--- /dev/null
+From 38f09c97340cd23f976242e6cb1e7aa4c8ed28d0 Mon Sep 17 00:00:00 2001
+From: Robert Marko <robert.marko@sartura.hr>
+Date: Tue, 27 Jan 2026 13:32:15 +0100
+Subject: arm64: dts: marvell: uDPU: add ethernet aliases
+
+From: Robert Marko <robert.marko@sartura.hr>
+
+commit 38f09c97340cd23f976242e6cb1e7aa4c8ed28d0 upstream.
+
+On eDPU plus, which is an updated revision of eDPU which uses an external
+MV88E6361 switch we are relying on U-Boot to detect the board, and then
+enable and disable the required nodes for that revision.
+
+However, it seems that I missed adding the required aliases for ethernet
+controllers, and this worked as in OpenWrt we had added those locally.
+
+Cc: stable@vger.kernel.org
+Fixes: 660b8b2f3944 ("arm64: dts: marvell: eDPU: add support for version with external switch")
+Signed-off-by: Robert Marko <robert.marko@sartura.hr>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi
++++ b/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi
+@@ -15,6 +15,11 @@
+ #include "armada-372x.dtsi"
+
+ / {
++ aliases {
++ ethernet0 = ð0;
++ ethernet1 = ð1;
++ };
++
+ chosen {
+ stdout-path = "serial0:115200n8";
+ };
--- /dev/null
+From ad3ac32a3893a2bbcad545efc005a8e4e7ecf10c Mon Sep 17 00:00:00 2001
+From: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Date: Thu, 2 Apr 2026 18:42:20 +0200
+Subject: drm/arcpgu: fix device node leak
+
+From: Luca Ceresoli <luca.ceresoli@bootlin.com>
+
+commit ad3ac32a3893a2bbcad545efc005a8e4e7ecf10c upstream.
+
+This function gets a device_node reference via
+of_graph_get_remote_port_parent() and stores it in encoder_node, but never
+puts that reference. Add it.
+
+There used to be a of_node_put(encoder_node) but it has been removed by
+mistake during a rework in commit 3ea66a794fdc ("drm/arc: Inline
+arcpgu_drm_hdmi_init").
+
+Fixes: 3ea66a794fdc ("drm/arc: Inline arcpgu_drm_hdmi_init")
+Cc: stable@vger.kernel.org
+Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com>
+Link: https://patch.msgid.link/20260402-drm-arcgpu-fix-device-node-leak-v2-1-d773cf754ae5@bootlin.com
+Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tiny/arcpgu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/tiny/arcpgu.c
++++ b/drivers/gpu/drm/tiny/arcpgu.c
+@@ -248,7 +248,8 @@ DEFINE_DRM_GEM_DMA_FOPS(arcpgu_drm_ops);
+ static int arcpgu_load(struct arcpgu_drm_private *arcpgu)
+ {
+ struct platform_device *pdev = to_platform_device(arcpgu->drm.dev);
+- struct device_node *encoder_node = NULL, *endpoint_node = NULL;
++ struct device_node *encoder_node __free(device_node) = NULL;
++ struct device_node *endpoint_node = NULL;
+ struct drm_connector *connector = NULL;
+ struct drm_device *drm = &arcpgu->drm;
+ struct resource *res;
--- /dev/null
+From 4f96b7c68a9904e01049ef610d701b382dca9574 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Wed, 25 Mar 2026 18:19:15 -0700
+Subject: extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 4f96b7c68a9904e01049ef610d701b382dca9574 upstream.
+
+A recent strengthening of -Wunused-but-set-variable (enabled with -Wall)
+in clang under a new subwarning, -Wunused-but-set-global, points out an
+unused static global variable in certs/extract-cert.c:
+
+ certs/extract-cert.c:46:20: error: variable 'key_pass' set but not used [-Werror,-Wunused-but-set-global]
+ 46 | static const char *key_pass;
+ | ^
+
+After commit 558bdc45dfb2 ("sign-file,extract-cert: use pkcs11 provider
+for OPENSSL MAJOR >= 3"), key_pass is only used with the OpenSSL engine
+API, not the new provider API. Wrap key_pass's declaration and
+assignment with '#ifdef USE_PKCS11_ENGINE' so that it is only included
+with its use to clear up the warning. While this is a little uglier than
+just marking key_pass with the unused attribute, this will make it
+easier to clean up all code associated with the use of the engine API if
+it were ever removed in the future. While in the area, use a tab for
+the key_pass assignment line to match the rest of the file.
+
+Cc: stable@vger.kernel.org
+Fixes: 558bdc45dfb2 ("sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3")
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Tested-by: Nick Desaulniers <ndesaulniers@google.com>
+Link: https://patch.msgid.link/20260325-certs-extract-cert-key_pass-unused-but-set-global-v1-1-ecf94326d532@kernel.org
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ certs/extract-cert.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/certs/extract-cert.c
++++ b/certs/extract-cert.c
+@@ -43,7 +43,9 @@ void format(void)
+ exit(2);
+ }
+
++#ifdef USE_PKCS11_ENGINE
+ static const char *key_pass;
++#endif
+ static BIO *wb;
+ static char *cert_dst;
+ static bool verbose;
+@@ -135,7 +137,9 @@ int main(int argc, char **argv)
+ if (verbose_env && strchr(verbose_env, '1'))
+ verbose = true;
+
+- key_pass = getenv("KBUILD_SIGN_PIN");
++#ifdef USE_PKCS11_ENGINE
++ key_pass = getenv("KBUILD_SIGN_PIN");
++#endif
+
+ if (argc != 3)
+ format();
--- /dev/null
+From 67bf002a2d7387a6312138210d0bd06e3cf4879b Mon Sep 17 00:00:00 2001
+From: Ruide Cao <caoruide123@gmail.com>
+Date: Tue, 21 Apr 2026 12:16:31 +0800
+Subject: ipv4: icmp: validate reply type before using icmp_pointers
+
+From: Ruide Cao <caoruide123@gmail.com>
+
+commit 67bf002a2d7387a6312138210d0bd06e3cf4879b upstream.
+
+Extended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type.
+That value is outside the range covered by icmp_pointers[], which only
+describes the traditional ICMP types up to NR_ICMP_TYPES.
+
+Avoid consulting icmp_pointers[] for reply types outside that range, and
+use array_index_nospec() for the remaining in-range lookup. Normal ICMP
+replies keep their existing behavior unchanged.
+
+Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Ruide Cao <caoruide123@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/0dace90c01a5978e829ca741ef684dbd7304ce62.1776628519.git.caoruide123@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/icmp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -64,6 +64,7 @@
+ #include <linux/jiffies.h>
+ #include <linux/kernel.h>
+ #include <linux/fcntl.h>
++#include <linux/nospec.h>
+ #include <linux/socket.h>
+ #include <linux/in.h>
+ #include <linux/inet.h>
+@@ -361,7 +362,9 @@ static int icmp_glue_bits(void *from, ch
+ to, len);
+
+ skb->csum = csum_block_add(skb->csum, csum, odd);
+- if (icmp_pointers[icmp_param->data.icmph.type].error)
++ if (icmp_param->data.icmph.type <= NR_ICMP_TYPES &&
++ icmp_pointers[array_index_nospec(icmp_param->data.icmph.type,
++ NR_ICMP_TYPES + 1)].error)
+ nf_ct_attach(skb, icmp_param->skb);
+ return 0;
+ }
--- /dev/null
+From 5199c125d25aeae8615c4fc31652cc0fe624338e Mon Sep 17 00:00:00 2001
+From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Date: Wed, 18 Mar 2026 18:09:03 +0100
+Subject: libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
+
+From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+
+commit 5199c125d25aeae8615c4fc31652cc0fe624338e upstream.
+
+If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both
+protocol and result, this is currently not treated as an error. In case
+of ac->negotiating == true and ac->protocol > 0, this leads to setting
+ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for
+ac->protocol != protocol returns false, and init_protocol() is not
+called. Subsequently, ac->ops->handle_reply() is called, which leads to
+a null pointer dereference, because ac->ops is still NULL.
