--- /dev/null
+From 05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 9 Nov 2025 10:12:07 +0100
+Subject: ALSA: usb-audio: Fix potential overflow of PCM transfer buffer
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf upstream.
+
+The PCM stream data in USB-audio driver is transferred over USB URB
+packet buffers, and each packet size is determined dynamically. The
+packet sizes are limited by some factors such as wMaxPacketSize USB
+descriptor. OTOH, in the current code, the actually used packet sizes
+are determined only by the rate and the PPS, which may be bigger than
+the size limit above. This results in a buffer overflow, as reported
+by syzbot.
+
+Basically when the limit is smaller than the calculated packet size,
+it implies that something is wrong, most likely a weird USB
+descriptor. So the best option would be just to return an error at
+the parameter setup time before doing any further operations.
+
+This patch introduces such a sanity check, and returns -EINVAL when
+the packet size is greater than maxpacksize. The comparison with
+ep->packsize[1] alone should suffice since it's always equal or
+greater than ep->packsize[0].
+
+Reported-by: syzbot+bfd77469c8966de076f7@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=bfd77469c8966de076f7
+Link: https://lore.kernel.org/690b6b46.050a0220.3d0d33.0054.GAE@google.com
+Cc: Lizhi Xu <lizhi.xu@windriver.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20251109091211.12739-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/endpoint.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -1383,6 +1383,11 @@ int snd_usb_endpoint_set_params(struct s
+ ep->sample_rem = ep->cur_rate % ep->pps;
+ ep->packsize[0] = ep->cur_rate / ep->pps;
+ ep->packsize[1] = (ep->cur_rate + (ep->pps - 1)) / ep->pps;
++ if (ep->packsize[1] > ep->maxpacksize) {
++ usb_audio_dbg(chip, "Too small maxpacksize %u for rate %u / pps %u\n",
++ ep->maxpacksize, ep->cur_rate, ep->pps);
++ return -EINVAL;
++ }
+
+ /* calculate the frequency in 16.16 format */
+ ep->freqm = ep->freqn;
--- /dev/null
+From bfe3d755ef7cec71aac6ecda34a107624735aac7 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 29 Oct 2025 13:05:32 +0000
+Subject: btrfs: do not update last_log_commit when logging inode due to a new name
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit bfe3d755ef7cec71aac6ecda34a107624735aac7 upstream.
+
+When logging that a new name exists, we skip updating the inode's
+last_log_commit field to prevent a later explicit fsync against the inode
+from doing nothing (as updating last_log_commit makes btrfs_inode_in_log()
+return true). We are detecting, at btrfs_log_inode(), that logging a new
+name is happening by checking the logging mode is not LOG_INODE_EXISTS,
+but that is not enough because we may log parent directories when logging
+a new name of a file in LOG_INODE_ALL mode - we need to check that the
+logging_new_name field of the log context too.
+
+An example scenario where this results in an explicit fsync against a
+directory not persisting changes to the directory is the following:
+
+ $ mkfs.btrfs -f /dev/sdc
+ $ mount /dev/sdc /mnt
+
+ $ touch /mnt/foo
+
+ $ sync
+
+ $ mkdir /mnt/dir
+
+ # Write some data to our file and fsync it.
+ $ xfs_io -c "pwrite -S 0xab 0 64K" -c "fsync" /mnt/foo
+
+ # Add a new link to our file. Since the file was logged before, we
+ # update it in the log tree by calling btrfs_log_new_name().
+ $ ln /mnt/foo /mnt/dir/bar
+
+ # fsync the root directory - we expect it to persist the dentry for
+ # the new directory "dir".
+ $ xfs_io -c "fsync" /mnt
+
+ <power fail>
+
+After mounting the fs the entry for directory "dir" does not exists,
+despite the explicit fsync on the root directory.
+
+Here's why this happens:
+
+1) When we fsync the file we log the inode, so that it's present in the
+ log tree;
+
+2) When adding the new link we enter btrfs_log_new_name(), and since the
+ inode is in the log tree we proceed to updating the inode in the log
+ tree;
+
+3) We first set the inode's last_unlink_trans to the current transaction
+ (early in btrfs_log_new_name());
+
+4) We then eventually enter btrfs_log_inode_parent(), and after logging
+ the file's inode, we call btrfs_log_all_parents() because the inode's
+ last_unlink_trans matches the current transaction's ID (updated in the
+ previous step);
+
+5) So btrfs_log_all_parents() logs the root directory by calling
+ btrfs_log_inode() for the root's inode with a log mode of LOG_INODE_ALL
+ so that new dentries are logged;
+
+6) At btrfs_log_inode(), because the log mode is LOG_INODE_ALL, we
+ update root inode's last_log_commit to the last transaction that
+ changed the inode (->last_sub_trans field of the inode), which
+ corresponds to the current transaction's ID;
+
+7) Then later when user space explicitly calls fsync against the root
+ directory, we enter btrfs_sync_file(), which calls skip_inode_logging()
+ and that returns true, since its call to btrfs_inode_in_log() returns
+ true and there are no ordered extents (it's a directory, never has
+ ordered extents). This results in btrfs_sync_file() returning without
+ syncing the log or committing the current transaction, so all the
+ updates we did when logging the new name, including logging the root
+ directory, are not persisted.
+
+So fix this by but updating the inode's last_log_commit if we are sure
+we are not logging a new name (if ctx->logging_new_name is false).
+
+A test case for fstests will follow soon.
+
+Reported-by: Vyacheslav Kovalevsky <slava.kovalevskiy.2014@gmail.com>
+Link: https://lore.kernel.org/linux-btrfs/03c5d7ec-5b3d-49d1-95bc-8970a7f82d87@gmail.com/
+Fixes: 130341be7ffa ("btrfs: always update the logged transaction when logging new names")
+CC: stable@vger.kernel.org # 6.1+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -6765,7 +6765,7 @@ log_extents:
+ * a power failure unless the log was synced as part of an fsync
+ * against any other unrelated inode.
+ */
+- if (inode_only != LOG_INODE_EXISTS)
++ if (!ctx->logging_new_name && inode_only != LOG_INODE_EXISTS)
+ inode->last_log_commit = inode->last_sub_trans;
+ spin_unlock(&inode->lock);
+
--- /dev/null
+From 5fea61aa1ca70c4b3738eebad9ce2d7e7938ebbd Mon Sep 17 00:00:00 2001
+From: Zilin Guan <zilin@seu.edu.cn>
+Date: Wed, 5 Nov 2025 03:53:21 +0000
+Subject: btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+commit 5fea61aa1ca70c4b3738eebad9ce2d7e7938ebbd upstream.
