--- /dev/null
+From e0da8a8cac74f4b9f577979d131f0d2b88a84487 Mon Sep 17 00:00:00 2001
+From: Ziqing Chen <chenziqing@xiaomi.com>
+Date: Tue, 14 Apr 2026 21:24:37 +0800
+Subject: ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()
+
+From: Ziqing Chen <chenziqing@xiaomi.com>
+
+commit e0da8a8cac74f4b9f577979d131f0d2b88a84487 upstream.
+
+snd_ctl_elem_init_enum_names() advances pointer p through the names
+buffer while decrementing buf_len. If buf_len reaches zero but items
+remain, the next iteration calls strnlen(p, 0).
+
+While strnlen(p, 0) returns 0 and would hit the existing name_len == 0
+error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks
+maxlen against __builtin_dynamic_object_size(). When Clang loses track
+of p's object size inside the loop, this triggers a BRK exception panic
+before the return value is examined.
+
+Add a buf_len == 0 guard at the loop entry to prevent calling fortified
+strnlen() on an exhausted buffer.
+
+Found by kernel fuzz testing through Xiaomi Smartphone.
+
+Fixes: 8d448162bda5 ("ALSA: control: add support for ENUMERATED user space controls")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ziqing Chen <chenziqing@xiaomi.com>
+Link: https://patch.msgid.link/20260414132437.261304-1-chenziqing@xiaomi.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/control.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -1574,6 +1574,10 @@ static int snd_ctl_elem_init_enum_names(
+ /* check that there are enough valid names */
+ p = names;
+ for (i = 0; i < ue->info.value.enumerated.items; ++i) {
++ if (buf_len == 0) {
++ kvfree(names);
++ return -EINVAL;
++ }
+ name_len = strnlen(p, buf_len);
+ if (name_len == 0 || name_len >= 64 || name_len == buf_len) {
+ kvfree(names);
--- /dev/null
+From 635c3a757a567b2479639237f5f0d4d9439015f1 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Mon, 16 Feb 2026 08:45:51 +0100
+Subject: crypto: atmel-sha204a - Fix OTP sysfs read and error handling
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit 635c3a757a567b2479639237f5f0d4d9439015f1 upstream.
+
+Fix otp_show() to read and print all 64 bytes of the OTP zone.
+Previously, the loop only printed half of the OTP (32 bytes), and
+partial output was returned on read errors.
+
+Propagate the actual error from atmel_sha204a_otp_read() instead of
+producing partial output.
+
+Replace sprintf() with sysfs_emit_at(), which is preferred for
+formatting sysfs output because it provides safer bounds checking.
+
+Cc: stable@vger.kernel.org
+Fixes: 13909a0c8897 ("crypto: atmel-sha204a - provide the otp content")
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Reviewed-by: Lothar Rubusch <l.rubusch@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/atmel-sha204a.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/drivers/crypto/atmel-sha204a.c
++++ b/drivers/crypto/atmel-sha204a.c
+@@ -15,6 +15,7 @@
+ #include <linux/module.h>
+ #include <linux/scatterlist.h>
+ #include <linux/slab.h>
++#include <linux/sysfs.h>
+ #include <linux/workqueue.h>
+ #include "atmel-i2c.h"
+
+@@ -120,21 +121,22 @@ static ssize_t otp_show(struct device *d
+ {
+ u16 addr;
+ u8 otp[OTP_ZONE_SIZE];
+- char *str = buf;
+ struct i2c_client *client = to_i2c_client(dev);
+- int i;
++ ssize_t len = 0;
++ int i, ret;
+
+- for (addr = 0; addr < OTP_ZONE_SIZE/4; addr++) {
+- if (atmel_sha204a_otp_read(client, addr, otp + addr * 4) < 0) {
++ for (addr = 0; addr < OTP_ZONE_SIZE / 4; addr++) {
++ ret = atmel_sha204a_otp_read(client, addr, otp + addr * 4);
++ if (ret < 0) {
+ dev_err(dev, "failed to read otp zone\n");
+- break;
++ return ret;
+ }
+ }
+
+- for (i = 0; i < addr*2; i++)
+- str += sprintf(str, "%02X", otp[i]);
+- str += sprintf(str, "\n");
+- return str - buf;
++ for (i = 0; i < OTP_ZONE_SIZE; i++)
++ len += sysfs_emit_at(buf, len, "%02X", otp[i]);
++ len += sysfs_emit_at(buf, len, "\n");
++ return len;
+ }
+ static DEVICE_ATTR_RO(otp);
+
--- /dev/null
+From 9c469240997584449cfac51a75d1d3d71968c76f Mon Sep 17 00:00:00 2001
+From: Swamil Jain <s-jain1@ti.com>
+Date: Wed, 15 Apr 2026 16:34:09 +0530
+Subject: dt-bindings: display: ti, am65x-dss: Fix AM62L DSS reg and clock constraints
+
+From: Swamil Jain <s-jain1@ti.com>
+
+commit 9c469240997584449cfac51a75d1d3d71968c76f upstream.
+
+The AM62L DSS [1] support incorrectly used the same register and
+clock constraints as AM65x, but AM62L has a single video port
+
+Fix this by adding conditional constraints that properly define the
+register regions and clocks for AM62L DSS (single video port) versus
+other AM65x variants (dual video port).
+
+[1]: Section 12.7 (Display Subsystem and Peripherals)
+Link : https://www.ti.com/lit/pdf/sprujb4
+
+Fixes: cb8d4323302c ("dt-bindings: display: ti,am65x-dss: Add support for AM62L DSS")
+Cc: stable@vger.kernel.org
+Signed-off-by: Swamil Jain <s-jain1@ti.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260415110409.2577633-1-s-jain1@ti.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/display/ti/ti,am65x-dss.yaml | 70 +++++++---
+ 1 file changed, 52 insertions(+), 18 deletions(-)
+
+--- a/Documentation/devicetree/bindings/display/ti/ti,am65x-dss.yaml
++++ b/Documentation/devicetree/bindings/display/ti/ti,am65x-dss.yaml
+@@ -36,34 +36,50 @@ properties:
+ reg:
+ description:
+ Addresses to each DSS memory region described in the SoC's TRM.
