+Signed-off-by: Potin Lai <potin.lai.pt@gmail.com>
+Link: https://patch.msgid.link/20260122-soc_aspeed_name_fix-v1-1-33a847f2581c@gmail.com
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/aspeed/aspeed-socinfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspeed-socinfo.c
+index 67e9ac3d08ecc..a90b100f4d101 100644
+--- a/drivers/soc/aspeed/aspeed-socinfo.c
++++ b/drivers/soc/aspeed/aspeed-socinfo.c
+@@ -39,7 +39,7 @@ static const char *siliconid_to_name(u32 siliconid)
+ unsigned int i;
+
+ for (i = 0 ; i < ARRAY_SIZE(rev_table) ; ++i) {
+- if (rev_table[i].id == id)
++ if ((rev_table[i].id & 0xff00ffff) == id)
+ return rev_table[i].name;
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 5efe1d8f2b1319e92136ce32ebcf1ad65ed65431 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 20:14:18 -0400
+Subject: srcu: Use irq_work to start GP in tiny SRCU
+
+From: Joel Fernandes <joelagnelf@nvidia.com>
+
+[ Upstream commit a6fc88b22bc8d12ad52e8412c667ec0f5bf055af ]
+
+Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(),
+which acquires the workqueue pool->lock.
+
+This causes a lockdep splat when call_srcu() is called with a scheduler
+lock held, due to:
+
+ call_srcu() [holding pi_lock]
+ srcu_gp_start_if_needed()
+ schedule_work() -> pool->lock
+
+ workqueue_init() / create_worker() [holding pool->lock]
+ wake_up_process() -> try_to_wake_up() -> pi_lock
+
+Also add irq_work_sync() to cleanup_srcu_struct() to prevent a
+use-after-free if a queued irq_work fires after cleanup begins.
+
+Tested with rcutorture SRCU-T and no lockdep warnings.
+
+[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work
+to start process_srcu()" ]
+
+Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
+Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Boqun Feng <boqun@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/srcutiny.h | 4 ++++
+ kernel/rcu/srcutiny.c | 19 ++++++++++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/srcutiny.h b/include/linux/srcutiny.h
+index 6cfaa0a9a9b96..db649b742fad5 100644
+--- a/include/linux/srcutiny.h
++++ b/include/linux/srcutiny.h
+@@ -11,6 +11,7 @@
+ #ifndef _LINUX_SRCU_TINY_H
+ #define _LINUX_SRCU_TINY_H
+
++#include <linux/irq_work_types.h>
+ #include <linux/swait.h>
+
+ struct srcu_struct {
+@@ -24,18 +25,21 @@ struct srcu_struct {
+ struct rcu_head *srcu_cb_head; /* Pending callbacks: Head. */
+ struct rcu_head **srcu_cb_tail; /* Pending callbacks: Tail. */
+ struct work_struct srcu_work; /* For driving grace periods. */
++ struct irq_work srcu_irq_work; /* Defer schedule_work() to irq work. */
+ #ifdef CONFIG_DEBUG_LOCK_ALLOC
+ struct lockdep_map dep_map;
+ #endif /* #ifdef CONFIG_DEBUG_LOCK_ALLOC */
+ };
+
+ void srcu_drive_gp(struct work_struct *wp);
++void srcu_tiny_irq_work(struct irq_work *irq_work);
+
+ #define __SRCU_STRUCT_INIT(name, __ignored) \
+ { \
+ .srcu_wq = __SWAIT_QUEUE_HEAD_INITIALIZER(name.srcu_wq), \
+ .srcu_cb_tail = &name.srcu_cb_head, \
+ .srcu_work = __WORK_INITIALIZER(name.srcu_work, srcu_drive_gp), \
++ .srcu_irq_work = { .func = srcu_tiny_irq_work }, \
+ __SRCU_DEP_MAP_INIT(name) \
+ }
+
+diff --git a/kernel/rcu/srcutiny.c b/kernel/rcu/srcutiny.c
+index a0ba2ed49bc61..f51436aab1951 100644
+--- a/kernel/rcu/srcutiny.c
++++ b/kernel/rcu/srcutiny.c
+@@ -9,6 +9,7 @@
+ */
+
+ #include <linux/export.h>
++#include <linux/irq_work.h>
+ #include <linux/mutex.h>
+ #include <linux/preempt.h>
+ #include <linux/rcupdate_wait.h>
+@@ -37,6 +38,7 @@ static int init_srcu_struct_fields(struct srcu_struct *ssp)
+ ssp->srcu_idx_max = 0;
+ INIT_WORK(&ssp->srcu_work, srcu_drive_gp);
+ INIT_LIST_HEAD(&ssp->srcu_work.entry);
++ init_irq_work(&ssp->srcu_irq_work, srcu_tiny_irq_work);
+ return 0;
+ }
+
+@@ -80,6 +82,7 @@ EXPORT_SYMBOL_GPL(init_srcu_struct);
+ void cleanup_srcu_struct(struct srcu_struct *ssp)
+ {
+ WARN_ON(ssp->srcu_lock_nesting[0] || ssp->srcu_lock_nesting[1]);
++ irq_work_sync(&ssp->srcu_irq_work);
+ flush_work(&ssp->srcu_work);
+ WARN_ON(ssp->srcu_gp_running);
+ WARN_ON(ssp->srcu_gp_waiting);
+@@ -155,6 +158,20 @@ void srcu_drive_gp(struct work_struct *wp)
+ }
+ EXPORT_SYMBOL_GPL(srcu_drive_gp);
+
++/*
++ * Use an irq_work to defer schedule_work() to avoid acquiring the workqueue
++ * pool->lock while the caller might hold scheduler locks, causing lockdep
++ * splats due to workqueue_init() doing a wakeup.
++ */
++void srcu_tiny_irq_work(struct irq_work *irq_work)
++{
++ struct srcu_struct *ssp;
++
++ ssp = container_of(irq_work, struct srcu_struct, srcu_irq_work);
++ schedule_work(&ssp->srcu_work);
++}
++EXPORT_SYMBOL_GPL(srcu_tiny_irq_work);
++
+ static void srcu_gp_start_if_needed(struct srcu_struct *ssp)
+ {
+ unsigned short cookie;
+@@ -165,7 +182,7 @@ static void srcu_gp_start_if_needed(struct srcu_struct *ssp)
+ WRITE_ONCE(ssp->srcu_idx_max, cookie);
+ if (!READ_ONCE(ssp->srcu_gp_running)) {
+ if (likely(srcu_init_done))
+- schedule_work(&ssp->srcu_work);
++ irq_work_queue(&ssp->srcu_irq_work);
+ else if (list_empty(&ssp->srcu_work.entry))
+ list_add(&ssp->srcu_work.entry, &srcu_boot_list);
+ }
+--
+2.53.0
+
--- /dev/null
+From cca9b160402aaf65fd9cf8ab88c25e85567d3209 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 00:03:15 +0800
+Subject: tracing/probe: reject non-closed empty immediate strings
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 4346be6577aaa04586167402ae87bbdbe32484a4 ]
+
+parse_probe_arg() accepts quoted immediate strings and passes the body
+after the opening quote to __parse_imm_string(). That helper currently
+computes strlen(str) and immediately dereferences str[len - 1], which
+underflows when the body is empty and not closed with double-quotation.
+
+Reject empty non-closed immediate strings before checking for the closing quote.
+
+Link: https://lore.kernel.org/all/20260401160315.88518-1-pengpeng@iscas.ac.cn/
+
+Fixes: a42e3c4de964 ("tracing/probe: Add immediate string parameter support")
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_probe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
+index 38fa6cc118daf..47044927a7269 100644
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -362,7 +362,7 @@ static int __parse_imm_string(char *str, char **pbuf, int offs)
+ {
+ size_t len = strlen(str);
+
+- if (str[len - 1] != '"') {
++ if (!len || str[len - 1] != '"') {
+ trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE);
+ return -EINVAL;
+ }
+--
+2.53.0
+
--- /dev/null
+From 0712bb2e79d8cf23f0cecf6bb40e610329358b34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 15:45:51 +0800
+Subject: wifi: brcmfmac: validate bsscfg indices in IF events
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ]
+
+brcmf_fweh_handle_if_event() validates the firmware-provided interface
+index before it touches drvr->iflist[], but it still uses the raw
+bsscfgidx field as an array index without a matching range check.
+
+Reject IF events whose bsscfg index does not fit in drvr->iflist[]
+before indexing the interface array.
+
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn
+[add missing wifi prefix]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+index dac7eb77799bd..e6be192dc0af2 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+@@ -151,6 +151,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr,
+ bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx);
+ return;
+ }
++ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) {
++ bphy_err(drvr, "invalid bsscfg index: %u\n",
++ ifevent->bsscfgidx);
++ return;
++ }
+
+ ifp = drvr->iflist[ifevent->bsscfgidx];
+
+--
+2.53.0
+
--- /dev/null
+From 6ed77c1e8cfbd45427c5473798413356704a6240 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 16:08:45 +0800
+Subject: wifi: wl1251: validate packet IDs before indexing tx_frames
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 ]
+
+wl1251_tx_packet_cb() uses the firmware completion ID directly to index
+the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the
+completion block, and the callback does not currently verify that it
+fits the array before dereferencing it.
+
+Reject completion IDs that fall outside wl->tx_frames[] and keep the
+existing NULL check in the same guard. This keeps the fix local to the
+trust boundary and avoids touching the rest of the completion flow.
+
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl1251/tx.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c
+index 5771f61392efb..7f406c086ca56 100644
+--- a/drivers/net/wireless/ti/wl1251/tx.c
++++ b/drivers/net/wireless/ti/wl1251/tx.c
+@@ -402,12 +402,14 @@ static void wl1251_tx_packet_cb(struct wl1251 *wl,
+ int hdrlen;
+ u8 *frame;
+
+- skb = wl->tx_frames[result->id];
+- if (skb == NULL) {
+- wl1251_error("SKB for packet %d is NULL", result->id);
++ if (unlikely(result->id >= ARRAY_SIZE(wl->tx_frames) ||
++ wl->tx_frames[result->id] == NULL)) {
++ wl1251_error("invalid packet id %u", result->id);
+ return;
+ }
+
++ skb = wl->tx_frames[result->id];
++
+ info = IEEE80211_SKB_CB(skb);
+
+ if (!(info->flags & IEEE80211_TX_CTL_NO_ACK) &&
+--
+2.53.0
+
--- /dev/null
+From 826fc42aff385f6259f9aa52e996dafe873e0abc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 13:31:04 +0200
+Subject: xfrm: Wait for RCU readers during policy netns exit
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+[ Upstream commit 069daad4f2ae9c5c108131995529d5f02392c446 ]
+
+xfrm_policy_fini() frees the policy_bydst hash tables after flushing the
+policy work items and deleting all policies, but it does not wait for
+concurrent RCU readers to leave their read-side critical sections first.
+
+The policy_bydst tables are published via rcu_assign_pointer() and are
+looked up through rcu_dereference_check(), so netns teardown must also
+wait for an RCU grace period before freeing the table memory.
+
+Fix this by adding synchronize_rcu() before freeing the policy hash tables.
+
+Fixes: e1e551bc5630 ("xfrm: policy: prepare policy_bydst hash for rcu lookups")
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_policy.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 851029a5383a2..29b3db09e19cf 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -4125,6 +4125,8 @@ static void xfrm_policy_fini(struct net *net)
+ #endif
+ xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false);
+
++ synchronize_rcu();
++
+ WARN_ON(!list_empty(&net->xfrm.policy_all));
+
+ for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
+--
+2.53.0
+
--- /dev/null
+From a4c27a1f999d9dfd5be1a7462f9674025b196237 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 17:33:03 +0200
+Subject: xfrm_user: fix info leak in build_mapping()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit 1beb76b2053b68c491b78370794b8ff63c8f8c02 ]
+
+struct xfrm_usersa_id has a one-byte padding hole after the proto
+field, which ends up never getting set to zero before copying out to
+userspace. Fix that up by zeroing out the whole structure before
+setting individual variables.
+
+Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink")
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Simon Horman <horms@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index dcf433894951d..7e09ab9c34af8 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -3592,6 +3592,7 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x,
+
+ um = nlmsg_data(nlh);
+
++ memset(&um->id, 0, sizeof(um->id));
+ memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr));
+ um->id.spi = x->id.spi;
+ um->id.family = x->props.family;
+--
+2.53.0
+
--- /dev/null
+From 5537170f675b1c81f40dde7ad15afe1516836d24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:51 +0200
+Subject: xsk: tighten UMEM headroom validation to account for tailroom and min
+ frame
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit a315e022a72d95ef5f1d4e58e903cb492b0ad931 ]
+
+The current headroom validation in xdp_umem_reg() could leave us with
+insufficient space dedicated to even receive minimum-sized ethernet
+frame. Furthermore if multi-buffer would come to play then
+skb_shared_info stored at the end of XSK frame would be corrupted.
+
+HW typically works with 128-aligned sizes so let us provide this value
+as bare minimum.
+
+Multi-buffer setting is known later in the configuration process so
+besides accounting for 128 bytes, let us also take care of tailroom space
+upfront.
+
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Fixes: 99e3a236dd43 ("xsk: Add missing check on user supplied headroom size")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-2-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xdp_umem.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
+index 65f918d29531d..f247fc4de9e10 100644
+--- a/net/xdp/xdp_umem.c
++++ b/net/xdp/xdp_umem.c
+@@ -198,7 +198,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+ if (!unaligned_chunks && chunks_rem)
+ return -EINVAL;
+
+- if (headroom >= chunk_size - XDP_PACKET_HEADROOM)
++ if (headroom > chunk_size - XDP_PACKET_HEADROOM -
++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) - 128)
+ return -EINVAL;
+
+ umem->size = size;
+--
+2.53.0
+
--- /dev/null
+From 3a4774206b7a25022ad87be5b14297ef9adb261b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 16:00:14 +0800
+Subject: af_unix: read UNIX_DIAG_VFS data under unix_state_lock
+
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+
+[ Upstream commit 39897df386376912d561d4946499379effa1e7ef ]
+
+Exact UNIX diag lookups hold a reference to the socket, but not to
+u->path. Meanwhile, unix_release_sock() clears u->path under
+unix_state_lock() and drops the path reference after unlocking.
+
+Read the inode and device numbers for UNIX_DIAG_VFS while holding
+unix_state_lock(), then emit the netlink attribute after dropping the
+lock.
+
+This keeps the VFS data stable while the reply is being built.
+
+Fixes: 5f7b0569460b ("unix_diag: Unix inode info NLA")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260407080015.1744197-1-n05ec@lzu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/diag.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/net/unix/diag.c b/net/unix/diag.c
+index a6bd861314df0..169d068064bba 100644
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -26,18 +26,23 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb)
+
+ static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb)
+ {
+- struct dentry *dentry = unix_sk(sk)->path.dentry;
++ struct unix_diag_vfs uv;
++ struct dentry *dentry;
++ bool have_vfs = false;
+
++ unix_state_lock(sk);
++ dentry = unix_sk(sk)->path.dentry;
+ if (dentry) {
+- struct unix_diag_vfs uv = {
+- .udiag_vfs_ino = d_backing_inode(dentry)->i_ino,
+- .udiag_vfs_dev = dentry->d_sb->s_dev,
+- };
+-
+- return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);
++ uv.udiag_vfs_ino = d_backing_inode(dentry)->i_ino;
++ uv.udiag_vfs_dev = dentry->d_sb->s_dev;
++ have_vfs = true;
+ }
++ unix_state_unlock(sk);
+
+- return 0;
++ if (!have_vfs)
++ return 0;
++
++ return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);
+ }
+
+ static int sk_diag_dump_peer(struct sock *sk, struct sk_buff *nlskb)
+--
+2.53.0
+
--- /dev/null
+From 3ecb98935171b8ca25ad11e553994bb75b5f532d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 13:40:07 +0100
+Subject: ALSA: asihpi: avoid write overflow check warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 591721223be9e28f83489a59289579493b8e3d83 ]
+
+clang-22 rightfully warns that the memcpy() in adapter_prepare() copies
+between different structures, crossing the boundary of nested
+structures inside it:
+
+In file included from sound/pci/asihpi/hpimsgx.c:13:
+In file included from include/linux/string.h:386:
+include/linux/fortify-string.h:569:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
+ 569 | __write_overflow_field(p_size_field, size);
+
+The two structures seem to refer to the same layout, despite the
+separate definitions, so the code is in fact correct.
+
+Avoid the warning by copying the two inner structures separately.
+I see the same pattern happens in other functions in the same file,
+so there is a chance that this may come back in the future, but
+this instance is the only one that I saw in practice, hitting it
+multiple times per day in randconfig build.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://patch.msgid.link/20260318124016.3488566-1-arnd@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/asihpi/hpimsgx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c
+index b68e6bfbbfbab..ed1c7b7744361 100644
+--- a/sound/pci/asihpi/hpimsgx.c
++++ b/sound/pci/asihpi/hpimsgx.c
+@@ -581,8 +581,10 @@ static u16 adapter_prepare(u16 adapter)
+ HPI_ADAPTER_OPEN);
+ hm.adapter_index = adapter;
+ hw_entry_point(&hm, &hr);
+- memcpy(&rESP_HPI_ADAPTER_OPEN[adapter], &hr,
+- sizeof(rESP_HPI_ADAPTER_OPEN[0]));
++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].h, &hr,
++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].h));
++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].a, &hr.u.ax.info,
++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].a));
+ if (hr.error)
+ return hr.error;
+
+--
+2.53.0
+
--- /dev/null
+From e728f6a1dc55b5edbad647409104edb4759ab905 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 01:08:51 +0000
+Subject: ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk
+
+From: Andrii Kovalchuk <coderpy4@proton.me>
+
+[ Upstream commit 793b008cd39516385791a1d1d223d817e947a471 ]
+
+Add a PCI quirk for HP ENVY Laptop 13-ba0xxx (PCI device ID 0x8756)
+to enable proper mute LED and mic mute behavior using the
+ALC245_FIXUP_HP_X360_MUTE_LEDS fixup.
+
+Signed-off-by: Andrii Kovalchuk <coderpy4@proton.me>
+Link: https://patch.msgid.link/u0s-uRVegF9BN0t-4JnOUwsIAR-mVc4U4FJfJHdEHX7ro_laErHD9y35NebWybcN16gVaVHPJo1ap3AoJ1a2gqJImPvThgeNt_SYVY1KaDw=@proton.me
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 9d6b3a6b8ed26..6048ad6319e3b 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9938,6 +9938,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8735, "HP ProBook 435 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT),
++ SND_PCI_QUIRK(0x103c, 0x8756, "HP ENVY Laptop 13-ba0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS),
+ SND_PCI_QUIRK(0x103c, 0x8760, "HP EliteBook 8{4,5}5 G7", ALC285_FIXUP_HP_BEEP_MICMUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x876e, "HP ENVY x360 Convertible 13-ay0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS),
+ SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED),
+--
+2.53.0
+
--- /dev/null
+From e825d39b6b4ecf452902e372fb01757a4e5d38e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Mar 2026 10:36:03 -0500
+Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: César Montoya <sprit152009@gmail.com>
+
+[ Upstream commit 2f388b4e8fdd6b0f27cafd281658daacfd85807e ]
+
+The HP Pavilion 15-eg0xxx with subsystem ID 0x103c87cb uses a Realtek
+ALC287 codec with a mute LED wired to GPIO pin 4 (mask 0x10). The
+existing ALC287_FIXUP_HP_GPIO_LED fixup already handles this correctly,
+but the subsystem ID was missing from the quirk table.
+
+GPIO pin confirmed via manual hda-verb testing:
+ hda-verb SET_GPIO_MASK 0x10
+ hda-verb SET_GPIO_DIRECTION 0x10
+ hda-verb SET_GPIO_DATA 0x10
+
+Signed-off-by: César Montoya <sprit152009@gmail.com>
+Link: https://patch.msgid.link/20260321153603.12771-1-sprit152009@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 6048ad6319e3b..6bffce599c961 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9952,6 +9952,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x87cb, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+--
+2.53.0
+
--- /dev/null
+From 6e850e01ca1e7cdf9db9ae9fb718e03691dba0e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 10:54:40 -0500
+Subject: ALSA: hda/realtek: add quirk for Framework F111:000F
+
+From: Dustin L. Howett <dustin@howett.net>
+
+[ Upstream commit bac1e57adf08c9ee33e95fb09cd032f330294e70 ]
+
+Similar to commit 7b509910b3ad ("ALSA hda/realtek: Add quirk for
+Framework F111:000C") and previous quirks for Framework systems with
+Realtek codecs.
+
+000F is another new platform with an ALC285 which needs the same quirk.
+
+Signed-off-by: Dustin L. Howett <dustin@howett.net>
+Link: https://patch.msgid.link/20260327-framework-alsa-000f-v1-1-74013aba1c00@howett.net
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 6bffce599c961..82de15e176746 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10474,6 +10474,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x000b, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x000c, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0xf111, 0x000f, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+
+ #if 0
+ /* Below is a quirk table taken from the old code.
+--
+2.53.0
+
--- /dev/null
+From 28a06398ea01ee5445cfd17a5b966f2e9e54328f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2026 09:26:51 +0800
+Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10
+
+From: songxiebing <songxiebing@kylinos.cn>
+
+[ Upstream commit f0541edb2e7333f320642c7b491a67912c1f65db ]
+
+The bass speakers are not working, and add the following entry
+in /etc/modprobe.d/snd.conf:
+options snd-sof-intel-hda-generic hda_model=alc287-yoga9-bass-spk-pin
+Fixes the bass speakers.
+
+So add the quick ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN here.
+
+Reported-by: Fernando Garcia Corona <fgarcor@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221317
+Signed-off-by: songxiebing <songxiebing@kylinos.cn>
+Link: https://patch.msgid.link/20260405012651.133838-1-songxiebing@kylinos.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 82de15e176746..0889dfd80fa44 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10396,6 +10396,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x3869, "Lenovo Yoga7 14IAL7", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x17aa, 0x390d, "Lenovo Yoga Pro 7 14ASP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
++ SND_PCI_QUIRK(0x17aa, 0x3911, "Lenovo Yoga Pro 7 14IAH10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3913, "Lenovo 145", ALC236_FIXUP_LENOVO_INV_DMIC),
+ SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
+ SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+--
+2.53.0
+
--- /dev/null
+From 83c28432042805f2c1524d38b53d2ab833a218b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Mar 2026 08:07:34 +0000
+Subject: ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex
+
+From: Phil Willoughby <willerz@gmail.com>
+
+[ Upstream commit bc5b4e5ae1a67700a618328217b6a3bd0f296e97 ]
+
+The NeuralDSP Quad Cortex does not support DSD playback. We need
+this product-specific entry with zero quirks because otherwise it
+falls through to the vendor-specific entry which marks it as
+supporting DSD playback.
+
+Cc: Yue Wang <yuleopen@gmail.com>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Signed-off-by: Phil Willoughby <willerz@gmail.com>
+Link: https://patch.msgid.link/20260328080921.3310-1-willerz@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 74828de545e22..23361e78189d0 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -2177,6 +2177,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
+ QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB),
+ DEVICE_FLG(0x13e5, 0x0001, /* Serato Phono */
+ QUIRK_FLAG_IGNORE_CTL_ERROR),
++ DEVICE_FLG(0x152a, 0x880a, /* NeuralDSP Quad Cortex */
++ 0), /* Doesn't have the vendor quirk which would otherwise apply */
+ DEVICE_FLG(0x154e, 0x1002, /* Denon DCD-1500RE */
+ QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY),
+ DEVICE_FLG(0x154e, 0x1003, /* Denon DA-300USB */
+--
+2.53.0
+
--- /dev/null
+From 5d4920ace48fb96e599e34938bc9126b9cb1e444 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jan 2026 00:28:28 +0100
+Subject: arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency
+
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+
+[ Upstream commit 1f99b5d93d99ca17d50b386a674d0ce1f20932d8 ]
+
+According to i.MX 8M Quad Reference Manual, GPU_AHB_CLK_ROOT's maximum
+frequency is 400MHz.
+
+Fixes: 45d2c84eb3a2 ("arm64: dts: imx8mq: add GPU node")
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+index e642cb7d54d77..25b0017eb7363 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+@@ -1411,7 +1411,7 @@ gpu: gpu@38000000 {
+ <&clk IMX8MQ_GPU_PLL_OUT>,
+ <&clk IMX8MQ_GPU_PLL>;
+ assigned-clock-rates = <800000000>, <800000000>,
+- <800000000>, <800000000>, <0>;
++ <800000000>, <400000000>, <0>;
+ power-domains = <&pgc_gpu>;
+ };
+
+--
+2.53.0
+
--- /dev/null
+From 2ff3acbaf1bfe7cb7597d3967f6fe2b9a1132121 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 02:43:48 +0100
+Subject: ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gilson Marquato Júnior <gilsonmandalogo@hotmail.com>
+
+[ Upstream commit 8ec017cf31299c4b6287ebe27afe81c986aeef88 ]
+
+The HP Laptop 15-fc0xxx (subsystem ID 0x103c8dc9) has an internal
+DMIC connected to the AMD ACP6x audio coprocessor. Add a DMI quirk
+entry so the internal microphone is properly detected on this model.
+
+Tested on HP Laptop 15-fc0237ns with Fedora 43 (kernel 6.19.9).
+
+Signed-off-by: Gilson Marquato Júnior <gilsonmandalogo@hotmail.com>
+Link: https://patch.msgid.link/20260330-hp-15-fc0xxx-dmic-v2-v1-1-6dd6f53a1917@hotmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index d650091d3f302..c9bc2289d3661 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -45,6 +45,13 @@ static struct snd_soc_card acp6x_card = {
+ };
+
+ static const struct dmi_system_id yc_acp_quirk_table[] = {
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Laptop 15-fc0xxx"),
++ }
++ },
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+--
+2.53.0
+
--- /dev/null
+From 5c52fb28d1af9084560ef6ca5a682ee9d5ed7f2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 21:25:12 +0700
+Subject: ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA
+
+From: Vee Satayamas <vsatayamas@gmail.com>
+
+[ Upstream commit f200b2f9a810c440c6750b56fc647b73337749a1 ]
+
+Add a DMI quirk for the Asus Expertbook BM1403CDA to resolve the issue of the
+internal microphone not being detected.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=221236
+Signed-off-by: Vee Satayamas <vsatayamas@gmail.com>
+Reviewed-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260315142511.66029-2-vsatayamas@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index 991f8777cc859..be510328c5a0c 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -563,6 +563,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "PM1503CDA"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"),
++ }
++ },
+ {}
+ };
+
+--
+2.53.0
+
--- /dev/null
+From fdaced64edc35e45e3233dc1b387e081be994256 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 16:02:18 +0800
+Subject: ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF
+
+From: Zhang Heng <zhangheng@kylinos.cn>
+
+[ Upstream commit 1f182ec9d7084db7dfdb2372d453c28f0e5c3f0a ]
+
+Add a DMI quirk for the Thin A15 B7VF fixing the issue where
+the internal microphone was not detected.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=220833
+Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260316080218.2931304-1-zhangheng@kylinos.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index be510328c5a0c..d650091d3f302 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -570,6 +570,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Thin A15 B7VE"),
++ }
++ },
+ {}
+ };
+
+--
+2.53.0
+
--- /dev/null
+From fefb8e3c00bb11f2133f960c283c429cc9b306c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 02:43:54 +0000
+Subject: ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit b9eff9732cb0f86a68c9d1592a98ceab47c01e95 ]
+
+Component has "card_aux_list" which is added/deled in bind/unbind aux dev
+function (A), and used in for_each_card_auxs() loop (B).
+
+ static void soc_unbind_aux_dev(...)
+ {
+ ...
+ for_each_card_auxs_safe(...) {
+ ...
+(A) list_del(&component->card_aux_list);
+ } ^^^^^^^^^^^^^
+ }
+
+ static int soc_bind_aux_dev(...)
+ {
+ ...
+ for_each_card_pre_auxs(...) {
+ ...
+(A) list_add(&component->card_aux_list, ...);
+ } ^^^^^^^^^^^^^
+ ...
+ }
+
+ #define for_each_card_auxs(card, component) \
+(B) list_for_each_entry(component, ..., card_aux_list)
+ ^^^^^^^^^^^^^
+
+But it has been used without calling INIT_LIST_HEAD().
+
+ > git grep card_aux_list sound/soc
+ sound/soc/soc-core.c: list_del(&component->card_aux_list);
+ sound/soc/soc-core.c: list_add(&component->card_aux_list, ...);
+
+call missing INIT_LIST_HEAD() for it.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://patch.msgid.link/87341mxa8l.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index dfd58d9db7c1f..33c991e578629 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -2618,6 +2618,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component,
+ INIT_LIST_HEAD(&component->dobj_list);
+ INIT_LIST_HEAD(&component->card_list);
+ INIT_LIST_HEAD(&component->list);
++ INIT_LIST_HEAD(&component->card_aux_list);
+ mutex_init(&component->io_mutex);
+
+ component->name = fmt_single_name(dev, &component->id);
+--
+2.53.0
+
--- /dev/null
+From 2604ef8eef5f29edb873a2b178923e253b7aa20e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 21:45:26 -0300
+Subject: ASoC: SOF: topology: reject invalid vendor array size in token parser
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+[ Upstream commit 215e5fe75881a7e2425df04aeeed47a903d5cd5d ]
+
+sof_parse_token_sets() accepts array->size values that can be invalid
+for a vendor tuple array header. In particular, a zero size does not
+advance the parser state and can lead to non-progress parsing on
+malformed topology data.
+
+Validate array->size against the minimum header size and reject values
+smaller than sizeof(*array) before parsing. This preserves behavior for
+valid topologies and hardens malformed-input handling.
+
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
+index 374c8b1d69584..d803111e36385 100644
+--- a/sound/soc/sof/topology.c
++++ b/sound/soc/sof/topology.c
+@@ -678,7 +678,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
+ asize = le32_to_cpu(array->size);
+
+ /* validate asize */
+- if (asize < 0) { /* FIXME: A zero-size array makes no sense */
++ if (asize < sizeof(*array)) {
+ dev_err(scomp->dev, "error: invalid array size 0x%x\n",
+ asize);
+ return -EINVAL;
+--
+2.53.0
+
--- /dev/null
+From 15f47f178f95b693e0bcf87874ff98f03169948f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2026 10:40:56 +0200
+Subject: ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
+
+From: Tomasz Merta <tomasz.merta@arrow.com>
+
+[ Upstream commit 0669631dbccd41cf3ca7aa70213fcd8bb41c4b38 ]
+
+The STM32 SAI driver do not set the clock strobing bit (CKSTR) for DSP_A,
+DSP_B and LEFT_J formats, causing data to be sampled on the wrong BCLK
+edge when SND_SOC_DAIFMT_NB_NF is used.
+
+Per ALSA convention, NB_NF requires sampling on the rising BCLK edge.
+The STM32MP25 SAI reference manual states that CKSTR=1 is required for
+signals received by the SAI to be sampled on the SCK rising edge.
+Without setting CKSTR=1, the SAI samples on the falling edge, violating
+the NB_NF convention. For comparison, the NXP FSL SAI driver correctly
+sets FSL_SAI_CR2_BCP for DSP_A, DSP_B and LEFT_J, consistent with its
+I2S handling.
+
+This patch adds SAI_XCR1_CKSTR for DSP_A, DSP_B and LEFT_J in
+stm32_sai_set_dai_fmt which was verified empirically with a cs47l35 codec.
+RIGHT_J (LSB) is not investigated and addressed by this patch.
+
+Note: the STM32 I2S driver (stm32_i2s_set_dai_fmt) may have the same issue
+for DSP_A mode, as I2S_CGFR_CKPOL is not set. This has not been verified
+and is left for a separate investigation.
+
+Signed-off-by: Tomasz Merta <tommerta@gmail.com>
+Link: https://patch.msgid.link/20260408084056.20588-1-tommerta@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/stm/stm32_sai_sub.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c
+index 8653be3c206ea..927834b4123f5 100644
+--- a/sound/soc/stm/stm32_sai_sub.c
++++ b/sound/soc/stm/stm32_sai_sub.c
+@@ -669,6 +669,7 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt)
+ break;
+ /* Left justified */
+ case SND_SOC_DAIFMT_MSB:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF;
+ break;
+ /* Right justified */
+@@ -676,9 +677,11 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt)
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF;
+ break;
+ case SND_SOC_DAIFMT_DSP_A:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSOFF;
+ break;
+ case SND_SOC_DAIFMT_DSP_B:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL;
+ break;
+ default:
+--
+2.53.0
+
--- /dev/null
+From 25381bbb67f1ca782c5c5d1ee132af06c7abaa32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 15:23:35 -0700
+Subject: ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585
+
+From: Arthur Husband <artmoty@gmail.com>
+
+[ Upstream commit 105c42566a550e2d05fc14f763216a8765ee5d0e ]
+
+The JMicron JMB585 (and JMB582) SATA controllers advertise 64-bit DMA
+support via the S64A bit in the AHCI CAP register, but their 64-bit DMA
+implementation is defective. Under sustained I/O, DMA transfers targeting
+addresses above 4GB silently corrupt data -- writes land at incorrect
+memory addresses with no errors logged.
+
+The failure pattern is similar to the ASMedia ASM1061
+(commit 20730e9b2778 ("ahci: add 43-bit DMA address quirk for ASMedia
+ASM1061 controllers")), which also falsely advertised full 64-bit DMA
+support. However, the JMB585 requires a stricter 32-bit DMA mask rather
+than 43-bit, as corruption occurs with any address above 4GB.
+
+On the Minisforum N5 Pro specifically, the combination of the JMB585's
+broken 64-bit DMA with the AMD Family 1Ah (Strix Point) IOMMU causes
+silent data corruption that is only detectable via checksumming
+filesystems (BTRFS/ZFS scrub). The corruption occurs when 32-bit IOVA
+space is exhausted and the kernel transparently switches to 64-bit DMA
+addresses.
+
+Add device-specific PCI ID entries for the JMB582 (0x0582) and JMB585
+(0x0585) before the generic JMicron class match, using a new board type
+that combines AHCI_HFLAG_IGN_IRQ_IF_ERR (preserving existing behavior)
+with AHCI_HFLAG_32BIT_ONLY to force 32-bit DMA masks.
+
+Signed-off-by: Arthur Husband <artmoty@gmail.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/ahci.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index a4b0a499b67d4..c9fbf824901e2 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -61,6 +61,7 @@ enum board_ids {
+ /* board IDs for specific chipsets in alphabetical order */
+ board_ahci_al,
+ board_ahci_avn,
++ board_ahci_jmb585,
+ board_ahci_mcp65,
+ board_ahci_mcp77,
+ board_ahci_mcp89,
+@@ -200,6 +201,15 @@ static const struct ata_port_info ahci_port_info[] = {
+ .udma_mask = ATA_UDMA6,
+ .port_ops = &ahci_avn_ops,
+ },
++ /* JMicron JMB582/585: 64-bit DMA is broken, force 32-bit */
++ [board_ahci_jmb585] = {
++ AHCI_HFLAGS (AHCI_HFLAG_IGN_IRQ_IF_ERR |
++ AHCI_HFLAG_32BIT_ONLY),
++ .flags = AHCI_FLAG_COMMON,
++ .pio_mask = ATA_PIO4,
++ .udma_mask = ATA_UDMA6,
++ .port_ops = &ahci_ops,
++ },
+ [board_ahci_mcp65] = {
+ AHCI_HFLAGS (AHCI_HFLAG_NO_FPDMA_AA | AHCI_HFLAG_NO_PMP |
+ AHCI_HFLAG_YES_NCQ),
+@@ -433,6 +443,10 @@ static const struct pci_device_id ahci_pci_tbl[] = {
+ /* Elkhart Lake IDs 0x4b60 & 0x4b62 https://sata-io.org/product/8803 not tested yet */
+ { PCI_VDEVICE(INTEL, 0x4b63), board_ahci_low_power }, /* Elkhart Lake AHCI */
+
++ /* JMicron JMB582/585: force 32-bit DMA (broken 64-bit implementation) */
++ { PCI_VDEVICE(JMICRON, 0x0582), board_ahci_jmb585 },
++ { PCI_VDEVICE(JMICRON, 0x0585), board_ahci_jmb585 },
++
+ /* JMicron 360/1/3/5/6, match class to avoid IDE function */
+ { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
+ PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci_ign_iferr },
+--
+2.53.0
+
--- /dev/null
+From f3a677a3c1a7ba1fb2e4dcb2ae37274216f111b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 14:11:39 -0400
+Subject: btrfs: tracepoints: get correct superblock from dentry in event
+ btrfs_sync_file()
+
+From: Goldwyn Rodrigues <rgoldwyn@suse.de>
+
+[ Upstream commit a85b46db143fda5869e7d8df8f258ccef5fa1719 ]
+
+If overlay is used on top of btrfs, dentry->d_sb translates to overlay's
+super block and fsid assignment will lead to a crash.
+
+Use file_inode(file)->i_sb to always get btrfs_sb.
+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/btrfs.h | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h
+index 31847ccae4936..8054ce54807de 100644
+--- a/include/trace/events/btrfs.h
++++ b/include/trace/events/btrfs.h
+@@ -760,12 +760,15 @@ TRACE_EVENT(btrfs_sync_file,
+ ),
+
+ TP_fast_assign(
+- const struct dentry *dentry = file->f_path.dentry;
+- const struct inode *inode = d_inode(dentry);
++ struct dentry *dentry = file_dentry(file);
++ struct inode *inode = file_inode(file);
++ struct dentry *parent = dget_parent(dentry);
++ struct inode *parent_inode = d_inode(parent);
+
+- TP_fast_assign_fsid(btrfs_sb(file->f_path.dentry->d_sb));
++ dput(parent);
++ TP_fast_assign_fsid(btrfs_sb(inode->i_sb));
+ __entry->ino = btrfs_ino(BTRFS_I(inode));
+- __entry->parent = btrfs_ino(BTRFS_I(d_inode(dentry->d_parent)));
++ __entry->parent = btrfs_ino(BTRFS_I(parent_inode));
+ __entry->datasync = datasync;
+ __entry->root_objectid =
+ BTRFS_I(inode)->root->root_key.objectid;
+--
+2.53.0
+
--- /dev/null
+From fe3d1989616ccc738401b4ac5d8b0c532136ef41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 00:00:22 +0800
+Subject: can: mcp251x: add error handling for power enable in open and resume
+
+From: Wenyuan Li <2063309626@qq.com>
+
+[ Upstream commit 7a57354756c7df223abe2c33774235ad70cb4231 ]
+
+Add missing error handling for mcp251x_power_enable() calls in both
+mcp251x_open() and mcp251x_can_resume() functions.
+
+In mcp251x_open(), if power enable fails, jump to error path to close
+candev without attempting to disable power again.
+
+In mcp251x_can_resume(), properly check return values of power enable calls
+for both power and transceiver regulators. If any fails, return the error
+code to the PM framework and log the failure.
+
+This ensures the driver properly handles power control failures and
+maintains correct device state.
+
+Signed-off-by: Wenyuan Li <2063309626@qq.com>
+Link: https://patch.msgid.link/tencent_F3EFC5D7738AC548857B91657715E2D3AA06@qq.com
+[mkl: fix patch description]
+[mkl: mcp251x_can_resume(): replace goto by return]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/spi/mcp251x.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
+index 72ae17b2313ec..d3ffab297b77b 100644
+--- a/drivers/net/can/spi/mcp251x.c
++++ b/drivers/net/can/spi/mcp251x.c
+@@ -1213,7 +1213,11 @@ static int mcp251x_open(struct net_device *net)
+ }
+
+ mutex_lock(&priv->mcp_lock);
+- mcp251x_power_enable(priv->transceiver, 1);
++ ret = mcp251x_power_enable(priv->transceiver, 1);
++ if (ret) {
++ dev_err(&spi->dev, "failed to enable transceiver power: %pe\n", ERR_PTR(ret));
++ goto out_close_candev;
++ }
+
+ priv->force_quit = 0;
+ priv->tx_skb = NULL;
+@@ -1260,6 +1264,7 @@ static int mcp251x_open(struct net_device *net)
+ mcp251x_hw_sleep(spi);
+ out_close:
+ mcp251x_power_enable(priv->transceiver, 0);
++out_close_candev:
+ close_candev(net);
+ mutex_unlock(&priv->mcp_lock);
+ if (release_irq)
+@@ -1499,11 +1504,25 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev)
+ {
+ struct spi_device *spi = to_spi_device(dev);
+ struct mcp251x_priv *priv = spi_get_drvdata(spi);
++ int ret = 0;
+
+- if (priv->after_suspend & AFTER_SUSPEND_POWER)
+- mcp251x_power_enable(priv->power, 1);
+- if (priv->after_suspend & AFTER_SUSPEND_UP)
+- mcp251x_power_enable(priv->transceiver, 1);
++ if (priv->after_suspend & AFTER_SUSPEND_POWER) {
++ ret = mcp251x_power_enable(priv->power, 1);
++ if (ret) {
++ dev_err(dev, "failed to restore power: %pe\n", ERR_PTR(ret));
++ return ret;
++ }
++ }
++
++ if (priv->after_suspend & AFTER_SUSPEND_UP) {
++ ret = mcp251x_power_enable(priv->transceiver, 1);
++ if (ret) {
++ dev_err(dev, "failed to restore transceiver power: %pe\n", ERR_PTR(ret));
++ if (priv->after_suspend & AFTER_SUSPEND_POWER)
++ mcp251x_power_enable(priv->power, 0);
++ return ret;
++ }
++ }
+
+ if (priv->after_suspend & (AFTER_SUSPEND_POWER | AFTER_SUSPEND_UP))
+ queue_work(priv->wq, &priv->restart_work);
+--
+2.53.0
+
--- /dev/null
+From a53e2c11e05c64e57807aea194c2c4819d1369dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 10:54:17 +0200
+Subject: clockevents: Prevent timer interrupt starvation
+
+From: Thomas Gleixner <tglx@kernel.org>
+
+[ Upstream commit d6e152d905bdb1f32f9d99775e2f453350399a6a ]
+
+Calvin reported an odd NMI watchdog lockup which claims that the CPU locked
+up in user space. He provided a reproducer, which sets up a timerfd based
+timer and then rearms it in a loop with an absolute expiry time of 1ns.
+
+As the expiry time is in the past, the timer ends up as the first expiring
+timer in the per CPU hrtimer base and the clockevent device is programmed
+with the minimum delta value. If the machine is fast enough, this ends up
+in a endless loop of programming the delta value to the minimum value
+defined by the clock event device, before the timer interrupt can fire,
+which starves the interrupt and consequently triggers the lockup detector
+because the hrtimer callback of the lockup mechanism is never invoked.
+
+As a first step to prevent this, avoid reprogramming the clock event device
+when:
+ - a forced minimum delta event is pending
+ - the new expiry delta is less then or equal to the minimum delta
+
+Thanks to Calvin for providing the reproducer and to Borislav for testing
+and providing data from his Zen5 machine.
+
+The problem is not limited to Zen5, but depending on the underlying
+clock event device (e.g. TSC deadline timer on Intel) and the CPU speed
+not necessarily observable.
+
+This change serves only as the last resort and further changes will be made
+to prevent this scenario earlier in the call chain as far as possible.
+
+[ tglx: Updated to restore the old behaviour vs. !force and delta <= 0 and
+ fixed up the tick-broadcast handlers as pointed out by Borislav ]
+
+Fixes: d316c57ff6bf ("[PATCH] clockevents: add core functionality")
+Reported-by: Calvin Owens <calvin@wbinvd.org>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Tested-by: Calvin Owens <calvin@wbinvd.org>
+Tested-by: Borislav Petkov <bp@alien8.de>
+Link: https://lore.kernel.org/lkml/acMe-QZUel-bBYUh@mozart.vkv.me/
+Link: https://patch.msgid.link/20260407083247.562657657@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/clockchips.h | 2 ++
+ kernel/time/clockevents.c | 27 +++++++++++++++++++--------
+ kernel/time/hrtimer.c | 1 +
+ kernel/time/tick-broadcast.c | 8 +++++++-
+ kernel/time/tick-common.c | 1 +
+ kernel/time/tick-sched.c | 1 +
+ 6 files changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/clockchips.h b/include/linux/clockchips.h
+index 8ae9a95ebf5b5..046c6d8d91a69 100644
+--- a/include/linux/clockchips.h
++++ b/include/linux/clockchips.h
+@@ -80,6 +80,7 @@ enum clock_event_state {
+ * @shift: nanoseconds to cycles divisor (power of two)
+ * @state_use_accessors:current state of the device, assigned by the core code
+ * @features: features
++ * @next_event_forced: True if the last programming was a forced event
+ * @retries: number of forced programming retries
+ * @set_state_periodic: switch state to periodic
+ * @set_state_oneshot: switch state to oneshot
+@@ -108,6 +109,7 @@ struct clock_event_device {
+ u32 shift;
+ enum clock_event_state state_use_accessors;
+ unsigned int features;
++ unsigned int next_event_forced;
+ unsigned long retries;
+
+ int (*set_state_periodic)(struct clock_event_device *);
+diff --git a/kernel/time/clockevents.c b/kernel/time/clockevents.c
+index 5d85014d59b5f..78cd81a99ea03 100644
+--- a/kernel/time/clockevents.c
++++ b/kernel/time/clockevents.c
+@@ -172,6 +172,7 @@ void clockevents_shutdown(struct clock_event_device *dev)
+ {
+ clockevents_switch_state(dev, CLOCK_EVT_STATE_SHUTDOWN);
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+ }
+
+ /**
+@@ -305,7 +306,6 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires,
+ {
+ unsigned long long clc;
+ int64_t delta;
+- int rc;
+
+ if (WARN_ON_ONCE(expires < 0))
+ return -ETIME;
+@@ -324,16 +324,27 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires,
+ return dev->set_next_ktime(expires, dev);
+
+ delta = ktime_to_ns(ktime_sub(expires, ktime_get()));
+- if (delta <= 0)
+- return force ? clockevents_program_min_delta(dev) : -ETIME;
+
+- delta = min(delta, (int64_t) dev->max_delta_ns);
+- delta = max(delta, (int64_t) dev->min_delta_ns);
++ /* Required for tick_periodic() during early boot */
++ if (delta <= 0 && !force)
++ return -ETIME;
++
++ if (delta > (int64_t)dev->min_delta_ns) {
++ delta = min(delta, (int64_t) dev->max_delta_ns);
++ clc = ((unsigned long long) delta * dev->mult) >> dev->shift;
++ if (!dev->set_next_event((unsigned long) clc, dev))
++ return 0;
++ }
+
+- clc = ((unsigned long long) delta * dev->mult) >> dev->shift;
+- rc = dev->set_next_event((unsigned long) clc, dev);
++ if (dev->next_event_forced)
++ return 0;
+
+- return (rc && force) ? clockevents_program_min_delta(dev) : rc;
++ if (dev->set_next_event(dev->min_delta_ticks, dev)) {
++ if (!force || clockevents_program_min_delta(dev))
++ return -ETIME;
++ }
++ dev->next_event_forced = 1;
++ return 0;
+ }
+
+ /*
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 002b29e566cb3..d5bb051d6e167 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1850,6 +1850,7 @@ void hrtimer_interrupt(struct clock_event_device *dev)
+ BUG_ON(!cpu_base->hres_active);
+ cpu_base->nr_events++;
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+
+ raw_spin_lock_irqsave(&cpu_base->lock, flags);
+ entry_time = now = hrtimer_update_base(cpu_base);
+diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c
+index 13a71a894cc16..369f7e52b5e51 100644
+--- a/kernel/time/tick-broadcast.c
++++ b/kernel/time/tick-broadcast.c
+@@ -76,8 +76,10 @@ const struct clock_event_device *tick_get_wakeup_device(int cpu)
+ */
+ static void tick_broadcast_start_periodic(struct clock_event_device *bc)
+ {
+- if (bc)
++ if (bc) {
++ bc->next_event_forced = 0;
+ tick_setup_periodic(bc, 1);
++ }
+ }
+
+ /*
+@@ -403,6 +405,7 @@ static void tick_handle_periodic_broadcast(struct clock_event_device *dev)
+ bool bc_local;
+
+ raw_spin_lock(&tick_broadcast_lock);
++ tick_broadcast_device.evtdev->next_event_forced = 0;
+
+ /* Handle spurious interrupts gracefully */
+ if (clockevent_state_shutdown(tick_broadcast_device.evtdev)) {
+@@ -692,6 +695,7 @@ static void tick_handle_oneshot_broadcast(struct clock_event_device *dev)
+
+ raw_spin_lock(&tick_broadcast_lock);
+ dev->next_event = KTIME_MAX;
++ tick_broadcast_device.evtdev->next_event_forced = 0;
+ next_event = KTIME_MAX;
+ cpumask_clear(tmpmask);
+ now = ktime_get();
+@@ -1057,6 +1061,7 @@ static void tick_broadcast_setup_oneshot(struct clock_event_device *bc,
+
+
+ bc->event_handler = tick_handle_oneshot_broadcast;
++ bc->next_event_forced = 0;
+ bc->next_event = KTIME_MAX;
+
+ /*
+@@ -1169,6 +1174,7 @@ void hotplug_cpu__broadcast_tick_pull(int deadcpu)
+ }
+
+ /* This moves the broadcast assignment to this CPU: */
++ bc->next_event_forced = 0;
+ clockevents_program_event(bc, bc->next_event, 1);
+ }
+ raw_spin_unlock_irqrestore(&tick_broadcast_lock, flags);
+diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c
+index 7f2b17fc8ce40..79ae1adf635bd 100644
+--- a/kernel/time/tick-common.c
++++ b/kernel/time/tick-common.c
+@@ -109,6 +109,7 @@ void tick_handle_periodic(struct clock_event_device *dev)
+ int cpu = smp_processor_id();
+ ktime_t next = dev->next_event;
+
++ dev->next_event_forced = 0;
+ tick_periodic(cpu);
+
+ #if defined(CONFIG_HIGH_RES_TIMERS) || defined(CONFIG_NO_HZ_COMMON)
+diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
+index 8cfdc6b978d76..3a017b5555250 100644
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -1382,6 +1382,7 @@ static void tick_nohz_handler(struct clock_event_device *dev)
+ ktime_t now = ktime_get();
+
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+
+ tick_sched_do_timer(ts, now);
+ tick_sched_handle(ts, regs);
+--
+2.53.0
+
--- /dev/null
+From dbc10c174fbadb68b2d3e5fd7e4b2c432576b643 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Apr 2026 13:32:21 +0800
+Subject: crypto: algif_aead - Fix minimum RX size check for decryption
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ]
+
+The check for the minimum receive buffer size did not take the
+tag size into account during decryption. Fix this by adding the
+required extra length.
+
+Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
+Reported-by: Daniel Pouzzner <douzzer@mega.nu>
+Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/algif_aead.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
+index 42493b4d8ce46..cb3959e2c435e 100644
+--- a/crypto/algif_aead.c
++++ b/crypto/algif_aead.c
+@@ -170,7 +170,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
+ if (usedpages < outlen) {
+ size_t less = outlen - usedpages;
+
+- if (used < less) {
++ if (used < less + (ctx->enc ? 0 : as)) {
+ err = -EINVAL;
+ goto free;
+ }
+--
+2.53.0
+
--- /dev/null
+From 22d8ef1ee196aa0c1f2edbf95fe34deff6895909 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:45 -0300
+Subject: drm/vc4: Fix a memory leak in hang state error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit 9525d169e5fd481538cf8c663cc5839e54f2e481 ]
+
+When vc4_save_hang_state() encounters an early return condition, it
+returns without freeing the previously allocated `kernel_state`,
+leaking memory.
+
+Add the missing kfree() calls by consolidating the early return paths
+into a single place.
+
+Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-3-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index c446684a72183..0d88226b17deb 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -169,10 +169,8 @@ vc4_save_hang_state(struct drm_device *dev)
+ spin_lock_irqsave(&vc4->job_lock, irqflags);
+ exec[0] = vc4_first_bin_job(vc4);
+ exec[1] = vc4_first_render_job(vc4);
+- if (!exec[0] && !exec[1]) {
+- spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+- return;
+- }
++ if (!exec[0] && !exec[1])
++ goto err_free_state;
+
+ /* Get the bos from both binner and renderer into hang state. */
+ state->bo_count = 0;
+@@ -189,10 +187,8 @@ vc4_save_hang_state(struct drm_device *dev)
+ kernel_state->bo = kcalloc(state->bo_count,
+ sizeof(*kernel_state->bo), GFP_ATOMIC);
+
+- if (!kernel_state->bo) {
+- spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+- return;
+- }
++ if (!kernel_state->bo)
++ goto err_free_state;
+
+ k = 0;
+ for (i = 0; i < 2; i++) {
+@@ -284,6 +280,12 @@ vc4_save_hang_state(struct drm_device *dev)
+ vc4->hang_state = kernel_state;
+ spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+ }
++
++ return;
++
++err_free_state:
++ spin_unlock_irqrestore(&vc4->job_lock, irqflags);
++ kfree(kernel_state);
+ }
+
+ static void
+--
+2.53.0
+
--- /dev/null
+From f56aa71a2c7dd36fb5ac7dcd9c44449e1e183b06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:44 -0300
+Subject: drm/vc4: Fix memory leak of BO array in hang state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit f4dfd6847b3e5d24e336bca6057485116d17aea4 ]
+
+The hang state's BO array is allocated separately with kzalloc() in
+vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the
+missing kfree() for the BO array before freeing the hang state struct.
+
+Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-2-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index 628d40ff3aa1c..c446684a72183 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -60,6 +60,7 @@ vc4_free_hang_state(struct drm_device *dev, struct vc4_hang_state *state)
+ for (i = 0; i < state->user_state.bo_count; i++)
+ drm_gem_object_put(state->bo[i]);
+
++ kfree(state->bo);
+ kfree(state);
+ }
+
+--
+2.53.0
+
--- /dev/null
+From ea81f45c8776f596adb593e4423b2bbfffc68f11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:46 -0300
+Subject: drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit 338c56050d8e892604da97f67bfa8cc4015a955f ]
+
+The mmap callback reads bo->madv without holding madv_lock, racing with
+concurrent DRM_IOCTL_VC4_GEM_MADVISE calls that modify the field under
+the same lock. Add the missing locking to prevent the data race.
+
+Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-4-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_bo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c
+index ce0ea446bd707..9028a56dd12b8 100644
+--- a/drivers/gpu/drm/vc4/vc4_bo.c
++++ b/drivers/gpu/drm/vc4/vc4_bo.c
+@@ -738,12 +738,15 @@ static int vc4_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct
+ return -EINVAL;
+ }
+
++ mutex_lock(&bo->madv_lock);
+ if (bo->madv != VC4_MADV_WILLNEED) {
+ DRM_DEBUG("mmaping of %s BO not allowed\n",
+ bo->madv == VC4_MADV_DONTNEED ?
+ "purgeable" : "purged");
++ mutex_unlock(&bo->madv_lock);
+ return -EINVAL;
+ }
++ mutex_unlock(&bo->madv_lock);
+
+ return drm_gem_dma_mmap(&bo->base, vma);
+ }
+--
+2.53.0
+
--- /dev/null
+From 2730ba8883f7301f785b7508e935a42f5084e993 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:43 -0300
+Subject: drm/vc4: Release runtime PM reference after binding V3D
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit aaefbdde9abdc43699e110679c0e10972a5e1c59 ]
+
+The vc4_v3d_bind() function acquires a runtime PM reference via
+pm_runtime_resume_and_get() to access V3D registers during setup.
+However, this reference is never released after a successful bind.
+This prevents the device from ever runtime suspending, since the
+reference count never reaches zero.
+
+Release the runtime PM reference by adding pm_runtime_put_autosuspend()
+after autosuspend is configured, allowing the device to runtime suspend
+after the delay.
+
+Fixes: 266cff37d7fc ("drm/vc4: v3d: Rework the runtime_pm setup")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-1-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_v3d.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_v3d.c b/drivers/gpu/drm/vc4/vc4_v3d.c
+index 56abb0d6bc39b..a39e6f8eff0a6 100644
+--- a/drivers/gpu/drm/vc4/vc4_v3d.c
++++ b/drivers/gpu/drm/vc4/vc4_v3d.c
+@@ -497,6 +497,7 @@ static int vc4_v3d_bind(struct device *dev, struct device *master, void *data)
+
+ pm_runtime_use_autosuspend(dev);
+ pm_runtime_set_autosuspend_delay(dev, 40); /* a little over 2 frames. */
++ pm_runtime_put_autosuspend(dev);
+
+ return 0;
+
+--
+2.53.0
+
--- /dev/null
+From 19032ab7747740ea3330db0d110e23d65855af5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 11:29:40 +0100
+Subject: dt-bindings: net: Fix Tegra234 MGBE PTP clock
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+[ Upstream commit fb22b1fc5bca3c0aad95388933497ceb30f1fb26 ]
+
+The PTP clock for the Tegra234 MGBE device is incorrectly named
+'ptp-ref' and should be 'ptp_ref'. This is causing the following
+warning to be observed on Tegra234 platforms that use this device:
+
+ ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate
+ WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed
+
+Although this constitutes an ABI breakage in the binding for this
+device, PTP support has clearly never worked and so fix this now
+so we can correct the device-tree for this device. Note that the
+MGBE driver still supports the legacy 'ptp-ref' clock name and so
+older/existing device-trees will still work, but given that this
+is not the correct name, there is no point to advertise this in the
+binding.
+
+Fixes: 189c2e5c7669 ("dt-bindings: net: Add Tegra234 MGBE")
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260401102941.17466-3-jonathanh@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../devicetree/bindings/net/nvidia,tegra234-mgbe.yaml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
+index 2bd3efff2485e..215f14d1897d2 100644
+--- a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
++++ b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
+@@ -42,7 +42,7 @@ properties:
+ - const: mgbe
+ - const: mac
+ - const: mac-divider
+- - const: ptp-ref
++ - const: ptp_ref
+ - const: rx-input-m
+ - const: rx-input
+ - const: tx
+@@ -133,7 +133,7 @@ examples:
+ <&bpmp TEGRA234_CLK_MGBE0_RX_PCS_M>,
+ <&bpmp TEGRA234_CLK_MGBE0_RX_PCS>,
+ <&bpmp TEGRA234_CLK_MGBE0_TX_PCS>;
+- clock-names = "mgbe", "mac", "mac-divider", "ptp-ref", "rx-input-m",
++ clock-names = "mgbe", "mac", "mac-divider", "ptp_ref", "rx-input-m",
+ "rx-input", "tx", "eee-pcs", "rx-pcs-input", "rx-pcs-m",
+ "rx-pcs", "tx-pcs";
+ resets = <&bpmp TEGRA234_RESET_MGBE0_MAC>,
+--
+2.53.0
+
--- /dev/null
+From 1167851e947f983b2a374e7637c50e954b255713 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 15:05:05 +0300
+Subject: e1000: check return value of e1000_read_eeprom
+
+From: Agalakov Daniil <ade@amicon.ru>
+
+[ Upstream commit d3baa34a470771399c1495bc04b1e26ac15d598e ]
+
+[Why]
+e1000_set_eeprom() performs a read-modify-write operation when the write
+range is not word-aligned. This requires reading the first and last words
+of the range from the EEPROM to preserve the unmodified bytes.
+
+However, the code does not check the return value of e1000_read_eeprom().
+If the read fails, the operation continues using uninitialized data from
+eeprom_buff. This results in corrupted data being written back to the
+EEPROM for the boundary words.
+
+Add the missing error checks and abort the operation if reading fails.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Co-developed-by: Iskhakov Daniil <dish@amicon.ru>
+Signed-off-by: Iskhakov Daniil <dish@amicon.ru>
+Signed-off-by: Agalakov Daniil <ade@amicon.ru>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+index d06d29c6c0370..c7b50059663d9 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+@@ -496,14 +496,19 @@ static int e1000_set_eeprom(struct net_device *netdev,
+ */
+ ret_val = e1000_read_eeprom(hw, first_word, 1,
+ &eeprom_buff[0]);
++ if (ret_val)
++ goto out;
++
+ ptr++;
+ }
+- if (((eeprom->offset + eeprom->len) & 1) && (ret_val == 0)) {
++ if ((eeprom->offset + eeprom->len) & 1) {
+ /* need read/modify/write of last changed EEPROM word
+ * only the first byte of the word is being modified
+ */
+ ret_val = e1000_read_eeprom(hw, last_word, 1,
+ &eeprom_buff[last_word - first_word]);
++ if (ret_val)
++ goto out;
+ }
+
+ /* Device's eeprom is always little-endian, word addressable */
+@@ -522,6 +527,7 @@ static int e1000_set_eeprom(struct net_device *netdev,
+ if ((ret_val == 0) && (first_word <= EEPROM_CHECKSUM_REG))
+ e1000_update_eeprom_checksum(hw);
+
++out:
+ kfree(eeprom_buff);
+ return ret_val;
+ }
+--
+2.53.0
+
--- /dev/null
+From ac1197ebab173f3518a8ee3bcb3b9f07e86b9a60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Mar 2023 17:57:02 +0100
+Subject: epoll: use refcount to reduce ep_mutex contention
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 58c9b016e12855286370dfb704c08498edbc857a ]
+
+We are observing huge contention on the epmutex during an http
+connection/rate test:
+
+ 83.17% 0.25% nginx [kernel.kallsyms] [k] entry_SYSCALL_64_after_hwframe
+[...]
+ |--66.96%--__fput
+ |--60.04%--eventpoll_release_file
+ |--58.41%--__mutex_lock.isra.6
+ |--56.56%--osq_lock
+
+The application is multi-threaded, creates a new epoll entry for
+each incoming connection, and does not delete it before the
+connection shutdown - that is, before the connection's fd close().
+
+Many different threads compete frequently for the epmutex lock,
+affecting the overall performance.
+
+To reduce the contention this patch introduces explicit reference counting
+for the eventpoll struct. Each registered event acquires a reference,
+and references are released at ep_remove() time.
+
+The eventpoll struct is released by whoever - among EP file close() and
+and the monitored file close() drops its last reference.
+
+Additionally, this introduces a new 'dying' flag to prevent races between
+the EP file close() and the monitored file close().
+ep_eventpoll_release() marks, under f_lock spinlock, each epitem as dying
+before removing it, while EP file close() does not touch dying epitems.
+
+The above is needed as both close operations could run concurrently and
+drop the EP reference acquired via the epitem entry. Without the above
+flag, the monitored file close() could reach the EP struct via the epitem
+list while the epitem is still listed and then try to put it after its
+disposal.
+
+An alternative could be avoiding touching the references acquired via
+the epitems at EP file close() time, but that could leave the EP struct
+alive for potentially unlimited time after EP file close(), with nasty
+side effects.
+
+With all the above in place, we can drop the epmutex usage at disposal time.
+
+Overall this produces a significant performance improvement in the
+mentioned connection/rate scenario: the mutex operations disappear from
+the topmost offenders in the perf report, and the measured connections/rate
+grows by ~60%.
+
+To make the change more readable this additionally renames ep_free() to
+ep_clear_and_put(), and moves the actual memory cleanup in a separate
+ep_free() helper.
+
+Link: https://lkml.kernel.org/r/4a57788dcaf28f5eb4f8dfddcc3a8b172a7357bb.1679504153.git.pabeni@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Co-developed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Tested-by: Xiumei Mu <xmu@redhiat.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Reviewed-by: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Carlos Maiolino <cmaiolino@redhat.com>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Eric Biggers <ebiggers@kernel.org>
+Cc: Jacob Keller <jacob.e.keller@intel.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 07712db80857 ("eventpoll: defer struct eventpoll free to RCU grace period")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/eventpoll.c | 195 +++++++++++++++++++++++++++++++------------------
+ 1 file changed, 123 insertions(+), 72 deletions(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index 4c590e988d4a2..f20a35775cf66 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -57,13 +57,7 @@
+ * we need a lock that will allow us to sleep. This lock is a
+ * mutex (ep->mtx). It is acquired during the event transfer loop,
+ * during epoll_ctl(EPOLL_CTL_DEL) and during eventpoll_release_file().
+- * Then we also need a global mutex to serialize eventpoll_release_file()
+- * and ep_free().
+- * This mutex is acquired by ep_free() during the epoll file
+- * cleanup path and it is also acquired by eventpoll_release_file()
+- * if a file has been pushed inside an epoll set and it is then
+- * close()d without a previous call to epoll_ctl(EPOLL_CTL_DEL).
+- * It is also acquired when inserting an epoll fd onto another epoll
++ * The epmutex is acquired when inserting an epoll fd onto another epoll
+ * fd. We do this so that we walk the epoll tree and ensure that this
+ * insertion does not create a cycle of epoll file descriptors, which
+ * could lead to deadlock. We need a global mutex to prevent two
+@@ -153,6 +147,13 @@ struct epitem {
+ /* The file descriptor information this item refers to */
+ struct epoll_filefd ffd;
+
++ /*
++ * Protected by file->f_lock, true for to-be-released epitem already
++ * removed from the "struct file" items list; together with
++ * eventpoll->refcount orchestrates "struct eventpoll" disposal
++ */
++ bool dying;
++
+ /* List containing poll wait queues */
+ struct eppoll_entry *pwqlist;
+
+@@ -218,6 +219,12 @@ struct eventpoll {
+ struct hlist_head refs;
+ u8 loop_check_depth;
+
++ /*
++ * usage count, used together with epitem->dying to
++ * orchestrate the disposal of this struct
++ */
++ refcount_t refcount;
++
+ #ifdef CONFIG_NET_RX_BUSY_POLL
+ /* used to track busy poll napi_id */
+ unsigned int napi_id;
+@@ -241,9 +248,7 @@ struct ep_pqueue {
+ /* Maximum number of epoll watched descriptors, per user */
+ static long max_user_watches __read_mostly;
+
+-/*
+- * This mutex is used to serialize ep_free() and eventpoll_release_file().
+- */
++/* Used for cycles detection */
+ static DEFINE_MUTEX(epmutex);
+
+ static u64 loop_check_gen = 0;
+@@ -558,8 +563,7 @@ static void ep_remove_wait_queue(struct eppoll_entry *pwq)
+
+ /*
+ * This function unregisters poll callbacks from the associated file
+- * descriptor. Must be called with "mtx" held (or "epmutex" if called from
+- * ep_free).
++ * descriptor. Must be called with "mtx" held.
+ */
+ static void ep_unregister_pollwait(struct eventpoll *ep, struct epitem *epi)
+ {
+@@ -682,11 +686,40 @@ static void epi_rcu_free(struct rcu_head *head)
+ kmem_cache_free(epi_cache, epi);
+ }
+
++static void ep_get(struct eventpoll *ep)
++{
++ refcount_inc(&ep->refcount);
++}
++
++/*
++ * Returns true if the event poll can be disposed
++ */
++static bool ep_refcount_dec_and_test(struct eventpoll *ep)
++{
++ if (!refcount_dec_and_test(&ep->refcount))
++ return false;
++
++ WARN_ON_ONCE(!RB_EMPTY_ROOT(&ep->rbr.rb_root));
++ return true;
++}
++
++static void ep_free(struct eventpoll *ep)
++{
++ mutex_destroy(&ep->mtx);
++ free_uid(ep->user);
++ wakeup_source_unregister(ep->ws);
++ kfree(ep);
++}
++
+ /*
+ * Removes a "struct epitem" from the eventpoll RB tree and deallocates
+ * all the associated resources. Must be called with "mtx" held.
++ * If the dying flag is set, do the removal only if force is true.
++ * This prevents ep_clear_and_put() from dropping all the ep references
++ * while running concurrently with eventpoll_release_file().
++ * Returns true if the eventpoll can be disposed.
+ */
+-static int ep_remove(struct eventpoll *ep, struct epitem *epi)
++static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force)
+ {
+ struct file *file = epi->ffd.file;
+ struct epitems_head *to_free;
+@@ -701,6 +734,11 @@ static int ep_remove(struct eventpoll *ep, struct epitem *epi)
+
+ /* Remove the current item from the list of epoll hooks */
+ spin_lock(&file->f_lock);
++ if (epi->dying && !force) {
++ spin_unlock(&file->f_lock);
++ return false;
++ }
++
+ to_free = NULL;
+ head = file->f_ep;
+ if (head->first == &epi->fllink && !epi->fllink.next) {
+@@ -735,28 +773,28 @@ static int ep_remove(struct eventpoll *ep, struct epitem *epi)
+ call_rcu(&epi->rcu, epi_rcu_free);
+
+ percpu_counter_dec(&ep->user->epoll_watches);
++ return ep_refcount_dec_and_test(ep);
++}
+
+- return 0;
++/*
++ * ep_remove variant for callers owing an additional reference to the ep
++ */
++static void ep_remove_safe(struct eventpoll *ep, struct epitem *epi)
++{
++ WARN_ON_ONCE(__ep_remove(ep, epi, false));
+ }
+
+-static void ep_free(struct eventpoll *ep)
++static void ep_clear_and_put(struct eventpoll *ep)
+ {
+- struct rb_node *rbp;
++ struct rb_node *rbp, *next;
+ struct epitem *epi;
++ bool dispose;
+
+ /* We need to release all tasks waiting for these file */
+ if (waitqueue_active(&ep->poll_wait))
+ ep_poll_safewake(ep, NULL, 0);
+
+- /*
+- * We need to lock this because we could be hit by
+- * eventpoll_release_file() while we're freeing the "struct eventpoll".
+- * We do not need to hold "ep->mtx" here because the epoll file
+- * is on the way to be removed and no one has references to it
+- * anymore. The only hit might come from eventpoll_release_file() but
+- * holding "epmutex" is sufficient here.
+- */
+- mutex_lock(&epmutex);
++ mutex_lock(&ep->mtx);
+
+ /*
+ * Walks through the whole tree by unregistering poll callbacks.
+@@ -769,26 +807,25 @@ static void ep_free(struct eventpoll *ep)
+ }
+
+ /*
+- * Walks through the whole tree by freeing each "struct epitem". At this
+- * point we are sure no poll callbacks will be lingering around, and also by
+- * holding "epmutex" we can be sure that no file cleanup code will hit
+- * us during this operation. So we can avoid the lock on "ep->lock".
+- * We do not need to lock ep->mtx, either, we only do it to prevent
+- * a lockdep warning.
++ * Walks through the whole tree and try to free each "struct epitem".
++ * Note that ep_remove_safe() will not remove the epitem in case of a
++ * racing eventpoll_release_file(); the latter will do the removal.
++ * At this point we are sure no poll callbacks will be lingering around.
++ * Since we still own a reference to the eventpoll struct, the loop can't
++ * dispose it.
+ */
+- mutex_lock(&ep->mtx);
+- while ((rbp = rb_first_cached(&ep->rbr)) != NULL) {
++ for (rbp = rb_first_cached(&ep->rbr); rbp; rbp = next) {
++ next = rb_next(rbp);
+ epi = rb_entry(rbp, struct epitem, rbn);
+- ep_remove(ep, epi);
++ ep_remove_safe(ep, epi);
+ cond_resched();
+ }
++
++ dispose = ep_refcount_dec_and_test(ep);
+ mutex_unlock(&ep->mtx);
+
+- mutex_unlock(&epmutex);
+- mutex_destroy(&ep->mtx);
+- free_uid(ep->user);
+- wakeup_source_unregister(ep->ws);
+- kfree(ep);
++ if (dispose)
++ ep_free(ep);
+ }
+
+ static int ep_eventpoll_release(struct inode *inode, struct file *file)
+@@ -796,7 +833,7 @@ static int ep_eventpoll_release(struct inode *inode, struct file *file)
+ struct eventpoll *ep = file->private_data;
+
+ if (ep)
+- ep_free(ep);
++ ep_clear_and_put(ep);
+
+ return 0;
+ }
+@@ -944,33 +981,34 @@ void eventpoll_release_file(struct file *file)
+ {
+ struct eventpoll *ep;
+ struct epitem *epi;
+- struct hlist_node *next;
++ bool dispose;
+
+ /*
+- * We don't want to get "file->f_lock" because it is not
+- * necessary. It is not necessary because we're in the "struct file"
+- * cleanup path, and this means that no one is using this file anymore.
+- * So, for example, epoll_ctl() cannot hit here since if we reach this
+- * point, the file counter already went to zero and fget() would fail.
+- * The only hit might come from ep_free() but by holding the mutex
+- * will correctly serialize the operation. We do need to acquire
+- * "ep->mtx" after "epmutex" because ep_remove() requires it when called
+- * from anywhere but ep_free().
+- *
+- * Besides, ep_remove() acquires the lock, so we can't hold it here.
++ * Use the 'dying' flag to prevent a concurrent ep_clear_and_put() from
++ * touching the epitems list before eventpoll_release_file() can access
++ * the ep->mtx.
+ */
+- mutex_lock(&epmutex);
+- if (unlikely(!file->f_ep)) {
+- mutex_unlock(&epmutex);
+- return;
+- }
+- hlist_for_each_entry_safe(epi, next, file->f_ep, fllink) {
++again:
++ spin_lock(&file->f_lock);
++ if (file->f_ep && file->f_ep->first) {
++ epi = hlist_entry(file->f_ep->first, struct epitem, fllink);
++ epi->dying = true;
++ spin_unlock(&file->f_lock);
++
++ /*
++ * ep access is safe as we still own a reference to the ep
++ * struct
++ */
+ ep = epi->ep;
+- mutex_lock_nested(&ep->mtx, 0);
+- ep_remove(ep, epi);
++ mutex_lock(&ep->mtx);
++ dispose = __ep_remove(ep, epi, true);
+ mutex_unlock(&ep->mtx);
++
++ if (dispose)
++ ep_free(ep);
++ goto again;
+ }
+- mutex_unlock(&epmutex);
++ spin_unlock(&file->f_lock);
+ }
+
+ static int ep_alloc(struct eventpoll **pep)
+@@ -993,6 +1031,7 @@ static int ep_alloc(struct eventpoll **pep)
+ ep->rbr = RB_ROOT_CACHED;
+ ep->ovflist = EP_UNACTIVE_PTR;
+ ep->user = user;
++ refcount_set(&ep->refcount, 1);
+
+ *pep = ep;
+
+@@ -1177,10 +1216,10 @@ static int ep_poll_callback(wait_queue_entry_t *wait, unsigned mode, int sync, v
+ */
+ list_del_init(&wait->entry);
+ /*
+- * ->whead != NULL protects us from the race with ep_free()
+- * or ep_remove(), ep_remove_wait_queue() takes whead->lock
+- * held by the caller. Once we nullify it, nothing protects
+- * ep/epi or even wait.
++ * ->whead != NULL protects us from the race with
++ * ep_clear_and_put() or ep_remove(), ep_remove_wait_queue()
++ * takes whead->lock held by the caller. Once we nullify it,
++ * nothing protects ep/epi or even wait.
+ */
+ smp_store_release(&ep_pwq_from_wait(wait)->whead, NULL);
+ }
+@@ -1451,16 +1490,22 @@ static int ep_insert(struct eventpoll *ep, const struct epoll_event *event,
+ if (tep)
+ mutex_unlock(&tep->mtx);
+
++ /*
++ * ep_remove_safe() calls in the later error paths can't lead to
++ * ep_free() as the ep file itself still holds an ep reference.
++ */
++ ep_get(ep);
++
+ /* now check if we've created too many backpaths */
+ if (unlikely(full_check && reverse_path_check())) {
+- ep_remove(ep, epi);
++ ep_remove_safe(ep, epi);
+ return -EINVAL;
+ }
+
+ if (epi->event.events & EPOLLWAKEUP) {
+ error = ep_create_wakeup_source(epi);
+ if (error) {
+- ep_remove(ep, epi);
++ ep_remove_safe(ep, epi);
+ return error;
+ }
+ }
+@@ -1484,7 +1529,7 @@ static int ep_insert(struct eventpoll *ep, const struct epoll_event *event,
+ * high memory pressure.
+ */
+ if (unlikely(!epq.epi)) {
+- ep_remove(ep, epi);
++ ep_remove_safe(ep, epi);
+ return -ENOMEM;
+ }
+
+@@ -2016,7 +2061,7 @@ static int do_epoll_create(int flags)
+ out_free_fd:
+ put_unused_fd(fd);
+ out_free_ep:
+- ep_free(ep);
++ ep_clear_and_put(ep);
+ return error;
+ }
+
+@@ -2158,10 +2203,16 @@ int do_epoll_ctl(int epfd, int op, int fd, struct epoll_event *epds,
+ error = -EEXIST;
+ break;
+ case EPOLL_CTL_DEL:
+- if (epi)
+- error = ep_remove(ep, epi);
+- else
++ if (epi) {
++ /*
++ * The eventpoll itself is still alive: the refcount
++ * can't go to zero here.
++ */
++ ep_remove_safe(ep, epi);
++ error = 0;
++ } else {
+ error = -ENOENT;
++ }
+ break;
+ case EPOLL_CTL_MOD:
+ if (epi) {
+--
+2.53.0
+
--- /dev/null
+From c76e0b4ef3c9d32282c7ddac04b1747d7beaa05d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Mar 2026 15:25:32 +0200
+Subject: eventpoll: defer struct eventpoll free to RCU grace period
+
+From: Nicholas Carlini <nicholas@carlini.com>
+
+[ Upstream commit 07712db80857d5d09ae08f3df85a708ecfc3b61f ]
+
+In certain situations, ep_free() in eventpoll.c will kfree the epi->ep
+eventpoll struct while it still being used by another concurrent thread.
+Defer the kfree() to an RCU callback to prevent UAF.
+
+Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion")
+Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/eventpoll.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index f20a35775cf66..f6038819fe79f 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -225,6 +225,9 @@ struct eventpoll {
+ */
+ refcount_t refcount;
+
++ /* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */
++ struct rcu_head rcu;
++
+ #ifdef CONFIG_NET_RX_BUSY_POLL
+ /* used to track busy poll napi_id */
+ unsigned int napi_id;
+@@ -708,7 +711,8 @@ static void ep_free(struct eventpoll *ep)
+ mutex_destroy(&ep->mtx);
+ free_uid(ep->user);
+ wakeup_source_unregister(ep->ws);
+- kfree(ep);
++ /* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */
++ kfree_rcu(ep, rcu);
+ }
+
+ /*
+--
+2.53.0
+
--- /dev/null
+From a9cfbd642e7583c0e01d6b6917ec55816747c080 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 13:11:27 -0700
+Subject: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
+
+From: Fredric Cover <FredTheDude@proton.me>
+
+[ Upstream commit 78ec5bf2f589ec7fd8f169394bfeca541b077317 ]
+
+When cifs_sanitize_prepath is called with an empty string or a string
+containing only delimiters (e.g., "/"), the current logic attempts to
+check *(cursor2 - 1) before cursor2 has advanced. This results in an
+out-of-bounds read.
+
+This patch adds an early exit check after stripping prepended
+delimiters. If no path content remains, the function returns NULL.
+
+The bug was identified via manual audit and verified using a
+standalone test case compiled with AddressSanitizer, which
+triggered a SEGV on affected inputs.
+
+Signed-off-by: Fredric Cover <FredTheDude@proton.me>
+Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/fs_context.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
+index 9000299e98cb4..35f2c94aafd14 100644
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -454,6 +454,10 @@ char *cifs_sanitize_prepath(char *prepath, gfp_t gfp)
+ while (IS_DELIM(*cursor1))
+ cursor1++;
+
++ /* exit in case of only delimiters */
++ if (!*cursor1)
++ return NULL;
++
+ /* copy the first letter */
+ *cursor2 = *cursor1;
+
+--
+2.53.0
+
--- /dev/null
+From 53f07053b7e3540577eb6e9d857c4e150cc97ba7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 14:02:47 -0700
+Subject: gpio: tegra: fix irq_release_resources calling enable instead of
+ disable
+
+From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+
+[ Upstream commit 1561d96f5f55c1bca9ff047ace5813f4f244eea6 ]
+
+tegra_gpio_irq_release_resources() erroneously calls tegra_gpio_enable()
+instead of tegra_gpio_disable(). When IRQ resources are released, the
+GPIO configuration bit (CNF) should be cleared to deconfigure the pin as
+a GPIO. Leaving it enabled wastes power and can cause unexpected behavior
+if the pin is later reused for an alternate function via pinctrl.
+
+Fixes: 66fecef5bde0 ("gpio: tegra: Convert to gpio_irq_chip")
+Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+Link: https://patch.msgid.link/20260407210247.1737938-1-samasth.norway.ananda@oracle.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-tegra.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-tegra.c b/drivers/gpio/gpio-tegra.c
+index 5b265a6fd3c18..49ff77c3ad198 100644
+--- a/drivers/gpio/gpio-tegra.c
++++ b/drivers/gpio/gpio-tegra.c
+@@ -597,7 +597,7 @@ static void tegra_gpio_irq_release_resources(struct irq_data *d)
+ struct tegra_gpio_info *tgi = gpiochip_get_data(chip);
+
+ gpiochip_relres_irq(chip, d->hwirq);
+- tegra_gpio_enable(tgi, d->hwirq);
++ tegra_gpio_disable(tgi, d->hwirq);
+ }
+
+ static void tegra_gpio_irq_print_chip(struct irq_data *d, struct seq_file *s)
+--
+2.53.0
+
--- /dev/null
+From 2cba1ec91ac654e8e04227c541d76f08bc182100 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 13:36:59 -0500
+Subject: HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3
+
+From: leo vriska <leo@60228.dev>
+
+[ Upstream commit 532743944324a873bbaf8620fcabcd0e69e30c36 ]
+
+According to a mailing list report [1], this controller's predecessor
+has the same issue. However, it uses the xpad driver instead of HID, so
+this quirk wouldn't apply.
+
+[1]: https://lore.kernel.org/linux-input/unufo3$det$1@ciao.gmane.io/
+
+Signed-off-by: leo vriska <leo@60228.dev>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index fd3198d4b7c5b..23adda52f6ef5 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -22,6 +22,9 @@
+ #define USB_DEVICE_ID_3M2256 0x0502
+ #define USB_DEVICE_ID_3M3266 0x0506
+
++#define USB_VENDOR_ID_8BITDO 0x2dc8
++#define USB_DEVICE_ID_8BITDO_PRO_3 0x6009
++
+ #define USB_VENDOR_ID_A4TECH 0x09da
+ #define USB_DEVICE_ID_A4TECH_WCP32PU 0x0006
+ #define USB_DEVICE_ID_A4TECH_X5_005D 0x000a
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index 030ad260e7566..99fca77d16641 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -25,6 +25,7 @@
+ */
+
+ static const struct hid_device_id hid_quirks[] = {
++ { HID_USB_DEVICE(USB_VENDOR_ID_8BITDO, USB_DEVICE_ID_8BITDO_PRO_3), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD },
+ { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL },
+--
+2.53.0
+
--- /dev/null
+From 2aa978de0e72acb4e4e21bdf2100b0e2ab47a7fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 16:11:07 +0000
+Subject: HID: roccat: fix use-after-free in roccat_report_event
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benoît Sevens <bsevens@google.com>
+
+[ Upstream commit d802d848308b35220f21a8025352f0c0aba15c12 ]
+
+roccat_report_event() iterates over the device->readers list without
+holding the readers_lock. This allows a concurrent roccat_release() to
+remove and free a reader while it's still being accessed, leading to a
+use-after-free.
+
+Protect the readers list traversal with the readers_lock mutex.
+
+Signed-off-by: Benoît Sevens <bsevens@google.com>
+Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-roccat.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c
+index 6da80e442fdd1..420e4335c3e83 100644
+--- a/drivers/hid/hid-roccat.c
++++ b/drivers/hid/hid-roccat.c
+@@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data)
+ if (!new_value)
+ return -ENOMEM;
+
++ mutex_lock(&device->readers_lock);
+ mutex_lock(&device->cbuf_lock);
+
+ report = &device->cbuf[device->cbuf_end];
+@@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data)
+ }
+
+ mutex_unlock(&device->cbuf_lock);
++ mutex_unlock(&device->readers_lock);
+
+ wake_up_interruptible(&device->wait);
+ return 0;
+--
+2.53.0
+
--- /dev/null
+From 580209ddd3675b147c951e9a14dffdaf1dde1681 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 15:04:19 +0800
+Subject: ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
+
+From: Yiqi Sun <sunyiqixm@gmail.com>
+
+[ Upstream commit fde29fd9349327acc50d19a0b5f3d5a6c964dfd8 ]
+
+ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the
+IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing
+this error pointer to dev_hold() will cause a kernel crash with
+null-ptr-deref.
+
+Instead, silently discard the request. RFC 8335 does not appear to
+define a specific response for the case where an IPv6 interface
+identifier is syntactically valid but the implementation cannot perform
+the lookup at runtime, and silently dropping the request may safer than
+misreporting "No Such Interface".
+
+Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
+Signed-off-by: Yiqi Sun <sunyiqixm@gmail.com>
+Link: https://patch.msgid.link/20260402070419.2291578-1-sunyiqixm@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 309d22f2858cc..7a6e4853cf98d 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -1130,6 +1130,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
+ if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr))
+ goto send_mal_query;
+ dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
++ /*
++ * If IPv6 identifier lookup is unavailable, silently
++ * discard the request instead of misreporting NO_IF.
++ */
++ if (IS_ERR(dev))
++ return false;
++
+ dev_hold(dev);
+ break;
+ #endif
+--
+2.53.0
+
--- /dev/null
+From b2be2946e0927b629bfd8a2d18f27d52e4afe5d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 09:22:29 +0100
+Subject: ixgbevf: add missing negotiate_features op to Hyper-V ops table
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit 4821d563cd7f251ae728be1a6d04af82a294a5b9 ]
+
+Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by
+negotiating supported features") added the .negotiate_features callback
+to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot
+to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL
+on Hyper-V VMs.
+
+During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(),
+which unconditionally dereferences hw->mac.ops.negotiate_features().
+On Hyper-V this results in a NULL pointer dereference:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ [...]
+ Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...]
+ Workqueue: events work_for_cpu_fn
+ RIP: 0010:0x0
+ [...]
+ Call Trace:
+ ixgbevf_negotiate_api+0x66/0x160 [ixgbevf]
+ ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf]
+ ixgbevf_probe+0x20f/0x4a0 [ixgbevf]
+ local_pci_probe+0x50/0xa0
+ work_for_cpu_fn+0x1a/0x30
+ [...]
+
+Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and
+wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP
+gracefully.
+
+Fixes: a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features")
+Reported-by: Xiaoqiang Xiong <xxiong@redhat.com>
+Closes: https://issues.redhat.com/browse/RHEL-155455
+Assisted-by: Claude:claude-4.6-opus-high Cursor
+Tested-by: Xiaoqiang Xiong <xxiong@redhat.com>
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbevf/vf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.c b/drivers/net/ethernet/intel/ixgbevf/vf.c
+index 708d5dd921acc..70dfda13b7885 100644
+--- a/drivers/net/ethernet/intel/ixgbevf/vf.c
++++ b/drivers/net/ethernet/intel/ixgbevf/vf.c
+@@ -709,6 +709,12 @@ static int ixgbevf_negotiate_features_vf(struct ixgbe_hw *hw, u32 *pf_features)
+ return err;
+ }
+
++static int ixgbevf_hv_negotiate_features_vf(struct ixgbe_hw *hw,
++ u32 *pf_features)
++{
++ return -EOPNOTSUPP;
++}
++
+ /**
+ * ixgbevf_set_vfta_vf - Set/Unset VLAN filter table address
+ * @hw: pointer to the HW structure
+@@ -1142,6 +1148,7 @@ static const struct ixgbe_mac_operations ixgbevf_hv_mac_ops = {
+ .setup_link = ixgbevf_setup_mac_link_vf,
+ .check_link = ixgbevf_hv_check_mac_link_vf,
+ .negotiate_api_version = ixgbevf_hv_negotiate_api_version_vf,
++ .negotiate_features = ixgbevf_hv_negotiate_features_vf,
+ .set_rar = ixgbevf_hv_set_rar_vf,
+ .update_mc_addr_list = ixgbevf_hv_update_mc_addr_list_vf,
+ .update_xcast_mode = ixgbevf_hv_update_xcast_mode,
+--
+2.53.0
+
--- /dev/null
+From 92a2551b38958b6812e8cd15081c8bf94b867ad7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 20:49:49 +0300
+Subject: l2tp: Drop large packets with UDP encap
+
+From: Alice Mikityanska <alice@isovalent.com>
+
+[ Upstream commit ebe560ea5f54134279356703e73b7f867c89db13 ]
+
+syzbot reported a WARN on my patch series [1]. The actual issue is an
+overflow of 16-bit UDP length field, and it exists in the upstream code.
+My series added a debug WARN with an overflow check that exposed the
+issue, that's why syzbot tripped on my patches, rather than on upstream
+code.
+
+syzbot's repro:
+
+r0 = socket$pppl2tp(0x18, 0x1, 0x1)
+r1 = socket$inet6_udp(0xa, 0x2, 0x0)
+connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c)
+connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
+writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1)
+
+It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP
+encapsulation, and l2tp_xmit_core doesn't check for overflows when it
+assigns the UDP length field. The value gets trimmed to 16 bites.
+
+Add an overflow check that drops oversized packets and avoids sending
+packets with trimmed UDP length to the wire.
+
+syzbot's stack trace (with my patch applied):
+
+len >= 65536u
+WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957
+WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957
+WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957
+Modules linked in:
+CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
+RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline]
+RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline]
+RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327
+Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f
+RSP: 0018:ffffc90003d67878 EFLAGS: 00010293
+RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000
+RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff
+RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
+R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900
+R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000
+FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ sock_write_iter+0x503/0x550 net/socket.c:1195
+ do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1
+ vfs_writev+0x33c/0x990 fs/read_write.c:1059
+ do_writev+0x154/0x2e0 fs/read_write.c:1105
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f636479c629
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
+RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629
+RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003
+RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0
+ </TASK>
+
+[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/
+
+Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
+Reported-by: syzbot+ci3edea60a44225dec@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/69a1dfba.050a0220.3a55be.0026.GAE@google.com/
+Signed-off-by: Alice Mikityanska <alice@isovalent.com>
+Link: https://patch.msgid.link/20260403174949.843941-1-alice.kernel@fastmail.im
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index e0ca08ebd16a9..3c701795fa100 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1083,6 +1083,11 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns
+ uh->source = inet->inet_sport;
+ uh->dest = inet->inet_dport;
+ udp_len = uhlen + session->hdr_len + data_len;
++ if (udp_len > U16_MAX) {
++ kfree_skb(skb);
++ ret = NET_XMIT_DROP;
++ goto out_unlock;
++ }
+ uh->len = htons(udp_len);
+
+ /* Calculate UDP checksum if configured to do so */
+--
+2.53.0
+
--- /dev/null
+From 7dae2792d097c3dc0fe60e08e07a47ccb505fc44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Feb 2026 10:47:51 +0100
+Subject: media: rkvdec: reduce stack usage in rkvdec_init_v4l2_vp9_count_tbl()
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit c03b7dec3c4ddc97872fa12bfca75bae9cb46510 ]
+
+The deeply nested loop in rkvdec_init_v4l2_vp9_count_tbl() needs a lot
+of registers, so when the clang register allocator runs out, it ends up
+spilling countless temporaries to the stack:
+
+drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c:966:12: error: stack frame size (1472) exceeds limit (1280) in 'rkvdec_vp9_start' [-Werror,-Wframe-larger-than]
+
+Marking this function as noinline_for_stack keeps it out of
+rkvdec_vp9_start(), giving the compiler more room for optimization.
+
+The resulting code is good enough that both the total stack usage
+and the loop get enough better to stay under the warning limit,
+though it's still slow, and would need a larger rework if this
+function ends up being called in a fast path.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/rkvdec/rkvdec-vp9.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/rkvdec/rkvdec-vp9.c b/drivers/staging/media/rkvdec/rkvdec-vp9.c
+index cfae99b40ccb4..dc3e6354c7974 100644
+--- a/drivers/staging/media/rkvdec/rkvdec-vp9.c
++++ b/drivers/staging/media/rkvdec/rkvdec-vp9.c
+@@ -924,7 +924,8 @@ static void rkvdec_vp9_done(struct rkvdec_ctx *ctx,
+ update_ctx_last_info(vp9_ctx);
+ }
+
+-static void rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx)
++static noinline_for_stack void
++rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx)
+ {
+ struct rkvdec_vp9_ctx *vp9_ctx = ctx->priv;
+ struct rkvdec_vp9_intra_frame_symbol_counts *intra_cnts = vp9_ctx->count_tbl.cpu;
+--
+2.53.0
+
--- /dev/null
+From 8751d140d1bc9ed87f5fb6c446cd19b2e219bee6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 10:35:19 +0000
+Subject: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b120e4432f9f56c7103133d6a11245e617695adb ]
+
+lapbeth_data_transmit() expects the underlying device type
+to be ARPHRD_ETHER.
+
+Returning NOTIFY_BAD from lapbeth_device_event() makes sure
+bonding driver can not break this expectation.
+
+Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
+Reported-by: syzbot+d8c285748fa7292580a9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/69cd22a1.050a0220.70c3a.0002.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Martin Schiller <ms@dev.tdt.de>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260402103519.1201565-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lapbether.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index 56326f38fe8a3..da61716a66c46 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -444,33 +444,36 @@ static void lapbeth_free_device(struct lapbethdev *lapbeth)
+ static int lapbeth_device_event(struct notifier_block *this,
+ unsigned long event, void *ptr)
+ {
+- struct lapbethdev *lapbeth;
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
++ struct lapbethdev *lapbeth;
+
+ if (dev_net(dev) != &init_net)
+ return NOTIFY_DONE;
+
+- if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev))
++ lapbeth = lapbeth_get_x25_dev(dev);
++ if (!dev_is_ethdev(dev) && !lapbeth)
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
+ /* New ethernet device -> new LAPB interface */
+- if (!lapbeth_get_x25_dev(dev))
++ if (!lapbeth)
+ lapbeth_new_device(dev);
+ break;
+ case NETDEV_GOING_DOWN:
+ /* ethernet device closes -> close LAPB interface */
+- lapbeth = lapbeth_get_x25_dev(dev);
+ if (lapbeth)
+ dev_close(lapbeth->axdev);
+ break;
+ case NETDEV_UNREGISTER:
+ /* ethernet device disappears -> remove LAPB interface */
+- lapbeth = lapbeth_get_x25_dev(dev);
+ if (lapbeth)
+ lapbeth_free_device(lapbeth);
+ break;
++ case NETDEV_PRE_TYPE_CHANGE:
++ /* Our underlying device type must not change. */
++ if (lapbeth)
++ return NOTIFY_BAD;
+ }
+
+ return NOTIFY_DONE;
+--
+2.53.0
+
--- /dev/null
+From 91fe9d47a09c5872bfb8210556109127a65c1378 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 22:46:20 +0800
+Subject: net: sched: act_csum: validate nested VLAN headers
+
+From: Ruide Cao <caoruide123@gmail.com>
+
+[ Upstream commit c842743d073bdd683606cb414eb0ca84465dd834 ]
+
+tcf_csum_act() walks nested VLAN headers directly from skb->data when an
+skb still carries in-payload VLAN tags. The current code reads
+vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without
+first ensuring that the full VLAN header is present in the linear area.
+
+If only part of an inner VLAN header is linearized, accessing
+h_vlan_encapsulated_proto reads past the linear area, and the following
+skb_pull(VLAN_HLEN) may violate skb invariants.
+
+Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and
+pulling each nested VLAN header. If the header still is not fully
+available, drop the packet through the existing error path.
+
+Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Ruide Cao <caoruide123@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_csum.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c
+index 1366adf9b9091..bcef42a3ad645 100644
+--- a/net/sched/act_csum.c
++++ b/net/sched/act_csum.c
+@@ -602,8 +602,12 @@ static int tcf_csum_act(struct sk_buff *skb, const struct tc_action *a,
+ protocol = skb->protocol;
+ orig_vlan_tag_present = true;
+ } else {
+- struct vlan_hdr *vlan = (struct vlan_hdr *)skb->data;
++ struct vlan_hdr *vlan;
+
++ if (!pskb_may_pull(skb, VLAN_HLEN))
++ goto drop;
++
++ vlan = (struct vlan_hdr *)skb->data;
+ protocol = vlan->h_vlan_encapsulated_proto;
+ skb_pull(skb, VLAN_HLEN);
+ skb_reset_network_header(skb);
+--
+2.53.0
+
--- /dev/null
+From 1e3192760ea32ffeb5533a6851aa7af5066f55e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2026 17:39:47 +0800
+Subject: netfilter: ip6t_eui64: reject invalid MAC header for all packets
+
+From: Zhengchuan Liang <zcliangcn@gmail.com>
+
+[ Upstream commit fdce0b3590f724540795b874b4c8850c90e6b0a8 ]
+
+`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
+and compares it with the low 64 bits of the IPv6 source address.
+
+The existing guard only rejects an invalid MAC header when
+`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
+can still reach `eth_hdr(skb)` even when the MAC header is not valid.
+
+Fix this by removing the `par->fragoff != 0` condition so that packets
+with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/ip6t_eui64.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
+index d704f7ed300c2..da69a27e8332c 100644
+--- a/net/ipv6/netfilter/ip6t_eui64.c
++++ b/net/ipv6/netfilter/ip6t_eui64.c
+@@ -22,8 +22,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
+ unsigned char eui64[8];
+
+ if (!(skb_mac_header(skb) >= skb->head &&
+- skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
+- par->fragoff != 0) {
++ skb_mac_header(skb) + ETH_HLEN <= skb->data)) {
+ par->hotdrop = true;
+ return false;
+ }
+--
+2.53.0
+
--- /dev/null
+From 16486484502ba8b84d62ff6772a2503b6e3c3bc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 14:20:57 -0700
+Subject: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE
+ terminator
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit 1f3083aec8836213da441270cdb1ab612dd82cf4 ]
+
+When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send()
+appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via
+nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put()
+helper only zeroes alignment padding after the payload, not the payload
+itself, so four bytes of stale kernel heap data are leaked to userspace
+in the NLMSG_DONE message body.
+
+Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes
+the nfgenmsg payload via nfnl_fill_hdr(), consistent with how
+__build_packet_message() already constructs NFULNL_MSG_PACKET headers.
+
+Fixes: 29c5d4afba51 ("[NETFILTER]: nfnetlink_log: fix sending of multipart messages")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_log.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
+index 6bf7d7bea1fc2..b7528fa74f3af 100644
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -351,10 +351,10 @@ static void
+ __nfulnl_send(struct nfulnl_instance *inst)
+ {
+ if (inst->qlen > 1) {
+- struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0,
+- NLMSG_DONE,
+- sizeof(struct nfgenmsg),
+- 0);
++ struct nlmsghdr *nlh = nfnl_msg_put(inst->skb, 0, 0,
++ NLMSG_DONE, 0,
++ AF_UNSPEC, NFNETLINK_V0,
++ htons(inst->group_num));
+ if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n",
+ inst->skb->len, skb_tailroom(inst->skb))) {
+ kfree_skb(inst->skb);
+--
+2.53.0
+
--- /dev/null
+From 34b19fa4cae1bf0b844d8229e36aeb3de2c96784 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Mar 2026 14:10:55 +0100
+Subject: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
+ expiry
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit d3c0037ffe1273fa1961e779ff6906234d6cf53c ]
+
+New test case fails unexpectedly when avx2 matching functions are used.
+
+The test first loads a ranomly generated pipapo set
+with 'ipv4 . port' key, i.e. nft -f foo.
+
+This works. Then, it reloads the set after a flush:
+(echo flush set t s; cat foo) | nft -f -
+
+This is expected to work, because its the same set after all and it was
+already loaded once.
+
+But with avx2, this fails: nft reports a clashing element.
+
+The reported clash is of following form:
+
+ We successfully re-inserted
+ a . b
+ c . d
+
+Then we try to insert a . d
+
+avx2 finds the already existing a . d, which (due to 'flush set') is marked
+as invalid in the new generation. It skips the element and moves to next.
+
+Due to incorrect masking, the skip-step finds the next matching
+element *only considering the first field*,
+
+i.e. we return the already reinserted "a . b", even though the
+last field is different and the entry should not have been matched.
+
+No such error is reported for the generic c implementation (no avx2) or when
+the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.
+
+Bisection points to
+7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection")
+but that fix merely uncovers this bug.
+
+Before this commit, the wrong element is returned, but erronously
+reported as a full, identical duplicate.
+
+The root-cause is too early return in the avx2 match functions.
+When we process the last field, we should continue to process data
+until the entire input size has been consumed to make sure no stale
+bits remain in the map.
+
+Link: https://lore.kernel.org/netfilter-devel/20260321152506.037f68c0@elisabeth/
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_pipapo_avx2.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
+index be7c16c79f711..2a761a644d4da 100644
+--- a/net/netfilter/nft_set_pipapo_avx2.c
++++ b/net/netfilter/nft_set_pipapo_avx2.c
+@@ -242,7 +242,7 @@ static int nft_pipapo_avx2_lookup_4b_2(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -319,7 +319,7 @@ static int nft_pipapo_avx2_lookup_4b_4(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -414,7 +414,7 @@ static int nft_pipapo_avx2_lookup_4b_8(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -505,7 +505,7 @@ static int nft_pipapo_avx2_lookup_4b_12(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -641,7 +641,7 @@ static int nft_pipapo_avx2_lookup_4b_32(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -699,7 +699,7 @@ static int nft_pipapo_avx2_lookup_8b_1(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -764,7 +764,7 @@ static int nft_pipapo_avx2_lookup_8b_2(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -839,7 +839,7 @@ static int nft_pipapo_avx2_lookup_8b_4(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -925,7 +925,7 @@ static int nft_pipapo_avx2_lookup_8b_6(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -1019,7 +1019,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+--
+2.53.0
+
--- /dev/null
+From 7e8f06155482ee318c1a48ace915c360e4d53b9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 23:52:52 +0800
+Subject: netfilter: xt_multiport: validate range encoding in checkentry
+
+From: Ren Wei <n05ec@lzu.edu.cn>
+
+[ Upstream commit ff64c5bfef12461df8450e0f50bb693b5269c720 ]
+
+ports_match_v1() treats any non-zero pflags entry as the start of a
+port range and unconditionally consumes the next ports[] element as
+the range end.
+
+The checkentry path currently validates protocol, flags and count, but
+it does not validate the range encoding itself. As a result, malformed
+rules can mark the last slot as a range start or place two range starts
+back to back, leaving ports_match_v1() to step past the last valid
+ports[] element while interpreting the rule.
+
+Reject malformed multiport v1 rules in checkentry by validating that
+each range start has a following element and that the following element
+is not itself marked as another range start.
+
+Fixes: a89ecb6a2ef7 ("[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Yuhang Zheng <z1652074432@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_multiport.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
+index 44a00f5acde8a..a1691ff405d3c 100644
+--- a/net/netfilter/xt_multiport.c
++++ b/net/netfilter/xt_multiport.c
+@@ -105,6 +105,28 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
+ return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1]));
+ }
+
++static bool
++multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo)
++{
++ unsigned int i;
++
++ for (i = 0; i < multiinfo->count; i++) {
++ if (!multiinfo->pflags[i])
++ continue;
++
++ if (++i >= multiinfo->count)
++ return false;
++
++ if (multiinfo->pflags[i])
++ return false;
++
++ if (multiinfo->ports[i - 1] > multiinfo->ports[i])
++ return false;
++ }
++
++ return true;
++}
++
+ static inline bool
+ check(u_int16_t proto,
+ u_int8_t ip_invflags,
+@@ -127,8 +149,10 @@ static int multiport_mt_check(const struct xt_mtchk_param *par)
+ const struct ipt_ip *ip = par->entryinfo;
+ const struct xt_multiport_v1 *multiinfo = par->matchinfo;
+
+- return check(ip->proto, ip->invflags, multiinfo->flags,
+- multiinfo->count) ? 0 : -EINVAL;
++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count))
++ return -EINVAL;
++
++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL;
+ }
+
+ static int multiport_mt6_check(const struct xt_mtchk_param *par)
+@@ -136,8 +160,10 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par)
+ const struct ip6t_ip6 *ip = par->entryinfo;
+ const struct xt_multiport_v1 *multiinfo = par->matchinfo;
+
+- return check(ip->proto, ip->invflags, multiinfo->flags,
+- multiinfo->count) ? 0 : -EINVAL;
++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count))
++ return -EINVAL;
++
++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL;
+ }
+
+ static struct xt_match multiport_mt_reg[] __read_mostly = {
+--
+2.53.0
+
--- /dev/null
+From ece5aa912830392813a1a13a7c2771c1eb388958 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 12:21:48 +0800
+Subject: nfc: s3fwrn5: allocate rx skb before consuming bytes
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 5c14a19d5b1645cce1cb1252833d70b23635b632 ]
+
+s3fwrn82_uart_read() reports the number of accepted bytes to the serdev
+core. The current code consumes bytes into recv_skb and may already
+deliver a complete frame before allocating a fresh receive buffer.
+
+If that alloc_skb() fails, the callback returns 0 even though it has
+already consumed bytes, and it leaves recv_skb as NULL for the next
+receive callback. That breaks the receive_buf() accounting contract and
+can also lead to a NULL dereference on the next skb_put_u8().
+
+Allocate the receive skb lazily before consuming the next byte instead.
+If allocation fails, return the number of bytes already accepted.
+
+Fixes: 3f52c2cb7e3a ("nfc: s3fwrn5: Support a UART interface")
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Link: https://patch.msgid.link/20260402042148.65236-1-pengpeng@iscas.ac.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/s3fwrn5/uart.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nfc/s3fwrn5/uart.c b/drivers/nfc/s3fwrn5/uart.c
+index 82ea35d748a5d..dde1a87ed1e47 100644
+--- a/drivers/nfc/s3fwrn5/uart.c
++++ b/drivers/nfc/s3fwrn5/uart.c
+@@ -59,6 +59,12 @@ static int s3fwrn82_uart_read(struct serdev_device *serdev,
+ size_t i;
+
+ for (i = 0; i < count; i++) {
++ if (!phy->recv_skb) {
++ phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL);
++ if (!phy->recv_skb)
++ return i;
++ }
++
+ skb_put_u8(phy->recv_skb, *data++);
+
+ if (phy->recv_skb->len < S3FWRN82_NCI_HEADER)
+@@ -70,9 +76,7 @@ static int s3fwrn82_uart_read(struct serdev_device *serdev,
+
+ s3fwrn5_recv_frame(phy->common.ndev, phy->recv_skb,
+ phy->common.mode);
+- phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL);
+- if (!phy->recv_skb)
+- return 0;
++ phy->recv_skb = NULL;
+ }
+
+ return i;
+--
+2.53.0
+
--- /dev/null
+From 70bde1e8781dbac58888d0c2440e498ccf58abf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 14:07:42 -0700
+Subject: PCI: hv: Set default NUMA node to 0 for devices without affinity info
+
+From: Long Li <longli@microsoft.com>
+
+[ Upstream commit 7b3b1e5a87b2f5e35c52b5386d7c327be869454f ]
+
+When hv_pci_assign_numa_node() processes a device that does not have
+HV_PCI_DEVICE_FLAG_NUMA_AFFINITY set or has an out-of-range
+virtual_numa_node, the device NUMA node is left unset. On x86_64,
+the uninitialized default happens to be 0, but on ARM64 it is
+NUMA_NO_NODE (-1).
+
+Tests show that when no NUMA information is available from the Hyper-V
+host, devices perform best when assigned to node 0. With NUMA_NO_NODE
+the kernel may spread work across NUMA nodes, which degrades
+performance on Hyper-V, particularly for high-throughput devices like
+MANA.
+
+Always set the device NUMA node to 0 before the conditional NUMA
+affinity check, so that devices get a performant default when the host
+provides no NUMA information, and behavior is consistent on both
+x86_64 and ARM64.
+
+Fixes: 999dd956d838 ("PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2")
+Signed-off-by: Long Li <longli@microsoft.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-hyperv.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
+index 09491d06589ee..58430ca37bbdf 100644
+--- a/drivers/pci/controller/pci-hyperv.c
++++ b/drivers/pci/controller/pci-hyperv.c
+@@ -2291,6 +2291,14 @@ static void hv_pci_assign_numa_node(struct hv_pcibus_device *hbus)
+ if (!hv_dev)
+ continue;
+
++ /*
++ * If the Hyper-V host doesn't provide a NUMA node for the
++ * device, default to node 0. With NUMA_NO_NODE the kernel
++ * may spread work across NUMA nodes, which degrades
++ * performance on Hyper-V.
++ */
++ set_dev_node(&dev->dev, 0);
++
+ if (hv_dev->desc.flags & HV_PCI_DEVICE_FLAG_NUMA_AFFINITY &&
+ hv_dev->desc.virtual_numa_node < num_possible_nodes())
+ /*
+--
+2.53.0
+
--- /dev/null
+From 2a16b37b9cd34b9aa5c9226d340f12781a4e96cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 10:40:48 -0700
+Subject: perf/x86/intel/uncore: Skip discovery table for offline dies
+
+From: Zide Chen <zide.chen@intel.com>
+
+[ Upstream commit 7b568e9eba2fad89a696f22f0413d44cf4a1f892 ]
+
+This warning can be triggered if NUMA is disabled and the system
+boots with fewer CPUs than the number of CPUs in die 0.
+
+WARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore]
+
+Currently, the discovery table continues to be parsed even if all CPUs
+in the associated die are offline. This can lead to an array overflow
+at "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which may
+trigger the warning above or cause other issues.
+
+Fixes: edae1f06c2cd ("perf/x86/intel/uncore: Parse uncore discovery tables")
+Reported-by: Steve Wahl <steve.wahl@hpe.com>
+Signed-off-by: Zide Chen <zide.chen@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Tested-by: Steve Wahl <steve.wahl@hpe.com>
+Link: https://patch.msgid.link/20260313174050.171704-3-zide.chen@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore_discovery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/events/intel/uncore_discovery.c b/arch/x86/events/intel/uncore_discovery.c
+index 7d454141433c8..a78899a27dcb4 100644
+--- a/arch/x86/events/intel/uncore_discovery.c
++++ b/arch/x86/events/intel/uncore_discovery.c
+@@ -311,7 +311,7 @@ bool intel_uncore_has_discovery_tables(void)
+ (val & UNCORE_DISCOVERY_DVSEC2_BIR_MASK) * UNCORE_DISCOVERY_BIR_STEP;
+
+ die = get_device_die_id(dev);
+- if (die < 0)
++ if ((die < 0) || (die >= uncore_max_dies()))
+ continue;
+
+ parse_discovery_table(dev, die, bar_offset, &parsed);
+--
+2.53.0
+
--- /dev/null
+From 3e1188fa84d4c71f8c5f5767bc32584d9a06a3b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 18:14:04 +0100
+Subject: pinctrl: intel: Fix the revision for new features (1kOhm PD, HW
+ debouncer)
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit a4337a24d13e9e3b98a113e71d6b80dc5ed5f8c4 ]
+
+The 1kOhm pull down and hardware debouncer are features of the revision 0.92
+of the Chassis specification. Fix that in the code accordingly.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/intel/pinctrl-intel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c
+index 8542053d4d6d0..2c357a69e0345 100644
+--- a/drivers/pinctrl/intel/pinctrl-intel.c
++++ b/drivers/pinctrl/intel/pinctrl-intel.c
+@@ -1547,7 +1547,7 @@ static int intel_pinctrl_probe(struct platform_device *pdev,
+ value = readl(regs + REVID);
+ if (value == ~0u)
+ return -ENODEV;
+- if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x94) {
++ if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x92) {
+ community->features |= PINCTRL_FEATURE_DEBOUNCE;
+ community->features |= PINCTRL_FEATURE_1K_PD;
+ }
+--
+2.53.0
+
--- /dev/null
+From 9a7aa012563bbff7078eebb4631b1388d65acc19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2026 22:29:19 +0100
+Subject: selftests: net: bridge_vlan_mcast: wait for h1 before querier check
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit efaa71faf212324ecbf6d5339e9717fe53254f58 ]
+
+The querier-interval test adds h1 (currently a slave of the VRF created
+by simple_if_init) to a temporary bridge br1 acting as an outside IGMP
+querier. The kernel VRF driver (drivers/net/vrf.c) calls cycle_netdev()
+on every slave add and remove, toggling the interface admin-down then up.
+Phylink takes the PHY down during the admin-down half of that cycle.
+Since h1 and swp1 are cable-connected, swp1 also loses its link may need
+several seconds to re-negotiate.
+
+Use setup_wait_dev $h1 0 which waits for h1 to return to UP state, so the
+test can rely on the link being back up at this point.
+
+Fixes: 4d8610ee8bd77 ("selftests: net: bridge: add vlan mcast_querier_interval tests")
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Reviewed-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Link: https://patch.msgid.link/c830f130860fd2efae08bfb9e5b25fd028e58ce5.1775424423.git.daniel@makrotopia.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
+index 8748d1b1d95b7..cc0a6e46457d9 100755
+--- a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
++++ b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
+@@ -411,6 +411,7 @@ vlmc_querier_intvl_test()
+ bridge vlan add vid 10 dev br1 self pvid untagged
+ ip link set dev $h1 master br1
+ ip link set dev br1 up
++ setup_wait_dev $h1 0
+ bridge vlan add vid 10 dev $h1 master
+ bridge vlan global set vid 10 dev br1 mcast_snooping 1 mcast_querier 1
+ sleep 2
+--
+2.53.0
+
--- /dev/null
+asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch
+alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch
+media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch
+alsa-asihpi-avoid-write-overflow-check-warning.patch
+asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch
+asoc-sof-topology-reject-invalid-vendor-array-size-i.patch
+can-mcp251x-add-error-handling-for-power-enable-in-o.patch
+btrfs-tracepoints-get-correct-superblock-from-dentry.patch
+alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch
+srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch
+netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch
+alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch
+wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch
+asoc-soc-core-call-missing-init_list_head-for-card_a.patch
+alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch
+fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch
+asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch
+pinctrl-intel-fix-the-revision-for-new-features-1koh.patch
+hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch
+alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch
+hid-roccat-fix-use-after-free-in-roccat_report_event.patch
+ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch
+wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch
+asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch
+soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch
+arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch
+pci-hv-set-default-numa-node-to-0-for-devices-withou.patch
+drm-vc4-release-runtime-pm-reference-after-binding-v.patch
+drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch
+drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch
+drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch
+epoll-use-refcount-to-reduce-ep_mutex-contention.patch
+eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch
+net-sched-act_csum-validate-nested-vlan-headers.patch
+net-lapbether-handle-netdev_pre_type_change.patch
+ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch
+nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch
+dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch
+tracing-probe-reject-non-closed-empty-immediate-stri.patch
+ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch
+e1000-check-return-value-of-e1000_read_eeprom.patch
+xsk-tighten-umem-headroom-validation-to-account-for-.patch
+xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch
+xfrm_user-fix-info-leak-in-build_mapping.patch
+selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch
+netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch
+netfilter-xt_multiport-validate-range-encoding-in-ch.patch
+netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch
+af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch
+l2tp-drop-large-packets-with-udp-encap.patch
+gpio-tegra-fix-irq_release_resources-calling-enable-.patch
+perf-x86-intel-uncore-skip-discovery-table-for-offli.patch
+clockevents-prevent-timer-interrupt-starvation.patch
+crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch
--- /dev/null
+From 7c571ce36b7d86dad67087efa36a81649e153ad5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jan 2026 16:37:56 +0800
+Subject: soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching
+
+From: Potin Lai <potin.lai.pt@gmail.com>
+
+[ Upstream commit 7ec1bd3d9be671d04325b9e06149b8813f6a4836 ]
+
+The siliconid_to_name() function currently masks the input silicon ID
+with 0xff00ffff, but compares it against unmasked table entries. This
+causes matching to fail if the table entries contain non-zero values in
+the bits covered by the mask (bits 16-23).
+
+Update the logic to apply the 0xff00ffff mask to the table entries
+during comparison. This ensures that only the relevant model and
+revision bits are considered, providing a consistent match across
+different manufacturing batches.
+
+[arj: Add Fixes: tag, fix 'soninfo' typo, clarify function reference]
+
+Fixes: e0218dca5787 ("soc: aspeed: Add soc info driver")
+Signed-off-by: Potin Lai <potin.lai.pt@gmail.com>
+Link: https://patch.msgid.link/20260122-soc_aspeed_name_fix-v1-1-33a847f2581c@gmail.com
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/aspeed/aspeed-socinfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspeed-socinfo.c
+index 67e9ac3d08ecc..a90b100f4d101 100644
+--- a/drivers/soc/aspeed/aspeed-socinfo.c
++++ b/drivers/soc/aspeed/aspeed-socinfo.c
+@@ -39,7 +39,7 @@ static const char *siliconid_to_name(u32 siliconid)
+ unsigned int i;
+
+ for (i = 0 ; i < ARRAY_SIZE(rev_table) ; ++i) {
+- if (rev_table[i].id == id)
++ if ((rev_table[i].id & 0xff00ffff) == id)
+ return rev_table[i].name;
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 23a2bb06dfb4a8f3ed5996cb57df6f5eb7aa53e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 20:14:18 -0400
+Subject: srcu: Use irq_work to start GP in tiny SRCU
+
+From: Joel Fernandes <joelagnelf@nvidia.com>
+
+[ Upstream commit a6fc88b22bc8d12ad52e8412c667ec0f5bf055af ]
+
+Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(),
+which acquires the workqueue pool->lock.
+
+This causes a lockdep splat when call_srcu() is called with a scheduler
+lock held, due to:
+
+ call_srcu() [holding pi_lock]
+ srcu_gp_start_if_needed()
+ schedule_work() -> pool->lock
+
+ workqueue_init() / create_worker() [holding pool->lock]
+ wake_up_process() -> try_to_wake_up() -> pi_lock
+
+Also add irq_work_sync() to cleanup_srcu_struct() to prevent a
+use-after-free if a queued irq_work fires after cleanup begins.
+
+Tested with rcutorture SRCU-T and no lockdep warnings.
+
+[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work
+to start process_srcu()" ]
+
+Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
+Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Boqun Feng <boqun@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/srcutiny.h | 4 ++++
+ kernel/rcu/srcutiny.c | 19 ++++++++++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/srcutiny.h b/include/linux/srcutiny.h
+index 5aa5e0faf6a12..a351d0a365c4b 100644
+--- a/include/linux/srcutiny.h
++++ b/include/linux/srcutiny.h
+@@ -11,6 +11,7 @@
+ #ifndef _LINUX_SRCU_TINY_H
+ #define _LINUX_SRCU_TINY_H
+
++#include <linux/irq_work_types.h>
+ #include <linux/swait.h>
+
+ struct srcu_struct {
+@@ -24,18 +25,21 @@ struct srcu_struct {
+ struct rcu_head *srcu_cb_head; /* Pending callbacks: Head. */
+ struct rcu_head **srcu_cb_tail; /* Pending callbacks: Tail. */
+ struct work_struct srcu_work; /* For driving grace periods. */
++ struct irq_work srcu_irq_work; /* Defer schedule_work() to irq work. */
+ #ifdef CONFIG_DEBUG_LOCK_ALLOC
+ struct lockdep_map dep_map;
+ #endif /* #ifdef CONFIG_DEBUG_LOCK_ALLOC */
+ };
+
+ void srcu_drive_gp(struct work_struct *wp);
++void srcu_tiny_irq_work(struct irq_work *irq_work);
+
+ #define __SRCU_STRUCT_INIT(name, __ignored) \
+ { \
+ .srcu_wq = __SWAIT_QUEUE_HEAD_INITIALIZER(name.srcu_wq), \
+ .srcu_cb_tail = &name.srcu_cb_head, \
+ .srcu_work = __WORK_INITIALIZER(name.srcu_work, srcu_drive_gp), \
++ .srcu_irq_work = { .func = srcu_tiny_irq_work }, \
+ __SRCU_DEP_MAP_INIT(name) \
+ }
+
+diff --git a/kernel/rcu/srcutiny.c b/kernel/rcu/srcutiny.c
+index 5e7f336baa06a..9c416bfe6cc80 100644
+--- a/kernel/rcu/srcutiny.c
++++ b/kernel/rcu/srcutiny.c
+@@ -9,6 +9,7 @@
+ */
+
+ #include <linux/export.h>
++#include <linux/irq_work.h>
+ #include <linux/mutex.h>
+ #include <linux/preempt.h>
+ #include <linux/rcupdate_wait.h>
+@@ -37,6 +38,7 @@ static int init_srcu_struct_fields(struct srcu_struct *ssp)
+ ssp->srcu_idx_max = 0;
+ INIT_WORK(&ssp->srcu_work, srcu_drive_gp);
+ INIT_LIST_HEAD(&ssp->srcu_work.entry);
++ init_irq_work(&ssp->srcu_irq_work, srcu_tiny_irq_work);
+ return 0;
+ }
+
+@@ -80,6 +82,7 @@ EXPORT_SYMBOL_GPL(init_srcu_struct);
+ void cleanup_srcu_struct(struct srcu_struct *ssp)
+ {
+ WARN_ON(ssp->srcu_lock_nesting[0] || ssp->srcu_lock_nesting[1]);
++ irq_work_sync(&ssp->srcu_irq_work);
+ flush_work(&ssp->srcu_work);
+ WARN_ON(ssp->srcu_gp_running);
+ WARN_ON(ssp->srcu_gp_waiting);
+@@ -156,6 +159,20 @@ void srcu_drive_gp(struct work_struct *wp)
+ }
+ EXPORT_SYMBOL_GPL(srcu_drive_gp);
+
++/*
++ * Use an irq_work to defer schedule_work() to avoid acquiring the workqueue
++ * pool->lock while the caller might hold scheduler locks, causing lockdep
++ * splats due to workqueue_init() doing a wakeup.
++ */
++void srcu_tiny_irq_work(struct irq_work *irq_work)
++{
++ struct srcu_struct *ssp;
++
++ ssp = container_of(irq_work, struct srcu_struct, srcu_irq_work);
++ schedule_work(&ssp->srcu_work);
++}
++EXPORT_SYMBOL_GPL(srcu_tiny_irq_work);
++
+ static void srcu_gp_start_if_needed(struct srcu_struct *ssp)
+ {
+ unsigned long cookie;
+@@ -166,7 +183,7 @@ static void srcu_gp_start_if_needed(struct srcu_struct *ssp)
+ WRITE_ONCE(ssp->srcu_idx_max, cookie);
+ if (!READ_ONCE(ssp->srcu_gp_running)) {
+ if (likely(srcu_init_done))
+- schedule_work(&ssp->srcu_work);
++ irq_work_queue(&ssp->srcu_irq_work);
+ else if (list_empty(&ssp->srcu_work.entry))
+ list_add(&ssp->srcu_work.entry, &srcu_boot_list);
+ }
+--
+2.53.0
+
--- /dev/null
+From 8cc5bdf18e358afbb90cfc26ed73edb725a5df09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 00:03:15 +0800
+Subject: tracing/probe: reject non-closed empty immediate strings
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 4346be6577aaa04586167402ae87bbdbe32484a4 ]
+
+parse_probe_arg() accepts quoted immediate strings and passes the body
+after the opening quote to __parse_imm_string(). That helper currently
+computes strlen(str) and immediately dereferences str[len - 1], which
+underflows when the body is empty and not closed with double-quotation.
+
+Reject empty non-closed immediate strings before checking for the closing quote.
+
+Link: https://lore.kernel.org/all/20260401160315.88518-1-pengpeng@iscas.ac.cn/
+
+Fixes: a42e3c4de964 ("tracing/probe: Add immediate string parameter support")
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_probe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
+index 3888a59c9dfe9..280e3d0f61b29 100644
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -366,7 +366,7 @@ static int __parse_imm_string(char *str, char **pbuf, int offs)
+ {
+ size_t len = strlen(str);
+
+- if (str[len - 1] != '"') {
++ if (!len || str[len - 1] != '"') {
+ trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE);
+ return -EINVAL;
+ }
+--
+2.53.0
+
--- /dev/null
+From f979d6958c1b6e91b82427f8db3263fcec7a760b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 15:45:51 +0800
+Subject: wifi: brcmfmac: validate bsscfg indices in IF events
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ]
+
+brcmf_fweh_handle_if_event() validates the firmware-provided interface
+index before it touches drvr->iflist[], but it still uses the raw
+bsscfgidx field as an array index without a matching range check.
+
+Reject IF events whose bsscfg index does not fit in drvr->iflist[]
+before indexing the interface array.
+
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn
+[add missing wifi prefix]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+index dac7eb77799bd..e6be192dc0af2 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+@@ -151,6 +151,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr,
+ bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx);
+ return;
+ }
++ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) {
++ bphy_err(drvr, "invalid bsscfg index: %u\n",
++ ifevent->bsscfgidx);
++ return;
++ }
+
+ ifp = drvr->iflist[ifevent->bsscfgidx];
+
+--
+2.53.0
+
--- /dev/null
+From 988fd9cfa7fa215876975f07d7c4afea7e2574c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 16:08:45 +0800
+Subject: wifi: wl1251: validate packet IDs before indexing tx_frames
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 ]
+
+wl1251_tx_packet_cb() uses the firmware completion ID directly to index
+the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the
+completion block, and the callback does not currently verify that it
+fits the array before dereferencing it.
+
+Reject completion IDs that fall outside wl->tx_frames[] and keep the
+existing NULL check in the same guard. This keeps the fix local to the
+trust boundary and avoids touching the rest of the completion flow.
+
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl1251/tx.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c
+index 06dc74cc6cb52..2b316c78eefc9 100644
+--- a/drivers/net/wireless/ti/wl1251/tx.c
++++ b/drivers/net/wireless/ti/wl1251/tx.c
+@@ -402,12 +402,14 @@ static void wl1251_tx_packet_cb(struct wl1251 *wl,
+ int hdrlen;
+ u8 *frame;
+
+- skb = wl->tx_frames[result->id];
+- if (skb == NULL) {
+- wl1251_error("SKB for packet %d is NULL", result->id);
++ if (unlikely(result->id >= ARRAY_SIZE(wl->tx_frames) ||
++ wl->tx_frames[result->id] == NULL)) {
++ wl1251_error("invalid packet id %u", result->id);
+ return;
+ }
+
++ skb = wl->tx_frames[result->id];
++
+ info = IEEE80211_SKB_CB(skb);
+
+ if (!(info->flags & IEEE80211_TX_CTL_NO_ACK) &&
+--
+2.53.0
+
--- /dev/null
+From e62b6de563ec799c4b8321961dd7628c12bc529d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 13:31:04 +0200
+Subject: xfrm: Wait for RCU readers during policy netns exit
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+[ Upstream commit 069daad4f2ae9c5c108131995529d5f02392c446 ]
+
+xfrm_policy_fini() frees the policy_bydst hash tables after flushing the
+policy work items and deleting all policies, but it does not wait for
+concurrent RCU readers to leave their read-side critical sections first.
+
+The policy_bydst tables are published via rcu_assign_pointer() and are
+looked up through rcu_dereference_check(), so netns teardown must also
+wait for an RCU grace period before freeing the table memory.
+
+Fix this by adding synchronize_rcu() before freeing the policy hash tables.
+
+Fixes: e1e551bc5630 ("xfrm: policy: prepare policy_bydst hash for rcu lookups")
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_policy.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index cd534803a0e42..7b9151f4eccfd 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -4129,6 +4129,8 @@ static void xfrm_policy_fini(struct net *net)
+ #endif
+ xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false);
+
++ synchronize_rcu();
++
+ WARN_ON(!list_empty(&net->xfrm.policy_all));
+
+ for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
+--
+2.53.0
+
--- /dev/null
+From 35c261ca8985403264d9a5e705c720c9c674a4d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 17:33:03 +0200
+Subject: xfrm_user: fix info leak in build_mapping()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit 1beb76b2053b68c491b78370794b8ff63c8f8c02 ]
+
+struct xfrm_usersa_id has a one-byte padding hole after the proto
+field, which ends up never getting set to zero before copying out to
+userspace. Fix that up by zeroing out the whole structure before
+setting individual variables.
+
+Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink")
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Simon Horman <horms@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 64137facd128e..9d22a7753f080 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -3729,6 +3729,7 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x,
+
+ um = nlmsg_data(nlh);
+
++ memset(&um->id, 0, sizeof(um->id));
+ memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr));
+ um->id.spi = x->id.spi;
+ um->id.family = x->props.family;
+--
+2.53.0
+
--- /dev/null
+From c074c246194446b4afb0b3afb24a418a06fada2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:51 +0200
+Subject: xsk: tighten UMEM headroom validation to account for tailroom and min
+ frame
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit a315e022a72d95ef5f1d4e58e903cb492b0ad931 ]
+
+The current headroom validation in xdp_umem_reg() could leave us with
+insufficient space dedicated to even receive minimum-sized ethernet
+frame. Furthermore if multi-buffer would come to play then
+skb_shared_info stored at the end of XSK frame would be corrupted.
+
+HW typically works with 128-aligned sizes so let us provide this value
+as bare minimum.
+
+Multi-buffer setting is known later in the configuration process so
+besides accounting for 128 bytes, let us also take care of tailroom space
+upfront.
+
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Fixes: 99e3a236dd43 ("xsk: Add missing check on user supplied headroom size")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-2-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xdp_umem.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
+index 02207e852d796..561290f9e68b5 100644
+--- a/net/xdp/xdp_umem.c
++++ b/net/xdp/xdp_umem.c
+@@ -196,7 +196,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+ if (!unaligned_chunks && chunks_rem)
+ return -EINVAL;
+
+- if (headroom >= chunk_size - XDP_PACKET_HEADROOM)
++ if (headroom > chunk_size - XDP_PACKET_HEADROOM -
++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) - 128)
+ return -EINVAL;
+
+ umem->size = size;
+--
+2.53.0
+
--- /dev/null
+From f18995fcfbb9e2639f0d302ca2cd8216e118ef07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 16:00:14 +0800
+Subject: af_unix: read UNIX_DIAG_VFS data under unix_state_lock
+
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+
+[ Upstream commit 39897df386376912d561d4946499379effa1e7ef ]
+
+Exact UNIX diag lookups hold a reference to the socket, but not to
+u->path. Meanwhile, unix_release_sock() clears u->path under
+unix_state_lock() and drops the path reference after unlocking.
+
+Read the inode and device numbers for UNIX_DIAG_VFS while holding
+unix_state_lock(), then emit the netlink attribute after dropping the
+lock.
+
+This keeps the VFS data stable while the reply is being built.
+
+Fixes: 5f7b0569460b ("unix_diag: Unix inode info NLA")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260407080015.1744197-1-n05ec@lzu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/diag.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/net/unix/diag.c b/net/unix/diag.c
+index 9138af8b465e0..6a06a251a2348 100644
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -26,18 +26,23 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb)
+
+ static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb)
+ {
+- struct dentry *dentry = unix_sk(sk)->path.dentry;
++ struct unix_diag_vfs uv;
++ struct dentry *dentry;
++ bool have_vfs = false;
+
++ unix_state_lock(sk);
++ dentry = unix_sk(sk)->path.dentry;
+ if (dentry) {
+- struct unix_diag_vfs uv = {
+- .udiag_vfs_ino = d_backing_inode(dentry)->i_ino,
+- .udiag_vfs_dev = dentry->d_sb->s_dev,
+- };
+-
+- return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);
++ uv.udiag_vfs_ino = d_backing_inode(dentry)->i_ino;
++ uv.udiag_vfs_dev = dentry->d_sb->s_dev;
++ have_vfs = true;
+ }
++ unix_state_unlock(sk);
+
+- return 0;
++ if (!have_vfs)
++ return 0;
++
++ return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);
+ }
+
+ static int sk_diag_dump_peer(struct sock *sk, struct sk_buff *nlskb)
+--
+2.53.0
+
--- /dev/null
+From bf1fbcc3bb22597b036bf6203ded9535e8da8eb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 13:40:07 +0100
+Subject: ALSA: asihpi: avoid write overflow check warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 591721223be9e28f83489a59289579493b8e3d83 ]
+
+clang-22 rightfully warns that the memcpy() in adapter_prepare() copies
+between different structures, crossing the boundary of nested
+structures inside it:
+
+In file included from sound/pci/asihpi/hpimsgx.c:13:
+In file included from include/linux/string.h:386:
+include/linux/fortify-string.h:569:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
+ 569 | __write_overflow_field(p_size_field, size);
+
+The two structures seem to refer to the same layout, despite the
+separate definitions, so the code is in fact correct.
+
+Avoid the warning by copying the two inner structures separately.
+I see the same pattern happens in other functions in the same file,
+so there is a chance that this may come back in the future, but
+this instance is the only one that I saw in practice, hitting it
+multiple times per day in randconfig build.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://patch.msgid.link/20260318124016.3488566-1-arnd@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/asihpi/hpimsgx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c
+index b68e6bfbbfbab..ed1c7b7744361 100644
+--- a/sound/pci/asihpi/hpimsgx.c
++++ b/sound/pci/asihpi/hpimsgx.c
+@@ -581,8 +581,10 @@ static u16 adapter_prepare(u16 adapter)
+ HPI_ADAPTER_OPEN);
+ hm.adapter_index = adapter;
+ hw_entry_point(&hm, &hr);
+- memcpy(&rESP_HPI_ADAPTER_OPEN[adapter], &hr,
+- sizeof(rESP_HPI_ADAPTER_OPEN[0]));
++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].h, &hr,
++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].h));
++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].a, &hr.u.ax.info,
++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].a));
+ if (hr.error)
+ return hr.error;
+
+--
+2.53.0
+
--- /dev/null
+From 0c8ced7b198d47919f77e8b44a1e1fb3ed845804 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 01:08:51 +0000
+Subject: ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk
+
+From: Andrii Kovalchuk <coderpy4@proton.me>
+
+[ Upstream commit 793b008cd39516385791a1d1d223d817e947a471 ]
+
+Add a PCI quirk for HP ENVY Laptop 13-ba0xxx (PCI device ID 0x8756)
+to enable proper mute LED and mic mute behavior using the
+ALC245_FIXUP_HP_X360_MUTE_LEDS fixup.
+
+Signed-off-by: Andrii Kovalchuk <coderpy4@proton.me>
+Link: https://patch.msgid.link/u0s-uRVegF9BN0t-4JnOUwsIAR-mVc4U4FJfJHdEHX7ro_laErHD9y35NebWybcN16gVaVHPJo1ap3AoJ1a2gqJImPvThgeNt_SYVY1KaDw=@proton.me
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index fad159187f445..0dd789119f96b 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10895,6 +10895,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8735, "HP ProBook 435 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT),
++ SND_PCI_QUIRK(0x103c, 0x8756, "HP ENVY Laptop 13-ba0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS),
+ SND_PCI_QUIRK(0x103c, 0x8760, "HP EliteBook 8{4,5}5 G7", ALC285_FIXUP_HP_BEEP_MICMUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x876e, "HP ENVY x360 Convertible 13-ay0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS),
+ SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED),
+--
+2.53.0
+
--- /dev/null
+From a0362a43f1f2fb4fcb8990839d6aeedbf94fc17f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Mar 2026 10:36:03 -0500
+Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: César Montoya <sprit152009@gmail.com>
+
+[ Upstream commit 2f388b4e8fdd6b0f27cafd281658daacfd85807e ]
+
+The HP Pavilion 15-eg0xxx with subsystem ID 0x103c87cb uses a Realtek
+ALC287 codec with a mute LED wired to GPIO pin 4 (mask 0x10). The
+existing ALC287_FIXUP_HP_GPIO_LED fixup already handles this correctly,
+but the subsystem ID was missing from the quirk table.
+
+GPIO pin confirmed via manual hda-verb testing:
+ hda-verb SET_GPIO_MASK 0x10
+ hda-verb SET_GPIO_DIRECTION 0x10
+ hda-verb SET_GPIO_DATA 0x10
+
+Signed-off-by: César Montoya <sprit152009@gmail.com>
+Link: https://patch.msgid.link/20260321153603.12771-1-sprit152009@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 96df0d12b68dc..440ec4e1528ae 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10909,6 +10909,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x87cb, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+--
+2.53.0
+
--- /dev/null
+From 14bc5c1f22a357f6988133a271dd4dfd422b2974 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 10:25:03 -0700
+Subject: ALSA: hda/realtek: Add quirk for ASUS ROG Flow Z13-KJP GZ302EAC
+
+From: Matthew Schwartz <matthew.schwartz@linux.dev>
+
+[ Upstream commit 59f68dc1d8df3142cb58fd2568966a9bb7b0ed8a ]
+
+Fixes lack of audio output on the ASUS ROG Flow Z13-KJP GZ302EAC model,
+similar to the ASUS ROG Flow Z13 GZ302EA.
