--- /dev/null
+From 58764259ebe0c9efd569194444629f6b26f86583 Mon Sep 17 00:00:00 2001
+From: Armin Wolf <W_Armin@gmx.de>
+Date: Wed, 8 Oct 2025 01:41:44 +0200
+Subject: ACPI: fan: Use ACPI handle when retrieving _FST
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+commit 58764259ebe0c9efd569194444629f6b26f86583 upstream.
+
+Usage of the ACPI device should be phased out in the future, as
+the driver itself is now using the platform bus.
+
+Replace any usage of struct acpi_device in acpi_fan_get_fst() to
+allow users to drop usage of struct acpi_device.
+
+Also extend the integer check to all three package elements.
+
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://patch.msgid.link/20251007234149.2769-2-W_Armin@gmx.de
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/fan.h | 3 ++-
+ drivers/acpi/fan_attr.c | 2 +-
+ drivers/acpi/fan_core.c | 34 ++++++++++++++++++++++------------
+ drivers/acpi/fan_hwmon.c | 3 +--
+ 4 files changed, 26 insertions(+), 16 deletions(-)
+
+--- a/drivers/acpi/fan.h
++++ b/drivers/acpi/fan.h
+@@ -47,6 +47,7 @@ struct acpi_fan_fst {
+ };
+
+ struct acpi_fan {
++ acpi_handle handle;
+ bool acpi4;
+ struct acpi_fan_fif fif;
+ struct acpi_fan_fps *fps;
+@@ -56,7 +57,7 @@ struct acpi_fan {
+ struct device_attribute fine_grain_control;
+ };
+
+-int acpi_fan_get_fst(struct acpi_device *device, struct acpi_fan_fst *fst);
++int acpi_fan_get_fst(acpi_handle handle, struct acpi_fan_fst *fst);
+ int acpi_fan_create_attributes(struct acpi_device *device);
+ void acpi_fan_delete_attributes(struct acpi_device *device);
+
+--- a/drivers/acpi/fan_attr.c
++++ b/drivers/acpi/fan_attr.c
+@@ -55,7 +55,7 @@ static ssize_t show_fan_speed(struct dev
+ struct acpi_fan_fst fst;
+ int status;
+
+- status = acpi_fan_get_fst(acpi_dev, &fst);
++ status = acpi_fan_get_fst(acpi_dev->handle, &fst);
+ if (status)
+ return status;
+
+--- a/drivers/acpi/fan_core.c
++++ b/drivers/acpi/fan_core.c
+@@ -44,25 +44,30 @@ static int fan_get_max_state(struct ther
+ return 0;
+ }
+
+-int acpi_fan_get_fst(struct acpi_device *device, struct acpi_fan_fst *fst)
++int acpi_fan_get_fst(acpi_handle handle, struct acpi_fan_fst *fst)
+ {
+ struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL };
+ union acpi_object *obj;
+ acpi_status status;
+ int ret = 0;
+
+- status = acpi_evaluate_object(device->handle, "_FST", NULL, &buffer);
+- if (ACPI_FAILURE(status)) {
+- dev_err(&device->dev, "Get fan state failed\n");
+- return -ENODEV;
+- }
++ status = acpi_evaluate_object(handle, "_FST", NULL, &buffer);
++ if (ACPI_FAILURE(status))
++ return -EIO;
+
+ obj = buffer.pointer;
+- if (!obj || obj->type != ACPI_TYPE_PACKAGE ||
+- obj->package.count != 3 ||
+- obj->package.elements[1].type != ACPI_TYPE_INTEGER) {
+- dev_err(&device->dev, "Invalid _FST data\n");
+- ret = -EINVAL;
++ if (!obj)
++ return -ENODATA;
++
++ if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count != 3) {
++ ret = -EPROTO;
++ goto err;
++ }
++
++ if (obj->package.elements[0].type != ACPI_TYPE_INTEGER ||
++ obj->package.elements[1].type != ACPI_TYPE_INTEGER ||
++ obj->package.elements[2].type != ACPI_TYPE_INTEGER) {
++ ret = -EPROTO;
+ goto err;
+ }
+
+@@ -81,7 +86,7 @@ static int fan_get_state_acpi4(struct ac
+ struct acpi_fan_fst fst;
+ int status, i;
+
+- status = acpi_fan_get_fst(device, &fst);
++ status = acpi_fan_get_fst(device->handle, &fst);
+ if (status)
+ return status;
+
+@@ -319,11 +324,16 @@ static int acpi_fan_probe(struct platfor
+ struct acpi_device *device = ACPI_COMPANION(&pdev->dev);
+ char *name;
+
++ if (!device)
++ return -ENODEV;
++
+ fan = devm_kzalloc(&pdev->dev, sizeof(*fan), GFP_KERNEL);
+ if (!fan) {
+ dev_err(&device->dev, "No memory for fan\n");
+ return -ENOMEM;
+ }
++
++ fan->handle = device->handle;
+ device->driver_data = fan;
+ platform_set_drvdata(pdev, fan);
+
+--- a/drivers/acpi/fan_hwmon.c
++++ b/drivers/acpi/fan_hwmon.c
+@@ -85,13 +85,12 @@ static umode_t acpi_fan_hwmon_is_visible
+ static int acpi_fan_hwmon_read(struct device *dev, enum hwmon_sensor_types type, u32 attr,
+ int channel, long *val)
+ {
+- struct acpi_device *adev = to_acpi_device(dev->parent);
+ struct acpi_fan *fan = dev_get_drvdata(dev);
+ struct acpi_fan_fps *fps;
+ struct acpi_fan_fst fst;
+ int ret;
+
+- ret = acpi_fan_get_fst(adev, &fst);
++ ret = acpi_fan_get_fst(fan->handle, &fst);
+ if (ret < 0)
+ return ret;
+
--- /dev/null
+From 12a1c9353c47c0fb3464eba2d78cdf649dee1cf7 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Mon, 27 Oct 2025 09:27:32 +0900
+Subject: block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit 12a1c9353c47c0fb3464eba2d78cdf649dee1cf7 upstream.
