Fixes for all trees
authorSasha Levin <sashal@kernel.org>
Mon, 23 Mar 2026 11:42:54 +0000 (07:42 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 23 Mar 2026 11:42:54 +0000 (07:42 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
85 files changed:
queue-5.10/mtd-rawnand-brcmnand-move-to-polling-in-pio-mode-on-.patch [new file with mode: 0644]
queue-5.10/mtd-rawnand-brcmnand-read-write-oob-during-edu-trans.patch [new file with mode: 0644]
queue-5.10/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch [new file with mode: 0644]
queue-5.10/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch [new file with mode: 0644]
queue-5.15/drm-i915-gt-check-set_default_submission-before-defe.patch [new file with mode: 0644]
queue-5.15/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch [new file with mode: 0644]
queue-5.15/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch [new file with mode: 0644]
queue-5.15/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch [new file with mode: 0644]
queue-5.15/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch [new file with mode: 0644]
queue-6.1/drm-i915-gt-check-set_default_submission-before-defe.patch [new file with mode: 0644]
queue-6.1/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch [new file with mode: 0644]
queue-6.1/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch [new file with mode: 0644]
queue-6.1/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch [new file with mode: 0644]
queue-6.1/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch [new file with mode: 0644]
queue-6.12/drm-amd-display-fix-displayid-not-found-handling-in-.patch [new file with mode: 0644]
queue-6.12/drm-amd-fix-dcn-2.01-check.patch [new file with mode: 0644]
queue-6.12/drm-i915-gt-check-set_default_submission-before-defe.patch [new file with mode: 0644]
queue-6.12/fs-tests-exec-remove-bad-test-vector.patch [new file with mode: 0644]
queue-6.12/hwmon-max6639-fix-pulses-per-revolution-implementati.patch [new file with mode: 0644]
queue-6.12/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch [new file with mode: 0644]
queue-6.12/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch [new file with mode: 0644]
queue-6.12/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch [new file with mode: 0644]
queue-6.12/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch [new file with mode: 0644]
queue-6.12/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch [new file with mode: 0644]
queue-6.12/series
queue-6.12/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch [new file with mode: 0644]
queue-6.18/arm64-realm-fix-pte_ns_shared-for-52bit-pa-support.patch [new file with mode: 0644]
queue-6.18/binfmt_elf_fdpic-fix-auxv-size-calculation-for-elf_h.patch [new file with mode: 0644]
queue-6.18/drm-amd-display-fix-displayid-not-found-handling-in-.patch [new file with mode: 0644]
queue-6.18/drm-amd-fix-dcn-2.01-check.patch [new file with mode: 0644]
queue-6.18/drm-bridge-dw-hdmi-qp-fix-multi-channel-audio-output.patch [new file with mode: 0644]
queue-6.18/drm-i915-gt-check-set_default_submission-before-defe.patch [new file with mode: 0644]
queue-6.18/drm-vmwgfx-don-t-overwrite-kms-surface-dirty-tracker.patch [new file with mode: 0644]
queue-6.18/fs-tests-exec-remove-bad-test-vector.patch [new file with mode: 0644]
queue-6.18/hwmon-max6639-fix-pulses-per-revolution-implementati.patch [new file with mode: 0644]
queue-6.18/iommu-sva-fix-crash-in-iommu_sva_unbind_device.patch [new file with mode: 0644]
queue-6.18/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch [new file with mode: 0644]
queue-6.18/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch [new file with mode: 0644]
queue-6.18/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch [new file with mode: 0644]
queue-6.18/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch [new file with mode: 0644]
queue-6.18/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch [new file with mode: 0644]
queue-6.18/series
queue-6.18/spi-amlogic-spifc-a4-remove-redundant-clock-cleanup.patch [new file with mode: 0644]
queue-6.18/spi-amlogic-spisg-fix-memory-leak-in-aml_spisg_probe.patch [new file with mode: 0644]
queue-6.18/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch [new file with mode: 0644]
queue-6.19/arm64-realm-fix-pte_ns_shared-for-52bit-pa-support.patch [new file with mode: 0644]
queue-6.19/arm_mpam-fix-null-pointer-dereference-when-restoring.patch [new file with mode: 0644]
queue-6.19/binfmt_elf_fdpic-fix-auxv-size-calculation-for-elf_h.patch [new file with mode: 0644]
queue-6.19/drm-amd-display-fix-displayid-not-found-handling-in-.patch [new file with mode: 0644]
queue-6.19/drm-amd-fix-dcn-2.01-check.patch [new file with mode: 0644]
queue-6.19/drm-bridge-dw-hdmi-qp-fix-multi-channel-audio-output.patch [new file with mode: 0644]
queue-6.19/drm-i915-gt-check-set_default_submission-before-defe.patch [new file with mode: 0644]
queue-6.19/drm-vmwgfx-don-t-overwrite-kms-surface-dirty-tracker.patch [new file with mode: 0644]
queue-6.19/drm-xe-guc-fail-immediately-on-guc-load-error.patch [new file with mode: 0644]
queue-6.19/fs-tests-exec-remove-bad-test-vector.patch [new file with mode: 0644]
queue-6.19/hwmon-max6639-fix-pulses-per-revolution-implementati.patch [new file with mode: 0644]
queue-6.19/iommu-amd-block-identity-domain-when-snp-enabled.patch [new file with mode: 0644]
queue-6.19/iommu-fix-mapping-check-for-0x0-to-avoid-re-mapping-.patch [new file with mode: 0644]
queue-6.19/iommu-sva-fix-crash-in-iommu_sva_unbind_device.patch [new file with mode: 0644]
queue-6.19/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch [new file with mode: 0644]
queue-6.19/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch [new file with mode: 0644]
queue-6.19/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch [new file with mode: 0644]
queue-6.19/mshv-fix-use-after-free-in-mshv_map_user_memory-erro.patch [new file with mode: 0644]
queue-6.19/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch [new file with mode: 0644]
queue-6.19/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch [new file with mode: 0644]
queue-6.19/series
queue-6.19/spi-amlogic-spifc-a4-remove-redundant-clock-cleanup.patch [new file with mode: 0644]
queue-6.19/spi-amlogic-spisg-fix-memory-leak-in-aml_spisg_probe.patch [new file with mode: 0644]
queue-6.19/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch [new file with mode: 0644]
queue-6.19/x86-hyperv-use-__naked-attribute-to-fix-stackless-c-.patch [new file with mode: 0644]
queue-6.6/drm-amd-display-fix-displayid-not-found-handling-in-.patch [new file with mode: 0644]
queue-6.6/drm-i915-gt-check-set_default_submission-before-defe.patch [new file with mode: 0644]
queue-6.6/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch [new file with mode: 0644]
queue-6.6/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch [new file with mode: 0644]
queue-6.6/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch [new file with mode: 0644]
queue-6.6/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch [new file with mode: 0644]
queue-6.6/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch [new file with mode: 0644]
queue-6.6/series
queue-6.6/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch [new file with mode: 0644]

diff --git a/queue-5.10/mtd-rawnand-brcmnand-move-to-polling-in-pio-mode-on-.patch b/queue-5.10/mtd-rawnand-brcmnand-move-to-polling-in-pio-mode-on-.patch
new file mode 100644 (file)
index 0000000..580e636
--- /dev/null
@@ -0,0 +1,39 @@
+From 272d14adc95d5a71746e067efde0bcd328f9adf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Mar 2021 12:09:09 -0500
+Subject: mtd: rawnand: brcmnand: move to polling in pio mode on oops write
+
+From: Kamal Dasu <kdasu.kdev@gmail.com>
+
+[ Upstream commit 22ca05b82d3e3abc2b116a11ee41b6b692b95530 ]
+
+This change makes sure that Broadcom NAND driver moves to interrupt
+polling on the first brcmnand_write() call.
+
+Signed-off-by: Kamal Dasu <kdasu.kdev@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20210311170909.9031-2-kdasu.kdev@gmail.com
+Stable-dep-of: da9ba4dcc01e ("mtd: rawnand: brcmnand: skip DMA during panic write")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/brcmnand/brcmnand.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+index a101df3b19f70..669c332d37ee8 100644
+--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+@@ -2399,6 +2399,10 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip,
+       for (i = 0; i < ctrl->max_oob; i += 4)
+               oob_reg_write(ctrl, i, 0xffffffff);
++      if (mtd->oops_panic_write)
++              /* switch to interrupt polling and PIO mode */
++              disable_ctrl_irqs(ctrl);
++
+       if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
+               if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize,
+                                   CMD_PROGRAM_PAGE))
+-- 
+2.51.0
+
diff --git a/queue-5.10/mtd-rawnand-brcmnand-read-write-oob-during-edu-trans.patch b/queue-5.10/mtd-rawnand-brcmnand-read-write-oob-during-edu-trans.patch
new file mode 100644 (file)
index 0000000..99bde87
--- /dev/null
@@ -0,0 +1,165 @@
+From 3e84025178a3d614b5390d5e4f0d5647048e5087 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Mar 2021 12:09:08 -0500
+Subject: mtd: rawnand: brcmnand: read/write oob during EDU transfer
+
+From: Kamal Dasu <kdasu.kdev@gmail.com>
+
+[ Upstream commit a071912636cc3420f54e2a6312c1625ac763cf03 ]
+
+Added support to read/write oob during EDU transfers.
+
+Signed-off-by: Kamal Dasu <kdasu.kdev@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20210311170909.9031-1-kdasu.kdev@gmail.com
+Stable-dep-of: da9ba4dcc01e ("mtd: rawnand: brcmnand: skip DMA during panic write")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/brcmnand/brcmnand.c | 59 +++++++++++++++++++++---
+ 1 file changed, 52 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+index cb35090510470..a101df3b19f70 100644
+--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+@@ -245,6 +245,9 @@ struct brcmnand_controller {
+       u32                     edu_ext_addr;
+       u32                     edu_cmd;
+       u32                     edu_config;
++      int                     sas; /* spare area size, per flash cache */
++      int                     sector_size_1k;
++      u8                      *oob;
+       /* flash_dma reg */
+       const u16               *flash_dma_offsets;
+@@ -252,7 +255,7 @@ struct brcmnand_controller {
+       dma_addr_t              dma_pa;
+       int (*dma_trans)(struct brcmnand_host *host, u64 addr, u32 *buf,
+-                       u32 len, u8 dma_cmd);
++                       u8 *oob, u32 len, u8 dma_cmd);
+       /* in-memory cache of the FLASH_CACHE, used only for some commands */
+       u8                      flash_cache[FC_BYTES];
+@@ -1527,6 +1530,23 @@ static irqreturn_t brcmnand_edu_irq(int irq, void *data)
+               edu_writel(ctrl, EDU_EXT_ADDR, ctrl->edu_ext_addr);
+               edu_readl(ctrl, EDU_EXT_ADDR);
++              if (ctrl->oob) {
++                      if (ctrl->edu_cmd == EDU_CMD_READ) {
++                              ctrl->oob += read_oob_from_regs(ctrl,
++                                                      ctrl->edu_count + 1,
++                                                      ctrl->oob, ctrl->sas,
++                                                      ctrl->sector_size_1k);
++                      } else {
++                              brcmnand_write_reg(ctrl, BRCMNAND_CMD_ADDRESS,
++                                                 ctrl->edu_ext_addr);
++                              brcmnand_read_reg(ctrl, BRCMNAND_CMD_ADDRESS);
++                              ctrl->oob += write_oob_to_regs(ctrl,
++                                                             ctrl->edu_count,
++                                                             ctrl->oob, ctrl->sas,
++                                                             ctrl->sector_size_1k);
++                      }
++              }
++
+               mb(); /* flush previous writes */
+               edu_writel(ctrl, EDU_CMD, ctrl->edu_cmd);
+               edu_readl(ctrl, EDU_CMD);
+@@ -1908,9 +1928,10 @@ static void brcmnand_write_buf(struct nand_chip *chip, const uint8_t *buf,
+  *  Kick EDU engine
+  */
+ static int brcmnand_edu_trans(struct brcmnand_host *host, u64 addr, u32 *buf,
+-                            u32 len, u8 cmd)
++                            u8 *oob, u32 len, u8 cmd)
+ {
+       struct brcmnand_controller *ctrl = host->ctrl;
++      struct brcmnand_cfg *cfg = &host->hwcfg;
+       unsigned long timeo = msecs_to_jiffies(200);
+       int ret = 0;
+       int dir = (cmd == CMD_PAGE_READ ? DMA_FROM_DEVICE : DMA_TO_DEVICE);
+@@ -1918,6 +1939,9 @@ static int brcmnand_edu_trans(struct brcmnand_host *host, u64 addr, u32 *buf,
+       unsigned int trans = len >> FC_SHIFT;
+       dma_addr_t pa;
++      dev_dbg(ctrl->dev, "EDU %s %p:%p\n", ((edu_cmd == EDU_CMD_READ) ?
++                                            "read" : "write"), buf, oob);
++
+       pa = dma_map_single(ctrl->dev, buf, len, dir);
+       if (dma_mapping_error(ctrl->dev, pa)) {
+               dev_err(ctrl->dev, "unable to map buffer for EDU DMA\n");
+@@ -1929,6 +1953,8 @@ static int brcmnand_edu_trans(struct brcmnand_host *host, u64 addr, u32 *buf,
+       ctrl->edu_ext_addr = addr;
+       ctrl->edu_cmd = edu_cmd;
+       ctrl->edu_count = trans;
++      ctrl->sas = cfg->spare_area_size;
++      ctrl->oob = oob;
+       edu_writel(ctrl, EDU_DRAM_ADDR, (u32)ctrl->edu_dram_addr);
+       edu_readl(ctrl,  EDU_DRAM_ADDR);
+@@ -1937,6 +1963,16 @@ static int brcmnand_edu_trans(struct brcmnand_host *host, u64 addr, u32 *buf,
+       edu_writel(ctrl, EDU_LENGTH, FC_BYTES);
+       edu_readl(ctrl, EDU_LENGTH);
++      if (ctrl->oob && (ctrl->edu_cmd == EDU_CMD_WRITE)) {
++              brcmnand_write_reg(ctrl, BRCMNAND_CMD_ADDRESS,
++                                 ctrl->edu_ext_addr);
++              brcmnand_read_reg(ctrl, BRCMNAND_CMD_ADDRESS);
++              ctrl->oob += write_oob_to_regs(ctrl,
++                                             1,
++                                             ctrl->oob, ctrl->sas,
++                                             ctrl->sector_size_1k);
++      }
++
+       /* Start edu engine */
+       mb(); /* flush previous writes */
+       edu_writel(ctrl, EDU_CMD, ctrl->edu_cmd);
+@@ -1951,6 +1987,14 @@ static int brcmnand_edu_trans(struct brcmnand_host *host, u64 addr, u32 *buf,
+       dma_unmap_single(ctrl->dev, pa, len, dir);
++      /* read last subpage oob */
++      if (ctrl->oob && (ctrl->edu_cmd == EDU_CMD_READ)) {
++              ctrl->oob += read_oob_from_regs(ctrl,
++                                              1,
++                                              ctrl->oob, ctrl->sas,
++                                              ctrl->sector_size_1k);
++      }
++
+       /* for program page check NAND status */
+       if (((brcmnand_read_reg(ctrl, BRCMNAND_INTFC_STATUS) &
+             INTFC_FLASH_STATUS) & NAND_STATUS_FAIL) &&
+@@ -2060,7 +2104,7 @@ static void brcmnand_dma_run(struct brcmnand_host *host, dma_addr_t desc)
+ }
+ static int brcmnand_dma_trans(struct brcmnand_host *host, u64 addr, u32 *buf,
+-                            u32 len, u8 dma_cmd)
++                            u8 *oob, u32 len, u8 dma_cmd)
+ {
+       struct brcmnand_controller *ctrl = host->ctrl;
+       dma_addr_t buf_pa;
+@@ -2205,8 +2249,9 @@ static int brcmnand_read(struct mtd_info *mtd, struct nand_chip *chip,
+ try_dmaread:
+       brcmnand_clear_ecc_addr(ctrl);
+-      if (ctrl->dma_trans && !oob && flash_dma_buf_ok(buf)) {
+-              err = ctrl->dma_trans(host, addr, buf,
++      if (ctrl->dma_trans && (has_edu(ctrl) || !oob) &&
++          flash_dma_buf_ok(buf)) {
++              err = ctrl->dma_trans(host, addr, buf, oob,
+                                     trans * FC_BYTES,
+                                     CMD_PAGE_READ);
+@@ -2354,8 +2399,8 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip,
+       for (i = 0; i < ctrl->max_oob; i += 4)
+               oob_reg_write(ctrl, i, 0xffffffff);
+-      if (use_dma(ctrl) && !oob && flash_dma_buf_ok(buf)) {
+-              if (ctrl->dma_trans(host, addr, (u32 *)buf, mtd->writesize,
++      if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
++              if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize,
+                                   CMD_PROGRAM_PAGE))
+                       ret = -EIO;
+-- 
+2.51.0
+
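Review bot: `ctrl->sector_size_1k` is added to `struct brcmnand_controller` and passed to `read_oob_from_regs()` / `write_oob_to_regs()` in both `brcmnand_edu_irq()` and `brcmnand_edu_trans()`, but no visible hunk assigns it; only `ctrl->sas` and `ctrl->oob` are set before the transfer starts. Unless it is set in code outside these hunks, the helpers always see its initial value, which on 1 KiB-sector configurations presumably makes the OOB handling use the wrong layout. I would set it next to the other two, e.g. `ctrl->sector_size_1k = cfg->sector_size_1k;`. Separately, `ctrl->oob` is advanced in both IRQ and process context and is left pointing past the caller's buffer when the transfer ends; resetting it to NULL after the last-subpage read would keep any later pass through the `if (ctrl->oob)` branch of the IRQ handler from using a stale pointer. All of these functions start and end outside the hunks.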
diff --git a/queue-5.10/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch b/queue-5.10/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
new file mode 100644 (file)
index 0000000..ed93921
--- /dev/null
@@ -0,0 +1,49 @@
+From 18179d4aeb3e163135d070deacbfaaa96e374d44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 15:21:57 -0500
+Subject: mtd: rawnand: brcmnand: skip DMA during panic write
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+[ Upstream commit da9ba4dcc01e7cf52b7676f0ee9607b8358c2171 ]
+
+When oops_panic_write is set, the driver disables interrupts and
+switches to PIO polling mode but still falls through into the DMA
+path. DMA cannot be used reliably in panic context, so make the
+DMA path an else branch to ensure only PIO is used during panic
+writes.
+
+Fixes: c1ac2dc34b51 ("mtd: rawnand: brcmnand: When oops in progress use pio and interrupt polling")
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: William Zhang <william.zhang@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/brcmnand/brcmnand.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+index 669c332d37ee8..e4739d843f7b8 100644
+--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+@@ -2399,14 +2399,12 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip,
+       for (i = 0; i < ctrl->max_oob; i += 4)
+               oob_reg_write(ctrl, i, 0xffffffff);
+-      if (mtd->oops_panic_write)
++      if (mtd->oops_panic_write) {
+               /* switch to interrupt polling and PIO mode */
+               disable_ctrl_irqs(ctrl);
+-
+-      if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
++      } else if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
+               if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize,
+                                   CMD_PROGRAM_PAGE))
+-
+                       ret = -EIO;
+               goto out;
+-- 
+2.51.0
+
diff --git a/queue-5.10/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch b/queue-5.10/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
new file mode 100644 (file)
index 0000000..3987e99
--- /dev/null
@@ -0,0 +1,70 @@
+From 2d188a53a84e73a9858998c95523afd3c64dcc66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 14:49:06 -0500
+Subject: mtd: rawnand: serialize lock/unlock against other NAND operations
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+[ Upstream commit bab2bc6e850a697a23b9e5f0e21bb8c187615e95 ]
+
+nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area
+without holding the NAND device lock. On controllers that implement
+SET_FEATURES via multiple low-level PIO commands, these can race with
+concurrent UBI/UBIFS background erase/write operations that hold the
+device lock, resulting in cmd_pending conflicts on the NAND controller.
+
+Add nand_get_device()/nand_release_device() around the lock/unlock
+operations to serialize them against all other NAND controller access.
+
+Fixes: 92270086b7e5 ("mtd: rawnand: Add support for manufacturer specific lock/unlock operation")
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: William Zhang <william.zhang@broadcom.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/nand_base.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c
+index 308fcbe394a5e..b40dc3ac8615a 100644
+--- a/drivers/mtd/nand/raw/nand_base.c
++++ b/drivers/mtd/nand/raw/nand_base.c
+@@ -4383,11 +4383,16 @@ static void nand_shutdown(struct mtd_info *mtd)
+ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ {
+       struct nand_chip *chip = mtd_to_nand(mtd);
++      int ret;
+       if (!chip->ops.lock_area)
+               return -ENOTSUPP;
+-      return chip->ops.lock_area(chip, ofs, len);
++      nand_get_device(chip);
++      ret = chip->ops.lock_area(chip, ofs, len);
++      nand_release_device(chip);
++
++      return ret;
+ }
+ /**
+@@ -4399,11 +4404,16 @@ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ static int nand_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ {
+       struct nand_chip *chip = mtd_to_nand(mtd);
++      int ret;
+       if (!chip->ops.unlock_area)
+               return -ENOTSUPP;
+-      return chip->ops.unlock_area(chip, ofs, len);
++      nand_get_device(chip);
++      ret = chip->ops.unlock_area(chip, ofs, len);
++      nand_release_device(chip);
++
++      return ret;
+ }
+ /* Set default functions */
+-- 
+2.51.0
+
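Review bot: The return value of `nand_get_device(chip)` is ignored in both `nand_lock()` and `nand_unlock()`; its definition is outside these hunks, so whether it can fail in the 5.10 tree cannot be confirmed from here. If it can return an error in this tree (for example for a suspended chip), `lock_area` / `unlock_area` would run without the device lock and `nand_release_device()` would release locks that were never taken. In that case the backport should bail out early, e.g. `ret = nand_get_device(chip); if (ret) return ret;`. If it returns void in this tree, the code is fine as written.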
index f67044d115011545c177c970ba521ee3dab0f2ae..bf20a5bc34884342030f9358310bac43f37db668 100644 (file)
@@ -229,3 +229,8 @@ net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
 icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
 hwmon-pmbus-isl68137-fix-unchecked-return-value-and-use-sysfs_emit.patch
 i2c-fsi-fix-a-potential-leak-in-fsi_i2c_probe.patch
+mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
+mtd-rawnand-brcmnand-read-write-oob-during-edu-trans.patch
+mtd-rawnand-brcmnand-move-to-polling-in-pio-mode-on-.patch
+mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
+tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch
diff --git a/queue-5.10/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch b/queue-5.10/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch
new file mode 100644 (file)
index 0000000..3dba64b
--- /dev/null
@@ -0,0 +1,44 @@
+From b7dd2a052a3a55a07760fbdde45f6e30e530ad5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 08:43:06 +0900
+Subject: tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
+
+From: Josh Law <objecting@objecting.org>
+
+[ Upstream commit 3b2c2ab4ceb82af484310c3087541eab00ea288b ]
+
+If fstat() fails after open() succeeds, the function returns without
+closing the file descriptor. Also preserve errno across close(), since
+close() may overwrite it before the error is returned.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-3-objecting@objecting.org/
+
+Fixes: 950313ebf79c ("tools: bootconfig: Add bootconfig command")
+Signed-off-by: Josh Law <objecting@objecting.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bootconfig/main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c
+index 365c022fb7cdd..387cb91862dfc 100644
+--- a/tools/bootconfig/main.c
++++ b/tools/bootconfig/main.c
+@@ -138,8 +138,11 @@ static int load_xbc_file(const char *path, char **buf)
+       if (fd < 0)
+               return -errno;
+       ret = fstat(fd, &stat);
+-      if (ret < 0)
+-              return -errno;
++      if (ret < 0) {
++              ret = -errno;
++              close(fd);
++              return ret;
++      }
+       ret = load_xbc_fd(fd, buf, stat.st_size);
+-- 
+2.51.0
+
diff --git a/queue-5.15/drm-i915-gt-check-set_default_submission-before-defe.patch b/queue-5.15/drm-i915-gt-check-set_default_submission-before-defe.patch
new file mode 100644 (file)
index 0000000..cec5edb
--- /dev/null
@@ -0,0 +1,105 @@
+From 06243fd24be03b31abe9b223fad82e058faacaeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Feb 2026 10:18:39 +0530
+Subject: drm/i915/gt: Check set_default_submission() before deferencing
+
+From: Rahul Bukte <rahul.bukte@sony.com>
+
+[ Upstream commit 0162ab3220bac870e43e229e6e3024d1a21c3f26 ]
+
+When the i915 driver firmware binaries are not present, the
+set_default_submission pointer is not set. This pointer is
+dereferenced during suspend anyways.
+
+Add a check to make sure it is set before dereferencing.
+
+[   23.289926] PM: suspend entry (deep)
+[   23.293558] Filesystems sync: 0.000 seconds
+[   23.298010] Freezing user space processes
+[   23.302771] Freezing user space processes completed (elapsed 0.000 seconds)
+[   23.309766] OOM killer disabled.
+[   23.313027] Freezing remaining freezable tasks
+[   23.318540] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)
+[   23.342038] serial 00:05: disabled
+[   23.345719] serial 00:02: disabled
+[   23.349342] serial 00:01: disabled
+[   23.353782] sd 0:0:0:0: [sda] Synchronizing SCSI cache
+[   23.358993] sd 1:0:0:0: [sdb] Synchronizing SCSI cache
+[   23.361635] ata1.00: Entering standby power mode
+[   23.368863] ata2.00: Entering standby power mode
+[   23.445187] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[   23.452194] #PF: supervisor instruction fetch in kernel mode
+[   23.457896] #PF: error_code(0x0010) - not-present page
+[   23.463065] PGD 0 P4D 0
+[   23.465640] Oops: Oops: 0010 [#1] SMP NOPTI
+[   23.469869] CPU: 8 UID: 0 PID: 211 Comm: kworker/u48:18 Tainted: G S      W           6.19.0-rc4-00020-gf0b9d8eb98df #10 PREEMPT(voluntary)
+[   23.482512] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN
+[   23.496511] Workqueue: async async_run_entry_fn
+[   23.501087] RIP: 0010:0x0
+[   23.503755] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
+[   23.510324] RSP: 0018:ffffb4a60065fca8 EFLAGS: 00010246
+[   23.515592] RAX: 0000000000000000 RBX: ffff9f428290e000 RCX: 000000000000000f
+[   23.522765] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff9f428290e000
+[   23.529937] RBP: ffff9f4282907070 R08: ffff9f4281130428 R09: 00000000ffffffff
+[   23.537111] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f42829070f8
+[   23.544284] R13: ffff9f4282906028 R14: ffff9f4282900000 R15: ffff9f4282906b68
+[   23.551457] FS:  0000000000000000(0000) GS:ffff9f466b2cf000(0000) knlGS:0000000000000000
+[   23.559588] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   23.565365] CR2: ffffffffffffffd6 CR3: 000000031c230001 CR4: 0000000000f70ef0
+[   23.572539] PKRU: 55555554
+[   23.575281] Call Trace:
+[   23.577770]  <TASK>
+[   23.579905]  intel_engines_reset_default_submission+0x42/0x60
+[   23.585695]  __intel_gt_unset_wedged+0x191/0x200
+[   23.590360]  intel_gt_unset_wedged+0x20/0x40
+[   23.594675]  gt_sanitize+0x15e/0x170
+[   23.598290]  i915_gem_suspend_late+0x6b/0x180
+[   23.602692]  i915_drm_suspend_late+0x35/0xf0
+[   23.607008]  ? __pfx_pci_pm_suspend_late+0x10/0x10
+[   23.611843]  dpm_run_callback+0x78/0x1c0
+[   23.615817]  device_suspend_late+0xde/0x2e0
+[   23.620037]  async_suspend_late+0x18/0x30
+[   23.624082]  async_run_entry_fn+0x25/0xa0
+[   23.628129]  process_one_work+0x15b/0x380
+[   23.632182]  worker_thread+0x2a5/0x3c0
+[   23.635973]  ? __pfx_worker_thread+0x10/0x10
+[   23.640279]  kthread+0xf6/0x1f0
+[   23.643464]  ? __pfx_kthread+0x10/0x10
+[   23.647263]  ? __pfx_kthread+0x10/0x10
+[   23.651045]  ret_from_fork+0x131/0x190
+[   23.654837]  ? __pfx_kthread+0x10/0x10
+[   23.658634]  ret_from_fork_asm+0x1a/0x30
+[   23.662597]  </TASK>
+[   23.664826] Modules linked in:
+[   23.667914] CR2: 0000000000000000
+[   23.671271] ------------[ cut here ]------------
+
+Signed-off-by: Rahul Bukte <rahul.bukte@sony.com>
+Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Link: https://patch.msgid.link/20260203044839.1555147-1-suraj.kandpal@intel.com
+(cherry picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad)
+Fixes: ff44ad51ebf8 ("drm/i915: Move engine->submit_request selection to a vfunc")
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_engine_cs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+index 42cb3ad04d89a..e8e495694c182 100644
+--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c
++++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+@@ -1363,7 +1363,8 @@ void intel_engines_reset_default_submission(struct intel_gt *gt)
+               if (engine->sanitize)
+                       engine->sanitize(engine);
+-              engine->set_default_submission(engine);
++              if (engine->set_default_submission)
++                      engine->set_default_submission(engine);
+       }
+ }
+-- 
+2.51.0
+
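Review bot: The new `if (engine->set_default_submission)` guard in `intel_engines_reset_default_submission()` carries no comment, so a reader cannot tell from the code when the callback is legitimately NULL or that skipping it is intended. The commit message gives the reason (firmware binaries absent, so the pointer is never set); I would record it at the call site, e.g. `/* NULL when no submission backend was set up (firmware missing) */`. The loop and the function start outside the hunk, so whether an engine left without a default submission is handled elsewhere is not visible here.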
diff --git a/queue-5.15/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch b/queue-5.15/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch
new file mode 100644 (file)
index 0000000..4339c8c
--- /dev/null
@@ -0,0 +1,135 @@
+From e171be33d60797625053568d12b85ad27a21140d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 17:17:02 +0900
+Subject: ksmbd: fix use-after-free of share_conf in compound request
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit c33615f995aee80657b9fdfbc4ee7f49c2bd733d ]
+
+smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without
+validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state ==
+TREE_CONNECTED on the initial lookup path, but the compound reuse path
+bypasses this check entirely.
+
+If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state
+to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(),
+subsequent commands dereference the freed share_conf through
+work->tcon->share_conf.
+
+KASAN report:
+
+[    4.144653] ==================================================================
+[    4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70
+[    4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44
+[    4.145772]
+[    4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY
+[    4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[    4.145875] Workqueue: ksmbd-io handle_ksmbd_work
+[    4.145888] Call Trace:
+[    4.145892]  <TASK>
+[    4.145894]  dump_stack_lvl+0x64/0x80
+[    4.145910]  print_report+0xce/0x660
+[    4.145919]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[    4.145928]  ? smb2_write+0xc74/0xe70
+[    4.145931]  kasan_report+0xce/0x100
+[    4.145934]  ? smb2_write+0xc74/0xe70
+[    4.145937]  smb2_write+0xc74/0xe70
+[    4.145939]  ? __pfx_smb2_write+0x10/0x10
+[    4.145942]  ? _raw_spin_unlock+0xe/0x30
+[    4.145945]  ? ksmbd_smb2_check_message+0xeb2/0x24c0
+[    4.145948]  ? smb2_tree_disconnect+0x31c/0x480
+[    4.145951]  handle_ksmbd_work+0x40f/0x1080
+[    4.145953]  process_one_work+0x5fa/0xef0
+[    4.145962]  ? assign_work+0x122/0x3e0
+[    4.145964]  worker_thread+0x54b/0xf70
+[    4.145967]  ? __pfx_worker_thread+0x10/0x10
+[    4.145970]  kthread+0x346/0x470
+[    4.145976]  ? recalc_sigpending+0x19b/0x230
+[    4.145980]  ? __pfx_kthread+0x10/0x10
+[    4.145984]  ret_from_fork+0x4fb/0x6c0
+[    4.145992]  ? __pfx_ret_from_fork+0x10/0x10
+[    4.145995]  ? __switch_to+0x36c/0xbe0
+[    4.145999]  ? __pfx_kthread+0x10/0x10
+[    4.146003]  ret_from_fork_asm+0x1a/0x30
+[    4.146013]  </TASK>
+[    4.146014]
+[    4.149858] Allocated by task 44:
+[    4.149953]  kasan_save_stack+0x33/0x60
+[    4.150061]  kasan_save_track+0x14/0x30
+[    4.150169]  __kasan_kmalloc+0x8f/0xa0
+[    4.150274]  ksmbd_share_config_get+0x1dd/0xdd0
+[    4.150401]  ksmbd_tree_conn_connect+0x7e/0x600
+[    4.150529]  smb2_tree_connect+0x2e6/0x1000
+[    4.150645]  handle_ksmbd_work+0x40f/0x1080
+[    4.150761]  process_one_work+0x5fa/0xef0
+[    4.150873]  worker_thread+0x54b/0xf70
+[    4.150978]  kthread+0x346/0x470
+[    4.151071]  ret_from_fork+0x4fb/0x6c0
+[    4.151176]  ret_from_fork_asm+0x1a/0x30
+[    4.151286]
+[    4.151332] Freed by task 44:
+[    4.151418]  kasan_save_stack+0x33/0x60
+[    4.151526]  kasan_save_track+0x14/0x30
+[    4.151634]  kasan_save_free_info+0x3b/0x60
+[    4.151751]  __kasan_slab_free+0x43/0x70
+[    4.151861]  kfree+0x1ca/0x430
+[    4.151952]  __ksmbd_tree_conn_disconnect+0xc8/0x190
+[    4.152088]  smb2_tree_disconnect+0x1cd/0x480
+[    4.152211]  handle_ksmbd_work+0x40f/0x1080
+[    4.152326]  process_one_work+0x5fa/0xef0
+[    4.152438]  worker_thread+0x54b/0xf70
+[    4.152545]  kthread+0x346/0x470
+[    4.152638]  ret_from_fork+0x4fb/0x6c0
+[    4.152743]  ret_from_fork_asm+0x1a/0x30
+[    4.152853]
+[    4.152900] The buggy address belongs to the object at ffff88810430c180
+[    4.152900]  which belongs to the cache kmalloc-96 of size 96
+[    4.153226] The buggy address is located 20 bytes inside of
+[    4.153226]  freed 96-byte region [ffff88810430c180, ffff88810430c1e0)
+[    4.153549]
+[    4.153596] The buggy address belongs to the physical page:
+[    4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c
+[    4.154000] flags: 0x100000000000200(workingset|node=0|zone=2)
+[    4.154160] page_type: f5(slab)
+[    4.154251] raw: 0100000000000200 ffff888100041280 ffff888100040110 ffff888100040110
+[    4.154461] raw: ffff88810430ce80 0000000800200009 00000000f5000000 0000000000000000
+[    4.154668] page dumped because: kasan: bad access detected
+[    4.154820]
+[    4.154866] Memory state around the buggy address:
+[    4.155002]  ffff88810430c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155196]  ffff88810430c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155391] >ffff88810430c180: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+[    4.155587]                          ^
+[    4.155693]  ffff88810430c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155891]  ffff88810430c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.156087] ==================================================================
+
+Add the same t_state validation to the compound reuse path, consistent
+with ksmbd_tree_conn_lookup().
+
+Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ksmbd/smb2pdu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
+index 222d3a31f5106..1210a3231d1c4 100644
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -116,6 +116,8 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
+                       pr_err("The first operation in the compound does not have tcon\n");
+                       return -EINVAL;
+               }
++              if (work->tcon->t_state != TREE_CONNECTED)
++                      return -ENOENT;
+               if (tree_id != UINT_MAX && work->tcon->id != tree_id) {
+                       pr_err("tree id(%u) is different with id(%u) in first operation\n",
+                                       tree_id, work->tcon->id);
+-- 
+2.51.0
+
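Review bot: The added `t_state != TREE_CONNECTED` test in the compound-reuse branch of smb2_get_ksmbd_tcon() is a plain read, with no lock or reference taken anywhere in the hunk. It covers a disconnect issued earlier in the same compound, which is the case in the KASAN report (allocation, free and use all run in task 44). If a tree disconnect can run concurrently with this work item, the check alone would not keep share_conf alive until the later dereference, so that is worth confirming against how the initial lookup path protects the tcon. The new branch is also the only rejection here that returns without a message, so a comment such as `/* tcon was torn down by an earlier command in this compound */` would explain the silent -ENOENT. The function starts and continues outside the hunk, and the queue-6.1 copy (fs/smb/server/smb2pdu.c) adds the same two lines.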
diff --git a/queue-5.15/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch b/queue-5.15/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch
new file mode 100644 (file)
index 0000000..6321e06
--- /dev/null
@@ -0,0 +1,49 @@
+From 265ffb9fa784e266ec6ad3177f64523d99ac43ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 08:43:05 +0900
+Subject: lib/bootconfig: check xbc_init_node() return in override path
+
+From: Josh Law <objecting@objecting.org>
+
+[ Upstream commit bb288d7d869e86d382f35a0e26242c5ccb05ca82 ]
+
+The ':=' override path in xbc_parse_kv() calls xbc_init_node() to
+re-initialize an existing value node but does not check the return
+value. If xbc_init_node() fails (data offset out of range), parsing
+silently continues with stale node data.
+
+Add the missing error check to match the xbc_add_node() call path
+which already checks for failure.
+
+In practice, a bootconfig using ':=' to override a value near the
+32KB data limit could silently retain the old value, meaning a
+security-relevant boot parameter override (e.g., a trace filter or
+debug setting) would not take effect as intended.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-2-objecting@objecting.org/
+
+Fixes: e5efaeb8a8f5 ("bootconfig: Support mixing a value and subkeys under a key")
+Signed-off-by: Josh Law <objecting@objecting.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/bootconfig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/bootconfig.c b/lib/bootconfig.c
+index 0579a93cb163e..9873c6372adca 100644
+--- a/lib/bootconfig.c
++++ b/lib/bootconfig.c
+@@ -646,7 +646,8 @@ static int __init xbc_parse_kv(char **k, char *v, int op)
+               if (op == ':') {
+                       unsigned short nidx = child->next;
+-                      xbc_init_node(child, v, XBC_VALUE);
++                      if (xbc_init_node(child, v, XBC_VALUE) < 0)
++                              return xbc_parse_error("Failed to override value", v);
+                       child->next = nidx;     /* keep subkeys */
+                       goto array;
+               }
+-- 
+2.51.0
+
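Review bot: The new early return in the `op == ':'` branch of xbc_parse_kv() leaves before `child->next = nidx;`, so the subkey link saved in `nidx` is not restored on the failure path. That is safe only if xbc_init_node() rejects the offset before writing to the node, or if a parse error always discards the whole tree, and neither is visible in this hunk. Once confirmed against xbc_init_node(), a comment such as `/* on failure the node is left untouched and parsing is aborted */` would record the assumption. xbc_parse_kv() begins and continues outside the hunk, and the queue-6.1 copy carries the same change.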
diff --git a/queue-5.15/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch b/queue-5.15/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
new file mode 100644 (file)
index 0000000..823c52e
--- /dev/null
@@ -0,0 +1,49 @@
+From 91451bd7fc77de0a67fdd91a20fc36a125d22dab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 15:21:57 -0500
+Subject: mtd: rawnand: brcmnand: skip DMA during panic write
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+[ Upstream commit da9ba4dcc01e7cf52b7676f0ee9607b8358c2171 ]
+
+When oops_panic_write is set, the driver disables interrupts and
+switches to PIO polling mode but still falls through into the DMA
+path. DMA cannot be used reliably in panic context, so make the
+DMA path an else branch to ensure only PIO is used during panic
+writes.
+
+Fixes: c1ac2dc34b51 ("mtd: rawnand: brcmnand: When oops in progress use pio and interrupt polling")
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: William Zhang <william.zhang@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/brcmnand/brcmnand.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+index aa89fcfd71ea0..4bf91b00a2183 100644
+--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+@@ -2399,14 +2399,12 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip,
+       for (i = 0; i < ctrl->max_oob; i += 4)
+               oob_reg_write(ctrl, i, 0xffffffff);
+-      if (mtd->oops_panic_write)
++      if (mtd->oops_panic_write) {
+               /* switch to interrupt polling and PIO mode */
+               disable_ctrl_irqs(ctrl);
+-
+-      if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
++      } else if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
+               if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize,
+                                   CMD_PROGRAM_PAGE))
+-
+                       ret = -EIO;
+               goto out;
+-- 
+2.51.0
+
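Review bot: After this change the comment `/* switch to interrupt polling and PIO mode */` in brcmnand_write() describes something the branch does only implicitly. The branch body just calls disable_ctrl_irqs(), and PIO is selected because the DMA test is now an `else if` that is never evaluated during a panic write. Making that explicit would keep a later edit from reintroducing the fall-through, e.g. `/* panic write: IRQs off and poll; DMA is skipped by the else-if, the PIO path below does the write */`. The PIO path is outside the hunk, so the wording should be checked against it. The queue-6.1 copy has the same lines.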
diff --git a/queue-5.15/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch b/queue-5.15/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
new file mode 100644 (file)
index 0000000..90671ca
--- /dev/null
@@ -0,0 +1,70 @@
+From 56ec78c888b96df00644ec1045ea0b1f8aeeb09f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 14:49:06 -0500
+Subject: mtd: rawnand: serialize lock/unlock against other NAND operations
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+[ Upstream commit bab2bc6e850a697a23b9e5f0e21bb8c187615e95 ]
+
+nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area
+without holding the NAND device lock. On controllers that implement
+SET_FEATURES via multiple low-level PIO commands, these can race with
+concurrent UBI/UBIFS background erase/write operations that hold the
+device lock, resulting in cmd_pending conflicts on the NAND controller.
+
+Add nand_get_device()/nand_release_device() around the lock/unlock
+operations to serialize them against all other NAND controller access.
+
+Fixes: 92270086b7e5 ("mtd: rawnand: Add support for manufacturer specific lock/unlock operation")
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: William Zhang <william.zhang@broadcom.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/nand_base.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c
+index ee8f47feeaf43..60ad72392b9f8 100644
+--- a/drivers/mtd/nand/raw/nand_base.c
++++ b/drivers/mtd/nand/raw/nand_base.c
+@@ -4680,11 +4680,16 @@ static void nand_shutdown(struct mtd_info *mtd)
+ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ {
+       struct nand_chip *chip = mtd_to_nand(mtd);
++      int ret;
+       if (!chip->ops.lock_area)
+               return -ENOTSUPP;
+-      return chip->ops.lock_area(chip, ofs, len);
++      nand_get_device(chip);
++      ret = chip->ops.lock_area(chip, ofs, len);
++      nand_release_device(chip);
++
++      return ret;
+ }
+ /**
+@@ -4696,11 +4701,16 @@ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ static int nand_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ {
+       struct nand_chip *chip = mtd_to_nand(mtd);
++      int ret;
+       if (!chip->ops.unlock_area)
+               return -ENOTSUPP;
+-      return chip->ops.unlock_area(chip, ofs, len);
++      nand_get_device(chip);
++      ret = chip->ops.unlock_area(chip, ofs, len);
++      nand_release_device(chip);
++
++      return ret;
+ }
+ /* Set default functions */
+-- 
+2.51.0
+
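Review bot: Both nand_lock() and nand_unlock() call `nand_get_device(chip);` and ignore any result, and the definition of nand_get_device() is outside these hunks. In a tree where it returns an error instead of blocking, the lock_area/unlock_area op would run without the device lock and nand_release_device() would release a lock that was never taken. Each backport should therefore be checked against that tree's prototype. Where it returns int, the call should be `ret = nand_get_device(chip);` followed by `if (ret) return ret;`. The queue-5.10 and queue-6.1 copies of this patch carry the same pattern.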
index a2eccccd1618541746761fa9e69b6e33e69af98d..df22ded1a03fe305c7443b6e593ed93f78b4c4da 100644 (file)
@@ -283,3 +283,9 @@ net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
 icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
 hwmon-pmbus-isl68137-fix-unchecked-return-value-and-use-sysfs_emit.patch
 i2c-fsi-fix-a-potential-leak-in-fsi_i2c_probe.patch
+mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
+mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
+ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch
+drm-i915-gt-check-set_default_submission-before-defe.patch
+lib-bootconfig-check-xbc_init_node-return-in-overrid.patch
+tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch
diff --git a/queue-5.15/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch b/queue-5.15/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch
new file mode 100644 (file)
index 0000000..11d47f1
--- /dev/null
@@ -0,0 +1,44 @@
+From 442be123ad7a3e7f0051ea31666c1614e128d531 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 08:43:06 +0900
+Subject: tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
+
+From: Josh Law <objecting@objecting.org>
+
+[ Upstream commit 3b2c2ab4ceb82af484310c3087541eab00ea288b ]
+
+If fstat() fails after open() succeeds, the function returns without
+closing the file descriptor. Also preserve errno across close(), since
+close() may overwrite it before the error is returned.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-3-objecting@objecting.org/
+
+Fixes: 950313ebf79c ("tools: bootconfig: Add bootconfig command")
+Signed-off-by: Josh Law <objecting@objecting.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bootconfig/main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c
+index fc922cfdadaa6..78b252ac3817e 100644
+--- a/tools/bootconfig/main.c
++++ b/tools/bootconfig/main.c
+@@ -156,8 +156,11 @@ static int load_xbc_file(const char *path, char **buf)
+       if (fd < 0)
+               return -errno;
+       ret = fstat(fd, &stat);
+-      if (ret < 0)
+-              return -errno;
++      if (ret < 0) {
++              ret = -errno;
++              close(fd);
++              return ret;
++      }
+       ret = load_xbc_fd(fd, buf, stat.st_size);
+-- 
+2.51.0
+
diff --git a/queue-6.1/drm-i915-gt-check-set_default_submission-before-defe.patch b/queue-6.1/drm-i915-gt-check-set_default_submission-before-defe.patch
new file mode 100644 (file)
index 0000000..e391d73
--- /dev/null
@@ -0,0 +1,105 @@
+From 061cd4ae0c1edadbe76ba416a84909c17977f4cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Feb 2026 10:18:39 +0530
+Subject: drm/i915/gt: Check set_default_submission() before deferencing
+
+From: Rahul Bukte <rahul.bukte@sony.com>
+
+[ Upstream commit 0162ab3220bac870e43e229e6e3024d1a21c3f26 ]
+
+When the i915 driver firmware binaries are not present, the
+set_default_submission pointer is not set. This pointer is
+dereferenced during suspend anyways.
+
+Add a check to make sure it is set before dereferencing.
+
+[   23.289926] PM: suspend entry (deep)
+[   23.293558] Filesystems sync: 0.000 seconds
+[   23.298010] Freezing user space processes
+[   23.302771] Freezing user space processes completed (elapsed 0.000 seconds)
+[   23.309766] OOM killer disabled.
+[   23.313027] Freezing remaining freezable tasks
+[   23.318540] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)
+[   23.342038] serial 00:05: disabled
+[   23.345719] serial 00:02: disabled
+[   23.349342] serial 00:01: disabled
+[   23.353782] sd 0:0:0:0: [sda] Synchronizing SCSI cache
+[   23.358993] sd 1:0:0:0: [sdb] Synchronizing SCSI cache
+[   23.361635] ata1.00: Entering standby power mode
+[   23.368863] ata2.00: Entering standby power mode
+[   23.445187] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[   23.452194] #PF: supervisor instruction fetch in kernel mode
+[   23.457896] #PF: error_code(0x0010) - not-present page
+[   23.463065] PGD 0 P4D 0
+[   23.465640] Oops: Oops: 0010 [#1] SMP NOPTI
+[   23.469869] CPU: 8 UID: 0 PID: 211 Comm: kworker/u48:18 Tainted: G S      W           6.19.0-rc4-00020-gf0b9d8eb98df #10 PREEMPT(voluntary)
+[   23.482512] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN
+[   23.496511] Workqueue: async async_run_entry_fn
+[   23.501087] RIP: 0010:0x0
+[   23.503755] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
+[   23.510324] RSP: 0018:ffffb4a60065fca8 EFLAGS: 00010246
+[   23.515592] RAX: 0000000000000000 RBX: ffff9f428290e000 RCX: 000000000000000f
+[   23.522765] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff9f428290e000
+[   23.529937] RBP: ffff9f4282907070 R08: ffff9f4281130428 R09: 00000000ffffffff
+[   23.537111] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f42829070f8
+[   23.544284] R13: ffff9f4282906028 R14: ffff9f4282900000 R15: ffff9f4282906b68
+[   23.551457] FS:  0000000000000000(0000) GS:ffff9f466b2cf000(0000) knlGS:0000000000000000
+[   23.559588] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   23.565365] CR2: ffffffffffffffd6 CR3: 000000031c230001 CR4: 0000000000f70ef0
+[   23.572539] PKRU: 55555554
+[   23.575281] Call Trace:
+[   23.577770]  <TASK>
+[   23.579905]  intel_engines_reset_default_submission+0x42/0x60
+[   23.585695]  __intel_gt_unset_wedged+0x191/0x200
+[   23.590360]  intel_gt_unset_wedged+0x20/0x40
+[   23.594675]  gt_sanitize+0x15e/0x170
+[   23.598290]  i915_gem_suspend_late+0x6b/0x180
+[   23.602692]  i915_drm_suspend_late+0x35/0xf0
+[   23.607008]  ? __pfx_pci_pm_suspend_late+0x10/0x10
+[   23.611843]  dpm_run_callback+0x78/0x1c0
+[   23.615817]  device_suspend_late+0xde/0x2e0
+[   23.620037]  async_suspend_late+0x18/0x30
+[   23.624082]  async_run_entry_fn+0x25/0xa0
+[   23.628129]  process_one_work+0x15b/0x380
+[   23.632182]  worker_thread+0x2a5/0x3c0
+[   23.635973]  ? __pfx_worker_thread+0x10/0x10
+[   23.640279]  kthread+0xf6/0x1f0
+[   23.643464]  ? __pfx_kthread+0x10/0x10
+[   23.647263]  ? __pfx_kthread+0x10/0x10
+[   23.651045]  ret_from_fork+0x131/0x190
+[   23.654837]  ? __pfx_kthread+0x10/0x10
+[   23.658634]  ret_from_fork_asm+0x1a/0x30
+[   23.662597]  </TASK>
+[   23.664826] Modules linked in:
+[   23.667914] CR2: 0000000000000000
+[   23.671271] ------------[ cut here ]------------
+
+Signed-off-by: Rahul Bukte <rahul.bukte@sony.com>
+Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Link: https://patch.msgid.link/20260203044839.1555147-1-suraj.kandpal@intel.com
+(cherry picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad)
+Fixes: ff44ad51ebf8 ("drm/i915: Move engine->submit_request selection to a vfunc")
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_engine_cs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+index 07967adce16aa..20d4b9f4a4959 100644
+--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c
++++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+@@ -1798,7 +1798,8 @@ void intel_engines_reset_default_submission(struct intel_gt *gt)
+               if (engine->sanitize)
+                       engine->sanitize(engine);
+-              engine->set_default_submission(engine);
++              if (engine->set_default_submission)
++                      engine->set_default_submission(engine);
+       }
+ }
+-- 
+2.51.0
+
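Review bot: The new `if (engine->set_default_submission)` guard in intel_engines_reset_default_submission() stops the NULL call shown in the trace, but the code gives no hint why the vfunc may be unset. A comment taken from the commit message would help, e.g. `/* not set when submission setup did not run (firmware binaries missing) */`. An engine that skips the call presumably keeps whatever submission state it had. Whether that is safe across suspend cannot be judged from this hunk, since the loop header and the callers are outside it. The queue-5.15 copy earlier on this page makes the same change.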
diff --git a/queue-6.1/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch b/queue-6.1/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch
new file mode 100644 (file)
index 0000000..5e3666c
--- /dev/null
@@ -0,0 +1,135 @@
+From ce54d625345f22b9775fa514f94bbbd805c1873d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 17:17:02 +0900
+Subject: ksmbd: fix use-after-free of share_conf in compound request
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit c33615f995aee80657b9fdfbc4ee7f49c2bd733d ]
+
+smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without
+validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state ==
+TREE_CONNECTED on the initial lookup path, but the compound reuse path
+bypasses this check entirely.
+
+If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state
+to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(),
+subsequent commands dereference the freed share_conf through
+work->tcon->share_conf.
+
+KASAN report:
+
+[    4.144653] ==================================================================
+[    4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70
+[    4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44
+[    4.145772]
+[    4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY
+[    4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[    4.145875] Workqueue: ksmbd-io handle_ksmbd_work
+[    4.145888] Call Trace:
+[    4.145892]  <TASK>
+[    4.145894]  dump_stack_lvl+0x64/0x80
+[    4.145910]  print_report+0xce/0x660
+[    4.145919]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[    4.145928]  ? smb2_write+0xc74/0xe70
+[    4.145931]  kasan_report+0xce/0x100
+[    4.145934]  ? smb2_write+0xc74/0xe70
+[    4.145937]  smb2_write+0xc74/0xe70
+[    4.145939]  ? __pfx_smb2_write+0x10/0x10
+[    4.145942]  ? _raw_spin_unlock+0xe/0x30
+[    4.145945]  ? ksmbd_smb2_check_message+0xeb2/0x24c0
+[    4.145948]  ? smb2_tree_disconnect+0x31c/0x480
+[    4.145951]  handle_ksmbd_work+0x40f/0x1080
+[    4.145953]  process_one_work+0x5fa/0xef0
+[    4.145962]  ? assign_work+0x122/0x3e0
+[    4.145964]  worker_thread+0x54b/0xf70
+[    4.145967]  ? __pfx_worker_thread+0x10/0x10
+[    4.145970]  kthread+0x346/0x470
+[    4.145976]  ? recalc_sigpending+0x19b/0x230
+[    4.145980]  ? __pfx_kthread+0x10/0x10
+[    4.145984]  ret_from_fork+0x4fb/0x6c0
+[    4.145992]  ? __pfx_ret_from_fork+0x10/0x10
+[    4.145995]  ? __switch_to+0x36c/0xbe0
+[    4.145999]  ? __pfx_kthread+0x10/0x10
+[    4.146003]  ret_from_fork_asm+0x1a/0x30
+[    4.146013]  </TASK>
+[    4.146014]
+[    4.149858] Allocated by task 44:
+[    4.149953]  kasan_save_stack+0x33/0x60
+[    4.150061]  kasan_save_track+0x14/0x30
+[    4.150169]  __kasan_kmalloc+0x8f/0xa0
+[    4.150274]  ksmbd_share_config_get+0x1dd/0xdd0
+[    4.150401]  ksmbd_tree_conn_connect+0x7e/0x600
+[    4.150529]  smb2_tree_connect+0x2e6/0x1000
+[    4.150645]  handle_ksmbd_work+0x40f/0x1080
+[    4.150761]  process_one_work+0x5fa/0xef0
+[    4.150873]  worker_thread+0x54b/0xf70
+[    4.150978]  kthread+0x346/0x470
+[    4.151071]  ret_from_fork+0x4fb/0x6c0
+[    4.151176]  ret_from_fork_asm+0x1a/0x30
+[    4.151286]
+[    4.151332] Freed by task 44:
+[    4.151418]  kasan_save_stack+0x33/0x60
+[    4.151526]  kasan_save_track+0x14/0x30
+[    4.151634]  kasan_save_free_info+0x3b/0x60
+[    4.151751]  __kasan_slab_free+0x43/0x70
+[    4.151861]  kfree+0x1ca/0x430
+[    4.151952]  __ksmbd_tree_conn_disconnect+0xc8/0x190
+[    4.152088]  smb2_tree_disconnect+0x1cd/0x480
+[    4.152211]  handle_ksmbd_work+0x40f/0x1080
+[    4.152326]  process_one_work+0x5fa/0xef0
+[    4.152438]  worker_thread+0x54b/0xf70
+[    4.152545]  kthread+0x346/0x470
+[    4.152638]  ret_from_fork+0x4fb/0x6c0
+[    4.152743]  ret_from_fork_asm+0x1a/0x30
+[    4.152853]
+[    4.152900] The buggy address belongs to the object at ffff88810430c180
+[    4.152900]  which belongs to the cache kmalloc-96 of size 96
+[    4.153226] The buggy address is located 20 bytes inside of
+[    4.153226]  freed 96-byte region [ffff88810430c180, ffff88810430c1e0)
+[    4.153549]
+[    4.153596] The buggy address belongs to the physical page:
+[    4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c
+[    4.154000] flags: 0x100000000000200(workingset|node=0|zone=2)
+[    4.154160] page_type: f5(slab)
+[    4.154251] raw: 0100000000000200 ffff888100041280 ffff888100040110 ffff888100040110
+[    4.154461] raw: ffff88810430ce80 0000000800200009 00000000f5000000 0000000000000000
+[    4.154668] page dumped because: kasan: bad access detected
+[    4.154820]
+[    4.154866] Memory state around the buggy address:
+[    4.155002]  ffff88810430c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155196]  ffff88810430c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155391] >ffff88810430c180: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+[    4.155587]                          ^
+[    4.155693]  ffff88810430c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155891]  ffff88810430c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.156087] ==================================================================
+
+Add the same t_state validation to the compound reuse path, consistent
+with ksmbd_tree_conn_lookup().
+
+Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/smb2pdu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index fb756953fec3a..65b55e824aa8b 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -117,6 +117,8 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
+                       pr_err("The first operation in the compound does not have tcon\n");
+                       return -EINVAL;
+               }
++              if (work->tcon->t_state != TREE_CONNECTED)
++                      return -ENOENT;
+               if (tree_id != UINT_MAX && work->tcon->id != tree_id) {
+                       pr_err("tree id(%u) is different with id(%u) in first operation\n",
+                                       tree_id, work->tcon->id);
+-- 
+2.51.0
+
diff --git a/queue-6.1/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch b/queue-6.1/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch
new file mode 100644 (file)
index 0000000..0c7b890
--- /dev/null
@@ -0,0 +1,49 @@
+From bc0838e2a5d81a3afd90e0b2f1eef5c38d461169 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 08:43:05 +0900
+Subject: lib/bootconfig: check xbc_init_node() return in override path
+
+From: Josh Law <objecting@objecting.org>
+
+[ Upstream commit bb288d7d869e86d382f35a0e26242c5ccb05ca82 ]
+
+The ':=' override path in xbc_parse_kv() calls xbc_init_node() to
+re-initialize an existing value node but does not check the return
+value. If xbc_init_node() fails (data offset out of range), parsing
+silently continues with stale node data.
+
+Add the missing error check to match the xbc_add_node() call path
+which already checks for failure.
+
+In practice, a bootconfig using ':=' to override a value near the
+32KB data limit could silently retain the old value, meaning a
+security-relevant boot parameter override (e.g., a trace filter or
+debug setting) would not take effect as intended.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-2-objecting@objecting.org/
+
+Fixes: e5efaeb8a8f5 ("bootconfig: Support mixing a value and subkeys under a key")
+Signed-off-by: Josh Law <objecting@objecting.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/bootconfig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/bootconfig.c b/lib/bootconfig.c
+index 82f21a9b0aaba..675f34cf32f0d 100644
+--- a/lib/bootconfig.c
++++ b/lib/bootconfig.c
+@@ -714,7 +714,8 @@ static int __init xbc_parse_kv(char **k, char *v, int op)
+               if (op == ':') {
+                       unsigned short nidx = child->next;
+-                      xbc_init_node(child, v, XBC_VALUE);
++                      if (xbc_init_node(child, v, XBC_VALUE) < 0)
++                              return xbc_parse_error("Failed to override value", v);
+                       child->next = nidx;     /* keep subkeys */
+                       goto array;
+               }
+-- 
+2.51.0
+
diff --git a/queue-6.1/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch b/queue-6.1/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
new file mode 100644 (file)
index 0000000..d2bffe4
--- /dev/null
@@ -0,0 +1,49 @@
+From 9289ab73f43575165ac78fc1283ecc7814e3cdf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 15:21:57 -0500
+Subject: mtd: rawnand: brcmnand: skip DMA during panic write
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+[ Upstream commit da9ba4dcc01e7cf52b7676f0ee9607b8358c2171 ]
+
+When oops_panic_write is set, the driver disables interrupts and
+switches to PIO polling mode but still falls through into the DMA
+path. DMA cannot be used reliably in panic context, so make the
+DMA path an else branch to ensure only PIO is used during panic
+writes.
+
+Fixes: c1ac2dc34b51 ("mtd: rawnand: brcmnand: When oops in progress use pio and interrupt polling")
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: William Zhang <william.zhang@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/brcmnand/brcmnand.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+index 20c6aeef107c8..99e0d7aa2f4bd 100644
+--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+@@ -2410,14 +2410,12 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip,
+       for (i = 0; i < ctrl->max_oob; i += 4)
+               oob_reg_write(ctrl, i, 0xffffffff);
+-      if (mtd->oops_panic_write)
++      if (mtd->oops_panic_write) {
+               /* switch to interrupt polling and PIO mode */
+               disable_ctrl_irqs(ctrl);
+-
+-      if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
++      } else if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
+               if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize,
+                                   CMD_PROGRAM_PAGE))
+-
+                       ret = -EIO;
+               goto out;
+-- 
+2.51.0
+
diff --git a/queue-6.1/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch b/queue-6.1/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
new file mode 100644 (file)
index 0000000..ebded1e
--- /dev/null
@@ -0,0 +1,70 @@
+From c00f5d0ebce0f75e3f4a3af90a491210daf6c260 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 14:49:06 -0500
+Subject: mtd: rawnand: serialize lock/unlock against other NAND operations
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+[ Upstream commit bab2bc6e850a697a23b9e5f0e21bb8c187615e95 ]
+
+nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area
+without holding the NAND device lock. On controllers that implement
+SET_FEATURES via multiple low-level PIO commands, these can race with
+concurrent UBI/UBIFS background erase/write operations that hold the
+device lock, resulting in cmd_pending conflicts on the NAND controller.
+
+Add nand_get_device()/nand_release_device() around the lock/unlock
+operations to serialize them against all other NAND controller access.
+
+Fixes: 92270086b7e5 ("mtd: rawnand: Add support for manufacturer specific lock/unlock operation")
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: William Zhang <william.zhang@broadcom.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/nand_base.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c
+index ea7e37a6e4c07..a545df56a30e7 100644
+--- a/drivers/mtd/nand/raw/nand_base.c
++++ b/drivers/mtd/nand/raw/nand_base.c
+@@ -4692,11 +4692,16 @@ static void nand_shutdown(struct mtd_info *mtd)
+ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ {
+       struct nand_chip *chip = mtd_to_nand(mtd);
++      int ret;
+       if (!chip->ops.lock_area)
+               return -ENOTSUPP;
+-      return chip->ops.lock_area(chip, ofs, len);
++      nand_get_device(chip);
++      ret = chip->ops.lock_area(chip, ofs, len);
++      nand_release_device(chip);
++
++      return ret;
+ }
+ /**
+@@ -4708,11 +4713,16 @@ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ static int nand_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ {
+       struct nand_chip *chip = mtd_to_nand(mtd);
++      int ret;
+       if (!chip->ops.unlock_area)
+               return -ENOTSUPP;
+-      return chip->ops.unlock_area(chip, ofs, len);
++      nand_get_device(chip);
++      ret = chip->ops.unlock_area(chip, ofs, len);
++      nand_release_device(chip);
++
++      return ret;
+ }
+ /* Set default functions */
+-- 
+2.51.0
+
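Review bot: The kernel-doc blocks for nand_lock() and nand_unlock() do not say that `chip->ops.lock_area` and `chip->ops.unlock_area` are now called with the NAND device held, and a hook that acquired the device itself would block on it. A line such as `* The chip's lock_area hook is called with the NAND device acquired.` in each comment block would record that contract for driver authors. The hunk uses nand_get_device() as a plain statement; if it returns a status on this tree (its prototype is not visible here), that result needs checking before the hook is called.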
index c69fd54af6fe12d4b70b98b95980bbc9aab40e64..e8d5bce9a60cb6300eb1ac3e696ef256304f879b 100644 (file)
@@ -445,3 +445,9 @@ mailbox-prevent-out-of-bounds-access-in-of_mbox_index_xlate.patch
 sched-fair-fix-pelt-clock-sync-when-entering-idle.patch
 usb-serial-f81232-fix-incomplete-serial-port-generation.patch
 i2c-fsi-fix-a-potential-leak-in-fsi_i2c_probe.patch
+mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
+mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
+ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch
+drm-i915-gt-check-set_default_submission-before-defe.patch
+lib-bootconfig-check-xbc_init_node-return-in-overrid.patch
+tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch
diff --git a/queue-6.1/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch b/queue-6.1/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch
new file mode 100644 (file)
index 0000000..7ce230d
--- /dev/null
@@ -0,0 +1,44 @@
+From f8c37d4990fedbff3dfbbab7876db9db836c78b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 08:43:06 +0900
+Subject: tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
+
+From: Josh Law <objecting@objecting.org>
+
+[ Upstream commit 3b2c2ab4ceb82af484310c3087541eab00ea288b ]
+
+If fstat() fails after open() succeeds, the function returns without
+closing the file descriptor. Also preserve errno across close(), since
+close() may overwrite it before the error is returned.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-3-objecting@objecting.org/
+
+Fixes: 950313ebf79c ("tools: bootconfig: Add bootconfig command")
+Signed-off-by: Josh Law <objecting@objecting.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bootconfig/main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c
+index 8a48cc2536f56..32cf48f2da9a1 100644
+--- a/tools/bootconfig/main.c
++++ b/tools/bootconfig/main.c
+@@ -157,8 +157,11 @@ static int load_xbc_file(const char *path, char **buf)
+       if (fd < 0)
+               return -errno;
+       ret = fstat(fd, &stat);
+-      if (ret < 0)
+-              return -errno;
++      if (ret < 0) {
++              ret = -errno;
++              close(fd);
++              return ret;
++      }
+       ret = load_xbc_fd(fd, buf, stat.st_size);
+-- 
+2.51.0
+
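Review bot: `stat.st_size` is still handed to load_xbc_fd() unchecked on the line after the new error branch, so a path that is not a regular file reaches the loader with a size that carries no meaning. load_xbc_fd()'s signature and its own bounds checks are outside the hunk, so this may already be covered there. If it is not, a guard before the call such as `if (!S_ISREG(stat.st_mode)) { close(fd); return -EINVAL; }` would close the gap. The local named `stat` also shadows the libc function of the same name, so `st` or `sb` would read better. load_xbc_file() continues past the end of the hunk.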
diff --git a/queue-6.12/drm-amd-display-fix-displayid-not-found-handling-in-.patch b/queue-6.12/drm-amd-display-fix-displayid-not-found-handling-in-.patch
new file mode 100644 (file)
index 0000000..9444b8d
--- /dev/null
@@ -0,0 +1,72 @@
+From f169ca2b0f469e8c3b6b4b79079d8973d40d5ab3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 18:30:26 +0530
+Subject: drm/amd/display: Fix DisplayID not-found handling in
+ parse_edid_displayid_vrr()
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+[ Upstream commit 2323b019651ad81c20a0f7f817c63392b3110652 ]
+
+parse_edid_displayid_vrr() searches the EDID extension blocks for a
+DisplayID extension before parsing the dynamic video timing range.
+
+The code previously checked whether edid_ext was NULL after the search
+loop. However, edid_ext is assigned during each iteration of the loop,
+so it will never be NULL once the loop has executed. If no DisplayID
+extension is found, edid_ext ends up pointing to the last extension
+block, and the NULL check does not correctly detect the failure case.
+
+Instead, check whether the loop completed without finding a matching
+DisplayID block by testing "i == edid->extensions". This ensures the
+function exits early when no DisplayID extension is present and avoids
+parsing an unrelated EDID extension block.
+
+Also simplify the EDID validation check using "!edid ||
+!edid->extensions".
+
+Fixes the below:
+drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:13079 parse_edid_displayid_vrr() warn: variable dereferenced before check 'edid_ext' (see line 13075)
+
+Fixes: a638b837d0e6 ("drm/amd/display: Fix refresh rate range for some panel")
+Cc: Roman Li <roman.li@amd.com>
+Cc: Alex Hung <alex.hung@amd.com>
+Cc: Jerry Zuo <jerry.zuo@amd.com>
+Cc: Sun peng Li <sunpeng.li@amd.com>
+Cc: Tom Chung <chiahsuan.chung@amd.com>
+Cc: Dan Carpenter <dan.carpenter@linaro.org>
+Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 91c7e6342e98c846b259c57273436fdea4c043f2)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 4d508129a5e65..e092d2372a4e6 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -12318,7 +12318,7 @@ static void parse_edid_displayid_vrr(struct drm_connector *connector,
+       u16 min_vfreq;
+       u16 max_vfreq;
+-      if (edid == NULL || edid->extensions == 0)
++      if (!edid || !edid->extensions)
+               return;
+       /* Find DisplayID extension */
+@@ -12328,7 +12328,7 @@ static void parse_edid_displayid_vrr(struct drm_connector *connector,
+                       break;
+       }
+-      if (edid_ext == NULL)
++      if (i == edid->extensions)
+               return;
+       while (j < EDID_LENGTH) {
+-- 
+2.51.0
+
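Review bot: The new `if (i == edid->extensions)` test relies on the search loop leaving `i` equal to the extension count when nothing matched, and nothing at the check says so. A comment above it, e.g. `/* loop ran to the end: no DisplayID block, edid_ext points at the last extension */`, would keep a later cleanup from turning it back into a NULL test. The search loop and the body of the `while (j < EDID_LENGTH)` parser are outside the hunk, so it cannot be confirmed from here that `i` is left untouched in between.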
diff --git a/queue-6.12/drm-amd-fix-dcn-2.01-check.patch b/queue-6.12/drm-amd-fix-dcn-2.01-check.patch
new file mode 100644 (file)
index 0000000..9fe2db0
--- /dev/null
@@ -0,0 +1,49 @@
+From 59510fc38cb721f2ec8b19c26bd3ede5268fbf6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 17:51:47 +0100
+Subject: drm/amd: fix dcn 2.01 check
+
+From: Andy Nguyen <theofficialflow1996@gmail.com>
+
+[ Upstream commit 39f44f54afa58661ecae9c27e15f5dbce2372892 ]
+
+The ASICREV_IS_BEIGE_GOBY_P check always took precedence, because it includes all chip revisions upto NV_UNKNOWN.
+
+Fixes: 54b822b3eac3 ("drm/amd/display: Use dce_version instead of chip_id")
+Signed-off-by: Andy Nguyen <theofficialflow1996@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 9c7be0efa6f0daa949a5f3e3fdf9ea090b0713cb)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
+index a0c1072c59a23..7de77358e1c08 100644
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
+@@ -255,6 +255,10 @@ struct clk_mgr *dc_clk_mgr_create(struct dc_context *ctx, struct pp_smu_funcs *p
+                       BREAK_TO_DEBUGGER();
+                       return NULL;
+               }
++              if (ctx->dce_version == DCN_VERSION_2_01) {
++                      dcn201_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
++                      return &clk_mgr->base;
++              }
+               if (ASICREV_IS_SIENNA_CICHLID_P(asic_id.hw_internal_rev)) {
+                       dcn3_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+                       return &clk_mgr->base;
+@@ -267,10 +271,6 @@ struct clk_mgr *dc_clk_mgr_create(struct dc_context *ctx, struct pp_smu_funcs *p
+                       dcn3_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+                       return &clk_mgr->base;
+               }
+-              if (ctx->dce_version == DCN_VERSION_2_01) {
+-                      dcn201_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+-                      return &clk_mgr->base;
+-              }
+               dcn20_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+               return &clk_mgr->base;
+       }
+-- 
+2.51.0
+
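Review bot: The moved `ctx->dce_version == DCN_VERSION_2_01` branch is correct only because it now sits above the ASICREV_IS_*_P tests, and that ordering constraint is not documented in the code. The commit message says ASICREV_IS_BEIGE_GOBY_P covers all revisions up to NV_UNKNOWN, so a comment such as `/* must precede the ASICREV checks: their revision ranges also match DCN 2.01 parts */` above the branch would keep it from being reordered again. The enclosing case block of dc_clk_mgr_create() starts and ends outside the hunk.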
diff --git a/queue-6.12/drm-i915-gt-check-set_default_submission-before-defe.patch b/queue-6.12/drm-i915-gt-check-set_default_submission-before-defe.patch
new file mode 100644 (file)
index 0000000..ca94118
--- /dev/null
@@ -0,0 +1,105 @@
+From c21ad2bad024bc44d1ebd5a6696f77489aeb0376 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Feb 2026 10:18:39 +0530
+Subject: drm/i915/gt: Check set_default_submission() before deferencing
+
+From: Rahul Bukte <rahul.bukte@sony.com>
+
+[ Upstream commit 0162ab3220bac870e43e229e6e3024d1a21c3f26 ]
+
+When the i915 driver firmware binaries are not present, the
+set_default_submission pointer is not set. This pointer is
+dereferenced during suspend anyways.
+
+Add a check to make sure it is set before dereferencing.
+
+[   23.289926] PM: suspend entry (deep)
+[   23.293558] Filesystems sync: 0.000 seconds
+[   23.298010] Freezing user space processes
+[   23.302771] Freezing user space processes completed (elapsed 0.000 seconds)
+[   23.309766] OOM killer disabled.
+[   23.313027] Freezing remaining freezable tasks
+[   23.318540] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)
+[   23.342038] serial 00:05: disabled
+[   23.345719] serial 00:02: disabled
+[   23.349342] serial 00:01: disabled
+[   23.353782] sd 0:0:0:0: [sda] Synchronizing SCSI cache
+[   23.358993] sd 1:0:0:0: [sdb] Synchronizing SCSI cache
+[   23.361635] ata1.00: Entering standby power mode
+[   23.368863] ata2.00: Entering standby power mode
+[   23.445187] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[   23.452194] #PF: supervisor instruction fetch in kernel mode
+[   23.457896] #PF: error_code(0x0010) - not-present page
+[   23.463065] PGD 0 P4D 0
+[   23.465640] Oops: Oops: 0010 [#1] SMP NOPTI
+[   23.469869] CPU: 8 UID: 0 PID: 211 Comm: kworker/u48:18 Tainted: G S      W           6.19.0-rc4-00020-gf0b9d8eb98df #10 PREEMPT(voluntary)
+[   23.482512] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN
+[   23.496511] Workqueue: async async_run_entry_fn
+[   23.501087] RIP: 0010:0x0
+[   23.503755] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
+[   23.510324] RSP: 0018:ffffb4a60065fca8 EFLAGS: 00010246
+[   23.515592] RAX: 0000000000000000 RBX: ffff9f428290e000 RCX: 000000000000000f
+[   23.522765] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff9f428290e000
+[   23.529937] RBP: ffff9f4282907070 R08: ffff9f4281130428 R09: 00000000ffffffff
+[   23.537111] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f42829070f8
+[   23.544284] R13: ffff9f4282906028 R14: ffff9f4282900000 R15: ffff9f4282906b68
+[   23.551457] FS:  0000000000000000(0000) GS:ffff9f466b2cf000(0000) knlGS:0000000000000000
+[   23.559588] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   23.565365] CR2: ffffffffffffffd6 CR3: 000000031c230001 CR4: 0000000000f70ef0
+[   23.572539] PKRU: 55555554
+[   23.575281] Call Trace:
+[   23.577770]  <TASK>
+[   23.579905]  intel_engines_reset_default_submission+0x42/0x60
+[   23.585695]  __intel_gt_unset_wedged+0x191/0x200
+[   23.590360]  intel_gt_unset_wedged+0x20/0x40
+[   23.594675]  gt_sanitize+0x15e/0x170
+[   23.598290]  i915_gem_suspend_late+0x6b/0x180
+[   23.602692]  i915_drm_suspend_late+0x35/0xf0
+[   23.607008]  ? __pfx_pci_pm_suspend_late+0x10/0x10
+[   23.611843]  dpm_run_callback+0x78/0x1c0
+[   23.615817]  device_suspend_late+0xde/0x2e0
+[   23.620037]  async_suspend_late+0x18/0x30
+[   23.624082]  async_run_entry_fn+0x25/0xa0
+[   23.628129]  process_one_work+0x15b/0x380
+[   23.632182]  worker_thread+0x2a5/0x3c0
+[   23.635973]  ? __pfx_worker_thread+0x10/0x10
+[   23.640279]  kthread+0xf6/0x1f0
+[   23.643464]  ? __pfx_kthread+0x10/0x10
+[   23.647263]  ? __pfx_kthread+0x10/0x10
+[   23.651045]  ret_from_fork+0x131/0x190
+[   23.654837]  ? __pfx_kthread+0x10/0x10
+[   23.658634]  ret_from_fork_asm+0x1a/0x30
+[   23.662597]  </TASK>
+[   23.664826] Modules linked in:
+[   23.667914] CR2: 0000000000000000
+[   23.671271] ------------[ cut here ]------------
+
+Signed-off-by: Rahul Bukte <rahul.bukte@sony.com>
+Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Link: https://patch.msgid.link/20260203044839.1555147-1-suraj.kandpal@intel.com
+(cherry picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad)
+Fixes: ff44ad51ebf8 ("drm/i915: Move engine->submit_request selection to a vfunc")
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_engine_cs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+index 4d30a86016f24..d84b6c2af8607 100644
+--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c
++++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+@@ -1970,7 +1970,8 @@ void intel_engines_reset_default_submission(struct intel_gt *gt)
+               if (engine->sanitize)
+                       engine->sanitize(engine);
+-              engine->set_default_submission(engine);
++              if (engine->set_default_submission)
++                      engine->set_default_submission(engine);
+       }
+ }
+-- 
+2.51.0
+
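Review bot: The new guard skips `set_default_submission` silently, so an engine whose backend was never set up leaves intel_engines_reset_default_submission() with whatever submit hooks it had before, and nothing in the code records why that is acceptable. A comment on the check, e.g. `/* NULL when submission setup never ran (firmware missing); nothing to restore */`, would carry the reasoning from the commit message into the source. Other call sites that dereference the same pointer are not visible here and are worth checking for the same assumption. The loop and the function begin outside the hunk.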
diff --git a/queue-6.12/fs-tests-exec-remove-bad-test-vector.patch b/queue-6.12/fs-tests-exec-remove-bad-test-vector.patch
new file mode 100644 (file)
index 0000000..557ca2a
--- /dev/null
@@ -0,0 +1,37 @@
+From 4d699c48e4f2ed2576a6c41a93afd8c20a897e0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 11:36:29 -0700
+Subject: fs/tests: exec: Remove bad test vector
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit c4192754e836e0ffed95833509b6ada975b74418 ]
+
+Drop an unusable test in the bprm stack limits.
+
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Closes: https://lore.kernel.org/all/a3e9b1c2-40c1-45df-9fa2-14ee6a7b3fe2@roeck-us.net
+Fixes: 60371f43e56b ("exec: Add KUnit test for bprm_stack_limits()")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/tests/exec_kunit.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/fs/tests/exec_kunit.c b/fs/tests/exec_kunit.c
+index f412d1a0f6bba..1c32cac098cf5 100644
+--- a/fs/tests/exec_kunit.c
++++ b/fs/tests/exec_kunit.c
+@@ -94,9 +94,6 @@ static const struct bprm_stack_limits_result bprm_stack_limits_results[] = {
+       { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * (_STK_LIM / 4 * 3 + sizeof(void *)),
+           .argc = 0, .envc = 0 },
+         .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) },
+-      { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * (_STK_LIM / 4 *  + sizeof(void *)),
+-          .argc = 0, .envc = 0 },
+-        .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) },
+       { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * _STK_LIM,
+           .argc = 0, .envc = 0 },
+         .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) },
+-- 
+2.51.0
+
diff --git a/queue-6.12/hwmon-max6639-fix-pulses-per-revolution-implementati.patch b/queue-6.12/hwmon-max6639-fix-pulses-per-revolution-implementati.patch
new file mode 100644 (file)
index 0000000..dbd63d5
--- /dev/null
@@ -0,0 +1,66 @@
+From 727b3648e4aba40ffc35f4c7f18a7fed0ef1dcd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 21:31:22 -0700
+Subject: hwmon: (max6639) Fix pulses-per-revolution implementation
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit e7bae9a7a5e1251ab414291f4e9304d702bb9221 ]
+
+The valid range for the pulses-per-revolution devicetree property is
+1..4. The current code checks for a range of 1..5. Fix it.
+
+Declare the variable used to retrieve pulses per revolution from
+devicetree as u32 (unsigned) to match the of_property_read_u32() API.
+
+The current code uses a postfix decrement when writing the pulses per
+resolution into the chip. This has no effect since the value is evaluated
+before it is decremented. Fix it by decrementing before evaluating the
+value.
+
+Fixes: 7506ebcd662b ("hwmon: (max6639) : Configure based on DT property")
+Cc: Naresh Solanki <naresh.solanki@9elements.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/max6639.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/hwmon/max6639.c b/drivers/hwmon/max6639.c
+index 0b0a9f4c2307f..154250099adf1 100644
+--- a/drivers/hwmon/max6639.c
++++ b/drivers/hwmon/max6639.c
+@@ -234,7 +234,7 @@ static int max6639_read_fan(struct device *dev, u32 attr, int channel,
+ static int max6639_set_ppr(struct max6639_data *data, int channel, u8 ppr)
+ {
+       /* Decrement the PPR value and shift left by 6 to match the register format */
+-      return regmap_write(data->regmap, MAX6639_REG_FAN_PPR(channel), ppr-- << 6);
++      return regmap_write(data->regmap, MAX6639_REG_FAN_PPR(channel), --ppr << 6);
+ }
+ static int max6639_write_fan(struct device *dev, u32 attr, int channel,
+@@ -536,8 +536,8 @@ static int max6639_probe_child_from_dt(struct i2c_client *client,
+ {
+       struct device *dev = &client->dev;
+-      u32 i;
+-      int err, val;
++      u32 i, val;
++      int err;
+       err = of_property_read_u32(child, "reg", &i);
+       if (err) {
+@@ -552,8 +552,8 @@ static int max6639_probe_child_from_dt(struct i2c_client *client,
+       err = of_property_read_u32(child, "pulses-per-revolution", &val);
+       if (!err) {
+-              if (val < 1 || val > 5) {
+-                      dev_err(dev, "invalid pulses-per-revolution %d of %pOFn\n", val, child);
++              if (val < 1 || val > 4) {
++                      dev_err(dev, "invalid pulses-per-revolution %u of %pOFn\n", val, child);
+                       return -EINVAL;
+               }
+               data->ppr[i] = val;
+-- 
+2.51.0
+
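Review bot: max6639_set_ppr() still accepts any `u8 ppr`, and with the pre-decrement a value of 0 now wraps to 255 before the shift, so a correct register write depends on every caller having validated the range first. The devicetree path checks 1..4 in the last hunk, but other callers are outside the hunks (max6639_write_fan() begins right after this helper). A guard inside the helper, `if (ppr < 1 || ppr > 4) return -EINVAL;`, would make it safe on its own. Writing the value as `(ppr - 1) << 6` would also avoid mutating the parameter inside the argument list.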
diff --git a/queue-6.12/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch b/queue-6.12/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch
new file mode 100644 (file)
index 0000000..cbdb581
--- /dev/null
@@ -0,0 +1,128 @@
+From 876a1e98f103fb6b19335d0059bef431e8cf5ac7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 17:15:51 +0900
+Subject: ksmbd: fix use-after-free in durable v2 replay of active file handles
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit b425e4d0eb321a1116ddbf39636333181675d8f4 ]
+
+parse_durable_handle_context() unconditionally assigns dh_info->fp->conn
+to the current connection when handling a DURABLE_REQ_V2 context with
+SMB2_FLAGS_REPLAY_OPERATION. ksmbd_lookup_fd_cguid() does not filter by
+fp->conn, so it returns file handles that are already actively connected.
+The unconditional overwrite replaces fp->conn, and when the overwriting
+connection is subsequently freed, __ksmbd_close_fd() dereferences the
+stale fp->conn via spin_lock(&fp->conn->llist_lock), causing a
+use-after-free.
+
+KASAN report:
+
+[    7.349357] ==================================================================
+[    7.349607] BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x75/0xe0
+[    7.349811] Write of size 4 at addr ffff8881056ac18c by task kworker/1:2/108
+[    7.350010]
+[    7.350064] CPU: 1 UID: 0 PID: 108 Comm: kworker/1:2 Not tainted 7.0.0-rc3+ #58 PREEMPTLAZY
+[    7.350068] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[    7.350070] Workqueue: ksmbd-io handle_ksmbd_work
+[    7.350083] Call Trace:
+[    7.350087]  <TASK>
+[    7.350087]  dump_stack_lvl+0x64/0x80
+[    7.350094]  print_report+0xce/0x660
+[    7.350100]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[    7.350101]  ? __pfx___mod_timer+0x10/0x10
+[    7.350106]  ? _raw_spin_lock+0x75/0xe0
+[    7.350108]  kasan_report+0xce/0x100
+[    7.350109]  ? _raw_spin_lock+0x75/0xe0
+[    7.350114]  kasan_check_range+0x105/0x1b0
+[    7.350116]  _raw_spin_lock+0x75/0xe0
+[    7.350118]  ? __pfx__raw_spin_lock+0x10/0x10
+[    7.350119]  ? __call_rcu_common.constprop.0+0x25e/0x780
+[    7.350125]  ? close_id_del_oplock+0x2cc/0x4e0
+[    7.350128]  __ksmbd_close_fd+0x27f/0xaf0
+[    7.350131]  ksmbd_close_fd+0x135/0x1b0
+[    7.350133]  smb2_close+0xb19/0x15b0
+[    7.350142]  ? __pfx_smb2_close+0x10/0x10
+[    7.350143]  ? xas_load+0x18/0x270
+[    7.350146]  ? _raw_spin_lock+0x84/0xe0
+[    7.350148]  ? __pfx__raw_spin_lock+0x10/0x10
+[    7.350150]  ? _raw_spin_unlock+0xe/0x30
+[    7.350151]  ? ksmbd_smb2_check_message+0xeb2/0x24c0
+[    7.350153]  ? ksmbd_tree_conn_lookup+0xcd/0xf0
+[    7.350154]  handle_ksmbd_work+0x40f/0x1080
+[    7.350156]  process_one_work+0x5fa/0xef0
+[    7.350162]  ? assign_work+0x122/0x3e0
+[    7.350163]  worker_thread+0x54b/0xf70
+[    7.350165]  ? __pfx_worker_thread+0x10/0x10
+[    7.350166]  kthread+0x346/0x470
+[    7.350170]  ? recalc_sigpending+0x19b/0x230
+[    7.350176]  ? __pfx_kthread+0x10/0x10
+[    7.350178]  ret_from_fork+0x4fb/0x6c0
+[    7.350183]  ? __pfx_ret_from_fork+0x10/0x10
+[    7.350185]  ? __switch_to+0x36c/0xbe0
+[    7.350188]  ? __pfx_kthread+0x10/0x10
+[    7.350190]  ret_from_fork_asm+0x1a/0x30
+[    7.350197]  </TASK>
+[    7.350197]
+[    7.355160] Allocated by task 123:
+[    7.355261]  kasan_save_stack+0x33/0x60
+[    7.355373]  kasan_save_track+0x14/0x30
+[    7.355484]  __kasan_kmalloc+0x8f/0xa0
+[    7.355593]  ksmbd_conn_alloc+0x44/0x6d0
+[    7.355711]  ksmbd_kthread_fn+0x243/0xd70
+[    7.355839]  kthread+0x346/0x470
+[    7.355942]  ret_from_fork+0x4fb/0x6c0
+[    7.356051]  ret_from_fork_asm+0x1a/0x30
+[    7.356164]
+[    7.356214] Freed by task 134:
+[    7.356305]  kasan_save_stack+0x33/0x60
+[    7.356416]  kasan_save_track+0x14/0x30
+[    7.356527]  kasan_save_free_info+0x3b/0x60
+[    7.356646]  __kasan_slab_free+0x43/0x70
+[    7.356761]  kfree+0x1ca/0x430
+[    7.356862]  ksmbd_tcp_disconnect+0x59/0xe0
+[    7.356993]  ksmbd_conn_handler_loop+0x77e/0xd40
+[    7.357138]  kthread+0x346/0x470
+[    7.357240]  ret_from_fork+0x4fb/0x6c0
+[    7.357350]  ret_from_fork_asm+0x1a/0x30
+[    7.357463]
+[    7.357513] The buggy address belongs to the object at ffff8881056ac000
+[    7.357513]  which belongs to the cache kmalloc-1k of size 1024
+[    7.357857] The buggy address is located 396 bytes inside of
+[    7.357857]  freed 1024-byte region [ffff8881056ac000, ffff8881056ac400)
+
+Fix by removing the unconditional fp->conn assignment and rejecting the
+replay when fp->conn is non-NULL. This is consistent with
+ksmbd_lookup_durable_fd(), which also rejects file handles with a
+non-NULL fp->conn. For disconnected file handles (fp->conn == NULL),
+ksmbd_reopen_durable_fd() handles setting fp->conn.
+
+Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/smb2pdu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index 9902f77d10483..63c092328752e 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -2835,7 +2835,11 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
+                                               goto out;
+                                       }
+-                                      dh_info->fp->conn = conn;
++                                      if (dh_info->fp->conn) {
++                                              ksmbd_put_durable_fd(dh_info->fp);
++                                              err = -EBADF;
++                                              goto out;
++                                      }
+                                       dh_info->reconnected = true;
+                                       goto out;
+                               }
+-- 
+2.51.0
+
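Review bot: The added `if (dh_info->fp->conn)` test reads `fp->conn` with no lock visible in the hunk, which makes it a check-then-act against whatever later binds the handle to a connection. If the same handle can be looked up by two requests concurrently, both could see NULL here and go on to ksmbd_reopen_durable_fd(). Whether that function or ksmbd_lookup_fd_cguid() serialises this is outside the hunk and should be confirmed. A comment such as `/* still bound to a live connection: refuse the replay */` above the branch would at least document the invariant the fix relies on. parse_durable_handle_context() starts and ends outside the hunk.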
diff --git a/queue-6.12/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch b/queue-6.12/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch
new file mode 100644 (file)
index 0000000..14e962b
--- /dev/null
@@ -0,0 +1,135 @@
+From dbaad32d2f0fd10e038a02d0f7bdaccea393cc20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 17:17:02 +0900
+Subject: ksmbd: fix use-after-free of share_conf in compound request
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit c33615f995aee80657b9fdfbc4ee7f49c2bd733d ]
+
+smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without
+validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state ==
+TREE_CONNECTED on the initial lookup path, but the compound reuse path
+bypasses this check entirely.
+
+If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state
+to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(),
+subsequent commands dereference the freed share_conf through
+work->tcon->share_conf.
+
+KASAN report:
+
+[    4.144653] ==================================================================
+[    4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70
+[    4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44
+[    4.145772]
+[    4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY
+[    4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[    4.145875] Workqueue: ksmbd-io handle_ksmbd_work
+[    4.145888] Call Trace:
+[    4.145892]  <TASK>
+[    4.145894]  dump_stack_lvl+0x64/0x80
+[    4.145910]  print_report+0xce/0x660
+[    4.145919]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[    4.145928]  ? smb2_write+0xc74/0xe70
+[    4.145931]  kasan_report+0xce/0x100
+[    4.145934]  ? smb2_write+0xc74/0xe70
+[    4.145937]  smb2_write+0xc74/0xe70
+[    4.145939]  ? __pfx_smb2_write+0x10/0x10
+[    4.145942]  ? _raw_spin_unlock+0xe/0x30
+[    4.145945]  ? ksmbd_smb2_check_message+0xeb2/0x24c0
+[    4.145948]  ? smb2_tree_disconnect+0x31c/0x480
+[    4.145951]  handle_ksmbd_work+0x40f/0x1080
+[    4.145953]  process_one_work+0x5fa/0xef0
+[    4.145962]  ? assign_work+0x122/0x3e0
+[    4.145964]  worker_thread+0x54b/0xf70
+[    4.145967]  ? __pfx_worker_thread+0x10/0x10
+[    4.145970]  kthread+0x346/0x470
+[    4.145976]  ? recalc_sigpending+0x19b/0x230
+[    4.145980]  ? __pfx_kthread+0x10/0x10
+[    4.145984]  ret_from_fork+0x4fb/0x6c0
+[    4.145992]  ? __pfx_ret_from_fork+0x10/0x10
+[    4.145995]  ? __switch_to+0x36c/0xbe0
+[    4.145999]  ? __pfx_kthread+0x10/0x10
+[    4.146003]  ret_from_fork_asm+0x1a/0x30
+[    4.146013]  </TASK>
+[    4.146014]
+[    4.149858] Allocated by task 44:
+[    4.149953]  kasan_save_stack+0x33/0x60
+[    4.150061]  kasan_save_track+0x14/0x30
+[    4.150169]  __kasan_kmalloc+0x8f/0xa0
+[    4.150274]  ksmbd_share_config_get+0x1dd/0xdd0
+[    4.150401]  ksmbd_tree_conn_connect+0x7e/0x600
+[    4.150529]  smb2_tree_connect+0x2e6/0x1000
+[    4.150645]  handle_ksmbd_work+0x40f/0x1080
+[    4.150761]  process_one_work+0x5fa/0xef0
+[    4.150873]  worker_thread+0x54b/0xf70
+[    4.150978]  kthread+0x346/0x470
+[    4.151071]  ret_from_fork+0x4fb/0x6c0
+[    4.151176]  ret_from_fork_asm+0x1a/0x30
+[    4.151286]
+[    4.151332] Freed by task 44:
+[    4.151418]  kasan_save_stack+0x33/0x60
+[    4.151526]  kasan_save_track+0x14/0x30
+[    4.151634]  kasan_save_free_info+0x3b/0x60
+[    4.151751]  __kasan_slab_free+0x43/0x70
+[    4.151861]  kfree+0x1ca/0x430
+[    4.151952]  __ksmbd_tree_conn_disconnect+0xc8/0x190
+[    4.152088]  smb2_tree_disconnect+0x1cd/0x480
+[    4.152211]  handle_ksmbd_work+0x40f/0x1080
+[    4.152326]  process_one_work+0x5fa/0xef0
+[    4.152438]  worker_thread+0x54b/0xf70
+[    4.152545]  kthread+0x346/0x470
+[    4.152638]  ret_from_fork+0x4fb/0x6c0
+[    4.152743]  ret_from_fork_asm+0x1a/0x30
+[    4.152853]
+[    4.152900] The buggy address belongs to the object at ffff88810430c180
+[    4.152900]  which belongs to the cache kmalloc-96 of size 96
+[    4.153226] The buggy address is located 20 bytes inside of
+[    4.153226]  freed 96-byte region [ffff88810430c180, ffff88810430c1e0)
+[    4.153549]
+[    4.153596] The buggy address belongs to the physical page:
+[    4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c
+[    4.154000] flags: 0x100000000000200(workingset|node=0|zone=2)
+[    4.154160] page_type: f5(slab)
+[    4.154251] raw: 0100000000000200 ffff888100041280 ffff888100040110 ffff888100040110
+[    4.154461] raw: ffff88810430ce80 0000000800200009 00000000f5000000 0000000000000000
+[    4.154668] page dumped because: kasan: bad access detected
+[    4.154820]
+[    4.154866] Memory state around the buggy address:
+[    4.155002]  ffff88810430c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155196]  ffff88810430c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155391] >ffff88810430c180: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+[    4.155587]                          ^
+[    4.155693]  ffff88810430c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155891]  ffff88810430c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.156087] ==================================================================
+
+Add the same t_state validation to the compound reuse path, consistent
+with ksmbd_tree_conn_lookup().
+
+Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/smb2pdu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index 8574a518014f4..9902f77d10483 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -124,6 +124,8 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
+                       pr_err("The first operation in the compound does not have tcon\n");
+                       return -EINVAL;
+               }
++              if (work->tcon->t_state != TREE_CONNECTED)
++                      return -ENOENT;
+               if (tree_id != UINT_MAX && work->tcon->id != tree_id) {
+                       pr_err("tree id(%u) is different with id(%u) in first operation\n",
+                                       tree_id, work->tcon->id);
+-- 
+2.51.0
+
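Review bot: The new `work->tcon->t_state != TREE_CONNECTED` branch returns -ENOENT with no explanation, while the checks on either side of it are explained by their pr_err() text. A comment such as `/* an earlier command in this compound may have disconnected the tree */` would say why the reuse path re-validates state that the initial lookup already checked. The test covers the state only at this point, and whether `share_conf` stays pinned for the rest of the command is decided outside the hunk, so that is worth confirming. smb2_get_ksmbd_tcon() continues past the visible lines.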
diff --git a/queue-6.12/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch b/queue-6.12/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch
new file mode 100644 (file)
index 0000000..5d831d8
--- /dev/null
@@ -0,0 +1,49 @@
+From 9e2b5f1ae4912caabd880a8458612815e683e600 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 08:43:05 +0900
+Subject: lib/bootconfig: check xbc_init_node() return in override path
+
+From: Josh Law <objecting@objecting.org>
+
+[ Upstream commit bb288d7d869e86d382f35a0e26242c5ccb05ca82 ]
+
+The ':=' override path in xbc_parse_kv() calls xbc_init_node() to
+re-initialize an existing value node but does not check the return
+value. If xbc_init_node() fails (data offset out of range), parsing
+silently continues with stale node data.
+
+Add the missing error check to match the xbc_add_node() call path
+which already checks for failure.
+
+In practice, a bootconfig using ':=' to override a value near the
+32KB data limit could silently retain the old value, meaning a
+security-relevant boot parameter override (e.g., a trace filter or
+debug setting) would not take effect as intended.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-2-objecting@objecting.org/
+
+Fixes: e5efaeb8a8f5 ("bootconfig: Support mixing a value and subkeys under a key")
+Signed-off-by: Josh Law <objecting@objecting.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/bootconfig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/bootconfig.c b/lib/bootconfig.c
+index 0728c4a95249b..5d3802eba52a3 100644
+--- a/lib/bootconfig.c
++++ b/lib/bootconfig.c
+@@ -712,7 +712,8 @@ static int __init xbc_parse_kv(char **k, char *v, int op)
+               if (op == ':') {
+                       unsigned short nidx = child->next;
+-                      xbc_init_node(child, v, XBC_VALUE);
++                      if (xbc_init_node(child, v, XBC_VALUE) < 0)
++                              return xbc_parse_error("Failed to override value", v);
+                       child->next = nidx;     /* keep subkeys */
+                       goto array;
+               }
+-- 
+2.51.0
+
diff --git a/queue-6.12/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch b/queue-6.12/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
new file mode 100644 (file)
index 0000000..fd90dbc
--- /dev/null
@@ -0,0 +1,49 @@
+From ed2730e68ab91f5e34cd21f7f49f403934f38a0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 15:21:57 -0500
+Subject: mtd: rawnand: brcmnand: skip DMA during panic write
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+[ Upstream commit da9ba4dcc01e7cf52b7676f0ee9607b8358c2171 ]
+
+When oops_panic_write is set, the driver disables interrupts and
+switches to PIO polling mode but still falls through into the DMA
+path. DMA cannot be used reliably in panic context, so make the
+DMA path an else branch to ensure only PIO is used during panic
+writes.
+
+Fixes: c1ac2dc34b51 ("mtd: rawnand: brcmnand: When oops in progress use pio and interrupt polling")
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: William Zhang <william.zhang@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/brcmnand/brcmnand.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+index 2eb44c1428fbc..bbba3cf477e98 100644
+--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+@@ -2303,14 +2303,12 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip,
+       for (i = 0; i < ctrl->max_oob; i += 4)
+               oob_reg_write(ctrl, i, 0xffffffff);
+-      if (mtd->oops_panic_write)
++      if (mtd->oops_panic_write) {
+               /* switch to interrupt polling and PIO mode */
+               disable_ctrl_irqs(ctrl);
+-
+-      if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
++      } else if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
+               if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize,
+                                   CMD_PROGRAM_PAGE))
+-
+                       ret = -EIO;
+               goto out;
+-- 
+2.51.0
+
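Review bot: In brcmnand_write(), the only thing keeping panic writes off the DMA path is the `else if`, and the existing comment still reads as if it described just the IRQ switch. I would extend it to `/* panic write: poll instead of using IRQs, PIO only; DMA is not reliable in this context */`, so a later refactor does not split the chain and bring the fall-through back. The function starts and ends outside the hunk, so the PIO path the panic case is meant to reach is not visible here.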
diff --git a/queue-6.12/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch b/queue-6.12/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
new file mode 100644 (file)
index 0000000..8ce52c8
--- /dev/null
@@ -0,0 +1,70 @@
+From a02285aad16b2e7dd3b9f6f18e7025ed75f129d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 14:49:06 -0500
+Subject: mtd: rawnand: serialize lock/unlock against other NAND operations
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+[ Upstream commit bab2bc6e850a697a23b9e5f0e21bb8c187615e95 ]
+
+nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area
+without holding the NAND device lock. On controllers that implement
+SET_FEATURES via multiple low-level PIO commands, these can race with
+concurrent UBI/UBIFS background erase/write operations that hold the
+device lock, resulting in cmd_pending conflicts on the NAND controller.
+
+Add nand_get_device()/nand_release_device() around the lock/unlock
+operations to serialize them against all other NAND controller access.
+
+Fixes: 92270086b7e5 ("mtd: rawnand: Add support for manufacturer specific lock/unlock operation")
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: William Zhang <william.zhang@broadcom.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/nand_base.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c
+index 3e1844bfb8089..d654e5f52ee09 100644
+--- a/drivers/mtd/nand/raw/nand_base.c
++++ b/drivers/mtd/nand/raw/nand_base.c
+@@ -4868,11 +4868,16 @@ static void nand_shutdown(struct mtd_info *mtd)
+ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ {
+       struct nand_chip *chip = mtd_to_nand(mtd);
++      int ret;
+       if (!chip->ops.lock_area)
+               return -ENOTSUPP;
+-      return chip->ops.lock_area(chip, ofs, len);
++      nand_get_device(chip);
++      ret = chip->ops.lock_area(chip, ofs, len);
++      nand_release_device(chip);
++
++      return ret;
+ }
+ /**
+@@ -4884,11 +4889,16 @@ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ static int nand_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ {
+       struct nand_chip *chip = mtd_to_nand(mtd);
++      int ret;
+       if (!chip->ops.unlock_area)
+               return -ENOTSUPP;
+-      return chip->ops.unlock_area(chip, ofs, len);
++      nand_get_device(chip);
++      ret = chip->ops.unlock_area(chip, ofs, len);
++      nand_release_device(chip);
++
++      return ret;
+ }
+ /* Set default functions */
+-- 
+2.51.0
+
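Review bot: nand_lock() and nand_unlock() now call `chip->ops.lock_area` / `chip->ops.unlock_area` with the NAND device held, but nothing in the code or the kernel-doc records that contract. A manufacturer hook that acquired the device itself would presumably deadlock after this change; the hook implementations are not in this hunk, so that needs checking against them. I would add a line to each function's kernel-doc, e.g. `* The NAND device is held for the duration of the chip->ops.lock_area() call.`, and the matching one for unlock. The result of nand_get_device() is not used, which is fine only if it returns void in this tree; the hunk does not show its prototype.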
index ca345ae0fc5dc804abf8112a8acf07a145bb28e9..ecb5f48789033d60de8d534ecacf321bf8997222 100644 (file)
@@ -446,3 +446,14 @@ mm-shmem-fix-potential-data-corruption-during-shmem-swapin.patch
 mm-shmem-avoid-unpaired-folio_unlock-in-shmem_swapin_folio.patch
 mm-shmem-swap-improve-cached-mthp-handling-and-fix-potential-hang.patch
 mm-shmem-swap-avoid-redundant-xarray-lookup-during-swapin.patch
+mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
+mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
+drm-amd-display-fix-displayid-not-found-handling-in-.patch
+drm-amd-fix-dcn-2.01-check.patch
+ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch
+ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch
+drm-i915-gt-check-set_default_submission-before-defe.patch
+fs-tests-exec-remove-bad-test-vector.patch
+lib-bootconfig-check-xbc_init_node-return-in-overrid.patch
+tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch
+hwmon-max6639-fix-pulses-per-revolution-implementati.patch
diff --git a/queue-6.12/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch b/queue-6.12/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch
new file mode 100644 (file)
index 0000000..532b7e5
--- /dev/null
@@ -0,0 +1,44 @@
+From d6d96ea1e824a5872b72994a77faec558ebb97fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 08:43:06 +0900
+Subject: tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
+
+From: Josh Law <objecting@objecting.org>
+
+[ Upstream commit 3b2c2ab4ceb82af484310c3087541eab00ea288b ]
+
+If fstat() fails after open() succeeds, the function returns without
+closing the file descriptor. Also preserve errno across close(), since
+close() may overwrite it before the error is returned.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-3-objecting@objecting.org/
+
+Fixes: 950313ebf79c ("tools: bootconfig: Add bootconfig command")
+Signed-off-by: Josh Law <objecting@objecting.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bootconfig/main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c
+index 8a48cc2536f56..32cf48f2da9a1 100644
+--- a/tools/bootconfig/main.c
++++ b/tools/bootconfig/main.c
+@@ -157,8 +157,11 @@ static int load_xbc_file(const char *path, char **buf)
+       if (fd < 0)
+               return -errno;
+       ret = fstat(fd, &stat);
+-      if (ret < 0)
+-              return -errno;
++      if (ret < 0) {
++              ret = -errno;
++              close(fd);
++              return ret;
++      }
+       ret = load_xbc_fd(fd, buf, stat.st_size);
+-- 
+2.51.0
+
diff --git a/queue-6.18/arm64-realm-fix-pte_ns_shared-for-52bit-pa-support.patch b/queue-6.18/arm64-realm-fix-pte_ns_shared-for-52bit-pa-support.patch
new file mode 100644 (file)
index 0000000..6cc2f7c
--- /dev/null
@@ -0,0 +1,64 @@
+From e9a29904002374f7c061fb04a0a497ef8d1b2c67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 16:19:01 +0000
+Subject: arm64: realm: Fix PTE_NS_SHARED for 52bit PA support
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+[ Upstream commit 8c6e9b60f5c7985a9fe41320556a92d7a33451df ]
+
+With LPA/LPA2, the top bits of the PFN (Bits[51:48]) end up in the lower bits
+of the PTE. So, simply creating a mask of the "top IPA bit" doesn't work well
+for these configurations to set the "top" bit at the output of Stage1
+translation.
+
+Fix this by using the __phys_to_pte_val() to do the right thing for all
+configurations.
+
+Tested using, kvmtool, placing the memory at a higher address (-m <size>@<Addr>).
+
+ e.g:
+ # lkvm run --realm -c 4 -m 512M@@128T -k Image --console serial
+
+ sh-5.0# dmesg | grep "LPA2\|RSI"
+[    0.000000] RME: Using RSI version 1.0
+[    0.000000] CPU features: detected: 52-bit Virtual Addressing (LPA2)
+[    0.777354] CPU features: detected: 52-bit Virtual Addressing for KVM (LPA2)
+
+Fixes: 399306954996 ("arm64: realm: Query IPA size from the RMM")
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Steven Price <steven.price@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/rsi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/rsi.c b/arch/arm64/kernel/rsi.c
+index c64a06f58c0bc..9e846ce4ef9ca 100644
+--- a/arch/arm64/kernel/rsi.c
++++ b/arch/arm64/kernel/rsi.c
+@@ -12,6 +12,7 @@
+ #include <asm/io.h>
+ #include <asm/mem_encrypt.h>
++#include <asm/pgtable.h>
+ #include <asm/rsi.h>
+ static struct realm_config config;
+@@ -146,7 +147,7 @@ void __init arm64_rsi_init(void)
+               return;
+       if (WARN_ON(rsi_get_realm_config(&config)))
+               return;
+-      prot_ns_shared = BIT(config.ipa_bits - 1);
++      prot_ns_shared = __phys_to_pte_val(BIT(config.ipa_bits - 1));
+       if (arm64_ioremap_prot_hook_register(realm_ioremap_hook))
+               return;
+-- 
+2.51.0
+
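Review bot: In arm64_rsi_init(), `config.ipa_bits` is used as a shift count in `BIT(config.ipa_bits - 1)` with no range check visible in the hunk. The value is filled in by rsi_get_realm_config(), and a value of 0 or one above the supported address width would make the shift undefined and produce a wrong `prot_ns_shared` mask, which presumably decides which mappings the realm marks as shared. A guard before the assignment, e.g. `if (WARN_ON(!config.ipa_bits || config.ipa_bits > PHYS_MASK_SHIFT)) return;`, would fail closed; the upper bound is my assumption and should be whatever limit this tree defines. The function continues outside the hunk, so an equivalent check may already exist elsewhere.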
diff --git a/queue-6.18/binfmt_elf_fdpic-fix-auxv-size-calculation-for-elf_h.patch b/queue-6.18/binfmt_elf_fdpic-fix-auxv-size-calculation-for-elf_h.patch
new file mode 100644 (file)
index 0000000..872cf97
--- /dev/null
@@ -0,0 +1,74 @@
+From 2ad2e3bfef0fff666e8bf9f177fa299df3ee9397 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Feb 2026 18:01:05 +0000
+Subject: binfmt_elf_fdpic: fix AUXV size calculation for ELF_HWCAP3 and
+ ELF_HWCAP4
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrei Vagin <avagin@google.com>
+
+[ Upstream commit 4ced4cf5c9d172d91f181df3accdf949d3761aab ]
+
+Commit 4e6e8c2b757f ("binfmt_elf: Wire up AT_HWCAP3 at AT_HWCAP4") added
+support for AT_HWCAP3 and AT_HWCAP4, but it missed updating the AUX
+vector size calculation in create_elf_fdpic_tables() and
+AT_VECTOR_SIZE_BASE in include/linux/auxvec.h.
+
+Similar to the fix for AT_HWCAP2 in commit c6a09e342f8e ("binfmt_elf_fdpic:
+fix AUXV size calculation when ELF_HWCAP2 is defined"), this omission
+leads to a mismatch between the reserved space and the actual number of
+AUX entries, eventually triggering a kernel BUG_ON(csp != sp).
+
+Fix this by incrementing nitems when ELF_HWCAP3 or ELF_HWCAP4 are
+defined and updating AT_VECTOR_SIZE_BASE.
+
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Max Filippov <jcmvbkbc@gmail.com>
+Reviewed-by: Michal Koutný <mkoutny@suse.com>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Reviewed-by: Cyrill Gorcunov <gorcunov@gmail.com>
+Reviewed-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>
+Fixes: 4e6e8c2b757f ("binfmt_elf: Wire up AT_HWCAP3 at AT_HWCAP4")
+Signed-off-by: Andrei Vagin <avagin@google.com>
+Link: https://patch.msgid.link/20260217180108.1420024-2-avagin@google.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_elf_fdpic.c  | 6 ++++++
+ include/linux/auxvec.h | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
+index 48fd2de3bca05..a3d4e6973b299 100644
+--- a/fs/binfmt_elf_fdpic.c
++++ b/fs/binfmt_elf_fdpic.c
+@@ -595,6 +595,12 @@ static int create_elf_fdpic_tables(struct linux_binprm *bprm,
+ #ifdef ELF_HWCAP2
+       nitems++;
+ #endif
++#ifdef ELF_HWCAP3
++      nitems++;
++#endif
++#ifdef ELF_HWCAP4
++      nitems++;
++#endif
+       csp = sp;
+       sp -= nitems * 2 * sizeof(unsigned long);
+diff --git a/include/linux/auxvec.h b/include/linux/auxvec.h
+index 407f7005e6d60..8bcb9b7262628 100644
+--- a/include/linux/auxvec.h
++++ b/include/linux/auxvec.h
+@@ -4,6 +4,6 @@
+ #include <uapi/linux/auxvec.h>
+-#define AT_VECTOR_SIZE_BASE 22 /* NEW_AUX_ENT entries in auxiliary table */
++#define AT_VECTOR_SIZE_BASE 24 /* NEW_AUX_ENT entries in auxiliary table */
+   /* number of "#define AT_.*" above, minus {AT_NULL, AT_IGNORE, AT_NOTELF} */
+ #endif /* _LINUX_AUXVEC_H */
+-- 
+2.51.0
+
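Review bot: The `nitems` count in create_elf_fdpic_tables() and AT_VECTOR_SIZE_BASE in include/linux/auxvec.h are both maintained by hand, and per the commit message this is the second time (after the AT_HWCAP2 fix) that they drifted from the entries actually written. A comment above the `#ifdef ELF_HWCAP2` run, `/* one nitems++ per conditional NEW_AUX_ENT() below; a mismatch trips BUG_ON(csp != sp) */`, would point whoever adds the next AT_ entry at both places. The NEW_AUX_ENT() calls are outside the hunk, so I could not confirm that the HWCAP3/HWCAP4 entries are emitted under the same `#ifdef` conditions as counted here.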
diff --git a/queue-6.18/drm-amd-display-fix-displayid-not-found-handling-in-.patch b/queue-6.18/drm-amd-display-fix-displayid-not-found-handling-in-.patch
new file mode 100644 (file)
index 0000000..a51030e
--- /dev/null
@@ -0,0 +1,72 @@
+From ada2cbb3b7b5f1d9d1cfe71d20941e8a540433bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 18:30:26 +0530
+Subject: drm/amd/display: Fix DisplayID not-found handling in
+ parse_edid_displayid_vrr()
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+[ Upstream commit 2323b019651ad81c20a0f7f817c63392b3110652 ]
+
+parse_edid_displayid_vrr() searches the EDID extension blocks for a
+DisplayID extension before parsing the dynamic video timing range.
+
+The code previously checked whether edid_ext was NULL after the search
+loop. However, edid_ext is assigned during each iteration of the loop,
+so it will never be NULL once the loop has executed. If no DisplayID
+extension is found, edid_ext ends up pointing to the last extension
+block, and the NULL check does not correctly detect the failure case.
+
+Instead, check whether the loop completed without finding a matching
+DisplayID block by testing "i == edid->extensions". This ensures the
+function exits early when no DisplayID extension is present and avoids
+parsing an unrelated EDID extension block.
+
+Also simplify the EDID validation check using "!edid ||
+!edid->extensions".
+
+Fixes the below:
+drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:13079 parse_edid_displayid_vrr() warn: variable dereferenced before check 'edid_ext' (see line 13075)
+
+Fixes: a638b837d0e6 ("drm/amd/display: Fix refresh rate range for some panel")
+Cc: Roman Li <roman.li@amd.com>
+Cc: Alex Hung <alex.hung@amd.com>
+Cc: Jerry Zuo <jerry.zuo@amd.com>
+Cc: Sun peng Li <sunpeng.li@amd.com>
+Cc: Tom Chung <chiahsuan.chung@amd.com>
+Cc: Dan Carpenter <dan.carpenter@linaro.org>
+Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 91c7e6342e98c846b259c57273436fdea4c043f2)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 7db2d1a3784bd..77840b6cb2065 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -12864,7 +12864,7 @@ static void parse_edid_displayid_vrr(struct drm_connector *connector,
+       u16 min_vfreq;
+       u16 max_vfreq;
+-      if (edid == NULL || edid->extensions == 0)
++      if (!edid || !edid->extensions)
+               return;
+       /* Find DisplayID extension */
+@@ -12874,7 +12874,7 @@ static void parse_edid_displayid_vrr(struct drm_connector *connector,
+                       break;
+       }
+-      if (edid_ext == NULL)
++      if (i == edid->extensions)
+               return;
+       while (j < EDID_LENGTH) {
+-- 
+2.51.0
+
diff --git a/queue-6.18/drm-amd-fix-dcn-2.01-check.patch b/queue-6.18/drm-amd-fix-dcn-2.01-check.patch
new file mode 100644 (file)
index 0000000..725206c
--- /dev/null
@@ -0,0 +1,49 @@
+From 96e9f991180a3a8def2551045941544e1530a806 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 17:51:47 +0100
+Subject: drm/amd: fix dcn 2.01 check
+
+From: Andy Nguyen <theofficialflow1996@gmail.com>
+
+[ Upstream commit 39f44f54afa58661ecae9c27e15f5dbce2372892 ]
+
+The ASICREV_IS_BEIGE_GOBY_P check always took precedence, because it includes all chip revisions upto NV_UNKNOWN.
+
+Fixes: 54b822b3eac3 ("drm/amd/display: Use dce_version instead of chip_id")
+Signed-off-by: Andy Nguyen <theofficialflow1996@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 9c7be0efa6f0daa949a5f3e3fdf9ea090b0713cb)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
+index 15cf13ec53026..c450feae5fa5b 100644
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
+@@ -255,6 +255,10 @@ struct clk_mgr *dc_clk_mgr_create(struct dc_context *ctx, struct pp_smu_funcs *p
+                       BREAK_TO_DEBUGGER();
+                       return NULL;
+               }
++              if (ctx->dce_version == DCN_VERSION_2_01) {
++                      dcn201_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
++                      return &clk_mgr->base;
++              }
+               if (ASICREV_IS_SIENNA_CICHLID_P(asic_id.hw_internal_rev)) {
+                       dcn3_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+                       return &clk_mgr->base;
+@@ -267,10 +271,6 @@ struct clk_mgr *dc_clk_mgr_create(struct dc_context *ctx, struct pp_smu_funcs *p
+                       dcn3_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+                       return &clk_mgr->base;
+               }
+-              if (ctx->dce_version == DCN_VERSION_2_01) {
+-                      dcn201_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+-                      return &clk_mgr->base;
+-              }
+               dcn20_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+               return &clk_mgr->base;
+       }
+-- 
+2.51.0
+
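Review bot: In dc_clk_mgr_create() the fix depends entirely on the `ctx->dce_version == DCN_VERSION_2_01` test sitting before the ASICREV_IS_*_P checks, and nothing in the code records that ordering requirement. Per the commit message ASICREV_IS_BEIGE_GOBY_P matches every revision up to NV_UNKNOWN, so a later reorder would silently bring the wrong clock manager back. I would add `/* must precede the ASICREV_IS_*_P checks, which also match DCN 2.01 parts */` above the moved block. The enclosing block starts and ends outside the hunk.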
diff --git a/queue-6.18/drm-bridge-dw-hdmi-qp-fix-multi-channel-audio-output.patch b/queue-6.18/drm-bridge-dw-hdmi-qp-fix-multi-channel-audio-output.patch
new file mode 100644 (file)
index 0000000..ca96daa
--- /dev/null
@@ -0,0 +1,44 @@
+From 6d07d494302b5d80707da7e84f9faf64017610e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Feb 2026 11:28:22 +0000
+Subject: drm/bridge: dw-hdmi-qp: fix multi-channel audio output
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+[ Upstream commit cffcb42c57686e9a801dfcf37a3d0c62e51c1c3e ]
+
+Channel Allocation (PB4) and Level Shift Information (PB5) are
+configured with values from PB1 and PB2 due to the wrong offset
+being used. This results in missing audio channels or incorrect
+speaker placement when playing multi-channel audio.
+
+Use the correct offset to fix multi-channel audio output.
+
+Fixes: fd0141d1a8a2 ("drm/bridge: synopsys: Add audio support for dw-hdmi-qp")
+Reported-by: Christian Hewitt <christianshewitt@gmail.com>
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Signed-off-by: Christian Hewitt <christianshewitt@gmail.com>
+Reviewed-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+Link: https://patch.msgid.link/20260228112822.4056354-1-christianshewitt@gmail.com
+Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
+index c85eb340e5a35..d302455875167 100644
+--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
+@@ -818,7 +818,7 @@ static int dw_hdmi_qp_config_audio_infoframe(struct dw_hdmi_qp *hdmi,
+       regmap_bulk_write(hdmi->regm, PKT_AUDI_CONTENTS0, &header_bytes, 1);
+       regmap_bulk_write(hdmi->regm, PKT_AUDI_CONTENTS1, &buffer[3], 1);
+-      regmap_bulk_write(hdmi->regm, PKT_AUDI_CONTENTS2, &buffer[4], 1);
++      regmap_bulk_write(hdmi->regm, PKT_AUDI_CONTENTS2, &buffer[7], 1);
+       /* Enable ACR, AUDI, AMD */
+       dw_hdmi_qp_mod(hdmi,
+-- 
+2.51.0
+
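Review bot: The bare indices `&buffer[3]` and `&buffer[7]` in dw_hdmi_qp_config_audio_infoframe() are what went wrong here, and the corrected line is no easier to check than the old one. Going by the commit message, a comment on the PKT_AUDI_CONTENTS2 write such as `/* PB4 (channel allocation) and PB5 (level shift) */`, with a matching one on the CONTENTS1 line, would make the layout verifiable at a glance. How many bytes each one-register regmap_bulk_write() reads and how large `buffer` is are not visible in the hunk, so the read starting at index 7 should be checked against the buffer's declaration.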
diff --git a/queue-6.18/drm-i915-gt-check-set_default_submission-before-defe.patch b/queue-6.18/drm-i915-gt-check-set_default_submission-before-defe.patch
new file mode 100644 (file)
index 0000000..956254a
--- /dev/null
@@ -0,0 +1,105 @@
+From 004d56004ce89fa734477ed11e20caa1000a216a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Feb 2026 10:18:39 +0530
+Subject: drm/i915/gt: Check set_default_submission() before deferencing
+
+From: Rahul Bukte <rahul.bukte@sony.com>
+
+[ Upstream commit 0162ab3220bac870e43e229e6e3024d1a21c3f26 ]
+
+When the i915 driver firmware binaries are not present, the
+set_default_submission pointer is not set. This pointer is
+dereferenced during suspend anyways.
+
+Add a check to make sure it is set before dereferencing.
+
+[   23.289926] PM: suspend entry (deep)
+[   23.293558] Filesystems sync: 0.000 seconds
+[   23.298010] Freezing user space processes
+[   23.302771] Freezing user space processes completed (elapsed 0.000 seconds)
+[   23.309766] OOM killer disabled.
+[   23.313027] Freezing remaining freezable tasks
+[   23.318540] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)
+[   23.342038] serial 00:05: disabled
+[   23.345719] serial 00:02: disabled
+[   23.349342] serial 00:01: disabled
+[   23.353782] sd 0:0:0:0: [sda] Synchronizing SCSI cache
+[   23.358993] sd 1:0:0:0: [sdb] Synchronizing SCSI cache
+[   23.361635] ata1.00: Entering standby power mode
+[   23.368863] ata2.00: Entering standby power mode
+[   23.445187] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[   23.452194] #PF: supervisor instruction fetch in kernel mode
+[   23.457896] #PF: error_code(0x0010) - not-present page
+[   23.463065] PGD 0 P4D 0
+[   23.465640] Oops: Oops: 0010 [#1] SMP NOPTI
+[   23.469869] CPU: 8 UID: 0 PID: 211 Comm: kworker/u48:18 Tainted: G S      W           6.19.0-rc4-00020-gf0b9d8eb98df #10 PREEMPT(voluntary)
+[   23.482512] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN
+[   23.496511] Workqueue: async async_run_entry_fn
+[   23.501087] RIP: 0010:0x0
+[   23.503755] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
+[   23.510324] RSP: 0018:ffffb4a60065fca8 EFLAGS: 00010246
+[   23.515592] RAX: 0000000000000000 RBX: ffff9f428290e000 RCX: 000000000000000f
+[   23.522765] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff9f428290e000
+[   23.529937] RBP: ffff9f4282907070 R08: ffff9f4281130428 R09: 00000000ffffffff
+[   23.537111] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f42829070f8
+[   23.544284] R13: ffff9f4282906028 R14: ffff9f4282900000 R15: ffff9f4282906b68
+[   23.551457] FS:  0000000000000000(0000) GS:ffff9f466b2cf000(0000) knlGS:0000000000000000
+[   23.559588] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   23.565365] CR2: ffffffffffffffd6 CR3: 000000031c230001 CR4: 0000000000f70ef0
+[   23.572539] PKRU: 55555554
+[   23.575281] Call Trace:
+[   23.577770]  <TASK>
+[   23.579905]  intel_engines_reset_default_submission+0x42/0x60
+[   23.585695]  __intel_gt_unset_wedged+0x191/0x200
+[   23.590360]  intel_gt_unset_wedged+0x20/0x40
+[   23.594675]  gt_sanitize+0x15e/0x170
+[   23.598290]  i915_gem_suspend_late+0x6b/0x180
+[   23.602692]  i915_drm_suspend_late+0x35/0xf0
+[   23.607008]  ? __pfx_pci_pm_suspend_late+0x10/0x10
+[   23.611843]  dpm_run_callback+0x78/0x1c0
+[   23.615817]  device_suspend_late+0xde/0x2e0
+[   23.620037]  async_suspend_late+0x18/0x30
+[   23.624082]  async_run_entry_fn+0x25/0xa0
+[   23.628129]  process_one_work+0x15b/0x380
+[   23.632182]  worker_thread+0x2a5/0x3c0
+[   23.635973]  ? __pfx_worker_thread+0x10/0x10
+[   23.640279]  kthread+0xf6/0x1f0
+[   23.643464]  ? __pfx_kthread+0x10/0x10
+[   23.647263]  ? __pfx_kthread+0x10/0x10
+[   23.651045]  ret_from_fork+0x131/0x190
+[   23.654837]  ? __pfx_kthread+0x10/0x10
+[   23.658634]  ret_from_fork_asm+0x1a/0x30
+[   23.662597]  </TASK>
+[   23.664826] Modules linked in:
+[   23.667914] CR2: 0000000000000000
+[   23.671271] ------------[ cut here ]------------
+
+Signed-off-by: Rahul Bukte <rahul.bukte@sony.com>
+Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Link: https://patch.msgid.link/20260203044839.1555147-1-suraj.kandpal@intel.com
+(cherry picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad)
+Fixes: ff44ad51ebf8 ("drm/i915: Move engine->submit_request selection to a vfunc")
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_engine_cs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+index b721bbd233567..ce8cdd517daa1 100644
+--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c
++++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+@@ -1969,7 +1969,8 @@ void intel_engines_reset_default_submission(struct intel_gt *gt)
+               if (engine->sanitize)
+                       engine->sanitize(engine);
+-              engine->set_default_submission(engine);
++              if (engine->set_default_submission)
++                      engine->set_default_submission(engine);
+       }
+ }
+-- 
+2.51.0
+
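Review bot: In intel_engines_reset_default_submission() the new NULL test mirrors the `if (engine->sanitize)` above it, but the code gives no hint why a mandatory-looking hook can be unset. A comment such as `/* not set when the firmware binaries are missing */`, taken from the commit message, would stop the check from being removed as dead code later. The loop header is outside the hunk, so I could not see whether an engine left without a submission backend is handled further along the resume path.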
diff --git a/queue-6.18/drm-vmwgfx-don-t-overwrite-kms-surface-dirty-tracker.patch b/queue-6.18/drm-vmwgfx-don-t-overwrite-kms-surface-dirty-tracker.patch
new file mode 100644 (file)
index 0000000..067abe1
--- /dev/null
@@ -0,0 +1,43 @@
+From cb2af25f9f4e9b6c5980c51f8feef5684f1e5649 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Mar 2026 14:03:30 -0600
+Subject: drm/vmwgfx: Don't overwrite KMS surface dirty tracker
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ian Forbes <ian.forbes@broadcom.com>
+
+[ Upstream commit c6cb77c474a32265e21c4871c7992468bf5e7638 ]
+
+We were overwriting the surface's dirty tracker here causing a memory leak.
+
+Reported-by: Mika Penttilä <mpenttil@redhat.com>
+Closes: https://lore.kernel.org/dri-devel/8c53f3c6-c6de-46fe-a8ca-d98dd52b3abe@redhat.com/
+Fixes: 965544150d1c ("drm/vmwgfx: Refactor cursor handling")
+Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
+Reviewed-by: Maaz Mombasawala <maaz.mombasawala@broadcom.com>
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Link: https://patch.msgid.link/20260302200330.66763-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+index 535d844191e7a..3e8a2f4a907da 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+@@ -768,7 +768,8 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev,
+               ret = vmw_bo_dirty_add(bo);
+               if (!ret && surface && surface->res.func->dirty_alloc) {
+                       surface->res.coherent = true;
+-                      ret = surface->res.func->dirty_alloc(&surface->res);
++                      if (surface->res.dirty == NULL)
++                              ret = surface->res.func->dirty_alloc(&surface->res);
+               }
+               ttm_bo_unreserve(&bo->tbo);
+       }
+-- 
+2.51.0
+
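Review bot: In vmw_kms_fb_create() the new test is written `surface->res.dirty == NULL`; kernel style prefers `if (!surface->res.dirty)`. A short comment such as `/* keep an existing tracker; allocating again would leak it */` would say why the allocation is conditional. `surface->res.coherent = true` still runs whether or not a tracker already exists, which looks intended but is worth confirming. The function starts and ends outside the hunk.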
diff --git a/queue-6.18/fs-tests-exec-remove-bad-test-vector.patch b/queue-6.18/fs-tests-exec-remove-bad-test-vector.patch
new file mode 100644 (file)
index 0000000..5bcb0c6
--- /dev/null
@@ -0,0 +1,37 @@
+From 51253da732bb3e63b00ca205d01c80cec63fb5b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 11:36:29 -0700
+Subject: fs/tests: exec: Remove bad test vector
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit c4192754e836e0ffed95833509b6ada975b74418 ]
+
+Drop an unusable test in the bprm stack limits.
+
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Closes: https://lore.kernel.org/all/a3e9b1c2-40c1-45df-9fa2-14ee6a7b3fe2@roeck-us.net
+Fixes: 60371f43e56b ("exec: Add KUnit test for bprm_stack_limits()")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/tests/exec_kunit.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/fs/tests/exec_kunit.c b/fs/tests/exec_kunit.c
+index f412d1a0f6bba..1c32cac098cf5 100644
+--- a/fs/tests/exec_kunit.c
++++ b/fs/tests/exec_kunit.c
+@@ -94,9 +94,6 @@ static const struct bprm_stack_limits_result bprm_stack_limits_results[] = {
+       { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * (_STK_LIM / 4 * 3 + sizeof(void *)),
+           .argc = 0, .envc = 0 },
+         .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) },
+-      { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * (_STK_LIM / 4 *  + sizeof(void *)),
+-          .argc = 0, .envc = 0 },
+-        .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) },
+       { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * _STK_LIM,
+           .argc = 0, .envc = 0 },
+         .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) },
+-- 
+2.51.0
+
diff --git a/queue-6.18/hwmon-max6639-fix-pulses-per-revolution-implementati.patch b/queue-6.18/hwmon-max6639-fix-pulses-per-revolution-implementati.patch
new file mode 100644 (file)
index 0000000..b00bf3f
--- /dev/null
@@ -0,0 +1,66 @@
+From 3e33c7b1d2f26f7fe04ec8a6423c8129e7748483 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 21:31:22 -0700
+Subject: hwmon: (max6639) Fix pulses-per-revolution implementation
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit e7bae9a7a5e1251ab414291f4e9304d702bb9221 ]
+
+The valid range for the pulses-per-revolution devicetree property is
+1..4. The current code checks for a range of 1..5. Fix it.
+
+Declare the variable used to retrieve pulses per revolution from
+devicetree as u32 (unsigned) to match the of_property_read_u32() API.
+
+The current code uses a postfix decrement when writing the pulses per
+resolution into the chip. This has no effect since the value is evaluated
+before it is decremented. Fix it by decrementing before evaluating the
+value.
+
+Fixes: 7506ebcd662b ("hwmon: (max6639) : Configure based on DT property")
+Cc: Naresh Solanki <naresh.solanki@9elements.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/max6639.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/hwmon/max6639.c b/drivers/hwmon/max6639.c
+index 1fc12e1463b58..447e8cdbc74c6 100644
+--- a/drivers/hwmon/max6639.c
++++ b/drivers/hwmon/max6639.c
+@@ -235,7 +235,7 @@ static int max6639_read_fan(struct device *dev, u32 attr, int channel,
+ static int max6639_set_ppr(struct max6639_data *data, int channel, u8 ppr)
+ {
+       /* Decrement the PPR value and shift left by 6 to match the register format */
+-      return regmap_write(data->regmap, MAX6639_REG_FAN_PPR(channel), ppr-- << 6);
++      return regmap_write(data->regmap, MAX6639_REG_FAN_PPR(channel), --ppr << 6);
+ }
+ static int max6639_write_fan(struct device *dev, u32 attr, int channel,
+@@ -537,8 +537,8 @@ static int max6639_probe_child_from_dt(struct i2c_client *client,
+ {
+       struct device *dev = &client->dev;
+-      u32 i;
+-      int err, val;
++      u32 i, val;
++      int err;
+       err = of_property_read_u32(child, "reg", &i);
+       if (err) {
+@@ -553,8 +553,8 @@ static int max6639_probe_child_from_dt(struct i2c_client *client,
+       err = of_property_read_u32(child, "pulses-per-revolution", &val);
+       if (!err) {
+-              if (val < 1 || val > 5) {
+-                      dev_err(dev, "invalid pulses-per-revolution %d of %pOFn\n", val, child);
++              if (val < 1 || val > 4) {
++                      dev_err(dev, "invalid pulses-per-revolution %u of %pOFn\n", val, child);
+                       return -EINVAL;
+               }
+               data->ppr[i] = val;
+-- 
+2.51.0
+
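Review bot: In `max6639_set_ppr()` the corrected expression `--ppr << 6` still modifies the by-value parameter only to consume the result once, which is the same side-effect idiom that hid the original bug. Writing the value as `(ppr - 1) << 6` in the `regmap_write()` call states the intent without a side effect. The helper also has no range check of its own: a `ppr` of 0 would wrap the `u8` to 255 before the shift, so it depends on the 1..4 check in `max6639_probe_child_from_dt()` and on whatever validation `max6639_write_fan()` performs outside this hunk. A one-line comment such as `/* ppr must already be validated to 1..4 by the caller */` above the write would make that precondition explicit.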
diff --git a/queue-6.18/iommu-sva-fix-crash-in-iommu_sva_unbind_device.patch b/queue-6.18/iommu-sva-fix-crash-in-iommu_sva_unbind_device.patch
new file mode 100644 (file)
index 0000000..a2c9ae6
--- /dev/null
@@ -0,0 +1,59 @@
+From 923bd4fd6c00dc4814809c88cbf06c63543daf63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 22:18:42 -0800
+Subject: iommu/sva: Fix crash in iommu_sva_unbind_device()
+
+From: Lizhi Hou <lizhi.hou@amd.com>
+
+[ Upstream commit 06e14c36e20b48171df13d51b89fe67c594ed07a ]
+
+domain->mm->iommu_mm can be freed by iommu_domain_free():
+  iommu_domain_free()
+    mmdrop()
+      __mmdrop()
+        mm_pasid_drop()
+After iommu_domain_free() returns, accessing domain->mm->iommu_mm may
+dereference a freed mm structure, leading to a crash.
+
+Fix this by moving the code that accesses domain->mm->iommu_mm to before
+the call to iommu_domain_free().
+
+Fixes: e37d5a2d60a3 ("iommu/sva: invalidate stale IOTLB entries for kernel address space")
+Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Yi Liu <yi.l.liu@intel.com>
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommu-sva.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iommu/iommu-sva.c b/drivers/iommu/iommu-sva.c
+index e1e63c2be82b2..fd735aaae9e3f 100644
+--- a/drivers/iommu/iommu-sva.c
++++ b/drivers/iommu/iommu-sva.c
+@@ -182,13 +182,13 @@ void iommu_sva_unbind_device(struct iommu_sva *handle)
+       iommu_detach_device_pasid(domain, dev, iommu_mm->pasid);
+       if (--domain->users == 0) {
+               list_del(&domain->next);
+-              iommu_domain_free(domain);
+-      }
++              if (list_empty(&iommu_mm->sva_domains)) {
++                      list_del(&iommu_mm->mm_list_elm);
++                      if (list_empty(&iommu_sva_mms))
++                              iommu_sva_present = false;
++              }
+-      if (list_empty(&iommu_mm->sva_domains)) {
+-              list_del(&iommu_mm->mm_list_elm);
+-              if (list_empty(&iommu_sva_mms))
+-                      iommu_sva_present = false;
++              iommu_domain_free(domain);
+       }
+       mutex_unlock(&iommu_sva_lock);
+-- 
+2.51.0
+
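Review bot: The reordered block in `iommu_sva_unbind_device()` carries no comment explaining why `iommu_domain_free(domain)` has to be the last statement inside the `if`, so a later cleanup could move the `iommu_mm` bookkeeping back out and reintroduce the use-after-free. I would add `/* iommu_domain_free() may drop the last mm reference and free iommu_mm; do not touch iommu_mm after it */` directly above the call. The function begins and ends outside the hunk, so whether `iommu_mm` is read again after `mutex_unlock(&iommu_sva_lock)` cannot be confirmed from here and is worth a quick check.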
diff --git a/queue-6.18/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch b/queue-6.18/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch
new file mode 100644 (file)
index 0000000..2c762a2
--- /dev/null
@@ -0,0 +1,128 @@
+From ef8f7911fb145e754311e395bb2eadec47d40466 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 17:15:51 +0900
+Subject: ksmbd: fix use-after-free in durable v2 replay of active file handles
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit b425e4d0eb321a1116ddbf39636333181675d8f4 ]
+
+parse_durable_handle_context() unconditionally assigns dh_info->fp->conn
+to the current connection when handling a DURABLE_REQ_V2 context with
+SMB2_FLAGS_REPLAY_OPERATION. ksmbd_lookup_fd_cguid() does not filter by
+fp->conn, so it returns file handles that are already actively connected.
+The unconditional overwrite replaces fp->conn, and when the overwriting
+connection is subsequently freed, __ksmbd_close_fd() dereferences the
+stale fp->conn via spin_lock(&fp->conn->llist_lock), causing a
+use-after-free.
+
+KASAN report:
+
+[    7.349357] ==================================================================
+[    7.349607] BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x75/0xe0
+[    7.349811] Write of size 4 at addr ffff8881056ac18c by task kworker/1:2/108
+[    7.350010]
+[    7.350064] CPU: 1 UID: 0 PID: 108 Comm: kworker/1:2 Not tainted 7.0.0-rc3+ #58 PREEMPTLAZY
+[    7.350068] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[    7.350070] Workqueue: ksmbd-io handle_ksmbd_work
+[    7.350083] Call Trace:
+[    7.350087]  <TASK>
+[    7.350087]  dump_stack_lvl+0x64/0x80
+[    7.350094]  print_report+0xce/0x660
+[    7.350100]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[    7.350101]  ? __pfx___mod_timer+0x10/0x10
+[    7.350106]  ? _raw_spin_lock+0x75/0xe0
+[    7.350108]  kasan_report+0xce/0x100
+[    7.350109]  ? _raw_spin_lock+0x75/0xe0
+[    7.350114]  kasan_check_range+0x105/0x1b0
+[    7.350116]  _raw_spin_lock+0x75/0xe0
+[    7.350118]  ? __pfx__raw_spin_lock+0x10/0x10
+[    7.350119]  ? __call_rcu_common.constprop.0+0x25e/0x780
+[    7.350125]  ? close_id_del_oplock+0x2cc/0x4e0
+[    7.350128]  __ksmbd_close_fd+0x27f/0xaf0
+[    7.350131]  ksmbd_close_fd+0x135/0x1b0
+[    7.350133]  smb2_close+0xb19/0x15b0
+[    7.350142]  ? __pfx_smb2_close+0x10/0x10
+[    7.350143]  ? xas_load+0x18/0x270
+[    7.350146]  ? _raw_spin_lock+0x84/0xe0
+[    7.350148]  ? __pfx__raw_spin_lock+0x10/0x10
+[    7.350150]  ? _raw_spin_unlock+0xe/0x30
+[    7.350151]  ? ksmbd_smb2_check_message+0xeb2/0x24c0
+[    7.350153]  ? ksmbd_tree_conn_lookup+0xcd/0xf0
+[    7.350154]  handle_ksmbd_work+0x40f/0x1080
+[    7.350156]  process_one_work+0x5fa/0xef0
+[    7.350162]  ? assign_work+0x122/0x3e0
+[    7.350163]  worker_thread+0x54b/0xf70
+[    7.350165]  ? __pfx_worker_thread+0x10/0x10
+[    7.350166]  kthread+0x346/0x470
+[    7.350170]  ? recalc_sigpending+0x19b/0x230
+[    7.350176]  ? __pfx_kthread+0x10/0x10
+[    7.350178]  ret_from_fork+0x4fb/0x6c0
+[    7.350183]  ? __pfx_ret_from_fork+0x10/0x10
+[    7.350185]  ? __switch_to+0x36c/0xbe0
+[    7.350188]  ? __pfx_kthread+0x10/0x10
+[    7.350190]  ret_from_fork_asm+0x1a/0x30
+[    7.350197]  </TASK>
+[    7.350197]
+[    7.355160] Allocated by task 123:
+[    7.355261]  kasan_save_stack+0x33/0x60
+[    7.355373]  kasan_save_track+0x14/0x30
+[    7.355484]  __kasan_kmalloc+0x8f/0xa0
+[    7.355593]  ksmbd_conn_alloc+0x44/0x6d0
+[    7.355711]  ksmbd_kthread_fn+0x243/0xd70
+[    7.355839]  kthread+0x346/0x470
+[    7.355942]  ret_from_fork+0x4fb/0x6c0
+[    7.356051]  ret_from_fork_asm+0x1a/0x30
+[    7.356164]
+[    7.356214] Freed by task 134:
+[    7.356305]  kasan_save_stack+0x33/0x60
+[    7.356416]  kasan_save_track+0x14/0x30
+[    7.356527]  kasan_save_free_info+0x3b/0x60
+[    7.356646]  __kasan_slab_free+0x43/0x70
+[    7.356761]  kfree+0x1ca/0x430
+[    7.356862]  ksmbd_tcp_disconnect+0x59/0xe0
+[    7.356993]  ksmbd_conn_handler_loop+0x77e/0xd40
+[    7.357138]  kthread+0x346/0x470
+[    7.357240]  ret_from_fork+0x4fb/0x6c0
+[    7.357350]  ret_from_fork_asm+0x1a/0x30
+[    7.357463]
+[    7.357513] The buggy address belongs to the object at ffff8881056ac000
+[    7.357513]  which belongs to the cache kmalloc-1k of size 1024
+[    7.357857] The buggy address is located 396 bytes inside of
+[    7.357857]  freed 1024-byte region [ffff8881056ac000, ffff8881056ac400)
+
+Fix by removing the unconditional fp->conn assignment and rejecting the
+replay when fp->conn is non-NULL. This is consistent with
+ksmbd_lookup_durable_fd(), which also rejects file handles with a
+non-NULL fp->conn. For disconnected file handles (fp->conn == NULL),
+ksmbd_reopen_durable_fd() handles setting fp->conn.
+
+Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/smb2pdu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index 6796bc919d580..60a8f53443082 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -2840,7 +2840,11 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
+                                               goto out;
+                                       }
+-                                      dh_info->fp->conn = conn;
++                                      if (dh_info->fp->conn) {
++                                              ksmbd_put_durable_fd(dh_info->fp);
++                                              err = -EBADF;
++                                              goto out;
++                                      }
+                                       dh_info->reconnected = true;
+                                       goto out;
+                               }
+-- 
+2.51.0
+
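Review bot: The new `if (dh_info->fp->conn)` test in `parse_durable_handle_context()` reads the field with no lock visible in the hunk, so the check and the later assignment of `fp->conn` (which the description says happens in `ksmbd_reopen_durable_fd()`) are only safe if that function re-checks ownership under its own serialization. That function is outside the hunk, so this is a request to confirm rather than a confirmed defect. Independently, the branch deserves a comment stating the invariant it enforces, for example `/* a non-NULL conn means the handle is still owned by a live connection; only disconnected handles may be replayed */`. A rejection here is also silent, and a `ksmbd_debug(SMB, "durable v2 replay rejected: handle still connected\n");` before `goto out` would help operators tell this case apart from other `-EBADF` returns.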
diff --git a/queue-6.18/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch b/queue-6.18/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch
new file mode 100644 (file)
index 0000000..f09e214
--- /dev/null
@@ -0,0 +1,135 @@
+From 1b640ea0a58f902a71d6e104be9cf73972afdac4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 17:17:02 +0900
+Subject: ksmbd: fix use-after-free of share_conf in compound request
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit c33615f995aee80657b9fdfbc4ee7f49c2bd733d ]
+
+smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without
+validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state ==
+TREE_CONNECTED on the initial lookup path, but the compound reuse path
+bypasses this check entirely.
+
+If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state
+to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(),
+subsequent commands dereference the freed share_conf through
+work->tcon->share_conf.
+
+KASAN report:
+
+[    4.144653] ==================================================================
+[    4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70
+[    4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44
+[    4.145772]
+[    4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY
+[    4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[    4.145875] Workqueue: ksmbd-io handle_ksmbd_work
+[    4.145888] Call Trace:
+[    4.145892]  <TASK>
+[    4.145894]  dump_stack_lvl+0x64/0x80
+[    4.145910]  print_report+0xce/0x660
+[    4.145919]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[    4.145928]  ? smb2_write+0xc74/0xe70
+[    4.145931]  kasan_report+0xce/0x100
+[    4.145934]  ? smb2_write+0xc74/0xe70
+[    4.145937]  smb2_write+0xc74/0xe70
+[    4.145939]  ? __pfx_smb2_write+0x10/0x10
+[    4.145942]  ? _raw_spin_unlock+0xe/0x30
+[    4.145945]  ? ksmbd_smb2_check_message+0xeb2/0x24c0
+[    4.145948]  ? smb2_tree_disconnect+0x31c/0x480
+[    4.145951]  handle_ksmbd_work+0x40f/0x1080
+[    4.145953]  process_one_work+0x5fa/0xef0
+[    4.145962]  ? assign_work+0x122/0x3e0
+[    4.145964]  worker_thread+0x54b/0xf70
+[    4.145967]  ? __pfx_worker_thread+0x10/0x10
+[    4.145970]  kthread+0x346/0x470
+[    4.145976]  ? recalc_sigpending+0x19b/0x230
+[    4.145980]  ? __pfx_kthread+0x10/0x10
+[    4.145984]  ret_from_fork+0x4fb/0x6c0
+[    4.145992]  ? __pfx_ret_from_fork+0x10/0x10
+[    4.145995]  ? __switch_to+0x36c/0xbe0
+[    4.145999]  ? __pfx_kthread+0x10/0x10
+[    4.146003]  ret_from_fork_asm+0x1a/0x30
+[    4.146013]  </TASK>
+[    4.146014]
+[    4.149858] Allocated by task 44:
+[    4.149953]  kasan_save_stack+0x33/0x60
+[    4.150061]  kasan_save_track+0x14/0x30
+[    4.150169]  __kasan_kmalloc+0x8f/0xa0
+[    4.150274]  ksmbd_share_config_get+0x1dd/0xdd0
+[    4.150401]  ksmbd_tree_conn_connect+0x7e/0x600
+[    4.150529]  smb2_tree_connect+0x2e6/0x1000
+[    4.150645]  handle_ksmbd_work+0x40f/0x1080
+[    4.150761]  process_one_work+0x5fa/0xef0
+[    4.150873]  worker_thread+0x54b/0xf70
+[    4.150978]  kthread+0x346/0x470
+[    4.151071]  ret_from_fork+0x4fb/0x6c0
+[    4.151176]  ret_from_fork_asm+0x1a/0x30
+[    4.151286]
+[    4.151332] Freed by task 44:
+[    4.151418]  kasan_save_stack+0x33/0x60
+[    4.151526]  kasan_save_track+0x14/0x30
+[    4.151634]  kasan_save_free_info+0x3b/0x60
+[    4.151751]  __kasan_slab_free+0x43/0x70
+[    4.151861]  kfree+0x1ca/0x430
+[    4.151952]  __ksmbd_tree_conn_disconnect+0xc8/0x190
+[    4.152088]  smb2_tree_disconnect+0x1cd/0x480
+[    4.152211]  handle_ksmbd_work+0x40f/0x1080
+[    4.152326]  process_one_work+0x5fa/0xef0
+[    4.152438]  worker_thread+0x54b/0xf70
+[    4.152545]  kthread+0x346/0x470
+[    4.152638]  ret_from_fork+0x4fb/0x6c0
+[    4.152743]  ret_from_fork_asm+0x1a/0x30
+[    4.152853]
+[    4.152900] The buggy address belongs to the object at ffff88810430c180
+[    4.152900]  which belongs to the cache kmalloc-96 of size 96
+[    4.153226] The buggy address is located 20 bytes inside of
+[    4.153226]  freed 96-byte region [ffff88810430c180, ffff88810430c1e0)
+[    4.153549]
+[    4.153596] The buggy address belongs to the physical page:
+[    4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c
+[    4.154000] flags: 0x100000000000200(workingset|node=0|zone=2)
+[    4.154160] page_type: f5(slab)
+[    4.154251] raw: 0100000000000200 ffff888100041280 ffff888100040110 ffff888100040110
+[    4.154461] raw: ffff88810430ce80 0000000800200009 00000000f5000000 0000000000000000
+[    4.154668] page dumped because: kasan: bad access detected
+[    4.154820]
+[    4.154866] Memory state around the buggy address:
+[    4.155002]  ffff88810430c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155196]  ffff88810430c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155391] >ffff88810430c180: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+[    4.155587]                          ^
+[    4.155693]  ffff88810430c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155891]  ffff88810430c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.156087] ==================================================================
+
+Add the same t_state validation to the compound reuse path, consistent
+with ksmbd_tree_conn_lookup().
+
+Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/smb2pdu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index 1f04b761a8cf8..6796bc919d580 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -125,6 +125,8 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
+                       pr_err("The first operation in the compound does not have tcon\n");
+                       return -EINVAL;
+               }
++              if (work->tcon->t_state != TREE_CONNECTED)
++                      return -ENOENT;
+               if (tree_id != UINT_MAX && work->tcon->id != tree_id) {
+                       pr_err("tree id(%u) is different with id(%u) in first operation\n",
+                                       tree_id, work->tcon->id);
+-- 
+2.51.0
+
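Review bot: The added `t_state` check in `smb2_get_ksmbd_tcon()` returns `-ENOENT` silently, while both neighbouring failure branches in the hunk log what went wrong, so a rejected compound request leaves no trace for whoever is debugging it. Because a remote client can trigger this branch at will, I would use the debug channel rather than `pr_err`, e.g. `ksmbd_debug(SMB, "tree connection is no longer connected in compound request\n");`. A short comment such as `/* an earlier command in this compound may have disconnected the tree */` would also record why the reuse path needs the same validation as the lookup path. Whether `t_state` can change concurrently with this read is not visible in the hunk and is worth confirming against the tree-disconnect path.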
diff --git a/queue-6.18/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch b/queue-6.18/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch
new file mode 100644 (file)
index 0000000..da5af20
--- /dev/null
@@ -0,0 +1,49 @@
+From a785fa6f20d4688dcf6a9ca7979a50952e86515d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 08:43:05 +0900
+Subject: lib/bootconfig: check xbc_init_node() return in override path
+
+From: Josh Law <objecting@objecting.org>
+
+[ Upstream commit bb288d7d869e86d382f35a0e26242c5ccb05ca82 ]
+
+The ':=' override path in xbc_parse_kv() calls xbc_init_node() to
+re-initialize an existing value node but does not check the return
+value. If xbc_init_node() fails (data offset out of range), parsing
+silently continues with stale node data.
+
+Add the missing error check to match the xbc_add_node() call path
+which already checks for failure.
+
+In practice, a bootconfig using ':=' to override a value near the
+32KB data limit could silently retain the old value, meaning a
+security-relevant boot parameter override (e.g., a trace filter or
+debug setting) would not take effect as intended.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-2-objecting@objecting.org/
+
+Fixes: e5efaeb8a8f5 ("bootconfig: Support mixing a value and subkeys under a key")
+Signed-off-by: Josh Law <objecting@objecting.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/bootconfig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/bootconfig.c b/lib/bootconfig.c
+index 0728c4a95249b..5d3802eba52a3 100644
+--- a/lib/bootconfig.c
++++ b/lib/bootconfig.c
+@@ -712,7 +712,8 @@ static int __init xbc_parse_kv(char **k, char *v, int op)
+               if (op == ':') {
+                       unsigned short nidx = child->next;
+-                      xbc_init_node(child, v, XBC_VALUE);
++                      if (xbc_init_node(child, v, XBC_VALUE) < 0)
++                              return xbc_parse_error("Failed to override value", v);
+                       child->next = nidx;     /* keep subkeys */
+                       goto array;
+               }
+-- 
+2.51.0
+
diff --git a/queue-6.18/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch b/queue-6.18/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
new file mode 100644 (file)
index 0000000..6aed9eb
--- /dev/null
@@ -0,0 +1,49 @@
+From 6aae98dd67c24d75444b64fb3d87ea1f0a015543 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 15:21:57 -0500
+Subject: mtd: rawnand: brcmnand: skip DMA during panic write
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+[ Upstream commit da9ba4dcc01e7cf52b7676f0ee9607b8358c2171 ]
+
+When oops_panic_write is set, the driver disables interrupts and
+switches to PIO polling mode but still falls through into the DMA
+path. DMA cannot be used reliably in panic context, so make the
+DMA path an else branch to ensure only PIO is used during panic
+writes.
+
+Fixes: c1ac2dc34b51 ("mtd: rawnand: brcmnand: When oops in progress use pio and interrupt polling")
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: William Zhang <william.zhang@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/brcmnand/brcmnand.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+index 835653bdd5abc..8f4d001377a1c 100644
+--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+@@ -2350,14 +2350,12 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip,
+       for (i = 0; i < ctrl->max_oob; i += 4)
+               oob_reg_write(ctrl, i, 0xffffffff);
+-      if (mtd->oops_panic_write)
++      if (mtd->oops_panic_write) {
+               /* switch to interrupt polling and PIO mode */
+               disable_ctrl_irqs(ctrl);
+-
+-      if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
++      } else if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
+               if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize,
+                                   CMD_PROGRAM_PAGE))
+-
+                       ret = -EIO;
+               goto out;
+-- 
+2.51.0
+
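Review bot: After this change the PIO path in `brcmnand_write()` is reached during a panic write only because the `else if` is skipped, and nothing in the code says so; the existing comment describes the IRQ switch but not the deliberate bypass of `ctrl->dma_trans()`. I would extend it to `/* switch to interrupt polling and PIO mode; DMA is not used in panic context, so fall through to the PIO loop below */`. The inner `if (ctrl->dma_trans(...))` also spans two lines with an unbraced body, and adding braces there would match the braces the commit introduces on the outer branches. The rest of the function, including the PIO loop and the `out` label, lies outside the hunk.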
diff --git a/queue-6.18/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch b/queue-6.18/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
new file mode 100644 (file)
index 0000000..31f185c
--- /dev/null
@@ -0,0 +1,70 @@
+From 5c51306805fcd1e24c60069db4f80e4d01178e09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 14:49:06 -0500
+Subject: mtd: rawnand: serialize lock/unlock against other NAND operations
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+[ Upstream commit bab2bc6e850a697a23b9e5f0e21bb8c187615e95 ]
+
+nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area
+without holding the NAND device lock. On controllers that implement
+SET_FEATURES via multiple low-level PIO commands, these can race with
+concurrent UBI/UBIFS background erase/write operations that hold the
+device lock, resulting in cmd_pending conflicts on the NAND controller.
+
+Add nand_get_device()/nand_release_device() around the lock/unlock
+operations to serialize them against all other NAND controller access.
+
+Fixes: 92270086b7e5 ("mtd: rawnand: Add support for manufacturer specific lock/unlock operation")
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: William Zhang <william.zhang@broadcom.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/nand_base.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c
+index ad6d66309597b..b4bd73d7cd05c 100644
+--- a/drivers/mtd/nand/raw/nand_base.c
++++ b/drivers/mtd/nand/raw/nand_base.c
+@@ -4737,11 +4737,16 @@ static void nand_shutdown(struct mtd_info *mtd)
+ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ {
+       struct nand_chip *chip = mtd_to_nand(mtd);
++      int ret;
+       if (!chip->ops.lock_area)
+               return -ENOTSUPP;
+-      return chip->ops.lock_area(chip, ofs, len);
++      nand_get_device(chip);
++      ret = chip->ops.lock_area(chip, ofs, len);
++      nand_release_device(chip);
++
++      return ret;
+ }
+ /**
+@@ -4753,11 +4758,16 @@ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ static int nand_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ {
+       struct nand_chip *chip = mtd_to_nand(mtd);
++      int ret;
+       if (!chip->ops.unlock_area)
+               return -ENOTSUPP;
+-      return chip->ops.unlock_area(chip, ofs, len);
++      nand_get_device(chip);
++      ret = chip->ops.unlock_area(chip, ofs, len);
++      nand_release_device(chip);
++
++      return ret;
+ }
+ /* Set default functions */
+-- 
+2.51.0
+
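Review bot: `nand_lock()` and `nand_unlock()` now invoke `chip->ops.lock_area` and `chip->ops.unlock_area` with the NAND device lock held, but that new contract is not documented anywhere in the hunk. If any manufacturer implementation takes the device lock itself, directly or through a helper, it would now self-deadlock; those implementations are outside this hunk, so this needs confirming rather than being a known defect. I would add a line to each function's kernel-doc, e.g. `* Context: takes the NAND device lock; the ->lock_area() hook must not acquire it again.`, and the equivalent for `->unlock_area()`. The kernel-doc blocks themselves are only partly visible here.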
index 20493634eb6a0df0e5489528a654d4606a8ed9d1..7cb164d9e93ad22e5b6f5e057e644f85b3b6cb76 100644 (file)
@@ -191,3 +191,21 @@ perf-x86-move-event-pointer-setup-earlier-in-x86_pmu_enable.patch
 ring-buffer-fix-to-update-per-subbuf-entries-of-persistent-ring-buffer.patch
 tracing-fix-failure-to-read-user-space-from-system-call-trace-events.patch
 x86-platform-uv-handle-deconfigured-sockets.patch
+binfmt_elf_fdpic-fix-auxv-size-calculation-for-elf_h.patch
+mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
+mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
+spi-amlogic-spifc-a4-remove-redundant-clock-cleanup.patch
+spi-amlogic-spisg-fix-memory-leak-in-aml_spisg_probe.patch
+drm-vmwgfx-don-t-overwrite-kms-surface-dirty-tracker.patch
+iommu-sva-fix-crash-in-iommu_sva_unbind_device.patch
+drm-amd-display-fix-displayid-not-found-handling-in-.patch
+drm-amd-fix-dcn-2.01-check.patch
+drm-bridge-dw-hdmi-qp-fix-multi-channel-audio-output.patch
+ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch
+ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch
+drm-i915-gt-check-set_default_submission-before-defe.patch
+fs-tests-exec-remove-bad-test-vector.patch
+lib-bootconfig-check-xbc_init_node-return-in-overrid.patch
+tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch
+arm64-realm-fix-pte_ns_shared-for-52bit-pa-support.patch
+hwmon-max6639-fix-pulses-per-revolution-implementati.patch
diff --git a/queue-6.18/spi-amlogic-spifc-a4-remove-redundant-clock-cleanup.patch b/queue-6.18/spi-amlogic-spifc-a4-remove-redundant-clock-cleanup.patch
new file mode 100644 (file)
index 0000000..17358fc
--- /dev/null
@@ -0,0 +1,115 @@
+From b07c96cb011f602ea19b9de0df10d01c13c34ddd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Mar 2026 21:34:55 +0800
+Subject: spi: amlogic: spifc-a4: Remove redundant clock cleanup
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit a00da54d06f435dbbeacb84f9121dbbe6d6eda74 ]
+
+The driver uses devm_clk_get_enabled() which enables the clock and
+registers a callback to automatically disable it when the device
+is unbound.
+
+Remove the redundant aml_sfc_disable_clk() call in the error paths
+and remove callback.
+
+Fixes: 4670db6f32e9 ("spi: amlogic: add driver for Amlogic SPI Flash Controller")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Link: https://patch.msgid.link/20260308-spifc-a4-1-v1-1-77e286c26832@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-amlogic-spifc-a4.c | 46 +++++-------------------------
+ 1 file changed, 7 insertions(+), 39 deletions(-)
+
+diff --git a/drivers/spi/spi-amlogic-spifc-a4.c b/drivers/spi/spi-amlogic-spifc-a4.c
+index f324aa39a8976..b2589fe2425cc 100644
+--- a/drivers/spi/spi-amlogic-spifc-a4.c
++++ b/drivers/spi/spi-amlogic-spifc-a4.c
+@@ -1083,14 +1083,6 @@ static int aml_sfc_clk_init(struct aml_sfc *sfc)
+       return clk_set_rate(sfc->core_clk, SFC_BUS_DEFAULT_CLK);
+ }
+-static int aml_sfc_disable_clk(struct aml_sfc *sfc)
+-{
+-      clk_disable_unprepare(sfc->core_clk);
+-      clk_disable_unprepare(sfc->gate_clk);
+-
+-      return 0;
+-}
+-
+ static int aml_sfc_probe(struct platform_device *pdev)
+ {
+       struct device_node *np = pdev->dev.of_node;
+@@ -1141,16 +1133,12 @@ static int aml_sfc_probe(struct platform_device *pdev)
+       /* Enable Amlogic flash controller spi mode */
+       ret = regmap_write(sfc->regmap_base, SFC_SPI_CFG, SPI_MODE_EN);
+-      if (ret) {
+-              dev_err(dev, "failed to enable SPI mode\n");
+-              goto err_out;
+-      }
++      if (ret)
++              return dev_err_probe(dev, ret, "failed to enable SPI mode\n");
+       ret = dma_set_mask(sfc->dev, DMA_BIT_MASK(32));
+-      if (ret) {
+-              dev_err(sfc->dev, "failed to set dma mask\n");
+-              goto err_out;
+-      }
++      if (ret)
++              return dev_err_probe(sfc->dev, ret, "failed to set dma mask\n");
+       sfc->ecc_eng.dev = &pdev->dev;
+       sfc->ecc_eng.integration = NAND_ECC_ENGINE_INTEGRATION_PIPELINED;
+@@ -1158,10 +1146,8 @@ static int aml_sfc_probe(struct platform_device *pdev)
+       sfc->ecc_eng.priv = sfc;
+       ret = nand_ecc_register_on_host_hw_engine(&sfc->ecc_eng);
+-      if (ret) {
+-              dev_err(&pdev->dev, "failed to register Aml host ecc engine.\n");
+-              goto err_out;
+-      }
++      if (ret)
++              return dev_err_probe(&pdev->dev, ret, "failed to register Aml host ecc engine.\n");
+       ret = of_property_read_u32(np, "amlogic,rx-adj", &val);
+       if (!ret)
+@@ -1177,24 +1163,7 @@ static int aml_sfc_probe(struct platform_device *pdev)
+       ctrl->min_speed_hz = SFC_MIN_FREQUENCY;
+       ctrl->num_chipselect = SFC_MAX_CS_NUM;
+-      ret = devm_spi_register_controller(dev, ctrl);
+-      if (ret)
+-              goto err_out;
+-
+-      return 0;
+-
+-err_out:
+-      aml_sfc_disable_clk(sfc);
+-
+-      return ret;
+-}
+-
+-static void aml_sfc_remove(struct platform_device *pdev)
+-{
+-      struct spi_controller *ctlr = platform_get_drvdata(pdev);
+-      struct aml_sfc *sfc = spi_controller_get_devdata(ctlr);
+-
+-      aml_sfc_disable_clk(sfc);
++      return devm_spi_register_controller(dev, ctrl);
+ }
+ static const struct of_device_id aml_sfc_of_match[] = {
+@@ -1212,7 +1181,6 @@ static struct platform_driver aml_sfc_driver = {
+               .of_match_table = aml_sfc_of_match,
+       },
+       .probe = aml_sfc_probe,
+-      .remove = aml_sfc_remove,
+ };
+ module_platform_driver(aml_sfc_driver);
+-- 
+2.51.0
+
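Review bot: In `aml_sfc_probe()` the engine registered by `nand_ecc_register_on_host_hw_engine(&sfc->ecc_eng)` is never unregistered: the final `return devm_spi_register_controller(dev, ctrl);` can fail after the registration, and with `aml_sfc_remove()` deleted there is no unbind path that undoes it either. The old code did not unregister it either, so this is a gap the commit leaves open rather than one it introduces. If `sfc` is device-managed memory (its allocation is outside the hunk), the registry would keep a pointer into freed memory after a failed probe or an unbind. Tying the unregistration to the device with `devm_add_action_or_reset()` right after the registration keeps the all-devm style this commit moves to.

```c
static void aml_sfc_unregister_ecc_engine(void *data)
{
	struct nand_ecc_engine *eng = data;

	nand_ecc_unregister_on_host_hw_engine(eng);
}

	/* … unchanged: ecc_eng setup and nand_ecc_register_on_host_hw_engine() check … */
	ret = devm_add_action_or_reset(dev, aml_sfc_unregister_ecc_engine,
				       &sfc->ecc_eng);
	if (ret)
		return ret;
	/* … unchanged: rx-adj parsing and controller setup … */
```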
diff --git a/queue-6.18/spi-amlogic-spisg-fix-memory-leak-in-aml_spisg_probe.patch b/queue-6.18/spi-amlogic-spisg-fix-memory-leak-in-aml_spisg_probe.patch
new file mode 100644 (file)
index 0000000..e6e35b8
--- /dev/null
@@ -0,0 +1,68 @@
+From f308c6ffdbb1f1b0c00e20e689d43f573ad05162 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Mar 2026 14:49:21 +0800
+Subject: spi: amlogic-spisg: Fix memory leak in aml_spisg_probe()
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit b8db9552997924b750e727a625a30eaa4603bbb9 ]
+
+In aml_spisg_probe(), ctlr is allocated by
+spi_alloc_target()/spi_alloc_host(), but fails to call
+spi_controller_put() in several error paths. This leads
+to a memory leak whenever the driver fails to probe after
+the initial allocation.
+
+Convert to use devm_spi_alloc_host()/devm_spi_alloc_target()
+to fix the memory leak.
+
+Fixes: cef9991e04ae ("spi: Add Amlogic SPISG driver")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Link: https://patch.msgid.link/20260308-spisg-v1-1-2cace5cafc24@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-amlogic-spisg.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/spi/spi-amlogic-spisg.c b/drivers/spi/spi-amlogic-spisg.c
+index bcd7ec291ad07..6045c89c37c83 100644
+--- a/drivers/spi/spi-amlogic-spisg.c
++++ b/drivers/spi/spi-amlogic-spisg.c
+@@ -729,9 +729,9 @@ static int aml_spisg_probe(struct platform_device *pdev)
+       };
+       if (of_property_read_bool(dev->of_node, "spi-slave"))
+-              ctlr = spi_alloc_target(dev, sizeof(*spisg));
++              ctlr = devm_spi_alloc_target(dev, sizeof(*spisg));
+       else
+-              ctlr = spi_alloc_host(dev, sizeof(*spisg));
++              ctlr = devm_spi_alloc_host(dev, sizeof(*spisg));
+       if (!ctlr)
+               return -ENOMEM;
+@@ -750,10 +750,8 @@ static int aml_spisg_probe(struct platform_device *pdev)
+               return dev_err_probe(dev, PTR_ERR(spisg->map), "regmap init failed\n");
+       irq = platform_get_irq(pdev, 0);
+-      if (irq < 0) {
+-              ret = irq;
+-              goto out_controller;
+-      }
++      if (irq < 0)
++              return irq;
+       ret = device_reset_optional(dev);
+       if (ret)
+@@ -818,8 +816,6 @@ static int aml_spisg_probe(struct platform_device *pdev)
+       if (spisg->core)
+               clk_disable_unprepare(spisg->core);
+       clk_disable_unprepare(spisg->pclk);
+-out_controller:
+-      spi_controller_put(ctlr);
+       return ret;
+ }
+-- 
+2.51.0
+
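Review bot: In aml_spisg_probe(), the switch to `devm_spi_alloc_target()`/`devm_spi_alloc_host()` hands the controller reference to devres, so any `spi_controller_put(ctlr)` left elsewhere in the driver would now drop that reference a second time. The hunk removes the one under `out_controller`, but the remove path and the registration call are outside the visible lines. It is worth confirming that neither still puts the controller, since a double put would end in a use-after-free of the controller. A short comment at the allocation, `/* devm-managed: no spi_controller_put() on error or remove */`, would keep later error paths from reintroducing it.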
diff --git a/queue-6.18/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch b/queue-6.18/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch
new file mode 100644 (file)
index 0000000..f9de653
--- /dev/null
@@ -0,0 +1,44 @@
+From 9a140ef58d6c35b6ebbf568d3c5667f1c5cb55a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 08:43:06 +0900
+Subject: tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
+
+From: Josh Law <objecting@objecting.org>
+
+[ Upstream commit 3b2c2ab4ceb82af484310c3087541eab00ea288b ]
+
+If fstat() fails after open() succeeds, the function returns without
+closing the file descriptor. Also preserve errno across close(), since
+close() may overwrite it before the error is returned.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-3-objecting@objecting.org/
+
+Fixes: 950313ebf79c ("tools: bootconfig: Add bootconfig command")
+Signed-off-by: Josh Law <objecting@objecting.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bootconfig/main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c
+index 55d59ed507d54..643f707b8f1da 100644
+--- a/tools/bootconfig/main.c
++++ b/tools/bootconfig/main.c
+@@ -162,8 +162,11 @@ static int load_xbc_file(const char *path, char **buf)
+       if (fd < 0)
+               return -errno;
+       ret = fstat(fd, &stat);
+-      if (ret < 0)
+-              return -errno;
++      if (ret < 0) {
++              ret = -errno;
++              close(fd);
++              return ret;
++      }
+       ret = load_xbc_fd(fd, buf, stat.st_size);
+-- 
+2.51.0
+
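Review bot: The new fstat() error branch in load_xbc_file() saves `-errno` into `ret` before `close(fd)`, and nothing in the code says why the order matters. A one-line comment such as `/* read errno before close(), which may overwrite it */` above `ret = -errno;` would stop a later cleanup from folding it back into `close(fd); return -errno;`. The function continues past the hunk, so whether the `load_xbc_fd()` path closes `fd` on every exit cannot be confirmed from here.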
diff --git a/queue-6.19/arm64-realm-fix-pte_ns_shared-for-52bit-pa-support.patch b/queue-6.19/arm64-realm-fix-pte_ns_shared-for-52bit-pa-support.patch
new file mode 100644 (file)
index 0000000..2dcf9e0
--- /dev/null
@@ -0,0 +1,64 @@
+From 74855fa8456fe725760ca0afb1ebaf888e7d4b66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 16:19:01 +0000
+Subject: arm64: realm: Fix PTE_NS_SHARED for 52bit PA support
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+[ Upstream commit 8c6e9b60f5c7985a9fe41320556a92d7a33451df ]
+
+With LPA/LPA2, the top bits of the PFN (Bits[51:48]) end up in the lower bits
+of the PTE. So, simply creating a mask of the "top IPA bit" doesn't work well
+for these configurations to set the "top" bit at the output of Stage1
+translation.
+
+Fix this by using the __phys_to_pte_val() to do the right thing for all
+configurations.
+
+Tested using, kvmtool, placing the memory at a higher address (-m <size>@<Addr>).
+
+ e.g:
+ # lkvm run --realm -c 4 -m 512M@@128T -k Image --console serial
+
+ sh-5.0# dmesg | grep "LPA2\|RSI"
+[    0.000000] RME: Using RSI version 1.0
+[    0.000000] CPU features: detected: 52-bit Virtual Addressing (LPA2)
+[    0.777354] CPU features: detected: 52-bit Virtual Addressing for KVM (LPA2)
+
+Fixes: 399306954996 ("arm64: realm: Query IPA size from the RMM")
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Steven Price <steven.price@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/rsi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/rsi.c b/arch/arm64/kernel/rsi.c
+index c64a06f58c0bc..9e846ce4ef9ca 100644
+--- a/arch/arm64/kernel/rsi.c
++++ b/arch/arm64/kernel/rsi.c
+@@ -12,6 +12,7 @@
+ #include <asm/io.h>
+ #include <asm/mem_encrypt.h>
++#include <asm/pgtable.h>
+ #include <asm/rsi.h>
+ static struct realm_config config;
+@@ -146,7 +147,7 @@ void __init arm64_rsi_init(void)
+               return;
+       if (WARN_ON(rsi_get_realm_config(&config)))
+               return;
+-      prot_ns_shared = BIT(config.ipa_bits - 1);
++      prot_ns_shared = __phys_to_pte_val(BIT(config.ipa_bits - 1));
+       if (arm64_ioremap_prot_hook_register(realm_ioremap_hook))
+               return;
+-- 
+2.51.0
+
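Review bot: `config.ipa_bits` is used unchecked as a shift count on the changed line in arm64_rsi_init(): a value of 0 makes `BIT(config.ipa_bits - 1)` an out-of-range shift, and a value above what a PTE can encode would presumably leave `__phys_to_pte_val()` returning a mask without the shared bit. The value is filled in by `rsi_get_realm_config()`, and no range check is visible between that call and the use. A guard before the assignment, for example `if (WARN_ON(!config.ipa_bits || config.ipa_bits > PHYS_MASK_SHIFT)) return;`, would turn a bad configuration into a visible failure rather than a wrong `prot_ns_shared`; the exact upper bound should be confirmed against the supported PA size. arm64_rsi_init() starts and ends outside the hunk.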
diff --git a/queue-6.19/arm_mpam-fix-null-pointer-dereference-when-restoring.patch b/queue-6.19/arm_mpam-fix-null-pointer-dereference-when-restoring.patch
new file mode 100644 (file)
index 0000000..a17f4dd
--- /dev/null
@@ -0,0 +1,62 @@
+From f8f314840b1c3ff9ab8aac2fc1e86b240a196b9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Mar 2026 18:27:16 +0000
+Subject: arm_mpam: Fix null pointer dereference when restoring bandwidth
+ counters
+
+From: Ben Horgan <ben.horgan@arm.com>
+
+[ Upstream commit 4ad79c874e53ebb7fe3b8ae7ac6c858a2121f415 ]
+
+When an MSC supporting memory bandwidth monitoring is brought offline and
+then online, mpam_restore_mbwu_state() calls __ris_msmon_read() via ipi to
+restore the configuration of the bandwidth counters. It doesn't care about
+the value read, mbwu_arg.val, and doesn't set it leading to a null pointer
+dereference when __ris_msmon_read() adds to it. This results in a kernel
+oops with a call trace such as:
+
+Call trace:
+__ris_msmon_read+0x19c/0x64c (P)
+mpam_restore_mbwu_state+0xa0/0xe8
+smp_call_on_cpu_callback+0x1c/0x38
+process_one_work+0x154/0x4b4
+worker_thread+0x188/0x310
+kthread+0x11c/0x130
+ret_from_fork+0x10/0x20
+
+Provide a local variable for val to avoid __ris_msmon_read() dereferencing
+a null pointer when adding to val.
+
+Fixes: 41e8a14950e1 ("arm_mpam: Track bandwidth counter state for power management")
+Signed-off-by: Ben Horgan <ben.horgan@arm.com>
+Reviewed-by: James Morse <james.morse@arm.com>
+Signed-off-by: James Morse <james.morse@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/resctrl/mpam_devices.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/resctrl/mpam_devices.c b/drivers/resctrl/mpam_devices.c
+index b495d52918681..41fe421171813 100644
+--- a/drivers/resctrl/mpam_devices.c
++++ b/drivers/resctrl/mpam_devices.c
+@@ -1428,6 +1428,7 @@ static void mpam_reprogram_ris_partid(struct mpam_msc_ris *ris, u16 partid,
+ static int mpam_restore_mbwu_state(void *_ris)
+ {
+       int i;
++      u64 val;
+       struct mon_read mwbu_arg;
+       struct mpam_msc_ris *ris = _ris;
+       struct mpam_class *class = ris->vmsc->comp->class;
+@@ -1437,6 +1438,7 @@ static int mpam_restore_mbwu_state(void *_ris)
+                       mwbu_arg.ris = ris;
+                       mwbu_arg.ctx = &ris->mbwu_state[i].cfg;
+                       mwbu_arg.type = mpam_msmon_choose_counter(class);
++                      mwbu_arg.val = &val;
+                       __ris_msmon_read(&mwbu_arg);
+               }
+-- 
+2.51.0
+
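Review bot: `u64 val;` in mpam_restore_mbwu_state() is left uninitialised, yet the commit message says __ris_msmon_read() adds to the value that `mwbu_arg.val` points at, so the restore path now reads an indeterminate stack value instead of dereferencing NULL. The result is discarded, but the same slot is reused on every loop iteration and the read is easy to avoid. Declaring it as `u64 val = 0;`, or resetting it next to `mwbu_arg.val = &val;`, closes that. The function body extends beyond the hunk.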
diff --git a/queue-6.19/binfmt_elf_fdpic-fix-auxv-size-calculation-for-elf_h.patch b/queue-6.19/binfmt_elf_fdpic-fix-auxv-size-calculation-for-elf_h.patch
new file mode 100644 (file)
index 0000000..131c564
--- /dev/null
@@ -0,0 +1,74 @@
+From d4331a69a085d8d86422618bc7017933dcbde408 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Feb 2026 18:01:05 +0000
+Subject: binfmt_elf_fdpic: fix AUXV size calculation for ELF_HWCAP3 and
+ ELF_HWCAP4
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrei Vagin <avagin@google.com>
+
+[ Upstream commit 4ced4cf5c9d172d91f181df3accdf949d3761aab ]
+
+Commit 4e6e8c2b757f ("binfmt_elf: Wire up AT_HWCAP3 at AT_HWCAP4") added
+support for AT_HWCAP3 and AT_HWCAP4, but it missed updating the AUX
+vector size calculation in create_elf_fdpic_tables() and
+AT_VECTOR_SIZE_BASE in include/linux/auxvec.h.
+
+Similar to the fix for AT_HWCAP2 in commit c6a09e342f8e ("binfmt_elf_fdpic:
+fix AUXV size calculation when ELF_HWCAP2 is defined"), this omission
+leads to a mismatch between the reserved space and the actual number of
+AUX entries, eventually triggering a kernel BUG_ON(csp != sp).
+
+Fix this by incrementing nitems when ELF_HWCAP3 or ELF_HWCAP4 are
+defined and updating AT_VECTOR_SIZE_BASE.
+
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Max Filippov <jcmvbkbc@gmail.com>
+Reviewed-by: Michal Koutný <mkoutny@suse.com>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Reviewed-by: Cyrill Gorcunov <gorcunov@gmail.com>
+Reviewed-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>
+Fixes: 4e6e8c2b757f ("binfmt_elf: Wire up AT_HWCAP3 at AT_HWCAP4")
+Signed-off-by: Andrei Vagin <avagin@google.com>
+Link: https://patch.msgid.link/20260217180108.1420024-2-avagin@google.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_elf_fdpic.c  | 6 ++++++
+ include/linux/auxvec.h | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
+index 48fd2de3bca05..a3d4e6973b299 100644
+--- a/fs/binfmt_elf_fdpic.c
++++ b/fs/binfmt_elf_fdpic.c
+@@ -595,6 +595,12 @@ static int create_elf_fdpic_tables(struct linux_binprm *bprm,
+ #ifdef ELF_HWCAP2
+       nitems++;
+ #endif
++#ifdef ELF_HWCAP3
++      nitems++;
++#endif
++#ifdef ELF_HWCAP4
++      nitems++;
++#endif
+       csp = sp;
+       sp -= nitems * 2 * sizeof(unsigned long);
+diff --git a/include/linux/auxvec.h b/include/linux/auxvec.h
+index 407f7005e6d60..8bcb9b7262628 100644
+--- a/include/linux/auxvec.h
++++ b/include/linux/auxvec.h
+@@ -4,6 +4,6 @@
+ #include <uapi/linux/auxvec.h>
+-#define AT_VECTOR_SIZE_BASE 22 /* NEW_AUX_ENT entries in auxiliary table */
++#define AT_VECTOR_SIZE_BASE 24 /* NEW_AUX_ENT entries in auxiliary table */
+   /* number of "#define AT_.*" above, minus {AT_NULL, AT_IGNORE, AT_NOTELF} */
+ #endif /* _LINUX_AUXVEC_H */
+-- 
+2.51.0
+
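Review bot: The `nitems` count in create_elf_fdpic_tables() is still maintained by hand, one `#ifdef ELF_HWCAPn` / `nitems++` pair per optional entry. Per the commit message this is the second time it has drifted from the entries actually written (AT_HWCAP2 earlier, AT_HWCAP3/AT_HWCAP4 now) until `BUG_ON(csp != sp)` fired. A comment above the block, e.g. `/* one nitems++ per conditional NEW_AUX_ENT() below; also update AT_VECTOR_SIZE_BASE */`, would tie the three places together for the next AT_* addition. The function starts and ends outside the hunk, so the NEW_AUX_ENT() calls themselves are not visible here.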
diff --git a/queue-6.19/drm-amd-display-fix-displayid-not-found-handling-in-.patch b/queue-6.19/drm-amd-display-fix-displayid-not-found-handling-in-.patch
new file mode 100644 (file)
index 0000000..9ee638d
--- /dev/null
@@ -0,0 +1,72 @@
+From 53e0b514c630223428882eb17623a989fd2734a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 18:30:26 +0530
+Subject: drm/amd/display: Fix DisplayID not-found handling in
+ parse_edid_displayid_vrr()
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+[ Upstream commit 2323b019651ad81c20a0f7f817c63392b3110652 ]
+
+parse_edid_displayid_vrr() searches the EDID extension blocks for a
+DisplayID extension before parsing the dynamic video timing range.
+
+The code previously checked whether edid_ext was NULL after the search
+loop. However, edid_ext is assigned during each iteration of the loop,
+so it will never be NULL once the loop has executed. If no DisplayID
+extension is found, edid_ext ends up pointing to the last extension
+block, and the NULL check does not correctly detect the failure case.
+
+Instead, check whether the loop completed without finding a matching
+DisplayID block by testing "i == edid->extensions". This ensures the
+function exits early when no DisplayID extension is present and avoids
+parsing an unrelated EDID extension block.
+
+Also simplify the EDID validation check using "!edid ||
+!edid->extensions".
+
+Fixes the below:
+drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:13079 parse_edid_displayid_vrr() warn: variable dereferenced before check 'edid_ext' (see line 13075)
+
+Fixes: a638b837d0e6 ("drm/amd/display: Fix refresh rate range for some panel")
+Cc: Roman Li <roman.li@amd.com>
+Cc: Alex Hung <alex.hung@amd.com>
+Cc: Jerry Zuo <jerry.zuo@amd.com>
+Cc: Sun peng Li <sunpeng.li@amd.com>
+Cc: Tom Chung <chiahsuan.chung@amd.com>
+Cc: Dan Carpenter <dan.carpenter@linaro.org>
+Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 91c7e6342e98c846b259c57273436fdea4c043f2)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index e84ec4365ca6b..5a54d3f4a3de5 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -13101,7 +13101,7 @@ static void parse_edid_displayid_vrr(struct drm_connector *connector,
+       u16 min_vfreq;
+       u16 max_vfreq;
+-      if (edid == NULL || edid->extensions == 0)
++      if (!edid || !edid->extensions)
+               return;
+       /* Find DisplayID extension */
+@@ -13111,7 +13111,7 @@ static void parse_edid_displayid_vrr(struct drm_connector *connector,
+                       break;
+       }
+-      if (edid_ext == NULL)
++      if (i == edid->extensions)
+               return;
+       while (j < EDID_LENGTH) {
+-- 
+2.51.0
+
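Review bot: In parse_edid_displayid_vrr(), the `i == edid->extensions` test is now the only thing keeping the `while (j < EDID_LENGTH)` parser away from an unrelated block, because `edid_ext` still points at the last extension when the search fails. The EDID comes from the attached display, so this is input-validation code. Resetting the pointer on the not-found path, or assigning it only on a match, would make the failure state explicit; at minimum a comment such as `/* loop ran to completion: no DisplayID block, edid_ext is stale */` above the check would record why the index is compared. The search loop body and the parser are outside the hunk, so how `edid->extensions` is bounded against the buffer length cannot be checked from here.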
diff --git a/queue-6.19/drm-amd-fix-dcn-2.01-check.patch b/queue-6.19/drm-amd-fix-dcn-2.01-check.patch
new file mode 100644 (file)
index 0000000..52ed4d1
--- /dev/null
@@ -0,0 +1,49 @@
+From 92a6aecaafec7cef360a3f1442fc1b46daa415b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 17:51:47 +0100
+Subject: drm/amd: fix dcn 2.01 check
+
+From: Andy Nguyen <theofficialflow1996@gmail.com>
+
+[ Upstream commit 39f44f54afa58661ecae9c27e15f5dbce2372892 ]
+
+The ASICREV_IS_BEIGE_GOBY_P check always took precedence, because it includes all chip revisions upto NV_UNKNOWN.
+
+Fixes: 54b822b3eac3 ("drm/amd/display: Use dce_version instead of chip_id")
+Signed-off-by: Andy Nguyen <theofficialflow1996@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 9c7be0efa6f0daa949a5f3e3fdf9ea090b0713cb)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
+index 15cf13ec53026..c450feae5fa5b 100644
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
+@@ -255,6 +255,10 @@ struct clk_mgr *dc_clk_mgr_create(struct dc_context *ctx, struct pp_smu_funcs *p
+                       BREAK_TO_DEBUGGER();
+                       return NULL;
+               }
++              if (ctx->dce_version == DCN_VERSION_2_01) {
++                      dcn201_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
++                      return &clk_mgr->base;
++              }
+               if (ASICREV_IS_SIENNA_CICHLID_P(asic_id.hw_internal_rev)) {
+                       dcn3_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+                       return &clk_mgr->base;
+@@ -267,10 +271,6 @@ struct clk_mgr *dc_clk_mgr_create(struct dc_context *ctx, struct pp_smu_funcs *p
+                       dcn3_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+                       return &clk_mgr->base;
+               }
+-              if (ctx->dce_version == DCN_VERSION_2_01) {
+-                      dcn201_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+-                      return &clk_mgr->base;
+-              }
+               dcn20_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+               return &clk_mgr->base;
+       }
+-- 
+2.51.0
+
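Review bot: The fix in dc_clk_mgr_create() depends purely on statement order, and nothing at the moved `DCN_VERSION_2_01` block says so. A comment like `/* must come before the ASICREV_IS_*_P() checks: ASICREV_IS_BEIGE_GOBY_P() matches every revision up to NV_UNKNOWN */` would keep a later reshuffle from reintroducing the wrong clock manager selection. The enclosing case block starts and ends outside the hunk.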
diff --git a/queue-6.19/drm-bridge-dw-hdmi-qp-fix-multi-channel-audio-output.patch b/queue-6.19/drm-bridge-dw-hdmi-qp-fix-multi-channel-audio-output.patch
new file mode 100644 (file)
index 0000000..8e1d32b
--- /dev/null
@@ -0,0 +1,44 @@
+From 47200bccfc571ccf9c6bc349a4337234eb0386c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Feb 2026 11:28:22 +0000
+Subject: drm/bridge: dw-hdmi-qp: fix multi-channel audio output
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+[ Upstream commit cffcb42c57686e9a801dfcf37a3d0c62e51c1c3e ]
+
+Channel Allocation (PB4) and Level Shift Information (PB5) are
+configured with values from PB1 and PB2 due to the wrong offset
+being used. This results in missing audio channels or incorrect
+speaker placement when playing multi-channel audio.
+
+Use the correct offset to fix multi-channel audio output.
+
+Fixes: fd0141d1a8a2 ("drm/bridge: synopsys: Add audio support for dw-hdmi-qp")
+Reported-by: Christian Hewitt <christianshewitt@gmail.com>
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Signed-off-by: Christian Hewitt <christianshewitt@gmail.com>
+Reviewed-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+Link: https://patch.msgid.link/20260228112822.4056354-1-christianshewitt@gmail.com
+Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
+index 60166919c5b54..ace9d8bcdd197 100644
+--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
+@@ -838,7 +838,7 @@ static int dw_hdmi_qp_config_audio_infoframe(struct dw_hdmi_qp *hdmi,
+       regmap_bulk_write(hdmi->regm, PKT_AUDI_CONTENTS0, &header_bytes, 1);
+       regmap_bulk_write(hdmi->regm, PKT_AUDI_CONTENTS1, &buffer[3], 1);
+-      regmap_bulk_write(hdmi->regm, PKT_AUDI_CONTENTS2, &buffer[4], 1);
++      regmap_bulk_write(hdmi->regm, PKT_AUDI_CONTENTS2, &buffer[7], 1);
+       /* Enable ACR, AUDI, AMD */
+       dw_hdmi_qp_mod(hdmi,
+-- 
+2.51.0
+
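Review bot: The indices `&buffer[3]` and `&buffer[7]` in dw_hdmi_qp_config_audio_infoframe() are bare numbers, which is presumably how the wrong offset went unnoticed. Going by the commit message, `PKT_AUDI_CONTENTS2` should start at PB4, so a comment on that write such as `/* PB4 (channel allocation) onwards */`, and a matching one on the `PKT_AUDI_CONTENTS1` write, would make the layout checkable. The code that packs `buffer` is outside the hunk, so the offsets cannot be confirmed against it from here.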
diff --git a/queue-6.19/drm-i915-gt-check-set_default_submission-before-defe.patch b/queue-6.19/drm-i915-gt-check-set_default_submission-before-defe.patch
new file mode 100644 (file)
index 0000000..b14ba55
--- /dev/null
@@ -0,0 +1,105 @@
+From 3b7db3385309b10341747b8f95dd46504b6aa1ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Feb 2026 10:18:39 +0530
+Subject: drm/i915/gt: Check set_default_submission() before deferencing
+
+From: Rahul Bukte <rahul.bukte@sony.com>
+
+[ Upstream commit 0162ab3220bac870e43e229e6e3024d1a21c3f26 ]
+
+When the i915 driver firmware binaries are not present, the
+set_default_submission pointer is not set. This pointer is
+dereferenced during suspend anyways.
+
+Add a check to make sure it is set before dereferencing.
+
+[   23.289926] PM: suspend entry (deep)
+[   23.293558] Filesystems sync: 0.000 seconds
+[   23.298010] Freezing user space processes
+[   23.302771] Freezing user space processes completed (elapsed 0.000 seconds)
+[   23.309766] OOM killer disabled.
+[   23.313027] Freezing remaining freezable tasks
+[   23.318540] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)
+[   23.342038] serial 00:05: disabled
+[   23.345719] serial 00:02: disabled
+[   23.349342] serial 00:01: disabled
+[   23.353782] sd 0:0:0:0: [sda] Synchronizing SCSI cache
+[   23.358993] sd 1:0:0:0: [sdb] Synchronizing SCSI cache
+[   23.361635] ata1.00: Entering standby power mode
+[   23.368863] ata2.00: Entering standby power mode
+[   23.445187] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[   23.452194] #PF: supervisor instruction fetch in kernel mode
+[   23.457896] #PF: error_code(0x0010) - not-present page
+[   23.463065] PGD 0 P4D 0
+[   23.465640] Oops: Oops: 0010 [#1] SMP NOPTI
+[   23.469869] CPU: 8 UID: 0 PID: 211 Comm: kworker/u48:18 Tainted: G S      W           6.19.0-rc4-00020-gf0b9d8eb98df #10 PREEMPT(voluntary)
+[   23.482512] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN
+[   23.496511] Workqueue: async async_run_entry_fn
+[   23.501087] RIP: 0010:0x0
+[   23.503755] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
+[   23.510324] RSP: 0018:ffffb4a60065fca8 EFLAGS: 00010246
+[   23.515592] RAX: 0000000000000000 RBX: ffff9f428290e000 RCX: 000000000000000f
+[   23.522765] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff9f428290e000
+[   23.529937] RBP: ffff9f4282907070 R08: ffff9f4281130428 R09: 00000000ffffffff
+[   23.537111] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f42829070f8
+[   23.544284] R13: ffff9f4282906028 R14: ffff9f4282900000 R15: ffff9f4282906b68
+[   23.551457] FS:  0000000000000000(0000) GS:ffff9f466b2cf000(0000) knlGS:0000000000000000
+[   23.559588] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   23.565365] CR2: ffffffffffffffd6 CR3: 000000031c230001 CR4: 0000000000f70ef0
+[   23.572539] PKRU: 55555554
+[   23.575281] Call Trace:
+[   23.577770]  <TASK>
+[   23.579905]  intel_engines_reset_default_submission+0x42/0x60
+[   23.585695]  __intel_gt_unset_wedged+0x191/0x200
+[   23.590360]  intel_gt_unset_wedged+0x20/0x40
+[   23.594675]  gt_sanitize+0x15e/0x170
+[   23.598290]  i915_gem_suspend_late+0x6b/0x180
+[   23.602692]  i915_drm_suspend_late+0x35/0xf0
+[   23.607008]  ? __pfx_pci_pm_suspend_late+0x10/0x10
+[   23.611843]  dpm_run_callback+0x78/0x1c0
+[   23.615817]  device_suspend_late+0xde/0x2e0
+[   23.620037]  async_suspend_late+0x18/0x30
+[   23.624082]  async_run_entry_fn+0x25/0xa0
+[   23.628129]  process_one_work+0x15b/0x380
+[   23.632182]  worker_thread+0x2a5/0x3c0
+[   23.635973]  ? __pfx_worker_thread+0x10/0x10
+[   23.640279]  kthread+0xf6/0x1f0
+[   23.643464]  ? __pfx_kthread+0x10/0x10
+[   23.647263]  ? __pfx_kthread+0x10/0x10
+[   23.651045]  ret_from_fork+0x131/0x190
+[   23.654837]  ? __pfx_kthread+0x10/0x10
+[   23.658634]  ret_from_fork_asm+0x1a/0x30
+[   23.662597]  </TASK>
+[   23.664826] Modules linked in:
+[   23.667914] CR2: 0000000000000000
+[   23.671271] ------------[ cut here ]------------
+
+Signed-off-by: Rahul Bukte <rahul.bukte@sony.com>
+Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Link: https://patch.msgid.link/20260203044839.1555147-1-suraj.kandpal@intel.com
+(cherry picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad)
+Fixes: ff44ad51ebf8 ("drm/i915: Move engine->submit_request selection to a vfunc")
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_engine_cs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+index b721bbd233567..ce8cdd517daa1 100644
+--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c
++++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+@@ -1969,7 +1969,8 @@ void intel_engines_reset_default_submission(struct intel_gt *gt)
+               if (engine->sanitize)
+                       engine->sanitize(engine);
+-              engine->set_default_submission(engine);
++              if (engine->set_default_submission)
++                      engine->set_default_submission(engine);
+       }
+ }
+-- 
+2.51.0
+
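Review bot: The new `if (engine->set_default_submission)` guard in intel_engines_reset_default_submission() skips the engine silently, so an engine whose submission backend was never set up passes through the reset path without any trace. The commit message ties the NULL pointer to missing firmware binaries; a comment saying so, e.g. `/* not set when submission was never initialised (firmware missing) */`, would explain why a vfunc that looks mandatory is optional here. Whether other callers of `set_default_submission` need the same check is not visible from this hunk, which covers only the tail of the loop.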
diff --git a/queue-6.19/drm-vmwgfx-don-t-overwrite-kms-surface-dirty-tracker.patch b/queue-6.19/drm-vmwgfx-don-t-overwrite-kms-surface-dirty-tracker.patch
new file mode 100644 (file)
index 0000000..853dc8e
--- /dev/null
@@ -0,0 +1,43 @@
+From 89642906a7c32b501907e491aef809bff002c00d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Mar 2026 14:03:30 -0600
+Subject: drm/vmwgfx: Don't overwrite KMS surface dirty tracker
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ian Forbes <ian.forbes@broadcom.com>
+
+[ Upstream commit c6cb77c474a32265e21c4871c7992468bf5e7638 ]
+
+We were overwriting the surface's dirty tracker here causing a memory leak.
+
+Reported-by: Mika Penttilä <mpenttil@redhat.com>
+Closes: https://lore.kernel.org/dri-devel/8c53f3c6-c6de-46fe-a8ca-d98dd52b3abe@redhat.com/
+Fixes: 965544150d1c ("drm/vmwgfx: Refactor cursor handling")
+Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
+Reviewed-by: Maaz Mombasawala <maaz.mombasawala@broadcom.com>
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Link: https://patch.msgid.link/20260302200330.66763-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+index bc51b5d55e38a..35c7277521a90 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+@@ -771,7 +771,8 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev,
+               ret = vmw_bo_dirty_add(bo);
+               if (!ret && surface && surface->res.func->dirty_alloc) {
+                       surface->res.coherent = true;
+-                      ret = surface->res.func->dirty_alloc(&surface->res);
++                      if (surface->res.dirty == NULL)
++                              ret = surface->res.func->dirty_alloc(&surface->res);
+               }
+               ttm_bo_unreserve(&bo->tbo);
+       }
+-- 
+2.51.0
+
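Review bot: The added check in vmw_kms_fb_create() is written as `if (surface->res.dirty == NULL)`, where kernel style prefers `if (!surface->res.dirty)`, and it carries no comment on why an existing tracker must be kept. Something like `/* keep an already-allocated dirty tracker; reallocating would leak it */` above the check would record the intent. `surface->res.coherent = true;` still runs unconditionally inside the block, which looks intended but is worth stating. The function begins outside the hunk.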
diff --git a/queue-6.19/drm-xe-guc-fail-immediately-on-guc-load-error.patch b/queue-6.19/drm-xe-guc-fail-immediately-on-guc-load-error.patch
new file mode 100644 (file)
index 0000000..99e2e18
--- /dev/null
@@ -0,0 +1,65 @@
+From e56811bd2fe3f0c14845d7137b0dd4313b33eec0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Mar 2026 16:17:33 -0800
+Subject: drm/xe/guc: Fail immediately on GuC load error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
+
+[ Upstream commit 9b72283ec9b8685acdb3467de8fbc3352fdb70bb ]
+
+By using the same variable for both the return of poll_timeout_us and
+the return of the polled function guc_wait_ucode, the return value of
+the latter is overwritten and lost after exiting the polling loop. Since
+guc_wait_ucode returns -1 on GuC load failure, we lose that information
+and always continue as if the GuC had been loaded correctly.
+
+This is fixed by simply using 2 separate variables.
+
+Fixes: a4916b4da448 ("drm/xe/guc: Refactor GuC load to use poll_timeout_us()")
+Signed-off-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Signed-off-by: Vinay Belgaumkar <vinay.belgaumkar@intel.com>
+Link: https://patch.msgid.link/20260303001732.2540493-2-daniele.ceraolospurio@intel.com
+(cherry picked from commit c85ec5c5753a46b5c2aea1292536487be9470ffe)
+Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_guc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_guc.c b/drivers/gpu/drm/xe/xe_guc.c
+index edb939f262685..2eaa009ba2d8d 100644
+--- a/drivers/gpu/drm/xe/xe_guc.c
++++ b/drivers/gpu/drm/xe/xe_guc.c
+@@ -1121,14 +1121,14 @@ static int guc_wait_ucode(struct xe_guc *guc)
+       struct xe_guc_pc *guc_pc = &gt->uc.guc.pc;
+       u32 before_freq, act_freq, cur_freq;
+       u32 status = 0, tries = 0;
++      int load_result, ret;
+       ktime_t before;
+       u64 delta_ms;
+-      int ret;
+       before_freq = xe_guc_pc_get_act_freq(guc_pc);
+       before = ktime_get();
+-      ret = poll_timeout_us(ret = guc_load_done(gt, &status, &tries), ret,
++      ret = poll_timeout_us(load_result = guc_load_done(gt, &status, &tries), load_result,
+                             10 * USEC_PER_MSEC,
+                             GUC_LOAD_TIMEOUT_SEC * USEC_PER_SEC, false);
+@@ -1136,7 +1136,7 @@ static int guc_wait_ucode(struct xe_guc *guc)
+       act_freq = xe_guc_pc_get_act_freq(guc_pc);
+       cur_freq = xe_guc_pc_get_cur_freq_fw(guc_pc);
+-      if (ret) {
++      if (ret || load_result <= 0) {
+               xe_gt_err(gt, "load failed: status = 0x%08X, time = %lldms, freq = %dMHz (req %dMHz)\n",
+                         status, delta_ms, xe_guc_pc_get_act_freq(guc_pc),
+                         xe_guc_pc_get_cur_freq_fw(guc_pc));
+-- 
+2.51.0
+
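Review bot: The condition `if (ret || load_result <= 0)` in guc_wait_ucode() relies on a three-way return convention of guc_load_done() that is not stated anywhere in the hunk. From the commit message a negative value means the load failed, and zero appears to mean "still loading", since that is what keeps poll_timeout_us() polling. A comment at the declaration such as `/* load_result: <0 failed, 0 still loading, >0 done; ret: poll timeout */` would make the check verifiable. The single "load failed" message also does not say which of the two conditions fired, so printing `ret` and `load_result` in it would help triage a firmware that never came up. What the function returns on this path is outside the hunk.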
diff --git a/queue-6.19/fs-tests-exec-remove-bad-test-vector.patch b/queue-6.19/fs-tests-exec-remove-bad-test-vector.patch
new file mode 100644 (file)
index 0000000..7325639
--- /dev/null
@@ -0,0 +1,37 @@
+From bf475bcc9705d0f7a7f2f2b9869ea6fd40e99af8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 11:36:29 -0700
+Subject: fs/tests: exec: Remove bad test vector
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit c4192754e836e0ffed95833509b6ada975b74418 ]
+
+Drop an unusable test in the bprm stack limits.
+
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Closes: https://lore.kernel.org/all/a3e9b1c2-40c1-45df-9fa2-14ee6a7b3fe2@roeck-us.net
+Fixes: 60371f43e56b ("exec: Add KUnit test for bprm_stack_limits()")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/tests/exec_kunit.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/fs/tests/exec_kunit.c b/fs/tests/exec_kunit.c
+index f412d1a0f6bba..1c32cac098cf5 100644
+--- a/fs/tests/exec_kunit.c
++++ b/fs/tests/exec_kunit.c
+@@ -94,9 +94,6 @@ static const struct bprm_stack_limits_result bprm_stack_limits_results[] = {
+       { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * (_STK_LIM / 4 * 3 + sizeof(void *)),
+           .argc = 0, .envc = 0 },
+         .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) },
+-      { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * (_STK_LIM / 4 *  + sizeof(void *)),
+-          .argc = 0, .envc = 0 },
+-        .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) },
+       { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * _STK_LIM,
+           .argc = 0, .envc = 0 },
+         .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) },
+-- 
+2.51.0
+
diff --git a/queue-6.19/hwmon-max6639-fix-pulses-per-revolution-implementati.patch b/queue-6.19/hwmon-max6639-fix-pulses-per-revolution-implementati.patch
new file mode 100644 (file)
index 0000000..8160432
--- /dev/null
@@ -0,0 +1,66 @@
+From 1fd0f7327b6c2ee0e46454b19739cb580fb67cf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 21:31:22 -0700
+Subject: hwmon: (max6639) Fix pulses-per-revolution implementation
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit e7bae9a7a5e1251ab414291f4e9304d702bb9221 ]
+
+The valid range for the pulses-per-revolution devicetree property is
+1..4. The current code checks for a range of 1..5. Fix it.
+
+Declare the variable used to retrieve pulses per revolution from
+devicetree as u32 (unsigned) to match the of_property_read_u32() API.
+
+The current code uses a postfix decrement when writing the pulses per
+resolution into the chip. This has no effect since the value is evaluated
+before it is decremented. Fix it by decrementing before evaluating the
+value.
+
+Fixes: 7506ebcd662b ("hwmon: (max6639) : Configure based on DT property")
+Cc: Naresh Solanki <naresh.solanki@9elements.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/max6639.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/hwmon/max6639.c b/drivers/hwmon/max6639.c
+index 48fde4f1a1561..b6b32286d967a 100644
+--- a/drivers/hwmon/max6639.c
++++ b/drivers/hwmon/max6639.c
+@@ -232,7 +232,7 @@ static int max6639_read_fan(struct device *dev, u32 attr, int channel,
+ static int max6639_set_ppr(struct max6639_data *data, int channel, u8 ppr)
+ {
+       /* Decrement the PPR value and shift left by 6 to match the register format */
+-      return regmap_write(data->regmap, MAX6639_REG_FAN_PPR(channel), ppr-- << 6);
++      return regmap_write(data->regmap, MAX6639_REG_FAN_PPR(channel), --ppr << 6);
+ }
+ static int max6639_write_fan(struct device *dev, u32 attr, int channel,
+@@ -524,8 +524,8 @@ static int max6639_probe_child_from_dt(struct i2c_client *client,
+ {
+       struct device *dev = &client->dev;
+-      u32 i;
+-      int err, val;
++      u32 i, val;
++      int err;
+       err = of_property_read_u32(child, "reg", &i);
+       if (err) {
+@@ -540,8 +540,8 @@ static int max6639_probe_child_from_dt(struct i2c_client *client,
+       err = of_property_read_u32(child, "pulses-per-revolution", &val);
+       if (!err) {
+-              if (val < 1 || val > 5) {
+-                      dev_err(dev, "invalid pulses-per-revolution %d of %pOFn\n", val, child);
++              if (val < 1 || val > 4) {
++                      dev_err(dev, "invalid pulses-per-revolution %u of %pOFn\n", val, child);
+                       return -EINVAL;
+               }
+               data->ppr[i] = val;
+-- 
+2.51.0
+
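Review bot: In max6639_set_ppr() the new `--ppr << 6` modifies the parameter inside the argument list and has no guard for ppr == 0, where the u8 would wrap to 255 and the shifted value would no longer fit what looks like a two-bit field. The devicetree path in max6639_probe_child_from_dt() now limits val to 1..4, but the other callers of max6639_set_ppr() are outside the hunks shown, so the helper should not depend on them. A side-effect-free form such as `return regmap_write(data->regmap, MAX6639_REG_FAN_PPR(channel), (ppr - 1) << 6);`, preceded by `if (ppr < 1 || ppr > 4) return -EINVAL;`, would make the helper safe on its own.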
diff --git a/queue-6.19/iommu-amd-block-identity-domain-when-snp-enabled.patch b/queue-6.19/iommu-amd-block-identity-domain-when-snp-enabled.patch
new file mode 100644 (file)
index 0000000..6bb7294
--- /dev/null
@@ -0,0 +1,89 @@
+From 5e6153083a47cc52ca5b8bec42d37c2daa1b920c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Mar 2026 16:52:33 -0700
+Subject: iommu/amd: Block identity domain when SNP enabled
+
+From: Joe Damato <joe@dama.to>
+
+[ Upstream commit ba17de98545d07285d15ce4fe2afe98283338fb0 ]
+
+Previously, commit 8388f7df936b ("iommu/amd: Do not support
+IOMMU_DOMAIN_IDENTITY after SNP is enabled") prevented users from
+changing the IOMMU domain to identity if SNP was enabled.
+
+This resulted in an error when writing to sysfs:
+
+  # echo "identity" > /sys/kernel/iommu_groups/50/type
+  -bash: echo: write error: Cannot allocate memory
+
+However, commit 4402f2627d30 ("iommu/amd: Implement global identity
+domain") changed the flow of the code, skipping the SNP guard and
+allowing users to change the IOMMU domain to identity after a machine
+has booted.
+
+Once the user does that, they will probably try to bind and the
+device/driver will start to do DMA which will trigger errors:
+
+  iommu ivhd3: AMD-Vi: Event logged [ILLEGAL_DEV_TABLE_ENTRY device=0000:43:00.0 pasid=0x00000 address=0x3737b01000 flags=0x0020]
+  iommu ivhd3: AMD-Vi: Control Reg : 0xc22000142148d
+  AMD-Vi: DTE[0]: 6000000000000003
+  AMD-Vi: DTE[1]: 0000000000000001
+  AMD-Vi: DTE[2]: 2000003088b3e013
+  AMD-Vi: DTE[3]: 0000000000000000
+  bnxt_en 0000:43:00.0 (unnamed net_device) (uninitialized): Error (timeout: 500015) msg {0x0 0x0} len:0
+  iommu ivhd3: AMD-Vi: Event logged [ILLEGAL_DEV_TABLE_ENTRY device=0000:43:00.0 pasid=0x00000 address=0x3737b01000 flags=0x0020]
+  iommu ivhd3: AMD-Vi: Control Reg : 0xc22000142148d
+  AMD-Vi: DTE[0]: 6000000000000003
+  AMD-Vi: DTE[1]: 0000000000000001
+  AMD-Vi: DTE[2]: 2000003088b3e013
+  AMD-Vi: DTE[3]: 0000000000000000
+  bnxt_en 0000:43:00.0: probe with driver bnxt_en failed with error -16
+
+To prevent this from happening, create an attach wrapper for
+identity_domain_ops which returns EINVAL if amd_iommu_snp_en is true.
+
+With this commit applied:
+
+  # echo "identity" > /sys/kernel/iommu_groups/62/type
+  -bash: echo: write error: Invalid argument
+
+Fixes: 4402f2627d30 ("iommu/amd: Implement global identity domain")
+Signed-off-by: Joe Damato <joe@dama.to>
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/iommu.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
+index e216b5a13d49d..cdcce33336826 100644
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -2854,8 +2854,21 @@ static struct iommu_domain blocked_domain = {
+ static struct protection_domain identity_domain;
++static int amd_iommu_identity_attach(struct iommu_domain *dom, struct device *dev,
++                                   struct iommu_domain *old)
++{
++      /*
++       * Don't allow attaching a device to the identity domain if SNP is
++       * enabled.
++       */
++      if (amd_iommu_snp_en)
++              return -EINVAL;
++
++      return amd_iommu_attach_device(dom, dev, old);
++}
++
+ static const struct iommu_domain_ops identity_domain_ops = {
+-      .attach_dev = amd_iommu_attach_device,
++      .attach_dev = amd_iommu_identity_attach,
+ };
+ void amd_iommu_init_identity_domain(void)
+-- 
+2.51.0
+
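Review bot: The comment in amd_iommu_identity_attach() restates the check but not the reason for it, and the reason is what would stop a later refactor from bypassing the guard again, as the commit message says 4402f2627d30 did. I would extend it to say that with SNP enabled an identity attach leaves the device with a device table entry the IOMMU rejects (the ILLEGAL_DEV_TABLE_ENTRY events quoted in the commit message), so the attach has to fail before any DMA starts. The comment could also record that `identity_domain_ops.attach_dev` is the only place this is enforced; whether any other path attaches identity_domain without going through it is not visible in the hunk.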
diff --git a/queue-6.19/iommu-fix-mapping-check-for-0x0-to-avoid-re-mapping-.patch b/queue-6.19/iommu-fix-mapping-check-for-0x0-to-avoid-re-mapping-.patch
new file mode 100644 (file)
index 0000000..c7932b4
--- /dev/null
@@ -0,0 +1,74 @@
+From 7caafd76c5f43cff4878625a0d2dcea3448eaee1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Feb 2026 09:06:37 +0100
+Subject: iommu: Fix mapping check for 0x0 to avoid re-mapping it
+
+From: Antheas Kapenekakis <lkml@antheas.dev>
+
+[ Upstream commit 0a4d00e2e99a39a5698e4b63c394415dcbb39d90 ]
+
+Commit 789a5913b29c ("iommu/amd: Use the generic iommu page table")
+introduces the shared iommu page table for AMD IOMMU. Some bioses
+contain an identity mapping for address 0x0, which is not parsed
+properly (e.g., certain Strix Halo devices). This causes the DMA
+components of the device to fail to initialize (e.g., the NVMe SSD
+controller), leading to a failed post.
+
+Specifically, on the GPD Win 5, the NVME and SSD GPU fail to mount,
+making collecting errors difficult. While debugging, it was found that
+a -EADDRINUSE error was emitted and its source was traced to
+iommu_iova_to_phys(). After adding some debug prints, it was found that
+phys_addr becomes 0, which causes the code to try to re-map the 0
+address and fail, causing a cascade leading to a failed post. This is
+because the GPD Win 5 contains a 0x0-0x1 identity mapping for DMA
+devices, causing it to be repeated for each device.
+
+The cause of this failure is the following check in
+iommu_create_device_direct_mappings(), where address aliasing is handled
+via the following check:
+
+```
+phys_addr = iommu_iova_to_phys(domain, addr);
+if (!phys_addr) {
+        map_size += pg_size;
+        continue;
+}
+````
+
+Obviously, the iommu_iova_to_phys() signature is faulty and aliases
+unmapped and 0 together, causing the allocation code to try to
+re-allocate the 0 address per device. However, it has too many
+instantiations to fix. Therefore, use a ternary so that when addr
+is 0, the check is done for address 1 instead.
+
+Suggested-by: Robin Murphy <robin.murphy@arm.com>
+Fixes: 789a5913b29c ("iommu/amd: Use the generic iommu page table")
+Signed-off-by: Antheas Kapenekakis <lkml@antheas.dev>
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
+index 2ca990dfbb884..3a0c0e4b42fff 100644
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -1207,7 +1207,11 @@ static int iommu_create_device_direct_mappings(struct iommu_domain *domain,
+                       if (addr == end)
+                               goto map_end;
+-                      phys_addr = iommu_iova_to_phys(domain, addr);
++                      /*
++                       * Return address by iommu_iova_to_phys for 0 is
++                       * ambiguous. Offset to address 1 if addr is 0.
++                       */
++                      phys_addr = iommu_iova_to_phys(domain, addr ? addr : 1);
+                       if (!phys_addr) {
+                               map_size += pg_size;
+                               continue;
+-- 
+2.51.0
+
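Review bot: The new comment above the iommu_iova_to_phys() call does not say what is ambiguous or why probing address 1 is safe. I would word it as `/* iommu_iova_to_phys() returns 0 both for "unmapped" and for an IOVA mapped to physical 0; probe IOVA 1, in the same page, so a mapped page 0 reads as non-zero */`. The workaround also depends on the driver's iova_to_phys implementation adding the in-page offset to its result, and if one returned a page-aligned address the lookup would still read as unmapped, which deserves a mention next to the call. The enclosing loop of iommu_create_device_direct_mappings() starts and ends outside the hunk.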
diff --git a/queue-6.19/iommu-sva-fix-crash-in-iommu_sva_unbind_device.patch b/queue-6.19/iommu-sva-fix-crash-in-iommu_sva_unbind_device.patch
new file mode 100644 (file)
index 0000000..774ce56
--- /dev/null
@@ -0,0 +1,59 @@
+From 789ac296d4f06c76213eeeec2a80a7f53a56590d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 22:18:42 -0800
+Subject: iommu/sva: Fix crash in iommu_sva_unbind_device()
+
+From: Lizhi Hou <lizhi.hou@amd.com>
+
+[ Upstream commit 06e14c36e20b48171df13d51b89fe67c594ed07a ]
+
+domain->mm->iommu_mm can be freed by iommu_domain_free():
+  iommu_domain_free()
+    mmdrop()
+      __mmdrop()
+        mm_pasid_drop()
+After iommu_domain_free() returns, accessing domain->mm->iommu_mm may
+dereference a freed mm structure, leading to a crash.
+
+Fix this by moving the code that accesses domain->mm->iommu_mm to before
+the call to iommu_domain_free().
+
+Fixes: e37d5a2d60a3 ("iommu/sva: invalidate stale IOTLB entries for kernel address space")
+Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Yi Liu <yi.l.liu@intel.com>
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommu-sva.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iommu/iommu-sva.c b/drivers/iommu/iommu-sva.c
+index e1e63c2be82b2..fd735aaae9e3f 100644
+--- a/drivers/iommu/iommu-sva.c
++++ b/drivers/iommu/iommu-sva.c
+@@ -182,13 +182,13 @@ void iommu_sva_unbind_device(struct iommu_sva *handle)
+       iommu_detach_device_pasid(domain, dev, iommu_mm->pasid);
+       if (--domain->users == 0) {
+               list_del(&domain->next);
+-              iommu_domain_free(domain);
+-      }
++              if (list_empty(&iommu_mm->sva_domains)) {
++                      list_del(&iommu_mm->mm_list_elm);
++                      if (list_empty(&iommu_sva_mms))
++                              iommu_sva_present = false;
++              }
+-      if (list_empty(&iommu_mm->sva_domains)) {
+-              list_del(&iommu_mm->mm_list_elm);
+-              if (list_empty(&iommu_sva_mms))
+-                      iommu_sva_present = false;
++              iommu_domain_free(domain);
+       }
+       mutex_unlock(&iommu_sva_lock);
+-- 
+2.51.0
+
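Review bot: Nothing in the reordered block of iommu_sva_unbind_device() records that `iommu_domain_free(domain)` has to stay the last statement, which is the whole fix. Per the commit message the free can drop the final mm reference and release iommu_mm, so a one-line comment above the call, for example `/* iommu_domain_free() may free iommu_mm via mmdrop(); touch iommu_mm only before it */`, would keep a later cleanup from moving the list handling back out of the branch. The start of the function, where iommu_mm is loaded, is outside the hunk.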
diff --git a/queue-6.19/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch b/queue-6.19/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch
new file mode 100644 (file)
index 0000000..10ec79d
--- /dev/null
@@ -0,0 +1,128 @@
+From b191aa1613499dc7b2a7a1c5b6b5c7ffcfd5d911 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 17:15:51 +0900
+Subject: ksmbd: fix use-after-free in durable v2 replay of active file handles
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit b425e4d0eb321a1116ddbf39636333181675d8f4 ]
+
+parse_durable_handle_context() unconditionally assigns dh_info->fp->conn
+to the current connection when handling a DURABLE_REQ_V2 context with
+SMB2_FLAGS_REPLAY_OPERATION. ksmbd_lookup_fd_cguid() does not filter by
+fp->conn, so it returns file handles that are already actively connected.
+The unconditional overwrite replaces fp->conn, and when the overwriting
+connection is subsequently freed, __ksmbd_close_fd() dereferences the
+stale fp->conn via spin_lock(&fp->conn->llist_lock), causing a
+use-after-free.
+
+KASAN report:
+
+[    7.349357] ==================================================================
+[    7.349607] BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x75/0xe0
+[    7.349811] Write of size 4 at addr ffff8881056ac18c by task kworker/1:2/108
+[    7.350010]
+[    7.350064] CPU: 1 UID: 0 PID: 108 Comm: kworker/1:2 Not tainted 7.0.0-rc3+ #58 PREEMPTLAZY
+[    7.350068] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[    7.350070] Workqueue: ksmbd-io handle_ksmbd_work
+[    7.350083] Call Trace:
+[    7.350087]  <TASK>
+[    7.350087]  dump_stack_lvl+0x64/0x80
+[    7.350094]  print_report+0xce/0x660
+[    7.350100]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[    7.350101]  ? __pfx___mod_timer+0x10/0x10
+[    7.350106]  ? _raw_spin_lock+0x75/0xe0
+[    7.350108]  kasan_report+0xce/0x100
+[    7.350109]  ? _raw_spin_lock+0x75/0xe0
+[    7.350114]  kasan_check_range+0x105/0x1b0
+[    7.350116]  _raw_spin_lock+0x75/0xe0
+[    7.350118]  ? __pfx__raw_spin_lock+0x10/0x10
+[    7.350119]  ? __call_rcu_common.constprop.0+0x25e/0x780
+[    7.350125]  ? close_id_del_oplock+0x2cc/0x4e0
+[    7.350128]  __ksmbd_close_fd+0x27f/0xaf0
+[    7.350131]  ksmbd_close_fd+0x135/0x1b0
+[    7.350133]  smb2_close+0xb19/0x15b0
+[    7.350142]  ? __pfx_smb2_close+0x10/0x10
+[    7.350143]  ? xas_load+0x18/0x270
+[    7.350146]  ? _raw_spin_lock+0x84/0xe0
+[    7.350148]  ? __pfx__raw_spin_lock+0x10/0x10
+[    7.350150]  ? _raw_spin_unlock+0xe/0x30
+[    7.350151]  ? ksmbd_smb2_check_message+0xeb2/0x24c0
+[    7.350153]  ? ksmbd_tree_conn_lookup+0xcd/0xf0
+[    7.350154]  handle_ksmbd_work+0x40f/0x1080
+[    7.350156]  process_one_work+0x5fa/0xef0
+[    7.350162]  ? assign_work+0x122/0x3e0
+[    7.350163]  worker_thread+0x54b/0xf70
+[    7.350165]  ? __pfx_worker_thread+0x10/0x10
+[    7.350166]  kthread+0x346/0x470
+[    7.350170]  ? recalc_sigpending+0x19b/0x230
+[    7.350176]  ? __pfx_kthread+0x10/0x10
+[    7.350178]  ret_from_fork+0x4fb/0x6c0
+[    7.350183]  ? __pfx_ret_from_fork+0x10/0x10
+[    7.350185]  ? __switch_to+0x36c/0xbe0
+[    7.350188]  ? __pfx_kthread+0x10/0x10
+[    7.350190]  ret_from_fork_asm+0x1a/0x30
+[    7.350197]  </TASK>
+[    7.350197]
+[    7.355160] Allocated by task 123:
+[    7.355261]  kasan_save_stack+0x33/0x60
+[    7.355373]  kasan_save_track+0x14/0x30
+[    7.355484]  __kasan_kmalloc+0x8f/0xa0
+[    7.355593]  ksmbd_conn_alloc+0x44/0x6d0
+[    7.355711]  ksmbd_kthread_fn+0x243/0xd70
+[    7.355839]  kthread+0x346/0x470
+[    7.355942]  ret_from_fork+0x4fb/0x6c0
+[    7.356051]  ret_from_fork_asm+0x1a/0x30
+[    7.356164]
+[    7.356214] Freed by task 134:
+[    7.356305]  kasan_save_stack+0x33/0x60
+[    7.356416]  kasan_save_track+0x14/0x30
+[    7.356527]  kasan_save_free_info+0x3b/0x60
+[    7.356646]  __kasan_slab_free+0x43/0x70
+[    7.356761]  kfree+0x1ca/0x430
+[    7.356862]  ksmbd_tcp_disconnect+0x59/0xe0
+[    7.356993]  ksmbd_conn_handler_loop+0x77e/0xd40
+[    7.357138]  kthread+0x346/0x470
+[    7.357240]  ret_from_fork+0x4fb/0x6c0
+[    7.357350]  ret_from_fork_asm+0x1a/0x30
+[    7.357463]
+[    7.357513] The buggy address belongs to the object at ffff8881056ac000
+[    7.357513]  which belongs to the cache kmalloc-1k of size 1024
+[    7.357857] The buggy address is located 396 bytes inside of
+[    7.357857]  freed 1024-byte region [ffff8881056ac000, ffff8881056ac400)
+
+Fix by removing the unconditional fp->conn assignment and rejecting the
+replay when fp->conn is non-NULL. This is consistent with
+ksmbd_lookup_durable_fd(), which also rejects file handles with a
+non-NULL fp->conn. For disconnected file handles (fp->conn == NULL),
+ksmbd_reopen_durable_fd() handles setting fp->conn.
+
+Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/smb2pdu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index 80ca55e28a972..8d18a97eed275 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -2830,7 +2830,11 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
+                                               goto out;
+                                       }
+-                                      dh_info->fp->conn = conn;
++                                      if (dh_info->fp->conn) {
++                                              ksmbd_put_durable_fd(dh_info->fp);
++                                              err = -EBADF;
++                                              goto out;
++                                      }
+                                       dh_info->reconnected = true;
+                                       goto out;
+                               }
+-- 
+2.51.0
+
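Review bot: On the new rejection path in parse_durable_handle_context() the reference is dropped with `ksmbd_put_durable_fd(dh_info->fp)` but dh_info->fp keeps the pointer, so anything after the `out` label or in the caller that looks at dh_info->fp would be using a handle this function no longer holds. Adding `dh_info->fp = NULL;` right after the put makes the error path safe whatever the caller does; the `out` label and the caller are outside the hunk, so this is defensive rather than a confirmed bug. The `dh_info->fp->conn` test is also made with no lock visible in the hunk, so it is worth confirming that ksmbd_reopen_durable_fd() repeats the check before it sets fp->conn.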
diff --git a/queue-6.19/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch b/queue-6.19/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch
new file mode 100644 (file)
index 0000000..f355442
--- /dev/null
@@ -0,0 +1,135 @@
+From 9683fa581bcf82dd2666bf25e7e14dbc46deed06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 17:17:02 +0900
+Subject: ksmbd: fix use-after-free of share_conf in compound request
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit c33615f995aee80657b9fdfbc4ee7f49c2bd733d ]
+
+smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without
+validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state ==
+TREE_CONNECTED on the initial lookup path, but the compound reuse path
+bypasses this check entirely.
+
+If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state
+to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(),
+subsequent commands dereference the freed share_conf through
+work->tcon->share_conf.
+
+KASAN report:
+
+[    4.144653] ==================================================================
+[    4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70
+[    4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44
+[    4.145772]
+[    4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY
+[    4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[    4.145875] Workqueue: ksmbd-io handle_ksmbd_work
+[    4.145888] Call Trace:
+[    4.145892]  <TASK>
+[    4.145894]  dump_stack_lvl+0x64/0x80
+[    4.145910]  print_report+0xce/0x660
+[    4.145919]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[    4.145928]  ? smb2_write+0xc74/0xe70
+[    4.145931]  kasan_report+0xce/0x100
+[    4.145934]  ? smb2_write+0xc74/0xe70
+[    4.145937]  smb2_write+0xc74/0xe70
+[    4.145939]  ? __pfx_smb2_write+0x10/0x10
+[    4.145942]  ? _raw_spin_unlock+0xe/0x30
+[    4.145945]  ? ksmbd_smb2_check_message+0xeb2/0x24c0
+[    4.145948]  ? smb2_tree_disconnect+0x31c/0x480
+[    4.145951]  handle_ksmbd_work+0x40f/0x1080
+[    4.145953]  process_one_work+0x5fa/0xef0
+[    4.145962]  ? assign_work+0x122/0x3e0
+[    4.145964]  worker_thread+0x54b/0xf70
+[    4.145967]  ? __pfx_worker_thread+0x10/0x10
+[    4.145970]  kthread+0x346/0x470
+[    4.145976]  ? recalc_sigpending+0x19b/0x230
+[    4.145980]  ? __pfx_kthread+0x10/0x10
+[    4.145984]  ret_from_fork+0x4fb/0x6c0
+[    4.145992]  ? __pfx_ret_from_fork+0x10/0x10
+[    4.145995]  ? __switch_to+0x36c/0xbe0
+[    4.145999]  ? __pfx_kthread+0x10/0x10
+[    4.146003]  ret_from_fork_asm+0x1a/0x30
+[    4.146013]  </TASK>
+[    4.146014]
+[    4.149858] Allocated by task 44:
+[    4.149953]  kasan_save_stack+0x33/0x60
+[    4.150061]  kasan_save_track+0x14/0x30
+[    4.150169]  __kasan_kmalloc+0x8f/0xa0
+[    4.150274]  ksmbd_share_config_get+0x1dd/0xdd0
+[    4.150401]  ksmbd_tree_conn_connect+0x7e/0x600
+[    4.150529]  smb2_tree_connect+0x2e6/0x1000
+[    4.150645]  handle_ksmbd_work+0x40f/0x1080
+[    4.150761]  process_one_work+0x5fa/0xef0
+[    4.150873]  worker_thread+0x54b/0xf70
+[    4.150978]  kthread+0x346/0x470
+[    4.151071]  ret_from_fork+0x4fb/0x6c0
+[    4.151176]  ret_from_fork_asm+0x1a/0x30
+[    4.151286]
+[    4.151332] Freed by task 44:
+[    4.151418]  kasan_save_stack+0x33/0x60
+[    4.151526]  kasan_save_track+0x14/0x30
+[    4.151634]  kasan_save_free_info+0x3b/0x60
+[    4.151751]  __kasan_slab_free+0x43/0x70
+[    4.151861]  kfree+0x1ca/0x430
+[    4.151952]  __ksmbd_tree_conn_disconnect+0xc8/0x190
+[    4.152088]  smb2_tree_disconnect+0x1cd/0x480
+[    4.152211]  handle_ksmbd_work+0x40f/0x1080
+[    4.152326]  process_one_work+0x5fa/0xef0
+[    4.152438]  worker_thread+0x54b/0xf70
+[    4.152545]  kthread+0x346/0x470
+[    4.152638]  ret_from_fork+0x4fb/0x6c0
+[    4.152743]  ret_from_fork_asm+0x1a/0x30
+[    4.152853]
+[    4.152900] The buggy address belongs to the object at ffff88810430c180
+[    4.152900]  which belongs to the cache kmalloc-96 of size 96
+[    4.153226] The buggy address is located 20 bytes inside of
+[    4.153226]  freed 96-byte region [ffff88810430c180, ffff88810430c1e0)
+[    4.153549]
+[    4.153596] The buggy address belongs to the physical page:
+[    4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c
+[    4.154000] flags: 0x100000000000200(workingset|node=0|zone=2)
+[    4.154160] page_type: f5(slab)
+[    4.154251] raw: 0100000000000200 ffff888100041280 ffff888100040110 ffff888100040110
+[    4.154461] raw: ffff88810430ce80 0000000800200009 00000000f5000000 0000000000000000
+[    4.154668] page dumped because: kasan: bad access detected
+[    4.154820]
+[    4.154866] Memory state around the buggy address:
+[    4.155002]  ffff88810430c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155196]  ffff88810430c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155391] >ffff88810430c180: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+[    4.155587]                          ^
+[    4.155693]  ffff88810430c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155891]  ffff88810430c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.156087] ==================================================================
+
+Add the same t_state validation to the compound reuse path, consistent
+with ksmbd_tree_conn_lookup().
+
+Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/smb2pdu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index 1ec9060ffe912..80ca55e28a972 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -125,6 +125,8 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
+                       pr_err("The first operation in the compound does not have tcon\n");
+                       return -EINVAL;
+               }
++              if (work->tcon->t_state != TREE_CONNECTED)
++                      return -ENOENT;
+               if (tree_id != UINT_MAX && work->tcon->id != tree_id) {
+                       pr_err("tree id(%u) is different with id(%u) in first operation\n",
+                                       tree_id, work->tcon->id);
+-- 
+2.51.0
+
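Review bot: The added `work->tcon->t_state != TREE_CONNECTED` test in smb2_get_ksmbd_tcon() is a state check, not a lifetime guarantee: no lock or reference is taken in the hunk, so it covers the in-compound TREE_DISCONNECT sequence from the commit message but not a disconnect that lands after the check. Whether that window can be reached depends on how work->tcon is referenced elsewhere, which is outside the hunk, so it should be confirmed rather than assumed. Separately, this is the one rejection here that returns without a log line and with a different errno than the branch just above it (-ENOENT against -EINVAL); a comment such as `/* tcon was disconnected by an earlier command in this compound */` would explain both choices.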
diff --git a/queue-6.19/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch b/queue-6.19/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch
new file mode 100644 (file)
index 0000000..fa1f1e9
--- /dev/null
@@ -0,0 +1,49 @@
+From 97d0b91f0412645e31409254fd5f76a8f10c3571 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 08:43:05 +0900
+Subject: lib/bootconfig: check xbc_init_node() return in override path
+
+From: Josh Law <objecting@objecting.org>
+
+[ Upstream commit bb288d7d869e86d382f35a0e26242c5ccb05ca82 ]
+
+The ':=' override path in xbc_parse_kv() calls xbc_init_node() to
+re-initialize an existing value node but does not check the return
+value. If xbc_init_node() fails (data offset out of range), parsing
+silently continues with stale node data.
+
+Add the missing error check to match the xbc_add_node() call path
+which already checks for failure.
+
+In practice, a bootconfig using ':=' to override a value near the
+32KB data limit could silently retain the old value, meaning a
+security-relevant boot parameter override (e.g., a trace filter or
+debug setting) would not take effect as intended.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-2-objecting@objecting.org/
+
+Fixes: e5efaeb8a8f5 ("bootconfig: Support mixing a value and subkeys under a key")
+Signed-off-by: Josh Law <objecting@objecting.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/bootconfig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/bootconfig.c b/lib/bootconfig.c
+index 0728c4a95249b..5d3802eba52a3 100644
+--- a/lib/bootconfig.c
++++ b/lib/bootconfig.c
+@@ -712,7 +712,8 @@ static int __init xbc_parse_kv(char **k, char *v, int op)
+               if (op == ':') {
+                       unsigned short nidx = child->next;
+-                      xbc_init_node(child, v, XBC_VALUE);
++                      if (xbc_init_node(child, v, XBC_VALUE) < 0)
++                              return xbc_parse_error("Failed to override value", v);
+                       child->next = nidx;     /* keep subkeys */
+                       goto array;
+               }
+-- 
+2.51.0
+
diff --git a/queue-6.19/mshv-fix-use-after-free-in-mshv_map_user_memory-erro.patch b/queue-6.19/mshv-fix-use-after-free-in-mshv_map_user_memory-erro.patch
new file mode 100644 (file)
index 0000000..1854226
--- /dev/null
@@ -0,0 +1,41 @@
+From 0b2e7c2e72664e8c0623eb9bd483260483c414a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 16:02:53 +0000
+Subject: mshv: Fix use-after-free in mshv_map_user_memory error path
+
+From: Stanislav Kinsburskii <skinsburskii@linux.microsoft.com>
+
+[ Upstream commit 6922db250422a0dfee34de322f86b7a73d713d33 ]
+
+In the error path of mshv_map_user_memory(), calling vfree() directly on
+the region leaves the MMU notifier registered. When userspace later unmaps
+the memory, the notifier fires and accesses the freed region, causing a
+use-after-free and potential kernel panic.
+
+Replace vfree() with mshv_partition_put() to properly unregister
+the MMU notifier before freeing the region.
+
+Fixes: b9a66cd5ccbb9 ("mshv: Add support for movable memory regions")
+Signed-off-by: Stanislav Kinsburskii <skinsburskii@linux.microsoft.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hv/mshv_root_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hv/mshv_root_main.c b/drivers/hv/mshv_root_main.c
+index d3e8a66443ad6..45cf086ad430d 100644
+--- a/drivers/hv/mshv_root_main.c
++++ b/drivers/hv/mshv_root_main.c
+@@ -1334,7 +1334,7 @@ mshv_map_user_memory(struct mshv_partition *partition,
+       return 0;
+ errout:
+-      vfree(region);
++      mshv_region_put(region);
+       return ret;
+ }
+-- 
+2.51.0
+
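Review bot: The commit message says vfree() is replaced with mshv_partition_put(), but the hunk calls `mshv_region_put(region)`; the code matches the object being released, so the description should name mshv_region_put() to avoid misleading anyone auditing the backport. Because `errout` is a shared label in mshv_map_user_memory(), it is also worth confirming that every jump to it happens after the region's reference count is initialised, since a put on a partially set-up region would trade the use-after-free for a different fault. Those jumps are outside the hunk.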
diff --git a/queue-6.19/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch b/queue-6.19/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
new file mode 100644 (file)
index 0000000..509df1d
--- /dev/null
@@ -0,0 +1,49 @@
+From b6e9c7f58f55554607e871c48ac7b77fd7797e95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 15:21:57 -0500
+Subject: mtd: rawnand: brcmnand: skip DMA during panic write
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+[ Upstream commit da9ba4dcc01e7cf52b7676f0ee9607b8358c2171 ]
+
+When oops_panic_write is set, the driver disables interrupts and
+switches to PIO polling mode but still falls through into the DMA
+path. DMA cannot be used reliably in panic context, so make the
+DMA path an else branch to ensure only PIO is used during panic
+writes.
+
+Fixes: c1ac2dc34b51 ("mtd: rawnand: brcmnand: When oops in progress use pio and interrupt polling")
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: William Zhang <william.zhang@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/brcmnand/brcmnand.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+index 835653bdd5abc..8f4d001377a1c 100644
+--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+@@ -2350,14 +2350,12 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip,
+       for (i = 0; i < ctrl->max_oob; i += 4)
+               oob_reg_write(ctrl, i, 0xffffffff);
+-      if (mtd->oops_panic_write)
++      if (mtd->oops_panic_write) {
+               /* switch to interrupt polling and PIO mode */
+               disable_ctrl_irqs(ctrl);
+-
+-      if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
++      } else if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
+               if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize,
+                                   CMD_PROGRAM_PAGE))
+-
+                       ret = -EIO;
+               goto out;
+-- 
+2.51.0
+
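Review bot: The comment in the new `if (mtd->oops_panic_write)` branch of brcmnand_write() still reads as if the branch only switches modes, while the point of the change is that the DMA branch must not run at all in panic context. Something like `/* panic write: IRQs off, poll and use PIO; the DMA branch below must not be taken */` states the invariant the `else if` now enforces. The rest of brcmnand_write(), including the PIO path and the `out` label, is outside the hunk.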
diff --git a/queue-6.19/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch b/queue-6.19/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
new file mode 100644 (file)
index 0000000..1240f2a
--- /dev/null
@@ -0,0 +1,70 @@
+From e39c1dd107b67fcf2b22304d4e56ecade8f05f2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 14:49:06 -0500
+Subject: mtd: rawnand: serialize lock/unlock against other NAND operations
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+[ Upstream commit bab2bc6e850a697a23b9e5f0e21bb8c187615e95 ]
+
+nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area
+without holding the NAND device lock. On controllers that implement
+SET_FEATURES via multiple low-level PIO commands, these can race with
+concurrent UBI/UBIFS background erase/write operations that hold the
+device lock, resulting in cmd_pending conflicts on the NAND controller.
+
+Add nand_get_device()/nand_release_device() around the lock/unlock
+operations to serialize them against all other NAND controller access.
+
+Fixes: 92270086b7e5 ("mtd: rawnand: Add support for manufacturer specific lock/unlock operation")
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: William Zhang <william.zhang@broadcom.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/nand_base.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c
+index f2322de93ab41..19e3bbf42931d 100644
+--- a/drivers/mtd/nand/raw/nand_base.c
++++ b/drivers/mtd/nand/raw/nand_base.c
+@@ -4737,11 +4737,16 @@ static void nand_shutdown(struct mtd_info *mtd)
+ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ {
+       struct nand_chip *chip = mtd_to_nand(mtd);
++      int ret;
+       if (!chip->ops.lock_area)
+               return -ENOTSUPP;
+-      return chip->ops.lock_area(chip, ofs, len);
++      nand_get_device(chip);
++      ret = chip->ops.lock_area(chip, ofs, len);
++      nand_release_device(chip);
++
++      return ret;
+ }
+ /**
+@@ -4753,11 +4758,16 @@ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ static int nand_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ {
+       struct nand_chip *chip = mtd_to_nand(mtd);
++      int ret;
+       if (!chip->ops.unlock_area)
+               return -ENOTSUPP;
+-      return chip->ops.unlock_area(chip, ofs, len);
++      nand_get_device(chip);
++      ret = chip->ops.unlock_area(chip, ofs, len);
++      nand_release_device(chip);
++
++      return ret;
+ }
+ /* Set default functions */
+-- 
+2.51.0
+
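Review bot: nand_lock() and nand_unlock() now call the `lock_area`/`unlock_area` callbacks with the NAND device lock held, but nothing in the new code records that contract for whoever implements those callbacks. An implementation that took the device lock itself would now block on it; the implementations are outside this patch, so that is worth confirming per backported tree. I would add a comment above each call, for example `/* ->lock_area() runs with the NAND device lock held and must not take it again */`, and a matching sentence in the kernel-doc of both functions.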
index d29df7608c24d7bdf50dcfc6eeb7583f684f1fa7..5330771db98a39fd6a7d4f35966834e564b23f35 100644 (file)
@@ -194,3 +194,27 @@ tracing-fix-failure-to-read-user-space-from-system-call-trace-events.patch
 tracing-fix-trace_marker-copy-link-list-updates.patch
 x86-mce-amd-check-smca-feature-bit-before-accessing-smca-msrs.patch
 x86-platform-uv-handle-deconfigured-sockets.patch
+binfmt_elf_fdpic-fix-auxv-size-calculation-for-elf_h.patch
+mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
+mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
+x86-hyperv-use-__naked-attribute-to-fix-stackless-c-.patch
+arm_mpam-fix-null-pointer-dereference-when-restoring.patch
+mshv-fix-use-after-free-in-mshv_map_user_memory-erro.patch
+spi-amlogic-spifc-a4-remove-redundant-clock-cleanup.patch
+spi-amlogic-spisg-fix-memory-leak-in-aml_spisg_probe.patch
+drm-vmwgfx-don-t-overwrite-kms-surface-dirty-tracker.patch
+iommu-fix-mapping-check-for-0x0-to-avoid-re-mapping-.patch
+iommu-sva-fix-crash-in-iommu_sva_unbind_device.patch
+iommu-amd-block-identity-domain-when-snp-enabled.patch
+drm-amd-display-fix-displayid-not-found-handling-in-.patch
+drm-amd-fix-dcn-2.01-check.patch
+drm-bridge-dw-hdmi-qp-fix-multi-channel-audio-output.patch
+ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch
+ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch
+drm-i915-gt-check-set_default_submission-before-defe.patch
+fs-tests-exec-remove-bad-test-vector.patch
+lib-bootconfig-check-xbc_init_node-return-in-overrid.patch
+tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch
+arm64-realm-fix-pte_ns_shared-for-52bit-pa-support.patch
+drm-xe-guc-fail-immediately-on-guc-load-error.patch
+hwmon-max6639-fix-pulses-per-revolution-implementati.patch
diff --git a/queue-6.19/spi-amlogic-spifc-a4-remove-redundant-clock-cleanup.patch b/queue-6.19/spi-amlogic-spifc-a4-remove-redundant-clock-cleanup.patch
new file mode 100644 (file)
index 0000000..4eec33a
--- /dev/null
@@ -0,0 +1,115 @@
+From 4d4af37097631fd3c22de7505bf20a064c48f588 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Mar 2026 21:34:55 +0800
+Subject: spi: amlogic: spifc-a4: Remove redundant clock cleanup
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit a00da54d06f435dbbeacb84f9121dbbe6d6eda74 ]
+
+The driver uses devm_clk_get_enabled() which enables the clock and
+registers a callback to automatically disable it when the device
+is unbound.
+
+Remove the redundant aml_sfc_disable_clk() call in the error paths
+and remove callback.
+
+Fixes: 4670db6f32e9 ("spi: amlogic: add driver for Amlogic SPI Flash Controller")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Link: https://patch.msgid.link/20260308-spifc-a4-1-v1-1-77e286c26832@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-amlogic-spifc-a4.c | 46 +++++-------------------------
+ 1 file changed, 7 insertions(+), 39 deletions(-)
+
+diff --git a/drivers/spi/spi-amlogic-spifc-a4.c b/drivers/spi/spi-amlogic-spifc-a4.c
+index f324aa39a8976..b2589fe2425cc 100644
+--- a/drivers/spi/spi-amlogic-spifc-a4.c
++++ b/drivers/spi/spi-amlogic-spifc-a4.c
+@@ -1083,14 +1083,6 @@ static int aml_sfc_clk_init(struct aml_sfc *sfc)
+       return clk_set_rate(sfc->core_clk, SFC_BUS_DEFAULT_CLK);
+ }
+-static int aml_sfc_disable_clk(struct aml_sfc *sfc)
+-{
+-      clk_disable_unprepare(sfc->core_clk);
+-      clk_disable_unprepare(sfc->gate_clk);
+-
+-      return 0;
+-}
+-
+ static int aml_sfc_probe(struct platform_device *pdev)
+ {
+       struct device_node *np = pdev->dev.of_node;
+@@ -1141,16 +1133,12 @@ static int aml_sfc_probe(struct platform_device *pdev)
+       /* Enable Amlogic flash controller spi mode */
+       ret = regmap_write(sfc->regmap_base, SFC_SPI_CFG, SPI_MODE_EN);
+-      if (ret) {
+-              dev_err(dev, "failed to enable SPI mode\n");
+-              goto err_out;
+-      }
++      if (ret)
++              return dev_err_probe(dev, ret, "failed to enable SPI mode\n");
+       ret = dma_set_mask(sfc->dev, DMA_BIT_MASK(32));
+-      if (ret) {
+-              dev_err(sfc->dev, "failed to set dma mask\n");
+-              goto err_out;
+-      }
++      if (ret)
++              return dev_err_probe(sfc->dev, ret, "failed to set dma mask\n");
+       sfc->ecc_eng.dev = &pdev->dev;
+       sfc->ecc_eng.integration = NAND_ECC_ENGINE_INTEGRATION_PIPELINED;
+@@ -1158,10 +1146,8 @@ static int aml_sfc_probe(struct platform_device *pdev)
+       sfc->ecc_eng.priv = sfc;
+       ret = nand_ecc_register_on_host_hw_engine(&sfc->ecc_eng);
+-      if (ret) {
+-              dev_err(&pdev->dev, "failed to register Aml host ecc engine.\n");
+-              goto err_out;
+-      }
++      if (ret)
++              return dev_err_probe(&pdev->dev, ret, "failed to register Aml host ecc engine.\n");
+       ret = of_property_read_u32(np, "amlogic,rx-adj", &val);
+       if (!ret)
+@@ -1177,24 +1163,7 @@ static int aml_sfc_probe(struct platform_device *pdev)
+       ctrl->min_speed_hz = SFC_MIN_FREQUENCY;
+       ctrl->num_chipselect = SFC_MAX_CS_NUM;
+-      ret = devm_spi_register_controller(dev, ctrl);
+-      if (ret)
+-              goto err_out;
+-
+-      return 0;
+-
+-err_out:
+-      aml_sfc_disable_clk(sfc);
+-
+-      return ret;
+-}
+-
+-static void aml_sfc_remove(struct platform_device *pdev)
+-{
+-      struct spi_controller *ctlr = platform_get_drvdata(pdev);
+-      struct aml_sfc *sfc = spi_controller_get_devdata(ctlr);
+-
+-      aml_sfc_disable_clk(sfc);
++      return devm_spi_register_controller(dev, ctrl);
+ }
+ static const struct of_device_id aml_sfc_of_match[] = {
+@@ -1212,7 +1181,6 @@ static struct platform_driver aml_sfc_driver = {
+               .of_match_table = aml_sfc_of_match,
+       },
+       .probe = aml_sfc_probe,
+-      .remove = aml_sfc_remove,
+ };
+ module_platform_driver(aml_sfc_driver);
+-- 
+2.51.0
+
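Review bot: With the `err_out` label and `aml_sfc_remove()` gone, nothing in the visible probe path unregisters the ECC engine registered by `nand_ecc_register_on_host_hw_engine(&sfc->ecc_eng)`. That applies when `devm_spi_register_controller()` fails and when the device is unbound. The engine's `priv` points at `sfc`, so if `sfc` is device-managed (its allocation is outside the hunks) the on-host engine list would keep a pointer to freed memory. The old code did not unregister it either, so this predates the patch, but the conversion to devm-only cleanup is the natural place to close it with a `devm_add_action_or_reset()` callback that calls `nand_ecc_unregister_on_host_hw_engine()`. aml_sfc_probe() starts and continues outside the hunks shown.

```c
static void aml_sfc_unregister_ecc_engine(void *data)
{
	struct aml_sfc *sfc = data;

	nand_ecc_unregister_on_host_hw_engine(&sfc->ecc_eng);
}

/* … unchanged: aml_sfc_probe() up to the ECC engine registration … */
	ret = nand_ecc_register_on_host_hw_engine(&sfc->ecc_eng);
	if (ret)
		return dev_err_probe(&pdev->dev, ret, "failed to register Aml host ecc engine.\n");

	/* Drop the engine from the on-host list on probe failure and on unbind. */
	ret = devm_add_action_or_reset(dev, aml_sfc_unregister_ecc_engine, sfc);
	if (ret)
		return ret;
/* … unchanged: rx-adj parsing and controller setup … */
```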
diff --git a/queue-6.19/spi-amlogic-spisg-fix-memory-leak-in-aml_spisg_probe.patch b/queue-6.19/spi-amlogic-spisg-fix-memory-leak-in-aml_spisg_probe.patch
new file mode 100644 (file)
index 0000000..4cad5a9
--- /dev/null
@@ -0,0 +1,68 @@
+From 481c88ef698a3bd724f6f72b1e85d46ee75b578d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Mar 2026 14:49:21 +0800
+Subject: spi: amlogic-spisg: Fix memory leak in aml_spisg_probe()
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit b8db9552997924b750e727a625a30eaa4603bbb9 ]
+
+In aml_spisg_probe(), ctlr is allocated by
+spi_alloc_target()/spi_alloc_host(), but fails to call
+spi_controller_put() in several error paths. This leads
+to a memory leak whenever the driver fails to probe after
+the initial allocation.
+
+Convert to use devm_spi_alloc_host()/devm_spi_alloc_target()
+to fix the memory leak.
+
+Fixes: cef9991e04ae ("spi: Add Amlogic SPISG driver")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Link: https://patch.msgid.link/20260308-spisg-v1-1-2cace5cafc24@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-amlogic-spisg.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/spi/spi-amlogic-spisg.c b/drivers/spi/spi-amlogic-spisg.c
+index bcd7ec291ad07..6045c89c37c83 100644
+--- a/drivers/spi/spi-amlogic-spisg.c
++++ b/drivers/spi/spi-amlogic-spisg.c
+@@ -729,9 +729,9 @@ static int aml_spisg_probe(struct platform_device *pdev)
+       };
+       if (of_property_read_bool(dev->of_node, "spi-slave"))
+-              ctlr = spi_alloc_target(dev, sizeof(*spisg));
++              ctlr = devm_spi_alloc_target(dev, sizeof(*spisg));
+       else
+-              ctlr = spi_alloc_host(dev, sizeof(*spisg));
++              ctlr = devm_spi_alloc_host(dev, sizeof(*spisg));
+       if (!ctlr)
+               return -ENOMEM;
+@@ -750,10 +750,8 @@ static int aml_spisg_probe(struct platform_device *pdev)
+               return dev_err_probe(dev, PTR_ERR(spisg->map), "regmap init failed\n");
+       irq = platform_get_irq(pdev, 0);
+-      if (irq < 0) {
+-              ret = irq;
+-              goto out_controller;
+-      }
++      if (irq < 0)
++              return irq;
+       ret = device_reset_optional(dev);
+       if (ret)
+@@ -818,8 +816,6 @@ static int aml_spisg_probe(struct platform_device *pdev)
+       if (spisg->core)
+               clk_disable_unprepare(spisg->core);
+       clk_disable_unprepare(spisg->pclk);
+-out_controller:
+-      spi_controller_put(ctlr);
+       return ret;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.19/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch b/queue-6.19/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch
new file mode 100644 (file)
index 0000000..d861ef1
--- /dev/null
@@ -0,0 +1,44 @@
+From 5b83f955ede737447d552aa9afa1e9b1cd433cae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 08:43:06 +0900
+Subject: tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
+
+From: Josh Law <objecting@objecting.org>
+
+[ Upstream commit 3b2c2ab4ceb82af484310c3087541eab00ea288b ]
+
+If fstat() fails after open() succeeds, the function returns without
+closing the file descriptor. Also preserve errno across close(), since
+close() may overwrite it before the error is returned.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-3-objecting@objecting.org/
+
+Fixes: 950313ebf79c ("tools: bootconfig: Add bootconfig command")
+Signed-off-by: Josh Law <objecting@objecting.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bootconfig/main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c
+index 55d59ed507d54..643f707b8f1da 100644
+--- a/tools/bootconfig/main.c
++++ b/tools/bootconfig/main.c
+@@ -162,8 +162,11 @@ static int load_xbc_file(const char *path, char **buf)
+       if (fd < 0)
+               return -errno;
+       ret = fstat(fd, &stat);
+-      if (ret < 0)
+-              return -errno;
++      if (ret < 0) {
++              ret = -errno;
++              close(fd);
++              return ret;
++      }
+       ret = load_xbc_fd(fd, buf, stat.st_size);
+-- 
+2.51.0
+
diff --git a/queue-6.19/x86-hyperv-use-__naked-attribute-to-fix-stackless-c-.patch b/queue-6.19/x86-hyperv-use-__naked-attribute-to-fix-stackless-c-.patch
new file mode 100644 (file)
index 0000000..02f48c6
--- /dev/null
@@ -0,0 +1,159 @@
+From b85df51191992e1116c46a50ca12dd35d3c57738 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Mar 2026 17:45:31 +0100
+Subject: x86/hyperv: Use __naked attribute to fix stackless C function
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit 3fde5281b805370a6c3bd2ef462ebff70a0ea2c6 ]
+
+hv_crash_c_entry() is a C function that is entered without a stack,
+and this is only allowed for functions that have the __naked attribute,
+which informs the compiler that it must not emit the usual prologue and
+epilogue or emit any other kind of instrumentation that relies on a
+stack frame.
+
+So split up the function, and set the __naked attribute on the initial
+part that sets up the stack, GDT, IDT and other pieces that are needed
+for ordinary C execution. Given that function calls are not permitted
+either, use the existing long return coded in an asm() block to call the
+second part of the function, which is an ordinary function that is
+permitted to call other functions as usual.
+
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> # asm parts, not hv parts
+Reviewed-by: Mukesh Rathor <mrathor@linux.microsoft.com>
+Acked-by: Uros Bizjak <ubizjak@gmail.com>
+Cc: Wei Liu <wei.liu@kernel.org>
+Cc: linux-hyperv@vger.kernel.org
+Fixes: 94212d34618c ("x86/hyperv: Implement hypervisor RAM collection into vmcore")
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/hyperv/hv_crash.c | 82 ++++++++++++++++++++------------------
+ 1 file changed, 43 insertions(+), 39 deletions(-)
+
+diff --git a/arch/x86/hyperv/hv_crash.c b/arch/x86/hyperv/hv_crash.c
+index a78e4fed57203..1d91051daa3de 100644
+--- a/arch/x86/hyperv/hv_crash.c
++++ b/arch/x86/hyperv/hv_crash.c
+@@ -107,14 +107,12 @@ static void __noreturn hv_panic_timeout_reboot(void)
+               cpu_relax();
+ }
+-/* This cannot be inlined as it needs stack */
+-static noinline __noclone void hv_crash_restore_tss(void)
++static void hv_crash_restore_tss(void)
+ {
+       load_TR_desc();
+ }
+-/* This cannot be inlined as it needs stack */
+-static noinline void hv_crash_clear_kernpt(void)
++static void hv_crash_clear_kernpt(void)
+ {
+       pgd_t *pgd;
+       p4d_t *p4d;
+@@ -125,6 +123,25 @@ static noinline void hv_crash_clear_kernpt(void)
+       native_p4d_clear(p4d);
+ }
++
++static void __noreturn hv_crash_handle(void)
++{
++      hv_crash_restore_tss();
++      hv_crash_clear_kernpt();
++
++      /* we are now fully in devirtualized normal kernel mode */
++      __crash_kexec(NULL);
++
++      hv_panic_timeout_reboot();
++}
++
++/*
++ * __naked functions do not permit function calls, not even to __always_inline
++ * functions that only contain asm() blocks themselves. So use a macro instead.
++ */
++#define hv_wrmsr(msr, val) \
++      asm volatile("wrmsr" :: "c"(msr), "a"((u32)val), "d"((u32)(val >> 32)) : "memory")
++
+ /*
+  * This is the C entry point from the asm glue code after the disable hypercall.
+  * We enter here in IA32-e long mode, ie, full 64bit mode running on kernel
+@@ -133,51 +150,38 @@ static noinline void hv_crash_clear_kernpt(void)
+  * available. We restore kernel GDT, and rest of the context, and continue
+  * to kexec.
+  */
+-static asmlinkage void __noreturn hv_crash_c_entry(void)
++static void __naked hv_crash_c_entry(void)
+ {
+-      struct hv_crash_ctxt *ctxt = &hv_crash_ctxt;
+-
+       /* first thing, restore kernel gdt */
+-      native_load_gdt(&ctxt->gdtr);
++      asm volatile("lgdt %0" : : "m" (hv_crash_ctxt.gdtr));
+-      asm volatile("movw %%ax, %%ss" : : "a"(ctxt->ss));
+-      asm volatile("movq %0, %%rsp" : : "m"(ctxt->rsp));
++      asm volatile("movw %0, %%ss\n\t"
++                   "movq %1, %%rsp"
++                   :: "m"(hv_crash_ctxt.ss), "m"(hv_crash_ctxt.rsp));
+-      asm volatile("movw %%ax, %%ds" : : "a"(ctxt->ds));
+-      asm volatile("movw %%ax, %%es" : : "a"(ctxt->es));
+-      asm volatile("movw %%ax, %%fs" : : "a"(ctxt->fs));
+-      asm volatile("movw %%ax, %%gs" : : "a"(ctxt->gs));
++      asm volatile("movw %0, %%ds" : : "m"(hv_crash_ctxt.ds));
++      asm volatile("movw %0, %%es" : : "m"(hv_crash_ctxt.es));
++      asm volatile("movw %0, %%fs" : : "m"(hv_crash_ctxt.fs));
++      asm volatile("movw %0, %%gs" : : "m"(hv_crash_ctxt.gs));
+-      native_wrmsrq(MSR_IA32_CR_PAT, ctxt->pat);
+-      asm volatile("movq %0, %%cr0" : : "r"(ctxt->cr0));
++      hv_wrmsr(MSR_IA32_CR_PAT, hv_crash_ctxt.pat);
++      asm volatile("movq %0, %%cr0" : : "r"(hv_crash_ctxt.cr0));
+-      asm volatile("movq %0, %%cr8" : : "r"(ctxt->cr8));
+-      asm volatile("movq %0, %%cr4" : : "r"(ctxt->cr4));
+-      asm volatile("movq %0, %%cr2" : : "r"(ctxt->cr4));
++      asm volatile("movq %0, %%cr8" : : "r"(hv_crash_ctxt.cr8));
++      asm volatile("movq %0, %%cr4" : : "r"(hv_crash_ctxt.cr4));
++      asm volatile("movq %0, %%cr2" : : "r"(hv_crash_ctxt.cr2));
+-      native_load_idt(&ctxt->idtr);
+-      native_wrmsrq(MSR_GS_BASE, ctxt->gsbase);
+-      native_wrmsrq(MSR_EFER, ctxt->efer);
++      asm volatile("lidt %0" : : "m" (hv_crash_ctxt.idtr));
++      hv_wrmsr(MSR_GS_BASE, hv_crash_ctxt.gsbase);
++      hv_wrmsr(MSR_EFER, hv_crash_ctxt.efer);
+       /* restore the original kernel CS now via far return */
+-      asm volatile("movzwq %0, %%rax\n\t"
+-                   "pushq %%rax\n\t"
+-                   "pushq $1f\n\t"
+-                   "lretq\n\t"
+-                   "1:nop\n\t" : : "m"(ctxt->cs) : "rax");
+-
+-      /* We are in asmlinkage without stack frame, hence make C function
+-       * calls which will buy stack frames.
+-       */
+-      hv_crash_restore_tss();
+-      hv_crash_clear_kernpt();
+-
+-      /* we are now fully in devirtualized normal kernel mode */
+-      __crash_kexec(NULL);
+-
+-      hv_panic_timeout_reboot();
++      asm volatile("pushq %q0\n\t"
++                   "pushq %q1\n\t"
++                   "lretq"
++                   :: "r"(hv_crash_ctxt.cs), "r"(hv_crash_handle));
+ }
+-/* Tell gcc we are using lretq long jump in the above function intentionally */
++/* Tell objtool we are using lretq long jump in the above function intentionally */
+ STACK_FRAME_NON_STANDARD(hv_crash_c_entry);
+ static void hv_mark_tss_not_busy(void)
+-- 
+2.51.0
+
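Review bot: The new `hv_wrmsr()` macro uses its `val` argument unparenthesised in `(u32)val` and `(u32)(val >> 32)`, so it is only correct for simple arguments. It works for the three member-access arguments in hv_crash_c_entry(), but an argument such as `a | b` would have the cast bind to `a` alone. I would write it as `asm volatile("wrmsr" :: "c"(msr), "a"((u32)(val)), "d"((u32)((u64)(val) >> 32)) : "memory")`, where the `(u64)` cast also keeps the shift defined if a 32-bit value is ever passed. The comment above the macro could state that `val` is evaluated twice.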
diff --git a/queue-6.6/drm-amd-display-fix-displayid-not-found-handling-in-.patch b/queue-6.6/drm-amd-display-fix-displayid-not-found-handling-in-.patch
new file mode 100644 (file)
index 0000000..23f9bd0
--- /dev/null
@@ -0,0 +1,72 @@
+From a05fcfa5110f0d50d1bbbe41f6b1f82612ac4afd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 18:30:26 +0530
+Subject: drm/amd/display: Fix DisplayID not-found handling in
+ parse_edid_displayid_vrr()
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+[ Upstream commit 2323b019651ad81c20a0f7f817c63392b3110652 ]
+
+parse_edid_displayid_vrr() searches the EDID extension blocks for a
+DisplayID extension before parsing the dynamic video timing range.
+
+The code previously checked whether edid_ext was NULL after the search
+loop. However, edid_ext is assigned during each iteration of the loop,
+so it will never be NULL once the loop has executed. If no DisplayID
+extension is found, edid_ext ends up pointing to the last extension
+block, and the NULL check does not correctly detect the failure case.
+
+Instead, check whether the loop completed without finding a matching
+DisplayID block by testing "i == edid->extensions". This ensures the
+function exits early when no DisplayID extension is present and avoids
+parsing an unrelated EDID extension block.
+
+Also simplify the EDID validation check using "!edid ||
+!edid->extensions".
+
+Fixes the below:
+drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:13079 parse_edid_displayid_vrr() warn: variable dereferenced before check 'edid_ext' (see line 13075)
+
+Fixes: a638b837d0e6 ("drm/amd/display: Fix refresh rate range for some panel")
+Cc: Roman Li <roman.li@amd.com>
+Cc: Alex Hung <alex.hung@amd.com>
+Cc: Jerry Zuo <jerry.zuo@amd.com>
+Cc: Sun peng Li <sunpeng.li@amd.com>
+Cc: Tom Chung <chiahsuan.chung@amd.com>
+Cc: Dan Carpenter <dan.carpenter@linaro.org>
+Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 91c7e6342e98c846b259c57273436fdea4c043f2)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 26047109726eb..f51c3921cbc26 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -10695,7 +10695,7 @@ static void parse_edid_displayid_vrr(struct drm_connector *connector,
+       u16 min_vfreq;
+       u16 max_vfreq;
+-      if (edid == NULL || edid->extensions == 0)
++      if (!edid || !edid->extensions)
+               return;
+       /* Find DisplayID extension */
+@@ -10705,7 +10705,7 @@ static void parse_edid_displayid_vrr(struct drm_connector *connector,
+                       break;
+       }
+-      if (edid_ext == NULL)
++      if (i == edid->extensions)
+               return;
+       while (j < EDID_LENGTH) {
+-- 
+2.51.0
+
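Review bot: The replacement test `if (i == edid->extensions)` is correct only because `i` is the counter of the search loop just above, and the reason `edid_ext` cannot be tested instead is not evident at the call site. A short comment would keep a later cleanup from reverting to the pointer check, for example `/* edid_ext is assigned on every iteration and is never NULL here; a full loop run means no DisplayID block was found */`. The search loop and the `while (j < EDID_LENGTH)` parser are only partly inside the hunks, so whether `edid->extensions` is bounded against the size of the EDID buffer cannot be judged from here and is worth confirming in the caller.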
diff --git a/queue-6.6/drm-i915-gt-check-set_default_submission-before-defe.patch b/queue-6.6/drm-i915-gt-check-set_default_submission-before-defe.patch
new file mode 100644 (file)
index 0000000..5d5b2a5
--- /dev/null
@@ -0,0 +1,105 @@
+From 8c5ff58ff19e3aa43a17d201ea3b56301db77ffe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Feb 2026 10:18:39 +0530
+Subject: drm/i915/gt: Check set_default_submission() before deferencing
+
+From: Rahul Bukte <rahul.bukte@sony.com>
+
+[ Upstream commit 0162ab3220bac870e43e229e6e3024d1a21c3f26 ]
+
+When the i915 driver firmware binaries are not present, the
+set_default_submission pointer is not set. This pointer is
+dereferenced during suspend anyways.
+
+Add a check to make sure it is set before dereferencing.
+
+[   23.289926] PM: suspend entry (deep)
+[   23.293558] Filesystems sync: 0.000 seconds
+[   23.298010] Freezing user space processes
+[   23.302771] Freezing user space processes completed (elapsed 0.000 seconds)
+[   23.309766] OOM killer disabled.
+[   23.313027] Freezing remaining freezable tasks
+[   23.318540] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)
+[   23.342038] serial 00:05: disabled
+[   23.345719] serial 00:02: disabled
+[   23.349342] serial 00:01: disabled
+[   23.353782] sd 0:0:0:0: [sda] Synchronizing SCSI cache
+[   23.358993] sd 1:0:0:0: [sdb] Synchronizing SCSI cache
+[   23.361635] ata1.00: Entering standby power mode
+[   23.368863] ata2.00: Entering standby power mode
+[   23.445187] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[   23.452194] #PF: supervisor instruction fetch in kernel mode
+[   23.457896] #PF: error_code(0x0010) - not-present page
+[   23.463065] PGD 0 P4D 0
+[   23.465640] Oops: Oops: 0010 [#1] SMP NOPTI
+[   23.469869] CPU: 8 UID: 0 PID: 211 Comm: kworker/u48:18 Tainted: G S      W           6.19.0-rc4-00020-gf0b9d8eb98df #10 PREEMPT(voluntary)
+[   23.482512] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN
+[   23.496511] Workqueue: async async_run_entry_fn
+[   23.501087] RIP: 0010:0x0
+[   23.503755] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
+[   23.510324] RSP: 0018:ffffb4a60065fca8 EFLAGS: 00010246
+[   23.515592] RAX: 0000000000000000 RBX: ffff9f428290e000 RCX: 000000000000000f
+[   23.522765] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff9f428290e000
+[   23.529937] RBP: ffff9f4282907070 R08: ffff9f4281130428 R09: 00000000ffffffff
+[   23.537111] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f42829070f8
+[   23.544284] R13: ffff9f4282906028 R14: ffff9f4282900000 R15: ffff9f4282906b68
+[   23.551457] FS:  0000000000000000(0000) GS:ffff9f466b2cf000(0000) knlGS:0000000000000000
+[   23.559588] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   23.565365] CR2: ffffffffffffffd6 CR3: 000000031c230001 CR4: 0000000000f70ef0
+[   23.572539] PKRU: 55555554
+[   23.575281] Call Trace:
+[   23.577770]  <TASK>
+[   23.579905]  intel_engines_reset_default_submission+0x42/0x60
+[   23.585695]  __intel_gt_unset_wedged+0x191/0x200
+[   23.590360]  intel_gt_unset_wedged+0x20/0x40
+[   23.594675]  gt_sanitize+0x15e/0x170
+[   23.598290]  i915_gem_suspend_late+0x6b/0x180
+[   23.602692]  i915_drm_suspend_late+0x35/0xf0
+[   23.607008]  ? __pfx_pci_pm_suspend_late+0x10/0x10
+[   23.611843]  dpm_run_callback+0x78/0x1c0
+[   23.615817]  device_suspend_late+0xde/0x2e0
+[   23.620037]  async_suspend_late+0x18/0x30
+[   23.624082]  async_run_entry_fn+0x25/0xa0
+[   23.628129]  process_one_work+0x15b/0x380
+[   23.632182]  worker_thread+0x2a5/0x3c0
+[   23.635973]  ? __pfx_worker_thread+0x10/0x10
+[   23.640279]  kthread+0xf6/0x1f0
+[   23.643464]  ? __pfx_kthread+0x10/0x10
+[   23.647263]  ? __pfx_kthread+0x10/0x10
+[   23.651045]  ret_from_fork+0x131/0x190
+[   23.654837]  ? __pfx_kthread+0x10/0x10
+[   23.658634]  ret_from_fork_asm+0x1a/0x30
+[   23.662597]  </TASK>
+[   23.664826] Modules linked in:
+[   23.667914] CR2: 0000000000000000
+[   23.671271] ------------[ cut here ]------------
+
+Signed-off-by: Rahul Bukte <rahul.bukte@sony.com>
+Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Link: https://patch.msgid.link/20260203044839.1555147-1-suraj.kandpal@intel.com
+(cherry picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad)
+Fixes: ff44ad51ebf8 ("drm/i915: Move engine->submit_request selection to a vfunc")
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_engine_cs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+index 0729ab5955171..6ea2c14f78160 100644
+--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c
++++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+@@ -1973,7 +1973,8 @@ void intel_engines_reset_default_submission(struct intel_gt *gt)
+               if (engine->sanitize)
+                       engine->sanitize(engine);
+-              engine->set_default_submission(engine);
++              if (engine->set_default_submission)
++                      engine->set_default_submission(engine);
+       }
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.6/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch b/queue-6.6/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch
new file mode 100644 (file)
index 0000000..6cf10ac
--- /dev/null
@@ -0,0 +1,128 @@
+From 5b0173d6e769ac4fd0bd53621683e3ac707d828f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 17:15:51 +0900
+Subject: ksmbd: fix use-after-free in durable v2 replay of active file handles
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit b425e4d0eb321a1116ddbf39636333181675d8f4 ]
+
+parse_durable_handle_context() unconditionally assigns dh_info->fp->conn
+to the current connection when handling a DURABLE_REQ_V2 context with
+SMB2_FLAGS_REPLAY_OPERATION. ksmbd_lookup_fd_cguid() does not filter by
+fp->conn, so it returns file handles that are already actively connected.
+The unconditional overwrite replaces fp->conn, and when the overwriting
+connection is subsequently freed, __ksmbd_close_fd() dereferences the
+stale fp->conn via spin_lock(&fp->conn->llist_lock), causing a
+use-after-free.
+
+KASAN report:
+
+[    7.349357] ==================================================================
+[    7.349607] BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x75/0xe0
+[    7.349811] Write of size 4 at addr ffff8881056ac18c by task kworker/1:2/108
+[    7.350010]
+[    7.350064] CPU: 1 UID: 0 PID: 108 Comm: kworker/1:2 Not tainted 7.0.0-rc3+ #58 PREEMPTLAZY
+[    7.350068] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[    7.350070] Workqueue: ksmbd-io handle_ksmbd_work
+[    7.350083] Call Trace:
+[    7.350087]  <TASK>
+[    7.350087]  dump_stack_lvl+0x64/0x80
+[    7.350094]  print_report+0xce/0x660
+[    7.350100]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[    7.350101]  ? __pfx___mod_timer+0x10/0x10
+[    7.350106]  ? _raw_spin_lock+0x75/0xe0
+[    7.350108]  kasan_report+0xce/0x100
+[    7.350109]  ? _raw_spin_lock+0x75/0xe0
+[    7.350114]  kasan_check_range+0x105/0x1b0
+[    7.350116]  _raw_spin_lock+0x75/0xe0
+[    7.350118]  ? __pfx__raw_spin_lock+0x10/0x10
+[    7.350119]  ? __call_rcu_common.constprop.0+0x25e/0x780
+[    7.350125]  ? close_id_del_oplock+0x2cc/0x4e0
+[    7.350128]  __ksmbd_close_fd+0x27f/0xaf0
+[    7.350131]  ksmbd_close_fd+0x135/0x1b0
+[    7.350133]  smb2_close+0xb19/0x15b0
+[    7.350142]  ? __pfx_smb2_close+0x10/0x10
+[    7.350143]  ? xas_load+0x18/0x270
+[    7.350146]  ? _raw_spin_lock+0x84/0xe0
+[    7.350148]  ? __pfx__raw_spin_lock+0x10/0x10
+[    7.350150]  ? _raw_spin_unlock+0xe/0x30
+[    7.350151]  ? ksmbd_smb2_check_message+0xeb2/0x24c0
+[    7.350153]  ? ksmbd_tree_conn_lookup+0xcd/0xf0
+[    7.350154]  handle_ksmbd_work+0x40f/0x1080
+[    7.350156]  process_one_work+0x5fa/0xef0
+[    7.350162]  ? assign_work+0x122/0x3e0
+[    7.350163]  worker_thread+0x54b/0xf70
+[    7.350165]  ? __pfx_worker_thread+0x10/0x10
+[    7.350166]  kthread+0x346/0x470
+[    7.350170]  ? recalc_sigpending+0x19b/0x230
+[    7.350176]  ? __pfx_kthread+0x10/0x10
+[    7.350178]  ret_from_fork+0x4fb/0x6c0
+[    7.350183]  ? __pfx_ret_from_fork+0x10/0x10
+[    7.350185]  ? __switch_to+0x36c/0xbe0
+[    7.350188]  ? __pfx_kthread+0x10/0x10
+[    7.350190]  ret_from_fork_asm+0x1a/0x30
+[    7.350197]  </TASK>
+[    7.350197]
+[    7.355160] Allocated by task 123:
+[    7.355261]  kasan_save_stack+0x33/0x60
+[    7.355373]  kasan_save_track+0x14/0x30
+[    7.355484]  __kasan_kmalloc+0x8f/0xa0
+[    7.355593]  ksmbd_conn_alloc+0x44/0x6d0
+[    7.355711]  ksmbd_kthread_fn+0x243/0xd70
+[    7.355839]  kthread+0x346/0x470
+[    7.355942]  ret_from_fork+0x4fb/0x6c0
+[    7.356051]  ret_from_fork_asm+0x1a/0x30
+[    7.356164]
+[    7.356214] Freed by task 134:
+[    7.356305]  kasan_save_stack+0x33/0x60
+[    7.356416]  kasan_save_track+0x14/0x30
+[    7.356527]  kasan_save_free_info+0x3b/0x60
+[    7.356646]  __kasan_slab_free+0x43/0x70
+[    7.356761]  kfree+0x1ca/0x430
+[    7.356862]  ksmbd_tcp_disconnect+0x59/0xe0
+[    7.356993]  ksmbd_conn_handler_loop+0x77e/0xd40
+[    7.357138]  kthread+0x346/0x470
+[    7.357240]  ret_from_fork+0x4fb/0x6c0
+[    7.357350]  ret_from_fork_asm+0x1a/0x30
+[    7.357463]
+[    7.357513] The buggy address belongs to the object at ffff8881056ac000
+[    7.357513]  which belongs to the cache kmalloc-1k of size 1024
+[    7.357857] The buggy address is located 396 bytes inside of
+[    7.357857]  freed 1024-byte region [ffff8881056ac000, ffff8881056ac400)
+
+Fix by removing the unconditional fp->conn assignment and rejecting the
+replay when fp->conn is non-NULL. This is consistent with
+ksmbd_lookup_durable_fd(), which also rejects file handles with a
+non-NULL fp->conn. For disconnected file handles (fp->conn == NULL),
+ksmbd_reopen_durable_fd() handles setting fp->conn.
+
+Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/smb2pdu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index a647662ca7681..bdd2214c79f98 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -2813,7 +2813,11 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
+                                               goto out;
+                                       }
+-                                      dh_info->fp->conn = conn;
++                                      if (dh_info->fp->conn) {
++                                              ksmbd_put_durable_fd(dh_info->fp);
++                                              err = -EBADF;
++                                              goto out;
++                                      }
+                                       dh_info->reconnected = true;
+                                       goto out;
+                               }
+-- 
+2.51.0
+
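Review bot: In the new rejection branch, `ksmbd_put_durable_fd(dh_info->fp)` drops the reference but leaves `dh_info->fp` pointing at the handle. Any code that reads `dh_info->fp` after the `-EBADF` return would then touch an object this path no longer holds; adding `dh_info->fp = NULL;` before `goto out;` would rule that out. Separately, the `dh_info->fp->conn` test is made without any lock visible in the hunk, so it should be confirmed that ksmbd_reopen_durable_fd(), outside the hunk, rechecks `fp->conn` in a way that serialises two replay requests for the same create GUID. parse_durable_handle_context() begins and ends outside the hunk.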
diff --git a/queue-6.6/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch b/queue-6.6/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch
new file mode 100644 (file)
index 0000000..721cbe9
--- /dev/null
@@ -0,0 +1,135 @@
+From eb6982af20dc17bac222ab048c718600bcb9d577 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 17:17:02 +0900
+Subject: ksmbd: fix use-after-free of share_conf in compound request
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit c33615f995aee80657b9fdfbc4ee7f49c2bd733d ]
+
+smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without
+validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state ==
+TREE_CONNECTED on the initial lookup path, but the compound reuse path
+bypasses this check entirely.
+
+If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state
+to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(),
+subsequent commands dereference the freed share_conf through
+work->tcon->share_conf.
+
+KASAN report:
+
+[    4.144653] ==================================================================
+[    4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70
+[    4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44
+[    4.145772]
+[    4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY
+[    4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[    4.145875] Workqueue: ksmbd-io handle_ksmbd_work
+[    4.145888] Call Trace:
+[    4.145892]  <TASK>
+[    4.145894]  dump_stack_lvl+0x64/0x80
+[    4.145910]  print_report+0xce/0x660
+[    4.145919]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[    4.145928]  ? smb2_write+0xc74/0xe70
+[    4.145931]  kasan_report+0xce/0x100
+[    4.145934]  ? smb2_write+0xc74/0xe70
+[    4.145937]  smb2_write+0xc74/0xe70
+[    4.145939]  ? __pfx_smb2_write+0x10/0x10
+[    4.145942]  ? _raw_spin_unlock+0xe/0x30
+[    4.145945]  ? ksmbd_smb2_check_message+0xeb2/0x24c0
+[    4.145948]  ? smb2_tree_disconnect+0x31c/0x480
+[    4.145951]  handle_ksmbd_work+0x40f/0x1080
+[    4.145953]  process_one_work+0x5fa/0xef0
+[    4.145962]  ? assign_work+0x122/0x3e0
+[    4.145964]  worker_thread+0x54b/0xf70
+[    4.145967]  ? __pfx_worker_thread+0x10/0x10
+[    4.145970]  kthread+0x346/0x470
+[    4.145976]  ? recalc_sigpending+0x19b/0x230
+[    4.145980]  ? __pfx_kthread+0x10/0x10
+[    4.145984]  ret_from_fork+0x4fb/0x6c0
+[    4.145992]  ? __pfx_ret_from_fork+0x10/0x10
+[    4.145995]  ? __switch_to+0x36c/0xbe0
+[    4.145999]  ? __pfx_kthread+0x10/0x10
+[    4.146003]  ret_from_fork_asm+0x1a/0x30
+[    4.146013]  </TASK>
+[    4.146014]
+[    4.149858] Allocated by task 44:
+[    4.149953]  kasan_save_stack+0x33/0x60
+[    4.150061]  kasan_save_track+0x14/0x30
+[    4.150169]  __kasan_kmalloc+0x8f/0xa0
+[    4.150274]  ksmbd_share_config_get+0x1dd/0xdd0
+[    4.150401]  ksmbd_tree_conn_connect+0x7e/0x600
+[    4.150529]  smb2_tree_connect+0x2e6/0x1000
+[    4.150645]  handle_ksmbd_work+0x40f/0x1080
+[    4.150761]  process_one_work+0x5fa/0xef0
+[    4.150873]  worker_thread+0x54b/0xf70
+[    4.150978]  kthread+0x346/0x470
+[    4.151071]  ret_from_fork+0x4fb/0x6c0
+[    4.151176]  ret_from_fork_asm+0x1a/0x30
+[    4.151286]
+[    4.151332] Freed by task 44:
+[    4.151418]  kasan_save_stack+0x33/0x60
+[    4.151526]  kasan_save_track+0x14/0x30
+[    4.151634]  kasan_save_free_info+0x3b/0x60
+[    4.151751]  __kasan_slab_free+0x43/0x70
+[    4.151861]  kfree+0x1ca/0x430
+[    4.151952]  __ksmbd_tree_conn_disconnect+0xc8/0x190
+[    4.152088]  smb2_tree_disconnect+0x1cd/0x480
+[    4.152211]  handle_ksmbd_work+0x40f/0x1080
+[    4.152326]  process_one_work+0x5fa/0xef0
+[    4.152438]  worker_thread+0x54b/0xf70
+[    4.152545]  kthread+0x346/0x470
+[    4.152638]  ret_from_fork+0x4fb/0x6c0
+[    4.152743]  ret_from_fork_asm+0x1a/0x30
+[    4.152853]
+[    4.152900] The buggy address belongs to the object at ffff88810430c180
+[    4.152900]  which belongs to the cache kmalloc-96 of size 96
+[    4.153226] The buggy address is located 20 bytes inside of
+[    4.153226]  freed 96-byte region [ffff88810430c180, ffff88810430c1e0)
+[    4.153549]
+[    4.153596] The buggy address belongs to the physical page:
+[    4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c
+[    4.154000] flags: 0x100000000000200(workingset|node=0|zone=2)
+[    4.154160] page_type: f5(slab)
+[    4.154251] raw: 0100000000000200 ffff888100041280 ffff888100040110 ffff888100040110
+[    4.154461] raw: ffff88810430ce80 0000000800200009 00000000f5000000 0000000000000000
+[    4.154668] page dumped because: kasan: bad access detected
+[    4.154820]
+[    4.154866] Memory state around the buggy address:
+[    4.155002]  ffff88810430c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155196]  ffff88810430c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155391] >ffff88810430c180: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+[    4.155587]                          ^
+[    4.155693]  ffff88810430c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.155891]  ffff88810430c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[    4.156087] ==================================================================
+
+Add the same t_state validation to the compound reuse path, consistent
+with ksmbd_tree_conn_lookup().
+
+Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/smb2pdu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index e52a05ea25ccc..a647662ca7681 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -118,6 +118,8 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
+                       pr_err("The first operation in the compound does not have tcon\n");
+                       return -EINVAL;
+               }
++              if (work->tcon->t_state != TREE_CONNECTED)
++                      return -ENOENT;
+               if (tree_id != UINT_MAX && work->tcon->id != tree_id) {
+                       pr_err("tree id(%u) is different with id(%u) in first operation\n",
+                                       tree_id, work->tcon->id);
+-- 
+2.51.0
+
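Review bot: The new `work->tcon->t_state != TREE_CONNECTED` test in the compound-reuse branch of smb2_get_ksmbd_tcon() is only safe if the tree connection object itself is still allocated after SMB2_TREE_DISCONNECT. The KASAN report in the message shows share_conf being freed, but whether this 6.6 tree keeps work->tcon alive through a reference is not visible in the hunk and should be confirmed for the backport. The early return is also silent, unlike the `pr_err()` branches on either side of it, so a rejected compound leaves nothing for whoever triages it. A `ksmbd_debug(SMB, "tree connection is not connected\n");` before `return -ENOENT;` would help (the two statements then need braces). The function starts and ends outside the hunk.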
diff --git a/queue-6.6/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch b/queue-6.6/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch
new file mode 100644 (file)
index 0000000..73e2cbe
--- /dev/null
@@ -0,0 +1,49 @@
+From f2b4bfb2d52199d11ab31fa9a51c81324020c4b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 08:43:05 +0900
+Subject: lib/bootconfig: check xbc_init_node() return in override path
+
+From: Josh Law <objecting@objecting.org>
+
+[ Upstream commit bb288d7d869e86d382f35a0e26242c5ccb05ca82 ]
+
+The ':=' override path in xbc_parse_kv() calls xbc_init_node() to
+re-initialize an existing value node but does not check the return
+value. If xbc_init_node() fails (data offset out of range), parsing
+silently continues with stale node data.
+
+Add the missing error check to match the xbc_add_node() call path
+which already checks for failure.
+
+In practice, a bootconfig using ':=' to override a value near the
+32KB data limit could silently retain the old value, meaning a
+security-relevant boot parameter override (e.g., a trace filter or
+debug setting) would not take effect as intended.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-2-objecting@objecting.org/
+
+Fixes: e5efaeb8a8f5 ("bootconfig: Support mixing a value and subkeys under a key")
+Signed-off-by: Josh Law <objecting@objecting.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/bootconfig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/bootconfig.c b/lib/bootconfig.c
+index 82f21a9b0aaba..675f34cf32f0d 100644
+--- a/lib/bootconfig.c
++++ b/lib/bootconfig.c
+@@ -714,7 +714,8 @@ static int __init xbc_parse_kv(char **k, char *v, int op)
+               if (op == ':') {
+                       unsigned short nidx = child->next;
+-                      xbc_init_node(child, v, XBC_VALUE);
++                      if (xbc_init_node(child, v, XBC_VALUE) < 0)
++                              return xbc_parse_error("Failed to override value", v);
+                       child->next = nidx;     /* keep subkeys */
+                       goto array;
+               }
+-- 
+2.51.0
+
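Review bot: The new error return in the `op == ':'` branch of xbc_parse_kv() carries no comment saying when xbc_init_node() can fail, and the message "Failed to override value" does not tell the user either. The commit message gives the reason (data offset out of range) and the consequence (the old value silently stays in effect), and that belongs next to the check, e.g. `/* fails when v lies beyond the data limit; abort instead of keeping the stale value */`. xbc_parse_kv() continues outside the hunk.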
diff --git a/queue-6.6/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch b/queue-6.6/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
new file mode 100644 (file)
index 0000000..cec54e5
--- /dev/null
@@ -0,0 +1,49 @@
+From 1c1f332294aa53707a2c0066d25e07651eb991e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 15:21:57 -0500
+Subject: mtd: rawnand: brcmnand: skip DMA during panic write
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+[ Upstream commit da9ba4dcc01e7cf52b7676f0ee9607b8358c2171 ]
+
+When oops_panic_write is set, the driver disables interrupts and
+switches to PIO polling mode but still falls through into the DMA
+path. DMA cannot be used reliably in panic context, so make the
+DMA path an else branch to ensure only PIO is used during panic
+writes.
+
+Fixes: c1ac2dc34b51 ("mtd: rawnand: brcmnand: When oops in progress use pio and interrupt polling")
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: William Zhang <william.zhang@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/brcmnand/brcmnand.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+index 03d7e26d49537..ece399705bd73 100644
+--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+@@ -2411,14 +2411,12 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip,
+       for (i = 0; i < ctrl->max_oob; i += 4)
+               oob_reg_write(ctrl, i, 0xffffffff);
+-      if (mtd->oops_panic_write)
++      if (mtd->oops_panic_write) {
+               /* switch to interrupt polling and PIO mode */
+               disable_ctrl_irqs(ctrl);
+-
+-      if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
++      } else if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
+               if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize,
+                                   CMD_PROGRAM_PAGE))
+-
+                       ret = -EIO;
+               goto out;
+-- 
+2.51.0
+
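Review bot: The comment inside the new `if (mtd->oops_panic_write) {` block in brcmnand_write() still only says "switch to interrupt polling and PIO mode", while the property this commit adds, that the DMA branch is never entered during a panic write, is carried only by the `else if`. A later edit that splits the chain again would quietly bring the DMA path back into panic context. I would spell it out in the comment: `/* panic write: poll instead of IRQs and use PIO only; the DMA branch below must stay an else */`. brcmnand_write() starts and ends outside the hunk.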
diff --git a/queue-6.6/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch b/queue-6.6/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
new file mode 100644 (file)
index 0000000..3252e53
--- /dev/null
@@ -0,0 +1,70 @@
+From 5574356a21c48989303fdda53f372cd1322e4820 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 14:49:06 -0500
+Subject: mtd: rawnand: serialize lock/unlock against other NAND operations
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+[ Upstream commit bab2bc6e850a697a23b9e5f0e21bb8c187615e95 ]
+
+nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area
+without holding the NAND device lock. On controllers that implement
+SET_FEATURES via multiple low-level PIO commands, these can race with
+concurrent UBI/UBIFS background erase/write operations that hold the
+device lock, resulting in cmd_pending conflicts on the NAND controller.
+
+Add nand_get_device()/nand_release_device() around the lock/unlock
+operations to serialize them against all other NAND controller access.
+
+Fixes: 92270086b7e5 ("mtd: rawnand: Add support for manufacturer specific lock/unlock operation")
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: William Zhang <william.zhang@broadcom.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/nand_base.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c
+index fe0b298f8425e..896a7d819e3c7 100644
+--- a/drivers/mtd/nand/raw/nand_base.c
++++ b/drivers/mtd/nand/raw/nand_base.c
+@@ -4849,11 +4849,16 @@ static void nand_shutdown(struct mtd_info *mtd)
+ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ {
+       struct nand_chip *chip = mtd_to_nand(mtd);
++      int ret;
+       if (!chip->ops.lock_area)
+               return -ENOTSUPP;
+-      return chip->ops.lock_area(chip, ofs, len);
++      nand_get_device(chip);
++      ret = chip->ops.lock_area(chip, ofs, len);
++      nand_release_device(chip);
++
++      return ret;
+ }
+ /**
+@@ -4865,11 +4870,16 @@ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ static int nand_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ {
+       struct nand_chip *chip = mtd_to_nand(mtd);
++      int ret;
+       if (!chip->ops.unlock_area)
+               return -ENOTSUPP;
+-      return chip->ops.unlock_area(chip, ofs, len);
++      nand_get_device(chip);
++      ret = chip->ops.unlock_area(chip, ofs, len);
++      nand_release_device(chip);
++
++      return ret;
+ }
+ /* Set default functions */
+-- 
+2.51.0
+
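Review bot: The result of `nand_get_device(chip)` is not checked before `chip->ops.lock_area()` in nand_lock(), and the same applies to `chip->ops.unlock_area()` in nand_unlock() in the second hunk. The definition of nand_get_device() is outside this patch. If it can return an error in any tree this is queued for (for example while the chip is suspended), the callback would run without the device lock and nand_release_device() would release a lock that was never taken. In that case the call should read `ret = nand_get_device(chip);` followed by `if (ret) return ret;`. If it returns void in this tree, nothing needs changing.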
index a4574dbffdd0fac307f38f48815fe16d42a49b92..bbcba619d55ecdf7a5a7b75dae19df10372faa3e 100644 (file)
@@ -554,3 +554,11 @@ usb-serial-f81232-fix-incomplete-serial-port-generation.patch
 i2c-fsi-fix-a-potential-leak-in-fsi_i2c_probe.patch
 i2c-pxa-defer-reset-on-armada-3700-when-recovery-is-used.patch
 x86-platform-uv-handle-deconfigured-sockets.patch
+mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
+mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
+drm-amd-display-fix-displayid-not-found-handling-in-.patch
+ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch
+ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch
+drm-i915-gt-check-set_default_submission-before-defe.patch
+lib-bootconfig-check-xbc_init_node-return-in-overrid.patch
+tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch
diff --git a/queue-6.6/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch b/queue-6.6/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch
new file mode 100644 (file)
index 0000000..43216c2
--- /dev/null
@@ -0,0 +1,44 @@
+From d7adb2d28fe3a723e8e27245a6354d7edf57fa45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 08:43:06 +0900
+Subject: tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
+
+From: Josh Law <objecting@objecting.org>
+
+[ Upstream commit 3b2c2ab4ceb82af484310c3087541eab00ea288b ]
+
+If fstat() fails after open() succeeds, the function returns without
+closing the file descriptor. Also preserve errno across close(), since
+close() may overwrite it before the error is returned.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-3-objecting@objecting.org/
+
+Fixes: 950313ebf79c ("tools: bootconfig: Add bootconfig command")
+Signed-off-by: Josh Law <objecting@objecting.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bootconfig/main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c
+index 8a48cc2536f56..32cf48f2da9a1 100644
+--- a/tools/bootconfig/main.c
++++ b/tools/bootconfig/main.c
+@@ -157,8 +157,11 @@ static int load_xbc_file(const char *path, char **buf)
+       if (fd < 0)
+               return -errno;
+       ret = fstat(fd, &stat);
+-      if (ret < 0)
+-              return -errno;
++      if (ret < 0) {
++              ret = -errno;
++              close(fd);
++              return ret;
++      }
+       ret = load_xbc_fd(fd, buf, stat.st_size);
+-- 
+2.51.0
+
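Review bot: `stat.st_size` is passed to `load_xbc_fd(fd, buf, stat.st_size)` directly after the corrected fstat() error path, with no range check in load_xbc_file(). load_xbc_fd() is not visible in the hunk, so it cannot be told from here how it treats a very large size, or the zero size reported for a non-regular file. If it allocates and reads by that value, the size should be bounded before the call, closing the descriptor as the new error path does: `if (stat.st_size > XBC_DATA_MAX) { close(fd); return -E2BIG; }`. load_xbc_file() starts and ends outside the hunk.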