--- /dev/null
+From e9418da50d9e5c496c22fe392e4ad74c038a94eb Mon Sep 17 00:00:00 2001
+From: Harin Lee <me@harin.net>
+Date: Mon, 6 Apr 2026 16:48:57 +0900
+Subject: ALSA: ctxfi: Limit PTP to a single page
+
+From: Harin Lee <me@harin.net>
+
+commit e9418da50d9e5c496c22fe392e4ad74c038a94eb upstream.
+
+Commit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256
+playback streams, but the additional pages are not used by the card
+correctly. The CT20K2 hardware already has multiple VMEM_PTPAL
+registers, but using them separately would require refactoring the
+entire virtual memory allocation logic.
+
+ct_vm_map() always uses PTEs in vm->ptp[0].area regardless of
+CT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). When
+aggregate memory allocations exceed this limit, ct_vm_map() tries to
+access beyond the allocated space and causes a page fault:
+
+ BUG: unable to handle page fault for address: ffffd4ae8a10a000
+ Oops: Oops: 0002 [#1] SMP PTI
+ RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi]
+ Call Trace:
+ atc_pcm_playback_prepare+0x225/0x3b0
+ ct_pcm_playback_prepare+0x38/0x60
+ snd_pcm_do_prepare+0x2f/0x50
+ snd_pcm_action_single+0x36/0x90
+ snd_pcm_action_nonatomic+0xbf/0xd0
+ snd_pcm_ioctl+0x28/0x40
+ __x64_sys_ioctl+0x97/0xe0
+ do_syscall_64+0x81/0x610
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Revert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count
+remain unchanged.
+
+Fixes: 391e69143d0a ("ALSA: ctxfi: Bump playback substreams to 256")
+Cc: stable@vger.kernel.org
+Signed-off-by: Harin Lee <me@harin.net>
+Link: https://patch.msgid.link/20260406074857.216034-1-me@harin.net
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/ctxfi/ctvmem.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/ctxfi/ctvmem.h
++++ b/sound/pci/ctxfi/ctvmem.h
+@@ -15,7 +15,7 @@
+ #ifndef CTVMEM_H
+ #define CTVMEM_H
+
+-#define CT_PTP_NUM 4 /* num of device page table pages */
++#define CT_PTP_NUM 1 /* num of device page table pages */
+
+ #include <linux/mutex.h>
+ #include <linux/list.h>
--- /dev/null
+From f08fe8891c3eeb63b73f9f1f6d97aa629c821579 Mon Sep 17 00:00:00 2001
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+Date: Fri, 30 Jan 2026 11:48:53 +0800
+Subject: dcache: Limit the minimal number of bucket to two
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+commit f08fe8891c3eeb63b73f9f1f6d97aa629c821579 upstream.
+
+There is an OOB read problem on dentry_hashtable when user sets
+'dhash_entries=1':
+ BUG: unable to handle page fault for address: ffff888b30b774b0
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ Oops: Oops: 0000 [#1] SMP PTI
+ RIP: 0010:__d_lookup+0x56/0x120
+ Call Trace:
+ d_lookup.cold+0x16/0x5d
+ lookup_dcache+0x27/0xf0
+ lookup_one_qstr_excl+0x2a/0x180
+ start_dirop+0x55/0xa0
+ simple_start_creating+0x8d/0xa0
+ debugfs_start_creating+0x8c/0x180
+ debugfs_create_dir+0x1d/0x1c0
+ pinctrl_init+0x6d/0x140
+ do_one_initcall+0x6d/0x3d0
+ kernel_init_freeable+0x39f/0x460
+ kernel_init+0x2a/0x260
+
+There will be only one bucket in dentry_hashtable when dhash_entries is
+set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then,
+following process will access more than one buckets(which memory region
+is not allocated) in dentry_hashtable:
+ d_lookup
+ b = d_hash(hash)
+ dentry_hashtable + ((u32)hashlen >> d_hash_shift)
+ // The C standard defines the behavior of right shift amounts
+ // exceeding the bit width of the operand as undefined. The
+ // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',
+ // so 'b' will point to an unallocated memory region.
+ hlist_bl_for_each_entry_rcu(b)
+ hlist_bl_first_rcu(head)
+ h->first // read OOB!