+
+scrub_raid56_parity_stripe() allocates a bio with bio_alloc(), but
+fails to release it on some error paths, leading to a potential
+memory leak.
+
+Add the missing bio_put() calls to properly drop the bio reference
+in those error cases.
+
+Fixes: 1009254bf22a3 ("btrfs: scrub: use scrub_stripe to implement RAID56 P/Q scrub")
+CC: stable@vger.kernel.org # 6.6+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/scrub.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/scrub.c
++++ b/fs/btrfs/scrub.c
+@@ -2000,6 +2000,7 @@ static int scrub_raid56_parity_stripe(st
+ ret = btrfs_map_block(fs_info, BTRFS_MAP_WRITE, full_stripe_start,
+ &length, &bioc, NULL, NULL, 1);
+ if (ret < 0) {
++ bio_put(bio);
+ btrfs_put_bioc(bioc);
+ btrfs_bio_counter_dec(fs_info);
+ goto out;
+@@ -2009,6 +2010,7 @@ static int scrub_raid56_parity_stripe(st
+ btrfs_put_bioc(bioc);
+ if (!rbio) {
+ ret = -ENOMEM;
++ bio_put(bio);
+ btrfs_bio_counter_dec(fs_info);
+ goto out;
+ }
--- /dev/null
+From e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6 Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis <eadavis@qq.com>
+Date: Fri, 7 Nov 2025 22:01:39 +0800
+Subject: cifs: client: fix memory leak in smb3_fs_context_parse_param
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+commit e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6 upstream.
+
+The user calls fsconfig twice, but when the program exits, free() only
+frees ctx->source for the second fsconfig, not the first.
+Regarding fc->source, there is no code in the fs context related to its
+memory reclamation.
+
+To fix this memory leak, release the source memory corresponding to ctx
+or fc before each parsing.
+
+syzbot reported:
+BUG: memory leak
+unreferenced object 0xffff888128afa360 (size 96):
+ backtrace (crc 79c9c7ba):
+ kstrdup+0x3c/0x80 mm/util.c:84
+ smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444
+
+BUG: memory leak
+unreferenced object 0xffff888112c7d900 (size 96):
+ backtrace (crc 79c9c7ba):
+ smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629
+ smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438
+
+Reported-by: syzbot+72afd4c236e6bc3f4bac@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=72afd4c236e6bc3f4bac
+Cc: stable@vger.kernel.org
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/fs_context.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -1361,12 +1361,14 @@ static int smb3_fs_context_parse_param(s
+ cifs_errorf(fc, "Unknown error parsing devname\n");
+ goto cifs_parse_mount_err;
+ }
++ kfree(ctx->source);
+ ctx->source = smb3_fs_context_fullpath(ctx, '/');
+ if (IS_ERR(ctx->source)) {
+ ctx->source = NULL;
+ cifs_errorf(fc, "OOM when copying UNC string\n");
+ goto cifs_parse_mount_err;
+ }
++ kfree(fc->source);
+ fc->source = kstrdup(ctx->source, GFP_KERNEL);
+ if (fc->source == NULL) {
+ cifs_errorf(fc, "OOM when copying UNC string\n");
--- /dev/null
+From 59b0afd01b2ce353ab422ea9c8375b03db313a21 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Mon, 27 Oct 2025 23:09:34 +0800
+Subject: crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 59b0afd01b2ce353ab422ea9c8375b03db313a21 upstream.
+
+The qm_get_qos_value() function calls bus_find_device_by_name() which
+increases the device reference count, but fails to call put_device()
+to balance the reference count and lead to a device reference leak.
+
+Add put_device() calls in both the error path and success path to
+properly balance the reference count.
+
+Found via static analysis.
+
+Fixes: 22d7a6c39cab ("crypto: hisilicon/qm - add pci bdf number check")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Longfang Liu <liulongfang@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/hisilicon/qm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/crypto/hisilicon/qm.c
++++ b/drivers/crypto/hisilicon/qm.c
+@@ -3750,10 +3750,12 @@ static ssize_t qm_get_qos_value(struct h
+ pdev = container_of(dev, struct pci_dev, dev);
+ if (pci_physfn(pdev) != qm->pdev) {
+ pci_err(qm->pdev, "the pdev input does not match the pf!\n");
++ put_device(dev);
+ return -EINVAL;
+ }
+
+ *fun_index = pdev->devfn;
++ put_device(dev);
+
+ return 0;
+ }
--- /dev/null
+From fd3ecda38fe0cb713d167b5477d25f6b350f0514 Mon Sep 17 00:00:00 2001
+From: Niravkumar L Rabara <niravkumarlaxmidas.rabara@altera.com>
+Date: Tue, 11 Nov 2025 16:08:01 +0800
+Subject: EDAC/altera: Handle OCRAM ECC enable after warm reset
+
+From: Niravkumar L Rabara <niravkumarlaxmidas.rabara@altera.com>
+
+commit fd3ecda38fe0cb713d167b5477d25f6b350f0514 upstream.
+
+The OCRAM ECC is always enabled either by the BootROM or by the Secure Device
+Manager (SDM) during a power-on reset on SoCFPGA.
+
+However, during a warm reset, the OCRAM content is retained to preserve data,
+while the control and status registers are reset to their default values. As
+a result, ECC must be explicitly re-enabled after a warm reset.
+
+Fixes: 17e47dc6db4f ("EDAC/altera: Add Stratix10 OCRAM ECC support")
+Signed-off-by: Niravkumar L Rabara <niravkumarlaxmidas.rabara@altera.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Dinh Nguyen <dinguyen@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251111080801.1279401-1-niravkumarlaxmidas.rabara@altera.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/altera_edac.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/edac/altera_edac.c
++++ b/drivers/edac/altera_edac.c
+@@ -1194,10 +1194,22 @@ altr_check_ocram_deps_init(struct altr_e
+ if (ret)
+ return ret;
+
+- /* Verify OCRAM has been initialized */
++ /*
++ * Verify that OCRAM has been initialized.
++ * During a warm reset, OCRAM contents are retained, but the control
++ * and status registers are reset to their default values. Therefore,
++ * ECC must be explicitly re-enabled in the control register.
++ * Error condition: if INITCOMPLETEA is clear and ECC_EN is already set.