+
+Signed-off-by: Matthew Schwartz <matthew.schwartz@linux.dev>
+Link: https://patch.msgid.link/20260313172503.285846-1-matthew.schwartz@linux.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 0dd789119f96b..96df0d12b68dc 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11197,6 +11197,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1043, 0x14e3, "ASUS G513PI/PU/PV", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x14f2, "ASUS VivoBook X515JA", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x1503, "ASUS G733PY/PZ/PZV/PYV", ALC287_FIXUP_CS35L41_I2C_2),
++ SND_PCI_QUIRK(0x1043, 0x1514, "ASUS ROG Flow Z13 GZ302EAC", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A),
+ SND_PCI_QUIRK(0x1043, 0x1533, "ASUS GV302XA/XJ/XQ/XU/XV/XI", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x1573, "ASUS GZ301VV/VQ/VU/VJ/VA/VC/VE/VVC/VQC/VUC/VJC/VEC/VCC", ALC285_FIXUP_ASUS_HEADSET_MIC),
+--
+2.53.0
+
--- /dev/null
+From 023b4ea94fc10754c8bb23ba4003b489e234d3d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 10:54:40 -0500
+Subject: ALSA: hda/realtek: add quirk for Framework F111:000F
+
+From: Dustin L. Howett <dustin@howett.net>
+
+[ Upstream commit bac1e57adf08c9ee33e95fb09cd032f330294e70 ]
+
+Similar to commit 7b509910b3ad ("ALSA hda/realtek: Add quirk for
+Framework F111:000C") and previous quirks for Framework systems with
+Realtek codecs.
+
+000F is another new platform with an ALC285 which needs the same quirk.
+
+Signed-off-by: Dustin L. Howett <dustin@howett.net>
+Link: https://patch.msgid.link/20260327-framework-alsa-000f-v1-1-74013aba1c00@howett.net
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 440ec4e1528ae..2a32e1ead5e86 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11671,6 +11671,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x000b, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x000c, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0xf111, 0x000f, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+
+ #if 0
+ /* Below is a quirk table taken from the old code.
+--
+2.53.0
+
--- /dev/null
+From 552931f0e407ed3caba6cf1a51de67d4e8a3e121 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Mar 2026 11:29:28 +0300
+Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IMH9
+
+From: Alexander Savenko <alex.sav4387@gmail.com>
+
+[ Upstream commit 217d5bc9f96272316ac5a3215c7cc32a5127bbf3 ]
+
+The Lenovo Yoga Pro 7 14IMH9 (DMI: 83E2) shares PCI SSID 17aa:3847
+with the Legion 7 16ACHG6, but has a different codec subsystem ID
+(17aa:38cf). The existing SND_PCI_QUIRK for 17aa:3847 applies
+ALC287_FIXUP_LEGION_16ACHG6, which attempts to initialize an external
+I2C amplifier (CLSA0100) that is not present on the Yoga Pro 7 14IMH9.
+
+As a result, pin 0x17 (bass speakers) is connected to DAC 0x06 which
+has no volume control, making hardware volume adjustment completely
+non-functional. Audio is either silent or at maximum volume regardless
+of the slider position.
+
+Add a HDA_CODEC_QUIRK entry using the codec subsystem ID (17aa:38cf)
+to correctly identify the Yoga Pro 7 14IMH9 and apply
+ALC287_FIXUP_YOGA9_14IMH9_BASS_SPK_PIN, which redirects pin 0x17 to
+DAC 0x02 and restores proper volume control. The existing Legion entry
+is preserved unchanged.
+
+This follows the same pattern used for 17aa:386e, where Legion Y9000X
+and Yoga Pro 7 14ARP8 share a PCI SSID but are distinguished via
+HDA_CODEC_QUIRK.
+
+Link: https://github.com/nomad4tech/lenovo-yoga-pro-7-linux
+Tested-by: Alexander Savenko <alex.sav4387@gmail.com>
+Signed-off-by: Alexander Savenko <alex.sav4387@gmail.com>
+Link: https://patch.msgid.link/20260331082929.44890-1-alex.sav4387@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 04e10da997b53..b73c2741f8ae7 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11524,6 +11524,10 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x3834, "Lenovo IdeaPad Slim 9i 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS),
+ SND_PCI_QUIRK(0x17aa, 0x383d, "Legion Y9000X 2019", ALC285_FIXUP_LEGION_Y9000X_SPEAKERS),
+ SND_PCI_QUIRK(0x17aa, 0x3843, "Lenovo Yoga 9i / Yoga Book 9i", ALC287_FIXUP_LENOVO_YOGA_BOOK_9I),
++ /* Yoga Pro 7 14IMH9 shares PCI SSID 17aa:3847 with Legion 7 16ACHG6;
++ * use codec SSID to distinguish them
++ */
++ HDA_CODEC_QUIRK(0x17aa, 0x38cf, "Lenovo Yoga Pro 7 14IMH9", ALC287_FIXUP_YOGA9_14IMH9_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3847, "Legion 7 16ACHG6", ALC287_FIXUP_LEGION_16ACHG6),
+ SND_PCI_QUIRK(0x17aa, 0x384a, "Lenovo Yoga 7 15ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS),
+ SND_PCI_QUIRK(0x17aa, 0x3852, "Lenovo Yoga 7 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS),
+--
+2.53.0
+
--- /dev/null
+From 6b358c6c1a89f075ed34024e5f9bb2baef4714b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2026 09:26:51 +0800
+Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10
+
+From: songxiebing <songxiebing@kylinos.cn>
+
+[ Upstream commit f0541edb2e7333f320642c7b491a67912c1f65db ]
+
+The bass speakers are not working, and add the following entry
+in /etc/modprobe.d/snd.conf:
+options snd-sof-intel-hda-generic hda_model=alc287-yoga9-bass-spk-pin
+Fixes the bass speakers.
+
+So add the quick ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN here.
+
+Reported-by: Fernando Garcia Corona <fgarcor@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221317
+Signed-off-by: songxiebing <songxiebing@kylinos.cn>
+Link: https://patch.msgid.link/20260405012651.133838-1-songxiebing@kylinos.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index b73c2741f8ae7..4cab9696fdab0 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11587,6 +11587,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x38fd, "ThinkBook plus Gen5 Hybrid", ALC287_FIXUP_TAS2781_I2C),
+ SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x17aa, 0x390d, "Lenovo Yoga Pro 7 14ASP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
++ SND_PCI_QUIRK(0x17aa, 0x3911, "Lenovo Yoga Pro 7 14IAH10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3913, "Lenovo 145", ALC236_FIXUP_LENOVO_INV_DMIC),
+ SND_PCI_QUIRK(0x17aa, 0x391f, "Yoga S990-16 pro Quad YC Quad", ALC287_FIXUP_TAS2781_I2C),
+ SND_PCI_QUIRK(0x17aa, 0x3920, "Yoga S990-16 pro Quad VECO Quad", ALC287_FIXUP_TAS2781_I2C),
+--
+2.53.0
+
--- /dev/null
+From dbee0af6d8e358aeec021a64130630242403240d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 18:22:20 +0200
+Subject: ALSA: hda/realtek: Add quirk for Samsung Book2 Pro 360 (NP950QED)
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit ea31be8a2c8c99eac198f3b7f2dc770111f2b182 ]
+
+There is another Book2 Pro model (NP950QED) that seems equipped with
+the same speaker module as the non-360 model, which requires
+ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS quirk.
+
+Reported-by: Throw <zakkabj@gmail.com>
+Link: https://patch.msgid.link/20260330162249.147665-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 2a32e1ead5e86..04e10da997b53 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11335,6 +11335,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP),
++ SND_PCI_QUIRK(0x144d, 0xc1ac, "Samsung Galaxy Book2 Pro 360 (NP950QED)", ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS),
+ SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc1a4, "Samsung Galaxy Book Pro 360 (NT935QBD)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc1a6, "Samsung Galaxy Book Pro 360 (NP930QBD)", ALC298_FIXUP_SAMSUNG_AMP),
+--
+2.53.0
+
--- /dev/null
+From 8519c8a9b1fbdef3be0d7cccebbb41dad5cbef9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Mar 2026 08:07:34 +0000
+Subject: ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex
+
+From: Phil Willoughby <willerz@gmail.com>
+
+[ Upstream commit bc5b4e5ae1a67700a618328217b6a3bd0f296e97 ]
+
+The NeuralDSP Quad Cortex does not support DSD playback. We need
+this product-specific entry with zero quirks because otherwise it
+falls through to the vendor-specific entry which marks it as
+supporting DSD playback.
+
+Cc: Yue Wang <yuleopen@gmail.com>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Signed-off-by: Phil Willoughby <willerz@gmail.com>
+Link: https://patch.msgid.link/20260328080921.3310-1-willerz@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 5c3a97ea46e04..fb81dcd6ca2ac 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -2285,6 +2285,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
+ QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB),
+ DEVICE_FLG(0x13e5, 0x0001, /* Serato Phono */
+ QUIRK_FLAG_IGNORE_CTL_ERROR),
++ DEVICE_FLG(0x152a, 0x880a, /* NeuralDSP Quad Cortex */
++ 0), /* Doesn't have the vendor quirk which would otherwise apply */
+ DEVICE_FLG(0x154e, 0x1002, /* Denon DCD-1500RE */
+ QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY),
+ DEVICE_FLG(0x154e, 0x1003, /* Denon DA-300USB */
+--
+2.53.0
+
--- /dev/null
+From 2ff8c8e667a15b7ae3d6eea1f616099f92472a2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jan 2026 00:28:28 +0100
+Subject: arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency
+
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+
+[ Upstream commit 1f99b5d93d99ca17d50b386a674d0ce1f20932d8 ]
+
+According to i.MX 8M Quad Reference Manual, GPU_AHB_CLK_ROOT's maximum
+frequency is 400MHz.
+
+Fixes: 45d2c84eb3a2 ("arm64: dts: imx8mq: add GPU node")
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+index e03186bbc4152..c4395de0df762 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+@@ -1636,7 +1636,7 @@ gpu: gpu@38000000 {
+ <&clk IMX8MQ_GPU_PLL_OUT>,
+ <&clk IMX8MQ_GPU_PLL>;
+ assigned-clock-rates = <800000000>, <800000000>,
+- <800000000>, <800000000>, <0>;
++ <800000000>, <400000000>, <0>;
+ power-domains = <&pgc_gpu>;
+ };
+
+--
+2.53.0
+
--- /dev/null
+From a60666dea5bb69d4fcdd2218aab05620606dd0d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Feb 2026 19:23:08 +0800
+Subject: arm64: dts: imx93-9x9-qsb: change usdhc tuning step for eMMC and SD
+
+From: Luke Wang <ziniu.wang_1@nxp.com>
+
+[ Upstream commit 08903184553def7ba1ad6ba4fa8afe1ba2ee0a21 ]
+
+During system resume, the following errors occurred:
+
+ [ 430.638625] mmc1: error -84 writing Cache Enable bit
+ [ 430.643618] mmc1: error -84 doing runtime resume
+
+For eMMC and SD, there are two tuning pass windows and the gap between
+those two windows may only have one cell. If tuning step > 1, the gap may
+just be skipped and host assumes those two windows as a continuous
+windows. This will cause a wrong delay cell near the gap to be selected.
+
+Set the tuning step to 1 to avoid selecting the wrong delay cell.
+
+For SDIO, the gap is sufficiently large, so the default tuning step does
+not cause this issue.
+
+Fixes: 0565d20cd8c2 ("arm64: dts: freescale: Support i.MX93 9x9 Quick Start Board")
+Signed-off-by: Luke Wang <ziniu.wang_1@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts b/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts
+index f8a73612fa051..8856835834a04 100644
+--- a/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts
++++ b/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts
+@@ -311,6 +311,7 @@ &usdhc1 {
+ pinctrl-2 = <&pinctrl_usdhc1_200mhz>;
+ bus-width = <8>;
+ non-removable;
++ fsl,tuning-step = <1>;
+ status = "okay";
+ };
+
+@@ -323,6 +324,7 @@ &usdhc2 {
+ vmmc-supply = <®_usdhc2_vmmc>;
+ bus-width = <4>;
+ no-mmc;
++ fsl,tuning-step = <1>;
+ status = "okay";
+ };
+
+--
+2.53.0
+
--- /dev/null
+From b221bcfd91dc2c03cf34bc07eabf2d1a60c46df2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Feb 2026 16:50:14 +0100
+Subject: arm64: dts: imx93-tqma9352: improve eMMC pad configuration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Markus Niebel <Markus.Niebel@ew.tq-group.com>
+
+[ Upstream commit b6c94c71f349479b76fcc0ef0dc7147f3f326dff ]
+
+Use DSE x4 an PullUp for CMD an DAT, DSE x4 and PullDown for CLK to improve
+stability and detection at low temperatures under -25°C.
+
+Fixes: 0b5fdfaa8e45 ("arm64: dts: freescale: imx93-tqma9352: set SION for cmd and data pad of USDHC")
+Signed-off-by: Markus Niebel <Markus.Niebel@ew.tq-group.com>
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/freescale/imx93-tqma9352.dtsi | 26 +++++++++----------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi
+index 09385b058664c..f189685370cc8 100644
+--- a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi
+@@ -273,21 +273,21 @@ MX93_PAD_SD2_RESET_B__GPIO3_IO07 0x106
+ /* enable SION for data and cmd pad due to ERR052021 */
+ pinctrl_usdhc1: usdhc1grp {
+ fsl,pins = <
+- /* PD | FSEL 3 | DSE X5 */
+- MX93_PAD_SD1_CLK__USDHC1_CLK 0x5be
++ /* PD | FSEL 3 | DSE X4 */
++ MX93_PAD_SD1_CLK__USDHC1_CLK 0x59e
+ /* HYS | FSEL 0 | no drive */
+ MX93_PAD_SD1_STROBE__USDHC1_STROBE 0x1000
+- /* HYS | FSEL 3 | X5 */
+- MX93_PAD_SD1_CMD__USDHC1_CMD 0x400011be
+- /* HYS | FSEL 3 | X4 */
+- MX93_PAD_SD1_DATA0__USDHC1_DATA0 0x4000119e
+- MX93_PAD_SD1_DATA1__USDHC1_DATA1 0x4000119e
+- MX93_PAD_SD1_DATA2__USDHC1_DATA2 0x4000119e
+- MX93_PAD_SD1_DATA3__USDHC1_DATA3 0x4000119e
+- MX93_PAD_SD1_DATA4__USDHC1_DATA4 0x4000119e
+- MX93_PAD_SD1_DATA5__USDHC1_DATA5 0x4000119e
+- MX93_PAD_SD1_DATA6__USDHC1_DATA6 0x4000119e
+- MX93_PAD_SD1_DATA7__USDHC1_DATA7 0x4000119e
++ /* HYS | PU | FSEL 3 | DSE X4 */
++ MX93_PAD_SD1_CMD__USDHC1_CMD 0x4000139e
++ /* HYS | PU | FSEL 3 | DSE X4 */
++ MX93_PAD_SD1_DATA0__USDHC1_DATA0 0x4000139e
++ MX93_PAD_SD1_DATA1__USDHC1_DATA1 0x4000139e
++ MX93_PAD_SD1_DATA2__USDHC1_DATA2 0x4000139e
++ MX93_PAD_SD1_DATA3__USDHC1_DATA3 0x4000139e
++ MX93_PAD_SD1_DATA4__USDHC1_DATA4 0x4000139e
++ MX93_PAD_SD1_DATA5__USDHC1_DATA5 0x4000139e
++ MX93_PAD_SD1_DATA6__USDHC1_DATA6 0x4000139e
++ MX93_PAD_SD1_DATA7__USDHC1_DATA7 0x4000139e
+ >;
+ };
+
+--
+2.53.0
+
--- /dev/null
+From c134611700e7b77a5cff6cc0e5f800308f12bddf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Feb 2026 20:44:58 +0800
+Subject: arm64: dts: qcom: hamoa/x1: fix idle exit latency
+
+From: Daniel J Blueman <daniel@quora.org>
+
+[ Upstream commit 3ecea84d2b90bbf934d5ca75514fa902fd71e03f ]
+
+Designs based on the Qualcomm X1 Hamoa reference platform report:
+driver: Idle state 1 target residency too low
+
+This is because the declared X1 idle entry plus exit latency of 680us
+exceeds the declared minimum 600us residency time:
+ entry-latency-us = <180>;
+ exit-latency-us = <500>;
+ min-residency-us = <600>;
+
+Fix this to be 320us so the sum of the entry and exit latencies matches
+the downstream 500us exit latency, as directed by Maulik.
+
+Tested on a Lenovo Yoga Slim 7x with Qualcomm X1E-80-100.
+
+Fixes: 2e65616ef07f ("arm64: dts: qcom: x1e80100: Update C4/C5 residency/exit numbers")
+Signed-off-by: Daniel J Blueman <daniel@quora.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20260220124626.8611-1-daniel@quora.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/x1e80100.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/x1e80100.dtsi b/arch/arm64/boot/dts/qcom/x1e80100.dtsi
+index 6eef89ccdd121..8843dac449000 100644
+--- a/arch/arm64/boot/dts/qcom/x1e80100.dtsi
++++ b/arch/arm64/boot/dts/qcom/x1e80100.dtsi
+@@ -280,7 +280,7 @@ CLUSTER_C4: cpu-sleep-0 {
+ idle-state-name = "ret";
+ arm,psci-suspend-param = <0x00000004>;
+ entry-latency-us = <180>;
+- exit-latency-us = <500>;
++ exit-latency-us = <320>;
+ min-residency-us = <600>;
+ };
+ };
+--
+2.53.0
+
--- /dev/null
+From 8fa8c62ccb1eb7ffc3e7244cf6500046329472f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 02:43:48 +0100
+Subject: ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gilson Marquato Júnior <gilsonmandalogo@hotmail.com>
+
+[ Upstream commit 8ec017cf31299c4b6287ebe27afe81c986aeef88 ]
+
+The HP Laptop 15-fc0xxx (subsystem ID 0x103c8dc9) has an internal
+DMIC connected to the AMD ACP6x audio coprocessor. Add a DMI quirk
+entry so the internal microphone is properly detected on this model.
+
+Tested on HP Laptop 15-fc0237ns with Fedora 43 (kernel 6.19.9).
+
+Signed-off-by: Gilson Marquato Júnior <gilsonmandalogo@hotmail.com>
+Link: https://patch.msgid.link/20260330-hp-15-fc0xxx-dmic-v2-v1-1-6dd6f53a1917@hotmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index 2414c1bba0789..6e41d14e5f3af 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -45,6 +45,13 @@ static struct snd_soc_card acp6x_card = {
+ };
+
+ static const struct dmi_system_id yc_acp_quirk_table[] = {
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Laptop 15-fc0xxx"),
++ }
++ },
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+--
+2.53.0
+
--- /dev/null
+From 0c15e43ff97cde54d83aff19cf33a28dd1e99c6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 21:25:12 +0700
+Subject: ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA
+
+From: Vee Satayamas <vsatayamas@gmail.com>
+
+[ Upstream commit f200b2f9a810c440c6750b56fc647b73337749a1 ]
+
+Add a DMI quirk for the Asus Expertbook BM1403CDA to resolve the issue of the
+internal microphone not being detected.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=221236
+Signed-off-by: Vee Satayamas <vsatayamas@gmail.com>
+Reviewed-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260315142511.66029-2-vsatayamas@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index 51a0de248497e..b8a957602b0a0 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -710,6 +710,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "PM1503CDA"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"),
++ }
++ },
+ {}
+ };
+
+--
+2.53.0
+
--- /dev/null
+From c631d36b8efd23785a96a40112de404f951432cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 16:02:18 +0800
+Subject: ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF
+
+From: Zhang Heng <zhangheng@kylinos.cn>
+
+[ Upstream commit 1f182ec9d7084db7dfdb2372d453c28f0e5c3f0a ]
+
+Add a DMI quirk for the Thin A15 B7VF fixing the issue where
+the internal microphone was not detected.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=220833
+Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260316080218.2931304-1-zhangheng@kylinos.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index b8a957602b0a0..2414c1bba0789 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -717,6 +717,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Thin A15 B7VE"),
++ }
++ },
+ {}
+ };
+
+--
+2.53.0
+
--- /dev/null
+From 5f383d949ecafe059603b7fe61d531fe66374cbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 02:43:54 +0000
+Subject: ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit b9eff9732cb0f86a68c9d1592a98ceab47c01e95 ]
+
+Component has "card_aux_list" which is added/deled in bind/unbind aux dev
+function (A), and used in for_each_card_auxs() loop (B).
+
+ static void soc_unbind_aux_dev(...)
+ {
+ ...
+ for_each_card_auxs_safe(...) {
+ ...
+(A) list_del(&component->card_aux_list);
+ } ^^^^^^^^^^^^^
+ }
+
+ static int soc_bind_aux_dev(...)
+ {
+ ...
+ for_each_card_pre_auxs(...) {
+ ...
+(A) list_add(&component->card_aux_list, ...);
+ } ^^^^^^^^^^^^^
+ ...
+ }
+
+ #define for_each_card_auxs(card, component) \
+(B) list_for_each_entry(component, ..., card_aux_list)
+ ^^^^^^^^^^^^^
+
+But it has been used without calling INIT_LIST_HEAD().
+
+ > git grep card_aux_list sound/soc
+ sound/soc/soc-core.c: list_del(&component->card_aux_list);
+ sound/soc/soc-core.c: list_add(&component->card_aux_list, ...);
+
+call missing INIT_LIST_HEAD() for it.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://patch.msgid.link/87341mxa8l.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index a1e3829914268..5097b287b889a 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -2801,6 +2801,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component,
+ INIT_LIST_HEAD(&component->dobj_list);
+ INIT_LIST_HEAD(&component->card_list);
+ INIT_LIST_HEAD(&component->list);
++ INIT_LIST_HEAD(&component->card_aux_list);
+ mutex_init(&component->io_mutex);
+
+ if (!component->name) {
+--
+2.53.0
+
--- /dev/null
+From 5835b0fa06b12ceff761d94e3ae02e71eab9b9d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 21:45:26 -0300
+Subject: ASoC: SOF: topology: reject invalid vendor array size in token parser
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+[ Upstream commit 215e5fe75881a7e2425df04aeeed47a903d5cd5d ]
+
+sof_parse_token_sets() accepts array->size values that can be invalid
+for a vendor tuple array header. In particular, a zero size does not
+advance the parser state and can lead to non-progress parsing on
+malformed topology data.
+
+Validate array->size against the minimum header size and reject values
+smaller than sizeof(*array) before parsing. This preserves behavior for
+valid topologies and hardens malformed-input handling.
+
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
+index 0104257df930e..cdf8e56fd8a02 100644
+--- a/sound/soc/sof/topology.c
++++ b/sound/soc/sof/topology.c
+@@ -724,7 +724,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
+ asize = le32_to_cpu(array->size);
+
+ /* validate asize */
+- if (asize < 0) { /* FIXME: A zero-size array makes no sense */
++ if (asize < sizeof(*array)) {
+ dev_err(scomp->dev, "error: invalid array size 0x%x\n",
+ asize);
+ return -EINVAL;
+--
+2.53.0
+
--- /dev/null
+From 51decec6f6ea528bdd4bce47b0f1f942db84514e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2026 10:40:56 +0200
+Subject: ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
+
+From: Tomasz Merta <tomasz.merta@arrow.com>
+
+[ Upstream commit 0669631dbccd41cf3ca7aa70213fcd8bb41c4b38 ]
+
+The STM32 SAI driver do not set the clock strobing bit (CKSTR) for DSP_A,
+DSP_B and LEFT_J formats, causing data to be sampled on the wrong BCLK
+edge when SND_SOC_DAIFMT_NB_NF is used.
+
+Per ALSA convention, NB_NF requires sampling on the rising BCLK edge.
+The STM32MP25 SAI reference manual states that CKSTR=1 is required for
+signals received by the SAI to be sampled on the SCK rising edge.
+Without setting CKSTR=1, the SAI samples on the falling edge, violating
+the NB_NF convention. For comparison, the NXP FSL SAI driver correctly
+sets FSL_SAI_CR2_BCP for DSP_A, DSP_B and LEFT_J, consistent with its
+I2S handling.
+
+This patch adds SAI_XCR1_CKSTR for DSP_A, DSP_B and LEFT_J in
+stm32_sai_set_dai_fmt which was verified empirically with a cs47l35 codec.
+RIGHT_J (LSB) is not investigated and addressed by this patch.
+
+Note: the STM32 I2S driver (stm32_i2s_set_dai_fmt) may have the same issue
+for DSP_A mode, as I2S_CGFR_CKPOL is not set. This has not been verified
+and is left for a separate investigation.
+
+Signed-off-by: Tomasz Merta <tommerta@gmail.com>
+Link: https://patch.msgid.link/20260408084056.20588-1-tommerta@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/stm/stm32_sai_sub.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c
+index fb1bd9844b550..f4f751b19429a 100644
+--- a/sound/soc/stm/stm32_sai_sub.c
++++ b/sound/soc/stm/stm32_sai_sub.c
+@@ -677,6 +677,7 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt)
+ break;
+ /* Left justified */
+ case SND_SOC_DAIFMT_MSB:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF;
+ break;
+ /* Right justified */
+@@ -684,9 +685,11 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt)
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF;
+ break;
+ case SND_SOC_DAIFMT_DSP_A:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSOFF;
+ break;
+ case SND_SOC_DAIFMT_DSP_B:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL;
+ break;
+ default:
+--
+2.53.0
+
--- /dev/null
+From 6eb9b059d50050beda1c0898e097d1a9becebb64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 15:23:35 -0700
+Subject: ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585
+
+From: Arthur Husband <artmoty@gmail.com>
+
+[ Upstream commit 105c42566a550e2d05fc14f763216a8765ee5d0e ]
+
+The JMicron JMB585 (and JMB582) SATA controllers advertise 64-bit DMA
+support via the S64A bit in the AHCI CAP register, but their 64-bit DMA
+implementation is defective. Under sustained I/O, DMA transfers targeting
+addresses above 4GB silently corrupt data -- writes land at incorrect
+memory addresses with no errors logged.
+
+The failure pattern is similar to the ASMedia ASM1061
+(commit 20730e9b2778 ("ahci: add 43-bit DMA address quirk for ASMedia
+ASM1061 controllers")), which also falsely advertised full 64-bit DMA
+support. However, the JMB585 requires a stricter 32-bit DMA mask rather
+than 43-bit, as corruption occurs with any address above 4GB.
+
+On the Minisforum N5 Pro specifically, the combination of the JMB585's
+broken 64-bit DMA with the AMD Family 1Ah (Strix Point) IOMMU causes
+silent data corruption that is only detectable via checksumming
+filesystems (BTRFS/ZFS scrub). The corruption occurs when 32-bit IOVA
+space is exhausted and the kernel transparently switches to 64-bit DMA
+addresses.
+
+Add device-specific PCI ID entries for the JMB582 (0x0582) and JMB585
+(0x0585) before the generic JMicron class match, using a new board type
+that combines AHCI_HFLAG_IGN_IRQ_IF_ERR (preserving existing behavior)
+with AHCI_HFLAG_32BIT_ONLY to force 32-bit DMA masks.
+
+Signed-off-by: Arthur Husband <artmoty@gmail.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/ahci.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index e78b97fe81708..57a7a2b68aaab 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -68,6 +68,7 @@ enum board_ids {
+ /* board IDs for specific chipsets in alphabetical order */
+ board_ahci_al,
+ board_ahci_avn,
++ board_ahci_jmb585,
+ board_ahci_mcp65,
+ board_ahci_mcp77,
+ board_ahci_mcp89,
+@@ -212,6 +213,15 @@ static const struct ata_port_info ahci_port_info[] = {
+ .udma_mask = ATA_UDMA6,
+ .port_ops = &ahci_avn_ops,
+ },
++ /* JMicron JMB582/585: 64-bit DMA is broken, force 32-bit */
++ [board_ahci_jmb585] = {
++ AHCI_HFLAGS (AHCI_HFLAG_IGN_IRQ_IF_ERR |
++ AHCI_HFLAG_32BIT_ONLY),
++ .flags = AHCI_FLAG_COMMON,
++ .pio_mask = ATA_PIO4,
++ .udma_mask = ATA_UDMA6,
++ .port_ops = &ahci_ops,
++ },
+ [board_ahci_mcp65] = {
+ AHCI_HFLAGS (AHCI_HFLAG_NO_FPDMA_AA | AHCI_HFLAG_NO_PMP |
+ AHCI_HFLAG_YES_NCQ),
+@@ -439,6 +449,10 @@ static const struct pci_device_id ahci_pci_tbl[] = {
+ /* Elkhart Lake IDs 0x4b60 & 0x4b62 https://sata-io.org/product/8803 not tested yet */
+ { PCI_VDEVICE(INTEL, 0x4b63), board_ahci_pcs_quirk }, /* Elkhart Lake AHCI */
+
++ /* JMicron JMB582/585: force 32-bit DMA (broken 64-bit implementation) */
++ { PCI_VDEVICE(JMICRON, 0x0582), board_ahci_jmb585 },
++ { PCI_VDEVICE(JMICRON, 0x0585), board_ahci_jmb585 },
++
+ /* JMicron 360/1/3/5/6, match class to avoid IDE function */
+ { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
+ PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci_ign_iferr },
+--
+2.53.0
+
--- /dev/null
+From ef04a0123f943287ac4aa597386e0c756b7db05a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 20:07:26 +0800
+Subject: Bluetooth: hci_sync: annotate data-races around hdev->req_status
+
+From: Cen Zhang <zzzccc427@gmail.com>
+
+[ Upstream commit b6807cfc195ef99e1ac37b2e1e60df40295daa8c ]
+
+__hci_cmd_sync_sk() sets hdev->req_status under hdev->req_lock:
+
+ hdev->req_status = HCI_REQ_PEND;
+
+However, several other functions read or write hdev->req_status without
+holding any lock:
+
+ - hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue)
+ - hci_cmd_sync_complete() reads/writes from HCI event completion
+ - hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write
+ - hci_abort_conn() reads in connection abort path
+
+Since __hci_cmd_sync_sk() runs on hdev->req_workqueue while
+hci_send_cmd_sync() runs on hdev->workqueue, these are different
+workqueues that can execute concurrently on different CPUs. The plain
+C accesses constitute a data race.
+
+Add READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses
+to hdev->req_status to prevent potential compiler optimizations that
+could affect correctness (e.g., load fusing in the wait_event
+condition or store reordering).
+
+Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_conn.c | 2 +-
+ net/bluetooth/hci_core.c | 2 +-
+ net/bluetooth/hci_sync.c | 20 ++++++++++----------
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index b36fa056e8796..bf1c39be05211 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -2887,7 +2887,7 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason)
+ * hci_connect_le serializes the connection attempts so only one
+ * connection can be in BT_CONNECT at time.
+ */
+- if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
++ if (conn->state == BT_CONNECT && READ_ONCE(hdev->req_status) == HCI_REQ_PEND) {
+ switch (hci_skb_event(hdev->sent_cmd)) {
+ case HCI_EV_CONN_COMPLETE:
+ case HCI_EV_LE_CONN_COMPLETE:
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index ba01d0fa07193..677f51edb2775 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -4103,7 +4103,7 @@ static int hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
+ kfree_skb(skb);
+ }
+
+- if (hdev->req_status == HCI_REQ_PEND &&
++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND &&
+ !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) {
+ kfree_skb(hdev->req_skb);
+ hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 7339c36d58582..fbcb3bbfef4fd 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -25,11 +25,11 @@ static void hci_cmd_sync_complete(struct hci_dev *hdev, u8 result, u16 opcode,
+ {
+ bt_dev_dbg(hdev, "result 0x%2.2x", result);
+
+- if (hdev->req_status != HCI_REQ_PEND)
++ if (READ_ONCE(hdev->req_status) != HCI_REQ_PEND)
+ return;
+
+ hdev->req_result = result;
+- hdev->req_status = HCI_REQ_DONE;
++ WRITE_ONCE(hdev->req_status, HCI_REQ_DONE);
+
+ /* Free the request command so it is not used as response */
+ kfree_skb(hdev->req_skb);
+@@ -167,20 +167,20 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
+
+ hci_cmd_sync_add(&req, opcode, plen, param, event, sk);
+
+- hdev->req_status = HCI_REQ_PEND;
++ WRITE_ONCE(hdev->req_status, HCI_REQ_PEND);
+
+ err = hci_req_sync_run(&req);
+ if (err < 0)
+ return ERR_PTR(err);
+
+ err = wait_event_interruptible_timeout(hdev->req_wait_q,
+- hdev->req_status != HCI_REQ_PEND,
++ READ_ONCE(hdev->req_status) != HCI_REQ_PEND,
+ timeout);
+
+ if (err == -ERESTARTSYS)
+ return ERR_PTR(-EINTR);
+
+- switch (hdev->req_status) {
++ switch (READ_ONCE(hdev->req_status)) {
+ case HCI_REQ_DONE:
+ err = -bt_to_errno(hdev->req_result);
+ break;
+@@ -194,7 +194,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
+ break;
+ }
+
+- hdev->req_status = 0;
++ WRITE_ONCE(hdev->req_status, 0);
+ hdev->req_result = 0;
+ skb = hdev->req_rsp;
+ hdev->req_rsp = NULL;
+@@ -665,9 +665,9 @@ void hci_cmd_sync_cancel(struct hci_dev *hdev, int err)
+ {
+ bt_dev_dbg(hdev, "err 0x%2.2x", err);
+
+- if (hdev->req_status == HCI_REQ_PEND) {
++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND) {
+ hdev->req_result = err;
+- hdev->req_status = HCI_REQ_CANCELED;
++ WRITE_ONCE(hdev->req_status, HCI_REQ_CANCELED);
+
+ queue_work(hdev->workqueue, &hdev->cmd_sync_cancel_work);
+ }
+@@ -683,12 +683,12 @@ void hci_cmd_sync_cancel_sync(struct hci_dev *hdev, int err)
+ {
+ bt_dev_dbg(hdev, "err 0x%2.2x", err);
+
+- if (hdev->req_status == HCI_REQ_PEND) {
++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND) {
+ /* req_result is __u32 so error must be positive to be properly
+ * propagated.
+ */
+ hdev->req_result = err < 0 ? -err : err;
+- hdev->req_status = HCI_REQ_CANCELED;
++ WRITE_ONCE(hdev->req_status, HCI_REQ_CANCELED);
+
+ wake_up_interruptible(&hdev->req_wait_q);
+ }
+--
+2.53.0
+
--- /dev/null
+From f8eb9a3649e18c7242a8636fc407a88be0425f6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 14:11:39 -0400
+Subject: btrfs: tracepoints: get correct superblock from dentry in event
+ btrfs_sync_file()
+
+From: Goldwyn Rodrigues <rgoldwyn@suse.de>
+
+[ Upstream commit a85b46db143fda5869e7d8df8f258ccef5fa1719 ]
+
+If overlay is used on top of btrfs, dentry->d_sb translates to overlay's
+super block and fsid assignment will lead to a crash.
+
+Use file_inode(file)->i_sb to always get btrfs_sb.
+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/btrfs.h | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h
+index 0ca86909ce5bd..b964cba4169c2 100644
+--- a/include/trace/events/btrfs.h
++++ b/include/trace/events/btrfs.h
+@@ -771,12 +771,15 @@ TRACE_EVENT(btrfs_sync_file,
+ ),
+
+ TP_fast_assign(
+- const struct dentry *dentry = file->f_path.dentry;
+- const struct inode *inode = d_inode(dentry);
++ struct dentry *dentry = file_dentry(file);
++ struct inode *inode = file_inode(file);
++ struct dentry *parent = dget_parent(dentry);
++ struct inode *parent_inode = d_inode(parent);
+
+- TP_fast_assign_fsid(btrfs_sb(file->f_path.dentry->d_sb));
++ dput(parent);
++ TP_fast_assign_fsid(btrfs_sb(inode->i_sb));
+ __entry->ino = btrfs_ino(BTRFS_I(inode));
+- __entry->parent = btrfs_ino(BTRFS_I(d_inode(dentry->d_parent)));
++ __entry->parent = btrfs_ino(BTRFS_I(parent_inode));
+ __entry->datasync = datasync;
+ __entry->root_objectid = btrfs_root_id(BTRFS_I(inode)->root);
+ ),
+--
+2.53.0
+
--- /dev/null
+From 3ac2cee7766bf2786d7a8968fa50ef93591775c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 00:00:22 +0800
+Subject: can: mcp251x: add error handling for power enable in open and resume
+
+From: Wenyuan Li <2063309626@qq.com>
+
+[ Upstream commit 7a57354756c7df223abe2c33774235ad70cb4231 ]
+
+Add missing error handling for mcp251x_power_enable() calls in both
+mcp251x_open() and mcp251x_can_resume() functions.
+
+In mcp251x_open(), if power enable fails, jump to error path to close
+candev without attempting to disable power again.
+
+In mcp251x_can_resume(), properly check return values of power enable calls
+for both power and transceiver regulators. If any fails, return the error
+code to the PM framework and log the failure.
+
+This ensures the driver properly handles power control failures and
+maintains correct device state.
+
+Signed-off-by: Wenyuan Li <2063309626@qq.com>
+Link: https://patch.msgid.link/tencent_F3EFC5D7738AC548857B91657715E2D3AA06@qq.com
+[mkl: fix patch description]
+[mkl: mcp251x_can_resume(): replace goto by return]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/spi/mcp251x.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
+index 74906aa98be3e..b241953d2ef61 100644
+--- a/drivers/net/can/spi/mcp251x.c
++++ b/drivers/net/can/spi/mcp251x.c
+@@ -1212,7 +1212,11 @@ static int mcp251x_open(struct net_device *net)
+ }
+
+ mutex_lock(&priv->mcp_lock);
+- mcp251x_power_enable(priv->transceiver, 1);
++ ret = mcp251x_power_enable(priv->transceiver, 1);
++ if (ret) {
++ dev_err(&spi->dev, "failed to enable transceiver power: %pe\n", ERR_PTR(ret));
++ goto out_close_candev;
++ }
+
+ priv->force_quit = 0;
+ priv->tx_skb = NULL;
+@@ -1259,6 +1263,7 @@ static int mcp251x_open(struct net_device *net)
+ mcp251x_hw_sleep(spi);
+ out_close:
+ mcp251x_power_enable(priv->transceiver, 0);
++out_close_candev:
+ close_candev(net);
+ mutex_unlock(&priv->mcp_lock);
+ if (release_irq)
+@@ -1494,11 +1499,25 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev)
+ {
+ struct spi_device *spi = to_spi_device(dev);
+ struct mcp251x_priv *priv = spi_get_drvdata(spi);
++ int ret = 0;
+
+- if (priv->after_suspend & AFTER_SUSPEND_POWER)
+- mcp251x_power_enable(priv->power, 1);
+- if (priv->after_suspend & AFTER_SUSPEND_UP)
+- mcp251x_power_enable(priv->transceiver, 1);
++ if (priv->after_suspend & AFTER_SUSPEND_POWER) {
++ ret = mcp251x_power_enable(priv->power, 1);
++ if (ret) {
++ dev_err(dev, "failed to restore power: %pe\n", ERR_PTR(ret));
++ return ret;
++ }
++ }
++
++ if (priv->after_suspend & AFTER_SUSPEND_UP) {
++ ret = mcp251x_power_enable(priv->transceiver, 1);
++ if (ret) {
++ dev_err(dev, "failed to restore transceiver power: %pe\n", ERR_PTR(ret));
++ if (priv->after_suspend & AFTER_SUSPEND_POWER)
++ mcp251x_power_enable(priv->power, 0);
++ return ret;
++ }
++ }
+
+ if (priv->after_suspend & (AFTER_SUSPEND_POWER | AFTER_SUSPEND_UP))
+ queue_work(priv->wq, &priv->restart_work);
+--
+2.53.0
+
--- /dev/null
+From f0aa641eb7fe25dd725ef6835dde2dd178fc55e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 10:54:17 +0200
+Subject: clockevents: Prevent timer interrupt starvation
+
+From: Thomas Gleixner <tglx@kernel.org>
+
+[ Upstream commit d6e152d905bdb1f32f9d99775e2f453350399a6a ]
+
+Calvin reported an odd NMI watchdog lockup which claims that the CPU locked
+up in user space. He provided a reproducer, which sets up a timerfd based
+timer and then rearms it in a loop with an absolute expiry time of 1ns.
+
+As the expiry time is in the past, the timer ends up as the first expiring
+timer in the per CPU hrtimer base and the clockevent device is programmed
+with the minimum delta value. If the machine is fast enough, this ends up
+in a endless loop of programming the delta value to the minimum value
+defined by the clock event device, before the timer interrupt can fire,
+which starves the interrupt and consequently triggers the lockup detector
+because the hrtimer callback of the lockup mechanism is never invoked.
+
+As a first step to prevent this, avoid reprogramming the clock event device
+when:
+ - a forced minimum delta event is pending
+ - the new expiry delta is less then or equal to the minimum delta
+
+Thanks to Calvin for providing the reproducer and to Borislav for testing
+and providing data from his Zen5 machine.
+
+The problem is not limited to Zen5, but depending on the underlying
+clock event device (e.g. TSC deadline timer on Intel) and the CPU speed
+not necessarily observable.
+
+This change serves only as the last resort and further changes will be made
+to prevent this scenario earlier in the call chain as far as possible.
+
+[ tglx: Updated to restore the old behaviour vs. !force and delta <= 0 and
+ fixed up the tick-broadcast handlers as pointed out by Borislav ]
+
+Fixes: d316c57ff6bf ("[PATCH] clockevents: add core functionality")
+Reported-by: Calvin Owens <calvin@wbinvd.org>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Tested-by: Calvin Owens <calvin@wbinvd.org>
+Tested-by: Borislav Petkov <bp@alien8.de>
+Link: https://lore.kernel.org/lkml/acMe-QZUel-bBYUh@mozart.vkv.me/
+Link: https://patch.msgid.link/20260407083247.562657657@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/clockchips.h | 2 ++
+ kernel/time/clockevents.c | 27 +++++++++++++++++++--------
+ kernel/time/hrtimer.c | 1 +
+ kernel/time/tick-broadcast.c | 8 +++++++-
+ kernel/time/tick-common.c | 1 +
+ kernel/time/tick-sched.c | 1 +
+ 6 files changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/clockchips.h b/include/linux/clockchips.h
+index b0df28ddd394b..50cdc9da8d32a 100644
+--- a/include/linux/clockchips.h
++++ b/include/linux/clockchips.h
+@@ -80,6 +80,7 @@ enum clock_event_state {
+ * @shift: nanoseconds to cycles divisor (power of two)
+ * @state_use_accessors:current state of the device, assigned by the core code
+ * @features: features
++ * @next_event_forced: True if the last programming was a forced event
+ * @retries: number of forced programming retries
+ * @set_state_periodic: switch state to periodic
+ * @set_state_oneshot: switch state to oneshot
+@@ -108,6 +109,7 @@ struct clock_event_device {
+ u32 shift;
+ enum clock_event_state state_use_accessors;
+ unsigned int features;
++ unsigned int next_event_forced;
+ unsigned long retries;
+
+ int (*set_state_periodic)(struct clock_event_device *);
+diff --git a/kernel/time/clockevents.c b/kernel/time/clockevents.c
+index 78c7bd64d0ddf..6f4257e63bba8 100644
+--- a/kernel/time/clockevents.c
++++ b/kernel/time/clockevents.c
+@@ -172,6 +172,7 @@ void clockevents_shutdown(struct clock_event_device *dev)
+ {
+ clockevents_switch_state(dev, CLOCK_EVT_STATE_SHUTDOWN);
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+ }
+
+ /**
+@@ -305,7 +306,6 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires,
+ {
+ unsigned long long clc;
+ int64_t delta;
+- int rc;
+
+ if (WARN_ON_ONCE(expires < 0))
+ return -ETIME;
+@@ -324,16 +324,27 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires,
+ return dev->set_next_ktime(expires, dev);
+
+ delta = ktime_to_ns(ktime_sub(expires, ktime_get()));
+- if (delta <= 0)
+- return force ? clockevents_program_min_delta(dev) : -ETIME;
+
+- delta = min(delta, (int64_t) dev->max_delta_ns);
+- delta = max(delta, (int64_t) dev->min_delta_ns);
++ /* Required for tick_periodic() during early boot */
++ if (delta <= 0 && !force)
++ return -ETIME;
++
++ if (delta > (int64_t)dev->min_delta_ns) {
++ delta = min(delta, (int64_t) dev->max_delta_ns);
++ clc = ((unsigned long long) delta * dev->mult) >> dev->shift;
++ if (!dev->set_next_event((unsigned long) clc, dev))
++ return 0;
++ }
+
+- clc = ((unsigned long long) delta * dev->mult) >> dev->shift;
+- rc = dev->set_next_event((unsigned long) clc, dev);
++ if (dev->next_event_forced)
++ return 0;
+
+- return (rc && force) ? clockevents_program_min_delta(dev) : rc;
++ if (dev->set_next_event(dev->min_delta_ticks, dev)) {
++ if (!force || clockevents_program_min_delta(dev))
++ return -ETIME;
++ }
++ dev->next_event_forced = 1;
++ return 0;
+ }
+
+ /*
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 640d2ea4bd1fa..7c57fe7d20d9a 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1852,6 +1852,7 @@ void hrtimer_interrupt(struct clock_event_device *dev)
+ BUG_ON(!cpu_base->hres_active);
+ cpu_base->nr_events++;
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+
+ raw_spin_lock_irqsave(&cpu_base->lock, flags);
+ entry_time = now = hrtimer_update_base(cpu_base);
+diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c
+index ed58eebb4e8f4..99d2978ef9b98 100644
+--- a/kernel/time/tick-broadcast.c
++++ b/kernel/time/tick-broadcast.c
+@@ -76,8 +76,10 @@ const struct clock_event_device *tick_get_wakeup_device(int cpu)
+ */
+ static void tick_broadcast_start_periodic(struct clock_event_device *bc)
+ {
+- if (bc)
++ if (bc) {
++ bc->next_event_forced = 0;
+ tick_setup_periodic(bc, 1);
++ }
+ }
+
+ /*
+@@ -403,6 +405,7 @@ static void tick_handle_periodic_broadcast(struct clock_event_device *dev)
+ bool bc_local;
+
+ raw_spin_lock(&tick_broadcast_lock);
++ tick_broadcast_device.evtdev->next_event_forced = 0;
+
+ /* Handle spurious interrupts gracefully */
+ if (clockevent_state_shutdown(tick_broadcast_device.evtdev)) {
+@@ -696,6 +699,7 @@ static void tick_handle_oneshot_broadcast(struct clock_event_device *dev)
+
+ raw_spin_lock(&tick_broadcast_lock);
+ dev->next_event = KTIME_MAX;
++ tick_broadcast_device.evtdev->next_event_forced = 0;
+ next_event = KTIME_MAX;
+ cpumask_clear(tmpmask);
+ now = ktime_get();
+@@ -1061,6 +1065,7 @@ static void tick_broadcast_setup_oneshot(struct clock_event_device *bc,
+
+
+ bc->event_handler = tick_handle_oneshot_broadcast;
++ bc->next_event_forced = 0;
+ bc->next_event = KTIME_MAX;
+
+ /*
+@@ -1173,6 +1178,7 @@ void hotplug_cpu__broadcast_tick_pull(int deadcpu)
+ }
+
+ /* This moves the broadcast assignment to this CPU: */
++ bc->next_event_forced = 0;
+ clockevents_program_event(bc, bc->next_event, 1);
+ }
+ raw_spin_unlock_irqrestore(&tick_broadcast_lock, flags);
+diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c
+index 9a3859443c042..4b5a42192afa2 100644
+--- a/kernel/time/tick-common.c
++++ b/kernel/time/tick-common.c
+@@ -110,6 +110,7 @@ void tick_handle_periodic(struct clock_event_device *dev)
+ int cpu = smp_processor_id();
+ ktime_t next = dev->next_event;
+
++ dev->next_event_forced = 0;
+ tick_periodic(cpu);
+
+ /*
+diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
+index f203f000da1ad..e385555b456e8 100644
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -1488,6 +1488,7 @@ static void tick_nohz_lowres_handler(struct clock_event_device *dev)
+ struct tick_sched *ts = this_cpu_ptr(&tick_cpu_sched);
+
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+
+ if (likely(tick_nohz_handler(&ts->sched_timer) == HRTIMER_RESTART))
+ tick_program_event(hrtimer_get_expires(&ts->sched_timer), 1);
+--
+2.53.0
+
--- /dev/null
+From f7892d41a9f107d8bdacbf96e34c5ebc27b71efa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 23:34:55 +0800
+Subject: crypto: af_alg - limit RX SG extraction by receive buffer budget
+
+From: Douya Le <ldy3087146292@gmail.com>
+
+[ Upstream commit 8eceab19eba9dcbfd2a0daec72e1bf48aa100170 ]
+
+Make af_alg_get_rsgl() limit each RX scatterlist extraction to the
+remaining receive buffer budget.
+
+af_alg_get_rsgl() currently uses af_alg_readable() only as a gate
+before extracting data into the RX scatterlist. Limit each extraction
+to the remaining af_alg_rcvbuf(sk) budget so that receive-side
+accounting matches the amount of data attached to the request.
+
+If skcipher cannot obtain enough RX space for at least one chunk while
+more data remains to be processed, reject the recvmsg call instead of
+rounding the request length down to zero.
+
+Fixes: e870456d8e7c8d57c059ea479b5aadbb55ff4c3a ("crypto: algif_skcipher - overhaul memory management")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Douya Le <ldy3087146292@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/af_alg.c | 2 ++
+ crypto/algif_skcipher.c | 5 +++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index 78e995dddf879..0530dc85e4f87 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -1258,6 +1258,8 @@ int af_alg_get_rsgl(struct sock *sk, struct msghdr *msg, int flags,
+
+ seglen = min_t(size_t, (maxsize - len),
+ msg_data_left(msg));
++ /* Never pin more pages than the remaining RX accounting budget. */
++ seglen = min_t(size_t, seglen, af_alg_rcvbuf(sk));
+
+ if (list_empty(&areq->rsgl_list)) {
+ rsgl = &areq->first_rsgl;
+diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
+index 125d395c5e009..3549ad1cc42e6 100644
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -130,6 +130,11 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
+ * full block size buffers.
+ */
+ if (ctx->more || len < ctx->used) {
++ if (len < bs) {
++ err = -EINVAL;
++ goto free;
++ }
++
+ len -= len % bs;
+ cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL;
+ }
+--
+2.53.0
+
--- /dev/null
+From d0f962563be16d2357490d671ef0f90b647c91b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Apr 2026 13:32:21 +0800
+Subject: crypto: algif_aead - Fix minimum RX size check for decryption
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ]
+
+The check for the minimum receive buffer size did not take the
+tag size into account during decryption. Fix this by adding the
+required extra length.
+
+Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
+Reported-by: Daniel Pouzzner <douzzer@mega.nu>
+Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/algif_aead.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
+index 7d58cbbce4af2..481e66f8708bb 100644
+--- a/crypto/algif_aead.c
++++ b/crypto/algif_aead.c
+@@ -170,7 +170,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
+ if (usedpages < outlen) {
+ size_t less = outlen - usedpages;
+
+- if (used < less) {
++ if (used < less + (ctx->enc ? 0 : as)) {
+ err = -EINVAL;
+ goto free;
+ }
+--
+2.53.0
+
--- /dev/null
+From 1d9b437a1c5bb8800fcf334297d03f9328d7c4ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 09:58:36 +0530
+Subject: drm/amdgpu: Handle GPU page faults correctly on non-4K page systems
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Donet Tom <donettom@linux.ibm.com>
+
+[ Upstream commit 4e9597f22a3cb8600c72fc266eaac57981d834c8 ]
+
+During a GPU page fault, the driver restores the SVM range and then maps it
+into the GPU page tables. The current implementation passes a GPU-page-size
+(4K-based) PFN to svm_range_restore_pages() to restore the range.
+
+SVM ranges are tracked using system-page-size PFNs. On systems where the
+system page size is larger than 4K, using GPU-page-size PFNs to restore the
+range causes two problems:
+
+Range lookup fails:
+Because the restore function receives PFNs in GPU (4K) units, the SVM
+range lookup does not find the existing range. This will result in a
+duplicate SVM range being created.
+
+VMA lookup failure:
+The restore function also tries to locate the VMA for the faulting address.
+It converts the GPU-page-size PFN into an address using the system page
+size, which results in an incorrect address on non-4K page-size systems.
+As a result, the VMA lookup fails with the message: "address 0xxxx VMA is
+removed".
+
+This patch passes the system-page-size PFN to svm_range_restore_pages() so
+that the SVM range is restored correctly on non-4K page systems.
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Donet Tom <donettom@linux.ibm.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 074fe395fb13247b057f60004c7ebcca9f38ef46)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+index 13252c27cf55e..a29d01202b5b3 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+@@ -2806,14 +2806,14 @@ bool amdgpu_vm_handle_fault(struct amdgpu_device *adev, u32 pasid,
+ if (!root)
+ return false;
+
+- addr /= AMDGPU_GPU_PAGE_SIZE;
+-
+ if (is_compute_context && !svm_range_restore_pages(adev, pasid, vmid,
+- node_id, addr, ts, write_fault)) {
++ node_id, addr >> PAGE_SHIFT, ts, write_fault)) {
+ amdgpu_bo_unref(&root);
+ return true;
+ }
+
++ addr /= AMDGPU_GPU_PAGE_SIZE;
++
+ r = amdgpu_bo_reserve(root, true);
+ if (r)
+ goto error_unref;
+--
+2.53.0
+
--- /dev/null
+From 55c757d61491f95df70e7e2db84a257259df4b95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:45 -0300
+Subject: drm/vc4: Fix a memory leak in hang state error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit 9525d169e5fd481538cf8c663cc5839e54f2e481 ]
+
+When vc4_save_hang_state() encounters an early return condition, it
+returns without freeing the previously allocated `kernel_state`,
+leaking memory.
+
+Add the missing kfree() calls by consolidating the early return paths
+into a single place.
+
+Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-3-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index 373d310c7b6a5..62d19601ef356 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -169,10 +169,8 @@ vc4_save_hang_state(struct drm_device *dev)
+ spin_lock_irqsave(&vc4->job_lock, irqflags);
+ exec[0] = vc4_first_bin_job(vc4);
+ exec[1] = vc4_first_render_job(vc4);
+- if (!exec[0] && !exec[1]) {
+- spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+- return;
+- }
++ if (!exec[0] && !exec[1])
++ goto err_free_state;
+
+ /* Get the bos from both binner and renderer into hang state. */
+ state->bo_count = 0;
+@@ -189,10 +187,8 @@ vc4_save_hang_state(struct drm_device *dev)
+ kernel_state->bo = kcalloc(state->bo_count,
+ sizeof(*kernel_state->bo), GFP_ATOMIC);
+
+- if (!kernel_state->bo) {
+- spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+- return;
+- }
++ if (!kernel_state->bo)
++ goto err_free_state;
+
+ k = 0;
+ for (i = 0; i < 2; i++) {
+@@ -284,6 +280,12 @@ vc4_save_hang_state(struct drm_device *dev)
+ vc4->hang_state = kernel_state;
+ spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+ }
++
++ return;
++
++err_free_state:
++ spin_unlock_irqrestore(&vc4->job_lock, irqflags);
++ kfree(kernel_state);
+ }
+
+ static void
+--
+2.53.0
+
--- /dev/null
+From b1a2057c737d5f6078ddbf5daf923bb9942a1fad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:44 -0300
+Subject: drm/vc4: Fix memory leak of BO array in hang state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit f4dfd6847b3e5d24e336bca6057485116d17aea4 ]
+
+The hang state's BO array is allocated separately with kzalloc() in
+vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the
+missing kfree() for the BO array before freeing the hang state struct.
+
+Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-2-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index be9c0b72ebe86..373d310c7b6a5 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -60,6 +60,7 @@ vc4_free_hang_state(struct drm_device *dev, struct vc4_hang_state *state)
+ for (i = 0; i < state->user_state.bo_count; i++)
+ drm_gem_object_put(state->bo[i]);
+
++ kfree(state->bo);
+ kfree(state);
+ }
+
+--
+2.53.0
+
--- /dev/null
+From c46999896580fd7317f5fda9e5ba860553794cd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:46 -0300
+Subject: drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit 338c56050d8e892604da97f67bfa8cc4015a955f ]
+
+The mmap callback reads bo->madv without holding madv_lock, racing with
+concurrent DRM_IOCTL_VC4_GEM_MADVISE calls that modify the field under
+the same lock. Add the missing locking to prevent the data race.
+
+Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-4-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_bo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c
+index 2a85d08b19852..3740e0552960d 100644
+--- a/drivers/gpu/drm/vc4/vc4_bo.c
++++ b/drivers/gpu/drm/vc4/vc4_bo.c
+@@ -738,12 +738,15 @@ static int vc4_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct
+ return -EINVAL;
+ }
+
++ mutex_lock(&bo->madv_lock);
+ if (bo->madv != VC4_MADV_WILLNEED) {
+ DRM_DEBUG("mmapping of %s BO not allowed\n",
+ bo->madv == VC4_MADV_DONTNEED ?
+ "purgeable" : "purged");
++ mutex_unlock(&bo->madv_lock);
+ return -EINVAL;
+ }
++ mutex_unlock(&bo->madv_lock);
+
+ return drm_gem_dma_mmap(&bo->base, vma);
+ }
+--
+2.53.0
+
--- /dev/null
+From 011ba73738857a14d7a33bdd3fecd50230b53d2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:43 -0300
+Subject: drm/vc4: Release runtime PM reference after binding V3D
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit aaefbdde9abdc43699e110679c0e10972a5e1c59 ]
+
+The vc4_v3d_bind() function acquires a runtime PM reference via
+pm_runtime_resume_and_get() to access V3D registers during setup.
+However, this reference is never released after a successful bind.
+This prevents the device from ever runtime suspending, since the
+reference count never reaches zero.
+
+Release the runtime PM reference by adding pm_runtime_put_autosuspend()
+after autosuspend is configured, allowing the device to runtime suspend
+after the delay.
+
+Fixes: 266cff37d7fc ("drm/vc4: v3d: Rework the runtime_pm setup")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-1-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_v3d.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_v3d.c b/drivers/gpu/drm/vc4/vc4_v3d.c
+index 43f69d74e8761..334d2cfe3433b 100644
+--- a/drivers/gpu/drm/vc4/vc4_v3d.c
++++ b/drivers/gpu/drm/vc4/vc4_v3d.c
+@@ -479,6 +479,7 @@ static int vc4_v3d_bind(struct device *dev, struct device *master, void *data)
+
+ pm_runtime_use_autosuspend(dev);
+ pm_runtime_set_autosuspend_delay(dev, 40); /* a little over 2 frames. */
++ pm_runtime_put_autosuspend(dev);
+
+ return 0;
+
+--
+2.53.0
+
--- /dev/null
+From 36aa077fc0ea5cc98f14b5f187f6a24f57edc7f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 11:29:40 +0100
+Subject: dt-bindings: net: Fix Tegra234 MGBE PTP clock
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+[ Upstream commit fb22b1fc5bca3c0aad95388933497ceb30f1fb26 ]
+
+The PTP clock for the Tegra234 MGBE device is incorrectly named
+'ptp-ref' and should be 'ptp_ref'. This is causing the following
+warning to be observed on Tegra234 platforms that use this device:
+
+ ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate
+ WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed
+
+Although this constitutes an ABI breakage in the binding for this
+device, PTP support has clearly never worked and so fix this now
+so we can correct the device-tree for this device. Note that the
+MGBE driver still supports the legacy 'ptp-ref' clock name and so
+older/existing device-trees will still work, but given that this
+is not the correct name, there is no point to advertise this in the
+binding.
+
+Fixes: 189c2e5c7669 ("dt-bindings: net: Add Tegra234 MGBE")
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260401102941.17466-3-jonathanh@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../devicetree/bindings/net/nvidia,tegra234-mgbe.yaml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
+index 2bd3efff2485e..215f14d1897d2 100644
+--- a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
++++ b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
+@@ -42,7 +42,7 @@ properties:
+ - const: mgbe
+ - const: mac
+ - const: mac-divider
+- - const: ptp-ref
++ - const: ptp_ref
+ - const: rx-input-m
+ - const: rx-input
+ - const: tx
+@@ -133,7 +133,7 @@ examples:
+ <&bpmp TEGRA234_CLK_MGBE0_RX_PCS_M>,
+ <&bpmp TEGRA234_CLK_MGBE0_RX_PCS>,
+ <&bpmp TEGRA234_CLK_MGBE0_TX_PCS>;
+- clock-names = "mgbe", "mac", "mac-divider", "ptp-ref", "rx-input-m",
++ clock-names = "mgbe", "mac", "mac-divider", "ptp_ref", "rx-input-m",
+ "rx-input", "tx", "eee-pcs", "rx-pcs-input", "rx-pcs-m",
+ "rx-pcs", "tx-pcs";
+ resets = <&bpmp TEGRA234_RESET_MGBE0_MAC>,
+--
+2.53.0
+
--- /dev/null
+From 1201f4de5a1813393c7677a33016486956b55712 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 15:05:05 +0300
+Subject: e1000: check return value of e1000_read_eeprom
+
+From: Agalakov Daniil <ade@amicon.ru>
+
+[ Upstream commit d3baa34a470771399c1495bc04b1e26ac15d598e ]
+
+[Why]
+e1000_set_eeprom() performs a read-modify-write operation when the write
+range is not word-aligned. This requires reading the first and last words
+of the range from the EEPROM to preserve the unmodified bytes.
+
+However, the code does not check the return value of e1000_read_eeprom().
+If the read fails, the operation continues using uninitialized data from
+eeprom_buff. This results in corrupted data being written back to the
+EEPROM for the boundary words.
+
+Add the missing error checks and abort the operation if reading fails.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Co-developed-by: Iskhakov Daniil <dish@amicon.ru>
+Signed-off-by: Iskhakov Daniil <dish@amicon.ru>
+Signed-off-by: Agalakov Daniil <ade@amicon.ru>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+index d06d29c6c0370..c7b50059663d9 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+@@ -496,14 +496,19 @@ static int e1000_set_eeprom(struct net_device *netdev,
+ */
+ ret_val = e1000_read_eeprom(hw, first_word, 1,
+ &eeprom_buff[0]);
++ if (ret_val)
++ goto out;
++
+ ptr++;
+ }
+- if (((eeprom->offset + eeprom->len) & 1) && (ret_val == 0)) {
++ if ((eeprom->offset + eeprom->len) & 1) {
+ /* need read/modify/write of last changed EEPROM word
+ * only the first byte of the word is being modified
+ */
+ ret_val = e1000_read_eeprom(hw, last_word, 1,
+ &eeprom_buff[last_word - first_word]);
++ if (ret_val)
++ goto out;
+ }
+
+ /* Device's eeprom is always little-endian, word addressable */
+@@ -522,6 +527,7 @@ static int e1000_set_eeprom(struct net_device *netdev,
+ if ((ret_val == 0) && (first_word <= EEPROM_CHECKSUM_REG))
+ e1000_update_eeprom_checksum(hw);
+
++out:
+ kfree(eeprom_buff);
+ return ret_val;
+ }
+--
+2.53.0
+
--- /dev/null
+From db4d28310bb76fce8a90df7e67a2b605293fd3e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Mar 2026 15:25:32 +0200
+Subject: eventpoll: defer struct eventpoll free to RCU grace period
+
+From: Nicholas Carlini <nicholas@carlini.com>
+
+[ Upstream commit 07712db80857d5d09ae08f3df85a708ecfc3b61f ]
+
+In certain situations, ep_free() in eventpoll.c will kfree the epi->ep
+eventpoll struct while it still being used by another concurrent thread.
+Defer the kfree() to an RCU callback to prevent UAF.
+
+Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion")
+Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/eventpoll.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index aa4318271eee4..075aa8793aaa9 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -226,6 +226,9 @@ struct eventpoll {
+ */
+ refcount_t refcount;
+
++ /* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */
++ struct rcu_head rcu;
++
+ #ifdef CONFIG_NET_RX_BUSY_POLL
+ /* used to track busy poll napi_id */
+ unsigned int napi_id;
+@@ -790,7 +793,8 @@ static void ep_free(struct eventpoll *ep)
+ mutex_destroy(&ep->mtx);
+ free_uid(ep->user);
+ wakeup_source_unregister(ep->ws);
+- kfree(ep);
++ /* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */
++ kfree_rcu(ep, rcu);
+ }
+
+ /*
+--
+2.53.0
+
--- /dev/null
+From ff66b12b7424379480989edab832f76774df801b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 13:11:27 -0700
+Subject: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
+
+From: Fredric Cover <FredTheDude@proton.me>
+
+[ Upstream commit 78ec5bf2f589ec7fd8f169394bfeca541b077317 ]
+
+When cifs_sanitize_prepath is called with an empty string or a string
+containing only delimiters (e.g., "/"), the current logic attempts to
+check *(cursor2 - 1) before cursor2 has advanced. This results in an
+out-of-bounds read.
+
+This patch adds an early exit check after stripping prepended
+delimiters. If no path content remains, the function returns NULL.
+
+The bug was identified via manual audit and verified using a
+standalone test case compiled with AddressSanitizer, which
+triggered a SEGV on affected inputs.
+
+Signed-off-by: Fredric Cover <FredTheDude@proton.me>
+Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/fs_context.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
+index 39e48e86b9b4f..769380020d41a 100644
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -527,6 +527,10 @@ char *cifs_sanitize_prepath(char *prepath, gfp_t gfp)
+ while (IS_DELIM(*cursor1))
+ cursor1++;
+
++ /* exit in case of only delimiters */
++ if (!*cursor1)
++ return NULL;
++
+ /* copy the first letter */
+ *cursor2 = *cursor1;
+
+--
+2.53.0
+
--- /dev/null
+From b994d518f5f408f062108e1a57a19017ae5741e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 14:02:47 -0700
+Subject: gpio: tegra: fix irq_release_resources calling enable instead of
+ disable
+
+From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+
+[ Upstream commit 1561d96f5f55c1bca9ff047ace5813f4f244eea6 ]
+
+tegra_gpio_irq_release_resources() erroneously calls tegra_gpio_enable()
+instead of tegra_gpio_disable(). When IRQ resources are released, the
+GPIO configuration bit (CNF) should be cleared to deconfigure the pin as
+a GPIO. Leaving it enabled wastes power and can cause unexpected behavior
+if the pin is later reused for an alternate function via pinctrl.
+
+Fixes: 66fecef5bde0 ("gpio: tegra: Convert to gpio_irq_chip")
+Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+Link: https://patch.msgid.link/20260407210247.1737938-1-samasth.norway.ananda@oracle.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-tegra.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-tegra.c b/drivers/gpio/gpio-tegra.c
+index 6d3a39a03f58e..cc7435ecada80 100644
+--- a/drivers/gpio/gpio-tegra.c
++++ b/drivers/gpio/gpio-tegra.c
+@@ -593,7 +593,7 @@ static void tegra_gpio_irq_release_resources(struct irq_data *d)
+ struct tegra_gpio_info *tgi = gpiochip_get_data(chip);
+
+ gpiochip_relres_irq(chip, d->hwirq);
+- tegra_gpio_enable(tgi, d->hwirq);
++ tegra_gpio_disable(tgi, d->hwirq);
+ }
+
+ static void tegra_gpio_irq_print_chip(struct irq_data *d, struct seq_file *s)
+--
+2.53.0
+
--- /dev/null
+From 46a44f84062b11c440f81a66b52c814aaf630601 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 09:25:22 +0100
+Subject: HID: amd_sfh: don't log error when device discovery fails with
+ -EOPNOTSUPP
+
+From: Maximilian Pezzullo <maximilianpezzullo@gmail.com>
+
+[ Upstream commit 743677a8cb30b09f16a7f167f497c2c927891b5a ]
+
+When sensor discovery fails on systems without AMD SFH sensors, the
+code already emits a warning via dev_warn() in amd_sfh_hid_client_init().
+The subsequent dev_err() in sfh_init_work() for the same -EOPNOTSUPP
+return value is redundant and causes unnecessary alarm.
+
+Suppress the dev_err() for -EOPNOTSUPP to avoid confusing users who
+have no AMD SFH sensors.
+
+Fixes: 2105e8e00da4 ("HID: amd_sfh: Improve boot time when SFH is available")
+Reported-by: Casey Croy <ccroy@bugzilla.kernel.org>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221099
+Signed-off-by: Maximilian Pezzullo <maximilianpezzullo@gmail.com>
+Acked-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/amd-sfh-hid/amd_sfh_pcie.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c b/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c
+index 9739f66e925c0..33ba9af1a249f 100644
+--- a/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c
++++ b/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c
+@@ -352,7 +352,8 @@ static void sfh_init_work(struct work_struct *work)
+ rc = amd_sfh_hid_client_init(mp2);
+ if (rc) {
+ amd_sfh_clear_intr(mp2);
+- dev_err(&pdev->dev, "amd_sfh_hid_client_init failed err %d\n", rc);
++ if (rc != -EOPNOTSUPP)
++ dev_err(&pdev->dev, "amd_sfh_hid_client_init failed err %d\n", rc);
+ return;
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 7ab5f82aca54d05d8d75d60a698113f8e8e14090 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 13:36:59 -0500
+Subject: HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3
+
+From: leo vriska <leo@60228.dev>
+
+[ Upstream commit 532743944324a873bbaf8620fcabcd0e69e30c36 ]
+
+According to a mailing list report [1], this controller's predecessor
+has the same issue. However, it uses the xpad driver instead of HID, so
+this quirk wouldn't apply.
+
+[1]: https://lore.kernel.org/linux-input/unufo3$det$1@ciao.gmane.io/
+
+Signed-off-by: leo vriska <leo@60228.dev>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 25eb5cc7de70e..475e6eb4702af 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -22,6 +22,9 @@
+ #define USB_DEVICE_ID_3M2256 0x0502
+ #define USB_DEVICE_ID_3M3266 0x0506
+
++#define USB_VENDOR_ID_8BITDO 0x2dc8
++#define USB_DEVICE_ID_8BITDO_PRO_3 0x6009
++
+ #define USB_VENDOR_ID_A4TECH 0x09da
+ #define USB_DEVICE_ID_A4TECH_WCP32PU 0x0006
+ #define USB_DEVICE_ID_A4TECH_X5_005D 0x000a
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index 7a3e0675d9ba2..d9e33dde89899 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -25,6 +25,7 @@
+ */
+
+ static const struct hid_device_id hid_quirks[] = {
++ { HID_USB_DEVICE(USB_VENDOR_ID_8BITDO, USB_DEVICE_ID_8BITDO_PRO_3), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD },
+ { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL },
+--
+2.53.0
+
--- /dev/null
+From 3b0afaee719616d33677c683db33841ba7cc0753 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 16:11:07 +0000
+Subject: HID: roccat: fix use-after-free in roccat_report_event
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benoît Sevens <bsevens@google.com>
+
+[ Upstream commit d802d848308b35220f21a8025352f0c0aba15c12 ]
+
+roccat_report_event() iterates over the device->readers list without
+holding the readers_lock. This allows a concurrent roccat_release() to
+remove and free a reader while it's still being accessed, leading to a
+use-after-free.
+
+Protect the readers list traversal with the readers_lock mutex.
+
+Signed-off-by: Benoît Sevens <bsevens@google.com>
+Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-roccat.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c
+index c7f7562e22e56..e413662f75082 100644
+--- a/drivers/hid/hid-roccat.c
++++ b/drivers/hid/hid-roccat.c
+@@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data)
+ if (!new_value)
+ return -ENOMEM;
+
++ mutex_lock(&device->readers_lock);
+ mutex_lock(&device->cbuf_lock);
+
+ report = &device->cbuf[device->cbuf_end];
+@@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data)
+ }
+
+ mutex_unlock(&device->cbuf_lock);
++ mutex_unlock(&device->readers_lock);
+
+ wake_up_interruptible(&device->wait);
+ return 0;
+--
+2.53.0
+
--- /dev/null
+From 6feb22341f212d14befd1be770a22ab6017753e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 15:04:19 +0800
+Subject: ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
+
+From: Yiqi Sun <sunyiqixm@gmail.com>
+
+[ Upstream commit fde29fd9349327acc50d19a0b5f3d5a6c964dfd8 ]
+
+ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the
+IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing
+this error pointer to dev_hold() will cause a kernel crash with
+null-ptr-deref.
+
+Instead, silently discard the request. RFC 8335 does not appear to
+define a specific response for the case where an IPv6 interface
+identifier is syntactically valid but the implementation cannot perform
+the lookup at runtime, and silently dropping the request may safer than
+misreporting "No Such Interface".
+
+Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
+Signed-off-by: Yiqi Sun <sunyiqixm@gmail.com>
+Link: https://patch.msgid.link/20260402070419.2291578-1-sunyiqixm@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 58feb21ff967d..8e53b595a4194 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -1143,6 +1143,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
+ if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr))
+ goto send_mal_query;
+ dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
++ /*
++ * If IPv6 identifier lookup is unavailable, silently
++ * discard the request instead of misreporting NO_IF.
++ */
++ if (IS_ERR(dev))
++ return false;
++
+ dev_hold(dev);
+ break;
+ #endif
+--
+2.53.0
+
--- /dev/null
+From 6b5a087e916dceceb8aa505cc2f1af89dca4c53f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 09:26:13 +0200
+Subject: ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()
+
+From: Fernando Fernandez Mancera <fmancera@suse.de>
+
+[ Upstream commit 14cf0cd35361f4e94824bf8a42f72713d7702a73 ]
+
+When querying a nexthop object via RTM_GETNEXTHOP, the kernel currently
+allocates a fixed-size skb using NLMSG_GOODSIZE. While sufficient for
+single nexthops and small Equal-Cost Multi-Path groups, this fixed
+allocation fails for large nexthop groups like 512 nexthops.
+
+This results in the following warning splat:
+
+ WARNING: net/ipv4/nexthop.c:3395 at rtm_get_nexthop+0x176/0x1c0, CPU#20: rep/4608
+ [...]
+ RIP: 0010:rtm_get_nexthop (net/ipv4/nexthop.c:3395)
+ [...]
+ Call Trace:
+ <TASK>
+ rtnetlink_rcv_msg (net/core/rtnetlink.c:6989)
+ netlink_rcv_skb (net/netlink/af_netlink.c:2550)
+ netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
+ netlink_sendmsg (net/netlink/af_netlink.c:1894)
+ ____sys_sendmsg (net/socket.c:721 net/socket.c:736 net/socket.c:2585)
+ ___sys_sendmsg (net/socket.c:2641)
+ __sys_sendmsg (net/socket.c:2671)
+ do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+ </TASK>
+
+Fix this by allocating the size dynamically using nh_nlmsg_size() and
+using nlmsg_new(), this is consistent with nexthop_notify() behavior. In
+addition, adjust nh_nlmsg_size_grp() so it calculates the size needed
+based on flags passed. While at it, also add the size of NHA_FDB for
+nexthop group size calculation as it was missing too.
+
+This cannot be reproduced via iproute2 as the group size is currently
+limited and the command fails as follows:
+
+addattr_l ERROR: message exceeded bound of 1048
+
+Fixes: 430a049190de ("nexthop: Add support for nexthop groups")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Closes: https://lore.kernel.org/netdev/CAL_bE8Li2h4KO+AQFXW4S6Yb_u5X4oSKnkywW+LPFjuErhqELA@mail.gmail.com/
+Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20260402072613.25262-2-fmancera@suse.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/nexthop.c | 38 +++++++++++++++++++++++++++-----------
+ 1 file changed, 27 insertions(+), 11 deletions(-)
+
+diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
+index fe4ebafb7da14..f1d499a3e2748 100644
+--- a/net/ipv4/nexthop.c
++++ b/net/ipv4/nexthop.c
+@@ -1006,16 +1006,32 @@ static size_t nh_nlmsg_size_grp_res(struct nh_group *nhg)
+ nla_total_size_64bit(8);/* NHA_RES_GROUP_UNBALANCED_TIME */
+ }
+
+-static size_t nh_nlmsg_size_grp(struct nexthop *nh)
++static size_t nh_nlmsg_size_grp(struct nexthop *nh, u32 op_flags)
+ {
+ struct nh_group *nhg = rtnl_dereference(nh->nh_grp);
+ size_t sz = sizeof(struct nexthop_grp) * nhg->num_nh;
+ size_t tot = nla_total_size(sz) +
+- nla_total_size(2); /* NHA_GROUP_TYPE */
++ nla_total_size(2) + /* NHA_GROUP_TYPE */
++ nla_total_size(0); /* NHA_FDB */
+
+ if (nhg->resilient)
+ tot += nh_nlmsg_size_grp_res(nhg);
+
++ if (op_flags & NHA_OP_FLAG_DUMP_STATS) {
++ tot += nla_total_size(0) + /* NHA_GROUP_STATS */
++ nla_total_size(4); /* NHA_HW_STATS_ENABLE */
++ tot += nhg->num_nh *
++ (nla_total_size(0) + /* NHA_GROUP_STATS_ENTRY */
++ nla_total_size(4) + /* NHA_GROUP_STATS_ENTRY_ID */
++ nla_total_size_64bit(8)); /* NHA_GROUP_STATS_ENTRY_PACKETS */
++
++ if (op_flags & NHA_OP_FLAG_DUMP_HW_STATS) {
++ tot += nhg->num_nh *
++ nla_total_size_64bit(8); /* NHA_GROUP_STATS_ENTRY_PACKETS_HW */
++ tot += nla_total_size(4); /* NHA_HW_STATS_USED */
++ }
++ }
++
+ return tot;
+ }
+
+@@ -1050,14 +1066,14 @@ static size_t nh_nlmsg_size_single(struct nexthop *nh)
+ return sz;
+ }
+
+-static size_t nh_nlmsg_size(struct nexthop *nh)
++static size_t nh_nlmsg_size(struct nexthop *nh, u32 op_flags)
+ {
+ size_t sz = NLMSG_ALIGN(sizeof(struct nhmsg));
+
+ sz += nla_total_size(4); /* NHA_ID */
+
+ if (nh->is_group)
+- sz += nh_nlmsg_size_grp(nh) +
++ sz += nh_nlmsg_size_grp(nh, op_flags) +
+ nla_total_size(4) + /* NHA_OP_FLAGS */
+ 0;
+ else
+@@ -1073,7 +1089,7 @@ static void nexthop_notify(int event, struct nexthop *nh, struct nl_info *info)
+ struct sk_buff *skb;
+ int err = -ENOBUFS;
+
+- skb = nlmsg_new(nh_nlmsg_size(nh), gfp_any());
++ skb = nlmsg_new(nh_nlmsg_size(nh, 0), gfp_any());
+ if (!skb)
+ goto errout;
+
+@@ -3333,15 +3349,15 @@ static int rtm_get_nexthop(struct sk_buff *in_skb, struct nlmsghdr *nlh,
+ if (err)
+ return err;
+
+- err = -ENOBUFS;
+- skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
+- if (!skb)
+- goto out;
+-
+ err = -ENOENT;
+ nh = nexthop_find_by_id(net, id);
+ if (!nh)
+- goto errout_free;
++ goto out;
++
++ err = -ENOBUFS;
++ skb = nlmsg_new(nh_nlmsg_size(nh, op_flags), GFP_KERNEL);
++ if (!skb)
++ goto out;
+
+ err = nh_fill_node(skb, nh, RTM_NEWNEXTHOP, NETLINK_CB(in_skb).portid,
+ nlh->nlmsg_seq, 0, op_flags);
+--
+2.53.0
+
--- /dev/null
+From c675e7f4761813137480fe484cd5e50e8261e9b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 09:26:12 +0200
+Subject: ipv4: nexthop: avoid duplicate NHA_HW_STATS_ENABLE on nexthop group
+ dump
+
+From: Fernando Fernandez Mancera <fmancera@suse.de>
+
+[ Upstream commit 06aaf04ca815f7a1f17762fd847b7bc14b8833fb ]
+
+Currently NHA_HW_STATS_ENABLE is included twice everytime a dump of
+nexthop group is performed with NHA_OP_FLAG_DUMP_STATS. As all the stats
+querying were moved to nla_put_nh_group_stats(), leave only that
+instance of the attribute querying.
+
+Fixes: 5072ae00aea4 ("net: nexthop: Expose nexthop group HW stats to user space")
+Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20260402072613.25262-1-fmancera@suse.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/nexthop.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
+index e3e3f3ee9a5be..fe4ebafb7da14 100644
+--- a/net/ipv4/nexthop.c
++++ b/net/ipv4/nexthop.c
+@@ -904,8 +904,7 @@ static int nla_put_nh_group(struct sk_buff *skb, struct nexthop *nh,
+ goto nla_put_failure;
+
+ if (op_flags & NHA_OP_FLAG_DUMP_STATS &&
+- (nla_put_u32(skb, NHA_HW_STATS_ENABLE, nhg->hw_stats) ||
+- nla_put_nh_group_stats(skb, nh, op_flags)))
++ nla_put_nh_group_stats(skb, nh, op_flags))
+ goto nla_put_failure;
+
+ return 0;
+--
+2.53.0
+
--- /dev/null
+From 0d47f7d9163eab3cbd4be1ab1a8256984b714ec4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 15:58:01 +0800
+Subject: ipvs: fix NULL deref in ip_vs_add_service error path
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit 9a91797e61d286805ae10a92cc48959c30800556 ]
+
+When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local
+variable sched is set to NULL. If ip_vs_start_estimator() subsequently
+fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched)
+with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL
+check (because svc->scheduler was set by the successful bind) but then
+dereferences the NULL sched parameter at sched->done_service, causing a
+kernel panic at offset 0x30 from NULL.
+
+ Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI
+ KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
+ RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69)
+ Call Trace:
+ <TASK>
+ ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500)
+ do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809)
+ nf_setsockopt (net/netfilter/nf_sockopt.c:102)
+ [..]
+
+Fix by simply not clearing the local sched variable after a successful
+bind. ip_vs_unbind_scheduler() already detects whether a scheduler is
+installed via svc->scheduler, and keeping sched non-NULL ensures the
+error path passes the correct pointer to both ip_vs_unbind_scheduler()
+and ip_vs_scheduler_put().
+
+While the bug is older, the problem popups in more recent kernels (6.2),
+when the new error path is taken after the ip_vs_start_estimator() call.
+
+Fixes: 705dd3444081 ("ipvs: use kthreads for stats estimation")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Acked-by: Simon Horman <horms@kernel.org>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 3219338feca4d..efa845ce616d9 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -1452,7 +1452,6 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
+ ret = ip_vs_bind_scheduler(svc, sched);
+ if (ret)
+ goto out_err;
+- sched = NULL;
+ }
+
+ ret = ip_vs_start_estimator(ipvs, &svc->stats);
+--
+2.53.0
+
--- /dev/null
+From 42d5de90e4cb707a605cce59a9473f9a500d3e8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 09:22:29 +0100
+Subject: ixgbevf: add missing negotiate_features op to Hyper-V ops table
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit 4821d563cd7f251ae728be1a6d04af82a294a5b9 ]
+
+Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by
+negotiating supported features") added the .negotiate_features callback
+to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot
+to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL
+on Hyper-V VMs.
+
+During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(),
+which unconditionally dereferences hw->mac.ops.negotiate_features().
+On Hyper-V this results in a NULL pointer dereference:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ [...]
+ Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...]
+ Workqueue: events work_for_cpu_fn
+ RIP: 0010:0x0
+ [...]
+ Call Trace:
+ ixgbevf_negotiate_api+0x66/0x160 [ixgbevf]
+ ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf]
+ ixgbevf_probe+0x20f/0x4a0 [ixgbevf]
+ local_pci_probe+0x50/0xa0
+ work_for_cpu_fn+0x1a/0x30
+ [...]
+
+Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and
+wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP
+gracefully.
+
+Fixes: a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features")
+Reported-by: Xiaoqiang Xiong <xxiong@redhat.com>
+Closes: https://issues.redhat.com/browse/RHEL-155455
+Assisted-by: Claude:claude-4.6-opus-high Cursor
+Tested-by: Xiaoqiang Xiong <xxiong@redhat.com>
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbevf/vf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.c b/drivers/net/ethernet/intel/ixgbevf/vf.c
+index 708d5dd921acc..70dfda13b7885 100644
+--- a/drivers/net/ethernet/intel/ixgbevf/vf.c
++++ b/drivers/net/ethernet/intel/ixgbevf/vf.c
+@@ -709,6 +709,12 @@ static int ixgbevf_negotiate_features_vf(struct ixgbe_hw *hw, u32 *pf_features)
+ return err;
+ }
+
++static int ixgbevf_hv_negotiate_features_vf(struct ixgbe_hw *hw,
++ u32 *pf_features)
++{
++ return -EOPNOTSUPP;
++}
++
+ /**
+ * ixgbevf_set_vfta_vf - Set/Unset VLAN filter table address
+ * @hw: pointer to the HW structure
+@@ -1142,6 +1148,7 @@ static const struct ixgbe_mac_operations ixgbevf_hv_mac_ops = {
+ .setup_link = ixgbevf_setup_mac_link_vf,
+ .check_link = ixgbevf_hv_check_mac_link_vf,
+ .negotiate_api_version = ixgbevf_hv_negotiate_api_version_vf,
++ .negotiate_features = ixgbevf_hv_negotiate_features_vf,
+ .set_rar = ixgbevf_hv_set_rar_vf,
+ .update_mc_addr_list = ixgbevf_hv_update_mc_addr_list_vf,
+ .update_xcast_mode = ixgbevf_hv_update_xcast_mode,
+--
+2.53.0
+
--- /dev/null
+From d88bd53a44e6031d331d455f51a35bd9f1940baf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 20:49:49 +0300
+Subject: l2tp: Drop large packets with UDP encap
+
+From: Alice Mikityanska <alice@isovalent.com>
+
+[ Upstream commit ebe560ea5f54134279356703e73b7f867c89db13 ]
+
+syzbot reported a WARN on my patch series [1]. The actual issue is an
+overflow of 16-bit UDP length field, and it exists in the upstream code.
+My series added a debug WARN with an overflow check that exposed the
+issue, that's why syzbot tripped on my patches, rather than on upstream
+code.
+
+syzbot's repro:
+
+r0 = socket$pppl2tp(0x18, 0x1, 0x1)
+r1 = socket$inet6_udp(0xa, 0x2, 0x0)
+connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c)
+connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
+writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1)
+
+It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP
+encapsulation, and l2tp_xmit_core doesn't check for overflows when it
+assigns the UDP length field. The value gets trimmed to 16 bites.
+
+Add an overflow check that drops oversized packets and avoids sending
+packets with trimmed UDP length to the wire.
+
+syzbot's stack trace (with my patch applied):
+
+len >= 65536u
+WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957
+WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957
+WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957
+Modules linked in:
+CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
+RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline]
+RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline]
+RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327
+Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f
+RSP: 0018:ffffc90003d67878 EFLAGS: 00010293
+RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000
+RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff
+RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
+R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900
+R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000
+FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ sock_write_iter+0x503/0x550 net/socket.c:1195
+ do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1
+ vfs_writev+0x33c/0x990 fs/read_write.c:1059
+ do_writev+0x154/0x2e0 fs/read_write.c:1105
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f636479c629
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
+RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629
+RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003
+RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0
+ </TASK>
+
+[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/
+
+Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
+Reported-by: syzbot+ci3edea60a44225dec@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/69a1dfba.050a0220.3a55be.0026.GAE@google.com/
+Signed-off-by: Alice Mikityanska <alice@isovalent.com>
+Link: https://patch.msgid.link/20260403174949.843941-1-alice.kernel@fastmail.im
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index 95060ff7adc5f..87f29ebed5887 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1290,6 +1290,11 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns
+ uh->source = inet->inet_sport;
+ uh->dest = inet->inet_dport;
+ udp_len = uhlen + session->hdr_len + data_len;
++ if (udp_len > U16_MAX) {
++ kfree_skb(skb);
++ ret = NET_XMIT_DROP;
++ goto out_unlock;
++ }
+ uh->len = htons(udp_len);
+
+ /* Calculate UDP checksum if configured to do so */
+--
+2.53.0
+
--- /dev/null
+From cb3eb535ddf27af85a56d19a609ce360bc05cb63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Feb 2026 10:47:51 +0100
+Subject: media: rkvdec: reduce stack usage in rkvdec_init_v4l2_vp9_count_tbl()
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit c03b7dec3c4ddc97872fa12bfca75bae9cb46510 ]
+
+The deeply nested loop in rkvdec_init_v4l2_vp9_count_tbl() needs a lot
+of registers, so when the clang register allocator runs out, it ends up
+spilling countless temporaries to the stack:
+
+drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c:966:12: error: stack frame size (1472) exceeds limit (1280) in 'rkvdec_vp9_start' [-Werror,-Wframe-larger-than]
+
+Marking this function as noinline_for_stack keeps it out of
+rkvdec_vp9_start(), giving the compiler more room for optimization.
+
+The resulting code is good enough that both the total stack usage
+and the loop get enough better to stay under the warning limit,
+though it's still slow, and would need a larger rework if this
+function ends up being called in a fast path.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/rkvdec/rkvdec-vp9.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/rkvdec/rkvdec-vp9.c b/drivers/staging/media/rkvdec/rkvdec-vp9.c
+index 0e7e16f20eeb0..bc74d2d824ef2 100644
+--- a/drivers/staging/media/rkvdec/rkvdec-vp9.c
++++ b/drivers/staging/media/rkvdec/rkvdec-vp9.c
+@@ -923,7 +923,8 @@ static void rkvdec_vp9_done(struct rkvdec_ctx *ctx,
+ update_ctx_last_info(vp9_ctx);
+ }
+
+-static void rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx)
++static noinline_for_stack void
++rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx)
+ {
+ struct rkvdec_vp9_ctx *vp9_ctx = ctx->priv;
+ struct rkvdec_vp9_intra_frame_symbol_counts *intra_cnts = vp9_ctx->count_tbl.cpu;
+--
+2.53.0
+
--- /dev/null
+From 00588c308e3683942e641c20dec52469b4cd6448 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:23:16 -0500
+Subject: net: increase IP_TUNNEL_RECURSION_LIMIT to 5
+
+From: Chris J Arges <carges@cloudflare.com>
+
+[ Upstream commit 77facb35227c421467cdb49268de433168c2dcef ]
+
+In configurations with multiple tunnel layers and MPLS lwtunnel routing, a
+single tunnel hop can increment the counter beyond this limit. This causes
+packets to be dropped with the "Dead loop on virtual device" message even
+when a routing loop doesn't exist.
+
+Increase IP_TUNNEL_RECURSION_LIMIT from 4 to 5 to handle this use-case.
+
+Fixes: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions")
+Link: https://lore.kernel.org/netdev/88deb91b-ef1b-403c-8eeb-0f971f27e34f@redhat.com/
+Signed-off-by: Chris J Arges <carges@cloudflare.com>
+Link: https://patch.msgid.link/20260402222401.3408368-1-carges@cloudflare.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip_tunnels.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
+index 0a5556ef16729..583fd1afd2387 100644
+--- a/include/net/ip_tunnels.h
++++ b/include/net/ip_tunnels.h
+@@ -29,7 +29,7 @@
+ * recursion involves route lookups and full IP output, consuming much
+ * more stack per level, so a lower limit is needed.
+ */
+-#define IP_TUNNEL_RECURSION_LIMIT 4
++#define IP_TUNNEL_RECURSION_LIMIT 5
+
+ /* Keep error state on tunnel for 30 sec */
+ #define IPTUNNEL_ERR_TIMEO (30*HZ)
+--
+2.53.0
+
--- /dev/null
+From e5a6a474e1c4e94f006fa0a9ef6918fa8801725a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 18:43:48 +0200
+Subject: net: ipa: fix event ring index not programmed for IPA v5.0+
+
+From: Alexander Koskovich <akoskovich@pm.me>
+
+[ Upstream commit 56007972c0b1e783ca714d6f1f4d6e66e531d21f ]
+
+For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to
+CH_C_CNTXT_1. The v5.0 register definition intended to define this
+field in the CH_C_CNTXT_1 fmask array but used the old identifier of
+ERINDEX instead of CH_ERINDEX.
+
+Without a valid event ring, GSI channels could never signal transfer
+completions. This caused gsi_channel_trans_quiesce() to block
+forever in wait_for_completion().
+
+At least for IPA v5.2 this resolves an issue seen where runtime
+suspend, system suspend, and remoteproc stop all hanged forever. It
+also meant the IPA data path was completely non functional.
+
+Fixes: faf0678ec8a0 ("net: ipa: add IPA v5.0 GSI register definitions")
+Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260403-milos-ipa-v1-2-01e9e4e03d3e@fairphone.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipa/reg/gsi_reg-v5.0.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ipa/reg/gsi_reg-v5.0.c b/drivers/net/ipa/reg/gsi_reg-v5.0.c
+index 3334d8e20ad28..6c4a7fbe4de94 100644
+--- a/drivers/net/ipa/reg/gsi_reg-v5.0.c
++++ b/drivers/net/ipa/reg/gsi_reg-v5.0.c
+@@ -30,7 +30,7 @@ REG_STRIDE_FIELDS(CH_C_CNTXT_0, ch_c_cntxt_0,
+
+ static const u32 reg_ch_c_cntxt_1_fmask[] = {
+ [CH_R_LENGTH] = GENMASK(23, 0),
+- [ERINDEX] = GENMASK(31, 24),
++ [CH_ERINDEX] = GENMASK(31, 24),
+ };
+
+ REG_STRIDE_FIELDS(CH_C_CNTXT_1, ch_c_cntxt_1,
+--
+2.53.0
+
--- /dev/null
+From 03fc6a5113872e897ed075b344d9a7f1fdbbb574 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 18:43:47 +0200
+Subject: net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+
+
+From: Alexander Koskovich <akoskovich@pm.me>
+
+[ Upstream commit 9709b56d908acc120fe8b4ae250b3c9d749ea832 ]
+
+Fix the field masks to match the hardware layout documented in
+downstream GSI (GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD_*).
+
+Notably this fixes a WARN I was seeing when I tried to send "stop"
+to the MPSS remoteproc while IPA was up.
+
+Fixes: faf0678ec8a0 ("net: ipa: add IPA v5.0 GSI register definitions")
+Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260403-milos-ipa-v1-1-01e9e4e03d3e@fairphone.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipa/reg/gsi_reg-v5.0.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ipa/reg/gsi_reg-v5.0.c b/drivers/net/ipa/reg/gsi_reg-v5.0.c
+index 36d1e65df71bb..3334d8e20ad28 100644
+--- a/drivers/net/ipa/reg/gsi_reg-v5.0.c
++++ b/drivers/net/ipa/reg/gsi_reg-v5.0.c
+@@ -156,9 +156,10 @@ REG_FIELDS(EV_CH_CMD, ev_ch_cmd, 0x00025010 + 0x12000 * GSI_EE_AP);
+
+ static const u32 reg_generic_cmd_fmask[] = {
+ [GENERIC_OPCODE] = GENMASK(4, 0),
+- [GENERIC_CHID] = GENMASK(9, 5),
+- [GENERIC_EE] = GENMASK(13, 10),
+- /* Bits 14-31 reserved */
++ [GENERIC_CHID] = GENMASK(12, 5),
++ [GENERIC_EE] = GENMASK(16, 13),
++ /* Bits 17-23 reserved */
++ [GENERIC_PARAMS] = GENMASK(31, 24),
+ };
+
+ REG_FIELDS(GENERIC_CMD, generic_cmd, 0x00025018 + 0x12000 * GSI_EE_AP);
+--
+2.53.0
+
--- /dev/null
+From e02b2bab129ca3810fea3c7fe48e7bfb9025c35b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 10:35:19 +0000
+Subject: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b120e4432f9f56c7103133d6a11245e617695adb ]
+
+lapbeth_data_transmit() expects the underlying device type
+to be ARPHRD_ETHER.
+
+Returning NOTIFY_BAD from lapbeth_device_event() makes sure
+bonding driver can not break this expectation.
+
+Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
+Reported-by: syzbot+d8c285748fa7292580a9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/69cd22a1.050a0220.70c3a.0002.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Martin Schiller <ms@dev.tdt.de>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260402103519.1201565-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lapbether.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index 56326f38fe8a3..da61716a66c46 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -444,33 +444,36 @@ static void lapbeth_free_device(struct lapbethdev *lapbeth)
+ static int lapbeth_device_event(struct notifier_block *this,
+ unsigned long event, void *ptr)
+ {
+- struct lapbethdev *lapbeth;
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
++ struct lapbethdev *lapbeth;
+
+ if (dev_net(dev) != &init_net)
+ return NOTIFY_DONE;
+
+- if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev))
++ lapbeth = lapbeth_get_x25_dev(dev);
++ if (!dev_is_ethdev(dev) && !lapbeth)
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
+ /* New ethernet device -> new LAPB interface */
+- if (!lapbeth_get_x25_dev(dev))
++ if (!lapbeth)
+ lapbeth_new_device(dev);
+ break;
+ case NETDEV_GOING_DOWN:
+ /* ethernet device closes -> close LAPB interface */
+- lapbeth = lapbeth_get_x25_dev(dev);
+ if (lapbeth)
+ dev_close(lapbeth->axdev);
+ break;
+ case NETDEV_UNREGISTER:
+ /* ethernet device disappears -> remove LAPB interface */
+- lapbeth = lapbeth_get_x25_dev(dev);
+ if (lapbeth)
+ lapbeth_free_device(lapbeth);
+ break;
++ case NETDEV_PRE_TYPE_CHANGE:
++ /* Our underlying device type must not change. */
++ if (lapbeth)
++ return NOTIFY_BAD;
+ }
+
+ return NOTIFY_DONE;
+--
+2.53.0
+
--- /dev/null
+From 12cb5488f2a5a8f85ce8e10b31869a1175edac96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 22:46:20 +0800
+Subject: net: sched: act_csum: validate nested VLAN headers
+
+From: Ruide Cao <caoruide123@gmail.com>
+
+[ Upstream commit c842743d073bdd683606cb414eb0ca84465dd834 ]
+
+tcf_csum_act() walks nested VLAN headers directly from skb->data when an
+skb still carries in-payload VLAN tags. The current code reads
+vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without
+first ensuring that the full VLAN header is present in the linear area.
+
+If only part of an inner VLAN header is linearized, accessing
+h_vlan_encapsulated_proto reads past the linear area, and the following
+skb_pull(VLAN_HLEN) may violate skb invariants.
+
+Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and
+pulling each nested VLAN header. If the header still is not fully
+available, drop the packet through the existing error path.
+
+Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Ruide Cao <caoruide123@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_csum.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c
+index 5cc8e407e7911..8ea37c2c3c549 100644
+--- a/net/sched/act_csum.c
++++ b/net/sched/act_csum.c
+@@ -603,8 +603,12 @@ TC_INDIRECT_SCOPE int tcf_csum_act(struct sk_buff *skb,
+ protocol = skb->protocol;
+ orig_vlan_tag_present = true;
+ } else {
+- struct vlan_hdr *vlan = (struct vlan_hdr *)skb->data;
++ struct vlan_hdr *vlan;
+
++ if (!pskb_may_pull(skb, VLAN_HLEN))
++ goto drop;
++
++ vlan = (struct vlan_hdr *)skb->data;
+ protocol = vlan->h_vlan_encapsulated_proto;
+ skb_pull(skb, VLAN_HLEN);
+ skb_reset_network_header(skb);
+--
+2.53.0
+
--- /dev/null
+From 0630bb99c61e90c2a85eeb131cfc7b57c0f93742 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 13:23:33 +0000
+Subject: net: sfp: add quirks for Hisense and HSGQ GPON ONT SFP modules
+
+From: John Pavlick <jspavlick@posteo.net>
+
+[ Upstream commit 95aca8602ef70ffd3d971675751c81826e124f90 ]
+
+Several GPON ONT SFP sticks based on Realtek RTL960x report
+1000BASE-LX at 1300MBd in their EEPROM but can operate at 2500base-X.
+On hosts capable of 2500base-X (e.g. Banana Pi R3 / MT7986), the
+kernel negotiates only 1G because it trusts the incorrect EEPROM data.
+
+Add quirks for:
+- Hisense-Leox LXT-010S-H
+- Hisense ZNID-GPON-2311NA
+- HSGQ HSGQ-XPON-Stick
+
+Each quirk advertises 2500base-X and ignores TX_FAULT during the
+module's ~40s Linux boot time.
+
+Tested on Banana Pi R3 (MT7986) with OpenWrt 25.12.1, confirmed
+2.5Gbps link and full throughput with flow offloading.
+
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Suggested-by: Marcin Nita <marcin.nita@leolabs.pl>
+Signed-off-by: John Pavlick <jspavlick@posteo.net>
+Link: https://patch.msgid.link/20260406132321.72563-1-jspavlick@posteo.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/sfp.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
+index 9d9c1779da900..90ffba8f79520 100644
+--- a/drivers/net/phy/sfp.c
++++ b/drivers/net/phy/sfp.c
+@@ -536,6 +536,22 @@ static const struct sfp_quirk sfp_quirks[] = {
+ SFP_QUIRK("HUAWEI", "MA5671A", sfp_quirk_2500basex,
+ sfp_fixup_ignore_tx_fault_and_los),
+
++ // Hisense LXT-010S-H is a GPON ONT SFP (sold as LEOX LXT-010S-H) that
++ // can operate at 2500base-X, but reports 1000BASE-LX / 1300MBd in its
++ // EEPROM
++ SFP_QUIRK("Hisense-Leox", "LXT-010S-H", sfp_quirk_2500basex,
++ sfp_fixup_ignore_tx_fault),
++
++ // Hisense ZNID-GPON-2311NA can operate at 2500base-X, but reports
++ // 1000BASE-LX / 1300MBd in its EEPROM
++ SFP_QUIRK("Hisense", "ZNID-GPON-2311NA", sfp_quirk_2500basex,
++ sfp_fixup_ignore_tx_fault),
++
++ // HSGQ HSGQ-XPON-Stick can operate at 2500base-X, but reports
++ // 1000BASE-LX / 1300MBd in its EEPROM
++ SFP_QUIRK("HSGQ", "HSGQ-XPON-Stick", sfp_quirk_2500basex,
++ sfp_fixup_ignore_tx_fault),
++
+ // Lantech 8330-262D-E and 8330-265D can operate at 2500base-X, but
+ // incorrectly report 2500MBd NRZ in their EEPROM.
+ // Some 8330-265D modules have inverted LOS, while all of them report
+--
+2.53.0
+
--- /dev/null
+From 395d3e862d7c47c263527f7eb326c66a9f0547f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 11:29:39 +0100
+Subject: net: stmmac: Fix PTP ref clock for Tegra234
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+[ Upstream commit 1345e9f4e3f3bc7d8a0a2138ae29e205a857a555 ]
+
+Since commit 030ce919e114 ("net: stmmac: make sure that ptp_rate is not
+0 before configuring timestamping") was added the following error is
+observed on Tegra234:
+
+ ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate
+ WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed
+
+It turns out that the Tegra234 device-tree binding defines the PTP ref
+clock name as 'ptp-ref' and not 'ptp_ref' and the above commit now
+exposes this and that the PTP clock is not configured correctly.
+
+In order to update device-tree to use the correct 'ptp_ref' name, update
+the Tegra MGBE driver to use 'ptp_ref' by default and fallback to using
+'ptp-ref' if this clock name is present.
+
+Fixes: d8ca113724e7 ("net: stmmac: tegra: Add MGBE support")
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260401102941.17466-2-jonathanh@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/dwmac-tegra.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
+index 2996bcdea9a28..1e28ac9344771 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
+@@ -9,7 +9,7 @@
+ #include "stmmac_platform.h"
+
+ static const char *const mgbe_clks[] = {
+- "rx-pcs", "tx", "tx-pcs", "mac-divider", "mac", "mgbe", "ptp-ref", "mac"
++ "rx-pcs", "tx", "tx-pcs", "mac-divider", "mac", "mgbe", "ptp_ref", "mac"
+ };
+
+ struct tegra_mgbe {
+@@ -215,6 +215,7 @@ static int tegra_mgbe_probe(struct platform_device *pdev)
+ {
+ struct plat_stmmacenet_data *plat;
+ struct stmmac_resources res;
++ bool use_legacy_ptp = false;
+ struct tegra_mgbe *mgbe;
+ int irq, err, i;
+ u32 value;
+@@ -257,9 +258,23 @@ static int tegra_mgbe_probe(struct platform_device *pdev)
+ if (!mgbe->clks)
+ return -ENOMEM;
+
+- for (i = 0; i < ARRAY_SIZE(mgbe_clks); i++)
++ /* Older device-trees use 'ptp-ref' rather than 'ptp_ref'.
++ * Fall back when the legacy name is present.
++ */
++ if (of_property_match_string(pdev->dev.of_node, "clock-names",
++ "ptp-ref") >= 0)
++ use_legacy_ptp = true;
++
++ for (i = 0; i < ARRAY_SIZE(mgbe_clks); i++) {
+ mgbe->clks[i].id = mgbe_clks[i];
+
++ if (use_legacy_ptp && !strcmp(mgbe_clks[i], "ptp_ref")) {
++ dev_warn(mgbe->dev,
++ "Device-tree update needed for PTP clock!\n");
++ mgbe->clks[i].id = "ptp-ref";
++ }
++ }
++
+ err = devm_clk_bulk_get(mgbe->dev, ARRAY_SIZE(mgbe_clks), mgbe->clks);
+ if (err < 0)
+ return err;
+--
+2.53.0
+
--- /dev/null
+From 69a25f1e4133f816ff17461f2502b6fb99bad78b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2026 23:20:13 +0100
+Subject: net: txgbe: leave space for null terminators on property_entry
+
+From: Fabio Baltieri <fabio.baltieri@gmail.com>
+
+[ Upstream commit 5a37d228799b0ec2c277459c83c814a59d310bc3 ]
+
+Lists of struct property_entry are supposed to be terminated with an
+empty property, this driver currently seems to be allocating exactly the
+amount of entry used.
+
+Change the struct definition to leave an extra element for all
+property_entry.
+
+Fixes: c3e382ad6d15 ("net: txgbe: Add software nodes to support phylink")
+Signed-off-by: Fabio Baltieri <fabio.baltieri@gmail.com>
+Tested-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Link: https://patch.msgid.link/20260405222013.5347-1-fabio.baltieri@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h
+index 5fe415f3f2ca9..27f8db89a5c7e 100644
+--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h
++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h
+@@ -295,10 +295,10 @@ struct txgbe_nodes {
+ char i2c_name[32];
+ char sfp_name[32];
+ char phylink_name[32];
+- struct property_entry gpio_props[1];
+- struct property_entry i2c_props[3];
+- struct property_entry sfp_props[8];
+- struct property_entry phylink_props[2];
++ struct property_entry gpio_props[2];
++ struct property_entry i2c_props[4];
++ struct property_entry sfp_props[9];
++ struct property_entry phylink_props[3];
+ struct software_node_ref_args i2c_ref[1];
+ struct software_node_ref_args gpio0_ref[1];
+ struct software_node_ref_args gpio1_ref[1];
+--
+2.53.0
+
--- /dev/null
+From 0910f5d215de89acf8c15ec047a92c76a6379ed3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2026 17:39:47 +0800
+Subject: netfilter: ip6t_eui64: reject invalid MAC header for all packets
+
+From: Zhengchuan Liang <zcliangcn@gmail.com>
+
+[ Upstream commit fdce0b3590f724540795b874b4c8850c90e6b0a8 ]
+
+`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
+and compares it with the low 64 bits of the IPv6 source address.
+
+The existing guard only rejects an invalid MAC header when
+`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
+can still reach `eth_hdr(skb)` even when the MAC header is not valid.
+
+Fix this by removing the `par->fragoff != 0` condition so that packets
+with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/ip6t_eui64.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
+index d704f7ed300c2..da69a27e8332c 100644
+--- a/net/ipv6/netfilter/ip6t_eui64.c
++++ b/net/ipv6/netfilter/ip6t_eui64.c
+@@ -22,8 +22,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
+ unsigned char eui64[8];
+
+ if (!(skb_mac_header(skb) >= skb->head &&
+- skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
+- par->fragoff != 0) {
++ skb_mac_header(skb) + ETH_HLEN <= skb->data)) {
+ par->hotdrop = true;
+ return false;
+ }
+--
+2.53.0
+
--- /dev/null
+From 6b88de03c5c7964bd768d951f4ee486cff01ad97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 14:20:57 -0700
+Subject: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE
+ terminator
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit 1f3083aec8836213da441270cdb1ab612dd82cf4 ]
+
+When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send()
+appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via
+nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put()
+helper only zeroes alignment padding after the payload, not the payload
+itself, so four bytes of stale kernel heap data are leaked to userspace
+in the NLMSG_DONE message body.
+
+Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes
+the nfgenmsg payload via nfnl_fill_hdr(), consistent with how
+__build_packet_message() already constructs NFULNL_MSG_PACKET headers.
+
+Fixes: 29c5d4afba51 ("[NETFILTER]: nfnetlink_log: fix sending of multipart messages")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_log.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
+index f96421ad14afb..3da32d2f68e09 100644
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -361,10 +361,10 @@ static void
+ __nfulnl_send(struct nfulnl_instance *inst)
+ {
+ if (inst->qlen > 1) {
+- struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0,
+- NLMSG_DONE,
+- sizeof(struct nfgenmsg),
+- 0);
++ struct nlmsghdr *nlh = nfnl_msg_put(inst->skb, 0, 0,
++ NLMSG_DONE, 0,
++ AF_UNSPEC, NFNETLINK_V0,
++ htons(inst->group_num));
+ if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n",
+ inst->skb->len, skb_tailroom(inst->skb))) {
+ kfree_skb(inst->skb);
+--
+2.53.0
+
--- /dev/null
+From b5d33c89d512a5aa10d68fb6dc8e12009d212e98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 17:00:01 +0200
+Subject: netfilter: nfnetlink_queue: make hash table per queue
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 936206e3f6ff411581e615e930263d6f8b78df9d ]
+
+Sharing a global hash table among all queues is tempting, but
+it can cause crash:
+
+BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]
+[..]
+ nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]
+ nfnetlink_rcv_msg+0x46a/0x930
+ kmem_cache_alloc_node_noprof+0x11e/0x450
+
+struct nf_queue_entry is freed via kfree, but parallel cpu can still
+encounter such an nf_queue_entry when walking the list.
+
+Alternative fix is to free the nf_queue_entry via kfree_rcu() instead,
+but as we have to alloc/free for each skb this will cause more mem
+pressure.
+
+Cc: Scott Mitchell <scott.k.mitch1@gmail.com>
+Fixes: e19079adcd26 ("netfilter: nfnetlink_queue: optimize verdict lookup with hash table")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_queue.h | 1 -
+ net/netfilter/nfnetlink_queue.c | 139 +++++++++++--------------------
+ 2 files changed, 49 insertions(+), 91 deletions(-)
+
+diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
+index 45eb26b2e95b3..d17035d14d96c 100644
+--- a/include/net/netfilter/nf_queue.h
++++ b/include/net/netfilter/nf_queue.h
+@@ -23,7 +23,6 @@ struct nf_queue_entry {
+ struct nf_hook_state state;
+ bool nf_ct_is_unconfirmed;
+ u16 size; /* sizeof(entry) + saved route keys */
+- u16 queue_num;
+
+ /* extra space to store route keys */
+ };
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index 5ab750556e992..cc52ff7b7bcfc 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -49,8 +49,8 @@
+ #endif
+
+ #define NFQNL_QMAX_DEFAULT 1024
+-#define NFQNL_HASH_MIN 1024
+-#define NFQNL_HASH_MAX 1048576
++#define NFQNL_HASH_MIN 8
++#define NFQNL_HASH_MAX 32768
+
+ /* We're using struct nlattr which has 16bit nla_len. Note that nla_len
+ * includes the header length. Thus, the maximum packet length that we
+@@ -60,29 +60,10 @@
+ */
+ #define NFQNL_MAX_COPY_RANGE (0xffff - NLA_HDRLEN)
+
+-/* Composite key for packet lookup: (net, queue_num, packet_id) */
+-struct nfqnl_packet_key {
+- possible_net_t net;
+- u32 packet_id;
+- u16 queue_num;
+-} __aligned(sizeof(u32)); /* jhash2 requires 32-bit alignment */
+-
+-/* Global rhashtable - one for entire system, all netns */
+-static struct rhashtable nfqnl_packet_map __read_mostly;
+-
+-/* Helper to initialize composite key */
+-static inline void nfqnl_init_key(struct nfqnl_packet_key *key,
+- struct net *net, u32 packet_id, u16 queue_num)
+-{
+- memset(key, 0, sizeof(*key));
+- write_pnet(&key->net, net);
+- key->packet_id = packet_id;
+- key->queue_num = queue_num;
+-}
+-
+ struct nfqnl_instance {
+ struct hlist_node hlist; /* global list of queues */
+- struct rcu_head rcu;
++ struct rhashtable nfqnl_packet_map;
++ struct rcu_work rwork;
+
+ u32 peer_portid;
+ unsigned int queue_maxlen;
+@@ -106,6 +87,7 @@ struct nfqnl_instance {
+
+ typedef int (*nfqnl_cmpfn)(struct nf_queue_entry *, unsigned long);
+
++static struct workqueue_struct *nfq_cleanup_wq __read_mostly;
+ static unsigned int nfnl_queue_net_id __read_mostly;
+
+ #define INSTANCE_BUCKETS 16
+@@ -124,34 +106,10 @@ static inline u_int8_t instance_hashfn(u_int16_t queue_num)
+ return ((queue_num >> 8) ^ queue_num) % INSTANCE_BUCKETS;
+ }
+
+-/* Extract composite key from nf_queue_entry for hashing */
+-static u32 nfqnl_packet_obj_hashfn(const void *data, u32 len, u32 seed)
+-{
+- const struct nf_queue_entry *entry = data;
+- struct nfqnl_packet_key key;
+-
+- nfqnl_init_key(&key, entry->state.net, entry->id, entry->queue_num);
+-
+- return jhash2((u32 *)&key, sizeof(key) / sizeof(u32), seed);
+-}
+-
+-/* Compare stack-allocated key against entry */
+-static int nfqnl_packet_obj_cmpfn(struct rhashtable_compare_arg *arg,
+- const void *obj)
+-{
+- const struct nfqnl_packet_key *key = arg->key;
+- const struct nf_queue_entry *entry = obj;
+-
+- return !net_eq(entry->state.net, read_pnet(&key->net)) ||
+- entry->queue_num != key->queue_num ||
+- entry->id != key->packet_id;
+-}
+-
+ static const struct rhashtable_params nfqnl_rhashtable_params = {
+ .head_offset = offsetof(struct nf_queue_entry, hash_node),
+- .key_len = sizeof(struct nfqnl_packet_key),
+- .obj_hashfn = nfqnl_packet_obj_hashfn,
+- .obj_cmpfn = nfqnl_packet_obj_cmpfn,
++ .key_offset = offsetof(struct nf_queue_entry, id),
++ .key_len = sizeof(u32),
+ .automatic_shrinking = true,
+ .min_size = NFQNL_HASH_MIN,
+ .max_size = NFQNL_HASH_MAX,
+@@ -190,6 +148,10 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+ spin_lock_init(&inst->lock);
+ INIT_LIST_HEAD(&inst->queue_list);
+
++ err = rhashtable_init(&inst->nfqnl_packet_map, &nfqnl_rhashtable_params);
++ if (err < 0)
++ goto out_free;
++
+ spin_lock(&q->instances_lock);
+ if (instance_lookup(q, queue_num)) {
+ err = -EEXIST;
+@@ -210,6 +172,8 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+
+ out_unlock:
+ spin_unlock(&q->instances_lock);
++ rhashtable_destroy(&inst->nfqnl_packet_map);
++out_free:
+ kfree(inst);
+ return ERR_PTR(err);
+ }
+@@ -217,15 +181,18 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+ static void nfqnl_flush(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn,
+ unsigned long data);
+
+-static void
+-instance_destroy_rcu(struct rcu_head *head)
++static void instance_destroy_work(struct work_struct *work)
+ {
+- struct nfqnl_instance *inst = container_of(head, struct nfqnl_instance,
+- rcu);
++ struct nfqnl_instance *inst;
+
++ inst = container_of(to_rcu_work(work), struct nfqnl_instance,
++ rwork);
+ rcu_read_lock();
+ nfqnl_flush(inst, NULL, 0);
+ rcu_read_unlock();
++
++ rhashtable_destroy(&inst->nfqnl_packet_map);
++
+ kfree(inst);
+ module_put(THIS_MODULE);
+ }
+@@ -234,7 +201,9 @@ static void
+ __instance_destroy(struct nfqnl_instance *inst)
+ {
+ hlist_del_rcu(&inst->hlist);
+- call_rcu(&inst->rcu, instance_destroy_rcu);
++
++ INIT_RCU_WORK(&inst->rwork, instance_destroy_work);
++ queue_rcu_work(nfq_cleanup_wq, &inst->rwork);
+ }
+
+ static void
+@@ -250,9 +219,7 @@ __enqueue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry)
+ {
+ int err;
+
+- entry->queue_num = queue->queue_num;
+-
+- err = rhashtable_insert_fast(&nfqnl_packet_map, &entry->hash_node,
++ err = rhashtable_insert_fast(&queue->nfqnl_packet_map, &entry->hash_node,
+ nfqnl_rhashtable_params);
+ if (unlikely(err))
+ return err;
+@@ -266,23 +233,19 @@ __enqueue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry)
+ static void
+ __dequeue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry)
+ {
+- rhashtable_remove_fast(&nfqnl_packet_map, &entry->hash_node,
++ rhashtable_remove_fast(&queue->nfqnl_packet_map, &entry->hash_node,
+ nfqnl_rhashtable_params);
+ list_del(&entry->list);
+ queue->queue_total--;
+ }
+
+ static struct nf_queue_entry *
+-find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id,
+- struct net *net)
++find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id)
+ {
+- struct nfqnl_packet_key key;
+ struct nf_queue_entry *entry;
+
+- nfqnl_init_key(&key, net, id, queue->queue_num);
+-
+ spin_lock_bh(&queue->lock);
+- entry = rhashtable_lookup_fast(&nfqnl_packet_map, &key,
++ entry = rhashtable_lookup_fast(&queue->nfqnl_packet_map, &id,
+ nfqnl_rhashtable_params);
+
+ if (entry)
+@@ -1529,7 +1492,7 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info,
+
+ verdict = ntohl(vhdr->verdict);
+
+- entry = find_dequeue_entry(queue, ntohl(vhdr->id), info->net);
++ entry = find_dequeue_entry(queue, ntohl(vhdr->id));
+ if (entry == NULL)
+ return -ENOENT;
+
+@@ -1878,40 +1841,38 @@ static int __init nfnetlink_queue_init(void)
+ {
+ int status;
+
+- status = rhashtable_init(&nfqnl_packet_map, &nfqnl_rhashtable_params);
+- if (status < 0)
+- return status;
++ nfq_cleanup_wq = alloc_ordered_workqueue("nfq_workqueue", 0);
++ if (!nfq_cleanup_wq)
++ return -ENOMEM;
+
+ status = register_pernet_subsys(&nfnl_queue_net_ops);
+- if (status < 0) {
+- pr_err("failed to register pernet ops\n");
+- goto cleanup_rhashtable;
+- }
++ if (status < 0)
++ goto cleanup_pernet_subsys;
+
+- netlink_register_notifier(&nfqnl_rtnl_notifier);
+- status = nfnetlink_subsys_register(&nfqnl_subsys);
+- if (status < 0) {
+- pr_err("failed to create netlink socket\n");
+- goto cleanup_netlink_notifier;
+- }
++ status = netlink_register_notifier(&nfqnl_rtnl_notifier);
++ if (status < 0)
++ goto cleanup_rtnl_notifier;
+
+ status = register_netdevice_notifier(&nfqnl_dev_notifier);
+- if (status < 0) {
+- pr_err("failed to register netdevice notifier\n");
+- goto cleanup_netlink_subsys;
+- }
++ if (status < 0)
++ goto cleanup_dev_notifier;
++
++ status = nfnetlink_subsys_register(&nfqnl_subsys);
++ if (status < 0)
++ goto cleanup_nfqnl_subsys;
+
+ nf_register_queue_handler(&nfqh);
+
+ return status;
+
+-cleanup_netlink_subsys:
+- nfnetlink_subsys_unregister(&nfqnl_subsys);
+-cleanup_netlink_notifier:
++cleanup_nfqnl_subsys:
++ unregister_netdevice_notifier(&nfqnl_dev_notifier);
++cleanup_dev_notifier:
+ netlink_unregister_notifier(&nfqnl_rtnl_notifier);
++cleanup_rtnl_notifier:
+ unregister_pernet_subsys(&nfnl_queue_net_ops);
+-cleanup_rhashtable:
+- rhashtable_destroy(&nfqnl_packet_map);
++cleanup_pernet_subsys:
++ destroy_workqueue(nfq_cleanup_wq);
+ return status;
+ }
+
+@@ -1922,9 +1883,7 @@ static void __exit nfnetlink_queue_fini(void)
+ nfnetlink_subsys_unregister(&nfqnl_subsys);
+ netlink_unregister_notifier(&nfqnl_rtnl_notifier);
+ unregister_pernet_subsys(&nfnl_queue_net_ops);
+-
+- rhashtable_destroy(&nfqnl_packet_map);
+-
++ destroy_workqueue(nfq_cleanup_wq);
+ rcu_barrier(); /* Wait for completion of call_rcu()'s */
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 9a80bd4b2e47dc47267455d475171a2a7e6c27f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jan 2026 09:32:30 -0800
+Subject: netfilter: nfnetlink_queue: nfqnl_instance GFP_ATOMIC ->
+ GFP_KERNEL_ACCOUNT allocation
+
+From: Scott Mitchell <scott.k.mitch1@gmail.com>
+
+[ Upstream commit a4400a5b343d1bc4aa8f685608515413238e7ee2 ]
+
+Currently, instance_create() uses GFP_ATOMIC because it's called while
+holding instances_lock spinlock. This makes allocation more likely to
+fail under memory pressure.
+
+Refactor nfqnl_recv_config() to drop RCU lock after instance_lookup()
+and peer_portid verification. A socket cannot simultaneously send a
+message and close, so the queue owned by the sending socket cannot be
+destroyed while processing its CONFIG message. This allows
+instance_create() to allocate with GFP_KERNEL_ACCOUNT before taking
+the spinlock.
+
+Suggested-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Scott Mitchell <scott.k.mitch1@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Stable-dep-of: 936206e3f6ff ("netfilter: nfnetlink_queue: make hash table per queue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_queue.c | 75 +++++++++++++++------------------
+ 1 file changed, 34 insertions(+), 41 deletions(-)
+
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index df0232cf24ce2..5ab750556e992 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -178,17 +178,9 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+ unsigned int h;
+ int err;
+
+- spin_lock(&q->instances_lock);
+- if (instance_lookup(q, queue_num)) {
+- err = -EEXIST;
+- goto out_unlock;
+- }
+-
+- inst = kzalloc(sizeof(*inst), GFP_ATOMIC);
+- if (!inst) {
+- err = -ENOMEM;
+- goto out_unlock;
+- }
++ inst = kzalloc(sizeof(*inst), GFP_KERNEL_ACCOUNT);
++ if (!inst)
++ return ERR_PTR(-ENOMEM);
+
+ inst->queue_num = queue_num;
+ inst->peer_portid = portid;
+@@ -198,9 +190,15 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+ spin_lock_init(&inst->lock);
+ INIT_LIST_HEAD(&inst->queue_list);
+
++ spin_lock(&q->instances_lock);
++ if (instance_lookup(q, queue_num)) {
++ err = -EEXIST;
++ goto out_unlock;
++ }
++
+ if (!try_module_get(THIS_MODULE)) {
+ err = -EAGAIN;
+- goto out_free;
++ goto out_unlock;
+ }
+
+ h = instance_hashfn(queue_num);
+@@ -210,10 +208,9 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+
+ return inst;
+
+-out_free:
+- kfree(inst);
+ out_unlock:
+ spin_unlock(&q->instances_lock);
++ kfree(inst);
+ return ERR_PTR(err);
+ }
+
+@@ -1602,7 +1599,8 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info,
+ struct nfqnl_msg_config_cmd *cmd = NULL;
+ struct nfqnl_instance *queue;
+ __u32 flags = 0, mask = 0;
+- int ret = 0;
++
++ WARN_ON_ONCE(!lockdep_nfnl_is_held(NFNL_SUBSYS_QUEUE));
+
+ if (nfqa[NFQA_CFG_CMD]) {
+ cmd = nla_data(nfqa[NFQA_CFG_CMD]);
+@@ -1648,47 +1646,44 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info,
+ }
+ }
+
++ /* Lookup queue under RCU. After peer_portid check (or for new queue
++ * in BIND case), the queue is owned by the socket sending this message.
++ * A socket cannot simultaneously send a message and close, so while
++ * processing this CONFIG message, nfqnl_rcv_nl_event() (triggered by
++ * socket close) cannot destroy this queue. Safe to use without RCU.
++ */
+ rcu_read_lock();
+ queue = instance_lookup(q, queue_num);
+ if (queue && queue->peer_portid != NETLINK_CB(skb).portid) {
+- ret = -EPERM;
+- goto err_out_unlock;
++ rcu_read_unlock();
++ return -EPERM;
+ }
++ rcu_read_unlock();
+
+ if (cmd != NULL) {
+ switch (cmd->command) {
+ case NFQNL_CFG_CMD_BIND:
+- if (queue) {
+- ret = -EBUSY;
+- goto err_out_unlock;
+- }
+- queue = instance_create(q, queue_num,
+- NETLINK_CB(skb).portid);
+- if (IS_ERR(queue)) {
+- ret = PTR_ERR(queue);
+- goto err_out_unlock;
+- }
++ if (queue)
++ return -EBUSY;
++ queue = instance_create(q, queue_num, NETLINK_CB(skb).portid);
++ if (IS_ERR(queue))
++ return PTR_ERR(queue);
+ break;
+ case NFQNL_CFG_CMD_UNBIND:
+- if (!queue) {
+- ret = -ENODEV;
+- goto err_out_unlock;
+- }
++ if (!queue)
++ return -ENODEV;
+ instance_destroy(q, queue);
+- goto err_out_unlock;
++ return 0;
+ case NFQNL_CFG_CMD_PF_BIND:
+ case NFQNL_CFG_CMD_PF_UNBIND:
+ break;
+ default:
+- ret = -ENOTSUPP;
+- goto err_out_unlock;
++ return -EOPNOTSUPP;
+ }
+ }
+
+- if (!queue) {
+- ret = -ENODEV;
+- goto err_out_unlock;
+- }
++ if (!queue)
++ return -ENODEV;
+
+ if (nfqa[NFQA_CFG_PARAMS]) {
+ struct nfqnl_msg_config_params *params =
+@@ -1713,9 +1708,7 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info,
+ spin_unlock_bh(&queue->lock);
+ }
+
+-err_out_unlock:
+- rcu_read_unlock();
+- return ret;
++ return 0;
+ }
+
+ static const struct nfnl_callback nfqnl_cb[NFQNL_MSG_MAX] = {
+--
+2.53.0
+
--- /dev/null
+From d95d7c8dcd9e00e31095fdbba1fb96878bb520a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Mar 2026 14:10:55 +0100
+Subject: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
+ expiry
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit d3c0037ffe1273fa1961e779ff6906234d6cf53c ]
+
+New test case fails unexpectedly when avx2 matching functions are used.
+
+The test first loads a ranomly generated pipapo set
+with 'ipv4 . port' key, i.e. nft -f foo.
+
+This works. Then, it reloads the set after a flush:
+(echo flush set t s; cat foo) | nft -f -
+
+This is expected to work, because its the same set after all and it was
+already loaded once.
+
+But with avx2, this fails: nft reports a clashing element.
+
+The reported clash is of following form:
+
+ We successfully re-inserted
+ a . b
+ c . d
+
+Then we try to insert a . d
+
+avx2 finds the already existing a . d, which (due to 'flush set') is marked
+as invalid in the new generation. It skips the element and moves to next.
+
+Due to incorrect masking, the skip-step finds the next matching
+element *only considering the first field*,
+
+i.e. we return the already reinserted "a . b", even though the
+last field is different and the entry should not have been matched.
+
+No such error is reported for the generic c implementation (no avx2) or when
+the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.
+
+Bisection points to
+7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection")
+but that fix merely uncovers this bug.
+
+Before this commit, the wrong element is returned, but erronously
+reported as a full, identical duplicate.
+
+The root-cause is too early return in the avx2 match functions.
+When we process the last field, we should continue to process data
+until the entire input size has been consumed to make sure no stale
+bits remain in the map.
+
+Link: https://lore.kernel.org/netfilter-devel/20260321152506.037f68c0@elisabeth/
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_pipapo_avx2.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
+index 39e356c9687a9..9d5ada57aa6fe 100644
+--- a/net/netfilter/nft_set_pipapo_avx2.c
++++ b/net/netfilter/nft_set_pipapo_avx2.c
+@@ -242,7 +242,7 @@ static int nft_pipapo_avx2_lookup_4b_2(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -319,7 +319,7 @@ static int nft_pipapo_avx2_lookup_4b_4(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -414,7 +414,7 @@ static int nft_pipapo_avx2_lookup_4b_8(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -505,7 +505,7 @@ static int nft_pipapo_avx2_lookup_4b_12(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -641,7 +641,7 @@ static int nft_pipapo_avx2_lookup_4b_32(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -699,7 +699,7 @@ static int nft_pipapo_avx2_lookup_8b_1(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -764,7 +764,7 @@ static int nft_pipapo_avx2_lookup_8b_2(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -839,7 +839,7 @@ static int nft_pipapo_avx2_lookup_8b_4(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -925,7 +925,7 @@ static int nft_pipapo_avx2_lookup_8b_6(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -1019,7 +1019,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+--
+2.53.0
+
--- /dev/null
+From 964b0fcd7be43fb526d8f148f4049dd942d0f7d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 23:52:52 +0800
+Subject: netfilter: xt_multiport: validate range encoding in checkentry
+
+From: Ren Wei <n05ec@lzu.edu.cn>
+
+[ Upstream commit ff64c5bfef12461df8450e0f50bb693b5269c720 ]
+
+ports_match_v1() treats any non-zero pflags entry as the start of a
+port range and unconditionally consumes the next ports[] element as
+the range end.
+
+The checkentry path currently validates protocol, flags and count, but
+it does not validate the range encoding itself. As a result, malformed
+rules can mark the last slot as a range start or place two range starts
+back to back, leaving ports_match_v1() to step past the last valid
+ports[] element while interpreting the rule.
+
+Reject malformed multiport v1 rules in checkentry by validating that
+each range start has a following element and that the following element
+is not itself marked as another range start.
+
+Fixes: a89ecb6a2ef7 ("[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Yuhang Zheng <z1652074432@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_multiport.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
+index 44a00f5acde8a..a1691ff405d3c 100644
+--- a/net/netfilter/xt_multiport.c
++++ b/net/netfilter/xt_multiport.c
+@@ -105,6 +105,28 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
+ return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1]));
+ }
+
++static bool
++multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo)
++{
++ unsigned int i;
++
++ for (i = 0; i < multiinfo->count; i++) {
++ if (!multiinfo->pflags[i])
++ continue;
++
++ if (++i >= multiinfo->count)
++ return false;
++
++ if (multiinfo->pflags[i])
++ return false;
++
++ if (multiinfo->ports[i - 1] > multiinfo->ports[i])
++ return false;
++ }
++
++ return true;
++}
++
+ static inline bool
+ check(u_int16_t proto,
+ u_int8_t ip_invflags,
+@@ -127,8 +149,10 @@ static int multiport_mt_check(const struct xt_mtchk_param *par)
+ const struct ipt_ip *ip = par->entryinfo;
+ const struct xt_multiport_v1 *multiinfo = par->matchinfo;
+
+- return check(ip->proto, ip->invflags, multiinfo->flags,
+- multiinfo->count) ? 0 : -EINVAL;
++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count))
++ return -EINVAL;
++
++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL;
+ }
+
+ static int multiport_mt6_check(const struct xt_mtchk_param *par)
+@@ -136,8 +160,10 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par)
+ const struct ip6t_ip6 *ip = par->entryinfo;
+ const struct xt_multiport_v1 *multiinfo = par->matchinfo;
+
+- return check(ip->proto, ip->invflags, multiinfo->flags,
+- multiinfo->count) ? 0 : -EINVAL;
++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count))
++ return -EINVAL;
++
++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL;
+ }
+
+ static struct xt_match multiport_mt_reg[] __read_mostly = {
+--
+2.53.0
+
--- /dev/null
+From b5a32b46055a43cc823e3f3529942c7db8802c2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 12:21:48 +0800
+Subject: nfc: s3fwrn5: allocate rx skb before consuming bytes
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 5c14a19d5b1645cce1cb1252833d70b23635b632 ]
+
+s3fwrn82_uart_read() reports the number of accepted bytes to the serdev
+core. The current code consumes bytes into recv_skb and may already
+deliver a complete frame before allocating a fresh receive buffer.
+
+If that alloc_skb() fails, the callback returns 0 even though it has
+already consumed bytes, and it leaves recv_skb as NULL for the next
+receive callback. That breaks the receive_buf() accounting contract and
+can also lead to a NULL dereference on the next skb_put_u8().
+
+Allocate the receive skb lazily before consuming the next byte instead.
+If allocation fails, return the number of bytes already accepted.
+
+Fixes: 3f52c2cb7e3a ("nfc: s3fwrn5: Support a UART interface")
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Link: https://patch.msgid.link/20260402042148.65236-1-pengpeng@iscas.ac.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/s3fwrn5/uart.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nfc/s3fwrn5/uart.c b/drivers/nfc/s3fwrn5/uart.c
+index 9c09c10c2a464..4ee481bd7e965 100644
+--- a/drivers/nfc/s3fwrn5/uart.c
++++ b/drivers/nfc/s3fwrn5/uart.c
+@@ -58,6 +58,12 @@ static size_t s3fwrn82_uart_read(struct serdev_device *serdev,
+ size_t i;
+
+ for (i = 0; i < count; i++) {
++ if (!phy->recv_skb) {
++ phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL);
++ if (!phy->recv_skb)
++ return i;
++ }
++
+ skb_put_u8(phy->recv_skb, *data++);
+
+ if (phy->recv_skb->len < S3FWRN82_NCI_HEADER)
+@@ -69,9 +75,7 @@ static size_t s3fwrn82_uart_read(struct serdev_device *serdev,
+
+ s3fwrn5_recv_frame(phy->common.ndev, phy->recv_skb,
+ phy->common.mode);
+- phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL);
+- if (!phy->recv_skb)
+- return 0;
++ phy->recv_skb = NULL;
+ }
+
+ return i;
+--
+2.53.0
+
--- /dev/null
+From c7cf1c792550296a7c59d0d2879e5f017075ac66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 14:07:42 -0700
+Subject: PCI: hv: Set default NUMA node to 0 for devices without affinity info
+
+From: Long Li <longli@microsoft.com>
+
+[ Upstream commit 7b3b1e5a87b2f5e35c52b5386d7c327be869454f ]
+
+When hv_pci_assign_numa_node() processes a device that does not have
+HV_PCI_DEVICE_FLAG_NUMA_AFFINITY set or has an out-of-range
+virtual_numa_node, the device NUMA node is left unset. On x86_64,
+the uninitialized default happens to be 0, but on ARM64 it is
+NUMA_NO_NODE (-1).
+
+Tests show that when no NUMA information is available from the Hyper-V
+host, devices perform best when assigned to node 0. With NUMA_NO_NODE
+the kernel may spread work across NUMA nodes, which degrades
+performance on Hyper-V, particularly for high-throughput devices like
+MANA.
+
+Always set the device NUMA node to 0 before the conditional NUMA
+affinity check, so that devices get a performant default when the host
+provides no NUMA information, and behavior is consistent on both
+x86_64 and ARM64.
+
+Fixes: 999dd956d838 ("PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2")
+Signed-off-by: Long Li <longli@microsoft.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-hyperv.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
+index cdd5be16021dd..e87e54acff4b0 100644
+--- a/drivers/pci/controller/pci-hyperv.c
++++ b/drivers/pci/controller/pci-hyperv.c
+@@ -2364,6 +2364,14 @@ static void hv_pci_assign_numa_node(struct hv_pcibus_device *hbus)
+ if (!hv_dev)
+ continue;
+
++ /*
++ * If the Hyper-V host doesn't provide a NUMA node for the
++ * device, default to node 0. With NUMA_NO_NODE the kernel
++ * may spread work across NUMA nodes, which degrades
++ * performance on Hyper-V.
++ */
++ set_dev_node(&dev->dev, 0);
++
+ if (hv_dev->desc.flags & HV_PCI_DEVICE_FLAG_NUMA_AFFINITY &&
+ hv_dev->desc.virtual_numa_node < num_possible_nodes())
+ /*
+--
+2.53.0
+
--- /dev/null
+From 7c04f1c79a469467c39e85f9e30a81f0d4ea25ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 10:40:48 -0700
+Subject: perf/x86/intel/uncore: Skip discovery table for offline dies
+
+From: Zide Chen <zide.chen@intel.com>
+
+[ Upstream commit 7b568e9eba2fad89a696f22f0413d44cf4a1f892 ]
+
+This warning can be triggered if NUMA is disabled and the system
+boots with fewer CPUs than the number of CPUs in die 0.
