--- /dev/null
+From 82d12088c297fa1cef670e1718b3d24f414c23f7 Mon Sep 17 00:00:00 2001
+From: Tianchu Chen <flynnnchen@tencent.com>
+Date: Fri, 28 Nov 2025 15:53:23 +0800
+Subject: char: applicom: fix NULL pointer dereference in ac_ioctl
+
+From: Tianchu Chen <flynnnchen@tencent.com>
+
+commit 82d12088c297fa1cef670e1718b3d24f414c23f7 upstream.
+
+Discovered by Atuin - Automated Vulnerability Discovery Engine.
+
+In ac_ioctl, the validation of IndexCard and the check for a valid
+RamIO pointer are skipped when cmd is 6. However, the function
+unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the
+end.
+
+If cmd is 6, IndexCard may reference a board that does not exist
+(where RamIO is NULL), leading to a NULL pointer dereference.
+
+Fix this by skipping the readb access when cmd is 6, as this
+command is a global information query and does not target a specific
+board context.
+
+Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/20251128155323.a786fde92ebb926cbe96fcb1@linux.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/applicom.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/applicom.c
++++ b/drivers/char/applicom.c
+@@ -836,7 +836,10 @@ static long ac_ioctl(struct file *file,
+ ret = -ENOTTY;
+ break;
+ }
+- Dummy = readb(apbs[IndexCard].RamIO + VERS);
++
++ if (cmd != 6)
++ Dummy = readb(apbs[IndexCard].RamIO + VERS);
++
+ kfree(adgl);
+ mutex_unlock(&ac_mutex);
+ return ret;
--- /dev/null
+From 9600156bb99852c216a2128cdf9f114eb67c350f Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Mon, 27 Oct 2025 23:04:45 +0800
+Subject: cpufreq: nforce2: fix reference count leak in nforce2
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 9600156bb99852c216a2128cdf9f114eb67c350f upstream.
+
+There are two reference count leaks in this driver:
+
+1. In nforce2_fsb_read(): pci_get_subsys() increases the reference count
+ of the PCI device, but pci_dev_put() is never called to release it,
+ thus leaking the reference.
+
+2. In nforce2_detect_chipset(): pci_get_subsys() gets a reference to the
+ nforce2_dev which is stored in a global variable, but the reference
+ is never released when the module is unloaded.
+
+Fix both by:
+- Adding pci_dev_put(nforce2_sub5) in nforce2_fsb_read() after reading
+ the configuration.
+- Adding pci_dev_put(nforce2_dev) in nforce2_exit() to release the
+ global device reference.
+
+Found via static analysis.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cpufreq-nforce2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/cpufreq/cpufreq-nforce2.c
++++ b/drivers/cpufreq/cpufreq-nforce2.c
+@@ -145,6 +145,8 @@ static unsigned int nforce2_fsb_read(int
+ pci_read_config_dword(nforce2_sub5, NFORCE2_BOOTFSB, &fsb);
+ fsb /= 1000000;
+
++ pci_dev_put(nforce2_sub5);
++
+ /* Check if PLL register is already set */
+ pci_read_config_byte(nforce2_dev, NFORCE2_PLLENABLE, (u8 *)&temp);
+
+@@ -432,6 +434,7 @@ static int __init nforce2_init(void)
+ static void __exit nforce2_exit(void)
+ {
+ cpufreq_unregister_driver(&nforce2_driver);
++ pci_dev_put(nforce2_dev);
+ }
+
+ module_init(nforce2_init);
--- /dev/null
+From 01fba45deaddcce0d0b01c411435d1acf6feab7b Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Wed, 5 Nov 2025 14:50:22 +0800
+Subject: f2fs: fix return value of f2fs_recover_fsync_data()
+
+From: Chao Yu <chao@kernel.org>
+
+commit 01fba45deaddcce0d0b01c411435d1acf6feab7b upstream.
+
+With below scripts, it will trigger panic in f2fs:
+
+mkfs.f2fs -f /dev/vdd
+mount /dev/vdd /mnt/f2fs
+touch /mnt/f2fs/foo
+sync
+echo 111 >> /mnt/f2fs/foo
+f2fs_io fsync /mnt/f2fs/foo
+f2fs_io shutdown 2 /mnt/f2fs
+umount /mnt/f2fs
+mount -o ro,norecovery /dev/vdd /mnt/f2fs
+or
+mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs
+
+F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0
+F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f
+F2FS-fs (vdd): Stopped filesystem due to reason: 0
+F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1
+Filesystem f2fs get_tree() didn't set fc->root, returned 1
+------------[ cut here ]------------
+kernel BUG at fs/super.c:1761!
