--- /dev/null
+From 40c81856e622a9dc59294a90d169ac07ea25b0b0 Mon Sep 17 00:00:00 2001
+From: David Carlier <devnexen@gmail.com>
+Date: Wed, 20 May 2026 05:49:12 +0100
+Subject: mm/hugetlb: restore reservation on error in hugetlb folio copy paths
+
+From: David Carlier <devnexen@gmail.com>
+
+commit 40c81856e622a9dc59294a90d169ac07ea25b0b0 upstream.
+
+Two sites in mm/hugetlb.c allocate a hugetlb folio via
+alloc_hugetlb_folio() (consuming a VMA reservation) and then call
+copy_user_large_folio(), which became int-returning in commit 1cb9dc4b475c
+("mm: hwpoison: support recovery from HugePage copy-on-write faults") and
+can now fail (e.g. -EHWPOISON on a hwpoisoned source page). On the
+failure path, folio_put() restores the global hugetlb pool count through
+free_huge_folio(), but the per-VMA reservation map entry is left marked
+consumed:
+
+ - hugetlb_mfill_atomic_pte() resubmission path (UFFDIO_COPY)
+ - copy_hugetlb_page_range() fork-time CoW path when
+ hugetlb_try_dup_anon_rmap() fails (rare: pinned hugetlb anon
+ folio under fork)
+
+User-visible effect: on UFFDIO_COPY into a private hugetlb VMA where the
+resubmission copy fails, the reservation for that address is leaked from
+the VMA's reserve map. A subsequent fault at the same address takes the
+no-reservation path, and under hugetlb pool pressure the task is SIGBUSed
+at an address it had previously reserved. The fork-time CoW path leaks
+the same way in the child VMA's reserve map, though it requires the much
+rarer combination of pinned hugetlb anon page + hwpoisoned source.
+
+Add the missing restore_reserve_on_error() call before folio_put() on both
+error paths.
+
+Link: https://lore.kernel.org/20260520044912.6751-1-devnexen@gmail.com
+Fixes: 1cb9dc4b475c ("mm: hwpoison: support recovery from HugePage copy-on-write faults")
+Signed-off-by: David Carlier <devnexen@gmail.com>
+Reviewed-by: Muchun Song <muchun.song@linux.dev>
+Cc: David Hildenbrand <david@kernel.org>
+Cc: Mina Almasry <almasrymina@google.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: yuehaibing <yuehaibing@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hugetlb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -5340,6 +5340,7 @@ again:
+ addr, dst_vma);
+ folio_put(pte_folio);
+ if (ret) {
++ restore_reserve_on_error(h, dst_vma, addr, new_folio);
+ folio_put(new_folio);
+ break;
+ }
+@@ -6639,6 +6640,7 @@ int hugetlb_mfill_atomic_pte(pte_t *dst_
+ folio_put(*foliop);
+ *foliop = NULL;
+ if (ret) {
++ restore_reserve_on_error(h, dst_vma, dst_addr, folio);
+ folio_put(folio);
+ goto out;
+ }
--- /dev/null
+From 5a52c5701a67d5176eb1afbf1bdaf7d6dfeec597 Mon Sep 17 00:00:00 2001
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+Date: Thu, 23 Apr 2026 15:18:55 -0400
+Subject: mmc: core: Fix host controller programming for fixed driver type
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+commit 5a52c5701a67d5176eb1afbf1bdaf7d6dfeec597 upstream.
+
+When using the fixed-emmc-driver-type device tree property, the MMC core
+correctly selects the driver strength for the card but fails to program
+the host controller accordingly. This causes a mismatch where the card
+uses the specified driver type while the host controller defaults to
+Type B (since ios->drv_type remains zero).
+
+Split the driver type programming logic to handle both fixed and dynamic
+driver type selection paths. For fixed driver types, program the host
+controller with the selected drive_strength value. For dynamic selection,
+use the existing drv_type as before.
+
+This ensures both the eMMC device and host controller use matching driver
+strengths, preventing potential signal integrity issues.
+
+Fixes: 6186d06c519e ("mmc: parse new binding for eMMC fixed driver type")
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: Shawn Lin <shawn.lin@rock-chips.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/mmc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -1348,7 +1348,9 @@ static void mmc_select_driver_type(struc
+
+ card->drive_strength = drive_strength;
+
+- if (drv_type)
++ if (fixed_drv_type >= 0 && drive_strength)
++ mmc_set_driver_type(card->host, drive_strength);
++ else if (drv_type)
+ mmc_set_driver_type(card->host, drv_type);
+ }
+
--- /dev/null
+From 1e9a4850afa0ceb63984fb1a9f3e86d0fc4fd18f Mon Sep 17 00:00:00 2001
+From: Heiko Stuebner <heiko@sntech.de>
+Date: Fri, 22 May 2026 20:43:07 +0200
+Subject: mmc: dw_mmc-rockchip: Add missing private data for very old controllers
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+commit 1e9a4850afa0ceb63984fb1a9f3e86d0fc4fd18f upstream.
+
+The really old controllers (rk2928, rk3066, rk3188) do not support UHS
+speeds at all, and thus never handled phase data.
+
+For that reason it never had a parse_dt callback and no driver private
+data at all.
+
+Commit ff6f0286c896 ("mmc: dw_mmc-rockchip: Add memory clock auto-gating
+support") makes the private data sort of mandatory, because the init
+function checks whether phases are configured internally or through the
+clock controller.
+
+This results in the old SoCs then experiencing NULL-pointer dereferences
+when they try to access that private-data struct.
+
+While we could have if (priv) conditionals in all places, it's way less
+cluttery to just give the old types their private-data struct.
+
+Fixes: ff6f0286c896 ("mmc: dw_mmc-rockchip: Add memory clock auto-gating support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Acked-by: Shawn Lin <shawn.lin@rock-chips.com>
+Signed-off-by: Ulf Hansson <ulfh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/dw_mmc-rockchip.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/drivers/mmc/host/dw_mmc-rockchip.c
++++ b/drivers/mmc/host/dw_mmc-rockchip.c
+@@ -433,6 +433,22 @@ static int dw_mci_common_parse_dt(struct
+ return 0;
+ }
+
++static int dw_mci_rk2928_parse_dt(struct dw_mci *host)
++{
++ struct dw_mci_rockchip_priv_data *priv;
++ int err;
++
++ err = dw_mci_common_parse_dt(host);
++ if (err)
++ return err;
++
++ priv = host->priv;
++
++ priv->internal_phase = false;
++
++ return 0;
++}
++
+ static int dw_mci_rk3288_parse_dt(struct dw_mci *host)
+ {
+ struct dw_mci_rockchip_priv_data *priv;
+@@ -506,6 +522,7 @@ static int dw_mci_rockchip_init(struct d
+
+ static const struct dw_mci_drv_data rk2928_drv_data = {
+ .init = dw_mci_rockchip_init,
++ .parse_dt = dw_mci_rk2928_parse_dt,
+ };
+
+ static const struct dw_mci_drv_data rk3288_drv_data = {
--- /dev/null
+From 99982b743e5ba72bd1f5de0e03e3b96ae70b1e51 Mon Sep 17 00:00:00 2001
+From: Inochi Amaoto <inochiama@gmail.com>
+Date: Thu, 21 May 2026 15:21:21 +0800
+Subject: mmc: litex_mmc: Set mandatory idle clocks before CMD0
+
+From: Inochi Amaoto <inochiama@gmail.com>
+
+commit 99982b743e5ba72bd1f5de0e03e3b96ae70b1e51 upstream.
