--- /dev/null
+From c25c4aa3f79a488cc270507935a29c07dc6bddfc Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Fri, 27 Feb 2026 18:53:06 +0000
+Subject: arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+commit c25c4aa3f79a488cc270507935a29c07dc6bddfc upstream.
+
+Commit 143937ca51cc ("arm64, mm: avoid always making PTE dirty in
+pte_mkwrite()") changed pte_mkwrite_novma() to only clear PTE_RDONLY
+when PTE_DIRTY is set. This was to allow writable-clean PTEs for swap
+pages that haven't actually been written.
+
+However, this broke kexec and hibernation for some platforms. Both go
+through trans_pgd_create_copy() -> _copy_pte(), which calls
+pte_mkwrite_novma() to make the temporary linear-map copy fully
+writable. With the updated pte_mkwrite_novma(), read-only kernel pages
+(without PTE_DIRTY) remain read-only in the temporary mapping.
+While such behaviour is fine for user pages where hardware DBM or
+trapping will make them writeable, subsequent in-kernel writes by the
+kexec relocation code will fault.
+
+Add PTE_DIRTY back to all _PAGE_KERNEL* protection definitions. This was
+the case prior to 5.4, commit aa57157be69f ("arm64: Ensure
+VM_WRITE|VM_SHARED ptes are clean by default"). With the kernel
+linear-map PTEs always having PTE_DIRTY set, pte_mkwrite_novma()
+correctly clears PTE_RDONLY.
+
+Fixes: 143937ca51cc ("arm64, mm: avoid always making PTE dirty in pte_mkwrite()")
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: stable@vger.kernel.org
+Reported-by: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
+Link: https://lore.kernel.org/r/20251204062722.3367201-1-jianpeng.chang.cn@windriver.com
+Cc: Will Deacon <will@kernel.org>
+Cc: Huang, Ying <ying.huang@linux.alibaba.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Huang Ying <ying.huang@linux.alibaba.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/pgtable-prot.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/include/asm/pgtable-prot.h
++++ b/arch/arm64/include/asm/pgtable-prot.h
+@@ -45,11 +45,11 @@
+
+ #define _PAGE_DEFAULT (_PROT_DEFAULT | PTE_ATTRINDX(MT_NORMAL))
+
+-#define _PAGE_KERNEL (PROT_NORMAL)
+-#define _PAGE_KERNEL_RO ((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY)
+-#define _PAGE_KERNEL_ROX ((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY)
+-#define _PAGE_KERNEL_EXEC (PROT_NORMAL & ~PTE_PXN)
+-#define _PAGE_KERNEL_EXEC_CONT ((PROT_NORMAL & ~PTE_PXN) | PTE_CONT)
++#define _PAGE_KERNEL (PROT_NORMAL | PTE_DIRTY)
++#define _PAGE_KERNEL_RO ((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY | PTE_DIRTY)
++#define _PAGE_KERNEL_ROX ((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY | PTE_DIRTY)
++#define _PAGE_KERNEL_EXEC ((PROT_NORMAL & ~PTE_PXN) | PTE_DIRTY)
++#define _PAGE_KERNEL_EXEC_CONT ((PROT_NORMAL & ~PTE_PXN) | PTE_CONT | PTE_DIRTY)
+
+ #define _PAGE_SHARED (_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN | PTE_WRITE)
+ #define _PAGE_SHARED_EXEC (_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_WRITE)
--- /dev/null
+From cfc83a3c71517b59c1047db57da31e26a9dc2f33 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Mon, 16 Feb 2026 11:20:29 +0100
+Subject: batman-adv: Avoid double-rtnl_lock ELP metric worker
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit cfc83a3c71517b59c1047db57da31e26a9dc2f33 upstream.
+
+batadv_v_elp_get_throughput() might be called when the RTNL lock is already
+held. This could be problematic when the work queue item is cancelled via
+cancel_delayed_work_sync() in batadv_v_elp_iface_disable(). In this case,
+an rtnl_lock() would cause a deadlock.
+
+To avoid this, rtnl_trylock() was used in this function to skip the
+retrieval of the ethtool information in case the RTNL lock was already
+held.
+
+But for cfg80211 interfaces, batadv_get_real_netdev() was called - which
+also uses rtnl_lock(). The approach for __ethtool_get_link_ksettings() must
+also be used instead and the lockless version __batadv_get_real_netdev()
+has to be called.
+
+Cc: stable@vger.kernel.org
+Fixes: 8c8ecc98f5c6 ("batman-adv: Drop unmanaged ELP metric worker")
+Reported-by: Christian Schmidbauer <github@grische.xyz>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Tested-by: Sören Skaarup <freifunk_nordm4nn@gmx.de>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_v_elp.c | 10 +++++++++-
+ net/batman-adv/hard-interface.c | 8 ++++----
+ net/batman-adv/hard-interface.h | 1 +
+ 3 files changed, 14 insertions(+), 5 deletions(-)
+
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -112,7 +112,15 @@ static bool batadv_v_elp_get_throughput(
+ /* unsupported WiFi driver version */
+ goto default_throughput;
+
+- real_netdev = batadv_get_real_netdev(hard_iface->net_dev);
++ /* only use rtnl_trylock because the elp worker will be cancelled while
++ * the rntl_lock is held. the cancel_delayed_work_sync() would otherwise
++ * wait forever when the elp work_item was started and it is then also
++ * trying to rtnl_lock
++ */
++ if (!rtnl_trylock())
++ return false;
++ real_netdev = __batadv_get_real_netdev(hard_iface->net_dev);
++ rtnl_unlock();
+ if (!real_netdev)
+ goto default_throughput;
+
+--- a/net/batman-adv/hard-interface.c
++++ b/net/batman-adv/hard-interface.c
+@@ -203,7 +203,7 @@ static bool batadv_is_valid_iface(const
+ }
+
+ /**
+- * batadv_get_real_netdevice() - check if the given netdev struct is a virtual
++ * __batadv_get_real_netdev() - check if the given netdev struct is a virtual
+ * interface on top of another 'real' interface
+ * @netdev: the device to check
+ *
+@@ -213,7 +213,7 @@ static bool batadv_is_valid_iface(const
+ * Return: the 'real' net device or the original net device and NULL in case
+ * of an error.