+
+REQ_OP_ZONE_RESET_ALL is a zone management request. Fix
+op_is_zone_mgmt() to return true for that operation, like it already
+does for REQ_OP_ZONE_RESET.
+
+While no problems were reported without this fix, this change allows
+strengthening checks in various block device drivers (scsi sd,
+virtioblk, DM) where op_is_zone_mgmt() is used to verify that a zone
+management command is not being issued to a regular block device.
+
+Fixes: 6c1b1da58f8c ("block: add zone open, close and finish operations")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/blk_types.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/linux/blk_types.h
++++ b/include/linux/blk_types.h
+@@ -473,6 +473,7 @@ static inline bool op_is_zone_mgmt(enum
+ {
+ switch (op & REQ_OP_MASK) {
+ case REQ_OP_ZONE_RESET:
++ case REQ_OP_ZONE_RESET_ALL:
+ case REQ_OP_ZONE_OPEN:
+ case REQ_OP_ZONE_CLOSE:
+ case REQ_OP_ZONE_FINISH:
--- /dev/null
+From 19de03b312d69a7e9bacb51c806c6e3f4207376c Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Mon, 27 Oct 2025 09:27:33 +0900
+Subject: block: make REQ_OP_ZONE_OPEN a write operation
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit 19de03b312d69a7e9bacb51c806c6e3f4207376c upstream.
+
+A REQ_OP_OPEN_ZONE request changes the condition of a sequential zone of
+a zoned block device to the explicitly open condition
+(BLK_ZONE_COND_EXP_OPEN). As such, it should be considered a write
+operation.
+
+Change this operation code to be an odd number to reflect this. The
+following operation numbers are changed to keep the numbering compact.
+
+No problems were reported without this change as this operation has no
+data. However, this unifies the zone operation to reflect that they
+modify the device state and also allows strengthening checks in the
+block layer, e.g. checking if this operation is not issued against a
+read-only device.
+
+Fixes: 6c1b1da58f8c ("block: add zone open, close and finish operations")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/blk_types.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/include/linux/blk_types.h
++++ b/include/linux/blk_types.h
+@@ -338,15 +338,15 @@ enum req_op {
+ /* write the zero filled sector many times */
+ REQ_OP_WRITE_ZEROES = (__force blk_opf_t)9,
+ /* Open a zone */
+- REQ_OP_ZONE_OPEN = (__force blk_opf_t)10,
++ REQ_OP_ZONE_OPEN = (__force blk_opf_t)11,
+ /* Close a zone */
+- REQ_OP_ZONE_CLOSE = (__force blk_opf_t)11,
++ REQ_OP_ZONE_CLOSE = (__force blk_opf_t)13,
+ /* Transition a zone to full */
+- REQ_OP_ZONE_FINISH = (__force blk_opf_t)13,
++ REQ_OP_ZONE_FINISH = (__force blk_opf_t)15,
+ /* reset a zone write pointer */
+- REQ_OP_ZONE_RESET = (__force blk_opf_t)15,
++ REQ_OP_ZONE_RESET = (__force blk_opf_t)17,
+ /* reset all the zone present on the device */
+- REQ_OP_ZONE_RESET_ALL = (__force blk_opf_t)17,
++ REQ_OP_ZONE_RESET_ALL = (__force blk_opf_t)19,
+
+ /* Driver private requests */
+ REQ_OP_DRV_IN = (__force blk_opf_t)34,
--- /dev/null
+From ba10f8d92a2c026b1052b4c0fa2cd7538838c965 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Thu, 16 Oct 2025 13:55:27 -0500
+Subject: drm/amd: Check that VPE has reached DPM0 in idle handler
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit ba10f8d92a2c026b1052b4c0fa2cd7538838c965 upstream.
+
+[Why]
+Newer VPE microcode has functionality that will decrease DPM level
+only when a workload has run for 2 or more seconds. If VPE is turned
+off before this DPM decrease and the PMFW doesn't reset it when
+power gating VPE, the SOC can get stuck with a higher DPM level.