++ */
+ if (!ecc_test_bits(ALTR_A10_ECC_INITCOMPLETEA,
+- (base + ALTR_A10_ECC_INITSTAT_OFST)))
+- return -ENODEV;
++ (base + ALTR_A10_ECC_INITSTAT_OFST))) {
++ if (!ecc_test_bits(ALTR_A10_ECC_EN,
++ (base + ALTR_A10_ECC_CTRL_OFST)))
++ ecc_set_bits(ALTR_A10_ECC_EN,
++ (base + ALTR_A10_ECC_CTRL_OFST));
++ else
++ return -ENODEV;
++ }
+
+ /* Enable IRQ on Single Bit Error */
+ writel(ALTR_A10_ECC_SERRINTEN, (base + ALTR_A10_ECC_ERRINTENS_OFST));
--- /dev/null
+From 281326be67252ac5794d1383f67526606b1d6b13 Mon Sep 17 00:00:00 2001
+From: Niravkumar L Rabara <niravkumarlaxmidas.rabara@altera.com>
+Date: Tue, 11 Nov 2025 16:13:33 +0800
+Subject: EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection
+
+From: Niravkumar L Rabara <niravkumarlaxmidas.rabara@altera.com>
+
+commit 281326be67252ac5794d1383f67526606b1d6b13 upstream.
+
+The current single-bit error injection mechanism flips bits directly in ECC RAM
+by performing write and read operations. When the ECC RAM is actively used by
+the Ethernet or USB controller, this approach sometimes trigger a false
+double-bit error.
+
+Switch both Ethernet and USB EDAC devices to use the INTTEST register
+(altr_edac_a10_device_inject_fops) for single-bit error injection, similar to
+the existing double-bit error injection method.
+
+Fixes: 064acbd4f4ab ("EDAC, altera: Add Stratix10 peripheral support")
+Signed-off-by: Niravkumar L Rabara <niravkumarlaxmidas.rabara@altera.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Dinh Nguyen <dinguyen@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251111081333.1279635-1-niravkumarlaxmidas.rabara@altera.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/altera_edac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/edac/altera_edac.c
++++ b/drivers/edac/altera_edac.c
+@@ -1379,7 +1379,7 @@ static const struct edac_device_prv_data
+ .ue_set_mask = ALTR_A10_ECC_TDERRA,
+ .set_err_ofst = ALTR_A10_ECC_INTTEST_OFST,
+ .ecc_irq_handler = altr_edac_a10_ecc_irq,
+- .inject_fops = &altr_edac_a10_device_inject2_fops,
++ .inject_fops = &altr_edac_a10_device_inject_fops,
+ };
+
+ #endif /* CONFIG_EDAC_ALTERA_ETHERNET */
+@@ -1469,7 +1469,7 @@ static const struct edac_device_prv_data
+ .ue_set_mask = ALTR_A10_ECC_TDERRA,
+ .set_err_ofst = ALTR_A10_ECC_INTTEST_OFST,
+ .ecc_irq_handler = altr_edac_a10_ecc_irq,
+- .inject_fops = &altr_edac_a10_device_inject2_fops,
++ .inject_fops = &altr_edac_a10_device_inject_fops,
+ };
+
+ #endif /* CONFIG_EDAC_ALTERA_USB */
--- /dev/null
+From 895b4c0c79b092d732544011c3cecaf7322c36a1 Mon Sep 17 00:00:00 2001
+From: Wei Yang <albinwyang@tencent.com>
+Date: Sat, 25 Oct 2025 10:42:33 +0800
+Subject: fs/proc: fix uaf in proc_readdir_de()
+
+From: Wei Yang <albinwyang@tencent.com>
+
+commit 895b4c0c79b092d732544011c3cecaf7322c36a1 upstream.
+
+Pde is erased from subdir rbtree through rb_erase(), but not set the node
+to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE()
+set the erased node to EMPTY, then pde_subdir_next() will return NULL to
+avoid uaf access.
+
+We found an uaf issue while using stress-ng testing, need to run testcase
+getdent and tun in the same time. The steps of the issue is as follows:
+
+1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current
+ pde is tun3;
+
+2) in the [time windows] unregister netdevice tun3 and tun2, and erase
+ them from rbtree. erase tun3 first, and then erase tun2. the
+ pde(tun2) will be released to slab;
+
+3) continue to getdent process, then pde_subdir_next() will return
+ pde(tun2) which is released, it will case uaf access.
+
+CPU 0 | CPU 1
+-------------------------------------------------------------------------
+traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2
+sys_getdents64() |
+ iterate_dir() |
+ proc_readdir() |
+ proc_readdir_de() | snmp6_unregister_dev()
+ pde_get(de); | proc_remove()
+ read_unlock(&proc_subdir_lock); | remove_proc_subtree()
+ | write_lock(&proc_subdir_lock);
+ [time window] | rb_erase(&root->subdir_node, &parent->subdir);
+ | write_unlock(&proc_subdir_lock);
+ read_lock(&proc_subdir_lock); |
+ next = pde_subdir_next(de); |
+ pde_put(de); |
+ de = next; //UAF |
+
+rbtree of dev_snmp6
+ |
+ pde(tun3)
+ / \
+ NULL pde(tun2)
+
+Link: https://lkml.kernel.org/r/20251025024233.158363-1-albin_yang@163.com
+Signed-off-by: Wei Yang <albinwyang@tencent.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: wangzijie <wangzijie1@honor.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/generic.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@ -694,6 +694,12 @@ void pde_put(struct proc_dir_entry *pde)
+ }
+ }
+
++static void pde_erase(struct proc_dir_entry *pde, struct proc_dir_entry *parent)
++{
++ rb_erase(&pde->subdir_node, &parent->subdir);
++ RB_CLEAR_NODE(&pde->subdir_node);
++}
++
+ /*
+ * Remove a /proc entry and free it if it's not currently in use.
+ */
+@@ -716,7 +722,7 @@ void remove_proc_entry(const char *name,
+ WARN(1, "removing permanent /proc entry '%s'", de->name);
+ de = NULL;
+ } else {
+- rb_erase(&de->subdir_node, &parent->subdir);
++ pde_erase(de, parent);
+ if (S_ISDIR(de->mode))
+ parent->nlink--;
+ }
+@@ -760,7 +766,7 @@ int remove_proc_subtree(const char *name
+ root->parent->name, root->name);
+ return -EINVAL;
+ }
+- rb_erase(&root->subdir_node, &parent->subdir);
++ pde_erase(root, parent);
+
+ de = root;
+ while (1) {
+@@ -772,7 +778,7 @@ int remove_proc_subtree(const char *name
+ next->parent->name, next->name);
+ return -EINVAL;
+ }
+- rb_erase(&next->subdir_node, &de->subdir);
++ pde_erase(next, de);
+ de = next;
+ continue;
+ }
--- /dev/null
+From ac1499fcd40fe06479e9b933347b837ccabc2a40 Mon Sep 17 00:00:00 2001
+From: Chuang Wang <nashuiliang@gmail.com>
+Date: Tue, 11 Nov 2025 14:43:24 +0800
+Subject: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
+
+From: Chuang Wang <nashuiliang@gmail.com>
+
+commit ac1499fcd40fe06479e9b933347b837ccabc2a40 upstream.
