--- /dev/null
+From ad3ac32a3893a2bbcad545efc005a8e4e7ecf10c Mon Sep 17 00:00:00 2001
+From: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Date: Thu, 2 Apr 2026 18:42:20 +0200
+Subject: drm/arcpgu: fix device node leak
+
+From: Luca Ceresoli <luca.ceresoli@bootlin.com>
+
+commit ad3ac32a3893a2bbcad545efc005a8e4e7ecf10c upstream.
+
+This function gets a device_node reference via
+of_graph_get_remote_port_parent() and stores it in encoder_node, but never
+puts that reference. Add it.
+
+There used to be a of_node_put(encoder_node) but it has been removed by
+mistake during a rework in commit 3ea66a794fdc ("drm/arc: Inline
+arcpgu_drm_hdmi_init").
+
+Fixes: 3ea66a794fdc ("drm/arc: Inline arcpgu_drm_hdmi_init")
+Cc: stable@vger.kernel.org
+Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com>
+Link: https://patch.msgid.link/20260402-drm-arcgpu-fix-device-node-leak-v2-1-d773cf754ae5@bootlin.com
+Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tiny/arcpgu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/tiny/arcpgu.c
++++ b/drivers/gpu/drm/tiny/arcpgu.c
+@@ -248,7 +248,8 @@ DEFINE_DRM_GEM_DMA_FOPS(arcpgu_drm_ops);
+ static int arcpgu_load(struct arcpgu_drm_private *arcpgu)
+ {
+ struct platform_device *pdev = to_platform_device(arcpgu->drm.dev);
+- struct device_node *encoder_node = NULL, *endpoint_node = NULL;
++ struct device_node *encoder_node __free(device_node) = NULL;
++ struct device_node *endpoint_node = NULL;
+ struct drm_connector *connector = NULL;
+ struct drm_device *drm = &arcpgu->drm;
+ struct resource *res;
--- /dev/null
+From 4f96b7c68a9904e01049ef610d701b382dca9574 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Wed, 25 Mar 2026 18:19:15 -0700
+Subject: extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 4f96b7c68a9904e01049ef610d701b382dca9574 upstream.
+
+A recent strengthening of -Wunused-but-set-variable (enabled with -Wall)
+in clang under a new subwarning, -Wunused-but-set-global, points out an
+unused static global variable in certs/extract-cert.c:
+
+ certs/extract-cert.c:46:20: error: variable 'key_pass' set but not used [-Werror,-Wunused-but-set-global]
+ 46 | static const char *key_pass;
+ | ^
+
+After commit 558bdc45dfb2 ("sign-file,extract-cert: use pkcs11 provider
+for OPENSSL MAJOR >= 3"), key_pass is only used with the OpenSSL engine
+API, not the new provider API. Wrap key_pass's declaration and
+assignment with '#ifdef USE_PKCS11_ENGINE' so that it is only included
+with its use to clear up the warning. While this is a little uglier than
+just marking key_pass with the unused attribute, this will make it
+easier to clean up all code associated with the use of the engine API if
+it were ever removed in the future. While in the area, use a tab for
+the key_pass assignment line to match the rest of the file.
+
+Cc: stable@vger.kernel.org
+Fixes: 558bdc45dfb2 ("sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3")
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Tested-by: Nick Desaulniers <ndesaulniers@google.com>
+Link: https://patch.msgid.link/20260325-certs-extract-cert-key_pass-unused-but-set-global-v1-1-ecf94326d532@kernel.org
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ certs/extract-cert.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/certs/extract-cert.c
++++ b/certs/extract-cert.c
+@@ -43,7 +43,9 @@ void format(void)
+ exit(2);
+ }
+
++#ifdef USE_PKCS11_ENGINE
+ static const char *key_pass;
++#endif
+ static BIO *wb;
+ static char *cert_dst;
+ static int kbuild_verbose;
+@@ -132,7 +134,9 @@ int main(int argc, char **argv)
+
+ kbuild_verbose = atoi(getenv("KBUILD_VERBOSE")?:"0");
+
+- key_pass = getenv("KBUILD_SIGN_PIN");
++#ifdef USE_PKCS11_ENGINE
++ key_pass = getenv("KBUILD_SIGN_PIN");
++#endif
+
+ if (argc != 3)
+ format();
--- /dev/null
+From 67bf002a2d7387a6312138210d0bd06e3cf4879b Mon Sep 17 00:00:00 2001
+From: Ruide Cao <caoruide123@gmail.com>
+Date: Tue, 21 Apr 2026 12:16:31 +0800
+Subject: ipv4: icmp: validate reply type before using icmp_pointers
+
+From: Ruide Cao <caoruide123@gmail.com>
+
+commit 67bf002a2d7387a6312138210d0bd06e3cf4879b upstream.
+
+Extended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type.