+
+This can happen from amdgpu's ring buffer test because it's a short
+quick workload for VPE and VPE is turned off after 1s.
+
+[How]
+In idle handler besides checking fences are drained check PMFW version
+to determine if it will reset DPM when power gating VPE. If PMFW will
+not do this, then check VPE DPM level. If it is not DPM0 reschedule
+delayed work again until it is.
+
+v2: squash in return fix (Alex)
+
+Cc: Peyton.Lee@amd.com
+Reported-by: Sultan Alsawaf <sultan@kerneltoast.com>
+Reviewed-by: Sultan Alsawaf <sultan@kerneltoast.com>
+Tested-by: Sultan Alsawaf <sultan@kerneltoast.com>
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4615
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 3ac635367eb589bee8edcc722f812a89970e14b7)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c | 34 ++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c
+@@ -321,6 +321,26 @@ static int vpe_early_init(void *handle)
+ return 0;
+ }
+
++static bool vpe_need_dpm0_at_power_down(struct amdgpu_device *adev)
++{
++ switch (amdgpu_ip_version(adev, VPE_HWIP, 0)) {
++ case IP_VERSION(6, 1, 1):
++ return adev->pm.fw_version < 0x0a640500;
++ default:
++ return false;
++ }
++}
++
++static int vpe_get_dpm_level(struct amdgpu_device *adev)
++{
++ struct amdgpu_vpe *vpe = &adev->vpe;
++
++ if (!adev->pm.dpm_enabled)
++ return 0;
++
++ return RREG32(vpe_get_reg_offset(vpe, 0, vpe->regs.dpm_request_lv));
++}
++
+ static void vpe_idle_work_handler(struct work_struct *work)
+ {
+ struct amdgpu_device *adev =
+@@ -328,11 +348,17 @@ static void vpe_idle_work_handler(struct
+ unsigned int fences = 0;
+
+ fences += amdgpu_fence_count_emitted(&adev->vpe.ring);
++ if (fences)
++ goto reschedule;
++
++ if (vpe_need_dpm0_at_power_down(adev) && vpe_get_dpm_level(adev) != 0)
++ goto reschedule;
++
++ amdgpu_device_ip_set_powergating_state(adev, AMD_IP_BLOCK_TYPE_VPE, AMD_PG_STATE_GATE);
++ return;
+
+- if (fences == 0)
+- amdgpu_device_ip_set_powergating_state(adev, AMD_IP_BLOCK_TYPE_VPE, AMD_PG_STATE_GATE);
+- else
+- schedule_delayed_work(&adev->vpe.idle_work, VPE_IDLE_TIMEOUT);
++reschedule:
++ schedule_delayed_work(&adev->vpe.idle_work, VPE_IDLE_TIMEOUT);
+ }
+
+ static int vpe_common_init(struct amdgpu_vpe *vpe)
--- /dev/null
+From b3656b355b5522cef1b52a7469010009c98156db Mon Sep 17 00:00:00 2001
+From: Ivan Lipski <ivan.lipski@amd.com>
+Date: Wed, 17 Sep 2025 11:00:02 -0400
+Subject: drm/amd/display: Fix incorrect return of vblank enable on unconfigured crtc
+
+From: Ivan Lipski <ivan.lipski@amd.com>
+
+commit b3656b355b5522cef1b52a7469010009c98156db upstream.
+
+[Why&How]
+Return -EINVAL when userspace asks us to enable vblank on a crtc that is
+not yet enabled.
+
+Suggested-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/1856
+Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
+Signed-off-by: Wayne Lin <wayne.lin@amd.com>
+Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit cb57b8cdb072dc37723b6906da1c37ff9cbc2da4)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c
+@@ -296,8 +296,12 @@ static inline int amdgpu_dm_crtc_set_vbl
+ int irq_type;
+ int rc = 0;
+
+- if (acrtc->otg_inst == -1)
+- goto skip;
++ if (enable && !acrtc->base.enabled) {
++ drm_dbg_vbl(crtc->dev,
++ "Reject vblank enable on unconfigured CRTC %d (enabled=%d)\n",
++ acrtc->crtc_id, acrtc->base.enabled);
++ return -EINVAL;
++ }
+
+ irq_type = amdgpu_display_crtc_idx_to_irq_type(adev, acrtc->crtc_id);
+
+@@ -378,7 +382,7 @@ static inline int amdgpu_dm_crtc_set_vbl
+ return rc;
+ }
+ #endif
+-skip:
++
+ if (amdgpu_in_reset(adev))
+ return 0;
+
--- /dev/null
+From a9fb41b5def8e1e0103d5fd1453787993587281e Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Fri, 24 Oct 2025 09:35:53 +0200
+Subject: drm/ast: Clear preserved bits from register output value
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit a9fb41b5def8e1e0103d5fd1453787993587281e upstream.
