--- /dev/null
+From 23aec71e2f8de34b33c518d8f213f4b7afad5d96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2026 14:25:59 +0000
+Subject: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on
+ linked streams
+
+From: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
+
+[ Upstream commit 88fe2e3658726cb21ff2dcf9770bf672f9b9d31b ]
+
+snd_pcm_drain() uses init_waitqueue_entry which does not clear
+entry.prev/next, and add_wait_queue with a conditional
+remove_wait_queue that is skipped when to_check is no longer
+in the group after concurrent UNLINK. The orphaned wait entry
+remains on the unlinked substream sleep queue. On the next
+drain iteration, add_wait_queue adds the entry to a new queue
+while still linked on the old one, corrupting both lists. A
+subsequent wake_up dereferences NULL at the func pointer
+(mapped from the spinlock at offset 0 of the misinterpreted
+wait_queue_head_t), causing a kernel panic.
+
+Replace init_waitqueue_entry/add_wait_queue/conditional
+remove_wait_queue with init_wait_entry/prepare_to_wait/
+finish_wait. init_wait_entry clears prev/next via
+INIT_LIST_HEAD on each iteration and sets
+autoremove_wake_function which auto-removes the entry on
+wake-up. finish_wait safely handles both the already-removed
+and still-queued cases.
+
+Fixes: 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain")
+Signed-off-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
+Link: https://patch.msgid.link/20260604142559.3840881-1-eilaimemedsnaimel@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/pcm_native.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
+index 09b4ad414ffbe0..51e5dd9ee793b5 100644
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -2161,9 +2161,8 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
+ drain_no_period_wakeup = to_check->no_period_wakeup;
+ drain_rate = to_check->rate;
+ drain_bufsz = to_check->buffer_size;
+- init_waitqueue_entry(&wait, current);
+- set_current_state(TASK_INTERRUPTIBLE);
+- add_wait_queue(&to_check->sleep, &wait);
++ init_wait_entry(&wait, 0);
++ prepare_to_wait(&to_check->sleep, &wait, TASK_INTERRUPTIBLE);
+ snd_pcm_stream_unlock_irq(substream);
+ if (drain_no_period_wakeup)
+ tout = MAX_SCHEDULE_TIMEOUT;
+@@ -2181,7 +2180,7 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
+ group = snd_pcm_stream_group_ref(substream);
+ snd_pcm_group_for_each_entry(s, substream) {
+ if (s->runtime == to_check) {
+- remove_wait_queue(&to_check->sleep, &wait);
++ finish_wait(&to_check->sleep, &wait);
+ break;
+ }
+ }
+--
+2.53.0
+
net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
+signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
+time-fix-off-by-one-in-settimeofday-usec-validation.patch
+alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch
--- /dev/null
+From 214b5b0ddd9de5745a142e89244fd395a1e094b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2026 16:22:40 +0200
+Subject: signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
+
+From: Aleksandr Nogikh <nogikh@google.com>
+
+[ Upstream commit 90918794a4e2c3b440f8fcf3847765a8b1d81b25 ]
+
+When a multi-threaded process receives a stop signal (e.g., SIGSTOP),
+do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all
+threads and sets signal->group_stop_count to the number of threads. If
+one of the threads concurrently calls execve(), de_thread() invokes
+zap_other_threads() to kill all other threads. zap_other_threads()
+aborts the pending group stop by resetting signal->group_stop_count to 0
+and clears the JOBCTL_PENDING_MASK for all other threads. However, it
+fails to clear the job control flags for the calling thread.
+
+When execve() completes, the calling thread returns to user mode and
+checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag,
+it calls do_signal_stop(), which invokes task_participate_group_stop().
+Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the
+already-zero signal->group_stop_count, triggering a warning:
+
+sig->group_stop_count == 0
+WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373
+task_participate_group_stop+0x215/0x2d0
+Call Trace:
+ <TASK>
+ do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619
+ get_signal+0xa8c/0x1330 kernel/signal.c:2884
+ arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337
+ exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98
+ do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+Fix this race condition by clearing the JOBCTL_PENDING_MASK for the
+calling thread in zap_other_threads(), ensuring it does not retain any
+stale job control state after the thread group is destroyed. This aligns
+with other functions that tear down a thread group and abort group
+stops, such as zap_process() and complete_signal(), which correctly
+clear these flags for all threads including the current one.
+
+Fixes: 39efa3ef3a37 ("signal: Use GROUP_STOP_PENDING to stop once for a single group stop")
+Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot
+Reported-by: syzbot+b109633ea805cac54a61@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b109633ea805cac54a61
+Link: https://syzkaller.appspot.com/ai_job?id=d70208cc-862b-4fe3-bf02-3031e10cd0b3
+Signed-off-by: Aleksandr Nogikh <nogikh@google.com>
+Link: https://patch.msgid.link/20260521142240.2973022-1-nogikh@google.com
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/signal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 7a9af6d4f2b01e..463b798651b6a6 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1351,6 +1351,7 @@ int zap_other_threads(struct task_struct *p)
+ int count = 0;
+
+ p->signal->group_stop_count = 0;
++ task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK);
+
+ while_each_thread(p, t) {
+ task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
+--
+2.53.0
+
--- /dev/null
+From d26016abff9973dd02112c7313014f552ef0a663 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jun 2026 23:37:37 +0530
+Subject: time: Fix off-by-one in settimeofday() usec validation
+
+From: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
+
+[ Upstream commit ce4abda5e12622f33450159e76c8f56d28d7f03d ]
+
+The validation check uses '>' instead of '>=' when comparing tv_usec
+against USEC_PER_SEC, allowing the value 1000000 through. After
+conversion to nanoseconds (*= 1000), this produces tv_nsec ==
+NSEC_PER_SEC, violating the timespec invariant that tv_nsec must be
+less than NSEC_PER_SEC.
+
+Use '>=' to reject tv_usec values that are not in the valid range of
+0 to 999999.
+
+Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()")
+Signed-off-by: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Acked-by: John Stultz <jstultz@google.com>
+Link: https://patch.msgid.link/4rikk44zew3s6577dugmx4jyblz7o5c57niuap6ct3td5yfm6w@gh7pcumg7qor
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/time/time.c b/kernel/time/time.c
+index 37c381607f3729..808ce6f4953572 100644
+--- a/kernel/time/time.c
++++ b/kernel/time/time.c
+@@ -207,7 +207,7 @@ SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv,
+ get_user(new_ts.tv_nsec, &tv->tv_usec))
+ return -EFAULT;
+
+- if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0)
++ if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0)
+ return -EINVAL;
+
+ new_ts.tv_nsec *= NSEC_PER_USEC;
+--
+2.53.0
+
net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
+signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
+time-fix-off-by-one-in-settimeofday-usec-validation.patch
--- /dev/null
+From 0aa82f45e94235b328082172fa30720bc3dcdbce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2026 16:22:40 +0200
+Subject: signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
+
+From: Aleksandr Nogikh <nogikh@google.com>
+
+[ Upstream commit 90918794a4e2c3b440f8fcf3847765a8b1d81b25 ]
+
+When a multi-threaded process receives a stop signal (e.g., SIGSTOP),
+do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all
+threads and sets signal->group_stop_count to the number of threads. If
+one of the threads concurrently calls execve(), de_thread() invokes
+zap_other_threads() to kill all other threads. zap_other_threads()
+aborts the pending group stop by resetting signal->group_stop_count to 0
+and clears the JOBCTL_PENDING_MASK for all other threads. However, it
+fails to clear the job control flags for the calling thread.
+
+When execve() completes, the calling thread returns to user mode and
+checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag,
+it calls do_signal_stop(), which invokes task_participate_group_stop().
+Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the
+already-zero signal->group_stop_count, triggering a warning:
+
+sig->group_stop_count == 0
+WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373
+task_participate_group_stop+0x215/0x2d0
+Call Trace:
+ <TASK>
+ do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619
+ get_signal+0xa8c/0x1330 kernel/signal.c:2884
+ arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337
+ exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98
+ do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+Fix this race condition by clearing the JOBCTL_PENDING_MASK for the
+calling thread in zap_other_threads(), ensuring it does not retain any
+stale job control state after the thread group is destroyed. This aligns
+with other functions that tear down a thread group and abort group
+stops, such as zap_process() and complete_signal(), which correctly
+clear these flags for all threads including the current one.
+
+Fixes: 39efa3ef3a37 ("signal: Use GROUP_STOP_PENDING to stop once for a single group stop")
+Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot
+Reported-by: syzbot+b109633ea805cac54a61@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b109633ea805cac54a61
+Link: https://syzkaller.appspot.com/ai_job?id=d70208cc-862b-4fe3-bf02-3031e10cd0b3
+Signed-off-by: Aleksandr Nogikh <nogikh@google.com>
+Link: https://patch.msgid.link/20260521142240.2973022-1-nogikh@google.com
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/signal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 8fc1da382448e0..10a315e461d34b 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1364,6 +1364,7 @@ int zap_other_threads(struct task_struct *p)
+ int count = 0;
+
+ p->signal->group_stop_count = 0;
++ task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK);
+
+ while_each_thread(p, t) {
+ task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
+--
+2.53.0
+
--- /dev/null
+From a2b864946d7b7d2817db601ec3650b505b4085a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jun 2026 23:37:37 +0530
+Subject: time: Fix off-by-one in settimeofday() usec validation
+
+From: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
+
+[ Upstream commit ce4abda5e12622f33450159e76c8f56d28d7f03d ]
+
+The validation check uses '>' instead of '>=' when comparing tv_usec
+against USEC_PER_SEC, allowing the value 1000000 through. After
+conversion to nanoseconds (*= 1000), this produces tv_nsec ==
+NSEC_PER_SEC, violating the timespec invariant that tv_nsec must be
+less than NSEC_PER_SEC.
+
+Use '>=' to reject tv_usec values that are not in the valid range of
+0 to 999999.
+
+Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()")
+Signed-off-by: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Acked-by: John Stultz <jstultz@google.com>
+Link: https://patch.msgid.link/4rikk44zew3s6577dugmx4jyblz7o5c57niuap6ct3td5yfm6w@gh7pcumg7qor
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/time/time.c b/kernel/time/time.c
+index df582f24f0d7b2..b7f6b9dbf940cd 100644
+--- a/kernel/time/time.c
++++ b/kernel/time/time.c
+@@ -207,7 +207,7 @@ SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv,
+ get_user(new_ts.tv_nsec, &tv->tv_usec))
+ return -EFAULT;
+
+- if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0)
++ if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0)
+ return -EINVAL;
+
+ new_ts.tv_nsec *= NSEC_PER_USEC;
+--
+2.53.0
+
--- /dev/null
+From 6196eaf3ca58a8918cb55386fb49b9559d5c5fce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2026 14:25:59 +0000
+Subject: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on
+ linked streams
+
+From: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
+
+[ Upstream commit 88fe2e3658726cb21ff2dcf9770bf672f9b9d31b ]
+
+snd_pcm_drain() uses init_waitqueue_entry which does not clear
+entry.prev/next, and add_wait_queue with a conditional
+remove_wait_queue that is skipped when to_check is no longer
+in the group after concurrent UNLINK. The orphaned wait entry
+remains on the unlinked substream sleep queue. On the next
+drain iteration, add_wait_queue adds the entry to a new queue
+while still linked on the old one, corrupting both lists. A
+subsequent wake_up dereferences NULL at the func pointer
+(mapped from the spinlock at offset 0 of the misinterpreted
+wait_queue_head_t), causing a kernel panic.
+
+Replace init_waitqueue_entry/add_wait_queue/conditional
+remove_wait_queue with init_wait_entry/prepare_to_wait/
+finish_wait. init_wait_entry clears prev/next via
+INIT_LIST_HEAD on each iteration and sets
+autoremove_wake_function which auto-removes the entry on
+wake-up. finish_wait safely handles both the already-removed
+and still-queued cases.