+
+The litex_mmc driver assumes the card is already probed in the BIOS
+and skip the phy initialization. This will cause the command fail
+like the following when the old card is unplugged and then insert
+a new card:
+
+[ 62.923593] litex-mmc f0004000.mmc: Command (cmd 8) error, status -110
+[ 62.949717] litex-mmc f0004000.mmc: Command (cmd 55) error, status -110
+[ 62.976606] litex-mmc f0004000.mmc: Command (cmd 55) error, status -110
+[ 63.002516] litex-mmc f0004000.mmc: Command (cmd 55) error, status -110
+[ 63.028442] litex-mmc f0004000.mmc: Command (cmd 55) error, status -110
+
+Add required clock settings and initialization for the CMD 0, so it can
+probe the new card.
+
+Fixes: 92e099104729 ("mmc: Add driver for LiteX's LiteSDCard interface")
+Signed-off-by: Inochi Amaoto <inochiama@gmail.com>
+Reviewed-by: Gabriel Somlo <gsomlo@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulfh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/litex_mmc.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/mmc/host/litex_mmc.c
++++ b/drivers/mmc/host/litex_mmc.c
+@@ -69,6 +69,9 @@
+ #define SD_SLEEP_US 5
+ #define SD_TIMEOUT_US 20000
+
++#define SD_INIT_DELAY_US 1000
++#define SD_INIT_CLK_HZ 400000
++
+ #define SDIRQ_CARD_DETECT 1
+ #define SDIRQ_SD_TO_MEM_DONE 2
+ #define SDIRQ_MEM_TO_SD_DONE 4
+@@ -450,6 +453,17 @@ static void litex_mmc_set_ios(struct mmc
+ struct litex_mmc_host *host = mmc_priv(mmc);
+
+ /*
++ * The SD specification requires at least 74 idle clocks before CMD0.
++ * These dummy cycles is generated by writing LITEX_PHY_INITIALIZE.
++ */
++ if (ios->chip_select == MMC_CS_HIGH) {
++ litex_mmc_setclk(host, SD_INIT_CLK_HZ);
++ litex_write8(host->sdphy + LITEX_PHY_INITIALIZE, 1);
++ fsleep(SD_INIT_DELAY_US);
++ return;
++ }
++
++ /*
+ * NOTE: Ignore any ios->bus_width updates; they occur right after
+ * the mmc core sends its own acmd6 bus-width change notification,
+ * which is redundant since we snoop on the command flow and inject
--- /dev/null
+From f48ee49726ee4ab545fd2dc644f169c0809b19b3 Mon Sep 17 00:00:00 2001
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Date: Tue, 19 May 2026 14:53:40 +0100
+Subject: mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+commit f48ee49726ee4ab545fd2dc644f169c0809b19b3 upstream.
+
+The RZ/G2H (R8A774E1) SoC was previously handled via the generic
+"renesas,rcar-gen3-sdhi" fallback compatible string. However, because
+the SDHI IP on RZ/G2H is identical with the R-Car H3-N (R8A77951), it
+requires the specific quirks and configuration defined in
+`of_r8a7795_compatible` rather than the generic Gen3 data.
+
+Add the explicit "renesas,sdhi-r8a774e1" match entry to map it correctly.
+Note that the DT binding file renesas,sdhi.yaml does not need an update
+as the entry for this SoC is already present.
+
+Fixes: 31941342888d ("arm64: dts: renesas: r8a774e1: Add SDHI nodes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Ulf Hansson <ulfh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/renesas_sdhi_internal_dmac.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c
++++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c
+@@ -278,6 +278,7 @@ static const struct renesas_sdhi_of_data
+ static const struct of_device_id renesas_sdhi_internal_dmac_of_match[] = {
+ { .compatible = "renesas,sdhi-r7s9210", .data = &of_rza2_compatible, },
+ { .compatible = "renesas,sdhi-mmc-r8a77470", .data = &of_rcar_gen3_compatible, },
++ { .compatible = "renesas,sdhi-r8a774e1", .data = &of_r8a7795_compatible, },
+ { .compatible = "renesas,sdhi-r8a7795", .data = &of_r8a7795_compatible, },
+ { .compatible = "renesas,sdhi-r8a77961", .data = &of_r8a77961_compatible, },
+ { .compatible = "renesas,sdhi-r8a77965", .data = &of_r8a77965_compatible, },
--- /dev/null
+From f595e8e77a51eee35e331f69321766593a845ef2 Mon Sep 17 00:00:00 2001
+From: Jisheng Zhang <jszhang@kernel.org>
+Date: Sun, 24 May 2026 10:34:55 +0800
+Subject: mmc: sdhci: add signal voltage switch in sdhci_resume_host
+
+From: Jisheng Zhang <jszhang@kernel.org>
+
+commit f595e8e77a51eee35e331f69321766593a845ef2 upstream.
+
+I met one suspend/resume issue with sdr104 capable sdio wifi card (with
+"keep-power-in-suspend" set in DT property):
+After resuming from suspend to ram, the sdio wifi card stops working.
+Further debug shows that although ios shows the sdio card is at sdr104
+mode, the voltage is still at 3V3. This is due to missing the calling
+of ->start_signal_voltage_switch() in sdhci_resume_host().
+
+Fix this issue by adding ->start_signal_voltage_switch() in
+sdhci_resume_host(). This also matches what we do for
+sdhci_runtime_resume_host().
+
+Then the question is: why this issue hasn't reported and fixed for so
+long time. IMHO, several reasons: Some host controllers just kick off
+the runtime resume for system resume, so they benefit from the well
+supported runtime pm code; Some platforms just use the old sdio wifi
+card which doesn't need signal voltage switch at all, the default
+voltage is 3v3 after resuming.
+
+Fixes: 6308d2905bd3 ("mmc: sdhci: add quirk for keeping card power during suspend")
+Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulfh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -3782,6 +3782,7 @@ int sdhci_resume_host(struct sdhci_host
+ host->pwr = 0;
+ host->clock = 0;
+ host->reinit_uhs = true;
++ mmc->ops->start_signal_voltage_switch(mmc, &mmc->ios);
+ mmc->ops->set_ios(mmc, &mmc->ios);
+ } else {
+ sdhci_init(host, (mmc->pm_flags & MMC_PM_KEEP_POWER));
--- /dev/null
+From fba0510cd62666951dcc0221527edc0c47ae6599 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Date: Thu, 21 May 2026 10:36:27 +0200
+Subject: pmdomain: imx: fix OF node refcount
+
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+
+commit fba0510cd62666951dcc0221527edc0c47ae6599 upstream.