+- items:
+- - description: common DSS register area
+- - description: VIDL1 light video plane
+- - description: VID video plane
+- - description: OVR1 overlay manager for vp1
+- - description: OVR2 overlay manager for vp2
+- - description: VP1 video port 1
+- - description: VP2 video port 2
+- - description: common1 DSS register area
++ oneOf:
++ - items:
++ - description: common DSS register area
++ - description: VIDL1 light video plane
++ - description: VID video plane
++ - description: OVR1 overlay manager for vp1
++ - description: OVR2 overlay manager for vp2
++ - description: VP1 video port 1
++ - description: VP2 video port 2
++ - description: common1 DSS register area
++ - items:
++ - description: common DSS register area
++ - description: VIDL1 light video plane
++ - description: OVR1 overlay manager for vp1
++ - description: VP1 video port 1
++ - description: common1 DSS register area
+
+ reg-names:
+- items:
+- - const: common
+- - const: vidl1
+- - const: vid
+- - const: ovr1
+- - const: ovr2
+- - const: vp1
+- - const: vp2
+- - const: common1
++ oneOf:
++ - items:
++ - const: common
++ - const: vidl1
++ - const: vid
++ - const: ovr1
++ - const: ovr2
++ - const: vp1
++ - const: vp2
++ - const: common1
++ - items:
++ - const: common
++ - const: vidl1
++ - const: ovr1
++ - const: vp1
++ - const: common1
+
+ clocks:
++ minItems: 2
+ items:
+ - description: fck DSS functional clock
+ - description: vp1 Video Port 1 pixel clock
+ - description: vp2 Video Port 2 pixel clock
+
+ clock-names:
++ minItems: 2
+ items:
+ - const: fck
+ - const: vp1
+@@ -179,6 +195,24 @@ allOf:
+ ports:
+ properties:
+ port@1: false
++ reg:
++ maxItems: 5
++ reg-names:
++ maxItems: 5
++ clocks:
++ maxItems: 2
++ clock-names:
++ maxItems: 2
++ else:
++ properties:
++ reg:
++ minItems: 8
++ reg-names:
++ minItems: 8
++ clocks:
++ minItems: 3
++ clock-names:
++ minItems: 3
+
+ - if:
+ properties:
--- /dev/null
+From 5c709b376460ff322580c41600e31c02f7cc0307 Mon Sep 17 00:00:00 2001
+From: Felix Gu <ustc.gu@gmail.com>
+Date: Mon, 23 Mar 2026 00:04:08 +0800
+Subject: EDAC/versalnet: Fix device_node leak in mc_probe()
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+commit 5c709b376460ff322580c41600e31c02f7cc0307 upstream.
+
+of_parse_phandle() returns a device_node reference that must be released with
+of_node_put(). The original code never freed r5_core_node on any exit path,
+causing a memory leak.
+
+Fix this by using the automatic cleanup attribute __free(device_node) which
+ensures of_node_put() is called when the variable goes out of scope.
+
+Fixes: d5fe2fec6c40 ("EDAC: Add a driver for the AMD Versal NET DDR controller")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
+Cc: <stable@kernel.org>
+Link: https://patch.msgid.link/20260323-versalnet-v1-1-4ab3012635ef@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/versalnet_edac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/edac/versalnet_edac.c
++++ b/drivers/edac/versalnet_edac.c
+@@ -868,12 +868,12 @@ static void remove_versalnet(struct mc_p
+
+ static int mc_probe(struct platform_device *pdev)
+ {
+- struct device_node *r5_core_node;
+ struct mc_priv *priv;
+ struct rproc *rp;
+ int rc;
+
+- r5_core_node = of_parse_phandle(pdev->dev.of_node, "amd,rproc", 0);
++ struct device_node *r5_core_node __free(device_node) =
++ of_parse_phandle(pdev->dev.of_node, "amd,rproc", 0);
+ if (!r5_core_node) {
+ dev_err(&pdev->dev, "amd,rproc: invalid phandle\n");
+ return -EINVAL;
--- /dev/null
+From 25947cc5b2374cd5bf627fe3141496444260d04f Mon Sep 17 00:00:00 2001
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+Date: Sat, 4 Apr 2026 18:20:11 +0300
+Subject: ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
+
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+
+commit 25947cc5b2374cd5bf627fe3141496444260d04f upstream.
+
+ext2_iget() already rejects inodes with i_nlink == 0 when i_mode is
+zero or i_dtime is set, treating them as deleted. However, the case of
+i_nlink == 0 with a non-zero mode and zero dtime slips through. Since
+ext2 has no orphan list, such a combination can only result from
+filesystem corruption - a legitimate inode deletion always sets either
+i_dtime or clears i_mode before freeing the inode.
+
+A crafted image can exploit this gap to present such an inode to the
+VFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via
+ext2_unlink(), ext2_rename() and ext2_rmdir():
+
+WARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
+CPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1
+Call Trace:
+ <TASK>
+ inode_dec_link_count include/linux/fs.h:2518 [inline]
+ ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295
+ vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477
+ do_unlinkat+0x53e/0x730 fs/namei.c:4541
+ __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587
+ do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+WARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
+CPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1
+Call Trace:
+ <TASK>
+ inode_dec_link_count include/linux/fs.h:2518 [inline]
+ ext2_rename+0x35e/0x850 fs/ext2/namei.c:374
+ vfs_rename+0xf2f/0x2060 fs/namei.c:5021
+ do_renameat2+0xbe2/0xd50 fs/namei.c:5178
+ __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223
+ do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+WARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
+CPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1
+Call Trace:
+ <TASK>
+ inode_dec_link_count include/linux/fs.h:2518 [inline]
+ ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311
+ vfs_rmdir+0x204/0x690 fs/namei.c:4348
+ do_rmdir+0x372/0x3e0 fs/namei.c:4407
+ __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577
+ do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+Extend the existing i_nlink == 0 check to also catch this case,
+reporting the corruption via ext2_error() and returning -EFSCORRUPTED.