+That value is outside the range covered by icmp_pointers[], which only
+describes the traditional ICMP types up to NR_ICMP_TYPES.
+
+Avoid consulting icmp_pointers[] for reply types outside that range, and
+use array_index_nospec() for the remaining in-range lookup. Normal ICMP
+replies keep their existing behavior unchanged.
+
+Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Ruide Cao <caoruide123@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/0dace90c01a5978e829ca741ef684dbd7304ce62.1776628519.git.caoruide123@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/icmp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -64,6 +64,7 @@
+ #include <linux/jiffies.h>
+ #include <linux/kernel.h>
+ #include <linux/fcntl.h>
++#include <linux/nospec.h>
+ #include <linux/socket.h>
+ #include <linux/in.h>
+ #include <linux/inet.h>
+@@ -359,7 +360,9 @@ static int icmp_glue_bits(void *from, ch
+ to, len);
+
+ skb->csum = csum_block_add(skb->csum, csum, odd);
+- if (icmp_pointers[icmp_param->data.icmph.type].error)
++ if (icmp_param->data.icmph.type <= NR_ICMP_TYPES &&
++ icmp_pointers[array_index_nospec(icmp_param->data.icmph.type,
++ NR_ICMP_TYPES + 1)].error)
+ nf_ct_attach(skb, icmp_param->skb);
+ return 0;
+ }
--- /dev/null
+From 5199c125d25aeae8615c4fc31652cc0fe624338e Mon Sep 17 00:00:00 2001
+From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Date: Wed, 18 Mar 2026 18:09:03 +0100
+Subject: libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
+
+From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+
+commit 5199c125d25aeae8615c4fc31652cc0fe624338e upstream.
+
+If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both
+protocol and result, this is currently not treated as an error. In case
+of ac->negotiating == true and ac->protocol > 0, this leads to setting
+ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for
+ac->protocol != protocol returns false, and init_protocol() is not
+called. Subsequently, ac->ops->handle_reply() is called, which leads to
+a null pointer dereference, because ac->ops is still NULL.
+
+This patch changes the check for ac->protocol != protocol to
+!ac->protocol, as this also includes the case when the protocol was set
+to zero in the message. This causes the message to be treated as
+containing a bad auth protocol.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/auth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ceph/auth.c
++++ b/net/ceph/auth.c
+@@ -245,7 +245,7 @@ int ceph_handle_auth_reply(struct ceph_a
+ ac->protocol = 0;
+ ac->ops = NULL;
+ }
+- if (ac->protocol != protocol) {
++ if (!ac->protocol) {
+ ret = init_protocol(ac, protocol);
+ if (ret) {
+ pr_err("auth protocol '%s' init failed: %d\n",
--- /dev/null
+From 37e57e8ad96cdec4a57b55fd10bef50f7370a954 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Wed, 22 Apr 2026 15:45:12 +0800
+Subject: LoongArch: Show CPU vulnerabilites correctly
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit 37e57e8ad96cdec4a57b55fd10bef50f7370a954 upstream.
+
+Most LoongArch processors are vulnerable to Spectre-V1 Proof-of-Concept
+(PoC). And the generic mechanism, __user pointer sanitization, can be
+used as a mitigation. This means to use array_index_nospec() to prevent
+out of boundry access in syscall and other critical paths.
+
+Implement the arch-specific cpu_show_spectre_v1() to show CPU Spectre-V1
+vulnerabilites correctly.
+
+Cc: stable@vger.kernel.org
+Link: https://cc-sw.com/chinese-loongarch-architecture-evaluation-part-3-of-3/
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kernel/cpu-probe.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/loongarch/kernel/cpu-probe.c
++++ b/arch/loongarch/kernel/cpu-probe.c
+@@ -7,6 +7,7 @@
+ #include <linux/init.h>
+ #include <linux/kernel.h>
+ #include <linux/ptrace.h>
++#include <linux/cpu.h>
+ #include <linux/smp.h>
+ #include <linux/stddef.h>
+ #include <linux/export.h>
+@@ -297,3 +298,9 @@ void cpu_probe(void)
+
+ cpu_report();
+ }
++
++ssize_t cpu_show_spectre_v1(struct device *dev,
++ struct device_attribute *attr, char *buf)
++{
++ return sysfs_emit(buf, "Mitigation: __user pointer sanitization\n");
++}
--- /dev/null
+From 22230e68b2cf1ab6b027be8cf1198164a949c4fa Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@nabladev.com>
+Date: Thu, 16 Apr 2026 01:09:45 +0200
+Subject: net: ks8851: Avoid excess softirq scheduling
+
+From: Marek Vasut <marex@nabladev.com>
+
+commit 22230e68b2cf1ab6b027be8cf1198164a949c4fa upstream.
+
+The code injects a packet into netif_rx() repeatedly, which will add
+it to its internal NAPI and schedule a softirq, and process it. It is
+more efficient to queue multiple packets and process them all at the
+local_bh_enable() time.