+Oops: invalid opcode: 0000 [#1] SMP PTI
+CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+RIP: 0010:vfs_get_tree.cold+0x18/0x1a
+Call Trace:
+ <TASK>
+ fc_mount+0x13/0xa0
+ path_mount+0x34e/0xc50
+ __x64_sys_mount+0x121/0x150
+ do_syscall_64+0x84/0x800
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+RIP: 0033:0x7fa6cc126cfe
+
+The root cause is we missed to handle error number returned from
+f2fs_recover_fsync_data() when mounting image w/ ro,norecovery or
+ro,disable_roll_forward mount option, result in returning a positive
+error number to vfs_get_tree(), fix it.
+
+Cc: stable@kernel.org
+Fixes: 6781eabba1bd ("f2fs: give -EINVAL for norecovery and rw mount")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/super.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -4497,11 +4497,15 @@ try_onemore:
+ }
+ } else {
+ err = f2fs_recover_fsync_data(sbi, true);
+-
+- if (!f2fs_readonly(sb) && err > 0) {
+- err = -EINVAL;
+- f2fs_err(sbi, "Need to recover fsync data");
+- goto free_meta;
++ if (err > 0) {
++ if (!f2fs_readonly(sb)) {
++ f2fs_err(sbi, "Need to recover fsync data");
++ err = -EINVAL;
++ goto free_meta;
++ } else {
++ f2fs_info(sbi, "drop all fsynced data");
++ err = 0;
++ }
+ }
+ }
+
--- /dev/null
+From d33f89b34aa313f50f9a512d58dd288999f246b0 Mon Sep 17 00:00:00 2001
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+Date: Mon, 27 Oct 2025 18:36:34 +0530
+Subject: f2fs: invalidate dentry cache on failed whiteout creation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+commit d33f89b34aa313f50f9a512d58dd288999f246b0 upstream.
+
+F2FS can mount filesystems with corrupted directory depth values that
+get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT
+operations are performed on such directories, f2fs_rename performs
+directory modifications (updating target entry and deleting source
+entry) before attempting to add the whiteout entry via f2fs_add_link.
+
+If f2fs_add_link fails due to the corrupted directory structure, the
+function returns an error to VFS, but the partial directory
+modifications have already been committed to disk. VFS assumes the
+entire rename operation failed and does not update the dentry cache,
+leaving stale mappings.
+
+In the error path, VFS does not call d_move() to update the dentry
+cache. This results in new_dentry still pointing to the old inode
+(new_inode) which has already had its i_nlink decremented to zero.
+The stale cache causes subsequent operations to incorrectly reference
+the freed inode.
+
+This causes subsequent operations to use cached dentry information that
+no longer matches the on-disk state. When a second rename targets the
+same entry, VFS attempts to decrement i_nlink on the stale inode, which
+may already have i_nlink=0, triggering a WARNING in drop_nlink().
+
+Example sequence:
+1. First rename (RENAME_WHITEOUT): file2 → file1
+ - f2fs updates file1 entry on disk (points to inode 8)
+ - f2fs deletes file2 entry on disk
+ - f2fs_add_link(whiteout) fails (corrupted directory)
+ - Returns error to VFS
+ - VFS does not call d_move() due to error
+ - VFS cache still has: file1 → inode 7 (stale!)
+ - inode 7 has i_nlink=0 (already decremented)
+
+2. Second rename: file3 → file1
+ - VFS uses stale cache: file1 → inode 7
+ - Tries to drop_nlink on inode 7 (i_nlink already 0)
+ - WARNING in drop_nlink()
+
+Fix this by explicitly invalidating old_dentry and new_dentry when
+f2fs_add_link fails during whiteout creation. This forces VFS to
+refresh from disk on subsequent operations, ensuring cache consistency
+even when the rename partially succeeds.
