--- /dev/null
+From e8ab57b56402697a9bef50b71aecc613f0d61846 Mon Sep 17 00:00:00 2001
+From: Karol Wachowski <karol.wachowski@linux.intel.com>
+Date: Mon, 23 Mar 2026 10:50:29 +0100
+Subject: accel/ivpu: Add disable clock relinquish workaround for NVL-A0
+
+From: Karol Wachowski <karol.wachowski@linux.intel.com>
+
+commit e8ab57b56402697a9bef50b71aecc613f0d61846 upstream.
+
+Turn on disable clock relinquish workaround for Nova Lake A0.
+Without this workaround NPU may not power off correctly after
+inference, leading to unexpected system behavior.
+
+Fixes: 550f4dd2cedd ("accel/ivpu: Add support for Nova Lake's NPU")
+Cc: <stable@vger.kernel.org> # v6.19+
+
+Reviewed-by: Lizhi.hou <lizhi.hou@amd.com>
+Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Link: https://patch.msgid.link/20260323095029.64613-1-karol.wachowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_drv.h | 1 +
+ drivers/accel/ivpu/ivpu_hw.c | 6 ++++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/accel/ivpu/ivpu_drv.h b/drivers/accel/ivpu/ivpu_drv.h
+index 5b34b6f50e69..f1b6155065ff 100644
+--- a/drivers/accel/ivpu/ivpu_drv.h
++++ b/drivers/accel/ivpu/ivpu_drv.h
+@@ -35,6 +35,7 @@
+ #define IVPU_HW_IP_60XX 60
+
+ #define IVPU_HW_IP_REV_LNL_B0 4
++#define IVPU_HW_IP_REV_NVL_A0 0
+
+ #define IVPU_HW_BTRS_MTL 1
+ #define IVPU_HW_BTRS_LNL 2
+diff --git a/drivers/accel/ivpu/ivpu_hw.c b/drivers/accel/ivpu/ivpu_hw.c
+index d69cd0d93569..d4a9bcda4100 100644
+--- a/drivers/accel/ivpu/ivpu_hw.c
++++ b/drivers/accel/ivpu/ivpu_hw.c
+@@ -70,8 +70,10 @@ static void wa_init(struct ivpu_device *vdev)
+ if (ivpu_hw_btrs_gen(vdev) == IVPU_HW_BTRS_MTL)
+ vdev->wa.interrupt_clear_with_0 = ivpu_hw_btrs_irqs_clear_with_0_mtl(vdev);
+
+- if (ivpu_device_id(vdev) == PCI_DEVICE_ID_LNL &&
+- ivpu_revision(vdev) < IVPU_HW_IP_REV_LNL_B0)
++ if ((ivpu_device_id(vdev) == PCI_DEVICE_ID_LNL &&
++ ivpu_revision(vdev) < IVPU_HW_IP_REV_LNL_B0) ||
++ (ivpu_device_id(vdev) == PCI_DEVICE_ID_NVL &&
++ ivpu_revision(vdev) == IVPU_HW_IP_REV_NVL_A0))
+ vdev->wa.disable_clock_relinquish = true;
+
+ if (ivpu_test_mode & IVPU_TEST_MODE_CLK_RELINQ_ENABLE)
+--
+2.53.0
+
--- /dev/null
+From bb120ad57def62e3f23e3d999c5fbed11f610993 Mon Sep 17 00:00:00 2001
+From: Alexey Nepomnyashih <sdl@nppct.ru>
+Date: Mon, 16 Mar 2026 19:18:22 +0000
+Subject: ALSA: firewire-lib: fix uninitialized local variable
+
+From: Alexey Nepomnyashih <sdl@nppct.ru>
+
+commit bb120ad57def62e3f23e3d999c5fbed11f610993 upstream.
+
+Similar to commit d8dc8720468a ("ALSA: firewire-lib: fix uninitialized
+local variable"), the local variable `curr_cycle_time` in
+process_rx_packets() is declared without initialization.
+
+When the tracepoint event is not probed, the variable may appear to be
+used without being initialized. In practice the value is only relevant
+when the tracepoint is enabled, however initializing it avoids potential
+use of an uninitialized value and improves code safety.
+
+Initialize `curr_cycle_time` to zero.
+
+Fixes: fef4e61b0b76 ("ALSA: firewire-lib: extend tracepoints event including CYCLE_TIME of 1394 OHCI")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexey Nepomnyashih <sdl@nppct.ru>
+Link: https://patch.msgid.link/20260316191824.83249-1-sdl@nppct.ru
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/firewire/amdtp-stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/amdtp-stream.c
++++ b/sound/firewire/amdtp-stream.c
+@@ -1179,7 +1179,7 @@ static void process_rx_packets(struct fw
+ struct pkt_desc *desc = s->packet_descs_cursor;
+ unsigned int pkt_header_length;
+ unsigned int packets;
+- u32 curr_cycle_time;
++ u32 curr_cycle_time = 0;
+ bool need_hw_irq;
+ int i;
+
--- /dev/null
+From 0bdf27abaf8940592207be939142451436afe39f Mon Sep 17 00:00:00 2001
+From: Zhang Heng <zhangheng@kylinos.cn>
+Date: Mon, 16 Mar 2026 10:28:43 +0800
+Subject: ALSA: hda/realtek: add quirk for ASUS Strix G16 G615JMR
+
+From: Zhang Heng <zhangheng@kylinos.cn>
+
+commit 0bdf27abaf8940592207be939142451436afe39f upstream.
+
+The machine is equipped with ALC294 and requires the
+ALC287_FIXUP_TXNW2781_I2C_ASUS quirk for the amplifier to work properly.
+Since the machine's PCI SSID is also 1043:1204, HDA_CODEC_QUIRK is
+used to retain the previous quirk.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=221173
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260316022843.2809968-1-zhangheng@kylinos.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/codecs/realtek/alc269.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7203,6 +7203,7 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x1043, 0x115d, "Asus 1015E", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x1043, 0x1194, "ASUS UM3406KA", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x11c0, "ASUS X556UR", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
++ HDA_CODEC_QUIRK(0x1043, 0x1204, "ASUS Strix G16 G615JMR", ALC287_FIXUP_TXNW2781_I2C_ASUS),
+ SND_PCI_QUIRK(0x1043, 0x1204, "ASUS Strix G615JHR_JMR_JPR", ALC287_FIXUP_TAS2781_I2C),
+ SND_PCI_QUIRK(0x1043, 0x1214, "ASUS Strix G615LH_LM_LP", ALC287_FIXUP_TAS2781_I2C),
+ SND_PCI_QUIRK(0x1043, 0x125e, "ASUS Q524UQK", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
--- /dev/null
+From cfb385a8dc88d86a805a5682eaa68f59fa5c0ec3 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Date: Mon, 23 Mar 2026 23:17:48 +0000
+Subject: ASoC: codecs: wcd934x: fix typo in dt parsing
+
+From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+
+commit cfb385a8dc88d86a805a5682eaa68f59fa5c0ec3 upstream.
+
+Looks like we ended up with a typo during device tree data parsing
+as part of 4f16b6351bbff ("ASoC: codecs: wcd: add common helper for wcd
+codecs") patch.
+ This will result in not parsing the device tree data and results in
+zero mic bias values.
+
+Fix this by calling wcd_dt_parse_micbias_info instead of
+wcd_dt_parse_mbhc_data.
+
+Fixes: 4f16b6351bbff ("ASoC: codecs: wcd: add common helper for wcd codecs")
+Cc: Stable@vger.kernel.org
+Reported-by: Joel Selvaraj <foss@joelselvaraj.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260323231748.2217967-1-srinivas.kandagatla@oss.qualcomm.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/wcd934x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/wcd934x.c
++++ b/sound/soc/codecs/wcd934x.c
+@@ -2172,7 +2172,7 @@ static int wcd934x_init_dmic(struct snd_
+ u32 def_dmic_rate, dmic_clk_drv;
+ int ret;
+
+- ret = wcd_dt_parse_mbhc_data(comp->dev, &wcd->mbhc_cfg);
++ ret = wcd_dt_parse_micbias_info(&wcd->common);
+ if (ret)
+ return ret;
+
--- /dev/null
+From fe757092d2329c397ecb32f2bf68a5b1c4bd9193 Mon Sep 17 00:00:00 2001
+From: Guangshuo Li <lgs201920130244@gmail.com>
+Date: Fri, 13 Mar 2026 12:06:11 +0800
+Subject: ASoC: sma1307: fix double free of devm_kzalloc() memory
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+commit fe757092d2329c397ecb32f2bf68a5b1c4bd9193 upstream.
+
+A previous change added NULL checks and cleanup for allocation
+failures in sma1307_setting_loaded().