+
+for_each_child_of_node_scoped() decrements the reference count of the
+nod after each iteration. Assigning it without incrementing the refcount
+to a dynamically allocated platform device will result in a double put
+in platform_device_release(). Add the missing call to of_node_get().
+
+Cc: stable@vger.kernel.org
+Fixes: 3e4d109ee8fc ("pmdomain: imx: gpc: Simplify with scoped for each OF child loop")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Ulf Hansson <ulfh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pmdomain/imx/gpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pmdomain/imx/gpc.c
++++ b/drivers/pmdomain/imx/gpc.c
+@@ -488,7 +488,7 @@ static int imx_gpc_probe(struct platform
+ domain->ipg_rate_mhz = ipg_rate_mhz;
+
+ pd_pdev->dev.parent = &pdev->dev;
+- pd_pdev->dev.of_node = np;
++ pd_pdev->dev.of_node = of_node_get(np);
+ pd_pdev->dev.fwnode = of_fwnode_handle(np);
+
+ ret = platform_device_add(pd_pdev);
--- /dev/null
+From 9fc237f8d49f06d05f0f8e80361047b718894e81 Mon Sep 17 00:00:00 2001
+From: Justin Lai <justinlai0215@realtek.com>
+Date: Wed, 3 Jun 2026 14:18:16 +0800
+Subject: rtase: Avoid sleeping in get_stats64()
+
+From: Justin Lai <justinlai0215@realtek.com>
+
+commit 9fc237f8d49f06d05f0f8e80361047b718894e81 upstream.
+
+The .ndo_get_stats64 callback must not sleep because it can be
+called when reading /proc/net/dev.
+
+rtase_get_stats64() calls rtase_dump_tally_counter(), which polls
+the tally counter dump bit with read_poll_timeout(). This may
+sleep while waiting for the hardware counter dump to complete.
+
+Use read_poll_timeout_atomic() instead to avoid sleeping in the
+get_stats64() path.
+
+Fixes: 079600489960 ("rtase: Implement net_device_ops")
+Cc: stable@vger.kernel.org
+Signed-off-by: Justin Lai <justinlai0215@realtek.com>
+Link: https://patch.msgid.link/20260603061816.31356-1-justinlai0215@realtek.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/rtase/rtase_main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/rtase/rtase_main.c
++++ b/drivers/net/ethernet/realtek/rtase/rtase_main.c
+@@ -1548,8 +1548,9 @@ static void rtase_dump_tally_counter(con
+ rtase_w32(tp, RTASE_DTCCR0, cmd);
+ rtase_w32(tp, RTASE_DTCCR0, cmd | RTASE_COUNTER_DUMP);
+
+- err = read_poll_timeout(rtase_r32, val, !(val & RTASE_COUNTER_DUMP),
+- 10, 250, false, tp, RTASE_DTCCR0);
++ err = read_poll_timeout_atomic(rtase_r32, val,
++ !(val & RTASE_COUNTER_DUMP),
++ 10, 250, false, tp, RTASE_DTCCR0);
+
+ if (err == -ETIMEDOUT)
+ netdev_err(tp->dev, "error occurred in dump tally counter\n");
--- /dev/null
+From ab1ecaabe74b7d86c38ab2ab44bd56cdcc33645a Mon Sep 17 00:00:00 2001
+From: Justin Lai <justinlai0215@realtek.com>
+Date: Tue, 2 Jun 2026 19:46:59 +0800
+Subject: rtase: Reset TX subqueue when clearing TX ring
+
+From: Justin Lai <justinlai0215@realtek.com>
+
+commit ab1ecaabe74b7d86c38ab2ab44bd56cdcc33645a upstream.
+
+rtase_tx_clear() clears the TX ring and resets the ring indexes.
+However, the TX queue state and BQL accounting are not reset at
+the same time.
+
+This may leave __QUEUE_STATE_STACK_XOFF asserted after
+rtase_sw_reset(), preventing new TX packets from being scheduled.
+
+Reset the TX subqueue when clearing the TX ring so the TX queue
+state and BQL accounting are restored together.
+
+Fixes: 5a2a2f15244c ("rtase: Implement the rtase_down function")
+Cc: stable@vger.kernel.org
+Signed-off-by: Justin Lai <justinlai0215@realtek.com>
+Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Link: https://patch.msgid.link/20260602114659.12335-1-justinlai0215@realtek.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/rtase/rtase_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/realtek/rtase/rtase_main.c b/drivers/net/ethernet/realtek/rtase/rtase_main.c
+index ef13109c49cf..6ccbefb5acf2 100644
+--- a/drivers/net/ethernet/realtek/rtase/rtase_main.c
++++ b/drivers/net/ethernet/realtek/rtase/rtase_main.c
+@@ -239,6 +239,8 @@ static void rtase_tx_clear(struct rtase_private *tp)
+ rtase_tx_clear_range(ring, ring->dirty_idx, RTASE_NUM_DESC);
+ ring->cur_idx = 0;
+ ring->dirty_idx = 0;
++
++ netdev_tx_reset_subqueue(tp->dev, i);
+ }
+ }
+
+--
+2.54.0
+
--- /dev/null
+From 5eba3e48d78edd7551b992cb7ba687019b3a78da Mon Sep 17 00:00:00 2001
+From: Zhao Zhang <zzhan461@ucr.edu>
+Date: Sat, 30 May 2026 23:57:14 +0800
+Subject: sctp: diag: reject stale associations in dump_one path
+
+From: Zhao Zhang <zzhan461@ucr.edu>
+
+commit 5eba3e48d78edd7551b992cb7ba687019b3a78da upstream.
+
+The SCTP exact sock_diag lookup can hold a transport reference, block on
+lock_sock(sk), and then resume after sctp_association_free() has marked
+the association dead and freed its bind address list.
+
+When that happens, inet_assoc_attr_size() and
+inet_diag_msg_sctpasoc_fill() can still dereference association state
+that is no longer valid for reporting. In particular,
+inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a
+real sctp_sockaddr_entry and trigger an out-of-bounds read from
+unrelated association memory.
+
+Reject the association after taking the socket lock if it has been
+reaped or detached from the endpoint, and report the lookup as stale.
+This keeps the exact dump-one path from formatting torn association
+state.