+
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Fixes: e0863634bf9f ("net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marek Vasut <marex@nabladev.com>
+Link: https://patch.msgid.link/20260415231020.455298-2-marex@nabladev.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/micrel/ks8851_common.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/micrel/ks8851_common.c
++++ b/drivers/net/ethernet/micrel/ks8851_common.c
+@@ -389,9 +389,12 @@ static irqreturn_t ks8851_irq(int irq, v
+ if (status & IRQ_LCI)
+ mii_check_link(&ks->mii);
+
+- if (status & IRQ_RXI)
++ if (status & IRQ_RXI) {
++ local_bh_disable();
+ while ((skb = __skb_dequeue(&rxq)))
+ netif_rx(skb);
++ local_bh_enable();
++ }
+
+ return IRQ_HANDLED;
+ }
--- /dev/null
+From 5c9fcac3c872224316714d0d8914d9af16c76a6d Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@nabladev.com>
+Date: Thu, 16 Apr 2026 01:09:44 +0200
+Subject: net: ks8851: Reinstate disabling of BHs around IRQ handler
+
+From: Marek Vasut <marex@nabladev.com>
+
+commit 5c9fcac3c872224316714d0d8914d9af16c76a6d upstream.
+
+If the driver executes ks8851_irq() AND a TX packet has been sent, then
+the driver enables TX queue via netif_wake_queue() which schedules TX
+softirq to queue packets for this device.
+
+If CONFIG_PREEMPT_RT=y is set AND a packet has also been received by
+the MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to
+allocate SKBs for the received packets. If netdev_alloc_skb_ip_align()
+is called with BH enabled, then local_bh_enable() at the end of
+netdev_alloc_skb_ip_align() will trigger the pending softirq processing,
+which may ultimately call the .xmit callback ks8851_start_xmit_par().
+The ks8851_start_xmit_par() will try to lock struct ks8851_net_par
+.lock spinlock, which is already locked by ks8851_irq() from which
+ks8851_start_xmit_par() was called. This leads to a deadlock, which
+is reported by the kernel, including a trace listed below.
+
+If CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0
+("net: ks8851: Fix deadlock with the SPI chip variant") the deadlock
+can also be triggered without received packet in the RX FIFO. The
+pending softirqs will be processed on return from
+spin_unlock_bh(&ks->statelock) in ks8851_irq(), which triggers the
+deadlock as well.
+
+Fix the problem by disabling BH around critical sections, including the
+IRQ handler, thus preventing the net_tx_action() softirq from triggering
+during these critical sections. The net_tx_action() softirq is triggered
+once BH are re-enabled and at the end of the IRQ handler, once all the
+other IRQ handler actions have been completed.
+
+ __schedule from schedule_rtlock+0x1c/0x34
+ schedule_rtlock from rtlock_slowlock_locked+0x548/0x904
+ rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c
+ rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8
+ ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44
+ netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188
+ dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c
+ sch_direct_xmit from __qdisc_run+0x1f8/0x4ec
+ __qdisc_run from qdisc_run+0x1c/0x28
+ qdisc_run from net_tx_action+0x1f0/0x268
+ net_tx_action from handle_softirqs+0x1a4/0x270
+ handle_softirqs from __local_bh_enable_ip+0xcc/0xe0
+ __local_bh_enable_ip from __alloc_skb+0xd8/0x128
+ __alloc_skb from __netdev_alloc_skb+0x3c/0x19c
+ __netdev_alloc_skb from ks8851_irq+0x388/0x4d4
+ ks8851_irq from irq_thread_fn+0x24/0x64
+ irq_thread_fn from irq_thread+0x178/0x28c
+ irq_thread from kthread+0x12c/0x138
+ kthread from ret_from_fork+0x14/0x28
+
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Fixes: e0863634bf9f ("net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marek Vasut <marex@nabladev.com>
+Link: https://patch.msgid.link/20260415231020.455298-1-marex@nabladev.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/micrel/ks8851.h | 6 --
+ drivers/net/ethernet/micrel/ks8851_common.c | 64 +++++++++++-----------------
+ drivers/net/ethernet/micrel/ks8851_par.c | 15 ++----
+ drivers/net/ethernet/micrel/ks8851_spi.c | 11 +---