+
+This patch changes the check for ac->protocol != protocol to
+!ac->protocol, as this also includes the case when the protocol was set
+to zero in the message. This causes the message to be treated as
+containing a bad auth protocol.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/auth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ceph/auth.c
++++ b/net/ceph/auth.c
+@@ -245,7 +245,7 @@ int ceph_handle_auth_reply(struct ceph_a
+ ac->protocol = 0;
+ ac->ops = NULL;
+ }
+- if (ac->protocol != protocol) {
++ if (!ac->protocol) {
+ ret = init_protocol(ac, protocol);
+ if (ret) {
+ pr_err("auth protocol '%s' init failed: %d\n",
--- /dev/null
+From 37e57e8ad96cdec4a57b55fd10bef50f7370a954 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Wed, 22 Apr 2026 15:45:12 +0800
+Subject: LoongArch: Show CPU vulnerabilites correctly
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit 37e57e8ad96cdec4a57b55fd10bef50f7370a954 upstream.
+
+Most LoongArch processors are vulnerable to Spectre-V1 Proof-of-Concept
+(PoC). And the generic mechanism, __user pointer sanitization, can be
+used as a mitigation. This means to use array_index_nospec() to prevent
+out of boundry access in syscall and other critical paths.
+
+Implement the arch-specific cpu_show_spectre_v1() to show CPU Spectre-V1
+vulnerabilites correctly.
+
+Cc: stable@vger.kernel.org
+Link: https://cc-sw.com/chinese-loongarch-architecture-evaluation-part-3-of-3/
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kernel/cpu-probe.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/loongarch/kernel/cpu-probe.c
++++ b/arch/loongarch/kernel/cpu-probe.c
+@@ -7,6 +7,7 @@
+ #include <linux/init.h>
+ #include <linux/kernel.h>
+ #include <linux/ptrace.h>
++#include <linux/cpu.h>
+ #include <linux/smp.h>
+ #include <linux/stddef.h>
+ #include <linux/export.h>
+@@ -352,3 +353,9 @@ void cpu_probe(void)
+
+ cpu_report();
+ }
++
++ssize_t cpu_show_spectre_v1(struct device *dev,
++ struct device_attribute *attr, char *buf)
++{
++ return sysfs_emit(buf, "Mitigation: __user pointer sanitization\n");
++}
--- /dev/null
+From 22230e68b2cf1ab6b027be8cf1198164a949c4fa Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@nabladev.com>
+Date: Thu, 16 Apr 2026 01:09:45 +0200
+Subject: net: ks8851: Avoid excess softirq scheduling
+
+From: Marek Vasut <marex@nabladev.com>
+
+commit 22230e68b2cf1ab6b027be8cf1198164a949c4fa upstream.
+
+The code injects a packet into netif_rx() repeatedly, which will add
+it to its internal NAPI and schedule a softirq, and process it. It is
+more efficient to queue multiple packets and process them all at the
+local_bh_enable() time.
+
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Fixes: e0863634bf9f ("net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marek Vasut <marex@nabladev.com>
+Link: https://patch.msgid.link/20260415231020.455298-2-marex@nabladev.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/micrel/ks8851_common.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/micrel/ks8851_common.c
++++ b/drivers/net/ethernet/micrel/ks8851_common.c
+@@ -389,9 +389,12 @@ static irqreturn_t ks8851_irq(int irq, v
+ if (status & IRQ_LCI)
+ mii_check_link(&ks->mii);
+
+- if (status & IRQ_RXI)
++ if (status & IRQ_RXI) {
++ local_bh_disable();
+ while ((skb = __skb_dequeue(&rxq)))
+ netif_rx(skb);
++ local_bh_enable();
++ }
+
+ return IRQ_HANDLED;
+ }
--- /dev/null
+From 5c9fcac3c872224316714d0d8914d9af16c76a6d Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@nabladev.com>
+Date: Thu, 16 Apr 2026 01:09:44 +0200
+Subject: net: ks8851: Reinstate disabling of BHs around IRQ handler
+
+From: Marek Vasut <marex@nabladev.com>
+
+commit 5c9fcac3c872224316714d0d8914d9af16c76a6d upstream.
+
+If the driver executes ks8851_irq() AND a TX packet has been sent, then
+the driver enables TX queue via netif_wake_queue() which schedules TX
+softirq to queue packets for this device.
+
+If CONFIG_PREEMPT_RT=y is set AND a packet has also been received by
+the MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to
+allocate SKBs for the received packets. If netdev_alloc_skb_ip_align()
+is called with BH enabled, then local_bh_enable() at the end of
+netdev_alloc_skb_ip_align() will trigger the pending softirq processing,
+which may ultimately call the .xmit callback ks8851_start_xmit_par().
+The ks8851_start_xmit_par() will try to lock struct ks8851_net_par
+.lock spinlock, which is already locked by ks8851_irq() from which
+ks8851_start_xmit_par() was called. This leads to a deadlock, which
+is reported by the kernel, including a trace listed below.
+
+If CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0
+("net: ks8851: Fix deadlock with the SPI chip variant") the deadlock
+can also be triggered without received packet in the RX FIFO. The
+pending softirqs will be processed on return from
+spin_unlock_bh(&ks->statelock) in ks8851_irq(), which triggers the
+deadlock as well.
+
+Fix the problem by disabling BH around critical sections, including the
+IRQ handler, thus preventing the net_tx_action() softirq from triggering
+during these critical sections. The net_tx_action() softirq is triggered
+once BH are re-enabled and at the end of the IRQ handler, once all the
+other IRQ handler actions have been completed.
+
+ __schedule from schedule_rtlock+0x1c/0x34
+ schedule_rtlock from rtlock_slowlock_locked+0x548/0x904
+ rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c
+ rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8
+ ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44
+ netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188
+ dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c
+ sch_direct_xmit from __qdisc_run+0x1f8/0x4ec
+ __qdisc_run from qdisc_run+0x1c/0x28
+ qdisc_run from net_tx_action+0x1f0/0x268
+ net_tx_action from handle_softirqs+0x1a4/0x270
+ handle_softirqs from __local_bh_enable_ip+0xcc/0xe0
+ __local_bh_enable_ip from __alloc_skb+0xd8/0x128
+ __alloc_skb from __netdev_alloc_skb+0x3c/0x19c
+ __netdev_alloc_skb from ks8851_irq+0x388/0x4d4
+ ks8851_irq from irq_thread_fn+0x24/0x64
+ irq_thread_fn from irq_thread+0x178/0x28c
+ irq_thread from kthread+0x12c/0x138
+ kthread from ret_from_fork+0x14/0x28
+
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Fixes: e0863634bf9f ("net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marek Vasut <marex@nabladev.com>
+Link: https://patch.msgid.link/20260415231020.455298-1-marex@nabladev.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/micrel/ks8851.h | 6 --
+ drivers/net/ethernet/micrel/ks8851_common.c | 64 +++++++++++-----------------
+ drivers/net/ethernet/micrel/ks8851_par.c | 15 ++----
+ drivers/net/ethernet/micrel/ks8851_spi.c | 11 +---
+ 4 files changed, 38 insertions(+), 58 deletions(-)
+
+--- a/drivers/net/ethernet/micrel/ks8851.h
++++ b/drivers/net/ethernet/micrel/ks8851.h
+@@ -408,10 +408,8 @@ struct ks8851_net {
+ struct gpio_desc *gpio;
+ struct mii_bus *mii_bus;
+
+- void (*lock)(struct ks8851_net *ks,
+- unsigned long *flags);
+- void (*unlock)(struct ks8851_net *ks,
+- unsigned long *flags);
++ void (*lock)(struct ks8851_net *ks);
++ void (*unlock)(struct ks8851_net *ks);
+ unsigned int (*rdreg16)(struct ks8851_net *ks,
