--- /dev/null
+From bb120ad57def62e3f23e3d999c5fbed11f610993 Mon Sep 17 00:00:00 2001
+From: Alexey Nepomnyashih <sdl@nppct.ru>
+Date: Mon, 16 Mar 2026 19:18:22 +0000
+Subject: ALSA: firewire-lib: fix uninitialized local variable
+
+From: Alexey Nepomnyashih <sdl@nppct.ru>
+
+commit bb120ad57def62e3f23e3d999c5fbed11f610993 upstream.
+
+Similar to commit d8dc8720468a ("ALSA: firewire-lib: fix uninitialized
+local variable"), the local variable `curr_cycle_time` in
+process_rx_packets() is declared without initialization.
+
+When the tracepoint event is not probed, the variable may appear to be
+used without being initialized. In practice the value is only relevant
+when the tracepoint is enabled, however initializing it avoids potential
+use of an uninitialized value and improves code safety.
+
+Initialize `curr_cycle_time` to zero.
+
+Fixes: fef4e61b0b76 ("ALSA: firewire-lib: extend tracepoints event including CYCLE_TIME of 1394 OHCI")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexey Nepomnyashih <sdl@nppct.ru>
+Link: https://patch.msgid.link/20260316191824.83249-1-sdl@nppct.ru
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/firewire/amdtp-stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/amdtp-stream.c
++++ b/sound/firewire/amdtp-stream.c
+@@ -1179,7 +1179,7 @@ static void process_rx_packets(struct fw
+ struct pkt_desc *desc = s->packet_descs_cursor;
+ unsigned int pkt_header_length;
+ unsigned int packets;
+- u32 curr_cycle_time;
++ u32 curr_cycle_time = 0;
+ bool need_hw_irq;
+ int i;
+
--- /dev/null
+From 0bdf27abaf8940592207be939142451436afe39f Mon Sep 17 00:00:00 2001
+From: Zhang Heng <zhangheng@kylinos.cn>
+Date: Mon, 16 Mar 2026 10:28:43 +0800
+Subject: ALSA: hda/realtek: add quirk for ASUS Strix G16 G615JMR
+
+From: Zhang Heng <zhangheng@kylinos.cn>
+
+commit 0bdf27abaf8940592207be939142451436afe39f upstream.
+
+The machine is equipped with ALC294 and requires the
+ALC287_FIXUP_TXNW2781_I2C_ASUS quirk for the amplifier to work properly.
+Since the machine's PCI SSID is also 1043:1204, HDA_CODEC_QUIRK is
+used to retain the previous quirk.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=221173
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260316022843.2809968-1-zhangheng@kylinos.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7033,6 +7033,7 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x1043, 0x115d, "Asus 1015E", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x1043, 0x1194, "ASUS UM3406KA", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x11c0, "ASUS X556UR", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
++ HDA_CODEC_QUIRK(0x1043, 0x1204, "ASUS Strix G16 G615JMR", ALC287_FIXUP_TXNW2781_I2C_ASUS),
+ SND_PCI_QUIRK(0x1043, 0x1204, "ASUS Strix G615JHR_JMR_JPR", ALC287_FIXUP_TAS2781_I2C),
+ SND_PCI_QUIRK(0x1043, 0x1214, "ASUS Strix G615LH_LM_LP", ALC287_FIXUP_TAS2781_I2C),
+ SND_PCI_QUIRK(0x1043, 0x125e, "ASUS Q524UQK", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
--- /dev/null
+From cfb385a8dc88d86a805a5682eaa68f59fa5c0ec3 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Date: Mon, 23 Mar 2026 23:17:48 +0000
+Subject: ASoC: codecs: wcd934x: fix typo in dt parsing
+
+From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+
+commit cfb385a8dc88d86a805a5682eaa68f59fa5c0ec3 upstream.
+
+Looks like we ended up with a typo during device tree data parsing
+as part of 4f16b6351bbff ("ASoC: codecs: wcd: add common helper for wcd
+codecs") patch.
+ This will result in not parsing the device tree data and results in
+zero mic bias values.
+
+Fix this by calling wcd_dt_parse_micbias_info instead of
+wcd_dt_parse_mbhc_data.
+
+Fixes: 4f16b6351bbff ("ASoC: codecs: wcd: add common helper for wcd codecs")
+Cc: Stable@vger.kernel.org
+Reported-by: Joel Selvaraj <foss@joelselvaraj.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260323231748.2217967-1-srinivas.kandagatla@oss.qualcomm.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/wcd934x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c
+index c8db33f78a1b..bc41a1466c70 100644
+--- a/sound/soc/codecs/wcd934x.c
++++ b/sound/soc/codecs/wcd934x.c
+@@ -2172,7 +2172,7 @@ static int wcd934x_init_dmic(struct snd_soc_component *comp)
+ u32 def_dmic_rate, dmic_clk_drv;
+ int ret;
+
+- ret = wcd_dt_parse_mbhc_data(comp->dev, &wcd->mbhc_cfg);
++ ret = wcd_dt_parse_micbias_info(&wcd->common);
+ if (ret)
+ return ret;
+
+--
+2.53.0
+
--- /dev/null
+From fe757092d2329c397ecb32f2bf68a5b1c4bd9193 Mon Sep 17 00:00:00 2001
+From: Guangshuo Li <lgs201920130244@gmail.com>
+Date: Fri, 13 Mar 2026 12:06:11 +0800
+Subject: ASoC: sma1307: fix double free of devm_kzalloc() memory
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+commit fe757092d2329c397ecb32f2bf68a5b1c4bd9193 upstream.
+
+A previous change added NULL checks and cleanup for allocation
+failures in sma1307_setting_loaded().
+
+However, the cleanup for mode_set entries is wrong. Those entries are
+allocated with devm_kzalloc(), so they are device-managed resources and
+must not be freed with kfree(). Manually freeing them in the error path
+can lead to a double free when devres later releases the same memory.
+
+Drop the manual kfree() loop and let devres handle the cleanup.
+
+Fixes: 0ec6bd16705fe ("ASoC: sma1307: Add NULL check in sma1307_setting_loaded()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Link: https://patch.msgid.link/20260313040611.391479-1-lgs201920130244@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/sma1307.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/codecs/sma1307.c
++++ b/sound/soc/codecs/sma1307.c
+@@ -1779,8 +1779,10 @@ static void sma1307_setting_loaded(struc
+ sma1307->set.mode_size * 2 * sizeof(int),
+ GFP_KERNEL);
+ if (!sma1307->set.mode_set[i]) {
+- for (int j = 0; j < i; j++)
+- kfree(sma1307->set.mode_set[j]);
++ for (int j = 0; j < i; j++) {
++ devm_kfree(sma1307->dev, sma1307->set.mode_set[j]);
++ sma1307->set.mode_set[j] = NULL;
++ }
+ sma1307->set.status = false;
+ return;
+ }
--- /dev/null
+From d40a198e2b7821197c5c77b89d0130cc90f400f5 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Date: Thu, 26 Mar 2026 09:56:18 +0200
+Subject: ASoC: SOF: ipc4-topology: Allow bytes controls without initial payload
+
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+
+commit d40a198e2b7821197c5c77b89d0130cc90f400f5 upstream.