+
+However, the cleanup for mode_set entries is wrong. Those entries are
+allocated with devm_kzalloc(), so they are device-managed resources and
+must not be freed with kfree(). Manually freeing them in the error path
+can lead to a double free when devres later releases the same memory.
+
+Drop the manual kfree() loop and let devres handle the cleanup.
+
+Fixes: 0ec6bd16705fe ("ASoC: sma1307: Add NULL check in sma1307_setting_loaded()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Link: https://patch.msgid.link/20260313040611.391479-1-lgs201920130244@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/sma1307.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/codecs/sma1307.c
++++ b/sound/soc/codecs/sma1307.c
+@@ -1759,8 +1759,10 @@ static void sma1307_setting_loaded(struc
+ sma1307->set.mode_size * 2 * sizeof(int),
+ GFP_KERNEL);
+ if (!sma1307->set.mode_set[i]) {
+- for (int j = 0; j < i; j++)
+- kfree(sma1307->set.mode_set[j]);
++ for (int j = 0; j < i; j++) {
++ devm_kfree(sma1307->dev, sma1307->set.mode_set[j]);
++ sma1307->set.mode_set[j] = NULL;
++ }
+ sma1307->set.status = false;
+ return;
+ }
--- /dev/null
+From d40a198e2b7821197c5c77b89d0130cc90f400f5 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Date: Thu, 26 Mar 2026 09:56:18 +0200
+Subject: ASoC: SOF: ipc4-topology: Allow bytes controls without initial payload
+
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+
+commit d40a198e2b7821197c5c77b89d0130cc90f400f5 upstream.
+
+It is unexpected, but allowed to have no initial payload for a bytes
+control and the code is prepared to handle this case, but the size check
+missed this corner case.
+
+Update the check for minimal size to allow the initial size to be 0.
+
+Cc: stable@vger.kernel.org
+Fixes: a653820700b8 ("ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls")
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
+Reviewed-by: Seppo Ingalsuo <seppo.ingalsuo@linux.intel.com>
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Link: https://patch.msgid.link/20260326075618.1603-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/sof/ipc4-topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/sof/ipc4-topology.c
++++ b/sound/soc/sof/ipc4-topology.c
+@@ -2889,7 +2889,7 @@ static int sof_ipc4_control_load_bytes(s
+ return -EINVAL;
+ }
+
+- if (scontrol->priv_size < sizeof(struct sof_abi_hdr)) {
++ if (scontrol->priv_size && scontrol->priv_size < sizeof(struct sof_abi_hdr)) {
+ dev_err(sdev->dev,
+ "bytes control %s initial data size %zu is insufficient.\n",
+ scontrol->name, scontrol->priv_size);
--- /dev/null
+From b9c310d72783cc2f30d103eed83920a5a29c671a Mon Sep 17 00:00:00 2001
+From: Ali Norouzi <ali.norouzi@keysight.com>
+Date: Thu, 19 Mar 2026 16:47:44 +0100
+Subject: can: gw: fix OOB heap access in cgw_csum_crc8_rel()
+
+From: Ali Norouzi <ali.norouzi@keysight.com>
+
+commit b9c310d72783cc2f30d103eed83920a5a29c671a upstream.
+
+cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():
+
+ int from = calc_idx(crc8->from_idx, cf->len);
+ int to = calc_idx(crc8->to_idx, cf->len);
+ int res = calc_idx(crc8->result_idx, cf->len);
+
+ if (from < 0 || to < 0 || res < 0)
+ return;
+
+However, the loop and the result write then use the raw s8 fields directly
+instead of the computed variables:
+
+ for (i = crc8->from_idx; ...) /* BUG: raw negative index */
+ cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */
+
+With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,
+calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with
+i = -64, reading cf->data[-64], and the write goes to cf->data[-64].
+This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the
+start of the canfd_frame on the heap.
+
+The companion function cgw_csum_xor_rel() uses `from`/`to`/`res`
+correctly throughout; fix cgw_csum_crc8_rel() to match.
+
+Confirmed with KASAN on linux-7.0-rc2:
+ BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0
+ Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62
+
+To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.
+
+Fixes: 456a8a646b25 ("can: gw: add support for CAN FD frames")
+Cc: stable@vger.kernel.org
+Reported-by: Ali Norouzi <ali.norouzi@keysight.com>
+Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Ali Norouzi <ali.norouzi@keysight.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-1-c45d52c6d2d8@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/gw.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/can/gw.c
++++ b/net/can/gw.c
+@@ -374,10 +374,10 @@ static void cgw_csum_crc8_rel(struct can
+ return;
+
+ if (from <= to) {
+- for (i = crc8->from_idx; i <= crc8->to_idx; i++)
++ for (i = from; i <= to; i++)
+ crc = crc8->crctab[crc ^ cf->data[i]];
+ } else {
+- for (i = crc8->from_idx; i >= crc8->to_idx; i--)
++ for (i = from; i >= to; i--)
+ crc = crc8->crctab[crc ^ cf->data[i]];
+ }
+
+@@ -396,7 +396,7 @@ static void cgw_csum_crc8_rel(struct can
+ break;
+ }
+
+- cf->data[crc8->result_idx] = crc ^ crc8->final_xor_val;
++ cf->data[res] = crc ^ crc8->final_xor_val;
+ }
+
+ static void cgw_csum_crc8_pos(struct canfd_frame *cf,
--- /dev/null
+From 424e95d62110cdbc8fd12b40918f37e408e35a92 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Thu, 19 Mar 2026 16:47:45 +0100
+Subject: can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 424e95d62110cdbc8fd12b40918f37e408e35a92 upstream.
+
+isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access
+to so->tx.buf. isotp_release() waits for ISOTP_IDLE via
+wait_event_interruptible() and then calls kfree(so->tx.buf).
+
+If a signal interrupts the wait_event_interruptible() inside close()
+while tx.state is ISOTP_SENDING, the loop exits early and release
+proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf)
+while sendmsg may still be reading so->tx.buf for the final CAN frame
+in isotp_fill_dataframe().
+
+The so->tx.buf can be allocated once when the standard tx.buf length needs
+to be extended. Move the kfree() of this potentially extended tx.buf to
+sk_destruct time when either isotp_sendmsg() and isotp_release() are done.
+
+Fixes: 96d1c81e6a04 ("can: isotp: add module parameter for maximum pdu size")
+Cc: stable@vger.kernel.org
+Reported-by: Ali Norouzi <ali.norouzi@keysight.com>
+Co-developed-by: Ali Norouzi <ali.norouzi@keysight.com>
+Signed-off-by: Ali Norouzi <ali.norouzi@keysight.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-2-c45d52c6d2d8@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/isotp.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -1230,12 +1230,6 @@ static int isotp_release(struct socket *
+ so->ifindex = 0;
+ so->bound = 0;
+
+- if (so->rx.buf != so->rx.sbuf)
+- kfree(so->rx.buf);
+-
+- if (so->tx.buf != so->tx.sbuf)
+- kfree(so->tx.buf);
+-
+ sock_orphan(sk);
+ sock->sk = NULL;
+
+@@ -1604,6 +1598,21 @@ static int isotp_notifier(struct notifie
+ return NOTIFY_DONE;
+ }
+
++static void isotp_sock_destruct(struct sock *sk)
++{
++ struct isotp_sock *so = isotp_sk(sk);
++
++ /* do the standard CAN sock destruct work */
++ can_sock_destruct(sk);
++
++ /* free potential extended PDU buffers */
++ if (so->rx.buf != so->rx.sbuf)
++ kfree(so->rx.buf);
++
++ if (so->tx.buf != so->tx.sbuf)
++ kfree(so->tx.buf);
++}
++
+ static int isotp_init(struct sock *sk)
+ {
+ struct isotp_sock *so = isotp_sk(sk);
+@@ -1648,6 +1657,9 @@ static int isotp_init(struct sock *sk)
+ list_add_tail(&so->notifier, &isotp_notifier_list);
+ spin_unlock(&isotp_notifier_lock);
+
++ /* re-assign default can_sock_destruct() reference */
++ sk->sk_destruct = isotp_sock_destruct;
++
+ return 0;
+ }
+
--- /dev/null
+From cadf6019231b614ebbd9ec2a16e5997ecbd8d016 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Tue, 10 Mar 2026 13:48:03 +0100
+Subject: can: netlink: can_changelink(): add missing error handling to call can_ctrlmode_changelink()
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit cadf6019231b614ebbd9ec2a16e5997ecbd8d016 upstream.