+
+Preserve the I/O register bits in __ast_write8_i_masked() as specified
+by preserve_mask. Accidentally OR-ing the output value into these will
+overwrite the register's previous settings.
+
+Fixes display output on the AST2300, where the screen can go blank at
+boot. The driver's original commit 312fec1405dd ("drm: Initial KMS
+driver for AST (ASpeed Technologies) 2000 series (v2)") already added
+the broken code. Commit 6f719373b943 ("drm/ast: Blank with VGACR17 sync
+enable, always clear VGACRB6 sync off") triggered the bug.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reported-by: Peter Schneider <pschneider1968@googlemail.com>
+Closes: https://lore.kernel.org/dri-devel/a40caf8e-58ad-4f9c-af7f-54f6f69c29bb@googlemail.com/
+Tested-by: Peter Schneider <pschneider1968@googlemail.com>
+Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
+Fixes: 6f719373b943 ("drm/ast: Blank with VGACR17 sync enable, always clear VGACRB6 sync off")
+Fixes: 312fec1405dd ("drm: Initial KMS driver for AST (ASpeed Technologies) 2000 series (v2)")
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Nick Bowler <nbowler@draconx.ca>
+Cc: Douglas Anderson <dianders@chromium.org>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Jocelyn Falempe <jfalempe@redhat.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v3.5+
+Link: https://patch.msgid.link/20251024073626.129032-1-tzimmermann@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/ast/ast_drv.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/ast/ast_drv.h
++++ b/drivers/gpu/drm/ast/ast_drv.h
+@@ -286,13 +286,13 @@ static inline void __ast_write8_i(void _
+ __ast_write8(addr, reg + 1, val);
+ }
+
+-static inline void __ast_write8_i_masked(void __iomem *addr, u32 reg, u8 index, u8 read_mask,
++static inline void __ast_write8_i_masked(void __iomem *addr, u32 reg, u8 index, u8 preserve_mask,
+ u8 val)
+ {
+- u8 tmp = __ast_read8_i_masked(addr, reg, index, read_mask);
++ u8 tmp = __ast_read8_i_masked(addr, reg, index, preserve_mask);
+
+- tmp |= val;
+- __ast_write8_i(addr, reg, index, tmp);
++ val &= ~preserve_mask;
++ __ast_write8_i(addr, reg, index, tmp | val);
+ }
+
+ static inline u32 ast_read32(struct ast_device *ast, u32 reg)
--- /dev/null
+From 926d002e6d7e2f1fd5c1b53cf6208153ee7d380d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 6 Oct 2025 11:39:37 +0200
+Subject: drm/mediatek: Fix device use-after-free on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 926d002e6d7e2f1fd5c1b53cf6208153ee7d380d upstream.
+
+A recent change fixed device reference leaks when looking up drm
+platform device driver data during bind() but failed to remove a partial
+fix which had been added by commit 80805b62ea5b ("drm/mediatek: Fix
+kobject put for component sub-drivers").
+
+This results in a reference imbalance on component bind() failures and
+on unbind() which could lead to a user-after-free.
+
+Make sure to only drop the references after retrieving the driver data
+by effectively reverting the previous partial fix.
+
+Note that holding a reference to a device does not prevent its driver
+data from going away so there is no point in keeping the reference.
+
+Fixes: 1f403699c40f ("drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv")
+Reported-by: Sjoerd Simons <sjoerd@collabora.com>
+Closes: https://lore.kernel.org/r/20251003-mtk-drm-refcount-v1-1-3b3f2813b0db@collabora.com
+Cc: stable@vger.kernel.org
+Cc: Ma Ke <make24@iscas.ac.cn>
+Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: Sjoerd Simons <sjoerd@collabora.com>
+Tested-by: Sjoerd Simons <sjoerd@collabora.com>
+Tested-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>
+Reviewed-by: CK Hu <ck.hu@mediatek.com>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20251006093937.27869-1-johan@kernel.org/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/mediatek/mtk_drm_drv.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+@@ -684,10 +684,6 @@ err_free:
+ for (i = 0; i < private->data->mmsys_dev_num; i++)
+ private->all_drm_private[i]->drm = NULL;
+ err_put_dev:
+- for (i = 0; i < private->data->mmsys_dev_num; i++) {
+- /* For device_find_child in mtk_drm_get_all_priv() */
+- put_device(private->all_drm_private[i]->dev);
+- }
+ put_device(private->mutex_dev);
+ return ret;
+ }
+@@ -695,18 +691,12 @@ err_put_dev:
+ static void mtk_drm_unbind(struct device *dev)
+ {
+ struct mtk_drm_private *private = dev_get_drvdata(dev);
+- int i;
+
+ /* for multi mmsys dev, unregister drm dev in mmsys master */
+ if (private->drm_master) {
+ drm_dev_unregister(private->drm);
+ mtk_drm_kms_deinit(private->drm);
+ drm_dev_put(private->drm);
+-
+- for (i = 0; i < private->data->mmsys_dev_num; i++) {
+- /* For device_find_child in mtk_drm_get_all_priv() */
+- put_device(private->all_drm_private[i]->dev);
+- }
+ put_device(private->mutex_dev);
+ }
+ private->mtk_drm_bound = false;
--- /dev/null
+From e0023c8a74028739643aa14bd201c41a99866ca4 Mon Sep 17 00:00:00 2001
+From: Philipp Stanner <phasta@kernel.org>
+Date: Fri, 24 Oct 2025 18:12:22 +0200
+Subject: drm/nouveau: Fix race in nouveau_sched_fini()
+
+From: Philipp Stanner <phasta@kernel.org>
+
+commit e0023c8a74028739643aa14bd201c41a99866ca4 upstream.
