--- /dev/null
+From b66829b17f6385cc9ffbcbe2476d532d2e3121ad Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+Date: Tue, 5 May 2026 13:12:59 +0000
+Subject: firmware: samsung: acpm: Fix mailbox channel leak on probe error
+
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+
+commit b66829b17f6385cc9ffbcbe2476d532d2e3121ad upstream.
+
+Sashiko identified the leak at [1].
+
+The ACPM driver allocates hardware mailbox channels using
+`mbox_request_channel()` during `acpm_channels_init()`. However, the
+driver lacked a `.remove` callback and did not free these channels on
+subsequent error paths inside `acpm_probe()`.
+
+Additionally, if `acpm_achan_alloc_cmds()` failed during the channel
+initialization loop, the function returned immediately, bypassing the
+manual cleanup and permanently leaking any channels successfully
+requested in previous loop iterations.
+
+Fix this by modifying `acpm_free_mbox_chans()` to match the `devres`
+action signature and registering it via `devm_add_action_or_reset()`.
+
+Cc: stable@vger.kernel.org
+Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
+Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%40linaro.org [1]
+Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Link: https://patch.msgid.link/20260505-acpm-fixes-sashiko-reports-v5-2-43b5ee7f1674@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/samsung/exynos-acpm.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/firmware/samsung/exynos-acpm.c
++++ b/drivers/firmware/samsung/exynos-acpm.c
+@@ -523,10 +523,11 @@ static int acpm_achan_alloc_cmds(struct
+
+ /**
+ * acpm_free_mbox_chans() - free mailbox channels.
+- * @acpm: pointer to driver data.
++ * @data: pointer to driver data.
+ */
+-static void acpm_free_mbox_chans(struct acpm_info *acpm)
++static void acpm_free_mbox_chans(void *data)
+ {
++ struct acpm_info *acpm = data;
+ int i;
+
+ for (i = 0; i < acpm->num_chans; i++)
+@@ -554,6 +555,10 @@ static int acpm_channels_init(struct acp
+ if (!acpm->chans)
+ return -ENOMEM;
+
++ ret = devm_add_action_or_reset(dev, acpm_free_mbox_chans, acpm);
++ if (ret)
++ return dev_err_probe(dev, ret, "Failed to add mbox free action.\n");
++
+ chans_shmem = acpm->sram_base + readl(&shmem->chans);
+
+ for (i = 0; i < acpm->num_chans; i++) {
+@@ -575,10 +580,8 @@ static int acpm_channels_init(struct acp
+ cl->dev = dev;
+
+ achan->chan = mbox_request_channel(cl, 0);
+- if (IS_ERR(achan->chan)) {
+- acpm_free_mbox_chans(acpm);
++ if (IS_ERR(achan->chan))
+ return PTR_ERR(achan->chan);
+- }
+ }
+
+ return 0;
--- /dev/null
+From 89c4a1167f3a0a0efd2ec3e1801036d2eb65ae1a Mon Sep 17 00:00:00 2001
+From: Arpith Kalaginanavoor <arpithk@nvidia.com>
+Date: Tue, 26 May 2026 05:38:58 -0700
+Subject: fs/qnx6: fix pointer arithmetic in directory iteration
+
+From: Arpith Kalaginanavoor <arpithk@nvidia.com>
+
+commit 89c4a1167f3a0a0efd2ec3e1801036d2eb65ae1a upstream.
+
+The conversion to qnx6_get_folio() in commit b2aa61556fcf
+("qnx6: Convert qnx6_get_page() to qnx6_get_folio()")
+introduced a regression in directory iteration. The pointer 'de'
+and the 'limit' address were calculated using byte offsets from
+a char pointer without scaling by the size of a QNX6 directory
+entry.
+
+This causes the driver to read from incorrect memory offsets,
+leading to "invalid direntry size" errors and premature
+termination of directory scans.
+
+Fix this by casting 'kaddr' to 'struct qnx6_dir_entry *' before
+applying the offset and last_entry(...) increments. This allows the
+compiler to correctly scale the pointer arithmetic by the 32-byte
+stride of the directory entry structure.
+
+Fixes: b2aa61556fcf ("qnx6: Convert qnx6_get_page() to qnx6_get_folio()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Arpith Kalaginanavoor <arpithk@nvidia.com>
+Link: https://patch.msgid.link/20260526123858.1683035-1-arpithk@nvidia.com
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/qnx6/dir.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/qnx6/dir.c
++++ b/fs/qnx6/dir.c
+@@ -131,16 +131,16 @@ static int qnx6_readdir(struct file *fil
+ struct qnx6_dir_entry *de;
+ struct folio *folio;
+ char *kaddr = qnx6_get_folio(inode, n, &folio);
+- char *limit;
++ struct qnx6_dir_entry *limit;
+
+ if (IS_ERR(kaddr)) {
+ pr_err("%s(): read failed\n", __func__);
+ ctx->pos = (n + 1) << PAGE_SHIFT;
+ return PTR_ERR(kaddr);
+ }
+- de = (struct qnx6_dir_entry *)(kaddr + offset);
+- limit = kaddr + last_entry(inode, n);
+- for (; (char *)de < limit; de++, ctx->pos += QNX6_DIR_ENTRY_SIZE) {
++ de = (struct qnx6_dir_entry *)kaddr + offset;
++ limit = (struct qnx6_dir_entry *)kaddr + last_entry(inode, n);
++ for (; de < limit; de++, ctx->pos += QNX6_DIR_ENTRY_SIZE) {
+ int size = de->de_size;
+ u32 no_inode = fs32_to_cpu(sbi, de->de_inode);
+
--- /dev/null
+From 4e3d1b2c48ca6c55f1e9ca7f8dccc76f120f276c Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 19 May 2026 16:40:34 +0200
+Subject: fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios
+
+From: Jann Horn <jannh@google.com>
+
+commit 4e3d1b2c48ca6c55f1e9ca7f8dccc76f120f276c upstream.
+
+FUSE_NOTIFY_RETRIEVE must be limited to uptodate folios; !uptodate folios
+can contain uninitialized data.
+Since FUSE_NOTIFY_RETRIEVE is intended to only return data that is already
+in the page cache and not wait for data from the FUSE daemon, treat
+!uptodate folios as if they weren't present.
+
+This only has security impact on systems that don't enable automatic
+zero-initialization of all page allocations via
+CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1.
+
+Cc: stable@kernel.org
+Fixes: 2d45ba381a74 ("fuse: add retrieve request")
+Signed-off-by: Jann Horn <jannh@google.com>
+Link: https://patch.msgid.link/20260519-fuse-retrieve-uptodate-v1-1-a7a1912a37f9@google.com
+Acked-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/dev.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1928,6 +1928,10 @@ static int fuse_retrieve(struct fuse_mou
+ folio = filemap_get_folio(mapping, index);
+ if (IS_ERR(folio))
+ break;
++ if (!folio_test_uptodate(folio)) {
++ folio_put(folio);
++ break;
++ }
+
+ folio_offset = ((index - folio->index) << PAGE_SHIFT) + offset;
+ nr_bytes = min(folio_size(folio) - folio_offset, num);
--- /dev/null
+From 9c954499d43aefac01c5dfb57a82b13d2dcf4b94 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 19 May 2026 16:29:38 +0200
+Subject: fuse: reject fuse_notify() pagecache ops on directories
+
+From: Jann Horn <jannh@google.com>
+
+commit 9c954499d43aefac01c5dfb57a82b13d2dcf4b94 upstream.
+
+The operations FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE allow the
+FUSE daemon to actively write/read pagecache contents.
+
+For directories with FOPEN_CACHE_DIR, the pagecache is used as
+kernel-internal cache storage, and userspace is not supposed to have
+direct access to this cache - in particular, fuse_parse_cache() will hit
+WARN_ON() if the cache contains bogus data.
+
+Reject FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE on anything other than
+regular files with -EINVAL.
+
+Fixes: 5d7bc7e8680c ("fuse: allow using readdir cache")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Link: https://patch.msgid.link/20260519-fuse-dir-pagecache-v2-1-5428fa48e175@google.com
+Acked-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/dev.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1798,6 +1798,10 @@ static int fuse_notify_store(struct fuse
+ inode = fuse_ilookup(fc, nodeid, NULL);
+ if (!inode)
+ goto out_up_killsb;
++ if (!S_ISREG(inode->i_mode)) {
++ err = -EINVAL;
++ goto out_iput;
++ }
+
+ mapping = inode->i_mapping;
+ index = outarg.offset >> PAGE_SHIFT;
+@@ -1977,7 +1981,10 @@ static int fuse_notify_retrieve(struct f
+
+ inode = fuse_ilookup(fc, nodeid, &fm);
+ if (inode) {
+- err = fuse_retrieve(fm, inode, &outarg);
++ if (!S_ISREG(inode->i_mode))
++ err = -EINVAL;
++ else
++ err = fuse_retrieve(fm, inode, &outarg);
+ iput(inode);
+ }
+ up_read(&fc->killsb);
--- /dev/null
+From 74e144274af39935b0f410c0ee4d2b91c3730414 Mon Sep 17 00:00:00 2001
+From: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
+Date: Tue, 2 Jun 2026 09:12:04 +0000
+Subject: futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock
+
+From: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
+
+commit 74e144274af39935b0f410c0ee4d2b91c3730414 upstream.
+
+When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the
+target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting
+waiter->task.
+
+The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences
+the NULL waiter->task, causing a kernel crash.
+
+Add a self-deadlock check for non-top waiters before calling
+rt_mutex_start_proxy_lock(), analogous to the top-waiter check in
+futex_lock_pi_atomic().