+
+Fix it by limiting the minimal number of dentry_hashtable bucket to two,
+so that 'd_hash_shift' won't exceeds the bit width of type u32.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Link: https://patch.msgid.link/20260130034853.215819-1-chengzhihao1@huawei.com
+Reviewed-by: Yang Erkun <yangerkun@huawei.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dcache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -3127,7 +3127,7 @@ static void __init dcache_init_early(voi
+ HASH_EARLY | HASH_ZERO,
+ &d_hash_shift,
+ NULL,
+- 0,
++ 2,
+ 0);
+ d_hash_shift = 32 - d_hash_shift;
+
+@@ -3158,7 +3158,7 @@ static void __init dcache_init(void)
+ HASH_ZERO,
+ &d_hash_shift,
+ NULL,
+- 0,
++ 2,
+ 0);
+ d_hash_shift = 32 - d_hash_shift;
+
--- /dev/null
+From 0beba407d4585a15b0dc09f2064b5b3ddcb0e857 Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sj@kernel.org>
+Date: Sun, 29 Mar 2026 08:30:49 -0700
+Subject: Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates race
+
+From: SeongJae Park <sj@kernel.org>
+
+commit 0beba407d4585a15b0dc09f2064b5b3ddcb0e857 upstream.
+
+Patch series "Docs/admin-guide/mm/damon: warn commit_inputs vs other
+params race".
+
+Writing 'Y' to the commit_inputs parameter of DAMON_RECLAIM and
+DAMON_LRU_SORT, and writing other parameters before the commit_inputs
+request is completely processed can cause race conditions. While the
+consequence can be bad, the documentation is not clearly describing that.
+Add clear warnings.
+
+The issue was discovered [1,2] by sashiko.
+
+
+This patch (of 2):
+
+DAMON_RECLAIM handles commit_inputs request inside kdamond thread,
+reading the module parameters. If the user updates the module
+parameters while the kdamond thread is reading those, races can happen.
+To avoid this, the commit_inputs parameter shows whether it is still in
+the progress, assuming users wouldn't update parameters in the middle of
+the work. Some users might ignore that. Add a warning about the
+behavior.
+
+The issue was discovered in [1] by sashiko.
+
+Link: https://lore.kernel.org/20260329153052.46657-2-sj@kernel.org
+Link: https://lore.kernel.org/20260319161620.189392-3-objecting@objecting.org [1]
+Link: https://lore.kernel.org/20260319161620.189392-2-objecting@objecting.org [3]
+Fixes: 81a84182c343 ("Docs/admin-guide/mm/damon/reclaim: document 'commit_inputs' parameter")
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Cc: <stable@vger.kernel.org> # 5.19.x
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/admin-guide/mm/damon/reclaim.rst | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/Documentation/admin-guide/mm/damon/reclaim.rst
++++ b/Documentation/admin-guide/mm/damon/reclaim.rst
+@@ -71,6 +71,10 @@ of parametrs except ``enabled`` again.
+ parameter is set as ``N``. If invalid parameters are found while the
+ re-reading, DAMON_RECLAIM will be disabled.
+
++Once ``Y`` is written to this parameter, the user must not write to any
++parameters until reading ``commit_inputs`` again returns ``N``. If users
++violate this rule, the kernel may exhibit undefined behavior.
++
+ min_age
+ -------
+
--- /dev/null
+From a31e4518bec70333a0a98f2946a12b53b45fe5b9 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 9 Apr 2026 15:23:46 +0200
+Subject: fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit a31e4518bec70333a0a98f2946a12b53b45fe5b9 upstream.
+
+Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide
+by zero error"), we also need to prevent that same crash from happening
+in the udlfb driver as it uses pixclock directly when dividing, which
+will crash.
+
+Cc: Bernie Thompson <bernie@plugable.com>
+Cc: Helge Deller <deller@gmx.de>
+Fixes: 59277b679f8b ("Staging: udlfb: add dynamic modeset support")
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/udlfb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/video/fbdev/udlfb.c
++++ b/drivers/video/fbdev/udlfb.c
+@@ -1018,6 +1018,9 @@ static int dlfb_ops_check_var(struct fb_
+ struct fb_videomode mode;
+ struct dlfb_data *dlfb = info->par;
+
++ if (!var->pixclock)
++ return -EINVAL;
++
+ /* set device-specific elements of var unrelated to mode */
+ dlfb_var_color_format(var);
+
--- /dev/null
+From 624bf3440d7214b62c22d698a0a294323f331d5d Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 10 Mar 2026 16:48:12 -0700
+Subject: KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 624bf3440d7214b62c22d698a0a294323f331d5d upstream.
+
+Reject LAUNCH_FINISH for SEV-ES and SNP VMs if KVM is actively creating
+one or more vCPUs, as KVM needs to process and encrypt each vCPU's VMSA.