+
+Fixes: 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain")
+Signed-off-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
+Link: https://patch.msgid.link/20260604142559.3840881-1-eilaimemedsnaimel@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/pcm_native.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
+index 7be5f25612b954..2ed9abb911a7aa 100644
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -2178,9 +2178,8 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
+ drain_no_period_wakeup = to_check->no_period_wakeup;
+ drain_rate = to_check->rate;
+ drain_bufsz = to_check->buffer_size;
+- init_waitqueue_entry(&wait, current);
+- set_current_state(TASK_INTERRUPTIBLE);
+- add_wait_queue(&to_check->sleep, &wait);
++ init_wait_entry(&wait, 0);
++ prepare_to_wait(&to_check->sleep, &wait, TASK_INTERRUPTIBLE);
+ snd_pcm_stream_unlock_irq(substream);
+ if (drain_no_period_wakeup)
+ tout = MAX_SCHEDULE_TIMEOUT;
+@@ -2198,7 +2197,7 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
+ group = snd_pcm_stream_group_ref(substream);
+ snd_pcm_group_for_each_entry(s, substream) {
+ if (s->runtime == to_check) {
+- remove_wait_queue(&to_check->sleep, &wait);
++ finish_wait(&to_check->sleep, &wait);
+ break;
+ }
+ }
+--
+2.53.0
+
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch
+signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
+time-fix-off-by-one-in-settimeofday-usec-validation.patch
+alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch
--- /dev/null
+From 549c857db9f361cbd4ee92493e29bb6cbfeacc29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2026 16:22:40 +0200
+Subject: signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
+
+From: Aleksandr Nogikh <nogikh@google.com>
+
+[ Upstream commit 90918794a4e2c3b440f8fcf3847765a8b1d81b25 ]
+
+When a multi-threaded process receives a stop signal (e.g., SIGSTOP),
+do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all
+threads and sets signal->group_stop_count to the number of threads. If
+one of the threads concurrently calls execve(), de_thread() invokes
+zap_other_threads() to kill all other threads. zap_other_threads()
+aborts the pending group stop by resetting signal->group_stop_count to 0
+and clears the JOBCTL_PENDING_MASK for all other threads. However, it
+fails to clear the job control flags for the calling thread.
+
+When execve() completes, the calling thread returns to user mode and
+checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag,
+it calls do_signal_stop(), which invokes task_participate_group_stop().
+Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the
+already-zero signal->group_stop_count, triggering a warning:
+
+sig->group_stop_count == 0
+WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373
+task_participate_group_stop+0x215/0x2d0
+Call Trace:
+ <TASK>
+ do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619
+ get_signal+0xa8c/0x1330 kernel/signal.c:2884
+ arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337
+ exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98
+ do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+Fix this race condition by clearing the JOBCTL_PENDING_MASK for the
+calling thread in zap_other_threads(), ensuring it does not retain any
+stale job control state after the thread group is destroyed. This aligns
+with other functions that tear down a thread group and abort group
+stops, such as zap_process() and complete_signal(), which correctly
+clear these flags for all threads including the current one.
+
+Fixes: 39efa3ef3a37 ("signal: Use GROUP_STOP_PENDING to stop once for a single group stop")
+Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot
+Reported-by: syzbot+b109633ea805cac54a61@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b109633ea805cac54a61
+Link: https://syzkaller.appspot.com/ai_job?id=d70208cc-862b-4fe3-bf02-3031e10cd0b3
+Signed-off-by: Aleksandr Nogikh <nogikh@google.com>
+Link: https://patch.msgid.link/20260521142240.2973022-1-nogikh@google.com
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/signal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 723c84d162ddba..98dbe713829ec3 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1371,6 +1371,7 @@ int zap_other_threads(struct task_struct *p)
+ int count = 0;
+
+ p->signal->group_stop_count = 0;
++ task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK);
+
+ while_each_thread(p, t) {
+ task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
+--
+2.53.0
+
--- /dev/null
+From d00d2aa5e90153997e5035178224726064881e65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jun 2026 23:37:37 +0530
+Subject: time: Fix off-by-one in settimeofday() usec validation
+
+From: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
+
+[ Upstream commit ce4abda5e12622f33450159e76c8f56d28d7f03d ]
+
+The validation check uses '>' instead of '>=' when comparing tv_usec
+against USEC_PER_SEC, allowing the value 1000000 through. After
+conversion to nanoseconds (*= 1000), this produces tv_nsec ==
+NSEC_PER_SEC, violating the timespec invariant that tv_nsec must be
+less than NSEC_PER_SEC.
+
+Use '>=' to reject tv_usec values that are not in the valid range of
+0 to 999999.
+
+Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()")
+Signed-off-by: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Acked-by: John Stultz <jstultz@google.com>
+Link: https://patch.msgid.link/4rikk44zew3s6577dugmx4jyblz7o5c57niuap6ct3td5yfm6w@gh7pcumg7qor
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/time/time.c b/kernel/time/time.c
+index 170f1f8a0046ce..0e0b54fb34905e 100644
+--- a/kernel/time/time.c
++++ b/kernel/time/time.c
+@@ -207,7 +207,7 @@ SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv,
+ get_user(new_ts.tv_nsec, &tv->tv_usec))
+ return -EFAULT;
+
+- if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0)
++ if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0)
+ return -EINVAL;
+
+ new_ts.tv_nsec *= NSEC_PER_USEC;
+--
+2.53.0
+
--- /dev/null
+From 0ff9b089e6f5f327ad4cb2b8183d48a9764443e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2026 14:25:59 +0000
+Subject: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on
+ linked streams
+
+From: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
+
+[ Upstream commit 88fe2e3658726cb21ff2dcf9770bf672f9b9d31b ]
+
+snd_pcm_drain() uses init_waitqueue_entry which does not clear
+entry.prev/next, and add_wait_queue with a conditional
+remove_wait_queue that is skipped when to_check is no longer
+in the group after concurrent UNLINK. The orphaned wait entry
+remains on the unlinked substream sleep queue. On the next
+drain iteration, add_wait_queue adds the entry to a new queue
+while still linked on the old one, corrupting both lists. A
+subsequent wake_up dereferences NULL at the func pointer
+(mapped from the spinlock at offset 0 of the misinterpreted
+wait_queue_head_t), causing a kernel panic.
+
+Replace init_waitqueue_entry/add_wait_queue/conditional
+remove_wait_queue with init_wait_entry/prepare_to_wait/
+finish_wait. init_wait_entry clears prev/next via
+INIT_LIST_HEAD on each iteration and sets
+autoremove_wake_function which auto-removes the entry on
+wake-up. finish_wait safely handles both the already-removed
+and still-queued cases.
+
+Fixes: 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain")
+Signed-off-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
+Link: https://patch.msgid.link/20260604142559.3840881-1-eilaimemedsnaimel@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/pcm_native.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
+index 23708dc02401f6..a57123b1d3369f 100644
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -2176,9 +2176,8 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
+ drain_no_period_wakeup = to_check->no_period_wakeup;
+ drain_rate = to_check->rate;
+ drain_bufsz = to_check->buffer_size;
+- init_waitqueue_entry(&wait, current);
+- set_current_state(TASK_INTERRUPTIBLE);
+- add_wait_queue(&to_check->sleep, &wait);
++ init_wait_entry(&wait, 0);
++ prepare_to_wait(&to_check->sleep, &wait, TASK_INTERRUPTIBLE);
+ snd_pcm_stream_unlock_irq(substream);
+ if (drain_no_period_wakeup)
+ tout = MAX_SCHEDULE_TIMEOUT;
+@@ -2196,7 +2195,7 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
+ group = snd_pcm_stream_group_ref(substream);
+ snd_pcm_group_for_each_entry(s, substream) {
+ if (s->runtime == to_check) {
+- remove_wait_queue(&to_check->sleep, &wait);
++ finish_wait(&to_check->sleep, &wait);
+ break;
+ }
+ }
+--
+2.53.0
+
--- /dev/null
+From a8de25bc0e60a327a275523a3a7a275e9182508f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jun 2026 01:02:04 -0700
+Subject: ALSA: seq: dummy: fix UMP event stack overread
+
+From: Kyle Zeng <kylebot@openai.com>
+
+[ Upstream commit 2b5ff4db5d7aa5b981d966df02e687f79ad7b311 ]
+
+The dummy sequencer port forwards events by copying an incoming
+struct snd_seq_event into a stack temporary, rewriting source and
+destination, and dispatching the temporary to subscribers. That legacy
+event storage is smaller than struct snd_seq_ump_event.
+
+When a UMP event reaches the dummy client, the copy leaves the UMP flag
+set but only provides legacy-sized stack storage. The subscriber
+delivery path then uses snd_seq_event_packet_size() and copies a
+UMP-sized packet from that stack object, reading past the end of the
+temporary.
+
+Use the existing union __snd_seq_event storage and copy the packet size
+reported for the incoming event before rewriting the common routing
+fields. This preserves the full UMP packet for UMP events while keeping
+legacy event handling unchanged.
+
+Fixes: 32cb23a0f911 ("ALSA: seq: dummy: Allow UMP conversion")
+Signed-off-by: Kyle Zeng <kylebot@openai.com>
+Link: https://patch.msgid.link/20260605080204.32045-1-kylebot@openai.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_dummy.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/sound/core/seq/seq_dummy.c b/sound/core/seq/seq_dummy.c
+index 783fc72c2ef673..bc11e4d1edd956 100644
+--- a/sound/core/seq/seq_dummy.c
++++ b/sound/core/seq/seq_dummy.c
+@@ -9,6 +9,7 @@
+ #include <linux/module.h>
+ #include <sound/core.h>
+ #include "seq_clientmgr.h"
++#include "seq_memory.h"
+ #include <sound/initval.h>
+ #include <sound/asoundef.h>
+
+@@ -81,19 +82,21 @@ dummy_input(struct snd_seq_event *ev, int direct, void *private_data,
+ int atomic, int hop)
+ {
+ struct snd_seq_dummy_port *p;
+- struct snd_seq_event tmpev;
++ union __snd_seq_event tmpev;
++ size_t size;
+
+ p = private_data;
+ if (ev->source.client == SNDRV_SEQ_CLIENT_SYSTEM ||
+ ev->type == SNDRV_SEQ_EVENT_KERNEL_ERROR)
+ return 0; /* ignore system messages */
+- tmpev = *ev;
++ size = snd_seq_event_packet_size(ev);
++ memcpy(&tmpev, ev, size);
+ if (p->duplex)
+- tmpev.source.port = p->connect;
++ tmpev.legacy.source.port = p->connect;
+ else
+- tmpev.source.port = p->port;
+- tmpev.dest.client = SNDRV_SEQ_ADDRESS_SUBSCRIBERS;
+- return snd_seq_kernel_client_dispatch(p->client, &tmpev, atomic, hop);
++ tmpev.legacy.source.port = p->port;
++ tmpev.legacy.dest.client = SNDRV_SEQ_ADDRESS_SUBSCRIBERS;
++ return snd_seq_kernel_client_dispatch(p->client, &tmpev.legacy, atomic, hop);
+ }
+
+ /*
+--
+2.53.0
+
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch
+signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
+time-fix-off-by-one-in-settimeofday-usec-validation.patch
+alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch
+alsa-seq-dummy-fix-ump-event-stack-overread.patch
--- /dev/null
+From 9ae6c85c06782c7b58ca9e29c94c4fde103e5e29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2026 16:22:40 +0200
+Subject: signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
+
+From: Aleksandr Nogikh <nogikh@google.com>
+
+[ Upstream commit 90918794a4e2c3b440f8fcf3847765a8b1d81b25 ]
+
+When a multi-threaded process receives a stop signal (e.g., SIGSTOP),
+do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all
+threads and sets signal->group_stop_count to the number of threads. If
+one of the threads concurrently calls execve(), de_thread() invokes
+zap_other_threads() to kill all other threads. zap_other_threads()
+aborts the pending group stop by resetting signal->group_stop_count to 0
+and clears the JOBCTL_PENDING_MASK for all other threads. However, it
+fails to clear the job control flags for the calling thread.
+
+When execve() completes, the calling thread returns to user mode and
+checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag,
+it calls do_signal_stop(), which invokes task_participate_group_stop().
+Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the
+already-zero signal->group_stop_count, triggering a warning:
+
+sig->group_stop_count == 0
+WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373
+task_participate_group_stop+0x215/0x2d0
+Call Trace:
+ <TASK>
+ do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619
+ get_signal+0xa8c/0x1330 kernel/signal.c:2884
+ arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337
+ exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98
+ do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+Fix this race condition by clearing the JOBCTL_PENDING_MASK for the
+calling thread in zap_other_threads(), ensuring it does not retain any
+stale job control state after the thread group is destroyed. This aligns
+with other functions that tear down a thread group and abort group
+stops, such as zap_process() and complete_signal(), which correctly
+clear these flags for all threads including the current one.