+
+The sit driver's packet transmission path calls: sit_tunnel_xmit() ->
+update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called
+to delete entries exceeding FNHE_RECLAIM_DEPTH+random.
+
+The race window is between fnhe_remove_oldest() selecting fnheX for
+deletion and the subsequent kfree_rcu(). During this time, the
+concurrent path's __mkroute_output() -> find_exception() can fetch the
+soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a
+new dst using a dst_hold(). When the original fnheX is freed via RCU,
+the dst reference remains permanently leaked.
+
+CPU 0 CPU 1
+__mkroute_output()
+ find_exception() [fnheX]
+ update_or_create_fnhe()
+ fnhe_remove_oldest() [fnheX]
+ rt_bind_exception() [bind dst]
+ RCU callback [fnheX freed, dst leak]
+
+This issue manifests as a device reference count leak and a warning in
+dmesg when unregistering the net device:
+
+ unregister_netdevice: waiting for sitX to become free. Usage count = N
+
+Ido Schimmel provided the simple test validation method [1].
+
+The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes().
+Since rt_bind_exception() checks this field, setting it to zero prevents
+the stale fnhe from being reused and bound to a new dst just before it
+is freed.
+
+[1]
+ip netns add ns1
+ip -n ns1 link set dev lo up
+ip -n ns1 address add 192.0.2.1/32 dev lo
+ip -n ns1 link add name dummy1 up type dummy
+ip -n ns1 route add 192.0.2.2/32 dev dummy1
+ip -n ns1 link add name gretap1 up arp off type gretap \
+ local 192.0.2.1 remote 192.0.2.2
+ip -n ns1 route add 198.51.0.0/16 dev gretap1
+taskset -c 0 ip netns exec ns1 mausezahn gretap1 \
+ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
+taskset -c 2 ip netns exec ns1 mausezahn gretap1 \
+ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
+sleep 10
+ip netns pids ns1 | xargs kill
+ip netns del ns1
+
+Cc: stable@vger.kernel.org
+Fixes: 67d6d681e15b ("ipv4: make exception cache less predictible")
+Signed-off-by: Chuang Wang <nashuiliang@gmail.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20251111064328.24440-1-nashuiliang@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -617,6 +617,11 @@ static void fnhe_remove_oldest(struct fn
+ oldest_p = fnhe_p;
+ }
+ }
++
++ /* Clear oldest->fnhe_daddr to prevent this fnhe from being
++ * rebound with new dsts in rt_bind_exception().
++ */
++ oldest->fnhe_daddr = 0;
+ fnhe_flush_routes(oldest);
+ *oldest_p = oldest->fnhe_next;
+ kfree_rcu(oldest, rcu);
--- /dev/null
+From 4e67526840fc55917581b90f6a4b65849a616dd8 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Sun, 9 Nov 2025 16:02:00 +0800
+Subject: LoongArch: Use physical addresses for CSR_MERRENTRY/CSR_TLBRENTRY
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit 4e67526840fc55917581b90f6a4b65849a616dd8 upstream.
+
+Now we use virtual addresses to fill CSR_MERRENTRY/CSR_TLBRENTRY, but
+hardware hope physical addresses. Now it works well because the high
+bits are ignored above PA_BITS (48 bits), but explicitly use physical
+addresses can avoid potential bugs. So fix it.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kernel/traps.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/loongarch/kernel/traps.c
++++ b/arch/loongarch/kernel/traps.c
+@@ -1097,8 +1097,8 @@ static void configure_exception_vector(v
+ tlbrentry = (unsigned long)exception_handlers + 80*VECSIZE;
+
+ csr_write64(eentry, LOONGARCH_CSR_EENTRY);
+- csr_write64(eentry, LOONGARCH_CSR_MERRENTRY);
+- csr_write64(tlbrentry, LOONGARCH_CSR_TLBRENTRY);
++ csr_write64(__pa(eentry), LOONGARCH_CSR_MERRENTRY);
++ csr_write64(__pa(tlbrentry), LOONGARCH_CSR_TLBRENTRY);
+ }
+
+ void per_cpu_trap_init(int cpu)
--- /dev/null
+From 0d6c356dd6547adac2b06b461528e3573f52d953 Mon Sep 17 00:00:00 2001
+From: "Isaac J. Manjarres" <isaacmanjarres@google.com>
+Date: Tue, 28 Oct 2025 12:10:12 -0700
+Subject: mm/mm_init: fix hash table order logging in alloc_large_system_hash()
+
+From: Isaac J. Manjarres <isaacmanjarres@google.com>
+
+commit 0d6c356dd6547adac2b06b461528e3573f52d953 upstream.
+
+When emitting the order of the allocation for a hash table,
+alloc_large_system_hash() unconditionally subtracts PAGE_SHIFT from log
+base 2 of the allocation size. This is not correct if the allocation size
+is smaller than a page, and yields a negative value for the order as seen
+below:
+
+TCP established hash table entries: 32 (order: -4, 256 bytes, linear) TCP
+bind hash table entries: 32 (order: -2, 1024 bytes, linear)
+
+Use get_order() to compute the order when emitting the hash table
+information to correctly handle cases where the allocation size is smaller
+than a page:
+
+TCP established hash table entries: 32 (order: 0, 256 bytes, linear) TCP
+bind hash table entries: 32 (order: 0, 1024 bytes, linear)
+
+Link: https://lkml.kernel.org/r/20251028191020.413002-1-isaacmanjarres@google.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
+Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mm_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/mm_init.c
++++ b/mm/mm_init.c
+@@ -2546,7 +2546,7 @@ void *__init alloc_large_system_hash(con
+ panic("Failed to allocate %s hash table\n", tablename);
+
+ pr_info("%s hash table entries: %ld (order: %d, %lu bytes, %s)\n",
+- tablename, 1UL << log2qty, ilog2(size) - PAGE_SHIFT, size,
++ tablename, 1UL << log2qty, get_order(size), size,
+ virt ? (huge ? "vmalloc hugepage" : "vmalloc") : "linear");
+
+ if (_hash_shift)
--- /dev/null
+From a28352cf2d2f8380e7aca8cb61682396dca7a991 Mon Sep 17 00:00:00 2001
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Mon, 20 Oct 2025 09:49:41 +0800
+Subject: mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+commit a28352cf2d2f8380e7aca8cb61682396dca7a991 upstream.