+
+nouveau_sched_fini() uses a memory barrier before wait_event().
+wait_event(), however, is a macro which expands to a loop which might
+check the passed condition several times. The barrier would only take
+effect for the first check.
+
+Replace the barrier with a function which takes the spinlock.
+
+Cc: stable@vger.kernel.org # v6.8+
+Fixes: 5f03a507b29e ("drm/nouveau: implement 1:1 scheduler - entity relationship")
+Acked-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Philipp Stanner <phasta@kernel.org>
+Link: https://patch.msgid.link/20251024161221.196155-2-phasta@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_sched.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_sched.c
++++ b/drivers/gpu/drm/nouveau/nouveau_sched.c
+@@ -475,6 +475,17 @@ nouveau_sched_create(struct nouveau_sche
+ return 0;
+ }
+
++static bool
++nouveau_sched_job_list_empty(struct nouveau_sched *sched)
++{
++ bool empty;
++
++ spin_lock(&sched->job.list.lock);
++ empty = list_empty(&sched->job.list.head);
++ spin_unlock(&sched->job.list.lock);
++
++ return empty;
++}
+
+ static void
+ nouveau_sched_fini(struct nouveau_sched *sched)
+@@ -482,8 +493,7 @@ nouveau_sched_fini(struct nouveau_sched
+ struct drm_gpu_scheduler *drm_sched = &sched->base;
+ struct drm_sched_entity *entity = &sched->entity;
+
+- rmb(); /* for list_empty to work without lock */
+- wait_event(sched->job.wq, list_empty(&sched->job.list.head));
++ wait_event(sched->job.wq, nouveau_sched_job_list_empty(sched));
+
+ drm_sched_entity_fini(entity);
+ drm_sched_fini(drm_sched);
--- /dev/null
+From 9e8b3201c7302d5b522ba3535630bed21cc03c27 Mon Sep 17 00:00:00 2001
+From: David Rosca <david.rosca@amd.com>
+Date: Wed, 15 Oct 2025 16:01:28 +0200
+Subject: drm/sched: avoid killing parent entity on child SIGKILL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Rosca <david.rosca@amd.com>
+
+commit 9e8b3201c7302d5b522ba3535630bed21cc03c27 upstream.
+
+The DRM scheduler tracks who last uses an entity and when that process
+is killed blocks all further submissions to that entity.
+
+The problem is that we didn't track who initially created an entity, so
+when a process accidently leaked its file descriptor to a child and
+that child got killed, we killed the parent's entities.
+
+Avoid that and instead initialize the entities last user on entity
+creation. This also allows to drop the extra NULL check.
+
+Signed-off-by: David Rosca <david.rosca@amd.com>
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4568
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+CC: stable@vger.kernel.org
+Acked-by: Philipp Stanner <phasta@kernel.org>
+Link: https://lore.kernel.org/r/20251015140128.1470-1-christian.koenig@amd.com
+Signed-off-by: Philipp Stanner <phasta@kernel.org>
+Link: https://patch.msgid.link/20251015140128.1470-1-christian.koenig@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/scheduler/sched_entity.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/scheduler/sched_entity.c
++++ b/drivers/gpu/drm/scheduler/sched_entity.c
+@@ -71,6 +71,7 @@ int drm_sched_entity_init(struct drm_sch
+ entity->guilty = guilty;
+ entity->num_sched_list = num_sched_list;
+ entity->priority = priority;
++ entity->last_user = current->group_leader;
+ /*
+ * It's perfectly valid to initialize an entity without having a valid
+ * scheduler attached. It's just not valid to use the scheduler before it
+@@ -315,7 +316,7 @@ long drm_sched_entity_flush(struct drm_s
+
+ /* For killed process disable any more IBs enqueue right now */
+ last_user = cmpxchg(&entity->last_user, current->group_leader, NULL);
+- if ((!last_user || last_user == current->group_leader) &&
++ if (last_user == current->group_leader &&
+ (current->flags & PF_EXITING) && (current->exit_code == SIGKILL))
+ drm_sched_entity_kill(entity);
+
--- /dev/null
+From 14e02ed3876f4ab0ed6d3f41972175f8b8df3d70 Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Fri, 17 Oct 2025 11:13:36 +0200
+Subject: drm/sysfb: Do not dereference NULL pointer in plane reset
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit 14e02ed3876f4ab0ed6d3f41972175f8b8df3d70 upstream.
