--- /dev/null
+From f15fb3d41543244d1179f423da4a4832a55bc050 Mon Sep 17 00:00:00 2001
+From: Mark Harmstone <mark@harmstone.com>
+Date: Fri, 20 Feb 2026 12:53:17 +0000
+Subject: btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies()
+
+From: Mark Harmstone <mark@harmstone.com>
+
+commit f15fb3d41543244d1179f423da4a4832a55bc050 upstream.
+
+Fix a chunk map leak in btrfs_map_block(): if we return early with -EINVAL,
+we're not freeing the chunk map that we've just looked up.
+
+Fixes: 0ae653fbec2b ("btrfs: reduce chunk_map lookups in btrfs_map_block()")
+CC: stable@vger.kernel.org # 6.12+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Mark Harmstone <mark@harmstone.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -6522,8 +6522,10 @@ int btrfs_map_block(struct btrfs_fs_info
+ return PTR_ERR(map);
+
+ num_copies = btrfs_chunk_map_num_copies(map);
+- if (io_geom.mirror_num > num_copies)
+- return -EINVAL;
++ if (io_geom.mirror_num > num_copies) {
++ ret = -EINVAL;
++ goto out;
++ }
+
+ map_offset = logical - map->start;
+ io_geom.raid56_full_stripe_start = (u64)-1;
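Review bot: The new `goto out` depends on a cleanup label that is outside this hunk, so it is not visible here that `out:` releases `map` and touches nothing that is still unset this early in btrfs_map_block(). It would help to confirm that every local the label reads is initialised at its declaration. A short comment at the branch would keep the next early exit from reintroducing the leak, for example `/* map is held from here on; every exit must go through out */`.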
--- /dev/null
+From 2692c614f8f05929d692b3dbfd3faef1f00fbaf0 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Tue, 10 Feb 2026 14:58:22 +0100
+Subject: device property: Allow secondary lookup in fwnode_get_next_child_node()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 2692c614f8f05929d692b3dbfd3faef1f00fbaf0 upstream.
+
+When device_get_child_node_count() got split to the fwnode and device
+respective APIs, the fwnode didn't inherit the ability to traverse over
+the secondary fwnode. Hence any user, that switches from device to fwnode
+API misses this feature. In particular, this was revealed by the commit
+1490cbb9dbfd ("device property: Split fwnode_get_child_node_count()")
+that effectively broke the GPIO enumeration on Intel Galileo boards.
+Fix this by moving the secondary lookup from device to fwnode API.
+
+Note, in general no device_*() API should go into the depth of the fwnode
+implementation.
+
+Fixes: 114dbb4fa7c4 ("drivers property: When no children in primary, try secondary")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Link: https://patch.msgid.link/20260210135822.47335-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/property.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+--- a/drivers/base/property.c
++++ b/drivers/base/property.c
+@@ -759,7 +759,18 @@ struct fwnode_handle *
+ fwnode_get_next_child_node(const struct fwnode_handle *fwnode,
+ struct fwnode_handle *child)
+ {
+- return fwnode_call_ptr_op(fwnode, get_next_child_node, child);
++ struct fwnode_handle *next;
++
++ if (IS_ERR_OR_NULL(fwnode))
++ return NULL;
++
++ /* Try to find a child in primary fwnode */
++ next = fwnode_call_ptr_op(fwnode, get_next_child_node, child);
++ if (next)
++ return next;
++
++ /* When no more children in primary, continue with secondary */
++ return fwnode_call_ptr_op(fwnode->secondary, get_next_child_node, child);
+ }
+ EXPORT_SYMBOL_GPL(fwnode_get_next_child_node);
+
+@@ -803,19 +814,7 @@ EXPORT_SYMBOL_GPL(fwnode_get_next_availa
+ struct fwnode_handle *device_get_next_child_node(const struct device *dev,
+ struct fwnode_handle *child)
+ {
+- const struct fwnode_handle *fwnode = dev_fwnode(dev);
+- struct fwnode_handle *next;
+-
+- if (IS_ERR_OR_NULL(fwnode))
+- return NULL;
+-
+- /* Try to find a child in primary fwnode */
+- next = fwnode_get_next_child_node(fwnode, child);
+- if (next)
+- return next;
+-
+- /* When no more children in primary, continue with secondary */
+- return fwnode_get_next_child_node(fwnode->secondary, child);
++ return fwnode_get_next_child_node(dev_fwnode(dev), child);
+ }
+ EXPORT_SYMBOL_GPL(device_get_next_child_node);
+
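Review bot: Moving the secondary lookup into fwnode_get_next_child_node() changes what every fwnode-level caller sees, but the function's kernel-doc is outside the hunk and is not updated by this patch. Iterators built on this helper will now also return children of `fwnode->secondary` once the primary is exhausted. The header comment should say so, along the lines of `* When the primary fwnode has no more children, the walk continues with the children of its secondary fwnode, if any.` The secondary call receives the same `child` pointer that the primary op has just been handed; this is carried over from the removed device_get_next_child_node() body, and the reference handling of the ops is not visible here.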
--- /dev/null
+From 6b0d812971370c64b837a2db4275410f478272fe Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Wed, 25 Feb 2026 10:51:16 -0600
+Subject: drm/amd: Disable MES LR compute W/A
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 6b0d812971370c64b837a2db4275410f478272fe upstream.
+
+A workaround was introduced in commit 1fb710793ce2 ("drm/amdgpu: Enable
+MES lr_compute_wa by default") to help with some hangs observed in gfx1151.
+
+This WA didn't fully fix the issue. It was actually fixed by adjusting
+the VGPR size to the correct value that matched the hardware in commit
+b42f3bf9536c ("drm/amdkfd: bump minimum vgpr size for gfx1151").
+
+There are reports of instability on other products with newer GC microcode
+versions, and I believe they're caused by this workaround. As we don't
+need the workaround any more, remove it.
+
+Fixes: b42f3bf9536c ("drm/amdkfd: bump minimum vgpr size for gfx1151")
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 9973e64bd6ee7642860a6f3b6958cbf14e89cabd)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 5 -----
+ drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 5 -----
+ 2 files changed, 10 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
+@@ -677,11 +677,6 @@ static int mes_v11_0_set_hw_resources(st
+ mes_set_hw_res_pkt.enable_reg_active_poll = 1;
+ mes_set_hw_res_pkt.enable_level_process_quantum_check = 1;
+ mes_set_hw_res_pkt.oversubscription_timer = 50;
+- if ((mes->adev->mes.sched_version & AMDGPU_MES_VERSION_MASK) >= 0x7f)
+- mes_set_hw_res_pkt.enable_lr_compute_wa = 1;
+- else
+- dev_info_once(mes->adev->dev,
+- "MES FW version must be >= 0x7f to enable LR compute workaround.\n");
+
+ if (amdgpu_mes_log_enable) {
+ mes_set_hw_res_pkt.enable_mes_event_int_logging = 1;
+--- a/drivers/gpu/drm/amd/amdgpu/mes_v12_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/mes_v12_0.c
+@@ -615,11 +615,6 @@ static int mes_v12_0_set_hw_resources(st
+ mes_set_hw_res_pkt.use_different_vmid_compute = 1;
+ mes_set_hw_res_pkt.enable_reg_active_poll = 1;
+ mes_set_hw_res_pkt.enable_level_process_quantum_check = 1;
+- if ((mes->adev->mes.sched_version & AMDGPU_MES_VERSION_MASK) >= 0x82)
+- mes_set_hw_res_pkt.enable_lr_compute_wa = 1;
+- else
+- dev_info_once(adev->dev,
+- "MES FW version must be >= 0x82 to enable LR compute workaround.\n");
+
+ /*
+ * Keep oversubscribe timer for sdma . When we have unmapped doorbell
--- /dev/null
+From 803ec1faf7c1823e6e3b1f2aaa81be18528c9436 Mon Sep 17 00:00:00 2001
+From: Osama Abdelkader <osama.abdelkader@gmail.com>
+Date: Mon, 9 Feb 2026 19:41:14 +0100
+Subject: drm/bridge: samsung-dsim: Fix memory leak in error path
+
+From: Osama Abdelkader <osama.abdelkader@gmail.com>
+
+commit 803ec1faf7c1823e6e3b1f2aaa81be18528c9436 upstream.
+
+In samsung_dsim_host_attach(), drm_bridge_add() is called to add the
+bridge. However, if samsung_dsim_register_te_irq() or
+pdata->host_ops->attach() fails afterwards, the function returns
+without removing the bridge, causing a memory leak.
+
+Fix this by adding proper error handling with goto labels to ensure
+drm_bridge_remove() is called in all error paths. Also ensure that
+samsung_dsim_unregister_te_irq() is called if the attach operation
+fails after the TE IRQ has been registered.
+
+samsung_dsim_unregister_te_irq() function is moved without changes
+to be before samsung_dsim_host_attach() to avoid forward declaration.
+
+Fixes: e7447128ca4a ("drm: bridge: Generalize Exynos-DSI driver into a Samsung DSIM bridge")
+Cc: stable@vger.kernel.org
+Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
+Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Link: https://patch.msgid.link/20260209184115.10937-1-osama.abdelkader@gmail.com
+Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/samsung-dsim.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+--- a/drivers/gpu/drm/bridge/samsung-dsim.c
++++ b/drivers/gpu/drm/bridge/samsung-dsim.c
+@@ -1697,6 +1697,14 @@ static int samsung_dsim_register_te_irq(
+ return 0;
+ }
+
++static void samsung_dsim_unregister_te_irq(struct samsung_dsim *dsi)
++{
++ if (dsi->te_gpio) {
++ free_irq(gpiod_to_irq(dsi->te_gpio), dsi);
++ gpiod_put(dsi->te_gpio);
++ }
++}
++
+ static int samsung_dsim_host_attach(struct mipi_dsi_host *host,
+ struct mipi_dsi_device *device)
+ {
+@@ -1771,13 +1779,13 @@ of_find_panel_or_bridge:
+ if (!(device->mode_flags & MIPI_DSI_MODE_VIDEO)) {
+ ret = samsung_dsim_register_te_irq(dsi, &device->dev);
+ if (ret)
+- return ret;
++ goto err_remove_bridge;
+ }
+
+ if (pdata->host_ops && pdata->host_ops->attach) {
+ ret = pdata->host_ops->attach(dsi, device);
+ if (ret)
+- return ret;
++ goto err_unregister_te_irq;
+ }
+
+ dsi->lanes = device->lanes;
+@@ -1785,14 +1793,13 @@ of_find_panel_or_bridge:
+ dsi->mode_flags = device->mode_flags;
+
+ return 0;
+-}
+
+-static void samsung_dsim_unregister_te_irq(struct samsung_dsim *dsi)
+-{
+- if (dsi->te_gpio) {
+- free_irq(gpiod_to_irq(dsi->te_gpio), dsi);
+- gpiod_put(dsi->te_gpio);
+- }
++err_unregister_te_irq:
++ if (!(device->mode_flags & MIPI_DSI_MODE_VIDEO))
++ samsung_dsim_unregister_te_irq(dsi);
++err_remove_bridge:
++ drm_bridge_remove(&dsi->bridge);
++ return ret;
+ }
+
+ static int samsung_dsim_host_detach(struct mipi_dsi_host *host,
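Review bot: samsung_dsim_unregister_te_irq() frees the IRQ and puts the GPIO but leaves `dsi->te_gpio` pointing at the released descriptor, and the new `err_unregister_te_irq` path now calls it during a failed attach. If anything later calls the helper again for the same `dsi` (a detach after the failed attach, or a later attach that fails), the `if (dsi->te_gpio)` guard still passes and the IRQ and descriptor are released twice. Clearing the field in the helper makes it idempotent: add `dsi->te_gpio = NULL;` after `gpiod_put(dsi->te_gpio);`. Whether samsung_dsim_register_te_irq() leaves `te_gpio` set on its own failure is not visible in this hunk and is worth checking for the same reason.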
--- /dev/null
+From 0b87d51690dd5131cbe9fbd23746b037aab89815 Mon Sep 17 00:00:00 2001
+From: Franz Schnyder <franz.schnyder@toradex.com>
+Date: Fri, 6 Feb 2026 13:37:36 +0100
+Subject: drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used
+
+From: Franz Schnyder <franz.schnyder@toradex.com>
+
+commit 0b87d51690dd5131cbe9fbd23746b037aab89815 upstream.
+
+Fallback to polling to detect hotplug events on systems without
+interrupts.
+
+On systems where the interrupt line of the bridge is not connected,
+the bridge cannot notify hotplug events. Only add the
+DRM_BRIDGE_OP_HPD flag if an interrupt has been registered
+otherwise remain in polling mode.
+
+Fixes: 55e8ff842051 ("drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type")
+Cc: stable@vger.kernel.org # 6.16: 9133bc3f0564: drm/bridge: ti-sn65dsi86: Add
+Signed-off-by: Franz Schnyder <franz.schnyder@toradex.com>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+[dianders: Adjusted Fixes/stable line based on discussion]
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://patch.msgid.link/20260206123758.374555-1-fra.schnyder@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/ti-sn65dsi86.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+@@ -1326,6 +1326,7 @@ static int ti_sn_bridge_probe(struct aux
+ {
+ struct ti_sn65dsi86 *pdata = dev_get_drvdata(adev->dev.parent);
+ struct device_node *np = pdata->dev->of_node;
++ const struct i2c_client *client = to_i2c_client(pdata->dev);
+ int ret;
+
+ pdata->next_bridge = devm_drm_of_get_bridge(&adev->dev, np, 1, 0);
+@@ -1345,8 +1346,9 @@ static int ti_sn_bridge_probe(struct aux
+ ? DRM_MODE_CONNECTOR_DisplayPort : DRM_MODE_CONNECTOR_eDP;
+
+ if (pdata->bridge.type == DRM_MODE_CONNECTOR_DisplayPort) {
+- pdata->bridge.ops = DRM_BRIDGE_OP_EDID | DRM_BRIDGE_OP_DETECT |
+- DRM_BRIDGE_OP_HPD;
++ pdata->bridge.ops = DRM_BRIDGE_OP_EDID | DRM_BRIDGE_OP_DETECT;
++ if (client->irq)
++ pdata->bridge.ops |= DRM_BRIDGE_OP_HPD;
+ /*
+ * If comms were already enabled they would have been enabled
+ * with the wrong value of HPD_DISABLE. Update it now. Comms
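Review bot: `if (client->irq)` tests only that an interrupt number was assigned to the I2C client, while the commit text says HPD is enabled "if an interrupt has been registered"; the registration itself is not in this hunk, so the two are assumed to coincide. A comment at the branch would record why the flag is conditional, for example `/* No IRQ line: leave DRM_BRIDGE_OP_HPD clear so the connector is polled */`. The new `to_i2c_client(pdata->dev)` also assumes `pdata->dev` is always embedded in a `struct i2c_client`, which this hunk does not show. ti_sn_bridge_probe() continues outside the hunk.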
--- /dev/null
+From 326256c0a72d4877cec1d4df85357da106233128 Mon Sep 17 00:00:00 2001
+From: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
+Date: Tue, 13 Jan 2026 20:38:16 +0100
+Subject: ice: reintroduce retry mechanism for indirect AQ
+
+From: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
+
+commit 326256c0a72d4877cec1d4df85357da106233128 upstream.
+
+Add retry mechanism for indirect Admin Queue (AQ) commands. To do so we
+need to keep the command buffer.
+
+This technically reverts commit 43a630e37e25
+("ice: remove unused buffer copy code in ice_sq_send_cmd_retry()"),
+but combines it with a fix in the logic by using a kmemdup() call,
+making it more robust and less likely to break in the future due to
+programmer error.
+
+Cc: Michal Schmidt <mschmidt@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 3056df93f7a8 ("ice: Re-send some AQ commands, as result of EBUSY AQ error")
+Signed-off-by: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
+Co-developed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
+Signed-off-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ice/ice_common.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/intel/ice/ice_common.c
++++ b/drivers/net/ethernet/intel/ice/ice_common.c
+@@ -1579,6 +1579,7 @@ ice_sq_send_cmd_retry(struct ice_hw *hw,
+ {
+ struct ice_aq_desc desc_cpy;
+ bool is_cmd_for_retry;
++ u8 *buf_cpy = NULL;
+ u8 idx = 0;
+ u16 opcode;
+ int status;
+@@ -1588,8 +1589,11 @@ ice_sq_send_cmd_retry(struct ice_hw *hw,
+ memset(&desc_cpy, 0, sizeof(desc_cpy));
+
+ if (is_cmd_for_retry) {
+- /* All retryable cmds are direct, without buf. */
+- WARN_ON(buf);
++ if (buf) {
++ buf_cpy = kmemdup(buf, buf_size, GFP_KERNEL);
++ if (!buf_cpy)
++ return -ENOMEM;
++ }
+
+ memcpy(&desc_cpy, desc, sizeof(desc_cpy));
+ }
+@@ -1601,12 +1605,14 @@ ice_sq_send_cmd_retry(struct ice_hw *hw,
+ hw->adminq.sq_last_status != ICE_AQ_RC_EBUSY)
+ break;
+
++ if (buf_cpy)
++ memcpy(buf, buf_cpy, buf_size);
+ memcpy(desc, &desc_cpy, sizeof(desc_cpy));
+-
+ msleep(ICE_SQ_SEND_DELAY_TIME_MS);
+
+ } while (++idx < ICE_SQ_SEND_MAX_EXECUTE);
+
++ kfree(buf_cpy);
+ return status;
+ }
+
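Review bot: The removed comment explained the old invariant, but nothing now explains why the buffer is duplicated or when it is restored. Something like `/* Keep a copy of the indirect buffer so it can be restored before each retry */` above the `kmemdup()` call would cover it. Note also that the copy is made for every retryable command that carries a buffer, including ones that succeed on the first attempt, and that an allocation failure returns `-ENOMEM` before the command is sent at all. If that trade-off is intended, it deserves a sentence in the same comment. ice_sq_send_cmd_retry() starts outside the hunk, so the types of `buf` and `buf_size` are not visible here.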
--- /dev/null
+From ce9e40a9a5e5cff0b1b0d2fa582b3d71a8ce68e8 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Fri, 6 Feb 2026 15:48:16 +0000
+Subject: irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit ce9e40a9a5e5cff0b1b0d2fa582b3d71a8ce68e8 upstream.
+
+The ITS driver blindly assumes that EventIDs are in abundant supply, to the
+point where it never checks how many the hardware actually supports.
+
+It turns out that some pretty esoteric integrations make it so that only a
+few bits are available, all the way down to a single bit.
+
+Enforce the advertised limitation at the point of allocating the device
+structure, and hope that the endpoint driver can deal with such limitation.
+
+Fixes: 84a6a2e7fc18d ("irqchip: GICv3: ITS: device allocation and configuration")
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Reviewed-by: Zenghui Yu <zenghui.yu@linux.dev>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260206154816.3582887-1-maz@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 4 ++++
+ include/linux/irqchip/arm-gic-v3.h | 1 +
+ 2 files changed, 5 insertions(+)
+
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -3393,6 +3393,7 @@ static struct its_device *its_create_dev
+ int lpi_base;
+ int nr_lpis;
+ int nr_ites;
++ int id_bits;
+ int sz;
+
+ if (!its_alloc_device_table(its, dev_id))
+@@ -3405,7 +3406,10 @@ static struct its_device *its_create_dev
+ /*
+ * Even if the device wants a single LPI, the ITT must be
+ * sized as a power of two (and you need at least one bit...).
++ * Also honor the ITS's own EID limit.
+ */
++ id_bits = FIELD_GET(GITS_TYPER_IDBITS, its->typer) + 1;
++ nvecs = min_t(unsigned int, nvecs, BIT(id_bits));
+ nr_ites = max(2, nvecs);
+ sz = nr_ites * (FIELD_GET(GITS_TYPER_ITT_ENTRY_SIZE, its->typer) + 1);
+ sz = max(sz, ITS_ITT_ALIGN) + ITS_ITT_ALIGN - 1;
+--- a/include/linux/irqchip/arm-gic-v3.h
++++ b/include/linux/irqchip/arm-gic-v3.h
+@@ -394,6 +394,7 @@
+ #define GITS_TYPER_VLPIS (1UL << 1)
+ #define GITS_TYPER_ITT_ENTRY_SIZE_SHIFT 4
+ #define GITS_TYPER_ITT_ENTRY_SIZE GENMASK_ULL(7, 4)
++#define GITS_TYPER_IDBITS GENMASK_ULL(12, 8)
+ #define GITS_TYPER_IDBITS_SHIFT 8
+ #define GITS_TYPER_DEVBITS_SHIFT 13
+ #define GITS_TYPER_DEVBITS GENMASK_ULL(17, 13)
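Review bot: `BIT(id_bits)` can be one bit wider than the `unsigned int` that `min_t()` casts it to. GITS_TYPER_IDBITS is the five-bit field `GENMASK_ULL(12, 8)`, so `id_bits` can reach 32, and `(unsigned int)BIT(32)` is 0 on a 64-bit build (where `unsigned long` is 32 bits the shift itself is out of range). On an ITS that advertises the full 32 EventID bits, `nvecs` would then be clamped to 0 instead of being left unchanged. Doing the comparison in 64 bits avoids the truncation: `nvecs = min_t(u64, nvecs, BIT_ULL(id_bits));`. its_create_device() starts and ends outside the hunk, so the declared type and sign of `nvecs` should be checked against this.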
--- /dev/null
+From feae40a6a178bb525a15f19288016e5778102a99 Mon Sep 17 00:00:00 2001
+From: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+Date: Wed, 10 Dec 2025 12:26:51 +0100
+Subject: ixgbevf: fix link setup issue
+
+From: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+
+commit feae40a6a178bb525a15f19288016e5778102a99 upstream.
+
+It may happen that VF spawned for E610 adapter has problem with setting
+link up. This happens when ixgbevf supporting mailbox API 1.6 cooperates
+with PF driver which doesn't support this version of API, and hence
+doesn't support new approach for getting PF link data.
+
+In that case VF asks PF to provide link data but as PF doesn't support
+it, returns -EOPNOTSUPP what leads to early bail from link configuration
+sequence.
+
+Avoid such situation by using legacy VFLINKS approach whenever negotiated
+API version is less than 1.6.
+
+To reproduce the issue just create VF and set its link up - adapter must
+be any from the E610 family, ixgbevf must support API 1.6 or higher while
+ixgbevf must not.
+
+Fixes: 53f0eb62b4d2 ("ixgbevf: fix getting link speed data for E610 devices")
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Piotr Kwapulinski <piotr.kwapulinski@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ixgbevf/vf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/ixgbevf/vf.c
++++ b/drivers/net/ethernet/intel/ixgbevf/vf.c
+@@ -852,7 +852,8 @@ static s32 ixgbevf_check_mac_link_vf(str
+ if (!mac->get_link_status)
+ goto out;
+
+- if (hw->mac.type == ixgbe_mac_e610_vf) {
++ if (hw->mac.type == ixgbe_mac_e610_vf &&
++ hw->api_version >= ixgbe_mbox_api_16) {
+ ret_val = ixgbevf_get_pf_link_state(hw, speed, link_up);
+ if (ret_val)
+ goto out;
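Review bot: The added `hw->api_version >= ixgbe_mbox_api_16` is an ordered comparison on an enum whose declaration is not in this hunk. It is correct only if the enumerators are declared in ascending API order and no sentinel (for example an "unknown" value) sorts above `ixgbe_mbox_api_16`. If that does not hold, an un-negotiated or out-of-order version would still take the PF link-state path and hit the same `-EOPNOTSUPP` bail-out. Either confirm the ordering or compare against the explicit versions that support the query, and add a comment such as `/* PF link-state query needs mailbox API 1.6+; older PFs use the legacy VFLINKS path below */`.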
--- /dev/null
+From 92978c83bb4eef55d02a6c990c01c423131eefa7 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@google.com>
+Date: Sat, 24 Jan 2026 04:18:41 +0000
+Subject: nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+commit 92978c83bb4eef55d02a6c990c01c423131eefa7 upstream.
+
+nfsd_nl_listener_set_doit() uses get_current_cred() without
+put_cred().
+
+As we can see from other callers, svc_xprt_create_from_sa()
+does not require the extra refcount.
+
+nfsd_nl_listener_set_doit() is always in the process context,
+sendmsg(), and current->cred does not go away.
+
+Let's use current_cred() in nfsd_nl_listener_set_doit().
+
+Fixes: 16a471177496 ("NFSD: add listener-{set,get} netlink command")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfsctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -2081,7 +2081,7 @@ int nfsd_nl_listener_set_doit(struct sk_
+ }
+
+ ret = svc_xprt_create_from_sa(serv, xcl_name, net, sa, 0,
+- get_current_cred());
++ current_cred());
+ /* always save the latest error */
+ if (ret < 0)
+ err = ret;
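Review bot: `current_cred()` hands svc_xprt_create_from_sa() a borrowed pointer, so this is safe only if the callee takes its own reference for anything it keeps after the call returns. The callee is not in this hunk; the commit message states that it needs no extra reference, and that is the property to verify. A one-line comment at the call would keep a later change from stashing the pointer without a reference, for example `/* borrowed cred: callee must get_cred() anything it retains */`. nfsd_nl_listener_set_doit() begins and ends outside the hunk.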
--- /dev/null
+From d879ac6756b662a085a743e76023c768c3241579 Mon Sep 17 00:00:00 2001
+From: Alexander Gordeev <agordeev@linux.ibm.com>
+Date: Tue, 24 Feb 2026 07:41:07 +0100
+Subject: s390/pfault: Fix virtual vs physical address confusion
+
+From: Alexander Gordeev <agordeev@linux.ibm.com>
+
+commit d879ac6756b662a085a743e76023c768c3241579 upstream.
+
+When Linux is running as guest, runs a user space process and the
+user space process accesses a page that the host has paged out,
+the guest gets a pfault interrupt and schedules a different process.
+Without this mechanism the host would have to suspend the whole
+virtual CPU until the page has been paged in.
+
+To setup the pfault interrupt the real address of parameter list
+should be passed to DIAGNOSE 0x258, but a virtual address is passed
+instead.
+
+That has a performance impact, since the pfault setup never succeeds,
+the interrupt is never delivered to a guest and the whole virtual CPU
+is suspended as result.
+
+Cc: stable@vger.kernel.org
+Fixes: c98d2ecae08f ("s390/mm: Uncouple physical vs virtual address spaces")
+Reported-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/mm/pfault.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/mm/pfault.c
++++ b/arch/s390/mm/pfault.c
+@@ -61,7 +61,7 @@ int __pfault_init(void)
+ "0: nopr %%r7\n"
+ EX_TABLE(0b, 0b)
+ : [rc] "+d" (rc)
+- : [refbk] "a" (&pfault_init_refbk), "m" (pfault_init_refbk)
++ : [refbk] "a" (virt_to_phys(&pfault_init_refbk)), "m" (pfault_init_refbk)
+ : "cc");
+ return rc;
+ }
+@@ -83,7 +83,7 @@ void __pfault_fini(void)
+ "0: nopr %%r7\n"
+ EX_TABLE(0b, 0b)
+ :
+- : [refbk] "a" (&pfault_fini_refbk), "m" (pfault_fini_refbk)
++ : [refbk] "a" (virt_to_phys(&pfault_fini_refbk)), "m" (pfault_fini_refbk)
+ : "cc");
+ }
+
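Review bot: Both inline-asm sites now pass two different views of the same object, the physical address in the `"a"` operand and the virtual object in the `"m"` operand, and nothing in the code says why. A comment above each asm statement would stop the conversion being "simplified" away, for example `/* DIAG 0x258 takes the real address of the parameter block; the "m" operand only tells the compiler the block is read */`. The same comment applies in __pfault_init() and __pfault_fini(). Whether `virt_to_phys()` is valid for these statically allocated blocks depends on their definitions, which are outside the hunks.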
kbuild-disable-cc_has_asm_goto_output-on-clang-17.patch
fix-cc_has_asm_goto_output-on-non-x86-architectures.patch
revert-tcpm-allow-looking-for-role_sw-device-in-the-main-node.patch
+drm-amd-disable-mes-lr-compute-w-a.patch
+drm-bridge-samsung-dsim-fix-memory-leak-in-error-path.patch
+drm-bridge-ti-sn65dsi86-enable-hpd-polling-if-irq-is-not-used.patch
+s390-pfault-fix-virtual-vs-physical-address-confusion.patch
+nfsd-fix-cred-ref-leak-in-nfsd_nl_listener_set_doit.patch
+device-property-allow-secondary-lookup-in-fwnode_get_next_child_node.patch
+irqchip-gic-v3-its-limit-number-of-per-device-msis-to-the-range-the-its-supports.patch
+btrfs-fix-chunk-map-leak-in-btrfs_map_block-after-btrfs_chunk_map_num_copies.patch
+ice-reintroduce-retry-mechanism-for-indirect-aq.patch
+ixgbevf-fix-link-setup-issue.patch
+staging-rtl8723bs-properly-validate-the-data-in-rtw_get_ie_ex.patch
+staging-rtl8723bs-fix-potential-out-of-bounds-read-in-rtw_restruct_wmm_ie.patch
--- /dev/null
+From a75281626fc8fa6dc6c9cc314ee423e8bc45203b Mon Sep 17 00:00:00 2001
+From: Luka Gejak <luka.gejak@linux.dev>
+Date: Tue, 24 Feb 2026 14:26:47 +0100
+Subject: staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
+
+From: Luka Gejak <luka.gejak@linux.dev>
+
+commit a75281626fc8fa6dc6c9cc314ee423e8bc45203b upstream.
+
+The current code checks 'i + 5 < in_len' at the end of the if statement.
+However, it accesses 'in_ie[i + 5]' before that check, which can lead
+to an out-of-bounds read. Move the length check to the beginning of the
+conditional to ensure the index is within bounds before accessing the
+array.
+
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Luka Gejak <luka.gejak@linux.dev>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/20260224132647.11642-2-luka.gejak@linux.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_mlme.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
++++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
+@@ -1929,7 +1929,10 @@ int rtw_restruct_wmm_ie(struct adapter *
+ while (i < in_len) {
+ ielength = initial_out_len;
+
+- if (in_ie[i] == 0xDD && in_ie[i+2] == 0x00 && in_ie[i+3] == 0x50 && in_ie[i+4] == 0xF2 && in_ie[i+5] == 0x02 && i+5 < in_len) { /* WMM element ID and OUI */
++ if (i + 5 < in_len &&
++ in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 &&
++ in_ie[i + 3] == 0x50 && in_ie[i + 4] == 0xF2 &&
++ in_ie[i + 5] == 0x02) {
+ for (j = i; j < i + 9; j++) {
+ out_ie[ielength] = in_ie[j];
+ ielength++;
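Review bot: The reordered guard proves only that `in_ie[i + 5]` is readable, but the loop directly below copies `j = i` through `i + 8`, so a WMM element found within the last eight bytes of `in_ie` still reads up to three bytes past `in_len`. The guard should cover the whole span the body consumes: `if (i + 9 <= in_len &&` in place of `if (i + 5 < in_len &&`. The same loop writes nine bytes at `out_ie[ielength]`; the size of `out_ie` is not visible in this hunk and should be checked against `initial_out_len + 9`. The patch also drops the trailing `/* WMM element ID and OUI */` comment, which is worth keeping on the new condition. The enclosing `while` loop continues outside the hunk.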
--- /dev/null
+From f0109b9d3e1e455429279d602f6276e34689750a Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 23 Feb 2026 14:31:35 +0100
+Subject: staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit f0109b9d3e1e455429279d602f6276e34689750a upstream.
+
+Just like in commit 154828bf9559 ("staging: rtl8723bs: fix out-of-bounds
+read in rtw_get_ie() parser"), we don't trust the data in the frame so
+we should check the length better before acting on it
+
+Cc: stable <stable@kernel.org>
+Assisted-by: gkh_clanker_2000
+Tested-by: Navaneeth K <knavaneeth786@gmail.com>
+Reviewed-by: Navaneeth K <knavaneeth786@gmail.com>
+Link: https://patch.msgid.link/2026022336-arrange-footwork-6e54@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
++++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
+@@ -187,20 +187,25 @@ u8 *rtw_get_ie_ex(u8 *in_ie, uint in_len
+
+ cnt = 0;
+
+- while (cnt < in_len) {
++ while (cnt + 2 <= in_len) {
++ u8 ie_len = in_ie[cnt + 1];
++
++ if (cnt + 2 + ie_len > in_len)
++ break;
++
+ if (eid == in_ie[cnt]
+- && (!oui || !memcmp(&in_ie[cnt+2], oui, oui_len))) {
++ && (!oui || (ie_len >= oui_len && !memcmp(&in_ie[cnt + 2], oui, oui_len)))) {
+ target_ie = &in_ie[cnt];
+
+ if (ie)
+- memcpy(ie, &in_ie[cnt], in_ie[cnt+1]+2);
++ memcpy(ie, &in_ie[cnt], ie_len + 2);
+
+ if (ielen)
+- *ielen = in_ie[cnt+1]+2;
++ *ielen = ie_len + 2;
+
+ break;
+ }
+- cnt += in_ie[cnt+1]+2; /* goto next */
++ cnt += ie_len + 2; /* goto next */
+ }
+
+ return target_ie;
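Review bot: The input side is now bounded, but `memcpy(ie, &in_ie[cnt], ie_len + 2)` still copies up to 257 bytes into a caller-supplied buffer whose size this function never sees. The element length comes from the untrusted frame, so any caller passing a smaller `ie` buffer can still be overrun by a well-formed but long element. At minimum the function comment should state the contract, e.g. `/* @ie, if non-NULL, must have room for 257 bytes (2-byte header + 255-byte body) */`, and the callers should be audited against it. The signature is truncated in the hunk header, so the parameter types are not fully visible here.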