+
+strbin signal delay under 0x8 configuration is not stable after massive
+test. The recommandation of it should be 0x4.
+
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Tested-by: Alexey Charkov <alchark@gmail.com>
+Tested-by: Hugh Cole-Baker <sigmaris@gmail.com>
+Fixes: 08f3dff799d4 ("mmc: sdhci-of-dwcmshc: add rockchip platform support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-of-dwcmshc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-of-dwcmshc.c
++++ b/drivers/mmc/host/sdhci-of-dwcmshc.c
+@@ -54,7 +54,7 @@
+ #define DLL_TXCLK_TAPNUM_DEFAULT 0x10
+ #define DLL_TXCLK_TAPNUM_90_DEGREES 0xA
+ #define DLL_TXCLK_TAPNUM_FROM_SW BIT(24)
+-#define DLL_STRBIN_TAPNUM_DEFAULT 0x8
++#define DLL_STRBIN_TAPNUM_DEFAULT 0x4
+ #define DLL_STRBIN_TAPNUM_FROM_SW BIT(24)
+ #define DLL_STRBIN_DELAY_NUM_SEL BIT(26)
+ #define DLL_STRBIN_DELAY_NUM_OFFSET 16
--- /dev/null
+From 90c82941adf1986364e0f82c35cf59f2bf5f6a1d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <andre.draszik@linaro.org>
+Date: Thu, 16 Oct 2025 16:58:37 +0100
+Subject: pmdomain: samsung: plug potential memleak during probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: André Draszik <andre.draszik@linaro.org>
+
+commit 90c82941adf1986364e0f82c35cf59f2bf5f6a1d upstream.
+
+of_genpd_add_provider_simple() could fail, in which case this code
+leaks the domain name, pd->pd.name.
+
+Use devm_kstrdup_const() to plug this leak. As a side-effect, we can
+simplify existing error handling.
+
+Fixes: c09a3e6c97f0 ("soc: samsung: pm_domains: Convert to regular platform driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Peter Griffin <peter.griffin@linaro.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: André Draszik <andre.draszik@linaro.org>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pmdomain/samsung/exynos-pm-domains.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/pmdomain/samsung/exynos-pm-domains.c
++++ b/drivers/pmdomain/samsung/exynos-pm-domains.c
+@@ -92,13 +92,14 @@ static const struct of_device_id exynos_
+ { },
+ };
+
+-static const char *exynos_get_domain_name(struct device_node *node)
++static const char *exynos_get_domain_name(struct device *dev,
++ struct device_node *node)
+ {
+ const char *name;
+
+ if (of_property_read_string(node, "label", &name) < 0)
+ name = kbasename(node->full_name);
+- return kstrdup_const(name, GFP_KERNEL);
++ return devm_kstrdup_const(dev, name, GFP_KERNEL);
+ }
+
+ static int exynos_pd_probe(struct platform_device *pdev)
+@@ -115,15 +116,13 @@ static int exynos_pd_probe(struct platfo
+ if (!pd)
+ return -ENOMEM;
+
+- pd->pd.name = exynos_get_domain_name(np);
++ pd->pd.name = exynos_get_domain_name(dev, np);
+ if (!pd->pd.name)
+ return -ENOMEM;
+
+ pd->base = of_iomap(np, 0);
+- if (!pd->base) {
+- kfree_const(pd->pd.name);
++ if (!pd->base)
+ return -ENODEV;
+- }
+
+ pd->pd.power_off = exynos_pd_power_off;
+ pd->pd.power_on = exynos_pd_power_on;
--- /dev/null
+From 63c643aa7b7287fdbb0167063785f89ece3f000f Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 10 Nov 2025 19:23:40 +0100
+Subject: selftests: mptcp: connect: fix fallback note due to OoO
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 63c643aa7b7287fdbb0167063785f89ece3f000f upstream.
+
+The "fallback due to TCP OoO" was never printed because the stat_ooo_now
+variable was checked twice: once in the parent if-statement, and one in
+the child one. The second condition was then always true then, and the
+'else' branch was never taken.
+
+The idea is that when there are more ACK + MP_CAPABLE than expected, the
+test either fails if there was no out of order packets, or a notice is
+printed.
+
+Fixes: 69ca3d29a755 ("mptcp: update selftest for fallback due to OoO")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-1-a4332c714e10@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh
+@@ -516,7 +516,7 @@ do_transfer()
+ "${stat_synrx_now_l}" "${expect_synrx}" 1>&2
+ retc=1
+ fi
+- if [ ${stat_ackrx_now_l} -lt ${expect_ackrx} ] && [ ${stat_ooo_now} -eq 0 ]; then
++ if [ ${stat_ackrx_now_l} -lt ${expect_ackrx} ]; then
+ if [ ${stat_ooo_now} -eq 0 ]; then
+ printf "[ FAIL ] lower MPC ACK rx (%d) than expected (%d)\n" \
+ "${stat_ackrx_now_l}" "${expect_ackrx}" 1>&2
--- /dev/null
+From ee79980f7a428ec299f6261bea4c1084dcbc9631 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 10 Nov 2025 19:23:44 +0100
+Subject: selftests: mptcp: connect: trunc: read all recv data
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit ee79980f7a428ec299f6261bea4c1084dcbc9631 upstream.
+
+MPTCP Join "fastclose server" selftest is sometimes failing because the
+client output file doesn't have the expected size, e.g. 296B instead of
+1024B.
+
+When looking at a packet trace when this happens, the server sent the
+expected 1024B in two parts -- 100B, then 924B -- then the MP_FASTCLOSE.
+It is then strange to see the client only receiving 296B, which would
+mean it only got a part of the second packet. The problem is then not on
+the networking side, but rather on the data reception side.
+
+When mptcp_connect is launched with '-f -1', it means the connection
+might stop before having sent everything, because a reset has been
+received. When this happens, the program was directly stopped. But it is
+also possible there are still some data to read, simply because the
+previous 'read' step was done with a buffer smaller than the pending
+data, see do_rnd_read(). In this case, it is important to read what's
+left in the kernel buffers before stopping without error like before.
+
+SIGPIPE is now ignored, not to quit the app before having read
+everything.