+
+Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Zhao Zhang <zzhan461@ucr.edu>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Acked-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/fac6043fa20a2ff68e12958c431836f692c51268.1780113823.git.zzhan461@ucr.edu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/diag.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/net/sctp/diag.c
++++ b/net/sctp/diag.c
+@@ -266,15 +266,15 @@ static int sctp_sock_dump_one(struct sct
+
+ lock_sock(sk);
+
+- rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL);
+- if (!rep) {
+- release_sock(sk);
+- return -ENOMEM;
++ if (ep != assoc->ep || assoc->base.dead) {
++ err = -ESTALE;
++ goto out_unlock;
+ }
+
+- if (ep != assoc->ep) {
+- err = -EAGAIN;
+- goto out;
++ rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL);
++ if (!rep) {
++ err = -ENOMEM;
++ goto out_unlock;
+ }
+
+ err = inet_sctp_diag_fill(sk, assoc, rep, req, sk_user_ns(NETLINK_CB(skb).sk),
+@@ -289,8 +289,9 @@ static int sctp_sock_dump_one(struct sct
+ return nlmsg_unicast(sock_net(skb->sk)->diag_nlsk, rep, NETLINK_CB(skb).portid);
+
+ out:
+- release_sock(sk);
+ kfree_skb(rep);
++out_unlock:
++ release_sock(sk);
+ return err;
+ }
+
--- /dev/null
+From a5f8a90ac9f77c678a9781c0a464b635e0d63e49 Mon Sep 17 00:00:00 2001
+From: Wyatt Feng <bronzed_45_vested@icloud.com>
+Date: Fri, 5 Jun 2026 13:53:42 +0800
+Subject: sctp: stream: fully roll back denied add-stream state
+
+From: Wyatt Feng <bronzed_45_vested@icloud.com>
+
+commit a5f8a90ac9f77c678a9781c0a464b635e0d63e49 upstream.
+
+When ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and
+then lowers outcnt. That leaves removed stream metadata behind, so a
+later re-add can reuse a stale ext and hit a null-pointer dereference in
+the scheduler get path.
+
+Fix the rollback by tearing down the removed stream state the same way
+other stream resizes do. Unschedule the current scheduler state, drop
+the removed stream ext state with sctp_stream_outq_migrate(), and then
+reschedule the remaining streams.
+
+This keeps scheduler-private RR/FC/PRIO lists consistent while fully
+rolling back denied outgoing stream additions.
+
+Fixes: 637784ade221 ("sctp: introduce priority based stream scheduler")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Acked-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/d78954ecd94954653ee299400e98d74a03a6f7d3.1780603399.git.bronzed_45_vested@icloud.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/stream.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/stream.c
++++ b/net/sctp/stream.c
+@@ -1038,6 +1038,7 @@ struct sctp_chunk *sctp_process_strreset
+ stsn, rtsn, GFP_ATOMIC);
+ } else if (req->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS) {
+ struct sctp_strreset_addstrm *addstrm;
++ const struct sctp_sched_ops *sched;
+ __u16 number;
+
+ addstrm = (struct sctp_strreset_addstrm *)req;
+@@ -1048,7 +1049,10 @@ struct sctp_chunk *sctp_process_strreset
+ for (i = number; i < stream->outcnt; i++)
+ SCTP_SO(stream, i)->state = SCTP_STREAM_OPEN;
+ } else {
+- sctp_stream_shrink_out(stream, number);
++ sched = sctp_sched_ops_from_stream(stream);
++ sched->unsched_all(stream);
++ sctp_stream_outq_migrate(stream, NULL, number);
++ sched->sched_all(stream);
+ stream->outcnt = number;
+ }
+
octeontx2-af-fix-memory-leak-in-rvu_setup_hw_resources.patch
io_uring-kbuf-don-t-truncate-end-buffer-for-bundles.patch
io_uring-wait-fix-min_timeout-behavior.patch
+mm-hugetlb-restore-reservation-on-error-in-hugetlb-folio-copy-paths.patch
+mmc-core-fix-host-controller-programming-for-fixed-driver-type.patch
+mmc-dw_mmc-rockchip-add-missing-private-data-for-very-old-controllers.patch
+mmc-litex_mmc-set-mandatory-idle-clocks-before-cmd0.patch
+mmc-renesas_sdhi-add-of-entry-for-rz-g2h-soc.patch
+mmc-sdhci-add-signal-voltage-switch-in-sdhci_resume_host.patch
+pmdomain-imx-fix-of-node-refcount.patch
+rtase-avoid-sleeping-in-get_stats64.patch
+rtase-reset-tx-subqueue-when-clearing-tx-ring.patch
+sctp-diag-reject-stale-associations-in-dump_one-path.patch
+sctp-stream-fully-roll-back-denied-add-stream-state.patch
+thunderbolt-reject-zero-length-property-entries-in-validator.patch
+thunderbolt-bound-root-directory-content-to-block-size.patch
+thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch
+thunderbolt-validate-xdomain-request-packet-size-before-type-cast.patch
+thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch
+slimbus-qcom-ngd-ctrl-fix-of-node-refcount.patch
+slimbus-qcom-ngd-ctrl-fix-up-platform_driver-registration.patch
+slimbus-qcom-ngd-ctrl-fix-probe-error-path-ordering.patch
+slimbus-qcom-ngd-ctrl-register-callbacks-after-creating-the-ngd.patch
+slimbus-qcom-ngd-ctrl-initialize-controller-resources-in-controller.patch
+slimbus-qcom-ngd-ctrl-correct-pdr-and-ssr-cleanup-ownership.patch
+slimbus-qcom-ngd-ctrl-balance-pm_runtime-enablement-for-ngd.patch
+slimbus-qcom-ngd-ctrl-avoid-abba-on-tx_lock-ctrl-lock.patch
--- /dev/null
+From 55f2ea9ff83cc27a85526b14bc9b32f96a08d6ec Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Date: Sat, 30 May 2026 21:44:21 +0100
+Subject: slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+commit 55f2ea9ff83cc27a85526b14bc9b32f96a08d6ec upstream.
+
+During the SSR/PDR down notification the tx_lock is taken with the
+intent to provide synchronization with active DMA transfers.
+
+But during this period qcom_slim_ngd_down() is invoked, which ends up in
+slim_report_absent(), which takes the slim_controller lock. In multiple
+other codepaths these two locks are taken in the opposite order (i.e.
+slim_controller then tx_lock).
+
+The result is a lockdep splat, and a possible deadlock:
+
+ rprocctl/449 is trying to acquire lock:
+ ffff00009793e620 (&ctrl->lock){+.+.}-{4:4}, at: slim_report_absent (drivers/slimbus/core.c:322) slimbus
+
+ but task is already holding lock:
+ ffff00009793fb50 (&ctrl->tx_lock){+.+.}-{4:4}, at: qcom_slim_ngd_ssr_pdr_notify (drivers/slimbus/qcom-ngd-ctrl.c:1475) slim_qcom_ngd_ctrl
+
+ which lock already depends on the new lock.
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&ctrl->tx_lock);
+ lock(&ctrl->lock);
+ lock(&ctrl->tx_lock);
+ lock(&ctrl->lock);
+
+The assumption is that the comment refers to the desire to not call
+qcom_slim_ngd_exit_dma() while we have an ongoing DMA TX transaction.
+But any such transaction is initiated and completed within a single
+qcom_slim_ngd_xfer_msg().
+
+Prior to calling qcom_slim_ngd_exit_dma() the slim_controller is torn
+down, all child devices are notified that the slimbus is gone and the
+child devices are removed.
+
+Stop taking the tx_lock in qcom_slim_ngd_ssr_pdr_notify() to avoid the
+deadlock.