+Letting userspace create vCPUs while LAUNCH_FINISH is in-progress is
+"fine", at least in the current code base, as kvm_for_each_vcpu() operates
+on online_vcpus, LAUNCH_FINISH (all SEV+ sub-ioctls) holds kvm->mutex, and
+fully onlining a vCPU in kvm_vm_ioctl_create_vcpu() is done under
+kvm->mutex. I.e. there's no difference between an in-progress vCPU and a
+vCPU that is created entirely after LAUNCH_FINISH.
+
+However, given that concurrent LAUNCH_FINISH and vCPU creation can't
+possibly work (for any reasonable definition of "work"), since userspace
+can't guarantee whether a particular vCPU will be encrypted or not,
+disallow the combination as a hardening measure, to reduce the probability
+of introducing bugs in the future, and to avoid having to reason about the
+safety of future changes related to LAUNCH_FINISH.
+
+Cc: Jethro Beekman <jethro@fortanix.com>
+Closes: https://lore.kernel.org/all/b31f7c6e-2807-4662-bcdd-eea2c1e132fa@fortanix.com
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260310234829.2608037-5-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/sev.c | 10 ++++++++--
+ include/linux/kvm_host.h | 7 +++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -962,6 +962,9 @@ static int sev_launch_update_vmsa(struct
+ if (!sev_es_guest(kvm))
+ return -ENOTTY;
+
++ if (kvm_is_vcpu_creation_in_progress(kvm))
++ return -EBUSY;
++
+ kvm_for_each_vcpu(i, vcpu, kvm) {
+ ret = mutex_lock_killable(&vcpu->mutex);
+ if (ret)
+@@ -2061,8 +2064,8 @@ static int sev_check_source_vcpus(struct
+ struct kvm_vcpu *src_vcpu;
+ unsigned long i;
+
+- if (src->created_vcpus != atomic_read(&src->online_vcpus) ||
+- dst->created_vcpus != atomic_read(&dst->online_vcpus))
++ if (kvm_is_vcpu_creation_in_progress(src) ||
++ kvm_is_vcpu_creation_in_progress(dst))
+ return -EBUSY;
+
+ if (!sev_es_guest(src))
+@@ -2456,6 +2459,9 @@ static int snp_launch_update_vmsa(struct
+ unsigned long i;
+ int ret;
+
++ if (kvm_is_vcpu_creation_in_progress(kvm))
++ return -EBUSY;
++
+ data.gctx_paddr = __psp_pa(sev->snp_context);
+ data.page_type = SNP_PAGE_TYPE_VMSA;
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -1017,6 +1017,13 @@ static inline struct kvm_vcpu *kvm_get_v
+ return NULL;
+ }
+
++static inline bool kvm_is_vcpu_creation_in_progress(struct kvm *kvm)
++{
++ lockdep_assert_held(&kvm->lock);
++
++ return kvm->created_vcpus != atomic_read(&kvm->online_vcpus);
++}
++
+ void kvm_destroy_vcpus(struct kvm *kvm);
+
+ void vcpu_load(struct kvm_vcpu *vcpu);
--- /dev/null
+From 8acffeef5ef720c35e513e322ab08e32683f32f2 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Thu, 12 Mar 2026 17:32:58 -0700
+Subject: KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 8acffeef5ef720c35e513e322ab08e32683f32f2 upstream.
+
+Drop the WARN in sev_pin_memory() on npages overflowing an int, as the
+WARN is comically trivially to trigger from userspace, e.g. by doing:
+
+ struct kvm_enc_region range = {
+ .addr = 0,
+ .size = -1ul,
+ };
+
+ __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range);
+
+Note, the checks in sev_mem_enc_register_region() that presumably exist to
+verify the incoming address+size are completely worthless, as both "addr"
+and "size" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater
+than ULONG_MAX. That wart will be cleaned up in the near future.
+
+ if (range->addr > ULONG_MAX || range->size > ULONG_MAX)
+ return -EINVAL;
+
+Opportunistically add a comment to explain why the code calculates the
+number of pages the "hard" way, e.g. instead of just shifting @ulen.