+
+In commit e1a5cd9d6665 ("can: netlink: add can_ctrlmode_changelink()") the
+CAN Control Mode (IFLA_CAN_CTRLMODE) handling was factored out into the
+can_ctrlmode_changelink() function. But the call to
+can_ctrlmode_changelink() is missing the error handling.
+
+Add the missing error handling and propagation to the call
+can_ctrlmode_changelink().
+
+Cc: stable@vger.kernel.org
+Fixes: e1a5cd9d6665 ("can: netlink: add can_ctrlmode_changelink()")
+Link: https://patch.msgid.link/20260310-can_ctrlmode_changelink-add-error-handling-v1-1-0daf63d85922@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/dev/netlink.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/dev/netlink.c
++++ b/drivers/net/can/dev/netlink.c
+@@ -601,7 +601,9 @@ static int can_changelink(struct net_dev
+ /* We need synchronization with dev->stop() */
+ ASSERT_RTNL();
+
+- can_ctrlmode_changelink(dev, data, extack);
++ err = can_ctrlmode_changelink(dev, data, extack);
++ if (err)
++ return err;
+
+ if (data[IFLA_CAN_BITTIMING]) {
+ struct can_bittiming bt;
--- /dev/null
+From 6a28fb8cb28b9eb39a392e531d938a889eacafc5 Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Fri, 20 Mar 2026 15:08:14 +0530
+Subject: cpufreq: conservative: Reset requested_freq on limits change
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+commit 6a28fb8cb28b9eb39a392e531d938a889eacafc5 upstream.
+
+A recently reported issue highlighted that the cached requested_freq
+is not guaranteed to stay in sync with policy->cur. If the platform
+changes the actual CPU frequency after the governor sets one (e.g.
+due to platform-specific frequency scaling) and a re-sync occurs
+later, policy->cur may diverge from requested_freq.
+
+This can lead to incorrect behavior in the conservative governor.
+For example, the governor may assume the CPU is already running at
+the maximum frequency and skip further increases even though there
+is still headroom.
+
+Avoid this by resetting the cached requested_freq to policy->cur on
+detecting a change in policy limits.
+
+Reported-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Tested-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Link: https://lore.kernel.org/all/20260210115458.3493646-1-zhenglifeng1@huawei.com/
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com>
+Cc: All applicable <stable@vger.kernel.org>
+Link: https://patch.msgid.link/d846a141a98ac0482f20560fcd7525c0f0ec2f30.1773999467.git.viresh.kumar@linaro.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cpufreq_conservative.c | 12 ++++++++++++
+ drivers/cpufreq/cpufreq_governor.c | 3 +++
+ drivers/cpufreq/cpufreq_governor.h | 1 +
+ 3 files changed, 16 insertions(+)
+
+--- a/drivers/cpufreq/cpufreq_conservative.c
++++ b/drivers/cpufreq/cpufreq_conservative.c
+@@ -313,6 +313,17 @@ static void cs_start(struct cpufreq_poli
+ dbs_info->requested_freq = policy->cur;
+ }
+
++static void cs_limits(struct cpufreq_policy *policy)
++{
++ struct cs_policy_dbs_info *dbs_info = to_dbs_info(policy->governor_data);
++
++ /*
++ * The limits have changed, so may have the current frequency. Reset
++ * requested_freq to avoid any unintended outcomes due to the mismatch.
++ */
++ dbs_info->requested_freq = policy->cur;
++}
++
+ static struct dbs_governor cs_governor = {
+ .gov = CPUFREQ_DBS_GOVERNOR_INITIALIZER("conservative"),
+ .kobj_type = { .default_groups = cs_groups },
+@@ -322,6 +333,7 @@ static struct dbs_governor cs_governor =
+ .init = cs_init,
+ .exit = cs_exit,
+ .start = cs_start,
++ .limits = cs_limits,
+ };
+
+ #define CPU_FREQ_GOV_CONSERVATIVE (cs_governor.gov)
+--- a/drivers/cpufreq/cpufreq_governor.c
++++ b/drivers/cpufreq/cpufreq_governor.c
+@@ -563,6 +563,7 @@ EXPORT_SYMBOL_GPL(cpufreq_dbs_governor_s
+
+ void cpufreq_dbs_governor_limits(struct cpufreq_policy *policy)
+ {
++ struct dbs_governor *gov = dbs_governor_of(policy);
+ struct policy_dbs_info *policy_dbs;
+
+ /* Protect gov->gdbs_data against cpufreq_dbs_governor_exit() */
+@@ -574,6 +575,8 @@ void cpufreq_dbs_governor_limits(struct
+ mutex_lock(&policy_dbs->update_mutex);
+ cpufreq_policy_apply_limits(policy);
+ gov_update_sample_delay(policy_dbs, 0);
++ if (gov->limits)
++ gov->limits(policy);
+ mutex_unlock(&policy_dbs->update_mutex);
+
+ out:
+--- a/drivers/cpufreq/cpufreq_governor.h
++++ b/drivers/cpufreq/cpufreq_governor.h
+@@ -138,6 +138,7 @@ struct dbs_governor {
+ int (*init)(struct dbs_data *dbs_data);
+ void (*exit)(struct dbs_data *dbs_data);
+ void (*start)(struct cpufreq_policy *policy);
++ void (*limits)(struct cpufreq_policy *policy);
+ };
+
+ static inline struct dbs_governor *dbs_governor_of(struct cpufreq_policy *policy)
--- /dev/null
+From 8f13c0c6cb75cc4421d5a60fc060e9e6fd9d1097 Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Fri, 20 Mar 2026 14:54:06 +0530
+Subject: cpufreq: Don't skip cpufreq_frequency_table_cpuinfo()
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+commit 8f13c0c6cb75cc4421d5a60fc060e9e6fd9d1097 upstream.
+
+The commit 6db0f533d320 ("cpufreq: preserve freq_table_sorted
+across suspend/hibernate") unintentionally made a change where
+cpufreq_frequency_table_cpuinfo() isn't getting called anymore
+for old policies getting re-initialized.
+
+This leads to potentially invalid values of policy->max and
+policy->cpuinfo_max_freq.
+
+Fix the issue by reverting the original commit and adding the condition
+for just the sorting function.
+
+Fixes: 6db0f533d320 ("cpufreq: preserve freq_table_sorted across suspend/hibernate")
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: 6.19+ <stable@vger.kernel.org> # 6.19+
+Link: https://patch.msgid.link/65ba5c45749267c82e8a87af3dc788b37a0b3f48.1773998611.git.viresh.kumar@linaro.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cpufreq.c | 9 +++------
+ drivers/cpufreq/freq_table.c | 4 ++++
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1421,12 +1421,9 @@ static int cpufreq_policy_online(struct
+ * If there is a problem with its frequency table, take it
+ * offline and drop it.
+ */
+- if (policy->freq_table_sorted != CPUFREQ_TABLE_SORTED_ASCENDING &&
+- policy->freq_table_sorted != CPUFREQ_TABLE_SORTED_DESCENDING) {
+- ret = cpufreq_table_validate_and_sort(policy);
+- if (ret)
+- goto out_offline_policy;
+- }
++ ret = cpufreq_table_validate_and_sort(policy);
++ if (ret)
++ goto out_offline_policy;
+
+ /* related_cpus should at least include policy->cpus. */
+ cpumask_copy(policy->related_cpus, policy->cpus);
+--- a/drivers/cpufreq/freq_table.c
++++ b/drivers/cpufreq/freq_table.c
+@@ -360,6 +360,10 @@ int cpufreq_table_validate_and_sort(stru
+ if (policy_has_boost_freq(policy))
+ policy->boost_supported = true;
+
++ if (policy->freq_table_sorted == CPUFREQ_TABLE_SORTED_ASCENDING ||
++ policy->freq_table_sorted == CPUFREQ_TABLE_SORTED_DESCENDING)
++ return 0;
++
+ return set_freq_table_sorted(policy);
+ }
+
--- /dev/null
+From bfe9e314d7574d1c5c851972e7aee342733819d2 Mon Sep 17 00:00:00 2001
+From: Matthew Auld <matthew.auld@intel.com>
+Date: Wed, 18 Mar 2026 10:02:09 +0000
+Subject: drm/xe: always keep track of remap prev/next
+
+From: Matthew Auld <matthew.auld@intel.com>
+
+commit bfe9e314d7574d1c5c851972e7aee342733819d2 upstream.