+
+Fixes: a899d324863a ("slimbus: qcom-ngd-ctrl: add Sub System Restart support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204421.116824-9-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1471,15 +1471,12 @@ static int qcom_slim_ngd_ssr_pdr_notify(
+ switch (action) {
+ case QCOM_SSR_BEFORE_SHUTDOWN:
+ case SERVREG_SERVICE_STATE_DOWN:
+- /* Make sure the last dma xfer is finished */
+- mutex_lock(&ctrl->tx_lock);
+ if (ctrl->state != QCOM_SLIM_NGD_CTRL_DOWN) {
+ pm_runtime_get_noresume(ctrl->ctrl.dev);
+ ctrl->state = QCOM_SLIM_NGD_CTRL_DOWN;
+ qcom_slim_ngd_down(ctrl);
+ qcom_slim_ngd_exit_dma(ctrl);
+ }
+- mutex_unlock(&ctrl->tx_lock);
+ break;
+ case QCOM_SSR_AFTER_POWERUP:
+ case SERVREG_SERVICE_STATE_UP:
--- /dev/null
+From 6a003446b725c44b9e3ffa111b0effbaa2d43085 Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Date: Sat, 30 May 2026 21:44:20 +0100
+Subject: slimbus: qcom-ngd-ctrl: Balance pm_runtime enablement for NGD
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+commit 6a003446b725c44b9e3ffa111b0effbaa2d43085 upstream.
+
+The pm_runtime_enable() and pm_runtime_use_autosuspend() calls are
+supposed to be balanced on exit, add these calls.
+
+Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204421.116824-8-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1588,8 +1588,11 @@ static int qcom_slim_ngd_probe(struct pl
+ pm_runtime_enable(dev);
+ pm_runtime_get_noresume(dev);
+ ret = qcom_slim_ngd_qmi_svc_event_init(ctrl);
+- if (ret)
++ if (ret) {
+ dev_err(&pdev->dev, "QMI service registration failed:%d", ret);
++ pm_runtime_dont_use_autosuspend(dev);
++ pm_runtime_disable(dev);
++ }
+
+ return ret;
+ }
+@@ -1702,6 +1705,7 @@ static void qcom_slim_ngd_remove(struct
+ {
+ struct qcom_slim_ngd_ctrl *ctrl = platform_get_drvdata(pdev);
+
++ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+ qcom_slim_ngd_enable(ctrl, false);
+ qcom_slim_ngd_exit_dma(ctrl);
--- /dev/null
+From 960b53a3f76fa214c2fc493734ae7b3c5e713bbf Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Date: Sat, 30 May 2026 21:44:17 +0100
+Subject: slimbus: qcom-ngd-ctrl: Correct PDR and SSR cleanup ownership
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+commit 960b53a3f76fa214c2fc493734ae7b3c5e713bbf upstream.
+
+PDR and SSR callbacks are registred from the controller probe function,
+but currently released from the child device's remove function.
+
+The remove() function should only be unwinding what was done in the
+same device's probe() function.
+
+Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204421.116824-5-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1690,6 +1690,9 @@ static void qcom_slim_ngd_ctrl_remove(st
+ {
+ struct qcom_slim_ngd_ctrl *ctrl = platform_get_drvdata(pdev);
+
++ pdr_handle_release(ctrl->pdr);
++ qcom_unregister_ssr_notifier(ctrl->notifier, &ctrl->nb);
++
+ qcom_slim_ngd_unregister(ctrl);
+
+ destroy_workqueue(ctrl->mwq);
+@@ -1700,8 +1703,6 @@ static void qcom_slim_ngd_remove(struct
+ struct qcom_slim_ngd_ctrl *ctrl = platform_get_drvdata(pdev);
+
+ pm_runtime_disable(&pdev->dev);
+- pdr_handle_release(ctrl->pdr);
+- qcom_unregister_ssr_notifier(ctrl->notifier, &ctrl->nb);
+ qcom_slim_ngd_enable(ctrl, false);
+ qcom_slim_ngd_exit_dma(ctrl);
+ qcom_slim_ngd_qmi_svc_event_deinit(&ctrl->qmi);
--- /dev/null
+From 120134fe75c6b0ae38f14eb8b548ad1e5761f912 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Date: Sat, 30 May 2026 21:44:14 +0100
+Subject: slimbus: qcom-ngd-ctrl: fix OF node refcount
+
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+
+commit 120134fe75c6b0ae38f14eb8b548ad1e5761f912 upstream.
+
+Platform devices created with platform_device_alloc() call
+platform_device_release() when the last reference to the device's
+kobject is dropped. This function calls of_node_put() unconditionally.
+This works fine for devices created with platform_device_register_full()
+but users of the split approach (platform_device_alloc() +
+platform_device_add()) must bump the reference of the of_node they
+assign manually. Add the missing call to of_node_get().
+
+Cc: stable@vger.kernel.org
+Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204421.116824-2-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1547,7 +1547,7 @@ static int of_qcom_slim_ngd_register(str
+ of_node_put(node);
+ return ret;
+ }
+- ngd->pdev->dev.of_node = node;
++ ngd->pdev->dev.of_node = of_node_get(node);
+ ctrl->ngd = ngd;
+
+ ret = platform_device_add(ngd->pdev);
--- /dev/null
+From 2c22ff152d380ec3d3af099fa05d0ac5ca9b4c1e Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Date: Sat, 30 May 2026 21:44:16 +0100
+Subject: slimbus: qcom-ngd-ctrl: Fix probe error path ordering
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+commit 2c22ff152d380ec3d3af099fa05d0ac5ca9b4c1e upstream.
+
+qcom_slim_ngd_ctrl_probe() first registers the SSR callback then
+allocates the PDR context, as such the error path needs to come in
+opposite order to allow us to unroll each step.
+
+Fixes: 16f14551d0df ("slimbus: qcom-ngd: cleanup in probe error path")
+Cc: stable@vger.kernel.org
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204421.116824-4-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1666,22 +1666,21 @@ static int qcom_slim_ngd_ctrl_probe(stru
+ if (IS_ERR(ctrl->pdr)) {
+ ret = dev_err_probe(dev, PTR_ERR(ctrl->pdr),
+ "Failed to init PDR handle\n");
+- goto err_pdr_alloc;
++ goto err_unregister_ssr;
+ }
+
+ pds = pdr_add_lookup(ctrl->pdr, "avs/audio", "msm/adsp/audio_pd");
+ if (IS_ERR(pds) && PTR_ERR(pds) != -EALREADY) {
+ ret = dev_err_probe(dev, PTR_ERR(pds), "pdr add lookup failed\n");
+- goto err_pdr_lookup;
++ goto err_pdr_release;
+ }
+
+ return of_qcom_slim_ngd_register(dev, ctrl);
+
+-err_pdr_alloc:
+- qcom_unregister_ssr_notifier(ctrl->notifier, &ctrl->nb);
+-
+-err_pdr_lookup:
++err_pdr_release:
+ pdr_handle_release(ctrl->pdr);
++err_unregister_ssr:
++ qcom_unregister_ssr_notifier(ctrl->notifier, &ctrl->nb);
+
+ return ret;
+ }
--- /dev/null
+From 8663e8334d7b6007f5d8a4e5dd270246f35107a6 Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Date: Sat, 30 May 2026 21:44:15 +0100
+Subject: slimbus: qcom-ngd-ctrl: Fix up platform_driver registration
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+commit 8663e8334d7b6007f5d8a4e5dd270246f35107a6 upstream.