+ 4 files changed, 38 insertions(+), 58 deletions(-)
+
+--- a/drivers/net/ethernet/micrel/ks8851.h
++++ b/drivers/net/ethernet/micrel/ks8851.h
+@@ -408,10 +408,8 @@ struct ks8851_net {
+ struct gpio_desc *gpio;
+ struct mii_bus *mii_bus;
+
+- void (*lock)(struct ks8851_net *ks,
+- unsigned long *flags);
+- void (*unlock)(struct ks8851_net *ks,
+- unsigned long *flags);
++ void (*lock)(struct ks8851_net *ks);
++ void (*unlock)(struct ks8851_net *ks);
+ unsigned int (*rdreg16)(struct ks8851_net *ks,
+ unsigned int reg);
+ void (*wrreg16)(struct ks8851_net *ks,
+--- a/drivers/net/ethernet/micrel/ks8851_common.c
++++ b/drivers/net/ethernet/micrel/ks8851_common.c
+@@ -28,25 +28,23 @@
+ /**
+ * ks8851_lock - register access lock
+ * @ks: The chip state
+- * @flags: Spinlock flags
+ *
+ * Claim chip register access lock
+ */
+-static void ks8851_lock(struct ks8851_net *ks, unsigned long *flags)
++static void ks8851_lock(struct ks8851_net *ks)
+ {
+- ks->lock(ks, flags);
++ ks->lock(ks);
+ }
+
+ /**
+ * ks8851_unlock - register access unlock
+ * @ks: The chip state
+- * @flags: Spinlock flags
+ *
+ * Release chip register access lock
+ */
+-static void ks8851_unlock(struct ks8851_net *ks, unsigned long *flags)
++static void ks8851_unlock(struct ks8851_net *ks)
+ {
+- ks->unlock(ks, flags);
++ ks->unlock(ks);
+ }
+
+ /**
+@@ -129,11 +127,10 @@ static void ks8851_set_powermode(struct
+ static int ks8851_write_mac_addr(struct net_device *dev)
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+- unsigned long flags;
+ u16 val;
+ int i;
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+
+ /*
+ * Wake up chip in case it was powered off when stopped; otherwise,
+@@ -149,7 +146,7 @@ static int ks8851_write_mac_addr(struct
+ if (!netif_running(dev))
+ ks8851_set_powermode(ks, PMECR_PM_SOFTDOWN);
+
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+
+ return 0;
+ }
+@@ -163,12 +160,11 @@ static int ks8851_write_mac_addr(struct
+ static void ks8851_read_mac_addr(struct net_device *dev)
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+- unsigned long flags;
+ u8 addr[ETH_ALEN];
+ u16 reg;
+ int i;
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+
+ for (i = 0; i < ETH_ALEN; i += 2) {
+ reg = ks8851_rdreg16(ks, KS_MAR(i));
+@@ -177,7 +173,7 @@ static void ks8851_read_mac_addr(struct
+ }
+ eth_hw_addr_set(dev, addr);
+
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+ }
+
+ /**
+@@ -328,11 +324,10 @@ static irqreturn_t ks8851_irq(int irq, v
+ {
+ struct ks8851_net *ks = _ks;
+ struct sk_buff_head rxq;
+- unsigned long flags;
+ unsigned int status;
+ struct sk_buff *skb;
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+
+ status = ks8851_rdreg16(ks, KS_ISR);
+ ks8851_wrreg16(ks, KS_ISR, status);
+@@ -389,7 +384,7 @@ static irqreturn_t ks8851_irq(int irq, v
+ ks8851_wrreg16(ks, KS_RXCR1, rxc->rxcr1);
+ }
+
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+
+ if (status & IRQ_LCI)
+ mii_check_link(&ks->mii);
+@@ -421,7 +416,6 @@ static void ks8851_flush_tx_work(struct
+ static int ks8851_net_open(struct net_device *dev)
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+- unsigned long flags;
+ int ret;
+
+ ret = request_threaded_irq(dev->irq, NULL, ks8851_irq,
+@@ -434,7 +428,7 @@ static int ks8851_net_open(struct net_de
+
+ /* lock the card, even if we may not actually be doing anything
+ * else at the moment */
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+
+ netif_dbg(ks, ifup, ks->netdev, "opening\n");
+
+@@ -487,7 +481,7 @@ static int ks8851_net_open(struct net_de
+
+ netif_dbg(ks, ifup, ks->netdev, "network device up\n");
+
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+ mii_check_link(&ks->mii);
+ return 0;
+ }
+@@ -503,23 +497,22 @@ static int ks8851_net_open(struct net_de
+ static int ks8851_net_stop(struct net_device *dev)
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+- unsigned long flags;
+
+ netif_info(ks, ifdown, dev, "shutting down\n");
+
+ netif_stop_queue(dev);
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+ /* turn off the IRQs and ack any outstanding */
+ ks8851_wrreg16(ks, KS_IER, 0x0000);