+
+Fixes: 6bf41020b72b ("selftests: mptcp: update and extend fastclose test-cases")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-5-a4332c714e10@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
+@@ -696,8 +696,14 @@ static int copyfd_io_poll(int infd, int
+
+ bw = do_rnd_write(peerfd, winfo->buf + winfo->off, winfo->len);
+ if (bw < 0) {
+- if (cfg_rcv_trunc)
+- return 0;
++ /* expected reset, continue to read */
++ if (cfg_rcv_trunc &&
++ (errno == ECONNRESET ||
++ errno == EPIPE)) {
++ fds.events &= ~POLLOUT;
++ continue;
++ }
++
+ perror("write");
+ return 111;
+ }
+@@ -723,8 +729,10 @@ static int copyfd_io_poll(int infd, int
+ }
+
+ if (fds.revents & (POLLERR | POLLNVAL)) {
+- if (cfg_rcv_trunc)
+- return 0;
++ if (cfg_rcv_trunc) {
++ fds.events &= ~(POLLERR | POLLNVAL);
++ continue;
++ }
+ fprintf(stderr, "Unexpected revents: "
+ "POLLERR/POLLNVAL(%x)\n", fds.revents);
+ return 5;
+@@ -1419,7 +1427,7 @@ static void parse_opts(int argc, char **
+ */
+ if (cfg_truncate < 0) {
+ cfg_rcv_trunc = true;
+- signal(SIGPIPE, handle_signal);
++ signal(SIGPIPE, SIG_IGN);
+ }
+ break;
+ case 'j':
--- /dev/null
+From aea73bae662a0e184393d6d7d0feb18d2577b9b9 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 10 Nov 2025 19:23:41 +0100
+Subject: selftests: mptcp: join: rm: set backup flag
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit aea73bae662a0e184393d6d7d0feb18d2577b9b9 upstream.
+
+Some of these 'remove' tests rarely fail because a subflow has been
+reset instead of cleanly removed. This can happen when one extra subflow
+which has never carried data is being closed (FIN) on one side, while
+the other is sending data for the first time.
+
+To avoid such subflows to be used right at the end, the backup flag has
+been added. With that, data will be only carried on the initial subflow.
+
+Fixes: d2c4333a801c ("selftests: mptcp: add testcases for removing addrs")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-2-a4332c714e10@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 54 ++++++++++++------------
+ 1 file changed, 27 insertions(+), 27 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -2361,7 +2361,7 @@ remove_tests()
+ if reset "remove single subflow"; then
+ pm_nl_set_limits $ns1 0 1
+ pm_nl_set_limits $ns2 0 1
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
+ addr_nr_ns2=-1 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr 1 1 1
+@@ -2374,8 +2374,8 @@ remove_tests()
+ if reset "remove multiple subflows"; then
+ pm_nl_set_limits $ns1 0 2
+ pm_nl_set_limits $ns2 0 2
+- pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow,backup
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
+ addr_nr_ns2=-2 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr 2 2 2
+@@ -2386,7 +2386,7 @@ remove_tests()
+ # single address, remove
+ if reset "remove single address"; then
+ pm_nl_set_limits $ns1 0 1
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup
+ pm_nl_set_limits $ns2 1 1
+ addr_nr_ns1=-1 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
+@@ -2399,9 +2399,9 @@ remove_tests()
+ # subflow and signal, remove
+ if reset "remove subflow and signal"; then
+ pm_nl_set_limits $ns1 0 2
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup
+ pm_nl_set_limits $ns2 1 2
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
+ addr_nr_ns1=-1 addr_nr_ns2=-1 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr 2 2 2
+@@ -2413,10 +2413,10 @@ remove_tests()
+ # subflows and signal, remove
+ if reset "remove subflows and signal"; then
+ pm_nl_set_limits $ns1 0 3
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup
+ pm_nl_set_limits $ns2 1 3
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
+- pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
++ pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow,backup
+ addr_nr_ns1=-1 addr_nr_ns2=-2 speed=10 \
+ run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr 3 3 3
+@@ -2428,9 +2428,9 @@ remove_tests()
+ # addresses remove
+ if reset "remove addresses"; then
+ pm_nl_set_limits $ns1 3 3
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal id 250
+- pm_nl_add_endpoint $ns1 10.0.3.1 flags signal
+- pm_nl_add_endpoint $ns1 10.0.4.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup id 250
++ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup
++ pm_nl_add_endpoint $ns1 10.0.4.1 flags signal,backup
+ pm_nl_set_limits $ns2 3 3
+ addr_nr_ns1=-3 speed=10 \
+ run_tests $ns1 $ns2 10.0.1.1
+@@ -2443,10 +2443,10 @@ remove_tests()
+ # invalid addresses remove
+ if reset "remove invalid addresses"; then
+ pm_nl_set_limits $ns1 3 3
+- pm_nl_add_endpoint $ns1 10.0.12.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.12.1 flags signal,backup
+ # broadcast IP: no packet for this address will be received on ns1
+- pm_nl_add_endpoint $ns1 224.0.0.1 flags signal
+- pm_nl_add_endpoint $ns1 10.0.3.1 flags signal
++ pm_nl_add_endpoint $ns1 224.0.0.1 flags signal,backup
++ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup
+ pm_nl_set_limits $ns2 2 2
+ addr_nr_ns1=-3 speed=10 \
+ run_tests $ns1 $ns2 10.0.1.1
+@@ -2459,10 +2459,10 @@ remove_tests()
+ # subflows and signal, flush
+ if reset "flush subflows and signal"; then
+ pm_nl_set_limits $ns1 0 3
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup
+ pm_nl_set_limits $ns2 1 3
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
+- pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
++ pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow,backup
+ addr_nr_ns1=-8 addr_nr_ns2=-8 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr 3 3 3
+@@ -2475,9 +2475,9 @@ remove_tests()
+ if reset "flush subflows"; then
+ pm_nl_set_limits $ns1 3 3
+ pm_nl_set_limits $ns2 3 3
+- pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow id 150
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
+- pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow,backup id 150
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
++ pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow,backup
+ addr_nr_ns1=-8 addr_nr_ns2=-8 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr 3 3 3
+@@ -2494,9 +2494,9 @@ remove_tests()
+ # addresses flush
+ if reset "flush addresses"; then
+ pm_nl_set_limits $ns1 3 3
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal id 250
+- pm_nl_add_endpoint $ns1 10.0.3.1 flags signal
+- pm_nl_add_endpoint $ns1 10.0.4.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup id 250
++ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup
++ pm_nl_add_endpoint $ns1 10.0.4.1 flags signal,backup
+ pm_nl_set_limits $ns2 3 3
+ addr_nr_ns1=-8 addr_nr_ns2=-8 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
+@@ -2509,9 +2509,9 @@ remove_tests()
+ # invalid addresses flush
+ if reset "flush invalid addresses"; then
+ pm_nl_set_limits $ns1 3 3
+- pm_nl_add_endpoint $ns1 10.0.12.1 flags signal
+- pm_nl_add_endpoint $ns1 10.0.3.1 flags signal
+- pm_nl_add_endpoint $ns1 10.0.14.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.12.1 flags signal,backup
++ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup
++ pm_nl_add_endpoint $ns1 10.0.14.1 flags signal,backup
+ pm_nl_set_limits $ns2 3 3
+ addr_nr_ns1=-8 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
--- /dev/null
+From dd4adb986a86727ed8f56c48b6d0695f1e211e65 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Tue, 28 Oct 2025 12:27:24 -0400
+Subject: selftests/tracing: Run sample events to clear page cache events
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit dd4adb986a86727ed8f56c48b6d0695f1e211e65 upstream.