+
+Device drivers should not invoke platform_driver_register()/unregister()
+in their probe and remove paths. They should further not rely on
+platform_driver_unregister() as their only means of "deleting" their
+child devices.
+
+Introduce a helper to unregister the child device and move the
+platform_driver_register()/unregister() to module_init()/exit().
+
+Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204421.116824-3-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 36 +++++++++++++++++++++++++++++++++---
+ 1 file changed, 33 insertions(+), 3 deletions(-)
+
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1566,6 +1566,13 @@ static int of_qcom_slim_ngd_register(str
+ return -ENODEV;
+ }
+
++static void qcom_slim_ngd_unregister(struct qcom_slim_ngd_ctrl *ctrl)
++{
++ struct qcom_slim_ngd *ngd = ctrl->ngd;
++
++ platform_device_del(ngd->pdev);
++}
++
+ static int qcom_slim_ngd_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+@@ -1668,7 +1675,6 @@ static int qcom_slim_ngd_ctrl_probe(stru
+ goto err_pdr_lookup;
+ }
+
+- platform_driver_register(&qcom_slim_ngd_driver);
+ return of_qcom_slim_ngd_register(dev, ctrl);
+
+ err_pdr_alloc:
+@@ -1682,7 +1688,9 @@ err_pdr_lookup:
+
+ static void qcom_slim_ngd_ctrl_remove(struct platform_device *pdev)
+ {
+- platform_driver_unregister(&qcom_slim_ngd_driver);
++ struct qcom_slim_ngd_ctrl *ctrl = platform_get_drvdata(pdev);
++
++ qcom_slim_ngd_unregister(ctrl);
+ }
+
+ static void qcom_slim_ngd_remove(struct platform_device *pdev)
+@@ -1758,6 +1766,28 @@ static struct platform_driver qcom_slim_
+ },
+ };
+
+-module_platform_driver(qcom_slim_ngd_ctrl_driver);
++static int qcom_slim_ngd_init(void)
++{
++ int ret;
++
++ ret = platform_driver_register(&qcom_slim_ngd_driver);
++ if (ret)
++ return ret;
++
++ ret = platform_driver_register(&qcom_slim_ngd_ctrl_driver);
++ if (ret)
++ platform_driver_unregister(&qcom_slim_ngd_driver);
++
++ return ret;
++}
++
++static void qcom_slim_ngd_exit(void)
++{
++ platform_driver_unregister(&qcom_slim_ngd_ctrl_driver);
++ platform_driver_unregister(&qcom_slim_ngd_driver);
++}
++
++module_init(qcom_slim_ngd_init);
++module_exit(qcom_slim_ngd_exit);
+ MODULE_LICENSE("GPL v2");
+ MODULE_DESCRIPTION("Qualcomm SLIMBus NGD controller");
--- /dev/null
+From 07c564ea5fb859b7381429de935d5df4781947c6 Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Date: Sat, 30 May 2026 21:44:19 +0100
+Subject: slimbus: qcom-ngd-ctrl: Initialize controller resources in controller
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+commit 07c564ea5fb859b7381429de935d5df4781947c6 upstream.
+
+The work structs and work queue are controller resources, create and
+destroy them in the controller context. Creating them as part of the
+child device's probe path seems to be okay now that the controller's
+probe has been updated, but if for some reason the child does not probe
+successfully a SSR or PDR notification will schedule_work() on an
+uninitialized "ngd_up_work".
+
+Move the initialization of these controller resources to the controller
+probe function to avoid any issues, and to clarify the ownership.
+
+Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204421.116824-7-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 38 ++++++++++++++++----------------------
+ 1 file changed, 16 insertions(+), 22 deletions(-)
+
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1588,25 +1588,8 @@ static int qcom_slim_ngd_probe(struct pl
+ pm_runtime_enable(dev);
+ pm_runtime_get_noresume(dev);
+ ret = qcom_slim_ngd_qmi_svc_event_init(ctrl);
+- if (ret) {
++ if (ret)
+ dev_err(&pdev->dev, "QMI service registration failed:%d", ret);
+- return ret;
+- }
+-
+- INIT_WORK(&ctrl->m_work, qcom_slim_ngd_master_worker);
+- INIT_WORK(&ctrl->ngd_up_work, qcom_slim_ngd_up_worker);
+- ctrl->mwq = create_singlethread_workqueue("ngd_master");
+- if (!ctrl->mwq) {
+- dev_err(&pdev->dev, "Failed to start master worker\n");
+- ret = -ENOMEM;
+- goto wq_err;
+- }
+-
+- return 0;
+-wq_err:
+- qcom_slim_ngd_qmi_svc_event_deinit(&ctrl->qmi);
+- if (ctrl->mwq)
+- destroy_workqueue(ctrl->mwq);
+
+ return ret;
+ }
+@@ -1659,9 +1642,18 @@ static int qcom_slim_ngd_ctrl_probe(stru
+ init_completion(&ctrl->qmi.qmi_comp);
+ init_completion(&ctrl->qmi_up);
+
++ INIT_WORK(&ctrl->m_work, qcom_slim_ngd_master_worker);
++ INIT_WORK(&ctrl->ngd_up_work, qcom_slim_ngd_up_worker);
++
++ ctrl->mwq = create_singlethread_workqueue("ngd_master");
++ if (!ctrl->mwq)
++ return dev_err_probe(dev, -ENOMEM, "Failed to start master worker\n");
++
+ ctrl->pdr = pdr_handle_alloc(slim_pd_status, ctrl);
+- if (IS_ERR(ctrl->pdr))
+- return dev_err_probe(dev, PTR_ERR(ctrl->pdr), "Failed to init PDR handle\n");
++ if (IS_ERR(ctrl->pdr)) {
++ ret = dev_err_probe(dev, PTR_ERR(ctrl->pdr), "Failed to init PDR handle\n");
++ goto err_destroy_mwq;
++ }
+
+ ret = of_qcom_slim_ngd_register(dev, ctrl);
+ if (ret)
+@@ -1688,6 +1680,8 @@ err_unregister_ngd:
+ qcom_slim_ngd_unregister(ctrl);
+ err_pdr_release:
+ pdr_handle_release(ctrl->pdr);
++err_destroy_mwq:
++ destroy_workqueue(ctrl->mwq);
+
+ return ret;
+ }
+@@ -1697,6 +1691,8 @@ static void qcom_slim_ngd_ctrl_remove(st
+ struct qcom_slim_ngd_ctrl *ctrl = platform_get_drvdata(pdev);
+
+ qcom_slim_ngd_unregister(ctrl);
++
++ destroy_workqueue(ctrl->mwq);
+ }
+
+ static void qcom_slim_ngd_remove(struct platform_device *pdev)
+@@ -1709,8 +1705,6 @@ static void qcom_slim_ngd_remove(struct
+ qcom_slim_ngd_enable(ctrl, false);
+ qcom_slim_ngd_exit_dma(ctrl);
+ qcom_slim_ngd_qmi_svc_event_deinit(&ctrl->qmi);
+- if (ctrl->mwq)
+- destroy_workqueue(ctrl->mwq);
+
+ kfree(ctrl->ngd);
+ ctrl->ngd = NULL;
--- /dev/null
+From 2a9d50e9ea406e0c8735938484adc20515ef1b47 Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Date: Sat, 30 May 2026 21:44:18 +0100
+Subject: slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+commit 2a9d50e9ea406e0c8735938484adc20515ef1b47 upstream.