+
+Fixes: 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 ("rtmutex: Use waiter::task instead of current in remove_waiter()")
+Signed-off-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/futex/requeue.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/kernel/futex/requeue.c
++++ b/kernel/futex/requeue.c
+@@ -643,6 +643,12 @@ retry_private:
+ continue;
+ }
+
++ /* Self-deadlock: non-top waiter already owns the PI futex. */
++ if (rt_mutex_owner(&pi_state->pi_mutex) == this->task) {
++ ret = -EDEADLK;
++ break;
++ }
++
+ ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex,
+ this->rt_waiter,
+ this->task);
--- /dev/null
+From 8783fb8031799f1230997c16df8c8dce9fcd1841 Mon Sep 17 00:00:00 2001
+From: Carlos Song <carlos.song@nxp.com>
+Date: Thu, 21 May 2026 14:50:38 +0800
+Subject: i2c: imx: fix clock and pinctrl state inconsistency in runtime PM
+
+From: Carlos Song <carlos.song@nxp.com>
+
+commit 8783fb8031799f1230997c16df8c8dce9fcd1841 upstream.
+
+In i2c_imx_runtime_suspend(), the clock is disabled before switching
+the pinctrl state to sleep. If pinctrl_pm_select_sleep_state() fails,
+the runtime suspend is aborted but the clock remains disabled, causing
+a system crash when the hardware is subsequently accessed.
+
+Fix this by switching the pinctrl state before disabling the clock so
+that a pinctrl failure leaves the clock enabled and the hardware
+accessible.
+
+In i2c_imx_runtime_resume(), restore the pinctrl state back to sleep
+if clk_enable() fails to keep the consistent.
+
+Fixes: 576eba03c994 ("i2c: imx: switch different pinctrl state in different system power status")
+Signed-off-by: Carlos Song <carlos.song@nxp.com>
+Cc: <stable@vger.kernel.org> # v6.14+
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20260521065038.2954998-1-carlos.song@oss.nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-imx.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-imx.c
++++ b/drivers/i2c/busses/i2c-imx.c
+@@ -1892,9 +1892,15 @@ static void i2c_imx_remove(struct platfo
+ static int i2c_imx_runtime_suspend(struct device *dev)
+ {
+ struct imx_i2c_struct *i2c_imx = dev_get_drvdata(dev);
++ int ret;
++
++ ret = pinctrl_pm_select_sleep_state(dev);
++ if (ret)
++ return ret;
+
+ clk_disable(i2c_imx->clk);
+- return pinctrl_pm_select_sleep_state(dev);
++
++ return 0;
+ }
+
+ static int i2c_imx_runtime_resume(struct device *dev)
+@@ -1907,10 +1913,13 @@ static int i2c_imx_runtime_resume(struct
+ return ret;
+
+ ret = clk_enable(i2c_imx->clk);
+- if (ret)
++ if (ret) {
+ dev_err(dev, "can't enable I2C clock, ret=%d\n", ret);
++ pinctrl_pm_select_sleep_state(dev);
++ return ret;
++ }
+
+- return ret;
++ return 0;
+ }
+
+ static int i2c_imx_suspend(struct device *dev)
--- /dev/null
+From 695fcefd4a81466ef9c529790b4e96f1ea2ba051 Mon Sep 17 00:00:00 2001
+From: Carlos Song <carlos.song@nxp.com>
+Date: Wed, 20 May 2026 17:33:23 +0800
+Subject: i2c: imx-lpi2c: fix resource leaks switching to devm_dma_request_chan()
+
+From: Carlos Song <carlos.song@nxp.com>
+
+commit 695fcefd4a81466ef9c529790b4e96f1ea2ba051 upstream.
+
+The LPI2C driver requests DMA channels using dma_request_chan(), but
+never releases them in lpi2c_imx_remove(), resulting in DMA channel
+leaks every time the driver is unloaded.
+
+Additionally, when lpi2c_dma_init() successfully requests the TX DMA
+channel but fails to request the RX DMA channel, the probe falls back
+to PIO mode and completes successfully. Since probe succeeds, the devres
+framework will not trigger any cleanup, leaving the TX DMA channel and
+the memory allocated for the dma structure held for the lifetime of the
+device even though DMA is never used.
+
+Switch to devm_dma_request_chan() to let the device core manage DMA
+channel lifetime automatically. Wrap all allocations within a devres
+group so that devres_release_group() can release all partially acquired
+resources when DMA init fails and probe continues in PIO mode.
+
+Fixes: a09c8b3f9047 ("i2c: imx-lpi2c: add eDMA mode support for LPI2C")
+Signed-off-by: Carlos Song <carlos.song@nxp.com>
+Cc: <stable@vger.kernel.org> # v6.14+
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20260520093323.2882070-1-carlos.song@oss.nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-imx-lpi2c.c | 53 ++++++++++++++++++++++---------------
+ 1 file changed, 32 insertions(+), 21 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-imx-lpi2c.c
++++ b/drivers/i2c/busses/i2c-imx-lpi2c.c
+@@ -1362,55 +1362,66 @@ static int lpi2c_imx_init_recovery_info(
+ return 0;
+ }
+
+-static void dma_exit(struct device *dev, struct lpi2c_imx_dma *dma)
+-{
+- if (dma->chan_rx)
+- dma_release_channel(dma->chan_rx);
+-
+- if (dma->chan_tx)
+- dma_release_channel(dma->chan_tx);
+-
+- devm_kfree(dev, dma);
+-}
+-
+ static int lpi2c_dma_init(struct device *dev, dma_addr_t phy_addr)
+ {
+ struct lpi2c_imx_struct *lpi2c_imx = dev_get_drvdata(dev);
+ struct lpi2c_imx_dma *dma;
++ void *group;
+ int ret;
+
+- dma = devm_kzalloc(dev, sizeof(*dma), GFP_KERNEL);
+- if (!dma)
++ /*
++ * Open a devres group so that all resources allocated within
++ * this function can be released together if DMA init fails but
++ * probe continues in PIO mode.
++ */
++ group = devres_open_group(dev, NULL, GFP_KERNEL);
++ if (!group)
+ return -ENOMEM;
+
++ dma = devm_kzalloc(dev, sizeof(*dma), GFP_KERNEL);
++ if (!dma) {
++ ret = -ENOMEM;
++ goto release_group;
++ }
++
+ dma->phy_addr = phy_addr;
+
+ /* Prepare for TX DMA: */
+- dma->chan_tx = dma_request_chan(dev, "tx");
++ dma->chan_tx = devm_dma_request_chan(dev, "tx");
+ if (IS_ERR(dma->chan_tx)) {
+ ret = PTR_ERR(dma->chan_tx);
+ if (ret != -ENODEV && ret != -EPROBE_DEFER)
+ dev_err(dev, "can't request DMA tx channel (%d)\n", ret);
+- dma->chan_tx = NULL;
+- goto dma_exit;
++ goto release_group;
+ }
+
+ /* Prepare for RX DMA: */
+- dma->chan_rx = dma_request_chan(dev, "rx");
++ dma->chan_rx = devm_dma_request_chan(dev, "rx");
+ if (IS_ERR(dma->chan_rx)) {
+ ret = PTR_ERR(dma->chan_rx);
+ if (ret != -ENODEV && ret != -EPROBE_DEFER)
+ dev_err(dev, "can't request DMA rx channel (%d)\n", ret);
+- dma->chan_rx = NULL;
+- goto dma_exit;
++ goto release_group;
+ }
+
++ /*
++ * DMA init succeeded. Remove the group marker but keep all resources
++ * bound to the device, they will be freed at device removal.
++ */
++ devres_remove_group(dev, group);
++
+ lpi2c_imx->can_use_dma = true;
+ lpi2c_imx->dma = dma;
+ return 0;
+
+-dma_exit:
+- dma_exit(dev, dma);
++release_group:
++ /*
++ * DMA init failed. Release ALL resources allocated inside this
++ * group (dma memory, TX channel if already acquired, etc.) so
++ * that a successful PIO-mode probe does not hold unused resources
++ * for the entire device lifetime.
++ */
++ devres_release_group(dev, group);
+ return ret;
+ }
+
--- /dev/null
+From 729ac5a4b966aac42e08a94dea966f4429008548 Mon Sep 17 00:00:00 2001
+From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Date: Sat, 16 May 2026 02:41:18 +0300
+Subject: i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
+
+From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+
+commit 729ac5a4b966aac42e08a94dea966f4429008548 upstream.
+
+On all modern platforms Qualcomm CCI controller provides two I2C masters,
+and on particular boards only one I2C master may be initialized, and in
+such cases the device unbinding or driver removal causes a NULL pointer
+dereference, because cci_halt() is called for all two I2C masters, but
+a completion is initialized only for the single enabled master:
+
+ % rmmod i2c-qcom-cci
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+ <snip>
+ Call trace:
+ __wait_for_common+0x194/0x1a8 (P)
+ wait_for_completion_timeout+0x20/0x2c
+ cci_remove+0xc4/0x138 [i2c_qcom_cci]
+ platform_remove+0x20/0x30
+ device_remove+0x4c/0x80
+ device_release_driver_internal+0x1c8/0x224
+ driver_detach+0x50/0x98
+ bus_remove_driver+0x6c/0xbc
+ driver_unregister+0x30/0x60
+ platform_driver_unregister+0x14/0x20
+ qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci]
+ ....
+
+Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver")
+Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Cc: <stable@vger.kernel.org> # v5.8+
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20260515234121.1607425-2-vladimir.zapolskiy@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-qcom-cci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-qcom-cci.c
++++ b/drivers/i2c/busses/i2c-qcom-cci.c
+@@ -663,8 +663,8 @@ static void cci_remove(struct platform_d
+ if (cci->master[i].cci) {
+ i2c_del_adapter(&cci->master[i].adap);
+ of_node_put(cci->master[i].adap.dev.of_node);
++ cci_halt(cci, i);
+ }
+- cci_halt(cci, i);
+ }
+
+ disable_irq(cci->irq);
--- /dev/null
+From a124579c0763da7bc408f4cd7e8f606cadc94855 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guillermo=20Rodr=C3=ADguez?= <guille.rodriguez@gmail.com>
+Date: Tue, 26 May 2026 11:12:09 +0200
+Subject: i2c: stm32f7: fix timing computation ignoring i2c-analog-filter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Guillermo RodrĂguez <guille.rodriguez@gmail.com>
+
+commit a124579c0763da7bc408f4cd7e8f606cadc94855 upstream.