+ unsigned int reg);
+ void (*wrreg16)(struct ks8851_net *ks,
+--- a/drivers/net/ethernet/micrel/ks8851_common.c
++++ b/drivers/net/ethernet/micrel/ks8851_common.c
+@@ -28,25 +28,23 @@
+ /**
+ * ks8851_lock - register access lock
+ * @ks: The chip state
+- * @flags: Spinlock flags
+ *
+ * Claim chip register access lock
+ */
+-static void ks8851_lock(struct ks8851_net *ks, unsigned long *flags)
++static void ks8851_lock(struct ks8851_net *ks)
+ {
+- ks->lock(ks, flags);
++ ks->lock(ks);
+ }
+
+ /**
+ * ks8851_unlock - register access unlock
+ * @ks: The chip state
+- * @flags: Spinlock flags
+ *
+ * Release chip register access lock
+ */
+-static void ks8851_unlock(struct ks8851_net *ks, unsigned long *flags)
++static void ks8851_unlock(struct ks8851_net *ks)
+ {
+- ks->unlock(ks, flags);
++ ks->unlock(ks);
+ }
+
+ /**
+@@ -129,11 +127,10 @@ static void ks8851_set_powermode(struct
+ static int ks8851_write_mac_addr(struct net_device *dev)
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+- unsigned long flags;
+ u16 val;
+ int i;
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+
+ /*
+ * Wake up chip in case it was powered off when stopped; otherwise,
+@@ -149,7 +146,7 @@ static int ks8851_write_mac_addr(struct
+ if (!netif_running(dev))
+ ks8851_set_powermode(ks, PMECR_PM_SOFTDOWN);
+
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+
+ return 0;
+ }
+@@ -163,12 +160,11 @@ static int ks8851_write_mac_addr(struct
+ static void ks8851_read_mac_addr(struct net_device *dev)
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+- unsigned long flags;
+ u8 addr[ETH_ALEN];
+ u16 reg;
+ int i;
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+
+ for (i = 0; i < ETH_ALEN; i += 2) {
+ reg = ks8851_rdreg16(ks, KS_MAR(i));
+@@ -177,7 +173,7 @@ static void ks8851_read_mac_addr(struct
+ }
+ eth_hw_addr_set(dev, addr);
+
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+ }
+
+ /**
+@@ -328,11 +324,10 @@ static irqreturn_t ks8851_irq(int irq, v
+ {
+ struct ks8851_net *ks = _ks;
+ struct sk_buff_head rxq;
+- unsigned long flags;
+ unsigned int status;
+ struct sk_buff *skb;
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+
+ status = ks8851_rdreg16(ks, KS_ISR);
+ ks8851_wrreg16(ks, KS_ISR, status);
+@@ -389,7 +384,7 @@ static irqreturn_t ks8851_irq(int irq, v
+ ks8851_wrreg16(ks, KS_RXCR1, rxc->rxcr1);
+ }
+
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+
+ if (status & IRQ_LCI)
+ mii_check_link(&ks->mii);
+@@ -421,7 +416,6 @@ static void ks8851_flush_tx_work(struct
+ static int ks8851_net_open(struct net_device *dev)
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+- unsigned long flags;
+ int ret;
+
+ ret = request_threaded_irq(dev->irq, NULL, ks8851_irq,
+@@ -434,7 +428,7 @@ static int ks8851_net_open(struct net_de
+
+ /* lock the card, even if we may not actually be doing anything
+ * else at the moment */
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+
+ netif_dbg(ks, ifup, ks->netdev, "opening\n");
+
+@@ -487,7 +481,7 @@ static int ks8851_net_open(struct net_de
+
+ netif_dbg(ks, ifup, ks->netdev, "network device up\n");
+
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+ mii_check_link(&ks->mii);
+ return 0;
+ }
+@@ -503,23 +497,22 @@ static int ks8851_net_open(struct net_de
+ static int ks8851_net_stop(struct net_device *dev)
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+- unsigned long flags;
+
+ netif_info(ks, ifdown, dev, "shutting down\n");
+
+ netif_stop_queue(dev);
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+ /* turn off the IRQs and ack any outstanding */
+ ks8851_wrreg16(ks, KS_IER, 0x0000);
+ ks8851_wrreg16(ks, KS_ISR, 0xffff);
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+
+ /* stop any outstanding work */
+ ks8851_flush_tx_work(ks);
+ flush_work(&ks->rxctrl_work);
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+ /* shutdown RX process */
+ ks8851_wrreg16(ks, KS_RXCR1, 0x0000);
+
+@@ -528,7 +521,7 @@ static int ks8851_net_stop(struct net_de
+
+ /* set powermode to soft power down to save power */
+ ks8851_set_powermode(ks, PMECR_PM_SOFTDOWN);
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+
+ /* ensure any queued tx buffers are dumped */
+ while (!skb_queue_empty(&ks->txq)) {
+@@ -582,14 +575,13 @@ static netdev_tx_t ks8851_start_xmit(str
+ static void ks8851_rxctrl_work(struct work_struct *work)
+ {
+ struct ks8851_net *ks = container_of(work, struct ks8851_net, rxctrl_work);
+- unsigned long flags;
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+
+ /* need to shutdown RXQ before modifying filter parameters */
+ ks8851_wrreg16(ks, KS_RXCR1, 0x00);
+
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+ }
+
+ static void ks8851_set_rx_mode(struct net_device *dev)
+@@ -796,7 +788,6 @@ static int ks8851_set_eeprom(struct net_
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+ int offset = ee->offset;
+- unsigned long flags;
+ int len = ee->len;
+ u16 tmp;
+
+@@ -810,7 +801,7 @@ static int ks8851_set_eeprom(struct net_
+ if (!(ks->rc_ccr & CCR_EEPROM))
+ return -ENOENT;
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+
+ ks8851_eeprom_claim(ks);
+
+@@ -833,7 +824,7 @@ static int ks8851_set_eeprom(struct net_
+ eeprom_93cx6_wren(&ks->eeprom, false);
+
+ ks8851_eeprom_release(ks);
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+
+ return 0;
+ }
+@@ -843,7 +834,6 @@ static int ks8851_get_eeprom(struct net_
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+ int offset = ee->offset;
+- unsigned long flags;
+ int len = ee->len;
+
+ /* must be 2 byte aligned */
+@@ -853,7 +843,7 @@ static int ks8851_get_eeprom(struct net_
+ if (!(ks->rc_ccr & CCR_EEPROM))
+ return -ENOENT;
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+
+ ks8851_eeprom_claim(ks);
+
+@@ -861,7 +851,7 @@ static int ks8851_get_eeprom(struct net_
+
+ eeprom_93cx6_multiread(&ks->eeprom, offset/2, (__le16 *)data, len/2);
+ ks8851_eeprom_release(ks);
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+
+ return 0;
+ }
+@@ -920,7 +910,6 @@ static int ks8851_phy_reg(int reg)
+ static int ks8851_phy_read_common(struct net_device *dev, int phy_addr, int reg)
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+- unsigned long flags;
+ int result;
+ int ksreg;
+
+@@ -928,9 +917,9 @@ static int ks8851_phy_read_common(struct
+ if (ksreg < 0)
+ return ksreg;
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+ result = ks8851_rdreg16(ks, ksreg);
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+
+ return result;
+ }
+@@ -965,14 +954,13 @@ static void ks8851_phy_write(struct net_
+ int phy, int reg, int value)
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+- unsigned long flags;
+ int ksreg;
+
+ ksreg = ks8851_phy_reg(reg);
+ if (ksreg >= 0) {
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+ ks8851_wrreg16(ks, ksreg, value);
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+ }
+ }
+
+--- a/drivers/net/ethernet/micrel/ks8851_par.c
++++ b/drivers/net/ethernet/micrel/ks8851_par.c
+@@ -55,29 +55,27 @@ struct ks8851_net_par {
+ /**
+ * ks8851_lock_par - register access lock
+ * @ks: The chip state
+- * @flags: Spinlock flags
+ *
+ * Claim chip register access lock
+ */