+This rejects the inode at load time and prevents it from reaching any
+of the namei.c paths.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Link: https://patch.msgid.link/20260404152011.2590197-1-kovalev@altlinux.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext2/inode.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/fs/ext2/inode.c
++++ b/fs/ext2/inode.c
+@@ -1430,9 +1430,17 @@ struct inode *ext2_iget (struct super_bl
+ * the test is that same one that e2fsck uses
+ * NeilBrown 1999oct15
+ */
+- if (inode->i_nlink == 0 && (inode->i_mode == 0 || ei->i_dtime)) {
+- /* this inode is deleted */
+- ret = -ESTALE;
++ if (inode->i_nlink == 0) {
++ if (inode->i_mode == 0 || ei->i_dtime) {
++ /* this inode is deleted */
++ ret = -ESTALE;
++ } else {
++ ext2_error(sb, __func__,
++ "inode %lu has zero i_nlink with mode 0%o and no dtime, "
++ "filesystem may be corrupt",
++ ino, inode->i_mode);
++ ret = -EFSCORRUPTED;
++ }
+ goto bad_inode;
+ }
+ inode->i_blocks = le32_to_cpu(raw_inode->i_blocks);
--- /dev/null
+From b66437cb20a2d9ef201f40b675569f8ea7787c9f Mon Sep 17 00:00:00 2001
+From: Sanman Pradhan <psanman@juniper.net>
+Date: Fri, 10 Apr 2026 00:25:41 +0000
+Subject: hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt
+
+From: Sanman Pradhan <psanman@juniper.net>
+
+commit b66437cb20a2d9ef201f40b675569f8ea7787c9f upstream.
+
+wait_for_completion_interruptible_timeout() returns -ERESTARTSYS when
+interrupted. This needs to abort the URB and return an error. No data
+has been received from the device so any reads from the transfer
+buffer are invalid.
+
+The original code tests !ret, which only catches the timeout case (0).
+On signal delivery (-ERESTARTSYS), !ret is false so the function skips
+usb_kill_urb() and falls through to read from the unfilled transfer
+buffer.
+
+Fix by capturing the return value into a long (matching the function
+return type) and handling signal (negative) and timeout (zero) cases
+with separate checks that both call usb_kill_urb() before returning.
+
+Fixes: 4381a36abdf1c ("hwmon: add POWER-Z driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sanman Pradhan <psanman@juniper.net>
+Link: https://lore.kernel.org/r/20260410002521.422645-3-sanman.pradhan@hpe.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/powerz.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwmon/powerz.c
++++ b/drivers/hwmon/powerz.c
+@@ -106,6 +106,7 @@ static void powerz_usb_cmd_complete(stru
+
+ static int powerz_read_data(struct usb_device *udev, struct powerz_priv *priv)
+ {
++ long rc;
+ int ret;
+
+ if (!priv->urb)
+@@ -127,8 +128,14 @@ static int powerz_read_data(struct usb_d
+ if (ret)
+ return ret;
+
+- if (!wait_for_completion_interruptible_timeout
+- (&priv->completion, msecs_to_jiffies(5))) {
++ rc = wait_for_completion_interruptible_timeout(&priv->completion,
++ msecs_to_jiffies(5));
++ if (rc < 0) {
++ usb_kill_urb(priv->urb);
++ return rc;
++ }
++
++ if (rc == 0) {
+ usb_kill_urb(priv->urb);
+ return -EIO;
+ }
--- /dev/null
+From 8cdf30813ea8ce881cecc08664144416dbdb3e16 Mon Sep 17 00:00:00 2001
+From: Josh Law <objecting@objecting.org>
+Date: Sun, 8 Mar 2026 20:20:28 +0000
+Subject: lib/ts_kmp: fix integer overflow in pattern length calculation
+
+From: Josh Law <objecting@objecting.org>
+
+commit 8cdf30813ea8ce881cecc08664144416dbdb3e16 upstream.
+
+The ts_kmp algorithm stores its prefix_tbl[] table and pattern in a single
+allocation sized from the pattern length. If the prefix_tbl[] size
+calculation wraps, the resulting allocation can be too small and
+subsequent pattern copies can overflow it.
+
+Fix this by rejecting zero-length patterns and by using overflow helpers
+before calculating the combined allocation size.
+
+
+This fixes a potential heap overflow. The pattern length calculation can
+wrap during a size_t addition, leading to an undersized allocation.
+Because the textsearch library is reachable from userspace via Netfilter's
+xt_string module, this is a security risk that should be backported to LTS
+kernels.
+
+Link: https://lkml.kernel.org/r/20260308202028.2889285-2-objecting@objecting.org
+Signed-off-by: Josh Law <objecting@objecting.org>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/ts_kmp.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/lib/ts_kmp.c
++++ b/lib/ts_kmp.c
+@@ -94,8 +94,22 @@ static struct ts_config *kmp_init(const
+ struct ts_config *conf;
+ struct ts_kmp *kmp;
+ int i;
+- unsigned int prefix_tbl_len = len * sizeof(unsigned int);
+- size_t priv_size = sizeof(*kmp) + len + prefix_tbl_len;
++ unsigned int prefix_tbl_len;
++ size_t priv_size;
++
++ /* Zero-length patterns would make kmp_find() read beyond kmp->pattern. */
++ if (unlikely(!len))
++ return ERR_PTR(-EINVAL);
++
++ /*
++ * kmp->pattern is stored immediately after the prefix_tbl[] table.
++ * Reject lengths that would wrap while sizing either region.
++ */
++ if (unlikely(check_mul_overflow(len, sizeof(*kmp->prefix_tbl),
++ &prefix_tbl_len) ||
++ check_add_overflow(sizeof(*kmp), (size_t)len, &priv_size) ||
++ check_add_overflow(priv_size, prefix_tbl_len, &priv_size)))
++ return ERR_PTR(-EINVAL);
+
+ conf = alloc_ts_config(priv_size, gfp_mask);
+ if (IS_ERR(conf))
--- /dev/null
+From 8cd35ceadcfc8c5da2eb7f7ce24525ce9d4ee62e Mon Sep 17 00:00:00 2001
+From: Ming Qian <ming.qian@oss.nxp.com>
+Date: Fri, 6 Mar 2026 14:59:50 +0800
+Subject: media: amphion: Fix race between m2m job_abort and device_run
+
+From: Ming Qian <ming.qian@oss.nxp.com>
+
+commit 8cd35ceadcfc8c5da2eb7f7ce24525ce9d4ee62e upstream.
+
+Fix kernel panic caused by race condition where v4l2_m2m_ctx_release()
+frees m2m_ctx while v4l2_m2m_try_run() is about to call device_run
+with the same context.
+
+Race sequence:
+ v4l2_m2m_try_run(): v4l2_m2m_ctx_release():
+ lock/unlock v4l2_m2m_cancel_job()
+ job_abort()
+ v4l2_m2m_job_finish()
+ kfree(m2m_ctx) <- frees ctx
+ device_run() <- use-after-free crash at 0x538
+
+Crash trace:
+ Unable to handle kernel read from unreadable memory at virtual address
+ 0000000000000538
+ v4l2_m2m_try_run+0x78/0x138
+ v4l2_m2m_device_run_work+0x14/0x20
+
+The amphion vpu driver does not rely on the m2m framework's device_run
+callback to perform encode/decode operations.