+
+Fixes: 39efa3ef3a37 ("signal: Use GROUP_STOP_PENDING to stop once for a single group stop")
+Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot
+Reported-by: syzbot+b109633ea805cac54a61@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b109633ea805cac54a61
+Link: https://syzkaller.appspot.com/ai_job?id=d70208cc-862b-4fe3-bf02-3031e10cd0b3
+Signed-off-by: Aleksandr Nogikh <nogikh@google.com>
+Link: https://patch.msgid.link/20260521142240.2973022-1-nogikh@google.com
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/signal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 468b589c39e695..b832158a9c4608 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1371,6 +1371,7 @@ int zap_other_threads(struct task_struct *p)
+ int count = 0;
+
+ p->signal->group_stop_count = 0;
++ task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK);
+
+ for_other_threads(p, t) {
+ task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
+--
+2.53.0
+
--- /dev/null
+From ae2a81f46a599026c72735a5f88385a4a98ae45d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jun 2026 23:37:37 +0530
+Subject: time: Fix off-by-one in settimeofday() usec validation
+
+From: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
+
+[ Upstream commit ce4abda5e12622f33450159e76c8f56d28d7f03d ]
+
+The validation check uses '>' instead of '>=' when comparing tv_usec
+against USEC_PER_SEC, allowing the value 1000000 through. After
+conversion to nanoseconds (*= 1000), this produces tv_nsec ==
+NSEC_PER_SEC, violating the timespec invariant that tv_nsec must be
+less than NSEC_PER_SEC.
+
+Use '>=' to reject tv_usec values that are not in the valid range of
+0 to 999999.
+
+Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()")
+Signed-off-by: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Acked-by: John Stultz <jstultz@google.com>
+Link: https://patch.msgid.link/4rikk44zew3s6577dugmx4jyblz7o5c57niuap6ct3td5yfm6w@gh7pcumg7qor
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/time/time.c b/kernel/time/time.c
+index da7e8a02a0964f..a6261fadb92b15 100644
+--- a/kernel/time/time.c
++++ b/kernel/time/time.c
+@@ -207,7 +207,7 @@ SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv,
+ get_user(new_ts.tv_nsec, &tv->tv_usec))
+ return -EFAULT;
+
+- if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0)
++ if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0)
+ return -EINVAL;
+
+ new_ts.tv_nsec *= NSEC_PER_USEC;
+--
+2.53.0
+
--- /dev/null
+From 8d834a5183f8b867cdfa9650a5a3e9cab78e8542 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2026 14:25:59 +0000
+Subject: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on
+ linked streams
+
+From: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
+
+[ Upstream commit 88fe2e3658726cb21ff2dcf9770bf672f9b9d31b ]
+
+snd_pcm_drain() uses init_waitqueue_entry which does not clear
+entry.prev/next, and add_wait_queue with a conditional
+remove_wait_queue that is skipped when to_check is no longer
+in the group after concurrent UNLINK. The orphaned wait entry
+remains on the unlinked substream sleep queue. On the next
+drain iteration, add_wait_queue adds the entry to a new queue
+while still linked on the old one, corrupting both lists. A
+subsequent wake_up dereferences NULL at the func pointer
+(mapped from the spinlock at offset 0 of the misinterpreted
+wait_queue_head_t), causing a kernel panic.
+
+Replace init_waitqueue_entry/add_wait_queue/conditional
+remove_wait_queue with init_wait_entry/prepare_to_wait/
+finish_wait. init_wait_entry clears prev/next via
+INIT_LIST_HEAD on each iteration and sets
+autoremove_wake_function which auto-removes the entry on
+wake-up. finish_wait safely handles both the already-removed
+and still-queued cases.
+
+Fixes: 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain")
+Signed-off-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
+Link: https://patch.msgid.link/20260604142559.3840881-1-eilaimemedsnaimel@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/pcm_native.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
+index 495ff93fcd1db2..0ae95a46708915 100644
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -2176,9 +2176,8 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
+ drain_no_period_wakeup = to_check->no_period_wakeup;
+ drain_rate = to_check->rate;
+ drain_bufsz = to_check->buffer_size;
+- init_waitqueue_entry(&wait, current);
+- set_current_state(TASK_INTERRUPTIBLE);
+- add_wait_queue(&to_check->sleep, &wait);
++ init_wait_entry(&wait, 0);
++ prepare_to_wait(&to_check->sleep, &wait, TASK_INTERRUPTIBLE);
+ snd_pcm_stream_unlock_irq(substream);
+ if (drain_no_period_wakeup)
+ tout = MAX_SCHEDULE_TIMEOUT;
+@@ -2196,7 +2195,7 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
+ group = snd_pcm_stream_group_ref(substream);
+ snd_pcm_group_for_each_entry(s, substream) {
+ if (s->runtime == to_check) {
+- remove_wait_queue(&to_check->sleep, &wait);
++ finish_wait(&to_check->sleep, &wait);
+ break;
+ }
+ }
+--
+2.53.0
+
--- /dev/null
+From 2e25571bd59a6506ad25574692a8a09975455e99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jun 2026 01:02:04 -0700
+Subject: ALSA: seq: dummy: fix UMP event stack overread
+
+From: Kyle Zeng <kylebot@openai.com>
+
+[ Upstream commit 2b5ff4db5d7aa5b981d966df02e687f79ad7b311 ]
+
+The dummy sequencer port forwards events by copying an incoming
+struct snd_seq_event into a stack temporary, rewriting source and
+destination, and dispatching the temporary to subscribers. That legacy
+event storage is smaller than struct snd_seq_ump_event.
+
+When a UMP event reaches the dummy client, the copy leaves the UMP flag
+set but only provides legacy-sized stack storage. The subscriber
+delivery path then uses snd_seq_event_packet_size() and copies a
+UMP-sized packet from that stack object, reading past the end of the
+temporary.
+
+Use the existing union __snd_seq_event storage and copy the packet size
+reported for the incoming event before rewriting the common routing
+fields. This preserves the full UMP packet for UMP events while keeping
+legacy event handling unchanged.
+
+Fixes: 32cb23a0f911 ("ALSA: seq: dummy: Allow UMP conversion")
+Signed-off-by: Kyle Zeng <kylebot@openai.com>
+Link: https://patch.msgid.link/20260605080204.32045-1-kylebot@openai.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_dummy.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/sound/core/seq/seq_dummy.c b/sound/core/seq/seq_dummy.c
+index 783fc72c2ef673..bc11e4d1edd956 100644
+--- a/sound/core/seq/seq_dummy.c
++++ b/sound/core/seq/seq_dummy.c
+@@ -9,6 +9,7 @@
+ #include <linux/module.h>
+ #include <sound/core.h>
+ #include "seq_clientmgr.h"
++#include "seq_memory.h"
+ #include <sound/initval.h>
+ #include <sound/asoundef.h>
+
+@@ -81,19 +82,21 @@ dummy_input(struct snd_seq_event *ev, int direct, void *private_data,
+ int atomic, int hop)
+ {
+ struct snd_seq_dummy_port *p;
+- struct snd_seq_event tmpev;
++ union __snd_seq_event tmpev;
++ size_t size;
+
+ p = private_data;
+ if (ev->source.client == SNDRV_SEQ_CLIENT_SYSTEM ||
+ ev->type == SNDRV_SEQ_EVENT_KERNEL_ERROR)
+ return 0; /* ignore system messages */
+- tmpev = *ev;
++ size = snd_seq_event_packet_size(ev);
++ memcpy(&tmpev, ev, size);
+ if (p->duplex)
+- tmpev.source.port = p->connect;
++ tmpev.legacy.source.port = p->connect;
+ else
+- tmpev.source.port = p->port;
+- tmpev.dest.client = SNDRV_SEQ_ADDRESS_SUBSCRIBERS;
+- return snd_seq_kernel_client_dispatch(p->client, &tmpev, atomic, hop);
++ tmpev.legacy.source.port = p->port;
++ tmpev.legacy.dest.client = SNDRV_SEQ_ADDRESS_SUBSCRIBERS;
++ return snd_seq_kernel_client_dispatch(p->client, &tmpev.legacy, atomic, hop);
+ }
+
+ /*
+--
+2.53.0
+
--- /dev/null
+From e3900e981a2338ad45dafa6b8bcf3c5d291f124a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Oct 2025 16:34:04 -0700
+Subject: Drivers: hv: VMBus protocol version 6.0
+
+From: Roman Kisel <romank@linux.microsoft.com>
+
+[ Upstream commit 6802d8af47d1dccd9a74a1f708fb9129244ef843 ]
+
+The confidential VMBus is supported starting from the protocol
+version 6.0 onwards.
+
+Provide the required definitions. No functional changes.
+
+Signed-off-by: Roman Kisel <romank@linux.microsoft.com>
+Reviewed-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Stable-dep-of: c5c3ef8d49e1 ("Drivers: hv: vmbus: Provide option to skip VMBus unload on panic")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hv/hyperv_vmbus.h | 2 ++
+ drivers/hv/vmbus_drv.c | 12 +++++++
+ include/hyperv/hvgdk_mini.h | 1 +
+ include/linux/hyperv.h | 69 +++++++++++++++++++++++++++----------
+ 4 files changed, 65 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
+index 0b450e53161e51..4a01797d485139 100644
+--- a/drivers/hv/hyperv_vmbus.h
++++ b/drivers/hv/hyperv_vmbus.h
+@@ -333,6 +333,8 @@ extern const struct vmbus_channel_message_table_entry
+
+ /* General vmbus interface */
+
++bool vmbus_is_confidential(void);
++
+ struct hv_device *vmbus_device_create(const guid_t *type,
+ const guid_t *instance,
+ struct vmbus_channel *channel);
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index 3ab62277b6be6c..6d2bf7a96aa638 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -57,6 +57,18 @@ static long __percpu *vmbus_evt;
+ int vmbus_irq;
+ int vmbus_interrupt;
+
++/*
++ * If the Confidential VMBus is used, the data on the "wire" is not
++ * visible to either the host or the hypervisor.
++ */
++static bool is_confidential;
++
++bool vmbus_is_confidential(void)
++{
++ return is_confidential;
++}
++EXPORT_SYMBOL_GPL(vmbus_is_confidential);
++
+ /*
+ * The panic notifier below is responsible solely for unloading the
+ * vmbus connection, which is necessary in a panic event.
+diff --git a/include/hyperv/hvgdk_mini.h b/include/hyperv/hvgdk_mini.h
+index 77abddfc750e40..7f730a0e54e611 100644
+--- a/include/hyperv/hvgdk_mini.h
++++ b/include/hyperv/hvgdk_mini.h
+@@ -260,6 +260,7 @@ union hv_hypervisor_version_info {
+ #define HYPERV_CPUID_VIRT_STACK_PROPERTIES 0x40000082
+ /* Support for the extended IOAPIC RTE format */
+ #define HYPERV_VS_PROPERTIES_EAX_EXTENDED_IOAPIC_RTE BIT(2)
++#define HYPERV_VS_PROPERTIES_EAX_CONFIDENTIAL_VMBUS_AVAILABLE BIT(3)
+
+ #define HYPERV_HYPERVISOR_PRESENT_BIT 0x80000000
+ #define HYPERV_CPUID_MIN 0x40000005
+diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h
+index 59826c89171c79..dfc516c1c7193f 100644
+--- a/include/linux/hyperv.h
++++ b/include/linux/hyperv.h
+@@ -265,16 +265,18 @@ static inline u32 hv_get_avail_to_write_percent(
+ * Linux kernel.
+ */
+
+-#define VERSION_WS2008 ((0 << 16) | (13))
+-#define VERSION_WIN7 ((1 << 16) | (1))
+-#define VERSION_WIN8 ((2 << 16) | (4))
+-#define VERSION_WIN8_1 ((3 << 16) | (0))
+-#define VERSION_WIN10 ((4 << 16) | (0))
+-#define VERSION_WIN10_V4_1 ((4 << 16) | (1))
+-#define VERSION_WIN10_V5 ((5 << 16) | (0))
+-#define VERSION_WIN10_V5_1 ((5 << 16) | (1))
+-#define VERSION_WIN10_V5_2 ((5 << 16) | (2))
+-#define VERSION_WIN10_V5_3 ((5 << 16) | (3))
++#define VMBUS_MAKE_VERSION(MAJ, MIN) ((((u32)MAJ) << 16) | (MIN))
++#define VERSION_WS2008 VMBUS_MAKE_VERSION(0, 13)
++#define VERSION_WIN7 VMBUS_MAKE_VERSION(1, 1)
++#define VERSION_WIN8 VMBUS_MAKE_VERSION(2, 4)
++#define VERSION_WIN8_1 VMBUS_MAKE_VERSION(3, 0)
++#define VERSION_WIN10 VMBUS_MAKE_VERSION(4, 0)
++#define VERSION_WIN10_V4_1 VMBUS_MAKE_VERSION(4, 1)
++#define VERSION_WIN10_V5 VMBUS_MAKE_VERSION(5, 0)
++#define VERSION_WIN10_V5_1 VMBUS_MAKE_VERSION(5, 1)
++#define VERSION_WIN10_V5_2 VMBUS_MAKE_VERSION(5, 2)
++#define VERSION_WIN10_V5_3 VMBUS_MAKE_VERSION(5, 3)
++#define VERSION_WIN10_V6_0 VMBUS_MAKE_VERSION(6, 0)
+
+ /* Make maximum size of pipe payload of 16K */
+ #define MAX_PIPE_DATA_PAYLOAD (sizeof(u8) * 16384)
+@@ -335,14 +337,22 @@ struct vmbus_channel_offer {
+ } __packed;
+
+ /* Server Flags */
+-#define VMBUS_CHANNEL_ENUMERATE_DEVICE_INTERFACE 1
+-#define VMBUS_CHANNEL_SERVER_SUPPORTS_TRANSFER_PAGES 2
+-#define VMBUS_CHANNEL_SERVER_SUPPORTS_GPADLS 4
+-#define VMBUS_CHANNEL_NAMED_PIPE_MODE 0x10
+-#define VMBUS_CHANNEL_LOOPBACK_OFFER 0x100
+-#define VMBUS_CHANNEL_PARENT_OFFER 0x200
+-#define VMBUS_CHANNEL_REQUEST_MONITORED_NOTIFICATION 0x400
+-#define VMBUS_CHANNEL_TLNPI_PROVIDER_OFFER 0x2000
++#define VMBUS_CHANNEL_ENUMERATE_DEVICE_INTERFACE 0x0001
++/*
++ * This flag indicates that the channel is offered by the paravisor, and must
++ * use encrypted memory for the channel ring buffer.