+-static void ks8851_lock_par(struct ks8851_net *ks, unsigned long *flags)
++static void ks8851_lock_par(struct ks8851_net *ks)
+ {
+ struct ks8851_net_par *ksp = to_ks8851_par(ks);
+
+- spin_lock_irqsave(&ksp->lock, *flags);
++ spin_lock_bh(&ksp->lock);
+ }
+
+ /**
+ * ks8851_unlock_par - register access unlock
+ * @ks: The chip state
+- * @flags: Spinlock flags
+ *
+ * Release chip register access lock
+ */
+-static void ks8851_unlock_par(struct ks8851_net *ks, unsigned long *flags)
++static void ks8851_unlock_par(struct ks8851_net *ks)
+ {
+ struct ks8851_net_par *ksp = to_ks8851_par(ks);
+
+- spin_unlock_irqrestore(&ksp->lock, *flags);
++ spin_unlock_bh(&ksp->lock);
+ }
+
+ /**
+@@ -233,7 +231,6 @@ static netdev_tx_t ks8851_start_xmit_par
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+ netdev_tx_t ret = NETDEV_TX_OK;
+- unsigned long flags;
+ unsigned int txqcr;
+ u16 txmir;
+ int err;
+@@ -241,7 +238,7 @@ static netdev_tx_t ks8851_start_xmit_par
+ netif_dbg(ks, tx_queued, ks->netdev,
+ "%s: skb %p, %d@%p\n", __func__, skb, skb->len, skb->data);
+
+- ks8851_lock_par(ks, &flags);
++ ks8851_lock_par(ks);
+
+ txmir = ks8851_rdreg16_par(ks, KS_TXMIR) & 0x1fff;
+
+@@ -262,7 +259,7 @@ static netdev_tx_t ks8851_start_xmit_par
+ ret = NETDEV_TX_BUSY;
+ }
+
+- ks8851_unlock_par(ks, &flags);
++ ks8851_unlock_par(ks);
+
+ return ret;
+ }
+--- a/drivers/net/ethernet/micrel/ks8851_spi.c
++++ b/drivers/net/ethernet/micrel/ks8851_spi.c
+@@ -73,11 +73,10 @@ struct ks8851_net_spi {
+ /**
+ * ks8851_lock_spi - register access lock
+ * @ks: The chip state
+- * @flags: Spinlock flags
+ *
+ * Claim chip register access lock
+ */
+-static void ks8851_lock_spi(struct ks8851_net *ks, unsigned long *flags)
++static void ks8851_lock_spi(struct ks8851_net *ks)
+ {
+ struct ks8851_net_spi *kss = to_ks8851_spi(ks);
+
+@@ -87,11 +86,10 @@ static void ks8851_lock_spi(struct ks885
+ /**
+ * ks8851_unlock_spi - register access unlock
+ * @ks: The chip state
+- * @flags: Spinlock flags
+ *
+ * Release chip register access lock
+ */
+-static void ks8851_unlock_spi(struct ks8851_net *ks, unsigned long *flags)
++static void ks8851_unlock_spi(struct ks8851_net *ks)
+ {
+ struct ks8851_net_spi *kss = to_ks8851_spi(ks);
+
+@@ -311,7 +309,6 @@ static void ks8851_tx_work(struct work_s
+ struct ks8851_net_spi *kss;
+ unsigned short tx_space;
+ struct ks8851_net *ks;
+- unsigned long flags;
+ struct sk_buff *txb;
+ bool last;
+
+@@ -319,7 +316,7 @@ static void ks8851_tx_work(struct work_s
+ ks = &kss->ks8851;
+ last = skb_queue_empty(&ks->txq);
+
+- ks8851_lock_spi(ks, &flags);
++ ks8851_lock_spi(ks);
+
+ while (!last) {
+ txb = skb_dequeue(&ks->txq);
+@@ -345,7 +342,7 @@ static void ks8851_tx_work(struct work_s
+ ks->tx_space = tx_space;
+ spin_unlock_bh(&ks->statelock);
+
+- ks8851_unlock_spi(ks, &flags);
++ ks8851_unlock_spi(ks);
+ }
+
+ /**
--- /dev/null
+From 68efba36446a7774ea5b971257ade049272a07ac Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+Date: Thu, 9 Apr 2026 23:04:14 +0530
+Subject: net: qrtr: ns: Free the node during ctrl_cmd_bye()
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+
+commit 68efba36446a7774ea5b971257ade049272a07ac upstream.
+
+A node sends the BYE packet when it is about to go down. So the nameserver
+should advertise the removal of the node to all remote and local observers
+and free the node finally. But currently, the nameserver doesn't free the
+node memory even after processing the BYE packet. This causes the node
+memory to leak.
+
+Hence, remove the node from Xarray list and free the node memory during
+both success and failure case of ctrl_cmd_bye().
+
+Cc: stable@vger.kernel.org
+Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260409-qrtr-fix-v3-3-00a8a5ff2b51@oss.qualcomm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/qrtr/ns.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+--- a/net/qrtr/ns.c
++++ b/net/qrtr/ns.c
+@@ -342,7 +342,7 @@ static int ctrl_cmd_bye(struct sockaddr_
+ struct qrtr_node *node;
+ unsigned long index;
+ struct kvec iv;
+- int ret;
++ int ret = 0;
+
+ iv.iov_base = &pkt;
+ iv.iov_len = sizeof(pkt);
+@@ -357,8 +357,10 @@ static int ctrl_cmd_bye(struct sockaddr_
+
+ /* Advertise the removal of this client to all local servers */
+ local_node = node_get(qrtr_ns.local_node);
+- if (!local_node)
+- return 0;
++ if (!local_node) {
++ ret = 0;
++ goto delete_node;
++ }
+
+ memset(&pkt, 0, sizeof(pkt));
+ pkt.cmd = cpu_to_le32(QRTR_TYPE_BYE);
+@@ -375,10 +377,18 @@ static int ctrl_cmd_bye(struct sockaddr_
+ ret = kernel_sendmsg(qrtr_ns.sock, &msg, &iv, 1, sizeof(pkt));
+ if (ret < 0 && ret != -ENODEV) {
+ pr_err("failed to send bye cmd\n");
+- return ret;
++ goto delete_node;
+ }
+ }
+- return 0;
++
++ /* Ignore -ENODEV */
++ ret = 0;
++
++delete_node:
++ xa_erase(&nodes, from->sq_node);
++ kfree(node);
++
++ return ret;
+ }
+
+ static int ctrl_cmd_del_client(struct sockaddr_qrtr *from,
--- /dev/null
+From 8141a2dc70080eda1aedc0389ed2db2b292af5bd Mon Sep 17 00:00:00 2001
+From: Ao Zhou <draw51280@163.com>
+Date: Wed, 22 Apr 2026 22:52:07 +0800
+Subject: net: rds: fix MR cleanup on copy error
+
+From: Ao Zhou <draw51280@163.com>
+
+commit 8141a2dc70080eda1aedc0389ed2db2b292af5bd upstream.
+
+__rds_rdma_map() hands sg/pages ownership to the transport after
+get_mr() succeeds. If copying the generated cookie back to user space
+fails after that point, the error path must not free those resources
+again before dropping the MR reference.
+
+Remove the duplicate unpin/free from the put_user() failure branch so
+that MR teardown is handled only through the existing final cleanup
+path.
+
+Fixes: 0d4597c8c5ab ("net/rds: Track user mapped pages through special API")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Ao Zhou <draw51280@163.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Allison Henderson <achender@kernel.org>
+Link: https://patch.msgid.link/79c8ef73ec8e5844d71038983940cc2943099baf.1776764247.git.draw51280@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/rdma.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -326,10 +326,6 @@ static int __rds_rdma_map(struct rds_soc
+
+ if (args->cookie_addr &&
+ put_user(cookie, (u64 __user *)(unsigned long)args->cookie_addr)) {
+- if (!need_odp) {
+- unpin_user_pages(pages, nr_pages);
+- kfree(sg);
+- }
+ ret = -EFAULT;
+ goto out;
+ }
--- /dev/null
+From 5a8db80f721deee8e916c2cfdee78decda02ce4f Mon Sep 17 00:00:00 2001
+From: Ruijie Li <ruijieli51@gmail.com>
+Date: Wed, 22 Apr 2026 23:40:18 +0800
+Subject: net/smc: avoid early lgr access in smc_clc_wait_msg
+
+From: Ruijie Li <ruijieli51@gmail.com>
+
+commit 5a8db80f721deee8e916c2cfdee78decda02ce4f upstream.
+
+A CLC decline can be received while the handshake is still in an early
+stage, before the connection has been associated with a link group.
+
+The decline handling in smc_clc_wait_msg() updates link-group level sync
+state for first-contact declines, but that state only exists after link
+group setup has completed. Guard the link-group update accordingly and
+keep the per-socket peer diagnosis handling unchanged.
+
+This preserves the existing sync_err handling for established link-group
+contexts and avoids touching link-group state before it is available.