+ */
+-static struct net_device *batadv_get_real_netdevice(struct net_device *netdev)
++struct net_device *__batadv_get_real_netdev(struct net_device *netdev)
+ {
+ struct batadv_hard_iface *hard_iface = NULL;
+ struct net_device *real_netdev = NULL;
+@@ -266,7 +266,7 @@ struct net_device *batadv_get_real_netde
+ struct net_device *real_netdev;
+
+ rtnl_lock();
+- real_netdev = batadv_get_real_netdevice(net_device);
++ real_netdev = __batadv_get_real_netdev(net_device);
+ rtnl_unlock();
+
+ return real_netdev;
+@@ -335,7 +335,7 @@ static u32 batadv_wifi_flags_evaluate(st
+ if (batadv_is_cfg80211_netdev(net_device))
+ wifi_flags |= BATADV_HARDIF_WIFI_CFG80211_DIRECT;
+
+- real_netdev = batadv_get_real_netdevice(net_device);
++ real_netdev = __batadv_get_real_netdev(net_device);
+ if (!real_netdev)
+ return wifi_flags;
+
+--- a/net/batman-adv/hard-interface.h
++++ b/net/batman-adv/hard-interface.h
+@@ -68,6 +68,7 @@ enum batadv_hard_if_bcast {
+
+ extern struct notifier_block batadv_hard_if_notifier;
+
++struct net_device *__batadv_get_real_netdev(struct net_device *net_device);
+ struct net_device *batadv_get_real_netdev(struct net_device *net_device);
+ bool batadv_is_cfg80211_hardif(struct batadv_hard_iface *hard_iface);
+ bool batadv_is_wifi_hardif(struct batadv_hard_iface *hard_iface);
--- /dev/null
+From 25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43 Mon Sep 17 00:00:00 2001
+From: Sanman Pradhan <psanman@juniper.net>
+Date: Wed, 4 Mar 2026 15:51:17 -0800
+Subject: hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
+
+From: Sanman Pradhan <psanman@juniper.net>
+
+commit 25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43 upstream.
+
+The q54sj108a2_debugfs_read function suffers from a stack buffer overflow
+due to incorrect arguments passed to bin2hex(). The function currently
+passes 'data' as the destination and 'data_char' as the source.
+
+Because bin2hex() converts each input byte into two hex characters, a
+32-byte block read results in 64 bytes of output. Since 'data' is only
+34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end
+of the buffer onto the stack.
+
+Additionally, the arguments were swapped: it was reading from the
+zero-initialized 'data_char' and writing to 'data', resulting in
+all-zero output regardless of the actual I2C read.
+
+Fix this by:
+1. Expanding 'data_char' to 66 bytes to safely hold the hex output.
+2. Correcting the bin2hex() argument order and using the actual read count.
+3. Using a pointer to select the correct output buffer for the final
+ simple_read_from_buffer call.
+
+Fixes: d014538aa385 ("hwmon: (pmbus) Driver for Delta power supplies Q54SJ108A2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sanman Pradhan <psanman@juniper.net>
+Link: https://lore.kernel.org/r/20260304235116.1045-1-sanman.p211993@gmail.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/pmbus/q54sj108a2.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/drivers/hwmon/pmbus/q54sj108a2.c
++++ b/drivers/hwmon/pmbus/q54sj108a2.c
+@@ -78,7 +78,8 @@ static ssize_t q54sj108a2_debugfs_read(s
+ int idx = *idxp;
+ struct q54sj108a2_data *psu = to_psu(idxp, idx);
+ char data[I2C_SMBUS_BLOCK_MAX + 2] = { 0 };
+- char data_char[I2C_SMBUS_BLOCK_MAX + 2] = { 0 };
++ char data_char[I2C_SMBUS_BLOCK_MAX * 2 + 2] = { 0 };
++ char *out = data;
+ char *res;
+
+ switch (idx) {
+@@ -149,27 +150,27 @@ static ssize_t q54sj108a2_debugfs_read(s
+ if (rc < 0)
+ return rc;
+
+- res = bin2hex(data, data_char, 32);
+- rc = res - data;
+-
++ res = bin2hex(data_char, data, rc);
++ rc = res - data_char;
++ out = data_char;
+ break;
+ case Q54SJ108A2_DEBUGFS_FLASH_KEY:
+ rc = i2c_smbus_read_block_data(psu->client, PMBUS_FLASH_KEY_WRITE, data);
+ if (rc < 0)
+ return rc;
+
+- res = bin2hex(data, data_char, 4);
+- rc = res - data;
+-
++ res = bin2hex(data_char, data, rc);
++ rc = res - data_char;
++ out = data_char;
+ break;
+ default:
+ return -EINVAL;
+ }
+
+- data[rc] = '\n';
++ out[rc] = '\n';
+ rc += 2;
+
+- return simple_read_from_buffer(buf, count, ppos, data, rc);
++ return simple_read_from_buffer(buf, count, ppos, out, rc);
+ }
+
+ static ssize_t q54sj108a2_debugfs_write(struct file *file, const char __user *buf,
--- /dev/null
+From fb4903b3354aed4a2301180cf991226f896c87ed Mon Sep 17 00:00:00 2001
+From: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
+Date: Tue, 13 Jan 2026 20:38:17 +0100
+Subject: ice: fix retry for AQ command 0x06EE
+
+From: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
+
+commit fb4903b3354aed4a2301180cf991226f896c87ed upstream.
+
+Executing ethtool -m can fail reporting a netlink I/O error while firmware
+link management holds the i2c bus used to communicate with the module.
+
+According to Intel(R) Ethernet Controller E810 Datasheet Rev 2.8 [1]
+Section 3.3.10.4 Read/Write SFF EEPROM (0x06EE)
+request should to be retried upon receiving EBUSY from firmware.
+
+Commit e9c9692c8a81 ("ice: Reimplement module reads used by ethtool")
+implemented it only for part of ice_get_module_eeprom(), leaving all other
+calls to ice_aq_sff_eeprom() vulnerable to returning early on getting
+EBUSY without retrying.
+
+Remove the retry loop from ice_get_module_eeprom() and add Admin Queue
+(AQ) command with opcode 0x06EE to the list of commands that should be
+retried on receiving EBUSY from firmware.