+
+The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not
+deref that pointer, but forward NULL to the other plane-reset helpers.
+Clears plane->state to NULL.
+
+v2:
+- fix typo in commit description (Javier)
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Fixes: b71565022031 ("drm/gem: Export implementation of shadow-plane helpers")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/dri-devel/aPIDAsHIUHp_qSW4@stanley.mountain/
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Melissa Wen <melissa.srw@gmail.com>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Maxime Ripard <mripard@kernel.org>
+Cc: David Airlie <airlied@gmail.com>
+Cc: Simona Vetter <simona@ffwll.ch>
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v5.15+
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Link: https://patch.msgid.link/20251017091407.58488-1-tzimmermann@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_gem_atomic_helper.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/drm_gem_atomic_helper.c
++++ b/drivers/gpu/drm/drm_gem_atomic_helper.c
+@@ -309,8 +309,12 @@ EXPORT_SYMBOL(drm_gem_destroy_shadow_pla
+ void __drm_gem_reset_shadow_plane(struct drm_plane *plane,
+ struct drm_shadow_plane_state *shadow_plane_state)
+ {
+- __drm_atomic_helper_plane_reset(plane, &shadow_plane_state->base);
+- drm_format_conv_state_init(&shadow_plane_state->fmtcnv_state);
++ if (shadow_plane_state) {
++ __drm_atomic_helper_plane_reset(plane, &shadow_plane_state->base);
++ drm_format_conv_state_init(&shadow_plane_state->fmtcnv_state);
++ } else {
++ __drm_atomic_helper_plane_reset(plane, NULL);
++ }
+ }
+ EXPORT_SYMBOL(__drm_gem_reset_shadow_plane);
+
--- /dev/null
+From b3fbda1a630a9439c885b2a5dc5230cc49a87e9e Mon Sep 17 00:00:00 2001
+From: Matthew Brost <matthew.brost@intel.com>
+Date: Tue, 21 Oct 2025 17:55:37 -0700
+Subject: drm/xe: Do not wake device during a GT reset
+
+From: Matthew Brost <matthew.brost@intel.com>
+
+commit b3fbda1a630a9439c885b2a5dc5230cc49a87e9e upstream.
+
+Waking the device during a GT reset can lead to unintended memory
+allocation, which is not allowed since GT resets occur in the reclaim
+path. Prevent this by holding a PM reference while a reset is in flight.
+
+Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Matthew Brost <matthew.brost@intel.com>
+Reviewed-by: Matthew Auld <matthew.auld@intel.com>
+Link: https://lore.kernel.org/r/20251022005538.828980-3-matthew.brost@intel.com
+(cherry picked from commit 480b358e7d8ef69fd8f1b0cad6e07c7d70a36ee4)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_gt.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/xe/xe_gt.c
++++ b/drivers/gpu/drm/xe/xe_gt.c
+@@ -746,17 +746,19 @@ static int gt_reset(struct xe_gt *gt)
+ {
+ int err;
+
+- if (xe_device_wedged(gt_to_xe(gt)))
+- return -ECANCELED;
++ if (xe_device_wedged(gt_to_xe(gt))) {
++ err = -ECANCELED;
++ goto err_pm_put;
++ }
+
+ /* We only support GT resets with GuC submission */
+- if (!xe_device_uc_enabled(gt_to_xe(gt)))
+- return -ENODEV;
++ if (!xe_device_uc_enabled(gt_to_xe(gt))) {
++ err = -ENODEV;
++ goto err_pm_put;
++ }
+
+ xe_gt_info(gt, "reset started\n");
+
+- xe_pm_runtime_get(gt_to_xe(gt));
+-
+ if (xe_fault_inject_gt_reset()) {
+ err = -ECANCELED;
+ goto err_fail;
+@@ -803,6 +805,7 @@ err_fail:
+ xe_gt_err(gt, "reset failed (%pe)\n", ERR_PTR(err));
+
+ xe_device_declare_wedged(gt_to_xe(gt));
++err_pm_put:
+ xe_pm_runtime_put(gt_to_xe(gt));
+
+ return err;
+@@ -824,7 +827,9 @@ void xe_gt_reset_async(struct xe_gt *gt)
+ return;
+
+ xe_gt_info(gt, "reset queued\n");
+- queue_work(gt->ordered_wq, >->reset.worker);
++ xe_pm_runtime_get_noresume(gt_to_xe(gt));
++ if (!queue_work(gt->ordered_wq, >->reset.worker))
++ xe_pm_runtime_put(gt_to_xe(gt));
+ }
+
+ void xe_gt_suspend_prepare(struct xe_gt *gt)
--- /dev/null
+From 0ba6502ce167fc3d598c08c2cc3b4ed7ca5aa251 Mon Sep 17 00:00:00 2001
+From: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Date: Tue, 28 Oct 2025 14:42:14 +0800
+Subject: perf/x86/intel: Fix KASAN global-out-of-bounds warning
+
+From: Dapeng Mi <dapeng1.mi@linux.intel.com>
+
+commit 0ba6502ce167fc3d598c08c2cc3b4ed7ca5aa251 upstream.