+
+When the remoteproc starts in parallel with the NGD driver being probed,
+or the remoteproc is already up when the PDR lookup is being registered,
+or in the theoretical event that we get an interrupt from the hardware,
+these callbacks will operate on uninitialized data. This result in
+issues to boot the affected boards.
+
+One such example can be seen in the following fault, where
+qcom_slim_ngd_ssr_pdr_notify() schedules work on the NULL ngd_up_work.
+
+[ 21.858578] ------------[ cut here ]------------
+[ 21.858745] WARNING: kernel/workqueue.c:2338 at __queue_work+0x5e0/0x790, CPU#2: kworker/2:2/116
+...
+[ 21.859251] Call trace:
+[ 21.859255] __queue_work+0x5e0/0x790 (P)
+[ 21.859265] queue_work_on+0x6c/0xf0
+[ 21.859273] qcom_slim_ngd_ssr_pdr_notify+0x110/0x150 [slim_qcom_ngd_ctrl]
+[ 21.859304] qcom_slim_ngd_ssr_notify+0x24/0x40 [slim_qcom_ngd_ctrl]
+[ 21.859318] notifier_call_chain+0xa4/0x230
+[ 21.859329] srcu_notifier_call_chain+0x64/0xb8
+[ 21.859338] ssr_notify_start+0x40/0x78 [qcom_common]
+[ 21.859355] rproc_start+0x130/0x230
+[ 21.859367] rproc_boot+0x3d4/0x518
+...
+
+Move the enablement of interrupts, and the registration of SSR and PDR
+until after the NGD device has been registered.
+
+This could be further refined by moving initialization to the control
+driver probe and by removing the platform driver model from the picture.
+
+Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204421.116824-6-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 47 ++++++++++++++++++++++------------------
+ 1 file changed, 27 insertions(+), 20 deletions(-)
+
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1615,6 +1615,7 @@ static int qcom_slim_ngd_ctrl_probe(stru
+ {
+ struct device *dev = &pdev->dev;
+ struct qcom_slim_ngd_ctrl *ctrl;
++ int irq;
+ int ret;
+ struct pdr_service *pds;
+
+@@ -1628,20 +1629,16 @@ static int qcom_slim_ngd_ctrl_probe(stru
+ if (IS_ERR(ctrl->base))
+ return PTR_ERR(ctrl->base);
+
+- ret = platform_get_irq(pdev, 0);
+- if (ret < 0)
+- return ret;
+-
+- ret = devm_request_irq(dev, ret, qcom_slim_ngd_interrupt,
+- IRQF_TRIGGER_HIGH, "slim-ngd", ctrl);
++ irq = platform_get_irq(pdev, 0);
++ if (irq < 0)
++ return irq;
++
++ ret = devm_request_irq(dev, irq, qcom_slim_ngd_interrupt,
++ IRQF_TRIGGER_HIGH | IRQF_NO_AUTOEN,
++ "slim-ngd", ctrl);
+ if (ret)
+ return dev_err_probe(&pdev->dev, ret, "request IRQ failed\n");
+
+- ctrl->nb.notifier_call = qcom_slim_ngd_ssr_notify;
+- ctrl->notifier = qcom_register_ssr_notifier("lpass", &ctrl->nb);
+- if (IS_ERR(ctrl->notifier))
+- return PTR_ERR(ctrl->notifier);
+-
+ ctrl->dev = dev;
+ ctrl->framer.rootfreq = SLIM_ROOT_FREQ >> 3;
+ ctrl->framer.superfreq =
+@@ -1663,24 +1660,34 @@ static int qcom_slim_ngd_ctrl_probe(stru
+ init_completion(&ctrl->qmi_up);
+
+ ctrl->pdr = pdr_handle_alloc(slim_pd_status, ctrl);
+- if (IS_ERR(ctrl->pdr)) {
+- ret = dev_err_probe(dev, PTR_ERR(ctrl->pdr),
+- "Failed to init PDR handle\n");
+- goto err_unregister_ssr;
+- }
++ if (IS_ERR(ctrl->pdr))
++ return dev_err_probe(dev, PTR_ERR(ctrl->pdr), "Failed to init PDR handle\n");
++
++ ret = of_qcom_slim_ngd_register(dev, ctrl);
++ if (ret)
++ goto err_pdr_release;
+
+ pds = pdr_add_lookup(ctrl->pdr, "avs/audio", "msm/adsp/audio_pd");
+ if (IS_ERR(pds) && PTR_ERR(pds) != -EALREADY) {
+ ret = dev_err_probe(dev, PTR_ERR(pds), "pdr add lookup failed\n");
+- goto err_pdr_release;
++ goto err_unregister_ngd;
+ }
+
+- return of_qcom_slim_ngd_register(dev, ctrl);
++ ctrl->nb.notifier_call = qcom_slim_ngd_ssr_notify;
++ ctrl->notifier = qcom_register_ssr_notifier("lpass", &ctrl->nb);
++ if (IS_ERR(ctrl->notifier)) {
++ ret = PTR_ERR(ctrl->notifier);
++ goto err_unregister_ngd;
++ }
++
++ enable_irq(irq);
++
++ return 0;
+
++err_unregister_ngd:
++ qcom_slim_ngd_unregister(ctrl);
+ err_pdr_release:
+ pdr_handle_release(ctrl->pdr);
+-err_unregister_ssr:
+- qcom_unregister_ssr_notifier(ctrl->notifier, &ctrl->nb);
+
+ return ret;
+ }
--- /dev/null
+From 65423079c7420e3dbf9a7aa345c243a3f5752e5d Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Mon, 25 May 2026 05:28:26 -0400
+Subject: thunderbolt: Bound root directory content to block size
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 65423079c7420e3dbf9a7aa345c243a3f5752e5d upstream.
+
+__tb_property_parse_dir() does not check that content_offset +
+content_len fits within block_len for the root directory case.
+When rootdir->length equals or exceeds block_len - 2, the entry
+loop reads past the allocated property block.
+
+Add a bounds check after computing content_offset and content_len
+to reject directories whose content extends past the block.