+
+It is unexpected, but allowed to have no initial payload for a bytes
+control and the code is prepared to handle this case, but the size check
+missed this corner case.
+
+Update the check for minimal size to allow the initial size to be 0.
+
+Cc: stable@vger.kernel.org
+Fixes: a653820700b8 ("ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls")
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
+Reviewed-by: Seppo Ingalsuo <seppo.ingalsuo@linux.intel.com>
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Link: https://patch.msgid.link/20260326075618.1603-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/sof/ipc4-topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/sof/ipc4-topology.c
++++ b/sound/soc/sof/ipc4-topology.c
+@@ -2880,7 +2880,7 @@ static int sof_ipc4_control_load_bytes(s
+ return -EINVAL;
+ }
+
+- if (scontrol->priv_size < sizeof(struct sof_abi_hdr)) {
++ if (scontrol->priv_size && scontrol->priv_size < sizeof(struct sof_abi_hdr)) {
+ dev_err(sdev->dev,
+ "bytes control %s initial data size %zu is insufficient.\n",
+ scontrol->name, scontrol->priv_size);
--- /dev/null
+From b9c310d72783cc2f30d103eed83920a5a29c671a Mon Sep 17 00:00:00 2001
+From: Ali Norouzi <ali.norouzi@keysight.com>
+Date: Thu, 19 Mar 2026 16:47:44 +0100
+Subject: can: gw: fix OOB heap access in cgw_csum_crc8_rel()
+
+From: Ali Norouzi <ali.norouzi@keysight.com>
+
+commit b9c310d72783cc2f30d103eed83920a5a29c671a upstream.
+
+cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():
+
+ int from = calc_idx(crc8->from_idx, cf->len);
+ int to = calc_idx(crc8->to_idx, cf->len);
+ int res = calc_idx(crc8->result_idx, cf->len);
+
+ if (from < 0 || to < 0 || res < 0)
+ return;
+
+However, the loop and the result write then use the raw s8 fields directly
+instead of the computed variables:
+
+ for (i = crc8->from_idx; ...) /* BUG: raw negative index */
+ cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */
+
+With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,
+calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with
+i = -64, reading cf->data[-64], and the write goes to cf->data[-64].
+This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the
+start of the canfd_frame on the heap.
+
+The companion function cgw_csum_xor_rel() uses `from`/`to`/`res`
+correctly throughout; fix cgw_csum_crc8_rel() to match.
+
+Confirmed with KASAN on linux-7.0-rc2:
+ BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0
+ Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62
+
+To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.
+
+Fixes: 456a8a646b25 ("can: gw: add support for CAN FD frames")
+Cc: stable@vger.kernel.org
+Reported-by: Ali Norouzi <ali.norouzi@keysight.com>
+Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Ali Norouzi <ali.norouzi@keysight.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-1-c45d52c6d2d8@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/gw.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/can/gw.c
++++ b/net/can/gw.c
+@@ -374,10 +374,10 @@ static void cgw_csum_crc8_rel(struct can
+ return;
+
+ if (from <= to) {
+- for (i = crc8->from_idx; i <= crc8->to_idx; i++)
++ for (i = from; i <= to; i++)
+ crc = crc8->crctab[crc ^ cf->data[i]];
+ } else {
+- for (i = crc8->from_idx; i >= crc8->to_idx; i--)
++ for (i = from; i >= to; i--)
+ crc = crc8->crctab[crc ^ cf->data[i]];
+ }
+
+@@ -396,7 +396,7 @@ static void cgw_csum_crc8_rel(struct can
+ break;
+ }
+
+- cf->data[crc8->result_idx] = crc ^ crc8->final_xor_val;
++ cf->data[res] = crc ^ crc8->final_xor_val;
+ }
+
+ static void cgw_csum_crc8_pos(struct canfd_frame *cf,
--- /dev/null
+From 424e95d62110cdbc8fd12b40918f37e408e35a92 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Thu, 19 Mar 2026 16:47:45 +0100
+Subject: can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 424e95d62110cdbc8fd12b40918f37e408e35a92 upstream.
+
+isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access
+to so->tx.buf. isotp_release() waits for ISOTP_IDLE via
+wait_event_interruptible() and then calls kfree(so->tx.buf).
+
+If a signal interrupts the wait_event_interruptible() inside close()
+while tx.state is ISOTP_SENDING, the loop exits early and release
+proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf)
+while sendmsg may still be reading so->tx.buf for the final CAN frame
+in isotp_fill_dataframe().
+
+The so->tx.buf can be allocated once when the standard tx.buf length needs
+to be extended. Move the kfree() of this potentially extended tx.buf to
+sk_destruct time when either isotp_sendmsg() and isotp_release() are done.
+
+Fixes: 96d1c81e6a04 ("can: isotp: add module parameter for maximum pdu size")
+Cc: stable@vger.kernel.org
+Reported-by: Ali Norouzi <ali.norouzi@keysight.com>
+Co-developed-by: Ali Norouzi <ali.norouzi@keysight.com>
+Signed-off-by: Ali Norouzi <ali.norouzi@keysight.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-2-c45d52c6d2d8@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/isotp.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -1230,12 +1230,6 @@ static int isotp_release(struct socket *
+ so->ifindex = 0;
+ so->bound = 0;
+
+- if (so->rx.buf != so->rx.sbuf)
+- kfree(so->rx.buf);
+-
+- if (so->tx.buf != so->tx.sbuf)
+- kfree(so->tx.buf);
+-
+ sock_orphan(sk);
+ sock->sk = NULL;
+
+@@ -1604,6 +1598,21 @@ static int isotp_notifier(struct notifie
+ return NOTIFY_DONE;
+ }
+
++static void isotp_sock_destruct(struct sock *sk)
++{
++ struct isotp_sock *so = isotp_sk(sk);
++
++ /* do the standard CAN sock destruct work */
++ can_sock_destruct(sk);
++
++ /* free potential extended PDU buffers */
++ if (so->rx.buf != so->rx.sbuf)
++ kfree(so->rx.buf);
++
++ if (so->tx.buf != so->tx.sbuf)
++ kfree(so->tx.buf);
++}
++
+ static int isotp_init(struct sock *sk)
+ {
+ struct isotp_sock *so = isotp_sk(sk);
+@@ -1648,6 +1657,9 @@ static int isotp_init(struct sock *sk)
+ list_add_tail(&so->notifier, &isotp_notifier_list);
+ spin_unlock(&isotp_notifier_lock);
+
++ /* re-assign default can_sock_destruct() reference */
++ sk->sk_destruct = isotp_sock_destruct;
++
+ return 0;
+ }
+
--- /dev/null
+From cadf6019231b614ebbd9ec2a16e5997ecbd8d016 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Tue, 10 Mar 2026 13:48:03 +0100
+Subject: can: netlink: can_changelink(): add missing error handling to call can_ctrlmode_changelink()
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit cadf6019231b614ebbd9ec2a16e5997ecbd8d016 upstream.