+
+WARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore]
+
+Currently, the discovery table continues to be parsed even if all CPUs
+in the associated die are offline. This can lead to an array overflow
+at "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which may
+trigger the warning above or cause other issues.
+
+Fixes: edae1f06c2cd ("perf/x86/intel/uncore: Parse uncore discovery tables")
+Reported-by: Steve Wahl <steve.wahl@hpe.com>
+Signed-off-by: Zide Chen <zide.chen@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Tested-by: Steve Wahl <steve.wahl@hpe.com>
+Link: https://patch.msgid.link/20260313174050.171704-3-zide.chen@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore_discovery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/events/intel/uncore_discovery.c b/arch/x86/events/intel/uncore_discovery.c
+index 571e44b496910..aad35190ccf64 100644
+--- a/arch/x86/events/intel/uncore_discovery.c
++++ b/arch/x86/events/intel/uncore_discovery.c
+@@ -374,7 +374,7 @@ bool intel_uncore_has_discovery_tables(int *ignore)
+ (val & UNCORE_DISCOVERY_DVSEC2_BIR_MASK) * UNCORE_DISCOVERY_BIR_STEP;
+
+ die = get_device_die_id(dev);
+- if (die < 0)
++ if ((die < 0) || (die >= uncore_max_dies()))
+ continue;
+
+ parse_discovery_table(dev, die, bar_offset, &parsed, ignore);
+--
+2.53.0
+
--- /dev/null
+From ffdf32a806bf489767abf7fdb1773e175cc6d263 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 18:14:04 +0100
+Subject: pinctrl: intel: Fix the revision for new features (1kOhm PD, HW
+ debouncer)
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit a4337a24d13e9e3b98a113e71d6b80dc5ed5f8c4 ]
+
+The 1kOhm pull down and hardware debouncer are features of the revision 0.92
+of the Chassis specification. Fix that in the code accordingly.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/intel/pinctrl-intel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c
+index f8abc69a39d16..5d147a3a49389 100644
+--- a/drivers/pinctrl/intel/pinctrl-intel.c
++++ b/drivers/pinctrl/intel/pinctrl-intel.c
+@@ -1588,7 +1588,7 @@ int intel_pinctrl_probe(struct platform_device *pdev,
+ value = readl(regs + REVID);
+ if (value == ~0u)
+ return -ENODEV;
+- if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x94) {
++ if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x92) {
+ community->features |= PINCTRL_FEATURE_DEBOUNCE;
+ community->features |= PINCTRL_FEATURE_1K_PD;
+ }
+--
+2.53.0
+
--- /dev/null
+From 8b28f6f2d623c4f1537a2d8aed2e81f095db11f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Mar 2026 16:16:41 -0500
+Subject: platform/x86/amd: pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 1a9452c428a6b76f0b797bae21daa454fccef1a2 ]
+
+This platform is a similar vintage of platforms that had a BIOS bug
+leading to a 10s delay at resume from s0i3.
+
+Add a quirk for it.
+
+Reported-by: Imrane <ihalim.me@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221273
+Tested-by: Imrane <ihalim.me@gmail.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://patch.msgid.link/20260324211647.357924-1-mario.limonciello@amd.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/amd/pmc/pmc-quirks.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/amd/pmc/pmc-quirks.c b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+index a6006b4ec2cc0..a3921f8106c12 100644
+--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c
++++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+@@ -197,6 +197,15 @@ static const struct dmi_system_id fwbug_list[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "82XQ"),
+ }
+ },
++ /* https://bugzilla.kernel.org/show_bug.cgi?id=221273 */
++ {
++ .ident = "Thinkpad L14 Gen3",
++ .driver_data = &quirk_s2idle_bug,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "21C6"),
++ }
++ },
+ /* https://gitlab.freedesktop.org/drm/amd/-/issues/4434 */
+ {
+ .ident = "Lenovo Yoga 6 13ALC6",
+--
+2.53.0
+
--- /dev/null
+From 6c1b424f1480f5407a9d73cb6b6c15233f215b3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 14:22:46 -0700
+Subject: platform/x86: asus-nb-wmi: add DMI quirk for ASUS ROG Flow Z13-KJP
+ GZ302EAC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Schwartz <matthew.schwartz@linux.dev>
+
+[ Upstream commit 0198d2743207d67f995cd6df89e267e1b9f5e1f1 ]
+
+The ASUS ROG Flow Z13-KJP GZ302EAC model uses sys_vendor name ASUS
+rather than ASUSTeK COMPUTER INC., but it needs the same folio quirk as
+the other ROG Flow Z13. To keep things simple, just match on sys_vendor
+ASUS since it covers both.
+
+Signed-off-by: Matthew Schwartz <matthew.schwartz@linux.dev>
+Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
+Reviewed-by: Denis Benato <denis.benato@linux.dev>
+Link: https://patch.msgid.link/20260312212246.1608080-1-matthew.schwartz@linux.dev
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/asus-nb-wmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c
+index 1955495ea95f4..10bdb1a431819 100644
+--- a/drivers/platform/x86/asus-nb-wmi.c
++++ b/drivers/platform/x86/asus-nb-wmi.c
+@@ -547,7 +547,7 @@ static const struct dmi_system_id asus_quirks[] = {
+ .callback = dmi_matched,
+ .ident = "ASUS ROG Z13",
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_SYS_VENDOR, "ASUS"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "ROG Flow Z13"),
+ },
+ .driver_data = &quirk_asus_z13,
+--
+2.53.0
+
--- /dev/null
+From 01acaa5e2e0eeb324e1f4e2023313be706d4f942 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Feb 2026 15:27:43 +0000
+Subject: RDMA/irdma: Fix double free related to rereg_user_mr
+
+From: Jacob Moroni <jmoroni@google.com>
+
+[ Upstream commit 29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2 ]
+
+If IB_MR_REREG_TRANS is set during rereg_user_mr, the
+umem will be released and a new one will be allocated
+in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans
+fails after the new umem is allocated, it releases the umem,
+but does not set iwmr->region to NULL. The problem is that
+this failure is propagated to the user, who will then call
+ibv_dereg_mr (as they should). Then, the dereg_mr path will
+see a non-NULL umem and attempt to call ib_umem_release again.
+
+Fix this by setting iwmr->region to NULL after ib_umem_release.
+
+Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region")
+Signed-off-by: Jacob Moroni <jmoroni@google.com>
+Link: https://patch.msgid.link/20260227152743.1183388-1-jmoroni@google.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/verbs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
+index 1f267dea6460e..0b9cf175ed73b 100644
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -3210,6 +3210,7 @@ static int irdma_rereg_mr_trans(struct irdma_mr *iwmr, u64 start, u64 len,
+
+ err:
+ ib_umem_release(region);
++ iwmr->region = NULL;
+ return err;
+ }
+
+--
+2.53.0
+
--- /dev/null
+From b97ef761d8d543a392f0a6b782f294bcba2326b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2026 12:22:44 +0200
+Subject: sched/deadline: Use revised wakeup rule for dl_server
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 14a857056466be9d3d907a94e92a704ac1be149b ]
+
+John noted that commit 115135422562 ("sched/deadline: Fix 'stuck' dl_server")
+unfixed the issue from commit a3a70caf7906 ("sched/deadline: Fix dl_server
+behaviour").
+
+The issue in commit 115135422562 was for wakeups of the server after the
+deadline; in which case you *have* to start a new period. The case for
+a3a70caf7906 is wakeups before the deadline.
+
+Now, because the server is effectively running a least-laxity policy, it means
+that any wakeup during the runnable phase means dl_entity_overflow() will be
+true. This means we need to adjust the runtime to allow it to still run until
+the existing deadline expires.
+
+Use the revised wakeup rule for dl_defer entities.
+
+Fixes: 115135422562 ("sched/deadline: Fix 'stuck' dl_server")
+Reported-by: John Stultz <jstultz@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Juri Lelli <juri.lelli@redhat.com>
+Tested-by: John Stultz <jstultz@google.com>
+Link: https://patch.msgid.link/20260404102244.GB22575@noisy.programming.kicks-ass.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/deadline.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index 8acdd97538546..1ef891f8e3f2f 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -1079,7 +1079,7 @@ static void update_dl_entity(struct sched_dl_entity *dl_se)
+ if (dl_time_before(dl_se->deadline, rq_clock(rq)) ||
+ dl_entity_overflow(dl_se, rq_clock(rq))) {
+
+- if (unlikely(!dl_is_implicit(dl_se) &&
++ if (unlikely((!dl_is_implicit(dl_se) || dl_se->dl_defer) &&
+ !dl_time_before(dl_se->deadline, rq_clock(rq)) &&
+ !is_dl_boosted(dl_se))) {
+ update_dl_revised_wakeup(dl_se, rq);
+--
+2.53.0
+
--- /dev/null
+From 87cd701c21dca17e347b386181e869e72c2fdf80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2026 22:29:19 +0100
+Subject: selftests: net: bridge_vlan_mcast: wait for h1 before querier check
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit efaa71faf212324ecbf6d5339e9717fe53254f58 ]
+
+The querier-interval test adds h1 (currently a slave of the VRF created
+by simple_if_init) to a temporary bridge br1 acting as an outside IGMP
+querier. The kernel VRF driver (drivers/net/vrf.c) calls cycle_netdev()
+on every slave add and remove, toggling the interface admin-down then up.
+Phylink takes the PHY down during the admin-down half of that cycle.
+Since h1 and swp1 are cable-connected, swp1 also loses its link may need
+several seconds to re-negotiate.
+
+Use setup_wait_dev $h1 0 which waits for h1 to return to UP state, so the
+test can rely on the link being back up at this point.
+
+Fixes: 4d8610ee8bd77 ("selftests: net: bridge: add vlan mcast_querier_interval tests")
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Reviewed-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Link: https://patch.msgid.link/c830f130860fd2efae08bfb9e5b25fd028e58ce5.1775424423.git.daniel@makrotopia.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
+index 72dfbeaf56b92..e8031f68200ad 100755
+--- a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
++++ b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
+@@ -414,6 +414,7 @@ vlmc_querier_intvl_test()
+ bridge vlan add vid 10 dev br1 self pvid untagged
+ ip link set dev $h1 master br1
+ ip link set dev br1 up
++ setup_wait_dev $h1 0
+ bridge vlan add vid 10 dev $h1 master
+ bridge vlan global set vid 10 dev br1 mcast_snooping 1 mcast_querier 1
+ sleep 2
+--
+2.53.0
+
--- /dev/null
+rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch
+asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch
+alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch
+alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch
+media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch
+alsa-asihpi-avoid-write-overflow-check-warning.patch
+bluetooth-hci_sync-annotate-data-races-around-hdev-r.patch
+asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch
+asoc-sof-topology-reject-invalid-vendor-array-size-i.patch
+can-mcp251x-add-error-handling-for-power-enable-in-o.patch
+platform-x86-asus-nb-wmi-add-dmi-quirk-for-asus-rog-.patch
+btrfs-tracepoints-get-correct-superblock-from-dentry.patch
+alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch
+drm-amdgpu-handle-gpu-page-faults-correctly-on-non-4.patch
+srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch
+netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch
+alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch
+wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch
+asoc-soc-core-call-missing-init_list_head-for-card_a.patch
+alsa-hda-realtek-add-quirk-for-samsung-book2-pro-360.patch
+alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch
+fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch
+asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch
+alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch
+pinctrl-intel-fix-the-revision-for-new-features-1koh.patch
+platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch
+hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch
+alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch-5945
+hid-roccat-fix-use-after-free-in-roccat_report_event.patch
+ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch
+wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch
+net-sfp-add-quirks-for-hisense-and-hsgq-gpon-ont-sfp.patch
+asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch
+soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch
+arm64-dts-qcom-hamoa-x1-fix-idle-exit-latency.patch
+arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch
+arm64-dts-imx93-9x9-qsb-change-usdhc-tuning-step-for.patch
+arm64-dts-imx93-tqma9352-improve-emmc-pad-configurat.patch
+soc-qcom-pd-mapper-fix-element-length-in-servreg_loc.patch
+tools-power-turbostat-fix-microcode-patch-level-outp.patch
+pci-hv-set-default-numa-node-to-0-for-devices-withou.patch
+hid-amd_sfh-don-t-log-error-when-device-discovery-fa.patch
+xfrm-account-xfrma_if_id-in-aevent-size-calculation.patch
+drm-vc4-release-runtime-pm-reference-after-binding-v.patch
+drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch
+drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch
+drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch
+eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch
+net-sched-act_csum-validate-nested-vlan-headers.patch
+net-lapbether-handle-netdev_pre_type_change.patch
+ipv4-nexthop-avoid-duplicate-nha_hw_stats_enable-on-.patch
+ipv4-nexthop-allocate-skb-dynamically-in-rtm_get_nex.patch
+ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch
+net-increase-ip_tunnel_recursion_limit-to-5.patch
+nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch
+net-stmmac-fix-ptp-ref-clock-for-tegra234.patch
+dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch
+tracing-probe-reject-non-closed-empty-immediate-stri.patch
+ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch
+e1000-check-return-value-of-e1000_read_eeprom.patch
+xsk-tighten-umem-headroom-validation-to-account-for-.patch
+xsk-respect-tailroom-for-zc-setups.patch
+xsk-fix-xdp_umem_sg_flag-issues.patch
+xsk-validate-mtu-against-usable-frame-size-on-bind.patch
+xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch
+xfrm-fix-refcount-leak-in-xfrm_migrate_policy_find.patch
+xfrm_user-fix-info-leak-in-build_mapping.patch
+selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch
+ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch
+netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch
+netfilter-xt_multiport-validate-range-encoding-in-ch.patch
+netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch
+netfilter-nfnetlink_queue-nfqnl_instance-gfp_atomic-.patch
+netfilter-nfnetlink_queue-make-hash-table-per-queue.patch
+net-txgbe-leave-space-for-null-terminators-on-proper.patch
+af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch
+net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch
+net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch
+l2tp-drop-large-packets-with-udp-encap.patch
+gpio-tegra-fix-irq_release_resources-calling-enable-.patch
+crypto-af_alg-limit-rx-sg-extraction-by-receive-buff.patch
+perf-x86-intel-uncore-skip-discovery-table-for-offli.patch
+sched-deadline-use-revised-wakeup-rule-for-dl_server.patch
+clockevents-prevent-timer-interrupt-starvation.patch
+crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch
--- /dev/null
+From 6bfe47b12319df64f77d1a8b0887c66dd2cd3199 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jan 2026 16:37:56 +0800
+Subject: soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching
+
+From: Potin Lai <potin.lai.pt@gmail.com>
+
+[ Upstream commit 7ec1bd3d9be671d04325b9e06149b8813f6a4836 ]
+
+The siliconid_to_name() function currently masks the input silicon ID
+with 0xff00ffff, but compares it against unmasked table entries. This
+causes matching to fail if the table entries contain non-zero values in
+the bits covered by the mask (bits 16-23).
+
+Update the logic to apply the 0xff00ffff mask to the table entries
+during comparison. This ensures that only the relevant model and
+revision bits are considered, providing a consistent match across
+different manufacturing batches.
+
+[arj: Add Fixes: tag, fix 'soninfo' typo, clarify function reference]
+
+Fixes: e0218dca5787 ("soc: aspeed: Add soc info driver")
+Signed-off-by: Potin Lai <potin.lai.pt@gmail.com>
+Link: https://patch.msgid.link/20260122-soc_aspeed_name_fix-v1-1-33a847f2581c@gmail.com
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/aspeed/aspeed-socinfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspeed-socinfo.c
+index 67e9ac3d08ecc..a90b100f4d101 100644
+--- a/drivers/soc/aspeed/aspeed-socinfo.c
++++ b/drivers/soc/aspeed/aspeed-socinfo.c
+@@ -39,7 +39,7 @@ static const char *siliconid_to_name(u32 siliconid)
+ unsigned int i;
+
+ for (i = 0 ; i < ARRAY_SIZE(rev_table) ; ++i) {
+- if (rev_table[i].id == id)
++ if ((rev_table[i].id & 0xff00ffff) == id)
+ return rev_table[i].name;
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 072b856a00bd7eb44ba3dd98cfcafb750eeeea57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jan 2026 20:53:20 +0530
+Subject: soc: qcom: pd-mapper: Fix element length in servreg_loc_pfr_req_ei
+
+From: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+
+[ Upstream commit 641f6fda143b879da1515f821ee475073678cf2a ]
+
+It looks element length declared in servreg_loc_pfr_req_ei for reason
+not matching servreg_loc_pfr_req's reason field due which we could
+observe decoding error on PD crash.
+
+ qmi_decode_string_elem: String len 81 >= Max Len 65
+
+Fix this by matching with servreg_loc_pfr_req's reason field.
+
+Fixes: 1ebcde047c54 ("soc: qcom: add pd-mapper implementation")
+Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Tested-by: Nikita Travkin <nikita@trvn.ru>
+Link: https://lore.kernel.org/r/20260129152320.3658053-2-mukesh.ojha@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/pdr_internal.h | 2 +-
+ drivers/soc/qcom/qcom_pdr_msg.c | 2 +-
+ include/linux/soc/qcom/pdr.h | 1 +
+ 3 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/qcom/pdr_internal.h b/drivers/soc/qcom/pdr_internal.h
+index 8d17f7fb79e78..f5499663e5887 100644
+--- a/drivers/soc/qcom/pdr_internal.h
++++ b/drivers/soc/qcom/pdr_internal.h
+@@ -84,7 +84,7 @@ struct servreg_set_ack_resp {
+
+ struct servreg_loc_pfr_req {
+ char service[SERVREG_NAME_LENGTH + 1];
+- char reason[257];
++ char reason[SERVREG_PFR_LENGTH + 1];
+ };
+
+ struct servreg_loc_pfr_resp {
+diff --git a/drivers/soc/qcom/qcom_pdr_msg.c b/drivers/soc/qcom/qcom_pdr_msg.c
+index bf3e4a47165e3..6e65f1e9f5ec9 100644
+--- a/drivers/soc/qcom/qcom_pdr_msg.c
++++ b/drivers/soc/qcom/qcom_pdr_msg.c
+@@ -326,7 +326,7 @@ const struct qmi_elem_info servreg_loc_pfr_req_ei[] = {
+ },
+ {
+ .data_type = QMI_STRING,
+- .elem_len = SERVREG_NAME_LENGTH + 1,
++ .elem_len = SERVREG_PFR_LENGTH + 1,
+ .elem_size = sizeof(char),
+ .array_type = VAR_LEN_ARRAY,
+ .tlv_type = 0x02,
+diff --git a/include/linux/soc/qcom/pdr.h b/include/linux/soc/qcom/pdr.h
+index 83a8ea612e69a..2b7691e47c2a9 100644
+--- a/include/linux/soc/qcom/pdr.h
++++ b/include/linux/soc/qcom/pdr.h
+@@ -5,6 +5,7 @@
+ #include <linux/soc/qcom/qmi.h>
+
+ #define SERVREG_NAME_LENGTH 64
++#define SERVREG_PFR_LENGTH 256
+
+ struct pdr_service;
+ struct pdr_handle;
+--
+2.53.0
+
--- /dev/null
+From a5f2a6e457ca8fe205976269d9d835b398a03f94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 20:14:18 -0400
+Subject: srcu: Use irq_work to start GP in tiny SRCU
+
+From: Joel Fernandes <joelagnelf@nvidia.com>
+
+[ Upstream commit a6fc88b22bc8d12ad52e8412c667ec0f5bf055af ]
+
+Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(),
+which acquires the workqueue pool->lock.
+
+This causes a lockdep splat when call_srcu() is called with a scheduler
+lock held, due to:
+
+ call_srcu() [holding pi_lock]
+ srcu_gp_start_if_needed()
+ schedule_work() -> pool->lock
+
+ workqueue_init() / create_worker() [holding pool->lock]
+ wake_up_process() -> try_to_wake_up() -> pi_lock
+
+Also add irq_work_sync() to cleanup_srcu_struct() to prevent a
+use-after-free if a queued irq_work fires after cleanup begins.
+
+Tested with rcutorture SRCU-T and no lockdep warnings.
+
+[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work
+to start process_srcu()" ]
+
+Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
+Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Boqun Feng <boqun@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/srcutiny.h | 4 ++++
+ kernel/rcu/srcutiny.c | 19 ++++++++++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/srcutiny.h b/include/linux/srcutiny.h
+index 4d96bbdb45f08..6f39d3d8ef879 100644
+--- a/include/linux/srcutiny.h
++++ b/include/linux/srcutiny.h
+@@ -11,6 +11,7 @@
+ #ifndef _LINUX_SRCU_TINY_H
+ #define _LINUX_SRCU_TINY_H
+
++#include <linux/irq_work_types.h>
+ #include <linux/swait.h>
+
+ struct srcu_struct {
+@@ -24,18 +25,21 @@ struct srcu_struct {
+ struct rcu_head *srcu_cb_head; /* Pending callbacks: Head. */
+ struct rcu_head **srcu_cb_tail; /* Pending callbacks: Tail. */
+ struct work_struct srcu_work; /* For driving grace periods. */
++ struct irq_work srcu_irq_work; /* Defer schedule_work() to irq work. */
+ #ifdef CONFIG_DEBUG_LOCK_ALLOC
+ struct lockdep_map dep_map;
+ #endif /* #ifdef CONFIG_DEBUG_LOCK_ALLOC */
+ };
+
+ void srcu_drive_gp(struct work_struct *wp);
++void srcu_tiny_irq_work(struct irq_work *irq_work);
+
+ #define __SRCU_STRUCT_INIT(name, __ignored, ___ignored) \
+ { \
+ .srcu_wq = __SWAIT_QUEUE_HEAD_INITIALIZER(name.srcu_wq), \
+ .srcu_cb_tail = &name.srcu_cb_head, \
+ .srcu_work = __WORK_INITIALIZER(name.srcu_work, srcu_drive_gp), \
++ .srcu_irq_work = { .func = srcu_tiny_irq_work }, \
+ __SRCU_DEP_MAP_INIT(name) \
+ }
+
+diff --git a/kernel/rcu/srcutiny.c b/kernel/rcu/srcutiny.c
+index 4dcbf8aa80ff7..ddea40b68e5f6 100644
+--- a/kernel/rcu/srcutiny.c
++++ b/kernel/rcu/srcutiny.c
+@@ -9,6 +9,7 @@
+ */
+
+ #include <linux/export.h>
++#include <linux/irq_work.h>
+ #include <linux/mutex.h>
+ #include <linux/preempt.h>
+ #include <linux/rcupdate_wait.h>
+@@ -37,6 +38,7 @@ static int init_srcu_struct_fields(struct srcu_struct *ssp)
+ ssp->srcu_idx_max = 0;
+ INIT_WORK(&ssp->srcu_work, srcu_drive_gp);
+ INIT_LIST_HEAD(&ssp->srcu_work.entry);
++ init_irq_work(&ssp->srcu_irq_work, srcu_tiny_irq_work);
+ return 0;
+ }
+
+@@ -80,6 +82,7 @@ EXPORT_SYMBOL_GPL(init_srcu_struct);
+ void cleanup_srcu_struct(struct srcu_struct *ssp)
+ {
+ WARN_ON(ssp->srcu_lock_nesting[0] || ssp->srcu_lock_nesting[1]);
++ irq_work_sync(&ssp->srcu_irq_work);
+ flush_work(&ssp->srcu_work);
+ WARN_ON(ssp->srcu_gp_running);
+ WARN_ON(ssp->srcu_gp_waiting);
+@@ -168,6 +171,20 @@ void srcu_drive_gp(struct work_struct *wp)
+ }
+ EXPORT_SYMBOL_GPL(srcu_drive_gp);
+
++/*
++ * Use an irq_work to defer schedule_work() to avoid acquiring the workqueue
++ * pool->lock while the caller might hold scheduler locks, causing lockdep
++ * splats due to workqueue_init() doing a wakeup.
++ */
++void srcu_tiny_irq_work(struct irq_work *irq_work)
++{
++ struct srcu_struct *ssp;
++
++ ssp = container_of(irq_work, struct srcu_struct, srcu_irq_work);
++ schedule_work(&ssp->srcu_work);
++}
++EXPORT_SYMBOL_GPL(srcu_tiny_irq_work);
++
+ static void srcu_gp_start_if_needed(struct srcu_struct *ssp)
+ {
+ unsigned long cookie;
+@@ -181,7 +198,7 @@ static void srcu_gp_start_if_needed(struct srcu_struct *ssp)
+ WRITE_ONCE(ssp->srcu_idx_max, cookie);
+ if (!READ_ONCE(ssp->srcu_gp_running)) {
+ if (likely(srcu_init_done))
+- schedule_work(&ssp->srcu_work);
++ irq_work_queue(&ssp->srcu_irq_work);
+ else if (list_empty(&ssp->srcu_work.entry))
+ list_add(&ssp->srcu_work.entry, &srcu_boot_list);
+ }
+--
+2.53.0
+
--- /dev/null
+From feedb06ba6fa11416fa6dc46adc398b9439a5801 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:16:03 -0500
+Subject: tools/power/turbostat: Fix microcode patch level output for AMD/Hygon
+
+From: Serhii Pievniev <spevnev16@gmail.com>
+
+[ Upstream commit a444083286434ec1fd127c5da11a3091e6013008 ]
+
+turbostat always used the same logic to read the microcode patch level,
+which is correct for Intel but not for AMD/Hygon.
+While Intel stores the patch level in the upper 32 bits of MSR, AMD
+stores it in the lower 32 bits, which causes turbostat to report the
+microcode version as 0x0 on AMD/Hygon.
+
+Fix by shifting right by 32 for non-AMD/Hygon, preserving the existing
+behavior for Intel and unknown vendors.
+
+Fixes: 3e4048466c39 ("tools/power turbostat: Add --no-msr option")
+Signed-off-by: Serhii Pievniev <spevnev16@gmail.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 86ffe7e06a146..fb1c65f6ff9de 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -8058,10 +8058,13 @@ void process_cpuid()
+ edx_flags = edx;
+
+ if (!no_msr) {
+- if (get_msr(sched_getcpu(), MSR_IA32_UCODE_REV, &ucode_patch))
++ if (get_msr(sched_getcpu(), MSR_IA32_UCODE_REV, &ucode_patch)) {
+ warnx("get_msr(UCODE)");
+- else
++ } else {
+ ucode_patch_valid = true;
++ if (!authentic_amd && !hygon_genuine)
++ ucode_patch >>= 32;
++ }
+ }
+
+ /*
+@@ -8076,7 +8079,7 @@ void process_cpuid()
+ fprintf(outf, "CPUID(1): family:model:stepping 0x%x:%x:%x (%d:%d:%d)",
+ family, model, stepping, family, model, stepping);
+ if (ucode_patch_valid)
+- fprintf(outf, " microcode 0x%x", (unsigned int)((ucode_patch >> 32) & 0xFFFFFFFF));
++ fprintf(outf, " microcode 0x%x", (unsigned int)ucode_patch);
+ fputc('\n', outf);
+
+ fprintf(outf, "CPUID(0x80000000): max_extended_levels: 0x%x\n", max_extended_level);
+--
+2.53.0
+
--- /dev/null
+From 27c53eb9c2f574425c43f5bd55c0a648de8db3d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 00:03:15 +0800
+Subject: tracing/probe: reject non-closed empty immediate strings
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 4346be6577aaa04586167402ae87bbdbe32484a4 ]
+
+parse_probe_arg() accepts quoted immediate strings and passes the body
+after the opening quote to __parse_imm_string(). That helper currently
+computes strlen(str) and immediately dereferences str[len - 1], which
+underflows when the body is empty and not closed with double-quotation.
+
+Reject empty non-closed immediate strings before checking for the closing quote.
+
+Link: https://lore.kernel.org/all/20260401160315.88518-1-pengpeng@iscas.ac.cn/
+
+Fixes: a42e3c4de964 ("tracing/probe: Add immediate string parameter support")
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_probe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
+index 055f5164bd96f..1b937923d118b 100644
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -1040,7 +1040,7 @@ static int __parse_imm_string(char *str, char **pbuf, int offs)
+ {
+ size_t len = strlen(str);
+
+- if (str[len - 1] != '"') {
++ if (!len || str[len - 1] != '"') {
+ trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE);
+ return -EINVAL;
+ }
+--
+2.53.0
+
--- /dev/null
+From 77ba8a7d10526752d6d123aaf9be517982c7ef2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 15:45:51 +0800
+Subject: wifi: brcmfmac: validate bsscfg indices in IF events
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ]
+
+brcmf_fweh_handle_if_event() validates the firmware-provided interface
+index before it touches drvr->iflist[], but it still uses the raw
+bsscfgidx field as an array index without a matching range check.
+
+Reject IF events whose bsscfg index does not fit in drvr->iflist[]
+before indexing the interface array.
+
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn
+[add missing wifi prefix]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+index f0b6a7607f160..0e44615964669 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+@@ -152,6 +152,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr,
+ bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx);
+ return;
+ }
++ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) {
++ bphy_err(drvr, "invalid bsscfg index: %u\n",
++ ifevent->bsscfgidx);
++ return;
++ }
+
+ ifp = drvr->iflist[ifevent->bsscfgidx];
+
+--
+2.53.0
+
--- /dev/null
+From 7c766f48d0299e80efec9ca07d6f6025118b37d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 16:08:45 +0800
+Subject: wifi: wl1251: validate packet IDs before indexing tx_frames
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 ]
+
+wl1251_tx_packet_cb() uses the firmware completion ID directly to index
+the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the
+completion block, and the callback does not currently verify that it
+fits the array before dereferencing it.
+
+Reject completion IDs that fall outside wl->tx_frames[] and keep the
+existing NULL check in the same guard. This keeps the fix local to the
+trust boundary and avoids touching the rest of the completion flow.
+
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl1251/tx.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c
+index adb4840b04893..c264d83e71d9c 100644
+--- a/drivers/net/wireless/ti/wl1251/tx.c
++++ b/drivers/net/wireless/ti/wl1251/tx.c
+@@ -402,12 +402,14 @@ static void wl1251_tx_packet_cb(struct wl1251 *wl,
+ int hdrlen;
+ u8 *frame;
+
+- skb = wl->tx_frames[result->id];
+- if (skb == NULL) {
+- wl1251_error("SKB for packet %d is NULL", result->id);
++ if (unlikely(result->id >= ARRAY_SIZE(wl->tx_frames) ||
++ wl->tx_frames[result->id] == NULL)) {
++ wl1251_error("invalid packet id %u", result->id);
+ return;
+ }
+
++ skb = wl->tx_frames[result->id];
++
+ info = IEEE80211_SKB_CB(skb);
+
+ if (!(info->flags & IEEE80211_TX_CTL_NO_ACK) &&
+--
+2.53.0
+
--- /dev/null
+From 4492f9bdfc073c091a4b9fa88c1ff60123f46626 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Mar 2026 20:36:39 +0800
+Subject: xfrm: account XFRMA_IF_ID in aevent size calculation
+
+From: Keenan Dong <keenanat2000@gmail.com>
+
+[ Upstream commit 7081d46d32312f1a31f0e0e99c6835a394037599 ]
+
+xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then
+build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is
+set.
+
+xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states
+with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0)
+in xfrm_get_ae(), turning a malformed netlink interaction into a kernel
+panic.
+
+Account XFRMA_IF_ID in the size calculation unconditionally and replace
+the BUG_ON with normal error unwinding.
+
+Fixes: 7e6526404ade ("xfrm: Add a new lookup key to match xfrm interfaces.")
+Reported-by: Keenan Dong <keenanat2000@gmail.com>
+Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 6aed7ae900130..9516655e92f19 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -2601,7 +2601,8 @@ static inline unsigned int xfrm_aevent_msgsize(struct xfrm_state *x)
+ + nla_total_size(4) /* XFRM_AE_RTHR */
+ + nla_total_size(4) /* XFRM_AE_ETHR */
+ + nla_total_size(sizeof(x->dir)) /* XFRMA_SA_DIR */
+- + nla_total_size(4); /* XFRMA_SA_PCPU */
++ + nla_total_size(4) /* XFRMA_SA_PCPU */
++ + nla_total_size(sizeof(x->if_id)); /* XFRMA_IF_ID */
+ }
+
+ static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c)
+@@ -2713,7 +2714,12 @@ static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
+ c.portid = nlh->nlmsg_pid;
+
+ err = build_aevent(r_skb, x, &c);
+- BUG_ON(err < 0);
++ if (err < 0) {
++ spin_unlock_bh(&x->lock);
++ xfrm_state_put(x);
++ kfree_skb(r_skb);
++ return err;
++ }
+
+ err = nlmsg_unicast(net->xfrm.nlsk, r_skb, NETLINK_CB(skb).portid);
+ spin_unlock_bh(&x->lock);
+--
+2.53.0
+
--- /dev/null
+From 1720bcc7e3f03267a28799a1d760ea80d2974d25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2026 12:05:20 +0300
+Subject: xfrm: fix refcount leak in xfrm_migrate_policy_find
+
+From: Kotlyarov Mihail <mihailkotlyarow@gmail.com>
+
+[ Upstream commit 83317cce60a032c49480dcdabe146435bd689d03 ]
+
+syzkaller reported a memory leak in xfrm_policy_alloc:
+
+ BUG: memory leak
+ unreferenced object 0xffff888114d79000 (size 1024):
+ comm "syz.1.17", pid 931
+ ...
+ xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432
+
+The root cause is a double call to xfrm_pol_hold_rcu() in
+xfrm_migrate_policy_find(). The lookup function already returns
+a policy with held reference, making the second call redundant.
+
+Remove the redundant xfrm_pol_hold_rcu() call to fix the refcount
+imbalance and prevent the memory leak.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 563d5ca93e88 ("xfrm: switch migrate to xfrm_policy_lookup_bytype")
+Signed-off-by: Kotlyarov Mihail <mihailkotlyarow@gmail.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_policy.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 5fa648a5abe96..fca07f8e60749 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -4516,9 +4516,6 @@ static struct xfrm_policy *xfrm_migrate_policy_find(const struct xfrm_selector *
+ pol = xfrm_policy_lookup_bytype(net, type, &fl, sel->family, dir, if_id);
+ if (IS_ERR_OR_NULL(pol))
+ goto out_unlock;
+-
+- if (!xfrm_pol_hold_rcu(pol))
+- pol = NULL;
+ out_unlock:
+ rcu_read_unlock();
+ return pol;
+--
+2.53.0
+
--- /dev/null
+From 4f1b431c0d202fd57fdc675540f55cbb548ee62e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 13:31:04 +0200
+Subject: xfrm: Wait for RCU readers during policy netns exit
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+[ Upstream commit 069daad4f2ae9c5c108131995529d5f02392c446 ]
+
+xfrm_policy_fini() frees the policy_bydst hash tables after flushing the
+policy work items and deleting all policies, but it does not wait for
+concurrent RCU readers to leave their read-side critical sections first.
+
+The policy_bydst tables are published via rcu_assign_pointer() and are
+looked up through rcu_dereference_check(), so netns teardown must also
+wait for an RCU grace period before freeing the table memory.
+
+Fix this by adding synchronize_rcu() before freeing the policy hash tables.
+
+Fixes: e1e551bc5630 ("xfrm: policy: prepare policy_bydst hash for rcu lookups")
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_policy.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index f4713ab7996f2..5fa648a5abe96 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -4278,6 +4278,8 @@ static void xfrm_policy_fini(struct net *net)
+ #endif
+ xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false);
+
++ synchronize_rcu();
++
+ WARN_ON(!list_empty(&net->xfrm.policy_all));
+
+ for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
+--
+2.53.0
+
--- /dev/null
+From 300dd8c40477ada8a0b80d03a3a890f8bae2e45e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 17:33:03 +0200
+Subject: xfrm_user: fix info leak in build_mapping()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit 1beb76b2053b68c491b78370794b8ff63c8f8c02 ]
+
+struct xfrm_usersa_id has a one-byte padding hole after the proto
+field, which ends up never getting set to zero before copying out to
+userspace. Fix that up by zeroing out the whole structure before
+setting individual variables.
+
+Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink")
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Simon Horman <horms@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 9516655e92f19..c00c33c39f20c 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -4062,6 +4062,7 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x,
+
+ um = nlmsg_data(nlh);
+
++ memset(&um->id, 0, sizeof(um->id));
+ memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr));
+ um->id.spi = x->id.spi;
+ um->id.family = x->props.family;
+--
+2.53.0
+
--- /dev/null
+From 4acc23285a0156590944fa692cab1816d1914e19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:53 +0200
+Subject: xsk: fix XDP_UMEM_SG_FLAG issues
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 93e84fe45b752d17a5a46b306ed78f0133bbc719 ]
+
+Currently xp_assign_dev_shared() is missing XDP_USE_SG being propagated
+to flags so set it in order to preserve mtu check that is supposed to be
+done only when no multi-buffer setup is in picture.
+
+Also, this flag has the same value as XDP_UMEM_TX_SW_CSUM so we could
+get unexpected SG setups for software Tx checksums. Since csum flag is
+UAPI, modify value of XDP_UMEM_SG_FLAG.
+
+Fixes: d609f3d228a8 ("xsk: add multi-buffer support for sockets sharing umem")
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-4-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xdp_sock.h | 2 +-
+ net/xdp/xsk_buff_pool.c | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/xdp_sock.h b/include/net/xdp_sock.h
+index df3f5f07bc7c2..98491d774d826 100644
+--- a/include/net/xdp_sock.h
++++ b/include/net/xdp_sock.h
+@@ -14,7 +14,7 @@
+ #include <linux/mm.h>
+ #include <net/sock.h>
+
+-#define XDP_UMEM_SG_FLAG (1 << 1)
++#define XDP_UMEM_SG_FLAG BIT(3)
+
+ struct net_device;
+ struct xsk_queue;
+diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
+index 9db08365fcb00..a9d8aa83f8000 100644
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -255,6 +255,10 @@ int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_sock *umem_xs,
+ return -EINVAL;
+
+ flags = umem->zc ? XDP_ZEROCOPY : XDP_COPY;
++
++ if (umem->flags & XDP_UMEM_SG_FLAG)
++ flags |= XDP_USE_SG;
++
+ if (umem_xs->pool->uses_need_wakeup)
+ flags |= XDP_USE_NEED_WAKEUP;
+
+--
+2.53.0
+
--- /dev/null
+From 582408a91c38d360f86de8b5308f8321fba90479 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:52 +0200
+Subject: xsk: respect tailroom for ZC setups
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 1ee1605138fc94cc8f8f273321dd2471c64977f9 ]
+
+Multi-buffer XDP stores information about frags in skb_shared_info that
+sits at the tailroom of a packet. The storage space is reserved via
+xdp_data_hard_end():
+
+ ((xdp)->data_hard_start + (xdp)->frame_sz - \
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)))
+
+and then we refer to it via macro below:
+
+static inline struct skb_shared_info *
+xdp_get_shared_info_from_buff(const struct xdp_buff *xdp)
+{
+ return (struct skb_shared_info *)xdp_data_hard_end(xdp);
+}
+
+Currently we do not respect this tailroom space in multi-buffer AF_XDP
+ZC scenario. To address this, introduce xsk_pool_get_tailroom() and use
+it within xsk_pool_get_rx_frame_size() which is used in ZC drivers to
+configure length of HW Rx buffer.
+
+Typically drivers on Rx Hw buffers side work on 128 byte alignment so
+let us align the value returned by xsk_pool_get_rx_frame_size() in order
+to avoid addressing this on driver's side. This addresses the fact that
+idpf uses mentioned function *before* pool->dev being set so we were at
+risk that after subtracting tailroom we would not provide 128-byte
+aligned value to HW.
+
+Since xsk_pool_get_rx_frame_size() is actively used in xsk_rcv_check()
+and __xsk_rcv(), add a variant of this routine that will not include 128
+byte alignment and therefore old behavior is preserved.
+
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-3-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xdp_sock_drv.h | 23 ++++++++++++++++++++++-
+ net/xdp/xsk.c | 4 ++--
+ 2 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/xdp_sock_drv.h b/include/net/xdp_sock_drv.h
+index 997e28dd38963..075bc09046463 100644
+--- a/include/net/xdp_sock_drv.h
++++ b/include/net/xdp_sock_drv.h
+@@ -37,16 +37,37 @@ static inline u32 xsk_pool_get_headroom(struct xsk_buff_pool *pool)
+ return XDP_PACKET_HEADROOM + pool->headroom;
+ }
+
++static inline u32 xsk_pool_get_tailroom(bool mbuf)
++{
++ return mbuf ? SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) : 0;
++}
++
+ static inline u32 xsk_pool_get_chunk_size(struct xsk_buff_pool *pool)
+ {
+ return pool->chunk_size;
+ }
+
+-static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool)
++static inline u32 __xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool)
+ {
+ return xsk_pool_get_chunk_size(pool) - xsk_pool_get_headroom(pool);
+ }
+
++static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool)
++{
++ u32 frame_size = __xsk_pool_get_rx_frame_size(pool);
++ struct xdp_umem *umem = pool->umem;
++ bool mbuf;
++
++ /* Reserve tailroom only for zero-copy pools that opted into
++ * multi-buffer. The reserved area is used for skb_shared_info,
++ * matching the XDP core's xdp_data_hard_end() layout.
++ */
++ mbuf = pool->dev && (umem->flags & XDP_UMEM_SG_FLAG);
++ frame_size -= xsk_pool_get_tailroom(mbuf);
++
++ return ALIGN_DOWN(frame_size, 128);
++}
++
+ static inline u32 xsk_pool_get_rx_frag_step(struct xsk_buff_pool *pool)
+ {
+ return pool->unaligned ? 0 : xsk_pool_get_chunk_size(pool);
+diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
+index ed1aeaded9be7..da7e11e3bfad2 100644
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -231,7 +231,7 @@ static u32 xsk_copy_xdp(void *to, void **from, u32 to_len,
+
+ static int __xsk_rcv(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len)
+ {
+- u32 frame_size = xsk_pool_get_rx_frame_size(xs->pool);
++ u32 frame_size = __xsk_pool_get_rx_frame_size(xs->pool);
+ void *copy_from = xsk_copy_xdp_start(xdp), *copy_to;
+ u32 from_len, meta_len, rem, num_desc;
+ struct xdp_buff_xsk *xskb;
+@@ -323,7 +323,7 @@ static int xsk_rcv_check(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len)
+ if (xs->dev != xdp->rxq->dev || xs->queue_id != xdp->rxq->queue_index)
+ return -EINVAL;
+
+- if (len > xsk_pool_get_rx_frame_size(xs->pool) && !xs->sg) {
++ if (len > __xsk_pool_get_rx_frame_size(xs->pool) && !xs->sg) {
+ xs->rx_dropped++;
+ return -ENOSPC;
+ }
+--
+2.53.0
+
--- /dev/null
+From 9ab9f9f12a971916fc2a6df5824cad1c932bfc09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:51 +0200
+Subject: xsk: tighten UMEM headroom validation to account for tailroom and min
+ frame
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit a315e022a72d95ef5f1d4e58e903cb492b0ad931 ]
+
+The current headroom validation in xdp_umem_reg() could leave us with
+insufficient space dedicated to even receive minimum-sized ethernet
+frame. Furthermore if multi-buffer would come to play then
+skb_shared_info stored at the end of XSK frame would be corrupted.
+
+HW typically works with 128-aligned sizes so let us provide this value
+as bare minimum.
+
+Multi-buffer setting is known later in the configuration process so
+besides accounting for 128 bytes, let us also take care of tailroom space
+upfront.
+
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Fixes: 99e3a236dd43 ("xsk: Add missing check on user supplied headroom size")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-2-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xdp_umem.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
+index 9f76ca591d54f..9ec7bd948acc7 100644
+--- a/net/xdp/xdp_umem.c
++++ b/net/xdp/xdp_umem.c
+@@ -202,7 +202,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+ if (!unaligned_chunks && chunks_rem)
+ return -EINVAL;
+
+- if (headroom >= chunk_size - XDP_PACKET_HEADROOM)
++ if (headroom > chunk_size - XDP_PACKET_HEADROOM -
++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) - 128)
+ return -EINVAL;
+
+ if (mr->flags & XDP_UMEM_TX_METADATA_LEN) {
+--
+2.53.0
+
--- /dev/null
+From 02f86df8900c5858454003a0883f1168d8e4c05f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:54 +0200
+Subject: xsk: validate MTU against usable frame size on bind
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 36ee60b569ba0dfb6f961333b90d19ab5b323fa9 ]
+
+AF_XDP bind currently accepts zero-copy pool configurations without
+verifying that the device MTU fits into the usable frame space provided
+by the UMEM chunk.
+
+This becomes a problem since we started to respect tailroom which is
+subtracted from chunk_size (among with headroom). 2k chunk size might
+not provide enough space for standard 1500 MTU, so let us catch such
+settings at bind time. Furthermore, validate whether underlying HW will
+be able to satisfy configured MTU wrt XSK's frame size multiplied by
+supported Rx buffer chain length (that is exposed via
+net_device::xdp_zc_max_segs).
+
+Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX")
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-5-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xsk_buff_pool.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
+index a9d8aa83f8000..04fe499f76782 100644
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -8,6 +8,8 @@
+ #include "xdp_umem.h"
+ #include "xsk.h"
+
++#define ETH_PAD_LEN (ETH_HLEN + 2 * VLAN_HLEN + ETH_FCS_LEN)
++
+ void xp_add_xsk(struct xsk_buff_pool *pool, struct xdp_sock *xs)
+ {
+ unsigned long flags;
+@@ -163,8 +165,12 @@ static void xp_disable_drv_zc(struct xsk_buff_pool *pool)
+ int xp_assign_dev(struct xsk_buff_pool *pool,
+ struct net_device *netdev, u16 queue_id, u16 flags)
+ {
++ u32 needed = netdev->mtu + ETH_PAD_LEN;
++ u32 segs = netdev->xdp_zc_max_segs;
++ bool mbuf = flags & XDP_USE_SG;
+ bool force_zc, force_copy;
+ struct netdev_bpf bpf;
++ u32 frame_size;
+ int err = 0;
+
+ ASSERT_RTNL();
+@@ -184,7 +190,7 @@ int xp_assign_dev(struct xsk_buff_pool *pool,
+ if (err)
+ return err;
+
+- if (flags & XDP_USE_SG)
++ if (mbuf)
+ pool->umem->flags |= XDP_UMEM_SG_FLAG;
+
+ if (flags & XDP_USE_NEED_WAKEUP)
+@@ -206,8 +212,24 @@ int xp_assign_dev(struct xsk_buff_pool *pool,
+ goto err_unreg_pool;
+ }
+
+- if (netdev->xdp_zc_max_segs == 1 && (flags & XDP_USE_SG)) {
+- err = -EOPNOTSUPP;
++ if (mbuf) {
++ if (segs == 1) {
++ err = -EOPNOTSUPP;
++ goto err_unreg_pool;
++ }
++ } else {
++ segs = 1;
++ }
++
++ /* open-code xsk_pool_get_rx_frame_size() as pool->dev is not
++ * set yet at this point; we are before getting down to driver
++ */
++ frame_size = __xsk_pool_get_rx_frame_size(pool) -
++ xsk_pool_get_tailroom(mbuf);
++ frame_size = ALIGN_DOWN(frame_size, 128);
++
++ if (needed > frame_size * segs) {
++ err = -EINVAL;
+ goto err_unreg_pool;
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 12d9c81e785f361326ff4b188955594440f9479f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 16:00:14 +0800
+Subject: af_unix: read UNIX_DIAG_VFS data under unix_state_lock
+
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+
+[ Upstream commit 39897df386376912d561d4946499379effa1e7ef ]
+
+Exact UNIX diag lookups hold a reference to the socket, but not to
+u->path. Meanwhile, unix_release_sock() clears u->path under
+unix_state_lock() and drops the path reference after unlocking.
+
+Read the inode and device numbers for UNIX_DIAG_VFS while holding
+unix_state_lock(), then emit the netlink attribute after dropping the
+lock.
+
+This keeps the VFS data stable while the reply is being built.
+
+Fixes: 5f7b0569460b ("unix_diag: Unix inode info NLA")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260407080015.1744197-1-n05ec@lzu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/diag.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/net/unix/diag.c b/net/unix/diag.c
+index ca34730261510..c9c1e51c44196 100644
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -28,18 +28,23 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb)
+
+ static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb)
+ {
+- struct dentry *dentry = unix_sk(sk)->path.dentry;
++ struct unix_diag_vfs uv;
++ struct dentry *dentry;
++ bool have_vfs = false;
+
++ unix_state_lock(sk);
++ dentry = unix_sk(sk)->path.dentry;
+ if (dentry) {
+- struct unix_diag_vfs uv = {
+- .udiag_vfs_ino = d_backing_inode(dentry)->i_ino,
+- .udiag_vfs_dev = dentry->d_sb->s_dev,
+- };
+-
+- return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);
++ uv.udiag_vfs_ino = d_backing_inode(dentry)->i_ino;
++ uv.udiag_vfs_dev = dentry->d_sb->s_dev;
++ have_vfs = true;
+ }
++ unix_state_unlock(sk);
+
+- return 0;
++ if (!have_vfs)
++ return 0;
++
++ return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);
+ }
+
+ static int sk_diag_dump_peer(struct sock *sk, struct sk_buff *nlskb)
+--
+2.53.0
+
--- /dev/null
+From f04ce8fa1f356b8a39da64962b55424a0ffb5a22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 13:40:07 +0100
+Subject: ALSA: asihpi: avoid write overflow check warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 591721223be9e28f83489a59289579493b8e3d83 ]
+
+clang-22 rightfully warns that the memcpy() in adapter_prepare() copies
+between different structures, crossing the boundary of nested
+structures inside it:
+
+In file included from sound/pci/asihpi/hpimsgx.c:13:
+In file included from include/linux/string.h:386:
+include/linux/fortify-string.h:569:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
+ 569 | __write_overflow_field(p_size_field, size);
+
+The two structures seem to refer to the same layout, despite the
+separate definitions, so the code is in fact correct.
+
+Avoid the warning by copying the two inner structures separately.
+I see the same pattern happens in other functions in the same file,
+so there is a chance that this may come back in the future, but
+this instance is the only one that I saw in practice, hitting it
+multiple times per day in randconfig build.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://patch.msgid.link/20260318124016.3488566-1-arnd@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/asihpi/hpimsgx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c
+index b68e6bfbbfbab..ed1c7b7744361 100644
+--- a/sound/pci/asihpi/hpimsgx.c
++++ b/sound/pci/asihpi/hpimsgx.c
+@@ -581,8 +581,10 @@ static u16 adapter_prepare(u16 adapter)
+ HPI_ADAPTER_OPEN);
+ hm.adapter_index = adapter;
+ hw_entry_point(&hm, &hr);
+- memcpy(&rESP_HPI_ADAPTER_OPEN[adapter], &hr,
+- sizeof(rESP_HPI_ADAPTER_OPEN[0]));
++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].h, &hr,
++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].h));
++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].a, &hr.u.ax.info,
++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].a));
+ if (hr.error)
+ return hr.error;
+
+--
+2.53.0
+
--- /dev/null
+From b7e3c0f957c5ad2dd74904eba92c55b23a2c3da6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 01:08:51 +0000
+Subject: ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk
+
+From: Andrii Kovalchuk <coderpy4@proton.me>
+
+[ Upstream commit 793b008cd39516385791a1d1d223d817e947a471 ]
+
+Add a PCI quirk for HP ENVY Laptop 13-ba0xxx (PCI device ID 0x8756)
+to enable proper mute LED and mic mute behavior using the
+ALC245_FIXUP_HP_X360_MUTE_LEDS fixup.
+
+Signed-off-by: Andrii Kovalchuk <coderpy4@proton.me>
+Link: https://patch.msgid.link/u0s-uRVegF9BN0t-4JnOUwsIAR-mVc4U4FJfJHdEHX7ro_laErHD9y35NebWybcN16gVaVHPJo1ap3AoJ1a2gqJImPvThgeNt_SYVY1KaDw=@proton.me
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index 0654850687447..1b64292220ac8 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -6732,6 +6732,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8735, "HP ProBook 435 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT),
++ SND_PCI_QUIRK(0x103c, 0x8756, "HP ENVY Laptop 13-ba0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS),
+ SND_PCI_QUIRK(0x103c, 0x8760, "HP EliteBook 8{4,5}5 G7", ALC285_FIXUP_HP_BEEP_MICMUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x876e, "HP ENVY x360 Convertible 13-ay0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS),
+ SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED),
+--
+2.53.0
+
--- /dev/null
+From 67ee51e8abc5aa81a531daafd73e4254c7e46b5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 22:07:50 +0530
+Subject: ALSA: hda/realtek: add HP Laptop 15-fd0xxx mute LED quirk
+
+From: Kshamendra Kumar Mishra <kshamendrakumarmishra@gmail.com>
+
+[ Upstream commit faceb5cf5d7a08f4a40335d22d833bb75f05d99e ]
+
+HP Laptop 15-fd0xxx with ALC236 codec does not handle the toggling of
+the mute LED.
+This patch adds a quirk entry for subsystem ID 0x8dd7 using
+ALC236_FIXUP_HP_MUTE_LED_COEFBIT2 fixup, enabling correct mute LED
+behavior.
+
+Signed-off-by: Kshamendra Kumar Mishra <kshamendrakumarmishra@gmail.com>
+Link: https://patch.msgid.link/DHAB51ISUM96.2K9SZIABIDEQ0@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index c782a35f9239d..0c975005793e7 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -6977,6 +6977,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8da7, "HP 14 Enstrom OmniBook X", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8da8, "HP 16 Piston OmniBook X", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8dd4, "HP EliteStudio 8 AIO", ALC274_FIXUP_HP_AIO_BIND_DACS),
++ SND_PCI_QUIRK(0x103c, 0x8dd7, "HP Laptop 15-fd0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x8de8, "HP Gemtree", ALC245_FIXUP_TAS2781_SPI_2),
+ SND_PCI_QUIRK(0x103c, 0x8de9, "HP Gemtree", ALC245_FIXUP_TAS2781_SPI_2),
+ SND_PCI_QUIRK(0x103c, 0x8dec, "HP EliteBook 640 G12", ALC236_FIXUP_HP_GPIO_LED),
+--
+2.53.0
+
--- /dev/null
+From 8435a302b6fb251a01424c6767b23d6ce649dfa1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Mar 2026 10:36:03 -0500
+Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: César Montoya <sprit152009@gmail.com>
+
+[ Upstream commit 2f388b4e8fdd6b0f27cafd281658daacfd85807e ]
+
+The HP Pavilion 15-eg0xxx with subsystem ID 0x103c87cb uses a Realtek
+ALC287 codec with a mute LED wired to GPIO pin 4 (mask 0x10). The
+existing ALC287_FIXUP_HP_GPIO_LED fixup already handles this correctly,
+but the subsystem ID was missing from the quirk table.
+
+GPIO pin confirmed via manual hda-verb testing:
+ hda-verb SET_GPIO_MASK 0x10
+ hda-verb SET_GPIO_DIRECTION 0x10
+ hda-verb SET_GPIO_DATA 0x10
+
+Signed-off-by: César Montoya <sprit152009@gmail.com>
+Link: https://patch.msgid.link/20260321153603.12771-1-sprit152009@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index 1959adb6c5189..c782a35f9239d 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -6746,6 +6746,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x87cb, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+--
+2.53.0
+
--- /dev/null
+From e79bf418cd60d375877382f8e5b1a22b3e10b340 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 10:25:03 -0700
+Subject: ALSA: hda/realtek: Add quirk for ASUS ROG Flow Z13-KJP GZ302EAC
+
+From: Matthew Schwartz <matthew.schwartz@linux.dev>
+
+[ Upstream commit 59f68dc1d8df3142cb58fd2568966a9bb7b0ed8a ]
+
+Fixes lack of audio output on the ASUS ROG Flow Z13-KJP GZ302EAC model,
+similar to the ASUS ROG Flow Z13 GZ302EA.
+
+Signed-off-by: Matthew Schwartz <matthew.schwartz@linux.dev>
+Link: https://patch.msgid.link/20260313172503.285846-1-matthew.schwartz@linux.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index 4b06cb48252e2..1959adb6c5189 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7065,6 +7065,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1043, 0x14e3, "ASUS G513PI/PU/PV", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x14f2, "ASUS VivoBook X515JA", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x1503, "ASUS G733PY/PZ/PZV/PYV", ALC287_FIXUP_CS35L41_I2C_2),
++ SND_PCI_QUIRK(0x1043, 0x1514, "ASUS ROG Flow Z13 GZ302EAC", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A),
+ SND_PCI_QUIRK(0x1043, 0x1533, "ASUS GV302XA/XJ/XQ/XU/XV/XI", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x1573, "ASUS GZ301VV/VQ/VU/VJ/VA/VC/VE/VVC/VQC/VUC/VJC/VEC/VCC", ALC285_FIXUP_ASUS_HEADSET_MIC),
+--
+2.53.0
+
--- /dev/null
+From e2e4b930d22053f2e81ce192e74ed775f75c835f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 10:54:40 -0500
+Subject: ALSA: hda/realtek: add quirk for Framework F111:000F
+
+From: Dustin L. Howett <dustin@howett.net>
+
+[ Upstream commit bac1e57adf08c9ee33e95fb09cd032f330294e70 ]
+
+Similar to commit 7b509910b3ad ("ALSA hda/realtek: Add quirk for
+Framework F111:000C") and previous quirks for Framework systems with
+Realtek codecs.
+
+000F is another new platform with an ALC285 which needs the same quirk.
+
+Signed-off-by: Dustin L. Howett <dustin@howett.net>
+Link: https://patch.msgid.link/20260327-framework-alsa-000f-v1-1-74013aba1c00@howett.net
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index 0c975005793e7..e7f7b148b40e5 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7555,6 +7555,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x000b, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x000c, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0xf111, 0x000f, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+
+ #if 0
+ /* Below is a quirk table taken from the old code.
+--
+2.53.0
+
--- /dev/null
+From 1b6852fd108dc6bbfc5c95c416278b3f46cec6a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 16:06:24 +0800
+Subject: ALSA: hda/realtek: add quirk for Lenovo Yoga 7 2-in-1 16AKP10
+
+From: Zhang Heng <zhangheng@kylinos.cn>
+
+[ Upstream commit 7bae956cac0433c4d41aac9f1d04e42694e0b706 ]
+
+This machine is equipped with ALC287 and requires the quirk
+ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN to fix the issue
+where the bass speakers are not configured and the speaker
+volume cannot be controlled.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=221210
+Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260313080624.1395362-1-zhangheng@kylinos.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index 1b64292220ac8..4b06cb48252e2 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7429,6 +7429,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x38ab, "Thinkbook 16P", ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD),
+ SND_PCI_QUIRK(0x17aa, 0x38b4, "Legion Slim 7 16IRH8", ALC287_FIXUP_CS35L41_I2C_2),
+ HDA_CODEC_QUIRK(0x17aa, 0x391c, "Lenovo Yoga 7 2-in-1 14AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
++ HDA_CODEC_QUIRK(0x17aa, 0x391d, "Lenovo Yoga 7 2-in-1 16AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x38b5, "Legion Slim 7 16IRH8", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x17aa, 0x38b6, "Legion Slim 7 16APH8", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x17aa, 0x38b7, "Legion Slim 7 16APH8", ALC287_FIXUP_CS35L41_I2C_2),
+--
+2.53.0
+
--- /dev/null
+From 805b9d5a2e440d9bc204648edda1d4e61a387aad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Mar 2026 11:29:28 +0300
+Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IMH9
+
+From: Alexander Savenko <alex.sav4387@gmail.com>
+
+[ Upstream commit 217d5bc9f96272316ac5a3215c7cc32a5127bbf3 ]
+
+The Lenovo Yoga Pro 7 14IMH9 (DMI: 83E2) shares PCI SSID 17aa:3847
+with the Legion 7 16ACHG6, but has a different codec subsystem ID
+(17aa:38cf). The existing SND_PCI_QUIRK for 17aa:3847 applies
+ALC287_FIXUP_LEGION_16ACHG6, which attempts to initialize an external
+I2C amplifier (CLSA0100) that is not present on the Yoga Pro 7 14IMH9.
+
+As a result, pin 0x17 (bass speakers) is connected to DAC 0x06 which
+has no volume control, making hardware volume adjustment completely
+non-functional. Audio is either silent or at maximum volume regardless
+of the slider position.
+
+Add a HDA_CODEC_QUIRK entry using the codec subsystem ID (17aa:38cf)
+to correctly identify the Yoga Pro 7 14IMH9 and apply
+ALC287_FIXUP_YOGA9_14IMH9_BASS_SPK_PIN, which redirects pin 0x17 to
+DAC 0x02 and restores proper volume control. The existing Legion entry
+is preserved unchanged.
+
+This follows the same pattern used for 17aa:386e, where Legion Y9000X
+and Yoga Pro 7 14ARP8 share a PCI SSID but are distinguished via
+HDA_CODEC_QUIRK.
+
+Link: https://github.com/nomad4tech/lenovo-yoga-pro-7-linux
+Tested-by: Alexander Savenko <alex.sav4387@gmail.com>
+Signed-off-by: Alexander Savenko <alex.sav4387@gmail.com>
+Link: https://patch.msgid.link/20260331082929.44890-1-alex.sav4387@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index 1c8ee8263ab3a..2e89528e5cec1 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7402,6 +7402,10 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x3834, "Lenovo IdeaPad Slim 9i 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS),
+ SND_PCI_QUIRK(0x17aa, 0x383d, "Legion Y9000X 2019", ALC285_FIXUP_LEGION_Y9000X_SPEAKERS),
+ SND_PCI_QUIRK(0x17aa, 0x3843, "Lenovo Yoga 9i / Yoga Book 9i", ALC287_FIXUP_LENOVO_YOGA_BOOK_9I),
++ /* Yoga Pro 7 14IMH9 shares PCI SSID 17aa:3847 with Legion 7 16ACHG6;
++ * use codec SSID to distinguish them
++ */
++ HDA_CODEC_QUIRK(0x17aa, 0x38cf, "Lenovo Yoga Pro 7 14IMH9", ALC287_FIXUP_YOGA9_14IMH9_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3847, "Legion 7 16ACHG6", ALC287_FIXUP_LEGION_16ACHG6),
+ SND_PCI_QUIRK(0x17aa, 0x384a, "Lenovo Yoga 7 15ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS),
+ SND_PCI_QUIRK(0x17aa, 0x3852, "Lenovo Yoga 7 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS),
+--
+2.53.0
+
--- /dev/null
+From ef4114428cbef327ace57b82d7ec6c989369c599 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2026 09:26:51 +0800
+Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10
+
+From: songxiebing <songxiebing@kylinos.cn>
+
+[ Upstream commit f0541edb2e7333f320642c7b491a67912c1f65db ]
+
+The bass speakers are not working, and add the following entry
+in /etc/modprobe.d/snd.conf:
+options snd-sof-intel-hda-generic hda_model=alc287-yoga9-bass-spk-pin
+Fixes the bass speakers.
+
+So add the quick ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN here.
+
+Reported-by: Fernando Garcia Corona <fgarcor@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221317
+Signed-off-by: songxiebing <songxiebing@kylinos.cn>
+Link: https://patch.msgid.link/20260405012651.133838-1-songxiebing@kylinos.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index 2e89528e5cec1..6b53a7d90932d 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7467,6 +7467,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x38fd, "ThinkBook plus Gen5 Hybrid", ALC287_FIXUP_TAS2781_I2C),
+ SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x17aa, 0x390d, "Lenovo Yoga Pro 7 14ASP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
++ SND_PCI_QUIRK(0x17aa, 0x3911, "Lenovo Yoga Pro 7 14IAH10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3913, "Lenovo 145", ALC236_FIXUP_LENOVO_INV_DMIC),
+ SND_PCI_QUIRK(0x17aa, 0x391a, "Lenovo Yoga Slim 7 14AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x391f, "Yoga S990-16 pro Quad YC Quad", ALC287_FIXUP_TXNW2781_I2C),
+--
+2.53.0
+
--- /dev/null
+From b20c2a5c5955bf805d93b331fff1fba7b9d663ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Mar 2026 11:36:50 +0800
+Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Slim 7 14AKP10
+
+From: songxiebing <songxiebing@kylinos.cn>
+
+[ Upstream commit e6c888202297eca21860b669edb74fc600e679d9 ]
+
+The Pin Complex 0x17 (bass/woofer speakers) is incorrectly reported as
+unconnected in the BIOS (pin default 0x411111f0 = N/A). This causes the
+kernel to configure speaker_outs=0, meaning only the tweeters (pin 0x14)
+are used. The result is very low, tinny audio with no bass.
+
+The existing quirk ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN (already present
+in patch_realtek.c for SSID 0x17aa3801) fixes the issue completely.
+
+Reported-by: Garcicasti <andresgarciacastilla@gmail.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=221298
+Signed-off-by: songxiebing <songxiebing@kylinos.cn>
+Link: https://patch.msgid.link/20260331033650.285601-1-songxiebing@kylinos.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index c76d339009a9b..1c8ee8263ab3a 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7464,6 +7464,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x17aa, 0x390d, "Lenovo Yoga Pro 7 14ASP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3913, "Lenovo 145", ALC236_FIXUP_LENOVO_INV_DMIC),
++ SND_PCI_QUIRK(0x17aa, 0x391a, "Lenovo Yoga Slim 7 14AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x391f, "Yoga S990-16 pro Quad YC Quad", ALC287_FIXUP_TXNW2781_I2C),
+ SND_PCI_QUIRK(0x17aa, 0x3920, "Yoga S990-16 pro Quad VECO Quad", ALC287_FIXUP_TXNW2781_I2C),
+ SND_PCI_QUIRK(0x17aa, 0x3929, "Thinkbook 13x Gen 5", ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD),
+--
+2.53.0
+
--- /dev/null
+From 9d4938f47251385da140a190b120eb238337b668 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 18:22:20 +0200
+Subject: ALSA: hda/realtek: Add quirk for Samsung Book2 Pro 360 (NP950QED)
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit ea31be8a2c8c99eac198f3b7f2dc770111f2b182 ]
+
+There is another Book2 Pro model (NP950QED) that seems equipped with
+the same speaker module as the non-360 model, which requires
+ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS quirk.
+
+Reported-by: Throw <zakkabj@gmail.com>
+Link: https://patch.msgid.link/20260330162249.147665-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index e7f7b148b40e5..c76d339009a9b 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7211,6 +7211,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x144d, 0xc188, "Samsung Galaxy Book Flex (NT950QCT-A38A)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Book Flex (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP),
++ SND_PCI_QUIRK(0x144d, 0xc1ac, "Samsung Galaxy Book2 Pro 360 (NP950QED)", ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS),
+ SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc1a4, "Samsung Galaxy Book Pro 360 (NT935QBD)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc1a6, "Samsung Galaxy Book Pro 360 (NP930QBD)", ALC298_FIXUP_SAMSUNG_AMP),
+--
+2.53.0
+
--- /dev/null
+From 593c6ff74e60ea4ef4636a119ef8cca524e16835 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Mar 2026 08:07:34 +0000
+Subject: ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex
+
+From: Phil Willoughby <willerz@gmail.com>
+
+[ Upstream commit bc5b4e5ae1a67700a618328217b6a3bd0f296e97 ]
+
+The NeuralDSP Quad Cortex does not support DSD playback. We need
+this product-specific entry with zero quirks because otherwise it
+falls through to the vendor-specific entry which marks it as
+supporting DSD playback.
+
+Cc: Yue Wang <yuleopen@gmail.com>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Signed-off-by: Phil Willoughby <willerz@gmail.com>
+Link: https://patch.msgid.link/20260328080921.3310-1-willerz@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 9f585dbc770cb..a2c039a1b3cd6 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -2296,6 +2296,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
+ QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB),
+ DEVICE_FLG(0x13e5, 0x0001, /* Serato Phono */
+ QUIRK_FLAG_IGNORE_CTL_ERROR),
++ DEVICE_FLG(0x152a, 0x880a, /* NeuralDSP Quad Cortex */
++ 0), /* Doesn't have the vendor quirk which would otherwise apply */
+ DEVICE_FLG(0x154e, 0x1002, /* Denon DCD-1500RE */
+ QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY),
+ DEVICE_FLG(0x154e, 0x1003, /* Denon DA-300USB */
+--
+2.53.0
+
--- /dev/null
+From f29aa13ab21e63c211bf26168e1634e410500e98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 18:25:27 +0800
+Subject: ALSA:usb:qcom: add AUXILIARY_BUS to Kconfig dependencies
+
+From: Frank Zhang <rmxpzlb@gmail.com>
+
+[ Upstream commit b8bee48e38f2ddbdba5e58bc54ef54bb7d8d341b ]
+
+The build can fail with:
+
+ERROR: modpost: "__auxiliary_driver_register"
+[sound/usb/qcom/snd-usb-audio-qmi.ko] undefined!
+ERROR: modpost: "auxiliary_driver_unregister"
+[sound/usb/qcom/snd-usb-audio-qmi.ko] undefined!
+
+Select AUXILIARY_BUS when SND_USB_AUDIO_QMI is enabled.
+
+Signed-off-by: Frank Zhang <rmxpzlb@gmail.com>
+Link: https://patch.msgid.link/20260317102527.556248-1-rmxpzlb@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/usb/Kconfig b/sound/usb/Kconfig
+index 9b890abd96d34..b4588915efa11 100644
+--- a/sound/usb/Kconfig
++++ b/sound/usb/Kconfig
+@@ -192,6 +192,7 @@ config SND_USB_AUDIO_QMI
+ tristate "Qualcomm Audio Offload driver"
+ depends on QCOM_QMI_HELPERS && SND_USB_AUDIO && SND_SOC_USB
+ depends on USB_XHCI_HCD && USB_XHCI_SIDEBAND
++ select AUXILIARY_BUS
+ help
+ Say Y here to enable the Qualcomm USB audio offloading feature.
+
+--
+2.53.0
+
--- /dev/null
+From f498641478cca5c9295b43699a4ee9c68ee43aef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Feb 2026 11:07:35 +0200
+Subject: ARM: dts: microchip: sam9x7: fix gpio-lines count for pioB
+
+From: Mihai Sain <mihai.sain@microchip.com>
+
+[ Upstream commit 907150bbe566e23714a25d7bcb910f236c3c44c0 ]
+
+The pioB controller on the SAM9X7 SoC actually supports 27 GPIO lines.
+The previous value of 26 was incorrect, leading to the last pin being
+unavailable for use by the GPIO subsystem.
+Update the #gpio-lines property to reflect
+the correct hardware specification.
+
+Fixes: 41af45af8bc3 ("ARM: dts: at91: sam9x7: add device tree for SoC")
+Signed-off-by: Mihai Sain <mihai.sain@microchip.com>
+Link: https://lore.kernel.org/r/20260209090735.2016-1-mihai.sain@microchip.com
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/microchip/sam9x7.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/microchip/sam9x7.dtsi b/arch/arm/boot/dts/microchip/sam9x7.dtsi
+index 46dacbbd201dd..d242d7a934d0f 100644
+--- a/arch/arm/boot/dts/microchip/sam9x7.dtsi
++++ b/arch/arm/boot/dts/microchip/sam9x7.dtsi
+@@ -1226,7 +1226,7 @@ pioB: gpio@fffff600 {
+ interrupt-controller;
+ #gpio-cells = <2>;
+ gpio-controller;
+- #gpio-lines = <26>;
++ #gpio-lines = <27>;
+ clocks = <&pmc PMC_TYPE_PERIPHERAL 3>;
+ };
+
+--
+2.53.0
+
--- /dev/null
+From 5e4df537ce5fd4bf7e6860f0220b3a5ab335e7d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jan 2026 00:28:28 +0100
+Subject: arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency
+
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+
+[ Upstream commit 1f99b5d93d99ca17d50b386a674d0ce1f20932d8 ]
+
+According to i.MX 8M Quad Reference Manual, GPU_AHB_CLK_ROOT's maximum
+frequency is 400MHz.
+
+Fixes: 45d2c84eb3a2 ("arm64: dts: imx8mq: add GPU node")
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+index 607962f807beb..6a25e219832ce 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+@@ -1632,7 +1632,7 @@ gpu: gpu@38000000 {
+ <&clk IMX8MQ_GPU_PLL_OUT>,
+ <&clk IMX8MQ_GPU_PLL>;
+ assigned-clock-rates = <800000000>, <800000000>,
+- <800000000>, <800000000>, <0>;
++ <800000000>, <400000000>, <0>;
+ power-domains = <&pgc_gpu>;
+ };
+
+--
+2.53.0
+
--- /dev/null
+From e6e3c7388452aeb188bf0a690831725022ba71ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Feb 2026 16:50:13 +0100
+Subject: arm64: dts: imx91-tqma9131: improve eMMC pad configuration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Markus Niebel <Markus.Niebel@ew.tq-group.com>
+
+[ Upstream commit 44db7bc66eb38e85bb32777c5fd3a4e7baa84147 ]
+
+Use DSE x4 an PullUp for CMD an DAT, DSE x4 and PullDown for CLK to improve
+stability and detection at low temperatures under -25°C.
+
+Fixes: e71db39f0c7c ("arm64: dts: freescale: add initial device tree for TQMa91xx/MBa91xxCA")
+Signed-off-by: Markus Niebel <Markus.Niebel@ew.tq-group.com>
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/freescale/imx91-tqma9131.dtsi | 20 +++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx91-tqma9131.dtsi b/arch/arm64/boot/dts/freescale/imx91-tqma9131.dtsi
+index 5792952b7a8e1..c99d7bc168483 100644
+--- a/arch/arm64/boot/dts/freescale/imx91-tqma9131.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx91-tqma9131.dtsi
+@@ -272,20 +272,20 @@ pinctrl_reg_usdhc2_vmmc: regusdhc2vmmcgrp {
+ /* enable SION for data and cmd pad due to ERR052021 */
+ pinctrl_usdhc1: usdhc1grp {
+ fsl,pins = /* PD | FSEL 3 | DSE X5 */
+- <MX91_PAD_SD1_CLK__USDHC1_CLK 0x5be>,
++ <MX91_PAD_SD1_CLK__USDHC1_CLK 0x59e>,
+ /* HYS | FSEL 0 | no drive */
+ <MX91_PAD_SD1_STROBE__USDHC1_STROBE 0x1000>,
+ /* HYS | FSEL 3 | X5 */
+- <MX91_PAD_SD1_CMD__USDHC1_CMD 0x400011be>,
++ <MX91_PAD_SD1_CMD__USDHC1_CMD 0x4000139e>,
+ /* HYS | FSEL 3 | X4 */
+- <MX91_PAD_SD1_DATA0__USDHC1_DATA0 0x4000119e>,
+- <MX91_PAD_SD1_DATA1__USDHC1_DATA1 0x4000119e>,
+- <MX91_PAD_SD1_DATA2__USDHC1_DATA2 0x4000119e>,
+- <MX91_PAD_SD1_DATA3__USDHC1_DATA3 0x4000119e>,
+- <MX91_PAD_SD1_DATA4__USDHC1_DATA4 0x4000119e>,
+- <MX91_PAD_SD1_DATA5__USDHC1_DATA5 0x4000119e>,
+- <MX91_PAD_SD1_DATA6__USDHC1_DATA6 0x4000119e>,
+- <MX91_PAD_SD1_DATA7__USDHC1_DATA7 0x4000119e>;
++ <MX91_PAD_SD1_DATA0__USDHC1_DATA0 0x4000139e>,
++ <MX91_PAD_SD1_DATA1__USDHC1_DATA1 0x4000139e>,
++ <MX91_PAD_SD1_DATA2__USDHC1_DATA2 0x4000139e>,
++ <MX91_PAD_SD1_DATA3__USDHC1_DATA3 0x4000139e>,
++ <MX91_PAD_SD1_DATA4__USDHC1_DATA4 0x4000139e>,
++ <MX91_PAD_SD1_DATA5__USDHC1_DATA5 0x4000139e>,
++ <MX91_PAD_SD1_DATA6__USDHC1_DATA6 0x4000139e>,
++ <MX91_PAD_SD1_DATA7__USDHC1_DATA7 0x4000139e>;
+ };
+
+ pinctrl_wdog: wdoggrp {
+--
+2.53.0
+
--- /dev/null
+From 9ff76109b059383d0a1b500bc605b7b36f574f2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Feb 2026 19:23:08 +0800
+Subject: arm64: dts: imx93-9x9-qsb: change usdhc tuning step for eMMC and SD
+
+From: Luke Wang <ziniu.wang_1@nxp.com>
+
+[ Upstream commit 08903184553def7ba1ad6ba4fa8afe1ba2ee0a21 ]
+
+During system resume, the following errors occurred:
+
+ [ 430.638625] mmc1: error -84 writing Cache Enable bit
+ [ 430.643618] mmc1: error -84 doing runtime resume
+
+For eMMC and SD, there are two tuning pass windows and the gap between
+those two windows may only have one cell. If tuning step > 1, the gap may
+just be skipped and host assumes those two windows as a continuous
+windows. This will cause a wrong delay cell near the gap to be selected.
+
+Set the tuning step to 1 to avoid selecting the wrong delay cell.
+
+For SDIO, the gap is sufficiently large, so the default tuning step does
+not cause this issue.
+
+Fixes: 0565d20cd8c2 ("arm64: dts: freescale: Support i.MX93 9x9 Quick Start Board")
+Signed-off-by: Luke Wang <ziniu.wang_1@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts b/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts
+index 0852067eab2cb..197c8f8b7f669 100644
+--- a/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts
++++ b/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts
+@@ -507,6 +507,7 @@ &usdhc1 {
+ pinctrl-2 = <&pinctrl_usdhc1_200mhz>;
+ bus-width = <8>;
+ non-removable;
++ fsl,tuning-step = <1>;
+ status = "okay";
+ };
+
+@@ -519,6 +520,7 @@ &usdhc2 {
+ vmmc-supply = <®_usdhc2_vmmc>;
+ bus-width = <4>;
+ no-mmc;
++ fsl,tuning-step = <1>;
+ status = "okay";
+ };
+
+--
+2.53.0
+
--- /dev/null
+From 1668c8b9ef5b91d8f3c6a10b93e94b8adadfa4f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Feb 2026 16:50:14 +0100
+Subject: arm64: dts: imx93-tqma9352: improve eMMC pad configuration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Markus Niebel <Markus.Niebel@ew.tq-group.com>
+
+[ Upstream commit b6c94c71f349479b76fcc0ef0dc7147f3f326dff ]
+
+Use DSE x4 an PullUp for CMD an DAT, DSE x4 and PullDown for CLK to improve
+stability and detection at low temperatures under -25°C.
+
+Fixes: 0b5fdfaa8e45 ("arm64: dts: freescale: imx93-tqma9352: set SION for cmd and data pad of USDHC")
+Signed-off-by: Markus Niebel <Markus.Niebel@ew.tq-group.com>
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/freescale/imx93-tqma9352.dtsi | 26 +++++++++----------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi
+index 82914ca148d3a..c095d7f115c21 100644
+--- a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi
+@@ -270,21 +270,21 @@ MX93_PAD_SD2_RESET_B__GPIO3_IO07 0x106
+ /* enable SION for data and cmd pad due to ERR052021 */
+ pinctrl_usdhc1: usdhc1grp {
+ fsl,pins = <
+- /* PD | FSEL 3 | DSE X5 */
+- MX93_PAD_SD1_CLK__USDHC1_CLK 0x5be
++ /* PD | FSEL 3 | DSE X4 */
++ MX93_PAD_SD1_CLK__USDHC1_CLK 0x59e
+ /* HYS | FSEL 0 | no drive */
+ MX93_PAD_SD1_STROBE__USDHC1_STROBE 0x1000
+- /* HYS | FSEL 3 | X5 */
+- MX93_PAD_SD1_CMD__USDHC1_CMD 0x400011be
+- /* HYS | FSEL 3 | X4 */
+- MX93_PAD_SD1_DATA0__USDHC1_DATA0 0x4000119e
+- MX93_PAD_SD1_DATA1__USDHC1_DATA1 0x4000119e
+- MX93_PAD_SD1_DATA2__USDHC1_DATA2 0x4000119e
+- MX93_PAD_SD1_DATA3__USDHC1_DATA3 0x4000119e
+- MX93_PAD_SD1_DATA4__USDHC1_DATA4 0x4000119e
+- MX93_PAD_SD1_DATA5__USDHC1_DATA5 0x4000119e
+- MX93_PAD_SD1_DATA6__USDHC1_DATA6 0x4000119e
+- MX93_PAD_SD1_DATA7__USDHC1_DATA7 0x4000119e
++ /* HYS | PU | FSEL 3 | DSE X4 */
++ MX93_PAD_SD1_CMD__USDHC1_CMD 0x4000139e
++ /* HYS | PU | FSEL 3 | DSE X4 */
++ MX93_PAD_SD1_DATA0__USDHC1_DATA0 0x4000139e
++ MX93_PAD_SD1_DATA1__USDHC1_DATA1 0x4000139e
++ MX93_PAD_SD1_DATA2__USDHC1_DATA2 0x4000139e
++ MX93_PAD_SD1_DATA3__USDHC1_DATA3 0x4000139e
++ MX93_PAD_SD1_DATA4__USDHC1_DATA4 0x4000139e
++ MX93_PAD_SD1_DATA5__USDHC1_DATA5 0x4000139e
++ MX93_PAD_SD1_DATA6__USDHC1_DATA6 0x4000139e
++ MX93_PAD_SD1_DATA7__USDHC1_DATA7 0x4000139e
+ >;
+ };
+
+--
+2.53.0
+
--- /dev/null
+From f82cca5bd54138636f2dbe127d6675f75f09b66e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Feb 2026 20:44:58 +0800
+Subject: arm64: dts: qcom: hamoa/x1: fix idle exit latency
+
+From: Daniel J Blueman <daniel@quora.org>
+
+[ Upstream commit 3ecea84d2b90bbf934d5ca75514fa902fd71e03f ]
+
+Designs based on the Qualcomm X1 Hamoa reference platform report:
+driver: Idle state 1 target residency too low
+
+This is because the declared X1 idle entry plus exit latency of 680us
+exceeds the declared minimum 600us residency time:
+ entry-latency-us = <180>;
+ exit-latency-us = <500>;
+ min-residency-us = <600>;
+
+Fix this to be 320us so the sum of the entry and exit latencies matches
+the downstream 500us exit latency, as directed by Maulik.
+
+Tested on a Lenovo Yoga Slim 7x with Qualcomm X1E-80-100.
+
+Fixes: 2e65616ef07f ("arm64: dts: qcom: x1e80100: Update C4/C5 residency/exit numbers")
+Signed-off-by: Daniel J Blueman <daniel@quora.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20260220124626.8611-1-daniel@quora.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/x1e80100.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/x1e80100.dtsi b/arch/arm64/boot/dts/qcom/x1e80100.dtsi
+index 6d97329995fe7..efe8d5e7079fe 100644
+--- a/arch/arm64/boot/dts/qcom/x1e80100.dtsi
++++ b/arch/arm64/boot/dts/qcom/x1e80100.dtsi
+@@ -281,7 +281,7 @@ cluster_c4: cpu-sleep-0 {
+ idle-state-name = "ret";
+ arm,psci-suspend-param = <0x00000004>;
+ entry-latency-us = <180>;
+- exit-latency-us = <500>;
++ exit-latency-us = <320>;
+ min-residency-us = <600>;
+ };
+ };
+--
+2.53.0
+
--- /dev/null
+From 9422f6a6cf06049ff08871d8fad3c31df04c898b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Feb 2026 16:56:11 +0100
+Subject: arm64: dts: qcom: monaco: Fix UART10 pinconf
+
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+
+[ Upstream commit 5b2a16ab0dbd090dc545c05ee79a077cc7a9c1e0 ]
+
+UART10 RTS and TX pins were incorrectly mapped to gpio84 and gpio85.
+Correct them to gpio85 (RTS) and gpio86 (TX) to match the hardware
+I/O mapping.
+
+Fixes: 467284a3097f ("arm64: dts: qcom: qcs8300: Add QUPv3 configuration")
+Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20260202155611.1568-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/qcs8300.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/qcs8300.dtsi b/arch/arm64/boot/dts/qcom/qcs8300.dtsi
+index 8d78ccac411e4..b8d4a75baee22 100644
+--- a/arch/arm64/boot/dts/qcom/qcs8300.dtsi
++++ b/arch/arm64/boot/dts/qcom/qcs8300.dtsi
+@@ -5430,12 +5430,12 @@ qup_uart10_cts: qup-uart10-cts-state {
+ };
+
+ qup_uart10_rts: qup-uart10-rts-state {
+- pins = "gpio84";
++ pins = "gpio85";
+ function = "qup1_se2";
+ };
+
+ qup_uart10_tx: qup-uart10-tx-state {
+- pins = "gpio85";
++ pins = "gpio86";
+ function = "qup1_se2";
+ };
+
+--
+2.53.0
+
--- /dev/null
+From 2ff8fdefdd03db98a3b4ad54ae40b6673667801c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Mar 2026 15:26:03 +0100
+Subject: arm64: dts: qcom: monaco: Reserve full Gunyah metadata region
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+
+[ Upstream commit 85d98669fa7f1d3041d962515e45ee6e392db6f8 ]
+
+We observe spurious "Synchronous External Abort" exceptions
+(ESR=0x96000010) and kernel crashes on Monaco-based platforms.
+These faults are caused by the kernel inadvertently accessing
+hypervisor-owned memory that is not properly marked as reserved.
+
+>From boot log, The Qualcomm hypervisor reports the memory range
+at 0x91a80000 of size 0x80000 (512 KiB) as hypervisor-owned:
+qhee_hyp_assign_remove_memory: 0x91a80000/0x80000 -> ret 0
+
+However, the EFI memory map provided by firmware only reserves the
+subrange 0x91a40000–0x91a87fff (288 KiB). The remaining portion
+(0x91a88000–0x91afffff) is incorrectly reported as conventional
+memory (from efi debug):
+efi: 0x000091a40000-0x000091a87fff [Reserved...]
+efi: 0x000091a88000-0x0000938fffff [Conventional...]
+
+As a result, the allocator may hand out PFNs inside the hypervisor
+owned region, causing fatal aborts when the kernel accesses those
+addresses.
+
+Add a reserved-memory carveout for the Gunyah hypervisor metadata
+at 0x91a80000 (512 KiB) and mark it as no-map so Linux does not
+map or allocate from this area.
+
+For the record:
+Hyp version: gunyah-e78adb36e debug (2025-11-17 05:38:05 UTC)
+UEFI Ver: 6.0.260122.BOOT.MXF.1.0.c1-00449-KODIAKLA-1
+
+Fixes: 7be190e4bdd2 ("arm64: dts: qcom: add QCS8300 platform")
+Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20260302142603.1113355-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/qcs8300.dtsi | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/qcs8300.dtsi b/arch/arm64/boot/dts/qcom/qcs8300.dtsi
+index b8d4a75baee22..7a4c3e872d8ee 100644
+--- a/arch/arm64/boot/dts/qcom/qcs8300.dtsi
++++ b/arch/arm64/boot/dts/qcom/qcs8300.dtsi
+@@ -756,6 +756,11 @@ smem_mem: smem@90900000 {
+ hwlocks = <&tcsr_mutex 3>;
+ };
+
++ gunyah_md_mem: gunyah-md-region@91a80000 {
++ reg = <0x0 0x91a80000 0x0 0x80000>;
++ no-map;
++ };
++
+ lpass_machine_learning_mem: lpass-machine-learning-region@93b00000 {
+ reg = <0x0 0x93b00000 0x0 0xf00000>;
+ no-map;
+--
+2.53.0
+
--- /dev/null
+From 22be70afcd2666bf52c17f0de37a7e609b624415 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Feb 2026 14:32:20 +0530
+Subject: arm64: dts: qcom: qcm6490-idp: Fix WCD9370 reset GPIO polarity
+
+From: Ravi Hothi <ravi.hothi@oss.qualcomm.com>
+
+[ Upstream commit b7df21c59739cceb7b866c6c5e8a6ba03875ab71 ]
+
+The WCD9370 audio codec reset line on QCM6490 IDP should be active-low, but
+the device tree described it as active-high. As a result, the codec is
+kept in reset and fails to reset the SoundWire, leading to timeouts
+and ASoC card probe failure (-ETIMEDOUT).
+
+Fix the reset GPIO polarity to GPIO_ACTIVE_LOW so the codec can properly
+initialize.
+
+Fixes: aa04c298619f ("arm64: dts: qcom: qcm6490-idp: Add WSA8830 speakers and WCD9370 headset codec")
+Signed-off-by: Ravi Hothi <ravi.hothi@oss.qualcomm.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20260220090220.2992193-1-ravi.hothi@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/qcm6490-idp.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/qcm6490-idp.dts b/arch/arm64/boot/dts/qcom/qcm6490-idp.dts
+index 73fce639370cd..214671b462770 100644
+--- a/arch/arm64/boot/dts/qcom/qcm6490-idp.dts
++++ b/arch/arm64/boot/dts/qcom/qcm6490-idp.dts
+@@ -177,7 +177,7 @@ wcd9370: audio-codec-0 {
+ pinctrl-0 = <&wcd_default>;
+ pinctrl-names = "default";
+
+- reset-gpios = <&tlmm 83 GPIO_ACTIVE_HIGH>;
++ reset-gpios = <&tlmm 83 GPIO_ACTIVE_LOW>;
+
+ vdd-buck-supply = <&vreg_l17b_1p7>;
+ vdd-rxtx-supply = <&vreg_l18b_1p8>;
+--
+2.53.0
+
--- /dev/null
+From 2c26b75e9231766d2edf3737ef8dc57ccadbc663 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Mar 2026 01:33:21 +0900
+Subject: ASoC: amd: acp: add ASUS HN7306EA quirk for legacy SDW machine
+
+From: Hasun Park <hasunpark@gmail.com>
+
+[ Upstream commit 2594196f4e3bd70782e7cf1e22e3e398cdb74f78 ]
+
+Add a DMI quirk entry for ASUS HN7306EA in the ACP SoundWire legacy
+machine driver.
+
+Set driver_data to ASOC_SDW_ACP_DMIC for this board so the
+platform-specific DMIC quirk path is selected.
+
+Signed-off-by: Hasun Park <hasunpark@gmail.com>
+Link: https://patch.msgid.link/20260319163321.30326-1-hasunpark@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/acp/acp-sdw-legacy-mach.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/sound/soc/amd/acp/acp-sdw-legacy-mach.c b/sound/soc/amd/acp/acp-sdw-legacy-mach.c
+index 86c534d827448..504b700200660 100644
+--- a/sound/soc/amd/acp/acp-sdw-legacy-mach.c
++++ b/sound/soc/amd/acp/acp-sdw-legacy-mach.c
+@@ -111,6 +111,14 @@ static const struct dmi_system_id soc_sdw_quirk_table[] = {
+ },
+ .driver_data = (void *)(ASOC_SDW_CODEC_SPKR),
+ },
++ {
++ .callback = soc_sdw_quirk_cb,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HN7306EA"),
++ },
++ .driver_data = (void *)(ASOC_SDW_ACP_DMIC),
++ },
+ {}
+ };
+
+--
+2.53.0
+
--- /dev/null
+From f1eb46012983e27704805c0059e0c844a03c4fe0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2026 19:00:06 +0530
+Subject: ASoC: amd: acp: update DMI quirk and add ACP DMIC for Lenovo
+ platforms
+
+From: Syed Saba Kareem <Syed.SabaKareem@amd.com>
+
+[ Upstream commit 6b6f7263d626886a96fce6352f94dfab7a24c339 ]
+
+Replace DMI_EXACT_MATCH with DMI_MATCH for Lenovo SKU entries (21YW,
+21YX) so the quirk applies to all variants of these models, not just
+exact SKU matches.
+
+Add ASOC_SDW_ACP_DMIC flag alongside ASOC_SDW_CODEC_SPKR in driver_data
+for these Lenovo platform entries, as these platforms use ACP PDM DMIC
+instead of SoundWire DMIC for digital microphone support.
+
+Fixes: 3acf517e1ae0 ("ASoC: amd: amd_sdw: add machine driver quirk for Lenovo models")
+Tested-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Signed-off-by: Syed Saba Kareem <Syed.SabaKareem@amd.com>
+Reviewed-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
+Link: https://patch.msgid.link/20260408133029.1368317-1-syed.sabakareem@amd.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/acp/acp-sdw-legacy-mach.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/amd/acp/acp-sdw-legacy-mach.c b/sound/soc/amd/acp/acp-sdw-legacy-mach.c
+index 504b700200660..2b2910b1856d5 100644
+--- a/sound/soc/amd/acp/acp-sdw-legacy-mach.c
++++ b/sound/soc/amd/acp/acp-sdw-legacy-mach.c
+@@ -99,17 +99,17 @@ static const struct dmi_system_id soc_sdw_quirk_table[] = {
+ .callback = soc_sdw_quirk_cb,
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+- DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "21YW"),
++ DMI_MATCH(DMI_PRODUCT_SKU, "21YW"),
+ },
+- .driver_data = (void *)(ASOC_SDW_CODEC_SPKR),
++ .driver_data = (void *)((ASOC_SDW_CODEC_SPKR) | (ASOC_SDW_ACP_DMIC)),
+ },
+ {
+ .callback = soc_sdw_quirk_cb,
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+- DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "21YX"),
++ DMI_MATCH(DMI_PRODUCT_SKU, "21YX"),
+ },
+- .driver_data = (void *)(ASOC_SDW_CODEC_SPKR),
++ .driver_data = (void *)((ASOC_SDW_CODEC_SPKR) | (ASOC_SDW_ACP_DMIC)),
+ },
+ {
+ .callback = soc_sdw_quirk_cb,
+--
+2.53.0
+
--- /dev/null
+From bc35732e6ce0921f37eff4b2990fc4736c639a2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 02:43:48 +0100
+Subject: ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gilson Marquato Júnior <gilsonmandalogo@hotmail.com>
+
+[ Upstream commit 8ec017cf31299c4b6287ebe27afe81c986aeef88 ]
+
+The HP Laptop 15-fc0xxx (subsystem ID 0x103c8dc9) has an internal
+DMIC connected to the AMD ACP6x audio coprocessor. Add a DMI quirk
+entry so the internal microphone is properly detected on this model.
+
+Tested on HP Laptop 15-fc0237ns with Fedora 43 (kernel 6.19.9).
+
+Signed-off-by: Gilson Marquato Júnior <gilsonmandalogo@hotmail.com>
+Link: https://patch.msgid.link/20260330-hp-15-fc0xxx-dmic-v2-v1-1-6dd6f53a1917@hotmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index 6f1c105ca77e3..4c0acdad13ea1 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -45,6 +45,13 @@ static struct snd_soc_card acp6x_card = {
+ };
+
+ static const struct dmi_system_id yc_acp_quirk_table[] = {
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Laptop 15-fc0xxx"),
++ }
++ },
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+--
+2.53.0
+
--- /dev/null
+From b9d17e80fec87207528cd80076356cbab60b7d86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 21:25:12 +0700
+Subject: ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA
+
+From: Vee Satayamas <vsatayamas@gmail.com>
+
+[ Upstream commit f200b2f9a810c440c6750b56fc647b73337749a1 ]
+
+Add a DMI quirk for the Asus Expertbook BM1403CDA to resolve the issue of the
+internal microphone not being detected.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=221236
+Signed-off-by: Vee Satayamas <vsatayamas@gmail.com>
+Reviewed-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260315142511.66029-2-vsatayamas@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index 1324543b42d72..c536de1bb94ad 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -717,6 +717,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "PM1503CDA"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"),
++ }
++ },
+ {}
+ };
+
+--
+2.53.0
+
--- /dev/null
+From 5d7f93620dfaacc9b6bcd7e8bf86f143cc3bc7c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 16:02:18 +0800
+Subject: ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF
+
+From: Zhang Heng <zhangheng@kylinos.cn>
+
+[ Upstream commit 1f182ec9d7084db7dfdb2372d453c28f0e5c3f0a ]
+
+Add a DMI quirk for the Thin A15 B7VF fixing the issue where
+the internal microphone was not detected.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=220833
+Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260316080218.2931304-1-zhangheng@kylinos.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index c536de1bb94ad..6f1c105ca77e3 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -724,6 +724,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Thin A15 B7VE"),
++ }
++ },
+ {}
+ };
+
+--
+2.53.0
+
--- /dev/null
+From 3e2067bb57aa9fb05f7c2d13861465c5f333c0d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 10:54:58 +0200
+Subject: ASoC: Intel: avs: Fix memory leak in avs_register_i2s_test_boards()
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit c5408d818316061d6063c11a4f47f1ba25a3a708 ]
+
+Caller is responsible for freeing array allocated with
+parse_int_array().
+
+Found out by Coverity.
+
+Fixes: 7d859189de13 ("ASoC: Intel: avs: Allow to specify custom configurations with i2s_test")
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://patch.msgid.link/20260407085459.400628-1-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/board_selection.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/intel/avs/board_selection.c b/sound/soc/intel/avs/board_selection.c
+index 52e6266a7cb86..96dc637ccb20c 100644
+--- a/sound/soc/intel/avs/board_selection.c
++++ b/sound/soc/intel/avs/board_selection.c
+@@ -520,7 +520,8 @@ static int avs_register_i2s_test_boards(struct avs_dev *adev)
+ if (num_elems > max_ssps) {
+ dev_err(adev->dev, "board supports only %d SSP, %d specified\n",
+ max_ssps, num_elems);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto exit;
+ }
+
+ for (ssp_port = 0; ssp_port < num_elems; ssp_port++) {
+@@ -528,11 +529,13 @@ static int avs_register_i2s_test_boards(struct avs_dev *adev)
+ for_each_set_bit(tdm_slot, &tdm_slots, 16) {
+ ret = avs_register_i2s_test_board(adev, ssp_port, tdm_slot);
+ if (ret)
+- return ret;
++ goto exit;
+ }
+ }
+
+- return 0;
++exit:
++ kfree(array);
++ return ret;
+ }
+
+ static int avs_register_i2s_board(struct avs_dev *adev, struct snd_soc_acpi_mach *mach)
+--
+2.53.0
+
--- /dev/null
+From 8a55328359182556b81c8bb826c2cf66b514ae45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2026 10:38:31 +0100
+Subject: ASoC: SDCA: Fix overwritten var within for loop
+
+From: Maciej Strozek <mstrozek@opensource.cirrus.com>
+
+[ Upstream commit 23e0cbe55736de222ed975863cf06baf29bee5fe ]
+
+mask variable should not be overwritten within the for loop or it will
+skip certain bits. Change to using BIT() macro.
+
+Fixes: b9ab3b618241 ("ASoC: SDCA: Add some initial IRQ handlers")
+Signed-off-by: Maciej Strozek <mstrozek@opensource.cirrus.com>
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://patch.msgid.link/20260408093835.2881486-2-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sdca/sdca_interrupts.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/sound/soc/sdca/sdca_interrupts.c b/sound/soc/sdca/sdca_interrupts.c
+index f83413587da5a..4189efdfe2747 100644
+--- a/sound/soc/sdca/sdca_interrupts.c
++++ b/sound/soc/sdca/sdca_interrupts.c
+@@ -104,9 +104,7 @@ static irqreturn_t function_status_handler(int irq, void *data)
+
+ status = val;
+ for_each_set_bit(mask, &status, BITS_PER_BYTE) {
+- mask = 1 << mask;
+-
+- switch (mask) {
++ switch (BIT(mask)) {
+ case SDCA_CTL_ENTITY_0_FUNCTION_NEEDS_INITIALIZATION:
+ //FIXME: Add init writes
+ break;
+--
+2.53.0
+
--- /dev/null
+From b36cc64b5cdc98aea8612e4cbe2d75b4e8154e32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 02:43:54 +0000
+Subject: ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit b9eff9732cb0f86a68c9d1592a98ceab47c01e95 ]
+
+Component has "card_aux_list" which is added/deled in bind/unbind aux dev
+function (A), and used in for_each_card_auxs() loop (B).
+
+ static void soc_unbind_aux_dev(...)
+ {
+ ...
+ for_each_card_auxs_safe(...) {
+ ...
+(A) list_del(&component->card_aux_list);
+ } ^^^^^^^^^^^^^
+ }
+
+ static int soc_bind_aux_dev(...)
+ {
+ ...
+ for_each_card_pre_auxs(...) {
+ ...
+(A) list_add(&component->card_aux_list, ...);
+ } ^^^^^^^^^^^^^
+ ...
+ }
+
+ #define for_each_card_auxs(card, component) \
+(B) list_for_each_entry(component, ..., card_aux_list)
+ ^^^^^^^^^^^^^
+
+But it has been used without calling INIT_LIST_HEAD().
+
+ > git grep card_aux_list sound/soc
+ sound/soc/soc-core.c: list_del(&component->card_aux_list);
+ sound/soc/soc-core.c: list_add(&component->card_aux_list, ...);
+
+call missing INIT_LIST_HEAD() for it.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://patch.msgid.link/87341mxa8l.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index 7a6b4ec3a6990..feecf3e4e38b4 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -2845,6 +2845,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component,
+ INIT_LIST_HEAD(&component->dobj_list);
+ INIT_LIST_HEAD(&component->card_list);
+ INIT_LIST_HEAD(&component->list);
++ INIT_LIST_HEAD(&component->card_aux_list);
+ mutex_init(&component->io_mutex);
+
+ if (!component->name) {
+--
+2.53.0
+
--- /dev/null
+From 331f261d30b1b8dd431b2cd68f993eff93b933e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 21:45:26 -0300
+Subject: ASoC: SOF: topology: reject invalid vendor array size in token parser
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+[ Upstream commit 215e5fe75881a7e2425df04aeeed47a903d5cd5d ]
+
+sof_parse_token_sets() accepts array->size values that can be invalid
+for a vendor tuple array header. In particular, a zero size does not
+advance the parser state and can lead to non-progress parsing on
+malformed topology data.
+
+Validate array->size against the minimum header size and reject values
+smaller than sizeof(*array) before parsing. This preserves behavior for
+valid topologies and hardens malformed-input handling.
+
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
+index b6d5c8024f8cf..4c8dba285408a 100644
+--- a/sound/soc/sof/topology.c
++++ b/sound/soc/sof/topology.c
+@@ -736,7 +736,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
+ asize = le32_to_cpu(array->size);
+
+ /* validate asize */
+- if (asize < 0) { /* FIXME: A zero-size array makes no sense */
++ if (asize < sizeof(*array)) {
+ dev_err(scomp->dev, "error: invalid array size 0x%x\n",
+ asize);
+ return -EINVAL;
+--
+2.53.0
+
--- /dev/null
+From e846d7fbd1ce7db29c5f8c26286e2a0fde483336 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2026 10:40:56 +0200
+Subject: ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
+
+From: Tomasz Merta <tomasz.merta@arrow.com>
+
+[ Upstream commit 0669631dbccd41cf3ca7aa70213fcd8bb41c4b38 ]
+
+The STM32 SAI driver do not set the clock strobing bit (CKSTR) for DSP_A,
+DSP_B and LEFT_J formats, causing data to be sampled on the wrong BCLK
+edge when SND_SOC_DAIFMT_NB_NF is used.
+
+Per ALSA convention, NB_NF requires sampling on the rising BCLK edge.
+The STM32MP25 SAI reference manual states that CKSTR=1 is required for
+signals received by the SAI to be sampled on the SCK rising edge.
+Without setting CKSTR=1, the SAI samples on the falling edge, violating
+the NB_NF convention. For comparison, the NXP FSL SAI driver correctly
+sets FSL_SAI_CR2_BCP for DSP_A, DSP_B and LEFT_J, consistent with its
+I2S handling.
+
+This patch adds SAI_XCR1_CKSTR for DSP_A, DSP_B and LEFT_J in
+stm32_sai_set_dai_fmt which was verified empirically with a cs47l35 codec.
+RIGHT_J (LSB) is not investigated and addressed by this patch.
+
+Note: the STM32 I2S driver (stm32_i2s_set_dai_fmt) may have the same issue
+for DSP_A mode, as I2S_CGFR_CKPOL is not set. This has not been verified
+and is left for a separate investigation.
+
+Signed-off-by: Tomasz Merta <tommerta@gmail.com>
+Link: https://patch.msgid.link/20260408084056.20588-1-tommerta@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/stm/stm32_sai_sub.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c
+index 5ae4d2577f28b..c2540383ab86f 100644
+--- a/sound/soc/stm/stm32_sai_sub.c
++++ b/sound/soc/stm/stm32_sai_sub.c
+@@ -802,6 +802,7 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt)
+ break;
+ /* Left justified */
+ case SND_SOC_DAIFMT_MSB:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF;
+ break;
+ /* Right justified */
+@@ -809,9 +810,11 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt)
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF;
+ break;
+ case SND_SOC_DAIFMT_DSP_A:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSOFF;
+ break;
+ case SND_SOC_DAIFMT_DSP_B:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL;
+ break;
+ default:
+--
+2.53.0
+
--- /dev/null
+From 4dd444c34b682cdecd550e9a274a3f36b086a28e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 15:23:35 -0700
+Subject: ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585
+
+From: Arthur Husband <artmoty@gmail.com>
+
+[ Upstream commit 105c42566a550e2d05fc14f763216a8765ee5d0e ]
+
+The JMicron JMB585 (and JMB582) SATA controllers advertise 64-bit DMA
+support via the S64A bit in the AHCI CAP register, but their 64-bit DMA
+implementation is defective. Under sustained I/O, DMA transfers targeting
+addresses above 4GB silently corrupt data -- writes land at incorrect
+memory addresses with no errors logged.
+
+The failure pattern is similar to the ASMedia ASM1061
+(commit 20730e9b2778 ("ahci: add 43-bit DMA address quirk for ASMedia
+ASM1061 controllers")), which also falsely advertised full 64-bit DMA
+support. However, the JMB585 requires a stricter 32-bit DMA mask rather
+than 43-bit, as corruption occurs with any address above 4GB.
+
+On the Minisforum N5 Pro specifically, the combination of the JMB585's
+broken 64-bit DMA with the AMD Family 1Ah (Strix Point) IOMMU causes
+silent data corruption that is only detectable via checksumming
+filesystems (BTRFS/ZFS scrub). The corruption occurs when 32-bit IOVA
+space is exhausted and the kernel transparently switches to 64-bit DMA
+addresses.
+
+Add device-specific PCI ID entries for the JMB582 (0x0582) and JMB585
+(0x0585) before the generic JMicron class match, using a new board type
+that combines AHCI_HFLAG_IGN_IRQ_IF_ERR (preserving existing behavior)
+with AHCI_HFLAG_32BIT_ONLY to force 32-bit DMA masks.
+
+Signed-off-by: Arthur Husband <artmoty@gmail.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/ahci.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index 931d0081169b9..1d73a53370cf3 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -68,6 +68,7 @@ enum board_ids {
+ /* board IDs for specific chipsets in alphabetical order */
+ board_ahci_al,
+ board_ahci_avn,
++ board_ahci_jmb585,
+ board_ahci_mcp65,
+ board_ahci_mcp77,
+ board_ahci_mcp89,
+@@ -212,6 +213,15 @@ static const struct ata_port_info ahci_port_info[] = {
+ .udma_mask = ATA_UDMA6,
+ .port_ops = &ahci_avn_ops,
+ },
++ /* JMicron JMB582/585: 64-bit DMA is broken, force 32-bit */
++ [board_ahci_jmb585] = {
++ AHCI_HFLAGS (AHCI_HFLAG_IGN_IRQ_IF_ERR |
++ AHCI_HFLAG_32BIT_ONLY),
++ .flags = AHCI_FLAG_COMMON,
++ .pio_mask = ATA_PIO4,
++ .udma_mask = ATA_UDMA6,
++ .port_ops = &ahci_ops,
++ },
+ [board_ahci_mcp65] = {
+ AHCI_HFLAGS (AHCI_HFLAG_NO_FPDMA_AA | AHCI_HFLAG_NO_PMP |
+ AHCI_HFLAG_YES_NCQ),
+@@ -439,6 +449,10 @@ static const struct pci_device_id ahci_pci_tbl[] = {
+ /* Elkhart Lake IDs 0x4b60 & 0x4b62 https://sata-io.org/product/8803 not tested yet */
+ { PCI_VDEVICE(INTEL, 0x4b63), board_ahci_pcs_quirk }, /* Elkhart Lake AHCI */
+
++ /* JMicron JMB582/585: force 32-bit DMA (broken 64-bit implementation) */
++ { PCI_VDEVICE(JMICRON, 0x0582), board_ahci_jmb585 },
++ { PCI_VDEVICE(JMICRON, 0x0585), board_ahci_jmb585 },
++
+ /* JMicron 360/1/3/5/6, match class to avoid IDE function */
+ { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
+ PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci_ign_iferr },
+--
+2.53.0
+
--- /dev/null
+From 000f04ac77588ec2f0eda8a5331b2a113552a0d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 20:07:26 +0800
+Subject: Bluetooth: hci_sync: annotate data-races around hdev->req_status
+
+From: Cen Zhang <zzzccc427@gmail.com>
+
+[ Upstream commit b6807cfc195ef99e1ac37b2e1e60df40295daa8c ]
+
+__hci_cmd_sync_sk() sets hdev->req_status under hdev->req_lock:
+
+ hdev->req_status = HCI_REQ_PEND;
+
+However, several other functions read or write hdev->req_status without
+holding any lock:
+
+ - hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue)
+ - hci_cmd_sync_complete() reads/writes from HCI event completion
+ - hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write
+ - hci_abort_conn() reads in connection abort path
+
+Since __hci_cmd_sync_sk() runs on hdev->req_workqueue while
+hci_send_cmd_sync() runs on hdev->workqueue, these are different
+workqueues that can execute concurrently on different CPUs. The plain
+C accesses constitute a data race.
+
+Add READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses
+to hdev->req_status to prevent potential compiler optimizations that
+could affect correctness (e.g., load fusing in the wait_event
+condition or store reordering).
+
+Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_conn.c | 2 +-
+ net/bluetooth/hci_core.c | 2 +-
+ net/bluetooth/hci_sync.c | 20 ++++++++++----------
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 24b71ec8897ff..71a24be2a6d67 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -2967,7 +2967,7 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason)
+ * hci_connect_le serializes the connection attempts so only one
+ * connection can be in BT_CONNECT at time.
+ */
+- if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
++ if (conn->state == BT_CONNECT && READ_ONCE(hdev->req_status) == HCI_REQ_PEND) {
+ switch (hci_skb_event(hdev->sent_cmd)) {
+ case HCI_EV_CONN_COMPLETE:
+ case HCI_EV_LE_CONN_COMPLETE:
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 8ccec73dce45c..0f86b81b39730 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -4125,7 +4125,7 @@ static int hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
+ kfree_skb(skb);
+ }
+
+- if (hdev->req_status == HCI_REQ_PEND &&
++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND &&
+ !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) {
+ kfree_skb(hdev->req_skb);
+ hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 9a7bd4a4b14c4..f498ab28f1aa0 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -25,11 +25,11 @@ static void hci_cmd_sync_complete(struct hci_dev *hdev, u8 result, u16 opcode,
+ {
+ bt_dev_dbg(hdev, "result 0x%2.2x", result);
+
+- if (hdev->req_status != HCI_REQ_PEND)
++ if (READ_ONCE(hdev->req_status) != HCI_REQ_PEND)
+ return;
+
+ hdev->req_result = result;
+- hdev->req_status = HCI_REQ_DONE;
++ WRITE_ONCE(hdev->req_status, HCI_REQ_DONE);
+
+ /* Free the request command so it is not used as response */
+ kfree_skb(hdev->req_skb);
+@@ -167,20 +167,20 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
+
+ hci_cmd_sync_add(&req, opcode, plen, param, event, sk);
+
+- hdev->req_status = HCI_REQ_PEND;
++ WRITE_ONCE(hdev->req_status, HCI_REQ_PEND);
+
+ err = hci_req_sync_run(&req);
+ if (err < 0)
+ return ERR_PTR(err);
+
+ err = wait_event_interruptible_timeout(hdev->req_wait_q,
+- hdev->req_status != HCI_REQ_PEND,
++ READ_ONCE(hdev->req_status) != HCI_REQ_PEND,
+ timeout);
+
+ if (err == -ERESTARTSYS)
+ return ERR_PTR(-EINTR);
+
+- switch (hdev->req_status) {
++ switch (READ_ONCE(hdev->req_status)) {
+ case HCI_REQ_DONE:
+ err = -bt_to_errno(hdev->req_result);
+ break;
+@@ -194,7 +194,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
+ break;
+ }
+
+- hdev->req_status = 0;
++ WRITE_ONCE(hdev->req_status, 0);
+ hdev->req_result = 0;
+ skb = hdev->req_rsp;
+ hdev->req_rsp = NULL;
+@@ -665,9 +665,9 @@ void hci_cmd_sync_cancel(struct hci_dev *hdev, int err)
+ {
+ bt_dev_dbg(hdev, "err 0x%2.2x", err);
+
+- if (hdev->req_status == HCI_REQ_PEND) {
++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND) {
+ hdev->req_result = err;
+- hdev->req_status = HCI_REQ_CANCELED;
++ WRITE_ONCE(hdev->req_status, HCI_REQ_CANCELED);
+
+ queue_work(hdev->workqueue, &hdev->cmd_sync_cancel_work);
+ }
+@@ -683,12 +683,12 @@ void hci_cmd_sync_cancel_sync(struct hci_dev *hdev, int err)
+ {
+ bt_dev_dbg(hdev, "err 0x%2.2x", err);
+
+- if (hdev->req_status == HCI_REQ_PEND) {
++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND) {
+ /* req_result is __u32 so error must be positive to be properly
+ * propagated.
+ */
+ hdev->req_result = err < 0 ? -err : err;
+- hdev->req_status = HCI_REQ_CANCELED;
++ WRITE_ONCE(hdev->req_status, HCI_REQ_CANCELED);
+
+ wake_up_interruptible(&hdev->req_wait_q);
+ }
+--
+2.53.0
+
--- /dev/null
+From e648e5e6a5587e49fd47872c4010f629cfef0b50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 07:01:53 -0700
+Subject: bridge: guard local VLAN-0 FDB helpers against NULL vlan group
+
+From: Zijing Yin <yzjaurora@gmail.com>
+
+[ Upstream commit 1979645e1842cb7017525a61a0e0e0beb924d02a ]
+
+When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and
+nbp_vlan_group() return NULL (br_private.h stub definitions). The
+BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and
+reaches br_fdb_delete_locals_per_vlan_port() and
+br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer
+is dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist).
+
+The observed crash is in the delete path, triggered when creating a
+bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0
+via RTM_NEWLINK. The insert helper has the same bug pattern.
+
+ Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI
+ KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]
+ RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310
+ Call Trace:
+ br_fdb_toggle_local_vlan_0+0x452/0x4c0
+ br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276
+ br_boolopt_toggle net/bridge/br.c:313
+ br_boolopt_multi_toggle net/bridge/br.c:364
+ br_changelink net/bridge/br_netlink.c:1542
+ br_dev_newlink net/bridge/br_netlink.c:1575
+
+Add NULL checks for the vlan group pointer in both helpers, returning
+early when there are no VLANs to iterate. This matches the existing
+pattern used by other bridge FDB functions such as br_fdb_add() and
+br_fdb_delete().
+
+Fixes: 21446c06b441 ("net: bridge: Introduce UAPI for BR_BOOLOPT_FDB_LOCAL_VLAN_0")
+Signed-off-by: Zijing Yin <yzjaurora@gmail.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20260402140153.3925663-1-yzjaurora@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 0501ffcb8a3dd..e2c17f620f009 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -597,6 +597,9 @@ static void br_fdb_delete_locals_per_vlan_port(struct net_bridge *br,
+ dev = br->dev;
+ }
+
++ if (!vg)
++ return;
++
+ list_for_each_entry(v, &vg->vlan_list, vlist)
+ br_fdb_find_delete_local(br, p, dev->dev_addr, v->vid);
+ }
+@@ -630,6 +633,9 @@ static int br_fdb_insert_locals_per_vlan_port(struct net_bridge *br,
+ dev = br->dev;
+ }
+
++ if (!vg)
++ return 0;
++
+ list_for_each_entry(v, &vg->vlan_list, vlist) {
+ if (!br_vlan_should_use(v))
+ continue;
+--
+2.53.0
+
--- /dev/null
+From 90707f34107f80b4591ad8564b674a5876d39d1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Feb 2026 14:46:50 +0000
+Subject: btrfs: fix zero size inode with non-zero size after log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 5254d4181add9dfaa5e3519edd71cc8f752b2f85 ]
+
+When logging that an inode exists, as part of logging a new name or
+logging new dir entries for a directory, we always set the generation of
+the logged inode item to 0. This is to signal during log replay (in
+overwrite_item()), that we should not set the i_size since we only logged
+that an inode exists, so the i_size of the inode in the subvolume tree
+must be preserved (as when we log new names or that an inode exists, we
+don't log extents).
+
+This works fine except when we have already logged an inode in full mode
+or it's the first time we are logging an inode created in a past
+transaction, that inode has a new i_size of 0 and then we log a new name
+for the inode (due to a new hardlink or a rename), in which case we log
+an i_size of 0 for the inode and a generation of 0, which causes the log
+replay code to not update the inode's i_size to 0 (in overwrite_item()).
+
+An example scenario:
+
+ mkdir /mnt/dir
+ xfs_io -f -c "pwrite 0 64K" /mnt/dir/foo
+
+ sync
+
+ xfs_io -c "truncate 0" -c "fsync" /mnt/dir/foo
+
+ ln /mnt/dir/foo /mnt/dir/bar
+
+ xfs_io -c "fsync" /mnt/dir
+
+ <power fail>
+
+After log replay the file remains with a size of 64K. This is because when
+we first log the inode, when we fsync file foo, we log its current i_size
+of 0, and then when we create a hard link we log again the inode in exists
+mode (LOG_INODE_EXISTS) but we set a generation of 0 for the inode item we
+add to the log tree, so during log replay overwrite_item() sees that the
+generation is 0 and i_size is 0 so we skip updating the inode's i_size
+from 64K to 0.
+
+Fix this by making sure at fill_inode_item() we always log the real
+generation of the inode if it was logged in the current transaction with
+the i_size we logged before. Also if an inode created in a previous
+transaction is logged in exists mode only, make sure we log the i_size
+stored in the inode item located from the commit root, so that if we log
+multiple times that the inode exists we get the correct i_size.
+
+A test case for fstests will follow soon.
+
+Reported-by: Vyacheslav Kovalevsky <slava.kovalevskiy.2014@gmail.com>
+Link: https://lore.kernel.org/linux-btrfs/af8c15fa-4e41-4bb2-885c-0bc4e97532a6@gmail.com/
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 98 ++++++++++++++++++++++++++++++---------------
+ 1 file changed, 65 insertions(+), 33 deletions(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 7505a87522fd7..c45c5112c0350 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -4608,21 +4608,32 @@ static void fill_inode_item(struct btrfs_trans_handle *trans,
+ struct inode *inode, bool log_inode_only,
+ u64 logged_isize)
+ {
++ u64 gen = BTRFS_I(inode)->generation;
+ u64 flags;
+
+ if (log_inode_only) {
+- /* set the generation to zero so the recover code
+- * can tell the difference between an logging
+- * just to say 'this inode exists' and a logging
+- * to say 'update this inode with these values'
++ /*
++ * Set the generation to zero so the recover code can tell the
++ * difference between a logging just to say 'this inode exists'
++ * and a logging to say 'update this inode with these values'.
++ * But only if the inode was not already logged before.
++ * We access ->logged_trans directly since it was already set
++ * up in the call chain by btrfs_log_inode(), and data_race()
++ * to avoid false alerts from KCSAN and since it was set already
++ * and one can set it to 0 since that only happens on eviction
++ * and we are holding a ref on the inode.
+ */
+- btrfs_set_inode_generation(leaf, item, 0);
++ ASSERT(data_race(BTRFS_I(inode)->logged_trans) > 0);
++ if (data_race(BTRFS_I(inode)->logged_trans) < trans->transid)
++ gen = 0;
++
+ btrfs_set_inode_size(leaf, item, logged_isize);
+ } else {
+- btrfs_set_inode_generation(leaf, item, BTRFS_I(inode)->generation);
+ btrfs_set_inode_size(leaf, item, inode->i_size);
+ }
+
++ btrfs_set_inode_generation(leaf, item, gen);
++
+ btrfs_set_inode_uid(leaf, item, i_uid_read(inode));
+ btrfs_set_inode_gid(leaf, item, i_gid_read(inode));
+ btrfs_set_inode_mode(leaf, item, inode->i_mode);
+@@ -5428,42 +5439,63 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans,
+ return 0;
+ }
+
+-static int logged_inode_size(struct btrfs_root *log, struct btrfs_inode *inode,
+- struct btrfs_path *path, u64 *size_ret)
++static int get_inode_size_to_log(struct btrfs_trans_handle *trans,
++ struct btrfs_inode *inode,
++ struct btrfs_path *path, u64 *size_ret)
+ {
+ struct btrfs_key key;
++ struct btrfs_inode_item *item;
+ int ret;
+
+ key.objectid = btrfs_ino(inode);
+ key.type = BTRFS_INODE_ITEM_KEY;
+ key.offset = 0;
+
+- ret = btrfs_search_slot(NULL, log, &key, path, 0, 0);
+- if (ret < 0) {
+- return ret;
+- } else if (ret > 0) {
+- *size_ret = 0;
+- } else {
+- struct btrfs_inode_item *item;
++ /*
++ * Our caller called inode_logged(), so logged_trans is up to date.
++ * Use data_race() to silence any warning from KCSAN. Once logged_trans
++ * is set, it can only be reset to 0 after inode eviction.
++ */
++ if (data_race(inode->logged_trans) == trans->transid) {
++ ret = btrfs_search_slot(NULL, inode->root->log_root, &key, path, 0, 0);
++ } else if (inode->generation < trans->transid) {
++ path->search_commit_root = true;
++ path->skip_locking = true;
++ ret = btrfs_search_slot(NULL, inode->root, &key, path, 0, 0);
++ path->search_commit_root = false;
++ path->skip_locking = false;
+
+- item = btrfs_item_ptr(path->nodes[0], path->slots[0],
+- struct btrfs_inode_item);
+- *size_ret = btrfs_inode_size(path->nodes[0], item);
+- /*
+- * If the in-memory inode's i_size is smaller then the inode
+- * size stored in the btree, return the inode's i_size, so
+- * that we get a correct inode size after replaying the log
+- * when before a power failure we had a shrinking truncate
+- * followed by addition of a new name (rename / new hard link).
+- * Otherwise return the inode size from the btree, to avoid
+- * data loss when replaying a log due to previously doing a
+- * write that expands the inode's size and logging a new name
+- * immediately after.
+- */
+- if (*size_ret > inode->vfs_inode.i_size)
+- *size_ret = inode->vfs_inode.i_size;
++ } else {
++ *size_ret = 0;
++ return 0;
+ }
+
++ /*
++ * If the inode was logged before or is from a past transaction, then
++ * its inode item must exist in the log root or in the commit root.
++ */
++ ASSERT(ret <= 0);
++ if (WARN_ON_ONCE(ret > 0))
++ ret = -ENOENT;
++
++ if (ret < 0)
++ return ret;
++
++ item = btrfs_item_ptr(path->nodes[0], path->slots[0],
++ struct btrfs_inode_item);
++ *size_ret = btrfs_inode_size(path->nodes[0], item);
++ /*
++ * If the in-memory inode's i_size is smaller then the inode size stored
++ * in the btree, return the inode's i_size, so that we get a correct
++ * inode size after replaying the log when before a power failure we had
++ * a shrinking truncate followed by addition of a new name (rename / new
++ * hard link). Otherwise return the inode size from the btree, to avoid
++ * data loss when replaying a log due to previously doing a write that
++ * expands the inode's size and logging a new name immediately after.
++ */
++ if (*size_ret > inode->vfs_inode.i_size)
++ *size_ret = inode->vfs_inode.i_size;
++
+ btrfs_release_path(path);
+ return 0;
+ }
+@@ -6978,7 +7010,7 @@ static int btrfs_log_inode(struct btrfs_trans_handle *trans,
+ ret = drop_inode_items(trans, log, path, inode,
+ BTRFS_XATTR_ITEM_KEY);
+ } else {
+- if (inode_only == LOG_INODE_EXISTS && ctx->logged_before) {
++ if (inode_only == LOG_INODE_EXISTS) {
+ /*
+ * Make sure the new inode item we write to the log has
+ * the same isize as the current one (if it exists).
+@@ -6992,7 +7024,7 @@ static int btrfs_log_inode(struct btrfs_trans_handle *trans,
+ * (zeroes), as if an expanding truncate happened,
+ * instead of getting a file of 4Kb only.
+ */
+- ret = logged_inode_size(log, inode, path, &logged_isize);
++ ret = get_inode_size_to_log(trans, inode, path, &logged_isize);
+ if (ret)
+ goto out_unlock;
+ }
+--
+2.53.0
+
--- /dev/null
+From ed296a905d6164291593d3b472ad451b4cfeca50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 14:11:39 -0400
+Subject: btrfs: tracepoints: get correct superblock from dentry in event
+ btrfs_sync_file()
+
+From: Goldwyn Rodrigues <rgoldwyn@suse.de>
+
+[ Upstream commit a85b46db143fda5869e7d8df8f258ccef5fa1719 ]
+
+If overlay is used on top of btrfs, dentry->d_sb translates to overlay's
+super block and fsid assignment will lead to a crash.
+
+Use file_inode(file)->i_sb to always get btrfs_sb.
+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/btrfs.h | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h
+index 125bdc166bfed..0864700f76e0a 100644
+--- a/include/trace/events/btrfs.h
++++ b/include/trace/events/btrfs.h
+@@ -769,12 +769,15 @@ TRACE_EVENT(btrfs_sync_file,
+ ),
+
+ TP_fast_assign(
+- const struct dentry *dentry = file->f_path.dentry;
+- const struct inode *inode = d_inode(dentry);
++ struct dentry *dentry = file_dentry(file);
++ struct inode *inode = file_inode(file);
++ struct dentry *parent = dget_parent(dentry);
++ struct inode *parent_inode = d_inode(parent);
+
+- TP_fast_assign_fsid(btrfs_sb(file->f_path.dentry->d_sb));
++ dput(parent);
++ TP_fast_assign_fsid(btrfs_sb(inode->i_sb));
+ __entry->ino = btrfs_ino(BTRFS_I(inode));
+- __entry->parent = btrfs_ino(BTRFS_I(d_inode(dentry->d_parent)));
++ __entry->parent = btrfs_ino(BTRFS_I(parent_inode));
+ __entry->datasync = datasync;
+ __entry->root_objectid = btrfs_root_id(BTRFS_I(inode)->root);
+ ),
+--
+2.53.0
+
--- /dev/null
+From 8cb85856e3aaceae2ecc39c245fac5a74a47f511 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 00:00:22 +0800
+Subject: can: mcp251x: add error handling for power enable in open and resume
+
+From: Wenyuan Li <2063309626@qq.com>
+
+[ Upstream commit 7a57354756c7df223abe2c33774235ad70cb4231 ]
+
+Add missing error handling for mcp251x_power_enable() calls in both
+mcp251x_open() and mcp251x_can_resume() functions.
+
+In mcp251x_open(), if power enable fails, jump to error path to close
+candev without attempting to disable power again.
+
+In mcp251x_can_resume(), properly check return values of power enable calls
+for both power and transceiver regulators. If any fails, return the error
+code to the PM framework and log the failure.
+
+This ensures the driver properly handles power control failures and
+maintains correct device state.
+
+Signed-off-by: Wenyuan Li <2063309626@qq.com>
+Link: https://patch.msgid.link/tencent_F3EFC5D7738AC548857B91657715E2D3AA06@qq.com
+[mkl: fix patch description]
+[mkl: mcp251x_can_resume(): replace goto by return]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/spi/mcp251x.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
+index b46262e791301..5a7aa02092c7e 100644
+--- a/drivers/net/can/spi/mcp251x.c
++++ b/drivers/net/can/spi/mcp251x.c
+@@ -1225,7 +1225,11 @@ static int mcp251x_open(struct net_device *net)
+ }
+
+ mutex_lock(&priv->mcp_lock);
+- mcp251x_power_enable(priv->transceiver, 1);
++ ret = mcp251x_power_enable(priv->transceiver, 1);
++ if (ret) {
++ dev_err(&spi->dev, "failed to enable transceiver power: %pe\n", ERR_PTR(ret));
++ goto out_close_candev;
++ }
+
+ priv->force_quit = 0;
+ priv->tx_skb = NULL;
+@@ -1272,6 +1276,7 @@ static int mcp251x_open(struct net_device *net)
+ mcp251x_hw_sleep(spi);
+ out_close:
+ mcp251x_power_enable(priv->transceiver, 0);
++out_close_candev:
+ close_candev(net);
+ mutex_unlock(&priv->mcp_lock);
+ if (release_irq)
+@@ -1508,11 +1513,25 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev)
+ {
+ struct spi_device *spi = to_spi_device(dev);
+ struct mcp251x_priv *priv = spi_get_drvdata(spi);
++ int ret = 0;
+
+- if (priv->after_suspend & AFTER_SUSPEND_POWER)
+- mcp251x_power_enable(priv->power, 1);
+- if (priv->after_suspend & AFTER_SUSPEND_UP)
+- mcp251x_power_enable(priv->transceiver, 1);
++ if (priv->after_suspend & AFTER_SUSPEND_POWER) {
++ ret = mcp251x_power_enable(priv->power, 1);
++ if (ret) {
++ dev_err(dev, "failed to restore power: %pe\n", ERR_PTR(ret));
++ return ret;
++ }
++ }
++
++ if (priv->after_suspend & AFTER_SUSPEND_UP) {
++ ret = mcp251x_power_enable(priv->transceiver, 1);
++ if (ret) {
++ dev_err(dev, "failed to restore transceiver power: %pe\n", ERR_PTR(ret));
++ if (priv->after_suspend & AFTER_SUSPEND_POWER)
++ mcp251x_power_enable(priv->power, 0);
++ return ret;
++ }
++ }
+
+ if (priv->after_suspend & (AFTER_SUSPEND_POWER | AFTER_SUSPEND_UP))
+ queue_work(priv->wq, &priv->restart_work);
+--
+2.53.0
+
--- /dev/null
+From ff3638ff00c87218340038cfcb28b7446240b4bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 10:54:17 +0200
+Subject: clockevents: Prevent timer interrupt starvation
+
+From: Thomas Gleixner <tglx@kernel.org>
+
+[ Upstream commit d6e152d905bdb1f32f9d99775e2f453350399a6a ]
+
+Calvin reported an odd NMI watchdog lockup which claims that the CPU locked
+up in user space. He provided a reproducer, which sets up a timerfd based
+timer and then rearms it in a loop with an absolute expiry time of 1ns.
+
+As the expiry time is in the past, the timer ends up as the first expiring
+timer in the per CPU hrtimer base and the clockevent device is programmed
+with the minimum delta value. If the machine is fast enough, this ends up
+in a endless loop of programming the delta value to the minimum value
+defined by the clock event device, before the timer interrupt can fire,
+which starves the interrupt and consequently triggers the lockup detector
+because the hrtimer callback of the lockup mechanism is never invoked.
+
+As a first step to prevent this, avoid reprogramming the clock event device
+when:
+ - a forced minimum delta event is pending
+ - the new expiry delta is less then or equal to the minimum delta
+
+Thanks to Calvin for providing the reproducer and to Borislav for testing
+and providing data from his Zen5 machine.
+
+The problem is not limited to Zen5, but depending on the underlying
+clock event device (e.g. TSC deadline timer on Intel) and the CPU speed
+not necessarily observable.
+
+This change serves only as the last resort and further changes will be made
+to prevent this scenario earlier in the call chain as far as possible.
+
+[ tglx: Updated to restore the old behaviour vs. !force and delta <= 0 and
+ fixed up the tick-broadcast handlers as pointed out by Borislav ]
+
+Fixes: d316c57ff6bf ("[PATCH] clockevents: add core functionality")
+Reported-by: Calvin Owens <calvin@wbinvd.org>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Tested-by: Calvin Owens <calvin@wbinvd.org>
+Tested-by: Borislav Petkov <bp@alien8.de>
+Link: https://lore.kernel.org/lkml/acMe-QZUel-bBYUh@mozart.vkv.me/
+Link: https://patch.msgid.link/20260407083247.562657657@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/clockchips.h | 2 ++
+ kernel/time/clockevents.c | 27 +++++++++++++++++++--------
+ kernel/time/hrtimer.c | 1 +
+ kernel/time/tick-broadcast.c | 8 +++++++-
+ kernel/time/tick-common.c | 1 +
+ kernel/time/tick-sched.c | 1 +
+ 6 files changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/clockchips.h b/include/linux/clockchips.h
+index b0df28ddd394b..50cdc9da8d32a 100644
+--- a/include/linux/clockchips.h
++++ b/include/linux/clockchips.h
+@@ -80,6 +80,7 @@ enum clock_event_state {
+ * @shift: nanoseconds to cycles divisor (power of two)
+ * @state_use_accessors:current state of the device, assigned by the core code
+ * @features: features
++ * @next_event_forced: True if the last programming was a forced event
+ * @retries: number of forced programming retries
+ * @set_state_periodic: switch state to periodic
+ * @set_state_oneshot: switch state to oneshot
+@@ -108,6 +109,7 @@ struct clock_event_device {
+ u32 shift;
+ enum clock_event_state state_use_accessors;
+ unsigned int features;
++ unsigned int next_event_forced;
+ unsigned long retries;
+
+ int (*set_state_periodic)(struct clock_event_device *);
+diff --git a/kernel/time/clockevents.c b/kernel/time/clockevents.c
+index a59bc75ab7c5b..e7b0163eeeb44 100644
+--- a/kernel/time/clockevents.c
++++ b/kernel/time/clockevents.c
+@@ -172,6 +172,7 @@ void clockevents_shutdown(struct clock_event_device *dev)
+ {
+ clockevents_switch_state(dev, CLOCK_EVT_STATE_SHUTDOWN);
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+ }
+
+ /**
+@@ -305,7 +306,6 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires,
+ {
+ unsigned long long clc;
+ int64_t delta;
+- int rc;
+
+ if (WARN_ON_ONCE(expires < 0))
+ return -ETIME;
+@@ -324,16 +324,27 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires,
+ return dev->set_next_ktime(expires, dev);
+
+ delta = ktime_to_ns(ktime_sub(expires, ktime_get()));
+- if (delta <= 0)
+- return force ? clockevents_program_min_delta(dev) : -ETIME;
+
+- delta = min(delta, (int64_t) dev->max_delta_ns);
+- delta = max(delta, (int64_t) dev->min_delta_ns);
++ /* Required for tick_periodic() during early boot */
++ if (delta <= 0 && !force)
++ return -ETIME;
++
++ if (delta > (int64_t)dev->min_delta_ns) {
++ delta = min(delta, (int64_t) dev->max_delta_ns);
++ clc = ((unsigned long long) delta * dev->mult) >> dev->shift;
++ if (!dev->set_next_event((unsigned long) clc, dev))
++ return 0;
++ }
+
+- clc = ((unsigned long long) delta * dev->mult) >> dev->shift;
+- rc = dev->set_next_event((unsigned long) clc, dev);
++ if (dev->next_event_forced)
++ return 0;
+
+- return (rc && force) ? clockevents_program_min_delta(dev) : rc;
++ if (dev->set_next_event(dev->min_delta_ticks, dev)) {
++ if (!force || clockevents_program_min_delta(dev))
++ return -ETIME;
++ }
++ dev->next_event_forced = 1;
++ return 0;
+ }
+
+ /*
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 21b6d93401480..fde64bfed98fe 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1880,6 +1880,7 @@ void hrtimer_interrupt(struct clock_event_device *dev)
+ BUG_ON(!cpu_base->hres_active);
+ cpu_base->nr_events++;
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+
+ raw_spin_lock_irqsave(&cpu_base->lock, flags);
+ entry_time = now = hrtimer_update_base(cpu_base);
+diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c
+index 0207868c8b4d2..e411a378db949 100644
+--- a/kernel/time/tick-broadcast.c
++++ b/kernel/time/tick-broadcast.c
+@@ -76,8 +76,10 @@ const struct clock_event_device *tick_get_wakeup_device(int cpu)
+ */
+ static void tick_broadcast_start_periodic(struct clock_event_device *bc)
+ {
+- if (bc)
++ if (bc) {
++ bc->next_event_forced = 0;
+ tick_setup_periodic(bc, 1);
++ }
+ }
+
+ /*
+@@ -403,6 +405,7 @@ static void tick_handle_periodic_broadcast(struct clock_event_device *dev)
+ bool bc_local;
+
+ raw_spin_lock(&tick_broadcast_lock);
++ tick_broadcast_device.evtdev->next_event_forced = 0;
+
+ /* Handle spurious interrupts gracefully */
+ if (clockevent_state_shutdown(tick_broadcast_device.evtdev)) {
+@@ -696,6 +699,7 @@ static void tick_handle_oneshot_broadcast(struct clock_event_device *dev)
+
+ raw_spin_lock(&tick_broadcast_lock);
+ dev->next_event = KTIME_MAX;
++ tick_broadcast_device.evtdev->next_event_forced = 0;
+ next_event = KTIME_MAX;
+ cpumask_clear(tmpmask);
+ now = ktime_get();
+@@ -1063,6 +1067,7 @@ static void tick_broadcast_setup_oneshot(struct clock_event_device *bc,
+
+
+ bc->event_handler = tick_handle_oneshot_broadcast;
++ bc->next_event_forced = 0;
+ bc->next_event = KTIME_MAX;
+
+ /*
+@@ -1175,6 +1180,7 @@ void hotplug_cpu__broadcast_tick_pull(int deadcpu)
+ }
+
+ /* This moves the broadcast assignment to this CPU: */
++ bc->next_event_forced = 0;
+ clockevents_program_event(bc, bc->next_event, 1);
+ }
+ raw_spin_unlock_irqrestore(&tick_broadcast_lock, flags);
+diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c
+index 7e33d3f2e889b..b0c669a7745a7 100644
+--- a/kernel/time/tick-common.c
++++ b/kernel/time/tick-common.c
+@@ -110,6 +110,7 @@ void tick_handle_periodic(struct clock_event_device *dev)
+ int cpu = smp_processor_id();
+ ktime_t next = dev->next_event;
+
++ dev->next_event_forced = 0;
+ tick_periodic(cpu);
+
+ /*
+diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
+index 466e083c82721..36f27a8ae6c03 100644
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -1482,6 +1482,7 @@ static void tick_nohz_lowres_handler(struct clock_event_device *dev)
+ struct tick_sched *ts = this_cpu_ptr(&tick_cpu_sched);
+
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+
+ if (likely(tick_nohz_handler(&ts->sched_timer) == HRTIMER_RESTART))
+ tick_program_event(hrtimer_get_expires(&ts->sched_timer), 1);
+--
+2.53.0
+
--- /dev/null
+From e9da25e29b3905023b0dfb5ffc4882a73fb12320 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2026 08:29:58 +0800
+Subject: crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 31d00156e50ecad37f2cb6cbf04aaa9a260505ef ]
+
+When page reassignment was added to af_alg_pull_tsgl the original
+loop wasn't updated so it may try to reassign one more page than
+necessary.