+
+Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thunderbolt/property.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/thunderbolt/property.c
++++ b/drivers/thunderbolt/property.c
+@@ -187,6 +187,10 @@ static struct tb_property_dir *__tb_prop
+ if (is_root) {
+ content_offset = dir_offset + 2;
+ content_len = dir_len;
++ if (content_offset + content_len > block_len) {
++ tb_property_free_dir(dir);
++ return NULL;
++ }
+ } else {
+ if (dir_len < 4) {
+ tb_property_free_dir(dir);
--- /dev/null
+From 322e93448d908434ae5545660fcbe8f5a7a8e141 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Mon, 25 May 2026 05:28:27 -0400
+Subject: thunderbolt: Clamp XDomain response data copy to allocation size
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 322e93448d908434ae5545660fcbe8f5a7a8e141 upstream.
+
+tb_xdp_properties_request() derives the per-packet copy length from
+the response header without checking that it fits in the previously
+allocated data buffer. A malicious peer can set its length field
+larger than the declared data_length, causing memcpy to write past
+the kcalloc allocation.
+
+Clamp the per-packet copy length so that the cumulative offset
+never exceeds data_len.
+
+Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thunderbolt/xdomain.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/thunderbolt/xdomain.c
++++ b/drivers/thunderbolt/xdomain.c
+@@ -393,6 +393,8 @@ static int tb_xdp_properties_request(str
+ }
+ }
+
++ if (req.offset + len > data_len)
++ len = data_len - req.offset;
+ memcpy(data + req.offset, res->data, len * 4);
+ req.offset += len;
+ } while (!data_len || req.offset < data_len);
--- /dev/null
+From 4db2bd2ed4785dbadaeeab9f4e346b21ac5fb8eb Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Mon, 25 May 2026 05:28:29 -0400
+Subject: thunderbolt: Limit XDomain response copy to actual frame size
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 4db2bd2ed4785dbadaeeab9f4e346b21ac5fb8eb upstream.
+
+tb_xdomain_copy() copies req->response_size bytes from the received
+packet buffer regardless of the actual frame size. When a short
+response arrives, this reads past the valid frame data in the DMA
+pool buffer into stale contents from previous transactions.
+
+Use the minimum of frame size and expected response size for the
+copy length.
+
+Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thunderbolt/xdomain.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/thunderbolt/xdomain.c
++++ b/drivers/thunderbolt/xdomain.c
+@@ -123,7 +123,9 @@ static bool tb_xdomain_match(const struc
+ static bool tb_xdomain_copy(struct tb_cfg_request *req,
+ const struct ctl_pkg *pkg)
+ {
+- memcpy(req->response, pkg->buffer, req->response_size);
++ size_t len = min_t(size_t, pkg->frame.size, req->response_size);
++
++ memcpy(req->response, pkg->buffer, len);
+ req->result.err = 0;
+ return true;
+ }
--- /dev/null
+From cff8eb65d1eafe7793e54b4d0cf6bf831644630b Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Mon, 25 May 2026 05:28:25 -0400
+Subject: thunderbolt: Reject zero-length property entries in validator
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit cff8eb65d1eafe7793e54b4d0cf6bf831644630b upstream.
+
+tb_property_entry_valid() accepts entries with length == 0 for
+DIRECTORY, DATA, and TEXT types. A zero-length TEXT entry passes
+validation but causes an underflow in the null-termination logic:
+
+ property->value.text[property->length * 4 - 1] = '\0';
+
+When property->length is 0 this writes to offset -1 relative to
+the allocation.
+
+Reject zero-length entries early in the validator since they have no
+valid representation in the XDomain property protocol.
+
+Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thunderbolt/property.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/thunderbolt/property.c
++++ b/drivers/thunderbolt/property.c
+@@ -60,6 +60,8 @@ static bool tb_property_entry_valid(cons
+ case TB_PROPERTY_TYPE_DIRECTORY:
+ case TB_PROPERTY_TYPE_DATA:
+ case TB_PROPERTY_TYPE_TEXT:
++ if (!entry->length)
++ return false;
+ if (entry->length > block_len)
+ return false;
+ if (check_add_overflow(entry->value, entry->length, &end) ||
--- /dev/null
+From a504b9f2797b739e0304d537e8aa4ce883ecce39 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Mon, 25 May 2026 05:28:28 -0400
+Subject: thunderbolt: Validate XDomain request packet size before type cast
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit a504b9f2797b739e0304d537e8aa4ce883ecce39 upstream.
+
+tb_xdp_handle_request() casts the received packet buffer to
+protocol-specific structs without verifying that the allocation
+is large enough for the target type. A peer can send a minimal
+XDomain packet that passes the generic header length check but is
+shorter than the struct accessed after the cast, causing out-of-
+bounds reads from the kmemdup allocation.
+
+Plumb the packet length through xdomain_request_work and validate
+it against the expected struct size before each cast.
+
+Fixes: 8e1de7042596 ("thunderbolt: Add support for XDomain lane bonding")
+Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thunderbolt/xdomain.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/thunderbolt/xdomain.c
++++ b/drivers/thunderbolt/xdomain.c
+@@ -55,6 +55,7 @@ static const char * const state_names[]
+ struct xdomain_request_work {
+ struct work_struct work;
+ struct tb_xdp_header *pkg;
++ size_t pkg_len;
+ struct tb *tb;
+ };
+
+@@ -731,6 +732,7 @@ static void tb_xdp_handle_request(struct
+ struct xdomain_request_work *xw = container_of(work, typeof(*xw), work);
+ const struct tb_xdp_header *pkg = xw->pkg;
+ const struct tb_xdomain_header *xhdr = &pkg->xd_hdr;
++ size_t pkg_len = xw->pkg_len;
+ struct tb *tb = xw->tb;
+ struct tb_ctl *ctl = tb->ctl;
+ struct tb_xdomain *xd;
+@@ -762,7 +764,7 @@ static void tb_xdp_handle_request(struct
+ switch (pkg->type) {
+ case PROPERTIES_REQUEST:
+ tb_dbg(tb, "%llx: received XDomain properties request\n", route);
+- if (xd) {
++ if (xd && pkg_len >= sizeof(struct tb_xdp_properties)) {
+ ret = tb_xdp_properties_response(tb, ctl, xd, sequence,
+ (const struct tb_xdp_properties *)pkg);
+ }
+@@ -816,7 +818,8 @@ static void tb_xdp_handle_request(struct
+ tb_dbg(tb, "%llx: received XDomain link state change request\n",
+ route);
+
+- if (xd && xd->state == XDOMAIN_STATE_BONDING_UUID_HIGH) {
++ if (xd && xd->state == XDOMAIN_STATE_BONDING_UUID_HIGH &&
++ pkg_len >= sizeof(struct tb_xdp_link_state_change)) {
+ const struct tb_xdp_link_state_change *lsc =
+ (const struct tb_xdp_link_state_change *)pkg;
+
+@@ -868,6 +871,7 @@ tb_xdp_schedule_request(struct tb *tb, c
+ kfree(xw);
+ return false;
+ }
++ xw->pkg_len = size;
+ xw->tb = tb_domain_get(tb);
+
+ schedule_work(&xw->work);
projects / thirdparty / kernel / stable-queue.git / commitdiff
