6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 27 Jan 2026 13:31:24 +0000 (14:31 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 27 Jan 2026 13:31:24 +0000 (14:31 +0100)
added patches:
alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch
alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch
arm64-fpsimd-signal-allocate-ssve-storage-when-restoring-za.patch
arm64-set-__nocfi-on-swsusp_arch_resume.patch
can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch
can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch
can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch
can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch
iio-adc-ad9467-fix-ad9434-vref-mask.patch
iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch
iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch
intel_th-fix-device-leak-on-output-open.patch
irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch
leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch
mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch
netrom-fix-double-free-in-nr_route_frame.patch
octeontx2-fix-otx2_dma_map_page-error-return-code.patch
of-fix-reference-count-leak-in-of_alias_scan.patch
of-platform-use-default-match-table-for-firmware.patch
perf-x86-intel-do-not-enable-bts-for-guests.patch
slimbus-core-fix-device-reference-leak-on-report-present.patch
slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch
uacce-ensure-safe-queue-release-with-state-management.patch
uacce-fix-cdev-handling-in-the-cleanup-path.patch
uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch
wifi-ath10k-fix-dma_free_coherent-pointer.patch
wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch
wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch

29 files changed:
queue-6.1/alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch [new file with mode: 0644]
queue-6.1/alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch [new file with mode: 0644]
queue-6.1/arm64-fpsimd-signal-allocate-ssve-storage-when-restoring-za.patch [new file with mode: 0644]
queue-6.1/arm64-set-__nocfi-on-swsusp_arch_resume.patch [new file with mode: 0644]
queue-6.1/can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch [new file with mode: 0644]
queue-6.1/can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch [new file with mode: 0644]
queue-6.1/can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch [new file with mode: 0644]
queue-6.1/can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch [new file with mode: 0644]
queue-6.1/iio-adc-ad9467-fix-ad9434-vref-mask.patch [new file with mode: 0644]
queue-6.1/iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch [new file with mode: 0644]
queue-6.1/iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch [new file with mode: 0644]
queue-6.1/intel_th-fix-device-leak-on-output-open.patch [new file with mode: 0644]
queue-6.1/irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch [new file with mode: 0644]
queue-6.1/leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch [new file with mode: 0644]
queue-6.1/mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch [new file with mode: 0644]
queue-6.1/netrom-fix-double-free-in-nr_route_frame.patch [new file with mode: 0644]
queue-6.1/octeontx2-fix-otx2_dma_map_page-error-return-code.patch [new file with mode: 0644]
queue-6.1/of-fix-reference-count-leak-in-of_alias_scan.patch [new file with mode: 0644]
queue-6.1/of-platform-use-default-match-table-for-firmware.patch [new file with mode: 0644]
queue-6.1/perf-x86-intel-do-not-enable-bts-for-guests.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/slimbus-core-fix-device-reference-leak-on-report-present.patch [new file with mode: 0644]
queue-6.1/slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch [new file with mode: 0644]
queue-6.1/uacce-ensure-safe-queue-release-with-state-management.patch [new file with mode: 0644]
queue-6.1/uacce-fix-cdev-handling-in-the-cleanup-path.patch [new file with mode: 0644]
queue-6.1/uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch [new file with mode: 0644]
queue-6.1/wifi-ath10k-fix-dma_free_coherent-pointer.patch [new file with mode: 0644]
queue-6.1/wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch [new file with mode: 0644]
queue-6.1/wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch [new file with mode: 0644]

diff --git a/queue-6.1/alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch b/queue-6.1/alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch
new file mode 100644 (file)
index 0000000..338a1ec
--- /dev/null
@@ -0,0 +1,54 @@
+From 61006c540cbdedea83b05577dc7fb7fa18fe1276 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 19 Jan 2026 14:32:07 +0100
+Subject: ALSA: ctxfi: Fix potential OOB access in audio mixer handling
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 61006c540cbdedea83b05577dc7fb7fa18fe1276 upstream.
+
+In the audio mixer handling code of ctxfi driver, the conf field is
+used as a kind of loop index, and it's referred in the index callbacks
+(amixer_index() and sum_index()).
+
+As spotted recently by fuzzers, the current code causes OOB access at
+those functions.
+| UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48
+| index 8 is out of range for type 'unsigned char [8]'
+
+After the analysis, the cause was found to be the lack of the proper
+(re-)initialization of conj field.
+
+This patch addresses those OOB accesses by adding the proper
+initializations of the loop indices.
+
+Reported-by: Salvatore Bonaccorso <carnil@debian.org>
+Tested-by: Karsten Hohmeier <linux@hohmatik.de>
+Closes: https://bugs.debian.org/1121535
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/all/aSk8KJI35H7gFru6@eldamar.lan/
+Link: https://patch.msgid.link/20260119133212.189129-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/ctxfi/ctamixer.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/ctxfi/ctamixer.c
++++ b/sound/pci/ctxfi/ctamixer.c
+@@ -205,6 +205,7 @@ static int amixer_rsc_init(struct amixer
+       /* Set amixer specific operations */
+       amixer->rsc.ops = &amixer_basic_rsc_ops;
++      amixer->rsc.conj = 0;
+       amixer->ops = &amixer_ops;
+       amixer->input = NULL;
+       amixer->sum = NULL;
+@@ -369,6 +370,7 @@ static int sum_rsc_init(struct sum *sum,
+               return err;
+       sum->rsc.ops = &sum_basic_rsc_ops;
++      sum->rsc.conj = 0;
+       return 0;
+ }
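Review bot: The reset of `conj` is duplicated in amixer_rsc_init() and sum_rsc_init() instead of being done once in the shared rsc_init() that sum_rsc_init() calls just above (`return err;` precedes `sum->rsc.ops = &sum_basic_rsc_ops;`); if rsc_init() is the common initializer for ctxfi resources, resetting `conj` there would cover both callers and any other resource type that reuses the index callbacks. amixer_rsc_init() starts outside the hunk, so whether it also goes through rsc_init() is not visible here. The description names amixer_index() and sum_index() as the functions that index an `unsigned char [8]` with this field; a bounds check in those callbacks would make the reported out-of-range access impossible even if a future caller forgets the reset. Separately, the description's first paragraph says "the conf field" while the code and its later paragraph refer to `conj`.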
diff --git a/queue-6.1/alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch b/queue-6.1/alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch
new file mode 100644 (file)
index 0000000..3dc47fb
--- /dev/null
@@ -0,0 +1,65 @@
+From 930e69757b74c3ae083b0c3c7419bfe7f0edc7b2 Mon Sep 17 00:00:00 2001
+From: Berk Cem Goksel <berkcgoksel@gmail.com>
+Date: Tue, 20 Jan 2026 13:28:55 +0300
+Subject: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()
+
+From: Berk Cem Goksel <berkcgoksel@gmail.com>
+
+commit 930e69757b74c3ae083b0c3c7419bfe7f0edc7b2 upstream.
+
+When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees
+mixer->id_elems but the controls already added to the card still
+reference the freed memory. Later when snd_card_register() runs,
+the OSS mixer layer calls their callbacks and hits a use-after-free read.
+
+Call trace:
+  get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411
+  get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241
+  mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381
+  snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887
+  ...
+  snd_card_register+0x4ed/0x6d0 sound/core/init.c:923
+  usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025
+
+Fix by calling snd_ctl_remove() for all mixer controls before freeing
+id_elems. We save the next pointer first because snd_ctl_remove()
+frees the current element.
+
+Fixes: 6639b6c2367f ("[ALSA] usb-audio - add mixer control notifications")
+Cc: stable@vger.kernel.org
+Cc: Andrey Konovalov <andreyknvl@gmail.com>
+Signed-off-by: Berk Cem Goksel <berkcgoksel@gmail.com>
+Link: https://patch.msgid.link/20260120102855.7300-1-berkcgoksel@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer.c |   15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2940,10 +2940,23 @@ static int parse_audio_unit(struct mixer
+ static void snd_usb_mixer_free(struct usb_mixer_interface *mixer)
+ {
++      struct usb_mixer_elem_list *list, *next;
++      int id;
++
+       /* kill pending URBs */
+       snd_usb_mixer_disconnect(mixer);
+-      kfree(mixer->id_elems);
++      /* Unregister controls first, snd_ctl_remove() frees the element */
++      if (mixer->id_elems) {
++              for (id = 0; id < MAX_ID_ELEMS; id++) {
++                      for (list = mixer->id_elems[id]; list; list = next) {
++                              next = list->next_id_elem;
++                              if (list->kctl)
++                                      snd_ctl_remove(mixer->chip->card, list->kctl);
++                      }
++              }
++              kfree(mixer->id_elems);
++      }
+       if (mixer->urb) {
+               kfree(mixer->urb->transfer_buffer);
+               usb_free_urb(mixer->urb);
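Review bot: The new loop calls `snd_ctl_remove(mixer->chip->card, list->kctl)` without taking card->controls_rwsem; older kernels document that the caller of snd_ctl_remove() must hold that rwsem for write, while newer ones take it internally and offer snd_ctl_remove_locked() for callers that already hold it, so the contract in the 6.1 tree this is queued for should be confirmed before merging. If 6.1 still expects the caller to lock, the loop needs `down_write(&mixer->chip->card->controls_rwsem);` before it and `up_write(&mixer->chip->card->controls_rwsem);` after it. The comment "Unregister controls first" explains the ordering but not that snd_ctl_remove() also frees `list` via the kctl's private_free, which is why `next` is read first; `/* snd_ctl_remove() frees list through kctl->private_free, so read next first */` would make that explicit. snd_usb_mixer_free() continues past the end of the hunk.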
diff --git a/queue-6.1/arm64-fpsimd-signal-allocate-ssve-storage-when-restoring-za.patch b/queue-6.1/arm64-fpsimd-signal-allocate-ssve-storage-when-restoring-za.patch
new file mode 100644 (file)
index 0000000..e126a1c
--- /dev/null
@@ -0,0 +1,98 @@
+From ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Tue, 20 Jan 2026 14:51:06 +0000
+Subject: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4 upstream.
+
+The code to restore a ZA context doesn't attempt to allocate the task's
+sve_state before setting TIF_SME. Consequently, restoring a ZA context
+can place a task into an invalid state where TIF_SME is set but the
+task's sve_state is NULL.
+
+In legitimate but uncommon cases where the ZA signal context was NOT
+created by the kernel in the context of the same task (e.g. if the task
+is saved/restored with something like CRIU), we have no guarantee that
+sve_state had been allocated previously. In these cases, userspace can
+enter streaming mode without trapping while sve_state is NULL, causing a
+later NULL pointer dereference when the kernel attempts to store the
+register state:
+
+| # ./sigreturn-za
+| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+| Mem abort info:
+|   ESR = 0x0000000096000046
+|   EC = 0x25: DABT (current EL), IL = 32 bits
+|   SET = 0, FnV = 0
+|   EA = 0, S1PTW = 0
+|   FSC = 0x06: level 2 translation fault
+| Data abort info:
+|   ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000
+|   CM = 0, WnR = 1, TnD = 0, TagAccess = 0
+|   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+| user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00
+| [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000
+| Internal error: Oops: 0000000096000046 [#1]  SMP
+| Modules linked in:
+| CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT
+| Hardware name: linux,dummy-virt (DT)
+| pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
+| pc : sve_save_state+0x4/0xf0
+| lr : fpsimd_save_user_state+0xb0/0x1c0
+| sp : ffff80008070bcc0
+| x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658
+| x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000
+| x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40
+| x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000
+| x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c
+| x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020
+| x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0
+| x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48
+| x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000
+| x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440
+| Call trace:
+|  sve_save_state+0x4/0xf0 (P)
+|  fpsimd_thread_switch+0x48/0x198
+|  __switch_to+0x20/0x1c0
+|  __schedule+0x36c/0xce0
+|  schedule+0x34/0x11c
+|  exit_to_user_mode_loop+0x124/0x188
+|  el0_interrupt+0xc8/0xd8
+|  __el0_irq_handler_common+0x18/0x24
+|  el0t_64_irq_handler+0x10/0x1c
+|  el0t_64_irq+0x198/0x19c
+| Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800)
+| ---[ end trace 0000000000000000 ]---
+
+Fix this by having restore_za_context() ensure that the task's sve_state
+is allocated, matching what we do when taking an SME trap. Any live
+SVE/SSVE state (which is restored earlier from a separate signal
+context) must be preserved, and hence this is not zeroed.
+
+Fixes: 39782210eb7e ("arm64/sme: Implement ZA signal handling")
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: <stable@vger.kernel.org>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Will Deacon <will@kernel.org>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/signal.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm64/kernel/signal.c
++++ b/arch/arm64/kernel/signal.c
+@@ -433,6 +433,10 @@ static int restore_za_context(struct use
+       fpsimd_flush_task_state(current);
+       /* From now, fpsimd_thread_switch() won't touch thread.sve_state */
++      sve_alloc(current, false);
++      if (!current->thread.sve_state)
++              return -ENOMEM;
++
+       sme_alloc(current, true);
+       if (!current->thread.za_state) {
+               current->thread.svcr &= ~SVCR_ZA_MASK;
diff --git a/queue-6.1/arm64-set-__nocfi-on-swsusp_arch_resume.patch b/queue-6.1/arm64-set-__nocfi-on-swsusp_arch_resume.patch
new file mode 100644 (file)
index 0000000..d87c025
--- /dev/null
@@ -0,0 +1,94 @@
+From e2f8216ca2d8e61a23cb6ec355616339667e0ba6 Mon Sep 17 00:00:00 2001
+From: Zhaoyang Huang <zhaoyang.huang@unisoc.com>
+Date: Thu, 22 Jan 2026 19:49:25 +0800
+Subject: arm64: Set __nocfi on swsusp_arch_resume()
+
+From: Zhaoyang Huang <zhaoyang.huang@unisoc.com>
+
+commit e2f8216ca2d8e61a23cb6ec355616339667e0ba6 upstream.
+
+A DABT is reported[1] on an android based system when resume from hiberate.
+This happens because swsusp_arch_suspend_exit() is marked with SYM_CODE_*()
+and does not have a CFI hash, but swsusp_arch_resume() will attempt to
+verify the CFI hash when calling a copy of swsusp_arch_suspend_exit().
+
+Given that there's an existing requirement that the entrypoint to
+swsusp_arch_suspend_exit() is the first byte of the .hibernate_exit.text
+section, we cannot fix this by marking swsusp_arch_suspend_exit() with
+SYM_FUNC_*(). The simplest fix for now is to disable the CFI check in
+swsusp_arch_resume().
+
+Mark swsusp_arch_resume() as __nocfi to disable the CFI check.
+
+[1]
+[   22.991934][    T1] Unable to handle kernel paging request at virtual address 0000000109170ffc
+[   22.991934][    T1] Mem abort info:
+[   22.991934][    T1]   ESR = 0x0000000096000007
+[   22.991934][    T1]   EC = 0x25: DABT (current EL), IL = 32 bits
+[   22.991934][    T1]   SET = 0, FnV = 0
+[   22.991934][    T1]   EA = 0, S1PTW = 0
+[   22.991934][    T1]   FSC = 0x07: level 3 translation fault
+[   22.991934][    T1] Data abort info:
+[   22.991934][    T1]   ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
+[   22.991934][    T1]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+[   22.991934][    T1]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+[   22.991934][    T1] [0000000109170ffc] user address but active_mm is swapper
+[   22.991934][    T1] Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP
+[   22.991934][    T1] Dumping ftrace buffer:
+[   22.991934][    T1]    (ftrace buffer empty)
+[   22.991934][    T1] Modules linked in:
+[   22.991934][    T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.98-android15-8-g0b1d2aee7fc3-dirty-4k #1 688c7060a825a3ac418fe53881730b355915a419
+[   22.991934][    T1] Hardware name: Unisoc UMS9360-base Board (DT)
+[   22.991934][    T1] pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[   22.991934][    T1] pc : swsusp_arch_resume+0x2ac/0x344
+[   22.991934][    T1] lr : swsusp_arch_resume+0x294/0x344
+[   22.991934][    T1] sp : ffffffc08006b960
+[   22.991934][    T1] x29: ffffffc08006b9c0 x28: 0000000000000000 x27: 0000000000000000
+[   22.991934][    T1] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000820
+[   22.991934][    T1] x23: ffffffd0817e3000 x22: ffffffd0817e3000 x21: 0000000000000000
+[   22.991934][    T1] x20: ffffff8089171000 x19: ffffffd08252c8c8 x18: ffffffc080061058
+[   22.991934][    T1] x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 0000000000000004
+[   22.991934][    T1] x14: ffffff8178c88000 x13: 0000000000000006 x12: 0000000000000000
+[   22.991934][    T1] x11: 0000000000000015 x10: 0000000000000001 x9 : ffffffd082533000
+[   22.991934][    T1] x8 : 0000000109171000 x7 : 205b5d3433393139 x6 : 392e32322020205b
+[   22.991934][    T1] x5 : 000000010916f000 x4 : 000000008164b000 x3 : ffffff808a4e0530
+[   22.991934][    T1] x2 : ffffffd08058e784 x1 : 0000000082326000 x0 : 000000010a283000
+[   22.991934][    T1] Call trace:
+[   22.991934][    T1]  swsusp_arch_resume+0x2ac/0x344
+[   22.991934][    T1]  hibernation_restore+0x158/0x18c
+[   22.991934][    T1]  load_image_and_restore+0xb0/0xec
+[   22.991934][    T1]  software_resume+0xf4/0x19c
+[   22.991934][    T1]  software_resume_initcall+0x34/0x78
+[   22.991934][    T1]  do_one_initcall+0xe8/0x370
+[   22.991934][    T1]  do_initcall_level+0xc8/0x19c
+[   22.991934][    T1]  do_initcalls+0x70/0xc0
+[   22.991934][    T1]  do_basic_setup+0x1c/0x28
+[   22.991934][    T1]  kernel_init_freeable+0xe0/0x148
+[   22.991934][    T1]  kernel_init+0x20/0x1a8
+[   22.991934][    T1]  ret_from_fork+0x10/0x20
+[   22.991934][    T1] Code: a9400a61 f94013e0 f9438923 f9400a64 (b85fc110)
+
+Co-developed-by: Jeson Gao <jeson.gao@unisoc.com>
+Signed-off-by: Jeson Gao <jeson.gao@unisoc.com>
+Signed-off-by: Zhaoyang Huang <zhaoyang.huang@unisoc.com>
+Acked-by: Will Deacon <will@kernel.org>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Cc: <stable@vger.kernel.org>
+[catalin.marinas@arm.com: commit log updated by Mark Rutland]
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/hibernate.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/hibernate.c
++++ b/arch/arm64/kernel/hibernate.c
+@@ -397,7 +397,7 @@ int swsusp_arch_suspend(void)
+  * Memory allocated by get_safe_page() will be dealt with by the hibernate code,
+  * we don't need to free it here.
+  */
+-int swsusp_arch_resume(void)
++int __nocfi swsusp_arch_resume(void)
+ {
+       int rc;
+       void *zero_page;
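Review bot: The `__nocfi` annotation on swsusp_arch_resume() has no explanation in the code, and the kernel-doc comment immediately above (about get_safe_page() memory) does not mention it; since `__nocfi` disables CFI checking for every indirect call in the function, not only the one to the relocated swsusp_arch_suspend_exit(), a reader should not have to dig up this commit to learn why. Suggest extending the comment with ` * Marked __nocfi: the copied swsusp_arch_suspend_exit() is SYM_CODE and has no CFI hash, so the indirect call to it cannot be checked.` The function body continues past the hunk.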
diff --git a/queue-6.1/can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch b/queue-6.1/can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch
new file mode 100644 (file)
index 0000000..054f54d
--- /dev/null
@@ -0,0 +1,56 @@
+From 0ce73a0eb5a27070957b67fd74059b6da89cc516 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Sat, 10 Jan 2026 12:52:27 +0100
+Subject: can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 0ce73a0eb5a27070957b67fd74059b6da89cc516 upstream.
+
+Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
+gs_usb_receive_bulk_callback(): fix URB memory leak").
+
+In ems_usb_open(), the URBs for USB-in transfers are allocated, added to
+the dev->rx_submitted anchor and submitted. In the complete callback
+ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
+ems_usb_close() the URBs are freed by calling
+usb_kill_anchored_urbs(&dev->rx_submitted).
+
+However, this does not take into account that the USB framework unanchors
+the URB before the complete function is called. This means that once an
+in-URB has been completed, it is no longer anchored and is ultimately not
+released in ems_usb_close().
+
+Fix the memory leak by anchoring the URB in the
+ems_usb_read_bulk_callback() to the dev->rx_submitted anchor.
+
+Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-1-4b8cb2915571@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/ems_usb.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -486,11 +486,17 @@ resubmit_urb:
+                         urb->transfer_buffer, RX_BUFFER_SIZE,
+                         ems_usb_read_bulk_callback, dev);
++      usb_anchor_urb(urb, &dev->rx_submitted);
++
+       retval = usb_submit_urb(urb, GFP_ATOMIC);
++      if (!retval)
++              return;
++
++      usb_unanchor_urb(urb);
+       if (retval == -ENODEV)
+               netif_device_detach(netdev);
+-      else if (retval)
++      else
+               netdev_err(netdev,
+                          "failed resubmitting read bulk urb: %d\n", retval);
+ }
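Review bot: The new error path relies on URB reference counting that the code does not spell out: usb_anchor_urb() presumably takes a reference that usb_unanchor_urb() drops, and the USB core's own reference, held while this completion callback runs, is what releases the URB once usb_submit_urb() has failed; a comment above `usb_unanchor_urb(urb);` such as `/* drop the anchor's reference; the USB core frees the URB after this callback returns */` would make that ownership visible. The same pattern is repeated in the kvaser_usb, mcba_usb and usb_8dev hunks of this commit, so the comment belongs in each. The enclosing ems_usb_read_bulk_callback() starts before the `resubmit_urb:` label, outside the hunk.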
diff --git a/queue-6.1/can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch b/queue-6.1/can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch
new file mode 100644 (file)
index 0000000..2944498
--- /dev/null
@@ -0,0 +1,62 @@
+From 248e8e1a125fa875158df521b30f2cc7e27eeeaa Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Sat, 10 Jan 2026 12:52:27 +0100
+Subject: can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 248e8e1a125fa875158df521b30f2cc7e27eeeaa upstream.
+
+Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
+gs_usb_receive_bulk_callback(): fix URB memory leak").
+
+In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the
+URBs for USB-in transfers are allocated, added to the dev->rx_submitted
+anchor and submitted. In the complete callback
+kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
+kvaser_usb_remove_interfaces() the URBs are freed by calling
+usb_kill_anchored_urbs(&dev->rx_submitted).
+
+However, this does not take into account that the USB framework unanchors
+the URB before the complete function is called. This means that once an
+in-URB has been completed, it is no longer anchored and is ultimately not
+released in usb_kill_anchored_urbs().
+
+Fix the memory leak by anchoring the URB in the
+kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor.
+
+Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-3-4b8cb2915571@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+@@ -349,7 +349,14 @@ resubmit_urb:
+                         urb->transfer_buffer, KVASER_USB_RX_BUFFER_SIZE,
+                         kvaser_usb_read_bulk_callback, dev);
++      usb_anchor_urb(urb, &dev->rx_submitted);
++
+       err = usb_submit_urb(urb, GFP_ATOMIC);
++      if (!err)
++              return;
++
++      usb_unanchor_urb(urb);
++
+       if (err == -ENODEV) {
+               for (i = 0; i < dev->nchannels; i++) {
+                       if (!dev->nets[i])
+@@ -357,7 +364,7 @@ resubmit_urb:
+                       netif_device_detach(dev->nets[i]->netdev);
+               }
+-      } else if (err) {
++      } else {
+               dev_err(&dev->intf->dev,
+                       "Failed resubmitting read bulk urb: %d\n", err);
+       }
diff --git a/queue-6.1/can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch b/queue-6.1/can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch
new file mode 100644 (file)
index 0000000..5d23c7b
--- /dev/null
@@ -0,0 +1,56 @@
+From 710a7529fb13c5a470258ff5508ed3c498d54729 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Sat, 10 Jan 2026 12:52:27 +0100
+Subject: can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 710a7529fb13c5a470258ff5508ed3c498d54729 upstream.
+
+Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
+gs_usb_receive_bulk_callback(): fix URB memory leak").
+
+In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are
+allocated, added to the priv->rx_submitted anchor and submitted. In the
+complete callback mcba_usb_read_bulk_callback(), the URBs are processed and
+resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by
+calling usb_kill_anchored_urbs(&priv->rx_submitted).
+
+However, this does not take into account that the USB framework unanchors
+the URB before the complete function is called. This means that once an
+in-URB has been completed, it is no longer anchored and is ultimately not
+released in usb_kill_anchored_urbs().
+
+Fix the memory leak by anchoring the URB in the
+mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor.
+
+Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-4-4b8cb2915571@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/mcba_usb.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/mcba_usb.c
++++ b/drivers/net/can/usb/mcba_usb.c
+@@ -608,11 +608,17 @@ resubmit_urb:
+                         urb->transfer_buffer, MCBA_USB_RX_BUFF_SIZE,
+                         mcba_usb_read_bulk_callback, priv);
++      usb_anchor_urb(urb, &priv->rx_submitted);
++
+       retval = usb_submit_urb(urb, GFP_ATOMIC);
++      if (!retval)
++              return;
++
++      usb_unanchor_urb(urb);
+       if (retval == -ENODEV)
+               netif_device_detach(netdev);
+-      else if (retval)
++      else
+               netdev_err(netdev, "failed resubmitting read bulk urb: %d\n",
+                          retval);
+ }
diff --git a/queue-6.1/can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch b/queue-6.1/can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch
new file mode 100644 (file)
index 0000000..06969b5
--- /dev/null
@@ -0,0 +1,56 @@
+From f7a980b3b8f80fe367f679da376cf76e800f9480 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Sat, 10 Jan 2026 12:52:27 +0100
+Subject: can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit f7a980b3b8f80fe367f679da376cf76e800f9480 upstream.
+
+Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
+gs_usb_receive_bulk_callback(): fix URB memory leak").
+
+In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are
+allocated, added to the priv->rx_submitted anchor and submitted. In the
+complete callback usb_8dev_read_bulk_callback(), the URBs are processed and
+resubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by
+calling usb_kill_anchored_urbs(&priv->rx_submitted).
+
+However, this does not take into account that the USB framework unanchors
+the URB before the complete function is called. This means that once an
+in-URB has been completed, it is no longer anchored and is ultimately not
+released in usb_kill_anchored_urbs().
+
+Fix the memory leak by anchoring the URB in the
+usb_8dev_read_bulk_callback() to the priv->rx_submitted anchor.
+
+Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-5-4b8cb2915571@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/usb_8dev.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/usb_8dev.c
++++ b/drivers/net/can/usb/usb_8dev.c
+@@ -541,11 +541,17 @@ resubmit_urb:
+                         urb->transfer_buffer, RX_BUFFER_SIZE,
+                         usb_8dev_read_bulk_callback, priv);
++      usb_anchor_urb(urb, &priv->rx_submitted);
++
+       retval = usb_submit_urb(urb, GFP_ATOMIC);
++      if (!retval)
++              return;
++
++      usb_unanchor_urb(urb);
+       if (retval == -ENODEV)
+               netif_device_detach(netdev);
+-      else if (retval)
++      else
+               netdev_err(netdev,
+                       "failed resubmitting read bulk urb: %d\n", retval);
+ }
diff --git a/queue-6.1/iio-adc-ad9467-fix-ad9434-vref-mask.patch b/queue-6.1/iio-adc-ad9467-fix-ad9434-vref-mask.patch
new file mode 100644 (file)
index 0000000..3892e6f
--- /dev/null
@@ -0,0 +1,40 @@
+From 92452b1760ff2d1d411414965d4d06f75e1bda9a Mon Sep 17 00:00:00 2001
+From: Tomas Melin <tomas.melin@vaisala.com>
+Date: Wed, 3 Dec 2025 09:28:11 +0000
+Subject: iio: adc: ad9467: fix ad9434 vref mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tomas Melin <tomas.melin@vaisala.com>
+
+commit 92452b1760ff2d1d411414965d4d06f75e1bda9a upstream.
+
+The mask setting is 5 bits wide for the ad9434
+(ref. data sheet register 0x18 FLEX_VREF). Apparently the settings
+from ad9265 were copied by mistake when support for the device was added
+to the driver.
+
+Fixes: 4606d0f4b05f ("iio: adc: ad9467: add support for AD9434 high-speed ADC")
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Signed-off-by: Tomas Melin <tomas.melin@vaisala.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad9467.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ad9467.c
++++ b/drivers/iio/adc/ad9467.c
+@@ -90,7 +90,7 @@
+ #define CHIPID_AD9434                 0x6A
+ #define AD9434_DEF_OUTPUT_MODE                0x00
+-#define AD9434_REG_VREF_MASK          0xC0
++#define AD9434_REG_VREF_MASK          GENMASK(4, 0)
+ /*
+  * Analog Devices AD9467 16-Bit, 200/250 MSPS ADC
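Review bot: The new `GENMASK(4, 0)` needs <linux/bits.h>, and whether ad9467.c in the 6.1 tree already pulls it in, directly or through another header, is not visible in this hunk; a missing include would only surface when the backport is built, so it is worth a quick check. The neighbouring defines in the same block (`CHIPID_AD9434 0x6A`, `AD9434_DEF_OUTPUT_MODE 0x00`) stay in plain hex, so the block now mixes both notations; acceptable, but if the rest of the file's masks are hex a `GENMASK()` here reads as an outlier and a short `/* FLEX_VREF register 0x18, bits [4:0] */` next to it would justify it.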
diff --git a/queue-6.1/iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch b/queue-6.1/iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch
new file mode 100644 (file)
index 0000000..0351ba2
--- /dev/null
@@ -0,0 +1,48 @@
+From dbdb442218cd9d613adeab31a88ac973f22c4873 Mon Sep 17 00:00:00 2001
+From: Pei Xiao <xiaopei01@kylinos.cn>
+Date: Wed, 29 Oct 2025 10:40:16 +0800
+Subject: iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver
+
+From: Pei Xiao <xiaopei01@kylinos.cn>
+
+commit dbdb442218cd9d613adeab31a88ac973f22c4873 upstream.
+
+at91_adc_interrupt can call at91_adc_touch_data_handler function
+to start the work by schedule_work(&st->touch_st.workq).
+
+If we remove the module which will call at91_adc_remove to
+make cleanup, it will free indio_dev through iio_device_unregister but
+quite a bit later. While the work mentioned above will be used. The
+sequence of operations that may lead to a UAF bug is as follows:
+
+CPU0                                      CPU1
+
+                                     | at91_adc_workq_handler
+at91_adc_remove                      |
+iio_device_unregister(indio_dev)     |
+//free indio_dev a bit later         |
+                                     | iio_push_to_buffers(indio_dev)
+                                     | //use indio_dev
+
+Fix it by ensuring that the work is canceled before proceeding with
+the cleanup in at91_adc_remove.
+
+Fixes: 23ec2774f1cc ("iio: adc: at91-sama5d2_adc: add support for position and pressure channels")
+Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/at91-sama5d2_adc.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/adc/at91-sama5d2_adc.c
++++ b/drivers/iio/adc/at91-sama5d2_adc.c
+@@ -2521,6 +2521,7 @@ static int at91_adc_remove(struct platfo
+       struct at91_adc_state *st = iio_priv(indio_dev);
+       iio_device_unregister(indio_dev);
++      cancel_work_sync(&st->touch_st.workq);
+       at91_adc_dma_disable(st);
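Review bot: The added `cancel_work_sync(&st->touch_st.workq)` closes the race only if nothing can requeue the work afterwards; the commit description says the work is scheduled from at91_adc_interrupt(), and the hunk shows no interrupt being disabled before this line, so if that IRQ is still live here the work can be re-armed after cancel_work_sync() returns. Worth confirming that the interrupt is quiesced (or that the target of iio_push_to_buffers() is already torn down) before this point, or placing the cancel after the IRQ is masked. A one-line comment would also make the intent visible to the next reader: `/* the touch work dereferences indio_dev; stop it before the rest of teardown */`. at91_adc_remove() starts and ends outside the hunk.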
diff --git a/queue-6.1/iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch b/queue-6.1/iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch
new file mode 100644 (file)
index 0000000..e571886
--- /dev/null
@@ -0,0 +1,45 @@
+From 441ac29923c9172bc5e4b2c4f52ae756192f5715 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?K=C3=BCbrich=2C=20Andreas?=
+ <andreas.kuebrich@spektra-dresden.de>
+Date: Mon, 17 Nov 2025 12:35:13 +0000
+Subject: iio: dac: ad5686: add AD5695R to ad5686_chip_info_tbl
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kübrich, Andreas <andreas.kuebrich@spektra-dresden.de>
+
+commit 441ac29923c9172bc5e4b2c4f52ae756192f5715 upstream.
+
+The chip info for this variant (I2C, four channels, 14 bit, internal
+reference) seems to have been left out due to oversight, so
+ad5686_chip_info_tbl[ID_AD5695R] is all zeroes. Initialisation of an
+AD5695R still succeeds, but the resulting IIO device has no channels and no
+/dev/iio:device* node.
+
+Add the missing chip info to the table.
+
+Fixes: 4177381b4401 ("iio:dac:ad5686: Add AD5671R/75R/94/94R/95R/96/96R support")
+Signed-off-by: Andreas Kübrich <andreas.kuebrich@spektra-dresden.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/dac/ad5686.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/iio/dac/ad5686.c
++++ b/drivers/iio/dac/ad5686.c
+@@ -427,6 +427,12 @@ static const struct ad5686_chip_info ad5
+               .num_channels = 4,
+               .regmap_type = AD5686_REGMAP,
+       },
++      [ID_AD5695R] = {
++              .channels = ad5685r_channels,
++              .int_vref_mv = 2500,
++              .num_channels = 4,
++              .regmap_type = AD5686_REGMAP,
++      },
+       [ID_AD5696] = {
+               .channels = ad5686_channels,
+               .num_channels = 4,
diff --git a/queue-6.1/intel_th-fix-device-leak-on-output-open.patch b/queue-6.1/intel_th-fix-device-leak-on-output-open.patch
new file mode 100644 (file)
index 0000000..877c4e9
--- /dev/null
@@ -0,0 +1,69 @@
+From 95fc36a234da24bbc5f476f8104a5a15f99ed3e3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 8 Dec 2025 16:35:23 +0100
+Subject: intel_th: fix device leak on output open()
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 95fc36a234da24bbc5f476f8104a5a15f99ed3e3 upstream.
+
+Make sure to drop the reference taken when looking up the th device
+during output device open() on errors and on close().
+
+Note that a recent commit fixed the leak in a couple of open() error
+paths but not all of them, and the reference is still leaking on
+successful open().
+
+Fixes: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices")
+Fixes: 6d5925b667e4 ("intel_th: Fix error handling in intel_th_output_open")
+Cc: stable@vger.kernel.org     # 4.4: 6d5925b667e4
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ma Ke <make24@iscas.ac.cn>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20251208153524.68637-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/intel_th/core.c |   19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwtracing/intel_th/core.c
++++ b/drivers/hwtracing/intel_th/core.c
+@@ -810,9 +810,12 @@ static int intel_th_output_open(struct i
+       int err;
+       dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev);
+-      if (!dev || !dev->driver) {
++      if (!dev)
++              return -ENODEV;
++
++      if (!dev->driver) {
+               err = -ENODEV;
+-              goto out_no_device;
++              goto out_put_device;
+       }
+       thdrv = to_intel_th_driver(dev->driver);
+@@ -836,12 +839,22 @@ static int intel_th_output_open(struct i
+ out_put_device:
+       put_device(dev);
+-out_no_device:
++
+       return err;
+ }
++static int intel_th_output_release(struct inode *inode, struct file *file)
++{
++      struct intel_th_device *thdev = file->private_data;
++
++      put_device(&thdev->dev);
++
++      return 0;
++}
++
+ static const struct file_operations intel_th_output_fops = {
+       .open   = intel_th_output_open,
++      .release = intel_th_output_release,
+       .llseek = noop_llseek,
+ };
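Review bot: The reference dropped in intel_th_output_release() is `&thdev->dev`, while the one taken in intel_th_output_open() is the `dev` returned by bus_find_device_by_devt(); these balance only if `file->private_data` is set to the intel_th_device that embeds that same `dev`, which happens in the part of open() between the two hunks and is not visible here. A comment on the new release function stating the pairing would make the ownership explicit, e.g. `/* drop the bus_find_device_by_devt() reference taken in intel_th_output_open() */`. The body of intel_th_output_open() is only partially shown; its start lies outside the hunk.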
diff --git a/queue-6.1/irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch b/queue-6.1/irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch
new file mode 100644 (file)
index 0000000..f7c25a2
--- /dev/null
@@ -0,0 +1,74 @@
+From 8d76a7d89c12d08382b66e2f21f20d0627d14859 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 19 Jan 2026 21:15:12 +0100
+Subject: irqchip/gic-v3-its: Avoid truncating memory addresses
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 8d76a7d89c12d08382b66e2f21f20d0627d14859 upstream.
+
+On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem
+allocations to be backed by addresses physical memory above the 32-bit
+address limit, as found while experimenting with larger VMSPLIT
+configurations.
+
+This caused the qemu virt model to crash in the GICv3 driver, which
+allocates the 'itt' object using GFP_KERNEL. Since all memory below
+the 4GB physical address limit is in ZONE_DMA in this configuration,
+kmalloc() defaults to higher addresses for ZONE_NORMAL, and the
+ITS driver stores the physical address in a 32-bit 'unsigned long'
+variable.
+
+Change the itt_addr variable to the correct phys_addr_t type instead,
+along with all other variables in this driver that hold a physical
+address.
+
+The gicv5 driver correctly uses u64 variables, while all other irqchip
+drivers don't call virt_to_phys or similar interfaces. It's expected that
+other device drivers have similar issues, but fixing this one is
+sufficient for booting a virtio based guest.
+
+Fixes: cc2d3216f53c ("irqchip: GICv3: ITS command queue")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260119201603.2713066-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -613,7 +613,7 @@ static struct its_collection *its_build_
+                                                struct its_cmd_block *cmd,
+                                                struct its_cmd_desc *desc)
+ {
+-      unsigned long itt_addr;
++      phys_addr_t itt_addr;
+       u8 size = ilog2(desc->its_mapd_cmd.dev->nr_ites);
+       itt_addr = virt_to_phys(desc->its_mapd_cmd.dev->itt);
+@@ -784,7 +784,7 @@ static struct its_vpe *its_build_vmapp_c
+                                          struct its_cmd_desc *desc)
+ {
+       struct its_vpe *vpe = valid_vpe(its, desc->its_vmapp_cmd.vpe);
+-      unsigned long vpt_addr, vconf_addr;
++      phys_addr_t vpt_addr, vconf_addr;
+       u64 target;
+       bool alloc;
+@@ -2399,10 +2399,10 @@ retry_baser:
+       baser->psz = psz;
+       tmp = indirect ? GITS_LVL1_ENTRY_SIZE : esz;
+-      pr_info("ITS@%pa: allocated %d %s @%lx (%s, esz %d, psz %dK, shr %d)\n",
++      pr_info("ITS@%pa: allocated %d %s @%llx (%s, esz %d, psz %dK, shr %d)\n",
+               &its->phys_base, (int)(PAGE_ORDER_TO_SIZE(order) / (int)tmp),
+               its_base_type_string[type],
+-              (unsigned long)virt_to_phys(base),
++              (u64)virt_to_phys(base),
+               indirect ? "indirect" : "flat", (int)esz,
+               psz / SZ_1K, (int)shr >> GITS_BASER_SHAREABILITY_SHIFT);
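Review bot: The `pr_info` call now prints two physical addresses two different ways: `its->phys_base` through `%pa`, and `virt_to_phys(base)` through a `(u64)` cast and `%llx`. Both are `phys_addr_t` after this change, so storing the second in a local and printing it with `%pa` as well would drop the cast and keep the width handling in one place (`phys_addr_t base_pa = virt_to_phys(base);` and `&base_pa` in the argument list), at the cost of the `0x` prefix `%pa` adds. This is a style point; the cast as written is correct for both 32-bit and 64-bit phys_addr_t. The enclosing function starts outside the hunk.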
diff --git a/queue-6.1/leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch b/queue-6.1/leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch
new file mode 100644 (file)
index 0000000..18ec4e6
--- /dev/null
@@ -0,0 +1,80 @@
+From d1883cefd31752f0504b94c3bcfa1f6d511d6e87 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <johannes.goede@oss.qualcomm.com>
+Date: Thu, 11 Dec 2025 17:37:27 +0100
+Subject: leds: led-class: Only Add LED to leds_list when it is fully ready
+
+From: Hans de Goede <johannes.goede@oss.qualcomm.com>
+
+commit d1883cefd31752f0504b94c3bcfa1f6d511d6e87 upstream.
+
+Before this change the LED was added to leds_list before led_init_core()
+gets called adding it the list before led_classdev.set_brightness_work gets
+initialized.
+
+This leaves a window where led_trigger_register() of a LED's default
+trigger will call led_trigger_set() which calls led_set_brightness()
+which in turn will end up queueing the *uninitialized*
+led_classdev.set_brightness_work.
+
+This race gets hit by the lenovo-thinkpad-t14s EC driver which registers
+2 LEDs with a default trigger provided by snd_ctl_led.ko in quick
+succession. The first led_classdev_register() causes an async modprobe of
+snd_ctl_led to run and that async modprobe manages to exactly hit
+the window where the second LED is on the leds_list without led_init_core()
+being called for it, resulting in:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390
+ Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025
+ ...
+ Call trace:
+  __flush_work+0x344/0x390 (P)
+  flush_work+0x2c/0x50
+  led_trigger_set+0x1c8/0x340
+  led_trigger_register+0x17c/0x1c0
+  led_trigger_register_simple+0x84/0xe8
+  snd_ctl_led_init+0x40/0xf88 [snd_ctl_led]
+  do_one_initcall+0x5c/0x318
+  do_init_module+0x9c/0x2b8
+  load_module+0x7e0/0x998
+
+Close the race window by moving the adding of the LED to leds_list to
+after the led_init_core() call.
+
+Cc: stable@vger.kernel.org
+Fixes: d23a22a74fde ("leds: delay led_set_brightness if stopping soft-blink")
+Signed-off-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
+Reviewed-by: Sebastian Reichel <sre@kernel.org>
+Link: https://patch.msgid.link/20251211163727.366441-1-johannes.goede@oss.qualcomm.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/leds/led-class.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/leds/led-class.c
++++ b/drivers/leds/led-class.c
+@@ -410,11 +410,6 @@ int led_classdev_register_ext(struct dev
+ #ifdef CONFIG_LEDS_BRIGHTNESS_HW_CHANGED
+       led_cdev->brightness_hw_changed = -1;
+ #endif
+-      /* add to the list of leds */
+-      down_write(&leds_list_lock);
+-      list_add_tail(&led_cdev->node, &leds_list);
+-      up_write(&leds_list_lock);
+-
+       if (!led_cdev->max_brightness)
+               led_cdev->max_brightness = LED_FULL;
+@@ -422,6 +417,11 @@ int led_classdev_register_ext(struct dev
+       led_init_core(led_cdev);
++      /* add to the list of leds */
++      down_write(&leds_list_lock);
++      list_add_tail(&led_cdev->node, &leds_list);
++      up_write(&leds_list_lock);
++
+ #ifdef CONFIG_LEDS_TRIGGERS
+       led_trigger_set_default(led_cdev);
+ #endif
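Review bot: The relocated comment `/* add to the list of leds */` does not record the ordering constraint this commit exists for, so a later cleanup could move the block back above led_init_core() without anything flagging it. Suggest `/* Add to leds_list only after led_init_core(): a trigger may reach this LED as soon as it is listed, and set_brightness_work must be initialised by then. */`. led_classdev_register_ext() starts and ends outside the hunk.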
diff --git a/queue-6.1/mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch b/queue-6.1/mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch
new file mode 100644 (file)
index 0000000..751d3b3
--- /dev/null
@@ -0,0 +1,84 @@
+From 122610220134b32c742cc056eaf64f7017ac8cd9 Mon Sep 17 00:00:00 2001
+From: Matthew Schwartz <matthew.schwartz@linux.dev>
+Date: Mon, 29 Dec 2025 12:45:26 -0800
+Subject: mmc: rtsx_pci_sdmmc: implement sdmmc_card_busy function
+
+From: Matthew Schwartz <matthew.schwartz@linux.dev>
+
+commit 122610220134b32c742cc056eaf64f7017ac8cd9 upstream.
+
+rtsx_pci_sdmmc does not have an sdmmc_card_busy function, so any voltage
+switches cause a kernel warning, "mmc0: cannot verify signal voltage
+switch."
+
+Copy the sdmmc_card_busy function from rtsx_pci_usb to rtsx_pci_sdmmc to
+fix this.
+
+Fixes: ff984e57d36e ("mmc: Add realtek pcie sdmmc host driver")
+Signed-off-by: Matthew Schwartz <matthew.schwartz@linux.dev>
+Tested-by: Ricky WU <ricky_wu@realtek.com>
+Reviewed-by: Ricky WU <ricky_wu@realtek.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/rtsx_pci_sdmmc.c |   41 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+--- a/drivers/mmc/host/rtsx_pci_sdmmc.c
++++ b/drivers/mmc/host/rtsx_pci_sdmmc.c
+@@ -1307,6 +1307,46 @@ out:
+       return err;
+ }
++static int sdmmc_card_busy(struct mmc_host *mmc)
++{
++      struct realtek_pci_sdmmc *host = mmc_priv(mmc);
++      struct rtsx_pcr *pcr = host->pcr;
++      int err;
++      u8 stat;
++      u8 mask = SD_DAT3_STATUS | SD_DAT2_STATUS | SD_DAT1_STATUS
++      | SD_DAT0_STATUS;
++
++      mutex_lock(&pcr->pcr_mutex);
++
++      rtsx_pci_start_run(pcr);
++
++      err = rtsx_pci_write_register(pcr, SD_BUS_STAT,
++                                    SD_CLK_TOGGLE_EN | SD_CLK_FORCE_STOP,
++                             SD_CLK_TOGGLE_EN);
++      if (err)
++              goto out;
++
++      mdelay(1);
++
++      err = rtsx_pci_read_register(pcr, SD_BUS_STAT, &stat);
++      if (err)
++              goto out;
++
++      err = rtsx_pci_write_register(pcr, SD_BUS_STAT,
++                                    SD_CLK_TOGGLE_EN | SD_CLK_FORCE_STOP, 0);
++out:
++      mutex_unlock(&pcr->pcr_mutex);
++
++      if (err)
++              return err;
++
++      /* check if any pin between dat[0:3] is low */
++      if ((stat & mask) != mask)
++              return 1;
++      else
++              return 0;
++}
++
+ static int sdmmc_execute_tuning(struct mmc_host *mmc, u32 opcode)
+ {
+       struct realtek_pci_sdmmc *host = mmc_priv(mmc);
+@@ -1405,6 +1445,7 @@ static const struct mmc_host_ops realtek
+       .get_ro = sdmmc_get_ro,
+       .get_cd = sdmmc_get_cd,
+       .start_signal_voltage_switch = sdmmc_switch_voltage,
++      .card_busy = sdmmc_card_busy,
+       .execute_tuning = sdmmc_execute_tuning,
+       .init_sd_express = sdmmc_init_sd_express,
+ };
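Review bot: The continuation lines in the new sdmmc_card_busy() are inconsistently indented: `| SD_DAT0_STATUS;` sits at the statement indent instead of under the first operand, and the third argument of the first rtsx_pci_write_register() call is not aligned with the second. The tail `if ((stat & mask) != mask) return 1; else return 0;` can be a single expression, `return (stat & mask) != mask;`, with the existing comment kept. The description says the function was copied from the USB driver, so the style is inherited, but it is new code in this file and worth tidying here.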
diff --git a/queue-6.1/netrom-fix-double-free-in-nr_route_frame.patch b/queue-6.1/netrom-fix-double-free-in-nr_route_frame.patch
new file mode 100644 (file)
index 0000000..2a98fcb
--- /dev/null
@@ -0,0 +1,69 @@
+From ba1096c315283ee3292765f6aea4cca15816c4f7 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Mon, 19 Jan 2026 15:33:59 +0900
+Subject: netrom: fix double-free in nr_route_frame()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit ba1096c315283ee3292765f6aea4cca15816c4f7 upstream.
+
+In nr_route_frame(), old_skb is immediately freed without checking if
+nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL,
+the caller function will free old_skb again, causing a double-free bug.
+
+Therefore, to prevent this, we need to modify it to check whether
+nr_neigh->ax25 is NULL before freeing old_skb.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: syzbot+999115c3bf275797dc27@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0029.GAE@google.com/
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Link: https://patch.msgid.link/20260119063359.10604-1-aha310510@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netrom/nr_route.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -752,7 +752,7 @@ int nr_route_frame(struct sk_buff *skb,
+       unsigned char *dptr;
+       ax25_cb *ax25s;
+       int ret;
+-      struct sk_buff *skbn;
++      struct sk_buff *nskb, *oskb;
+       /*
+        * Reject malformed packets early. Check that it contains at least 2
+@@ -811,14 +811,16 @@ int nr_route_frame(struct sk_buff *skb,
+       /* We are going to change the netrom headers so we should get our
+          own skb, we also did not know until now how much header space
+          we had to reserve... - RXQ */
+-      if ((skbn=skb_copy_expand(skb, dev->hard_header_len, 0, GFP_ATOMIC)) == NULL) {
++      nskb = skb_copy_expand(skb, dev->hard_header_len, 0, GFP_ATOMIC);
++
++      if (!nskb) {
+               nr_node_unlock(nr_node);
+               nr_node_put(nr_node);
+               dev_put(dev);
+               return 0;
+       }
+-      kfree_skb(skb);
+-      skb=skbn;
++      oskb = skb;
++      skb = nskb;
+       skb->data[14]--;
+       dptr  = skb_push(skb, 1);
+@@ -837,6 +839,9 @@ int nr_route_frame(struct sk_buff *skb,
+       nr_node_unlock(nr_node);
+       nr_node_put(nr_node);
++      if (ret)
++              kfree_skb(oskb);
++
+       return ret;
+ }
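Review bot: Ownership of `oskb` is now decided by `ret`, but the hunk does not show where `ret` is assigned (it lies between the two hunks), so the invariant that a non-zero `ret` means the original must be freed here while a zero `ret` leaves it to the caller is implicit. Suggest a comment above the new check: `/* caller frees skb when ret == 0; drop the original only once the copy was handed on */`. Any return between the `skb = nskb` assignment and this point (outside the hunk) would also need to free `oskb`, which is worth confirming. nr_route_frame() starts outside the hunk.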
diff --git a/queue-6.1/octeontx2-fix-otx2_dma_map_page-error-return-code.patch b/queue-6.1/octeontx2-fix-otx2_dma_map_page-error-return-code.patch
new file mode 100644 (file)
index 0000000..9b4e62c
--- /dev/null
@@ -0,0 +1,46 @@
+From d998b0e5afffa90d0f03770bad31083767079858 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Wed, 14 Jan 2026 13:31:06 +0100
+Subject: octeontx2: Fix otx2_dma_map_page() error return code
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit d998b0e5afffa90d0f03770bad31083767079858 upstream.
+
+0 is a valid DMA address [1] so using it as the error value can lead to
+errors.  The error value of dma_map_XXX() functions is DMA_MAPPING_ERROR
+which is ~0.  The callers of otx2_dma_map_page() use dma_mapping_error()
+to test the return value of otx2_dma_map_page(). This means that they
+would not detect an error in otx2_dma_map_page().
+
+Make otx2_dma_map_page() return the raw value of dma_map_page_attrs().
+
+[1] https://lore.kernel.org/all/f977f68b-cec5-4ab7-b4bd-2cf6aca46267@intel.com
+
+Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20260114123107.42387-2-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h |    7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
+@@ -864,13 +864,8 @@ static inline dma_addr_t otx2_dma_map_pa
+                                          size_t offset, size_t size,
+                                          enum dma_data_direction dir)
+ {
+-      dma_addr_t iova;
+-
+-      iova = dma_map_page_attrs(pfvf->dev, page,
++      return dma_map_page_attrs(pfvf->dev, page,
+                                 offset, size, dir, DMA_ATTR_SKIP_CPU_SYNC);
+-      if (unlikely(dma_mapping_error(pfvf->dev, iova)))
+-              return (dma_addr_t)NULL;
+-      return iova;
+ }
+ static inline void otx2_dma_unmap_page(struct otx2_nic *pfvf,
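Review bot: otx2_dma_map_page() now hands back the raw dma_map_page_attrs() result, so every caller must test it with dma_mapping_error(); the description says the callers already do, but nothing in the header records that contract for the next caller added. Suggest a comment above the function: `/* Returns the raw dma_map_page_attrs() result; check it with dma_mapping_error(). */`. The function's signature starts outside the hunk.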
diff --git a/queue-6.1/of-fix-reference-count-leak-in-of_alias_scan.patch b/queue-6.1/of-fix-reference-count-leak-in-of_alias_scan.patch
new file mode 100644 (file)
index 0000000..bbf3fd6
--- /dev/null
@@ -0,0 +1,49 @@
+From 81122fba08fa3ccafab6ed272a5c6f2203923a7e Mon Sep 17 00:00:00 2001
+From: Weigang He <geoffreyhe2@gmail.com>
+Date: Sat, 17 Jan 2026 09:12:38 +0000
+Subject: of: fix reference count leak in of_alias_scan()
+
+From: Weigang He <geoffreyhe2@gmail.com>
+
+commit 81122fba08fa3ccafab6ed272a5c6f2203923a7e upstream.
+
+of_find_node_by_path() returns a device_node with its refcount
+incremented. When kstrtoint() fails or dt_alloc() fails, the function
+continues to the next iteration without calling of_node_put(), causing
+a reference count leak.
+
+Add of_node_put(np) before continue on both error paths to properly
+release the device_node reference.
+
+Fixes: 611cad720148 ("dt: add of_alias_scan and of_alias_get_id")
+Cc: stable@vger.kernel.org
+Signed-off-by: Weigang He <geoffreyhe2@gmail.com>
+Link: https://patch.msgid.link/20260117091238.481243-1-geoffreyhe2@gmail.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/base.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -1956,13 +1956,17 @@ void of_alias_scan(void * (*dt_alloc)(u6
+                       end--;
+               len = end - start;
+-              if (kstrtoint(end, 10, &id) < 0)
++              if (kstrtoint(end, 10, &id) < 0) {
++                      of_node_put(np);
+                       continue;
++              }
+               /* Allocate an alias_prop with enough space for the stem */
+               ap = dt_alloc(sizeof(*ap) + len + 1, __alignof__(*ap));
+-              if (!ap)
++              if (!ap) {
++                      of_node_put(np);
+                       continue;
++              }
+               memset(ap, 0, sizeof(*ap) + len + 1);
+               ap->alias = start;
+               of_alias_add(ap, np, id, start, len);
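Review bot: The two added `of_node_put(np)` sites cover the kstrtoint() and dt_alloc() failures, but the loop body starts above the hunk; any other `continue` between the of_find_node_by_path() lookup and these lines would leak the reference in the same way and is worth checking while here. A short comment at the first site, `/* np holds a reference from of_find_node_by_path() */`, would explain why both error paths need the put. of_alias_scan() starts and ends outside the hunk.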
diff --git a/queue-6.1/of-platform-use-default-match-table-for-firmware.patch b/queue-6.1/of-platform-use-default-match-table-for-firmware.patch
new file mode 100644 (file)
index 0000000..511707d
--- /dev/null
@@ -0,0 +1,40 @@
+From 48e6a9c4a20870e09f85ff1a3628275d6bce31c0 Mon Sep 17 00:00:00 2001
+From: "Rob Herring (Arm)" <robh@kernel.org>
+Date: Tue, 13 Jan 2026 19:51:58 -0600
+Subject: of: platform: Use default match table for /firmware
+
+From: Rob Herring (Arm) <robh@kernel.org>
+
+commit 48e6a9c4a20870e09f85ff1a3628275d6bce31c0 upstream.
+
+Calling of_platform_populate() without a match table will only populate
+the immediate child nodes under /firmware. This is usually fine, but in
+the case of something like a "simple-mfd" node such as
+"raspberrypi,bcm2835-firmware", those child nodes will not be populated.
+And subsequent calls won't work either because the /firmware node is
+marked as processed already.
+
+Switch the call to of_platform_default_populate() to solve this problem.
+It should be a nop for existing cases.
+
+Fixes: 3aa0582fdb82 ("of: platform: populate /firmware/ node from of_platform_default_populate_init()")
+Cc: stable@vger.kernel.org
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Link: https://patch.msgid.link/20260114015158.692170-2-robh@kernel.org
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/platform.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/of/platform.c
++++ b/drivers/of/platform.c
+@@ -587,7 +587,7 @@ static int __init of_platform_default_po
+               node = of_find_node_by_path("/firmware");
+               if (node) {
+-                      of_platform_populate(node, NULL, NULL, NULL);
++                      of_platform_default_populate(node, NULL, NULL);
+                       of_node_put(node);
+               }
diff --git a/queue-6.1/perf-x86-intel-do-not-enable-bts-for-guests.patch b/queue-6.1/perf-x86-intel-do-not-enable-bts-for-guests.patch
new file mode 100644 (file)
index 0000000..86d7738
--- /dev/null
@@ -0,0 +1,59 @@
+From 91dcfae0ff2b9b9ab03c1ec95babaceefbffb9f4 Mon Sep 17 00:00:00 2001
+From: Fernand Sieber <sieberf@amazon.com>
+Date: Thu, 11 Dec 2025 20:36:04 +0200
+Subject: perf/x86/intel: Do not enable BTS for guests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fernand Sieber <sieberf@amazon.com>
+
+commit 91dcfae0ff2b9b9ab03c1ec95babaceefbffb9f4 upstream.
+
+By default when users program perf to sample branch instructions
+(PERF_COUNT_HW_BRANCH_INSTRUCTIONS) with a sample period of 1, perf
+interprets this as a special case and enables BTS (Branch Trace Store)
+as an optimization to avoid taking an interrupt on every branch.
+
+Since BTS doesn't virtualize, this optimization doesn't make sense when
+the request originates from a guest. Add an additional check that
+prevents this optimization for virtualized events (exclude_host).
+
+Reported-by: Jan H. Schönherr <jschoenh@amazon.de>
+Suggested-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Fernand Sieber <sieberf@amazon.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20251211183604.868641-1-sieberf@amazon.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/perf_event.h |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/events/perf_event.h
++++ b/arch/x86/events/perf_event.h
+@@ -1421,13 +1421,22 @@ static inline bool intel_pmu_has_bts_per
+       struct hw_perf_event *hwc = &event->hw;
+       unsigned int hw_event, bts_event;
+-      if (event->attr.freq)
++      /*
++       * Only use BTS for fixed rate period==1 events.
++       */
++      if (event->attr.freq || period != 1)
++              return false;
++
++      /*
++       * BTS doesn't virtualize.
++       */
++      if (event->attr.exclude_host)
+               return false;
+       hw_event = hwc->config & INTEL_ARCH_EVENT_MASK;
+       bts_event = x86_pmu.event_map(PERF_COUNT_HW_BRANCH_INSTRUCTIONS);
+-      return hw_event == bts_event && period == 1;
++      return hw_event == bts_event;
+ }
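Review bot: The new `exclude_host` check relies on the reader knowing that this flag marks events programmed on behalf of a guest; the comment `BTS doesn't virtualize.` gives the consequence but not why `exclude_host` identifies the case. Suggest `/* BTS doesn't virtualize; exclude_host marks events created on behalf of a guest. */`, which matches the wording in the commit description. The two comment blocks could also be merged since both are early-out conditions. intel_pmu_has_bts_period() starts outside the hunk.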
+ static inline bool intel_pmu_has_bts(struct perf_event *event)
index 10051bd207a20979454913f8146efd65d4d8ff25..d1948160b5aa405bf3087026277661d472a6ed44 100644 (file)
@@ -152,3 +152,31 @@ vsock-virtio-fix-potential-underflow-in-virtio_trans.patch
 vsock-virtio-cap-tx-credit-to-local-buffer-size.patch
 net-sched-act_ife-avoid-possible-null-deref.patch
 x86-make-page-fault-handling-disable-interrupts-prop.patch
+leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch
+of-fix-reference-count-leak-in-of_alias_scan.patch
+of-platform-use-default-match-table-for-firmware.patch
+iio-adc-ad9467-fix-ad9434-vref-mask.patch
+iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch
+iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch
+alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch
+alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch
+mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch
+wifi-ath10k-fix-dma_free_coherent-pointer.patch
+wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch
+wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch
+arm64-fpsimd-signal-allocate-ssve-storage-when-restoring-za.patch
+arm64-set-__nocfi-on-swsusp_arch_resume.patch
+octeontx2-fix-otx2_dma_map_page-error-return-code.patch
+slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch
+slimbus-core-fix-device-reference-leak-on-report-present.patch
+intel_th-fix-device-leak-on-output-open.patch
+uacce-fix-cdev-handling-in-the-cleanup-path.patch
+uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch
+uacce-ensure-safe-queue-release-with-state-management.patch
+netrom-fix-double-free-in-nr_route_frame.patch
+perf-x86-intel-do-not-enable-bts-for-guests.patch
+irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch
+can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch
+can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch
+can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch
+can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch
diff --git a/queue-6.1/slimbus-core-fix-device-reference-leak-on-report-present.patch b/queue-6.1/slimbus-core-fix-device-reference-leak-on-report-present.patch
new file mode 100644 (file)
index 0000000..2ea7146
--- /dev/null
@@ -0,0 +1,46 @@
+From 9391380eb91ea5ac792aae9273535c8da5b9aa01 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 26 Nov 2025 15:53:26 +0100
+Subject: slimbus: core: fix device reference leak on report present
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 9391380eb91ea5ac792aae9273535c8da5b9aa01 upstream.
+
+Slimbus devices can be allocated dynamically upon reception of
+report-present messages.
+
+Make sure to drop the reference taken when looking up already registered
+devices.
+
+Note that this requires taking an extra reference in case the device has
+not yet been registered and has to be allocated.
+
+Fixes: 46a2bb5a7f7e ("slimbus: core: Add slim controllers support")
+Cc: stable@vger.kernel.org     # 4.16
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20251126145329.5022-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/slimbus/core.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/slimbus/core.c
++++ b/drivers/slimbus/core.c
+@@ -378,6 +378,8 @@ struct slim_device *slim_get_device(stru
+               sbdev = slim_alloc_device(ctrl, e_addr, NULL);
+               if (!sbdev)
+                       return ERR_PTR(-ENOMEM);
++
++              get_device(&sbdev->dev);
+       }
+       return sbdev;
+@@ -512,6 +514,7 @@ int slim_device_report_present(struct sl
+               ret = slim_device_alloc_laddr(sbdev, true);
+       }
++      put_device(&sbdev->dev);
+ out_put_rpm:
+       pm_runtime_mark_last_busy(ctrl->dev);
+       pm_runtime_put_autosuspend(ctrl->dev);
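Review bot: slim_get_device() now returns a referenced device on both paths (the lookup already held one, and the new `get_device(&sbdev->dev)` adds one for the freshly allocated case), but nothing in the hunk documents that the caller owns that reference. Suggest a kernel-doc line on slim_get_device(): `Return: the device with a reference held; the caller must put_device() it.`. The `put_device(&sbdev->dev)` is placed before the `out_put_rpm:` label, so the IS_ERR path above it (outside this hunk) correctly skips the put. Both functions start outside the hunk.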
diff --git a/queue-6.1/slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch b/queue-6.1/slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch
new file mode 100644 (file)
index 0000000..b2c483e
--- /dev/null
@@ -0,0 +1,55 @@
+From 0eb4ff6596114aabba1070a66afa2c2f5593739f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 26 Nov 2025 15:53:25 +0100
+Subject: slimbus: core: fix runtime PM imbalance on report present
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 0eb4ff6596114aabba1070a66afa2c2f5593739f upstream.
+
+Make sure to balance the runtime PM usage count in case slimbus device
+or address allocation fails on report present, which would otherwise
+prevent the controller from suspending.
+
+Fixes: 4b14e62ad3c9 ("slimbus: Add support for 'clock-pause' feature")
+Cc: stable@vger.kernel.org     # 4.16
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20251126145329.5022-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/slimbus/core.c |   16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/drivers/slimbus/core.c
++++ b/drivers/slimbus/core.c
+@@ -496,21 +496,23 @@ int slim_device_report_present(struct sl
+       if (ctrl->sched.clk_state != SLIM_CLK_ACTIVE) {
+               dev_err(ctrl->dev, "slim ctrl not active,state:%d, ret:%d\n",
+                                   ctrl->sched.clk_state, ret);
+-              goto slimbus_not_active;
++              goto out_put_rpm;
+       }
+       sbdev = slim_get_device(ctrl, e_addr);
+-      if (IS_ERR(sbdev))
+-              return -ENODEV;
++      if (IS_ERR(sbdev)) {
++              ret = -ENODEV;
++              goto out_put_rpm;
++      }
+       if (sbdev->is_laddr_valid) {
+               *laddr = sbdev->laddr;
+-              return 0;
++              ret = 0;
++      } else {
++              ret = slim_device_alloc_laddr(sbdev, true);
+       }
+-      ret = slim_device_alloc_laddr(sbdev, true);
+-
+-slimbus_not_active:
++out_put_rpm:
+       pm_runtime_mark_last_busy(ctrl->dev);
+       pm_runtime_put_autosuspend(ctrl->dev);
+       return ret;
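Review bot: The inactive-clock path still returns whatever `ret` held on entry: slim_device_report_present() starts above the hunk, and if `ret` there is the pm_runtime_get_sync() result that the dev_err() format string prints, the new `goto out_put_rpm` hands a non-negative value back to the caller for a controller that is not active. Assigning an explicit error code on the line before the jump would close that gap now that the label is shared with the real error paths. While here, `ret = PTR_ERR(sbdev);` in the IS_ERR() branch would preserve the -ENOMEM that slim_get_device() returns instead of mapping it to -ENODEV.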
diff --git a/queue-6.1/uacce-ensure-safe-queue-release-with-state-management.patch b/queue-6.1/uacce-ensure-safe-queue-release-with-state-management.patch
new file mode 100644 (file)
index 0000000..0fa8ff4
--- /dev/null
@@ -0,0 +1,89 @@
+From 26c08dabe5475d99a13f353d8dd70e518de45663 Mon Sep 17 00:00:00 2001
+From: Chenghai Huang <huangchenghai2@huawei.com>
+Date: Tue, 2 Dec 2025 14:12:56 +0800
+Subject: uacce: ensure safe queue release with state management
+
+From: Chenghai Huang <huangchenghai2@huawei.com>
+
+commit 26c08dabe5475d99a13f353d8dd70e518de45663 upstream.
+
+Directly calling `put_queue` carries risks since it cannot
+guarantee that resources of `uacce_queue` have been fully released
+beforehand. So adding a `stop_queue` operation for the
+UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to
+the final resource release ensures safety.
+
+Queue states are defined as follows:
+- UACCE_Q_ZOMBIE: Initial state
+- UACCE_Q_INIT: After opening `uacce`
+- UACCE_Q_STARTED: After `start` is issued via `ioctl`
+
+When executing `poweroff -f` in virt while accelerator are still
+working, `uacce_fops_release` and `uacce_remove` may execute
+concurrently. This can cause `uacce_put_queue` within
+`uacce_fops_release` to access a NULL `ops` pointer. Therefore, add
+state checks to prevent accessing freed pointers.
+
+Fixes: 015d239ac014 ("uacce: add uacce driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
+Signed-off-by: Yang Shen <shenyang39@huawei.com>
+Acked-by: Zhangfei Gao <zhangfei.gao@linaro.org>
+Link: https://patch.msgid.link/20251202061256.4158641-5-huangchenghai2@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/uacce/uacce.c |   28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+--- a/drivers/misc/uacce/uacce.c
++++ b/drivers/misc/uacce/uacce.c
+@@ -37,20 +37,34 @@ static int uacce_start_queue(struct uacc
+       return 0;
+ }
+-static int uacce_put_queue(struct uacce_queue *q)
++static int uacce_stop_queue(struct uacce_queue *q)
+ {
+       struct uacce_device *uacce = q->uacce;
+-      if ((q->state == UACCE_Q_STARTED) && uacce->ops->stop_queue)
++      if (q->state != UACCE_Q_STARTED)
++              return 0;
++
++      if (uacce->ops->stop_queue)
+               uacce->ops->stop_queue(q);
+-      if ((q->state == UACCE_Q_INIT || q->state == UACCE_Q_STARTED) &&
+-           uacce->ops->put_queue)
++      q->state = UACCE_Q_INIT;
++
++      return 0;
++}
++
++static void uacce_put_queue(struct uacce_queue *q)
++{
++      struct uacce_device *uacce = q->uacce;
++
++      uacce_stop_queue(q);
++
++      if (q->state != UACCE_Q_INIT)
++              return;
++
++      if (uacce->ops->put_queue)
+               uacce->ops->put_queue(q);
+       q->state = UACCE_Q_ZOMBIE;
+-
+-      return 0;
+ }
+ static long uacce_fops_unl_ioctl(struct file *filep,
+@@ -77,7 +91,7 @@ static long uacce_fops_unl_ioctl(struct
+               ret = uacce_start_queue(q);
+               break;
+       case UACCE_CMD_PUT_Q:
+-              ret = uacce_put_queue(q);
++              ret = uacce_stop_queue(q);
+               break;
+       default:
+               if (uacce->ops->ioctl)
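Review bot: The state machine that makes these helpers safe (ZOMBIE → INIT → STARTED, with `uacce->ops` dereferenced only while the state says the queue still belongs to a live device) is described only in the commit message; a comment above uacce_stop_queue() and uacce_put_queue() should state it together with the lock under which `q->state` is read and written (presumably uacce->mutex, which the ioctl caller in the second hunk is expected to hold — confirm). uacce_stop_queue() still returns an always-zero int only so that the UACCE_CMD_PUT_Q case can assign it to `ret`; either say so in a comment or make it void and write `ret = 0;` in the ioctl. The release-vs-remove race the message describes is only closed if uacce_remove() moves every queue to UACCE_Q_ZOMBIE under the same lock before `ops` goes away; that code is outside the hunk.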
diff --git a/queue-6.1/uacce-fix-cdev-handling-in-the-cleanup-path.patch b/queue-6.1/uacce-fix-cdev-handling-in-the-cleanup-path.patch
new file mode 100644 (file)
index 0000000..36d5330
--- /dev/null
@@ -0,0 +1,50 @@
+From a3bece3678f6c88db1f44c602b2a63e84b4040ac Mon Sep 17 00:00:00 2001
+From: Wenkai Lin <linwenkai6@hisilicon.com>
+Date: Tue, 2 Dec 2025 14:12:53 +0800
+Subject: uacce: fix cdev handling in the cleanup path
+
+From: Wenkai Lin <linwenkai6@hisilicon.com>
+
+commit a3bece3678f6c88db1f44c602b2a63e84b4040ac upstream.
+
+When cdev_device_add fails, it internally releases the cdev memory,
+and if cdev_device_del is then executed, it will cause a hang error.
+To fix it, we check the return value of cdev_device_add() and clear
+uacce->cdev to avoid calling cdev_device_del in the uacce_remove.
+
+Fixes: 015d239ac014 ("uacce: add uacce driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Wenkai Lin <linwenkai6@hisilicon.com>
+Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
+Acked-by: Zhangfei Gao <zhangfei.gao@linaro.org>
+Link: https://patch.msgid.link/20251202061256.4158641-2-huangchenghai2@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/uacce/uacce.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/uacce/uacce.c
++++ b/drivers/misc/uacce/uacce.c
+@@ -500,6 +500,8 @@ EXPORT_SYMBOL_GPL(uacce_alloc);
+  */
+ int uacce_register(struct uacce_device *uacce)
+ {
++      int ret;
++
+       if (!uacce)
+               return -ENODEV;
+@@ -510,7 +512,11 @@ int uacce_register(struct uacce_device *
+       uacce->cdev->ops = &uacce_fops;
+       uacce->cdev->owner = THIS_MODULE;
+-      return cdev_device_add(uacce->cdev, &uacce->dev);
++      ret = cdev_device_add(uacce->cdev, &uacce->dev);
++      if (ret)
++              uacce->cdev = NULL;
++
++      return ret;
+ }
+ EXPORT_SYMBOL_GPL(uacce_register);
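Review bot: The commit message carries the `Signed-off-by: Greg Kroah-Hartman` trailer twice on consecutive lines; one copy should be dropped before the patch is committed. The second hunk relies on uacce_remove() testing `uacce->cdev` for NULL before calling cdev_device_del(); that function is outside the hunk, so confirm the check exists in the 6.1 tree. The ownership rule is not obvious from the assignment alone, so a comment such as `/* cdev_device_add() already released the cdev on failure; clear it so uacce_remove() does not del it again */` above `uacce->cdev = NULL;` would help the next reader.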
diff --git a/queue-6.1/uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch b/queue-6.1/uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch
new file mode 100644 (file)
index 0000000..47790d7
--- /dev/null
@@ -0,0 +1,52 @@
+From 02695347be532b628f22488300d40c4eba48b9b7 Mon Sep 17 00:00:00 2001
+From: Yang Shen <shenyang39@huawei.com>
+Date: Tue, 2 Dec 2025 14:12:55 +0800
+Subject: uacce: implement mremap in uacce_vm_ops to return -EPERM
+
+From: Yang Shen <shenyang39@huawei.com>
+
+commit 02695347be532b628f22488300d40c4eba48b9b7 upstream.
+
+The current uacce_vm_ops does not support the mremap operation of
+vm_operations_struct. Implement .mremap to return -EPERM to remind
+users.
+
+The reason we need to explicitly disable mremap is that when the
+driver does not implement .mremap, it uses the default mremap
+method. This could lead to a risk scenario:
+
+An application might first mmap address p1, then mremap to p2,
+followed by munmap(p1), and finally munmap(p2). Since the default
+mremap copies the original vma's vm_private_data (i.e., q) to the
+new vma, both munmap operations would trigger vma_close, causing
+q->qfr to be freed twice(qfr will be set to null here, so repeated
+release is ok).
+
+Fixes: 015d239ac014 ("uacce: add uacce driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yang Shen <shenyang39@huawei.com>
+Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
+Acked-by: Zhangfei Gao <zhangfei.gao@linaro.org>
+Link: https://patch.msgid.link/20251202061256.4158641-4-huangchenghai2@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/uacce/uacce.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/misc/uacce/uacce.c
++++ b/drivers/misc/uacce/uacce.c
+@@ -208,8 +208,14 @@ static void uacce_vma_close(struct vm_ar
+       kfree(qfr);
+ }
++static int uacce_vma_mremap(struct vm_area_struct *area)
++{
++      return -EPERM;
++}
++
+ static const struct vm_operations_struct uacce_vm_ops = {
+       .close = uacce_vma_close,
++      .mremap = uacce_vma_mremap,
+ };
+ static int uacce_fops_mmap(struct file *filep, struct vm_area_struct *vma)
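Review bot: uacce_vma_mremap() carries no comment explaining why moving the mapping is refused, and the reason (the default mremap copies vm_private_data, so the old and the new vma would both run uacce_vma_close() on the same queue) lives only in the commit message; add above the function `/* Refuse mremap(): a moved vma would share vm_private_data (q) with the original and both would release the same qfr. */`. The unused `area` parameter is fine for a vm_operations_struct callback. The `uacce_vm_ops` initializer is complete within the hunk.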
diff --git a/queue-6.1/wifi-ath10k-fix-dma_free_coherent-pointer.patch b/queue-6.1/wifi-ath10k-fix-dma_free_coherent-pointer.patch
new file mode 100644 (file)
index 0000000..93cbe2d
--- /dev/null
@@ -0,0 +1,70 @@
+From 9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Mon, 5 Jan 2026 22:04:38 +0100
+Subject: wifi: ath10k: fix dma_free_coherent() pointer
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit 9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f upstream.
+
+dma_alloc_coherent() allocates a DMA mapped buffer and stores the
+addresses in XXX_unaligned fields.  Those should be reused when freeing
+the buffer rather than the aligned addresses.
+
+Fixes: 2a1e1ad3fd37 ("ath10k: Add support for 64 bit ce descriptor")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260105210439.20131-2-fourier.thomas@gmail.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/ce.c |   16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/ce.c
++++ b/drivers/net/wireless/ath/ath10k/ce.c
+@@ -1791,8 +1791,8 @@ static void _ath10k_ce_free_pipe(struct
+                                 (ce_state->src_ring->nentries *
+                                  sizeof(struct ce_desc) +
+                                  CE_DESC_RING_ALIGN),
+-                                ce_state->src_ring->base_addr_owner_space,
+-                                ce_state->src_ring->base_addr_ce_space);
++                                ce_state->src_ring->base_addr_owner_space_unaligned,
++                                ce_state->src_ring->base_addr_ce_space_unaligned);
+               kfree(ce_state->src_ring);
+       }
+@@ -1801,8 +1801,8 @@ static void _ath10k_ce_free_pipe(struct
+                                 (ce_state->dest_ring->nentries *
+                                  sizeof(struct ce_desc) +
+                                  CE_DESC_RING_ALIGN),
+-                                ce_state->dest_ring->base_addr_owner_space,
+-                                ce_state->dest_ring->base_addr_ce_space);
++                                ce_state->dest_ring->base_addr_owner_space_unaligned,
++                                ce_state->dest_ring->base_addr_ce_space_unaligned);
+               kfree(ce_state->dest_ring);
+       }
+@@ -1822,8 +1822,8 @@ static void _ath10k_ce_free_pipe_64(stru
+                                 (ce_state->src_ring->nentries *
+                                  sizeof(struct ce_desc_64) +
+                                  CE_DESC_RING_ALIGN),
+-                                ce_state->src_ring->base_addr_owner_space,
+-                                ce_state->src_ring->base_addr_ce_space);
++                                ce_state->src_ring->base_addr_owner_space_unaligned,
++                                ce_state->src_ring->base_addr_ce_space_unaligned);
+               kfree(ce_state->src_ring);
+       }
+@@ -1832,8 +1832,8 @@ static void _ath10k_ce_free_pipe_64(stru
+                                 (ce_state->dest_ring->nentries *
+                                  sizeof(struct ce_desc_64) +
+                                  CE_DESC_RING_ALIGN),
+-                                ce_state->dest_ring->base_addr_owner_space,
+-                                ce_state->dest_ring->base_addr_ce_space);
++                                ce_state->dest_ring->base_addr_owner_space_unaligned,
++                                ce_state->dest_ring->base_addr_ce_space_unaligned);
+               kfree(ce_state->dest_ring);
+       }
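Review bot: The same dma_free_coherent() call is now spelled out four times across _ath10k_ce_free_pipe() and _ath10k_ce_free_pipe_64(), differing only in the ring pointer and the descriptor size, which is the kind of duplication that let the aligned/unaligned mix-up slip in; a small static helper taking the ring and the descriptor size would keep the size expression and the `_unaligned` pointers in one place. Any other free site in ce.c that still passes the aligned `base_addr_*` fields is outside these hunks and should be checked. Both enclosing functions start outside the hunks.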
diff --git a/queue-6.1/wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch b/queue-6.1/wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch
new file mode 100644 (file)
index 0000000..3393e4d
--- /dev/null
@@ -0,0 +1,46 @@
+From 2120f3a3738a65730c81bf10447b1ff776078915 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Thu, 8 Jan 2026 23:00:24 +0300
+Subject: wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 2120f3a3738a65730c81bf10447b1ff776078915 upstream.
+
+The "i" iterator variable is used to count two different things but
+unfortunately we can't store two different numbers in the same variable.
+Use "i" for the outside loop and "j" for the inside loop.
+
+Cc: stable@vger.kernel.org
+Fixes: d219b7eb3792 ("mwifiex: handle BT coex event to adjust Rx BA window size")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Jeff Chen <jeff.chen_1@nxp.com>
+Link: https://patch.msgid.link/aWAM2MGUWRP0zWUd@stanley.mountain
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
++++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
+@@ -827,7 +827,7 @@ void mwifiex_update_rxreor_flags(struct
+ static void mwifiex_update_ampdu_rxwinsize(struct mwifiex_adapter *adapter,
+                                          bool coex_flag)
+ {
+-      u8 i;
++      u8 i, j;
+       u32 rx_win_size;
+       struct mwifiex_private *priv;
+@@ -867,8 +867,8 @@ static void mwifiex_update_ampdu_rxwinsi
+               if (rx_win_size != priv->add_ba_param.rx_win_size) {
+                       if (!priv->media_connected)
+                               continue;
+-                      for (i = 0; i < MAX_NUM_TID; i++)
+-                              mwifiex_11n_delba(priv, i);
++                      for (j = 0; j < MAX_NUM_TID; j++)
++                              mwifiex_11n_delba(priv, j);
+               }
+       }
+ }
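Review bot: The inner index is fixed, but `j` is still declared at function scope as `u8` next to `i`, which is the layout that let the two counters collide; scoping it to the loop that uses it, `for (int j = 0; j < MAX_NUM_TID; j++)`, makes the separation structural rather than by convention. The outer loop head that advances `i` is outside the hunk.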
diff --git a/queue-6.1/wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch b/queue-6.1/wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch
new file mode 100644 (file)
index 0000000..65c30f7
--- /dev/null
@@ -0,0 +1,57 @@
+From 4f431d88ea8093afc7ba55edf4652978c5a68f33 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@nabladev.com>
+Date: Sat, 10 Jan 2026 00:56:29 +0100
+Subject: wifi: rsi: Fix memory corruption due to not set vif driver data size
+
+From: Marek Vasut <marex@nabladev.com>
+
+commit 4f431d88ea8093afc7ba55edf4652978c5a68f33 upstream.
+
+The struct ieee80211_vif contains trailing space for vif driver data,
+when struct ieee80211_vif is allocated, the total memory size that is
+allocated is sizeof(struct ieee80211_vif) + size of vif driver data.
+The size of vif driver data is set by each WiFi driver as needed.
+
+The RSI911x driver does not set vif driver data size, no trailing space
+for vif driver data is therefore allocated past struct ieee80211_vif .
+The RSI911x driver does however use the vif driver data to store its
+vif driver data structure "struct vif_priv". An access to vif->drv_priv
+leads to access out of struct ieee80211_vif bounds and corruption of
+some memory.
+
+In case of the failure observed locally, rsi_mac80211_add_interface()
+would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv;
+vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member
+struct list_head new_flows . The flow = list_first_entry(head, struct
+fq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus
+address, which when accessed causes a crash.
+
+The trigger is very simple, boot the machine with init=/bin/sh , mount
+devtmpfs, sysfs, procfs, and then do "ip link set wlan0 up", "sleep 1",
+"ip link set wlan0 down" and the crash occurs.
+
+Fix this by setting the correct size of vif driver data, which is the
+size of "struct vif_priv", so that memory is allocated and the driver
+can store its driver data in it, instead of corrupting memory around
+it.
+
+Cc: stable@vger.kernel.org
+Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
+Signed-off-by: Marek Vasut <marex@nabladev.com>
+Link: https://patch.msgid.link/20260109235817.150330-1-marex@nabladev.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/rsi/rsi_91x_mac80211.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c
++++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c
+@@ -2022,6 +2022,7 @@ int rsi_mac80211_attach(struct rsi_commo
+       hw->queues = MAX_HW_QUEUES;
+       hw->extra_tx_headroom = RSI_NEEDED_HEADROOM;
++      hw->vif_data_size = sizeof(struct vif_priv);
+       hw->max_rates = 1;
+       hw->max_rate_tries = MAX_RETRIES;