+
+Fixes: 78824fabc72e ("KVM: SVM: fix svn_pin_memory()'s use of get_user_pages_fast()")
+Cc: stable@vger.kernel.org
+Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
+Tested-by: Liam Merwick <liam.merwick@oracle.com>
+Link: https://patch.msgid.link/20260313003302.3136111-2-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/sev.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -642,10 +642,16 @@ static struct page **sev_pin_memory(stru
+ if (ulen == 0 || uaddr + ulen < uaddr)
+ return ERR_PTR(-EINVAL);
+
+- /* Calculate number of pages. */
++ /*
++ * Calculate the number of pages that need to be pinned to cover the
++ * entire range. Note! This isn't simply ulen >> PAGE_SHIFT, as KVM
++ * doesn't require the incoming address+size to be page aligned!
++ */
+ first = (uaddr & PAGE_MASK) >> PAGE_SHIFT;
+ last = ((uaddr + ulen - 1) & PAGE_MASK) >> PAGE_SHIFT;
+ npages = (last - first + 1);
++ if (npages > INT_MAX)
++ return ERR_PTR(-EINVAL);
+
+ locked = sev->pages_locked + npages;
+ lock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
+@@ -654,9 +660,6 @@ static struct page **sev_pin_memory(stru
+ return ERR_PTR(-ENOMEM);
+ }
+
+- if (WARN_ON_ONCE(npages > INT_MAX))
+- return ERR_PTR(-EINVAL);
+-
+ /* Avoid using vmalloc for smaller buffers. */
+ size = npages * sizeof(struct page *);
+ if (size > PAGE_SIZE)
--- /dev/null
+From 9b9f7962e3e879d12da2bf47e02a24ec51690e3d Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 10 Mar 2026 16:48:10 -0700
+Subject: KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 9b9f7962e3e879d12da2bf47e02a24ec51690e3d upstream.
+
+Reject synchronizing vCPU state to its associated VMSA if the vCPU has
+already been launched, i.e. if the VMSA has already been encrypted. On a
+host with SNP enabled, accessing guest-private memory generates an RMP #PF
+and panics the host.
+
+ BUG: unable to handle page fault for address: ff1276cbfdf36000
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x80000003) - RMP violation
+ PGD 5a31801067 P4D 5a31802067 PUD 40ccfb5063 PMD 40e5954063 PTE 80000040fdf36163
+ SEV-SNP: PFN 0x40fdf36, RMP entry: [0x6010fffffffff001 - 0x000000000000001f]
+ Oops: Oops: 0003 [#1] SMP NOPTI
+ CPU: 33 UID: 0 PID: 996180 Comm: qemu-system-x86 Tainted: G OE
+ Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
+ Hardware name: Dell Inc. PowerEdge R7625/0H1TJT, BIOS 1.5.8 07/21/2023
+ RIP: 0010:sev_es_sync_vmsa+0x54/0x4c0 [kvm_amd]
+ Call Trace:
+ <TASK>
+ snp_launch_update_vmsa+0x19d/0x290 [kvm_amd]
+ snp_launch_finish+0xb6/0x380 [kvm_amd]
+ sev_mem_enc_ioctl+0x14e/0x720 [kvm_amd]
+ kvm_arch_vm_ioctl+0x837/0xcf0 [kvm]
+ kvm_vm_ioctl+0x3fd/0xcc0 [kvm]
+ __x64_sys_ioctl+0xa3/0x100
+ x64_sys_call+0xfe0/0x2350
+ do_syscall_64+0x81/0x10f0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ RIP: 0033:0x7ffff673287d
+ </TASK>
+
+Note, the KVM flaw has been present since commit ad73109ae7ec ("KVM: SVM:
+Provide support to launch and run an SEV-ES guest"), but has only been
+actively dangerous for the host since SNP support was added. With SEV-ES,
+KVM would "just" clobber guest state, which is totally fine from a host
+kernel perspective since userspace can clobber guest state any time before
+sev_launch_update_vmsa().
+
+Fixes: ad27ce155566 ("KVM: SEV: Add KVM_SEV_SNP_LAUNCH_FINISH command")
+Reported-by: Jethro Beekman <jethro@fortanix.com>
+Closes: https://lore.kernel.org/all/d98692e2-d96b-4c36-8089-4bc1e5cc3d57@fortanix.com
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260310234829.2608037-3-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/sev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -814,6 +814,9 @@ static int sev_es_sync_vmsa(struct vcpu_
+ u8 *d;
+ int i;
+
++ if (vcpu->arch.guest_state_protected)
++ return -EINVAL;
++
+ /* Check some debug related fields before encrypting the VMSA */
+ if (svm->vcpu.guest_debug || (svm->vmcb->save.dr7 & ~DR7_FIXED_1))
+ return -EINVAL;
--- /dev/null
+From f8e1fc918a9fe67103bcda01d20d745f264d00a7 Mon Sep 17 00:00:00 2001
+From: Ruslan Valiyev <linuxoid@gmail.com>
+Date: Tue, 3 Mar 2026 11:27:54 +0000
+Subject: media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections
+
+From: Ruslan Valiyev <linuxoid@gmail.com>
+
+commit f8e1fc918a9fe67103bcda01d20d745f264d00a7 upstream.