+
+The tracing selftest "event-filter-function.tc" was failing because it
+first runs the "sample_events" function that triggers the kmem_cache_free
+event and it looks at what function was used during a call to "ls".
+
+But the first time it calls this, it could trigger events that are used to
+pull pages into the page cache.
+
+The rest of the test uses the function it finds during that call to see if
+it will be called in subsequent "sample_events" calls. But if there's no
+need to pull pages into the page cache, it will not trigger that function
+and the test will fail.
+
+Call the "sample_events" twice to trigger all the page cache work before
+it calls it to find a function to use in subsequent checks.
+
+Cc: stable@vger.kernel.org
+Fixes: eb50d0f250e96 ("selftests/ftrace: Choose target function for filter test from samples")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc
++++ b/tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc
+@@ -20,6 +20,10 @@ sample_events() {
+ echo 0 > tracing_on
+ echo 0 > events/enable
+
++# Clear functions caused by page cache; run sample_events twice
++sample_events
++sample_events
++
+ echo "Get the most frequently calling function"
+ echo > trace
+ sample_events
--- /dev/null
+From 216158f063fe24fb003bd7da0cd92cd6e2c4d48b Mon Sep 17 00:00:00 2001
+From: Ankit Khushwaha <ankitkhushwaha.linux@gmail.com>
+Date: Thu, 6 Nov 2025 15:25:32 +0530
+Subject: selftests/user_events: fix type cast for write_index packed member in perf_test
+
+From: Ankit Khushwaha <ankitkhushwaha.linux@gmail.com>
+
+commit 216158f063fe24fb003bd7da0cd92cd6e2c4d48b upstream.
+
+Accessing 'reg.write_index' directly triggers a -Waddress-of-packed-member
+warning due to potential unaligned pointer access:
+
+perf_test.c:239:38: warning: taking address of packed member 'write_index'
+of class or structure 'user_reg' may result in an unaligned pointer value
+[-Waddress-of-packed-member]
+ 239 | ASSERT_NE(-1, write(self->data_fd, ®.write_index,
+ | ^~~~~~~~~~~~~~~
+
+Since write(2) works with any alignment. Casting '®.write_index'
+explicitly to 'void *' to suppress this warning.
+
+Link: https://lkml.kernel.org/r/20251106095532.15185-1-ankitkhushwaha.linux@gmail.com
+Fixes: 42187bdc3ca4 ("selftests/user_events: Add perf self-test for empty arguments events")
+Signed-off-by: Ankit Khushwaha <ankitkhushwaha.linux@gmail.com>
+Cc: Beau Belgrave <beaub@linux.microsoft.com>
+Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: sunliming <sunliming@kylinos.cn>
+Cc: Wei Yang <richard.weiyang@gmail.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/user_events/perf_test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/user_events/perf_test.c b/tools/testing/selftests/user_events/perf_test.c
+index 5288e768b207..68625362add2 100644
+--- a/tools/testing/selftests/user_events/perf_test.c
++++ b/tools/testing/selftests/user_events/perf_test.c
+@@ -236,7 +236,7 @@ TEST_F(user, perf_empty_events) {
+ ASSERT_EQ(1 << reg.enable_bit, self->check);
+
+ /* Ensure write shows up at correct offset */
+- ASSERT_NE(-1, write(self->data_fd, ®.write_index,
++ ASSERT_NE(-1, write(self->data_fd, (void *)®.write_index,
+ sizeof(reg.write_index)));
+ val = (void *)(((char *)perf_page) + perf_page->data_offset);
+ ASSERT_EQ(PERF_RECORD_SAMPLE, *val);
+--
+2.52.0
+
dma-mapping-benchmark-restore-padding-to-ensure-uabi-remained-consistent.patch
loongarch-use-correct-accessor-to-read-fwpc-mwpc.patch
loongarch-let-pte-pmd-_modify-record-the-status-of-_page_dirty.patch
+ipv4-route-prevent-rt_bind_exception-from-rebinding-stale-fnhe.patch
+selftests-tracing-run-sample-events-to-clear-page-cache-events.patch
+wifi-mac80211-reject-address-change-while-connecting.patch
+fs-proc-fix-uaf-in-proc_readdir_de.patch
+mm-mm_init-fix-hash-table-order-logging-in-alloc_large_system_hash.patch
+mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch
+alsa-usb-audio-fix-potential-overflow-of-pcm-transfer-buffer.patch
+cifs-client-fix-memory-leak-in-smb3_fs_context_parse_param.patch
+crypto-hisilicon-qm-fix-device-reference-leak-in-qm_get_qos_value.patch
+smb-client-fix-cifs_pick_channel-when-channel-needs-reconnect.patch
+spi-try-to-get-acpi-gpio-irq-earlier.patch
+x86-microcode-amd-add-zen5-model-0x44-stepping-0x1-minrev.patch
+selftests-user_events-fix-type-cast-for-write_index-packed-member-in-perf_test.patch
+loongarch-use-physical-addresses-for-csr_merrentry-csr_tlbrentry.patch
+edac-altera-handle-ocram-ecc-enable-after-warm-reset.patch
+edac-altera-use-inttest-register-for-ethernet-and-usb-sbe-injection.patch
+btrfs-scrub-put-bio-after-errors-in-scrub_raid56_parity_stripe.patch
+btrfs-do-not-update-last_log_commit-when-logging-inode-due-to-a-new-name.patch
+pmdomain-samsung-plug-potential-memleak-during-probe.patch
+selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch
+selftests-mptcp-join-rm-set-backup-flag.patch
+selftests-mptcp-connect-trunc-read-all-recv-data.patch
--- /dev/null
+From 79280191c2fd7f24899bbd640003b5389d3c109c Mon Sep 17 00:00:00 2001
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+Date: Fri, 7 Nov 2025 18:59:53 -0300
+Subject: smb: client: fix cifs_pick_channel when channel needs reconnect
+
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+
+commit 79280191c2fd7f24899bbd640003b5389d3c109c upstream.
+
+cifs_pick_channel iterates candidate channels using cur. The
+reconnect-state test mistakenly used a different variable.