+
+Add the check to the reassignment so that this does not happen.
+
+Also update the comment which still refers to the obsolete offset
+argument.
+
+Reported-by: syzbot+d23888375c2737c17ba5@syzkaller.appspotmail.com
+Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/af_alg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index 6867d177f2a2d..b61c3ba126ed1 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -705,8 +705,8 @@ void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst)
+ * Assumption: caller created af_alg_count_tsgl(len)
+ * SG entries in dst.
+ */
+- if (dst) {
+- /* reassign page to dst after offset */
++ if (dst && plen) {
++ /* reassign page to dst */
+ get_page(page);
+ sg_set_page(dst + j, page, plen, sg[i].offset);
+ j++;
+--
+2.53.0
+
--- /dev/null
+From c2b477593ad2b19d860ceb7c6b0cd2f3beacd327 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 23:34:55 +0800
+Subject: crypto: af_alg - limit RX SG extraction by receive buffer budget
+
+From: Douya Le <ldy3087146292@gmail.com>
+
+[ Upstream commit 8eceab19eba9dcbfd2a0daec72e1bf48aa100170 ]
+
+Make af_alg_get_rsgl() limit each RX scatterlist extraction to the
+remaining receive buffer budget.
+
+af_alg_get_rsgl() currently uses af_alg_readable() only as a gate
+before extracting data into the RX scatterlist. Limit each extraction
+to the remaining af_alg_rcvbuf(sk) budget so that receive-side
+accounting matches the amount of data attached to the request.
+
+If skcipher cannot obtain enough RX space for at least one chunk while
+more data remains to be processed, reject the recvmsg call instead of
+rounding the request length down to zero.
+
+Fixes: e870456d8e7c8d57c059ea479b5aadbb55ff4c3a ("crypto: algif_skcipher - overhaul memory management")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Douya Le <ldy3087146292@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/af_alg.c | 2 ++
+ crypto/algif_skcipher.c | 5 +++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index 3236601aa6dc0..6867d177f2a2d 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -1229,6 +1229,8 @@ int af_alg_get_rsgl(struct sock *sk, struct msghdr *msg, int flags,
+
+ seglen = min_t(size_t, (maxsize - len),
+ msg_data_left(msg));
++ /* Never pin more pages than the remaining RX accounting budget. */
++ seglen = min_t(size_t, seglen, af_alg_rcvbuf(sk));
+
+ if (list_empty(&areq->rsgl_list)) {
+ rsgl = &areq->first_rsgl;
+diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
+index 82735e51be108..ba0a17fd95aca 100644
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -130,6 +130,11 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
+ * full block size buffers.
+ */
+ if (ctx->more || len < ctx->used) {
++ if (len < bs) {
++ err = -EINVAL;
++ goto free;
++ }
++
+ len -= len % bs;
+ cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL;
+ }
+--
+2.53.0
+
--- /dev/null
+From 17e74a9c0e1b5ee289a241477800a8ce2c1c5108 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Apr 2026 13:32:21 +0800
+Subject: crypto: algif_aead - Fix minimum RX size check for decryption
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ]
+
+The check for the minimum receive buffer size did not take the
+tag size into account during decryption. Fix this by adding the
+required extra length.
+
+Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
+Reported-by: Daniel Pouzzner <douzzer@mega.nu>
+Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/algif_aead.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
+index dda15bb05e892..f8bd45f7dc839 100644
+--- a/crypto/algif_aead.c
++++ b/crypto/algif_aead.c
+@@ -144,7 +144,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
+ if (usedpages < outlen) {
+ size_t less = outlen - usedpages;
+
+- if (used < less) {
++ if (used < less + (ctx->enc ? 0 : as)) {
+ err = -EINVAL;
+ goto free;
+ }
+--
+2.53.0
+
--- /dev/null
+From 9f813313e8457f4a4c60fa0a36da4ca8a5fe2bdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 22:27:30 -0400
+Subject: devlink: Fix incorrect skb socket family dumping
+
+From: Li RongQing <lirongqing@baidu.com>
+
+[ Upstream commit 0006c6f1091bbeea88b8a88a6548b9fb2f803c74 ]
+
+The devlink_fmsg_dump_skb function was incorrectly using the socket
+type (sk->sk_type) instead of the socket family (sk->sk_family)
+when filling the "family" field in the fast message dump.
+
+This patch fixes this to properly display the socket family.
+
+Fixes: 3dbfde7f6bc7b8 ("devlink: add devlink_fmsg_dump_skb() function")
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Link: https://patch.msgid.link/20260407022730.2393-1-lirongqing@baidu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/devlink/health.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/devlink/health.c b/net/devlink/health.c
+index 136a67c36a20d..0798c82096bdc 100644
+--- a/net/devlink/health.c
++++ b/net/devlink/health.c
+@@ -1327,7 +1327,7 @@ void devlink_fmsg_dump_skb(struct devlink_fmsg *fmsg, const struct sk_buff *skb)
+ if (sk) {
+ devlink_fmsg_pair_nest_start(fmsg, "sk");
+ devlink_fmsg_obj_nest_start(fmsg);
+- devlink_fmsg_put(fmsg, "family", sk->sk_type);
++ devlink_fmsg_put(fmsg, "family", sk->sk_family);
+ devlink_fmsg_put(fmsg, "type", sk->sk_type);
+ devlink_fmsg_put(fmsg, "proto", sk->sk_protocol);
+ devlink_fmsg_obj_nest_end(fmsg);
+--
+2.53.0
+
--- /dev/null
+From de0e66f68ed8e905b62cfaaa8b9ee1f5528e5f04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 17:41:56 +0500
+Subject: dma-debug: suppress cacheline overlap warning when arch has no DMA
+ alignment requirement
+
+From: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+
+[ Upstream commit 3d48c9fd78dd0b1809669ec49c4d0997b8127512 ]
+
+When CONFIG_DMA_API_DEBUG is enabled, the DMA debug infrastructure
+tracks active mappings per cacheline and warns if two different DMA
+mappings share the same cacheline ("cacheline tracking EEXIST,
+overlapping mappings aren't supported").
+
+On x86_64, ARCH_KMALLOC_MINALIGN defaults to 8, so small kmalloc
+allocations (e.g. the 8-byte hub->buffer and hub->status in the USB
+hub driver) frequently land in the same 64-byte cacheline. When both
+are DMA-mapped, this triggers a false positive warning.
+
+This has been reported repeatedly since v5.14 (when the EEXIST check
+was added) across various USB host controllers and devices including
+xhci_hcd with USB hubs, USB audio devices, and USB ethernet adapters.
+
+The cacheline overlap is only a real concern on architectures that
+require DMA buffer alignment to cacheline boundaries (i.e. where
+ARCH_DMA_MINALIGN >= L1_CACHE_BYTES). On architectures like x86_64
+where dma_get_cache_alignment() returns 1, the hardware is
+cache-coherent and overlapping cacheline mappings are harmless.
+
+Suppress the EEXIST warning when dma_get_cache_alignment() is less
+than L1_CACHE_BYTES, indicating the architecture does not require
+cacheline-aligned DMA buffers.
+
+Verified with a kernel module reproducer that performs two kmalloc(8)
+allocations back-to-back and DMA-maps both:
+
+ Before: allocations share a cacheline, EEXIST fires within ~50 pairs
+ After: same cacheline pair found, but no warning emitted
+
+Fixes: 2b4bbc6231d7 ("dma-debug: report -EEXIST errors in add_dma_entry")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215740
+Suggested-by: Harry Yoo <harry@kernel.org>
+Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Link: https://lore.kernel.org/r/20260327124156.24820-1-mikhail.v.gavrilov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/dma/debug.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c
+index 43d6a996d7a78..596ea7abbda15 100644
+--- a/kernel/dma/debug.c
++++ b/kernel/dma/debug.c
+@@ -614,6 +614,7 @@ static void add_dma_entry(struct dma_debug_entry *entry, unsigned long attrs)
+ } else if (rc == -EEXIST &&
+ !(attrs & DMA_ATTR_SKIP_CPU_SYNC) &&
+ !(entry->is_cache_clean && overlap_cache_clean) &&
++ dma_get_cache_alignment() >= L1_CACHE_BYTES &&
+ !(IS_ENABLED(CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC) &&
+ is_swiotlb_active(entry->dev))) {
+ err_printk(entry->dev, entry,
+--
+2.53.0
+
--- /dev/null
+From f6af8c4088b3693fd09b166fc071f52f5dc5a54f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Dec 2025 14:38:31 -0500
+Subject: dma-debug: track cache clean flag in entries
+
+From: Michael S. Tsirkin <mst@redhat.com>
+
+[ Upstream commit d5d846513128c1a3bc2f2d371f6e903177dea443 ]
+
+If a driver is buggy and has 2 overlapping mappings but only
+sets cache clean flag on the 1st one of them, we warn.
+But if it only does it for the 2nd one, we don't.
+
+Fix by tracking cache clean flag in the entry.
+
+Message-ID: <0ffb3513d18614539c108b4548cdfbc64274a7d1.1767601130.git.mst@redhat.com>
+Reviewed-by: Petr Tesarik <ptesarik@suse.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: 3d48c9fd78dd ("dma-debug: suppress cacheline overlap warning when arch has no DMA alignment requirement")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/dma/debug.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c
+index 7e66d863d573f..43d6a996d7a78 100644
+--- a/kernel/dma/debug.c
++++ b/kernel/dma/debug.c
+@@ -63,6 +63,7 @@ enum map_err_types {
+ * @sg_mapped_ents: 'mapped_ents' from dma_map_sg
+ * @paddr: physical start address of the mapping
+ * @map_err_type: track whether dma_mapping_error() was checked
++ * @is_cache_clean: driver promises not to write to buffer while mapped
+ * @stack_len: number of backtrace entries in @stack_entries
+ * @stack_entries: stack of backtrace history
+ */
+@@ -76,7 +77,8 @@ struct dma_debug_entry {
+ int sg_call_ents;
+ int sg_mapped_ents;
+ phys_addr_t paddr;
+- enum map_err_types map_err_type;
++ enum map_err_types map_err_type;
++ bool is_cache_clean;
+ #ifdef CONFIG_STACKTRACE
+ unsigned int stack_len;
+ unsigned long stack_entries[DMA_DEBUG_STACKTRACE_ENTRIES];
+@@ -472,12 +474,15 @@ static int active_cacheline_dec_overlap(phys_addr_t cln)
+ return active_cacheline_set_overlap(cln, --overlap);
+ }
+
+-static int active_cacheline_insert(struct dma_debug_entry *entry)
++static int active_cacheline_insert(struct dma_debug_entry *entry,
++ bool *overlap_cache_clean)
+ {
+ phys_addr_t cln = to_cacheline_number(entry);
+ unsigned long flags;
+ int rc;
+
++ *overlap_cache_clean = false;
++
+ /* If the device is not writing memory then we don't have any
+ * concerns about the cpu consuming stale data. This mitigates
+ * legitimate usages of overlapping mappings.
+@@ -487,8 +492,16 @@ static int active_cacheline_insert(struct dma_debug_entry *entry)
+
+ spin_lock_irqsave(&radix_lock, flags);
+ rc = radix_tree_insert(&dma_active_cacheline, cln, entry);
+- if (rc == -EEXIST)
++ if (rc == -EEXIST) {
++ struct dma_debug_entry *existing;
++
+ active_cacheline_inc_overlap(cln);
++ existing = radix_tree_lookup(&dma_active_cacheline, cln);
++ /* A lookup failure here after we got -EEXIST is unexpected. */
++ WARN_ON(!existing);
++ if (existing)
++ *overlap_cache_clean = existing->is_cache_clean;
++ }
+ spin_unlock_irqrestore(&radix_lock, flags);
+
+ return rc;
+@@ -583,20 +596,24 @@ DEFINE_SHOW_ATTRIBUTE(dump);
+ */
+ static void add_dma_entry(struct dma_debug_entry *entry, unsigned long attrs)
+ {
++ bool overlap_cache_clean;
+ struct hash_bucket *bucket;
+ unsigned long flags;
+ int rc;
+
++ entry->is_cache_clean = !!(attrs & DMA_ATTR_CPU_CACHE_CLEAN);
++
+ bucket = get_hash_bucket(entry, &flags);
+ hash_bucket_add(bucket, entry);
+ put_hash_bucket(bucket, flags);
+
+- rc = active_cacheline_insert(entry);
++ rc = active_cacheline_insert(entry, &overlap_cache_clean);
+ if (rc == -ENOMEM) {
+ pr_err_once("cacheline tracking ENOMEM, dma-debug disabled\n");
+ global_disable = true;
+ } else if (rc == -EEXIST &&
+- !(attrs & (DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_CPU_CACHE_CLEAN)) &&
++ !(attrs & DMA_ATTR_SKIP_CPU_SYNC) &&
++ !(entry->is_cache_clean && overlap_cache_clean) &&
+ !(IS_ENABLED(CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC) &&
+ is_swiotlb_active(entry->dev))) {
+ err_printk(entry->dev, entry,
+--
+2.53.0
+
--- /dev/null
+From 74bb2d846875e2b9dcafe45e8a3b68cee4136ee9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Dec 2025 07:28:43 -0500
+Subject: dma-mapping: add DMA_ATTR_CPU_CACHE_CLEAN
+
+From: Michael S. Tsirkin <mst@redhat.com>
+
+[ Upstream commit 61868dc55a119a5e4b912d458fc2c48ba80a35fe ]
+
+When multiple small DMA_FROM_DEVICE or DMA_BIDIRECTIONAL buffers share a
+cacheline, and DMA_API_DEBUG is enabled, we get this warning:
+ cacheline tracking EEXIST, overlapping mappings aren't supported.
+
+This is because when one of the mappings is removed, while another one
+is active, CPU might write into the buffer.
+
+Add an attribute for the driver to promise not to do this, making the
+overlapping safe, and suppressing the warning.
+
+Message-ID: <2d5d091f9d84b68ea96abd545b365dd1d00bbf48.1767601130.git.mst@redhat.com>
+Reviewed-by: Petr Tesarik <ptesarik@suse.com>
+Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: 3d48c9fd78dd ("dma-debug: suppress cacheline overlap warning when arch has no DMA alignment requirement")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/dma-mapping.h | 7 +++++++
+ kernel/dma/debug.c | 3 ++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/dma-mapping.h b/include/linux/dma-mapping.h
+index 190eab9f5e8c2..3e63046b899bc 100644
+--- a/include/linux/dma-mapping.h
++++ b/include/linux/dma-mapping.h
+@@ -78,6 +78,13 @@
+ */
+ #define DMA_ATTR_MMIO (1UL << 10)
+
++/*
++ * DMA_ATTR_CPU_CACHE_CLEAN: Indicates the CPU will not dirty any cacheline
++ * overlapping this buffer while it is mapped for DMA. All mappings sharing
++ * a cacheline must have this attribute for this to be considered safe.
++ */
++#define DMA_ATTR_CPU_CACHE_CLEAN (1UL << 11)
++
+ /*
+ * A dma_addr_t can hold any valid DMA or bus address for the platform. It can
+ * be given to a device to use as a DMA source or target. It is specific to a
+diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c
+index 138ede653de40..7e66d863d573f 100644
+--- a/kernel/dma/debug.c
++++ b/kernel/dma/debug.c
+@@ -595,7 +595,8 @@ static void add_dma_entry(struct dma_debug_entry *entry, unsigned long attrs)
+ if (rc == -ENOMEM) {
+ pr_err_once("cacheline tracking ENOMEM, dma-debug disabled\n");
+ global_disable = true;
+- } else if (rc == -EEXIST && !(attrs & DMA_ATTR_SKIP_CPU_SYNC) &&
++ } else if (rc == -EEXIST &&
++ !(attrs & (DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_CPU_CACHE_CLEAN)) &&
+ !(IS_ENABLED(CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC) &&
+ is_swiotlb_active(entry->dev))) {
+ err_printk(entry->dev, entry,
+--
+2.53.0
+
--- /dev/null
+From a1c936ee5c8b5f3518acea807d8468a81b996d5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 10:34:27 -0800
+Subject: dmaengine: idxd: Fix lockdep warnings when calling
+ idxd_device_config()
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit caf91cdf2de8b7134749d32cd4ae5520b108abb7 ]
+
+Move the check for IDXD_FLAG_CONFIGURABLE and the locking to "inside"
+idxd_device_config(), as this is common to all callers, and the one
+that wasn't holding the lock was an error (that was causing the
+lockdep warning).
+
+Suggested-by: Dave Jiang <dave.jiang@intel.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-1-7ed70658a9d1@intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/idxd/device.c | 17 +++++++----------
+ drivers/dma/idxd/init.c | 10 ++++------
+ 2 files changed, 11 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c
+index 646d7f767afa3..746d9edbba164 100644
+--- a/drivers/dma/idxd/device.c
++++ b/drivers/dma/idxd/device.c
+@@ -1106,7 +1106,11 @@ int idxd_device_config(struct idxd_device *idxd)
+ {
+ int rc;
+
+- lockdep_assert_held(&idxd->dev_lock);
++ guard(spinlock)(&idxd->dev_lock);
++
++ if (!test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags))
++ return 0;
++
+ rc = idxd_wqs_setup(idxd);
+ if (rc < 0)
+ return rc;
+@@ -1433,11 +1437,7 @@ int idxd_drv_enable_wq(struct idxd_wq *wq)
+ }
+ }
+
+- rc = 0;
+- spin_lock(&idxd->dev_lock);
+- if (test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags))
+- rc = idxd_device_config(idxd);
+- spin_unlock(&idxd->dev_lock);
++ rc = idxd_device_config(idxd);
+ if (rc < 0) {
+ dev_dbg(dev, "Writing wq %d config failed: %d\n", wq->id, rc);
+ goto err;
+@@ -1532,10 +1532,7 @@ int idxd_device_drv_probe(struct idxd_dev *idxd_dev)
+ }
+
+ /* Device configuration */
+- spin_lock(&idxd->dev_lock);
+- if (test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags))
+- rc = idxd_device_config(idxd);
+- spin_unlock(&idxd->dev_lock);
++ rc = idxd_device_config(idxd);
+ if (rc < 0)
+ return -ENXIO;
+
+diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c
+index f2b37c63a964c..afba88f9c3e43 100644
+--- a/drivers/dma/idxd/init.c
++++ b/drivers/dma/idxd/init.c
+@@ -1094,12 +1094,10 @@ static void idxd_reset_done(struct pci_dev *pdev)
+ idxd_device_config_restore(idxd, idxd->idxd_saved);
+
+ /* Re-configure IDXD device if allowed. */
+- if (test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags)) {
+- rc = idxd_device_config(idxd);
+- if (rc < 0) {
+- dev_err(dev, "HALT: %s config fails\n", idxd_name);
+- goto out;
+- }
++ rc = idxd_device_config(idxd);
++ if (rc < 0) {
++ dev_err(dev, "HALT: %s config fails\n", idxd_name);
++ goto out;
+ }
+
+ /* Bind IDXD device to driver. */
+--
+2.53.0
+
--- /dev/null
+From dcd9a3b712c68c132d4b915d72e6a585017f0b21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 09:58:36 +0530
+Subject: drm/amdgpu: Handle GPU page faults correctly on non-4K page systems
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Donet Tom <donettom@linux.ibm.com>
+
+[ Upstream commit 4e9597f22a3cb8600c72fc266eaac57981d834c8 ]
+
+During a GPU page fault, the driver restores the SVM range and then maps it
+into the GPU page tables. The current implementation passes a GPU-page-size
+(4K-based) PFN to svm_range_restore_pages() to restore the range.
+
+SVM ranges are tracked using system-page-size PFNs. On systems where the
+system page size is larger than 4K, using GPU-page-size PFNs to restore the
+range causes two problems:
+
+Range lookup fails:
+Because the restore function receives PFNs in GPU (4K) units, the SVM
+range lookup does not find the existing range. This will result in a
+duplicate SVM range being created.
+
+VMA lookup failure:
+The restore function also tries to locate the VMA for the faulting address.
+It converts the GPU-page-size PFN into an address using the system page
+size, which results in an incorrect address on non-4K page-size systems.
+As a result, the VMA lookup fails with the message: "address 0xxxx VMA is
+removed".
+
+This patch passes the system-page-size PFN to svm_range_restore_pages() so
+that the SVM range is restored correctly on non-4K page systems.
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Donet Tom <donettom@linux.ibm.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 074fe395fb13247b057f60004c7ebcca9f38ef46)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+index f2e00f408156c..69080e3734891 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+@@ -2960,14 +2960,14 @@ bool amdgpu_vm_handle_fault(struct amdgpu_device *adev, u32 pasid,
+ if (!root)
+ return false;
+
+- addr /= AMDGPU_GPU_PAGE_SIZE;
+-
+ if (is_compute_context && !svm_range_restore_pages(adev, pasid, vmid,
+- node_id, addr, ts, write_fault)) {
++ node_id, addr >> PAGE_SHIFT, ts, write_fault)) {
+ amdgpu_bo_unref(&root);
+ return true;
+ }
+
++ addr /= AMDGPU_GPU_PAGE_SIZE;
++
+ r = amdgpu_bo_reserve(root, true);
+ if (r)
+ goto error_unref;
+--
+2.53.0
+
--- /dev/null
+From 817481b1f6844dbe154d5c1f9a47efa5f1d62e0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 09:58:39 +0530
+Subject: drm/amdkfd: Fix queue preemption/eviction failures by aligning
+ control stack size to GPU page size
+
+From: Donet Tom <donettom@linux.ibm.com>
+
+[ Upstream commit 78746a474e92fc7aaed12219bec7c78ae1bd6156 ]
+
+The control stack size is calculated based on the number of CUs and
+waves, and is then aligned to PAGE_SIZE. When the resulting control
+stack size is aligned to 64 KB, GPU hangs and queue preemption
+failures are observed while running RCCL unit tests on systems with
+more than two GPUs.
+
+amdgpu 0048:0f:00.0: amdgpu: Queue preemption failed for queue with
+doorbell_id: 80030008
+amdgpu 0048:0f:00.0: amdgpu: Failed to evict process queues
+amdgpu 0048:0f:00.0: amdgpu: GPU reset begin!. Source: 4
+amdgpu 0048:0f:00.0: amdgpu: Queue preemption failed for queue with
+doorbell_id: 80030008
+amdgpu 0048:0f:00.0: amdgpu: Failed to evict process queues
+amdgpu 0048:0f:00.0: amdgpu: Failed to restore process queues
+
+This issue is observed on both 4 KB and 64 KB system page-size
+configurations.
+
+This patch fixes the issue by aligning the control stack size to
+AMDGPU_GPU_PAGE_SIZE instead of PAGE_SIZE, so the control stack size
+will not be 64 KB on systems with a 64 KB page size and queue
+preemption works correctly.
+
+Additionally, In the current code, wg_data_size is aligned to PAGE_SIZE,
+which can waste memory if the system page size is large. In this patch,
+wg_data_size is aligned to AMDGPU_GPU_PAGE_SIZE. The cwsr_size, calculated
+from wg_data_size and the control stack size, is aligned to PAGE_SIZE.
+
+Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
+Signed-off-by: Donet Tom <donettom@linux.ibm.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit a3e14436304392fbada359edd0f1d1659850c9b7)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_queue.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_queue.c b/drivers/gpu/drm/amd/amdkfd/kfd_queue.c
+index 2822c90bd7be4..b97f4a51db6e3 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_queue.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_queue.c
+@@ -444,10 +444,11 @@ void kfd_queue_ctx_save_restore_size(struct kfd_topology_device *dev)
+ min(cu_num * 40, props->array_count / props->simd_arrays_per_engine * 512)
+ : cu_num * 32;
+
+- wg_data_size = ALIGN(cu_num * WG_CONTEXT_DATA_SIZE_PER_CU(gfxv, props), PAGE_SIZE);
++ wg_data_size = ALIGN(cu_num * WG_CONTEXT_DATA_SIZE_PER_CU(gfxv, props),
++ AMDGPU_GPU_PAGE_SIZE);
+ ctl_stack_size = wave_num * CNTL_STACK_BYTES_PER_WAVE(gfxv) + 8;
+ ctl_stack_size = ALIGN(SIZEOF_HSA_USER_CONTEXT_SAVE_AREA_HEADER + ctl_stack_size,
+- PAGE_SIZE);
++ AMDGPU_GPU_PAGE_SIZE);
+
+ if ((gfxv / 10000 * 10000) == 100000) {
+ /* HW design limits control stack size to 0x7000.
+@@ -459,7 +460,7 @@ void kfd_queue_ctx_save_restore_size(struct kfd_topology_device *dev)
+
+ props->ctl_stack_size = ctl_stack_size;
+ props->debug_memory_size = ALIGN(wave_num * DEBUGGER_BYTES_PER_WAVE, DEBUGGER_BYTES_ALIGN);
+- props->cwsr_size = ctl_stack_size + wg_data_size;
++ props->cwsr_size = ALIGN(ctl_stack_size + wg_data_size, PAGE_SIZE);
+
+ if (gfxv == 80002) /* GFX_VERSION_TONGA */
+ props->eop_buffer_size = 0x8000;
+--
+2.53.0
+
--- /dev/null
+From 49126120cf4942cb01fff5b4c7d9dab1b0e40efe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:45 -0300
+Subject: drm/vc4: Fix a memory leak in hang state error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit 9525d169e5fd481538cf8c663cc5839e54f2e481 ]
+
+When vc4_save_hang_state() encounters an early return condition, it
+returns without freeing the previously allocated `kernel_state`,
+leaking memory.
+
+Add the missing kfree() calls by consolidating the early return paths
+into a single place.
+
+Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-3-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index 6238630e46793..6887631f2d8be 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -170,10 +170,8 @@ vc4_save_hang_state(struct drm_device *dev)
+ spin_lock_irqsave(&vc4->job_lock, irqflags);
+ exec[0] = vc4_first_bin_job(vc4);
+ exec[1] = vc4_first_render_job(vc4);
+- if (!exec[0] && !exec[1]) {
+- spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+- return;
+- }
++ if (!exec[0] && !exec[1])
++ goto err_free_state;
+
+ /* Get the bos from both binner and renderer into hang state. */
+ state->bo_count = 0;
+@@ -190,10 +188,8 @@ vc4_save_hang_state(struct drm_device *dev)
+ kernel_state->bo = kcalloc(state->bo_count,
+ sizeof(*kernel_state->bo), GFP_ATOMIC);
+
+- if (!kernel_state->bo) {
+- spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+- return;
+- }
++ if (!kernel_state->bo)
++ goto err_free_state;
+
+ k = 0;
+ for (i = 0; i < 2; i++) {
+@@ -285,6 +281,12 @@ vc4_save_hang_state(struct drm_device *dev)
+ vc4->hang_state = kernel_state;
+ spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+ }
++
++ return;
++
++err_free_state:
++ spin_unlock_irqrestore(&vc4->job_lock, irqflags);
++ kfree(kernel_state);
+ }
+
+ static void
+--
+2.53.0
+
--- /dev/null
+From a66901f5a898555c3ae9abf82cdcfc389b211fd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:44 -0300
+Subject: drm/vc4: Fix memory leak of BO array in hang state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit f4dfd6847b3e5d24e336bca6057485116d17aea4 ]
+
+The hang state's BO array is allocated separately with kzalloc() in
+vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the
+missing kfree() for the BO array before freeing the hang state struct.
+
+Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-2-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index 255e5817618e3..6238630e46793 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -61,6 +61,7 @@ vc4_free_hang_state(struct drm_device *dev, struct vc4_hang_state *state)
+ for (i = 0; i < state->user_state.bo_count; i++)
+ drm_gem_object_put(state->bo[i]);
+
++ kfree(state->bo);
+ kfree(state);
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 62c9e80de5fefcf8811368f918a54532712cfbf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:46 -0300
+Subject: drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit 338c56050d8e892604da97f67bfa8cc4015a955f ]
+
+The mmap callback reads bo->madv without holding madv_lock, racing with
+concurrent DRM_IOCTL_VC4_GEM_MADVISE calls that modify the field under
+the same lock. Add the missing locking to prevent the data race.
+
+Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-4-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_bo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c
+index 4aaa587be3a5e..a1efda9c39f92 100644
+--- a/drivers/gpu/drm/vc4/vc4_bo.c
++++ b/drivers/gpu/drm/vc4/vc4_bo.c
+@@ -738,12 +738,15 @@ static int vc4_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct
+ return -EINVAL;
+ }
+
++ mutex_lock(&bo->madv_lock);
+ if (bo->madv != VC4_MADV_WILLNEED) {
+ DRM_DEBUG("mmapping of %s BO not allowed\n",
+ bo->madv == VC4_MADV_DONTNEED ?
+ "purgeable" : "purged");
++ mutex_unlock(&bo->madv_lock);
+ return -EINVAL;
+ }
++ mutex_unlock(&bo->madv_lock);
+
+ return drm_gem_dma_mmap(&bo->base, vma);
+ }
+--
+2.53.0
+
--- /dev/null
+From 649bf7adec8fe0c3131ac4c9739bfb4206468c28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:43 -0300
+Subject: drm/vc4: Release runtime PM reference after binding V3D
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit aaefbdde9abdc43699e110679c0e10972a5e1c59 ]
+
+The vc4_v3d_bind() function acquires a runtime PM reference via
+pm_runtime_resume_and_get() to access V3D registers during setup.
+However, this reference is never released after a successful bind.
+This prevents the device from ever runtime suspending, since the
+reference count never reaches zero.
+
+Release the runtime PM reference by adding pm_runtime_put_autosuspend()
+after autosuspend is configured, allowing the device to runtime suspend
+after the delay.
+
+Fixes: 266cff37d7fc ("drm/vc4: v3d: Rework the runtime_pm setup")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-1-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_v3d.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_v3d.c b/drivers/gpu/drm/vc4/vc4_v3d.c
+index bb09df5000bda..e470412851cc8 100644
+--- a/drivers/gpu/drm/vc4/vc4_v3d.c
++++ b/drivers/gpu/drm/vc4/vc4_v3d.c
+@@ -479,6 +479,7 @@ static int vc4_v3d_bind(struct device *dev, struct device *master, void *data)
+
+ pm_runtime_use_autosuspend(dev);
+ pm_runtime_set_autosuspend_delay(dev, 40); /* a little over 2 frames. */
++ pm_runtime_put_autosuspend(dev);
+
+ return 0;
+
+--
+2.53.0
+
--- /dev/null
+From e95fa168d91d6a3eb85e407fdc4be4398ce88255 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Mar 2026 18:27:10 -0700
+Subject: drm/xe: Fix bug in idledly unit conversion
+
+From: Vinay Belgaumkar <vinay.belgaumkar@intel.com>
+
+[ Upstream commit 7596459f3c93d8d45a1bf12d4d7526b50c15baa2 ]
+
+We only need to convert to picosecond units before writing to RING_IDLEDLY.
+
+Fixes: 7c53ff050ba8 ("drm/xe: Apply Wa_16023105232")
+Cc: Tangudu Tilak Tirumalesh <tilak.tirumalesh.tangudu@intel.com>
+Acked-by: Tangudu Tilak Tirumalesh <tilak.tirumalesh.tangudu@intel.com>
+Signed-off-by: Vinay Belgaumkar <vinay.belgaumkar@intel.com>
+Link: https://patch.msgid.link/20260401012710.4165547-1-vinay.belgaumkar@intel.com
+(cherry picked from commit 13743bd628bc9d9a0e2fe53488b2891aedf7cc74)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_hw_engine.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_hw_engine.c b/drivers/gpu/drm/xe/xe_hw_engine.c
+index 1cf623b4a5bcc..d8f16e25b817d 100644
+--- a/drivers/gpu/drm/xe/xe_hw_engine.c
++++ b/drivers/gpu/drm/xe/xe_hw_engine.c
+@@ -587,9 +587,8 @@ static void adjust_idledly(struct xe_hw_engine *hwe)
+ maxcnt *= maxcnt_units_ns;
+
+ if (xe_gt_WARN_ON(gt, idledly >= maxcnt || inhibit_switch)) {
+- idledly = DIV_ROUND_CLOSEST(((maxcnt - 1) * maxcnt_units_ns),
++ idledly = DIV_ROUND_CLOSEST(((maxcnt - 1) * 1000),
+ idledly_units_ps);
+- idledly = DIV_ROUND_CLOSEST(idledly, 1000);
+ xe_mmio_write32(>->mmio, RING_IDLEDLY(hwe->mmio_base), idledly);
+ }
+ }
+--
+2.53.0
+
--- /dev/null
+From 5c43566c87068194b6194a6de35bee6b742022fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 11:29:40 +0100
+Subject: dt-bindings: net: Fix Tegra234 MGBE PTP clock
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+[ Upstream commit fb22b1fc5bca3c0aad95388933497ceb30f1fb26 ]
+
+The PTP clock for the Tegra234 MGBE device is incorrectly named
+'ptp-ref' and should be 'ptp_ref'. This is causing the following
+warning to be observed on Tegra234 platforms that use this device:
+
+ ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate
+ WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed
+
+Although this constitutes an ABI breakage in the binding for this
+device, PTP support has clearly never worked and so fix this now
+so we can correct the device-tree for this device. Note that the
+MGBE driver still supports the legacy 'ptp-ref' clock name and so
+older/existing device-trees will still work, but given that this
+is not the correct name, there is no point to advertise this in the
+binding.
+
+Fixes: 189c2e5c7669 ("dt-bindings: net: Add Tegra234 MGBE")
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260401102941.17466-3-jonathanh@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../devicetree/bindings/net/nvidia,tegra234-mgbe.yaml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
+index 2bd3efff2485e..215f14d1897d2 100644
+--- a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
++++ b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
+@@ -42,7 +42,7 @@ properties:
+ - const: mgbe
+ - const: mac
+ - const: mac-divider
+- - const: ptp-ref
++ - const: ptp_ref
+ - const: rx-input-m
+ - const: rx-input
+ - const: tx
+@@ -133,7 +133,7 @@ examples:
+ <&bpmp TEGRA234_CLK_MGBE0_RX_PCS_M>,
+ <&bpmp TEGRA234_CLK_MGBE0_RX_PCS>,
+ <&bpmp TEGRA234_CLK_MGBE0_TX_PCS>;
+- clock-names = "mgbe", "mac", "mac-divider", "ptp-ref", "rx-input-m",
++ clock-names = "mgbe", "mac", "mac-divider", "ptp_ref", "rx-input-m",
+ "rx-input", "tx", "eee-pcs", "rx-pcs-input", "rx-pcs-m",
+ "rx-pcs", "tx-pcs";
+ resets = <&bpmp TEGRA234_RESET_MGBE0_MAC>,
+--
+2.53.0
+
--- /dev/null
+From dac8de542335da59fbbb53e384d27515183b6f7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 15:05:05 +0300
+Subject: e1000: check return value of e1000_read_eeprom
+
+From: Agalakov Daniil <ade@amicon.ru>
+
+[ Upstream commit d3baa34a470771399c1495bc04b1e26ac15d598e ]
+
+[Why]
+e1000_set_eeprom() performs a read-modify-write operation when the write
+range is not word-aligned. This requires reading the first and last words
+of the range from the EEPROM to preserve the unmodified bytes.
+
+However, the code does not check the return value of e1000_read_eeprom().
+If the read fails, the operation continues using uninitialized data from
+eeprom_buff. This results in corrupted data being written back to the
+EEPROM for the boundary words.
+
+Add the missing error checks and abort the operation if reading fails.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Co-developed-by: Iskhakov Daniil <dish@amicon.ru>
+Signed-off-by: Iskhakov Daniil <dish@amicon.ru>
+Signed-off-by: Agalakov Daniil <ade@amicon.ru>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+index 726365c567ef3..75d0bfa7530b4 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+@@ -496,14 +496,19 @@ static int e1000_set_eeprom(struct net_device *netdev,
+ */
+ ret_val = e1000_read_eeprom(hw, first_word, 1,
+ &eeprom_buff[0]);
++ if (ret_val)
++ goto out;
++
+ ptr++;
+ }
+- if (((eeprom->offset + eeprom->len) & 1) && (ret_val == 0)) {
++ if ((eeprom->offset + eeprom->len) & 1) {
+ /* need read/modify/write of last changed EEPROM word
+ * only the first byte of the word is being modified
+ */
+ ret_val = e1000_read_eeprom(hw, last_word, 1,
+ &eeprom_buff[last_word - first_word]);
++ if (ret_val)
++ goto out;
+ }
+
+ /* Device's eeprom is always little-endian, word addressable */
+@@ -522,6 +527,7 @@ static int e1000_set_eeprom(struct net_device *netdev,
+ if ((ret_val == 0) && (first_word <= EEPROM_CHECKSUM_REG))
+ e1000_update_eeprom_checksum(hw);
+
++out:
+ kfree(eeprom_buff);
+ return ret_val;
+ }
+--
+2.53.0
+
--- /dev/null
+From 4c5e6901ccd81a18553e461c3d444a2b3c1e0f9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Mar 2026 15:25:32 +0200
+Subject: eventpoll: defer struct eventpoll free to RCU grace period
+
+From: Nicholas Carlini <nicholas@carlini.com>
+
+[ Upstream commit 07712db80857d5d09ae08f3df85a708ecfc3b61f ]
+
+In certain situations, ep_free() in eventpoll.c will kfree the epi->ep
+eventpoll struct while it still being used by another concurrent thread.
+Defer the kfree() to an RCU callback to prevent UAF.
+
+Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion")
+Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/eventpoll.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index bcc7dcbefc419..a8e30414d996c 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -226,6 +226,9 @@ struct eventpoll {
+ */
+ refcount_t refcount;
+
++ /* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */
++ struct rcu_head rcu;
++
+ #ifdef CONFIG_NET_RX_BUSY_POLL
+ /* used to track busy poll napi_id */
+ unsigned int napi_id;
+@@ -819,7 +822,8 @@ static void ep_free(struct eventpoll *ep)
+ mutex_destroy(&ep->mtx);
+ free_uid(ep->user);
+ wakeup_source_unregister(ep->ws);
+- kfree(ep);
++ /* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */
++ kfree_rcu(ep, rcu);
+ }
+
+ /*
+--
+2.53.0
+
--- /dev/null
+From 682b8078d32c929836669424d62155d4255fe583 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 13:11:27 -0700
+Subject: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
+
+From: Fredric Cover <FredTheDude@proton.me>
+
+[ Upstream commit 78ec5bf2f589ec7fd8f169394bfeca541b077317 ]
+
+When cifs_sanitize_prepath is called with an empty string or a string
+containing only delimiters (e.g., "/"), the current logic attempts to
+check *(cursor2 - 1) before cursor2 has advanced. This results in an
+out-of-bounds read.
+
+This patch adds an early exit check after stripping prepended
+delimiters. If no path content remains, the function returns NULL.
+
+The bug was identified via manual audit and verified using a
+standalone test case compiled with AddressSanitizer, which
+triggered a SEGV on affected inputs.
+
+Signed-off-by: Fredric Cover <FredTheDude@proton.me>
+Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/fs_context.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
+index be82acacc41d6..f207c7cef0467 100644
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -589,6 +589,10 @@ char *cifs_sanitize_prepath(char *prepath, gfp_t gfp)
+ while (IS_DELIM(*cursor1))
+ cursor1++;
+
++ /* exit in case of only delimiters */
++ if (!*cursor1)
++ return NULL;
++
+ /* copy the first letter */
+ *cursor2 = *cursor1;
+
+--
+2.53.0
+
--- /dev/null
+From 3bed58f496cfd4a5c319f8efe50f95701c8770be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 14:02:47 -0700
+Subject: gpio: tegra: fix irq_release_resources calling enable instead of
+ disable
+
+From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+
+[ Upstream commit 1561d96f5f55c1bca9ff047ace5813f4f244eea6 ]
+
+tegra_gpio_irq_release_resources() erroneously calls tegra_gpio_enable()
+instead of tegra_gpio_disable(). When IRQ resources are released, the
+GPIO configuration bit (CNF) should be cleared to deconfigure the pin as
+a GPIO. Leaving it enabled wastes power and can cause unexpected behavior
+if the pin is later reused for an alternate function via pinctrl.
+
+Fixes: 66fecef5bde0 ("gpio: tegra: Convert to gpio_irq_chip")
+Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+Link: https://patch.msgid.link/20260407210247.1737938-1-samasth.norway.ananda@oracle.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-tegra.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-tegra.c b/drivers/gpio/gpio-tegra.c
+index 15a5762a82c25..b14052fe64ac6 100644
+--- a/drivers/gpio/gpio-tegra.c
++++ b/drivers/gpio/gpio-tegra.c
+@@ -595,7 +595,7 @@ static void tegra_gpio_irq_release_resources(struct irq_data *d)
+ struct tegra_gpio_info *tgi = gpiochip_get_data(chip);
+
+ gpiochip_relres_irq(chip, d->hwirq);
+- tegra_gpio_enable(tgi, d->hwirq);
++ tegra_gpio_disable(tgi, d->hwirq);
+ }
+
+ static void tegra_gpio_irq_print_chip(struct irq_data *d, struct seq_file *s)
+--
+2.53.0
+
--- /dev/null
+From 57b0ce35d582d6184dbcb5e1ce7e271297f4dbb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 09:25:22 +0100
+Subject: HID: amd_sfh: don't log error when device discovery fails with
+ -EOPNOTSUPP
+
+From: Maximilian Pezzullo <maximilianpezzullo@gmail.com>
+
+[ Upstream commit 743677a8cb30b09f16a7f167f497c2c927891b5a ]
+
+When sensor discovery fails on systems without AMD SFH sensors, the
+code already emits a warning via dev_warn() in amd_sfh_hid_client_init().
+The subsequent dev_err() in sfh_init_work() for the same -EOPNOTSUPP
+return value is redundant and causes unnecessary alarm.
+
+Suppress the dev_err() for -EOPNOTSUPP to avoid confusing users who
+have no AMD SFH sensors.
+
+Fixes: 2105e8e00da4 ("HID: amd_sfh: Improve boot time when SFH is available")
+Reported-by: Casey Croy <ccroy@bugzilla.kernel.org>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221099
+Signed-off-by: Maximilian Pezzullo <maximilianpezzullo@gmail.com>
+Acked-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/amd-sfh-hid/amd_sfh_pcie.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c b/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c
+index 1d9f955573aa4..4b81cebdc3359 100644
+--- a/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c
++++ b/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c
+@@ -413,7 +413,8 @@ static void sfh_init_work(struct work_struct *work)
+ rc = amd_sfh_hid_client_init(mp2);
+ if (rc) {
+ amd_sfh_clear_intr(mp2);
+- dev_err(&pdev->dev, "amd_sfh_hid_client_init failed err %d\n", rc);
++ if (rc != -EOPNOTSUPP)
++ dev_err(&pdev->dev, "amd_sfh_hid_client_init failed err %d\n", rc);
+ return;
+ }
+
+--
+2.53.0
+
--- /dev/null
+From b5f6a57342ecd64ffd1f10fa18ab26cf6d646956 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 13:56:29 +0800
+Subject: HID: Intel-thc-hid: Intel-quickspi: Add NVL Device IDs
+
+From: Even Xu <even.xu@intel.com>
+
+[ Upstream commit 48e91af0cbe942d50ef6257d850accdca1d01378 ]
+
+Add Nova Lake THC QuickSPI device IDs to support list.
+
+Signed-off-by: Even Xu <even.xu@intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c | 6 ++++++
+ drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c b/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c
+index 14cabd5dc6ddb..f0830a56d556b 100644
+--- a/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c
++++ b/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c
+@@ -37,6 +37,10 @@ struct quickspi_driver_data arl = {
+ .max_packet_size_value = MAX_PACKET_SIZE_VALUE_MTL,
+ };
+
++struct quickspi_driver_data nvl = {
++ .max_packet_size_value = MAX_PACKET_SIZE_VALUE_LNL,
++};
++
+ /* THC QuickSPI ACPI method to get device properties */
+ /* HIDSPI Method: {6e2ac436-0fcf-41af-a265-b32a220dcfab} */
+ static guid_t hidspi_guid =
+@@ -984,6 +988,8 @@ static const struct pci_device_id quickspi_pci_tbl[] = {
+ {PCI_DEVICE_DATA(INTEL, THC_WCL_DEVICE_ID_SPI_PORT2, &ptl), },
+ {PCI_DEVICE_DATA(INTEL, THC_ARL_DEVICE_ID_SPI_PORT1, &arl), },
+ {PCI_DEVICE_DATA(INTEL, THC_ARL_DEVICE_ID_SPI_PORT2, &arl), },
++ {PCI_DEVICE_DATA(INTEL, THC_NVL_H_DEVICE_ID_SPI_PORT1, &nvl), },
++ {PCI_DEVICE_DATA(INTEL, THC_NVL_H_DEVICE_ID_SPI_PORT2, &nvl), },
+ {}
+ };
+ MODULE_DEVICE_TABLE(pci, quickspi_pci_tbl);
+diff --git a/drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h b/drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h
+index c30e1a42eb098..bf5e18f5a5f42 100644
+--- a/drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h
++++ b/drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h
+@@ -23,6 +23,8 @@
+ #define PCI_DEVICE_ID_INTEL_THC_WCL_DEVICE_ID_SPI_PORT2 0x4D4B
+ #define PCI_DEVICE_ID_INTEL_THC_ARL_DEVICE_ID_SPI_PORT1 0x7749
+ #define PCI_DEVICE_ID_INTEL_THC_ARL_DEVICE_ID_SPI_PORT2 0x774B
++#define PCI_DEVICE_ID_INTEL_THC_NVL_H_DEVICE_ID_SPI_PORT1 0xD349
++#define PCI_DEVICE_ID_INTEL_THC_NVL_H_DEVICE_ID_SPI_PORT2 0xD34B
+
+ /* HIDSPI special ACPI parameters DSM methods */
+ #define ACPI_QUICKSPI_REVISION_NUM 2
+--
+2.53.0
+
--- /dev/null
+From 1bbca9c339985242e26bd1835f49e306c75df4de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 13:36:59 -0500
+Subject: HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3
+
+From: leo vriska <leo@60228.dev>
+
+[ Upstream commit 532743944324a873bbaf8620fcabcd0e69e30c36 ]
+
+According to a mailing list report [1], this controller's predecessor
+has the same issue. However, it uses the xpad driver instead of HID, so
+this quirk wouldn't apply.
+
+[1]: https://lore.kernel.org/linux-input/unufo3$det$1@ciao.gmane.io/
+
+Signed-off-by: leo vriska <leo@60228.dev>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index d9d354f1b8847..a245928933454 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -22,6 +22,9 @@
+ #define USB_DEVICE_ID_3M2256 0x0502
+ #define USB_DEVICE_ID_3M3266 0x0506
+
++#define USB_VENDOR_ID_8BITDO 0x2dc8
++#define USB_DEVICE_ID_8BITDO_PRO_3 0x6009
++
+ #define USB_VENDOR_ID_A4TECH 0x09da
+ #define USB_DEVICE_ID_A4TECH_WCP32PU 0x0006
+ #define USB_DEVICE_ID_A4TECH_X5_005D 0x000a
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index 3217e436c052c..f6be3ffee0232 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -25,6 +25,7 @@
+ */
+
+ static const struct hid_device_id hid_quirks[] = {
++ { HID_USB_DEVICE(USB_VENDOR_ID_8BITDO, USB_DEVICE_ID_8BITDO_PRO_3), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD },
+ { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL },
+--
+2.53.0
+
--- /dev/null
+From 45beeb7b08a18ed28f0cb24ffb93c61ca414418f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 16:11:07 +0000
+Subject: HID: roccat: fix use-after-free in roccat_report_event
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benoît Sevens <bsevens@google.com>
+
+[ Upstream commit d802d848308b35220f21a8025352f0c0aba15c12 ]
+
+roccat_report_event() iterates over the device->readers list without
+holding the readers_lock. This allows a concurrent roccat_release() to
+remove and free a reader while it's still being accessed, leading to a
+use-after-free.
+
+Protect the readers list traversal with the readers_lock mutex.
+
+Signed-off-by: Benoît Sevens <bsevens@google.com>
+Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-roccat.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c
+index c7f7562e22e56..e413662f75082 100644
+--- a/drivers/hid/hid-roccat.c
++++ b/drivers/hid/hid-roccat.c
+@@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data)
+ if (!new_value)
+ return -ENOMEM;
+
++ mutex_lock(&device->readers_lock);
+ mutex_lock(&device->cbuf_lock);
+
+ report = &device->cbuf[device->cbuf_end];
+@@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data)
+ }
+
+ mutex_unlock(&device->cbuf_lock);
++ mutex_unlock(&device->readers_lock);
+
+ wake_up_interruptible(&device->wait);
+ return 0;
+--
+2.53.0
+
--- /dev/null
+From 4f63f6f4d88c80916e43964b4ed3cbc12ed948b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Feb 2026 14:14:00 +0000
+Subject: ice: ptp: don't WARN when controlling PF is unavailable
+
+From: Kohei Enju <kohei@enjuk.jp>
+
+[ Upstream commit bb3f21edc7056cdf44a7f7bd7ba65af40741838c ]
+
+In VFIO passthrough setups, it is possible to pass through only a PF
+which doesn't own the source timer. In that case the PTP controlling PF
+(adapter->ctrl_pf) is never initialized in the VM, so ice_get_ctrl_ptp()
+returns NULL and triggers WARN_ON() in ice_ptp_setup_pf().
+
+Since this is an expected behavior in that configuration, replace
+WARN_ON() with an informational message and return -EOPNOTSUPP.
+
+Fixes: e800654e85b5 ("ice: Use ice_adapter for PTP shared data instead of auxdev")
+Signed-off-by: Kohei Enju <kohei@enjuk.jp>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ptp.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c
+index df38345b12d72..02517772fb5f4 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ptp.c
++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c
+@@ -3041,7 +3041,13 @@ static int ice_ptp_setup_pf(struct ice_pf *pf)
+ struct ice_ptp *ctrl_ptp = ice_get_ctrl_ptp(pf);
+ struct ice_ptp *ptp = &pf->ptp;
+
+- if (WARN_ON(!ctrl_ptp) || pf->hw.mac_type == ICE_MAC_UNKNOWN)
++ if (!ctrl_ptp) {
++ dev_info(ice_pf_to_dev(pf),
++ "PTP unavailable: no controlling PF\n");
++ return -EOPNOTSUPP;
++ }
++
++ if (pf->hw.mac_type == ICE_MAC_UNKNOWN)
+ return -ENODEV;
+
+ INIT_LIST_HEAD(&ptp->port.list_node);
+--
+2.53.0
+
--- /dev/null
+From c6f79824b3dbb49f6009d721362db6cdf9a39826 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 15:04:19 +0800
+Subject: ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
+
+From: Yiqi Sun <sunyiqixm@gmail.com>
+
+[ Upstream commit fde29fd9349327acc50d19a0b5f3d5a6c964dfd8 ]
+
+ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the
+IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing
+this error pointer to dev_hold() will cause a kernel crash with
+null-ptr-deref.
+
+Instead, silently discard the request. RFC 8335 does not appear to
+define a specific response for the case where an IPv6 interface
+identifier is syntactically valid but the implementation cannot perform
+the lookup at runtime, and silently dropping the request may safer than
+misreporting "No Such Interface".
+
+Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
+Signed-off-by: Yiqi Sun <sunyiqixm@gmail.com>
+Link: https://patch.msgid.link/20260402070419.2291578-1-sunyiqixm@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index b39176b620785..980aa17f3534d 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -1145,6 +1145,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
+ if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr))
+ goto send_mal_query;
+ dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
++ /*
++ * If IPv6 identifier lookup is unavailable, silently
++ * discard the request instead of misreporting NO_IF.
++ */
++ if (IS_ERR(dev))
++ return false;
++
+ dev_hold(dev);
+ break;
+ #endif
+--
+2.53.0
+
--- /dev/null
+From 7a05584d016359e566d12d5090132ec0ee005762 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 09:26:13 +0200
+Subject: ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()
+
+From: Fernando Fernandez Mancera <fmancera@suse.de>
+
+[ Upstream commit 14cf0cd35361f4e94824bf8a42f72713d7702a73 ]
+
+When querying a nexthop object via RTM_GETNEXTHOP, the kernel currently
+allocates a fixed-size skb using NLMSG_GOODSIZE. While sufficient for
+single nexthops and small Equal-Cost Multi-Path groups, this fixed
+allocation fails for large nexthop groups like 512 nexthops.
+
+This results in the following warning splat:
+
+ WARNING: net/ipv4/nexthop.c:3395 at rtm_get_nexthop+0x176/0x1c0, CPU#20: rep/4608
+ [...]
+ RIP: 0010:rtm_get_nexthop (net/ipv4/nexthop.c:3395)
+ [...]
+ Call Trace:
+ <TASK>
+ rtnetlink_rcv_msg (net/core/rtnetlink.c:6989)
+ netlink_rcv_skb (net/netlink/af_netlink.c:2550)
+ netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
+ netlink_sendmsg (net/netlink/af_netlink.c:1894)
+ ____sys_sendmsg (net/socket.c:721 net/socket.c:736 net/socket.c:2585)
+ ___sys_sendmsg (net/socket.c:2641)
+ __sys_sendmsg (net/socket.c:2671)
+ do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+ </TASK>
+
+Fix this by allocating the size dynamically using nh_nlmsg_size() and
+using nlmsg_new(), this is consistent with nexthop_notify() behavior. In
+addition, adjust nh_nlmsg_size_grp() so it calculates the size needed
+based on flags passed. While at it, also add the size of NHA_FDB for
+nexthop group size calculation as it was missing too.
+
+This cannot be reproduced via iproute2 as the group size is currently
+limited and the command fails as follows:
+
+addattr_l ERROR: message exceeded bound of 1048
+
+Fixes: 430a049190de ("nexthop: Add support for nexthop groups")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Closes: https://lore.kernel.org/netdev/CAL_bE8Li2h4KO+AQFXW4S6Yb_u5X4oSKnkywW+LPFjuErhqELA@mail.gmail.com/
+Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20260402072613.25262-2-fmancera@suse.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/nexthop.c | 38 +++++++++++++++++++++++++++-----------
+ 1 file changed, 27 insertions(+), 11 deletions(-)
+
+diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
+index aa53a74ac2389..c958b8edfe540 100644
+--- a/net/ipv4/nexthop.c
++++ b/net/ipv4/nexthop.c
+@@ -1006,16 +1006,32 @@ static size_t nh_nlmsg_size_grp_res(struct nh_group *nhg)
+ nla_total_size_64bit(8);/* NHA_RES_GROUP_UNBALANCED_TIME */
+ }
+
+-static size_t nh_nlmsg_size_grp(struct nexthop *nh)
++static size_t nh_nlmsg_size_grp(struct nexthop *nh, u32 op_flags)
+ {
+ struct nh_group *nhg = rtnl_dereference(nh->nh_grp);
+ size_t sz = sizeof(struct nexthop_grp) * nhg->num_nh;
+ size_t tot = nla_total_size(sz) +
+- nla_total_size(2); /* NHA_GROUP_TYPE */
++ nla_total_size(2) + /* NHA_GROUP_TYPE */
++ nla_total_size(0); /* NHA_FDB */
+
+ if (nhg->resilient)
+ tot += nh_nlmsg_size_grp_res(nhg);
+
++ if (op_flags & NHA_OP_FLAG_DUMP_STATS) {
++ tot += nla_total_size(0) + /* NHA_GROUP_STATS */
++ nla_total_size(4); /* NHA_HW_STATS_ENABLE */
++ tot += nhg->num_nh *
++ (nla_total_size(0) + /* NHA_GROUP_STATS_ENTRY */
++ nla_total_size(4) + /* NHA_GROUP_STATS_ENTRY_ID */
++ nla_total_size_64bit(8)); /* NHA_GROUP_STATS_ENTRY_PACKETS */
++
++ if (op_flags & NHA_OP_FLAG_DUMP_HW_STATS) {
++ tot += nhg->num_nh *
++ nla_total_size_64bit(8); /* NHA_GROUP_STATS_ENTRY_PACKETS_HW */
++ tot += nla_total_size(4); /* NHA_HW_STATS_USED */
++ }
++ }
++
+ return tot;
+ }
+
+@@ -1050,14 +1066,14 @@ static size_t nh_nlmsg_size_single(struct nexthop *nh)
+ return sz;
+ }
+
+-static size_t nh_nlmsg_size(struct nexthop *nh)
++static size_t nh_nlmsg_size(struct nexthop *nh, u32 op_flags)
+ {
+ size_t sz = NLMSG_ALIGN(sizeof(struct nhmsg));
+
+ sz += nla_total_size(4); /* NHA_ID */
+
+ if (nh->is_group)
+- sz += nh_nlmsg_size_grp(nh) +
++ sz += nh_nlmsg_size_grp(nh, op_flags) +
+ nla_total_size(4) + /* NHA_OP_FLAGS */
+ 0;
+ else
+@@ -1073,7 +1089,7 @@ static void nexthop_notify(int event, struct nexthop *nh, struct nl_info *info)
+ struct sk_buff *skb;
+ int err = -ENOBUFS;
+
+- skb = nlmsg_new(nh_nlmsg_size(nh), gfp_any());
++ skb = nlmsg_new(nh_nlmsg_size(nh, 0), gfp_any());
+ if (!skb)
+ goto errout;
+
+@@ -3379,15 +3395,15 @@ static int rtm_get_nexthop(struct sk_buff *in_skb, struct nlmsghdr *nlh,
+ if (err)
+ return err;
+
+- err = -ENOBUFS;
+- skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
+- if (!skb)
+- goto out;
+-
+ err = -ENOENT;
+ nh = nexthop_find_by_id(net, id);
+ if (!nh)
+- goto errout_free;
++ goto out;
++
++ err = -ENOBUFS;
++ skb = nlmsg_new(nh_nlmsg_size(nh, op_flags), GFP_KERNEL);
++ if (!skb)
++ goto out;
+
+ err = nh_fill_node(skb, nh, RTM_NEWNEXTHOP, NETLINK_CB(in_skb).portid,
+ nlh->nlmsg_seq, 0, op_flags);
+--
+2.53.0
+
--- /dev/null
+From 168ce12028dca60686aeddcd8f04e623962d3713 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 09:26:12 +0200
+Subject: ipv4: nexthop: avoid duplicate NHA_HW_STATS_ENABLE on nexthop group
+ dump
+
+From: Fernando Fernandez Mancera <fmancera@suse.de>
+
+[ Upstream commit 06aaf04ca815f7a1f17762fd847b7bc14b8833fb ]
+
+Currently NHA_HW_STATS_ENABLE is included twice everytime a dump of
+nexthop group is performed with NHA_OP_FLAG_DUMP_STATS. As all the stats
+querying were moved to nla_put_nh_group_stats(), leave only that
+instance of the attribute querying.
+
+Fixes: 5072ae00aea4 ("net: nexthop: Expose nexthop group HW stats to user space")
+Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20260402072613.25262-1-fmancera@suse.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/nexthop.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
+index 427c201175949..aa53a74ac2389 100644
+--- a/net/ipv4/nexthop.c
++++ b/net/ipv4/nexthop.c
+@@ -905,8 +905,7 @@ static int nla_put_nh_group(struct sk_buff *skb, struct nexthop *nh,
+ goto nla_put_failure;
+
+ if (op_flags & NHA_OP_FLAG_DUMP_STATS &&
+- (nla_put_u32(skb, NHA_HW_STATS_ENABLE, nhg->hw_stats) ||
+- nla_put_nh_group_stats(skb, nh, op_flags)))
++ nla_put_nh_group_stats(skb, nh, op_flags))
+ goto nla_put_failure;
+
+ return 0;
+--
+2.53.0
+
--- /dev/null
+From 7d76d2cb8f87b50808ae8c1ebda321ccd0f4ca71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 10:17:32 +0000
+Subject: ipv6: ioam: fix potential NULL dereferences in
+ __ioam6_fill_trace_data()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4e65a8b8daa18d63255ec58964dd192c7fdd9f8b ]
+
+We need to check __in6_dev_get() for possible NULL value, as
+suggested by Yiming Qian.
+
+Also add skb_dst_dev_rcu() instead of skb_dst_dev(),
+and two missing READ_ONCE().
+
+Note that @dev can't be NULL.
+
+Fixes: 9ee11f0fff20 ("ipv6: ioam: Data plane support for Pre-allocated Trace")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
+Link: https://patch.msgid.link/20260402101732.1188059-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ioam6.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/net/ipv6/ioam6.c b/net/ipv6/ioam6.c
+index 8db7f965696aa..12350e1e18bde 100644
+--- a/net/ipv6/ioam6.c
++++ b/net/ipv6/ioam6.c
+@@ -710,7 +710,9 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb,
+ struct ioam6_schema *sc,
+ unsigned int sclen, bool is_input)
+ {
+- struct net_device *dev = skb_dst_dev(skb);
++ /* Note: skb_dst_dev_rcu() can't be NULL at this point. */
++ struct net_device *dev = skb_dst_dev_rcu(skb);
++ struct inet6_dev *i_skb_dev, *idev;
+ struct timespec64 ts;
+ ktime_t tstamp;
+ u64 raw64;
+@@ -721,13 +723,16 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb,
+
+ data = trace->data + trace->remlen * 4 - trace->nodelen * 4 - sclen * 4;
+
++ i_skb_dev = skb->dev ? __in6_dev_get(skb->dev) : NULL;
++ idev = __in6_dev_get(dev);
++
+ /* hop_lim and node_id */
+ if (trace->type.bit0) {
+ byte = ipv6_hdr(skb)->hop_limit;
+ if (is_input)
+ byte--;
+
+- raw32 = dev_net(dev)->ipv6.sysctl.ioam6_id;
++ raw32 = READ_ONCE(dev_net(dev)->ipv6.sysctl.ioam6_id);
+
+ *(__be32 *)data = cpu_to_be32((byte << 24) | raw32);
+ data += sizeof(__be32);
+@@ -735,18 +740,18 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb,
+
+ /* ingress_if_id and egress_if_id */
+ if (trace->type.bit1) {
+- if (!skb->dev)
++ if (!i_skb_dev)
+ raw16 = IOAM6_U16_UNAVAILABLE;
+ else
+- raw16 = (__force u16)READ_ONCE(__in6_dev_get(skb->dev)->cnf.ioam6_id);
++ raw16 = (__force u16)READ_ONCE(i_skb_dev->cnf.ioam6_id);
+
+ *(__be16 *)data = cpu_to_be16(raw16);
+ data += sizeof(__be16);
+
+- if (dev->flags & IFF_LOOPBACK)
++ if ((dev->flags & IFF_LOOPBACK) || !idev)
+ raw16 = IOAM6_U16_UNAVAILABLE;
+ else
+- raw16 = (__force u16)READ_ONCE(__in6_dev_get(dev)->cnf.ioam6_id);
++ raw16 = (__force u16)READ_ONCE(idev->cnf.ioam6_id);
+
+ *(__be16 *)data = cpu_to_be16(raw16);
+ data += sizeof(__be16);
+@@ -822,7 +827,7 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb,
+ if (is_input)
+ byte--;
+
+- raw64 = dev_net(dev)->ipv6.sysctl.ioam6_id_wide;
++ raw64 = READ_ONCE(dev_net(dev)->ipv6.sysctl.ioam6_id_wide);
+
+ *(__be64 *)data = cpu_to_be64(((u64)byte << 56) | raw64);
+ data += sizeof(__be64);
+@@ -830,18 +835,18 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb,
+
+ /* ingress_if_id and egress_if_id (wide) */
+ if (trace->type.bit9) {
+- if (!skb->dev)
++ if (!i_skb_dev)
+ raw32 = IOAM6_U32_UNAVAILABLE;
+ else
+- raw32 = READ_ONCE(__in6_dev_get(skb->dev)->cnf.ioam6_id_wide);
++ raw32 = READ_ONCE(i_skb_dev->cnf.ioam6_id_wide);
+
+ *(__be32 *)data = cpu_to_be32(raw32);
+ data += sizeof(__be32);
+
+- if (dev->flags & IFF_LOOPBACK)
++ if ((dev->flags & IFF_LOOPBACK) || !idev)
+ raw32 = IOAM6_U32_UNAVAILABLE;
+ else
+- raw32 = READ_ONCE(__in6_dev_get(dev)->cnf.ioam6_id_wide);
++ raw32 = READ_ONCE(idev->cnf.ioam6_id_wide);
+
+ *(__be32 *)data = cpu_to_be32(raw32);
+ data += sizeof(__be32);
+--
+2.53.0
+
--- /dev/null
+From fbc4d7fa213b120a7695924fd04dcfb4a7a5e7ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 15:58:01 +0800
+Subject: ipvs: fix NULL deref in ip_vs_add_service error path
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit 9a91797e61d286805ae10a92cc48959c30800556 ]
+
+When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local
+variable sched is set to NULL. If ip_vs_start_estimator() subsequently
+fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched)
+with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL
+check (because svc->scheduler was set by the successful bind) but then
+dereferences the NULL sched parameter at sched->done_service, causing a
+kernel panic at offset 0x30 from NULL.
+
+ Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI
+ KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
+ RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69)
+ Call Trace:
+ <TASK>
+ ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500)
+ do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809)
+ nf_setsockopt (net/netfilter/nf_sockopt.c:102)
+ [..]
+
+Fix by simply not clearing the local sched variable after a successful
+bind. ip_vs_unbind_scheduler() already detects whether a scheduler is
+installed via svc->scheduler, and keeping sched non-NULL ensures the
+error path passes the correct pointer to both ip_vs_unbind_scheduler()
+and ip_vs_scheduler_put().
+
+While the bug is older, the problem popups in more recent kernels (6.2),
+when the new error path is taken after the ip_vs_start_estimator() call.
+
+Fixes: 705dd3444081 ("ipvs: use kthreads for stats estimation")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Acked-by: Simon Horman <horms@kernel.org>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 4c8fa22be88ad..e442ba6033d5f 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -1453,7 +1453,6 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
+ ret = ip_vs_bind_scheduler(svc, sched);
+ if (ret)
+ goto out_err;
+- sched = NULL;
+ }
+
+ ret = ip_vs_start_estimator(ipvs, &svc->stats);
+--
+2.53.0
+
--- /dev/null
+From d30bea4fd78e7d459c9418448fff740eed6ac40d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 09:42:32 +0100
+Subject: ixgbe: stop re-reading flash on every get_drvinfo for e610
+
+From: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+
+[ Upstream commit d8ae40dc20cbd7bb6e6b36a928e2db2296060ad2 ]
+
+ixgbe_get_drvinfo() calls ixgbe_refresh_fw_version() on every ethtool
+query for e610 adapters. That ends up in ixgbe_discover_flash_size(),
+which bisects the full 16 MB NVM space issuing one ACI command per
+step (~20 ms each, ~24 steps total = ~500 ms).
+
+Profiling on an idle E610-XAT2 system with telegraf scraping ethtool
+stats every 10 seconds:
+
+ kretprobe:ixgbe_get_drvinfo took 527603 us
+ kretprobe:ixgbe_get_drvinfo took 523978 us
+ kretprobe:ixgbe_get_drvinfo took 552975 us
+ kretprobe:ice_get_drvinfo took 3 us
+ kretprobe:igb_get_drvinfo took 2 us
+ kretprobe:i40e_get_drvinfo took 5 us
+
+The half-second stall happens under the RTNL lock, causing visible
+latency on ip-link and friends.
+
+The FW version can only change after an EMPR reset. All flash data is
+already populated at probe time and the cached adapter->eeprom_id is
+what get_drvinfo should be returning. The only place that needs to
+trigger a re-read is ixgbe_devlink_reload_empr_finish(), right after
+the EMPR completes and new firmware is running. Additionally, refresh
+the FW version in ixgbe_reinit_locked() so that any PF that undergoes a
+reinit after an EMPR (e.g. triggered by another PF's devlink reload)
+also picks up the new version in adapter->eeprom_id.
+
+ixgbe_devlink_info_get() keeps its refresh call for explicit
+"devlink dev info" queries, which is fine given those are user-initiated.
+
+Fixes: c9e563cae19e ("ixgbe: add support for devlink reload")
+Co-developed-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/devlink/devlink.c | 2 +-
+ drivers/net/ethernet/intel/ixgbe/ixgbe.h | 2 +-
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 13 +++++++------
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 10 ++++++++++
+ 4 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/devlink/devlink.c b/drivers/net/ethernet/intel/ixgbe/devlink/devlink.c
+index d227f4d2a2d17..f32e640ef4ac0 100644
+--- a/drivers/net/ethernet/intel/ixgbe/devlink/devlink.c
++++ b/drivers/net/ethernet/intel/ixgbe/devlink/devlink.c
+@@ -474,7 +474,7 @@ static int ixgbe_devlink_reload_empr_finish(struct devlink *devlink,
+ adapter->flags2 &= ~(IXGBE_FLAG2_API_MISMATCH |
+ IXGBE_FLAG2_FW_ROLLBACK);
+
+- return 0;
++ return ixgbe_refresh_fw_version(adapter);
+ }
+
+ static const struct devlink_ops ixgbe_devlink_ops = {
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
+index dce4936708eb4..047f04045585a 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
+@@ -973,7 +973,7 @@ int ixgbe_init_interrupt_scheme(struct ixgbe_adapter *adapter);
+ bool ixgbe_wol_supported(struct ixgbe_adapter *adapter, u16 device_id,
+ u16 subdevice_id);
+ void ixgbe_set_fw_version_e610(struct ixgbe_adapter *adapter);
+-void ixgbe_refresh_fw_version(struct ixgbe_adapter *adapter);
++int ixgbe_refresh_fw_version(struct ixgbe_adapter *adapter);
+ #ifdef CONFIG_PCI_IOV
+ void ixgbe_full_sync_mac_table(struct ixgbe_adapter *adapter);
+ #endif
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+index 2d660e9edb80a..0c8f310689776 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+@@ -1153,12 +1153,17 @@ static int ixgbe_set_eeprom(struct net_device *netdev,
+ return ret_val;
+ }
+
+-void ixgbe_refresh_fw_version(struct ixgbe_adapter *adapter)
++int ixgbe_refresh_fw_version(struct ixgbe_adapter *adapter)
+ {
+ struct ixgbe_hw *hw = &adapter->hw;
++ int err;
++
++ err = ixgbe_get_flash_data(hw);
++ if (err)
++ return err;
+
+- ixgbe_get_flash_data(hw);
+ ixgbe_set_fw_version_e610(adapter);
++ return 0;
+ }
+
+ static void ixgbe_get_drvinfo(struct net_device *netdev,
+@@ -1166,10 +1171,6 @@ static void ixgbe_get_drvinfo(struct net_device *netdev,
+ {
+ struct ixgbe_adapter *adapter = ixgbe_from_netdev(netdev);
+
+- /* need to refresh info for e610 in case fw reloads in runtime */
+- if (adapter->hw.mac.type == ixgbe_mac_e610)
+- ixgbe_refresh_fw_version(adapter);
+-
+ strscpy(drvinfo->driver, ixgbe_driver_name, sizeof(drvinfo->driver));
+
+ strscpy(drvinfo->fw_version, adapter->eeprom_id,
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 501216970e611..240f7cc3f213f 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -6289,6 +6289,16 @@ void ixgbe_reinit_locked(struct ixgbe_adapter *adapter)
+ if (adapter->flags & IXGBE_FLAG_SRIOV_ENABLED)
+ msleep(2000);
+ ixgbe_up(adapter);
++
++ /* E610 has no FW event to notify all PFs of an EMPR reset, so
++ * refresh the FW version here to pick up any new FW version after
++ * a hardware reset (e.g. EMPR triggered by another PF's devlink
++ * reload). ixgbe_refresh_fw_version() updates both hw->flash and
++ * adapter->eeprom_id so ethtool -i reports the correct string.
++ */
++ if (adapter->hw.mac.type == ixgbe_mac_e610)
++ (void)ixgbe_refresh_fw_version(adapter);
++
+ clear_bit(__IXGBE_RESETTING, &adapter->state);
+ }
+
+--
+2.53.0
+
--- /dev/null
+From f5898d3e87e7fb2e244bf491f1ab324e984b9d23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 09:22:29 +0100
+Subject: ixgbevf: add missing negotiate_features op to Hyper-V ops table
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit 4821d563cd7f251ae728be1a6d04af82a294a5b9 ]
+
+Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by
+negotiating supported features") added the .negotiate_features callback
+to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot
+to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL
+on Hyper-V VMs.
+
+During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(),
+which unconditionally dereferences hw->mac.ops.negotiate_features().
+On Hyper-V this results in a NULL pointer dereference:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ [...]
+ Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...]
+ Workqueue: events work_for_cpu_fn
+ RIP: 0010:0x0
+ [...]
+ Call Trace:
+ ixgbevf_negotiate_api+0x66/0x160 [ixgbevf]
+ ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf]
+ ixgbevf_probe+0x20f/0x4a0 [ixgbevf]
+ local_pci_probe+0x50/0xa0
+ work_for_cpu_fn+0x1a/0x30
+ [...]
+
+Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and
+wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP
+gracefully.
+
+Fixes: a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features")
+Reported-by: Xiaoqiang Xiong <xxiong@redhat.com>
+Closes: https://issues.redhat.com/browse/RHEL-155455
+Assisted-by: Claude:claude-4.6-opus-high Cursor
+Tested-by: Xiaoqiang Xiong <xxiong@redhat.com>
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbevf/vf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.c b/drivers/net/ethernet/intel/ixgbevf/vf.c
+index b67b580f7f1c9..f6df86d124b9e 100644
+--- a/drivers/net/ethernet/intel/ixgbevf/vf.c
++++ b/drivers/net/ethernet/intel/ixgbevf/vf.c
+@@ -709,6 +709,12 @@ static int ixgbevf_negotiate_features_vf(struct ixgbe_hw *hw, u32 *pf_features)
+ return err;
+ }
+
++static int ixgbevf_hv_negotiate_features_vf(struct ixgbe_hw *hw,
++ u32 *pf_features)
++{
++ return -EOPNOTSUPP;
++}
++
+ /**
+ * ixgbevf_set_vfta_vf - Set/Unset VLAN filter table address
+ * @hw: pointer to the HW structure
+@@ -1142,6 +1148,7 @@ static const struct ixgbe_mac_operations ixgbevf_hv_mac_ops = {
+ .setup_link = ixgbevf_setup_mac_link_vf,
+ .check_link = ixgbevf_hv_check_mac_link_vf,
+ .negotiate_api_version = ixgbevf_hv_negotiate_api_version_vf,
++ .negotiate_features = ixgbevf_hv_negotiate_features_vf,
+ .set_rar = ixgbevf_hv_set_rar_vf,
+ .update_mc_addr_list = ixgbevf_hv_update_mc_addr_list_vf,
+ .update_xcast_mode = ixgbevf_hv_update_xcast_mode,
+--
+2.53.0
+
--- /dev/null
+From 21c5f7aa70bcb080b998a37eeb1237fbfcc0d1bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 20:49:49 +0300
+Subject: l2tp: Drop large packets with UDP encap
+
+From: Alice Mikityanska <alice@isovalent.com>
+
+[ Upstream commit ebe560ea5f54134279356703e73b7f867c89db13 ]
+
+syzbot reported a WARN on my patch series [1]. The actual issue is an
+overflow of 16-bit UDP length field, and it exists in the upstream code.
+My series added a debug WARN with an overflow check that exposed the
+issue, that's why syzbot tripped on my patches, rather than on upstream
+code.
+
+syzbot's repro:
+
+r0 = socket$pppl2tp(0x18, 0x1, 0x1)
+r1 = socket$inet6_udp(0xa, 0x2, 0x0)
+connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c)
+connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
+writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1)
+
+It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP
+encapsulation, and l2tp_xmit_core doesn't check for overflows when it
+assigns the UDP length field. The value gets trimmed to 16 bites.
+
+Add an overflow check that drops oversized packets and avoids sending
+packets with trimmed UDP length to the wire.
+
+syzbot's stack trace (with my patch applied):
+
+len >= 65536u
+WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957
+WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957
+WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957
+Modules linked in:
+CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
+RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline]
+RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline]
+RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327
+Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f
+RSP: 0018:ffffc90003d67878 EFLAGS: 00010293
+RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000
+RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff
+RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
+R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900
+R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000
+FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ sock_write_iter+0x503/0x550 net/socket.c:1195
+ do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1
+ vfs_writev+0x33c/0x990 fs/read_write.c:1059
+ do_writev+0x154/0x2e0 fs/read_write.c:1105
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f636479c629
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
+RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629
+RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003
+RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0
+ </TASK>
+
+[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/
+
+Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
+Reported-by: syzbot+ci3edea60a44225dec@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/69a1dfba.050a0220.3a55be.0026.GAE@google.com/
+Signed-off-by: Alice Mikityanska <alice@isovalent.com>
+Link: https://patch.msgid.link/20260403174949.843941-1-alice.kernel@fastmail.im
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index a0682e63fc637..9156a937334ae 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1290,6 +1290,11 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns
+ uh->source = inet->inet_sport;
+ uh->dest = inet->inet_dport;
+ udp_len = uhlen + session->hdr_len + data_len;
++ if (udp_len > U16_MAX) {
++ kfree_skb(skb);
++ ret = NET_XMIT_DROP;
++ goto out_unlock;
++ }
+ uh->len = htons(udp_len);
+
+ /* Calculate UDP checksum if configured to do so */
+--
+2.53.0
+
--- /dev/null
+From b6b021e762fa638b8f45a632f0222bc000aadd0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Feb 2026 10:47:51 +0100
+Subject: media: rkvdec: reduce stack usage in rkvdec_init_v4l2_vp9_count_tbl()
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit c03b7dec3c4ddc97872fa12bfca75bae9cb46510 ]
+
+The deeply nested loop in rkvdec_init_v4l2_vp9_count_tbl() needs a lot
+of registers, so when the clang register allocator runs out, it ends up
+spilling countless temporaries to the stack:
+
+drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c:966:12: error: stack frame size (1472) exceeds limit (1280) in 'rkvdec_vp9_start' [-Werror,-Wframe-larger-than]
+
+Marking this function as noinline_for_stack keeps it out of
+rkvdec_vp9_start(), giving the compiler more room for optimization.
+
+The resulting code is good enough that both the total stack usage
+and the loop get enough better to stay under the warning limit,
+though it's still slow, and would need a larger rework if this
+function ends up being called in a fast path.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c b/drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c
+index 0e7e16f20eeb0..bc74d2d824ef2 100644
+--- a/drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c
++++ b/drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c
+@@ -923,7 +923,8 @@ static void rkvdec_vp9_done(struct rkvdec_ctx *ctx,
+ update_ctx_last_info(vp9_ctx);
+ }
+
+-static void rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx)
++static noinline_for_stack void
++rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx)
+ {
+ struct rkvdec_vp9_ctx *vp9_ctx = ctx->priv;
+ struct rkvdec_vp9_intra_frame_symbol_counts *intra_cnts = vp9_ctx->count_tbl.cpu;
+--
+2.53.0
+
--- /dev/null
+From 482e39081a9352c1aa482263483c1fa4cb5fa022 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 14:57:10 +0200
+Subject: net: airoha: Fix memory leak in airoha_qdma_rx_process()
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 285fa6b1e03cff78ead0383e1b259c44b95faf90 ]
+
+If an error occurs on the subsequents buffers belonging to the
+non-linear part of the skb (e.g. due to an error in the payload length
+reported by the NIC or if we consumed all the available fragments for
+the skb), the page_pool fragment will not be linked to the skb so it will
+not return to the pool in the airoha_qdma_rx_process() error path. Fix the
+memory leak partially reverting commit 'd6d2b0e1538d ("net: airoha: Fix
+page recycling in airoha_qdma_rx_process()")' and always running
+page_pool_put_full_page routine in the airoha_qdma_rx_process() error
+path.
+
+Fixes: d6d2b0e1538d ("net: airoha: Fix page recycling in airoha_qdma_rx_process()")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260402-airoha_qdma_rx_process-mem-leak-fix-v1-1-b5706f402d3c@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/airoha/airoha_eth.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
+index 4fc6bd282b465..bdf600fea9508 100644
+--- a/drivers/net/ethernet/airoha/airoha_eth.c
++++ b/drivers/net/ethernet/airoha/airoha_eth.c
+@@ -709,9 +709,8 @@ static int airoha_qdma_rx_process(struct airoha_queue *q, int budget)
+ if (q->skb) {
+ dev_kfree_skb(q->skb);
+ q->skb = NULL;
+- } else {
+- page_pool_put_full_page(q->page_pool, page, true);
+ }
++ page_pool_put_full_page(q->page_pool, page, true);
+ }
+ airoha_qdma_fill_rx_queue(q);
+
+--
+2.53.0
+
--- /dev/null
+From 6d04ed26ece1a914496456c6be4f4bfa5399c622 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:23:16 -0500
+Subject: net: increase IP_TUNNEL_RECURSION_LIMIT to 5
+
+From: Chris J Arges <carges@cloudflare.com>
+
+[ Upstream commit 77facb35227c421467cdb49268de433168c2dcef ]
+
+In configurations with multiple tunnel layers and MPLS lwtunnel routing, a
+single tunnel hop can increment the counter beyond this limit. This causes
+packets to be dropped with the "Dead loop on virtual device" message even
+when a routing loop doesn't exist.
+
+Increase IP_TUNNEL_RECURSION_LIMIT from 4 to 5 to handle this use-case.
+
+Fixes: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions")
+Link: https://lore.kernel.org/netdev/88deb91b-ef1b-403c-8eeb-0f971f27e34f@redhat.com/
+Signed-off-by: Chris J Arges <carges@cloudflare.com>
+Link: https://patch.msgid.link/20260402222401.3408368-1-carges@cloudflare.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip_tunnels.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
+index 80662f8120803..253ed3930f6ef 100644
+--- a/include/net/ip_tunnels.h
++++ b/include/net/ip_tunnels.h
+@@ -32,7 +32,7 @@
+ * recursion involves route lookups and full IP output, consuming much
+ * more stack per level, so a lower limit is needed.
+ */
+-#define IP_TUNNEL_RECURSION_LIMIT 4
++#define IP_TUNNEL_RECURSION_LIMIT 5
+
+ /* Keep error state on tunnel for 30 sec */
+ #define IPTUNNEL_ERR_TIMEO (30*HZ)
+--
+2.53.0
+
--- /dev/null
+From b9714440953068cd3abb1f5651a65d2d39d0d82c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2026 15:41:37 +0200
+Subject: net: ioam6: fix OOB and missing lock
+
+From: Justin Iurman <justin.iurman@gmail.com>
+
+[ Upstream commit b30b1675aa2bcf0491fd3830b051df4e08a7c8ca ]
+
+When trace->type.bit6 is set:
+
+ if (trace->type.bit6) {
+ ...
+ queue = skb_get_tx_queue(dev, skb);
+ qdisc = rcu_dereference(queue->qdisc);
+
+This code can lead to an out-of-bounds access of the dev->_tx[] array
+when is_input is true. In such a case, the packet is on the RX path and
+skb->queue_mapping contains the RX queue index of the ingress device. If
+the ingress device has more RX queues than the egress device (dev) has
+TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues.
+Add a check to avoid this situation since skb_get_tx_queue() does not
+clamp the index. This issue has also revealed that per queue visibility
+cannot be accurate and will be replaced later as a new feature.
+
+While at it, add missing lock around qdisc_qstats_qlen_backlog(). The
+function __ioam6_fill_trace_data() is called from both softirq and
+process contexts, hence the use of spin_lock_bh() here.
+
+Fixes: b63c5478e9cb ("ipv6: ioam: Support for Queue depth data field")
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Closes: https://lore.kernel.org/netdev/20260403214418.2233266-2-kuba@kernel.org/
+Signed-off-by: Justin Iurman <justin.iurman@gmail.com>
+Link: https://patch.msgid.link/20260404134137.24553-1-justin.iurman@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ioam6.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ioam6.c b/net/ipv6/ioam6.c
+index 12350e1e18bde..b91de51ffa9ea 100644
+--- a/net/ipv6/ioam6.c
++++ b/net/ipv6/ioam6.c
+@@ -803,12 +803,16 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb,
+ struct Qdisc *qdisc;
+ __u32 qlen, backlog;
+
+- if (dev->flags & IFF_LOOPBACK) {
++ if (dev->flags & IFF_LOOPBACK ||
++ skb_get_queue_mapping(skb) >= dev->num_tx_queues) {
+ *(__be32 *)data = cpu_to_be32(IOAM6_U32_UNAVAILABLE);
+ } else {
+ queue = skb_get_tx_queue(dev, skb);
+ qdisc = rcu_dereference(queue->qdisc);
++
++ spin_lock_bh(qdisc_lock(qdisc));
+ qdisc_qstats_qlen_backlog(qdisc, &qlen, &backlog);
++ spin_unlock_bh(qdisc_lock(qdisc));
+
+ *(__be32 *)data = cpu_to_be32(backlog);
+ }
+--
+2.53.0
+
--- /dev/null
+From b5759c525ff976a3339213e33351bc8440966e4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 18:43:48 +0200
+Subject: net: ipa: fix event ring index not programmed for IPA v5.0+
+
+From: Alexander Koskovich <akoskovich@pm.me>
+
+[ Upstream commit 56007972c0b1e783ca714d6f1f4d6e66e531d21f ]
+
+For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to
+CH_C_CNTXT_1. The v5.0 register definition intended to define this
+field in the CH_C_CNTXT_1 fmask array but used the old identifier of
+ERINDEX instead of CH_ERINDEX.
+
+Without a valid event ring, GSI channels could never signal transfer
+completions. This caused gsi_channel_trans_quiesce() to block
+forever in wait_for_completion().
+
+At least for IPA v5.2 this resolves an issue seen where runtime
+suspend, system suspend, and remoteproc stop all hanged forever. It
+also meant the IPA data path was completely non functional.
+
+Fixes: faf0678ec8a0 ("net: ipa: add IPA v5.0 GSI register definitions")
+Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260403-milos-ipa-v1-2-01e9e4e03d3e@fairphone.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipa/reg/gsi_reg-v5.0.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ipa/reg/gsi_reg-v5.0.c b/drivers/net/ipa/reg/gsi_reg-v5.0.c
+index 3334d8e20ad28..6c4a7fbe4de94 100644
+--- a/drivers/net/ipa/reg/gsi_reg-v5.0.c
++++ b/drivers/net/ipa/reg/gsi_reg-v5.0.c
+@@ -30,7 +30,7 @@ REG_STRIDE_FIELDS(CH_C_CNTXT_0, ch_c_cntxt_0,
+
+ static const u32 reg_ch_c_cntxt_1_fmask[] = {
+ [CH_R_LENGTH] = GENMASK(23, 0),
+- [ERINDEX] = GENMASK(31, 24),
++ [CH_ERINDEX] = GENMASK(31, 24),
+ };
+
+ REG_STRIDE_FIELDS(CH_C_CNTXT_1, ch_c_cntxt_1,
+--
+2.53.0
+
--- /dev/null
+From d121da637fe9f5dda8bfc1470a847651c3d9ba6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 18:43:47 +0200
+Subject: net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+
+
+From: Alexander Koskovich <akoskovich@pm.me>
+
+[ Upstream commit 9709b56d908acc120fe8b4ae250b3c9d749ea832 ]
+
+Fix the field masks to match the hardware layout documented in
+downstream GSI (GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD_*).
+
+Notably this fixes a WARN I was seeing when I tried to send "stop"
+to the MPSS remoteproc while IPA was up.
+
+Fixes: faf0678ec8a0 ("net: ipa: add IPA v5.0 GSI register definitions")
+Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260403-milos-ipa-v1-1-01e9e4e03d3e@fairphone.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipa/reg/gsi_reg-v5.0.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ipa/reg/gsi_reg-v5.0.c b/drivers/net/ipa/reg/gsi_reg-v5.0.c
+index 36d1e65df71bb..3334d8e20ad28 100644
+--- a/drivers/net/ipa/reg/gsi_reg-v5.0.c
++++ b/drivers/net/ipa/reg/gsi_reg-v5.0.c
+@@ -156,9 +156,10 @@ REG_FIELDS(EV_CH_CMD, ev_ch_cmd, 0x00025010 + 0x12000 * GSI_EE_AP);
+
+ static const u32 reg_generic_cmd_fmask[] = {
+ [GENERIC_OPCODE] = GENMASK(4, 0),
+- [GENERIC_CHID] = GENMASK(9, 5),
+- [GENERIC_EE] = GENMASK(13, 10),
+- /* Bits 14-31 reserved */
++ [GENERIC_CHID] = GENMASK(12, 5),
++ [GENERIC_EE] = GENMASK(16, 13),
++ /* Bits 17-23 reserved */
++ [GENERIC_PARAMS] = GENMASK(31, 24),
+ };
+
+ REG_FIELDS(GENERIC_CMD, generic_cmd, 0x00025018 + 0x12000 * GSI_EE_AP);
+--
+2.53.0
+
--- /dev/null
+From ce4b11d2dec827adefe401d6416389e2fd672dc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 10:35:19 +0000
+Subject: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b120e4432f9f56c7103133d6a11245e617695adb ]
+
+lapbeth_data_transmit() expects the underlying device type
+to be ARPHRD_ETHER.
+
+Returning NOTIFY_BAD from lapbeth_device_event() makes sure
+bonding driver can not break this expectation.
+
+Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
+Reported-by: syzbot+d8c285748fa7292580a9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/69cd22a1.050a0220.70c3a.0002.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Martin Schiller <ms@dev.tdt.de>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260402103519.1201565-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lapbether.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index f357a7ac70ac4..9861c99ea56c4 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -446,33 +446,36 @@ static void lapbeth_free_device(struct lapbethdev *lapbeth)
+ static int lapbeth_device_event(struct notifier_block *this,
+ unsigned long event, void *ptr)
+ {
+- struct lapbethdev *lapbeth;
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
++ struct lapbethdev *lapbeth;
+
+ if (dev_net(dev) != &init_net)
+ return NOTIFY_DONE;
+
+- if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev))
++ lapbeth = lapbeth_get_x25_dev(dev);
++ if (!dev_is_ethdev(dev) && !lapbeth)
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
+ /* New ethernet device -> new LAPB interface */
+- if (!lapbeth_get_x25_dev(dev))
++ if (!lapbeth)
+ lapbeth_new_device(dev);
+ break;
+ case NETDEV_GOING_DOWN:
+ /* ethernet device closes -> close LAPB interface */
+- lapbeth = lapbeth_get_x25_dev(dev);
+ if (lapbeth)
+ dev_close(lapbeth->axdev);
+ break;
+ case NETDEV_UNREGISTER:
+ /* ethernet device disappears -> remove LAPB interface */
+- lapbeth = lapbeth_get_x25_dev(dev);
+ if (lapbeth)
+ lapbeth_free_device(lapbeth);
+ break;
++ case NETDEV_PRE_TYPE_CHANGE:
++ /* Our underlying device type must not change. */
++ if (lapbeth)
++ return NOTIFY_BAD;
+ }
+
+ return NOTIFY_DONE;
+--
+2.53.0
+
--- /dev/null
+From 0bc691e839c75bb13b70fb95849fc6780df6036b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2026 14:51:52 +0800
+Subject: net: mdio: realtek-rtl9300: use scoped device_for_each_child_node
+ loop
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit c09ea768bdb975e828f8e17293c397c3d14ad85d ]
+
+Switch to device_for_each_child_node_scoped() to auto-release fwnode
+references on early exit.
+
+Fixes: 24e31e474769 ("net: mdio: Add RTL9300 MDIO driver")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20260405-rtl9300-v1-1-08e4499cf944@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/mdio-realtek-rtl9300.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/mdio/mdio-realtek-rtl9300.c b/drivers/net/mdio/mdio-realtek-rtl9300.c
+index 405a07075dd11..8d5fb014ca06c 100644
+--- a/drivers/net/mdio/mdio-realtek-rtl9300.c
++++ b/drivers/net/mdio/mdio-realtek-rtl9300.c
+@@ -466,7 +466,6 @@ static int rtl9300_mdiobus_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+ struct rtl9300_mdio_priv *priv;
+- struct fwnode_handle *child;
+ int err;
+
+ priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
+@@ -487,7 +486,7 @@ static int rtl9300_mdiobus_probe(struct platform_device *pdev)
+ if (err)
+ return err;
+
+- device_for_each_child_node(dev, child) {
++ device_for_each_child_node_scoped(dev, child) {
+ err = rtl9300_mdiobus_probe_one(dev, priv, child);
+ if (err)
+ return err;
+--
+2.53.0
+
--- /dev/null
+From 85a85dd605536b2b9ddc01cfc2257d4bcac37a26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 22:46:20 +0800
+Subject: net: sched: act_csum: validate nested VLAN headers
+
+From: Ruide Cao <caoruide123@gmail.com>
+
+[ Upstream commit c842743d073bdd683606cb414eb0ca84465dd834 ]
+
+tcf_csum_act() walks nested VLAN headers directly from skb->data when an
+skb still carries in-payload VLAN tags. The current code reads
+vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without
+first ensuring that the full VLAN header is present in the linear area.
+
+If only part of an inner VLAN header is linearized, accessing
+h_vlan_encapsulated_proto reads past the linear area, and the following
+skb_pull(VLAN_HLEN) may violate skb invariants.
+
+Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and
+pulling each nested VLAN header. If the header still is not fully
+available, drop the packet through the existing error path.
+
+Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Ruide Cao <caoruide123@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_csum.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c
+index 0939e6b2ba4d1..3a377604ad343 100644
+--- a/net/sched/act_csum.c
++++ b/net/sched/act_csum.c
+@@ -604,8 +604,12 @@ TC_INDIRECT_SCOPE int tcf_csum_act(struct sk_buff *skb,
+ protocol = skb->protocol;
+ orig_vlan_tag_present = true;
+ } else {
+- struct vlan_hdr *vlan = (struct vlan_hdr *)skb->data;
++ struct vlan_hdr *vlan;
+
++ if (!pskb_may_pull(skb, VLAN_HLEN))
++ goto drop;
++
++ vlan = (struct vlan_hdr *)skb->data;
+ protocol = vlan->h_vlan_encapsulated_proto;
+ skb_pull(skb, VLAN_HLEN);
+ skb_reset_network_header(skb);
+--
+2.53.0
+
--- /dev/null
+From 6022e4cb680c39b20bf5d0c15faf5471d936cbb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 13:23:33 +0000
+Subject: net: sfp: add quirks for Hisense and HSGQ GPON ONT SFP modules
+
+From: John Pavlick <jspavlick@posteo.net>
+
+[ Upstream commit 95aca8602ef70ffd3d971675751c81826e124f90 ]
+
+Several GPON ONT SFP sticks based on Realtek RTL960x report
+1000BASE-LX at 1300MBd in their EEPROM but can operate at 2500base-X.
+On hosts capable of 2500base-X (e.g. Banana Pi R3 / MT7986), the
+kernel negotiates only 1G because it trusts the incorrect EEPROM data.
+
+Add quirks for:
+- Hisense-Leox LXT-010S-H
+- Hisense ZNID-GPON-2311NA
+- HSGQ HSGQ-XPON-Stick
+
+Each quirk advertises 2500base-X and ignores TX_FAULT during the
+module's ~40s Linux boot time.
+
+Tested on Banana Pi R3 (MT7986) with OpenWrt 25.12.1, confirmed
+2.5Gbps link and full throughput with flow offloading.
+
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Suggested-by: Marcin Nita <marcin.nita@leolabs.pl>
+Signed-off-by: John Pavlick <jspavlick@posteo.net>
+Link: https://patch.msgid.link/20260406132321.72563-1-jspavlick@posteo.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/sfp.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
+index 7a85b758fb1e6..c62e3f364ea73 100644
+--- a/drivers/net/phy/sfp.c
++++ b/drivers/net/phy/sfp.c
+@@ -543,6 +543,22 @@ static const struct sfp_quirk sfp_quirks[] = {
+ SFP_QUIRK("HUAWEI", "MA5671A", sfp_quirk_2500basex,
+ sfp_fixup_ignore_tx_fault_and_los),
+
++ // Hisense LXT-010S-H is a GPON ONT SFP (sold as LEOX LXT-010S-H) that
++ // can operate at 2500base-X, but reports 1000BASE-LX / 1300MBd in its
++ // EEPROM
++ SFP_QUIRK("Hisense-Leox", "LXT-010S-H", sfp_quirk_2500basex,
++ sfp_fixup_ignore_tx_fault),
++
++ // Hisense ZNID-GPON-2311NA can operate at 2500base-X, but reports
++ // 1000BASE-LX / 1300MBd in its EEPROM
++ SFP_QUIRK("Hisense", "ZNID-GPON-2311NA", sfp_quirk_2500basex,
++ sfp_fixup_ignore_tx_fault),
++
++ // HSGQ HSGQ-XPON-Stick can operate at 2500base-X, but reports
++ // 1000BASE-LX / 1300MBd in its EEPROM
++ SFP_QUIRK("HSGQ", "HSGQ-XPON-Stick", sfp_quirk_2500basex,
++ sfp_fixup_ignore_tx_fault),
++
+ // Lantech 8330-262D-E and 8330-265D can operate at 2500base-X, but
+ // incorrectly report 2500MBd NRZ in their EEPROM.
+ // Some 8330-265D modules have inverted LOS, while all of them report
+--
+2.53.0
+
--- /dev/null
+From 9f65df779c80334679d06a6d2ae214e0a7b62507 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 11:29:39 +0100
+Subject: net: stmmac: Fix PTP ref clock for Tegra234
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+[ Upstream commit 1345e9f4e3f3bc7d8a0a2138ae29e205a857a555 ]
+
+Since commit 030ce919e114 ("net: stmmac: make sure that ptp_rate is not
+0 before configuring timestamping") was added the following error is
+observed on Tegra234:
+
+ ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate
+ WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed
+
+It turns out that the Tegra234 device-tree binding defines the PTP ref
+clock name as 'ptp-ref' and not 'ptp_ref' and the above commit now
+exposes this and that the PTP clock is not configured correctly.
+
+In order to update device-tree to use the correct 'ptp_ref' name, update
+the Tegra MGBE driver to use 'ptp_ref' by default and fallback to using
+'ptp-ref' if this clock name is present.
+
+Fixes: d8ca113724e7 ("net: stmmac: tegra: Add MGBE support")
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260401102941.17466-2-jonathanh@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/dwmac-tegra.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
+index d765acbe37548..21a0a11fc0118 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
+@@ -9,7 +9,7 @@
+ #include "stmmac_platform.h"
+
+ static const char *const mgbe_clks[] = {
+- "rx-pcs", "tx", "tx-pcs", "mac-divider", "mac", "mgbe", "ptp-ref", "mac"
++ "rx-pcs", "tx", "tx-pcs", "mac-divider", "mac", "mgbe", "ptp_ref", "mac"
+ };
+
+ struct tegra_mgbe {
+@@ -215,6 +215,7 @@ static int tegra_mgbe_probe(struct platform_device *pdev)
+ {
+ struct plat_stmmacenet_data *plat;
+ struct stmmac_resources res;
++ bool use_legacy_ptp = false;
+ struct tegra_mgbe *mgbe;
+ int irq, err, i;
+ u32 value;
+@@ -257,9 +258,23 @@ static int tegra_mgbe_probe(struct platform_device *pdev)
+ if (!mgbe->clks)
+ return -ENOMEM;
+
+- for (i = 0; i < ARRAY_SIZE(mgbe_clks); i++)
++ /* Older device-trees use 'ptp-ref' rather than 'ptp_ref'.
++ * Fall back when the legacy name is present.
++ */
++ if (of_property_match_string(pdev->dev.of_node, "clock-names",
++ "ptp-ref") >= 0)
++ use_legacy_ptp = true;
++
++ for (i = 0; i < ARRAY_SIZE(mgbe_clks); i++) {
+ mgbe->clks[i].id = mgbe_clks[i];
+
++ if (use_legacy_ptp && !strcmp(mgbe_clks[i], "ptp_ref")) {
++ dev_warn(mgbe->dev,
++ "Device-tree update needed for PTP clock!\n");
++ mgbe->clks[i].id = "ptp-ref";
++ }
++ }
++
+ err = devm_clk_bulk_get(mgbe->dev, ARRAY_SIZE(mgbe_clks), mgbe->clks);
+ if (err < 0)
+ return err;
+--
+2.53.0
+
--- /dev/null
+From a8d6335e6e29a65fa86ee6f79821a49526c4f674 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2026 23:20:13 +0100
+Subject: net: txgbe: leave space for null terminators on property_entry
+
+From: Fabio Baltieri <fabio.baltieri@gmail.com>
+
+[ Upstream commit 5a37d228799b0ec2c277459c83c814a59d310bc3 ]
+
+Lists of struct property_entry are supposed to be terminated with an
+empty property, this driver currently seems to be allocating exactly the
+amount of entry used.
+
+Change the struct definition to leave an extra element for all
+property_entry.
+
+Fixes: c3e382ad6d15 ("net: txgbe: Add software nodes to support phylink")
+Signed-off-by: Fabio Baltieri <fabio.baltieri@gmail.com>
+Tested-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Link: https://patch.msgid.link/20260405222013.5347-1-fabio.baltieri@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h
+index 41915d7dd372a..be78f8f61a795 100644
+--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h
++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h
+@@ -399,10 +399,10 @@ struct txgbe_nodes {
+ char i2c_name[32];
+ char sfp_name[32];
+ char phylink_name[32];
+- struct property_entry gpio_props[1];
+- struct property_entry i2c_props[3];
+- struct property_entry sfp_props[8];
+- struct property_entry phylink_props[2];
++ struct property_entry gpio_props[2];
++ struct property_entry i2c_props[4];
++ struct property_entry sfp_props[9];
++ struct property_entry phylink_props[3];
+ struct software_node_ref_args i2c_ref[1];
+ struct software_node_ref_args gpio0_ref[1];
+ struct software_node_ref_args gpio1_ref[1];
+--
+2.53.0
+
--- /dev/null
+From a803c76b7cc7c1fa4a45766bc624a6e1ed137ae7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Mar 2026 14:11:04 +0100
+Subject: netfilter: ctnetlink: ensure safe access to master conntrack
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5 ]
+
+Holding reference on the expectation is not sufficient, the master
+conntrack object can just go away, making exp->master invalid.
+
+To access exp->master safely:
+
+- Grab the nf_conntrack_expect_lock, this gets serialized with
+ clean_from_lists() which also holds this lock when the master
+ conntrack goes away.
+
+- Hold reference on master conntrack via nf_conntrack_find_get().
+ Not so easy since the master tuple to look up for the master conntrack
+ is not available in the existing problematic paths.
+
+This patch goes for extending the nf_conntrack_expect_lock section
+to address this issue for simplicity, in the cases that are described
+below this is just slightly extending the lock section.
+
+The add expectation command already holds a reference to the master
+conntrack from ctnetlink_create_expect().
+
+However, the delete expectation command needs to grab the spinlock
+before looking up for the expectation. Expand the existing spinlock
+section to address this to cover the expectation lookup. Note that,
+the nf_ct_expect_iterate_net() calls already grabs the spinlock while
+iterating over the expectation table, which is correct.
+
+The get expectation command needs to grab the spinlock to ensure master
+conntrack does not go away. This also expands the existing spinlock
+section to cover the expectation lookup too. I needed to move the
+netlink skb allocation out of the spinlock to keep it GFP_KERNEL.
+
+For the expectation events, the IPEXP_DESTROY event is already delivered
+under the spinlock, just move the delivery of IPEXP_NEW under the
+spinlock too because the master conntrack event cache is reached through
+exp->master.
+
+While at it, add lockdep notations to help identify what codepaths need
+to grab the spinlock.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_conntrack_core.h | 5 ++++
+ net/netfilter/nf_conntrack_ecache.c | 2 ++
+ net/netfilter/nf_conntrack_expect.c | 10 +++++++-
+ net/netfilter/nf_conntrack_netlink.c | 28 +++++++++++++++--------
+ 4 files changed, 35 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
+index 3384859a89210..8883575adcc1e 100644
+--- a/include/net/netfilter/nf_conntrack_core.h
++++ b/include/net/netfilter/nf_conntrack_core.h
+@@ -83,6 +83,11 @@ void nf_conntrack_lock(spinlock_t *lock);
+
+ extern spinlock_t nf_conntrack_expect_lock;
+
++static inline void lockdep_nfct_expect_lock_held(void)
++{
++ lockdep_assert_held(&nf_conntrack_expect_lock);
++}
++
+ /* ctnetlink code shared by both ctnetlink and nf_conntrack_bpf */
+
+ static inline void __nf_ct_set_timeout(struct nf_conn *ct, u64 timeout)
+diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
+index 81baf20826046..9df159448b897 100644
+--- a/net/netfilter/nf_conntrack_ecache.c
++++ b/net/netfilter/nf_conntrack_ecache.c
+@@ -247,6 +247,8 @@ void nf_ct_expect_event_report(enum ip_conntrack_expect_events event,
+ struct nf_ct_event_notifier *notify;
+ struct nf_conntrack_ecache *e;
+
++ lockdep_nfct_expect_lock_held();
++
+ rcu_read_lock();
+ notify = rcu_dereference(net->ct.nf_conntrack_event_cb);
+ if (!notify)
+diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
+index 2234c444a320e..24d0576d84b7f 100644
+--- a/net/netfilter/nf_conntrack_expect.c
++++ b/net/netfilter/nf_conntrack_expect.c
+@@ -51,6 +51,7 @@ void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp,
+ struct net *net = nf_ct_exp_net(exp);
+ struct nf_conntrack_net *cnet;
+
++ lockdep_nfct_expect_lock_held();
+ WARN_ON(!master_help);
+ WARN_ON(timer_pending(&exp->timeout));
+
+@@ -118,6 +119,8 @@ nf_ct_exp_equal(const struct nf_conntrack_tuple *tuple,
+
+ bool nf_ct_remove_expect(struct nf_conntrack_expect *exp)
+ {
++ lockdep_nfct_expect_lock_held();
++
+ if (timer_delete(&exp->timeout)) {
+ nf_ct_unlink_expect(exp);
+ nf_ct_expect_put(exp);
+@@ -177,6 +180,8 @@ nf_ct_find_expectation(struct net *net,
+ struct nf_conntrack_expect *i, *exp = NULL;
+ unsigned int h;
+
++ lockdep_nfct_expect_lock_held();
++
+ if (!cnet->expect_count)
+ return NULL;
+
+@@ -459,6 +464,8 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect,
+ unsigned int h;
+ int ret = 0;
+
++ lockdep_nfct_expect_lock_held();
++
+ if (!master_help) {
+ ret = -ESHUTDOWN;
+ goto out;
+@@ -515,8 +522,9 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
+
+ nf_ct_expect_insert(expect);
+
+- spin_unlock_bh(&nf_conntrack_expect_lock);
+ nf_ct_expect_event_report(IPEXP_NEW, expect, portid, report);
++ spin_unlock_bh(&nf_conntrack_expect_lock);
++
+ return 0;
+ out:
+ spin_unlock_bh(&nf_conntrack_expect_lock);
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 879413b9fa06a..becffc15e7579 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3337,31 +3337,37 @@ static int ctnetlink_get_expect(struct sk_buff *skb,
+ if (err < 0)
+ return err;
+
++ skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
++ if (!skb2)
++ return -ENOMEM;
++
++ spin_lock_bh(&nf_conntrack_expect_lock);
+ exp = nf_ct_expect_find_get(info->net, &zone, &tuple);
+- if (!exp)
++ if (!exp) {
++ spin_unlock_bh(&nf_conntrack_expect_lock);
++ kfree_skb(skb2);
+ return -ENOENT;
++ }
+
+ if (cda[CTA_EXPECT_ID]) {
+ __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
+
+ if (id != nf_expect_get_id(exp)) {
+ nf_ct_expect_put(exp);
++ spin_unlock_bh(&nf_conntrack_expect_lock);
++ kfree_skb(skb2);
+ return -ENOENT;
+ }
+ }
+
+- skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+- if (!skb2) {
+- nf_ct_expect_put(exp);
+- return -ENOMEM;
+- }
+-
+ rcu_read_lock();
+ err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid,
+ info->nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW,
+ exp);
+ rcu_read_unlock();
+ nf_ct_expect_put(exp);
++ spin_unlock_bh(&nf_conntrack_expect_lock);
++
+ if (err <= 0) {
+ kfree_skb(skb2);
+ return -ENOMEM;
+@@ -3408,22 +3414,26 @@ static int ctnetlink_del_expect(struct sk_buff *skb,
+ if (err < 0)
+ return err;
+
++ spin_lock_bh(&nf_conntrack_expect_lock);
++
+ /* bump usage count to 2 */
+ exp = nf_ct_expect_find_get(info->net, &zone, &tuple);
+- if (!exp)
++ if (!exp) {
++ spin_unlock_bh(&nf_conntrack_expect_lock);
+ return -ENOENT;
++ }
+
+ if (cda[CTA_EXPECT_ID]) {
+ __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
+
+ if (id != nf_expect_get_id(exp)) {
+ nf_ct_expect_put(exp);
++ spin_unlock_bh(&nf_conntrack_expect_lock);
+ return -ENOENT;
+ }
+ }
+
+ /* after list removal, usage count == 1 */
+- spin_lock_bh(&nf_conntrack_expect_lock);
+ if (timer_delete(&exp->timeout)) {
+ nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid,
+ nlmsg_report(info->nlh));
+--
+2.53.0
+
--- /dev/null
+From b5c7cddbb6233330aef646e6b1106f648f5b69e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2026 17:39:47 +0800
+Subject: netfilter: ip6t_eui64: reject invalid MAC header for all packets
+
+From: Zhengchuan Liang <zcliangcn@gmail.com>
+
+[ Upstream commit fdce0b3590f724540795b874b4c8850c90e6b0a8 ]
+
+`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
+and compares it with the low 64 bits of the IPv6 source address.
+
+The existing guard only rejects an invalid MAC header when
+`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
+can still reach `eth_hdr(skb)` even when the MAC header is not valid.
+
+Fix this by removing the `par->fragoff != 0` condition so that packets
+with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/ip6t_eui64.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
+index d704f7ed300c2..da69a27e8332c 100644
+--- a/net/ipv6/netfilter/ip6t_eui64.c
++++ b/net/ipv6/netfilter/ip6t_eui64.c
+@@ -22,8 +22,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
+ unsigned char eui64[8];
+
+ if (!(skb_mac_header(skb) >= skb->head &&
+- skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
+- par->fragoff != 0) {
++ skb_mac_header(skb) + ETH_HLEN <= skb->data)) {
+ par->hotdrop = true;
+ return false;
+ }
+--
+2.53.0
+
--- /dev/null
+From afbbe800b0768e68982da75c60b2dabbceae3ea1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 14:20:57 -0700
+Subject: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE
+ terminator
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit 1f3083aec8836213da441270cdb1ab612dd82cf4 ]
+
+When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send()
+appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via
+nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put()
+helper only zeroes alignment padding after the payload, not the payload
+itself, so four bytes of stale kernel heap data are leaked to userspace
+in the NLMSG_DONE message body.
+
+Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes
+the nfgenmsg payload via nfnl_fill_hdr(), consistent with how
+__build_packet_message() already constructs NFULNL_MSG_PACKET headers.
+
+Fixes: 29c5d4afba51 ("[NETFILTER]: nfnetlink_log: fix sending of multipart messages")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_log.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
+index dcd2493a9a404..b1f3eda85989c 100644
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -361,10 +361,10 @@ static void
+ __nfulnl_send(struct nfulnl_instance *inst)
+ {
+ if (inst->qlen > 1) {
+- struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0,
+- NLMSG_DONE,
+- sizeof(struct nfgenmsg),
+- 0);
++ struct nlmsghdr *nlh = nfnl_msg_put(inst->skb, 0, 0,
++ NLMSG_DONE, 0,
++ AF_UNSPEC, NFNETLINK_V0,
++ htons(inst->group_num));
+ if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n",
+ inst->skb->len, skb_tailroom(inst->skb))) {
+ kfree_skb(inst->skb);
+--
+2.53.0
+
--- /dev/null
+From 86351c47a837a6a1bd32531828cb06dbc71f55c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 17:00:01 +0200
+Subject: netfilter: nfnetlink_queue: make hash table per queue
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 936206e3f6ff411581e615e930263d6f8b78df9d ]
+
+Sharing a global hash table among all queues is tempting, but
+it can cause crash:
+
+BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]
+[..]
+ nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]
+ nfnetlink_rcv_msg+0x46a/0x930
+ kmem_cache_alloc_node_noprof+0x11e/0x450
+
+struct nf_queue_entry is freed via kfree, but parallel cpu can still
+encounter such an nf_queue_entry when walking the list.
+
+Alternative fix is to free the nf_queue_entry via kfree_rcu() instead,
+but as we have to alloc/free for each skb this will cause more mem
+pressure.
+
+Cc: Scott Mitchell <scott.k.mitch1@gmail.com>
+Fixes: e19079adcd26 ("netfilter: nfnetlink_queue: optimize verdict lookup with hash table")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_queue.h | 1 -
+ net/netfilter/nfnetlink_queue.c | 139 +++++++++++--------------------
+ 2 files changed, 49 insertions(+), 91 deletions(-)
+
+diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
+index 45eb26b2e95b3..d17035d14d96c 100644
+--- a/include/net/netfilter/nf_queue.h
++++ b/include/net/netfilter/nf_queue.h
+@@ -23,7 +23,6 @@ struct nf_queue_entry {
+ struct nf_hook_state state;
+ bool nf_ct_is_unconfirmed;
+ u16 size; /* sizeof(entry) + saved route keys */
+- u16 queue_num;
+
+ /* extra space to store route keys */
+ };
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index a39d3b989063c..fe5942535245d 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -49,8 +49,8 @@
+ #endif
+
+ #define NFQNL_QMAX_DEFAULT 1024
+-#define NFQNL_HASH_MIN 1024
+-#define NFQNL_HASH_MAX 1048576
++#define NFQNL_HASH_MIN 8
++#define NFQNL_HASH_MAX 32768
+
+ /* We're using struct nlattr which has 16bit nla_len. Note that nla_len
+ * includes the header length. Thus, the maximum packet length that we
+@@ -60,29 +60,10 @@
+ */
+ #define NFQNL_MAX_COPY_RANGE (0xffff - NLA_HDRLEN)
+
+-/* Composite key for packet lookup: (net, queue_num, packet_id) */
+-struct nfqnl_packet_key {
+- possible_net_t net;
+- u32 packet_id;
+- u16 queue_num;
+-} __aligned(sizeof(u32)); /* jhash2 requires 32-bit alignment */
+-
+-/* Global rhashtable - one for entire system, all netns */
+-static struct rhashtable nfqnl_packet_map __read_mostly;
+-
+-/* Helper to initialize composite key */
+-static inline void nfqnl_init_key(struct nfqnl_packet_key *key,
+- struct net *net, u32 packet_id, u16 queue_num)
+-{
+- memset(key, 0, sizeof(*key));
+- write_pnet(&key->net, net);
+- key->packet_id = packet_id;
+- key->queue_num = queue_num;
+-}
+-
+ struct nfqnl_instance {
+ struct hlist_node hlist; /* global list of queues */
+- struct rcu_head rcu;
++ struct rhashtable nfqnl_packet_map;
++ struct rcu_work rwork;
+
+ u32 peer_portid;
+ unsigned int queue_maxlen;
+@@ -106,6 +87,7 @@ struct nfqnl_instance {
+
+ typedef int (*nfqnl_cmpfn)(struct nf_queue_entry *, unsigned long);
+
++static struct workqueue_struct *nfq_cleanup_wq __read_mostly;
+ static unsigned int nfnl_queue_net_id __read_mostly;
+
+ #define INSTANCE_BUCKETS 16
+@@ -124,34 +106,10 @@ static inline u_int8_t instance_hashfn(u_int16_t queue_num)
+ return ((queue_num >> 8) ^ queue_num) % INSTANCE_BUCKETS;
+ }
+
+-/* Extract composite key from nf_queue_entry for hashing */
+-static u32 nfqnl_packet_obj_hashfn(const void *data, u32 len, u32 seed)
+-{
+- const struct nf_queue_entry *entry = data;
+- struct nfqnl_packet_key key;
+-
+- nfqnl_init_key(&key, entry->state.net, entry->id, entry->queue_num);
+-
+- return jhash2((u32 *)&key, sizeof(key) / sizeof(u32), seed);
+-}
+-
+-/* Compare stack-allocated key against entry */
+-static int nfqnl_packet_obj_cmpfn(struct rhashtable_compare_arg *arg,
+- const void *obj)
+-{
+- const struct nfqnl_packet_key *key = arg->key;
+- const struct nf_queue_entry *entry = obj;
+-
+- return !net_eq(entry->state.net, read_pnet(&key->net)) ||
+- entry->queue_num != key->queue_num ||
+- entry->id != key->packet_id;
+-}
+-
+ static const struct rhashtable_params nfqnl_rhashtable_params = {
+ .head_offset = offsetof(struct nf_queue_entry, hash_node),
+- .key_len = sizeof(struct nfqnl_packet_key),
+- .obj_hashfn = nfqnl_packet_obj_hashfn,
+- .obj_cmpfn = nfqnl_packet_obj_cmpfn,
++ .key_offset = offsetof(struct nf_queue_entry, id),
++ .key_len = sizeof(u32),
+ .automatic_shrinking = true,
+ .min_size = NFQNL_HASH_MIN,
+ .max_size = NFQNL_HASH_MAX,
+@@ -190,6 +148,10 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+ spin_lock_init(&inst->lock);
+ INIT_LIST_HEAD(&inst->queue_list);
+
++ err = rhashtable_init(&inst->nfqnl_packet_map, &nfqnl_rhashtable_params);
++ if (err < 0)
++ goto out_free;
++
+ spin_lock(&q->instances_lock);
+ if (instance_lookup(q, queue_num)) {
+ err = -EEXIST;
+@@ -210,6 +172,8 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+
+ out_unlock:
+ spin_unlock(&q->instances_lock);
++ rhashtable_destroy(&inst->nfqnl_packet_map);
++out_free:
+ kfree(inst);
+ return ERR_PTR(err);
+ }
+@@ -217,15 +181,18 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+ static void nfqnl_flush(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn,
+ unsigned long data);
+
+-static void
+-instance_destroy_rcu(struct rcu_head *head)
++static void instance_destroy_work(struct work_struct *work)
+ {
+- struct nfqnl_instance *inst = container_of(head, struct nfqnl_instance,
+- rcu);
++ struct nfqnl_instance *inst;
+
++ inst = container_of(to_rcu_work(work), struct nfqnl_instance,
++ rwork);
+ rcu_read_lock();
+ nfqnl_flush(inst, NULL, 0);
+ rcu_read_unlock();
++
++ rhashtable_destroy(&inst->nfqnl_packet_map);
++
+ kfree(inst);
+ module_put(THIS_MODULE);
+ }
+@@ -234,7 +201,9 @@ static void
+ __instance_destroy(struct nfqnl_instance *inst)
+ {
+ hlist_del_rcu(&inst->hlist);
+- call_rcu(&inst->rcu, instance_destroy_rcu);
++
++ INIT_RCU_WORK(&inst->rwork, instance_destroy_work);
++ queue_rcu_work(nfq_cleanup_wq, &inst->rwork);
+ }
+
+ static void
+@@ -250,9 +219,7 @@ __enqueue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry)
+ {
+ int err;
+
+- entry->queue_num = queue->queue_num;
+-
+- err = rhashtable_insert_fast(&nfqnl_packet_map, &entry->hash_node,
++ err = rhashtable_insert_fast(&queue->nfqnl_packet_map, &entry->hash_node,
+ nfqnl_rhashtable_params);
+ if (unlikely(err))
+ return err;
+@@ -266,23 +233,19 @@ __enqueue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry)
+ static void
+ __dequeue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry)
+ {
+- rhashtable_remove_fast(&nfqnl_packet_map, &entry->hash_node,
++ rhashtable_remove_fast(&queue->nfqnl_packet_map, &entry->hash_node,
+ nfqnl_rhashtable_params);
+ list_del(&entry->list);
+ queue->queue_total--;
+ }
+
+ static struct nf_queue_entry *
+-find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id,
+- struct net *net)
++find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id)
+ {
+- struct nfqnl_packet_key key;
+ struct nf_queue_entry *entry;
+
+- nfqnl_init_key(&key, net, id, queue->queue_num);
+-
+ spin_lock_bh(&queue->lock);
+- entry = rhashtable_lookup_fast(&nfqnl_packet_map, &key,
++ entry = rhashtable_lookup_fast(&queue->nfqnl_packet_map, &id,
+ nfqnl_rhashtable_params);
+
+ if (entry)
+@@ -1531,7 +1494,7 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info,
+
+ verdict = ntohl(vhdr->verdict);
+
+- entry = find_dequeue_entry(queue, ntohl(vhdr->id), info->net);
++ entry = find_dequeue_entry(queue, ntohl(vhdr->id));
+ if (entry == NULL)
+ return -ENOENT;
+
+@@ -1880,40 +1843,38 @@ static int __init nfnetlink_queue_init(void)
+ {
+ int status;
+
+- status = rhashtable_init(&nfqnl_packet_map, &nfqnl_rhashtable_params);
+- if (status < 0)
+- return status;
++ nfq_cleanup_wq = alloc_ordered_workqueue("nfq_workqueue", 0);
++ if (!nfq_cleanup_wq)
++ return -ENOMEM;
+
+ status = register_pernet_subsys(&nfnl_queue_net_ops);
+- if (status < 0) {
+- pr_err("failed to register pernet ops\n");
+- goto cleanup_rhashtable;
+- }
++ if (status < 0)
++ goto cleanup_pernet_subsys;
+
+- netlink_register_notifier(&nfqnl_rtnl_notifier);
+- status = nfnetlink_subsys_register(&nfqnl_subsys);
+- if (status < 0) {
+- pr_err("failed to create netlink socket\n");
+- goto cleanup_netlink_notifier;
+- }
++ status = netlink_register_notifier(&nfqnl_rtnl_notifier);
++ if (status < 0)
++ goto cleanup_rtnl_notifier;
+
+ status = register_netdevice_notifier(&nfqnl_dev_notifier);
+- if (status < 0) {
+- pr_err("failed to register netdevice notifier\n");
+- goto cleanup_netlink_subsys;
+- }
++ if (status < 0)
++ goto cleanup_dev_notifier;
++
++ status = nfnetlink_subsys_register(&nfqnl_subsys);
++ if (status < 0)
++ goto cleanup_nfqnl_subsys;
+
+ nf_register_queue_handler(&nfqh);
+
+ return status;
+
+-cleanup_netlink_subsys:
+- nfnetlink_subsys_unregister(&nfqnl_subsys);
+-cleanup_netlink_notifier:
++cleanup_nfqnl_subsys:
++ unregister_netdevice_notifier(&nfqnl_dev_notifier);
++cleanup_dev_notifier:
+ netlink_unregister_notifier(&nfqnl_rtnl_notifier);
++cleanup_rtnl_notifier:
+ unregister_pernet_subsys(&nfnl_queue_net_ops);
+-cleanup_rhashtable:
+- rhashtable_destroy(&nfqnl_packet_map);
++cleanup_pernet_subsys:
++ destroy_workqueue(nfq_cleanup_wq);
+ return status;
+ }
+
+@@ -1924,9 +1885,7 @@ static void __exit nfnetlink_queue_fini(void)
+ nfnetlink_subsys_unregister(&nfqnl_subsys);
+ netlink_unregister_notifier(&nfqnl_rtnl_notifier);
+ unregister_pernet_subsys(&nfnl_queue_net_ops);
+-
+- rhashtable_destroy(&nfqnl_packet_map);
+-
++ destroy_workqueue(nfq_cleanup_wq);
+ rcu_barrier(); /* Wait for completion of call_rcu()'s */
+ }
+
+--
+2.53.0
+
--- /dev/null
+From d2c4a9f596b4efff543deedcd12c54bacb9d6f8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jan 2026 09:32:30 -0800
+Subject: netfilter: nfnetlink_queue: nfqnl_instance GFP_ATOMIC ->
+ GFP_KERNEL_ACCOUNT allocation
+
+From: Scott Mitchell <scott.k.mitch1@gmail.com>
+
+[ Upstream commit a4400a5b343d1bc4aa8f685608515413238e7ee2 ]
+
+Currently, instance_create() uses GFP_ATOMIC because it's called while
+holding instances_lock spinlock. This makes allocation more likely to
+fail under memory pressure.
+
+Refactor nfqnl_recv_config() to drop RCU lock after instance_lookup()
+and peer_portid verification. A socket cannot simultaneously send a
+message and close, so the queue owned by the sending socket cannot be
+destroyed while processing its CONFIG message. This allows
+instance_create() to allocate with GFP_KERNEL_ACCOUNT before taking
+the spinlock.
+
+Suggested-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Scott Mitchell <scott.k.mitch1@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Stable-dep-of: 936206e3f6ff ("netfilter: nfnetlink_queue: make hash table per queue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_queue.c | 75 +++++++++++++++------------------
+ 1 file changed, 34 insertions(+), 41 deletions(-)
+
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index 0b96d20bacb73..a39d3b989063c 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -178,17 +178,9 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+ unsigned int h;
+ int err;
+
+- spin_lock(&q->instances_lock);
+- if (instance_lookup(q, queue_num)) {
+- err = -EEXIST;
+- goto out_unlock;
+- }
+-
+- inst = kzalloc(sizeof(*inst), GFP_ATOMIC);
+- if (!inst) {
+- err = -ENOMEM;
+- goto out_unlock;
+- }
++ inst = kzalloc(sizeof(*inst), GFP_KERNEL_ACCOUNT);
++ if (!inst)
++ return ERR_PTR(-ENOMEM);
+
+ inst->queue_num = queue_num;
+ inst->peer_portid = portid;
+@@ -198,9 +190,15 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+ spin_lock_init(&inst->lock);
+ INIT_LIST_HEAD(&inst->queue_list);
+
++ spin_lock(&q->instances_lock);
++ if (instance_lookup(q, queue_num)) {
++ err = -EEXIST;
++ goto out_unlock;
++ }
++
+ if (!try_module_get(THIS_MODULE)) {
+ err = -EAGAIN;
+- goto out_free;
++ goto out_unlock;
+ }
+
+ h = instance_hashfn(queue_num);
+@@ -210,10 +208,9 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+
+ return inst;
+
+-out_free:
+- kfree(inst);
+ out_unlock:
+ spin_unlock(&q->instances_lock);
++ kfree(inst);
+ return ERR_PTR(err);
+ }
+
+@@ -1604,7 +1601,8 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info,
+ struct nfqnl_msg_config_cmd *cmd = NULL;
+ struct nfqnl_instance *queue;
+ __u32 flags = 0, mask = 0;
+- int ret = 0;
++
++ WARN_ON_ONCE(!lockdep_nfnl_is_held(NFNL_SUBSYS_QUEUE));
+
+ if (nfqa[NFQA_CFG_CMD]) {
+ cmd = nla_data(nfqa[NFQA_CFG_CMD]);
+@@ -1650,47 +1648,44 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info,
+ }
+ }
+
++ /* Lookup queue under RCU. After peer_portid check (or for new queue
++ * in BIND case), the queue is owned by the socket sending this message.
++ * A socket cannot simultaneously send a message and close, so while
++ * processing this CONFIG message, nfqnl_rcv_nl_event() (triggered by
++ * socket close) cannot destroy this queue. Safe to use without RCU.
++ */
+ rcu_read_lock();
+ queue = instance_lookup(q, queue_num);
+ if (queue && queue->peer_portid != NETLINK_CB(skb).portid) {
+- ret = -EPERM;
+- goto err_out_unlock;
++ rcu_read_unlock();
++ return -EPERM;
+ }
++ rcu_read_unlock();
+
+ if (cmd != NULL) {
+ switch (cmd->command) {
+ case NFQNL_CFG_CMD_BIND:
+- if (queue) {
+- ret = -EBUSY;
+- goto err_out_unlock;
+- }
+- queue = instance_create(q, queue_num,
+- NETLINK_CB(skb).portid);
+- if (IS_ERR(queue)) {
+- ret = PTR_ERR(queue);
+- goto err_out_unlock;
+- }
++ if (queue)
++ return -EBUSY;
++ queue = instance_create(q, queue_num, NETLINK_CB(skb).portid);
++ if (IS_ERR(queue))
++ return PTR_ERR(queue);
+ break;
+ case NFQNL_CFG_CMD_UNBIND:
+- if (!queue) {
+- ret = -ENODEV;
+- goto err_out_unlock;
+- }
++ if (!queue)
++ return -ENODEV;
+ instance_destroy(q, queue);
+- goto err_out_unlock;
++ return 0;
+ case NFQNL_CFG_CMD_PF_BIND:
+ case NFQNL_CFG_CMD_PF_UNBIND:
+ break;
+ default:
+- ret = -ENOTSUPP;
+- goto err_out_unlock;
++ return -EOPNOTSUPP;
+ }
+ }
+
+- if (!queue) {
+- ret = -ENODEV;
+- goto err_out_unlock;
+- }
++ if (!queue)
++ return -ENODEV;
+
+ if (nfqa[NFQA_CFG_PARAMS]) {
+ struct nfqnl_msg_config_params *params =
+@@ -1715,9 +1710,7 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info,
+ spin_unlock_bh(&queue->lock);
+ }
+
+-err_out_unlock:
+- rcu_read_unlock();
+- return ret;
++ return 0;
+ }
+
+ static const struct nfnl_callback nfqnl_cb[NFQNL_MSG_MAX] = {
+--
+2.53.0
+
--- /dev/null
+From 0baffed0c792c7638ffc89977667645240cdcaed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Mar 2026 14:10:55 +0100
+Subject: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
+ expiry
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit d3c0037ffe1273fa1961e779ff6906234d6cf53c ]
+
+New test case fails unexpectedly when avx2 matching functions are used.
+
+The test first loads a ranomly generated pipapo set
+with 'ipv4 . port' key, i.e. nft -f foo.
+
+This works. Then, it reloads the set after a flush:
+(echo flush set t s; cat foo) | nft -f -
+
+This is expected to work, because its the same set after all and it was
+already loaded once.
+
+But with avx2, this fails: nft reports a clashing element.
+
+The reported clash is of following form:
+
+ We successfully re-inserted
+ a . b
+ c . d
+
+Then we try to insert a . d
+
+avx2 finds the already existing a . d, which (due to 'flush set') is marked
+as invalid in the new generation. It skips the element and moves to next.
+
+Due to incorrect masking, the skip-step finds the next matching
+element *only considering the first field*,
+
+i.e. we return the already reinserted "a . b", even though the
+last field is different and the entry should not have been matched.
+
+No such error is reported for the generic c implementation (no avx2) or when
+the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.
+
+Bisection points to
+7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection")
+but that fix merely uncovers this bug.
+
+Before this commit, the wrong element is returned, but erronously
+reported as a full, identical duplicate.
+
+The root-cause is too early return in the avx2 match functions.
+When we process the last field, we should continue to process data
+until the entire input size has been consumed to make sure no stale
+bits remain in the map.
+
+Link: https://lore.kernel.org/netfilter-devel/20260321152506.037f68c0@elisabeth/
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_pipapo_avx2.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
+index 7ff90325c97fa..6395982e4d95c 100644
+--- a/net/netfilter/nft_set_pipapo_avx2.c
++++ b/net/netfilter/nft_set_pipapo_avx2.c
+@@ -242,7 +242,7 @@ static int nft_pipapo_avx2_lookup_4b_2(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -319,7 +319,7 @@ static int nft_pipapo_avx2_lookup_4b_4(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -414,7 +414,7 @@ static int nft_pipapo_avx2_lookup_4b_8(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -505,7 +505,7 @@ static int nft_pipapo_avx2_lookup_4b_12(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -641,7 +641,7 @@ static int nft_pipapo_avx2_lookup_4b_32(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -699,7 +699,7 @@ static int nft_pipapo_avx2_lookup_8b_1(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -764,7 +764,7 @@ static int nft_pipapo_avx2_lookup_8b_2(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -839,7 +839,7 @@ static int nft_pipapo_avx2_lookup_8b_4(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -925,7 +925,7 @@ static int nft_pipapo_avx2_lookup_8b_6(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -1019,7 +1019,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+--
+2.53.0
+
--- /dev/null
+From 0f424e8857b35f4f52917964e5714d8afe1d73ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 23:52:52 +0800
+Subject: netfilter: xt_multiport: validate range encoding in checkentry
+
+From: Ren Wei <n05ec@lzu.edu.cn>
+
+[ Upstream commit ff64c5bfef12461df8450e0f50bb693b5269c720 ]
+
+ports_match_v1() treats any non-zero pflags entry as the start of a
+port range and unconditionally consumes the next ports[] element as
+the range end.
+
+The checkentry path currently validates protocol, flags and count, but
+it does not validate the range encoding itself. As a result, malformed
+rules can mark the last slot as a range start or place two range starts
+back to back, leaving ports_match_v1() to step past the last valid
+ports[] element while interpreting the rule.
+
+Reject malformed multiport v1 rules in checkentry by validating that
+each range start has a following element and that the following element
+is not itself marked as another range start.
+
+Fixes: a89ecb6a2ef7 ("[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Yuhang Zheng <z1652074432@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_multiport.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
+index 44a00f5acde8a..a1691ff405d3c 100644
+--- a/net/netfilter/xt_multiport.c
++++ b/net/netfilter/xt_multiport.c
+@@ -105,6 +105,28 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
+ return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1]));
+ }
+
++static bool
++multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo)
++{
++ unsigned int i;
++
++ for (i = 0; i < multiinfo->count; i++) {
++ if (!multiinfo->pflags[i])
++ continue;
++
++ if (++i >= multiinfo->count)
++ return false;
++
++ if (multiinfo->pflags[i])
++ return false;
++
++ if (multiinfo->ports[i - 1] > multiinfo->ports[i])
++ return false;
++ }
++
++ return true;
++}
++
+ static inline bool
+ check(u_int16_t proto,
+ u_int8_t ip_invflags,
+@@ -127,8 +149,10 @@ static int multiport_mt_check(const struct xt_mtchk_param *par)
+ const struct ipt_ip *ip = par->entryinfo;
+ const struct xt_multiport_v1 *multiinfo = par->matchinfo;
+
+- return check(ip->proto, ip->invflags, multiinfo->flags,
+- multiinfo->count) ? 0 : -EINVAL;
++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count))
++ return -EINVAL;
++
++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL;
+ }
+
+ static int multiport_mt6_check(const struct xt_mtchk_param *par)
+@@ -136,8 +160,10 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par)
+ const struct ip6t_ip6 *ip = par->entryinfo;
+ const struct xt_multiport_v1 *multiinfo = par->matchinfo;
+
+- return check(ip->proto, ip->invflags, multiinfo->flags,
+- multiinfo->count) ? 0 : -EINVAL;
++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count))
++ return -EINVAL;
++
++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL;
+ }
+
+ static struct xt_match multiport_mt_reg[] __read_mostly = {
+--
+2.53.0
+
--- /dev/null
+From 1788495453b55fa2bbb9482071a5daac594cba42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 12:21:48 +0800
+Subject: nfc: s3fwrn5: allocate rx skb before consuming bytes
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 5c14a19d5b1645cce1cb1252833d70b23635b632 ]
+
+s3fwrn82_uart_read() reports the number of accepted bytes to the serdev
+core. The current code consumes bytes into recv_skb and may already
+deliver a complete frame before allocating a fresh receive buffer.