+
+Reproducer:
+1. Mount F2FS image with corrupted i_current_depth
+2. renameat2(file2, file1, RENAME_WHITEOUT)
+3. renameat2(file3, file1, 0)
+4. System triggers WARNING in drop_nlink()
+
+Fixes: 7e01e7ad746b ("f2fs: support RENAME_WHITEOUT")
+Reported-by: syzbot+632cf32276a9a564188d@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=632cf32276a9a564188d
+Suggested-by: Chao Yu <chao@kernel.org>
+Link: https://lore.kernel.org/all/20251022233349.102728-1-kartikey406@gmail.com/ [v1]
+Cc: stable@vger.kernel.org
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/namei.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -1028,9 +1028,11 @@ static int f2fs_rename(struct user_names
+ if (whiteout) {
+ set_inode_flag(whiteout, FI_INC_LINK);
+ err = f2fs_add_link(old_dentry, whiteout);
+- if (err)
++ if (err) {
++ d_invalidate(old_dentry);
++ d_invalidate(new_dentry);
+ goto put_out_dir;
+-
++ }
+ spin_lock(&whiteout->i_lock);
+ whiteout->i_state &= ~I_LINKABLE;
+ spin_unlock(&whiteout->i_lock);
--- /dev/null
+From 6d5925b667e4ed9e77c8278cc215191d29454a3f Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Wed, 12 Nov 2025 17:17:23 +0800
+Subject: intel_th: Fix error handling in intel_th_output_open
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit 6d5925b667e4ed9e77c8278cc215191d29454a3f upstream.
+
+intel_th_output_open() calls bus_find_device_by_devt() which
+internally increments the device reference count via get_device(), but
+this reference is not properly released in several error paths. When
+device driver is unavailable, file operations cannot be obtained, or
+the driver's open method fails, the function returns without calling
+put_device(), leading to a permanent device reference count leak. This
+prevents the device from being properly released and could cause
+resource exhaustion over time.
+
+Found by code review.
+
+Cc: stable <stable@kernel.org>
+Fixes: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Link: https://patch.msgid.link/20251112091723.35963-1-make24@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/intel_th/core.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+--- a/drivers/hwtracing/intel_th/core.c
++++ b/drivers/hwtracing/intel_th/core.c
+@@ -810,13 +810,17 @@ static int intel_th_output_open(struct i
+ int err;
+
+ dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev);
+- if (!dev || !dev->driver)
+- return -ENODEV;
++ if (!dev || !dev->driver) {
++ err = -ENODEV;
++ goto out_no_device;
++ }
+
+ thdrv = to_intel_th_driver(dev->driver);
+ fops = fops_get(thdrv->fops);
+- if (!fops)
+- return -ENODEV;
++ if (!fops) {
++ err = -ENODEV;
++ goto out_put_device;
++ }
+
+ replace_fops(file, fops);
+
+@@ -824,10 +828,16 @@ static int intel_th_output_open(struct i
+
+ if (file->f_op->open) {
+ err = file->f_op->open(inode, file);
+- return err;
++ if (err)
++ goto out_put_device;
+ }
+
+ return 0;
++
++out_put_device:
++ put_device(dev);
++out_no_device:
++ return err;
+ }
+
+ static const struct file_operations intel_th_output_fops = {
--- /dev/null
+From b91e6aafe8d356086cc621bc03e35ba2299e4788 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Mon, 21 Apr 2025 21:52:44 +0900
+Subject: media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit b91e6aafe8d356086cc621bc03e35ba2299e4788 upstream.
+
+rlen value is a user-controlled value, but dtv5100_i2c_msg() does not
+check the size of the rlen value. Therefore, if it is set to a value
+larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data.
+
+Therefore, we need to add proper range checking to prevent this vuln.
+
+Fixes: 60688d5e6e6e ("V4L/DVB (8735): dtv5100: replace dummy frontend by zl10353")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/dvb-usb/dtv5100.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/media/usb/dvb-usb/dtv5100.c
++++ b/drivers/media/usb/dvb-usb/dtv5100.c
+@@ -55,6 +55,11 @@ static int dtv5100_i2c_msg(struct dvb_us
+ }
+ index = (addr << 8) + wbuf[0];
+
++ if (rlen > sizeof(st->data)) {
++ warn("rlen = %x is too big!\n", rlen);
++ return -EINVAL;
++ }
++
+ memcpy(st->data, rbuf, rlen);
+ msleep(1); /* avoid I2C errors */
+ return usb_control_msg(d->udev, pipe, request,
--- /dev/null
+From be440980eace19c035a0745fd6b6e42707bc4f49 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.i.king@gmail.com>
+Date: Wed, 3 Sep 2025 09:44:16 +0100
+Subject: media: pvrusb2: Fix incorrect variable used in trace message
+
+From: Colin Ian King <colin.i.king@gmail.com>
+
+commit be440980eace19c035a0745fd6b6e42707bc4f49 upstream.
+
+The pvr2_trace message is reporting an error about control read
+transfers, however it is using the incorrect variable write_len
+instead of read_lean. Fix this by using the correct variable
+read_len.