+
+Fix the race by preventing m2m framework job scheduling entirely:
+- Add job_ready callback returning 0 (no jobs ready for m2m framework)
+- Remove job_abort callback to avoid the race condition
+
+Fixes: 3cd084519c6f ("media: amphion: add vpu v4l2 m2m support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/amphion/vpu_v4l2.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/platform/amphion/vpu_v4l2.c
++++ b/drivers/media/platform/amphion/vpu_v4l2.c
+@@ -447,17 +447,14 @@ static void vpu_m2m_device_run(void *pri
+ {
+ }
+
+-static void vpu_m2m_job_abort(void *priv)
++static int vpu_m2m_job_ready(void *priv)
+ {
+- struct vpu_inst *inst = priv;
+- struct v4l2_m2m_ctx *m2m_ctx = inst->fh.m2m_ctx;
+-
+- v4l2_m2m_job_finish(m2m_ctx->m2m_dev, m2m_ctx);
++ return 0;
+ }
+
+ static const struct v4l2_m2m_ops vpu_m2m_ops = {
+ .device_run = vpu_m2m_device_run,
+- .job_abort = vpu_m2m_job_abort
++ .job_ready = vpu_m2m_job_ready,
+ };
+
+ static int vpu_vb2_queue_setup(struct vb2_queue *vq,
--- /dev/null
+From 943b1f27a3eead21b22e2531a5432ea5910b60eb Mon Sep 17 00:00:00 2001
+From: Chen Ni <nichen@iscas.ac.cn>
+Date: Wed, 4 Feb 2026 10:48:59 +0800
+Subject: media: i2c: imx219: Check return value of devm_gpiod_get_optional() in imx219_probe()
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+commit 943b1f27a3eead21b22e2531a5432ea5910b60eb upstream.
+
+The devm_gpiod_get_optional() function may return an error pointer
+(ERR_PTR) in case of a genuine failure during GPIO acquisition,
+not just NULL which indicates the legitimate absence of an optional
+GPIO.
+
+Add an IS_ERR() check after the function call to catch such errors and
+propagate them to the probe function, ensuring the driver fails to load
+safely rather than proceeding with an invalid pointer.
+
+Fixes: 1283b3b8f82b ("media: i2c: Add driver for Sony IMX219 sensor")
+Cc: stable@vger.kernel.org
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Reviewed-by: Jai Luthra <jai.luthra@ideasonboard.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/imx219.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/i2c/imx219.c
++++ b/drivers/media/i2c/imx219.c
+@@ -1218,6 +1218,9 @@ static int imx219_probe(struct i2c_clien
+ /* Request optional enable pin */
+ imx219->reset_gpio = devm_gpiod_get_optional(dev, "reset",
+ GPIOD_OUT_HIGH);
++ if (IS_ERR(imx219->reset_gpio))
++ return dev_err_probe(dev, PTR_ERR(imx219->reset_gpio),
++ "failed to get reset gpio\n");
+
+ /*
+ * The sensor must be powered for imx219_identify_module()
--- /dev/null
+From 34c519feef3e4fcff1078dc8bdb25fbbbd10303f Mon Sep 17 00:00:00 2001
+From: Fan Wu <fanwu01@zju.edu.cn>
+Date: Wed, 4 Mar 2026 03:19:34 +0000
+Subject: media: mtk-jpeg: fix use-after-free in release path due to uncancelled work
+
+From: Fan Wu <fanwu01@zju.edu.cn>
+
+commit 34c519feef3e4fcff1078dc8bdb25fbbbd10303f upstream.
+
+The mtk_jpeg_release() function frees the context structure (ctx) without
+first cancelling any pending or running work in ctx->jpeg_work. This
+creates a race window where the workqueue callback may still be accessing
+the context memory after it has been freed.
+
+Race condition:
+
+ CPU 0 (release) CPU 1 (workqueue)
+ ---------------- ------------------
+ close()
+ mtk_jpeg_release()
+ mtk_jpegenc_worker()
+ ctx = work->data
+ // accessing ctx
+
+ kfree(ctx) // freed!
+ access ctx // UAF!
+
+The work is queued via queue_work() during JPEG encode/decode operations
+(via mtk_jpeg_device_run). If the device is closed while work is pending
+or running, the work handler will access freed memory.
+
+Fix this by calling cancel_work_sync() BEFORE acquiring the mutex. This
+ordering is critical: if cancel_work_sync() is called after mutex_lock(),
+and the work handler also tries to acquire the same mutex, it would cause
+a deadlock.
+
+Note: The open error path does NOT need cancel_work_sync() because
+INIT_WORK() only initializes the work structure - it does not schedule
+it. Work is only scheduled later during ioctl operations.
+
+Fixes: 5fb1c2361e56 ("mtk-jpegenc: add jpeg encode worker interface")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
++++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
+@@ -1202,6 +1202,7 @@ static int mtk_jpeg_release(struct file
+ struct mtk_jpeg_dev *jpeg = video_drvdata(file);
+ struct mtk_jpeg_ctx *ctx = mtk_jpeg_file_to_ctx(file);
+
++ cancel_work_sync(&ctx->jpeg_work);
+ mutex_lock(&jpeg->lock);
+ v4l2_m2m_ctx_release(ctx->fh.m2m_ctx);
+ v4l2_ctrl_handler_free(&ctx->ctrl_hdl);
--- /dev/null
+From 4fb61d95ad21c3b6f1c09f357ff49d70abb0535e Mon Sep 17 00:00:00 2001
+From: Shigeru Yoshida <syoshida@redhat.com>
+Date: Sat, 21 Mar 2026 22:29:11 +0900
+Subject: mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+commit 4fb61d95ad21c3b6f1c09f357ff49d70abb0535e upstream.
+
+zs_page_migrate() uses copy_page() to copy the contents of a zspage page
+during migration. However, copy_page() is not instrumented by KMSAN, so
+the shadow and origin metadata of the destination page are not updated.
+
+As a result, subsequent accesses to the migrated page are reported as
+use-after-free by KMSAN, despite the data being correctly copied.
+
+Add a kmsan_copy_page_meta() call after copy_page() to propagate the KMSAN
+metadata to the new page, matching what copy_highpage() does internally.
