6.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 23 Dec 2025 16:54:35 +0000 (17:54 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 23 Dec 2025 16:54:35 +0000 (17:54 +0100)
added patches:
acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch
acpi-pcc-fix-race-condition-by-removing-static-qualifier.patch
can-gs_usb-gs_can_open-fix-error-handling.patch
dt-bindings-mmc-sdhci-of-aspeed-switch-ref-to-sdhci-common.yaml.patch
hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
input-alps-fix-use-after-free-bugs-caused-by-dev3_register_work.patch
input-apple_z2-fix-reading-incorrect-reports-after-exiting-sleep.patch
input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
input-lkkbd-disable-pending-work-before-freeing-device.patch
input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
input-xpad-add-support-for-crkd-guitars.patch
ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch
ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch
ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch
mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch
mmc-sdhci-of-arasan-increase-cd-stable-timeout-to-2-seconds.patch
net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch
platform-x86-intel_pmc_ipc-fix-acpi-buffer-memory-leak.patch
soc-tegra-fuse-do-not-register-soc-device-on-acpi-boot.patch
spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch
x86-bug-fix-old-gcc-compile-fails.patch
x86-msi-make-irq_retrigger-functional-for-posted-msi.patch
xfs-don-t-leak-a-locked-dquot-when-xfs_dquot_attach_buf-fails.patch

24 files changed:
queue-6.18/acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch [new file with mode: 0644]
queue-6.18/acpi-pcc-fix-race-condition-by-removing-static-qualifier.patch [new file with mode: 0644]
queue-6.18/can-gs_usb-gs_can_open-fix-error-handling.patch [new file with mode: 0644]
queue-6.18/dt-bindings-mmc-sdhci-of-aspeed-switch-ref-to-sdhci-common.yaml.patch [new file with mode: 0644]
queue-6.18/hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch [new file with mode: 0644]
queue-6.18/input-alps-fix-use-after-free-bugs-caused-by-dev3_register_work.patch [new file with mode: 0644]
queue-6.18/input-apple_z2-fix-reading-incorrect-reports-after-exiting-sleep.patch [new file with mode: 0644]
queue-6.18/input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch [new file with mode: 0644]
queue-6.18/input-lkkbd-disable-pending-work-before-freeing-device.patch [new file with mode: 0644]
queue-6.18/input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch [new file with mode: 0644]
queue-6.18/input-xpad-add-support-for-crkd-guitars.patch [new file with mode: 0644]
queue-6.18/ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch [new file with mode: 0644]
queue-6.18/ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch [new file with mode: 0644]
queue-6.18/ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch [new file with mode: 0644]
queue-6.18/mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch [new file with mode: 0644]
queue-6.18/mmc-sdhci-of-arasan-increase-cd-stable-timeout-to-2-seconds.patch [new file with mode: 0644]
queue-6.18/net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch [new file with mode: 0644]
queue-6.18/platform-x86-intel_pmc_ipc-fix-acpi-buffer-memory-leak.patch [new file with mode: 0644]
queue-6.18/series
queue-6.18/soc-tegra-fuse-do-not-register-soc-device-on-acpi-boot.patch [new file with mode: 0644]
queue-6.18/spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch [new file with mode: 0644]
queue-6.18/x86-bug-fix-old-gcc-compile-fails.patch [new file with mode: 0644]
queue-6.18/x86-msi-make-irq_retrigger-functional-for-posted-msi.patch [new file with mode: 0644]
queue-6.18/xfs-don-t-leak-a-locked-dquot-when-xfs_dquot_attach_buf-fails.patch [new file with mode: 0644]

diff --git a/queue-6.18/acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch b/queue-6.18/acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch
new file mode 100644 (file)
index 0000000..5bb1963
--- /dev/null
@@ -0,0 +1,40 @@
+From 6ea3a44cef28add2d93b1ef119d84886cb1e3c9b Mon Sep 17 00:00:00 2001
+From: Pengjie Zhang <zhangpengjie2@huawei.com>
+Date: Wed, 10 Dec 2025 21:22:27 +0800
+Subject: ACPI: CPPC: Fix missing PCC check for guaranteed_perf
+
+From: Pengjie Zhang <zhangpengjie2@huawei.com>
+
+commit 6ea3a44cef28add2d93b1ef119d84886cb1e3c9b upstream.
+
+The current implementation overlooks the 'guaranteed_perf'
+register in this check.
+
+If the Guaranteed Performance register is located in the PCC
+subspace, the function currently attempts to read it without
+acquiring the lock and without sending the CMD_READ doorbell
+to the firmware. This can result in reading stale data.
+
+Fixes: 29523f095397 ("ACPI / CPPC: Add support for guaranteed performance")
+Signed-off-by: Pengjie Zhang <zhangpengjie2@huawei.com>
+Cc: 4.20+ <stable@vger.kernel.org> # 4.20+
+[ rjw: Subject and changelog edits ]
+Link: https://patch.msgid.link/20251210132227.1988380-1-zhangpengjie2@huawei.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/cppc_acpi.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/cppc_acpi.c
++++ b/drivers/acpi/cppc_acpi.c
+@@ -1366,7 +1366,8 @@ int cppc_get_perf_caps(int cpunum, struc
+       /* Are any of the regs PCC ?*/
+       if (CPC_IN_PCC(highest_reg) || CPC_IN_PCC(lowest_reg) ||
+               CPC_IN_PCC(lowest_non_linear_reg) || CPC_IN_PCC(nominal_reg) ||
+-              CPC_IN_PCC(low_freq_reg) || CPC_IN_PCC(nom_freq_reg)) {
++              CPC_IN_PCC(low_freq_reg) || CPC_IN_PCC(nom_freq_reg) ||
++              CPC_IN_PCC(guaranteed_reg)) {
+               if (pcc_ss_id < 0) {
+                       pr_debug("Invalid pcc_ss_id\n");
+                       return -ENODEV;
diff --git a/queue-6.18/acpi-pcc-fix-race-condition-by-removing-static-qualifier.patch b/queue-6.18/acpi-pcc-fix-race-condition-by-removing-static-qualifier.patch
new file mode 100644 (file)
index 0000000..b8efe93
--- /dev/null
@@ -0,0 +1,40 @@
+From f103fa127c93016bcd89b05d8e11dc1a84f6990d Mon Sep 17 00:00:00 2001
+From: Pengjie Zhang <zhangpengjie2@huawei.com>
+Date: Wed, 10 Dec 2025 21:26:34 +0800
+Subject: ACPI: PCC: Fix race condition by removing static qualifier
+
+From: Pengjie Zhang <zhangpengjie2@huawei.com>
+
+commit f103fa127c93016bcd89b05d8e11dc1a84f6990d upstream.
+
+Local variable 'ret' in acpi_pcc_address_space_setup() is currently
+declared as 'static'. This can lead to race conditions in a
+multithreaded environment.
+
+Remove the 'static' qualifier to ensure that 'ret' will be allocated
+directly on the stack as a local variable.
+
+Fixes: a10b1c99e2dc ("ACPI: PCC: Setup PCC Opregion handler only if platform interrupt is available")
+Signed-off-by: Pengjie Zhang <zhangpengjie2@huawei.com>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Acked-by: lihuisong@huawei.com
+Cc: 6.2+ <stable@vger.kernel.org> # 6.2+
+[ rjw: Changelog edits ]
+Link: https://patch.msgid.link/20251210132634.2050033-1-zhangpengjie2@huawei.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpi_pcc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/acpi_pcc.c
++++ b/drivers/acpi/acpi_pcc.c
+@@ -52,7 +52,7 @@ acpi_pcc_address_space_setup(acpi_handle
+       struct pcc_data *data;
+       struct acpi_pcc_info *ctx = handler_context;
+       struct pcc_mbox_chan *pcc_chan;
+-      static acpi_status ret;
++      acpi_status ret;
+       data = kzalloc(sizeof(*data), GFP_KERNEL);
+       if (!data)
diff --git a/queue-6.18/can-gs_usb-gs_can_open-fix-error-handling.patch b/queue-6.18/can-gs_usb-gs_can_open-fix-error-handling.patch
new file mode 100644 (file)
index 0000000..3dc54d9
--- /dev/null
@@ -0,0 +1,43 @@
+From 3e54d3b4a8437b6783d4145c86962a2aa51022f3 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Mon, 1 Dec 2025 19:26:38 +0100
+Subject: can: gs_usb: gs_can_open(): fix error handling
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 3e54d3b4a8437b6783d4145c86962a2aa51022f3 upstream.
+
+Commit 2603be9e8167 ("can: gs_usb: gs_can_open(): improve error handling")
+added missing error handling to the gs_can_open() function.
+
+The driver uses 2 USB anchors to track the allocated URBs: the TX URBs in
+struct gs_can::tx_submitted for each netdev and the RX URBs in struct
+gs_usb::rx_submitted for the USB device. gs_can_open() allocates the RX
+URBs, while TX URBs are allocated during gs_can_start_xmit().
+
+The cleanup in gs_can_open() kills all anchored dev->tx_submitted
+URBs (which is not necessary since the netdev is not yet registered), but
+misses the parent->rx_submitted URBs.
+
+Fix the problem by killing the rx_submitted instead of the tx_submitted.
+
+Fixes: 2603be9e8167 ("can: gs_usb: gs_can_open(): improve error handling")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251210-gs_usb-fix-error-handling-v1-1-d6a5a03f10bb@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/gs_usb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -1074,7 +1074,7 @@ out_usb_free_urb:
+       usb_free_urb(urb);
+ out_usb_kill_anchored_urbs:
+       if (!parent->active_channels) {
+-              usb_kill_anchored_urbs(&dev->tx_submitted);
++              usb_kill_anchored_urbs(&parent->rx_submitted);
+               if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP)
+                       gs_usb_timestamp_stop(parent);
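Review bot: The cleanup under `out_usb_kill_anchored_urbs:` now kills `parent->rx_submitted`, but nothing at the call site explains why the per-netdev `dev->tx_submitted` anchor is deliberately left alone. A short comment above the call would keep the two anchors from being swapped back, e.g. `/* RX URBs are anchored on the parent; TX URBs are only allocated in gs_can_start_xmit() */`. The wording follows the patch description; gs_can_open() itself starts and ends outside the hunk.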
diff --git a/queue-6.18/dt-bindings-mmc-sdhci-of-aspeed-switch-ref-to-sdhci-common.yaml.patch b/queue-6.18/dt-bindings-mmc-sdhci-of-aspeed-switch-ref-to-sdhci-common.yaml.patch
new file mode 100644 (file)
index 0000000..8b7334e
--- /dev/null
@@ -0,0 +1,31 @@
+From ed724ea1b82a800af4704311cb89e5ef1b4ea7ac Mon Sep 17 00:00:00 2001
+From: Andrew Jeffery <andrew@codeconstruct.com.au>
+Date: Thu, 11 Dec 2025 17:45:48 +0900
+Subject: dt-bindings: mmc: sdhci-of-aspeed: Switch ref to sdhci-common.yaml
+
+From: Andrew Jeffery <andrew@codeconstruct.com.au>
+
+commit ed724ea1b82a800af4704311cb89e5ef1b4ea7ac upstream.
+
+Enable use of common SDHCI-related properties such as sdhci-caps-mask as
+found in the AST2600 EVB DTS.
+
+Cc: stable@vger.kernel.org # v6.2+
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/mmc/aspeed,sdhci.yaml |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/mmc/aspeed,sdhci.yaml
++++ b/Documentation/devicetree/bindings/mmc/aspeed,sdhci.yaml
+@@ -41,7 +41,7 @@ properties:
+ patternProperties:
+   "^sdhci@[0-9a-f]+$":
+     type: object
+-    $ref: mmc-controller.yaml
++    $ref: sdhci-common.yaml
+     unevaluatedProperties: false
+     properties:
diff --git a/queue-6.18/hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch b/queue-6.18/hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
new file mode 100644 (file)
index 0000000..96ed8af
--- /dev/null
@@ -0,0 +1,70 @@
+From 7953794f741e94d30df9dafaaa4c031c85b891d6 Mon Sep 17 00:00:00 2001
+From: Ping Cheng <pinglinux@gmail.com>
+Date: Mon, 27 Oct 2025 13:37:42 -0700
+Subject: HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen
+
+From: Ping Cheng <pinglinux@gmail.com>
+
+commit 7953794f741e94d30df9dafaaa4c031c85b891d6 upstream.
+
+HID_GD_Z is mapped to ABS_Z for stylus and pen in hid-input.c. But HID_GD_Z
+should be used to report ABS_DISTANCE for stylus and pen as described at:
+Documentation/input/event-codes.rst#n226
+
+* ABS_DISTANCE:
+
+  - Used to describe the distance of a tool from an interaction surface. This
+    event should only be emitted while the tool is hovering, meaning in close
+    proximity of the device and while the value of the BTN_TOUCH code is 0. If
+    the input device may be used freely in three dimensions, consider ABS_Z
+    instead.
+  - BTN_TOOL_<name> should be set to 1 when the tool comes into detectable
+    proximity and set to 0 when the tool leaves detectable proximity.
+    BTN_TOOL_<name> signals the type of tool that is currently detected by the
+    hardware and is otherwise independent of ABS_DISTANCE and/or BTN_TOUCH.
+
+This patch makes the correct mapping. The ABS_DISTANCE is currently not mapped
+by any HID usage in hid-generic driver.
+
+Signed-off-by: Ping Cheng <ping.cheng@wacom.com>
+Cc: stable@kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-input.c |   18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -878,7 +878,7 @@ static void hidinput_configure_usage(str
+               switch (usage->hid) {
+               /* These usage IDs map directly to the usage codes. */
+-              case HID_GD_X: case HID_GD_Y: case HID_GD_Z:
++              case HID_GD_X: case HID_GD_Y:
+               case HID_GD_RX: case HID_GD_RY: case HID_GD_RZ:
+                       if (field->flags & HID_MAIN_ITEM_RELATIVE)
+                               map_rel(usage->hid & 0xf);
+@@ -886,6 +886,22 @@ static void hidinput_configure_usage(str
+                               map_abs_clear(usage->hid & 0xf);
+                       break;
++              case HID_GD_Z:
++                      /* HID_GD_Z is mapped to ABS_DISTANCE for stylus/pen */
++                      if (field->flags & HID_MAIN_ITEM_RELATIVE) {
++                              map_rel(usage->hid & 0xf);
++                      } else {
++                              if (field->application == HID_DG_PEN ||
++                                  field->physical == HID_DG_PEN ||
++                                  field->logical == HID_DG_STYLUS ||
++                                  field->physical == HID_DG_STYLUS ||
++                                  field->application == HID_DG_DIGITIZER)
++                                      map_abs_clear(ABS_DISTANCE);
++                              else
++                                      map_abs_clear(usage->hid & 0xf);
++                      }
++                      break;
++
+               case HID_GD_WHEEL:
+                       if (field->flags & HID_MAIN_ITEM_RELATIVE) {
+                               set_bit(REL_WHEEL, input->relbit);
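Review bot: The comment on the new `case HID_GD_Z:` says the usage is mapped to ABS_DISTANCE for stylus/pen, but the condition below it also matches `field->application == HID_DG_DIGITIZER`, and it tests a different mix of application/physical/logical fields for pen than for stylus. Stating the actual rule would keep a later reader from narrowing or widening it by accident, e.g. `/* Absolute HID_GD_Z on pen, stylus or digitizer collections reports hover distance (ABS_DISTANCE); everything else keeps ABS_Z */`. Fields on those collections that previously produced ABS_Z now produce ABS_DISTANCE, so userspace sees a different axis after the backport; that is worth a sentence in the comment as well. hidinput_configure_usage() continues outside the hunk.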
diff --git a/queue-6.18/input-alps-fix-use-after-free-bugs-caused-by-dev3_register_work.patch b/queue-6.18/input-alps-fix-use-after-free-bugs-caused-by-dev3_register_work.patch
new file mode 100644 (file)
index 0000000..08e2531
--- /dev/null
@@ -0,0 +1,61 @@
+From bf40644ef8c8a288742fa45580897ed0e0289474 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou <duoming@zju.edu.cn>
+Date: Wed, 17 Dec 2025 11:00:17 +0800
+Subject: Input: alps - fix use-after-free bugs caused by dev3_register_work
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+commit bf40644ef8c8a288742fa45580897ed0e0289474 upstream.
+
+The dev3_register_work delayed work item is initialized within
+alps_reconnect() and scheduled upon receipt of the first bare
+PS/2 packet from an external PS/2 device connected to the ALPS
+touchpad. During device detachment, the original implementation
+calls flush_workqueue() in psmouse_disconnect() to ensure
+completion of dev3_register_work. However, the flush_workqueue()
+in psmouse_disconnect() only blocks and waits for work items that
+were already queued to the workqueue prior to its invocation. Any
+work items submitted after flush_workqueue() is called are not
+included in the set of tasks that the flush operation awaits.
+This means that after flush_workqueue() has finished executing,
+the dev3_register_work could still be scheduled. Although the
+psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),
+the scheduling of dev3_register_work remains unaffected.
+
+The race condition can occur as follows:
+
+CPU 0 (cleanup path)     | CPU 1 (delayed work)
+psmouse_disconnect()     |
+  psmouse_set_state()    |
+  flush_workqueue()      | alps_report_bare_ps2_packet()
+  alps_disconnect()      |   psmouse_queue_work()
+    kfree(priv); // FREE | alps_register_bare_ps2_mouse()
+                         |   priv = container_of(work...); // USE
+                         |   priv->dev3 // USE
+
+Add disable_delayed_work_sync() in alps_disconnect() to ensure
+that dev3_register_work is properly canceled and prevented from
+executing after the alps_data structure has been deallocated.
+
+This bug is identified by static analysis.
+
+Fixes: 04aae283ba6a ("Input: ALPS - do not mix trackstick and external PS/2 mouse data")
+Cc: stable@kernel.org
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Link: https://patch.msgid.link/b57b0a9ccca51a3f06be141bfc02b9ffe69d1845.1765939397.git.duoming@zju.edu.cn
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/mouse/alps.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -2975,6 +2975,7 @@ static void alps_disconnect(struct psmou
+       psmouse_reset(psmouse);
+       timer_shutdown_sync(&priv->timer);
++      disable_delayed_work_sync(&priv->dev3_register_work);
+       if (priv->dev2)
+               input_unregister_device(priv->dev2);
+       if (!IS_ERR_OR_NULL(priv->dev3))
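Review bot: The added `disable_delayed_work_sync(&priv->dev3_register_work);` in alps_disconnect() carries no comment, and the reason it is needed on top of the flush_workqueue() in psmouse_disconnect() lives only in the patch description. A one-line comment such as `/* flush_workqueue() in psmouse_disconnect() does not stop later queueing; disable the work before priv is freed */` would keep the call from being removed as redundant. The same applies to the two `disable_work_sync(&lk->tq);` calls added by the lkkbd patch further down. alps_disconnect() starts and ends outside the hunk.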
diff --git a/queue-6.18/input-apple_z2-fix-reading-incorrect-reports-after-exiting-sleep.patch b/queue-6.18/input-apple_z2-fix-reading-incorrect-reports-after-exiting-sleep.patch
new file mode 100644 (file)
index 0000000..4830411
--- /dev/null
@@ -0,0 +1,48 @@
+From d579478cee228bdc0029a0c12a1f6a63ea9d1c77 Mon Sep 17 00:00:00 2001
+From: Sasha Finkelstein <fnkl.kernel@gmail.com>
+Date: Thu, 18 Dec 2025 10:15:23 -0800
+Subject: Input: apple_z2 - fix reading incorrect reports after exiting sleep
+
+From: Sasha Finkelstein <fnkl.kernel@gmail.com>
+
+commit d579478cee228bdc0029a0c12a1f6a63ea9d1c77 upstream.
+
+Under certain conditions (more prevalent after a suspend/resume cycle),
+the touchscreen controller can send the "boot complete" interrupt before
+it actually finished booting. In those cases, attempting to read touch
+data resuls in a stream of "not ready" messages being read and
+interpreted as a touch report. Check that the response is in fact a
+touch report and discard it otherwise.
+
+Reported-by: pitust <piotr@stelmaszek.com>
+Closes: https://oftc.catirclogs.org/asahi/2025-12-17#34878715;
+Fixes: 471a92f8a21a ("Input: apple_z2 - add a driver for Apple Z2 touchscreens")
+Signed-off-by: Sasha Finkelstein <fnkl.kernel@gmail.com>
+Link: https://patch.msgid.link/20251218-z2-init-fix-v1-1-48e3aa239caf@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/apple_z2.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/input/touchscreen/apple_z2.c
++++ b/drivers/input/touchscreen/apple_z2.c
+@@ -21,6 +21,7 @@
+ #define APPLE_Z2_TOUCH_STARTED           3
+ #define APPLE_Z2_TOUCH_MOVED             4
+ #define APPLE_Z2_CMD_READ_INTERRUPT_DATA 0xEB
++#define APPLE_Z2_REPLY_INTERRUPT_DATA    0xE1
+ #define APPLE_Z2_HBPP_CMD_BLOB           0x3001
+ #define APPLE_Z2_FW_MAGIC                0x5746325A
+ #define LOAD_COMMAND_INIT_PAYLOAD        0
+@@ -142,6 +143,9 @@ static int apple_z2_read_packet(struct a
+       if (error)
+               return error;
++      if (z2->rx_buf[0] != APPLE_Z2_REPLY_INTERRUPT_DATA)
++              return 0;
++
+       pkt_len = (get_unaligned_le16(z2->rx_buf + 1) + 8) & 0xfffffffc;
+       error = spi_read(z2->spidev, z2->rx_buf, pkt_len);
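Review bot: The new check validates only the first byte of the reply; `pkt_len` on the following line is still computed from a 16-bit length supplied by the controller and passed straight to `spi_read()` into `z2->rx_buf`. If the buffer size is not enforced elsewhere in apple_z2_read_packet() (not visible in this hunk), a bound before the second read would close that, e.g. `if (pkt_len > rx_buf_size) return -EMSGSIZE;`, where `rx_buf_size` is a placeholder for the actual allocation size. Returning 0 for a non-matching reply also drops the event silently; a `dev_dbg()` on that path would make premature "boot complete" interrupts visible during triage.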
diff --git a/queue-6.18/input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch b/queue-6.18/input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
new file mode 100644 (file)
index 0000000..4f1b4a4
--- /dev/null
@@ -0,0 +1,39 @@
+From aed3716db7fff74919cc5775ca3a80c8bb246489 Mon Sep 17 00:00:00 2001
+From: Christoffer Sandberg <cs@tuxedo.de>
+Date: Mon, 24 Nov 2025 21:31:34 +0100
+Subject: Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table
+
+From: Christoffer Sandberg <cs@tuxedo.de>
+
+commit aed3716db7fff74919cc5775ca3a80c8bb246489 upstream.
+
+The device occasionally wakes up from suspend with missing input on the
+internal keyboard and the following suspend attempt results in an instant
+wake-up. The quirks fix both issues for this device.
+
+Signed-off-by: Christoffer Sandberg <cs@tuxedo.de>
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251124203336.64072-1-wse@tuxedocomputers.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/serio/i8042-acpipnpio.h |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-acpipnpio.h
++++ b/drivers/input/serio/i8042-acpipnpio.h
+@@ -1169,6 +1169,13 @@ static const struct dmi_system_id i8042_
+               .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS |
+                                       SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
+       },
++      {
++              .matches = {
++                      DMI_MATCH(DMI_BOARD_NAME, "X5KK45xS_X5SP45xS"),
++              },
++              .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS |
++                                      SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
++      },
+       /*
+        * A lot of modern Clevo barebones have touchpad and/or keyboard issues
+        * after suspend fixable with the forcenorestore quirk.
diff --git a/queue-6.18/input-lkkbd-disable-pending-work-before-freeing-device.patch b/queue-6.18/input-lkkbd-disable-pending-work-before-freeing-device.patch
new file mode 100644 (file)
index 0000000..4237777
--- /dev/null
@@ -0,0 +1,52 @@
+From e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c Mon Sep 17 00:00:00 2001
+From: Minseong Kim <ii4gsp@gmail.com>
+Date: Fri, 12 Dec 2025 00:29:23 -0800
+Subject: Input: lkkbd - disable pending work before freeing device
+
+From: Minseong Kim <ii4gsp@gmail.com>
+
+commit e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c upstream.
+
+lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work
+handler lkkbd_reinit() dereferences the lkkbd structure and its
+serio/input_dev fields.
+
+lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd
+structure without preventing the reinit work from being queued again
+until serio_close() returns. This can allow the work handler to run
+after the structure has been freed, leading to a potential use-after-free.
+
+Use disable_work_sync() instead of cancel_work_sync() to ensure the
+reinit work cannot be re-queued, and call it both in lkkbd_disconnect()
+and in lkkbd_connect() error paths after serio_open().
+
+Signed-off-by: Minseong Kim <ii4gsp@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251212052314.16139-1-ii4gsp@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/lkkbd.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/keyboard/lkkbd.c
++++ b/drivers/input/keyboard/lkkbd.c
+@@ -670,7 +670,8 @@ static int lkkbd_connect(struct serio *s
+       return 0;
+- fail3:       serio_close(serio);
++ fail3:       disable_work_sync(&lk->tq);
++      serio_close(serio);
+  fail2:       serio_set_drvdata(serio, NULL);
+  fail1:       input_free_device(input_dev);
+       kfree(lk);
+@@ -684,6 +685,8 @@ static void lkkbd_disconnect(struct seri
+ {
+       struct lkkbd *lk = serio_get_drvdata(serio);
++      disable_work_sync(&lk->tq);
++
+       input_get_device(lk->dev);
+       input_unregister_device(lk->dev);
+       serio_close(serio);
diff --git a/queue-6.18/input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch b/queue-6.18/input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
new file mode 100644 (file)
index 0000000..f93d0f4
--- /dev/null
@@ -0,0 +1,38 @@
+From 248d3a73a0167dce15ba100477c3e778c4787178 Mon Sep 17 00:00:00 2001
+From: Junjie Cao <junjie.cao@intel.com>
+Date: Thu, 18 Dec 2025 21:56:59 -0800
+Subject: Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
+
+From: Junjie Cao <junjie.cao@intel.com>
+
+commit 248d3a73a0167dce15ba100477c3e778c4787178 upstream.
+
+The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows
+wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds
+access when used as index in 'config_pins[wire_order[i]]'.
+
+Since config_pins has 4 elements (indices 0-3), the valid range for
+wire_order should be 0-3. Fix the off-by-one error by using >= instead
+of > in the validation check.
+
+Signed-off-by: Junjie Cao <junjie.cao@intel.com>
+Link: https://patch.msgid.link/20251114062817.852698-1-junjie.cao@intel.com
+Fixes: bb76dc09ddfc ("input: ti_am33x_tsc: Order of TSC wires, made configurable")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/ti_am335x_tsc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/ti_am335x_tsc.c
++++ b/drivers/input/touchscreen/ti_am335x_tsc.c
+@@ -85,7 +85,7 @@ static int titsc_config_wires(struct tit
+               wire_order[i] = ts_dev->config_inp[i] & 0x0F;
+               if (WARN_ON(analog_line[i] > 7))
+                       return -EINVAL;
+-              if (WARN_ON(wire_order[i] > ARRAY_SIZE(config_pins)))
++              if (WARN_ON(wire_order[i] >= ARRAY_SIZE(config_pins)))
+                       return -EINVAL;
+       }
diff --git a/queue-6.18/input-xpad-add-support-for-crkd-guitars.patch b/queue-6.18/input-xpad-add-support-for-crkd-guitars.patch
new file mode 100644 (file)
index 0000000..98394eb
--- /dev/null
@@ -0,0 +1,55 @@
+From 806ec7b797adc1cc9b11535307638a55ddfb873c Mon Sep 17 00:00:00 2001
+From: Sanjay Govind <sanjay.govind9@gmail.com>
+Date: Sat, 29 Nov 2025 20:37:11 +1300
+Subject: Input: xpad - add support for CRKD Guitars
+
+From: Sanjay Govind <sanjay.govind9@gmail.com>
+
+commit 806ec7b797adc1cc9b11535307638a55ddfb873c upstream.
+
+Add support for various CRKD Guitar Controllers.
+
+Signed-off-by: Sanjay Govind <sanjay.govind9@gmail.com>
+Link: https://patch.msgid.link/20251129073720.2750-2-sanjay.govind9@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joystick/xpad.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -133,6 +133,8 @@ static const struct xpad_device {
+ } xpad_device[] = {
+       /* Please keep this list sorted by vendor and product ID. */
+       { 0x0079, 0x18d4, "GPD Win 2 X-Box Controller", 0, XTYPE_XBOX360 },
++      { 0x0351, 0x1000, "CRKD LP Blueberry Burst Pro Edition (Xbox)", 0, XTYPE_XBOX360 },
++      { 0x0351, 0x2000, "CRKD LP Black Tribal Edition (Xbox) ", 0, XTYPE_XBOX360 },
+       { 0x03eb, 0xff01, "Wooting One (Legacy)", 0, XTYPE_XBOX360 },
+       { 0x03eb, 0xff02, "Wooting Two (Legacy)", 0, XTYPE_XBOX360 },
+       { 0x03f0, 0x038D, "HyperX Clutch", 0, XTYPE_XBOX360 },                  /* wired */
+@@ -420,6 +422,7 @@ static const struct xpad_device {
+       { 0x3285, 0x0663, "Nacon Evol-X", 0, XTYPE_XBOXONE },
+       { 0x3537, 0x1004, "GameSir T4 Kaleid", 0, XTYPE_XBOX360 },
+       { 0x3537, 0x1010, "GameSir G7 SE", 0, XTYPE_XBOXONE },
++      { 0x3651, 0x1000, "CRKD SG", 0, XTYPE_XBOX360 },
+       { 0x366c, 0x0005, "ByoWave Proteus Controller", MAP_SHARE_BUTTON, XTYPE_XBOXONE, FLAG_DELAY_INIT },
+       { 0x3767, 0x0101, "Fanatec Speedster 3 Forceshock Wheel", 0, XTYPE_XBOX },
+       { 0x37d7, 0x2501, "Flydigi Apex 5", 0, XTYPE_XBOX360 },
+@@ -518,6 +521,7 @@ static const struct usb_device_id xpad_t
+        */
+       { USB_INTERFACE_INFO('X', 'B', 0) },    /* Xbox USB-IF not-approved class */
+       XPAD_XBOX360_VENDOR(0x0079),            /* GPD Win 2 controller */
++      XPAD_XBOX360_VENDOR(0x0351),            /* CRKD Controllers */
+       XPAD_XBOX360_VENDOR(0x03eb),            /* Wooting Keyboards (Legacy) */
+       XPAD_XBOX360_VENDOR(0x03f0),            /* HP HyperX Xbox 360 controllers */
+       XPAD_XBOXONE_VENDOR(0x03f0),            /* HP HyperX Xbox One controllers */
+@@ -578,6 +582,7 @@ static const struct usb_device_id xpad_t
+       XPAD_XBOXONE_VENDOR(0x3285),            /* Nacon Evol-X */
+       XPAD_XBOX360_VENDOR(0x3537),            /* GameSir Controllers */
+       XPAD_XBOXONE_VENDOR(0x3537),            /* GameSir Controllers */
++      XPAD_XBOX360_VENDOR(0x3651),            /* CRKD Controllers */
+       XPAD_XBOXONE_VENDOR(0x366c),            /* ByoWave controllers */
+       XPAD_XBOX360_VENDOR(0x37d7),            /* Flydigi Controllers */
+       XPAD_XBOX360_VENDOR(0x413d),            /* Black Shark Green Ghost Controller */
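Review bot: The name string added for 0x0351:0x2000 ends with a stray space, `"CRKD LP Black Tribal Edition (Xbox) "`, which would end up in the reported input device name; it should read `"CRKD LP Black Tribal Edition (Xbox)"`. The patch also registers CRKD under two vendor IDs, 0x0351 and 0x3651, both commented only as `/* CRKD Controllers */`. If both are intentional, naming the product line behind each ID in those comments would help rule out a transposed digit.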
diff --git a/queue-6.18/ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch b/queue-6.18/ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch
new file mode 100644 (file)
index 0000000..21568da
--- /dev/null
@@ -0,0 +1,46 @@
+From 95d7a890e4b03e198836d49d699408fd1867cb55 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sun, 14 Dec 2025 15:06:34 +0900
+Subject: ksmbd: fix buffer validation by including null terminator size in EA length
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 95d7a890e4b03e198836d49d699408fd1867cb55 upstream.
+
+The smb2_set_ea function, which handles Extended Attributes (EA),
+was performing buffer validation checks that incorrectly omitted the size
+of the null terminating character (+1 byte) for EA Name.
+This patch fixes the issue by explicitly adding '+ 1' to EaNameLength where
+the null terminator is expected to be present in the buffer, ensuring
+the validation accurately reflects the total required buffer size.
+
+Cc: stable@vger.kernel.org
+Reported-by: Roger <roger.andersen@protonmail.com>
+Reported-by: Stanislas Polu <spolu@dust.tt>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -2373,7 +2373,7 @@ static int smb2_set_ea(struct smb2_ea_in
+       int rc = 0;
+       unsigned int next = 0;
+-      if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength +
++      if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + 1 +
+                       le16_to_cpu(eabuf->EaValueLength))
+               return -EINVAL;
+@@ -2450,7 +2450,7 @@ next:
+                       break;
+               }
+-              if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength +
++              if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + 1 +
+                               le16_to_cpu(eabuf->EaValueLength)) {
+                       rc = -EINVAL;
+                       break;
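Review bot: The length expression `sizeof(struct smb2_ea_info) + eabuf->EaNameLength + 1 + le16_to_cpu(eabuf->EaValueLength)` is now written out twice in smb2_set_ea(), once before the loop and once after `next:`, and both copies had to be corrected together. Folding it into one small static helper that takes `eabuf` and returns the required size would keep the two checks from drifting apart again. The first check also reads `eabuf->EaNameLength` and `eabuf->EaValueLength` before anything visible in this hunk confirms `buf_len >= sizeof(struct smb2_ea_info)`; if no caller guarantees that, the header-size test should come first. smb2_set_ea() starts and ends outside the hunk.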
diff --git a/queue-6.18/ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch b/queue-6.18/ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch
new file mode 100644 (file)
index 0000000..7a46838
--- /dev/null
@@ -0,0 +1,39 @@
+From cafb57f7bdd57abba87725eb4e82bbdca4959644 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sun, 14 Dec 2025 15:05:56 +0900
+Subject: ksmbd: Fix refcount leak when invalid session is found on session lookup
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit cafb57f7bdd57abba87725eb4e82bbdca4959644 upstream.
+
+When a session is found but its state is not SMB2_SESSION_VALID, It
+indicates that no valid session was found, but it is missing to decrement
+the reference count acquired by the session lookup, which results in
+a reference count leak. This patch fixes the issue by explicitly calling
+ksmbd_user_session_put to release the reference to the session.
+
+Cc: stable@vger.kernel.org
+Reported-by: Alexandre <roger.andersen@protonmail.com>
+Reported-by: Stanislas Polu <spolu@dust.tt>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/mgmt/user_session.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -325,8 +325,10 @@ struct ksmbd_session *ksmbd_session_look
+       sess = ksmbd_session_lookup(conn, id);
+       if (!sess && conn->binding)
+               sess = ksmbd_session_lookup_slowpath(id);
+-      if (sess && sess->state != SMB2_SESSION_VALID)
++      if (sess && sess->state != SMB2_SESSION_VALID) {
++              ksmbd_user_session_put(sess);
+               sess = NULL;
++      }
+       return sess;
+ }
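Review bot: Nothing at ksmbd_session_lookup_all() states that a non-NULL return carries a reference the caller has to drop, which is the contract the new `ksmbd_user_session_put(sess)` in the invalid-state branch depends on. The commit message says the lookup acquires that reference; the two lookup helpers are outside the hunk, so this is inferred rather than visible. A short comment above the function would make the ownership rule explicit, for example `/* Returns a referenced session or NULL; the caller must call ksmbd_user_session_put(). */`. The function starts before the hunk, so the comment belongs on its signature outside the shown context.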
diff --git a/queue-6.18/ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch b/queue-6.18/ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch
new file mode 100644 (file)
index 0000000..8e3e0c4
--- /dev/null
@@ -0,0 +1,45 @@
+From 5d510ac31626ed157d2182149559430350cf2104 Mon Sep 17 00:00:00 2001
+From: Qianchang Zhao <pioooooooooip@gmail.com>
+Date: Sun, 9 Nov 2025 10:00:55 +0900
+Subject: ksmbd: skip lock-range check on equal size to avoid size==0 underflow
+
+From: Qianchang Zhao <pioooooooooip@gmail.com>
+
+commit 5d510ac31626ed157d2182149559430350cf2104 upstream.
+
+When size equals the current i_size (including 0), the code used to call
+check_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1`
+and can underflow for size==0. Skip the equal case.
+
+Cc: stable@vger.kernel.org
+Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
+Reported-by: Zhitong Liu <liuzhitong1993@gmail.com>
+Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/vfs.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -324,6 +324,9 @@ static int check_lock_range(struct file
+       struct file_lock_context *ctx = locks_inode_context(file_inode(filp));
+       int error = 0;
++      if (start == end)
++              return 0;
++
+       if (!ctx || list_empty_careful(&ctx->flc_posix))
+               return 0;
+@@ -828,7 +831,7 @@ int ksmbd_vfs_truncate(struct ksmbd_work
+               if (size < inode->i_size) {
+                       err = check_lock_range(filp, size,
+                                              inode->i_size - 1, WRITE);
+-              } else {
++              } else if (size > inode->i_size) {
+                       err = check_lock_range(filp, inode->i_size,
+                                              size - 1, WRITE);
+               }
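Review bot: The `if (start == end) return 0;` added at the top of check_lock_range() also skips a legitimate one-byte range, because the visible callers pass inclusive end offsets (`inode->i_size - 1`, `size - 1`). Shrinking a file by exactly one byte gives start == end and now bypasses the byte-range lock conflict scan; any other caller that passes an inclusive end for a one-byte request would be affected the same way, though those callers are outside the hunk. The second hunk's `else if (size > inode->i_size)` already keeps the size == i_size case (including 0) from reaching `size - 1`, so the early return does not look necessary for the underflow described. If a guard inside check_lock_range() is still wanted, testing for an inverted range is narrower: `if (end < start) return 0;` (assuming start and end are signed offsets, which the truncated signature does not show). Both function bodies continue outside the hunk.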
diff --git a/queue-6.18/mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch b/queue-6.18/mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch
new file mode 100644 (file)
index 0000000..ab7b099
--- /dev/null
@@ -0,0 +1,43 @@
+From d3ecb12e2e04ce53c95f933c462f2d8b150b965b Mon Sep 17 00:00:00 2001
+From: Jared Kangas <jkangas@redhat.com>
+Date: Fri, 12 Dec 2025 07:03:17 -0800
+Subject: mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig
+
+From: Jared Kangas <jkangas@redhat.com>
+
+commit d3ecb12e2e04ce53c95f933c462f2d8b150b965b upstream.
+
+MMC_SDHCI_ESDHC_IMX requires ARCH_MXC despite also being used on
+ARCH_S32, which results in unmet dependencies when compiling strictly
+for ARCH_S32. Resolve this by adding ARCH_S32 as an alternative to
+ARCH_MXC in the driver's dependencies.
+
+Fixes: 5c4f00627c9a ("mmc: sdhci-esdhc-imx: add NXP S32G2 support")
+Cc: stable@bvger.kernel.org
+Signed-off-by: Jared Kangas <jkangas@redhat.com>
+Reviewed-by: Haibo Chen <haibo.chen@nxp.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/Kconfig |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/Kconfig
++++ b/drivers/mmc/host/Kconfig
+@@ -315,14 +315,14 @@ config MMC_SDHCI_ESDHC_MCF
+ config MMC_SDHCI_ESDHC_IMX
+       tristate "SDHCI support for the Freescale eSDHC/uSDHC i.MX controller"
+-      depends on ARCH_MXC || COMPILE_TEST
++      depends on ARCH_MXC || ARCH_S32 || COMPILE_TEST
+       depends on MMC_SDHCI_PLTFM
+       depends on OF
+       select MMC_SDHCI_IO_ACCESSORS
+       select MMC_CQHCI
+       help
+         This selects the Freescale eSDHC/uSDHC controller support
+-        found on i.MX25, i.MX35 i.MX5x and i.MX6x.
++        found on i.MX25, i.MX35, i.MX5x, i.MX6x, and S32G.
+         If you have a controller with this interface, say Y or M here.
diff --git a/queue-6.18/mmc-sdhci-of-arasan-increase-cd-stable-timeout-to-2-seconds.patch b/queue-6.18/mmc-sdhci-of-arasan-increase-cd-stable-timeout-to-2-seconds.patch
new file mode 100644 (file)
index 0000000..301e965
--- /dev/null
@@ -0,0 +1,36 @@
+From a9c4c9085ec8ce3ce01be21b75184789e74f5f19 Mon Sep 17 00:00:00 2001
+From: Sai Krishna Potthuri <sai.krishna.potthuri@amd.com>
+Date: Fri, 12 Dec 2025 12:05:09 +0530
+Subject: mmc: sdhci-of-arasan: Increase CD stable timeout to 2 seconds
+
+From: Sai Krishna Potthuri <sai.krishna.potthuri@amd.com>
+
+commit a9c4c9085ec8ce3ce01be21b75184789e74f5f19 upstream.
+
+On Xilinx/AMD platforms, the CD stable bit take slightly longer than
+one second(about an additional 100ms) to assert after a host
+controller reset. Although no functional failure observed with the
+existing one second delay but to ensure reliable initialization, increase
+the CD stable timeout to 2 seconds.
+
+Fixes: e251709aaddb ("mmc: sdhci-of-arasan: Ensure CD logic stabilization before power-up")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sai Krishna Potthuri <sai.krishna.potthuri@amd.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-of-arasan.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-of-arasan.c
++++ b/drivers/mmc/host/sdhci-of-arasan.c
+@@ -99,7 +99,7 @@
+ #define HIWORD_UPDATE(val, mask, shift) \
+               ((val) << (shift) | (mask) << ((shift) + 16))
+-#define CD_STABLE_TIMEOUT_US          1000000
++#define CD_STABLE_TIMEOUT_US          2000000
+ #define CD_STABLE_MAX_SLEEP_US                10
+ /**
diff --git a/queue-6.18/net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch b/queue-6.18/net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch
new file mode 100644 (file)
index 0000000..bc5e3c8
--- /dev/null
@@ -0,0 +1,85 @@
+From 188e0fa5a679570ea35474575e724d8211423d17 Mon Sep 17 00:00:00 2001
+From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+Date: Sat, 29 Nov 2025 15:07:18 +0530
+Subject: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
+
+From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+
+commit 188e0fa5a679570ea35474575e724d8211423d17 upstream.
+
+prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std
+but doesn't check if the allocation failed. If __pskb_copy() returns
+NULL, skb_clone() is called with a NULL pointer, causing a crash:
+
+Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI
+KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
+CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041
+Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c
+RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207
+RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480
+RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000
+RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee
+R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000
+R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00
+FS:  0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0
+Call Trace:
+ <TASK>
+ hsr_forward_do net/hsr/hsr_forward.c:-1 [inline]
+ hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741
+ hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84
+ __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966
+ __netif_receive_skb_one_core net/core/dev.c:6077 [inline]
+ __netif_receive_skb+0x72/0x380 net/core/dev.c:6192
+ netif_receive_skb_internal net/core/dev.c:6278 [inline]
+ netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337
+ tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485
+ tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953
+ tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x5c9/0xb30 fs/read_write.c:686
+ ksys_write+0x145/0x250 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f0449f8e1ff
+Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
+RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff
+RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8
+RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000
+R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001
+R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003
+ </TASK>
+
+Add a NULL check immediately after __pskb_copy() to handle allocation
+failures gracefully.
+
+Reported-by: syzbot+2fa344348a579b779e05@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2fa344348a579b779e05
+Fixes: f266a683a480 ("net/hsr: Better frame dispatch")
+Cc: stable@vger.kernel.org
+Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+Reviewed-by: Felix Maurer <fmaurer@redhat.com>
+Tested-by: Felix Maurer <fmaurer@redhat.com>
+Link: https://patch.msgid.link/20251129093718.25320-1-ssrane_b23@ee.vjti.ac.in
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/hsr/hsr_forward.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/hsr/hsr_forward.c
++++ b/net/hsr/hsr_forward.c
+@@ -205,6 +205,8 @@ struct sk_buff *prp_get_untagged_frame(s
+                               __pskb_copy(frame->skb_prp,
+                                           skb_headroom(frame->skb_prp),
+                                           GFP_ATOMIC);
++                      if (!frame->skb_std)
++                              return NULL;
+               } else {
+                       /* Unexpected */
+                       WARN_ONCE(1, "%s:%d: Unexpected frame received (port_src %s)\n",
diff --git a/queue-6.18/platform-x86-intel_pmc_ipc-fix-acpi-buffer-memory-leak.patch b/queue-6.18/platform-x86-intel_pmc_ipc-fix-acpi-buffer-memory-leak.patch
new file mode 100644 (file)
index 0000000..678b14f
--- /dev/null
@@ -0,0 +1,82 @@
+From 611cf41ef6ac8301d23daadd8e78b013db0c5071 Mon Sep 17 00:00:00 2001
+From: Yongxin Liu <yongxin.liu@windriver.com>
+Date: Fri, 28 Nov 2025 18:24:38 +0800
+Subject: platform/x86: intel_pmc_ipc: fix ACPI buffer memory leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yongxin Liu <yongxin.liu@windriver.com>
+
+commit 611cf41ef6ac8301d23daadd8e78b013db0c5071 upstream.
+
+The intel_pmc_ipc() function uses ACPI_ALLOCATE_BUFFER to allocate memory
+for the ACPI evaluation result but never frees it, causing a 192-byte
+memory leak on each call.
+
+This leak is triggered during network interface initialization when the
+stmmac driver calls intel_mac_finish() -> intel_pmc_ipc().
+
+  unreferenced object 0xffff96a848d6ea80 (size 192):
+    comm "dhcpcd", pid 541, jiffies 4294684345
+    hex dump (first 32 bytes):
+      04 00 00 00 05 00 00 00 98 ea d6 48 a8 96 ff ff  ...........H....
+      00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
+    backtrace (crc b1564374):
+      kmemleak_alloc+0x2d/0x40
+      __kmalloc_noprof+0x2fa/0x730
+      acpi_ut_initialize_buffer+0x83/0xc0
+      acpi_evaluate_object+0x29a/0x2f0
+      intel_pmc_ipc+0xfd/0x170
+      intel_mac_finish+0x168/0x230
+      stmmac_mac_finish+0x3d/0x50
+      phylink_major_config+0x22b/0x5b0
+      phylink_mac_initial_config.constprop.0+0xf1/0x1b0
+      phylink_start+0x8e/0x210
+      __stmmac_open+0x12c/0x2b0
+      stmmac_open+0x23c/0x380
+      __dev_open+0x11d/0x2c0
+      __dev_change_flags+0x1d2/0x250
+      netif_change_flags+0x2b/0x70
+      dev_change_flags+0x40/0xb0
+
+Add __free(kfree) for ACPI object to properly release the allocated buffer.
+
+Cc: stable@vger.kernel.org
+Fixes: 7e2f7e25f6ff ("arch: x86: add IPC mailbox accessor function and add SoC register access")
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+Link: https://patch.msgid.link/20251128102437.3412891-2-yongxin.liu@windriver.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/platform_data/x86/intel_pmc_ipc.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/platform_data/x86/intel_pmc_ipc.h
++++ b/include/linux/platform_data/x86/intel_pmc_ipc.h
+@@ -9,6 +9,7 @@
+ #ifndef INTEL_PMC_IPC_H
+ #define INTEL_PMC_IPC_H
+ #include <linux/acpi.h>
++#include <linux/cleanup.h>
+ #define IPC_SOC_REGISTER_ACCESS                       0xAA
+ #define IPC_SOC_SUB_CMD_READ                  0x00
+@@ -48,7 +49,6 @@ static inline int intel_pmc_ipc(struct p
+               {.type = ACPI_TYPE_INTEGER,},
+       };
+       struct acpi_object_list arg_list = { PMC_IPCS_PARAM_COUNT, params };
+-      union acpi_object *obj;
+       int status;
+       if (!ipc_cmd || !rbuf)
+@@ -72,7 +72,7 @@ static inline int intel_pmc_ipc(struct p
+       if (ACPI_FAILURE(status))
+               return -ENODEV;
+-      obj = buffer.pointer;
++      union acpi_object *obj __free(kfree) = buffer.pointer;
+       if (obj && obj->type == ACPI_TYPE_PACKAGE &&
+           obj->package.count == VALID_IPC_RESPONSE) {
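Review bot: The new `union acpi_object *obj __free(kfree) = buffer.pointer;` has no comment saying who allocated the buffer or when it is released, while the code that follows reads through obj. Per the commit message the memory comes from ACPI_ALLOCATE_BUFFER; with scope-based cleanup it is freed on every return after this line, so values have to be copied out of the package before returning and never kept by pointer. A one-line comment would record that: `/* ACPICA-allocated result; freed automatically when obj leaves scope */`. The body of intel_pmc_ipc() continues outside the hunk, so whether the remaining code only copies integers out cannot be confirmed from here.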
index b7fb8e0c5bdfa2af1cf355a866f4b11a7bda5029..50425919e7fdffb14765ed2df6a41615549cbc57 100644 (file)
@@ -140,3 +140,26 @@ drm-xe-oa-always-set-oag_oaglbctxctrl_counter_resume.patch
 amd-iommu-preserve-domain-ids-inside-the-kdump-kerne.patch
 arm64-dts-mediatek-apply-mt8395-radxa-dt-overlay-at-.patch
 hwmon-ltc4282-fix-reset_history-file-permissions.patch
+ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch
+ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch
+ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch
+hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
+input-apple_z2-fix-reading-incorrect-reports-after-exiting-sleep.patch
+input-xpad-add-support-for-crkd-guitars.patch
+input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
+input-lkkbd-disable-pending-work-before-freeing-device.patch
+input-alps-fix-use-after-free-bugs-caused-by-dev3_register_work.patch
+input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
+xfs-don-t-leak-a-locked-dquot-when-xfs_dquot_attach_buf-fails.patch
+can-gs_usb-gs_can_open-fix-error-handling.patch
+soc-tegra-fuse-do-not-register-soc-device-on-acpi-boot.patch
+platform-x86-intel_pmc_ipc-fix-acpi-buffer-memory-leak.patch
+acpi-pcc-fix-race-condition-by-removing-static-qualifier.patch
+acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch
+spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch
+mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch
+mmc-sdhci-of-arasan-increase-cd-stable-timeout-to-2-seconds.patch
+dt-bindings-mmc-sdhci-of-aspeed-switch-ref-to-sdhci-common.yaml.patch
+net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch
+x86-bug-fix-old-gcc-compile-fails.patch
+x86-msi-make-irq_retrigger-functional-for-posted-msi.patch
diff --git a/queue-6.18/soc-tegra-fuse-do-not-register-soc-device-on-acpi-boot.patch b/queue-6.18/soc-tegra-fuse-do-not-register-soc-device-on-acpi-boot.patch
new file mode 100644 (file)
index 0000000..0dfe845
--- /dev/null
@@ -0,0 +1,37 @@
+From c87f820bc4748fdd4d50969e8930cd88d1b61582 Mon Sep 17 00:00:00 2001
+From: Kartik Rajput <kkartik@nvidia.com>
+Date: Wed, 8 Oct 2025 16:46:18 +0530
+Subject: soc/tegra: fuse: Do not register SoC device on ACPI boot
+
+From: Kartik Rajput <kkartik@nvidia.com>
+
+commit c87f820bc4748fdd4d50969e8930cd88d1b61582 upstream.
+
+On Tegra platforms using ACPI, the SMCCC driver already registers the
+SoC device. This makes the registration performed by the Tegra fuse
+driver redundant.
+
+When booted via ACPI, skip registering the SoC device and suppress
+printing SKU information from the Tegra fuse driver, as this information
+is already provided by the SMCCC driver.
+
+Fixes: 972167c69080 ("soc/tegra: fuse: Add ACPI support for Tegra194 and Tegra234")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kartik Rajput <kkartik@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/tegra/fuse/fuse-tegra.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/soc/tegra/fuse/fuse-tegra.c
++++ b/drivers/soc/tegra/fuse/fuse-tegra.c
+@@ -182,8 +182,6 @@ static int tegra_fuse_probe(struct platf
+               }
+               fuse->soc->init(fuse);
+-              tegra_fuse_print_sku_info(&tegra_sku_info);
+-              tegra_soc_device_register();
+               err = tegra_fuse_add_lookups(fuse);
+               if (err)
diff --git a/queue-6.18/spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch b/queue-6.18/spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch
new file mode 100644 (file)
index 0000000..1975a46
--- /dev/null
@@ -0,0 +1,46 @@
+From 1417927df8049a0194933861e9b098669a95c762 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+Date: Thu, 20 Nov 2025 09:34:49 +0100
+Subject: spi: fsl-cpm: Check length parity before switching to 16 bit mode
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+commit 1417927df8049a0194933861e9b098669a95c762 upstream.
+
+Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers
+with even size") failed to make sure that the size is really even
+before switching to 16 bit mode. Until recently the problem went
+unnoticed because kernfs uses a pre-allocated bounce buffer of size
+PAGE_SIZE for reading EEPROM.
+
+But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API")
+introduced an additional dynamically allocated bounce buffer whose size
+is exactly the size of the transfer, leading to a buffer overrun in
+the fsl-cpm driver when that size is odd.
+
+Add the missing length parity verification and remain in 8 bit mode
+when the length is not even.
+
+Fixes: fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size")
+Cc: stable@vger.kernel.org
+Closes: https://lore.kernel.org/all/638496dd-ec60-4e53-bad7-eb657f67d580@csgroup.eu/
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Reviewed-by: Sverdlin Alexander <alexander.sverdlin@siemens.com>
+Link: https://patch.msgid.link/3c4d81c3923c93f95ec56702a454744a4bad3cfc.1763627618.git.christophe.leroy@csgroup.eu
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-fsl-spi.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-fsl-spi.c
++++ b/drivers/spi/spi-fsl-spi.c
+@@ -335,7 +335,7 @@ static int fsl_spi_prepare_message(struc
+                       if (t->bits_per_word == 16 || t->bits_per_word == 32)
+                               t->bits_per_word = 8; /* pretend its 8 bits */
+                       if (t->bits_per_word == 8 && t->len >= 256 &&
+-                          (mpc8xxx_spi->flags & SPI_CPM1))
++                          !(t->len & 1) && (mpc8xxx_spi->flags & SPI_CPM1))
+                               t->bits_per_word = 16;
+               }
+       }
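Review bot: The added `!(t->len & 1)` term carries a memory-safety constraint that the code itself does not explain: per the commit message, 16-bit mode with an odd length overruns a bounce buffer sized exactly to the transfer. A comment above the condition would keep a later cleanup from dropping the parity test, for example `/* 16-bit mode needs an even length; an odd len would overrun an exact-size buffer */`. fsl_spi_prepare_message() starts before the hunk and the surrounding loop is only partly visible.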
diff --git a/queue-6.18/x86-bug-fix-old-gcc-compile-fails.patch b/queue-6.18/x86-bug-fix-old-gcc-compile-fails.patch
new file mode 100644 (file)
index 0000000..d44e1b4
--- /dev/null
@@ -0,0 +1,43 @@
+From c56a12c71ad38f381105f6e5036dede64ad2dfee Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 18 Dec 2025 11:47:38 +0100
+Subject: x86/bug: Fix old GCC compile fails
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit c56a12c71ad38f381105f6e5036dede64ad2dfee upstream.
+
+For some mysterious reasons the GCC 8 and 9 preprocessor manages to
+sporadically fumble _ASM_BYTES(0x0f, 0x0b):
+
+$ grep ".byte[ ]*0x0f" defconfig-build/drivers/net/wireless/realtek/rtlwifi/base.s
+        1:       .byte0x0f,0x0b ;
+        1:       .byte 0x0f,0x0b ;
+
+which makes the assembler upset and all that. While there are more
+_ASM_BYTES() users (notably the NOP instructions), those don't seem
+affected. Therefore replace the offending ASM_UD2 with one using the
+ud2 mnemonic.
+
+Reported-by: Jean Delvare <jdelvare@suse.de>
+Suggested-by: Uros Bizjak <ubizjak@gmail.com>
+Fixes: 85a2d4a890dc ("x86,ibt: Use UDB instead of 0xEA")
+Cc: stable@kernel.org
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://patch.msgid.link/20251218104659.GT3911114@noisy.programming.kicks-ass.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/bug.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/bug.h
++++ b/arch/x86/include/asm/bug.h
+@@ -10,7 +10,7 @@
+ /*
+  * Despite that some emulators terminate on UD2, we use it for WARN().
+  */
+-#define ASM_UD2               _ASM_BYTES(0x0f, 0x0b)
++#define ASM_UD2               __ASM_FORM(ud2)
+ #define INSN_UD2      0x0b0f
+ #define LEN_UD2               2
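Review bot: The existing comment above ASM_UD2 does not say why the mnemonic form is used instead of `_ASM_BYTES(0x0f, 0x0b)`, so the new definition reads as a style choice that a later cleanup could revert. `INSN_UD2` and `LEN_UD2` on the following lines stay hard-coded to the same two-byte encoding, so it helps to say that all three describe one instruction. Suggested addition to the comment block: `* Use the ud2 mnemonic: GCC 8/9 sporadically emit a malformed .byte for _ASM_BYTES().`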
diff --git a/queue-6.18/x86-msi-make-irq_retrigger-functional-for-posted-msi.patch b/queue-6.18/x86-msi-make-irq_retrigger-functional-for-posted-msi.patch
new file mode 100644 (file)
index 0000000..5360f02
--- /dev/null
@@ -0,0 +1,155 @@
+From 0edc78b82bea85e1b2165d8e870a5c3535919695 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue, 25 Nov 2025 22:50:45 +0100
+Subject: x86/msi: Make irq_retrigger() functional for posted MSI
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 0edc78b82bea85e1b2165d8e870a5c3535919695 upstream.
+
+Luigi reported that retriggering a posted MSI interrupt does not work
+correctly.
+
+The reason is that the retrigger happens at the vector domain by sending an
+IPI to the actual vector on the target CPU. That works correctly exactly
+once because the posted MSI interrupt chip does not issue an EOI as that's
+only required for the posted MSI notification vector itself.
+
+As a consequence the vector becomes stale in the ISR, which not only
+affects this vector but also any lower priority vector in the affected
+APIC because the ISR bit is not cleared.
+
+Luigi proposed to set the vector in the remap PIR bitmap and raise the
+posted MSI notification vector. That works, but that still does not cure a
+related problem:
+
+  If there is ever a stray interrupt on such a vector, then the related
+  APIC ISR bit becomes stale due to the lack of EOI as described above.
+  Unlikely to happen, but if it happens it's not debuggable at all.
+
+So instead of playing games with the PIR, this can be actually solved
+for both cases by:
+
+ 1) Keeping track of the posted interrupt vector handler state
+
+ 2) Implementing a posted MSI specific irq_ack() callback which checks that
+    state. If the posted vector handler is inactive it issues an EOI,
+    otherwise it delegates that to the posted handler.
+
+This is correct versus affinity changes and concurrent events on the posted
+vector as the actual handler invocation is serialized through the interrupt
+descriptor lock.
+
+Fixes: ed1e48ea4370 ("iommu/vt-d: Enable posted mode for device MSIs")
+Reported-by: Luigi Rizzo <lrizzo@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Luigi Rizzo <lrizzo@google.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251125214631.044440658@linutronix.de
+Closes: https://lore.kernel.org/lkml/20251124104836.3685533-1-lrizzo@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/irq_remapping.h |    7 +++++++
+ arch/x86/kernel/irq.c                |   23 +++++++++++++++++++++++
+ drivers/iommu/intel/irq_remapping.c  |    8 ++++----
+ 3 files changed, 34 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/include/asm/irq_remapping.h
++++ b/arch/x86/include/asm/irq_remapping.h
+@@ -87,4 +87,11 @@ static inline void panic_if_irq_remap(co
+ }
+ #endif /* CONFIG_IRQ_REMAP */
++
++#ifdef CONFIG_X86_POSTED_MSI
++void intel_ack_posted_msi_irq(struct irq_data *irqd);
++#else
++#define intel_ack_posted_msi_irq      NULL
++#endif
++
+ #endif /* __X86_IRQ_REMAPPING_H */
+--- a/arch/x86/kernel/irq.c
++++ b/arch/x86/kernel/irq.c
+@@ -396,6 +396,7 @@ DEFINE_IDTENTRY_SYSVEC_SIMPLE(sysvec_kvm
+ /* Posted Interrupt Descriptors for coalesced MSIs to be posted */
+ DEFINE_PER_CPU_ALIGNED(struct pi_desc, posted_msi_pi_desc);
++static DEFINE_PER_CPU_CACHE_HOT(bool, posted_msi_handler_active);
+ void intel_posted_msi_init(void)
+ {
+@@ -413,6 +414,25 @@ void intel_posted_msi_init(void)
+       this_cpu_write(posted_msi_pi_desc.ndst, destination);
+ }
++void intel_ack_posted_msi_irq(struct irq_data *irqd)
++{
++      irq_move_irq(irqd);
++
++      /*
++       * Handle the rare case that irq_retrigger() raised the actual
++       * assigned vector on the target CPU, which means that it was not
++       * invoked via the posted MSI handler below. In that case APIC EOI
++       * is required as otherwise the ISR entry becomes stale and lower
++       * priority interrupts are never going to be delivered after that.
++       *
++       * If the posted handler invoked the device interrupt handler then
++       * the EOI would be premature because it would acknowledge the
++       * posted vector.
++       */
++      if (unlikely(!__this_cpu_read(posted_msi_handler_active)))
++              apic_eoi();
++}
++
+ static __always_inline bool handle_pending_pir(unsigned long *pir, struct pt_regs *regs)
+ {
+       unsigned long pir_copy[NR_PIR_WORDS];
+@@ -445,6 +465,8 @@ DEFINE_IDTENTRY_SYSVEC(sysvec_posted_msi
+       pid = this_cpu_ptr(&posted_msi_pi_desc);
++      /* Mark the handler active for intel_ack_posted_msi_irq() */
++      __this_cpu_write(posted_msi_handler_active, true);
+       inc_irq_stat(posted_msi_notification_count);
+       irq_enter();
+@@ -473,6 +495,7 @@ DEFINE_IDTENTRY_SYSVEC(sysvec_posted_msi
+       apic_eoi();
+       irq_exit();
++      __this_cpu_write(posted_msi_handler_active, false);
+       set_irq_regs(old_regs);
+ }
+ #endif /* X86_POSTED_MSI */
+--- a/drivers/iommu/intel/irq_remapping.c
++++ b/drivers/iommu/intel/irq_remapping.c
+@@ -1303,17 +1303,17 @@ static struct irq_chip intel_ir_chip = {
+  *    irq_enter();
+  *            handle_edge_irq()
+  *                    irq_chip_ack_parent()
+- *                            irq_move_irq(); // No EOI
++ *                            intel_ack_posted_msi_irq(); // No EOI
+  *                    handle_irq_event()
+  *                            driver_handler()
+  *            handle_edge_irq()
+  *                    irq_chip_ack_parent()
+- *                            irq_move_irq(); // No EOI
++ *                            intel_ack_posted_msi_irq(); // No EOI
+  *                    handle_irq_event()
+  *                            driver_handler()
+  *            handle_edge_irq()
+  *                    irq_chip_ack_parent()
+- *                            irq_move_irq(); // No EOI
++ *                            intel_ack_posted_msi_irq(); // No EOI
+  *                    handle_irq_event()
+  *                            driver_handler()
+  *    apic_eoi()
+@@ -1322,7 +1322,7 @@ static struct irq_chip intel_ir_chip = {
+  */
+ static struct irq_chip intel_ir_chip_post_msi = {
+       .name                   = "INTEL-IR-POST",
+-      .irq_ack                = irq_move_irq,
++      .irq_ack                = intel_ack_posted_msi_irq,
+       .irq_set_affinity       = intel_ir_set_affinity,
+       .irq_compose_msi_msg    = intel_ir_compose_msi_msg,
+       .irq_set_vcpu_affinity  = intel_ir_set_vcpu_affinity,
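Review bot: With CONFIG_X86_POSTED_MSI disabled, `#define intel_ack_posted_msi_irq NULL` turns `.irq_ack` of intel_ir_chip_post_msi into a NULL pointer, where it was `irq_move_irq` before. The flow comment in irq_remapping.c shows the ack being reached through handle_edge_irq() and irq_chip_ack_parent(); if those invoke the callback without a NULL test (they are not visible here), any path that installs this chip in a non-posted build would dereference NULL. The chip is presumably never installed in that configuration, but that guarantee lives outside these hunks, so a comment next to the define would state it, e.g. `/* intel_ir_chip_post_msi is only used when posted MSI is enabled */`. The three `// No EOI` annotations in the flow comment are also now true only for the posted-handler path, since the new callback issues an EOI when the handler is inactive.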
diff --git a/queue-6.18/xfs-don-t-leak-a-locked-dquot-when-xfs_dquot_attach_buf-fails.patch b/queue-6.18/xfs-don-t-leak-a-locked-dquot-when-xfs_dquot_attach_buf-fails.patch
new file mode 100644 (file)
index 0000000..8a08760
--- /dev/null
@@ -0,0 +1,47 @@
+From 204c8f77e8d4a3006f8abe40331f221a597ce608 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Mon, 10 Nov 2025 14:22:53 +0100
+Subject: xfs: don't leak a locked dquot when xfs_dquot_attach_buf fails
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 204c8f77e8d4a3006f8abe40331f221a597ce608 upstream.
+
+xfs_qm_quotacheck_dqadjust acquired the dquot through xfs_qm_dqget,
+which means it owns a reference and holds q_qlock.  Both need to
+be dropped on an error exit.
+
+Cc: <stable@vger.kernel.org> # v6.13
+Fixes: ca378189fdfa ("xfs: convert quotacheck to attach dquot buffers")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Signed-off-by: Carlos Maiolino <cem@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_qm.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/xfs/xfs_qm.c
++++ b/fs/xfs/xfs_qm.c
+@@ -1318,7 +1318,7 @@ xfs_qm_quotacheck_dqadjust(
+       error = xfs_dquot_attach_buf(NULL, dqp);
+       if (error)
+-              return error;
++              goto out_unlock;
+       trace_xfs_dqadjust(dqp);
+@@ -1348,8 +1348,9 @@ xfs_qm_quotacheck_dqadjust(
+       }
+       dqp->q_flags |= XFS_DQFLAG_DIRTY;
++out_unlock:
+       xfs_qm_dqput(dqp);
+-      return 0;
++      return error;
+ }
+ /*