+
+During 3D workload, user is reporting hitting:
+
+[ 413.361679] WARNING: drivers/gpu/drm/xe/xe_vm.c:1217 at vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe], CPU#7: vkd3d_queue/9925
+[ 413.361944] CPU: 7 UID: 1000 PID: 9925 Comm: vkd3d_queue Kdump: loaded Not tainted 7.0.0-070000rc3-generic #202603090038 PREEMPT(lazy)
+[ 413.361949] RIP: 0010:vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe]
+[ 413.362074] RSP: 0018:ffffd4c25c3df930 EFLAGS: 00010282
+[ 413.362077] RAX: 0000000000000000 RBX: ffff8f3ee817ed10 RCX: 0000000000000000
+[ 413.362078] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+[ 413.362079] RBP: ffffd4c25c3df980 R08: 0000000000000000 R09: 0000000000000000
+[ 413.362081] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8f41fbf99380
+[ 413.362082] R13: ffff8f3ee817e968 R14: 00000000ffffffef R15: ffff8f43d00bd380
+[ 413.362083] FS: 00000001040ff6c0(0000) GS:ffff8f4696d89000(0000) knlGS:00000000330b0000
+[ 413.362085] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
+[ 413.362086] CR2: 00007ddfc4747000 CR3: 00000002e6262005 CR4: 0000000000f72ef0
+[ 413.362088] PKRU: 55555554
+[ 413.362089] Call Trace:
+[ 413.362092] <TASK>
+[ 413.362096] xe_vm_bind_ioctl+0xa9a/0xc60 [xe]
+
+Which seems to hint that the vma we are re-inserting for the ops unwind
+is either invalid or overlapping with something already inserted in the
+vm. It shouldn't be invalid since this is a re-insertion, so must have
+worked before. Leaving the likely culprit as something already placed
+where we want to insert the vma.
+
+Following from that, for the case where we do something like a rebind in
+the middle of a vma, and one or both mapped ends are already compatible,
+we skip doing the rebind of those vma and set next/prev to NULL. As well
+as then adjust the original unmap va range, to avoid unmapping the ends.
+However, if we trigger the unwind path, we end up with three va, with
+the two ends never being removed and the original va range in the middle
+still being the shrunken size.
+
+If this occurs, one failure mode is when another unwind op needs to
+interact with that range, which can happen with a vector of binds. For
+example, if we need to re-insert something in place of the original va.
+In this case the va is still the shrunken version, so when removing it
+and then doing a re-insert it can overlap with the ends, which were
+never removed, triggering a warning like above, plus leaving the vm in a
+bad state.
+
+With that, we need two things here:
+
+ 1) Stop nuking the prev/next tracking for the skip cases. Instead
+ relying on checking for skip prev/next, where needed. That way on the
+ unwind path, we now correctly remove both ends.
+
+ 2) Undo the unmap va shrinkage, on the unwind path. With the two ends
+ now removed the unmap va should expand back to the original size again,
+ before re-insertion.
+
+v2:
+ - Update the explanation in the commit message, based on an actual IGT of
+ triggering this issue, rather than conjecture.
+ - Also undo the unmap shrinkage, for the skip case. With the two ends
+ now removed, the original unmap va range should expand back to the
+ original range.
+v3:
+ - Track the old start/range separately. vma_size/start() uses the va
+ info directly.
+
+Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/7602
+Fixes: 8f33b4f054fc ("drm/xe: Avoid doing rebinds")
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Cc: Matthew Brost <matthew.brost@intel.com>
+Cc: <stable@vger.kernel.org> # v6.8+
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Link: https://patch.msgid.link/20260318100208.78097-2-matthew.auld@intel.com
+(cherry picked from commit aec6969f75afbf4e01fd5fb5850ed3e9c27043ac)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_pt.c | 12 ++++++------
+ drivers/gpu/drm/xe/xe_vm.c | 22 ++++++++++++++++++----
+ drivers/gpu/drm/xe/xe_vm_types.h | 4 ++++
+ 3 files changed, 28 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/xe/xe_pt.c
++++ b/drivers/gpu/drm/xe/xe_pt.c
+@@ -1442,9 +1442,9 @@ static int op_check_svm_userptr(struct x
+ err = vma_check_userptr(vm, op->map.vma, pt_update);
+ break;
+ case DRM_GPUVA_OP_REMAP:
+- if (op->remap.prev)
++ if (op->remap.prev && !op->remap.skip_prev)
+ err = vma_check_userptr(vm, op->remap.prev, pt_update);
+- if (!err && op->remap.next)
++ if (!err && op->remap.next && !op->remap.skip_next)
+ err = vma_check_userptr(vm, op->remap.next, pt_update);
+ break;
+ case DRM_GPUVA_OP_UNMAP:
+@@ -2029,12 +2029,12 @@ static int op_prepare(struct xe_vm *vm,
+
+ err = unbind_op_prepare(tile, pt_update_ops, old);
+
+- if (!err && op->remap.prev) {
++ if (!err && op->remap.prev && !op->remap.skip_prev) {
+ err = bind_op_prepare(vm, tile, pt_update_ops,
+ op->remap.prev, false);
+ pt_update_ops->wait_vm_bookkeep = true;
+ }
+- if (!err && op->remap.next) {
++ if (!err && op->remap.next && !op->remap.skip_next) {
+ err = bind_op_prepare(vm, tile, pt_update_ops,
+ op->remap.next, false);
+ pt_update_ops->wait_vm_bookkeep = true;
+@@ -2258,10 +2258,10 @@ static void op_commit(struct xe_vm *vm,
+
+ unbind_op_commit(vm, tile, pt_update_ops, old, fence, fence2);
+
+- if (op->remap.prev)
++ if (op->remap.prev && !op->remap.skip_prev)
+ bind_op_commit(vm, tile, pt_update_ops, op->remap.prev,
+ fence, fence2, false);
+- if (op->remap.next)
++ if (op->remap.next && !op->remap.skip_next)
+ bind_op_commit(vm, tile, pt_update_ops, op->remap.next,
+ fence, fence2, false);
+ break;
+--- a/drivers/gpu/drm/xe/xe_vm.c
++++ b/drivers/gpu/drm/xe/xe_vm.c
+@@ -2532,7 +2532,6 @@ static int xe_vma_op_commit(struct xe_vm
+ if (!err && op->remap.skip_prev) {
+ op->remap.prev->tile_present =
+ tile_present;
+- op->remap.prev = NULL;
+ }
+ }
+ if (op->remap.next) {
+@@ -2542,11 +2541,13 @@ static int xe_vma_op_commit(struct xe_vm
+ if (!err && op->remap.skip_next) {
+ op->remap.next->tile_present =
+ tile_present;
+- op->remap.next = NULL;
+ }
+ }
+
+- /* Adjust for partial unbind after removing VMA from VM */
++ /*
++ * Adjust for partial unbind after removing VMA from VM. In case
++ * of unwind we might need to undo this later.
++ */
+ if (!err) {
+ op->base.remap.unmap->va->va.addr = op->remap.start;
+ op->base.remap.unmap->va->va.range = op->remap.range;
+@@ -2665,6 +2666,8 @@ static int vm_bind_ioctl_ops_parse(struc
+
+ op->remap.start = xe_vma_start(old);
+ op->remap.range = xe_vma_size(old);
++ op->remap.old_start = op->remap.start;
++ op->remap.old_range = op->remap.range;
+
+ flags |= op->base.remap.unmap->va->flags & XE_VMA_CREATE_MASK;
+ if (op->base.remap.prev) {
+@@ -2812,8 +2815,19 @@ static void xe_vma_op_unwind(struct xe_v
+ xe_svm_notifier_lock(vm);
+ vma->gpuva.flags &= ~XE_VMA_DESTROYED;
+ xe_svm_notifier_unlock(vm);
+- if (post_commit)
++ if (post_commit) {
++ /*
++ * Restore the old va range, in case of the
++ * prev/next skip optimisation. Otherwise what
++ * we re-insert here could be smaller than the
++ * original range.
++ */
++ op->base.remap.unmap->va->va.addr =
++ op->remap.old_start;
++ op->base.remap.unmap->va->va.range =
++ op->remap.old_range;
+ xe_vm_insert_vma(vm, vma);
++ }
+ }
+ break;
+ }
+--- a/drivers/gpu/drm/xe/xe_vm_types.h
++++ b/drivers/gpu/drm/xe/xe_vm_types.h
+@@ -360,6 +360,10 @@ struct xe_vma_op_remap {
+ u64 start;
+ /** @range: range of the VMA unmap */
+ u64 range;
++ /** @old_start: Original start of the VMA we unmap */
++ u64 old_start;
++ /** @old_range: Original range of the VMA we unmap */
++ u64 old_range;
+ /** @skip_prev: skip prev rebind */
+ bool skip_prev;
+ /** @skip_next: skip next rebind */
--- /dev/null
+From a76e30c2479ce6ffa2aa6c8a8462897afc82bc90 Mon Sep 17 00:00:00 2001
+From: Charles Mirabile <cmirabil@redhat.com>
+Date: Sat, 7 Mar 2026 23:43:30 -0500
+Subject: kbuild: Delete .builtin-dtbs.S when running make clean
+
+From: Charles Mirabile <cmirabil@redhat.com>
+
+commit a76e30c2479ce6ffa2aa6c8a8462897afc82bc90 upstream.