+
+If that alloc_skb() fails, the callback returns 0 even though it has
+already consumed bytes, and it leaves recv_skb as NULL for the next
+receive callback. That breaks the receive_buf() accounting contract and
+can also lead to a NULL dereference on the next skb_put_u8().
+
+Allocate the receive skb lazily before consuming the next byte instead.
+If allocation fails, return the number of bytes already accepted.
+
+Fixes: 3f52c2cb7e3a ("nfc: s3fwrn5: Support a UART interface")
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Link: https://patch.msgid.link/20260402042148.65236-1-pengpeng@iscas.ac.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/s3fwrn5/uart.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nfc/s3fwrn5/uart.c b/drivers/nfc/s3fwrn5/uart.c
+index 9c09c10c2a464..4ee481bd7e965 100644
+--- a/drivers/nfc/s3fwrn5/uart.c
++++ b/drivers/nfc/s3fwrn5/uart.c
+@@ -58,6 +58,12 @@ static size_t s3fwrn82_uart_read(struct serdev_device *serdev,
+ size_t i;
+
+ for (i = 0; i < count; i++) {
++ if (!phy->recv_skb) {
++ phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL);
++ if (!phy->recv_skb)
++ return i;
++ }
++
+ skb_put_u8(phy->recv_skb, *data++);
+
+ if (phy->recv_skb->len < S3FWRN82_NCI_HEADER)
+@@ -69,9 +75,7 @@ static size_t s3fwrn82_uart_read(struct serdev_device *serdev,
+
+ s3fwrn5_recv_frame(phy->common.ndev, phy->recv_skb,
+ phy->common.mode);
+- phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL);
+- if (!phy->recv_skb)
+- return 0;
++ phy->recv_skb = NULL;
+ }
+
+ return i;
+--
+2.53.0
+
--- /dev/null
+From 95f2e0541c75caffda049e9338b0a725c59fd4c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 14:07:42 -0700
+Subject: PCI: hv: Set default NUMA node to 0 for devices without affinity info
+
+From: Long Li <longli@microsoft.com>
+
+[ Upstream commit 7b3b1e5a87b2f5e35c52b5386d7c327be869454f ]
+
+When hv_pci_assign_numa_node() processes a device that does not have
+HV_PCI_DEVICE_FLAG_NUMA_AFFINITY set or has an out-of-range
+virtual_numa_node, the device NUMA node is left unset. On x86_64,
+the uninitialized default happens to be 0, but on ARM64 it is
+NUMA_NO_NODE (-1).
+
+Tests show that when no NUMA information is available from the Hyper-V
+host, devices perform best when assigned to node 0. With NUMA_NO_NODE
+the kernel may spread work across NUMA nodes, which degrades
+performance on Hyper-V, particularly for high-throughput devices like
+MANA.
+
+Always set the device NUMA node to 0 before the conditional NUMA
+affinity check, so that devices get a performant default when the host
+provides no NUMA information, and behavior is consistent on both
+x86_64 and ARM64.
+
+Fixes: 999dd956d838 ("PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2")
+Signed-off-by: Long Li <longli@microsoft.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-hyperv.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
+index 146b43981b278..28b1572974879 100644
+--- a/drivers/pci/controller/pci-hyperv.c
++++ b/drivers/pci/controller/pci-hyperv.c
+@@ -2486,6 +2486,14 @@ static void hv_pci_assign_numa_node(struct hv_pcibus_device *hbus)
+ if (!hv_dev)
+ continue;
+
++ /*
++ * If the Hyper-V host doesn't provide a NUMA node for the
++ * device, default to node 0. With NUMA_NO_NODE the kernel
++ * may spread work across NUMA nodes, which degrades
++ * performance on Hyper-V.
++ */
++ set_dev_node(&dev->dev, 0);
++
+ if (hv_dev->desc.flags & HV_PCI_DEVICE_FLAG_NUMA_AFFINITY &&
+ hv_dev->desc.virtual_numa_node < num_possible_nodes())
+ /*
+--
+2.53.0
+
--- /dev/null
+From 17d7c44d20eac7289b7422b01e3d3bc5cc928dce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 10:40:48 -0700
+Subject: perf/x86/intel/uncore: Skip discovery table for offline dies
+
+From: Zide Chen <zide.chen@intel.com>
+
+[ Upstream commit 7b568e9eba2fad89a696f22f0413d44cf4a1f892 ]
+
+This warning can be triggered if NUMA is disabled and the system
+boots with fewer CPUs than the number of CPUs in die 0.
+
+WARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore]
+
+Currently, the discovery table continues to be parsed even if all CPUs
+in the associated die are offline. This can lead to an array overflow
+at "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which may
+trigger the warning above or cause other issues.
+
+Fixes: edae1f06c2cd ("perf/x86/intel/uncore: Parse uncore discovery tables")
+Reported-by: Steve Wahl <steve.wahl@hpe.com>
+Signed-off-by: Zide Chen <zide.chen@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Tested-by: Steve Wahl <steve.wahl@hpe.com>
+Link: https://patch.msgid.link/20260313174050.171704-3-zide.chen@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore_discovery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/events/intel/uncore_discovery.c b/arch/x86/events/intel/uncore_discovery.c
+index 7d57ce706feb1..c5adbe4409047 100644
+--- a/arch/x86/events/intel/uncore_discovery.c
++++ b/arch/x86/events/intel/uncore_discovery.c
+@@ -383,7 +383,7 @@ static bool intel_uncore_has_discovery_tables_pci(int *ignore)
+ (val & UNCORE_DISCOVERY_DVSEC2_BIR_MASK) * UNCORE_DISCOVERY_BIR_STEP;
+
+ die = get_device_die_id(dev);
+- if (die < 0)
++ if ((die < 0) || (die >= uncore_max_dies()))
+ continue;
+
+ parse_discovery_table(dev, die, bar_offset, &parsed, ignore);
+--
+2.53.0
+
--- /dev/null
+From c35554032152e5804df8cb615f38c7ef29a61f8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 18:14:04 +0100
+Subject: pinctrl: intel: Fix the revision for new features (1kOhm PD, HW
+ debouncer)
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit a4337a24d13e9e3b98a113e71d6b80dc5ed5f8c4 ]
+
+The 1kOhm pull down and hardware debouncer are features of the revision 0.92
+of the Chassis specification. Fix that in the code accordingly.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/intel/pinctrl-intel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c
+index d68cef4ec52ac..103eccc742a53 100644
+--- a/drivers/pinctrl/intel/pinctrl-intel.c
++++ b/drivers/pinctrl/intel/pinctrl-intel.c
+@@ -1606,7 +1606,7 @@ int intel_pinctrl_probe(struct platform_device *pdev,
+ value = readl(regs + REVID);
+ if (value == ~0u)
+ return -ENODEV;
+- if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x94) {
++ if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x92) {
+ community->features |= PINCTRL_FEATURE_DEBOUNCE;
+ community->features |= PINCTRL_FEATURE_1K_PD;
+ }
+--
+2.53.0
+
--- /dev/null
+From d00709c687b6e4f93eac438706f670c82d138155 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Mar 2026 16:16:41 -0500
+Subject: platform/x86/amd: pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 1a9452c428a6b76f0b797bae21daa454fccef1a2 ]
+
+This platform is a similar vintage of platforms that had a BIOS bug
+leading to a 10s delay at resume from s0i3.
+
+Add a quirk for it.
+
+Reported-by: Imrane <ihalim.me@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221273
+Tested-by: Imrane <ihalim.me@gmail.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://patch.msgid.link/20260324211647.357924-1-mario.limonciello@amd.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/amd/pmc/pmc-quirks.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/amd/pmc/pmc-quirks.c b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+index ed285afaf9b0d..24506e3429430 100644
+--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c
++++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+@@ -203,6 +203,15 @@ static const struct dmi_system_id fwbug_list[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "82XQ"),
+ }
+ },
++ /* https://bugzilla.kernel.org/show_bug.cgi?id=221273 */
++ {
++ .ident = "Thinkpad L14 Gen3",
++ .driver_data = &quirk_s2idle_bug,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "21C6"),
++ }
++ },
+ /* https://gitlab.freedesktop.org/drm/amd/-/issues/4434 */
+ {
+ .ident = "Lenovo Yoga 6 13ALC6",
+--
+2.53.0
+
--- /dev/null
+From 8d23dc93864c6547452562138504aa6c51d480ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 14:22:46 -0700
+Subject: platform/x86: asus-nb-wmi: add DMI quirk for ASUS ROG Flow Z13-KJP
+ GZ302EAC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Schwartz <matthew.schwartz@linux.dev>
+
+[ Upstream commit 0198d2743207d67f995cd6df89e267e1b9f5e1f1 ]
+
+The ASUS ROG Flow Z13-KJP GZ302EAC model uses sys_vendor name ASUS
+rather than ASUSTeK COMPUTER INC., but it needs the same folio quirk as
+the other ROG Flow Z13. To keep things simple, just match on sys_vendor
+ASUS since it covers both.
+
+Signed-off-by: Matthew Schwartz <matthew.schwartz@linux.dev>
+Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
+Reviewed-by: Denis Benato <denis.benato@linux.dev>
+Link: https://patch.msgid.link/20260312212246.1608080-1-matthew.schwartz@linux.dev
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/asus-nb-wmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c
+index 6a62bc5b02fda..8dad7bdb8f612 100644
+--- a/drivers/platform/x86/asus-nb-wmi.c
++++ b/drivers/platform/x86/asus-nb-wmi.c
+@@ -548,7 +548,7 @@ static const struct dmi_system_id asus_quirks[] = {
+ .callback = dmi_matched,
+ .ident = "ASUS ROG Z13",
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_SYS_VENDOR, "ASUS"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "ROG Flow Z13"),
+ },
+ .driver_data = &quirk_asus_z13,
+--
+2.53.0
+
--- /dev/null
+From 8f4fe7a4756e4c3d4d2babb8b93008570fbb0ede Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Feb 2026 21:11:06 +0530
+Subject: platform/x86: hp-wmi: Add support for Omen 16-wf1xxx (8C76)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krishna Chomal <krishna.chomal108@gmail.com>
+
+[ Upstream commit 84d29bfd1929d08f092851162a3d055a2134d043 ]
+
+The HP Omen 16-wf1xxx (board ID: 8C76) has the same WMI interface as
+other Victus S boards, but requires quirks for correctly switching
+thermal profile (similar to board 8C78).
+
+Add the DMI board name to victus_s_thermal_profile_boards[] table and
+map it to omen_v1_thermal_params.
+
+Testing on board 8C76 confirmed that platform profile is registered
+successfully and fan RPMs are readable and controllable.
+
+Tested-by: WJ Enderlava <jie7172585@gmail.com>
+Reported-by: WJ Enderlava <jie7172585@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221149
+Signed-off-by: Krishna Chomal <krishna.chomal108@gmail.com>
+Link: https://patch.msgid.link/20260227154106.226809-1-krishna.chomal108@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/hp/hp-wmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/platform/x86/hp/hp-wmi.c b/drivers/platform/x86/hp/hp-wmi.c
+index 008f3364230e2..31d099bd8db43 100644
+--- a/drivers/platform/x86/hp/hp-wmi.c
++++ b/drivers/platform/x86/hp/hp-wmi.c
+@@ -174,6 +174,10 @@ static const struct dmi_system_id victus_s_thermal_profile_boards[] __initconst
+ .matches = { DMI_MATCH(DMI_BOARD_NAME, "8BD5") },
+ .driver_data = (void *)&victus_s_thermal_params,
+ },
++ {
++ .matches = { DMI_MATCH(DMI_BOARD_NAME, "8C76") },
++ .driver_data = (void *)&omen_v1_thermal_params,
++ },
+ {
+ .matches = { DMI_MATCH(DMI_BOARD_NAME, "8C78") },
+ .driver_data = (void *)&omen_v1_thermal_params,
+--
+2.53.0
+
--- /dev/null
+From 3f9e8864286a212749ed08b2b4a8dfcc77037024 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Feb 2026 15:27:43 +0000
+Subject: RDMA/irdma: Fix double free related to rereg_user_mr
+
+From: Jacob Moroni <jmoroni@google.com>
+
+[ Upstream commit 29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2 ]
+
+If IB_MR_REREG_TRANS is set during rereg_user_mr, the
+umem will be released and a new one will be allocated
+in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans
+fails after the new umem is allocated, it releases the umem,
+but does not set iwmr->region to NULL. The problem is that
+this failure is propagated to the user, who will then call
+ibv_dereg_mr (as they should). Then, the dereg_mr path will
+see a non-NULL umem and attempt to call ib_umem_release again.
+
+Fix this by setting iwmr->region to NULL after ib_umem_release.
+
+Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region")
+Signed-off-by: Jacob Moroni <jmoroni@google.com>
+Link: https://patch.msgid.link/20260227152743.1183388-1-jmoroni@google.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/verbs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
+index c77d6d0eafdec..c399aa07bcae8 100644
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -3714,6 +3714,7 @@ static int irdma_rereg_mr_trans(struct irdma_mr *iwmr, u64 start, u64 len,
+
+ err:
+ ib_umem_release(region);
++ iwmr->region = NULL;
+ return err;
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 19d8e730b72249916165ed111d4f1adaf99ada45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 20:14:32 +0200
+Subject: rtnetlink: add missing netlink_ns_capable() check for peer netns
+
+From: Nikolaos Gkarlis <nickgarlis@gmail.com>
+
+[ Upstream commit 7b735ef81286007794a227ce2539419479c02a5f ]
+
+rtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer
+network namespace when creating paired devices (veth, vxcan,
+netkit). This allows an unprivileged user with a user namespace
+to create interfaces in arbitrary network namespaces, including
+init_net.
+
+Add a netlink_ns_capable() check for CAP_NET_ADMIN in the peer
+namespace before allowing device creation to proceed.
+
+Fixes: 81adee47dfb6 ("net: Support specifying the network namespace upon device creation.")
+Signed-off-by: Nikolaos Gkarlis <nickgarlis@gmail.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260402181432.4126920-1-nickgarlis@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 40 +++++++++++++++++++++++++++-------------
+ 1 file changed, 27 insertions(+), 13 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index f3b22d5526fe6..f4ed60bd9a256 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -3887,28 +3887,42 @@ static int rtnl_newlink_create(struct sk_buff *skb, struct ifinfomsg *ifm,
+ goto out;
+ }
+
+-static struct net *rtnl_get_peer_net(const struct rtnl_link_ops *ops,
++static struct net *rtnl_get_peer_net(struct sk_buff *skb,
++ const struct rtnl_link_ops *ops,
+ struct nlattr *tbp[],
+ struct nlattr *data[],
+ struct netlink_ext_ack *extack)
+ {
+- struct nlattr *tb[IFLA_MAX + 1];
++ struct nlattr *tb[IFLA_MAX + 1], **attrs;
++ struct net *net;
+ int err;
+
+- if (!data || !data[ops->peer_type])
+- return rtnl_link_get_net_ifla(tbp);
+-
+- err = rtnl_nla_parse_ifinfomsg(tb, data[ops->peer_type], extack);
+- if (err < 0)
+- return ERR_PTR(err);
+-
+- if (ops->validate) {
+- err = ops->validate(tb, NULL, extack);
++ if (!data || !data[ops->peer_type]) {
++ attrs = tbp;
++ } else {
++ err = rtnl_nla_parse_ifinfomsg(tb, data[ops->peer_type], extack);
+ if (err < 0)
+ return ERR_PTR(err);
++
++ if (ops->validate) {
++ err = ops->validate(tb, NULL, extack);
++ if (err < 0)
++ return ERR_PTR(err);
++ }
++
++ attrs = tb;
+ }
+
+- return rtnl_link_get_net_ifla(tb);
++ net = rtnl_link_get_net_ifla(attrs);
++ if (IS_ERR_OR_NULL(net))
++ return net;
++
++ if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN)) {
++ put_net(net);
++ return ERR_PTR(-EPERM);
++ }
++
++ return net;
+ }
+
+ static int __rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+@@ -4047,7 +4061,7 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+ }
+
+ if (ops->peer_type) {
+- peer_net = rtnl_get_peer_net(ops, tb, data, extack);
++ peer_net = rtnl_get_peer_net(skb, ops, tb, data, extack);
+ if (IS_ERR(peer_net)) {
+ ret = PTR_ERR(peer_net);
+ goto put_ops;
+--
+2.53.0
+
--- /dev/null
+From a3495685a4bfd42cf22dd171139b4ee78afe0f0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2026 12:22:44 +0200
+Subject: sched/deadline: Use revised wakeup rule for dl_server
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 14a857056466be9d3d907a94e92a704ac1be149b ]
+
+John noted that commit 115135422562 ("sched/deadline: Fix 'stuck' dl_server")
+unfixed the issue from commit a3a70caf7906 ("sched/deadline: Fix dl_server
+behaviour").
+
+The issue in commit 115135422562 was for wakeups of the server after the
+deadline; in which case you *have* to start a new period. The case for
+a3a70caf7906 is wakeups before the deadline.
+
+Now, because the server is effectively running a least-laxity policy, it means
+that any wakeup during the runnable phase means dl_entity_overflow() will be
+true. This means we need to adjust the runtime to allow it to still run until
+the existing deadline expires.
+
+Use the revised wakeup rule for dl_defer entities.
+
+Fixes: 115135422562 ("sched/deadline: Fix 'stuck' dl_server")
+Reported-by: John Stultz <jstultz@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Juri Lelli <juri.lelli@redhat.com>
+Tested-by: John Stultz <jstultz@google.com>
+Link: https://patch.msgid.link/20260404102244.GB22575@noisy.programming.kicks-ass.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/deadline.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index 72499cf2a1db5..d5052f238adf7 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -1036,7 +1036,7 @@ static void update_dl_entity(struct sched_dl_entity *dl_se)
+ if (dl_time_before(dl_se->deadline, rq_clock(rq)) ||
+ dl_entity_overflow(dl_se, rq_clock(rq))) {
+
+- if (unlikely(!dl_is_implicit(dl_se) &&
++ if (unlikely((!dl_is_implicit(dl_se) || dl_se->dl_defer) &&
+ !dl_time_before(dl_se->deadline, rq_clock(rq)) &&
+ !is_dl_boosted(dl_se))) {
+ update_dl_revised_wakeup(dl_se, rq);
+--
+2.53.0
+
--- /dev/null
+From 74d2ba9a4ddf6822c8c39ffdb1dceadb3104e8c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2026 22:29:19 +0100
+Subject: selftests: net: bridge_vlan_mcast: wait for h1 before querier check
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit efaa71faf212324ecbf6d5339e9717fe53254f58 ]
+
+The querier-interval test adds h1 (currently a slave of the VRF created
+by simple_if_init) to a temporary bridge br1 acting as an outside IGMP
+querier. The kernel VRF driver (drivers/net/vrf.c) calls cycle_netdev()
+on every slave add and remove, toggling the interface admin-down then up.
+Phylink takes the PHY down during the admin-down half of that cycle.
+Since h1 and swp1 are cable-connected, swp1 also loses its link may need
+several seconds to re-negotiate.
+
+Use setup_wait_dev $h1 0 which waits for h1 to return to UP state, so the
+test can rely on the link being back up at this point.
+
+Fixes: 4d8610ee8bd77 ("selftests: net: bridge: add vlan mcast_querier_interval tests")
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Reviewed-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Link: https://patch.msgid.link/c830f130860fd2efae08bfb9e5b25fd028e58ce5.1775424423.git.daniel@makrotopia.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
+index 72dfbeaf56b92..e8031f68200ad 100755
+--- a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
++++ b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
+@@ -414,6 +414,7 @@ vlmc_querier_intvl_test()
+ bridge vlan add vid 10 dev br1 self pvid untagged
+ ip link set dev $h1 master br1
+ ip link set dev br1 up
++ setup_wait_dev $h1 0
+ bridge vlan add vid 10 dev $h1 master
+ bridge vlan global set vid 10 dev br1 mcast_snooping 1 mcast_querier 1
+ sleep 2
+--
+2.53.0
+
--- /dev/null
+dmaengine-idxd-fix-lockdep-warnings-when-calling-idx.patch
+rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch
+asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch
+alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch
+alsa-hda-realtek-add-quirk-for-lenovo-yoga-7-2-in-1-.patch
+alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch
+media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch
+alsa-asihpi-avoid-write-overflow-check-warning.patch
+bluetooth-hci_sync-annotate-data-races-around-hdev-r.patch
+asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch
+asoc-sof-topology-reject-invalid-vendor-array-size-i.patch
+can-mcp251x-add-error-handling-for-power-enable-in-o.patch
+asoc-amd-acp-add-asus-hn7306ea-quirk-for-legacy-sdw-.patch
+alsa-usb-qcom-add-auxiliary_bus-to-kconfig-dependenc.patch
+platform-x86-asus-nb-wmi-add-dmi-quirk-for-asus-rog-.patch
+btrfs-fix-zero-size-inode-with-non-zero-size-after-l.patch
+platform-x86-hp-wmi-add-support-for-omen-16-wf1xxx-8.patch
+btrfs-tracepoints-get-correct-superblock-from-dentry.patch
+alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch
+netfilter-ctnetlink-ensure-safe-access-to-master-con.patch
+drm-amdgpu-handle-gpu-page-faults-correctly-on-non-4.patch
+srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch
+alsa-hda-realtek-add-hp-laptop-15-fd0xxx-mute-led-qu.patch
+netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch
+alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch
+wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch
+asoc-soc-core-call-missing-init_list_head-for-card_a.patch
+alsa-hda-realtek-add-quirk-for-samsung-book2-pro-360.patch
+alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch
+alsa-hda-realtek-add-quirk-for-lenovo-yoga-slim-7-14.patch
+drm-amdkfd-fix-queue-preemption-eviction-failures-by.patch
+fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch
+asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch
+alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch
+pinctrl-intel-fix-the-revision-for-new-features-1koh.patch
+platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch
+hid-intel-thc-hid-intel-quickspi-add-nvl-device-ids.patch
+hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch
+alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch-29200
+hid-roccat-fix-use-after-free-in-roccat_report_event.patch
+ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch
+wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch
+net-sfp-add-quirks-for-hisense-and-hsgq-gpon-ont-sfp.patch
+x86-shadow-stacks-proper-error-handling-for-mmap-loc.patch
+asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch
+soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch
+arm64-dts-qcom-hamoa-x1-fix-idle-exit-latency.patch
+arm64-dts-qcom-qcm6490-idp-fix-wcd9370-reset-gpio-po.patch
+arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch
+arm64-dts-imx93-9x9-qsb-change-usdhc-tuning-step-for.patch
+arm64-dts-imx91-tqma9131-improve-emmc-pad-configurat.patch
+arm64-dts-imx93-tqma9352-improve-emmc-pad-configurat.patch
+arm64-dts-qcom-monaco-fix-uart10-pinconf.patch
+soc-qcom-pd-mapper-fix-element-length-in-servreg_loc.patch
+tools-power-turbostat-fix-microcode-patch-level-outp.patch
+tools-power-turbostat-fix-show-hide-for-individual-c.patch
+arm64-dts-qcom-monaco-reserve-full-gunyah-metadata-r.patch
+arm-dts-microchip-sam9x7-fix-gpio-lines-count-for-pi.patch
+pci-hv-set-default-numa-node-to-0-for-devices-withou.patch
+hid-amd_sfh-don-t-log-error-when-device-discovery-fa.patch
+xfrm-account-xfrma_if_id-in-aevent-size-calculation.patch
+dma-mapping-add-dma_attr_cpu_cache_clean.patch
+dma-debug-track-cache-clean-flag-in-entries.patch
+dma-debug-suppress-cacheline-overlap-warning-when-ar.patch
+drm-vc4-release-runtime-pm-reference-after-binding-v.patch
+drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch
+drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch
+drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch
+eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch
+net-sched-act_csum-validate-nested-vlan-headers.patch
+net-lapbether-handle-netdev_pre_type_change.patch
+net-airoha-fix-memory-leak-in-airoha_qdma_rx_process.patch
+ipv6-ioam-fix-potential-null-dereferences-in-__ioam6.patch
+bridge-guard-local-vlan-0-fdb-helpers-against-null-v.patch
+rtnetlink-add-missing-netlink_ns_capable-check-for-p.patch
+ipv4-nexthop-avoid-duplicate-nha_hw_stats_enable-on-.patch
+ipv4-nexthop-allocate-skb-dynamically-in-rtm_get_nex.patch
+ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch
+net-increase-ip_tunnel_recursion_limit-to-5.patch
+nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch
+net-stmmac-fix-ptp-ref-clock-for-tegra234.patch
+dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch
+tracing-probe-reject-non-closed-empty-immediate-stri.patch
+ice-ptp-don-t-warn-when-controlling-pf-is-unavailabl.patch
+ixgbe-stop-re-reading-flash-on-every-get_drvinfo-for.patch
+ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch
+e1000-check-return-value-of-e1000_read_eeprom.patch
+xsk-tighten-umem-headroom-validation-to-account-for-.patch
+xsk-respect-tailroom-for-zc-setups.patch
+xsk-fix-xdp_umem_sg_flag-issues.patch
+xsk-validate-mtu-against-usable-frame-size-on-bind.patch
+xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch
+xfrm-fix-refcount-leak-in-xfrm_migrate_policy_find.patch
+xfrm_user-fix-info-leak-in-build_mapping.patch
+asoc-intel-avs-fix-memory-leak-in-avs_register_i2s_t.patch
+drm-xe-fix-bug-in-idledly-unit-conversion.patch
+selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch
+ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch
+netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch
+netfilter-xt_multiport-validate-range-encoding-in-ch.patch
+netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch
+netfilter-nfnetlink_queue-nfqnl_instance-gfp_atomic-.patch
+netfilter-nfnetlink_queue-make-hash-table-per-queue.patch
+asoc-sdca-fix-overwritten-var-within-for-loop.patch
+asoc-amd-acp-update-dmi-quirk-and-add-acp-dmic-for-l.patch
+net-mdio-realtek-rtl9300-use-scoped-device_for_each_.patch
+net-ioam6-fix-oob-and-missing-lock.patch
+net-txgbe-leave-space-for-null-terminators-on-proper.patch
+af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch
+devlink-fix-incorrect-skb-socket-family-dumping.patch
+net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch
+net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch
+l2tp-drop-large-packets-with-udp-encap.patch
+gpio-tegra-fix-irq_release_resources-calling-enable-.patch
+crypto-af_alg-limit-rx-sg-extraction-by-receive-buff.patch
+perf-x86-intel-uncore-skip-discovery-table-for-offli.patch
+sched-deadline-use-revised-wakeup-rule-for-dl_server.patch
+clockevents-prevent-timer-interrupt-starvation.patch
+crypto-af_alg-fix-page-reassignment-overflow-in-af_a.patch
+crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch
--- /dev/null
+From f391bba7f30f8d2341617f24b18dcf8e6c45a560 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jan 2026 16:37:56 +0800
+Subject: soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching
+
+From: Potin Lai <potin.lai.pt@gmail.com>
+
+[ Upstream commit 7ec1bd3d9be671d04325b9e06149b8813f6a4836 ]
+
+The siliconid_to_name() function currently masks the input silicon ID
+with 0xff00ffff, but compares it against unmasked table entries. This
+causes matching to fail if the table entries contain non-zero values in
+the bits covered by the mask (bits 16-23).
+
+Update the logic to apply the 0xff00ffff mask to the table entries
+during comparison. This ensures that only the relevant model and
+revision bits are considered, providing a consistent match across
+different manufacturing batches.
+
+[arj: Add Fixes: tag, fix 'soninfo' typo, clarify function reference]
+
+Fixes: e0218dca5787 ("soc: aspeed: Add soc info driver")
+Signed-off-by: Potin Lai <potin.lai.pt@gmail.com>
+Link: https://patch.msgid.link/20260122-soc_aspeed_name_fix-v1-1-33a847f2581c@gmail.com
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/aspeed/aspeed-socinfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspeed-socinfo.c
+index 67e9ac3d08ecc..a90b100f4d101 100644
+--- a/drivers/soc/aspeed/aspeed-socinfo.c
++++ b/drivers/soc/aspeed/aspeed-socinfo.c
+@@ -39,7 +39,7 @@ static const char *siliconid_to_name(u32 siliconid)
+ unsigned int i;
+
+ for (i = 0 ; i < ARRAY_SIZE(rev_table) ; ++i) {
+- if (rev_table[i].id == id)
++ if ((rev_table[i].id & 0xff00ffff) == id)
+ return rev_table[i].name;
+ }
+
+--
+2.53.0
+
--- /dev/null
+From f64e0344f7efb2d328238bebf3acbf8f9547394b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jan 2026 20:53:20 +0530
+Subject: soc: qcom: pd-mapper: Fix element length in servreg_loc_pfr_req_ei
+
+From: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+
+[ Upstream commit 641f6fda143b879da1515f821ee475073678cf2a ]
+
+It looks element length declared in servreg_loc_pfr_req_ei for reason
+not matching servreg_loc_pfr_req's reason field due which we could
+observe decoding error on PD crash.
+
+ qmi_decode_string_elem: String len 81 >= Max Len 65
+
+Fix this by matching with servreg_loc_pfr_req's reason field.
+
+Fixes: 1ebcde047c54 ("soc: qcom: add pd-mapper implementation")
+Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Tested-by: Nikita Travkin <nikita@trvn.ru>
+Link: https://lore.kernel.org/r/20260129152320.3658053-2-mukesh.ojha@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/pdr_internal.h | 2 +-
+ drivers/soc/qcom/qcom_pdr_msg.c | 2 +-
+ include/linux/soc/qcom/pdr.h | 1 +
+ 3 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/qcom/pdr_internal.h b/drivers/soc/qcom/pdr_internal.h
+index 039508c1bbf7d..047c0160b6178 100644
+--- a/drivers/soc/qcom/pdr_internal.h
++++ b/drivers/soc/qcom/pdr_internal.h
+@@ -84,7 +84,7 @@ struct servreg_set_ack_resp {
+
+ struct servreg_loc_pfr_req {
+ char service[SERVREG_NAME_LENGTH + 1];
+- char reason[257];
++ char reason[SERVREG_PFR_LENGTH + 1];
+ };
+
+ struct servreg_loc_pfr_resp {
+diff --git a/drivers/soc/qcom/qcom_pdr_msg.c b/drivers/soc/qcom/qcom_pdr_msg.c
+index ca98932140d87..02022b11ecf05 100644
+--- a/drivers/soc/qcom/qcom_pdr_msg.c
++++ b/drivers/soc/qcom/qcom_pdr_msg.c
+@@ -325,7 +325,7 @@ const struct qmi_elem_info servreg_loc_pfr_req_ei[] = {
+ },
+ {
+ .data_type = QMI_STRING,
+- .elem_len = SERVREG_NAME_LENGTH + 1,
++ .elem_len = SERVREG_PFR_LENGTH + 1,
+ .elem_size = sizeof(char),
+ .array_type = VAR_LEN_ARRAY,
+ .tlv_type = 0x02,
+diff --git a/include/linux/soc/qcom/pdr.h b/include/linux/soc/qcom/pdr.h
+index 83a8ea612e69a..2b7691e47c2a9 100644
+--- a/include/linux/soc/qcom/pdr.h
++++ b/include/linux/soc/qcom/pdr.h
+@@ -5,6 +5,7 @@
+ #include <linux/soc/qcom/qmi.h>
+
+ #define SERVREG_NAME_LENGTH 64
++#define SERVREG_PFR_LENGTH 256
+
+ struct pdr_service;
+ struct pdr_handle;
+--
+2.53.0
+
--- /dev/null
+From f68f47e5fae690168594593de043d7b16c8b235c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 20:14:18 -0400
+Subject: srcu: Use irq_work to start GP in tiny SRCU
+
+From: Joel Fernandes <joelagnelf@nvidia.com>
+
+[ Upstream commit a6fc88b22bc8d12ad52e8412c667ec0f5bf055af ]
+
+Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(),
+which acquires the workqueue pool->lock.
+
+This causes a lockdep splat when call_srcu() is called with a scheduler
+lock held, due to:
+
+ call_srcu() [holding pi_lock]
+ srcu_gp_start_if_needed()
+ schedule_work() -> pool->lock
+
+ workqueue_init() / create_worker() [holding pool->lock]
+ wake_up_process() -> try_to_wake_up() -> pi_lock
+
+Also add irq_work_sync() to cleanup_srcu_struct() to prevent a
+use-after-free if a queued irq_work fires after cleanup begins.
+
+Tested with rcutorture SRCU-T and no lockdep warnings.
+
+[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work
+to start process_srcu()" ]
+
+Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
+Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Boqun Feng <boqun@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/srcutiny.h | 4 ++++
+ kernel/rcu/srcutiny.c | 19 ++++++++++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/srcutiny.h b/include/linux/srcutiny.h
+index 51ce25f07930e..1f9a226e6fd81 100644
+--- a/include/linux/srcutiny.h
++++ b/include/linux/srcutiny.h
+@@ -11,6 +11,7 @@
+ #ifndef _LINUX_SRCU_TINY_H
+ #define _LINUX_SRCU_TINY_H
+
++#include <linux/irq_work_types.h>
+ #include <linux/swait.h>
+
+ struct srcu_struct {
+@@ -24,18 +25,21 @@ struct srcu_struct {
+ struct rcu_head *srcu_cb_head; /* Pending callbacks: Head. */
+ struct rcu_head **srcu_cb_tail; /* Pending callbacks: Tail. */
+ struct work_struct srcu_work; /* For driving grace periods. */
++ struct irq_work srcu_irq_work; /* Defer schedule_work() to irq work. */
+ #ifdef CONFIG_DEBUG_LOCK_ALLOC
+ struct lockdep_map dep_map;
+ #endif /* #ifdef CONFIG_DEBUG_LOCK_ALLOC */
+ };
+
+ void srcu_drive_gp(struct work_struct *wp);
++void srcu_tiny_irq_work(struct irq_work *irq_work);
+
+ #define __SRCU_STRUCT_INIT(name, __ignored, ___ignored) \
+ { \
+ .srcu_wq = __SWAIT_QUEUE_HEAD_INITIALIZER(name.srcu_wq), \
+ .srcu_cb_tail = &name.srcu_cb_head, \
+ .srcu_work = __WORK_INITIALIZER(name.srcu_work, srcu_drive_gp), \
++ .srcu_irq_work = { .func = srcu_tiny_irq_work }, \
+ __SRCU_DEP_MAP_INIT(name) \
+ }
+
+diff --git a/kernel/rcu/srcutiny.c b/kernel/rcu/srcutiny.c
+index e3b64a5e0ec7e..d9c11d5f0ea45 100644
+--- a/kernel/rcu/srcutiny.c
++++ b/kernel/rcu/srcutiny.c
+@@ -9,6 +9,7 @@
+ */
+
+ #include <linux/export.h>
++#include <linux/irq_work.h>
+ #include <linux/mutex.h>
+ #include <linux/preempt.h>
+ #include <linux/rcupdate_wait.h>
+@@ -41,6 +42,7 @@ static int init_srcu_struct_fields(struct srcu_struct *ssp)
+ ssp->srcu_idx_max = 0;
+ INIT_WORK(&ssp->srcu_work, srcu_drive_gp);
+ INIT_LIST_HEAD(&ssp->srcu_work.entry);
++ init_irq_work(&ssp->srcu_irq_work, srcu_tiny_irq_work);
+ return 0;
+ }
+
+@@ -84,6 +86,7 @@ EXPORT_SYMBOL_GPL(init_srcu_struct);
+ void cleanup_srcu_struct(struct srcu_struct *ssp)
+ {
+ WARN_ON(ssp->srcu_lock_nesting[0] || ssp->srcu_lock_nesting[1]);
++ irq_work_sync(&ssp->srcu_irq_work);
+ flush_work(&ssp->srcu_work);
+ WARN_ON(ssp->srcu_gp_running);
+ WARN_ON(ssp->srcu_gp_waiting);
+@@ -172,6 +175,20 @@ void srcu_drive_gp(struct work_struct *wp)
+ }
+ EXPORT_SYMBOL_GPL(srcu_drive_gp);
+
++/*
++ * Use an irq_work to defer schedule_work() to avoid acquiring the workqueue
++ * pool->lock while the caller might hold scheduler locks, causing lockdep
++ * splats due to workqueue_init() doing a wakeup.
++ */
++void srcu_tiny_irq_work(struct irq_work *irq_work)
++{
++ struct srcu_struct *ssp;
++
++ ssp = container_of(irq_work, struct srcu_struct, srcu_irq_work);
++ schedule_work(&ssp->srcu_work);
++}
++EXPORT_SYMBOL_GPL(srcu_tiny_irq_work);
++
+ static void srcu_gp_start_if_needed(struct srcu_struct *ssp)
+ {
+ unsigned long cookie;
+@@ -184,7 +201,7 @@ static void srcu_gp_start_if_needed(struct srcu_struct *ssp)
+ WRITE_ONCE(ssp->srcu_idx_max, cookie);
+ if (!READ_ONCE(ssp->srcu_gp_running)) {
+ if (likely(srcu_init_done))
+- schedule_work(&ssp->srcu_work);
++ irq_work_queue(&ssp->srcu_irq_work);
+ else if (list_empty(&ssp->srcu_work.entry))
+ list_add(&ssp->srcu_work.entry, &srcu_boot_list);
+ }
+--
+2.53.0
+
--- /dev/null
+From 2f0dca17b48905a034565a7404846ee76904e920 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:16:03 -0500
+Subject: tools/power/turbostat: Fix microcode patch level output for AMD/Hygon
+
+From: Serhii Pievniev <spevnev16@gmail.com>
+
+[ Upstream commit a444083286434ec1fd127c5da11a3091e6013008 ]
+
+turbostat always used the same logic to read the microcode patch level,
+which is correct for Intel but not for AMD/Hygon.
+While Intel stores the patch level in the upper 32 bits of MSR, AMD
+stores it in the lower 32 bits, which causes turbostat to report the
+microcode version as 0x0 on AMD/Hygon.
+
+Fix by shifting right by 32 for non-AMD/Hygon, preserving the existing
+behavior for Intel and unknown vendors.
+
+Fixes: 3e4048466c39 ("tools/power turbostat: Add --no-msr option")
+Signed-off-by: Serhii Pievniev <spevnev16@gmail.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 1b5ca2f4e92ff..67dfd3eaad014 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -8842,10 +8842,13 @@ void process_cpuid()
+ edx_flags = edx;
+
+ if (!no_msr) {
+- if (get_msr(sched_getcpu(), MSR_IA32_UCODE_REV, &ucode_patch))
++ if (get_msr(sched_getcpu(), MSR_IA32_UCODE_REV, &ucode_patch)) {
+ warnx("get_msr(UCODE)");
+- else
++ } else {
+ ucode_patch_valid = true;
++ if (!authentic_amd && !hygon_genuine)
++ ucode_patch >>= 32;
++ }
+ }
+
+ /*
+@@ -8860,7 +8863,7 @@ void process_cpuid()
+ fprintf(outf, "CPUID(1): family:model:stepping 0x%x:%x:%x (%d:%d:%d)",
+ family, model, stepping, family, model, stepping);
+ if (ucode_patch_valid)
+- fprintf(outf, " microcode 0x%x", (unsigned int)((ucode_patch >> 32) & 0xFFFFFFFF));
++ fprintf(outf, " microcode 0x%x", (unsigned int)ucode_patch);
+ fputc('\n', outf);
+
+ fprintf(outf, "CPUID(0x80000000): max_extended_levels: 0x%x\n", max_extended_level);
+--
+2.53.0
+
--- /dev/null
+From 844df2ffb4b4fc5a86791ee47d0d54459bfc3158 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 11:00:33 +0200
+Subject: tools/power turbostat: Fix --show/--hide for individual cpuidle
+ counters
+
+From: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+
+[ Upstream commit b6398bc2ef3a78f1be37ba01ae0a5eedaee47803 ]
+
+Problem: individual swidle counter names (C1, C1+, C1-, etc.) cannot be
+selected via --show/--hide due to two bugs in probe_cpuidle_counts():
+1. The function returns immediately when BIC_cpuidle is not enabled,
+ without checking deferred_add_index.
+2. The deferred name check runs against name_buf before the trailing
+ newline is stripped, so is_deferred_add("C1\n") never matches "C1".
+
+Fix:
+1. Relax the early return to pass through when deferred names are
+ queued.
+2. Strip the trailing newline from name_buf before performing deferred
+ name checks.
+3. Check each suffixed variant (C1+, C1, C1-) individually so that
+ e.g. "--show C1+" enables only the requested metric.
+
+In addition, introduce a helper function to avoid repeating the
+condition (readability cleanup).
+
+Fixes: ec4acd3166d8 ("tools/power turbostat: disable "cpuidle" invocation counters, by default")
+Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 35 ++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 67dfd3eaad014..48677f1846347 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -10890,6 +10890,14 @@ void probe_cpuidle_residency(void)
+ }
+ }
+
++static bool cpuidle_counter_wanted(char *name)
++{
++ if (is_deferred_skip(name))
++ return false;
++
++ return DO_BIC(BIC_cpuidle) || is_deferred_add(name);
++}
++
+ void probe_cpuidle_counts(void)
+ {
+ char path[64];
+@@ -10899,7 +10907,7 @@ void probe_cpuidle_counts(void)
+ int min_state = 1024, max_state = 0;
+ char *sp;
+
+- if (!DO_BIC(BIC_cpuidle))
++ if (!DO_BIC(BIC_cpuidle) && !deferred_add_index)
+ return;
+
+ for (state = 10; state >= 0; --state) {
+@@ -10914,12 +10922,6 @@ void probe_cpuidle_counts(void)
+
+ remove_underbar(name_buf);
+
+- if (!DO_BIC(BIC_cpuidle) && !is_deferred_add(name_buf))
+- continue;
+-
+- if (is_deferred_skip(name_buf))
+- continue;
+-
+ /* truncate "C1-HSW\n" to "C1", or truncate "C1\n" to "C1" */
+ sp = strchr(name_buf, '-');
+ if (!sp)
+@@ -10934,16 +10936,19 @@ void probe_cpuidle_counts(void)
+ * Add 'C1+' for C1, and so on. The 'below' sysfs file always contains 0 for
+ * the last state, so do not add it.
+ */
+-
+ *sp = '+';
+ *(sp + 1) = '\0';
+- sprintf(path, "cpuidle/state%d/below", state);
+- add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0);
++ if (cpuidle_counter_wanted(name_buf)) {
++ sprintf(path, "cpuidle/state%d/below", state);
++ add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0);
++ }
+ }
+
+ *sp = '\0';
+- sprintf(path, "cpuidle/state%d/usage", state);
+- add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0);
++ if (cpuidle_counter_wanted(name_buf)) {
++ sprintf(path, "cpuidle/state%d/usage", state);
++ add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0);
++ }
+
+ /*
+ * The 'above' sysfs file always contains 0 for the shallowest state (smallest
+@@ -10952,8 +10957,10 @@ void probe_cpuidle_counts(void)
+ if (state != min_state) {
+ *sp = '-';
+ *(sp + 1) = '\0';
+- sprintf(path, "cpuidle/state%d/above", state);
+- add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0);
++ if (cpuidle_counter_wanted(name_buf)) {
++ sprintf(path, "cpuidle/state%d/above", state);
++ add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0);
++ }
+ }
+ }
+ }
+--
+2.53.0
+
--- /dev/null
+From 819881db484fdc719eee2574f91f1842794e62bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 00:03:15 +0800
+Subject: tracing/probe: reject non-closed empty immediate strings
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 4346be6577aaa04586167402ae87bbdbe32484a4 ]
+
+parse_probe_arg() accepts quoted immediate strings and passes the body
+after the opening quote to __parse_imm_string(). That helper currently
+computes strlen(str) and immediately dereferences str[len - 1], which
+underflows when the body is empty and not closed with double-quotation.
+
+Reject empty non-closed immediate strings before checking for the closing quote.
+
+Link: https://lore.kernel.org/all/20260401160315.88518-1-pengpeng@iscas.ac.cn/
+
+Fixes: a42e3c4de964 ("tracing/probe: Add immediate string parameter support")
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_probe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
+index 5cbdc423afebc..d7adbf1536c8b 100644
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -1068,7 +1068,7 @@ static int __parse_imm_string(char *str, char **pbuf, int offs)
+ {
+ size_t len = strlen(str);
+
+- if (str[len - 1] != '"') {
++ if (!len || str[len - 1] != '"') {
+ trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE);
+ return -EINVAL;
+ }
+--
+2.53.0
+
--- /dev/null
+From 780bf332be71de220ad68d60fd50c64fd7eb1de5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 15:45:51 +0800
+Subject: wifi: brcmfmac: validate bsscfg indices in IF events
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ]
+
+brcmf_fweh_handle_if_event() validates the firmware-provided interface
+index before it touches drvr->iflist[], but it still uses the raw
+bsscfgidx field as an array index without a matching range check.
+
+Reject IF events whose bsscfg index does not fit in drvr->iflist[]
+before indexing the interface array.
+
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn
+[add missing wifi prefix]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+index c2d98ee6652f3..1d25dc9ebca8b 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+@@ -153,6 +153,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr,
+ bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx);
+ return;
+ }
++ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) {
++ bphy_err(drvr, "invalid bsscfg index: %u\n",
++ ifevent->bsscfgidx);
++ return;
++ }
+
+ ifp = drvr->iflist[ifevent->bsscfgidx];
+
+--
+2.53.0
+
--- /dev/null
+From 35b22fbdb6a981f2841b03c1fee05b4e3de4012d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 16:08:45 +0800
+Subject: wifi: wl1251: validate packet IDs before indexing tx_frames
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 ]
+
+wl1251_tx_packet_cb() uses the firmware completion ID directly to index
+the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the
+completion block, and the callback does not currently verify that it
+fits the array before dereferencing it.
+
+Reject completion IDs that fall outside wl->tx_frames[] and keep the
+existing NULL check in the same guard. This keeps the fix local to the
+trust boundary and avoids touching the rest of the completion flow.
+
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl1251/tx.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c
+index adb4840b04893..c264d83e71d9c 100644
+--- a/drivers/net/wireless/ti/wl1251/tx.c
++++ b/drivers/net/wireless/ti/wl1251/tx.c
+@@ -402,12 +402,14 @@ static void wl1251_tx_packet_cb(struct wl1251 *wl,
+ int hdrlen;
+ u8 *frame;
+
+- skb = wl->tx_frames[result->id];
+- if (skb == NULL) {
+- wl1251_error("SKB for packet %d is NULL", result->id);
++ if (unlikely(result->id >= ARRAY_SIZE(wl->tx_frames) ||
++ wl->tx_frames[result->id] == NULL)) {
++ wl1251_error("invalid packet id %u", result->id);
+ return;
+ }
+
++ skb = wl->tx_frames[result->id];
++
+ info = IEEE80211_SKB_CB(skb);
+
+ if (!(info->flags & IEEE80211_TX_CTL_NO_ACK) &&
+--
+2.53.0
+
--- /dev/null
+From 84722120c966e93bae5f32025a118626e226c65b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2026 13:18:57 -0700
+Subject: x86: shadow stacks: proper error handling for mmap lock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit 52f657e34d7b21b47434d9d8b26fa7f6778b63a0 ]
+
+김영민 reports that shstk_pop_sigframe() doesn't check for errors from
+mmap_read_lock_killable(), which is a silly oversight, and also shows
+that we haven't marked those functions with "__must_check", which would
+have immediately caught it.
+
+So let's fix both issues.
+
+Reported-by: 김영민 <osori@hspace.io>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Dave Hansen <dave.hansen@intel.com>
+Acked-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/shstk.c | 3 ++-
+ include/linux/mmap_lock.h | 6 +++---
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
+index 978232b6d48d7..ff8edea8511b4 100644
+--- a/arch/x86/kernel/shstk.c
++++ b/arch/x86/kernel/shstk.c
+@@ -351,7 +351,8 @@ static int shstk_pop_sigframe(unsigned long *ssp)
+ need_to_check_vma = PAGE_ALIGN(*ssp) == *ssp;
+
+ if (need_to_check_vma)
+- mmap_read_lock_killable(current->mm);
++ if (mmap_read_lock_killable(current->mm))
++ return -EINTR;
+
+ err = get_shstk_data(&token_addr, (unsigned long __user *)*ssp);
+ if (unlikely(err))
+diff --git a/include/linux/mmap_lock.h b/include/linux/mmap_lock.h
+index 2c9fffa58714f..95ee1f224c492 100644
+--- a/include/linux/mmap_lock.h
++++ b/include/linux/mmap_lock.h
+@@ -322,7 +322,7 @@ static inline void mmap_write_lock_nested(struct mm_struct *mm, int subclass)
+ __mmap_lock_trace_acquire_returned(mm, true, true);
+ }
+
+-static inline int mmap_write_lock_killable(struct mm_struct *mm)
++static inline int __must_check mmap_write_lock_killable(struct mm_struct *mm)
+ {
+ int ret;
+
+@@ -369,7 +369,7 @@ static inline void mmap_read_lock(struct mm_struct *mm)
+ __mmap_lock_trace_acquire_returned(mm, false, true);
+ }
+
+-static inline int mmap_read_lock_killable(struct mm_struct *mm)
++static inline int __must_check mmap_read_lock_killable(struct mm_struct *mm)
+ {
+ int ret;
+
+@@ -379,7 +379,7 @@ static inline int mmap_read_lock_killable(struct mm_struct *mm)
+ return ret;
+ }
+
+-static inline bool mmap_read_trylock(struct mm_struct *mm)
++static inline bool __must_check mmap_read_trylock(struct mm_struct *mm)
+ {
+ bool ret;
+
+--
+2.53.0
+
--- /dev/null
+From f9068404e3ff49c73caa9a491f859289b47caf61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Mar 2026 20:36:39 +0800
+Subject: xfrm: account XFRMA_IF_ID in aevent size calculation
+
+From: Keenan Dong <keenanat2000@gmail.com>
+
+[ Upstream commit 7081d46d32312f1a31f0e0e99c6835a394037599 ]
+
+xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then
+build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is
+set.
+
+xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states
+with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0)
+in xfrm_get_ae(), turning a malformed netlink interaction into a kernel
+panic.
+
+Account XFRMA_IF_ID in the size calculation unconditionally and replace
+the BUG_ON with normal error unwinding.
+
+Fixes: 7e6526404ade ("xfrm: Add a new lookup key to match xfrm interfaces.")
+Reported-by: Keenan Dong <keenanat2000@gmail.com>
+Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 306e4f65ce264..1ddcf2a1eff7a 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -2668,7 +2668,8 @@ static inline unsigned int xfrm_aevent_msgsize(struct xfrm_state *x)
+ + nla_total_size(4) /* XFRM_AE_RTHR */
+ + nla_total_size(4) /* XFRM_AE_ETHR */
+ + nla_total_size(sizeof(x->dir)) /* XFRMA_SA_DIR */
+- + nla_total_size(4); /* XFRMA_SA_PCPU */
++ + nla_total_size(4) /* XFRMA_SA_PCPU */
++ + nla_total_size(sizeof(x->if_id)); /* XFRMA_IF_ID */
+ }
+
+ static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c)
+@@ -2780,7 +2781,12 @@ static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
+ c.portid = nlh->nlmsg_pid;
+
+ err = build_aevent(r_skb, x, &c);
+- BUG_ON(err < 0);
++ if (err < 0) {
++ spin_unlock_bh(&x->lock);
++ xfrm_state_put(x);
++ kfree_skb(r_skb);
++ return err;
++ }
+
+ err = nlmsg_unicast(net->xfrm.nlsk, r_skb, NETLINK_CB(skb).portid);
+ spin_unlock_bh(&x->lock);
+--
+2.53.0
+
--- /dev/null
+From 65e5fcb78d57265a2aba49b74eb7e65edd961810 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2026 12:05:20 +0300
+Subject: xfrm: fix refcount leak in xfrm_migrate_policy_find
+
+From: Kotlyarov Mihail <mihailkotlyarow@gmail.com>
+
+[ Upstream commit 83317cce60a032c49480dcdabe146435bd689d03 ]
+
+syzkaller reported a memory leak in xfrm_policy_alloc:
+
+ BUG: memory leak
+ unreferenced object 0xffff888114d79000 (size 1024):
+ comm "syz.1.17", pid 931
+ ...
+ xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432
+
+The root cause is a double call to xfrm_pol_hold_rcu() in
+xfrm_migrate_policy_find(). The lookup function already returns
+a policy with held reference, making the second call redundant.
+
+Remove the redundant xfrm_pol_hold_rcu() call to fix the refcount
+imbalance and prevent the memory leak.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 563d5ca93e88 ("xfrm: switch migrate to xfrm_policy_lookup_bytype")
+Signed-off-by: Kotlyarov Mihail <mihailkotlyarow@gmail.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_policy.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 4526c9078b136..29c94ee0ceb25 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -4528,9 +4528,6 @@ static struct xfrm_policy *xfrm_migrate_policy_find(const struct xfrm_selector *
+ pol = xfrm_policy_lookup_bytype(net, type, &fl, sel->family, dir, if_id);
+ if (IS_ERR_OR_NULL(pol))
+ goto out_unlock;
+-
+- if (!xfrm_pol_hold_rcu(pol))
+- pol = NULL;
+ out_unlock:
+ rcu_read_unlock();
+ return pol;
+--
+2.53.0
+
--- /dev/null
+From 3d73d3a790d62294288c597540de45598950bade Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 13:31:04 +0200
+Subject: xfrm: Wait for RCU readers during policy netns exit
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+[ Upstream commit 069daad4f2ae9c5c108131995529d5f02392c446 ]
+
+xfrm_policy_fini() frees the policy_bydst hash tables after flushing the
+policy work items and deleting all policies, but it does not wait for
+concurrent RCU readers to leave their read-side critical sections first.
+
+The policy_bydst tables are published via rcu_assign_pointer() and are
+looked up through rcu_dereference_check(), so netns teardown must also
+wait for an RCU grace period before freeing the table memory.
+
+Fix this by adding synchronize_rcu() before freeing the policy hash tables.
+
+Fixes: e1e551bc5630 ("xfrm: policy: prepare policy_bydst hash for rcu lookups")
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_policy.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index c32d34c441ee0..4526c9078b136 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -4290,6 +4290,8 @@ static void xfrm_policy_fini(struct net *net)
+ #endif
+ xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false);
+
++ synchronize_rcu();
++
+ WARN_ON(!list_empty(&net->xfrm.policy_all));
+
+ for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
+--
+2.53.0
+
--- /dev/null
+From e1be3e8b05ab4cacbe8529323b34f31c13087d05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 17:33:03 +0200
+Subject: xfrm_user: fix info leak in build_mapping()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit 1beb76b2053b68c491b78370794b8ff63c8f8c02 ]
+
+struct xfrm_usersa_id has a one-byte padding hole after the proto
+field, which ends up never getting set to zero before copying out to
+userspace. Fix that up by zeroing out the whole structure before
+setting individual variables.
+
+Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink")
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Simon Horman <horms@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 1ddcf2a1eff7a..b3f69c0760d4c 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -4164,6 +4164,7 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x,
+
+ um = nlmsg_data(nlh);
+
++ memset(&um->id, 0, sizeof(um->id));
+ memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr));
+ um->id.spi = x->id.spi;
+ um->id.family = x->props.family;
+--
+2.53.0
+
--- /dev/null
+From 7f925409e6ad12695469eafc2b399b0241c554f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:53 +0200
+Subject: xsk: fix XDP_UMEM_SG_FLAG issues
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 93e84fe45b752d17a5a46b306ed78f0133bbc719 ]
+
+Currently xp_assign_dev_shared() is missing XDP_USE_SG being propagated
+to flags so set it in order to preserve mtu check that is supposed to be
+done only when no multi-buffer setup is in picture.
+
+Also, this flag has the same value as XDP_UMEM_TX_SW_CSUM so we could
+get unexpected SG setups for software Tx checksums. Since csum flag is
+UAPI, modify value of XDP_UMEM_SG_FLAG.
+
+Fixes: d609f3d228a8 ("xsk: add multi-buffer support for sockets sharing umem")
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-4-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xdp_sock.h | 2 +-
+ net/xdp/xsk_buff_pool.c | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/xdp_sock.h b/include/net/xdp_sock.h
+index ce587a2256618..7c2bc46c67050 100644
+--- a/include/net/xdp_sock.h
++++ b/include/net/xdp_sock.h
+@@ -14,7 +14,7 @@
+ #include <linux/mm.h>
+ #include <net/sock.h>
+
+-#define XDP_UMEM_SG_FLAG (1 << 1)
++#define XDP_UMEM_SG_FLAG BIT(3)
+
+ struct net_device;
+ struct xsk_queue;
+diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
+index aa9788f20d0db..677c7d00f8c32 100644
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -259,6 +259,10 @@ int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_sock *umem_xs,
+ return -EINVAL;
+
+ flags = umem->zc ? XDP_ZEROCOPY : XDP_COPY;
++
++ if (umem->flags & XDP_UMEM_SG_FLAG)
++ flags |= XDP_USE_SG;
++
+ if (umem_xs->pool->uses_need_wakeup)
+ flags |= XDP_USE_NEED_WAKEUP;
+
+--
+2.53.0
+
--- /dev/null
+From 99f84c314d103d6ea1745c694f826b18eba7042f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:52 +0200
+Subject: xsk: respect tailroom for ZC setups
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 1ee1605138fc94cc8f8f273321dd2471c64977f9 ]
+
+Multi-buffer XDP stores information about frags in skb_shared_info that
+sits at the tailroom of a packet. The storage space is reserved via
+xdp_data_hard_end():
+
+ ((xdp)->data_hard_start + (xdp)->frame_sz - \
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)))
+
+and then we refer to it via macro below:
+
+static inline struct skb_shared_info *
+xdp_get_shared_info_from_buff(const struct xdp_buff *xdp)
+{
+ return (struct skb_shared_info *)xdp_data_hard_end(xdp);
+}
+
+Currently we do not respect this tailroom space in multi-buffer AF_XDP
+ZC scenario. To address this, introduce xsk_pool_get_tailroom() and use
+it within xsk_pool_get_rx_frame_size() which is used in ZC drivers to
+configure length of HW Rx buffer.
+
+Typically drivers on Rx Hw buffers side work on 128 byte alignment so
+let us align the value returned by xsk_pool_get_rx_frame_size() in order
+to avoid addressing this on driver's side. This addresses the fact that
+idpf uses mentioned function *before* pool->dev being set so we were at
+risk that after subtracting tailroom we would not provide 128-byte
+aligned value to HW.
+
+Since xsk_pool_get_rx_frame_size() is actively used in xsk_rcv_check()
+and __xsk_rcv(), add a variant of this routine that will not include 128
+byte alignment and therefore old behavior is preserved.
+
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-3-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xdp_sock_drv.h | 23 ++++++++++++++++++++++-
+ net/xdp/xsk.c | 4 ++--
+ 2 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/xdp_sock_drv.h b/include/net/xdp_sock_drv.h
+index 33e072768de9d..dd1d3a6e1b780 100644
+--- a/include/net/xdp_sock_drv.h
++++ b/include/net/xdp_sock_drv.h
+@@ -37,16 +37,37 @@ static inline u32 xsk_pool_get_headroom(struct xsk_buff_pool *pool)
+ return XDP_PACKET_HEADROOM + pool->headroom;
+ }
+
++static inline u32 xsk_pool_get_tailroom(bool mbuf)
++{
++ return mbuf ? SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) : 0;
++}
++
+ static inline u32 xsk_pool_get_chunk_size(struct xsk_buff_pool *pool)
+ {
+ return pool->chunk_size;
+ }
+
+-static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool)
++static inline u32 __xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool)
+ {
+ return xsk_pool_get_chunk_size(pool) - xsk_pool_get_headroom(pool);
+ }
+
++static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool)
++{
++ u32 frame_size = __xsk_pool_get_rx_frame_size(pool);
++ struct xdp_umem *umem = pool->umem;
++ bool mbuf;
++
++ /* Reserve tailroom only for zero-copy pools that opted into
++ * multi-buffer. The reserved area is used for skb_shared_info,
++ * matching the XDP core's xdp_data_hard_end() layout.
++ */
++ mbuf = pool->dev && (umem->flags & XDP_UMEM_SG_FLAG);
++ frame_size -= xsk_pool_get_tailroom(mbuf);
++
++ return ALIGN_DOWN(frame_size, 128);
++}
++
+ static inline u32 xsk_pool_get_rx_frag_step(struct xsk_buff_pool *pool)
+ {
+ return pool->unaligned ? 0 : xsk_pool_get_chunk_size(pool);
+diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
+index a78cdc3356937..259ad9a3abcc4 100644
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -239,7 +239,7 @@ static u32 xsk_copy_xdp(void *to, void **from, u32 to_len,
+
+ static int __xsk_rcv(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len)
+ {
+- u32 frame_size = xsk_pool_get_rx_frame_size(xs->pool);
++ u32 frame_size = __xsk_pool_get_rx_frame_size(xs->pool);
+ void *copy_from = xsk_copy_xdp_start(xdp), *copy_to;
+ u32 from_len, meta_len, rem, num_desc;
+ struct xdp_buff_xsk *xskb;
+@@ -338,7 +338,7 @@ static int xsk_rcv_check(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len)
+ if (xs->dev != xdp->rxq->dev || xs->queue_id != xdp->rxq->queue_index)
+ return -EINVAL;
+
+- if (len > xsk_pool_get_rx_frame_size(xs->pool) && !xs->sg) {
++ if (len > __xsk_pool_get_rx_frame_size(xs->pool) && !xs->sg) {
+ xs->rx_dropped++;
+ return -ENOSPC;
+ }
+--
+2.53.0
+
--- /dev/null
+From 65816e29943d79ec0d4308f8e14290f16589b8c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:51 +0200
+Subject: xsk: tighten UMEM headroom validation to account for tailroom and min
+ frame
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit a315e022a72d95ef5f1d4e58e903cb492b0ad931 ]
+
+The current headroom validation in xdp_umem_reg() could leave us with
+insufficient space dedicated to even receive minimum-sized ethernet
+frame. Furthermore if multi-buffer would come to play then
+skb_shared_info stored at the end of XSK frame would be corrupted.
+
+HW typically works with 128-aligned sizes so let us provide this value
+as bare minimum.
+
+Multi-buffer setting is known later in the configuration process so
+besides accounting for 128 bytes, let us also take care of tailroom space
+upfront.
+
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Fixes: 99e3a236dd43 ("xsk: Add missing check on user supplied headroom size")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-2-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xdp_umem.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
+index 9f76ca591d54f..9ec7bd948acc7 100644
+--- a/net/xdp/xdp_umem.c
++++ b/net/xdp/xdp_umem.c
+@@ -202,7 +202,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+ if (!unaligned_chunks && chunks_rem)
+ return -EINVAL;
+
+- if (headroom >= chunk_size - XDP_PACKET_HEADROOM)
++ if (headroom > chunk_size - XDP_PACKET_HEADROOM -
++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) - 128)
+ return -EINVAL;
+
+ if (mr->flags & XDP_UMEM_TX_METADATA_LEN) {
+--
+2.53.0
+
--- /dev/null
+From e76fd8d1b687d6f3b3475f2bf5ee669fe6b498e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:54 +0200
+Subject: xsk: validate MTU against usable frame size on bind
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 36ee60b569ba0dfb6f961333b90d19ab5b323fa9 ]
+
+AF_XDP bind currently accepts zero-copy pool configurations without
+verifying that the device MTU fits into the usable frame space provided
+by the UMEM chunk.
+
+This becomes a problem since we started to respect tailroom which is
+subtracted from chunk_size (among with headroom). 2k chunk size might
+not provide enough space for standard 1500 MTU, so let us catch such
+settings at bind time. Furthermore, validate whether underlying HW will
+be able to satisfy configured MTU wrt XSK's frame size multiplied by
+supported Rx buffer chain length (that is exposed via
+net_device::xdp_zc_max_segs).
+
+Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX")
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-5-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xsk_buff_pool.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
+index 677c7d00f8c32..a129ce6f1c25f 100644
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -10,6 +10,8 @@
+ #include "xdp_umem.h"
+ #include "xsk.h"
+
++#define ETH_PAD_LEN (ETH_HLEN + 2 * VLAN_HLEN + ETH_FCS_LEN)
++
+ void xp_add_xsk(struct xsk_buff_pool *pool, struct xdp_sock *xs)
+ {
+ unsigned long flags;
+@@ -165,8 +167,12 @@ static void xp_disable_drv_zc(struct xsk_buff_pool *pool)
+ int xp_assign_dev(struct xsk_buff_pool *pool,
+ struct net_device *netdev, u16 queue_id, u16 flags)
+ {
++ u32 needed = netdev->mtu + ETH_PAD_LEN;
++ u32 segs = netdev->xdp_zc_max_segs;
++ bool mbuf = flags & XDP_USE_SG;
+ bool force_zc, force_copy;
+ struct netdev_bpf bpf;
++ u32 frame_size;
+ int err = 0;
+
+ ASSERT_RTNL();
+@@ -186,7 +192,7 @@ int xp_assign_dev(struct xsk_buff_pool *pool,
+ if (err)
+ return err;
+
+- if (flags & XDP_USE_SG)
++ if (mbuf)
+ pool->umem->flags |= XDP_UMEM_SG_FLAG;
+
+ if (flags & XDP_USE_NEED_WAKEUP)
+@@ -208,8 +214,24 @@ int xp_assign_dev(struct xsk_buff_pool *pool,
+ goto err_unreg_pool;
+ }
+
+- if (netdev->xdp_zc_max_segs == 1 && (flags & XDP_USE_SG)) {
+- err = -EOPNOTSUPP;
++ if (mbuf) {
++ if (segs == 1) {
++ err = -EOPNOTSUPP;
++ goto err_unreg_pool;
++ }
++ } else {
++ segs = 1;
++ }
++
++ /* open-code xsk_pool_get_rx_frame_size() as pool->dev is not
++ * set yet at this point; we are before getting down to driver
++ */
++ frame_size = __xsk_pool_get_rx_frame_size(pool) -
++ xsk_pool_get_tailroom(mbuf);
++ frame_size = ALIGN_DOWN(frame_size, 128);
++
++ if (needed > frame_size * segs) {
++ err = -EINVAL;
+ goto err_unreg_pool;
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 024e9d9a45af1fc9282fa5a7a3cbfba7296131ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 16:00:14 +0800
+Subject: af_unix: read UNIX_DIAG_VFS data under unix_state_lock
+
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+
+[ Upstream commit 39897df386376912d561d4946499379effa1e7ef ]
+
+Exact UNIX diag lookups hold a reference to the socket, but not to
+u->path. Meanwhile, unix_release_sock() clears u->path under
+unix_state_lock() and drops the path reference after unlocking.
+
+Read the inode and device numbers for UNIX_DIAG_VFS while holding
+unix_state_lock(), then emit the netlink attribute after dropping the
+lock.
+
+This keeps the VFS data stable while the reply is being built.
+
+Fixes: 5f7b0569460b ("unix_diag: Unix inode info NLA")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260407080015.1744197-1-n05ec@lzu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/diag.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/net/unix/diag.c b/net/unix/diag.c
+index ca34730261510..c9c1e51c44196 100644
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -28,18 +28,23 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb)
+
+ static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb)
+ {
+- struct dentry *dentry = unix_sk(sk)->path.dentry;
++ struct unix_diag_vfs uv;
++ struct dentry *dentry;
++ bool have_vfs = false;
+
++ unix_state_lock(sk);
++ dentry = unix_sk(sk)->path.dentry;
+ if (dentry) {
+- struct unix_diag_vfs uv = {
+- .udiag_vfs_ino = d_backing_inode(dentry)->i_ino,
+- .udiag_vfs_dev = dentry->d_sb->s_dev,
+- };
+-
+- return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);
++ uv.udiag_vfs_ino = d_backing_inode(dentry)->i_ino;
++ uv.udiag_vfs_dev = dentry->d_sb->s_dev;
++ have_vfs = true;
+ }
++ unix_state_unlock(sk);
+
+- return 0;
++ if (!have_vfs)
++ return 0;
++
++ return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);
+ }
+
+ static int sk_diag_dump_peer(struct sock *sk, struct sk_buff *nlskb)
+--
+2.53.0
+
--- /dev/null
+From 2ff0998f9ce7c19dd4d9198683c2a83c377f8636 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 13:40:07 +0100
+Subject: ALSA: asihpi: avoid write overflow check warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 591721223be9e28f83489a59289579493b8e3d83 ]
+
+clang-22 rightfully warns that the memcpy() in adapter_prepare() copies
+between different structures, crossing the boundary of nested
+structures inside it:
+
+In file included from sound/pci/asihpi/hpimsgx.c:13:
+In file included from include/linux/string.h:386:
+include/linux/fortify-string.h:569:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
+ 569 | __write_overflow_field(p_size_field, size);
+
+The two structures seem to refer to the same layout, despite the
+separate definitions, so the code is in fact correct.
+
+Avoid the warning by copying the two inner structures separately.
+I see the same pattern happens in other functions in the same file,
+so there is a chance that this may come back in the future, but
+this instance is the only one that I saw in practice, hitting it
+multiple times per day in randconfig build.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://patch.msgid.link/20260318124016.3488566-1-arnd@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/asihpi/hpimsgx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c
+index b68e6bfbbfbab..ed1c7b7744361 100644
+--- a/sound/pci/asihpi/hpimsgx.c
++++ b/sound/pci/asihpi/hpimsgx.c
+@@ -581,8 +581,10 @@ static u16 adapter_prepare(u16 adapter)
+ HPI_ADAPTER_OPEN);
+ hm.adapter_index = adapter;
+ hw_entry_point(&hm, &hr);
+- memcpy(&rESP_HPI_ADAPTER_OPEN[adapter], &hr,
+- sizeof(rESP_HPI_ADAPTER_OPEN[0]));
++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].h, &hr,
++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].h));
++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].a, &hr.u.ax.info,
++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].a));
+ if (hr.error)
+ return hr.error;
+
+--
+2.53.0
+
--- /dev/null
+From 874941e4a61832a8e6dc87e607e7a07550bb2be3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 01:08:51 +0000
+Subject: ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk
+
+From: Andrii Kovalchuk <coderpy4@proton.me>
+
+[ Upstream commit 793b008cd39516385791a1d1d223d817e947a471 ]
+
+Add a PCI quirk for HP ENVY Laptop 13-ba0xxx (PCI device ID 0x8756)
+to enable proper mute LED and mic mute behavior using the
+ALC245_FIXUP_HP_X360_MUTE_LEDS fixup.
+
+Signed-off-by: Andrii Kovalchuk <coderpy4@proton.me>
+Link: https://patch.msgid.link/u0s-uRVegF9BN0t-4JnOUwsIAR-mVc4U4FJfJHdEHX7ro_laErHD9y35NebWybcN16gVaVHPJo1ap3AoJ1a2gqJImPvThgeNt_SYVY1KaDw=@proton.me
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index cb39054bfe79c..cbe4bbf9b1171 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -6888,6 +6888,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8735, "HP ProBook 435 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT),
++ SND_PCI_QUIRK(0x103c, 0x8756, "HP ENVY Laptop 13-ba0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS),
+ SND_PCI_QUIRK(0x103c, 0x8760, "HP EliteBook 8{4,5}5 G7", ALC285_FIXUP_HP_BEEP_MICMUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x876e, "HP ENVY x360 Convertible 13-ay0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS),
+ SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED),
+--
+2.53.0
+
--- /dev/null
+From 7b8e1eee8083c98f8f0b579f935912d8c5f0c20b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 22:07:50 +0530
+Subject: ALSA: hda/realtek: add HP Laptop 15-fd0xxx mute LED quirk
+
+From: Kshamendra Kumar Mishra <kshamendrakumarmishra@gmail.com>
+
+[ Upstream commit faceb5cf5d7a08f4a40335d22d833bb75f05d99e ]
+
+HP Laptop 15-fd0xxx with ALC236 codec does not handle the toggling of
+the mute LED.
+This patch adds a quirk entry for subsystem ID 0x8dd7 using
+ALC236_FIXUP_HP_MUTE_LED_COEFBIT2 fixup, enabling correct mute LED
+behavior.
+
+Signed-off-by: Kshamendra Kumar Mishra <kshamendrakumarmishra@gmail.com>
+Link: https://patch.msgid.link/DHAB51ISUM96.2K9SZIABIDEQ0@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index 504edaf14d39a..8733f57c4aafe 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7135,6 +7135,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8da7, "HP 14 Enstrom OmniBook X", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8da8, "HP 16 Piston OmniBook X", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8dd4, "HP EliteStudio 8 AIO", ALC274_FIXUP_HP_AIO_BIND_DACS),
++ SND_PCI_QUIRK(0x103c, 0x8dd7, "HP Laptop 15-fd0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x8de8, "HP Gemtree", ALC245_FIXUP_TAS2781_SPI_2),
+ SND_PCI_QUIRK(0x103c, 0x8de9, "HP Gemtree", ALC245_FIXUP_TAS2781_SPI_2),
+ SND_PCI_QUIRK(0x103c, 0x8dec, "HP EliteBook 640 G12", ALC236_FIXUP_HP_GPIO_LED),
+--
+2.53.0
+
--- /dev/null
+From 378c61dd2819660868628664d9586b9a1f9c4201 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Mar 2026 10:36:03 -0500
+Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: César Montoya <sprit152009@gmail.com>
+
+[ Upstream commit 2f388b4e8fdd6b0f27cafd281658daacfd85807e ]
+
+The HP Pavilion 15-eg0xxx with subsystem ID 0x103c87cb uses a Realtek
+ALC287 codec with a mute LED wired to GPIO pin 4 (mask 0x10). The
+existing ALC287_FIXUP_HP_GPIO_LED fixup already handles this correctly,
+but the subsystem ID was missing from the quirk table.
+
+GPIO pin confirmed via manual hda-verb testing:
+ hda-verb SET_GPIO_MASK 0x10
+ hda-verb SET_GPIO_DIRECTION 0x10
+ hda-verb SET_GPIO_DATA 0x10
+
+Signed-off-by: César Montoya <sprit152009@gmail.com>
+Link: https://patch.msgid.link/20260321153603.12771-1-sprit152009@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index 26e2e7befd60d..504edaf14d39a 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -6902,6 +6902,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x87cb, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+--
+2.53.0
+
--- /dev/null
+From 0d443741ddbe44b17e205b44745ba30ed4974dd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 10:25:03 -0700
+Subject: ALSA: hda/realtek: Add quirk for ASUS ROG Flow Z13-KJP GZ302EAC
+
+From: Matthew Schwartz <matthew.schwartz@linux.dev>
+
+[ Upstream commit 59f68dc1d8df3142cb58fd2568966a9bb7b0ed8a ]
+
+Fixes lack of audio output on the ASUS ROG Flow Z13-KJP GZ302EAC model,
+similar to the ASUS ROG Flow Z13 GZ302EA.
+
+Signed-off-by: Matthew Schwartz <matthew.schwartz@linux.dev>
+Link: https://patch.msgid.link/20260313172503.285846-1-matthew.schwartz@linux.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index ce9cb7614bec7..26e2e7befd60d 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7243,6 +7243,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1043, 0x14e3, "ASUS G513PI/PU/PV", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x14f2, "ASUS VivoBook X515JA", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x1503, "ASUS G733PY/PZ/PZV/PYV", ALC287_FIXUP_CS35L41_I2C_2),
++ SND_PCI_QUIRK(0x1043, 0x1514, "ASUS ROG Flow Z13 GZ302EAC", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A),
+ SND_PCI_QUIRK(0x1043, 0x1533, "ASUS GV302XA/XJ/XQ/XU/XV/XI", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x1573, "ASUS GZ301VV/VQ/VU/VJ/VA/VC/VE/VVC/VQC/VUC/VJC/VEC/VCC", ALC285_FIXUP_ASUS_HEADSET_MIC),
+--
+2.53.0
+
--- /dev/null
+From 33a18fd8f58e8a242bdd507f4e7cc4f0acfdccc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 10:54:40 -0500
+Subject: ALSA: hda/realtek: add quirk for Framework F111:000F
+
+From: Dustin L. Howett <dustin@howett.net>
+
+[ Upstream commit bac1e57adf08c9ee33e95fb09cd032f330294e70 ]
+
+Similar to commit 7b509910b3ad ("ALSA hda/realtek: Add quirk for
+Framework F111:000C") and previous quirks for Framework systems with
+Realtek codecs.
+
+000F is another new platform with an ALC285 which needs the same quirk.
+
+Signed-off-by: Dustin L. Howett <dustin@howett.net>
+Link: https://patch.msgid.link/20260327-framework-alsa-000f-v1-1-74013aba1c00@howett.net
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index 1791ed0f3b4df..e3277293dac6a 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7760,6 +7760,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x000b, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x000c, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0xf111, 0x000f, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+
+ #if 0
+ /* Below is a quirk table taken from the old code.
+--
+2.53.0
+
--- /dev/null
+From e5302f0eb733db1dea156070e5002c9d16c9edaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 16:06:24 +0800
+Subject: ALSA: hda/realtek: add quirk for Lenovo Yoga 7 2-in-1 16AKP10
+
+From: Zhang Heng <zhangheng@kylinos.cn>
+
+[ Upstream commit 7bae956cac0433c4d41aac9f1d04e42694e0b706 ]
+
+This machine is equipped with ALC287 and requires the quirk
+ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN to fix the issue
+where the bass speakers are not configured and the speaker
+volume cannot be controlled.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=221210
+Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260313080624.1395362-1-zhangheng@kylinos.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index cbe4bbf9b1171..ce9cb7614bec7 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7613,6 +7613,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x38ab, "Thinkbook 16P", ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD),
+ SND_PCI_QUIRK(0x17aa, 0x38b4, "Legion Slim 7 16IRH8", ALC287_FIXUP_CS35L41_I2C_2),
+ HDA_CODEC_QUIRK(0x17aa, 0x391c, "Lenovo Yoga 7 2-in-1 14AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
++ HDA_CODEC_QUIRK(0x17aa, 0x391d, "Lenovo Yoga 7 2-in-1 16AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x38b5, "Legion Slim 7 16IRH8", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x17aa, 0x38b6, "Legion Slim 7 16APH8", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x17aa, 0x38b7, "Legion Slim 7 16APH8", ALC287_FIXUP_CS35L41_I2C_2),
+--
+2.53.0
+
--- /dev/null
+From c81ae8bd4ad62c829fd8561f77e84a3b1523b262 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Mar 2026 11:29:28 +0300
+Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IMH9
+
+From: Alexander Savenko <alex.sav4387@gmail.com>
+
+[ Upstream commit 217d5bc9f96272316ac5a3215c7cc32a5127bbf3 ]
+
+The Lenovo Yoga Pro 7 14IMH9 (DMI: 83E2) shares PCI SSID 17aa:3847
+with the Legion 7 16ACHG6, but has a different codec subsystem ID
+(17aa:38cf). The existing SND_PCI_QUIRK for 17aa:3847 applies
+ALC287_FIXUP_LEGION_16ACHG6, which attempts to initialize an external
+I2C amplifier (CLSA0100) that is not present on the Yoga Pro 7 14IMH9.
+
+As a result, pin 0x17 (bass speakers) is connected to DAC 0x06 which
+has no volume control, making hardware volume adjustment completely
+non-functional. Audio is either silent or at maximum volume regardless
+of the slider position.
+
+Add a HDA_CODEC_QUIRK entry using the codec subsystem ID (17aa:38cf)
+to correctly identify the Yoga Pro 7 14IMH9 and apply
+ALC287_FIXUP_YOGA9_14IMH9_BASS_SPK_PIN, which redirects pin 0x17 to
+DAC 0x02 and restores proper volume control. The existing Legion entry
+is preserved unchanged.
+
+This follows the same pattern used for 17aa:386e, where Legion Y9000X
+and Yoga Pro 7 14ARP8 share a PCI SSID but are distinguished via
+HDA_CODEC_QUIRK.
+
+Link: https://github.com/nomad4tech/lenovo-yoga-pro-7-linux
+Tested-by: Alexander Savenko <alex.sav4387@gmail.com>
+Signed-off-by: Alexander Savenko <alex.sav4387@gmail.com>
+Link: https://patch.msgid.link/20260331082929.44890-1-alex.sav4387@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index edbac69d3d99d..26bf942f0afb0 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7606,6 +7606,10 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x3834, "Lenovo IdeaPad Slim 9i 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS),
+ SND_PCI_QUIRK(0x17aa, 0x383d, "Legion Y9000X 2019", ALC285_FIXUP_LEGION_Y9000X_SPEAKERS),
+ SND_PCI_QUIRK(0x17aa, 0x3843, "Lenovo Yoga 9i / Yoga Book 9i", ALC287_FIXUP_LENOVO_YOGA_BOOK_9I),
++ /* Yoga Pro 7 14IMH9 shares PCI SSID 17aa:3847 with Legion 7 16ACHG6;
++ * use codec SSID to distinguish them
++ */
++ HDA_CODEC_QUIRK(0x17aa, 0x38cf, "Lenovo Yoga Pro 7 14IMH9", ALC287_FIXUP_YOGA9_14IMH9_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3847, "Legion 7 16ACHG6", ALC287_FIXUP_LEGION_16ACHG6),
+ SND_PCI_QUIRK(0x17aa, 0x384a, "Lenovo Yoga 7 15ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS),
+ SND_PCI_QUIRK(0x17aa, 0x3852, "Lenovo Yoga 7 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS),
+--
+2.53.0
+
--- /dev/null
+From 22a38adf356262222cf0e720c5c33fe8f4ab946a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2026 09:26:51 +0800
+Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10
+
+From: songxiebing <songxiebing@kylinos.cn>
+
+[ Upstream commit f0541edb2e7333f320642c7b491a67912c1f65db ]
+
+The bass speakers are not working, and add the following entry
+in /etc/modprobe.d/snd.conf:
+options snd-sof-intel-hda-generic hda_model=alc287-yoga9-bass-spk-pin
+Fixes the bass speakers.
+
+So add the quick ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN here.
+
+Reported-by: Fernando Garcia Corona <fgarcor@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221317
+Signed-off-by: songxiebing <songxiebing@kylinos.cn>
+Link: https://patch.msgid.link/20260405012651.133838-1-songxiebing@kylinos.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index 26bf942f0afb0..d954de3fd225e 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7671,6 +7671,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x38fd, "ThinkBook plus Gen5 Hybrid", ALC287_FIXUP_TAS2781_I2C),
+ SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x17aa, 0x390d, "Lenovo Yoga Pro 7 14ASP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
++ SND_PCI_QUIRK(0x17aa, 0x3911, "Lenovo Yoga Pro 7 14IAH10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3913, "Lenovo 145", ALC236_FIXUP_LENOVO_INV_DMIC),
+ SND_PCI_QUIRK(0x17aa, 0x391a, "Lenovo Yoga Slim 7 14AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x391f, "Yoga S990-16 pro Quad YC Quad", ALC287_FIXUP_TXNW2781_I2C),
+--
+2.53.0
+
--- /dev/null
+From b94400dd85bbb6424efebb45c1b1b2ab538bd6ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Mar 2026 11:36:50 +0800
+Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Slim 7 14AKP10
+
+From: songxiebing <songxiebing@kylinos.cn>
+
+[ Upstream commit e6c888202297eca21860b669edb74fc600e679d9 ]
+
+The Pin Complex 0x17 (bass/woofer speakers) is incorrectly reported as
+unconnected in the BIOS (pin default 0x411111f0 = N/A). This causes the
+kernel to configure speaker_outs=0, meaning only the tweeters (pin 0x14)
+are used. The result is very low, tinny audio with no bass.
+
+The existing quirk ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN (already present
+in patch_realtek.c for SSID 0x17aa3801) fixes the issue completely.
+
+Reported-by: Garcicasti <andresgarciacastilla@gmail.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=221298
+Signed-off-by: songxiebing <songxiebing@kylinos.cn>
+Link: https://patch.msgid.link/20260331033650.285601-1-songxiebing@kylinos.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index 61ca80ff3757b..edbac69d3d99d 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7668,6 +7668,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x17aa, 0x390d, "Lenovo Yoga Pro 7 14ASP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3913, "Lenovo 145", ALC236_FIXUP_LENOVO_INV_DMIC),
++ SND_PCI_QUIRK(0x17aa, 0x391a, "Lenovo Yoga Slim 7 14AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x391f, "Yoga S990-16 pro Quad YC Quad", ALC287_FIXUP_TXNW2781_I2C),
+ SND_PCI_QUIRK(0x17aa, 0x3920, "Yoga S990-16 pro Quad VECO Quad", ALC287_FIXUP_TXNW2781_I2C),
+ SND_PCI_QUIRK(0x17aa, 0x3929, "Thinkbook 13x Gen 5", ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD),
+--
+2.53.0
+
--- /dev/null
+From c5dfc7cc7aedda14cd074e9faae29cd7ad6070c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 18:22:20 +0200
+Subject: ALSA: hda/realtek: Add quirk for Samsung Book2 Pro 360 (NP950QED)
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit ea31be8a2c8c99eac198f3b7f2dc770111f2b182 ]
+
+There is another Book2 Pro model (NP950QED) that seems equipped with
+the same speaker module as the non-360 model, which requires
+ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS quirk.
+
+Reported-by: Throw <zakkabj@gmail.com>
+Link: https://patch.msgid.link/20260330162249.147665-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index e3277293dac6a..61ca80ff3757b 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7410,6 +7410,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x144d, 0xc188, "Samsung Galaxy Book Flex (NT950QCT-A38A)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Book Flex (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP),
++ SND_PCI_QUIRK(0x144d, 0xc1ac, "Samsung Galaxy Book2 Pro 360 (NP950QED)", ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS),
+ SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc1a4, "Samsung Galaxy Book Pro 360 (NT935QBD)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc1a6, "Samsung Galaxy Book Pro 360 (NP930QBD)", ALC298_FIXUP_SAMSUNG_AMP),
+--
+2.53.0
+
--- /dev/null
+From 3efe2344bd164e720f4708bb93a4009e42f2c2ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 15:49:46 +0800
+Subject: ALSA: hda/realtek - Fixed Speaker Mute LED for HP EliteBoard G1a
+ platform
+
+From: Kailang Yang <kailang@realtek.com>
+
+[ Upstream commit d3be95efc6a1e03230ef646b498050152efe2888 ]
+
+On the HP EliteBoard G1a platform (models without a headphone jack).
+the speaker mute LED failed to function. The Sysfs ctl-led info showed
+empty values because the standard LED registration couldn't correctly
+bind to the master switch.
+Adding this patch will fix and enable the speaker mute LED feature.
+
+Tested-by: Chris Chiu <chris.chiu@canonical.com>
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Link: https://lore.kernel.org/279e929e884849df84687dbd67f20037@realtek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
+index 8733f57c4aafe..1791ed0f3b4df 100644
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -3725,22 +3725,42 @@ static void alc245_tas2781_spi_hp_fixup_muteled(struct hda_codec *codec,
+ alc_fixup_hp_gpio_led(codec, action, 0x04, 0x0);
+ alc285_fixup_hp_coef_micmute_led(codec, fix, action);
+ }
++
++static void alc245_hp_spk_mute_led_update(void *private_data, int enabled)
++{
++ struct hda_codec *codec = private_data;
++ unsigned int val;
++
++ val = enabled ? 0x08 : 0x04; /* 0x08 led on, 0x04 led off */
++ alc_update_coef_idx(codec, 0x0b, 0x0c, val);
++}
++
+ /* JD2: mute led GPIO3: micmute led */
+ static void alc245_tas2781_i2c_hp_fixup_muteled(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
+ struct alc_spec *spec = codec->spec;
++ hda_nid_t hp_pin = alc_get_hp_pin(spec);
+ static const hda_nid_t conn[] = { 0x02 };
+
+ switch (action) {
+ case HDA_FIXUP_ACT_PRE_PROBE:
++ if (!hp_pin) {
++ spec->gen.vmaster_mute.hook = alc245_hp_spk_mute_led_update;
++ spec->gen.vmaster_mute_led = 1;
++ }
+ spec->gen.auto_mute_via_amp = 1;
+ snd_hda_override_conn_list(codec, 0x17, ARRAY_SIZE(conn), conn);
+ break;
++ case HDA_FIXUP_ACT_INIT:
++ if (!hp_pin)
++ alc245_hp_spk_mute_led_update(codec, !spec->gen.master_mute);
++ break;
+ }
+
+ tas2781_fixup_txnw_i2c(codec, fix, action);
+- alc245_fixup_hp_mute_led_coefbit(codec, fix, action);
++ if (hp_pin)
++ alc245_fixup_hp_mute_led_coefbit(codec, fix, action);
+ alc285_fixup_hp_coef_micmute_led(codec, fix, action);
+ }
+ /*
+--
+2.53.0
+
--- /dev/null
+From 3ce4e45298664247a0555e4fa0015e7ca0d1e898 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Mar 2026 08:07:34 +0000
+Subject: ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex
+
+From: Phil Willoughby <willerz@gmail.com>
+
+[ Upstream commit bc5b4e5ae1a67700a618328217b6a3bd0f296e97 ]
+
+The NeuralDSP Quad Cortex does not support DSD playback. We need
+this product-specific entry with zero quirks because otherwise it
+falls through to the vendor-specific entry which marks it as
+supporting DSD playback.
+
+Cc: Yue Wang <yuleopen@gmail.com>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Signed-off-by: Phil Willoughby <willerz@gmail.com>
+Link: https://patch.msgid.link/20260328080921.3310-1-willerz@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index a56fb8ef987ea..1686022db0adf 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -2299,6 +2299,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
+ QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB),
+ DEVICE_FLG(0x13e5, 0x0001, /* Serato Phono */
+ QUIRK_FLAG_IGNORE_CTL_ERROR),
++ DEVICE_FLG(0x152a, 0x880a, /* NeuralDSP Quad Cortex */
++ 0), /* Doesn't have the vendor quirk which would otherwise apply */
+ DEVICE_FLG(0x154e, 0x1002, /* Denon DCD-1500RE */
+ QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY),
+ DEVICE_FLG(0x154e, 0x1003, /* Denon DA-300USB */
+--
+2.53.0
+
--- /dev/null
+From d699e8c9bb887593fee4d232233952ec36ae28a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 18:25:27 +0800
+Subject: ALSA:usb:qcom: add AUXILIARY_BUS to Kconfig dependencies
+
+From: Frank Zhang <rmxpzlb@gmail.com>
+
+[ Upstream commit b8bee48e38f2ddbdba5e58bc54ef54bb7d8d341b ]
+
+The build can fail with:
+
+ERROR: modpost: "__auxiliary_driver_register"
+[sound/usb/qcom/snd-usb-audio-qmi.ko] undefined!
+ERROR: modpost: "auxiliary_driver_unregister"
+[sound/usb/qcom/snd-usb-audio-qmi.ko] undefined!
+
+Select AUXILIARY_BUS when SND_USB_AUDIO_QMI is enabled.
+
+Signed-off-by: Frank Zhang <rmxpzlb@gmail.com>
+Link: https://patch.msgid.link/20260317102527.556248-1-rmxpzlb@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/usb/Kconfig b/sound/usb/Kconfig
+index 9b890abd96d34..b4588915efa11 100644
+--- a/sound/usb/Kconfig
++++ b/sound/usb/Kconfig
+@@ -192,6 +192,7 @@ config SND_USB_AUDIO_QMI
+ tristate "Qualcomm Audio Offload driver"
+ depends on QCOM_QMI_HELPERS && SND_USB_AUDIO && SND_SOC_USB
+ depends on USB_XHCI_HCD && USB_XHCI_SIDEBAND
++ select AUXILIARY_BUS
+ help
+ Say Y here to enable the Qualcomm USB audio offloading feature.
+
+--
+2.53.0
+
--- /dev/null
+From 0084c20c7b7994d9861a5618271a0c231f4d005f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Feb 2026 11:07:35 +0200
+Subject: ARM: dts: microchip: sam9x7: fix gpio-lines count for pioB
+
+From: Mihai Sain <mihai.sain@microchip.com>
+
+[ Upstream commit 907150bbe566e23714a25d7bcb910f236c3c44c0 ]
+
+The pioB controller on the SAM9X7 SoC actually supports 27 GPIO lines.
+The previous value of 26 was incorrect, leading to the last pin being
+unavailable for use by the GPIO subsystem.
+Update the #gpio-lines property to reflect
+the correct hardware specification.
+
+Fixes: 41af45af8bc3 ("ARM: dts: at91: sam9x7: add device tree for SoC")
+Signed-off-by: Mihai Sain <mihai.sain@microchip.com>
+Link: https://lore.kernel.org/r/20260209090735.2016-1-mihai.sain@microchip.com
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/microchip/sam9x7.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/microchip/sam9x7.dtsi b/arch/arm/boot/dts/microchip/sam9x7.dtsi
+index 46dacbbd201dd..d242d7a934d0f 100644
+--- a/arch/arm/boot/dts/microchip/sam9x7.dtsi
++++ b/arch/arm/boot/dts/microchip/sam9x7.dtsi
+@@ -1226,7 +1226,7 @@ pioB: gpio@fffff600 {
+ interrupt-controller;
+ #gpio-cells = <2>;
+ gpio-controller;
+- #gpio-lines = <26>;
++ #gpio-lines = <27>;
+ clocks = <&pmc PMC_TYPE_PERIPHERAL 3>;
+ };
+
+--
+2.53.0
+
--- /dev/null
+From 97053d550e131c6277b191714c9bcf3312fdb06a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jan 2026 00:28:28 +0100
+Subject: arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency
+
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+
+[ Upstream commit 1f99b5d93d99ca17d50b386a674d0ce1f20932d8 ]
+
+According to i.MX 8M Quad Reference Manual, GPU_AHB_CLK_ROOT's maximum
+frequency is 400MHz.
+
+Fixes: 45d2c84eb3a2 ("arm64: dts: imx8mq: add GPU node")
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+index 607962f807beb..6a25e219832ce 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+@@ -1632,7 +1632,7 @@ gpu: gpu@38000000 {
+ <&clk IMX8MQ_GPU_PLL_OUT>,
+ <&clk IMX8MQ_GPU_PLL>;
+ assigned-clock-rates = <800000000>, <800000000>,
+- <800000000>, <800000000>, <0>;
++ <800000000>, <400000000>, <0>;
+ power-domains = <&pgc_gpu>;
+ };
+
+--
+2.53.0
+
--- /dev/null
+From a2e5551a4dc8733e73d8dcb4192fcaf78d9c8784 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Feb 2026 16:50:13 +0100
+Subject: arm64: dts: imx91-tqma9131: improve eMMC pad configuration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Markus Niebel <Markus.Niebel@ew.tq-group.com>
+
+[ Upstream commit 44db7bc66eb38e85bb32777c5fd3a4e7baa84147 ]
+
+Use DSE x4 an PullUp for CMD an DAT, DSE x4 and PullDown for CLK to improve
+stability and detection at low temperatures under -25°C.
+
+Fixes: e71db39f0c7c ("arm64: dts: freescale: add initial device tree for TQMa91xx/MBa91xxCA")
+Signed-off-by: Markus Niebel <Markus.Niebel@ew.tq-group.com>
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/freescale/imx91-tqma9131.dtsi | 20 +++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx91-tqma9131.dtsi b/arch/arm64/boot/dts/freescale/imx91-tqma9131.dtsi
+index 5792952b7a8e1..c99d7bc168483 100644
+--- a/arch/arm64/boot/dts/freescale/imx91-tqma9131.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx91-tqma9131.dtsi
+@@ -272,20 +272,20 @@ pinctrl_reg_usdhc2_vmmc: regusdhc2vmmcgrp {
+ /* enable SION for data and cmd pad due to ERR052021 */
+ pinctrl_usdhc1: usdhc1grp {
+ fsl,pins = /* PD | FSEL 3 | DSE X5 */
+- <MX91_PAD_SD1_CLK__USDHC1_CLK 0x5be>,
++ <MX91_PAD_SD1_CLK__USDHC1_CLK 0x59e>,
+ /* HYS | FSEL 0 | no drive */
+ <MX91_PAD_SD1_STROBE__USDHC1_STROBE 0x1000>,
+ /* HYS | FSEL 3 | X5 */
+- <MX91_PAD_SD1_CMD__USDHC1_CMD 0x400011be>,
++ <MX91_PAD_SD1_CMD__USDHC1_CMD 0x4000139e>,
+ /* HYS | FSEL 3 | X4 */
+- <MX91_PAD_SD1_DATA0__USDHC1_DATA0 0x4000119e>,
+- <MX91_PAD_SD1_DATA1__USDHC1_DATA1 0x4000119e>,
+- <MX91_PAD_SD1_DATA2__USDHC1_DATA2 0x4000119e>,
+- <MX91_PAD_SD1_DATA3__USDHC1_DATA3 0x4000119e>,
+- <MX91_PAD_SD1_DATA4__USDHC1_DATA4 0x4000119e>,
+- <MX91_PAD_SD1_DATA5__USDHC1_DATA5 0x4000119e>,
+- <MX91_PAD_SD1_DATA6__USDHC1_DATA6 0x4000119e>,
+- <MX91_PAD_SD1_DATA7__USDHC1_DATA7 0x4000119e>;
++ <MX91_PAD_SD1_DATA0__USDHC1_DATA0 0x4000139e>,
++ <MX91_PAD_SD1_DATA1__USDHC1_DATA1 0x4000139e>,
++ <MX91_PAD_SD1_DATA2__USDHC1_DATA2 0x4000139e>,
++ <MX91_PAD_SD1_DATA3__USDHC1_DATA3 0x4000139e>,
++ <MX91_PAD_SD1_DATA4__USDHC1_DATA4 0x4000139e>,
++ <MX91_PAD_SD1_DATA5__USDHC1_DATA5 0x4000139e>,
++ <MX91_PAD_SD1_DATA6__USDHC1_DATA6 0x4000139e>,
++ <MX91_PAD_SD1_DATA7__USDHC1_DATA7 0x4000139e>;
+ };
+
+ pinctrl_wdog: wdoggrp {
+--
+2.53.0
+
--- /dev/null
+From 2dcf28e0a81ab21a613794825f0c358c73f18745 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Feb 2026 19:23:08 +0800
+Subject: arm64: dts: imx93-9x9-qsb: change usdhc tuning step for eMMC and SD
+
+From: Luke Wang <ziniu.wang_1@nxp.com>
+
+[ Upstream commit 08903184553def7ba1ad6ba4fa8afe1ba2ee0a21 ]
+
+During system resume, the following errors occurred:
+
+ [ 430.638625] mmc1: error -84 writing Cache Enable bit
+ [ 430.643618] mmc1: error -84 doing runtime resume
+
+For eMMC and SD, there are two tuning pass windows and the gap between
+those two windows may only have one cell. If tuning step > 1, the gap may
+just be skipped and host assumes those two windows as a continuous
+windows. This will cause a wrong delay cell near the gap to be selected.
+
+Set the tuning step to 1 to avoid selecting the wrong delay cell.
+
+For SDIO, the gap is sufficiently large, so the default tuning step does
+not cause this issue.
+
+Fixes: 0565d20cd8c2 ("arm64: dts: freescale: Support i.MX93 9x9 Quick Start Board")
+Signed-off-by: Luke Wang <ziniu.wang_1@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts b/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts
+index 0852067eab2cb..197c8f8b7f669 100644
+--- a/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts
++++ b/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts
+@@ -507,6 +507,7 @@ &usdhc1 {
+ pinctrl-2 = <&pinctrl_usdhc1_200mhz>;
+ bus-width = <8>;
+ non-removable;
++ fsl,tuning-step = <1>;
+ status = "okay";
+ };
+
+@@ -519,6 +520,7 @@ &usdhc2 {
+ vmmc-supply = <®_usdhc2_vmmc>;
+ bus-width = <4>;
+ no-mmc;
++ fsl,tuning-step = <1>;
+ status = "okay";
+ };
+
+--
+2.53.0
+
--- /dev/null
+From 0e8f1ab308fa1b5288750befad0686ad5d4b4c2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Feb 2026 16:50:14 +0100
+Subject: arm64: dts: imx93-tqma9352: improve eMMC pad configuration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Markus Niebel <Markus.Niebel@ew.tq-group.com>
+
+[ Upstream commit b6c94c71f349479b76fcc0ef0dc7147f3f326dff ]
+
+Use DSE x4 an PullUp for CMD an DAT, DSE x4 and PullDown for CLK to improve
+stability and detection at low temperatures under -25°C.
+
+Fixes: 0b5fdfaa8e45 ("arm64: dts: freescale: imx93-tqma9352: set SION for cmd and data pad of USDHC")
+Signed-off-by: Markus Niebel <Markus.Niebel@ew.tq-group.com>
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/freescale/imx93-tqma9352.dtsi | 26 +++++++++----------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi
+index 3a23e2eb9febe..ce34a296495c4 100644
+--- a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi
+@@ -271,21 +271,21 @@ MX93_PAD_SD2_RESET_B__GPIO3_IO07 0x106
+ /* enable SION for data and cmd pad due to ERR052021 */
+ pinctrl_usdhc1: usdhc1grp {
+ fsl,pins = <
+- /* PD | FSEL 3 | DSE X5 */
+- MX93_PAD_SD1_CLK__USDHC1_CLK 0x5be
++ /* PD | FSEL 3 | DSE X4 */
++ MX93_PAD_SD1_CLK__USDHC1_CLK 0x59e
+ /* HYS | FSEL 0 | no drive */
+ MX93_PAD_SD1_STROBE__USDHC1_STROBE 0x1000
+- /* HYS | FSEL 3 | X5 */
+- MX93_PAD_SD1_CMD__USDHC1_CMD 0x400011be
+- /* HYS | FSEL 3 | X4 */
+- MX93_PAD_SD1_DATA0__USDHC1_DATA0 0x4000119e
+- MX93_PAD_SD1_DATA1__USDHC1_DATA1 0x4000119e
+- MX93_PAD_SD1_DATA2__USDHC1_DATA2 0x4000119e
+- MX93_PAD_SD1_DATA3__USDHC1_DATA3 0x4000119e
+- MX93_PAD_SD1_DATA4__USDHC1_DATA4 0x4000119e
+- MX93_PAD_SD1_DATA5__USDHC1_DATA5 0x4000119e
+- MX93_PAD_SD1_DATA6__USDHC1_DATA6 0x4000119e
+- MX93_PAD_SD1_DATA7__USDHC1_DATA7 0x4000119e
++ /* HYS | PU | FSEL 3 | DSE X4 */
++ MX93_PAD_SD1_CMD__USDHC1_CMD 0x4000139e
++ /* HYS | PU | FSEL 3 | DSE X4 */
++ MX93_PAD_SD1_DATA0__USDHC1_DATA0 0x4000139e
++ MX93_PAD_SD1_DATA1__USDHC1_DATA1 0x4000139e
++ MX93_PAD_SD1_DATA2__USDHC1_DATA2 0x4000139e
++ MX93_PAD_SD1_DATA3__USDHC1_DATA3 0x4000139e
++ MX93_PAD_SD1_DATA4__USDHC1_DATA4 0x4000139e
++ MX93_PAD_SD1_DATA5__USDHC1_DATA5 0x4000139e
++ MX93_PAD_SD1_DATA6__USDHC1_DATA6 0x4000139e
++ MX93_PAD_SD1_DATA7__USDHC1_DATA7 0x4000139e
+ >;
+ };
+
+--
+2.53.0
+
--- /dev/null
+From 2847d8e6fb20429a445db8e73548f2c012d7da1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Feb 2026 20:44:58 +0800
+Subject: arm64: dts: qcom: hamoa/x1: fix idle exit latency
+
+From: Daniel J Blueman <daniel@quora.org>
+
+[ Upstream commit 3ecea84d2b90bbf934d5ca75514fa902fd71e03f ]
+
+Designs based on the Qualcomm X1 Hamoa reference platform report:
+driver: Idle state 1 target residency too low
+
+This is because the declared X1 idle entry plus exit latency of 680us
+exceeds the declared minimum 600us residency time:
+ entry-latency-us = <180>;
+ exit-latency-us = <500>;
+ min-residency-us = <600>;
+
+Fix this to be 320us so the sum of the entry and exit latencies matches
+the downstream 500us exit latency, as directed by Maulik.
+
+Tested on a Lenovo Yoga Slim 7x with Qualcomm X1E-80-100.
+
+Fixes: 2e65616ef07f ("arm64: dts: qcom: x1e80100: Update C4/C5 residency/exit numbers")
+Signed-off-by: Daniel J Blueman <daniel@quora.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20260220124626.8611-1-daniel@quora.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/hamoa.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/hamoa.dtsi b/arch/arm64/boot/dts/qcom/hamoa.dtsi
+index 9e0934b302c3e..f1ebb99d94241 100644
+--- a/arch/arm64/boot/dts/qcom/hamoa.dtsi
++++ b/arch/arm64/boot/dts/qcom/hamoa.dtsi
+@@ -269,7 +269,7 @@ cluster_c4: cpu-sleep-0 {
+ idle-state-name = "ret";
+ arm,psci-suspend-param = <0x00000004>;
+ entry-latency-us = <180>;
+- exit-latency-us = <500>;
++ exit-latency-us = <320>;
+ min-residency-us = <600>;
+ };
+ };
+--
+2.53.0
+
--- /dev/null
+From eb238addb7a241cf77b682bddb4e048ab22a10cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Feb 2026 16:56:11 +0100
+Subject: arm64: dts: qcom: monaco: Fix UART10 pinconf
+
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+
+[ Upstream commit 5b2a16ab0dbd090dc545c05ee79a077cc7a9c1e0 ]
+
+UART10 RTS and TX pins were incorrectly mapped to gpio84 and gpio85.
+Correct them to gpio85 (RTS) and gpio86 (TX) to match the hardware
+I/O mapping.
+
+Fixes: 467284a3097f ("arm64: dts: qcom: qcs8300: Add QUPv3 configuration")
+Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20260202155611.1568-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/monaco.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/monaco.dtsi b/arch/arm64/boot/dts/qcom/monaco.dtsi
+index 816fa2af8a9a6..f74045be62420 100644
+--- a/arch/arm64/boot/dts/qcom/monaco.dtsi
++++ b/arch/arm64/boot/dts/qcom/monaco.dtsi
+@@ -5437,12 +5437,12 @@ qup_uart10_cts: qup-uart10-cts-state {
+ };
+
+ qup_uart10_rts: qup-uart10-rts-state {
+- pins = "gpio84";
++ pins = "gpio85";
+ function = "qup1_se2";
+ };
+
+ qup_uart10_tx: qup-uart10-tx-state {
+- pins = "gpio85";
++ pins = "gpio86";
+ function = "qup1_se2";
+ };
+
+--
+2.53.0
+
--- /dev/null
+From 0453e536daf7161baa773fd5e79041e345634714 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Mar 2026 15:26:03 +0100
+Subject: arm64: dts: qcom: monaco: Reserve full Gunyah metadata region
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+
+[ Upstream commit 85d98669fa7f1d3041d962515e45ee6e392db6f8 ]
+
+We observe spurious "Synchronous External Abort" exceptions
+(ESR=0x96000010) and kernel crashes on Monaco-based platforms.
+These faults are caused by the kernel inadvertently accessing
+hypervisor-owned memory that is not properly marked as reserved.
+
+>From boot log, The Qualcomm hypervisor reports the memory range
+at 0x91a80000 of size 0x80000 (512 KiB) as hypervisor-owned:
+qhee_hyp_assign_remove_memory: 0x91a80000/0x80000 -> ret 0
+
+However, the EFI memory map provided by firmware only reserves the
+subrange 0x91a40000–0x91a87fff (288 KiB). The remaining portion
+(0x91a88000–0x91afffff) is incorrectly reported as conventional
+memory (from efi debug):
+efi: 0x000091a40000-0x000091a87fff [Reserved...]
+efi: 0x000091a88000-0x0000938fffff [Conventional...]
+
+As a result, the allocator may hand out PFNs inside the hypervisor
+owned region, causing fatal aborts when the kernel accesses those
+addresses.
+
+Add a reserved-memory carveout for the Gunyah hypervisor metadata
+at 0x91a80000 (512 KiB) and mark it as no-map so Linux does not
+map or allocate from this area.
+
+For the record:
+Hyp version: gunyah-e78adb36e debug (2025-11-17 05:38:05 UTC)
+UEFI Ver: 6.0.260122.BOOT.MXF.1.0.c1-00449-KODIAKLA-1
+
+Fixes: 7be190e4bdd2 ("arm64: dts: qcom: add QCS8300 platform")
+Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20260302142603.1113355-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/monaco.dtsi | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/monaco.dtsi b/arch/arm64/boot/dts/qcom/monaco.dtsi
+index f74045be62420..a407f80bc5e1f 100644
+--- a/arch/arm64/boot/dts/qcom/monaco.dtsi
++++ b/arch/arm64/boot/dts/qcom/monaco.dtsi
+@@ -757,6 +757,11 @@ smem_mem: smem@90900000 {
+ hwlocks = <&tcsr_mutex 3>;
+ };
+
++ gunyah_md_mem: gunyah-md-region@91a80000 {
++ reg = <0x0 0x91a80000 0x0 0x80000>;
++ no-map;
++ };
++
+ lpass_machine_learning_mem: lpass-machine-learning-region@93b00000 {
+ reg = <0x0 0x93b00000 0x0 0xf00000>;
+ no-map;
+--
+2.53.0
+
--- /dev/null
+From 2edd24bc6a2b022d2c7aad63c28ebd203e1282b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Feb 2026 14:32:20 +0530
+Subject: arm64: dts: qcom: qcm6490-idp: Fix WCD9370 reset GPIO polarity
+
+From: Ravi Hothi <ravi.hothi@oss.qualcomm.com>
+
+[ Upstream commit b7df21c59739cceb7b866c6c5e8a6ba03875ab71 ]
+
+The WCD9370 audio codec reset line on QCM6490 IDP should be active-low, but
+the device tree described it as active-high. As a result, the codec is
+kept in reset and fails to reset the SoundWire, leading to timeouts
+and ASoC card probe failure (-ETIMEDOUT).
+
+Fix the reset GPIO polarity to GPIO_ACTIVE_LOW so the codec can properly
+initialize.
+
+Fixes: aa04c298619f ("arm64: dts: qcom: qcm6490-idp: Add WSA8830 speakers and WCD9370 headset codec")
+Signed-off-by: Ravi Hothi <ravi.hothi@oss.qualcomm.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20260220090220.2992193-1-ravi.hothi@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/qcm6490-idp.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/qcm6490-idp.dts b/arch/arm64/boot/dts/qcom/qcm6490-idp.dts
+index 089a027c57d5c..b2f00e107643d 100644
+--- a/arch/arm64/boot/dts/qcom/qcm6490-idp.dts
++++ b/arch/arm64/boot/dts/qcom/qcm6490-idp.dts
+@@ -177,7 +177,7 @@ wcd9370: audio-codec-0 {
+ pinctrl-0 = <&wcd_default>;
+ pinctrl-names = "default";
+
+- reset-gpios = <&tlmm 83 GPIO_ACTIVE_HIGH>;
++ reset-gpios = <&tlmm 83 GPIO_ACTIVE_LOW>;
+
+ vdd-buck-supply = <&vreg_l17b_1p7>;
+ vdd-rxtx-supply = <&vreg_l18b_1p8>;
+--
+2.53.0
+
--- /dev/null
+From 85b64988db22a6c1d12c2d4ddb832bb765ee64e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Mar 2026 01:33:21 +0900
+Subject: ASoC: amd: acp: add ASUS HN7306EA quirk for legacy SDW machine
+
+From: Hasun Park <hasunpark@gmail.com>
+
+[ Upstream commit 2594196f4e3bd70782e7cf1e22e3e398cdb74f78 ]
+
+Add a DMI quirk entry for ASUS HN7306EA in the ACP SoundWire legacy
+machine driver.
+
+Set driver_data to ASOC_SDW_ACP_DMIC for this board so the
+platform-specific DMIC quirk path is selected.
+
+Signed-off-by: Hasun Park <hasunpark@gmail.com>
+Link: https://patch.msgid.link/20260319163321.30326-1-hasunpark@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/acp/acp-sdw-legacy-mach.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/sound/soc/amd/acp/acp-sdw-legacy-mach.c b/sound/soc/amd/acp/acp-sdw-legacy-mach.c
+index 4f92de33a71a0..2e0f751afe250 100644
+--- a/sound/soc/amd/acp/acp-sdw-legacy-mach.c
++++ b/sound/soc/amd/acp/acp-sdw-legacy-mach.c
+@@ -111,6 +111,14 @@ static const struct dmi_system_id soc_sdw_quirk_table[] = {
+ },
+ .driver_data = (void *)(ASOC_SDW_CODEC_SPKR),
+ },
++ {
++ .callback = soc_sdw_quirk_cb,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HN7306EA"),
++ },
++ .driver_data = (void *)(ASOC_SDW_ACP_DMIC),
++ },
+ {}
+ };
+
+--
+2.53.0
+
--- /dev/null
+From e4593b60f9f4cc820675a8326fcf1f22a1f43a27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2026 19:00:06 +0530
+Subject: ASoC: amd: acp: update DMI quirk and add ACP DMIC for Lenovo
+ platforms
+
+From: Syed Saba Kareem <Syed.SabaKareem@amd.com>
+
+[ Upstream commit 6b6f7263d626886a96fce6352f94dfab7a24c339 ]
+
+Replace DMI_EXACT_MATCH with DMI_MATCH for Lenovo SKU entries (21YW,
+21YX) so the quirk applies to all variants of these models, not just
+exact SKU matches.
+
+Add ASOC_SDW_ACP_DMIC flag alongside ASOC_SDW_CODEC_SPKR in driver_data
+for these Lenovo platform entries, as these platforms use ACP PDM DMIC
+instead of SoundWire DMIC for digital microphone support.
+
+Fixes: 3acf517e1ae0 ("ASoC: amd: amd_sdw: add machine driver quirk for Lenovo models")
+Tested-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Signed-off-by: Syed Saba Kareem <Syed.SabaKareem@amd.com>
+Reviewed-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
+Link: https://patch.msgid.link/20260408133029.1368317-1-syed.sabakareem@amd.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/acp/acp-sdw-legacy-mach.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/amd/acp/acp-sdw-legacy-mach.c b/sound/soc/amd/acp/acp-sdw-legacy-mach.c
+index 2e0f751afe250..9d67443672768 100644
+--- a/sound/soc/amd/acp/acp-sdw-legacy-mach.c
++++ b/sound/soc/amd/acp/acp-sdw-legacy-mach.c
+@@ -99,17 +99,17 @@ static const struct dmi_system_id soc_sdw_quirk_table[] = {
+ .callback = soc_sdw_quirk_cb,
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+- DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "21YW"),
++ DMI_MATCH(DMI_PRODUCT_SKU, "21YW"),
+ },
+- .driver_data = (void *)(ASOC_SDW_CODEC_SPKR),
++ .driver_data = (void *)((ASOC_SDW_CODEC_SPKR) | (ASOC_SDW_ACP_DMIC)),
+ },
+ {
+ .callback = soc_sdw_quirk_cb,
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+- DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "21YX"),
++ DMI_MATCH(DMI_PRODUCT_SKU, "21YX"),
+ },
+- .driver_data = (void *)(ASOC_SDW_CODEC_SPKR),
++ .driver_data = (void *)((ASOC_SDW_CODEC_SPKR) | (ASOC_SDW_ACP_DMIC)),
+ },
+ {
+ .callback = soc_sdw_quirk_cb,
+--
+2.53.0
+
--- /dev/null
+From 87f2a043abb61674f5c64f4f1aa1a54d26e083a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 02:43:48 +0100
+Subject: ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gilson Marquato Júnior <gilsonmandalogo@hotmail.com>
+
+[ Upstream commit 8ec017cf31299c4b6287ebe27afe81c986aeef88 ]
+
+The HP Laptop 15-fc0xxx (subsystem ID 0x103c8dc9) has an internal
+DMIC connected to the AMD ACP6x audio coprocessor. Add a DMI quirk
+entry so the internal microphone is properly detected on this model.
+
+Tested on HP Laptop 15-fc0237ns with Fedora 43 (kernel 6.19.9).
+
+Signed-off-by: Gilson Marquato Júnior <gilsonmandalogo@hotmail.com>
+Link: https://patch.msgid.link/20260330-hp-15-fc0xxx-dmic-v2-v1-1-6dd6f53a1917@hotmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index 6f1c105ca77e3..4c0acdad13ea1 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -45,6 +45,13 @@ static struct snd_soc_card acp6x_card = {
+ };
+
+ static const struct dmi_system_id yc_acp_quirk_table[] = {
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Laptop 15-fc0xxx"),
++ }
++ },
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+--
+2.53.0
+
--- /dev/null
+From f8ed14adef73d4f431d5da54b0f3939abfc100a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 21:25:12 +0700
+Subject: ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA
+
+From: Vee Satayamas <vsatayamas@gmail.com>
+
+[ Upstream commit f200b2f9a810c440c6750b56fc647b73337749a1 ]
+
+Add a DMI quirk for the Asus Expertbook BM1403CDA to resolve the issue of the
+internal microphone not being detected.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=221236
+Signed-off-by: Vee Satayamas <vsatayamas@gmail.com>
+Reviewed-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260315142511.66029-2-vsatayamas@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index 1324543b42d72..c536de1bb94ad 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -717,6 +717,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "PM1503CDA"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"),
++ }
++ },
+ {}
+ };
+
+--
+2.53.0
+
--- /dev/null
+From 1c9db30cd2bd699d67f29e2e25c957462c2cb049 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 16:02:18 +0800
+Subject: ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF
+
+From: Zhang Heng <zhangheng@kylinos.cn>
+
+[ Upstream commit 1f182ec9d7084db7dfdb2372d453c28f0e5c3f0a ]
+
+Add a DMI quirk for the Thin A15 B7VF fixing the issue where
+the internal microphone was not detected.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=220833
+Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260316080218.2931304-1-zhangheng@kylinos.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index c536de1bb94ad..6f1c105ca77e3 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -724,6 +724,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Thin A15 B7VE"),
++ }
++ },
+ {}
+ };
+
+--
+2.53.0
+
--- /dev/null
+From 2e0bbea1525c7fc77fee4acaf92bc98659f09e74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 10:54:58 +0200
+Subject: ASoC: Intel: avs: Fix memory leak in avs_register_i2s_test_boards()
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit c5408d818316061d6063c11a4f47f1ba25a3a708 ]
+
+Caller is responsible for freeing array allocated with
+parse_int_array().
+
+Found out by Coverity.
+
+Fixes: 7d859189de13 ("ASoC: Intel: avs: Allow to specify custom configurations with i2s_test")
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://patch.msgid.link/20260407085459.400628-1-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/board_selection.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/intel/avs/board_selection.c b/sound/soc/intel/avs/board_selection.c
+index 52e6266a7cb86..96dc637ccb20c 100644
+--- a/sound/soc/intel/avs/board_selection.c
++++ b/sound/soc/intel/avs/board_selection.c
+@@ -520,7 +520,8 @@ static int avs_register_i2s_test_boards(struct avs_dev *adev)
+ if (num_elems > max_ssps) {
+ dev_err(adev->dev, "board supports only %d SSP, %d specified\n",
+ max_ssps, num_elems);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto exit;
+ }
+
+ for (ssp_port = 0; ssp_port < num_elems; ssp_port++) {
+@@ -528,11 +529,13 @@ static int avs_register_i2s_test_boards(struct avs_dev *adev)
+ for_each_set_bit(tdm_slot, &tdm_slots, 16) {
+ ret = avs_register_i2s_test_board(adev, ssp_port, tdm_slot);
+ if (ret)
+- return ret;
++ goto exit;
+ }
+ }
+
+- return 0;
++exit:
++ kfree(array);
++ return ret;
+ }
+
+ static int avs_register_i2s_board(struct avs_dev *adev, struct snd_soc_acpi_mach *mach)
+--
+2.53.0
+
--- /dev/null
+From 396b7eacf9e178392860b90f285bc47ec154d3e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Dec 2025 15:36:49 +0000
+Subject: ASoC: SDCA: Add ASoC jack hookup in class driver
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit 99a3ef1e81cd1775bc1f8cc2ad188b1fc755d5cd ]
+
+Add the necessary calls to the class driver to connect the ASoC jack
+from the machine driver.
+
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://patch.msgid.link/20251215153650.3913117-4-ckeepax@opensource.cirrus.com
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: 4e53116437e9 ("ASoC: SDCA: Fix errors in IRQ cleanup")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sdca/sdca_class_function.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/sound/soc/sdca/sdca_class_function.c b/sound/soc/sdca/sdca_class_function.c
+index 0028482a1e752..416948cfb5cb9 100644
+--- a/sound/soc/sdca/sdca_class_function.c
++++ b/sound/soc/sdca/sdca_class_function.c
+@@ -19,6 +19,7 @@
+ #include <sound/sdca_fdl.h>
+ #include <sound/sdca_function.h>
+ #include <sound/sdca_interrupts.h>
++#include <sound/sdca_jack.h>
+ #include <sound/sdca_regmap.h>
+ #include <sound/sdw.h>
+ #include <sound/soc-component.h>
+@@ -195,6 +196,15 @@ static int class_function_component_probe(struct snd_soc_component *component)
+ return sdca_irq_populate(drv->function, component, core->irq_info);
+ }
+
++static int class_function_set_jack(struct snd_soc_component *component,
++ struct snd_soc_jack *jack, void *d)
++{
++ struct class_function_drv *drv = snd_soc_component_get_drvdata(component);
++ struct sdca_class_drv *core = drv->core;
++
++ return sdca_jack_set_jack(core->irq_info, jack);
++}
++
+ static const struct snd_soc_component_driver class_function_component_drv = {
+ .probe = class_function_component_probe,
+ .endianness = 1,
+@@ -351,6 +361,9 @@ static int class_function_probe(struct auxiliary_device *auxdev,
+ return dev_err_probe(dev, PTR_ERR(drv->regmap),
+ "failed to create regmap");
+
++ if (desc->type == SDCA_FUNCTION_TYPE_UAJ)
++ cmp_drv->set_jack = class_function_set_jack;
++
+ ret = sdca_asoc_populate_component(dev, drv->function, cmp_drv,
+ &dais, &num_dais,
+ &class_function_sdw_ops);
+--
+2.53.0
+
--- /dev/null
+From e32810cf7d569dc690ee9d2e0a99baefdec1542e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 14:14:49 +0000
+Subject: ASoC: SDCA: Fix errors in IRQ cleanup
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit 4e53116437e919c4b9a9d95fb73ae14fe0cfc8f9 ]
+
+IRQs are enabled through sdca_irq_populate() from component probe
+using devm_request_threaded_irq(), this however means the IRQs can
+persist if the sound card is torn down. Some of the IRQ handlers
+store references to the card and the kcontrols which can then
+fail. Some detail of the crash was explained in [1].
+
+Generally it is not advised to use devm outside of bus probe, so
+the code is updated to not use devm. The IRQ requests are not moved
+to bus probe time as it makes passing the snd_soc_component into
+the IRQs very awkward and would the require a second step once the
+component is available, so it is simpler to just register the IRQs
+at this point, even though that necessitates some manual cleanup.
+
+Link: https://lore.kernel.org/linux-sound/20260310183829.2907805-1-gaggery.tsai@intel.com/ [1]
+Fixes: b126394d9ec6 ("ASoC: SDCA: Generic interrupt support")
+Reported-by: Gaggery Tsai <gaggery.tsai@intel.com>
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://patch.msgid.link/20260316141449.2950215-1-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/sound/sdca_interrupts.h | 5 ++
+ sound/soc/sdca/sdca_class_function.c | 9 ++++
+ sound/soc/sdca/sdca_interrupts.c | 77 ++++++++++++++++++++++++++--
+ 3 files changed, 87 insertions(+), 4 deletions(-)
+
+diff --git a/include/sound/sdca_interrupts.h b/include/sound/sdca_interrupts.h
+index 8f13417d129ab..90651fea5b212 100644
+--- a/include/sound/sdca_interrupts.h
++++ b/include/sound/sdca_interrupts.h
+@@ -69,6 +69,8 @@ struct sdca_interrupt_info {
+ int sdca_irq_request(struct device *dev, struct sdca_interrupt_info *interrupt_info,
+ int sdca_irq, const char *name, irq_handler_t handler,
+ void *data);
++void sdca_irq_free(struct device *dev, struct sdca_interrupt_info *interrupt_info,
++ int sdca_irq, const char *name, void *data);
+ int sdca_irq_data_populate(struct device *dev, struct regmap *function_regmap,
+ struct snd_soc_component *component,
+ struct sdca_function_data *function,
+@@ -81,6 +83,9 @@ int sdca_irq_populate_early(struct device *dev, struct regmap *function_regmap,
+ int sdca_irq_populate(struct sdca_function_data *function,
+ struct snd_soc_component *component,
+ struct sdca_interrupt_info *info);
++void sdca_irq_cleanup(struct sdca_function_data *function,
++ struct snd_soc_component *component,
++ struct sdca_interrupt_info *info);
+ struct sdca_interrupt_info *sdca_irq_allocate(struct device *dev,
+ struct regmap *regmap, int irq);
+
+diff --git a/sound/soc/sdca/sdca_class_function.c b/sound/soc/sdca/sdca_class_function.c
+index 416948cfb5cb9..8b6b4ca998272 100644
+--- a/sound/soc/sdca/sdca_class_function.c
++++ b/sound/soc/sdca/sdca_class_function.c
+@@ -196,6 +196,14 @@ static int class_function_component_probe(struct snd_soc_component *component)
+ return sdca_irq_populate(drv->function, component, core->irq_info);
+ }
+
++static void class_function_component_remove(struct snd_soc_component *component)
++{
++ struct class_function_drv *drv = snd_soc_component_get_drvdata(component);
++ struct sdca_class_drv *core = drv->core;
++
++ sdca_irq_cleanup(drv->function, component, core->irq_info);
++}
++
+ static int class_function_set_jack(struct snd_soc_component *component,
+ struct snd_soc_jack *jack, void *d)
+ {
+@@ -207,6 +215,7 @@ static int class_function_set_jack(struct snd_soc_component *component,
+
+ static const struct snd_soc_component_driver class_function_component_drv = {
+ .probe = class_function_component_probe,
++ .remove = class_function_component_remove,
+ .endianness = 1,
+ };
+
+diff --git a/sound/soc/sdca/sdca_interrupts.c b/sound/soc/sdca/sdca_interrupts.c
+index 49b675e601433..be269f204d623 100644
+--- a/sound/soc/sdca/sdca_interrupts.c
++++ b/sound/soc/sdca/sdca_interrupts.c
+@@ -233,8 +233,7 @@ static int sdca_irq_request_locked(struct device *dev,
+ if (irq < 0)
+ return irq;
+
+- ret = devm_request_threaded_irq(dev, irq, NULL, handler,
+- IRQF_ONESHOT, name, data);
++ ret = request_threaded_irq(irq, NULL, handler, IRQF_ONESHOT, name, data);
+ if (ret)
+ return ret;
+
+@@ -245,6 +244,22 @@ static int sdca_irq_request_locked(struct device *dev,
+ return 0;
+ }
+
++static void sdca_irq_free_locked(struct device *dev, struct sdca_interrupt_info *info,
++ int sdca_irq, const char *name, void *data)
++{
++ int irq;
++
++ irq = regmap_irq_get_virq(info->irq_data, sdca_irq);
++ if (irq < 0)
++ return;
++
++ free_irq(irq, data);
++
++ info->irqs[sdca_irq].irq = 0;
++
++ dev_dbg(dev, "freed irq %d for %s\n", irq, name);
++}
++
+ /**
+ * sdca_irq_request - request an individual SDCA interrupt
+ * @dev: Pointer to the struct device against which things should be allocated.
+@@ -283,6 +298,30 @@ int sdca_irq_request(struct device *dev, struct sdca_interrupt_info *info,
+ }
+ EXPORT_SYMBOL_NS_GPL(sdca_irq_request, "SND_SOC_SDCA");
+
++/**
++ * sdca_irq_free - free an individual SDCA interrupt
++ * @dev: Pointer to the struct device.
++ * @info: Pointer to the interrupt information structure.
++ * @sdca_irq: SDCA interrupt position.
++ * @name: Name to be given to the IRQ.
++ * @data: Private data pointer that will be passed to the handler.
++ *
++ * Typically this is handled internally by sdca_irq_cleanup, however if
++ * a device requires custom IRQ handling this can be called manually before
++ * calling sdca_irq_cleanup, which will then skip that IRQ whilst processing.
++ */
++void sdca_irq_free(struct device *dev, struct sdca_interrupt_info *info,
++ int sdca_irq, const char *name, void *data)
++{
++ if (sdca_irq < 0 || sdca_irq >= SDCA_MAX_INTERRUPTS)
++ return;
++
++ guard(mutex)(&info->irq_lock);
++
++ sdca_irq_free_locked(dev, info, sdca_irq, name, data);
++}
++EXPORT_SYMBOL_NS_GPL(sdca_irq_free, "SND_SOC_SDCA");
++
+ /**
+ * sdca_irq_data_populate - Populate common interrupt data
+ * @dev: Pointer to the Function device.
+@@ -309,8 +348,8 @@ int sdca_irq_data_populate(struct device *dev, struct regmap *regmap,
+ if (!dev)
+ return -ENODEV;
+
+- name = devm_kasprintf(dev, GFP_KERNEL, "%s %s %s", function->desc->name,
+- entity->label, control->label);
++ name = kasprintf(GFP_KERNEL, "%s %s %s", function->desc->name,
++ entity->label, control->label);
+ if (!name)
+ return -ENOMEM;
+
+@@ -497,6 +536,36 @@ int sdca_irq_populate(struct sdca_function_data *function,
+ }
+ EXPORT_SYMBOL_NS_GPL(sdca_irq_populate, "SND_SOC_SDCA");
+
++/**
++ * sdca_irq_cleanup - Free all the individual IRQs for an SDCA Function
++ * @function: Pointer to the SDCA Function.
++ * @component: Pointer to the ASoC component for the Function.
++ * @info: Pointer to the SDCA interrupt info for this device.
++ *
++ * Typically this would be called from the driver for a single SDCA Function.
++ */
++void sdca_irq_cleanup(struct sdca_function_data *function,
++ struct snd_soc_component *component,
++ struct sdca_interrupt_info *info)
++{
++ struct device *dev = component->dev;
++ int i;
++
++ guard(mutex)(&info->irq_lock);
++
++ for (i = 0; i < SDCA_MAX_INTERRUPTS; i++) {
++ struct sdca_interrupt *interrupt = &info->irqs[i];
++
++ if (interrupt->function != function || !interrupt->irq)
++ continue;
++
++ sdca_irq_free_locked(dev, info, i, interrupt->name, interrupt);
++
++ kfree(interrupt->name);
++ }
++}
++EXPORT_SYMBOL_NS_GPL(sdca_irq_cleanup, "SND_SOC_SDCA");
++
+ /**
+ * sdca_irq_allocate - allocate an SDCA interrupt structure for a device
+ * @sdev: Device pointer against which things should be allocated.
+--
+2.53.0
+
--- /dev/null
+From ca0e8a369d6c7003b86c7411d43cdb1c7f27af87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2026 10:38:31 +0100
+Subject: ASoC: SDCA: Fix overwritten var within for loop
+
+From: Maciej Strozek <mstrozek@opensource.cirrus.com>
+
+[ Upstream commit 23e0cbe55736de222ed975863cf06baf29bee5fe ]
+
+mask variable should not be overwritten within the for loop or it will
+skip certain bits. Change to using BIT() macro.
+
+Fixes: b9ab3b618241 ("ASoC: SDCA: Add some initial IRQ handlers")
+Signed-off-by: Maciej Strozek <mstrozek@opensource.cirrus.com>
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://patch.msgid.link/20260408093835.2881486-2-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sdca/sdca_interrupts.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/sound/soc/sdca/sdca_interrupts.c b/sound/soc/sdca/sdca_interrupts.c
+index be269f204d623..4739fabb75f23 100644
+--- a/sound/soc/sdca/sdca_interrupts.c
++++ b/sound/soc/sdca/sdca_interrupts.c
+@@ -117,9 +117,7 @@ static irqreturn_t function_status_handler(int irq, void *data)
+
+ status = val;
+ for_each_set_bit(mask, &status, BITS_PER_BYTE) {
+- mask = 1 << mask;
+-
+- switch (mask) {
++ switch (BIT(mask)) {
+ case SDCA_CTL_ENTITY_0_FUNCTION_NEEDS_INITIALIZATION:
+ //FIXME: Add init writes
+ break;
+--
+2.53.0
+
--- /dev/null
+From 98095437f7bf05cba1ee011a486b585c4f44ee62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2026 10:38:34 +0100
+Subject: ASoC: SDCA: Unregister IRQ handlers on module remove
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 0b8757b220f94421bd4ff50cce03886387c4e71c ]
+
+Ensure that all interrupt handlers are unregistered before the parent
+regmap_irq is unregistered.
+
+sdca_irq_cleanup() was only called from the component_remove(). If the
+module was loaded and removed without ever being component probed the
+FDL interrupts would not be unregistered and this would hit a WARN
+when devm called regmap_del_irq_chip() during the removal of the
+parent IRQ.
+
+Fixes: 4e53116437e9 ("ASoC: SDCA: Fix errors in IRQ cleanup")
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://patch.msgid.link/20260408093835.2881486-5-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/sound/sdca_interrupts.h | 4 ++--
+ sound/soc/sdca/sdca_class_function.c | 10 +++++++++-
+ sound/soc/sdca/sdca_interrupts.c | 7 +++----
+ 3 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/include/sound/sdca_interrupts.h b/include/sound/sdca_interrupts.h
+index 90651fea5b212..109e7826ce38c 100644
+--- a/include/sound/sdca_interrupts.h
++++ b/include/sound/sdca_interrupts.h
+@@ -83,8 +83,8 @@ int sdca_irq_populate_early(struct device *dev, struct regmap *function_regmap,
+ int sdca_irq_populate(struct sdca_function_data *function,
+ struct snd_soc_component *component,
+ struct sdca_interrupt_info *info);
+-void sdca_irq_cleanup(struct sdca_function_data *function,
+- struct snd_soc_component *component,
++void sdca_irq_cleanup(struct device *dev,
++ struct sdca_function_data *function,
+ struct sdca_interrupt_info *info);
+ struct sdca_interrupt_info *sdca_irq_allocate(struct device *dev,
+ struct regmap *regmap, int irq);
+diff --git a/sound/soc/sdca/sdca_class_function.c b/sound/soc/sdca/sdca_class_function.c
+index 8b6b4ca998272..92600f419db43 100644
+--- a/sound/soc/sdca/sdca_class_function.c
++++ b/sound/soc/sdca/sdca_class_function.c
+@@ -201,7 +201,7 @@ static void class_function_component_remove(struct snd_soc_component *component)
+ struct class_function_drv *drv = snd_soc_component_get_drvdata(component);
+ struct sdca_class_drv *core = drv->core;
+
+- sdca_irq_cleanup(drv->function, component, core->irq_info);
++ sdca_irq_cleanup(component->dev, drv->function, core->irq_info);
+ }
+
+ static int class_function_set_jack(struct snd_soc_component *component,
+@@ -402,6 +402,13 @@ static int class_function_probe(struct auxiliary_device *auxdev,
+ return 0;
+ }
+
++static void class_function_remove(struct auxiliary_device *auxdev)
++{
++ struct class_function_drv *drv = auxiliary_get_drvdata(auxdev);
++
++ sdca_irq_cleanup(drv->dev, drv->function, drv->core->irq_info);
++}
++
+ static int class_function_runtime_suspend(struct device *dev)
+ {
+ struct auxiliary_device *auxdev = to_auxiliary_dev(dev);
+@@ -473,6 +480,7 @@ static struct auxiliary_driver class_function_drv = {
+ },
+
+ .probe = class_function_probe,
++ .remove = class_function_remove,
+ .id_table = class_function_id_table
+ };
+ module_auxiliary_driver(class_function_drv);
+diff --git a/sound/soc/sdca/sdca_interrupts.c b/sound/soc/sdca/sdca_interrupts.c
+index 4739fabb75f23..76f50a0f6b0ef 100644
+--- a/sound/soc/sdca/sdca_interrupts.c
++++ b/sound/soc/sdca/sdca_interrupts.c
+@@ -536,17 +536,16 @@ EXPORT_SYMBOL_NS_GPL(sdca_irq_populate, "SND_SOC_SDCA");
+
+ /**
+ * sdca_irq_cleanup - Free all the individual IRQs for an SDCA Function
++ * @sdev: Device pointer against which the sdca_interrupt_info was allocated.
+ * @function: Pointer to the SDCA Function.
+- * @component: Pointer to the ASoC component for the Function.