+
+Link: https://lkml.kernel.org/r/20260321132912.93434-1-syoshida@redhat.com
+Fixes: afb2d666d025 ("zsmalloc: use copy_page for full page copy")
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/zsmalloc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/zsmalloc.c
++++ b/mm/zsmalloc.c
+@@ -1741,6 +1741,7 @@ static int zs_page_migrate(struct page *
+ */
+ d_addr = kmap_local_zpdesc(newzpdesc);
+ copy_page(d_addr, s_addr);
++ kmsan_copy_page_meta(zpdesc_page(newzpdesc), zpdesc_page(zpdesc));
+ kunmap_local(d_addr);
+
+ for (addr = s_addr + offset; addr < s_addr + PAGE_SIZE;
--- /dev/null
+From f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8 Mon Sep 17 00:00:00 2001
+From: Zhengchuan Liang <zcliangcn@gmail.com>
+Date: Sat, 11 Apr 2026 23:10:26 +0800
+Subject: net: caif: clear client service pointer on teardown
+
+From: Zhengchuan Liang <zcliangcn@gmail.com>
+
+commit f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8 upstream.
+
+`caif_connect()` can tear down an existing client after remote shutdown by
+calling `caif_disconnect_client()` followed by `caif_free_client()`.
+`caif_free_client()` releases the service layer referenced by
+`adap_layer->dn`, but leaves that pointer stale.
+
+When the socket is later destroyed, `caif_sock_destructor()` calls
+`caif_free_client()` again and dereferences the freed service pointer.
+
+Clear the client/service links before releasing the service object so
+repeated teardown becomes harmless.
+
+Fixes: 43e369210108 ("caif: Move refcount from service layer to sock and dev.")
+Cc: stable@kernel.org
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Link: https://patch.msgid.link/9f3d37847c0037568aae698ca23cd47c6691acb0.1775897577.git.zcliangcn@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/caif/cfsrvl.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/net/caif/cfsrvl.c
++++ b/net/caif/cfsrvl.c
+@@ -191,10 +191,20 @@ bool cfsrvl_phyid_match(struct cflayer *
+
+ void caif_free_client(struct cflayer *adap_layer)
+ {
++ struct cflayer *serv_layer;
+ struct cfsrvl *servl;
+- if (adap_layer == NULL || adap_layer->dn == NULL)
++
++ if (!adap_layer)
++ return;
++
++ serv_layer = adap_layer->dn;
++ if (!serv_layer)
+ return;
+- servl = container_obj(adap_layer->dn);
++
++ layer_set_dn(adap_layer, NULL);
++ layer_set_up(serv_layer, NULL);
++
++ servl = container_obj(serv_layer);
+ servl->release(&servl->layer);
+ }
+ EXPORT_SYMBOL(caif_free_client);
--- /dev/null
+From 7809fea20c9404bfcfa6112ec08d1fe1d3520beb Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+Date: Thu, 9 Apr 2026 23:04:16 +0530
+Subject: net: qrtr: ns: Fix use-after-free in driver remove()
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+
+commit 7809fea20c9404bfcfa6112ec08d1fe1d3520beb upstream.
+
+In the remove callback, if a packet arrives after destroy_workqueue() is
+called, but before sock_release(), the qrtr_ns_data_ready() callback will
+try to queue the work, causing use-after-free issue.
+
+Fix this issue by saving the default 'sk_data_ready' callback during
+qrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at
+the start of remove(). This ensures that even if a packet arrives after
+destroy_workqueue(), the work struct will not be dereferenced.
+
+Note that it is also required to ensure that the RX threads are completed
+before destroying the workqueue, because the threads could be using the
+qrtr_ns_data_ready() callback.
+
+Cc: stable@vger.kernel.org
+Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260409-qrtr-fix-v3-5-00a8a5ff2b51@oss.qualcomm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/qrtr/ns.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/net/qrtr/ns.c
++++ b/net/qrtr/ns.c
+@@ -24,6 +24,7 @@ static struct {
+ struct list_head lookups;
+ struct workqueue_struct *workqueue;
+ struct work_struct work;
++ void (*saved_data_ready)(struct sock *sk);
+ int local_node;
+ } qrtr_ns;
+
+@@ -709,6 +710,7 @@ int qrtr_ns_init(void)
+ goto err_sock;
+ }
+
++ qrtr_ns.saved_data_ready = qrtr_ns.sock->sk->sk_data_ready;
+ qrtr_ns.sock->sk->sk_data_ready = qrtr_ns_data_ready;
+
+ sq.sq_port = QRTR_PORT_CTRL;
+@@ -749,6 +751,10 @@ int qrtr_ns_init(void)
+ return 0;
+
+ err_wq:
++ write_lock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
++ qrtr_ns.sock->sk->sk_data_ready = qrtr_ns.saved_data_ready;
++ write_unlock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
++
+ destroy_workqueue(qrtr_ns.workqueue);
+ err_sock:
+ sock_release(qrtr_ns.sock);
+@@ -758,7 +764,12 @@ EXPORT_SYMBOL_GPL(qrtr_ns_init);
+
+ void qrtr_ns_remove(void)
+ {
++ write_lock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
++ qrtr_ns.sock->sk->sk_data_ready = qrtr_ns.saved_data_ready;
++ write_unlock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
++
+ cancel_work_sync(&qrtr_ns.work);
++ synchronize_net();
+ destroy_workqueue(qrtr_ns.workqueue);
+
+ /* sock_release() expects the two references that were put during
--- /dev/null
+From fe72340daaf1af588be88056faf98965f39e6032 Mon Sep 17 00:00:00 2001
+From: Luxiao Xu <rakukuip@gmail.com>
+Date: Sat, 11 Apr 2026 23:10:10 +0800
+Subject: net: strparser: fix skb_head leak in strp_abort_strp()
+
+From: Luxiao Xu <rakukuip@gmail.com>
+
+commit fe72340daaf1af588be88056faf98965f39e6032 upstream.
+
+When the stream parser is aborted, for example after a message assembly timeout,
+it can still hold a reference to a partially assembled message in
+strp->skb_head.
+
+That skb is not released in strp_abort_strp(), which leaks the partially
+assembled message and can be triggered repeatedly to exhaust memory.
+
+Fix this by freeing strp->skb_head and resetting the parser state in the
+abort path. Leave strp_stop() unchanged so final cleanup still happens in
+strp_done() after the work and timer have been synchronized.
