Fixes for all trees
authorSasha Levin <sashal@kernel.org>
Sun, 2 Nov 2025 23:51:22 +0000 (18:51 -0500)
committerSasha Levin <sashal@kernel.org>
Sun, 2 Nov 2025 23:51:22 +0000 (18:51 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
176 files changed:
queue-5.10/alsa-usb-audio-fix-control-pipe-direction.patch [new file with mode: 0644]
queue-5.10/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch [new file with mode: 0644]
queue-5.10/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch [new file with mode: 0644]
queue-5.10/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch [new file with mode: 0644]
queue-5.10/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-17561 [new file with mode: 0644]
queue-5.10/drm-etnaviv-fix-flush-sequence-logic.patch [new file with mode: 0644]
queue-5.10/drm-msm-a6xx-fix-gmu-firmware-parser.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/usbnet-prevents-free-active-kevent.patch [new file with mode: 0644]
queue-5.10/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch [new file with mode: 0644]
queue-5.15/alsa-usb-audio-fix-control-pipe-direction.patch [new file with mode: 0644]
queue-5.15/bpf-do-not-audit-capability-check-in-do_jit.patch [new file with mode: 0644]
queue-5.15/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch [new file with mode: 0644]
queue-5.15/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch [new file with mode: 0644]
queue-5.15/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch [new file with mode: 0644]
queue-5.15/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-3340 [new file with mode: 0644]
queue-5.15/drm-etnaviv-fix-flush-sequence-logic.patch [new file with mode: 0644]
queue-5.15/drm-msm-a6xx-fix-gmu-firmware-parser.patch [new file with mode: 0644]
queue-5.15/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch [new file with mode: 0644]
queue-5.15/libbpf-normalize-pt_regs_xxx-macro-definitions.patch [new file with mode: 0644]
queue-5.15/net-hns3-return-error-code-when-function-fails.patch [new file with mode: 0644]
queue-5.15/riscv-libbpf-add-risc-v-rv64-support-to-bpf_tracing..patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/usbnet-prevents-free-active-kevent.patch [new file with mode: 0644]
queue-5.15/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch [new file with mode: 0644]
queue-5.4/drm-etnaviv-fix-flush-sequence-logic.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/usbnet-prevents-free-active-kevent.patch [new file with mode: 0644]
queue-5.4/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch [new file with mode: 0644]
queue-6.1/alsa-usb-audio-fix-control-pipe-direction.patch [new file with mode: 0644]
queue-6.1/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch [new file with mode: 0644]
queue-6.1/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch [new file with mode: 0644]
queue-6.1/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch [new file with mode: 0644]
queue-6.1/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch [new file with mode: 0644]
queue-6.1/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch [new file with mode: 0644]
queue-6.1/bluetooth-iso-add-support-for-periodic-adv-reports-p.patch [new file with mode: 0644]
queue-6.1/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch [new file with mode: 0644]
queue-6.1/bpf-do-not-audit-capability-check-in-do_jit.patch [new file with mode: 0644]
queue-6.1/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch [new file with mode: 0644]
queue-6.1/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch [new file with mode: 0644]
queue-6.1/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch [new file with mode: 0644]
queue-6.1/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-16017 [new file with mode: 0644]
queue-6.1/drm-etnaviv-fix-flush-sequence-logic.patch [new file with mode: 0644]
queue-6.1/drm-msm-a6xx-fix-gmu-firmware-parser.patch [new file with mode: 0644]
queue-6.1/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch [new file with mode: 0644]
queue-6.1/net-hns3-return-error-code-when-function-fails.patch [new file with mode: 0644]
queue-6.1/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/usbnet-prevents-free-active-kevent.patch [new file with mode: 0644]
queue-6.1/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch [new file with mode: 0644]
queue-6.12/alsa-usb-audio-fix-control-pipe-direction.patch [new file with mode: 0644]
queue-6.12/asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch [new file with mode: 0644]
queue-6.12/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch [new file with mode: 0644]
queue-6.12/asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch [new file with mode: 0644]
queue-6.12/asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch [new file with mode: 0644]
queue-6.12/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch [new file with mode: 0644]
queue-6.12/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch [new file with mode: 0644]
queue-6.12/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch [new file with mode: 0644]
queue-6.12/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch [new file with mode: 0644]
queue-6.12/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch [new file with mode: 0644]
queue-6.12/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch [new file with mode: 0644]
queue-6.12/bluetooth-iso-fix-bis-connection-dst_type-handling.patch [new file with mode: 0644]
queue-6.12/bluetooth-iso-update-hci_conn_hash_lookup_big-for-br.patch [new file with mode: 0644]
queue-6.12/bpf-do-not-audit-capability-check-in-do_jit.patch [new file with mode: 0644]
queue-6.12/bpf-find-eligible-subprogs-for-private-stack-support.patch [new file with mode: 0644]
queue-6.12/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch [new file with mode: 0644]
queue-6.12/bpf-x86-avoid-repeated-usage-of-bpf_prog-aux-stack_d.patch [new file with mode: 0644]
queue-6.12/crypto-aspeed-fix-double-free-caused-by-devm.patch [new file with mode: 0644]
queue-6.12/dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch [new file with mode: 0644]
queue-6.12/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch [new file with mode: 0644]
queue-6.12/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch [new file with mode: 0644]
queue-6.12/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-18241 [new file with mode: 0644]
queue-6.12/drm-etnaviv-fix-flush-sequence-logic.patch [new file with mode: 0644]
queue-6.12/drm-msm-a6xx-fix-gmu-firmware-parser.patch [new file with mode: 0644]
queue-6.12/drm-radeon-do-not-kfree-devres-managed-rdev.patch [new file with mode: 0644]
queue-6.12/drm-radeon-remove-calls-to-drm_put_dev.patch [new file with mode: 0644]
queue-6.12/kunit-test_dev_action-correctly-cast-priv-pointer-to.patch [new file with mode: 0644]
queue-6.12/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch [new file with mode: 0644]
queue-6.12/net-hns3-return-error-code-when-function-fails.patch [new file with mode: 0644]
queue-6.12/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch [new file with mode: 0644]
queue-6.12/series
queue-6.12/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch [new file with mode: 0644]
queue-6.12/tools-ynl-fix-string-attribute-length-to-include-nul.patch [new file with mode: 0644]
queue-6.12/usbnet-prevents-free-active-kevent.patch [new file with mode: 0644]
queue-6.12/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch [new file with mode: 0644]
queue-6.12/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch [new file with mode: 0644]
queue-6.12/wifi-ath11k-add-support-for-mu-edca.patch [new file with mode: 0644]
queue-6.12/wifi-ath11k-avoid-bit-operation-on-key-flags.patch [new file with mode: 0644]
queue-6.12/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch [new file with mode: 0644]
queue-6.12/wifi-mac80211-don-t-mark-keys-for-inactive-links-as-.patch [new file with mode: 0644]
queue-6.12/wifi-mac80211-fix-key-tailroom-accounting-leak.patch [new file with mode: 0644]
queue-6.17/acpi-mrrm-check-revision-of-mrrm-table.patch [new file with mode: 0644]
queue-6.17/alsa-usb-audio-add-mono-main-switch-to-presonus-s182.patch [new file with mode: 0644]
queue-6.17/alsa-usb-audio-don-t-log-messages-meant-for-1810c-wh.patch [new file with mode: 0644]
queue-6.17/alsa-usb-audio-fix-control-pipe-direction.patch [new file with mode: 0644]
queue-6.17/asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch [new file with mode: 0644]
queue-6.17/asoc-fsl_micfil-correct-the-endian-format-for-dsd.patch [new file with mode: 0644]
queue-6.17/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch [new file with mode: 0644]
queue-6.17/asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch [new file with mode: 0644]
queue-6.17/asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch [new file with mode: 0644]
queue-6.17/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch [new file with mode: 0644]
queue-6.17/asoc-mediatek-fix-double-pm_runtime_disable-in-remov.patch [new file with mode: 0644]
queue-6.17/asoc-soc_sdw_utils-remove-cs42l43-component_name.patch [new file with mode: 0644]
queue-6.17/bluetooth-btintel_pcie-fix-event-packet-loss-issue.patch [new file with mode: 0644]
queue-6.17/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch [new file with mode: 0644]
queue-6.17/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch [new file with mode: 0644]
queue-6.17/bluetooth-hci_conn-fix-connection-cleanup-with-big-w.patch [new file with mode: 0644]
queue-6.17/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch [new file with mode: 0644]
queue-6.17/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch [new file with mode: 0644]
queue-6.17/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch [new file with mode: 0644]
queue-6.17/bluetooth-iso-fix-bis-connection-dst_type-handling.patch [new file with mode: 0644]
queue-6.17/bluetooth-mgmt-fix-crash-in-set_mesh_sync-and-set_me.patch [new file with mode: 0644]
queue-6.17/bpf-conditionally-include-dynptr-copy-kfuncs.patch [new file with mode: 0644]
queue-6.17/bpf-do-not-audit-capability-check-in-do_jit.patch [new file with mode: 0644]
queue-6.17/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch [new file with mode: 0644]
queue-6.17/crypto-aspeed-fix-double-free-caused-by-devm.patch [new file with mode: 0644]
queue-6.17/crypto-s390-phmac-do-not-modify-the-req-nbytes-value.patch [new file with mode: 0644]
queue-6.17/dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch [new file with mode: 0644]
queue-6.17/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch [new file with mode: 0644]
queue-6.17/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch [new file with mode: 0644]
queue-6.17/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-25933 [new file with mode: 0644]
queue-6.17/drm-amdgpu-fix-spdx-header-on-amd_cper.h.patch [new file with mode: 0644]
queue-6.17/drm-amdgpu-fix-spdx-header-on-irqsrcs_vcn_5_0.h.patch [new file with mode: 0644]
queue-6.17/drm-amdgpu-fix-spdx-headers-on-amdgpu_cper.c-h.patch [new file with mode: 0644]
queue-6.17/drm-etnaviv-fix-flush-sequence-logic.patch [new file with mode: 0644]
queue-6.17/drm-msm-a6xx-fix-gmu-firmware-parser.patch [new file with mode: 0644]
queue-6.17/drm-msm-ensure-vm-is-created-in-vm_bind-ioctl.patch [new file with mode: 0644]
queue-6.17/drm-msm-fix-gem-free-for-imported-dma-bufs.patch [new file with mode: 0644]
queue-6.17/drm-msm-make-sure-last_fence-is-always-updated.patch [new file with mode: 0644]
queue-6.17/drm-radeon-do-not-kfree-devres-managed-rdev.patch [new file with mode: 0644]
queue-6.17/drm-radeon-remove-calls-to-drm_put_dev.patch [new file with mode: 0644]
queue-6.17/kunit-test_dev_action-correctly-cast-priv-pointer-to.patch [new file with mode: 0644]
queue-6.17/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch [new file with mode: 0644]
queue-6.17/net-hns3-return-error-code-when-function-fails.patch [new file with mode: 0644]
queue-6.17/nvmet-auth-update-sc_c-in-host-response.patch [new file with mode: 0644]
queue-6.17/scsi-core-fix-the-unit-attention-counter-implementat.patch [new file with mode: 0644]
queue-6.17/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch [new file with mode: 0644]
queue-6.17/series
queue-6.17/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch [new file with mode: 0644]
queue-6.17/tools-ynl-avoid-print_field-when-there-is-no-reply.patch [new file with mode: 0644]
queue-6.17/tools-ynl-fix-string-attribute-length-to-include-nul.patch [new file with mode: 0644]
queue-6.17/usbnet-prevents-free-active-kevent.patch [new file with mode: 0644]
queue-6.17/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch [new file with mode: 0644]
queue-6.17/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch [new file with mode: 0644]
queue-6.17/wifi-ath11k-avoid-bit-operation-on-key-flags.patch [new file with mode: 0644]
queue-6.17/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch [new file with mode: 0644]
queue-6.17/wifi-iwlwifi-fix-potential-use-after-free-in-iwl_mld.patch [new file with mode: 0644]
queue-6.17/wifi-mac80211-fix-key-tailroom-accounting-leak.patch [new file with mode: 0644]
queue-6.17/wifi-mac80211-reset-fils-discovery-and-unsol-probe-r.patch [new file with mode: 0644]
queue-6.17/wifi-nl80211-call-kfree-without-a-null-check.patch [new file with mode: 0644]
queue-6.6/alsa-usb-audio-fix-control-pipe-direction.patch [new file with mode: 0644]
queue-6.6/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch [new file with mode: 0644]
queue-6.6/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch [new file with mode: 0644]
queue-6.6/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch [new file with mode: 0644]
queue-6.6/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch [new file with mode: 0644]
queue-6.6/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch [new file with mode: 0644]
queue-6.6/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch [new file with mode: 0644]
queue-6.6/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch [new file with mode: 0644]
queue-6.6/bpf-do-not-audit-capability-check-in-do_jit.patch [new file with mode: 0644]
queue-6.6/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch [new file with mode: 0644]
queue-6.6/crypto-aspeed-acry-convert-to-platform-remove-callba.patch [new file with mode: 0644]
queue-6.6/crypto-aspeed-fix-double-free-caused-by-devm.patch [new file with mode: 0644]
queue-6.6/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch [new file with mode: 0644]
queue-6.6/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch [new file with mode: 0644]
queue-6.6/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-21603 [new file with mode: 0644]
queue-6.6/drm-etnaviv-fix-flush-sequence-logic.patch [new file with mode: 0644]
queue-6.6/drm-msm-a6xx-fix-gmu-firmware-parser.patch [new file with mode: 0644]
queue-6.6/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch [new file with mode: 0644]
queue-6.6/net-hns3-return-error-code-when-function-fails.patch [new file with mode: 0644]
queue-6.6/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch [new file with mode: 0644]
queue-6.6/series
queue-6.6/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch [new file with mode: 0644]
queue-6.6/usbnet-prevents-free-active-kevent.patch [new file with mode: 0644]
queue-6.6/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch [new file with mode: 0644]
queue-6.6/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch [new file with mode: 0644]
queue-6.6/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch [new file with mode: 0644]

diff --git a/queue-5.10/alsa-usb-audio-fix-control-pipe-direction.patch b/queue-5.10/alsa-usb-audio-fix-control-pipe-direction.patch
new file mode 100644 (file)
index 0000000..3e5fa8e
--- /dev/null
@@ -0,0 +1,37 @@
+From 69842d1b0593be2b1b3ce5288f65d92a185f7c02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 19:18:22 +0200
+Subject: ALSA: usb-audio: fix control pipe direction
+
+From: Roy Vegard Ovesen <roy.vegard.ovesen@gmail.com>
+
+[ Upstream commit 7963891f7c9c6f759cc9ab7da71406b4234f3dd6 ]
+
+Since the requesttype has USB_DIR_OUT the pipe should be
+constructed with usb_sndctrlpipe().
+
+Fixes: 8dc5efe3d17c ("ALSA: usb-audio: Add support for Presonus Studio 1810c")
+Signed-off-by: Roy Vegard Ovesen <roy.vegard.ovesen@gmail.com>
+Link: https://patch.msgid.link/aPPL3tBFE_oU-JHv@ark
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/mixer_s1810c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/mixer_s1810c.c b/sound/usb/mixer_s1810c.c
+index c53a9773f310b..457e07f6fc7c8 100644
+--- a/sound/usb/mixer_s1810c.c
++++ b/sound/usb/mixer_s1810c.c
+@@ -181,7 +181,7 @@ snd_sc1810c_get_status_field(struct usb_device *dev,
+       pkt_out.fields[SC1810C_STATE_F1_IDX] = SC1810C_SET_STATE_F1;
+       pkt_out.fields[SC1810C_STATE_F2_IDX] = SC1810C_SET_STATE_F2;
+-      ret = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0),
++      ret = snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
+                             SC1810C_SET_STATE_REQ,
+                             SC1810C_SET_STATE_REQTYPE,
+                             (*seqnum), 0, &pkt_out, sizeof(pkt_out));
+-- 
+2.51.0
+
diff --git a/queue-5.10/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch b/queue-5.10/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
new file mode 100644 (file)
index 0000000..4512f87
--- /dev/null
@@ -0,0 +1,46 @@
+From 8b51274207f2b4bf202388b221bbe7b0f8a4ef39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 23:33:01 +0530
+Subject: bpf: Sync pending IRQ work before freeing ring buffer
+
+From: Noorain Eqbal <nooraineqbal@gmail.com>
+
+[ Upstream commit 4e9077638301816a7d73fa1e1b4c1db4a7e3b59c ]
+
+Fix a race where irq_work can be queued in bpf_ringbuf_commit()
+but the ring buffer is freed before the work executes.
+In the syzbot reproducer, a BPF program attached to sched_switch
+triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer
+is freed before this work executes, the irq_work thread may accesses
+freed memory.
+Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work
+complete before freeing the buffer.
+
+Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
+Reported-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2617fc732430968b45d2
+Tested-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Signed-off-by: Noorain Eqbal <nooraineqbal@gmail.com>
+Link: https://lore.kernel.org/r/20251020180301.103366-1-nooraineqbal@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/ringbuf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c
+index eac0026e2fa62..12e2aad376cf5 100644
+--- a/kernel/bpf/ringbuf.c
++++ b/kernel/bpf/ringbuf.c
+@@ -203,6 +203,8 @@ static struct bpf_map *ringbuf_map_alloc(union bpf_attr *attr)
+ static void bpf_ringbuf_free(struct bpf_ringbuf *rb)
+ {
++      irq_work_sync(&rb->work);
++
+       /* copy pages pointer and nr_pages to local variable, as we are going
+        * to unmap rb itself with vunmap() below
+        */
+-- 
+2.51.0
+
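Review bot: The added `irq_work_sync(&rb->work)` at the top of bpf_ringbuf_free() carries no comment saying what it waits for, and the only comment visible in the function is about the later vunmap(). I would put `/* drain irq_work queued by bpf_ringbuf_commit(); the work item is embedded in rb, which is unmapped below */` above the call. The sync only waits for work that is already queued, so the fix presumably relies on nothing being able to commit to this ring buffer once the free path runs; that guarantee is outside the hunk and is worth stating in the same comment. The function body continues past the hunk.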
diff --git a/queue-5.10/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch b/queue-5.10/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
new file mode 100644 (file)
index 0000000..ba7c373
--- /dev/null
@@ -0,0 +1,41 @@
+From a68bd094781a5af00d5ef1113cb386defc3f1c25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 14:12:21 +0800
+Subject: drm/amd/pm: fix smu table id bound check issue in
+ smu_cmn_update_table()
+
+From: Yang Wang <kevinyang.wang@amd.com>
+
+[ Upstream commit 238d468d3ed18a324bb9d8c99f18c665dbac0511 ]
+
+'table_index' is a variable defined by the smu driver (kmd)
+'table_id' is a variable defined by the hw smu (pmfw)
+
+This code should use table_index as a bounds check.
+
+Fixes: caad2613dc4bd ("drm/amd/powerplay: move table setting common code to smu_cmn.c")
+Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit fca0c66b22303de0d1d6313059baf4dc960a4753)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+index 92b2ea4c197b8..5219eb685c88e 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+@@ -587,7 +587,7 @@ int smu_cmn_update_table(struct smu_context *smu,
+                                                     table_index);
+       uint32_t table_size;
+       int ret = 0;
+-      if (!table_data || table_id >= SMU_TABLE_COUNT || table_id < 0)
++      if (!table_data || table_index >= SMU_TABLE_COUNT || table_id < 0)
+               return -EINVAL;
+       table_size = smu_table->tables[table_index].size;
+-- 
+2.51.0
+
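Review bot: The corrected guard bounds `table_index` only from above, while the next visible line uses it as an array index in `smu_table->tables[table_index].size`. The parameter list is outside the hunk, so the type of table_index is not visible; if it can be signed, a negative value passes `table_index >= SMU_TABLE_COUNT` and indexes before the array, and adding `table_index < 0 ||` would close that. Since the commit message separates the driver-side table_index from the firmware-side table_id, a short comment such as `/* table_index: driver table slot (array index); table_id: pmfw id from the mapping */` above the check would keep the two from being swapped again.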
diff --git a/queue-5.10/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch b/queue-5.10/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
new file mode 100644 (file)
index 0000000..f880c48
--- /dev/null
@@ -0,0 +1,39 @@
+From 3ade04a214368610e514d4be375695ea12cdfc5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:08:13 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji
+
+From: John Smith <itistotalbotnet@gmail.com>
+
+[ Upstream commit 07a13f913c291d6ec72ee4fc848d13ecfdc0e705 ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18edef19ea44 ("drm/amd/powerplay: implement fw image related smu interface for Fiji.")
+Signed-off-by: John Smith <itistotalbotnet@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit c52238c9fb414555c68340cd80e487d982c1921c)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+index ecb9ee46d6b35..6049edcaf6ce9 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+@@ -2026,7 +2026,7 @@ static int fiji_init_smc_table(struct pp_hwmgr *hwmgr)
+       table->VoltageResponseTime = 0;
+       table->PhaseResponseTime = 0;
+       table->MemoryThermThrottleEnable = 1;
+-      table->PCIeBootLinkLevel = 0;      /* 0:Gen1 1:Gen2 2:Gen3*/
++      table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+       table->PCIeGenInterval = 1;
+       table->VRConfig = 0;
+-- 
+2.51.0
+
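Review bot: The replacement line drops the `/* 0:Gen1 1:Gen2 2:Gen3*/` comment that documented the encoding of PCIeBootLinkLevel, and the new value is narrowed with a bare `(uint8_t)` cast. The commit message describes this as the maximum value from the speed table, but the code assigns `pcie_speed_table.count`; whether the count or the last index is the intended level depends on how the table is populated outside this hunk. A comment such as `/* boot at the highest level in pcie_speed_table, as the other smumgr backends do */` would record the intent. The same applies to the identical change in iceland_init_smc_table() in the -17561 patch, and both function bodies extend beyond their hunks.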
diff --git a/queue-5.10/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-17561 b/queue-5.10/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-17561
new file mode 100644 (file)
index 0000000..f05fd6e
--- /dev/null
@@ -0,0 +1,39 @@
+From bdf240079836f43a580209134af6eedd3bf1ed81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:09:09 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland
+
+From: John Smith <itistotalbotnet@gmail.com>
+
+[ Upstream commit 501672e3c1576aa9a8364144213c77b98a31a42c ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18aafc59b106 ("drm/amd/powerplay: implement fw related smu interface for iceland.")
+Signed-off-by: John Smith <itistotalbotnet@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 92b0a6ae6672857ddeabf892223943d2f0e06c97)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+index 431ad2fd38df1..06d89fafae55b 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+@@ -2028,7 +2028,7 @@ static int iceland_init_smc_table(struct pp_hwmgr *hwmgr)
+       table->VoltageResponseTime  = 0;
+       table->PhaseResponseTime  = 0;
+       table->MemoryThermThrottleEnable  = 1;
+-      table->PCIeBootLinkLevel = 0;
++      table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+       table->PCIeGenInterval = 1;
+       result = iceland_populate_smc_svi2_config(hwmgr, table);
+-- 
+2.51.0
+
diff --git a/queue-5.10/drm-etnaviv-fix-flush-sequence-logic.patch b/queue-5.10/drm-etnaviv-fix-flush-sequence-logic.patch
new file mode 100644 (file)
index 0000000..71d0f83
--- /dev/null
@@ -0,0 +1,46 @@
+From 6f2bd885dfd30c77a79e0b7f1de07c3edd582da1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:37:23 +0200
+Subject: drm/etnaviv: fix flush sequence logic
+
+From: Tomeu Vizoso <tomeu@tomeuvizoso.net>
+
+[ Upstream commit a042beac6e6f8ac1e923784cfff98b47cbabb185 ]
+
+The current logic uses the flush sequence from the current address
+space. This is harmless when deducing the flush requirements for the
+current submit, as either the incoming address space is the same one
+as the currently active one or we switch context, in which case the
+flush is unconditional.
+
+However, this sequence is also stored as the current flush sequence
+of the GPU. If we switch context the stored flush sequence will no
+longer belong to the currently active address space. This incoherency
+can then cause missed flushes, resulting in translation errors.
+
+Fixes: 27b67278e007 ("drm/etnaviv: rework MMU handling")
+Signed-off-by: Tomeu Vizoso <tomeu@tomeuvizoso.net>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Christian Gmeiner <cgmeiner@igalia.com>
+Link: https://lore.kernel.org/r/20251021093723.3887980-1-l.stach@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+index 982174af74b1e..7d897aafb2a6a 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+@@ -346,7 +346,7 @@ void etnaviv_buffer_queue(struct etnaviv_gpu *gpu, u32 exec_state,
+       u32 link_target, link_dwords;
+       bool switch_context = gpu->exec_state != exec_state;
+       bool switch_mmu_context = gpu->mmu_context != mmu_context;
+-      unsigned int new_flush_seq = READ_ONCE(gpu->mmu_context->flush_seq);
++      unsigned int new_flush_seq = READ_ONCE(mmu_context->flush_seq);
+       bool need_flush = switch_mmu_context || gpu->flush_seq != new_flush_seq;
+       bool has_blt = !!(gpu->identity.minor_features5 &
+                         chipMinorFeatures5_BLT_ENGINE);
+-- 
+2.51.0
+
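Review bot: The change from `gpu->mmu_context->flush_seq` to `mmu_context->flush_seq` is easy to revert by accident, because both spellings look right in isolation and nothing on the line says why the incoming context is the correct one. A comment above the declaration, for example `/* sample the incoming context: this value becomes the GPU's stored flush sequence */`, would record the reason given in the commit message. The store to the GPU's flush sequence and the rest of etnaviv_buffer_queue() are outside the hunk, so this rests on the description rather than on visible code.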
diff --git a/queue-5.10/drm-msm-a6xx-fix-gmu-firmware-parser.patch b/queue-5.10/drm-msm-a6xx-fix-gmu-firmware-parser.patch
new file mode 100644 (file)
index 0000000..4717802
--- /dev/null
@@ -0,0 +1,51 @@
+From f3a13384442ec95fe9070cf697ed4c17057ef4c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Sep 2025 02:14:05 +0530
+Subject: drm/msm/a6xx: Fix GMU firmware parser
+
+From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+
+[ Upstream commit b4789aac9d3441d9f830f0a4022d8dc122d6cab3 ]
+
+Current parser logic for GMU firmware assumes a dword aligned payload
+size for every block. This is not true for all GMU firmwares. So, fix
+this by using correct 'size' value in the calculation for the offset
+for the next block's header.
+
+Fixes: c6ed04f856a4 ("drm/msm/a6xx: A640/A650 GMU firmware path")
+Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+Acked-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/674040/
+Message-ID: <20250911-assorted-sept-1-v2-2-a8bf1ee20792@oss.qualcomm.com>
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+index f11da95566dab..e3b36e2373567 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+@@ -666,6 +666,9 @@ static bool fw_block_mem(struct a6xx_gmu_bo *bo, const struct block_header *blk)
+       return true;
+ }
++#define NEXT_BLK(blk) \
++      ((const struct block_header *)((const char *)(blk) + sizeof(*(blk)) + (blk)->size))
++
+ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+ {
+       struct a6xx_gpu *a6xx_gpu = container_of(gmu, struct a6xx_gpu, gmu);
+@@ -696,7 +699,7 @@ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+       for (blk = (const struct block_header *) fw_image->data;
+            (const u8*) blk < fw_image->data + fw_image->size;
+-           blk = (const struct block_header *) &blk->data[blk->size >> 2]) {
++           blk = NEXT_BLK(blk)) {
+               if (blk->size == 0)
+                       continue;
+-- 
+2.51.0
+
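Review bot: The loop in a6xx_gmu_fw_load() still only checks that the start of `blk` lies inside the image, so a header that begins in the last few bytes is read partly out of bounds, and a block whose `size` exceeds the remaining bytes is still handed to the loop body. The firmware blob is external input to this parser, so I would check that both the header and its payload fit before using the block, as sketched below. Because payload sizes no longer need to be dword-aligned, NEXT_BLK() can also yield a `blk` that is misaligned for `struct block_header`; whether that matters on the targeted platforms is not visible here. The loop body and the function's error path are outside the hunk, so the bare `return -EINVAL` may need to become whatever exit the function already uses.

```c
	const u8 *fw_end = fw_image->data + fw_image->size;	/* with the other locals */

	/* … unchanged: setup before the block loop … */
	for (blk = (const struct block_header *) fw_image->data;
	     (const u8*) blk < fw_end;
	     blk = NEXT_BLK(blk)) {
		size_t left = fw_end - (const u8 *) blk;

		/* header and payload must both lie inside the image */
		if (left < sizeof(*blk) || blk->size > left - sizeof(*blk))
			return -EINVAL;

		if (blk->size == 0)
			continue;
```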
index 1c5806a7c4315a08f02ffd31cf348511fc6c26e7..109cdc51bb2ea11853610a79694177c950a0a5d5 100644 (file)
@@ -11,3 +11,12 @@ wifi-brcmfmac-fix-crash-while-sending-action-frames-in-standalone-ap-mode.patch
 fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch
 fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch
 asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch
+wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
+drm-msm-a6xx-fix-gmu-firmware-parser.patch
+alsa-usb-audio-fix-control-pipe-direction.patch
+bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
+usbnet-prevents-free-active-kevent.patch
+drm-etnaviv-fix-flush-sequence-logic.patch
+drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-17561
diff --git a/queue-5.10/usbnet-prevents-free-active-kevent.patch b/queue-5.10/usbnet-prevents-free-active-kevent.patch
new file mode 100644 (file)
index 0000000..9de50a0
--- /dev/null
@@ -0,0 +1,50 @@
+From a960e7881069cce56514de31a22cade9ad7d3cbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 10:40:07 +0800
+Subject: usbnet: Prevents free active kevent
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+[ Upstream commit 420c84c330d1688b8c764479e5738bbdbf0a33de ]
+
+The root cause of this issue are:
+1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
+put the kevent work in global workqueue. However, the kevent has not yet
+been scheduled when the usbnet device is unregistered. Therefore, executing
+free_netdev() results in the "free active object (kevent)" error reported
+here.
+
+2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
+if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
+However, because the device is not up, ndo_stop() is not executed.
+
+The solution to this problem is to cancel the kevent before executing
+free_netdev().
+
+Fixes: a69e617e533e ("usbnet: Fix linkwatch use-after-free on disconnect")
+Reported-by: Sam Sun <samsun1006219@gmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=8bfd7bcc98f7300afb84
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Link: https://patch.msgid.link/20251022024007.1831898-1-lizhi.xu@windriver.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/usbnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index ac439f9ccfd46..9ac9fbdad5c08 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1597,6 +1597,8 @@ void usbnet_disconnect (struct usb_interface *intf)
+       net = dev->net;
+       unregister_netdev (net);
++      cancel_work_sync(&dev->kevent);
++
+       while ((urb = usb_get_from_anchor(&dev->deferred))) {
+               dev_kfree_skb(urb->context);
+               kfree(urb->sg);
+-- 
+2.51.0
+
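Review bot: The added `cancel_work_sync(&dev->kevent);` in usbnet_disconnect() has no comment saying why it is needed on top of the cancel done from ndo_stop(), and its position in the teardown is what makes it safe. I would add `/* kevent can be queued from probe while the netdev was never up, so ndo_stop() did not cancel it */` above the call. Whether anything that runs after this line and before free_netdev() can queue kevent again cannot be told from the hunk and is worth confirming, since that would reopen the free-of-active-work window. usbnet_disconnect() starts and ends outside the hunk.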
diff --git a/queue-5.10/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch b/queue-5.10/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
new file mode 100644 (file)
index 0000000..b89fb51
--- /dev/null
@@ -0,0 +1,41 @@
+From 0728d9f2ad28c837f18ceb8020c09e6fec633198 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Sep 2025 21:56:56 +0200
+Subject: wifi: ath10k: Fix memory leak on unsupported WMI command
+
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+
+[ Upstream commit 2e9c1da4ee9d0acfca2e0a3d78f3d8cb5802da1b ]
+
+ath10k_wmi_cmd_send takes ownership of the passed buffer (skb) and has the
+responsibility to release it in case of error. This patch fixes missing
+free in case of early error due to unhandled WMI command ID.
+
+Tested-on: WCN3990 hw1.0 WLAN.HL.3.3.7.c2-00931-QCAHLSWMTPLZ-1
+
+Fixes: 553215592f14 ("ath10k: warn if give WMI command is not supported")
+Suggested-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250926195656.187970-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index c9a74f3e2e601..6293dbc32bde4 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -1936,6 +1936,7 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id)
+       if (cmd_id == WMI_CMD_UNSUPPORTED) {
+               ath10k_warn(ar, "wmi command %d is not supported by firmware\n",
+                           cmd_id);
++              dev_kfree_skb_any(skb);
+               return ret;
+       }
+-- 
+2.51.0
+
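Review bot: ath10k_wmi_cmd_send() now frees `skb` on the unsupported-command path, but the ownership rule this relies on is stated only in the commit message. A one-line contract comment above the function, e.g. `/* Consumes skb on every return path, including errors; callers must not touch it afterwards */`, would keep a caller from adding its own free and turning the leak fix into a double free. Whether every caller in this tree already treats the skb as consumed on error is not visible here and should be checked for the backport. Separately, `cmd_id` is a `u32` but is printed with `%d` in the warning just above the new line; `%u` matches the type. The function body continues outside the hunk.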
diff --git a/queue-5.15/alsa-usb-audio-fix-control-pipe-direction.patch b/queue-5.15/alsa-usb-audio-fix-control-pipe-direction.patch
new file mode 100644 (file)
index 0000000..5924e7d
--- /dev/null
@@ -0,0 +1,37 @@
+From c2272e83ba24263cd9ac9c49c9ba137548666f83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 19:18:22 +0200
+Subject: ALSA: usb-audio: fix control pipe direction
+
+From: Roy Vegard Ovesen <roy.vegard.ovesen@gmail.com>
+
+[ Upstream commit 7963891f7c9c6f759cc9ab7da71406b4234f3dd6 ]
+
+Since the requesttype has USB_DIR_OUT the pipe should be
+constructed with usb_sndctrlpipe().
+
+Fixes: 8dc5efe3d17c ("ALSA: usb-audio: Add support for Presonus Studio 1810c")
+Signed-off-by: Roy Vegard Ovesen <roy.vegard.ovesen@gmail.com>
+Link: https://patch.msgid.link/aPPL3tBFE_oU-JHv@ark
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/mixer_s1810c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/mixer_s1810c.c b/sound/usb/mixer_s1810c.c
+index 0255089c9efb1..38e56ad857243 100644
+--- a/sound/usb/mixer_s1810c.c
++++ b/sound/usb/mixer_s1810c.c
+@@ -181,7 +181,7 @@ snd_sc1810c_get_status_field(struct usb_device *dev,
+       pkt_out.fields[SC1810C_STATE_F1_IDX] = SC1810C_SET_STATE_F1;
+       pkt_out.fields[SC1810C_STATE_F2_IDX] = SC1810C_SET_STATE_F2;
+-      ret = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0),
++      ret = snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
+                             SC1810C_SET_STATE_REQ,
+                             SC1810C_SET_STATE_REQTYPE,
+                             (*seqnum), 0, &pkt_out, sizeof(pkt_out));
+-- 
+2.51.0
+
diff --git a/queue-5.15/bpf-do-not-audit-capability-check-in-do_jit.patch b/queue-5.15/bpf-do-not-audit-capability-check-in-do_jit.patch
new file mode 100644 (file)
index 0000000..e8f41c9
--- /dev/null
@@ -0,0 +1,50 @@
+From 69755aa5ee728eb7f9a7d72366c36e1c0cea84ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 14:27:58 +0200
+Subject: bpf: Do not audit capability check in do_jit()
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+[ Upstream commit 881a9c9cb7856b24e390fad9f59acfd73b98b3b2 ]
+
+The failure of this check only results in a security mitigation being
+applied, slightly affecting performance of the compiled BPF program. It
+doesn't result in a failed syscall, an thus auditing a failed LSM
+permission check for it is unwanted. For example with SELinux, it causes
+a denial to be reported for confined processes running as root, which
+tends to be flagged as a problem to be fixed in the policy. Yet
+dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
+desirable, as it would allow/silence also other checks - either going
+against the principle of least privilege or making debugging potentially
+harder.
+
+Fix it by changing it from capable() to ns_capable_noaudit(), which
+instructs the LSMs to not audit the resulting denials.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326
+Fixes: d4e89d212d40 ("x86/bpf: Call branch history clearing sequence on exit")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-by: Paul Moore <paul@paul-moore.com>
+Link: https://lore.kernel.org/r/20251021122758.2659513-1-omosnace@redhat.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index 37a005df0b952..4100eed372486 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -1786,7 +1786,7 @@ st:                      if (is_imm8(insn->off))
+                       ctx->cleanup_addr = proglen;
+                       if (bpf_prog_was_classic(bpf_prog) &&
+-                          !capable(CAP_SYS_ADMIN)) {
++                          !ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) {
+                               u8 *ip = image + addrs[i - 1];
+                               if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog))
+-- 
+2.51.0
+
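Review bot: The switch to `ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)` in do_jit() carries no comment, so the reason the check is deliberately unaudited lives only in the commit message. This condition decides whether `emit_spectre_bhb_barrier()` is emitted for classic BPF programs, and a later cleanup that restores `capable()` would bring back the spurious LSM denials without any visible change in behaviour. I would add above the condition: `/* Failing this check only adds the BHB barrier, it is not a denied operation, so keep it out of the audit log */`. do_jit() starts and ends outside the hunk.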
diff --git a/queue-5.15/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch b/queue-5.15/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
new file mode 100644 (file)
index 0000000..8ea97f9
--- /dev/null
@@ -0,0 +1,46 @@
+From 42a36e23d12ed7392671e16dcef48b1715597355 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 23:33:01 +0530
+Subject: bpf: Sync pending IRQ work before freeing ring buffer
+
+From: Noorain Eqbal <nooraineqbal@gmail.com>
+
+[ Upstream commit 4e9077638301816a7d73fa1e1b4c1db4a7e3b59c ]
+
+Fix a race where irq_work can be queued in bpf_ringbuf_commit()
+but the ring buffer is freed before the work executes.
+In the syzbot reproducer, a BPF program attached to sched_switch
+triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer
+is freed before this work executes, the irq_work thread may accesses
+freed memory.
+Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work
+complete before freeing the buffer.
+
+Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
+Reported-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2617fc732430968b45d2
+Tested-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Signed-off-by: Noorain Eqbal <nooraineqbal@gmail.com>
+Link: https://lore.kernel.org/r/20251020180301.103366-1-nooraineqbal@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/ringbuf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c
+index eb6ff0d0c06b6..5798d6dbdcb43 100644
+--- a/kernel/bpf/ringbuf.c
++++ b/kernel/bpf/ringbuf.c
+@@ -184,6 +184,8 @@ static struct bpf_map *ringbuf_map_alloc(union bpf_attr *attr)
+ static void bpf_ringbuf_free(struct bpf_ringbuf *rb)
+ {
++      irq_work_sync(&rb->work);
++
+       /* copy pages pointer and nr_pages to local variable, as we are going
+        * to unmap rb itself with vunmap() below
+        */
+-- 
+2.51.0
+
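Review bot: `irq_work_sync(&rb->work);` at the top of bpf_ringbuf_free() waits for irq_work that is already queued but does nothing to stop new work being queued afterwards, and the hunk does not show what guarantees that. The existing comment below it explains the vunmap() ordering; the new line deserves the same, e.g. `/* wait for irq_work queued by bpf_ringbuf_commit(); nothing may queue rb->work after this point */`. If that guarantee comes from the map no longer being reachable by any program when it is freed, saying so here would make the lifetime rule reviewable. The rest of the function is outside the hunk.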
diff --git a/queue-5.15/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch b/queue-5.15/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
new file mode 100644 (file)
index 0000000..47505ad
--- /dev/null
@@ -0,0 +1,41 @@
+From 8d5d573e066761bf8dcd83418ef0156212f45e91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 14:12:21 +0800
+Subject: drm/amd/pm: fix smu table id bound check issue in
+ smu_cmn_update_table()
+
+From: Yang Wang <kevinyang.wang@amd.com>
+
+[ Upstream commit 238d468d3ed18a324bb9d8c99f18c665dbac0511 ]
+
+'table_index' is a variable defined by the smu driver (kmd)
+'table_id' is a variable defined by the hw smu (pmfw)
+
+This code should use table_index as a bounds check.
+
+Fixes: caad2613dc4bd ("drm/amd/powerplay: move table setting common code to smu_cmn.c")
+Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit fca0c66b22303de0d1d6313059baf4dc960a4753)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+index 843d2cbfc71d4..fbbbea75c52d4 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+@@ -883,7 +883,7 @@ int smu_cmn_update_table(struct smu_context *smu,
+                                                     table_index);
+       uint32_t table_size;
+       int ret = 0;
+-      if (!table_data || table_id >= SMU_TABLE_COUNT || table_id < 0)
++      if (!table_data || table_index >= SMU_TABLE_COUNT || table_id < 0)
+               return -EINVAL;
+       table_size = smu_table->tables[table_index].size;
+-- 
+2.51.0
+
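Review bot: The corrected guard in smu_cmn_update_table() bounds `table_index` only from above, and the very next statement uses it as `smu_table->tables[table_index]`. The declaration of `table_index` is outside the hunk; if its type is signed, a negative value passes `table_index >= SMU_TABLE_COUNT` and indexes before the array, so the lower bound should be covered as well or the type confirmed unsigned. The tail of a call taking `table_index` is also visible in the declarations above the check, which suggests the value is used before it is validated; presumably the callee range-checks it itself, but that is worth confirming. The function starts and ends outside the hunk.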
diff --git a/queue-5.15/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch b/queue-5.15/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
new file mode 100644 (file)
index 0000000..ac84c02
--- /dev/null
@@ -0,0 +1,39 @@
+From 4aa01e2303e1e0b22b34545c164ba36393b296ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:08:13 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji
+
+From: John Smith <itistotalbotnet@gmail.com>
+
+[ Upstream commit 07a13f913c291d6ec72ee4fc848d13ecfdc0e705 ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18edef19ea44 ("drm/amd/powerplay: implement fw image related smu interface for Fiji.")
+Signed-off-by: John Smith <itistotalbotnet@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit c52238c9fb414555c68340cd80e487d982c1921c)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+index 02c094a06605d..50deb4ce767ee 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+@@ -2024,7 +2024,7 @@ static int fiji_init_smc_table(struct pp_hwmgr *hwmgr)
+       table->VoltageResponseTime = 0;
+       table->PhaseResponseTime = 0;
+       table->MemoryThermThrottleEnable = 1;
+-      table->PCIeBootLinkLevel = 0;      /* 0:Gen1 1:Gen2 2:Gen3*/
++      table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+       table->PCIeGenInterval = 1;
+       table->VRConfig = 0;
+-- 
+2.51.0
+
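Review bot: The new `PCIeBootLinkLevel` assignment in fiji_init_smc_table() drops the `/* 0:Gen1 1:Gen2 2:Gen3*/` comment that documented the field's encoding and replaces a constant with `pcie_speed_table.count` narrowed by a `(uint8_t)` cast. Without the encoding note a reader cannot tell from the hunk whether `count` or `count - 1` is the highest valid level, and the cast would silently truncate a count above 255. I would keep the encoding comment and add the reason, e.g. `/* boot at the highest level in the speed table, as the other smumgr implementations do */`. The same applies to the identical assignment in iceland_init_smc_table() in the next patch. Both functions extend beyond their hunks.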
diff --git a/queue-5.15/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-3340 b/queue-5.15/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-3340
new file mode 100644 (file)
index 0000000..9e6dddc
--- /dev/null
@@ -0,0 +1,39 @@
+From 54e8855f0a867a8a2a9d95541864717dfa738901 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:09:09 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland
+
+From: John Smith <itistotalbotnet@gmail.com>
+
+[ Upstream commit 501672e3c1576aa9a8364144213c77b98a31a42c ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18aafc59b106 ("drm/amd/powerplay: implement fw related smu interface for iceland.")
+Signed-off-by: John Smith <itistotalbotnet@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 92b0a6ae6672857ddeabf892223943d2f0e06c97)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+index 03df35dee8ba8..6ddf9ce5471e8 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+@@ -2028,7 +2028,7 @@ static int iceland_init_smc_table(struct pp_hwmgr *hwmgr)
+       table->VoltageResponseTime  = 0;
+       table->PhaseResponseTime  = 0;
+       table->MemoryThermThrottleEnable  = 1;
+-      table->PCIeBootLinkLevel = 0;
++      table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+       table->PCIeGenInterval = 1;
+       result = iceland_populate_smc_svi2_config(hwmgr, table);
+-- 
+2.51.0
+
diff --git a/queue-5.15/drm-etnaviv-fix-flush-sequence-logic.patch b/queue-5.15/drm-etnaviv-fix-flush-sequence-logic.patch
new file mode 100644 (file)
index 0000000..b48b541
--- /dev/null
@@ -0,0 +1,46 @@
+From fb506b6ba8aea2e8cf737fe6bf3e359275bb4ffe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:37:23 +0200
+Subject: drm/etnaviv: fix flush sequence logic
+
+From: Tomeu Vizoso <tomeu@tomeuvizoso.net>
+
+[ Upstream commit a042beac6e6f8ac1e923784cfff98b47cbabb185 ]
+
+The current logic uses the flush sequence from the current address
+space. This is harmless when deducing the flush requirements for the
+current submit, as either the incoming address space is the same one
+as the currently active one or we switch context, in which case the
+flush is unconditional.
+
+However, this sequence is also stored as the current flush sequence
+of the GPU. If we switch context the stored flush sequence will no
+longer belong to the currently active address space. This incoherency
+can then cause missed flushes, resulting in translation errors.
+
+Fixes: 27b67278e007 ("drm/etnaviv: rework MMU handling")
+Signed-off-by: Tomeu Vizoso <tomeu@tomeuvizoso.net>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Christian Gmeiner <cgmeiner@igalia.com>
+Link: https://lore.kernel.org/r/20251021093723.3887980-1-l.stach@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+index 982174af74b1e..7d897aafb2a6a 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+@@ -346,7 +346,7 @@ void etnaviv_buffer_queue(struct etnaviv_gpu *gpu, u32 exec_state,
+       u32 link_target, link_dwords;
+       bool switch_context = gpu->exec_state != exec_state;
+       bool switch_mmu_context = gpu->mmu_context != mmu_context;
+-      unsigned int new_flush_seq = READ_ONCE(gpu->mmu_context->flush_seq);
++      unsigned int new_flush_seq = READ_ONCE(mmu_context->flush_seq);
+       bool need_flush = switch_mmu_context || gpu->flush_seq != new_flush_seq;
+       bool has_blt = !!(gpu->identity.minor_features5 &
+                         chipMinorFeatures5_BLT_ENGINE);
+-- 
+2.51.0
+
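Review bot: In etnaviv_buffer_queue() the fixed line differs from the broken one only by the `gpu->` prefix, and `mmu_context` and `gpu->mmu_context` are compared on the line just above, so the two are easy to mix up again. A short comment on `new_flush_seq` would pin the intent: `/* flush_seq of the incoming context, not of the one currently active on the GPU */`. It is also worth confirming that `mmu_context` can never be NULL here, since the new read dereferences the parameter unconditionally and its validation is not visible in the hunk. The function starts before and continues after the hunk.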
diff --git a/queue-5.15/drm-msm-a6xx-fix-gmu-firmware-parser.patch b/queue-5.15/drm-msm-a6xx-fix-gmu-firmware-parser.patch
new file mode 100644 (file)
index 0000000..8407822
--- /dev/null
@@ -0,0 +1,51 @@
+From bf1c62ce677c941a7734e9246ef5cdc6f2915fb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Sep 2025 02:14:05 +0530
+Subject: drm/msm/a6xx: Fix GMU firmware parser
+
+From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+
+[ Upstream commit b4789aac9d3441d9f830f0a4022d8dc122d6cab3 ]
+
+Current parser logic for GMU firmware assumes a dword aligned payload
+size for every block. This is not true for all GMU firmwares. So, fix
+this by using correct 'size' value in the calculation for the offset
+for the next block's header.
+
+Fixes: c6ed04f856a4 ("drm/msm/a6xx: A640/A650 GMU firmware path")
+Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+Acked-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/674040/
+Message-ID: <20250911-assorted-sept-1-v2-2-a8bf1ee20792@oss.qualcomm.com>
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+index 9215322fc915d..8fa2b9e051002 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+@@ -685,6 +685,9 @@ static bool fw_block_mem(struct a6xx_gmu_bo *bo, const struct block_header *blk)
+       return true;
+ }
++#define NEXT_BLK(blk) \
++      ((const struct block_header *)((const char *)(blk) + sizeof(*(blk)) + (blk)->size))
++
+ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+ {
+       struct a6xx_gpu *a6xx_gpu = container_of(gmu, struct a6xx_gpu, gmu);
+@@ -715,7 +718,7 @@ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+       for (blk = (const struct block_header *) fw_image->data;
+            (const u8*) blk < fw_image->data + fw_image->size;
+-           blk = (const struct block_header *) &blk->data[blk->size >> 2]) {
++           blk = NEXT_BLK(blk)) {
+               if (blk->size == 0)
+                       continue;
+-- 
+2.51.0
+
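Review bot: The loop in a6xx_gmu_fw_load() still only checks that the start of `blk` lies inside the image, so `NEXT_BLK()` and the `blk->size` read trust a length taken from the firmware file. A truncated or malformed image can leave fewer than `sizeof(*blk)` bytes at the tail, or a `size` that reaches past `fw_image->data + fw_image->size`, and the header or payload is then read out of bounds. A per-iteration check such as `size_t left = fw_image->data + fw_image->size - (const u8 *)blk;` followed by `if (left < sizeof(*blk) || blk->size > left - sizeof(*blk))` with an error exit would close that; which cleanup the exit needs is outside the hunk, as is the rest of the function. Because payload sizes are no longer assumed dword aligned, the next header may also sit at an unaligned address, so it is worth confirming that direct `blk->size` loads are acceptable on the targets this driver runs on.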
diff --git a/queue-5.15/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch b/queue-5.15/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
new file mode 100644 (file)
index 0000000..d5961dc
--- /dev/null
@@ -0,0 +1,44 @@
+From 28351691098576795979ab46c2a454864b926b42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 13:36:43 -0700
+Subject: libbpf: Fix powerpc's stack register definition in bpf_tracing.h
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 7221b9caf84b3294688228a19273d74ea19a2ee4 ]
+
+retsnoop's build on powerpc (ppc64le) architecture ([0]) failed due to
+wrong definition of PT_REGS_SP() macro. Looking at powerpc's
+implementation of stack unwinding in perf_callchain_user_64() clearly
+shows that stack pointer register is gpr[1].
+
+Fix libbpf's definition of __PT_SP_REG for powerpc to fix all this.
+
+  [0] https://kojipkgs.fedoraproject.org/work/tasks/1544/137921544/build.log
+
+Fixes: 138d6153a139 ("samples/bpf: Enable powerpc support")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Naveen N Rao (AMD) <naveen@kernel.org>
+Link: https://lore.kernel.org/r/20251020203643.989467-1-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf_tracing.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/bpf_tracing.h b/tools/lib/bpf/bpf_tracing.h
+index 20fe06d0acd98..950ce502d655c 100644
+--- a/tools/lib/bpf/bpf_tracing.h
++++ b/tools/lib/bpf/bpf_tracing.h
+@@ -176,7 +176,7 @@
+ #define __PT_RET_REG regs[31]
+ #define __PT_FP_REG __unsupported__
+ #define __PT_RC_REG gpr[3]
+-#define __PT_SP_REG sp
++#define __PT_SP_REG gpr[1]
+ #define __PT_IP_REG nip
+ #elif defined(bpf_target_sparc)
+-- 
+2.51.0
+
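Review bot: The context line `#define __PT_RET_REG regs[31]` names a `regs[]` member while every other register in this block is spelled `gpr[...]` or `nip`, which looks like the same kind of wrong field name this patch corrects for `__PT_SP_REG`. If powerpc's pt_regs has no `regs` member, PT_REGS_RET() would fail to build the same way PT_REGS_SP() did; the hunk does not show whether anything uses it on powerpc. It is worth checking in the same backport, or marking it `__unsupported__` like `__PT_FP_REG` if it is not meant to work. The architecture block starts outside the hunk.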
diff --git a/queue-5.15/libbpf-normalize-pt_regs_xxx-macro-definitions.patch b/queue-5.15/libbpf-normalize-pt_regs_xxx-macro-definitions.patch
new file mode 100644 (file)
index 0000000..c24405c
--- /dev/null
@@ -0,0 +1,476 @@
+From d679b95488653c60604ac524bf85d47d560071ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 13:39:23 -0800
+Subject: libbpf: Normalize PT_REGS_xxx() macro definitions
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 3cc31d794097a0de5ac619d4a20b1975139e6b05 ]
+
+Refactor PT_REGS macros definitions in  bpf_tracing.h to avoid excessive
+duplication. We currently have classic PT_REGS_xxx() and CO-RE-enabled
+PT_REGS_xxx_CORE(). We are about to add also _SYSCALL variants, which
+would require excessive copying of all the per-architecture definitions.
+
+Instead, separate architecture-specific field/register names from the
+final macro that utilize them. That way for upcoming _SYSCALL variants
+we'll be able to just define x86_64 exception and otherwise have one
+common set of _SYSCALL macro definitions common for all architectures.
+
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Link: https://lore.kernel.org/bpf/20211222213924.1869758-1-andrii@kernel.org
+Stable-dep-of: 7221b9caf84b ("libbpf: Fix powerpc's stack register definition in bpf_tracing.h")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf_tracing.h | 377 +++++++++++++++---------------------
+ 1 file changed, 152 insertions(+), 225 deletions(-)
+
+diff --git a/tools/lib/bpf/bpf_tracing.h b/tools/lib/bpf/bpf_tracing.h
+index db05a59371056..20fe06d0acd98 100644
+--- a/tools/lib/bpf/bpf_tracing.h
++++ b/tools/lib/bpf/bpf_tracing.h
+@@ -66,277 +66,204 @@
+ #if defined(__KERNEL__) || defined(__VMLINUX_H__)
+-#define PT_REGS_PARM1(x) ((x)->di)
+-#define PT_REGS_PARM2(x) ((x)->si)
+-#define PT_REGS_PARM3(x) ((x)->dx)
+-#define PT_REGS_PARM4(x) ((x)->cx)
+-#define PT_REGS_PARM5(x) ((x)->r8)
+-#define PT_REGS_RET(x) ((x)->sp)
+-#define PT_REGS_FP(x) ((x)->bp)
+-#define PT_REGS_RC(x) ((x)->ax)
+-#define PT_REGS_SP(x) ((x)->sp)
+-#define PT_REGS_IP(x) ((x)->ip)
+-
+-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((x), di)
+-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((x), si)
+-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((x), dx)
+-#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((x), cx)
+-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((x), r8)
+-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((x), sp)
+-#define PT_REGS_FP_CORE(x) BPF_CORE_READ((x), bp)
+-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((x), ax)
+-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((x), sp)
+-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), ip)
++#define __PT_PARM1_REG di
++#define __PT_PARM2_REG si
++#define __PT_PARM3_REG dx
++#define __PT_PARM4_REG cx
++#define __PT_PARM5_REG r8
++#define __PT_RET_REG sp
++#define __PT_FP_REG bp
++#define __PT_RC_REG ax
++#define __PT_SP_REG sp
++#define __PT_IP_REG ip
+ #else
+ #ifdef __i386__
+-/* i386 kernel is built with -mregparm=3 */
+-#define PT_REGS_PARM1(x) ((x)->eax)
+-#define PT_REGS_PARM2(x) ((x)->edx)
+-#define PT_REGS_PARM3(x) ((x)->ecx)
+-#define PT_REGS_PARM4(x) 0
+-#define PT_REGS_PARM5(x) 0
+-#define PT_REGS_RET(x) ((x)->esp)
+-#define PT_REGS_FP(x) ((x)->ebp)
+-#define PT_REGS_RC(x) ((x)->eax)
+-#define PT_REGS_SP(x) ((x)->esp)
+-#define PT_REGS_IP(x) ((x)->eip)
+-
+-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((x), eax)
+-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((x), edx)
+-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((x), ecx)
+-#define PT_REGS_PARM4_CORE(x) 0
+-#define PT_REGS_PARM5_CORE(x) 0
+-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((x), esp)
+-#define PT_REGS_FP_CORE(x) BPF_CORE_READ((x), ebp)
+-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((x), eax)
+-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((x), esp)
+-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), eip)
+-
+-#else
+-#define PT_REGS_PARM1(x) ((x)->rdi)
+-#define PT_REGS_PARM2(x) ((x)->rsi)
+-#define PT_REGS_PARM3(x) ((x)->rdx)
+-#define PT_REGS_PARM4(x) ((x)->rcx)
+-#define PT_REGS_PARM5(x) ((x)->r8)
+-#define PT_REGS_RET(x) ((x)->rsp)
+-#define PT_REGS_FP(x) ((x)->rbp)
+-#define PT_REGS_RC(x) ((x)->rax)
+-#define PT_REGS_SP(x) ((x)->rsp)
+-#define PT_REGS_IP(x) ((x)->rip)
+-
+-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((x), rdi)
+-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((x), rsi)
+-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((x), rdx)
+-#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((x), rcx)
+-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((x), r8)
+-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((x), rsp)
+-#define PT_REGS_FP_CORE(x) BPF_CORE_READ((x), rbp)
+-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((x), rax)
+-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((x), rsp)
+-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), rip)
+-
+-#endif
+-#endif
++#define __PT_PARM1_REG eax
++#define __PT_PARM2_REG edx
++#define __PT_PARM3_REG ecx
++/* i386 kernel is built with -mregparm=3 */
++#define __PT_PARM4_REG __unsupported__
++#define __PT_PARM5_REG __unsupported__
++#define __PT_RET_REG esp
++#define __PT_FP_REG ebp
++#define __PT_RC_REG eax
++#define __PT_SP_REG esp
++#define __PT_IP_REG eip
++
++#else /* __i386__ */
++
++#define __PT_PARM1_REG rdi
++#define __PT_PARM2_REG rsi
++#define __PT_PARM3_REG rdx
++#define __PT_PARM4_REG rcx
++#define __PT_PARM5_REG r8
++#define __PT_RET_REG rsp
++#define __PT_FP_REG rbp
++#define __PT_RC_REG rax
++#define __PT_SP_REG rsp
++#define __PT_IP_REG rip
++
++#endif /* __i386__ */
++
++#endif /* __KERNEL__ || __VMLINUX_H__ */
+ #elif defined(bpf_target_s390)
+ /* s390 provides user_pt_regs instead of struct pt_regs to userspace */
+-struct pt_regs;
+-#define PT_REGS_S390 const volatile user_pt_regs
+-#define PT_REGS_PARM1(x) (((PT_REGS_S390 *)(x))->gprs[2])
+-#define PT_REGS_PARM2(x) (((PT_REGS_S390 *)(x))->gprs[3])
+-#define PT_REGS_PARM3(x) (((PT_REGS_S390 *)(x))->gprs[4])
+-#define PT_REGS_PARM4(x) (((PT_REGS_S390 *)(x))->gprs[5])
+-#define PT_REGS_PARM5(x) (((PT_REGS_S390 *)(x))->gprs[6])
+-#define PT_REGS_RET(x) (((PT_REGS_S390 *)(x))->gprs[14])
+-/* Works only with CONFIG_FRAME_POINTER */
+-#define PT_REGS_FP(x) (((PT_REGS_S390 *)(x))->gprs[11])
+-#define PT_REGS_RC(x) (((PT_REGS_S390 *)(x))->gprs[2])
+-#define PT_REGS_SP(x) (((PT_REGS_S390 *)(x))->gprs[15])
+-#define PT_REGS_IP(x) (((PT_REGS_S390 *)(x))->psw.addr)
+-
+-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[2])
+-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[3])
+-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[4])
+-#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[5])
+-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[6])
+-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[14])
+-#define PT_REGS_FP_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[11])
+-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[2])
+-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[15])
+-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), psw.addr)
++#define __PT_REGS_CAST(x) ((const user_pt_regs *)(x))
++#define __PT_PARM1_REG gprs[2]
++#define __PT_PARM2_REG gprs[3]
++#define __PT_PARM3_REG gprs[4]
++#define __PT_PARM4_REG gprs[5]
++#define __PT_PARM5_REG gprs[6]
++#define __PT_RET_REG grps[14]
++#define __PT_FP_REG gprs[11]  /* Works only with CONFIG_FRAME_POINTER */
++#define __PT_RC_REG gprs[2]
++#define __PT_SP_REG gprs[15]
++#define __PT_IP_REG psw.addr
+ #elif defined(bpf_target_arm)
+-#define PT_REGS_PARM1(x) ((x)->uregs[0])
+-#define PT_REGS_PARM2(x) ((x)->uregs[1])
+-#define PT_REGS_PARM3(x) ((x)->uregs[2])
+-#define PT_REGS_PARM4(x) ((x)->uregs[3])
+-#define PT_REGS_PARM5(x) ((x)->uregs[4])
+-#define PT_REGS_RET(x) ((x)->uregs[14])
+-#define PT_REGS_FP(x) ((x)->uregs[11]) /* Works only with CONFIG_FRAME_POINTER */
+-#define PT_REGS_RC(x) ((x)->uregs[0])
+-#define PT_REGS_SP(x) ((x)->uregs[13])
+-#define PT_REGS_IP(x) ((x)->uregs[12])
+-
+-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((x), uregs[0])
+-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((x), uregs[1])
+-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((x), uregs[2])
+-#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((x), uregs[3])
+-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((x), uregs[4])
+-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((x), uregs[14])
+-#define PT_REGS_FP_CORE(x) BPF_CORE_READ((x), uregs[11])
+-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((x), uregs[0])
+-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((x), uregs[13])
+-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), uregs[12])
++#define __PT_PARM1_REG uregs[0]
++#define __PT_PARM2_REG uregs[1]
++#define __PT_PARM3_REG uregs[2]
++#define __PT_PARM4_REG uregs[3]
++#define __PT_PARM5_REG uregs[4]
++#define __PT_RET_REG uregs[14]
++#define __PT_FP_REG uregs[11] /* Works only with CONFIG_FRAME_POINTER */
++#define __PT_RC_REG uregs[0]
++#define __PT_SP_REG uregs[13]
++#define __PT_IP_REG uregs[12]
+ #elif defined(bpf_target_arm64)
+ /* arm64 provides struct user_pt_regs instead of struct pt_regs to userspace */
+-struct pt_regs;
+-#define PT_REGS_ARM64 const volatile struct user_pt_regs
+-#define PT_REGS_PARM1(x) (((PT_REGS_ARM64 *)(x))->regs[0])
+-#define PT_REGS_PARM2(x) (((PT_REGS_ARM64 *)(x))->regs[1])
+-#define PT_REGS_PARM3(x) (((PT_REGS_ARM64 *)(x))->regs[2])
+-#define PT_REGS_PARM4(x) (((PT_REGS_ARM64 *)(x))->regs[3])
+-#define PT_REGS_PARM5(x) (((PT_REGS_ARM64 *)(x))->regs[4])
+-#define PT_REGS_RET(x) (((PT_REGS_ARM64 *)(x))->regs[30])
+-/* Works only with CONFIG_FRAME_POINTER */
+-#define PT_REGS_FP(x) (((PT_REGS_ARM64 *)(x))->regs[29])
+-#define PT_REGS_RC(x) (((PT_REGS_ARM64 *)(x))->regs[0])
+-#define PT_REGS_SP(x) (((PT_REGS_ARM64 *)(x))->sp)
+-#define PT_REGS_IP(x) (((PT_REGS_ARM64 *)(x))->pc)
+-
+-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[0])
+-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[1])
+-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[2])
+-#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[3])
+-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[4])
+-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[30])
+-#define PT_REGS_FP_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[29])
+-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[0])
+-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), sp)
+-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), pc)
++#define __PT_REGS_CAST(x) ((const struct user_pt_regs *)(x))
++#define __PT_PARM1_REG regs[0]
++#define __PT_PARM2_REG regs[1]
++#define __PT_PARM3_REG regs[2]
++#define __PT_PARM4_REG regs[3]
++#define __PT_PARM5_REG regs[4]
++#define __PT_RET_REG regs[30]
++#define __PT_FP_REG regs[29]  /* Works only with CONFIG_FRAME_POINTER */
++#define __PT_RC_REG regs[0]
++#define __PT_SP_REG sp
++#define __PT_IP_REG pc
+ #elif defined(bpf_target_mips)
+-#define PT_REGS_PARM1(x) ((x)->regs[4])
+-#define PT_REGS_PARM2(x) ((x)->regs[5])
+-#define PT_REGS_PARM3(x) ((x)->regs[6])
+-#define PT_REGS_PARM4(x) ((x)->regs[7])
+-#define PT_REGS_PARM5(x) ((x)->regs[8])
+-#define PT_REGS_RET(x) ((x)->regs[31])
+-#define PT_REGS_FP(x) ((x)->regs[30]) /* Works only with CONFIG_FRAME_POINTER */
+-#define PT_REGS_RC(x) ((x)->regs[2])
+-#define PT_REGS_SP(x) ((x)->regs[29])
+-#define PT_REGS_IP(x) ((x)->cp0_epc)
+-
+-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((x), regs[4])
+-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((x), regs[5])
+-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((x), regs[6])
+-#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((x), regs[7])
+-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((x), regs[8])
+-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((x), regs[31])
+-#define PT_REGS_FP_CORE(x) BPF_CORE_READ((x), regs[30])
+-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((x), regs[2])
+-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((x), regs[29])
+-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), cp0_epc)
++#define __PT_PARM1_REG regs[4]
++#define __PT_PARM2_REG regs[5]
++#define __PT_PARM3_REG regs[6]
++#define __PT_PARM4_REG regs[7]
++#define __PT_PARM5_REG regs[8]
++#define __PT_RET_REG regs[31]
++#define __PT_FP_REG regs[30]  /* Works only with CONFIG_FRAME_POINTER */
++#define __PT_RC_REG regs[2]
++#define __PT_SP_REG regs[29]
++#define __PT_IP_REG cp0_epc
+ #elif defined(bpf_target_powerpc)
+-#define PT_REGS_PARM1(x) ((x)->gpr[3])
+-#define PT_REGS_PARM2(x) ((x)->gpr[4])
+-#define PT_REGS_PARM3(x) ((x)->gpr[5])
+-#define PT_REGS_PARM4(x) ((x)->gpr[6])
+-#define PT_REGS_PARM5(x) ((x)->gpr[7])
+-#define PT_REGS_RC(x) ((x)->gpr[3])
+-#define PT_REGS_SP(x) ((x)->sp)
+-#define PT_REGS_IP(x) ((x)->nip)
+-
+-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((x), gpr[3])
+-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((x), gpr[4])
+-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((x), gpr[5])
+-#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((x), gpr[6])
+-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((x), gpr[7])
+-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((x), gpr[3])
+-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((x), sp)
+-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), nip)
++#define __PT_PARM1_REG gpr[3]
++#define __PT_PARM2_REG gpr[4]
++#define __PT_PARM3_REG gpr[5]
++#define __PT_PARM4_REG gpr[6]
++#define __PT_PARM5_REG gpr[7]
++#define __PT_RET_REG regs[31]
++#define __PT_FP_REG __unsupported__
++#define __PT_RC_REG gpr[3]
++#define __PT_SP_REG sp
++#define __PT_IP_REG nip
+ #elif defined(bpf_target_sparc)
+-#define PT_REGS_PARM1(x) ((x)->u_regs[UREG_I0])
+-#define PT_REGS_PARM2(x) ((x)->u_regs[UREG_I1])
+-#define PT_REGS_PARM3(x) ((x)->u_regs[UREG_I2])
+-#define PT_REGS_PARM4(x) ((x)->u_regs[UREG_I3])
+-#define PT_REGS_PARM5(x) ((x)->u_regs[UREG_I4])
+-#define PT_REGS_RET(x) ((x)->u_regs[UREG_I7])
+-#define PT_REGS_RC(x) ((x)->u_regs[UREG_I0])
+-#define PT_REGS_SP(x) ((x)->u_regs[UREG_FP])
+-
+-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((x), u_regs[UREG_I0])
+-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((x), u_regs[UREG_I1])
+-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((x), u_regs[UREG_I2])
+-#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((x), u_regs[UREG_I3])
+-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((x), u_regs[UREG_I4])
+-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((x), u_regs[UREG_I7])
+-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((x), u_regs[UREG_I0])
+-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((x), u_regs[UREG_FP])
+-
++#define __PT_PARM1_REG u_regs[UREG_I0]
++#define __PT_PARM2_REG u_regs[UREG_I1]
++#define __PT_PARM3_REG u_regs[UREG_I2]
++#define __PT_PARM4_REG u_regs[UREG_I3]
++#define __PT_PARM5_REG u_regs[UREG_I4]
++#define __PT_RET_REG u_regs[UREG_I7]
++#define __PT_FP_REG __unsupported__
++#define __PT_RC_REG u_regs[UREG_I0]
++#define __PT_SP_REG u_regs[UREG_FP]
+ /* Should this also be a bpf_target check for the sparc case? */
+ #if defined(__arch64__)
+-#define PT_REGS_IP(x) ((x)->tpc)
+-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), tpc)
++#define __PT_IP_REG tpc
+ #else
+-#define PT_REGS_IP(x) ((x)->pc)
+-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), pc)
++#define __PT_IP_REG pc
+ #endif
+ #elif defined(bpf_target_riscv)
++#define __PT_REGS_CAST(x) ((const struct user_regs_struct *)(x))
++#define __PT_PARM1_REG a0
++#define __PT_PARM2_REG a1
++#define __PT_PARM3_REG a2
++#define __PT_PARM4_REG a3
++#define __PT_PARM5_REG a4
++#define __PT_RET_REG ra
++#define __PT_FP_REG fp
++#define __PT_RC_REG a5
++#define __PT_SP_REG sp
++#define __PT_IP_REG epc
++
++#endif
++
++#if defined(bpf_target_defined)
++
+ struct pt_regs;
+-#define PT_REGS_RV const volatile struct user_regs_struct
+-#define PT_REGS_PARM1(x) (((PT_REGS_RV *)(x))->a0)
+-#define PT_REGS_PARM2(x) (((PT_REGS_RV *)(x))->a1)
+-#define PT_REGS_PARM3(x) (((PT_REGS_RV *)(x))->a2)
+-#define PT_REGS_PARM4(x) (((PT_REGS_RV *)(x))->a3)
+-#define PT_REGS_PARM5(x) (((PT_REGS_RV *)(x))->a4)
+-#define PT_REGS_RET(x) (((PT_REGS_RV *)(x))->ra)
+-#define PT_REGS_FP(x) (((PT_REGS_RV *)(x))->s5)
+-#define PT_REGS_RC(x) (((PT_REGS_RV *)(x))->a5)
+-#define PT_REGS_SP(x) (((PT_REGS_RV *)(x))->sp)
+-#define PT_REGS_IP(x) (((PT_REGS_RV *)(x))->epc)
+-
+-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a0)
+-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a1)
+-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a2)
+-#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a3)
+-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a4)
+-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), ra)
+-#define PT_REGS_FP_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), fp)
+-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a5)
+-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), sp)
+-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), epc)
++/* allow some architecutres to override `struct pt_regs` */
++#ifndef __PT_REGS_CAST
++#define __PT_REGS_CAST(x) (x)
+ #endif
++#define PT_REGS_PARM1(x) (__PT_REGS_CAST(x)->__PT_PARM1_REG)
++#define PT_REGS_PARM2(x) (__PT_REGS_CAST(x)->__PT_PARM2_REG)
++#define PT_REGS_PARM3(x) (__PT_REGS_CAST(x)->__PT_PARM3_REG)
++#define PT_REGS_PARM4(x) (__PT_REGS_CAST(x)->__PT_PARM4_REG)
++#define PT_REGS_PARM5(x) (__PT_REGS_CAST(x)->__PT_PARM5_REG)
++#define PT_REGS_RET(x) (__PT_REGS_CAST(x)->__PT_RET_REG)
++#define PT_REGS_FP(x) (__PT_REGS_CAST(x)->__PT_FP_REG)
++#define PT_REGS_RC(x) (__PT_REGS_CAST(x)->__PT_RC_REG)
++#define PT_REGS_SP(x) (__PT_REGS_CAST(x)->__PT_SP_REG)
++#define PT_REGS_IP(x) (__PT_REGS_CAST(x)->__PT_IP_REG)
++
++#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_PARM1_REG)
++#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_PARM2_REG)
++#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_PARM3_REG)
++#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_PARM4_REG)
++#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_PARM5_REG)
++#define PT_REGS_RET_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_RET_REG)
++#define PT_REGS_FP_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_FP_REG)
++#define PT_REGS_RC_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_RC_REG)
++#define PT_REGS_SP_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_SP_REG)
++#define PT_REGS_IP_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_IP_REG)
++
+ #if defined(bpf_target_powerpc)
++
+ #define BPF_KPROBE_READ_RET_IP(ip, ctx)               ({ (ip) = (ctx)->link; })
+ #define BPF_KRETPROBE_READ_RET_IP             BPF_KPROBE_READ_RET_IP
++
+ #elif defined(bpf_target_sparc)
++
+ #define BPF_KPROBE_READ_RET_IP(ip, ctx)               ({ (ip) = PT_REGS_RET(ctx); })
+ #define BPF_KRETPROBE_READ_RET_IP             BPF_KPROBE_READ_RET_IP
+-#elif defined(bpf_target_defined)
++
++#else
++
+ #define BPF_KPROBE_READ_RET_IP(ip, ctx)                                           \
+       ({ bpf_probe_read_kernel(&(ip), sizeof(ip), (void *)PT_REGS_RET(ctx)); })
+ #define BPF_KRETPROBE_READ_RET_IP(ip, ctx)                                \
+-      ({ bpf_probe_read_kernel(&(ip), sizeof(ip),                         \
+-                        (void *)(PT_REGS_FP(ctx) + sizeof(ip))); })
++      ({ bpf_probe_read_kernel(&(ip), sizeof(ip), (void *)(PT_REGS_FP(ctx) + sizeof(ip))); })
++
+ #endif
+-#if !defined(bpf_target_defined)
++#else /* defined(bpf_target_defined) */
+ #define PT_REGS_PARM1(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
+ #define PT_REGS_PARM2(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
+@@ -363,7 +290,7 @@ struct pt_regs;
+ #define BPF_KPROBE_READ_RET_IP(ip, ctx) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
+ #define BPF_KRETPROBE_READ_RET_IP(ip, ctx) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
+-#endif /* !defined(bpf_target_defined) */
++#endif /* defined(bpf_target_defined) */
+ #ifndef ___bpf_concat
+ #define ___bpf_concat(a, b) a ## b
+-- 
+2.51.0
+
diff --git a/queue-5.15/net-hns3-return-error-code-when-function-fails.patch b/queue-5.15/net-hns3-return-error-code-when-function-fails.patch
new file mode 100644 (file)
index 0000000..de8ead4
--- /dev/null
@@ -0,0 +1,87 @@
+From 4df27f60b2ab223459b2bf856144f518f59bce22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 21:13:37 +0800
+Subject: net: hns3: return error code when function fails
+
+From: Jijie Shao <shaojijie@huawei.com>
+
+[ Upstream commit 03ca7c8c42be913529eb9f188278114430c6abbd ]
+
+Currently, in hclge_mii_ioctl(), the operation to
+read the PHY register (SIOCGMIIREG) always returns 0.
+
+This patch changes the return type of hclge_read_phy_reg(),
+returning an error code when the function fails.
+
+Fixes: 024712f51e57 ("net: hns3: add ioctl support for imp-controlled PHYs")
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Link: https://patch.msgid.link/20251023131338.2642520-2-shaojijie@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +--
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 9 ++++++---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h | 2 +-
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index d228e37f8b3d9..492a754f84a94 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -9562,8 +9562,7 @@ static int hclge_mii_ioctl(struct hclge_dev *hdev, struct ifreq *ifr, int cmd)
+               /* this command reads phy id and register at the same time */
+               fallthrough;
+       case SIOCGMIIREG:
+-              data->val_out = hclge_read_phy_reg(hdev, data->reg_num);
+-              return 0;
++              return hclge_read_phy_reg(hdev, data->reg_num, &data->val_out);
+       case SIOCSMIIREG:
+               return hclge_write_phy_reg(hdev, data->reg_num, data->val_in);
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+index 63d2be4349e3e..87a196256864f 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+@@ -271,7 +271,7 @@ void hclge_mac_stop_phy(struct hclge_dev *hdev)
+       phy_stop(phydev);
+ }
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val)
+ {
+       struct hclge_phy_reg_cmd *req;
+       struct hclge_desc desc;
+@@ -283,11 +283,14 @@ u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
+       req->reg_addr = cpu_to_le16(reg_addr);
+       ret = hclge_cmd_send(&hdev->hw, &desc, 1);
+-      if (ret)
++      if (ret) {
+               dev_err(&hdev->pdev->dev,
+                       "failed to read phy reg, ret = %d.\n", ret);
++              return ret;
++      }
+-      return le16_to_cpu(req->reg_val);
++      *val = le16_to_cpu(req->reg_val);
++      return 0;
+ }
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val)
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+index fd0e20190b90f..baeee805a9510 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+@@ -9,7 +9,7 @@ int hclge_mac_connect_phy(struct hnae3_handle *handle);
+ void hclge_mac_disconnect_phy(struct hnae3_handle *handle);
+ void hclge_mac_start_phy(struct hclge_dev *hdev);
+ void hclge_mac_stop_phy(struct hclge_dev *hdev);
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr);
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val);
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val);
+ #endif
+-- 
+2.51.0
+
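Review bot: The new out-parameter contract of `hclge_read_phy_reg()` is not documented in the hclge_mdio.c or hclge_mdio.h hunks: `*val` is assigned only on success, and a failing `hclge_cmd_send()` now returns its code with `*val` untouched. I would add a comment above the definition, e.g. `/* Returns 0 and stores the register value in *val; on failure returns the hclge_cmd_send() error and leaves *val unmodified. */`, so a later caller does not read the output after an error. In `hclge_mii_ioctl()` a failed read leaves `data->val_out` holding whatever the request already contained. That is fine provided the error return keeps it from being reported to userspace as a register value, which depends on the ioctl caller outside the hunk.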
diff --git a/queue-5.15/riscv-libbpf-add-risc-v-rv64-support-to-bpf_tracing..patch b/queue-5.15/riscv-libbpf-add-risc-v-rv64-support-to-bpf_tracing..patch
new file mode 100644 (file)
index 0000000..1c9523f
--- /dev/null
@@ -0,0 +1,83 @@
+From 017aa0830867825c5f459829d1126d1f797b7e60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 18:10:56 +0200
+Subject: riscv, libbpf: Add RISC-V (RV64) support to bpf_tracing.h
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Björn Töpel <bjorn@kernel.org>
+
+[ Upstream commit 589fed479ba1e93f94d9772aa6162cd81f7e491c ]
+
+Add macros for 64-bit RISC-V PT_REGS to bpf_tracing.h.
+
+Signed-off-by: Björn Töpel <bjorn@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20211028161057.520552-4-bjorn@kernel.org
+Stable-dep-of: 7221b9caf84b ("libbpf: Fix powerpc's stack register definition in bpf_tracing.h")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf_tracing.h | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/tools/lib/bpf/bpf_tracing.h b/tools/lib/bpf/bpf_tracing.h
+index d6bfbe009296c..db05a59371056 100644
+--- a/tools/lib/bpf/bpf_tracing.h
++++ b/tools/lib/bpf/bpf_tracing.h
+@@ -24,6 +24,9 @@
+ #elif defined(__TARGET_ARCH_sparc)
+       #define bpf_target_sparc
+       #define bpf_target_defined
++#elif defined(__TARGET_ARCH_riscv)
++      #define bpf_target_riscv
++      #define bpf_target_defined
+ #else
+ /* Fall back to what the compiler says */
+@@ -48,6 +51,9 @@
+ #elif defined(__sparc__)
+       #define bpf_target_sparc
+       #define bpf_target_defined
++#elif defined(__riscv) && __riscv_xlen == 64
++      #define bpf_target_riscv
++      #define bpf_target_defined
+ #endif /* no compiler target */
+ #endif
+@@ -288,6 +294,32 @@ struct pt_regs;
+ #define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), pc)
+ #endif
++#elif defined(bpf_target_riscv)
++
++struct pt_regs;
++#define PT_REGS_RV const volatile struct user_regs_struct
++#define PT_REGS_PARM1(x) (((PT_REGS_RV *)(x))->a0)
++#define PT_REGS_PARM2(x) (((PT_REGS_RV *)(x))->a1)
++#define PT_REGS_PARM3(x) (((PT_REGS_RV *)(x))->a2)
++#define PT_REGS_PARM4(x) (((PT_REGS_RV *)(x))->a3)
++#define PT_REGS_PARM5(x) (((PT_REGS_RV *)(x))->a4)
++#define PT_REGS_RET(x) (((PT_REGS_RV *)(x))->ra)
++#define PT_REGS_FP(x) (((PT_REGS_RV *)(x))->s5)
++#define PT_REGS_RC(x) (((PT_REGS_RV *)(x))->a5)
++#define PT_REGS_SP(x) (((PT_REGS_RV *)(x))->sp)
++#define PT_REGS_IP(x) (((PT_REGS_RV *)(x))->epc)
++
++#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a0)
++#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a1)
++#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a2)
++#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a3)
++#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a4)
++#define PT_REGS_RET_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), ra)
++#define PT_REGS_FP_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), fp)
++#define PT_REGS_RC_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a5)
++#define PT_REGS_SP_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), sp)
++#define PT_REGS_IP_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), epc)
++
+ #endif
+ #if defined(bpf_target_powerpc)
+-- 
+2.51.0
+
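Review bot: `PT_REGS_FP(x)` reads `s5` while `PT_REGS_FP_CORE(x)` reads `fp`, so the two accessors for the same register disagree and a tracing program gets a different value depending on which one it uses. As far as I know the uapi `struct user_regs_struct` on RISC-V names the frame pointer `s0` and the program counter `pc`, which would make the `fp` and `epc` members fail to compile when expanded; this should be checked against the 5.15 header. Since this is a dependency backport, the correction belongs in a follow-up backport rather than an edit here. The later normalization patch in this queue (`__PT_FP_REG fp`, `__PT_IP_REG epc`) removes the `s5`/`fp` split but keeps those field names. `PT_REGS_RC` reading `a5` rather than `a0` also deserves a second look.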
index d8d7af2699a5db8ec43adc593622425cf9472e58..8bc5df377c899ab0c341a4b958b560b522b7d90e 100644 (file)
@@ -13,3 +13,17 @@ fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch
 fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch
 mptcp-restore-window-probe.patch
 asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch
+wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
+drm-msm-a6xx-fix-gmu-firmware-parser.patch
+alsa-usb-audio-fix-control-pipe-direction.patch
+bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
+bpf-do-not-audit-capability-check-in-do_jit.patch
+riscv-libbpf-add-risc-v-rv64-support-to-bpf_tracing..patch
+libbpf-normalize-pt_regs_xxx-macro-definitions.patch
+libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
+usbnet-prevents-free-active-kevent.patch
+drm-etnaviv-fix-flush-sequence-logic.patch
+net-hns3-return-error-code-when-function-fails.patch
+drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-3340
diff --git a/queue-5.15/usbnet-prevents-free-active-kevent.patch b/queue-5.15/usbnet-prevents-free-active-kevent.patch
new file mode 100644 (file)
index 0000000..509a24d
--- /dev/null
@@ -0,0 +1,50 @@
+From 554e84731d4ae7eeeff7ae4c6c2c15a3dc9b52ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 10:40:07 +0800
+Subject: usbnet: Prevents free active kevent
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+[ Upstream commit 420c84c330d1688b8c764479e5738bbdbf0a33de ]
+
+The root cause of this issue are:
+1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
+put the kevent work in global workqueue. However, the kevent has not yet
+been scheduled when the usbnet device is unregistered. Therefore, executing
+free_netdev() results in the "free active object (kevent)" error reported
+here.
+
+2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
+if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
+However, because the device is not up, ndo_stop() is not executed.
+
+The solution to this problem is to cancel the kevent before executing
+free_netdev().
+
+Fixes: a69e617e533e ("usbnet: Fix linkwatch use-after-free on disconnect")
+Reported-by: Sam Sun <samsun1006219@gmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=8bfd7bcc98f7300afb84
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Link: https://patch.msgid.link/20251022024007.1831898-1-lizhi.xu@windriver.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/usbnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 21f5fdbce0747..aceec2381e802 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1648,6 +1648,8 @@ void usbnet_disconnect (struct usb_interface *intf)
+       net = dev->net;
+       unregister_netdev (net);
++      cancel_work_sync(&dev->kevent);
++
+       while ((urb = usb_get_from_anchor(&dev->deferred))) {
+               dev_kfree_skb(urb->context);
+               kfree(urb->sg);
+-- 
+2.51.0
+
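Review bot: The added `cancel_work_sync(&dev->kevent)` carries no comment explaining why it is still needed after `unregister_netdev()`, and the reason is not visible in the code. Per the commit message, the work can be queued at probe time while the device was never up, so `ndo_stop()` never cancels it. I would add `/* kevent may have been queued at probe time; ndo_stop() is skipped for a device that was never up */` above the call. `cancel_work_sync()` only covers work queued up to that point, so it is worth confirming that nothing later in `usbnet_disconnect()`, which continues outside the hunk, can queue kevent again before `free_netdev()`. The same applies to the queue-5.4 copy of this patch.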
diff --git a/queue-5.15/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch b/queue-5.15/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
new file mode 100644 (file)
index 0000000..110ac64
--- /dev/null
@@ -0,0 +1,41 @@
+From bee315ce17cec141d163a1a7831cc62a38afa3c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Sep 2025 21:56:56 +0200
+Subject: wifi: ath10k: Fix memory leak on unsupported WMI command
+
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+
+[ Upstream commit 2e9c1da4ee9d0acfca2e0a3d78f3d8cb5802da1b ]
+
+ath10k_wmi_cmd_send takes ownership of the passed buffer (skb) and has the
+responsibility to release it in case of error. This patch fixes missing
+free in case of early error due to unhandled WMI command ID.
+
+Tested-on: WCN3990 hw1.0 WLAN.HL.3.3.7.c2-00931-QCAHLSWMTPLZ-1
+
+Fixes: 553215592f14 ("ath10k: warn if give WMI command is not supported")
+Suggested-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250926195656.187970-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index 5817501b0c3fe..f07788092b269 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -1935,6 +1935,7 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id)
+       if (cmd_id == WMI_CMD_UNSUPPORTED) {
+               ath10k_warn(ar, "wmi command %d is not supported by firmware\n",
+                           cmd_id);
++              dev_kfree_skb_any(skb);
+               return ret;
+       }
+-- 
+2.51.0
+
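Review bot: With `dev_kfree_skb_any(skb)` added to the unsupported-command branch, `ath10k_wmi_cmd_send()` frees `skb` on this early return too, but the ownership rule is stated only in the commit message. A comment above the function such as `/* Takes ownership of skb: it is freed on error, so callers must not touch or free it after the call. */` would guard against a caller that still frees on error and turns this into a double free. Callers are outside the hunk, so that should be checked. Separately, `cmd_id` is a `u32` but is printed with `%d` in the `ath10k_warn()` just above; `%u` matches the type. The same applies to the queue-5.4 copy of this patch.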
diff --git a/queue-5.4/drm-etnaviv-fix-flush-sequence-logic.patch b/queue-5.4/drm-etnaviv-fix-flush-sequence-logic.patch
new file mode 100644 (file)
index 0000000..92f05e1
--- /dev/null
@@ -0,0 +1,46 @@
+From 2522fad1e20ec3ae436ea9b88d4fbcc32c620d9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:37:23 +0200
+Subject: drm/etnaviv: fix flush sequence logic
+
+From: Tomeu Vizoso <tomeu@tomeuvizoso.net>
+
+[ Upstream commit a042beac6e6f8ac1e923784cfff98b47cbabb185 ]
+
+The current logic uses the flush sequence from the current address
+space. This is harmless when deducing the flush requirements for the
+current submit, as either the incoming address space is the same one
+as the currently active one or we switch context, in which case the
+flush is unconditional.
+
+However, this sequence is also stored as the current flush sequence
+of the GPU. If we switch context the stored flush sequence will no
+longer belong to the currently active address space. This incoherency
+can then cause missed flushes, resulting in translation errors.
+
+Fixes: 27b67278e007 ("drm/etnaviv: rework MMU handling")
+Signed-off-by: Tomeu Vizoso <tomeu@tomeuvizoso.net>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Christian Gmeiner <cgmeiner@igalia.com>
+Link: https://lore.kernel.org/r/20251021093723.3887980-1-l.stach@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+index 194af3979679d..9991150c8201a 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+@@ -346,7 +346,7 @@ void etnaviv_buffer_queue(struct etnaviv_gpu *gpu, u32 exec_state,
+       u32 link_target, link_dwords;
+       bool switch_context = gpu->exec_state != exec_state;
+       bool switch_mmu_context = gpu->mmu_context != mmu_context;
+-      unsigned int new_flush_seq = READ_ONCE(gpu->mmu_context->flush_seq);
++      unsigned int new_flush_seq = READ_ONCE(mmu_context->flush_seq);
+       bool need_flush = switch_mmu_context || gpu->flush_seq != new_flush_seq;
+       bool has_blt = !!(gpu->identity.minor_features5 &
+                         chipMinorFeatures5_BLT_ENGINE);
+-- 
+2.51.0
+
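Review bot: `new_flush_seq` is now read from the `mmu_context` argument, but nothing on the line explains why the incoming context is the right source rather than `gpu->mmu_context`. The commit message gives the reason: the value is later stored as the GPU's current flush sequence. That store is outside the hunk, so a one-line comment here would keep the two in step: `/* must come from the incoming context: this value becomes gpu->flush_seq */`. `etnaviv_buffer_queue()` continues beyond the hunk.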
index a05b1820e1d29b3a5c26703fdf4e4da424de78c2..f0de7bbc458635605faa1f7f9dbc37be8f17c36a 100644 (file)
@@ -8,3 +8,6 @@ fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch
 fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch
 fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch
 asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch
+wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
+usbnet-prevents-free-active-kevent.patch
+drm-etnaviv-fix-flush-sequence-logic.patch
diff --git a/queue-5.4/usbnet-prevents-free-active-kevent.patch b/queue-5.4/usbnet-prevents-free-active-kevent.patch
new file mode 100644 (file)
index 0000000..304c49d
--- /dev/null
@@ -0,0 +1,50 @@
+From cc0b573714aa191dc0108979e14bac9bc7aa049f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 10:40:07 +0800
+Subject: usbnet: Prevents free active kevent
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+[ Upstream commit 420c84c330d1688b8c764479e5738bbdbf0a33de ]
+
+The root cause of this issue are:
+1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
+put the kevent work in global workqueue. However, the kevent has not yet
+been scheduled when the usbnet device is unregistered. Therefore, executing
+free_netdev() results in the "free active object (kevent)" error reported
+here.
+
+2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
+if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
+However, because the device is not up, ndo_stop() is not executed.
+
+The solution to this problem is to cancel the kevent before executing
+free_netdev().
+
+Fixes: a69e617e533e ("usbnet: Fix linkwatch use-after-free on disconnect")
+Reported-by: Sam Sun <samsun1006219@gmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=8bfd7bcc98f7300afb84
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Link: https://patch.msgid.link/20251022024007.1831898-1-lizhi.xu@windriver.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/usbnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 87c0bcfef4801..f0dd0d7b51dc1 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1615,6 +1615,8 @@ void usbnet_disconnect (struct usb_interface *intf)
+       net = dev->net;
+       unregister_netdev (net);
++      cancel_work_sync(&dev->kevent);
++
+       while ((urb = usb_get_from_anchor(&dev->deferred))) {
+               dev_kfree_skb(urb->context);
+               kfree(urb->sg);
+-- 
+2.51.0
+
diff --git a/queue-5.4/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch b/queue-5.4/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
new file mode 100644 (file)
index 0000000..0066266
--- /dev/null
@@ -0,0 +1,41 @@
+From 80dd07be050d53d6475fc3b167576bddf5cb3c88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Sep 2025 21:56:56 +0200
+Subject: wifi: ath10k: Fix memory leak on unsupported WMI command
+
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+
+[ Upstream commit 2e9c1da4ee9d0acfca2e0a3d78f3d8cb5802da1b ]
+
+ath10k_wmi_cmd_send takes ownership of the passed buffer (skb) and has the
+responsibility to release it in case of error. This patch fixes missing
+free in case of early error due to unhandled WMI command ID.
+
+Tested-on: WCN3990 hw1.0 WLAN.HL.3.3.7.c2-00931-QCAHLSWMTPLZ-1
+
+Fixes: 553215592f14 ("ath10k: warn if give WMI command is not supported")
+Suggested-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250926195656.187970-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index ed6316c41cb78..a445a192b30f3 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -1894,6 +1894,7 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id)
+       if (cmd_id == WMI_CMD_UNSUPPORTED) {
+               ath10k_warn(ar, "wmi command %d is not supported by firmware\n",
+                           cmd_id);
++              dev_kfree_skb_any(skb);
+               return ret;
+       }
+-- 
+2.51.0
+
diff --git a/queue-6.1/alsa-usb-audio-fix-control-pipe-direction.patch b/queue-6.1/alsa-usb-audio-fix-control-pipe-direction.patch
new file mode 100644 (file)
index 0000000..7fed170
--- /dev/null
@@ -0,0 +1,37 @@
+From 61123352f476245e5a275a7a1d61803b8d483d71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 19:18:22 +0200
+Subject: ALSA: usb-audio: fix control pipe direction
+
+From: Roy Vegard Ovesen <roy.vegard.ovesen@gmail.com>
+
+[ Upstream commit 7963891f7c9c6f759cc9ab7da71406b4234f3dd6 ]
+
+Since the requesttype has USB_DIR_OUT the pipe should be
+constructed with usb_sndctrlpipe().
+
+Fixes: 8dc5efe3d17c ("ALSA: usb-audio: Add support for Presonus Studio 1810c")
+Signed-off-by: Roy Vegard Ovesen <roy.vegard.ovesen@gmail.com>
+Link: https://patch.msgid.link/aPPL3tBFE_oU-JHv@ark
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/mixer_s1810c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/mixer_s1810c.c b/sound/usb/mixer_s1810c.c
+index fac4bbc6b2757..65bdda0841048 100644
+--- a/sound/usb/mixer_s1810c.c
++++ b/sound/usb/mixer_s1810c.c
+@@ -181,7 +181,7 @@ snd_sc1810c_get_status_field(struct usb_device *dev,
+       pkt_out.fields[SC1810C_STATE_F1_IDX] = SC1810C_SET_STATE_F1;
+       pkt_out.fields[SC1810C_STATE_F2_IDX] = SC1810C_SET_STATE_F2;
+-      ret = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0),
++      ret = snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
+                             SC1810C_SET_STATE_REQ,
+                             SC1810C_SET_STATE_REQTYPE,
+                             (*seqnum), 0, &pkt_out, sizeof(pkt_out));
+-- 
+2.51.0
+
diff --git a/queue-6.1/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch b/queue-6.1/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
new file mode 100644 (file)
index 0000000..c47f577
--- /dev/null
@@ -0,0 +1,46 @@
+From b9a150fb5409763c49d2049f2ae7e707725df3e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 14:45:37 +0800
+Subject: ASoC: fsl_sai: fix bit order for DSD format
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit d9fbe5b0bf7e2d1e20d53e4e2274f9f61bdcca98 ]
+
+The DSD little endian format requires the msb first, because oldest bit
+is in msb.
+found this issue by testing with pipewire.
+
+Fixes: c111c2ddb3fd ("ASoC: fsl_sai: Add PDM daifmt support")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Link: https://patch.msgid.link/20251023064538.368850-2-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_sai.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
+index e622c8375a465..f5266be2bbc22 100644
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -322,7 +322,6 @@ static int fsl_sai_set_dai_fmt_tr(struct snd_soc_dai *cpu_dai,
+               break;
+       case SND_SOC_DAIFMT_PDM:
+               val_cr2 |= FSL_SAI_CR2_BCP;
+-              val_cr4 &= ~FSL_SAI_CR4_MF;
+               sai->is_pdm_mode = true;
+               break;
+       case SND_SOC_DAIFMT_RIGHT_J:
+@@ -597,7 +596,7 @@ static int fsl_sai_hw_params(struct snd_pcm_substream *substream,
+       val_cr5 |= FSL_SAI_CR5_WNW(slot_width);
+       val_cr5 |= FSL_SAI_CR5_W0W(slot_width);
+-      if (sai->is_lsb_first || sai->is_pdm_mode)
++      if (sai->is_lsb_first)
+               val_cr5 |= FSL_SAI_CR5_FBT(0);
+       else
+               val_cr5 |= FSL_SAI_CR5_FBT(word_width - 1);
+-- 
+2.51.0
+
diff --git a/queue-6.1/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch b/queue-6.1/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
new file mode 100644 (file)
index 0000000..96d4a7d
--- /dev/null
@@ -0,0 +1,40 @@
+From d98e499a79a7b4ddb19e8b4a5f4b421f8fbc4af1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 11:23:46 +0200
+Subject: ASoC: Intel: avs: Unprepare a stream when XRUN occurs
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit cfca1637bc2b6b1e4f191d2f0b25f12402fbbb26 ]
+
+The pcm->prepare() function may be called multiple times in a row by the
+userspace, as mentioned in the documentation. The driver shall take that
+into account and prevent redundancy. However, the exact same function is
+called during XRUNs and in such case, the particular stream shall be
+reset and setup anew.
+
+Fixes: 9114700b496c ("ASoC: Intel: avs: Generic PCM FE operations")
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://patch.msgid.link/20251023092348.3119313-2-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/pcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/intel/avs/pcm.c b/sound/soc/intel/avs/pcm.c
+index 07428b5755b8a..9d3c0ea99a298 100644
+--- a/sound/soc/intel/avs/pcm.c
++++ b/sound/soc/intel/avs/pcm.c
+@@ -556,6 +556,8 @@ static int avs_dai_fe_prepare(struct snd_pcm_substream *substream, struct snd_so
+       data = snd_soc_dai_get_dma_data(dai, substream);
+       host_stream = data->host_stream;
++      if (runtime->state == SNDRV_PCM_STATE_XRUN)
++              hdac_stream(host_stream)->prepared = false;
+       if (hdac_stream(host_stream)->prepared)
+               return 0;
+-- 
+2.51.0
+
diff --git a/queue-6.1/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch b/queue-6.1/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
new file mode 100644 (file)
index 0000000..bd3e234
--- /dev/null
@@ -0,0 +1,61 @@
+From 9621c34542c8bdac219b6c7729a45f57b8e4713d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Sep 2025 13:39:33 +0800
+Subject: Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during
+ reset
+
+From: Chris Lu <chris.lu@mediatek.com>
+
+[ Upstream commit 77343b8b4f87560f8f03e77b98a81ff3a147b262 ]
+
+This patch adds logic to handle power management control when the
+Bluetooth function is closed during the SDIO reset sequence.
+
+Specifically, if BT is closed before reset, the driver enables the
+SDIO function and sets driver pmctrl. After reset, if BT remains
+closed, the driver sets firmware pmctrl and disables the SDIO function.
+
+These changes ensure proper power management and device state consistency
+across the reset flow.
+
+Fixes: 8fafe702253d ("Bluetooth: mt7921s: support bluetooth reset mechanism")
+Signed-off-by: Chris Lu <chris.lu@mediatek.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btmtksdio.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c
+index f9a3444753c2b..97659b4792e69 100644
+--- a/drivers/bluetooth/btmtksdio.c
++++ b/drivers/bluetooth/btmtksdio.c
+@@ -1257,6 +1257,12 @@ static void btmtksdio_cmd_timeout(struct hci_dev *hdev)
+       sdio_claim_host(bdev->func);
++      /* set drv_pmctrl if BT is closed before doing reset */
++      if (!test_bit(BTMTKSDIO_FUNC_ENABLED, &bdev->tx_state)) {
++              sdio_enable_func(bdev->func);
++              btmtksdio_drv_pmctrl(bdev);
++      }
++
+       sdio_writel(bdev->func, C_INT_EN_CLR, MTK_REG_CHLPCR, NULL);
+       skb_queue_purge(&bdev->txq);
+       cancel_work_sync(&bdev->txrx_work);
+@@ -1272,6 +1278,12 @@ static void btmtksdio_cmd_timeout(struct hci_dev *hdev)
+               goto err;
+       }
++      /* set fw_pmctrl back if BT is closed after doing reset */
++      if (!test_bit(BTMTKSDIO_FUNC_ENABLED, &bdev->tx_state)) {
++              btmtksdio_fw_pmctrl(bdev);
++              sdio_disable_func(bdev->func);
++      }
++
+       clear_bit(BTMTKSDIO_PATCH_ENABLED, &bdev->tx_state);
+ err:
+       sdio_release_host(bdev->func);
+-- 
+2.51.0
+
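Review bot: The return value of `sdio_enable_func(bdev->func)` is discarded in the first added block, so a failed enable still falls through to `btmtksdio_drv_pmctrl()` and the `sdio_writel()` on `MTK_REG_CHLPCR`. Check it and leave through the existing label, e.g. `err = sdio_enable_func(bdev->func); if (err < 0) goto err;`, assuming the function's `err` variable, which is declared outside the hunk. The `goto err;` just above the second added block also jumps past the new `btmtksdio_fw_pmctrl()` / `sdio_disable_func()` pair. On a failed reset with BT closed, the function enabled by the first block therefore appears to stay enabled. Recording the pre-reset state in a local and undoing it after the `err:` label would keep the two blocks balanced.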
diff --git a/queue-6.1/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch b/queue-6.1/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch
new file mode 100644 (file)
index 0000000..23cdc21
--- /dev/null
@@ -0,0 +1,78 @@
+From b3dfef70b5fd19d7e3eed94631e40bfd77ed3fb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Oct 2025 10:55:58 -0400
+Subject: Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 0d92808024b4e9868cef68d16f121d509843e80e ]
+
+This fixes the state tracking of advertisement set/instance 0x00 which
+is considered a legacy instance and is not tracked individually by
+adv_instances list, previously it was assumed that hci_dev itself would
+track it via HCI_LE_ADV but that is a global state not specifc to
+instance 0x00, so to fix it a new flag is introduced that only tracks the
+state of instance 0x00.
+
+Fixes: 1488af7b8b5f ("Bluetooth: hci_sync: Fix hci_resume_advertising_sync")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci.h | 1 +
+ net/bluetooth/hci_event.c   | 4 ++++
+ net/bluetooth/hci_sync.c    | 5 ++---
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
+index 09bc4bf805c62..1a20fb1fa157b 100644
+--- a/include/net/bluetooth/hci.h
++++ b/include/net/bluetooth/hci.h
+@@ -372,6 +372,7 @@ enum {
+       HCI_USER_CHANNEL,
+       HCI_EXT_CONFIGURED,
+       HCI_LE_ADV,
++      HCI_LE_ADV_0,
+       HCI_LE_PER_ADV,
+       HCI_LE_SCAN,
+       HCI_SSP_ENABLED,
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index a0ce0a1e3258e..e1f1be4dfe97a 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -1655,6 +1655,8 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
+               if (adv)
+                       adv->enabled = true;
++              else if (!set->handle)
++                      hci_dev_set_flag(hdev, HCI_LE_ADV_0);
+               conn = hci_lookup_le_connect(hdev);
+               if (conn)
+@@ -1665,6 +1667,8 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
+               if (cp->num_of_sets) {
+                       if (adv)
+                               adv->enabled = false;
++                      else if (!set->handle)
++                              hci_dev_clear_flag(hdev, HCI_LE_ADV_0);
+                       /* If just one instance was disabled check if there are
+                        * any other instance enabled before clearing HCI_LE_ADV
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 2937e7a37bcba..5ad09900f8ff1 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -2607,9 +2607,8 @@ static int hci_resume_advertising_sync(struct hci_dev *hdev)
+               /* If current advertising instance is set to instance 0x00
+                * then we need to re-enable it.
+                */
+-              if (!hdev->cur_adv_instance)
+-                      err = hci_enable_ext_advertising_sync(hdev,
+-                                                            hdev->cur_adv_instance);
++              if (hci_dev_test_and_clear_flag(hdev, HCI_LE_ADV_0))
++                      err = hci_enable_ext_advertising_sync(hdev, 0x00);
+       } else {
+               /* Schedule for most recent instance to be restarted and begin
+                * the software rotation loop
+-- 
+2.51.0
+
diff --git a/queue-6.1/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch b/queue-6.1/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch
new file mode 100644 (file)
index 0000000..b861e82
--- /dev/null
@@ -0,0 +1,55 @@
+From fcbbf7351930fac85c294f5a72dfa3bc17fbb55a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Sep 2025 05:30:17 +0000
+Subject: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
+
+From: Cen Zhang <zzzccc427@163.com>
+
+[ Upstream commit 09b0cd1297b4dbfe736aeaa0ceeab2265f47f772 ]
+
+hci_cmd_sync_dequeue_once() does lookup and then cancel
+the entry under two separate lock sections. Meanwhile,
+hci_cmd_sync_work() can also delete the same entry,
+leading to double list_del() and "UAF".
+
+Fix this by holding cmd_sync_work_lock across both
+lookup and cancel, so that the entry cannot be removed
+concurrently.
+
+Fixes: 505ea2b29592 ("Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue")
+Reported-by: Cen Zhang <zzzccc427@163.com>
+Signed-off-by: Cen Zhang <zzzccc427@163.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 851a43a5aee0c..2937e7a37bcba 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -838,11 +838,17 @@ bool hci_cmd_sync_dequeue_once(struct hci_dev *hdev,
+ {
+       struct hci_cmd_sync_work_entry *entry;
+-      entry = hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
+-      if (!entry)
++      mutex_lock(&hdev->cmd_sync_work_lock);
++
++      entry = _hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
++      if (!entry) {
++              mutex_unlock(&hdev->cmd_sync_work_lock);
+               return false;
++      }
+-      hci_cmd_sync_cancel_entry(hdev, entry);
++      _hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
++
++      mutex_unlock(&hdev->cmd_sync_work_lock);
+       return true;
+ }
+-- 
+2.51.0
+
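Review bot: The locking rule this fix depends on is not written down where it is used in hci_cmd_sync_dequeue_once(). `_hci_cmd_sync_lookup_entry()` and `_hci_cmd_sync_cancel_entry()` are now called with `hdev->cmd_sync_work_lock` held, and the returned entry is only safe to touch while that mutex stays held. I would add a comment above the `mutex_lock()` such as `/* Hold cmd_sync_work_lock across lookup and cancel so hci_cmd_sync_work() cannot remove the entry in between */`. The two `mutex_unlock()` sites could also be folded into a single exit path with a `bool` result, which makes it harder for a later edit to return with the mutex held. The helpers are outside the hunk, so whether they assert the lock (for example with `lockdep_assert_held()`) cannot be checked from here.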
diff --git a/queue-6.1/bluetooth-iso-add-support-for-periodic-adv-reports-p.patch b/queue-6.1/bluetooth-iso-add-support-for-periodic-adv-reports-p.patch
new file mode 100644 (file)
index 0000000..1314891
--- /dev/null
@@ -0,0 +1,164 @@
+From 523527970585126b68190c3a2c96023a317f08f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Jun 2023 12:59:28 +0300
+Subject: Bluetooth: ISO: Add support for periodic adv reports processing
+
+From: Claudia Draghicescu <claudia.rosu@nxp.com>
+
+[ Upstream commit 9c0826310bfb784c9bac7d1d9454e304185446c5 ]
+
+In the case of a Periodic Synchronized Receiver,
+the PA report received from a Broadcaster contains the BASE,
+which has information about codec and other parameters of a BIG.
+This isnformation is stored and the application can retrieve it
+using getsockopt(BT_ISO_BASE).
+
+Signed-off-by: Claudia Draghicescu <claudia.rosu@nxp.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Stable-dep-of: c403da5e98b0 ("Bluetooth: ISO: Fix another instance of dst_type handling")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci.h | 11 +++++++++++
+ net/bluetooth/hci_event.c   | 23 +++++++++++++++++++++++
+ net/bluetooth/iso.c         | 28 +++++++++++++++++++++++++++-
+ 3 files changed, 61 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
+index 1a20fb1fa157b..018fc64329fc6 100644
+--- a/include/net/bluetooth/hci.h
++++ b/include/net/bluetooth/hci.h
+@@ -2768,6 +2768,17 @@ struct hci_ev_le_enh_conn_complete {
+       __u8      clk_accurancy;
+ } __packed;
++#define HCI_EV_LE_PER_ADV_REPORT    0x0f
++struct hci_ev_le_per_adv_report {
++      __le16   sync_handle;
++      __u8     tx_power;
++      __u8     rssi;
++      __u8     cte_type;
++      __u8     data_status;
++      __u8     length;
++      __u8     data[];
++} __packed;
++
+ #define HCI_EV_LE_EXT_ADV_SET_TERM    0x12
+ struct hci_evt_le_ext_adv_set_term {
+       __u8    status;
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index e1f1be4dfe97a..e516b169b12fb 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -6469,6 +6469,24 @@ static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data,
+       hci_dev_unlock(hdev);
+ }
++static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data,
++                                    struct sk_buff *skb)
++{
++      struct hci_ev_le_per_adv_report *ev = data;
++      int mask = hdev->link_mode;
++      __u8 flags = 0;
++
++      bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
++
++      hci_dev_lock(hdev);
++
++      mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
++      if (!(mask & HCI_LM_ACCEPT))
++              hci_le_pa_term_sync(hdev, ev->sync_handle);
++
++      hci_dev_unlock(hdev);
++}
++
+ static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
+                                           struct sk_buff *skb)
+ {
+@@ -7002,6 +7020,11 @@ static const struct hci_le_ev {
+       HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
+                 hci_le_pa_sync_estabilished_evt,
+                 sizeof(struct hci_ev_le_pa_sync_established)),
++      /* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */
++      HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT,
++                               hci_le_per_adv_report_evt,
++                               sizeof(struct hci_ev_le_per_adv_report),
++                               HCI_MAX_EVENT_SIZE),
+       /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
+       HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
+                 sizeof(struct hci_evt_le_ext_adv_set_term)),
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index c542497f040cc..bf7692e15deef 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -1314,7 +1314,8 @@ static int iso_sock_getsockopt(struct socket *sock, int level, int optname,
+               break;
+       case BT_ISO_BASE:
+-              if (sk->sk_state == BT_CONNECTED) {
++              if (sk->sk_state == BT_CONNECTED &&
++                  !bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) {
+                       base_len = iso_pi(sk)->conn->hcon->le_per_adv_data_len;
+                       base = iso_pi(sk)->conn->hcon->le_per_adv_data;
+               } else {
+@@ -1487,6 +1488,9 @@ static void iso_conn_ready(struct iso_conn *conn)
+               bacpy(&iso_pi(sk)->dst, &hcon->dst);
+               iso_pi(sk)->dst_type = hcon->dst_type;
++              iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle;
++              memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len);
++              iso_pi(sk)->base_len = iso_pi(parent)->base_len;
+               hci_conn_hold(hcon);
+               iso_chan_add(conn, sk, parent);
+@@ -1517,12 +1521,20 @@ static bool iso_match_sync_handle(struct sock *sk, void *data)
+       return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
+ }
++static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data)
++{
++      struct hci_ev_le_per_adv_report *ev = data;
++
++      return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
++}
++
+ /* ----- ISO interface with lower layer (HCI) ----- */
+ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
+ {
+       struct hci_ev_le_pa_sync_established *ev1;
+       struct hci_evt_le_big_info_adv_report *ev2;
++      struct hci_ev_le_per_adv_report *ev3;
+       struct sock *sk;
+       int lm = 0;
+@@ -1538,6 +1550,9 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
+        * 2. HCI_EVT_LE_BIG_INFO_ADV_REPORT: When connect_ind is triggered by a
+        * a BIG Info it attempts to check if there any listening socket with
+        * the same sync_handle and if it does then attempt to create a sync.
++       * 3. HCI_EV_LE_PER_ADV_REPORT: When a PA report is received, it is stored
++       * in iso_pi(sk)->base so it can be passed up to user, in the case of a
++       * broadcast sink.
+        */
+       ev1 = hci_recv_event_data(hdev, HCI_EV_LE_PA_SYNC_ESTABLISHED);
+       if (ev1) {
+@@ -1570,6 +1585,17 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
+                               sk = NULL;
+                       }
+               }
++      }
++
++      ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
++      if (ev3) {
++              sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr,
++                                       iso_match_sync_handle_pa_report, ev3);
++
++              if (sk) {
++                      memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
++                      iso_pi(sk)->base_len = ev3->length;
++              }
+       } else {
+               sk = iso_get_sock_listen(&hdev->bdaddr, BDADDR_ANY, NULL, NULL);
+       }
+-- 
+2.51.0
+
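Review bot: In the `ev3` branch of iso_connect_ind(), `memcpy(iso_pi(sk)->base, ev3->data, ev3->length)` copies a length taken straight from the controller's event with no visible bound. `length` is a `__u8`, so up to 255 bytes are written into `base`, whose declared size is outside the hunk. The event table entry only enforces `sizeof(struct hci_ev_le_per_adv_report)` as a minimum, so nothing shown here confirms that `length` bytes of `data` are actually present in the skb. Assuming `base` is a fixed-size array, guard the copy with `if (sk && ev3->length <= sizeof(iso_pi(sk)->base))`, and reject the report in hci_le_per_adv_report_evt() when `ev->length` exceeds the remaining event data. The copy added in iso_conn_ready() trusts `base_len` from the parent socket, so it is only as safe as this one.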
diff --git a/queue-6.1/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch b/queue-6.1/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch
new file mode 100644 (file)
index 0000000..4ba0be8
--- /dev/null
@@ -0,0 +1,42 @@
+From 32bb600c42d912dfff7dd1cd85c1d7e1a0c0fc43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Oct 2025 13:29:15 -0400
+Subject: Bluetooth: ISO: Fix another instance of dst_type handling
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit c403da5e98b04a2aec9cfb25cbeeb28d7ce29975 ]
+
+Socket dst_type cannot be directly assigned to hci_conn->type since
+there domain is different which may lead to the wrong address type being
+used.
+
+Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/iso.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index bf7692e15deef..7d521ffc66767 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -1487,7 +1487,13 @@ static void iso_conn_ready(struct iso_conn *conn)
+               }
+               bacpy(&iso_pi(sk)->dst, &hcon->dst);
+-              iso_pi(sk)->dst_type = hcon->dst_type;
++
++              /* Convert from HCI to three-value type */
++              if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
++                      iso_pi(sk)->dst_type = BDADDR_LE_PUBLIC;
++              else
++                      iso_pi(sk)->dst_type = BDADDR_LE_RANDOM;
++
+               iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle;
+               memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len);
+               iso_pi(sk)->base_len = iso_pi(parent)->base_len;
+-- 
+2.51.0
+
diff --git a/queue-6.1/bpf-do-not-audit-capability-check-in-do_jit.patch b/queue-6.1/bpf-do-not-audit-capability-check-in-do_jit.patch
new file mode 100644 (file)
index 0000000..b94f688
--- /dev/null
@@ -0,0 +1,50 @@
+From 152e5253e9cb7f895d070622e93bd97db7068ccb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 14:27:58 +0200
+Subject: bpf: Do not audit capability check in do_jit()
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+[ Upstream commit 881a9c9cb7856b24e390fad9f59acfd73b98b3b2 ]
+
+The failure of this check only results in a security mitigation being
+applied, slightly affecting performance of the compiled BPF program. It
+doesn't result in a failed syscall, an thus auditing a failed LSM
+permission check for it is unwanted. For example with SELinux, it causes
+a denial to be reported for confined processes running as root, which
+tends to be flagged as a problem to be fixed in the policy. Yet
+dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
+desirable, as it would allow/silence also other checks - either going
+against the principle of least privilege or making debugging potentially
+harder.
+
+Fix it by changing it from capable() to ns_capable_noaudit(), which
+instructs the LSMs to not audit the resulting denials.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326
+Fixes: d4e89d212d40 ("x86/bpf: Call branch history clearing sequence on exit")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-by: Paul Moore <paul@paul-moore.com>
+Link: https://lore.kernel.org/r/20251021122758.2659513-1-omosnace@redhat.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index f3068bb53c4db..095fec941bb73 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -1809,7 +1809,7 @@ st:                      if (is_imm8(insn->off))
+                       ctx->cleanup_addr = proglen;
+                       if (bpf_prog_was_classic(bpf_prog) &&
+-                          !capable(CAP_SYS_ADMIN)) {
++                          !ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) {
+                               u8 *ip = image + addrs[i - 1];
+                               if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog))
+-- 
+2.51.0
+
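Review bot: The reason for the no-audit variant lives only in the commit message, so `!ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)` reads like an ordinary privilege gate to anyone auditing capability checks later. A short comment above the condition would keep that context, for example `/* No audit: a denial only adds the BHB barrier, it never fails the syscall */`. Passing `&init_user_ns` keeps the check global, as `capable()` was. That is worth stating in the same comment so nobody narrows it to the caller's user namespace, which would let a namespaced root skip the mitigation. The enclosing do_jit() body starts and ends outside the hunk.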
diff --git a/queue-6.1/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch b/queue-6.1/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
new file mode 100644 (file)
index 0000000..de6c2d1
--- /dev/null
@@ -0,0 +1,46 @@
+From 763f9e82619ce88277964d43e6eeca6cc31ec200 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 23:33:01 +0530
+Subject: bpf: Sync pending IRQ work before freeing ring buffer
+
+From: Noorain Eqbal <nooraineqbal@gmail.com>
+
+[ Upstream commit 4e9077638301816a7d73fa1e1b4c1db4a7e3b59c ]
+
+Fix a race where irq_work can be queued in bpf_ringbuf_commit()
+but the ring buffer is freed before the work executes.
+In the syzbot reproducer, a BPF program attached to sched_switch
+triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer
+is freed before this work executes, the irq_work thread may accesses
+freed memory.
+Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work
+complete before freeing the buffer.
+
+Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
+Reported-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2617fc732430968b45d2
+Tested-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Signed-off-by: Noorain Eqbal <nooraineqbal@gmail.com>
+Link: https://lore.kernel.org/r/20251020180301.103366-1-nooraineqbal@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/ringbuf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c
+index 095416e40df3c..1d49e77a6a01b 100644
+--- a/kernel/bpf/ringbuf.c
++++ b/kernel/bpf/ringbuf.c
+@@ -218,6 +218,8 @@ static struct bpf_map *ringbuf_map_alloc(union bpf_attr *attr)
+ static void bpf_ringbuf_free(struct bpf_ringbuf *rb)
+ {
++      irq_work_sync(&rb->work);
++
+       /* copy pages pointer and nr_pages to local variable, as we are going
+        * to unmap rb itself with vunmap() below
+        */
+-- 
+2.51.0
+
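Review bot: `irq_work_sync(&rb->work)` waits for work that is already queued but does not stop new work from being queued. The fix therefore relies on nothing being able to reach bpf_ringbuf_commit() for this buffer once bpf_ringbuf_free() runs. That precondition is not visible in the hunk. If it holds (presumably because the map has no remaining users at free time), it deserves a comment next to the call, e.g. `/* No producer can queue rb->work any more; wait for the last notification before rb is unmapped */`. The rest of bpf_ringbuf_free() is outside the hunk.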
diff --git a/queue-6.1/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch b/queue-6.1/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
new file mode 100644 (file)
index 0000000..81f3cc6
--- /dev/null
@@ -0,0 +1,41 @@
+From a602413cb4eecb1023e62af91e8edb66ce9ecec3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 14:12:21 +0800
+Subject: drm/amd/pm: fix smu table id bound check issue in
+ smu_cmn_update_table()
+
+From: Yang Wang <kevinyang.wang@amd.com>
+
+[ Upstream commit 238d468d3ed18a324bb9d8c99f18c665dbac0511 ]
+
+'table_index' is a variable defined by the smu driver (kmd)
+'table_id' is a variable defined by the hw smu (pmfw)
+
+This code should use table_index as a bounds check.
+
+Fixes: caad2613dc4bd ("drm/amd/powerplay: move table setting common code to smu_cmn.c")
+Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit fca0c66b22303de0d1d6313059baf4dc960a4753)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+index fd1faa840ec09..24b39a80481a8 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+@@ -862,7 +862,7 @@ int smu_cmn_update_table(struct smu_context *smu,
+                                                     table_index);
+       uint32_t table_size;
+       int ret = 0;
+-      if (!table_data || table_id >= SMU_TABLE_COUNT || table_id < 0)
++      if (!table_data || table_index >= SMU_TABLE_COUNT || table_id < 0)
+               return -EINVAL;
+       table_size = smu_table->tables[table_index].size;
+-- 
+2.51.0
+
diff --git a/queue-6.1/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch b/queue-6.1/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
new file mode 100644 (file)
index 0000000..7fb3a88
--- /dev/null
@@ -0,0 +1,39 @@
+From 775b5bd5ca95393fca518dca7cfae57874e739fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:08:13 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji
+
+From: John Smith <itistotalbotnet@gmail.com>
+
+[ Upstream commit 07a13f913c291d6ec72ee4fc848d13ecfdc0e705 ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18edef19ea44 ("drm/amd/powerplay: implement fw image related smu interface for Fiji.")
+Signed-off-by: John Smith <itistotalbotnet@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit c52238c9fb414555c68340cd80e487d982c1921c)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+index 02c094a06605d..50deb4ce767ee 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+@@ -2024,7 +2024,7 @@ static int fiji_init_smc_table(struct pp_hwmgr *hwmgr)
+       table->VoltageResponseTime = 0;
+       table->PhaseResponseTime = 0;
+       table->MemoryThermThrottleEnable = 1;
+-      table->PCIeBootLinkLevel = 0;      /* 0:Gen1 1:Gen2 2:Gen3*/
++      table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+       table->PCIeGenInterval = 1;
+       table->VRConfig = 0;
+-- 
+2.51.0
+
diff --git a/queue-6.1/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-16017 b/queue-6.1/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-16017
new file mode 100644 (file)
index 0000000..e216184
--- /dev/null
@@ -0,0 +1,39 @@
+From ff5fca6c8f2f064e1b2d67f7eb78763f818f18ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:09:09 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland
+
+From: John Smith <itistotalbotnet@gmail.com>
+
+[ Upstream commit 501672e3c1576aa9a8364144213c77b98a31a42c ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18aafc59b106 ("drm/amd/powerplay: implement fw related smu interface for iceland.")
+Signed-off-by: John Smith <itistotalbotnet@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 92b0a6ae6672857ddeabf892223943d2f0e06c97)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+index 03df35dee8ba8..6ddf9ce5471e8 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+@@ -2028,7 +2028,7 @@ static int iceland_init_smc_table(struct pp_hwmgr *hwmgr)
+       table->VoltageResponseTime  = 0;
+       table->PhaseResponseTime  = 0;
+       table->MemoryThermThrottleEnable  = 1;
+-      table->PCIeBootLinkLevel = 0;
++      table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+       table->PCIeGenInterval = 1;
+       result = iceland_populate_smc_svi2_config(hwmgr, table);
+-- 
+2.51.0
+
diff --git a/queue-6.1/drm-etnaviv-fix-flush-sequence-logic.patch b/queue-6.1/drm-etnaviv-fix-flush-sequence-logic.patch
new file mode 100644 (file)
index 0000000..86513f2
--- /dev/null
@@ -0,0 +1,46 @@
+From 0b317b1da5add65d598b3ef83c2d980f4ea2fdc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:37:23 +0200
+Subject: drm/etnaviv: fix flush sequence logic
+
+From: Tomeu Vizoso <tomeu@tomeuvizoso.net>
+
+[ Upstream commit a042beac6e6f8ac1e923784cfff98b47cbabb185 ]
+
+The current logic uses the flush sequence from the current address
+space. This is harmless when deducing the flush requirements for the
+current submit, as either the incoming address space is the same one
+as the currently active one or we switch context, in which case the
+flush is unconditional.
+
+However, this sequence is also stored as the current flush sequence
+of the GPU. If we switch context the stored flush sequence will no
+longer belong to the currently active address space. This incoherency
+can then cause missed flushes, resulting in translation errors.
+
+Fixes: 27b67278e007 ("drm/etnaviv: rework MMU handling")
+Signed-off-by: Tomeu Vizoso <tomeu@tomeuvizoso.net>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Christian Gmeiner <cgmeiner@igalia.com>
+Link: https://lore.kernel.org/r/20251021093723.3887980-1-l.stach@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+index 982174af74b1e..7d897aafb2a6a 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+@@ -346,7 +346,7 @@ void etnaviv_buffer_queue(struct etnaviv_gpu *gpu, u32 exec_state,
+       u32 link_target, link_dwords;
+       bool switch_context = gpu->exec_state != exec_state;
+       bool switch_mmu_context = gpu->mmu_context != mmu_context;
+-      unsigned int new_flush_seq = READ_ONCE(gpu->mmu_context->flush_seq);
++      unsigned int new_flush_seq = READ_ONCE(mmu_context->flush_seq);
+       bool need_flush = switch_mmu_context || gpu->flush_seq != new_flush_seq;
+       bool has_blt = !!(gpu->identity.minor_features5 &
+                         chipMinorFeatures5_BLT_ENGINE);
+-- 
+2.51.0
+
diff --git a/queue-6.1/drm-msm-a6xx-fix-gmu-firmware-parser.patch b/queue-6.1/drm-msm-a6xx-fix-gmu-firmware-parser.patch
new file mode 100644 (file)
index 0000000..fa1ad07
--- /dev/null
@@ -0,0 +1,51 @@
+From 211c6c3e751eea81d5857ffd163915d94f7a50a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Sep 2025 02:14:05 +0530
+Subject: drm/msm/a6xx: Fix GMU firmware parser
+
+From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+
+[ Upstream commit b4789aac9d3441d9f830f0a4022d8dc122d6cab3 ]
+
+Current parser logic for GMU firmware assumes a dword aligned payload
+size for every block. This is not true for all GMU firmwares. So, fix
+this by using correct 'size' value in the calculation for the offset
+for the next block's header.
+
+Fixes: c6ed04f856a4 ("drm/msm/a6xx: A640/A650 GMU firmware path")
+Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+Acked-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/674040/
+Message-ID: <20250911-assorted-sept-1-v2-2-a8bf1ee20792@oss.qualcomm.com>
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+index cd1d11104607c..7c1894e5627f8 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+@@ -689,6 +689,9 @@ static bool fw_block_mem(struct a6xx_gmu_bo *bo, const struct block_header *blk)
+       return true;
+ }
++#define NEXT_BLK(blk) \
++      ((const struct block_header *)((const char *)(blk) + sizeof(*(blk)) + (blk)->size))
++
+ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+ {
+       struct a6xx_gpu *a6xx_gpu = container_of(gmu, struct a6xx_gpu, gmu);
+@@ -719,7 +722,7 @@ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+       for (blk = (const struct block_header *) fw_image->data;
+            (const u8*) blk < fw_image->data + fw_image->size;
+-           blk = (const struct block_header *) &blk->data[blk->size >> 2]) {
++           blk = NEXT_BLK(blk)) {
+               if (blk->size == 0)
+                       continue;
+-- 
+2.51.0
+
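Review bot: The loop in a6xx_gmu_fw_load() still only checks that `blk` starts inside the image (`(const u8*) blk < fw_image->data + fw_image->size`), so a header that begins in the last few bytes, or a `blk->size` larger than the remaining data, is not rejected there. NEXT_BLK() adds that unvalidated `size` directly to the pointer. Since the block sizes come from the firmware image itself, the loop body could open with `size_t left = fw_image->data + fw_image->size - (const u8 *)blk;` and `if (left < sizeof(*blk) || blk->size > left - sizeof(*blk)) return -EINVAL;` (or whatever error path the function already uses). With byte-granular sizes the next header may no longer be 4-byte aligned, which deserves a one-line comment on the macro. The rest of the loop body is outside the hunk, so an equivalent check may already exist there.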
diff --git a/queue-6.1/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch b/queue-6.1/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
new file mode 100644 (file)
index 0000000..3dd63f4
--- /dev/null
@@ -0,0 +1,44 @@
+From 64b99917a69f825166c7a0b98d0007785fdf8b5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 13:36:43 -0700
+Subject: libbpf: Fix powerpc's stack register definition in bpf_tracing.h
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 7221b9caf84b3294688228a19273d74ea19a2ee4 ]
+
+retsnoop's build on powerpc (ppc64le) architecture ([0]) failed due to
+wrong definition of PT_REGS_SP() macro. Looking at powerpc's
+implementation of stack unwinding in perf_callchain_user_64() clearly
+shows that stack pointer register is gpr[1].
+
+Fix libbpf's definition of __PT_SP_REG for powerpc to fix all this.
+
+  [0] https://kojipkgs.fedoraproject.org/work/tasks/1544/137921544/build.log
+
+Fixes: 138d6153a139 ("samples/bpf: Enable powerpc support")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Naveen N Rao (AMD) <naveen@kernel.org>
+Link: https://lore.kernel.org/r/20251020203643.989467-1-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf_tracing.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/bpf_tracing.h b/tools/lib/bpf/bpf_tracing.h
+index 9c1b1689068d1..8f87a1765c80a 100644
+--- a/tools/lib/bpf/bpf_tracing.h
++++ b/tools/lib/bpf/bpf_tracing.h
+@@ -202,7 +202,7 @@ struct pt_regs___arm64 {
+ #define __PT_RET_REG regs[31]
+ #define __PT_FP_REG __unsupported__
+ #define __PT_RC_REG gpr[3]
+-#define __PT_SP_REG sp
++#define __PT_SP_REG gpr[1]
+ #define __PT_IP_REG nip
+ /* powerpc does not select ARCH_HAS_SYSCALL_WRAPPER. */
+ #define PT_REGS_SYSCALL_REGS(ctx) ctx
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-hns3-return-error-code-when-function-fails.patch b/queue-6.1/net-hns3-return-error-code-when-function-fails.patch
new file mode 100644 (file)
index 0000000..ec3465e
--- /dev/null
@@ -0,0 +1,87 @@
+From 5ea18a90ce9a04f9b07be85bb7c682ed5810e935 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 21:13:37 +0800
+Subject: net: hns3: return error code when function fails
+
+From: Jijie Shao <shaojijie@huawei.com>
+
+[ Upstream commit 03ca7c8c42be913529eb9f188278114430c6abbd ]
+
+Currently, in hclge_mii_ioctl(), the operation to
+read the PHY register (SIOCGMIIREG) always returns 0.
+
+This patch changes the return type of hclge_read_phy_reg(),
+returning an error code when the function fails.
+
+Fixes: 024712f51e57 ("net: hns3: add ioctl support for imp-controlled PHYs")
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Link: https://patch.msgid.link/20251023131338.2642520-2-shaojijie@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +--
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 9 ++++++---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h | 2 +-
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index c509c1e12109f..c45340f26ee49 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -9452,8 +9452,7 @@ static int hclge_mii_ioctl(struct hclge_dev *hdev, struct ifreq *ifr, int cmd)
+               /* this command reads phy id and register at the same time */
+               fallthrough;
+       case SIOCGMIIREG:
+-              data->val_out = hclge_read_phy_reg(hdev, data->reg_num);
+-              return 0;
++              return hclge_read_phy_reg(hdev, data->reg_num, &data->val_out);
+       case SIOCSMIIREG:
+               return hclge_write_phy_reg(hdev, data->reg_num, data->val_in);
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+index 80079657afebe..b8dbf932caf94 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+@@ -274,7 +274,7 @@ void hclge_mac_stop_phy(struct hclge_dev *hdev)
+       phy_stop(phydev);
+ }
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val)
+ {
+       struct hclge_phy_reg_cmd *req;
+       struct hclge_desc desc;
+@@ -286,11 +286,14 @@ u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
+       req->reg_addr = cpu_to_le16(reg_addr);
+       ret = hclge_cmd_send(&hdev->hw, &desc, 1);
+-      if (ret)
++      if (ret) {
+               dev_err(&hdev->pdev->dev,
+                       "failed to read phy reg, ret = %d.\n", ret);
++              return ret;
++      }
+-      return le16_to_cpu(req->reg_val);
++      *val = le16_to_cpu(req->reg_val);
++      return 0;
+ }
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val)
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+index 4200d0b6d9317..21d434c82475b 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+@@ -13,7 +13,7 @@ int hclge_mac_connect_phy(struct hnae3_handle *handle);
+ void hclge_mac_disconnect_phy(struct hnae3_handle *handle);
+ void hclge_mac_start_phy(struct hclge_dev *hdev);
+ void hclge_mac_stop_phy(struct hclge_dev *hdev);
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr);
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val);
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val);
+ #endif
+-- 
+2.51.0
+
diff --git a/queue-6.1/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch b/queue-6.1/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
new file mode 100644 (file)
index 0000000..a27044c
--- /dev/null
@@ -0,0 +1,42 @@
+From 8db883fad44a77557fb496701b2542ca040885e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 15:15:38 +0900
+Subject: scsi: ufs: core: Initialize value of an attribute returned by uic cmd
+
+From: Wonkon Kim <wkon.kim@samsung.com>
+
+[ Upstream commit 6fe4c679dde3075cb481beb3945269bb2ef8b19a ]
+
+If ufshcd_send_cmd() fails, *mib_val may have a garbage value. It can
+get an unintended value of an attribute.
+
+Make ufshcd_dme_get_attr() always initialize *mib_val.
+
+Fixes: 12b4fdb4f6bc ("[SCSI] ufs: add dme configuration primitives")
+Signed-off-by: Wonkon Kim <wkon.kim@samsung.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20251020061539.28661-2-wkon.kim@samsung.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufshcd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index f9adb11067470..d78ac2817c1ff 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -4027,8 +4027,8 @@ int ufshcd_dme_get_attr(struct ufs_hba *hba, u32 attr_sel,
+                       get, UIC_GET_ATTR_ID(attr_sel),
+                       UFS_UIC_COMMAND_RETRIES - retries);
+-      if (mib_val && !ret)
+-              *mib_val = uic_cmd.argument3;
++      if (mib_val)
++              *mib_val = ret == 0 ? uic_cmd.argument3 : 0;
+       if (peer && (hba->quirks & UFSHCD_QUIRK_DME_PEER_ACCESS_AUTO_MODE)
+           && pwr_mode_change)
+-- 
+2.51.0
+
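Review bot: On failure `*mib_val` is now set to 0, which is also a legitimate attribute value, so a caller that ignores the return code cannot tell a failed DME get from an attribute that really reads 0. The function's documentation should say this, for example `* @mib_val: attribute value; set to 0 when the command fails, callers must check the return code`. ufshcd_dme_get_attr() starts and ends outside the hunk, so its existing kernel-doc and its callers are not visible here.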
index 1d37a27bab5bbaa367a47df183448a29bb197473..a0804c4116821273a1f19759f04819f2716e988f 100644 (file)
@@ -33,3 +33,23 @@ fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch
 mptcp-restore-window-probe.patch
 asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch
 x86-fpu-ensure-xfd-state-on-signal-delivery.patch
+wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
+drm-msm-a6xx-fix-gmu-firmware-parser.patch
+alsa-usb-audio-fix-control-pipe-direction.patch
+bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
+scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
+bpf-do-not-audit-capability-check-in-do_jit.patch
+asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
+asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
+libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
+usbnet-prevents-free-active-kevent.patch
+bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch
+bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
+bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch
+bluetooth-iso-add-support-for-periodic-adv-reports-p.patch
+bluetooth-iso-fix-another-instance-of-dst_type-handl.patch
+drm-etnaviv-fix-flush-sequence-logic.patch
+net-hns3-return-error-code-when-function-fails.patch
+drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-16017
diff --git a/queue-6.1/usbnet-prevents-free-active-kevent.patch b/queue-6.1/usbnet-prevents-free-active-kevent.patch
new file mode 100644 (file)
index 0000000..65f534a
--- /dev/null
@@ -0,0 +1,50 @@
+From e61ac15d6de5088f64bc575e33c771c045c9b2e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 10:40:07 +0800
+Subject: usbnet: Prevents free active kevent
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+[ Upstream commit 420c84c330d1688b8c764479e5738bbdbf0a33de ]
+
+The root cause of this issue are:
+1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
+put the kevent work in global workqueue. However, the kevent has not yet
+been scheduled when the usbnet device is unregistered. Therefore, executing
+free_netdev() results in the "free active object (kevent)" error reported
+here.
+
+2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
+if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
+However, because the device is not up, ndo_stop() is not executed.
+
+The solution to this problem is to cancel the kevent before executing
+free_netdev().
+
+Fixes: a69e617e533e ("usbnet: Fix linkwatch use-after-free on disconnect")
+Reported-by: Sam Sun <samsun1006219@gmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=8bfd7bcc98f7300afb84
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Link: https://patch.msgid.link/20251022024007.1831898-1-lizhi.xu@windriver.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/usbnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index a68fead887207..6bdf035e35f56 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1645,6 +1645,8 @@ void usbnet_disconnect (struct usb_interface *intf)
+       net = dev->net;
+       unregister_netdev (net);
++      cancel_work_sync(&dev->kevent);
++
+       while ((urb = usb_get_from_anchor(&dev->deferred))) {
+               dev_kfree_skb(urb->context);
+               kfree(urb->sg);
+-- 
+2.51.0
+
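Review bot: `cancel_work_sync(&dev->kevent)` only waits for work queued before it returns, and the hunk does not show what keeps `dev->kevent` from being scheduled again between this call and the later free_netdev() named in the commit message. If a path that is still live at this point can defer a kevent, the free-active-object report could come back. A comment stating the invariant would help, for example `/* kevent can still be pending if the device was never opened; nothing may queue it after this point */`, and the ordering against the remaining teardown should be confirmed. usbnet_disconnect() continues outside the hunk.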
diff --git a/queue-6.1/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch b/queue-6.1/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
new file mode 100644 (file)
index 0000000..cc923e1
--- /dev/null
@@ -0,0 +1,41 @@
+From f88bcc23e6a64ed88f7bd0d0a896c1fc98d22c47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Sep 2025 21:56:56 +0200
+Subject: wifi: ath10k: Fix memory leak on unsupported WMI command
+
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+
+[ Upstream commit 2e9c1da4ee9d0acfca2e0a3d78f3d8cb5802da1b ]
+
+ath10k_wmi_cmd_send takes ownership of the passed buffer (skb) and has the
+responsibility to release it in case of error. This patch fixes missing
+free in case of early error due to unhandled WMI command ID.
+
+Tested-on: WCN3990 hw1.0 WLAN.HL.3.3.7.c2-00931-QCAHLSWMTPLZ-1
+
+Fixes: 553215592f14 ("ath10k: warn if give WMI command is not supported")
+Suggested-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250926195656.187970-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index 2fda5ca3e6ee9..22ce8b529067d 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -1935,6 +1935,7 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id)
+       if (cmd_id == WMI_CMD_UNSUPPORTED) {
+               ath10k_warn(ar, "wmi command %d is not supported by firmware\n",
+                           cmd_id);
++              dev_kfree_skb_any(skb);
+               return ret;
+       }
+-- 
+2.51.0
+
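Review bot: The ownership rule this fix relies on, that ath10k_wmi_cmd_send() consumes `skb` on every path including errors, is stated only in the commit message and not at the function. A short comment above the function, such as `/* Takes ownership of @skb: freed here on any error, callers must not touch it after the call */`, would keep later early returns from reintroducing the leak and keep callers from freeing the buffer a second time. The other exits of the function are outside the hunk, so whether they all release the buffer is not visible here.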
diff --git a/queue-6.12/alsa-usb-audio-fix-control-pipe-direction.patch b/queue-6.12/alsa-usb-audio-fix-control-pipe-direction.patch
new file mode 100644 (file)
index 0000000..946313b
--- /dev/null
@@ -0,0 +1,37 @@
+From 500c8c503277832ea5f17a1e03d1ed6f8db3b0b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 19:18:22 +0200
+Subject: ALSA: usb-audio: fix control pipe direction
+
+From: Roy Vegard Ovesen <roy.vegard.ovesen@gmail.com>
+
+[ Upstream commit 7963891f7c9c6f759cc9ab7da71406b4234f3dd6 ]
+
+Since the requesttype has USB_DIR_OUT the pipe should be
+constructed with usb_sndctrlpipe().
+
+Fixes: 8dc5efe3d17c ("ALSA: usb-audio: Add support for Presonus Studio 1810c")
+Signed-off-by: Roy Vegard Ovesen <roy.vegard.ovesen@gmail.com>
+Link: https://patch.msgid.link/aPPL3tBFE_oU-JHv@ark
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/mixer_s1810c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/mixer_s1810c.c b/sound/usb/mixer_s1810c.c
+index fac4bbc6b2757..65bdda0841048 100644
+--- a/sound/usb/mixer_s1810c.c
++++ b/sound/usb/mixer_s1810c.c
+@@ -181,7 +181,7 @@ snd_sc1810c_get_status_field(struct usb_device *dev,
+       pkt_out.fields[SC1810C_STATE_F1_IDX] = SC1810C_SET_STATE_F1;
+       pkt_out.fields[SC1810C_STATE_F2_IDX] = SC1810C_SET_STATE_F2;
+-      ret = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0),
++      ret = snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
+                             SC1810C_SET_STATE_REQ,
+                             SC1810C_SET_STATE_REQTYPE,
+                             (*seqnum), 0, &pkt_out, sizeof(pkt_out));
+-- 
+2.51.0
+
diff --git a/queue-6.12/asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch b/queue-6.12/asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch
new file mode 100644 (file)
index 0000000..7dd3a6d
--- /dev/null
@@ -0,0 +1,38 @@
+From bdc458556485ed02cf14672da5892d87f5b18ef0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Oct 2025 10:48:44 +0100
+Subject: ASoC: cs-amp-lib-test: Fix missing include of kunit/test-bug.h
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit ec20584f25233bfe292c8e18f9a429dfaff58a49 ]
+
+cs-amp-lib-test uses functions from kunit/test-bug.h but wasn't
+including it.
+
+This error was found by smatch.
+
+Fixes: 177862317a98 ("ASoC: cs-amp-lib: Add KUnit test for calibration helpers")
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Link: https://patch.msgid.link/20251016094844.92796-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs-amp-lib-test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/codecs/cs-amp-lib-test.c b/sound/soc/codecs/cs-amp-lib-test.c
+index a6e8348a1bd53..1bc43a4cfe09c 100644
+--- a/sound/soc/codecs/cs-amp-lib-test.c
++++ b/sound/soc/codecs/cs-amp-lib-test.c
+@@ -6,6 +6,7 @@
+ //                    Cirrus Logic International Semiconductor Ltd.
+ #include <kunit/test.h>
++#include <kunit/test-bug.h>
+ #include <kunit/static_stub.h>
+ #include <linux/firmware/cirrus/cs_dsp.h>
+ #include <linux/firmware/cirrus/wmfw.h>
+-- 
+2.51.0
+
diff --git a/queue-6.12/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch b/queue-6.12/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
new file mode 100644 (file)
index 0000000..9d7c41d
--- /dev/null
@@ -0,0 +1,46 @@
+From 6f39c36906a200a16c394ba7c50897586bd4d83b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 14:45:37 +0800
+Subject: ASoC: fsl_sai: fix bit order for DSD format
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit d9fbe5b0bf7e2d1e20d53e4e2274f9f61bdcca98 ]
+
+The DSD little endian format requires the msb first, because oldest bit
+is in msb.
+found this issue by testing with pipewire.
+
+Fixes: c111c2ddb3fd ("ASoC: fsl_sai: Add PDM daifmt support")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Link: https://patch.msgid.link/20251023064538.368850-2-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_sai.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
+index 57614c0b711ea..7e4338762f085 100644
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -321,7 +321,6 @@ static int fsl_sai_set_dai_fmt_tr(struct snd_soc_dai *cpu_dai,
+               break;
+       case SND_SOC_DAIFMT_PDM:
+               val_cr2 |= FSL_SAI_CR2_BCP;
+-              val_cr4 &= ~FSL_SAI_CR4_MF;
+               sai->is_pdm_mode = true;
+               break;
+       case SND_SOC_DAIFMT_RIGHT_J:
+@@ -606,7 +605,7 @@ static int fsl_sai_hw_params(struct snd_pcm_substream *substream,
+       val_cr5 |= FSL_SAI_CR5_WNW(slot_width);
+       val_cr5 |= FSL_SAI_CR5_W0W(slot_width);
+-      if (sai->is_lsb_first || sai->is_pdm_mode)
++      if (sai->is_lsb_first)
+               val_cr5 |= FSL_SAI_CR5_FBT(0);
+       else
+               val_cr5 |= FSL_SAI_CR5_FBT(word_width - 1);
+-- 
+2.51.0
+
diff --git a/queue-6.12/asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch b/queue-6.12/asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch
new file mode 100644 (file)
index 0000000..c2a7599
--- /dev/null
@@ -0,0 +1,61 @@
+From b3e5a1cba0f90d83f549efb01c33a39348e88581 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Oct 2025 15:57:15 +0200
+Subject: ASoC: fsl_sai: Fix sync error in consumer mode
+
+From: Maarten Zanders <maarten@zanders.be>
+
+[ Upstream commit b2dd1d0d322dce5f331961c927e775b84014d5ab ]
+
+When configured for default synchronisation (Rx syncs to Tx) and the
+SAI operates in consumer mode (clocks provided externally to Tx), a
+synchronisation error occurs on Tx on the first attempt after device
+initialisation when the playback stream is started while a capture
+stream is already active. This results in channel shift/swap on the
+playback stream.
+Subsequent streams (ie after that first failing one) always work
+correctly, no matter the order, with or without the other stream active.
+
+This issue was observed (and fix tested) on an i.MX6UL board connected
+to an ADAU1761 codec, where the codec provides both frame and bit clock
+(connected to TX pins).
+
+To fix this, always initialize the 'other' xCR4 and xCR5 registers when
+we're starting a stream which is synced to the opposite one, irregardless
+of the producer/consumer status.
+
+Fixes: 51659ca069ce ("ASoC: fsl-sai: set xCR4/xCR5/xMR for SAI master mode")
+
+Signed-off-by: Maarten Zanders <maarten@zanders.be>
+Reviewed-by: Shengjiu Wang <shengjiu.wang@gmail.com>
+Link: https://patch.msgid.link/20251024135716.584265-1-maarten@zanders.be
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_sai.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
+index 7e4338762f085..bc3bf1c55d3c1 100644
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -620,12 +620,12 @@ static int fsl_sai_hw_params(struct snd_pcm_substream *substream,
+               val_cr4 |= FSL_SAI_CR4_CHMOD;
+       /*
+-       * For SAI provider mode, when Tx(Rx) sync with Rx(Tx) clock, Rx(Tx) will
+-       * generate bclk and frame clock for Tx(Rx), we should set RCR4(TCR4),
+-       * RCR5(TCR5) for playback(capture), or there will be sync error.
++       * When Tx(Rx) sync with Rx(Tx) clock, Rx(Tx) will provide bclk and
++       * frame clock for Tx(Rx). We should set RCR4(TCR4), RCR5(TCR5)
++       * for playback(capture), or there will be sync error.
+        */
+-      if (!sai->is_consumer_mode[tx] && fsl_sai_dir_is_synced(sai, adir)) {
++      if (fsl_sai_dir_is_synced(sai, adir)) {
+               regmap_update_bits(sai->regmap, FSL_SAI_xCR4(!tx, ofs),
+                                  FSL_SAI_CR4_SYWD_MASK | FSL_SAI_CR4_FRSZ_MASK |
+                                  FSL_SAI_CR4_CHMOD_MASK,
+-- 
+2.51.0
+
diff --git a/queue-6.12/asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch b/queue-6.12/asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch
new file mode 100644 (file)
index 0000000..a83045e
--- /dev/null
@@ -0,0 +1,38 @@
+From 3f0cbc4a27345c8906340483f64d2a6507fcc47f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 11:23:47 +0200
+Subject: ASoC: Intel: avs: Disable periods-elapsed work when closing PCM
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit 845f716dc5f354c719f6fda35048b6c2eca99331 ]
+
+avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio
+stream while period-elapsed work services its IRQs. As the former
+frees the DAI's private context, these two operations shall be
+synchronized to avoid slab-use-after-free or worse errors.
+
+Fixes: 0dbb186c3510 ("ASoC: Intel: avs: Update stream status in a separate thread")
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://patch.msgid.link/20251023092348.3119313-3-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/pcm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/intel/avs/pcm.c b/sound/soc/intel/avs/pcm.c
+index 3041717632ed0..dee871910d211 100644
+--- a/sound/soc/intel/avs/pcm.c
++++ b/sound/soc/intel/avs/pcm.c
+@@ -551,6 +551,7 @@ static void avs_dai_fe_shutdown(struct snd_pcm_substream *substream, struct snd_
+       data = snd_soc_dai_get_dma_data(dai, substream);
++      disable_work_sync(&data->period_elapsed_work);
+       snd_hdac_ext_stream_release(data->host_stream, HDAC_EXT_STREAM_TYPE_HOST);
+       avs_dai_shutdown(substream, dai);
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.12/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch b/queue-6.12/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
new file mode 100644 (file)
index 0000000..f79d508
--- /dev/null
@@ -0,0 +1,40 @@
+From 1624cc38d8b31154280790535bc647b530937c8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 11:23:46 +0200
+Subject: ASoC: Intel: avs: Unprepare a stream when XRUN occurs
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit cfca1637bc2b6b1e4f191d2f0b25f12402fbbb26 ]
+
+The pcm->prepare() function may be called multiple times in a row by the
+userspace, as mentioned in the documentation. The driver shall take that
+into account and prevent redundancy. However, the exact same function is
+called during XRUNs and in such case, the particular stream shall be
+reset and setup anew.
+
+Fixes: 9114700b496c ("ASoC: Intel: avs: Generic PCM FE operations")
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://patch.msgid.link/20251023092348.3119313-2-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/pcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/intel/avs/pcm.c b/sound/soc/intel/avs/pcm.c
+index 15defce0f3eb8..3041717632ed0 100644
+--- a/sound/soc/intel/avs/pcm.c
++++ b/sound/soc/intel/avs/pcm.c
+@@ -653,6 +653,8 @@ static int avs_dai_fe_prepare(struct snd_pcm_substream *substream, struct snd_so
+       data = snd_soc_dai_get_dma_data(dai, substream);
+       host_stream = data->host_stream;
++      if (runtime->state == SNDRV_PCM_STATE_XRUN)
++              hdac_stream(host_stream)->prepared = false;
+       if (hdac_stream(host_stream)->prepared)
+               return 0;
+-- 
+2.51.0
+
diff --git a/queue-6.12/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch b/queue-6.12/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
new file mode 100644 (file)
index 0000000..f27c882
--- /dev/null
@@ -0,0 +1,61 @@
+From 6af98161d379b2e22bc5e5faf8254c59f5b79d51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Sep 2025 13:39:33 +0800
+Subject: Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during
+ reset
+
+From: Chris Lu <chris.lu@mediatek.com>
+
+[ Upstream commit 77343b8b4f87560f8f03e77b98a81ff3a147b262 ]
+
+This patch adds logic to handle power management control when the
+Bluetooth function is closed during the SDIO reset sequence.
+
+Specifically, if BT is closed before reset, the driver enables the
+SDIO function and sets driver pmctrl. After reset, if BT remains
+closed, the driver sets firmware pmctrl and disables the SDIO function.
+
+These changes ensure proper power management and device state consistency
+across the reset flow.
+
+Fixes: 8fafe702253d ("Bluetooth: mt7921s: support bluetooth reset mechanism")
+Signed-off-by: Chris Lu <chris.lu@mediatek.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btmtksdio.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c
+index 13dcc0077732b..206de38fc1c82 100644
+--- a/drivers/bluetooth/btmtksdio.c
++++ b/drivers/bluetooth/btmtksdio.c
+@@ -1270,6 +1270,12 @@ static void btmtksdio_cmd_timeout(struct hci_dev *hdev)
+       sdio_claim_host(bdev->func);
++      /* set drv_pmctrl if BT is closed before doing reset */
++      if (!test_bit(BTMTKSDIO_FUNC_ENABLED, &bdev->tx_state)) {
++              sdio_enable_func(bdev->func);
++              btmtksdio_drv_pmctrl(bdev);
++      }
++
+       sdio_writel(bdev->func, C_INT_EN_CLR, MTK_REG_CHLPCR, NULL);
+       skb_queue_purge(&bdev->txq);
+       cancel_work_sync(&bdev->txrx_work);
+@@ -1285,6 +1291,12 @@ static void btmtksdio_cmd_timeout(struct hci_dev *hdev)
+               goto err;
+       }
++      /* set fw_pmctrl back if BT is closed after doing reset */
++      if (!test_bit(BTMTKSDIO_FUNC_ENABLED, &bdev->tx_state)) {
++              btmtksdio_fw_pmctrl(bdev);
++              sdio_disable_func(bdev->func);
++      }
++
+       clear_bit(BTMTKSDIO_PATCH_ENABLED, &bdev->tx_state);
+ err:
+       sdio_release_host(bdev->func);
+-- 
+2.51.0
+
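Review bot: The return values of `sdio_enable_func()` and `btmtksdio_drv_pmctrl()` are ignored in the first added block, so if either fails the reset sequence goes on to write registers on a function that may not be enabled. A check such as `if (sdio_enable_func(bdev->func) || btmtksdio_drv_pmctrl(bdev)) goto err;` would stop there, with the failure path disabling the function again if it had been enabled. The restore block also sits after the `goto err` of the failed-reset path, so when the reset fails with BT closed the function appears to stay enabled and driver-owned; running the restore on the `err:` path too would keep the two halves symmetric. The lines between the two inner hunks and the start of btmtksdio_cmd_timeout() are outside the hunk, so this should be confirmed against the full function.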
diff --git a/queue-6.12/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch b/queue-6.12/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch
new file mode 100644 (file)
index 0000000..e0d7730
--- /dev/null
@@ -0,0 +1,78 @@
+From ecd77dafa8719a3d9c345c3435fb0ccefff7cc6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Oct 2025 10:55:58 -0400
+Subject: Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 0d92808024b4e9868cef68d16f121d509843e80e ]
+
+This fixes the state tracking of advertisement set/instance 0x00 which
+is considered a legacy instance and is not tracked individually by
+adv_instances list, previously it was assumed that hci_dev itself would
+track it via HCI_LE_ADV but that is a global state not specifc to
+instance 0x00, so to fix it a new flag is introduced that only tracks the
+state of instance 0x00.
+
+Fixes: 1488af7b8b5f ("Bluetooth: hci_sync: Fix hci_resume_advertising_sync")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci.h | 1 +
+ net/bluetooth/hci_event.c   | 4 ++++
+ net/bluetooth/hci_sync.c    | 5 ++---
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
+index 4b3200542fe66..999ac27050993 100644
+--- a/include/net/bluetooth/hci.h
++++ b/include/net/bluetooth/hci.h
+@@ -424,6 +424,7 @@ enum {
+       HCI_USER_CHANNEL,
+       HCI_EXT_CONFIGURED,
+       HCI_LE_ADV,
++      HCI_LE_ADV_0,
+       HCI_LE_PER_ADV,
+       HCI_LE_SCAN,
+       HCI_SSP_ENABLED,
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index debe9cc2f72d9..176565ef47c63 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -1600,6 +1600,8 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
+               if (adv && !adv->periodic)
+                       adv->enabled = true;
++              else if (!set->handle)
++                      hci_dev_set_flag(hdev, HCI_LE_ADV_0);
+               conn = hci_lookup_le_connect(hdev);
+               if (conn)
+@@ -1610,6 +1612,8 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
+               if (cp->num_of_sets) {
+                       if (adv)
+                               adv->enabled = false;
++                      else if (!set->handle)
++                              hci_dev_clear_flag(hdev, HCI_LE_ADV_0);
+                       /* If just one instance was disabled check if there are
+                        * any other instance enabled before clearing HCI_LE_ADV
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index c08e46ee70b24..06d8ab997bd85 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -2616,9 +2616,8 @@ static int hci_resume_advertising_sync(struct hci_dev *hdev)
+               /* If current advertising instance is set to instance 0x00
+                * then we need to re-enable it.
+                */
+-              if (!hdev->cur_adv_instance)
+-                      err = hci_enable_ext_advertising_sync(hdev,
+-                                                            hdev->cur_adv_instance);
++              if (hci_dev_test_and_clear_flag(hdev, HCI_LE_ADV_0))
++                      err = hci_enable_ext_advertising_sync(hdev, 0x00);
+       } else {
+               /* Schedule for most recent instance to be restarted and begin
+                * the software rotation loop
+-- 
+2.51.0
+
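Review bot: The new `HCI_LE_ADV_0` entry in the `hci.h` enum has no comment, so its meaning is only recoverable from the commit message. A short one would keep it from being confused with the global `HCI_LE_ADV`, for example `HCI_LE_ADV_0, /* legacy set/instance 0x00 is advertising; not tracked in adv_instances */`. In `hci_cc_le_set_ext_adv_enable()` the flag is cleared only inside `if (cp->num_of_sets)`, and the disable-all path is outside the hunk. It looks as if leaving the flag set there is what lets `hci_resume_advertising_sync()` re-enable instance 0x00 through `hci_dev_test_and_clear_flag()`, but that is not visible here and a comment saying so would help. All three functions continue outside their hunks.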
diff --git a/queue-6.12/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch b/queue-6.12/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch
new file mode 100644 (file)
index 0000000..31bd397
--- /dev/null
@@ -0,0 +1,88 @@
+From 60023a34467d1c07eb9ee5ad15a00491c709ed4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 16:03:19 -0400
+Subject: Bluetooth: hci_core: Fix tracking of periodic advertisement
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 751463ceefc3397566d03c8b64ef4a77f5fd88ac ]
+
+Periodic advertising enabled flag cannot be tracked by the enabled
+flag since advertising and periodic advertising each can be
+enabled/disabled separately from one another causing the states to be
+inconsistent when for example an advertising set is disabled its
+enabled flag is set to false which is then used for periodic which has
+not being disabled.
+
+Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 1 +
+ net/bluetooth/hci_event.c        | 7 +++++--
+ net/bluetooth/hci_sync.c         | 4 ++--
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index ca75c71b58588..35b5f58b562cb 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -240,6 +240,7 @@ struct adv_info {
+       bool    enabled;
+       bool    pending;
+       bool    periodic;
++      bool    periodic_enabled;
+       __u8    mesh;
+       __u8    instance;
+       __u8    handle;
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 176565ef47c63..ccc73742de356 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -1598,7 +1598,7 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
+               hci_dev_set_flag(hdev, HCI_LE_ADV);
+-              if (adv && !adv->periodic)
++              if (adv)
+                       adv->enabled = true;
+               else if (!set->handle)
+                       hci_dev_set_flag(hdev, HCI_LE_ADV_0);
+@@ -3955,8 +3955,11 @@ static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
+               hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
+               if (adv)
+-                      adv->enabled = true;
++                      adv->periodic_enabled = true;
+       } else {
++              if (adv)
++                      adv->periodic_enabled = false;
++
+               /* If just one instance was disabled check if there are
+                * any other instance enabled before clearing HCI_LE_PER_ADV.
+                * The current periodic adv instance will be marked as
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 06d8ab997bd85..f79b38603205c 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -1605,7 +1605,7 @@ int hci_disable_per_advertising_sync(struct hci_dev *hdev, u8 instance)
+       /* If periodic advertising already disabled there is nothing to do. */
+       adv = hci_find_adv_instance(hdev, instance);
+-      if (!adv || !adv->periodic || !adv->enabled)
++      if (!adv || !adv->periodic_enabled)
+               return 0;
+       memset(&cp, 0, sizeof(cp));
+@@ -1670,7 +1670,7 @@ static int hci_enable_per_advertising_sync(struct hci_dev *hdev, u8 instance)
+       /* If periodic advertising already enabled there is nothing to do. */
+       adv = hci_find_adv_instance(hdev, instance);
+-      if (adv && adv->periodic && adv->enabled)
++      if (adv && adv->periodic_enabled)
+               return 0;
+       memset(&cp, 0, sizeof(cp));
+-- 
+2.51.0
+
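Review bot: In the `hci_cc_le_set_per_adv_enable()` hunk, the context comment kept below the new `adv->periodic_enabled = false;` still says the current periodic instance "will be marked as" something later, which no longer matches code that marks it disabled on the spot. The loop that comment introduces is outside the hunk. If it still tests `adv->periodic && adv->enabled`, it would presumably want `adv->periodic_enabled` to agree with the checks changed in `hci_sync.c`. The new field in `struct adv_info` would also benefit from a one-line comment, e.g. `/* periodic advertising enabled, tracked separately from 'enabled' */`.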
diff --git a/queue-6.12/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch b/queue-6.12/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch
new file mode 100644 (file)
index 0000000..e398b9d
--- /dev/null
@@ -0,0 +1,55 @@
+From 082a5a3557006ec1f2b37911a3e12b8f08c89170 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Sep 2025 05:30:17 +0000
+Subject: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
+
+From: Cen Zhang <zzzccc427@163.com>
+
+[ Upstream commit 09b0cd1297b4dbfe736aeaa0ceeab2265f47f772 ]
+
+hci_cmd_sync_dequeue_once() does lookup and then cancel
+the entry under two separate lock sections. Meanwhile,
+hci_cmd_sync_work() can also delete the same entry,
+leading to double list_del() and "UAF".
+
+Fix this by holding cmd_sync_work_lock across both
+lookup and cancel, so that the entry cannot be removed
+concurrently.
+
+Fixes: 505ea2b29592 ("Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue")
+Reported-by: Cen Zhang <zzzccc427@163.com>
+Signed-off-by: Cen Zhang <zzzccc427@163.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 853acfa8e9433..c08e46ee70b24 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -863,11 +863,17 @@ bool hci_cmd_sync_dequeue_once(struct hci_dev *hdev,
+ {
+       struct hci_cmd_sync_work_entry *entry;
+-      entry = hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
+-      if (!entry)
++      mutex_lock(&hdev->cmd_sync_work_lock);
++
++      entry = _hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
++      if (!entry) {
++              mutex_unlock(&hdev->cmd_sync_work_lock);
+               return false;
++      }
+-      hci_cmd_sync_cancel_entry(hdev, entry);
++      _hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
++
++      mutex_unlock(&hdev->cmd_sync_work_lock);
+       return true;
+ }
+-- 
+2.51.0
+
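Review bot: Nothing in `hci_cmd_sync_dequeue_once()` says why it now takes `cmd_sync_work_lock` itself and calls the underscore-prefixed helpers, so a later cleanup could fold it back into the self-locking wrappers and reintroduce the double `list_del()`. I would add above the `mutex_lock()` something like `/* Lookup and cancel in one critical section: hci_cmd_sync_work() may delete the entry between two separate lock sections */`. The two `mutex_unlock()` call sites could also be merged into a single exit with a `bool` result, which makes a missed unlock less likely if another early return is added. The `_hci_cmd_sync_*` helpers are defined outside the hunk, so whether they assert that the lock is held cannot be checked from here.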
diff --git a/queue-6.12/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch b/queue-6.12/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch
new file mode 100644 (file)
index 0000000..5957fe7
--- /dev/null
@@ -0,0 +1,42 @@
+From c4c1744d39b462c89176329831df7980de1cf725 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Oct 2025 13:29:15 -0400
+Subject: Bluetooth: ISO: Fix another instance of dst_type handling
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit c403da5e98b04a2aec9cfb25cbeeb28d7ce29975 ]
+
+Socket dst_type cannot be directly assigned to hci_conn->type since
+there domain is different which may lead to the wrong address type being
+used.
+
+Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/iso.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index c9a262f97678b..a48a2868a728b 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -1939,7 +1939,13 @@ static void iso_conn_ready(struct iso_conn *conn)
+               }
+               bacpy(&iso_pi(sk)->dst, &hcon->dst);
+-              iso_pi(sk)->dst_type = hcon->dst_type;
++
++              /* Convert from HCI to three-value type */
++              if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
++                      iso_pi(sk)->dst_type = BDADDR_LE_PUBLIC;
++              else
++                      iso_pi(sk)->dst_type = BDADDR_LE_RANDOM;
++
+               iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle;
+               memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len);
+               iso_pi(sk)->base_len = iso_pi(parent)->base_len;
+-- 
+2.51.0
+
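Review bot: The comment `/* Convert from HCI to three-value type */` in `iso_conn_ready()` does not match the branch below it, which only ever produces `BDADDR_LE_PUBLIC` or `BDADDR_LE_RANDOM` and sends every `hcon->dst_type` other than `ADDR_LE_DEV_PUBLIC` to the random case. If that catch-all is intended, the comment should say so, e.g. `/* Convert HCI address type to socket BDADDR_LE_*; anything but public is reported as random */`. Whether `hcon->dst_type` can hold other HCI address-type values at this point is not visible from the hunk; if it can, they would be reported to the socket as random, so this is worth confirming. The function body continues outside the hunk.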
diff --git a/queue-6.12/bluetooth-iso-fix-bis-connection-dst_type-handling.patch b/queue-6.12/bluetooth-iso-fix-bis-connection-dst_type-handling.patch
new file mode 100644 (file)
index 0000000..a71bfa8
--- /dev/null
@@ -0,0 +1,36 @@
+From 650b116a085bca7cecd829eea6e409b6328b565f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Sep 2025 11:48:50 -0400
+Subject: Bluetooth: ISO: Fix BIS connection dst_type handling
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit f0c200a4a537f8f374584a974518b0ce69eda76c ]
+
+Socket dst_type cannot be directly assigned to hci_conn->type since
+there domain is different which may lead to the wrong address type being
+used.
+
+Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/iso.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index f48a694b004ab..c9a262f97678b 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -1927,7 +1927,7 @@ static void iso_conn_ready(struct iso_conn *conn)
+                */
+               if (!bacmp(&hcon->dst, BDADDR_ANY)) {
+                       bacpy(&hcon->dst, &iso_pi(parent)->dst);
+-                      hcon->dst_type = iso_pi(parent)->dst_type;
++                      hcon->dst_type = le_addr_type(iso_pi(parent)->dst_type);
+               }
+               if (ev3) {
+-- 
+2.51.0
+
diff --git a/queue-6.12/bluetooth-iso-update-hci_conn_hash_lookup_big-for-br.patch b/queue-6.12/bluetooth-iso-update-hci_conn_hash_lookup_big-for-br.patch
new file mode 100644 (file)
index 0000000..86b577c
--- /dev/null
@@ -0,0 +1,75 @@
+From 175f7671195efaabe09e6dcd82a097db35ef1690 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2024 10:23:39 +0200
+Subject: Bluetooth: ISO: Update hci_conn_hash_lookup_big for Broadcast slave
+
+From: Iulia Tanasescu <iulia.tanasescu@nxp.com>
+
+[ Upstream commit 83d328a72eff3268ea4c19deb0a6cf4c7da15746 ]
+
+Currently, hci_conn_hash_lookup_big only checks for BIS master connections,
+by filtering out connections with the destination address set. This commit
+updates this function to also consider BIS slave connections, since it is
+also used for a Broadcast Receiver to set an available BIG handle before
+issuing the LE BIG Create Sync command.
+
+Signed-off-by: Iulia Tanasescu <iulia.tanasescu@nxp.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Stable-dep-of: f0c200a4a537 ("Bluetooth: ISO: Fix BIS connection dst_type handling")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 12 +++++++++++-
+ net/bluetooth/hci_event.c        |  1 +
+ net/bluetooth/iso.c              |  1 -
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 69a1d8b12beff..ca75c71b58588 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -1315,7 +1315,17 @@ static inline struct hci_conn *hci_conn_hash_lookup_big(struct hci_dev *hdev,
+       rcu_read_lock();
+       list_for_each_entry_rcu(c, &h->list, list) {
+-              if (bacmp(&c->dst, BDADDR_ANY) || c->type != ISO_LINK)
++              if (c->type != ISO_LINK)
++                      continue;
++
++              /* An ISO_LINK hcon with BDADDR_ANY as destination
++               * address is a Broadcast connection. A Broadcast
++               * slave connection is associated with a PA train,
++               * so the sync_handle can be used to differentiate
++               * from unicast.
++               */
++              if (bacmp(&c->dst, BDADDR_ANY) &&
++                  c->sync_handle == HCI_SYNC_HANDLE_INVALID)
+                       continue;
+               if (handle == c->iso_qos.bcast.big) {
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 1e537ed83ba4b..debe9cc2f72d9 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -6976,6 +6976,7 @@ static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
+                       /* Mark PA sync as established */
+                       set_bit(HCI_CONN_PA_SYNC, &bis->flags);
++              bis->sync_handle = conn->sync_handle;
+               bis->iso_qos.bcast.big = ev->handle;
+               memset(&interval, 0, sizeof(interval));
+               memcpy(&interval, ev->latency, sizeof(ev->latency));
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index 2cd0b963c96bd..f48a694b004ab 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -1928,7 +1928,6 @@ static void iso_conn_ready(struct iso_conn *conn)
+               if (!bacmp(&hcon->dst, BDADDR_ANY)) {
+                       bacpy(&hcon->dst, &iso_pi(parent)->dst);
+                       hcon->dst_type = iso_pi(parent)->dst_type;
+-                      hcon->sync_handle = iso_pi(parent)->sync_handle;
+               }
+               if (ev3) {
+-- 
+2.51.0
+
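Review bot: The new filter in `hci_conn_hash_lookup_big()` relies on every unicast ISO_LINK connection having `sync_handle == HCI_SYNC_HANDLE_INVALID`, and none of the hunks shows where that field is initialised in this tree, which is worth confirming for a backport. In `hci_le_big_sync_established_evt()` the added `bis->sync_handle = conn->sync_handle;` dereferences `conn` unconditionally, and the check that `conn` is valid at that point lies outside the hunk. The comment in the lookup could state the skip rule directly, e.g. `/* Skip unicast: destination set and no PA sync handle */`, since the current wording describes broadcast connections while the condition describes what is skipped.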
diff --git a/queue-6.12/bpf-do-not-audit-capability-check-in-do_jit.patch b/queue-6.12/bpf-do-not-audit-capability-check-in-do_jit.patch
new file mode 100644 (file)
index 0000000..a50af4f
--- /dev/null
@@ -0,0 +1,50 @@
+From 46c8df2e2779509435be4f825a3f1a086c41adc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 14:27:58 +0200
+Subject: bpf: Do not audit capability check in do_jit()
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+[ Upstream commit 881a9c9cb7856b24e390fad9f59acfd73b98b3b2 ]
+
+The failure of this check only results in a security mitigation being
+applied, slightly affecting performance of the compiled BPF program. It
+doesn't result in a failed syscall, an thus auditing a failed LSM
+permission check for it is unwanted. For example with SELinux, it causes
+a denial to be reported for confined processes running as root, which
+tends to be flagged as a problem to be fixed in the policy. Yet
+dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
+desirable, as it would allow/silence also other checks - either going
+against the principle of least privilege or making debugging potentially
+harder.
+
+Fix it by changing it from capable() to ns_capable_noaudit(), which
+instructs the LSMs to not audit the resulting denials.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326
+Fixes: d4e89d212d40 ("x86/bpf: Call branch history clearing sequence on exit")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-by: Paul Moore <paul@paul-moore.com>
+Link: https://lore.kernel.org/r/20251021122758.2659513-1-omosnace@redhat.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index 9a861ac77f8eb..8cbc26081bdb2 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -2453,7 +2453,7 @@ st:                      if (is_imm8(insn->off))
+                       /* Update cleanup_addr */
+                       ctx->cleanup_addr = proglen;
+                       if (bpf_prog_was_classic(bpf_prog) &&
+-                          !capable(CAP_SYS_ADMIN)) {
++                          !ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) {
+                               u8 *ip = image + addrs[i - 1];
+                               if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog))
+-- 
+2.51.0
+
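Review bot: The switch to `ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)` in `do_jit()` has no comment at the call site. This condition decides whether `emit_spectre_bhb_barrier()` is emitted for classic BPF programs, so a reader may later "simplify" it back to `capable()` and bring the audit noise back. I would add above the `if`: `/* noaudit: a denial here only means the BHB barrier is emitted, it does not fail the syscall */`. The enclosing function starts and ends outside the hunk.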
diff --git a/queue-6.12/bpf-find-eligible-subprogs-for-private-stack-support.patch b/queue-6.12/bpf-find-eligible-subprogs-for-private-stack-support.patch
new file mode 100644 (file)
index 0000000..892d088
--- /dev/null
@@ -0,0 +1,265 @@
+From 6c50a937e4047fee3fe1498ec93478e855c7e4a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Nov 2024 08:39:07 -0800
+Subject: bpf: Find eligible subprogs for private stack support
+
+From: Yonghong Song <yonghong.song@linux.dev>
+
+[ Upstream commit a76ab5731e32d50ff5b1ae97e9dc4b23f41c23f5 ]
+
+Private stack will be allocated with percpu allocator in jit time.
+To avoid complexity at runtime, only one copy of private stack is
+available per cpu per prog. So runtime recursion check is necessary
+to avoid stack corruption.
+
+Current private stack only supports kprobe/perf_event/tp/raw_tp
+which has recursion check in the kernel, and prog types that use
+bpf trampoline recursion check. For trampoline related prog types,
+currently only tracing progs have recursion checking.
+
+To avoid complexity, all async_cb subprogs use normal kernel stack
+including those subprogs used by both main prog subtree and async_cb
+subtree. Any prog having tail call also uses kernel stack.
+
+To avoid jit penalty with private stack support, a subprog stack
+size threshold is set such that only if the stack size is no less
+than the threshold, private stack is supported. The current threshold
+is 64 bytes. This avoids jit penality if the stack usage is small.
+
+A useless 'continue' is also removed from a loop in func
+check_max_stack_depth().
+
+Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
+Link: https://lore.kernel.org/r/20241112163907.2223839-1-yonghong.song@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: 881a9c9cb785 ("bpf: Do not audit capability check in do_jit()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf_verifier.h |  7 +++
+ include/linux/filter.h       |  1 +
+ kernel/bpf/core.c            |  5 ++
+ kernel/bpf/verifier.c        | 96 ++++++++++++++++++++++++++++++++----
+ 4 files changed, 99 insertions(+), 10 deletions(-)
+
+diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
+index fb33458f2fc77..1a9b69743cb15 100644
+--- a/include/linux/bpf_verifier.h
++++ b/include/linux/bpf_verifier.h
+@@ -654,6 +654,12 @@ struct bpf_subprog_arg_info {
+       };
+ };
++enum priv_stack_mode {
++      PRIV_STACK_UNKNOWN,
++      NO_PRIV_STACK,
++      PRIV_STACK_ADAPTIVE,
++};
++
+ struct bpf_subprog_info {
+       /* 'start' has to be the first field otherwise find_subprog() won't work */
+       u32 start; /* insn idx of function entry point */
+@@ -675,6 +681,7 @@ struct bpf_subprog_info {
+       bool keep_fastcall_stack: 1;
+       bool changes_pkt_data: 1;
++      enum priv_stack_mode priv_stack_mode;
+       u8 arg_cnt;
+       struct bpf_subprog_arg_info args[MAX_BPF_FUNC_REG_ARGS];
+ };
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index 5118caf8aa1c7..0477254bc2d30 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -1119,6 +1119,7 @@ bool bpf_jit_supports_exceptions(void);
+ bool bpf_jit_supports_ptr_xchg(void);
+ bool bpf_jit_supports_arena(void);
+ bool bpf_jit_supports_insn(struct bpf_insn *insn, bool in_arena);
++bool bpf_jit_supports_private_stack(void);
+ u64 bpf_arch_uaddress_limit(void);
+ void arch_bpf_stack_walk(bool (*consume_fn)(void *cookie, u64 ip, u64 sp, u64 bp), void *cookie);
+ bool bpf_helper_changes_pkt_data(enum bpf_func_id func_id);
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 08bdb623f4f91..76dfa9ab43a5d 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -3094,6 +3094,11 @@ bool __weak bpf_jit_supports_exceptions(void)
+       return false;
+ }
++bool __weak bpf_jit_supports_private_stack(void)
++{
++      return false;
++}
++
+ void __weak arch_bpf_stack_walk(bool (*consume_fn)(void *cookie, u64 ip, u64 sp, u64 bp), void *cookie)
+ {
+ }
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 96640a80fd9c4..709151d33e5e4 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -194,6 +194,8 @@ struct bpf_verifier_stack_elem {
+ #define BPF_GLOBAL_PERCPU_MA_MAX_SIZE  512
++#define BPF_PRIV_STACK_MIN_SIZE               64
++
+ static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx);
+ static int release_reference(struct bpf_verifier_env *env, int ref_obj_id);
+ static void invalidate_non_owning_refs(struct bpf_verifier_env *env);
+@@ -6027,6 +6029,34 @@ static int check_ptr_alignment(struct bpf_verifier_env *env,
+                                          strict);
+ }
++static enum priv_stack_mode bpf_enable_priv_stack(struct bpf_prog *prog)
++{
++      if (!bpf_jit_supports_private_stack())
++              return NO_PRIV_STACK;
++
++      /* bpf_prog_check_recur() checks all prog types that use bpf trampoline
++       * while kprobe/tp/perf_event/raw_tp don't use trampoline hence checked
++       * explicitly.
++       */
++      switch (prog->type) {
++      case BPF_PROG_TYPE_KPROBE:
++      case BPF_PROG_TYPE_TRACEPOINT:
++      case BPF_PROG_TYPE_PERF_EVENT:
++      case BPF_PROG_TYPE_RAW_TRACEPOINT:
++              return PRIV_STACK_ADAPTIVE;
++      case BPF_PROG_TYPE_TRACING:
++      case BPF_PROG_TYPE_LSM:
++      case BPF_PROG_TYPE_STRUCT_OPS:
++              if (bpf_prog_check_recur(prog))
++                      return PRIV_STACK_ADAPTIVE;
++              fallthrough;
++      default:
++              break;
++      }
++
++      return NO_PRIV_STACK;
++}
++
+ static int round_up_stack_depth(struct bpf_verifier_env *env, int stack_depth)
+ {
+       if (env->prog->jit_requested)
+@@ -6044,17 +6074,20 @@ static int round_up_stack_depth(struct bpf_verifier_env *env, int stack_depth)
+  * Since recursion is prevented by check_cfg() this algorithm
+  * only needs a local stack of MAX_CALL_FRAMES to remember callsites
+  */
+-static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx)
++static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx,
++                                       bool priv_stack_supported)
+ {
+       struct bpf_subprog_info *subprog = env->subprog_info;
+       struct bpf_insn *insn = env->prog->insnsi;
+-      int depth = 0, frame = 0, i, subprog_end;
++      int depth = 0, frame = 0, i, subprog_end, subprog_depth;
+       bool tail_call_reachable = false;
+       int ret_insn[MAX_CALL_FRAMES];
+       int ret_prog[MAX_CALL_FRAMES];
+       int j;
+       i = subprog[idx].start;
++      if (!priv_stack_supported)
++              subprog[idx].priv_stack_mode = NO_PRIV_STACK;
+ process_func:
+       /* protect against potential stack overflow that might happen when
+        * bpf2bpf calls get combined with tailcalls. Limit the caller's stack
+@@ -6081,11 +6114,31 @@ static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx)
+                       depth);
+               return -EACCES;
+       }
+-      depth += round_up_stack_depth(env, subprog[idx].stack_depth);
+-      if (depth > MAX_BPF_STACK) {
+-              verbose(env, "combined stack size of %d calls is %d. Too large\n",
+-                      frame + 1, depth);
+-              return -EACCES;
++
++      subprog_depth = round_up_stack_depth(env, subprog[idx].stack_depth);
++      if (priv_stack_supported) {
++              /* Request private stack support only if the subprog stack
++               * depth is no less than BPF_PRIV_STACK_MIN_SIZE. This is to
++               * avoid jit penalty if the stack usage is small.
++               */
++              if (subprog[idx].priv_stack_mode == PRIV_STACK_UNKNOWN &&
++                  subprog_depth >= BPF_PRIV_STACK_MIN_SIZE)
++                      subprog[idx].priv_stack_mode = PRIV_STACK_ADAPTIVE;
++      }
++
++      if (subprog[idx].priv_stack_mode == PRIV_STACK_ADAPTIVE) {
++              if (subprog_depth > MAX_BPF_STACK) {
++                      verbose(env, "stack size of subprog %d is %d. Too large\n",
++                              idx, subprog_depth);
++                      return -EACCES;
++              }
++      } else {
++              depth += subprog_depth;
++              if (depth > MAX_BPF_STACK) {
++                      verbose(env, "combined stack size of %d calls is %d. Too large\n",
++                              frame + 1, depth);
++                      return -EACCES;
++              }
+       }
+ continue_func:
+       subprog_end = subprog[idx + 1].start;
+@@ -6142,6 +6195,8 @@ static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx)
+               }
+               i = next_insn;
+               idx = sidx;
++              if (!priv_stack_supported)
++                      subprog[idx].priv_stack_mode = NO_PRIV_STACK;
+               if (subprog[idx].has_tail_call)
+                       tail_call_reachable = true;
+@@ -6175,7 +6230,8 @@ static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx)
+        */
+       if (frame == 0)
+               return 0;
+-      depth -= round_up_stack_depth(env, subprog[idx].stack_depth);
++      if (subprog[idx].priv_stack_mode != PRIV_STACK_ADAPTIVE)
++              depth -= round_up_stack_depth(env, subprog[idx].stack_depth);
+       frame--;
+       i = ret_insn[frame];
+       idx = ret_prog[frame];
+@@ -6184,16 +6240,36 @@ static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx)
+ static int check_max_stack_depth(struct bpf_verifier_env *env)
+ {
++      enum priv_stack_mode priv_stack_mode = PRIV_STACK_UNKNOWN;
+       struct bpf_subprog_info *si = env->subprog_info;
++      bool priv_stack_supported;
+       int ret;
+       for (int i = 0; i < env->subprog_cnt; i++) {
++              if (si[i].has_tail_call) {
++                      priv_stack_mode = NO_PRIV_STACK;
++                      break;
++              }
++      }
++
++      if (priv_stack_mode == PRIV_STACK_UNKNOWN)
++              priv_stack_mode = bpf_enable_priv_stack(env->prog);
++
++      /* All async_cb subprogs use normal kernel stack. If a particular
++       * subprog appears in both main prog and async_cb subtree, that
++       * subprog will use normal kernel stack to avoid potential nesting.
++       * The reverse subprog traversal ensures when main prog subtree is
++       * checked, the subprogs appearing in async_cb subtrees are already
++       * marked as using normal kernel stack, so stack size checking can
++       * be done properly.
++       */
++      for (int i = env->subprog_cnt - 1; i >= 0; i--) {
+               if (!i || si[i].is_async_cb) {
+-                      ret = check_max_stack_depth_subprog(env, i);
++                      priv_stack_supported = !i && priv_stack_mode == PRIV_STACK_ADAPTIVE;
++                      ret = check_max_stack_depth_subprog(env, i, priv_stack_supported);
+                       if (ret < 0)
+                               return ret;
+               }
+-              continue;
+       }
+       return 0;
+ }
+-- 
+2.51.0
+
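Review bot: In `check_max_stack_depth_subprog()` a subprog in `PRIV_STACK_ADAPTIVE` mode is checked against `MAX_BPF_STACK` only on its own and is no longer added to the combined `depth`, so the kernel-stack bound now depends on the JIT really placing that frame on a private stack. In this patch the only definition of `bpf_jit_supports_private_stack()` is the `__weak` one returning false, which keeps the relaxed path unreachable unless an arch override is queued as well; whether one is cannot be seen from here. A comment on the weak stub would make the contract explicit, e.g. `/* An arch may return true only if its JIT allocates and switches to a per-cpu private stack */`. `enum priv_stack_mode` in `bpf_verifier.h` would also benefit from a one-line comment per value.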
diff --git a/queue-6.12/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch b/queue-6.12/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
new file mode 100644 (file)
index 0000000..cdf76e1
--- /dev/null
@@ -0,0 +1,46 @@
+From af55b76a4ae6be368e72345dab752bf765c7da5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 23:33:01 +0530
+Subject: bpf: Sync pending IRQ work before freeing ring buffer
+
+From: Noorain Eqbal <nooraineqbal@gmail.com>
+
+[ Upstream commit 4e9077638301816a7d73fa1e1b4c1db4a7e3b59c ]
+
+Fix a race where irq_work can be queued in bpf_ringbuf_commit()
+but the ring buffer is freed before the work executes.
+In the syzbot reproducer, a BPF program attached to sched_switch
+triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer
+is freed before this work executes, the irq_work thread may accesses
+freed memory.
+Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work
+complete before freeing the buffer.
+
+Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
+Reported-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2617fc732430968b45d2
+Tested-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Signed-off-by: Noorain Eqbal <nooraineqbal@gmail.com>
+Link: https://lore.kernel.org/r/20251020180301.103366-1-nooraineqbal@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/ringbuf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c
+index 1499d8caa9a35..1f2c504809023 100644
+--- a/kernel/bpf/ringbuf.c
++++ b/kernel/bpf/ringbuf.c
+@@ -215,6 +215,8 @@ static struct bpf_map *ringbuf_map_alloc(union bpf_attr *attr)
+ static void bpf_ringbuf_free(struct bpf_ringbuf *rb)
+ {
++      irq_work_sync(&rb->work);
++
+       /* copy pages pointer and nr_pages to local variable, as we are going
+        * to unmap rb itself with vunmap() below
+        */
+-- 
+2.51.0
+
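Review bot: `irq_work_sync(&rb->work)` at the top of `bpf_ringbuf_free()` has no comment, although its position before the unmap is the whole fix. I suggest `/* Wait for irq_work queued by bpf_ringbuf_commit() so it cannot run after rb is unmapped */`. The sync only drains work that is already queued, so it relies on no producer being able to call `bpf_ringbuf_commit()` on this buffer once the free has started. That guarantee lies outside the hunk and is worth confirming. The function body continues outside the hunk.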
diff --git a/queue-6.12/bpf-x86-avoid-repeated-usage-of-bpf_prog-aux-stack_d.patch b/queue-6.12/bpf-x86-avoid-repeated-usage-of-bpf_prog-aux-stack_d.patch
new file mode 100644 (file)
index 0000000..bd099d0
--- /dev/null
@@ -0,0 +1,73 @@
+From 73c3baa62051650ebfbba3e50e98d71c45e4e54e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Nov 2024 08:39:17 -0800
+Subject: bpf, x86: Avoid repeated usage of bpf_prog->aux->stack_depth
+
+From: Yonghong Song <yonghong.song@linux.dev>
+
+[ Upstream commit f4b21ed0b9d6c9fe155451a1fb3531fb44b0afa8 ]
+
+Refactor the code to avoid repeated usage of bpf_prog->aux->stack_depth
+in do_jit() func. If the private stack is used, the stack_depth will be
+0 for that prog. Refactoring make it easy to adjust stack_depth.
+
+Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
+Link: https://lore.kernel.org/r/20241112163917.2224189-1-yonghong.song@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: 881a9c9cb785 ("bpf: Do not audit capability check in do_jit()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/net/bpf_jit_comp.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index ccb2f7703c33c..9a861ac77f8eb 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -1472,14 +1472,17 @@ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image, u8 *rw_image
+       int i, excnt = 0;
+       int ilen, proglen = 0;
+       u8 *prog = temp;
++      u32 stack_depth;
+       int err;
++      stack_depth = bpf_prog->aux->stack_depth;
++
+       arena_vm_start = bpf_arena_get_kern_vm_start(bpf_prog->aux->arena);
+       user_vm_start = bpf_arena_get_user_vm_start(bpf_prog->aux->arena);
+       detect_reg_usage(insn, insn_cnt, callee_regs_used);
+-      emit_prologue(&prog, bpf_prog->aux->stack_depth,
++      emit_prologue(&prog, stack_depth,
+                     bpf_prog_was_classic(bpf_prog), tail_call_reachable,
+                     bpf_is_subprog(bpf_prog), bpf_prog->aux->exception_cb);
+       /* Exception callback will clobber callee regs for its own use, and
+@@ -2175,7 +2178,7 @@ st:                      if (is_imm8(insn->off))
+                       func = (u8 *) __bpf_call_base + imm32;
+                       if (tail_call_reachable) {
+-                              LOAD_TAIL_CALL_CNT_PTR(bpf_prog->aux->stack_depth);
++                              LOAD_TAIL_CALL_CNT_PTR(stack_depth);
+                               ip += 7;
+                       }
+                       if (!imm32)
+@@ -2192,13 +2195,13 @@ st:                    if (is_imm8(insn->off))
+                                                         &bpf_prog->aux->poke_tab[imm32 - 1],
+                                                         &prog, image + addrs[i - 1],
+                                                         callee_regs_used,
+-                                                        bpf_prog->aux->stack_depth,
++                                                        stack_depth,
+                                                         ctx);
+                       else
+                               emit_bpf_tail_call_indirect(bpf_prog,
+                                                           &prog,
+                                                           callee_regs_used,
+-                                                          bpf_prog->aux->stack_depth,
++                                                          stack_depth,
+                                                           image + addrs[i - 1],
+                                                           ctx);
+                       break;
+-- 
+2.51.0
+
diff --git a/queue-6.12/crypto-aspeed-fix-double-free-caused-by-devm.patch b/queue-6.12/crypto-aspeed-fix-double-free-caused-by-devm.patch
new file mode 100644 (file)
index 0000000..bf521c3
--- /dev/null
@@ -0,0 +1,48 @@
+From 31049422317c24982494158324e3cb0788501b8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 18:11:09 +0800
+Subject: crypto: aspeed - fix double free caused by devm
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit 3c9bf72cc1ced1297b235f9422d62b613a3fdae9 ]
+
+The clock obtained via devm_clk_get_enabled() is automatically managed
+by devres and will be disabled and freed on driver detach. Manually
+calling clk_disable_unprepare() in error path and remove function
+causes double free.
+
+Remove the manual clock cleanup in both aspeed_acry_probe()'s error
+path and aspeed_acry_remove().
+
+Fixes: 2f1cf4e50c95 ("crypto: aspeed - Add ACRY RSA driver")
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/aspeed/aspeed-acry.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/crypto/aspeed/aspeed-acry.c b/drivers/crypto/aspeed/aspeed-acry.c
+index b4613bd4ad964..8ca0913d94abf 100644
+--- a/drivers/crypto/aspeed/aspeed-acry.c
++++ b/drivers/crypto/aspeed/aspeed-acry.c
+@@ -789,7 +789,6 @@ static int aspeed_acry_probe(struct platform_device *pdev)
+ err_engine_rsa_start:
+       crypto_engine_exit(acry_dev->crypt_engine_rsa);
+ clk_exit:
+-      clk_disable_unprepare(acry_dev->clk);
+       return rc;
+ }
+@@ -801,7 +800,6 @@ static void aspeed_acry_remove(struct platform_device *pdev)
+       aspeed_acry_unregister(acry_dev);
+       crypto_engine_exit(acry_dev->crypt_engine_rsa);
+       tasklet_kill(&acry_dev->done_task);
+-      clk_disable_unprepare(acry_dev->clk);
+ }
+ MODULE_DEVICE_TABLE(of, aspeed_acry_of_matches);
+-- 
+2.51.0
+
diff --git a/queue-6.12/dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch b/queue-6.12/dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch
new file mode 100644 (file)
index 0000000..2812808
--- /dev/null
@@ -0,0 +1,46 @@
+From f7b8adc8a1d569e0c0b6c6cbd55c0094a48922d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Oct 2025 20:55:12 +0200
+Subject: dpll: spec: add missing module-name and clock-id to pin-get reply
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit 520ad9e96937e825a117e9f00dd35a3e199d67b5 ]
+
+The dpll.yaml spec incorrectly omitted module-name and clock-id from the
+pin-get operation reply specification, even though the kernel DPLL
+implementation has always included these attributes in pin-get responses
+since the initial implementation.
+
+This spec inconsistency caused issues with the C YNL code generator.
+The generated dpll_pin_get_rsp structure was missing these fields.
+
+Fix the spec by adding module-name and clock-id to the pin-attrs reply
+specification to match the actual kernel behavior.
+
+Fixes: 3badff3a25d8 ("dpll: spec: Add Netlink spec in YAML")
+Signed-off-by: Petr Oros <poros@redhat.com>
+Reviewed-by: Ivan Vecera <ivecera@redhat.com>
+Link: https://patch.msgid.link/20251024185512.363376-1-poros@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/netlink/specs/dpll.yaml | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Documentation/netlink/specs/dpll.yaml b/Documentation/netlink/specs/dpll.yaml
+index f2894ca35de84..860350e61edb5 100644
+--- a/Documentation/netlink/specs/dpll.yaml
++++ b/Documentation/netlink/specs/dpll.yaml
+@@ -517,6 +517,8 @@ operations:
+         reply: &pin-attrs
+           attributes:
+             - id
++            - module-name
++            - clock-id
+             - board-label
+             - panel-label
+             - package-label
+-- 
+2.51.0
+
diff --git a/queue-6.12/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch b/queue-6.12/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
new file mode 100644 (file)
index 0000000..82f00ed
--- /dev/null
@@ -0,0 +1,41 @@
+From 761508840499034900f32beded5d32b2c8b0aa55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 14:12:21 +0800
+Subject: drm/amd/pm: fix smu table id bound check issue in
+ smu_cmn_update_table()
+
+From: Yang Wang <kevinyang.wang@amd.com>
+
+[ Upstream commit 238d468d3ed18a324bb9d8c99f18c665dbac0511 ]
+
+'table_index' is a variable defined by the smu driver (kmd)
+'table_id' is a variable defined by the hw smu (pmfw)
+
+This code should use table_index as a bounds check.
+
+Fixes: caad2613dc4bd ("drm/amd/powerplay: move table setting common code to smu_cmn.c")
+Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit fca0c66b22303de0d1d6313059baf4dc960a4753)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+index 0ce1766c859f5..d2f11d82312f0 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+@@ -955,7 +955,7 @@ int smu_cmn_update_table(struct smu_context *smu,
+                                                     table_index);
+       uint32_t table_size;
+       int ret = 0;
+-      if (!table_data || table_id >= SMU_TABLE_COUNT || table_id < 0)
++      if (!table_data || table_index >= SMU_TABLE_COUNT || table_id < 0)
+               return -EINVAL;
+       table_size = smu_table->tables[table_index].size;
+-- 
+2.51.0
+
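Review bot: The corrected condition in `smu_cmn_update_table()` still gives no hint of why it tests two different variables, which is the confusion this commit fixes. `table_index` is the value used for `smu_table->tables[table_index].size` two lines below, so it is the one that must be bounded by `SMU_TABLE_COUNT`. `table_id` is the firmware-side id and, judging by the `< 0` test, presumably carries an error from the mapping call whose tail is visible at the top of the hunk. I would add a comment above the check such as `/* table_index is the driver (kmd) index into tables[]; table_id is the pmfw id */`. Whether `table_index` also needs a lower-bound test depends on its type, which is declared outside the hunk.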
diff --git a/queue-6.12/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch b/queue-6.12/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
new file mode 100644 (file)
index 0000000..6b8823a
--- /dev/null
@@ -0,0 +1,39 @@
+From 8231b560f66dab8bcb3cb3a0e4a45f5e45de80e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:08:13 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji
+
+From: John Smith <itistotalbotnet@gmail.com>
+
+[ Upstream commit 07a13f913c291d6ec72ee4fc848d13ecfdc0e705 ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18edef19ea44 ("drm/amd/powerplay: implement fw image related smu interface for Fiji.")
+Signed-off-by: John Smith <itistotalbotnet@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit c52238c9fb414555c68340cd80e487d982c1921c)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+index 5e43ad2b29564..e7e497b166b3e 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+@@ -2024,7 +2024,7 @@ static int fiji_init_smc_table(struct pp_hwmgr *hwmgr)
+       table->VoltageResponseTime = 0;
+       table->PhaseResponseTime = 0;
+       table->MemoryThermThrottleEnable = 1;
+-      table->PCIeBootLinkLevel = 0;      /* 0:Gen1 1:Gen2 2:Gen3*/
++      table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+       table->PCIeGenInterval = 1;
+       table->VRConfig = 0;
+-- 
+2.51.0
+
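Review bot: The new assignment to `table->PCIeBootLinkLevel` drops the `/* 0:Gen1 1:Gen2 2:Gen3*/` comment that documented the field's encoding, and the `(uint8_t)` cast hides any truncation of `pcie_speed_table.count`. The commit message calls the new value the maximum from the speed table, but whether `count` is the last valid level or one past it is not visible here, so the line should say which. I would keep a comment, for example `/* highest entry of pcie_speed_table; encoding 0:Gen1 1:Gen2 2:Gen3 */`, once that is confirmed. The same applies to the identical assignment in `iceland_init_smc_table()` in the next patch. `fiji_init_smc_table()` continues outside the hunk.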
diff --git a/queue-6.12/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-18241 b/queue-6.12/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-18241
new file mode 100644 (file)
index 0000000..c0da106
--- /dev/null
@@ -0,0 +1,39 @@
+From 91c1cf92e6a63d61748947ab3644a016160b9ba7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:09:09 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland
+
+From: John Smith <itistotalbotnet@gmail.com>
+
+[ Upstream commit 501672e3c1576aa9a8364144213c77b98a31a42c ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18aafc59b106 ("drm/amd/powerplay: implement fw related smu interface for iceland.")
+Signed-off-by: John Smith <itistotalbotnet@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 92b0a6ae6672857ddeabf892223943d2f0e06c97)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+index 17d2f5bff4a7e..49c32183878de 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+@@ -2028,7 +2028,7 @@ static int iceland_init_smc_table(struct pp_hwmgr *hwmgr)
+       table->VoltageResponseTime  = 0;
+       table->PhaseResponseTime  = 0;
+       table->MemoryThermThrottleEnable  = 1;
+-      table->PCIeBootLinkLevel = 0;
++      table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+       table->PCIeGenInterval = 1;
+       result = iceland_populate_smc_svi2_config(hwmgr, table);
+-- 
+2.51.0
+
diff --git a/queue-6.12/drm-etnaviv-fix-flush-sequence-logic.patch b/queue-6.12/drm-etnaviv-fix-flush-sequence-logic.patch
new file mode 100644 (file)
index 0000000..012e38c
--- /dev/null
@@ -0,0 +1,46 @@
+From 629d998484cbe6eb3d45cb8e90b1b826ca099a17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:37:23 +0200
+Subject: drm/etnaviv: fix flush sequence logic
+
+From: Tomeu Vizoso <tomeu@tomeuvizoso.net>
+
+[ Upstream commit a042beac6e6f8ac1e923784cfff98b47cbabb185 ]
+
+The current logic uses the flush sequence from the current address
+space. This is harmless when deducing the flush requirements for the
+current submit, as either the incoming address space is the same one
+as the currently active one or we switch context, in which case the
+flush is unconditional.
+
+However, this sequence is also stored as the current flush sequence
+of the GPU. If we switch context the stored flush sequence will no
+longer belong to the currently active address space. This incoherency
+can then cause missed flushes, resulting in translation errors.
+
+Fixes: 27b67278e007 ("drm/etnaviv: rework MMU handling")
+Signed-off-by: Tomeu Vizoso <tomeu@tomeuvizoso.net>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Christian Gmeiner <cgmeiner@igalia.com>
+Link: https://lore.kernel.org/r/20251021093723.3887980-1-l.stach@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+index b13a17276d07c..88385dc3b30d8 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+@@ -347,7 +347,7 @@ void etnaviv_buffer_queue(struct etnaviv_gpu *gpu, u32 exec_state,
+       u32 link_target, link_dwords;
+       bool switch_context = gpu->exec_state != exec_state;
+       bool switch_mmu_context = gpu->mmu_context != mmu_context;
+-      unsigned int new_flush_seq = READ_ONCE(gpu->mmu_context->flush_seq);
++      unsigned int new_flush_seq = READ_ONCE(mmu_context->flush_seq);
+       bool need_flush = switch_mmu_context || gpu->flush_seq != new_flush_seq;
+       bool has_blt = !!(gpu->identity.minor_features5 &
+                         chipMinorFeatures5_BLT_ENGINE);
+-- 
+2.51.0
+
diff --git a/queue-6.12/drm-msm-a6xx-fix-gmu-firmware-parser.patch b/queue-6.12/drm-msm-a6xx-fix-gmu-firmware-parser.patch
new file mode 100644 (file)
index 0000000..6a9cb8d
--- /dev/null
@@ -0,0 +1,51 @@
+From 2d71cb003a20652218298638d705579ce45943da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Sep 2025 02:14:05 +0530
+Subject: drm/msm/a6xx: Fix GMU firmware parser
+
+From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+
+[ Upstream commit b4789aac9d3441d9f830f0a4022d8dc122d6cab3 ]
+
+Current parser logic for GMU firmware assumes a dword aligned payload
+size for every block. This is not true for all GMU firmwares. So, fix
+this by using correct 'size' value in the calculation for the offset
+for the next block's header.
+
+Fixes: c6ed04f856a4 ("drm/msm/a6xx: A640/A650 GMU firmware path")
+Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+Acked-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/674040/
+Message-ID: <20250911-assorted-sept-1-v2-2-a8bf1ee20792@oss.qualcomm.com>
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+index 8609fa38058ea..bfb1225a47c50 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+@@ -730,6 +730,9 @@ static bool fw_block_mem(struct a6xx_gmu_bo *bo, const struct block_header *blk)
+       return true;
+ }
++#define NEXT_BLK(blk) \
++      ((const struct block_header *)((const char *)(blk) + sizeof(*(blk)) + (blk)->size))
++
+ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+ {
+       struct a6xx_gpu *a6xx_gpu = container_of(gmu, struct a6xx_gpu, gmu);
+@@ -760,7 +763,7 @@ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+       for (blk = (const struct block_header *) fw_image->data;
+            (const u8*) blk < fw_image->data + fw_image->size;
+-           blk = (const struct block_header *) &blk->data[blk->size >> 2]) {
++           blk = NEXT_BLK(blk)) {
+               if (blk->size == 0)
+                       continue;
+-- 
+2.51.0
+
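Review bot: `NEXT_BLK()` advances by a byte-granular `blk->size` taken from the firmware image, but the loop in `a6xx_gmu_fw_load()` still only checks that `blk` starts before `fw_image->data + fw_image->size`. A header that begins in the last few bytes of the image, or a `size` that runs past the end, is read before anything rejects it, at least in the visible lines; the loop body continues outside the hunk. I would compute the remaining length at the top of the loop, `size_t left = fw_image->data + fw_image->size - (const u8 *)blk;`, and bail out through the function's error path with `if (left < sizeof(*blk) || blk->size > left - sizeof(*blk)) return -EINVAL;`. A size that is not a multiple of four now also leaves the next header unaligned, so it is worth confirming that reading `blk->size` directly is acceptable on every supported target. The macro evaluates `blk` three times; a `static inline` helper would avoid that.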
diff --git a/queue-6.12/drm-radeon-do-not-kfree-devres-managed-rdev.patch b/queue-6.12/drm-radeon-do-not-kfree-devres-managed-rdev.patch
new file mode 100644 (file)
index 0000000..f51cd35
--- /dev/null
@@ -0,0 +1,40 @@
+From ede77b0bbb1721a1ede08662c7ce9ff1f2a01cff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 14:44:50 +0900
+Subject: drm/radeon: Do not kfree() devres managed rdev
+
+From: Daniel Palmer <daniel@0x0f.com>
+
+[ Upstream commit 3328443363a0895fd9c096edfe8ecd372ca9145e ]
+
+Since the allocation of the drivers main structure was changed to
+devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling
+kfree() on it.
+
+This fixes things exploding if the driver probe fails and devres cleans up
+the rdev after we already free'd it.
+
+Fixes: a9ed2f052c5c ("drm/radeon: change drm_dev_alloc to devm_drm_dev_alloc")
+Signed-off-by: Daniel Palmer <daniel@0x0f.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_kms.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
+index 645e33bf7947e..ba1446acd7032 100644
+--- a/drivers/gpu/drm/radeon/radeon_kms.c
++++ b/drivers/gpu/drm/radeon/radeon_kms.c
+@@ -84,7 +84,6 @@ void radeon_driver_unload_kms(struct drm_device *dev)
+       rdev->agp = NULL;
+ done_free:
+-      kfree(rdev);
+       dev->dev_private = NULL;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.12/drm-radeon-remove-calls-to-drm_put_dev.patch b/queue-6.12/drm-radeon-remove-calls-to-drm_put_dev.patch
new file mode 100644 (file)
index 0000000..075480b
--- /dev/null
@@ -0,0 +1,98 @@
+From 459cf349eacd109ca0f0d389bb511440717b397f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 14:44:51 +0900
+Subject: drm/radeon: Remove calls to drm_put_dev()
+
+From: Daniel Palmer <daniel@0x0f.com>
+
+[ Upstream commit 745bae76acdd71709773c129a69deca01036250b ]
+
+Since the allocation of the drivers main structure was changed to
+devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd
+should be done by devres.
+
+However, drm_put_dev() is still in the probe error and device remove
+paths. When the driver fails to probe warnings like the following are
+shown because devres is trying to drm_put_dev() after the driver
+already did it.
+
+[    5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22
+[    5.649605] ------------[ cut here ]------------
+[    5.649607] refcount_t: underflow; use-after-free.
+[    5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110
+
+Fixes: a9ed2f052c5c ("drm/radeon: change drm_dev_alloc to devm_drm_dev_alloc")
+Signed-off-by: Daniel Palmer <daniel@0x0f.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_drv.c | 25 ++++---------------------
+ 1 file changed, 4 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c
+index e5a6f3e7c75b6..31fac034a17e6 100644
+--- a/drivers/gpu/drm/radeon/radeon_drv.c
++++ b/drivers/gpu/drm/radeon/radeon_drv.c
+@@ -312,46 +312,30 @@ static int radeon_pci_probe(struct pci_dev *pdev,
+       ret = pci_enable_device(pdev);
+       if (ret)
+-              goto err_free;
++              return ret;
+       pci_set_drvdata(pdev, ddev);
+       ret = radeon_driver_load_kms(ddev, flags);
+       if (ret)
+-              goto err_agp;
++              goto err;
+       ret = drm_dev_register(ddev, flags);
+       if (ret)
+-              goto err_agp;
++              goto err;
+       radeon_fbdev_setup(ddev->dev_private);
+       return 0;
+-err_agp:
++err:
+       pci_disable_device(pdev);
+-err_free:
+-      drm_dev_put(ddev);
+       return ret;
+ }
+-static void
+-radeon_pci_remove(struct pci_dev *pdev)
+-{
+-      struct drm_device *dev = pci_get_drvdata(pdev);
+-
+-      drm_put_dev(dev);
+-}
+-
+ static void
+ radeon_pci_shutdown(struct pci_dev *pdev)
+ {
+-      /* if we are running in a VM, make sure the device
+-       * torn down properly on reboot/shutdown
+-       */
+-      if (radeon_device_is_virtual())
+-              radeon_pci_remove(pdev);
+-
+ #if defined(CONFIG_PPC64) || defined(CONFIG_MACH_LOONGSON64)
+       /*
+        * Some adapters need to be suspended before a
+@@ -603,7 +587,6 @@ static struct pci_driver radeon_kms_pci_driver = {
+       .name = DRIVER_NAME,
+       .id_table = pciidlist,
+       .probe = radeon_pci_probe,
+-      .remove = radeon_pci_remove,
+       .shutdown = radeon_pci_shutdown,
+       .driver.pm = &radeon_pm_ops,
+ };
+-- 
+2.51.0
+
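Review bot: Dropping `radeon_pci_remove()` and the `.remove` entry removes more than the reference drop. `drm_put_dev()` also unregisters the device, and nothing in the visible hunks now pairs the `drm_dev_register()` in `radeon_pci_probe()` with an unregister on unbind. devres will release the last reference, but a device that is still registered at that point can be reached from userspace while it is being torn down. Unless unregistration happens elsewhere (not visible here), I would keep the callback and the `.remove` entry and only change its body to `drm_dev_unregister(dev);`. The branch removed from `radeon_pci_shutdown()` deserves the same check, since its comment said it existed to tear the device down on reboot when running in a VM.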
diff --git a/queue-6.12/kunit-test_dev_action-correctly-cast-priv-pointer-to.patch b/queue-6.12/kunit-test_dev_action-correctly-cast-priv-pointer-to.patch
new file mode 100644 (file)
index 0000000..61e243b
--- /dev/null
@@ -0,0 +1,49 @@
+From ec564688929570526de41ae2d60008f6c90fa1ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 11:28:14 +0200
+Subject: kunit: test_dev_action: Correctly cast 'priv' pointer to long*
+
+From: Florian Schmaus <florian.schmaus@codasip.com>
+
+[ Upstream commit 2551a1eedc09f5a86f94b038dc1bb16855c256f1 ]
+
+The previous implementation incorrectly assumed the original type of
+'priv' was void**, leading to an unnecessary and misleading
+cast. Correct the cast of the 'priv' pointer in test_dev_action() to
+its actual type, long*, removing an unnecessary cast.
+
+As an additional benefit, this fixes an out-of-bounds CHERI fault on
+hardware with architectural capabilities. The original implementation
+tried to store a capability-sized pointer using the priv
+pointer. However, the priv pointer's capability only granted access to
+the memory region of its original long type, leading to a bounds
+violation since the size of a long is smaller than the size of a
+capability. This change ensures that the pointer usage respects the
+capabilities' bounds.
+
+Link: https://lore.kernel.org/r/20251017092814.80022-1-florian.schmaus@codasip.com
+Fixes: d03c720e03bd ("kunit: Add APIs for managing devices")
+Reviewed-by: David Gow <davidgow@google.com>
+Signed-off-by: Florian Schmaus <florian.schmaus@codasip.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/kunit/kunit-test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/kunit/kunit-test.c b/lib/kunit/kunit-test.c
+index d9c781c859fde..580374e081071 100644
+--- a/lib/kunit/kunit-test.c
++++ b/lib/kunit/kunit-test.c
+@@ -735,7 +735,7 @@ static struct kunit_case kunit_current_test_cases[] = {
+ static void test_dev_action(void *priv)
+ {
+-      *(void **)priv = (void *)1;
++      *(long *)priv = 1;
+ }
+ static void kunit_device_test(struct kunit *test)
+-- 
+2.51.0
+
diff --git a/queue-6.12/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch b/queue-6.12/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
new file mode 100644 (file)
index 0000000..9a87536
--- /dev/null
@@ -0,0 +1,44 @@
+From 609d89957cf1c7881dd0f1cd86be06f58ac3dc15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 13:36:43 -0700
+Subject: libbpf: Fix powerpc's stack register definition in bpf_tracing.h
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 7221b9caf84b3294688228a19273d74ea19a2ee4 ]
+
+retsnoop's build on powerpc (ppc64le) architecture ([0]) failed due to
+wrong definition of PT_REGS_SP() macro. Looking at powerpc's
+implementation of stack unwinding in perf_callchain_user_64() clearly
+shows that stack pointer register is gpr[1].
+
+Fix libbpf's definition of __PT_SP_REG for powerpc to fix all this.
+
+  [0] https://kojipkgs.fedoraproject.org/work/tasks/1544/137921544/build.log
+
+Fixes: 138d6153a139 ("samples/bpf: Enable powerpc support")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Naveen N Rao (AMD) <naveen@kernel.org>
+Link: https://lore.kernel.org/r/20251020203643.989467-1-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf_tracing.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/bpf_tracing.h b/tools/lib/bpf/bpf_tracing.h
+index a8f6cd4841b03..dbe32a5d02cd7 100644
+--- a/tools/lib/bpf/bpf_tracing.h
++++ b/tools/lib/bpf/bpf_tracing.h
+@@ -311,7 +311,7 @@ struct pt_regs___arm64 {
+ #define __PT_RET_REG regs[31]
+ #define __PT_FP_REG __unsupported__
+ #define __PT_RC_REG gpr[3]
+-#define __PT_SP_REG sp
++#define __PT_SP_REG gpr[1]
+ #define __PT_IP_REG nip
+ #elif defined(bpf_target_sparc)
+-- 
+2.51.0
+
diff --git a/queue-6.12/net-hns3-return-error-code-when-function-fails.patch b/queue-6.12/net-hns3-return-error-code-when-function-fails.patch
new file mode 100644 (file)
index 0000000..f9c51e3
--- /dev/null
@@ -0,0 +1,87 @@
+From 24de4285a07cdef3028bdd096397849964e85ae5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 21:13:37 +0800
+Subject: net: hns3: return error code when function fails
+
+From: Jijie Shao <shaojijie@huawei.com>
+
+[ Upstream commit 03ca7c8c42be913529eb9f188278114430c6abbd ]
+
+Currently, in hclge_mii_ioctl(), the operation to
+read the PHY register (SIOCGMIIREG) always returns 0.
+
+This patch changes the return type of hclge_read_phy_reg(),
+returning an error code when the function fails.
+
+Fixes: 024712f51e57 ("net: hns3: add ioctl support for imp-controlled PHYs")
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Link: https://patch.msgid.link/20251023131338.2642520-2-shaojijie@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +--
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 9 ++++++---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h | 2 +-
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index 407ad0b985b4f..f5eafd1ded413 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -9439,8 +9439,7 @@ static int hclge_mii_ioctl(struct hclge_dev *hdev, struct ifreq *ifr, int cmd)
+               /* this command reads phy id and register at the same time */
+               fallthrough;
+       case SIOCGMIIREG:
+-              data->val_out = hclge_read_phy_reg(hdev, data->reg_num);
+-              return 0;
++              return hclge_read_phy_reg(hdev, data->reg_num, &data->val_out);
+       case SIOCSMIIREG:
+               return hclge_write_phy_reg(hdev, data->reg_num, data->val_in);
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+index 80079657afebe..b8dbf932caf94 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+@@ -274,7 +274,7 @@ void hclge_mac_stop_phy(struct hclge_dev *hdev)
+       phy_stop(phydev);
+ }
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val)
+ {
+       struct hclge_phy_reg_cmd *req;
+       struct hclge_desc desc;
+@@ -286,11 +286,14 @@ u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
+       req->reg_addr = cpu_to_le16(reg_addr);
+       ret = hclge_cmd_send(&hdev->hw, &desc, 1);
+-      if (ret)
++      if (ret) {
+               dev_err(&hdev->pdev->dev,
+                       "failed to read phy reg, ret = %d.\n", ret);
++              return ret;
++      }
+-      return le16_to_cpu(req->reg_val);
++      *val = le16_to_cpu(req->reg_val);
++      return 0;
+ }
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val)
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+index 4200d0b6d9317..21d434c82475b 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+@@ -13,7 +13,7 @@ int hclge_mac_connect_phy(struct hnae3_handle *handle);
+ void hclge_mac_disconnect_phy(struct hnae3_handle *handle);
+ void hclge_mac_start_phy(struct hclge_dev *hdev);
+ void hclge_mac_stop_phy(struct hclge_dev *hdev);
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr);
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val);
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val);
+ #endif
+-- 
+2.51.0
+
diff --git a/queue-6.12/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch b/queue-6.12/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
new file mode 100644 (file)
index 0000000..4f6c2dc
--- /dev/null
@@ -0,0 +1,42 @@
+From bb38de588699678dbe1606b8525fe24e534d84f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 15:15:38 +0900
+Subject: scsi: ufs: core: Initialize value of an attribute returned by uic cmd
+
+From: Wonkon Kim <wkon.kim@samsung.com>
+
+[ Upstream commit 6fe4c679dde3075cb481beb3945269bb2ef8b19a ]
+
+If ufshcd_send_cmd() fails, *mib_val may have a garbage value. It can
+get an unintended value of an attribute.
+
+Make ufshcd_dme_get_attr() always initialize *mib_val.
+
+Fixes: 12b4fdb4f6bc ("[SCSI] ufs: add dme configuration primitives")
+Signed-off-by: Wonkon Kim <wkon.kim@samsung.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20251020061539.28661-2-wkon.kim@samsung.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufshcd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index e079cb5d9ec69..2d07902ce7f1b 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -4239,8 +4239,8 @@ int ufshcd_dme_get_attr(struct ufs_hba *hba, u32 attr_sel,
+                       get, UIC_GET_ATTR_ID(attr_sel),
+                       UFS_UIC_COMMAND_RETRIES - retries);
+-      if (mib_val && !ret)
+-              *mib_val = uic_cmd.argument3;
++      if (mib_val)
++              *mib_val = ret == 0 ? uic_cmd.argument3 : 0;
+       if (peer && (hba->quirks & UFSHCD_QUIRK_DME_PEER_ACCESS_AUTO_MODE)
+           && pwr_mode_change)
+-- 
+2.51.0
+
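Review bot: Zeroing `*mib_val` on failure in ufshcd_dme_get_attr() removes the stale read, but 0 may also be a legitimate attribute value, so a caller that ignores the return code still cannot tell a failed read from a real zero. I would state that contract next to the assignment, e.g. `/* *mib_val is 0 on failure; callers must still check the return value */`. The conditional also reads more directly as `*mib_val = ret ? 0 : uic_cmd.argument3;`. The function starts and ends outside this hunk, so whether every caller checks the return value cannot be confirmed from here.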
index 90a68d02d97c0a05094508ded0a7320c2ed70fd0..3c759e3aa08aa5ba901951fb243d2016870169bf 100644 (file)
@@ -16,3 +16,43 @@ asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch
 s390-pci-restore-irq-unconditionally-for-the-zpci-device.patch
 smb-client-fix-potential-cfid-uaf-in-smb2_query_info_compound.patch
 x86-fpu-ensure-xfd-state-on-signal-delivery.patch
+wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
+wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch
+wifi-ath12k-free-skb-during-idr-cleanup-callback.patch
+wifi-ath11k-add-support-for-mu-edca.patch
+wifi-ath11k-avoid-bit-operation-on-key-flags.patch
+drm-msm-a6xx-fix-gmu-firmware-parser.patch
+alsa-usb-audio-fix-control-pipe-direction.patch
+asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch
+wifi-mac80211-don-t-mark-keys-for-inactive-links-as-.patch
+wifi-mac80211-fix-key-tailroom-accounting-leak.patch
+kunit-test_dev_action-correctly-cast-priv-pointer-to.patch
+bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
+scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
+bpf-find-eligible-subprogs-for-private-stack-support.patch
+bpf-x86-avoid-repeated-usage-of-bpf_prog-aux-stack_d.patch
+bpf-do-not-audit-capability-check-in-do_jit.patch
+crypto-aspeed-fix-double-free-caused-by-devm.patch
+asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
+asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch
+asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
+libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
+usbnet-prevents-free-active-kevent.patch
+bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch
+bluetooth-iso-update-hci_conn_hash_lookup_big-for-br.patch
+bluetooth-iso-fix-bis-connection-dst_type-handling.patch
+bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
+bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch
+bluetooth-iso-fix-another-instance-of-dst_type-handl.patch
+bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch
+drm-etnaviv-fix-flush-sequence-logic.patch
+tools-ynl-fix-string-attribute-length-to-include-nul.patch
+net-hns3-return-error-code-when-function-fails.patch
+sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch
+dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch
+asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch
+drm-radeon-do-not-kfree-devres-managed-rdev.patch
+drm-radeon-remove-calls-to-drm_put_dev.patch
+drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-18241
diff --git a/queue-6.12/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch b/queue-6.12/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch
new file mode 100644 (file)
index 0000000..acbaba7
--- /dev/null
@@ -0,0 +1,51 @@
+From 16c543cd85152ce72e5981871abcdc8fc7b6e0bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 19:48:42 +0530
+Subject: sfc: fix potential memory leak in efx_mae_process_mport()
+
+From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
+
+[ Upstream commit 46a499aaf8c27476fd05e800f3e947bfd71aa724 ]
+
+In efx_mae_enumerate_mports(), memory allocated for mae_mport_desc is
+passed as a argument to efx_mae_process_mport(), but when the error path
+in efx_mae_process_mport() gets executed, the memory allocated for desc
+gets leaked.
+
+Fix that by freeing the memory allocation before returning error.
+
+Fixes: a6a15aca4207 ("sfc: enumerate mports in ef100")
+Acked-by: Edward Cree <ecree.xilinx@gmail.com>
+Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
+Link: https://patch.msgid.link/20251023141844.25847-1-nihaal@cse.iitm.ac.in
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/mae.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/sfc/mae.c b/drivers/net/ethernet/sfc/mae.c
+index 10709d828a636..21d5596460732 100644
+--- a/drivers/net/ethernet/sfc/mae.c
++++ b/drivers/net/ethernet/sfc/mae.c
+@@ -1101,6 +1101,9 @@ void efx_mae_remove_mport(void *desc, void *arg)
+       kfree(mport);
+ }
++/*
++ * Takes ownership of @desc, even if it returns an error
++ */
+ static int efx_mae_process_mport(struct efx_nic *efx,
+                                struct mae_mport_desc *desc)
+ {
+@@ -1111,6 +1114,7 @@ static int efx_mae_process_mport(struct efx_nic *efx,
+       if (!IS_ERR_OR_NULL(mport)) {
+               netif_err(efx, drv, efx->net_dev,
+                         "mport with id %u does exist!!!\n", desc->mport_id);
++              kfree(desc);
+               return -EEXIST;
+       }
+-- 
+2.51.0
+
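Review bot: The new comment on efx_mae_process_mport() promises that @desc is consumed on every error return, but this patch only shows the -EEXIST path gaining a `kfree(desc)`. The rest of the function is outside the hunk, so any other failure return there needs the same guarantee for the comment to hold. Because this contract turns a caller-side free into a double free, I would make the comment explicit: `Takes ownership of @desc, even on error: the caller must not use or free it after the call.` The `desc->mport_id` read in netif_err() correctly happens before the free and should stay in that order.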
diff --git a/queue-6.12/tools-ynl-fix-string-attribute-length-to-include-nul.patch b/queue-6.12/tools-ynl-fix-string-attribute-length-to-include-nul.patch
new file mode 100644 (file)
index 0000000..6693f7f
--- /dev/null
@@ -0,0 +1,75 @@
+From 40a494ed1b9e63c9fdba38775b86a2acdc792f4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Oct 2025 15:24:38 +0200
+Subject: tools: ynl: fix string attribute length to include null terminator
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit 65f9c4c5888913c2cf5d2fc9454c83f9930d537d ]
+
+The ynl_attr_put_str() function was not including the null terminator
+in the attribute length calculation. This caused kernel to reject
+CTRL_CMD_GETFAMILY requests with EINVAL:
+"Attribute failed policy validation".
+
+For a 4-character family name like "dpll":
+- Sent: nla_len=8 (4 byte header + 4 byte string without null)
+- Expected: nla_len=9 (4 byte header + 5 byte string with null)
+
+The bug was introduced in commit 15d2540e0d62 ("tools: ynl: check for
+overflow of constructed messages") when refactoring from stpcpy() to
+strlen(). The original code correctly included the null terminator:
+
+  end = stpcpy(ynl_attr_data(attr), str);
+  attr->nla_len = NLA_HDRLEN + NLA_ALIGN(end -
+                                (char *)ynl_attr_data(attr));
+
+Since stpcpy() returns a pointer past the null terminator, the length
+included it. The refactored version using strlen() omitted the +1.
+
+The fix also removes NLA_ALIGN() from nla_len calculation, since
+nla_len should contain actual attribute length, not aligned length.
+Alignment is only for calculating next attribute position. This makes
+the code consistent with ynl_attr_put().
+
+CTRL_ATTR_FAMILY_NAME uses NLA_NUL_STRING policy which requires
+null terminator. Kernel validates with memchr() and rejects if not
+found.
+
+Fixes: 15d2540e0d62 ("tools: ynl: check for overflow of constructed messages")
+Signed-off-by: Petr Oros <poros@redhat.com>
+Tested-by: Ivan Vecera <ivecera@redhat.com>
+Reviewed-by: Ivan Vecera <ivecera@redhat.com>
+Link: https://lore.kernel.org/20251018151737.365485-3-zahari.doychev@linux.com
+Link: https://patch.msgid.link/20251024132438.351290-1-poros@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/net/ynl/lib/ynl-priv.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/net/ynl/lib/ynl-priv.h b/tools/net/ynl/lib/ynl-priv.h
+index 3c09a7bbfba59..baafc66a61855 100644
+--- a/tools/net/ynl/lib/ynl-priv.h
++++ b/tools/net/ynl/lib/ynl-priv.h
+@@ -301,7 +301,7 @@ ynl_attr_put_str(struct nlmsghdr *nlh, unsigned int attr_type, const char *str)
+       struct nlattr *attr;
+       size_t len;
+-      len = strlen(str);
++      len = strlen(str) + 1;
+       if (__ynl_attr_put_overflow(nlh, len))
+               return;
+@@ -309,7 +309,7 @@ ynl_attr_put_str(struct nlmsghdr *nlh, unsigned int attr_type, const char *str)
+       attr->nla_type = attr_type;
+       strcpy((char *)ynl_attr_data(attr), str);
+-      attr->nla_len = NLA_HDRLEN + NLA_ALIGN(len);
++      attr->nla_len = NLA_HDRLEN + len;
+       nlh->nlmsg_len += NLMSG_ALIGN(attr->nla_len);
+ }
+-- 
+2.51.0
+
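Review bot: In ynl_attr_put_str() the length passed to `__ynl_attr_put_overflow(nlh, len)` now includes the terminator, but the copy is still a `strcpy()`, so the bytes written are tied to the checked length only implicitly. Since `len` is already `strlen(str) + 1`, `memcpy(ynl_attr_data(attr), str, len);` copies exactly what was checked and avoids scanning the string twice. Separately, `attr->nla_len = NLA_HDRLEN + len;` narrows a size_t into the 16-bit nla_len field; presumably the overflow helper already rejects anything that large, but it is outside the hunk and worth confirming. The function starts and ends outside both hunks.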
diff --git a/queue-6.12/usbnet-prevents-free-active-kevent.patch b/queue-6.12/usbnet-prevents-free-active-kevent.patch
new file mode 100644 (file)
index 0000000..cac0567
--- /dev/null
@@ -0,0 +1,50 @@
+From 67cdcd4e1afdc673add2e56d29d61403a530ac86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 10:40:07 +0800
+Subject: usbnet: Prevents free active kevent
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+[ Upstream commit 420c84c330d1688b8c764479e5738bbdbf0a33de ]
+
+The root cause of this issue are:
+1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
+put the kevent work in global workqueue. However, the kevent has not yet
+been scheduled when the usbnet device is unregistered. Therefore, executing
+free_netdev() results in the "free active object (kevent)" error reported
+here.
+
+2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
+if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
+However, because the device is not up, ndo_stop() is not executed.
+
+The solution to this problem is to cancel the kevent before executing
+free_netdev().
+
+Fixes: a69e617e533e ("usbnet: Fix linkwatch use-after-free on disconnect")
+Reported-by: Sam Sun <samsun1006219@gmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=8bfd7bcc98f7300afb84
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Link: https://patch.msgid.link/20251022024007.1831898-1-lizhi.xu@windriver.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/usbnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index ccf45ca2feb56..0ff7357c3c91c 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1650,6 +1650,8 @@ void usbnet_disconnect (struct usb_interface *intf)
+       net = dev->net;
+       unregister_netdev (net);
++      cancel_work_sync(&dev->kevent);
++
+       while ((urb = usb_get_from_anchor(&dev->deferred))) {
+               dev_kfree_skb(urb->context);
+               kfree(urb->sg);
+-- 
+2.51.0
+
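Review bot: The added `cancel_work_sync(&dev->kevent);` in usbnet_disconnect() carries no comment, yet its position matters: per the description it must run before free_netdev(), which is outside this hunk. A short comment would keep a later reorder from reintroducing the bug, e.g. `/* kevent may have been queued at probe and never run; ndo_stop() only cancels it if the device was up */`. It is also worth confirming that nothing between this call and free_netdev() can queue kevent again, since cancel_work_sync() does not prevent later re-queueing. The remainder of the function is not visible here, so that cannot be checked from the hunk.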
diff --git a/queue-6.12/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch b/queue-6.12/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
new file mode 100644 (file)
index 0000000..98890fc
--- /dev/null
@@ -0,0 +1,41 @@
+From dc1bfc1ea1c6ba2ebfead8b9448deeaecfb16bea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Sep 2025 21:56:56 +0200
+Subject: wifi: ath10k: Fix memory leak on unsupported WMI command
+
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+
+[ Upstream commit 2e9c1da4ee9d0acfca2e0a3d78f3d8cb5802da1b ]
+
+ath10k_wmi_cmd_send takes ownership of the passed buffer (skb) and has the
+responsibility to release it in case of error. This patch fixes missing
+free in case of early error due to unhandled WMI command ID.
+
+Tested-on: WCN3990 hw1.0 WLAN.HL.3.3.7.c2-00931-QCAHLSWMTPLZ-1
+
+Fixes: 553215592f14 ("ath10k: warn if give WMI command is not supported")
+Suggested-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250926195656.187970-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index fdab67a56e438..32754f894f0b0 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -1937,6 +1937,7 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id)
+       if (cmd_id == WMI_CMD_UNSUPPORTED) {
+               ath10k_warn(ar, "wmi command %d is not supported by firmware\n",
+                           cmd_id);
++              dev_kfree_skb_any(skb);
+               return ret;
+       }
+-- 
+2.51.0
+
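Review bot: With `dev_kfree_skb_any(skb);` added to the WMI_CMD_UNSUPPORTED branch, ath10k_wmi_cmd_send() is meant to consume the skb on this error return too, but nothing at the function states that contract. Any caller that frees the skb itself after a failure would double free on this path; callers are outside the hunk, so a quick audit is worthwhile. I would document it above the function, e.g. `/* Consumes @skb on success and on failure; callers must not free it. */`. The value returned through `ret` here is assigned outside the hunk.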
diff --git a/queue-6.12/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch b/queue-6.12/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch
new file mode 100644 (file)
index 0000000..1dc0edb
--- /dev/null
@@ -0,0 +1,126 @@
+From 0d43a8784cb08d558c32c65f4a73e1c7013caa01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Sep 2025 15:21:35 -0400
+Subject: wifi: ath11k: Add missing platform IDs for quirk table
+
+From: Mark Pearson <mpearson-lenovo@squebb.ca>
+
+[ Upstream commit 0eb002c93c3b47f88244cecb1e356eaeab61a6bf ]
+
+Lenovo platforms can come with one of two different IDs.
+The pm_quirk table was missing the second ID for each platform.
+
+Add missing ID and some extra platform identification comments.
+Reported on https://bugzilla.kernel.org/show_bug.cgi?id=219196
+
+Tested-on: P14s G4 AMD.
+
+Fixes: ce8669a27016 ("wifi: ath11k: determine PM policy based on machine model")
+Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219196
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250929192146.1789648-1-mpearson-lenovo@squebb.ca
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.c | 54 +++++++++++++++++++++++---
+ 1 file changed, 48 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
+index afac4a1e9a1db..735032c353b2d 100644
+--- a/drivers/net/wireless/ath/ath11k/core.c
++++ b/drivers/net/wireless/ath/ath11k/core.c
+@@ -814,42 +814,84 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+ static const struct dmi_system_id ath11k_pm_quirk_table[] = {
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* X13 G4 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21J3"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* X13 G4 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21J4"),
+               },
+       },
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* T14 G4 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21K3"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* T14 G4 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21K4"),
+               },
+       },
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* P14s G4 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21K5"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* P14s G4 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21K6"),
+               },
+       },
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* T16 G2 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21K7"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* T16 G2 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21K8"),
+               },
+       },
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* P16s G2 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21K9"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* P16s G2 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21KA"),
+               },
+       },
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* T14s G4 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21F8"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* T14s G4 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21F9"),
+               },
+-- 
+2.51.0
+
diff --git a/queue-6.12/wifi-ath11k-add-support-for-mu-edca.patch b/queue-6.12/wifi-ath11k-add-support-for-mu-edca.patch
new file mode 100644 (file)
index 0000000..8b8e099
--- /dev/null
@@ -0,0 +1,221 @@
+From 7f07216d9ea8d7c87286dac9fadd0afc48eb7e8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jan 2025 14:13:43 +0800
+Subject: wifi: ath11k: add support for MU EDCA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Zhang(Yuriy) <quic_yuzha@quicinc.com>
+
+[ Upstream commit b78c02f7c7104f1e77ade12ebde267e6fb388ca9 ]
+
+The current code does not have the MU EDCA feature, so it cannot support
+the use of EDCA by STA in specific UL MU HE TB PPDU transmissions. Refer
+to IEEE Std 802.11ax-2021 "9.4.2.251 MU EDCA Parameter Set element",
+"26.2.7 EDCA operation using MU EDCA parameters".
+
+Add ath11k_mac_op_conf_tx_mu_edca() to construct the MU EDCA parameters
+received from mac80211 into WMI WMM parameters,and send to the firmware
+according to the different WMM type flags.
+
+Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-04523-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1
+
+Signed-off-by: Yu Zhang (Yuriy) <quic_yuzha@quicinc.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250124061343.2263467-1-quic_yuzha@quicinc.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Stable-dep-of: 9c78e747dd4f ("wifi: ath11k: avoid bit operation on key flags")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.h |  3 +-
+ drivers/net/wireless/ath/ath11k/mac.c  | 53 +++++++++++++++++++++++++-
+ drivers/net/wireless/ath/ath11k/wmi.c  | 11 +++---
+ drivers/net/wireless/ath/ath11k/wmi.h  | 10 ++++-
+ 4 files changed, 67 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
+index cd9f9fb6ab68e..7394b46835e1a 100644
+--- a/drivers/net/wireless/ath/ath11k/core.h
++++ b/drivers/net/wireless/ath/ath11k/core.h
+@@ -1,7 +1,7 @@
+ /* SPDX-License-Identifier: BSD-3-Clause-Clear */
+ /*
+  * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
+- * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.
++ * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved.
+  */
+ #ifndef ATH11K_CORE_H
+@@ -372,6 +372,7 @@ struct ath11k_vif {
+       u16 tx_seq_no;
+       struct wmi_wmm_params_all_arg wmm_params;
++      struct wmi_wmm_params_all_arg muedca_params;
+       struct list_head list;
+       union {
+               struct {
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 9db3369d32048..3889f08822d41 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -1,7 +1,7 @@
+ // SPDX-License-Identifier: BSD-3-Clause-Clear
+ /*
+  * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
+- * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.
++ * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved.
+  */
+ #include <net/mac80211.h>
+@@ -5283,6 +5283,45 @@ static int ath11k_conf_tx_uapsd(struct ath11k *ar, struct ieee80211_vif *vif,
+       return ret;
+ }
++static int ath11k_mac_op_conf_tx_mu_edca(struct ieee80211_hw *hw,
++                                       struct ieee80211_vif *vif,
++                                       unsigned int link_id, u16 ac,
++                                       const struct ieee80211_tx_queue_params *params)
++{
++      struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif);
++      struct ath11k *ar = hw->priv;
++      struct wmi_wmm_params_arg *p;
++      int ret;
++
++      switch (ac) {
++      case IEEE80211_AC_VO:
++              p = &arvif->muedca_params.ac_vo;
++              break;
++      case IEEE80211_AC_VI:
++              p = &arvif->muedca_params.ac_vi;
++              break;
++      case IEEE80211_AC_BE:
++              p = &arvif->muedca_params.ac_be;
++              break;
++      case IEEE80211_AC_BK:
++              p = &arvif->muedca_params.ac_bk;
++              break;
++      default:
++              ath11k_warn(ar->ab, "error ac: %d", ac);
++              return -EINVAL;
++      }
++
++      p->cwmin = u8_get_bits(params->mu_edca_param_rec.ecw_min_max, GENMASK(3, 0));
++      p->cwmax = u8_get_bits(params->mu_edca_param_rec.ecw_min_max, GENMASK(7, 4));
++      p->aifs = u8_get_bits(params->mu_edca_param_rec.aifsn, GENMASK(3, 0));
++      p->txop = params->mu_edca_param_rec.mu_edca_timer;
++
++      ret = ath11k_wmi_send_wmm_update_cmd_tlv(ar, arvif->vdev_id,
++                                               &arvif->muedca_params,
++                                               WMI_WMM_PARAM_TYPE_11AX_MU_EDCA);
++      return ret;
++}
++
+ static int ath11k_mac_op_conf_tx(struct ieee80211_hw *hw,
+                                struct ieee80211_vif *vif,
+                                unsigned int link_id, u16 ac,
+@@ -5321,12 +5360,22 @@ static int ath11k_mac_op_conf_tx(struct ieee80211_hw *hw,
+       p->txop = params->txop;
+       ret = ath11k_wmi_send_wmm_update_cmd_tlv(ar, arvif->vdev_id,
+-                                               &arvif->wmm_params);
++                                               &arvif->wmm_params,
++                                               WMI_WMM_PARAM_TYPE_LEGACY);
+       if (ret) {
+               ath11k_warn(ar->ab, "failed to set wmm params: %d\n", ret);
+               goto exit;
+       }
++      if (params->mu_edca) {
++              ret = ath11k_mac_op_conf_tx_mu_edca(hw, vif, link_id, ac,
++                                                  params);
++              if (ret) {
++                      ath11k_warn(ar->ab, "failed to set mu_edca params: %d\n", ret);
++                      goto exit;
++              }
++      }
++
+       ret = ath11k_conf_tx_uapsd(ar, vif, ac, params->uapsd);
+       if (ret)
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
+index 5f7edf622de7a..98811726d33bf 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -1,7 +1,7 @@
+ // SPDX-License-Identifier: BSD-3-Clause-Clear
+ /*
+  * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
+- * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.
++ * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved.
+  */
+ #include <linux/skbuff.h>
+ #include <linux/ctype.h>
+@@ -2662,7 +2662,8 @@ int ath11k_wmi_send_scan_chan_list_cmd(struct ath11k *ar,
+ }
+ int ath11k_wmi_send_wmm_update_cmd_tlv(struct ath11k *ar, u32 vdev_id,
+-                                     struct wmi_wmm_params_all_arg *param)
++                                     struct wmi_wmm_params_all_arg *param,
++                                     enum wmi_wmm_params_type wmm_param_type)
+ {
+       struct ath11k_pdev_wmi *wmi = ar->wmi;
+       struct wmi_vdev_set_wmm_params_cmd *cmd;
+@@ -2681,7 +2682,7 @@ int ath11k_wmi_send_wmm_update_cmd_tlv(struct ath11k *ar, u32 vdev_id,
+                         FIELD_PREP(WMI_TLV_LEN, sizeof(*cmd) - TLV_HDR_SIZE);
+       cmd->vdev_id = vdev_id;
+-      cmd->wmm_param_type = 0;
++      cmd->wmm_param_type = wmm_param_type;
+       for (ac = 0; ac < WME_NUM_AC; ac++) {
+               switch (ac) {
+@@ -2714,8 +2715,8 @@ int ath11k_wmi_send_wmm_update_cmd_tlv(struct ath11k *ar, u32 vdev_id,
+               wmm_param->no_ack = wmi_wmm_arg->no_ack;
+               ath11k_dbg(ar->ab, ATH11K_DBG_WMI,
+-                         "wmm set ac %d aifs %d cwmin %d cwmax %d txop %d acm %d no_ack %d\n",
+-                         ac, wmm_param->aifs, wmm_param->cwmin,
++                         "wmm set type %d ac %d aifs %d cwmin %d cwmax %d txop %d acm %d no_ack %d\n",
++                         wmm_param_type, ac, wmm_param->aifs, wmm_param->cwmin,
+                          wmm_param->cwmax, wmm_param->txoplimit,
+                          wmm_param->acm, wmm_param->no_ack);
+       }
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.h b/drivers/net/wireless/ath/ath11k/wmi.h
+index 30b4b0c176826..9fcffaa2f383c 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.h
++++ b/drivers/net/wireless/ath/ath11k/wmi.h
+@@ -1,7 +1,7 @@
+ /* SPDX-License-Identifier: BSD-3-Clause-Clear */
+ /*
+  * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
+- * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.
++ * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved.
+  */
+ #ifndef ATH11K_WMI_H
+@@ -6347,6 +6347,11 @@ enum wmi_sta_keepalive_method {
+ #define WMI_STA_KEEPALIVE_INTERVAL_DEFAULT    30
+ #define WMI_STA_KEEPALIVE_INTERVAL_DISABLE    0
++enum wmi_wmm_params_type {
++      WMI_WMM_PARAM_TYPE_LEGACY = 0,
++      WMI_WMM_PARAM_TYPE_11AX_MU_EDCA = 1,
++};
++
+ const void **ath11k_wmi_tlv_parse_alloc(struct ath11k_base *ab,
+                                       struct sk_buff *skb, gfp_t gfp);
+ int ath11k_wmi_cmd_send(struct ath11k_pdev_wmi *wmi, struct sk_buff *skb,
+@@ -6403,7 +6408,8 @@ int ath11k_wmi_send_scan_start_cmd(struct ath11k *ar,
+ int ath11k_wmi_send_scan_stop_cmd(struct ath11k *ar,
+                                 struct scan_cancel_param *param);
+ int ath11k_wmi_send_wmm_update_cmd_tlv(struct ath11k *ar, u32 vdev_id,
+-                                     struct wmi_wmm_params_all_arg *param);
++                                     struct wmi_wmm_params_all_arg *param,
++                                     enum wmi_wmm_params_type wmm_param_type);
+ int ath11k_wmi_pdev_suspend(struct ath11k *ar, u32 suspend_opt,
+                           u32 pdev_id);
+ int ath11k_wmi_pdev_resume(struct ath11k *ar, u32 pdev_id);
+-- 
+2.51.0
+
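Review bot: In the new ath11k_mac_op_conf_tx_mu_edca() in mac.c, the default-case warning `ath11k_warn(ar->ab, "error ac: %d", ac);` lacks the trailing newline that the other ath11k_warn() calls in this patch carry, and the text does not say what was wrong. `ath11k_warn(ar->ab, "invalid access category for mu_edca: %d\n", ac);` would match them. The tail of the function can drop the temporary and return the result of ath11k_wmi_send_wmm_update_cmd_tlv() directly. The inline `GENMASK(3, 0)` and `GENMASK(7, 4)` field masks would be easier to check against the 802.11ax clauses cited in the description if they were named macros.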
diff --git a/queue-6.12/wifi-ath11k-avoid-bit-operation-on-key-flags.patch b/queue-6.12/wifi-ath11k-avoid-bit-operation-on-key-flags.patch
new file mode 100644 (file)
index 0000000..c26aee7
--- /dev/null
@@ -0,0 +1,83 @@
+From 60bf61f1280d3c361b274af528aa416b0cf3bacf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Oct 2025 14:51:58 +0530
+Subject: wifi: ath11k: avoid bit operation on key flags
+
+From: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
+
+[ Upstream commit 9c78e747dd4fee6c36fcc926212e20032055cf9d ]
+
+Bitwise operations with WMI_KEY_PAIRWISE (defined as 0) are ineffective
+and misleading. This results in pairwise key validations added in
+commit 97acb0259cc9 ("wifi: ath11k: fix group data packet drops
+during rekey") to always evaluate false and clear key commands for
+pairwise keys are not honored.
+
+Since firmware supports overwriting the new key without explicitly
+clearing the previous one, there is no visible impact currently.
+However, to restore consistency with the previous behavior and improve
+clarity, replace bitwise operations with direct assignments and
+comparisons for key flags.
+
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.9.0.1-02146-QCAHKSWPL_SILICONZ-1
+Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/linux-wireless/aLlaetkalDvWcB7b@stanley.mountain
+Fixes: 97acb0259cc9 ("wifi: ath11k: fix group data packet drops during rekey")
+Signed-off-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251003092158.1080637-1-rameshkumar.sundaram@oss.qualcomm.com
+[update copyright per current guidance]
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 3889f08822d41..419c9497800af 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -1,7 +1,7 @@
+ // SPDX-License-Identifier: BSD-3-Clause-Clear
+ /*
+  * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
+- * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved.
++ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
+  */
+ #include <net/mac80211.h>
+@@ -4407,9 +4407,9 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+       }
+       if (key->flags & IEEE80211_KEY_FLAG_PAIRWISE)
+-              flags |= WMI_KEY_PAIRWISE;
++              flags = WMI_KEY_PAIRWISE;
+       else
+-              flags |= WMI_KEY_GROUP;
++              flags = WMI_KEY_GROUP;
+       ath11k_dbg(ar->ab, ATH11K_DBG_MAC,
+                  "%s for peer %pM on vdev %d flags 0x%X, type = %d, num_sta %d\n",
+@@ -4446,7 +4446,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+       is_ap_with_no_sta = (vif->type == NL80211_IFTYPE_AP &&
+                            !arvif->num_stations);
+-      if ((flags & WMI_KEY_PAIRWISE) || cmd == SET_KEY || is_ap_with_no_sta) {
++      if (flags == WMI_KEY_PAIRWISE || cmd == SET_KEY || is_ap_with_no_sta) {
+               ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags);
+               if (ret) {
+                       ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret);
+@@ -4460,7 +4460,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+                       goto exit;
+               }
+-              if ((flags & WMI_KEY_GROUP) && cmd == SET_KEY && is_ap_with_no_sta)
++              if (flags == WMI_KEY_GROUP && cmd == SET_KEY && is_ap_with_no_sta)
+                       arvif->reinstall_group_keys = true;
+       }
+-- 
+2.51.0
+
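Review bot: The switch from `flags |= …` to `flags = WMI_KEY_PAIRWISE` / `flags = WMI_KEY_GROUP` in ath11k_mac_op_set_key() treats these as values rather than bit masks, but the code gives no hint of why. The description explains it (WMI_KEY_PAIRWISE is 0), so a later `flags & WMI_KEY_…` test could quietly reintroduce the always-false check. A comment above the assignment would help: `/* WMI_KEY_PAIRWISE is 0: key type is a value, compare with ==, never test with & */`. The plain assignment also discards anything stored in `flags` earlier in the function; its initialisation is outside the hunk, so confirm nothing else is expected there. Per the description, non-SET_KEY commands for pairwise keys now reach ath11k_install_key() where they were previously skipped.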
diff --git a/queue-6.12/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch b/queue-6.12/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch
new file mode 100644 (file)
index 0000000..260bf5b
--- /dev/null
@@ -0,0 +1,107 @@
+From 4d2295474ebe5bb8774ac66919e2f49b5ca18faa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Sep 2025 15:03:16 -0700
+Subject: wifi: ath12k: free skb during idr cleanup callback
+
+From: Karthik M <quic_karm@quicinc.com>
+
+[ Upstream commit 92282074e1d2e7b6da5c05fe38a7cc974187fe14 ]
+
+ath12k just like ath11k [1] did not handle skb cleanup during idr
+cleanup callback. Both ath12k_mac_vif_txmgmt_idr_remove() and
+ath12k_mac_tx_mgmt_pending_free() performed idr cleanup and DMA
+unmapping for skb but only ath12k_mac_tx_mgmt_pending_free() freed
+skb. As a result, during vdev deletion a memory leak occurs.
+
+Refactor all clean up steps into a new function. New function
+ath12k_mac_tx_mgmt_free() creates a centralized area where idr
+cleanup, DMA unmapping for skb and freeing skb is performed. Utilize
+skb pointer given by idr_remove(), instead of passed as a function
+argument because IDR will be protected by locking. This will prevent
+concurrent modification of the same IDR.
+
+Now ath12k_mac_tx_mgmt_pending_free() and
+ath12k_mac_vif_txmgmt_idr_remove() call ath12k_mac_tx_mgmt_free().
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
+
+Link: https://lore.kernel.org/r/1637832614-13831-1-git-send-email-quic_srirrama@quicinc.com > # [1]
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Signed-off-by: Karthik M <quic_karm@quicinc.com>
+Signed-off-by: Muna Sinada <muna.sinada@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250923220316.1595758-1-muna.sinada@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/mac.c | 34 ++++++++++++++-------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
+index c15eecf2a1882..8e8defddc8fa9 100644
+--- a/drivers/net/wireless/ath/ath12k/mac.c
++++ b/drivers/net/wireless/ath/ath12k/mac.c
+@@ -5677,23 +5677,32 @@ static void ath12k_mgmt_over_wmi_tx_drop(struct ath12k *ar, struct sk_buff *skb)
+               wake_up(&ar->txmgmt_empty_waitq);
+ }
+-int ath12k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx)
++static void ath12k_mac_tx_mgmt_free(struct ath12k *ar, int buf_id)
+ {
+-      struct sk_buff *msdu = skb;
++      struct sk_buff *msdu;
+       struct ieee80211_tx_info *info;
+-      struct ath12k *ar = ctx;
+-      struct ath12k_base *ab = ar->ab;
+       spin_lock_bh(&ar->txmgmt_idr_lock);
+-      idr_remove(&ar->txmgmt_idr, buf_id);
++      msdu = idr_remove(&ar->txmgmt_idr, buf_id);
+       spin_unlock_bh(&ar->txmgmt_idr_lock);
+-      dma_unmap_single(ab->dev, ATH12K_SKB_CB(msdu)->paddr, msdu->len,
++
++      if (!msdu)
++              return;
++
++      dma_unmap_single(ar->ab->dev, ATH12K_SKB_CB(msdu)->paddr, msdu->len,
+                        DMA_TO_DEVICE);
+       info = IEEE80211_SKB_CB(msdu);
+       memset(&info->status, 0, sizeof(info->status));
+-      ath12k_mgmt_over_wmi_tx_drop(ar, skb);
++      ath12k_mgmt_over_wmi_tx_drop(ar, msdu);
++}
++
++int ath12k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx)
++{
++      struct ath12k *ar = ctx;
++
++      ath12k_mac_tx_mgmt_free(ar, buf_id);
+       return 0;
+ }
+@@ -5702,17 +5711,10 @@ static int ath12k_mac_vif_txmgmt_idr_remove(int buf_id, void *skb, void *ctx)
+ {
+       struct ieee80211_vif *vif = ctx;
+       struct ath12k_skb_cb *skb_cb = ATH12K_SKB_CB(skb);
+-      struct sk_buff *msdu = skb;
+       struct ath12k *ar = skb_cb->ar;
+-      struct ath12k_base *ab = ar->ab;
+-      if (skb_cb->vif == vif) {
+-              spin_lock_bh(&ar->txmgmt_idr_lock);
+-              idr_remove(&ar->txmgmt_idr, buf_id);
+-              spin_unlock_bh(&ar->txmgmt_idr_lock);
+-              dma_unmap_single(ab->dev, skb_cb->paddr, msdu->len,
+-                               DMA_TO_DEVICE);
+-      }
++      if (skb_cb->vif == vif)
++              ath12k_mac_tx_mgmt_free(ar, buf_id);
+       return 0;
+ }
+-- 
+2.51.0
+
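Review bot: In ath12k_mac_vif_txmgmt_idr_remove() the iterator-supplied `skb` is still dereferenced (`ATH12K_SKB_CB(skb)`, then `skb_cb->vif` and `skb_cb->ar`) before `txmgmt_idr_lock` is taken, while the new ath12k_mac_tx_mgmt_free() deliberately trusts only the pointer returned by `idr_remove()` under that lock. If a completion path can remove and free the same entry concurrently (not visible in this patch), that unlocked read would touch freed memory. A comment on the callback stating what excludes concurrent removal while the IDR is walked would settle it, e.g. `/* caller guarantees no tx completion runs during the IDR walk */`, or the vif comparison could move under the lock. The `skb` argument of ath12k_mac_tx_mgmt_pending_free() is now unused and deserves a one-line remark that it is kept only for the callback signature.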
diff --git a/queue-6.12/wifi-mac80211-don-t-mark-keys-for-inactive-links-as-.patch b/queue-6.12/wifi-mac80211-don-t-mark-keys-for-inactive-links-as-.patch
new file mode 100644 (file)
index 0000000..34243bd
--- /dev/null
@@ -0,0 +1,41 @@
+From beec878ef36a711e3924a453b3c8d828a521b297 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 23:38:00 +0300
+Subject: wifi: mac80211: don't mark keys for inactive links as uploaded
+
+From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+
+[ Upstream commit 63df3956903748c5f374a0dfe7a89490714a4625 ]
+
+During resume, the driver can call ieee80211_add_gtk_rekey for keys that
+are not programmed into the device, e.g. keys of inactive links.
+Don't mark such a key as uploaded to avoid removing it later from the
+driver/device.
+
+Reviewed-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250709233537.655094412b0b.Iacae31af3ba2a705da0a9baea976c2f799d65dc4@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: ed6a47346ec6 ("wifi: mac80211: fix key tailroom accounting leak")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/key.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/key.c b/net/mac80211/key.c
+index 67ecfea229829..7809fac6bae5d 100644
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -510,7 +510,8 @@ static int ieee80211_key_replace(struct ieee80211_sub_if_data *sdata,
+       } else {
+               if (!new->local->wowlan)
+                       ret = ieee80211_key_enable_hw_accel(new);
+-              else
++              else if (link_id < 0 || !sdata->vif.active_links ||
++                       BIT(link_id) & sdata->vif.active_links)
+                       new->flags |= KEY_FLAG_UPLOADED_TO_HARDWARE;
+       }
+-- 
+2.51.0
+
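Review bot: The added condition in ieee80211_key_replace() evaluates `BIT(link_id)` for any non-negative `link_id`, and nothing in the hunk bounds it; a value at or above the width of unsigned long makes the shift undefined. The bound is presumably enforced by callers outside this hunk, so a short comment saying so would do, or the test could compare against `IEEE80211_MLD_MAX_NUM_LINKS` first. The mixed `||` / `&` expression also reads more safely with explicit parentheses: `(BIT(link_id) & sdata->vif.active_links)`. The function body continues outside the hunk.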
diff --git a/queue-6.12/wifi-mac80211-fix-key-tailroom-accounting-leak.patch b/queue-6.12/wifi-mac80211-fix-key-tailroom-accounting-leak.patch
new file mode 100644 (file)
index 0000000..9dc47d1
--- /dev/null
@@ -0,0 +1,52 @@
+From 17594920df1f80255dfb84a949a3bfa248f76acd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Oct 2025 11:54:27 +0300
+Subject: wifi: mac80211: fix key tailroom accounting leak
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit ed6a47346ec69e7f1659e0a1a3558293f60d5dd7 ]
+
+For keys added by ieee80211_gtk_rekey_add(), we assume that
+they're already present in the hardware and set the flag
+KEY_FLAG_UPLOADED_TO_HARDWARE. However, setting this flag
+needs to be paired with decrementing the tailroom needed,
+which was missed.
+
+Fixes: f52a0b408ed1 ("wifi: mac80211: mark keys as uploaded when added by the driver")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20251019115358.c88eafb4083e.I69e9d4d78a756a133668c55b5570cf15a4b0e6a4@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/key.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/key.c b/net/mac80211/key.c
+index 7809fac6bae5d..b679ef23d28fd 100644
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -508,11 +508,16 @@ static int ieee80211_key_replace(struct ieee80211_sub_if_data *sdata,
+                               ret = ieee80211_key_enable_hw_accel(new);
+               }
+       } else {
+-              if (!new->local->wowlan)
++              if (!new->local->wowlan) {
+                       ret = ieee80211_key_enable_hw_accel(new);
+-              else if (link_id < 0 || !sdata->vif.active_links ||
+-                       BIT(link_id) & sdata->vif.active_links)
++              } else if (link_id < 0 || !sdata->vif.active_links ||
++                       BIT(link_id) & sdata->vif.active_links) {
+                       new->flags |= KEY_FLAG_UPLOADED_TO_HARDWARE;
++                      if (!(new->conf.flags & (IEEE80211_KEY_FLAG_GENERATE_MMIC |
++                                               IEEE80211_KEY_FLAG_PUT_MIC_SPACE |
++                                               IEEE80211_KEY_FLAG_RESERVE_TAILROOM)))
++                              decrease_tailroom_need_count(sdata, 1);
++              }
+       }
+       if (ret)
+-- 
+2.51.0
+
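Review bot: The new `decrease_tailroom_need_count(sdata, 1)` in the wowlan branch of ieee80211_key_replace() is only balanced if this key was counted as needing tailroom earlier, and the hunk carries no comment saying where that increment happens. Since the commit message describes the bug as a missed pairing, a comment above the flag test would keep the two sides together, e.g. `/* key is already in hardware: drop the tailroom need taken when it was added */`. The three-flag mask presumably has to match the test used on the normal hardware-upload path, which is outside this hunk; a small shared helper would stop the two from drifting apart.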
diff --git a/queue-6.17/acpi-mrrm-check-revision-of-mrrm-table.patch b/queue-6.17/acpi-mrrm-check-revision-of-mrrm-table.patch
new file mode 100644 (file)
index 0000000..b79e00c
--- /dev/null
@@ -0,0 +1,38 @@
+From 105827c3bd2a7b90aed928f45e4c8f01f0508bf1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 13:45:23 -0700
+Subject: ACPI: MRRM: Check revision of MRRM table
+
+From: Tony Luck <tony.luck@intel.com>
+
+[ Upstream commit dc131bcd8d9219f7da533918abcb0d32951b7702 ]
+
+Before trying to parse the MRRM table, check that the table revision
+is the one that is expected.
+
+Fixes: b9020bdb9f76 ("ACPI: MRRM: Minimal parse of ACPI MRRM table")
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Link: https://patch.msgid.link/20251022204523.10752-1-tony.luck@intel.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_mrrm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/acpi/acpi_mrrm.c b/drivers/acpi/acpi_mrrm.c
+index 47ea3ccc21424..a6dbf623e5571 100644
+--- a/drivers/acpi/acpi_mrrm.c
++++ b/drivers/acpi/acpi_mrrm.c
+@@ -63,6 +63,9 @@ static __init int acpi_parse_mrrm(struct acpi_table_header *table)
+       if (!mrrm)
+               return -ENODEV;
++      if (mrrm->header.revision != 1)
++              return -EINVAL;
++
+       if (mrrm->flags & ACPI_MRRM_FLAGS_REGION_ASSIGNMENT_OS)
+               return -EOPNOTSUPP;
+-- 
+2.51.0
+
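Review bot: The revision test added to acpi_parse_mrrm() rejects the table with `-EINVAL` and no message, so firmware that ships a different MRRM revision loses the feature with nothing in the log to explain why. A one-line warning that prints `mrrm->header.revision` before the return would make that diagnosable. The bare `1` would also read better as a named constant or with a comment such as `/* only revision 1 of the MRRM layout is parsed here */`. The function body continues outside the hunk, so whether later length or count fields taken from the table are validated cannot be judged from here.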
diff --git a/queue-6.17/alsa-usb-audio-add-mono-main-switch-to-presonus-s182.patch b/queue-6.17/alsa-usb-audio-add-mono-main-switch-to-presonus-s182.patch
new file mode 100644 (file)
index 0000000..5e4d3f7
--- /dev/null
@@ -0,0 +1,81 @@
+From 2d50629034d38ba445cfd96a6ab5fcd2e0a07d88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Sep 2025 17:27:30 +0200
+Subject: ALSA: usb-audio: add mono main switch to Presonus S1824c
+
+From: Roy Vegard Ovesen <roy.vegard.ovesen@gmail.com>
+
+[ Upstream commit 659169c4eb21f8d9646044a4f4e1bc314f6f9d0c ]
+
+The 1824c does not have the A/B switch that the 1810c has,
+but instead it has a mono main switch that sums the two
+main output channels to mono.
+
+Signed-off-by: Roy Vegard Ovesen <roy.vegard.ovesen@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Stable-dep-of: 75cdae446ddf ("ALSA: usb-audio: don't log messages meant for 1810c when initializing 1824c")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/mixer_s1810c.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/sound/usb/mixer_s1810c.c b/sound/usb/mixer_s1810c.c
+index 65bdda0841048..2413a6d96971c 100644
+--- a/sound/usb/mixer_s1810c.c
++++ b/sound/usb/mixer_s1810c.c
+@@ -93,6 +93,7 @@ struct s1810c_ctl_packet {
+ #define SC1810C_CTL_LINE_SW   0
+ #define SC1810C_CTL_MUTE_SW   1
++#define SC1824C_CTL_MONO_SW   2
+ #define SC1810C_CTL_AB_SW     3
+ #define SC1810C_CTL_48V_SW    4
+@@ -123,6 +124,7 @@ struct s1810c_state_packet {
+ #define SC1810C_STATE_48V_SW  58
+ #define SC1810C_STATE_LINE_SW 59
+ #define SC1810C_STATE_MUTE_SW 60
++#define SC1824C_STATE_MONO_SW 61
+ #define SC1810C_STATE_AB_SW   62
+ struct s1810_mixer_state {
+@@ -502,6 +504,15 @@ static const struct snd_kcontrol_new snd_s1810c_mute_sw = {
+       .private_value = (SC1810C_STATE_MUTE_SW | SC1810C_CTL_MUTE_SW << 8)
+ };
++static const struct snd_kcontrol_new snd_s1824c_mono_sw = {
++      .iface = SNDRV_CTL_ELEM_IFACE_MIXER,
++      .name = "Mono Main Out Switch",
++      .info = snd_ctl_boolean_mono_info,
++      .get = snd_s1810c_switch_get,
++      .put = snd_s1810c_switch_set,
++      .private_value = (SC1824C_STATE_MONO_SW | SC1824C_CTL_MONO_SW << 8)
++};
++
+ static const struct snd_kcontrol_new snd_s1810c_48v_sw = {
+       .iface = SNDRV_CTL_ELEM_IFACE_MIXER,
+       .name = "48V Phantom Power On Mic Inputs Switch",
+@@ -588,8 +599,17 @@ int snd_sc1810_init_mixer(struct usb_mixer_interface *mixer)
+       if (ret < 0)
+               return ret;
+-      ret = snd_s1810c_switch_init(mixer, &snd_s1810c_ab_sw);
+-      if (ret < 0)
+-              return ret;
++      // The 1824c has a Mono Main switch instead of a
++      // A/B select switch.
++      if (mixer->chip->usb_id == USB_ID(0x194f, 0x010d)) {
++              ret = snd_s1810c_switch_init(mixer, &snd_s1824c_mono_sw);
++              if (ret < 0)
++                      return ret;
++      } else if (mixer->chip->usb_id == USB_ID(0x194f, 0x010c)) {
++              ret = snd_s1810c_switch_init(mixer, &snd_s1810c_ab_sw);
++              if (ret < 0)
++                      return ret;
++      }
++
+       return ret;
+ }
+-- 
+2.51.0
+
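Review bot: In snd_sc1810_init_mixer() the A/B switch used to be registered unconditionally, but after this change a device whose `usb_id` is neither `USB_ID(0x194f, 0x010d)` nor `USB_ID(0x194f, 0x010c)` gets neither switch and the function still returns success. Whether any other ID can reach this function is not visible here; if none can, a comment saying so (or a final `else` that keeps the old A/B behaviour) would make the intent explicit. The two ID literals are unnamed and only the first branch is explained, so a trailing comment per branch naming the model would help. The start of the function is outside the hunk.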
diff --git a/queue-6.17/alsa-usb-audio-don-t-log-messages-meant-for-1810c-wh.patch b/queue-6.17/alsa-usb-audio-don-t-log-messages-meant-for-1810c-wh.patch
new file mode 100644 (file)
index 0000000..b8dcc21
--- /dev/null
@@ -0,0 +1,84 @@
+From 1a3ebf8f884e6c516c3a299585d1602c0bb10fd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 22:15:08 +0200
+Subject: ALSA: usb-audio: don't log messages meant for 1810c when initializing
+ 1824c
+
+From: Roy Vegard Ovesen <roy.vegard.ovesen@gmail.com>
+
+[ Upstream commit 75cdae446ddffe0a6a991bbb146dee51d9d4c865 ]
+
+The log messages for the PreSonus STUDIO 1810c about
+device_setup are not applicable to the 1824c, and should
+not be logged when 1824c initializes.
+
+Refactor from if statement to switch statement as there
+might be more STUDIO series devices added later.
+
+Fixes: 080564558eb1 ("ALSA: usb-audio: enable support for Presonus Studio 1824c within 1810c file")
+Signed-off-by: Roy Vegard Ovesen <roy.vegard.ovesen@gmail.com>
+Link: https://patch.msgid.link/aPaYTP7ceuABf8c7@ark
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/mixer_s1810c.c | 33 ++++++++++++++++++---------------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/sound/usb/mixer_s1810c.c b/sound/usb/mixer_s1810c.c
+index 2413a6d96971c..5b187f89c7f8e 100644
+--- a/sound/usb/mixer_s1810c.c
++++ b/sound/usb/mixer_s1810c.c
+@@ -562,15 +562,6 @@ int snd_sc1810_init_mixer(struct usb_mixer_interface *mixer)
+       if (!list_empty(&chip->mixer_list))
+               return 0;
+-      dev_info(&dev->dev,
+-               "Presonus Studio 1810c, device_setup: %u\n", chip->setup);
+-      if (chip->setup == 1)
+-              dev_info(&dev->dev, "(8out/18in @ 48kHz)\n");
+-      else if (chip->setup == 2)
+-              dev_info(&dev->dev, "(6out/8in @ 192kHz)\n");
+-      else
+-              dev_info(&dev->dev, "(8out/14in @ 96kHz)\n");
+-
+       ret = snd_s1810c_init_mixer_maps(chip);
+       if (ret < 0)
+               return ret;
+@@ -599,16 +590,28 @@ int snd_sc1810_init_mixer(struct usb_mixer_interface *mixer)
+       if (ret < 0)
+               return ret;
+-      // The 1824c has a Mono Main switch instead of a
+-      // A/B select switch.
+-      if (mixer->chip->usb_id == USB_ID(0x194f, 0x010d)) {
+-              ret = snd_s1810c_switch_init(mixer, &snd_s1824c_mono_sw);
++      switch (chip->usb_id) {
++      case USB_ID(0x194f, 0x010c): /* Presonus Studio 1810c */
++              dev_info(&dev->dev,
++                       "Presonus Studio 1810c, device_setup: %u\n", chip->setup);
++              if (chip->setup == 1)
++                      dev_info(&dev->dev, "(8out/18in @ 48kHz)\n");
++              else if (chip->setup == 2)
++                      dev_info(&dev->dev, "(6out/8in @ 192kHz)\n");
++              else
++                      dev_info(&dev->dev, "(8out/14in @ 96kHz)\n");
++
++              ret = snd_s1810c_switch_init(mixer, &snd_s1810c_ab_sw);
+               if (ret < 0)
+                       return ret;
+-      } else if (mixer->chip->usb_id == USB_ID(0x194f, 0x010c)) {
+-              ret = snd_s1810c_switch_init(mixer, &snd_s1810c_ab_sw);
++
++              break;
++      case USB_ID(0x194f, 0x010d): /* Presonus Studio 1824c */
++              ret = snd_s1810c_switch_init(mixer, &snd_s1824c_mono_sw);
+               if (ret < 0)
+                       return ret;
++
++              break;
+       }
+       return ret;
+-- 
+2.51.0
+
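Review bot: Each case of the new `switch (chip->usb_id)` ends with `if (ret < 0) return ret;` followed by `break`, and the statement right after the switch is `return ret;`, so the early returns are redundant; `ret = snd_s1810c_switch_init(...); break;` is enough in both cases. The switch also has no `default:` label, so an unlisted ID passes through silently; `default: break;` with a short comment would document that this is intended. The start of snd_sc1810_init_mixer() is outside the hunks.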
diff --git a/queue-6.17/alsa-usb-audio-fix-control-pipe-direction.patch b/queue-6.17/alsa-usb-audio-fix-control-pipe-direction.patch
new file mode 100644 (file)
index 0000000..b23d77d
--- /dev/null
@@ -0,0 +1,37 @@
+From bdd1ce4cf630778f463ea1fbe1c1ac93c53784c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 19:18:22 +0200
+Subject: ALSA: usb-audio: fix control pipe direction
+
+From: Roy Vegard Ovesen <roy.vegard.ovesen@gmail.com>
+
+[ Upstream commit 7963891f7c9c6f759cc9ab7da71406b4234f3dd6 ]
+
+Since the requesttype has USB_DIR_OUT the pipe should be
+constructed with usb_sndctrlpipe().
+
+Fixes: 8dc5efe3d17c ("ALSA: usb-audio: Add support for Presonus Studio 1810c")
+Signed-off-by: Roy Vegard Ovesen <roy.vegard.ovesen@gmail.com>
+Link: https://patch.msgid.link/aPPL3tBFE_oU-JHv@ark
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/mixer_s1810c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/mixer_s1810c.c b/sound/usb/mixer_s1810c.c
+index fac4bbc6b2757..65bdda0841048 100644
+--- a/sound/usb/mixer_s1810c.c
++++ b/sound/usb/mixer_s1810c.c
+@@ -181,7 +181,7 @@ snd_sc1810c_get_status_field(struct usb_device *dev,
+       pkt_out.fields[SC1810C_STATE_F1_IDX] = SC1810C_SET_STATE_F1;
+       pkt_out.fields[SC1810C_STATE_F2_IDX] = SC1810C_SET_STATE_F2;
+-      ret = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0),
++      ret = snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
+                             SC1810C_SET_STATE_REQ,
+                             SC1810C_SET_STATE_REQTYPE,
+                             (*seqnum), 0, &pkt_out, sizeof(pkt_out));
+-- 
+2.51.0
+
diff --git a/queue-6.17/asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch b/queue-6.17/asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch
new file mode 100644 (file)
index 0000000..9cec687
--- /dev/null
@@ -0,0 +1,38 @@
+From 1228c95afb6fcf2568d4136c2d5f502915519ca9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Oct 2025 10:48:44 +0100
+Subject: ASoC: cs-amp-lib-test: Fix missing include of kunit/test-bug.h
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit ec20584f25233bfe292c8e18f9a429dfaff58a49 ]
+
+cs-amp-lib-test uses functions from kunit/test-bug.h but wasn't
+including it.
+
+This error was found by smatch.
+
+Fixes: 177862317a98 ("ASoC: cs-amp-lib: Add KUnit test for calibration helpers")
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Link: https://patch.msgid.link/20251016094844.92796-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs-amp-lib-test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/codecs/cs-amp-lib-test.c b/sound/soc/codecs/cs-amp-lib-test.c
+index f53650128fc3d..a1a9758a73eb6 100644
+--- a/sound/soc/codecs/cs-amp-lib-test.c
++++ b/sound/soc/codecs/cs-amp-lib-test.c
+@@ -7,6 +7,7 @@
+ #include <kunit/resource.h>
+ #include <kunit/test.h>
++#include <kunit/test-bug.h>
+ #include <kunit/static_stub.h>
+ #include <linux/device/faux.h>
+ #include <linux/firmware/cirrus/cs_dsp.h>
+-- 
+2.51.0
+
diff --git a/queue-6.17/asoc-fsl_micfil-correct-the-endian-format-for-dsd.patch b/queue-6.17/asoc-fsl_micfil-correct-the-endian-format-for-dsd.patch
new file mode 100644 (file)
index 0000000..c4684fc
--- /dev/null
@@ -0,0 +1,47 @@
+From aa3f800397e157dd4bbfd50586114ad0fd581171 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 14:45:38 +0800
+Subject: ASoC: fsl_micfil: correct the endian format for DSD
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit ba3a5e1aeaa01ea67067d725710a839114214fc6 ]
+
+The DSD format supported by micfil is that oldest bit is in bit 31, so
+the format should be DSD little endian format.
+
+Fixes: 21aa330fec31 ("ASoC: fsl_micfil: Add decimation filter bypass mode support")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
+Link: https://patch.msgid.link/20251023064538.368850-3-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_micfil.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
+index aabd90a8b3eca..cac26ba0aa4b0 100644
+--- a/sound/soc/fsl/fsl_micfil.c
++++ b/sound/soc/fsl/fsl_micfil.c
+@@ -131,7 +131,7 @@ static struct fsl_micfil_soc_data fsl_micfil_imx943 = {
+       .fifos = 8,
+       .fifo_depth = 32,
+       .dataline =  0xf,
+-      .formats = SNDRV_PCM_FMTBIT_S32_LE | SNDRV_PCM_FMTBIT_DSD_U32_BE,
++      .formats = SNDRV_PCM_FMTBIT_S32_LE | SNDRV_PCM_FMTBIT_DSD_U32_LE,
+       .use_edma = true,
+       .use_verid = true,
+       .volume_sx = false,
+@@ -823,7 +823,7 @@ static int fsl_micfil_hw_params(struct snd_pcm_substream *substream,
+               break;
+       }
+-      if (format == SNDRV_PCM_FORMAT_DSD_U32_BE) {
++      if (format == SNDRV_PCM_FORMAT_DSD_U32_LE) {
+               micfil->dec_bypass = true;
+               /*
+                * According to equation 29 in RM:
+-- 
+2.51.0
+
diff --git a/queue-6.17/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch b/queue-6.17/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
new file mode 100644 (file)
index 0000000..2f197f4
--- /dev/null
@@ -0,0 +1,46 @@
+From 26c1a8a091b0736a5de0819eab8725a7c36a7aec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 14:45:37 +0800
+Subject: ASoC: fsl_sai: fix bit order for DSD format
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit d9fbe5b0bf7e2d1e20d53e4e2274f9f61bdcca98 ]
+
+The DSD little endian format requires the msb first, because oldest bit
+is in msb.
+found this issue by testing with pipewire.
+
+Fixes: c111c2ddb3fd ("ASoC: fsl_sai: Add PDM daifmt support")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Link: https://patch.msgid.link/20251023064538.368850-2-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_sai.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
+index d0367b21f7757..6c0ae4b33aa4f 100644
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -353,7 +353,6 @@ static int fsl_sai_set_dai_fmt_tr(struct snd_soc_dai *cpu_dai,
+               break;
+       case SND_SOC_DAIFMT_PDM:
+               val_cr2 |= FSL_SAI_CR2_BCP;
+-              val_cr4 &= ~FSL_SAI_CR4_MF;
+               sai->is_pdm_mode = true;
+               break;
+       case SND_SOC_DAIFMT_RIGHT_J:
+@@ -638,7 +637,7 @@ static int fsl_sai_hw_params(struct snd_pcm_substream *substream,
+       val_cr5 |= FSL_SAI_CR5_WNW(slot_width);
+       val_cr5 |= FSL_SAI_CR5_W0W(slot_width);
+-      if (sai->is_lsb_first || sai->is_pdm_mode)
++      if (sai->is_lsb_first)
+               val_cr5 |= FSL_SAI_CR5_FBT(0);
+       else
+               val_cr5 |= FSL_SAI_CR5_FBT(word_width - 1);
+-- 
+2.51.0
+
diff --git a/queue-6.17/asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch b/queue-6.17/asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch
new file mode 100644 (file)
index 0000000..cc1fddc
--- /dev/null
@@ -0,0 +1,61 @@
+From 61397afc1db1733d17c24a3fac31935488daf531 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Oct 2025 15:57:15 +0200
+Subject: ASoC: fsl_sai: Fix sync error in consumer mode
+
+From: Maarten Zanders <maarten@zanders.be>
+
+[ Upstream commit b2dd1d0d322dce5f331961c927e775b84014d5ab ]
+
+When configured for default synchronisation (Rx syncs to Tx) and the
+SAI operates in consumer mode (clocks provided externally to Tx), a
+synchronisation error occurs on Tx on the first attempt after device
+initialisation when the playback stream is started while a capture
+stream is already active. This results in channel shift/swap on the
+playback stream.
+Subsequent streams (ie after that first failing one) always work
+correctly, no matter the order, with or without the other stream active.
+
+This issue was observed (and fix tested) on an i.MX6UL board connected
+to an ADAU1761 codec, where the codec provides both frame and bit clock
+(connected to TX pins).
+
+To fix this, always initialize the 'other' xCR4 and xCR5 registers when
+we're starting a stream which is synced to the opposite one, irregardless
+of the producer/consumer status.
+
+Fixes: 51659ca069ce ("ASoC: fsl-sai: set xCR4/xCR5/xMR for SAI master mode")
+
+Signed-off-by: Maarten Zanders <maarten@zanders.be>
+Reviewed-by: Shengjiu Wang <shengjiu.wang@gmail.com>
+Link: https://patch.msgid.link/20251024135716.584265-1-maarten@zanders.be
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_sai.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
+index 6c0ae4b33aa4f..b6c72c4bd3cd3 100644
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -652,12 +652,12 @@ static int fsl_sai_hw_params(struct snd_pcm_substream *substream,
+               val_cr4 |= FSL_SAI_CR4_CHMOD;
+       /*
+-       * For SAI provider mode, when Tx(Rx) sync with Rx(Tx) clock, Rx(Tx) will
+-       * generate bclk and frame clock for Tx(Rx), we should set RCR4(TCR4),
+-       * RCR5(TCR5) for playback(capture), or there will be sync error.
++       * When Tx(Rx) sync with Rx(Tx) clock, Rx(Tx) will provide bclk and
++       * frame clock for Tx(Rx). We should set RCR4(TCR4), RCR5(TCR5)
++       * for playback(capture), or there will be sync error.
+        */
+-      if (!sai->is_consumer_mode[tx] && fsl_sai_dir_is_synced(sai, adir)) {
++      if (fsl_sai_dir_is_synced(sai, adir)) {
+               regmap_update_bits(sai->regmap, FSL_SAI_xCR4(!tx, ofs),
+                                  FSL_SAI_CR4_SYWD_MASK | FSL_SAI_CR4_FRSZ_MASK |
+                                  FSL_SAI_CR4_CHMOD_MASK,
+-- 
+2.51.0
+
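Review bot: The rewritten comment in fsl_sai_hw_params() no longer says that the rule now holds in consumer mode as well, which is the whole point of dropping `!sai->is_consumer_mode[tx]` from the condition. Without that, the check is easy to reintroduce in a later cleanup; I would add one sentence to the comment, e.g. `* This applies in both provider and consumer mode.` The block guarded by the condition continues past the end of the hunk.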
diff --git a/queue-6.17/asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch b/queue-6.17/asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch
new file mode 100644 (file)
index 0000000..eb1cbe2
--- /dev/null
@@ -0,0 +1,38 @@
+From 2f61b93dd82ce0792fc9b46a4d93447407d5e34f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 11:23:47 +0200
+Subject: ASoC: Intel: avs: Disable periods-elapsed work when closing PCM
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit 845f716dc5f354c719f6fda35048b6c2eca99331 ]
+
+avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio
+stream while period-elapsed work services its IRQs. As the former
+frees the DAI's private context, these two operations shall be
+synchronized to avoid slab-use-after-free or worse errors.
+
+Fixes: 0dbb186c3510 ("ASoC: Intel: avs: Update stream status in a separate thread")
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://patch.msgid.link/20251023092348.3119313-3-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/pcm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/intel/avs/pcm.c b/sound/soc/intel/avs/pcm.c
+index 0d7862910eedd..0180cf7d5fe15 100644
+--- a/sound/soc/intel/avs/pcm.c
++++ b/sound/soc/intel/avs/pcm.c
+@@ -651,6 +651,7 @@ static void avs_dai_fe_shutdown(struct snd_pcm_substream *substream, struct snd_
+       data = snd_soc_dai_get_dma_data(dai, substream);
++      disable_work_sync(&data->period_elapsed_work);
+       snd_hdac_ext_stream_release(data->host_stream, HDAC_EXT_STREAM_TYPE_HOST);
+       avs_dai_shutdown(substream, dai);
+ }
+-- 
+2.51.0
+
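Review bot: The new `disable_work_sync(&data->period_elapsed_work)` in avs_dai_fe_shutdown() is order-sensitive, because it has to complete before the DAI's private context is freed (per the commit message; presumably inside avs_dai_shutdown()), but nothing in the code says so. A comment above the call would protect the ordering against later reshuffling, e.g. `/* Stop period-elapsed work and block requeue before the stream data is released */`. `data` is dereferenced directly after `snd_soc_dai_get_dma_data()` without a check; that predates this change, and whether it can be NULL on this path is not visible here.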
diff --git a/queue-6.17/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch b/queue-6.17/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
new file mode 100644 (file)
index 0000000..7a74d09
--- /dev/null
@@ -0,0 +1,40 @@
+From d828fd37ac75e9fe8e5d60f681f35f179fa410eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 11:23:46 +0200
+Subject: ASoC: Intel: avs: Unprepare a stream when XRUN occurs
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit cfca1637bc2b6b1e4f191d2f0b25f12402fbbb26 ]
+
+The pcm->prepare() function may be called multiple times in a row by the
+userspace, as mentioned in the documentation. The driver shall take that
+into account and prevent redundancy. However, the exact same function is
+called during XRUNs and in such case, the particular stream shall be
+reset and setup anew.
+
+Fixes: 9114700b496c ("ASoC: Intel: avs: Generic PCM FE operations")
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://patch.msgid.link/20251023092348.3119313-2-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/pcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/intel/avs/pcm.c b/sound/soc/intel/avs/pcm.c
+index 67ce6675eea75..0d7862910eedd 100644
+--- a/sound/soc/intel/avs/pcm.c
++++ b/sound/soc/intel/avs/pcm.c
+@@ -754,6 +754,8 @@ static int avs_dai_fe_prepare(struct snd_pcm_substream *substream, struct snd_so
+       data = snd_soc_dai_get_dma_data(dai, substream);
+       host_stream = data->host_stream;
++      if (runtime->state == SNDRV_PCM_STATE_XRUN)
++              hdac_stream(host_stream)->prepared = false;
+       if (hdac_stream(host_stream)->prepared)
+               return 0;
+-- 
+2.51.0
+
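Review bot: The XRUN check added to avs_dai_fe_prepare() clears `prepared` immediately before the existing `if (hdac_stream(host_stream)->prepared)` test, and without a comment it reads like a flag being set only to be tested on the next line. I would add `/* prepare() doubles as XRUN recovery: force a full re-setup */` above the new `if`. The reset and reconfiguration that the cleared flag is meant to trigger are outside the hunk, so whether they fully tear down the previous stream state cannot be confirmed from here.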
diff --git a/queue-6.17/asoc-mediatek-fix-double-pm_runtime_disable-in-remov.patch b/queue-6.17/asoc-mediatek-fix-double-pm_runtime_disable-in-remov.patch
new file mode 100644 (file)
index 0000000..a31a272
--- /dev/null
@@ -0,0 +1,55 @@
+From a25f4c1fab3fd2bb68b2b861bbddf02a6629fca1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 01:04:40 +0800
+Subject: ASoC: mediatek: Fix double pm_runtime_disable in remove functions
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit 79a6f2da168543c0431ade57428f673c19c5b72f ]
+
+Both mt8195-afe-pcm and mt8365-afe-pcm drivers use devm_pm_runtime_enable()
+in probe function, which automatically calls pm_runtime_disable() on device
+removal via devres mechanism. However, the remove callbacks explicitly call
+pm_runtime_disable() again, resulting in double pm_runtime_disable() calls.
+
+Fix by removing the redundant pm_runtime_disable() calls from remove
+functions, letting the devres framework handle it automatically.
+
+Fixes: 2ca0ec01d49c ("ASoC: mediatek: mt8195-afe-pcm: Simplify runtime PM during probe")
+Fixes: e1991d102bc2 ("ASoC: mediatek: mt8365: Add the AFE driver support")
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Link: https://patch.msgid.link/20251020170440.585-1-vulab@iscas.ac.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/mediatek/mt8195/mt8195-afe-pcm.c | 1 -
+ sound/soc/mediatek/mt8365/mt8365-afe-pcm.c | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c b/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c
+index 5d025ad72263f..c63b3444bc176 100644
+--- a/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c
++++ b/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c
+@@ -3176,7 +3176,6 @@ static int mt8195_afe_pcm_dev_probe(struct platform_device *pdev)
+ static void mt8195_afe_pcm_dev_remove(struct platform_device *pdev)
+ {
+-      pm_runtime_disable(&pdev->dev);
+       if (!pm_runtime_status_suspended(&pdev->dev))
+               mt8195_afe_runtime_suspend(&pdev->dev);
+ }
+diff --git a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c
+index 10793bbe9275d..d48252cd96ac4 100644
+--- a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c
++++ b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c
+@@ -2238,7 +2238,6 @@ static void mt8365_afe_pcm_dev_remove(struct platform_device *pdev)
+       mt8365_afe_disable_top_cg(afe, MT8365_TOP_CG_AFE);
+-      pm_runtime_disable(&pdev->dev);
+       if (!pm_runtime_status_suspended(&pdev->dev))
+               mt8365_afe_runtime_suspend(&pdev->dev);
+ }
+-- 
+2.51.0
+
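Review bot: With `pm_runtime_disable()` removed, both remove callbacks (mt8195 and mt8365) now run `pm_runtime_status_suspended()` and the manual `*_afe_runtime_suspend()` call while runtime PM is still enabled, since the devres action described in the commit message only runs after remove() returns. That appears to leave a window in which a runtime-PM transition can overlap with the manual suspend; this is inferred from the visible lines and should be confirmed against the probe path. At minimum a comment such as `/* runtime PM is still enabled here; devres disables it after remove() returns */` above the status check would record the new ordering. The mt8365 remove body starts outside its hunk.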
diff --git a/queue-6.17/asoc-soc_sdw_utils-remove-cs42l43-component_name.patch b/queue-6.17/asoc-soc_sdw_utils-remove-cs42l43-component_name.patch
new file mode 100644 (file)
index 0000000..e717067
--- /dev/null
@@ -0,0 +1,42 @@
+From 43a7d516ad4d533564f98178085754b10e320a67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Oct 2025 22:00:12 +0800
+Subject: ASoC: soc_sdw_utils: remove cs42l43 component_name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bard Liao <yung-chuan.liao@linux.intel.com>
+
+[ Upstream commit 45f5c9eec43a9bf448f46562f146810831916cc9 ]
+
+"spk:cs42l43-spk" component string will be added conditionally by
+asoc_sdw_cs42l43_spk_rtd_init(). We should not add "spk:cs42l43"
+unconditionally.
+
+Fixes: c61da55412a0 ("ASoC: sdw_utils: Add missed component_name strings for speaker amps")
+Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://patch.msgid.link/20251027140012.966306-1-yung-chuan.liao@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sdw_utils/soc_sdw_utils.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/soc/sdw_utils/soc_sdw_utils.c b/sound/soc/sdw_utils/soc_sdw_utils.c
+index 1580331cd34c5..0c95700b8715a 100644
+--- a/sound/soc/sdw_utils/soc_sdw_utils.c
++++ b/sound/soc/sdw_utils/soc_sdw_utils.c
+@@ -600,7 +600,6 @@ struct asoc_sdw_codec_info codec_info_list[] = {
+                       {
+                               .direction = {true, false},
+                               .dai_name = "cs42l43-dp6",
+-                              .component_name = "cs42l43",
+                               .dai_type = SOC_SDW_DAI_TYPE_AMP,
+                               .dailink = {SOC_SDW_AMP_OUT_DAI_ID, SOC_SDW_UNUSED_DAI_ID},
+                               .init = asoc_sdw_cs42l43_spk_init,
+-- 
+2.51.0
+
diff --git a/queue-6.17/bluetooth-btintel_pcie-fix-event-packet-loss-issue.patch b/queue-6.17/bluetooth-btintel_pcie-fix-event-packet-loss-issue.patch
new file mode 100644 (file)
index 0000000..69251f4
--- /dev/null
@@ -0,0 +1,81 @@
+From 005a3b1ee485d145e8e411511f6efeb6005529f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Oct 2025 10:00:43 +0530
+Subject: Bluetooth: btintel_pcie: Fix event packet loss issue
+
+From: Kiran K <kiran.k@intel.com>
+
+[ Upstream commit 057b6ca5961203f16a2a02fb0592661a7a959a84 ]
+
+In the current btintel_pcie driver implementation, when an interrupt is
+received, the driver checks for the alive cause before the TX/RX cause.
+Handling the alive cause involves resetting the TX/RX queue indices.
+This flow works correctly when the causes are mutually exclusive.
+However, if both cause bits are set simultaneously, the alive cause
+resets the queue indices, resulting in an event packet drop and a
+command timeout. To fix this issue, the driver is modified to handle all
+other causes before checking for the alive cause.
+
+Test case:
+Issue is seen with stress reboot scenario - 50x run
+
+[20.337589] Bluetooth: hci0: Device revision is 0
+[20.346750] Bluetooth: hci0: Secure boot is enabled
+[20.346752] Bluetooth: hci0: OTP lock is disabled
+[20.346752] Bluetooth: hci0: API lock is enabled
+[20.346752] Bluetooth: hci0: Debug lock is disabled
+[20.346753] Bluetooth: hci0: Minimum firmware build 1 week 10 2014
+[20.346754] Bluetooth: hci0: Bootloader timestamp 2023.43 buildtype 1 build 11631
+[20.359070] Bluetooth: hci0: Found device firmware: intel/ibt-00a0-00a1-iml.sfi
+[20.371499] Bluetooth: hci0: Boot Address: 0xb02ff800
+[20.385769] Bluetooth: hci0: Firmware Version: 166-34.25
+[20.538257] Bluetooth: hci0: Waiting for firmware download to complete
+[20.554424] Bluetooth: hci0: Firmware loaded in 178651 usecs
+[21.081588] Bluetooth: hci0: Timeout (500 ms) on tx completion
+[21.096541] Bluetooth: hci0: Failed to send frame (-62)
+[21.110240] Bluetooth: hci0: sending frame failed (-62)
+[21.138551] Bluetooth: hci0: Failed to send Intel Reset command
+[21.170153] Bluetooth: hci0: Intel Soft Reset failed (-62)
+
+Signed-off-by: Kiran K <kiran.k@intel.com>
+Signed-off-by: Sai Teja Aluvala <aluvala.sai.teja@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Fixes: c2b636b3f788 ("Bluetooth: btintel_pcie: Add support for PCIe transport")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btintel_pcie.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
+index 585de143ab255..562acaf023f55 100644
+--- a/drivers/bluetooth/btintel_pcie.c
++++ b/drivers/bluetooth/btintel_pcie.c
+@@ -1462,11 +1462,6 @@ static irqreturn_t btintel_pcie_irq_msix_handler(int irq, void *dev_id)
+       if (intr_hw & BTINTEL_PCIE_MSIX_HW_INT_CAUSES_GP1)
+               btintel_pcie_msix_gp1_handler(data);
+-      /* This interrupt is triggered by the firmware after updating
+-       * boot_stage register and image_response register
+-       */
+-      if (intr_hw & BTINTEL_PCIE_MSIX_HW_INT_CAUSES_GP0)
+-              btintel_pcie_msix_gp0_handler(data);
+       /* For TX */
+       if (intr_fh & BTINTEL_PCIE_MSIX_FH_INT_CAUSES_0) {
+@@ -1482,6 +1477,12 @@ static irqreturn_t btintel_pcie_irq_msix_handler(int irq, void *dev_id)
+                       btintel_pcie_msix_tx_handle(data);
+       }
++      /* This interrupt is triggered by the firmware after updating
++       * boot_stage register and image_response register
++       */
++      if (intr_hw & BTINTEL_PCIE_MSIX_HW_INT_CAUSES_GP0)
++              btintel_pcie_msix_gp0_handler(data);
++
+       /*
+        * Before sending the interrupt the HW disables it to prevent a nested
+        * interrupt. This is done by writing 1 to the corresponding bit in
+-- 
+2.51.0
+
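Review bot: The comment moved together with the GP0 check still only says when the interrupt fires, so nothing in btintel_pcie_irq_msix_handler() tells a later reader that the position of this block now matters. According to the commit message the alive handler resets the TX/RX queue indices, so I would extend the comment with a line such as `* Must run after the TX/RX causes: the handler resets the queue indices and a pending event would be dropped.` The handler body starts and ends outside the hunk.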
diff --git a/queue-6.17/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch b/queue-6.17/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
new file mode 100644 (file)
index 0000000..af355aa
--- /dev/null
@@ -0,0 +1,61 @@
+From 292f8877cde50c949bd4494d438064e1bb0f5114 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Sep 2025 13:39:33 +0800
+Subject: Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during
+ reset
+
+From: Chris Lu <chris.lu@mediatek.com>
+
+[ Upstream commit 77343b8b4f87560f8f03e77b98a81ff3a147b262 ]
+
+This patch adds logic to handle power management control when the
+Bluetooth function is closed during the SDIO reset sequence.
+
+Specifically, if BT is closed before reset, the driver enables the
+SDIO function and sets driver pmctrl. After reset, if BT remains
+closed, the driver sets firmware pmctrl and disables the SDIO function.
+
+These changes ensure proper power management and device state consistency
+across the reset flow.
+
+Fixes: 8fafe702253d ("Bluetooth: mt7921s: support bluetooth reset mechanism")
+Signed-off-by: Chris Lu <chris.lu@mediatek.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btmtksdio.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c
+index 4fc673640bfce..24ce1bf660669 100644
+--- a/drivers/bluetooth/btmtksdio.c
++++ b/drivers/bluetooth/btmtksdio.c
+@@ -1270,6 +1270,12 @@ static void btmtksdio_reset(struct hci_dev *hdev)
+       sdio_claim_host(bdev->func);
++      /* set drv_pmctrl if BT is closed before doing reset */
++      if (!test_bit(BTMTKSDIO_FUNC_ENABLED, &bdev->tx_state)) {
++              sdio_enable_func(bdev->func);
++              btmtksdio_drv_pmctrl(bdev);
++      }
++
+       sdio_writel(bdev->func, C_INT_EN_CLR, MTK_REG_CHLPCR, NULL);
+       skb_queue_purge(&bdev->txq);
+       cancel_work_sync(&bdev->txrx_work);
+@@ -1285,6 +1291,12 @@ static void btmtksdio_reset(struct hci_dev *hdev)
+               goto err;
+       }
++      /* set fw_pmctrl back if BT is closed after doing reset */
++      if (!test_bit(BTMTKSDIO_FUNC_ENABLED, &bdev->tx_state)) {
++              btmtksdio_fw_pmctrl(bdev);
++              sdio_disable_func(bdev->func);
++      }
++
+       clear_bit(BTMTKSDIO_PATCH_ENABLED, &bdev->tx_state);
+ err:
+       sdio_release_host(bdev->func);
+-- 
+2.51.0
+
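Review bot: The return value of `sdio_enable_func(bdev->func)` is ignored in the first added block of btmtksdio_reset(), so a failed enable still falls through to `btmtksdio_drv_pmctrl()` and the register writes that follow. A guard such as `if (sdio_enable_func(bdev->func)) goto err;` keeps the reset from touching a function that is not enabled. The second added block sits after the `goto err` shown just above it, so when the reset fails with BT closed the function appears to stay enabled and driver-owned; that path needs either the same restore or a comment saying it is intentional. The function body starts and ends outside the hunk.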
diff --git a/queue-6.17/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch b/queue-6.17/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch
new file mode 100644 (file)
index 0000000..c3279a9
--- /dev/null
@@ -0,0 +1,78 @@
+From 73a626477eee5d9a5c0568e817055f93ccb86ea2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Oct 2025 10:55:58 -0400
+Subject: Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 0d92808024b4e9868cef68d16f121d509843e80e ]
+
+This fixes the state tracking of advertisement set/instance 0x00 which
+is considered a legacy instance and is not tracked individually by
+adv_instances list, previously it was assumed that hci_dev itself would
+track it via HCI_LE_ADV but that is a global state not specifc to
+instance 0x00, so to fix it a new flag is introduced that only tracks the
+state of instance 0x00.
+
+Fixes: 1488af7b8b5f ("Bluetooth: hci_sync: Fix hci_resume_advertising_sync")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci.h | 1 +
+ net/bluetooth/hci_event.c   | 4 ++++
+ net/bluetooth/hci_sync.c    | 5 ++---
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
+index df1847b74e55e..dca650cede3c4 100644
+--- a/include/net/bluetooth/hci.h
++++ b/include/net/bluetooth/hci.h
+@@ -434,6 +434,7 @@ enum {
+       HCI_USER_CHANNEL,
+       HCI_EXT_CONFIGURED,
+       HCI_LE_ADV,
++      HCI_LE_ADV_0,
+       HCI_LE_PER_ADV,
+       HCI_LE_SCAN,
+       HCI_SSP_ENABLED,
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index fe49e8a7969ff..e1b7eabe72744 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -1609,6 +1609,8 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
+               if (adv && !adv->periodic)
+                       adv->enabled = true;
++              else if (!set->handle)
++                      hci_dev_set_flag(hdev, HCI_LE_ADV_0);
+               conn = hci_lookup_le_connect(hdev);
+               if (conn)
+@@ -1619,6 +1621,8 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
+               if (cp->num_of_sets) {
+                       if (adv)
+                               adv->enabled = false;
++                      else if (!set->handle)
++                              hci_dev_clear_flag(hdev, HCI_LE_ADV_0);
+                       /* If just one instance was disabled check if there are
+                        * any other instance enabled before clearing HCI_LE_ADV
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index d160e5e1fe8ab..28ad08cd7d706 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -2606,9 +2606,8 @@ static int hci_resume_advertising_sync(struct hci_dev *hdev)
+               /* If current advertising instance is set to instance 0x00
+                * then we need to re-enable it.
+                */
+-              if (!hdev->cur_adv_instance)
+-                      err = hci_enable_ext_advertising_sync(hdev,
+-                                                            hdev->cur_adv_instance);
++              if (hci_dev_test_and_clear_flag(hdev, HCI_LE_ADV_0))
++                      err = hci_enable_ext_advertising_sync(hdev, 0x00);
+       } else {
+               /* Schedule for most recent instance to be restarted and begin
+                * the software rotation loop
+-- 
+2.51.0
+
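Review bot: In hci_resume_advertising_sync() the new `hci_dev_test_and_clear_flag(hdev, HCI_LE_ADV_0)` clears the flag before `hci_enable_ext_advertising_sync()` has succeeded, so if the enable fails the record that instance 0x00 was advertising is lost and a later resume would not retry it. The flag is presumably set again by hci_cc_le_set_ext_adv_enable() on success, so restoring it on the error path would be enough: `if (err) hci_dev_set_flag(hdev, HCI_LE_ADV_0);`. The new enum value in hci.h would also benefit from a one-line comment stating that it tracks only instance 0x00, unlike the global `HCI_LE_ADV`. All three functions continue outside their hunks.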
diff --git a/queue-6.17/bluetooth-hci_conn-fix-connection-cleanup-with-big-w.patch b/queue-6.17/bluetooth-hci_conn-fix-connection-cleanup-with-big-w.patch
new file mode 100644 (file)
index 0000000..5791288
--- /dev/null
@@ -0,0 +1,49 @@
+From a76c4c5b3c92b19f692905248d7b18101ac25991 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 16:29:41 -0400
+Subject: Bluetooth: hci_conn: Fix connection cleanup with BIG with 2 or more
+ BIS
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 857eb0fabc389be5159e0e17d84bc122614b5b98 ]
+
+This fixes bis_cleanup not considering connections in BT_OPEN state
+before attempting to remove the BIG causing the following error:
+
+btproxy[20110]: < HCI Command: LE Terminate Broadcast Isochronous Group (0x08|0x006a) plen 2
+        BIG Handle: 0x01
+        Reason: Connection Terminated By Local Host (0x16)
+> HCI Event: Command Status (0x0f) plen 4
+      LE Terminate Broadcast Isochronous Group (0x08|0x006a) ncmd 1
+        Status: Unknown Advertising Identifier (0x42)
+
+Fixes: fa224d0c094a ("Bluetooth: ISO: Reassociate a socket with an active BIS")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_conn.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index e524bb59bff23..63ae62fe20bbc 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -843,6 +843,13 @@ static void bis_cleanup(struct hci_conn *conn)
+               if (bis)
+                       return;
++              bis = hci_conn_hash_lookup_big_state(hdev,
++                                                   conn->iso_qos.bcast.big,
++                                                   BT_OPEN,
++                                                   HCI_ROLE_MASTER);
++              if (bis)
++                      return;
++
+               hci_le_terminate_big(hdev, conn);
+       } else {
+               hci_le_big_terminate(hdev, conn->iso_qos.bcast.big,
+-- 
+2.51.0
+
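Review bot: The lookup added to bis_cleanup() repeats the pattern of the check above it with `BT_OPEN` as the state, and nothing in the code says why that state matters. A comment such as `/* A BIS still in BT_OPEN belongs to this BIG too; do not terminate the BIG while one exists */` would record the reason given in the commit message. The arguments of the preceding lookup are outside the hunk, so whether the two calls could share a helper cannot be judged from here.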
diff --git a/queue-6.17/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch b/queue-6.17/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch
new file mode 100644 (file)
index 0000000..7102472
--- /dev/null
@@ -0,0 +1,88 @@
+From 21b78ea5cdc88134e18fe6f454fb8e56f1d24351 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 16:03:19 -0400
+Subject: Bluetooth: hci_core: Fix tracking of periodic advertisement
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 751463ceefc3397566d03c8b64ef4a77f5fd88ac ]
+
+Periodic advertising enabled flag cannot be tracked by the enabled
+flag since advertising and periodic advertising each can be
+enabled/disabled separately from one another causing the states to be
+inconsistent when for example an advertising set is disabled its
+enabled flag is set to false which is then used for periodic which has
+not being disabled.
+
+Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 1 +
+ net/bluetooth/hci_event.c        | 7 +++++--
+ net/bluetooth/hci_sync.c         | 4 ++--
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 6560b32f31255..8a4b2ac15f470 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -244,6 +244,7 @@ struct adv_info {
+       bool    enabled;
+       bool    pending;
+       bool    periodic;
++      bool    periodic_enabled;
+       __u8    mesh;
+       __u8    instance;
+       __u8    handle;
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index e1b7eabe72744..429f5a858a14b 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -1607,7 +1607,7 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
+               hci_dev_set_flag(hdev, HCI_LE_ADV);
+-              if (adv && !adv->periodic)
++              if (adv)
+                       adv->enabled = true;
+               else if (!set->handle)
+                       hci_dev_set_flag(hdev, HCI_LE_ADV_0);
+@@ -3963,8 +3963,11 @@ static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
+               hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
+               if (adv)
+-                      adv->enabled = true;
++                      adv->periodic_enabled = true;
+       } else {
++              if (adv)
++                      adv->periodic_enabled = false;
++
+               /* If just one instance was disabled check if there are
+                * any other instance enabled before clearing HCI_LE_PER_ADV.
+                * The current periodic adv instance will be marked as
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 28ad08cd7d706..73fc41b68b687 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -1607,7 +1607,7 @@ int hci_disable_per_advertising_sync(struct hci_dev *hdev, u8 instance)
+       /* If periodic advertising already disabled there is nothing to do. */
+       adv = hci_find_adv_instance(hdev, instance);
+-      if (!adv || !adv->periodic || !adv->enabled)
++      if (!adv || !adv->periodic_enabled)
+               return 0;
+       memset(&cp, 0, sizeof(cp));
+@@ -1672,7 +1672,7 @@ static int hci_enable_per_advertising_sync(struct hci_dev *hdev, u8 instance)
+       /* If periodic advertising already enabled there is nothing to do. */
+       adv = hci_find_adv_instance(hdev, instance);
+-      if (adv && adv->periodic && adv->enabled)
++      if (adv && adv->periodic_enabled)
+               return 0;
+       memset(&cp, 0, sizeof(cp));
+-- 
+2.51.0
+
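Review bot: In the disable branch of hci_cc_le_set_per_adv_enable() the retained comment still says the current periodic instance "will be marked as" something at a later point, while the added lines now clear `periodic_enabled` immediately, and the check for other enabled instances that this comment introduces lies outside the hunk. If that check still tests `adv->enabled`, it would now be reading the extended-advertising state rather than the periodic one and should test `adv->periodic_enabled`; this cannot be confirmed from the visible lines. The new `periodic_enabled` field in struct adv_info would also read better with a short comment distinguishing it from `periodic` and `enabled`.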
diff --git a/queue-6.17/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch b/queue-6.17/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch
new file mode 100644 (file)
index 0000000..ebda3c4
--- /dev/null
@@ -0,0 +1,55 @@
+From 6af7550763e06ef7d1f5b890600b590ff03352cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Sep 2025 05:30:17 +0000
+Subject: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
+
+From: Cen Zhang <zzzccc427@163.com>
+
+[ Upstream commit 09b0cd1297b4dbfe736aeaa0ceeab2265f47f772 ]
+
+hci_cmd_sync_dequeue_once() does lookup and then cancel
+the entry under two separate lock sections. Meanwhile,
+hci_cmd_sync_work() can also delete the same entry,
+leading to double list_del() and "UAF".
+
+Fix this by holding cmd_sync_work_lock across both
+lookup and cancel, so that the entry cannot be removed
+concurrently.
+
+Fixes: 505ea2b29592 ("Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue")
+Reported-by: Cen Zhang <zzzccc427@163.com>
+Signed-off-by: Cen Zhang <zzzccc427@163.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index eefdb6134ca53..d160e5e1fe8ab 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -863,11 +863,17 @@ bool hci_cmd_sync_dequeue_once(struct hci_dev *hdev,
+ {
+       struct hci_cmd_sync_work_entry *entry;
+-      entry = hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
+-      if (!entry)
++      mutex_lock(&hdev->cmd_sync_work_lock);
++
++      entry = _hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
++      if (!entry) {
++              mutex_unlock(&hdev->cmd_sync_work_lock);
+               return false;
++      }
+-      hci_cmd_sync_cancel_entry(hdev, entry);
++      _hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
++
++      mutex_unlock(&hdev->cmd_sync_work_lock);
+       return true;
+ }
+-- 
+2.51.0
+
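Review bot: hci_cmd_sync_dequeue_once() now has two separate `mutex_unlock(&hdev->cmd_sync_work_lock)` exits and no comment stating that lookup and cancel must share one critical section, which is the whole point of the fix. I would add `/* Lookup and cancel under one lock so hci_cmd_sync_work() cannot remove the entry in between */` above the `mutex_lock()` call. A single exit through an `unlock:` label with a `bool` result would also make it harder for a later change to return with the mutex held. The function signature starts outside the hunk.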
diff --git a/queue-6.17/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch b/queue-6.17/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch
new file mode 100644 (file)
index 0000000..55206d7
--- /dev/null
@@ -0,0 +1,42 @@
+From a4f558aeabb4591952c18c0a8816c9cf5478b8a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Oct 2025 13:29:15 -0400
+Subject: Bluetooth: ISO: Fix another instance of dst_type handling
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit c403da5e98b04a2aec9cfb25cbeeb28d7ce29975 ]
+
+Socket dst_type cannot be directly assigned to hci_conn->type since
+there domain is different which may lead to the wrong address type being
+used.
+
+Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/iso.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index 4351b0b794e57..6e2923b301505 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -2035,7 +2035,13 @@ static void iso_conn_ready(struct iso_conn *conn)
+               }
+               bacpy(&iso_pi(sk)->dst, &hcon->dst);
+-              iso_pi(sk)->dst_type = hcon->dst_type;
++
++              /* Convert from HCI to three-value type */
++              if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
++                      iso_pi(sk)->dst_type = BDADDR_LE_PUBLIC;
++              else
++                      iso_pi(sk)->dst_type = BDADDR_LE_RANDOM;
++
+               iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle;
+               memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len);
+               iso_pi(sk)->base_len = iso_pi(parent)->base_len;
+-- 
+2.51.0
+
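Review bot: The open-coded conversion in iso_conn_ready() maps every `hcon->dst_type` other than `ADDR_LE_DEV_PUBLIC` to `BDADDR_LE_RANDOM`, and the comment "three-value type" does not say which values are expected on the HCI side. Since the subject calls this "another instance", the same mapping presumably exists elsewhere, and a small static helper would keep the copies from drifting apart. At minimum the comment could read `/* hcon->dst_type is an HCI ADDR_LE_DEV_* value; the socket stores BDADDR_LE_* */`. The function body starts and ends outside the hunk.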
diff --git a/queue-6.17/bluetooth-iso-fix-bis-connection-dst_type-handling.patch b/queue-6.17/bluetooth-iso-fix-bis-connection-dst_type-handling.patch
new file mode 100644 (file)
index 0000000..9622835
--- /dev/null
@@ -0,0 +1,36 @@
+From 5857d84bae03636cf9d3939c3c82279a13b00edb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Sep 2025 11:48:50 -0400
+Subject: Bluetooth: ISO: Fix BIS connection dst_type handling
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit f0c200a4a537f8f374584a974518b0ce69eda76c ]
+
+Socket dst_type cannot be directly assigned to hci_conn->type since
+there domain is different which may lead to the wrong address type being
+used.
+
+Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/iso.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index 88602f19decac..4351b0b794e57 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -2021,7 +2021,7 @@ static void iso_conn_ready(struct iso_conn *conn)
+                */
+               if (!bacmp(&hcon->dst, BDADDR_ANY)) {
+                       bacpy(&hcon->dst, &iso_pi(parent)->dst);
+-                      hcon->dst_type = iso_pi(parent)->dst_type;
++                      hcon->dst_type = le_addr_type(iso_pi(parent)->dst_type);
+               }
+               if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) {
+-- 
+2.51.0
+
diff --git a/queue-6.17/bluetooth-mgmt-fix-crash-in-set_mesh_sync-and-set_me.patch b/queue-6.17/bluetooth-mgmt-fix-crash-in-set_mesh_sync-and-set_me.patch
new file mode 100644 (file)
index 0000000..540a742
--- /dev/null
@@ -0,0 +1,114 @@
+From b8e68e76a72aa107309f26f78ccd405f0d559be1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Oct 2025 22:07:32 +0300
+Subject: Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete
+
+From: Pauli Virtanen <pav@iki.fi>
+
+[ Upstream commit e8785404de06a69d89dcdd1e9a0b6ea42dc6d327 ]
+
+There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to
+memcpy from badly declared on-stack flexible array.
+
+Another crash is in set_mesh_complete() due to double list_del via
+mgmt_pending_valid + mgmt_pending_remove.
+
+Use DEFINE_FLEX to declare the flexible array right, and don't memcpy
+outside bounds.
+
+As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free,
+and also report status on error.
+
+Fixes: 302a1f674c00d ("Bluetooth: MGMT: Fix possible UAFs")
+Signed-off-by: Pauli Virtanen <pav@iki.fi>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/mgmt.h |  2 +-
+ net/bluetooth/mgmt.c         | 26 +++++++++++++++-----------
+ 2 files changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/include/net/bluetooth/mgmt.h b/include/net/bluetooth/mgmt.h
+index 3575cd16049a8..6095cbb03811d 100644
+--- a/include/net/bluetooth/mgmt.h
++++ b/include/net/bluetooth/mgmt.h
+@@ -848,7 +848,7 @@ struct mgmt_cp_set_mesh {
+       __le16 window;
+       __le16 period;
+       __u8   num_ad_types;
+-      __u8   ad_types[];
++      __u8   ad_types[] __counted_by(num_ad_types);
+ } __packed;
+ #define MGMT_SET_MESH_RECEIVER_SIZE   6
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index a3d16eece0d23..24e335e3a7271 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -2175,19 +2175,24 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
+       sk = cmd->sk;
+       if (status) {
++              mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
++                              status);
+               mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true,
+                                    cmd_status_rsp, &status);
+-              return;
++              goto done;
+       }
+-      mgmt_pending_remove(cmd);
+       mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER, 0, NULL, 0);
++
++done:
++      mgmt_pending_free(cmd);
+ }
+ static int set_mesh_sync(struct hci_dev *hdev, void *data)
+ {
+       struct mgmt_pending_cmd *cmd = data;
+-      struct mgmt_cp_set_mesh cp;
++      DEFINE_FLEX(struct mgmt_cp_set_mesh, cp, ad_types, num_ad_types,
++                  sizeof(hdev->mesh_ad_types));
+       size_t len;
+       mutex_lock(&hdev->mgmt_pending_lock);
+@@ -2197,27 +2202,26 @@ static int set_mesh_sync(struct hci_dev *hdev, void *data)
+               return -ECANCELED;
+       }
+-      memcpy(&cp, cmd->param, sizeof(cp));
++      len = cmd->param_len;
++      memcpy(cp, cmd->param, min(__struct_size(cp), len));
+       mutex_unlock(&hdev->mgmt_pending_lock);
+-      len = cmd->param_len;
+-
+       memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types));
+-      if (cp.enable)
++      if (cp->enable)
+               hci_dev_set_flag(hdev, HCI_MESH);
+       else
+               hci_dev_clear_flag(hdev, HCI_MESH);
+-      hdev->le_scan_interval = __le16_to_cpu(cp.period);
+-      hdev->le_scan_window = __le16_to_cpu(cp.window);
++      hdev->le_scan_interval = __le16_to_cpu(cp->period);
++      hdev->le_scan_window = __le16_to_cpu(cp->window);
+-      len -= sizeof(cp);
++      len -= sizeof(struct mgmt_cp_set_mesh);
+       /* If filters don't fit, forward all adv pkts */
+       if (len <= sizeof(hdev->mesh_ad_types))
+-              memcpy(hdev->mesh_ad_types, cp.ad_types, len);
++              memcpy(hdev->mesh_ad_types, cp->ad_types, len);
+       hci_update_passive_scan_sync(hdev);
+       return 0;
+-- 
+2.51.0
+
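Review bot: In set_mesh_sync() `len -= sizeof(struct mgmt_cp_set_mesh)` wraps around when `cmd->param_len` is shorter than the fixed header, and the code only stays safe because the wrapped value then fails the `len <= sizeof(hdev->mesh_ad_types)` test. An explicit `if (len < sizeof(struct mgmt_cp_set_mesh)) return -EINVAL;` right after the unlock would make that independent of the later comparison, unless the caller already enforces a minimum length, which is not visible here. The `memcpy()` into `cp` also overwrites `num_ad_types` with the value supplied in the command, while `ad_types` is now annotated `__counted_by(num_ad_types)` and the final copy is sized by `len`. Checking that `cp->num_ad_types` agrees with the trailing byte count would keep the annotation truthful for bounds checking. Both function bodies extend beyond their hunks.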
diff --git a/queue-6.17/bpf-conditionally-include-dynptr-copy-kfuncs.patch b/queue-6.17/bpf-conditionally-include-dynptr-copy-kfuncs.patch
new file mode 100644 (file)
index 0000000..350442e
--- /dev/null
@@ -0,0 +1,63 @@
+From c87cd82b0858bf98bc4377f8a70f8faef0b0ab03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Oct 2025 17:14:36 +0200
+Subject: bpf: Conditionally include dynptr copy kfuncs
+
+From: Malin Jonsson <malin.jonsson@est.tech>
+
+[ Upstream commit 8ce93aabbf75171470e3d1be56bf1a6937dc5db8 ]
+
+Since commit a498ee7576de ("bpf: Implement dynptr copy kfuncs"), if
+CONFIG_BPF_EVENTS is not enabled, but BPF_SYSCALL and DEBUG_INFO_BTF are,
+the build will break like so:
+
+  BTFIDS  vmlinux.unstripped
+WARN: resolve_btfids: unresolved symbol bpf_probe_read_user_str_dynptr
+WARN: resolve_btfids: unresolved symbol bpf_probe_read_user_dynptr
+WARN: resolve_btfids: unresolved symbol bpf_probe_read_kernel_str_dynptr
+WARN: resolve_btfids: unresolved symbol bpf_probe_read_kernel_dynptr
+WARN: resolve_btfids: unresolved symbol bpf_copy_from_user_task_str_dynptr
+WARN: resolve_btfids: unresolved symbol bpf_copy_from_user_task_dynptr
+WARN: resolve_btfids: unresolved symbol bpf_copy_from_user_str_dynptr
+WARN: resolve_btfids: unresolved symbol bpf_copy_from_user_dynptr
+make[2]: *** [scripts/Makefile.vmlinux:72: vmlinux.unstripped] Error 255
+make[2]: *** Deleting file 'vmlinux.unstripped'
+make[1]: *** [/repo/malin/upstream/linux/Makefile:1242: vmlinux] Error 2
+make: *** [Makefile:248: __sub-make] Error 2
+
+Guard these symbols with #ifdef CONFIG_BPF_EVENTS to resolve the problem.
+
+Fixes: a498ee7576de ("bpf: Implement dynptr copy kfuncs")
+Reported-by: Yong Gu <yong.g.gu@ericsson.com>
+Acked-by: Mykyta Yatsenko <yatsenko@meta.com>
+Signed-off-by: Malin Jonsson <malin.jonsson@est.tech>
+Link: https://lore.kernel.org/r/20251024151436.139131-1-malin.jonsson@est.tech
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/helpers.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index 9c750a6a895bf..a12f4fa444086 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -3816,6 +3816,7 @@ BTF_ID_FLAGS(func, bpf_iter_kmem_cache_next, KF_ITER_NEXT | KF_RET_NULL | KF_SLE
+ BTF_ID_FLAGS(func, bpf_iter_kmem_cache_destroy, KF_ITER_DESTROY | KF_SLEEPABLE)
+ BTF_ID_FLAGS(func, bpf_local_irq_save)
+ BTF_ID_FLAGS(func, bpf_local_irq_restore)
++#ifdef CONFIG_BPF_EVENTS
+ BTF_ID_FLAGS(func, bpf_probe_read_user_dynptr)
+ BTF_ID_FLAGS(func, bpf_probe_read_kernel_dynptr)
+ BTF_ID_FLAGS(func, bpf_probe_read_user_str_dynptr)
+@@ -3824,6 +3825,7 @@ BTF_ID_FLAGS(func, bpf_copy_from_user_dynptr, KF_SLEEPABLE)
+ BTF_ID_FLAGS(func, bpf_copy_from_user_str_dynptr, KF_SLEEPABLE)
+ BTF_ID_FLAGS(func, bpf_copy_from_user_task_dynptr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
+ BTF_ID_FLAGS(func, bpf_copy_from_user_task_str_dynptr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
++#endif
+ #ifdef CONFIG_DMA_SHARED_BUFFER
+ BTF_ID_FLAGS(func, bpf_iter_dmabuf_new, KF_ITER_NEW | KF_SLEEPABLE)
+ BTF_ID_FLAGS(func, bpf_iter_dmabuf_next, KF_ITER_NEXT | KF_RET_NULL | KF_SLEEPABLE)
+-- 
+2.51.0
+
diff --git a/queue-6.17/bpf-do-not-audit-capability-check-in-do_jit.patch b/queue-6.17/bpf-do-not-audit-capability-check-in-do_jit.patch
new file mode 100644 (file)
index 0000000..380075b
--- /dev/null
@@ -0,0 +1,50 @@
+From 5aac23cf837cd20a3249c21f4e13cf4ce3ae40b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 14:27:58 +0200
+Subject: bpf: Do not audit capability check in do_jit()
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+[ Upstream commit 881a9c9cb7856b24e390fad9f59acfd73b98b3b2 ]
+
+The failure of this check only results in a security mitigation being
+applied, slightly affecting performance of the compiled BPF program. It
+doesn't result in a failed syscall, an thus auditing a failed LSM
+permission check for it is unwanted. For example with SELinux, it causes
+a denial to be reported for confined processes running as root, which
+tends to be flagged as a problem to be fixed in the policy. Yet
+dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
+desirable, as it would allow/silence also other checks - either going
+against the principle of least privilege or making debugging potentially
+harder.
+
+Fix it by changing it from capable() to ns_capable_noaudit(), which
+instructs the LSMs to not audit the resulting denials.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326
+Fixes: d4e89d212d40 ("x86/bpf: Call branch history clearing sequence on exit")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-by: Paul Moore <paul@paul-moore.com>
+Link: https://lore.kernel.org/r/20251021122758.2659513-1-omosnace@redhat.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index 7e3fca1646203..574586a6d97f8 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -2592,7 +2592,7 @@ st:                      if (is_imm8(insn->off))
+                       /* Update cleanup_addr */
+                       ctx->cleanup_addr = proglen;
+                       if (bpf_prog_was_classic(bpf_prog) &&
+-                          !capable(CAP_SYS_ADMIN)) {
++                          !ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) {
+                               u8 *ip = image + addrs[i - 1];
+                               if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog))
+-- 
+2.51.0
+
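Review bot: The new `ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)` call in the `bpf_prog_was_classic()` branch carries no comment, so both the `_noaudit` variant and the explicit `&init_user_ns` will look arbitrary to a reader who does not have the changelog. The condition decides whether `emit_spectre_bhb_barrier()` is emitted for a classic BPF program, so a denial means the mitigation is applied, not that anything fails. I would say so in place, e.g. `/* Denial only enables the BHB barrier, nothing fails; do not audit it. */`. The capability is evaluated against the credentials of whichever task runs the JIT, which I assume is the program loader but cannot confirm from this hunk. The enclosing do_jit() body starts and ends outside the hunk.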
diff --git a/queue-6.17/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch b/queue-6.17/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
new file mode 100644 (file)
index 0000000..511a6b1
--- /dev/null
@@ -0,0 +1,46 @@
+From ad3685da4429a5e7012d2c5a1fcb0a35e27790c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 23:33:01 +0530
+Subject: bpf: Sync pending IRQ work before freeing ring buffer
+
+From: Noorain Eqbal <nooraineqbal@gmail.com>
+
+[ Upstream commit 4e9077638301816a7d73fa1e1b4c1db4a7e3b59c ]
+
+Fix a race where irq_work can be queued in bpf_ringbuf_commit()
+but the ring buffer is freed before the work executes.
+In the syzbot reproducer, a BPF program attached to sched_switch
+triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer
+is freed before this work executes, the irq_work thread may accesses
+freed memory.
+Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work
+complete before freeing the buffer.
+
+Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
+Reported-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2617fc732430968b45d2
+Tested-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Signed-off-by: Noorain Eqbal <nooraineqbal@gmail.com>
+Link: https://lore.kernel.org/r/20251020180301.103366-1-nooraineqbal@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/ringbuf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c
+index 719d73299397b..d706c4b7f532d 100644
+--- a/kernel/bpf/ringbuf.c
++++ b/kernel/bpf/ringbuf.c
+@@ -216,6 +216,8 @@ static struct bpf_map *ringbuf_map_alloc(union bpf_attr *attr)
+ static void bpf_ringbuf_free(struct bpf_ringbuf *rb)
+ {
++      irq_work_sync(&rb->work);
++
+       /* copy pages pointer and nr_pages to local variable, as we are going
+        * to unmap rb itself with vunmap() below
+        */
+-- 
+2.51.0
+
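Review bot: `irq_work_sync(&rb->work)` at the top of bpf_ringbuf_free() only waits for work that is already queued, and nothing in this hunk shows what stops bpf_ringbuf_commit() from queueing `rb->work` again between the sync and the vunmap() mentioned in the comment below it. Presumably no program can reach the map once the free path runs, but that is the invariant the fix depends on and it should be written next to the call, e.g. `/* No producer can reach rb any more; wait for irq_work queued by bpf_ringbuf_commit() before unmapping. */`. Since irq_work_sync() waits for the work to finish, it is also worth confirming that every caller of this function runs in a context where waiting is allowed. The rest of bpf_ringbuf_free() is outside the hunk.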
diff --git a/queue-6.17/crypto-aspeed-fix-double-free-caused-by-devm.patch b/queue-6.17/crypto-aspeed-fix-double-free-caused-by-devm.patch
new file mode 100644 (file)
index 0000000..bee19c6
--- /dev/null
@@ -0,0 +1,48 @@
+From 2b8863693bd362d9116e5b525e895153af53ce05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 18:11:09 +0800
+Subject: crypto: aspeed - fix double free caused by devm
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit 3c9bf72cc1ced1297b235f9422d62b613a3fdae9 ]
+
+The clock obtained via devm_clk_get_enabled() is automatically managed
+by devres and will be disabled and freed on driver detach. Manually
+calling clk_disable_unprepare() in error path and remove function
+causes double free.
+
+Remove the manual clock cleanup in both aspeed_acry_probe()'s error
+path and aspeed_acry_remove().
+
+Fixes: 2f1cf4e50c95 ("crypto: aspeed - Add ACRY RSA driver")
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/aspeed/aspeed-acry.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/crypto/aspeed/aspeed-acry.c b/drivers/crypto/aspeed/aspeed-acry.c
+index 8d1c79aaca07d..5993bcba97163 100644
+--- a/drivers/crypto/aspeed/aspeed-acry.c
++++ b/drivers/crypto/aspeed/aspeed-acry.c
+@@ -787,7 +787,6 @@ static int aspeed_acry_probe(struct platform_device *pdev)
+ err_engine_rsa_start:
+       crypto_engine_exit(acry_dev->crypt_engine_rsa);
+ clk_exit:
+-      clk_disable_unprepare(acry_dev->clk);
+       return rc;
+ }
+@@ -799,7 +798,6 @@ static void aspeed_acry_remove(struct platform_device *pdev)
+       aspeed_acry_unregister(acry_dev);
+       crypto_engine_exit(acry_dev->crypt_engine_rsa);
+       tasklet_kill(&acry_dev->done_task);
+-      clk_disable_unprepare(acry_dev->clk);
+ }
+ MODULE_DEVICE_TABLE(of, aspeed_acry_of_matches);
+-- 
+2.51.0
+
diff --git a/queue-6.17/crypto-s390-phmac-do-not-modify-the-req-nbytes-value.patch b/queue-6.17/crypto-s390-phmac-do-not-modify-the-req-nbytes-value.patch
new file mode 100644 (file)
index 0000000..aa7028e
--- /dev/null
@@ -0,0 +1,166 @@
+From 3c48f895141a8f9984c67d94aaf84ad3d2fc538e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 14:32:54 +0200
+Subject: crypto: s390/phmac - Do not modify the req->nbytes value
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+[ Upstream commit 3ac2939bc4341ac28700a2ed0c345ba7e7bdb6fd ]
+
+The phmac implementation used the req->nbytes field on combined
+operations (finup, digest) to track the state:
+with req->nbytes > 0 the update needs to be processed,
+while req->nbytes == 0 means to do the final operation. For
+this purpose the req->nbytes field was set to 0 after successful
+update operation. However, aead uses the req->nbytes field after a
+successful hash operation to determine the amount of data to
+en/decrypt. So an implementation must not modify the nbytes field.
+
+Fixed by a slight rework on the phmac implementation. There is
+now a new field async_op in the request context which tracks
+the (asynch) operation to process. So the 'state' via req->nbytes
+is not needed any more and now this field is untouched and may
+be evaluated even after a request is processed by the phmac
+implementation.
+
+Fixes: cbbc675506cc ("crypto: s390 - New s390 specific protected key hash phmac")
+Reported-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Tested-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/crypto/phmac_s390.c | 52 +++++++++++++++++++++++------------
+ 1 file changed, 34 insertions(+), 18 deletions(-)
+
+diff --git a/arch/s390/crypto/phmac_s390.c b/arch/s390/crypto/phmac_s390.c
+index 7ecfdc4fba2d0..89f3e6d8fd897 100644
+--- a/arch/s390/crypto/phmac_s390.c
++++ b/arch/s390/crypto/phmac_s390.c
+@@ -169,11 +169,18 @@ struct kmac_sha2_ctx {
+       u64 buflen[2];
+ };
++enum async_op {
++      OP_NOP = 0,
++      OP_UPDATE,
++      OP_FINAL,
++      OP_FINUP,
++};
++
+ /* phmac request context */
+ struct phmac_req_ctx {
+       struct hash_walk_helper hwh;
+       struct kmac_sha2_ctx kmac_ctx;
+-      bool final;
++      enum async_op async_op;
+ };
+ /*
+@@ -610,6 +617,7 @@ static int phmac_update(struct ahash_request *req)
+        * using engine to serialize requests.
+        */
+       if (rc == 0 || rc == -EKEYEXPIRED) {
++              req_ctx->async_op = OP_UPDATE;
+               atomic_inc(&tfm_ctx->via_engine_ctr);
+               rc = crypto_transfer_hash_request_to_engine(phmac_crypto_engine, req);
+               if (rc != -EINPROGRESS)
+@@ -647,8 +655,7 @@ static int phmac_final(struct ahash_request *req)
+        * using engine to serialize requests.
+        */
+       if (rc == 0 || rc == -EKEYEXPIRED) {
+-              req->nbytes = 0;
+-              req_ctx->final = true;
++              req_ctx->async_op = OP_FINAL;
+               atomic_inc(&tfm_ctx->via_engine_ctr);
+               rc = crypto_transfer_hash_request_to_engine(phmac_crypto_engine, req);
+               if (rc != -EINPROGRESS)
+@@ -676,13 +683,16 @@ static int phmac_finup(struct ahash_request *req)
+       if (rc)
+               goto out;
++      req_ctx->async_op = OP_FINUP;
++
+       /* Try synchronous operations if no active engine usage */
+       if (!atomic_read(&tfm_ctx->via_engine_ctr)) {
+               rc = phmac_kmac_update(req, false);
+               if (rc == 0)
+-                      req->nbytes = 0;
++                      req_ctx->async_op = OP_FINAL;
+       }
+-      if (!rc && !req->nbytes && !atomic_read(&tfm_ctx->via_engine_ctr)) {
++      if (!rc && req_ctx->async_op == OP_FINAL &&
++          !atomic_read(&tfm_ctx->via_engine_ctr)) {
+               rc = phmac_kmac_final(req, false);
+               if (rc == 0)
+                       goto out;
+@@ -694,7 +704,7 @@ static int phmac_finup(struct ahash_request *req)
+        * using engine to serialize requests.
+        */
+       if (rc == 0 || rc == -EKEYEXPIRED) {
+-              req_ctx->final = true;
++              /* req->async_op has been set to either OP_FINUP or OP_FINAL */
+               atomic_inc(&tfm_ctx->via_engine_ctr);
+               rc = crypto_transfer_hash_request_to_engine(phmac_crypto_engine, req);
+               if (rc != -EINPROGRESS)
+@@ -855,15 +865,16 @@ static int phmac_do_one_request(struct crypto_engine *engine, void *areq)
+       /*
+        * Three kinds of requests come in here:
+-       * update when req->nbytes > 0 and req_ctx->final is false
+-       * final when req->nbytes = 0 and req_ctx->final is true
+-       * finup when req->nbytes > 0 and req_ctx->final is true
+-       * For update and finup the hwh walk needs to be prepared and
+-       * up to date but the actual nr of bytes in req->nbytes may be
+-       * any non zero number. For final there is no hwh walk needed.
++       * 1. req->async_op == OP_UPDATE with req->nbytes > 0
++       * 2. req->async_op == OP_FINUP with req->nbytes > 0
++       * 3. req->async_op == OP_FINAL
++       * For update and finup the hwh walk has already been prepared
++       * by the caller. For final there is no hwh walk needed.
+        */
+-      if (req->nbytes) {
++      switch (req_ctx->async_op) {
++      case OP_UPDATE:
++      case OP_FINUP:
+               rc = phmac_kmac_update(req, true);
+               if (rc == -EKEYEXPIRED) {
+                       /*
+@@ -880,10 +891,11 @@ static int phmac_do_one_request(struct crypto_engine *engine, void *areq)
+                       hwh_advance(hwh, rc);
+                       goto out;
+               }
+-              req->nbytes = 0;
+-      }
+-
+-      if (req_ctx->final) {
++              if (req_ctx->async_op == OP_UPDATE)
++                      break;
++              req_ctx->async_op = OP_FINAL;
++              fallthrough;
++      case OP_FINAL:
+               rc = phmac_kmac_final(req, true);
+               if (rc == -EKEYEXPIRED) {
+                       /*
+@@ -897,10 +909,14 @@ static int phmac_do_one_request(struct crypto_engine *engine, void *areq)
+                       cond_resched();
+                       return -ENOSPC;
+               }
++              break;
++      default:
++              /* unknown/unsupported/unimplemented asynch op */
++              return -EOPNOTSUPP;
+       }
+ out:
+-      if (rc || req_ctx->final)
++      if (rc || req_ctx->async_op == OP_FINAL)
+               memzero_explicit(kmac_ctx, sizeof(*kmac_ctx));
+       pr_debug("request complete with rc=%d\n", rc);
+       local_bh_disable();
+-- 
+2.51.0
+
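Review bot: The new `default:` arm in phmac_do_one_request() does `return -EOPNOTSUPP;` directly, so it skips the `out:` label where `kmac_ctx` is wiped with `memzero_explicit()` on any non-zero rc. The request is presumably also completed there, after `local_bh_disable()`, but that part is outside the hunk. An unexpected `async_op` value, including the zero value `OP_NOP`, would therefore leave the kmac context unwiped; `rc = -EOPNOTSUPP; break;` would route it through the same cleanup as every other error. Separately, the two new comments refer to `req->async_op`, but the field is declared in `struct phmac_req_ctx` and the code reads `req_ctx->async_op`, so the comments should use that name.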
diff --git a/queue-6.17/dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch b/queue-6.17/dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch
new file mode 100644 (file)
index 0000000..e7840a5
--- /dev/null
@@ -0,0 +1,46 @@
+From 4be9ff852b98ca9a20d5376d8a9159b7f79f40e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Oct 2025 20:55:12 +0200
+Subject: dpll: spec: add missing module-name and clock-id to pin-get reply
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit 520ad9e96937e825a117e9f00dd35a3e199d67b5 ]
+
+The dpll.yaml spec incorrectly omitted module-name and clock-id from the
+pin-get operation reply specification, even though the kernel DPLL
+implementation has always included these attributes in pin-get responses
+since the initial implementation.
+
+This spec inconsistency caused issues with the C YNL code generator.
+The generated dpll_pin_get_rsp structure was missing these fields.
+
+Fix the spec by adding module-name and clock-id to the pin-attrs reply
+specification to match the actual kernel behavior.
+
+Fixes: 3badff3a25d8 ("dpll: spec: Add Netlink spec in YAML")
+Signed-off-by: Petr Oros <poros@redhat.com>
+Reviewed-by: Ivan Vecera <ivecera@redhat.com>
+Link: https://patch.msgid.link/20251024185512.363376-1-poros@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/netlink/specs/dpll.yaml | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Documentation/netlink/specs/dpll.yaml b/Documentation/netlink/specs/dpll.yaml
+index 5decee61a2c4c..0159091dde966 100644
+--- a/Documentation/netlink/specs/dpll.yaml
++++ b/Documentation/netlink/specs/dpll.yaml
+@@ -599,6 +599,8 @@ operations:
+         reply: &pin-attrs
+           attributes:
+             - id
++            - module-name
++            - clock-id
+             - board-label
+             - panel-label
+             - package-label
+-- 
+2.51.0
+
diff --git a/queue-6.17/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch b/queue-6.17/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
new file mode 100644 (file)
index 0000000..5587879
--- /dev/null
@@ -0,0 +1,41 @@
+From f1f45571ad6fea3e7d873faebde279dcce240598 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 14:12:21 +0800
+Subject: drm/amd/pm: fix smu table id bound check issue in
+ smu_cmn_update_table()
+
+From: Yang Wang <kevinyang.wang@amd.com>
+
+[ Upstream commit 238d468d3ed18a324bb9d8c99f18c665dbac0511 ]
+
+'table_index' is a variable defined by the smu driver (kmd)
+'table_id' is a variable defined by the hw smu (pmfw)
+
+This code should use table_index as a bounds check.
+
+Fixes: caad2613dc4bd ("drm/amd/powerplay: move table setting common code to smu_cmn.c")
+Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit fca0c66b22303de0d1d6313059baf4dc960a4753)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+index 59f9abd0f7b8c..00f6c6acc3e68 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+@@ -965,7 +965,7 @@ int smu_cmn_update_table(struct smu_context *smu,
+                                                     table_index);
+       uint32_t table_size;
+       int ret = 0;
+-      if (!table_data || table_id >= SMU_TABLE_COUNT || table_id < 0)
++      if (!table_data || table_index >= SMU_TABLE_COUNT || table_id < 0)
+               return -EINVAL;
+       table_size = smu_table->tables[table_index].size;
+-- 
+2.51.0
+
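Review bot: The corrected guard in smu_cmn_update_table() now tests two different variables, `table_index >= SMU_TABLE_COUNT` and `table_id < 0`, and nothing in the code says why each bound belongs to a different one. The upper bound is what protects `smu_table->tables[table_index]` on the following line, while `table_id < 0` looks like the failure return of the mapping call whose tail is visible above the check. A short comment would keep the two apart and make a repeat of the original mix-up less likely, e.g. `/* table_index indexes smu_table->tables[] (driver enum); table_id is the firmware id, negative if unmapped */`. The function starts before and continues after the hunk.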
diff --git a/queue-6.17/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch b/queue-6.17/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
new file mode 100644 (file)
index 0000000..6209b3f
--- /dev/null
@@ -0,0 +1,39 @@
+From fa8280f6503eeae9da0189581ce4ac18f166d144 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:08:13 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji
+
+From: John Smith <itistotalbotnet@gmail.com>
+
+[ Upstream commit 07a13f913c291d6ec72ee4fc848d13ecfdc0e705 ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18edef19ea44 ("drm/amd/powerplay: implement fw image related smu interface for Fiji.")
+Signed-off-by: John Smith <itistotalbotnet@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit c52238c9fb414555c68340cd80e487d982c1921c)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+index 5e43ad2b29564..e7e497b166b3e 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+@@ -2024,7 +2024,7 @@ static int fiji_init_smc_table(struct pp_hwmgr *hwmgr)
+       table->VoltageResponseTime = 0;
+       table->PhaseResponseTime = 0;
+       table->MemoryThermThrottleEnable = 1;
+-      table->PCIeBootLinkLevel = 0;      /* 0:Gen1 1:Gen2 2:Gen3*/
++      table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+       table->PCIeGenInterval = 1;
+       table->VRConfig = 0;
+-- 
+2.51.0
+
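Review bot: `table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);` assigns an entry count to a field that the removed comment documented as a level (`0:Gen1 1:Gen2 2:Gen3`), and the replacement drops that comment without adding one. Read on its own, a count used as a level looks like an off-by-one; the changelog says this matches the other smumgr implementations, so presumably `count` already holds the highest valid level, but that is not visible here. I would keep the encoding and state the reason, e.g. `/* boot at the highest level in pcie_speed_table; 0:Gen1 1:Gen2 2:Gen3 */`, and mention that the `(uint8_t)` cast truncates silently if `count` ever exceeds 255. The same line is added to iceland_init_smc_table() in the next patch and needs the same comment. fiji_init_smc_table() extends beyond the hunk.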
diff --git a/queue-6.17/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-25933 b/queue-6.17/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-25933
new file mode 100644 (file)
index 0000000..be447ac
--- /dev/null
@@ -0,0 +1,39 @@
+From d39310d4479145ef56cc7596b61353d2010e8297 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:09:09 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland
+
+From: John Smith <itistotalbotnet@gmail.com>
+
+[ Upstream commit 501672e3c1576aa9a8364144213c77b98a31a42c ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18aafc59b106 ("drm/amd/powerplay: implement fw related smu interface for iceland.")
+Signed-off-by: John Smith <itistotalbotnet@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 92b0a6ae6672857ddeabf892223943d2f0e06c97)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+index 17d2f5bff4a7e..49c32183878de 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+@@ -2028,7 +2028,7 @@ static int iceland_init_smc_table(struct pp_hwmgr *hwmgr)
+       table->VoltageResponseTime  = 0;
+       table->PhaseResponseTime  = 0;
+       table->MemoryThermThrottleEnable  = 1;
+-      table->PCIeBootLinkLevel = 0;
++      table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+       table->PCIeGenInterval = 1;
+       result = iceland_populate_smc_svi2_config(hwmgr, table);
+-- 
+2.51.0
+
diff --git a/queue-6.17/drm-amdgpu-fix-spdx-header-on-amd_cper.h.patch b/queue-6.17/drm-amdgpu-fix-spdx-header-on-amd_cper.h.patch
new file mode 100644 (file)
index 0000000..95a33ee
--- /dev/null
@@ -0,0 +1,36 @@
+From dd4ee3420280f5b96f94e00f63ea51e4001d4874 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 09:14:55 -0400
+Subject: drm/amdgpu: fix SPDX header on amd_cper.h
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 964f8ff276a54ad7fb09168141fb6a8d891d548a ]
+
+This should be MIT.  The driver in general is MIT and
+the license text at the top of the file is MIT so fix
+it.
+
+Fixes: 523b69c65445 ("drm/amd/include: Add amd cper header")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4654
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 72c5482cb0f3d3c772c9de50e5a4265258a53f81)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/include/amd_cper.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/include/amd_cper.h b/drivers/gpu/drm/amd/include/amd_cper.h
+index 086869264425c..a252ee4c7874c 100644
+--- a/drivers/gpu/drm/amd/include/amd_cper.h
++++ b/drivers/gpu/drm/amd/include/amd_cper.h
+@@ -1,4 +1,4 @@
+-/* SPDX-License-Identifier: GPL-2.0 */
++/* SPDX-License-Identifier: MIT */
+ /*
+  * Copyright 2025 Advanced Micro Devices, Inc.
+  *
+-- 
+2.51.0
+
diff --git a/queue-6.17/drm-amdgpu-fix-spdx-header-on-irqsrcs_vcn_5_0.h.patch b/queue-6.17/drm-amdgpu-fix-spdx-header-on-irqsrcs_vcn_5_0.h.patch
new file mode 100644 (file)
index 0000000..bce2a55
--- /dev/null
@@ -0,0 +1,36 @@
+From 07ecd51a1a4d9519c3a40e14c9897bc1becfe6c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 09:17:37 -0400
+Subject: drm/amdgpu: fix SPDX header on irqsrcs_vcn_5_0.h
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 8284a9e91722d3214aac5d54b4e0d2c91af0fdfc ]
+
+This should be MIT.  The driver in general is MIT and
+the license text at the top of the file is MIT so fix
+it.
+
+Fixes: d1bb64651095 ("drm/amdgpu: add irq source ids for VCN5_0/JPEG5_0")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4654
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 68c20d7b1779f97d600e61b9e95726c0cd609e2a)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/include/ivsrcid/vcn/irqsrcs_vcn_5_0.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/include/ivsrcid/vcn/irqsrcs_vcn_5_0.h b/drivers/gpu/drm/amd/include/ivsrcid/vcn/irqsrcs_vcn_5_0.h
+index 64b553e7de1ae..e7fdcee22a714 100644
+--- a/drivers/gpu/drm/amd/include/ivsrcid/vcn/irqsrcs_vcn_5_0.h
++++ b/drivers/gpu/drm/amd/include/ivsrcid/vcn/irqsrcs_vcn_5_0.h
+@@ -1,4 +1,4 @@
+-/* SPDX-License-Identifier: GPL-2.0 */
++/* SPDX-License-Identifier: MIT */
+ /*
+  * Copyright 2024 Advanced Micro Devices, Inc. All rights reserved.
+-- 
+2.51.0
+
diff --git a/queue-6.17/drm-amdgpu-fix-spdx-headers-on-amdgpu_cper.c-h.patch b/queue-6.17/drm-amdgpu-fix-spdx-headers-on-amdgpu_cper.c-h.patch
new file mode 100644 (file)
index 0000000..a7fe7c6
--- /dev/null
@@ -0,0 +1,47 @@
+From df64584112854ab3d4f9b939a2dad2042e6d3b08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 09:12:54 -0400
+Subject: drm/amdgpu: fix SPDX headers on amdgpu_cper.c/h
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit f3b37ebf2c94e3a3d7bbf5e3788ad86cf30fc7be ]
+
+These should be MIT.  The driver in general is MIT and
+the license text at the top of the files is MIT so fix
+it.
+
+Fixes: 92d5d2a09de1 ("drm/amdgpu: Introduce funcs for populating CPER")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4654
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit abd3f876404cafb107cb34bacb74706bfee11cbe)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cper.c | 2 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cper.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cper.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cper.c
+index 25252231a68a9..48a8aa1044b15 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cper.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cper.c
+@@ -1,4 +1,4 @@
+-// SPDX-License-Identifier: GPL-2.0
++// SPDX-License-Identifier: MIT
+ /*
+  * Copyright 2025 Advanced Micro Devices, Inc.
+  *
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cper.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_cper.h
+index bcb97d245673b..353421807387e 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cper.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cper.h
+@@ -1,4 +1,4 @@
+-/* SPDX-License-Identifier: GPL-2.0 */
++/* SPDX-License-Identifier: MIT */
+ /*
+  * Copyright 2025 Advanced Micro Devices, Inc.
+  *
+-- 
+2.51.0
+
diff --git a/queue-6.17/drm-etnaviv-fix-flush-sequence-logic.patch b/queue-6.17/drm-etnaviv-fix-flush-sequence-logic.patch
new file mode 100644 (file)
index 0000000..4d55708
--- /dev/null
@@ -0,0 +1,46 @@
+From c2e5f8f1bcc84a8af4b6f6eaf8caffc44504e7b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:37:23 +0200
+Subject: drm/etnaviv: fix flush sequence logic
+
+From: Tomeu Vizoso <tomeu@tomeuvizoso.net>
+
+[ Upstream commit a042beac6e6f8ac1e923784cfff98b47cbabb185 ]
+
+The current logic uses the flush sequence from the current address
+space. This is harmless when deducing the flush requirements for the
+current submit, as either the incoming address space is the same one
+as the currently active one or we switch context, in which case the
+flush is unconditional.
+
+However, this sequence is also stored as the current flush sequence
+of the GPU. If we switch context the stored flush sequence will no
+longer belong to the currently active address space. This incoherency
+can then cause missed flushes, resulting in translation errors.
+
+Fixes: 27b67278e007 ("drm/etnaviv: rework MMU handling")
+Signed-off-by: Tomeu Vizoso <tomeu@tomeuvizoso.net>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Christian Gmeiner <cgmeiner@igalia.com>
+Link: https://lore.kernel.org/r/20251021093723.3887980-1-l.stach@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+index b13a17276d07c..88385dc3b30d8 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+@@ -347,7 +347,7 @@ void etnaviv_buffer_queue(struct etnaviv_gpu *gpu, u32 exec_state,
+       u32 link_target, link_dwords;
+       bool switch_context = gpu->exec_state != exec_state;
+       bool switch_mmu_context = gpu->mmu_context != mmu_context;
+-      unsigned int new_flush_seq = READ_ONCE(gpu->mmu_context->flush_seq);
++      unsigned int new_flush_seq = READ_ONCE(mmu_context->flush_seq);
+       bool need_flush = switch_mmu_context || gpu->flush_seq != new_flush_seq;
+       bool has_blt = !!(gpu->identity.minor_features5 &
+                         chipMinorFeatures5_BLT_ENGINE);
+-- 
+2.51.0
+
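Review bot: The initializer `new_flush_seq = READ_ONCE(mmu_context->flush_seq)` now reads the incoming context, but the reason is given only in the changelog. According to the commit message the value is later stored as the GPU's current flush sequence (outside this hunk), so it must belong to the context being switched to. The difference from `gpu->mmu_context->flush_seq` is small and easy to revert by mistake, so a comment such as `/* must come from the incoming context: this becomes gpu->flush_seq */` would pin it. The dereference also sits in the declarations, before any statement in etnaviv_buffer_queue() could validate `mmu_context`; I assume callers never pass NULL, but the hunk does not show it.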
diff --git a/queue-6.17/drm-msm-a6xx-fix-gmu-firmware-parser.patch b/queue-6.17/drm-msm-a6xx-fix-gmu-firmware-parser.patch
new file mode 100644 (file)
index 0000000..4ad37af
--- /dev/null
@@ -0,0 +1,51 @@
+From 907a2ca0352d896eba6d3b921c07786f3332a67d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Sep 2025 02:14:05 +0530
+Subject: drm/msm/a6xx: Fix GMU firmware parser
+
+From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+
+[ Upstream commit b4789aac9d3441d9f830f0a4022d8dc122d6cab3 ]
+
+Current parser logic for GMU firmware assumes a dword aligned payload
+size for every block. This is not true for all GMU firmwares. So, fix
+this by using correct 'size' value in the calculation for the offset
+for the next block's header.
+
+Fixes: c6ed04f856a4 ("drm/msm/a6xx: A640/A650 GMU firmware path")
+Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+Acked-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/674040/
+Message-ID: <20250911-assorted-sept-1-v2-2-a8bf1ee20792@oss.qualcomm.com>
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+index 3369a03978d53..ee82489025c3c 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+@@ -766,6 +766,9 @@ static bool fw_block_mem(struct a6xx_gmu_bo *bo, const struct block_header *blk)
+       return true;
+ }
++#define NEXT_BLK(blk) \
++      ((const struct block_header *)((const char *)(blk) + sizeof(*(blk)) + (blk)->size))
++
+ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+ {
+       struct a6xx_gpu *a6xx_gpu = container_of(gmu, struct a6xx_gpu, gmu);
+@@ -797,7 +800,7 @@ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+       for (blk = (const struct block_header *) fw_image->data;
+            (const u8*) blk < fw_image->data + fw_image->size;
+-           blk = (const struct block_header *) &blk->data[blk->size >> 2]) {
++           blk = NEXT_BLK(blk)) {
+               if (blk->size == 0)
+                       continue;
+-- 
+2.51.0
+
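Review bot: The block walk in `a6xx_gmu_fw_load()` still trusts `blk->size` as read from the firmware file. The loop condition only checks that the first byte of the header is below `fw_image->data + fw_image->size`, so a truncated or malformed image can leave a header or its payload partly outside the buffer before `NEXT_BLK()` advances. With byte-exact sizes the next header is also no longer guaranteed to sit on a 4-byte boundary, which is worth confirming as acceptable for the `u32` fields of `struct block_header`. The loop body continues outside the hunk, so a check further down cannot be ruled out from here; a guard at the top of the loop could look like the sketch below.

```c
	     blk = NEXT_BLK(blk)) {
		size_t left = fw_image->data + fw_image->size - (const u8 *)blk;

		/* Header and payload must both lie inside the firmware image. */
		if (left < sizeof(*blk) || blk->size > left - sizeof(*blk))
			return -EINVAL;

		/* … unchanged: size == 0 skip and per-block copy … */
```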
diff --git a/queue-6.17/drm-msm-ensure-vm-is-created-in-vm_bind-ioctl.patch b/queue-6.17/drm-msm-ensure-vm-is-created-in-vm_bind-ioctl.patch
new file mode 100644 (file)
index 0000000..85140f5
--- /dev/null
@@ -0,0 +1,37 @@
+From c6b8d317de677f401be6354e053e1fd21489d02e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 15:20:38 -0700
+Subject: drm/msm: Ensure vm is created in VM_BIND ioctl
+
+From: Rob Clark <robin.clark@oss.qualcomm.com>
+
+[ Upstream commit 00d5f09719aa6c37545be5c05d25a1eaf8f3da7e ]
+
+Since the vm is lazily created, to allow userspace to opt-in to a
+VM_BIND context, we can't assume it is already created.
+
+Fixes: 2e6a8a1fe2b2 ("drm/msm: Add VM_BIND ioctl")
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/682939/
+Message-ID: <20251022222039.9937-1-robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem_vma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_vma.c b/drivers/gpu/drm/msm/msm_gem_vma.c
+index 381a0853c05ba..b6248f86a5ab1 100644
+--- a/drivers/gpu/drm/msm/msm_gem_vma.c
++++ b/drivers/gpu/drm/msm/msm_gem_vma.c
+@@ -1401,7 +1401,7 @@ msm_ioctl_vm_bind(struct drm_device *dev, void *data, struct drm_file *file)
+        * Maybe we could allow just UNMAP ops?  OTOH userspace should just
+        * immediately close the device file and all will be torn down.
+        */
+-      if (to_msm_vm(ctx->vm)->unusable)
++      if (to_msm_vm(msm_context_vm(dev, ctx))->unusable)
+               return UERR(EPIPE, dev, "context is unusable");
+       /*
+-- 
+2.51.0
+
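Review bot: The pointer returned by `msm_context_vm(dev, ctx)` is dereferenced immediately through `to_msm_vm(...)->unusable` in `msm_ioctl_vm_bind()`, with no check in the visible lines. The helper's definition is not part of this hunk; if lazy creation can fail and hand back NULL or an error pointer, this ioctl path would fault on a user request. If it cannot fail, a brief comment saying so at the call would save the next reader the lookup.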
diff --git a/queue-6.17/drm-msm-fix-gem-free-for-imported-dma-bufs.patch b/queue-6.17/drm-msm-fix-gem-free-for-imported-dma-bufs.patch
new file mode 100644 (file)
index 0000000..1bf51d0
--- /dev/null
@@ -0,0 +1,91 @@
+From 94cfa3e2919d5feb5777dc5617e9ccfec2680242 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Sep 2025 07:04:40 -0700
+Subject: drm/msm: Fix GEM free for imported dma-bufs
+
+From: Rob Clark <robin.clark@oss.qualcomm.com>
+
+[ Upstream commit c34e08ba6c0037a72a7433741225b020c989e4ae ]
+
+Imported dma-bufs also have obj->resv != &obj->_resv.  So we should
+check both this condition in addition to flags for handling the
+_NO_SHARE case.
+
+Fixes this splat that was reported with IRIS video playback:
+
+    ------------[ cut here ]------------
+    WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm]
+    CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT
+    pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
+    pc : msm_gem_free_object+0x1f8/0x264 [msm]
+    lr : msm_gem_free_object+0x138/0x264 [msm]
+    sp : ffff800092a1bb30
+    x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08
+    x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6
+    x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200
+    x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000
+    x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540
+    x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
+    x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f
+    x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020
+    x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032
+    x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8
+    Call trace:
+     msm_gem_free_object+0x1f8/0x264 [msm] (P)
+     drm_gem_object_free+0x1c/0x30 [drm]
+     drm_gem_object_handle_put_unlocked+0x138/0x150 [drm]
+     drm_gem_object_release_handle+0x5c/0xcc [drm]
+     drm_gem_handle_delete+0x68/0xbc [drm]
+     drm_gem_close_ioctl+0x34/0x40 [drm]
+     drm_ioctl_kernel+0xc0/0x130 [drm]
+     drm_ioctl+0x360/0x4e0 [drm]
+     __arm64_sys_ioctl+0xac/0x104
+     invoke_syscall+0x48/0x104
+     el0_svc_common.constprop.0+0x40/0xe0
+     do_el0_svc+0x1c/0x28
+     el0_svc+0x34/0xec
+     el0t_64_sync_handler+0xa0/0xe4
+     el0t_64_sync+0x198/0x19c
+    ---[ end trace 0000000000000000 ]---
+    ------------[ cut here ]------------
+
+Reported-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Fixes: de651b6e040b ("drm/msm: Fix refcnt underflow in error path")
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Tested-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Tested-by: Luca Weiss <luca.weiss@fairphone.com>
+Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> # qrb5165-rb5
+Patchwork: https://patchwork.freedesktop.org/patch/676273/
+Message-ID: <20250923140441.746081-1-robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
+index e7631f4ef5309..0745d958f3987 100644
+--- a/drivers/gpu/drm/msm/msm_gem.c
++++ b/drivers/gpu/drm/msm/msm_gem.c
+@@ -1120,12 +1120,16 @@ static void msm_gem_free_object(struct drm_gem_object *obj)
+               put_pages(obj);
+       }
+-      if (obj->resv != &obj->_resv) {
++      /*
++       * In error paths, we could end up here before msm_gem_new_handle()
++       * has changed obj->resv to point to the shared resv.  In this case,
++       * we don't want to drop a ref to the shared r_obj that we haven't
++       * taken yet.
++       */
++      if ((msm_obj->flags & MSM_BO_NO_SHARE) && (obj->resv != &obj->_resv)) {
+               struct drm_gem_object *r_obj =
+                       container_of(obj->resv, struct drm_gem_object, _resv);
+-              WARN_ON(!(msm_obj->flags & MSM_BO_NO_SHARE));
+-
+               /* Drop reference we hold to shared resv obj: */
+               drm_gem_object_put(r_obj);
+       }
+-- 
+2.51.0
+
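Review bot: The new comment above the `MSM_BO_NO_SHARE` test in `msm_gem_free_object()` explains only the error-path case, while the commit message gives imported dma-bufs as the reason the flag has to be tested at all. A later reader could take the flag test for redundant and drop it, bringing back a put on an object that never took the reference. Going by the commit message, I would extend the comment with something like `/* Imported dma-bufs also have obj->resv != &obj->_resv but took no ref on a shared resv object, so only NO_SHARE objects drop one here. */`. The function body starts outside the hunk.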
diff --git a/queue-6.17/drm-msm-make-sure-last_fence-is-always-updated.patch b/queue-6.17/drm-msm-make-sure-last_fence-is-always-updated.patch
new file mode 100644 (file)
index 0000000..3dd4053
--- /dev/null
@@ -0,0 +1,57 @@
+From 1163b415add2e2f6ba148b69ad8bdee1a1747d36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Oct 2025 15:45:10 +0200
+Subject: drm/msm: make sure last_fence is always updated
+
+From: Anna Maniscalco <anna.maniscalco2000@gmail.com>
+
+[ Upstream commit 86404a9e3013d814a772ac407573be5d3cd4ee0d ]
+
+Update last_fence in the vm-bind path instead of kernel managed path.
+
+last_fence is used to wait for work to finish in vm_bind contexts but not
+used for kernel managed contexts.
+
+This fixes a bug where last_fence is not waited on context close leading
+to faults as resources are freed while in use.
+
+Fixes: 92395af63a99 ("drm/msm: Add VM_BIND submitqueue")
+Signed-off-by: Anna Maniscalco <anna.maniscalco2000@gmail.com>
+Patchwork: https://patchwork.freedesktop.org/patch/680080/
+Message-ID: <20251011-close_fence_wait_fix-v3-1-5134787755ff@gmail.com>
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
+index 3ab3b27134f93..75d9f35743700 100644
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -414,6 +414,11 @@ static void submit_attach_object_fences(struct msm_gem_submit *submit)
+                                        submit->user_fence,
+                                        DMA_RESV_USAGE_BOOKKEEP,
+                                        DMA_RESV_USAGE_BOOKKEEP);
++
++              last_fence = vm->last_fence;
++              vm->last_fence = dma_fence_unwrap_merge(submit->user_fence, last_fence);
++              dma_fence_put(last_fence);
++
+               return;
+       }
+@@ -427,10 +432,6 @@ static void submit_attach_object_fences(struct msm_gem_submit *submit)
+                       dma_resv_add_fence(obj->resv, submit->user_fence,
+                                          DMA_RESV_USAGE_READ);
+       }
+-
+-      last_fence = vm->last_fence;
+-      vm->last_fence = dma_fence_unwrap_merge(submit->user_fence, last_fence);
+-      dma_fence_put(last_fence);
+ }
+ static int submit_bo(struct msm_gem_submit *submit, uint32_t idx,
+-- 
+2.51.0
+
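Review bot: The result of `dma_fence_unwrap_merge()` is stored into `vm->last_fence` unchecked in the VM_BIND branch of `submit_attach_object_fences()`, and the previous fence is released right after. As far as I know the merge helper returns NULL when its allocation fails; the context would then have no fence to wait on at close, which is the freed-while-in-use situation the commit message describes. Since the function returns void, one option is to keep the old fence when the merge fails and warn, e.g. `merged = dma_fence_unwrap_merge(submit->user_fence, last_fence);` followed by `if (!WARN_ON(!merged)) { vm->last_fence = merged; dma_fence_put(last_fence); }`. The function starts outside the hunk, so the locking around `vm->last_fence` cannot be judged from here.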
diff --git a/queue-6.17/drm-radeon-do-not-kfree-devres-managed-rdev.patch b/queue-6.17/drm-radeon-do-not-kfree-devres-managed-rdev.patch
new file mode 100644 (file)
index 0000000..7c5b519
--- /dev/null
@@ -0,0 +1,40 @@
+From 9d794132ce3e2ac8e8e9d8eecfb6cba600b689c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 14:44:50 +0900
+Subject: drm/radeon: Do not kfree() devres managed rdev
+
+From: Daniel Palmer <daniel@0x0f.com>
+
+[ Upstream commit 3328443363a0895fd9c096edfe8ecd372ca9145e ]
+
+Since the allocation of the drivers main structure was changed to
+devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling
+kfree() on it.
+
+This fixes things exploding if the driver probe fails and devres cleans up
+the rdev after we already free'd it.
+
+Fixes: a9ed2f052c5c ("drm/radeon: change drm_dev_alloc to devm_drm_dev_alloc")
+Signed-off-by: Daniel Palmer <daniel@0x0f.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_kms.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
+index 645e33bf7947e..ba1446acd7032 100644
+--- a/drivers/gpu/drm/radeon/radeon_kms.c
++++ b/drivers/gpu/drm/radeon/radeon_kms.c
+@@ -84,7 +84,6 @@ void radeon_driver_unload_kms(struct drm_device *dev)
+       rdev->agp = NULL;
+ done_free:
+-      kfree(rdev);
+       dev->dev_private = NULL;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.17/drm-radeon-remove-calls-to-drm_put_dev.patch b/queue-6.17/drm-radeon-remove-calls-to-drm_put_dev.patch
new file mode 100644 (file)
index 0000000..ad312f5
--- /dev/null
@@ -0,0 +1,100 @@
+From e9e4793ac31b1c32d7f4975cc0b347a280b1383e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 14:44:51 +0900
+Subject: drm/radeon: Remove calls to drm_put_dev()
+
+From: Daniel Palmer <daniel@0x0f.com>
+
+[ Upstream commit 745bae76acdd71709773c129a69deca01036250b ]
+
+Since the allocation of the drivers main structure was changed to
+devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd
+should be done by devres.
+
+However, drm_put_dev() is still in the probe error and device remove
+paths. When the driver fails to probe warnings like the following are
+shown because devres is trying to drm_put_dev() after the driver
+already did it.
+
+[    5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22
+[    5.649605] ------------[ cut here ]------------
+[    5.649607] refcount_t: underflow; use-after-free.
+[    5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110
+
+Fixes: a9ed2f052c5c ("drm/radeon: change drm_dev_alloc to devm_drm_dev_alloc")
+Signed-off-by: Daniel Palmer <daniel@0x0f.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_drv.c | 25 ++++---------------------
+ 1 file changed, 4 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c
+index 88e821d67af77..9c8907bc61d9f 100644
+--- a/drivers/gpu/drm/radeon/radeon_drv.c
++++ b/drivers/gpu/drm/radeon/radeon_drv.c
+@@ -314,17 +314,17 @@ static int radeon_pci_probe(struct pci_dev *pdev,
+       ret = pci_enable_device(pdev);
+       if (ret)
+-              goto err_free;
++              return ret;
+       pci_set_drvdata(pdev, ddev);
+       ret = radeon_driver_load_kms(ddev, flags);
+       if (ret)
+-              goto err_agp;
++              goto err;
+       ret = drm_dev_register(ddev, flags);
+       if (ret)
+-              goto err_agp;
++              goto err;
+       if (rdev->mc.real_vram_size <= (8 * 1024 * 1024))
+               format = drm_format_info(DRM_FORMAT_C8);
+@@ -337,30 +337,14 @@ static int radeon_pci_probe(struct pci_dev *pdev,
+       return 0;
+-err_agp:
++err:
+       pci_disable_device(pdev);
+-err_free:
+-      drm_dev_put(ddev);
+       return ret;
+ }
+-static void
+-radeon_pci_remove(struct pci_dev *pdev)
+-{
+-      struct drm_device *dev = pci_get_drvdata(pdev);
+-
+-      drm_put_dev(dev);
+-}
+-
+ static void
+ radeon_pci_shutdown(struct pci_dev *pdev)
+ {
+-      /* if we are running in a VM, make sure the device
+-       * torn down properly on reboot/shutdown
+-       */
+-      if (radeon_device_is_virtual())
+-              radeon_pci_remove(pdev);
+-
+ #if defined(CONFIG_PPC64) || defined(CONFIG_MACH_LOONGSON64)
+       /*
+        * Some adapters need to be suspended before a
+@@ -613,7 +597,6 @@ static struct pci_driver radeon_kms_pci_driver = {
+       .name = DRIVER_NAME,
+       .id_table = pciidlist,
+       .probe = radeon_pci_probe,
+-      .remove = radeon_pci_remove,
+       .shutdown = radeon_pci_shutdown,
+       .driver.pm = &radeon_pm_ops,
+ };
+-- 
+2.51.0
+
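Review bot: With `radeon_pci_remove()` and the `.remove` entry gone, nothing visible in this patch unregisters the DRM device when the driver is unbound or the device is removed. `drm_put_dev()` did two things, unregister and put; as far as I know the devres action installed by `devm_drm_dev_alloc()` covers only the put, so the device could stay registered with userspace until its structure is released. If that reading is right, keeping a remove callback that only calls `drm_dev_unregister(pci_get_drvdata(pdev));` would retain the teardown without the double put. The same question applies to the deleted VM branch in `radeon_pci_shutdown()`, whose comment said it existed to tear the device down on reboot or shutdown.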
diff --git a/queue-6.17/kunit-test_dev_action-correctly-cast-priv-pointer-to.patch b/queue-6.17/kunit-test_dev_action-correctly-cast-priv-pointer-to.patch
new file mode 100644 (file)
index 0000000..6c53fb1
--- /dev/null
@@ -0,0 +1,49 @@
+From 1c06e7d4d9779754313d2dd218835f28111d1514 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 11:28:14 +0200
+Subject: kunit: test_dev_action: Correctly cast 'priv' pointer to long*
+
+From: Florian Schmaus <florian.schmaus@codasip.com>
+
+[ Upstream commit 2551a1eedc09f5a86f94b038dc1bb16855c256f1 ]
+
+The previous implementation incorrectly assumed the original type of
+'priv' was void**, leading to an unnecessary and misleading
+cast. Correct the cast of the 'priv' pointer in test_dev_action() to
+its actual type, long*, removing an unnecessary cast.
+
+As an additional benefit, this fixes an out-of-bounds CHERI fault on
+hardware with architectural capabilities. The original implementation
+tried to store a capability-sized pointer using the priv
+pointer. However, the priv pointer's capability only granted access to
+the memory region of its original long type, leading to a bounds
+violation since the size of a long is smaller than the size of a
+capability. This change ensures that the pointer usage respects the
+capabilities' bounds.
+
+Link: https://lore.kernel.org/r/20251017092814.80022-1-florian.schmaus@codasip.com
+Fixes: d03c720e03bd ("kunit: Add APIs for managing devices")
+Reviewed-by: David Gow <davidgow@google.com>
+Signed-off-by: Florian Schmaus <florian.schmaus@codasip.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/kunit/kunit-test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/kunit/kunit-test.c b/lib/kunit/kunit-test.c
+index 8c01eabd4eaf2..63130a48e2371 100644
+--- a/lib/kunit/kunit-test.c
++++ b/lib/kunit/kunit-test.c
+@@ -739,7 +739,7 @@ static struct kunit_case kunit_current_test_cases[] = {
+ static void test_dev_action(void *priv)
+ {
+-      *(void **)priv = (void *)1;
++      *(long *)priv = 1;
+ }
+ static void kunit_device_test(struct kunit *test)
+-- 
+2.51.0
+
diff --git a/queue-6.17/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch b/queue-6.17/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
new file mode 100644 (file)
index 0000000..bd605ba
--- /dev/null
@@ -0,0 +1,44 @@
+From caa5b7b0e148e88f461e35e34b781a74b391ce17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 13:36:43 -0700
+Subject: libbpf: Fix powerpc's stack register definition in bpf_tracing.h
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 7221b9caf84b3294688228a19273d74ea19a2ee4 ]
+
+retsnoop's build on powerpc (ppc64le) architecture ([0]) failed due to
+wrong definition of PT_REGS_SP() macro. Looking at powerpc's
+implementation of stack unwinding in perf_callchain_user_64() clearly
+shows that stack pointer register is gpr[1].
+
+Fix libbpf's definition of __PT_SP_REG for powerpc to fix all this.
+
+  [0] https://kojipkgs.fedoraproject.org/work/tasks/1544/137921544/build.log
+
+Fixes: 138d6153a139 ("samples/bpf: Enable powerpc support")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Naveen N Rao (AMD) <naveen@kernel.org>
+Link: https://lore.kernel.org/r/20251020203643.989467-1-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf_tracing.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/bpf_tracing.h b/tools/lib/bpf/bpf_tracing.h
+index a8f6cd4841b03..dbe32a5d02cd7 100644
+--- a/tools/lib/bpf/bpf_tracing.h
++++ b/tools/lib/bpf/bpf_tracing.h
+@@ -311,7 +311,7 @@ struct pt_regs___arm64 {
+ #define __PT_RET_REG regs[31]
+ #define __PT_FP_REG __unsupported__
+ #define __PT_RC_REG gpr[3]
+-#define __PT_SP_REG sp
++#define __PT_SP_REG gpr[1]
+ #define __PT_IP_REG nip
+ #elif defined(bpf_target_sparc)
+-- 
+2.51.0
+
diff --git a/queue-6.17/net-hns3-return-error-code-when-function-fails.patch b/queue-6.17/net-hns3-return-error-code-when-function-fails.patch
new file mode 100644 (file)
index 0000000..5c231da
--- /dev/null
@@ -0,0 +1,87 @@
+From d51628f99aee52132ac466f198ef1a7783ed3efa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 21:13:37 +0800
+Subject: net: hns3: return error code when function fails
+
+From: Jijie Shao <shaojijie@huawei.com>
+
+[ Upstream commit 03ca7c8c42be913529eb9f188278114430c6abbd ]
+
+Currently, in hclge_mii_ioctl(), the operation to
+read the PHY register (SIOCGMIIREG) always returns 0.
+
+This patch changes the return type of hclge_read_phy_reg(),
+returning an error code when the function fails.
+
+Fixes: 024712f51e57 ("net: hns3: add ioctl support for imp-controlled PHYs")
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Link: https://patch.msgid.link/20251023131338.2642520-2-shaojijie@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +--
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 9 ++++++---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h | 2 +-
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index f209a05e2033b..d3d17f9e5457b 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -9429,8 +9429,7 @@ static int hclge_mii_ioctl(struct hclge_dev *hdev, struct ifreq *ifr, int cmd)
+               /* this command reads phy id and register at the same time */
+               fallthrough;
+       case SIOCGMIIREG:
+-              data->val_out = hclge_read_phy_reg(hdev, data->reg_num);
+-              return 0;
++              return hclge_read_phy_reg(hdev, data->reg_num, &data->val_out);
+       case SIOCSMIIREG:
+               return hclge_write_phy_reg(hdev, data->reg_num, data->val_in);
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+index 96553109f44c9..cf881108fa570 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+@@ -274,7 +274,7 @@ void hclge_mac_stop_phy(struct hclge_dev *hdev)
+       phy_stop(phydev);
+ }
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val)
+ {
+       struct hclge_phy_reg_cmd *req;
+       struct hclge_desc desc;
+@@ -286,11 +286,14 @@ u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
+       req->reg_addr = cpu_to_le16(reg_addr);
+       ret = hclge_cmd_send(&hdev->hw, &desc, 1);
+-      if (ret)
++      if (ret) {
+               dev_err(&hdev->pdev->dev,
+                       "failed to read phy reg, ret = %d.\n", ret);
++              return ret;
++      }
+-      return le16_to_cpu(req->reg_val);
++      *val = le16_to_cpu(req->reg_val);
++      return 0;
+ }
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val)
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+index 4200d0b6d9317..21d434c82475b 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+@@ -13,7 +13,7 @@ int hclge_mac_connect_phy(struct hnae3_handle *handle);
+ void hclge_mac_disconnect_phy(struct hnae3_handle *handle);
+ void hclge_mac_start_phy(struct hclge_dev *hdev);
+ void hclge_mac_stop_phy(struct hclge_dev *hdev);
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr);
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val);
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val);
+ #endif
+-- 
+2.51.0
+
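Review bot: `hclge_read_phy_reg()` now has an out-parameter whose state on failure is not documented: `*val` is written only after `hclge_cmd_send()` succeeds and is left untouched on the error return. A one-line comment on the prototype in hclge_mdio.h, such as `/* Returns 0 and stores the register value in *val; on failure returns the hclge_cmd_send() error and leaves *val unchanged. */`, would tell future callers not to read `*val` without checking the result. The middle of the function lies between the two hunks of hclge_mdio.c and is not shown.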
diff --git a/queue-6.17/nvmet-auth-update-sc_c-in-host-response.patch b/queue-6.17/nvmet-auth-update-sc_c-in-host-response.patch
new file mode 100644 (file)
index 0000000..2d694fc
--- /dev/null
@@ -0,0 +1,53 @@
+From 73a2708822d00823493029ac039126892d4b97f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 09:59:24 +0200
+Subject: nvmet-auth: update sc_c in host response
+
+From: Hannes Reinecke <hare@suse.de>
+
+[ Upstream commit 60ad1de8e59278656092f56e87189ec82f078d12 ]
+
+The target code should set the sc_c bit in calculating the host response
+based on the status of the 'concat' setting, otherwise we'll get an
+authentication mismatch for hosts setting that bit correctly.
+
+Fixes: 7e091add9c43 ("nvme-auth: update sc_c in host response")
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/auth.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c
+index b340380f38922..ceba21684e82c 100644
+--- a/drivers/nvme/target/auth.c
++++ b/drivers/nvme/target/auth.c
+@@ -298,7 +298,7 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response,
+       const char *hash_name;
+       u8 *challenge = req->sq->dhchap_c1;
+       struct nvme_dhchap_key *transformed_key;
+-      u8 buf[4];
++      u8 buf[4], sc_c = ctrl->concat ? 1 : 0;
+       int ret;
+       hash_name = nvme_auth_hmac_name(ctrl->shash_id);
+@@ -367,13 +367,14 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response,
+       ret = crypto_shash_update(shash, buf, 2);
+       if (ret)
+               goto out;
+-      memset(buf, 0, 4);
++      *buf = sc_c;
+       ret = crypto_shash_update(shash, buf, 1);
+       if (ret)
+               goto out;
+       ret = crypto_shash_update(shash, "HostHost", 8);
+       if (ret)
+               goto out;
++      memset(buf, 0, 4);
+       ret = crypto_shash_update(shash, ctrl->hostnqn, strlen(ctrl->hostnqn));
+       if (ret)
+               goto out;
+-- 
+2.51.0
+
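Review bot: Writing the sc_c byte through `*buf = sc_c` in `nvmet_auth_host_hash()` reuses the scratch buffer that the preceding two-byte update filled, and the zeroing had to be moved below the "HostHost" update to keep the later hashing correct. The authentication transcript now depends on the exact position of `memset(buf, 0, 4)`, which is easy to disturb in a later edit and would show up only as a mismatch with the host. Hashing the variable directly, `ret = crypto_shash_update(shash, &sc_c, 1);`, and leaving the `memset` where it was would make the source of each field explicit. The code that consumes the zeroed `buf` is outside the hunk, so this assumes it only needs `buf` cleared before the hostnqn update.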
diff --git a/queue-6.17/scsi-core-fix-the-unit-attention-counter-implementat.patch b/queue-6.17/scsi-core-fix-the-unit-attention-counter-implementat.patch
new file mode 100644 (file)
index 0000000..a77c69b
--- /dev/null
@@ -0,0 +1,76 @@
+From 99d23a926535f4f427ffc17712eecf992fc2c1ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 15:02:43 -0700
+Subject: scsi: core: Fix the unit attention counter implementation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit d54c676d4fe0543d1642ab7a68ffdd31e8639a5d ]
+
+scsi_decide_disposition() may call scsi_check_sense().
+scsi_decide_disposition() calls are not serialized. Hence, counter
+updates by scsi_check_sense() must be serialized. Hence this patch that
+makes the counters updated by scsi_check_sense() atomic.
+
+Cc: Kai Mäkisara <Kai.Makisara@kolumbus.fi>
+Fixes: a5d518cd4e3e ("scsi: core: Add counters for New Media and Power On/Reset UNIT ATTENTIONs")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Link: https://patch.msgid.link/20251014220244.3689508-1-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_error.c  |  4 ++--
+ include/scsi/scsi_device.h | 10 ++++------
+ 2 files changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
+index 746ff6a1f309a..1c13812a3f035 100644
+--- a/drivers/scsi/scsi_error.c
++++ b/drivers/scsi/scsi_error.c
+@@ -554,9 +554,9 @@ enum scsi_disposition scsi_check_sense(struct scsi_cmnd *scmd)
+                * happened, even if someone else gets the sense data.
+                */
+               if (sshdr.asc == 0x28)
+-                      scmd->device->ua_new_media_ctr++;
++                      atomic_inc(&sdev->ua_new_media_ctr);
+               else if (sshdr.asc == 0x29)
+-                      scmd->device->ua_por_ctr++;
++                      atomic_inc(&sdev->ua_por_ctr);
+       }
+       if (scsi_sense_is_deferred(&sshdr))
+diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
+index 6d6500148c4b7..993008cdea65f 100644
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -252,8 +252,8 @@ struct scsi_device {
+       unsigned int queue_stopped;     /* request queue is quiesced */
+       bool offline_already;           /* Device offline message logged */
+-      unsigned int ua_new_media_ctr;  /* Counter for New Media UNIT ATTENTIONs */
+-      unsigned int ua_por_ctr;        /* Counter for Power On / Reset UAs */
++      atomic_t ua_new_media_ctr;      /* Counter for New Media UNIT ATTENTIONs */
++      atomic_t ua_por_ctr;            /* Counter for Power On / Reset UAs */
+       atomic_t disk_events_disable_depth; /* disable depth for disk events */
+@@ -693,10 +693,8 @@ static inline int scsi_device_busy(struct scsi_device *sdev)
+ }
+ /* Macros to access the UNIT ATTENTION counters */
+-#define scsi_get_ua_new_media_ctr(sdev) \
+-      ((const unsigned int)(sdev->ua_new_media_ctr))
+-#define scsi_get_ua_por_ctr(sdev) \
+-      ((const unsigned int)(sdev->ua_por_ctr))
++#define scsi_get_ua_new_media_ctr(sdev)       atomic_read(&sdev->ua_new_media_ctr)
++#define scsi_get_ua_por_ctr(sdev)     atomic_read(&sdev->ua_por_ctr)
+ #define MODULE_ALIAS_SCSI_DEVICE(type) \
+       MODULE_ALIAS("scsi:t-" __stringify(type) "*")
+-- 
+2.51.0
+
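Review bot: The rewritten accessors in scsi_device.h use the macro argument unparenthesized, `atomic_read(&sdev->ua_new_media_ctr)`, so an argument that is an expression rather than a plain identifier would bind incorrectly with `&` and `->`. The removed versions had the same weakness; `#define scsi_get_ua_new_media_ctr(sdev) atomic_read(&(sdev)->ua_new_media_ctr)`, and the same for `scsi_get_ua_por_ctr`, closes it. The accessors also now yield `int` where they used to yield `const unsigned int`, so callers that store or compare the counter as unsigned should be checked for sign conversion around wrap. In scsi_error.c the new lines use `sdev`, whose declaration is outside the hunk.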
diff --git a/queue-6.17/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch b/queue-6.17/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
new file mode 100644 (file)
index 0000000..bae6fba
--- /dev/null
@@ -0,0 +1,42 @@
+From 3edf95ddeff56efc083bbe7168adca49efd270a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 15:15:38 +0900
+Subject: scsi: ufs: core: Initialize value of an attribute returned by uic cmd
+
+From: Wonkon Kim <wkon.kim@samsung.com>
+
+[ Upstream commit 6fe4c679dde3075cb481beb3945269bb2ef8b19a ]
+
+If ufshcd_send_cmd() fails, *mib_val may have a garbage value. It can
+get an unintended value of an attribute.
+
+Make ufshcd_dme_get_attr() always initialize *mib_val.
+
+Fixes: 12b4fdb4f6bc ("[SCSI] ufs: add dme configuration primitives")
+Signed-off-by: Wonkon Kim <wkon.kim@samsung.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20251020061539.28661-2-wkon.kim@samsung.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufshcd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index 465e66dbe08e8..52f2c599a348e 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -4278,8 +4278,8 @@ int ufshcd_dme_get_attr(struct ufs_hba *hba, u32 attr_sel,
+                       get, UIC_GET_ATTR_ID(attr_sel),
+                       UFS_UIC_COMMAND_RETRIES - retries);
+-      if (mib_val && !ret)
+-              *mib_val = uic_cmd.argument3;
++      if (mib_val)
++              *mib_val = ret == 0 ? uic_cmd.argument3 : 0;
+       if (peer && (hba->quirks & UFSHCD_QUIRK_DME_PEER_ACCESS_AUTO_MODE)
+           && pwr_mode_change)
+-- 
+2.51.0
+
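Review bot: After this change `ufshcd_dme_get_attr()` reports a failed read as `*mib_val == 0`, which a caller that ignores the return code cannot tell apart from an attribute whose value really is 0. The kernel-doc for the function is outside the hunk; if it does not already say so, it should state that `*mib_val` is zeroed on failure and is meaningful only when the function returns 0. A short comment at the assignment, e.g. `/* 0 on failure is a placeholder, not an attribute value; callers must check the return code */`, would serve the same purpose.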
index c542a8fec98bfcc06da0b5612ebf277f7c608334..8b7a893086e605f97b661a1d06dc71c8834a10b1 100644 (file)
@@ -26,3 +26,61 @@ smb-client-fix-potential-cfid-uaf-in-smb2_query_info_compound.patch
 x86-build-disable-sse4a.patch
 x86-cpu-amd-add-rdseed-fix-for-zen5.patch
 x86-fpu-ensure-xfd-state-on-signal-delivery.patch
+wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
+wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch
+wifi-ath12k-free-skb-during-idr-cleanup-callback.patch
+wifi-ath11k-avoid-bit-operation-on-key-flags.patch
+drm-msm-fix-gem-free-for-imported-dma-bufs.patch
+drm-msm-a6xx-fix-gmu-firmware-parser.patch
+drm-msm-make-sure-last_fence-is-always-updated.patch
+alsa-usb-audio-fix-control-pipe-direction.patch
+wifi-iwlwifi-fix-potential-use-after-free-in-iwl_mld.patch
+asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch
+wifi-mac80211-reset-fils-discovery-and-unsol-probe-r.patch
+wifi-mac80211-fix-key-tailroom-accounting-leak.patch
+wifi-nl80211-call-kfree-without-a-null-check.patch
+kunit-test_dev_action-correctly-cast-priv-pointer-to.patch
+bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
+scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
+scsi-core-fix-the-unit-attention-counter-implementat.patch
+bpf-do-not-audit-capability-check-in-do_jit.patch
+nvmet-auth-update-sc_c-in-host-response.patch
+crypto-s390-phmac-do-not-modify-the-req-nbytes-value.patch
+crypto-aspeed-fix-double-free-caused-by-devm.patch
+asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
+asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch
+asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
+asoc-fsl_micfil-correct-the-endian-format-for-dsd.patch
+libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
+asoc-mediatek-fix-double-pm_runtime_disable-in-remov.patch
+usbnet-prevents-free-active-kevent.patch
+bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch
+bluetooth-iso-fix-bis-connection-dst_type-handling.patch
+bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
+bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch
+bluetooth-mgmt-fix-crash-in-set_mesh_sync-and-set_me.patch
+bluetooth-iso-fix-another-instance-of-dst_type-handl.patch
+bluetooth-btintel_pcie-fix-event-packet-loss-issue.patch
+bluetooth-hci_conn-fix-connection-cleanup-with-big-w.patch
+bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch
+bpf-conditionally-include-dynptr-copy-kfuncs.patch
+drm-msm-ensure-vm-is-created-in-vm_bind-ioctl.patch
+alsa-usb-audio-add-mono-main-switch-to-presonus-s182.patch
+alsa-usb-audio-don-t-log-messages-meant-for-1810c-wh.patch
+acpi-mrrm-check-revision-of-mrrm-table.patch
+drm-etnaviv-fix-flush-sequence-logic.patch
+tools-ynl-fix-string-attribute-length-to-include-nul.patch
+net-hns3-return-error-code-when-function-fails.patch
+sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch
+tools-ynl-avoid-print_field-when-there-is-no-reply.patch
+dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch
+asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch
+asoc-soc_sdw_utils-remove-cs42l43-component_name.patch
+drm-radeon-do-not-kfree-devres-managed-rdev.patch
+drm-radeon-remove-calls-to-drm_put_dev.patch
+drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-25933
+drm-amdgpu-fix-spdx-headers-on-amdgpu_cper.c-h.patch
+drm-amdgpu-fix-spdx-header-on-amd_cper.h.patch
+drm-amdgpu-fix-spdx-header-on-irqsrcs_vcn_5_0.h.patch
diff --git a/queue-6.17/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch b/queue-6.17/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch
new file mode 100644 (file)
index 0000000..e6eccb2
--- /dev/null
@@ -0,0 +1,51 @@
+From c7fb25b152d30651571993227245d4576a9cfbae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 19:48:42 +0530
+Subject: sfc: fix potential memory leak in efx_mae_process_mport()
+
+From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
+
+[ Upstream commit 46a499aaf8c27476fd05e800f3e947bfd71aa724 ]
+
+In efx_mae_enumerate_mports(), memory allocated for mae_mport_desc is
+passed as a argument to efx_mae_process_mport(), but when the error path
+in efx_mae_process_mport() gets executed, the memory allocated for desc
+gets leaked.
+
+Fix that by freeing the memory allocation before returning error.
+
+Fixes: a6a15aca4207 ("sfc: enumerate mports in ef100")
+Acked-by: Edward Cree <ecree.xilinx@gmail.com>
+Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
+Link: https://patch.msgid.link/20251023141844.25847-1-nihaal@cse.iitm.ac.in
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/mae.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/sfc/mae.c b/drivers/net/ethernet/sfc/mae.c
+index 6fd0c1e9a7d54..7cfd9000f79de 100644
+--- a/drivers/net/ethernet/sfc/mae.c
++++ b/drivers/net/ethernet/sfc/mae.c
+@@ -1090,6 +1090,9 @@ void efx_mae_remove_mport(void *desc, void *arg)
+       kfree(mport);
+ }
++/*
++ * Takes ownership of @desc, even if it returns an error
++ */
+ static int efx_mae_process_mport(struct efx_nic *efx,
+                                struct mae_mport_desc *desc)
+ {
+@@ -1100,6 +1103,7 @@ static int efx_mae_process_mport(struct efx_nic *efx,
+       if (!IS_ERR_OR_NULL(mport)) {
+               netif_err(efx, drv, efx->net_dev,
+                         "mport with id %u does exist!!!\n", desc->mport_id);
++              kfree(desc);
+               return -EEXIST;
+       }
+-- 
+2.51.0
+
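Review bot: The new comment on efx_mae_process_mport() promises that @desc is consumed on every return, but the only path visible freeing it is the -EEXIST branch; the rest of the body lies outside the hunk, so each remaining error return should be checked against that promise. The comment would also be more useful if it stated the caller's side of the contract, e.g. `* Takes ownership of @desc on success and on error; the caller must not use or free it after the call.` Without that, a later caller-side `kfree(desc)` on error would turn this leak fix into a double free.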
diff --git a/queue-6.17/tools-ynl-avoid-print_field-when-there-is-no-reply.patch b/queue-6.17/tools-ynl-avoid-print_field-when-there-is-no-reply.patch
new file mode 100644 (file)
index 0000000..9904f2b
--- /dev/null
@@ -0,0 +1,43 @@
+From cdc99c3a8b1ee8c964fbe91d4379af5ffd521f38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Oct 2025 12:58:53 +0000
+Subject: tools: ynl: avoid print_field when there is no reply
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit e3966940559d52aa1800a008dcfeec218dd31f88 ]
+
+When request a none support device operation, there will be no reply.
+In this case, the len(desc) check will always be true, causing print_field
+to enter an infinite loop and crash the program. Example reproducer:
+
+  # ethtool.py -c veth0
+
+To fix this, return immediately if there is no reply.
+
+Fixes: f3d07b02b2b8 ("tools: ynl: ethtool testing tool")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://patch.msgid.link/20251024125853.102916-1-liuhangbin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/net/ynl/pyynl/ethtool.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/net/ynl/pyynl/ethtool.py b/tools/net/ynl/pyynl/ethtool.py
+index cab6b576c8762..87bb561080056 100755
+--- a/tools/net/ynl/pyynl/ethtool.py
++++ b/tools/net/ynl/pyynl/ethtool.py
+@@ -45,6 +45,9 @@ def print_field(reply, *desc):
+     Pretty-print a set of fields from the reply. desc specifies the
+     fields and the optional type (bool/yn).
+     """
++    if not reply:
++        return
++
+     if len(desc) == 0:
+         return print_field(reply, *zip(reply.keys(), reply.keys()))
+-- 
+2.51.0
+
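Review bot: The early `if not reply: return` in print_field() has no comment, and the docstring just above it still does not say that an empty reply prints nothing. The guard matters because the `len(desc) == 0` branch below re-enters print_field() with the reply's own keys, which never terminates when there are none; a short comment such as `# No reply (operation unsupported): nothing to print, and the keys() fallback below would recurse forever` records that. Returning silently also means the user gets no indication that the device did not answer, which may be worth a one-line message. The function body continues outside the hunk.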
diff --git a/queue-6.17/tools-ynl-fix-string-attribute-length-to-include-nul.patch b/queue-6.17/tools-ynl-fix-string-attribute-length-to-include-nul.patch
new file mode 100644 (file)
index 0000000..eaeb4d9
--- /dev/null
@@ -0,0 +1,75 @@
+From 219dc9751ce7cb01d9ff1960de588f4216dfa7e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Oct 2025 15:24:38 +0200
+Subject: tools: ynl: fix string attribute length to include null terminator
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit 65f9c4c5888913c2cf5d2fc9454c83f9930d537d ]
+
+The ynl_attr_put_str() function was not including the null terminator
+in the attribute length calculation. This caused kernel to reject
+CTRL_CMD_GETFAMILY requests with EINVAL:
+"Attribute failed policy validation".
+
+For a 4-character family name like "dpll":
+- Sent: nla_len=8 (4 byte header + 4 byte string without null)
+- Expected: nla_len=9 (4 byte header + 5 byte string with null)
+
+The bug was introduced in commit 15d2540e0d62 ("tools: ynl: check for
+overflow of constructed messages") when refactoring from stpcpy() to
+strlen(). The original code correctly included the null terminator:
+
+  end = stpcpy(ynl_attr_data(attr), str);
+  attr->nla_len = NLA_HDRLEN + NLA_ALIGN(end -
+                                (char *)ynl_attr_data(attr));
+
+Since stpcpy() returns a pointer past the null terminator, the length
+included it. The refactored version using strlen() omitted the +1.
+
+The fix also removes NLA_ALIGN() from nla_len calculation, since
+nla_len should contain actual attribute length, not aligned length.
+Alignment is only for calculating next attribute position. This makes
+the code consistent with ynl_attr_put().
+
+CTRL_ATTR_FAMILY_NAME uses NLA_NUL_STRING policy which requires
+null terminator. Kernel validates with memchr() and rejects if not
+found.
+
+Fixes: 15d2540e0d62 ("tools: ynl: check for overflow of constructed messages")
+Signed-off-by: Petr Oros <poros@redhat.com>
+Tested-by: Ivan Vecera <ivecera@redhat.com>
+Reviewed-by: Ivan Vecera <ivecera@redhat.com>
+Link: https://lore.kernel.org/20251018151737.365485-3-zahari.doychev@linux.com
+Link: https://patch.msgid.link/20251024132438.351290-1-poros@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/net/ynl/lib/ynl-priv.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/net/ynl/lib/ynl-priv.h b/tools/net/ynl/lib/ynl-priv.h
+index 824777d7e05ea..fca519d7ec9a7 100644
+--- a/tools/net/ynl/lib/ynl-priv.h
++++ b/tools/net/ynl/lib/ynl-priv.h
+@@ -314,7 +314,7 @@ ynl_attr_put_str(struct nlmsghdr *nlh, unsigned int attr_type, const char *str)
+       struct nlattr *attr;
+       size_t len;
+-      len = strlen(str);
++      len = strlen(str) + 1;
+       if (__ynl_attr_put_overflow(nlh, len))
+               return;
+@@ -322,7 +322,7 @@ ynl_attr_put_str(struct nlmsghdr *nlh, unsigned int attr_type, const char *str)
+       attr->nla_type = attr_type;
+       strcpy((char *)ynl_attr_data(attr), str);
+-      attr->nla_len = NLA_HDRLEN + NLA_ALIGN(len);
++      attr->nla_len = NLA_HDRLEN + len;
+       nlh->nlmsg_len += NLMSG_ALIGN(attr->nla_len);
+ }
+-- 
+2.51.0
+
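Review bot: In ynl_attr_put_str(), `attr->nla_len = NLA_HDRLEN + len` assigns a size_t expression to the 16-bit `nla_len` field, so a sufficiently long string would be silently truncated unless `__ynl_attr_put_overflow()` already bounds `len` below that; its body is not visible in the hunk. Now that `len` includes the terminator, the unbounded `strcpy()` on the context line could become `memcpy(ynl_attr_data(attr), str, len);`, which ties the copy to exactly the length that was overflow-checked and avoids scanning the string twice. Both hunks of this patch touch the same function, and its start lies outside them.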
diff --git a/queue-6.17/usbnet-prevents-free-active-kevent.patch b/queue-6.17/usbnet-prevents-free-active-kevent.patch
new file mode 100644 (file)
index 0000000..acf8f88
--- /dev/null
@@ -0,0 +1,50 @@
+From f66b6edfada66de4efe5ad557c475f973c75535c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 10:40:07 +0800
+Subject: usbnet: Prevents free active kevent
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+[ Upstream commit 420c84c330d1688b8c764479e5738bbdbf0a33de ]
+
+The root cause of this issue are:
+1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
+put the kevent work in global workqueue. However, the kevent has not yet
+been scheduled when the usbnet device is unregistered. Therefore, executing
+free_netdev() results in the "free active object (kevent)" error reported
+here.
+
+2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
+if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
+However, because the device is not up, ndo_stop() is not executed.
+
+The solution to this problem is to cancel the kevent before executing
+free_netdev().
+
+Fixes: a69e617e533e ("usbnet: Fix linkwatch use-after-free on disconnect")
+Reported-by: Sam Sun <samsun1006219@gmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=8bfd7bcc98f7300afb84
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Link: https://patch.msgid.link/20251022024007.1831898-1-lizhi.xu@windriver.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/usbnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index bf01f27285318..697cd9d866d3d 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1659,6 +1659,8 @@ void usbnet_disconnect (struct usb_interface *intf)
+       net = dev->net;
+       unregister_netdev (net);
++      cancel_work_sync(&dev->kevent);
++
+       while ((urb = usb_get_from_anchor(&dev->deferred))) {
+               dev_kfree_skb(urb->context);
+               kfree(urb->sg);
+-- 
+2.51.0
+
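Review bot: The added `cancel_work_sync(&dev->kevent);` in usbnet_disconnect() carries no comment explaining why it is needed here when ndo_stop() already cancels the work, and the reason is only in the commit message. Something like `/* kevent can be queued at probe time and never run if the interface was never brought up, in which case ndo_stop() is skipped; cancel it before free_netdev() */` would keep the ordering from being "cleaned up" later. Whether anything further down in usbnet_disconnect() can queue kevent again before free_netdev() is not visible, since the function continues outside the hunk; if it can, the cancel belongs after that point.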
diff --git a/queue-6.17/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch b/queue-6.17/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
new file mode 100644 (file)
index 0000000..e796b38
--- /dev/null
@@ -0,0 +1,41 @@
+From 26a778bde0ebea9cbb4585bf1182bc2002955386 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Sep 2025 21:56:56 +0200
+Subject: wifi: ath10k: Fix memory leak on unsupported WMI command
+
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+
+[ Upstream commit 2e9c1da4ee9d0acfca2e0a3d78f3d8cb5802da1b ]
+
+ath10k_wmi_cmd_send takes ownership of the passed buffer (skb) and has the
+responsibility to release it in case of error. This patch fixes missing
+free in case of early error due to unhandled WMI command ID.
+
+Tested-on: WCN3990 hw1.0 WLAN.HL.3.3.7.c2-00931-QCAHLSWMTPLZ-1
+
+Fixes: 553215592f14 ("ath10k: warn if give WMI command is not supported")
+Suggested-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250926195656.187970-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index e595b0979a56d..b3b00d324075b 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -1937,6 +1937,7 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id)
+       if (cmd_id == WMI_CMD_UNSUPPORTED) {
+               ath10k_warn(ar, "wmi command %d is not supported by firmware\n",
+                           cmd_id);
++              dev_kfree_skb_any(skb);
+               return ret;
+       }
+-- 
+2.51.0
+
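Review bot: ath10k_wmi_cmd_send() now frees `skb` on the WMI_CMD_UNSUPPORTED path, but nothing at the function itself documents that it consumes the buffer on every return, which is the rule this fix relies on. A header comment such as `/* Consumes @skb on success and on failure; callers must not touch it after the call. */` would make the contract checkable, because a caller that still frees the skb on error would now double-free it. The callers and the remaining error paths are outside the hunk, so both should be audited against that rule.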
diff --git a/queue-6.17/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch b/queue-6.17/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch
new file mode 100644 (file)
index 0000000..f52cc5b
--- /dev/null
@@ -0,0 +1,126 @@
+From 7dfe8c053dac0f28b922d24ed04acecb1a924ee0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Sep 2025 15:21:35 -0400
+Subject: wifi: ath11k: Add missing platform IDs for quirk table
+
+From: Mark Pearson <mpearson-lenovo@squebb.ca>
+
+[ Upstream commit 0eb002c93c3b47f88244cecb1e356eaeab61a6bf ]
+
+Lenovo platforms can come with one of two different IDs.
+The pm_quirk table was missing the second ID for each platform.
+
+Add missing ID and some extra platform identification comments.
+Reported on https://bugzilla.kernel.org/show_bug.cgi?id=219196
+
+Tested-on: P14s G4 AMD.
+
+Fixes: ce8669a27016 ("wifi: ath11k: determine PM policy based on machine model")
+Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219196
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250929192146.1789648-1-mpearson-lenovo@squebb.ca
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.c | 54 +++++++++++++++++++++++---
+ 1 file changed, 48 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
+index 2810752260f2f..812686173ac8a 100644
+--- a/drivers/net/wireless/ath/ath11k/core.c
++++ b/drivers/net/wireless/ath/ath11k/core.c
+@@ -912,42 +912,84 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+ static const struct dmi_system_id ath11k_pm_quirk_table[] = {
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* X13 G4 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21J3"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* X13 G4 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21J4"),
+               },
+       },
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* T14 G4 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21K3"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* T14 G4 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21K4"),
+               },
+       },
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* P14s G4 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21K5"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* P14s G4 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21K6"),
+               },
+       },
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* T16 G2 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21K7"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* T16 G2 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21K8"),
+               },
+       },
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* P16s G2 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21K9"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* P16s G2 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21KA"),
+               },
+       },
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* T14s G4 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21F8"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* T14s G4 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21F9"),
+               },
+-- 
+2.51.0
+
diff --git a/queue-6.17/wifi-ath11k-avoid-bit-operation-on-key-flags.patch b/queue-6.17/wifi-ath11k-avoid-bit-operation-on-key-flags.patch
new file mode 100644 (file)
index 0000000..4eda3e0
--- /dev/null
@@ -0,0 +1,83 @@
+From 42cd6d8894be0e6d4deded905a050697dc0b4770 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Oct 2025 14:51:58 +0530
+Subject: wifi: ath11k: avoid bit operation on key flags
+
+From: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
+
+[ Upstream commit 9c78e747dd4fee6c36fcc926212e20032055cf9d ]
+
+Bitwise operations with WMI_KEY_PAIRWISE (defined as 0) are ineffective
+and misleading. This results in pairwise key validations added in
+commit 97acb0259cc9 ("wifi: ath11k: fix group data packet drops
+during rekey") to always evaluate false and clear key commands for
+pairwise keys are not honored.
+
+Since firmware supports overwriting the new key without explicitly
+clearing the previous one, there is no visible impact currently.
+However, to restore consistency with the previous behavior and improve
+clarity, replace bitwise operations with direct assignments and
+comparisons for key flags.
+
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.9.0.1-02146-QCAHKSWPL_SILICONZ-1
+Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/linux-wireless/aLlaetkalDvWcB7b@stanley.mountain
+Fixes: 97acb0259cc9 ("wifi: ath11k: fix group data packet drops during rekey")
+Signed-off-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251003092158.1080637-1-rameshkumar.sundaram@oss.qualcomm.com
+[update copyright per current guidance]
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 106e2530b64e9..0e41b5a91d66d 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -1,7 +1,7 @@
+ // SPDX-License-Identifier: BSD-3-Clause-Clear
+ /*
+  * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
+- * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved.
++ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
+  */
+ #include <net/mac80211.h>
+@@ -4417,9 +4417,9 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+       }
+       if (key->flags & IEEE80211_KEY_FLAG_PAIRWISE)
+-              flags |= WMI_KEY_PAIRWISE;
++              flags = WMI_KEY_PAIRWISE;
+       else
+-              flags |= WMI_KEY_GROUP;
++              flags = WMI_KEY_GROUP;
+       ath11k_dbg(ar->ab, ATH11K_DBG_MAC,
+                  "%s for peer %pM on vdev %d flags 0x%X, type = %d, num_sta %d\n",
+@@ -4456,7 +4456,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+       is_ap_with_no_sta = (vif->type == NL80211_IFTYPE_AP &&
+                            !arvif->num_stations);
+-      if ((flags & WMI_KEY_PAIRWISE) || cmd == SET_KEY || is_ap_with_no_sta) {
++      if (flags == WMI_KEY_PAIRWISE || cmd == SET_KEY || is_ap_with_no_sta) {
+               ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags);
+               if (ret) {
+                       ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret);
+@@ -4470,7 +4470,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+                       goto exit;
+               }
+-              if ((flags & WMI_KEY_GROUP) && cmd == SET_KEY && is_ap_with_no_sta)
++              if (flags == WMI_KEY_GROUP && cmd == SET_KEY && is_ap_with_no_sta)
+                       arvif->reinstall_group_keys = true;
+       }
+-- 
+2.51.0
+
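Review bot: In ath11k_mac_op_set_key() the switch from `|=` / `&` to `=` / `==` is correct only because WMI_KEY_PAIRWISE is 0, and nothing in the new code records that these are enumerated values rather than bit flags. A comment at the assignment, e.g. `/* WMI_KEY_PAIRWISE is 0: key flags are values, compare with ==, never with & */`, would stop the bitwise test from being reintroduced. Note also that `flags == WMI_KEY_PAIRWISE` now really evaluates true, so clear-key commands for pairwise keys reach ath11k_install_key() where they previously did not; the commit message expects no visible impact, but that path deserves a test on the listed hardware. The function starts and ends outside the hunks.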
diff --git a/queue-6.17/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch b/queue-6.17/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch
new file mode 100644 (file)
index 0000000..40d49bf
--- /dev/null
@@ -0,0 +1,107 @@
+From 1a7bf410430a52c13123122b0ad4d920c6446883 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Sep 2025 15:03:16 -0700
+Subject: wifi: ath12k: free skb during idr cleanup callback
+
+From: Karthik M <quic_karm@quicinc.com>
+
+[ Upstream commit 92282074e1d2e7b6da5c05fe38a7cc974187fe14 ]
+
+ath12k just like ath11k [1] did not handle skb cleanup during idr
+cleanup callback. Both ath12k_mac_vif_txmgmt_idr_remove() and
+ath12k_mac_tx_mgmt_pending_free() performed idr cleanup and DMA
+unmapping for skb but only ath12k_mac_tx_mgmt_pending_free() freed
+skb. As a result, during vdev deletion a memory leak occurs.
+
+Refactor all clean up steps into a new function. New function
+ath12k_mac_tx_mgmt_free() creates a centralized area where idr
+cleanup, DMA unmapping for skb and freeing skb is performed. Utilize
+skb pointer given by idr_remove(), instead of passed as a function
+argument because IDR will be protected by locking. This will prevent
+concurrent modification of the same IDR.
+
+Now ath12k_mac_tx_mgmt_pending_free() and
+ath12k_mac_vif_txmgmt_idr_remove() call ath12k_mac_tx_mgmt_free().
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
+
+Link: https://lore.kernel.org/r/1637832614-13831-1-git-send-email-quic_srirrama@quicinc.com > # [1]
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Signed-off-by: Karthik M <quic_karm@quicinc.com>
+Signed-off-by: Muna Sinada <muna.sinada@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250923220316.1595758-1-muna.sinada@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/mac.c | 34 ++++++++++++++-------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
+index 2644b5d4b0bc8..d717e74b01c89 100644
+--- a/drivers/net/wireless/ath/ath12k/mac.c
++++ b/drivers/net/wireless/ath/ath12k/mac.c
+@@ -8304,23 +8304,32 @@ static void ath12k_mgmt_over_wmi_tx_drop(struct ath12k *ar, struct sk_buff *skb)
+               wake_up(&ar->txmgmt_empty_waitq);
+ }
+-int ath12k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx)
++static void ath12k_mac_tx_mgmt_free(struct ath12k *ar, int buf_id)
+ {
+-      struct sk_buff *msdu = skb;
++      struct sk_buff *msdu;
+       struct ieee80211_tx_info *info;
+-      struct ath12k *ar = ctx;
+-      struct ath12k_base *ab = ar->ab;
+       spin_lock_bh(&ar->txmgmt_idr_lock);
+-      idr_remove(&ar->txmgmt_idr, buf_id);
++      msdu = idr_remove(&ar->txmgmt_idr, buf_id);
+       spin_unlock_bh(&ar->txmgmt_idr_lock);
+-      dma_unmap_single(ab->dev, ATH12K_SKB_CB(msdu)->paddr, msdu->len,
++
++      if (!msdu)
++              return;
++
++      dma_unmap_single(ar->ab->dev, ATH12K_SKB_CB(msdu)->paddr, msdu->len,
+                        DMA_TO_DEVICE);
+       info = IEEE80211_SKB_CB(msdu);
+       memset(&info->status, 0, sizeof(info->status));
+-      ath12k_mgmt_over_wmi_tx_drop(ar, skb);
++      ath12k_mgmt_over_wmi_tx_drop(ar, msdu);
++}
++
++int ath12k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx)
++{
++      struct ath12k *ar = ctx;
++
++      ath12k_mac_tx_mgmt_free(ar, buf_id);
+       return 0;
+ }
+@@ -8329,17 +8338,10 @@ static int ath12k_mac_vif_txmgmt_idr_remove(int buf_id, void *skb, void *ctx)
+ {
+       struct ieee80211_vif *vif = ctx;
+       struct ath12k_skb_cb *skb_cb = ATH12K_SKB_CB(skb);
+-      struct sk_buff *msdu = skb;
+       struct ath12k *ar = skb_cb->ar;
+-      struct ath12k_base *ab = ar->ab;
+-      if (skb_cb->vif == vif) {
+-              spin_lock_bh(&ar->txmgmt_idr_lock);
+-              idr_remove(&ar->txmgmt_idr, buf_id);
+-              spin_unlock_bh(&ar->txmgmt_idr_lock);
+-              dma_unmap_single(ab->dev, skb_cb->paddr, msdu->len,
+-                               DMA_TO_DEVICE);
+-      }
++      if (skb_cb->vif == vif)
++              ath12k_mac_tx_mgmt_free(ar, buf_id);
+       return 0;
+ }
+-- 
+2.51.0
+
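Review bot: ath12k_mac_vif_txmgmt_idr_remove() still reads `skb_cb->vif` and `skb_cb->ar` from the `skb` argument before any lock is taken, while the new ath12k_mac_tx_mgmt_free() deliberately trusts only the pointer returned by `idr_remove()` under `txmgmt_idr_lock`. If another path can remove and free the same buf_id concurrently, that first read would touch a freed skb; whether the iterating caller excludes this is not visible in the hunk. A comment on the callback stating which lock or context makes the `skb` argument safe to dereference would settle it. The `skb` parameter of ath12k_mac_tx_mgmt_pending_free() is now unused and could be marked as such in a comment, since the callback signature presumably has to stay.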
diff --git a/queue-6.17/wifi-iwlwifi-fix-potential-use-after-free-in-iwl_mld.patch b/queue-6.17/wifi-iwlwifi-fix-potential-use-after-free-in-iwl_mld.patch
new file mode 100644 (file)
index 0000000..e491a86
--- /dev/null
@@ -0,0 +1,50 @@
+From 5597b48255c0bc23a65767ddad3438cf0fc62022 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Sep 2025 14:20:16 +0300
+Subject: wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 77e67d5daaf155f7d0f99f4e797c4842169ec19e ]
+
+This code frees "link" by calling kfree_rcu(link, rcu_head) and then it
+dereferences "link" to get the "link->fw_id".  Save the "link->fw_id"
+first to avoid a potential use after free.
+
+Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/aNKCcKlbSkkS4_gO@stanley.mountain
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mld/link.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mld/link.c b/drivers/net/wireless/intel/iwlwifi/mld/link.c
+index 782fc41aa1c31..960dcd208f005 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mld/link.c
++++ b/drivers/net/wireless/intel/iwlwifi/mld/link.c
+@@ -501,6 +501,7 @@ void iwl_mld_remove_link(struct iwl_mld *mld,
+       struct iwl_mld_vif *mld_vif = iwl_mld_vif_from_mac80211(bss_conf->vif);
+       struct iwl_mld_link *link = iwl_mld_link_from_mac80211(bss_conf);
+       bool is_deflink = link == &mld_vif->deflink;
++      u8 fw_id = link->fw_id;
+       if (WARN_ON(!link || link->active))
+               return;
+@@ -513,10 +514,10 @@ void iwl_mld_remove_link(struct iwl_mld *mld,
+       RCU_INIT_POINTER(mld_vif->link[bss_conf->link_id], NULL);
+-      if (WARN_ON(link->fw_id >= mld->fw->ucode_capa.num_links))
++      if (WARN_ON(fw_id >= mld->fw->ucode_capa.num_links))
+               return;
+-      RCU_INIT_POINTER(mld->fw_id_to_bss_conf[link->fw_id], NULL);
++      RCU_INIT_POINTER(mld->fw_id_to_bss_conf[fw_id], NULL);
+ }
+ void iwl_mld_handle_missed_beacon_notif(struct iwl_mld *mld,
+-- 
+2.51.0
+
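Review bot: The new initializer `u8 fw_id = link->fw_id;` in iwl_mld_remove_link() dereferences `link` in the declarations, before the `WARN_ON(!link || link->active)` check that follows, so a NULL `link` would now fault instead of hitting the warning and returning. The existing check suggests a NULL return from iwl_mld_link_from_mac80211() is considered possible. Declare `u8 fw_id;` without an initializer and assign `fw_id = link->fw_id;` immediately after the WARN_ON block, which still captures the value before the kfree_rcu() the commit message refers to. The lines between the two hunks of this function are not visible.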
diff --git a/queue-6.17/wifi-mac80211-fix-key-tailroom-accounting-leak.patch b/queue-6.17/wifi-mac80211-fix-key-tailroom-accounting-leak.patch
new file mode 100644 (file)
index 0000000..17d8895
--- /dev/null
@@ -0,0 +1,52 @@
+From e8c9e9615005e3bde16163431559ff612a9deb9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Oct 2025 11:54:27 +0300
+Subject: wifi: mac80211: fix key tailroom accounting leak
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit ed6a47346ec69e7f1659e0a1a3558293f60d5dd7 ]
+
+For keys added by ieee80211_gtk_rekey_add(), we assume that
+they're already present in the hardware and set the flag
+KEY_FLAG_UPLOADED_TO_HARDWARE. However, setting this flag
+needs to be paired with decrementing the tailroom needed,
+which was missed.
+
+Fixes: f52a0b408ed1 ("wifi: mac80211: mark keys as uploaded when added by the driver")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20251019115358.c88eafb4083e.I69e9d4d78a756a133668c55b5570cf15a4b0e6a4@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/key.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/key.c b/net/mac80211/key.c
+index b14e9cd9713ff..d5da7ccea66e0 100644
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -508,11 +508,16 @@ static int ieee80211_key_replace(struct ieee80211_sub_if_data *sdata,
+                               ret = ieee80211_key_enable_hw_accel(new);
+               }
+       } else {
+-              if (!new->local->wowlan)
++              if (!new->local->wowlan) {
+                       ret = ieee80211_key_enable_hw_accel(new);
+-              else if (link_id < 0 || !sdata->vif.active_links ||
+-                       BIT(link_id) & sdata->vif.active_links)
++              } else if (link_id < 0 || !sdata->vif.active_links ||
++                       BIT(link_id) & sdata->vif.active_links) {
+                       new->flags |= KEY_FLAG_UPLOADED_TO_HARDWARE;
++                      if (!(new->conf.flags & (IEEE80211_KEY_FLAG_GENERATE_MMIC |
++                                               IEEE80211_KEY_FLAG_PUT_MIC_SPACE |
++                                               IEEE80211_KEY_FLAG_RESERVE_TAILROOM)))
++                              decrease_tailroom_need_count(sdata, 1);
++              }
+       }
+       if (ret)
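Review bot: The new `decrease_tailroom_need_count(sdata, 1)` call is gated by a three-flag mask, and nothing at the site says why those flags exempt a key from the decrement or where the matching increment happens. The commit message says setting `KEY_FLAG_UPLOADED_TO_HARDWARE` has to be paired with the decrement; if another path in key.c applies the same mask (not visible in this hunk), the two must stay identical or the count drifts again. A short comment would record that, for example `/* Treated as already in hardware: drop the tailroom need unless one of these flags still requires the space */`, with the wording checked against the flag definitions. The body of ieee80211_key_replace starts and ends outside the hunk.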
+-- 
+2.51.0
+
diff --git a/queue-6.17/wifi-mac80211-reset-fils-discovery-and-unsol-probe-r.patch b/queue-6.17/wifi-mac80211-reset-fils-discovery-and-unsol-probe-r.patch
new file mode 100644 (file)
index 0000000..270d7b9
--- /dev/null
@@ -0,0 +1,52 @@
+From ab390dab7004b6f7fcab3172b59b85d70b178f9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Sep 2025 18:30:14 +0530
+Subject: wifi: mac80211: reset FILS discovery and unsol probe resp intervals
+
+From: Aloka Dixit <aloka.dixit@oss.qualcomm.com>
+
+[ Upstream commit 607844761454e3c17e928002e126ccf21c83f6aa ]
+
+When ieee80211_stop_ap() deletes the FILS discovery and unsolicited
+broadcast probe response templates, the associated interval values
+are not reset. This can lead to drivers subsequently operating with
+the non-zero values, leading to unexpected behavior.
+
+Trigger repeated retrieval attempts of the FILS discovery template in
+ath12k, resulting in excessive log messages such as:
+
+mac vdev 0 failed to retrieve FILS discovery template
+mac vdev 4 failed to retrieve FILS discovery template
+
+Fix this by resetting the intervals in ieee80211_stop_ap() to ensure
+proper cleanup of FILS discovery and unsolicited broadcast probe
+response templates.
+
+Fixes: 295b02c4be74 ("mac80211: Add FILS discovery support")
+Fixes: 632189a0180f ("mac80211: Unsolicited broadcast probe response support")
+Signed-off-by: Aloka Dixit <aloka.dixit@oss.qualcomm.com>
+Signed-off-by: Aaradhana Sahu <aaradhana.sahu@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250924130014.2575533-1-aaradhana.sahu@oss.qualcomm.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 7609c7c31df74..e5e82e0b48ff1 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1772,6 +1772,9 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev,
+       link_conf->nontransmitted = false;
+       link_conf->ema_ap = false;
+       link_conf->bssid_indicator = 0;
++      link_conf->fils_discovery.min_interval = 0;
++      link_conf->fils_discovery.max_interval = 0;
++      link_conf->unsol_bcast_probe_resp_interval = 0;
+       __sta_info_flush(sdata, true, link_id, NULL);
+-- 
+2.51.0
+
diff --git a/queue-6.17/wifi-nl80211-call-kfree-without-a-null-check.patch b/queue-6.17/wifi-nl80211-call-kfree-without-a-null-check.patch
new file mode 100644 (file)
index 0000000..2cb609d
--- /dev/null
@@ -0,0 +1,42 @@
+From 92f94611e4aa47a5164b4d2eae9dea9ea1c56155 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 10:57:45 +0300
+Subject: wifi: nl80211: call kfree without a NULL check
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit 249e1443e3d57e059925bdb698f53e4d008fc106 ]
+
+Coverity is unhappy because we may leak old_radio_rts_threshold. Since
+this pointer is only valid in the context of the function and kfree is
+NULL pointer safe, don't check and just call kfree.
+Note that somehow, we were checking old_rts_threshold to free
+old_radio_rts_threshold which is a bit odd.
+
+Fixes: 264637941cf4 ("wifi: cfg80211: Add Support to Set RTS Threshold for each Radio")
+Reviewed-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Link: https://patch.msgid.link/20251020075745.44168-1-emmanuel.grumbach@intel.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 852573423e52d..46b29ed0bd2e4 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -4012,8 +4012,7 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
+                       rdev->wiphy.txq_quantum = old_txq_quantum;
+               }
+-              if (old_rts_threshold)
+-                      kfree(old_radio_rts_threshold);
++              kfree(old_radio_rts_threshold);
+               return result;
+       }
+-- 
+2.51.0
+
diff --git a/queue-6.6/alsa-usb-audio-fix-control-pipe-direction.patch b/queue-6.6/alsa-usb-audio-fix-control-pipe-direction.patch
new file mode 100644 (file)
index 0000000..99f3237
--- /dev/null
@@ -0,0 +1,37 @@
+From 8ae79a91ad0f0f5871f0a9526106d26f0c2559f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 19:18:22 +0200
+Subject: ALSA: usb-audio: fix control pipe direction
+
+From: Roy Vegard Ovesen <roy.vegard.ovesen@gmail.com>
+
+[ Upstream commit 7963891f7c9c6f759cc9ab7da71406b4234f3dd6 ]
+
+Since the requesttype has USB_DIR_OUT the pipe should be
+constructed with usb_sndctrlpipe().
+
+Fixes: 8dc5efe3d17c ("ALSA: usb-audio: Add support for Presonus Studio 1810c")
+Signed-off-by: Roy Vegard Ovesen <roy.vegard.ovesen@gmail.com>
+Link: https://patch.msgid.link/aPPL3tBFE_oU-JHv@ark
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/mixer_s1810c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/mixer_s1810c.c b/sound/usb/mixer_s1810c.c
+index fac4bbc6b2757..65bdda0841048 100644
+--- a/sound/usb/mixer_s1810c.c
++++ b/sound/usb/mixer_s1810c.c
+@@ -181,7 +181,7 @@ snd_sc1810c_get_status_field(struct usb_device *dev,
+       pkt_out.fields[SC1810C_STATE_F1_IDX] = SC1810C_SET_STATE_F1;
+       pkt_out.fields[SC1810C_STATE_F2_IDX] = SC1810C_SET_STATE_F2;
+-      ret = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0),
++      ret = snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
+                             SC1810C_SET_STATE_REQ,
+                             SC1810C_SET_STATE_REQTYPE,
+                             (*seqnum), 0, &pkt_out, sizeof(pkt_out));
+-- 
+2.51.0
+
diff --git a/queue-6.6/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch b/queue-6.6/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
new file mode 100644 (file)
index 0000000..6387a8b
--- /dev/null
@@ -0,0 +1,46 @@
+From 2f3398b5efe322049cb0a9e0226960e2a0080c81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 14:45:37 +0800
+Subject: ASoC: fsl_sai: fix bit order for DSD format
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit d9fbe5b0bf7e2d1e20d53e4e2274f9f61bdcca98 ]
+
+The DSD little endian format requires the msb first, because oldest bit
+is in msb.
+found this issue by testing with pipewire.
+
+Fixes: c111c2ddb3fd ("ASoC: fsl_sai: Add PDM daifmt support")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Link: https://patch.msgid.link/20251023064538.368850-2-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_sai.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
+index a6948a57636ab..0de878d64a3bd 100644
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -322,7 +322,6 @@ static int fsl_sai_set_dai_fmt_tr(struct snd_soc_dai *cpu_dai,
+               break;
+       case SND_SOC_DAIFMT_PDM:
+               val_cr2 |= FSL_SAI_CR2_BCP;
+-              val_cr4 &= ~FSL_SAI_CR4_MF;
+               sai->is_pdm_mode = true;
+               break;
+       case SND_SOC_DAIFMT_RIGHT_J:
+@@ -597,7 +596,7 @@ static int fsl_sai_hw_params(struct snd_pcm_substream *substream,
+       val_cr5 |= FSL_SAI_CR5_WNW(slot_width);
+       val_cr5 |= FSL_SAI_CR5_W0W(slot_width);
+-      if (sai->is_lsb_first || sai->is_pdm_mode)
++      if (sai->is_lsb_first)
+               val_cr5 |= FSL_SAI_CR5_FBT(0);
+       else
+               val_cr5 |= FSL_SAI_CR5_FBT(word_width - 1);
+-- 
+2.51.0
+
diff --git a/queue-6.6/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch b/queue-6.6/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
new file mode 100644 (file)
index 0000000..ec48ada
--- /dev/null
@@ -0,0 +1,40 @@
+From a3253f2cd9a8efc1340e0d545730dd52d1e3bc50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 11:23:46 +0200
+Subject: ASoC: Intel: avs: Unprepare a stream when XRUN occurs
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit cfca1637bc2b6b1e4f191d2f0b25f12402fbbb26 ]
+
+The pcm->prepare() function may be called multiple times in a row by the
+userspace, as mentioned in the documentation. The driver shall take that
+into account and prevent redundancy. However, the exact same function is
+called during XRUNs and in such case, the particular stream shall be
+reset and setup anew.
+
+Fixes: 9114700b496c ("ASoC: Intel: avs: Generic PCM FE operations")
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://patch.msgid.link/20251023092348.3119313-2-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/pcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/intel/avs/pcm.c b/sound/soc/intel/avs/pcm.c
+index 781019685b941..9251c38cf9d12 100644
+--- a/sound/soc/intel/avs/pcm.c
++++ b/sound/soc/intel/avs/pcm.c
+@@ -611,6 +611,8 @@ static int avs_dai_fe_prepare(struct snd_pcm_substream *substream, struct snd_so
+       data = snd_soc_dai_get_dma_data(dai, substream);
+       host_stream = data->host_stream;
++      if (runtime->state == SNDRV_PCM_STATE_XRUN)
++              hdac_stream(host_stream)->prepared = false;
+       if (hdac_stream(host_stream)->prepared)
+               return 0;
+-- 
+2.51.0
+
diff --git a/queue-6.6/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch b/queue-6.6/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
new file mode 100644 (file)
index 0000000..e84426c
--- /dev/null
@@ -0,0 +1,61 @@
+From f6626797d59505853fea5188476215d4ca6d2b5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Sep 2025 13:39:33 +0800
+Subject: Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during
+ reset
+
+From: Chris Lu <chris.lu@mediatek.com>
+
+[ Upstream commit 77343b8b4f87560f8f03e77b98a81ff3a147b262 ]
+
+This patch adds logic to handle power management control when the
+Bluetooth function is closed during the SDIO reset sequence.
+
+Specifically, if BT is closed before reset, the driver enables the
+SDIO function and sets driver pmctrl. After reset, if BT remains
+closed, the driver sets firmware pmctrl and disables the SDIO function.
+
+These changes ensure proper power management and device state consistency
+across the reset flow.
+
+Fixes: 8fafe702253d ("Bluetooth: mt7921s: support bluetooth reset mechanism")
+Signed-off-by: Chris Lu <chris.lu@mediatek.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btmtksdio.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c
+index f9a3444753c2b..97659b4792e69 100644
+--- a/drivers/bluetooth/btmtksdio.c
++++ b/drivers/bluetooth/btmtksdio.c
+@@ -1257,6 +1257,12 @@ static void btmtksdio_cmd_timeout(struct hci_dev *hdev)
+       sdio_claim_host(bdev->func);
++      /* set drv_pmctrl if BT is closed before doing reset */
++      if (!test_bit(BTMTKSDIO_FUNC_ENABLED, &bdev->tx_state)) {
++              sdio_enable_func(bdev->func);
++              btmtksdio_drv_pmctrl(bdev);
++      }
++
+       sdio_writel(bdev->func, C_INT_EN_CLR, MTK_REG_CHLPCR, NULL);
+       skb_queue_purge(&bdev->txq);
+       cancel_work_sync(&bdev->txrx_work);
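Review bot: The return value of `sdio_enable_func(bdev->func)` in the new BT-closed branch is discarded, so `btmtksdio_drv_pmctrl(bdev)` and the register write that follows run even when the function could not be enabled. Checking it keeps the reset from proceeding on a function in an unknown state, for example `if (sdio_enable_func(bdev->func)) goto err;`, using the `err:` label that appears in the next hunk and releases the claimed host. The result of `btmtksdio_drv_pmctrl()` is also unused here; whether it can fail is not visible in this hunk. The enclosing function starts and ends outside the hunk.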
+@@ -1272,6 +1278,12 @@ static void btmtksdio_cmd_timeout(struct hci_dev *hdev)
+               goto err;
+       }
++      /* set fw_pmctrl back if BT is closed after doing reset */
++      if (!test_bit(BTMTKSDIO_FUNC_ENABLED, &bdev->tx_state)) {
++              btmtksdio_fw_pmctrl(bdev);
++              sdio_disable_func(bdev->func);
++      }
++
+       clear_bit(BTMTKSDIO_PATCH_ENABLED, &bdev->tx_state);
+ err:
+       sdio_release_host(bdev->func);
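Review bot: The restore block added before `clear_bit(BTMTKSDIO_PATCH_ENABLED, &bdev->tx_state)` is skipped on the failure path, because the `goto err;` in the context above jumps past it to `err:`. If BT was closed when the reset began, that path leaves the SDIO function enabled and under driver ownership, which is the inconsistency the commit message sets out to remove. Placing the `if (!test_bit(BTMTKSDIO_FUNC_ENABLED, &bdev->tx_state))` block after the `err:` label, ahead of `sdio_release_host()`, would cover both exits. This assumes handing ownership back to firmware is safe after a failed reset, which the hunk does not show. The enclosing function starts outside the hunk.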
+-- 
+2.51.0
+
diff --git a/queue-6.6/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch b/queue-6.6/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch
new file mode 100644 (file)
index 0000000..39d29bc
--- /dev/null
@@ -0,0 +1,78 @@
+From f2455847bb7a98deff5d265447578f6566d9b6cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Oct 2025 10:55:58 -0400
+Subject: Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 0d92808024b4e9868cef68d16f121d509843e80e ]
+
+This fixes the state tracking of advertisement set/instance 0x00 which
+is considered a legacy instance and is not tracked individually by
+adv_instances list, previously it was assumed that hci_dev itself would
+track it via HCI_LE_ADV but that is a global state not specifc to
+instance 0x00, so to fix it a new flag is introduced that only tracks the
+state of instance 0x00.
+
+Fixes: 1488af7b8b5f ("Bluetooth: hci_sync: Fix hci_resume_advertising_sync")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci.h | 1 +
+ net/bluetooth/hci_event.c   | 4 ++++
+ net/bluetooth/hci_sync.c    | 5 ++---
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
+index 4c084a03d6bb7..b25746b91986c 100644
+--- a/include/net/bluetooth/hci.h
++++ b/include/net/bluetooth/hci.h
+@@ -392,6 +392,7 @@ enum {
+       HCI_USER_CHANNEL,
+       HCI_EXT_CONFIGURED,
+       HCI_LE_ADV,
++      HCI_LE_ADV_0,
+       HCI_LE_PER_ADV,
+       HCI_LE_SCAN,
+       HCI_SSP_ENABLED,
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 7bda00dcb0b2f..064fde4fb70ff 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -1598,6 +1598,8 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
+               if (adv && !adv->periodic)
+                       adv->enabled = true;
++              else if (!set->handle)
++                      hci_dev_set_flag(hdev, HCI_LE_ADV_0);
+               conn = hci_lookup_le_connect(hdev);
+               if (conn)
+@@ -1608,6 +1610,8 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
+               if (cp->num_of_sets) {
+                       if (adv)
+                               adv->enabled = false;
++                      else if (!set->handle)
++                              hci_dev_clear_flag(hdev, HCI_LE_ADV_0);
+                       /* If just one instance was disabled check if there are
+                        * any other instance enabled before clearing HCI_LE_ADV
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 47924f20565d4..f5bbcbbcfbd7b 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -2651,9 +2651,8 @@ static int hci_resume_advertising_sync(struct hci_dev *hdev)
+               /* If current advertising instance is set to instance 0x00
+                * then we need to re-enable it.
+                */
+-              if (!hdev->cur_adv_instance)
+-                      err = hci_enable_ext_advertising_sync(hdev,
+-                                                            hdev->cur_adv_instance);
++              if (hci_dev_test_and_clear_flag(hdev, HCI_LE_ADV_0))
++                      err = hci_enable_ext_advertising_sync(hdev, 0x00);
+       } else {
+               /* Schedule for most recent instance to be restarted and begin
+                * the software rotation loop
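Review bot: `hci_dev_test_and_clear_flag(hdev, HCI_LE_ADV_0)` consumes the flag before `hci_enable_ext_advertising_sync(hdev, 0x00)` has succeeded, and the comment above it still describes the old `cur_adv_instance` test. In the hunks shown, the flag is only set again by the command-complete handler in hci_event.c, so if the enable fails the record that instance 0x00 was active appears to be lost; that is inferred from this patch, not confirmed. I would at least update the comment, e.g. `/* Instance 0x00 was enabled before the pause: the flag is cleared here and set again when the enable completes. */`. The body of hci_resume_advertising_sync starts and ends outside the hunk.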
+-- 
+2.51.0
+
diff --git a/queue-6.6/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch b/queue-6.6/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch
new file mode 100644 (file)
index 0000000..68bd575
--- /dev/null
@@ -0,0 +1,88 @@
+From 77e37c0bcc0672e86c54f00408f1f31122ced15d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 16:03:19 -0400
+Subject: Bluetooth: hci_core: Fix tracking of periodic advertisement
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 751463ceefc3397566d03c8b64ef4a77f5fd88ac ]
+
+Periodic advertising enabled flag cannot be tracked by the enabled
+flag since advertising and periodic advertising each can be
+enabled/disabled separately from one another causing the states to be
+inconsistent when for example an advertising set is disabled its
+enabled flag is set to false which is then used for periodic which has
+not being disabled.
+
+Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 1 +
+ net/bluetooth/hci_event.c        | 7 +++++--
+ net/bluetooth/hci_sync.c         | 4 ++--
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 62135b7782f5b..7672d8d6005d1 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -240,6 +240,7 @@ struct adv_info {
+       bool    enabled;
+       bool    pending;
+       bool    periodic;
++      bool    periodic_enabled;
+       __u8    mesh;
+       __u8    instance;
+       __u32   flags;
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 064fde4fb70ff..4e70b85647035 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -1596,7 +1596,7 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
+               hci_dev_set_flag(hdev, HCI_LE_ADV);
+-              if (adv && !adv->periodic)
++              if (adv)
+                       adv->enabled = true;
+               else if (!set->handle)
+                       hci_dev_set_flag(hdev, HCI_LE_ADV_0);
+@@ -3953,8 +3953,11 @@ static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
+               hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
+               if (adv)
+-                      adv->enabled = true;
++                      adv->periodic_enabled = true;
+       } else {
++              if (adv)
++                      adv->periodic_enabled = false;
++
+               /* If just one instance was disabled check if there are
+                * any other instance enabled before clearing HCI_LE_PER_ADV.
+                * The current periodic adv instance will be marked as
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index f5bbcbbcfbd7b..f0eb52d5c0581 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -1631,7 +1631,7 @@ int hci_disable_per_advertising_sync(struct hci_dev *hdev, u8 instance)
+       /* If periodic advertising already disabled there is nothing to do. */
+       adv = hci_find_adv_instance(hdev, instance);
+-      if (!adv || !adv->periodic || !adv->enabled)
++      if (!adv || !adv->periodic_enabled)
+               return 0;
+       memset(&cp, 0, sizeof(cp));
+@@ -1700,7 +1700,7 @@ static int hci_enable_per_advertising_sync(struct hci_dev *hdev, u8 instance)
+       /* If periodic advertising already enabled there is nothing to do. */
+       adv = hci_find_adv_instance(hdev, instance);
+-      if (adv && adv->periodic && adv->enabled)
++      if (adv && adv->periodic_enabled)
+               return 0;
+       memset(&cp, 0, sizeof(cp));
+-- 
+2.51.0
+
diff --git a/queue-6.6/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch b/queue-6.6/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch
new file mode 100644 (file)
index 0000000..4427aa4
--- /dev/null
@@ -0,0 +1,55 @@
+From 1ecf65003252282dd8c7a974b90172090feb1971 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Sep 2025 05:30:17 +0000
+Subject: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
+
+From: Cen Zhang <zzzccc427@163.com>
+
+[ Upstream commit 09b0cd1297b4dbfe736aeaa0ceeab2265f47f772 ]
+
+hci_cmd_sync_dequeue_once() does lookup and then cancel
+the entry under two separate lock sections. Meanwhile,
+hci_cmd_sync_work() can also delete the same entry,
+leading to double list_del() and "UAF".
+
+Fix this by holding cmd_sync_work_lock across both
+lookup and cancel, so that the entry cannot be removed
+concurrently.
+
+Fixes: 505ea2b29592 ("Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue")
+Reported-by: Cen Zhang <zzzccc427@163.com>
+Signed-off-by: Cen Zhang <zzzccc427@163.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index a128e5709fa15..47924f20565d4 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -881,11 +881,17 @@ bool hci_cmd_sync_dequeue_once(struct hci_dev *hdev,
+ {
+       struct hci_cmd_sync_work_entry *entry;
+-      entry = hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
+-      if (!entry)
++      mutex_lock(&hdev->cmd_sync_work_lock);
++
++      entry = _hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
++      if (!entry) {
++              mutex_unlock(&hdev->cmd_sync_work_lock);
+               return false;
++      }
+-      hci_cmd_sync_cancel_entry(hdev, entry);
++      _hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
++
++      mutex_unlock(&hdev->cmd_sync_work_lock);
+       return true;
+ }
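Review bot: `_hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED)` now runs with `hdev->cmd_sync_work_lock` held, and nothing in the function says what that implies for the entry's `destroy` callback. If the cancel helper invokes `destroy` (its body is not visible here), that callback must not queue or dequeue cmd_sync work, or it would try to take the same mutex again. A comment above the call would record the constraint: `/* Lookup and cancel share one critical section; destroy, if called, runs under cmd_sync_work_lock. */`. The two `mutex_unlock()` exits are correct as written, though a single exit through a `bool` result would make the lock pairing easier to audit.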
+-- 
+2.51.0
+
diff --git a/queue-6.6/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch b/queue-6.6/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch
new file mode 100644 (file)
index 0000000..4490afc
--- /dev/null
@@ -0,0 +1,42 @@
+From 74853574c7966dd1434bbdaeaa531d82a7f201a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Oct 2025 13:29:15 -0400
+Subject: Bluetooth: ISO: Fix another instance of dst_type handling
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit c403da5e98b04a2aec9cfb25cbeeb28d7ce29975 ]
+
+Socket dst_type cannot be directly assigned to hci_conn->type since
+there domain is different which may lead to the wrong address type being
+used.
+
+Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/iso.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index 69529a3049e74..1469e9b69e631 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -1782,7 +1782,13 @@ static void iso_conn_ready(struct iso_conn *conn)
+               }
+               bacpy(&iso_pi(sk)->dst, &hcon->dst);
+-              iso_pi(sk)->dst_type = hcon->dst_type;
++
++              /* Convert from HCI to three-value type */
++              if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
++                      iso_pi(sk)->dst_type = BDADDR_LE_PUBLIC;
++              else
++                      iso_pi(sk)->dst_type = BDADDR_LE_RANDOM;
++
+               iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle;
+               memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len);
+               iso_pi(sk)->base_len = iso_pi(parent)->base_len;
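Review bot: The `else` branch maps every `hcon->dst_type` other than `ADDR_LE_DEV_PUBLIC` to `BDADDR_LE_RANDOM`, so an unexpected HCI address type is reported to the socket as a random address with no trace. The commit title calls this another instance of the same conversion, so a small static helper shared by the call sites would keep them from drifting apart; the other sites are outside this hunk. If the open-coded form stays, the comment could state the assumption: `/* Convert HCI address type to BDADDR_LE_*; anything but public is treated as random */`. The body of iso_conn_ready starts and ends outside the hunk.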
+-- 
+2.51.0
+
diff --git a/queue-6.6/bpf-do-not-audit-capability-check-in-do_jit.patch b/queue-6.6/bpf-do-not-audit-capability-check-in-do_jit.patch
new file mode 100644 (file)
index 0000000..d315508
--- /dev/null
@@ -0,0 +1,50 @@
+From d101d60686c68828eaf108e4ee46c2a99f9ece15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 14:27:58 +0200
+Subject: bpf: Do not audit capability check in do_jit()
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+[ Upstream commit 881a9c9cb7856b24e390fad9f59acfd73b98b3b2 ]
+
+The failure of this check only results in a security mitigation being
+applied, slightly affecting performance of the compiled BPF program. It
+doesn't result in a failed syscall, an thus auditing a failed LSM
+permission check for it is unwanted. For example with SELinux, it causes
+a denial to be reported for confined processes running as root, which
+tends to be flagged as a problem to be fixed in the policy. Yet
+dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
+desirable, as it would allow/silence also other checks - either going
+against the principle of least privilege or making debugging potentially
+harder.
+
+Fix it by changing it from capable() to ns_capable_noaudit(), which
+instructs the LSMs to not audit the resulting denials.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326
+Fixes: d4e89d212d40 ("x86/bpf: Call branch history clearing sequence on exit")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-by: Paul Moore <paul@paul-moore.com>
+Link: https://lore.kernel.org/r/20251021122758.2659513-1-omosnace@redhat.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index 07592eef253c2..0be138fbd0a05 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -1995,7 +1995,7 @@ st:                      if (is_imm8(insn->off))
+                       ctx->cleanup_addr = proglen;
+                       if (bpf_prog_was_classic(bpf_prog) &&
+-                          !capable(CAP_SYS_ADMIN)) {
++                          !ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) {
+                               u8 *ip = image + addrs[i - 1];
+                               if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog))
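Review bot: The switch to `ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)` has no comment at the call site, and the reason for it is a security decision that a later cleanup could undo by going back to `capable()`. In the lines shown, the check only decides whether `emit_spectre_bhb_barrier()` is emitted for a classic BPF program, and per the commit message a denial does not fail the syscall. I would add above the condition: `/* noaudit: a denial only adds the BHB barrier, so it should not produce an LSM audit record */`. The enclosing function starts and ends outside the hunk.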
+-- 
+2.51.0
+
diff --git a/queue-6.6/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch b/queue-6.6/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
new file mode 100644 (file)
index 0000000..6e8a9b6
--- /dev/null
@@ -0,0 +1,46 @@
+From 851cf49068fae368ce8a2000c028aaa7b25f5309 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 23:33:01 +0530
+Subject: bpf: Sync pending IRQ work before freeing ring buffer
+
+From: Noorain Eqbal <nooraineqbal@gmail.com>
+
+[ Upstream commit 4e9077638301816a7d73fa1e1b4c1db4a7e3b59c ]
+
+Fix a race where irq_work can be queued in bpf_ringbuf_commit()
+but the ring buffer is freed before the work executes.
+In the syzbot reproducer, a BPF program attached to sched_switch
+triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer
+is freed before this work executes, the irq_work thread may accesses
+freed memory.
+Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work
+complete before freeing the buffer.
+
+Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
+Reported-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2617fc732430968b45d2
+Tested-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Signed-off-by: Noorain Eqbal <nooraineqbal@gmail.com>
+Link: https://lore.kernel.org/r/20251020180301.103366-1-nooraineqbal@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/ringbuf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c
+index 6aff5ee483b60..c0c5e9b313e43 100644
+--- a/kernel/bpf/ringbuf.c
++++ b/kernel/bpf/ringbuf.c
+@@ -215,6 +215,8 @@ static struct bpf_map *ringbuf_map_alloc(union bpf_attr *attr)
+ static void bpf_ringbuf_free(struct bpf_ringbuf *rb)
+ {
++      irq_work_sync(&rb->work);
++
+       /* copy pages pointer and nr_pages to local variable, as we are going
+        * to unmap rb itself with vunmap() below
+        */
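Review bot: `irq_work_sync(&rb->work)` at the top of bpf_ringbuf_free() carries no comment, although its position ahead of the unmap is what makes the free safe. It waits for work that is already queued; the hunk does not show what prevents bpf_ringbuf_commit() from queueing new work on `rb` after the sync returns, so that ordering is worth confirming against the callers. Suggested comment: `/* Wait for irq_work queued by bpf_ringbuf_commit(); it must not run after rb is unmapped below. */`. The function body continues outside the hunk.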
+-- 
+2.51.0
+
diff --git a/queue-6.6/crypto-aspeed-acry-convert-to-platform-remove-callba.patch b/queue-6.6/crypto-aspeed-acry-convert-to-platform-remove-callba.patch
new file mode 100644 (file)
index 0000000..659b21a
--- /dev/null
@@ -0,0 +1,68 @@
+From 9c25132cec500026feb326a3d0b498a8ee79a825 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 09:55:28 +0200
+Subject: crypto: aspeed-acry - Convert to platform remove callback returning
+ void
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 8819da7e685008de2c1926c067a388b1ecaeb8aa ]
+
+The .remove() callback for a platform driver returns an int which makes
+many driver authors wrongly assume it's possible to do error handling by
+returning an error code. However the value returned is ignored (apart
+from emitting a warning) and this typically results in resource leaks.
+
+To improve here there is a quest to make the remove callback return
+void. In the first step of this quest all drivers are converted to
+.remove_new(), which already returns void. Eventually after all drivers
+are converted, .remove_new() will be renamed to .remove().
+
+Trivially convert this driver from always returning zero in the remove
+callback to the void returning variant.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Stable-dep-of: 3c9bf72cc1ce ("crypto: aspeed - fix double free caused by devm")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/aspeed/aspeed-acry.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/crypto/aspeed/aspeed-acry.c b/drivers/crypto/aspeed/aspeed-acry.c
+index 247c568aa8dfe..b4613bd4ad964 100644
+--- a/drivers/crypto/aspeed/aspeed-acry.c
++++ b/drivers/crypto/aspeed/aspeed-acry.c
+@@ -794,7 +794,7 @@ static int aspeed_acry_probe(struct platform_device *pdev)
+       return rc;
+ }
+-static int aspeed_acry_remove(struct platform_device *pdev)
++static void aspeed_acry_remove(struct platform_device *pdev)
+ {
+       struct aspeed_acry_dev *acry_dev = platform_get_drvdata(pdev);
+@@ -802,15 +802,13 @@ static int aspeed_acry_remove(struct platform_device *pdev)
+       crypto_engine_exit(acry_dev->crypt_engine_rsa);
+       tasklet_kill(&acry_dev->done_task);
+       clk_disable_unprepare(acry_dev->clk);
+-
+-      return 0;
+ }
+ MODULE_DEVICE_TABLE(of, aspeed_acry_of_matches);
+ static struct platform_driver aspeed_acry_driver = {
+       .probe          = aspeed_acry_probe,
+-      .remove         = aspeed_acry_remove,
++      .remove_new     = aspeed_acry_remove,
+       .driver         = {
+               .name   = KBUILD_MODNAME,
+               .of_match_table = aspeed_acry_of_matches,
+-- 
+2.51.0
+
diff --git a/queue-6.6/crypto-aspeed-fix-double-free-caused-by-devm.patch b/queue-6.6/crypto-aspeed-fix-double-free-caused-by-devm.patch
new file mode 100644 (file)
index 0000000..44f4714
--- /dev/null
@@ -0,0 +1,48 @@
+From d2c868e8d3a675ff826434e7c5c1b1595a47c37c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 18:11:09 +0800
+Subject: crypto: aspeed - fix double free caused by devm
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+[ Upstream commit 3c9bf72cc1ced1297b235f9422d62b613a3fdae9 ]
+
+The clock obtained via devm_clk_get_enabled() is automatically managed
+by devres and will be disabled and freed on driver detach. Manually
+calling clk_disable_unprepare() in error path and remove function
+causes double free.
+
+Remove the manual clock cleanup in both aspeed_acry_probe()'s error
+path and aspeed_acry_remove().
+
+Fixes: 2f1cf4e50c95 ("crypto: aspeed - Add ACRY RSA driver")
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/aspeed/aspeed-acry.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/crypto/aspeed/aspeed-acry.c b/drivers/crypto/aspeed/aspeed-acry.c
+index b4613bd4ad964..8ca0913d94abf 100644
+--- a/drivers/crypto/aspeed/aspeed-acry.c
++++ b/drivers/crypto/aspeed/aspeed-acry.c
+@@ -789,7 +789,6 @@ static int aspeed_acry_probe(struct platform_device *pdev)
+ err_engine_rsa_start:
+       crypto_engine_exit(acry_dev->crypt_engine_rsa);
+ clk_exit:
+-      clk_disable_unprepare(acry_dev->clk);
+       return rc;
+ }
+@@ -801,7 +800,6 @@ static void aspeed_acry_remove(struct platform_device *pdev)
+       aspeed_acry_unregister(acry_dev);
+       crypto_engine_exit(acry_dev->crypt_engine_rsa);
+       tasklet_kill(&acry_dev->done_task);
+-      clk_disable_unprepare(acry_dev->clk);
+ }
+ MODULE_DEVICE_TABLE(of, aspeed_acry_of_matches);
+-- 
+2.51.0
+
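Review bot: After this change the `clk_exit:` label in aspeed_acry_probe() guards nothing but `return rc;`, yet its name still suggests clock cleanup. A comment at the label, `/* clock is devres-managed (devm_clk_get_enabled()); nothing to undo here */`, or a rename, would keep someone from re-adding the manual disable later. The same one-line comment is worth placing in aspeed_acry_remove() where the call was dropped. The jumps to the label are outside the hunk.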
diff --git a/queue-6.6/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch b/queue-6.6/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
new file mode 100644 (file)
index 0000000..c6c515e
--- /dev/null
@@ -0,0 +1,41 @@
+From c9c5920efb553e65709a13aacdd0270c03f83b46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 14:12:21 +0800
+Subject: drm/amd/pm: fix smu table id bound check issue in
+ smu_cmn_update_table()
+
+From: Yang Wang <kevinyang.wang@amd.com>
+
+[ Upstream commit 238d468d3ed18a324bb9d8c99f18c665dbac0511 ]
+
+'table_index' is a variable defined by the smu driver (kmd)
+'table_id' is a variable defined by the hw smu (pmfw)
+
+This code should use table_index as a bounds check.
+
+Fixes: caad2613dc4bd ("drm/amd/powerplay: move table setting common code to smu_cmn.c")
+Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit fca0c66b22303de0d1d6313059baf4dc960a4753)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+index c1962f1974c6f..2c9612b5f1568 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+@@ -870,7 +870,7 @@ int smu_cmn_update_table(struct smu_context *smu,
+                                                     table_index);
+       uint32_t table_size;
+       int ret = 0;
+-      if (!table_data || table_id >= SMU_TABLE_COUNT || table_id < 0)
++      if (!table_data || table_index >= SMU_TABLE_COUNT || table_id < 0)
+               return -EINVAL;
+       table_size = smu_table->tables[table_index].size;
+-- 
+2.51.0
+
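Review bot: The rewritten guard in smu_cmn_update_table() bounds `table_index` only from above, while the next visible line indexes `smu_table->tables[table_index]`. If `table_index` has a signed type (its declaration is outside the hunk), a negative value would still pass the check; in that case the lower bound belongs in the same condition, `if (!table_data || table_index < 0 || table_index >= SMU_TABLE_COUNT || table_id < 0)`. The call whose tail `table_index);` is visible above also runs before the guard, so it is worth confirming that the helper validates its argument itself. The function starts and ends outside the hunk.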
diff --git a/queue-6.6/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch b/queue-6.6/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
new file mode 100644 (file)
index 0000000..4335294
--- /dev/null
@@ -0,0 +1,39 @@
+From 40a0153d7c989785f2107680be47aea954855d05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:08:13 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji
+
+From: John Smith <itistotalbotnet@gmail.com>
+
+[ Upstream commit 07a13f913c291d6ec72ee4fc848d13ecfdc0e705 ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18edef19ea44 ("drm/amd/powerplay: implement fw image related smu interface for Fiji.")
+Signed-off-by: John Smith <itistotalbotnet@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit c52238c9fb414555c68340cd80e487d982c1921c)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+index 5e43ad2b29564..e7e497b166b3e 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+@@ -2024,7 +2024,7 @@ static int fiji_init_smc_table(struct pp_hwmgr *hwmgr)
+       table->VoltageResponseTime = 0;
+       table->PhaseResponseTime = 0;
+       table->MemoryThermThrottleEnable = 1;
+-      table->PCIeBootLinkLevel = 0;      /* 0:Gen1 1:Gen2 2:Gen3*/
++      table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+       table->PCIeGenInterval = 1;
+       table->VRConfig = 0;
+-- 
+2.51.0
+
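Review bot: The new assignment in fiji_init_smc_table() drops the `/* 0:Gen1 1:Gen2 2:Gen3*/` comment and stores the speed table's entry count rather than an index, with nothing on the line saying why. A short comment would help, for example `/* boot at the highest level: entry count of pcie_speed_table, as in the other smumgr implementations */`; the wording follows the commit message, since the encoding the firmware expects is not visible here. The `(uint8_t)` cast also truncates silently if `count` could ever exceed 255, and the limits on that field are outside the hunk. The same applies to the identical line added to iceland_init_smc_table() in the Iceland patch that follows.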
diff --git a/queue-6.6/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-21603 b/queue-6.6/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-21603
new file mode 100644 (file)
index 0000000..6941ee8
--- /dev/null
@@ -0,0 +1,39 @@
+From 18a15f4864e3cfe9007cae42488da177278db596 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:09:09 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland
+
+From: John Smith <itistotalbotnet@gmail.com>
+
+[ Upstream commit 501672e3c1576aa9a8364144213c77b98a31a42c ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18aafc59b106 ("drm/amd/powerplay: implement fw related smu interface for iceland.")
+Signed-off-by: John Smith <itistotalbotnet@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 92b0a6ae6672857ddeabf892223943d2f0e06c97)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+index 97d9802fe6731..43458f1b0077d 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+@@ -2028,7 +2028,7 @@ static int iceland_init_smc_table(struct pp_hwmgr *hwmgr)
+       table->VoltageResponseTime  = 0;
+       table->PhaseResponseTime  = 0;
+       table->MemoryThermThrottleEnable  = 1;
+-      table->PCIeBootLinkLevel = 0;
++      table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+       table->PCIeGenInterval = 1;
+       result = iceland_populate_smc_svi2_config(hwmgr, table);
+-- 
+2.51.0
+
diff --git a/queue-6.6/drm-etnaviv-fix-flush-sequence-logic.patch b/queue-6.6/drm-etnaviv-fix-flush-sequence-logic.patch
new file mode 100644 (file)
index 0000000..76922c9
--- /dev/null
@@ -0,0 +1,46 @@
+From 818c76fbc16efb9c936657f9de819b8d78f87eaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 11:37:23 +0200
+Subject: drm/etnaviv: fix flush sequence logic
+
+From: Tomeu Vizoso <tomeu@tomeuvizoso.net>
+
+[ Upstream commit a042beac6e6f8ac1e923784cfff98b47cbabb185 ]
+
+The current logic uses the flush sequence from the current address
+space. This is harmless when deducing the flush requirements for the
+current submit, as either the incoming address space is the same one
+as the currently active one or we switch context, in which case the
+flush is unconditional.
+
+However, this sequence is also stored as the current flush sequence
+of the GPU. If we switch context the stored flush sequence will no
+longer belong to the currently active address space. This incoherency
+can then cause missed flushes, resulting in translation errors.
+
+Fixes: 27b67278e007 ("drm/etnaviv: rework MMU handling")
+Signed-off-by: Tomeu Vizoso <tomeu@tomeuvizoso.net>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Christian Gmeiner <cgmeiner@igalia.com>
+Link: https://lore.kernel.org/r/20251021093723.3887980-1-l.stach@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+index b13a17276d07c..88385dc3b30d8 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+@@ -347,7 +347,7 @@ void etnaviv_buffer_queue(struct etnaviv_gpu *gpu, u32 exec_state,
+       u32 link_target, link_dwords;
+       bool switch_context = gpu->exec_state != exec_state;
+       bool switch_mmu_context = gpu->mmu_context != mmu_context;
+-      unsigned int new_flush_seq = READ_ONCE(gpu->mmu_context->flush_seq);
++      unsigned int new_flush_seq = READ_ONCE(mmu_context->flush_seq);
+       bool need_flush = switch_mmu_context || gpu->flush_seq != new_flush_seq;
+       bool has_blt = !!(gpu->identity.minor_features5 &
+                         chipMinorFeatures5_BLT_ENGINE);
+-- 
+2.51.0
+
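Review bot: The corrected `new_flush_seq` initialiser in etnaviv_buffer_queue() carries no comment recording why the incoming context is read instead of `gpu->mmu_context`, which is the detail the fix turns on. I would add `/* read the incoming context's sequence: this value is later stored as the GPU's flush_seq */` above the line. The store itself is outside the hunk, so the wording should be checked against it. The initialiser also dereferences the `mmu_context` argument unconditionally, so callers must never pass NULL, which is presumably already true but is not visible here.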
diff --git a/queue-6.6/drm-msm-a6xx-fix-gmu-firmware-parser.patch b/queue-6.6/drm-msm-a6xx-fix-gmu-firmware-parser.patch
new file mode 100644 (file)
index 0000000..bb30a63
--- /dev/null
@@ -0,0 +1,51 @@
+From b71a30efaa87d4503fae2315a944490f148ad5e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Sep 2025 02:14:05 +0530
+Subject: drm/msm/a6xx: Fix GMU firmware parser
+
+From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+
+[ Upstream commit b4789aac9d3441d9f830f0a4022d8dc122d6cab3 ]
+
+Current parser logic for GMU firmware assumes a dword aligned payload
+size for every block. This is not true for all GMU firmwares. So, fix
+this by using correct 'size' value in the calculation for the offset
+for the next block's header.
+
+Fixes: c6ed04f856a4 ("drm/msm/a6xx: A640/A650 GMU firmware path")
+Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+Acked-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/674040/
+Message-ID: <20250911-assorted-sept-1-v2-2-a8bf1ee20792@oss.qualcomm.com>
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+index c50aafa0ecdb6..e816ddcac2f8d 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+@@ -693,6 +693,9 @@ static bool fw_block_mem(struct a6xx_gmu_bo *bo, const struct block_header *blk)
+       return true;
+ }
++#define NEXT_BLK(blk) \
++      ((const struct block_header *)((const char *)(blk) + sizeof(*(blk)) + (blk)->size))
++
+ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+ {
+       struct a6xx_gpu *a6xx_gpu = container_of(gmu, struct a6xx_gpu, gmu);
+@@ -723,7 +726,7 @@ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+       for (blk = (const struct block_header *) fw_image->data;
+            (const u8*) blk < fw_image->data + fw_image->size;
+-           blk = (const struct block_header *) &blk->data[blk->size >> 2]) {
++           blk = NEXT_BLK(blk)) {
+               if (blk->size == 0)
+                       continue;
+-- 
+2.51.0
+
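Review bot: The `for` condition in a6xx_gmu_fw_load() only checks that `blk` starts inside the image, so a truncated or malformed firmware file can make the loop read a header that straddles the end of the buffer. `NEXT_BLK()` then advances by a `blk->size` that was never compared with the bytes remaining. I would bound both before the block is used, e.g. `size_t left = fw_image->data + fw_image->size - (const u8 *)blk;` followed by `if (left < sizeof(*blk) || blk->size > left - sizeof(*blk)) return -EINVAL;`. Because the step is now byte-granular, `blk` can also land on an address that is not dword-aligned; whether that matters depends on the block_header layout and the copy helpers, which are outside the hunk. The loop body continues outside the hunk.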
diff --git a/queue-6.6/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch b/queue-6.6/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
new file mode 100644 (file)
index 0000000..7c675df
--- /dev/null
@@ -0,0 +1,44 @@
+From 648f39c3cf7720cfaf4daba915697f51d8ec78dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 13:36:43 -0700
+Subject: libbpf: Fix powerpc's stack register definition in bpf_tracing.h
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 7221b9caf84b3294688228a19273d74ea19a2ee4 ]
+
+retsnoop's build on powerpc (ppc64le) architecture ([0]) failed due to
+wrong definition of PT_REGS_SP() macro. Looking at powerpc's
+implementation of stack unwinding in perf_callchain_user_64() clearly
+shows that stack pointer register is gpr[1].
+
+Fix libbpf's definition of __PT_SP_REG for powerpc to fix all this.
+
+  [0] https://kojipkgs.fedoraproject.org/work/tasks/1544/137921544/build.log
+
+Fixes: 138d6153a139 ("samples/bpf: Enable powerpc support")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Naveen N Rao (AMD) <naveen@kernel.org>
+Link: https://lore.kernel.org/r/20251020203643.989467-1-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf_tracing.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/bpf_tracing.h b/tools/lib/bpf/bpf_tracing.h
+index 1c13f8e88833b..66b925bd954eb 100644
+--- a/tools/lib/bpf/bpf_tracing.h
++++ b/tools/lib/bpf/bpf_tracing.h
+@@ -311,7 +311,7 @@ struct pt_regs___arm64 {
+ #define __PT_RET_REG regs[31]
+ #define __PT_FP_REG __unsupported__
+ #define __PT_RC_REG gpr[3]
+-#define __PT_SP_REG sp
++#define __PT_SP_REG gpr[1]
+ #define __PT_IP_REG nip
+ #elif defined(bpf_target_sparc)
+-- 
+2.51.0
+
diff --git a/queue-6.6/net-hns3-return-error-code-when-function-fails.patch b/queue-6.6/net-hns3-return-error-code-when-function-fails.patch
new file mode 100644 (file)
index 0000000..d5af036
--- /dev/null
@@ -0,0 +1,87 @@
+From 4283a0b1ec7862308a67cf05ec189f1ed07e9334 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 21:13:37 +0800
+Subject: net: hns3: return error code when function fails
+
+From: Jijie Shao <shaojijie@huawei.com>
+
+[ Upstream commit 03ca7c8c42be913529eb9f188278114430c6abbd ]
+
+Currently, in hclge_mii_ioctl(), the operation to
+read the PHY register (SIOCGMIIREG) always returns 0.
+
+This patch changes the return type of hclge_read_phy_reg(),
+returning an error code when the function fails.
+
+Fixes: 024712f51e57 ("net: hns3: add ioctl support for imp-controlled PHYs")
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Link: https://patch.msgid.link/20251023131338.2642520-2-shaojijie@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +--
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 9 ++++++---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h | 2 +-
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index 789f72d1067f8..2fa64099e8be2 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -9346,8 +9346,7 @@ static int hclge_mii_ioctl(struct hclge_dev *hdev, struct ifreq *ifr, int cmd)
+               /* this command reads phy id and register at the same time */
+               fallthrough;
+       case SIOCGMIIREG:
+-              data->val_out = hclge_read_phy_reg(hdev, data->reg_num);
+-              return 0;
++              return hclge_read_phy_reg(hdev, data->reg_num, &data->val_out);
+       case SIOCSMIIREG:
+               return hclge_write_phy_reg(hdev, data->reg_num, data->val_in);
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+index 80079657afebe..b8dbf932caf94 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+@@ -274,7 +274,7 @@ void hclge_mac_stop_phy(struct hclge_dev *hdev)
+       phy_stop(phydev);
+ }
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val)
+ {
+       struct hclge_phy_reg_cmd *req;
+       struct hclge_desc desc;
+@@ -286,11 +286,14 @@ u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
+       req->reg_addr = cpu_to_le16(reg_addr);
+       ret = hclge_cmd_send(&hdev->hw, &desc, 1);
+-      if (ret)
++      if (ret) {
+               dev_err(&hdev->pdev->dev,
+                       "failed to read phy reg, ret = %d.\n", ret);
++              return ret;
++      }
+-      return le16_to_cpu(req->reg_val);
++      *val = le16_to_cpu(req->reg_val);
++      return 0;
+ }
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val)
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+index 4200d0b6d9317..21d434c82475b 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+@@ -13,7 +13,7 @@ int hclge_mac_connect_phy(struct hnae3_handle *handle);
+ void hclge_mac_disconnect_phy(struct hnae3_handle *handle);
+ void hclge_mac_start_phy(struct hclge_dev *hdev);
+ void hclge_mac_stop_phy(struct hclge_dev *hdev);
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr);
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val);
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val);
+ #endif
+-- 
+2.51.0
+
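Review bot: hclge_read_phy_reg() now leaves `*val` unwritten when hclge_cmd_send() fails, and neither the definition in hclge_mdio.c nor the prototype in hclge_mdio.h says so. A one-line comment on the definition, `/* Returns 0 and stores the register value in *val; on failure returns the hclge_cmd_send() error and leaves *val untouched */`, would keep future callers from reading the output after a failed call. In hclge_mii_ioctl() the error is now returned directly, so `data->val_out` keeps whatever it held before the call on that path. That is fine as long as the caller discards the structure on error, which is outside the hunk.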
diff --git a/queue-6.6/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch b/queue-6.6/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
new file mode 100644 (file)
index 0000000..4d318da
--- /dev/null
@@ -0,0 +1,42 @@
+From ead7f030e7f0486ff7628b7ff753c3b5be54d1b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 15:15:38 +0900
+Subject: scsi: ufs: core: Initialize value of an attribute returned by uic cmd
+
+From: Wonkon Kim <wkon.kim@samsung.com>
+
+[ Upstream commit 6fe4c679dde3075cb481beb3945269bb2ef8b19a ]
+
+If ufshcd_send_cmd() fails, *mib_val may have a garbage value. It can
+get an unintended value of an attribute.
+
+Make ufshcd_dme_get_attr() always initialize *mib_val.
+
+Fixes: 12b4fdb4f6bc ("[SCSI] ufs: add dme configuration primitives")
+Signed-off-by: Wonkon Kim <wkon.kim@samsung.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20251020061539.28661-2-wkon.kim@samsung.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufshcd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index 7dcdaac31546b..2080b251580c8 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -4176,8 +4176,8 @@ int ufshcd_dme_get_attr(struct ufs_hba *hba, u32 attr_sel,
+                       get, UIC_GET_ATTR_ID(attr_sel),
+                       UFS_UIC_COMMAND_RETRIES - retries);
+-      if (mib_val && !ret)
+-              *mib_val = uic_cmd.argument3;
++      if (mib_val)
++              *mib_val = ret == 0 ? uic_cmd.argument3 : 0;
+       if (peer && (hba->quirks & UFSHCD_QUIRK_DME_PEER_ACCESS_AUTO_MODE)
+           && pwr_mode_change)
+-- 
+2.51.0
+
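Review bot: With this change ufshcd_dme_get_attr() writes 0 to `*mib_val` on failure, and 0 may also be a legitimate attribute value, so the output alone tells a caller nothing about success. A comment at the assignment would make the contract explicit: `/* always define *mib_val; 0 on failure is not an error indicator, callers must check ret */`. Callers that ignore the return value are outside the hunk and worth auditing, since they now act on a deterministic 0 instead of uninitialised data. The function starts and ends outside the hunk.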
index b609e43b53bf4abf5e09b4bb040dae0d309038f1..b8ee5bc51459df190f89b3f37d1d59de673654e1 100644 (file)
@@ -14,3 +14,28 @@ mptcp-restore-window-probe.patch
 asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch
 smb-client-fix-potential-cfid-uaf-in-smb2_query_info_compound.patch
 x86-fpu-ensure-xfd-state-on-signal-delivery.patch
+wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
+wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch
+wifi-ath12k-free-skb-during-idr-cleanup-callback.patch
+drm-msm-a6xx-fix-gmu-firmware-parser.patch
+alsa-usb-audio-fix-control-pipe-direction.patch
+bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
+scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
+bpf-do-not-audit-capability-check-in-do_jit.patch
+crypto-aspeed-acry-convert-to-platform-remove-callba.patch
+crypto-aspeed-fix-double-free-caused-by-devm.patch
+asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
+asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
+libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
+usbnet-prevents-free-active-kevent.patch
+bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch
+bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
+bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch
+bluetooth-iso-fix-another-instance-of-dst_type-handl.patch
+bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch
+drm-etnaviv-fix-flush-sequence-logic.patch
+net-hns3-return-error-code-when-function-fails.patch
+sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch
+drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-21603
diff --git a/queue-6.6/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch b/queue-6.6/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch
new file mode 100644 (file)
index 0000000..ec8ce10
--- /dev/null
@@ -0,0 +1,51 @@
+From b4380e0b51a289e1f547bd3fcaeb856c0d0dd8aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 19:48:42 +0530
+Subject: sfc: fix potential memory leak in efx_mae_process_mport()
+
+From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
+
+[ Upstream commit 46a499aaf8c27476fd05e800f3e947bfd71aa724 ]
+
+In efx_mae_enumerate_mports(), memory allocated for mae_mport_desc is
+passed as a argument to efx_mae_process_mport(), but when the error path
+in efx_mae_process_mport() gets executed, the memory allocated for desc
+gets leaked.
+
+Fix that by freeing the memory allocation before returning error.
+
+Fixes: a6a15aca4207 ("sfc: enumerate mports in ef100")
+Acked-by: Edward Cree <ecree.xilinx@gmail.com>
+Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
+Link: https://patch.msgid.link/20251023141844.25847-1-nihaal@cse.iitm.ac.in
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/mae.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/sfc/mae.c b/drivers/net/ethernet/sfc/mae.c
+index c3e2b4a21d105..3b08e36e1ef87 100644
+--- a/drivers/net/ethernet/sfc/mae.c
++++ b/drivers/net/ethernet/sfc/mae.c
+@@ -1101,6 +1101,9 @@ void efx_mae_remove_mport(void *desc, void *arg)
+       kfree(mport);
+ }
++/*
++ * Takes ownership of @desc, even if it returns an error
++ */
+ static int efx_mae_process_mport(struct efx_nic *efx,
+                                struct mae_mport_desc *desc)
+ {
+@@ -1111,6 +1114,7 @@ static int efx_mae_process_mport(struct efx_nic *efx,
+       if (!IS_ERR_OR_NULL(mport)) {
+               netif_err(efx, drv, efx->net_dev,
+                         "mport with id %u does exist!!!\n", desc->mport_id);
++              kfree(desc);
+               return -EEXIST;
+       }
+-- 
+2.51.0
+
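Review bot: The new comment above efx_mae_process_mport() promises that `desc` is consumed on every error return, but only the `-EEXIST` path is visible in this hunk. The remaining returns are outside the hunk and should be checked against that promise: a path that returns an error without freeing still leaks, and a caller that frees after an error would now double free. I would also state the caller's side in the comment, e.g. ` * The caller must not use or free @desc after this call, whatever the return value.`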
diff --git a/queue-6.6/usbnet-prevents-free-active-kevent.patch b/queue-6.6/usbnet-prevents-free-active-kevent.patch
new file mode 100644 (file)
index 0000000..dcfe442
--- /dev/null
@@ -0,0 +1,50 @@
+From 78dfd1e740296713ad4a9665fe96edcefe6705a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 10:40:07 +0800
+Subject: usbnet: Prevents free active kevent
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+[ Upstream commit 420c84c330d1688b8c764479e5738bbdbf0a33de ]
+
+The root cause of this issue are:
+1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
+put the kevent work in global workqueue. However, the kevent has not yet
+been scheduled when the usbnet device is unregistered. Therefore, executing
+free_netdev() results in the "free active object (kevent)" error reported
+here.
+
+2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
+if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
+However, because the device is not up, ndo_stop() is not executed.
+
+The solution to this problem is to cancel the kevent before executing
+free_netdev().
+
+Fixes: a69e617e533e ("usbnet: Fix linkwatch use-after-free on disconnect")
+Reported-by: Sam Sun <samsun1006219@gmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=8bfd7bcc98f7300afb84
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Link: https://patch.msgid.link/20251022024007.1831898-1-lizhi.xu@windriver.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/usbnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index fd6b5865ac513..e6a1864f03f94 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1650,6 +1650,8 @@ void usbnet_disconnect (struct usb_interface *intf)
+       net = dev->net;
+       unregister_netdev (net);
++      cancel_work_sync(&dev->kevent);
++
+       while ((urb = usb_get_from_anchor(&dev->deferred))) {
+               dev_kfree_skb(urb->context);
+               kfree(urb->sg);
+-- 
+2.51.0
+
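Review bot: `cancel_work_sync(&dev->kevent)` in usbnet_disconnect() only guarantees that the work is neither queued nor running when it returns; it does not prevent a later requeue. If anything between this call and free_netdev() can still schedule the kevent, such as URB completions or timers that are stopped further down, the freed-while-active window reopens; that code is outside the hunk, so this is a point to confirm, not an established defect. Either verify that nothing can requeue after unregister_netdev(), or place the cancel directly before free_netdev(). A comment would record the reasoning, e.g. `/* kevent may have been queued at probe and never run; ndo_stop() is skipped if the device was never up */`.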
diff --git a/queue-6.6/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch b/queue-6.6/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
new file mode 100644 (file)
index 0000000..99c97cd
--- /dev/null
@@ -0,0 +1,41 @@
+From aaf403ce9eed5e0cf5ae71ed85a870bf703e1c43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Sep 2025 21:56:56 +0200
+Subject: wifi: ath10k: Fix memory leak on unsupported WMI command
+
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+
+[ Upstream commit 2e9c1da4ee9d0acfca2e0a3d78f3d8cb5802da1b ]
+
+ath10k_wmi_cmd_send takes ownership of the passed buffer (skb) and has the
+responsibility to release it in case of error. This patch fixes missing
+free in case of early error due to unhandled WMI command ID.
+
+Tested-on: WCN3990 hw1.0 WLAN.HL.3.3.7.c2-00931-QCAHLSWMTPLZ-1
+
+Fixes: 553215592f14 ("ath10k: warn if give WMI command is not supported")
+Suggested-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250926195656.187970-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index 340502c47a10d..a15b73d502c0d 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -1936,6 +1936,7 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id)
+       if (cmd_id == WMI_CMD_UNSUPPORTED) {
+               ath10k_warn(ar, "wmi command %d is not supported by firmware\n",
+                           cmd_id);
++              dev_kfree_skb_any(skb);
+               return ret;
+       }
+-- 
+2.51.0
+
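Review bot: The ownership rule this fix relies on, that ath10k_wmi_cmd_send() releases `skb` itself on error, is stated only in the commit message and not in the code. A comment above the function, `/* Consumes @skb on success and on failure; callers must not free it. */`, would keep callers from adding their own free and turning the leak fix into a double free; the other error paths are outside the hunk and should be checked against that wording. The early return also hands back `ret`, whose value is assigned outside the hunk, so the error code the caller sees on this path cannot be confirmed from here.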
diff --git a/queue-6.6/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch b/queue-6.6/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch
new file mode 100644 (file)
index 0000000..52a0d60
--- /dev/null
@@ -0,0 +1,126 @@
+From 57bfe34c60658e9b38799e369b85f045dbe3de06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Sep 2025 15:21:35 -0400
+Subject: wifi: ath11k: Add missing platform IDs for quirk table
+
+From: Mark Pearson <mpearson-lenovo@squebb.ca>
+
+[ Upstream commit 0eb002c93c3b47f88244cecb1e356eaeab61a6bf ]
+
+Lenovo platforms can come with one of two different IDs.
+The pm_quirk table was missing the second ID for each platform.
+
+Add missing ID and some extra platform identification comments.
+Reported on https://bugzilla.kernel.org/show_bug.cgi?id=219196
+
+Tested-on: P14s G4 AMD.
+
+Fixes: ce8669a27016 ("wifi: ath11k: determine PM policy based on machine model")
+Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219196
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250929192146.1789648-1-mpearson-lenovo@squebb.ca
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.c | 54 +++++++++++++++++++++++---
+ 1 file changed, 48 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
+index 3a340cb2b205f..355424baeedde 100644
+--- a/drivers/net/wireless/ath/ath11k/core.c
++++ b/drivers/net/wireless/ath/ath11k/core.c
+@@ -707,42 +707,84 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+ static const struct dmi_system_id ath11k_pm_quirk_table[] = {
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* X13 G4 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21J3"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* X13 G4 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21J4"),
+               },
+       },
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* T14 G4 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21K3"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* T14 G4 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21K4"),
+               },
+       },
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* P14s G4 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21K5"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* P14s G4 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21K6"),
+               },
+       },
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* T16 G2 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21K7"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* T16 G2 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21K8"),
+               },
+       },
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* P16s G2 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21K9"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* P16s G2 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21KA"),
+               },
+       },
+       {
+               .driver_data = (void *)ATH11K_PM_WOW,
+-              .matches = {
++              .matches = { /* T14s G4 AMD #1 */
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "21F8"),
++              },
++      },
++      {
++              .driver_data = (void *)ATH11K_PM_WOW,
++              .matches = { /* T14s G4 AMD #2 */
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "21F9"),
+               },
+-- 
+2.51.0
+
diff --git a/queue-6.6/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch b/queue-6.6/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch
new file mode 100644 (file)
index 0000000..632a046
--- /dev/null
@@ -0,0 +1,107 @@
+From bf1e1845604bc61b339c25d46c082a35b9bd58f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Sep 2025 15:03:16 -0700
+Subject: wifi: ath12k: free skb during idr cleanup callback
+
+From: Karthik M <quic_karm@quicinc.com>
+
+[ Upstream commit 92282074e1d2e7b6da5c05fe38a7cc974187fe14 ]
+
+ath12k just like ath11k [1] did not handle skb cleanup during idr
+cleanup callback. Both ath12k_mac_vif_txmgmt_idr_remove() and
+ath12k_mac_tx_mgmt_pending_free() performed idr cleanup and DMA
+unmapping for skb but only ath12k_mac_tx_mgmt_pending_free() freed
+skb. As a result, during vdev deletion a memory leak occurs.
+
+Refactor all clean up steps into a new function. New function
+ath12k_mac_tx_mgmt_free() creates a centralized area where idr
+cleanup, DMA unmapping for skb and freeing skb is performed. Utilize
+skb pointer given by idr_remove(), instead of passed as a function
+argument because IDR will be protected by locking. This will prevent
+concurrent modification of the same IDR.
+
+Now ath12k_mac_tx_mgmt_pending_free() and
+ath12k_mac_vif_txmgmt_idr_remove() call ath12k_mac_tx_mgmt_free().
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
+
+Link: https://lore.kernel.org/r/1637832614-13831-1-git-send-email-quic_srirrama@quicinc.com > # [1]
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Signed-off-by: Karthik M <quic_karm@quicinc.com>
+Signed-off-by: Muna Sinada <muna.sinada@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250923220316.1595758-1-muna.sinada@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/mac.c | 34 ++++++++++++++-------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
+index e1db6e69d2207..010413bfdb141 100644
+--- a/drivers/net/wireless/ath/ath12k/mac.c
++++ b/drivers/net/wireless/ath/ath12k/mac.c
+@@ -4743,23 +4743,32 @@ static void ath12k_mgmt_over_wmi_tx_drop(struct ath12k *ar, struct sk_buff *skb)
+               wake_up(&ar->txmgmt_empty_waitq);
+ }
+-int ath12k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx)
++static void ath12k_mac_tx_mgmt_free(struct ath12k *ar, int buf_id)
+ {
+-      struct sk_buff *msdu = skb;
++      struct sk_buff *msdu;
+       struct ieee80211_tx_info *info;
+-      struct ath12k *ar = ctx;
+-      struct ath12k_base *ab = ar->ab;
+       spin_lock_bh(&ar->txmgmt_idr_lock);
+-      idr_remove(&ar->txmgmt_idr, buf_id);
++      msdu = idr_remove(&ar->txmgmt_idr, buf_id);
+       spin_unlock_bh(&ar->txmgmt_idr_lock);
+-      dma_unmap_single(ab->dev, ATH12K_SKB_CB(msdu)->paddr, msdu->len,
++
++      if (!msdu)
++              return;
++
++      dma_unmap_single(ar->ab->dev, ATH12K_SKB_CB(msdu)->paddr, msdu->len,
+                        DMA_TO_DEVICE);
+       info = IEEE80211_SKB_CB(msdu);
+       memset(&info->status, 0, sizeof(info->status));
+-      ath12k_mgmt_over_wmi_tx_drop(ar, skb);
++      ath12k_mgmt_over_wmi_tx_drop(ar, msdu);
++}
++
++int ath12k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx)
++{
++      struct ath12k *ar = ctx;
++
++      ath12k_mac_tx_mgmt_free(ar, buf_id);
+       return 0;
+ }
+@@ -4768,17 +4777,10 @@ static int ath12k_mac_vif_txmgmt_idr_remove(int buf_id, void *skb, void *ctx)
+ {
+       struct ieee80211_vif *vif = ctx;
+       struct ath12k_skb_cb *skb_cb = ATH12K_SKB_CB(skb);
+-      struct sk_buff *msdu = skb;
+       struct ath12k *ar = skb_cb->ar;
+-      struct ath12k_base *ab = ar->ab;
+-      if (skb_cb->vif == vif) {
+-              spin_lock_bh(&ar->txmgmt_idr_lock);
+-              idr_remove(&ar->txmgmt_idr, buf_id);
+-              spin_unlock_bh(&ar->txmgmt_idr_lock);
+-              dma_unmap_single(ab->dev, skb_cb->paddr, msdu->len,
+-                               DMA_TO_DEVICE);
+-      }
++      if (skb_cb->vif == vif)
++              ath12k_mac_tx_mgmt_free(ar, buf_id);
+       return 0;
+ }
+-- 
+2.51.0
+
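Review bot: In ath12k_mac_vif_txmgmt_idr_remove() the callback still dereferences the iterated `skb` (`skb_cb->ar`, `skb_cb->vif`) before `txmgmt_idr_lock` is taken, whereas the new ath12k_mac_tx_mgmt_free() deliberately trusts only the pointer returned by `idr_remove()` under the lock. If another path can remove and free the same entry concurrently (not visible from this hunk), that read touches freed memory, so either the caller's serialization should be documented or the vif check should move under the lock. At minimum I would add above the `if`: `/* skb is only peeked at here; ownership is taken via idr_remove() under txmgmt_idr_lock */`. The `skb` argument of ath12k_mac_tx_mgmt_pending_free() is now unused and deserves a one-line comment saying the entry is re-fetched by `buf_id`.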