--- /dev/null
+From stable+bounces-196499-greg=kroah.com@vger.kernel.org Fri Nov 21 16:20:41 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Nov 2025 10:11:40 -0500
+Subject: crash: fix crashkernel resource shrink
+To: stable@vger.kernel.org
+Cc: Sourabh Jain <sourabhjain@linux.ibm.com>, Baoquan He <bhe@redhat.com>, Zhen Lei <thunder.leizhen@huawei.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251121151140.2560469-1-sashal@kernel.org>
+
+From: Sourabh Jain <sourabhjain@linux.ibm.com>
+
+[ Upstream commit 00fbff75c5acb4755f06f08bd1071879c63940c5 ]
+
+When crashkernel is configured with a high reservation, shrinking its
+value below the low crashkernel reservation causes two issues:
+
+1. Invalid crashkernel resource objects
+2. Kernel crash if crashkernel shrinking is done twice
+
+For example, with crashkernel=200M,high, the kernel reserves 200MB of high
+memory and some default low memory (say 256MB). The reservation appears
+as:
+
+cat /proc/iomem | grep -i crash
+af000000-beffffff : Crash kernel
+433000000-43f7fffff : Crash kernel
+
+If crashkernel is then shrunk to 50MB (echo 52428800 >
+/sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved:
+af000000-beffffff : Crash kernel
+
+Instead, it should show 50MB:
+af000000-b21fffff : Crash kernel
+
+Further shrinking crashkernel to 40MB causes a kernel crash with the
+following trace (x86):
+
+BUG: kernel NULL pointer dereference, address: 0000000000000038
+PGD 0 P4D 0
+Oops: 0000 [#1] PREEMPT SMP NOPTI
+<snip...>
+Call Trace: <TASK>
+? __die_body.cold+0x19/0x27
+? page_fault_oops+0x15a/0x2f0
+? search_module_extables+0x19/0x60
+? search_bpf_extables+0x5f/0x80
+? exc_page_fault+0x7e/0x180
+? asm_exc_page_fault+0x26/0x30
+? __release_resource+0xd/0xb0
+release_resource+0x26/0x40
+__crash_shrink_memory+0xe5/0x110
+crash_shrink_memory+0x12a/0x190
+kexec_crash_size_store+0x41/0x80
+kernfs_fop_write_iter+0x141/0x1f0
+vfs_write+0x294/0x460
+ksys_write+0x6d/0xf0
+<snip...>
+
+This happens because __crash_shrink_memory()/kernel/crash_core.c
+incorrectly updates the crashk_res resource object even when
+crashk_low_res should be updated.
+
+Fix this by ensuring the correct crashkernel resource object is updated
+when shrinking crashkernel memory.
+
+Link: https://lkml.kernel.org/r/20251101193741.289252-1-sourabhjain@linux.ibm.com
+Fixes: 16c6006af4d4 ("kexec: enable kexec_crash_size to support two crash kernel regions")
+Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
+Acked-by: Baoquan He <bhe@redhat.com>
+Cc: Zhen Lei <thunder.leizhen@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+[ Applied fix to `kernel/kexec_core.c` instead of `kernel/crash_core.c` ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kexec_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/kexec_core.c
++++ b/kernel/kexec_core.c
+@@ -1132,7 +1132,7 @@ static int __crash_shrink_memory(struct
+ old_res->start = 0;
+ old_res->end = 0;
+ } else {
+- crashk_res.end = ram_res->start - 1;
++ old_res->end = ram_res->start - 1;
+ }
+
+ crash_free_reserved_phys_range(ram_res->start, ram_res->end);
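Review bot: nothing in this hunk says which of the two crash resources old_res may point at, which is how the direct crashk_res reference in the else branch went unnoticed. Add a short comment above `old_res->end = ram_res->start - 1;` noting that old_res can be crashk_low_res as well as crashk_res. A regression test that shrinks twice through /sys/kernel/kexec_crash_size, as in the changelog, would also be worth adding.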
--- /dev/null
+From stable+bounces-196504-greg=kroah.com@vger.kernel.org Fri Nov 21 16:28:53 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Nov 2025 10:20:00 -0500
+Subject: ftrace: Fix BPF fexit with livepatch
+To: stable@vger.kernel.org
+Cc: Song Liu <song@kernel.org>, Andrey Grodzovsky <andrey.grodzovsky@crowdstrike.com>, "Steven Rostedt (Google)" <rostedt@goodmis.org>, "Masami Hiramatsu (Google)" <mhiramat@kernel.org>, Jiri Olsa <jolsa@kernel.org>, Alexei Starovoitov <ast@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251121152000.2567643-1-sashal@kernel.org>
+
+From: Song Liu <song@kernel.org>
+
+[ Upstream commit 56b3c85e153b84f27e6cff39623ba40a1ad299d3 ]
+
+When livepatch is attached to the same function as bpf trampoline with
+a fexit program, bpf trampoline code calls register_ftrace_direct()
+twice. The first time will fail with -EAGAIN, and the second time it
+will succeed. This requires register_ftrace_direct() to unregister
+the address on the first attempt. Otherwise, the bpf trampoline cannot
+attach. Here is an easy way to reproduce this issue:
+
+ insmod samples/livepatch/livepatch-sample.ko
+ bpftrace -e 'fexit:cmdline_proc_show {}'
+ ERROR: Unable to attach probe: fexit:vmlinux:cmdline_proc_show...
+
+Fix this by cleaning up the hash when register_ftrace_function_nolock hits
+errors.
+
+Also, move the code that resets ops->func and ops->trampoline to the error
+path of register_ftrace_direct(); and add a helper function reset_direct()
+in register_ftrace_direct() and unregister_ftrace_direct().
+
+Fixes: d05cb470663a ("ftrace: Fix modification of direct_function hash while in use")
+Cc: stable@vger.kernel.org # v6.6+
+Reported-by: Andrey Grodzovsky <andrey.grodzovsky@crowdstrike.com>
+Closes: https://lore.kernel.org/live-patching/c5058315a39d4615b333e485893345be@crowdstrike.com/
+Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
+Cc: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Acked-and-tested-by: Andrey Grodzovsky <andrey.grodzovsky@crowdstrike.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Reviewed-by: Jiri Olsa <jolsa@kernel.org>
+Link: https://lore.kernel.org/r/20251027175023.1521602-2-song@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+[ moved cleanup to reset_direct() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/trampoline.c | 4 ----
+ kernel/trace/ftrace.c | 20 ++++++++++++++------
+ 2 files changed, 14 insertions(+), 10 deletions(-)
+
+--- a/kernel/bpf/trampoline.c
++++ b/kernel/bpf/trampoline.c
+@@ -460,10 +460,6 @@ again:
+ * BPF_TRAMP_F_SHARE_IPMODIFY is set, we can generate the
+ * trampoline again, and retry register.
+ */
+- /* reset fops->func and fops->trampoline for re-register */
+- tr->fops->func = NULL;
+- tr->fops->trampoline = 0;
+-
+ /* reset im->image memory attr for arch_prepare_bpf_trampoline */
+ set_memory_nx((long)im->image, 1);
+ set_memory_rw((long)im->image, 1);
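Review bot: with the two resets removed, the retained comment ending "and retry register" no longer shows what makes the retry safe. Mention there that register_ftrace_direct() now clears ops->func and ops->trampoline on failure, so the dependency on the ftrace side stays visible in trampoline.c.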
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -5370,6 +5370,17 @@ static void remove_direct_functions_hash
+ }
+ }
+
++static void reset_direct(struct ftrace_ops *ops, unsigned long addr)
++{
++ struct ftrace_hash *hash = ops->func_hash->filter_hash;
++
++ remove_direct_functions_hash(hash, addr);
++
++ /* cleanup for possible another register call */
++ ops->func = NULL;
++ ops->trampoline = 0;
++}
++
+ /**
+ * register_ftrace_direct - Call a custom trampoline directly
+ * for multiple functions registered in @ops
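Review bot: reset_direct() edits the direct-functions hash and the ops fields but does not state its locking requirement, although both call sites in this patch invoke it before mutex_unlock(&direct_mutex). Add `lockdep_assert_held(&direct_mutex);` at the top, or at least a comment saying the mutex must be held. The moved comment would also read better as "cleanup for a possible later register call".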
+@@ -5465,6 +5476,8 @@ int register_ftrace_direct(struct ftrace
+ ops->direct_call = addr;
+
+ err = register_ftrace_function_nolock(ops);
++ if (err)
++ reset_direct(ops, addr);
+
+ out_unlock:
+ mutex_unlock(&direct_mutex);
+@@ -5497,7 +5510,6 @@ EXPORT_SYMBOL_GPL(register_ftrace_direct
+ int unregister_ftrace_direct(struct ftrace_ops *ops, unsigned long addr,
+ bool free_filters)
+ {
+- struct ftrace_hash *hash = ops->func_hash->filter_hash;
+ int err;
+
+ if (check_direct_multi(ops))
+@@ -5507,13 +5519,9 @@ int unregister_ftrace_direct(struct ftra
+
+ mutex_lock(&direct_mutex);
+ err = unregister_ftrace_function(ops);
+- remove_direct_functions_hash(hash, addr);
++ reset_direct(ops, addr);
+ mutex_unlock(&direct_mutex);
+
+- /* cleanup for possible another register call */
+- ops->func = NULL;
+- ops->trampoline = 0;
+-
+ if (free_filters)
+ ftrace_free_filter(ops);
+ return err;
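Review bot: in unregister_ftrace_direct() the reset of ops->func and ops->trampoline used to run after mutex_unlock(&direct_mutex) and now runs before it, inside reset_direct(). The changelog mentions the helper but not this ordering change; state it explicitly. The return value of unregister_ftrace_function() is also still ignored before the hash entry is removed, so if that is deliberate a comment next to `reset_direct(ops, addr);` would help.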
--- /dev/null
+From stable+bounces-196754-greg=kroah.com@vger.kernel.org Mon Nov 24 15:56:48 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 09:54:31 -0500
+Subject: HID: amd_sfh: Stop sensor before starting
+To: stable@vger.kernel.org
+Cc: "Mario Limonciello (AMD)" <superm1@kernel.org>, Titas <novatitas366@gmail.com>, Jiri Kosina <jkosina@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124145431.4116539-1-sashal@kernel.org>
+
+From: "Mario Limonciello (AMD)" <superm1@kernel.org>
+
+[ Upstream commit 4d3a13afa8b64dc49293b3eab3e7beac11072c12 ]
+
+Titas reports that the accelerometer sensor on their laptop only
+works after a warm boot or unloading/reloading the amd-sfh kernel
+module.
+
+Presumably the sensor is in a bad state on cold boot and failing to
+start, so explicitly stop it before starting.
+
+Cc: stable@vger.kernel.org
+Fixes: 93ce5e0231d79 ("HID: amd_sfh: Implement SFH1.1 functionality")
+Reported-by: Titas <novatitas366@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220670
+Tested-by: Titas <novatitas366@gmail.com>
+Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
++++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
+@@ -163,6 +163,8 @@ static int amd_sfh1_1_hid_client_init(st
+ if (rc)
+ goto cleanup;
+
++ mp2_ops->stop(privdata, cl_data->sensor_idx[i]);
++ amd_sfh_wait_for_response(privdata, cl_data->sensor_idx[i], DISABLE_SENSOR);
+ writel(0, privdata->mmio + AMD_P2C_MSG(0));
+ mp2_ops->start(privdata, info);
+ status = amd_sfh_wait_for_response
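Review bot: the result of `amd_sfh_wait_for_response(privdata, cl_data->sensor_idx[i], DISABLE_SENSOR)` is discarded, while the start path just below stores its response in status. If ignoring it is intentional because the sensor may not be running on cold boot, add a comment saying so; otherwise log a failed stop so a sensor stuck in a bad state is visible in the kernel log. The changelog says "presumably", so a comment recording that the stop is a workaround rather than a documented requirement would also be useful.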
--- /dev/null
+From 103e17aac09cdd358133f9e00998b75d6c1f1518 Mon Sep 17 00:00:00 2001
+From: Sebastian Ene <sebastianene@google.com>
+Date: Fri, 17 Oct 2025 07:57:10 +0000
+Subject: KVM: arm64: Check the untrusted offset in FF-A memory share
+
+From: Sebastian Ene <sebastianene@google.com>
+
+commit 103e17aac09cdd358133f9e00998b75d6c1f1518 upstream.
+
+Verify the offset to prevent OOB access in the hypervisor
+FF-A buffer in case an untrusted large enough value
+[U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX]
+is set from the host kernel.
+
+Signed-off-by: Sebastian Ene <sebastianene@google.com>
+Acked-by: Will Deacon <will@kernel.org>
+Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kvm/hyp/nvhe/ffa.c
++++ b/arch/arm64/kvm/hyp/nvhe/ffa.c
+@@ -425,7 +425,7 @@ static void __do_ffa_mem_xfer(const u64
+ DECLARE_REG(u32, npages_mbz, ctxt, 4);
+ struct ffa_composite_mem_region *reg;
+ struct ffa_mem_region *buf;
+- u32 offset, nr_ranges;
++ u32 offset, nr_ranges, checked_offset;
+ int ret = 0;
+
+ if (addr_mbz || npages_mbz || fraglen > len ||
+@@ -460,7 +460,12 @@ static void __do_ffa_mem_xfer(const u64
+ goto out_unlock;
+ }
+
+- if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) {
++ if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) {
++ ret = FFA_RET_INVALID_PARAMETERS;
++ goto out_unlock;
++ }
++
++ if (fraglen < checked_offset) {
+ ret = FFA_RET_INVALID_PARAMETERS;
+ goto out_unlock;
+ }
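Review bot: the two new tests return the same FFA_RET_INVALID_PARAMETERS and can be a single condition, `if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset) || fraglen < checked_offset)`, which keeps the bound check in one place. checked_offset holds the end of the composite region rather than an offset to it, so a name such as reg_end would read better. A one-line comment that offset is supplied by the untrusted host would document why the overflow check exists.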
--- /dev/null
+From 91a54090026f84ceffaa12ac53c99b9f162946f6 Mon Sep 17 00:00:00 2001
+From: Martin Kaiser <martin@kaiser.cx>
+Date: Thu, 30 Oct 2025 16:55:05 +0100
+Subject: maple_tree: fix tracepoint string pointers
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+commit 91a54090026f84ceffaa12ac53c99b9f162946f6 upstream.
+
+maple_tree tracepoints contain pointers to function names. Such a pointer
+is saved when a tracepoint logs an event. There's no guarantee that it's
+still valid when the event is parsed later and the pointer is dereferenced.
+
+The kernel warns about these unsafe pointers.
+
+ event 'ma_read' has unsafe pointer field 'fn'
+ WARNING: kernel/trace/trace.c:3779 at ignore_event+0x1da/0x1e4
+
+Mark the function names as tracepoint_string() to fix the events.
+
+One case that doesn't work without my patch would be trace-cmd record
+to save the binary ringbuffer and trace-cmd report to parse it in
+userspace. The address of __func__ can't be dereferenced from
+userspace but tracepoint_string will add an entry to
+/sys/kernel/tracing/printk_formats
+
+Link: https://lkml.kernel.org/r/20251030155537.87972-1-martin@kaiser.cx
+Fixes: 54a611b60590 ("Maple Tree: add new data structure")
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Acked-by: Liam R. Howlett <Liam.Howlett@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/maple_tree.c | 32 +++++++++++++++++---------------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+--- a/lib/maple_tree.c
++++ b/lib/maple_tree.c
+@@ -62,6 +62,8 @@
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/maple_tree.h>
+
++#define TP_FCT tracepoint_string(__func__)
++
+ #define MA_ROOT_PARENT 1
+
+ /*
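Review bot: TP_FCT is defined without a comment, so nothing at the definition tells a future contributor that passing __func__ directly to trace_ma_op(), trace_ma_read() or trace_ma_write() brings back the unsafe-pointer warning. Add a short comment above `#define TP_FCT tracepoint_string(__func__)` explaining that the string has to be registered so it can be resolved when the event is parsed later. A more descriptive macro name would help as well.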
+@@ -2990,7 +2992,7 @@ static inline int mas_rebalance(struct m
+ MA_STATE(l_mas, mas->tree, mas->index, mas->last);
+ MA_STATE(r_mas, mas->tree, mas->index, mas->last);
+
+- trace_ma_op(__func__, mas);
++ trace_ma_op(TP_FCT, mas);
+
+ /*
+ * Rebalancing occurs if a node is insufficient. Data is rebalanced
+@@ -3365,7 +3367,7 @@ static int mas_split(struct ma_state *ma
+ MA_STATE(prev_l_mas, mas->tree, mas->index, mas->last);
+ MA_STATE(prev_r_mas, mas->tree, mas->index, mas->last);
+
+- trace_ma_op(__func__, mas);
++ trace_ma_op(TP_FCT, mas);
+ mas->depth = mas_mt_height(mas);
+ /* Allocation failures will happen early. */
+ mas_node_count(mas, 1 + mas->depth * 2);
+@@ -3598,7 +3600,7 @@ static bool mas_is_span_wr(struct ma_wr_
+ return false;
+ }
+
+- trace_ma_write(__func__, wr_mas->mas, wr_mas->r_max, entry);
++ trace_ma_write(TP_FCT, wr_mas->mas, wr_mas->r_max, entry);
+ return true;
+ }
+
+@@ -3845,7 +3847,7 @@ static inline int mas_wr_spanning_store(
+ * of data may happen.
+ */
+ mas = wr_mas->mas;
+- trace_ma_op(__func__, mas);
++ trace_ma_op(TP_FCT, mas);
+
+ if (unlikely(!mas->index && mas->last == ULONG_MAX))
+ return mas_new_root(mas, wr_mas->entry);
+@@ -3996,7 +3998,7 @@ done:
+ } else {
+ memcpy(wr_mas->node, newnode, sizeof(struct maple_node));
+ }
+- trace_ma_write(__func__, mas, 0, wr_mas->entry);
++ trace_ma_write(TP_FCT, mas, 0, wr_mas->entry);
+ mas_update_gap(mas);
+ return true;
+ }
+@@ -4042,7 +4044,7 @@ static inline bool mas_wr_slot_store(str
+ return false;
+ }
+
+- trace_ma_write(__func__, mas, 0, wr_mas->entry);
++ trace_ma_write(TP_FCT, mas, 0, wr_mas->entry);
+ /*
+ * Only update gap when the new entry is empty or there is an empty
+ * entry in the original two ranges.
+@@ -4178,7 +4180,7 @@ static inline bool mas_wr_append(struct
+ if (!wr_mas->content || !wr_mas->entry)
+ mas_update_gap(mas);
+
+- trace_ma_write(__func__, mas, new_end, wr_mas->entry);
++ trace_ma_write(TP_FCT, mas, new_end, wr_mas->entry);
+ return true;
+ }
+
+@@ -4192,7 +4194,7 @@ static void mas_wr_bnode(struct ma_wr_st
+ {
+ struct maple_big_node b_node;
+
+- trace_ma_write(__func__, wr_mas->mas, 0, wr_mas->entry);
++ trace_ma_write(TP_FCT, wr_mas->mas, 0, wr_mas->entry);
+ memset(&b_node, 0, sizeof(struct maple_big_node));
+ mas_store_b_node(wr_mas, &b_node, wr_mas->offset_end);
+ mas_commit_b_node(wr_mas, &b_node, wr_mas->node_end);
+@@ -5395,7 +5397,7 @@ void *mas_store(struct ma_state *mas, vo
+ {
+ MA_WR_STATE(wr_mas, mas, entry);
+
+- trace_ma_write(__func__, mas, 0, entry);
++ trace_ma_write(TP_FCT, mas, 0, entry);
+ #ifdef CONFIG_DEBUG_MAPLE_TREE
+ if (MAS_WARN_ON(mas, mas->index > mas->last))
+ pr_err("Error %lX > %lX %p\n", mas->index, mas->last, entry);
+@@ -5433,7 +5435,7 @@ int mas_store_gfp(struct ma_state *mas,
+ MA_WR_STATE(wr_mas, mas, entry);
+
+ mas_wr_store_setup(&wr_mas);
+- trace_ma_write(__func__, mas, 0, entry);
++ trace_ma_write(TP_FCT, mas, 0, entry);
+ retry:
+ mas_wr_store_entry(&wr_mas);
+ if (unlikely(mas_nomem(mas, gfp)))
+@@ -5457,7 +5459,7 @@ void mas_store_prealloc(struct ma_state
+ MA_WR_STATE(wr_mas, mas, entry);
+
+ mas_wr_store_setup(&wr_mas);
+- trace_ma_write(__func__, mas, 0, entry);
++ trace_ma_write(TP_FCT, mas, 0, entry);
+ mas_wr_store_entry(&wr_mas);
+ MAS_WR_BUG_ON(&wr_mas, mas_is_err(mas));
+ mas_destroy(mas);
+@@ -6245,7 +6247,7 @@ void *mtree_load(struct maple_tree *mt,
+ MA_STATE(mas, mt, index, index);
+ void *entry;
+
+- trace_ma_read(__func__, &mas);
++ trace_ma_read(TP_FCT, &mas);
+ rcu_read_lock();
+ retry:
+ entry = mas_start(&mas);
+@@ -6288,7 +6290,7 @@ int mtree_store_range(struct maple_tree
+ MA_STATE(mas, mt, index, last);
+ MA_WR_STATE(wr_mas, &mas, entry);
+
+- trace_ma_write(__func__, &mas, 0, entry);
++ trace_ma_write(TP_FCT, &mas, 0, entry);
+ if (WARN_ON_ONCE(xa_is_advanced(entry)))
+ return -EINVAL;
+
+@@ -6470,7 +6472,7 @@ void *mtree_erase(struct maple_tree *mt,
+ void *entry = NULL;
+
+ MA_STATE(mas, mt, index, index);
+- trace_ma_op(__func__, &mas);
++ trace_ma_op(TP_FCT, &mas);
+
+ mtree_lock(mt);
+ entry = mas_erase(&mas);
+@@ -6536,7 +6538,7 @@ void *mt_find(struct maple_tree *mt, uns
+ unsigned long copy = *index;
+ #endif
+
+- trace_ma_read(__func__, &mas);
++ trace_ma_read(TP_FCT, &mas);
+
+ if ((*index) > max)
+ return NULL;
--- /dev/null
+From stable+bounces-196801-greg=kroah.com@vger.kernel.org Mon Nov 24 21:59:50 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 15:59:41 -0500
+Subject: mm/mempool: fix poisoning order>0 pages with HIGHMEM
+To: stable@vger.kernel.org
+Cc: Vlastimil Babka <vbabka@suse.cz>, kernel test robot <oliver.sang@intel.com>, Christoph Hellwig <hch@lst.de>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124205941.27830-2-sashal@kernel.org>
+
+From: Vlastimil Babka <vbabka@suse.cz>
+
+[ Upstream commit ec33b59542d96830e3c89845ff833cf7b25ef172 ]
+
+The kernel test has reported:
+
+ BUG: unable to handle page fault for address: fffba000
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ *pde = 03171067 *pte = 00000000
+ Oops: Oops: 0002 [#1]
+ CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca
+ Tainted: [T]=RANDSTRUCT
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+ EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17)
+ Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 <f3> aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56
+ EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b
+ ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8
+ DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287
+ CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690
+ Call Trace:
+ poison_element (mm/mempool.c:83 mm/mempool.c:102)
+ mempool_init_node (mm/mempool.c:142 mm/mempool.c:226)
+ mempool_init_noprof (mm/mempool.c:250 (discriminator 1))
+ ? mempool_alloc_pages (mm/mempool.c:640)
+ bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8))
+ ? mempool_alloc_pages (mm/mempool.c:640)
+ do_one_initcall (init/main.c:1283)
+
+Christoph found out this is due to the poisoning code not dealing
+properly with CONFIG_HIGHMEM because only the first page is mapped but
+then the whole potentially high-order page is accessed.
+
+We could give up on HIGHMEM here, but it's straightforward to fix this
+with a loop that's mapping, poisoning or checking and unmapping
+individual pages.
+
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202511111411.9ebfa1ba-lkp@intel.com
+Analyzed-by: Christoph Hellwig <hch@lst.de>
+Fixes: bdfedb76f4f5 ("mm, mempool: poison elements backed by slab allocator")
+Cc: stable@vger.kernel.org
+Tested-by: kernel test robot <oliver.sang@intel.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://patch.msgid.link/20251113-mempool-poison-v1-1-233b3ef984c3@suse.cz
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mempool.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+--- a/mm/mempool.c
++++ b/mm/mempool.c
+@@ -64,10 +64,20 @@ static void check_element(mempool_t *poo
+ } else if (pool->free == mempool_free_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_local_page((struct page *)element);
+
+- __check_element(pool, addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_local(addr);
++#ifdef CONFIG_HIGHMEM
++ for (int i = 0; i < (1 << order); i++) {
++ struct page *page = (struct page *)element;
++ void *addr = kmap_local_page(page + i);
++
++ __check_element(pool, addr, PAGE_SIZE);
++ kunmap_local(addr);
++ }
++#else
++ void *addr = page_address((struct page *)element);
++
++ __check_element(pool, addr, PAGE_SIZE << order);
++#endif
+ }
+ }
+
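Review bot: in the CONFIG_HIGHMEM loop of check_element(), `struct page *page = (struct page *)element;` is loop-invariant but is declared again on every iteration; hoist it above the loop. The two branches also express the element size differently (`1 << order` pages versus `PAGE_SIZE << order` bytes), so a brief comment on why the non-HIGHMEM branch can use page_address() over the whole element would make the split easier to follow.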
+@@ -89,10 +99,20 @@ static void poison_element(mempool_t *po
+ } else if (pool->alloc == mempool_alloc_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_local_page((struct page *)element);
+
+- __poison_element(addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_local(addr);
++#ifdef CONFIG_HIGHMEM
++ for (int i = 0; i < (1 << order); i++) {
++ struct page *page = (struct page *)element;
++ void *addr = kmap_local_page(page + i);
++
++ __poison_element(addr, PAGE_SIZE);
++ kunmap_local(addr);
++ }
++#else
++ void *addr = page_address((struct page *)element);
++
++ __poison_element(addr, PAGE_SIZE << order);
++#endif
+ }
+ }
+ #else /* CONFIG_DEBUG_SLAB || CONFIG_SLUB_DEBUG_ON */
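Review bot: the #ifdef CONFIG_HIGHMEM block in poison_element() duplicates the one added to check_element() line for line apart from the callee. Consider a small helper that maps each page of the element in turn and applies a callback, so the per-page mapping rule lives in one place and the two paths cannot drift apart.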
--- /dev/null
+From stable+bounces-196800-greg=kroah.com@vger.kernel.org Mon Nov 24 21:59:49 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 15:59:40 -0500
+Subject: mm/mempool: replace kmap_atomic() with kmap_local_page()
+To: stable@vger.kernel.org
+Cc: "Fabio M. De Francesco" <fabio.maria.de.francesco@linux.intel.com>, Ira Weiny <ira.weiny@intel.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124205941.27830-1-sashal@kernel.org>
+
+From: "Fabio M. De Francesco" <fabio.maria.de.francesco@linux.intel.com>
+
+[ Upstream commit f2bcc99a5e901a13b754648d1dbab60f4adf9375 ]
+
+kmap_atomic() has been deprecated in favor of kmap_local_page().
+
+Therefore, replace kmap_atomic() with kmap_local_page().
+
+kmap_atomic() is implemented like a kmap_local_page() which also disables
+page-faults and preemption (the latter only in !PREEMPT_RT kernels). The
+kernel virtual addresses returned by these two API are only valid in the
+context of the callers (i.e., they cannot be handed to other threads).
+
+With kmap_local_page() the mappings are per thread and CPU local like in
+kmap_atomic(); however, they can handle page-faults and can be called from
+any context (including interrupts). The tasks that call kmap_local_page()
+can be preempted and, when they are scheduled to run again, the kernel
+virtual addresses are restored and are still valid.
+
+The code blocks between the mappings and un-mappings don't rely on the
+above-mentioned side effects of kmap_atomic(), so that mere replacements
+of the old API with the new one is all that they require (i.e., there is
+no need to explicitly call pagefault_disable() and/or preempt_disable()).
+
+Link: https://lkml.kernel.org/r/20231120142640.7077-1-fabio.maria.de.francesco@linux.intel.com
+Signed-off-by: Fabio M. De Francesco <fabio.maria.de.francesco@linux.intel.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: ec33b59542d9 ("mm/mempool: fix poisoning order>0 pages with HIGHMEM")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mempool.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/mm/mempool.c
++++ b/mm/mempool.c
+@@ -64,10 +64,10 @@ static void check_element(mempool_t *poo
+ } else if (pool->free == mempool_free_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_atomic((struct page *)element);
++ void *addr = kmap_local_page((struct page *)element);
+
+ __check_element(pool, addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_atomic(addr);
++ kunmap_local(addr);
+ }
+ }
+
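Review bot: `kmap_local_page((struct page *)element)` maps a single page, yet the length passed to __check_element() is `1UL << (PAGE_SHIFT + order)`, the whole element. For order > 0 under CONFIG_HIGHMEM the access runs past the one mapped page, and the poison_element() hunk below has the same pattern. This predates the API swap, but since these lines are being touched it is worth either mapping page by page or noting the limitation in a comment.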
+@@ -89,10 +89,10 @@ static void poison_element(mempool_t *po
+ } else if (pool->alloc == mempool_alloc_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_atomic((struct page *)element);
++ void *addr = kmap_local_page((struct page *)element);
+
+ __poison_element(addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_atomic(addr);
++ kunmap_local(addr);
+ }
+ }
+ #else /* CONFIG_DEBUG_SLAB || CONFIG_SLUB_DEBUG_ON */
--- /dev/null
+From stable+bounces-196831-greg=kroah.com@vger.kernel.org Tue Nov 25 01:46:41 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 19:46:33 -0500
+Subject: mptcp: fix a race in mptcp_pm_del_add_timer()
+To: stable@vger.kernel.org
+Cc: Eric Dumazet <edumazet@google.com>, syzbot+2a6fbf0f0530375968df@syzkaller.appspotmail.com, Geliang Tang <geliang@kernel.org>, "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251125004633.189471-1-sashal@kernel.org>
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 426358d9be7ce3518966422f87b96f1bad27295f ]
+
+mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer)
+while another might have free entry already, as reported by syzbot.
+
+Add RCU protection to fix this issue.
+
+Also change confusing add_timer variable with stop_timer boolean.
+
+syzbot report:
+
+BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616
+Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44
+
+CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
+Workqueue: events mptcp_worker
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616
+ sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631
+ mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362
+ mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174
+ tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361
+ tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441
+ tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931
+ tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374
+ ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205
+ ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ __netif_receive_skb_one_core net/core/dev.c:6079 [inline]
+ __netif_receive_skb+0x143/0x380 net/core/dev.c:6192
+ process_backlog+0x31e/0x900 net/core/dev.c:6544
+ __napi_poll+0xb6/0x540 net/core/dev.c:7594
+ napi_poll net/core/dev.c:7657 [inline]
+ net_rx_action+0x5f7/0xda0 net/core/dev.c:7784
+ handle_softirqs+0x22f/0x710 kernel/softirq.c:622
+ __do_softirq kernel/softirq.c:656 [inline]
+ __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302
+ mptcp_pm_send_ack net/mptcp/pm.c:210 [inline]
+ mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1
+ mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002
+ mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762
+ process_one_work kernel/workqueue.c:3263 [inline]
+ process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+ </TASK>
+
+Allocated by task 44:
+ kasan_save_stack mm/kasan/common.c:56 [inline]
+ kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
+ poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
+ __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417
+ kasan_kmalloc include/linux/kasan.h:262 [inline]
+ __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748
+ kmalloc_noprof include/linux/slab.h:957 [inline]
+ mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385
+ mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355
+ mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline]
+ __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529
+ mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008
+ mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762
+ process_one_work kernel/workqueue.c:3263 [inline]
+ process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+
+Freed by task 6630:
+ kasan_save_stack mm/kasan/common.c:56 [inline]
+ kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
+ __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
+ kasan_save_free_info mm/kasan/kasan.h:406 [inline]
+ poison_slab_object mm/kasan/common.c:252 [inline]
+ __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284
+ kasan_slab_free include/linux/kasan.h:234 [inline]
+ slab_free_hook mm/slub.c:2523 [inline]
+ slab_free mm/slub.c:6611 [inline]
+ kfree+0x197/0x950 mm/slub.c:6818
+ mptcp_remove_anno_list_by_saddr+0x2d/0x40 net/mptcp/pm.c:158
+ mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_kernel.c:1209 [inline]
+ mptcp_nl_flush_addrs_list net/mptcp/pm_kernel.c:1240 [inline]
+ mptcp_pm_nl_flush_addrs_doit+0x593/0xbb0 net/mptcp/pm_kernel.c:1281
+ genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
+ genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
+ genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
+ netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
+ genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
+ netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
+ netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346
+ netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg+0x21c/0x270 net/socket.c:742
+ ____sys_sendmsg+0x508/0x820 net/socket.c:2630
+ ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684
+ __sys_sendmsg net/socket.c:2716 [inline]
+ __do_sys_sendmsg net/socket.c:2721 [inline]
+ __se_sys_sendmsg net/socket.c:2719 [inline]
+ __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2719
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Cc: stable@vger.kernel.org
+Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
+Reported-by: syzbot+2a6fbf0f0530375968df@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/691ad3c3.a70a0220.f6df1.0004.GAE@google.com
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Geliang Tang <geliang@kernel.org>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251117100745.1913963-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_netlink.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -29,6 +29,7 @@ struct mptcp_pm_add_entry {
+ u8 retrans_times;
+ struct timer_list add_timer;
+ struct mptcp_sock *sock;
++ struct rcu_head rcu;
+ };
+
+ struct pm_nl_pernet {
+@@ -344,22 +345,27 @@ mptcp_pm_del_add_timer(struct mptcp_sock
+ {
+ struct mptcp_pm_add_entry *entry;
+ struct sock *sk = (struct sock *)msk;
+- struct timer_list *add_timer = NULL;
++ bool stop_timer = false;
++
++ rcu_read_lock();
+
+ spin_lock_bh(&msk->pm.lock);
+ entry = mptcp_lookup_anno_list_by_saddr(msk, addr);
+ if (entry && (!check_id || entry->addr.id == addr->id)) {
+ entry->retrans_times = ADD_ADDR_RETRANS_MAX;
+- add_timer = &entry->add_timer;
++ stop_timer = true;
+ }
+ if (!check_id && entry)
+ list_del(&entry->list);
+ spin_unlock_bh(&msk->pm.lock);
+
+- /* no lock, because sk_stop_timer_sync() is calling del_timer_sync() */
+- if (add_timer)
+- sk_stop_timer_sync(sk, add_timer);
++ /* Note: entry might have been removed by another thread.
++ * We hold rcu_read_lock() to ensure it is not freed under us.
++ */
++ if (stop_timer)
++ sk_stop_timer_sync(sk, &entry->add_timer);
+
++ rcu_read_unlock();
+ return entry;
+ }
+
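Review bot: `return entry;` comes after `rcu_read_unlock();`, so on the `check_id` path, where the entry is left on the list, the caller gets a pointer that is protected by neither `msk->pm.lock` nor the RCU read section and can be freed by a concurrent `kfree_rcu()` once the grace period ends. Suggest a comment on the function stating that only callers passing `check_id == false` (which unlink the entry and therefore own it) may dereference or free the result, and that everyone else must treat it as a boolean.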
+@@ -415,7 +421,7 @@ void mptcp_pm_free_anno_list(struct mptc
+
+ list_for_each_entry_safe(entry, tmp, &free_list, list) {
+ sk_stop_timer_sync(sk, &entry->add_timer);
+- kfree(entry);
++ kfree_rcu(entry, rcu);
+ }
+ }
+
+@@ -1573,7 +1579,7 @@ static bool remove_anno_list_by_saddr(st
+
+ entry = mptcp_pm_del_add_timer(msk, addr, false);
+ if (entry) {
+- kfree(entry);
++ kfree_rcu(entry, rcu);
+ return true;
+ }
+
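Review bot: only two free sites are converted to `kfree_rcu(entry, rcu);`, here and in `mptcp_pm_free_anno_list()`, while the KASAN trace in the changelog frees from `mptcp_remove_anno_list_by_saddr` in net/mptcp/pm.c, a different layout from the pm_netlink.c this backport touches. Please confirm there is no remaining plain `kfree()` of a `struct mptcp_pm_add_entry` in this tree that the RCU reader in `mptcp_pm_del_add_timer()` could still race with.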
--- /dev/null
+From stable+bounces-196511-greg=kroah.com@vger.kernel.org Fri Nov 21 16:43:53 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Nov 2025 10:43:01 -0500
+Subject: pmdomain: arm: scmi: Fix genpd leak on provider registration failure
+To: stable@vger.kernel.org
+Cc: Sudeep Holla <sudeep.holla@arm.com>, Peng Fan <peng.fan@nxp.com>, Ulf Hansson <ulf.hansson@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251121154301.2580293-1-sashal@kernel.org>
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 7458f72cc28f9eb0de811effcb5376d0ec19094a ]
+
+If of_genpd_add_provider_onecell() fails during probe, the previously
+created generic power domains are not removed, leading to a memory leak
+and potential kernel crash later in genpd_debug_add().
+
+Add proper error handling to unwind the initialized domains before
+returning from probe to ensure all resources are correctly released on
+failure.
+
+Example crash trace observed without this fix:
+
+ | Unable to handle kernel paging request at virtual address fffffffffffffc70
+ | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT
+ | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform
+ | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ | pc : genpd_debug_add+0x2c/0x160
+ | lr : genpd_debug_init+0x74/0x98
+ | Call trace:
+ | genpd_debug_add+0x2c/0x160 (P)
+ | genpd_debug_init+0x74/0x98
+ | do_one_initcall+0xd0/0x2d8
+ | do_initcall_level+0xa0/0x140
+ | do_initcalls+0x60/0xa8
+ | do_basic_setup+0x28/0x40
+ | kernel_init_freeable+0xe8/0x170
+ | kernel_init+0x2c/0x140
+ | ret_from_fork+0x10/0x20
+
+Fixes: 898216c97ed2 ("firmware: arm_scmi: add device power domain support using genpd")
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+[ drivers/pmdomain/arm/scmi_pm_domain.c -> drivers/firmware/arm_scmi/scmi_pm_domain.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/arm_scmi/scmi_pm_domain.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/firmware/arm_scmi/scmi_pm_domain.c
++++ b/drivers/firmware/arm_scmi/scmi_pm_domain.c
+@@ -54,7 +54,7 @@ static int scmi_pd_power_off(struct gene
+
+ static int scmi_pm_domain_probe(struct scmi_device *sdev)
+ {
+- int num_domains, i;
++ int num_domains, i, ret;
+ struct device *dev = &sdev->dev;
+ struct device_node *np = dev->of_node;
+ struct scmi_pm_domain *scmi_pd;
+@@ -112,9 +112,18 @@ static int scmi_pm_domain_probe(struct s
+ scmi_pd_data->domains = domains;
+ scmi_pd_data->num_domains = num_domains;
+
++ ret = of_genpd_add_provider_onecell(np, scmi_pd_data);
++ if (ret)
++ goto err_rm_genpds;
++
+ dev_set_drvdata(dev, scmi_pd_data);
+
+- return of_genpd_add_provider_onecell(np, scmi_pd_data);
++ return 0;
++err_rm_genpds:
++ for (i = num_domains - 1; i >= 0; i--)
++ pm_genpd_remove(domains[i]);
++
++ return ret;
+ }
+
+ static void scmi_pm_domain_remove(struct scmi_device *sdev)
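Review bot: the `err_rm_genpds` loop calls `pm_genpd_remove(domains[i])` for every index below `num_domains` and discards the return value, but the loop that fills `domains[]` is outside this hunk, so if it can skip an index the unwind hands an unpopulated slot to `pm_genpd_remove()`. Please confirm every slot is initialised by the time the provider is registered (or guard the call), and log a failed removal so a partial unwind is visible.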
--- /dev/null
+From stable+bounces-196509-greg=kroah.com@vger.kernel.org Fri Nov 21 16:40:52 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Nov 2025 10:40:41 -0500
+Subject: pmdomain: imx: Fix reference count leak in imx_gpc_remove
+To: stable@vger.kernel.org
+Cc: Miaoqian Lin <linmq006@gmail.com>, Ulf Hansson <ulf.hansson@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251121154041.2577393-2-sashal@kernel.org>
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 ]
+
+of_get_child_by_name() returns a node pointer with refcount incremented, we
+should use of_node_put() on it when not needed anymore. Add the missing
+of_node_put() to avoid refcount leak.
+
+Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pmdomain/imx/gpc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pmdomain/imx/gpc.c
++++ b/drivers/pmdomain/imx/gpc.c
+@@ -546,6 +546,8 @@ static void imx_gpc_remove(struct platfo
+ return;
+ }
+ }
++
++ of_node_put(pgc_node);
+ }
+
+ static struct platform_driver imx_gpc_driver = {
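Review bot: the new `of_node_put(pgc_node);` is reached only on the fall-through path; the `return;` visible in the context lines directly above it still leaves the function without dropping the reference taken by `of_get_child_by_name()`. Suggest routing that early return through a common exit label that performs the put, so the refcount is balanced on the failure path as well.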
--- /dev/null
+From stable+bounces-196510-greg=kroah.com@vger.kernel.org Fri Nov 21 16:45:28 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Nov 2025 10:40:40 -0500
+Subject: pmdomain: imx-gpc: Convert to platform remove callback returning void
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>, "Ulf Hansson" <ulf.hansson@linaro.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20251121154041.2577393-1-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit da07c5871d18157608a0d0702cb093168d79080a ]
+
+The .remove() callback for a platform driver returns an int which makes
+many driver authors wrongly assume it's possible to do error handling by
+returning an error code. However the value returned is ignored (apart
+from emitting a warning) and this typically results in resource leaks.
+
+To improve here there is a quest to make the remove callback return
+void. In the first step of this quest all drivers are converted to
+.remove_new(), which already returns void. Eventually after all drivers
+are converted, .remove_new() will be renamed to .remove().
+
+In the error path emit an error message replacing the (less useful)
+message by the core. Apart from the improved error message there is no
+change in behaviour.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20231124080623.564924-3-u.kleine-koenig@pengutronix.de
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Stable-dep-of: bbde14682eba ("pmdomain: imx: Fix reference count leak in imx_gpc_remove")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pmdomain/imx/gpc.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+--- a/drivers/pmdomain/imx/gpc.c
++++ b/drivers/pmdomain/imx/gpc.c
+@@ -512,7 +512,7 @@ static int imx_gpc_probe(struct platform
+ return 0;
+ }
+
+-static int imx_gpc_remove(struct platform_device *pdev)
++static void imx_gpc_remove(struct platform_device *pdev)
+ {
+ struct device_node *pgc_node;
+ int ret;
+@@ -522,7 +522,7 @@ static int imx_gpc_remove(struct platfor
+ /* bail out if DT too old and doesn't provide the necessary info */
+ if (!of_property_read_bool(pdev->dev.of_node, "#power-domain-cells") &&
+ !pgc_node)
+- return 0;
++ return;
+
+ /*
+ * If the old DT binding is used the toplevel driver needs to
+@@ -532,16 +532,20 @@ static int imx_gpc_remove(struct platfor
+ of_genpd_del_provider(pdev->dev.of_node);
+
+ ret = pm_genpd_remove(&imx_gpc_domains[GPC_PGC_DOMAIN_PU].base);
+- if (ret)
+- return ret;
++ if (ret) {
++ dev_err(&pdev->dev, "Failed to remove PU power domain (%pe)\n",
++ ERR_PTR(ret));
++ return;
++ }
+ imx_pgc_put_clocks(&imx_gpc_domains[GPC_PGC_DOMAIN_PU]);
+
+ ret = pm_genpd_remove(&imx_gpc_domains[GPC_PGC_DOMAIN_ARM].base);
+- if (ret)
+- return ret;
++ if (ret) {
++ dev_err(&pdev->dev, "Failed to remove ARM power domain (%pe)\n",
++ ERR_PTR(ret));
++ return;
++ }
+ }
+-
+- return 0;
+ }
+
+ static struct platform_driver imx_gpc_driver = {
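Review bot: both new `dev_err()` branches still end in `return;`, so a failure removing the PU domain skips `imx_pgc_put_clocks()` and the ARM domain removal, which is the kind of leak the changelog describes. Since the callback can no longer report failure, consider logging and carrying on with the remaining teardown; if identical behaviour is intended for this conversion step, a short comment at the early return saying so would help.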
+@@ -550,6 +554,6 @@ static struct platform_driver imx_gpc_dr
+ .of_match_table = imx_gpc_dt_ids,
+ },
+ .probe = imx_gpc_probe,
+- .remove = imx_gpc_remove,
++ .remove_new = imx_gpc_remove,
+ };
+ builtin_platform_driver(imx_gpc_driver)
--- /dev/null
+From stable+bounces-196624-greg=kroah.com@vger.kernel.org Sun Nov 23 17:56:05 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Nov 2025 11:55:57 -0500
+Subject: selftests: mptcp: join: endpoints: longer transfer
+To: stable@vger.kernel.org
+Cc: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Geliang Tang <geliang@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251123165557.3491636-1-sashal@kernel.org>
+
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+
+[ Upstream commit 6457595db9870298ee30b6d75287b8548e33fe19 ]
+
+In rare cases, when the test environment is very slow, some userspace
+tests can fail because some expected events have not been seen.
+
+Because the tests are expecting a long on-going connection, and they are
+not waiting for the end of the transfer, it is fine to make the
+connection longer. This connection will be killed at the end, after the
+verifications, so making it longer doesn't change anything, apart from
+avoid it to end before the end of the verifications
+
+To play it safe, all endpoints tests not waiting for the end of the
+transfer are now sharing a longer file (128KB) at slow speed.
+
+Fixes: 69c6ce7b6eca ("selftests: mptcp: add implicit endpoint test case")
+Cc: stable@vger.kernel.org
+Fixes: e274f7154008 ("selftests: mptcp: add subflow limits test-cases")
+Fixes: b5e2fb832f48 ("selftests: mptcp: add explicit test case for remove/readd")
+Fixes: e06959e9eebd ("selftests: mptcp: join: test for flush/re-add endpoints")
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-3-a4332c714e10@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ removed curly braces and stderr redirection ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -3741,7 +3741,7 @@ endpoint_tests()
+ pm_nl_set_limits $ns1 2 2
+ pm_nl_set_limits $ns2 2 2
+ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
+- speed=slow \
++ test_linkfail=128 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1 &
+ local tests_pid=$!
+
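Review bot: this hunk introduces `test_linkfail=128` on a test that previously set only `speed=slow`, whereas the other three hunks merely raise an existing `test_linkfail=4`; please confirm that enabling the variable here changes nothing but the transfer size. The literal 128 now appears in four places, so a single named variable in `endpoint_tests()` would keep them in sync.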
+@@ -3768,7 +3768,7 @@ endpoint_tests()
+ pm_nl_set_limits $ns2 0 3
+ pm_nl_add_endpoint $ns2 10.0.1.2 id 1 dev ns2eth1 flags subflow
+ pm_nl_add_endpoint $ns2 10.0.2.2 id 2 dev ns2eth2 flags subflow
+- test_linkfail=4 speed=5 \
++ test_linkfail=128 speed=5 \
+ run_tests $ns1 $ns2 10.0.1.1 &
+ local tests_pid=$!
+
+@@ -3845,7 +3845,7 @@ endpoint_tests()
+ # broadcast IP: no packet for this address will be received on ns1
+ pm_nl_add_endpoint $ns1 224.0.0.1 id 2 flags signal
+ pm_nl_add_endpoint $ns1 10.0.1.1 id 42 flags signal
+- test_linkfail=4 speed=5 \
++ test_linkfail=128 speed=5 \
+ run_tests $ns1 $ns2 10.0.1.1 &
+ local tests_pid=$!
+
+@@ -3917,7 +3917,7 @@ endpoint_tests()
+ # broadcast IP: no packet for this address will be received on ns1
+ pm_nl_add_endpoint $ns1 224.0.0.1 id 2 flags signal
+ pm_nl_add_endpoint $ns2 10.0.3.2 id 3 flags subflow
+- test_linkfail=4 speed=20 \
++ test_linkfail=128 speed=20 \
+ run_tests $ns1 $ns2 10.0.1.1 &
+ local tests_pid=$!
+
alsa-usb-audio-fix-uac2-clock-source-at-terminal-par.patch
net-ethernet-ti-netcp-standardize-knav_dma_open_chan.patch
tracing-tools-fix-incorrcet-short-option-in-usage-te.patch
+smb-client-fix-incomplete-backport-in-cfids_invalidation_worker.patch
+kvm-arm64-check-the-untrusted-offset-in-ff-a-memory-share.patch
+uio_hv_generic-set-event-for-all-channels-on-the-device.patch
+maple_tree-fix-tracepoint-string-pointers.patch
+wifi-cfg80211-add-missing-lock-in-cfg80211_check_and_end_cac.patch
+crash-fix-crashkernel-resource-shrink.patch
+ftrace-fix-bpf-fexit-with-livepatch.patch
+pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch
+pmdomain-imx-gpc-convert-to-platform-remove-callback-returning-void.patch
+pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch
+selftests-mptcp-join-endpoints-longer-transfer.patch
+hid-amd_sfh-stop-sensor-before-starting.patch
+mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch
+mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch
+mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch
--- /dev/null
+From 38ef85145fd3655cd4ac16578871afdc0aa6636f Mon Sep 17 00:00:00 2001
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+Date: Wed, 26 Nov 2025 10:55:53 -0300
+Subject: smb: client: fix incomplete backport in cfids_invalidation_worker()
+
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+
+The previous commit bdb596ceb4b7 ("smb: client: fix potential UAF in
+smb2_close_cached_fid()") was an incomplete backport and missed one
+kref_put() call in cfids_invalidation_worker() that should have been
+converted to close_cached_dir().
+
+Fixes: cb52d9c86d70 ("smb: client: fix potential UAF in smb2_close_cached_fid()")"
+Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cached_dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/client/cached_dir.c
++++ b/fs/smb/client/cached_dir.c
+@@ -727,7 +727,7 @@ static void cfids_invalidation_worker(st
+ list_for_each_entry_safe(cfid, q, &entry, entry) {
+ list_del(&cfid->entry);
+ /* Drop the ref-count acquired in invalidate_all_cached_dirs */
+- kref_put(&cfid->refcount, smb2_close_cached_fid);
++ close_cached_dir(cfid);
+ }
+ }
+
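Review bot: the retained comment "Drop the ref-count acquired in invalidate_all_cached_dirs" does not say why a bare `kref_put()` is wrong at this spot; a few words on what `close_cached_dir()` adds over the direct put would keep a later backport from reintroducing it. In the changelog, the body cites bdb596ceb4b7 while the Fixes: tag cites cb52d9c86d70 for the same subject and ends with a stray `"`; please say which hash belongs to which tree and drop the quote.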
--- /dev/null
+From d062463edf1770427dc2d637df4088df4835aa47 Mon Sep 17 00:00:00 2001
+From: Long Li <longli@microsoft.com>
+Date: Mon, 10 Mar 2025 15:12:01 -0700
+Subject: uio_hv_generic: Set event for all channels on the device
+
+From: Long Li <longli@microsoft.com>
+
+commit d062463edf1770427dc2d637df4088df4835aa47 upstream.
+
+Hyper-V may offer a non latency sensitive device with subchannels without
+monitor bit enabled. The decision is entirely on the Hyper-V host not
+configurable within guest.
+
+When a device has subchannels, also signal events for the subchannel
+if its monitor bit is disabled.
+
+This patch also removes the memory barrier when monitor bit is enabled
+as it is not necessary. The memory barrier is only needed between
+setting up interrupt mask and calling vmbus_set_event() when monitor
+bit is disabled.
+
+Signed-off-by: Long Li <longli@microsoft.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Reviewed-by: Saurabh Sengar <ssengar@linux.microsoft.com>
+Link: https://lore.kernel.org/r/1741644721-20389-1-git-send-email-longli@linuxonhyperv.com
+Fixes: b15b7d2a1b09 ("uio_hv_generic: Let userspace take care of interrupt mask")
+Closes: https://bugs.debian.org/1120602
+Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/uio/uio_hv_generic.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+--- a/drivers/uio/uio_hv_generic.c
++++ b/drivers/uio/uio_hv_generic.c
+@@ -80,9 +80,15 @@ hv_uio_irqcontrol(struct uio_info *info,
+ {
+ struct hv_uio_private_data *pdata = info->priv;
+ struct hv_device *dev = pdata->device;
++ struct vmbus_channel *primary, *sc;
+
+- dev->channel->inbound.ring_buffer->interrupt_mask = !irq_state;
+- virt_mb();
++ primary = dev->channel;
++ primary->inbound.ring_buffer->interrupt_mask = !irq_state;
++
++ mutex_lock(&vmbus_connection.channel_mutex);
++ list_for_each_entry(sc, &primary->sc_list, sc_list)
++ sc->inbound.ring_buffer->interrupt_mask = !irq_state;
++ mutex_unlock(&vmbus_connection.channel_mutex);
+
+ return 0;
+ }
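Review bot: `virt_mb();` is dropped unconditionally in `hv_uio_irqcontrol()`, yet the changelog says the barrier is still needed between writing `interrupt_mask` and calling `vmbus_set_event()` when the monitor bit is disabled, and neither that call nor a monitor-bit check appears anywhere in this diff. Please confirm the signalling path exists in this tree and keeps its barrier, or trim the changelog to what the patch does. It is also worth documenting that this function can now sleep on `vmbus_connection.channel_mutex`.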
+@@ -93,11 +99,18 @@ hv_uio_irqcontrol(struct uio_info *info,
+ static void hv_uio_channel_cb(void *context)
+ {
+ struct vmbus_channel *chan = context;
+- struct hv_device *hv_dev = chan->device_obj;
+- struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev);
++ struct hv_device *hv_dev;
++ struct hv_uio_private_data *pdata;
+
+ virt_mb();
+
++ /*
++ * The callback may come from a subchannel, in which case look
++ * for the hv device in the primary channel
++ */
++ hv_dev = chan->primary_channel ?
++ chan->primary_channel->device_obj : chan->device_obj;
++ pdata = hv_get_drvdata(hv_dev);
+ uio_event_notify(&pdata->info);
+ }
+
--- /dev/null
+From 2c5dee15239f3f3e31aa5c8808f18996c039e2c1 Mon Sep 17 00:00:00 2001
+From: Alexander Wetzel <Alexander@wetzel-home.de>
+Date: Thu, 17 Jul 2025 18:25:45 +0200
+Subject: wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()
+
+From: Alexander Wetzel <Alexander@wetzel-home.de>
+
+commit 2c5dee15239f3f3e31aa5c8808f18996c039e2c1 upstream.
+
+Callers of wdev_chandef() must hold the wiphy mutex.
+
+But the worker cfg80211_propagate_cac_done_wk() never takes the lock.
+Which triggers the warning below with the mesh_peer_connected_dfs
+test from hostapd and not (yet) released mac80211 code changes:
+
+WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165
+Modules linked in:
+CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf
+Workqueue: cfg80211 cfg80211_propagate_cac_done_wk
+Stack:
+ 00000000 00000001 ffffff00 6093267c
+ 00000000 6002ec30 6d577c50 60037608
+ 00000000 67e8d108 6063717b 00000000
+Call Trace:
+ [<6002ec30>] ? _printk+0x0/0x98
+ [<6003c2b3>] show_stack+0x10e/0x11a
+ [<6002ec30>] ? _printk+0x0/0x98
+ [<60037608>] dump_stack_lvl+0x71/0xb8
+ [<6063717b>] ? wdev_chandef+0x60/0x165
+ [<6003766d>] dump_stack+0x1e/0x20
+ [<6005d1b7>] __warn+0x101/0x20f
+ [<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d
+ [<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec
+ [<60751191>] ? __this_cpu_preempt_check+0x0/0x16
+ [<600b11a2>] ? mark_held_locks+0x5a/0x6e
+ [<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d
+ [<60052e53>] ? unblock_signals+0x3a/0xe7
+ [<60052f2d>] ? um_set_signals+0x2d/0x43
+ [<60751191>] ? __this_cpu_preempt_check+0x0/0x16
+ [<607508b2>] ? lock_is_held_type+0x207/0x21f
+ [<6063717b>] wdev_chandef+0x60/0x165
+ [<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f
+ [<60052f00>] ? um_set_signals+0x0/0x43
+ [<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a
+ [<6007e460>] process_scheduled_works+0x3bc/0x60e
+ [<6007d0ec>] ? move_linked_works+0x4d/0x81
+ [<6007d120>] ? assign_work+0x0/0xaa
+ [<6007f81f>] worker_thread+0x220/0x2dc
+ [<600786ef>] ? set_pf_worker+0x0/0x57
+ [<60087c96>] ? to_kthread+0x0/0x43
+ [<6008ab3c>] kthread+0x2d3/0x2e2
+ [<6007f5ff>] ? worker_thread+0x0/0x2dc
+ [<6006c05b>] ? calculate_sigpending+0x0/0x56
+ [<6003b37d>] new_thread_handler+0x4a/0x64
+irq event stamp: 614611
+hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf
+hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf
+softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985
+softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985
+
+Fixes: 26ec17a1dc5e ("cfg80211: Fix radar event during another phy CAC")
+Signed-off-by: Alexander Wetzel <Alexander@wetzel-home.de>
+Link: https://patch.msgid.link/20250717162547.94582-1-Alexander@wetzel-home.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+[ The author recommends that when porting to older kernels, we should use wiphy_lock()
+and wiphy_unlock() instead of guard(). ]
+Signed-off-by: Alva Lan <alvalan9@foxmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/reg.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -4208,6 +4208,9 @@ EXPORT_SYMBOL(regulatory_pre_cac_allowed
+ static void cfg80211_check_and_end_cac(struct cfg80211_registered_device *rdev)
+ {
+ struct wireless_dev *wdev;
++
++ wiphy_lock(&rdev->wiphy);
++
+ /* If we finished CAC or received radar, we should end any
+ * CAC running on the same channels.
+ * the check !cfg80211_chandef_dfs_usable contain 2 options:
+@@ -4231,6 +4234,8 @@ static void cfg80211_check_and_end_cac(s
+ if (!cfg80211_chandef_dfs_usable(&rdev->wiphy, chandef))
+ rdev_end_cac(rdev, wdev->netdev);
+ }
++
++ wiphy_unlock(&rdev->wiphy);
+ }
+
+ void regulatory_propagate_dfs_state(struct wiphy *wiphy,
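Review bot: the single `wiphy_unlock(&rdev->wiphy);` at the end of the function balances the lock only if nothing between the two hunks returns early; that part of the loop is not shown, and the backport note says upstream uses `guard()`, which releases on every exit path while this manual pair does not. Please confirm there is no `return` inside the loop body in this tree, and consider a one-line comment that `wdev_chandef()` requires the wiphy mutex so the reason for the lock is recorded next to it.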