+
+Cc: stable@vger.kernel.org
+Fixes: e9c9692c8a81 ("ice: Reimplement module reads used by ethtool")
+Signed-off-by: Jakub Staniszewski <jakub.staniszewski@linux.intel.com>
+Co-developed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
+Signed-off-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Link: https://www.intel.com/content/www/us/en/content-details/613875/intel-ethernet-controller-e810-datasheet.html [1]
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ice/ice_common.c | 1
+ drivers/net/ethernet/intel/ice/ice_ethtool.c | 35 ++++++++++-----------------
+ 2 files changed, 15 insertions(+), 21 deletions(-)
+
+--- a/drivers/net/ethernet/intel/ice/ice_common.c
++++ b/drivers/net/ethernet/intel/ice/ice_common.c
+@@ -1611,6 +1611,7 @@ static bool ice_should_retry_sq_send_cmd
+ case ice_aqc_opc_lldp_stop:
+ case ice_aqc_opc_lldp_start:
+ case ice_aqc_opc_lldp_filter_ctrl:
++ case ice_aqc_opc_sff_eeprom:
+ return true;
+ }
+
+--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+@@ -4045,7 +4045,7 @@ ice_get_module_eeprom(struct net_device
+ struct ice_pf *pf = vsi->back;
+ struct ice_hw *hw = &pf->hw;
+ bool is_sfp = false;
+- unsigned int i, j;
++ unsigned int i;
+ u16 offset = 0;
+ u8 page = 0;
+ int status;
+@@ -4087,26 +4087,19 @@ ice_get_module_eeprom(struct net_device
+ if (page == 0 || !(data[0x2] & 0x4)) {
+ u32 copy_len;
+
+- /* If i2c bus is busy due to slow page change or
+- * link management access, call can fail. This is normal.
+- * So we retry this a few times.
+- */
+- for (j = 0; j < 4; j++) {
+- status = ice_aq_sff_eeprom(hw, 0, addr, offset, page,
+- !is_sfp, value,
+- SFF_READ_BLOCK_SIZE,
+- 0, NULL);
+- netdev_dbg(netdev, "SFF %02X %02X %02X %X = %02X%02X%02X%02X.%02X%02X%02X%02X (%X)\n",
+- addr, offset, page, is_sfp,
+- value[0], value[1], value[2], value[3],
+- value[4], value[5], value[6], value[7],
+- status);
+- if (status) {
+- usleep_range(1500, 2500);
+- memset(value, 0, SFF_READ_BLOCK_SIZE);
+- continue;
+- }
+- break;
++ status = ice_aq_sff_eeprom(hw, 0, addr, offset, page,
++ !is_sfp, value,
++ SFF_READ_BLOCK_SIZE,
++ 0, NULL);
++ netdev_dbg(netdev, "SFF %02X %02X %02X %X = %02X%02X%02X%02X.%02X%02X%02X%02X (%pe)\n",
++ addr, offset, page, is_sfp,
++ value[0], value[1], value[2], value[3],
++ value[4], value[5], value[6], value[7],
++ ERR_PTR(status));
++ if (status) {
++ netdev_err(netdev, "%s: error reading module EEPROM: status %pe\n",
++ __func__, ERR_PTR(status));
++ return status;
+ }
+
+ /* Make sure we have enough room for the new block */
--- /dev/null
+From 1dfd062caa165ec9d7ee0823087930f3ab8a6294 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sat, 7 Mar 2026 11:32:31 +0900
+Subject: ksmbd: fix use-after-free by using call_rcu() for oplock_info
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 1dfd062caa165ec9d7ee0823087930f3ab8a6294 upstream.
+
+ksmbd currently frees oplock_info immediately using kfree(), even
+though it is accessed under RCU read-side critical sections in places
+like opinfo_get() and proc_show_files().
+
+Since there is no RCU grace period delay between nullifying the pointer
+and freeing the memory, a reader can still access oplock_info
+structure after it has been freed. This can leads to a use-after-free
+especially in opinfo_get() where atomic_inc_not_zero() is called on
+already freed memory.
+
+Fix this by switching to deferred freeing using call_rcu().
+
+Fixes: 18b4fac5ef17 ("ksmbd: fix use-after-free in smb_break_all_levII_oplock()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/oplock.c | 29 +++++++++++++++++++++--------
+ fs/smb/server/oplock.h | 5 +++--
+ 2 files changed, 24 insertions(+), 10 deletions(-)
+
+--- a/fs/smb/server/oplock.c
++++ b/fs/smb/server/oplock.c
+@@ -120,7 +120,7 @@ static void free_lease(struct oplock_inf
+ kfree(lease);
+ }
+
+-static void free_opinfo(struct oplock_info *opinfo)
++static void __free_opinfo(struct oplock_info *opinfo)
+ {
+ if (opinfo->is_lease)
+ free_lease(opinfo);
+@@ -129,6 +129,18 @@ static void free_opinfo(struct oplock_in
+ kfree(opinfo);
+ }
+
++static void free_opinfo_rcu(struct rcu_head *rcu)
++{
++ struct oplock_info *opinfo = container_of(rcu, struct oplock_info, rcu);
++
++ __free_opinfo(opinfo);
++}
++
++static void free_opinfo(struct oplock_info *opinfo)
++{
++ call_rcu(&opinfo->rcu, free_opinfo_rcu);
++}
++
+ struct oplock_info *opinfo_get(struct ksmbd_file *fp)
+ {
+ struct oplock_info *opinfo;
+@@ -176,9 +188,9 @@ void opinfo_put(struct oplock_info *opin
+ free_opinfo(opinfo);
+ }
+
+-static void opinfo_add(struct oplock_info *opinfo)
++static void opinfo_add(struct oplock_info *opinfo, struct ksmbd_file *fp)
+ {
+- struct ksmbd_inode *ci = opinfo->o_fp->f_ci;
++ struct ksmbd_inode *ci = fp->f_ci;
+
+ down_write(&ci->m_lock);
+ list_add(&opinfo->op_entry, &ci->m_op_list);
+@@ -1279,20 +1291,21 @@ set_lev:
+ set_oplock_level(opinfo, req_op_level, lctx);
+
+ out:
+- rcu_assign_pointer(fp->f_opinfo, opinfo);
+- opinfo->o_fp = fp;
+-
+ opinfo_count_inc(fp);
+- opinfo_add(opinfo);
++ opinfo_add(opinfo, fp);
++
+ if (opinfo->is_lease) {
+ err = add_lease_global_list(opinfo);
+ if (err)
+ goto err_out;
+ }
+
++ rcu_assign_pointer(fp->f_opinfo, opinfo);
++ opinfo->o_fp = fp;
++
+ return 0;
+ err_out:
+- free_opinfo(opinfo);
++ __free_opinfo(opinfo);
+ return err;
+ }
+
+--- a/fs/smb/server/oplock.h
++++ b/fs/smb/server/oplock.h
+@@ -76,8 +76,9 @@ struct oplock_info {
+ struct lease *o_lease;
+ struct list_head op_entry;
+ struct list_head lease_entry;
+- wait_queue_head_t oplock_q; /* Other server threads */
+- wait_queue_head_t oplock_brk; /* oplock breaking wait */
++ wait_queue_head_t oplock_q; /* Other server threads */
++ wait_queue_head_t oplock_brk; /* oplock breaking wait */
++ struct rcu_head rcu;
+ };
+
+ struct lease_break_info {
--- /dev/null
+From eac3361e3d5dd8067b3258c69615888eb45e9f25 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Mon, 2 Mar 2026 12:55:02 +0900
+Subject: ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit eac3361e3d5dd8067b3258c69615888eb45e9f25 upstream.