+
+When running "perf mem record" command on CWF, the below KASAN
+global-out-of-bounds warning is seen.
+
+ ==================================================================
+ BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0
+ Read of size 4 at addr ffffffffb721d000 by task dtlb/9850
+
+ Call Trace:
+
+ kasan_report+0xb8/0xf0
+ cmt_latency_data+0x176/0x1b0
+ setup_arch_pebs_sample_data+0xf49/0x2560
+ intel_pmu_drain_arch_pebs+0x577/0xb00
+ handle_pmi_common+0x6c4/0xc80
+
+The issue is caused by below code in __grt_latency_data(). The code
+tries to access x86_hybrid_pmu structure which doesn't exist on
+non-hybrid platform like CWF.
+
+ WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big)
+
+So add is_hybrid() check before calling this WARN_ON_ONCE to fix the
+global-out-of-bounds access issue.
+
+Fixes: 090262439f66 ("perf/x86/intel: Rename model-specific pebs_latency_data functions")
+Reported-by: Xudong Hao <xudong.hao@intel.com>
+Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Zide Chen <zide.chen@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251028064214.1451968-1-dapeng1.mi@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/ds.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/events/intel/ds.c
++++ b/arch/x86/events/intel/ds.c
+@@ -305,7 +305,8 @@ static u64 __grt_latency_data(struct per
+ {
+ u64 val;
+
+- WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big);
++ WARN_ON_ONCE(is_hybrid() &&
++ hybrid_pmu(event->pmu)->pmu_type == hybrid_big);
+
+ dse &= PERF_PEBS_DATA_SOURCE_GRT_MASK;
+ val = hybrid_var(event->pmu, pebs_data_source)[dse];
--- /dev/null
+From 434f7349a1f00618a620b316f091bd13a12bc8d2 Mon Sep 17 00:00:00 2001
+From: Alexey Klimov <alexey.klimov@linaro.org>
+Date: Wed, 22 Oct 2025 21:10:12 +0100
+Subject: regmap: slimbus: fix bus_context pointer in regmap init calls
+
+From: Alexey Klimov <alexey.klimov@linaro.org>
+
+commit 434f7349a1f00618a620b316f091bd13a12bc8d2 upstream.
+
+Commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in
+wcd934x_codec_parse_data()") revealed the problem in the slimbus regmap.
+That commit breaks audio playback, for instance, on sdm845 Thundercomm
+Dragonboard 845c board:
+
+ Unable to handle kernel paging request at virtual address ffff8000847cbad4
+ ...
+ CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT
+ Hardware name: Thundercomm Dragonboard 845c (DT)
+ ...
+ Call trace:
+ slim_xfer_msg+0x24/0x1ac [slimbus] (P)
+ slim_read+0x48/0x74 [slimbus]
+ regmap_slimbus_read+0x18/0x24 [regmap_slimbus]
+ _regmap_raw_read+0xe8/0x174
+ _regmap_bus_read+0x44/0x80
+ _regmap_read+0x60/0xd8
+ _regmap_update_bits+0xf4/0x140
+ _regmap_select_page+0xa8/0x124
+ _regmap_raw_write_impl+0x3b8/0x65c
+ _regmap_bus_raw_write+0x60/0x80
+ _regmap_write+0x58/0xc0
+ regmap_write+0x4c/0x80
+ wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]
+ snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]
+ __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]
+ dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]
+ dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]
+ snd_pcm_hw_params+0x124/0x464 [snd_pcm]
+ snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]
+ snd_pcm_ioctl+0x34/0x4c [snd_pcm]
+ __arm64_sys_ioctl+0xac/0x104
+ invoke_syscall+0x48/0x104
+ el0_svc_common.constprop.0+0x40/0xe0
+ do_el0_svc+0x1c/0x28
+ el0_svc+0x34/0xec
+ el0t_64_sync_handler+0xa0/0xf0
+ el0t_64_sync+0x198/0x19c
+
+The __devm_regmap_init_slimbus() started to be used instead of
+__regmap_init_slimbus() after the commit mentioned above and turns out
+the incorrect bus_context pointer (3rd argument) was used in
+__devm_regmap_init_slimbus(). It should be just "slimbus" (which is equal
+to &slimbus->dev). Correct it. The wcd934x codec seems to be the only or
+the first user of devm_regmap_init_slimbus() but we should fix it till
+the point where __devm_regmap_init_slimbus() was introduced therefore
+two "Fixes" tags.
+
+While at this, also correct the same argument in __regmap_init_slimbus().