+
+Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")
+Cc: stable@vger.kernel.org
+Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+@@ -3620,7 +3620,7 @@ static int pvr2_send_request_ex(struct p
+ pvr2_trace(
+ PVR2_TRACE_ERROR_LEGS,
+ "Attempted to execute %d byte control-read transfer (limit=%d)",
+- write_len,PVR2_CTL_BUFFSIZE);
++ read_len, PVR2_CTL_BUFFSIZE);
+ return -EINVAL;
+ }
+ if ((!write_len) && (!read_len)) {
--- /dev/null
+From 6f52063db9aabdaabea929b1e998af98c2e8d917 Mon Sep 17 00:00:00 2001
+From: Dai Ngo <dai.ngo@oracle.com>
+Date: Wed, 5 Nov 2025 12:45:54 -0800
+Subject: NFSD: use correct reservation type in nfsd4_scsi_fence_client
+
+From: Dai Ngo <dai.ngo@oracle.com>
+
+commit 6f52063db9aabdaabea929b1e998af98c2e8d917 upstream.
+
+The reservation type argument for the pr_preempt call should match the
+one used in nfsd4_block_get_device_info_scsi.
+
+Fixes: f99d4fbdae67 ("nfsd: add SCSI layout support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/blocklayout.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/blocklayout.c
++++ b/fs/nfsd/blocklayout.c
+@@ -334,7 +334,8 @@ nfsd4_scsi_fence_client(struct nfs4_layo
+ struct block_device *bdev = ls->ls_file->nf_file->f_path.mnt->mnt_sb->s_bdev;
+
+ bdev->bd_disk->fops->pr_ops->pr_preempt(bdev, NFSD_MDS_PR_KEY,
+- nfsd4_scsi_pr_key(clp), 0, true);
++ nfsd4_scsi_pr_key(clp),
++ PR_EXCLUSIVE_ACCESS_REG_ONLY, true);
+ }
+
+ const struct nfsd4_layout_ops scsi_layout_ops = {
--- /dev/null
+From 356d1924b9a6bc2164ce2bf1fad147b0c37ae085 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Oct 2025 07:45:37 +0200
+Subject: phy: broadcom: bcm63xx-usbh: fix section mismatches
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 356d1924b9a6bc2164ce2bf1fad147b0c37ae085 upstream.
+
+Platform drivers can be probed after their init sections have been
+discarded (e.g. on probe deferral or manual rebind through sysfs) so the
+probe function and match table must not live in init.
+
+Fixes: 783f6d3dcf35 ("phy: bcm63xx-usbh: Add BCM63xx USBH driver")
+Cc: stable@vger.kernel.org # 5.9
+Cc: Álvaro Fernández Rojas <noltari@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patch.msgid.link/20251017054537.6884-1-johan@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/broadcom/phy-bcm63xx-usbh.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/phy/broadcom/phy-bcm63xx-usbh.c
++++ b/drivers/phy/broadcom/phy-bcm63xx-usbh.c
+@@ -374,7 +374,7 @@ static struct phy *bcm63xx_usbh_phy_xlat
+ return of_phy_simple_xlate(dev, args);
+ }
+
+-static int __init bcm63xx_usbh_phy_probe(struct platform_device *pdev)
++static int bcm63xx_usbh_phy_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+ struct bcm63xx_usbh_phy *usbh;
+@@ -431,7 +431,7 @@ static int __init bcm63xx_usbh_phy_probe
+ return 0;
+ }
+
+-static const struct of_device_id bcm63xx_usbh_phy_ids[] __initconst = {
++static const struct of_device_id bcm63xx_usbh_phy_ids[] = {
+ { .compatible = "brcm,bcm6318-usbh-phy", .data = &usbh_bcm6318 },
+ { .compatible = "brcm,bcm6328-usbh-phy", .data = &usbh_bcm6328 },
+ { .compatible = "brcm,bcm6358-usbh-phy", .data = &usbh_bcm6358 },
+@@ -442,7 +442,7 @@ static const struct of_device_id bcm63xx
+ };
+ MODULE_DEVICE_TABLE(of, bcm63xx_usbh_phy_ids);
+
+-static struct platform_driver bcm63xx_usbh_phy_driver __refdata = {
++static struct platform_driver bcm63xx_usbh_phy_driver = {
+ .driver = {
+ .name = "bcm63xx-usbh-phy",
+ .of_match_table = bcm63xx_usbh_phy_ids,
--- /dev/null
+From f6ab594672d4cba08540919a4e6be2e202b60007 Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Wed, 29 Oct 2025 00:29:04 +0800
+Subject: scsi: aic94xx: fix use-after-free in device removal path
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit f6ab594672d4cba08540919a4e6be2e202b60007 upstream.