+
+opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is being
+accessed after rcu_read_unlock() has been called. This creates a
+race condition where the memory could be freed by a concurrent
+writer between the unlock and the subsequent pointer dereferences
+(opinfo->is_lease, etc.), leading to a use-after-free.
+
+Fixes: 5fb282ba4fef ("ksmbd: fix possible null-deref in smb_lazy_parent_lease_break_close")
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/oplock.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/oplock.c
++++ b/fs/smb/server/oplock.c
+@@ -1123,10 +1123,12 @@ void smb_lazy_parent_lease_break_close(s
+
+ rcu_read_lock();
+ opinfo = rcu_dereference(fp->f_opinfo);
+- rcu_read_unlock();
+
+- if (!opinfo || !opinfo->is_lease || opinfo->o_lease->version != 2)
++ if (!opinfo || !opinfo->is_lease || opinfo->o_lease->version != 2) {
++ rcu_read_unlock();
+ return;
++ }
++ rcu_read_unlock();
+
+ p_ci = ksmbd_inode_lookup_lock(fp->filp->f_path.dentry->d_parent);
+ if (!p_ci)
--- /dev/null
+From 24d87712727a5017ad142d63940589a36cd25647 Mon Sep 17 00:00:00 2001
+From: Ariel Silver <arielsilver77@gmail.com>
+Date: Sat, 21 Feb 2026 15:26:00 +0100
+Subject: media: dvb-net: fix OOB access in ULE extension header tables
+
+From: Ariel Silver <arielsilver77@gmail.com>
+
+commit 24d87712727a5017ad142d63940589a36cd25647 upstream.
+
+The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables
+in handle_one_ule_extension() are declared with 255 elements (valid
+indices 0-254), but the index htype is derived from network-controlled
+data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When
+htype equals 255, an out-of-bounds read occurs on the function pointer
+table, and the OOB value may be called as a function pointer.
+
+Add a bounds check on htype against the array size before either table
+is accessed. Out-of-range values now cause the SNDU to be discarded.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Ariel Silver <arielsilver77@gmail.com>
+Signed-off-by: Ariel Silver <arielsilver77@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-core/dvb_net.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/dvb-core/dvb_net.c
++++ b/drivers/media/dvb-core/dvb_net.c
+@@ -228,6 +228,9 @@ static int handle_one_ule_extension( str
+ unsigned char hlen = (p->ule_sndu_type & 0x0700) >> 8;
+ unsigned char htype = p->ule_sndu_type & 0x00FF;
+
++ if (htype >= ARRAY_SIZE(ule_mandatory_ext_handlers))
++ return -1;
++
+ /* Discriminate mandatory and optional extension headers. */
+ if (hlen == 0) {
+ /* Mandatory extension header */
--- /dev/null
+From 99c8c16a4aad0b37293cae213e15957c573cf79b Mon Sep 17 00:00:00 2001
+From: "Bastien Curutchet (Schneider Electric)" <bastien.curutchet@bootlin.com>
+Date: Mon, 9 Mar 2026 14:15:43 +0100
+Subject: net: dsa: microchip: Fix error path in PTP IRQ setup
+
+From: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
+
+commit 99c8c16a4aad0b37293cae213e15957c573cf79b upstream.
+
+If request_threaded_irq() fails during the PTP message IRQ setup, the
+newly created IRQ mapping is never disposed. Indeed, the
+ksz_ptp_irq_setup()'s error path only frees the mappings that were
+successfully set up.
+
+Dispose the newly created mapping if the associated
+request_threaded_irq() fails at setup.
+
+Cc: stable@vger.kernel.org
+Fixes: d0b8fec8ae505 ("net: dsa: microchip: Fix symetry in ksz_ptp_msg_irq_{setup/free}()")
+Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Link: https://patch.msgid.link/20260309-ksz-ptp-irq-fix-v1-1-757b3b985955@bootlin.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/microchip/ksz_ptp.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/dsa/microchip/ksz_ptp.c
++++ b/drivers/net/dsa/microchip/ksz_ptp.c
+@@ -1101,6 +1101,7 @@ static int ksz_ptp_msg_irq_setup(struct
+ const struct ksz_dev_ops *ops = port->ksz_dev->dev_ops;
+ struct ksz_irq *ptpirq = &port->ptpirq;
+ struct ksz_ptp_irq *ptpmsg_irq;
++ int ret;
+
+ ptpmsg_irq = &port->ptpmsg_irq[n];
+ ptpmsg_irq->num = irq_create_mapping(ptpirq->domain, n);
+@@ -1112,9 +1113,13 @@ static int ksz_ptp_msg_irq_setup(struct
+
+ snprintf(ptpmsg_irq->name, sizeof(ptpmsg_irq->name), name[n]);
+
+- return request_threaded_irq(ptpmsg_irq->num, NULL,
+- ksz_ptp_msg_thread_fn, IRQF_ONESHOT,
+- ptpmsg_irq->name, ptpmsg_irq);
++ ret = request_threaded_irq(ptpmsg_irq->num, NULL,
++ ksz_ptp_msg_thread_fn, IRQF_ONESHOT,
++ ptpmsg_irq->name, ptpmsg_irq);
++ if (ret)
++ irq_dispose_mapping(ptpmsg_irq->num);
++
++ return ret;
+ }
+
+ int ksz_ptp_irq_setup(struct dsa_switch *ds, u8 p)
--- /dev/null
+From 2503d08f8a2de618e5c3a8183b250ff4a2e2d52c Mon Sep 17 00:00:00 2001
+From: Fan Wu <fanwu01@zju.edu.cn>
+Date: Mon, 9 Mar 2026 13:24:09 +0000
+Subject: net: ethernet: arc: emac: quiesce interrupts before requesting IRQ
+
+From: Fan Wu <fanwu01@zju.edu.cn>
+
+commit 2503d08f8a2de618e5c3a8183b250ff4a2e2d52c upstream.