+
+In commit e1a5cd9d6665 ("can: netlink: add can_ctrlmode_changelink()") the
+CAN Control Mode (IFLA_CAN_CTRLMODE) handling was factored out into the
+can_ctrlmode_changelink() function. But the call to
+can_ctrlmode_changelink() is missing the error handling.
+
+Add the missing error handling and propagation to the call
+can_ctrlmode_changelink().
+
+Cc: stable@vger.kernel.org
+Fixes: e1a5cd9d6665 ("can: netlink: add can_ctrlmode_changelink()")
+Link: https://patch.msgid.link/20260310-can_ctrlmode_changelink-add-error-handling-v1-1-0daf63d85922@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/dev/netlink.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/dev/netlink.c
++++ b/drivers/net/can/dev/netlink.c
+@@ -407,7 +407,9 @@ static int can_changelink(struct net_dev
+ /* We need synchronization with dev->stop() */
+ ASSERT_RTNL();
+
+- can_ctrlmode_changelink(dev, data, extack);
++ err = can_ctrlmode_changelink(dev, data, extack);
++ if (err)
++ return err;
+
+ if (data[IFLA_CAN_BITTIMING]) {
+ struct can_bittiming bt;
--- /dev/null
+From 6a28fb8cb28b9eb39a392e531d938a889eacafc5 Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Fri, 20 Mar 2026 15:08:14 +0530
+Subject: cpufreq: conservative: Reset requested_freq on limits change
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+commit 6a28fb8cb28b9eb39a392e531d938a889eacafc5 upstream.
+
+A recently reported issue highlighted that the cached requested_freq
+is not guaranteed to stay in sync with policy->cur. If the platform
+changes the actual CPU frequency after the governor sets one (e.g.
+due to platform-specific frequency scaling) and a re-sync occurs
+later, policy->cur may diverge from requested_freq.
+
+This can lead to incorrect behavior in the conservative governor.
+For example, the governor may assume the CPU is already running at
+the maximum frequency and skip further increases even though there
+is still headroom.
+
+Avoid this by resetting the cached requested_freq to policy->cur on
+detecting a change in policy limits.
+
+Reported-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Tested-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Link: https://lore.kernel.org/all/20260210115458.3493646-1-zhenglifeng1@huawei.com/
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com>
+Cc: All applicable <stable@vger.kernel.org>
+Link: https://patch.msgid.link/d846a141a98ac0482f20560fcd7525c0f0ec2f30.1773999467.git.viresh.kumar@linaro.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cpufreq_conservative.c | 12 ++++++++++++
+ drivers/cpufreq/cpufreq_governor.c | 3 +++
+ drivers/cpufreq/cpufreq_governor.h | 1 +
+ 3 files changed, 16 insertions(+)
+
+--- a/drivers/cpufreq/cpufreq_conservative.c
++++ b/drivers/cpufreq/cpufreq_conservative.c
+@@ -313,6 +313,17 @@ static void cs_start(struct cpufreq_poli
+ dbs_info->requested_freq = policy->cur;
+ }
+
++static void cs_limits(struct cpufreq_policy *policy)
++{
++ struct cs_policy_dbs_info *dbs_info = to_dbs_info(policy->governor_data);
++
++ /*
++ * The limits have changed, so may have the current frequency. Reset
++ * requested_freq to avoid any unintended outcomes due to the mismatch.
++ */
++ dbs_info->requested_freq = policy->cur;
++}
++
+ static struct dbs_governor cs_governor = {
+ .gov = CPUFREQ_DBS_GOVERNOR_INITIALIZER("conservative"),
+ .kobj_type = { .default_groups = cs_groups },
+@@ -322,6 +333,7 @@ static struct dbs_governor cs_governor =
+ .init = cs_init,
+ .exit = cs_exit,
+ .start = cs_start,
++ .limits = cs_limits,
+ };
+
+ #define CPU_FREQ_GOV_CONSERVATIVE (cs_governor.gov)
+--- a/drivers/cpufreq/cpufreq_governor.c
++++ b/drivers/cpufreq/cpufreq_governor.c
+@@ -563,6 +563,7 @@ EXPORT_SYMBOL_GPL(cpufreq_dbs_governor_s
+
+ void cpufreq_dbs_governor_limits(struct cpufreq_policy *policy)
+ {
++ struct dbs_governor *gov = dbs_governor_of(policy);
+ struct policy_dbs_info *policy_dbs;
+
+ /* Protect gov->gdbs_data against cpufreq_dbs_governor_exit() */
+@@ -574,6 +575,8 @@ void cpufreq_dbs_governor_limits(struct
+ mutex_lock(&policy_dbs->update_mutex);
+ cpufreq_policy_apply_limits(policy);
+ gov_update_sample_delay(policy_dbs, 0);
++ if (gov->limits)
++ gov->limits(policy);
+ mutex_unlock(&policy_dbs->update_mutex);
+
+ out:
+--- a/drivers/cpufreq/cpufreq_governor.h
++++ b/drivers/cpufreq/cpufreq_governor.h
+@@ -138,6 +138,7 @@ struct dbs_governor {
+ int (*init)(struct dbs_data *dbs_data);
+ void (*exit)(struct dbs_data *dbs_data);
+ void (*start)(struct cpufreq_policy *policy);
++ void (*limits)(struct cpufreq_policy *policy);
+ };
+
+ static inline struct dbs_governor *dbs_governor_of(struct cpufreq_policy *policy)
--- /dev/null
+From bfe9e314d7574d1c5c851972e7aee342733819d2 Mon Sep 17 00:00:00 2001
+From: Matthew Auld <matthew.auld@intel.com>
+Date: Wed, 18 Mar 2026 10:02:09 +0000
+Subject: drm/xe: always keep track of remap prev/next
+
+From: Matthew Auld <matthew.auld@intel.com>
+
+commit bfe9e314d7574d1c5c851972e7aee342733819d2 upstream.