+
+stm32f7_i2c_compute_timing() uses i2c_dev->analog_filter to pick
+the analog filter delay, but i2c_dev->analog_filter is parsed from
+the "i2c-analog-filter" DT property only after the compute_timing
+loop in stm32f7_i2c_setup_timing(), so in practice the timing
+calculations always ignore the analog filter. On an STM32MP1 board
+with clock-frequency = <400000> and i2c-analog-filter set, measured
+SCL frequency was ~382 kHz.
+
+This also affects (widens) the computed SDADEL range. At high bus
+clock speeds, this can select an SDADEL value that violates tVD;DAT
+(data valid time).
+
+Fix by parsing "i2c-analog-filter" before the compute_timing loop.
+
+Fixes: 83c3408f7b9c ("i2c: stm32f7: support DT binding i2c-analog-filter")
+Signed-off-by: Guillermo RodrĂguez <guille.rodriguez@gmail.com>
+Cc: <stable@vger.kernel.org> # v5.13+
+Acked-by: Alain Volmat <alain.volmat@foss.st.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20260526091210.20383-1-guille.rodriguez@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-stm32f7.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-stm32f7.c
++++ b/drivers/i2c/busses/i2c-stm32f7.c
+@@ -694,6 +694,9 @@ static int stm32f7_i2c_setup_timing(stru
+ if (!of_property_read_bool(i2c_dev->dev->of_node, "i2c-digital-filter"))
+ i2c_dev->dnf_dt = STM32F7_I2C_DNF_DEFAULT;
+
++ i2c_dev->analog_filter = of_property_read_bool(i2c_dev->dev->of_node,
++ "i2c-analog-filter");
++
+ do {
+ ret = stm32f7_i2c_compute_timing(i2c_dev, setup,
+ &i2c_dev->timing);
+@@ -715,9 +718,6 @@ static int stm32f7_i2c_setup_timing(stru
+ return ret;
+ }
+
+- i2c_dev->analog_filter = of_property_read_bool(i2c_dev->dev->of_node,
+- "i2c-analog-filter");
+-
+ dev_dbg(i2c_dev->dev, "I2C Speed(%i), Clk Source(%i)\n",
+ setup->speed_freq, setup->clock_src);
+ dev_dbg(i2c_dev->dev, "I2C Rise(%i) and Fall(%i) Time\n",
--- /dev/null
+From 656646b3847ac6a21b074a813223feef2aadd6e2 Mon Sep 17 00:00:00 2001
+From: Akhil R <akhilrajeev@nvidia.com>
+Date: Mon, 18 May 2026 17:10:13 +0530
+Subject: i2c: tegra: Fix NOIRQ suspend/resume
+
+From: Akhil R <akhilrajeev@nvidia.com>
+
+commit 656646b3847ac6a21b074a813223feef2aadd6e2 upstream.
+
+The Tegra I2C driver relies on runtime PM to wake up the controller before
+each transfer. However, runtime PM is disabled between the system suspend
+and NOIRQ suspend. If an I2C device initiates a transfer during this
+window, the I2C controller fails to wake up and the transfer fails. To
+handle this, the controller must be kept available for this period to
+allow transfers.
+
+Rework the I2C controller's system PM callbacks such that the controller
+is resumed from runtime suspend during system suspend and it stays
+RPM_ACTIVE throughout the suspend-resume cycle until it is runtime
+suspended back in the system resume. The clocks are disabled in NOIRQ
+suspend and enabled back in NOIRQ resume by calling the controller's
+runtime PM functions directly.
+
+Fixes: 8ebf15e9c869 ("i2c: tegra: Move suspend handling to NOIRQ phase")
+Assisted-by: Cursor:claude-4.6-opus
+Signed-off-by: Akhil R <akhilrajeev@nvidia.com>
+Cc: <stable@vger.kernel.org> # v5.4+
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20260518114013.62065-5-akhilrajeev@nvidia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-tegra.c | 53 +++++++++++++++++++++++------------------
+ 1 file changed, 30 insertions(+), 23 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-tegra.c
++++ b/drivers/i2c/busses/i2c-tegra.c
+@@ -1938,28 +1938,37 @@ static int __maybe_unused tegra_i2c_runt
+
+ static int __maybe_unused tegra_i2c_suspend(struct device *dev)
+ {
++ /*
++ * Bring the controller up and hold a usage count so it stays
++ * available until the noirq phase.
++ */
++ return pm_runtime_resume_and_get(dev);
++}
++
++static int __maybe_unused tegra_i2c_suspend_noirq(struct device *dev)
++{
+ struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev);
+- int err;
+
+ i2c_mark_adapter_suspended(&i2c_dev->adapter);
+
+- if (!pm_runtime_status_suspended(dev)) {
+- err = tegra_i2c_runtime_suspend(dev);
+- if (err)
+- return err;
+- }
+-
+- return 0;
++ /*
++ * Runtime PM is already disabled at this point, so invoke the
++ * runtime_suspend callback directly to put the controller down.
++ */
++ return tegra_i2c_runtime_suspend(dev);
+ }
+
+-static int __maybe_unused tegra_i2c_resume(struct device *dev)
++static int __maybe_unused tegra_i2c_resume_noirq(struct device *dev)
+ {
+ struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev);
+ int err;
+
+ /*
+- * We need to ensure that clocks are enabled so that registers can be
+- * restored in tegra_i2c_init().
++ * Runtime PM is still disabled at this point, so invoke the
++ * runtime_resume callback directly to bring the controller back up
++ * before re-initializing the hardware. The adapter is then marked
++ * resumed so that consumers can issue transfers from their own
++ * resume_noirq() handlers and onwards.
+ */
+ err = tegra_i2c_runtime_resume(dev);
+ if (err)
+@@ -1969,24 +1978,22 @@ static int __maybe_unused tegra_i2c_resu
+ if (err)
+ return err;
+
+- /*
+- * In case we are runtime suspended, disable clocks again so that we
+- * don't unbalance the clock reference counts during the next runtime
+- * resume transition.
+- */
+- if (pm_runtime_status_suspended(dev)) {
+- err = tegra_i2c_runtime_suspend(dev);
+- if (err)
+- return err;
+- }
+-
+ i2c_mark_adapter_resumed(&i2c_dev->adapter);
+
+ return 0;
+ }
+
++static int __maybe_unused tegra_i2c_resume(struct device *dev)
++{
++ pm_runtime_put(dev);
++
++ return 0;
++}
++
+ static const struct dev_pm_ops tegra_i2c_pm = {
+- SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume)
++ SET_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume)
++ SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend_noirq,
++ tegra_i2c_resume_noirq)
+ SET_RUNTIME_PM_OPS(tegra_i2c_runtime_suspend, tegra_i2c_runtime_resume,
+ NULL)
+ };
--- /dev/null
+From ad0979fe053e9f2db82da82188256ef6eb41095a Mon Sep 17 00:00:00 2001
+From: Zeyu WANG <zeyu.thomas.wang@gmail.com>
+Date: Wed, 3 Jun 2026 01:09:09 +0800
+Subject: Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)
+
+From: Zeyu WANG <zeyu.thomas.wang@gmail.com>
+
+commit ad0979fe053e9f2db82da82188256ef6eb41095a upstream.
+
+The Lenovo Yoga Air 14 (83QK) laptop keyboard becomes unresponsive
+after the standard atkbd init sequence. Controlled testing on the
+actual hardware shows the F5 (ATKBD_CMD_RESET_DIS / deactivate)
+command specifically corrupts the EC state, causing zero IRQ1
+interrupts after init.
+
+Skipping only the deactivate command (while keeping F4 ENABLE)
+resolves the issue completely: both keystroke input and CapsLock
+LED toggle work correctly. The reverse test - skipping only F4
+while keeping F5 - makes the problem worse (zero keystroke
+interrupts), confirming F5 is the sole culprit.
+
+Add a DMI quirk entry for LENOVO/83QK using the existing
+atkbd_deactivate_fixup callback, consistent with the existing
+entries for LG Electronics and HONOR FMB-P that address the
+same EC F5 deactivate issue.
+
+Signed-off-by: Zeyu WANG <zeyu.thomas.wang@gmail.com>
+Link: https://patch.msgid.link/20260602170909.14725-1-zeyu.thomas.wang@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/atkbd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/input/keyboard/atkbd.c
++++ b/drivers/input/keyboard/atkbd.c
+@@ -1937,6 +1937,14 @@ static const struct dmi_system_id atkbd_
+ },
+ .callback = atkbd_deactivate_fixup,
+ },
++ {
++ /* Lenovo Yoga Air 14 (83QK) */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83QK"),
++ },
++ .callback = atkbd_deactivate_fixup,
++ },
+ { }
+ };
+
--- /dev/null
+From fb402386af4cdce108ff991a796386de55439735 Mon Sep 17 00:00:00 2001
+From: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
+Date: Fri, 5 Jun 2026 15:27:21 +0800
+Subject: Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard
+
+From: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
+
+commit fb402386af4cdce108ff991a796386de55439735 upstream.
+
+After commit 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd -
+do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID"), HONOR
+BCC-N, aka HONOR MagicBook 14 2026's internal keyboard stops
+working. Adding the atkbd_deactivate_fixup quirk fixes it.