++ */
++#define VMBUS_CHANNEL_CONFIDENTIAL_RING_BUFFER 0x0002
++/*
++ * This flag indicates that the channel is offered by the paravisor, and must
++ * use encrypted memory for GPA direct packets and additional GPADLs.
++ */
++#define VMBUS_CHANNEL_CONFIDENTIAL_EXTERNAL_MEMORY 0x0004
++#define VMBUS_CHANNEL_NAMED_PIPE_MODE 0x0010
++#define VMBUS_CHANNEL_LOOPBACK_OFFER 0x0100
++#define VMBUS_CHANNEL_PARENT_OFFER 0x0200
++#define VMBUS_CHANNEL_REQUEST_MONITORED_NOTIFICATION 0x0400
++#define VMBUS_CHANNEL_TLNPI_PROVIDER_OFFER 0x2000
+
+ struct vmpacket_descriptor {
+ u16 type;
+@@ -621,6 +631,12 @@ struct vmbus_channel_relid_released {
+ u32 child_relid;
+ } __packed;
+
++/*
++ * Used by the paravisor only, means that the encrypted ring buffers and
++ * the encrypted external memory are supported
++ */
++#define VMBUS_FEATURE_FLAG_CONFIDENTIAL_CHANNELS 0x10
++
+ struct vmbus_channel_initiate_contact {
+ struct vmbus_channel_message_header header;
+ u32 vmbus_version_requested;
+@@ -630,7 +646,8 @@ struct vmbus_channel_initiate_contact {
+ struct {
+ u8 msg_sint;
+ u8 msg_vtl;
+- u8 reserved[6];
++ u8 reserved[2];
++ u32 feature_flags; /* VMBus version 6.0 */
+ };
+ };
+ u64 monitor_page1;
+@@ -1003,6 +1020,10 @@ struct vmbus_channel {
+
+ /* boolean to control visibility of sysfs for ring buffer */
+ bool ring_sysfs_visible;
++ /* The ring buffer is encrypted */
++ bool co_ring_buffer;
++ /* The external memory is encrypted */
++ bool co_external_memory;
+ };
+
+ #define lock_requestor(channel, flags) \
+@@ -1027,6 +1048,16 @@ u64 vmbus_request_addr_match(struct vmbus_channel *channel, u64 trans_id,
+ u64 rqst_addr);
+ u64 vmbus_request_addr(struct vmbus_channel *channel, u64 trans_id);
+
++static inline bool is_co_ring_buffer(const struct vmbus_channel_offer_channel *o)
++{
++ return !!(o->offer.chn_flags & VMBUS_CHANNEL_CONFIDENTIAL_RING_BUFFER);
++}
++
++static inline bool is_co_external_memory(const struct vmbus_channel_offer_channel *o)
++{
++ return !!(o->offer.chn_flags & VMBUS_CHANNEL_CONFIDENTIAL_EXTERNAL_MEMORY);
++}
++
+ static inline bool is_hvsock_offer(const struct vmbus_channel_offer_channel *o)
+ {
+ return !!(o->offer.chn_flags & VMBUS_CHANNEL_TLNPI_PROVIDER_OFFER);
+--
+2.53.0
+
--- /dev/null
+From 97e951627071774019d8ea2ee4cd12ddd4f0370d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Feb 2026 10:23:34 -0800
+Subject: Drivers: hv: vmbus: Provide option to skip VMBus unload on panic
+
+From: Michael Kelley <mhklinux@outlook.com>
+
+[ Upstream commit c5c3ef8d49e15d2fc1cec4ad7c91d81b99977440 ]
+
+Currently, VMBus code initiates a VMBus unload in the panic path so
+that if a kdump kernel is loaded, it can start fresh in setting up its
+own VMBus connection. However, a driver for the VMBus virtual frame
+buffer may need to flush dirty portions of the frame buffer back to
+the Hyper-V host so that panic information is visible in the graphics
+console. To support such flushing, provide exported functions for the
+frame buffer driver to specify that the VMBus unload should not be
+done by the VMBus driver, and to initiate the VMBus unload itself.
+Together these allow a frame buffer driver to delay the VMBus unload
+until after it has completed the flush.
+
+Ideally, the VMBus driver could use its own panic-path callback to do
+the unload after all frame buffer drivers have finished. But DRM frame
+buffer drivers use the kmsg dump callback, and there are no callbacks
+after that in the panic path. Hence this somewhat messy approach to
+properly sequencing the frame buffer flush and the VMBus unload.
+
+Fixes: 3671f3777758 ("drm/hyperv: Add support for drm_panic")
+Signed-off-by: Michael Kelley <mhklinux@outlook.com>
+Reviewed-by: Long Li <longli@microsoft.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hv/channel_mgmt.c | 1 +
+ drivers/hv/hyperv_vmbus.h | 1 -
+ drivers/hv/vmbus_drv.c | 25 ++++++++++++++++++-------
+ include/linux/hyperv.h | 3 +++
+ 4 files changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
+index 65dd299e2944bd..fd1d675ae37a4f 100644
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -944,6 +944,7 @@ void vmbus_initiate_unload(bool crash)
+ else
+ vmbus_wait_for_unload();
+ }
++EXPORT_SYMBOL_GPL(vmbus_initiate_unload);
+
+ static void vmbus_setup_channel_state(struct vmbus_channel *channel,
+ struct vmbus_channel_offer_channel *offer)
+diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
+index 4a01797d485139..34943de7d6ac46 100644
+--- a/drivers/hv/hyperv_vmbus.h
++++ b/drivers/hv/hyperv_vmbus.h
+@@ -376,7 +376,6 @@ void hv_vss_deinit(void);
+ int hv_vss_pre_suspend(void);
+ int hv_vss_pre_resume(void);
+ void hv_vss_onchannelcallback(void *context);
+-void vmbus_initiate_unload(bool crash);
+
+ static inline void hv_poll_channel(struct vmbus_channel *channel,
+ void (*cb)(void *))
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index 6d2bf7a96aa638..8a090e2a28f928 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -69,19 +69,29 @@ bool vmbus_is_confidential(void)
+ }
+ EXPORT_SYMBOL_GPL(vmbus_is_confidential);
+
++static bool skip_vmbus_unload;
++
++/*
++ * Allow a VMBus framebuffer driver to specify that in the case of a panic,
++ * it will do the VMbus unload operation once it has flushed any dirty
++ * portions of the framebuffer to the Hyper-V host.
++ */
++void vmbus_set_skip_unload(bool skip)
++{
++ skip_vmbus_unload = skip;
++}
++EXPORT_SYMBOL_GPL(vmbus_set_skip_unload);
++
+ /*
+ * The panic notifier below is responsible solely for unloading the
+ * vmbus connection, which is necessary in a panic event.
+- *
+- * Notice an intrincate relation of this notifier with Hyper-V
+- * framebuffer panic notifier exists - we need vmbus connection alive
+- * there in order to succeed, so we need to order both with each other
+- * [see hvfb_on_panic()] - this is done using notifiers' priorities.
+ */
+ static int hv_panic_vmbus_unload(struct notifier_block *nb, unsigned long val,
+ void *args)
+ {
+- vmbus_initiate_unload(true);
++ if (!skip_vmbus_unload)
++ vmbus_initiate_unload(true);
++
+ return NOTIFY_DONE;
+ }
+ static struct notifier_block hyperv_panic_vmbus_unload_block = {
+@@ -2862,7 +2872,8 @@ static void hv_crash_handler(struct pt_regs *regs)
+ {
+ int cpu;
+
+- vmbus_initiate_unload(true);
++ if (!skip_vmbus_unload)
++ vmbus_initiate_unload(true);
+ /*
+ * In crash handler we can't schedule synic cleanup for all CPUs,
+ * doing the cleanup for current CPU only. This should be sufficient
+diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h
+index dfc516c1c7193f..b0502a336eb3a5 100644
+--- a/include/linux/hyperv.h
++++ b/include/linux/hyperv.h
+@@ -1334,6 +1334,9 @@ int vmbus_allocate_mmio(struct resource **new, struct hv_device *device_obj,
+ bool fb_overlap_ok);
+ void vmbus_free_mmio(resource_size_t start, resource_size_t size);
+
++void vmbus_initiate_unload(bool crash);
++void vmbus_set_skip_unload(bool skip);
++
+ /*
+ * GUID definitions of various offer types - services offered to the guest.
+ */
+--
+2.53.0
+
--- /dev/null
+From 0e2f6ac261f05ebf464009b01fe95ee3350c0298 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Feb 2026 10:23:35 -0800
+Subject: drm/hyperv: During panic do VMBus unload after frame buffer is
+ flushed
+
+From: Michael Kelley <mhklinux@outlook.com>
+
+[ Upstream commit 8b35874f56ded0cc1a90a25b87411249a86246cd ]
+
+In a VM, Linux panic information (reason for the panic, stack trace,
+etc.) may be written to a serial console and/or a virtual frame buffer
+for a graphics console. The latter may need to be flushed back to the
+host hypervisor for display.
+
+The current Hyper-V DRM driver for the frame buffer does the flushing
+*after* the VMBus connection has been unloaded, such that panic messages
+are not displayed on the graphics console. A user with a Hyper-V graphics
+console is left with just a hung empty screen after a panic. The enhanced
+control that DRM provides over the panic display in the graphics console
+is similarly non-functional.
+
+Commit 3671f3777758 ("drm/hyperv: Add support for drm_panic") added
+the Hyper-V DRM driver support to flush the virtual frame buffer. It
+provided necessary functionality but did not handle the sequencing
+problem with VMBus unload.
+
+Fix the full problem by using VMBus functions to suppress the VMBus
+unload that is normally done by the VMBus driver in the panic path. Then
+after the frame buffer has been flushed, do the VMBus unload so that a
+kdump kernel can start cleanly. As expected, CONFIG_DRM_PANIC must be
+selected for these changes to have effect. As a side benefit, the
+enhanced features of the DRM panic path are also functional.