+
+The asd_pci_remove() function fails to synchronize with pending tasklets
+before freeing the asd_ha structure, leading to a potential
+use-after-free vulnerability.
+
+When a device removal is triggered (via hot-unplug or module unload),
+race condition can occur.
+
+The fix adds tasklet_kill() before freeing the asd_ha structure,
+ensuring all scheduled tasklets complete before cleanup proceeds.
+
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Reported-by: Junrui Luo <moonafterrain@outlook.com>
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/ME2PR01MB3156AB7DCACA206C845FC7E8AFFDA@ME2PR01MB3156.ausprd01.prod.outlook.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/aic94xx/aic94xx_init.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/aic94xx/aic94xx_init.c
++++ b/drivers/scsi/aic94xx/aic94xx_init.c
+@@ -897,6 +897,9 @@ static void asd_pci_remove(struct pci_de
+
+ asd_disable_ints(asd_ha);
+
++ /* Ensure all scheduled tasklets complete before freeing resources */
++ tasklet_kill(&asd_ha->seq.dl_tasklet);
++
+ asd_remove_dev_attrs(asd_ha);
+
+ /* XXX more here as needed */
--- /dev/null
+From b57fbc88715b6d18f379463f48a15b560b087ffe Mon Sep 17 00:00:00 2001
+From: Tony Battersby <tonyb@cybernetics.com>
+Date: Mon, 10 Nov 2025 10:47:35 -0500
+Subject: scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
+
+From: Tony Battersby <tonyb@cybernetics.com>
+
+commit b57fbc88715b6d18f379463f48a15b560b087ffe upstream.
+
+This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.
+
+The commit being reverted added code to __qla2x00_abort_all_cmds() to
+call sp->done() without holding a spinlock. But unlike the older code
+below it, this new code failed to check sp->cmd_type and just assumed
+TYPE_SRB, which results in a jump to an invalid pointer in target-mode
+with TYPE_TGT_CMD:
+
+qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success
+ 0000000009f7a79b
+qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h
+ mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.
+qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer
+qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event
+ 0x8002 occurred
+qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -
+ ha=0000000058183fda.
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+PF: supervisor instruction fetch in kernel mode
+PF: error_code(0x0010) - not-present page
+PGD 0 P4D 0
+Oops: 0010 [#1] SMP
+CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1
+Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023
+RIP: 0010:0x0
+Code: Unable to access opcode bytes at 0xffffffffffffffd6.
+RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206
+RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000
+RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0
+RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045
+R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40
+R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400
+FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ ? __die+0x4d/0x8b
+ ? page_fault_oops+0x91/0x180
+ ? trace_buffer_unlock_commit_regs+0x38/0x1a0
+ ? exc_page_fault+0x391/0x5e0
+ ? asm_exc_page_fault+0x22/0x30
+ __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]
+ qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]
+ qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]
+ qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]
+ qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]
+ kthread+0xa8/0xd0
+ </TASK>
+
+Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within
+lock") added the spinlock back, because not having the lock caused a
+race and a crash. But qla2x00_abort_srb() in the switch below already
+checks for qla2x00_chip_is_down() and handles it the same way, so the
+code above the switch is now redundant and still buggy in target-mode.
+Remove it.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
+Link: https://patch.msgid.link/3a8022dc-bcfd-4b01-9f9b-7a9ec61fa2a3@cybernetics.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -1869,12 +1869,6 @@ __qla2x00_abort_all_cmds(struct qla_qpai
+ for (cnt = 1; cnt < req->num_outstanding_cmds; cnt++) {
+ sp = req->outstanding_cmds[cnt];
+ if (sp) {
+- if (qla2x00_chip_is_down(vha)) {
+- req->outstanding_cmds[cnt] = NULL;
+- sp->done(sp, res);
+- continue;
+- }
+-
+ switch (sp->cmd_type) {
+ case TYPE_SRB:
+ qla2x00_abort_srb(qp, sp, res, &flags);
--- /dev/null
+From 5053eab38a4c4543522d0c320c639c56a8b59908 Mon Sep 17 00:00:00 2001
+From: Andrey Vatoropin <a.vatoropin@crpt.ru>
+Date: Tue, 18 Nov 2025 08:42:31 +0000
+Subject: scsi: target: Reset t_task_cdb pointer in error case
+
+From: Andrey Vatoropin <a.vatoropin@crpt.ru>
+
+commit 5053eab38a4c4543522d0c320c639c56a8b59908 upstream.
+
+If allocation of cmd->t_task_cdb fails, it remains NULL but is later
+dereferenced in the 'err' path.