+
+Fixes: 4e65bda8273c ("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()")
+Fixes: 7d6f7fb053ad ("regmap: add SLIMbus support")
+Cc: stable@vger.kernel.org
+Cc: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Cc: Ma Ke <make24@iscas.ac.cn>
+Cc: Steev Klimaszewski <steev@kali.org>
+Cc: Srinivas Kandagatla <srini@kernel.org>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Alexey Klimov <alexey.klimov@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251022201013.1740211-1-alexey.klimov@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/regmap/regmap-slimbus.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/base/regmap/regmap-slimbus.c
++++ b/drivers/base/regmap/regmap-slimbus.c
+@@ -48,8 +48,7 @@ struct regmap *__regmap_init_slimbus(str
+ if (IS_ERR(bus))
+ return ERR_CAST(bus);
+
+- return __regmap_init(&slimbus->dev, bus, &slimbus->dev, config,
+- lock_key, lock_name);
++ return __regmap_init(&slimbus->dev, bus, slimbus, config, lock_key, lock_name);
+ }
+ EXPORT_SYMBOL_GPL(__regmap_init_slimbus);
+
+@@ -63,8 +62,7 @@ struct regmap *__devm_regmap_init_slimbu
+ if (IS_ERR(bus))
+ return ERR_CAST(bus);
+
+- return __devm_regmap_init(&slimbus->dev, bus, &slimbus, config,
+- lock_key, lock_name);
++ return __devm_regmap_init(&slimbus->dev, bus, slimbus, config, lock_key, lock_name);
+ }
+ EXPORT_SYMBOL_GPL(__devm_regmap_init_slimbus);
+
--- /dev/null
+From 07ad45e06b4039adf96882aefcb1d3299fb7c305 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Mon, 27 Oct 2025 23:08:38 +0800
+Subject: s390/mm: Fix memory leak in add_marker() when kvrealloc() fails
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 07ad45e06b4039adf96882aefcb1d3299fb7c305 upstream.
+
+The function has a memory leak when kvrealloc() fails.
+The function directly assigns NULL to the markers pointer, losing the
+reference to the previously allocated memory. This causes kvfree() in
+pt_dump_init() to free NULL instead of the leaked memory.
+
+Fix by:
+1. Using kvrealloc() uniformly for all allocations
+2. Using a temporary variable to preserve the original pointer until
+ allocation succeeds
+3. Removing the error path that sets markers_cnt=0 to keep
+ consistency between markers and markers_cnt
+
+Found via static analysis and this is similar to commit 42378a9ca553
+("bpf, verifier: Fix memory leak in array reallocation for stack state")
+
+Fixes: d0e7915d2ad3 ("s390/mm/ptdump: Generate address marker array dynamically")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/mm/dump_pagetables.c | 19 +++++++------------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+--- a/arch/s390/mm/dump_pagetables.c
++++ b/arch/s390/mm/dump_pagetables.c
+@@ -247,16 +247,14 @@ static int ptdump_cmp(const void *a, con
+
+ static int add_marker(unsigned long start, unsigned long end, const char *name)
+ {
+- size_t oldsize, newsize;
++ struct addr_marker *new;
++ size_t newsize;
+
+- oldsize = markers_cnt * sizeof(*markers);
+- newsize = oldsize + 2 * sizeof(*markers);
+- if (!oldsize)
+- markers = kvmalloc(newsize, GFP_KERNEL);
+- else
+- markers = kvrealloc(markers, newsize, GFP_KERNEL);
+- if (!markers)
+- goto error;
++ newsize = (markers_cnt + 2) * sizeof(*markers);
++ new = kvrealloc(markers, newsize, GFP_KERNEL);
++ if (!new)
++ return -ENOMEM;
++ markers = new;
+ markers[markers_cnt].is_start = 1;
+ markers[markers_cnt].start_address = start;
+ markers[markers_cnt].size = end - start;
+@@ -268,9 +266,6 @@ static int add_marker(unsigned long star
+ markers[markers_cnt].name = name;
+ markers_cnt++;
+ return 0;
+-error:
+- markers_cnt = 0;
+- return -ENOMEM;
+ }
+
+ static int pt_dump_init(void)
drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-18241
+acpi-fan-use-acpi-handle-when-retrieving-_fst.patch
+block-fix-op_is_zone_mgmt-to-handle-req_op_zone_reset_all.patch
+block-make-req_op_zone_open-a-write-operation.patch
+perf-x86-intel-fix-kasan-global-out-of-bounds-warning.patch
+regmap-slimbus-fix-bus_context-pointer-in-regmap-init-calls.patch
+s390-mm-fix-memory-leak-in-add_marker-when-kvrealloc-fails.patch
+drm-xe-do-not-wake-device-during-a-gt-reset.patch
+drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch
+drm-sched-avoid-killing-parent-entity-on-child-sigkill.patch
+drm-nouveau-fix-race-in-nouveau_sched_fini.patch
+drm-mediatek-fix-device-use-after-free-on-unbind.patch
+drm-ast-clear-preserved-bits-from-register-output-value.patch
+drm-amd-check-that-vpe-has-reached-dpm0-in-idle-handler.patch
+drm-amd-display-fix-incorrect-return-of-vblank-enable-on-unconfigured-crtc.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