+
+During 3D workload, user is reporting hitting:
+
+[ 413.361679] WARNING: drivers/gpu/drm/xe/xe_vm.c:1217 at vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe], CPU#7: vkd3d_queue/9925
+[ 413.361944] CPU: 7 UID: 1000 PID: 9925 Comm: vkd3d_queue Kdump: loaded Not tainted 7.0.0-070000rc3-generic #202603090038 PREEMPT(lazy)
+[ 413.361949] RIP: 0010:vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe]
+[ 413.362074] RSP: 0018:ffffd4c25c3df930 EFLAGS: 00010282
+[ 413.362077] RAX: 0000000000000000 RBX: ffff8f3ee817ed10 RCX: 0000000000000000
+[ 413.362078] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+[ 413.362079] RBP: ffffd4c25c3df980 R08: 0000000000000000 R09: 0000000000000000
+[ 413.362081] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8f41fbf99380
+[ 413.362082] R13: ffff8f3ee817e968 R14: 00000000ffffffef R15: ffff8f43d00bd380
+[ 413.362083] FS: 00000001040ff6c0(0000) GS:ffff8f4696d89000(0000) knlGS:00000000330b0000
+[ 413.362085] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
+[ 413.362086] CR2: 00007ddfc4747000 CR3: 00000002e6262005 CR4: 0000000000f72ef0
+[ 413.362088] PKRU: 55555554
+[ 413.362089] Call Trace:
+[ 413.362092] <TASK>
+[ 413.362096] xe_vm_bind_ioctl+0xa9a/0xc60 [xe]
+
+Which seems to hint that the vma we are re-inserting for the ops unwind
+is either invalid or overlapping with something already inserted in the
+vm. It shouldn't be invalid since this is a re-insertion, so must have
+worked before. Leaving the likely culprit as something already placed
+where we want to insert the vma.
+
+Following from that, for the case where we do something like a rebind in
+the middle of a vma, and one or both mapped ends are already compatible,
+we skip doing the rebind of those vma and set next/prev to NULL. As well
+as then adjust the original unmap va range, to avoid unmapping the ends.
+However, if we trigger the unwind path, we end up with three va, with
+the two ends never being removed and the original va range in the middle
+still being the shrunken size.
+
+If this occurs, one failure mode is when another unwind op needs to
+interact with that range, which can happen with a vector of binds. For
+example, if we need to re-insert something in place of the original va.
+In this case the va is still the shrunken version, so when removing it
+and then doing a re-insert it can overlap with the ends, which were
+never removed, triggering a warning like above, plus leaving the vm in a
+bad state.
+
+With that, we need two things here:
+
+ 1) Stop nuking the prev/next tracking for the skip cases. Instead
+ relying on checking for skip prev/next, where needed. That way on the
+ unwind path, we now correctly remove both ends.
+
+ 2) Undo the unmap va shrinkage, on the unwind path. With the two ends
+ now removed the unmap va should expand back to the original size again,
+ before re-insertion.
+
+v2:
+ - Update the explanation in the commit message, based on an actual IGT of
+ triggering this issue, rather than conjecture.
+ - Also undo the unmap shrinkage, for the skip case. With the two ends
+ now removed, the original unmap va range should expand back to the
+ original range.
+v3:
+ - Track the old start/range separately. vma_size/start() uses the va
+ info directly.
+
+Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/7602
+Fixes: 8f33b4f054fc ("drm/xe: Avoid doing rebinds")
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Cc: Matthew Brost <matthew.brost@intel.com>
+Cc: <stable@vger.kernel.org> # v6.8+
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Link: https://patch.msgid.link/20260318100208.78097-2-matthew.auld@intel.com
+(cherry picked from commit aec6969f75afbf4e01fd5fb5850ed3e9c27043ac)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_pt.c | 12 ++++++------
+ drivers/gpu/drm/xe/xe_vm.c | 22 ++++++++++++++++++----
+ drivers/gpu/drm/xe/xe_vm_types.h | 4 ++++
+ 3 files changed, 28 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/xe/xe_pt.c
++++ b/drivers/gpu/drm/xe/xe_pt.c
+@@ -1451,9 +1451,9 @@ static int op_check_svm_userptr(struct x
+ err = vma_check_userptr(vm, op->map.vma, pt_update);
+ break;
+ case DRM_GPUVA_OP_REMAP:
+- if (op->remap.prev)
++ if (op->remap.prev && !op->remap.skip_prev)
+ err = vma_check_userptr(vm, op->remap.prev, pt_update);
+- if (!err && op->remap.next)
++ if (!err && op->remap.next && !op->remap.skip_next)
+ err = vma_check_userptr(vm, op->remap.next, pt_update);
+ break;
+ case DRM_GPUVA_OP_UNMAP:
+@@ -2038,12 +2038,12 @@ static int op_prepare(struct xe_vm *vm,
+
+ err = unbind_op_prepare(tile, pt_update_ops, old);
+
+- if (!err && op->remap.prev) {
++ if (!err && op->remap.prev && !op->remap.skip_prev) {
+ err = bind_op_prepare(vm, tile, pt_update_ops,
+ op->remap.prev, false);
+ pt_update_ops->wait_vm_bookkeep = true;
+ }
+- if (!err && op->remap.next) {
++ if (!err && op->remap.next && !op->remap.skip_next) {
+ err = bind_op_prepare(vm, tile, pt_update_ops,
+ op->remap.next, false);
+ pt_update_ops->wait_vm_bookkeep = true;
+@@ -2267,10 +2267,10 @@ static void op_commit(struct xe_vm *vm,
+
+ unbind_op_commit(vm, tile, pt_update_ops, old, fence, fence2);
+
+- if (op->remap.prev)
++ if (op->remap.prev && !op->remap.skip_prev)
+ bind_op_commit(vm, tile, pt_update_ops, op->remap.prev,
+ fence, fence2, false);
+- if (op->remap.next)
++ if (op->remap.next && !op->remap.skip_next)
+ bind_op_commit(vm, tile, pt_update_ops, op->remap.next,
+ fence, fence2, false);
+ break;
+--- a/drivers/gpu/drm/xe/xe_vm.c
++++ b/drivers/gpu/drm/xe/xe_vm.c
+@@ -2503,7 +2503,6 @@ static int xe_vma_op_commit(struct xe_vm
+ if (!err && op->remap.skip_prev) {
+ op->remap.prev->tile_present =
+ tile_present;
+- op->remap.prev = NULL;
+ }
+ }
+ if (op->remap.next) {
+@@ -2513,11 +2512,13 @@ static int xe_vma_op_commit(struct xe_vm
+ if (!err && op->remap.skip_next) {
+ op->remap.next->tile_present =
+ tile_present;
+- op->remap.next = NULL;
+ }
+ }
+
+- /* Adjust for partial unbind after removing VMA from VM */
++ /*
++ * Adjust for partial unbind after removing VMA from VM. In case
++ * of unwind we might need to undo this later.
