From: Greg Kroah-Hartman Date: Thu, 27 Nov 2025 13:41:08 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.6.118~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2741c5a44d01f265857256bdce9048ef7fa4cd97;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch hid-amd_sfh-stop-sensor-before-starting.patch maple_tree-fix-tracepoint-string-pointers.patch mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch mm-truncate-unmap-large-folio-on-split-failure.patch mptcp-decouple-mptcp-fastclose-from-tcp-close.patch mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch mptcp-fix-proto-fallback-detection-with-bpf.patch pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch pmdomain-samsung-plug-potential-memleak-during-probe.patch selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch selftests-mptcp-join-rm-set-backup-flag.patch uio_hv_generic-set-event-for-all-channels-on-the-device.patch
---
diff --git a/queue-6.1/ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch b/queue-6.1/ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch
new file mode 100644
index 0000000000..9fe323baa6
--- /dev/null
+++ b/queue-6.1/ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch
@@ -0,0 +1,82 @@
+From stable+bounces-196779-greg=kroah.com@vger.kernel.org Mon Nov 24 19:31:48 2025
+From: Sasha Levin
+Date: Mon, 24 Nov 2025 13:31:40 -0500
+Subject: ata: libata-scsi: Fix system suspend for a security locked drive
+To: stable@vger.kernel.org
+Cc: Niklas Cassel , Ilia Baryshnikov , Hannes Reinecke , "Martin K. Petersen" , Damien Le Moal , Sasha Levin
+Message-ID: <20251124183140.4185297-1-sashal@kernel.org>
+
+From: Niklas Cassel
+
+[ Upstream commit b11890683380a36b8488229f818d5e76e8204587 ]
+
+Commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status
+handling") fixed ata_to_sense_error() to properly generate sense key
+ABORTED COMMAND (without any additional sense code), instead of the
+previous bogus sense key ILLEGAL REQUEST with the additional sense code
+UNALIGNED WRITE COMMAND, for a failed command.
+
+However, this broke suspend for Security locked drives (drives that have
+Security enabled, and have not been Security unlocked by boot firmware).
+
+The reason for this is that the SCSI disk driver, for the Synchronize
+Cache command only, treats any sense data with sense key ILLEGAL REQUEST
+as a successful command (regardless of ASC / ASCQ).
+
+After commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error()
+status handling") the code that treats any sense data with sense key
+ILLEGAL REQUEST as a successful command is no longer applicable, so the
+command fails, which causes the system suspend to be aborted:
+
+ sd 1:0:0:0: PM: dpm_run_callback(): scsi_bus_suspend returns -5
+ sd 1:0:0:0: PM: failed to suspend async: error -5
+ PM: Some devices failed to suspend, or early wake event detected
+
+To make suspend work once again, for a Security locked device only,
+return sense data LOGICAL UNIT ACCESS NOT AUTHORIZED, the actual sense
+data which a real SCSI device would have returned if locked.
+The SCSI disk driver treats this sense data as a successful command.
+
+Cc: stable@vger.kernel.org
+Reported-by: Ilia Baryshnikov
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220704
+Fixes: cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling")
+Reviewed-by: Hannes Reinecke
+Reviewed-by: Martin K. Petersen
+Reviewed-by: Damien Le Moal
+Signed-off-by: Niklas Cassel
+[ Adjust context ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/libata-scsi.c | 8 ++++++++
+ include/linux/ata.h | 1 +
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -996,6 +996,14 @@ static void ata_gen_ata_sense(struct ata
+ ata_scsi_set_sense(dev, cmd, NOT_READY, 0x04, 0x21);
+ return;
+ }
++
++ if (ata_id_is_locked(dev->id)) {
++ /* Security locked */
++ /* LOGICAL UNIT ACCESS NOT AUTHORIZED */
++ ata_scsi_set_sense(dev, cmd, DATA_PROTECT, 0x74, 0x71);
++ return;
++ }
++
+ /* Use ata_to_sense_error() to map status register bits
+ * onto sense key, asc & ascq.
+ */
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -558,6 +558,7 @@ struct ata_bmdma_prd {
+ #define ata_id_has_ncq(id) ((id)[ATA_ID_SATA_CAPABILITY] & (1 << 8))
+ #define ata_id_queue_depth(id) (((id)[ATA_ID_QUEUE_DEPTH] & 0x1f) + 1)
+ #define ata_id_removable(id) ((id)[ATA_ID_CONFIG] & (1 << 7))
++#define ata_id_is_locked(id) (((id)[ATA_ID_DLF] & 0x7) == 0x7)
+ #define ata_id_has_atapi_AN(id) \
+ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
+ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
diff --git a/queue-6.1/dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch b/queue-6.1/dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch
new file mode 100644
index 0000000000..48b7fac8b2
--- /dev/null
+++ b/queue-6.1/dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch
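Review bot: The new `ata_id_is_locked()` macro in include/linux/ata.h compares `ATA_ID_DLF` against a bare `0x7` without saying which bits that mask combines. A one-line comment above it, such as `/* Security supported (bit 0), enabled (bit 1) and locked (bit 2) must all be set */`, would make the intent checkable against the ATA spec. In ata_gen_ata_sense() the added branch tests `dev->id`, which looks like the cached IDENTIFY data, and it is taken for every command that reaches this point, so any failure on a drive whose cached state says locked is reported as DATA PROTECT. A short comment stating that this is intended, and that the cached lock state is assumed to be current, would help the next reader. The body of ata_gen_ata_sense() starts and ends outside the hunk.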
@@ -0,0 +1,67 @@
+From stable+bounces-196802-greg=kroah.com@vger.kernel.org Mon Nov 24 22:01:07 2025
+From: Sasha Levin
+Date: Mon, 24 Nov 2025 16:00:59 -0500
+Subject: dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups
+To: stable@vger.kernel.org
+Cc: Krzysztof Kozlowski , Conor Dooley , Linus Walleij , Sasha Levin
+Message-ID: <20251124210059.28607-1-sashal@kernel.org>
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 316e361b5d2cdeb8d778983794a1c6eadcb26814 ]
+
+The "groups" property can hold multiple entries (e.g.
+toshiba/tmpv7708-rm-mbrc.dts file), so allow that by dropping incorrect
+type (pinmux-node.yaml schema already defines that as string-array) and
+adding constraints for items. This fixes dtbs_check warnings like:
+
+ toshiba/tmpv7708-rm-mbrc.dtb: pinctrl@24190000 (toshiba,tmpv7708-pinctrl):
+ pwm-pins:groups: ['pwm0_gpio16_grp', 'pwm1_gpio17_grp', 'pwm2_gpio18_grp', 'pwm3_gpio19_grp'] is too long
+
+Fixes: 1825c1fe0057 ("pinctrl: Add DT bindings for Toshiba Visconti TMPV7700 SoC")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski
+Acked-by: Conor Dooley
+Signed-off-by: Linus Walleij
+[ adjusted $ref context ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml | 26 +++++-----
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+--- a/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml
++++ b/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml
+@@ -50,18 +50,20 @@ patternProperties:
+ groups:
+ description:
+ Name of the pin group to use for the functions.
+- $ref: "/schemas/types.yaml#/definitions/string"
+- enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp,
+- i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp,
+- spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp,
+- spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp,
+- uart0_grp, uart1_grp, uart2_grp, uart3_grp,
+- pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp,
+- pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp,
+- pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp,
+- pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp,
+- pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp,
+- pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp]
++ items:
++ enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp,
++ i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp,
++ spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp,
++ spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp,
++ uart0_grp, uart1_grp, uart2_grp, uart3_grp,
++ pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp,
++ pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp,
++ pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp,
++ pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp,
++ pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp,
++ pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp]
++ minItems: 1
++ maxItems: 8
+
+ drive-strength:
+ enum: [2, 4, 6, 8, 16, 24, 32]
diff --git a/queue-6.1/hid-amd_sfh-stop-sensor-before-starting.patch b/queue-6.1/hid-amd_sfh-stop-sensor-before-starting.patch
new file mode 100644
index 0000000000..8609c369fc
--- /dev/null
+++ b/queue-6.1/hid-amd_sfh-stop-sensor-before-starting.patch
@@ -0,0 +1,44 @@
+From stable+bounces-196757-greg=kroah.com@vger.kernel.org Mon Nov 24 16:17:23 2025
+From: Sasha Levin
+Date: Mon, 24 Nov 2025 10:17:15 -0500
+Subject: HID: amd_sfh: Stop sensor before starting
+To: stable@vger.kernel.org
+Cc: "Mario Limonciello (AMD)" , Titas , Jiri Kosina , Sasha Levin
+Message-ID: <20251124151715.4125733-1-sashal@kernel.org>
+
+From: "Mario Limonciello (AMD)"
+
+[ Upstream commit 4d3a13afa8b64dc49293b3eab3e7beac11072c12 ]
+
+Titas reports that the accelerometer sensor on their laptop only
+works after a warm boot or unloading/reloading the amd-sfh kernel
+module.
+
+Presumably the sensor is in a bad state on cold boot and failing to
+start, so explicitly stop it before starting.
+
+Cc: stable@vger.kernel.org
+Fixes: 93ce5e0231d79 ("HID: amd_sfh: Implement SFH1.1 functionality")
+Reported-by: Titas
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220670
+Tested-by: Titas
+Signed-off-by: Mario Limonciello (AMD)
+Signed-off-by: Jiri Kosina
+[ Adjust context ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
++++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
+@@ -163,6 +163,8 @@ static int amd_sfh1_1_hid_client_init(st
+ if (rc)
+ goto cleanup;
+
++ mp2_ops->stop(privdata, cl_data->sensor_idx[i]);
++ amd_sfh_wait_for_response(privdata, cl_data->sensor_idx[i], DISABLE_SENSOR);
+ writel(0, privdata->mmio + AMD_P2C_MSG(0));
+ mp2_ops->start(privdata, info);
+ status = amd_sfh_wait_for_response
diff --git a/queue-6.1/maple_tree-fix-tracepoint-string-pointers.patch b/queue-6.1/maple_tree-fix-tracepoint-string-pointers.patch
new file mode 100644
index 0000000000..bd59f731c7
--- /dev/null
+++ b/queue-6.1/maple_tree-fix-tracepoint-string-pointers.patch
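Review bot: The result of the added `amd_sfh_wait_for_response(privdata, cl_data->sensor_idx[i], DISABLE_SENSOR);` call is discarded, whereas the same helper's result is stored in `status` after `mp2_ops->start()` a few lines further down. If the stop is meant to be best effort, a comment such as `/* best-effort stop: the sensor may be in a bad state on cold boot, so the response is ignored */` should say so; otherwise a stop that never completes goes unnoticed before the start is issued. amd_sfh1_1_hid_client_init() continues outside the hunk, so what happens to `status` afterwards is not visible here.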
@@ -0,0 +1,174 @@
+From 91a54090026f84ceffaa12ac53c99b9f162946f6 Mon Sep 17 00:00:00 2001
+From: Martin Kaiser
+Date: Thu, 30 Oct 2025 16:55:05 +0100
+Subject: maple_tree: fix tracepoint string pointers
+
+From: Martin Kaiser
+
+commit 91a54090026f84ceffaa12ac53c99b9f162946f6 upstream.
+
+maple_tree tracepoints contain pointers to function names. Such a pointer
+is saved when a tracepoint logs an event. There's no guarantee that it's
+still valid when the event is parsed later and the pointer is dereferenced.
+
+The kernel warns about these unsafe pointers.
+
+ event 'ma_read' has unsafe pointer field 'fn'
+ WARNING: kernel/trace/trace.c:3779 at ignore_event+0x1da/0x1e4
+
+Mark the function names as tracepoint_string() to fix the events.
+
+One case that doesn't work without my patch would be trace-cmd record
+to save the binary ringbuffer and trace-cmd report to parse it in
+userspace. The address of __func__ can't be dereferenced from
+userspace but tracepoint_string will add an entry to
+/sys/kernel/tracing/printk_formats
+
+Link: https://lkml.kernel.org/r/20251030155537.87972-1-martin@kaiser.cx
+Fixes: 54a611b60590 ("Maple Tree: add new data structure")
+Signed-off-by: Martin Kaiser
+Acked-by: Liam R. Howlett
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/maple_tree.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+--- a/lib/maple_tree.c
++++ b/lib/maple_tree.c
+@@ -62,6 +62,8 @@
+ #define CREATE_TRACE_POINTS
+ #include
+
++#define TP_FCT tracepoint_string(__func__)
++
+ #define MA_ROOT_PARENT 1
+
+ /*
+@@ -3165,7 +3167,7 @@ static inline int mas_rebalance(struct m
+ MA_STATE(l_mas, mas->tree, mas->index, mas->last);
+ MA_STATE(r_mas, mas->tree, mas->index, mas->last);
+
+- trace_ma_op(__func__, mas);
++ trace_ma_op(TP_FCT, mas);
+
+ /*
+ * Rebalancing occurs if a node is insufficient.
Data is rebalanced
+@@ -3542,7 +3544,7 @@ static int mas_split(struct ma_state *ma
+ MA_STATE(prev_r_mas, mas->tree, mas->index, mas->last);
+ MA_TOPIARY(mat, mas->tree);
+
+- trace_ma_op(__func__, mas);
++ trace_ma_op(TP_FCT, mas);
+ mas->depth = mas_mt_height(mas);
+ /* Allocation failures will happen early. */
+ mas_node_count(mas, 1 + mas->depth * 2);
+@@ -3786,7 +3788,7 @@ static bool mas_is_span_wr(struct ma_wr_
+ return false;
+ }
+
+- trace_ma_write(__func__, wr_mas->mas, piv, entry);
++ trace_ma_write(TP_FCT, wr_mas->mas, piv, entry);
+
+ return true;
+ }
+@@ -4035,7 +4037,7 @@ static inline int mas_wr_spanning_store(
+ * of data may happen.
+ */
+ mas = wr_mas->mas;
+- trace_ma_op(__func__, mas);
++ trace_ma_op(TP_FCT, mas);
+
+ if (unlikely(!mas->index && mas->last == ULONG_MAX))
+ return mas_new_root(mas, wr_mas->entry);
+@@ -4221,7 +4223,7 @@ done:
+ } else {
+ memcpy(wr_mas->node, newnode, sizeof(struct maple_node));
+ }
+- trace_ma_write(__func__, mas, 0, wr_mas->entry);
++ trace_ma_write(TP_FCT, mas, 0, wr_mas->entry);
+ mas_update_gap(mas);
+ return true;
+ }
+@@ -4276,7 +4278,7 @@ static inline bool mas_wr_slot_store(str
+ mas->offset++; /* Keep mas accurate.
*/
+
+ done:
+- trace_ma_write(__func__, mas, 0, wr_mas->entry);
++ trace_ma_write(TP_FCT, mas, 0, wr_mas->entry);
+ mas_update_gap(mas);
+ return true;
+ }
+@@ -4377,7 +4379,7 @@ static void mas_wr_bnode(struct ma_wr_st
+ {
+ struct maple_big_node b_node;
+
+- trace_ma_write(__func__, wr_mas->mas, 0, wr_mas->entry);
++ trace_ma_write(TP_FCT, wr_mas->mas, 0, wr_mas->entry);
+ memset(&b_node, 0, sizeof(struct maple_big_node));
+ mas_store_b_node(wr_mas, &b_node, wr_mas->offset_end);
+ mas_commit_b_node(wr_mas, &b_node, wr_mas->node_end);
+@@ -5722,7 +5724,7 @@ void *mas_store(struct ma_state *mas, vo
+ {
+ MA_WR_STATE(wr_mas, mas, entry);
+
+- trace_ma_write(__func__, mas, 0, entry);
++ trace_ma_write(TP_FCT, mas, 0, entry);
+ #ifdef CONFIG_DEBUG_MAPLE_TREE
+ if (mas->index > mas->last)
+ pr_err("Error %lu > %lu %p\n", mas->index, mas->last, entry);
+@@ -5760,7 +5762,7 @@ int mas_store_gfp(struct ma_state *mas,
+ MA_WR_STATE(wr_mas, mas, entry);
+
+ mas_wr_store_setup(&wr_mas);
+- trace_ma_write(__func__, mas, 0, entry);
++ trace_ma_write(TP_FCT, mas, 0, entry);
+ retry:
+ mas_wr_store_entry(&wr_mas);
+ if (unlikely(mas_nomem(mas, gfp)))
+@@ -5784,7 +5786,7 @@ void mas_store_prealloc(struct ma_state
+ MA_WR_STATE(wr_mas, mas, entry);
+
+ mas_wr_store_setup(&wr_mas);
+- trace_ma_write(__func__, mas, 0, entry);
++ trace_ma_write(TP_FCT, mas, 0, entry);
+ mas_wr_store_entry(&wr_mas);
+ BUG_ON(mas_is_err(mas));
+ mas_destroy(mas);
+@@ -6249,7 +6251,7 @@ void *mtree_load(struct maple_tree *mt,
+ MA_STATE(mas, mt, index, index);
+ void *entry;
+
+- trace_ma_read(__func__, &mas);
++ trace_ma_read(TP_FCT, &mas);
+ rcu_read_lock();
+ retry:
+ entry = mas_start(&mas);
+@@ -6292,7 +6294,7 @@ int mtree_store_range(struct maple_tree
+ MA_STATE(mas, mt, index, last);
+ MA_WR_STATE(wr_mas, &mas, entry);
+
+- trace_ma_write(__func__, &mas, 0, entry);
++ trace_ma_write(TP_FCT, &mas, 0, entry);
+ if (WARN_ON_ONCE(xa_is_advanced(entry)))
+ return -EINVAL;
+
+@@ -6467,7 +6469,7 @@ void
*mtree_erase(struct maple_tree *mt,
+ void *entry = NULL;
+
+ MA_STATE(mas, mt, index, index);
+- trace_ma_op(__func__, &mas);
++ trace_ma_op(TP_FCT, &mas);
+
+ mtree_lock(mt);
+ entry = mas_erase(&mas);
+@@ -6527,7 +6529,7 @@ void *mt_find(struct maple_tree *mt, uns
+ unsigned long copy = *index;
+ #endif
+
+- trace_ma_read(__func__, &mas);
++ trace_ma_read(TP_FCT, &mas);
+
+ if ((*index) > max)
+ return NULL;
diff --git a/queue-6.1/mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch b/queue-6.1/mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch
new file mode 100644
index 0000000000..c4d25edb68
--- /dev/null
+++ b/queue-6.1/mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch
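Review bot: The new `TP_FCT` define near the top of lib/maple_tree.c carries no comment explaining why call sites must use it rather than `__func__`, so a later `trace_ma_*()` call could bring back the unsafe pointer field the commit message describes. I would add a comment above it along the lines of `/* Tracepoints store this pointer and dereference it when the event is parsed; do not pass __func__ directly. */`. The rest of the patch is a mechanical substitution at each call site, and nothing else in it needs attention.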
@@ -0,0 +1,110 @@
+From stable+bounces-196803-greg=kroah.com@vger.kernel.org Mon Nov 24 22:18:31 2025
+From: Sasha Levin
+Date: Mon, 24 Nov 2025 16:18:03 -0500
+Subject: mm/mempool: fix poisoning order>0 pages with HIGHMEM
+To: stable@vger.kernel.org
+Cc: Vlastimil Babka , kernel test robot , Christoph Hellwig , Sasha Levin
+Message-ID: <20251124211803.34596-2-sashal@kernel.org>
+
+From: Vlastimil Babka
+
+[ Upstream commit ec33b59542d96830e3c89845ff833cf7b25ef172 ]
+
+The kernel test has reported:
+
+ BUG: unable to handle page fault for address: fffba000
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ *pde = 03171067 *pte = 00000000
+ Oops: Oops: 0002 [#1]
+ CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca
+ Tainted: [T]=RANDSTRUCT
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+ EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17)
+ Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56
+ EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b
+ ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8
+ DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287
+ CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690
+ Call Trace:
+ poison_element (mm/mempool.c:83 mm/mempool.c:102)
+ mempool_init_node (mm/mempool.c:142 mm/mempool.c:226)
+ mempool_init_noprof (mm/mempool.c:250 (discriminator 1))
+ ? mempool_alloc_pages (mm/mempool.c:640)
+ bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8))
+ ? 
mempool_alloc_pages (mm/mempool.c:640)
+ do_one_initcall (init/main.c:1283)
+
+Christoph found out this is due to the poisoning code not dealing
+properly with CONFIG_HIGHMEM because only the first page is mapped but
+then the whole potentially high-order page is accessed.
+
+We could give up on HIGHMEM here, but it's straightforward to fix this
+with a loop that's mapping, poisoning or checking and unmapping
+individual pages.
+
+Reported-by: kernel test robot
+Closes: https://lore.kernel.org/oe-lkp/202511111411.9ebfa1ba-lkp@intel.com
+Analyzed-by: Christoph Hellwig
+Fixes: bdfedb76f4f5 ("mm, mempool: poison elements backed by slab allocator")
+Cc: stable@vger.kernel.org
+Tested-by: kernel test robot
+Reviewed-by: Christoph Hellwig
+Link: https://patch.msgid.link/20251113-mempool-poison-v1-1-233b3ef984c3@suse.cz
+Signed-off-by: Vlastimil Babka
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/mempool.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+--- a/mm/mempool.c
++++ b/mm/mempool.c
+@@ -62,10 +62,20 @@ static void check_element(mempool_t *poo
+ } else if (pool->free == mempool_free_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_local_page((struct page *)element);
+
+- __check_element(pool, addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_local(addr);
++#ifdef CONFIG_HIGHMEM
++ for (int i = 0; i < (1 << order); i++) {
++ struct page *page = (struct page *)element;
++ void *addr = kmap_local_page(page + i);
++
++ __check_element(pool, addr, PAGE_SIZE);
++ kunmap_local(addr);
++ }
++#else
++ void *addr = page_address((struct page *)element);
++
++ __check_element(pool, addr, PAGE_SIZE << order);
++#endif
+ }
+ }
+
+@@ -85,10 +95,20 @@ static void poison_element(mempool_t *po
+ } else if (pool->alloc == mempool_alloc_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = 
kmap_local_page((struct page *)element);
+
+- __poison_element(addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_local(addr);
++#ifdef CONFIG_HIGHMEM
++ for (int i = 0; i < (1 << order); i++) {
++ struct page *page = (struct page *)element;
++ void *addr = kmap_local_page(page + i);
++
++ __poison_element(addr, PAGE_SIZE);
++ kunmap_local(addr);
++ }
++#else
++ void *addr = page_address((struct page *)element);
++
++ __poison_element(addr, PAGE_SIZE << order);
++#endif
+ }
+ }
+ #else /* CONFIG_DEBUG_SLAB || CONFIG_SLUB_DEBUG_ON */
diff --git a/queue-6.1/mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch b/queue-6.1/mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch
new file mode 100644
index 0000000000..851dc8ad09
--- /dev/null
+++ b/queue-6.1/mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch
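Review bot: In the CONFIG_HIGHMEM branch of check_element(), `struct page *page = (struct page *)element;` is re-evaluated on every iteration although it does not depend on `i`, and poison_element() repeats the same loop shape. Declaring `page` once before the `for` in both functions would read more clearly. Neither branch says why the two configurations differ; a comment such as `/* kmap_local_page() maps a single page, so walk order>0 elements page by page */` above the loop would record the reason given in the commit message. Both function bodies begin outside their hunks.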
@@ -0,0 +1,71 @@
+From stable+bounces-196804-greg=kroah.com@vger.kernel.org Mon Nov 24 22:18:32 2025
+From: Sasha Levin
+Date: Mon, 24 Nov 2025 16:18:02 -0500
+Subject: mm/mempool: replace kmap_atomic() with kmap_local_page()
+To: stable@vger.kernel.org
+Cc: "Fabio M. De Francesco" , Ira Weiny , Andrew Morton , Sasha Levin
+Message-ID: <20251124211803.34596-1-sashal@kernel.org>
+
+From: "Fabio M. De Francesco"
+
+[ Upstream commit f2bcc99a5e901a13b754648d1dbab60f4adf9375 ]
+
+kmap_atomic() has been deprecated in favor of kmap_local_page().
+
+Therefore, replace kmap_atomic() with kmap_local_page().
+
+kmap_atomic() is implemented like a kmap_local_page() which also disables
+page-faults and preemption (the latter only in !PREEMPT_RT kernels). The
+kernel virtual addresses returned by these two API are only valid in the
+context of the callers (i.e., they cannot be handed to other threads).
+
+With kmap_local_page() the mappings are per thread and CPU local like in
+kmap_atomic(); however, they can handle page-faults and can be called from
+any context (including interrupts). The tasks that call kmap_local_page()
+can be preempted and, when they are scheduled to run again, the kernel
+virtual addresses are restored and are still valid.
+
+The code blocks between the mappings and un-mappings don't rely on the
+above-mentioned side effects of kmap_atomic(), so that mere replacements
+of the old API with the new one is all that they require (i.e., there is
+no need to explicitly call pagefault_disable() and/or preempt_disable()).
+
+Link: https://lkml.kernel.org/r/20231120142640.7077-1-fabio.maria.de.francesco@linux.intel.com
+Signed-off-by: Fabio M. 
De Francesco
+Cc: Ira Weiny
+Signed-off-by: Andrew Morton
+Stable-dep-of: ec33b59542d9 ("mm/mempool: fix poisoning order>0 pages with HIGHMEM")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/mempool.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/mm/mempool.c
++++ b/mm/mempool.c
+@@ -62,10 +62,10 @@ static void check_element(mempool_t *poo
+ } else if (pool->free == mempool_free_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_atomic((struct page *)element);
++ void *addr = kmap_local_page((struct page *)element);
+
+ __check_element(pool, addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_atomic(addr);
++ kunmap_local(addr);
+ }
+ }
+
+@@ -85,10 +85,10 @@ static void poison_element(mempool_t *po
+ } else if (pool->alloc == mempool_alloc_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_atomic((struct page *)element);
++ void *addr = kmap_local_page((struct page *)element);
+
+ __poison_element(addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_atomic(addr);
++ kunmap_local(addr);
+ }
+ }
+ #else /* CONFIG_DEBUG_SLAB || CONFIG_SLUB_DEBUG_ON */
diff --git a/queue-6.1/mm-truncate-unmap-large-folio-on-split-failure.patch b/queue-6.1/mm-truncate-unmap-large-folio-on-split-failure.patch
new file mode 100644
index 0000000000..476515c8f2
--- /dev/null
+++ b/queue-6.1/mm-truncate-unmap-large-folio-on-split-failure.patch
@@ -0,0 +1,99 @@
+From fa04f5b60fda62c98a53a60de3a1e763f11feb41 Mon Sep 17 00:00:00 2001
+From: Kiryl Shutsemau
+Date: Mon, 27 Oct 2025 11:56:36 +0000
+Subject: mm/truncate: unmap large folio on split failure
+
+From: Kiryl Shutsemau
+
+commit fa04f5b60fda62c98a53a60de3a1e763f11feb41 upstream.
+
+Accesses within VMA, but beyond i_size rounded up to PAGE_SIZE are
+supposed to generate SIGBUS.
+
+This behavior might not be respected on truncation.
+
+During truncation, the kernel splits a large folio in order to reclaim
+memory. As a side effect, it unmaps the folio and destroys PMD mappings
+of the folio. The folio will be refaulted as PTEs and SIGBUS semantics
+are preserved.
+
+However, if the split fails, PMD mappings are preserved and the user will
+not receive SIGBUS on any accesses within the PMD.
+
+Unmap the folio on split failure. It will lead to refault as PTEs and
+preserve SIGBUS semantics.
+
+Make an exception for shmem/tmpfs that for long time intentionally mapped
+with PMDs across i_size.
+
+Link: https://lkml.kernel.org/r/20251027115636.82382-3-kirill@shutemov.name
+Fixes: b9a8a4195c7d ("truncate,shmem: Handle truncates that split large folios")
+Signed-off-by: Kiryl Shutsemau
+Cc: Al Viro
+Cc: Baolin Wang
+Cc: Christian Brauner
+Cc: "Darrick J. 
Wong"
+Cc: Dave Chinner
+Cc: David Hildenbrand
+Cc: Hugh Dickins
+Cc: Johannes Weiner
+Cc: Liam Howlett
+Cc: Lorenzo Stoakes
+Cc: Matthew Wilcox (Oracle)
+Cc: Michal Hocko
+Cc: Mike Rapoport
+Cc: Rik van Riel
+Cc: Shakeel Butt
+Cc: Suren Baghdasaryan
+Cc: Vlastimil Babka
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Kiryl Shutsemau
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/truncate.c | 27 ++++++++++++++++++++++++++-
+ 1 file changed, 26 insertions(+), 1 deletion(-)
+
+--- a/mm/truncate.c
++++ b/mm/truncate.c
+@@ -196,6 +196,31 @@ int truncate_inode_folio(struct address_
+ return 0;
+ }
+
++static int try_folio_split_or_unmap(struct folio *folio)
++{
++ enum ttu_flags ttu_flags =
++ TTU_SYNC |
++ TTU_SPLIT_HUGE_PMD |
++ TTU_IGNORE_MLOCK;
++ int ret;
++
++ ret = split_folio(folio);
++
++ /*
++ * If the split fails, unmap the folio, so it will be refaulted
++ * with PTEs to respect SIGBUS semantics.
++ *
++ * Make an exception for shmem/tmpfs that for long time
++ * intentionally mapped with PMDs across i_size.
++ */
++ if (ret && !shmem_mapping(folio->mapping)) {
++ try_to_unmap(folio, ttu_flags);
++ WARN_ON(folio_mapped(folio));
++ }
++
++ return ret;
++}
++
+ /*
+ * Handle partial folios. The folio may be entirely within the
+ * range if a split has raced with us. If not, we zero the part of the
+@@ -239,7 +264,7 @@ bool truncate_inode_partial_folio(struct
+ folio_invalidate(folio, offset, length);
+ if (!folio_test_large(folio))
+ return true;
+- if (split_folio(folio) == 0)
++ if (try_folio_split_or_unmap(folio) == 0)
+ return true;
+ if (folio_test_dirty(folio))
+ return false;
diff --git a/queue-6.1/mptcp-decouple-mptcp-fastclose-from-tcp-close.patch b/queue-6.1/mptcp-decouple-mptcp-fastclose-from-tcp-close.patch
new file mode 100644
index 0000000000..7aee631d2b
--- /dev/null
+++ b/queue-6.1/mptcp-decouple-mptcp-fastclose-from-tcp-close.patch
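Review bot: `WARN_ON(folio_mapped(folio));` in the new try_folio_split_or_unmap() fires every time try_to_unmap() leaves the folio mapped, so a repeatable failure would flood the log, and on hosts configured to panic on warnings it would bring the machine down from what looks like a path reachable through truncation. `WARN_ON_ONCE(folio_mapped(folio));` keeps the diagnostic while bounding that. The helper also has no header comment; one stating that it returns split_folio()'s result unchanged, so a non-zero value still means "not split" even when the unmap succeeded, would help readers of the call in truncate_inode_partial_folio().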
@@ -0,0 +1,102 @@
+From stable+bounces-196920-greg=kroah.com@vger.kernel.org Tue Nov 25 16:54:45 2025
+From: Sasha Levin
+Date: Tue, 25 Nov 2025 10:54:29 -0500
+Subject: mptcp: decouple mptcp fastclose from tcp close
+To: stable@vger.kernel.org
+Cc: Paolo Abeni , Geliang Tang , "Matthieu Baerts (NGI0)" , Jakub Kicinski , Sasha Levin
+Message-ID: <20251125155429.693062-1-sashal@kernel.org>
+
+From: Paolo Abeni
+
+[ Upstream commit fff0c87996672816a84c3386797a5e69751c5888 ]
+
+With the current fastclose implementation, the mptcp_do_fastclose()
+helper is in charge of two distinct actions: send the fastclose reset
+and cleanup the subflows.
+
+Formally decouple the two steps, ensuring that mptcp explicitly closes
+all the subflows after the mentioned helper.
+
+This will make the upcoming fix simpler, and allows dropping the 2nd
+argument from mptcp_destroy_common(). The Fixes tag is then the same as
+in the next commit to help with the backports.
+
+Fixes: d21f83485518 ("mptcp: use fastclose on more edge scenarios")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni
+Reviewed-by: Geliang Tang
+Reviewed-by: Matthieu Baerts (NGI0)
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20251118-net-mptcp-misc-fixes-6-18-rc6-v1-5-806d3781c95f@kernel.org
+Signed-off-by: Jakub Kicinski
+[ Adjust context ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mptcp/protocol.c | 13 +++++++++----
+ net/mptcp/protocol.h | 2 +-
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -2826,8 +2826,12 @@ static void mptcp_worker(struct work_str
+ __mptcp_close_subflow(sk);
+
+ if (mptcp_close_tout_expired(sk)) {
++ struct mptcp_subflow_context *subflow, *tmp;
++
+ inet_sk_state_store(sk, TCP_CLOSE);
+ mptcp_do_fastclose(sk);
++ mptcp_for_each_subflow_safe(msk, subflow, tmp)
++ __mptcp_close_ssk(sk, subflow->tcp_sock, subflow, 0);
+ mptcp_close_wake_up(sk);
+ }
+
+@@ -3233,7 +3237,8 
@@ static int mptcp_disconnect(struct sock
+ /* msk->subflow is still intact, the following will not free the first
+ * subflow
+ */
+- mptcp_destroy_common(msk, MPTCP_CF_FASTCLOSE);
++ mptcp_do_fastclose(sk);
++ mptcp_destroy_common(msk);
+ msk->last_snd = NULL;
+
+ /* The first subflow is already in TCP_CLOSE status, the following
+@@ -3456,7 +3461,7 @@ out:
+ return newsk;
+ }
+
+-void mptcp_destroy_common(struct mptcp_sock *msk, unsigned int flags)
++void mptcp_destroy_common(struct mptcp_sock *msk)
+ {
+ struct mptcp_subflow_context *subflow, *tmp;
+ struct sock *sk = (struct sock *)msk;
+@@ -3465,7 +3470,7 @@ void mptcp_destroy_common(struct mptcp_s
+
+ /* join list will be eventually flushed (with rst) at sock lock release time */
+ mptcp_for_each_subflow_safe(msk, subflow, tmp)
+- __mptcp_close_ssk(sk, mptcp_subflow_tcp_sock(subflow), subflow, flags);
++ __mptcp_close_ssk(sk, mptcp_subflow_tcp_sock(subflow), subflow, 0);
+
+ /* move to sk_receive_queue, sk_stream_kill_queues will purge it */
+ mptcp_data_lock(sk);
+@@ -3492,7 +3497,7 @@ static void mptcp_destroy(struct sock *s
+
+ /* allow the following to close even the initial subflow */
+ msk->free_first = 1;
+- mptcp_destroy_common(msk, 0);
++ mptcp_destroy_common(msk);
+ sk_sockets_allocated_dec(sk);
+ }
+
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -762,7 +762,7 @@ static inline void mptcp_write_space(str
+ }
+ }
+
+-void mptcp_destroy_common(struct mptcp_sock *msk, unsigned int flags);
++void mptcp_destroy_common(struct mptcp_sock *msk);
+
+ #define MPTCP_TOKEN_MAX_RETRIES 4
+
diff --git a/queue-6.1/mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch b/queue-6.1/mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch
new file mode 100644
index 0000000000..a1aa4b1fdb
--- /dev/null
+++ b/queue-6.1/mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch
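Review bot: The loop added to mptcp_worker() reads `subflow->tcp_sock` directly, while the equivalent loop in mptcp_destroy_common() in the same patch goes through `mptcp_subflow_tcp_sock(subflow)`. Using the accessor in both places, `__mptcp_close_ssk(sk, mptcp_subflow_tcp_sock(subflow), subflow, 0);`, keeps the two close paths consistent. The literal `0` now passed as the flags argument in both loops would also benefit from a short comment saying that no fastclose flag is wanted there because mptcp_do_fastclose() is called separately beforehand. mptcp_worker() starts and ends outside the hunk.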
@@ -0,0 +1,199 @@ +From stable+bounces-196837-greg=kroah.com@vger.kernel.org Tue Nov 25 03:14:16 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 21:14:06 -0500 +Subject: mptcp: fix a race in mptcp_pm_del_add_timer() +To: stable@vger.kernel.org +Cc: Eric Dumazet , syzbot+2a6fbf0f0530375968df@syzkaller.appspotmail.com, Geliang Tang , "Matthieu Baerts (NGI0)" , Jakub Kicinski , Sasha Levin +Message-ID: <20251125021407.267435-1-sashal@kernel.org> + +From: Eric Dumazet + +[ Upstream commit 426358d9be7ce3518966422f87b96f1bad27295f ] + +mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer) +while another might have free entry already, as reported by syzbot. + +Add RCU protection to fix this issue. + +Also change confusing add_timer variable with stop_timer boolean. + +syzbot report: + +BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 +Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44 + +CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 +Workqueue: events mptcp_worker +Call Trace: + + dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xca/0x240 mm/kasan/report.c:482 + kasan_report+0x118/0x150 mm/kasan/report.c:595 + __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 + sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631 + mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362 + mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174 + tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361 + tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441 + tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931 + tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374 + ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205 + ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239 + NF_HOOK+0x30c/0x3a0 
include/linux/netfilter.h:318 + NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 + __netif_receive_skb_one_core net/core/dev.c:6079 [inline] + __netif_receive_skb+0x143/0x380 net/core/dev.c:6192 + process_backlog+0x31e/0x900 net/core/dev.c:6544 + __napi_poll+0xb6/0x540 net/core/dev.c:7594 + napi_poll net/core/dev.c:7657 [inline] + net_rx_action+0x5f7/0xda0 net/core/dev.c:7784 + handle_softirqs+0x22f/0x710 kernel/softirq.c:622 + __do_softirq kernel/softirq.c:656 [inline] + __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302 + mptcp_pm_send_ack net/mptcp/pm.c:210 [inline] + mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1 + mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002 + mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 + process_one_work kernel/workqueue.c:3263 [inline] + process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 + worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 + kthread+0x711/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + + +Allocated by task 44: + kasan_save_stack mm/kasan/common.c:56 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 + poison_kmalloc_redzone mm/kasan/common.c:400 [inline] + __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417 + kasan_kmalloc include/linux/kasan.h:262 [inline] + __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748 + kmalloc_noprof include/linux/slab.h:957 [inline] + mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385 + mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355 + mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline] + __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529 + mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008 + mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 + process_one_work kernel/workqueue.c:3263 [inline] + process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 + worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 + 
kthread+0x711/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + +Freed by task 6630: + kasan_save_stack mm/kasan/common.c:56 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 + __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587 + kasan_save_free_info mm/kasan/kasan.h:406 [inline] + poison_slab_object mm/kasan/common.c:252 [inline] + __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 + kasan_slab_free include/linux/kasan.h:234 [inline] + slab_free_hook mm/slub.c:2523 [inline] + slab_free mm/slub.c:6611 [inline] + kfree+0x197/0x950 mm/slub.c:6818 + mptcp_remove_anno_list_by_saddr+0x2d/0x40 net/mptcp/pm.c:158 + mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_kernel.c:1209 [inline] + mptcp_nl_flush_addrs_list net/mptcp/pm_kernel.c:1240 [inline] + mptcp_pm_nl_flush_addrs_doit+0x593/0xbb0 net/mptcp/pm_kernel.c:1281 + genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115 + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210 + netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 + netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] + netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346 + netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg+0x21c/0x270 net/socket.c:742 + ____sys_sendmsg+0x508/0x820 net/socket.c:2630 + ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684 + __sys_sendmsg net/socket.c:2716 [inline] + __do_sys_sendmsg net/socket.c:2721 [inline] + __se_sys_sendmsg net/socket.c:2719 [inline] + __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2719 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Cc: stable@vger.kernel.org +Fixes: 00cfd77b9063 ("mptcp: 
retransmit ADD_ADDR when timeout") +Reported-by: syzbot+2a6fbf0f0530375968df@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/691ad3c3.a70a0220.f6df1.0004.GAE@google.com +Signed-off-by: Eric Dumazet +Cc: Geliang Tang +Reviewed-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251117100745.1913963-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +[ applied changes to pm_netlink.c instead of pm.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -28,6 +28,7 @@ struct mptcp_pm_add_entry { + struct timer_list add_timer; + struct mptcp_sock *sock; + u8 retrans_times; ++ struct rcu_head rcu; + }; + + struct pm_nl_pernet { +@@ -354,22 +355,27 @@ mptcp_pm_del_add_timer(struct mptcp_sock + { + struct mptcp_pm_add_entry *entry; + struct sock *sk = (struct sock *)msk; +- struct timer_list *add_timer = NULL; ++ bool stop_timer = false; ++ ++ rcu_read_lock(); + + spin_lock_bh(&msk->pm.lock); + entry = mptcp_lookup_anno_list_by_saddr(msk, addr); + if (entry && (!check_id || entry->addr.id == addr->id)) { + entry->retrans_times = ADD_ADDR_RETRANS_MAX; +- add_timer = &entry->add_timer; ++ stop_timer = true; + } + if (!check_id && entry) + list_del(&entry->list); + spin_unlock_bh(&msk->pm.lock); + +- /* no lock, because sk_stop_timer_sync() is calling del_timer_sync() */ +- if (add_timer) +- sk_stop_timer_sync(sk, add_timer); ++ /* Note: entry might have been removed by another thread. ++ * We hold rcu_read_lock() to ensure it is not freed under us. 
++ */ ++ if (stop_timer) ++ sk_stop_timer_sync(sk, &entry->add_timer); + ++ rcu_read_unlock(); + return entry; + } + +@@ -425,7 +431,7 @@ void mptcp_pm_free_anno_list(struct mptc + + list_for_each_entry_safe(entry, tmp, &free_list, list) { + sk_stop_timer_sync(sk, &entry->add_timer); +- kfree(entry); ++ kfree_rcu(entry, rcu); + } + } + +@@ -1569,7 +1575,7 @@ static bool remove_anno_list_by_saddr(st + + entry = mptcp_pm_del_add_timer(msk, addr, false); + if (entry) { +- kfree(entry); ++ kfree_rcu(entry, rcu); + return true; + } + diff --git a/queue-6.1/mptcp-fix-proto-fallback-detection-with-bpf.patch b/queue-6.1/mptcp-fix-proto-fallback-detection-with-bpf.patch new file mode 100644 index 0000000000..b177de651f --- /dev/null +++ b/queue-6.1/mptcp-fix-proto-fallback-detection-with-bpf.patch 
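Review bot: `mptcp_pm_del_add_timer()` still returns `entry` after `rcu_read_unlock()`, and nothing at the function says when that pointer may be dereferenced. With `check_id` false the entry has been unlinked under `msk->pm.lock`, so the caller owns it, as `remove_anno_list_by_saddr()` does before its `kfree_rcu()`; with `check_id` true it stays on the list and may be freed by another thread once the read-side section ends. A comment above the function would keep the use-after-free from returning through a caller, for example `/* With check_id the result is only a found/not-found indication; it is owned memory only when !check_id. */`. The callers and the start of the function are outside the hunk, so whether any caller dereferences the result in the `check_id` case needs checking. The same goes for any other `kfree()` of a `struct mptcp_pm_add_entry` in this tree beyond the two sites converted here.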
@@ -0,0 +1,101 @@ +From stable+bounces-196771-greg=kroah.com@vger.kernel.org Mon Nov 24 18:18:14 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 12:18:02 -0500 +Subject: mptcp: Fix proto fallback detection with BPF +To: stable@vger.kernel.org +Cc: Jiayuan Chen , Martin KaFai Lau , Jakub Sitnicki , "Matthieu Baerts (NGI0)" , Sasha Levin +Message-ID: <20251124171802.4158681-1-sashal@kernel.org> + +From: Jiayuan Chen + +[ Upstream commit c77b3b79a92e3345aa1ee296180d1af4e7031f8f ] + +The sockmap feature allows bpf syscall from userspace, or based +on bpf sockops, replacing the sk_prot of sockets during protocol stack +processing with sockmap's custom read/write interfaces. +''' +tcp_rcv_state_process() + syn_recv_sock()/subflow_syn_recv_sock() + tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) + bpf_skops_established <== sockops + bpf_sock_map_update(sk) <== call bpf helper + tcp_bpf_update_proto() <== update sk_prot +''' + +When the server has MPTCP enabled but the client sends a TCP SYN +without MPTCP, subflow_syn_recv_sock() performs a fallback on the +subflow, replacing the subflow sk's sk_prot with the native sk_prot. +''' +subflow_syn_recv_sock() + subflow_ulp_fallback() + subflow_drop_ctx() + mptcp_subflow_ops_undo_override() +''' + +Then, this subflow can be normally used by sockmap, which replaces the +native sk_prot with sockmap's custom sk_prot. The issue occurs when the +user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops(). +Here, it uses sk->sk_prot to compare with the native sk_prot, but this +is incorrect when sockmap is used, as we may incorrectly set +sk->sk_socket->ops. + +This fix uses the more generic sk_family for the comparison instead. + +Additionally, this also prevents a WARNING from occurring: + +result from ./scripts/decode_stacktrace.sh: +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \ +(net/mptcp/protocol.c:4005) +Modules linked in: +... 
+ +PKRU: 55555554 +Call Trace: + +do_accept (net/socket.c:1989) +__sys_accept4 (net/socket.c:2028 net/socket.c:2057) +__x64_sys_accept (net/socket.c:2067) +x64_sys_call (arch/x86/entry/syscall_64.c:41) +do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +RIP: 0033:0x7f87ac92b83d + +---[ end trace 0000000000000000 ]--- + +Fixes: 0b4f33def7bb ("mptcp: fix tcp fallback crash") +Signed-off-by: Jiayuan Chen +Signed-off-by: Martin KaFai Lau +Reviewed-by: Jakub Sitnicki +Reviewed-by: Matthieu Baerts (NGI0) +Cc: +Link: https://patch.msgid.link/20251111060307.194196-3-jiayuan.chen@linux.dev +[ applied fix to mptcp_is_tcpsk() instead of mptcp_fallback_tcp_ops() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -79,8 +79,9 @@ static u64 mptcp_wnd_end(const struct mp + static bool mptcp_is_tcpsk(struct sock *sk) + { + struct socket *sock = sk->sk_socket; ++ unsigned short family = READ_ONCE(sk->sk_family); + +- if (unlikely(sk->sk_prot == &tcp_prot)) { ++ if (unlikely(family == AF_INET)) { + /* we are being invoked after mptcp_accept() has + * accepted a non-mp-capable flow: sk is a tcp_sk, + * not an mptcp one. +@@ -91,7 +92,7 @@ static bool mptcp_is_tcpsk(struct sock * + sock->ops = &inet_stream_ops; + return true; + #if IS_ENABLED(CONFIG_MPTCP_IPV6) +- } else if (unlikely(sk->sk_prot == &tcpv6_prot)) { ++ } else if (unlikely(family == AF_INET6)) { + sock->ops = &inet6_stream_ops; + return true; + #endif diff --git a/queue-6.1/pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch b/queue-6.1/pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch new file mode 100644 index 0000000000..436649cb39 --- /dev/null 
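Review bot: After this change `mptcp_is_tcpsk()` decides on `sk->sk_family` alone, and an MPTCP socket opened with AF_INET or AF_INET6 carries the same family value as a plain TCP one. As far as the hunk shows, the predicate now returns true and rewrites `sock->ops` for every IPv4/IPv6 socket, not only for a fallback TCP socket. The backport note in the description says upstream applied the family test in `mptcp_fallback_tcp_ops()`, where the caller has presumably already established that the socket fell back, whereas this helper is itself the test. A discriminator that sockmap does not replace is still needed, for example `if (unlikely(sk->sk_protocol == IPPROTO_TCP && family == AF_INET)) {`, with the same for the AF_INET6 branch. This needs confirming against the callers, which are outside the hunk, as is the end of the function.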
+++ b/queue-6.1/pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch 
@@ -0,0 +1,82 @@ +From stable+bounces-196514-greg=kroah.com@vger.kernel.org Fri Nov 21 17:05:26 2025 +From: Sasha Levin +Date: Fri, 21 Nov 2025 11:04:16 -0500 +Subject: pmdomain: arm: scmi: Fix genpd leak on provider registration failure +To: stable@vger.kernel.org +Cc: Sudeep Holla , Peng Fan , Ulf Hansson , Sasha Levin +Message-ID: <20251121160416.2587981-1-sashal@kernel.org> + +From: Sudeep Holla + +[ Upstream commit 7458f72cc28f9eb0de811effcb5376d0ec19094a ] + +If of_genpd_add_provider_onecell() fails during probe, the previously +created generic power domains are not removed, leading to a memory leak +and potential kernel crash later in genpd_debug_add(). + +Add proper error handling to unwind the initialized domains before +returning from probe to ensure all resources are correctly released on +failure. + +Example crash trace observed without this fix: + + | Unable to handle kernel paging request at virtual address fffffffffffffc70 + | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT + | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform + | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + | pc : genpd_debug_add+0x2c/0x160 + | lr : genpd_debug_init+0x74/0x98 + | Call trace: + | genpd_debug_add+0x2c/0x160 (P) + | genpd_debug_init+0x74/0x98 + | do_one_initcall+0xd0/0x2d8 + | do_initcall_level+0xa0/0x140 + | do_initcalls+0x60/0xa8 + | do_basic_setup+0x28/0x40 + | kernel_init_freeable+0xe8/0x170 + | kernel_init+0x2c/0x140 + | ret_from_fork+0x10/0x20 + +Fixes: 898216c97ed2 ("firmware: arm_scmi: add device power domain support using genpd") +Signed-off-by: Sudeep Holla +Reviewed-by: Peng Fan +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +[ drivers/pmdomain/arm/scmi_pm_domain.c -> drivers/firmware/arm_scmi/scmi_pm_domain.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/arm_scmi/scmi_pm_domain.c | 13 +++++++++++-- + 1 file changed, 11 
insertions(+), 2 deletions(-) + +--- a/drivers/firmware/arm_scmi/scmi_pm_domain.c ++++ b/drivers/firmware/arm_scmi/scmi_pm_domain.c +@@ -54,7 +54,7 @@ static int scmi_pd_power_off(struct gene + + static int scmi_pm_domain_probe(struct scmi_device *sdev) + { +- int num_domains, i; ++ int num_domains, i, ret; + struct device *dev = &sdev->dev; + struct device_node *np = dev->of_node; + struct scmi_pm_domain *scmi_pd; +@@ -112,9 +112,18 @@ static int scmi_pm_domain_probe(struct s + scmi_pd_data->domains = domains; + scmi_pd_data->num_domains = num_domains; + ++ ret = of_genpd_add_provider_onecell(np, scmi_pd_data); ++ if (ret) ++ goto err_rm_genpds; ++ + dev_set_drvdata(dev, scmi_pd_data); + +- return of_genpd_add_provider_onecell(np, scmi_pd_data); ++ return 0; ++err_rm_genpds: ++ for (i = num_domains - 1; i >= 0; i--) ++ pm_genpd_remove(domains[i]); ++ ++ return ret; + } + + static void scmi_pm_domain_remove(struct scmi_device *sdev) diff --git a/queue-6.1/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch b/queue-6.1/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch new file mode 100644 index 0000000000..6f5065c132 --- /dev/null +++ b/queue-6.1/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch 
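Review bot: The new `err_rm_genpds` loop in `scmi_pm_domain_probe()` calls `pm_genpd_remove(domains[i])` for every index and discards the result. The loop that fills `domains[]` is outside the hunk; if it can skip a domain and leave its slot unset, the unwind hands a NULL pointer to `pm_genpd_remove()` and depends on that function rejecting it. An explicit guard states the intent and does not depend on the callee: `if (domains[i]) pm_genpd_remove(domains[i]);`.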
@@ -0,0 +1,38 @@ +From stable+bounces-196517-greg=kroah.com@vger.kernel.org Fri Nov 21 17:04:57 2025 +From: Sasha Levin +Date: Fri, 21 Nov 2025 11:04:48 -0500 +Subject: pmdomain: imx: Fix reference count leak in imx_gpc_remove +To: stable@vger.kernel.org +Cc: Miaoqian Lin , Ulf Hansson , Sasha Levin +Message-ID: <20251121160448.2588409-1-sashal@kernel.org> + +From: Miaoqian Lin + +[ Upstream commit bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 ] + +of_get_child_by_name() returns a node pointer with refcount incremented, we +should use of_node_put() on it when not needed anymore. Add the missing +of_node_put() to avoid refcount leak. + +Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Signed-off-by: Ulf Hansson +[ drivers/pmdomain/imx/gpc.c -> drivers/soc/imx/gpc.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/imx/gpc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/soc/imx/gpc.c ++++ b/drivers/soc/imx/gpc.c +@@ -541,6 +541,8 @@ static int imx_gpc_remove(struct platfor + return ret; + } + ++ of_node_put(pgc_node); ++ + return 0; + } + diff --git a/queue-6.1/pmdomain-samsung-plug-potential-memleak-during-probe.patch b/queue-6.1/pmdomain-samsung-plug-potential-memleak-during-probe.patch new file mode 100644 index 0000000000..5b6ca3606e --- /dev/null +++ b/queue-6.1/pmdomain-samsung-plug-potential-memleak-during-probe.patch 
@@ -0,0 +1,69 @@ +From stable+bounces-196537-greg=kroah.com@vger.kernel.org Fri Nov 21 18:03:15 2025 +From: Sasha Levin +Date: Fri, 21 Nov 2025 11:58:38 -0500 +Subject: pmdomain: samsung: plug potential memleak during probe +To: stable@vger.kernel.org +Cc: "André Draszik" , "Peter Griffin" , "Krzysztof Kozlowski" , "Marek Szyprowski" , "Ulf Hansson" , "Sasha Levin" +Message-ID: <20251121165838.2606571-1-sashal@kernel.org> + +From: André Draszik + +[ Upstream commit 90c82941adf1986364e0f82c35cf59f2bf5f6a1d ] + +of_genpd_add_provider_simple() could fail, in which case this code +leaks the domain name, pd->pd.name. + +Use devm_kstrdup_const() to plug this leak. As a side-effect, we can +simplify existing error handling. + +Fixes: c09a3e6c97f0 ("soc: samsung: pm_domains: Convert to regular platform driver") +Cc: stable@vger.kernel.org +Reviewed-by: Peter Griffin +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: André Draszik +Tested-by: Marek Szyprowski +Signed-off-by: Ulf Hansson +[ drivers/pmdomain/samsung/exynos-pm-domains.c -> drivers/soc/samsung/pm_domains.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/samsung/pm_domains.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/soc/samsung/pm_domains.c ++++ b/drivers/soc/samsung/pm_domains.c +@@ -91,13 +91,14 @@ static const struct of_device_id exynos_ + { }, + }; + +-static const char *exynos_get_domain_name(struct device_node *node) ++static const char *exynos_get_domain_name(struct device *dev, ++ struct device_node *node) + { + const char *name; + + if (of_property_read_string(node, "label", &name) < 0) + name = kbasename(node->full_name); +- return kstrdup_const(name, GFP_KERNEL); ++ return devm_kstrdup_const(dev, name, GFP_KERNEL); + } + + static int exynos_pd_probe(struct platform_device *pdev) +@@ -114,15 +115,13 @@ static int exynos_pd_probe(struct platfo + if (!pd) + return -ENOMEM; + +- pd->pd.name = exynos_get_domain_name(np); ++ 
pd->pd.name = exynos_get_domain_name(dev, np); + if (!pd->pd.name) + return -ENOMEM; + + pd->base = of_iomap(np, 0); +- if (!pd->base) { +- kfree_const(pd->pd.name); ++ if (!pd->base) + return -ENODEV; +- } + + pd->pd.power_off = exynos_pd_power_off; + pd->pd.power_on = exynos_pd_power_on; diff --git a/queue-6.1/selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch b/queue-6.1/selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch new file mode 100644 index 0000000000..2d86e71807 --- /dev/null +++ b/queue-6.1/selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch 
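Review bot: `exynos_get_domain_name()` now returns memory owned by `dev`, but nothing at the function says so, and the `kfree_const()` removed from `exynos_pd_probe()` shows the previous contract was the opposite. A one-line comment above the helper would stop a later error path from freeing the name by hand, which would become a double free once devres runs: `/* Returns a devm-managed string; callers must not kfree_const() it. */`. The rest of `exynos_pd_probe()` is outside the hunk, so any remaining manual free of `pd->pd.name` further down could not be checked here.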
@@ -0,0 +1,45 @@ +From stable+bounces-196548-greg=kroah.com@vger.kernel.org Fri Nov 21 19:10:22 2025 +From: Sasha Levin +Date: Fri, 21 Nov 2025 13:04:36 -0500 +Subject: selftests: mptcp: connect: fix fallback note due to OoO +To: stable@vger.kernel.org +Cc: "Matthieu Baerts (NGI0)" , Geliang Tang , Jakub Kicinski , Sasha Levin +Message-ID: <20251121180436.2635827-1-sashal@kernel.org> + +From: "Matthieu Baerts (NGI0)" + +[ Upstream commit 63c643aa7b7287fdbb0167063785f89ece3f000f ] + +The "fallback due to TCP OoO" was never printed because the stat_ooo_now +variable was checked twice: once in the parent if-statement, and one in +the child one. The second condition was then always true then, and the +'else' branch was never taken. + +The idea is that when there are more ACK + MP_CAPABLE than expected, the +test either fails if there was no out of order packets, or a notice is +printed. + +Fixes: 69ca3d29a755 ("mptcp: update selftest for fallback due to OoO") +Cc: stable@vger.kernel.org +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-1-a4332c714e10@kernel.org +Signed-off-by: Jakub Kicinski +[ Different operators used ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_connect.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh +@@ -523,7 +523,7 @@ do_transfer() + "${stat_synrx_now_l}" "${expect_synrx}" 1>&2 + retc=1 + fi +- if [ ${stat_ackrx_now_l} -lt ${expect_ackrx} -a ${stat_ooo_now} -eq 0 ]; then ++ if [ ${stat_ackrx_now_l} -lt ${expect_ackrx} ]; then + if [ ${stat_ooo_now} -eq 0 ]; then + printf "[ FAIL ] lower MPC ACK rx (%d) than expected (%d)\n" \ + "${stat_ackrx_now_l}" "${expect_ackrx}" 1>&2 
diff --git a/queue-6.1/selftests-mptcp-join-rm-set-backup-flag.patch b/queue-6.1/selftests-mptcp-join-rm-set-backup-flag.patch new file mode 100644 index 0000000000..aa872f46e2 --- /dev/null +++ b/queue-6.1/selftests-mptcp-join-rm-set-backup-flag.patch 
@@ -0,0 +1,170 @@ +From stable+bounces-196549-greg=kroah.com@vger.kernel.org Fri Nov 21 19:10:52 2025 +From: Sasha Levin +Date: Fri, 21 Nov 2025 13:06:53 -0500 +Subject: selftests: mptcp: join: rm: set backup flag +To: stable@vger.kernel.org +Cc: "Matthieu Baerts (NGI0)" , Geliang Tang , Jakub Kicinski , Sasha Levin +Message-ID: <20251121180653.2636754-1-sashal@kernel.org> + +From: "Matthieu Baerts (NGI0)" + +[ Upstream commit aea73bae662a0e184393d6d7d0feb18d2577b9b9 ] + +Some of these 'remove' tests rarely fail because a subflow has been +reset instead of cleanly removed. This can happen when one extra subflow +which has never carried data is being closed (FIN) on one side, while +the other is sending data for the first time. + +To avoid such subflows to be used right at the end, the backup flag has +been added. With that, data will be only carried on the initial subflow. + +Fixes: d2c4333a801c ("selftests: mptcp: add testcases for removing addrs") +Cc: stable@vger.kernel.org +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-2-a4332c714e10@kernel.org +Signed-off-by: Jakub Kicinski +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 54 ++++++++++++------------ + 1 file changed, 27 insertions(+), 27 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -2332,7 +2332,7 @@ remove_tests() + if reset "remove single subflow"; then + pm_nl_set_limits $ns1 0 1 + pm_nl_set_limits $ns2 0 1 +- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow ++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup + run_tests $ns1 $ns2 10.0.1.1 0 0 -1 slow + chk_join_nr 1 1 1 + chk_rm_nr 1 1 +@@ -2343,8 +2343,8 @@ remove_tests() + if reset "remove multiple subflows"; then + pm_nl_set_limits $ns1 0 2 + pm_nl_set_limits $ns2 0 2 +- pm_nl_add_endpoint 
$ns2 10.0.2.2 flags subflow +- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow ++ pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow,backup ++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup + run_tests $ns1 $ns2 10.0.1.1 0 0 -2 slow + chk_join_nr 2 2 2 + chk_rm_nr 2 2 +@@ -2354,7 +2354,7 @@ remove_tests() + # single address, remove + if reset "remove single address"; then + pm_nl_set_limits $ns1 0 1 +- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal ++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup + pm_nl_set_limits $ns2 1 1 + run_tests $ns1 $ns2 10.0.1.1 0 -1 0 slow + chk_join_nr 1 1 1 +@@ -2366,9 +2366,9 @@ remove_tests() + # subflow and signal, remove + if reset "remove subflow and signal"; then + pm_nl_set_limits $ns1 0 2 +- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal ++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup + pm_nl_set_limits $ns2 1 2 +- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow ++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup + run_tests $ns1 $ns2 10.0.1.1 0 -1 -1 slow + chk_join_nr 2 2 2 + chk_add_nr 1 1 +@@ -2379,10 +2379,10 @@ remove_tests() + # subflows and signal, remove + if reset "remove subflows and signal"; then + pm_nl_set_limits $ns1 0 3 +- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal ++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup + pm_nl_set_limits $ns2 1 3 +- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow +- pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow ++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup ++ pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow,backup + run_tests $ns1 $ns2 10.0.1.1 0 -1 -2 speed_10 + chk_join_nr 3 3 3 + chk_add_nr 1 1 +@@ -2393,9 +2393,9 @@ remove_tests() + # addresses remove + if reset "remove addresses"; then + pm_nl_set_limits $ns1 3 3 +- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal id 250 +- pm_nl_add_endpoint $ns1 10.0.3.1 flags signal +- pm_nl_add_endpoint $ns1 10.0.4.1 flags signal ++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup id 250 ++ 
pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup ++ pm_nl_add_endpoint $ns1 10.0.4.1 flags signal,backup + pm_nl_set_limits $ns2 3 3 + run_tests $ns1 $ns2 10.0.1.1 0 -3 0 speed_10 + chk_join_nr 3 3 3 +@@ -2407,10 +2407,10 @@ remove_tests() + # invalid addresses remove + if reset "remove invalid addresses"; then + pm_nl_set_limits $ns1 3 3 +- pm_nl_add_endpoint $ns1 10.0.12.1 flags signal ++ pm_nl_add_endpoint $ns1 10.0.12.1 flags signal,backup + # broadcast IP: no packet for this address will be received on ns1 +- pm_nl_add_endpoint $ns1 224.0.0.1 flags signal +- pm_nl_add_endpoint $ns1 10.0.3.1 flags signal ++ pm_nl_add_endpoint $ns1 224.0.0.1 flags signal,backup ++ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup + pm_nl_set_limits $ns2 2 2 + run_tests $ns1 $ns2 10.0.1.1 0 -3 0 speed_10 + chk_join_nr 1 1 1 +@@ -2422,10 +2422,10 @@ remove_tests() + # subflows and signal, flush + if reset "flush subflows and signal"; then + pm_nl_set_limits $ns1 0 3 +- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal ++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup + pm_nl_set_limits $ns2 1 3 +- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow +- pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow ++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup ++ pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow,backup + run_tests $ns1 $ns2 10.0.1.1 0 -8 -8 slow + chk_join_nr 3 3 3 + chk_add_nr 1 1 +@@ -2437,9 +2437,9 @@ remove_tests() + if reset "flush subflows"; then + pm_nl_set_limits $ns1 3 3 + pm_nl_set_limits $ns2 3 3 +- pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow id 150 +- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow +- pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow ++ pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow,backup id 150 ++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup ++ pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow,backup + run_tests $ns1 $ns2 10.0.1.1 0 -8 -8 slow + chk_join_nr 3 3 3 + +@@ -2454,9 +2454,9 @@ remove_tests() + # addresses flush + if reset 
"flush addresses"; then + pm_nl_set_limits $ns1 3 3 +- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal id 250 +- pm_nl_add_endpoint $ns1 10.0.3.1 flags signal +- pm_nl_add_endpoint $ns1 10.0.4.1 flags signal ++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup id 250 ++ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup ++ pm_nl_add_endpoint $ns1 10.0.4.1 flags signal,backup + pm_nl_set_limits $ns2 3 3 + run_tests $ns1 $ns2 10.0.1.1 0 -8 -8 slow + chk_join_nr 3 3 3 +@@ -2468,9 +2468,9 @@ remove_tests() + # invalid addresses flush + if reset "flush invalid addresses"; then + pm_nl_set_limits $ns1 3 3 +- pm_nl_add_endpoint $ns1 10.0.12.1 flags signal +- pm_nl_add_endpoint $ns1 10.0.3.1 flags signal +- pm_nl_add_endpoint $ns1 10.0.14.1 flags signal ++ pm_nl_add_endpoint $ns1 10.0.12.1 flags signal,backup ++ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup ++ pm_nl_add_endpoint $ns1 10.0.14.1 flags signal,backup + pm_nl_set_limits $ns2 3 3 + run_tests $ns1 $ns2 10.0.1.1 0 -8 0 slow + chk_join_nr 1 1 1 diff --git a/queue-6.1/series b/queue-6.1/series index e5598c4471..1a4a1c212d 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
@@ -476,3 +476,19 @@ mm-mm_init-fix-hash-table-order-logging-in-alloc_lar.patch
 alsa-usb-audio-fix-uac2-clock-source-at-terminal-par.patch
 net-ethernet-ti-netcp-standardize-knav_dma_open_chan.patch
 tracing-tools-fix-incorrcet-short-option-in-usage-te.patch
+uio_hv_generic-set-event-for-all-channels-on-the-device.patch
+mm-truncate-unmap-large-folio-on-split-failure.patch
+maple_tree-fix-tracepoint-string-pointers.patch
+mptcp-decouple-mptcp-fastclose-from-tcp-close.patch
+mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch
+mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch
+mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch
+dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch
+ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch
+mptcp-fix-proto-fallback-detection-with-bpf.patch
+hid-amd_sfh-stop-sensor-before-starting.patch
+selftests-mptcp-join-rm-set-backup-flag.patch
+selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch
+pmdomain-samsung-plug-potential-memleak-during-probe.patch
+pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch
+pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch
diff --git a/queue-6.1/uio_hv_generic-set-event-for-all-channels-on-the-device.patch b/queue-6.1/uio_hv_generic-set-event-for-all-channels-on-the-device.patch
new file mode 100644
index 0000000000..7152ae9abe
--- /dev/null
+++ b/queue-6.1/uio_hv_generic-set-event-for-all-channels-on-the-device.patch
@@ -0,0 +1,74 @@
+From d062463edf1770427dc2d637df4088df4835aa47 Mon Sep 17 00:00:00 2001
+From: Long Li
+Date: Mon, 10 Mar 2025 15:12:01 -0700
+Subject: uio_hv_generic: Set event for all channels on the device
+
+From: Long Li
+
+commit d062463edf1770427dc2d637df4088df4835aa47 upstream.
+
+Hyper-V may offer a non latency sensitive device with subchannels without
+monitor bit enabled. The decision is entirely on the Hyper-V host not
+configurable within guest.
+
+When a device has subchannels, also signal events for the subchannel
+if its monitor bit is disabled.
+
+This patch also removes the memory barrier when monitor bit is enabled
+as it is not necessary. The memory barrier is only needed between
+setting up interrupt mask and calling vmbus_set_event() when monitor
+bit is disabled.
+
+Signed-off-by: Long Li
+Reviewed-by: Michael Kelley
+Reviewed-by: Saurabh Sengar
+Link: https://lore.kernel.org/r/1741644721-20389-1-git-send-email-longli@linuxonhyperv.com
+Fixes: b15b7d2a1b09 ("uio_hv_generic: Let userspace take care of interrupt mask")
+Closes: https://bugs.debian.org/1120602
+Signed-off-by: Naman Jain
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/uio/uio_hv_generic.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+--- a/drivers/uio/uio_hv_generic.c
++++ b/drivers/uio/uio_hv_generic.c
+@@ -80,9 +80,15 @@ hv_uio_irqcontrol(struct uio_info *info,
+ {
+ struct hv_uio_private_data *pdata = info->priv;
+ struct hv_device *dev = pdata->device;
++ struct vmbus_channel *primary, *sc;
+
+- dev->channel->inbound.ring_buffer->interrupt_mask = !irq_state;
+- virt_mb();
++ primary = dev->channel;
++ primary->inbound.ring_buffer->interrupt_mask = !irq_state;
++
++ mutex_lock(&vmbus_connection.channel_mutex);
++ list_for_each_entry(sc, &primary->sc_list, sc_list)
++ sc->inbound.ring_buffer->interrupt_mask = !irq_state;
++ mutex_unlock(&vmbus_connection.channel_mutex);
+
+ return 0;
+ }
+@@ -93,11 +99,18 @@ hv_uio_irqcontrol(struct uio_info *info,
+ static void hv_uio_channel_cb(void *context)
+ {
+ struct vmbus_channel *chan = context;
+- struct hv_device *hv_dev = chan->device_obj;
+- struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev);
++ struct hv_device *hv_dev;
++ struct hv_uio_private_data *pdata;
+
+ virt_mb();
+
++ /*
++ * The callback may come from a subchannel, in which case look
++ * for the hv device in the primary channel
++ */
++ hv_dev = chan->primary_channel ?
++ chan->primary_channel->device_obj : chan->device_obj;
++ pdata = hv_get_drvdata(hv_dev);
+ uio_event_notify(&pdata->info);
+ }
+
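Review bot: The new loop in hv_uio_irqcontrol() stores through `sc->inbound.ring_buffer` for every entry on `primary->sc_list` without checking that the subchannel's ring-buffer pointer is set. The hunk does not show whether a subchannel can be linked on `sc_list` before its ring buffer has been set up; if it can, an irqcontrol request arriving from userspace through the UIO device in that window would dereference NULL in the kernel. Unless that ordering is guaranteed elsewhere, guard the store with `if (sc->inbound.ring_buffer)` before `sc->inbound.ring_buffer->interrupt_mask = !irq_state;` (bracing the loop body), or add a comment naming the invariant that makes the pointer valid while `channel_mutex` is held. The function's signature begins outside the hunk, so its callers and locking context are not visible here.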