+
+DMI: HONOR BCC-N/BCC-N-PCB, BIOS 1.04 04/07/2026
+
+Fixes: 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID")
+Reported-by: Hongfei Ren <lcrhf@outlook.com>
+Link: https://github.com/colorcube/Linux-on-Honor-Magicbook-14-Pro/issues/1#issuecomment-4562679891
+Tested-by: Hongfei Ren <lcrhf@outlook.com>
+Cc: stable@kernel.org
+Signed-off-by: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
+Link: https://patch.msgid.link/20260605-honor-v1-1-78e05e491193@linux.dev
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/atkbd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/keyboard/atkbd.c
++++ b/drivers/input/keyboard/atkbd.c
+@@ -1945,6 +1945,13 @@ static const struct dmi_system_id atkbd_
+ },
+ .callback = atkbd_deactivate_fixup,
+ },
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "HONOR"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "BCC-N"),
++ },
++ .callback = atkbd_deactivate_fixup,
++ },
+ { }
+ };
+
--- /dev/null
+From 6ec91df8aff77e2e8fe3179c1f3fc15b43a40ba3 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Mon, 8 Jun 2026 15:10:04 -0300
+Subject: iommu/dma: Do not try to iommu_map a 0 length region in swiotlb
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit 6ec91df8aff77e2e8fe3179c1f3fc15b43a40ba3 upstream.
+
+iommu_dma_iova_link_swiotlb() processes a mapping that is unaligned in three
+parts, the head, middle and trailer. If the middle is empty because there
+are no aligned pages it will call down to iommu_map() with a 0 size
+which the iommupt implementation will fail as illegal.
+
+It then tries to do an error unwind and starts from the wrong spot
+corrupting the mapping so the eventual destruction triggers a WARN_ON.
+
+Check for 0 length and avoid mapping and use offset not 0 as the starting
+point to unlink.
+
+This is frequently triggered by using some kinds of thunderbolt NVMe
+drives that trigger forced SWIOTLB for unaligned memory. NVMe seems to
+pass in oddly aligned buffers for the passthrough commands from smartctl
+that hit this condition.
+
+Cc: stable@vger.kernel.org
+Fixes: 433a76207dcf ("dma-mapping: Implement link/unlink ranges API")
+Reported-by: Mark Lord <mlord@pobox.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Samiullah Khawaja <skhawaja@google.com>
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Link: https://lore.kernel.org/r/0-v1-8536728bc89f+469-swiotlb_warn_jgg@nvidia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/dma-iommu.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/drivers/iommu/dma-iommu.c
++++ b/drivers/iommu/dma-iommu.c
+@@ -1894,12 +1894,18 @@ static int iommu_dma_iova_link_swiotlb(s
+ return 0;
+ }
+
++ /*
++ * After removing the partial head and tail, there may be no aligned
++ * middle left to map. The tail still gets bounced below.
++ */
+ size -= iova_end_pad;
+- error = __dma_iova_link(dev, addr + mapped, phys + mapped, size, dir,
+- attrs);
+- if (error)
+- goto out_unmap;
+- mapped += size;
++ if (size) {
++ error = __dma_iova_link(dev, addr + mapped, phys + mapped,
++ size, dir, attrs);
++ if (error)
++ goto out_unmap;
++ mapped += size;
++ }
+
+ if (iova_end_pad) {
+ error = iommu_dma_iova_bounce_and_link(dev, addr + mapped,
+@@ -1912,7 +1918,8 @@ static int iommu_dma_iova_link_swiotlb(s
+ return 0;
+
+ out_unmap:
+- dma_iova_unlink(dev, state, 0, mapped, dir, attrs);
++ if (mapped)
++ dma_iova_unlink(dev, state, offset, mapped, dir, attrs);
+ return error;
+ }
+
--- /dev/null
+From 2e5c6f4fd4001562781e99bbfc7f1f0127187542 Mon Sep 17 00:00:00 2001
+From: Yilin Zhu <zylzyl2333@gmail.com>
+Date: Thu, 30 Apr 2026 13:21:34 +0800
+Subject: ipc/shm: serialize orphan cleanup with shm_nattch updates
+
+From: Yilin Zhu <zylzyl2333@gmail.com>
+
+commit 2e5c6f4fd4001562781e99bbfc7f1f0127187542 upstream.
+
+shm_destroy_orphaned() walks the shm idr under shm_ids(ns).rwsem, but that
+does not serialize all fields tested by shm_may_destroy(). In particular,
+shm_nattch is updated while holding shm_perm.lock, and attach paths can do
+that without holding the rwsem.
+
+Do not decide that an orphaned segment is unused before taking the object
+lock. Move the shm_may_destroy() check under shm_perm.lock, matching the
+other destroy paths, and unlock the segment when it no longer qualifies
+for removal.
+
+Link: https://lore.kernel.org/9d97cc1031de2d0bace0edf3a668818aa2f4eca6.1777410234.git.zylzyl2333@gmail.com
+Fixes: 4c677e2eefdb ("shm: optimize locking and ipc_namespace getting")
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Yilin Zhu <zylzyl2333@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Jeongjun Park <aha310510@gmail.com>
+Cc: Kees Cook <kees@kernel.org>
+Cc: Liam Howlett <liam@infradead.org>
+Cc: Lorenzo Stoakes <ljs@kernel.org>
+Cc: Serge Hallyn <sergeh@kernel.org>
+Cc: Vasiliy Kulikov <segoon@openwall.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ ipc/shm.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -418,15 +418,17 @@ static int shm_try_destroy_orphaned(int
+ * We want to destroy segments without users and with already
+ * exit'ed originating process.
+ *
+- * As shp->* are changed under rwsem, it's safe to skip shp locking.
++ * shm_nattch can be changed under shm_perm.lock without holding the
++ * rwsem, so take the object lock before checking shm_may_destroy().
+ */
+ if (!list_empty(&shp->shm_clist))
+ return 0;
+
+- if (shm_may_destroy(shp)) {
+- shm_lock_by_ptr(shp);
++ shm_lock_by_ptr(shp);
++ if (shm_may_destroy(shp))
+ shm_destroy(ns, shp);
+- }
++ else
++ shm_unlock(shp);
+ return 0;
+ }
+
--- /dev/null
+From 40a25d59e85b3c8709ac2424d44f65610467871e Mon Sep 17 00:00:00 2001
+From: Davidlohr Bueso <dave@stgolabs.net>
+Date: Thu, 7 May 2026 04:29:13 -0700
+Subject: locking/rtmutex: Skip remove_waiter() when waiter is not enqueued
+
+From: Davidlohr Bueso <dave@stgolabs.net>
+
+commit 40a25d59e85b3c8709ac2424d44f65610467871e upstream.
+
+syzbot triggered the following splat in remove_waiter() via
+FUTEX_CMP_REQUEUE_PI:
+
+ KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f]
+ class_raw_spinlock_constructor
+ remove_waiter+0x159/0x1200 kernel/locking/rtmutex.c:1561
+ rt_mutex_start_proxy_lock+0x103/0x120
+ futex_requeue+0x10e4/0x20d0
+ __x64_sys_futex+0x34f/0x4d0
+
+task_blocks_on_rt_mutex() does not arm the waiter upon deadlock detection,
+leaving waiter->task nil, where 3bfdc63936dd ("rtmutex: Use waiter::task instead
+of current in remove_waiter()") made this fatal.
+
+Furthermore, rt_mutex_start_proxy_lock() should not be calling into remove_waiter()
+upon a successfully grabbing the rtmutex. 1a1fb985f2e2 ("futex: Handle early deadlock
+return correctly"), moved the remove_waiter() out of __rt_mutex_start_proxy_lock()
+(where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to
+account for try_to_take_rt_mutex().
+
+Fixes: 3bfdc63936dd ("rtmutex: Use waiter::task instead of current in remove_waiter()")
+Reported-by: syzbot+78147abe6c524f183ee9@syzkaller.appspotmail.com
+Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Cc: stable@vger.kernel.org
+Closes: https://lore.kernel.org/all/69f114ac.050a0220.ac8b.0003.GAE@google.com/
+Link: https://patch.msgid.link/20260507112913.1019537-1-dave@stgolabs.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/locking/rtmutex.c | 3 +++
+ kernel/locking/rtmutex_api.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/locking/rtmutex.c
++++ b/kernel/locking/rtmutex.c
+@@ -1548,6 +1548,9 @@ static void __sched remove_waiter(struct
+
+ lockdep_assert_held(&lock->wait_lock);
+
++ if (!waiter_task) /* never enqueued */
++ return;
++
+ scoped_guard(raw_spinlock, &waiter_task->pi_lock) {
+ rt_mutex_dequeue(lock, waiter);
+ waiter_task->pi_blocked_on = NULL;
+--- a/kernel/locking/rtmutex_api.c
++++ b/kernel/locking/rtmutex_api.c
+@@ -365,7 +365,7 @@ int __sched rt_mutex_start_proxy_lock(st
+
+ raw_spin_lock_irq(&lock->wait_lock);
+ ret = __rt_mutex_start_proxy_lock(lock, waiter, task, &wake_q);
+- if (unlikely(ret))
++ if (unlikely(ret < 0))
+ remove_waiter(lock, waiter);
+ preempt_disable();
+ raw_spin_unlock_irq(&lock->wait_lock);
--- /dev/null
+From c0cafe24d3f6534294c4b2bc2d47734ff7cbd313 Mon Sep 17 00:00:00 2001
+From: Shakeel Butt <shakeel.butt@linux.dev>
+Date: Thu, 21 May 2026 15:37:51 -0700
+Subject: memcg: use round-robin victim selection in refill_stock
+
+From: Shakeel Butt <shakeel.butt@linux.dev>
+
+commit c0cafe24d3f6534294c4b2bc2d47734ff7cbd313 upstream.