+
+Fixes: 0cfdd8f92cac ("smc: connection and link group creation")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Ruijie Li <ruijieli51@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
+Link: https://patch.msgid.link/08c68a5c817acf198cce63d22517e232e8d60718.1776850759.git.ruijieli51@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/smc_clc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/smc/smc_clc.c
++++ b/net/smc/smc_clc.c
+@@ -785,8 +785,8 @@ int smc_clc_wait_msg(struct smc_sock *sm
+ dclc = (struct smc_clc_msg_decline *)clcm;
+ reason_code = SMC_CLC_DECL_PEERDECL;
+ smc->peer_diagnosis = ntohl(dclc->peer_diagnosis);
+- if (((struct smc_clc_msg_decline *)buf)->hdr.typev2 &
+- SMC_FIRST_CONTACT_MASK) {
++ if ((dclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK) &&
++ smc->conn.lgr) {
+ smc->conn.lgr->sync_err = 1;
+ smc_lgr_terminate_sched(smc->conn.lgr);
+ }
--- /dev/null
+From c263f644add3d6ad81f9d62a99284fde408f0caa Mon Sep 17 00:00:00 2001
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+Date: Wed, 22 Apr 2026 15:18:37 +0800
+Subject: net: txgbe: fix firmware version check
+
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+
+commit c263f644add3d6ad81f9d62a99284fde408f0caa upstream.
+
+For the device SP, the firmware version is a 32-bit value where the
+lower 20 bits represent the base version number. And the customized
+firmware version populates the upper 12 bits with a specific
+identification number.
+
+For other devices AML 25G and 40G, the upper 12 bits of the firmware
+version is always non-zero, and they have other naming conventions.
+
+Only SP devices need to check this to tell if XPCS will work properly.
+So the judgement of MAC type is added here.
+
+And the original logic compared the entire 32-bit value against 0x20010,
+which caused the outdated base firmwares bypass the version check
+without a warning. Apply a mask 0xfffff to isolate the lower 20 bits for
+an accurate base version comparison.
+
+Fixes: ab928c24e6cd ("net: txgbe: add FW version warning")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/C787AA5C07598B13+20260422071837.372731-1-jiawenwu@trustnetic.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/wangxun/txgbe/txgbe_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c
++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c
+@@ -668,7 +668,8 @@ static int txgbe_probe(struct pci_dev *p
+ "0x%08x", etrack_id);
+ }
+
+- if (etrack_id < 0x20010)
++ if (wx->mac.type == wx_mac_sp &&
++ ((etrack_id & 0xfffff) < 0x20010))
+ dev_warn(&pdev->dev, "Please upgrade the firmware to 0x20010 or above.\n");
+
+ txgbe = devm_kzalloc(&pdev->dev, sizeof(*txgbe), GFP_KERNEL);
--- /dev/null
+From 7079c8c13f2d33992bc846240517d88f4ab07781 Mon Sep 17 00:00:00 2001
+From: Breno Leitao <leitao@debian.org>
+Date: Mon, 20 Apr 2026 03:18:36 -0700
+Subject: netconsole: avoid out-of-bounds access on empty string in trim_newline()
+
+From: Breno Leitao <leitao@debian.org>
+
+commit 7079c8c13f2d33992bc846240517d88f4ab07781 upstream.
+
+trim_newline() unconditionally dereferences s[len - 1] after computing
+len = strnlen(s, maxlen). When the string is empty, len is 0 and the
+expression underflows to s[(size_t)-1], reading (and potentially
+writing) one byte before the buffer.
+
+The two callers feed trim_newline() with the result of strscpy() from
+configfs store callbacks (dev_name_store, userdatum_value_store).
+configfs guarantees count >= 1 reaches the callback, but the byte
+itself can be NUL: a userspace write(fd, "\0", 1) leaves the
+destination empty after strscpy() and triggers the underflow. The OOB
+write only fires if the adjacent byte happens to be '\n', so this is
+not a security issue, but the access is undefined behaviour either way.
+
+This pattern is commonly flagged by LLM-based code reviewers. While it
+is not a security fix, the underlying access is undefined behaviour and
+the change is small and self-contained, so it is a reasonable candidate
+for the stable trees.
+
+Guard the dereference on a non-zero length.
+
+Fixes: ae001dc67907 ("net: netconsole: move newline trimming to function")
+Cc: stable@vger.kernel.org
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Reviewed-by: Gustavo Luiz Duarte <gustavold@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260420-netcons_trim_newline-v1-1-dc35889aeedf@debian.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/netconsole.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/netconsole.c
++++ b/drivers/net/netconsole.c
+@@ -300,6 +300,8 @@ static void trim_newline(char *s, size_t
+ size_t len;
+
+ len = strnlen(s, maxlen);
++ if (!len)
++ return;
+ if (s[len - 1] == '\n')
+ s[len - 1] = '\0';
+ }
--- /dev/null
+From 658342fd75b582cbb06544d513171c3d645faead Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Date: Fri, 20 Feb 2026 18:49:39 +0100
+Subject: power: supply: axp288_charger: Do not cancel work before initializing it
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+
+commit 658342fd75b582cbb06544d513171c3d645faead upstream.
+
+Driver registered devm handler to cancel_work_sync() before even the
+work was initialized, thus leading to possible warning from
+kernel/workqueue.c on (!work->func) check, if the error path was hit
+before the initialization happened.
+
+Use devm_work_autocancel() on each work item independently, which
+handles the initialization and handler to cancel work.
+
+Fixes: 165c2357744e ("power: supply: axp288_charger: Properly stop work on probe-error / remove")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
+Reviewed-by: Chen-Yu Tsai <wens@kernel.org>
+Link: https://patch.msgid.link/20260220174938.672883-5-krzysztof.kozlowski@oss.qualcomm.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/axp288_charger.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+--- a/drivers/power/supply/axp288_charger.c
++++ b/drivers/power/supply/axp288_charger.c
+@@ -10,6 +10,7 @@
+ #include <linux/acpi.h>
+ #include <linux/bitops.h>
+ #include <linux/module.h>
++#include <linux/devm-helpers.h>
+ #include <linux/device.h>
+ #include <linux/regmap.h>
+ #include <linux/workqueue.h>
+@@ -821,14 +822,6 @@ static int charger_init_hw_regs(struct a
+ return 0;
+ }
+
+-static void axp288_charger_cancel_work(void *data)
+-{
+- struct axp288_chrg_info *info = data;
+-
+- cancel_work_sync(&info->otg.work);
+- cancel_work_sync(&info->cable.work);
+-}
+-
+ static int axp288_charger_probe(struct platform_device *pdev)
+ {
+ int ret, i, pirq;
+@@ -911,12 +904,12 @@ static int axp288_charger_probe(struct p
+ }
+
+ /* Cancel our work on cleanup, register this before the notifiers */
+- ret = devm_add_action(dev, axp288_charger_cancel_work, info);
++ ret = devm_work_autocancel(dev, &info->cable.work,
++ axp288_charger_extcon_evt_worker);
+ if (ret)
+ return ret;
+
+ /* Register for extcon notification */
+- INIT_WORK(&info->cable.work, axp288_charger_extcon_evt_worker);
+ info->cable.nb.notifier_call = axp288_charger_handle_cable_evt;
+ ret = devm_extcon_register_notifier_all(dev, info->cable.edev,
+ &info->cable.nb);
+@@ -926,8 +919,12 @@ static int axp288_charger_probe(struct p
+ }
+ schedule_work(&info->cable.work);
+
++ ret = devm_work_autocancel(dev, &info->otg.work,
++ axp288_charger_otg_evt_worker);
++ if (ret)
++ return ret;
++
+ /* Register for OTG notification */
+- INIT_WORK(&info->otg.work, axp288_charger_otg_evt_worker);
+ info->otg.id_nb.notifier_call = axp288_charger_handle_otg_evt;
+ if (info->otg.cable) {
+ ret = devm_extcon_register_notifier(dev, info->otg.cable,
--- /dev/null
+From 7244491dab347f648e661da96dc0febadd9daec3 Mon Sep 17 00:00:00 2001
+From: hkbinbin <hkbinbinbin@gmail.com>
+Date: Wed, 1 Apr 2026 12:19:07 +0000
+Subject: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
+
+From: hkbinbin <hkbinbinbin@gmail.com>
+
+commit 7244491dab347f648e661da96dc0febadd9daec3 upstream.