+
+Normal RX/TX interrupts are enabled later, in arc_emac_open(), so probe
+should not see interrupt delivery in the usual case. However, hardware may
+still present stale or latched interrupt status left by firmware or the
+bootloader.
+
+If probe later unwinds after devm_request_irq() has installed the handler,
+such a stale interrupt can still reach arc_emac_intr() during teardown and
+race with release of the associated net_device.
+
+Avoid that window by putting the device into a known quiescent state before
+requesting the IRQ: disable all EMAC interrupt sources and clear any
+pending EMAC interrupt status bits. This keeps the change hardware-focused
+and minimal, while preventing spurious IRQ delivery from leftover state.
+
+Fixes: e4f2379db6c6 ("ethernet/arc/arc_emac - Add new driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
+Link: https://patch.msgid.link/20260309132409.584966-1-fanwu01@zju.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/arc/emac_main.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/net/ethernet/arc/emac_main.c
++++ b/drivers/net/ethernet/arc/emac_main.c
+@@ -934,6 +934,17 @@ int arc_emac_probe(struct net_device *nd
+ /* Set poll rate so that it polls every 1 ms */
+ arc_reg_set(priv, R_POLLRATE, clock_frequency / 1000000);
+
++ /*
++ * Put the device into a known quiescent state before requesting
++ * the IRQ. Clear only EMAC interrupt status bits here; leave the
++ * MDIO completion bit alone and avoid writing TXPL_MASK, which is
++ * used to force TX polling rather than acknowledge interrupts.
++ */
++ arc_reg_set(priv, R_ENABLE, 0);
++ arc_reg_set(priv, R_STATUS, RXINT_MASK | TXINT_MASK | ERR_MASK |
++ TXCH_MASK | MSER_MASK | RXCR_MASK |
++ RXFR_MASK | RXFL_MASK);
++
+ ndev->irq = irq;
+ dev_info(dev, "IRQ is %d\n", ndev->irq);
+
--- /dev/null
+From dabffd08545ffa1d7183bc45e387860984025291 Mon Sep 17 00:00:00 2001
+From: Long Li <longli@microsoft.com>
+Date: Thu, 26 Feb 2026 11:28:33 -0800
+Subject: net: mana: Ring doorbell at 4 CQ wraparounds
+
+From: Long Li <longli@microsoft.com>
+
+commit dabffd08545ffa1d7183bc45e387860984025291 upstream.
+
+MANA hardware requires at least one doorbell ring every 8 wraparounds
+of the CQ. The driver rings the doorbell as a form of flow control to
+inform hardware that CQEs have been consumed.
+
+The NAPI poll functions mana_poll_tx_cq() and mana_poll_rx_cq() can
+poll up to CQE_POLLING_BUFFER (512) completions per call. If the CQ
+has fewer than 512 entries, a single poll call can process more than
+4 wraparounds without ringing the doorbell. The doorbell threshold
+check also uses ">" instead of ">=", delaying the ring by one extra
+CQE beyond 4 wraparounds. Combined, these issues can cause the driver
+to exceed the 8-wraparound hardware limit, leading to missed
+completions and stalled queues.
+
+Fix this by capping the number of CQEs polled per call to 4 wraparounds
+of the CQ in both TX and RX paths. Also change the doorbell threshold
+from ">" to ">=" so the doorbell is rung as soon as 4 wraparounds are
+reached.
+
+Cc: stable@vger.kernel.org
+Fixes: 58a63729c957 ("net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings")
+Signed-off-by: Long Li <longli@microsoft.com>
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Link: https://patch.msgid.link/20260226192833.1050807-1-longli@microsoft.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/microsoft/mana/mana_en.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
+@@ -1368,8 +1368,14 @@ static void mana_poll_tx_cq(struct mana_
+ ndev = txq->ndev;
+ apc = netdev_priv(ndev);
+
++ /* Limit CQEs polled to 4 wraparounds of the CQ to ensure the
++ * doorbell can be rung in time for the hardware's requirement
++ * of at least one doorbell ring every 8 wraparounds.
++ */
+ comp_read = mana_gd_poll_cq(cq->gdma_cq, completions,
+- CQE_POLLING_BUFFER);
++ min((cq->gdma_cq->queue_size /
++ COMP_ENTRY_SIZE) * 4,
++ CQE_POLLING_BUFFER));
+
+ if (comp_read < 1)
+ return;
+@@ -1749,7 +1755,14 @@ static void mana_poll_rx_cq(struct mana_
+ struct mana_rxq *rxq = cq->rxq;
+ int comp_read, i;
+
+- comp_read = mana_gd_poll_cq(cq->gdma_cq, comp, CQE_POLLING_BUFFER);
++ /* Limit CQEs polled to 4 wraparounds of the CQ to ensure the
++ * doorbell can be rung in time for the hardware's requirement
++ * of at least one doorbell ring every 8 wraparounds.
++ */
++ comp_read = mana_gd_poll_cq(cq->gdma_cq, comp,
++ min((cq->gdma_cq->queue_size /
++ COMP_ENTRY_SIZE) * 4,
++ CQE_POLLING_BUFFER));
+ WARN_ON_ONCE(comp_read > CQE_POLLING_BUFFER);
+
+ rxq->xdp_flush = false;
+@@ -1794,11 +1807,11 @@ static int mana_cq_handler(void *context
+ mana_gd_ring_cq(gdma_queue, SET_ARM_BIT);
+ cq->work_done_since_doorbell = 0;
+ napi_complete_done(&cq->napi, w);
+- } else if (cq->work_done_since_doorbell >
+- cq->gdma_cq->queue_size / COMP_ENTRY_SIZE * 4) {
++ } else if (cq->work_done_since_doorbell >=
++ (cq->gdma_cq->queue_size / COMP_ENTRY_SIZE) * 4) {
+ /* MANA hardware requires at least one doorbell ring every 8
+ * wraparounds of CQ even if there is no need to arm the CQ.
+- * This driver rings the doorbell as soon as we have exceeded
++ * This driver rings the doorbell as soon as it has processed
+ * 4 wraparounds.
+ */
+ mana_gd_ring_cq(gdma_queue, 0);
--- /dev/null
+From 5c3398a54266541610c8d0a7082e654e9ff3e259 Mon Sep 17 00:00:00 2001
+From: Jian Zhang <zhangjian.3032@bytedance.com>
+Date: Thu, 5 Mar 2026 14:06:55 +0800
+Subject: net: ncsi: fix skb leak in error paths
+
+From: Jian Zhang <zhangjian.3032@bytedance.com>
+
+commit 5c3398a54266541610c8d0a7082e654e9ff3e259 upstream.
