6.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 9 Mar 2026 11:04:42 +0000 (12:04 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 9 Mar 2026 11:04:42 +0000 (12:04 +0100)
added patches:
alsa-doc-usb-audio-add-doc-for-quirk_flag_skip_iface_setup.patch
alsa-hda-intel-increase-default-bdl_pos_adj-for-nvidia-controllers.patch
alsa-hda-realtek-add-quirk-for-acer-aspire-v3-572g.patch
alsa-hda-realtek-add-quirk-for-acer-nitro-anv15-51.patch
alsa-hda-realtek-add-quirk-for-hp-pavilion-15-eh1xxx-to-enable-mute-led.patch
alsa-hda-realtek-add-quirk-for-samsung-galaxy-book-flex-nt950qct-a38a.patch
alsa-hda-realtek-fix-model-name-typo-for-samsung-galaxy-book-flex-nt950qcg-x716.patch
alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch
arm64-gcs-do-not-set-pte_shared-on-gcs-mappings-if-feat_lpa2-is-enabled.patch
bluetooth-purge-error-queues-in-socket-destructors.patch
cpufreq-intel_pstate-fix-crash-during-turbo-disable.patch
drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch
drbd-fix-null-pointer-dereference-on-local-read-error.patch
gve-fix-incorrect-buffer-cleanup-in-gve_tx_clean_pending_packets-for-qpl.patch
ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch
kbuild-leave-objtool-binary-around-with-make-clean.patch
kbuild-split-.modinfo-out-from-elf_details.patch
ksmbd-compare-macs-in-constant-time.patch
mm-thp-deny-thp-for-files-on-anonymous-inodes.patch
mptcp-pm-avoid-sending-rm_addr-over-same-subflow.patch
mptcp-pm-in-kernel-always-mark-signal-subflow-endp-as-used.patch
net-phy-register-phy-led_triggers-during-probe-to-avoid-ab-ba-deadlock.patch
net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch
nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch
perf-x86-intel-uncore-add-per-scheduler-imc-cas-count-events.patch
platform-x86-alienware-wmi-wmax-add-g-mode-support-to-m18-laptops.patch
platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch
platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch
rdma-ionic-fix-kernel-stack-leak-in-ionic_create_cq.patch
rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch
scsi-core-fix-refcount-leak-for-tagset_refcnt.patch
scsi-target-fix-recursive-locking-in-__configfs_open_file.patch
scsi-ufs-core-fix-rpmb-region-size-detection-for-ufs-2.2.patch
selftests-mptcp-join-check-removing-signal-subflow-endp.patch
selftests-mptcp-join-check-rm_addr-not-sent-over-same-subflow.patch
selftests-mptcp-more-stable-simult_flows-tests.patch
smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch
smb-client-fix-broken-multichannel-with-krb5-signing.patch
smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch
smb-client-fix-oops-due-to-uninitialised-var-in-smb2_unlink.patch
squashfs-check-metadata-block-offset-is-within-range.patch
tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch
wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch
wifi-libertas-fix-use-after-free-in-lbs_free_adapter.patch
wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch
wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch
wifi-radiotap-reject-radiotap-with-unknown-bits.patch
x86-boot-handle-relative-config_efi_sbat_file-file-paths.patch
x86-boot-sev-move-sev-decompressor-variables-into-the-.data-section.patch
x86-sev-allow-ibpb-on-entry-feature-for-snp-guests.patch
xfs-fix-error-pointer-dereference.patch
xfs-fix-xfs_group-release-bug-in-xfs_dax_notify_dev_failure.patch

53 files changed:
queue-6.19/alsa-doc-usb-audio-add-doc-for-quirk_flag_skip_iface_setup.patch [new file with mode: 0644]
queue-6.19/alsa-hda-intel-increase-default-bdl_pos_adj-for-nvidia-controllers.patch [new file with mode: 0644]
queue-6.19/alsa-hda-realtek-add-quirk-for-acer-aspire-v3-572g.patch [new file with mode: 0644]
queue-6.19/alsa-hda-realtek-add-quirk-for-acer-nitro-anv15-51.patch [new file with mode: 0644]
queue-6.19/alsa-hda-realtek-add-quirk-for-hp-pavilion-15-eh1xxx-to-enable-mute-led.patch [new file with mode: 0644]
queue-6.19/alsa-hda-realtek-add-quirk-for-samsung-galaxy-book-flex-nt950qct-a38a.patch [new file with mode: 0644]
queue-6.19/alsa-hda-realtek-fix-model-name-typo-for-samsung-galaxy-book-flex-nt950qcg-x716.patch [new file with mode: 0644]
queue-6.19/alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch [new file with mode: 0644]
queue-6.19/arm64-gcs-do-not-set-pte_shared-on-gcs-mappings-if-feat_lpa2-is-enabled.patch [new file with mode: 0644]
queue-6.19/bluetooth-purge-error-queues-in-socket-destructors.patch [new file with mode: 0644]
queue-6.19/cpufreq-intel_pstate-fix-crash-during-turbo-disable.patch [new file with mode: 0644]
queue-6.19/drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch [new file with mode: 0644]
queue-6.19/drbd-fix-null-pointer-dereference-on-local-read-error.patch [new file with mode: 0644]
queue-6.19/gve-fix-incorrect-buffer-cleanup-in-gve_tx_clean_pending_packets-for-qpl.patch [new file with mode: 0644]
queue-6.19/ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch [new file with mode: 0644]
queue-6.19/kbuild-leave-objtool-binary-around-with-make-clean.patch [new file with mode: 0644]
queue-6.19/kbuild-split-.modinfo-out-from-elf_details.patch [new file with mode: 0644]
queue-6.19/ksmbd-compare-macs-in-constant-time.patch [new file with mode: 0644]
queue-6.19/mm-thp-deny-thp-for-files-on-anonymous-inodes.patch [new file with mode: 0644]
queue-6.19/mptcp-pm-avoid-sending-rm_addr-over-same-subflow.patch [new file with mode: 0644]
queue-6.19/mptcp-pm-in-kernel-always-mark-signal-subflow-endp-as-used.patch [new file with mode: 0644]
queue-6.19/net-phy-register-phy-led_triggers-during-probe-to-avoid-ab-ba-deadlock.patch [new file with mode: 0644]
queue-6.19/net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch [new file with mode: 0644]
queue-6.19/nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch [new file with mode: 0644]
queue-6.19/perf-x86-intel-uncore-add-per-scheduler-imc-cas-count-events.patch [new file with mode: 0644]
queue-6.19/platform-x86-alienware-wmi-wmax-add-g-mode-support-to-m18-laptops.patch [new file with mode: 0644]
queue-6.19/platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch [new file with mode: 0644]
queue-6.19/platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch [new file with mode: 0644]
queue-6.19/rdma-ionic-fix-kernel-stack-leak-in-ionic_create_cq.patch [new file with mode: 0644]
queue-6.19/rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch [new file with mode: 0644]
queue-6.19/scsi-core-fix-refcount-leak-for-tagset_refcnt.patch [new file with mode: 0644]
queue-6.19/scsi-target-fix-recursive-locking-in-__configfs_open_file.patch [new file with mode: 0644]
queue-6.19/scsi-ufs-core-fix-rpmb-region-size-detection-for-ufs-2.2.patch [new file with mode: 0644]
queue-6.19/selftests-mptcp-join-check-removing-signal-subflow-endp.patch [new file with mode: 0644]
queue-6.19/selftests-mptcp-join-check-rm_addr-not-sent-over-same-subflow.patch [new file with mode: 0644]
queue-6.19/selftests-mptcp-more-stable-simult_flows-tests.patch [new file with mode: 0644]
queue-6.19/series
queue-6.19/smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch [new file with mode: 0644]
queue-6.19/smb-client-fix-broken-multichannel-with-krb5-signing.patch [new file with mode: 0644]
queue-6.19/smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch [new file with mode: 0644]
queue-6.19/smb-client-fix-oops-due-to-uninitialised-var-in-smb2_unlink.patch [new file with mode: 0644]
queue-6.19/squashfs-check-metadata-block-offset-is-within-range.patch [new file with mode: 0644]
queue-6.19/tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch [new file with mode: 0644]
queue-6.19/wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch [new file with mode: 0644]
queue-6.19/wifi-libertas-fix-use-after-free-in-lbs_free_adapter.patch [new file with mode: 0644]
queue-6.19/wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch [new file with mode: 0644]
queue-6.19/wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch [new file with mode: 0644]
queue-6.19/wifi-radiotap-reject-radiotap-with-unknown-bits.patch [new file with mode: 0644]
queue-6.19/x86-boot-handle-relative-config_efi_sbat_file-file-paths.patch [new file with mode: 0644]
queue-6.19/x86-boot-sev-move-sev-decompressor-variables-into-the-.data-section.patch [new file with mode: 0644]
queue-6.19/x86-sev-allow-ibpb-on-entry-feature-for-snp-guests.patch [new file with mode: 0644]
queue-6.19/xfs-fix-error-pointer-dereference.patch [new file with mode: 0644]
queue-6.19/xfs-fix-xfs_group-release-bug-in-xfs_dax_notify_dev_failure.patch [new file with mode: 0644]

diff --git a/queue-6.19/alsa-doc-usb-audio-add-doc-for-quirk_flag_skip_iface_setup.patch b/queue-6.19/alsa-doc-usb-audio-add-doc-for-quirk_flag_skip_iface_setup.patch
new file mode 100644 (file)
index 0000000..2d93e4a
--- /dev/null
@@ -0,0 +1,35 @@
+From 93992667d0ab695ac30ceec91a516fd4bf725d75 Mon Sep 17 00:00:00 2001
+From: Rong Zhang <i@rong.moe>
+Date: Tue, 3 Mar 2026 01:32:59 +0800
+Subject: ALSA: doc: usb-audio: Add doc for QUIRK_FLAG_SKIP_IFACE_SETUP
+
+From: Rong Zhang <i@rong.moe>
+
+commit 93992667d0ab695ac30ceec91a516fd4bf725d75 upstream.
+
+QUIRK_FLAG_SKIP_IFACE_SETUP was introduced into usb-audio before without
+appropriate documentation, so add it.
+
+Fixes: 38c322068a26 ("ALSA: usb-audio: Add QUIRK_FLAG_SKIP_IFACE_SETUP")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rong Zhang <i@rong.moe>
+Link: https://patch.msgid.link/20260302173300.322673-1-i@rong.moe
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/sound/alsa-configuration.rst |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/Documentation/sound/alsa-configuration.rst
++++ b/Documentation/sound/alsa-configuration.rst
+@@ -2372,6 +2372,10 @@ quirk_flags
+           audible volume
+         * bit 25: ``mixer_capture_min_mute``
+           Similar to bit 24 but for capture streams
++        * bit 26: ``skip_iface_setup``
++          Skip the probe-time interface setup (usb_set_interface,
++          init_pitch, init_sample_rate); redundant with
++          snd_usb_endpoint_prepare() at stream-open time
+ This module supports multiple devices, autoprobe and hotplugging.
diff --git a/queue-6.19/alsa-hda-intel-increase-default-bdl_pos_adj-for-nvidia-controllers.patch b/queue-6.19/alsa-hda-intel-increase-default-bdl_pos_adj-for-nvidia-controllers.patch
new file mode 100644 (file)
index 0000000..ce7afef
--- /dev/null
@@ -0,0 +1,41 @@
+From e9fb2028f1eb563e653cff3b0d1c87c5e0203d45 Mon Sep 17 00:00:00 2001
+From: Panagiotis Foliadis <pfoliadis@posteo.net>
+Date: Wed, 25 Feb 2026 14:53:43 +0000
+Subject: ALSA: hda/intel: increase default bdl_pos_adj for Nvidia controllers
+
+From: Panagiotis Foliadis <pfoliadis@posteo.net>
+
+commit e9fb2028f1eb563e653cff3b0d1c87c5e0203d45 upstream.
+
+The default bdl_pos_adj of 32 for Nvidia HDA controllers is
+insufficient on GA102 (and likely other recent Nvidia GPUs) after S3
+suspend/resume. The controller's DMA timing degrades after resume,
+causing premature IRQ detection in azx_position_ok() which results in
+silent HDMI/DP audio output despite userspace reporting a valid
+playback state and correct ELD data.
+
+Increase bdl_pos_adj to 64 for AZX_DRIVER_NVIDIA, matching the value
+already used by Intel Apollo Lake for the same class of timing issue.
+
+Cc: stable@vger.kernel.org
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221069
+Suggested-by: Charalampos Mitrodimas <charmitro@posteo.net>
+Signed-off-by: Panagiotis Foliadis <pfoliadis@posteo.net>
+Link: https://patch.msgid.link/20260225-nvidia-audio-fix-v1-1-b1383c37ec49@posteo.net
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/controllers/intel.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/hda/controllers/intel.c
++++ b/sound/hda/controllers/intel.c
+@@ -1751,6 +1751,8 @@ static int default_bdl_pos_adj(struct az
+               return 1;
+       case AZX_DRIVER_ZHAOXINHDMI:
+               return 128;
++      case AZX_DRIVER_NVIDIA:
++              return 64;
+       default:
+               return 32;
+       }
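Review bot: The new `case AZX_DRIVER_NVIDIA:` applies the larger adjustment to every controller of that driver type, while the description reports the failure on GA102 after S3 resume and only infers it for other recent GPUs. It would be worth confirming that older Nvidia controllers behave correctly with 64. The bare `return 64;` also gives no hint of why it differs from the default of 32, so a one-line comment above it such as `/* DMA timing degrades after S3 resume; 32 triggers premature IRQ detection */` would help the next reader. default_bdl_pos_adj() starts and ends outside the hunk.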
diff --git a/queue-6.19/alsa-hda-realtek-add-quirk-for-acer-aspire-v3-572g.patch b/queue-6.19/alsa-hda-realtek-add-quirk-for-acer-aspire-v3-572g.patch
new file mode 100644 (file)
index 0000000..46a9d5d
--- /dev/null
@@ -0,0 +1,38 @@
+From cbddd303416456db5ceeedaf9e262096f079e861 Mon Sep 17 00:00:00 2001
+From: Panagiotis Foliadis <pfoliadis@posteo.net>
+Date: Sat, 21 Feb 2026 19:40:58 +0000
+Subject: ALSA: hda/realtek: Add quirk for Acer Aspire V3-572G
+
+From: Panagiotis Foliadis <pfoliadis@posteo.net>
+
+commit cbddd303416456db5ceeedaf9e262096f079e861 upstream.
+
+The Acer Aspire V3-572G has a combo jack (ALC283) but the BIOS
+sets pin 0x19 to 0x411111f0 (not connected), so the headset mic
+is not detected.
+
+Add a quirk to override pin 0x19 as a headset mic and enable
+headset mode.
+
+Cc: stable@vger.kernel.org
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221075
+Suggested-by: Charalampos Mitrodimas <charmitro@posteo.net>
+Signed-off-by: Panagiotis Foliadis <pfoliadis@posteo.net>
+Reviewed-by: Charalampos Mitrodimas <charmitro@posteo.net>
+Link: https://patch.msgid.link/20260221-fix-detect-mic-v1-1-b6e427b5275d@posteo.net
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/codecs/realtek/alc269.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -6591,6 +6591,7 @@ static const struct hda_quirk alc269_fix
+       SND_PCI_QUIRK(0x1025, 0x079b, "Acer Aspire V5-573G", ALC282_FIXUP_ASPIRE_V5_PINS),
+       SND_PCI_QUIRK(0x1025, 0x080d, "Acer Aspire V5-122P", ALC269_FIXUP_ASPIRE_HEADSET_MIC),
+       SND_PCI_QUIRK(0x1025, 0x0840, "Acer Aspire E1", ALC269VB_FIXUP_ASPIRE_E1_COEF),
++      SND_PCI_QUIRK(0x1025, 0x0943, "Acer Aspire V3-572G", ALC269_FIXUP_ASPIRE_HEADSET_MIC),
+       SND_PCI_QUIRK(0x1025, 0x100c, "Acer Aspire E5-574G", ALC255_FIXUP_ACER_LIMIT_INT_MIC_BOOST),
+       SND_PCI_QUIRK(0x1025, 0x101c, "Acer Veriton N2510G", ALC269_FIXUP_LIFEBOOK),
+       SND_PCI_QUIRK(0x1025, 0x102b, "Acer Aspire C24-860", ALC286_FIXUP_ACER_AIO_MIC_NO_PRESENCE),
diff --git a/queue-6.19/alsa-hda-realtek-add-quirk-for-acer-nitro-anv15-51.patch b/queue-6.19/alsa-hda-realtek-add-quirk-for-acer-nitro-anv15-51.patch
new file mode 100644 (file)
index 0000000..fe415d1
--- /dev/null
@@ -0,0 +1,54 @@
+From aa4876fe2d9fcbcaa0592b25f34ec6f6ea7876c1 Mon Sep 17 00:00:00 2001
+From: Zhang Heng <zhangheng@kylinos.cn>
+Date: Mon, 9 Feb 2026 21:41:49 +0800
+Subject: ALSA: hda/realtek: add quirk for Acer Nitro ANV15-51
+
+From: Zhang Heng <zhangheng@kylinos.cn>
+
+commit aa4876fe2d9fcbcaa0592b25f34ec6f6ea7876c1 upstream.
+
+fix mute/micmute LEDs and headset microphone for Acer Nitro ANV15-51.
+
+[ The headset microphone issue is solved by Kailang]
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=220279
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20260209134149.3076957-1-zhangheng@kylinos.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/codecs/realtek/alc269.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -4056,6 +4056,7 @@ enum {
+       ALC236_FIXUP_HP_MUTE_LED_MICMUTE_GPIO,
+       ALC233_FIXUP_LENOVO_GPIO2_MIC_HOTKEY,
+       ALC245_FIXUP_BASS_HP_DAC,
++      ALC245_FIXUP_ACER_MICMUTE_LED,
+ };
+ /* A special fixup for Lenovo C940 and Yoga Duet 7;
+@@ -6576,6 +6577,12 @@ static const struct hda_fixup alc269_fix
+               /* Borrow the DAC routing selected for those Thinkpads */
+               .v.func = alc285_fixup_thinkpad_x1_gen7,
+       },
++      [ALC245_FIXUP_ACER_MICMUTE_LED] = {
++              .type = HDA_FIXUP_FUNC,
++              .v.func = alc285_fixup_hp_coef_micmute_led,
++              .chained = true,
++              .chain_id = ALC2XX_FIXUP_HEADSET_MIC,
++      }
+ };
+ static const struct hda_quirk alc269_fixup_tbl[] = {
+@@ -6628,6 +6635,7 @@ static const struct hda_quirk alc269_fix
+       SND_PCI_QUIRK(0x1025, 0x159c, "Acer Nitro 5 AN515-58", ALC2XX_FIXUP_HEADSET_MIC),
+       SND_PCI_QUIRK(0x1025, 0x1597, "Acer Nitro 5 AN517-55", ALC2XX_FIXUP_HEADSET_MIC),
+       SND_PCI_QUIRK(0x1025, 0x169a, "Acer Swift SFG16", ALC256_FIXUP_ACER_SFG16_MICMUTE_LED),
++      SND_PCI_QUIRK(0x1025, 0x171e, "Acer Nitro ANV15-51", ALC245_FIXUP_ACER_MICMUTE_LED),
+       SND_PCI_QUIRK(0x1025, 0x1826, "Acer Helios ZPC", ALC287_FIXUP_PREDATOR_SPK_CS35L41_I2C_2),
+       SND_PCI_QUIRK(0x1025, 0x182c, "Acer Helios ZPD", ALC287_FIXUP_PREDATOR_SPK_CS35L41_I2C_2),
+       SND_PCI_QUIRK(0x1025, 0x1844, "Acer Helios ZPS", ALC287_FIXUP_PREDATOR_SPK_CS35L41_I2C_2),
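Review bot: The new `[ALC245_FIXUP_ACER_MICMUTE_LED]` initializer closes with a bare `}`, whereas the entry directly above it ends in `},`. Ending it with `},` keeps the table uniform and means the next fixup appended to alc269_fixups[] will not have to modify this line. The entry also reuses `alc285_fixup_hp_coef_micmute_led` for an Acer machine, so a short comment such as `/* reuses the HP coef-based micmute LED handler */` would show that the HP name is intentional. The enum, the fixup array and the quirk table all begin outside the hunks shown.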
diff --git a/queue-6.19/alsa-hda-realtek-add-quirk-for-hp-pavilion-15-eh1xxx-to-enable-mute-led.patch b/queue-6.19/alsa-hda-realtek-add-quirk-for-hp-pavilion-15-eh1xxx-to-enable-mute-led.patch
new file mode 100644 (file)
index 0000000..8a28add
--- /dev/null
@@ -0,0 +1,33 @@
+From 068641bc9dc3d680d1ec4f6ee9199d4812041dff Mon Sep 17 00:00:00 2001
+From: Zhang Heng <zhangheng@kylinos.cn>
+Date: Fri, 27 Feb 2026 20:13:27 +0800
+Subject: ALSA: hda/realtek: Add quirk for HP Pavilion 15-eh1xxx to enable mute LED
+
+From: Zhang Heng <zhangheng@kylinos.cn>
+
+commit 068641bc9dc3d680d1ec4f6ee9199d4812041dff upstream.
+
+The HP Pavilion 15-eh1xxx series uses the HP mainboard 88D1 with ALC245
+and needs the ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT quirk to make the
+mute led working.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215978
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
+Link: https://patch.msgid.link/20260227121327.3751341-1-zhangheng@kylinos.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/codecs/realtek/alc269.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -6872,6 +6872,7 @@ static const struct hda_quirk alc269_fix
+       SND_PCI_QUIRK(0x103c, 0x8898, "HP EliteBook 845 G8 Notebook PC", ALC285_FIXUP_HP_LIMIT_INT_MIC_BOOST),
+       SND_PCI_QUIRK(0x103c, 0x88b3, "HP ENVY x360 Convertible 15-es0xxx", ALC245_FIXUP_HP_ENVY_X360_MUTE_LED),
+       SND_PCI_QUIRK(0x103c, 0x88d0, "HP Pavilion 15-eh1xxx (mainboard 88D0)", ALC287_FIXUP_HP_GPIO_LED),
++      SND_PCI_QUIRK(0x103c, 0x88d1, "HP Pavilion 15-eh1xxx (mainboard 88D1)", ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT),
+       SND_PCI_QUIRK(0x103c, 0x88dd, "HP Pavilion 15z-ec200", ALC285_FIXUP_HP_MUTE_LED),
+       SND_PCI_QUIRK(0x103c, 0x88eb, "HP Victus 16-e0xxx", ALC245_FIXUP_HP_MUTE_LED_V2_COEFBIT),
+       SND_PCI_QUIRK(0x103c, 0x8902, "HP OMEN 16", ALC285_FIXUP_HP_MUTE_LED),
diff --git a/queue-6.19/alsa-hda-realtek-add-quirk-for-samsung-galaxy-book-flex-nt950qct-a38a.patch b/queue-6.19/alsa-hda-realtek-add-quirk-for-samsung-galaxy-book-flex-nt950qct-a38a.patch
new file mode 100644 (file)
index 0000000..4ca5a97
--- /dev/null
@@ -0,0 +1,31 @@
+From 9fb16a5c5ff93058851099a2b80a899b0c53fe3f Mon Sep 17 00:00:00 2001
+From: Juhyung Park <qkrwngud825@gmail.com>
+Date: Sun, 22 Feb 2026 21:26:09 +0900
+Subject: ALSA: hda/realtek: add quirk for Samsung Galaxy Book Flex (NT950QCT-A38A)
+
+From: Juhyung Park <qkrwngud825@gmail.com>
+
+commit 9fb16a5c5ff93058851099a2b80a899b0c53fe3f upstream.
+
+Similar to other Samsung laptops, NT950QCT also requires the
+ALC298_FIXUP_SAMSUNG_AMP quirk applied.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Juhyung Park <qkrwngud825@gmail.com>
+Link: https://patch.msgid.link/20260222122609.281191-2-qkrwngud825@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/codecs/realtek/alc269.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7313,6 +7313,7 @@ static const struct hda_quirk alc269_fix
+       SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC),
+       SND_PCI_QUIRK(0x144d, 0xc169, "Samsung Notebook 9 Pen (NP930SBE-K01US)", ALC298_FIXUP_SAMSUNG_AMP),
+       SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_AMP),
++      SND_PCI_QUIRK(0x144d, 0xc188, "Samsung Galaxy Book Flex (NT950QCT-A38A)", ALC298_FIXUP_SAMSUNG_AMP),
+       SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Book Flex (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP),
+       SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP),
+       SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP),
diff --git a/queue-6.19/alsa-hda-realtek-fix-model-name-typo-for-samsung-galaxy-book-flex-nt950qcg-x716.patch b/queue-6.19/alsa-hda-realtek-fix-model-name-typo-for-samsung-galaxy-book-flex-nt950qcg-x716.patch
new file mode 100644 (file)
index 0000000..22f6e78
--- /dev/null
@@ -0,0 +1,34 @@
+From 43a44fb7f2fa163926b23149805e989ba2395db1 Mon Sep 17 00:00:00 2001
+From: Juhyung Park <qkrwngud825@gmail.com>
+Date: Sun, 22 Feb 2026 21:26:08 +0900
+Subject: ALSA: hda/realtek: fix model name typo for Samsung Galaxy Book Flex (NT950QCG-X716)
+
+From: Juhyung Park <qkrwngud825@gmail.com>
+
+commit 43a44fb7f2fa163926b23149805e989ba2395db1 upstream.
+
+There's no product named "Samsung Galaxy Flex Book".
+Use the correct "Samsung Galaxy Book Flex" name.
+
+Link: https://www.samsung.com/sec/support/model/NT950QCG-X716
+Link: https://www.samsung.com/us/computing/galaxy-books/galaxy-book-flex/galaxy-book-flex-15-6-qled-512gb-storage-s-pen-included-np950qcg-k01us
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Juhyung Park <qkrwngud825@gmail.com>
+Link: https://patch.msgid.link/20260222122609.281191-1-qkrwngud825@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/codecs/realtek/alc269.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/hda/codecs/realtek/alc269.c
++++ b/sound/hda/codecs/realtek/alc269.c
+@@ -7312,7 +7312,7 @@ static const struct hda_quirk alc269_fix
+       SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC),
+       SND_PCI_QUIRK(0x144d, 0xc169, "Samsung Notebook 9 Pen (NP930SBE-K01US)", ALC298_FIXUP_SAMSUNG_AMP),
+       SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_AMP),
+-      SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP),
++      SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Book Flex (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP),
+       SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP),
+       SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP),
+       SND_PCI_QUIRK(0x144d, 0xc1a4, "Samsung Galaxy Book Pro 360 (NT935QBD)", ALC298_FIXUP_SAMSUNG_AMP),
diff --git a/queue-6.19/alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch b/queue-6.19/alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch
new file mode 100644 (file)
index 0000000..5e2e168
--- /dev/null
@@ -0,0 +1,43 @@
+From 54f9d645a5453d0bfece0c465d34aaf072ea99fa Mon Sep 17 00:00:00 2001
+From: Jun Seo <jun.seo.93@proton.me>
+Date: Thu, 26 Feb 2026 10:08:20 +0900
+Subject: ALSA: usb-audio: Use correct version for UAC3 header validation
+
+From: Jun Seo <jun.seo.93@proton.me>
+
+commit 54f9d645a5453d0bfece0c465d34aaf072ea99fa upstream.
+
+The entry of the validators table for UAC3 AC header descriptor is
+defined with the wrong protocol version UAC_VERSION_2, while it should
+have been UAC_VERSION_3.  This results in the validator never matching
+for actual UAC3 devices (protocol == UAC_VERSION_3), causing their
+header descriptors to bypass validation entirely.  A malicious USB
+device presenting a truncated UAC3 header could exploit this to cause
+out-of-bounds reads when the driver later accesses unvalidated
+descriptor fields.
+
+The bug was introduced in the same commit as the recently fixed UAC3
+feature unit sub-type typo, and appears to be from the same copy-paste
+error when the UAC3 section was created from the UAC2 section.
+
+Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jun Seo <jun.seo.93@proton.me>
+Link: https://patch.msgid.link/20260226010820.36529-1-jun.seo.93@proton.me
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/validate.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/validate.c
++++ b/sound/usb/validate.c
+@@ -281,7 +281,7 @@ static const struct usb_desc_validator a
+       /* UAC_VERSION_2, UAC2_SAMPLE_RATE_CONVERTER: not implemented yet */
+       /* UAC3 */
+-      FIXED(UAC_VERSION_2, UAC_HEADER, struct uac3_ac_header_descriptor),
++      FIXED(UAC_VERSION_3, UAC_HEADER, struct uac3_ac_header_descriptor),
+       FIXED(UAC_VERSION_3, UAC_INPUT_TERMINAL,
+             struct uac3_input_terminal_descriptor),
+       FIXED(UAC_VERSION_3, UAC_OUTPUT_TERMINAL,
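Review bot: The corrected `FIXED(UAC_VERSION_3, UAC_HEADER, ...)` row shows that a table entry with the wrong protocol tag fails open: per the description, the descriptor from a UAC3 device simply went unvalidated, with nothing logged. The description attributes this and an earlier feature-unit typo to one copy-paste of the UAC2 section. The remaining rows under `/* UAC3 */`, which continue past this hunk, therefore deserve a check that each pairs `UAC_VERSION_3` with a `uac3_` structure. A comment at the head of the section, for example `/* UAC3: every entry below must use UAC_VERSION_3; a descriptor with no matching entry is not validated */`, would make the invariant explicit for future additions.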
diff --git a/queue-6.19/arm64-gcs-do-not-set-pte_shared-on-gcs-mappings-if-feat_lpa2-is-enabled.patch b/queue-6.19/arm64-gcs-do-not-set-pte_shared-on-gcs-mappings-if-feat_lpa2-is-enabled.patch
new file mode 100644 (file)
index 0000000..2531115
--- /dev/null
@@ -0,0 +1,136 @@
+From 8a85b3131225a8c8143ba2ae29c0eef8c1f9117f Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Mon, 23 Feb 2026 17:45:30 +0000
+Subject: arm64: gcs: Do not set PTE_SHARED on GCS mappings if FEAT_LPA2 is enabled
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+commit 8a85b3131225a8c8143ba2ae29c0eef8c1f9117f upstream.
+
+When FEAT_LPA2 is enabled, bits 8-9 of the PTE replace the
+shareability attribute with bits 50-51 of the output address. The
+_PAGE_GCS{,_RO} definitions include the PTE_SHARED bits as 0b11 (this
+matches the other _PAGE_* definitions) but using this macro directly
+leads to the following panic when enabling GCS on a system/model with
+LPA2:
+
+  Unable to handle kernel paging request at virtual address fffff1ffc32d8008
+  Mem abort info:
+    ESR = 0x0000000096000004
+    EC = 0x25: DABT (current EL), IL = 32 bits
+    SET = 0, FnV = 0
+    EA = 0, S1PTW = 0
+    FSC = 0x04: level 0 translation fault
+  Data abort info:
+    ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+    CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+  swapper pgtable: 4k pages, 52-bit VAs, pgdp=0000000060f4d000
+  [fffff1ffc32d8008] pgd=100000006184b003, p4d=0000000000000000
+  Internal error: Oops: 0000000096000004 [#1]  SMP
+  CPU: 0 UID: 0 PID: 513 Comm: gcs_write_fault Tainted: G   M                7.0.0-rc1 #1 PREEMPT
+  Tainted: [M]=MACHINE_CHECK
+  Hardware name: QEMU QEMU Virtual Machine, BIOS 2025.02-8+deb13u1 11/08/2025
+  pstate: 03402005 (nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
+  pc : zap_huge_pmd+0x168/0x468
+  lr : zap_huge_pmd+0x2c/0x468
+  sp : ffff800080beb660
+  x29: ffff800080beb660 x28: fff00000c2058180 x27: ffff800080beb898
+  x26: fff00000c2058180 x25: ffff800080beb820 x24: 00c800010b600f41
+  x23: ffffc1ffc30af1a8 x22: fff00000c2058180 x21: 0000ffff8dc00000
+  x20: fff00000c2bc6370 x19: ffff800080beb898 x18: ffff800080bebb60
+  x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000007
+  x14: 000000000000000a x13: 0000aaaacbbbffff x12: 0000000000000000
+  x11: 0000ffff8ddfffff x10: 00000000000001fe x9 : 0000ffff8ddfffff
+  x8 : 0000ffff8de00000 x7 : 0000ffff8da00000 x6 : fff00000c2bc6370
+  x5 : 0000ffff8da00000 x4 : 000000010b600000 x3 : ffffc1ffc0000000
+  x2 : fff00000c2058180 x1 : fffff1ffc32d8000 x0 : 000000c00010b600
+  Call trace:
+   zap_huge_pmd+0x168/0x468 (P)
+   unmap_page_range+0xd70/0x1560
+   unmap_single_vma+0x48/0x80
+   unmap_vmas+0x90/0x180
+   unmap_region+0x88/0xe4
+   vms_complete_munmap_vmas+0xf8/0x1e0
+   do_vmi_align_munmap+0x158/0x180
+   do_vmi_munmap+0xac/0x160
+   __vm_munmap+0xb0/0x138
+   vm_munmap+0x14/0x20
+   gcs_free+0x70/0x80
+   mm_release+0x1c/0xc8
+   exit_mm_release+0x28/0x38
+   do_exit+0x190/0x8ec
+   do_group_exit+0x34/0x90
+   get_signal+0x794/0x858
+   arch_do_signal_or_restart+0x11c/0x3e0
+   exit_to_user_mode_loop+0x10c/0x17c
+   el0_da+0x8c/0x9c
+   el0t_64_sync_handler+0xd0/0xf0
+   el0t_64_sync+0x198/0x19c
+  Code: aa1603e2 d34cfc00 cb813001 8b011861 (f9400420)
+
+Similarly to how the kernel handles protection_map[], use a
+gcs_page_prot variable to store the protection bits and clear PTE_SHARED
+if LPA2 is enabled.
+
+Also remove the unused PAGE_GCS{,_RO} macros.
+
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Fixes: 6497b66ba694 ("arm64/mm: Map pages for guarded control stack")
+Reported-by: Emanuele Rocca <emanuele.rocca@arm.com>
+Cc: stable@vger.kernel.org
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Will Deacon <will@kernel.org>
+Reviewed-by: David Hildenbrand (Arm) <david@kernel.org>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/pgtable-prot.h |    3 ---
+ arch/arm64/mm/mmap.c                  |    8 ++++++--
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/include/asm/pgtable-prot.h
++++ b/arch/arm64/include/asm/pgtable-prot.h
+@@ -164,9 +164,6 @@ static inline bool __pure lpa2_is_enable
+ #define _PAGE_GCS     (_PAGE_DEFAULT | PTE_NG | PTE_UXN | PTE_WRITE | PTE_USER)
+ #define _PAGE_GCS_RO  (_PAGE_DEFAULT | PTE_NG | PTE_UXN | PTE_USER)
+-#define PAGE_GCS      __pgprot(_PAGE_GCS)
+-#define PAGE_GCS_RO   __pgprot(_PAGE_GCS_RO)
+-
+ #define PIE_E0        ( \
+       PIRx_ELx_PERM_PREP(pte_pi_index(_PAGE_GCS),           PIE_GCS)  | \
+       PIRx_ELx_PERM_PREP(pte_pi_index(_PAGE_GCS_RO),        PIE_R)   | \
+--- a/arch/arm64/mm/mmap.c
++++ b/arch/arm64/mm/mmap.c
+@@ -34,6 +34,8 @@ static pgprot_t protection_map[16] __ro_
+       [VM_SHARED | VM_EXEC | VM_WRITE | VM_READ]      = PAGE_SHARED_EXEC
+ };
++static ptdesc_t gcs_page_prot __ro_after_init = _PAGE_GCS_RO;
++
+ /*
+  * You really shouldn't be using read() or write() on /dev/mem.  This might go
+  * away in the future.
+@@ -73,9 +75,11 @@ static int __init adjust_protection_map(
+               protection_map[VM_EXEC | VM_SHARED] = PAGE_EXECONLY;
+       }
+-      if (lpa2_is_enabled())
++      if (lpa2_is_enabled()) {
+               for (int i = 0; i < ARRAY_SIZE(protection_map); i++)
+                       pgprot_val(protection_map[i]) &= ~PTE_SHARED;
++              gcs_page_prot &= ~PTE_SHARED;
++      }
+       return 0;
+ }
+@@ -87,7 +91,7 @@ pgprot_t vm_get_page_prot(vm_flags_t vm_
+       /* Short circuit GCS to avoid bloating the table. */
+       if (system_supports_gcs() && (vm_flags & VM_SHADOW_STACK)) {
+-              prot = _PAGE_GCS_RO;
++              prot = gcs_page_prot;
+       } else {
+               prot = pgprot_val(protection_map[vm_flags &
+                                  (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]);
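Review bot: `gcs_page_prot` is introduced without a comment, and nothing at its use in vm_get_page_prot() says why `_PAGE_GCS_RO` must no longer be used directly there. A comment on the definition such as `/* _PAGE_GCS_RO, with PTE_SHARED cleared by adjust_protection_map() when LPA2 is enabled */` would keep a later cleanup from reverting to the macro. `_PAGE_GCS` and `_PAGE_GCS_RO` stay defined and, per the description, still carry the shareability bits. Their only users visible here are the `pte_pi_index()` calls in PIE_E0, so presumably nothing else builds a PTE from them, but that is worth confirming across the tree. adjust_protection_map() and vm_get_page_prot() both extend beyond the hunks.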
diff --git a/queue-6.19/bluetooth-purge-error-queues-in-socket-destructors.patch b/queue-6.19/bluetooth-purge-error-queues-in-socket-destructors.patch
new file mode 100644 (file)
index 0000000..a5054aa
--- /dev/null
@@ -0,0 +1,71 @@
+From 21e4271e65094172aadd5beb8caea95dd0fbf6d7 Mon Sep 17 00:00:00 2001
+From: Heitor Alves de Siqueira <halves@igalia.com>
+Date: Wed, 11 Feb 2026 15:03:35 -0300
+Subject: Bluetooth: purge error queues in socket destructors
+
+From: Heitor Alves de Siqueira <halves@igalia.com>
+
+commit 21e4271e65094172aadd5beb8caea95dd0fbf6d7 upstream.
+
+When TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued
+into sk_error_queue and will stay there until consumed. If userspace never
+gets to read the timestamps, or if the controller is removed unexpectedly,
+these SKBs will leak.
+
+Fix by adding skb_queue_purge() calls for sk_error_queue in affected
+bluetooth destructors. RFCOMM does not currently use sk_error_queue.
+
+Fixes: 134f4b39df7b ("Bluetooth: add support for skb TX SND/COMPLETION timestamping")
+Reported-by: syzbot+7ff4013eabad1407b70a@syzkaller.appspotmail.com
+Closes: https://syzbot.org/bug?extid=7ff4013eabad1407b70a
+Cc: stable@vger.kernel.org
+Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sock.c   |    1 +
+ net/bluetooth/iso.c        |    1 +
+ net/bluetooth/l2cap_sock.c |    1 +
+ net/bluetooth/sco.c        |    1 +
+ 4 files changed, 4 insertions(+)
+
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -2166,6 +2166,7 @@ static void hci_sock_destruct(struct soc
+       mgmt_cleanup(sk);
+       skb_queue_purge(&sk->sk_receive_queue);
+       skb_queue_purge(&sk->sk_write_queue);
++      skb_queue_purge(&sk->sk_error_queue);
+ }
+ static const struct proto_ops hci_sock_ops = {
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -746,6 +746,7 @@ static void iso_sock_destruct(struct soc
+       skb_queue_purge(&sk->sk_receive_queue);
+       skb_queue_purge(&sk->sk_write_queue);
++      skb_queue_purge(&sk->sk_error_queue);
+ }
+ static void iso_sock_cleanup_listen(struct sock *parent)
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1806,6 +1806,7 @@ static void l2cap_sock_destruct(struct s
+       skb_queue_purge(&sk->sk_receive_queue);
+       skb_queue_purge(&sk->sk_write_queue);
++      skb_queue_purge(&sk->sk_error_queue);
+ }
+ static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -470,6 +470,7 @@ static void sco_sock_destruct(struct soc
+       skb_queue_purge(&sk->sk_receive_queue);
+       skb_queue_purge(&sk->sk_write_queue);
++      skb_queue_purge(&sk->sk_error_queue);
+ }
+ static void sco_sock_cleanup_listen(struct sock *parent)
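Review bot: Nothing in the four destructors (hci_sock_destruct, iso_sock_destruct, l2cap_sock_destruct, sco_sock_destruct) says why sk_error_queue can still hold skbs at destruct time, and each one now repeats the same three skb_queue_purge() calls. A one-line comment above the added call would keep a future socket type from missing it, e.g. `/* TX timestamp skbs (SO_TIMESTAMPING) stay queued until userspace reads them */`. The commit message states that RFCOMM does not use sk_error_queue today; if that changes, its destructor needs the same purge. Each destructor body starts outside its hunk, so any earlier handling of the error queue is not visible here.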
diff --git a/queue-6.19/cpufreq-intel_pstate-fix-crash-during-turbo-disable.patch b/queue-6.19/cpufreq-intel_pstate-fix-crash-during-turbo-disable.patch
new file mode 100644 (file)
index 0000000..caf2e2b
--- /dev/null
@@ -0,0 +1,81 @@
+From 6b050482ec40569429d963ac52afa878691b04c9 Mon Sep 17 00:00:00 2001
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Date: Tue, 24 Feb 2026 16:17:52 -0800
+Subject: cpufreq: intel_pstate: Fix crash during turbo disable
+
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+
+commit 6b050482ec40569429d963ac52afa878691b04c9 upstream.
+
+When the system is booted with kernel command line argument "nosmt" or
+"maxcpus" to limit the number of CPUs, disabling turbo via:
+
+ echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo
+
+results in a crash:
+
+ PF: supervisor read access in kernel mode
+ PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: Oops: 0000 [#1] SMP PTI
+ ...
+ RIP: 0010:store_no_turbo+0x100/0x1f0
+ ...
+
+This occurs because for_each_possible_cpu() returns CPUs even if they
+are not online. For those CPUs, all_cpu_data[] will be NULL. Since
+commit 973207ae3d7c ("cpufreq: intel_pstate: Rearrange max frequency
+updates handling code"), all_cpu_data[] is dereferenced even for CPUs
+which are not online, causing the NULL pointer dereference.
+
+To fix that, pass CPU number to intel_pstate_update_max_freq() and use
+all_cpu_data[] for those CPUs for which there is a valid cpufreq policy.
+
+Fixes: 973207ae3d7c ("cpufreq: intel_pstate: Rearrange max frequency updates handling code")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221068
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Cc: 6.16+ <stable@vger.kernel.org> # 6.16+
+Link: https://patch.msgid.link/20260225001752.890164-1-srinivas.pandruvada@linux.intel.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/intel_pstate.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -1476,13 +1476,13 @@ static void __intel_pstate_update_max_fr
+       refresh_frequency_limits(policy);
+ }
+-static bool intel_pstate_update_max_freq(struct cpudata *cpudata)
++static bool intel_pstate_update_max_freq(int cpu)
+ {
+-      struct cpufreq_policy *policy __free(put_cpufreq_policy) = cpufreq_cpu_get(cpudata->cpu);
++      struct cpufreq_policy *policy __free(put_cpufreq_policy) = cpufreq_cpu_get(cpu);
+       if (!policy)
+               return false;
+-      __intel_pstate_update_max_freq(policy, cpudata);
++      __intel_pstate_update_max_freq(policy, all_cpu_data[cpu]);
+       return true;
+ }
+@@ -1501,7 +1501,7 @@ static void intel_pstate_update_limits_f
+       int cpu;
+       for_each_possible_cpu(cpu)
+-              intel_pstate_update_max_freq(all_cpu_data[cpu]);
++              intel_pstate_update_max_freq(cpu);
+       mutex_lock(&hybrid_capacity_lock);
+@@ -1908,7 +1908,7 @@ static void intel_pstate_notify_work(str
+       struct cpudata *cpudata =
+               container_of(to_delayed_work(work), struct cpudata, hwp_notify_work);
+-      if (intel_pstate_update_max_freq(cpudata)) {
++      if (intel_pstate_update_max_freq(cpudata->cpu)) {
+               /*
+                * The driver will not be unregistered while this function is
+                * running, so update the capacity without acquiring the driver
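Review bot: In intel_pstate_update_max_freq(), `all_cpu_data[cpu]` is passed on solely because `cpufreq_cpu_get(cpu)` returned a policy, and that invariant is neither documented nor checked. The commit message says the crash was reached through a write to the no_turbo sysfs file, so it would help to make the dependency explicit, either with a comment such as `/* a valid policy implies all_cpu_data[cpu] is allocated */` or with a guard, `if (!policy || !all_cpu_data[cpu]) return false;`. The caller in the second hunk still iterates for_each_possible_cpu() and depends on this filter alone. The function bodies extend beyond the hunks, so whether the callee checks the pointer itself cannot be confirmed from here.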
diff --git a/queue-6.19/drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch b/queue-6.19/drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch
new file mode 100644 (file)
index 0000000..07bb3ae
--- /dev/null
@@ -0,0 +1,161 @@
+From ab140365fb62c0bdab22b2f516aff563b2559e3b Mon Sep 17 00:00:00 2001
+From: Lars Ellenberg <lars.ellenberg@linbit.com>
+Date: Thu, 19 Feb 2026 15:20:12 +0100
+Subject: drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lars Ellenberg <lars.ellenberg@linbit.com>
+
+commit ab140365fb62c0bdab22b2f516aff563b2559e3b upstream.
+
+Even though we check that we "should" be able to do lc_get_cumulative()
+while holding the device->al_lock spinlock, it may still fail,
+if some other code path decided to do lc_try_lock() with bad timing.
+
+If that happened, we logged "LOGIC BUG for enr=...",
+but still did not return an error.
+
+The rest of the code now assumed that this request has references
+for the relevant activity log extents.
+
+The implcations are that during an active resync, mutual exclusivity of
+resync versus application IO is not guaranteed. And a potential crash
+at this point may not realizs that these extents could have been target
+of in-flight IO and would need to be resynced just in case.
+
+Also, once the request completes, it will give up activity log references it
+does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().
+
+Fix:
+
+Do not crash the kernel for a condition that is harmless during normal
+operation: also catch "e->refcnt == 0", not only "e == NULL"
+when being noisy about "al_complete_io() called on inactive extent %u\n".
+
+And do not try to be smart and "guess" whether something will work, then
+be surprised when it does not.
+Deal with the fact that it may or may not work.  If it does not, remember a
+possible "partially in activity log" state (only possible for requests that
+cross extent boundaries), and return an error code from
+drbd_al_begin_io_nonblock().
+
+A latter call for the same request will then resume from where we left off.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
+Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/drbd/drbd_actlog.c   |   53 ++++++++++++++++---------------------
+ drivers/block/drbd/drbd_interval.h |    5 ++-
+ 2 files changed, 27 insertions(+), 31 deletions(-)
+
+--- a/drivers/block/drbd/drbd_actlog.c
++++ b/drivers/block/drbd/drbd_actlog.c
+@@ -483,38 +483,20 @@ void drbd_al_begin_io(struct drbd_device
+ int drbd_al_begin_io_nonblock(struct drbd_device *device, struct drbd_interval *i)
+ {
+-      struct lru_cache *al = device->act_log;
+       /* for bios crossing activity log extent boundaries,
+        * we may need to activate two extents in one go */
+       unsigned first = i->sector >> (AL_EXTENT_SHIFT-9);
+       unsigned last = i->size == 0 ? first : (i->sector + (i->size >> 9) - 1) >> (AL_EXTENT_SHIFT-9);
+-      unsigned nr_al_extents;
+-      unsigned available_update_slots;
+       unsigned enr;
+-      D_ASSERT(device, first <= last);
+-
+-      nr_al_extents = 1 + last - first; /* worst case: all touched extends are cold. */
+-      available_update_slots = min(al->nr_elements - al->used,
+-                              al->max_pending_changes - al->pending_changes);
+-
+-      /* We want all necessary updates for a given request within the same transaction
+-       * We could first check how many updates are *actually* needed,
+-       * and use that instead of the worst-case nr_al_extents */
+-      if (available_update_slots < nr_al_extents) {
+-              /* Too many activity log extents are currently "hot".
+-               *
+-               * If we have accumulated pending changes already,
+-               * we made progress.
+-               *
+-               * If we cannot get even a single pending change through,
+-               * stop the fast path until we made some progress,
+-               * or requests to "cold" extents could be starved. */
+-              if (!al->pending_changes)
+-                      __set_bit(__LC_STARVING, &device->act_log->flags);
+-              return -ENOBUFS;
++      if (i->partially_in_al_next_enr) {
++              D_ASSERT(device, first < i->partially_in_al_next_enr);
++              D_ASSERT(device, last >= i->partially_in_al_next_enr);
++              first = i->partially_in_al_next_enr;
+       }
++      D_ASSERT(device, first <= last);
++
+       /* Is resync active in this area? */
+       for (enr = first; enr <= last; enr++) {
+               struct lc_element *tmp;
+@@ -529,14 +511,21 @@ int drbd_al_begin_io_nonblock(struct drb
+               }
+       }
+-      /* Checkout the refcounts.
+-       * Given that we checked for available elements and update slots above,
+-       * this has to be successful. */
++      /* Try to checkout the refcounts. */
+       for (enr = first; enr <= last; enr++) {
+               struct lc_element *al_ext;
+               al_ext = lc_get_cumulative(device->act_log, enr);
+-              if (!al_ext)
+-                      drbd_info(device, "LOGIC BUG for enr=%u\n", enr);
++
++              if (!al_ext) {
++                      /* Did not work. We may have exhausted the possible
++                       * changes per transaction. Or raced with someone
++                       * "locking" it against changes.
++                       * Remember where to continue from.
++                       */
++                      if (enr > first)
++                              i->partially_in_al_next_enr = enr;
++                      return -ENOBUFS;
++              }
+       }
+       return 0;
+ }
+@@ -556,7 +545,11 @@ void drbd_al_complete_io(struct drbd_dev
+       for (enr = first; enr <= last; enr++) {
+               extent = lc_find(device->act_log, enr);
+-              if (!extent) {
++              /* Yes, this masks a bug elsewhere.  However, during normal
++               * operation this is harmless, so no need to crash the kernel
++               * by the BUG_ON(refcount == 0) in lc_put().
++               */
++              if (!extent || extent->refcnt == 0) {
+                       drbd_err(device, "al_complete_io() called on inactive extent %u\n", enr);
+                       continue;
+               }
+--- a/drivers/block/drbd/drbd_interval.h
++++ b/drivers/block/drbd/drbd_interval.h
+@@ -8,12 +8,15 @@
+ struct drbd_interval {
+       struct rb_node rb;
+       sector_t sector;                /* start sector of the interval */
+-      unsigned int size;              /* size in bytes */
+       sector_t end;                   /* highest interval end in subtree */
++      unsigned int size;              /* size in bytes */
+       unsigned int local:1            /* local or remote request? */;
+       unsigned int waiting:1;         /* someone is waiting for completion */
+       unsigned int completed:1;       /* this has been completed already;
+                                        * ignore for conflict detection */
++
++      /* to resume a partially successful drbd_al_begin_io_nonblock(); */
++      unsigned int partially_in_al_next_enr;
+ };
+ static inline void drbd_clear_interval(struct drbd_interval *i)
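Review bot: The new field `partially_in_al_next_enr` uses 0 to mean "nothing to resume", but its comment does not say so, and no visible line resets it once the reference loop in drbd_al_begin_io_nonblock() finally succeeds. I would document it as `/* 0: not partially in AL; else first extent still to be referenced on retry */` and confirm that drbd_clear_interval(), whose body is outside the hunk, zeroes it, since a stale value on a reused interval would presumably skip extents. The two D_ASSERT() checks sit before `first = i->partially_in_al_next_enr;`; if D_ASSERT only reports, an out-of-range stored value still replaces `first`. drbd_al_complete_io() keeps iterating the full range, and the computation of its `first`/`last` is also outside the hunk.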
diff --git a/queue-6.19/drbd-fix-null-pointer-dereference-on-local-read-error.patch b/queue-6.19/drbd-fix-null-pointer-dereference-on-local-read-error.patch
new file mode 100644 (file)
index 0000000..ff7ca31
--- /dev/null
@@ -0,0 +1,47 @@
+From 0d195d3b205ca90db30d70d09d7bb6909aac178f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christoph=20B=C3=B6hmwalder?=
+ <christoph.boehmwalder@linbit.com>
+Date: Fri, 20 Feb 2026 12:39:37 +0100
+Subject: drbd: fix null-pointer dereference on local read error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
+
+commit 0d195d3b205ca90db30d70d09d7bb6909aac178f upstream.
+
+In drbd_request_endio(), READ_COMPLETED_WITH_ERROR is passed to
+__req_mod() with a NULL peer_device:
+
+  __req_mod(req, what, NULL, &m);
+
+The READ_COMPLETED_WITH_ERROR handler then unconditionally passes this
+NULL peer_device to drbd_set_out_of_sync(), which dereferences it,
+causing a null-pointer dereference.
+
+Fix this by obtaining the peer_device via first_peer_device(device),
+matching how drbd_req_destroy() handles the same situation.
+
+Cc: stable@vger.kernel.org
+Reported-by: Tuo Li <islituo@gmail.com>
+Link: https://lore.kernel.org/linux-block/20260104165355.151864-1-islituo@gmail.com
+Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/drbd/drbd_req.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/drbd/drbd_req.c
++++ b/drivers/block/drbd/drbd_req.c
+@@ -621,7 +621,8 @@ int __req_mod(struct drbd_request *req,
+               break;
+       case READ_COMPLETED_WITH_ERROR:
+-              drbd_set_out_of_sync(peer_device, req->i.sector, req->i.size);
++              drbd_set_out_of_sync(first_peer_device(device),
++                              req->i.sector, req->i.size);
+               drbd_report_io_error(device, req);
+               __drbd_chk_io_error(device, DRBD_READ_ERROR);
+               fallthrough;
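Review bot: In the READ_COMPLETED_WITH_ERROR case the `peer_device` argument of __req_mod() is now silently ignored, and the result of `first_peer_device(device)` goes to drbd_set_out_of_sync() unchecked. If first_peer_device() can return NULL (not visible on this page), the same dereference remains, so the case wants either a guard or a comment recording the assumption, e.g. `/* peer_device is NULL here when called from drbd_request_endio() */`. The switch continues outside the hunk, so other cases that may receive a NULL peer_device could not be checked.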
diff --git a/queue-6.19/gve-fix-incorrect-buffer-cleanup-in-gve_tx_clean_pending_packets-for-qpl.patch b/queue-6.19/gve-fix-incorrect-buffer-cleanup-in-gve_tx_clean_pending_packets-for-qpl.patch
new file mode 100644 (file)
index 0000000..896c625
--- /dev/null
@@ -0,0 +1,130 @@
+From fb868db5f4bccd7a78219313ab2917429f715cea Mon Sep 17 00:00:00 2001
+From: Ankit Garg <nktgrg@google.com>
+Date: Fri, 20 Feb 2026 13:53:24 -0800
+Subject: gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL
+
+From: Ankit Garg <nktgrg@google.com>
+
+commit fb868db5f4bccd7a78219313ab2917429f715cea upstream.
+
+In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA
+buffer cleanup path. It iterates num_bufs times and attempts to unmap
+entries in the dma array.
+
+This leads to two issues:
+1. The dma array shares storage with tx_qpl_buf_ids (union).
+ Interpreting buffer IDs as DMA addresses results in attempting to
+ unmap incorrect memory locations.
+2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed
+ the size of the dma array, causing out-of-bounds access warnings
+(trace below is how we noticed this issue).
+
+UBSAN: array-index-out-of-bounds in
+drivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 index 18 is out of
+range for type 'dma_addr_t[18]' (aka 'unsigned long long[18]')
+Workqueue: gve gve_service_task [gve]
+Call Trace:
+<TASK>
+dump_stack_lvl+0x33/0xa0
+__ubsan_handle_out_of_bounds+0xdc/0x110
+gve_tx_stop_ring_dqo+0x182/0x200 [gve]
+gve_close+0x1be/0x450 [gve]
+gve_reset+0x99/0x120 [gve]
+gve_service_task+0x61/0x100 [gve]
+process_scheduled_works+0x1e9/0x380
+
+Fix this by properly checking for QPL mode and delegating to
+gve_free_tx_qpl_bufs() to reclaim the buffers.
+
+Cc: stable@vger.kernel.org
+Fixes: a6fb8d5a8b69 ("gve: Tx path for DQO-QPL")
+Signed-off-by: Ankit Garg <nktgrg@google.com>
+Reviewed-by: Jordan Rhee <jordanrhee@google.com>
+Reviewed-by: Harshitha Ramamurthy <hramamurthy@google.com>
+Signed-off-by: Joshua Washington <joshwash@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260220215324.1631350-1-joshwash@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/google/gve/gve_tx_dqo.c |   54 ++++++++++++---------------
+ 1 file changed, 24 insertions(+), 30 deletions(-)
+
+--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c
++++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c
+@@ -167,6 +167,25 @@ gve_free_pending_packet(struct gve_tx_ri
+       }
+ }
++static void gve_unmap_packet(struct device *dev,
++                           struct gve_tx_pending_packet_dqo *pkt)
++{
++      int i;
++
++      if (!pkt->num_bufs)
++              return;
++
++      /* SKB linear portion is guaranteed to be mapped */
++      dma_unmap_single(dev, dma_unmap_addr(pkt, dma[0]),
++                       dma_unmap_len(pkt, len[0]), DMA_TO_DEVICE);
++      for (i = 1; i < pkt->num_bufs; i++) {
++              netmem_dma_unmap_page_attrs(dev, dma_unmap_addr(pkt, dma[i]),
++                                          dma_unmap_len(pkt, len[i]),
++                                          DMA_TO_DEVICE, 0);
++      }
++      pkt->num_bufs = 0;
++}
++
+ /* gve_tx_free_desc - Cleans up all pending tx requests and buffers.
+  */
+ static void gve_tx_clean_pending_packets(struct gve_tx_ring *tx)
+@@ -176,21 +195,12 @@ static void gve_tx_clean_pending_packets
+       for (i = 0; i < tx->dqo.num_pending_packets; i++) {
+               struct gve_tx_pending_packet_dqo *cur_state =
+                       &tx->dqo.pending_packets[i];
+-              int j;
+-              for (j = 0; j < cur_state->num_bufs; j++) {
+-                      if (j == 0) {
+-                              dma_unmap_single(tx->dev,
+-                                      dma_unmap_addr(cur_state, dma[j]),
+-                                      dma_unmap_len(cur_state, len[j]),
+-                                      DMA_TO_DEVICE);
+-                      } else {
+-                              dma_unmap_page(tx->dev,
+-                                      dma_unmap_addr(cur_state, dma[j]),
+-                                      dma_unmap_len(cur_state, len[j]),
+-                                      DMA_TO_DEVICE);
+-                      }
+-              }
++              if (tx->dqo.qpl)
++                      gve_free_tx_qpl_bufs(tx, cur_state);
++              else
++                      gve_unmap_packet(tx->dev, cur_state);
++
+               if (cur_state->skb) {
+                       dev_consume_skb_any(cur_state->skb);
+                       cur_state->skb = NULL;
+@@ -1160,22 +1170,6 @@ static void remove_from_list(struct gve_
+       }
+ }
+-static void gve_unmap_packet(struct device *dev,
+-                           struct gve_tx_pending_packet_dqo *pkt)
+-{
+-      int i;
+-
+-      /* SKB linear portion is guaranteed to be mapped */
+-      dma_unmap_single(dev, dma_unmap_addr(pkt, dma[0]),
+-                       dma_unmap_len(pkt, len[0]), DMA_TO_DEVICE);
+-      for (i = 1; i < pkt->num_bufs; i++) {
+-              netmem_dma_unmap_page_attrs(dev, dma_unmap_addr(pkt, dma[i]),
+-                                          dma_unmap_len(pkt, len[i]),
+-                                          DMA_TO_DEVICE, 0);
+-      }
+-      pkt->num_bufs = 0;
+-}
+-
+ /* Completion types and expected behavior:
+  * No Miss compl + Packet compl = Packet completed normally.
+  * Miss compl + Re-inject compl = Packet completed normally.
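Review bot: gve_unmap_packet() is only valid for RDA rings, yet nothing on the function says so, which is how the QPL cleanup path came to walk `dma[]` with a chunk count. A header comment such as `/* RDA only: in QPL mode dma[] shares storage with tx_qpl_buf_ids and num_bufs counts 2K chunks */` would keep the two interpretations of the union apart for the next caller. The loop `for (i = 1; i < pkt->num_bufs; i++)` still trusts num_bufs against the array size, so the mode check in gve_tx_clean_pending_packets() is the only guard. Separately, the comment above gve_tx_clean_pending_packets() still names `gve_tx_free_desc`.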
diff --git a/queue-6.19/ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch b/queue-6.19/ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch
new file mode 100644 (file)
index 0000000..1060565
--- /dev/null
@@ -0,0 +1,49 @@
+From 117942ca43e2e3c3d121faae530989931b7f67e1 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Mon, 16 Feb 2026 11:02:48 -0400
+Subject: IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit 117942ca43e2e3c3d121faae530989931b7f67e1 upstream.
+
+Fix a user triggerable leak on the system call failure path.
+
+Cc: stable@vger.kernel.org
+Fixes: ec34a922d243 ("[PATCH] IB/mthca: Add SRQ implementation")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://patch.msgid.link/2-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mthca/mthca_provider.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/mthca/mthca_provider.c
++++ b/drivers/infiniband/hw/mthca/mthca_provider.c
+@@ -428,6 +428,8 @@ static int mthca_create_srq(struct ib_sr
+       if (context && ib_copy_to_udata(udata, &srq->srqn, sizeof(__u32))) {
+               mthca_free_srq(to_mdev(ibsrq->device), srq);
++              mthca_unmap_user_db(to_mdev(ibsrq->device), &context->uar,
++                                  context->db_tab, ucmd.db_index);
+               return -EFAULT;
+       }
+@@ -436,6 +438,7 @@ static int mthca_create_srq(struct ib_sr
+ static int mthca_destroy_srq(struct ib_srq *srq, struct ib_udata *udata)
+ {
++      mthca_free_srq(to_mdev(srq->device), to_msrq(srq));
+       if (udata) {
+               struct mthca_ucontext *context =
+                       rdma_udata_to_drv_context(
+@@ -446,8 +449,6 @@ static int mthca_destroy_srq(struct ib_s
+               mthca_unmap_user_db(to_mdev(srq->device), &context->uar,
+                                   context->db_tab, to_msrq(srq)->db_index);
+       }
+-
+-      mthca_free_srq(to_mdev(srq->device), to_msrq(srq));
+       return 0;
+ }
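Review bot: mthca_destroy_srq() now calls mthca_free_srq() before mthca_unmap_user_db(), but the commit message only describes the leak on the create failure path and no comment explains the reorder. A short comment at the moved call, e.g. `/* free the SRQ before unmapping its doorbell, same order as the create error path */`, would record the intended teardown order. In mthca_create_srq() the added unmap reads `ucmd.db_index`, which is presumably only filled in on the user path; the `context &&` test appears to guarantee that, but the code that populates ucmd is outside the hunk.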
diff --git a/queue-6.19/kbuild-leave-objtool-binary-around-with-make-clean.patch b/queue-6.19/kbuild-leave-objtool-binary-around-with-make-clean.patch
new file mode 100644 (file)
index 0000000..fabf41e
--- /dev/null
@@ -0,0 +1,103 @@
+From fdb12c8a24a453bdd6759979b6ef1e04ebd4beb4 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Fri, 27 Feb 2026 22:40:48 -0700
+Subject: kbuild: Leave objtool binary around with 'make clean'
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit fdb12c8a24a453bdd6759979b6ef1e04ebd4beb4 upstream.
+
+The difference between 'make clean' and 'make mrproper' is documented in
+'make help' as:
+
+  clean     - Remove most generated files but keep the config and
+              enough build support to build external modules
+  mrproper  - Remove all generated files + config + various backup files
+
+After commit 68b4fe32d737 ("kbuild: Add objtool to top-level clean
+target"), running 'make clean' then attempting to build an external
+module with the resulting build directory fails with
+
+  $ make ARCH=x86_64 O=build clean
+
+  $ make -C build M=... MO=...
+  ...
+  /bin/sh: line 1: .../build/tools/objtool/objtool: No such file or directory
+
+as 'make clean' removes the objtool binary.
+
+Split the objtool clean target into mrproper and clean like Kbuild does
+and remove all generated artifacts with 'make clean' except for the
+objtool binary, which is removed with 'make mrproper'. To avoid a small
+race when running the objtool clean target through both objtool_mrproper
+and objtool_clean when running 'make mrproper', modify objtool's clean
+up find command to avoid using find's '-delete' command by piping the
+files into 'xargs rm -f' like the rest of Kbuild does.
+
+Cc: stable@vger.kernel.org
+Fixes: 68b4fe32d737 ("kbuild: Add objtool to top-level clean target")
+Reported-by: Michal Suchanek <msuchanek@suse.de>
+Closes: https://lore.kernel.org/20260225112633.6123-1-msuchanek@suse.de/
+Reported-by: Rainer Fiebig <jrf@mailbox.org>
+Closes: https://lore.kernel.org/62d12399-76e5-3d40-126a-7490b4795b17@mailbox.org/
+Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Nicolas Schier <nsc@kernel.org>
+Tested-by: Nicolas Schier <nsc@kernel.org>
+Link: https://patch.msgid.link/20260227-avoid-objtool-binary-removal-clean-v1-1-122f3e55eae9@kernel.org
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Makefile               |    8 ++++----
+ tools/objtool/Makefile |    8 +++++---
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -1474,13 +1474,13 @@ ifneq ($(wildcard $(resolve_btfids_O)),)
+       $(Q)$(MAKE) -sC $(srctree)/tools/bpf/resolve_btfids O=$(resolve_btfids_O) clean
+ endif
+-PHONY += objtool_clean
++PHONY += objtool_clean objtool_mrproper
+ objtool_O = $(abspath $(objtree))/tools/objtool
+-objtool_clean:
++objtool_clean objtool_mrproper:
+ ifneq ($(wildcard $(objtool_O)),)
+-      $(Q)$(MAKE) -sC $(abs_srctree)/tools/objtool O=$(objtool_O) srctree=$(abs_srctree) clean
++      $(Q)$(MAKE) -sC $(abs_srctree)/tools/objtool O=$(objtool_O) srctree=$(abs_srctree) $(patsubst objtool_%,%,$@)
+ endif
+ tools/: FORCE
+@@ -1657,7 +1657,7 @@ PHONY += $(mrproper-dirs) mrproper
+ $(mrproper-dirs):
+       $(Q)$(MAKE) $(clean)=$(patsubst _mrproper_%,%,$@)
+-mrproper: clean $(mrproper-dirs)
++mrproper: clean objtool_mrproper $(mrproper-dirs)
+       $(call cmd,rmfiles)
+       @find . $(RCS_FIND_IGNORE) \
+               \( -name '*.rmeta' \) \
+--- a/tools/objtool/Makefile
++++ b/tools/objtool/Makefile
+@@ -142,13 +142,15 @@ $(LIBSUBCMD)-clean:
+       $(Q)$(RM) -r -- $(LIBSUBCMD_OUTPUT)
+ clean: $(LIBSUBCMD)-clean
+-      $(call QUIET_CLEAN, objtool) $(RM) $(OBJTOOL)
+-      $(Q)find $(OUTPUT) -name '*.o' -delete -o -name '\.*.cmd' -delete -o -name '\.*.d' -delete
++      $(Q)find $(OUTPUT) \( -name '*.o' -o -name '\.*.cmd' -o -name '\.*.d' \) -type f -print | xargs $(RM)
+       $(Q)$(RM) $(OUTPUT)arch/x86/lib/cpu-feature-names.c $(OUTPUT)fixdep
+       $(Q)$(RM) $(OUTPUT)arch/x86/lib/inat-tables.c $(OUTPUT)fixdep
+       $(Q)$(RM) -- $(OUTPUT)FEATURE-DUMP.objtool
+       $(Q)$(RM) -r -- $(OUTPUT)feature
++mrproper: clean
++      $(call QUIET_CLEAN, objtool) $(RM) $(OBJTOOL)
++
+ FORCE:
+-.PHONY: clean FORCE
++.PHONY: clean mrproper FORCE
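Review bot: The new `mrproper` target in tools/objtool/Makefile carries no comment saying that `$(OBJTOOL)` is deliberately left behind by `clean`, so a later cleanup could fold the two targets back together and reintroduce the external-module build failure. I would add above it `# 'clean' keeps $(OBJTOOL) so external modules can still build; 'mrproper' removes it`. In the `clean` recipe, `-print | xargs $(RM)` splits file names on whitespace; that matches the rest of Kbuild according to the commit message, but is worth knowing if $(OUTPUT) can contain spaces. The unchanged lines also remove `$(OUTPUT)fixdep` twice.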
diff --git a/queue-6.19/kbuild-split-.modinfo-out-from-elf_details.patch b/queue-6.19/kbuild-split-.modinfo-out-from-elf_details.patch
new file mode 100644 (file)
index 0000000..35103a9
--- /dev/null
@@ -0,0 +1,350 @@
+From 8678591b47469fe16357234efef9b260317b8be4 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Wed, 25 Feb 2026 15:02:51 -0700
+Subject: kbuild: Split .modinfo out from ELF_DETAILS
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 8678591b47469fe16357234efef9b260317b8be4 upstream.
+
+Commit 3e86e4d74c04 ("kbuild: keep .modinfo section in
+vmlinux.unstripped") added .modinfo to ELF_DETAILS while removing it
+from COMMON_DISCARDS, as it was needed in vmlinux.unstripped and
+ELF_DETAILS was present in all architecture specific vmlinux linker
+scripts. While this shuffle is fine for vmlinux, ELF_DETAILS and
+COMMON_DISCARDS may be used by other linker scripts, such as the s390
+and x86 compressed boot images, which may not expect to have a .modinfo
+section. In certain circumstances, this could result in a bootloader
+failing to load the compressed kernel [1].
+
+Commit ddc6cbef3ef1 ("s390/boot/vmlinux.lds.S: Ensure bzImage ends with
+SecureBoot trailer") recently addressed this for the s390 bzImage but
+the same bug remains for arm, parisc, and x86. The presence of .modinfo
+in the x86 bzImage was the root cause of the issue worked around with
+commit d50f21091358 ("kbuild: align modinfo section for Secureboot
+Authenticode EDK2 compat"). misc.c in arch/x86/boot/compressed includes
+lib/decompress_unzstd.c, which in turn includes lib/xxhash.c and its
+MODULE_LICENSE / MODULE_DESCRIPTION macros due to the STATIC definition.
+
+Split .modinfo out from ELF_DETAILS into its own macro and handle it in
+all vmlinux linker scripts. Discard .modinfo in the places where it was
+previously being discarded from being in COMMON_DISCARDS, as it has
+never been necessary in those uses.
+
+Cc: stable@vger.kernel.org
+Fixes: 3e86e4d74c04 ("kbuild: keep .modinfo section in vmlinux.unstripped")
+Reported-by: Ed W <lists@wildgooses.com>
+Closes: https://lore.kernel.org/587f25e0-a80e-46a5-9f01-87cb40cfa377@wildgooses.com/ [1]
+Tested-by: Ed W <lists@wildgooses.com> # x86_64
+Link: https://patch.msgid.link/20260225-separate-modinfo-from-elf-details-v1-1-387ced6baf4b@kernel.org
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/alpha/kernel/vmlinux.lds.S           |    1 +
+ arch/arc/kernel/vmlinux.lds.S             |    1 +
+ arch/arm/boot/compressed/vmlinux.lds.S    |    1 +
+ arch/arm/kernel/vmlinux-xip.lds.S         |    1 +
+ arch/arm/kernel/vmlinux.lds.S             |    1 +
+ arch/arm64/kernel/vmlinux.lds.S           |    1 +
+ arch/csky/kernel/vmlinux.lds.S            |    1 +
+ arch/hexagon/kernel/vmlinux.lds.S         |    1 +
+ arch/loongarch/kernel/vmlinux.lds.S       |    1 +
+ arch/m68k/kernel/vmlinux-nommu.lds        |    1 +
+ arch/m68k/kernel/vmlinux-std.lds          |    1 +
+ arch/m68k/kernel/vmlinux-sun3.lds         |    1 +
+ arch/mips/kernel/vmlinux.lds.S            |    1 +
+ arch/nios2/kernel/vmlinux.lds.S           |    1 +
+ arch/openrisc/kernel/vmlinux.lds.S        |    1 +
+ arch/parisc/boot/compressed/vmlinux.lds.S |    1 +
+ arch/parisc/kernel/vmlinux.lds.S          |    1 +
+ arch/powerpc/kernel/vmlinux.lds.S         |    1 +
+ arch/riscv/kernel/vmlinux.lds.S           |    1 +
+ arch/s390/kernel/vmlinux.lds.S            |    1 +
+ arch/sh/kernel/vmlinux.lds.S              |    1 +
+ arch/sparc/kernel/vmlinux.lds.S           |    1 +
+ arch/um/kernel/dyn.lds.S                  |    1 +
+ arch/um/kernel/uml.lds.S                  |    1 +
+ arch/x86/boot/compressed/vmlinux.lds.S    |    2 +-
+ arch/x86/kernel/vmlinux.lds.S             |    1 +
+ include/asm-generic/vmlinux.lds.h         |    4 +++-
+ 27 files changed, 29 insertions(+), 2 deletions(-)
+
+--- a/arch/alpha/kernel/vmlinux.lds.S
++++ b/arch/alpha/kernel/vmlinux.lds.S
+@@ -71,6 +71,7 @@ SECTIONS
+       STABS_DEBUG
+       DWARF_DEBUG
++      MODINFO
+       ELF_DETAILS
+       DISCARDS
+--- a/arch/arc/kernel/vmlinux.lds.S
++++ b/arch/arc/kernel/vmlinux.lds.S
+@@ -123,6 +123,7 @@ SECTIONS
+       _end = . ;
+       STABS_DEBUG
++      MODINFO
+       ELF_DETAILS
+       DISCARDS
+--- a/arch/arm/boot/compressed/vmlinux.lds.S
++++ b/arch/arm/boot/compressed/vmlinux.lds.S
+@@ -21,6 +21,7 @@ SECTIONS
+     COMMON_DISCARDS
+     *(.ARM.exidx*)
+     *(.ARM.extab*)
++    *(.modinfo)
+     *(.note.*)
+     *(.rel.*)
+     *(.printk_index)
+--- a/arch/arm/kernel/vmlinux-xip.lds.S
++++ b/arch/arm/kernel/vmlinux-xip.lds.S
+@@ -154,6 +154,7 @@ SECTIONS
+       STABS_DEBUG
+       DWARF_DEBUG
++      MODINFO
+       ARM_DETAILS
+       ARM_ASSERTS
+--- a/arch/arm/kernel/vmlinux.lds.S
++++ b/arch/arm/kernel/vmlinux.lds.S
+@@ -153,6 +153,7 @@ SECTIONS
+       STABS_DEBUG
+       DWARF_DEBUG
++      MODINFO
+       ARM_DETAILS
+       ARM_ASSERTS
+--- a/arch/arm64/kernel/vmlinux.lds.S
++++ b/arch/arm64/kernel/vmlinux.lds.S
+@@ -349,6 +349,7 @@ SECTIONS
+       STABS_DEBUG
+       DWARF_DEBUG
++      MODINFO
+       ELF_DETAILS
+       HEAD_SYMBOLS
+--- a/arch/csky/kernel/vmlinux.lds.S
++++ b/arch/csky/kernel/vmlinux.lds.S
+@@ -109,6 +109,7 @@ SECTIONS
+       STABS_DEBUG
+       DWARF_DEBUG
++      MODINFO
+       ELF_DETAILS
+       DISCARDS
+--- a/arch/hexagon/kernel/vmlinux.lds.S
++++ b/arch/hexagon/kernel/vmlinux.lds.S
+@@ -62,6 +62,7 @@ SECTIONS
+       STABS_DEBUG
+       DWARF_DEBUG
++      MODINFO
+       ELF_DETAILS
+       .hexagon.attributes 0 : { *(.hexagon.attributes) }
+--- a/arch/loongarch/kernel/vmlinux.lds.S
++++ b/arch/loongarch/kernel/vmlinux.lds.S
+@@ -147,6 +147,7 @@ SECTIONS
+       STABS_DEBUG
+       DWARF_DEBUG
++      MODINFO
+       ELF_DETAILS
+ #ifdef CONFIG_EFI_STUB
+--- a/arch/m68k/kernel/vmlinux-nommu.lds
++++ b/arch/m68k/kernel/vmlinux-nommu.lds
+@@ -85,6 +85,7 @@ SECTIONS {
+       _end = .;
+       STABS_DEBUG
++      MODINFO
+       ELF_DETAILS
+       /* Sections to be discarded */
+--- a/arch/m68k/kernel/vmlinux-std.lds
++++ b/arch/m68k/kernel/vmlinux-std.lds
+@@ -58,6 +58,7 @@ SECTIONS
+   _end = . ;
+   STABS_DEBUG
++  MODINFO
+   ELF_DETAILS
+   /* Sections to be discarded */
+--- a/arch/m68k/kernel/vmlinux-sun3.lds
++++ b/arch/m68k/kernel/vmlinux-sun3.lds
+@@ -51,6 +51,7 @@ __init_begin = .;
+   _end = . ;
+   STABS_DEBUG
++  MODINFO
+   ELF_DETAILS
+   /* Sections to be discarded */
+--- a/arch/mips/kernel/vmlinux.lds.S
++++ b/arch/mips/kernel/vmlinux.lds.S
+@@ -217,6 +217,7 @@ SECTIONS
+       STABS_DEBUG
+       DWARF_DEBUG
++      MODINFO
+       ELF_DETAILS
+       /* These must appear regardless of  .  */
+--- a/arch/nios2/kernel/vmlinux.lds.S
++++ b/arch/nios2/kernel/vmlinux.lds.S
+@@ -57,6 +57,7 @@ SECTIONS
+       STABS_DEBUG
+       DWARF_DEBUG
++      MODINFO
+       ELF_DETAILS
+       DISCARDS
+--- a/arch/openrisc/kernel/vmlinux.lds.S
++++ b/arch/openrisc/kernel/vmlinux.lds.S
+@@ -101,6 +101,7 @@ SECTIONS
+       /* Throw in the debugging sections */
+       STABS_DEBUG
+       DWARF_DEBUG
++      MODINFO
+       ELF_DETAILS
+         /* Sections to be discarded -- must be last */
+--- a/arch/parisc/boot/compressed/vmlinux.lds.S
++++ b/arch/parisc/boot/compressed/vmlinux.lds.S
+@@ -90,6 +90,7 @@ SECTIONS
+       /* Sections to be discarded */
+       DISCARDS
+       /DISCARD/ : {
++              *(.modinfo)
+ #ifdef CONFIG_64BIT
+               /* temporary hack until binutils is fixed to not emit these
+                * for static binaries
+--- a/arch/parisc/kernel/vmlinux.lds.S
++++ b/arch/parisc/kernel/vmlinux.lds.S
+@@ -165,6 +165,7 @@ SECTIONS
+       _end = . ;
+       STABS_DEBUG
++      MODINFO
+       ELF_DETAILS
+       .note 0 : { *(.note) }
+--- a/arch/powerpc/kernel/vmlinux.lds.S
++++ b/arch/powerpc/kernel/vmlinux.lds.S
+@@ -397,6 +397,7 @@ SECTIONS
+       _end = . ;
+       DWARF_DEBUG
++      MODINFO
+       ELF_DETAILS
+       DISCARDS
+--- a/arch/riscv/kernel/vmlinux.lds.S
++++ b/arch/riscv/kernel/vmlinux.lds.S
+@@ -170,6 +170,7 @@ SECTIONS
+       STABS_DEBUG
+       DWARF_DEBUG
++      MODINFO
+       ELF_DETAILS
+       .riscv.attributes 0 : { *(.riscv.attributes) }
+--- a/arch/s390/kernel/vmlinux.lds.S
++++ b/arch/s390/kernel/vmlinux.lds.S
+@@ -221,6 +221,7 @@ SECTIONS
+       /* Debugging sections.  */
+       STABS_DEBUG
+       DWARF_DEBUG
++      MODINFO
+       ELF_DETAILS
+       /*
+--- a/arch/sh/kernel/vmlinux.lds.S
++++ b/arch/sh/kernel/vmlinux.lds.S
+@@ -89,6 +89,7 @@ SECTIONS
+       STABS_DEBUG
+       DWARF_DEBUG
++      MODINFO
+       ELF_DETAILS
+       DISCARDS
+--- a/arch/sparc/kernel/vmlinux.lds.S
++++ b/arch/sparc/kernel/vmlinux.lds.S
+@@ -191,6 +191,7 @@ SECTIONS
+       STABS_DEBUG
+       DWARF_DEBUG
++      MODINFO
+       ELF_DETAILS
+       DISCARDS
+--- a/arch/um/kernel/dyn.lds.S
++++ b/arch/um/kernel/dyn.lds.S
+@@ -172,6 +172,7 @@ SECTIONS
+   STABS_DEBUG
+   DWARF_DEBUG
++  MODINFO
+   ELF_DETAILS
+   DISCARDS
+--- a/arch/um/kernel/uml.lds.S
++++ b/arch/um/kernel/uml.lds.S
+@@ -113,6 +113,7 @@ SECTIONS
+   STABS_DEBUG
+   DWARF_DEBUG
++  MODINFO
+   ELF_DETAILS
+   DISCARDS
+--- a/arch/x86/boot/compressed/vmlinux.lds.S
++++ b/arch/x86/boot/compressed/vmlinux.lds.S
+@@ -88,7 +88,7 @@ SECTIONS
+       /DISCARD/ : {
+               *(.dynamic) *(.dynsym) *(.dynstr) *(.dynbss)
+               *(.hash) *(.gnu.hash)
+-              *(.note.*)
++              *(.note.*) *(.modinfo)
+       }
+       .got.plt (INFO) : {
+--- a/arch/x86/kernel/vmlinux.lds.S
++++ b/arch/x86/kernel/vmlinux.lds.S
+@@ -424,6 +424,7 @@ SECTIONS
+       .llvm_bb_addr_map : { *(.llvm_bb_addr_map) }
+ #endif
++      MODINFO
+       ELF_DETAILS
+       DISCARDS
+--- a/include/asm-generic/vmlinux.lds.h
++++ b/include/asm-generic/vmlinux.lds.h
+@@ -848,12 +848,14 @@
+ /* Required sections not related to debugging. */
+ #define ELF_DETAILS                                                   \
+-              .modinfo : { *(.modinfo) . = ALIGN(8); }                \
+               .comment 0 : { *(.comment) }                            \
+               .symtab 0 : { *(.symtab) }                              \
+               .strtab 0 : { *(.strtab) }                              \
+               .shstrtab 0 : { *(.shstrtab) }
++#define MODINFO                                                               \
++              .modinfo : { *(.modinfo) . = ALIGN(8); }
++
+ #ifdef CONFIG_GENERIC_BUG
+ #define BUG_TABLE                                                     \
+       . = ALIGN(8);                                                   \
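Review bot: The new `MODINFO` macro in include/asm-generic/vmlinux.lds.h has no comment, while `ELF_DETAILS` just above it keeps its "Required sections" line. After this split, a linker script that uses `ELF_DETAILS` alone gets no placement for `.modinfo`, and nothing in the header says so. I would add something like `/* .modinfo: emit in vmlinux linker scripts only; boot-image scripts (arm, parisc, x86 compressed) must discard it. */` above the `#define MODINFO`. The commit message ties a stray `.modinfo` in the x86 bzImage to the Secure Boot Authenticode workaround, so the rule is worth stating where the next linker-script author will look.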
diff --git a/queue-6.19/ksmbd-compare-macs-in-constant-time.patch b/queue-6.19/ksmbd-compare-macs-in-constant-time.patch
new file mode 100644 (file)
index 0000000..1a39335
--- /dev/null
@@ -0,0 +1,82 @@
+From c5794709bc9105935dbedef8b9cf9c06f2b559fa Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Tue, 17 Feb 2026 20:28:29 -0800
+Subject: ksmbd: Compare MACs in constant time
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit c5794709bc9105935dbedef8b9cf9c06f2b559fa upstream.
+
+To prevent timing attacks, MAC comparisons need to be constant-time.
+Replace the memcmp() with the correct function, crypto_memneq().
+
+Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/Kconfig   |    1 +
+ fs/smb/server/auth.c    |    4 +++-
+ fs/smb/server/smb2pdu.c |    5 +++--
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/fs/smb/server/Kconfig
++++ b/fs/smb/server/Kconfig
+@@ -13,6 +13,7 @@ config SMB_SERVER
+       select CRYPTO_LIB_MD5
+       select CRYPTO_LIB_SHA256
+       select CRYPTO_LIB_SHA512
++      select CRYPTO_LIB_UTILS
+       select CRYPTO_CMAC
+       select CRYPTO_AEAD2
+       select CRYPTO_CCM
+--- a/fs/smb/server/auth.c
++++ b/fs/smb/server/auth.c
+@@ -15,6 +15,7 @@
+ #include <crypto/aead.h>
+ #include <crypto/md5.h>
+ #include <crypto/sha2.h>
++#include <crypto/utils.h>
+ #include <linux/random.h>
+ #include <linux/scatterlist.h>
+@@ -165,7 +166,8 @@ int ksmbd_auth_ntlmv2(struct ksmbd_conn
+                            ntlmv2_rsp, CIFS_HMAC_MD5_HASH_SIZE,
+                            sess->sess_key);
+-      if (memcmp(ntlmv2->ntlmv2_hash, ntlmv2_rsp, CIFS_HMAC_MD5_HASH_SIZE) != 0)
++      if (crypto_memneq(ntlmv2->ntlmv2_hash, ntlmv2_rsp,
++                        CIFS_HMAC_MD5_HASH_SIZE))
+               return -EINVAL;
+       return 0;
+ }
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -4,6 +4,7 @@
+  *   Copyright (C) 2018 Samsung Electronics Co., Ltd.
+  */
++#include <crypto/utils.h>
+ #include <linux/inetdevice.h>
+ #include <net/addrconf.h>
+ #include <linux/syscalls.h>
+@@ -8879,7 +8880,7 @@ int smb2_check_sign_req(struct ksmbd_wor
+       ksmbd_sign_smb2_pdu(work->conn, work->sess->sess_key, iov, 1,
+                           signature);
+-      if (memcmp(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
++      if (crypto_memneq(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
+               pr_err("bad smb2 signature\n");
+               return 0;
+       }
+@@ -8967,7 +8968,7 @@ int smb3_check_sign_req(struct ksmbd_wor
+       if (ksmbd_sign_smb3_pdu(conn, signing_key, iov, 1, signature))
+               return 0;
+-      if (memcmp(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
++      if (crypto_memneq(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
+               pr_err("bad smb2 signature\n");
+               return 0;
+       }
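Review bot: The mismatch branches in smb2_check_sign_req and smb3_check_sign_req still log with an unratelimited `pr_err("bad smb2 signature\n")`. A peer that keeps sending requests with a wrong signature can therefore flood the kernel log; `pr_err_ratelimited("bad smb2 signature\n");` would bound that. The message also says "smb2" inside the SMB3 check, which makes log triage harder. Both functions begin and end outside the hunks, so the assumption that signature_req is taken from the client's request header is inferred from the names, not from visible code.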
diff --git a/queue-6.19/mm-thp-deny-thp-for-files-on-anonymous-inodes.patch b/queue-6.19/mm-thp-deny-thp-for-files-on-anonymous-inodes.patch
new file mode 100644 (file)
index 0000000..4dbbb61
--- /dev/null
@@ -0,0 +1,91 @@
+From dd085fe9a8ebfc5d10314c60452db38d2b75e609 Mon Sep 17 00:00:00 2001
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+Date: Sat, 14 Feb 2026 05:45:35 +0530
+Subject: mm: thp: deny THP for files on anonymous inodes
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+commit dd085fe9a8ebfc5d10314c60452db38d2b75e609 upstream.
+
+file_thp_enabled() incorrectly allows THP for files on anonymous inodes
+(e.g. guest_memfd and secretmem). These files are created via
+alloc_file_pseudo(), which does not call get_write_access() and leaves
+inode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being
+true, they appear as read-only regular files when
+CONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP
+collapse.
+
+Anonymous inodes can never pass the inode_is_open_for_write() check
+since their i_writecount is never incremented through the normal VFS
+open path. The right thing to do is to exclude them from THP eligibility
+altogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real
+filesystem files (e.g. shared libraries), not for pseudo-filesystem
+inodes.
+
+For guest_memfd, this allows khugepaged and MADV_COLLAPSE to create
+large folios in the page cache via the collapse path, but the
+guest_memfd fault handler does not support large folios. This triggers
+WARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping().
+
+For secretmem, collapse_file() tries to copy page contents through the
+direct map, but secretmem pages are removed from the direct map. This
+can result in a kernel crash:
+
+    BUG: unable to handle page fault for address: ffff88810284d000
+    RIP: 0010:memcpy_orig+0x16/0x130
+    Call Trace:
+     collapse_file
+     hpage_collapse_scan_file
+     madvise_collapse
+
+Secretmem is not affected by the crash on upstream as the memory failure
+recovery handles the failed copy gracefully, but it still triggers
+confusing false memory failure reports:
+
+    Memory failure: 0x106d96f: recovery action for clean unevictable
+    LRU page: Recovered
+
+Check IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all
+anonymous inode files.
+
+Link: https://syzkaller.appspot.com/bug?extid=33a04338019ac7e43a44
+Link: https://lore.kernel.org/linux-mm/CAEvNRgHegcz3ro35ixkDw39ES8=U6rs6S7iP0gkR9enr7HoGtA@mail.gmail.com
+Link: https://lkml.kernel.org/r/20260214001535.435626-1-kartikey406@gmail.com
+Fixes: 7fbb5e188248 ("mm: remove VM_EXEC requirement for THP eligibility")
+Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
+Reported-by: syzbot+33a04338019ac7e43a44@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=33a04338019ac7e43a44
+Tested-by: syzbot+33a04338019ac7e43a44@syzkaller.appspotmail.com
+Tested-by: Lance Yang <lance.yang@linux.dev>
+Acked-by: David Hildenbrand (Arm) <david@kernel.org>
+Reviewed-by: Barry Song <baohua@kernel.org>
+Reviewed-by: Ackerley Tng <ackerleytng@google.com>
+Tested-by: Ackerley Tng <ackerleytng@google.com>
+Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
+Cc: Dev Jain <dev.jain@arm.com>
+Cc: Fangrui Song <i@maskray.me>
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Cc: Nico Pache <npache@redhat.com>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: Yang Shi <shy828301@gmail.com>
+Cc: Zi Yan <ziy@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/huge_memory.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -94,6 +94,9 @@ static inline bool file_thp_enabled(stru
+       inode = file_inode(vma->vm_file);
++      if (IS_ANON_FILE(inode))
++              return false;
++
+       return !inode_is_open_for_write(inode) && S_ISREG(inode->i_mode);
+ }
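Review bot: The new `IS_ANON_FILE(inode)` early return in file_thp_enabled has no comment, and the reason for it is not obvious from the code. The final `return` already looks like a sufficient read-only test. I would add `/* Anonymous inodes (guest_memfd, secretmem) never take write access, so i_writecount stays 0 and they would pass as read-only regular files. */` above the check. The function starts outside the hunk, so any earlier guards are not visible here.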
diff --git a/queue-6.19/mptcp-pm-avoid-sending-rm_addr-over-same-subflow.patch b/queue-6.19/mptcp-pm-avoid-sending-rm_addr-over-same-subflow.patch
new file mode 100644 (file)
index 0000000..0ef66e7
--- /dev/null
@@ -0,0 +1,120 @@
+From fb8d0bccb221080630efcd9660c9f9349e53cc9e Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Tue, 3 Mar 2026 11:56:03 +0100
+Subject: mptcp: pm: avoid sending RM_ADDR over same subflow
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit fb8d0bccb221080630efcd9660c9f9349e53cc9e upstream.
+
+RM_ADDR are sent over an active subflow, the first one in the subflows
+list. There is then a high chance the initial subflow is picked. With
+the in-kernel PM, when an endpoint is removed, a RM_ADDR is sent, then
+linked subflows are closed. This is done for each active MPTCP
+connection.
+
+MPTCP endpoints are likely removed because the attached network is no
+longer available or usable. In this case, it is better to avoid sending
+this RM_ADDR over the subflow that is going to be removed, but prefer
+sending it over another active and non stale subflow, if any.
+
+This modification avoids situations where the other end is not notified
+when a subflow is no longer usable: typically when the endpoint linked
+to the initial subflow is removed, especially on the server side.
+
+Fixes: 8dd5efb1f91b ("mptcp: send ack for rm_addr")
+Cc: stable@vger.kernel.org
+Reported-by: Frank Lorenz <lorenz-frank@web.de>
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/612
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-2-4b5462b6f016@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm.c |   55 +++++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 43 insertions(+), 12 deletions(-)
+
+--- a/net/mptcp/pm.c
++++ b/net/mptcp/pm.c
+@@ -212,9 +212,24 @@ void mptcp_pm_send_ack(struct mptcp_sock
+       spin_lock_bh(&msk->pm.lock);
+ }
+-void mptcp_pm_addr_send_ack(struct mptcp_sock *msk)
++static bool subflow_in_rm_list(const struct mptcp_subflow_context *subflow,
++                             const struct mptcp_rm_list *rm_list)
++{
++      u8 i, id = subflow_get_local_id(subflow);
++
++      for (i = 0; i < rm_list->nr; i++) {
++              if (rm_list->ids[i] == id)
++                      return true;
++      }
++
++      return false;
++}
++
++static void
++mptcp_pm_addr_send_ack_avoid_list(struct mptcp_sock *msk,
++                                const struct mptcp_rm_list *rm_list)
+ {
+-      struct mptcp_subflow_context *subflow, *alt = NULL;
++      struct mptcp_subflow_context *subflow, *stale = NULL, *same_id = NULL;
+       msk_owned_by_me(msk);
+       lockdep_assert_held(&msk->pm.lock);
+@@ -224,19 +239,35 @@ void mptcp_pm_addr_send_ack(struct mptcp
+               return;
+       mptcp_for_each_subflow(msk, subflow) {
+-              if (__mptcp_subflow_active(subflow)) {
+-                      if (!subflow->stale) {
+-                              mptcp_pm_send_ack(msk, subflow, false, false);
+-                              return;
+-                      }
++              if (!__mptcp_subflow_active(subflow))
++                      continue;
+-                      if (!alt)
+-                              alt = subflow;
++              if (unlikely(subflow->stale)) {
++                      if (!stale)
++                              stale = subflow;
++              } else if (unlikely(rm_list &&
++                                  subflow_in_rm_list(subflow, rm_list))) {
++                      if (!same_id)
++                              same_id = subflow;
++              } else {
++                      goto send_ack;
+               }
+       }
+-      if (alt)
+-              mptcp_pm_send_ack(msk, alt, false, false);
++      if (same_id)
++              subflow = same_id;
++      else if (stale)
++              subflow = stale;
++      else
++              return;
++
++send_ack:
++      mptcp_pm_send_ack(msk, subflow, false, false);
++}
++
++void mptcp_pm_addr_send_ack(struct mptcp_sock *msk)
++{
++      mptcp_pm_addr_send_ack_avoid_list(msk, NULL);
+ }
+ int mptcp_pm_mp_prio_send_ack(struct mptcp_sock *msk,
+@@ -470,7 +501,7 @@ int mptcp_pm_remove_addr(struct mptcp_so
+       msk->pm.rm_list_tx = *rm_list;
+       rm_addr |= BIT(MPTCP_RM_ADDR_SIGNAL);
+       WRITE_ONCE(msk->pm.addr_signal, rm_addr);
+-      mptcp_pm_addr_send_ack(msk);
++      mptcp_pm_addr_send_ack_avoid_list(msk, rm_list);
+       return 0;
+ }
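Review bot: mptcp_pm_addr_send_ack_avoid_list picks a subflow by a three-level preference that is only readable by tracing the `if`/`else if` chain and the fallback after the loop. Note that a non-stale subflow whose id is in rm_list is preferred over a stale one. A short header comment would make that explicit, e.g. `/* Prefer an active, non-stale subflow not in rm_list; else a non-stale one in rm_list; else a stale one. */`. The `goto send_ack` out of `mptcp_for_each_subflow` relies on `subflow` still holding the loop cursor; the comment could say so in one more line, or the loop could `break` after assigning a named `pick` variable instead.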
diff --git a/queue-6.19/mptcp-pm-in-kernel-always-mark-signal-subflow-endp-as-used.patch b/queue-6.19/mptcp-pm-in-kernel-always-mark-signal-subflow-endp-as-used.patch
new file mode 100644 (file)
index 0000000..777920e
--- /dev/null
@@ -0,0 +1,120 @@
+From 579a752464a64cb5f9139102f0e6b90a1f595ceb Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Tue, 3 Mar 2026 11:56:05 +0100
+Subject: mptcp: pm: in-kernel: always mark signal+subflow endp as used
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 579a752464a64cb5f9139102f0e6b90a1f595ceb upstream.
+
+Syzkaller managed to find a combination of actions that was generating
+this warning:
+
+  msk->pm.local_addr_used == 0
+  WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961
+  WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961
+  WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961
+  Modules linked in:
+  CPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full)
+  Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014
+  RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline]
+  RIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline]
+  RIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210
+  Code: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 <0f> 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a
+  RSP: 0018:ffffc90001663880 EFLAGS: 00010293
+  RAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500
+  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+  RBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff
+  R10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640
+  R13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650
+  FS:  00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000
+  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  CR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0
+  Call Trace:
+   <TASK>
+   genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115
+   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
+   genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210
+   netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550
+   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
+   netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
+   netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344
+   netlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894
+   sock_sendmsg_nosec net/socket.c:727 [inline]
+   __sock_sendmsg+0xc9/0xf0 net/socket.c:742
+   ____sys_sendmsg+0x272/0x3b0 net/socket.c:2592
+   ___sys_sendmsg+0x2de/0x320 net/socket.c:2646
+   __sys_sendmsg net/socket.c:2678 [inline]
+   __do_sys_sendmsg net/socket.c:2683 [inline]
+   __se_sys_sendmsg net/socket.c:2681 [inline]
+   __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681
+   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+   do_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94
+   entry_SYSCALL_64_after_hwframe+0x77/0x7f
+  RIP: 0033:0x7f66346f826d
+  Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+  RSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+  RAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d
+  RDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007
+  RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+  R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8
+  R13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770
+   </TASK>
+
+The actions that caused that seem to be:
+
+ - Set the MPTCP subflows limit to 0
+ - Create an MPTCP endpoint with both the 'signal' and 'subflow' flags
+ - Create a new MPTCP connection from a different address: an ADD_ADDR
+   linked to the MPTCP endpoint will be sent ('signal' flag), but no
+   subflows is initiated ('subflow' flag)
+ - Remove the MPTCP endpoint
+
+In this case, msk->pm.local_addr_used has been kept to 0 -- because no
+subflows have been created -- but the corresponding bit in
+msk->pm.id_avail_bitmap has been cleared when the ADD_ADDR has been
+sent. This later causes a splat when removing the MPTCP endpoint because
+msk->pm.local_addr_used has been kept to 0.
+
+Now, if an endpoint has both the signal and subflow flags, but it is not
+possible to create subflows because of the limits or the c-flag case,
+then the local endpoint counter is still incremented: the endpoint is
+used at the end. This avoids issues later when removing the endpoint and
+calling __mark_subflow_endp_available(), which expects
+msk->pm.local_addr_used to have been previously incremented if the
+endpoint was marked as used according to msk->pm.id_avail_bitmap.
+
+Note that signal_and_subflow variable is reset to false when the limits
+and the c-flag case allows subflows creation. Also, local_addr_used is
+only incremented for non ID0 subflows.
+
+Fixes: 85df533a787b ("mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set")
+Cc: stable@vger.kernel.org
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/613
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-4-4b5462b6f016@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_kernel.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/mptcp/pm_kernel.c
++++ b/net/mptcp/pm_kernel.c
+@@ -418,6 +418,15 @@ subflow:
+       }
+ exit:
++      /* If an endpoint has both the signal and subflow flags, but it is not
++       * possible to create subflows -- the 'while' loop body above never
++       * executed --  then still mark the endp as used, which is somehow the
++       * case. This avoids issues later when removing the endpoint and calling
++       * __mark_subflow_endp_available(), which expects the increment here.
++       */
++      if (signal_and_subflow && local.addr.id != msk->mpc_endpoint_id)
++              msk->pm.local_addr_used++;
++
+       mptcp_pm_nl_check_work_pending(msk);
+ }
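Review bot: The added check at `exit:` reads `local.addr.id`, but that label is reachable from paths outside this hunk. The read is safe only if `signal_and_subflow` can be true solely after `local` has been filled in, which cannot be confirmed from the visible lines. The `&&` order is what protects it, so I would record that in the comment, e.g. add `signal_and_subflow is only set once 'local' is populated.`. The phrase "which is somehow the case" in the new comment is vague; "since the ADD_ADDR already consumed its ID" would match the commit message.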
diff --git a/queue-6.19/net-phy-register-phy-led_triggers-during-probe-to-avoid-ab-ba-deadlock.patch b/queue-6.19/net-phy-register-phy-led_triggers-during-probe-to-avoid-ab-ba-deadlock.patch
new file mode 100644 (file)
index 0000000..eab7e2e
--- /dev/null
@@ -0,0 +1,123 @@
+From c8dbdc6e380e7e96a51706db3e4b7870d8a9402d Mon Sep 17 00:00:00 2001
+From: Andrew Lunn <andrew@lunn.ch>
+Date: Sun, 22 Feb 2026 16:26:01 +0100
+Subject: net: phy: register phy led_triggers during probe to avoid AB-BA deadlock
+
+From: Andrew Lunn <andrew@lunn.ch>
+
+commit c8dbdc6e380e7e96a51706db3e4b7870d8a9402d upstream.
+
+There is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and
+LED_TRIGGER_PHY are enabled:
+
+[ 1362.049207] [<8054e4b8>] led_trigger_register+0x5c/0x1fc             <-- Trying to get lock "triggers_list_lock" via down_write(&triggers_list_lock);
+[ 1362.054536] [<80662830>] phy_led_triggers_register+0xd0/0x234
+[ 1362.060329] [<8065e200>] phy_attach_direct+0x33c/0x40c
+[ 1362.065489] [<80651fc4>] phylink_fwnode_phy_connect+0x15c/0x23c
+[ 1362.071480] [<8066ee18>] mtk_open+0x7c/0xba0
+[ 1362.075849] [<806d714c>] __dev_open+0x280/0x2b0
+[ 1362.080384] [<806d7668>] __dev_change_flags+0x244/0x24c
+[ 1362.085598] [<806d7698>] dev_change_flags+0x28/0x78
+[ 1362.090528] [<807150e4>] dev_ioctl+0x4c0/0x654                       <-- Hold lock "rtnl_mutex" by calling rtnl_lock();
+[ 1362.094985] [<80694360>] sock_ioctl+0x2f4/0x4e0
+[ 1362.099567] [<802e9c4c>] sys_ioctl+0x32c/0xd8c
+[ 1362.104022] [<80014504>] syscall_common+0x34/0x58
+
+Here LED_TRIGGER_PHY is registering LED triggers during phy_attach
+while holding RTNL and then taking triggers_list_lock.
+
+[ 1362.191101] [<806c2640>] register_netdevice_notifier+0x60/0x168      <-- Trying to get lock "rtnl_mutex" via rtnl_lock();
+[ 1362.197073] [<805504ac>] netdev_trig_activate+0x194/0x1e4
+[ 1362.202490] [<8054e28c>] led_trigger_set+0x1d4/0x360                 <-- Hold lock "triggers_list_lock" by down_read(&triggers_list_lock);
+[ 1362.207511] [<8054eb38>] led_trigger_write+0xd8/0x14c
+[ 1362.212566] [<80381d98>] sysfs_kf_bin_write+0x80/0xbc
+[ 1362.217688] [<8037fcd8>] kernfs_fop_write_iter+0x17c/0x28c
+[ 1362.223174] [<802cbd70>] vfs_write+0x21c/0x3c4
+[ 1362.227712] [<802cc0c4>] ksys_write+0x78/0x12c
+[ 1362.232164] [<80014504>] syscall_common+0x34/0x58
+
+Here LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takes
+triggers_list_lock and then RTNL. A classical AB-BA deadlock.
+
+phy_led_triggers_registers() does not require the RTNL, it does not
+make any calls into the network stack which require protection. There
+is also no requirement the PHY has been attached to a MAC, the
+triggers only make use of phydev state. This allows the call to
+phy_led_triggers_registers() to be placed elsewhere. PHY probe() and
+release() don't hold RTNL, so solving the AB-BA deadlock.
+
+Reported-by: Shiji Yang <yangshiji66@outlook.com>
+Closes: https://lore.kernel.org/all/OS7PR01MB13602B128BA1AD3FA38B6D1FFBC69A@OS7PR01MB13602.jpnprd01.prod.outlook.com/
+Fixes: 06f502f57d0d ("leds: trigger: Introduce a NETDEV trigger")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Tested-by: Shiji Yang <yangshiji66@outlook.com>
+Link: https://patch.msgid.link/20260222152601.1978655-1-andrew@lunn.ch
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phy_device.c |   25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -1763,8 +1763,6 @@ int phy_attach_direct(struct net_device
+               goto error;
+       phy_resume(phydev);
+-      if (!phydev->is_on_sfp_module)
+-              phy_led_triggers_register(phydev);
+       /**
+        * If the external phy used by current mac interface is managed by
+@@ -1879,9 +1877,6 @@ void phy_detach(struct phy_device *phyde
+       phydev->phy_link_change = NULL;
+       phydev->phylink = NULL;
+-      if (!phydev->is_on_sfp_module)
+-              phy_led_triggers_unregister(phydev);
+-
+       if (phydev->mdio.dev.driver)
+               module_put(phydev->mdio.dev.driver->owner);
+@@ -3512,16 +3507,27 @@ static int phy_probe(struct device *dev)
+       /* Set the state to READY by default */
+       phydev->state = PHY_READY;
++      /* Register the PHY LED triggers */
++      if (!phydev->is_on_sfp_module)
++              phy_led_triggers_register(phydev);
++
+       /* Get the LEDs from the device tree, and instantiate standard
+        * LEDs for them.
+        */
+-      if (IS_ENABLED(CONFIG_PHYLIB_LEDS) && !phy_driver_is_genphy(phydev))
++      if (IS_ENABLED(CONFIG_PHYLIB_LEDS) && !phy_driver_is_genphy(phydev)) {
+               err = of_phy_leds(phydev);
++              if (err)
++                      goto out;
++      }
++
++      return 0;
+ out:
++      if (!phydev->is_on_sfp_module)
++              phy_led_triggers_unregister(phydev);
++
+       /* Re-assert the reset signal on error */
+-      if (err)
+-              phy_device_reset(phydev, 1);
++      phy_device_reset(phydev, 1);
+       return err;
+ }
+@@ -3535,6 +3541,9 @@ static int phy_remove(struct device *dev
+       if (IS_ENABLED(CONFIG_PHYLIB_LEDS) && !phy_driver_is_genphy(phydev))
+               phy_leds_unregister(phydev);
++      if (!phydev->is_on_sfp_module)
++              phy_led_triggers_unregister(phydev);
++
+       phydev->state = PHY_DOWN;
+       sfp_bus_del_upstream(phydev->sfp_bus);
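Review bot: In phy_probe() the shared `out:` label now calls `phy_led_triggers_unregister(phydev)` for every non-SFP PHY, so any earlier `goto out` taken before `phy_led_triggers_register()` ran would unregister triggers that were never registered. The start of phy_probe() is outside the hunk, so neither the presence of such earlier jumps nor the helper's tolerance of that state can be confirmed here. If the helper is safe in that state, a comment on the label such as `/* safe even if the LED triggers were never registered */` would record the assumption. The return value of `phy_led_triggers_register()` is also still discarded, so a failed registration stays silent.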
diff --git a/queue-6.19/net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch b/queue-6.19/net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch
new file mode 100644 (file)
index 0000000..68a99b8
--- /dev/null
@@ -0,0 +1,115 @@
+From e35626f610f3d2b7953ccddf6a77453da22b3a9e Mon Sep 17 00:00:00 2001
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Tue, 24 Feb 2026 21:28:32 +0100
+Subject: net/sched: ets: fix divide by zero in the offload path
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+commit e35626f610f3d2b7953ccddf6a77453da22b3a9e upstream.
+
+Offloading ETS requires computing each class' WRR weight: this is done by
+averaging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsigned
+int, the same integer size as the individual DRR quanta, can overflow and
+even cause division by zero, like it happened in the following splat:
+
+ Oops: divide error: 0000 [#1] SMP PTI
+ CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G            E       6.19.0-virtme #45 PREEMPT(full)
+ Tainted: [E]=UNSIGNED_MODULE
+ Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+ RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]
+ Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44
+ RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246
+ RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660
+ RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe
+ R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe
+ R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000
+ FS:  00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0
+ Call Trace:
+  <TASK>
+  ets_qdisc_change+0x870/0xf40 [sch_ets]
+  qdisc_create+0x12b/0x540
+  tc_modify_qdisc+0x6d7/0xbd0
+  rtnetlink_rcv_msg+0x168/0x6b0
+  netlink_rcv_skb+0x5c/0x110
+  netlink_unicast+0x1d6/0x2b0
+  netlink_sendmsg+0x22e/0x470
+  ____sys_sendmsg+0x38a/0x3c0
+  ___sys_sendmsg+0x99/0xe0
+  __sys_sendmsg+0x8a/0xf0
+  do_syscall_64+0x111/0xf80
+  entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ RIP: 0033:0x7f440b81c77e
+ Code: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa
+ RSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e
+ RDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003
+ RBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8
+ R13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980
+  </TASK>
+ Modules linked in: sch_ets(E) netdevsim(E)
+ ---[ end trace 0000000000000000 ]---
+ RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]
+ Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44
+ RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246
+ RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660
+ RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe
+ R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe
+ R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000
+ FS:  00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0
+ Kernel panic - not syncing: Fatal exception
+ Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+ ---[ end Kernel panic - not syncing: Fatal exception ]---
+
+Fix this using 64-bit integers for 'q_sum' and 'q_psum'.
+
+Cc: stable@vger.kernel.org
+Fixes: d35eb52bd2ac ("net: sch_ets: Make the ETS qdisc offloadable")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Link: https://patch.msgid.link/28504887df314588c7255e9911769c36f751edee.1771964872.git.dcaratti@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_ets.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/sched/sch_ets.c
++++ b/net/sched/sch_ets.c
+@@ -115,12 +115,12 @@ static void ets_offload_change(struct Qd
+       struct ets_sched *q = qdisc_priv(sch);
+       struct tc_ets_qopt_offload qopt;
+       unsigned int w_psum_prev = 0;
+-      unsigned int q_psum = 0;
+-      unsigned int q_sum = 0;
+       unsigned int quantum;
+       unsigned int w_psum;
+       unsigned int weight;
+       unsigned int i;
++      u64 q_psum = 0;
++      u64 q_sum = 0;
+       if (!tc_can_offload(dev) || !dev->netdev_ops->ndo_setup_tc)
+               return;
+@@ -138,8 +138,12 @@ static void ets_offload_change(struct Qd
+       for (i = 0; i < q->nbands; i++) {
+               quantum = q->classes[i].quantum;
+-              q_psum += quantum;
+-              w_psum = quantum ? q_psum * 100 / q_sum : 0;
++              if (quantum) {
++                      q_psum += quantum;
++                      w_psum = div64_u64(q_psum * 100, q_sum);
++              } else {
++                      w_psum = 0;
++              }
+               weight = w_psum - w_psum_prev;
+               w_psum_prev = w_psum;
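Review bot: The division in the loop of ets_offload_change() is guarded by `if (quantum)` rather than by the divisor, so its safety rests on `q_sum` already containing this band's quantum, and that summation is outside the hunk. With the 64-bit accumulator this presumably holds, but a one-line comment such as `/* q_sum >= quantum > 0: u64 sum of 32-bit quanta cannot wrap */` would make the invariant explicit. `w_psum` stays `unsigned int` while `div64_u64()` returns a 64-bit value. The narrowing is harmless only if q_psum never exceeds q_sum, which again depends on the unseen code.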
diff --git a/queue-6.19/nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch b/queue-6.19/nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch
new file mode 100644 (file)
index 0000000..0e369ea
--- /dev/null
@@ -0,0 +1,73 @@
+From 1cb968a2013ffa8112d52ebe605009ea1c6a582c Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@google.com>
+Date: Sat, 24 Jan 2026 04:18:40 +0000
+Subject: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+commit 1cb968a2013ffa8112d52ebe605009ea1c6a582c upstream.
+
+syzbot reported memory leak of struct cred. [0]
+
+nfsd_nl_threads_set_doit() passes get_current_cred() to
+nfsd_svc(), but put_cred() is not called after that.
+
+The cred is finally passed down to _svc_xprt_create(),
+which calls get_cred() with the cred for struct svc_xprt.
+
+The ownership of the refcount by get_current_cred() is not
+transferred to anywhere and is just leaked.
+
+nfsd_svc() is also called from write_threads(), but it does
+not bump file->f_cred there.
+
+nfsd_nl_threads_set_doit() is called from sendmsg() and
+current->cred does not go away.
+
+Let's use current_cred() in nfsd_nl_threads_set_doit().
+
+[0]:
+BUG: memory leak
+unreferenced object 0xffff888108b89480 (size 184):
+  comm "syz-executor", pid 5994, jiffies 4294943386
+  hex dump (first 32 bytes):
+    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace (crc 369454a7):
+    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+    slab_post_alloc_hook mm/slub.c:4958 [inline]
+    slab_alloc_node mm/slub.c:5263 [inline]
+    kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270
+    prepare_creds+0x22/0x600 kernel/cred.c:185
+    copy_creds+0x44/0x290 kernel/cred.c:286
+    copy_process+0x7a7/0x2870 kernel/fork.c:2086
+    kernel_clone+0xac/0x6e0 kernel/fork.c:2651
+    __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
+    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 924f4fb003ba ("NFSD: convert write_threads to netlink command")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+dd3b43aa0204089217ee@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69744674.a00a0220.33ccc7.0000.GAE@google.com/
+Tested-by: syzbot+dd3b43aa0204089217ee@syzkaller.appspotmail.com
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfsctl.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1642,7 +1642,7 @@ int nfsd_nl_threads_set_doit(struct sk_b
+                       scope = nla_data(attr);
+       }
+-      ret = nfsd_svc(nrpools, nthreads, net, get_current_cred(), scope);
++      ret = nfsd_svc(nrpools, nthreads, net, current_cred(), scope);
+       if (ret > 0)
+               ret = 0;
+ out_unlock:
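Review bot: `current_cred()` hands nfsd_svc() a borrowed pointer with no reference held, so the call in nfsd_nl_threads_set_doit() is safe only while every consumer that keeps the cred takes its own reference. The commit message states that _svc_xprt_create() does this with get_cred(), but that code is not in the hunk. A comment above the call such as `/* borrowed cred: callees that store it must get_cred() */` would keep the contract visible to later editors. The function body begins and ends outside the hunk.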
diff --git a/queue-6.19/perf-x86-intel-uncore-add-per-scheduler-imc-cas-count-events.patch b/queue-6.19/perf-x86-intel-uncore-add-per-scheduler-imc-cas-count-events.patch
new file mode 100644 (file)
index 0000000..cb8cbe4
--- /dev/null
@@ -0,0 +1,81 @@
+From 6a8a48644c4b804123e59dbfc5d6cd29a0194046 Mon Sep 17 00:00:00 2001
+From: Zide Chen <zide.chen@intel.com>
+Date: Mon, 9 Feb 2026 16:52:25 -0800
+Subject: perf/x86/intel/uncore: Add per-scheduler IMC CAS count events
+
+From: Zide Chen <zide.chen@intel.com>
+
+commit 6a8a48644c4b804123e59dbfc5d6cd29a0194046 upstream.
+
+IMC on SPR and EMR does not support sub-channels.  In contrast, CPUs
+that use gnr_uncores[] (e.g. Granite Rapids and Sierra Forest)
+implement two command schedulers (SCH0/SCH1) per memory channel,
+providing logically independent command and data paths.
+
+Do not reuse the spr_uncore_imc[] configuration for these CPUs.
+Instead, introduce a dedicated gnr_uncore_imc[] with per-scheduler
+events, so userspace can monitor SCH0 and SCH1 independently.
+
+On these CPUs, replace cas_count_{read,write} with
+cas_count_{read,write}_sch{0,1}.  This may break existing userspace
+that relies on cas_count_{read,write}, prompting it to switch to the
+per-scheduler events, as the legacy event reports only partial
+traffic (SCH0).
+
+Fixes: 632c4bf6d007 ("perf/x86/intel/uncore: Support Granite Rapids")
+Fixes: cb4a6ccf3583 ("perf/x86/intel/uncore: Support Sierra Forest and Grand Ridge")
+Reported-by: Reinette Chatre <reinette.chatre@intel.com>
+Signed-off-by: Zide Chen <zide.chen@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260210005225.20311-1-zide.chen@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/uncore_snbep.c |   28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -6610,6 +6610,32 @@ static struct intel_uncore_type gnr_unco
+       .attr_update            = uncore_alias_groups,
+ };
++static struct uncore_event_desc gnr_uncore_imc_events[] = {
++      INTEL_UNCORE_EVENT_DESC(clockticks,      "event=0x01,umask=0x00"),
++      INTEL_UNCORE_EVENT_DESC(cas_count_read_sch0,  "event=0x05,umask=0xcf"),
++      INTEL_UNCORE_EVENT_DESC(cas_count_read_sch0.scale, "6.103515625e-5"),
++      INTEL_UNCORE_EVENT_DESC(cas_count_read_sch0.unit, "MiB"),
++      INTEL_UNCORE_EVENT_DESC(cas_count_read_sch1,  "event=0x06,umask=0xcf"),
++      INTEL_UNCORE_EVENT_DESC(cas_count_read_sch1.scale, "6.103515625e-5"),
++      INTEL_UNCORE_EVENT_DESC(cas_count_read_sch1.unit, "MiB"),
++      INTEL_UNCORE_EVENT_DESC(cas_count_write_sch0, "event=0x05,umask=0xf0"),
++      INTEL_UNCORE_EVENT_DESC(cas_count_write_sch0.scale, "6.103515625e-5"),
++      INTEL_UNCORE_EVENT_DESC(cas_count_write_sch0.unit, "MiB"),
++      INTEL_UNCORE_EVENT_DESC(cas_count_write_sch1, "event=0x06,umask=0xf0"),
++      INTEL_UNCORE_EVENT_DESC(cas_count_write_sch1.scale, "6.103515625e-5"),
++      INTEL_UNCORE_EVENT_DESC(cas_count_write_sch1.unit, "MiB"),
++      { /* end: all zeroes */ },
++};
++
++static struct intel_uncore_type gnr_uncore_imc = {
++      SPR_UNCORE_MMIO_COMMON_FORMAT(),
++      .name                   = "imc",
++      .fixed_ctr_bits         = 48,
++      .fixed_ctr              = SNR_IMC_MMIO_PMON_FIXED_CTR,
++      .fixed_ctl              = SNR_IMC_MMIO_PMON_FIXED_CTL,
++      .event_descs            = gnr_uncore_imc_events,
++};
++
+ static struct intel_uncore_type gnr_uncore_pciex8 = {
+       SPR_UNCORE_PCI_COMMON_FORMAT(),
+       .name                   = "pciex8",
+@@ -6657,7 +6683,7 @@ static struct intel_uncore_type *gnr_unc
+       NULL,
+       &spr_uncore_pcu,
+       &gnr_uncore_ubox,
+-      &spr_uncore_imc,
++      &gnr_uncore_imc,
+       NULL,
+       &gnr_uncore_upi,
+       NULL,
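Review bot: The scale string `"6.103515625e-5"` appears four times in gnr_uncore_imc_events[] with no explanation. It equals 64 / 2^20, presumably 64 bytes per CAS expressed in MiB. A comment at the top of the table, for example `/* scale: 64 B per CAS / 2^20 = 6.103515625e-5 MiB */`, would let a reader check it against the `.unit` entries. Since the commit message says cas_count_{read,write} are replaced on these CPUs, a second comment on `gnr_uncore_imc` naming the removed events would help anyone tracing why existing monitoring stopped matching.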
diff --git a/queue-6.19/platform-x86-alienware-wmi-wmax-add-g-mode-support-to-m18-laptops.patch b/queue-6.19/platform-x86-alienware-wmi-wmax-add-g-mode-support-to-m18-laptops.patch
new file mode 100644 (file)
index 0000000..3384be8
--- /dev/null
@@ -0,0 +1,37 @@
+From bd5914caeb4b2de233992c31babccda88041b035 Mon Sep 17 00:00:00 2001
+From: Kurt Borja <kuurtb@gmail.com>
+Date: Thu, 29 Jan 2026 12:19:24 -0500
+Subject: platform/x86: alienware-wmi-wmax: Add G-Mode support to m18 laptops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+commit bd5914caeb4b2de233992c31babccda88041b035 upstream.
+
+Alienware m18 laptops support G-Mode. Therefore, match them with
+G-Series quirks.
+
+Cc: stable@vger.kernel.org
+Tested-by: Olexa Bilaniuk <obilaniu@gmail.com>
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://patch.msgid.link/20260129-m18-gmode-v1-1-48be521487b9@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/dell/alienware-wmi-wmax.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/dell/alienware-wmi-wmax.c
++++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c
+@@ -175,7 +175,7 @@ static const struct dmi_system_id awcc_d
+                       DMI_MATCH(DMI_SYS_VENDOR, "Alienware"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m18"),
+               },
+-              .driver_data = &generic_quirks,
++              .driver_data = &g_series_quirks,
+       },
+       {
+               .ident = "Alienware x15",
diff --git a/queue-6.19/platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch b/queue-6.19/platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch
new file mode 100644 (file)
index 0000000..c79bf63
--- /dev/null
@@ -0,0 +1,42 @@
+From 26a7601471f62b95d56a81c3a8ccb551b5a6630f Mon Sep 17 00:00:00 2001
+From: Kurt Borja <kuurtb@gmail.com>
+Date: Sat, 7 Feb 2026 12:16:34 -0500
+Subject: platform/x86: dell-wmi: Add audio/mic mute key codes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+commit 26a7601471f62b95d56a81c3a8ccb551b5a6630f upstream.
+
+Add audio/mic mute key codes found in Alienware m18 r1 AMD.
+
+Cc: stable@vger.kernel.org
+Tested-by: Olexa Bilaniuk <obilaniu@gmail.com>
+Suggested-by: Olexa Bilaniuk <obilaniu@gmail.com>
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Acked-by: Pali Rohár <pali@kernel.org>
+Link: https://patch.msgid.link/20260207-mute-keys-v2-1-c55e5471c9c1@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/dell/dell-wmi-base.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/platform/x86/dell/dell-wmi-base.c
++++ b/drivers/platform/x86/dell/dell-wmi-base.c
+@@ -80,6 +80,12 @@ static const struct dmi_system_id dell_w
+ static const struct key_entry dell_wmi_keymap_type_0000[] = {
+       { KE_IGNORE, 0x003a, { KEY_CAPSLOCK } },
++      /* Audio mute toggle */
++      { KE_KEY,    0x0109, { KEY_MUTE } },
++
++      /* Mic mute toggle */
++      { KE_KEY,    0x0150, { KEY_MICMUTE } },
++
+       /* Meta key lock */
+       { KE_IGNORE, 0xe000, { KEY_RIGHTMETA } },
diff --git a/queue-6.19/platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch b/queue-6.19/platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch
new file mode 100644 (file)
index 0000000..6defa6a
--- /dev/null
@@ -0,0 +1,37 @@
+From d1a196e0a6dcddd03748468a0e9e3100790fc85c Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Tue, 3 Mar 2026 12:30:51 +0100
+Subject: platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit d1a196e0a6dcddd03748468a0e9e3100790fc85c upstream.
+
+set_new_password() hex dumps the entire buffer, which contains plaintext
+password data, including current and new passwords. Remove the hex dump
+to avoid leaking credentials.
+
+Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Link: https://patch.msgid.link/20260303113050.58127-2-thorsten.blum@linux.dev
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c
+@@ -93,7 +93,6 @@ int set_new_password(const char *passwor
+       if (ret < 0)
+               goto out;
+-      print_hex_dump_bytes("set new password data: ", DUMP_PREFIX_NONE, buffer, buffer_size);
+       ret = call_password_interface(wmi_priv.password_attr_wdev, buffer, buffer_size);
+       /* on success copy the new password to current password */
+       if (!ret)
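Review bot: Removing the hex dump keeps the passwords out of the kernel log, but `buffer` in set_new_password() still holds the current and new passwords in plaintext after `call_password_interface()` returns. The `out:` path is outside the hunk, so how the buffer is released cannot be seen here. If it is freed with plain `kfree(buffer)`, `kfree_sensitive(buffer)` would clear it first. Logs retained from kernels that still carried the dump may contain these credentials, depending on the debug-print configuration, which is worth checking when assessing exposure.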
diff --git a/queue-6.19/rdma-ionic-fix-kernel-stack-leak-in-ionic_create_cq.patch b/queue-6.19/rdma-ionic-fix-kernel-stack-leak-in-ionic_create_cq.patch
new file mode 100644 (file)
index 0000000..5f3d3a3
--- /dev/null
@@ -0,0 +1,45 @@
+From faa72102b178c7ae6c6afea23879e7c84fc59b4e Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Mon, 16 Feb 2026 11:02:50 -0400
+Subject: RDMA/ionic: Fix kernel stack leak in ionic_create_cq()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit faa72102b178c7ae6c6afea23879e7c84fc59b4e upstream.
+
+struct ionic_cq_resp resp {
+    __u32 cqid[2];         // offset 0 - PARTIALLY SET (see below)
+    __u8  udma_mask;       // offset 8 - SET (resp.udma_mask = vcq->udma_mask)
+    __u8  rsvd[7];         // offset 9 - NEVER SET <- LEAK
+};
+
+rsvd[7]: 7 bytes of stack memory leaked unconditionally.
+
+cqid[2]: The loop at line 1256 iterates over udma_idx but skips indices
+where !(vcq->udma_mask & BIT(udma_idx)). The array has 2 entries but
+udma_count could be 1, meaning cqid[1] might never be written via
+ionic_create_cq_common(). If udma_mask only has bit 0 set, cqid[1] (4
+bytes) is also leaked. So potentially 11 bytes leaked.
+
+Cc: stable@vger.kernel.org
+Fixes: e8521822c733 ("RDMA/ionic: Register device ops for control path")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://patch.msgid.link/4-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com
+Acked-by: Abhijit Gangurde <abhijit.gangurde@amd.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/ionic/ionic_controlpath.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/ionic/ionic_controlpath.c
++++ b/drivers/infiniband/hw/ionic/ionic_controlpath.c
+@@ -1218,7 +1218,7 @@ int ionic_create_cq(struct ib_cq *ibcq,
+               rdma_udata_to_drv_context(udata, struct ionic_ctx, ibctx);
+       struct ionic_vcq *vcq = to_ionic_vcq(ibcq);
+       struct ionic_tbl_buf buf = {};
+-      struct ionic_cq_resp resp;
++      struct ionic_cq_resp resp = {};
+       struct ionic_cq_req req;
+       int udma_idx = 0, rc;
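Review bot: `struct ionic_cq_resp resp = {};` in ionic_create_cq() closes the leak, but nothing on the declaration says why the initializer matters, so a later cleanup could drop it as redundant. A comment such as `/* zeroed: returned to user space, including rsvd[] and any unused cqid[] */` would protect it. The same applies to `struct irdma_create_ah_resp uresp = {};` in the irdma_create_user_ah() hunk that follows. `struct ionic_cq_req req;` directly below remains uninitialized; it is presumably filled from user data before use, but that code is outside the hunk.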
diff --git a/queue-6.19/rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch b/queue-6.19/rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch
new file mode 100644 (file)
index 0000000..9c1066a
--- /dev/null
@@ -0,0 +1,39 @@
+From 74586c6da9ea222a61c98394f2fc0a604748438c Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Mon, 16 Feb 2026 11:02:49 -0400
+Subject: RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit 74586c6da9ea222a61c98394f2fc0a604748438c upstream.
+
+struct irdma_create_ah_resp {  // 8 bytes, no padding
+    __u32 ah_id;               // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx)
+    __u8  rsvd[4];             // offset 4 - NEVER SET <- LEAK
+};
+
+rsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().
+
+The reserved members of the structure were not zeroed.
+
+Cc: stable@vger.kernel.org
+Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://patch.msgid.link/3-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/irdma/verbs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -5209,7 +5209,7 @@ static int irdma_create_user_ah(struct i
+ #define IRDMA_CREATE_AH_MIN_RESP_LEN offsetofend(struct irdma_create_ah_resp, rsvd)
+       struct irdma_ah *ah = container_of(ibah, struct irdma_ah, ibah);
+       struct irdma_device *iwdev = to_iwdev(ibah->pd->device);
+-      struct irdma_create_ah_resp uresp;
++      struct irdma_create_ah_resp uresp = {};
+       struct irdma_ah *parent_ah;
+       int err;
diff --git a/queue-6.19/scsi-core-fix-refcount-leak-for-tagset_refcnt.patch b/queue-6.19/scsi-core-fix-refcount-leak-for-tagset_refcnt.patch
new file mode 100644 (file)
index 0000000..e07b6f9
--- /dev/null
@@ -0,0 +1,48 @@
+From 1ac22c8eae81366101597d48360718dff9b9d980 Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Mon, 23 Feb 2026 15:27:28 -0800
+Subject: scsi: core: Fix refcount leak for tagset_refcnt
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit 1ac22c8eae81366101597d48360718dff9b9d980 upstream.
+
+This leak will cause a hang when tearing down the SCSI host. For example,
+iscsid hangs with the following call trace:
+
+[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured
+
+PID: 2528     TASK: ffff9d0408974e00  CPU: 3    COMMAND: "iscsid"
+ #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4
+ #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f
+ #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0
+ #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f
+ #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b
+ #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]
+ #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]
+ #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]
+ #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6
+ #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef
+
+Fixes: 8fe4ce5836e9 ("scsi: core: Fix a use-after-free")
+Cc: stable@vger.kernel.org
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20260223232728.93350-1-junxiao.bi@oracle.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_scan.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/scsi_scan.c
++++ b/drivers/scsi/scsi_scan.c
+@@ -361,6 +361,7 @@ static struct scsi_device *scsi_alloc_sd
+        * since we use this queue depth most of times.
+        */
+       if (scsi_realloc_sdev_budget_map(sdev, depth)) {
++              kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags);
+               put_device(&starget->dev);
+               kfree(sdev);
+               goto out;
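Review bot: The added `kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags);` in the scsi_realloc_sdev_budget_map() failure branch has no visible counterpart, because the matching reference acquisition lies outside the hunk. The branch now undoes three things by hand, and the put must stay ahead of `kfree(sdev)` because it dereferences `sdev`. A comment such as `/* drop the tagset ref held for this sdev; must precede kfree(sdev) */` would record both facts. Other failure exits of scsi_alloc_sdev() are not shown, so whether they need the same put cannot be judged from here.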
diff --git a/queue-6.19/scsi-target-fix-recursive-locking-in-__configfs_open_file.patch b/queue-6.19/scsi-target-fix-recursive-locking-in-__configfs_open_file.patch
new file mode 100644 (file)
index 0000000..226ce39
--- /dev/null
@@ -0,0 +1,92 @@
+From 14d4ac19d1895397532eec407433c5d74d9da53b Mon Sep 17 00:00:00 2001
+From: Prithvi Tambewagh <activprithvi@gmail.com>
+Date: Mon, 16 Feb 2026 11:50:02 +0530
+Subject: scsi: target: Fix recursive locking in __configfs_open_file()
+
+From: Prithvi Tambewagh <activprithvi@gmail.com>
+
+commit 14d4ac19d1895397532eec407433c5d74d9da53b upstream.
+
+In flush_write_buffer, &p->frag_sem is acquired and then the loaded store
+function is called, which, here, is target_core_item_dbroot_store().  This
+function called filp_open(), following which these functions were called
+(in reverse order), according to the call trace:
+
+  down_read
+  __configfs_open_file
+  do_dentry_open
+  vfs_open
+  do_open
+  path_openat
+  do_filp_open
+  file_open_name
+  filp_open
+  target_core_item_dbroot_store
+  flush_write_buffer
+  configfs_write_iter
+
+target_core_item_dbroot_store() tries to validate the new file path by
+trying to open the file path provided to it; however, in this case, the bug
+report shows:
+
+db_root: not a directory: /sys/kernel/config/target/dbroot
+
+indicating that the same configfs file was tried to be opened, on which it
+is currently working on. Thus, it is trying to acquire frag_sem semaphore
+of the same file of which it already holds the semaphore obtained in
+flush_write_buffer(), leading to acquiring the semaphore in a nested manner
+and a possibility of recursive locking.
+
+Fix this by modifying target_core_item_dbroot_store() to use kern_path()
+instead of filp_open() to avoid opening the file using filesystem-specific
+function __configfs_open_file(), and further modifying it to make this fix
+compatible.
+
+Reported-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=f6e8174215573a84b797
+Tested-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Prithvi Tambewagh <activprithvi@gmail.com>
+Reviewed-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
+Link: https://patch.msgid.link/20260216062002.61937-1-activprithvi@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_configfs.c |   15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+--- a/drivers/target/target_core_configfs.c
++++ b/drivers/target/target_core_configfs.c
+@@ -108,8 +108,8 @@ static ssize_t target_core_item_dbroot_s
+                                       const char *page, size_t count)
+ {
+       ssize_t read_bytes;
+-      struct file *fp;
+       ssize_t r = -EINVAL;
++      struct path path = {};
+       mutex_lock(&target_devices_lock);
+       if (target_devices) {
+@@ -131,17 +131,14 @@ static ssize_t target_core_item_dbroot_s
+               db_root_stage[read_bytes - 1] = '\0';
+       /* validate new db root before accepting it */
+-      fp = filp_open(db_root_stage, O_RDONLY, 0);
+-      if (IS_ERR(fp)) {
++      r = kern_path(db_root_stage, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path);
++      if (r) {
+               pr_err("db_root: cannot open: %s\n", db_root_stage);
++              if (r == -ENOTDIR)
++                      pr_err("db_root: not a directory: %s\n", db_root_stage);
+               goto unlock;
+       }
+-      if (!S_ISDIR(file_inode(fp)->i_mode)) {
+-              filp_close(fp, NULL);
+-              pr_err("db_root: not a directory: %s\n", db_root_stage);
+-              goto unlock;
+-      }
+-      filp_close(fp, NULL);
++      path_put(&path);
+       strscpy(db_root, db_root_stage);
+       pr_debug("Target_Core_ConfigFS: db_root set to %s\n", db_root);
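Review bot: In the `kern_path()` failure branch of target_core_item_dbroot_store(), a path that is not a directory now logs two lines (`db_root: cannot open` and then `db_root: not a directory`), and `r` holds the lookup's errno instead of the initial `-EINVAL`. The `unlock` label is outside the hunk, so whether that errno reaches user space is inferred, but if the write's error code is meant to stay stable the branch needs `r = -EINVAL;` before `goto unlock`. Turning the two `pr_err()` calls into an if/else on `r == -ENOTDIR` would give one message per failure. The check is also by name only, since `path_put(&path)` drops the resolved path and only the string is copied into `db_root`. A comment such as `/* advisory: only the name is kept, the directory may change before it is used */` would tell later readers not to treat this as a guarantee.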
diff --git a/queue-6.19/scsi-ufs-core-fix-rpmb-region-size-detection-for-ufs-2.2.patch b/queue-6.19/scsi-ufs-core-fix-rpmb-region-size-detection-for-ufs-2.2.patch
new file mode 100644 (file)
index 0000000..fa04cac
--- /dev/null
@@ -0,0 +1,68 @@
+From 2e6b5cd6a4b37a95b78cf8c39a979b58c915c8ed Mon Sep 17 00:00:00 2001
+From: Alexey Charkov <alchark@flipper.net>
+Date: Mon, 9 Feb 2026 19:17:34 +0400
+Subject: scsi: ufs: core: Fix RPMB region size detection for UFS 2.2
+
+From: Alexey Charkov <alchark@flipper.net>
+
+commit 2e6b5cd6a4b37a95b78cf8c39a979b58c915c8ed upstream.
+
+Older UFS spec devices (2.2 and earlier) do not expose per-region RPMB
+sizes, as only one RPMB region is supported. In such cases, the size of the
+single RPMB region can be deduced from the Logical Block Count and Logical
+Block Size fields in the RPMB Unit Descriptor.
+
+Add a fallback mechanism to calculate the RPMB region size from these
+fields if the device implements an older spec, so that the RPMB driver can
+work with such devices - otherwise it silently skips the whole RPMB.
+
+        Section 14.1.4.6 (RPMB Unit Descriptor)
+
+Link: https://www.jedec.org/system/files/docs/JESD220C-2_2.pdf
+Cc: stable@vger.kernel.org
+Fixes: b06b8c421485 ("scsi: ufs: core: Add OP-TEE based RPMB driver for UFS devices")
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Signed-off-by: Alexey Charkov <alchark@flipper.net>
+Link: https://patch.msgid.link/20260209-ufs-rpmb-v3-1-b1804e71bd38@flipper.net
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/core/ufshcd.c |   20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -23,6 +23,7 @@
+ #include <linux/pm_opp.h>
+ #include <linux/regulator/consumer.h>
+ #include <linux/sched/clock.h>
++#include <linux/sizes.h>
+ #include <linux/iopoll.h>
+ #include <scsi/scsi_cmnd.h>
+ #include <scsi/scsi_dbg.h>
+@@ -5237,6 +5238,25 @@ static void ufshcd_lu_init(struct ufs_hb
+               hba->dev_info.rpmb_region_size[1] = desc_buf[RPMB_UNIT_DESC_PARAM_REGION1_SIZE];
+               hba->dev_info.rpmb_region_size[2] = desc_buf[RPMB_UNIT_DESC_PARAM_REGION2_SIZE];
+               hba->dev_info.rpmb_region_size[3] = desc_buf[RPMB_UNIT_DESC_PARAM_REGION3_SIZE];
++
++              if (hba->dev_info.wspecversion <= 0x0220) {
++                      /*
++                       * These older spec chips have only one RPMB region,
++                       * sized between 128 kB minimum and 16 MB maximum.
++                       * No per region size fields are provided (respective
++                       * REGIONX_SIZE fields always contain zeros), so get
++                       * it from the logical block count and size fields for
++                       * compatibility
++                       *
++                       * (See JESD220C-2_2 Section 14.1.4.6
++                       * RPMB Unit Descriptor,* offset 13h, 4 bytes)
++                       */
++                      hba->dev_info.rpmb_region_size[0] =
++                              (get_unaligned_be64(desc_buf
++                                      + RPMB_UNIT_DESC_PARAM_LOGICAL_BLK_COUNT)
++                              << desc_buf[RPMB_UNIT_DESC_PARAM_LOGICAL_BLK_SIZE])
++                              / SZ_128K;
++              }
+       }
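Review bot: The shift count in the new `wspecversion <= 0x0220` branch is the raw descriptor byte `desc_buf[RPMB_UNIT_DESC_PARAM_LOGICAL_BLK_SIZE]`, so a device that reports 64 or more makes the `<<` on the 64-bit block count undefined, and a large count can wrap before the division by `SZ_128K`. Both values are device-supplied and should be range-checked first, for example `if (shift < 64 && !check_shl_overflow(blk_count, shift, &bytes))`, storing `bytes / SZ_128K` only in that case. The element type of `rpmb_region_size[]` is not visible here; the neighbouring lines assign single descriptor bytes, so if it is a `u8` the quotient also needs an upper bound to avoid silent truncation. The comment cites "4 bytes" while the code reads an 8-byte big-endian field with `get_unaligned_be64()`, which is worth reconciling. ufshcd_lu_init() continues outside the hunk.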
diff --git a/queue-6.19/selftests-mptcp-join-check-removing-signal-subflow-endp.patch b/queue-6.19/selftests-mptcp-join-check-removing-signal-subflow-endp.patch
new file mode 100644 (file)
index 0000000..6f254ec
--- /dev/null
@@ -0,0 +1,57 @@
+From 1777f349ff41b62dfe27454b69c27b0bc99ffca5 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Tue, 3 Mar 2026 11:56:06 +0100
+Subject: selftests: mptcp: join: check removing signal+subflow endp
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 1777f349ff41b62dfe27454b69c27b0bc99ffca5 upstream.
+
+This validates the previous commit: endpoints with both the signal and
+subflow flags should always be marked as used even if it was not
+possible to create new subflows due to the MPTCP PM limits.
+
+For this test, an extra endpoint is created with both the signal and the
+subflow flags, and limits are set not to create extra subflows. In this
+case, an ADD_ADDR is sent, but no subflows are created. Still, the local
+endpoint is marked as used, and no warning is fired when removing the
+endpoint, after having sent a RM_ADDR.
+
+The 'Fixes' tag here below is the same as the one from the previous
+commit: this patch here is not fixing anything wrong in the selftests,
+but it validates the previous fix for an issue introduced by this commit
+ID.
+
+Fixes: 85df533a787b ("mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-5-4b5462b6f016@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -2637,6 +2637,19 @@ remove_tests()
+               chk_rst_nr 0 0
+       fi
++      # signal+subflow with limits, remove
++      if reset "remove signal+subflow with limits"; then
++              pm_nl_set_limits $ns1 0 0
++              pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,subflow
++              pm_nl_set_limits $ns2 0 0
++              addr_nr_ns1=-1 speed=slow \
++                      run_tests $ns1 $ns2 10.0.1.1
++              chk_join_nr 0 0 0
++              chk_add_nr 1 1
++              chk_rm_nr 1 0 invert
++              chk_rst_nr 0 0
++      fi
++
+       # addresses remove
+       if reset "remove addresses"; then
+               pm_nl_set_limits $ns1 3 3
diff --git a/queue-6.19/selftests-mptcp-join-check-rm_addr-not-sent-over-same-subflow.patch b/queue-6.19/selftests-mptcp-join-check-rm_addr-not-sent-over-same-subflow.patch
new file mode 100644 (file)
index 0000000..b420070
--- /dev/null
@@ -0,0 +1,112 @@
+From 560edd99b5f58b2d4bbe3c8e51e1eed68d887b0e Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Tue, 3 Mar 2026 11:56:04 +0100
+Subject: selftests: mptcp: join: check RM_ADDR not sent over same subflow
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 560edd99b5f58b2d4bbe3c8e51e1eed68d887b0e upstream.
+
+This validates the previous commit: RM_ADDR were sent over the first
+found active subflow which could be the same as the one being removed.
+It is more likely to loose this notification.
+
+For this check, RM_ADDR are explicitly dropped when trying to send them
+over the initial subflow, when removing the endpoint attached to it. If
+it is dropped, the test will complain because some RM_ADDR have not been
+received.
+
+Note that only the RM_ADDR are dropped, to allow the linked subflow to
+be quickly and cleanly closed. To only drop those RM_ADDR, a cBPF byte
+code is used. If the IPTables commands fail, that's OK, the tests will
+continue to pass, but not validate this part. This can be ignored:
+another subtest fully depends on such command, and will be marked as
+skipped.
+
+The 'Fixes' tag here below is the same as the one from the previous
+commit: this patch here is not fixing anything wrong in the selftests,
+but it validates the previous fix for an issue introduced by this commit
+ID.
+
+Fixes: 8dd5efb1f91b ("mptcp: send ack for rm_addr")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-3-4b5462b6f016@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh |   36 ++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -104,6 +104,24 @@ CBPF_MPTCP_SUBOPTION_ADD_ADDR="14,
+                              6 0 0 65535,
+                              6 0 0 0"
++# IPv4: TCP hdr of 48B, a first suboption of 12B (DACK8), the RM_ADDR suboption
++# generated using "nfbpf_compile '(ip[32] & 0xf0) == 0xc0 && ip[53] == 0x0c &&
++#                               (ip[66] & 0xf0) == 0x40'"
++CBPF_MPTCP_SUBOPTION_RM_ADDR="13,
++                            48 0 0 0,
++                            84 0 0 240,
++                            21 0 9 64,
++                            48 0 0 32,
++                            84 0 0 240,
++                            21 0 6 192,
++                            48 0 0 53,
++                            21 0 4 12,
++                            48 0 0 66,
++                            84 0 0 240,
++                            21 0 1 64,
++                            6 0 0 65535,
++                            6 0 0 0"
++
+ init_partial()
+ {
+       capout=$(mktemp)
+@@ -4222,6 +4240,14 @@ endpoint_tests()
+               chk_subflow_nr "after no reject" 3
+               chk_mptcp_info subflows 2 subflows 2
++              # To make sure RM_ADDR are sent over a different subflow, but
++              # allow the rest to quickly and cleanly close the subflow
++              local ipt=1
++              ip netns exec "${ns2}" ${iptables} -I OUTPUT -s "10.0.1.2" \
++                      -p tcp -m tcp --tcp-option 30 \
++                      -m bpf --bytecode \
++                      "$CBPF_MPTCP_SUBOPTION_RM_ADDR" \
++                      -j DROP || ipt=0
+               local i
+               for i in $(seq 3); do
+                       pm_nl_del_endpoint $ns2 1 10.0.1.2
+@@ -4234,6 +4260,7 @@ endpoint_tests()
+                       chk_subflow_nr "after re-add id 0 ($i)" 3
+                       chk_mptcp_info subflows 3 subflows 3
+               done
++              [ ${ipt} = 1 ] && ip netns exec "${ns2}" ${iptables} -D OUTPUT 1
+               mptcp_lib_kill_group_wait $tests_pid
+@@ -4293,11 +4320,20 @@ endpoint_tests()
+               chk_mptcp_info subflows 2 subflows 2
+               chk_mptcp_info add_addr_signal 2 add_addr_accepted 2
++              # To make sure RM_ADDR are sent over a different subflow, but
++              # allow the rest to quickly and cleanly close the subflow
++              local ipt=1
++              ip netns exec "${ns1}" ${iptables} -I OUTPUT -s "10.0.1.1" \
++                      -p tcp -m tcp --tcp-option 30 \
++                      -m bpf --bytecode \
++                      "$CBPF_MPTCP_SUBOPTION_RM_ADDR" \
++                      -j DROP || ipt=0
+               pm_nl_del_endpoint $ns1 42 10.0.1.1
+               sleep 0.5
+               chk_subflow_nr "after delete ID 0" 2
+               chk_mptcp_info subflows 2 subflows 2
+               chk_mptcp_info add_addr_signal 2 add_addr_accepted 2
++              [ ${ipt} = 1 ] && ip netns exec "${ns1}" ${iptables} -D OUTPUT 1
+               pm_nl_add_endpoint $ns1 10.0.1.1 id 99 flags signal
+               wait_mpj $ns2
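Review bot: Both cleanup lines in endpoint_tests() remove the filter by position (`-D OUTPUT 1`), which removes the RM_ADDR drop rule only if nothing else was inserted at the head of OUTPUT in that namespace between the `-I` and the `-D`. Deleting by the same rule specification that was inserted ties the cleanup to the rule itself, e.g. keep the match arguments in one array and call `ip netns exec "${ns2}" ${iptables} -D OUTPUT "${rm_addr_rule[@]}"`, which also avoids repeating the arguments in the two blocks. Separately, `[ ${ipt} = 1 ] && …` evaluates to non-zero when `ipt` is 0; if the script ever runs with `set -e` (not visible here), an `if` form would be safer. A rule left behind after a failed delete would keep dropping RM_ADDR for later subtests in the same namespace, so the delete's result is worth checking as well.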
diff --git a/queue-6.19/selftests-mptcp-more-stable-simult_flows-tests.patch b/queue-6.19/selftests-mptcp-more-stable-simult_flows-tests.patch
new file mode 100644 (file)
index 0000000..c7a7fcf
--- /dev/null
@@ -0,0 +1,60 @@
+From 8c09412e584d9bcc0e71d758ec1008d1c8d1a326 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 3 Mar 2026 11:56:02 +0100
+Subject: selftests: mptcp: more stable simult_flows tests
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 8c09412e584d9bcc0e71d758ec1008d1c8d1a326 upstream.
+
+By default, the netem qdisc can keep up to 1000 packets under its belly
+to deal with the configured rate and delay. The simult flows test-case
+simulates very low speed links, to avoid problems due to slow CPUs and
+the TCP stack tend to transmit at a slightly higher rate than the
+(virtual) link constraints.
+
+All the above causes a relatively large amount of packets being enqueued
+in the netem qdiscs - the longer the transfer, the longer the queue -
+producing increasingly high TCP RTT samples and consequently increasingly
+larger receive buffer size due to DRS.
+
+When the receive buffer size becomes considerably larger than the needed
+size, the tests results can flake, i.e. because minimal inaccuracy in the
+pacing rate can lead to a single subflow usage towards the end of the
+connection for a considerable amount of data.
+
+Address the issue explicitly setting netem limits suitable for the
+configured link speeds and unflake all the affected tests.
+
+Fixes: 1a418cb8e888 ("mptcp: simult flow self-tests")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-1-4b5462b6f016@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/simult_flows.sh |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/simult_flows.sh
++++ b/tools/testing/selftests/net/mptcp/simult_flows.sh
+@@ -237,10 +237,13 @@ run_test()
+       for dev in ns2eth1 ns2eth2; do
+               tc -n $ns2 qdisc del dev $dev root >/dev/null 2>&1
+       done
+-      tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1
+-      tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2
+-      tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1
+-      tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2
++
++      # keep the queued pkts number low, or the RTT estimator will see
++      # increasing latency over time.
++      tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1 limit 50
++      tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2 limit 50
++      tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1 limit 50
++      tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2 limit 50
+       # time is measured in ms, account for transfer size, aggregated link speed
+       # and header overhead (10%)
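Review bot: The literal `limit 50` is repeated on all four netem qdiscs in run_test() although `rate1` and `rate2` differ per invocation, while the commit text describes limits suited to the configured link speeds. Naming the value once, e.g. `local netem_limit=50`, with a comment on how 50 packets relates to the slowest rate and delay the tests configure, would make later tuning a one-line change. run_test() starts and ends outside the hunk.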
index 0982a62aa7e4a863976ce367a686652ddf9f23de..7cc77c55e0008f6cb4a89218c2da5f4a8d9f2f83 100644 (file)
@@ -114,3 +114,55 @@ hid-add-hid_claimed_input-guards-in-raw_event-callbacks-missing-them.patch
 hid-pidff-fix-condition-effect-bit-clearing.patch
 hid-multitouch-keep-latency-normal-on-deactivate-for-reactivation-gesture.patch
 x86-efi-defer-freeing-of-boot-services-memory.patch
+perf-x86-intel-uncore-add-per-scheduler-imc-cas-count-events.patch
+x86-boot-handle-relative-config_efi_sbat_file-file-paths.patch
+x86-sev-allow-ibpb-on-entry-feature-for-snp-guests.patch
+x86-boot-sev-move-sev-decompressor-variables-into-the-.data-section.patch
+platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch
+platform-x86-alienware-wmi-wmax-add-g-mode-support-to-m18-laptops.patch
+platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch
+alsa-hda-realtek-add-quirk-for-hp-pavilion-15-eh1xxx-to-enable-mute-led.patch
+alsa-doc-usb-audio-add-doc-for-quirk_flag_skip_iface_setup.patch
+alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch
+alsa-hda-intel-increase-default-bdl_pos_adj-for-nvidia-controllers.patch
+alsa-hda-realtek-fix-model-name-typo-for-samsung-galaxy-book-flex-nt950qcg-x716.patch
+alsa-hda-realtek-add-quirk-for-acer-aspire-v3-572g.patch
+alsa-hda-realtek-add-quirk-for-samsung-galaxy-book-flex-nt950qct-a38a.patch
+alsa-hda-realtek-add-quirk-for-acer-nitro-anv15-51.patch
+wifi-radiotap-reject-radiotap-with-unknown-bits.patch
+wifi-libertas-fix-use-after-free-in-lbs_free_adapter.patch
+wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch
+wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch
+wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch
+bluetooth-purge-error-queues-in-socket-destructors.patch
+gve-fix-incorrect-buffer-cleanup-in-gve_tx_clean_pending_packets-for-qpl.patch
+net-phy-register-phy-led_triggers-during-probe-to-avoid-ab-ba-deadlock.patch
+ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch
+rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch
+rdma-ionic-fix-kernel-stack-leak-in-ionic_create_cq.patch
+ksmbd-compare-macs-in-constant-time.patch
+cpufreq-intel_pstate-fix-crash-during-turbo-disable.patch
+arm64-gcs-do-not-set-pte_shared-on-gcs-mappings-if-feat_lpa2-is-enabled.patch
+net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch
+nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch
+tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch
+scsi-target-fix-recursive-locking-in-__configfs_open_file.patch
+mm-thp-deny-thp-for-files-on-anonymous-inodes.patch
+squashfs-check-metadata-block-offset-is-within-range.patch
+drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch
+drbd-fix-null-pointer-dereference-on-local-read-error.patch
+xfs-fix-xfs_group-release-bug-in-xfs_dax_notify_dev_failure.patch
+xfs-fix-error-pointer-dereference.patch
+smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch
+smb-client-fix-broken-multichannel-with-krb5-signing.patch
+smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch
+smb-client-fix-oops-due-to-uninitialised-var-in-smb2_unlink.patch
+scsi-core-fix-refcount-leak-for-tagset_refcnt.patch
+scsi-ufs-core-fix-rpmb-region-size-detection-for-ufs-2.2.patch
+mptcp-pm-avoid-sending-rm_addr-over-same-subflow.patch
+mptcp-pm-in-kernel-always-mark-signal-subflow-endp-as-used.patch
+selftests-mptcp-more-stable-simult_flows-tests.patch
+selftests-mptcp-join-check-rm_addr-not-sent-over-same-subflow.patch
+selftests-mptcp-join-check-removing-signal-subflow-endp.patch
+kbuild-split-.modinfo-out-from-elf_details.patch
+kbuild-leave-objtool-binary-around-with-make-clean.patch
diff --git a/queue-6.19/smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch b/queue-6.19/smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch
new file mode 100644 (file)
index 0000000..ea99a05
--- /dev/null
@@ -0,0 +1,33 @@
+From 2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Thu, 26 Feb 2026 22:28:45 +0100
+Subject: smb: client: Don't log plaintext credentials in cifs_set_cifscreds
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit 2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d upstream.
+
+When debug logging is enabled, cifs_set_cifscreds() logs the key
+payload and exposes the plaintext username and password. Remove the
+debug log to avoid exposing credentials.
+
+Fixes: 8a8798a5ff90 ("cifs: fetch credentials out of keyring for non-krb5 auth multiuser mounts")
+Cc: stable@vger.kernel.org
+Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/connect.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -2233,7 +2233,6 @@ cifs_set_cifscreds(struct smb3_fs_contex
+       /* find first : in payload */
+       payload = upayload->data;
+       delim = strnchr(payload, upayload->datalen, ':');
+-      cifs_dbg(FYI, "payload=%s\n", payload);
+       if (!delim) {
+               cifs_dbg(FYI, "Unable to find ':' in payload (datalen=%d)\n",
+                        upayload->datalen);
diff --git a/queue-6.19/smb-client-fix-broken-multichannel-with-krb5-signing.patch b/queue-6.19/smb-client-fix-broken-multichannel-with-krb5-signing.patch
new file mode 100644 (file)
index 0000000..1e2add8
--- /dev/null
@@ -0,0 +1,76 @@
+From d9d1e319b39ea685ede59319002d567c159d23c3 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@manguebit.org>
+Date: Wed, 25 Feb 2026 21:34:55 -0300
+Subject: smb: client: fix broken multichannel with krb5+signing
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+commit d9d1e319b39ea685ede59319002d567c159d23c3 upstream.
+
+When mounting a share with 'multichannel,max_channels=n,sec=krb5i',
+the client was duplicating signing key for all secondary channels,
+thus making the server fail all commands sent from secondary channels
+due to bad signatures.
+
+Every channel has its own signing key, so when establishing a new
+channel with krb5 auth, make sure to use the new session key as the
+derived key to generate channel's signing key in SMB2_auth_kerberos().
+
+Repro:
+
+$ mount.cifs //srv/share /mnt -o multichannel,max_channels=4,sec=krb5i
+$ sleep 5
+$ umount /mnt
+$ dmesg
+  ...
+  CIFS: VFS: sign fail cmd 0x5 message id 0x2
+  CIFS: VFS: \\srv SMB signature verification returned error = -13
+  CIFS: VFS: sign fail cmd 0x5 message id 0x2
+  CIFS: VFS: \\srv SMB signature verification returned error = -13
+  CIFS: VFS: sign fail cmd 0x4 message id 0x2
+  CIFS: VFS: \\srv SMB signature verification returned error = -13
+
+Reported-by: Xiaoli Feng <xifeng@redhat.com>
+Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Cc: David Howells <dhowells@redhat.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2pdu.c |   22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -1715,19 +1715,17 @@ SMB2_auth_kerberos(struct SMB2_sess_data
+       is_binding = (ses->ses_status == SES_GOOD);
+       spin_unlock(&ses->ses_lock);
+-      /* keep session key if binding */
+-      if (!is_binding) {
+-              kfree_sensitive(ses->auth_key.response);
+-              ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len,
+-                                               GFP_KERNEL);
+-              if (!ses->auth_key.response) {
+-                      cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n",
+-                               msg->sesskey_len);
+-                      rc = -ENOMEM;
+-                      goto out_put_spnego_key;
+-              }
+-              ses->auth_key.len = msg->sesskey_len;
++      kfree_sensitive(ses->auth_key.response);
++      ses->auth_key.response = kmemdup(msg->data,
++                                       msg->sesskey_len,
++                                       GFP_KERNEL);
++      if (!ses->auth_key.response) {
++              cifs_dbg(VFS, "%s: can't allocate (%u bytes) memory\n",
++                       __func__, msg->sesskey_len);
++              rc = -ENOMEM;
++              goto out_put_spnego_key;
+       }
++      ses->auth_key.len = msg->sesskey_len;
+       sess_data->iov[1].iov_base = msg->data + msg->sesskey_len;
+       sess_data->iov[1].iov_len = msg->secblob_len;
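Review bot: With the `is_binding` guard removed, `kfree_sensitive(ses->auth_key.response)` now runs before `kmemdup()` in the channel-binding case too, so an allocation failure leaves an already established session with a NULL `auth_key.response` and a stale `auth_key.len`. Allocating the copy first and swapping it in only on success keeps the previous key intact on the error path. The swap also happens after `ses->ses_lock` is released; whether other channels can read `ses->auth_key` at that point is not visible in this hunk and is worth confirming. SMB2_auth_kerberos() starts and ends outside the hunk.

```c
	/* … unchanged: is_binding computed under ses->ses_lock … */
	/* new_key: void * declared with the function's other locals */
	new_key = kmemdup(msg->data, msg->sesskey_len, GFP_KERNEL);
	if (!new_key) {
		cifs_dbg(VFS, "%s: can't allocate (%u bytes) memory\n",
			 __func__, msg->sesskey_len);
		rc = -ENOMEM;
		goto out_put_spnego_key;
	}
	/* replace the key only once the copy exists */
	kfree_sensitive(ses->auth_key.response);
	ses->auth_key.response = new_key;
	ses->auth_key.len = msg->sesskey_len;
	/* … unchanged: sess_data->iov[1] setup … */
```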
diff --git a/queue-6.19/smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch b/queue-6.19/smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch
new file mode 100644 (file)
index 0000000..9368762
--- /dev/null
@@ -0,0 +1,71 @@
+From 663c28469d3274d6456f206a6671c91493d85ff1 Mon Sep 17 00:00:00 2001
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+Date: Sat, 21 Feb 2026 01:59:44 -0300
+Subject: smb: client: fix cifs_pick_channel when channels are equally loaded
+
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+
+commit 663c28469d3274d6456f206a6671c91493d85ff1 upstream.
+
+cifs_pick_channel uses (start % chan_count) when channels are equally
+loaded, but that can return a channel that failed the eligibility
+checks.
+
+Drop the fallback and return the scan-selected channel instead. If none
+is eligible, keep the existing behavior of using the primary channel.
+
+Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
+Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Acked-by: Meetakshi Setiya <msetiya@microsoft.com>
+Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/transport.c |   21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+--- a/fs/smb/client/transport.c
++++ b/fs/smb/client/transport.c
+@@ -808,16 +808,21 @@ cifs_cancelled_callback(struct TCP_Serve
+ }
+ /*
+- * Return a channel (master if none) of @ses that can be used to send
+- * regular requests.
++ * cifs_pick_channel - pick an eligible channel for network operations
+  *
+- * If we are currently binding a new channel (negprot/sess.setup),
+- * return the new incomplete channel.
++ * @ses: session reference
++ *
++ * Select an eligible channel (not terminating and not marked as needing
++ * reconnect), preferring the least loaded one. If no eligible channel is
++ * found, fall back to the primary channel (index 0).
++ *
++ * Return: TCP_Server_Info pointer for the chosen channel, or NULL if @ses is
++ * NULL.
+  */
+ struct TCP_Server_Info *cifs_pick_channel(struct cifs_ses *ses)
+ {
+       uint index = 0;
+-      unsigned int min_in_flight = UINT_MAX, max_in_flight = 0;
++      unsigned int min_in_flight = UINT_MAX;
+       struct TCP_Server_Info *server = NULL;
+       int i, start, cur;
+@@ -847,14 +852,8 @@ struct TCP_Server_Info *cifs_pick_channe
+                       min_in_flight = server->in_flight;
+                       index = cur;
+               }
+-              if (server->in_flight > max_in_flight)
+-                      max_in_flight = server->in_flight;
+       }
+-      /* if all channels are equally loaded, fall back to round-robin */
+-      if (min_in_flight == max_in_flight)
+-              index = (uint)start % ses->chan_count;
+-
+       server = ses->chans[index].server;
+       spin_unlock(&ses->chan_lock);
diff --git a/queue-6.19/smb-client-fix-oops-due-to-uninitialised-var-in-smb2_unlink.patch b/queue-6.19/smb-client-fix-oops-due-to-uninitialised-var-in-smb2_unlink.patch
new file mode 100644 (file)
index 0000000..a3db03d
--- /dev/null
@@ -0,0 +1,56 @@
+From 048efe129a297256d3c2088cf8d79515ff5ec864 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@manguebit.org>
+Date: Thu, 5 Mar 2026 21:57:06 -0300
+Subject: smb: client: fix oops due to uninitialised var in smb2_unlink()
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+commit 048efe129a297256d3c2088cf8d79515ff5ec864 upstream.
+
+If SMB2_open_init() or SMB2_close_init() fails (e.g. reconnect), the
+iovs set @rqst will be left uninitialised, hence calling
+SMB2_open_free(), SMB2_close_free() or smb2_set_related() on them will
+oops.
+
+Fix this by initialising @close_iov and @open_iov before setting them
+in @rqst.
+
+Reported-by: Thiago Becker <tbecker@redhat.com>
+Fixes: 1cf9f2a6a544 ("smb: client: handle unlink(2) of files open by different clients")
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Cc: David Howells <dhowells@redhat.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2inode.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/smb2inode.c
++++ b/fs/smb/client/smb2inode.c
+@@ -1208,6 +1208,7 @@ again:
+       memset(resp_buftype, 0, sizeof(resp_buftype));
+       memset(rsp_iov, 0, sizeof(rsp_iov));
++      memset(open_iov, 0, sizeof(open_iov));
+       rqst[0].rq_iov = open_iov;
+       rqst[0].rq_nvec = ARRAY_SIZE(open_iov);
+@@ -1232,14 +1233,15 @@ again:
+       creq = rqst[0].rq_iov[0].iov_base;
+       creq->ShareAccess = FILE_SHARE_DELETE_LE;
++      memset(&close_iov, 0, sizeof(close_iov));
+       rqst[1].rq_iov = &close_iov;
+       rqst[1].rq_nvec = 1;
+       rc = SMB2_close_init(tcon, server, &rqst[1],
+                            COMPOUND_FID, COMPOUND_FID, false);
+-      smb2_set_related(&rqst[1]);
+       if (rc)
+               goto err_free;
++      smb2_set_related(&rqst[1]);
+       if (retries) {
+               for (int i = 0; i < ARRAY_SIZE(rqst);  i++)
diff --git a/queue-6.19/squashfs-check-metadata-block-offset-is-within-range.patch b/queue-6.19/squashfs-check-metadata-block-offset-is-within-range.patch
new file mode 100644 (file)
index 0000000..6a3511c
--- /dev/null
@@ -0,0 +1,46 @@
+From fdb24a820a5832ec4532273282cbd4f22c291a0d Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Tue, 17 Feb 2026 05:09:55 +0000
+Subject: Squashfs: check metadata block offset is within range
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+commit fdb24a820a5832ec4532273282cbd4f22c291a0d upstream.
+
+Syzkaller reports a "general protection fault in squashfs_copy_data"
+
+This is ultimately caused by a corrupted index look-up table, which
+produces a negative metadata block offset.
+
+This is subsequently passed to squashfs_copy_data (via
+squashfs_read_metadata) where the negative offset causes an out of bounds
+access.
+
+The fix is to check that the offset is within range in
+squashfs_read_metadata.  This will trap this and other cases.
+
+Link: https://lkml.kernel.org/r/20260217050955.138351-1-phillip@squashfs.org.uk
+Fixes: f400e12656ab ("Squashfs: cache operations")
+Reported-by: syzbot+a9747fe1c35a5b115d3f@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/699234e2.a70a0220.2c38d7.00e2.GAE@google.com/
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/squashfs/cache.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/squashfs/cache.c
++++ b/fs/squashfs/cache.c
+@@ -344,6 +344,9 @@ int squashfs_read_metadata(struct super_
+       if (unlikely(length < 0))
+               return -EIO;
++      if (unlikely(*offset < 0 || *offset >= SQUASHFS_METADATA_SIZE))
++              return -EIO;
++
+       while (length) {
+               entry = squashfs_cache_get(sb, msblk->block_cache, *block, 0);
+               if (entry->error) {
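Review bot: The new range check in squashfs_read_metadata() returns -EIO with no comment on where an out-of-range `*offset` comes from, so a later reader cannot tell that it guards against on-disk corruption rather than a caller bug. I would add `/* *offset is derived from on-disk index tables; reject anything outside one metadata block */` above the `if`. The rest of the function, including how `*offset` is advanced inside the `while (length)` loop, is outside the hunk, so whether later values need the same bound cannot be judged from here.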
diff --git a/queue-6.19/tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch b/queue-6.19/tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch
new file mode 100644 (file)
index 0000000..b7bf4b2
--- /dev/null
@@ -0,0 +1,111 @@
+From e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e Mon Sep 17 00:00:00 2001
+From: Qing Wang <wangqing7171@gmail.com>
+Date: Fri, 27 Feb 2026 10:58:42 +0800
+Subject: tracing: Fix WARN_ON in tracing_buffers_mmap_close
+
+From: Qing Wang <wangqing7171@gmail.com>
+
+commit e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e upstream.
+
+When a process forks, the child process copies the parent's VMAs but the
+user_mapped reference count is not incremented. As a result, when both the
+parent and child processes exit, tracing_buffers_mmap_close() is called
+twice. On the second call, user_mapped is already 0, causing the function to
+return -ENODEV and triggering a WARN_ON.
+
+Normally, this isn't an issue as the memory is mapped with VM_DONTCOPY set.
+But this is only a hint, and the application can call
+madvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the
+application does that, it can trigger this issue on fork.
+
+Fix it by incrementing the user_mapped reference count without re-mapping
+the pages in the VMA's open callback.
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Vincent Donnefort <vdonnefort@google.com>
+Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Link: https://patch.msgid.link/20260227025842.1085206-1-wangqing7171@gmail.com
+Fixes: cf9f0f7c4c5bb ("tracing: Allow user-space mapping of the ring-buffer")
+Reported-by: syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=3b5dd2030fe08afdf65d
+Tested-by: syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com
+Signed-off-by: Qing Wang <wangqing7171@gmail.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/ring_buffer.h |    1 +
+ kernel/trace/ring_buffer.c  |   21 +++++++++++++++++++++
+ kernel/trace/trace.c        |   13 +++++++++++++
+ 3 files changed, 35 insertions(+)
+
+--- a/include/linux/ring_buffer.h
++++ b/include/linux/ring_buffer.h
+@@ -248,6 +248,7 @@ int trace_rb_cpu_prepare(unsigned int cp
+ int ring_buffer_map(struct trace_buffer *buffer, int cpu,
+                   struct vm_area_struct *vma);
++void ring_buffer_map_dup(struct trace_buffer *buffer, int cpu);
+ int ring_buffer_unmap(struct trace_buffer *buffer, int cpu);
+ int ring_buffer_map_get_reader(struct trace_buffer *buffer, int cpu);
+ #endif /* _LINUX_RING_BUFFER_H */
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -7292,6 +7292,27 @@ int ring_buffer_map(struct trace_buffer
+       return err;
+ }
++/*
++ * This is called when a VMA is duplicated (e.g., on fork()) to increment
++ * the user_mapped counter without remapping pages.
++ */
++void ring_buffer_map_dup(struct trace_buffer *buffer, int cpu)
++{
++      struct ring_buffer_per_cpu *cpu_buffer;
++
++      if (WARN_ON(!cpumask_test_cpu(cpu, buffer->cpumask)))
++              return;
++
++      cpu_buffer = buffer->buffers[cpu];
++
++      guard(mutex)(&cpu_buffer->mapping_lock);
++
++      if (cpu_buffer->user_mapped)
++              __rb_inc_dec_mapped(cpu_buffer, true);
++      else
++              WARN(1, "Unexpected buffer stat, it should be mapped");
++}
++
+ int ring_buffer_unmap(struct trace_buffer *buffer, int cpu)
+ {
+       struct ring_buffer_per_cpu *cpu_buffer;
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -8999,6 +8999,18 @@ static inline int get_snapshot_map(struc
+ static inline void put_snapshot_map(struct trace_array *tr) { }
+ #endif
++/*
++ * This is called when a VMA is duplicated (e.g., on fork()) to increment
++ * the user_mapped counter without remapping pages.
++ */
++static void tracing_buffers_mmap_open(struct vm_area_struct *vma)
++{
++      struct ftrace_buffer_info *info = vma->vm_file->private_data;
++      struct trace_iterator *iter = &info->iter;
++
++      ring_buffer_map_dup(iter->array_buffer->buffer, iter->cpu_file);
++}
++
+ static void tracing_buffers_mmap_close(struct vm_area_struct *vma)
+ {
+       struct ftrace_buffer_info *info = vma->vm_file->private_data;
+@@ -9018,6 +9030,7 @@ static int tracing_buffers_may_split(str
+ }
+ static const struct vm_operations_struct tracing_buffers_vmops = {
++      .open           = tracing_buffers_mmap_open,
+       .close          = tracing_buffers_mmap_close,
+       .may_split      = tracing_buffers_may_split,
+ };
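Review bot: tracing_buffers_mmap_open() duplicates only the ring buffer's user_mapped count, while the hunk context shows get_snapshot_map()/put_snapshot_map() helpers in the same file. The body of tracing_buffers_mmap_close() is outside the hunk; if it also calls put_snapshot_map(), a VMA duplicated on fork needs a matching get in the open callback, otherwise the second close unbalances that counter the same way it did user_mapped. Separately, the message in ring_buffer_map_dup() reads as a typo and lacks a newline: `WARN(1, "Unexpected buffer state, it should be mapped\n");`.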
diff --git a/queue-6.19/wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch b/queue-6.19/wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch
new file mode 100644 (file)
index 0000000..b74b8af
--- /dev/null
@@ -0,0 +1,57 @@
+From 767d23ade706d5fa51c36168e92a9c5533c351a1 Mon Sep 17 00:00:00 2001
+From: Daniil Dulov <d.dulov@aladdin.ru>
+Date: Wed, 11 Feb 2026 11:20:24 +0300
+Subject: wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
+
+From: Daniil Dulov <d.dulov@aladdin.ru>
+
+commit 767d23ade706d5fa51c36168e92a9c5533c351a1 upstream.
+
+There is a use-after-free error in cfg80211_shutdown_all_interfaces found
+by syzkaller:
+
+BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220
+Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326
+CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+Workqueue: events cfg80211_rfkill_block_work
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x116/0x1f0
+ print_report+0xcd/0x630
+ kasan_report+0xe0/0x110
+ cfg80211_shutdown_all_interfaces+0x213/0x220
+ cfg80211_rfkill_block_work+0x1e/0x30
+ process_one_work+0x9cf/0x1b70
+ worker_thread+0x6c8/0xf10
+ kthread+0x3c5/0x780
+ ret_from_fork+0x56d/0x700
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+The problem arises due to the rfkill_block work is not cancelled when wiphy
+is being unregistered. In order to fix the issue cancel the corresponding
+work in wiphy_unregister().
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 1f87f7d3a3b4 ("cfg80211: add rfkill support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
+Link: https://patch.msgid.link/20260211082024.1967588-1-d.dulov@aladdin.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/core.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -1210,6 +1210,7 @@ void wiphy_unregister(struct wiphy *wiph
+       /* this has nothing to do now but make sure it's gone */
+       cancel_work_sync(&rdev->wiphy_work);
++      cancel_work_sync(&rdev->rfkill_block);
+       cancel_work_sync(&rdev->conn_work);
+       flush_work(&rdev->event_work);
+       cancel_delayed_work_sync(&rdev->dfs_update_channels_wk);
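Review bot: The added `cancel_work_sync(&rdev->rfkill_block);` closes the use-after-free only if nothing can queue rfkill_block again after this point, and the hunk does not show where rfkill is unregistered. wiphy_unregister() starts and ends outside the hunk, so please confirm that the rfkill unregistration precedes this line. The existing comment above refers to wiphy_work only; a short comment on the new line such as `/* rfkill may have queued a block request; it must not run after rdev is freed */` would record why it is here.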
diff --git a/queue-6.19/wifi-libertas-fix-use-after-free-in-lbs_free_adapter.patch b/queue-6.19/wifi-libertas-fix-use-after-free-in-lbs_free_adapter.patch
new file mode 100644 (file)
index 0000000..9a18687
--- /dev/null
@@ -0,0 +1,54 @@
+From 03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0 Mon Sep 17 00:00:00 2001
+From: Daniel Hodges <git@danielhodges.dev>
+Date: Fri, 6 Feb 2026 14:53:56 -0500
+Subject: wifi: libertas: fix use-after-free in lbs_free_adapter()
+
+From: Daniel Hodges <git@danielhodges.dev>
+
+commit 03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0 upstream.
+
+The lbs_free_adapter() function uses timer_delete() (non-synchronous)
+for both command_timer and tx_lockup_timer before the structure is
+freed. This is incorrect because timer_delete() does not wait for
+any running timer callback to complete.
+
+If a timer callback is executing when lbs_free_adapter() is called,
+the callback will access freed memory since lbs_cfg_free() frees the
+containing structure immediately after lbs_free_adapter() returns.
+
+Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler)
+access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields,
+which would all be use-after-free violations.
+
+Use timer_delete_sync() instead to ensure any running timer callback
+has completed before returning.
+
+This bug was introduced in commit 8f641d93c38a ("libertas: detect TX
+lockups and reset hardware") where del_timer() was used instead of
+del_timer_sync() in the cleanup path. The command_timer has had the
+same issue since the driver was first written.
+
+Fixes: 8f641d93c38a ("libertas: detect TX lockups and reset hardware")
+Fixes: 954ee164f4f4 ("[PATCH] libertas: reorganize and simplify init sequence")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Hodges <git@danielhodges.dev>
+Link: https://patch.msgid.link/20260206195356.15647-1-git@danielhodges.dev
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/marvell/libertas/main.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/marvell/libertas/main.c
++++ b/drivers/net/wireless/marvell/libertas/main.c
+@@ -799,8 +799,8 @@ static void lbs_free_adapter(struct lbs_
+ {
+       lbs_free_cmd_buffer(priv);
+       kfifo_free(&priv->event_fifo);
+-      timer_delete(&priv->command_timer);
+-      timer_delete(&priv->tx_lockup_timer);
++      timer_delete_sync(&priv->command_timer);
++      timer_delete_sync(&priv->tx_lockup_timer);
+ }
+ static const struct net_device_ops lbs_netdev_ops = {
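Review bot: In lbs_free_adapter() the two `timer_delete_sync()` calls still run after `lbs_free_cmd_buffer(priv);` and `kfifo_free(&priv->event_fifo);`, so a callback that is executing when teardown starts can still run against the command buffers and event fifo while they are being freed. The commit description says both handlers touch priv->cur_cmd; the handlers themselves are outside the hunk, so this is inferred. Moving the two timer lines to the top of the function closes that window. If either timer can be re-armed from another path during teardown, `timer_shutdown_sync()` would also block re-arming.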
diff --git a/queue-6.19/wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch b/queue-6.19/wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch
new file mode 100644 (file)
index 0000000..0305cfb
--- /dev/null
@@ -0,0 +1,38 @@
+From 162d331d833dc73a3e905a24c44dd33732af1fc5 Mon Sep 17 00:00:00 2001
+From: Ariel Silver <arielsilver77@gmail.com>
+Date: Fri, 20 Feb 2026 10:11:29 +0000
+Subject: wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration
+
+From: Ariel Silver <arielsilver77@gmail.com>
+
+commit 162d331d833dc73a3e905a24c44dd33732af1fc5 upstream.
+
+link_id is taken from the ML Reconfiguration element (control & 0x000f),
+so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS
+(15) elements, so index 15 is out-of-bounds. Skip subelements with
+link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds
+write.
+
+Fixes: 8eb8dd2ffbbb ("wifi: mac80211: Support link removal using Reconfiguration ML element")
+Reported-by: Ariel Silver <arielsilver77@gmail.com>
+Signed-off-by: Ariel Silver <arielsilver77@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260220101129.1202657-1-Ariel.Silver@cybereason.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mlme.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -6975,6 +6975,9 @@ static void ieee80211_ml_reconfiguration
+               control = le16_to_cpu(prof->control);
+               link_id = control & IEEE80211_MLE_STA_RECONF_CONTROL_LINK_ID;
++              if (link_id >= IEEE80211_MLD_MAX_NUM_LINKS)
++                      continue;
++
+               removed_links |= BIT(link_id);
+               /* the MAC address should not be included, but handle it */
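Review bot: The new `if (link_id >= IEEE80211_MLD_MAX_NUM_LINKS) continue;` in ieee80211_ml_reconfiguration() has no comment saying that link_id is a 4-bit field taken from a received element and can therefore exceed the number of links. I would add `/* link ID field is 4 bits wide, but only IEEE80211_MLD_MAX_NUM_LINKS links exist */` above the check so the bound is not mistaken for dead code. The array write the commit description refers to, and the rest of the loop, are outside the hunk.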
diff --git a/queue-6.19/wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch b/queue-6.19/wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch
new file mode 100644 (file)
index 0000000..7fdd7a0
--- /dev/null
@@ -0,0 +1,63 @@
+From 017c1792525064a723971f0216e6ef86a8c7af11 Mon Sep 17 00:00:00 2001
+From: Vahagn Vardanian <vahagn@redrays.io>
+Date: Mon, 23 Feb 2026 00:00:00 +0000
+Subject: wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
+
+From: Vahagn Vardanian <vahagn@redrays.io>
+
+commit 017c1792525064a723971f0216e6ef86a8c7af11 upstream.
+
+In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced
+at lines 1638 and 1642 without a prior NULL check:
+
+    ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
+    ...
+    pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);
+
+The mesh_matches_local() check above only validates the Mesh ID,
+Mesh Configuration, and Supported Rates IEs.  It does not verify the
+presence of the Mesh Channel Switch Parameters IE (element ID 118).
+When a received CSA action frame omits that IE, ieee802_11_parse_elems()
+leaves elems->mesh_chansw_params_ie as NULL, and the unconditional
+dereference causes a kernel NULL pointer dereference.
+
+A remote mesh peer with an established peer link (PLINK_ESTAB) can
+trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame
+that includes a matching Mesh ID and Mesh Configuration IE but omits the
+Mesh Channel Switch Parameters IE.  No authentication beyond the default
+open mesh peering is required.
+
+Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:
+
+  BUG: kernel NULL pointer dereference, address: 0000000000000000
+  Oops: Oops: 0000 [#1] SMP NOPTI
+  RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]
+  CR2: 0000000000000000
+
+Fix by adding a NULL check for mesh_chansw_params_ie after
+mesh_matches_local() returns, consistent with how other optional IEs
+are guarded throughout the mesh code.
+
+The bug has been present since v3.13 (released 2014-01-19).
+
+Fixes: 8f2535b92d68 ("mac80211: process the CSA frame for mesh accordingly")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vahagn Vardanian <vahagn@redrays.io>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mesh.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -1636,6 +1636,9 @@ static void mesh_rx_csa_frame(struct iee
+       if (!mesh_matches_local(sdata, elems))
+               goto free;
++      if (!elems->mesh_chansw_params_ie)
++              goto free;
++
+       ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
+       if (!--ifmsh->chsw_ttl)
+               fwd_csa = false;
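Review bot: The added NULL check in mesh_rx_csa_frame() validates that the Mesh Channel Switch Parameters IE is present but not the TTL it carries. On the next lines `ifmsh->chsw_ttl` is assigned from the frame and pre-decremented, so a received mesh_ttl of 0 yields a non-zero value and `fwd_csa` stays true. If a zero TTL should stop forwarding, test the value before the decrement, for example `if (!ifmsh->chsw_ttl || !--ifmsh->chsw_ttl)`. The declaration of chsw_ttl and the forwarding code are outside the hunk, so the downstream effect is not visible here.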
diff --git a/queue-6.19/wifi-radiotap-reject-radiotap-with-unknown-bits.patch b/queue-6.19/wifi-radiotap-reject-radiotap-with-unknown-bits.patch
new file mode 100644 (file)
index 0000000..8416e5f
--- /dev/null
@@ -0,0 +1,51 @@
+From c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 17 Feb 2026 13:05:26 +0100
+Subject: wifi: radiotap: reject radiotap with unknown bits
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 upstream.
+
+The radiotap parser is currently only used with the radiotap
+namespace (not with vendor namespaces), but if the undefined
+field 18 is used, the alignment/size is unknown as well. In
+this case, iterator->_next_ns_data isn't initialized (it's
+only set for skipping vendor namespaces), and syzbot points
+out that we later compare against this uninitialized value.
+
+Fix this by moving the rejection of unknown radiotap fields
+down to after the in-namespace lookup, so it will really use
+iterator->_next_ns_data only for vendor namespaces, even in
+case undefined fields are present.
+
+Cc: stable@vger.kernel.org
+Fixes: 33e5a2f776e3 ("wireless: update radiotap parser")
+Reported-by: syzbot+b09c1af8764c0097bb19@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/69944a91.a70a0220.2c38d7.00fc.GAE@google.com
+Link: https://patch.msgid.link/20260217120526.162647-2-johannes@sipsolutions.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/radiotap.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/radiotap.c
++++ b/net/wireless/radiotap.c
+@@ -239,14 +239,14 @@ int ieee80211_radiotap_iterator_next(
+               default:
+                       if (!iterator->current_namespace ||
+                           iterator->_arg_index >= iterator->current_namespace->n_bits) {
+-                              if (iterator->current_namespace == &radiotap_ns)
+-                                      return -ENOENT;
+                               align = 0;
+                       } else {
+                               align = iterator->current_namespace->align_size[iterator->_arg_index].align;
+                               size = iterator->current_namespace->align_size[iterator->_arg_index].size;
+                       }
+                       if (!align) {
++                              if (iterator->current_namespace == &radiotap_ns)
++                                      return -ENOENT;
+                               /* skip all subsequent data */
+                               iterator->_arg = iterator->_next_ns_data;
+                               /* give up on this namespace */
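Review bot: After the move, the `-ENOENT` return inside `if (!align)` is what keeps `iterator->_next_ns_data` from being read in the radiotap namespace, but nothing in the code says so. A comment on the moved check, e.g. `/* _next_ns_data is only set while skipping a vendor namespace */`, would stop a later cleanup from hoisting it back into the lookup branch. ieee80211_radiotap_iterator_next() begins and ends outside the hunk.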
diff --git a/queue-6.19/x86-boot-handle-relative-config_efi_sbat_file-file-paths.patch b/queue-6.19/x86-boot-handle-relative-config_efi_sbat_file-file-paths.patch
new file mode 100644 (file)
index 0000000..93301bf
--- /dev/null
@@ -0,0 +1,41 @@
+From 3d1973a0c76a78a4728cff13648a188ed486cf44 Mon Sep 17 00:00:00 2001
+From: Jan Stancek <jstancek@redhat.com>
+Date: Wed, 25 Feb 2026 20:30:23 +0100
+Subject: x86/boot: Handle relative CONFIG_EFI_SBAT_FILE file paths
+
+From: Jan Stancek <jstancek@redhat.com>
+
+commit 3d1973a0c76a78a4728cff13648a188ed486cf44 upstream.
+
+CONFIG_EFI_SBAT_FILE can be a relative path. When compiling using a different
+output directory (O=) the build currently fails because it can't find the
+filename set in CONFIG_EFI_SBAT_FILE:
+
+  arch/x86/boot/compressed/sbat.S: Assembler messages:
+  arch/x86/boot/compressed/sbat.S:6: Error: file not found: kernel.sbat
+
+Add $(srctree) as include dir for sbat.o.
+
+  [ bp: Massage commit message. ]
+
+Fixes: 61b57d35396a ("x86/efi: Implement support for embedding SBAT data for x86")
+Signed-off-by: Jan Stancek <jstancek@redhat.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Cc: <stable@kernel.org>
+Link: https://patch.msgid.link/f4eda155b0cef91d4d316b4e92f5771cb0aa7187.1772047658.git.jstancek@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/boot/compressed/Makefile |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/boot/compressed/Makefile
++++ b/arch/x86/boot/compressed/Makefile
+@@ -113,6 +113,7 @@ vmlinux-objs-$(CONFIG_EFI_SBAT) += $(obj
+ ifdef CONFIG_EFI_SBAT
+ $(obj)/sbat.o: $(CONFIG_EFI_SBAT_FILE)
++AFLAGS_sbat.o += -I $(srctree)
+ endif
+ $(obj)/vmlinux: $(vmlinux-objs-y) $(vmlinux-libs-y) FORCE
diff --git a/queue-6.19/x86-boot-sev-move-sev-decompressor-variables-into-the-.data-section.patch b/queue-6.19/x86-boot-sev-move-sev-decompressor-variables-into-the-.data-section.patch
new file mode 100644 (file)
index 0000000..a218f4c
--- /dev/null
@@ -0,0 +1,89 @@
+From 4ca191cec17a997d0e3b2cd312f3a884288acc27 Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Wed, 4 Feb 2026 09:01:00 -0600
+Subject: x86/boot/sev: Move SEV decompressor variables into the .data section
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+commit 4ca191cec17a997d0e3b2cd312f3a884288acc27 upstream.
+
+As part of the work to remove the dependency on calling into the decompressor
+code (startup_64()) for a UEFI boot, a call to rmpadjust() was removed from
+sev_enable() in favor of checking the value of the snp_vmpl variable.
+
+When booting through a non-UEFI path and calling startup_64(), the call to
+sev_enable() is performed before the BSS section is zeroed. With the removal
+of the rmpadjust() call and the corresponding check of the return code, the
+snp_vmpl variable is checked.
+
+Since the kernel is running at VMPL0, the snp_vmpl variable will not have been
+set and should be the default value of 0.  However, since the call occurs
+before the BSS is zeroed, the snp_vmpl variable may not actually be zero,
+which will cause the guest boot to fail.
+
+Since the decompressor relocates itself, the BSS would need to be cleared both
+before and after the relocation, but this would, in effect, cause all of the
+changes to BSS variables before relocation to be lost after relocation.
+
+Instead, move the snp_vmpl variable into the .data section so that it is
+initialized and the value made safe during relocation. As a pre-caution
+against future changes, move other SEV-related decompressor variables into the
+.data section, too.
+
+Fixes: 68a501d7fd82 ("x86/boot: Drop redundant RMPADJUST in SEV SVSM presence check")
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+Reviewed-by: Changyuan Lyu <changyuanl@google.com>
+Tested-by: Kevin Hui <kevinhui@meta.com>
+Tested-by: Changyuan Lyu <changyuanl@google.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/5648b7de5b0a5d0dfef3785f9582b718678c6448.1770217260.git.thomas.lendacky@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/boot/compressed/sev.c     | 8 ++++----
+ arch/x86/boot/startup/sev-shared.c | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/boot/compressed/sev.c b/arch/x86/boot/compressed/sev.c
+index c8c1464b3a56..46b54720d91d 100644
+--- a/arch/x86/boot/compressed/sev.c
++++ b/arch/x86/boot/compressed/sev.c
+@@ -28,17 +28,17 @@
+ #include "sev.h"
+ static struct ghcb boot_ghcb_page __aligned(PAGE_SIZE);
+-struct ghcb *boot_ghcb;
++struct ghcb *boot_ghcb __section(".data");
+ #undef __init
+ #define __init
+ #define __BOOT_COMPRESSED
+-u8 snp_vmpl;
+-u16 ghcb_version;
++u8 snp_vmpl __section(".data");
++u16 ghcb_version __section(".data");
+-u64 boot_svsm_caa_pa;
++u64 boot_svsm_caa_pa __section(".data");
+ /* Include code for early handlers */
+ #include "../../boot/startup/sev-shared.c"
+diff --git a/arch/x86/boot/startup/sev-shared.c b/arch/x86/boot/startup/sev-shared.c
+index a0fa8bb2b945..d9ac3a929d33 100644
+--- a/arch/x86/boot/startup/sev-shared.c
++++ b/arch/x86/boot/startup/sev-shared.c
+@@ -31,7 +31,7 @@ static u32 cpuid_std_range_max __ro_after_init;
+ static u32 cpuid_hyp_range_max __ro_after_init;
+ static u32 cpuid_ext_range_max __ro_after_init;
+-bool sev_snp_needs_sfw;
++bool sev_snp_needs_sfw __section(".data");
+ void __noreturn
+ sev_es_terminate(unsigned int set, unsigned int reason)
+-- 
+2.53.0
+
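Review bot: The `__section(".data")` annotations on boot_ghcb, snp_vmpl, ghcb_version, boot_svsm_caa_pa and sev_snp_needs_sfw carry no comment, so the reason lives only in the commit description and the attribute looks removable in a later cleanup. I would add above the first annotated declaration in each file a comment like `/* Keep in .data: read by sev_enable() before .bss is cleared on the non-UEFI boot path */`. That wording follows the description; the boot sequence itself is not visible in these hunks.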
diff --git a/queue-6.19/x86-sev-allow-ibpb-on-entry-feature-for-snp-guests.patch b/queue-6.19/x86-sev-allow-ibpb-on-entry-feature-for-snp-guests.patch
new file mode 100644 (file)
index 0000000..db5ba7d
--- /dev/null
@@ -0,0 +1,72 @@
+From 9073428bb204d921ae15326bb7d4558d9d269aab Mon Sep 17 00:00:00 2001
+From: Kim Phillips <kim.phillips@amd.com>
+Date: Tue, 3 Feb 2026 16:24:03 -0600
+Subject: x86/sev: Allow IBPB-on-Entry feature for SNP guests
+
+From: Kim Phillips <kim.phillips@amd.com>
+
+commit 9073428bb204d921ae15326bb7d4558d9d269aab upstream.
+
+The SEV-SNP IBPB-on-Entry feature does not require a guest-side
+implementation. It was added in Zen5 h/w, after the first SNP Zen
+implementation, and thus was not accounted for when the initial set of SNP
+features were added to the kernel.
+
+In its abundant precaution, commit
+
+  8c29f0165405 ("x86/sev: Add SEV-SNP guest feature negotiation support")
+
+included SEV_STATUS' IBPB-on-Entry bit as a reserved bit, thereby masking
+guests from using the feature.
+
+Allow guests to make use of IBPB-on-Entry when supported by the hypervisor, as
+the bit is now architecturally defined and safe to expose.
+
+Fixes: 8c29f0165405 ("x86/sev: Add SEV-SNP guest feature negotiation support")
+Signed-off-by: Kim Phillips <kim.phillips@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Nikunj A Dadhania <nikunj@amd.com>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: stable@kernel.org
+Link: https://patch.msgid.link/20260203222405.4065706-2-kim.phillips@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/boot/compressed/sev.c   |    1 +
+ arch/x86/coco/sev/core.c         |    1 +
+ arch/x86/include/asm/msr-index.h |    5 ++++-
+ 3 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/boot/compressed/sev.c
++++ b/arch/x86/boot/compressed/sev.c
+@@ -188,6 +188,7 @@ bool sev_es_check_ghcb_fault(unsigned lo
+                                MSR_AMD64_SNP_RESERVED_BIT13 |         \
+                                MSR_AMD64_SNP_RESERVED_BIT15 |         \
+                                MSR_AMD64_SNP_SECURE_AVIC |            \
++                               MSR_AMD64_SNP_RESERVED_BITS19_22 |     \
+                                MSR_AMD64_SNP_RESERVED_MASK)
+ #ifdef CONFIG_AMD_SECURE_AVIC
+--- a/arch/x86/coco/sev/core.c
++++ b/arch/x86/coco/sev/core.c
+@@ -122,6 +122,7 @@ static const char * const sev_status_fea
+       [MSR_AMD64_SNP_VMSA_REG_PROT_BIT]       = "VMSARegProt",
+       [MSR_AMD64_SNP_SMT_PROT_BIT]            = "SMTProt",
+       [MSR_AMD64_SNP_SECURE_AVIC_BIT]         = "SecureAVIC",
++      [MSR_AMD64_SNP_IBPB_ON_ENTRY_BIT]       = "IBPBOnEntry",
+ };
+ /*
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -735,7 +735,10 @@
+ #define MSR_AMD64_SNP_SMT_PROT                BIT_ULL(MSR_AMD64_SNP_SMT_PROT_BIT)
+ #define MSR_AMD64_SNP_SECURE_AVIC_BIT 18
+ #define MSR_AMD64_SNP_SECURE_AVIC     BIT_ULL(MSR_AMD64_SNP_SECURE_AVIC_BIT)
+-#define MSR_AMD64_SNP_RESV_BIT                19
++#define MSR_AMD64_SNP_RESERVED_BITS19_22 GENMASK_ULL(22, 19)
++#define MSR_AMD64_SNP_IBPB_ON_ENTRY_BIT       23
++#define MSR_AMD64_SNP_IBPB_ON_ENTRY   BIT_ULL(MSR_AMD64_SNP_IBPB_ON_ENTRY_BIT)
++#define MSR_AMD64_SNP_RESV_BIT                24
+ #define MSR_AMD64_SNP_RESERVED_MASK   GENMASK_ULL(63, MSR_AMD64_SNP_RESV_BIT)
+ #define MSR_AMD64_SAVIC_CONTROL               0xc0010138
+ #define MSR_AMD64_SAVIC_EN_BIT                0
diff --git a/queue-6.19/xfs-fix-error-pointer-dereference.patch b/queue-6.19/xfs-fix-error-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..6b4222e
--- /dev/null
@@ -0,0 +1,56 @@
+From cddfa648f1ab99e30e91455be19cd5ade26338c2 Mon Sep 17 00:00:00 2001
+From: Ethan Tidmore <ethantidmore06@gmail.com>
+Date: Thu, 19 Feb 2026 21:38:25 -0600
+Subject: xfs: Fix error pointer dereference
+
+From: Ethan Tidmore <ethantidmore06@gmail.com>
+
+commit cddfa648f1ab99e30e91455be19cd5ade26338c2 upstream.
+
+The function try_lookup_noperm() can return an error pointer and is not
+checked for one.
+
+Add checks for error pointer in xrep_adoption_check_dcache() and
+xrep_adoption_zap_dcache().
+
+Detected by Smatch:
+fs/xfs/scrub/orphanage.c:449 xrep_adoption_check_dcache() error:
+'d_child' dereferencing possible ERR_PTR()
+
+fs/xfs/scrub/orphanage.c:485 xrep_adoption_zap_dcache() error:
+'d_child' dereferencing possible ERR_PTR()
+
+Fixes: 73597e3e42b4 ("xfs: ensure dentry consistency when the orphanage adopts a file")
+Cc: stable@vger.kernel.org # v6.16
+Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Reviewed-by: Nirjhar Roy (IBM) <nirjhar.roy.lists@gmail.com>
+Signed-off-by: Carlos Maiolino <cem@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/scrub/orphanage.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/scrub/orphanage.c
++++ b/fs/xfs/scrub/orphanage.c
+@@ -442,6 +442,11 @@ xrep_adoption_check_dcache(
+               return 0;
+       d_child = try_lookup_noperm(&qname, d_orphanage);
++      if (IS_ERR(d_child)) {
++              dput(d_orphanage);
++              return PTR_ERR(d_child);
++      }
++
+       if (d_child) {
+               trace_xrep_adoption_check_child(sc->mp, d_child);
+@@ -479,7 +484,7 @@ xrep_adoption_zap_dcache(
+               return;
+       d_child = try_lookup_noperm(&qname, d_orphanage);
+-      while (d_child != NULL) {
++      while (!IS_ERR_OR_NULL(d_child)) {
+               trace_xrep_adoption_invalidate_child(sc->mp, d_child);
+               ASSERT(d_is_negative(d_child));
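Review bot: In xrep_adoption_zap_dcache() the new `while (!IS_ERR_OR_NULL(d_child))` treats a lookup error exactly like "no more children", so a failed try_lookup_noperm() ends the invalidation quietly, whereas xrep_adoption_check_dcache() returns `PTR_ERR(d_child)`. The visible `return;` suggests this function returns nothing, and the rest of the loop is outside the hunk. If the error cannot be reported, a comment such as `/* a lookup error ends the zap; remaining dentries are left as they are */` would make the asymmetry deliberate.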
diff --git a/queue-6.19/xfs-fix-xfs_group-release-bug-in-xfs_dax_notify_dev_failure.patch b/queue-6.19/xfs-fix-xfs_group-release-bug-in-xfs_dax_notify_dev_failure.patch
new file mode 100644 (file)
index 0000000..b52a672
--- /dev/null
@@ -0,0 +1,46 @@
+From eb8550fb75a875657dc29e3925a40244ec6b6bd6 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <djwong@kernel.org>
+Date: Wed, 18 Feb 2026 15:25:36 -0800
+Subject: xfs: fix xfs_group release bug in xfs_dax_notify_dev_failure
+
+From: Darrick J. Wong <djwong@kernel.org>
+
+commit eb8550fb75a875657dc29e3925a40244ec6b6bd6 upstream.
+
+Chris Mason reports that his AI tools noticed that we were using
+xfs_perag_put and xfs_group_put to release the group reference returned
+by xfs_group_next_range.  However, the iterator function returns an
+object with an active refcount, which means that we must use the correct
+function to release the active refcount, which is _rele.
+
+Cc: <stable@vger.kernel.org> # v6.0
+Fixes: 6f643c57d57c56 ("xfs: implement ->notify_failure() for XFS")
+Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Signed-off-by: Carlos Maiolino <cem@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_notify_failure.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/xfs/xfs_notify_failure.c
++++ b/fs/xfs/xfs_notify_failure.c
+@@ -293,7 +293,7 @@ xfs_dax_notify_dev_failure(
+                       error = xfs_alloc_read_agf(pag, tp, 0, &agf_bp);
+                       if (error) {
+-                              xfs_perag_put(pag);
++                              xfs_perag_rele(pag);
+                               break;
+                       }
+@@ -329,7 +329,7 @@ xfs_dax_notify_dev_failure(
+               if (rtg)
+                       xfs_rtgroup_unlock(rtg, XFS_RTGLOCK_RMAP);
+               if (error) {
+-                      xfs_group_put(xg);
++                      xfs_group_rele(xg);
+                       break;
+               }
+       }