+
+rxe_rcv() currently checks only that the incoming packet is at least
+header_size(pkt) bytes long before payload_size() is used.
+
+However, payload_size() subtracts both the attacker-controlled BTH pad
+field and RXE_ICRC_SIZE from pkt->paylen:
+
+ payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)
+ - RXE_ICRC_SIZE
+
+This means a short packet can still make payload_size() underflow even
+if it includes enough bytes for the fixed headers. Simply requiring
+header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a
+packet with a forged non-zero BTH pad can still leave payload_size()
+negative and pass an underflowed value to later receive-path users.
+
+Fix this by validating pkt->paylen against the full minimum length
+required by payload_size(): header_size(pkt) + bth_pad(pkt) +
+RXE_ICRC_SIZE.
+
+Cc: stable@vger.kernel.org
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://patch.msgid.link/r/20260401121907.1468366-1-hkbinbinbin@gmail.com
+Signed-off-by: hkbinbin <hkbinbinbin@gmail.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/sw/rxe/rxe_recv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_recv.c
++++ b/drivers/infiniband/sw/rxe/rxe_recv.c
+@@ -330,7 +330,8 @@ void rxe_rcv(struct sk_buff *skb)
+ pkt->qp = NULL;
+ pkt->mask |= rxe_opcode[pkt->opcode].mask;
+
+- if (unlikely(skb->len < header_size(pkt)))
++ if (unlikely(pkt->paylen < header_size(pkt) + bth_pad(pkt) +
++ RXE_ICRC_SIZE))
+ goto drop;
+
+ err = hdr_check(pkt);
--- /dev/null
+From 34f61a07e0cdefaecd3ec03bb5fb22215643678f Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 22 Apr 2026 17:14:30 +0100
+Subject: rxrpc: Fix memory leaks in rxkad_verify_response()
+
+From: David Howells <dhowells@redhat.com>
+
+commit 34f61a07e0cdefaecd3ec03bb5fb22215643678f upstream.
+
+Fix rxkad_verify_response() to free the ticket and the server key under all
+circumstances by initialising the ticket pointer to NULL and then making
+all paths through the function after the first allocation has been done go
+through a single common epilogue that just releases everything - where all
+the releases skip on a NULL pointer.
+
+Fixes: 57af281e5389 ("rxrpc: Tidy up abort generation infrastructure")
+Fixes: ec832bd06d6f ("rxrpc: Don't retain the server key in the connection")
+Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Jeffrey Altman <jaltman@auristor.com>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/20260422161438.2593376-2-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/rxkad.c | 103 ++++++++++++++++++++++--------------------------------
+ 1 file changed, 42 insertions(+), 61 deletions(-)
+
+--- a/net/rxrpc/rxkad.c
++++ b/net/rxrpc/rxkad.c
+@@ -1048,7 +1048,7 @@ static int rxkad_verify_response(struct
+ struct rxrpc_crypt session_key;
+ struct key *server_key;
+ time64_t expiry;
+- void *ticket;
++ void *ticket = NULL;
+ u32 version, kvno, ticket_len, level;
+ __be32 csum;
+ int ret, i;
+@@ -1074,13 +1074,13 @@ static int rxkad_verify_response(struct
+ ret = -ENOMEM;
+ response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
+ if (!response)
+- goto temporary_error;
++ goto error;
+
+ if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
+ response, sizeof(*response)) < 0) {
+- rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
+- rxkad_abort_resp_short);
+- goto protocol_error;
++ ret = rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
++ rxkad_abort_resp_short);
++ goto error;
+ }
+
+ version = ntohl(response->version);
+@@ -1090,62 +1090,62 @@ static int rxkad_verify_response(struct
+ trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len);
+
+ if (version != RXKAD_VERSION) {
+- rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
+- rxkad_abort_resp_version);
+- goto protocol_error;
++ ret = rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
++ rxkad_abort_resp_version);
++ goto error;
+ }
+
+ if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) {
+- rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO,
+- rxkad_abort_resp_tkt_len);
+- goto protocol_error;
++ ret = rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO,
++ rxkad_abort_resp_tkt_len);
++ goto error;
+ }
+
+ if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) {
+- rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO,
+- rxkad_abort_resp_unknown_tkt);
+- goto protocol_error;
++ ret = rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO,
++ rxkad_abort_resp_unknown_tkt);
++ goto error;
+ }
+
+ /* extract the kerberos ticket and decrypt and decode it */
+ ret = -ENOMEM;
+ ticket = kmalloc(ticket_len, GFP_NOFS);
+ if (!ticket)
+- goto temporary_error_free_resp;
++ goto error;
+
+ if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response),
+ ticket, ticket_len) < 0) {
+- rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
+- rxkad_abort_resp_short_tkt);
+- goto protocol_error;
++ ret = rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
++ rxkad_abort_resp_short_tkt);
++ goto error;
+ }
+
+ ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len,
+ &session_key, &expiry);
+ if (ret < 0)
+- goto temporary_error_free_ticket;
++ goto error;
+
+ /* use the session key from inside the ticket to decrypt the
+ * response */
+ ret = rxkad_decrypt_response(conn, response, &session_key);
+ if (ret < 0)
+- goto temporary_error_free_ticket;
++ goto error;
+
+ if (ntohl(response->encrypted.epoch) != conn->proto.epoch ||
+ ntohl(response->encrypted.cid) != conn->proto.cid ||
+ ntohl(response->encrypted.securityIndex) != conn->security_ix) {
+- rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
+- rxkad_abort_resp_bad_param);
+- goto protocol_error_free;
++ ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
++ rxkad_abort_resp_bad_param);
++ goto error;
+ }
+
+ csum = response->encrypted.checksum;
+ response->encrypted.checksum = 0;
+ rxkad_calc_response_checksum(response);
+ if (response->encrypted.checksum != csum) {
+- rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
+- rxkad_abort_resp_bad_checksum);
+- goto protocol_error_free;
++ ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
++ rxkad_abort_resp_bad_checksum);
++ goto error;
+ }
+
+ for (i = 0; i < RXRPC_MAXCALLS; i++) {
+@@ -1153,38 +1153,38 @@ static int rxkad_verify_response(struct
+ u32 counter = READ_ONCE(conn->channels[i].call_counter);
+
+ if (call_id > INT_MAX) {
+- rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
+- rxkad_abort_resp_bad_callid);
+- goto protocol_error_free;
++ ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
++ rxkad_abort_resp_bad_callid);
++ goto error;
+ }
+
+ if (call_id < counter) {
+- rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
+- rxkad_abort_resp_call_ctr);
+- goto protocol_error_free;
++ ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
++ rxkad_abort_resp_call_ctr);
++ goto error;
+ }
+
+ if (call_id > counter) {
+ if (conn->channels[i].call) {
+- rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
++ ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
+ rxkad_abort_resp_call_state);
+- goto protocol_error_free;
++ goto error;
+ }
+ conn->channels[i].call_counter = call_id;
+ }
+ }
+
+ if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) {
+- rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO,
+- rxkad_abort_resp_ooseq);
+- goto protocol_error_free;
++ ret = rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO,
++ rxkad_abort_resp_ooseq);
++ goto error;
+ }
+
+ level = ntohl(response->encrypted.level);
+ if (level > RXRPC_SECURITY_ENCRYPT) {
+- rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO,
+- rxkad_abort_resp_level);
+- goto protocol_error_free;
++ ret = rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO,
++ rxkad_abort_resp_level);
++ goto error;
+ }
+ conn->security_level = level;
+
+@@ -1192,31 +1192,12 @@ static int rxkad_verify_response(struct
+ * this the connection security can be handled in exactly the same way
+ * as for a client connection */
+ ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
+- if (ret < 0)
+- goto temporary_error_free_ticket;
+-
+- kfree(ticket);
+- kfree(response);
+- _leave(" = 0");
+- return 0;
+-
+-protocol_error_free:
+- kfree(ticket);
+-protocol_error:
+- kfree(response);
+- key_put(server_key);
+- return -EPROTO;
+
+-temporary_error_free_ticket:
++error:
+ kfree(ticket);
+-temporary_error_free_resp:
+ kfree(response);
+-temporary_error:
+- /* Ignore the response packet if we got a temporary error such as
+- * ENOMEM. We just want to send the challenge again. Note that we
+- * also come out this way if the ticket decryption fails.