++ */
+ if (!err) {
+ op->base.remap.unmap->va->va.addr = op->remap.start;
+ op->base.remap.unmap->va->va.range = op->remap.range;
+@@ -2636,6 +2637,8 @@ static int vm_bind_ioctl_ops_parse(struc
+
+ op->remap.start = xe_vma_start(old);
+ op->remap.range = xe_vma_size(old);
++ op->remap.old_start = op->remap.start;
++ op->remap.old_range = op->remap.range;
+
+ flags |= op->base.remap.unmap->va->flags & XE_VMA_CREATE_MASK;
+ if (op->base.remap.prev) {
+@@ -2783,8 +2786,19 @@ static void xe_vma_op_unwind(struct xe_v
+ xe_svm_notifier_lock(vm);
+ vma->gpuva.flags &= ~XE_VMA_DESTROYED;
+ xe_svm_notifier_unlock(vm);
+- if (post_commit)
++ if (post_commit) {
++ /*
++ * Restore the old va range, in case of the
++ * prev/next skip optimisation. Otherwise what
++ * we re-insert here could be smaller than the
++ * original range.
++ */
++ op->base.remap.unmap->va->va.addr =
++ op->remap.old_start;
++ op->base.remap.unmap->va->va.range =
++ op->remap.old_range;
+ xe_vm_insert_vma(vm, vma);
++ }
+ }
+ break;
+ }
+--- a/drivers/gpu/drm/xe/xe_vm_types.h
++++ b/drivers/gpu/drm/xe/xe_vm_types.h
+@@ -365,6 +365,10 @@ struct xe_vma_op_remap {
+ u64 start;
+ /** @range: range of the VMA unmap */
+ u64 range;
++ /** @old_start: Original start of the VMA we unmap */
++ u64 old_start;
++ /** @old_range: Original range of the VMA we unmap */
++ u64 old_range;
+ /** @skip_prev: skip prev rebind */
+ bool skip_prev;
+ /** @skip_next: skip next rebind */
--- /dev/null
+From a76e30c2479ce6ffa2aa6c8a8462897afc82bc90 Mon Sep 17 00:00:00 2001
+From: Charles Mirabile <cmirabil@redhat.com>
+Date: Sat, 7 Mar 2026 23:43:30 -0500
+Subject: kbuild: Delete .builtin-dtbs.S when running make clean
+
+From: Charles Mirabile <cmirabil@redhat.com>
+
+commit a76e30c2479ce6ffa2aa6c8a8462897afc82bc90 upstream.
+
+The makefile tries to delete a file named ".builtin-dtb.S" but the file
+created by scripts/Makefile.vmlinux is actually called ".builtin-dtbs.S".
+
+Fixes: 654102df2ac2a ("kbuild: add generic support for built-in boot DTBs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Charles Mirabile <cmirabil@redhat.com>
+Reviewed-by: Nicolas Schier <nsc@kernel.org>
+Link: https://patch.msgid.link/20260308044338.181403-1-cmirabil@redhat.com
+[nathan: Small commit message adjustments]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -1588,7 +1588,7 @@ CLEAN_FILES += vmlinux.symvers modules-o
+ modules.builtin.ranges vmlinux.o.map vmlinux.unstripped \
+ compile_commands.json rust/test \
+ rust-project.json .vmlinux.objs .vmlinux.export.c \
+- .builtin-dtbs-list .builtin-dtb.S
++ .builtin-dtbs-list .builtin-dtbs.S
+
+ # Directories & files removed with 'make mrproper'
+ MRPROPER_FILES += include/config include/generated \
--- /dev/null
+From 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 Mon Sep 17 00:00:00 2001
+From: Hyunwoo Kim <imv4bel@gmail.com>
+Date: Tue, 17 Mar 2026 08:52:01 +0900
+Subject: ksmbd: do not expire session on binding failure
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+commit 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 upstream.
+
+When a multichannel session binding request fails (e.g. wrong password),
+the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED.
+However, during binding, sess points to the target session looked up via
+ksmbd_session_lookup_slowpath() -- which belongs to another connection's
+user. This allows a remote attacker to invalidate any active session by
+simply sending a binding request with a wrong password (DoS).
+
+Fix this by skipping session expiration when the failed request was
+a binding attempt, since the session does not belong to the current
+connection. The reference taken by ksmbd_session_lookup_slowpath() is
+still correctly released via ksmbd_user_session_put().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1948,8 +1948,14 @@ out_err:
+ if (sess->user && sess->user->flags & KSMBD_USER_FLAG_DELAY_SESSION)
+ try_delay = true;
+
+- sess->last_active = jiffies;
+- sess->state = SMB2_SESSION_EXPIRED;
++ /*
++ * For binding requests, session belongs to another
++ * connection. Do not expire it.
++ */
++ if (!(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
++ sess->last_active = jiffies;
++ sess->state = SMB2_SESSION_EXPIRED;
++ }
+ ksmbd_user_session_put(sess);
+ work->sess = NULL;
+ if (try_delay) {
--- /dev/null
+From 309b44ed684496ed3f9c5715d10b899338623512 Mon Sep 17 00:00:00 2001
+From: Werner Kasselman <werner@verivus.com>
+Date: Tue, 17 Mar 2026 07:55:37 +0000
+Subject: ksmbd: fix memory leaks and NULL deref in smb2_lock()
+
+From: Werner Kasselman <werner@verivus.com>
+
+commit 309b44ed684496ed3f9c5715d10b899338623512 upstream.
+
+smb2_lock() has three error handling issues after list_del() detaches
+smb_lock from lock_list at no_check_cl:
+
+1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK
+ path, goto out leaks smb_lock and its flock because the out:
+ handler only iterates lock_list and rollback_list, neither of
+ which contains the detached smb_lock.
+
+2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out
+ leaks smb_lock and flock for the same reason. The error code
+ returned to the dispatcher is also stale.
+
+3) In the rollback path, smb_flock_init() can return NULL on
+ allocation failure. The result is dereferenced unconditionally,
+ causing a kernel NULL pointer dereference. Add a NULL check to
+ prevent the crash and clean up the bookkeeping; the VFS lock
+ itself cannot be rolled back without the allocation and will be
+ released at file or connection teardown.
+
+Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before
+the if(!rc) check in the UNLOCK branch so all exit paths share one
+free site, and by freeing smb_lock and flock before goto out in the
+non-UNLOCK branch. Propagate the correct error code in both cases.
+Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding
+a NULL check for locks_free_lock(rlock) in the shared cleanup.
+
+Found via call-graph analysis using sqry.