+ ks8851_wrreg16(ks, KS_ISR, 0xffff);
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+
+ /* stop any outstanding work */
+ ks8851_flush_tx_work(ks);
+ flush_work(&ks->rxctrl_work);
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+ /* shutdown RX process */
+ ks8851_wrreg16(ks, KS_RXCR1, 0x0000);
+
+@@ -528,7 +521,7 @@ static int ks8851_net_stop(struct net_de
+
+ /* set powermode to soft power down to save power */
+ ks8851_set_powermode(ks, PMECR_PM_SOFTDOWN);
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+
+ /* ensure any queued tx buffers are dumped */
+ while (!skb_queue_empty(&ks->txq)) {
+@@ -582,14 +575,13 @@ static netdev_tx_t ks8851_start_xmit(str
+ static void ks8851_rxctrl_work(struct work_struct *work)
+ {
+ struct ks8851_net *ks = container_of(work, struct ks8851_net, rxctrl_work);
+- unsigned long flags;
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+
+ /* need to shutdown RXQ before modifying filter parameters */
+ ks8851_wrreg16(ks, KS_RXCR1, 0x00);
+
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+ }
+
+ static void ks8851_set_rx_mode(struct net_device *dev)
+@@ -796,7 +788,6 @@ static int ks8851_set_eeprom(struct net_
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+ int offset = ee->offset;
+- unsigned long flags;
+ int len = ee->len;
+ u16 tmp;
+
+@@ -810,7 +801,7 @@ static int ks8851_set_eeprom(struct net_
+ if (!(ks->rc_ccr & CCR_EEPROM))
+ return -ENOENT;
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+
+ ks8851_eeprom_claim(ks);
+
+@@ -833,7 +824,7 @@ static int ks8851_set_eeprom(struct net_
+ eeprom_93cx6_wren(&ks->eeprom, false);
+
+ ks8851_eeprom_release(ks);
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+
+ return 0;
+ }
+@@ -843,7 +834,6 @@ static int ks8851_get_eeprom(struct net_
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+ int offset = ee->offset;
+- unsigned long flags;
+ int len = ee->len;
+
+ /* must be 2 byte aligned */
+@@ -853,7 +843,7 @@ static int ks8851_get_eeprom(struct net_
+ if (!(ks->rc_ccr & CCR_EEPROM))
+ return -ENOENT;
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+
+ ks8851_eeprom_claim(ks);
+
+@@ -861,7 +851,7 @@ static int ks8851_get_eeprom(struct net_
+
+ eeprom_93cx6_multiread(&ks->eeprom, offset/2, (__le16 *)data, len/2);
+ ks8851_eeprom_release(ks);
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+
+ return 0;
+ }
+@@ -920,7 +910,6 @@ static int ks8851_phy_reg(int reg)
+ static int ks8851_phy_read_common(struct net_device *dev, int phy_addr, int reg)
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+- unsigned long flags;
+ int result;
+ int ksreg;
+
+@@ -928,9 +917,9 @@ static int ks8851_phy_read_common(struct
+ if (ksreg < 0)
+ return ksreg;
+
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+ result = ks8851_rdreg16(ks, ksreg);
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+
+ return result;
+ }
+@@ -965,14 +954,13 @@ static void ks8851_phy_write(struct net_
+ int phy, int reg, int value)
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+- unsigned long flags;
+ int ksreg;
+
+ ksreg = ks8851_phy_reg(reg);
+ if (ksreg >= 0) {
+- ks8851_lock(ks, &flags);
++ ks8851_lock(ks);
+ ks8851_wrreg16(ks, ksreg, value);
+- ks8851_unlock(ks, &flags);
++ ks8851_unlock(ks);
+ }
+ }
+
+--- a/drivers/net/ethernet/micrel/ks8851_par.c
++++ b/drivers/net/ethernet/micrel/ks8851_par.c
+@@ -55,29 +55,27 @@ struct ks8851_net_par {
+ /**
+ * ks8851_lock_par - register access lock
+ * @ks: The chip state
+- * @flags: Spinlock flags
+ *
+ * Claim chip register access lock
+ */
+-static void ks8851_lock_par(struct ks8851_net *ks, unsigned long *flags)
++static void ks8851_lock_par(struct ks8851_net *ks)
+ {
+ struct ks8851_net_par *ksp = to_ks8851_par(ks);
+
+- spin_lock_irqsave(&ksp->lock, *flags);
++ spin_lock_bh(&ksp->lock);
+ }
+
+ /**
+ * ks8851_unlock_par - register access unlock
+ * @ks: The chip state
+- * @flags: Spinlock flags
+ *
+ * Release chip register access lock
+ */
+-static void ks8851_unlock_par(struct ks8851_net *ks, unsigned long *flags)
++static void ks8851_unlock_par(struct ks8851_net *ks)