+ * @info: Pointer to the SDCA interrupt info for this device.
+ *
+ * Typically this would be called from the driver for a single SDCA Function.
+ */
+-void sdca_irq_cleanup(struct sdca_function_data *function,
+- struct snd_soc_component *component,
++void sdca_irq_cleanup(struct device *dev,
++ struct sdca_function_data *function,
+ struct sdca_interrupt_info *info)
+ {
+- struct device *dev = component->dev;
+ int i;
+
+ guard(mutex)(&info->irq_lock);
+--
+2.53.0
+
--- /dev/null
+From 6ec9ec9ed137e7452506588e7d2526213131db23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 02:43:54 +0000
+Subject: ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit b9eff9732cb0f86a68c9d1592a98ceab47c01e95 ]
+
+Component has "card_aux_list" which is added/deled in bind/unbind aux dev
+function (A), and used in for_each_card_auxs() loop (B).
+
+ static void soc_unbind_aux_dev(...)
+ {
+ ...
+ for_each_card_auxs_safe(...) {
+ ...
+(A) list_del(&component->card_aux_list);
+ } ^^^^^^^^^^^^^
+ }
+
+ static int soc_bind_aux_dev(...)
+ {
+ ...
+ for_each_card_pre_auxs(...) {
+ ...
+(A) list_add(&component->card_aux_list, ...);
+ } ^^^^^^^^^^^^^
+ ...
+ }
+
+ #define for_each_card_auxs(card, component) \
+(B) list_for_each_entry(component, ..., card_aux_list)
+ ^^^^^^^^^^^^^
+
+But it has been used without calling INIT_LIST_HEAD().
+
+ > git grep card_aux_list sound/soc
+ sound/soc/soc-core.c: list_del(&component->card_aux_list);
+ sound/soc/soc-core.c: list_add(&component->card_aux_list, ...);
+
+call missing INIT_LIST_HEAD() for it.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://patch.msgid.link/87341mxa8l.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index 23ba821cd759d..c9a6471661ad7 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -2849,6 +2849,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component,
+ INIT_LIST_HEAD(&component->dobj_list);
+ INIT_LIST_HEAD(&component->card_list);
+ INIT_LIST_HEAD(&component->list);
++ INIT_LIST_HEAD(&component->card_aux_list);
+ mutex_init(&component->io_mutex);
+
+ if (!component->name) {
+--
+2.53.0
+
--- /dev/null
+From 3ec708ca49b113ab670673cc4b6c77f1a0201779 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 14:45:30 +0800
+Subject: ASoC: SOF: Intel: Fix endpoint index if endpoints are missing
+
+From: Maciej Strozek <mstrozek@opensource.cirrus.com>
+
+[ Upstream commit 86facd80a2a37536937f06de637abf9e8cabdb4b ]
+
+In case of missing endpoints, the sequential numbering will cause wrong
+mapping. Instead, assign the original DAI index from codec_info_list.
+
+Fixes: 5226d19d4cae ("ASoC: SOF: Intel: use sof_sdw as default SDW machine driver")
+Signed-off-by: Maciej Strozek <mstrozek@opensource.cirrus.com>
+Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Link: https://patch.msgid.link/20260402064531.2287261-2-yung-chuan.liao@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/intel/hda.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/intel/hda.c b/sound/soc/sof/intel/hda.c
+index 686ecc040867a..882198308319e 100644
+--- a/sound/soc/sof/intel/hda.c
++++ b/sound/soc/sof/intel/hda.c
+@@ -1197,7 +1197,7 @@ static struct snd_soc_acpi_adr_device *find_acpi_adr_device(struct device *dev,
+ codec_info_list[i].dais[j].dai_type))
+ continue;
+
+- endpoints[ep_index].num = ep_index;
++ endpoints[ep_index].num = j;
+ if (codec_info_list[i].dais[j].dai_type == SOC_SDW_DAI_TYPE_AMP) {
+ /* Assume all amp are aggregated */
+ endpoints[ep_index].aggregated = 1;
+--
+2.53.0
+
--- /dev/null
+From bac89407d9aa202a573164c14036e91b77606302 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 14:45:31 +0800
+Subject: ASoC: SOF: Intel: fix iteration in is_endpoint_present()
+
+From: Maciej Strozek <mstrozek@opensource.cirrus.com>
+
+[ Upstream commit 1de6ddcddc954a69f96b1c23205e03ddd603e3c8 ]
+
+is_endpoint_present() iterates over sdca_data.num_functions, but checks
+the dai_type according to codec info list, which will cause problems if
+not all endpoints from the codec info list are present. Make sure the
+type of actually present functions is compared against target dai_type.
+
+Fixes: 5226d19d4cae ("ASoC: SOF: Intel: use sof_sdw as default SDW machine driver")
+Signed-off-by: Maciej Strozek <mstrozek@opensource.cirrus.com>
+Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Link: https://patch.msgid.link/20260402064531.2287261-3-yung-chuan.liao@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/intel/hda.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/sof/intel/hda.c b/sound/soc/sof/intel/hda.c
+index 882198308319e..b039306454da2 100644
+--- a/sound/soc/sof/intel/hda.c
++++ b/sound/soc/sof/intel/hda.c
+@@ -1133,13 +1133,12 @@ static void hda_generic_machine_select(struct snd_sof_dev *sdev,
+
+ #if IS_ENABLED(CONFIG_SND_SOC_SOF_INTEL_SOUNDWIRE)
+
+-static bool is_endpoint_present(struct sdw_slave *sdw_device,
+- struct asoc_sdw_codec_info *dai_info, int dai_type)
++static bool is_endpoint_present(struct sdw_slave *sdw_device, int dai_type)
+ {
+ int i;
+
+ for (i = 0; i < sdw_device->sdca_data.num_functions; i++) {
+- if (dai_type == dai_info->dais[i].dai_type)
++ if (dai_type == asoc_sdw_get_dai_type(sdw_device->sdca_data.function[i].type))
+ return true;
+ }
+ dev_dbg(&sdw_device->dev, "Endpoint DAI type %d not found\n", dai_type);
+@@ -1193,8 +1192,7 @@ static struct snd_soc_acpi_adr_device *find_acpi_adr_device(struct device *dev,
+ }
+ for (j = 0; j < codec_info_list[i].dai_num; j++) {
+ /* Check if the endpoint is present by the SDCA DisCo table */
+- if (!is_endpoint_present(sdw_device, &codec_info_list[i],
+- codec_info_list[i].dais[j].dai_type))
++ if (!is_endpoint_present(sdw_device, codec_info_list[i].dais[j].dai_type))
+ continue;
+
+ endpoints[ep_index].num = j;
+--
+2.53.0
+
--- /dev/null
+From 959f73247d66f3577fa23fc815b765f9772f31fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 21:45:26 -0300
+Subject: ASoC: SOF: topology: reject invalid vendor array size in token parser
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+[ Upstream commit 215e5fe75881a7e2425df04aeeed47a903d5cd5d ]
+
+sof_parse_token_sets() accepts array->size values that can be invalid
+for a vendor tuple array header. In particular, a zero size does not
+advance the parser state and can lead to non-progress parsing on
+malformed topology data.
+
+Validate array->size against the minimum header size and reject values
+smaller than sizeof(*array) before parsing. This preserves behavior for
+valid topologies and hardens malformed-input handling.
+
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
+index 9bf8ab610a7ea..8880ac5d8d6ff 100644
+--- a/sound/soc/sof/topology.c
++++ b/sound/soc/sof/topology.c
+@@ -736,7 +736,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
+ asize = le32_to_cpu(array->size);
+
+ /* validate asize */
+- if (asize < 0) { /* FIXME: A zero-size array makes no sense */
++ if (asize < sizeof(*array)) {
+ dev_err(scomp->dev, "error: invalid array size 0x%x\n",
+ asize);
+ return -EINVAL;
+--
+2.53.0
+
--- /dev/null
+From f6e9ece807f030e4a2b7ec7f4dbaf057b69797db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2026 10:40:56 +0200
+Subject: ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
+
+From: Tomasz Merta <tomasz.merta@arrow.com>
+
+[ Upstream commit 0669631dbccd41cf3ca7aa70213fcd8bb41c4b38 ]
+
+The STM32 SAI driver do not set the clock strobing bit (CKSTR) for DSP_A,
+DSP_B and LEFT_J formats, causing data to be sampled on the wrong BCLK
+edge when SND_SOC_DAIFMT_NB_NF is used.
+
+Per ALSA convention, NB_NF requires sampling on the rising BCLK edge.
+The STM32MP25 SAI reference manual states that CKSTR=1 is required for
+signals received by the SAI to be sampled on the SCK rising edge.
+Without setting CKSTR=1, the SAI samples on the falling edge, violating
+the NB_NF convention. For comparison, the NXP FSL SAI driver correctly
+sets FSL_SAI_CR2_BCP for DSP_A, DSP_B and LEFT_J, consistent with its
+I2S handling.
+
+This patch adds SAI_XCR1_CKSTR for DSP_A, DSP_B and LEFT_J in
+stm32_sai_set_dai_fmt which was verified empirically with a cs47l35 codec.
+RIGHT_J (LSB) is not investigated and addressed by this patch.
+
+Note: the STM32 I2S driver (stm32_i2s_set_dai_fmt) may have the same issue
+for DSP_A mode, as I2S_CGFR_CKPOL is not set. This has not been verified
+and is left for a separate investigation.
+
+Signed-off-by: Tomasz Merta <tommerta@gmail.com>
+Link: https://patch.msgid.link/20260408084056.20588-1-tommerta@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/stm/stm32_sai_sub.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c
+index 450e1585edeee..3e82fa90e719a 100644
+--- a/sound/soc/stm/stm32_sai_sub.c
++++ b/sound/soc/stm/stm32_sai_sub.c
+@@ -802,6 +802,7 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt)
+ break;
+ /* Left justified */
+ case SND_SOC_DAIFMT_MSB:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF;
+ break;
+ /* Right justified */
+@@ -809,9 +810,11 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt)
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF;
+ break;
+ case SND_SOC_DAIFMT_DSP_A:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSOFF;
+ break;
+ case SND_SOC_DAIFMT_DSP_B:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL;
+ break;
+ default:
+--
+2.53.0
+
--- /dev/null
+From 7ae0ba794dc1950c282bdf174a87d10fef8962be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 15:23:35 -0700
+Subject: ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585
+
+From: Arthur Husband <artmoty@gmail.com>
+
+[ Upstream commit 105c42566a550e2d05fc14f763216a8765ee5d0e ]
+
+The JMicron JMB585 (and JMB582) SATA controllers advertise 64-bit DMA
+support via the S64A bit in the AHCI CAP register, but their 64-bit DMA
+implementation is defective. Under sustained I/O, DMA transfers targeting
+addresses above 4GB silently corrupt data -- writes land at incorrect
+memory addresses with no errors logged.
+
+The failure pattern is similar to the ASMedia ASM1061
+(commit 20730e9b2778 ("ahci: add 43-bit DMA address quirk for ASMedia
+ASM1061 controllers")), which also falsely advertised full 64-bit DMA
+support. However, the JMB585 requires a stricter 32-bit DMA mask rather
+than 43-bit, as corruption occurs with any address above 4GB.
+
+On the Minisforum N5 Pro specifically, the combination of the JMB585's
+broken 64-bit DMA with the AMD Family 1Ah (Strix Point) IOMMU causes
+silent data corruption that is only detectable via checksumming
+filesystems (BTRFS/ZFS scrub). The corruption occurs when 32-bit IOVA
+space is exhausted and the kernel transparently switches to 64-bit DMA
+addresses.
+
+Add device-specific PCI ID entries for the JMB582 (0x0582) and JMB585
+(0x0585) before the generic JMicron class match, using a new board type
+that combines AHCI_HFLAG_IGN_IRQ_IF_ERR (preserving existing behavior)
+with AHCI_HFLAG_32BIT_ONLY to force 32-bit DMA masks.
+
+Signed-off-by: Arthur Husband <artmoty@gmail.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/ahci.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index 931d0081169b9..1d73a53370cf3 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -68,6 +68,7 @@ enum board_ids {
+ /* board IDs for specific chipsets in alphabetical order */
+ board_ahci_al,
+ board_ahci_avn,
++ board_ahci_jmb585,
+ board_ahci_mcp65,
+ board_ahci_mcp77,
+ board_ahci_mcp89,
+@@ -212,6 +213,15 @@ static const struct ata_port_info ahci_port_info[] = {
+ .udma_mask = ATA_UDMA6,
+ .port_ops = &ahci_avn_ops,
+ },
++ /* JMicron JMB582/585: 64-bit DMA is broken, force 32-bit */
++ [board_ahci_jmb585] = {
++ AHCI_HFLAGS (AHCI_HFLAG_IGN_IRQ_IF_ERR |
++ AHCI_HFLAG_32BIT_ONLY),
++ .flags = AHCI_FLAG_COMMON,
++ .pio_mask = ATA_PIO4,
++ .udma_mask = ATA_UDMA6,
++ .port_ops = &ahci_ops,
++ },
+ [board_ahci_mcp65] = {
+ AHCI_HFLAGS (AHCI_HFLAG_NO_FPDMA_AA | AHCI_HFLAG_NO_PMP |
+ AHCI_HFLAG_YES_NCQ),
+@@ -439,6 +449,10 @@ static const struct pci_device_id ahci_pci_tbl[] = {
+ /* Elkhart Lake IDs 0x4b60 & 0x4b62 https://sata-io.org/product/8803 not tested yet */
+ { PCI_VDEVICE(INTEL, 0x4b63), board_ahci_pcs_quirk }, /* Elkhart Lake AHCI */
+
++ /* JMicron JMB582/585: force 32-bit DMA (broken 64-bit implementation) */
++ { PCI_VDEVICE(JMICRON, 0x0582), board_ahci_jmb585 },
++ { PCI_VDEVICE(JMICRON, 0x0585), board_ahci_jmb585 },
++
+ /* JMicron 360/1/3/5/6, match class to avoid IDE function */
+ { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
+ PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci_ign_iferr },
+--
+2.53.0
+
--- /dev/null
+From 57764c090df583af15ba2cc5b088fa33f06e8c23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 20:07:26 +0800
+Subject: Bluetooth: hci_sync: annotate data-races around hdev->req_status
+
+From: Cen Zhang <zzzccc427@gmail.com>
+
+[ Upstream commit b6807cfc195ef99e1ac37b2e1e60df40295daa8c ]
+
+__hci_cmd_sync_sk() sets hdev->req_status under hdev->req_lock:
+
+ hdev->req_status = HCI_REQ_PEND;
+
+However, several other functions read or write hdev->req_status without
+holding any lock:
+
+ - hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue)
+ - hci_cmd_sync_complete() reads/writes from HCI event completion
+ - hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write
+ - hci_abort_conn() reads in connection abort path
+
+Since __hci_cmd_sync_sk() runs on hdev->req_workqueue while
+hci_send_cmd_sync() runs on hdev->workqueue, these are different
+workqueues that can execute concurrently on different CPUs. The plain
+C accesses constitute a data race.
+
+Add READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses
+to hdev->req_status to prevent potential compiler optimizations that
+could affect correctness (e.g., load fusing in the wait_event
+condition or store reordering).
+
+Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_conn.c | 2 +-
+ net/bluetooth/hci_core.c | 2 +-
+ net/bluetooth/hci_sync.c | 20 ++++++++++----------
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index a966d36d0e798..92dcd9d21b7c9 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -3100,7 +3100,7 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason)
+ * hci_connect_le serializes the connection attempts so only one
+ * connection can be in BT_CONNECT at time.
+ */
+- if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
++ if (conn->state == BT_CONNECT && READ_ONCE(hdev->req_status) == HCI_REQ_PEND) {
+ switch (hci_skb_event(hdev->sent_cmd)) {
+ case HCI_EV_CONN_COMPLETE:
+ case HCI_EV_LE_CONN_COMPLETE:
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 8ccec73dce45c..0f86b81b39730 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -4125,7 +4125,7 @@ static int hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
+ kfree_skb(skb);
+ }
+
+- if (hdev->req_status == HCI_REQ_PEND &&
++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND &&
+ !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) {
+ kfree_skb(hdev->req_skb);
+ hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index d638e62f30021..74339358d5994 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -25,11 +25,11 @@ static void hci_cmd_sync_complete(struct hci_dev *hdev, u8 result, u16 opcode,
+ {
+ bt_dev_dbg(hdev, "result 0x%2.2x", result);
+
+- if (hdev->req_status != HCI_REQ_PEND)
++ if (READ_ONCE(hdev->req_status) != HCI_REQ_PEND)
+ return;
+
+ hdev->req_result = result;
+- hdev->req_status = HCI_REQ_DONE;
++ WRITE_ONCE(hdev->req_status, HCI_REQ_DONE);
+
+ /* Free the request command so it is not used as response */
+ kfree_skb(hdev->req_skb);
+@@ -167,20 +167,20 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
+
+ hci_cmd_sync_add(&req, opcode, plen, param, event, sk);
+
+- hdev->req_status = HCI_REQ_PEND;
++ WRITE_ONCE(hdev->req_status, HCI_REQ_PEND);
+
+ err = hci_req_sync_run(&req);
+ if (err < 0)
+ return ERR_PTR(err);
+
+ err = wait_event_interruptible_timeout(hdev->req_wait_q,
+- hdev->req_status != HCI_REQ_PEND,
++ READ_ONCE(hdev->req_status) != HCI_REQ_PEND,
+ timeout);
+
+ if (err == -ERESTARTSYS)
+ return ERR_PTR(-EINTR);
+
+- switch (hdev->req_status) {
++ switch (READ_ONCE(hdev->req_status)) {
+ case HCI_REQ_DONE:
+ err = -bt_to_errno(hdev->req_result);
+ break;
+@@ -194,7 +194,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
+ break;
+ }
+
+- hdev->req_status = 0;
++ WRITE_ONCE(hdev->req_status, 0);
+ hdev->req_result = 0;
+ skb = hdev->req_rsp;
+ hdev->req_rsp = NULL;
+@@ -665,9 +665,9 @@ void hci_cmd_sync_cancel(struct hci_dev *hdev, int err)
+ {
+ bt_dev_dbg(hdev, "err 0x%2.2x", err);
+
+- if (hdev->req_status == HCI_REQ_PEND) {
++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND) {
+ hdev->req_result = err;
+- hdev->req_status = HCI_REQ_CANCELED;
++ WRITE_ONCE(hdev->req_status, HCI_REQ_CANCELED);
+
+ queue_work(hdev->workqueue, &hdev->cmd_sync_cancel_work);
+ }
+@@ -683,12 +683,12 @@ void hci_cmd_sync_cancel_sync(struct hci_dev *hdev, int err)
+ {
+ bt_dev_dbg(hdev, "err 0x%2.2x", err);
+
+- if (hdev->req_status == HCI_REQ_PEND) {
++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND) {
+ /* req_result is __u32 so error must be positive to be properly
+ * propagated.
+ */
+ hdev->req_result = err < 0 ? -err : err;
+- hdev->req_status = HCI_REQ_CANCELED;
++ WRITE_ONCE(hdev->req_status, HCI_REQ_CANCELED);
+
+ wake_up_interruptible(&hdev->req_wait_q);
+ }
+--
+2.53.0
+
--- /dev/null
+From e12e269146db0470612afa5143994c3b686ba820 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 07:01:53 -0700
+Subject: bridge: guard local VLAN-0 FDB helpers against NULL vlan group
+
+From: Zijing Yin <yzjaurora@gmail.com>
+
+[ Upstream commit 1979645e1842cb7017525a61a0e0e0beb924d02a ]
+
+When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and
+nbp_vlan_group() return NULL (br_private.h stub definitions). The
+BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and
+reaches br_fdb_delete_locals_per_vlan_port() and
+br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer
+is dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist).
+
+The observed crash is in the delete path, triggered when creating a
+bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0
+via RTM_NEWLINK. The insert helper has the same bug pattern.
+
+ Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI
+ KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]
+ RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310
+ Call Trace:
+ br_fdb_toggle_local_vlan_0+0x452/0x4c0
+ br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276
+ br_boolopt_toggle net/bridge/br.c:313
+ br_boolopt_multi_toggle net/bridge/br.c:364
+ br_changelink net/bridge/br_netlink.c:1542
+ br_dev_newlink net/bridge/br_netlink.c:1575
+
+Add NULL checks for the vlan group pointer in both helpers, returning
+early when there are no VLANs to iterate. This matches the existing
+pattern used by other bridge FDB functions such as br_fdb_add() and
+br_fdb_delete().
+
+Fixes: 21446c06b441 ("net: bridge: Introduce UAPI for BR_BOOLOPT_FDB_LOCAL_VLAN_0")
+Signed-off-by: Zijing Yin <yzjaurora@gmail.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20260402140153.3925663-1-yzjaurora@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 0501ffcb8a3dd..e2c17f620f009 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -597,6 +597,9 @@ static void br_fdb_delete_locals_per_vlan_port(struct net_bridge *br,
+ dev = br->dev;
+ }
+
++ if (!vg)
++ return;
++
+ list_for_each_entry(v, &vg->vlan_list, vlist)
+ br_fdb_find_delete_local(br, p, dev->dev_addr, v->vid);
+ }
+@@ -630,6 +633,9 @@ static int br_fdb_insert_locals_per_vlan_port(struct net_bridge *br,
+ dev = br->dev;
+ }
+
++ if (!vg)
++ return 0;
++
+ list_for_each_entry(v, &vg->vlan_list, vlist) {
+ if (!br_vlan_should_use(v))
+ continue;
+--
+2.53.0
+
--- /dev/null
+From b82a549b4e9cb8d91cbf2da7e540b1b61391f9ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Feb 2026 14:46:50 +0000
+Subject: btrfs: fix zero size inode with non-zero size after log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 5254d4181add9dfaa5e3519edd71cc8f752b2f85 ]
+
+When logging that an inode exists, as part of logging a new name or
+logging new dir entries for a directory, we always set the generation of
+the logged inode item to 0. This is to signal during log replay (in
+overwrite_item()), that we should not set the i_size since we only logged
+that an inode exists, so the i_size of the inode in the subvolume tree
+must be preserved (as when we log new names or that an inode exists, we
+don't log extents).
+
+This works fine except when we have already logged an inode in full mode
+or it's the first time we are logging an inode created in a past
+transaction, that inode has a new i_size of 0 and then we log a new name
+for the inode (due to a new hardlink or a rename), in which case we log
+an i_size of 0 for the inode and a generation of 0, which causes the log
+replay code to not update the inode's i_size to 0 (in overwrite_item()).
+
+An example scenario:
+
+ mkdir /mnt/dir
+ xfs_io -f -c "pwrite 0 64K" /mnt/dir/foo
+
+ sync
+
+ xfs_io -c "truncate 0" -c "fsync" /mnt/dir/foo
+
+ ln /mnt/dir/foo /mnt/dir/bar
+
+ xfs_io -c "fsync" /mnt/dir
+
+ <power fail>
+
+After log replay the file remains with a size of 64K. This is because when
+we first log the inode, when we fsync file foo, we log its current i_size
+of 0, and then when we create a hard link we log again the inode in exists
+mode (LOG_INODE_EXISTS) but we set a generation of 0 for the inode item we
+add to the log tree, so during log replay overwrite_item() sees that the
+generation is 0 and i_size is 0 so we skip updating the inode's i_size
+from 64K to 0.
+
+Fix this by making sure at fill_inode_item() we always log the real
+generation of the inode if it was logged in the current transaction with
+the i_size we logged before. Also if an inode created in a previous
+transaction is logged in exists mode only, make sure we log the i_size
+stored in the inode item located from the commit root, so that if we log
+multiple times that the inode exists we get the correct i_size.
+
+A test case for fstests will follow soon.
+
+Reported-by: Vyacheslav Kovalevsky <slava.kovalevskiy.2014@gmail.com>
+Link: https://lore.kernel.org/linux-btrfs/af8c15fa-4e41-4bb2-885c-0bc4e97532a6@gmail.com/
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 98 ++++++++++++++++++++++++++++++---------------
+ 1 file changed, 65 insertions(+), 33 deletions(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 6c40f48cc194d..4cea0489f121c 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -4609,21 +4609,32 @@ static void fill_inode_item(struct btrfs_trans_handle *trans,
+ struct inode *inode, bool log_inode_only,
+ u64 logged_isize)
+ {
++ u64 gen = BTRFS_I(inode)->generation;
+ u64 flags;
+
+ if (log_inode_only) {
+- /* set the generation to zero so the recover code
+- * can tell the difference between an logging
+- * just to say 'this inode exists' and a logging
+- * to say 'update this inode with these values'
++ /*
++ * Set the generation to zero so the recover code can tell the
++ * difference between a logging just to say 'this inode exists'
++ * and a logging to say 'update this inode with these values'.
++ * But only if the inode was not already logged before.
++ * We access ->logged_trans directly since it was already set
++ * up in the call chain by btrfs_log_inode(), and data_race()
++ * to avoid false alerts from KCSAN and since it was set already
++ * and one can set it to 0 since that only happens on eviction
++ * and we are holding a ref on the inode.
+ */
+- btrfs_set_inode_generation(leaf, item, 0);
++ ASSERT(data_race(BTRFS_I(inode)->logged_trans) > 0);
++ if (data_race(BTRFS_I(inode)->logged_trans) < trans->transid)
++ gen = 0;
++
+ btrfs_set_inode_size(leaf, item, logged_isize);
+ } else {
+- btrfs_set_inode_generation(leaf, item, BTRFS_I(inode)->generation);
+ btrfs_set_inode_size(leaf, item, inode->i_size);
+ }
+
++ btrfs_set_inode_generation(leaf, item, gen);
++
+ btrfs_set_inode_uid(leaf, item, i_uid_read(inode));
+ btrfs_set_inode_gid(leaf, item, i_gid_read(inode));
+ btrfs_set_inode_mode(leaf, item, inode->i_mode);
+@@ -5427,42 +5438,63 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans,
+ return 0;
+ }
+
+-static int logged_inode_size(struct btrfs_root *log, struct btrfs_inode *inode,
+- struct btrfs_path *path, u64 *size_ret)
++static int get_inode_size_to_log(struct btrfs_trans_handle *trans,
++ struct btrfs_inode *inode,
++ struct btrfs_path *path, u64 *size_ret)
+ {
+ struct btrfs_key key;
++ struct btrfs_inode_item *item;
+ int ret;
+
+ key.objectid = btrfs_ino(inode);
+ key.type = BTRFS_INODE_ITEM_KEY;
+ key.offset = 0;
+
+- ret = btrfs_search_slot(NULL, log, &key, path, 0, 0);
+- if (ret < 0) {
+- return ret;
+- } else if (ret > 0) {
+- *size_ret = 0;
+- } else {
+- struct btrfs_inode_item *item;
++ /*
++ * Our caller called inode_logged(), so logged_trans is up to date.
++ * Use data_race() to silence any warning from KCSAN. Once logged_trans
++ * is set, it can only be reset to 0 after inode eviction.
++ */
++ if (data_race(inode->logged_trans) == trans->transid) {
++ ret = btrfs_search_slot(NULL, inode->root->log_root, &key, path, 0, 0);
++ } else if (inode->generation < trans->transid) {
++ path->search_commit_root = true;
++ path->skip_locking = true;
++ ret = btrfs_search_slot(NULL, inode->root, &key, path, 0, 0);
++ path->search_commit_root = false;
++ path->skip_locking = false;
+
+- item = btrfs_item_ptr(path->nodes[0], path->slots[0],
+- struct btrfs_inode_item);
+- *size_ret = btrfs_inode_size(path->nodes[0], item);
+- /*
+- * If the in-memory inode's i_size is smaller then the inode
+- * size stored in the btree, return the inode's i_size, so
+- * that we get a correct inode size after replaying the log
+- * when before a power failure we had a shrinking truncate
+- * followed by addition of a new name (rename / new hard link).
+- * Otherwise return the inode size from the btree, to avoid
+- * data loss when replaying a log due to previously doing a
+- * write that expands the inode's size and logging a new name
+- * immediately after.
+- */
+- if (*size_ret > inode->vfs_inode.i_size)
+- *size_ret = inode->vfs_inode.i_size;
++ } else {
++ *size_ret = 0;
++ return 0;
+ }
+
++ /*
++ * If the inode was logged before or is from a past transaction, then
++ * its inode item must exist in the log root or in the commit root.
++ */
++ ASSERT(ret <= 0);
++ if (WARN_ON_ONCE(ret > 0))
++ ret = -ENOENT;
++
++ if (ret < 0)
++ return ret;
++
++ item = btrfs_item_ptr(path->nodes[0], path->slots[0],
++ struct btrfs_inode_item);
++ *size_ret = btrfs_inode_size(path->nodes[0], item);
++ /*
++ * If the in-memory inode's i_size is smaller then the inode size stored
++ * in the btree, return the inode's i_size, so that we get a correct
++ * inode size after replaying the log when before a power failure we had
++ * a shrinking truncate followed by addition of a new name (rename / new
++ * hard link). Otherwise return the inode size from the btree, to avoid
++ * data loss when replaying a log due to previously doing a write that
++ * expands the inode's size and logging a new name immediately after.
++ */
++ if (*size_ret > inode->vfs_inode.i_size)
++ *size_ret = inode->vfs_inode.i_size;
++
+ btrfs_release_path(path);
+ return 0;
+ }
+@@ -6975,7 +7007,7 @@ static int btrfs_log_inode(struct btrfs_trans_handle *trans,
+ ret = drop_inode_items(trans, log, path, inode,
+ BTRFS_XATTR_ITEM_KEY);
+ } else {
+- if (inode_only == LOG_INODE_EXISTS && ctx->logged_before) {
++ if (inode_only == LOG_INODE_EXISTS) {
+ /*
+ * Make sure the new inode item we write to the log has
+ * the same isize as the current one (if it exists).
+@@ -6989,7 +7021,7 @@ static int btrfs_log_inode(struct btrfs_trans_handle *trans,
+ * (zeroes), as if an expanding truncate happened,
+ * instead of getting a file of 4Kb only.
+ */
+- ret = logged_inode_size(log, inode, path, &logged_isize);
++ ret = get_inode_size_to_log(trans, inode, path, &logged_isize);
+ if (ret)
+ goto out_unlock;
+ }
+--
+2.53.0
+
--- /dev/null
+From e79df36782150b3ef87edea7f6dcdba4d92fc635 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 14:11:39 -0400
+Subject: btrfs: tracepoints: get correct superblock from dentry in event
+ btrfs_sync_file()
+
+From: Goldwyn Rodrigues <rgoldwyn@suse.de>
+
+[ Upstream commit a85b46db143fda5869e7d8df8f258ccef5fa1719 ]
+
+If overlay is used on top of btrfs, dentry->d_sb translates to overlay's
+super block and fsid assignment will lead to a crash.
+
+Use file_inode(file)->i_sb to always get btrfs_sb.
+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/btrfs.h | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h
+index 125bdc166bfed..0864700f76e0a 100644
+--- a/include/trace/events/btrfs.h
++++ b/include/trace/events/btrfs.h
+@@ -769,12 +769,15 @@ TRACE_EVENT(btrfs_sync_file,
+ ),
+
+ TP_fast_assign(
+- const struct dentry *dentry = file->f_path.dentry;
+- const struct inode *inode = d_inode(dentry);
++ struct dentry *dentry = file_dentry(file);
++ struct inode *inode = file_inode(file);
++ struct dentry *parent = dget_parent(dentry);
++ struct inode *parent_inode = d_inode(parent);
+
+- TP_fast_assign_fsid(btrfs_sb(file->f_path.dentry->d_sb));
++ dput(parent);
++ TP_fast_assign_fsid(btrfs_sb(inode->i_sb));
+ __entry->ino = btrfs_ino(BTRFS_I(inode));
+- __entry->parent = btrfs_ino(BTRFS_I(d_inode(dentry->d_parent)));
++ __entry->parent = btrfs_ino(BTRFS_I(parent_inode));
+ __entry->datasync = datasync;
+ __entry->root_objectid = btrfs_root_id(BTRFS_I(inode)->root);
+ ),
+--
+2.53.0
+
--- /dev/null
+From 97a511bc79af0ba1b40800b3ecb08b5de51e1b80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 09:18:21 +1100
+Subject: cachefiles: fix incorrect dentry refcount in cachefiles_cull()
+
+From: NeilBrown <neilb@ownmail.net>
+
+[ Upstream commit 1635c2acdde86c4f555b627aec873c8677c421ed ]
+
+The patch mentioned below changed cachefiles_bury_object() to expect 2
+references to the 'rep' dentry. Three of the callers were changed to
+use start_removing_dentry() which takes an extra reference so in those
+cases the call gets the expected references.
+
+However there is another call to cachefiles_bury_object() in
+cachefiles_cull() which did not need to be changed to use
+start_removing_dentry() and so was not properly considered.
+It still passed the dentry with just one reference so the net result is
+that a reference is lost.
+
+To meet the expectations of cachefiles_bury_object(), cachefiles_cull()
+must take an extra reference before the call. It will be dropped by
+cachefiles_bury_object().
+
+Reported-by: Marc Dionne <marc.dionne@auristor.com>
+Fixes: 7bb1eb45e43c ("VFS: introduce start_removing_dentry()")
+Signed-off-by: NeilBrown <neil@brown.name>
+Link: https://patch.msgid.link/177456350181.1851489.16359967086642190170@noble.neil.brown.name
+Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cachefiles/namei.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c
+index e5ec90dccc27f..eb9eb7683e3cc 100644
+--- a/fs/cachefiles/namei.c
++++ b/fs/cachefiles/namei.c
+@@ -810,6 +810,11 @@ int cachefiles_cull(struct cachefiles_cache *cache, struct dentry *dir,
+ if (ret < 0)
+ goto error_unlock;
+
++ /*
++ * cachefiles_bury_object() expects 2 references to 'victim',
++ * and drops one.
++ */
++ dget(victim);
+ ret = cachefiles_bury_object(cache, NULL, dir, victim,
+ FSCACHE_OBJECT_WAS_CULLED);
+ dput(victim);
+--
+2.53.0
+
--- /dev/null
+From f1b4cac5af861b0a4f7ac050f40e81caa88149d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 00:00:22 +0800
+Subject: can: mcp251x: add error handling for power enable in open and resume
+
+From: Wenyuan Li <2063309626@qq.com>
+
+[ Upstream commit 7a57354756c7df223abe2c33774235ad70cb4231 ]
+
+Add missing error handling for mcp251x_power_enable() calls in both
+mcp251x_open() and mcp251x_can_resume() functions.
+
+In mcp251x_open(), if power enable fails, jump to error path to close
+candev without attempting to disable power again.
+
+In mcp251x_can_resume(), properly check return values of power enable calls
+for both power and transceiver regulators. If any fails, return the error
+code to the PM framework and log the failure.
+
+This ensures the driver properly handles power control failures and
+maintains correct device state.
+
+Signed-off-by: Wenyuan Li <2063309626@qq.com>
+Link: https://patch.msgid.link/tencent_F3EFC5D7738AC548857B91657715E2D3AA06@qq.com
+[mkl: fix patch description]
+[mkl: mcp251x_can_resume(): replace goto by return]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/spi/mcp251x.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
+index bb7782582f401..0d0190ae094a1 100644
+--- a/drivers/net/can/spi/mcp251x.c
++++ b/drivers/net/can/spi/mcp251x.c
+@@ -1225,7 +1225,11 @@ static int mcp251x_open(struct net_device *net)
+ }
+
+ mutex_lock(&priv->mcp_lock);
+- mcp251x_power_enable(priv->transceiver, 1);
++ ret = mcp251x_power_enable(priv->transceiver, 1);
++ if (ret) {
++ dev_err(&spi->dev, "failed to enable transceiver power: %pe\n", ERR_PTR(ret));
++ goto out_close_candev;
++ }
+
+ priv->force_quit = 0;
+ priv->tx_skb = NULL;
+@@ -1272,6 +1276,7 @@ static int mcp251x_open(struct net_device *net)
+ mcp251x_hw_sleep(spi);
+ out_close:
+ mcp251x_power_enable(priv->transceiver, 0);
++out_close_candev:
+ close_candev(net);
+ mutex_unlock(&priv->mcp_lock);
+ if (release_irq)
+@@ -1516,11 +1521,25 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev)
+ {
+ struct spi_device *spi = to_spi_device(dev);
+ struct mcp251x_priv *priv = spi_get_drvdata(spi);
++ int ret = 0;
+
+- if (priv->after_suspend & AFTER_SUSPEND_POWER)
+- mcp251x_power_enable(priv->power, 1);
+- if (priv->after_suspend & AFTER_SUSPEND_UP)
+- mcp251x_power_enable(priv->transceiver, 1);
++ if (priv->after_suspend & AFTER_SUSPEND_POWER) {
++ ret = mcp251x_power_enable(priv->power, 1);
++ if (ret) {
++ dev_err(dev, "failed to restore power: %pe\n", ERR_PTR(ret));
++ return ret;
++ }
++ }
++
++ if (priv->after_suspend & AFTER_SUSPEND_UP) {
++ ret = mcp251x_power_enable(priv->transceiver, 1);
++ if (ret) {
++ dev_err(dev, "failed to restore transceiver power: %pe\n", ERR_PTR(ret));
++ if (priv->after_suspend & AFTER_SUSPEND_POWER)
++ mcp251x_power_enable(priv->power, 0);
++ return ret;
++ }
++ }
+
+ if (priv->after_suspend & (AFTER_SUSPEND_POWER | AFTER_SUSPEND_UP))
+ queue_work(priv->wq, &priv->restart_work);
+--
+2.53.0
+
--- /dev/null
+From 8c7a391b93a21a2bbf1e6e8f6e685affdf59b886 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 10:54:17 +0200
+Subject: clockevents: Prevent timer interrupt starvation
+
+From: Thomas Gleixner <tglx@kernel.org>
+
+[ Upstream commit d6e152d905bdb1f32f9d99775e2f453350399a6a ]
+
+Calvin reported an odd NMI watchdog lockup which claims that the CPU locked
+up in user space. He provided a reproducer, which sets up a timerfd based
+timer and then rearms it in a loop with an absolute expiry time of 1ns.
+
+As the expiry time is in the past, the timer ends up as the first expiring
+timer in the per CPU hrtimer base and the clockevent device is programmed
+with the minimum delta value. If the machine is fast enough, this ends up
+in a endless loop of programming the delta value to the minimum value
+defined by the clock event device, before the timer interrupt can fire,
+which starves the interrupt and consequently triggers the lockup detector
+because the hrtimer callback of the lockup mechanism is never invoked.
+
+As a first step to prevent this, avoid reprogramming the clock event device
+when:
+ - a forced minimum delta event is pending
+ - the new expiry delta is less then or equal to the minimum delta
+
+Thanks to Calvin for providing the reproducer and to Borislav for testing
+and providing data from his Zen5 machine.
+
+The problem is not limited to Zen5, but depending on the underlying
+clock event device (e.g. TSC deadline timer on Intel) and the CPU speed
+not necessarily observable.
+
+This change serves only as the last resort and further changes will be made
+to prevent this scenario earlier in the call chain as far as possible.
+
+[ tglx: Updated to restore the old behaviour vs. !force and delta <= 0 and
+ fixed up the tick-broadcast handlers as pointed out by Borislav ]
+
+Fixes: d316c57ff6bf ("[PATCH] clockevents: add core functionality")
+Reported-by: Calvin Owens <calvin@wbinvd.org>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Tested-by: Calvin Owens <calvin@wbinvd.org>
+Tested-by: Borislav Petkov <bp@alien8.de>
+Link: https://lore.kernel.org/lkml/acMe-QZUel-bBYUh@mozart.vkv.me/
+Link: https://patch.msgid.link/20260407083247.562657657@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/clockchips.h | 2 ++
+ kernel/time/clockevents.c | 27 +++++++++++++++++++--------
+ kernel/time/hrtimer.c | 1 +
+ kernel/time/tick-broadcast.c | 8 +++++++-
+ kernel/time/tick-common.c | 1 +
+ kernel/time/tick-sched.c | 1 +
+ 6 files changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/clockchips.h b/include/linux/clockchips.h
+index b0df28ddd394b..50cdc9da8d32a 100644
+--- a/include/linux/clockchips.h
++++ b/include/linux/clockchips.h
+@@ -80,6 +80,7 @@ enum clock_event_state {
+ * @shift: nanoseconds to cycles divisor (power of two)
+ * @state_use_accessors:current state of the device, assigned by the core code
+ * @features: features
++ * @next_event_forced: True if the last programming was a forced event
+ * @retries: number of forced programming retries
+ * @set_state_periodic: switch state to periodic
+ * @set_state_oneshot: switch state to oneshot
+@@ -108,6 +109,7 @@ struct clock_event_device {
+ u32 shift;
+ enum clock_event_state state_use_accessors;
+ unsigned int features;
++ unsigned int next_event_forced;
+ unsigned long retries;
+
+ int (*set_state_periodic)(struct clock_event_device *);
+diff --git a/kernel/time/clockevents.c b/kernel/time/clockevents.c
+index eaae1ce9f0600..38570998a19b8 100644
+--- a/kernel/time/clockevents.c
++++ b/kernel/time/clockevents.c
+@@ -172,6 +172,7 @@ void clockevents_shutdown(struct clock_event_device *dev)
+ {
+ clockevents_switch_state(dev, CLOCK_EVT_STATE_SHUTDOWN);
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+ }
+
+ /**
+@@ -305,7 +306,6 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires,
+ {
+ unsigned long long clc;
+ int64_t delta;
+- int rc;
+
+ if (WARN_ON_ONCE(expires < 0))
+ return -ETIME;
+@@ -324,16 +324,27 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires,
+ return dev->set_next_ktime(expires, dev);
+
+ delta = ktime_to_ns(ktime_sub(expires, ktime_get()));
+- if (delta <= 0)
+- return force ? clockevents_program_min_delta(dev) : -ETIME;
+
+- delta = min(delta, (int64_t) dev->max_delta_ns);
+- delta = max(delta, (int64_t) dev->min_delta_ns);
++ /* Required for tick_periodic() during early boot */
++ if (delta <= 0 && !force)
++ return -ETIME;
++
++ if (delta > (int64_t)dev->min_delta_ns) {
++ delta = min(delta, (int64_t) dev->max_delta_ns);
++ clc = ((unsigned long long) delta * dev->mult) >> dev->shift;
++ if (!dev->set_next_event((unsigned long) clc, dev))
++ return 0;
++ }
+
+- clc = ((unsigned long long) delta * dev->mult) >> dev->shift;
+- rc = dev->set_next_event((unsigned long) clc, dev);
++ if (dev->next_event_forced)
++ return 0;
+
+- return (rc && force) ? clockevents_program_min_delta(dev) : rc;
++ if (dev->set_next_event(dev->min_delta_ticks, dev)) {
++ if (!force || clockevents_program_min_delta(dev))
++ return -ETIME;
++ }
++ dev->next_event_forced = 1;
++ return 0;
+ }
+
+ /*
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 84c8ab2a0cebf..141b2beac63a4 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1880,6 +1880,7 @@ void hrtimer_interrupt(struct clock_event_device *dev)
+ BUG_ON(!cpu_base->hres_active);
+ cpu_base->nr_events++;
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+
+ raw_spin_lock_irqsave(&cpu_base->lock, flags);
+ entry_time = now = hrtimer_update_base(cpu_base);
+diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c
+index f63c65881364d..7e57fa31ee26f 100644
+--- a/kernel/time/tick-broadcast.c
++++ b/kernel/time/tick-broadcast.c
+@@ -76,8 +76,10 @@ const struct clock_event_device *tick_get_wakeup_device(int cpu)
+ */
+ static void tick_broadcast_start_periodic(struct clock_event_device *bc)
+ {
+- if (bc)
++ if (bc) {
++ bc->next_event_forced = 0;
+ tick_setup_periodic(bc, 1);
++ }
+ }
+
+ /*
+@@ -403,6 +405,7 @@ static void tick_handle_periodic_broadcast(struct clock_event_device *dev)
+ bool bc_local;
+
+ raw_spin_lock(&tick_broadcast_lock);
++ tick_broadcast_device.evtdev->next_event_forced = 0;
+
+ /* Handle spurious interrupts gracefully */
+ if (clockevent_state_shutdown(tick_broadcast_device.evtdev)) {
+@@ -696,6 +699,7 @@ static void tick_handle_oneshot_broadcast(struct clock_event_device *dev)
+
+ raw_spin_lock(&tick_broadcast_lock);
+ dev->next_event = KTIME_MAX;
++ tick_broadcast_device.evtdev->next_event_forced = 0;
+ next_event = KTIME_MAX;
+ cpumask_clear(tmpmask);
+ now = ktime_get();
+@@ -1063,6 +1067,7 @@ static void tick_broadcast_setup_oneshot(struct clock_event_device *bc,
+
+
+ bc->event_handler = tick_handle_oneshot_broadcast;
++ bc->next_event_forced = 0;
+ bc->next_event = KTIME_MAX;
+
+ /*
+@@ -1175,6 +1180,7 @@ void hotplug_cpu__broadcast_tick_pull(int deadcpu)
+ }
+
+ /* This moves the broadcast assignment to this CPU: */
++ bc->next_event_forced = 0;
+ clockevents_program_event(bc, bc->next_event, 1);
+ }
+ raw_spin_unlock_irqrestore(&tick_broadcast_lock, flags);
+diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c
+index d305d85218961..6a9198a4279b5 100644
+--- a/kernel/time/tick-common.c
++++ b/kernel/time/tick-common.c
+@@ -110,6 +110,7 @@ void tick_handle_periodic(struct clock_event_device *dev)
+ int cpu = smp_processor_id();
+ ktime_t next = dev->next_event;
+
++ dev->next_event_forced = 0;
+ tick_periodic(cpu);
+
+ /*
+diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
+index 2f8a7923fa279..6e2f239a4813f 100644
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -1504,6 +1504,7 @@ static void tick_nohz_lowres_handler(struct clock_event_device *dev)
+ struct tick_sched *ts = this_cpu_ptr(&tick_cpu_sched);
+
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+
+ if (likely(tick_nohz_handler(&ts->sched_timer) == HRTIMER_RESTART))
+ tick_program_event(hrtimer_get_expires(&ts->sched_timer), 1);
+--
+2.53.0
+
--- /dev/null
+From a0a0bffedd06ee07b3206f5f5448c5a30983ab6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2026 08:29:58 +0800
+Subject: crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 31d00156e50ecad37f2cb6cbf04aaa9a260505ef ]
+
+When page reassignment was added to af_alg_pull_tsgl the original
+loop wasn't updated so it may try to reassign one more page than
+necessary.
+
+Add the check to the reassignment so that this does not happen.
+
+Also update the comment which still refers to the obsolete offset
+argument.
+
+Reported-by: syzbot+d23888375c2737c17ba5@syzkaller.appspotmail.com
+Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/af_alg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index 7373f7dd8f417..8953e2ffd55ce 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -705,8 +705,8 @@ void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst)
+ * Assumption: caller created af_alg_count_tsgl(len)
+ * SG entries in dst.
+ */
+- if (dst) {
+- /* reassign page to dst after offset */
++ if (dst && plen) {
++ /* reassign page to dst */
+ get_page(page);
+ sg_set_page(dst + j, page, plen, sg[i].offset);
+ j++;
+--
+2.53.0
+
--- /dev/null
+From 5f2b6622c2f910ce24c250cd4a4cabe72bf1fee9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 23:34:55 +0800
+Subject: crypto: af_alg - limit RX SG extraction by receive buffer budget
+
+From: Douya Le <ldy3087146292@gmail.com>
+
+[ Upstream commit 8eceab19eba9dcbfd2a0daec72e1bf48aa100170 ]
+
+Make af_alg_get_rsgl() limit each RX scatterlist extraction to the
+remaining receive buffer budget.
+
+af_alg_get_rsgl() currently uses af_alg_readable() only as a gate
+before extracting data into the RX scatterlist. Limit each extraction
+to the remaining af_alg_rcvbuf(sk) budget so that receive-side
+accounting matches the amount of data attached to the request.
+
+If skcipher cannot obtain enough RX space for at least one chunk while
+more data remains to be processed, reject the recvmsg call instead of
+rounding the request length down to zero.
+
+Fixes: e870456d8e7c8d57c059ea479b5aadbb55ff4c3a ("crypto: algif_skcipher - overhaul memory management")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Douya Le <ldy3087146292@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/af_alg.c | 2 ++
+ crypto/algif_skcipher.c | 5 +++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index bc78c915eabc4..7373f7dd8f417 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -1229,6 +1229,8 @@ int af_alg_get_rsgl(struct sock *sk, struct msghdr *msg, int flags,
+
+ seglen = min_t(size_t, (maxsize - len),
+ msg_data_left(msg));
++ /* Never pin more pages than the remaining RX accounting budget. */
++ seglen = min_t(size_t, seglen, af_alg_rcvbuf(sk));
+
+ if (list_empty(&areq->rsgl_list)) {
+ rsgl = &areq->first_rsgl;
+diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
+index 82735e51be108..ba0a17fd95aca 100644
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -130,6 +130,11 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
+ * full block size buffers.
+ */
+ if (ctx->more || len < ctx->used) {
++ if (len < bs) {
++ err = -EINVAL;
++ goto free;
++ }
++
+ len -= len % bs;
+ cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL;
+ }
+--
+2.53.0
+
--- /dev/null
+From 122a4bf016d606745e600a162445a99ecef17728 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Apr 2026 13:32:21 +0800
+Subject: crypto: algif_aead - Fix minimum RX size check for decryption
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ]
+
+The check for the minimum receive buffer size did not take the
+tag size into account during decryption. Fix this by adding the
+required extra length.
+
+Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
+Reported-by: Daniel Pouzzner <douzzer@mega.nu>
+Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/algif_aead.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
+index dda15bb05e892..f8bd45f7dc839 100644
+--- a/crypto/algif_aead.c
++++ b/crypto/algif_aead.c
+@@ -144,7 +144,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
+ if (usedpages < outlen) {
+ size_t less = outlen - usedpages;
+
+- if (used < less) {
++ if (used < less + (ctx->enc ? 0 : as)) {
+ err = -EINVAL;
+ goto free;
+ }
+--
+2.53.0
+
--- /dev/null
+From 9f3da6e62c499c77560df650281b010552f96a1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 22:27:30 -0400
+Subject: devlink: Fix incorrect skb socket family dumping
+
+From: Li RongQing <lirongqing@baidu.com>
+
+[ Upstream commit 0006c6f1091bbeea88b8a88a6548b9fb2f803c74 ]
+
+The devlink_fmsg_dump_skb function was incorrectly using the socket
+type (sk->sk_type) instead of the socket family (sk->sk_family)
+when filling the "family" field in the fast message dump.
+
+This patch fixes this to properly display the socket family.
+
+Fixes: 3dbfde7f6bc7b8 ("devlink: add devlink_fmsg_dump_skb() function")
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Link: https://patch.msgid.link/20260407022730.2393-1-lirongqing@baidu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/devlink/health.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/devlink/health.c b/net/devlink/health.c
+index 136a67c36a20d..0798c82096bdc 100644
+--- a/net/devlink/health.c
++++ b/net/devlink/health.c
+@@ -1327,7 +1327,7 @@ void devlink_fmsg_dump_skb(struct devlink_fmsg *fmsg, const struct sk_buff *skb)
+ if (sk) {
+ devlink_fmsg_pair_nest_start(fmsg, "sk");
+ devlink_fmsg_obj_nest_start(fmsg);
+- devlink_fmsg_put(fmsg, "family", sk->sk_type);
++ devlink_fmsg_put(fmsg, "family", sk->sk_family);
+ devlink_fmsg_put(fmsg, "type", sk->sk_type);
+ devlink_fmsg_put(fmsg, "proto", sk->sk_protocol);
+ devlink_fmsg_obj_nest_end(fmsg);
+--
+2.53.0
+
--- /dev/null
+From 4d66ef8d1e5726f887067f4f7283ad12b0c049f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 17:41:56 +0500
+Subject: dma-debug: suppress cacheline overlap warning when arch has no DMA
+ alignment requirement
+
+From: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+
+[ Upstream commit 3d48c9fd78dd0b1809669ec49c4d0997b8127512 ]
+
+When CONFIG_DMA_API_DEBUG is enabled, the DMA debug infrastructure
+tracks active mappings per cacheline and warns if two different DMA
+mappings share the same cacheline ("cacheline tracking EEXIST,
+overlapping mappings aren't supported").
+
+On x86_64, ARCH_KMALLOC_MINALIGN defaults to 8, so small kmalloc
+allocations (e.g. the 8-byte hub->buffer and hub->status in the USB
+hub driver) frequently land in the same 64-byte cacheline. When both
+are DMA-mapped, this triggers a false positive warning.
+
+This has been reported repeatedly since v5.14 (when the EEXIST check
+was added) across various USB host controllers and devices including
+xhci_hcd with USB hubs, USB audio devices, and USB ethernet adapters.
+
+The cacheline overlap is only a real concern on architectures that
+require DMA buffer alignment to cacheline boundaries (i.e. where
+ARCH_DMA_MINALIGN >= L1_CACHE_BYTES). On architectures like x86_64
+where dma_get_cache_alignment() returns 1, the hardware is
+cache-coherent and overlapping cacheline mappings are harmless.
+
+Suppress the EEXIST warning when dma_get_cache_alignment() is less
+than L1_CACHE_BYTES, indicating the architecture does not require
+cacheline-aligned DMA buffers.
+
+Verified with a kernel module reproducer that performs two kmalloc(8)
+allocations back-to-back and DMA-maps both:
+
+ Before: allocations share a cacheline, EEXIST fires within ~50 pairs
+ After: same cacheline pair found, but no warning emitted
+
+Fixes: 2b4bbc6231d7 ("dma-debug: report -EEXIST errors in add_dma_entry")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215740
+Suggested-by: Harry Yoo <harry@kernel.org>
+Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Link: https://lore.kernel.org/r/20260327124156.24820-1-mikhail.v.gavrilov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/dma/debug.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c
+index 43d6a996d7a78..596ea7abbda15 100644
+--- a/kernel/dma/debug.c
++++ b/kernel/dma/debug.c
+@@ -614,6 +614,7 @@ static void add_dma_entry(struct dma_debug_entry *entry, unsigned long attrs)
+ } else if (rc == -EEXIST &&
+ !(attrs & DMA_ATTR_SKIP_CPU_SYNC) &&
+ !(entry->is_cache_clean && overlap_cache_clean) &&
++ dma_get_cache_alignment() >= L1_CACHE_BYTES &&
+ !(IS_ENABLED(CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC) &&
+ is_swiotlb_active(entry->dev))) {
+ err_printk(entry->dev, entry,
+--
+2.53.0
+
--- /dev/null
+From f05e3ada76e06a6f62480631d621e4f1f2990d33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Dec 2025 14:38:31 -0500
+Subject: dma-debug: track cache clean flag in entries
+
+From: Michael S. Tsirkin <mst@redhat.com>
+
+[ Upstream commit d5d846513128c1a3bc2f2d371f6e903177dea443 ]
+
+If a driver is buggy and has 2 overlapping mappings but only
+sets cache clean flag on the 1st one of them, we warn.
+But if it only does it for the 2nd one, we don't.
+
+Fix by tracking cache clean flag in the entry.
+
+Message-ID: <0ffb3513d18614539c108b4548cdfbc64274a7d1.1767601130.git.mst@redhat.com>
+Reviewed-by: Petr Tesarik <ptesarik@suse.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: 3d48c9fd78dd ("dma-debug: suppress cacheline overlap warning when arch has no DMA alignment requirement")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/dma/debug.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c
+index 7e66d863d573f..43d6a996d7a78 100644
+--- a/kernel/dma/debug.c
++++ b/kernel/dma/debug.c
+@@ -63,6 +63,7 @@ enum map_err_types {
+ * @sg_mapped_ents: 'mapped_ents' from dma_map_sg
+ * @paddr: physical start address of the mapping
+ * @map_err_type: track whether dma_mapping_error() was checked
++ * @is_cache_clean: driver promises not to write to buffer while mapped
+ * @stack_len: number of backtrace entries in @stack_entries
+ * @stack_entries: stack of backtrace history
+ */
+@@ -76,7 +77,8 @@ struct dma_debug_entry {
+ int sg_call_ents;
+ int sg_mapped_ents;
+ phys_addr_t paddr;
+- enum map_err_types map_err_type;
++ enum map_err_types map_err_type;
++ bool is_cache_clean;
+ #ifdef CONFIG_STACKTRACE
+ unsigned int stack_len;
+ unsigned long stack_entries[DMA_DEBUG_STACKTRACE_ENTRIES];
+@@ -472,12 +474,15 @@ static int active_cacheline_dec_overlap(phys_addr_t cln)
+ return active_cacheline_set_overlap(cln, --overlap);
+ }
+
+-static int active_cacheline_insert(struct dma_debug_entry *entry)
++static int active_cacheline_insert(struct dma_debug_entry *entry,
++ bool *overlap_cache_clean)
+ {
+ phys_addr_t cln = to_cacheline_number(entry);
+ unsigned long flags;
+ int rc;
+
++ *overlap_cache_clean = false;
++
+ /* If the device is not writing memory then we don't have any
+ * concerns about the cpu consuming stale data. This mitigates
+ * legitimate usages of overlapping mappings.
+@@ -487,8 +492,16 @@ static int active_cacheline_insert(struct dma_debug_entry *entry)
+
+ spin_lock_irqsave(&radix_lock, flags);
+ rc = radix_tree_insert(&dma_active_cacheline, cln, entry);
+- if (rc == -EEXIST)
++ if (rc == -EEXIST) {
++ struct dma_debug_entry *existing;
++
+ active_cacheline_inc_overlap(cln);
++ existing = radix_tree_lookup(&dma_active_cacheline, cln);
++ /* A lookup failure here after we got -EEXIST is unexpected. */
++ WARN_ON(!existing);
++ if (existing)
++ *overlap_cache_clean = existing->is_cache_clean;
++ }
+ spin_unlock_irqrestore(&radix_lock, flags);
+
+ return rc;
+@@ -583,20 +596,24 @@ DEFINE_SHOW_ATTRIBUTE(dump);
+ */
+ static void add_dma_entry(struct dma_debug_entry *entry, unsigned long attrs)
+ {
++ bool overlap_cache_clean;
+ struct hash_bucket *bucket;
+ unsigned long flags;
+ int rc;
+
++ entry->is_cache_clean = !!(attrs & DMA_ATTR_CPU_CACHE_CLEAN);
++
+ bucket = get_hash_bucket(entry, &flags);
+ hash_bucket_add(bucket, entry);
+ put_hash_bucket(bucket, flags);
+
+- rc = active_cacheline_insert(entry);
++ rc = active_cacheline_insert(entry, &overlap_cache_clean);
+ if (rc == -ENOMEM) {
+ pr_err_once("cacheline tracking ENOMEM, dma-debug disabled\n");
+ global_disable = true;
+ } else if (rc == -EEXIST &&
+- !(attrs & (DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_CPU_CACHE_CLEAN)) &&
++ !(attrs & DMA_ATTR_SKIP_CPU_SYNC) &&
++ !(entry->is_cache_clean && overlap_cache_clean) &&
+ !(IS_ENABLED(CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC) &&
+ is_swiotlb_active(entry->dev))) {
+ err_printk(entry->dev, entry,
+--
+2.53.0
+
--- /dev/null
+From 5263d7c05b46b41d239e5ef334c435535e6fc1d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Dec 2025 07:28:43 -0500
+Subject: dma-mapping: add DMA_ATTR_CPU_CACHE_CLEAN
+
+From: Michael S. Tsirkin <mst@redhat.com>
+
+[ Upstream commit 61868dc55a119a5e4b912d458fc2c48ba80a35fe ]
+
+When multiple small DMA_FROM_DEVICE or DMA_BIDIRECTIONAL buffers share a
+cacheline, and DMA_API_DEBUG is enabled, we get this warning:
+ cacheline tracking EEXIST, overlapping mappings aren't supported.
+
+This is because when one of the mappings is removed, while another one
+is active, CPU might write into the buffer.
+
+Add an attribute for the driver to promise not to do this, making the
+overlapping safe, and suppressing the warning.
+
+Message-ID: <2d5d091f9d84b68ea96abd545b365dd1d00bbf48.1767601130.git.mst@redhat.com>
+Reviewed-by: Petr Tesarik <ptesarik@suse.com>
+Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: 3d48c9fd78dd ("dma-debug: suppress cacheline overlap warning when arch has no DMA alignment requirement")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/dma-mapping.h | 7 +++++++
+ kernel/dma/debug.c | 3 ++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/dma-mapping.h b/include/linux/dma-mapping.h
+index 190eab9f5e8c2..3e63046b899bc 100644
+--- a/include/linux/dma-mapping.h
++++ b/include/linux/dma-mapping.h
+@@ -78,6 +78,13 @@
+ */
+ #define DMA_ATTR_MMIO (1UL << 10)
+
++/*
++ * DMA_ATTR_CPU_CACHE_CLEAN: Indicates the CPU will not dirty any cacheline
++ * overlapping this buffer while it is mapped for DMA. All mappings sharing
++ * a cacheline must have this attribute for this to be considered safe.
++ */
++#define DMA_ATTR_CPU_CACHE_CLEAN (1UL << 11)
++
+ /*
+ * A dma_addr_t can hold any valid DMA or bus address for the platform. It can
+ * be given to a device to use as a DMA source or target. It is specific to a
+diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c
+index 138ede653de40..7e66d863d573f 100644
+--- a/kernel/dma/debug.c
++++ b/kernel/dma/debug.c
+@@ -595,7 +595,8 @@ static void add_dma_entry(struct dma_debug_entry *entry, unsigned long attrs)
+ if (rc == -ENOMEM) {
+ pr_err_once("cacheline tracking ENOMEM, dma-debug disabled\n");
+ global_disable = true;
+- } else if (rc == -EEXIST && !(attrs & DMA_ATTR_SKIP_CPU_SYNC) &&
++ } else if (rc == -EEXIST &&
++ !(attrs & (DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_CPU_CACHE_CLEAN)) &&
+ !(IS_ENABLED(CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC) &&
+ is_swiotlb_active(entry->dev))) {
+ err_printk(entry->dev, entry,
+--
+2.53.0
+
--- /dev/null
+From 4b0deec15c9c716733af6685cc6ac2593fda62f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 10:34:27 -0800
+Subject: dmaengine: idxd: Fix lockdep warnings when calling
+ idxd_device_config()
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit caf91cdf2de8b7134749d32cd4ae5520b108abb7 ]
+
+Move the check for IDXD_FLAG_CONFIGURABLE and the locking to "inside"
+idxd_device_config(), as this is common to all callers, and the one
+that wasn't holding the lock was an error (that was causing the
+lockdep warning).
+
+Suggested-by: Dave Jiang <dave.jiang@intel.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-1-7ed70658a9d1@intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/idxd/device.c | 17 +++++++----------
+ drivers/dma/idxd/init.c | 10 ++++------
+ 2 files changed, 11 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c
+index 4013f970cb3b2..f4b134c865163 100644
+--- a/drivers/dma/idxd/device.c
++++ b/drivers/dma/idxd/device.c
+@@ -1121,7 +1121,11 @@ int idxd_device_config(struct idxd_device *idxd)
+ {
+ int rc;
+
+- lockdep_assert_held(&idxd->dev_lock);
++ guard(spinlock)(&idxd->dev_lock);
++
++ if (!test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags))
++ return 0;
++
+ rc = idxd_wqs_setup(idxd);
+ if (rc < 0)
+ return rc;
+@@ -1448,11 +1452,7 @@ int idxd_drv_enable_wq(struct idxd_wq *wq)
+ }
+ }
+
+- rc = 0;
+- spin_lock(&idxd->dev_lock);
+- if (test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags))
+- rc = idxd_device_config(idxd);
+- spin_unlock(&idxd->dev_lock);
++ rc = idxd_device_config(idxd);
+ if (rc < 0) {
+ dev_dbg(dev, "Writing wq %d config failed: %d\n", wq->id, rc);
+ goto err;
+@@ -1547,10 +1547,7 @@ int idxd_device_drv_probe(struct idxd_dev *idxd_dev)
+ }
+
+ /* Device configuration */
+- spin_lock(&idxd->dev_lock);
+- if (test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags))
+- rc = idxd_device_config(idxd);
+- spin_unlock(&idxd->dev_lock);
++ rc = idxd_device_config(idxd);
+ if (rc < 0)
+ return -ENXIO;
+
+diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c
+index f2b37c63a964c..afba88f9c3e43 100644
+--- a/drivers/dma/idxd/init.c
++++ b/drivers/dma/idxd/init.c
+@@ -1094,12 +1094,10 @@ static void idxd_reset_done(struct pci_dev *pdev)
+ idxd_device_config_restore(idxd, idxd->idxd_saved);
+
+ /* Re-configure IDXD device if allowed. */
+- if (test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags)) {
+- rc = idxd_device_config(idxd);
+- if (rc < 0) {
+- dev_err(dev, "HALT: %s config fails\n", idxd_name);
+- goto out;
+- }
++ rc = idxd_device_config(idxd);
++ if (rc < 0) {
++ dev_err(dev, "HALT: %s config fails\n", idxd_name);
++ goto out;
+ }
+
+ /* Bind IDXD device to driver. */
+--
+2.53.0
+
--- /dev/null
+From 971034b8e3be32d68ec7c6f29858f76bf18f8f6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 09:58:36 +0530
+Subject: drm/amdgpu: Handle GPU page faults correctly on non-4K page systems
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Donet Tom <donettom@linux.ibm.com>
+
+[ Upstream commit 4e9597f22a3cb8600c72fc266eaac57981d834c8 ]
+
+During a GPU page fault, the driver restores the SVM range and then maps it
+into the GPU page tables. The current implementation passes a GPU-page-size
+(4K-based) PFN to svm_range_restore_pages() to restore the range.
+
+SVM ranges are tracked using system-page-size PFNs. On systems where the
+system page size is larger than 4K, using GPU-page-size PFNs to restore the
+range causes two problems:
+
+Range lookup fails:
+Because the restore function receives PFNs in GPU (4K) units, the SVM
+range lookup does not find the existing range. This will result in a
+duplicate SVM range being created.
+
+VMA lookup failure:
+The restore function also tries to locate the VMA for the faulting address.
+It converts the GPU-page-size PFN into an address using the system page
+size, which results in an incorrect address on non-4K page-size systems.
+As a result, the VMA lookup fails with the message: "address 0xxxx VMA is
+removed".
+
+This patch passes the system-page-size PFN to svm_range_restore_pages() so
+that the SVM range is restored correctly on non-4K page systems.
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Donet Tom <donettom@linux.ibm.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 074fe395fb13247b057f60004c7ebcca9f38ef46)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+index 7df6e75bd7014..636a0cbbb1447 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+@@ -2974,14 +2974,14 @@ bool amdgpu_vm_handle_fault(struct amdgpu_device *adev, u32 pasid,
+ if (!root)
+ return false;
+
+- addr /= AMDGPU_GPU_PAGE_SIZE;
+-
+ if (is_compute_context && !svm_range_restore_pages(adev, pasid, vmid,
+- node_id, addr, ts, write_fault)) {
++ node_id, addr >> PAGE_SHIFT, ts, write_fault)) {
+ amdgpu_bo_unref(&root);
+ return true;
+ }
+
++ addr /= AMDGPU_GPU_PAGE_SIZE;
++
+ r = amdgpu_bo_reserve(root, true);
+ if (r)
+ goto error_unref;
+--
+2.53.0
+
--- /dev/null
+From 4ad13e18c46d5bd04eeb797db53c276375ef6446 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 09:58:39 +0530
+Subject: drm/amdkfd: Fix queue preemption/eviction failures by aligning
+ control stack size to GPU page size
+
+From: Donet Tom <donettom@linux.ibm.com>
+
+[ Upstream commit 78746a474e92fc7aaed12219bec7c78ae1bd6156 ]
+
+The control stack size is calculated based on the number of CUs and
+waves, and is then aligned to PAGE_SIZE. When the resulting control
+stack size is aligned to 64 KB, GPU hangs and queue preemption
+failures are observed while running RCCL unit tests on systems with
+more than two GPUs.
+
+amdgpu 0048:0f:00.0: amdgpu: Queue preemption failed for queue with
+doorbell_id: 80030008
+amdgpu 0048:0f:00.0: amdgpu: Failed to evict process queues
+amdgpu 0048:0f:00.0: amdgpu: GPU reset begin!. Source: 4
+amdgpu 0048:0f:00.0: amdgpu: Queue preemption failed for queue with
+doorbell_id: 80030008
+amdgpu 0048:0f:00.0: amdgpu: Failed to evict process queues
+amdgpu 0048:0f:00.0: amdgpu: Failed to restore process queues
+
+This issue is observed on both 4 KB and 64 KB system page-size
+configurations.
+
+This patch fixes the issue by aligning the control stack size to
+AMDGPU_GPU_PAGE_SIZE instead of PAGE_SIZE, so the control stack size
+will not be 64 KB on systems with a 64 KB page size and queue
+preemption works correctly.
+
+Additionally, In the current code, wg_data_size is aligned to PAGE_SIZE,
+which can waste memory if the system page size is large. In this patch,
+wg_data_size is aligned to AMDGPU_GPU_PAGE_SIZE. The cwsr_size, calculated
+from wg_data_size and the control stack size, is aligned to PAGE_SIZE.
+
+Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
+Signed-off-by: Donet Tom <donettom@linux.ibm.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit a3e14436304392fbada359edd0f1d1659850c9b7)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_queue.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_queue.c b/drivers/gpu/drm/amd/amdkfd/kfd_queue.c
+index 2822c90bd7be4..b97f4a51db6e3 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_queue.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_queue.c
+@@ -444,10 +444,11 @@ void kfd_queue_ctx_save_restore_size(struct kfd_topology_device *dev)
+ min(cu_num * 40, props->array_count / props->simd_arrays_per_engine * 512)
+ : cu_num * 32;
+
+- wg_data_size = ALIGN(cu_num * WG_CONTEXT_DATA_SIZE_PER_CU(gfxv, props), PAGE_SIZE);
++ wg_data_size = ALIGN(cu_num * WG_CONTEXT_DATA_SIZE_PER_CU(gfxv, props),
++ AMDGPU_GPU_PAGE_SIZE);
+ ctl_stack_size = wave_num * CNTL_STACK_BYTES_PER_WAVE(gfxv) + 8;
+ ctl_stack_size = ALIGN(SIZEOF_HSA_USER_CONTEXT_SAVE_AREA_HEADER + ctl_stack_size,
+- PAGE_SIZE);
++ AMDGPU_GPU_PAGE_SIZE);
+
+ if ((gfxv / 10000 * 10000) == 100000) {
+ /* HW design limits control stack size to 0x7000.
+@@ -459,7 +460,7 @@ void kfd_queue_ctx_save_restore_size(struct kfd_topology_device *dev)
+
+ props->ctl_stack_size = ctl_stack_size;
+ props->debug_memory_size = ALIGN(wave_num * DEBUGGER_BYTES_PER_WAVE, DEBUGGER_BYTES_ALIGN);
+- props->cwsr_size = ctl_stack_size + wg_data_size;
++ props->cwsr_size = ALIGN(ctl_stack_size + wg_data_size, PAGE_SIZE);
+
+ if (gfxv == 80002) /* GFX_VERSION_TONGA */
+ props->eop_buffer_size = 0x8000;
+--
+2.53.0
+
--- /dev/null
+From a2c22694466379f5759850e16fbe4a86380cd690 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:45 -0300
+Subject: drm/vc4: Fix a memory leak in hang state error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit 9525d169e5fd481538cf8c663cc5839e54f2e481 ]
+
+When vc4_save_hang_state() encounters an early return condition, it
+returns without freeing the previously allocated `kernel_state`,
+leaking memory.
+
+Add the missing kfree() calls by consolidating the early return paths
+into a single place.
+
+Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-3-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index 0562f78e28357..840aadb14b518 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -171,10 +171,8 @@ vc4_save_hang_state(struct drm_device *dev)
+ spin_lock_irqsave(&vc4->job_lock, irqflags);
+ exec[0] = vc4_first_bin_job(vc4);
+ exec[1] = vc4_first_render_job(vc4);
+- if (!exec[0] && !exec[1]) {
+- spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+- return;
+- }
++ if (!exec[0] && !exec[1])
++ goto err_free_state;
+
+ /* Get the bos from both binner and renderer into hang state. */
+ state->bo_count = 0;
+@@ -191,10 +189,8 @@ vc4_save_hang_state(struct drm_device *dev)
+ kernel_state->bo = kcalloc(state->bo_count,
+ sizeof(*kernel_state->bo), GFP_ATOMIC);
+
+- if (!kernel_state->bo) {
+- spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+- return;
+- }
++ if (!kernel_state->bo)
++ goto err_free_state;
+
+ k = 0;
+ for (i = 0; i < 2; i++) {
+@@ -286,6 +282,12 @@ vc4_save_hang_state(struct drm_device *dev)
+ vc4->hang_state = kernel_state;
+ spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+ }
++
++ return;
++
++err_free_state:
++ spin_unlock_irqrestore(&vc4->job_lock, irqflags);
++ kfree(kernel_state);
+ }
+
+ static void
+--
+2.53.0
+
--- /dev/null
+From 899fcf293c6734d6908adf821b941e3cc6a61354 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:44 -0300
+Subject: drm/vc4: Fix memory leak of BO array in hang state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit f4dfd6847b3e5d24e336bca6057485116d17aea4 ]
+
+The hang state's BO array is allocated separately with kzalloc() in
+vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the
+missing kfree() for the BO array before freeing the hang state struct.
+
+Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-2-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index ab16164b5edaf..0562f78e28357 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -62,6 +62,7 @@ vc4_free_hang_state(struct drm_device *dev, struct vc4_hang_state *state)
+ for (i = 0; i < state->user_state.bo_count; i++)
+ drm_gem_object_put(state->bo[i]);
+
++ kfree(state->bo);
+ kfree(state);
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 40f1e210198bb70ae33e9d9ea5791ba8bb32f63d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:46 -0300
+Subject: drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit 338c56050d8e892604da97f67bfa8cc4015a955f ]
+
+The mmap callback reads bo->madv without holding madv_lock, racing with
+concurrent DRM_IOCTL_VC4_GEM_MADVISE calls that modify the field under
+the same lock. Add the missing locking to prevent the data race.
+
+Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-4-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_bo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c
+index 46b4474ac41d4..44b1f2b00f9b0 100644
+--- a/drivers/gpu/drm/vc4/vc4_bo.c
++++ b/drivers/gpu/drm/vc4/vc4_bo.c
+@@ -739,12 +739,15 @@ static int vc4_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct
+ return -EINVAL;
+ }
+
++ mutex_lock(&bo->madv_lock);
+ if (bo->madv != VC4_MADV_WILLNEED) {
+ DRM_DEBUG("mmapping of %s BO not allowed\n",
+ bo->madv == VC4_MADV_DONTNEED ?
+ "purgeable" : "purged");
++ mutex_unlock(&bo->madv_lock);
+ return -EINVAL;
+ }
++ mutex_unlock(&bo->madv_lock);
+
+ return drm_gem_dma_mmap(&bo->base, vma);
+ }
+--
+2.53.0
+
--- /dev/null
+From db9fd831e6819d561182311e395ca6325b2163d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:43 -0300
+Subject: drm/vc4: Release runtime PM reference after binding V3D
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit aaefbdde9abdc43699e110679c0e10972a5e1c59 ]
+
+The vc4_v3d_bind() function acquires a runtime PM reference via
+pm_runtime_resume_and_get() to access V3D registers during setup.
+However, this reference is never released after a successful bind.
+This prevents the device from ever runtime suspending, since the
+reference count never reaches zero.
+
+Release the runtime PM reference by adding pm_runtime_put_autosuspend()
+after autosuspend is configured, allowing the device to runtime suspend
+after the delay.
+
+Fixes: 266cff37d7fc ("drm/vc4: v3d: Rework the runtime_pm setup")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-1-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_v3d.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_v3d.c b/drivers/gpu/drm/vc4/vc4_v3d.c
+index 3ffe09bc89d27..d31b906cb8e78 100644
+--- a/drivers/gpu/drm/vc4/vc4_v3d.c
++++ b/drivers/gpu/drm/vc4/vc4_v3d.c
+@@ -481,6 +481,7 @@ static int vc4_v3d_bind(struct device *dev, struct device *master, void *data)
+
+ pm_runtime_use_autosuspend(dev);
+ pm_runtime_set_autosuspend_delay(dev, 40); /* a little over 2 frames. */
++ pm_runtime_put_autosuspend(dev);
+
+ return 0;
+
+--
+2.53.0
+
--- /dev/null
+From 6e609e4a00ae03e6437d3337715b03b75ce26046 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Mar 2026 18:27:10 -0700
+Subject: drm/xe: Fix bug in idledly unit conversion
+
+From: Vinay Belgaumkar <vinay.belgaumkar@intel.com>
+
+[ Upstream commit 7596459f3c93d8d45a1bf12d4d7526b50c15baa2 ]
+
+We only need to convert to picosecond units before writing to RING_IDLEDLY.
+
+Fixes: 7c53ff050ba8 ("drm/xe: Apply Wa_16023105232")
+Cc: Tangudu Tilak Tirumalesh <tilak.tirumalesh.tangudu@intel.com>
+Acked-by: Tangudu Tilak Tirumalesh <tilak.tirumalesh.tangudu@intel.com>
+Signed-off-by: Vinay Belgaumkar <vinay.belgaumkar@intel.com>
+Link: https://patch.msgid.link/20260401012710.4165547-1-vinay.belgaumkar@intel.com
+(cherry picked from commit 13743bd628bc9d9a0e2fe53488b2891aedf7cc74)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_hw_engine.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_hw_engine.c b/drivers/gpu/drm/xe/xe_hw_engine.c
+index 6a9e2a4272dde..3e928b6c098f2 100644
+--- a/drivers/gpu/drm/xe/xe_hw_engine.c
++++ b/drivers/gpu/drm/xe/xe_hw_engine.c
+@@ -596,9 +596,8 @@ static void adjust_idledly(struct xe_hw_engine *hwe)
+ maxcnt *= maxcnt_units_ns;
+
+ if (xe_gt_WARN_ON(gt, idledly >= maxcnt || inhibit_switch)) {
+- idledly = DIV_ROUND_CLOSEST(((maxcnt - 1) * maxcnt_units_ns),
++ idledly = DIV_ROUND_CLOSEST(((maxcnt - 1) * 1000),
+ idledly_units_ps);
+- idledly = DIV_ROUND_CLOSEST(idledly, 1000);
+ xe_mmio_write32(>->mmio, RING_IDLEDLY(hwe->mmio_base), idledly);
+ }
+ }
+--
+2.53.0
+
--- /dev/null
+From 394afacea24a50c368006d81f9d0d609c4bda5bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 11:29:40 +0100
+Subject: dt-bindings: net: Fix Tegra234 MGBE PTP clock
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+[ Upstream commit fb22b1fc5bca3c0aad95388933497ceb30f1fb26 ]
+
+The PTP clock for the Tegra234 MGBE device is incorrectly named
+'ptp-ref' and should be 'ptp_ref'. This is causing the following
+warning to be observed on Tegra234 platforms that use this device:
+
+ ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate
+ WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed
+
+Although this constitutes an ABI breakage in the binding for this
+device, PTP support has clearly never worked and so fix this now
+so we can correct the device-tree for this device. Note that the
+MGBE driver still supports the legacy 'ptp-ref' clock name and so
+older/existing device-trees will still work, but given that this
+is not the correct name, there is no point to advertise this in the
+binding.
+
+Fixes: 189c2e5c7669 ("dt-bindings: net: Add Tegra234 MGBE")
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260401102941.17466-3-jonathanh@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../devicetree/bindings/net/nvidia,tegra234-mgbe.yaml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
+index 2bd3efff2485e..215f14d1897d2 100644
+--- a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
++++ b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
+@@ -42,7 +42,7 @@ properties:
+ - const: mgbe
+ - const: mac
+ - const: mac-divider
+- - const: ptp-ref
++ - const: ptp_ref
+ - const: rx-input-m
+ - const: rx-input
+ - const: tx
+@@ -133,7 +133,7 @@ examples:
+ <&bpmp TEGRA234_CLK_MGBE0_RX_PCS_M>,
+ <&bpmp TEGRA234_CLK_MGBE0_RX_PCS>,
+ <&bpmp TEGRA234_CLK_MGBE0_TX_PCS>;
+- clock-names = "mgbe", "mac", "mac-divider", "ptp-ref", "rx-input-m",
++ clock-names = "mgbe", "mac", "mac-divider", "ptp_ref", "rx-input-m",
+ "rx-input", "tx", "eee-pcs", "rx-pcs-input", "rx-pcs-m",
+ "rx-pcs", "tx-pcs";
+ resets = <&bpmp TEGRA234_RESET_MGBE0_MAC>,
+--
+2.53.0
+
--- /dev/null
+From e777a6a0994741b1a63a709836591bae54afbccc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 15:05:05 +0300
+Subject: e1000: check return value of e1000_read_eeprom
+
+From: Agalakov Daniil <ade@amicon.ru>
+
+[ Upstream commit d3baa34a470771399c1495bc04b1e26ac15d598e ]
+
+[Why]
+e1000_set_eeprom() performs a read-modify-write operation when the write
+range is not word-aligned. This requires reading the first and last words
+of the range from the EEPROM to preserve the unmodified bytes.
+
+However, the code does not check the return value of e1000_read_eeprom().
+If the read fails, the operation continues using uninitialized data from
+eeprom_buff. This results in corrupted data being written back to the
+EEPROM for the boundary words.
+
+Add the missing error checks and abort the operation if reading fails.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Co-developed-by: Iskhakov Daniil <dish@amicon.ru>
+Signed-off-by: Iskhakov Daniil <dish@amicon.ru>
+Signed-off-by: Agalakov Daniil <ade@amicon.ru>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+index 726365c567ef3..75d0bfa7530b4 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+@@ -496,14 +496,19 @@ static int e1000_set_eeprom(struct net_device *netdev,
+ */
+ ret_val = e1000_read_eeprom(hw, first_word, 1,
+ &eeprom_buff[0]);
++ if (ret_val)
++ goto out;
++
+ ptr++;
+ }
+- if (((eeprom->offset + eeprom->len) & 1) && (ret_val == 0)) {
++ if ((eeprom->offset + eeprom->len) & 1) {
+ /* need read/modify/write of last changed EEPROM word
+ * only the first byte of the word is being modified
+ */
+ ret_val = e1000_read_eeprom(hw, last_word, 1,
+ &eeprom_buff[last_word - first_word]);
++ if (ret_val)
++ goto out;
+ }
+
+ /* Device's eeprom is always little-endian, word addressable */
+@@ -522,6 +527,7 @@ static int e1000_set_eeprom(struct net_device *netdev,
+ if ((ret_val == 0) && (first_word <= EEPROM_CHECKSUM_REG))
+ e1000_update_eeprom_checksum(hw);
+
++out:
+ kfree(eeprom_buff);
+ return ret_val;
+ }
+--
+2.53.0
+
--- /dev/null
+From 3f743b874e182838e8c56c0288964f8116d3982c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Mar 2026 15:25:32 +0200
+Subject: eventpoll: defer struct eventpoll free to RCU grace period
+
+From: Nicholas Carlini <nicholas@carlini.com>
+
+[ Upstream commit 07712db80857d5d09ae08f3df85a708ecfc3b61f ]
+
+In certain situations, ep_free() in eventpoll.c will kfree the epi->ep
+eventpoll struct while it still being used by another concurrent thread.
+Defer the kfree() to an RCU callback to prevent UAF.
+
+Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion")
+Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/eventpoll.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index d20917b03161b..3bdbaf202d4db 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -226,6 +226,9 @@ struct eventpoll {
+ */
+ refcount_t refcount;
+
++ /* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */
++ struct rcu_head rcu;
++
+ #ifdef CONFIG_NET_RX_BUSY_POLL
+ /* used to track busy poll napi_id */
+ unsigned int napi_id;
+@@ -819,7 +822,8 @@ static void ep_free(struct eventpoll *ep)
+ mutex_destroy(&ep->mtx);
+ free_uid(ep->user);
+ wakeup_source_unregister(ep->ws);
+- kfree(ep);
++ /* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */
++ kfree_rcu(ep, rcu);
+ }
+
+ /*
+--
+2.53.0
+
--- /dev/null
+From a21cf07f9d62a86e60159f1d5a09bfdccf654ca5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 13:11:27 -0700
+Subject: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
+
+From: Fredric Cover <FredTheDude@proton.me>
+
+[ Upstream commit 78ec5bf2f589ec7fd8f169394bfeca541b077317 ]
+
+When cifs_sanitize_prepath is called with an empty string or a string
+containing only delimiters (e.g., "/"), the current logic attempts to
+check *(cursor2 - 1) before cursor2 has advanced. This results in an
+out-of-bounds read.
+
+This patch adds an early exit check after stripping prepended
+delimiters. If no path content remains, the function returns NULL.
+
+The bug was identified via manual audit and verified using a
+standalone test case compiled with AddressSanitizer, which
+triggered a SEGV on affected inputs.
+
+Signed-off-by: Fredric Cover <FredTheDude@proton.me>
+Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/fs_context.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
+index e0d2cd78c82f1..e61bb6ac1d111 100644
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -589,6 +589,10 @@ char *cifs_sanitize_prepath(char *prepath, gfp_t gfp)
+ while (IS_DELIM(*cursor1))
+ cursor1++;
+
++ /* exit in case of only delimiters */
++ if (!*cursor1)
++ return NULL;
++
+ /* copy the first letter */
+ *cursor2 = *cursor1;
+
+--
+2.53.0
+
--- /dev/null
+From 7433cfd6721430e68cb3a274ea501820659d9915 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 14:02:47 -0700
+Subject: gpio: tegra: fix irq_release_resources calling enable instead of
+ disable
+
+From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+
+[ Upstream commit 1561d96f5f55c1bca9ff047ace5813f4f244eea6 ]
+
+tegra_gpio_irq_release_resources() erroneously calls tegra_gpio_enable()
+instead of tegra_gpio_disable(). When IRQ resources are released, the
+GPIO configuration bit (CNF) should be cleared to deconfigure the pin as
+a GPIO. Leaving it enabled wastes power and can cause unexpected behavior
+if the pin is later reused for an alternate function via pinctrl.
+
+Fixes: 66fecef5bde0 ("gpio: tegra: Convert to gpio_irq_chip")
+Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+Link: https://patch.msgid.link/20260407210247.1737938-1-samasth.norway.ananda@oracle.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-tegra.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-tegra.c b/drivers/gpio/gpio-tegra.c
+index 15a5762a82c25..b14052fe64ac6 100644
+--- a/drivers/gpio/gpio-tegra.c
++++ b/drivers/gpio/gpio-tegra.c
+@@ -595,7 +595,7 @@ static void tegra_gpio_irq_release_resources(struct irq_data *d)
+ struct tegra_gpio_info *tgi = gpiochip_get_data(chip);
+
+ gpiochip_relres_irq(chip, d->hwirq);
+- tegra_gpio_enable(tgi, d->hwirq);
++ tegra_gpio_disable(tgi, d->hwirq);
+ }
+
+ static void tegra_gpio_irq_print_chip(struct irq_data *d, struct seq_file *s)
+--
+2.53.0
+
--- /dev/null
+From 4b743865db1a1b638a77bfeef36ea79e47217dc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 09:25:22 +0100
+Subject: HID: amd_sfh: don't log error when device discovery fails with
+ -EOPNOTSUPP
+
+From: Maximilian Pezzullo <maximilianpezzullo@gmail.com>
+
+[ Upstream commit 743677a8cb30b09f16a7f167f497c2c927891b5a ]
+
+When sensor discovery fails on systems without AMD SFH sensors, the
+code already emits a warning via dev_warn() in amd_sfh_hid_client_init().
+The subsequent dev_err() in sfh_init_work() for the same -EOPNOTSUPP
+return value is redundant and causes unnecessary alarm.
+
+Suppress the dev_err() for -EOPNOTSUPP to avoid confusing users who
+have no AMD SFH sensors.
+
+Fixes: 2105e8e00da4 ("HID: amd_sfh: Improve boot time when SFH is available")
+Reported-by: Casey Croy <ccroy@bugzilla.kernel.org>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221099
+Signed-off-by: Maximilian Pezzullo <maximilianpezzullo@gmail.com>
+Acked-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/amd-sfh-hid/amd_sfh_pcie.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c b/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c
+index 1d9f955573aa4..4b81cebdc3359 100644
+--- a/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c
++++ b/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c
+@@ -413,7 +413,8 @@ static void sfh_init_work(struct work_struct *work)
+ rc = amd_sfh_hid_client_init(mp2);
+ if (rc) {
+ amd_sfh_clear_intr(mp2);
+- dev_err(&pdev->dev, "amd_sfh_hid_client_init failed err %d\n", rc);
++ if (rc != -EOPNOTSUPP)
++ dev_err(&pdev->dev, "amd_sfh_hid_client_init failed err %d\n", rc);
+ return;
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 0e065385ce4181d3ee13acabebf6af496a31ea4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 13:56:29 +0800
+Subject: HID: Intel-thc-hid: Intel-quickspi: Add NVL Device IDs
+
+From: Even Xu <even.xu@intel.com>
+
+[ Upstream commit 48e91af0cbe942d50ef6257d850accdca1d01378 ]
+
+Add Nova Lake THC QuickSPI device IDs to support list.
+
+Signed-off-by: Even Xu <even.xu@intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c | 6 ++++++
+ drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c b/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c
+index ad6bd59963b28..b6a69995692cb 100644
+--- a/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c
++++ b/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c
+@@ -37,6 +37,10 @@ struct quickspi_driver_data arl = {
+ .max_packet_size_value = MAX_PACKET_SIZE_VALUE_MTL,
+ };
+
++struct quickspi_driver_data nvl = {
++ .max_packet_size_value = MAX_PACKET_SIZE_VALUE_LNL,
++};
++
+ /* THC QuickSPI ACPI method to get device properties */
+ /* HIDSPI Method: {6e2ac436-0fcf-41af-a265-b32a220dcfab} */
+ static guid_t hidspi_guid =
+@@ -982,6 +986,8 @@ static const struct pci_device_id quickspi_pci_tbl[] = {
+ {PCI_DEVICE_DATA(INTEL, THC_WCL_DEVICE_ID_SPI_PORT2, &ptl), },
+ {PCI_DEVICE_DATA(INTEL, THC_ARL_DEVICE_ID_SPI_PORT1, &arl), },
+ {PCI_DEVICE_DATA(INTEL, THC_ARL_DEVICE_ID_SPI_PORT2, &arl), },
++ {PCI_DEVICE_DATA(INTEL, THC_NVL_H_DEVICE_ID_SPI_PORT1, &nvl), },
++ {PCI_DEVICE_DATA(INTEL, THC_NVL_H_DEVICE_ID_SPI_PORT2, &nvl), },
+ {}
+ };
+ MODULE_DEVICE_TABLE(pci, quickspi_pci_tbl);
+diff --git a/drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h b/drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h
+index c30e1a42eb098..bf5e18f5a5f42 100644
+--- a/drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h
++++ b/drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h
+@@ -23,6 +23,8 @@
+ #define PCI_DEVICE_ID_INTEL_THC_WCL_DEVICE_ID_SPI_PORT2 0x4D4B
+ #define PCI_DEVICE_ID_INTEL_THC_ARL_DEVICE_ID_SPI_PORT1 0x7749
+ #define PCI_DEVICE_ID_INTEL_THC_ARL_DEVICE_ID_SPI_PORT2 0x774B
++#define PCI_DEVICE_ID_INTEL_THC_NVL_H_DEVICE_ID_SPI_PORT1 0xD349
++#define PCI_DEVICE_ID_INTEL_THC_NVL_H_DEVICE_ID_SPI_PORT2 0xD34B
+
+ /* HIDSPI special ACPI parameters DSM methods */
+ #define ACPI_QUICKSPI_REVISION_NUM 2
+--
+2.53.0
+
--- /dev/null
+From 92bb5f880484c68834a7ae5d0c926698d9723e29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 13:36:59 -0500
+Subject: HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3
+
+From: leo vriska <leo@60228.dev>
+
+[ Upstream commit 532743944324a873bbaf8620fcabcd0e69e30c36 ]
+
+According to a mailing list report [1], this controller's predecessor
+has the same issue. However, it uses the xpad driver instead of HID, so
+this quirk wouldn't apply.
+
+[1]: https://lore.kernel.org/linux-input/unufo3$det$1@ciao.gmane.io/
+
+Signed-off-by: leo vriska <leo@60228.dev>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 7fd67745ee010..666ce30c83b42 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -22,6 +22,9 @@
+ #define USB_DEVICE_ID_3M2256 0x0502
+ #define USB_DEVICE_ID_3M3266 0x0506
+
++#define USB_VENDOR_ID_8BITDO 0x2dc8
++#define USB_DEVICE_ID_8BITDO_PRO_3 0x6009
++
+ #define USB_VENDOR_ID_A4TECH 0x09da
+ #define USB_DEVICE_ID_A4TECH_WCP32PU 0x0006
+ #define USB_DEVICE_ID_A4TECH_X5_005D 0x000a
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index 3217e436c052c..f6be3ffee0232 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -25,6 +25,7 @@
+ */
+
+ static const struct hid_device_id hid_quirks[] = {
++ { HID_USB_DEVICE(USB_VENDOR_ID_8BITDO, USB_DEVICE_ID_8BITDO_PRO_3), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD },
+ { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL },
+--
+2.53.0
+
--- /dev/null
+From 54452139742ae35e2cecb33f236fb748cd32e0b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 16:11:07 +0000
+Subject: HID: roccat: fix use-after-free in roccat_report_event
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benoît Sevens <bsevens@google.com>
+
+[ Upstream commit d802d848308b35220f21a8025352f0c0aba15c12 ]
+
+roccat_report_event() iterates over the device->readers list without
+holding the readers_lock. This allows a concurrent roccat_release() to
+remove and free a reader while it's still being accessed, leading to a
+use-after-free.
+
+Protect the readers list traversal with the readers_lock mutex.
+
+Signed-off-by: Benoît Sevens <bsevens@google.com>
+Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-roccat.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c
+index c7f7562e22e56..e413662f75082 100644
+--- a/drivers/hid/hid-roccat.c
++++ b/drivers/hid/hid-roccat.c
+@@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data)
+ if (!new_value)
+ return -ENOMEM;
+
++ mutex_lock(&device->readers_lock);
+ mutex_lock(&device->cbuf_lock);
+
+ report = &device->cbuf[device->cbuf_end];
+@@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data)
+ }
+
+ mutex_unlock(&device->cbuf_lock);
++ mutex_unlock(&device->readers_lock);
+
+ wake_up_interruptible(&device->wait);
+ return 0;
+--
+2.53.0
+
--- /dev/null
+From bf7d2b5d11748d2604b825c4786a0a5f0165473d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Feb 2026 14:14:00 +0000
+Subject: ice: ptp: don't WARN when controlling PF is unavailable
+
+From: Kohei Enju <kohei@enjuk.jp>
+
+[ Upstream commit bb3f21edc7056cdf44a7f7bd7ba65af40741838c ]
+
+In VFIO passthrough setups, it is possible to pass through only a PF
+which doesn't own the source timer. In that case the PTP controlling PF
+(adapter->ctrl_pf) is never initialized in the VM, so ice_get_ctrl_ptp()
+returns NULL and triggers WARN_ON() in ice_ptp_setup_pf().
+
+Since this is an expected behavior in that configuration, replace
+WARN_ON() with an informational message and return -EOPNOTSUPP.
+
+Fixes: e800654e85b5 ("ice: Use ice_adapter for PTP shared data instead of auxdev")
+Signed-off-by: Kohei Enju <kohei@enjuk.jp>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ptp.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c
+index 2726830014762..082313023024c 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ptp.c
++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c
+@@ -3048,7 +3048,13 @@ static int ice_ptp_setup_pf(struct ice_pf *pf)
+ struct ice_ptp *ctrl_ptp = ice_get_ctrl_ptp(pf);
+ struct ice_ptp *ptp = &pf->ptp;
+
+- if (WARN_ON(!ctrl_ptp) || pf->hw.mac_type == ICE_MAC_UNKNOWN)
++ if (!ctrl_ptp) {
++ dev_info(ice_pf_to_dev(pf),
++ "PTP unavailable: no controlling PF\n");
++ return -EOPNOTSUPP;
++ }
++
++ if (pf->hw.mac_type == ICE_MAC_UNKNOWN)
+ return -ENODEV;
+
+ INIT_LIST_HEAD(&ptp->port.list_node);
+--
+2.53.0
+
--- /dev/null
+From 26e0aff7d4ce21bd23d39af00510dce2149992b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 15:04:19 +0800
+Subject: ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
+
+From: Yiqi Sun <sunyiqixm@gmail.com>
+
+[ Upstream commit fde29fd9349327acc50d19a0b5f3d5a6c964dfd8 ]
+
+ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the
+IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing
+this error pointer to dev_hold() will cause a kernel crash with
+null-ptr-deref.
+
+Instead, silently discard the request. RFC 8335 does not appear to
+define a specific response for the case where an IPv6 interface
+identifier is syntactically valid but the implementation cannot perform
+the lookup at runtime, and silently dropping the request may safer than
+misreporting "No Such Interface".
+
+Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
+Signed-off-by: Yiqi Sun <sunyiqixm@gmail.com>
+Link: https://patch.msgid.link/20260402070419.2291578-1-sunyiqixm@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index e619b73f5063e..11bda6c9eaa44 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -1333,6 +1333,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
+ if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr))
+ goto send_mal_query;
+ dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
++ /*
++ * If IPv6 identifier lookup is unavailable, silently
++ * discard the request instead of misreporting NO_IF.
++ */
++ if (IS_ERR(dev))
++ return false;
++
+ dev_hold(dev);
+ break;
+ #endif
+--
+2.53.0
+
--- /dev/null
+From 164399a145ba91af66d32e4334fe5145b472abe9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 09:26:13 +0200
+Subject: ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()
+
+From: Fernando Fernandez Mancera <fmancera@suse.de>
+
+[ Upstream commit 14cf0cd35361f4e94824bf8a42f72713d7702a73 ]
+
+When querying a nexthop object via RTM_GETNEXTHOP, the kernel currently
+allocates a fixed-size skb using NLMSG_GOODSIZE. While sufficient for
+single nexthops and small Equal-Cost Multi-Path groups, this fixed
+allocation fails for large nexthop groups like 512 nexthops.
+
+This results in the following warning splat:
+
+ WARNING: net/ipv4/nexthop.c:3395 at rtm_get_nexthop+0x176/0x1c0, CPU#20: rep/4608
+ [...]
+ RIP: 0010:rtm_get_nexthop (net/ipv4/nexthop.c:3395)
+ [...]
+ Call Trace:
+ <TASK>
+ rtnetlink_rcv_msg (net/core/rtnetlink.c:6989)
+ netlink_rcv_skb (net/netlink/af_netlink.c:2550)
+ netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
+ netlink_sendmsg (net/netlink/af_netlink.c:1894)
+ ____sys_sendmsg (net/socket.c:721 net/socket.c:736 net/socket.c:2585)
+ ___sys_sendmsg (net/socket.c:2641)
+ __sys_sendmsg (net/socket.c:2671)
+ do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+ </TASK>
+
+Fix this by allocating the size dynamically using nh_nlmsg_size() and
+using nlmsg_new(), this is consistent with nexthop_notify() behavior. In
+addition, adjust nh_nlmsg_size_grp() so it calculates the size needed
+based on flags passed. While at it, also add the size of NHA_FDB for
+nexthop group size calculation as it was missing too.
+
+This cannot be reproduced via iproute2 as the group size is currently
+limited and the command fails as follows:
+
+addattr_l ERROR: message exceeded bound of 1048
+
+Fixes: 430a049190de ("nexthop: Add support for nexthop groups")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Closes: https://lore.kernel.org/netdev/CAL_bE8Li2h4KO+AQFXW4S6Yb_u5X4oSKnkywW+LPFjuErhqELA@mail.gmail.com/
+Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20260402072613.25262-2-fmancera@suse.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/nexthop.c | 38 +++++++++++++++++++++++++++-----------
+ 1 file changed, 27 insertions(+), 11 deletions(-)
+
+diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
+index aa53a74ac2389..c958b8edfe540 100644
+--- a/net/ipv4/nexthop.c
++++ b/net/ipv4/nexthop.c
+@@ -1006,16 +1006,32 @@ static size_t nh_nlmsg_size_grp_res(struct nh_group *nhg)
+ nla_total_size_64bit(8);/* NHA_RES_GROUP_UNBALANCED_TIME */
+ }
+
+-static size_t nh_nlmsg_size_grp(struct nexthop *nh)
++static size_t nh_nlmsg_size_grp(struct nexthop *nh, u32 op_flags)
+ {
+ struct nh_group *nhg = rtnl_dereference(nh->nh_grp);
+ size_t sz = sizeof(struct nexthop_grp) * nhg->num_nh;
+ size_t tot = nla_total_size(sz) +
+- nla_total_size(2); /* NHA_GROUP_TYPE */
++ nla_total_size(2) + /* NHA_GROUP_TYPE */
++ nla_total_size(0); /* NHA_FDB */
+
+ if (nhg->resilient)
+ tot += nh_nlmsg_size_grp_res(nhg);
+
++ if (op_flags & NHA_OP_FLAG_DUMP_STATS) {
++ tot += nla_total_size(0) + /* NHA_GROUP_STATS */
++ nla_total_size(4); /* NHA_HW_STATS_ENABLE */
++ tot += nhg->num_nh *
++ (nla_total_size(0) + /* NHA_GROUP_STATS_ENTRY */
++ nla_total_size(4) + /* NHA_GROUP_STATS_ENTRY_ID */
++ nla_total_size_64bit(8)); /* NHA_GROUP_STATS_ENTRY_PACKETS */
++
++ if (op_flags & NHA_OP_FLAG_DUMP_HW_STATS) {
++ tot += nhg->num_nh *
++ nla_total_size_64bit(8); /* NHA_GROUP_STATS_ENTRY_PACKETS_HW */
++ tot += nla_total_size(4); /* NHA_HW_STATS_USED */
++ }
++ }
++
+ return tot;
+ }
+
+@@ -1050,14 +1066,14 @@ static size_t nh_nlmsg_size_single(struct nexthop *nh)
+ return sz;
+ }
+
+-static size_t nh_nlmsg_size(struct nexthop *nh)
++static size_t nh_nlmsg_size(struct nexthop *nh, u32 op_flags)
+ {
+ size_t sz = NLMSG_ALIGN(sizeof(struct nhmsg));
+
+ sz += nla_total_size(4); /* NHA_ID */
+
+ if (nh->is_group)
+- sz += nh_nlmsg_size_grp(nh) +
++ sz += nh_nlmsg_size_grp(nh, op_flags) +
+ nla_total_size(4) + /* NHA_OP_FLAGS */
+ 0;
+ else
+@@ -1073,7 +1089,7 @@ static void nexthop_notify(int event, struct nexthop *nh, struct nl_info *info)
+ struct sk_buff *skb;
+ int err = -ENOBUFS;
+
+- skb = nlmsg_new(nh_nlmsg_size(nh), gfp_any());
++ skb = nlmsg_new(nh_nlmsg_size(nh, 0), gfp_any());
+ if (!skb)
+ goto errout;
+
+@@ -3379,15 +3395,15 @@ static int rtm_get_nexthop(struct sk_buff *in_skb, struct nlmsghdr *nlh,
+ if (err)
+ return err;
+
+- err = -ENOBUFS;
+- skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
+- if (!skb)
+- goto out;
+-
+ err = -ENOENT;
+ nh = nexthop_find_by_id(net, id);
+ if (!nh)
+- goto errout_free;
++ goto out;
++
++ err = -ENOBUFS;
++ skb = nlmsg_new(nh_nlmsg_size(nh, op_flags), GFP_KERNEL);
++ if (!skb)
++ goto out;
+
+ err = nh_fill_node(skb, nh, RTM_NEWNEXTHOP, NETLINK_CB(in_skb).portid,
+ nlh->nlmsg_seq, 0, op_flags);
+--
+2.53.0
+
--- /dev/null
+From 0f0320480e227bef2a32de6529436d700b4409a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 09:26:12 +0200
+Subject: ipv4: nexthop: avoid duplicate NHA_HW_STATS_ENABLE on nexthop group
+ dump
+
+From: Fernando Fernandez Mancera <fmancera@suse.de>
+
+[ Upstream commit 06aaf04ca815f7a1f17762fd847b7bc14b8833fb ]
+
+Currently NHA_HW_STATS_ENABLE is included twice everytime a dump of
+nexthop group is performed with NHA_OP_FLAG_DUMP_STATS. As all the stats
+querying were moved to nla_put_nh_group_stats(), leave only that
+instance of the attribute querying.
+
+Fixes: 5072ae00aea4 ("net: nexthop: Expose nexthop group HW stats to user space")
+Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20260402072613.25262-1-fmancera@suse.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/nexthop.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
+index 427c201175949..aa53a74ac2389 100644
+--- a/net/ipv4/nexthop.c
++++ b/net/ipv4/nexthop.c
+@@ -905,8 +905,7 @@ static int nla_put_nh_group(struct sk_buff *skb, struct nexthop *nh,
+ goto nla_put_failure;
+
+ if (op_flags & NHA_OP_FLAG_DUMP_STATS &&
+- (nla_put_u32(skb, NHA_HW_STATS_ENABLE, nhg->hw_stats) ||
+- nla_put_nh_group_stats(skb, nh, op_flags)))
++ nla_put_nh_group_stats(skb, nh, op_flags))
+ goto nla_put_failure;
+
+ return 0;
+--
+2.53.0
+
--- /dev/null
+From 12d7039ab78b8f4351648a89e5c1050649869405 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 10:17:32 +0000
+Subject: ipv6: ioam: fix potential NULL dereferences in
+ __ioam6_fill_trace_data()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4e65a8b8daa18d63255ec58964dd192c7fdd9f8b ]
+
+We need to check __in6_dev_get() for possible NULL value, as
+suggested by Yiming Qian.
+
+Also add skb_dst_dev_rcu() instead of skb_dst_dev(),
+and two missing READ_ONCE().
+
+Note that @dev can't be NULL.
+
+Fixes: 9ee11f0fff20 ("ipv6: ioam: Data plane support for Pre-allocated Trace")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
+Link: https://patch.msgid.link/20260402101732.1188059-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ioam6.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/net/ipv6/ioam6.c b/net/ipv6/ioam6.c
+index 8db7f965696aa..12350e1e18bde 100644
+--- a/net/ipv6/ioam6.c
++++ b/net/ipv6/ioam6.c
+@@ -710,7 +710,9 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb,
+ struct ioam6_schema *sc,
+ unsigned int sclen, bool is_input)
+ {
+- struct net_device *dev = skb_dst_dev(skb);
++ /* Note: skb_dst_dev_rcu() can't be NULL at this point. */
++ struct net_device *dev = skb_dst_dev_rcu(skb);
++ struct inet6_dev *i_skb_dev, *idev;
+ struct timespec64 ts;
+ ktime_t tstamp;
+ u64 raw64;
+@@ -721,13 +723,16 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb,
+
+ data = trace->data + trace->remlen * 4 - trace->nodelen * 4 - sclen * 4;
+
++ i_skb_dev = skb->dev ? __in6_dev_get(skb->dev) : NULL;
++ idev = __in6_dev_get(dev);
++
+ /* hop_lim and node_id */
+ if (trace->type.bit0) {
+ byte = ipv6_hdr(skb)->hop_limit;
+ if (is_input)
+ byte--;
+
+- raw32 = dev_net(dev)->ipv6.sysctl.ioam6_id;
++ raw32 = READ_ONCE(dev_net(dev)->ipv6.sysctl.ioam6_id);
+
+ *(__be32 *)data = cpu_to_be32((byte << 24) | raw32);
+ data += sizeof(__be32);
+@@ -735,18 +740,18 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb,
+
+ /* ingress_if_id and egress_if_id */
+ if (trace->type.bit1) {
+- if (!skb->dev)
++ if (!i_skb_dev)
+ raw16 = IOAM6_U16_UNAVAILABLE;
+ else
+- raw16 = (__force u16)READ_ONCE(__in6_dev_get(skb->dev)->cnf.ioam6_id);
++ raw16 = (__force u16)READ_ONCE(i_skb_dev->cnf.ioam6_id);
+
+ *(__be16 *)data = cpu_to_be16(raw16);
+ data += sizeof(__be16);
+
+- if (dev->flags & IFF_LOOPBACK)
++ if ((dev->flags & IFF_LOOPBACK) || !idev)
+ raw16 = IOAM6_U16_UNAVAILABLE;
+ else
+- raw16 = (__force u16)READ_ONCE(__in6_dev_get(dev)->cnf.ioam6_id);
++ raw16 = (__force u16)READ_ONCE(idev->cnf.ioam6_id);
+
+ *(__be16 *)data = cpu_to_be16(raw16);
+ data += sizeof(__be16);
+@@ -822,7 +827,7 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb,
+ if (is_input)
+ byte--;
+
+- raw64 = dev_net(dev)->ipv6.sysctl.ioam6_id_wide;
++ raw64 = READ_ONCE(dev_net(dev)->ipv6.sysctl.ioam6_id_wide);
+
+ *(__be64 *)data = cpu_to_be64(((u64)byte << 56) | raw64);
+ data += sizeof(__be64);
+@@ -830,18 +835,18 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb,
+
+ /* ingress_if_id and egress_if_id (wide) */
+ if (trace->type.bit9) {
+- if (!skb->dev)
++ if (!i_skb_dev)
+ raw32 = IOAM6_U32_UNAVAILABLE;
+ else
+- raw32 = READ_ONCE(__in6_dev_get(skb->dev)->cnf.ioam6_id_wide);
++ raw32 = READ_ONCE(i_skb_dev->cnf.ioam6_id_wide);
+
+ *(__be32 *)data = cpu_to_be32(raw32);
+ data += sizeof(__be32);
+
+- if (dev->flags & IFF_LOOPBACK)
++ if ((dev->flags & IFF_LOOPBACK) || !idev)
+ raw32 = IOAM6_U32_UNAVAILABLE;
+ else
+- raw32 = READ_ONCE(__in6_dev_get(dev)->cnf.ioam6_id_wide);
++ raw32 = READ_ONCE(idev->cnf.ioam6_id_wide);
+
+ *(__be32 *)data = cpu_to_be32(raw32);
+ data += sizeof(__be32);
+--
+2.53.0
+
--- /dev/null
+From c5a02ad6953eb2d0cbfa6dc2e3e4f9178a77758b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 15:58:01 +0800
+Subject: ipvs: fix NULL deref in ip_vs_add_service error path
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit 9a91797e61d286805ae10a92cc48959c30800556 ]
+
+When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local
+variable sched is set to NULL. If ip_vs_start_estimator() subsequently
+fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched)
+with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL
+check (because svc->scheduler was set by the successful bind) but then
+dereferences the NULL sched parameter at sched->done_service, causing a
+kernel panic at offset 0x30 from NULL.
+
+ Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI
+ KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
+ RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69)
+ Call Trace:
+ <TASK>
+ ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500)
+ do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809)
+ nf_setsockopt (net/netfilter/nf_sockopt.c:102)
+ [..]
+
+Fix by simply not clearing the local sched variable after a successful
+bind. ip_vs_unbind_scheduler() already detects whether a scheduler is
+installed via svc->scheduler, and keeping sched non-NULL ensures the
+error path passes the correct pointer to both ip_vs_unbind_scheduler()
+and ip_vs_scheduler_put().
+
+While the bug is older, the problem popups in more recent kernels (6.2),
+when the new error path is taken after the ip_vs_start_estimator() call.
+
+Fixes: 705dd3444081 ("ipvs: use kthreads for stats estimation")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Acked-by: Simon Horman <horms@kernel.org>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 0687028943774..ce217a25a6af7 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -1452,7 +1452,6 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
+ ret = ip_vs_bind_scheduler(svc, sched);
+ if (ret)
+ goto out_err;
+- sched = NULL;
+ }
+
+ ret = ip_vs_start_estimator(ipvs, &svc->stats);
+--
+2.53.0
+
--- /dev/null
+From de1d089f822f5b5096d80693973577c25c69e6d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 09:42:32 +0100
+Subject: ixgbe: stop re-reading flash on every get_drvinfo for e610
+
+From: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+
+[ Upstream commit d8ae40dc20cbd7bb6e6b36a928e2db2296060ad2 ]
+
+ixgbe_get_drvinfo() calls ixgbe_refresh_fw_version() on every ethtool
+query for e610 adapters. That ends up in ixgbe_discover_flash_size(),
+which bisects the full 16 MB NVM space issuing one ACI command per
+step (~20 ms each, ~24 steps total = ~500 ms).
+
+Profiling on an idle E610-XAT2 system with telegraf scraping ethtool
+stats every 10 seconds:
+
+ kretprobe:ixgbe_get_drvinfo took 527603 us
+ kretprobe:ixgbe_get_drvinfo took 523978 us
+ kretprobe:ixgbe_get_drvinfo took 552975 us
+ kretprobe:ice_get_drvinfo took 3 us
+ kretprobe:igb_get_drvinfo took 2 us
+ kretprobe:i40e_get_drvinfo took 5 us
+
+The half-second stall happens under the RTNL lock, causing visible
+latency on ip-link and friends.
+
+The FW version can only change after an EMPR reset. All flash data is
+already populated at probe time and the cached adapter->eeprom_id is
+what get_drvinfo should be returning. The only place that needs to
+trigger a re-read is ixgbe_devlink_reload_empr_finish(), right after
+the EMPR completes and new firmware is running. Additionally, refresh
+the FW version in ixgbe_reinit_locked() so that any PF that undergoes a
+reinit after an EMPR (e.g. triggered by another PF's devlink reload)
+also picks up the new version in adapter->eeprom_id.
+
+ixgbe_devlink_info_get() keeps its refresh call for explicit
+"devlink dev info" queries, which is fine given those are user-initiated.
+
+Fixes: c9e563cae19e ("ixgbe: add support for devlink reload")
+Co-developed-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/devlink/devlink.c | 2 +-
+ drivers/net/ethernet/intel/ixgbe/ixgbe.h | 2 +-
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 13 +++++++------
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 10 ++++++++++
+ 4 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/devlink/devlink.c b/drivers/net/ethernet/intel/ixgbe/devlink/devlink.c
+index d227f4d2a2d17..f32e640ef4ac0 100644
+--- a/drivers/net/ethernet/intel/ixgbe/devlink/devlink.c
++++ b/drivers/net/ethernet/intel/ixgbe/devlink/devlink.c
+@@ -474,7 +474,7 @@ static int ixgbe_devlink_reload_empr_finish(struct devlink *devlink,
+ adapter->flags2 &= ~(IXGBE_FLAG2_API_MISMATCH |
+ IXGBE_FLAG2_FW_ROLLBACK);
+
+- return 0;
++ return ixgbe_refresh_fw_version(adapter);
+ }
+
+ static const struct devlink_ops ixgbe_devlink_ops = {
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
+index dce4936708eb4..047f04045585a 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
+@@ -973,7 +973,7 @@ int ixgbe_init_interrupt_scheme(struct ixgbe_adapter *adapter);
+ bool ixgbe_wol_supported(struct ixgbe_adapter *adapter, u16 device_id,
+ u16 subdevice_id);
+ void ixgbe_set_fw_version_e610(struct ixgbe_adapter *adapter);
+-void ixgbe_refresh_fw_version(struct ixgbe_adapter *adapter);
++int ixgbe_refresh_fw_version(struct ixgbe_adapter *adapter);
+ #ifdef CONFIG_PCI_IOV
+ void ixgbe_full_sync_mac_table(struct ixgbe_adapter *adapter);
+ #endif
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+index 2ad81f687a844..d82c51f673ec8 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+@@ -1153,12 +1153,17 @@ static int ixgbe_set_eeprom(struct net_device *netdev,
+ return ret_val;
+ }
+
+-void ixgbe_refresh_fw_version(struct ixgbe_adapter *adapter)
++int ixgbe_refresh_fw_version(struct ixgbe_adapter *adapter)
+ {
+ struct ixgbe_hw *hw = &adapter->hw;
++ int err;
++
++ err = ixgbe_get_flash_data(hw);
++ if (err)
++ return err;
+
+- ixgbe_get_flash_data(hw);
+ ixgbe_set_fw_version_e610(adapter);
++ return 0;
+ }
+
+ static void ixgbe_get_drvinfo(struct net_device *netdev,
+@@ -1166,10 +1171,6 @@ static void ixgbe_get_drvinfo(struct net_device *netdev,
+ {
+ struct ixgbe_adapter *adapter = ixgbe_from_netdev(netdev);
+
+- /* need to refresh info for e610 in case fw reloads in runtime */
+- if (adapter->hw.mac.type == ixgbe_mac_e610)
+- ixgbe_refresh_fw_version(adapter);
+-
+ strscpy(drvinfo->driver, ixgbe_driver_name, sizeof(drvinfo->driver));
+
+ strscpy(drvinfo->fw_version, adapter->eeprom_id,
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index c58051e4350be..60eadef423ca7 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -6289,6 +6289,16 @@ void ixgbe_reinit_locked(struct ixgbe_adapter *adapter)
+ if (adapter->flags & IXGBE_FLAG_SRIOV_ENABLED)
+ msleep(2000);
+ ixgbe_up(adapter);
++
++ /* E610 has no FW event to notify all PFs of an EMPR reset, so
++ * refresh the FW version here to pick up any new FW version after
++ * a hardware reset (e.g. EMPR triggered by another PF's devlink
++ * reload). ixgbe_refresh_fw_version() updates both hw->flash and
++ * adapter->eeprom_id so ethtool -i reports the correct string.
++ */
++ if (adapter->hw.mac.type == ixgbe_mac_e610)
++ (void)ixgbe_refresh_fw_version(adapter);
++
+ clear_bit(__IXGBE_RESETTING, &adapter->state);
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 7b56272396efc7f59ca26646d48c0101a6118567 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 09:22:29 +0100
+Subject: ixgbevf: add missing negotiate_features op to Hyper-V ops table
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit 4821d563cd7f251ae728be1a6d04af82a294a5b9 ]
+
+Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by
+negotiating supported features") added the .negotiate_features callback
+to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot
+to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL
+on Hyper-V VMs.
+
+During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(),
+which unconditionally dereferences hw->mac.ops.negotiate_features().
+On Hyper-V this results in a NULL pointer dereference:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ [...]
+ Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...]
+ Workqueue: events work_for_cpu_fn
+ RIP: 0010:0x0
+ [...]
+ Call Trace:
+ ixgbevf_negotiate_api+0x66/0x160 [ixgbevf]
+ ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf]
+ ixgbevf_probe+0x20f/0x4a0 [ixgbevf]
+ local_pci_probe+0x50/0xa0
+ work_for_cpu_fn+0x1a/0x30
+ [...]
+
+Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and
+wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP
+gracefully.
+
+Fixes: a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features")
+Reported-by: Xiaoqiang Xiong <xxiong@redhat.com>
+Closes: https://issues.redhat.com/browse/RHEL-155455
+Assisted-by: Claude:claude-4.6-opus-high Cursor
+Tested-by: Xiaoqiang Xiong <xxiong@redhat.com>
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbevf/vf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.c b/drivers/net/ethernet/intel/ixgbevf/vf.c
+index b67b580f7f1c9..f6df86d124b9e 100644
+--- a/drivers/net/ethernet/intel/ixgbevf/vf.c
++++ b/drivers/net/ethernet/intel/ixgbevf/vf.c
+@@ -709,6 +709,12 @@ static int ixgbevf_negotiate_features_vf(struct ixgbe_hw *hw, u32 *pf_features)
+ return err;
+ }
+
++static int ixgbevf_hv_negotiate_features_vf(struct ixgbe_hw *hw,
++ u32 *pf_features)
++{
++ return -EOPNOTSUPP;
++}
++
+ /**
+ * ixgbevf_set_vfta_vf - Set/Unset VLAN filter table address
+ * @hw: pointer to the HW structure
+@@ -1142,6 +1148,7 @@ static const struct ixgbe_mac_operations ixgbevf_hv_mac_ops = {
+ .setup_link = ixgbevf_setup_mac_link_vf,
+ .check_link = ixgbevf_hv_check_mac_link_vf,
+ .negotiate_api_version = ixgbevf_hv_negotiate_api_version_vf,
++ .negotiate_features = ixgbevf_hv_negotiate_features_vf,
+ .set_rar = ixgbevf_hv_set_rar_vf,
+ .update_mc_addr_list = ixgbevf_hv_update_mc_addr_list_vf,
+ .update_xcast_mode = ixgbevf_hv_update_xcast_mode,
+--
+2.53.0
+
--- /dev/null
+From af6e134c7089b25908fa0aefbe44e83fbd03b63a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 20:49:49 +0300
+Subject: l2tp: Drop large packets with UDP encap
+
+From: Alice Mikityanska <alice@isovalent.com>
+
+[ Upstream commit ebe560ea5f54134279356703e73b7f867c89db13 ]
+
+syzbot reported a WARN on my patch series [1]. The actual issue is an
+overflow of 16-bit UDP length field, and it exists in the upstream code.
+My series added a debug WARN with an overflow check that exposed the
+issue, that's why syzbot tripped on my patches, rather than on upstream
+code.
+
+syzbot's repro:
+
+r0 = socket$pppl2tp(0x18, 0x1, 0x1)
+r1 = socket$inet6_udp(0xa, 0x2, 0x0)
+connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c)
+connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
+writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1)
+
+It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP
+encapsulation, and l2tp_xmit_core doesn't check for overflows when it
+assigns the UDP length field. The value gets trimmed to 16 bites.
+
+Add an overflow check that drops oversized packets and avoids sending
+packets with trimmed UDP length to the wire.
+
+syzbot's stack trace (with my patch applied):
+
+len >= 65536u
+WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957
+WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957
+WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957
+Modules linked in:
+CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
+RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline]
+RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline]
+RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327
+Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f
+RSP: 0018:ffffc90003d67878 EFLAGS: 00010293
+RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000
+RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff
+RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
+R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900
+R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000
+FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ sock_write_iter+0x503/0x550 net/socket.c:1195
+ do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1
+ vfs_writev+0x33c/0x990 fs/read_write.c:1059
+ do_writev+0x154/0x2e0 fs/read_write.c:1105
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f636479c629
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
+RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629
+RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003
+RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0
+ </TASK>
+
+[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/
+
+Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
+Reported-by: syzbot+ci3edea60a44225dec@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/69a1dfba.050a0220.3a55be.0026.GAE@google.com/
+Signed-off-by: Alice Mikityanska <alice@isovalent.com>
+Link: https://patch.msgid.link/20260403174949.843941-1-alice.kernel@fastmail.im
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index f9b0f666600f1..336e447897bd6 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1290,6 +1290,11 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns
+ uh->source = inet->inet_sport;
+ uh->dest = inet->inet_dport;
+ udp_len = uhlen + session->hdr_len + data_len;
++ if (udp_len > U16_MAX) {
++ kfree_skb(skb);
++ ret = NET_XMIT_DROP;
++ goto out_unlock;
++ }
+ uh->len = htons(udp_len);
+
+ /* Calculate UDP checksum if configured to do so */
+--
+2.53.0
+
--- /dev/null
+From 6924b14636d40f3730f4cd1457a7930e889c9b8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Feb 2026 10:47:51 +0100
+Subject: media: rkvdec: reduce stack usage in rkvdec_init_v4l2_vp9_count_tbl()
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit c03b7dec3c4ddc97872fa12bfca75bae9cb46510 ]
+
+The deeply nested loop in rkvdec_init_v4l2_vp9_count_tbl() needs a lot
+of registers, so when the clang register allocator runs out, it ends up
+spilling countless temporaries to the stack:
+
+drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c:966:12: error: stack frame size (1472) exceeds limit (1280) in 'rkvdec_vp9_start' [-Werror,-Wframe-larger-than]
+
+Marking this function as noinline_for_stack keeps it out of
+rkvdec_vp9_start(), giving the compiler more room for optimization.
+
+The resulting code is good enough that both the total stack usage
+and the loop get enough better to stay under the warning limit,
+though it's still slow, and would need a larger rework if this
+function ends up being called in a fast path.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c b/drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c
+index b4bf01e839eff..8fb6a1624a14f 100644
+--- a/drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c
++++ b/drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c
+@@ -927,7 +927,8 @@ static void rkvdec_vp9_done(struct rkvdec_ctx *ctx,
+ update_ctx_last_info(vp9_ctx);
+ }
+
+-static void rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx)
++static noinline_for_stack void
++rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx)
+ {
+ struct rkvdec_vp9_ctx *vp9_ctx = ctx->priv;
+ struct rkvdec_vp9_intra_frame_symbol_counts *intra_cnts = vp9_ctx->count_tbl.cpu;
+--
+2.53.0
+
--- /dev/null
+From 90d802d8712ac8431a1649979dd047df3fe96a37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Mar 2026 23:57:40 +0000
+Subject: mshv: Fix infinite fault loop on permission-denied GPA intercepts
+
+From: Stanislav Kinsburskii <skinsburskii@linux.microsoft.com>
+
+[ Upstream commit 16cbec24897624051b324aa3a85859c38ca65fde ]
+
+Prevent infinite fault loops when guests access memory regions without
+proper permissions. Currently, mshv_handle_gpa_intercept() attempts to
+remap pages for all faults on movable memory regions, regardless of
+whether the access type is permitted. When a guest writes to a read-only
+region, the remap succeeds but the region remains read-only, causing
+immediate re-fault and spinning the vCPU indefinitely.
+
+Validate intercept access type against region permissions before
+attempting remaps. Reject writes to non-writable regions and executes to
+non-executable regions early, returning false to let the VMM handle the
+intercept appropriately.
+
+This also closes a potential DoS vector where malicious guests could
+intentionally trigger these fault loops to consume host resources.
+
+Fixes: b9a66cd5ccbb ("mshv: Add support for movable memory regions")
+Signed-off-by: Stanislav Kinsburskii <skinsburskii@linux.microsoft.com>
+Reviewed-by: Anirudh Rayabharam (Microsoft) <anirudh@anirudhrb.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hv/mshv_root_main.c | 15 ++++++++++++---
+ include/hyperv/hvgdk_mini.h | 6 ++++++
+ include/hyperv/hvhdk.h | 4 ++--
+ 3 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/hv/mshv_root_main.c b/drivers/hv/mshv_root_main.c
+index 45cf086ad430d..5611be36f6a8e 100644
+--- a/drivers/hv/mshv_root_main.c
++++ b/drivers/hv/mshv_root_main.c
+@@ -642,7 +642,7 @@ static bool mshv_handle_gpa_intercept(struct mshv_vp *vp)
+ {
+ struct mshv_partition *p = vp->vp_partition;
+ struct mshv_mem_region *region;
+- bool ret;
++ bool ret = false;
+ u64 gfn;
+ #if defined(CONFIG_X86_64)
+ struct hv_x64_memory_intercept_message *msg =
+@@ -653,6 +653,8 @@ static bool mshv_handle_gpa_intercept(struct mshv_vp *vp)
+ (struct hv_arm64_memory_intercept_message *)
+ vp->vp_intercept_msg_page->u.payload;
+ #endif
++ enum hv_intercept_access_type access_type =
++ msg->header.intercept_access_type;
+
+ gfn = HVPFN_DOWN(msg->guest_physical_address);
+
+@@ -660,12 +662,19 @@ static bool mshv_handle_gpa_intercept(struct mshv_vp *vp)
+ if (!region)
+ return false;
+
++ if (access_type == HV_INTERCEPT_ACCESS_WRITE &&
++ !(region->hv_map_flags & HV_MAP_GPA_WRITABLE))
++ goto put_region;
++
++ if (access_type == HV_INTERCEPT_ACCESS_EXECUTE &&
++ !(region->hv_map_flags & HV_MAP_GPA_EXECUTABLE))
++ goto put_region;
++
+ /* Only movable memory ranges are supported for GPA intercepts */
+ if (region->type == MSHV_REGION_TYPE_MEM_MOVABLE)
+ ret = mshv_region_handle_gfn_fault(region, gfn);
+- else
+- ret = false;
+
++put_region:
+ mshv_region_put(region);
+
+ return ret;
+diff --git a/include/hyperv/hvgdk_mini.h b/include/hyperv/hvgdk_mini.h
+index 30fbbde81c5c4..9c523ee57a358 100644
+--- a/include/hyperv/hvgdk_mini.h
++++ b/include/hyperv/hvgdk_mini.h
+@@ -1528,4 +1528,10 @@ struct hv_mmio_write_input {
+ u8 data[HV_HYPERCALL_MMIO_MAX_DATA_LENGTH];
+ } __packed;
+
++enum hv_intercept_access_type {
++ HV_INTERCEPT_ACCESS_READ = 0,
++ HV_INTERCEPT_ACCESS_WRITE = 1,
++ HV_INTERCEPT_ACCESS_EXECUTE = 2
++};
++
+ #endif /* _HV_HVGDK_MINI_H */
+diff --git a/include/hyperv/hvhdk.h b/include/hyperv/hvhdk.h
+index 08965970c17df..84ebe56f1f8db 100644
+--- a/include/hyperv/hvhdk.h
++++ b/include/hyperv/hvhdk.h
+@@ -770,7 +770,7 @@ struct hv_x64_intercept_message_header {
+ u32 vp_index;
+ u8 instruction_length:4;
+ u8 cr8:4; /* Only set for exo partitions */
+- u8 intercept_access_type;
++ u8 intercept_access_type; /* enum hv_intercept_access_type */
+ union hv_x64_vp_execution_state execution_state;
+ struct hv_x64_segment_register cs_segment;
+ u64 rip;
+@@ -816,7 +816,7 @@ union hv_arm64_vp_execution_state {
+ struct hv_arm64_intercept_message_header {
+ u32 vp_index;
+ u8 instruction_length;
+- u8 intercept_access_type;
++ u8 intercept_access_type; /* enum hv_intercept_access_type */
+ union hv_arm64_vp_execution_state execution_state;
+ u64 pc;
+ u64 cpsr;
+--
+2.53.0
+
--- /dev/null
+From b6a87ee52cb9a6217970ecf9368640e90d1b5cd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Mar 2026 11:46:08 -0700
+Subject: net: af_key: zero aligned sockaddr tail in PF_KEY exports
+
+From: Zhengchuan Liang <zcliangcn@gmail.com>
+
+[ Upstream commit 426c355742f02cf743b347d9d7dbdc1bfbfa31ef ]
+
+PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr
+payload space, so IPv6 addresses occupy 32 bytes on the wire. However,
+`pfkey_sockaddr_fill()` initializes only the first 28 bytes of
+`struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized.
+
+Not every PF_KEY message is affected. The state and policy dump builders
+already zero the whole message buffer before filling the sockaddr
+payloads. Keep the fix to the export paths that still append aligned
+sockaddr payloads with plain `skb_put()`:
+
+ - `SADB_ACQUIRE`
+ - `SADB_X_NAT_T_NEW_MAPPING`
+ - `SADB_X_MIGRATE`
+
+Fix those paths by clearing only the aligned sockaddr tail after
+`pfkey_sockaddr_fill()`.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Fixes: 08de61beab8a ("[PFKEYV2]: Extension for dynamic update of endpoint address(es)")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Xiao Liu <lx24@stu.ynu.edu.cn>
+Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/key/af_key.c | 52 +++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 34 insertions(+), 18 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index bc91aeeb74bbf..a6a9a40717ee8 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -757,6 +757,22 @@ static unsigned int pfkey_sockaddr_fill(const xfrm_address_t *xaddr, __be16 port
+ return 0;
+ }
+
++static unsigned int pfkey_sockaddr_fill_zero_tail(const xfrm_address_t *xaddr,
++ __be16 port,
++ struct sockaddr *sa,
++ unsigned short family)
++{
++ unsigned int prefixlen;
++ int sockaddr_len = pfkey_sockaddr_len(family);
++ int sockaddr_size = pfkey_sockaddr_size(family);
++
++ prefixlen = pfkey_sockaddr_fill(xaddr, port, sa, family);
++ if (sockaddr_size > sockaddr_len)
++ memset((u8 *)sa + sockaddr_len, 0, sockaddr_size - sockaddr_len);
++
++ return prefixlen;
++}
++
+ static struct sk_buff *__pfkey_xfrm_state2msg(const struct xfrm_state *x,
+ int add_keys, int hsc)
+ {
+@@ -3206,9 +3222,9 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
+ addr->sadb_address_proto = 0;
+ addr->sadb_address_reserved = 0;
+ addr->sadb_address_prefixlen =
+- pfkey_sockaddr_fill(&x->props.saddr, 0,
+- (struct sockaddr *) (addr + 1),
+- x->props.family);
++ pfkey_sockaddr_fill_zero_tail(&x->props.saddr, 0,
++ (struct sockaddr *)(addr + 1),
++ x->props.family);
+ if (!addr->sadb_address_prefixlen)
+ BUG();
+
+@@ -3221,9 +3237,9 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
+ addr->sadb_address_proto = 0;
+ addr->sadb_address_reserved = 0;
+ addr->sadb_address_prefixlen =
+- pfkey_sockaddr_fill(&x->id.daddr, 0,
+- (struct sockaddr *) (addr + 1),
+- x->props.family);
++ pfkey_sockaddr_fill_zero_tail(&x->id.daddr, 0,
++ (struct sockaddr *)(addr + 1),
++ x->props.family);
+ if (!addr->sadb_address_prefixlen)
+ BUG();
+
+@@ -3421,9 +3437,9 @@ static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr,
+ addr->sadb_address_proto = 0;
+ addr->sadb_address_reserved = 0;
+ addr->sadb_address_prefixlen =
+- pfkey_sockaddr_fill(&x->props.saddr, 0,
+- (struct sockaddr *) (addr + 1),
+- x->props.family);
++ pfkey_sockaddr_fill_zero_tail(&x->props.saddr, 0,
++ (struct sockaddr *)(addr + 1),
++ x->props.family);
+ if (!addr->sadb_address_prefixlen)
+ BUG();
+
+@@ -3443,9 +3459,9 @@ static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr,
+ addr->sadb_address_proto = 0;
+ addr->sadb_address_reserved = 0;
+ addr->sadb_address_prefixlen =
+- pfkey_sockaddr_fill(ipaddr, 0,
+- (struct sockaddr *) (addr + 1),
+- x->props.family);
++ pfkey_sockaddr_fill_zero_tail(ipaddr, 0,
++ (struct sockaddr *)(addr + 1),
++ x->props.family);
+ if (!addr->sadb_address_prefixlen)
+ BUG();
+
+@@ -3474,15 +3490,15 @@ static int set_sadb_address(struct sk_buff *skb, int sasize, int type,
+ switch (type) {
+ case SADB_EXT_ADDRESS_SRC:
+ addr->sadb_address_prefixlen = sel->prefixlen_s;
+- pfkey_sockaddr_fill(&sel->saddr, 0,
+- (struct sockaddr *)(addr + 1),
+- sel->family);
++ pfkey_sockaddr_fill_zero_tail(&sel->saddr, 0,
++ (struct sockaddr *)(addr + 1),
++ sel->family);
+ break;
+ case SADB_EXT_ADDRESS_DST:
+ addr->sadb_address_prefixlen = sel->prefixlen_d;
+- pfkey_sockaddr_fill(&sel->daddr, 0,
+- (struct sockaddr *)(addr + 1),
+- sel->family);
++ pfkey_sockaddr_fill_zero_tail(&sel->daddr, 0,
++ (struct sockaddr *)(addr + 1),
++ sel->family);
+ break;
+ default:
+ return -EINVAL;
+--
+2.53.0
+
--- /dev/null
+From eebbefa3e84819f9302262aba615bd27b807553b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 14:57:10 +0200
+Subject: net: airoha: Fix memory leak in airoha_qdma_rx_process()
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 285fa6b1e03cff78ead0383e1b259c44b95faf90 ]
+
+If an error occurs on the subsequents buffers belonging to the
+non-linear part of the skb (e.g. due to an error in the payload length
+reported by the NIC or if we consumed all the available fragments for
+the skb), the page_pool fragment will not be linked to the skb so it will
+not return to the pool in the airoha_qdma_rx_process() error path. Fix the
+memory leak partially reverting commit 'd6d2b0e1538d ("net: airoha: Fix
+page recycling in airoha_qdma_rx_process()")' and always running
+page_pool_put_full_page routine in the airoha_qdma_rx_process() error
+path.