+
+The makefile tries to delete a file named ".builtin-dtb.S" but the file
+created by scripts/Makefile.vmlinux is actually called ".builtin-dtbs.S".
+
+Fixes: 654102df2ac2a ("kbuild: add generic support for built-in boot DTBs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Charles Mirabile <cmirabil@redhat.com>
+Reviewed-by: Nicolas Schier <nsc@kernel.org>
+Link: https://patch.msgid.link/20260308044338.181403-1-cmirabil@redhat.com
+[nathan: Small commit message adjustments]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -1622,7 +1622,7 @@ CLEAN_FILES += vmlinux.symvers modules-o
+ modules.builtin.ranges vmlinux.o.map vmlinux.unstripped \
+ compile_commands.json rust/test \
+ rust-project.json .vmlinux.objs .vmlinux.export.c \
+- .builtin-dtbs-list .builtin-dtb.S
++ .builtin-dtbs-list .builtin-dtbs.S
+
+ # Directories & files removed with 'make mrproper'
+ MRPROPER_FILES += include/config include/generated \
--- /dev/null
+From 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 Mon Sep 17 00:00:00 2001
+From: Hyunwoo Kim <imv4bel@gmail.com>
+Date: Tue, 17 Mar 2026 08:52:01 +0900
+Subject: ksmbd: do not expire session on binding failure
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+commit 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 upstream.
+
+When a multichannel session binding request fails (e.g. wrong password),
+the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED.
+However, during binding, sess points to the target session looked up via
+ksmbd_session_lookup_slowpath() -- which belongs to another connection's
+user. This allows a remote attacker to invalidate any active session by
+simply sending a binding request with a wrong password (DoS).
+
+Fix this by skipping session expiration when the failed request was
+a binding attempt, since the session does not belong to the current
+connection. The reference taken by ksmbd_session_lookup_slowpath() is
+still correctly released via ksmbd_user_session_put().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1938,8 +1938,14 @@ out_err:
+ if (sess->user && sess->user->flags & KSMBD_USER_FLAG_DELAY_SESSION)
+ try_delay = true;
+
+- sess->last_active = jiffies;
+- sess->state = SMB2_SESSION_EXPIRED;
++ /*
++ * For binding requests, session belongs to another
++ * connection. Do not expire it.
++ */
++ if (!(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
++ sess->last_active = jiffies;
++ sess->state = SMB2_SESSION_EXPIRED;
++ }
+ ksmbd_user_session_put(sess);
+ work->sess = NULL;
+ if (try_delay) {
--- /dev/null
+From 309b44ed684496ed3f9c5715d10b899338623512 Mon Sep 17 00:00:00 2001
+From: Werner Kasselman <werner@verivus.com>
+Date: Tue, 17 Mar 2026 07:55:37 +0000
+Subject: ksmbd: fix memory leaks and NULL deref in smb2_lock()
+
+From: Werner Kasselman <werner@verivus.com>
+
+commit 309b44ed684496ed3f9c5715d10b899338623512 upstream.
+
+smb2_lock() has three error handling issues after list_del() detaches
+smb_lock from lock_list at no_check_cl:
+
+1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK
+ path, goto out leaks smb_lock and its flock because the out:
+ handler only iterates lock_list and rollback_list, neither of
+ which contains the detached smb_lock.
+
+2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out
+ leaks smb_lock and flock for the same reason. The error code
+ returned to the dispatcher is also stale.
+
+3) In the rollback path, smb_flock_init() can return NULL on
+ allocation failure. The result is dereferenced unconditionally,
+ causing a kernel NULL pointer dereference. Add a NULL check to
+ prevent the crash and clean up the bookkeeping; the VFS lock
+ itself cannot be rolled back without the allocation and will be
+ released at file or connection teardown.
+
+Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before
+the if(!rc) check in the UNLOCK branch so all exit paths share one
+free site, and by freeing smb_lock and flock before goto out in the
+non-UNLOCK branch. Propagate the correct error code in both cases.
+Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding
+a NULL check for locks_free_lock(rlock) in the shared cleanup.
+
+Found via call-graph analysis using sqry.
+
+Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
+Cc: stable@vger.kernel.org
+Suggested-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
+Signed-off-by: Werner Kasselman <werner@verivus.com>
+Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 29 +++++++++++++++++++----------
+ 1 file changed, 19 insertions(+), 10 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -7600,14 +7600,15 @@ retry:
+ rc = vfs_lock_file(filp, smb_lock->cmd, flock, NULL);
+ skip:
+ if (smb_lock->flags & SMB2_LOCKFLAG_UNLOCK) {
++ locks_free_lock(flock);
++ kfree(smb_lock);
+ if (!rc) {
+ ksmbd_debug(SMB, "File unlocked\n");
+ } else if (rc == -ENOENT) {
+ rsp->hdr.Status = STATUS_NOT_LOCKED;
++ err = rc;
+ goto out;
+ }
+- locks_free_lock(flock);
+- kfree(smb_lock);
+ } else {
+ if (rc == FILE_LOCK_DEFERRED) {
+ void **argv;
+@@ -7676,6 +7677,9 @@ skip:
+ spin_unlock(&work->conn->llist_lock);
+ ksmbd_debug(SMB, "successful in taking lock\n");
+ } else {
++ locks_free_lock(flock);
++ kfree(smb_lock);
++ err = rc;
+ goto out;
+ }
+ }
+@@ -7706,13 +7710,17 @@ out:
+ struct file_lock *rlock = NULL;
+
+ rlock = smb_flock_init(filp);
+- rlock->c.flc_type = F_UNLCK;
+- rlock->fl_start = smb_lock->start;
+- rlock->fl_end = smb_lock->end;
+-
+- rc = vfs_lock_file(filp, F_SETLK, rlock, NULL);
+- if (rc)
+- pr_err("rollback unlock fail : %d\n", rc);
++ if (rlock) {
++ rlock->c.flc_type = F_UNLCK;
++ rlock->fl_start = smb_lock->start;
++ rlock->fl_end = smb_lock->end;
++
++ rc = vfs_lock_file(filp, F_SETLK, rlock, NULL);
++ if (rc)
++ pr_err("rollback unlock fail : %d\n", rc);
++ } else {
++ pr_err("rollback unlock alloc failed\n");
++ }
+
+ list_del(&smb_lock->llist);
+ spin_lock(&work->conn->llist_lock);
+@@ -7722,7 +7730,8 @@ out:
+ spin_unlock(&work->conn->llist_lock);
+
+ locks_free_lock(smb_lock->fl);
+- locks_free_lock(rlock);
++ if (rlock)
++ locks_free_lock(rlock);
+ kfree(smb_lock);
+ }
+ out2:
--- /dev/null
+From beef2634f81f1c086208191f7228bce1d366493d Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Thu, 19 Mar 2026 21:00:02 +0900
+Subject: ksmbd: fix potencial OOB in get_file_all_info() for compound requests
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit beef2634f81f1c086208191f7228bce1d366493d upstream.
+
+When a compound request consists of QUERY_DIRECTORY + QUERY_INFO
+(FILE_ALL_INFORMATION) and the first command consumes nearly the entire
+max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16()
+with PATH_MAX, causing out-of-bounds write beyond the response buffer.
+In get_file_all_info(), there was a missing validation check for
+the client-provided OutputBufferLength before copying the filename into
+FileName field of the smb2_file_all_info structure.
+If the filename length exceeds the available buffer space, it could lead to
+potential buffer overflows or memory corruption during smbConvertToUTF16
+conversion. This calculating the actual free buffer size using
+smb2_calc_max_out_buf_len() and returning -EINVAL if the buffer is
+insufficient and updating smbConvertToUTF16 to use the actual filename
+length (clamped by PATH_MAX) to ensure a safe copy operation.