+
+Harry Yoo reported that get_random_u32_below() is not safe to call in the
+nmi context and memcg charge draining can happen in nmi context.
+
+More specifically get_random_u32_below() is neither reentrant- nor
+NMI-safe: it acquires a per-cpu local_lock via local_lock_irqsave() on the
+batched_entropy_u32 state. An NMI that lands on a CPU mid-update of the
+ChaCha batch state and recurses into the random subsystem would corrupt
+that state. The memcg_stock local_trylock prevents re-entry on the percpu
+stock itself, but cannot protect an unrelated subsystem's per-cpu lock.
+
+Replace the random pick with a per-cpu round-robin counter stored in
+memcg_stock_pcp and serialized by the same local_trylock that already
+guards cached[] and nr_pages[]. No atomics, no random calls, no extra
+locks needed.
+
+Link: https://lore.kernel.org/20260521223751.3794625-1-shakeel.butt@linux.dev
+Fixes: f735eebe55f8f ("memcg: multi-memcg percpu charge cache")
+Signed-off-by: Shakeel Butt <shakeel.butt@linux.dev>
+Reported-by: Harry Yoo <harry@kernel.org>
+Closes: https://lore.kernel.org/4e20f643-6983-4b6e-b12d-c6c4eb20ae0c@kernel.org/
+Acked-by: Harry Yoo (Oracle) <harry@kernel.org>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Roman Gushchin <roman.gushchin@linux.dev>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memcontrol.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -1754,6 +1754,7 @@ struct memcg_stock_pcp {
+
+ struct work_struct work;
+ unsigned long flags;
++ uint8_t drain_idx;
+ };
+
+ static DEFINE_PER_CPU_ALIGNED(struct memcg_stock_pcp, memcg_stock) = {
+@@ -1937,7 +1938,9 @@ static void refill_stock(struct mem_cgro
+ if (!success) {
+ i = empty_slot;
+ if (i == -1) {
+- i = get_random_u32_below(NR_MEMCG_STOCK);
++ i = stock->drain_idx++;
++ if (stock->drain_idx == NR_MEMCG_STOCK)
++ stock->drain_idx = 0;
+ drain_stock(stock, i);
+ }
+ css_get(&memcg->css);
--- /dev/null
+From 464c6ad2aa16e1e1df9d559289199356493d1e00 Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Sat, 30 May 2026 21:45:26 +0100
+Subject: misc: fastrpc: fix DMA address corruption due to find_vma misuse
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit 464c6ad2aa16e1e1df9d559289199356493d1e00 upstream.
+
+fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided
+pointer and compute a DMA address offset. When the address falls in a gap
+before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows,
+corrupting the DMA address sent to the DSP.
+
+Replace find_vma() with vma_lookup(), which returns NULL when the address
+is not contained within any VMA.
+
+Cc: stable@vger.kernel.org
+Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204528.116920-3-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -1058,7 +1058,7 @@ static int fastrpc_get_args(u32 kernel,
+ pages[i].addr = ctx->maps[i]->phys;
+
+ mmap_read_lock(current->mm);
+- vma = find_vma(current->mm, ctx->args[i].ptr);
++ vma = vma_lookup(current->mm, ctx->args[i].ptr);
+ if (vma)
+ pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) -
+ vma->vm_start;
--- /dev/null
+From 5401fb4fe10fac6134c308495df18ed74aebb9c4 Mon Sep 17 00:00:00 2001
+From: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Date: Sat, 30 May 2026 21:45:27 +0100
+Subject: misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
+
+From: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+
+commit 5401fb4fe10fac6134c308495df18ed74aebb9c4 upstream.
+
+A NULL pointer dereference was observed on Hawi at boot when the DSP
+sends a glink message before fastrpc_rpmsg_probe() has completed
+initialization:
+
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178
+ pc : _raw_spin_lock_irqsave+0x34/0x8c
+ lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
+ ...
+ Call trace:
+ _raw_spin_lock_irqsave+0x34/0x8c (P)
+ fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
+ qcom_glink_native_rx+0x538/0x6a4
+ qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem]
+
+The faulting address 0x178 corresponds to the lock variable inside
+struct fastrpc_channel_ctx, confirming that cctx is NULL when
+fastrpc_rpmsg_callback() attempts to take the spinlock.
+
+There are two issues here. First, dev_set_drvdata() is called before
+spin_lock_init() and idr_init(), leaving a window where the callback
+can retrieve a valid cctx pointer but operate on an uninitialized
+spinlock. Second, the rpmsg channel becomes live as soon as the driver
+is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata()
+is called at all, resulting in dev_get_drvdata() returning NULL.
+
+Fix both issues by moving all cctx initialization ahead of
+dev_set_drvdata() so the structure is fully initialized before it
+becomes visible to the callback, and add a NULL check in
+fastrpc_rpmsg_callback() as a guard against any remaining window.
+
+Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204528.116920-4-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -2404,7 +2404,6 @@ static int fastrpc_rpmsg_probe(struct rp
+
+ kref_init(&data->refcount);
+
+- dev_set_drvdata(&rpdev->dev, data);
+ rdev->dma_mask = &data->dma_mask;
+ dma_set_mask_and_coherent(rdev, DMA_BIT_MASK(32));
+ INIT_LIST_HEAD(&data->users);
+@@ -2413,6 +2412,7 @@ static int fastrpc_rpmsg_probe(struct rp
+ idr_init(&data->ctx_idr);
+ data->domain_id = domain_id;
+ data->rpdev = rpdev;
++ dev_set_drvdata(&rpdev->dev, data);
+
+ err = of_platform_populate(rdev->of_node, NULL, NULL, rdev);
+ if (err)
+@@ -2486,6 +2486,9 @@ static int fastrpc_rpmsg_callback(struct
+ if (len < sizeof(*rsp))
+ return -EINVAL;
+
++ if (!cctx)
++ return -ENODEV;
++
+ ctxid = ((rsp->ctx & FASTRPC_CTXID_MASK) >> 4);
+
+ spin_lock_irqsave(&cctx->lock, flags);
--- /dev/null
+From e85eb5feca8e254905ffa6c57a3c99c89a674a0f Mon Sep 17 00:00:00 2001
+From: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
+Date: Sat, 30 May 2026 21:45:25 +0100
+Subject: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
+
+commit e85eb5feca8e254905ffa6c57a3c99c89a674a0f upstream.
+
+There is a race between fastrpc_device_release() and the workqueue
+that processes DSP responses. When the user closes the file descriptor,
+fastrpc_device_release() frees the fastrpc_user structure. Concurrently,
+an in-flight DSP invocation can complete and fastrpc_rpmsg_callback()
+schedules context cleanup via schedule_work(&ctx->put_work). If the
+workqueue runs fastrpc_context_free() in parallel with or after
+fastrpc_device_release() has freed the user structure, it dereferences
+the freed fastrpc_user. Depending on the state of the context at the
+time of the race, any one of the following accesses can be hit:
+
+ 1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...)
+ to strip the SID bits from the stored IOVA before passing the
+ physical address to dma_free_coherent().
+
+ 2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to
+ reconstruct the source permission bitmask needed for the
+ qcom_scm_assign_mem() call that returns memory from the DSP VM
+ back to HLOS.
+
+ 3. fastrpc_free_map() acquires map->fl->lock to safely remove the
+ map node from the fl->maps list.
+
+The resulting use-after-free manifests as:
+
+ pc : fastrpc_buf_free+0x38/0x80 [fastrpc]
+ lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]
+ fastrpc_context_free+0xa8/0x1b0 [fastrpc]
+ fastrpc_context_put_wq+0x78/0xa0 [fastrpc]
+ process_one_work+0x180/0x450
+ worker_thread+0x26c/0x388
+
+Add kref-based reference counting to fastrpc_user. Have each invoke
+context take a reference on the user at allocation time and release it
+when the context is freed. Release the initial reference in
+fastrpc_device_release() at file close. Move the teardown of the user
+structure — freeing pending contexts, maps, mmaps, and the channel
+context reference — into the kref release callback fastrpc_user_free(),
+so that it runs only when the last reference is dropped, regardless of
+whether that happens at device close or after the final in-flight
+context completes.