+
+Early return paths in NCSI RX and AEN handlers fail to release
+the received skb, resulting in a memory leak.
+
+Specifically, ncsi_aen_handler() returns on invalid AEN packets
+without consuming the skb. Similarly, ncsi_rcv_rsp() exits early
+when failing to resolve the NCSI device, response handler, or
+request, leaving the skb unfreed.
+
+CC: stable@vger.kernel.org
+Fixes: 7a82ecf4cfb8 ("net/ncsi: NCSI AEN packet handler")
+Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler")
+Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>
+Link: https://patch.msgid.link/20260305060656.3357250-1-zhangjian.3032@bytedance.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ncsi/ncsi-aen.c | 3 ++-
+ net/ncsi/ncsi-rsp.c | 16 ++++++++++++----
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+--- a/net/ncsi/ncsi-aen.c
++++ b/net/ncsi/ncsi-aen.c
+@@ -224,7 +224,8 @@ int ncsi_aen_handler(struct ncsi_dev_pri
+ if (!nah) {
+ netdev_warn(ndp->ndev.dev, "Invalid AEN (0x%x) received\n",
+ h->type);
+- return -ENOENT;
++ ret = -ENOENT;
++ goto out;
+ }
+
+ ret = ncsi_validate_aen_pkt(h, nah->payload);
+--- a/net/ncsi/ncsi-rsp.c
++++ b/net/ncsi/ncsi-rsp.c
+@@ -1176,8 +1176,10 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st
+ /* Find the NCSI device */
+ nd = ncsi_find_dev(orig_dev);
+ ndp = nd ? TO_NCSI_DEV_PRIV(nd) : NULL;
+- if (!ndp)
+- return -ENODEV;
++ if (!ndp) {
++ ret = -ENODEV;
++ goto err_free_skb;
++ }
+
+ /* Check if it is AEN packet */
+ hdr = (struct ncsi_pkt_hdr *)skb_network_header(skb);
+@@ -1199,7 +1201,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st
+ if (!nrh) {
+ netdev_err(nd->dev, "Received unrecognized packet (0x%x)\n",
+ hdr->type);
+- return -ENOENT;
++ ret = -ENOENT;
++ goto err_free_skb;
+ }
+
+ /* Associate with the request */
+@@ -1207,7 +1210,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st
+ nr = &ndp->requests[hdr->id];
+ if (!nr->used) {
+ spin_unlock_irqrestore(&ndp->lock, flags);
+- return -ENODEV;
++ ret = -ENODEV;
++ goto err_free_skb;
+ }
+
+ nr->rsp = skb;
+@@ -1261,4 +1265,8 @@ out_netlink:
+ out:
+ ncsi_free_request(nr);
+ return ret;
++
++err_free_skb:
++ kfree_skb(skb);
++ return ret;
+ }
--- /dev/null
+From 8f3c6f08ababad2e3bdd239728cf66a9949446b4 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Tue, 24 Feb 2026 13:17:50 +1000
+Subject: nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit 8f3c6f08ababad2e3bdd239728cf66a9949446b4 upstream.
+
+If we have runtime suspended, and userspace wants to use /dev/drm_dp_*
+then just tell it the device is busy instead of crashing in the GSP
+code.
+
+WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]
+CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy)
+Hardware name: LENOVO 20QTS0PQ00/20QTS0PQ00, BIOS N2OET65W (1.52 ) 08/05/2024
+RIP: 0010:r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]
+
+This is a simple fix to get backported. We should probably engineer a
+proper power domain solution to wake up devices and keep them awake
+while fw updates are happening.
+
+Cc: stable@vger.kernel.org
+Fixes: 8894f4919bc4 ("drm/nouveau: register a drm_dp_aux channel for each dp connector")
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Link: https://patch.msgid.link/20260224031750.791621-1-airlied@gmail.com
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
+@@ -1212,6 +1212,9 @@ nouveau_connector_aux_xfer(struct drm_dp
+ u8 size = msg->size;
+ int ret;
+
++ if (pm_runtime_suspended(nv_connector->base.dev->dev))
++ return -EBUSY;
++
+ nv_encoder = find_encoder(&nv_connector->base, DCB_OUTPUT_DP);
+ if (!nv_encoder || !(aux = nv_encoder->aux))
+ return -ENODEV;
--- /dev/null
+From 17c144f1104bfc29a3ce3f7d0931a1bfb7a3558c Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Tue, 3 Mar 2026 23:36:11 +0100
+Subject: parisc: Check kernel mapping earlier at bootup
+
+From: Helge Deller <deller@gmx.de>
+
+commit 17c144f1104bfc29a3ce3f7d0931a1bfb7a3558c upstream.
+
+The check if the initial mapping is sufficient needs to happen much
+earlier during bootup. Move this test directly to the start_parisc()
+function and use native PDC iodc functions to print the warning, because
+panic() and printk() are not functional yet.
+
+This fixes boot when enabling various KALLSYSMS options which need
+much more space.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: <stable@vger.kernel.org> # v6.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/setup.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/arch/parisc/kernel/setup.c
++++ b/arch/parisc/kernel/setup.c
+@@ -123,14 +123,6 @@ void __init setup_arch(char **cmdline_p)
+ #endif
+ printk(KERN_CONT ".\n");
+
+- /*
+- * Check if initial kernel page mappings are sufficient.
+- * panic early if not, else we may access kernel functions
+- * and variables which can't be reached.
+- */
+- if (__pa((unsigned long) &_end) >= KERNEL_INITIAL_SIZE)
+- panic("KERNEL_INITIAL_ORDER too small!");
+-
+ #ifdef CONFIG_64BIT
+ if(parisc_narrow_firmware) {
+ printk(KERN_INFO "Kernel is using PDC in 32-bit mode.\n");
+@@ -282,6 +274,18 @@ void __init start_parisc(void)
+ int ret, cpunum;
+ struct pdc_coproc_cfg coproc_cfg;
+
++ /*
++ * Check if initial kernel page mapping is sufficient.
++ * Print warning if not, because we may access kernel functions and
++ * variables which can't be reached yet through the initial mappings.
++ * Note that the panic() and printk() functions are not functional
++ * yet, so we need to use direct iodc() firmware calls instead.