+
+Fixes: 3671f3777758 ("drm/hyperv: Add support for drm_panic")
+Signed-off-by: Michael Kelley <mhklinux@outlook.com>
+Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/hyperv/hyperv_drm_drv.c | 5 +++++
+ drivers/gpu/drm/hyperv/hyperv_drm_modeset.c | 15 ++++++++-------
+ 2 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/hyperv/hyperv_drm_drv.c b/drivers/gpu/drm/hyperv/hyperv_drm_drv.c
+index 0d49f168a919d5..dad8fd5cb1d3b6 100644
+--- a/drivers/gpu/drm/hyperv/hyperv_drm_drv.c
++++ b/drivers/gpu/drm/hyperv/hyperv_drm_drv.c
+@@ -149,6 +149,10 @@ static int hyperv_vmbus_probe(struct hv_device *hdev,
+ goto err_free_mmio;
+ }
+
++ /* If DRM panic path is stubbed out VMBus code must do the unload */
++ if (IS_ENABLED(CONFIG_DRM_PANIC))
++ vmbus_set_skip_unload(true);
++
+ drm_client_setup(dev, NULL);
+
+ return 0;
+@@ -168,6 +172,7 @@ static void hyperv_vmbus_remove(struct hv_device *hdev)
+ struct drm_device *dev = hv_get_drvdata(hdev);
+ struct hyperv_drm_device *hv = to_hv(dev);
+
++ vmbus_set_skip_unload(false);
+ drm_dev_unplug(dev);
+ drm_atomic_helper_shutdown(dev);
+ vmbus_close(hdev->channel);
+diff --git a/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c b/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c
+index 945b9482bcb3a9..86696a9a32c559 100644
+--- a/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c
++++ b/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c
+@@ -204,15 +204,16 @@ static void hyperv_plane_panic_flush(struct drm_plane *plane)
+ struct hyperv_drm_device *hv = to_hv(plane->dev);
+ struct drm_rect rect;
+
+- if (!plane->state || !plane->state->fb)
+- return;
++ if (plane->state && plane->state->fb) {
++ rect.x1 = 0;
++ rect.y1 = 0;
++ rect.x2 = plane->state->fb->width;
++ rect.y2 = plane->state->fb->height;
+
+- rect.x1 = 0;
+- rect.y1 = 0;
+- rect.x2 = plane->state->fb->width;
+- rect.y2 = plane->state->fb->height;
++ hyperv_update_dirt(hv->hdev, &rect);
++ }
+
+- hyperv_update_dirt(hv->hdev, &rect);
++ vmbus_initiate_unload(true);
+ }
+
+ static const struct drm_plane_helper_funcs hyperv_plane_helper_funcs = {
+--
+2.53.0
+
--- /dev/null
+From f270fd8b458b6479951baf35792e52a812545706 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 May 2026 12:21:01 -0700
+Subject: hyperv: Clean up and fix the guest ID comment in hvgdk.h
+
+From: Dexuan Cui <decui@microsoft.com>
+
+[ Upstream commit 83eb00f31eb1b10735d48e469df72cc2b0e06f6d ]
+
+Change the "64 bit" to "64-bit", and the "Os" to "OS".
+
+Remove the obsolete paragraph since the guideline has been
+published in the Hypervisor Top Level Functional Specification
+for many years.
+
+The "OS Type" is 0x1 for Linux, not 0x100.
+
+No functional change.
+
+Fixes: 83ba0c4f3f31 ("Drivers: hv: Cleanup the guest ID computation")
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Reviewed-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/hyperv/hvgdk.h | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/include/hyperv/hvgdk.h b/include/hyperv/hvgdk.h
+index dd6d4939ea29b0..a837a6bc1275bd 100644
+--- a/include/hyperv/hvgdk.h
++++ b/include/hyperv/hvgdk.h
+@@ -10,18 +10,12 @@
+
+ /*
+ * The guest OS needs to register the guest ID with the hypervisor.
+- * The guest ID is a 64 bit entity and the structure of this ID is
++ * The guest ID is a 64-bit entity and the structure of this ID is
+ * specified in the Hyper-V TLFS specification.
+ *
+- * While the current guideline does not specify how Linux guest ID(s)
+- * need to be generated, our plan is to publish the guidelines for
+- * Linux and other guest operating systems that currently are hosted
+- * on Hyper-V. The implementation here conforms to this yet
+- * unpublished guidelines.
+- *
+ * Bit(s)
+ * 63 - Indicates if the OS is Open Source or not; 1 is Open Source
+- * 62:56 - Os Type; Linux is 0x100
++ * 62:56 - OS Type; Linux is 0x1
+ * 55:48 - Distro specific identification
+ * 47:16 - Linux kernel version number
+ * 15:0 - Distro specific identification
+--
+2.53.0
+
--- /dev/null
+From fd1be5163c75c86ddca8ad9e5eab34fc95bb937d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Apr 2026 17:45:28 +0800
+Subject: selftests: harness: fix pidfd leak in __wait_for_test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geliang Tang <tanggeliang@kylinos.cn>
+
+[ Upstream commit 0eb307d61317b42b120ab02099b597226318358a ]
+
+Fix the pidfd leak in kselftest_harness.h's __wait_for_test() where
+childfd = syscall(__NR_pidfd_open, t->pid, 0) is never closed.
+
+Fixes: 73a3cde97677 ("selftests: harness: Implement test timeouts through pidfd")
+Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
+Link: https://patch.msgid.link/a82e275ccfb2609a1984d90ab559fa3af78f1e81.1776678050.git.tanggeliang@kylinos.cn
+Reviewed-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kselftest_harness.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h
+index fe162cbfc09121..6928915a643b1e 100644
+--- a/tools/testing/selftests/kselftest_harness.h
++++ b/tools/testing/selftests/kselftest_harness.h
+@@ -996,6 +996,7 @@ static void __wait_for_test(struct __test_metadata *t)
+ poll_child.fd = childfd;
+ poll_child.events = POLLIN;
+ ret = poll(&poll_child, 1, t->timeout * 1000);
++ close(childfd);
+ if (ret == -1) {
+ t->exit_code = KSFT_FAIL;
+ fprintf(TH_LOG_STREAM,
+--
+2.53.0
+
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
+drivers-hv-vmbus-protocol-version-6.0.patch
+drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch
+drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch
+selftests-harness-fix-pidfd-leak-in-__wait_for_test.patch
+signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
+hyperv-clean-up-and-fix-the-guest-id-comment-in-hvgd.patch
+time-fix-off-by-one-in-settimeofday-usec-validation.patch
+alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch
+alsa-seq-dummy-fix-ump-event-stack-overread.patch
--- /dev/null
+From b147184cf4b34308d8cabe51829ef341eb5d016d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2026 16:22:40 +0200
+Subject: signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
+
+From: Aleksandr Nogikh <nogikh@google.com>
+
+[ Upstream commit 90918794a4e2c3b440f8fcf3847765a8b1d81b25 ]
+
+When a multi-threaded process receives a stop signal (e.g., SIGSTOP),
+do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all
+threads and sets signal->group_stop_count to the number of threads. If
+one of the threads concurrently calls execve(), de_thread() invokes
+zap_other_threads() to kill all other threads. zap_other_threads()
+aborts the pending group stop by resetting signal->group_stop_count to 0
+and clears the JOBCTL_PENDING_MASK for all other threads. However, it
+fails to clear the job control flags for the calling thread.
+
+When execve() completes, the calling thread returns to user mode and
+checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag,
+it calls do_signal_stop(), which invokes task_participate_group_stop().
+Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the
+already-zero signal->group_stop_count, triggering a warning:
+
+sig->group_stop_count == 0
+WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373
+task_participate_group_stop+0x215/0x2d0
+Call Trace:
+ <TASK>
+ do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619
+ get_signal+0xa8c/0x1330 kernel/signal.c:2884
+ arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337
+ exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98
+ do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+Fix this race condition by clearing the JOBCTL_PENDING_MASK for the
+calling thread in zap_other_threads(), ensuring it does not retain any
+stale job control state after the thread group is destroyed. This aligns
+with other functions that tear down a thread group and abort group
+stops, such as zap_process() and complete_signal(), which correctly
+clear these flags for all threads including the current one.
+
+Fixes: 39efa3ef3a37 ("signal: Use GROUP_STOP_PENDING to stop once for a single group stop")
+Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot
+Reported-by: syzbot+b109633ea805cac54a61@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b109633ea805cac54a61
+Link: https://syzkaller.appspot.com/ai_job?id=d70208cc-862b-4fe3-bf02-3031e10cd0b3
+Signed-off-by: Aleksandr Nogikh <nogikh@google.com>
+Link: https://patch.msgid.link/20260521142240.2973022-1-nogikh@google.com
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/signal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index fe9190d84f281e..810098300ecdcb 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1340,6 +1340,7 @@ int zap_other_threads(struct task_struct *p)
+ int count = 0;
+
+ p->signal->group_stop_count = 0;
++ task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK);
+
+ for_other_threads(p, t) {
+ task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
+--
+2.53.0
+
--- /dev/null
+From dba94dcefb323ee964c36feaef8468c03dadacfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jun 2026 23:37:37 +0530
+Subject: time: Fix off-by-one in settimeofday() usec validation
+
+From: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
+
+[ Upstream commit ce4abda5e12622f33450159e76c8f56d28d7f03d ]
+
+The validation check uses '>' instead of '>=' when comparing tv_usec
+against USEC_PER_SEC, allowing the value 1000000 through. After
+conversion to nanoseconds (*= 1000), this produces tv_nsec ==
+NSEC_PER_SEC, violating the timespec invariant that tv_nsec must be
+less than NSEC_PER_SEC.
+
+Use '>=' to reject tv_usec values that are not in the valid range of
+0 to 999999.
+
+Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()")
+Signed-off-by: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Acked-by: John Stultz <jstultz@google.com>
+Link: https://patch.msgid.link/4rikk44zew3s6577dugmx4jyblz7o5c57niuap6ct3td5yfm6w@gh7pcumg7qor
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/time/time.c b/kernel/time/time.c
+index 155cf7def9146d..3c1518a7a52652 100644
+--- a/kernel/time/time.c
++++ b/kernel/time/time.c
+@@ -207,7 +207,7 @@ SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv,
+ get_user(new_ts.tv_nsec, &tv->tv_usec))
+ return -EFAULT;
+
+- if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0)
++ if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0)
+ return -EINVAL;
+
+ new_ts.tv_nsec *= NSEC_PER_USEC;
+--
+2.53.0
+
--- /dev/null
+From 77ccf0054e2879400088f89043088843db90b0ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2026 14:25:59 +0000
+Subject: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on
+ linked streams
+
+From: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
+
+[ Upstream commit 88fe2e3658726cb21ff2dcf9770bf672f9b9d31b ]
+
+snd_pcm_drain() uses init_waitqueue_entry which does not clear
+entry.prev/next, and add_wait_queue with a conditional
+remove_wait_queue that is skipped when to_check is no longer
+in the group after concurrent UNLINK. The orphaned wait entry
+remains on the unlinked substream sleep queue. On the next
+drain iteration, add_wait_queue adds the entry to a new queue
+while still linked on the old one, corrupting both lists. A
+subsequent wake_up dereferences NULL at the func pointer
+(mapped from the spinlock at offset 0 of the misinterpreted
+wait_queue_head_t), causing a kernel panic.
+
+Replace init_waitqueue_entry/add_wait_queue/conditional
+remove_wait_queue with init_wait_entry/prepare_to_wait/
+finish_wait. init_wait_entry clears prev/next via
+INIT_LIST_HEAD on each iteration and sets
+autoremove_wake_function which auto-removes the entry on
+wake-up. finish_wait safely handles both the already-removed
+and still-queued cases.
+
+Fixes: 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain")
+Signed-off-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
+Link: https://patch.msgid.link/20260604142559.3840881-1-eilaimemedsnaimel@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/pcm_native.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
+index 214210c8747458..c1b7ee1f3e7463 100644
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -2180,9 +2180,8 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
+ drain_no_period_wakeup = to_check->no_period_wakeup;
+ drain_rate = to_check->rate;
+ drain_bufsz = to_check->buffer_size;
+- init_waitqueue_entry(&wait, current);
+- set_current_state(TASK_INTERRUPTIBLE);
+- add_wait_queue(&to_check->sleep, &wait);
++ init_wait_entry(&wait, 0);
++ prepare_to_wait(&to_check->sleep, &wait, TASK_INTERRUPTIBLE);
+ snd_pcm_stream_unlock_irq(substream);
+ if (drain_no_period_wakeup)
+ tout = MAX_SCHEDULE_TIMEOUT;
+@@ -2200,7 +2199,7 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
+ group = snd_pcm_stream_group_ref(substream);
+ snd_pcm_group_for_each_entry(s, substream) {
+ if (s->runtime == to_check) {
+- remove_wait_queue(&to_check->sleep, &wait);
++ finish_wait(&to_check->sleep, &wait);
+ break;
+ }
+ }
+--
+2.53.0
+
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch
+signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
+time-fix-off-by-one-in-settimeofday-usec-validation.patch
+alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch
--- /dev/null
+From f141038e64aa8546a53cc59cef4df3773a972b23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2026 16:22:40 +0200
+Subject: signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
+
+From: Aleksandr Nogikh <nogikh@google.com>
+
+[ Upstream commit 90918794a4e2c3b440f8fcf3847765a8b1d81b25 ]
+
+When a multi-threaded process receives a stop signal (e.g., SIGSTOP),
+do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all
+threads and sets signal->group_stop_count to the number of threads. If
+one of the threads concurrently calls execve(), de_thread() invokes
+zap_other_threads() to kill all other threads. zap_other_threads()
+aborts the pending group stop by resetting signal->group_stop_count to 0
+and clears the JOBCTL_PENDING_MASK for all other threads. However, it
+fails to clear the job control flags for the calling thread.
+
+When execve() completes, the calling thread returns to user mode and
+checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag,
+it calls do_signal_stop(), which invokes task_participate_group_stop().
+Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the
+already-zero signal->group_stop_count, triggering a warning:
+
+sig->group_stop_count == 0
+WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373
+task_participate_group_stop+0x215/0x2d0
+Call Trace:
+ <TASK>
+ do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619
+ get_signal+0xa8c/0x1330 kernel/signal.c:2884
+ arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337
+ exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98
+ do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+Fix this race condition by clearing the JOBCTL_PENDING_MASK for the
+calling thread in zap_other_threads(), ensuring it does not retain any
+stale job control state after the thread group is destroyed. This aligns
+with other functions that tear down a thread group and abort group
+stops, such as zap_process() and complete_signal(), which correctly
+clear these flags for all threads including the current one.
+
+Fixes: 39efa3ef3a37 ("signal: Use GROUP_STOP_PENDING to stop once for a single group stop")
+Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot
+Reported-by: syzbot+b109633ea805cac54a61@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b109633ea805cac54a61
+Link: https://syzkaller.appspot.com/ai_job?id=d70208cc-862b-4fe3-bf02-3031e10cd0b3
+Signed-off-by: Aleksandr Nogikh <nogikh@google.com>
+Link: https://patch.msgid.link/20260521142240.2973022-1-nogikh@google.com
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/signal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 49c8c24b444d5e..3a484ea4bab658 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1382,6 +1382,7 @@ int zap_other_threads(struct task_struct *p)
+ int count = 0;
+
+ p->signal->group_stop_count = 0;
++ task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK);
+
+ while_each_thread(p, t) {
+ task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
+--
+2.53.0
+
--- /dev/null
+From 20dd1a051ef06269b0abd44c21627f23ebdd1838 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jun 2026 23:37:37 +0530
+Subject: time: Fix off-by-one in settimeofday() usec validation
+
+From: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
+
+[ Upstream commit ce4abda5e12622f33450159e76c8f56d28d7f03d ]
+
+The validation check uses '>' instead of '>=' when comparing tv_usec
+against USEC_PER_SEC, allowing the value 1000000 through. After
+conversion to nanoseconds (*= 1000), this produces tv_nsec ==
+NSEC_PER_SEC, violating the timespec invariant that tv_nsec must be
+less than NSEC_PER_SEC.
+
+Use '>=' to reject tv_usec values that are not in the valid range of
+0 to 999999.
+
+Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()")
+Signed-off-by: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Acked-by: John Stultz <jstultz@google.com>
+Link: https://patch.msgid.link/4rikk44zew3s6577dugmx4jyblz7o5c57niuap6ct3td5yfm6w@gh7pcumg7qor
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/time/time.c b/kernel/time/time.c
+index da7e8a02a0964f..a6261fadb92b15 100644
+--- a/kernel/time/time.c
++++ b/kernel/time/time.c
+@@ -207,7 +207,7 @@ SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv,
+ get_user(new_ts.tv_nsec, &tv->tv_usec))
+ return -EFAULT;
+
+- if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0)
++ if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0)
+ return -EINVAL;
+
+ new_ts.tv_nsec *= NSEC_PER_USEC;
+--
+2.53.0
+
--- /dev/null
+From 999d85820e4d5fd9c6ce65f9ebd26f5eca742d29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2026 14:25:59 +0000
+Subject: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on
+ linked streams
+
+From: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
+
+[ Upstream commit 88fe2e3658726cb21ff2dcf9770bf672f9b9d31b ]
+
+snd_pcm_drain() uses init_waitqueue_entry which does not clear
+entry.prev/next, and add_wait_queue with a conditional
+remove_wait_queue that is skipped when to_check is no longer
+in the group after concurrent UNLINK. The orphaned wait entry
+remains on the unlinked substream sleep queue. On the next
+drain iteration, add_wait_queue adds the entry to a new queue
+while still linked on the old one, corrupting both lists. A
+subsequent wake_up dereferences NULL at the func pointer
+(mapped from the spinlock at offset 0 of the misinterpreted
+wait_queue_head_t), causing a kernel panic.
+
+Replace init_waitqueue_entry/add_wait_queue/conditional
+remove_wait_queue with init_wait_entry/prepare_to_wait/
+finish_wait. init_wait_entry clears prev/next via
+INIT_LIST_HEAD on each iteration and sets
+autoremove_wake_function which auto-removes the entry on
+wake-up. finish_wait safely handles both the already-removed
+and still-queued cases.
+
+Fixes: 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain")
+Signed-off-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
+Link: https://patch.msgid.link/20260604142559.3840881-1-eilaimemedsnaimel@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/pcm_native.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
+index 5a64453da7283a..6fd479d135a4d1 100644
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -2176,9 +2176,8 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
+ drain_no_period_wakeup = to_check->no_period_wakeup;
+ drain_rate = to_check->rate;
+ drain_bufsz = to_check->buffer_size;
+- init_waitqueue_entry(&wait, current);
+- set_current_state(TASK_INTERRUPTIBLE);
+- add_wait_queue(&to_check->sleep, &wait);
++ init_wait_entry(&wait, 0);
++ prepare_to_wait(&to_check->sleep, &wait, TASK_INTERRUPTIBLE);
+ snd_pcm_stream_unlock_irq(substream);
+ if (drain_no_period_wakeup)
+ tout = MAX_SCHEDULE_TIMEOUT;
+@@ -2196,7 +2195,7 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream,
+ group = snd_pcm_stream_group_ref(substream);
+ snd_pcm_group_for_each_entry(s, substream) {
+ if (s->runtime == to_check) {
+- remove_wait_queue(&to_check->sleep, &wait);
++ finish_wait(&to_check->sleep, &wait);
+ break;
+ }
+ }
+--
+2.53.0
+
--- /dev/null
+From de06b322e9d5b20b975caf2c33d916a95f0502d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jun 2026 01:02:04 -0700
+Subject: ALSA: seq: dummy: fix UMP event stack overread
+
+From: Kyle Zeng <kylebot@openai.com>
+
+[ Upstream commit 2b5ff4db5d7aa5b981d966df02e687f79ad7b311 ]
+
+The dummy sequencer port forwards events by copying an incoming
+struct snd_seq_event into a stack temporary, rewriting source and
+destination, and dispatching the temporary to subscribers. That legacy
+event storage is smaller than struct snd_seq_ump_event.
+
+When a UMP event reaches the dummy client, the copy leaves the UMP flag
+set but only provides legacy-sized stack storage. The subscriber
+delivery path then uses snd_seq_event_packet_size() and copies a
+UMP-sized packet from that stack object, reading past the end of the
+temporary.
+
+Use the existing union __snd_seq_event storage and copy the packet size
+reported for the incoming event before rewriting the common routing
+fields. This preserves the full UMP packet for UMP events while keeping
+legacy event handling unchanged.
+
+Fixes: 32cb23a0f911 ("ALSA: seq: dummy: Allow UMP conversion")
+Signed-off-by: Kyle Zeng <kylebot@openai.com>
+Link: https://patch.msgid.link/20260605080204.32045-1-kylebot@openai.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_dummy.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/sound/core/seq/seq_dummy.c b/sound/core/seq/seq_dummy.c
+index af45f328ae9901..8abe80985daddb 100644
+--- a/sound/core/seq/seq_dummy.c
++++ b/sound/core/seq/seq_dummy.c
+@@ -9,6 +9,7 @@
+ #include <linux/module.h>
+ #include <sound/core.h>
+ #include "seq_clientmgr.h"
++#include "seq_memory.h"
+ #include <sound/initval.h>
+ #include <sound/asoundef.h>
+
+@@ -81,19 +82,21 @@ dummy_input(struct snd_seq_event *ev, int direct, void *private_data,
+ int atomic, int hop)
+ {
+ struct snd_seq_dummy_port *p;
+- struct snd_seq_event tmpev;
++ union __snd_seq_event tmpev;
++ size_t size;
+
+ p = private_data;
+ if (ev->source.client == SNDRV_SEQ_CLIENT_SYSTEM ||
+ ev->type == SNDRV_SEQ_EVENT_KERNEL_ERROR)
+ return 0; /* ignore system messages */
+- tmpev = *ev;
++ size = snd_seq_event_packet_size(ev);
++ memcpy(&tmpev, ev, size);
+ if (p->duplex)
+- tmpev.source.port = p->connect;
++ tmpev.legacy.source.port = p->connect;
+ else
+- tmpev.source.port = p->port;
+- tmpev.dest.client = SNDRV_SEQ_ADDRESS_SUBSCRIBERS;
+- return snd_seq_kernel_client_dispatch(p->client, &tmpev, atomic, hop);
++ tmpev.legacy.source.port = p->port;
++ tmpev.legacy.dest.client = SNDRV_SEQ_ADDRESS_SUBSCRIBERS;
++ return snd_seq_kernel_client_dispatch(p->client, &tmpev.legacy, atomic, hop);
+ }
+
+ /*
+--
+2.53.0
+
--- /dev/null
+From 8846d8416cd1b67661d75bb6d10092a1b9e32e7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 May 2026 09:38:44 +0200
+Subject: crypto: s390 - add select CRYPTO_AEAD for aes
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit ecf3edd349dfabee9bc8a46c5ff91c9ebd858d48 ]
+
+The aes driver registers both skcipher and aead algorithms,
+but when aead is not enabled this causes a link failure:
+
+s390-linux-ld: arch/s390/crypto/aes_s390.o: in function `aes_s390_fini':
+arch/s390/crypto/aes_s390.c:969:(.text+0x115e): undefined reference to `crypto_unregister_aead'
+s390-linux-ld: arch/s390/crypto/aes_s390.o: in function `aes_s390_init':
+arch/s390/crypto/aes_s390.c:1028:(.init.text+0x294): undefined reference to `crypto_register_aead'
+
+Add the missing 'select' statement.
+
+Fixes: bf7fa038707c ("s390/crypto: add s390 platform specific aes gcm support.")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/crypto/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/s390/crypto/Kconfig b/arch/s390/crypto/Kconfig
+index 79a2d0034258b6..1b12856acfbcb7 100644
+--- a/arch/s390/crypto/Kconfig
++++ b/arch/s390/crypto/Kconfig
+@@ -14,6 +14,7 @@ config CRYPTO_GHASH_S390
+
+ config CRYPTO_AES_S390
+ tristate "Ciphers: AES, modes: ECB, CBC, CTR, XTS, GCM"
++ select CRYPTO_AEAD
+ select CRYPTO_SKCIPHER
+ help
+ AEAD cipher: AES with GCM
+--
+2.53.0
+
--- /dev/null
+From f20b91f40fea3153d840236b9ebf00a4e30d2bea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Feb 2026 10:23:34 -0800
+Subject: Drivers: hv: vmbus: Provide option to skip VMBus unload on panic
+
+From: Michael Kelley <mhklinux@outlook.com>
+
+[ Upstream commit c5c3ef8d49e15d2fc1cec4ad7c91d81b99977440 ]
+
+Currently, VMBus code initiates a VMBus unload in the panic path so
+that if a kdump kernel is loaded, it can start fresh in setting up its
+own VMBus connection. However, a driver for the VMBus virtual frame
+buffer may need to flush dirty portions of the frame buffer back to
+the Hyper-V host so that panic information is visible in the graphics
+console. To support such flushing, provide exported functions for the
+frame buffer driver to specify that the VMBus unload should not be
+done by the VMBus driver, and to initiate the VMBus unload itself.
+Together these allow a frame buffer driver to delay the VMBus unload
+until after it has completed the flush.
+
+Ideally, the VMBus driver could use its own panic-path callback to do
+the unload after all frame buffer drivers have finished. But DRM frame
+buffer drivers use the kmsg dump callback, and there are no callbacks
+after that in the panic path. Hence this somewhat messy approach to
+properly sequencing the frame buffer flush and the VMBus unload.
+
+Fixes: 3671f3777758 ("drm/hyperv: Add support for drm_panic")
+Signed-off-by: Michael Kelley <mhklinux@outlook.com>
+Reviewed-by: Long Li <longli@microsoft.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hv/channel_mgmt.c | 1 +
+ drivers/hv/hyperv_vmbus.h | 1 -
+ drivers/hv/vmbus_drv.c | 25 ++++++++++++++++++-------
+ include/linux/hyperv.h | 3 +++
+ 4 files changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
+index 7c77ada12b2e94..327d05ccf41683 100644
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -944,6 +944,7 @@ void vmbus_initiate_unload(bool crash)
+ else
+ vmbus_wait_for_unload();
+ }
++EXPORT_SYMBOL_GPL(vmbus_initiate_unload);
+
+ static void vmbus_setup_channel_state(struct vmbus_channel *channel,
+ struct vmbus_channel_offer_channel *offer)
+diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
+index 7bd8f8486e858c..592a16303b3bed 100644
+--- a/drivers/hv/hyperv_vmbus.h
++++ b/drivers/hv/hyperv_vmbus.h
+@@ -440,7 +440,6 @@ void hv_vss_deinit(void);
+ int hv_vss_pre_suspend(void);
+ int hv_vss_pre_resume(void);
+ void hv_vss_onchannelcallback(void *context);
+-void vmbus_initiate_unload(bool crash);
+
+ static inline void hv_poll_channel(struct vmbus_channel *channel,
+ void (*cb)(void *))
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index 3d2827477f0a54..59fc09d73a05d0 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -70,19 +70,29 @@ bool vmbus_is_confidential(void)
+ }
+ EXPORT_SYMBOL_GPL(vmbus_is_confidential);
+
++static bool skip_vmbus_unload;
++
++/*
++ * Allow a VMBus framebuffer driver to specify that in the case of a panic,
++ * it will do the VMbus unload operation once it has flushed any dirty
++ * portions of the framebuffer to the Hyper-V host.