+
+Cc: stable@vger.kernel.org
+Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
+Reported-by: Asim Viladi Oglu Manizada <manizada@pm.me>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -4933,7 +4933,8 @@ static int get_file_all_info(struct ksmb
+ int conv_len;
+ char *filename;
+ u64 time;
+- int ret;
++ int ret, buf_free_len, filename_len;
++ struct smb2_query_info_req *req = ksmbd_req_buf_next(work);
+
+ if (!(fp->daccess & FILE_READ_ATTRIBUTES_LE)) {
+ ksmbd_debug(SMB, "no right to read the attributes : 0x%x\n",
+@@ -4945,6 +4946,16 @@ static int get_file_all_info(struct ksmb
+ if (IS_ERR(filename))
+ return PTR_ERR(filename);
+
++ filename_len = strlen(filename);
++ buf_free_len = smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_info_rsp, Buffer) +
++ offsetof(struct smb2_file_all_info, FileName),
++ le32_to_cpu(req->OutputBufferLength));
++ if (buf_free_len < (filename_len + 1) * 2) {
++ kfree(filename);
++ return -EINVAL;
++ }
++
+ ret = vfs_getattr(&fp->filp->f_path, &stat, STATX_BASIC_STATS,
+ AT_STATX_SYNC_AS_STAT);
+ if (ret) {
+@@ -4988,7 +4999,8 @@ static int get_file_all_info(struct ksmb
+ file_info->Mode = fp->coption;
+ file_info->AlignmentRequirement = 0;
+ conv_len = smbConvertToUTF16((__le16 *)file_info->FileName, filename,
+- PATH_MAX, conn->local_nls, 0);
++ min(filename_len, PATH_MAX),
++ conn->local_nls, 0);
+ conv_len *= 2;
+ file_info->FileNameLength = cpu_to_le32(conv_len);
+ rsp->OutputBufferLength =
--- /dev/null
+From 0e55f63dd08f09651d39e1b709a91705a8a0ddcb Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 13 Mar 2026 14:45:58 +0900
+Subject: ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 0e55f63dd08f09651d39e1b709a91705a8a0ddcb upstream.
+
+After this commit (e2b76ab8b5c9 "ksmbd: add support for read compound"),
+response buffer management was changed to use dynamic iov array.
+In the new design, smb2_calc_max_out_buf_len() expects the second
+argument (hdr2_len) to be the offset of ->Buffer field in the
+response structure, not a hardcoded magic number.
+Fix the remaining call sites to use the correct offsetof() value.
+
+Cc: stable@vger.kernel.org
+Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -4445,8 +4445,9 @@ int smb2_query_dir(struct ksmbd_work *wo
+ d_info.wptr = (char *)rsp->Buffer;
+ d_info.rptr = (char *)rsp->Buffer;
+ d_info.out_buf_len =
+- smb2_calc_max_out_buf_len(work, 8,
+- le32_to_cpu(req->OutputBufferLength));
++ smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_directory_rsp, Buffer),
++ le32_to_cpu(req->OutputBufferLength));
+ if (d_info.out_buf_len < 0) {
+ rc = -EINVAL;
+ goto err_out;
+@@ -4713,8 +4714,9 @@ static int smb2_get_ea(struct ksmbd_work
+ }
+
+ buf_free_len =
+- smb2_calc_max_out_buf_len(work, 8,
+- le32_to_cpu(req->OutputBufferLength));
++ smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_info_rsp, Buffer),
++ le32_to_cpu(req->OutputBufferLength));
+ if (buf_free_len < 0)
+ return -EINVAL;
+
+@@ -5040,8 +5042,9 @@ static int get_file_stream_info(struct k
+ file_info = (struct smb2_file_stream_info *)rsp->Buffer;
+
+ buf_free_len =
+- smb2_calc_max_out_buf_len(work, 8,
+- le32_to_cpu(req->OutputBufferLength));
++ smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_info_rsp, Buffer),
++ le32_to_cpu(req->OutputBufferLength));
+ if (buf_free_len < 0)
+ goto out;
+
+@@ -8190,8 +8193,9 @@ int smb2_ioctl(struct ksmbd_work *work)
+ buffer = (char *)req + le32_to_cpu(req->InputOffset);
+
+ cnt_code = le32_to_cpu(req->CtlCode);
+- ret = smb2_calc_max_out_buf_len(work, 48,
+- le32_to_cpu(req->MaxOutputResponse));
++ ret = smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_ioctl_rsp, Buffer),
++ le32_to_cpu(req->MaxOutputResponse));
+ if (ret < 0) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ goto out;
--- /dev/null
+From 84481e705ab07ed46e56587fe846af194acacafe Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sj@kernel.org>
+Date: Mon, 16 Mar 2026 16:51:17 -0700
+Subject: mm/damon/stat: monitor all System RAM resources
+
+From: SeongJae Park <sj@kernel.org>
+
+commit 84481e705ab07ed46e56587fe846af194acacafe upstream.
+
+DAMON_STAT usage document (Documentation/admin-guide/mm/damon/stat.rst)
+says it monitors the system's entire physical memory. But, it is
+monitoring only the biggest System RAM resource of the system. When there
+are multiple System RAM resources, this results in monitoring only an
+unexpectedly small fraction of the physical memory. For example, suppose
+the system has a 500 GiB System RAM, 10 MiB non-System RAM, and 500 GiB
+System RAM resources in order on the physical address space. DAMON_STAT
+will monitor only the first 500 GiB System RAM. This situation is
+particularly common on NUMA systems.
+
+Select a physical address range that covers all System RAM areas of the
+system, to fix this issue and make it work as documented.
+
+[sj@kernel.org: return error if monitoring target region is invalid]
+ Link: https://lkml.kernel.org/r/20260317053631.87907-1-sj@kernel.org
+Link: https://lkml.kernel.org/r/20260316235118.873-1-sj@kernel.org
+Fixes: 369c415e6073 ("mm/damon: introduce DAMON_STAT module")
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Cc: <stable@vger.kernel.org> [6.17+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/damon/stat.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 50 insertions(+), 3 deletions(-)
+
+--- a/mm/damon/stat.c
++++ b/mm/damon/stat.c
+@@ -145,12 +145,59 @@ static int damon_stat_damon_call_fn(void
+ return 0;
+ }
+
++struct damon_stat_system_ram_range_walk_arg {
++ bool walked;
++ struct resource res;
++};
++
++static int damon_stat_system_ram_walk_fn(struct resource *res, void *arg)
++{
++ struct damon_stat_system_ram_range_walk_arg *a = arg;
++
++ if (!a->walked) {
++ a->walked = true;
++ a->res.start = res->start;
++ }
++ a->res.end = res->end;
++ return 0;
++}
++
++static unsigned long damon_stat_res_to_core_addr(resource_size_t ra,
++ unsigned long addr_unit)
++{
++ /*
++ * Use div_u64() for avoiding linking errors related with __udivdi3,
++ * __aeabi_uldivmod, or similar problems. This should also improve the
++ * performance optimization (read div_u64() comment for the detail).
++ */
++ if (sizeof(ra) == 8 && sizeof(addr_unit) == 4)
++ return div_u64(ra, addr_unit);
++ return ra / addr_unit;
++}
++
++static int damon_stat_set_monitoring_region(struct damon_target *t,
++ unsigned long addr_unit, unsigned long min_region_sz)
++{
++ struct damon_addr_range addr_range;
++ struct damon_stat_system_ram_range_walk_arg arg = {};
++
++ walk_system_ram_res(0, -1, &arg, damon_stat_system_ram_walk_fn);
++ if (!arg.walked)
++ return -EINVAL;
++ addr_range.start = damon_stat_res_to_core_addr(
++ arg.res.start, addr_unit);
++ addr_range.end = damon_stat_res_to_core_addr(
++ arg.res.end + 1, addr_unit);
++ if (addr_range.end <= addr_range.start)
++ return -EINVAL;
++ return damon_set_regions(t, &addr_range, 1, min_region_sz);
++}
++
+ static struct damon_ctx *damon_stat_build_ctx(void)
+ {
+ struct damon_ctx *ctx;
+ struct damon_attrs attrs;
+ struct damon_target *target;
+- unsigned long start = 0, end = 0;
+
+ ctx = damon_new_ctx();
+ if (!ctx)
+@@ -188,8 +235,8 @@ static struct damon_ctx *damon_stat_buil
+ if (!target)
+ goto free_out;
+ damon_add_target(ctx, target);
+- if (damon_set_region_biggest_system_ram_default(target, &start, &end,
+- ctx->min_region_sz))
++ if (damon_stat_set_monitoring_region(target, ctx->addr_unit,
++ ctx->min_region_sz))
+ goto free_out;
+ return ctx;
+ free_out:
--- /dev/null
+From ed4da361bf943b9041fc63e5cb6af01b3c0de978 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Thu, 26 Mar 2026 14:05:38 -0500
+Subject: Revert "ALSA: hda/intel: Add MSI X870E Tomahawk to denylist"
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit ed4da361bf943b9041fc63e5cb6af01b3c0de978 upstream.