+
+Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
+Cc: stable@vger.kernel.org
+Suggested-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
+Signed-off-by: Werner Kasselman <werner@verivus.com>
+Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 29 +++++++++++++++++++----------
+ 1 file changed, 19 insertions(+), 10 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -7602,14 +7602,15 @@ retry:
+ rc = vfs_lock_file(filp, smb_lock->cmd, flock, NULL);
+ skip:
+ if (smb_lock->flags & SMB2_LOCKFLAG_UNLOCK) {
++ locks_free_lock(flock);
++ kfree(smb_lock);
+ if (!rc) {
+ ksmbd_debug(SMB, "File unlocked\n");
+ } else if (rc == -ENOENT) {
+ rsp->hdr.Status = STATUS_NOT_LOCKED;
++ err = rc;
+ goto out;
+ }
+- locks_free_lock(flock);
+- kfree(smb_lock);
+ } else {
+ if (rc == FILE_LOCK_DEFERRED) {
+ void **argv;
+@@ -7678,6 +7679,9 @@ skip:
+ spin_unlock(&work->conn->llist_lock);
+ ksmbd_debug(SMB, "successful in taking lock\n");
+ } else {
++ locks_free_lock(flock);
++ kfree(smb_lock);
++ err = rc;
+ goto out;
+ }
+ }
+@@ -7708,13 +7712,17 @@ out:
+ struct file_lock *rlock = NULL;
+
+ rlock = smb_flock_init(filp);
+- rlock->c.flc_type = F_UNLCK;
+- rlock->fl_start = smb_lock->start;
+- rlock->fl_end = smb_lock->end;
+-
+- rc = vfs_lock_file(filp, F_SETLK, rlock, NULL);
+- if (rc)
+- pr_err("rollback unlock fail : %d\n", rc);
++ if (rlock) {
++ rlock->c.flc_type = F_UNLCK;
++ rlock->fl_start = smb_lock->start;
++ rlock->fl_end = smb_lock->end;
++
++ rc = vfs_lock_file(filp, F_SETLK, rlock, NULL);
++ if (rc)
++ pr_err("rollback unlock fail : %d\n", rc);
++ } else {
++ pr_err("rollback unlock alloc failed\n");
++ }
+
+ list_del(&smb_lock->llist);
+ spin_lock(&work->conn->llist_lock);
+@@ -7724,7 +7732,8 @@ out:
+ spin_unlock(&work->conn->llist_lock);
+
+ locks_free_lock(smb_lock->fl);
+- locks_free_lock(rlock);
++ if (rlock)
++ locks_free_lock(rlock);
+ kfree(smb_lock);
+ }
+ out2:
--- /dev/null
+From beef2634f81f1c086208191f7228bce1d366493d Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Thu, 19 Mar 2026 21:00:02 +0900
+Subject: ksmbd: fix potencial OOB in get_file_all_info() for compound requests
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit beef2634f81f1c086208191f7228bce1d366493d upstream.
+
+When a compound request consists of QUERY_DIRECTORY + QUERY_INFO
+(FILE_ALL_INFORMATION) and the first command consumes nearly the entire
+max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16()
+with PATH_MAX, causing out-of-bounds write beyond the response buffer.
+In get_file_all_info(), there was a missing validation check for
+the client-provided OutputBufferLength before copying the filename into
+FileName field of the smb2_file_all_info structure.
+If the filename length exceeds the available buffer space, it could lead to
+potential buffer overflows or memory corruption during smbConvertToUTF16
+conversion. This calculating the actual free buffer size using
+smb2_calc_max_out_buf_len() and returning -EINVAL if the buffer is
+insufficient and updating smbConvertToUTF16 to use the actual filename
+length (clamped by PATH_MAX) to ensure a safe copy operation.
+
+Cc: stable@vger.kernel.org
+Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
+Reported-by: Asim Viladi Oglu Manizada <manizada@pm.me>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -4943,7 +4943,8 @@ static int get_file_all_info(struct ksmb
+ int conv_len;
+ char *filename;
+ u64 time;
+- int ret;
++ int ret, buf_free_len, filename_len;
++ struct smb2_query_info_req *req = ksmbd_req_buf_next(work);
+
+ if (!(fp->daccess & FILE_READ_ATTRIBUTES_LE)) {
+ ksmbd_debug(SMB, "no right to read the attributes : 0x%x\n",
+@@ -4955,6 +4956,16 @@ static int get_file_all_info(struct ksmb
+ if (IS_ERR(filename))
+ return PTR_ERR(filename);
+
++ filename_len = strlen(filename);
++ buf_free_len = smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_info_rsp, Buffer) +
++ offsetof(struct smb2_file_all_info, FileName),
++ le32_to_cpu(req->OutputBufferLength));
++ if (buf_free_len < (filename_len + 1) * 2) {
++ kfree(filename);
++ return -EINVAL;
++ }
++
+ ret = vfs_getattr(&fp->filp->f_path, &stat, STATX_BASIC_STATS,
+ AT_STATX_SYNC_AS_STAT);
+ if (ret) {
+@@ -4998,7 +5009,8 @@ static int get_file_all_info(struct ksmb
+ file_info->Mode = fp->coption;
+ file_info->AlignmentRequirement = 0;
+ conv_len = smbConvertToUTF16((__le16 *)file_info->FileName, filename,
+- PATH_MAX, conn->local_nls, 0);
++ min(filename_len, PATH_MAX),
++ conn->local_nls, 0);
+ conv_len *= 2;
+ file_info->FileNameLength = cpu_to_le32(conv_len);
+ rsp->OutputBufferLength =
--- /dev/null
+From 0e55f63dd08f09651d39e1b709a91705a8a0ddcb Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 13 Mar 2026 14:45:58 +0900
+Subject: ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 0e55f63dd08f09651d39e1b709a91705a8a0ddcb upstream.
+
+After this commit (e2b76ab8b5c9 "ksmbd: add support for read compound"),
+response buffer management was changed to use dynamic iov array.
+In the new design, smb2_calc_max_out_buf_len() expects the second
+argument (hdr2_len) to be the offset of ->Buffer field in the
+response structure, not a hardcoded magic number.
+Fix the remaining call sites to use the correct offsetof() value.