++ */
++void vmbus_set_skip_unload(bool skip)
++{
++ skip_vmbus_unload = skip;
++}
++EXPORT_SYMBOL_GPL(vmbus_set_skip_unload);
++
+ /*
+ * The panic notifier below is responsible solely for unloading the
+ * vmbus connection, which is necessary in a panic event.
+- *
+- * Notice an intrincate relation of this notifier with Hyper-V
+- * framebuffer panic notifier exists - we need vmbus connection alive
+- * there in order to succeed, so we need to order both with each other
+- * [see hvfb_on_panic()] - this is done using notifiers' priorities.
+ */
+ static int hv_panic_vmbus_unload(struct notifier_block *nb, unsigned long val,
+ void *args)
+ {
+- vmbus_initiate_unload(true);
++ if (!skip_vmbus_unload)
++ vmbus_initiate_unload(true);
++
+ return NOTIFY_DONE;
+ }
+ static struct notifier_block hyperv_panic_vmbus_unload_block = {
+@@ -2903,7 +2913,8 @@ static void hv_crash_handler(struct pt_regs *regs)
+ {
+ int cpu;
+
+- vmbus_initiate_unload(true);
++ if (!skip_vmbus_unload)
++ vmbus_initiate_unload(true);
+ /*
+ * In crash handler we can't schedule synic cleanup for all CPUs,
+ * doing the cleanup for current CPU only. This should be sufficient
+diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h
+index dfc516c1c7193f..b0502a336eb3a5 100644
+--- a/include/linux/hyperv.h
++++ b/include/linux/hyperv.h
+@@ -1334,6 +1334,9 @@ int vmbus_allocate_mmio(struct resource **new, struct hv_device *device_obj,
+ bool fb_overlap_ok);
+ void vmbus_free_mmio(resource_size_t start, resource_size_t size);
+
++void vmbus_initiate_unload(bool crash);
++void vmbus_set_skip_unload(bool skip);
++
+ /*
+ * GUID definitions of various offer types - services offered to the guest.
+ */
+--
+2.53.0
+
--- /dev/null
+From 84281d65baede39621f2f0c7dcc018e91e8d737d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Feb 2026 10:23:35 -0800
+Subject: drm/hyperv: During panic do VMBus unload after frame buffer is
+ flushed
+
+From: Michael Kelley <mhklinux@outlook.com>
+
+[ Upstream commit 8b35874f56ded0cc1a90a25b87411249a86246cd ]
+
+In a VM, Linux panic information (reason for the panic, stack trace,
+etc.) may be written to a serial console and/or a virtual frame buffer
+for a graphics console. The latter may need to be flushed back to the
+host hypervisor for display.
+
+The current Hyper-V DRM driver for the frame buffer does the flushing
+*after* the VMBus connection has been unloaded, such that panic messages
+are not displayed on the graphics console. A user with a Hyper-V graphics
+console is left with just a hung empty screen after a panic. The enhanced
+control that DRM provides over the panic display in the graphics console
+is similarly non-functional.
+
+Commit 3671f3777758 ("drm/hyperv: Add support for drm_panic") added
+the Hyper-V DRM driver support to flush the virtual frame buffer. It
+provided necessary functionality but did not handle the sequencing
+problem with VMBus unload.
+
+Fix the full problem by using VMBus functions to suppress the VMBus
+unload that is normally done by the VMBus driver in the panic path. Then
+after the frame buffer has been flushed, do the VMBus unload so that a
+kdump kernel can start cleanly. As expected, CONFIG_DRM_PANIC must be
+selected for these changes to have effect. As a side benefit, the
+enhanced features of the DRM panic path are also functional.
+
+Fixes: 3671f3777758 ("drm/hyperv: Add support for drm_panic")
+Signed-off-by: Michael Kelley <mhklinux@outlook.com>
+Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/hyperv/hyperv_drm_drv.c | 5 +++++
+ drivers/gpu/drm/hyperv/hyperv_drm_modeset.c | 15 ++++++++-------
+ 2 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/hyperv/hyperv_drm_drv.c b/drivers/gpu/drm/hyperv/hyperv_drm_drv.c
+index 06b5d96e6eaf6b..b6bf6412ae34ac 100644
+--- a/drivers/gpu/drm/hyperv/hyperv_drm_drv.c
++++ b/drivers/gpu/drm/hyperv/hyperv_drm_drv.c
+@@ -150,6 +150,10 @@ static int hyperv_vmbus_probe(struct hv_device *hdev,
+ goto err_free_mmio;
+ }
+
++ /* If DRM panic path is stubbed out VMBus code must do the unload */
++ if (IS_ENABLED(CONFIG_DRM_PANIC))
++ vmbus_set_skip_unload(true);
++
+ drm_client_setup(dev, NULL);
+
+ return 0;
+@@ -169,6 +173,7 @@ static void hyperv_vmbus_remove(struct hv_device *hdev)
+ struct drm_device *dev = hv_get_drvdata(hdev);
+ struct hyperv_drm_device *hv = to_hv(dev);
+
++ vmbus_set_skip_unload(false);
+ drm_dev_unplug(dev);
+ drm_atomic_helper_shutdown(dev);
+ vmbus_close(hdev->channel);
+diff --git a/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c b/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c
+index 7978f8c8108c23..d48ca6c23b7c5e 100644
+--- a/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c
++++ b/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c
+@@ -212,15 +212,16 @@ static void hyperv_plane_panic_flush(struct drm_plane *plane)
+ struct hyperv_drm_device *hv = to_hv(plane->dev);
+ struct drm_rect rect;
+
+- if (!plane->state || !plane->state->fb)
+- return;
++ if (plane->state && plane->state->fb) {
++ rect.x1 = 0;
++ rect.y1 = 0;
++ rect.x2 = plane->state->fb->width;
++ rect.y2 = plane->state->fb->height;
+
+- rect.x1 = 0;
+- rect.y1 = 0;
+- rect.x2 = plane->state->fb->width;
+- rect.y2 = plane->state->fb->height;
++ hyperv_update_dirt(hv->hdev, &rect);
++ }
+
+- hyperv_update_dirt(hv->hdev, &rect);
++ vmbus_initiate_unload(true);
+ }
+
+ static const struct drm_plane_helper_funcs hyperv_plane_helper_funcs = {
+--
+2.53.0
+
--- /dev/null
+From bb393c7046fe6e07cb78b109867e72638066a2c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 May 2026 12:21:01 -0700
+Subject: hyperv: Clean up and fix the guest ID comment in hvgdk.h
+
+From: Dexuan Cui <decui@microsoft.com>
+
+[ Upstream commit 83eb00f31eb1b10735d48e469df72cc2b0e06f6d ]
+
+Change the "64 bit" to "64-bit", and the "Os" to "OS".
+
+Remove the obsolete paragraph since the guideline has been
+published in the Hypervisor Top Level Functional Specification
+for many years.
+
+The "OS Type" is 0x1 for Linux, not 0x100.
+
+No functional change.
+
+Fixes: 83ba0c4f3f31 ("Drivers: hv: Cleanup the guest ID computation")
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Reviewed-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/hyperv/hvgdk.h | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/include/hyperv/hvgdk.h b/include/hyperv/hvgdk.h
+index 384c3f3ff4a525..f538144280ca55 100644
+--- a/include/hyperv/hvgdk.h
++++ b/include/hyperv/hvgdk.h
+@@ -10,18 +10,12 @@
+
+ /*
+ * The guest OS needs to register the guest ID with the hypervisor.
+- * The guest ID is a 64 bit entity and the structure of this ID is
++ * The guest ID is a 64-bit entity and the structure of this ID is
+ * specified in the Hyper-V TLFS specification.
+ *
+- * While the current guideline does not specify how Linux guest ID(s)
+- * need to be generated, our plan is to publish the guidelines for
+- * Linux and other guest operating systems that currently are hosted
+- * on Hyper-V. The implementation here conforms to this yet
+- * unpublished guidelines.
+- *
+ * Bit(s)
+ * 63 - Indicates if the OS is Open Source or not; 1 is Open Source
+- * 62:56 - Os Type; Linux is 0x100
++ * 62:56 - OS Type; Linux is 0x1
+ * 55:48 - Distro specific identification
+ * 47:16 - Linux kernel version number
+ * 15:0 - Distro specific identification
+--
+2.53.0
+
--- /dev/null
+From bbefbb454d700d78044c1b5fac269439881a29af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 May 2026 12:19:37 +0200
+Subject: regulator: mt6363: select CONFIG_IRQ_DOMAIN
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 29d87434cb91b7689de2917830ca82acfd2770f5 ]
+
+When build-testing this driver without CONFIG_IRQ_DOMAIN causes
+a compile-time error:
+
+drivers/regulator/mt6363-regulator.c: In function 'mt6363_regulator_probe':
+drivers/regulator/mt6363-regulator.c:884:18: error: implicit declaration of function 'irq_find_host' [-Wimplicit-function-declaration]
+ 884 | domain = irq_find_host(interrupt_parent);
+ | ^~~~~~~~~~~~~
+drivers/regulator/mt6363-regulator.c:884:16: error: assignment to 'struct irq_domain *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
+ 884 | domain = irq_find_host(interrupt_parent);
+ | ^
+drivers/regulator/mt6363-regulator.c:896:30: error: implicit declaration of function 'irq_create_fwspec_mapping'; did you mean 'irq_create_of_mapping'? [-Wimplicit-function-declaration]
+ 896 | info->virq = irq_create_fwspec_mapping(&fwspec);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~
+ | irq_create_of_mapping
+
+This is rather hard to trigger because so many other drivers
+enable IRQ_DOMAIN already, but I ran into this on an s390
+randconfig build.
+
+Ensure this is always enabled using a Kconfig 'select IRQ_DOMAIN'
+entry, as we do for all other users of this.
+
+Fixes: 3c36965df808 ("regulator: Add support for MediaTek MT6363 SPMI PMIC Regulators")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://patch.msgid.link/20260526102003.2527570-1-arnd@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/regulator/Kconfig b/drivers/regulator/Kconfig
+index d10b6f9243d515..426642d7a02c0c 100644
+--- a/drivers/regulator/Kconfig
++++ b/drivers/regulator/Kconfig
+@@ -977,6 +977,7 @@ config REGULATOR_MT6363
+ tristate "MT6363 SPMI PMIC regulator driver"
+ depends on SPMI
+ select REGMAP_SPMI
++ select IRQ_DOMAIN
+ help
+ Say Y here to enable support for regulators found in the MediaTek
+ MT6363 SPMI PMIC.
+--
+2.53.0
+
--- /dev/null
+From 3234a79b5329048297cca3fcd42af15054ed3bdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jun 2026 11:08:54 +0800
+Subject: rseq: Fix using an uninitialized stack variable in
+ rseq_exit_user_update()
+
+From: Qing Wang <wangqing7171@gmail.com>
+
+[ Upstream commit 6d99479799c69c3cb588fcda19c81d8f61d64ecd ]
+
+There is an bug in which an uninitialized stack variable is used in
+rseq_exit_user_update() as reported by syzbot:
+
+BUG: KMSAN: kernel-infoleak in rseq_set_ids_get_csaddr include/linux/rseq_entry.h:502 [inline]
+
+The local variable:
+
+ struct rseq_ids ids = {
+ .cpu_id = task_cpu(t),
+ .mm_cid = task_mm_cid(t),
+ .node_id = cpu_to_node(ids.cpu_id),
+ };
+
+According to the C standard, the evaluation order of expressions in an
+initializer list is indeterminately sequenced. The compiler (Clang, in
+this KMSAN build) evaluates `cpu_to_node(ids.cpu_id)` *before*
+`ids.cpu_id` is initialized with `task_cpu(t)`.
+
+This is fixed by moving the assignment of ids.node_id outside the
+structure initialization.