+
+In case of error, reset NULL t_task_cdb value to point at the default
+fixed-size buffer.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 9e95fb805dc0 ("scsi: target: Fix NULL pointer dereference")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru>
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Link: https://patch.msgid.link/20251118084014.324940-1-a.vatoropin@crpt.ru
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_transport.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1524,6 +1524,7 @@ target_cmd_init_cdb(struct se_cmd *cmd,
+ if (scsi_command_size(cdb) > sizeof(cmd->__t_task_cdb)) {
+ cmd->t_task_cdb = kzalloc(scsi_command_size(cdb), gfp);
+ if (!cmd->t_task_cdb) {
++ cmd->t_task_cdb = &cmd->__t_task_cdb[0];
+ pr_err("Unable to allocate cmd->t_task_cdb"
+ " %u > sizeof(cmd->__t_task_cdb): %lu ops\n",
+ scsi_command_size(cdb),
ext4-align-max-orphan-file-size-with-e2fsprogs-limit.patch
jbd2-use-a-weaker-annotation-in-journal-handling.patch
media-v4l2-mem2mem-fix-outdated-documentation.patch
+usb-usb-storage-maintain-minimal-modifications-to-the-bcddevice-range.patch
+media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch
+media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch
+phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch
+usb-lpc32xx_udc-fix-error-handling-in-probe.patch
+usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch
+usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch
+usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch
+usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch
+char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch
+intel_th-fix-error-handling-in-intel_th_output_open.patch
+cpufreq-nforce2-fix-reference-count-leak-in-nforce2.patch
+scsi-revert-scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch
+scsi-aic94xx-fix-use-after-free-in-device-removal-path.patch
+nfsd-use-correct-reservation-type-in-nfsd4_scsi_fence_client.patch
+scsi-target-reset-t_task_cdb-pointer-in-error-case.patch
+f2fs-invalidate-dentry-cache-on-failed-whiteout-creation.patch
+f2fs-fix-return-value-of-f2fs_recover_fsync_data.patch
--- /dev/null
+From 3b4961313d31e200c9e974bb1536cdea217f78b5 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Thu, 11 Dec 2025 10:49:36 +0400
+Subject: usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 3b4961313d31e200c9e974bb1536cdea217f78b5 upstream.
+
+When clk_bulk_prepare_enable() fails, the error path jumps to
+err_resetc_assert, skipping clk_bulk_put_all() and leaking the
+clock references acquired by clk_bulk_get_all().
+
+Add err_clk_put_all label to properly release clock resources
+in all error paths.
+
+Found via static analysis and code review.
+
+Fixes: c0c61471ef86 ("usb: dwc3: of-simple: Convert to bulk clk API")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://patch.msgid.link/20251211064937.2360510-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/dwc3-of-simple.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/dwc3/dwc3-of-simple.c
++++ b/drivers/usb/dwc3/dwc3-of-simple.c
+@@ -71,11 +71,11 @@ static int dwc3_of_simple_probe(struct p
+ simple->num_clocks = ret;
+ ret = clk_bulk_prepare_enable(simple->num_clocks, simple->clks);
+ if (ret)
+- goto err_resetc_assert;
++ goto err_clk_put_all;
+
+ ret = of_platform_populate(np, NULL, NULL, dev);
+ if (ret)
+- goto err_clk_put;
++ goto err_clk_disable;
+
+ pm_runtime_set_active(dev);
+ pm_runtime_enable(dev);
+@@ -83,8 +83,9 @@ static int dwc3_of_simple_probe(struct p
+
+ return 0;
+
+-err_clk_put:
++err_clk_disable:
+ clk_bulk_disable_unprepare(simple->num_clocks, simple->clks);
++err_clk_put_all:
+ clk_bulk_put_all(simple->num_clocks, simple->clks);
+
+ err_resetc_assert:
--- /dev/null
+From c84117912bddd9e5d87e68daf182410c98181407 Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Mon, 15 Dec 2025 10:09:31 +0800
+Subject: USB: lpc32xx_udc: Fix error handling in probe
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit c84117912bddd9e5d87e68daf182410c98181407 upstream.
+
+lpc32xx_udc_probe() acquires an i2c_client reference through
+isp1301_get_client() but fails to release it in both error handling
+paths and the normal removal path. This could result in a reference
+count leak for the I2C device, preventing proper cleanup and potentially
+leading to resource exhaustion. Add put_device() to release the
+reference in the probe failure path and in the remove function.