+
+commit 30b3211aa2416 ("ALSA: hda/intel: Add MSI X870E Tomahawk
+to denylist") was added to silence a warning, but this effectively
+reintroduced commit df42ee7e22f03 ("ALSA: hda: Add ASRock
+X670E Taichi to denylist") which was already reported to cause
+problems and reverted in commit ee8f1613596ad ("Revert "ALSA: hda:
+Add ASRock X670E Taichi to denylist"")
+
+Revert it yet again.
+
+Cc: stable@vger.kernel.org
+Reported-by: Juhyun Song <juju6985@outlook.kr>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221274
+Cc: Stuart Hayhurst <stuart.a.hayhurst@gmail.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://patch.msgid.link/20260326190542.524515-1-mario.limonciello@amd.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/controllers/intel.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/sound/hda/controllers/intel.c
++++ b/sound/hda/controllers/intel.c
+@@ -2077,7 +2077,6 @@ static const struct pci_device_id driver
+ { PCI_DEVICE_SUB(0x1022, 0x1487, 0x1043, 0x874f) }, /* ASUS ROG Zenith II / Strix */
+ { PCI_DEVICE_SUB(0x1022, 0x1487, 0x1462, 0xcb59) }, /* MSI TRX40 Creator */
+ { PCI_DEVICE_SUB(0x1022, 0x1487, 0x1462, 0xcb60) }, /* MSI TRX40 */
+- { PCI_DEVICE_SUB(0x1022, 0x15e3, 0x1462, 0xee59) }, /* MSI X870E Tomahawk WiFi */
+ {}
+ };
+
--- /dev/null
+From c5c0a268b38adffbb2e70e6957017537ff54c157 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Thu, 26 Mar 2026 14:38:44 +0100
+Subject: s390/barrier: Make array_index_mask_nospec() __always_inline
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit c5c0a268b38adffbb2e70e6957017537ff54c157 upstream.
+
+Mark array_index_mask_nospec() as __always_inline to guarantee the
+mitigation is emitted inline regardless of compiler inlining decisions.
+
+Fixes: e2dd833389cc ("s390: add optimized array_index_mask_nospec")
+Cc: stable@kernel.org
+Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/barrier.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/include/asm/barrier.h
++++ b/arch/s390/include/asm/barrier.h
+@@ -62,8 +62,8 @@ do { \
+ * @size: number of elements in array
+ */
+ #define array_index_mask_nospec array_index_mask_nospec
+-static inline unsigned long array_index_mask_nospec(unsigned long index,
+- unsigned long size)
++static __always_inline unsigned long array_index_mask_nospec(unsigned long index,
++ unsigned long size)
+ {
+ unsigned long mask;
+
--- /dev/null
+From 0738d395aab8fae3b5a3ad3fc640630c91693c27 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Thu, 26 Mar 2026 19:50:14 +0100
+Subject: s390/entry: Scrub r12 register on kernel entry
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit 0738d395aab8fae3b5a3ad3fc640630c91693c27 upstream.
+
+Before commit f33f2d4c7c80 ("s390/bp: remove TIF_ISOLATE_BP"),
+all entry handlers loaded r12 with the current task pointer
+(lg %r12,__LC_CURRENT) for use by the BPENTER/BPEXIT macros. That
+commit removed TIF_ISOLATE_BP, dropping both the branch prediction
+macros and the r12 load, but did not add r12 to the register clearing
+sequence.
+
+Add the missing xgr %r12,%r12 to make the register scrub consistent
+across all entry points.
+
+Fixes: f33f2d4c7c80 ("s390/bp: remove TIF_ISOLATE_BP")
+Cc: stable@kernel.org
+Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/entry.S | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/s390/kernel/entry.S
++++ b/arch/s390/kernel/entry.S
+@@ -260,6 +260,7 @@ SYM_CODE_START(system_call)
+ xgr %r9,%r9
+ xgr %r10,%r10
+ xgr %r11,%r11
++ xgr %r12,%r12
+ la %r2,STACK_FRAME_OVERHEAD(%r15) # pointer to pt_regs
+ mvc __PT_R8(64,%r2),__LC_SAVE_AREA(%r13)
+ MBEAR %r2,%r13
+@@ -396,6 +397,7 @@ SYM_CODE_START(\name)
+ xgr %r6,%r6
+ xgr %r7,%r7
+ xgr %r10,%r10
++ xgr %r12,%r12
+ xc __PT_FLAGS(8,%r11),__PT_FLAGS(%r11)
+ mvc __PT_R8(64,%r11),__LC_SAVE_AREA(%r13)
+ MBEAR %r11,%r13
+@@ -485,6 +487,7 @@ SYM_CODE_START(mcck_int_handler)
+ xgr %r6,%r6
+ xgr %r7,%r7
+ xgr %r10,%r10
++ xgr %r12,%r12
+ stmg %r8,%r9,__PT_PSW(%r11)
+ xc __PT_FLAGS(8,%r11),__PT_FLAGS(%r11)
+ xc __SF_BACKCHAIN(8,%r15),__SF_BACKCHAIN(%r15)
--- /dev/null
+From 48b8814e25d073dd84daf990a879a820bad2bcbd Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 24 Mar 2026 17:34:05 +0100
+Subject: s390/syscalls: Add spectre boundary for syscall dispatch table
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 48b8814e25d073dd84daf990a879a820bad2bcbd upstream.
+
+The s390 syscall number is directly controlled by userspace, but does
+not have an array_index_nospec() boundary to prevent access past the
+syscall function pointer tables.
+
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
+Cc: Sven Schnelle <svens@linux.ibm.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Fixes: 56e62a737028 ("s390: convert to generic entry")
+Cc: stable@kernel.org
+Assisted-by: gkh_clanker_2000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Link: https://lore.kernel.org/r/2026032404-sterling-swoosh-43e6@gregkh
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/syscall.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kernel/syscall.c
++++ b/arch/s390/kernel/syscall.c
+@@ -13,6 +13,7 @@
+ */
+
+ #include <linux/cpufeature.h>
++#include <linux/nospec.h>
+ #include <linux/errno.h>
+ #include <linux/sched.h>
+ #include <linux/mm.h>
+@@ -131,8 +132,10 @@ void noinstr __do_syscall(struct pt_regs
+ if (unlikely(test_and_clear_pt_regs_flag(regs, PIF_SYSCALL_RET_SET)))
+ goto out;
+ regs->gprs[2] = -ENOSYS;
+- if (likely(nr < NR_syscalls))
++ if (likely(nr < NR_syscalls)) {
++ nr = array_index_nospec(nr, NR_syscalls);
+ regs->gprs[2] = sys_call_table[nr](regs);
++ }
+ out:
+ syscall_exit_to_user_mode(regs);
+ }
io_uring-fdinfo-fix-sqe_mixed-sqe-displaying.patch
io_uring-fdinfo-fix-oob-read-in-sqe_mixed-wrap-check.patch
alsa-usb-audio-exclude-scarlett-2i4-1st-gen-from-ski.patch
+s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch
+s390-barrier-make-array_index_mask_nospec-__always_inline.patch
+s390-entry-scrub-r12-register-on-kernel-entry.patch
+tracing-drain-deferred-trigger-frees-if-kthread-creation-fails.patch
+tracing-fix-potential-deadlock-in-cpu-hotplug-with-osnoise.patch
+drm-xe-always-keep-track-of-remap-prev-next.patch
+ksmbd-replace-hardcoded-hdr2_len-with-offsetof-in-smb2_calc_max_out_buf_len.patch
+ksmbd-fix-potencial-oob-in-get_file_all_info-for-compound-requests.patch
+ksmbd-fix-memory-leaks-and-null-deref-in-smb2_lock.patch
+ksmbd-do-not-expire-session-on-binding-failure.patch
+revert-alsa-hda-intel-add-msi-x870e-tomahawk-to-denylist.patch
+alsa-hda-realtek-add-quirk-for-asus-strix-g16-g615jmr.patch
+alsa-firewire-lib-fix-uninitialized-local-variable.patch
+accel-ivpu-add-disable-clock-relinquish-workaround-for-nvl-a0.patch
+asoc-codecs-wcd934x-fix-typo-in-dt-parsing.patch
+asoc-sma1307-fix-double-free-of-devm_kzalloc-memory.patch
+asoc-sof-ipc4-topology-allow-bytes-controls-without-initial-payload.patch
+can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch
+can-isotp-fix-tx.buf-use-after-free-in-isotp_sendmsg.patch
+can-netlink-can_changelink-add-missing-error-handling-to-call-can_ctrlmode_changelink.patch
+cpufreq-don-t-skip-cpufreq_frequency_table_cpuinfo.patch
+cpufreq-conservative-reset-requested_freq-on-limits-change.patch
+kbuild-delete-.builtin-dtbs.s-when-running-make-clean.patch
+mm-damon-stat-monitor-all-system-ram-resources.patch
--- /dev/null
+From 250ab25391edeeab8462b68be42e4904506c409c Mon Sep 17 00:00:00 2001
+From: Wesley Atwell <atwellwea@gmail.com>
+Date: Tue, 24 Mar 2026 16:13:26 -0600
+Subject: tracing: Drain deferred trigger frees if kthread creation fails
+
+From: Wesley Atwell <atwellwea@gmail.com>
+
+commit 250ab25391edeeab8462b68be42e4904506c409c upstream.