+- */
+ key_put(server_key);
++ _leave(" = %d", ret);
+ return ret;
+ }
+
--- /dev/null
+From 0422e7a4883f25101903f3e8105c0808aa5f4ce9 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 23 Apr 2026 21:09:07 +0100
+Subject: rxrpc: Fix re-decryption of RESPONSE packets
+
+From: David Howells <dhowells@redhat.com>
+
+commit 0422e7a4883f25101903f3e8105c0808aa5f4ce9 upstream.
+
+If a RESPONSE packet gets a temporary failure during processing, it may end
+up in a partially decrypted state - and then get requeued for a retry.
+
+Fix this by just discarding the packet; we will send another CHALLENGE
+packet and thereby elicit a further response. Similarly, discard an
+incoming CHALLENGE packet if we get an error whilst generating a RESPONSE;
+the server will send another CHALLENGE.
+
+Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
+Closes: https://sashiko.dev/#/patchset/20260422161438.2593376-4-dhowells@redhat.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Jeffrey Altman <jaltman@auristor.com>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/20260423200909.3049438-3-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/trace/events/rxrpc.h | 1 -
+ net/rxrpc/conn_event.c | 14 ++------------
+ 2 files changed, 2 insertions(+), 13 deletions(-)
+
+--- a/include/trace/events/rxrpc.h
++++ b/include/trace/events/rxrpc.h
+@@ -236,7 +236,6 @@
+ EM(rxrpc_conn_put_unidle, "PUT unidle ") \
+ EM(rxrpc_conn_put_work, "PUT work ") \
+ EM(rxrpc_conn_queue_challenge, "QUE chall ") \
+- EM(rxrpc_conn_queue_retry_work, "QUE retry-wk") \
+ EM(rxrpc_conn_queue_rx_work, "QUE rx-work ") \
+ EM(rxrpc_conn_see_new_service_conn, "SEE new-svc ") \
+ EM(rxrpc_conn_see_reap_service, "SEE reap-svc") \
+--- a/net/rxrpc/conn_event.c
++++ b/net/rxrpc/conn_event.c
+@@ -344,7 +344,6 @@ again:
+ static void rxrpc_do_process_connection(struct rxrpc_connection *conn)
+ {
+ struct sk_buff *skb;
+- int ret;
+
+ if (test_and_clear_bit(RXRPC_CONN_EV_CHALLENGE, &conn->events))
+ rxrpc_secure_connection(conn);
+@@ -353,17 +352,8 @@ static void rxrpc_do_process_connection(
+ * connection that each one has when we've finished with it */
+ while ((skb = skb_dequeue(&conn->rx_queue))) {
+ rxrpc_see_skb(skb, rxrpc_skb_see_conn_work);
+- ret = rxrpc_process_event(conn, skb);
+- switch (ret) {
+- case -ENOMEM:
+- case -EAGAIN:
+- skb_queue_head(&conn->rx_queue, skb);
+- rxrpc_queue_conn(conn, rxrpc_conn_queue_retry_work);
+- break;
+- default:
+- rxrpc_free_skb(skb, rxrpc_skb_put_conn_work);
+- break;
+- }
++ rxrpc_process_event(conn, skb);
++ rxrpc_free_skb(skb, rxrpc_skb_put_conn_work);
+ }
+ }
+
--- /dev/null
+From def304aae2edf321d2671fd6ca766a93c21f877e Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 22 Apr 2026 17:14:31 +0100
+Subject: rxrpc: Fix rxkad crypto unalignment handling
+
+From: David Howells <dhowells@redhat.com>
+
+commit def304aae2edf321d2671fd6ca766a93c21f877e upstream.
+
+Fix handling of a packet with a misaligned crypto length. Also handle
+non-ENOMEM errors from decryption by aborting. Further, remove the
+WARN_ON_ONCE() so that it can't be remotely triggered (a trace line can
+still be emitted).
+
+Fixes: f93af41b9f5f ("rxrpc: Fix missing error checks for rxkad encryption/decryption failure")
+Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Jeffrey Altman <jaltman@auristor.com>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/20260422161438.2593376-3-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/trace/events/rxrpc.h | 1 +
+ net/rxrpc/rxkad.c | 9 +++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/include/trace/events/rxrpc.h
++++ b/include/trace/events/rxrpc.h
+@@ -36,6 +36,7 @@
+ EM(rxkad_abort_1_short_encdata, "rxkad1-short-encdata") \
+ EM(rxkad_abort_1_short_header, "rxkad1-short-hdr") \
+ EM(rxkad_abort_2_short_check, "rxkad2-short-check") \
++ EM(rxkad_abort_2_crypto_unaligned, "rxkad2-crypto-unaligned") \
+ EM(rxkad_abort_2_short_data, "rxkad2-short-data") \
+ EM(rxkad_abort_2_short_header, "rxkad2-short-hdr") \
+ EM(rxkad_abort_2_short_len, "rxkad2-short-len") \
+--- a/net/rxrpc/rxkad.c
++++ b/net/rxrpc/rxkad.c
+@@ -494,6 +494,9 @@ static int rxkad_verify_packet_2(struct
+ return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
+ rxkad_abort_2_short_header);
+
++ /* Don't let the crypto algo see a misaligned length. */
++ sp->len = round_down(sp->len, 8);
++
+ /* Decrypt the skbuff in-place. TODO: We really want to decrypt
+ * directly into the target buffer.
+ */
+@@ -527,8 +530,10 @@ static int rxkad_verify_packet_2(struct
+ if (sg != _sg)
+ kfree(sg);
+ if (ret < 0) {
+- WARN_ON_ONCE(ret != -ENOMEM);
+- return ret;
++ if (ret == -ENOMEM)
++ return ret;
++ return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
++ rxkad_abort_2_crypto_unaligned);
+ }
+
+ /* Extract the decrypted packet length */
alsa-pcmtest-fix-reference-leak-on-failed-device-registration.patch
alsa-pcmtest-fix-resource-leaks-in-module-init-error-paths.patch
iio-adc-ad7768-1-fix-one-shot-mode-data-acquisition.patch
+rxrpc-fix-memory-leaks-in-rxkad_verify_response.patch
+rxrpc-fix-rxkad-crypto-unalignment-handling.patch
+rxrpc-fix-re-decryption-of-response-packets.patch
+tools-accounting-handle-truncated-taskstats-netlink-messages.patch
+arm64-dts-marvell-udpu-add-ethernet-aliases.patch
+net-qrtr-ns-free-the-node-during-ctrl_cmd_bye.patch
+net-rds-fix-mr-cleanup-on-copy-error.patch
+net-txgbe-fix-firmware-version-check.patch
+net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch
+net-ks8851-reinstate-disabling-of-bhs-around-irq-handler.patch
+netconsole-avoid-out-of-bounds-access-on-empty-string-in-trim_newline.patch
+net-ks8851-avoid-excess-softirq-scheduling.patch
+drm-arcpgu-fix-device-node-leak.patch
+rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch
+ipv4-icmp-validate-reply-type-before-using-icmp_pointers.patch
+libceph-prevent-potential-null-ptr-deref-in-ceph_handle_auth_reply.patch
+extract-cert-wrap-key_pass-with-ifdef-use_pkcs11_engine.patch
+tpm-avoid-wunused-but-set-variable.patch
+loongarch-show-cpu-vulnerabilites-correctly.patch
+power-supply-axp288_charger-do-not-cancel-work-before-initializing-it.patch
--- /dev/null
+From cc82b3dcc6a8fa259fbda12ab00d6fc00908a49e Mon Sep 17 00:00:00 2001
+From: Yiyang Chen <cyyzero16@gmail.com>
+Date: Mon, 30 Mar 2026 03:00:41 +0800
+Subject: tools/accounting: handle truncated taskstats netlink messages
+
+From: Yiyang Chen <cyyzero16@gmail.com>
+
+commit cc82b3dcc6a8fa259fbda12ab00d6fc00908a49e upstream.
+
+procacct and getdelays use a fixed receive buffer for taskstats generic
+netlink messages. A multi-threaded process exit can emit a single
+PID+TGID notification large enough to exceed that buffer on newer kernels.