+
+This checked the wrong slot and would cause us to skip a healthy channel
+and to dispatch on one that needs reconnect, occasionally failing
+operations when a channel was down.
+
+Fix by replacing for the correct variable.
+
+Fixes: fc43a8ac396d ("cifs: cifs_pick_channel should try selecting active channels")
+Cc: stable@vger.kernel.org
+Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/client/transport.c
++++ b/fs/smb/client/transport.c
+@@ -1046,7 +1046,7 @@ struct TCP_Server_Info *cifs_pick_channe
+ if (!server || server->terminate)
+ continue;
+
+- if (CIFS_CHAN_NEEDS_RECONNECT(ses, i))
++ if (CIFS_CHAN_NEEDS_RECONNECT(ses, cur))
+ continue;
+
+ /*
--- /dev/null
+From 3cd2018e15b3d66d2187d92867e265f45ad79e6f Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hansg@kernel.org>
+Date: Sun, 2 Nov 2025 20:09:21 +0100
+Subject: spi: Try to get ACPI GPIO IRQ earlier
+
+From: Hans de Goede <hansg@kernel.org>
+
+commit 3cd2018e15b3d66d2187d92867e265f45ad79e6f upstream.
+
+Since commit d24cfee7f63d ("spi: Fix acpi deferred irq probe"), the
+acpi_dev_gpio_irq_get() call gets delayed till spi_probe() is called
+on the SPI device.
+
+If there is no driver for the SPI device then the move to spi_probe()
+results in acpi_dev_gpio_irq_get() never getting called. This may
+cause problems by leaving the GPIO pin floating because this call is
+responsible for setting up the GPIO pin direction and/or bias according
+to the values from the ACPI tables.
+
+Re-add the removed acpi_dev_gpio_irq_get() in acpi_register_spi_device()
+to ensure the GPIO pin is always correctly setup, while keeping the
+acpi_dev_gpio_irq_get() call added to spi_probe() to deal with
+-EPROBE_DEFER returns caused by the GPIO controller not having a driver
+yet.
+
+Link: https://bbs.archlinux.org/viewtopic.php?id=302348
+Fixes: d24cfee7f63d ("spi: Fix acpi deferred irq probe")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hansg@kernel.org>
+Link: https://patch.msgid.link/20251102190921.30068-1-hansg@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -2716,6 +2716,16 @@ static acpi_status acpi_register_spi_dev
+ acpi_set_modalias(adev, acpi_device_hid(adev), spi->modalias,
+ sizeof(spi->modalias));
+
++ /*
++ * This gets re-tried in spi_probe() for -EPROBE_DEFER handling in case
++ * the GPIO controller does not have a driver yet. This needs to be done
++ * here too, because this call sets the GPIO direction and/or bias.
++ * Setting these needs to be done even if there is no driver, in which
++ * case spi_probe() will never get called.
++ */
++ if (spi->irq < 0)
++ spi->irq = acpi_dev_gpio_irq_get(adev, 0);
++
+ acpi_device_set_enumerated(adev);
+
+ adev->power.flags.ignore_parent = true;
--- /dev/null
+From a9da90e618cd0669a22bcc06a96209db5dd96e9b Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 5 Nov 2025 15:41:19 +0100
+Subject: wifi: mac80211: reject address change while connecting
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit a9da90e618cd0669a22bcc06a96209db5dd96e9b upstream.
+
+While connecting, the MAC address can already no longer be
+changed. The change is already rejected if netif_carrier_ok(),
+but of course that's not true yet while connecting. Check for
+auth_data or assoc_data, so the MAC address cannot be changed.
+
+Also more comprehensively check that there are no stations on
+the interface being changed - if any peer station is added it
+will know about our address already, so we cannot change it.
+
+Cc: stable@vger.kernel.org
+Fixes: 3c06e91b40db ("wifi: mac80211: Support POWERED_ADDR_CHANGE feature")
+Link: https://patch.msgid.link/20251105154119.f9f6c1df81bb.I9bb3760ede650fb96588be0d09a5a7bdec21b217@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/iface.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -216,6 +216,10 @@ static int ieee80211_can_powered_addr_ch
+
+ mutex_lock(&local->mtx);
+
++ /* if any stations are set known (so they know this vif too), reject */
++ if (sta_info_get_by_idx(sdata, 0))
++ return -EBUSY;
++
+ /* First check no ROC work is happening on this iface */
+ list_for_each_entry(roc, &local->roc_list, list) {
+ if (roc->sdata != sdata)
+@@ -235,12 +239,16 @@ static int ieee80211_can_powered_addr_ch
+ ret = -EBUSY;
+ }
+
++ /*
++ * More interface types could be added here but changing the
++ * address while powered makes the most sense in client modes.
++ */
+ switch (sdata->vif.type) {
+ case NL80211_IFTYPE_STATION:
+ case NL80211_IFTYPE_P2P_CLIENT:
+- /* More interface types could be added here but changing the
+- * address while powered makes the most sense in client modes.
+- */
++ /* refuse while connecting */
++ if (sdata->u.mgd.auth_data || sdata->u.mgd.assoc_data)
++ return -EBUSY;
+ break;
+ default:
+ ret = -EOPNOTSUPP;
--- /dev/null
+From dd14022a7ce96963aa923e35cf4bcc8c32f95840 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Fri, 14 Nov 2025 14:01:14 +0100
+Subject: x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev
+
+From: Borislav Petkov (AMD) <bp@alien8.de>
+
+commit dd14022a7ce96963aa923e35cf4bcc8c32f95840 upstream.
+
+Add the minimum Entrysign revision for that model+stepping to the list
+of minimum revisions.
+
+Fixes: 50cef76d5cb0 ("x86/microcode/AMD: Load only SHA256-checksummed patches")
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: <stable@kernel.org>
+Link: https://lore.kernel.org/r/e94dd76b-4911-482f-8500-5c848a3df026@citrix.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/microcode/amd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/cpu/microcode/amd.c
++++ b/arch/x86/kernel/cpu/microcode/amd.c
+@@ -214,6 +214,7 @@ static bool need_sha_check(u32 cur_rev)
+ case 0xb1010: return cur_rev <= 0xb101046; break;
+ case 0xb2040: return cur_rev <= 0xb204031; break;
+ case 0xb4040: return cur_rev <= 0xb404031; break;
++ case 0xb4041: return cur_rev <= 0xb404101; break;
+ case 0xb6000: return cur_rev <= 0xb600031; break;
+ case 0xb6080: return cur_rev <= 0xb608031; break;
+ case 0xb7000: return cur_rev <= 0xb700031; break;
projects / thirdparty / kernel / stable-queue.git / commitdiff