+
+Calling path: isp1301_get_client() -> of_find_i2c_device_by_node() ->
+i2c_find_device_by_fwnode(). As comments of i2c_find_device_by_fwnode()
+says, 'The user must call put_device(&client->dev) once done with the
+i2c client.'
+
+Found by code review.
+
+Cc: stable <stable@kernel.org>
+Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Link: https://patch.msgid.link/20251215020931.15324-1-make24@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/lpc32xx_udc.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
++++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
+@@ -3027,7 +3027,7 @@ static int lpc32xx_udc_probe(struct plat
+ pdev->dev.dma_mask = &lpc32xx_usbd_dmamask;
+ retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
+ if (retval)
+- return retval;
++ goto i2c_fail;
+
+ udc->board = &lpc32xx_usbddata;
+
+@@ -3045,28 +3045,32 @@ static int lpc32xx_udc_probe(struct plat
+ /* Get IRQs */
+ for (i = 0; i < 4; i++) {
+ udc->udp_irq[i] = platform_get_irq(pdev, i);
+- if (udc->udp_irq[i] < 0)
+- return udc->udp_irq[i];
++ if (udc->udp_irq[i] < 0) {
++ retval = udc->udp_irq[i];
++ goto i2c_fail;
++ }
+ }
+
+ udc->udp_baseaddr = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(udc->udp_baseaddr)) {
+ dev_err(udc->dev, "IO map failure\n");
+- return PTR_ERR(udc->udp_baseaddr);
++ retval = PTR_ERR(udc->udp_baseaddr);
++ goto i2c_fail;
+ }
+
+ /* Get USB device clock */
+ udc->usb_slv_clk = devm_clk_get(&pdev->dev, NULL);
+ if (IS_ERR(udc->usb_slv_clk)) {
+ dev_err(udc->dev, "failed to acquire USB device clock\n");
+- return PTR_ERR(udc->usb_slv_clk);
++ retval = PTR_ERR(udc->usb_slv_clk);
++ goto i2c_fail;
+ }
+
+ /* Enable USB device clock */
+ retval = clk_prepare_enable(udc->usb_slv_clk);
+ if (retval < 0) {
+ dev_err(udc->dev, "failed to start USB device clock\n");
+- return retval;
++ goto i2c_fail;
+ }
+
+ /* Setup deferred workqueue data */
+@@ -3168,6 +3172,8 @@ dma_alloc_fail:
+ dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
+ udc->udca_v_base, udc->udca_p_base);
+ i2c_fail:
++ if (udc->isp1301_i2c_client)
++ put_device(&udc->isp1301_i2c_client->dev);
+ clk_disable_unprepare(udc->usb_slv_clk);
+ dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval);
+
+@@ -3193,6 +3199,9 @@ static int lpc32xx_udc_remove(struct pla
+ dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
+ udc->udca_v_base, udc->udca_p_base);
+
++ if (udc->isp1301_i2c_client)
++ put_device(&udc->isp1301_i2c_client->dev);
++
+ clk_disable_unprepare(udc->usb_slv_clk);
+
+ return 0;
--- /dev/null
+From 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f Mon Sep 17 00:00:00 2001
+From: Duoming Zhou <duoming@zju.edu.cn>
+Date: Fri, 5 Dec 2025 11:48:31 +0800
+Subject: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+commit 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f upstream.
+
+The delayed work item otg_event is initialized in fsl_otg_conf() and
+scheduled under two conditions:
+1. When a host controller binds to the OTG controller.
+2. When the USB ID pin state changes (cable insertion/removal).
+
+A race condition occurs when the device is removed via fsl_otg_remove():
+the fsl_otg instance may be freed while the delayed work is still pending
+or executing. This leads to use-after-free when the work function
+fsl_otg_event() accesses the already freed memory.
+
+The problematic scenario:
+
+(detach thread) | (delayed work)
+fsl_otg_remove() |
+ kfree(fsl_otg_dev) //FREE| fsl_otg_event()
+ | og = container_of(...) //USE
+ | og-> //USE
+
+Fix this by calling disable_delayed_work_sync() in fsl_otg_remove()
+before deallocating the fsl_otg structure. This ensures the delayed work
+is properly canceled and completes execution prior to memory deallocation.
+
+This bug was identified through static analysis.