+
+Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter")
+Cc: stable@kernel.org
+Signed-off-by: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204528.116920-2-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 75 +++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 52 insertions(+), 23 deletions(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -303,6 +303,8 @@ struct fastrpc_user {
+ spinlock_t lock;
+ /* lock for allocations */
+ struct mutex mutex;
++ /* Reference count */
++ struct kref refcount;
+ };
+
+ static void fastrpc_free_map(struct kref *ref)
+@@ -471,15 +473,57 @@ static void fastrpc_channel_ctx_put(stru
+ kref_put(&cctx->refcount, fastrpc_channel_ctx_free);
+ }
+
++static void fastrpc_context_put(struct fastrpc_invoke_ctx *ctx);
++
++static void fastrpc_user_free(struct kref *ref)
++{
++ struct fastrpc_user *fl = container_of(ref, struct fastrpc_user, refcount);
++ struct fastrpc_invoke_ctx *ctx, *n;
++ struct fastrpc_map *map, *m;
++ struct fastrpc_buf *buf, *b;
++
++ if (fl->init_mem)
++ fastrpc_buf_free(fl->init_mem);
++
++ list_for_each_entry_safe(ctx, n, &fl->pending, node) {
++ list_del(&ctx->node);
++ fastrpc_context_put(ctx);
++ }
++
++ list_for_each_entry_safe(map, m, &fl->maps, node)
++ fastrpc_map_put(map);
++
++ list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
++ list_del(&buf->node);
++ fastrpc_buf_free(buf);
++ }
++
++ fastrpc_channel_ctx_put(fl->cctx);
++ mutex_destroy(&fl->mutex);
++ kfree(fl);
++}
++
++static void fastrpc_user_get(struct fastrpc_user *fl)
++{
++ kref_get(&fl->refcount);
++}
++
++static void fastrpc_user_put(struct fastrpc_user *fl)
++{
++ kref_put(&fl->refcount, fastrpc_user_free);
++}
++
+ static void fastrpc_context_free(struct kref *ref)
+ {
+ struct fastrpc_invoke_ctx *ctx;
+ struct fastrpc_channel_ctx *cctx;
++ struct fastrpc_user *fl;
+ unsigned long flags;
+ int i;
+
+ ctx = container_of(ref, struct fastrpc_invoke_ctx, refcount);
+ cctx = ctx->cctx;
++ fl = ctx->fl;
+
+ for (i = 0; i < ctx->nbufs; i++)
+ fastrpc_map_put(ctx->maps[i]);
+@@ -495,6 +539,8 @@ static void fastrpc_context_free(struct
+ kfree(ctx->olaps);
+ kfree(ctx);
+
++ /* Release the reference taken in fastrpc_context_alloc() */
++ fastrpc_user_put(fl);
+ fastrpc_channel_ctx_put(cctx);
+ }
+
+@@ -604,6 +650,8 @@ static struct fastrpc_invoke_ctx *fastrp
+
+ /* Released in fastrpc_context_put() */
+ fastrpc_channel_ctx_get(cctx);
++ /* Take a reference to user, released in fastrpc_context_free() */
++ fastrpc_user_get(user);
+
+ ctx->sc = sc;
+ ctx->retval = -1;
+@@ -634,6 +682,7 @@ err_idr:
+ spin_lock(&user->lock);
+ list_del(&ctx->node);
+ spin_unlock(&user->lock);
++ fastrpc_user_put(user);
+ fastrpc_channel_ctx_put(cctx);
+ kfree(ctx->maps);
+ kfree(ctx->olaps);
+@@ -1548,9 +1597,6 @@ static int fastrpc_device_release(struct
+ {
+ struct fastrpc_user *fl = (struct fastrpc_user *)file->private_data;
+ struct fastrpc_channel_ctx *cctx = fl->cctx;
+- struct fastrpc_invoke_ctx *ctx, *n;
+- struct fastrpc_map *map, *m;
+- struct fastrpc_buf *buf, *b;
+ unsigned long flags;
+
+ fastrpc_release_current_dsp_process(fl);
+@@ -1559,28 +1605,10 @@ static int fastrpc_device_release(struct
+ list_del(&fl->user);
+ spin_unlock_irqrestore(&cctx->lock, flags);
+
+- if (fl->init_mem)
+- fastrpc_buf_free(fl->init_mem);
+-
+- list_for_each_entry_safe(ctx, n, &fl->pending, node) {
+- list_del(&ctx->node);
+- fastrpc_context_put(ctx);
+- }
+-
+- list_for_each_entry_safe(map, m, &fl->maps, node)
+- fastrpc_map_put(map);
+-
+- list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
+- list_del(&buf->node);
+- fastrpc_buf_free(buf);
+- }
+-
+ fastrpc_session_free(cctx, fl->sctx);
+- fastrpc_channel_ctx_put(cctx);
+-
+- mutex_destroy(&fl->mutex);
+- kfree(fl);
+ file->private_data = NULL;
++ /* Release the reference taken in fastrpc_device_open */
++ fastrpc_user_put(fl);
+
+ return 0;
+ }
+@@ -1624,6 +1652,7 @@ static int fastrpc_device_open(struct in
+ spin_lock_irqsave(&cctx->lock, flags);
+ list_add_tail(&fl->user, &cctx->users);
+ spin_unlock_irqrestore(&cctx->lock, flags);
++ kref_init(&fl->refcount);
+
+ return 0;
+ }
--- /dev/null
+From 07ebe87915d8accdaba20c4f88c5ae430fe62fbb Mon Sep 17 00:00:00 2001
+From: Zhenghang Xiao <kipreyyy@gmail.com>
+Date: Sat, 30 May 2026 21:45:28 +0100
+Subject: misc: fastrpc: fix use-after-free race in fastrpc_map_create
+
+From: Zhenghang Xiao <kipreyyy@gmail.com>
+
+commit 07ebe87915d8accdaba20c4f88c5ae430fe62fbb upstream.
+
+fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The
+caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero)
+on this unprotected pointer. A concurrent MEM_UNMAP can free the map
+between the lock release and the kref operation, resulting in a
+use-after-free on the freed slab object.
+
+Restore the take_ref parameter to fastrpc_map_lookup so the reference
+is acquired atomically under fl->lock before the pointer is exposed to
+the caller.
+
+Fixes: 10df039834f8 ("misc: fastrpc: Skip reference for DMA handles")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204528.116920-5-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 25 +++++++++++--------------
+ 1 file changed, 11 insertions(+), 14 deletions(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -362,7 +362,7 @@ static int fastrpc_map_get(struct fastrp
+
+
+ static int fastrpc_map_lookup(struct fastrpc_user *fl, int fd,
+- struct fastrpc_map **ppmap)
++ struct fastrpc_map **ppmap, bool take_ref)
+ {
+ struct fastrpc_map *map = NULL;
+ struct dma_buf *buf;
+@@ -377,6 +377,12 @@ static int fastrpc_map_lookup(struct fas
+ if (map->fd != fd || map->buf != buf)
+ continue;
+
++ if (take_ref) {
++ ret = fastrpc_map_get(map);
++ if (ret)
++ break;
++ }
++
+ *ppmap = map;
+ ret = 0;
+ break;
+@@ -891,19 +897,10 @@ get_err:
+ static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
+ u64 len, u32 attr, struct fastrpc_map **ppmap)
+ {
+- struct fastrpc_session_ctx *sess = fl->sctx;
+- int err = 0;
++ if (!fastrpc_map_lookup(fl, fd, ppmap, true))
++ return 0;
+
+- if (!fastrpc_map_lookup(fl, fd, ppmap)) {
+- if (!fastrpc_map_get(*ppmap))
+- return 0;
+- dev_dbg(sess->dev, "%s: Failed to get map fd=%d\n",
+- __func__, fd);
+- }
+-
+- err = fastrpc_map_attach(fl, fd, len, attr, ppmap);
+-
+- return err;
++ return fastrpc_map_attach(fl, fd, len, attr, ppmap);
+ }
+
+ /*
+@@ -1173,7 +1170,7 @@ cleanup_fdlist:
+ for (i = 0; i < FASTRPC_MAX_FDLIST; i++) {
+ if (!fdlist[i])
+ break;
+- if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap))
++ if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap, false))
+ fastrpc_map_put(mmap);
+ }
+
--- /dev/null
+From f9f25118faa4dd2b6e3d14a03d123bbdbd59925d Mon Sep 17 00:00:00 2001
+From: ZhaoJinming <zhaojinming@uniontech.com>
+Date: Thu, 4 Jun 2026 15:03:52 +0800
+Subject: net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues()
+
+From: ZhaoJinming <zhaojinming@uniontech.com>
+
+commit f9f25118faa4dd2b6e3d14a03d123bbdbd59925d upstream.
+
+of_reserved_mem_lookup() may return NULL if the reserved memory region
+referenced by the "memory-region" phandle is not found in the reserved
+memory table (e.g. due to a misconfigured DTS or a removed
+memory-region node). The current code dereferences the returned
+pointer without checking for NULL, leading to a kernel NULL pointer
+dereference at the following lines:
+
+ dma_addr = rmem->base; // line 1156
+ num_desc = div_u64(rmem->size, buf_size); // line 1160
+
+Add a NULL check after of_reserved_mem_lookup() and return -ENODEV if
+the lookup fails, which is consistent with the existing error handling
+for of_parse_phandle() failure in the same code block.
+
+Fixes: 3a1ce9e3d01b ("net: airoha: Add the capability to allocate hwfd buffers via reserved-memory")
+Cc: stable@vger.kernel.org
+Signed-off-by: ZhaoJinming <zhaojinming@uniontech.com>
+Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/airoha/airoha_eth.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/airoha/airoha_eth.c
++++ b/drivers/net/ethernet/airoha/airoha_eth.c
+@@ -1172,6 +1172,9 @@ static int airoha_qdma_init_hfwd_queues(
+
+ rmem = of_reserved_mem_lookup(np);
+ of_node_put(np);
++ if (!rmem)
++ return -ENODEV;
++
+ dma_addr = rmem->base;
+ /* Compute the number of hw descriptors according to the
+ * reserved memory size and the payload buffer size
--- /dev/null
+From a764b0e8317a863006e05732e1aefe821b9d8c2d Mon Sep 17 00:00:00 2001
+From: ZhaoJinming <zhaojinming@uniontech.com>
+Date: Mon, 1 Jun 2026 16:56:49 +0800
+Subject: net: bonding: fix NULL pointer dereference in bond_do_ioctl()
+
+From: ZhaoJinming <zhaojinming@uniontech.com>
+
+commit a764b0e8317a863006e05732e1aefe821b9d8c2d upstream.
+
+In bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which
+can return NULL if the requested interface name does not exist. However,
+the subsequent slave_dbg() call is placed before the NULL check:
+
+ slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
+ slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); //here
+ if (!slave_dev)
+ return -ENODEV;
+
+The slave_dbg() macro expands to netdev_dbg(bond_dev, "(slave %s): " fmt,
+(slave_dev)->name, ...) which unconditionally dereferences slave_dev->name
+before the NULL check is performed. This results in a NULL pointer
+dereference kernel oops when a user calls bonding ioctl (e.g.
+SIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave
+interface name.
+
+This is reachable from userspace via the bonding ioctl interface with
+CAP_NET_ADMIN capability, making it a potential local denial-of-service
+vector.
+
+Fix by moving the slave_dbg() call after the NULL check.