+
+Fixes: 82f572449cfe ("rseq: Implement read only ABI enforcement for optimized RSEQ V2 mode")
+Closes: https://syzkaller.appspot.com/bug?extid=185a631927096f9da2fc
+Reported-by: syzbot+185a631927096f9da2fc@syzkaller.appspotmail.com
+Signed-off-by: Qing Wang <wangqing7171@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://patch.msgid.link/20260602030854.574038-1-wangqing7171@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/rseq_entry.h | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/rseq_entry.h b/include/linux/rseq_entry.h
+index 413a3543fbe8ed..69bdb93951b904 100644
+--- a/include/linux/rseq_entry.h
++++ b/include/linux/rseq_entry.h
+@@ -625,10 +625,11 @@ static __always_inline bool rseq_exit_user_update(struct pt_regs *regs, struct t
+ return true;
+ }
+
++ int cpu = task_cpu(t);
+ struct rseq_ids ids = {
+- .cpu_id = task_cpu(t),
++ .cpu_id = cpu,
+ .mm_cid = task_mm_cid(t),
+- .node_id = cpu_to_node(ids.cpu_id),
++ .node_id = cpu_to_node(cpu),
+ };
+
+ return rseq_update_usr(t, regs, &ids);
+--
+2.53.0
+
--- /dev/null
+From 97b4a0962f727acf88d18c07cc5afcda11b66647 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Apr 2026 17:45:28 +0800
+Subject: selftests: harness: fix pidfd leak in __wait_for_test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geliang Tang <tanggeliang@kylinos.cn>
+
+[ Upstream commit 0eb307d61317b42b120ab02099b597226318358a ]
+
+Fix the pidfd leak in kselftest_harness.h's __wait_for_test() where
+childfd = syscall(__NR_pidfd_open, t->pid, 0) is never closed.
+
+Fixes: 73a3cde97677 ("selftests: harness: Implement test timeouts through pidfd")
+Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
+Link: https://patch.msgid.link/a82e275ccfb2609a1984d90ab559fa3af78f1e81.1776678050.git.tanggeliang@kylinos.cn
+Reviewed-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kselftest_harness.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h
+index 4afaef01c22e97..27d1bf5fd86180 100644
+--- a/tools/testing/selftests/kselftest_harness.h
++++ b/tools/testing/selftests/kselftest_harness.h
+@@ -996,6 +996,7 @@ static void __wait_for_test(struct __test_metadata *t)
+ poll_child.fd = childfd;
+ poll_child.events = POLLIN;
+ ret = poll(&poll_child, 1, t->timeout * 1000);
++ close(childfd);
+ if (ret == -1) {
+ t->exit_code = KSFT_FAIL;
+ fprintf(TH_LOG_STREAM,
+--
+2.53.0
+
reapply-bnxt_en-bring-back-rtnl_lock-in-the-bnxt_ope.patch
i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
+drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch
+drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch
+selftests-harness-fix-pidfd-leak-in-__wait_for_test.patch
+signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
+regulator-mt6363-select-config_irq_domain.patch
+hyperv-clean-up-and-fix-the-guest-id-comment-in-hvgd.patch
+vfs-fix-possible-failure-to-unlock-in-nfsd4_create_f.patch
+crypto-s390-add-select-crypto_aead-for-aes.patch
+rseq-fix-using-an-uninitialized-stack-variable-in-rs.patch
+time-fix-off-by-one-in-settimeofday-usec-validation.patch
+alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch
+alsa-seq-dummy-fix-ump-event-stack-overread.patch
+x86-resctrl-only-check-intel-systems-for-snc.patch
--- /dev/null
+From 5e8acff25f8aa5346a6040274440b28dd94cbf50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2026 16:22:40 +0200
+Subject: signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
+
+From: Aleksandr Nogikh <nogikh@google.com>
+
+[ Upstream commit 90918794a4e2c3b440f8fcf3847765a8b1d81b25 ]
+
+When a multi-threaded process receives a stop signal (e.g., SIGSTOP),
+do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all
+threads and sets signal->group_stop_count to the number of threads. If
+one of the threads concurrently calls execve(), de_thread() invokes
+zap_other_threads() to kill all other threads. zap_other_threads()
+aborts the pending group stop by resetting signal->group_stop_count to 0
+and clears the JOBCTL_PENDING_MASK for all other threads. However, it
+fails to clear the job control flags for the calling thread.
+
+When execve() completes, the calling thread returns to user mode and
+checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag,
+it calls do_signal_stop(), which invokes task_participate_group_stop().
+Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the
+already-zero signal->group_stop_count, triggering a warning:
+
+sig->group_stop_count == 0
+WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373
+task_participate_group_stop+0x215/0x2d0
+Call Trace:
+ <TASK>
+ do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619
+ get_signal+0xa8c/0x1330 kernel/signal.c:2884
+ arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337
+ exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98
+ do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+Fix this race condition by clearing the JOBCTL_PENDING_MASK for the
+calling thread in zap_other_threads(), ensuring it does not retain any
+stale job control state after the thread group is destroyed. This aligns
+with other functions that tear down a thread group and abort group
+stops, such as zap_process() and complete_signal(), which correctly
+clear these flags for all threads including the current one.
+
+Fixes: 39efa3ef3a37 ("signal: Use GROUP_STOP_PENDING to stop once for a single group stop")
+Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot
+Reported-by: syzbot+b109633ea805cac54a61@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b109633ea805cac54a61
+Link: https://syzkaller.appspot.com/ai_job?id=d70208cc-862b-4fe3-bf02-3031e10cd0b3
+Signed-off-by: Aleksandr Nogikh <nogikh@google.com>
+Link: https://patch.msgid.link/20260521142240.2973022-1-nogikh@google.com
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/signal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index d65d0fe24bfb8c..1c9b5bf8126e01 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1340,6 +1340,7 @@ int zap_other_threads(struct task_struct *p)
+ int count = 0;
+
+ p->signal->group_stop_count = 0;
++ task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK);
+
+ for_other_threads(p, t) {
+ task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
+--
+2.53.0
+
--- /dev/null
+From 991b4851c558846043f0acb748aceb046c32ae16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jun 2026 23:37:37 +0530
+Subject: time: Fix off-by-one in settimeofday() usec validation
+
+From: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
+
+[ Upstream commit ce4abda5e12622f33450159e76c8f56d28d7f03d ]
+
+The validation check uses '>' instead of '>=' when comparing tv_usec
+against USEC_PER_SEC, allowing the value 1000000 through. After
+conversion to nanoseconds (*= 1000), this produces tv_nsec ==
+NSEC_PER_SEC, violating the timespec invariant that tv_nsec must be
+less than NSEC_PER_SEC.
+
+Use '>=' to reject tv_usec values that are not in the valid range of
+0 to 999999.
+
+Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()")
+Signed-off-by: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Acked-by: John Stultz <jstultz@google.com>
+Link: https://patch.msgid.link/4rikk44zew3s6577dugmx4jyblz7o5c57niuap6ct3td5yfm6w@gh7pcumg7qor
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/time/time.c b/kernel/time/time.c
+index 0d832317d5766a..771cef87ad3b0a 100644
+--- a/kernel/time/time.c
++++ b/kernel/time/time.c
+@@ -207,7 +207,7 @@ SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv,
+ get_user(new_ts.tv_nsec, &tv->tv_usec))
+ return -EFAULT;
+
+- if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0)
++ if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0)
+ return -EINVAL;
+
+ new_ts.tv_nsec *= NSEC_PER_USEC;
+--
+2.53.0
+
--- /dev/null
+From 9cbae74b1410efacb9733c9348cdc17065d7f8e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 May 2026 16:23:45 +1000
+Subject: VFS: fix possible failure to unlock in nfsd4_create_file()
+
+From: NeilBrown <neilb@ownmail.net>
+
+[ Upstream commit e824bbd4d224cce4b5fb59cc9dcd3447fe0b7e44 ]
+
+atomic_create() in fs/namei.c drops the reference to the dentry
+when it returns an error.
+This behaviour was imported into dentry_create() so that it
+will drop the reference if an error is returned from atomic_create(),
+though not if vfs_create() returns an error (in the case where
+->atomic_create is not supported).
+
+The caller - nfsd4_create_file() - is made aware of this by checking
+path->dentry, which will either be a counted reference to a dentry, or
+an error pointer.
+
+However the change to use start_creating()/end_creating() (which landed
+shortly before the dentry_create() change landed, though was likely
+developed around the same time) means that nfsd4_create_file() *needs* a
+valid dentry so that it can unlock the parent.
+
+The net result is that if NFSD exports a filesystem which uses
+->atomic_create, and if a call to ->atomic_create returns an error, then
+nfsd4_create_file() will pass an error pointer to end_creating()
+and the parent will not be unlocked.
+
+Fix this by changing dentry_create() to make sure path->dentry is always
+a valid dentry, never an error-pointer. The actual error is already
+returned a different way.
+
+Note that if ->atomic_create() returns a different dentry (which may not
+be possible in practice) we are guaranteed (because it is only ever
+provided by d_spliace_alias()) that it will have the same d_parent and
+so it will have the same effect when passed to end_creating().
+
+Fixes: 64a989dbd144 ("VFS/knfsd: Teach dentry_create() to use atomic_open()")
+Signed-off-by: NeilBrown <neil@brown.name>
+Link: https://patch.msgid.link/177969022571.3379282.16448744624428323496@noble.neil.brown.name
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Benjamin Coddington <bcodding@hammerspace.com>
+Reviewed-by: Jori Koolstra <jkoolstra@xs4all.nl>
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/namei.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index 9e5500dad14f59..d615cd62885198 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -5002,6 +5002,7 @@ struct file *dentry_create(struct path *path, int flags, umode_t mode,
+ {
+ struct file *file __free(fput) = NULL;
+ struct dentry *dentry = path->dentry;
++ struct dentry *orig_dentry = dentry;
+ struct dentry *dir = dentry->d_parent;
+ struct inode *dir_inode = d_inode(dir);
+ struct mnt_idmap *idmap;
+@@ -5021,9 +5022,18 @@ struct file *dentry_create(struct path *path, int flags, umode_t mode,
+ if (create_error)
+ flags &= ~O_CREAT;
+
++ /* atomic_open will dput(dentry) on error */
++ dget(orig_dentry);
+ dentry = atomic_open(path, dentry, file, flags, mode);
+ error = PTR_ERR_OR_ZERO(dentry);
+
++ if (IS_ERR(dentry))
++ /* keep the original */
++ dentry = orig_dentry;
++ else
++ /* Drop the extra reference */
++ dput(orig_dentry);
++
+ if (unlikely(create_error) && error == -ENOENT)
+ error = create_error;
+
+--
+2.53.0
+
--- /dev/null
+From 090b5b243ddbe79e44566c83f6f85164b36fe371 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2026 21:46:49 -0700
+Subject: x86/resctrl: Only check Intel systems for SNC
+
+From: Tony Luck <tony.luck@intel.com>
+
+[ Upstream commit 6f6947b2387e94e405f80d472f8a189bfbf2bd6c ]
+
+topology_num_nodes_per_package() reports values greater than one on certain
+AMD systems resulting in resctrl's Intel model specific SNC detection
+printing the confusing message:
+
+ "CoD enabled system? Resctrl not supported"
+
+Add a check for Intel systems before looking at the topology.
+
+[ reinette: Add Closes tag, fix tag typos, rework changelog ]
+
+Fixes: 59674fc9d0bf ("x86/resctrl: Fix SNC detection")
+Reported-by: Babu Moger <babu.moger@amd.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Tested-by: Babu Moger <babu.moger@amd.com>
+Link: https://patch.msgid.link/9849330f45ac86344cc5ac54df2d313906d70bc4.1780634584.git.reinette.chatre@intel.com
+Closes: https://lore.kernel.org/lkml/37ac0376-43a3-4283-a3d5-4d57b3bec578@amd.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/resctrl/monitor.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/resctrl/monitor.c b/arch/x86/kernel/cpu/resctrl/monitor.c
+index 9bd87bae498342..59215fef3924c8 100644
+--- a/arch/x86/kernel/cpu/resctrl/monitor.c
++++ b/arch/x86/kernel/cpu/resctrl/monitor.c
+@@ -377,7 +377,12 @@ static const struct x86_cpu_id snc_cpu_ids[] __initconst = {
+
+ static __init int snc_get_config(void)
+ {
+- int ret = topology_num_nodes_per_package();
++ int ret;
++
++ if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL)
++ return 1;
++
++ ret = topology_num_nodes_per_package();
+
+ if (ret > 1 && !x86_match_cpu(snc_cpu_ids)) {
+ pr_warn("CoD enabled system? Resctrl not supported\n");
+--
+2.53.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