++ */
++ const char warn1[] = "CRITICAL: Kernel may crash because "
++ "KERNEL_INITIAL_ORDER is too small.\n";
++ if (__pa((unsigned long) &_end) >= KERNEL_INITIAL_SIZE)
++ pdc_iodc_print(warn1, sizeof(warn1) - 1);
++
+ /* check QEMU/SeaBIOS marker in PAGE0 */
+ running_on_qemu = (memcmp(&PAGE0->pad0, "SeaBIOS", 8) == 0);
+
--- /dev/null
+From 8475d8fe21ec9c7eb2faca555fbc5b68cf0d2597 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Wed, 4 Mar 2026 22:24:18 +0100
+Subject: parisc: Fix initial page table creation for boot
+
+From: Helge Deller <deller@gmx.de>
+
+commit 8475d8fe21ec9c7eb2faca555fbc5b68cf0d2597 upstream.
+
+The KERNEL_INITIAL_ORDER value defines the initial size (usually 32 or
+64 MB) of the page table during bootup. Up until now the whole area was
+initialized with PTE entries, but there was no check if we filled too
+many entries. Change the code to fill up with so many entries that the
+"_end" symbol can be reached by the kernel, but not more entries than
+actually fit into the initial PTE tables.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: <stable@vger.kernel.org> # v6.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/head.S | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/head.S
++++ b/arch/parisc/kernel/head.S
+@@ -56,6 +56,7 @@ ENTRY(parisc_kernel_start)
+
+ .import __bss_start,data
+ .import __bss_stop,data
++ .import __end,data
+
+ load32 PA(__bss_start),%r3
+ load32 PA(__bss_stop),%r4
+@@ -149,7 +150,11 @@ $cpu_ok:
+ * everything ... it will get remapped correctly later */
+ ldo 0+_PAGE_KERNEL_RWX(%r0),%r3 /* Hardwired 0 phys addr start */
+ load32 (1<<(KERNEL_INITIAL_ORDER-PAGE_SHIFT)),%r11 /* PFN count */
+- load32 PA(pg0),%r1
++ load32 PA(_end),%r1
++ SHRREG %r1,PAGE_SHIFT,%r1 /* %r1 is PFN count for _end symbol */
++ cmpb,<<,n %r11,%r1,1f
++ copy %r1,%r11 /* %r1 PFN count smaller than %r11 */
++1: load32 PA(pg0),%r1
+
+ $pgt_fill_loop:
+ STREGM %r3,ASM_PTE_ENTRY_SIZE(%r1)
--- /dev/null
+From 8e732934fb81282be41602550e7e07baf265e972 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Tue, 3 Mar 2026 23:36:10 +0100
+Subject: parisc: Increase initial mapping to 64 MB with KALLSYMS
+
+From: Helge Deller <deller@gmx.de>
+
+commit 8e732934fb81282be41602550e7e07baf265e972 upstream.
+
+The 32MB initial kernel mapping can become too small when CONFIG_KALLSYMS
+is used. Increase the mapping to 64 MB in this case.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: <stable@vger.kernel.org> # v6.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/asm/pgtable.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/include/asm/pgtable.h
++++ b/arch/parisc/include/asm/pgtable.h
+@@ -85,7 +85,7 @@ extern void __update_cache(pte_t pte);
+ printk("%s:%d: bad pgd %08lx.\n", __FILE__, __LINE__, (unsigned long)pgd_val(e))
+
+ /* This is the size of the initially mapped kernel memory */
+-#if defined(CONFIG_64BIT)
++#if defined(CONFIG_64BIT) || defined(CONFIG_KALLSYMS)
+ #define KERNEL_INITIAL_ORDER 26 /* 1<<26 = 64MB */
+ #else
+ #define KERNEL_INITIAL_ORDER 25 /* 1<<25 = 32MB */
--- /dev/null
+From 550bae2c0931dbb664a61b08c21cf156f0a5362a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ma=C3=ADra=20Canal?= <mcanal@igalia.com>
+Date: Thu, 12 Feb 2026 11:49:44 -0300
+Subject: pmdomain: bcm: bcm2835-power: Fix broken reset status read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+commit 550bae2c0931dbb664a61b08c21cf156f0a5362a upstream.
+
+bcm2835_reset_status() has a misplaced parenthesis on every PM_READ()
+call. Since PM_READ(reg) expands to readl(power->base + (reg)), the
+expression:
+
+ PM_READ(PM_GRAFX & PM_V3DRSTN)
+
+computes the bitwise AND of the register offset PM_GRAFX with the
+bitmask PM_V3DRSTN before using the result as a register offset, reading
+from the wrong MMIO address instead of the intended PM_GRAFX register.
+The same issue affects the PM_IMAGE cases.
+
+Fix by moving the closing parenthesis so PM_READ() receives only the
+register offset, and the bitmask is applied to the value returned by
+the read.
+
+Fixes: 670c672608a1 ("soc: bcm: bcm2835-pm: Add support for power domains under a new binding.")
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pmdomain/bcm/bcm2835-power.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pmdomain/bcm/bcm2835-power.c
++++ b/drivers/pmdomain/bcm/bcm2835-power.c
+@@ -580,11 +580,11 @@ static int bcm2835_reset_status(struct r
+
+ switch (id) {
+ case BCM2835_RESET_V3D:
+- return !PM_READ(PM_GRAFX & PM_V3DRSTN);
++ return !(PM_READ(PM_GRAFX) & PM_V3DRSTN);
+ case BCM2835_RESET_H264:
+- return !PM_READ(PM_IMAGE & PM_H264RSTN);
++ return !(PM_READ(PM_IMAGE) & PM_H264RSTN);
+ case BCM2835_RESET_ISP:
+- return !PM_READ(PM_IMAGE & PM_ISPRSTN);
++ return !(PM_READ(PM_IMAGE) & PM_ISPRSTN);
+ default:
+ return -EINVAL;
+ }
ixgbevf-fix-link-setup-issue.patch
staging-rtl8723bs-properly-validate-the-data-in-rtw_get_ie_ex.patch
staging-rtl8723bs-fix-potential-out-of-bounds-read-in-rtw_restruct_wmm_ie.patch
+media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch
+net-mana-ring-doorbell-at-4-cq-wraparounds.patch
+ice-fix-retry-for-aq-command-0x06ee.patch
+tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch
+batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch
+parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch
+nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch
+arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch
+hwmon-pmbus-q54sj108a2-fix-stack-overflow-in-debugfs-read.patch
+parisc-fix-initial-page-table-creation-for-boot.patch
+parisc-check-kernel-mapping-earlier-at-bootup.patch
+pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch
+ksmbd-fix-use-after-free-in-smb_lazy_parent_lease_break_close.patch
+smb-server-fix-use-after-free-in-smb2_open.patch
+ksmbd-fix-use-after-free-by-using-call_rcu-for-oplock_info.patch
+net-ncsi-fix-skb-leak-in-error-paths.patch
+net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch
+net-dsa-microchip-fix-error-path-in-ptp-irq-setup.patch
--- /dev/null
+From 1e689a56173827669a35da7cb2a3c78ed5c53680 Mon Sep 17 00:00:00 2001
+From: Marios Makassikis <mmakassikis@freebox.fr>
+Date: Tue, 3 Mar 2026 11:14:32 +0100
+Subject: smb: server: fix use-after-free in smb2_open()
+
+From: Marios Makassikis <mmakassikis@freebox.fr>
+
+commit 1e689a56173827669a35da7cb2a3c78ed5c53680 upstream.