+
+syzbot reported a general protection fault in vidtv_psi_desc_assign [1].
+
+vidtv_psi_pmt_stream_init() can return NULL on memory allocation
+failure, but vidtv_channel_pmt_match_sections() does not check for
+this. When tail is NULL, the subsequent call to
+vidtv_psi_desc_assign(&tail->descriptor, desc) dereferences a NULL
+pointer offset, causing a general protection fault.
+
+Add a NULL check after vidtv_psi_pmt_stream_init(). On failure, clean
+up the already-allocated stream chain and return.
+
+[1]
+Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+RIP: 0010:vidtv_psi_desc_assign+0x24/0x90 drivers/media/test-drivers/vidtv/vidtv_psi.c:629
+Call Trace:
+ <TASK>
+ vidtv_channel_pmt_match_sections drivers/media/test-drivers/vidtv/vidtv_channel.c:349 [inline]
+ vidtv_channel_si_init+0x1445/0x1a50 drivers/media/test-drivers/vidtv/vidtv_channel.c:479
+ vidtv_mux_init+0x526/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:519
+ vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
+ vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
+
+Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+1f5bcc7c919ec578777a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=1f5bcc7c919ec578777a
+Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/test-drivers/vidtv/vidtv_channel.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/test-drivers/vidtv/vidtv_channel.c
++++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c
+@@ -341,6 +341,10 @@ vidtv_channel_pmt_match_sections(struct
+ tail = vidtv_psi_pmt_stream_init(tail,
+ s->type,
+ e_pid);
++ if (!tail) {
++ vidtv_psi_pmt_stream_destroy(head);
++ return;
++ }
+
+ if (!head)
+ head = tail;
--- /dev/null
+From b02da26a992db0c0e2559acbda0fc48d4a2fd337 Mon Sep 17 00:00:00 2001
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+Date: Fri, 6 Mar 2026 11:22:11 +0800
+Subject: ocfs2: fix possible deadlock between unlink and dio_end_io_write
+
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+
+commit b02da26a992db0c0e2559acbda0fc48d4a2fd337 upstream.
+
+ocfs2_unlink takes orphan dir inode_lock first and then ip_alloc_sem,
+while in ocfs2_dio_end_io_write, it acquires these locks in reverse order.
+This creates an ABBA lock ordering violation on lock classes
+ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE] and
+ocfs2_file_ip_alloc_sem_key.
+
+Lock Chain #0 (orphan dir inode_lock -> ip_alloc_sem):
+ocfs2_unlink
+ ocfs2_prepare_orphan_dir
+ ocfs2_lookup_lock_orphan_dir
+ inode_lock(orphan_dir_inode) <- lock A
+ __ocfs2_prepare_orphan_dir
+ ocfs2_prepare_dir_for_insert
+ ocfs2_extend_dir
+ ocfs2_expand_inline_dir
+ down_write(&oi->ip_alloc_sem) <- Lock B
+
+Lock Chain #1 (ip_alloc_sem -> orphan dir inode_lock):
+ocfs2_dio_end_io_write
+ down_write(&oi->ip_alloc_sem) <- Lock B
+ ocfs2_del_inode_from_orphan()
+ inode_lock(orphan_dir_inode) <- Lock A
+
+Deadlock Scenario:
+ CPU0 (unlink) CPU1 (dio_end_io_write)
+ ------ ------
+ inode_lock(orphan_dir_inode)
+ down_write(ip_alloc_sem)
+ down_write(ip_alloc_sem)
+ inode_lock(orphan_dir_inode)
+
+Since ip_alloc_sem is to protect allocation changes, which is unrelated
+with operations in ocfs2_del_inode_from_orphan. So move
+ocfs2_del_inode_from_orphan out of ip_alloc_sem to fix the deadlock.