+
+Fixes: d6d2b0e1538d ("net: airoha: Fix page recycling in airoha_qdma_rx_process()")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260402-airoha_qdma_rx_process-mem-leak-fix-v1-1-b5706f402d3c@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/airoha/airoha_eth.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
+index 454d7dcf198d9..fee5b2eddebb0 100644
+--- a/drivers/net/ethernet/airoha/airoha_eth.c
++++ b/drivers/net/ethernet/airoha/airoha_eth.c
+@@ -697,9 +697,8 @@ static int airoha_qdma_rx_process(struct airoha_queue *q, int budget)
+ if (q->skb) {
+ dev_kfree_skb(q->skb);
+ q->skb = NULL;
+- } else {
+- page_pool_put_full_page(q->page_pool, page, true);
+ }
++ page_pool_put_full_page(q->page_pool, page, true);
+ }
+ airoha_qdma_fill_rx_queue(q);
+
+--
+2.53.0
+
--- /dev/null
+From 1c9fff8f4e93cad1bdcabceeed64cab651be0b5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 16:10:40 +0200
+Subject: net: fec: make FIXED_PHY dependency unconditional
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit e16a0d36777b572196de4944aaa196adf828eb8e ]
+
+When CONFIG_FIXED_PHY is in a loadable module, the fec driver cannot be
+built-in any more:
+
+x86_64-linux-ld: vmlinux.o: in function `fec_enet_mii_probe':
+fec_main.c:(.text+0xc4f367): undefined reference to `fixed_phy_unregister'
+x86_64-linux-ld: vmlinux.o: in function `fec_enet_close':
+fec_main.c:(.text+0xc59591): undefined reference to `fixed_phy_unregister'
+x86_64-linux-ld: vmlinux.o: in function `fec_enet_mii_probe.cold':
+
+Select the fixed phy support on all targets to make this build
+correctly, not just on coldfire.
+
+Notat that Essentially the stub helpers in include/linux/phy_fixed.h
+cannot be used correctly because of this build time dependency,
+and we could just remove them to hit the build failure more often
+when a driver uses them without the 'select FIXED_PHY'.
+
+Fixes: dc86b621e1b4 ("net: fec: register a fixed phy using fixed_phy_register_100fd if needed")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260402141048.2713445-1-arnd@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/Kconfig b/drivers/net/ethernet/freescale/Kconfig
+index e2a591cf9601f..11edbb46a1180 100644
+--- a/drivers/net/ethernet/freescale/Kconfig
++++ b/drivers/net/ethernet/freescale/Kconfig
+@@ -28,7 +28,7 @@ config FEC
+ depends on PTP_1588_CLOCK_OPTIONAL
+ select CRC32
+ select PHYLIB
+- select FIXED_PHY if M5272
++ select FIXED_PHY
+ select PAGE_POOL
+ imply PAGE_POOL_STATS
+ imply NET_SELFTESTS
+--
+2.53.0
+
--- /dev/null
+From 3e1066ba497a12b498b90265dafee8b169bafc01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:23:16 -0500
+Subject: net: increase IP_TUNNEL_RECURSION_LIMIT to 5
+
+From: Chris J Arges <carges@cloudflare.com>
+
+[ Upstream commit 77facb35227c421467cdb49268de433168c2dcef ]
+
+In configurations with multiple tunnel layers and MPLS lwtunnel routing, a
+single tunnel hop can increment the counter beyond this limit. This causes
+packets to be dropped with the "Dead loop on virtual device" message even
+when a routing loop doesn't exist.
+
+Increase IP_TUNNEL_RECURSION_LIMIT from 4 to 5 to handle this use-case.
+
+Fixes: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions")
+Link: https://lore.kernel.org/netdev/88deb91b-ef1b-403c-8eeb-0f971f27e34f@redhat.com/
+Signed-off-by: Chris J Arges <carges@cloudflare.com>
+Link: https://patch.msgid.link/20260402222401.3408368-1-carges@cloudflare.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip_tunnels.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
+index 1f577a4f8ce9b..d708b66e55cda 100644
+--- a/include/net/ip_tunnels.h
++++ b/include/net/ip_tunnels.h
+@@ -32,7 +32,7 @@
+ * recursion involves route lookups and full IP output, consuming much
+ * more stack per level, so a lower limit is needed.
+ */
+-#define IP_TUNNEL_RECURSION_LIMIT 4
++#define IP_TUNNEL_RECURSION_LIMIT 5
+
+ /* Keep error state on tunnel for 30 sec */
+ #define IPTUNNEL_ERR_TIMEO (30*HZ)
+--
+2.53.0
+
--- /dev/null
+From 78fe94343403f29815932a6524742c6f2ab4b8f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2026 15:41:37 +0200
+Subject: net: ioam6: fix OOB and missing lock
+
+From: Justin Iurman <justin.iurman@gmail.com>
+
+[ Upstream commit b30b1675aa2bcf0491fd3830b051df4e08a7c8ca ]
+
+When trace->type.bit6 is set:
+
+ if (trace->type.bit6) {
+ ...
+ queue = skb_get_tx_queue(dev, skb);
+ qdisc = rcu_dereference(queue->qdisc);
+
+This code can lead to an out-of-bounds access of the dev->_tx[] array
+when is_input is true. In such a case, the packet is on the RX path and
+skb->queue_mapping contains the RX queue index of the ingress device. If
+the ingress device has more RX queues than the egress device (dev) has
+TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues.
+Add a check to avoid this situation since skb_get_tx_queue() does not
+clamp the index. This issue has also revealed that per queue visibility
+cannot be accurate and will be replaced later as a new feature.
+
+While at it, add missing lock around qdisc_qstats_qlen_backlog(). The
+function __ioam6_fill_trace_data() is called from both softirq and
+process contexts, hence the use of spin_lock_bh() here.
+
+Fixes: b63c5478e9cb ("ipv6: ioam: Support for Queue depth data field")
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Closes: https://lore.kernel.org/netdev/20260403214418.2233266-2-kuba@kernel.org/
+Signed-off-by: Justin Iurman <justin.iurman@gmail.com>
+Link: https://patch.msgid.link/20260404134137.24553-1-justin.iurman@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ioam6.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ioam6.c b/net/ipv6/ioam6.c
+index 12350e1e18bde..b91de51ffa9ea 100644
+--- a/net/ipv6/ioam6.c
++++ b/net/ipv6/ioam6.c
+@@ -803,12 +803,16 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb,
+ struct Qdisc *qdisc;
+ __u32 qlen, backlog;
+
+- if (dev->flags & IFF_LOOPBACK) {
++ if (dev->flags & IFF_LOOPBACK ||
++ skb_get_queue_mapping(skb) >= dev->num_tx_queues) {
+ *(__be32 *)data = cpu_to_be32(IOAM6_U32_UNAVAILABLE);
+ } else {
+ queue = skb_get_tx_queue(dev, skb);
+ qdisc = rcu_dereference(queue->qdisc);
++
++ spin_lock_bh(qdisc_lock(qdisc));
+ qdisc_qstats_qlen_backlog(qdisc, &qlen, &backlog);
++ spin_unlock_bh(qdisc_lock(qdisc));
+
+ *(__be32 *)data = cpu_to_be32(backlog);
+ }
+--
+2.53.0
+
--- /dev/null
+From 2ef4b658da1dddc1b1f434ee06102777b5c99679 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 18:43:48 +0200
+Subject: net: ipa: fix event ring index not programmed for IPA v5.0+
+
+From: Alexander Koskovich <akoskovich@pm.me>
+
+[ Upstream commit 56007972c0b1e783ca714d6f1f4d6e66e531d21f ]
+
+For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to
+CH_C_CNTXT_1. The v5.0 register definition intended to define this
+field in the CH_C_CNTXT_1 fmask array but used the old identifier of
+ERINDEX instead of CH_ERINDEX.
+
+Without a valid event ring, GSI channels could never signal transfer
+completions. This caused gsi_channel_trans_quiesce() to block
+forever in wait_for_completion().
+
+At least for IPA v5.2 this resolves an issue seen where runtime
+suspend, system suspend, and remoteproc stop all hanged forever. It
+also meant the IPA data path was completely non functional.
+
+Fixes: faf0678ec8a0 ("net: ipa: add IPA v5.0 GSI register definitions")
+Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260403-milos-ipa-v1-2-01e9e4e03d3e@fairphone.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipa/reg/gsi_reg-v5.0.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ipa/reg/gsi_reg-v5.0.c b/drivers/net/ipa/reg/gsi_reg-v5.0.c
+index 3334d8e20ad28..6c4a7fbe4de94 100644
+--- a/drivers/net/ipa/reg/gsi_reg-v5.0.c
++++ b/drivers/net/ipa/reg/gsi_reg-v5.0.c
+@@ -30,7 +30,7 @@ REG_STRIDE_FIELDS(CH_C_CNTXT_0, ch_c_cntxt_0,
+
+ static const u32 reg_ch_c_cntxt_1_fmask[] = {
+ [CH_R_LENGTH] = GENMASK(23, 0),
+- [ERINDEX] = GENMASK(31, 24),
++ [CH_ERINDEX] = GENMASK(31, 24),
+ };
+
+ REG_STRIDE_FIELDS(CH_C_CNTXT_1, ch_c_cntxt_1,
+--
+2.53.0
+
--- /dev/null
+From 2446346ef97f41b180aa3c03fd7c33943f3baf63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 18:43:47 +0200
+Subject: net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+
+
+From: Alexander Koskovich <akoskovich@pm.me>
+
+[ Upstream commit 9709b56d908acc120fe8b4ae250b3c9d749ea832 ]
+
+Fix the field masks to match the hardware layout documented in
+downstream GSI (GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD_*).
+
+Notably this fixes a WARN I was seeing when I tried to send "stop"
+to the MPSS remoteproc while IPA was up.
+
+Fixes: faf0678ec8a0 ("net: ipa: add IPA v5.0 GSI register definitions")
+Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260403-milos-ipa-v1-1-01e9e4e03d3e@fairphone.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipa/reg/gsi_reg-v5.0.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ipa/reg/gsi_reg-v5.0.c b/drivers/net/ipa/reg/gsi_reg-v5.0.c
+index 36d1e65df71bb..3334d8e20ad28 100644
+--- a/drivers/net/ipa/reg/gsi_reg-v5.0.c
++++ b/drivers/net/ipa/reg/gsi_reg-v5.0.c
+@@ -156,9 +156,10 @@ REG_FIELDS(EV_CH_CMD, ev_ch_cmd, 0x00025010 + 0x12000 * GSI_EE_AP);
+
+ static const u32 reg_generic_cmd_fmask[] = {
+ [GENERIC_OPCODE] = GENMASK(4, 0),
+- [GENERIC_CHID] = GENMASK(9, 5),
+- [GENERIC_EE] = GENMASK(13, 10),
+- /* Bits 14-31 reserved */
++ [GENERIC_CHID] = GENMASK(12, 5),
++ [GENERIC_EE] = GENMASK(16, 13),
++ /* Bits 17-23 reserved */
++ [GENERIC_PARAMS] = GENMASK(31, 24),
+ };
+
+ REG_FIELDS(GENERIC_CMD, generic_cmd, 0x00025018 + 0x12000 * GSI_EE_AP);
+--
+2.53.0
+
--- /dev/null
+From fe6393127881535693110587d8944f71d5acdf4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 10:35:19 +0000
+Subject: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b120e4432f9f56c7103133d6a11245e617695adb ]
+
+lapbeth_data_transmit() expects the underlying device type
+to be ARPHRD_ETHER.
+
+Returning NOTIFY_BAD from lapbeth_device_event() makes sure
+bonding driver can not break this expectation.
+
+Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
+Reported-by: syzbot+d8c285748fa7292580a9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/69cd22a1.050a0220.70c3a.0002.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Martin Schiller <ms@dev.tdt.de>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260402103519.1201565-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lapbether.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index f357a7ac70ac4..9861c99ea56c4 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -446,33 +446,36 @@ static void lapbeth_free_device(struct lapbethdev *lapbeth)
+ static int lapbeth_device_event(struct notifier_block *this,
+ unsigned long event, void *ptr)
+ {
+- struct lapbethdev *lapbeth;
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
++ struct lapbethdev *lapbeth;
+
+ if (dev_net(dev) != &init_net)
+ return NOTIFY_DONE;
+
+- if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev))
++ lapbeth = lapbeth_get_x25_dev(dev);
++ if (!dev_is_ethdev(dev) && !lapbeth)
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
+ /* New ethernet device -> new LAPB interface */
+- if (!lapbeth_get_x25_dev(dev))
++ if (!lapbeth)
+ lapbeth_new_device(dev);
+ break;
+ case NETDEV_GOING_DOWN:
+ /* ethernet device closes -> close LAPB interface */
+- lapbeth = lapbeth_get_x25_dev(dev);
+ if (lapbeth)
+ dev_close(lapbeth->axdev);
+ break;
+ case NETDEV_UNREGISTER:
+ /* ethernet device disappears -> remove LAPB interface */
+- lapbeth = lapbeth_get_x25_dev(dev);
+ if (lapbeth)
+ lapbeth_free_device(lapbeth);
+ break;
++ case NETDEV_PRE_TYPE_CHANGE:
++ /* Our underlying device type must not change. */
++ if (lapbeth)
++ return NOTIFY_BAD;
+ }
+
+ return NOTIFY_DONE;
+--
+2.53.0
+
--- /dev/null
+From 9f726d533fbe09370bcd59170e4d2206883c6529 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2026 14:51:52 +0800
+Subject: net: mdio: realtek-rtl9300: use scoped device_for_each_child_node
+ loop
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit c09ea768bdb975e828f8e17293c397c3d14ad85d ]
+
+Switch to device_for_each_child_node_scoped() to auto-release fwnode
+references on early exit.
+
+Fixes: 24e31e474769 ("net: mdio: Add RTL9300 MDIO driver")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20260405-rtl9300-v1-1-08e4499cf944@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/mdio-realtek-rtl9300.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/mdio/mdio-realtek-rtl9300.c b/drivers/net/mdio/mdio-realtek-rtl9300.c
+index 405a07075dd11..8d5fb014ca06c 100644
+--- a/drivers/net/mdio/mdio-realtek-rtl9300.c
++++ b/drivers/net/mdio/mdio-realtek-rtl9300.c
+@@ -466,7 +466,6 @@ static int rtl9300_mdiobus_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+ struct rtl9300_mdio_priv *priv;
+- struct fwnode_handle *child;
+ int err;
+
+ priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
+@@ -487,7 +486,7 @@ static int rtl9300_mdiobus_probe(struct platform_device *pdev)
+ if (err)
+ return err;
+
+- device_for_each_child_node(dev, child) {
++ device_for_each_child_node_scoped(dev, child) {
+ err = rtl9300_mdiobus_probe_one(dev, priv, child);
+ if (err)
+ return err;
+--
+2.53.0
+
--- /dev/null
+From 5f165fe478c6f7878b96162f2d1efff72bff4dcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 22:46:20 +0800
+Subject: net: sched: act_csum: validate nested VLAN headers
+
+From: Ruide Cao <caoruide123@gmail.com>
+
+[ Upstream commit c842743d073bdd683606cb414eb0ca84465dd834 ]
+
+tcf_csum_act() walks nested VLAN headers directly from skb->data when an
+skb still carries in-payload VLAN tags. The current code reads
+vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without
+first ensuring that the full VLAN header is present in the linear area.
+
+If only part of an inner VLAN header is linearized, accessing
+h_vlan_encapsulated_proto reads past the linear area, and the following
+skb_pull(VLAN_HLEN) may violate skb invariants.
+
+Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and
+pulling each nested VLAN header. If the header still is not fully
+available, drop the packet through the existing error path.
+
+Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Ruide Cao <caoruide123@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_csum.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c
+index 0939e6b2ba4d1..3a377604ad343 100644
+--- a/net/sched/act_csum.c
++++ b/net/sched/act_csum.c
+@@ -604,8 +604,12 @@ TC_INDIRECT_SCOPE int tcf_csum_act(struct sk_buff *skb,
+ protocol = skb->protocol;
+ orig_vlan_tag_present = true;
+ } else {
+- struct vlan_hdr *vlan = (struct vlan_hdr *)skb->data;
++ struct vlan_hdr *vlan;
+
++ if (!pskb_may_pull(skb, VLAN_HLEN))
++ goto drop;
++
++ vlan = (struct vlan_hdr *)skb->data;
+ protocol = vlan->h_vlan_encapsulated_proto;
+ skb_pull(skb, VLAN_HLEN);
+ skb_reset_network_header(skb);
+--
+2.53.0
+
--- /dev/null
+From 7288dd98472a1745b97789f43840f61887fe747a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 13:23:33 +0000
+Subject: net: sfp: add quirks for Hisense and HSGQ GPON ONT SFP modules
+
+From: John Pavlick <jspavlick@posteo.net>
+
+[ Upstream commit 95aca8602ef70ffd3d971675751c81826e124f90 ]
+
+Several GPON ONT SFP sticks based on Realtek RTL960x report
+1000BASE-LX at 1300MBd in their EEPROM but can operate at 2500base-X.
+On hosts capable of 2500base-X (e.g. Banana Pi R3 / MT7986), the
+kernel negotiates only 1G because it trusts the incorrect EEPROM data.
+
+Add quirks for:
+- Hisense-Leox LXT-010S-H
+- Hisense ZNID-GPON-2311NA
+- HSGQ HSGQ-XPON-Stick
+
+Each quirk advertises 2500base-X and ignores TX_FAULT during the
+module's ~40s Linux boot time.
+
+Tested on Banana Pi R3 (MT7986) with OpenWrt 25.12.1, confirmed
+2.5Gbps link and full throughput with flow offloading.
+
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Suggested-by: Marcin Nita <marcin.nita@leolabs.pl>
+Signed-off-by: John Pavlick <jspavlick@posteo.net>
+Link: https://patch.msgid.link/20260406132321.72563-1-jspavlick@posteo.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/sfp.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
+index 7a85b758fb1e6..c62e3f364ea73 100644
+--- a/drivers/net/phy/sfp.c
++++ b/drivers/net/phy/sfp.c
+@@ -543,6 +543,22 @@ static const struct sfp_quirk sfp_quirks[] = {
+ SFP_QUIRK("HUAWEI", "MA5671A", sfp_quirk_2500basex,
+ sfp_fixup_ignore_tx_fault_and_los),
+
++ // Hisense LXT-010S-H is a GPON ONT SFP (sold as LEOX LXT-010S-H) that
++ // can operate at 2500base-X, but reports 1000BASE-LX / 1300MBd in its
++ // EEPROM
++ SFP_QUIRK("Hisense-Leox", "LXT-010S-H", sfp_quirk_2500basex,
++ sfp_fixup_ignore_tx_fault),
++
++ // Hisense ZNID-GPON-2311NA can operate at 2500base-X, but reports
++ // 1000BASE-LX / 1300MBd in its EEPROM
++ SFP_QUIRK("Hisense", "ZNID-GPON-2311NA", sfp_quirk_2500basex,
++ sfp_fixup_ignore_tx_fault),
++
++ // HSGQ HSGQ-XPON-Stick can operate at 2500base-X, but reports
++ // 1000BASE-LX / 1300MBd in its EEPROM
++ SFP_QUIRK("HSGQ", "HSGQ-XPON-Stick", sfp_quirk_2500basex,
++ sfp_fixup_ignore_tx_fault),
++
+ // Lantech 8330-262D-E and 8330-265D can operate at 2500base-X, but
+ // incorrectly report 2500MBd NRZ in their EEPROM.
+ // Some 8330-265D modules have inverted LOS, while all of them report
+--
+2.53.0
+
--- /dev/null
+From f654d55052d7e9fd1bbdf876d14cf97d8388c188 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 11:29:39 +0100
+Subject: net: stmmac: Fix PTP ref clock for Tegra234
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+[ Upstream commit 1345e9f4e3f3bc7d8a0a2138ae29e205a857a555 ]
+
+Since commit 030ce919e114 ("net: stmmac: make sure that ptp_rate is not
+0 before configuring timestamping") was added the following error is
+observed on Tegra234:
+
+ ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate
+ WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed
+
+It turns out that the Tegra234 device-tree binding defines the PTP ref
+clock name as 'ptp-ref' and not 'ptp_ref' and the above commit now
+exposes this and that the PTP clock is not configured correctly.
+
+In order to update device-tree to use the correct 'ptp_ref' name, update
+the Tegra MGBE driver to use 'ptp_ref' by default and fallback to using
+'ptp-ref' if this clock name is present.
+
+Fixes: d8ca113724e7 ("net: stmmac: tegra: Add MGBE support")
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260401102941.17466-2-jonathanh@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/dwmac-tegra.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
+index d765acbe37548..21a0a11fc0118 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
+@@ -9,7 +9,7 @@
+ #include "stmmac_platform.h"
+
+ static const char *const mgbe_clks[] = {
+- "rx-pcs", "tx", "tx-pcs", "mac-divider", "mac", "mgbe", "ptp-ref", "mac"
++ "rx-pcs", "tx", "tx-pcs", "mac-divider", "mac", "mgbe", "ptp_ref", "mac"
+ };
+
+ struct tegra_mgbe {
+@@ -215,6 +215,7 @@ static int tegra_mgbe_probe(struct platform_device *pdev)
+ {
+ struct plat_stmmacenet_data *plat;
+ struct stmmac_resources res;
++ bool use_legacy_ptp = false;
+ struct tegra_mgbe *mgbe;
+ int irq, err, i;
+ u32 value;
+@@ -257,9 +258,23 @@ static int tegra_mgbe_probe(struct platform_device *pdev)
+ if (!mgbe->clks)
+ return -ENOMEM;
+
+- for (i = 0; i < ARRAY_SIZE(mgbe_clks); i++)
++ /* Older device-trees use 'ptp-ref' rather than 'ptp_ref'.
++ * Fall back when the legacy name is present.
++ */
++ if (of_property_match_string(pdev->dev.of_node, "clock-names",
++ "ptp-ref") >= 0)
++ use_legacy_ptp = true;
++
++ for (i = 0; i < ARRAY_SIZE(mgbe_clks); i++) {
+ mgbe->clks[i].id = mgbe_clks[i];
+
++ if (use_legacy_ptp && !strcmp(mgbe_clks[i], "ptp_ref")) {
++ dev_warn(mgbe->dev,
++ "Device-tree update needed for PTP clock!\n");
++ mgbe->clks[i].id = "ptp-ref";
++ }
++ }
++
+ err = devm_clk_bulk_get(mgbe->dev, ARRAY_SIZE(mgbe_clks), mgbe->clks);
+ if (err < 0)
+ return err;
+--
+2.53.0
+
--- /dev/null
+From 07e75b1fd869b5fa38bc83510133dd15c263e230 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2026 23:20:13 +0100
+Subject: net: txgbe: leave space for null terminators on property_entry
+
+From: Fabio Baltieri <fabio.baltieri@gmail.com>
+
+[ Upstream commit 5a37d228799b0ec2c277459c83c814a59d310bc3 ]
+
+Lists of struct property_entry are supposed to be terminated with an
+empty property, this driver currently seems to be allocating exactly the
+amount of entry used.
+
+Change the struct definition to leave an extra element for all
+property_entry.
+
+Fixes: c3e382ad6d15 ("net: txgbe: Add software nodes to support phylink")
+Signed-off-by: Fabio Baltieri <fabio.baltieri@gmail.com>
+Tested-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Link: https://patch.msgid.link/20260405222013.5347-1-fabio.baltieri@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h
+index 82433e9cb0e33..6b05f32b4a010 100644
+--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h
++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h
+@@ -424,10 +424,10 @@ struct txgbe_nodes {
+ char i2c_name[32];
+ char sfp_name[32];
+ char phylink_name[32];
+- struct property_entry gpio_props[1];
+- struct property_entry i2c_props[3];
+- struct property_entry sfp_props[8];
+- struct property_entry phylink_props[2];
++ struct property_entry gpio_props[2];
++ struct property_entry i2c_props[4];
++ struct property_entry sfp_props[9];
++ struct property_entry phylink_props[3];
+ struct software_node_ref_args i2c_ref[1];
+ struct software_node_ref_args gpio0_ref[1];
+ struct software_node_ref_args gpio1_ref[1];
+--
+2.53.0
+
--- /dev/null
+From 4d8b583750990b4e72ba0a3467313e004329e3e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Mar 2026 14:11:04 +0100
+Subject: netfilter: ctnetlink: ensure safe access to master conntrack
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5 ]
+
+Holding reference on the expectation is not sufficient, the master
+conntrack object can just go away, making exp->master invalid.
+
+To access exp->master safely:
+
+- Grab the nf_conntrack_expect_lock, this gets serialized with
+ clean_from_lists() which also holds this lock when the master
+ conntrack goes away.
+
+- Hold reference on master conntrack via nf_conntrack_find_get().
+ Not so easy since the master tuple to look up for the master conntrack
+ is not available in the existing problematic paths.
+
+This patch goes for extending the nf_conntrack_expect_lock section
+to address this issue for simplicity, in the cases that are described
+below this is just slightly extending the lock section.
+
+The add expectation command already holds a reference to the master
+conntrack from ctnetlink_create_expect().
+
+However, the delete expectation command needs to grab the spinlock
+before looking up for the expectation. Expand the existing spinlock
+section to address this to cover the expectation lookup. Note that,
+the nf_ct_expect_iterate_net() calls already grabs the spinlock while
+iterating over the expectation table, which is correct.
+
+The get expectation command needs to grab the spinlock to ensure master
+conntrack does not go away. This also expands the existing spinlock
+section to cover the expectation lookup too. I needed to move the
+netlink skb allocation out of the spinlock to keep it GFP_KERNEL.
+
+For the expectation events, the IPEXP_DESTROY event is already delivered
+under the spinlock, just move the delivery of IPEXP_NEW under the
+spinlock too because the master conntrack event cache is reached through
+exp->master.
+
+While at it, add lockdep notations to help identify what codepaths need
+to grab the spinlock.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_conntrack_core.h | 5 ++++
+ net/netfilter/nf_conntrack_ecache.c | 2 ++
+ net/netfilter/nf_conntrack_expect.c | 10 +++++++-
+ net/netfilter/nf_conntrack_netlink.c | 28 +++++++++++++++--------
+ 4 files changed, 35 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
+index 3384859a89210..8883575adcc1e 100644
+--- a/include/net/netfilter/nf_conntrack_core.h
++++ b/include/net/netfilter/nf_conntrack_core.h
+@@ -83,6 +83,11 @@ void nf_conntrack_lock(spinlock_t *lock);
+
+ extern spinlock_t nf_conntrack_expect_lock;
+
++static inline void lockdep_nfct_expect_lock_held(void)
++{
++ lockdep_assert_held(&nf_conntrack_expect_lock);
++}
++
+ /* ctnetlink code shared by both ctnetlink and nf_conntrack_bpf */
+
+ static inline void __nf_ct_set_timeout(struct nf_conn *ct, u64 timeout)
+diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
+index 81baf20826046..9df159448b897 100644
+--- a/net/netfilter/nf_conntrack_ecache.c
++++ b/net/netfilter/nf_conntrack_ecache.c
+@@ -247,6 +247,8 @@ void nf_ct_expect_event_report(enum ip_conntrack_expect_events event,
+ struct nf_ct_event_notifier *notify;
+ struct nf_conntrack_ecache *e;
+
++ lockdep_nfct_expect_lock_held();
++
+ rcu_read_lock();
+ notify = rcu_dereference(net->ct.nf_conntrack_event_cb);
+ if (!notify)
+diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
+index 2234c444a320e..24d0576d84b7f 100644
+--- a/net/netfilter/nf_conntrack_expect.c
++++ b/net/netfilter/nf_conntrack_expect.c
+@@ -51,6 +51,7 @@ void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp,
+ struct net *net = nf_ct_exp_net(exp);
+ struct nf_conntrack_net *cnet;
+
++ lockdep_nfct_expect_lock_held();
+ WARN_ON(!master_help);
+ WARN_ON(timer_pending(&exp->timeout));
+
+@@ -118,6 +119,8 @@ nf_ct_exp_equal(const struct nf_conntrack_tuple *tuple,
+
+ bool nf_ct_remove_expect(struct nf_conntrack_expect *exp)
+ {
++ lockdep_nfct_expect_lock_held();
++
+ if (timer_delete(&exp->timeout)) {
+ nf_ct_unlink_expect(exp);
+ nf_ct_expect_put(exp);
+@@ -177,6 +180,8 @@ nf_ct_find_expectation(struct net *net,
+ struct nf_conntrack_expect *i, *exp = NULL;
+ unsigned int h;
+
++ lockdep_nfct_expect_lock_held();
++
+ if (!cnet->expect_count)
+ return NULL;
+
+@@ -459,6 +464,8 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect,
+ unsigned int h;
+ int ret = 0;
+
++ lockdep_nfct_expect_lock_held();
++
+ if (!master_help) {
+ ret = -ESHUTDOWN;
+ goto out;
+@@ -515,8 +522,9 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
+
+ nf_ct_expect_insert(expect);
+
+- spin_unlock_bh(&nf_conntrack_expect_lock);
+ nf_ct_expect_event_report(IPEXP_NEW, expect, portid, report);
++ spin_unlock_bh(&nf_conntrack_expect_lock);
++
+ return 0;
+ out:
+ spin_unlock_bh(&nf_conntrack_expect_lock);
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 2bb9eb2d25fb0..fbe9e3f1036f8 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3337,31 +3337,37 @@ static int ctnetlink_get_expect(struct sk_buff *skb,
+ if (err < 0)
+ return err;
+
++ skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
++ if (!skb2)
++ return -ENOMEM;
++
++ spin_lock_bh(&nf_conntrack_expect_lock);
+ exp = nf_ct_expect_find_get(info->net, &zone, &tuple);
+- if (!exp)
++ if (!exp) {
++ spin_unlock_bh(&nf_conntrack_expect_lock);
++ kfree_skb(skb2);
+ return -ENOENT;
++ }
+
+ if (cda[CTA_EXPECT_ID]) {
+ __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
+
+ if (id != nf_expect_get_id(exp)) {
+ nf_ct_expect_put(exp);
++ spin_unlock_bh(&nf_conntrack_expect_lock);
++ kfree_skb(skb2);
+ return -ENOENT;
+ }
+ }
+
+- skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+- if (!skb2) {
+- nf_ct_expect_put(exp);
+- return -ENOMEM;
+- }
+-
+ rcu_read_lock();
+ err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid,
+ info->nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW,
+ exp);
+ rcu_read_unlock();
+ nf_ct_expect_put(exp);
++ spin_unlock_bh(&nf_conntrack_expect_lock);
++
+ if (err <= 0) {
+ kfree_skb(skb2);
+ return -ENOMEM;
+@@ -3408,22 +3414,26 @@ static int ctnetlink_del_expect(struct sk_buff *skb,
+ if (err < 0)
+ return err;
+
++ spin_lock_bh(&nf_conntrack_expect_lock);
++
+ /* bump usage count to 2 */
+ exp = nf_ct_expect_find_get(info->net, &zone, &tuple);
+- if (!exp)
++ if (!exp) {
++ spin_unlock_bh(&nf_conntrack_expect_lock);
+ return -ENOENT;
++ }
+
+ if (cda[CTA_EXPECT_ID]) {
+ __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
+
+ if (id != nf_expect_get_id(exp)) {
+ nf_ct_expect_put(exp);
++ spin_unlock_bh(&nf_conntrack_expect_lock);
+ return -ENOENT;
+ }
+ }
+
+ /* after list removal, usage count == 1 */
+- spin_lock_bh(&nf_conntrack_expect_lock);
+ if (timer_delete(&exp->timeout)) {
+ nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid,
+ nlmsg_report(info->nlh));
+--
+2.53.0
+
--- /dev/null
+From ed006728aa46e6329e606fcfbb18c882ea59aa6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2026 17:39:47 +0800
+Subject: netfilter: ip6t_eui64: reject invalid MAC header for all packets
+
+From: Zhengchuan Liang <zcliangcn@gmail.com>
+
+[ Upstream commit fdce0b3590f724540795b874b4c8850c90e6b0a8 ]
+
+`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
+and compares it with the low 64 bits of the IPv6 source address.
+
+The existing guard only rejects an invalid MAC header when
+`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
+can still reach `eth_hdr(skb)` even when the MAC header is not valid.
+
+Fix this by removing the `par->fragoff != 0` condition so that packets
+with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/ip6t_eui64.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
+index d704f7ed300c2..da69a27e8332c 100644
+--- a/net/ipv6/netfilter/ip6t_eui64.c
++++ b/net/ipv6/netfilter/ip6t_eui64.c
+@@ -22,8 +22,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
+ unsigned char eui64[8];
+
+ if (!(skb_mac_header(skb) >= skb->head &&
+- skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
+- par->fragoff != 0) {
++ skb_mac_header(skb) + ETH_HLEN <= skb->data)) {
+ par->hotdrop = true;
+ return false;
+ }
+--
+2.53.0
+
--- /dev/null
+From bf93972a4caa53ade35b6e39e2dbe13558fb5c17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 14:20:57 -0700
+Subject: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE
+ terminator
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit 1f3083aec8836213da441270cdb1ab612dd82cf4 ]
+
+When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send()
+appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via
+nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put()
+helper only zeroes alignment padding after the payload, not the payload
+itself, so four bytes of stale kernel heap data are leaked to userspace
+in the NLMSG_DONE message body.
+
+Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes
+the nfgenmsg payload via nfnl_fill_hdr(), consistent with how
+__build_packet_message() already constructs NFULNL_MSG_PACKET headers.
+
+Fixes: 29c5d4afba51 ("[NETFILTER]: nfnetlink_log: fix sending of multipart messages")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_log.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
+index dcd2493a9a404..b1f3eda85989c 100644
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -361,10 +361,10 @@ static void
+ __nfulnl_send(struct nfulnl_instance *inst)
+ {
+ if (inst->qlen > 1) {
+- struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0,
+- NLMSG_DONE,
+- sizeof(struct nfgenmsg),
+- 0);
++ struct nlmsghdr *nlh = nfnl_msg_put(inst->skb, 0, 0,
++ NLMSG_DONE, 0,
++ AF_UNSPEC, NFNETLINK_V0,
++ htons(inst->group_num));
+ if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n",
+ inst->skb->len, skb_tailroom(inst->skb))) {
+ kfree_skb(inst->skb);
+--
+2.53.0
+
--- /dev/null
+From 7f9b88f1b756f1386a9c0b50d7412f00c8ab9cb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 17:00:01 +0200
+Subject: netfilter: nfnetlink_queue: make hash table per queue
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 936206e3f6ff411581e615e930263d6f8b78df9d ]
+
+Sharing a global hash table among all queues is tempting, but
+it can cause crash:
+
+BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]
+[..]
+ nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]
+ nfnetlink_rcv_msg+0x46a/0x930
+ kmem_cache_alloc_node_noprof+0x11e/0x450
+
+struct nf_queue_entry is freed via kfree, but parallel cpu can still
+encounter such an nf_queue_entry when walking the list.
+
+Alternative fix is to free the nf_queue_entry via kfree_rcu() instead,
+but as we have to alloc/free for each skb this will cause more mem
+pressure.
+
+Cc: Scott Mitchell <scott.k.mitch1@gmail.com>
+Fixes: e19079adcd26 ("netfilter: nfnetlink_queue: optimize verdict lookup with hash table")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_queue.h | 1 -
+ net/netfilter/nfnetlink_queue.c | 139 +++++++++++--------------------
+ 2 files changed, 49 insertions(+), 91 deletions(-)
+
+diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
+index 45eb26b2e95b3..d17035d14d96c 100644
+--- a/include/net/netfilter/nf_queue.h
++++ b/include/net/netfilter/nf_queue.h
+@@ -23,7 +23,6 @@ struct nf_queue_entry {
+ struct nf_hook_state state;
+ bool nf_ct_is_unconfirmed;
+ u16 size; /* sizeof(entry) + saved route keys */
+- u16 queue_num;
+
+ /* extra space to store route keys */
+ };
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index a39d3b989063c..fe5942535245d 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -49,8 +49,8 @@
+ #endif
+
+ #define NFQNL_QMAX_DEFAULT 1024
+-#define NFQNL_HASH_MIN 1024
+-#define NFQNL_HASH_MAX 1048576
++#define NFQNL_HASH_MIN 8
++#define NFQNL_HASH_MAX 32768
+
+ /* We're using struct nlattr which has 16bit nla_len. Note that nla_len
+ * includes the header length. Thus, the maximum packet length that we
+@@ -60,29 +60,10 @@
+ */
+ #define NFQNL_MAX_COPY_RANGE (0xffff - NLA_HDRLEN)
+
+-/* Composite key for packet lookup: (net, queue_num, packet_id) */
+-struct nfqnl_packet_key {
+- possible_net_t net;
+- u32 packet_id;
+- u16 queue_num;
+-} __aligned(sizeof(u32)); /* jhash2 requires 32-bit alignment */
+-
+-/* Global rhashtable - one for entire system, all netns */
+-static struct rhashtable nfqnl_packet_map __read_mostly;
+-
+-/* Helper to initialize composite key */
+-static inline void nfqnl_init_key(struct nfqnl_packet_key *key,
+- struct net *net, u32 packet_id, u16 queue_num)
+-{
+- memset(key, 0, sizeof(*key));
+- write_pnet(&key->net, net);
+- key->packet_id = packet_id;
+- key->queue_num = queue_num;
+-}
+-
+ struct nfqnl_instance {
+ struct hlist_node hlist; /* global list of queues */
+- struct rcu_head rcu;
++ struct rhashtable nfqnl_packet_map;
++ struct rcu_work rwork;
+
+ u32 peer_portid;
+ unsigned int queue_maxlen;
+@@ -106,6 +87,7 @@ struct nfqnl_instance {
+
+ typedef int (*nfqnl_cmpfn)(struct nf_queue_entry *, unsigned long);
+
++static struct workqueue_struct *nfq_cleanup_wq __read_mostly;
+ static unsigned int nfnl_queue_net_id __read_mostly;
+
+ #define INSTANCE_BUCKETS 16
+@@ -124,34 +106,10 @@ static inline u_int8_t instance_hashfn(u_int16_t queue_num)
+ return ((queue_num >> 8) ^ queue_num) % INSTANCE_BUCKETS;
+ }
+
+-/* Extract composite key from nf_queue_entry for hashing */
+-static u32 nfqnl_packet_obj_hashfn(const void *data, u32 len, u32 seed)
+-{
+- const struct nf_queue_entry *entry = data;
+- struct nfqnl_packet_key key;
+-
+- nfqnl_init_key(&key, entry->state.net, entry->id, entry->queue_num);
+-
+- return jhash2((u32 *)&key, sizeof(key) / sizeof(u32), seed);
+-}
+-
+-/* Compare stack-allocated key against entry */
+-static int nfqnl_packet_obj_cmpfn(struct rhashtable_compare_arg *arg,
+- const void *obj)
+-{
+- const struct nfqnl_packet_key *key = arg->key;
+- const struct nf_queue_entry *entry = obj;
+-
+- return !net_eq(entry->state.net, read_pnet(&key->net)) ||
+- entry->queue_num != key->queue_num ||
+- entry->id != key->packet_id;
+-}
+-
+ static const struct rhashtable_params nfqnl_rhashtable_params = {
+ .head_offset = offsetof(struct nf_queue_entry, hash_node),
+- .key_len = sizeof(struct nfqnl_packet_key),
+- .obj_hashfn = nfqnl_packet_obj_hashfn,
+- .obj_cmpfn = nfqnl_packet_obj_cmpfn,
++ .key_offset = offsetof(struct nf_queue_entry, id),
++ .key_len = sizeof(u32),
+ .automatic_shrinking = true,
+ .min_size = NFQNL_HASH_MIN,
+ .max_size = NFQNL_HASH_MAX,
+@@ -190,6 +148,10 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+ spin_lock_init(&inst->lock);
+ INIT_LIST_HEAD(&inst->queue_list);
+
++ err = rhashtable_init(&inst->nfqnl_packet_map, &nfqnl_rhashtable_params);
++ if (err < 0)
++ goto out_free;
++
+ spin_lock(&q->instances_lock);
+ if (instance_lookup(q, queue_num)) {
+ err = -EEXIST;
+@@ -210,6 +172,8 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+
+ out_unlock:
+ spin_unlock(&q->instances_lock);
++ rhashtable_destroy(&inst->nfqnl_packet_map);
++out_free:
+ kfree(inst);
+ return ERR_PTR(err);
+ }
+@@ -217,15 +181,18 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+ static void nfqnl_flush(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn,
+ unsigned long data);
+
+-static void
+-instance_destroy_rcu(struct rcu_head *head)
++static void instance_destroy_work(struct work_struct *work)
+ {
+- struct nfqnl_instance *inst = container_of(head, struct nfqnl_instance,
+- rcu);
++ struct nfqnl_instance *inst;
+
++ inst = container_of(to_rcu_work(work), struct nfqnl_instance,
++ rwork);
+ rcu_read_lock();
+ nfqnl_flush(inst, NULL, 0);
+ rcu_read_unlock();
++
++ rhashtable_destroy(&inst->nfqnl_packet_map);
++
+ kfree(inst);
+ module_put(THIS_MODULE);
+ }
+@@ -234,7 +201,9 @@ static void
+ __instance_destroy(struct nfqnl_instance *inst)
+ {
+ hlist_del_rcu(&inst->hlist);
+- call_rcu(&inst->rcu, instance_destroy_rcu);
++
++ INIT_RCU_WORK(&inst->rwork, instance_destroy_work);
++ queue_rcu_work(nfq_cleanup_wq, &inst->rwork);
+ }
+
+ static void
+@@ -250,9 +219,7 @@ __enqueue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry)
+ {
+ int err;
+
+- entry->queue_num = queue->queue_num;
+-
+- err = rhashtable_insert_fast(&nfqnl_packet_map, &entry->hash_node,
++ err = rhashtable_insert_fast(&queue->nfqnl_packet_map, &entry->hash_node,
+ nfqnl_rhashtable_params);
+ if (unlikely(err))
+ return err;
+@@ -266,23 +233,19 @@ __enqueue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry)
+ static void
+ __dequeue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry)
+ {
+- rhashtable_remove_fast(&nfqnl_packet_map, &entry->hash_node,
++ rhashtable_remove_fast(&queue->nfqnl_packet_map, &entry->hash_node,
+ nfqnl_rhashtable_params);
+ list_del(&entry->list);
+ queue->queue_total--;
+ }
+
+ static struct nf_queue_entry *
+-find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id,
+- struct net *net)
++find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id)
+ {
+- struct nfqnl_packet_key key;
+ struct nf_queue_entry *entry;
+
+- nfqnl_init_key(&key, net, id, queue->queue_num);
+-
+ spin_lock_bh(&queue->lock);
+- entry = rhashtable_lookup_fast(&nfqnl_packet_map, &key,
++ entry = rhashtable_lookup_fast(&queue->nfqnl_packet_map, &id,
+ nfqnl_rhashtable_params);
+
+ if (entry)
+@@ -1531,7 +1494,7 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info,
+
+ verdict = ntohl(vhdr->verdict);
+
+- entry = find_dequeue_entry(queue, ntohl(vhdr->id), info->net);
++ entry = find_dequeue_entry(queue, ntohl(vhdr->id));
+ if (entry == NULL)
+ return -ENOENT;
+
+@@ -1880,40 +1843,38 @@ static int __init nfnetlink_queue_init(void)
+ {
+ int status;
+
+- status = rhashtable_init(&nfqnl_packet_map, &nfqnl_rhashtable_params);
+- if (status < 0)
+- return status;
++ nfq_cleanup_wq = alloc_ordered_workqueue("nfq_workqueue", 0);
++ if (!nfq_cleanup_wq)
++ return -ENOMEM;
+
+ status = register_pernet_subsys(&nfnl_queue_net_ops);
+- if (status < 0) {
+- pr_err("failed to register pernet ops\n");
+- goto cleanup_rhashtable;
+- }
++ if (status < 0)
++ goto cleanup_pernet_subsys;
+
+- netlink_register_notifier(&nfqnl_rtnl_notifier);
+- status = nfnetlink_subsys_register(&nfqnl_subsys);
+- if (status < 0) {
+- pr_err("failed to create netlink socket\n");
+- goto cleanup_netlink_notifier;
+- }
++ status = netlink_register_notifier(&nfqnl_rtnl_notifier);
++ if (status < 0)
++ goto cleanup_rtnl_notifier;
+
+ status = register_netdevice_notifier(&nfqnl_dev_notifier);
+- if (status < 0) {
+- pr_err("failed to register netdevice notifier\n");
+- goto cleanup_netlink_subsys;
+- }
++ if (status < 0)
++ goto cleanup_dev_notifier;
++
++ status = nfnetlink_subsys_register(&nfqnl_subsys);
++ if (status < 0)
++ goto cleanup_nfqnl_subsys;
+
+ nf_register_queue_handler(&nfqh);
+
+ return status;
+
+-cleanup_netlink_subsys:
+- nfnetlink_subsys_unregister(&nfqnl_subsys);
+-cleanup_netlink_notifier:
++cleanup_nfqnl_subsys:
++ unregister_netdevice_notifier(&nfqnl_dev_notifier);
++cleanup_dev_notifier:
+ netlink_unregister_notifier(&nfqnl_rtnl_notifier);
++cleanup_rtnl_notifier:
+ unregister_pernet_subsys(&nfnl_queue_net_ops);
+-cleanup_rhashtable:
+- rhashtable_destroy(&nfqnl_packet_map);
++cleanup_pernet_subsys:
++ destroy_workqueue(nfq_cleanup_wq);
+ return status;
+ }
+
+@@ -1924,9 +1885,7 @@ static void __exit nfnetlink_queue_fini(void)
+ nfnetlink_subsys_unregister(&nfqnl_subsys);
+ netlink_unregister_notifier(&nfqnl_rtnl_notifier);
+ unregister_pernet_subsys(&nfnl_queue_net_ops);
+-
+- rhashtable_destroy(&nfqnl_packet_map);
+-
++ destroy_workqueue(nfq_cleanup_wq);
+ rcu_barrier(); /* Wait for completion of call_rcu()'s */
+ }
+
+--
+2.53.0
+
--- /dev/null
+From e0f0b59cf3706c5e775b613fbd2ef329dde228cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jan 2026 09:32:30 -0800
+Subject: netfilter: nfnetlink_queue: nfqnl_instance GFP_ATOMIC ->
+ GFP_KERNEL_ACCOUNT allocation
+
+From: Scott Mitchell <scott.k.mitch1@gmail.com>
+
+[ Upstream commit a4400a5b343d1bc4aa8f685608515413238e7ee2 ]
+
+Currently, instance_create() uses GFP_ATOMIC because it's called while
+holding instances_lock spinlock. This makes allocation more likely to
+fail under memory pressure.
+
+Refactor nfqnl_recv_config() to drop RCU lock after instance_lookup()
+and peer_portid verification. A socket cannot simultaneously send a
+message and close, so the queue owned by the sending socket cannot be
+destroyed while processing its CONFIG message. This allows
+instance_create() to allocate with GFP_KERNEL_ACCOUNT before taking
+the spinlock.
+
+Suggested-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Scott Mitchell <scott.k.mitch1@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Stable-dep-of: 936206e3f6ff ("netfilter: nfnetlink_queue: make hash table per queue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_queue.c | 75 +++++++++++++++------------------
+ 1 file changed, 34 insertions(+), 41 deletions(-)
+
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index 0b96d20bacb73..a39d3b989063c 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -178,17 +178,9 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+ unsigned int h;
+ int err;
+
+- spin_lock(&q->instances_lock);
+- if (instance_lookup(q, queue_num)) {
+- err = -EEXIST;
+- goto out_unlock;
+- }
+-
+- inst = kzalloc(sizeof(*inst), GFP_ATOMIC);
+- if (!inst) {
+- err = -ENOMEM;
+- goto out_unlock;
+- }
++ inst = kzalloc(sizeof(*inst), GFP_KERNEL_ACCOUNT);
++ if (!inst)
++ return ERR_PTR(-ENOMEM);
+
+ inst->queue_num = queue_num;
+ inst->peer_portid = portid;
+@@ -198,9 +190,15 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+ spin_lock_init(&inst->lock);
+ INIT_LIST_HEAD(&inst->queue_list);
+
++ spin_lock(&q->instances_lock);
++ if (instance_lookup(q, queue_num)) {
++ err = -EEXIST;
++ goto out_unlock;
++ }
++
+ if (!try_module_get(THIS_MODULE)) {
+ err = -EAGAIN;
+- goto out_free;
++ goto out_unlock;
+ }
+
+ h = instance_hashfn(queue_num);
+@@ -210,10 +208,9 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)
+
+ return inst;
+
+-out_free:
+- kfree(inst);
+ out_unlock:
+ spin_unlock(&q->instances_lock);
++ kfree(inst);
+ return ERR_PTR(err);
+ }
+
+@@ -1604,7 +1601,8 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info,
+ struct nfqnl_msg_config_cmd *cmd = NULL;
+ struct nfqnl_instance *queue;
+ __u32 flags = 0, mask = 0;
+- int ret = 0;
++
++ WARN_ON_ONCE(!lockdep_nfnl_is_held(NFNL_SUBSYS_QUEUE));
+
+ if (nfqa[NFQA_CFG_CMD]) {
+ cmd = nla_data(nfqa[NFQA_CFG_CMD]);
+@@ -1650,47 +1648,44 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info,
+ }
+ }
+
++ /* Lookup queue under RCU. After peer_portid check (or for new queue
++ * in BIND case), the queue is owned by the socket sending this message.
++ * A socket cannot simultaneously send a message and close, so while
++ * processing this CONFIG message, nfqnl_rcv_nl_event() (triggered by
++ * socket close) cannot destroy this queue. Safe to use without RCU.
++ */
+ rcu_read_lock();
+ queue = instance_lookup(q, queue_num);
+ if (queue && queue->peer_portid != NETLINK_CB(skb).portid) {
+- ret = -EPERM;
+- goto err_out_unlock;
++ rcu_read_unlock();
++ return -EPERM;
+ }
++ rcu_read_unlock();
+
+ if (cmd != NULL) {
+ switch (cmd->command) {
+ case NFQNL_CFG_CMD_BIND:
+- if (queue) {
+- ret = -EBUSY;
+- goto err_out_unlock;
+- }
+- queue = instance_create(q, queue_num,
+- NETLINK_CB(skb).portid);
+- if (IS_ERR(queue)) {
+- ret = PTR_ERR(queue);
+- goto err_out_unlock;
+- }
++ if (queue)
++ return -EBUSY;
++ queue = instance_create(q, queue_num, NETLINK_CB(skb).portid);
++ if (IS_ERR(queue))
++ return PTR_ERR(queue);
+ break;
+ case NFQNL_CFG_CMD_UNBIND:
+- if (!queue) {
+- ret = -ENODEV;
+- goto err_out_unlock;
+- }
++ if (!queue)
++ return -ENODEV;
+ instance_destroy(q, queue);
+- goto err_out_unlock;
++ return 0;
+ case NFQNL_CFG_CMD_PF_BIND:
+ case NFQNL_CFG_CMD_PF_UNBIND:
+ break;
+ default:
+- ret = -ENOTSUPP;
+- goto err_out_unlock;
++ return -EOPNOTSUPP;
+ }
+ }
+
+- if (!queue) {
+- ret = -ENODEV;
+- goto err_out_unlock;
+- }
++ if (!queue)
++ return -ENODEV;
+
+ if (nfqa[NFQA_CFG_PARAMS]) {
+ struct nfqnl_msg_config_params *params =
+@@ -1715,9 +1710,7 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info,
+ spin_unlock_bh(&queue->lock);
+ }
+
+-err_out_unlock:
+- rcu_read_unlock();
+- return ret;
++ return 0;
+ }
+
+ static const struct nfnl_callback nfqnl_cb[NFQNL_MSG_MAX] = {
+--
+2.53.0
+
--- /dev/null
+From 468b9012e2cef4e9b72362571136004ebbb3c71d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Mar 2026 14:10:55 +0100
+Subject: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
+ expiry
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit d3c0037ffe1273fa1961e779ff6906234d6cf53c ]
+
+New test case fails unexpectedly when avx2 matching functions are used.
+
+The test first loads a ranomly generated pipapo set
+with 'ipv4 . port' key, i.e. nft -f foo.
+
+This works. Then, it reloads the set after a flush:
+(echo flush set t s; cat foo) | nft -f -
+
+This is expected to work, because its the same set after all and it was
+already loaded once.
+
+But with avx2, this fails: nft reports a clashing element.
+
+The reported clash is of following form:
+
+ We successfully re-inserted
+ a . b
+ c . d
+
+Then we try to insert a . d
+
+avx2 finds the already existing a . d, which (due to 'flush set') is marked
+as invalid in the new generation. It skips the element and moves to next.
+
+Due to incorrect masking, the skip-step finds the next matching
+element *only considering the first field*,
+
+i.e. we return the already reinserted "a . b", even though the
+last field is different and the entry should not have been matched.
+
+No such error is reported for the generic c implementation (no avx2) or when
+the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.
+
+Bisection points to
+7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection")
+but that fix merely uncovers this bug.
+
+Before this commit, the wrong element is returned, but erronously
+reported as a full, identical duplicate.
+
+The root-cause is too early return in the avx2 match functions.
+When we process the last field, we should continue to process data
+until the entire input size has been consumed to make sure no stale
+bits remain in the map.
+
+Link: https://lore.kernel.org/netfilter-devel/20260321152506.037f68c0@elisabeth/
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_pipapo_avx2.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
+index 7ff90325c97fa..6395982e4d95c 100644
+--- a/net/netfilter/nft_set_pipapo_avx2.c
++++ b/net/netfilter/nft_set_pipapo_avx2.c
+@@ -242,7 +242,7 @@ static int nft_pipapo_avx2_lookup_4b_2(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -319,7 +319,7 @@ static int nft_pipapo_avx2_lookup_4b_4(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -414,7 +414,7 @@ static int nft_pipapo_avx2_lookup_4b_8(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -505,7 +505,7 @@ static int nft_pipapo_avx2_lookup_4b_12(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -641,7 +641,7 @@ static int nft_pipapo_avx2_lookup_4b_32(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -699,7 +699,7 @@ static int nft_pipapo_avx2_lookup_8b_1(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -764,7 +764,7 @@ static int nft_pipapo_avx2_lookup_8b_2(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -839,7 +839,7 @@ static int nft_pipapo_avx2_lookup_8b_4(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -925,7 +925,7 @@ static int nft_pipapo_avx2_lookup_8b_6(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -1019,7 +1019,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+--
+2.53.0
+
--- /dev/null
+From 8e7f4f01b63b5aa8f5944db69bada7887d1a322e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 23:52:52 +0800
+Subject: netfilter: xt_multiport: validate range encoding in checkentry
+
+From: Ren Wei <n05ec@lzu.edu.cn>
+
+[ Upstream commit ff64c5bfef12461df8450e0f50bb693b5269c720 ]
+
+ports_match_v1() treats any non-zero pflags entry as the start of a
+port range and unconditionally consumes the next ports[] element as
+the range end.
+
+The checkentry path currently validates protocol, flags and count, but
+it does not validate the range encoding itself. As a result, malformed
+rules can mark the last slot as a range start or place two range starts
+back to back, leaving ports_match_v1() to step past the last valid
+ports[] element while interpreting the rule.
+
+Reject malformed multiport v1 rules in checkentry by validating that
+each range start has a following element and that the following element
+is not itself marked as another range start.
+
+Fixes: a89ecb6a2ef7 ("[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Yuhang Zheng <z1652074432@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_multiport.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
+index 44a00f5acde8a..a1691ff405d3c 100644
+--- a/net/netfilter/xt_multiport.c
++++ b/net/netfilter/xt_multiport.c
+@@ -105,6 +105,28 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
+ return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1]));
+ }
+
++static bool
++multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo)
++{
++ unsigned int i;
++
++ for (i = 0; i < multiinfo->count; i++) {
++ if (!multiinfo->pflags[i])
++ continue;
++
++ if (++i >= multiinfo->count)
++ return false;
++
++ if (multiinfo->pflags[i])
++ return false;
++
++ if (multiinfo->ports[i - 1] > multiinfo->ports[i])
++ return false;
++ }
++
++ return true;
++}
++
+ static inline bool
+ check(u_int16_t proto,
+ u_int8_t ip_invflags,
+@@ -127,8 +149,10 @@ static int multiport_mt_check(const struct xt_mtchk_param *par)
+ const struct ipt_ip *ip = par->entryinfo;
+ const struct xt_multiport_v1 *multiinfo = par->matchinfo;
+
+- return check(ip->proto, ip->invflags, multiinfo->flags,
+- multiinfo->count) ? 0 : -EINVAL;
++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count))
++ return -EINVAL;
++
++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL;
+ }
+
+ static int multiport_mt6_check(const struct xt_mtchk_param *par)
+@@ -136,8 +160,10 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par)
+ const struct ip6t_ip6 *ip = par->entryinfo;
+ const struct xt_multiport_v1 *multiinfo = par->matchinfo;
+
+- return check(ip->proto, ip->invflags, multiinfo->flags,
+- multiinfo->count) ? 0 : -EINVAL;
++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count))
++ return -EINVAL;
++
++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL;
+ }
+
+ static struct xt_match multiport_mt_reg[] __read_mostly = {
+--
+2.53.0
+
--- /dev/null
+From 8ad8a869572014a5cdd3e61ef6ed9f904e926979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 12:21:48 +0800
+Subject: nfc: s3fwrn5: allocate rx skb before consuming bytes
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 5c14a19d5b1645cce1cb1252833d70b23635b632 ]
+
+s3fwrn82_uart_read() reports the number of accepted bytes to the serdev
+core. The current code consumes bytes into recv_skb and may already
+deliver a complete frame before allocating a fresh receive buffer.
+
+If that alloc_skb() fails, the callback returns 0 even though it has
+already consumed bytes, and it leaves recv_skb as NULL for the next
+receive callback. That breaks the receive_buf() accounting contract and
+can also lead to a NULL dereference on the next skb_put_u8().
+
+Allocate the receive skb lazily before consuming the next byte instead.
+If allocation fails, return the number of bytes already accepted.
+
+Fixes: 3f52c2cb7e3a ("nfc: s3fwrn5: Support a UART interface")
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Link: https://patch.msgid.link/20260402042148.65236-1-pengpeng@iscas.ac.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/s3fwrn5/uart.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nfc/s3fwrn5/uart.c b/drivers/nfc/s3fwrn5/uart.c
+index 9c09c10c2a464..4ee481bd7e965 100644
+--- a/drivers/nfc/s3fwrn5/uart.c
++++ b/drivers/nfc/s3fwrn5/uart.c
+@@ -58,6 +58,12 @@ static size_t s3fwrn82_uart_read(struct serdev_device *serdev,
+ size_t i;
+
+ for (i = 0; i < count; i++) {
++ if (!phy->recv_skb) {
++ phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL);
++ if (!phy->recv_skb)
++ return i;
++ }
++
+ skb_put_u8(phy->recv_skb, *data++);
+
+ if (phy->recv_skb->len < S3FWRN82_NCI_HEADER)
+@@ -69,9 +75,7 @@ static size_t s3fwrn82_uart_read(struct serdev_device *serdev,
+
+ s3fwrn5_recv_frame(phy->common.ndev, phy->recv_skb,
+ phy->common.mode);
+- phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL);
+- if (!phy->recv_skb)
+- return 0;
++ phy->recv_skb = NULL;
+ }
+
+ return i;
+--
+2.53.0
+
--- /dev/null
+From 770fb0d409602b48dd81bf87bca7283213d475bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 05:09:29 -0700
+Subject: PCI: hv: Fix double ida_free in hv_pci_probe error path
+
+From: Sahil Chandna <sahilchandna@linux.microsoft.com>
+
+[ Upstream commit b6422dff0e518245019233432b6bccfc30b73e2f ]
+
+If hv_pci_probe() fails after storing the domain number in
+hbus->bridge->domain_nr, there is a call to free this domain_nr via
+pci_bus_release_emul_domain_nr(), however, during cleanup, the bridge
+release callback pci_release_host_bridge_dev() also frees the domain_nr
+causing ida_free to be called on same ID twice and triggering following
+warning:
+
+ ida_free called for id=28971 which is not allocated.
+ WARNING: lib/idr.c:594 at ida_free+0xdf/0x160, CPU#0: kworker/0:2/198
+ Call Trace:
+ pci_bus_release_emul_domain_nr+0x17/0x20
+ pci_release_host_bridge_dev+0x4b/0x60
+ device_release+0x3b/0xa0
+ kobject_put+0x8e/0x220
+ devm_pci_alloc_host_bridge_release+0xe/0x20
+ devres_release_all+0x9a/0xd0
+ device_unbind_cleanup+0x12/0xa0
+ really_probe+0x1c5/0x3f0
+ vmbus_add_channel_work+0x135/0x1a0
+
+Fix this by letting pci core handle the free domain_nr and remove
+the explicit free called in pci-hyperv driver.
+
+Fixes: bcce8c74f1ce ("PCI: Enable host bridge emulation for PCI_DOMAINS_GENERIC platforms")
+Signed-off-by: Sahil Chandna <sahilchandna@linux.microsoft.com>
+Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Saurabh Sengar <ssengar@linux.microsoft.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-hyperv.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
+index 85631c9794db6..7f1c1a2e5c69d 100644
+--- a/drivers/pci/controller/pci-hyperv.c
++++ b/drivers/pci/controller/pci-hyperv.c
+@@ -3789,7 +3789,7 @@ static int hv_pci_probe(struct hv_device *hdev,
+ hbus->bridge->domain_nr);
+ if (!hbus->wq) {
+ ret = -ENOMEM;
+- goto free_dom;
++ goto free_bus;
+ }
+
+ hdev->channel->next_request_id_callback = vmbus_next_request_id;
+@@ -3885,8 +3885,6 @@ static int hv_pci_probe(struct hv_device *hdev,
+ vmbus_close(hdev->channel);
+ destroy_wq:
+ destroy_workqueue(hbus->wq);
+-free_dom:
+- pci_bus_release_emul_domain_nr(hbus->bridge->domain_nr);
+ free_bus:
+ kfree(hbus);
+ return ret;
+--
+2.53.0
+
--- /dev/null
+From 59ae8cb64a74274dcc27a6f7224fbfdf4866b858 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 14:07:42 -0700
+Subject: PCI: hv: Set default NUMA node to 0 for devices without affinity info
+
+From: Long Li <longli@microsoft.com>
+
+[ Upstream commit 7b3b1e5a87b2f5e35c52b5386d7c327be869454f ]
+
+When hv_pci_assign_numa_node() processes a device that does not have
+HV_PCI_DEVICE_FLAG_NUMA_AFFINITY set or has an out-of-range
+virtual_numa_node, the device NUMA node is left unset. On x86_64,
+the uninitialized default happens to be 0, but on ARM64 it is
+NUMA_NO_NODE (-1).
+
+Tests show that when no NUMA information is available from the Hyper-V
+host, devices perform best when assigned to node 0. With NUMA_NO_NODE
+the kernel may spread work across NUMA nodes, which degrades
+performance on Hyper-V, particularly for high-throughput devices like
+MANA.
+
+Always set the device NUMA node to 0 before the conditional NUMA
+affinity check, so that devices get a performant default when the host
+provides no NUMA information, and behavior is consistent on both
+x86_64 and ARM64.
+
+Fixes: 999dd956d838 ("PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2")
+Signed-off-by: Long Li <longli@microsoft.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-hyperv.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
+index 1e237d3538f9c..85631c9794db6 100644
+--- a/drivers/pci/controller/pci-hyperv.c
++++ b/drivers/pci/controller/pci-hyperv.c
+@@ -2486,6 +2486,14 @@ static void hv_pci_assign_numa_node(struct hv_pcibus_device *hbus)
+ if (!hv_dev)
+ continue;
+
++ /*
++ * If the Hyper-V host doesn't provide a NUMA node for the
++ * device, default to node 0. With NUMA_NO_NODE the kernel
++ * may spread work across NUMA nodes, which degrades
++ * performance on Hyper-V.
++ */
++ set_dev_node(&dev->dev, 0);
++
+ if (hv_dev->desc.flags & HV_PCI_DEVICE_FLAG_NUMA_AFFINITY &&
+ hv_dev->desc.virtual_numa_node < num_possible_nodes())
+ /*
+--
+2.53.0
+
--- /dev/null
+From 92dff9344e865b2333a4402eb9bdd505646bcb0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 10:40:49 -0700
+Subject: perf/x86/intel/uncore: Fix die ID init and look up bugs
+
+From: Zide Chen <zide.chen@intel.com>
+
+[ Upstream commit a16d1ec4dd0cdcf689f324adde6067083bce9099 ]
+
+In snbep_pci2phy_map_init(), in the nr_node_ids > 8 path,
+uncore_device_to_die() may return -1 when all CPUs associated
+with the UBOX device are offline.
+
+Remove the WARN_ON_ONCE(die_id == -1) check for two reasons:
+
+- The current code breaks out of the loop. This is incorrect because
+ pci_get_device() does not guarantee iteration in domain or bus order,
+ so additional UBOX devices may be skipped during the scan.
+
+- Returning -EINVAL is incorrect, since marking offline buses with
+ die_id == -1 is expected and should not be treated as an error.
+
+Separately, when NUMA is disabled on a NUMA-capable platform,
+pcibus_to_node() returns NUMA_NO_NODE, causing uncore_device_to_die()
+to return -1 for all PCI devices. As a result,
+spr_update_device_location(), used on Intel SPR and EMR, ignores the
+corresponding PMON units and does not add them to the RB tree.
+
+Fix this by using uncore_pcibus_to_dieid(), which retrieves topology
+from the UBOX GIDNIDMAP register and works regardless of whether NUMA
+is enabled in Linux. This requires snbep_pci2phy_map_init() to be
+added in spr_uncore_pci_init().
+
+Keep uncore_device_to_die() only for the nr_node_ids > 8 case, where
+NUMA is expected to be enabled.
+
+Fixes: 9a7832ce3d92 ("perf/x86/intel/uncore: With > 8 nodes, get pci bus die id from NUMA info")
+Fixes: 65248a9a9ee1 ("perf/x86/uncore: Add a quirk for UPI on SPR")
+Signed-off-by: Zide Chen <zide.chen@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Tested-by: Steve Wahl <steve.wahl@hpe.com>
+Link: https://patch.msgid.link/20260313174050.171704-4-zide.chen@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore.c | 1 +
+ arch/x86/events/intel/uncore_snbep.c | 13 ++++++-------
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c
+index e228e564b15ea..8301a589d9a61 100644
+--- a/arch/x86/events/intel/uncore.c
++++ b/arch/x86/events/intel/uncore.c
+@@ -67,6 +67,7 @@ int uncore_die_to_segment(int die)
+ return bus ? pci_domain_nr(bus) : -EINVAL;
+ }
+
++/* Note: This API can only be used when NUMA information is available. */
+ int uncore_device_to_die(struct pci_dev *dev)
+ {
+ int node = pcibus_to_node(dev->bus);
+diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
+index a338ee01bb242..0182785cad1fe 100644
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -1475,13 +1475,7 @@ static int snbep_pci2phy_map_init(int devid, int nodeid_loc, int idmap_loc, bool
+ }
+
+ map->pbus_to_dieid[bus] = die_id = uncore_device_to_die(ubox_dev);
+-
+ raw_spin_unlock(&pci2phy_map_lock);
+-
+- if (WARN_ON_ONCE(die_id == -1)) {
+- err = -EINVAL;
+- break;
+- }
+ }
+ }
+
+@@ -6533,7 +6527,7 @@ static void spr_update_device_location(int type_id)
+
+ while ((dev = pci_get_device(PCI_VENDOR_ID_INTEL, device, dev)) != NULL) {
+
+- die = uncore_device_to_die(dev);
++ die = uncore_pcibus_to_dieid(dev->bus);
+ if (die < 0)
+ continue;
+
+@@ -6557,6 +6551,11 @@ static void spr_update_device_location(int type_id)
+
+ int spr_uncore_pci_init(void)
+ {
++ int ret = snbep_pci2phy_map_init(0x3250, SKX_CPUNODEID, SKX_GIDNIDMAP, true);
++
++ if (ret)
++ return ret;
++
+ /*
+ * The discovery table of UPI on some SPR variant is broken,
+ * which impacts the detection of both UPI and M3UPI uncore PMON.
+--
+2.53.0
+
--- /dev/null
+From 7c04f7f99e97eb06d92b78dc31a3a9868c90661d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 10:40:48 -0700
+Subject: perf/x86/intel/uncore: Skip discovery table for offline dies
+
+From: Zide Chen <zide.chen@intel.com>
+
+[ Upstream commit 7b568e9eba2fad89a696f22f0413d44cf4a1f892 ]
+
+This warning can be triggered if NUMA is disabled and the system
+boots with fewer CPUs than the number of CPUs in die 0.
+
+WARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore]
+
+Currently, the discovery table continues to be parsed even if all CPUs
+in the associated die are offline. This can lead to an array overflow
+at "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which may
+trigger the warning above or cause other issues.
+
+Fixes: edae1f06c2cd ("perf/x86/intel/uncore: Parse uncore discovery tables")
+Reported-by: Steve Wahl <steve.wahl@hpe.com>
+Signed-off-by: Zide Chen <zide.chen@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Tested-by: Steve Wahl <steve.wahl@hpe.com>
+Link: https://patch.msgid.link/20260313174050.171704-3-zide.chen@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore_discovery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/events/intel/uncore_discovery.c b/arch/x86/events/intel/uncore_discovery.c
+index 7d57ce706feb1..c5adbe4409047 100644
+--- a/arch/x86/events/intel/uncore_discovery.c
++++ b/arch/x86/events/intel/uncore_discovery.c
+@@ -383,7 +383,7 @@ static bool intel_uncore_has_discovery_tables_pci(int *ignore)
+ (val & UNCORE_DISCOVERY_DVSEC2_BIR_MASK) * UNCORE_DISCOVERY_BIR_STEP;
+
+ die = get_device_die_id(dev);
+- if (die < 0)
++ if ((die < 0) || (die >= uncore_max_dies()))
+ continue;
+
+ parse_discovery_table(dev, die, bar_offset, &parsed, ignore);
+--
+2.53.0
+
--- /dev/null
+From c696b1616e4b45cb54c80b8cb5cc9858a01a29d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 18:14:04 +0100
+Subject: pinctrl: intel: Fix the revision for new features (1kOhm PD, HW
+ debouncer)
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit a4337a24d13e9e3b98a113e71d6b80dc5ed5f8c4 ]
+
+The 1kOhm pull down and hardware debouncer are features of the revision 0.92
+of the Chassis specification. Fix that in the code accordingly.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/intel/pinctrl-intel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c
+index cf9db8ac0f42e..106835b5ee5a5 100644
+--- a/drivers/pinctrl/intel/pinctrl-intel.c
++++ b/drivers/pinctrl/intel/pinctrl-intel.c
+@@ -1610,7 +1610,7 @@ int intel_pinctrl_probe(struct platform_device *pdev,
+ value = readl(regs + REVID);
+ if (value == ~0u)
+ return -ENODEV;
+- if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x94) {
++ if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x92) {
+ community->features |= PINCTRL_FEATURE_DEBOUNCE;
+ community->features |= PINCTRL_FEATURE_1K_PD;
+ }
+--
+2.53.0
+
--- /dev/null
+From 14b5b2790c6b4828d93fc6a6af8d0b82d75842e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 18:19:14 +0200
+Subject: pinctrl: mcp23s08: Disable all pin interrupts during probe
+
+From: Francesco Lavra <flavra@baylibre.com>
+
+[ Upstream commit db5b8cecbdf479ad13156af750377e5b43853fab ]
+
+A chip being probed may have the interrupt-on-change feature enabled on
+some of its pins, for example after a reboot. This can cause the chip to
+generate interrupts for pins that don't have a registered nested handler,
+which leads to a kernel crash such as below:
+
+[ 7.928897] Unable to handle kernel read from unreadable memory at virtual address 00000000000000ac
+[ 7.932314] Mem abort info:
+[ 7.935081] ESR = 0x0000000096000004
+[ 7.938808] EC = 0x25: DABT (current EL), IL = 32 bits
+[ 7.944094] SET = 0, FnV = 0
+[ 7.947127] EA = 0, S1PTW = 0
+[ 7.950247] FSC = 0x04: level 0 translation fault
+[ 7.955101] Data abort info:
+[ 7.957961] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+[ 7.963421] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+[ 7.968447] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+[ 7.973734] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000089b7000
+[ 7.980148] [00000000000000ac] pgd=0000000000000000, p4d=0000000000000000
+[ 7.986913] Internal error: Oops: 0000000096000004 [#1] SMP
+[ 7.992545] Modules linked in:
+[ 8.073678] CPU: 0 UID: 0 PID: 81 Comm: irq/18-4-0025 Not tainted 7.0.0-rc6-gd2b5a1f931c8-dirty #199
+[ 8.073689] Hardware name: Khadas VIM3 (DT)
+[ 8.073692] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 8.094639] pc : _raw_spin_lock_irq+0x40/0x80
+[ 8.098970] lr : handle_nested_irq+0x2c/0x168
+[ 8.098979] sp : ffff800082b2bd20
+[ 8.106599] x29: ffff800082b2bd20 x28: ffff800080107920 x27: ffff800080104d88
+[ 8.106611] x26: ffff000003298080 x25: 0000000000000001 x24: 000000000000ff00
+[ 8.113707] x23: 0000000000000001 x22: 0000000000000000 x21: 000000000000000e
+[ 8.120850] x20: 0000000000000000 x19: 00000000000000ac x18: 0000000000000000
+[ 8.135046] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
+[ 8.135062] x14: ffff800081567ea8 x13: ffffffffffffffff x12: 0000000000000000
+[ 8.135070] x11: 00000000000000c0 x10: 0000000000000b60 x9 : ffff800080109e0c
+[ 8.135078] x8 : 1fffe0000069dbc1 x7 : 0000000000000001 x6 : ffff0000034ede00
+[ 8.135086] x5 : 0000000000000000 x4 : ffff0000034ede08 x3 : 0000000000000001
+[ 8.163460] x2 : 0000000000000000 x1 : 0000000000000001 x0 : 00000000000000ac
+[ 8.170560] Call trace:
+[ 8.180094] _raw_spin_lock_irq+0x40/0x80 (P)
+[ 8.184443] mcp23s08_irq+0x248/0x358
+[ 8.184462] irq_thread_fn+0x34/0xb8
+[ 8.184470] irq_thread+0x1a4/0x310
+[ 8.195093] kthread+0x13c/0x150
+[ 8.198309] ret_from_fork+0x10/0x20
+[ 8.201850] Code: d65f03c0 d2800002 52800023 f9800011 (885ffc01)
+[ 8.207931] ---[ end trace 0000000000000000 ]---
+
+This issue has always been present, but has been latent until commit
+"f9f4fda15e72" ("pinctrl: mcp23s08: init reg_defaults from HW at probe and
+switch cache type"), which correctly removed reg_defaults from the regmap
+and as a side effect changed the behavior of the interrupt handler so that
+the real value of the MCP_GPINTEN register is now being read from the chip
+instead of using a bogus 0 default value; a non-zero value for this
+register can trigger the invocation of a nested handler which may not exist
+(yet).
+Fix this issue by disabling all pin interrupts during initialization.
+
+Fixes: f9f4fda15e72 ("pinctrl: mcp23s08: init reg_defaults from HW at probe and switch cache type")
+Signed-off-by: Francesco Lavra <flavra@baylibre.com>
+Signed-off-by: Linus Walleij <linusw@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-mcp23s08.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c
+index 586f2f67c6177..b89b3169e8be5 100644
+--- a/drivers/pinctrl/pinctrl-mcp23s08.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08.c
+@@ -664,6 +664,15 @@ int mcp23s08_probe_one(struct mcp23s08 *mcp, struct device *dev,
+ if (mcp->irq && mcp->irq_controller) {
+ struct gpio_irq_chip *girq = &mcp->chip.irq;
+
++ /*
++ * Disable all pin interrupts, to prevent the interrupt handler from
++ * calling nested handlers for any currently-enabled interrupts that
++ * do not (yet) have an actual handler.
++ */
++ ret = mcp_write(mcp, MCP_GPINTEN, 0);
++ if (ret < 0)
++ return dev_err_probe(dev, ret, "can't disable interrupts\n");
++
+ gpio_irq_chip_set_chip(girq, &mcp23s08_irq_chip);
+ /* This will let us handle the parent IRQ in the driver */
+ girq->parent_handler = NULL;
+--
+2.53.0
+
--- /dev/null
+From 6e6ded743279a77961fcd1e078801ee520d73f19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Mar 2026 16:16:41 -0500
+Subject: platform/x86/amd: pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 1a9452c428a6b76f0b797bae21daa454fccef1a2 ]
+
+This platform is a similar vintage of platforms that had a BIOS bug
+leading to a 10s delay at resume from s0i3.
+
+Add a quirk for it.
+
+Reported-by: Imrane <ihalim.me@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221273
+Tested-by: Imrane <ihalim.me@gmail.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://patch.msgid.link/20260324211647.357924-1-mario.limonciello@amd.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/amd/pmc/pmc-quirks.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/amd/pmc/pmc-quirks.c b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+index ed285afaf9b0d..24506e3429430 100644
+--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c
++++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+@@ -203,6 +203,15 @@ static const struct dmi_system_id fwbug_list[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "82XQ"),
+ }
+ },
++ /* https://bugzilla.kernel.org/show_bug.cgi?id=221273 */
++ {
++ .ident = "Thinkpad L14 Gen3",
++ .driver_data = &quirk_s2idle_bug,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "21C6"),
++ }
++ },
+ /* https://gitlab.freedesktop.org/drm/amd/-/issues/4434 */
+ {
+ .ident = "Lenovo Yoga 6 13ALC6",
+--
+2.53.0
+
--- /dev/null
+From af91f5fa506dc54b512ff0ba096d10ad919a1127 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 14:22:46 -0700
+Subject: platform/x86: asus-nb-wmi: add DMI quirk for ASUS ROG Flow Z13-KJP
+ GZ302EAC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Schwartz <matthew.schwartz@linux.dev>
+
+[ Upstream commit 0198d2743207d67f995cd6df89e267e1b9f5e1f1 ]
+
+The ASUS ROG Flow Z13-KJP GZ302EAC model uses sys_vendor name ASUS
+rather than ASUSTeK COMPUTER INC., but it needs the same folio quirk as
+the other ROG Flow Z13. To keep things simple, just match on sys_vendor
+ASUS since it covers both.
+
+Signed-off-by: Matthew Schwartz <matthew.schwartz@linux.dev>
+Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
+Reviewed-by: Denis Benato <denis.benato@linux.dev>
+Link: https://patch.msgid.link/20260312212246.1608080-1-matthew.schwartz@linux.dev
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/asus-nb-wmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c
+index a38a65f5c550d..b4677c5bba5b4 100644
+--- a/drivers/platform/x86/asus-nb-wmi.c
++++ b/drivers/platform/x86/asus-nb-wmi.c
+@@ -548,7 +548,7 @@ static const struct dmi_system_id asus_quirks[] = {
+ .callback = dmi_matched,
+ .ident = "ASUS ROG Z13",
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_SYS_VENDOR, "ASUS"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "ROG Flow Z13"),
+ },
+ .driver_data = &quirk_asus_z13,
+--
+2.53.0
+
--- /dev/null
+From 8f13ac4d35d05423ac92b5043c3ae1d1e380d34a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Feb 2026 21:11:06 +0530
+Subject: platform/x86: hp-wmi: Add support for Omen 16-wf1xxx (8C76)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krishna Chomal <krishna.chomal108@gmail.com>
+
+[ Upstream commit 84d29bfd1929d08f092851162a3d055a2134d043 ]
+
+The HP Omen 16-wf1xxx (board ID: 8C76) has the same WMI interface as
+other Victus S boards, but requires quirks for correctly switching
+thermal profile (similar to board 8C78).
+
+Add the DMI board name to victus_s_thermal_profile_boards[] table and
+map it to omen_v1_thermal_params.
+
+Testing on board 8C76 confirmed that platform profile is registered
+successfully and fan RPMs are readable and controllable.
+
+Tested-by: WJ Enderlava <jie7172585@gmail.com>
+Reported-by: WJ Enderlava <jie7172585@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221149
+Signed-off-by: Krishna Chomal <krishna.chomal108@gmail.com>
+Link: https://patch.msgid.link/20260227154106.226809-1-krishna.chomal108@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/hp/hp-wmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/platform/x86/hp/hp-wmi.c b/drivers/platform/x86/hp/hp-wmi.c
+index e3a7ac2485d68..7d03903cf221a 100644
+--- a/drivers/platform/x86/hp/hp-wmi.c
++++ b/drivers/platform/x86/hp/hp-wmi.c
+@@ -182,6 +182,10 @@ static const struct dmi_system_id victus_s_thermal_profile_boards[] __initconst
+ .matches = { DMI_MATCH(DMI_BOARD_NAME, "8BD5") },
+ .driver_data = (void *)&victus_s_thermal_params,
+ },
++ {
++ .matches = { DMI_MATCH(DMI_BOARD_NAME, "8C76") },
++ .driver_data = (void *)&omen_v1_thermal_params,
++ },
+ {
+ .matches = { DMI_MATCH(DMI_BOARD_NAME, "8C78") },
+ .driver_data = (void *)&omen_v1_thermal_params,
+--
+2.53.0
+
--- /dev/null
+From 678f7e2adb2795c43d06bb2e98e6c2769c98377a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Feb 2026 15:27:43 +0000
+Subject: RDMA/irdma: Fix double free related to rereg_user_mr
+
+From: Jacob Moroni <jmoroni@google.com>
+
+[ Upstream commit 29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2 ]
+
+If IB_MR_REREG_TRANS is set during rereg_user_mr, the
+umem will be released and a new one will be allocated
+in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans
+fails after the new umem is allocated, it releases the umem,
+but does not set iwmr->region to NULL. The problem is that
+this failure is propagated to the user, who will then call
+ibv_dereg_mr (as they should). Then, the dereg_mr path will
+see a non-NULL umem and attempt to call ib_umem_release again.
+
+Fix this by setting iwmr->region to NULL after ib_umem_release.
+
+Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region")
+Signed-off-by: Jacob Moroni <jmoroni@google.com>
+Link: https://patch.msgid.link/20260227152743.1183388-1-jmoroni@google.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/verbs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
+index c454a006c78e0..496d3fedaa9e6 100644
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -3721,6 +3721,7 @@ static int irdma_rereg_mr_trans(struct irdma_mr *iwmr, u64 start, u64 len,
+
+ err:
+ ib_umem_release(region);
++ iwmr->region = NULL;
+ return err;
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 214752a2826fdfd22ae24d58c35ebe17e82877b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 20:14:32 +0200
+Subject: rtnetlink: add missing netlink_ns_capable() check for peer netns
+
+From: Nikolaos Gkarlis <nickgarlis@gmail.com>
+
+[ Upstream commit 7b735ef81286007794a227ce2539419479c02a5f ]
+
+rtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer
+network namespace when creating paired devices (veth, vxcan,
+netkit). This allows an unprivileged user with a user namespace
+to create interfaces in arbitrary network namespaces, including
+init_net.
+
+Add a netlink_ns_capable() check for CAP_NET_ADMIN in the peer
+namespace before allowing device creation to proceed.
+
+Fixes: 81adee47dfb6 ("net: Support specifying the network namespace upon device creation.")
+Signed-off-by: Nikolaos Gkarlis <nickgarlis@gmail.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260402181432.4126920-1-nickgarlis@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 40 +++++++++++++++++++++++++++-------------
+ 1 file changed, 27 insertions(+), 13 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 11cdad3972ad8..c2ada5107dff0 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -3894,28 +3894,42 @@ static int rtnl_newlink_create(struct sk_buff *skb, struct ifinfomsg *ifm,
+ goto out;
+ }
+
+-static struct net *rtnl_get_peer_net(const struct rtnl_link_ops *ops,
++static struct net *rtnl_get_peer_net(struct sk_buff *skb,
++ const struct rtnl_link_ops *ops,
+ struct nlattr *tbp[],
+ struct nlattr *data[],
+ struct netlink_ext_ack *extack)
+ {
+- struct nlattr *tb[IFLA_MAX + 1];
++ struct nlattr *tb[IFLA_MAX + 1], **attrs;
++ struct net *net;
+ int err;
+
+- if (!data || !data[ops->peer_type])
+- return rtnl_link_get_net_ifla(tbp);
+-
+- err = rtnl_nla_parse_ifinfomsg(tb, data[ops->peer_type], extack);
+- if (err < 0)
+- return ERR_PTR(err);
+-
+- if (ops->validate) {
+- err = ops->validate(tb, NULL, extack);
++ if (!data || !data[ops->peer_type]) {
++ attrs = tbp;
++ } else {
++ err = rtnl_nla_parse_ifinfomsg(tb, data[ops->peer_type], extack);
+ if (err < 0)
+ return ERR_PTR(err);
++
++ if (ops->validate) {
++ err = ops->validate(tb, NULL, extack);
++ if (err < 0)
++ return ERR_PTR(err);
++ }
++
++ attrs = tb;
+ }
+
+- return rtnl_link_get_net_ifla(tb);
++ net = rtnl_link_get_net_ifla(attrs);
++ if (IS_ERR_OR_NULL(net))
++ return net;
++
++ if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN)) {
++ put_net(net);
++ return ERR_PTR(-EPERM);
++ }
++
++ return net;
+ }
+
+ static int __rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+@@ -4054,7 +4068,7 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+ }
+
+ if (ops->peer_type) {
+- peer_net = rtnl_get_peer_net(ops, tb, data, extack);
++ peer_net = rtnl_get_peer_net(skb, ops, tb, data, extack);
+ if (IS_ERR(peer_net)) {
+ ret = PTR_ERR(peer_net);
+ goto put_ops;
+--
+2.53.0
+
--- /dev/null
+From bf6aba498cab8e2f01fa1b4799d78e7195ea2afc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2026 12:22:44 +0200
+Subject: sched/deadline: Use revised wakeup rule for dl_server
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 14a857056466be9d3d907a94e92a704ac1be149b ]
+
+John noted that commit 115135422562 ("sched/deadline: Fix 'stuck' dl_server")
+unfixed the issue from commit a3a70caf7906 ("sched/deadline: Fix dl_server
+behaviour").
+
+The issue in commit 115135422562 was for wakeups of the server after the
+deadline; in which case you *have* to start a new period. The case for
+a3a70caf7906 is wakeups before the deadline.
+
+Now, because the server is effectively running a least-laxity policy, it means
+that any wakeup during the runnable phase means dl_entity_overflow() will be
+true. This means we need to adjust the runtime to allow it to still run until
+the existing deadline expires.
+
+Use the revised wakeup rule for dl_defer entities.
+
+Fixes: 115135422562 ("sched/deadline: Fix 'stuck' dl_server")
+Reported-by: John Stultz <jstultz@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Juri Lelli <juri.lelli@redhat.com>
+Tested-by: John Stultz <jstultz@google.com>
+Link: https://patch.msgid.link/20260404102244.GB22575@noisy.programming.kicks-ass.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/deadline.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index e3a6b8ed1d6db..3f80411972067 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -1027,7 +1027,7 @@ static void update_dl_entity(struct sched_dl_entity *dl_se)
+ if (dl_time_before(dl_se->deadline, rq_clock(rq)) ||
+ dl_entity_overflow(dl_se, rq_clock(rq))) {
+
+- if (unlikely(!dl_is_implicit(dl_se) &&
++ if (unlikely((!dl_is_implicit(dl_se) || dl_se->dl_defer) &&
+ !dl_time_before(dl_se->deadline, rq_clock(rq)) &&
+ !is_dl_boosted(dl_se))) {
+ update_dl_revised_wakeup(dl_se, rq);
+--
+2.53.0
+
--- /dev/null
+From 3247b4adfaf2ff16be3c377de970d09424943752 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2026 22:29:19 +0100
+Subject: selftests: net: bridge_vlan_mcast: wait for h1 before querier check
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit efaa71faf212324ecbf6d5339e9717fe53254f58 ]
+
+The querier-interval test adds h1 (currently a slave of the VRF created
+by simple_if_init) to a temporary bridge br1 acting as an outside IGMP
+querier. The kernel VRF driver (drivers/net/vrf.c) calls cycle_netdev()
+on every slave add and remove, toggling the interface admin-down then up.
+Phylink takes the PHY down during the admin-down half of that cycle.
+Since h1 and swp1 are cable-connected, swp1 also loses its link may need
+several seconds to re-negotiate.
+
+Use setup_wait_dev $h1 0 which waits for h1 to return to UP state, so the
+test can rely on the link being back up at this point.
+
+Fixes: 4d8610ee8bd77 ("selftests: net: bridge: add vlan mcast_querier_interval tests")
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Reviewed-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Link: https://patch.msgid.link/c830f130860fd2efae08bfb9e5b25fd028e58ce5.1775424423.git.daniel@makrotopia.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
+index 72dfbeaf56b92..e8031f68200ad 100755
+--- a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
++++ b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
+@@ -414,6 +414,7 @@ vlmc_querier_intvl_test()
+ bridge vlan add vid 10 dev br1 self pvid untagged
+ ip link set dev $h1 master br1
+ ip link set dev br1 up
++ setup_wait_dev $h1 0
+ bridge vlan add vid 10 dev $h1 master
+ bridge vlan global set vid 10 dev br1 mcast_snooping 1 mcast_querier 1
+ sleep 2
+--
+2.53.0
+
--- /dev/null
+dmaengine-idxd-fix-lockdep-warnings-when-calling-idx.patch
+rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch
+asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch
+alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch
+alsa-hda-realtek-add-quirk-for-lenovo-yoga-7-2-in-1-.patch
+alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch
+media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch
+alsa-asihpi-avoid-write-overflow-check-warning.patch
+bluetooth-hci_sync-annotate-data-races-around-hdev-r.patch
+asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch
+asoc-sof-topology-reject-invalid-vendor-array-size-i.patch
+can-mcp251x-add-error-handling-for-power-enable-in-o.patch
+asoc-amd-acp-add-asus-hn7306ea-quirk-for-legacy-sdw-.patch
+alsa-usb-qcom-add-auxiliary_bus-to-kconfig-dependenc.patch
+platform-x86-asus-nb-wmi-add-dmi-quirk-for-asus-rog-.patch
+btrfs-fix-zero-size-inode-with-non-zero-size-after-l.patch
+platform-x86-hp-wmi-add-support-for-omen-16-wf1xxx-8.patch
+btrfs-tracepoints-get-correct-superblock-from-dentry.patch
+alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch
+netfilter-ctnetlink-ensure-safe-access-to-master-con.patch
+drm-amdgpu-handle-gpu-page-faults-correctly-on-non-4.patch
+srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch
+alsa-hda-realtek-add-hp-laptop-15-fd0xxx-mute-led-qu.patch
+netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch
+alsa-hda-realtek-fixed-speaker-mute-led-for-hp-elite.patch
+alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch
+wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch
+asoc-soc-core-call-missing-init_list_head-for-card_a.patch
+alsa-hda-realtek-add-quirk-for-samsung-book2-pro-360.patch
+alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch
+alsa-hda-realtek-add-quirk-for-lenovo-yoga-slim-7-14.patch
+drm-amdkfd-fix-queue-preemption-eviction-failures-by.patch
+fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch
+asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch
+alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch
+pinctrl-intel-fix-the-revision-for-new-features-1koh.patch
+platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch
+hid-intel-thc-hid-intel-quickspi-add-nvl-device-ids.patch
+hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch
+alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch-618
+hid-roccat-fix-use-after-free-in-roccat_report_event.patch
+ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch
+wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch
+net-sfp-add-quirks-for-hisense-and-hsgq-gpon-ont-sfp.patch
+x86-shadow-stacks-proper-error-handling-for-mmap-loc.patch
+asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch
+soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch
+arm64-dts-qcom-hamoa-x1-fix-idle-exit-latency.patch
+arm64-dts-qcom-qcm6490-idp-fix-wcd9370-reset-gpio-po.patch
+arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch
+arm64-dts-imx93-9x9-qsb-change-usdhc-tuning-step-for.patch
+arm64-dts-imx91-tqma9131-improve-emmc-pad-configurat.patch
+arm64-dts-imx93-tqma9352-improve-emmc-pad-configurat.patch
+arm64-dts-qcom-monaco-fix-uart10-pinconf.patch
+soc-qcom-pd-mapper-fix-element-length-in-servreg_loc.patch
+tools-power-turbostat-fix-swidle-header-vs-data-disp.patch
+tools-power-turbostat-fix-microcode-patch-level-outp.patch
+tools-power-turbostat-fix-incorrect-format-variable.patch
+tools-power-turbostat-fix-show-hide-for-individual-c.patch
+arm64-dts-qcom-monaco-reserve-full-gunyah-metadata-r.patch
+tools-power-turbostat-fix-delimiter-bug-in-print-fun.patch
+soc-microchip-mpfs-control-scb-fix-resource-leak-on-.patch
+soc-microchip-mpfs-mss-top-sysreg-fix-resource-leak-.patch
+arm-dts-microchip-sam9x7-fix-gpio-lines-count-for-pi.patch
+pci-hv-set-default-numa-node-to-0-for-devices-withou.patch
+hid-amd_sfh-don-t-log-error-when-device-discovery-fa.patch
+xfrm-account-xfrma_if_id-in-aevent-size-calculation.patch
+dma-mapping-add-dma_attr_cpu_cache_clean.patch
+dma-debug-track-cache-clean-flag-in-entries.patch
+dma-debug-suppress-cacheline-overlap-warning-when-ar.patch
+cachefiles-fix-incorrect-dentry-refcount-in-cachefil.patch
+drm-vc4-release-runtime-pm-reference-after-binding-v.patch
+drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch
+drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch
+drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch
+eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch
+net-sched-act_csum-validate-nested-vlan-headers.patch
+net-fec-make-fixed_phy-dependency-unconditional.patch
+net-lapbether-handle-netdev_pre_type_change.patch
+net-airoha-fix-memory-leak-in-airoha_qdma_rx_process.patch
+ipv6-ioam-fix-potential-null-dereferences-in-__ioam6.patch
+bridge-guard-local-vlan-0-fdb-helpers-against-null-v.patch
+rtnetlink-add-missing-netlink_ns_capable-check-for-p.patch
+ipv4-nexthop-avoid-duplicate-nha_hw_stats_enable-on-.patch
+ipv4-nexthop-allocate-skb-dynamically-in-rtm_get_nex.patch
+ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch
+net-increase-ip_tunnel_recursion_limit-to-5.patch
+nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch
+net-stmmac-fix-ptp-ref-clock-for-tegra234.patch
+dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch
+pci-hv-fix-double-ida_free-in-hv_pci_probe-error-pat.patch
+mshv-fix-infinite-fault-loop-on-permission-denied-gp.patch
+tracing-probe-reject-non-closed-empty-immediate-stri.patch
+asoc-sdca-add-asoc-jack-hookup-in-class-driver.patch
+asoc-sdca-fix-errors-in-irq-cleanup.patch
+asoc-sof-intel-fix-endpoint-index-if-endpoints-are-m.patch
+asoc-sof-intel-fix-iteration-in-is_endpoint_present.patch
+ice-ptp-don-t-warn-when-controlling-pf-is-unavailabl.patch
+ixgbe-stop-re-reading-flash-on-every-get_drvinfo-for.patch
+ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch
+e1000-check-return-value-of-e1000_read_eeprom.patch
+xsk-tighten-umem-headroom-validation-to-account-for-.patch
+xsk-respect-tailroom-for-zc-setups.patch
+xsk-fix-xdp_umem_sg_flag-issues.patch
+xsk-validate-mtu-against-usable-frame-size-on-bind.patch
+vsock-test-fix-send_buf-recv_buf-eintr-handling.patch
+xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch
+xfrm-fix-refcount-leak-in-xfrm_migrate_policy_find.patch
+xfrm_user-fix-info-leak-in-build_mapping.patch
+net-af_key-zero-aligned-sockaddr-tail-in-pf_key-expo.patch
+pinctrl-mcp23s08-disable-all-pin-interrupts-during-p.patch
+asoc-intel-avs-fix-memory-leak-in-avs_register_i2s_t.patch
+drm-xe-fix-bug-in-idledly-unit-conversion.patch
+selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch
+ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch
+netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch
+netfilter-xt_multiport-validate-range-encoding-in-ch.patch
+netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch
+netfilter-nfnetlink_queue-nfqnl_instance-gfp_atomic-.patch
+netfilter-nfnetlink_queue-make-hash-table-per-queue.patch
+asoc-sdca-fix-overwritten-var-within-for-loop.patch
+asoc-sdca-unregister-irq-handlers-on-module-remove.patch
+asoc-amd-acp-update-dmi-quirk-and-add-acp-dmic-for-l.patch
+net-mdio-realtek-rtl9300-use-scoped-device_for_each_.patch
+net-ioam6-fix-oob-and-missing-lock.patch
+net-txgbe-leave-space-for-null-terminators-on-proper.patch
+af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch
+devlink-fix-incorrect-skb-socket-family-dumping.patch
+net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch
+net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch
+l2tp-drop-large-packets-with-udp-encap.patch
+gpio-tegra-fix-irq_release_resources-calling-enable-.patch
+crypto-af_alg-limit-rx-sg-extraction-by-receive-buff.patch
+perf-x86-intel-uncore-skip-discovery-table-for-offli.patch
+perf-x86-intel-uncore-fix-die-id-init-and-look-up-bu.patch
+sched-deadline-use-revised-wakeup-rule-for-dl_server.patch
+clockevents-prevent-timer-interrupt-starvation.patch
+crypto-af_alg-fix-page-reassignment-overflow-in-af_a.patch
+crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch
--- /dev/null
+From 44713a93d79751961f2ed1671c30a5c41494003c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jan 2026 16:37:56 +0800
+Subject: soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching
+
+From: Potin Lai <potin.lai.pt@gmail.com>
+
+[ Upstream commit 7ec1bd3d9be671d04325b9e06149b8813f6a4836 ]
+
+The siliconid_to_name() function currently masks the input silicon ID
+with 0xff00ffff, but compares it against unmasked table entries. This
+causes matching to fail if the table entries contain non-zero values in
+the bits covered by the mask (bits 16-23).
+
+Update the logic to apply the 0xff00ffff mask to the table entries
+during comparison. This ensures that only the relevant model and
+revision bits are considered, providing a consistent match across
+different manufacturing batches.
+
+[arj: Add Fixes: tag, fix 'soninfo' typo, clarify function reference]
+
+Fixes: e0218dca5787 ("soc: aspeed: Add soc info driver")
+Signed-off-by: Potin Lai <potin.lai.pt@gmail.com>
+Link: https://patch.msgid.link/20260122-soc_aspeed_name_fix-v1-1-33a847f2581c@gmail.com
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/aspeed/aspeed-socinfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspeed-socinfo.c
+index 67e9ac3d08ecc..a90b100f4d101 100644
+--- a/drivers/soc/aspeed/aspeed-socinfo.c
++++ b/drivers/soc/aspeed/aspeed-socinfo.c
+@@ -39,7 +39,7 @@ static const char *siliconid_to_name(u32 siliconid)
+ unsigned int i;
+
+ for (i = 0 ; i < ARRAY_SIZE(rev_table) ; ++i) {
+- if (rev_table[i].id == id)
++ if ((rev_table[i].id & 0xff00ffff) == id)
+ return rev_table[i].name;
+ }
+
+--
+2.53.0
+
--- /dev/null
+From afcddd1974dc9c49317d0afab8e396bb58d2b9f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Mar 2026 20:16:14 +0800
+Subject: soc: microchip: mpfs-control-scb: Fix resource leak on driver unbind
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit 27459f86a43792d5c29f267a41dbd387601e772b ]
+
+Use devm_mfd_add_devices() instead of mfd_add_devices() to ensure
+child devices are properly removed when the driver unbinds.
+
+Fixes: 4aac11c9a6e7 ("soc: microchip: add mfd drivers for two syscon regions on PolarFire SoC")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/microchip/mpfs-control-scb.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/microchip/mpfs-control-scb.c b/drivers/soc/microchip/mpfs-control-scb.c
+index f0b84b1f49cbc..8dda5704a389f 100644
+--- a/drivers/soc/microchip/mpfs-control-scb.c
++++ b/drivers/soc/microchip/mpfs-control-scb.c
+@@ -14,8 +14,10 @@ static int mpfs_control_scb_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+
+- return mfd_add_devices(dev, PLATFORM_DEVID_NONE, mpfs_control_scb_devs,
+- ARRAY_SIZE(mpfs_control_scb_devs), NULL, 0, NULL);
++ return devm_mfd_add_devices(dev, PLATFORM_DEVID_NONE,
++ mpfs_control_scb_devs,
++ ARRAY_SIZE(mpfs_control_scb_devs), NULL, 0,
++ NULL);
+ }
+
+ static const struct of_device_id mpfs_control_scb_of_match[] = {
+--
+2.53.0
+
--- /dev/null
+From e8f85fc751a4e37773c91d08e76cd15c54911aa4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Mar 2026 20:16:15 +0800
+Subject: soc: microchip: mpfs-mss-top-sysreg: Fix resource leak on driver
+ unbind
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit 3bfc213d4675736567a4e263c51c25144d565949 ]
+
+Use devm_mfd_add_devices() instead of mfd_add_devices() to ensure
+child devices are properly removed when the driver unbinds.
+
+Fixes: 4aac11c9a6e7 ("soc: microchip: add mfd drivers for two syscon regions on PolarFire SoC")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/microchip/mpfs-mss-top-sysreg.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/microchip/mpfs-mss-top-sysreg.c b/drivers/soc/microchip/mpfs-mss-top-sysreg.c
+index b2244e44ff0fa..b0f42b8dd3ed6 100644
+--- a/drivers/soc/microchip/mpfs-mss-top-sysreg.c
++++ b/drivers/soc/microchip/mpfs-mss-top-sysreg.c
+@@ -16,8 +16,10 @@ static int mpfs_mss_top_sysreg_probe(struct platform_device *pdev)
+ struct device *dev = &pdev->dev;
+ int ret;
+
+- ret = mfd_add_devices(dev, PLATFORM_DEVID_NONE, mpfs_mss_top_sysreg_devs,
+- ARRAY_SIZE(mpfs_mss_top_sysreg_devs) , NULL, 0, NULL);
++ ret = devm_mfd_add_devices(dev, PLATFORM_DEVID_NONE,
++ mpfs_mss_top_sysreg_devs,
++ ARRAY_SIZE(mpfs_mss_top_sysreg_devs), NULL,
++ 0, NULL);
+ if (ret)
+ return ret;
+
+--
+2.53.0
+
--- /dev/null
+From 9a55c6886842347ce29dc5927928ce41e72b0c3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jan 2026 20:53:20 +0530
+Subject: soc: qcom: pd-mapper: Fix element length in servreg_loc_pfr_req_ei
+
+From: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+
+[ Upstream commit 641f6fda143b879da1515f821ee475073678cf2a ]
+
+It looks element length declared in servreg_loc_pfr_req_ei for reason
+not matching servreg_loc_pfr_req's reason field due which we could
+observe decoding error on PD crash.
+
+ qmi_decode_string_elem: String len 81 >= Max Len 65
+
+Fix this by matching with servreg_loc_pfr_req's reason field.
+
+Fixes: 1ebcde047c54 ("soc: qcom: add pd-mapper implementation")
+Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Tested-by: Nikita Travkin <nikita@trvn.ru>
+Link: https://lore.kernel.org/r/20260129152320.3658053-2-mukesh.ojha@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/pdr_internal.h | 2 +-
+ drivers/soc/qcom/qcom_pdr_msg.c | 2 +-
+ include/linux/soc/qcom/pdr.h | 1 +
+ 3 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/qcom/pdr_internal.h b/drivers/soc/qcom/pdr_internal.h
+index 039508c1bbf7d..047c0160b6178 100644
+--- a/drivers/soc/qcom/pdr_internal.h
++++ b/drivers/soc/qcom/pdr_internal.h
+@@ -84,7 +84,7 @@ struct servreg_set_ack_resp {
+
+ struct servreg_loc_pfr_req {
+ char service[SERVREG_NAME_LENGTH + 1];
+- char reason[257];
++ char reason[SERVREG_PFR_LENGTH + 1];
+ };
+
+ struct servreg_loc_pfr_resp {
+diff --git a/drivers/soc/qcom/qcom_pdr_msg.c b/drivers/soc/qcom/qcom_pdr_msg.c
+index ca98932140d87..02022b11ecf05 100644
+--- a/drivers/soc/qcom/qcom_pdr_msg.c
++++ b/drivers/soc/qcom/qcom_pdr_msg.c
+@@ -325,7 +325,7 @@ const struct qmi_elem_info servreg_loc_pfr_req_ei[] = {
+ },
+ {
+ .data_type = QMI_STRING,
+- .elem_len = SERVREG_NAME_LENGTH + 1,
++ .elem_len = SERVREG_PFR_LENGTH + 1,
+ .elem_size = sizeof(char),
+ .array_type = VAR_LEN_ARRAY,
+ .tlv_type = 0x02,
+diff --git a/include/linux/soc/qcom/pdr.h b/include/linux/soc/qcom/pdr.h
+index 83a8ea612e69a..2b7691e47c2a9 100644
+--- a/include/linux/soc/qcom/pdr.h
++++ b/include/linux/soc/qcom/pdr.h
+@@ -5,6 +5,7 @@
+ #include <linux/soc/qcom/qmi.h>
+
+ #define SERVREG_NAME_LENGTH 64
++#define SERVREG_PFR_LENGTH 256
+
+ struct pdr_service;
+ struct pdr_handle;
+--
+2.53.0
+
--- /dev/null
+From c713f03911e727720f671be2f88a4bc2624d8376 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 20:14:18 -0400
+Subject: srcu: Use irq_work to start GP in tiny SRCU
+
+From: Joel Fernandes <joelagnelf@nvidia.com>
+
+[ Upstream commit a6fc88b22bc8d12ad52e8412c667ec0f5bf055af ]
+
+Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(),
+which acquires the workqueue pool->lock.
+
+This causes a lockdep splat when call_srcu() is called with a scheduler
+lock held, due to:
+
+ call_srcu() [holding pi_lock]
+ srcu_gp_start_if_needed()
+ schedule_work() -> pool->lock
+
+ workqueue_init() / create_worker() [holding pool->lock]
+ wake_up_process() -> try_to_wake_up() -> pi_lock
+
+Also add irq_work_sync() to cleanup_srcu_struct() to prevent a
+use-after-free if a queued irq_work fires after cleanup begins.
+
+Tested with rcutorture SRCU-T and no lockdep warnings.
+
+[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work
+to start process_srcu()" ]
+
+Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
+Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Boqun Feng <boqun@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/srcutiny.h | 4 ++++
+ kernel/rcu/srcutiny.c | 19 ++++++++++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/srcutiny.h b/include/linux/srcutiny.h
+index e0698024667a7..313a0e17f22fe 100644
+--- a/include/linux/srcutiny.h
++++ b/include/linux/srcutiny.h
+@@ -11,6 +11,7 @@
+ #ifndef _LINUX_SRCU_TINY_H
+ #define _LINUX_SRCU_TINY_H
+
++#include <linux/irq_work_types.h>
+ #include <linux/swait.h>
+
+ struct srcu_struct {
+@@ -24,18 +25,21 @@ struct srcu_struct {
+ struct rcu_head *srcu_cb_head; /* Pending callbacks: Head. */
+ struct rcu_head **srcu_cb_tail; /* Pending callbacks: Tail. */
+ struct work_struct srcu_work; /* For driving grace periods. */
++ struct irq_work srcu_irq_work; /* Defer schedule_work() to irq work. */
+ #ifdef CONFIG_DEBUG_LOCK_ALLOC
+ struct lockdep_map dep_map;
+ #endif /* #ifdef CONFIG_DEBUG_LOCK_ALLOC */
+ };
+
+ void srcu_drive_gp(struct work_struct *wp);
++void srcu_tiny_irq_work(struct irq_work *irq_work);
+
+ #define __SRCU_STRUCT_INIT(name, __ignored, ___ignored, ____ignored) \
+ { \
+ .srcu_wq = __SWAIT_QUEUE_HEAD_INITIALIZER(name.srcu_wq), \
+ .srcu_cb_tail = &name.srcu_cb_head, \
+ .srcu_work = __WORK_INITIALIZER(name.srcu_work, srcu_drive_gp), \
++ .srcu_irq_work = { .func = srcu_tiny_irq_work }, \
+ __SRCU_DEP_MAP_INIT(name) \
+ }
+
+diff --git a/kernel/rcu/srcutiny.c b/kernel/rcu/srcutiny.c
+index 3450c3751ef7a..a2e2d516e51b9 100644
+--- a/kernel/rcu/srcutiny.c
++++ b/kernel/rcu/srcutiny.c
+@@ -9,6 +9,7 @@
+ */
+
+ #include <linux/export.h>
++#include <linux/irq_work.h>
+ #include <linux/mutex.h>
+ #include <linux/preempt.h>
+ #include <linux/rcupdate_wait.h>
+@@ -41,6 +42,7 @@ static int init_srcu_struct_fields(struct srcu_struct *ssp)
+ ssp->srcu_idx_max = 0;
+ INIT_WORK(&ssp->srcu_work, srcu_drive_gp);
+ INIT_LIST_HEAD(&ssp->srcu_work.entry);
++ init_irq_work(&ssp->srcu_irq_work, srcu_tiny_irq_work);
+ return 0;
+ }
+
+@@ -84,6 +86,7 @@ EXPORT_SYMBOL_GPL(init_srcu_struct);
+ void cleanup_srcu_struct(struct srcu_struct *ssp)
+ {
+ WARN_ON(ssp->srcu_lock_nesting[0] || ssp->srcu_lock_nesting[1]);
++ irq_work_sync(&ssp->srcu_irq_work);
+ flush_work(&ssp->srcu_work);
+ WARN_ON(ssp->srcu_gp_running);
+ WARN_ON(ssp->srcu_gp_waiting);
+@@ -177,6 +180,20 @@ void srcu_drive_gp(struct work_struct *wp)
+ }
+ EXPORT_SYMBOL_GPL(srcu_drive_gp);
+
++/*
++ * Use an irq_work to defer schedule_work() to avoid acquiring the workqueue
++ * pool->lock while the caller might hold scheduler locks, causing lockdep
++ * splats due to workqueue_init() doing a wakeup.
++ */
++void srcu_tiny_irq_work(struct irq_work *irq_work)
++{
++ struct srcu_struct *ssp;
++
++ ssp = container_of(irq_work, struct srcu_struct, srcu_irq_work);
++ schedule_work(&ssp->srcu_work);
++}
++EXPORT_SYMBOL_GPL(srcu_tiny_irq_work);
++
+ static void srcu_gp_start_if_needed(struct srcu_struct *ssp)
+ {
+ unsigned long cookie;
+@@ -189,7 +206,7 @@ static void srcu_gp_start_if_needed(struct srcu_struct *ssp)
+ WRITE_ONCE(ssp->srcu_idx_max, cookie);
+ if (!READ_ONCE(ssp->srcu_gp_running)) {
+ if (likely(srcu_init_done))
+- schedule_work(&ssp->srcu_work);
++ irq_work_queue(&ssp->srcu_irq_work);
+ else if (list_empty(&ssp->srcu_work.entry))
+ list_add(&ssp->srcu_work.entry, &srcu_boot_list);
+ }
+--
+2.53.0
+
--- /dev/null
+From 686d1407479119a315087e7689f661e948b34cc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 11:00:34 +0200
+Subject: tools/power turbostat: Fix delimiter bug in print functions
+
+From: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+
+[ Upstream commit cdbefe9d4029d4834d404f7ba13a960b38a69e88 ]
+
+Commands that add counters, such as 'turbostat --show C1,C1+'
+display merged columns without a delimiter.
+
+This is caused by the bad syntax: '(*printed++ ? delim : "")', shared by
+print_name()/print_hex_value()/print_decimal_value()/print_float_value()
+
+Use '((*printed)++ ? delim : "")' to correctly increment the value at *printed.
+
+[lenb: fix code and commit message typo, re-word]
+Fixes: 56dbb878507b ("tools/power turbostat: Refactor added column header printing")
+Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index b01a905bd24a7..c6060f65eaaf1 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -2732,29 +2732,29 @@ static inline int print_name(int width, int *printed, char *delim, char *name, e
+ UNUSED(type);
+
+ if (format == FORMAT_RAW && width >= 64)
+- return (sprintf(outp, "%s%-8s", (*printed++ ? delim : ""), name));
++ return (sprintf(outp, "%s%-8s", ((*printed)++ ? delim : ""), name));
+ else
+- return (sprintf(outp, "%s%s", (*printed++ ? delim : ""), name));
++ return (sprintf(outp, "%s%s", ((*printed)++ ? delim : ""), name));
+ }
+
+ static inline int print_hex_value(int width, int *printed, char *delim, unsigned long long value)
+ {
+ if (width <= 32)
+- return (sprintf(outp, "%s%08x", (*printed++ ? delim : ""), (unsigned int)value));
++ return (sprintf(outp, "%s%08x", ((*printed)++ ? delim : ""), (unsigned int)value));
+ else
+- return (sprintf(outp, "%s%016llx", (*printed++ ? delim : ""), value));
++ return (sprintf(outp, "%s%016llx", ((*printed)++ ? delim : ""), value));
+ }
+
+ static inline int print_decimal_value(int width, int *printed, char *delim, unsigned long long value)
+ {
+ UNUSED(width);
+
+- return (sprintf(outp, "%s%lld", (*printed++ ? delim : ""), value));
++ return (sprintf(outp, "%s%lld", ((*printed)++ ? delim : ""), value));
+ }
+
+ static inline int print_float_value(int *printed, char *delim, double value)
+ {
+- return (sprintf(outp, "%s%0.2f", (*printed++ ? delim : ""), value));
++ return (sprintf(outp, "%s%0.2f", ((*printed)++ ? delim : ""), value));
+ }
+
+ void print_header(char *delim)
+--
+2.53.0
+
--- /dev/null
+From 29cf5f506e9e8ec7302dc319365d0ce84190b708 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 11:00:32 +0200
+Subject: tools/power turbostat: Fix incorrect format variable
+
+From: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+
+[ Upstream commit 23cb4f5c81766e70e5f32ed0987ee8fb5ab2e00a ]
+
+In the perf thread, core, and package counter loops, an incorrect
+'mp->format' variable is used instead of 'pp->format'.
+
+[lenb: edit commit message]
+Fixes: 696d15cbd8c2 ("tools/power turbostat: Refactor floating point printout code")
+Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 83a90f413f976..603651e74dacf 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -3330,7 +3330,7 @@ int format_counters(PER_THREAD_PARAMS)
+ for (i = 0, pp = sys.perf_tp; pp; ++i, pp = pp->next) {
+ if (pp->format == FORMAT_RAW)
+ outp += print_hex_value(pp->width, &printed, delim, t->perf_counter[i]);
+- else if (pp->format == FORMAT_DELTA || mp->format == FORMAT_AVERAGE)
++ else if (pp->format == FORMAT_DELTA || pp->format == FORMAT_AVERAGE)
+ outp += print_decimal_value(pp->width, &printed, delim, t->perf_counter[i]);
+ else if (pp->format == FORMAT_PERCENT) {
+ if (pp->type == COUNTER_USEC)
+@@ -3400,7 +3400,7 @@ int format_counters(PER_THREAD_PARAMS)
+ for (i = 0, pp = sys.perf_cp; pp; i++, pp = pp->next) {
+ if (pp->format == FORMAT_RAW)
+ outp += print_hex_value(pp->width, &printed, delim, c->perf_counter[i]);
+- else if (pp->format == FORMAT_DELTA || mp->format == FORMAT_AVERAGE)
++ else if (pp->format == FORMAT_DELTA || pp->format == FORMAT_AVERAGE)
+ outp += print_decimal_value(pp->width, &printed, delim, c->perf_counter[i]);
+ else if (pp->format == FORMAT_PERCENT)
+ outp += print_float_value(&printed, delim, pct(c->perf_counter[i], tsc));
+@@ -3558,7 +3558,7 @@ int format_counters(PER_THREAD_PARAMS)
+ outp += print_hex_value(pp->width, &printed, delim, p->perf_counter[i]);
+ else if (pp->type == COUNTER_K2M)
+ outp += sprintf(outp, "%s%d", (printed++ ? delim : ""), (unsigned int)p->perf_counter[i] / 1000);
+- else if (pp->format == FORMAT_DELTA || mp->format == FORMAT_AVERAGE)
++ else if (pp->format == FORMAT_DELTA || pp->format == FORMAT_AVERAGE)
+ outp += print_decimal_value(pp->width, &printed, delim, p->perf_counter[i]);
+ else if (pp->format == FORMAT_PERCENT)
+ outp += print_float_value(&printed, delim, pct(p->perf_counter[i], tsc));
+--
+2.53.0
+
--- /dev/null
+From cfd11b0b28f93407dad7926043942935b1f73406 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:16:03 -0500
+Subject: tools/power/turbostat: Fix microcode patch level output for AMD/Hygon
+
+From: Serhii Pievniev <spevnev16@gmail.com>
+
+[ Upstream commit a444083286434ec1fd127c5da11a3091e6013008 ]
+
+turbostat always used the same logic to read the microcode patch level,
+which is correct for Intel but not for AMD/Hygon.
+While Intel stores the patch level in the upper 32 bits of MSR, AMD
+stores it in the lower 32 bits, which causes turbostat to report the
+microcode version as 0x0 on AMD/Hygon.
+
+Fix by shifting right by 32 for non-AMD/Hygon, preserving the existing
+behavior for Intel and unknown vendors.
+
+Fixes: 3e4048466c39 ("tools/power turbostat: Add --no-msr option")
+Signed-off-by: Serhii Pievniev <spevnev16@gmail.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 903943d30f713..83a90f413f976 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -8812,10 +8812,13 @@ void process_cpuid()
+ edx_flags = edx;
+
+ if (!no_msr) {
+- if (get_msr(sched_getcpu(), MSR_IA32_UCODE_REV, &ucode_patch))
++ if (get_msr(sched_getcpu(), MSR_IA32_UCODE_REV, &ucode_patch)) {
+ warnx("get_msr(UCODE)");
+- else
++ } else {
+ ucode_patch_valid = true;
++ if (!authentic_amd && !hygon_genuine)
++ ucode_patch >>= 32;
++ }
+ }
+
+ /*
+@@ -8829,7 +8832,7 @@ void process_cpuid()
+ if (!quiet) {
+ fprintf(outf, "CPUID(1): family:model:stepping 0x%x:%x:%x (%d:%d:%d)", family, model, stepping, family, model, stepping);
+ if (ucode_patch_valid)
+- fprintf(outf, " microcode 0x%x", (unsigned int)((ucode_patch >> 32) & 0xFFFFFFFF));
++ fprintf(outf, " microcode 0x%x", (unsigned int)ucode_patch);
+ fputc('\n', outf);
+
+ fprintf(outf, "CPUID(0x80000000): max_extended_levels: 0x%x\n", max_extended_level);
+--
+2.53.0
+
--- /dev/null
+From 59e31b96beae32393335336db64b8869d048fabd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 11:00:33 +0200
+Subject: tools/power turbostat: Fix --show/--hide for individual cpuidle
+ counters
+
+From: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+
+[ Upstream commit b6398bc2ef3a78f1be37ba01ae0a5eedaee47803 ]
+
+Problem: individual swidle counter names (C1, C1+, C1-, etc.) cannot be
+selected via --show/--hide due to two bugs in probe_cpuidle_counts():
+1. The function returns immediately when BIC_cpuidle is not enabled,
+ without checking deferred_add_index.
+2. The deferred name check runs against name_buf before the trailing
+ newline is stripped, so is_deferred_add("C1\n") never matches "C1".
+
+Fix:
+1. Relax the early return to pass through when deferred names are
+ queued.
+2. Strip the trailing newline from name_buf before performing deferred
+ name checks.
+3. Check each suffixed variant (C1+, C1, C1-) individually so that
+ e.g. "--show C1+" enables only the requested metric.
+
+In addition, introduce a helper function to avoid repeating the
+condition (readability cleanup).
+
+Fixes: ec4acd3166d8 ("tools/power turbostat: disable "cpuidle" invocation counters, by default")
+Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 35 ++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 603651e74dacf..b01a905bd24a7 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -10908,6 +10908,14 @@ void probe_cpuidle_residency(void)
+ }
+ }
+
++static bool cpuidle_counter_wanted(char *name)
++{
++ if (is_deferred_skip(name))
++ return false;
++
++ return DO_BIC(BIC_cpuidle) || is_deferred_add(name);
++}
++
+ void probe_cpuidle_counts(void)
+ {
+ char path[64];
+@@ -10917,7 +10925,7 @@ void probe_cpuidle_counts(void)
+ int min_state = 1024, max_state = 0;
+ char *sp;
+
+- if (!DO_BIC(BIC_cpuidle))
++ if (!DO_BIC(BIC_cpuidle) && !deferred_add_index)
+ return;
+
+ for (state = 10; state >= 0; --state) {
+@@ -10932,12 +10940,6 @@ void probe_cpuidle_counts(void)
+
+ remove_underbar(name_buf);
+
+- if (!DO_BIC(BIC_cpuidle) && !is_deferred_add(name_buf))
+- continue;
+-
+- if (is_deferred_skip(name_buf))
+- continue;
+-
+ /* truncate "C1-HSW\n" to "C1", or truncate "C1\n" to "C1" */
+ sp = strchr(name_buf, '-');
+ if (!sp)
+@@ -10952,16 +10954,19 @@ void probe_cpuidle_counts(void)
+ * Add 'C1+' for C1, and so on. The 'below' sysfs file always contains 0 for
+ * the last state, so do not add it.
+ */
+-
+ *sp = '+';
+ *(sp + 1) = '\0';
+- sprintf(path, "cpuidle/state%d/below", state);
+- add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0);
++ if (cpuidle_counter_wanted(name_buf)) {
++ sprintf(path, "cpuidle/state%d/below", state);
++ add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0);
++ }
+ }
+
+ *sp = '\0';
+- sprintf(path, "cpuidle/state%d/usage", state);
+- add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0);
++ if (cpuidle_counter_wanted(name_buf)) {
++ sprintf(path, "cpuidle/state%d/usage", state);
++ add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0);
++ }
+
+ /*
+ * The 'above' sysfs file always contains 0 for the shallowest state (smallest
+@@ -10970,8 +10975,10 @@ void probe_cpuidle_counts(void)
+ if (state != min_state) {
+ *sp = '-';
+ *(sp + 1) = '\0';
+- sprintf(path, "cpuidle/state%d/above", state);
+- add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0);
++ if (cpuidle_counter_wanted(name_buf)) {
++ sprintf(path, "cpuidle/state%d/above", state);
++ add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0);
++ }
+ }
+ }
+ }
+--
+2.53.0
+
--- /dev/null
+From ab69ffa670f74ffaa6adee39a18d56ad245bb1d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Mar 2026 21:43:11 -0500
+Subject: tools/power turbostat: Fix swidle header vs data display
+
+From: Len Brown <len.brown@intel.com>
+
+[ Upstream commit b8ead30e2b2c7f32c8d2782e805160b110766592 ]
+
+I changed my mind about displaying swidle statistics,
+which are "added counters". Recently I reverted the
+column headers to 8-columns, but kept print_decimal_value()
+padding out to 16-columns for all 64-bit counters.
+
+Simplify by keeping print_decimial_value() at %lld -- which
+will often fit into 8-columns, and live with the fact
+that it can overflow and shift the other columns,
+which continue to tab-delimited.
+
+This is a better compromise than inserting a bunch
+of space characters that most users don't like.
+
+Fixes: 1a23ba6a1ba2 ("tools/power turbostat: Print wide names only for RAW 64-bit columns")
+Reported-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 1b26d94c373fb..903943d30f713 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -2747,10 +2747,9 @@ static inline int print_hex_value(int width, int *printed, char *delim, unsigned
+
+ static inline int print_decimal_value(int width, int *printed, char *delim, unsigned long long value)
+ {
+- if (width <= 32)
+- return (sprintf(outp, "%s%d", (*printed++ ? delim : ""), (unsigned int)value));
+- else
+- return (sprintf(outp, "%s%-8lld", (*printed++ ? delim : ""), value));
++ UNUSED(width);
++
++ return (sprintf(outp, "%s%lld", (*printed++ ? delim : ""), value));
+ }
+
+ static inline int print_float_value(int *printed, char *delim, double value)
+--
+2.53.0
+
--- /dev/null
+From caae6d3890e222727907066bc461c1109ae71047 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 00:03:15 +0800
+Subject: tracing/probe: reject non-closed empty immediate strings
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 4346be6577aaa04586167402ae87bbdbe32484a4 ]
+
+parse_probe_arg() accepts quoted immediate strings and passes the body
+after the opening quote to __parse_imm_string(). That helper currently
+computes strlen(str) and immediately dereferences str[len - 1], which
+underflows when the body is empty and not closed with double-quotation.
+
+Reject empty non-closed immediate strings before checking for the closing quote.
+
+Link: https://lore.kernel.org/all/20260401160315.88518-1-pengpeng@iscas.ac.cn/
+
+Fixes: a42e3c4de964 ("tracing/probe: Add immediate string parameter support")
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_probe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
+index 2f571083ce9ec..8dc495561c3f9 100644
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -1069,7 +1069,7 @@ static int __parse_imm_string(char *str, char **pbuf, int offs)
+ {
+ size_t len = strlen(str);
+
+- if (str[len - 1] != '"') {
++ if (!len || str[len - 1] != '"') {
+ trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE);
+ return -EINVAL;
+ }
+--
+2.53.0
+
--- /dev/null
+From 9b4f7fa19e62896ae0536d8bdca894592913c070 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 11:32:51 +0200
+Subject: vsock/test: fix send_buf()/recv_buf() EINTR handling
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit 24ad7ff668896325591fa0b570f2cca6c55f136f ]
+
+When send() or recv() returns -1 with errno == EINTR, the code skips
+the break but still adds the return value to nwritten/nread, making it
+decrease by 1. This leads to wrong buffer offsets and wrong bytes count.
+
+Fix it by explicitly continuing the loop on EINTR, so the return value
+is only added when it is positive.
+
+Fixes: a8ed71a27ef5 ("vsock/test: add recv_buf() utility function")
+Fixes: 12329bd51fdc ("vsock/test: add send_buf() utility function")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Link: https://patch.msgid.link/20260403093251.30662-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/vsock/util.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/vsock/util.c b/tools/testing/vsock/util.c
+index 9430ef5b8bc3e..1fe1338c79cd1 100644
+--- a/tools/testing/vsock/util.c
++++ b/tools/testing/vsock/util.c
+@@ -344,7 +344,9 @@ void send_buf(int fd, const void *buf, size_t len, int flags,
+ ret = send(fd, buf + nwritten, len - nwritten, flags);
+ timeout_check("send");
+
+- if (ret == 0 || (ret < 0 && errno != EINTR))
++ if (ret < 0 && errno == EINTR)
++ continue;
++ if (ret <= 0)
+ break;
+
+ nwritten += ret;
+@@ -396,7 +398,9 @@ void recv_buf(int fd, void *buf, size_t len, int flags, ssize_t expected_ret)
+ ret = recv(fd, buf + nread, len - nread, flags);
+ timeout_check("recv");
+
+- if (ret == 0 || (ret < 0 && errno != EINTR))
++ if (ret < 0 && errno == EINTR)
++ continue;
++ if (ret <= 0)
+ break;
+
+ nread += ret;
+--
+2.53.0
+
--- /dev/null
+From 39b293eabbfac892122b7338c62691dc01c90f8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 15:45:51 +0800
+Subject: wifi: brcmfmac: validate bsscfg indices in IF events
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ]
+
+brcmf_fweh_handle_if_event() validates the firmware-provided interface
+index before it touches drvr->iflist[], but it still uses the raw
+bsscfgidx field as an array index without a matching range check.
+
+Reject IF events whose bsscfg index does not fit in drvr->iflist[]
+before indexing the interface array.
+
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn
+[add missing wifi prefix]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+index c2d98ee6652f3..1d25dc9ebca8b 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+@@ -153,6 +153,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr,
+ bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx);
+ return;
+ }
++ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) {
++ bphy_err(drvr, "invalid bsscfg index: %u\n",
++ ifevent->bsscfgidx);
++ return;
++ }
+
+ ifp = drvr->iflist[ifevent->bsscfgidx];
+
+--
+2.53.0
+
--- /dev/null
+From e9b2c82320e90476df22245d09588e1636d84748 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 16:08:45 +0800
+Subject: wifi: wl1251: validate packet IDs before indexing tx_frames
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 ]
+
+wl1251_tx_packet_cb() uses the firmware completion ID directly to index
+the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the
+completion block, and the callback does not currently verify that it
+fits the array before dereferencing it.
+
+Reject completion IDs that fall outside wl->tx_frames[] and keep the
+existing NULL check in the same guard. This keeps the fix local to the
+trust boundary and avoids touching the rest of the completion flow.
+
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl1251/tx.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c
+index adb4840b04893..c264d83e71d9c 100644
+--- a/drivers/net/wireless/ti/wl1251/tx.c
++++ b/drivers/net/wireless/ti/wl1251/tx.c
+@@ -402,12 +402,14 @@ static void wl1251_tx_packet_cb(struct wl1251 *wl,
+ int hdrlen;
+ u8 *frame;
+
+- skb = wl->tx_frames[result->id];
+- if (skb == NULL) {
+- wl1251_error("SKB for packet %d is NULL", result->id);
++ if (unlikely(result->id >= ARRAY_SIZE(wl->tx_frames) ||
++ wl->tx_frames[result->id] == NULL)) {
++ wl1251_error("invalid packet id %u", result->id);
+ return;
+ }
+
++ skb = wl->tx_frames[result->id];
++
+ info = IEEE80211_SKB_CB(skb);
+
+ if (!(info->flags & IEEE80211_TX_CTL_NO_ACK) &&
+--
+2.53.0
+
--- /dev/null
+From 96ecbd19c3a2cf3e6a23924f41170968a5abd30c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2026 13:18:57 -0700
+Subject: x86: shadow stacks: proper error handling for mmap lock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit 52f657e34d7b21b47434d9d8b26fa7f6778b63a0 ]
+
+김영민 reports that shstk_pop_sigframe() doesn't check for errors from
+mmap_read_lock_killable(), which is a silly oversight, and also shows
+that we haven't marked those functions with "__must_check", which would
+have immediately caught it.
+
+So let's fix both issues.
+
+Reported-by: 김영민 <osori@hspace.io>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Dave Hansen <dave.hansen@intel.com>
+Acked-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/shstk.c | 3 ++-
+ include/linux/mmap_lock.h | 6 +++---
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
+index 978232b6d48d7..ff8edea8511b4 100644
+--- a/arch/x86/kernel/shstk.c
++++ b/arch/x86/kernel/shstk.c
+@@ -351,7 +351,8 @@ static int shstk_pop_sigframe(unsigned long *ssp)
+ need_to_check_vma = PAGE_ALIGN(*ssp) == *ssp;
+
+ if (need_to_check_vma)
+- mmap_read_lock_killable(current->mm);
++ if (mmap_read_lock_killable(current->mm))
++ return -EINTR;
+
+ err = get_shstk_data(&token_addr, (unsigned long __user *)*ssp);
+ if (unlikely(err))
+diff --git a/include/linux/mmap_lock.h b/include/linux/mmap_lock.h
+index d53f72dba7fee..81fcfde3563dd 100644
+--- a/include/linux/mmap_lock.h
++++ b/include/linux/mmap_lock.h
+@@ -345,7 +345,7 @@ static inline void mmap_write_lock_nested(struct mm_struct *mm, int subclass)
+ __mmap_lock_trace_acquire_returned(mm, true, true);
+ }
+
+-static inline int mmap_write_lock_killable(struct mm_struct *mm)
++static inline int __must_check mmap_write_lock_killable(struct mm_struct *mm)
+ {
+ int ret;
+
+@@ -392,7 +392,7 @@ static inline void mmap_read_lock(struct mm_struct *mm)
+ __mmap_lock_trace_acquire_returned(mm, false, true);
+ }
+
+-static inline int mmap_read_lock_killable(struct mm_struct *mm)
++static inline int __must_check mmap_read_lock_killable(struct mm_struct *mm)
+ {
+ int ret;
+
+@@ -402,7 +402,7 @@ static inline int mmap_read_lock_killable(struct mm_struct *mm)
+ return ret;
+ }
+
+-static inline bool mmap_read_trylock(struct mm_struct *mm)
++static inline bool __must_check mmap_read_trylock(struct mm_struct *mm)
+ {
+ bool ret;
+
+--
+2.53.0
+
--- /dev/null
+From 3326b3300786c9a56be544aeea3577768e188035 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Mar 2026 20:36:39 +0800
+Subject: xfrm: account XFRMA_IF_ID in aevent size calculation
+
+From: Keenan Dong <keenanat2000@gmail.com>
+
+[ Upstream commit 7081d46d32312f1a31f0e0e99c6835a394037599 ]
+
+xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then
+build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is
+set.
+
+xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states
+with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0)
+in xfrm_get_ae(), turning a malformed netlink interaction into a kernel
+panic.
+
+Account XFRMA_IF_ID in the size calculation unconditionally and replace
+the BUG_ON with normal error unwinding.
+
+Fixes: 7e6526404ade ("xfrm: Add a new lookup key to match xfrm interfaces.")
+Reported-by: Keenan Dong <keenanat2000@gmail.com>
+Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 306e4f65ce264..1ddcf2a1eff7a 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -2668,7 +2668,8 @@ static inline unsigned int xfrm_aevent_msgsize(struct xfrm_state *x)
+ + nla_total_size(4) /* XFRM_AE_RTHR */
+ + nla_total_size(4) /* XFRM_AE_ETHR */
+ + nla_total_size(sizeof(x->dir)) /* XFRMA_SA_DIR */
+- + nla_total_size(4); /* XFRMA_SA_PCPU */
++ + nla_total_size(4) /* XFRMA_SA_PCPU */
++ + nla_total_size(sizeof(x->if_id)); /* XFRMA_IF_ID */
+ }
+
+ static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c)
+@@ -2780,7 +2781,12 @@ static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
+ c.portid = nlh->nlmsg_pid;
+
+ err = build_aevent(r_skb, x, &c);
+- BUG_ON(err < 0);
++ if (err < 0) {
++ spin_unlock_bh(&x->lock);
++ xfrm_state_put(x);
++ kfree_skb(r_skb);
++ return err;
++ }
+
+ err = nlmsg_unicast(net->xfrm.nlsk, r_skb, NETLINK_CB(skb).portid);
+ spin_unlock_bh(&x->lock);
+--
+2.53.0
+
--- /dev/null
+From 35422b8e72bb7fde4be3fecb66265d4e52750f8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2026 12:05:20 +0300
+Subject: xfrm: fix refcount leak in xfrm_migrate_policy_find
+
+From: Kotlyarov Mihail <mihailkotlyarow@gmail.com>
+
+[ Upstream commit 83317cce60a032c49480dcdabe146435bd689d03 ]
+
+syzkaller reported a memory leak in xfrm_policy_alloc:
+
+ BUG: memory leak
+ unreferenced object 0xffff888114d79000 (size 1024):
+ comm "syz.1.17", pid 931
+ ...
+ xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432
+
+The root cause is a double call to xfrm_pol_hold_rcu() in
+xfrm_migrate_policy_find(). The lookup function already returns
+a policy with held reference, making the second call redundant.
+
+Remove the redundant xfrm_pol_hold_rcu() call to fix the refcount
+imbalance and prevent the memory leak.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 563d5ca93e88 ("xfrm: switch migrate to xfrm_policy_lookup_bytype")
+Signed-off-by: Kotlyarov Mihail <mihailkotlyarow@gmail.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_policy.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 4526c9078b136..29c94ee0ceb25 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -4528,9 +4528,6 @@ static struct xfrm_policy *xfrm_migrate_policy_find(const struct xfrm_selector *
+ pol = xfrm_policy_lookup_bytype(net, type, &fl, sel->family, dir, if_id);
+ if (IS_ERR_OR_NULL(pol))
+ goto out_unlock;
+-
+- if (!xfrm_pol_hold_rcu(pol))
+- pol = NULL;
+ out_unlock:
+ rcu_read_unlock();
+ return pol;
+--
+2.53.0
+
--- /dev/null
+From d31214db4618bca6ec785e5fb3c437781922c37a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 13:31:04 +0200
+Subject: xfrm: Wait for RCU readers during policy netns exit
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+[ Upstream commit 069daad4f2ae9c5c108131995529d5f02392c446 ]
+
+xfrm_policy_fini() frees the policy_bydst hash tables after flushing the
+policy work items and deleting all policies, but it does not wait for
+concurrent RCU readers to leave their read-side critical sections first.
+
+The policy_bydst tables are published via rcu_assign_pointer() and are
+looked up through rcu_dereference_check(), so netns teardown must also
+wait for an RCU grace period before freeing the table memory.
+
+Fix this by adding synchronize_rcu() before freeing the policy hash tables.