+
+The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is
+dereferenced after rcu_read_unlock(), creating a use-after-free
+window.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -3593,10 +3593,8 @@ int smb2_open(struct ksmbd_work *work)
+
+ reconnected_fp:
+ rsp->StructureSize = cpu_to_le16(89);
+- rcu_read_lock();
+- opinfo = rcu_dereference(fp->f_opinfo);
++ opinfo = opinfo_get(fp);
+ rsp->OplockLevel = opinfo != NULL ? opinfo->level : 0;
+- rcu_read_unlock();
+ rsp->Flags = 0;
+ rsp->CreateAction = cpu_to_le32(file_info);
+ rsp->CreationTime = cpu_to_le64(fp->create_time);
+@@ -3637,6 +3635,7 @@ reconnected_fp:
+ next_ptr = &lease_ccontext->Next;
+ next_off = conn->vals->create_lease_size;
+ }
++ opinfo_put(opinfo);
+
+ if (maximal_access_ctxt) {
+ struct create_context *mxac_ccontext;
--- /dev/null
+From 0a663b764dbdf135a126284f454c9f01f95a87d4 Mon Sep 17 00:00:00 2001
+From: Huiwen He <hehuiwen@kylinos.cn>
+Date: Tue, 24 Feb 2026 10:35:44 +0800
+Subject: tracing: Fix syscall events activation by ensuring refcount hits zero
+
+From: Huiwen He <hehuiwen@kylinos.cn>
+
+commit 0a663b764dbdf135a126284f454c9f01f95a87d4 upstream.
+
+When multiple syscall events are specified in the kernel command line
+(e.g., trace_event=syscalls:sys_enter_openat,syscalls:sys_enter_close),
+they are often not captured after boot, even though they appear enabled
+in the tracing/set_event file.
+
+The issue stems from how syscall events are initialized. Syscall
+tracepoints require the global reference count (sys_tracepoint_refcount)
+to transition from 0 to 1 to trigger the registration of the syscall
+work (TIF_SYSCALL_TRACEPOINT) for tasks, including the init process (pid 1).
+
+The current implementation of early_enable_events() with disable_first=true
+used an interleaved sequence of "Disable A -> Enable A -> Disable B -> Enable B".
+If multiple syscalls are enabled, the refcount never drops to zero,
+preventing the 0->1 transition that triggers actual registration.
+
+Fix this by splitting early_enable_events() into two distinct phases:
+1. Disable all events specified in the buffer.
+2. Enable all events specified in the buffer.
+
+This ensures the refcount hits zero before re-enabling, allowing syscall
+events to be properly activated during early boot.
+
+The code is also refactored to use a helper function to avoid logic
+duplication between the disable and enable phases.
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Link: https://patch.msgid.link/20260224023544.1250787-1-hehuiwen@kylinos.cn
+Fixes: ce1039bd3a89 ("tracing: Fix enabling of syscall events on the command line")
+Signed-off-by: Huiwen He <hehuiwen@kylinos.cn>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events.c | 52 +++++++++++++++++++++++++++++++-------------
+ 1 file changed, 37 insertions(+), 15 deletions(-)
+
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -4140,26 +4140,22 @@ static __init int event_trace_memsetup(v
+ return 0;
+ }
+
+-__init void
+-early_enable_events(struct trace_array *tr, char *buf, bool disable_first)
++/*
++ * Helper function to enable or disable a comma-separated list of events
++ * from the bootup buffer.
++ */
++static __init void __early_set_events(struct trace_array *tr, char *buf, bool enable)
+ {
+ char *token;
+- int ret;
+-
+- while (true) {
+- token = strsep(&buf, ",");
+-
+- if (!token)
+- break;
+
++ while ((token = strsep(&buf, ","))) {
+ if (*token) {
+- /* Restarting syscalls requires that we stop them first */
+- if (disable_first)
++ if (enable) {
++ if (ftrace_set_clr_event(tr, token, 1))
++ pr_warn("Failed to enable trace event: %s\n", token);
++ } else {
+ ftrace_set_clr_event(tr, token, 0);
+-
+- ret = ftrace_set_clr_event(tr, token, 1);
+- if (ret)
+- pr_warn("Failed to enable trace event: %s\n", token);
++ }
+ }
+
+ /* Put back the comma to allow this to be called again */
+@@ -4168,6 +4164,32 @@ early_enable_events(struct trace_array *
+ }
+ }
+
++/**
++ * early_enable_events - enable events from the bootup buffer
++ * @tr: The trace array to enable the events in
++ * @buf: The buffer containing the comma separated list of events
++ * @disable_first: If true, disable all events in @buf before enabling them
++ *
++ * This function enables events from the bootup buffer. If @disable_first
++ * is true, it will first disable all events in the buffer before enabling
++ * them.
++ *
++ * For syscall events, which rely on a global refcount to register the
++ * SYSCALL_WORK_SYSCALL_TRACEPOINT flag (especially for pid 1), we must
++ * ensure the refcount hits zero before re-enabling them. A simple
++ * "disable then enable" per-event is not enough if multiple syscalls are
++ * used, as the refcount will stay above zero. Thus, we need a two-phase
++ * approach: disable all, then enable all.
++ */
++__init void
++early_enable_events(struct trace_array *tr, char *buf, bool disable_first)
++{
++ if (disable_first)
++ __early_set_events(tr, buf, false);
++
++ __early_set_events(tr, buf, true);
++}
++
+ static __init int event_trace_enable(void)
+ {
+ struct trace_array *tr = top_trace_array();
projects / thirdparty / kernel / stable-queue.git / commitdiff