+
+Switch to recvmsg() so MSG_TRUNC is detected explicitly, increase the
+message buffer size, and report truncated datagrams clearly instead of
+misparsing them as fatal netlink errors.
+
+Also print the taskstats version in debug output to make version
+mismatches easier to diagnose while inspecting taskstats traffic.
+
+Link: https://lkml.kernel.org/r/520308bb4cbbaf8dc2c7296b5f60f11e12fb30a5.1774810498.git.cyyzero16@gmail.com
+Signed-off-by: Yiyang Chen <cyyzero16@gmail.com>
+Cc: Balbir Singh <bsingharora@gmail.com>
+Cc: Dr. Thomas Orgis <thomas.orgis@uni-hamburg.de>
+Cc: Fan Yu <fan.yu9@zte.com.cn>
+Cc: Wang Yaxin <wang.yaxin@zte.com.cn>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/accounting/getdelays.c | 41 +++++++++++++++++++++++++++++++++++++----
+ tools/accounting/procacct.c | 40 ++++++++++++++++++++++++++++++++++++----
+ 2 files changed, 73 insertions(+), 8 deletions(-)
+
+--- a/tools/accounting/getdelays.c
++++ b/tools/accounting/getdelays.c
+@@ -59,7 +59,7 @@ int print_task_context_switch_counts;
+ }
+
+ /* Maximum size of response requested or message sent */
+-#define MAX_MSG_SIZE 1024
++#define MAX_MSG_SIZE 2048
+ /* Maximum number of cpus expected to be specified in a cpumask */
+ #define MAX_CPUS 32
+
+@@ -114,6 +114,32 @@ error:
+ return -1;
+ }
+
++static int recv_taskstats_msg(int sd, struct msgtemplate *msg)
++{
++ struct sockaddr_nl nladdr;
++ struct iovec iov = {
++ .iov_base = msg,
++ .iov_len = sizeof(*msg),
++ };
++ struct msghdr hdr = {
++ .msg_name = &nladdr,
++ .msg_namelen = sizeof(nladdr),
++ .msg_iov = &iov,
++ .msg_iovlen = 1,
++ };
++ int ret;
++
++ ret = recvmsg(sd, &hdr, 0);
++ if (ret < 0)
++ return -1;
++ if (hdr.msg_flags & MSG_TRUNC) {
++ errno = EMSGSIZE;
++ return -1;
++ }
++
++ return ret;
++}
++
+
+ static int send_cmd(int sd, __u16 nlmsg_type, __u32 nlmsg_pid,
+ __u8 genl_cmd, __u16 nla_type,
+@@ -465,12 +491,16 @@ int main(int argc, char *argv[])
+ }
+
+ do {
+- rep_len = recv(nl_sd, &msg, sizeof(msg), 0);
++ rep_len = recv_taskstats_msg(nl_sd, &msg);
+ PRINTF("received %d bytes\n", rep_len);
+
+ if (rep_len < 0) {
+- fprintf(stderr, "nonfatal reply error: errno %d\n",
+- errno);
++ if (errno == EMSGSIZE)
++ fprintf(stderr,
++ "dropped truncated taskstats netlink message, please increase MAX_MSG_SIZE\n");
++ else
++ fprintf(stderr, "nonfatal reply error: errno %d\n",
++ errno);
+ continue;
+ }
+ if (msg.n.nlmsg_type == NLMSG_ERROR ||
+@@ -512,6 +542,9 @@ int main(int argc, char *argv[])
+ printf("TGID\t%d\n", rtid);
+ break;
+ case TASKSTATS_TYPE_STATS:
++ PRINTF("version %u\n",
++ ((struct taskstats *)
++ NLA_DATA(na))->version);
+ if (print_delays)
+ print_delayacct((struct taskstats *) NLA_DATA(na));
+ if (print_io_accounting)
+--- a/tools/accounting/procacct.c
++++ b/tools/accounting/procacct.c
+@@ -71,7 +71,7 @@ int print_task_context_switch_counts;
+ }
+
+ /* Maximum size of response requested or message sent */
+-#define MAX_MSG_SIZE 1024
++#define MAX_MSG_SIZE 2048
+ /* Maximum number of cpus expected to be specified in a cpumask */
+ #define MAX_CPUS 32
+
+@@ -121,6 +121,32 @@ error:
+ return -1;
+ }
+
++static int recv_taskstats_msg(int sd, struct msgtemplate *msg)
++{
++ struct sockaddr_nl nladdr;
++ struct iovec iov = {
++ .iov_base = msg,
++ .iov_len = sizeof(*msg),
++ };
++ struct msghdr hdr = {
++ .msg_name = &nladdr,
++ .msg_namelen = sizeof(nladdr),
++ .msg_iov = &iov,
++ .msg_iovlen = 1,
++ };
++ int ret;
++
++ ret = recvmsg(sd, &hdr, 0);
++ if (ret < 0)
++ return -1;
++ if (hdr.msg_flags & MSG_TRUNC) {
++ errno = EMSGSIZE;
++ return -1;
++ }
++
++ return ret;
++}
++
+
+ static int send_cmd(int sd, __u16 nlmsg_type, __u32 nlmsg_pid,
+ __u8 genl_cmd, __u16 nla_type,
+@@ -239,6 +265,8 @@ void handle_aggr(int mother, struct nlat
+ PRINTF("TGID\t%d\n", rtid);
+ break;
+ case TASKSTATS_TYPE_STATS:
++ PRINTF("version %u\n",
++ ((struct taskstats *)NLA_DATA(na))->version);
+ if (mother == TASKSTATS_TYPE_AGGR_PID)
+ print_procacct((struct taskstats *) NLA_DATA(na));
+ if (fd) {
+@@ -348,12 +376,16 @@ int main(int argc, char *argv[])
+ }
+
+ do {
+- rep_len = recv(nl_sd, &msg, sizeof(msg), 0);
++ rep_len = recv_taskstats_msg(nl_sd, &msg);
+ PRINTF("received %d bytes\n", rep_len);
+
+ if (rep_len < 0) {
+- fprintf(stderr, "nonfatal reply error: errno %d\n",
+- errno);
++ if (errno == EMSGSIZE)
++ fprintf(stderr,
++ "dropped truncated taskstats netlink message, please increase MAX_MSG_SIZE\n");
++ else
++ fprintf(stderr, "nonfatal reply error: errno %d\n",
++ errno);
+ continue;
+ }
+ if (msg.n.nlmsg_type == NLMSG_ERROR ||
--- /dev/null
+From 6f1d4d2ecfcd1b577dc87350ea965fe81f272e83 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 22 Mar 2024 14:22:48 +0100
+Subject: tpm: avoid -Wunused-but-set-variable
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 6f1d4d2ecfcd1b577dc87350ea965fe81f272e83 upstream.
+
+Outside of the EFI tpm code, the TPM_MEMREMAP()/TPM_MEMUNMAP functions are
+defined as trivial macros, leading to the mapping_size variable ending
+up unused:
+
+In file included from drivers/char/tpm/tpm-sysfs.c:16:
+In file included from drivers/char/tpm/tpm.h:28:
+include/linux/tpm_eventlog.h:167:6: error: variable 'mapping_size' set but not used [-Werror,-Wunused-but-set-variable]
+ 167 | int mapping_size;
+
+Turn the stubs into inline functions to avoid this warning.
+
+Cc: stable@vger.kernel.org # v5.3+
+Fixes: c46f3405692d ("tpm: Reserve the TPM final events table")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Thorsten Blum <thorsten.blum@linux.dev>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/tpm_eventlog.h | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/include/linux/tpm_eventlog.h
++++ b/include/linux/tpm_eventlog.h
+@@ -131,11 +131,16 @@ struct tcg_algorithm_info {
+ };
+
+ #ifndef TPM_MEMREMAP
+-#define TPM_MEMREMAP(start, size) NULL
++static inline void *TPM_MEMREMAP(unsigned long start, size_t size)
++{
++ return NULL;
++}
+ #endif
+
+ #ifndef TPM_MEMUNMAP
+-#define TPM_MEMUNMAP(start, size) do{} while(0)
++static inline void TPM_MEMUNMAP(void *mapping, size_t size)
++{
++}
+ #endif
+
+ /**
projects / thirdparty / kernel / stable-queue.git / commitdiff