+
+Fixes: 43a0c6751a32 ("strparser: Stream parser for messages")
+Cc: stable@kernel.org
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Link: https://patch.msgid.link/ade3857a9404999ce9a1c27ec523efc896072678.1775482694.git.rakukuip@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/strparser/strparser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/strparser/strparser.c
++++ b/net/strparser/strparser.c
+@@ -45,6 +45,14 @@ static void strp_abort_strp(struct strpa
+
+ strp->stopped = 1;
+
++ if (strp->skb_head) {
++ kfree_skb(strp->skb_head);
++ strp->skb_head = NULL;
++ }
++
++ strp->skb_nextp = NULL;
++ strp->need_bytes = 0;
++
+ if (strp->sk) {
+ struct sock *sk = strp->sk;
+
--- /dev/null
+From faecdd423c27f0d6090156a435ba9dbbac0eaddb Mon Sep 17 00:00:00 2001
+From: Wentao Liang <vulab@iscas.ac.cn>
+Date: Thu, 9 Apr 2026 02:22:33 +0000
+Subject: of: unittest: fix use-after-free in of_unittest_changeset()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+commit faecdd423c27f0d6090156a435ba9dbbac0eaddb upstream.
+
+The variable 'parent' is assigned the value of 'nchangeset' earlier in the
+function, meaning both point to the same struct device_node. The call to
+of_node_put(nchangeset) can decrement the reference count to zero and
+free the node if there are no other holders. After that, the code still
+uses 'parent' to check for the presence of a property and to read a
+string property, leading to a use-after-free.
+
+Fix this by moving the of_node_put() call after the last access to
+'parent', avoiding the UAF.
+
+Fixes: 1c668ea65506 ("of: unittest: Use of_property_present()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Link: https://patch.msgid.link/20260409022233.418103-1-vulab@iscas.ac.cn
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/unittest.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -896,8 +896,6 @@ static void __init of_unittest_changeset
+
+ unittest(!of_changeset_apply(&chgset), "apply failed\n");
+
+- of_node_put(nchangeset);
+-
+ /* Make sure node names are constructed correctly */
+ unittest((np = of_find_node_by_path("/testcase-data/changeset/n2/n21")),
+ "'%pOF' not added\n", n21);
+@@ -919,6 +917,7 @@ static void __init of_unittest_changeset
+ if (!ret)
+ unittest(strcmp(propstr, "hello") == 0, "original value not in updated property after revert");
+
++ of_node_put(nchangeset);
+ of_changeset_destroy(&chgset);
+
+ of_node_put(n1);
--- /dev/null
+From 07fd339b2c253205794bea5d9b4b7548a4546c56 Mon Sep 17 00:00:00 2001
+From: Wentao Liang <vulab@iscas.ac.cn>
+Date: Thu, 9 Apr 2026 03:48:59 +0000
+Subject: of: unittest: fix use-after-free in testdrv_probe()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+commit 07fd339b2c253205794bea5d9b4b7548a4546c56 upstream.
+
+The function testdrv_probe() retrieves the device_node from the PCI
+device, applies an overlay, and then immediately calls of_node_put(dn).
+This releases the reference held by the PCI core, potentially freeing
+the node if the reference count drops to zero. Later, the same freed
+pointer 'dn' is passed to of_platform_default_populate(), leading to a
+use-after-free.
+
+The reference to pdev->dev.of_node is owned by the device model and
+should not be released by the driver. Remove the erroneous of_node_put()
+to prevent premature freeing.
+
+Fixes: 26409dd04589 ("of: unittest: Add pci_dt_testdrv pci driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Link: https://patch.msgid.link/20260409034859.429071-1-vulab@iscas.ac.cn
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/unittest.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -4317,7 +4317,6 @@ static int testdrv_probe(struct pci_dev
+
+ size = info->dtbo_end - info->dtbo_begin;
+ ret = of_overlay_fdt_apply(info->dtbo_begin, size, &ovcs_id, dn);
+- of_node_put(dn);
+ if (ret)
+ return ret;
+
--- /dev/null
+From 3446beddba450c8d6f9aca2f028712ac527fead3 Mon Sep 17 00:00:00 2001
+From: Koichiro Den <den@valinux.co.jp>
+Date: Thu, 26 Feb 2026 17:41:39 +0900
+Subject: PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
+
+From: Koichiro Den <den@valinux.co.jp>
+
+commit 3446beddba450c8d6f9aca2f028712ac527fead3 upstream.
+
+epf_ntb_epc_destroy() duplicates the teardown that the caller is
+supposed to do later. This leads to an oops when .allow_link fails or
+when .drop_link is performed. Remove the helper.
+
+Also drop pci_epc_put(). EPC device refcounting is tied to configfs EPC
+group lifetime, and pci_epc_put() in the .drop_link path is sufficient.
+
+Fixes: 8b821cf76150 ("PCI: endpoint: Add EP function driver to provide NTB functionality")
+Signed-off-by: Koichiro Den <den@valinux.co.jp>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260226084142.2226875-3-den@valinux.co.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/functions/pci-epf-ntb.c | 56 ---------------------------
+ 1 file changed, 2 insertions(+), 54 deletions(-)
+
+--- a/drivers/pci/endpoint/functions/pci-epf-ntb.c
++++ b/drivers/pci/endpoint/functions/pci-epf-ntb.c
+@@ -1495,47 +1495,6 @@ err_alloc_peer_mem:
+ }
+
+ /**
+- * epf_ntb_epc_destroy_interface() - Cleanup NTB EPC interface
+- * @ntb: NTB device that facilitates communication between HOST1 and HOST2
+- * @type: PRIMARY interface or SECONDARY interface
+- *
+- * Unbind NTB function device from EPC and relinquish reference to pci_epc
+- * for each of the interface.