+
+Fixes: e2a7420df2e0 ("bonding/main: convert to using slave printk macros")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: ZhaoJinming <zhaojinming@uniontech.com>
+Link: https://patch.msgid.link/20260601085649.4029067-1-zhaojinming@uniontech.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4595,11 +4595,11 @@ static int bond_do_ioctl(struct net_devi
+
+ slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
+
+- slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
+-
+ if (!slave_dev)
+ return -ENODEV;
+
++ slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
++
+ switch (cmd) {
+ case SIOCBONDENSLAVE:
+ res = bond_enslave(bond_dev, slave_dev, NULL);
--- /dev/null
+From 02896a7fa4cd3ec61d60ba30136841e4f04bdeac Mon Sep 17 00:00:00 2001
+From: Nikolay Kuratov <kniv@yandex-team.ru>
+Date: Tue, 26 May 2026 19:29:32 +0300
+Subject: net/mlx5: Reorder completion before putting command entry in cmd_work_handler
+
+From: Nikolay Kuratov <kniv@yandex-team.ru>
+
+commit 02896a7fa4cd3ec61d60ba30136841e4f04bdeac upstream.
+
+Assuming callback != NULL && !page_queue, cmd_work_handler takes
+command entry with refcnt == 1 from mlx5_cmd_invoke.
+If either semaphore timeout or index allocation error happens,
+it does final cmd_ent_put(ent). To avoid access to freed memory,
+notify slotted completion before cmd_ent_put.
+
+This is theoretical issue found by Svace static analyser.
+
+Cc: stable@vger.kernel.org
+Fixes: 485d65e135712 ("net/mlx5: Add a timeout to acquire the command queue semaphore")
+Fixes: 0e2909c6bec90 ("net/mlx5: Fix variable not being completed when function returns")
+Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru>
+Reviewed-by: Md Haris Iqbal <haris.iqbal@linux.dev>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Acked-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260526162932.501584-1-kniv@yandex-team.ru
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -1000,12 +1000,13 @@ static void cmd_work_handler(struct work
+ ent->callback(-EBUSY, ent->context);
+ mlx5_free_cmd_msg(dev, ent->out);
+ free_msg(dev, ent->in);
++ complete(&ent->slotted);
+ cmd_ent_put(ent);
+ } else {
+ ent->ret = -EBUSY;
+ complete(&ent->done);
++ complete(&ent->slotted);
+ }
+- complete(&ent->slotted);
+ return;
+ }
+ alloc_ret = cmd_alloc_index(cmd, ent);
+@@ -1015,13 +1016,14 @@ static void cmd_work_handler(struct work
+ ent->callback(-EAGAIN, ent->context);
+ mlx5_free_cmd_msg(dev, ent->out);
+ free_msg(dev, ent->in);
++ complete(&ent->slotted);
+ cmd_ent_put(ent);
+ } else {
+ ent->ret = -EAGAIN;
+ complete(&ent->done);
++ complete(&ent->slotted);
+ }
+ up(&cmd->vars.sem);
+- complete(&ent->slotted);
+ return;
+ }
+ } else {
--- /dev/null
+From 4aacf509e537a711fa71bca9f234e5eb6968850e Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Date: Tue, 2 Jun 2026 09:34:14 +0200
+Subject: net: mv643xx: fix OF node refcount
+
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+
+commit 4aacf509e537a711fa71bca9f234e5eb6968850e upstream.
+
+Platform devices created with platform_device_alloc() call
+platform_device_release() when the last reference to the device's
+kobject is dropped. This function calls of_node_put() unconditionally.
+This works fine for devices created with platform_device_register_full()
+but users of the split approach (platform_device_alloc() +
+platform_device_add()) must bump the reference of the of_node they
+assign manually. Add the missing call to of_node_get().
+
+Cc: stable@vger.kernel.org
+Fixes: 76723bca2802 ("net: mv643xx_eth: add DT parsing support")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260602073414.22500-1-bartosz.golaszewski@oss.qualcomm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mv643xx_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
+@@ -2781,7 +2781,7 @@ static int mv643xx_eth_shared_of_add_por
+ goto put_err;
+ }
+ ppdev->dev.coherent_dma_mask = DMA_BIT_MASK(32);
+- ppdev->dev.of_node = pnp;
++ ppdev->dev.of_node = of_node_get(pnp);
+
+ ret = platform_device_add_resources(ppdev, &res, 1);
+ if (ret)
--- /dev/null
+From 71de0177b28da751f407581a4515cf4d762f6296 Mon Sep 17 00:00:00 2001
+From: Santosh Kalluri <santosh.kalluri129@gmail.com>
+Date: Wed, 3 Jun 2026 17:08:43 -0700
+Subject: net: phonet: free phonet_device after RCU grace period
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Santosh Kalluri <santosh.kalluri129@gmail.com>
+
+commit 71de0177b28da751f407581a4515cf4d762f6296 upstream.
+
+phonet_device_destroy() removes a phonet_device from the per-net device
+list with list_del_rcu(), but frees it immediately. RCU readers walking
+the same list can still hold a pointer to the object after it has been
+removed, leading to a slab-use-after-free.
+
+Use kfree_rcu(), matching the lifetime rule already used by
+phonet_address_del() for the same object type.
+
+Fixes: eeb74a9d45f7 ("Phonet: convert devices list to RCU")
+Cc: stable@vger.kernel.org
+Signed-off-by: Santosh Kalluri <santosh.kalluri129@gmail.com>
+Acked-by: RĂ©mi Denis-Courmont <remi@remlab.net>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/phonet/pn_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/phonet/pn_dev.c
++++ b/net/phonet/pn_dev.c
+@@ -108,7 +108,7 @@ static void phonet_device_destroy(struct
+ for_each_set_bit(addr, pnd->addrs, 64)
+ phonet_address_notify(net, RTM_DELADDR, ifindex, addr);
+
+- kfree(pnd);
++ kfree_rcu(pnd, rcu);
+ }
+ }
+
--- /dev/null
+From 20cf0fb715c41111469577e85e35d15f099473e0 Mon Sep 17 00:00:00 2001
+From: Yuqi Xu <xuyq21@lenovo.com>
+Date: Fri, 29 May 2026 21:01:44 +0800
+Subject: net: rds: clear i_sends on setup unwind
+
+From: Yuqi Xu <xuyq21@lenovo.com>
+
+commit 20cf0fb715c41111469577e85e35d15f099473e0 upstream.
+
+The RDS IB connection teardown path is written so it can run during
+partial startup and on repeated shutdown attempts. It uses NULL
+pointers to distinguish resources that are still owned from resources
+that have already been released.
+
+When rds_ib_setup_qp() fails after allocating i_sends but before
+allocating i_recvs, the sends_out path frees i_sends without clearing
+the pointer. A later shutdown pass can still treat that stale pointer
+as a live send ring allocation.
+
+Clear i_sends after vfree() in the error unwind path so the existing
+shutdown logic continues to use the correct ownership state.
+
+Fixes: 3b12f73a5c29 ("rds: ib: add error handle")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Allison Henderson <achender@kernel.org>
+Link: https://patch.msgid.link/5a0f7624bb9845a7b67d26166a150b59e7f394ce.1779632468.git.xuyq21@lenovo.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/ib_cm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rds/ib_cm.c
++++ b/net/rds/ib_cm.c
+@@ -656,6 +656,7 @@ static int rds_ib_setup_qp(struct rds_co
+
+ sends_out:
+ vfree(ic->i_sends);
++ ic->i_sends = NULL;
+
+ ack_dma_out:
+ rds_dma_hdr_free(rds_ibdev->dev, ic->i_ack, ic->i_ack_dma,
--- /dev/null
+From 56d0885514491e5ed8f7593400879ab77c52504c Mon Sep 17 00:00:00 2001
+From: Jonas Jelonek <jelonek.jonas@gmail.com>
+Date: Thu, 28 May 2026 20:52:40 +0000
+Subject: net: sfp: initialize i2c_block_size at adapter configure time
+
+From: Jonas Jelonek <jelonek.jonas@gmail.com>
+
+commit 56d0885514491e5ed8f7593400879ab77c52504c upstream.
+
+sfp->i2c_block_size is only assigned in sfp_sm_mod_probe(), which runs
+from the state machine timer after SFP_F_PRESENT has been set. Between
+those two points, sfp_module_eeprom() (the ethtool -m callback) gates
+only on SFP_F_PRESENT and can be entered with i2c_block_size still at
+its kzalloc'd value of 0.
+
+On a pure-I2C adapter, sfp_i2c_read() then issues an i2c_transfer()
+with msgs[1].len = 0 inside a loop that subtracts this_len from len
+each iteration; on adapters that succeed a zero-length read the loop
+never advances, spinning while holding rtnl_lock.
+
+This was previously addressed by initializing i2c_block_size in
+sfp_alloc() (commit 813c2dd78618), but the initialization was dropped
+when i2c_block_size was split from i2c_max_block_size.
+
+Initialize sfp->i2c_block_size from sfp->i2c_max_block_size in
+sfp_i2c_configure(), so the field is valid as soon as the adapter is
+known. sfp_sm_mod_probe() still reassigns it on each module insertion
+to recover from a per-module clamp to 1 (sfp_id_needs_byte_io).
+
+Fixes: 7662abf4db94 ("net: phy: sfp: Add support for SMBus module access")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
+Link: https://patch.msgid.link/20260528205242.971410-2-jelonek.jonas@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/sfp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/sfp.c
++++ b/drivers/net/phy/sfp.c
+@@ -820,6 +820,7 @@ static int sfp_i2c_configure(struct sfp
+ return -EINVAL;
+ }
+
++ sfp->i2c_block_size = sfp->i2c_max_block_size;
+ return 0;
+ }
+
--- /dev/null
+From 5b6b6fc491899d583eaa75344e094796ae9b530b Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Date: Sat, 30 May 2026 21:43:40 +0100
+Subject: nvmem: core: fix use-after-free bugs in error paths
+
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+
+commit 5b6b6fc491899d583eaa75344e094796ae9b530b upstream.