+ {
+ struct ks8851_net_par *ksp = to_ks8851_par(ks);
+
+- spin_unlock_irqrestore(&ksp->lock, *flags);
++ spin_unlock_bh(&ksp->lock);
+ }
+
+ /**
+@@ -233,7 +231,6 @@ static netdev_tx_t ks8851_start_xmit_par
+ {
+ struct ks8851_net *ks = netdev_priv(dev);
+ netdev_tx_t ret = NETDEV_TX_OK;
+- unsigned long flags;
+ unsigned int txqcr;
+ u16 txmir;
+ int err;
+@@ -241,7 +238,7 @@ static netdev_tx_t ks8851_start_xmit_par
+ netif_dbg(ks, tx_queued, ks->netdev,
+ "%s: skb %p, %d@%p\n", __func__, skb, skb->len, skb->data);
+
+- ks8851_lock_par(ks, &flags);
++ ks8851_lock_par(ks);
+
+ txmir = ks8851_rdreg16_par(ks, KS_TXMIR) & 0x1fff;
+
+@@ -262,7 +259,7 @@ static netdev_tx_t ks8851_start_xmit_par
+ ret = NETDEV_TX_BUSY;
+ }
+
+- ks8851_unlock_par(ks, &flags);
++ ks8851_unlock_par(ks);
+
+ return ret;
+ }
+--- a/drivers/net/ethernet/micrel/ks8851_spi.c
++++ b/drivers/net/ethernet/micrel/ks8851_spi.c
+@@ -73,11 +73,10 @@ struct ks8851_net_spi {
+ /**
+ * ks8851_lock_spi - register access lock
+ * @ks: The chip state
+- * @flags: Spinlock flags
+ *
+ * Claim chip register access lock
+ */
+-static void ks8851_lock_spi(struct ks8851_net *ks, unsigned long *flags)
++static void ks8851_lock_spi(struct ks8851_net *ks)
+ {
+ struct ks8851_net_spi *kss = to_ks8851_spi(ks);
+
+@@ -87,11 +86,10 @@ static void ks8851_lock_spi(struct ks885
+ /**
+ * ks8851_unlock_spi - register access unlock
+ * @ks: The chip state
+- * @flags: Spinlock flags
+ *
+ * Release chip register access lock
+ */
+-static void ks8851_unlock_spi(struct ks8851_net *ks, unsigned long *flags)
++static void ks8851_unlock_spi(struct ks8851_net *ks)
+ {
+ struct ks8851_net_spi *kss = to_ks8851_spi(ks);
+
+@@ -311,7 +309,6 @@ static void ks8851_tx_work(struct work_s
+ struct ks8851_net_spi *kss;
+ unsigned short tx_space;
+ struct ks8851_net *ks;
+- unsigned long flags;
+ struct sk_buff *txb;
+ bool last;
+
+@@ -319,7 +316,7 @@ static void ks8851_tx_work(struct work_s
+ ks = &kss->ks8851;
+ last = skb_queue_empty(&ks->txq);
+
+- ks8851_lock_spi(ks, &flags);
++ ks8851_lock_spi(ks);
+
+ while (!last) {
+ txb = skb_dequeue(&ks->txq);
+@@ -345,7 +342,7 @@ static void ks8851_tx_work(struct work_s
+ ks->tx_space = tx_space;
+ spin_unlock_bh(&ks->statelock);
+
+- ks8851_unlock_spi(ks, &flags);
++ ks8851_unlock_spi(ks);
+ }
+
+ /**
--- /dev/null
+From 8141a2dc70080eda1aedc0389ed2db2b292af5bd Mon Sep 17 00:00:00 2001
+From: Ao Zhou <draw51280@163.com>
+Date: Wed, 22 Apr 2026 22:52:07 +0800
+Subject: net: rds: fix MR cleanup on copy error
+
+From: Ao Zhou <draw51280@163.com>
+
+commit 8141a2dc70080eda1aedc0389ed2db2b292af5bd upstream.
+
+__rds_rdma_map() hands sg/pages ownership to the transport after
+get_mr() succeeds. If copying the generated cookie back to user space
+fails after that point, the error path must not free those resources
+again before dropping the MR reference.
+
+Remove the duplicate unpin/free from the put_user() failure branch so
+that MR teardown is handled only through the existing final cleanup
+path.
+
+Fixes: 0d4597c8c5ab ("net/rds: Track user mapped pages through special API")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Ao Zhou <draw51280@163.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Allison Henderson <achender@kernel.org>
+Link: https://patch.msgid.link/79c8ef73ec8e5844d71038983940cc2943099baf.1776764247.git.draw51280@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/rdma.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -326,10 +326,6 @@ static int __rds_rdma_map(struct rds_soc
+
+ if (args->cookie_addr &&
+ put_user(cookie, (u64 __user *)(unsigned long)args->cookie_addr)) {
+- if (!need_odp) {
+- unpin_user_pages(pages, nr_pages);
+- kfree(sg);
+- }
+ ret = -EFAULT;
+ goto out;
+ }
--- /dev/null
+From 5a8db80f721deee8e916c2cfdee78decda02ce4f Mon Sep 17 00:00:00 2001
+From: Ruijie Li <ruijieli51@gmail.com>
+Date: Wed, 22 Apr 2026 23:40:18 +0800
+Subject: net/smc: avoid early lgr access in smc_clc_wait_msg
+
+From: Ruijie Li <ruijieli51@gmail.com>
+
+commit 5a8db80f721deee8e916c2cfdee78decda02ce4f upstream.