+- */
+-static void epf_ntb_epc_destroy_interface(struct epf_ntb *ntb,
+- enum pci_epc_interface_type type)
+-{
+- struct epf_ntb_epc *ntb_epc;
+- struct pci_epc *epc;
+- struct pci_epf *epf;
+-
+- if (type < 0)
+- return;
+-
+- epf = ntb->epf;
+- ntb_epc = ntb->epc[type];
+- if (!ntb_epc)
+- return;
+- epc = ntb_epc->epc;
+- pci_epc_remove_epf(epc, epf, type);
+- pci_epc_put(epc);
+-}
+-
+-/**
+- * epf_ntb_epc_destroy() - Cleanup NTB EPC interface
+- * @ntb: NTB device that facilitates communication between HOST1 and HOST2
+- *
+- * Wrapper for epf_ntb_epc_destroy_interface() to cleanup all the NTB interfaces
+- */
+-static void epf_ntb_epc_destroy(struct epf_ntb *ntb)
+-{
+- enum pci_epc_interface_type type;
+-
+- for (type = PRIMARY_INTERFACE; type <= SECONDARY_INTERFACE; type++)
+- epf_ntb_epc_destroy_interface(ntb, type);
+-}
+-
+-/**
+ * epf_ntb_epc_create_interface() - Create and initialize NTB EPC interface
+ * @ntb: NTB device that facilitates communication between HOST1 and HOST2
+ * @epc: struct pci_epc to which a particular NTB interface should be associated
+@@ -1614,15 +1573,8 @@ static int epf_ntb_epc_create(struct epf
+
+ ret = epf_ntb_epc_create_interface(ntb, epf->sec_epc,
+ SECONDARY_INTERFACE);
+- if (ret) {
++ if (ret)
+ dev_err(dev, "SECONDARY intf: Fail to create NTB EPC\n");
+- goto err_epc_create;
+- }
+-
+- return 0;
+-
+-err_epc_create:
+- epf_ntb_epc_destroy_interface(ntb, PRIMARY_INTERFACE);
+
+ return ret;
+ }
+@@ -1887,7 +1839,7 @@ static int epf_ntb_bind(struct pci_epf *
+ ret = epf_ntb_init_epc_bar(ntb);
+ if (ret) {
+ dev_err(dev, "Failed to create NTB EPC\n");
+- goto err_bar_init;
++ return ret;
+ }
+
+ ret = epf_ntb_config_spad_bar_alloc_interface(ntb);
+@@ -1909,9 +1861,6 @@ static int epf_ntb_bind(struct pci_epf *
+ err_bar_alloc:
+ epf_ntb_config_spad_bar_free(ntb);
+
+-err_bar_init:
+- epf_ntb_epc_destroy(ntb);
+-
+ return ret;
+ }
+
+@@ -1927,7 +1876,6 @@ static void epf_ntb_unbind(struct pci_ep
+
+ epf_ntb_epc_cleanup(ntb);
+ epf_ntb_config_spad_bar_free(ntb);
+- epf_ntb_epc_destroy(ntb);
+ }
+
+ #define EPF_NTB_R(_name) \
--- /dev/null
+From 36bfc3642b19a98f1302aed4437c331df9b481f0 Mon Sep 17 00:00:00 2001
+From: Daniel Hodges <git@danielhodges.dev>
+Date: Fri, 6 Feb 2026 15:05:29 -0500
+Subject: PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete
+
+From: Daniel Hodges <git@danielhodges.dev>
+
+commit 36bfc3642b19a98f1302aed4437c331df9b481f0 upstream.
+
+pci_epf_mhi_edma_read() and pci_epf_mhi_edma_write() start DMA
+operations and wait for completion with a timeout.
+
+On successful completion, they previously returned the remaining
+timeout, which callers may treat as an error. In particular,
+mhi_ep_ring_add_element(), which calls pci_epf_mhi_edma_write() via
+mhi_cntrl->write_sync(), interprets any non-zero return value as
+failure.
+
+Return 0 on success instead of the remaining timeout to prevent
+mhi_ep_ring_add_element() from treating successful completion as an
+error.
+
+Fixes: 7b99aaaddabb ("PCI: epf-mhi: Add eDMA support")
+Signed-off-by: Daniel Hodges <git@danielhodges.dev>
+[mani: changed commit log as per https://lore.kernel.org/linux-pci/20260227191510.GA3904799@bhelgaas]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260206200529.10784-1-git@danielhodges.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/functions/pci-epf-mhi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/endpoint/functions/pci-epf-mhi.c
++++ b/drivers/pci/endpoint/functions/pci-epf-mhi.c
+@@ -367,6 +367,8 @@ static int pci_epf_mhi_edma_read(struct
+ dev_err(dev, "DMA transfer timeout\n");
+ dmaengine_terminate_sync(chan);
+ ret = -ETIMEDOUT;
++ } else {
++ ret = 0;
+ }
+
+ err_unmap:
+@@ -438,6 +440,8 @@ static int pci_epf_mhi_edma_write(struct
+ dev_err(dev, "DMA transfer timeout\n");
+ dmaengine_terminate_sync(chan);
+ ret = -ETIMEDOUT;
++ } else {
++ ret = 0;
+ }
+
+ err_unmap:
--- /dev/null
+From 5f73cf1db829c21b7fd44a8d2587cd395b1b2d76 Mon Sep 17 00:00:00 2001
+From: Richard Zhu <hongxing.zhu@nxp.com>
+Date: Sat, 28 Feb 2026 16:09:25 +0800
+Subject: PCI: imx6: Skip waiting for L2/L3 Ready on i.MX6SX
+
+From: Richard Zhu <hongxing.zhu@nxp.com>
+
+commit 5f73cf1db829c21b7fd44a8d2587cd395b1b2d76 upstream.
+
+On i.MX6SX, the LTSSM registers become inaccessible after the
+PME_Turn_Off message is sent to the link. So there is no way to verify
+whether the link has entered L2/L3 Ready state or not.
+
+Hence, set IMX_PCIE_FLAG_SKIP_L23_READY flag for i.MX6SX SoC to skip the
+L2/L3 Ready state polling and let the DWC core wait for 10ms after sending
+the PME_Turn_Off message as per the PCIe spec r6.0, sec 5.3.3.2.1.
+
+Fixes: a528d1a72597 ("PCI: imx6: Use DWC common suspend resume method")
+Signed-off-by: Richard Zhu <hongxing.zhu@nxp.com>
+[mani: commit log]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260228080925.1558395-1-hongxing.zhu@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/pci-imx6.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/controller/dwc/pci-imx6.c
++++ b/drivers/pci/controller/dwc/pci-imx6.c
+@@ -1876,6 +1876,7 @@ static const struct imx_pcie_drvdata drv
+ .variant = IMX6SX,
+ .flags = IMX_PCIE_FLAG_IMX_PHY |
+ IMX_PCIE_FLAG_SPEED_CHANGE_WORKAROUND |
++ IMX_PCIE_FLAG_SKIP_L23_READY |
+ IMX_PCIE_FLAG_SUPPORTS_SUSPEND,
+ .gpr = "fsl,imx6q-iomuxc-gpr",
+ .ltssm_off = IOMUXC_GPR12,
--- /dev/null
+From 520a98bdf7ae0130e22d8adced3d69a2e211b41f Mon Sep 17 00:00:00 2001
+From: Elson Serrao <elson.serrao@oss.qualcomm.com>
+Date: Tue, 17 Feb 2026 12:11:30 -0800
+Subject: phy: qcom: m31-eusb2: clear PLL_EN during init
+
+From: Elson Serrao <elson.serrao@oss.qualcomm.com>
+
+commit 520a98bdf7ae0130e22d8adced3d69a2e211b41f upstream.