+
+Boot-time trigger registration can fail before the trigger-data cleanup
+kthread exists. Deferring those frees until late init is fine, but the
+post-boot fallback must still drain the deferred list if kthread
+creation never succeeds.
+
+Otherwise, boot-deferred nodes can accumulate on
+trigger_data_free_list, later frees fall back to synchronously freeing
+only the current object, and the older queued entries are leaked
+forever.
+
+To trigger this, add the following to the kernel command line:
+
+ trace_event=sched_switch trace_trigger=sched_switch.traceon,sched_switch.traceon
+
+The second traceon trigger will fail and be freed. This triggers a NULL
+pointer dereference and crashes the kernel.
+
+Keep the deferred boot-time behavior, but when kthread creation fails,
+drain the whole queued list synchronously. Do the same in the late-init
+drain path so queued entries are not stranded there either.
+
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260324221326.1395799-3-atwellwea@gmail.com
+Fixes: 61d445af0a7c ("tracing: Add bulk garbage collection of freeing event_trigger_data")
+Signed-off-by: Wesley Atwell <atwellwea@gmail.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events_trigger.c | 79 ++++++++++++++++++++++++++++++------
+ 1 file changed, 66 insertions(+), 13 deletions(-)
+
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -22,6 +22,39 @@ static struct task_struct *trigger_kthre
+ static struct llist_head trigger_data_free_list;
+ static DEFINE_MUTEX(trigger_data_kthread_mutex);
+
++static int trigger_kthread_fn(void *ignore);
++
++static void trigger_create_kthread_locked(void)
++{
++ lockdep_assert_held(&trigger_data_kthread_mutex);
++
++ if (!trigger_kthread) {
++ struct task_struct *kthread;
++
++ kthread = kthread_create(trigger_kthread_fn, NULL,
++ "trigger_data_free");
++ if (!IS_ERR(kthread))
++ WRITE_ONCE(trigger_kthread, kthread);
++ }
++}
++
++static void trigger_data_free_queued_locked(void)
++{
++ struct event_trigger_data *data, *tmp;
++ struct llist_node *llnodes;
++
++ lockdep_assert_held(&trigger_data_kthread_mutex);
++
++ llnodes = llist_del_all(&trigger_data_free_list);
++ if (!llnodes)
++ return;
++
++ tracepoint_synchronize_unregister();
++
++ llist_for_each_entry_safe(data, tmp, llnodes, llist)
++ kfree(data);
++}
++
+ /* Bulk garbage collection of event_trigger_data elements */
+ static int trigger_kthread_fn(void *ignore)
+ {
+@@ -56,30 +89,50 @@ void trigger_data_free(struct event_trig
+ if (data->cmd_ops->set_filter)
+ data->cmd_ops->set_filter(NULL, data, NULL);
+
++ /*
++ * Boot-time trigger registration can fail before kthread creation
++ * works. Keep the deferred-free semantics during boot and let late
++ * init start the kthread to drain the list.
++ */
++ if (system_state == SYSTEM_BOOTING && !trigger_kthread) {
++ llist_add(&data->llist, &trigger_data_free_list);
++ return;
++ }
++
+ if (unlikely(!trigger_kthread)) {
+ guard(mutex)(&trigger_data_kthread_mutex);
++
++ trigger_create_kthread_locked();
+ /* Check again after taking mutex */
+ if (!trigger_kthread) {
+- struct task_struct *kthread;
+-
+- kthread = kthread_create(trigger_kthread_fn, NULL,
+- "trigger_data_free");
+- if (!IS_ERR(kthread))
+- WRITE_ONCE(trigger_kthread, kthread);
++ llist_add(&data->llist, &trigger_data_free_list);
++ /* Drain the queued frees synchronously if creation failed. */
++ trigger_data_free_queued_locked();
++ return;
+ }
+ }
+
+- if (!trigger_kthread) {
+- /* Do it the slow way */
+- tracepoint_synchronize_unregister();
+- kfree(data);
+- return;
+- }
+-
+ llist_add(&data->llist, &trigger_data_free_list);
+ wake_up_process(trigger_kthread);
+ }
+
++static int __init trigger_data_free_init(void)
++{
++ guard(mutex)(&trigger_data_kthread_mutex);
++
++ if (llist_empty(&trigger_data_free_list))
++ return 0;
++
++ trigger_create_kthread_locked();
++ if (trigger_kthread)
++ wake_up_process(trigger_kthread);
++ else
++ trigger_data_free_queued_locked();
++
++ return 0;
++}
++late_initcall(trigger_data_free_init);
++
+ static inline void data_ops_trigger(struct event_trigger_data *data,
+ struct trace_buffer *buffer, void *rec,
+ struct ring_buffer_event *event)
--- /dev/null
+From 1f9885732248d22f788e4992c739a98c88ab8a55 Mon Sep 17 00:00:00 2001
+From: Luo Haiyang <luo.haiyang@zte.com.cn>
+Date: Thu, 26 Mar 2026 14:19:53 +0800
+Subject: tracing: Fix potential deadlock in cpu hotplug with osnoise
+
+From: Luo Haiyang <luo.haiyang@zte.com.cn>
+
+commit 1f9885732248d22f788e4992c739a98c88ab8a55 upstream.
+
+The following sequence may leads deadlock in cpu hotplug:
+
+ task1 task2 task3
+ ----- ----- -----
+
+ mutex_lock(&interface_lock)
+
+ [CPU GOING OFFLINE]
+
+ cpus_write_lock();
+ osnoise_cpu_die();
+ kthread_stop(task3);
+ wait_for_completion();
+
+ osnoise_sleep();
+ mutex_lock(&interface_lock);
+
+ cpus_read_lock();
+
+ [DEAD LOCK]
+
+Fix by swap the order of cpus_read_lock() and mutex_lock(&interface_lock).
+
+Cc: stable@vger.kernel.org
+Cc: <mathieu.desnoyers@efficios.com>
+Cc: <zhang.run@zte.com.cn>
+Cc: <yang.tao172@zte.com.cn>
+Cc: <ran.xiaokai@zte.com.cn>
+Fixes: bce29ac9ce0bb ("trace: Add osnoise tracer")
+Link: https://patch.msgid.link/20260326141953414bVSj33dAYktqp9Oiyizq8@zte.com.cn
+Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Luo Haiyang <luo.haiyang@zte.com.cn>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_osnoise.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/trace/trace_osnoise.c
++++ b/kernel/trace/trace_osnoise.c
+@@ -2073,8 +2073,8 @@ static void osnoise_hotplug_workfn(struc
+ if (!osnoise_has_registered_instances())
+ return;
+
+- guard(mutex)(&interface_lock);
+ guard(cpus_read_lock)();
++ guard(mutex)(&interface_lock);
+
+ if (!cpu_online(cpu))
+ return;
+@@ -2237,11 +2237,11 @@ static ssize_t osnoise_options_write(str
+ if (running)
+ stop_per_cpu_kthreads();
+
+- mutex_lock(&interface_lock);
+ /*
+ * avoid CPU hotplug operations that might read options.
+ */
+ cpus_read_lock();
++ mutex_lock(&interface_lock);
+
+ retval = cnt;
+
+@@ -2257,8 +2257,8 @@ static ssize_t osnoise_options_write(str
+ clear_bit(option, &osnoise_options);
+ }
+
+- cpus_read_unlock();
+ mutex_unlock(&interface_lock);
++ cpus_read_unlock();
+
+ if (running)
+ start_per_cpu_kthreads();
+@@ -2345,16 +2345,16 @@ osnoise_cpus_write(struct file *filp, co
+ if (running)
+ stop_per_cpu_kthreads();
+
+- mutex_lock(&interface_lock);
+ /*
+ * osnoise_cpumask is read by CPU hotplug operations.
+ */
+ cpus_read_lock();
++ mutex_lock(&interface_lock);
+
+ cpumask_copy(&osnoise_cpumask, osnoise_cpumask_new);
+
+- cpus_read_unlock();
+ mutex_unlock(&interface_lock);
++ cpus_read_unlock();
+
+ if (running)
+ start_per_cpu_kthreads();
projects / thirdparty / kernel / stable-queue.git / commitdiff