+
+Cc: stable@vger.kernel.org
+Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -4455,8 +4455,9 @@ int smb2_query_dir(struct ksmbd_work *wo
+ d_info.wptr = (char *)rsp->Buffer;
+ d_info.rptr = (char *)rsp->Buffer;
+ d_info.out_buf_len =
+- smb2_calc_max_out_buf_len(work, 8,
+- le32_to_cpu(req->OutputBufferLength));
++ smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_directory_rsp, Buffer),
++ le32_to_cpu(req->OutputBufferLength));
+ if (d_info.out_buf_len < 0) {
+ rc = -EINVAL;
+ goto err_out;
+@@ -4723,8 +4724,9 @@ static int smb2_get_ea(struct ksmbd_work
+ }
+
+ buf_free_len =
+- smb2_calc_max_out_buf_len(work, 8,
+- le32_to_cpu(req->OutputBufferLength));
++ smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_info_rsp, Buffer),
++ le32_to_cpu(req->OutputBufferLength));
+ if (buf_free_len < 0)
+ return -EINVAL;
+
+@@ -5050,8 +5052,9 @@ static int get_file_stream_info(struct k
+ file_info = (struct smb2_file_stream_info *)rsp->Buffer;
+
+ buf_free_len =
+- smb2_calc_max_out_buf_len(work, 8,
+- le32_to_cpu(req->OutputBufferLength));
++ smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_info_rsp, Buffer),
++ le32_to_cpu(req->OutputBufferLength));
+ if (buf_free_len < 0)
+ goto out;
+
+@@ -8192,8 +8195,9 @@ int smb2_ioctl(struct ksmbd_work *work)
+ buffer = (char *)req + le32_to_cpu(req->InputOffset);
+
+ cnt_code = le32_to_cpu(req->CtlCode);
+- ret = smb2_calc_max_out_buf_len(work, 48,
+- le32_to_cpu(req->MaxOutputResponse));
++ ret = smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_ioctl_rsp, Buffer),
++ le32_to_cpu(req->MaxOutputResponse));
+ if (ret < 0) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ goto out;
--- /dev/null
+From ed4da361bf943b9041fc63e5cb6af01b3c0de978 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Thu, 26 Mar 2026 14:05:38 -0500
+Subject: Revert "ALSA: hda/intel: Add MSI X870E Tomahawk to denylist"
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit ed4da361bf943b9041fc63e5cb6af01b3c0de978 upstream.
+
+commit 30b3211aa2416 ("ALSA: hda/intel: Add MSI X870E Tomahawk
+to denylist") was added to silence a warning, but this effectively
+reintroduced commit df42ee7e22f03 ("ALSA: hda: Add ASRock
+X670E Taichi to denylist") which was already reported to cause
+problems and reverted in commit ee8f1613596ad ("Revert "ALSA: hda:
+Add ASRock X670E Taichi to denylist"")
+
+Revert it yet again.
+
+Cc: stable@vger.kernel.org
+Reported-by: Juhyun Song <juju6985@outlook.kr>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221274
+Cc: Stuart Hayhurst <stuart.a.hayhurst@gmail.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://patch.msgid.link/20260326190542.524515-1-mario.limonciello@amd.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/controllers/intel.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/sound/hda/controllers/intel.c
++++ b/sound/hda/controllers/intel.c
+@@ -2077,7 +2077,6 @@ static const struct pci_device_id driver
+ { PCI_DEVICE_SUB(0x1022, 0x1487, 0x1043, 0x874f) }, /* ASUS ROG Zenith II / Strix */
+ { PCI_DEVICE_SUB(0x1022, 0x1487, 0x1462, 0xcb59) }, /* MSI TRX40 Creator */
+ { PCI_DEVICE_SUB(0x1022, 0x1487, 0x1462, 0xcb60) }, /* MSI TRX40 */
+- { PCI_DEVICE_SUB(0x1022, 0x15e3, 0x1462, 0xee59) }, /* MSI X870E Tomahawk WiFi */
+ {}
+ };
+
--- /dev/null
+From c5c0a268b38adffbb2e70e6957017537ff54c157 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Thu, 26 Mar 2026 14:38:44 +0100
+Subject: s390/barrier: Make array_index_mask_nospec() __always_inline
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit c5c0a268b38adffbb2e70e6957017537ff54c157 upstream.
+
+Mark array_index_mask_nospec() as __always_inline to guarantee the
+mitigation is emitted inline regardless of compiler inlining decisions.
+
+Fixes: e2dd833389cc ("s390: add optimized array_index_mask_nospec")
+Cc: stable@kernel.org
+Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/barrier.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/include/asm/barrier.h
++++ b/arch/s390/include/asm/barrier.h
+@@ -62,8 +62,8 @@ do { \
+ * @size: number of elements in array
+ */
+ #define array_index_mask_nospec array_index_mask_nospec
+-static inline unsigned long array_index_mask_nospec(unsigned long index,
+- unsigned long size)
++static __always_inline unsigned long array_index_mask_nospec(unsigned long index,
++ unsigned long size)
+ {
+ unsigned long mask;
+
--- /dev/null
+From 0738d395aab8fae3b5a3ad3fc640630c91693c27 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Thu, 26 Mar 2026 19:50:14 +0100
+Subject: s390/entry: Scrub r12 register on kernel entry
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit 0738d395aab8fae3b5a3ad3fc640630c91693c27 upstream.
+
+Before commit f33f2d4c7c80 ("s390/bp: remove TIF_ISOLATE_BP"),
+all entry handlers loaded r12 with the current task pointer
+(lg %r12,__LC_CURRENT) for use by the BPENTER/BPEXIT macros. That
+commit removed TIF_ISOLATE_BP, dropping both the branch prediction
+macros and the r12 load, but did not add r12 to the register clearing
+sequence.
+
+Add the missing xgr %r12,%r12 to make the register scrub consistent
+across all entry points.
+
+Fixes: f33f2d4c7c80 ("s390/bp: remove TIF_ISOLATE_BP")
+Cc: stable@kernel.org
+Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/entry.S | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/s390/kernel/entry.S
++++ b/arch/s390/kernel/entry.S
+@@ -254,6 +254,7 @@ SYM_CODE_START(system_call)
+ xgr %r9,%r9
+ xgr %r10,%r10
+ xgr %r11,%r11
++ xgr %r12,%r12
+ la %r2,STACK_FRAME_OVERHEAD(%r15) # pointer to pt_regs
+ mvc __PT_R8(64,%r2),__LC_SAVE_AREA(%r13)
+ MBEAR %r2,%r13
+@@ -390,6 +391,7 @@ SYM_CODE_START(\name)
+ xgr %r6,%r6
+ xgr %r7,%r7
+ xgr %r10,%r10
++ xgr %r12,%r12
+ xc __PT_FLAGS(8,%r11),__PT_FLAGS(%r11)
+ mvc __PT_R8(64,%r11),__LC_SAVE_AREA(%r13)
+ MBEAR %r11,%r13
+@@ -479,6 +481,7 @@ SYM_CODE_START(mcck_int_handler)
+ xgr %r6,%r6
+ xgr %r7,%r7
+ xgr %r10,%r10
++ xgr %r12,%r12
+ stmg %r8,%r9,__PT_PSW(%r11)
+ xc __PT_FLAGS(8,%r11),__PT_FLAGS(%r11)
+ xc __SF_BACKCHAIN(8,%r15),__SF_BACKCHAIN(%r15)
--- /dev/null
+From 48b8814e25d073dd84daf990a879a820bad2bcbd Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 24 Mar 2026 17:34:05 +0100
+Subject: s390/syscalls: Add spectre boundary for syscall dispatch table
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 48b8814e25d073dd84daf990a879a820bad2bcbd upstream.