+
+Fixes: e1e551bc5630 ("xfrm: policy: prepare policy_bydst hash for rcu lookups")
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_policy.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index c32d34c441ee0..4526c9078b136 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -4290,6 +4290,8 @@ static void xfrm_policy_fini(struct net *net)
+ #endif
+ xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false);
+
++ synchronize_rcu();
++
+ WARN_ON(!list_empty(&net->xfrm.policy_all));
+
+ for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
+--
+2.53.0
+
--- /dev/null
+From 7aab604abce60829f34bae46d556521766081e5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 17:33:03 +0200
+Subject: xfrm_user: fix info leak in build_mapping()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit 1beb76b2053b68c491b78370794b8ff63c8f8c02 ]
+
+struct xfrm_usersa_id has a one-byte padding hole after the proto
+field, which ends up never getting set to zero before copying out to
+userspace. Fix that up by zeroing out the whole structure before
+setting individual variables.
+
+Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink")
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Simon Horman <horms@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 1ddcf2a1eff7a..b3f69c0760d4c 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -4164,6 +4164,7 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x,
+
+ um = nlmsg_data(nlh);
+
++ memset(&um->id, 0, sizeof(um->id));
+ memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr));
+ um->id.spi = x->id.spi;
+ um->id.family = x->props.family;
+--
+2.53.0
+
--- /dev/null
+From 82da6c071f88345a24356ce4b39f2dd58732acb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:53 +0200
+Subject: xsk: fix XDP_UMEM_SG_FLAG issues
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 93e84fe45b752d17a5a46b306ed78f0133bbc719 ]
+
+Currently xp_assign_dev_shared() is missing XDP_USE_SG being propagated
+to flags so set it in order to preserve mtu check that is supposed to be
+done only when no multi-buffer setup is in picture.
+
+Also, this flag has the same value as XDP_UMEM_TX_SW_CSUM so we could
+get unexpected SG setups for software Tx checksums. Since csum flag is
+UAPI, modify value of XDP_UMEM_SG_FLAG.
+
+Fixes: d609f3d228a8 ("xsk: add multi-buffer support for sockets sharing umem")
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-4-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xdp_sock.h | 2 +-
+ net/xdp/xsk_buff_pool.c | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/xdp_sock.h b/include/net/xdp_sock.h
+index 23e8861e8b25e..ebac60a3d8a17 100644
+--- a/include/net/xdp_sock.h
++++ b/include/net/xdp_sock.h
+@@ -14,7 +14,7 @@
+ #include <linux/mm.h>
+ #include <net/sock.h>
+
+-#define XDP_UMEM_SG_FLAG (1 << 1)
++#define XDP_UMEM_SG_FLAG BIT(3)
+
+ struct net_device;
+ struct xsk_queue;
+diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
+index 51526034c42ac..6799ab6672f3e 100644
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -252,6 +252,10 @@ int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_sock *umem_xs,
+ return -EINVAL;
+
+ flags = umem->zc ? XDP_ZEROCOPY : XDP_COPY;
++
++ if (umem->flags & XDP_UMEM_SG_FLAG)
++ flags |= XDP_USE_SG;
++
+ if (umem_xs->pool->uses_need_wakeup)
+ flags |= XDP_USE_NEED_WAKEUP;
+
+--
+2.53.0
+
--- /dev/null
+From 6b954ec914c8b821ba6c0dc996801bfd5b43c46b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:52 +0200
+Subject: xsk: respect tailroom for ZC setups
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 1ee1605138fc94cc8f8f273321dd2471c64977f9 ]
+
+Multi-buffer XDP stores information about frags in skb_shared_info that
+sits at the tailroom of a packet. The storage space is reserved via
+xdp_data_hard_end():
+
+ ((xdp)->data_hard_start + (xdp)->frame_sz - \
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)))
+
+and then we refer to it via macro below:
+
+static inline struct skb_shared_info *
+xdp_get_shared_info_from_buff(const struct xdp_buff *xdp)
+{
+ return (struct skb_shared_info *)xdp_data_hard_end(xdp);
+}
+
+Currently we do not respect this tailroom space in multi-buffer AF_XDP
+ZC scenario. To address this, introduce xsk_pool_get_tailroom() and use
+it within xsk_pool_get_rx_frame_size() which is used in ZC drivers to
+configure length of HW Rx buffer.
+
+Typically drivers on Rx Hw buffers side work on 128 byte alignment so
+let us align the value returned by xsk_pool_get_rx_frame_size() in order
+to avoid addressing this on driver's side. This addresses the fact that
+idpf uses mentioned function *before* pool->dev being set so we were at
+risk that after subtracting tailroom we would not provide 128-byte
+aligned value to HW.
+
+Since xsk_pool_get_rx_frame_size() is actively used in xsk_rcv_check()
+and __xsk_rcv(), add a variant of this routine that will not include 128
+byte alignment and therefore old behavior is preserved.
+
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-3-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xdp_sock_drv.h | 23 ++++++++++++++++++++++-
+ net/xdp/xsk.c | 4 ++--
+ 2 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/xdp_sock_drv.h b/include/net/xdp_sock_drv.h
+index 6b9ebae2dc952..46797645a0c24 100644
+--- a/include/net/xdp_sock_drv.h
++++ b/include/net/xdp_sock_drv.h
+@@ -41,16 +41,37 @@ static inline u32 xsk_pool_get_headroom(struct xsk_buff_pool *pool)
+ return XDP_PACKET_HEADROOM + pool->headroom;
+ }
+
++static inline u32 xsk_pool_get_tailroom(bool mbuf)
++{
++ return mbuf ? SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) : 0;
++}
++
+ static inline u32 xsk_pool_get_chunk_size(struct xsk_buff_pool *pool)
+ {
+ return pool->chunk_size;
+ }
+
+-static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool)
++static inline u32 __xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool)
+ {
+ return xsk_pool_get_chunk_size(pool) - xsk_pool_get_headroom(pool);
+ }
+
++static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool)
++{
++ u32 frame_size = __xsk_pool_get_rx_frame_size(pool);
++ struct xdp_umem *umem = pool->umem;
++ bool mbuf;
++
++ /* Reserve tailroom only for zero-copy pools that opted into
++ * multi-buffer. The reserved area is used for skb_shared_info,
++ * matching the XDP core's xdp_data_hard_end() layout.
++ */
++ mbuf = pool->dev && (umem->flags & XDP_UMEM_SG_FLAG);
++ frame_size -= xsk_pool_get_tailroom(mbuf);
++
++ return ALIGN_DOWN(frame_size, 128);
++}
++
+ static inline u32 xsk_pool_get_rx_frag_step(struct xsk_buff_pool *pool)
+ {
+ return pool->unaligned ? 0 : xsk_pool_get_chunk_size(pool);
+diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
+index a6d3938154f21..4a1cc44ab305a 100644
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -239,7 +239,7 @@ static u32 xsk_copy_xdp(void *to, void **from, u32 to_len,
+
+ static int __xsk_rcv(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len)
+ {
+- u32 frame_size = xsk_pool_get_rx_frame_size(xs->pool);
++ u32 frame_size = __xsk_pool_get_rx_frame_size(xs->pool);
+ void *copy_from = xsk_copy_xdp_start(xdp), *copy_to;
+ u32 from_len, meta_len, rem, num_desc;
+ struct xdp_buff_xsk *xskb;
+@@ -338,7 +338,7 @@ static int xsk_rcv_check(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len)
+ if (xs->dev != xdp->rxq->dev || xs->queue_id != xdp->rxq->queue_index)
+ return -EINVAL;
+
+- if (len > xsk_pool_get_rx_frame_size(xs->pool) && !xs->sg) {
++ if (len > __xsk_pool_get_rx_frame_size(xs->pool) && !xs->sg) {
+ xs->rx_dropped++;
+ return -ENOSPC;
+ }
+--
+2.53.0
+
--- /dev/null
+From e8458741a7764754f6ddc5afad82b605f31e9c0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:51 +0200
+Subject: xsk: tighten UMEM headroom validation to account for tailroom and min
+ frame
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit a315e022a72d95ef5f1d4e58e903cb492b0ad931 ]
+
+The current headroom validation in xdp_umem_reg() could leave us with
+insufficient space dedicated to even receive minimum-sized ethernet
+frame. Furthermore if multi-buffer would come to play then
+skb_shared_info stored at the end of XSK frame would be corrupted.
+
+HW typically works with 128-aligned sizes so let us provide this value
+as bare minimum.
+
+Multi-buffer setting is known later in the configuration process so
+besides accounting for 128 bytes, let us also take care of tailroom space
+upfront.
+
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Fixes: 99e3a236dd43 ("xsk: Add missing check on user supplied headroom size")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-2-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xdp_umem.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
+index 9f76ca591d54f..9ec7bd948acc7 100644
+--- a/net/xdp/xdp_umem.c
++++ b/net/xdp/xdp_umem.c
+@@ -202,7 +202,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+ if (!unaligned_chunks && chunks_rem)
+ return -EINVAL;
+
+- if (headroom >= chunk_size - XDP_PACKET_HEADROOM)
++ if (headroom > chunk_size - XDP_PACKET_HEADROOM -
++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) - 128)
+ return -EINVAL;
+
+ if (mr->flags & XDP_UMEM_TX_METADATA_LEN) {
+--
+2.53.0
+
--- /dev/null
+From fc7b026274c6e6b02c40209ea802b0dd8e0652ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:54 +0200
+Subject: xsk: validate MTU against usable frame size on bind
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 36ee60b569ba0dfb6f961333b90d19ab5b323fa9 ]
+
+AF_XDP bind currently accepts zero-copy pool configurations without
+verifying that the device MTU fits into the usable frame space provided
+by the UMEM chunk.
+
+This becomes a problem since we started to respect tailroom which is
+subtracted from chunk_size (among with headroom). 2k chunk size might
+not provide enough space for standard 1500 MTU, so let us catch such
+settings at bind time. Furthermore, validate whether underlying HW will
+be able to satisfy configured MTU wrt XSK's frame size multiplied by
+supported Rx buffer chain length (that is exposed via
+net_device::xdp_zc_max_segs).
+
+Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX")
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-5-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xsk_buff_pool.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
+index 6799ab6672f3e..1f96bdf1e7a60 100644
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -10,6 +10,8 @@
+ #include "xdp_umem.h"
+ #include "xsk.h"
+
++#define ETH_PAD_LEN (ETH_HLEN + 2 * VLAN_HLEN + ETH_FCS_LEN)
++
+ void xp_add_xsk(struct xsk_buff_pool *pool, struct xdp_sock *xs)
+ {
+ if (!xs->tx)
+@@ -158,8 +160,12 @@ static void xp_disable_drv_zc(struct xsk_buff_pool *pool)
+ int xp_assign_dev(struct xsk_buff_pool *pool,
+ struct net_device *netdev, u16 queue_id, u16 flags)
+ {
++ u32 needed = netdev->mtu + ETH_PAD_LEN;
++ u32 segs = netdev->xdp_zc_max_segs;
++ bool mbuf = flags & XDP_USE_SG;
+ bool force_zc, force_copy;
+ struct netdev_bpf bpf;
++ u32 frame_size;
+ int err = 0;
+
+ ASSERT_RTNL();
+@@ -179,7 +185,7 @@ int xp_assign_dev(struct xsk_buff_pool *pool,
+ if (err)
+ return err;
+
+- if (flags & XDP_USE_SG)
++ if (mbuf)
+ pool->umem->flags |= XDP_UMEM_SG_FLAG;
+
+ if (flags & XDP_USE_NEED_WAKEUP)
+@@ -201,8 +207,24 @@ int xp_assign_dev(struct xsk_buff_pool *pool,
+ goto err_unreg_pool;
+ }
+
+- if (netdev->xdp_zc_max_segs == 1 && (flags & XDP_USE_SG)) {
+- err = -EOPNOTSUPP;
++ if (mbuf) {
++ if (segs == 1) {
++ err = -EOPNOTSUPP;
++ goto err_unreg_pool;
++ }
++ } else {
++ segs = 1;
++ }
++
++ /* open-code xsk_pool_get_rx_frame_size() as pool->dev is not
++ * set yet at this point; we are before getting down to driver
++ */
++ frame_size = __xsk_pool_get_rx_frame_size(pool) -
++ xsk_pool_get_tailroom(mbuf);
++ frame_size = ALIGN_DOWN(frame_size, 128);
++
++ if (needed > frame_size * segs) {
++ err = -EINVAL;
+ goto err_unreg_pool;
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 7362c2e79c9845b282bf05ca36f1b7b8d8f06212 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 16:00:14 +0800
+Subject: af_unix: read UNIX_DIAG_VFS data under unix_state_lock
+
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+
+[ Upstream commit 39897df386376912d561d4946499379effa1e7ef ]
+
+Exact UNIX diag lookups hold a reference to the socket, but not to
+u->path. Meanwhile, unix_release_sock() clears u->path under
+unix_state_lock() and drops the path reference after unlocking.
+
+Read the inode and device numbers for UNIX_DIAG_VFS while holding
+unix_state_lock(), then emit the netlink attribute after dropping the
+lock.
+
+This keeps the VFS data stable while the reply is being built.
+
+Fixes: 5f7b0569460b ("unix_diag: Unix inode info NLA")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260407080015.1744197-1-n05ec@lzu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/diag.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/net/unix/diag.c b/net/unix/diag.c
+index a6bd861314df0..169d068064bba 100644
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -26,18 +26,23 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb)
+
+ static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb)
+ {
+- struct dentry *dentry = unix_sk(sk)->path.dentry;
++ struct unix_diag_vfs uv;
++ struct dentry *dentry;
++ bool have_vfs = false;
+
++ unix_state_lock(sk);
++ dentry = unix_sk(sk)->path.dentry;
+ if (dentry) {
+- struct unix_diag_vfs uv = {
+- .udiag_vfs_ino = d_backing_inode(dentry)->i_ino,
+- .udiag_vfs_dev = dentry->d_sb->s_dev,
+- };
+-
+- return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);
++ uv.udiag_vfs_ino = d_backing_inode(dentry)->i_ino;
++ uv.udiag_vfs_dev = dentry->d_sb->s_dev;
++ have_vfs = true;
+ }
++ unix_state_unlock(sk);
+
+- return 0;
++ if (!have_vfs)
++ return 0;
++
++ return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);
+ }
+
+ static int sk_diag_dump_peer(struct sock *sk, struct sk_buff *nlskb)
+--
+2.53.0
+
--- /dev/null
+From 8a469cd1b986eb4128216318ffa7209e7cf2e304 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 13:40:07 +0100
+Subject: ALSA: asihpi: avoid write overflow check warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 591721223be9e28f83489a59289579493b8e3d83 ]
+
+clang-22 rightfully warns that the memcpy() in adapter_prepare() copies
+between different structures, crossing the boundary of nested
+structures inside it:
+
+In file included from sound/pci/asihpi/hpimsgx.c:13:
+In file included from include/linux/string.h:386:
+include/linux/fortify-string.h:569:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
+ 569 | __write_overflow_field(p_size_field, size);
+
+The two structures seem to refer to the same layout, despite the
+separate definitions, so the code is in fact correct.
+
+Avoid the warning by copying the two inner structures separately.
+I see the same pattern happens in other functions in the same file,
+so there is a chance that this may come back in the future, but
+this instance is the only one that I saw in practice, hitting it
+multiple times per day in randconfig build.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://patch.msgid.link/20260318124016.3488566-1-arnd@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/asihpi/hpimsgx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c
+index b68e6bfbbfbab..ed1c7b7744361 100644
+--- a/sound/pci/asihpi/hpimsgx.c
++++ b/sound/pci/asihpi/hpimsgx.c
+@@ -581,8 +581,10 @@ static u16 adapter_prepare(u16 adapter)
+ HPI_ADAPTER_OPEN);
+ hm.adapter_index = adapter;
+ hw_entry_point(&hm, &hr);
+- memcpy(&rESP_HPI_ADAPTER_OPEN[adapter], &hr,
+- sizeof(rESP_HPI_ADAPTER_OPEN[0]));
++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].h, &hr,
++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].h));
++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].a, &hr.u.ax.info,
++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].a));
+ if (hr.error)
+ return hr.error;
+
+--
+2.53.0
+
--- /dev/null
+From f45164da3a483a99b9c892b40a36bc2d62a25c7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 01:08:51 +0000
+Subject: ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk
+
+From: Andrii Kovalchuk <coderpy4@proton.me>
+
+[ Upstream commit 793b008cd39516385791a1d1d223d817e947a471 ]
+
+Add a PCI quirk for HP ENVY Laptop 13-ba0xxx (PCI device ID 0x8756)
+to enable proper mute LED and mic mute behavior using the
+ALC245_FIXUP_HP_X360_MUTE_LEDS fixup.
+
+Signed-off-by: Andrii Kovalchuk <coderpy4@proton.me>
+Link: https://patch.msgid.link/u0s-uRVegF9BN0t-4JnOUwsIAR-mVc4U4FJfJHdEHX7ro_laErHD9y35NebWybcN16gVaVHPJo1ap3AoJ1a2gqJImPvThgeNt_SYVY1KaDw=@proton.me
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 1a5e2fb0c842b..a3def674103b3 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10094,6 +10094,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8735, "HP ProBook 435 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT),
++ SND_PCI_QUIRK(0x103c, 0x8756, "HP ENVY Laptop 13-ba0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS),
+ SND_PCI_QUIRK(0x103c, 0x8760, "HP EliteBook 8{4,5}5 G7", ALC285_FIXUP_HP_BEEP_MICMUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x876e, "HP ENVY x360 Convertible 13-ay0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS),
+ SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED),
+--
+2.53.0
+
--- /dev/null
+From aa2c2caec454650a7c3e0dc45e979ea15d3b4b50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Mar 2026 10:36:03 -0500
+Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: César Montoya <sprit152009@gmail.com>
+
+[ Upstream commit 2f388b4e8fdd6b0f27cafd281658daacfd85807e ]
+
+The HP Pavilion 15-eg0xxx with subsystem ID 0x103c87cb uses a Realtek
+ALC287 codec with a mute LED wired to GPIO pin 4 (mask 0x10). The
+existing ALC287_FIXUP_HP_GPIO_LED fixup already handles this correctly,
+but the subsystem ID was missing from the quirk table.
+
+GPIO pin confirmed via manual hda-verb testing:
+ hda-verb SET_GPIO_MASK 0x10
+ hda-verb SET_GPIO_DIRECTION 0x10
+ hda-verb SET_GPIO_DATA 0x10
+
+Signed-off-by: César Montoya <sprit152009@gmail.com>
+Link: https://patch.msgid.link/20260321153603.12771-1-sprit152009@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index cd30f749c79b4..0efc2b8aedb4a 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10108,6 +10108,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x87cb, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+--
+2.53.0
+
--- /dev/null
+From 3c85ef7dcb3c9f6eab824a8ed6aeec0164100d2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 10:25:03 -0700
+Subject: ALSA: hda/realtek: Add quirk for ASUS ROG Flow Z13-KJP GZ302EAC
+
+From: Matthew Schwartz <matthew.schwartz@linux.dev>
+
+[ Upstream commit 59f68dc1d8df3142cb58fd2568966a9bb7b0ed8a ]
+
+Fixes lack of audio output on the ASUS ROG Flow Z13-KJP GZ302EAC model,
+similar to the ASUS ROG Flow Z13 GZ302EA.
+
+Signed-off-by: Matthew Schwartz <matthew.schwartz@linux.dev>
+Link: https://patch.msgid.link/20260313172503.285846-1-matthew.schwartz@linux.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index a3def674103b3..cd30f749c79b4 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10290,6 +10290,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1043, 0x14e3, "ASUS G513PI/PU/PV", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x14f2, "ASUS VivoBook X515JA", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x1503, "ASUS G733PY/PZ/PZV/PYV", ALC287_FIXUP_CS35L41_I2C_2),
++ SND_PCI_QUIRK(0x1043, 0x1514, "ASUS ROG Flow Z13 GZ302EAC", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A),
+ SND_PCI_QUIRK(0x1043, 0x1533, "ASUS GV302XA/XJ/XQ/XU/XV/XI", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x1573, "ASUS GZ301VV/VQ/VU/VJ/VA/VC/VE/VVC/VQC/VUC/VJC/VEC/VCC", ALC285_FIXUP_ASUS_HEADSET_MIC),
+--
+2.53.0
+
--- /dev/null
+From 09dfd8e381ca8998425996b302d9a9287ca37965 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 10:54:40 -0500
+Subject: ALSA: hda/realtek: add quirk for Framework F111:000F
+
+From: Dustin L. Howett <dustin@howett.net>
+
+[ Upstream commit bac1e57adf08c9ee33e95fb09cd032f330294e70 ]
+
+Similar to commit 7b509910b3ad ("ALSA hda/realtek: Add quirk for
+Framework F111:000C") and previous quirks for Framework systems with
+Realtek codecs.
+
+000F is another new platform with an ALC285 which needs the same quirk.
+
+Signed-off-by: Dustin L. Howett <dustin@howett.net>
+Link: https://patch.msgid.link/20260327-framework-alsa-000f-v1-1-74013aba1c00@howett.net
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 0efc2b8aedb4a..0ac8846326abe 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10671,6 +10671,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x000b, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x000c, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0xf111, 0x000f, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+
+ #if 0
+ /* Below is a quirk table taken from the old code.
+--
+2.53.0
+
--- /dev/null
+From 2eb20359b3fc939d946c1de9068c8751e4c9ceb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2026 09:26:51 +0800
+Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10
+
+From: songxiebing <songxiebing@kylinos.cn>
+
+[ Upstream commit f0541edb2e7333f320642c7b491a67912c1f65db ]
+
+The bass speakers are not working, and add the following entry
+in /etc/modprobe.d/snd.conf:
+options snd-sof-intel-hda-generic hda_model=alc287-yoga9-bass-spk-pin
+Fixes the bass speakers.
+
+So add the quick ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN here.
+
+Reported-by: Fernando Garcia Corona <fgarcor@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221317
+Signed-off-by: songxiebing <songxiebing@kylinos.cn>
+Link: https://patch.msgid.link/20260405012651.133838-1-songxiebing@kylinos.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 0ac8846326abe..6ef859f59f8d1 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10593,6 +10593,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x38fa, "Thinkbook 16P Gen5", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x17aa, 0x390d, "Lenovo Yoga Pro 7 14ASP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
++ SND_PCI_QUIRK(0x17aa, 0x3911, "Lenovo Yoga Pro 7 14IAH10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3913, "Lenovo 145", ALC236_FIXUP_LENOVO_INV_DMIC),
+ SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
+ SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+--
+2.53.0
+
--- /dev/null
+From 890e9056410a4c18542c38e6a1ba1d1647b56aa2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Mar 2026 08:07:34 +0000
+Subject: ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex
+
+From: Phil Willoughby <willerz@gmail.com>
+
+[ Upstream commit bc5b4e5ae1a67700a618328217b6a3bd0f296e97 ]
+
+The NeuralDSP Quad Cortex does not support DSD playback. We need
+this product-specific entry with zero quirks because otherwise it
+falls through to the vendor-specific entry which marks it as
+supporting DSD playback.
+
+Cc: Yue Wang <yuleopen@gmail.com>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Signed-off-by: Phil Willoughby <willerz@gmail.com>
+Link: https://patch.msgid.link/20260328080921.3310-1-willerz@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 04896ab01f372..847878438b8b7 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -2185,6 +2185,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
+ QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB),
+ DEVICE_FLG(0x13e5, 0x0001, /* Serato Phono */
+ QUIRK_FLAG_IGNORE_CTL_ERROR),
++ DEVICE_FLG(0x152a, 0x880a, /* NeuralDSP Quad Cortex */
++ 0), /* Doesn't have the vendor quirk which would otherwise apply */
+ DEVICE_FLG(0x154e, 0x1002, /* Denon DCD-1500RE */
+ QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY),
+ DEVICE_FLG(0x154e, 0x1003, /* Denon DA-300USB */
+--
+2.53.0
+
--- /dev/null
+From 32bdb341a41495f8c9eaab682bb776f19d9425d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jan 2026 00:28:28 +0100
+Subject: arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency
+
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+
+[ Upstream commit 1f99b5d93d99ca17d50b386a674d0ce1f20932d8 ]
+
+According to i.MX 8M Quad Reference Manual, GPU_AHB_CLK_ROOT's maximum
+frequency is 400MHz.
+
+Fixes: 45d2c84eb3a2 ("arm64: dts: imx8mq: add GPU node")
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+index 052ba9baa400f..6b93fff5e97d0 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+@@ -1629,7 +1629,7 @@ gpu: gpu@38000000 {
+ <&clk IMX8MQ_GPU_PLL_OUT>,
+ <&clk IMX8MQ_GPU_PLL>;
+ assigned-clock-rates = <800000000>, <800000000>,
+- <800000000>, <800000000>, <0>;
++ <800000000>, <400000000>, <0>;
+ power-domains = <&pgc_gpu>;
+ };
+
+--
+2.53.0
+
--- /dev/null
+From 02eba3509425ff3d9b863956778d2ea9e3346ef0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 02:43:48 +0100
+Subject: ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gilson Marquato Júnior <gilsonmandalogo@hotmail.com>
+
+[ Upstream commit 8ec017cf31299c4b6287ebe27afe81c986aeef88 ]
+
+The HP Laptop 15-fc0xxx (subsystem ID 0x103c8dc9) has an internal
+DMIC connected to the AMD ACP6x audio coprocessor. Add a DMI quirk
+entry so the internal microphone is properly detected on this model.
+
+Tested on HP Laptop 15-fc0237ns with Fedora 43 (kernel 6.19.9).
+
+Signed-off-by: Gilson Marquato Júnior <gilsonmandalogo@hotmail.com>
+Link: https://patch.msgid.link/20260330-hp-15-fc0xxx-dmic-v2-v1-1-6dd6f53a1917@hotmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index 05aff73408d51..aaa0f44ef9e01 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -45,6 +45,13 @@ static struct snd_soc_card acp6x_card = {
+ };
+
+ static const struct dmi_system_id yc_acp_quirk_table[] = {
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Laptop 15-fc0xxx"),
++ }
++ },
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+--
+2.53.0
+
--- /dev/null
+From 8fd6cdf05cc9928a66d0a60c5ed65f539ccdb598 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 21:25:12 +0700
+Subject: ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA
+
+From: Vee Satayamas <vsatayamas@gmail.com>
+
+[ Upstream commit f200b2f9a810c440c6750b56fc647b73337749a1 ]
+
+Add a DMI quirk for the Asus Expertbook BM1403CDA to resolve the issue of the
+internal microphone not being detected.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=221236
+Signed-off-by: Vee Satayamas <vsatayamas@gmail.com>
+Reviewed-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260315142511.66029-2-vsatayamas@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index ab75349d1063d..8a666989a8f3d 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -710,6 +710,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "PM1503CDA"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"),
++ }
++ },
+ {}
+ };
+
+--
+2.53.0
+
--- /dev/null
+From 017b8657119f037c727f15ffbaa8d21747757ef2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 16:02:18 +0800
+Subject: ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF
+
+From: Zhang Heng <zhangheng@kylinos.cn>
+
+[ Upstream commit 1f182ec9d7084db7dfdb2372d453c28f0e5c3f0a ]
+
+Add a DMI quirk for the Thin A15 B7VF fixing the issue where
+the internal microphone was not detected.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=220833
+Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260316080218.2931304-1-zhangheng@kylinos.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index 8a666989a8f3d..05aff73408d51 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -717,6 +717,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Thin A15 B7VE"),
++ }
++ },
+ {}
+ };
+
+--
+2.53.0
+
--- /dev/null
+From 4958d26a95f2b7704f171f9a1fe75e59a7f7d2eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 02:43:54 +0000
+Subject: ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit b9eff9732cb0f86a68c9d1592a98ceab47c01e95 ]
+
+Component has "card_aux_list" which is added/deled in bind/unbind aux dev
+function (A), and used in for_each_card_auxs() loop (B).
+
+ static void soc_unbind_aux_dev(...)
+ {
+ ...
+ for_each_card_auxs_safe(...) {
+ ...
+(A) list_del(&component->card_aux_list);
+ } ^^^^^^^^^^^^^
+ }
+
+ static int soc_bind_aux_dev(...)
+ {
+ ...
+ for_each_card_pre_auxs(...) {
+ ...
+(A) list_add(&component->card_aux_list, ...);
+ } ^^^^^^^^^^^^^
+ ...
+ }
+
+ #define for_each_card_auxs(card, component) \
+(B) list_for_each_entry(component, ..., card_aux_list)
+ ^^^^^^^^^^^^^
+
+But it has been used without calling INIT_LIST_HEAD().
+
+ > git grep card_aux_list sound/soc
+ sound/soc/soc-core.c: list_del(&component->card_aux_list);
+ sound/soc/soc-core.c: list_add(&component->card_aux_list, ...);
+
+call missing INIT_LIST_HEAD() for it.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://patch.msgid.link/87341mxa8l.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index 696f5501a27bc..9cebe0ff9c07d 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -2681,6 +2681,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component,
+ INIT_LIST_HEAD(&component->dobj_list);
+ INIT_LIST_HEAD(&component->card_list);
+ INIT_LIST_HEAD(&component->list);
++ INIT_LIST_HEAD(&component->card_aux_list);
+ mutex_init(&component->io_mutex);
+
+ component->name = fmt_single_name(dev, &component->id);
+--
+2.53.0
+
--- /dev/null
+From 851ef5a373c4a6970c53d6e6dcbd4a8c78d02e3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 21:45:26 -0300
+Subject: ASoC: SOF: topology: reject invalid vendor array size in token parser
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+[ Upstream commit 215e5fe75881a7e2425df04aeeed47a903d5cd5d ]
+
+sof_parse_token_sets() accepts array->size values that can be invalid
+for a vendor tuple array header. In particular, a zero size does not
+advance the parser state and can lead to non-progress parsing on
+malformed topology data.
+
+Validate array->size against the minimum header size and reject values
+smaller than sizeof(*array) before parsing. This preserves behavior for
+valid topologies and hardens malformed-input handling.
+
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
+index c18a1fdd40ee3..51a29d2de5ed4 100644
+--- a/sound/soc/sof/topology.c
++++ b/sound/soc/sof/topology.c
+@@ -722,7 +722,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
+ asize = le32_to_cpu(array->size);
+
+ /* validate asize */
+- if (asize < 0) { /* FIXME: A zero-size array makes no sense */
++ if (asize < sizeof(*array)) {
+ dev_err(scomp->dev, "error: invalid array size 0x%x\n",
+ asize);
+ return -EINVAL;
+--
+2.53.0
+
--- /dev/null
+From 74d1c44e17a65601c07662c0180c3e2107885edd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2026 10:40:56 +0200
+Subject: ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
+
+From: Tomasz Merta <tomasz.merta@arrow.com>
+
+[ Upstream commit 0669631dbccd41cf3ca7aa70213fcd8bb41c4b38 ]
+
+The STM32 SAI driver do not set the clock strobing bit (CKSTR) for DSP_A,
+DSP_B and LEFT_J formats, causing data to be sampled on the wrong BCLK
+edge when SND_SOC_DAIFMT_NB_NF is used.
+
+Per ALSA convention, NB_NF requires sampling on the rising BCLK edge.
+The STM32MP25 SAI reference manual states that CKSTR=1 is required for
+signals received by the SAI to be sampled on the SCK rising edge.
+Without setting CKSTR=1, the SAI samples on the falling edge, violating
+the NB_NF convention. For comparison, the NXP FSL SAI driver correctly
+sets FSL_SAI_CR2_BCP for DSP_A, DSP_B and LEFT_J, consistent with its
+I2S handling.
+
+This patch adds SAI_XCR1_CKSTR for DSP_A, DSP_B and LEFT_J in
+stm32_sai_set_dai_fmt which was verified empirically with a cs47l35 codec.
+RIGHT_J (LSB) is not investigated and addressed by this patch.
+
+Note: the STM32 I2S driver (stm32_i2s_set_dai_fmt) may have the same issue
+for DSP_A mode, as I2S_CGFR_CKPOL is not set. This has not been verified
+and is left for a separate investigation.
+
+Signed-off-by: Tomasz Merta <tommerta@gmail.com>
+Link: https://patch.msgid.link/20260408084056.20588-1-tommerta@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/stm/stm32_sai_sub.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c
+index c47f23634e957..03788bd869197 100644
+--- a/sound/soc/stm/stm32_sai_sub.c
++++ b/sound/soc/stm/stm32_sai_sub.c
+@@ -677,6 +677,7 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt)
+ break;
+ /* Left justified */
+ case SND_SOC_DAIFMT_MSB:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF;
+ break;
+ /* Right justified */
+@@ -684,9 +685,11 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt)
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF;
+ break;
+ case SND_SOC_DAIFMT_DSP_A:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSOFF;
+ break;
+ case SND_SOC_DAIFMT_DSP_B:
++ cr1 |= SAI_XCR1_CKSTR;
+ frcr |= SAI_XFRCR_FSPOL;
+ break;
+ default:
+--
+2.53.0
+
--- /dev/null
+From 5be7985089c3cd4ccc42f09126ea663c6af2ade6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 15:23:35 -0700
+Subject: ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585
+
+From: Arthur Husband <artmoty@gmail.com>
+
+[ Upstream commit 105c42566a550e2d05fc14f763216a8765ee5d0e ]
+
+The JMicron JMB585 (and JMB582) SATA controllers advertise 64-bit DMA
+support via the S64A bit in the AHCI CAP register, but their 64-bit DMA
+implementation is defective. Under sustained I/O, DMA transfers targeting
+addresses above 4GB silently corrupt data -- writes land at incorrect
+memory addresses with no errors logged.
+
+The failure pattern is similar to the ASMedia ASM1061
+(commit 20730e9b2778 ("ahci: add 43-bit DMA address quirk for ASMedia
+ASM1061 controllers")), which also falsely advertised full 64-bit DMA
+support. However, the JMB585 requires a stricter 32-bit DMA mask rather
+than 43-bit, as corruption occurs with any address above 4GB.
+
+On the Minisforum N5 Pro specifically, the combination of the JMB585's
+broken 64-bit DMA with the AMD Family 1Ah (Strix Point) IOMMU causes
+silent data corruption that is only detectable via checksumming
+filesystems (BTRFS/ZFS scrub). The corruption occurs when 32-bit IOVA
+space is exhausted and the kernel transparently switches to 64-bit DMA
+addresses.
+
+Add device-specific PCI ID entries for the JMB582 (0x0582) and JMB585
+(0x0585) before the generic JMicron class match, using a new board type
+that combines AHCI_HFLAG_IGN_IRQ_IF_ERR (preserving existing behavior)
+with AHCI_HFLAG_32BIT_ONLY to force 32-bit DMA masks.
+
+Signed-off-by: Arthur Husband <artmoty@gmail.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/ahci.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index 98104d0b842bd..9d59e6e2d63ba 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -60,6 +60,7 @@ enum board_ids {
+ /* board IDs for specific chipsets in alphabetical order */
+ board_ahci_al,
+ board_ahci_avn,
++ board_ahci_jmb585,
+ board_ahci_mcp65,
+ board_ahci_mcp77,
+ board_ahci_mcp89,
+@@ -199,6 +200,15 @@ static const struct ata_port_info ahci_port_info[] = {
+ .udma_mask = ATA_UDMA6,
+ .port_ops = &ahci_avn_ops,
+ },
++ /* JMicron JMB582/585: 64-bit DMA is broken, force 32-bit */
++ [board_ahci_jmb585] = {
++ AHCI_HFLAGS (AHCI_HFLAG_IGN_IRQ_IF_ERR |
++ AHCI_HFLAG_32BIT_ONLY),
++ .flags = AHCI_FLAG_COMMON,
++ .pio_mask = ATA_PIO4,
++ .udma_mask = ATA_UDMA6,
++ .port_ops = &ahci_ops,
++ },
+ [board_ahci_mcp65] = {
+ AHCI_HFLAGS (AHCI_HFLAG_NO_FPDMA_AA | AHCI_HFLAG_NO_PMP |
+ AHCI_HFLAG_YES_NCQ),
+@@ -432,6 +442,10 @@ static const struct pci_device_id ahci_pci_tbl[] = {
+ /* Elkhart Lake IDs 0x4b60 & 0x4b62 https://sata-io.org/product/8803 not tested yet */
+ { PCI_VDEVICE(INTEL, 0x4b63), board_ahci_low_power }, /* Elkhart Lake AHCI */
+
++ /* JMicron JMB582/585: force 32-bit DMA (broken 64-bit implementation) */
++ { PCI_VDEVICE(JMICRON, 0x0582), board_ahci_jmb585 },
++ { PCI_VDEVICE(JMICRON, 0x0585), board_ahci_jmb585 },
++
+ /* JMicron 360/1/3/5/6, match class to avoid IDE function */
+ { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
+ PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci_ign_iferr },
+--
+2.53.0
+
--- /dev/null
+From d2cf643aca2bf95f0e96e0f94164d094db2eed7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 14:11:39 -0400
+Subject: btrfs: tracepoints: get correct superblock from dentry in event
+ btrfs_sync_file()
+
+From: Goldwyn Rodrigues <rgoldwyn@suse.de>
+
+[ Upstream commit a85b46db143fda5869e7d8df8f258ccef5fa1719 ]
+
+If overlay is used on top of btrfs, dentry->d_sb translates to overlay's
+super block and fsid assignment will lead to a crash.
+
+Use file_inode(file)->i_sb to always get btrfs_sb.
+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/btrfs.h | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h
+index eb762cc7bec53..2364c68df76c4 100644
+--- a/include/trace/events/btrfs.h
++++ b/include/trace/events/btrfs.h
+@@ -789,12 +789,15 @@ TRACE_EVENT(btrfs_sync_file,
+ ),
+
+ TP_fast_assign(
+- const struct dentry *dentry = file->f_path.dentry;
+- const struct inode *inode = d_inode(dentry);
++ struct dentry *dentry = file_dentry(file);
++ struct inode *inode = file_inode(file);
++ struct dentry *parent = dget_parent(dentry);
++ struct inode *parent_inode = d_inode(parent);
+
+- TP_fast_assign_fsid(btrfs_sb(file->f_path.dentry->d_sb));
++ dput(parent);
++ TP_fast_assign_fsid(btrfs_sb(inode->i_sb));
+ __entry->ino = btrfs_ino(BTRFS_I(inode));
+- __entry->parent = btrfs_ino(BTRFS_I(d_inode(dentry->d_parent)));
++ __entry->parent = btrfs_ino(BTRFS_I(parent_inode));
+ __entry->datasync = datasync;
+ __entry->root_objectid =
+ BTRFS_I(inode)->root->root_key.objectid;
+--
+2.53.0
+
--- /dev/null
+From 0e28d94e3e38631b8cb89e6154388e1042cc1062 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 00:00:22 +0800
+Subject: can: mcp251x: add error handling for power enable in open and resume
+
+From: Wenyuan Li <2063309626@qq.com>
+
+[ Upstream commit 7a57354756c7df223abe2c33774235ad70cb4231 ]
+
+Add missing error handling for mcp251x_power_enable() calls in both
+mcp251x_open() and mcp251x_can_resume() functions.
+
+In mcp251x_open(), if power enable fails, jump to error path to close
+candev without attempting to disable power again.
+
+In mcp251x_can_resume(), properly check return values of power enable calls
+for both power and transceiver regulators. If any fails, return the error
+code to the PM framework and log the failure.
+
+This ensures the driver properly handles power control failures and
+maintains correct device state.
+
+Signed-off-by: Wenyuan Li <2063309626@qq.com>
+Link: https://patch.msgid.link/tencent_F3EFC5D7738AC548857B91657715E2D3AA06@qq.com
+[mkl: fix patch description]
+[mkl: mcp251x_can_resume(): replace goto by return]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/spi/mcp251x.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
+index 72ae17b2313ec..d3ffab297b77b 100644
+--- a/drivers/net/can/spi/mcp251x.c
++++ b/drivers/net/can/spi/mcp251x.c
+@@ -1213,7 +1213,11 @@ static int mcp251x_open(struct net_device *net)
+ }
+
+ mutex_lock(&priv->mcp_lock);
+- mcp251x_power_enable(priv->transceiver, 1);
++ ret = mcp251x_power_enable(priv->transceiver, 1);
++ if (ret) {
++ dev_err(&spi->dev, "failed to enable transceiver power: %pe\n", ERR_PTR(ret));
++ goto out_close_candev;
++ }
+
+ priv->force_quit = 0;
+ priv->tx_skb = NULL;
+@@ -1260,6 +1264,7 @@ static int mcp251x_open(struct net_device *net)
+ mcp251x_hw_sleep(spi);
+ out_close:
+ mcp251x_power_enable(priv->transceiver, 0);
++out_close_candev:
+ close_candev(net);
+ mutex_unlock(&priv->mcp_lock);
+ if (release_irq)
+@@ -1499,11 +1504,25 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev)
+ {
+ struct spi_device *spi = to_spi_device(dev);
+ struct mcp251x_priv *priv = spi_get_drvdata(spi);
++ int ret = 0;
+
+- if (priv->after_suspend & AFTER_SUSPEND_POWER)
+- mcp251x_power_enable(priv->power, 1);
+- if (priv->after_suspend & AFTER_SUSPEND_UP)
+- mcp251x_power_enable(priv->transceiver, 1);
++ if (priv->after_suspend & AFTER_SUSPEND_POWER) {
++ ret = mcp251x_power_enable(priv->power, 1);
++ if (ret) {
++ dev_err(dev, "failed to restore power: %pe\n", ERR_PTR(ret));
++ return ret;
++ }
++ }
++
++ if (priv->after_suspend & AFTER_SUSPEND_UP) {
++ ret = mcp251x_power_enable(priv->transceiver, 1);
++ if (ret) {
++ dev_err(dev, "failed to restore transceiver power: %pe\n", ERR_PTR(ret));
++ if (priv->after_suspend & AFTER_SUSPEND_POWER)
++ mcp251x_power_enable(priv->power, 0);
++ return ret;
++ }
++ }
+
+ if (priv->after_suspend & (AFTER_SUSPEND_POWER | AFTER_SUSPEND_UP))
+ queue_work(priv->wq, &priv->restart_work);
+--
+2.53.0
+
--- /dev/null
+From 051fea00173d929d0ed32c7ffa323fbe431d8242 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 10:54:17 +0200
+Subject: clockevents: Prevent timer interrupt starvation
+
+From: Thomas Gleixner <tglx@kernel.org>
+
+[ Upstream commit d6e152d905bdb1f32f9d99775e2f453350399a6a ]
+
+Calvin reported an odd NMI watchdog lockup which claims that the CPU locked
+up in user space. He provided a reproducer, which sets up a timerfd based
+timer and then rearms it in a loop with an absolute expiry time of 1ns.
+
+As the expiry time is in the past, the timer ends up as the first expiring
+timer in the per CPU hrtimer base and the clockevent device is programmed
+with the minimum delta value. If the machine is fast enough, this ends up
+in a endless loop of programming the delta value to the minimum value
+defined by the clock event device, before the timer interrupt can fire,
+which starves the interrupt and consequently triggers the lockup detector
+because the hrtimer callback of the lockup mechanism is never invoked.
+
+As a first step to prevent this, avoid reprogramming the clock event device
+when:
+ - a forced minimum delta event is pending
+ - the new expiry delta is less then or equal to the minimum delta
+
+Thanks to Calvin for providing the reproducer and to Borislav for testing
+and providing data from his Zen5 machine.
+
+The problem is not limited to Zen5, but depending on the underlying
+clock event device (e.g. TSC deadline timer on Intel) and the CPU speed
+not necessarily observable.
+
+This change serves only as the last resort and further changes will be made
+to prevent this scenario earlier in the call chain as far as possible.
+
+[ tglx: Updated to restore the old behaviour vs. !force and delta <= 0 and
+ fixed up the tick-broadcast handlers as pointed out by Borislav ]
+
+Fixes: d316c57ff6bf ("[PATCH] clockevents: add core functionality")
+Reported-by: Calvin Owens <calvin@wbinvd.org>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Tested-by: Calvin Owens <calvin@wbinvd.org>
+Tested-by: Borislav Petkov <bp@alien8.de>
+Link: https://lore.kernel.org/lkml/acMe-QZUel-bBYUh@mozart.vkv.me/
+Link: https://patch.msgid.link/20260407083247.562657657@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/clockchips.h | 2 ++
+ kernel/time/clockevents.c | 27 +++++++++++++++++++--------
+ kernel/time/hrtimer.c | 1 +
+ kernel/time/tick-broadcast.c | 8 +++++++-
+ kernel/time/tick-common.c | 1 +
+ kernel/time/tick-sched.c | 1 +
+ 6 files changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/clockchips.h b/include/linux/clockchips.h
+index 9aac31d856f39..c0d767b8f4bd5 100644
+--- a/include/linux/clockchips.h
++++ b/include/linux/clockchips.h
+@@ -80,6 +80,7 @@ enum clock_event_state {
+ * @shift: nanoseconds to cycles divisor (power of two)
+ * @state_use_accessors:current state of the device, assigned by the core code
+ * @features: features
++ * @next_event_forced: True if the last programming was a forced event
+ * @retries: number of forced programming retries
+ * @set_state_periodic: switch state to periodic
+ * @set_state_oneshot: switch state to oneshot
+@@ -108,6 +109,7 @@ struct clock_event_device {
+ u32 shift;
+ enum clock_event_state state_use_accessors;
+ unsigned int features;
++ unsigned int next_event_forced;
+ unsigned long retries;
+
+ int (*set_state_periodic)(struct clock_event_device *);
+diff --git a/kernel/time/clockevents.c b/kernel/time/clockevents.c
+index 960143b183cdb..0869b3902605e 100644
+--- a/kernel/time/clockevents.c
++++ b/kernel/time/clockevents.c
+@@ -172,6 +172,7 @@ void clockevents_shutdown(struct clock_event_device *dev)
+ {
+ clockevents_switch_state(dev, CLOCK_EVT_STATE_SHUTDOWN);
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+ }
+
+ /**
+@@ -305,7 +306,6 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires,
+ {
+ unsigned long long clc;
+ int64_t delta;
+- int rc;
+
+ if (WARN_ON_ONCE(expires < 0))
+ return -ETIME;
+@@ -324,16 +324,27 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires,
+ return dev->set_next_ktime(expires, dev);
+
+ delta = ktime_to_ns(ktime_sub(expires, ktime_get()));
+- if (delta <= 0)
+- return force ? clockevents_program_min_delta(dev) : -ETIME;
+
+- delta = min(delta, (int64_t) dev->max_delta_ns);
+- delta = max(delta, (int64_t) dev->min_delta_ns);
++ /* Required for tick_periodic() during early boot */
++ if (delta <= 0 && !force)
++ return -ETIME;
++
++ if (delta > (int64_t)dev->min_delta_ns) {
++ delta = min(delta, (int64_t) dev->max_delta_ns);
++ clc = ((unsigned long long) delta * dev->mult) >> dev->shift;
++ if (!dev->set_next_event((unsigned long) clc, dev))
++ return 0;
++ }
+
+- clc = ((unsigned long long) delta * dev->mult) >> dev->shift;
+- rc = dev->set_next_event((unsigned long) clc, dev);
++ if (dev->next_event_forced)
++ return 0;
+
+- return (rc && force) ? clockevents_program_min_delta(dev) : rc;
++ if (dev->set_next_event(dev->min_delta_ticks, dev)) {
++ if (!force || clockevents_program_min_delta(dev))
++ return -ETIME;
++ }
++ dev->next_event_forced = 1;
++ return 0;
+ }
+
+ /*
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 03f488f93cddf..9a8a2d36b9db6 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1853,6 +1853,7 @@ void hrtimer_interrupt(struct clock_event_device *dev)
+ BUG_ON(!cpu_base->hres_active);
+ cpu_base->nr_events++;
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+
+ raw_spin_lock_irqsave(&cpu_base->lock, flags);
+ entry_time = now = hrtimer_update_base(cpu_base);
+diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c
+index ed58eebb4e8f4..99d2978ef9b98 100644
+--- a/kernel/time/tick-broadcast.c
++++ b/kernel/time/tick-broadcast.c
+@@ -76,8 +76,10 @@ const struct clock_event_device *tick_get_wakeup_device(int cpu)
+ */
+ static void tick_broadcast_start_periodic(struct clock_event_device *bc)
+ {
+- if (bc)
++ if (bc) {
++ bc->next_event_forced = 0;
+ tick_setup_periodic(bc, 1);
++ }
+ }
+
+ /*
+@@ -403,6 +405,7 @@ static void tick_handle_periodic_broadcast(struct clock_event_device *dev)
+ bool bc_local;
+
+ raw_spin_lock(&tick_broadcast_lock);
++ tick_broadcast_device.evtdev->next_event_forced = 0;
+
+ /* Handle spurious interrupts gracefully */
+ if (clockevent_state_shutdown(tick_broadcast_device.evtdev)) {
+@@ -696,6 +699,7 @@ static void tick_handle_oneshot_broadcast(struct clock_event_device *dev)
+
+ raw_spin_lock(&tick_broadcast_lock);
+ dev->next_event = KTIME_MAX;
++ tick_broadcast_device.evtdev->next_event_forced = 0;
+ next_event = KTIME_MAX;
+ cpumask_clear(tmpmask);
+ now = ktime_get();
+@@ -1061,6 +1065,7 @@ static void tick_broadcast_setup_oneshot(struct clock_event_device *bc,
+
+
+ bc->event_handler = tick_handle_oneshot_broadcast;
++ bc->next_event_forced = 0;
+ bc->next_event = KTIME_MAX;
+
+ /*
+@@ -1173,6 +1178,7 @@ void hotplug_cpu__broadcast_tick_pull(int deadcpu)
+ }
+
+ /* This moves the broadcast assignment to this CPU: */
++ bc->next_event_forced = 0;
+ clockevents_program_event(bc, bc->next_event, 1);
+ }
+ raw_spin_unlock_irqrestore(&tick_broadcast_lock, flags);
+diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c
+index ecdb8c2b2cab2..d5c9af9c6c333 100644
+--- a/kernel/time/tick-common.c
++++ b/kernel/time/tick-common.c
+@@ -109,6 +109,7 @@ void tick_handle_periodic(struct clock_event_device *dev)
+ int cpu = smp_processor_id();
+ ktime_t next = dev->next_event;
+
++ dev->next_event_forced = 0;
+ tick_periodic(cpu);
+
+ #if defined(CONFIG_HIGH_RES_TIMERS) || defined(CONFIG_NO_HZ_COMMON)
+diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
+index 55cbc49f70d14..bf3ff0dbf2a28 100644
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -1373,6 +1373,7 @@ static void tick_nohz_handler(struct clock_event_device *dev)
+ ktime_t now = ktime_get();
+
+ dev->next_event = KTIME_MAX;
++ dev->next_event_forced = 0;
+
+ tick_sched_do_timer(ts, now);
+ tick_sched_handle(ts, regs);
+--
+2.53.0
+
--- /dev/null
+From 43dd663b11e9cceed1ad3a53895b06b2879b1f54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Apr 2026 13:32:21 +0800
+Subject: crypto: algif_aead - Fix minimum RX size check for decryption
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ]
+
+The check for the minimum receive buffer size did not take the
+tag size into account during decryption. Fix this by adding the
+required extra length.
+
+Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
+Reported-by: Daniel Pouzzner <douzzer@mega.nu>
+Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/algif_aead.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
+index 7d58cbbce4af2..481e66f8708bb 100644
+--- a/crypto/algif_aead.c
++++ b/crypto/algif_aead.c
+@@ -170,7 +170,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
+ if (usedpages < outlen) {
+ size_t less = outlen - usedpages;
+
+- if (used < less) {
++ if (used < less + (ctx->enc ? 0 : as)) {
+ err = -EINVAL;
+ goto free;
+ }
+--
+2.53.0
+
--- /dev/null
+From 1794f1c289a7ab31c938b58aed5345e494d1db6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:45 -0300
+Subject: drm/vc4: Fix a memory leak in hang state error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit 9525d169e5fd481538cf8c663cc5839e54f2e481 ]
+
+When vc4_save_hang_state() encounters an early return condition, it
+returns without freeing the previously allocated `kernel_state`,
+leaking memory.
+
+Add the missing kfree() calls by consolidating the early return paths
+into a single place.
+
+Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-3-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index fe535c6fc95a8..cede3bf3d722a 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -169,10 +169,8 @@ vc4_save_hang_state(struct drm_device *dev)
+ spin_lock_irqsave(&vc4->job_lock, irqflags);
+ exec[0] = vc4_first_bin_job(vc4);
+ exec[1] = vc4_first_render_job(vc4);
+- if (!exec[0] && !exec[1]) {
+- spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+- return;
+- }
++ if (!exec[0] && !exec[1])
++ goto err_free_state;
+
+ /* Get the bos from both binner and renderer into hang state. */
+ state->bo_count = 0;
+@@ -189,10 +187,8 @@ vc4_save_hang_state(struct drm_device *dev)
+ kernel_state->bo = kcalloc(state->bo_count,
+ sizeof(*kernel_state->bo), GFP_ATOMIC);
+
+- if (!kernel_state->bo) {
+- spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+- return;
+- }
++ if (!kernel_state->bo)
++ goto err_free_state;
+
+ k = 0;
+ for (i = 0; i < 2; i++) {
+@@ -284,6 +280,12 @@ vc4_save_hang_state(struct drm_device *dev)
+ vc4->hang_state = kernel_state;
+ spin_unlock_irqrestore(&vc4->job_lock, irqflags);
+ }
++
++ return;
++
++err_free_state:
++ spin_unlock_irqrestore(&vc4->job_lock, irqflags);
++ kfree(kernel_state);
+ }
+
+ static void
+--
+2.53.0
+
--- /dev/null
+From 7eb9c21da83c91588df1cae6005d68bc1e521142 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:44 -0300
+Subject: drm/vc4: Fix memory leak of BO array in hang state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit f4dfd6847b3e5d24e336bca6057485116d17aea4 ]
+
+The hang state's BO array is allocated separately with kzalloc() in
+vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the
+missing kfree() for the BO array before freeing the hang state struct.
+
+Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-2-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index 03648f954985e..fe535c6fc95a8 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -60,6 +60,7 @@ vc4_free_hang_state(struct drm_device *dev, struct vc4_hang_state *state)
+ for (i = 0; i < state->user_state.bo_count; i++)
+ drm_gem_object_put(state->bo[i]);
+
++ kfree(state->bo);
+ kfree(state);
+ }
+
+--
+2.53.0
+
--- /dev/null
+From f04bb49418754f02a05092177a1f4f096777de1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:46 -0300
+Subject: drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit 338c56050d8e892604da97f67bfa8cc4015a955f ]
+
+The mmap callback reads bo->madv without holding madv_lock, racing with
+concurrent DRM_IOCTL_VC4_GEM_MADVISE calls that modify the field under
+the same lock. Add the missing locking to prevent the data race.
+
+Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-4-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_bo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c
+index 86d629e45307d..84ad6a952b5d3 100644
+--- a/drivers/gpu/drm/vc4/vc4_bo.c
++++ b/drivers/gpu/drm/vc4/vc4_bo.c
+@@ -738,12 +738,15 @@ static int vc4_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct
+ return -EINVAL;
+ }
+
++ mutex_lock(&bo->madv_lock);
+ if (bo->madv != VC4_MADV_WILLNEED) {
+ DRM_DEBUG("mmapping of %s BO not allowed\n",
+ bo->madv == VC4_MADV_DONTNEED ?
+ "purgeable" : "purged");
++ mutex_unlock(&bo->madv_lock);
+ return -EINVAL;
+ }
++ mutex_unlock(&bo->madv_lock);
+
+ return drm_gem_dma_mmap(&bo->base, vma);
+ }
+--
+2.53.0
+
--- /dev/null
+From 7e96c10a1cc3f97e1984a388ae6002092d6575f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 14:51:43 -0300
+Subject: drm/vc4: Release runtime PM reference after binding V3D
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit aaefbdde9abdc43699e110679c0e10972a5e1c59 ]
+
+The vc4_v3d_bind() function acquires a runtime PM reference via
+pm_runtime_resume_and_get() to access V3D registers during setup.
+However, this reference is never released after a successful bind.
+This prevents the device from ever runtime suspending, since the
+reference count never reaches zero.
+
+Release the runtime PM reference by adding pm_runtime_put_autosuspend()
+after autosuspend is configured, allowing the device to runtime suspend
+after the delay.
+
+Fixes: 266cff37d7fc ("drm/vc4: v3d: Rework the runtime_pm setup")
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-1-92defc940a29@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_v3d.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_v3d.c b/drivers/gpu/drm/vc4/vc4_v3d.c
+index 04ac7805e6d5f..b1de828e2f90e 100644
+--- a/drivers/gpu/drm/vc4/vc4_v3d.c
++++ b/drivers/gpu/drm/vc4/vc4_v3d.c
+@@ -491,6 +491,7 @@ static int vc4_v3d_bind(struct device *dev, struct device *master, void *data)
+
+ pm_runtime_use_autosuspend(dev);
+ pm_runtime_set_autosuspend_delay(dev, 40); /* a little over 2 frames. */
++ pm_runtime_put_autosuspend(dev);
+
+ return 0;
+
+--
+2.53.0
+
--- /dev/null
+From eead08648ad3c2949035c7cbb76d9faa00ed7de1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 11:29:40 +0100
+Subject: dt-bindings: net: Fix Tegra234 MGBE PTP clock
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+[ Upstream commit fb22b1fc5bca3c0aad95388933497ceb30f1fb26 ]
+
+The PTP clock for the Tegra234 MGBE device is incorrectly named
+'ptp-ref' and should be 'ptp_ref'. This is causing the following
+warning to be observed on Tegra234 platforms that use this device:
+
+ ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate
+ WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed
+
+Although this constitutes an ABI breakage in the binding for this
+device, PTP support has clearly never worked and so fix this now
+so we can correct the device-tree for this device. Note that the
+MGBE driver still supports the legacy 'ptp-ref' clock name and so
+older/existing device-trees will still work, but given that this
+is not the correct name, there is no point to advertise this in the
+binding.
+
+Fixes: 189c2e5c7669 ("dt-bindings: net: Add Tegra234 MGBE")
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260401102941.17466-3-jonathanh@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../devicetree/bindings/net/nvidia,tegra234-mgbe.yaml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
+index 2bd3efff2485e..215f14d1897d2 100644
+--- a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
++++ b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml
+@@ -42,7 +42,7 @@ properties:
+ - const: mgbe
+ - const: mac
+ - const: mac-divider
+- - const: ptp-ref
++ - const: ptp_ref
+ - const: rx-input-m
+ - const: rx-input
+ - const: tx
+@@ -133,7 +133,7 @@ examples:
+ <&bpmp TEGRA234_CLK_MGBE0_RX_PCS_M>,
+ <&bpmp TEGRA234_CLK_MGBE0_RX_PCS>,
+ <&bpmp TEGRA234_CLK_MGBE0_TX_PCS>;
+- clock-names = "mgbe", "mac", "mac-divider", "ptp-ref", "rx-input-m",
++ clock-names = "mgbe", "mac", "mac-divider", "ptp_ref", "rx-input-m",
+ "rx-input", "tx", "eee-pcs", "rx-pcs-input", "rx-pcs-m",
+ "rx-pcs", "tx-pcs";
+ resets = <&bpmp TEGRA234_RESET_MGBE0_MAC>,
+--
+2.53.0
+
--- /dev/null
+From 172029b1b4b8bb4321d44a306589f65d6aeed05b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 15:05:05 +0300
+Subject: e1000: check return value of e1000_read_eeprom
+
+From: Agalakov Daniil <ade@amicon.ru>
+
+[ Upstream commit d3baa34a470771399c1495bc04b1e26ac15d598e ]
+
+[Why]
+e1000_set_eeprom() performs a read-modify-write operation when the write
+range is not word-aligned. This requires reading the first and last words
+of the range from the EEPROM to preserve the unmodified bytes.
+
+However, the code does not check the return value of e1000_read_eeprom().
+If the read fails, the operation continues using uninitialized data from
+eeprom_buff. This results in corrupted data being written back to the
+EEPROM for the boundary words.
+
+Add the missing error checks and abort the operation if reading fails.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Co-developed-by: Iskhakov Daniil <dish@amicon.ru>
+Signed-off-by: Iskhakov Daniil <dish@amicon.ru>
+Signed-off-by: Agalakov Daniil <ade@amicon.ru>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+index d06d29c6c0370..c7b50059663d9 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+@@ -496,14 +496,19 @@ static int e1000_set_eeprom(struct net_device *netdev,
+ */
+ ret_val = e1000_read_eeprom(hw, first_word, 1,
+ &eeprom_buff[0]);
++ if (ret_val)
++ goto out;
++
+ ptr++;
+ }
+- if (((eeprom->offset + eeprom->len) & 1) && (ret_val == 0)) {
++ if ((eeprom->offset + eeprom->len) & 1) {
+ /* need read/modify/write of last changed EEPROM word
+ * only the first byte of the word is being modified
+ */
+ ret_val = e1000_read_eeprom(hw, last_word, 1,
+ &eeprom_buff[last_word - first_word]);
++ if (ret_val)
++ goto out;
+ }
+
+ /* Device's eeprom is always little-endian, word addressable */
+@@ -522,6 +527,7 @@ static int e1000_set_eeprom(struct net_device *netdev,
+ if ((ret_val == 0) && (first_word <= EEPROM_CHECKSUM_REG))
+ e1000_update_eeprom_checksum(hw);
+
++out:
+ kfree(eeprom_buff);
+ return ret_val;
+ }
+--
+2.53.0
+
--- /dev/null
+From 258e04ce524c8bcfeb510d80c9b417dad80b24db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Mar 2026 15:25:32 +0200
+Subject: eventpoll: defer struct eventpoll free to RCU grace period
+
+From: Nicholas Carlini <nicholas@carlini.com>
+
+[ Upstream commit 07712db80857d5d09ae08f3df85a708ecfc3b61f ]
+
+In certain situations, ep_free() in eventpoll.c will kfree the epi->ep
+eventpoll struct while it still being used by another concurrent thread.
+Defer the kfree() to an RCU callback to prevent UAF.
+
+Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion")
+Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/eventpoll.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index 3c6c646fb3c49..8a556560a5b2f 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -225,6 +225,9 @@ struct eventpoll {
+ */
+ refcount_t refcount;
+
++ /* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */
++ struct rcu_head rcu;
++
+ #ifdef CONFIG_NET_RX_BUSY_POLL
+ /* used to track busy poll napi_id */
+ unsigned int napi_id;
+@@ -708,7 +711,8 @@ static void ep_free(struct eventpoll *ep)
+ mutex_destroy(&ep->mtx);
+ free_uid(ep->user);
+ wakeup_source_unregister(ep->ws);
+- kfree(ep);
++ /* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */
++ kfree_rcu(ep, rcu);
+ }
+
+ /*
+--
+2.53.0
+
--- /dev/null
+From b4ba0d74aa7996739d6dc9963221e477bc8f7edb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2026 13:11:27 -0700
+Subject: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
+
+From: Fredric Cover <FredTheDude@proton.me>
+
+[ Upstream commit 78ec5bf2f589ec7fd8f169394bfeca541b077317 ]
+
+When cifs_sanitize_prepath is called with an empty string or a string
+containing only delimiters (e.g., "/"), the current logic attempts to
+check *(cursor2 - 1) before cursor2 has advanced. This results in an
+out-of-bounds read.
+
+This patch adds an early exit check after stripping prepended
+delimiters. If no path content remains, the function returns NULL.
+
+The bug was identified via manual audit and verified using a
+standalone test case compiled with AddressSanitizer, which
+triggered a SEGV on affected inputs.
+
+Signed-off-by: Fredric Cover <FredTheDude@proton.me>
+Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/fs_context.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
+index 930f9c17a8d6d..0812af0014173 100644
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -495,6 +495,10 @@ char *cifs_sanitize_prepath(char *prepath, gfp_t gfp)
+ while (IS_DELIM(*cursor1))
+ cursor1++;
+
++ /* exit in case of only delimiters */
++ if (!*cursor1)
++ return NULL;
++
+ /* copy the first letter */
+ *cursor2 = *cursor1;
+
+--
+2.53.0
+
--- /dev/null
+From b284585d68168723f3b2e7a2768ffb64fab593e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Apr 2026 14:02:47 -0700
+Subject: gpio: tegra: fix irq_release_resources calling enable instead of
+ disable
+
+From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+
+[ Upstream commit 1561d96f5f55c1bca9ff047ace5813f4f244eea6 ]
+
+tegra_gpio_irq_release_resources() erroneously calls tegra_gpio_enable()
+instead of tegra_gpio_disable(). When IRQ resources are released, the
+GPIO configuration bit (CNF) should be cleared to deconfigure the pin as
+a GPIO. Leaving it enabled wastes power and can cause unexpected behavior
+if the pin is later reused for an alternate function via pinctrl.
+
+Fixes: 66fecef5bde0 ("gpio: tegra: Convert to gpio_irq_chip")
+Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+Link: https://patch.msgid.link/20260407210247.1737938-1-samasth.norway.ananda@oracle.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-tegra.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-tegra.c b/drivers/gpio/gpio-tegra.c
+index ea715582bcf34..dc2a4d3d56a10 100644
+--- a/drivers/gpio/gpio-tegra.c
++++ b/drivers/gpio/gpio-tegra.c
+@@ -597,7 +597,7 @@ static void tegra_gpio_irq_release_resources(struct irq_data *d)
+ struct tegra_gpio_info *tgi = gpiochip_get_data(chip);
+
+ gpiochip_relres_irq(chip, d->hwirq);
+- tegra_gpio_enable(tgi, d->hwirq);
++ tegra_gpio_disable(tgi, d->hwirq);
+ }
+
+ static void tegra_gpio_irq_print_chip(struct irq_data *d, struct seq_file *s)
+--
+2.53.0
+
--- /dev/null
+From 446bc132bb794875734662f44228c2b5980b7b73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 13:36:59 -0500
+Subject: HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3
+
+From: leo vriska <leo@60228.dev>
+
+[ Upstream commit 532743944324a873bbaf8620fcabcd0e69e30c36 ]
+
+According to a mailing list report [1], this controller's predecessor
+has the same issue. However, it uses the xpad driver instead of HID, so
+this quirk wouldn't apply.
+
+[1]: https://lore.kernel.org/linux-input/unufo3$det$1@ciao.gmane.io/
+
+Signed-off-by: leo vriska <leo@60228.dev>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 2057546b26823..2565a7425442a 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -22,6 +22,9 @@
+ #define USB_DEVICE_ID_3M2256 0x0502
+ #define USB_DEVICE_ID_3M3266 0x0506
+
++#define USB_VENDOR_ID_8BITDO 0x2dc8
++#define USB_DEVICE_ID_8BITDO_PRO_3 0x6009
++
+ #define USB_VENDOR_ID_A4TECH 0x09da
+ #define USB_DEVICE_ID_A4TECH_WCP32PU 0x0006
+ #define USB_DEVICE_ID_A4TECH_X5_005D 0x000a
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index 7a3e0675d9ba2..d9e33dde89899 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -25,6 +25,7 @@
+ */
+
+ static const struct hid_device_id hid_quirks[] = {
++ { HID_USB_DEVICE(USB_VENDOR_ID_8BITDO, USB_DEVICE_ID_8BITDO_PRO_3), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD },
+ { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL },
+--
+2.53.0
+
--- /dev/null
+From 6613606eb60cf5ab7e864c9380432b6249ea1c84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 16:11:07 +0000
+Subject: HID: roccat: fix use-after-free in roccat_report_event
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benoît Sevens <bsevens@google.com>
+
+[ Upstream commit d802d848308b35220f21a8025352f0c0aba15c12 ]
+
+roccat_report_event() iterates over the device->readers list without
+holding the readers_lock. This allows a concurrent roccat_release() to
+remove and free a reader while it's still being accessed, leading to a
+use-after-free.
+
+Protect the readers list traversal with the readers_lock mutex.
+
+Signed-off-by: Benoît Sevens <bsevens@google.com>
+Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-roccat.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c
+index c7f7562e22e56..e413662f75082 100644
+--- a/drivers/hid/hid-roccat.c
++++ b/drivers/hid/hid-roccat.c
+@@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data)
+ if (!new_value)
+ return -ENOMEM;
+
++ mutex_lock(&device->readers_lock);
+ mutex_lock(&device->cbuf_lock);
+
+ report = &device->cbuf[device->cbuf_end];
+@@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data)
+ }
+
+ mutex_unlock(&device->cbuf_lock);
++ mutex_unlock(&device->readers_lock);
+
+ wake_up_interruptible(&device->wait);
+ return 0;
+--
+2.53.0
+
--- /dev/null
+From a0112cc3b03db1092c9080f8105af8d42af759d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 15:04:19 +0800
+Subject: ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
+
+From: Yiqi Sun <sunyiqixm@gmail.com>
+
+[ Upstream commit fde29fd9349327acc50d19a0b5f3d5a6c964dfd8 ]
+
+ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the
+IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing
+this error pointer to dev_hold() will cause a kernel crash with
+null-ptr-deref.
+
+Instead, silently discard the request. RFC 8335 does not appear to
+define a specific response for the case where an IPv6 interface
+identifier is syntactically valid but the implementation cannot perform
+the lookup at runtime, and silently dropping the request may safer than
+misreporting "No Such Interface".
+
+Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
+Signed-off-by: Yiqi Sun <sunyiqixm@gmail.com>
+Link: https://patch.msgid.link/20260402070419.2291578-1-sunyiqixm@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 64a0bc633a3eb..3171392c8c066 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -1136,6 +1136,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
+ if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr))
+ goto send_mal_query;
+ dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
++ /*
++ * If IPv6 identifier lookup is unavailable, silently
++ * discard the request instead of misreporting NO_IF.
++ */
++ if (IS_ERR(dev))
++ return false;
++
+ dev_hold(dev);
+ break;
+ #endif
+--
+2.53.0
+
--- /dev/null
+From 23acde06184fa5700c04ce81df795482e0667921 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 15:58:01 +0800
+Subject: ipvs: fix NULL deref in ip_vs_add_service error path
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit 9a91797e61d286805ae10a92cc48959c30800556 ]
+
+When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local
+variable sched is set to NULL. If ip_vs_start_estimator() subsequently
+fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched)
+with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL
+check (because svc->scheduler was set by the successful bind) but then
+dereferences the NULL sched parameter at sched->done_service, causing a
+kernel panic at offset 0x30 from NULL.
+
+ Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI
+ KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
+ RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69)
+ Call Trace:
+ <TASK>
+ ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500)
+ do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809)
+ nf_setsockopt (net/netfilter/nf_sockopt.c:102)
+ [..]
+
+Fix by simply not clearing the local sched variable after a successful
+bind. ip_vs_unbind_scheduler() already detects whether a scheduler is
+installed via svc->scheduler, and keeping sched non-NULL ensures the
+error path passes the correct pointer to both ip_vs_unbind_scheduler()
+and ip_vs_scheduler_put().
+
+While the bug is older, the problem popups in more recent kernels (6.2),
+when the new error path is taken after the ip_vs_start_estimator() call.
+
+Fixes: 705dd3444081 ("ipvs: use kthreads for stats estimation")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Acked-by: Simon Horman <horms@kernel.org>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index c82dcbb4dabce..25f586fab2bcc 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -1452,7 +1452,6 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
+ ret = ip_vs_bind_scheduler(svc, sched);
+ if (ret)
+ goto out_err;
+- sched = NULL;
+ }
+
+ ret = ip_vs_start_estimator(ipvs, &svc->stats);
+--
+2.53.0
+
--- /dev/null
+From a0cee186e298ba7b99d85512d9c3c9e483202d66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 09:22:29 +0100
+Subject: ixgbevf: add missing negotiate_features op to Hyper-V ops table
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit 4821d563cd7f251ae728be1a6d04af82a294a5b9 ]
+
+Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by
+negotiating supported features") added the .negotiate_features callback
+to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot
+to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL
+on Hyper-V VMs.
+
+During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(),
+which unconditionally dereferences hw->mac.ops.negotiate_features().
+On Hyper-V this results in a NULL pointer dereference:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ [...]
+ Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...]
+ Workqueue: events work_for_cpu_fn
+ RIP: 0010:0x0
+ [...]
+ Call Trace:
+ ixgbevf_negotiate_api+0x66/0x160 [ixgbevf]
+ ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf]
+ ixgbevf_probe+0x20f/0x4a0 [ixgbevf]
+ local_pci_probe+0x50/0xa0
+ work_for_cpu_fn+0x1a/0x30
+ [...]
+
+Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and
+wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP
+gracefully.
+
+Fixes: a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features")
+Reported-by: Xiaoqiang Xiong <xxiong@redhat.com>
+Closes: https://issues.redhat.com/browse/RHEL-155455
+Assisted-by: Claude:claude-4.6-opus-high Cursor
+Tested-by: Xiaoqiang Xiong <xxiong@redhat.com>
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbevf/vf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.c b/drivers/net/ethernet/intel/ixgbevf/vf.c
+index 708d5dd921acc..70dfda13b7885 100644
+--- a/drivers/net/ethernet/intel/ixgbevf/vf.c
++++ b/drivers/net/ethernet/intel/ixgbevf/vf.c
+@@ -709,6 +709,12 @@ static int ixgbevf_negotiate_features_vf(struct ixgbe_hw *hw, u32 *pf_features)
+ return err;
+ }
+
++static int ixgbevf_hv_negotiate_features_vf(struct ixgbe_hw *hw,
++ u32 *pf_features)
++{
++ return -EOPNOTSUPP;
++}
++
+ /**
+ * ixgbevf_set_vfta_vf - Set/Unset VLAN filter table address
+ * @hw: pointer to the HW structure
+@@ -1142,6 +1148,7 @@ static const struct ixgbe_mac_operations ixgbevf_hv_mac_ops = {
+ .setup_link = ixgbevf_setup_mac_link_vf,
+ .check_link = ixgbevf_hv_check_mac_link_vf,
+ .negotiate_api_version = ixgbevf_hv_negotiate_api_version_vf,
++ .negotiate_features = ixgbevf_hv_negotiate_features_vf,
+ .set_rar = ixgbevf_hv_set_rar_vf,
+ .update_mc_addr_list = ixgbevf_hv_update_mc_addr_list_vf,
+ .update_xcast_mode = ixgbevf_hv_update_xcast_mode,
+--
+2.53.0
+
--- /dev/null
+From a606cf2f531f2eb71566e9b9291816ddbc1067c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 20:49:49 +0300
+Subject: l2tp: Drop large packets with UDP encap
+
+From: Alice Mikityanska <alice@isovalent.com>
+
+[ Upstream commit ebe560ea5f54134279356703e73b7f867c89db13 ]
+
+syzbot reported a WARN on my patch series [1]. The actual issue is an
+overflow of 16-bit UDP length field, and it exists in the upstream code.
+My series added a debug WARN with an overflow check that exposed the
+issue, that's why syzbot tripped on my patches, rather than on upstream
+code.
+
+syzbot's repro:
+
+r0 = socket$pppl2tp(0x18, 0x1, 0x1)
+r1 = socket$inet6_udp(0xa, 0x2, 0x0)
+connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c)
+connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
+writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1)
+
+It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP
+encapsulation, and l2tp_xmit_core doesn't check for overflows when it
+assigns the UDP length field. The value gets trimmed to 16 bites.
+
+Add an overflow check that drops oversized packets and avoids sending
+packets with trimmed UDP length to the wire.
+
+syzbot's stack trace (with my patch applied):
+
+len >= 65536u
+WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957
+WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957
+WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957
+Modules linked in:
+CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
+RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline]
+RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline]
+RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327
+Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f
+RSP: 0018:ffffc90003d67878 EFLAGS: 00010293
+RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000
+RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff
+RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
+R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900
+R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000
+FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ sock_write_iter+0x503/0x550 net/socket.c:1195
+ do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1
+ vfs_writev+0x33c/0x990 fs/read_write.c:1059
+ do_writev+0x154/0x2e0 fs/read_write.c:1105
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f636479c629
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
+RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629
+RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003
+RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0
+ </TASK>
+
+[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/
+
+Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
+Reported-by: syzbot+ci3edea60a44225dec@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/69a1dfba.050a0220.3a55be.0026.GAE@google.com/
+Signed-off-by: Alice Mikityanska <alice@isovalent.com>
+Link: https://patch.msgid.link/20260403174949.843941-1-alice.kernel@fastmail.im
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index e0ca08ebd16a9..3c701795fa100 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1083,6 +1083,11 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns
+ uh->source = inet->inet_sport;
+ uh->dest = inet->inet_dport;
+ udp_len = uhlen + session->hdr_len + data_len;
++ if (udp_len > U16_MAX) {
++ kfree_skb(skb);
++ ret = NET_XMIT_DROP;
++ goto out_unlock;
++ }
+ uh->len = htons(udp_len);
+
+ /* Calculate UDP checksum if configured to do so */
+--
+2.53.0
+
--- /dev/null
+From ee72d650606a76cd191ca62accd1a9128e3467dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Feb 2026 10:47:51 +0100
+Subject: media: rkvdec: reduce stack usage in rkvdec_init_v4l2_vp9_count_tbl()
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit c03b7dec3c4ddc97872fa12bfca75bae9cb46510 ]
+
+The deeply nested loop in rkvdec_init_v4l2_vp9_count_tbl() needs a lot
+of registers, so when the clang register allocator runs out, it ends up
+spilling countless temporaries to the stack:
+
+drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c:966:12: error: stack frame size (1472) exceeds limit (1280) in 'rkvdec_vp9_start' [-Werror,-Wframe-larger-than]
+
+Marking this function as noinline_for_stack keeps it out of
+rkvdec_vp9_start(), giving the compiler more room for optimization.
+
+The resulting code is good enough that both the total stack usage
+and the loop get enough better to stay under the warning limit,
+though it's still slow, and would need a larger rework if this
+function ends up being called in a fast path.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/rkvdec/rkvdec-vp9.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/rkvdec/rkvdec-vp9.c b/drivers/staging/media/rkvdec/rkvdec-vp9.c
+index 0e7e16f20eeb0..bc74d2d824ef2 100644
+--- a/drivers/staging/media/rkvdec/rkvdec-vp9.c
++++ b/drivers/staging/media/rkvdec/rkvdec-vp9.c
+@@ -923,7 +923,8 @@ static void rkvdec_vp9_done(struct rkvdec_ctx *ctx,
+ update_ctx_last_info(vp9_ctx);
+ }
+
+-static void rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx)
++static noinline_for_stack void
++rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx)
+ {
+ struct rkvdec_vp9_ctx *vp9_ctx = ctx->priv;
+ struct rkvdec_vp9_intra_frame_symbol_counts *intra_cnts = vp9_ctx->count_tbl.cpu;
+--
+2.53.0
+
--- /dev/null
+From c4012f6d0405114974db3e7d3449940776918476 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 18:43:48 +0200
+Subject: net: ipa: fix event ring index not programmed for IPA v5.0+
+
+From: Alexander Koskovich <akoskovich@pm.me>
+
+[ Upstream commit 56007972c0b1e783ca714d6f1f4d6e66e531d21f ]
+
+For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to
+CH_C_CNTXT_1. The v5.0 register definition intended to define this
+field in the CH_C_CNTXT_1 fmask array but used the old identifier of
+ERINDEX instead of CH_ERINDEX.
+
+Without a valid event ring, GSI channels could never signal transfer
+completions. This caused gsi_channel_trans_quiesce() to block
+forever in wait_for_completion().
+
+At least for IPA v5.2 this resolves an issue seen where runtime
+suspend, system suspend, and remoteproc stop all hanged forever. It
+also meant the IPA data path was completely non functional.
+
+Fixes: faf0678ec8a0 ("net: ipa: add IPA v5.0 GSI register definitions")
+Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260403-milos-ipa-v1-2-01e9e4e03d3e@fairphone.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipa/reg/gsi_reg-v5.0.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ipa/reg/gsi_reg-v5.0.c b/drivers/net/ipa/reg/gsi_reg-v5.0.c
+index eac3913297c27..cbc7cd5b34f31 100644
+--- a/drivers/net/ipa/reg/gsi_reg-v5.0.c
++++ b/drivers/net/ipa/reg/gsi_reg-v5.0.c
+@@ -28,7 +28,7 @@ REG_STRIDE_FIELDS(CH_C_CNTXT_0, ch_c_cntxt_0,
+
+ static const u32 reg_ch_c_cntxt_1_fmask[] = {
+ [CH_R_LENGTH] = GENMASK(23, 0),
+- [ERINDEX] = GENMASK(31, 24),
++ [CH_ERINDEX] = GENMASK(31, 24),
+ };
+
+ REG_STRIDE_FIELDS(CH_C_CNTXT_1, ch_c_cntxt_1,
+--
+2.53.0
+
--- /dev/null
+From 23583a43e3a82e2bd5cc6d6d2895b89a84d91821 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 18:43:47 +0200
+Subject: net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+
+
+From: Alexander Koskovich <akoskovich@pm.me>
+
+[ Upstream commit 9709b56d908acc120fe8b4ae250b3c9d749ea832 ]
+
+Fix the field masks to match the hardware layout documented in
+downstream GSI (GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD_*).
+
+Notably this fixes a WARN I was seeing when I tried to send "stop"
+to the MPSS remoteproc while IPA was up.
+
+Fixes: faf0678ec8a0 ("net: ipa: add IPA v5.0 GSI register definitions")
+Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260403-milos-ipa-v1-1-01e9e4e03d3e@fairphone.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipa/reg/gsi_reg-v5.0.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ipa/reg/gsi_reg-v5.0.c b/drivers/net/ipa/reg/gsi_reg-v5.0.c
+index 145eb0bd096d6..eac3913297c27 100644
+--- a/drivers/net/ipa/reg/gsi_reg-v5.0.c
++++ b/drivers/net/ipa/reg/gsi_reg-v5.0.c
+@@ -154,9 +154,10 @@ REG_FIELDS(EV_CH_CMD, ev_ch_cmd, 0x00025010 + 0x12000 * GSI_EE_AP);
+
+ static const u32 reg_generic_cmd_fmask[] = {
+ [GENERIC_OPCODE] = GENMASK(4, 0),
+- [GENERIC_CHID] = GENMASK(9, 5),
+- [GENERIC_EE] = GENMASK(13, 10),
+- /* Bits 14-31 reserved */
++ [GENERIC_CHID] = GENMASK(12, 5),
++ [GENERIC_EE] = GENMASK(16, 13),
++ /* Bits 17-23 reserved */
++ [GENERIC_PARAMS] = GENMASK(31, 24),
+ };
+
+ REG_FIELDS(GENERIC_CMD, generic_cmd, 0x00025018 + 0x12000 * GSI_EE_AP);
+--
+2.53.0
+
--- /dev/null
+From eb69d1334041509d6491a2f46222a016c61a510f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 10:35:19 +0000
+Subject: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b120e4432f9f56c7103133d6a11245e617695adb ]
+
+lapbeth_data_transmit() expects the underlying device type
+to be ARPHRD_ETHER.
+
+Returning NOTIFY_BAD from lapbeth_device_event() makes sure
+bonding driver can not break this expectation.
+
+Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
+Reported-by: syzbot+d8c285748fa7292580a9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/69cd22a1.050a0220.70c3a.0002.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Martin Schiller <ms@dev.tdt.de>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260402103519.1201565-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lapbether.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index 56326f38fe8a3..da61716a66c46 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -444,33 +444,36 @@ static void lapbeth_free_device(struct lapbethdev *lapbeth)
+ static int lapbeth_device_event(struct notifier_block *this,
+ unsigned long event, void *ptr)
+ {
+- struct lapbethdev *lapbeth;
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
++ struct lapbethdev *lapbeth;
+
+ if (dev_net(dev) != &init_net)
+ return NOTIFY_DONE;
+
+- if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev))
++ lapbeth = lapbeth_get_x25_dev(dev);
++ if (!dev_is_ethdev(dev) && !lapbeth)
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
+ /* New ethernet device -> new LAPB interface */
+- if (!lapbeth_get_x25_dev(dev))
++ if (!lapbeth)
+ lapbeth_new_device(dev);
+ break;
+ case NETDEV_GOING_DOWN:
+ /* ethernet device closes -> close LAPB interface */
+- lapbeth = lapbeth_get_x25_dev(dev);
+ if (lapbeth)
+ dev_close(lapbeth->axdev);
+ break;
+ case NETDEV_UNREGISTER:
+ /* ethernet device disappears -> remove LAPB interface */
+- lapbeth = lapbeth_get_x25_dev(dev);
+ if (lapbeth)
+ lapbeth_free_device(lapbeth);
+ break;
++ case NETDEV_PRE_TYPE_CHANGE:
++ /* Our underlying device type must not change. */
++ if (lapbeth)
++ return NOTIFY_BAD;
+ }
+
+ return NOTIFY_DONE;
+--
+2.53.0
+
--- /dev/null
+From 32c82ac9255805b719b41dc37338fa979c0f0731 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 22:46:20 +0800
+Subject: net: sched: act_csum: validate nested VLAN headers
+
+From: Ruide Cao <caoruide123@gmail.com>
+
+[ Upstream commit c842743d073bdd683606cb414eb0ca84465dd834 ]
+
+tcf_csum_act() walks nested VLAN headers directly from skb->data when an
+skb still carries in-payload VLAN tags. The current code reads
+vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without
+first ensuring that the full VLAN header is present in the linear area.
+
+If only part of an inner VLAN header is linearized, accessing
+h_vlan_encapsulated_proto reads past the linear area, and the following
+skb_pull(VLAN_HLEN) may violate skb invariants.
+
+Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and
+pulling each nested VLAN header. If the header still is not fully
+available, drop the packet through the existing error path.
+
+Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Ruide Cao <caoruide123@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_csum.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c
+index 8ed285023a40a..e8583dc721b6a 100644
+--- a/net/sched/act_csum.c
++++ b/net/sched/act_csum.c
+@@ -603,8 +603,12 @@ TC_INDIRECT_SCOPE int tcf_csum_act(struct sk_buff *skb,
+ protocol = skb->protocol;
+ orig_vlan_tag_present = true;
+ } else {
+- struct vlan_hdr *vlan = (struct vlan_hdr *)skb->data;
++ struct vlan_hdr *vlan;
+
++ if (!pskb_may_pull(skb, VLAN_HLEN))
++ goto drop;
++
++ vlan = (struct vlan_hdr *)skb->data;
+ protocol = vlan->h_vlan_encapsulated_proto;
+ skb_pull(skb, VLAN_HLEN);
+ skb_reset_network_header(skb);
+--
+2.53.0
+
--- /dev/null
+From 017cfd493b44fe81be5e8fc8894072398aa992a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 11:29:39 +0100
+Subject: net: stmmac: Fix PTP ref clock for Tegra234
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+[ Upstream commit 1345e9f4e3f3bc7d8a0a2138ae29e205a857a555 ]
+
+Since commit 030ce919e114 ("net: stmmac: make sure that ptp_rate is not
+0 before configuring timestamping") was added the following error is
+observed on Tegra234:
+
+ ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate
+ WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed
+
+It turns out that the Tegra234 device-tree binding defines the PTP ref
+clock name as 'ptp-ref' and not 'ptp_ref' and the above commit now
+exposes this and that the PTP clock is not configured correctly.
+
+In order to update device-tree to use the correct 'ptp_ref' name, update
+the Tegra MGBE driver to use 'ptp_ref' by default and fallback to using
+'ptp-ref' if this clock name is present.
+
+Fixes: d8ca113724e7 ("net: stmmac: tegra: Add MGBE support")
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260401102941.17466-2-jonathanh@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/dwmac-tegra.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
+index 760405b805f40..e950016d10914 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c
+@@ -9,7 +9,7 @@
+ #include "stmmac_platform.h"
+
+ static const char *const mgbe_clks[] = {
+- "rx-pcs", "tx", "tx-pcs", "mac-divider", "mac", "mgbe", "ptp-ref", "mac"
++ "rx-pcs", "tx", "tx-pcs", "mac-divider", "mac", "mgbe", "ptp_ref", "mac"
+ };
+
+ struct tegra_mgbe {
+@@ -215,6 +215,7 @@ static int tegra_mgbe_probe(struct platform_device *pdev)
+ {
+ struct plat_stmmacenet_data *plat;
+ struct stmmac_resources res;
++ bool use_legacy_ptp = false;
+ struct tegra_mgbe *mgbe;
+ int irq, err, i;
+ u32 value;
+@@ -257,9 +258,23 @@ static int tegra_mgbe_probe(struct platform_device *pdev)
+ if (!mgbe->clks)
+ return -ENOMEM;
+
+- for (i = 0; i < ARRAY_SIZE(mgbe_clks); i++)
++ /* Older device-trees use 'ptp-ref' rather than 'ptp_ref'.
++ * Fall back when the legacy name is present.
++ */
++ if (of_property_match_string(pdev->dev.of_node, "clock-names",
++ "ptp-ref") >= 0)
++ use_legacy_ptp = true;
++
++ for (i = 0; i < ARRAY_SIZE(mgbe_clks); i++) {
+ mgbe->clks[i].id = mgbe_clks[i];
+
++ if (use_legacy_ptp && !strcmp(mgbe_clks[i], "ptp_ref")) {
++ dev_warn(mgbe->dev,
++ "Device-tree update needed for PTP clock!\n");
++ mgbe->clks[i].id = "ptp-ref";
++ }
++ }
++
+ err = devm_clk_bulk_get(mgbe->dev, ARRAY_SIZE(mgbe_clks), mgbe->clks);
+ if (err < 0)
+ return err;
+--
+2.53.0
+
--- /dev/null
+From 86cda283fb3ab8ed37ad64a53c13994474df9a23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2026 23:20:13 +0100
+Subject: net: txgbe: leave space for null terminators on property_entry
+
+From: Fabio Baltieri <fabio.baltieri@gmail.com>
+
+[ Upstream commit 5a37d228799b0ec2c277459c83c814a59d310bc3 ]
+
+Lists of struct property_entry are supposed to be terminated with an
+empty property, this driver currently seems to be allocating exactly the
+amount of entry used.
+
+Change the struct definition to leave an extra element for all
+property_entry.
+
+Fixes: c3e382ad6d15 ("net: txgbe: Add software nodes to support phylink")
+Signed-off-by: Fabio Baltieri <fabio.baltieri@gmail.com>
+Tested-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Link: https://patch.msgid.link/20260405222013.5347-1-fabio.baltieri@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h
+index 51199c355f95c..b0554c8f25213 100644
+--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h
++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h
+@@ -161,10 +161,10 @@ struct txgbe_nodes {
+ char i2c_name[32];
+ char sfp_name[32];
+ char phylink_name[32];
+- struct property_entry gpio_props[1];
+- struct property_entry i2c_props[3];
+- struct property_entry sfp_props[8];
+- struct property_entry phylink_props[2];
++ struct property_entry gpio_props[2];
++ struct property_entry i2c_props[4];
++ struct property_entry sfp_props[9];
++ struct property_entry phylink_props[3];
+ struct software_node_ref_args i2c_ref[1];
+ struct software_node_ref_args gpio0_ref[1];
+ struct software_node_ref_args gpio1_ref[1];
+--
+2.53.0
+
--- /dev/null
+From a24c33df38e899cdb72a3e7f97117d85a480091b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Apr 2026 17:39:47 +0800
+Subject: netfilter: ip6t_eui64: reject invalid MAC header for all packets
+
+From: Zhengchuan Liang <zcliangcn@gmail.com>
+
+[ Upstream commit fdce0b3590f724540795b874b4c8850c90e6b0a8 ]
+
+`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
+and compares it with the low 64 bits of the IPv6 source address.
+
+The existing guard only rejects an invalid MAC header when
+`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
+can still reach `eth_hdr(skb)` even when the MAC header is not valid.
+
+Fix this by removing the `par->fragoff != 0` condition so that packets
+with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/ip6t_eui64.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
+index d704f7ed300c2..da69a27e8332c 100644
+--- a/net/ipv6/netfilter/ip6t_eui64.c
++++ b/net/ipv6/netfilter/ip6t_eui64.c
+@@ -22,8 +22,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
+ unsigned char eui64[8];
+
+ if (!(skb_mac_header(skb) >= skb->head &&
+- skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
+- par->fragoff != 0) {
++ skb_mac_header(skb) + ETH_HLEN <= skb->data)) {
+ par->hotdrop = true;
+ return false;
+ }
+--
+2.53.0
+
--- /dev/null
+From fc289a653867b35723ec6a10eab48e8c80b51ed3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2026 14:20:57 -0700
+Subject: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE
+ terminator
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit 1f3083aec8836213da441270cdb1ab612dd82cf4 ]
+
+When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send()
+appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via
+nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put()
+helper only zeroes alignment padding after the payload, not the payload
+itself, so four bytes of stale kernel heap data are leaked to userspace
+in the NLMSG_DONE message body.
+
+Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes
+the nfgenmsg payload via nfnl_fill_hdr(), consistent with how
+__build_packet_message() already constructs NFULNL_MSG_PACKET headers.
+
+Fixes: 29c5d4afba51 ("[NETFILTER]: nfnetlink_log: fix sending of multipart messages")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_log.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
+index f96421ad14afb..3da32d2f68e09 100644
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -361,10 +361,10 @@ static void
+ __nfulnl_send(struct nfulnl_instance *inst)
+ {
+ if (inst->qlen > 1) {
+- struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0,
+- NLMSG_DONE,
+- sizeof(struct nfgenmsg),
+- 0);
++ struct nlmsghdr *nlh = nfnl_msg_put(inst->skb, 0, 0,
++ NLMSG_DONE, 0,
++ AF_UNSPEC, NFNETLINK_V0,
++ htons(inst->group_num));
+ if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n",
+ inst->skb->len, skb_tailroom(inst->skb))) {
+ kfree_skb(inst->skb);
+--
+2.53.0
+
--- /dev/null
+From 9eaead2c0dc37ead34f9792540b9a62f955bf291 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Mar 2026 14:10:55 +0100
+Subject: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
+ expiry
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit d3c0037ffe1273fa1961e779ff6906234d6cf53c ]
+
+New test case fails unexpectedly when avx2 matching functions are used.
+
+The test first loads a ranomly generated pipapo set
+with 'ipv4 . port' key, i.e. nft -f foo.
+
+This works. Then, it reloads the set after a flush:
+(echo flush set t s; cat foo) | nft -f -
+
+This is expected to work, because its the same set after all and it was
+already loaded once.
+
+But with avx2, this fails: nft reports a clashing element.
+
+The reported clash is of following form:
+
+ We successfully re-inserted
+ a . b
+ c . d
+
+Then we try to insert a . d
+
+avx2 finds the already existing a . d, which (due to 'flush set') is marked
+as invalid in the new generation. It skips the element and moves to next.
+
+Due to incorrect masking, the skip-step finds the next matching
+element *only considering the first field*,
+
+i.e. we return the already reinserted "a . b", even though the
+last field is different and the entry should not have been matched.
+
+No such error is reported for the generic c implementation (no avx2) or when
+the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.
+
+Bisection points to
+7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection")
+but that fix merely uncovers this bug.
+
+Before this commit, the wrong element is returned, but erronously
+reported as a full, identical duplicate.
+
+The root-cause is too early return in the avx2 match functions.
+When we process the last field, we should continue to process data
+until the entire input size has been consumed to make sure no stale
+bits remain in the map.
+
+Link: https://lore.kernel.org/netfilter-devel/20260321152506.037f68c0@elisabeth/
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_pipapo_avx2.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
+index be7c16c79f711..2a761a644d4da 100644
+--- a/net/netfilter/nft_set_pipapo_avx2.c
++++ b/net/netfilter/nft_set_pipapo_avx2.c
+@@ -242,7 +242,7 @@ static int nft_pipapo_avx2_lookup_4b_2(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -319,7 +319,7 @@ static int nft_pipapo_avx2_lookup_4b_4(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -414,7 +414,7 @@ static int nft_pipapo_avx2_lookup_4b_8(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -505,7 +505,7 @@ static int nft_pipapo_avx2_lookup_4b_12(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -641,7 +641,7 @@ static int nft_pipapo_avx2_lookup_4b_32(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -699,7 +699,7 @@ static int nft_pipapo_avx2_lookup_8b_1(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -764,7 +764,7 @@ static int nft_pipapo_avx2_lookup_8b_2(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -839,7 +839,7 @@ static int nft_pipapo_avx2_lookup_8b_4(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -925,7 +925,7 @@ static int nft_pipapo_avx2_lookup_8b_6(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+@@ -1019,7 +1019,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
+
+ b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last);
+ if (last)
+- return b;
++ ret = b;
+
+ if (unlikely(ret == -1))
+ ret = b / XSAVE_YMM_SIZE;
+--
+2.53.0
+
--- /dev/null
+From bc3d2c62a6577b2c64e956738b78dfe2234606b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Apr 2026 23:52:52 +0800
+Subject: netfilter: xt_multiport: validate range encoding in checkentry
+
+From: Ren Wei <n05ec@lzu.edu.cn>
+
+[ Upstream commit ff64c5bfef12461df8450e0f50bb693b5269c720 ]
+
+ports_match_v1() treats any non-zero pflags entry as the start of a
+port range and unconditionally consumes the next ports[] element as
+the range end.
+
+The checkentry path currently validates protocol, flags and count, but
+it does not validate the range encoding itself. As a result, malformed
+rules can mark the last slot as a range start or place two range starts
+back to back, leaving ports_match_v1() to step past the last valid
+ports[] element while interpreting the rule.
+
+Reject malformed multiport v1 rules in checkentry by validating that
+each range start has a following element and that the following element
+is not itself marked as another range start.
+
+Fixes: a89ecb6a2ef7 ("[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Yuhang Zheng <z1652074432@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_multiport.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
+index 44a00f5acde8a..a1691ff405d3c 100644
+--- a/net/netfilter/xt_multiport.c
++++ b/net/netfilter/xt_multiport.c
+@@ -105,6 +105,28 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
+ return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1]));
+ }
+
++static bool
++multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo)
++{
++ unsigned int i;
++
++ for (i = 0; i < multiinfo->count; i++) {
++ if (!multiinfo->pflags[i])
++ continue;
++
++ if (++i >= multiinfo->count)
++ return false;
++
++ if (multiinfo->pflags[i])
++ return false;
++
++ if (multiinfo->ports[i - 1] > multiinfo->ports[i])
++ return false;
++ }
++
++ return true;
++}
++
+ static inline bool
+ check(u_int16_t proto,
+ u_int8_t ip_invflags,
+@@ -127,8 +149,10 @@ static int multiport_mt_check(const struct xt_mtchk_param *par)
+ const struct ipt_ip *ip = par->entryinfo;
+ const struct xt_multiport_v1 *multiinfo = par->matchinfo;
+
+- return check(ip->proto, ip->invflags, multiinfo->flags,
+- multiinfo->count) ? 0 : -EINVAL;
++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count))
++ return -EINVAL;
++
++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL;
+ }
+
+ static int multiport_mt6_check(const struct xt_mtchk_param *par)
+@@ -136,8 +160,10 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par)
+ const struct ip6t_ip6 *ip = par->entryinfo;
+ const struct xt_multiport_v1 *multiinfo = par->matchinfo;
+
+- return check(ip->proto, ip->invflags, multiinfo->flags,
+- multiinfo->count) ? 0 : -EINVAL;
++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count))
++ return -EINVAL;
++
++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL;
+ }
+
+ static struct xt_match multiport_mt_reg[] __read_mostly = {
+--
+2.53.0
+
--- /dev/null
+From 0c4c63e8ef5dbb9c27e740ee227b69cb3a7b8f66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 12:21:48 +0800
+Subject: nfc: s3fwrn5: allocate rx skb before consuming bytes
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 5c14a19d5b1645cce1cb1252833d70b23635b632 ]
+
+s3fwrn82_uart_read() reports the number of accepted bytes to the serdev
+core. The current code consumes bytes into recv_skb and may already
+deliver a complete frame before allocating a fresh receive buffer.
+
+If that alloc_skb() fails, the callback returns 0 even though it has
+already consumed bytes, and it leaves recv_skb as NULL for the next
+receive callback. That breaks the receive_buf() accounting contract and
+can also lead to a NULL dereference on the next skb_put_u8().
+
+Allocate the receive skb lazily before consuming the next byte instead.
+If allocation fails, return the number of bytes already accepted.
+
+Fixes: 3f52c2cb7e3a ("nfc: s3fwrn5: Support a UART interface")
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Link: https://patch.msgid.link/20260402042148.65236-1-pengpeng@iscas.ac.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/s3fwrn5/uart.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nfc/s3fwrn5/uart.c b/drivers/nfc/s3fwrn5/uart.c
+index 82ea35d748a5d..dde1a87ed1e47 100644
+--- a/drivers/nfc/s3fwrn5/uart.c
++++ b/drivers/nfc/s3fwrn5/uart.c
+@@ -59,6 +59,12 @@ static int s3fwrn82_uart_read(struct serdev_device *serdev,
+ size_t i;
+
+ for (i = 0; i < count; i++) {
++ if (!phy->recv_skb) {
++ phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL);
++ if (!phy->recv_skb)
++ return i;
++ }
++
+ skb_put_u8(phy->recv_skb, *data++);
+
+ if (phy->recv_skb->len < S3FWRN82_NCI_HEADER)
+@@ -70,9 +76,7 @@ static int s3fwrn82_uart_read(struct serdev_device *serdev,
+
+ s3fwrn5_recv_frame(phy->common.ndev, phy->recv_skb,
+ phy->common.mode);
+- phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL);
+- if (!phy->recv_skb)
+- return 0;
++ phy->recv_skb = NULL;
+ }
+
+ return i;
+--
+2.53.0
+
--- /dev/null
+From 86ad5e3fb263118c591e51b345d7c78e5d294544 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 14:07:42 -0700
+Subject: PCI: hv: Set default NUMA node to 0 for devices without affinity info
+
+From: Long Li <longli@microsoft.com>
+
+[ Upstream commit 7b3b1e5a87b2f5e35c52b5386d7c327be869454f ]
+
+When hv_pci_assign_numa_node() processes a device that does not have
+HV_PCI_DEVICE_FLAG_NUMA_AFFINITY set or has an out-of-range
+virtual_numa_node, the device NUMA node is left unset. On x86_64,
+the uninitialized default happens to be 0, but on ARM64 it is
+NUMA_NO_NODE (-1).
+
+Tests show that when no NUMA information is available from the Hyper-V
+host, devices perform best when assigned to node 0. With NUMA_NO_NODE
+the kernel may spread work across NUMA nodes, which degrades
+performance on Hyper-V, particularly for high-throughput devices like
+MANA.
+
+Always set the device NUMA node to 0 before the conditional NUMA
+affinity check, so that devices get a performant default when the host
+provides no NUMA information, and behavior is consistent on both
+x86_64 and ARM64.
+
+Fixes: 999dd956d838 ("PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2")
+Signed-off-by: Long Li <longli@microsoft.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-hyperv.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
+index 4c34909810d8e..e379ed9b5d2eb 100644
+--- a/drivers/pci/controller/pci-hyperv.c
++++ b/drivers/pci/controller/pci-hyperv.c
+@@ -2371,6 +2371,14 @@ static void hv_pci_assign_numa_node(struct hv_pcibus_device *hbus)
+ if (!hv_dev)
+ continue;
+
++ /*
++ * If the Hyper-V host doesn't provide a NUMA node for the
++ * device, default to node 0. With NUMA_NO_NODE the kernel
++ * may spread work across NUMA nodes, which degrades
++ * performance on Hyper-V.
++ */
++ set_dev_node(&dev->dev, 0);
++
+ if (hv_dev->desc.flags & HV_PCI_DEVICE_FLAG_NUMA_AFFINITY &&
+ hv_dev->desc.virtual_numa_node < num_possible_nodes())
+ /*
+--
+2.53.0
+
--- /dev/null
+From 5e5719666771b068452a01360c45bb88b5e97689 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 10:40:48 -0700
+Subject: perf/x86/intel/uncore: Skip discovery table for offline dies
+
+From: Zide Chen <zide.chen@intel.com>
+
+[ Upstream commit 7b568e9eba2fad89a696f22f0413d44cf4a1f892 ]
+
+This warning can be triggered if NUMA is disabled and the system
+boots with fewer CPUs than the number of CPUs in die 0.
+
+WARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore]
+
+Currently, the discovery table continues to be parsed even if all CPUs
+in the associated die are offline. This can lead to an array overflow
+at "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which may
+trigger the warning above or cause other issues.
+
+Fixes: edae1f06c2cd ("perf/x86/intel/uncore: Parse uncore discovery tables")
+Reported-by: Steve Wahl <steve.wahl@hpe.com>
+Signed-off-by: Zide Chen <zide.chen@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Tested-by: Steve Wahl <steve.wahl@hpe.com>
+Link: https://patch.msgid.link/20260313174050.171704-3-zide.chen@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore_discovery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/events/intel/uncore_discovery.c b/arch/x86/events/intel/uncore_discovery.c
+index cb488e41807c7..3f6b20fa14eeb 100644
+--- a/arch/x86/events/intel/uncore_discovery.c
++++ b/arch/x86/events/intel/uncore_discovery.c
+@@ -319,7 +319,7 @@ bool intel_uncore_has_discovery_tables(int *ignore)
+ (val & UNCORE_DISCOVERY_DVSEC2_BIR_MASK) * UNCORE_DISCOVERY_BIR_STEP;
+
+ die = get_device_die_id(dev);
+- if (die < 0)
++ if ((die < 0) || (die >= uncore_max_dies()))
+ continue;
+
+ parse_discovery_table(dev, die, bar_offset, &parsed, ignore);
+--
+2.53.0
+
--- /dev/null
+From 4795fa30ffa75d0f9247ce8c0a2f1430d968c5fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 18:14:04 +0100
+Subject: pinctrl: intel: Fix the revision for new features (1kOhm PD, HW
+ debouncer)
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit a4337a24d13e9e3b98a113e71d6b80dc5ed5f8c4 ]
+
+The 1kOhm pull down and hardware debouncer are features of the revision 0.92
+of the Chassis specification. Fix that in the code accordingly.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/intel/pinctrl-intel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c
+index 9775f6be1c1e6..b1ce3daae8e85 100644
+--- a/drivers/pinctrl/intel/pinctrl-intel.c
++++ b/drivers/pinctrl/intel/pinctrl-intel.c
+@@ -1581,7 +1581,7 @@ static int intel_pinctrl_probe(struct platform_device *pdev,
+ value = readl(regs + REVID);
+ if (value == ~0u)
+ return -ENODEV;
+- if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x94) {
++ if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x92) {
+ community->features |= PINCTRL_FEATURE_DEBOUNCE;
+ community->features |= PINCTRL_FEATURE_1K_PD;
+ }
+--
+2.53.0
+
--- /dev/null
+From 83af31bb4773558b5949cc56efe335a62c1bbfd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Mar 2026 16:16:41 -0500
+Subject: platform/x86/amd: pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 1a9452c428a6b76f0b797bae21daa454fccef1a2 ]
+
+This platform is a similar vintage of platforms that had a BIOS bug
+leading to a 10s delay at resume from s0i3.
+
+Add a quirk for it.
+
+Reported-by: Imrane <ihalim.me@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221273
+Tested-by: Imrane <ihalim.me@gmail.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://patch.msgid.link/20260324211647.357924-1-mario.limonciello@amd.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/amd/pmc/pmc-quirks.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/amd/pmc/pmc-quirks.c b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+index a6006b4ec2cc0..a3921f8106c12 100644
+--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c
++++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+@@ -197,6 +197,15 @@ static const struct dmi_system_id fwbug_list[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "82XQ"),
+ }
+ },
++ /* https://bugzilla.kernel.org/show_bug.cgi?id=221273 */
++ {
++ .ident = "Thinkpad L14 Gen3",
++ .driver_data = &quirk_s2idle_bug,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "21C6"),
++ }
++ },
+ /* https://gitlab.freedesktop.org/drm/amd/-/issues/4434 */
+ {
+ .ident = "Lenovo Yoga 6 13ALC6",
+--
+2.53.0
+
--- /dev/null
+From 739c4ca8dadbc030f3c4aff8b4b11116f0febef2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Feb 2026 15:27:43 +0000
+Subject: RDMA/irdma: Fix double free related to rereg_user_mr
+
+From: Jacob Moroni <jmoroni@google.com>
+
+[ Upstream commit 29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2 ]
+
+If IB_MR_REREG_TRANS is set during rereg_user_mr, the
+umem will be released and a new one will be allocated
+in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans
+fails after the new umem is allocated, it releases the umem,
+but does not set iwmr->region to NULL. The problem is that
+this failure is propagated to the user, who will then call
+ibv_dereg_mr (as they should). Then, the dereg_mr path will
+see a non-NULL umem and attempt to call ib_umem_release again.
+
+Fix this by setting iwmr->region to NULL after ib_umem_release.
+
+Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region")
+Signed-off-by: Jacob Moroni <jmoroni@google.com>
+Link: https://patch.msgid.link/20260227152743.1183388-1-jmoroni@google.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/verbs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
+index 532b36b25e919..a18b249fe550e 100644
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -3209,6 +3209,7 @@ static int irdma_rereg_mr_trans(struct irdma_mr *iwmr, u64 start, u64 len,
+
+ err:
+ ib_umem_release(region);
++ iwmr->region = NULL;
+ return err;
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 1e0f8a254f8bbd35ea4b893828a0d5f22b7c1f4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2026 22:29:19 +0100
+Subject: selftests: net: bridge_vlan_mcast: wait for h1 before querier check
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit efaa71faf212324ecbf6d5339e9717fe53254f58 ]
+
+The querier-interval test adds h1 (currently a slave of the VRF created
+by simple_if_init) to a temporary bridge br1 acting as an outside IGMP
+querier. The kernel VRF driver (drivers/net/vrf.c) calls cycle_netdev()
+on every slave add and remove, toggling the interface admin-down then up.
+Phylink takes the PHY down during the admin-down half of that cycle.
+Since h1 and swp1 are cable-connected, swp1 also loses its link may need
+several seconds to re-negotiate.
+
+Use setup_wait_dev $h1 0 which waits for h1 to return to UP state, so the
+test can rely on the link being back up at this point.
+
+Fixes: 4d8610ee8bd77 ("selftests: net: bridge: add vlan mcast_querier_interval tests")
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Reviewed-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Link: https://patch.msgid.link/c830f130860fd2efae08bfb9e5b25fd028e58ce5.1775424423.git.daniel@makrotopia.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
+index 72dfbeaf56b92..e8031f68200ad 100755
+--- a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
++++ b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh
+@@ -414,6 +414,7 @@ vlmc_querier_intvl_test()
+ bridge vlan add vid 10 dev br1 self pvid untagged
+ ip link set dev $h1 master br1
+ ip link set dev br1 up
++ setup_wait_dev $h1 0
+ bridge vlan add vid 10 dev $h1 master
+ bridge vlan global set vid 10 dev br1 mcast_snooping 1 mcast_querier 1
+ sleep 2
+--
+2.53.0
+
--- /dev/null
+rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch
+asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch
+alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch
+alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch
+media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch
+alsa-asihpi-avoid-write-overflow-check-warning.patch
+asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch
+asoc-sof-topology-reject-invalid-vendor-array-size-i.patch
+can-mcp251x-add-error-handling-for-power-enable-in-o.patch
+btrfs-tracepoints-get-correct-superblock-from-dentry.patch
+alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch
+srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch
+netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch
+alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch
+wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch
+asoc-soc-core-call-missing-init_list_head-for-card_a.patch
+alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch
+fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch
+asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch
+pinctrl-intel-fix-the-revision-for-new-features-1koh.patch
+platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch
+hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch
+alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch
+hid-roccat-fix-use-after-free-in-roccat_report_event.patch
+ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch
+wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch
+asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch
+soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch
+arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch
+pci-hv-set-default-numa-node-to-0-for-devices-withou.patch
+drm-vc4-release-runtime-pm-reference-after-binding-v.patch
+drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch
+drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch
+drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch
+eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch
+net-sched-act_csum-validate-nested-vlan-headers.patch
+net-lapbether-handle-netdev_pre_type_change.patch
+ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch
+nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch
+net-stmmac-fix-ptp-ref-clock-for-tegra234.patch
+dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch
+tracing-probe-reject-non-closed-empty-immediate-stri.patch
+ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch
+e1000-check-return-value-of-e1000_read_eeprom.patch
+xsk-tighten-umem-headroom-validation-to-account-for-.patch
+xsk-respect-tailroom-for-zc-setups.patch
+xsk-fix-xdp_umem_sg_flag-issues.patch
+xsk-validate-mtu-against-usable-frame-size-on-bind.patch
+xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch
+xfrm_user-fix-info-leak-in-build_mapping.patch
+selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch
+ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch
+netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch
+netfilter-xt_multiport-validate-range-encoding-in-ch.patch
+netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch
+net-txgbe-leave-space-for-null-terminators-on-proper.patch
+af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch
+net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch
+net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch
+l2tp-drop-large-packets-with-udp-encap.patch
+gpio-tegra-fix-irq_release_resources-calling-enable-.patch
+perf-x86-intel-uncore-skip-discovery-table-for-offli.patch
+clockevents-prevent-timer-interrupt-starvation.patch
+crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch
--- /dev/null
+From ab8a9d1e5bb2ae8315948def4b74b9638b7dad68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jan 2026 16:37:56 +0800
+Subject: soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching
+
+From: Potin Lai <potin.lai.pt@gmail.com>
+
+[ Upstream commit 7ec1bd3d9be671d04325b9e06149b8813f6a4836 ]
+
+The siliconid_to_name() function currently masks the input silicon ID
+with 0xff00ffff, but compares it against unmasked table entries. This
+causes matching to fail if the table entries contain non-zero values in
+the bits covered by the mask (bits 16-23).
+
+Update the logic to apply the 0xff00ffff mask to the table entries
+during comparison. This ensures that only the relevant model and
+revision bits are considered, providing a consistent match across
+different manufacturing batches.
+
+[arj: Add Fixes: tag, fix 'soninfo' typo, clarify function reference]
+
+Fixes: e0218dca5787 ("soc: aspeed: Add soc info driver")
+Signed-off-by: Potin Lai <potin.lai.pt@gmail.com>
+Link: https://patch.msgid.link/20260122-soc_aspeed_name_fix-v1-1-33a847f2581c@gmail.com
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/aspeed/aspeed-socinfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspeed-socinfo.c
+index 67e9ac3d08ecc..a90b100f4d101 100644
+--- a/drivers/soc/aspeed/aspeed-socinfo.c
++++ b/drivers/soc/aspeed/aspeed-socinfo.c
+@@ -39,7 +39,7 @@ static const char *siliconid_to_name(u32 siliconid)
+ unsigned int i;
+
+ for (i = 0 ; i < ARRAY_SIZE(rev_table) ; ++i) {
+- if (rev_table[i].id == id)
++ if ((rev_table[i].id & 0xff00ffff) == id)
+ return rev_table[i].name;
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 0f6bb6e1c79ff359ace8bc2b5ab20a92133cbd6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 20:14:18 -0400
+Subject: srcu: Use irq_work to start GP in tiny SRCU
+
+From: Joel Fernandes <joelagnelf@nvidia.com>
+
+[ Upstream commit a6fc88b22bc8d12ad52e8412c667ec0f5bf055af ]
+
+Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(),
+which acquires the workqueue pool->lock.
+
+This causes a lockdep splat when call_srcu() is called with a scheduler
+lock held, due to:
+
+ call_srcu() [holding pi_lock]
+ srcu_gp_start_if_needed()
+ schedule_work() -> pool->lock
+
+ workqueue_init() / create_worker() [holding pool->lock]
+ wake_up_process() -> try_to_wake_up() -> pi_lock
+
+Also add irq_work_sync() to cleanup_srcu_struct() to prevent a
+use-after-free if a queued irq_work fires after cleanup begins.
+
+Tested with rcutorture SRCU-T and no lockdep warnings.
+
+[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work
+to start process_srcu()" ]
+
+Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
+Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Boqun Feng <boqun@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/srcutiny.h | 4 ++++
+ kernel/rcu/srcutiny.c | 19 ++++++++++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/srcutiny.h b/include/linux/srcutiny.h
+index 447133171d95f..bad5fd0f1ddb6 100644
+--- a/include/linux/srcutiny.h
++++ b/include/linux/srcutiny.h
+@@ -11,6 +11,7 @@
+ #ifndef _LINUX_SRCU_TINY_H
+ #define _LINUX_SRCU_TINY_H
+
++#include <linux/irq_work_types.h>
+ #include <linux/swait.h>
+
+ struct srcu_struct {
+@@ -24,18 +25,21 @@ struct srcu_struct {
+ struct rcu_head *srcu_cb_head; /* Pending callbacks: Head. */
+ struct rcu_head **srcu_cb_tail; /* Pending callbacks: Tail. */
+ struct work_struct srcu_work; /* For driving grace periods. */
++ struct irq_work srcu_irq_work; /* Defer schedule_work() to irq work. */
+ #ifdef CONFIG_DEBUG_LOCK_ALLOC
+ struct lockdep_map dep_map;
+ #endif /* #ifdef CONFIG_DEBUG_LOCK_ALLOC */
+ };
+
+ void srcu_drive_gp(struct work_struct *wp);
++void srcu_tiny_irq_work(struct irq_work *irq_work);
+
+ #define __SRCU_STRUCT_INIT(name, __ignored, ___ignored) \
+ { \
+ .srcu_wq = __SWAIT_QUEUE_HEAD_INITIALIZER(name.srcu_wq), \
+ .srcu_cb_tail = &name.srcu_cb_head, \
+ .srcu_work = __WORK_INITIALIZER(name.srcu_work, srcu_drive_gp), \
++ .srcu_irq_work = { .func = srcu_tiny_irq_work }, \
+ __SRCU_DEP_MAP_INIT(name) \
+ }
+
+diff --git a/kernel/rcu/srcutiny.c b/kernel/rcu/srcutiny.c
+index c38e5933a5d69..24aa302b3269a 100644
+--- a/kernel/rcu/srcutiny.c
++++ b/kernel/rcu/srcutiny.c
+@@ -9,6 +9,7 @@
+ */
+
+ #include <linux/export.h>
++#include <linux/irq_work.h>
+ #include <linux/mutex.h>
+ #include <linux/preempt.h>
+ #include <linux/rcupdate_wait.h>
+@@ -37,6 +38,7 @@ static int init_srcu_struct_fields(struct srcu_struct *ssp)
+ ssp->srcu_idx_max = 0;
+ INIT_WORK(&ssp->srcu_work, srcu_drive_gp);
+ INIT_LIST_HEAD(&ssp->srcu_work.entry);
++ init_irq_work(&ssp->srcu_irq_work, srcu_tiny_irq_work);
+ return 0;
+ }
+
+@@ -80,6 +82,7 @@ EXPORT_SYMBOL_GPL(init_srcu_struct);
+ void cleanup_srcu_struct(struct srcu_struct *ssp)
+ {
+ WARN_ON(ssp->srcu_lock_nesting[0] || ssp->srcu_lock_nesting[1]);
++ irq_work_sync(&ssp->srcu_irq_work);
+ flush_work(&ssp->srcu_work);
+ WARN_ON(ssp->srcu_gp_running);
+ WARN_ON(ssp->srcu_gp_waiting);
+@@ -156,6 +159,20 @@ void srcu_drive_gp(struct work_struct *wp)
+ }
+ EXPORT_SYMBOL_GPL(srcu_drive_gp);
+
++/*
++ * Use an irq_work to defer schedule_work() to avoid acquiring the workqueue
++ * pool->lock while the caller might hold scheduler locks, causing lockdep
++ * splats due to workqueue_init() doing a wakeup.
++ */
++void srcu_tiny_irq_work(struct irq_work *irq_work)
++{
++ struct srcu_struct *ssp;
++
++ ssp = container_of(irq_work, struct srcu_struct, srcu_irq_work);
++ schedule_work(&ssp->srcu_work);
++}
++EXPORT_SYMBOL_GPL(srcu_tiny_irq_work);
++
+ static void srcu_gp_start_if_needed(struct srcu_struct *ssp)
+ {
+ unsigned long cookie;
+@@ -166,7 +183,7 @@ static void srcu_gp_start_if_needed(struct srcu_struct *ssp)
+ WRITE_ONCE(ssp->srcu_idx_max, cookie);
+ if (!READ_ONCE(ssp->srcu_gp_running)) {
+ if (likely(srcu_init_done))
+- schedule_work(&ssp->srcu_work);
++ irq_work_queue(&ssp->srcu_irq_work);
+ else if (list_empty(&ssp->srcu_work.entry))
+ list_add(&ssp->srcu_work.entry, &srcu_boot_list);
+ }
+--
+2.53.0
+
--- /dev/null
+From e48ef72d3c5a4b6ea66a59068bade75711005b82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 00:03:15 +0800
+Subject: tracing/probe: reject non-closed empty immediate strings
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 4346be6577aaa04586167402ae87bbdbe32484a4 ]
+
+parse_probe_arg() accepts quoted immediate strings and passes the body
+after the opening quote to __parse_imm_string(). That helper currently
+computes strlen(str) and immediately dereferences str[len - 1], which
+underflows when the body is empty and not closed with double-quotation.
+
+Reject empty non-closed immediate strings before checking for the closing quote.
+
+Link: https://lore.kernel.org/all/20260401160315.88518-1-pengpeng@iscas.ac.cn/
+
+Fixes: a42e3c4de964 ("tracing/probe: Add immediate string parameter support")
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_probe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
+index 187b1fc403c13..d46a1033ba5b3 100644
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -1039,7 +1039,7 @@ static int __parse_imm_string(char *str, char **pbuf, int offs)
+ {
+ size_t len = strlen(str);
+
+- if (str[len - 1] != '"') {
++ if (!len || str[len - 1] != '"') {
+ trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE);
+ return -EINVAL;
+ }
+--
+2.53.0
+
--- /dev/null
+From 28afb338e08f3eb15850495ee53067a9f004cf4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 15:45:51 +0800
+Subject: wifi: brcmfmac: validate bsscfg indices in IF events
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ]
+
+brcmf_fweh_handle_if_event() validates the firmware-provided interface
+index before it touches drvr->iflist[], but it still uses the raw
+bsscfgidx field as an array index without a matching range check.
+
+Reject IF events whose bsscfg index does not fit in drvr->iflist[]
+before indexing the interface array.
+
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn
+[add missing wifi prefix]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+index dac7eb77799bd..e6be192dc0af2 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+@@ -151,6 +151,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr,
+ bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx);
+ return;
+ }
++ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) {
++ bphy_err(drvr, "invalid bsscfg index: %u\n",
++ ifevent->bsscfgidx);
++ return;
++ }
+
+ ifp = drvr->iflist[ifevent->bsscfgidx];
+
+--
+2.53.0
+
--- /dev/null
+From 9280e6eab1b6fb95348025543fc20ead048df420 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 16:08:45 +0800
+Subject: wifi: wl1251: validate packet IDs before indexing tx_frames
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+[ Upstream commit 0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 ]
+
+wl1251_tx_packet_cb() uses the firmware completion ID directly to index
+the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the
+completion block, and the callback does not currently verify that it
+fits the array before dereferencing it.
+
+Reject completion IDs that fall outside wl->tx_frames[] and keep the
+existing NULL check in the same guard. This keeps the fix local to the
+trust boundary and avoids touching the rest of the completion flow.
+
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl1251/tx.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c
+index 06dc74cc6cb52..2b316c78eefc9 100644
+--- a/drivers/net/wireless/ti/wl1251/tx.c
++++ b/drivers/net/wireless/ti/wl1251/tx.c
+@@ -402,12 +402,14 @@ static void wl1251_tx_packet_cb(struct wl1251 *wl,
+ int hdrlen;
+ u8 *frame;
+
+- skb = wl->tx_frames[result->id];
+- if (skb == NULL) {
+- wl1251_error("SKB for packet %d is NULL", result->id);
++ if (unlikely(result->id >= ARRAY_SIZE(wl->tx_frames) ||
++ wl->tx_frames[result->id] == NULL)) {
++ wl1251_error("invalid packet id %u", result->id);
+ return;
+ }
+
++ skb = wl->tx_frames[result->id];
++
+ info = IEEE80211_SKB_CB(skb);
+
+ if (!(info->flags & IEEE80211_TX_CTL_NO_ACK) &&
+--
+2.53.0
+
--- /dev/null
+From 8c03c101d25c0dc91011a41f81356f7c602a59b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 13:31:04 +0200
+Subject: xfrm: Wait for RCU readers during policy netns exit
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+[ Upstream commit 069daad4f2ae9c5c108131995529d5f02392c446 ]
+
+xfrm_policy_fini() frees the policy_bydst hash tables after flushing the
+policy work items and deleting all policies, but it does not wait for
+concurrent RCU readers to leave their read-side critical sections first.
+
+The policy_bydst tables are published via rcu_assign_pointer() and are
+looked up through rcu_dereference_check(), so netns teardown must also
+wait for an RCU grace period before freeing the table memory.
+
+Fix this by adding synchronize_rcu() before freeing the policy hash tables.
+
+Fixes: e1e551bc5630 ("xfrm: policy: prepare policy_bydst hash for rcu lookups")
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_policy.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 45851f822ec4a..82854aa258ea6 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -4215,6 +4215,8 @@ static void xfrm_policy_fini(struct net *net)
+ #endif
+ xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false);
+
++ synchronize_rcu();
++
+ WARN_ON(!list_empty(&net->xfrm.policy_all));
+
+ for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
+--
+2.53.0
+
--- /dev/null
+From 61209c82bd16f21b976b51726dae0cab2d5b2d0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2026 17:33:03 +0200
+Subject: xfrm_user: fix info leak in build_mapping()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit 1beb76b2053b68c491b78370794b8ff63c8f8c02 ]
+
+struct xfrm_usersa_id has a one-byte padding hole after the proto
+field, which ends up never getting set to zero before copying out to
+userspace. Fix that up by zeroing out the whole structure before
+setting individual variables.
+
+Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink")
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Simon Horman <horms@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 74bee718573db..fd6330984f881 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -3790,6 +3790,7 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x,
+
+ um = nlmsg_data(nlh);
+
++ memset(&um->id, 0, sizeof(um->id));
+ memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr));
+ um->id.spi = x->id.spi;
+ um->id.family = x->props.family;
+--
+2.53.0
+
--- /dev/null
+From 8fa72989bfc3d57e2afcd575e95086ba7e688cef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:53 +0200
+Subject: xsk: fix XDP_UMEM_SG_FLAG issues
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 93e84fe45b752d17a5a46b306ed78f0133bbc719 ]
+
+Currently xp_assign_dev_shared() is missing XDP_USE_SG being propagated
+to flags so set it in order to preserve mtu check that is supposed to be
+done only when no multi-buffer setup is in picture.
+
+Also, this flag has the same value as XDP_UMEM_TX_SW_CSUM so we could
+get unexpected SG setups for software Tx checksums. Since csum flag is
+UAPI, modify value of XDP_UMEM_SG_FLAG.
+
+Fixes: d609f3d228a8 ("xsk: add multi-buffer support for sockets sharing umem")
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-4-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xdp_sock.h | 2 +-
+ net/xdp/xsk_buff_pool.c | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/xdp_sock.h b/include/net/xdp_sock.h
+index 660c22521a292..84ff9bb4bfae4 100644
+--- a/include/net/xdp_sock.h
++++ b/include/net/xdp_sock.h
+@@ -14,7 +14,7 @@
+ #include <linux/mm.h>
+ #include <net/sock.h>
+
+-#define XDP_UMEM_SG_FLAG (1 << 1)
++#define XDP_UMEM_SG_FLAG BIT(3)
+
+ struct net_device;
+ struct xsk_queue;
+diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
+index 6789d99fd99e0..52c4204bc224e 100644
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -236,6 +236,10 @@ int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_sock *umem_xs,
+ return -EINVAL;
+
+ flags = umem->zc ? XDP_ZEROCOPY : XDP_COPY;
++
++ if (umem->flags & XDP_UMEM_SG_FLAG)
++ flags |= XDP_USE_SG;
++
+ if (umem_xs->pool->uses_need_wakeup)
+ flags |= XDP_USE_NEED_WAKEUP;
+
+--
+2.53.0
+
--- /dev/null
+From 946b41e1c0a6d277041fdcdfe3e8fa1fcdc88c28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:52 +0200
+Subject: xsk: respect tailroom for ZC setups
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 1ee1605138fc94cc8f8f273321dd2471c64977f9 ]
+
+Multi-buffer XDP stores information about frags in skb_shared_info that
+sits at the tailroom of a packet. The storage space is reserved via
+xdp_data_hard_end():
+
+ ((xdp)->data_hard_start + (xdp)->frame_sz - \
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)))
+
+and then we refer to it via macro below:
+
+static inline struct skb_shared_info *
+xdp_get_shared_info_from_buff(const struct xdp_buff *xdp)
+{
+ return (struct skb_shared_info *)xdp_data_hard_end(xdp);
+}
+
+Currently we do not respect this tailroom space in multi-buffer AF_XDP
+ZC scenario. To address this, introduce xsk_pool_get_tailroom() and use
+it within xsk_pool_get_rx_frame_size() which is used in ZC drivers to
+configure length of HW Rx buffer.
+
+Typically drivers on Rx Hw buffers side work on 128 byte alignment so
+let us align the value returned by xsk_pool_get_rx_frame_size() in order
+to avoid addressing this on driver's side. This addresses the fact that
+idpf uses mentioned function *before* pool->dev being set so we were at
+risk that after subtracting tailroom we would not provide 128-byte
+aligned value to HW.
+
+Since xsk_pool_get_rx_frame_size() is actively used in xsk_rcv_check()
+and __xsk_rcv(), add a variant of this routine that will not include 128
+byte alignment and therefore old behavior is preserved.
+
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-3-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xdp_sock_drv.h | 23 ++++++++++++++++++++++-
+ net/xdp/xsk.c | 4 ++--
+ 2 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/xdp_sock_drv.h b/include/net/xdp_sock_drv.h
+index 7dc08a4646242..f7c0ee03d4fa1 100644
+--- a/include/net/xdp_sock_drv.h
++++ b/include/net/xdp_sock_drv.h
+@@ -31,16 +31,37 @@ static inline u32 xsk_pool_get_headroom(struct xsk_buff_pool *pool)
+ return XDP_PACKET_HEADROOM + pool->headroom;
+ }
+
++static inline u32 xsk_pool_get_tailroom(bool mbuf)
++{
++ return mbuf ? SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) : 0;
++}
++
+ static inline u32 xsk_pool_get_chunk_size(struct xsk_buff_pool *pool)
+ {
+ return pool->chunk_size;
+ }
+
+-static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool)
++static inline u32 __xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool)
+ {
+ return xsk_pool_get_chunk_size(pool) - xsk_pool_get_headroom(pool);
+ }
+
++static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool)
++{
++ u32 frame_size = __xsk_pool_get_rx_frame_size(pool);
++ struct xdp_umem *umem = pool->umem;
++ bool mbuf;
++
++ /* Reserve tailroom only for zero-copy pools that opted into
++ * multi-buffer. The reserved area is used for skb_shared_info,
++ * matching the XDP core's xdp_data_hard_end() layout.
++ */
++ mbuf = pool->dev && (umem->flags & XDP_UMEM_SG_FLAG);
++ frame_size -= xsk_pool_get_tailroom(mbuf);
++
++ return ALIGN_DOWN(frame_size, 128);
++}
++
+ static inline u32 xsk_pool_get_rx_frag_step(struct xsk_buff_pool *pool)
+ {
+ return pool->unaligned ? 0 : xsk_pool_get_chunk_size(pool);
+diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
+index 9e1ac917f9708..aed8338d591de 100644
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -232,7 +232,7 @@ static u32 xsk_copy_xdp(void *to, void **from, u32 to_len,
+
+ static int __xsk_rcv(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len)
+ {
+- u32 frame_size = xsk_pool_get_rx_frame_size(xs->pool);
++ u32 frame_size = __xsk_pool_get_rx_frame_size(xs->pool);
+ void *copy_from = xsk_copy_xdp_start(xdp), *copy_to;
+ u32 from_len, meta_len, rem, num_desc;
+ struct xdp_buff_xsk *xskb;
+@@ -324,7 +324,7 @@ static int xsk_rcv_check(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len)
+ if (xs->dev != xdp->rxq->dev || xs->queue_id != xdp->rxq->queue_index)
+ return -EINVAL;
+
+- if (len > xsk_pool_get_rx_frame_size(xs->pool) && !xs->sg) {
++ if (len > __xsk_pool_get_rx_frame_size(xs->pool) && !xs->sg) {
+ xs->rx_dropped++;
+ return -ENOSPC;
+ }
+--
+2.53.0
+
--- /dev/null
+From df8382b47353d192dfb3425d09a9852f991bf7b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:51 +0200
+Subject: xsk: tighten UMEM headroom validation to account for tailroom and min
+ frame
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit a315e022a72d95ef5f1d4e58e903cb492b0ad931 ]
+
+The current headroom validation in xdp_umem_reg() could leave us with
+insufficient space dedicated to even receive minimum-sized ethernet
+frame. Furthermore if multi-buffer would come to play then
+skb_shared_info stored at the end of XSK frame would be corrupted.
+
+HW typically works with 128-aligned sizes so let us provide this value
+as bare minimum.
+
+Multi-buffer setting is known later in the configuration process so
+besides accounting for 128 bytes, let us also take care of tailroom space
+upfront.
+
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Fixes: 99e3a236dd43 ("xsk: Add missing check on user supplied headroom size")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-2-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xdp_umem.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
+index 06cead2b8e349..e3c3bab76a5d0 100644
+--- a/net/xdp/xdp_umem.c
++++ b/net/xdp/xdp_umem.c
+@@ -196,7 +196,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+ if (!unaligned_chunks && chunks_rem)
+ return -EINVAL;
+
+- if (headroom >= chunk_size - XDP_PACKET_HEADROOM)
++ if (headroom > chunk_size - XDP_PACKET_HEADROOM -
++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) - 128)
+ return -EINVAL;
+
+ umem->size = size;
+--
+2.53.0
+
--- /dev/null
+From 4ae892de6cccaa13e21ee66b3cacd213ba54ab67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2026 17:49:54 +0200
+Subject: xsk: validate MTU against usable frame size on bind
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 36ee60b569ba0dfb6f961333b90d19ab5b323fa9 ]
+
+AF_XDP bind currently accepts zero-copy pool configurations without
+verifying that the device MTU fits into the usable frame space provided
+by the UMEM chunk.
+
+This becomes a problem since we started to respect tailroom which is
+subtracted from chunk_size (among with headroom). 2k chunk size might
+not provide enough space for standard 1500 MTU, so let us catch such
+settings at bind time. Furthermore, validate whether underlying HW will
+be able to satisfy configured MTU wrt XSK's frame size multiplied by
+supported Rx buffer chain length (that is exposed via
+net_device::xdp_zc_max_segs).
+
+Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX")
+Reviewed-by: Björn Töpel <bjorn@kernel.org>
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://patch.msgid.link/20260402154958.562179-5-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xsk_buff_pool.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
+index 52c4204bc224e..bb9dfbe419e7c 100644
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -8,6 +8,8 @@
+ #include "xdp_umem.h"
+ #include "xsk.h"
+
++#define ETH_PAD_LEN (ETH_HLEN + 2 * VLAN_HLEN + ETH_FCS_LEN)
++
+ void xp_add_xsk(struct xsk_buff_pool *pool, struct xdp_sock *xs)
+ {
+ unsigned long flags;
+@@ -149,8 +151,12 @@ static void xp_disable_drv_zc(struct xsk_buff_pool *pool)
+ int xp_assign_dev(struct xsk_buff_pool *pool,
+ struct net_device *netdev, u16 queue_id, u16 flags)
+ {
++ u32 needed = netdev->mtu + ETH_PAD_LEN;
++ u32 segs = netdev->xdp_zc_max_segs;
++ bool mbuf = flags & XDP_USE_SG;
+ bool force_zc, force_copy;
+ struct netdev_bpf bpf;
++ u32 frame_size;
+ int err = 0;
+
+ ASSERT_RTNL();
+@@ -170,7 +176,7 @@ int xp_assign_dev(struct xsk_buff_pool *pool,
+ if (err)
+ return err;
+
+- if (flags & XDP_USE_SG)
++ if (mbuf)
+ pool->umem->flags |= XDP_UMEM_SG_FLAG;
+
+ if (flags & XDP_USE_NEED_WAKEUP)
+@@ -192,8 +198,24 @@ int xp_assign_dev(struct xsk_buff_pool *pool,
+ goto err_unreg_pool;
+ }
+
+- if (netdev->xdp_zc_max_segs == 1 && (flags & XDP_USE_SG)) {
+- err = -EOPNOTSUPP;
++ if (mbuf) {
++ if (segs == 1) {
++ err = -EOPNOTSUPP;
++ goto err_unreg_pool;
++ }
++ } else {
++ segs = 1;
++ }
++
++ /* open-code xsk_pool_get_rx_frame_size() as pool->dev is not
++ * set yet at this point; we are before getting down to driver
++ */
++ frame_size = __xsk_pool_get_rx_frame_size(pool) -
++ xsk_pool_get_tailroom(mbuf);
++ frame_size = ALIGN_DOWN(frame_size, 128);
++
++ if (needed > frame_size * segs) {
++ err = -EINVAL;
+ goto err_unreg_pool;
+ }
+
+--
+2.53.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