+
+Fix several instances of error paths in which we call
+__nvmem_device_put() - which may end up freeing the underlying memory
+and other resources - and then keep on using the nvmem structure. Always
+put the reference to the nvmem device as the last step before returning
+the error code.
+
+Cc: stable@vger.kernel.org
+Fixes: 7ae6478b304b ("nvmem: core: rework nvmem cell instance creation")
+Fixes: e888d445ac33 ("nvmem: resolve cells from DT at registration time")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204340.116743-3-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/core.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/drivers/nvmem/core.c
++++ b/drivers/nvmem/core.c
+@@ -1472,18 +1472,16 @@ struct nvmem_cell *of_nvmem_cell_get(str
+ cell_entry = nvmem_find_cell_entry_by_node(nvmem, cell_np);
+ of_node_put(cell_np);
+ if (!cell_entry) {
+- __nvmem_device_put(nvmem);
+ nvmem_layout_module_put(nvmem);
+- if (nvmem->layout)
+- return ERR_PTR(-EPROBE_DEFER);
+- else
+- return ERR_PTR(-ENOENT);
++ ret = nvmem->layout ? -EPROBE_DEFER : -ENOENT;
++ __nvmem_device_put(nvmem);
++ return ERR_PTR(ret);
+ }
+
+ cell = nvmem_create_cell(cell_entry, id, cell_index);
+ if (IS_ERR(cell)) {
+- __nvmem_device_put(nvmem);
+ nvmem_layout_module_put(nvmem);
++ __nvmem_device_put(nvmem);
+ }
+
+ return cell;
+@@ -1597,8 +1595,8 @@ void nvmem_cell_put(struct nvmem_cell *c
+ kfree_const(cell->id);
+
+ kfree(cell);
+- __nvmem_device_put(nvmem);
+ nvmem_layout_module_put(nvmem);
++ __nvmem_device_put(nvmem);
+ }
+ EXPORT_SYMBOL_GPL(nvmem_cell_put);
+
--- /dev/null
+From ea41020b9018e31c2ea7e9d89021e3e6d7470883 Mon Sep 17 00:00:00 2001
+From: Andre Heider <a.heider@gmail.com>
+Date: Sat, 30 May 2026 21:43:39 +0100
+Subject: nvmem: layouts: onie-tlv: fix hang on unknown types
+
+From: Andre Heider <a.heider@gmail.com>
+
+commit ea41020b9018e31c2ea7e9d89021e3e6d7470883 upstream.
+
+The EEPROM on my board has a vendor specific entry of type 0x41. When
+stumbling upon that, this driver hangs in an endless loop.
+
+Fix it by keep incrementing the offset on unknown entries, so the loop
+will eventually stop.
+
+Fixes: d3c0d12f6474 ("nvmem: layouts: onie-tlv: Add new layout driver")
+Cc: Stable@vger.kernel.org
+Signed-off-by: Andre Heider <a.heider@gmail.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204340.116743-2-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/layouts/onie-tlv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvmem/layouts/onie-tlv.c
++++ b/drivers/nvmem/layouts/onie-tlv.c
+@@ -119,7 +119,7 @@ static int onie_tlv_add_cells(struct dev
+
+ cell.name = onie_tlv_cell_name(tlv.type);
+ if (!cell.name)
+- continue;
++ goto next;
+
+ cell.offset = hdr_len + offset + sizeof(tlv.type) + sizeof(tlv.len);
+ cell.bytes = tlv.len;
+@@ -132,6 +132,7 @@ static int onie_tlv_add_cells(struct dev
+ return ret;
+ }
+
++next:
+ offset += sizeof(tlv) + tlv.len;
+ }
+
--- /dev/null
+From 09a5bf856aa759513afc4afd233d15bcc711b84e Mon Sep 17 00:00:00 2001
+From: Dawei Feng <dawei.feng@seu.edu.cn>
+Date: Thu, 4 Jun 2026 22:37:56 +0800
+Subject: octeontx2-af: fix memory leak in rvu_setup_hw_resources()
+
+From: Dawei Feng <dawei.feng@seu.edu.cn>
+
+commit 09a5bf856aa759513afc4afd233d15bcc711b84e upstream.
+
+If rvu_npc_exact_init() fails in rvu_setup_hw_resources(), the function
+returns directly instead of jumping to the error handling path. This
+causes a resource leak for the previously initialized CGX, NPC, fwdata,
+and MSI-X states.
+
+Fix this by replacing the direct return with goto cgx_err to ensure
+proper cleanup.
+
+The bug was first flagged by an experimental analysis tool we are
+developing for kernel memory-management bugs while analyzing
+v6.13-rc1. The tool is still under development and is not yet publicly
+available. Manual inspection confirms that the bug is still present in
+v7.1-rc6.
+
+An x86_64 allyesconfig build showed no new warnings. As we do not have
+access to Marvell OcteonTX2 RVU AF hardware to test with, no runtime
+testing was able to be performed.
+
+Fixes: 3571fe07a090 ("octeontx2-af: Drop rules for NPC MCAM")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Link: https://patch.msgid.link/20260604143756.1524482-1-dawei.feng@seu.edu.cn
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
+@@ -1135,7 +1135,7 @@ cpt:
+ err = rvu_npc_exact_init(rvu);
+ if (err) {
+ dev_err(rvu->dev, "failed to initialize exact match table\n");
+- return err;
++ goto cgx_err;
+ }
+
+ /* Assign MACs for CGX mapped functions */
--- /dev/null
+From b0c13ec17438577f90b379d448dfed1233e2c0a4 Mon Sep 17 00:00:00 2001
+From: Judith Mendez <jm@ti.com>
+Date: Wed, 13 May 2026 18:11:54 -0500
+Subject: pinctrl: mcp23s08: Read spi-present-mask as u8 not u32
+
+From: Judith Mendez <jm@ti.com>
+
+commit b0c13ec17438577f90b379d448dfed1233e2c0a4 upstream.
+
+The binding (microchip,mcp23s08) specifies microchip,spi-present-mask
+as uint8, but driver would read u32, causing type mismatch. Use
+device_property_read_u8 to match binding spec, hardware (8 chips max),
+& prevent probe failure.
+
+Cc: stable@vger.kernel.org
+Fixes: 3ad8d3ec6d87 ("dt-bindings: pinctrl: convert pinctrl-mcp23s08.txt to yaml format")
+Signed-off-by: Judith Mendez <jm@ti.com>
+Signed-off-by: Linus Walleij <linusw@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-mcp23s08_spi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-mcp23s08_spi.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08_spi.c
+@@ -143,13 +143,13 @@ static int mcp23s08_probe(struct spi_dev
+ unsigned int addr;
+ int chips;
+ int ret;
+- u32 v;
++ u8 v;
+
+ info = spi_get_device_match_data(spi);
+
+- ret = device_property_read_u32(dev, "microchip,spi-present-mask", &v);
++ ret = device_property_read_u8(dev, "microchip,spi-present-mask", &v);
+ if (ret) {
+- ret = device_property_read_u32(dev, "mcp,spi-present-mask", &v);
++ ret = device_property_read_u8(dev, "mcp,spi-present-mask", &v);
+ if (ret) {
+ dev_err(dev, "missing spi-present-mask");
+ return ret;
ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch
inet-frags-fix-use-after-free-caused-by-the-fqdir_pre_exit-flush.patch
pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch
+fs-qnx6-fix-pointer-arithmetic-in-directory-iteration.patch
+fuse-reject-fuse_notify-pagecache-ops-on-directories.patch
+fuse-limit-fuse_notify_retrieve-to-uptodate-folios.patch
+futex-requeue-prevent-null-pointer-dereference-in-remove_waiter-on-self-deadlock.patch
+i2c-imx-lpi2c-fix-resource-leaks-switching-to-devm_dma_request_chan.patch
+i2c-imx-fix-clock-and-pinctrl-state-inconsistency-in-runtime-pm.patch
+i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch
+i2c-stm32f7-fix-timing-computation-ignoring-i2c-analog-filter.patch
+i2c-tegra-fix-noirq-suspend-resume.patch
+input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch
+input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch
+iommu-dma-do-not-try-to-iommu_map-a-0-length-region-in-swiotlb.patch
+ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch
+locking-rtmutex-skip-remove_waiter-when-waiter-is-not-enqueued.patch
+memcg-use-round-robin-victim-selection-in-refill_stock.patch
+misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch
+misc-fastrpc-fix-use-after-free-race-in-fastrpc_map_create.patch
+misc-fastrpc-fix-dma-address-corruption-due-to-find_vma-misuse.patch
+misc-fastrpc-fix-null-pointer-dereference-in-rpmsg-callback.patch
+firmware-samsung-acpm-fix-mailbox-channel-leak-on-probe-error.patch
+net-mlx5-reorder-completion-before-putting-command-entry-in-cmd_work_handler.patch
+net-airoha-add-null-check-for-of_reserved_mem_lookup-in-airoha_qdma_init_hfwd_queues.patch
+net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch
+net-mv643xx-fix-of-node-refcount.patch
+net-phonet-free-phonet_device-after-rcu-grace-period.patch
+net-rds-clear-i_sends-on-setup-unwind.patch
+net-sfp-initialize-i2c_block_size-at-adapter-configure-time.patch
+nvmem-core-fix-use-after-free-bugs-in-error-paths.patch
+nvmem-layouts-onie-tlv-fix-hang-on-unknown-types.patch
+octeontx2-af-fix-memory-leak-in-rvu_setup_hw_resources.patch
+pinctrl-mcp23s08-read-spi-present-mask-as-u8-not-u32.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