+
+A CLC decline can be received while the handshake is still in an early
+stage, before the connection has been associated with a link group.
+
+The decline handling in smc_clc_wait_msg() updates link-group level sync
+state for first-contact declines, but that state only exists after link
+group setup has completed. Guard the link-group update accordingly and
+keep the per-socket peer diagnosis handling unchanged.
+
+This preserves the existing sync_err handling for established link-group
+contexts and avoids touching link-group state before it is available.
+
+Fixes: 0cfdd8f92cac ("smc: connection and link group creation")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Ruijie Li <ruijieli51@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
+Link: https://patch.msgid.link/08c68a5c817acf198cce63d22517e232e8d60718.1776850759.git.ruijieli51@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/smc_clc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/smc/smc_clc.c
++++ b/net/smc/smc_clc.c
+@@ -764,8 +764,8 @@ int smc_clc_wait_msg(struct smc_sock *sm
+ dclc = (struct smc_clc_msg_decline *)clcm;
+ reason_code = SMC_CLC_DECL_PEERDECL;
+ smc->peer_diagnosis = ntohl(dclc->peer_diagnosis);
+- if (((struct smc_clc_msg_decline *)buf)->hdr.typev2 &
+- SMC_FIRST_CONTACT_MASK) {
++ if ((dclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK) &&
++ smc->conn.lgr) {
+ smc->conn.lgr->sync_err = 1;
+ smc_lgr_terminate_sched(smc->conn.lgr);
+ }
--- /dev/null
+From 658342fd75b582cbb06544d513171c3d645faead Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Date: Fri, 20 Feb 2026 18:49:39 +0100
+Subject: power: supply: axp288_charger: Do not cancel work before initializing it
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+
+commit 658342fd75b582cbb06544d513171c3d645faead upstream.
+
+Driver registered devm handler to cancel_work_sync() before even the
+work was initialized, thus leading to possible warning from
+kernel/workqueue.c on (!work->func) check, if the error path was hit
+before the initialization happened.
+
+Use devm_work_autocancel() on each work item independently, which
+handles the initialization and handler to cancel work.
+
+Fixes: 165c2357744e ("power: supply: axp288_charger: Properly stop work on probe-error / remove")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
+Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
+Reviewed-by: Chen-Yu Tsai <wens@kernel.org>
+Link: https://patch.msgid.link/20260220174938.672883-5-krzysztof.kozlowski@oss.qualcomm.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/axp288_charger.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+--- a/drivers/power/supply/axp288_charger.c
++++ b/drivers/power/supply/axp288_charger.c
+@@ -10,6 +10,7 @@
+ #include <linux/acpi.h>
+ #include <linux/bitops.h>
+ #include <linux/module.h>
++#include <linux/devm-helpers.h>
+ #include <linux/device.h>
+ #include <linux/regmap.h>
+ #include <linux/workqueue.h>
+@@ -821,14 +822,6 @@ static int charger_init_hw_regs(struct a
+ return 0;
+ }
+
+-static void axp288_charger_cancel_work(void *data)
+-{
+- struct axp288_chrg_info *info = data;
+-
+- cancel_work_sync(&info->otg.work);
+- cancel_work_sync(&info->cable.work);
+-}
+-
+ static int axp288_charger_probe(struct platform_device *pdev)
+ {
+ int ret, i, pirq;
+@@ -900,12 +893,12 @@ static int axp288_charger_probe(struct p
+ }
+
+ /* Cancel our work on cleanup, register this before the notifiers */
+- ret = devm_add_action(dev, axp288_charger_cancel_work, info);
++ ret = devm_work_autocancel(dev, &info->cable.work,
++ axp288_charger_extcon_evt_worker);
+ if (ret)
+ return ret;
+
+ /* Register for extcon notification */
+- INIT_WORK(&info->cable.work, axp288_charger_extcon_evt_worker);
+ info->cable.nb.notifier_call = axp288_charger_handle_cable_evt;
+ ret = devm_extcon_register_notifier_all(dev, info->cable.edev,
+ &info->cable.nb);
+@@ -915,8 +908,12 @@ static int axp288_charger_probe(struct p
+ }
+ schedule_work(&info->cable.work);
+
++ ret = devm_work_autocancel(dev, &info->otg.work,
++ axp288_charger_otg_evt_worker);
++ if (ret)
++ return ret;
++
+ /* Register for OTG notification */
+- INIT_WORK(&info->otg.work, axp288_charger_otg_evt_worker);
+ info->otg.id_nb.notifier_call = axp288_charger_handle_otg_evt;
+ if (info->otg.cable) {
+ ret = devm_extcon_register_notifier(dev, info->otg.cable,
--- /dev/null
+From 7244491dab347f648e661da96dc0febadd9daec3 Mon Sep 17 00:00:00 2001
+From: hkbinbin <hkbinbinbin@gmail.com>
+Date: Wed, 1 Apr 2026 12:19:07 +0000
+Subject: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
+
+From: hkbinbin <hkbinbinbin@gmail.com>
+
+commit 7244491dab347f648e661da96dc0febadd9daec3 upstream.