+
+The driver currently sets bit 0 of USB_PHY_CFG1 (PLL_EN) during PHY
+initialization. According to the M31 EUSB2 PHY hardware documentation,
+this bit is intended only for test/debug scenarios and does not control
+mission mode operation. Keeping PLL_EN asserted causes the PHY to draw
+additional current during USB bus suspend. Clearing this bit results in
+lower suspend power consumption without affecting normal operation.
+
+Update the driver to leave PLL_EN cleared as recommended by the hardware
+documentation.
+
+Fixes: 9c8504861cc4 ("phy: qcom: Add M31 based eUSB2 PHY driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Elson Serrao <elson.serrao@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260217201130.2804550-1-elson.serrao@oss.qualcomm.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/qualcomm/phy-qcom-m31-eusb2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/phy/qualcomm/phy-qcom-m31-eusb2.c
++++ b/drivers/phy/qualcomm/phy-qcom-m31-eusb2.c
+@@ -83,7 +83,7 @@ static const struct m31_phy_tbl_entry m3
+ M31_EUSB_PHY_INIT_CFG(USB_PHY_CFG0, UTMI_PHY_CMN_CTRL_OVERRIDE_EN, 1),
+ M31_EUSB_PHY_INIT_CFG(USB_PHY_UTMI_CTRL5, POR, 1),
+ M31_EUSB_PHY_INIT_CFG(USB_PHY_HS_PHY_CTRL_COMMON0, PHY_ENABLE, 1),
+- M31_EUSB_PHY_INIT_CFG(USB_PHY_CFG1, PLL_EN, 1),
++ M31_EUSB_PHY_INIT_CFG(USB_PHY_CFG1, PLL_EN, 0),
+ M31_EUSB_PHY_INIT_CFG(USB_PHY_FSEL_SEL, FSEL_SEL, 1),
+ };
+
--- /dev/null
+From 41d78cb724f4b40b7548af420ccfe524b14023bb Mon Sep 17 00:00:00 2001
+From: Rong Zhang <i@rong.moe>
+Date: Wed, 4 Mar 2026 03:47:56 +0800
+Subject: Revert "ALSA: usb: Increase volume range that triggers a warning"
+
+From: Rong Zhang <i@rong.moe>
+
+commit 41d78cb724f4b40b7548af420ccfe524b14023bb upstream.
+
+UAC uses 2 bytes to store volume values, so the maximum volume range is
+0xFFFF (65535, val = -32768/32767/1).
+
+The reverted commit bumpped the range of triggering the warning to >
+65535, effectively making the range check a no-op. It didn't fix
+anything but covered any potential problems and deviated from the
+original intention of the range check.
+
+This reverts commit 6b971191fcfc9e3c2c0143eea22534f1f48dbb62.
+
+Fixes: 6b971191fcfc ("ALSA: usb: Increase volume range that triggers a warning")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rong Zhang <i@rong.moe>
+Acked-by: Arun Raghavan <arunr@valvesoftware.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20260303194805.266158-2-i@rong.moe
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1820,10 +1820,11 @@ static void __build_feature_ctl(struct u
+
+ range = (cval->max - cval->min) / cval->res;
+ /*
+- * There are definitely devices with a range of ~20,000, so let's be
+- * conservative and allow for a bit more.
++ * Are there devices with volume range more than 255? I use a bit more
++ * to be sure. 384 is a resolution magic number found on Logitech
++ * devices. It will definitively catch all buggy Logitech devices.
+ */
+- if (range > 65535) {
++ if (range > 384) {
+ usb_audio_warn(mixer->chip,
+ "Warning! Unlikely big volume range (=%u), cval->res is probably wrong.",
+ range);
spi-ch341-fix-memory-leaks-on-probe-failures.patch
crypto-algif_aead-snapshot-iv-for-async-aead-requests.patch
crypto-pcrypt-fix-handling-of-may_backlog-requests.patch
+dt-bindings-display-ti-am65x-dss-fix-am62l-dss-reg-and-clock-constraints.patch
+of-unittest-fix-use-after-free-in-of_unittest_changeset.patch
+of-unittest-fix-use-after-free-in-testdrv_probe.patch
+hwmon-powerz-fix-missing-usb_kill_urb-on-signal-interrupt.patch
+edac-versalnet-fix-device_node-leak-in-mc_probe.patch
+pci-imx6-skip-waiting-for-l2-l3-ready-on-i.mx6sx.patch
+media-amphion-fix-race-between-m2m-job_abort-and-device_run.patch
+alsa-control-validate-buf_len-before-strnlen-in-snd_ctl_elem_init_enum_names.patch
+net-caif-clear-client-service-pointer-on-teardown.patch
+net-strparser-fix-skb_head-leak-in-strp_abort_strp.patch
+media-mtk-jpeg-fix-use-after-free-in-release-path-due-to-uncancelled-work.patch
+crypto-atmel-sha204a-fix-otp-sysfs-read-and-error-handling.patch
+pci-endpoint-pci-epf-ntb-remove-duplicate-resource-teardown.patch
+revert-alsa-usb-increase-volume-range-that-triggers-a-warning.patch
+phy-qcom-m31-eusb2-clear-pll_en-during-init.patch
+pci-epf-mhi-return-0-not-remaining-timeout-when-edma-ops-complete.patch
+lib-ts_kmp-fix-integer-overflow-in-pattern-length-calculation.patch
+media-i2c-imx219-check-return-value-of-devm_gpiod_get_optional-in-imx219_probe.patch
+net-qrtr-ns-fix-use-after-free-in-driver-remove.patch
+ext2-reject-inodes-with-zero-i_nlink-and-valid-mode-in-ext2_iget.patch
+mm-zsmalloc-copy-kmsan-metadata-in-zs_page_migrate.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