+
+The s390 syscall number is directly controlled by userspace, but does
+not have an array_index_nospec() boundary to prevent access past the
+syscall function pointer tables.
+
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
+Cc: Sven Schnelle <svens@linux.ibm.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Fixes: 56e62a737028 ("s390: convert to generic entry")
+Cc: stable@kernel.org
+Assisted-by: gkh_clanker_2000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Link: https://lore.kernel.org/r/2026032404-sterling-swoosh-43e6@gregkh
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/syscall.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kernel/syscall.c
++++ b/arch/s390/kernel/syscall.c
+@@ -13,6 +13,7 @@
+ */
+
+ #include <linux/cpufeature.h>
++#include <linux/nospec.h>
+ #include <linux/errno.h>
+ #include <linux/sched.h>
+ #include <linux/mm.h>
+@@ -121,8 +122,10 @@ void noinstr __do_syscall(struct pt_regs
+ if (unlikely(test_and_clear_pt_regs_flag(regs, PIF_SYSCALL_RET_SET)))
+ goto out;
+ regs->gprs[2] = -ENOSYS;
+- if (likely(nr < NR_syscalls))
++ if (likely(nr < NR_syscalls)) {
++ nr = array_index_nospec(nr, NR_syscalls);
+ regs->gprs[2] = current->thread.sys_call_table[nr](regs);
++ }
+ out:
+ syscall_exit_to_user_mode(regs);
+ }
asoc-adau1372-fix-clock-leak-on-pll-lock-failure.patch
spi-spi-fsl-lpspi-fix-teardown-order-issue-uaf.patch
alsa-usb-audio-exclude-scarlett-2i4-1st-gen-from-ski.patch
+s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch
+s390-barrier-make-array_index_mask_nospec-__always_inline.patch
+s390-entry-scrub-r12-register-on-kernel-entry.patch
+tracing-fix-potential-deadlock-in-cpu-hotplug-with-osnoise.patch
+drm-xe-always-keep-track-of-remap-prev-next.patch
+ksmbd-replace-hardcoded-hdr2_len-with-offsetof-in-smb2_calc_max_out_buf_len.patch
+ksmbd-fix-potencial-oob-in-get_file_all_info-for-compound-requests.patch
+ksmbd-fix-memory-leaks-and-null-deref-in-smb2_lock.patch
+ksmbd-do-not-expire-session-on-binding-failure.patch
+revert-alsa-hda-intel-add-msi-x870e-tomahawk-to-denylist.patch
+alsa-hda-realtek-add-quirk-for-asus-strix-g16-g615jmr.patch
+alsa-firewire-lib-fix-uninitialized-local-variable.patch
+asoc-codecs-wcd934x-fix-typo-in-dt-parsing.patch
+asoc-sma1307-fix-double-free-of-devm_kzalloc-memory.patch
+asoc-sof-ipc4-topology-allow-bytes-controls-without-initial-payload.patch
+can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch
+can-isotp-fix-tx.buf-use-after-free-in-isotp_sendmsg.patch
+can-netlink-can_changelink-add-missing-error-handling-to-call-can_ctrlmode_changelink.patch
+cpufreq-conservative-reset-requested_freq-on-limits-change.patch
+kbuild-delete-.builtin-dtbs.s-when-running-make-clean.patch
--- /dev/null
+From 1f9885732248d22f788e4992c739a98c88ab8a55 Mon Sep 17 00:00:00 2001
+From: Luo Haiyang <luo.haiyang@zte.com.cn>
+Date: Thu, 26 Mar 2026 14:19:53 +0800
+Subject: tracing: Fix potential deadlock in cpu hotplug with osnoise
+
+From: Luo Haiyang <luo.haiyang@zte.com.cn>
+
+commit 1f9885732248d22f788e4992c739a98c88ab8a55 upstream.
+
+The following sequence may leads deadlock in cpu hotplug:
+
+ task1 task2 task3
+ ----- ----- -----
+
+ mutex_lock(&interface_lock)
+
+ [CPU GOING OFFLINE]
+
+ cpus_write_lock();
+ osnoise_cpu_die();
+ kthread_stop(task3);
+ wait_for_completion();
+
+ osnoise_sleep();
+ mutex_lock(&interface_lock);
+
+ cpus_read_lock();
+
+ [DEAD LOCK]
+
+Fix by swap the order of cpus_read_lock() and mutex_lock(&interface_lock).
+
+Cc: stable@vger.kernel.org
+Cc: <mathieu.desnoyers@efficios.com>
+Cc: <zhang.run@zte.com.cn>
+Cc: <yang.tao172@zte.com.cn>
+Cc: <ran.xiaokai@zte.com.cn>
+Fixes: bce29ac9ce0bb ("trace: Add osnoise tracer")
+Link: https://patch.msgid.link/20260326141953414bVSj33dAYktqp9Oiyizq8@zte.com.cn
+Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Luo Haiyang <luo.haiyang@zte.com.cn>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_osnoise.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/trace/trace_osnoise.c
++++ b/kernel/trace/trace_osnoise.c
+@@ -2073,8 +2073,8 @@ static void osnoise_hotplug_workfn(struc
+ if (!osnoise_has_registered_instances())
+ return;
+
+- guard(mutex)(&interface_lock);
+ guard(cpus_read_lock)();
++ guard(mutex)(&interface_lock);
+
+ if (!cpu_online(cpu))
+ return;
+@@ -2237,11 +2237,11 @@ static ssize_t osnoise_options_write(str
+ if (running)
+ stop_per_cpu_kthreads();
+
+- mutex_lock(&interface_lock);
+ /*
+ * avoid CPU hotplug operations that might read options.
+ */
+ cpus_read_lock();
++ mutex_lock(&interface_lock);
+
+ retval = cnt;
+
+@@ -2257,8 +2257,8 @@ static ssize_t osnoise_options_write(str
+ clear_bit(option, &osnoise_options);
+ }
+
+- cpus_read_unlock();
+ mutex_unlock(&interface_lock);
++ cpus_read_unlock();
+
+ if (running)
+ start_per_cpu_kthreads();
+@@ -2345,16 +2345,16 @@ osnoise_cpus_write(struct file *filp, co
+ if (running)
+ stop_per_cpu_kthreads();
+
+- mutex_lock(&interface_lock);
+ /*
+ * osnoise_cpumask is read by CPU hotplug operations.
+ */
+ cpus_read_lock();
++ mutex_lock(&interface_lock);
+
+ cpumask_copy(&osnoise_cpumask, osnoise_cpumask_new);
+
+- cpus_read_unlock();
+ mutex_unlock(&interface_lock);
++ cpus_read_unlock();
+
+ if (running)
+ start_per_cpu_kthreads();
projects / thirdparty / kernel / stable-queue.git / commitdiff