+
+rxe_rcv() currently checks only that the incoming packet is at least
+header_size(pkt) bytes long before payload_size() is used.
+
+However, payload_size() subtracts both the attacker-controlled BTH pad
+field and RXE_ICRC_SIZE from pkt->paylen:
+
+ payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)
+ - RXE_ICRC_SIZE
+
+This means a short packet can still make payload_size() underflow even
+if it includes enough bytes for the fixed headers. Simply requiring
+header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a
+packet with a forged non-zero BTH pad can still leave payload_size()
+negative and pass an underflowed value to later receive-path users.
+
+Fix this by validating pkt->paylen against the full minimum length
+required by payload_size(): header_size(pkt) + bth_pad(pkt) +
+RXE_ICRC_SIZE.
+
+Cc: stable@vger.kernel.org
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://patch.msgid.link/r/20260401121907.1468366-1-hkbinbinbin@gmail.com
+Signed-off-by: hkbinbin <hkbinbinbin@gmail.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/sw/rxe/rxe_recv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_recv.c
++++ b/drivers/infiniband/sw/rxe/rxe_recv.c
+@@ -322,7 +322,8 @@ void rxe_rcv(struct sk_buff *skb)
+ pkt->qp = NULL;
+ pkt->mask |= rxe_opcode[pkt->opcode].mask;
+
+- if (unlikely(skb->len < header_size(pkt)))
++ if (unlikely(pkt->paylen < header_size(pkt) + bth_pad(pkt) +
++ RXE_ICRC_SIZE))
+ goto drop;
+
+ err = hdr_check(pkt);
alsa-6fire-fix-input-volume-change-detection.patch
iio-adc-ad7768-1-fix-one-shot-mode-data-acquisition.patch
tools-accounting-handle-truncated-taskstats-netlink-messages.patch
+net-rds-fix-mr-cleanup-on-copy-error.patch
+net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch
+net-ks8851-reinstate-disabling-of-bhs-around-irq-handler.patch
+net-ks8851-avoid-excess-softirq-scheduling.patch
+drm-arcpgu-fix-device-node-leak.patch
+rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch
+ipv4-icmp-validate-reply-type-before-using-icmp_pointers.patch
+libceph-prevent-potential-null-ptr-deref-in-ceph_handle_auth_reply.patch
+extract-cert-wrap-key_pass-with-ifdef-use_pkcs11_engine.patch
+tpm-avoid-wunused-but-set-variable.patch
+loongarch-show-cpu-vulnerabilites-correctly.patch
+power-supply-axp288_charger-do-not-cancel-work-before-initializing-it.patch
--- /dev/null
+From 6f1d4d2ecfcd1b577dc87350ea965fe81f272e83 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 22 Mar 2024 14:22:48 +0100
+Subject: tpm: avoid -Wunused-but-set-variable
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 6f1d4d2ecfcd1b577dc87350ea965fe81f272e83 upstream.
+
+Outside of the EFI tpm code, the TPM_MEMREMAP()/TPM_MEMUNMAP functions are
+defined as trivial macros, leading to the mapping_size variable ending
+up unused:
+
+In file included from drivers/char/tpm/tpm-sysfs.c:16:
+In file included from drivers/char/tpm/tpm.h:28:
+include/linux/tpm_eventlog.h:167:6: error: variable 'mapping_size' set but not used [-Werror,-Wunused-but-set-variable]
+ 167 | int mapping_size;
+
+Turn the stubs into inline functions to avoid this warning.
+
+Cc: stable@vger.kernel.org # v5.3+
+Fixes: c46f3405692d ("tpm: Reserve the TPM final events table")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Thorsten Blum <thorsten.blum@linux.dev>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/tpm_eventlog.h | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/include/linux/tpm_eventlog.h
++++ b/include/linux/tpm_eventlog.h
+@@ -131,11 +131,16 @@ struct tcg_algorithm_info {
+ };
+
+ #ifndef TPM_MEMREMAP
+-#define TPM_MEMREMAP(start, size) NULL
++static inline void *TPM_MEMREMAP(unsigned long start, size_t size)
++{
++ return NULL;
++}
+ #endif
+
+ #ifndef TPM_MEMUNMAP
+-#define TPM_MEMUNMAP(start, size) do{} while(0)
++static inline void TPM_MEMUNMAP(void *mapping, size_t size)
++{
++}
+ #endif
+
+ /**
projects / thirdparty / kernel / stable-queue.git / commitdiff