+
+Fixes: 0807c500a1a6 ("USB: add Freescale USB OTG Transceiver driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Link: https://patch.msgid.link/20251205034831.12846-1-duoming@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/phy/phy-fsl-usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/phy/phy-fsl-usb.c
++++ b/drivers/usb/phy/phy-fsl-usb.c
+@@ -987,6 +987,7 @@ static int fsl_otg_remove(struct platfor
+ {
+ struct fsl_usb2_platform_data *pdata = dev_get_platdata(&pdev->dev);
+
++ disable_delayed_work_sync(&fsl_otg_dev->otg_event);
+ usb_remove_phy(&fsl_otg_dev->phy);
+ free_irq(fsl_otg_dev->irq, fsl_otg_dev);
+
--- /dev/null
+From b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 18 Dec 2025 16:35:16 +0100
+Subject: usb: phy: isp1301: fix non-OF device reference imbalance
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 upstream.
+
+A recent change fixing a device reference leak in a UDC driver
+introduced a potential use-after-free in the non-OF case as the
+isp1301_get_client() helper only increases the reference count for the
+returned I2C device in the OF case.
+
+Increment the reference count also for non-OF so that the caller can
+decrement it unconditionally.
+
+Note that this is inherently racy just as using the returned I2C device
+is since nothing is preventing the PHY driver from being unbound while
+in use.
+
+Fixes: c84117912bdd ("USB: lpc32xx_udc: Fix error handling in probe")
+Cc: stable@vger.kernel.org
+Cc: Ma Ke <make24@iscas.ac.cn>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
+Link: https://patch.msgid.link/20251218153519.19453-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/phy/phy-isp1301.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/phy/phy-isp1301.c
++++ b/drivers/usb/phy/phy-isp1301.c
+@@ -150,7 +150,12 @@ struct i2c_client *isp1301_get_client(st
+ return client;
+
+ /* non-DT: only one ISP1301 chip supported */
+- return isp1301_i2c_client;
++ if (isp1301_i2c_client) {
++ get_device(&isp1301_i2c_client->dev);
++ return isp1301_i2c_client;
++ }
++
++ return NULL;
+ }
+ EXPORT_SYMBOL_GPL(isp1301_get_client);
+
--- /dev/null
+From 36cc7e09df9e43db21b46519b740145410dd9f4a Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Thu, 4 Dec 2025 21:21:29 +0800
+Subject: usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit 36cc7e09df9e43db21b46519b740145410dd9f4a upstream.
+
+usbhsp_get_pipe() set pipe's flags to IS_USED. In error paths,
+usbhsp_put_pipe() is required to clear pipe's flags to prevent
+pipe exhaustion.
+
+Fixes: f1407d5c6624 ("usb: renesas_usbhs: Add Renesas USBHS common code")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Link: https://patch.msgid.link/20251204132129.109234-1-haoxiang_li2024@163.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/renesas_usbhs/pipe.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/renesas_usbhs/pipe.c
++++ b/drivers/usb/renesas_usbhs/pipe.c
+@@ -713,11 +713,13 @@ struct usbhs_pipe *usbhs_pipe_malloc(str
+ /* make sure pipe is not busy */
+ ret = usbhsp_pipe_barrier(pipe);
+ if (ret < 0) {
++ usbhsp_put_pipe(pipe);
+ dev_err(dev, "pipe setup failed %d\n", usbhs_pipe_number(pipe));
+ return NULL;
+ }
+
+ if (usbhsp_setup_pipecfg(pipe, is_host, dir_in, &pipecfg)) {
++ usbhsp_put_pipe(pipe);
+ dev_err(dev, "can't setup pipe\n");
+ return NULL;
+ }
--- /dev/null
+From 0831269b5f71594882accfceb02638124f88955d Mon Sep 17 00:00:00 2001
+From: Chen Changcheng <chenchangcheng@kylinos.cn>
+Date: Thu, 18 Dec 2025 09:23:18 +0800
+Subject: usb: usb-storage: Maintain minimal modifications to the bcdDevice range.
+
+From: Chen Changcheng <chenchangcheng@kylinos.cn>
+
+commit 0831269b5f71594882accfceb02638124f88955d upstream.
+
+We cannot determine which models require the NO_ATA_1X and
+IGNORE_RESIDUE quirks aside from the EL-R12 optical drive device.
+
+Fixes: 955a48a5353f ("usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.")
+Signed-off-by: Chen Changcheng <chenchangcheng@kylinos.cn>
+Link: https://patch.msgid.link/20251218012318.15978-1-chenchangcheng@kylinos.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/unusual_uas.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -98,7 +98,7 @@ UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x01
+ US_FL_NO_ATA_1X),
+
+ /* Reported-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> */
+-UNUSUAL_DEV(0x13fd, 0x3940, 0x0309, 0x0309,
++UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x0309,
+ "Initio Corporation",
+ "INIC-3069",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
projects / thirdparty / kernel / stable-queue.git / commitdiff