+
+Link: https://lkml.kernel.org/r/20260306032211.1016452-1-joseph.qi@linux.alibaba.com
+Reported-by: syzbot+67b90111784a3eac8c04@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=67b90111784a3eac8c04
+Fixes: a86a72a4a4e0 ("ocfs2: take ip_alloc_sem in ocfs2_dio_get_block & ocfs2_dio_end_io_write")
+Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reviewed-by: Heming Zhao <heming.zhao@suse.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/aops.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -2318,8 +2318,6 @@ static int ocfs2_dio_end_io_write(struct
+ goto out;
+ }
+
+- down_write(&oi->ip_alloc_sem);
+-
+ /* Delete orphan before acquire i_rwsem. */
+ if (dwc->dw_orphaned) {
+ BUG_ON(dwc->dw_writer_pid != task_pid_nr(current));
+@@ -2332,6 +2330,7 @@ static int ocfs2_dio_end_io_write(struct
+ mlog_errno(ret);
+ }
+
++ down_write(&oi->ip_alloc_sem);
+ di = (struct ocfs2_dinode *)di_bh->b_data;
+
+ ocfs2_init_dinode_extent_tree(&et, INODE_CACHE(inode), di_bh);
--- /dev/null
+From 7de554cabf160e331e4442e2a9ad874ca9875921 Mon Sep 17 00:00:00 2001
+From: Tejas Bharambe <tejas.bharambe@outlook.com>
+Date: Fri, 10 Apr 2026 01:38:16 -0700
+Subject: ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
+
+From: Tejas Bharambe <tejas.bharambe@outlook.com>
+
+commit 7de554cabf160e331e4442e2a9ad874ca9875921 upstream.
+
+filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
+as documented in mm/filemap.c:
+
+ "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
+ may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
+
+When this happens, a concurrent munmap() can call remove_vma() and free
+the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
+becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
+dereferences it -- a use-after-free.
+
+Fix this by saving ip_blkno as a plain integer before calling
+filemap_fault(), and removing vma from the trace event. Since
+ip_blkno is copied by value before the lock can be dropped, it
+remains valid regardless of what happens to the vma or inode
+afterward.
+
+Link: https://lkml.kernel.org/r/20260410083816.34951-1-tejas.bharambe@outlook.com
+Fixes: 614a9e849ca6 ("ocfs2: Remove FILE_IO from masklog.")
+Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
+Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
+Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Heming Zhao <heming.zhao@suse.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/mmap.c | 7 +++----
+ fs/ocfs2/ocfs2_trace.h | 10 ++++------
+ 2 files changed, 7 insertions(+), 10 deletions(-)
+
+--- a/fs/ocfs2/mmap.c
++++ b/fs/ocfs2/mmap.c
+@@ -30,7 +30,8 @@
+
+ static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
+ {
+- struct vm_area_struct *vma = vmf->vma;
++ unsigned long long ip_blkno =
++ OCFS2_I(file_inode(vmf->vma->vm_file))->ip_blkno;
+ sigset_t oldset;
+ vm_fault_t ret;
+
+@@ -38,11 +39,9 @@ static vm_fault_t ocfs2_fault(struct vm_
+ ret = filemap_fault(vmf);
+ ocfs2_unblock_signals(&oldset);
+
+- trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno,
+- vma, vmf->page, vmf->pgoff);
++ trace_ocfs2_fault(ip_blkno, vmf->page, vmf->pgoff);
+ return ret;
+ }
+-
+ static vm_fault_t __ocfs2_page_mkwrite(struct file *file,
+ struct buffer_head *di_bh, struct page *page)
+ {
+--- a/fs/ocfs2/ocfs2_trace.h
++++ b/fs/ocfs2/ocfs2_trace.h
+@@ -1246,22 +1246,20 @@ TRACE_EVENT(ocfs2_write_end_inline,
+
+ TRACE_EVENT(ocfs2_fault,
+ TP_PROTO(unsigned long long ino,
+- void *area, void *page, unsigned long pgoff),
+- TP_ARGS(ino, area, page, pgoff),
++ void *page, unsigned long pgoff),
++ TP_ARGS(ino, page, pgoff),
+ TP_STRUCT__entry(
+ __field(unsigned long long, ino)
+- __field(void *, area)
+ __field(void *, page)
+ __field(unsigned long, pgoff)
+ ),
+ TP_fast_assign(
+ __entry->ino = ino;
+- __entry->area = area;
+ __entry->page = page;
+ __entry->pgoff = pgoff;
+ ),
+- TP_printk("%llu %p %p %lu",
+- __entry->ino, __entry->area, __entry->page, __entry->pgoff)
++ TP_printk("%llu %p %lu",
++ __entry->ino, __entry->page, __entry->pgoff)
+ );
+
+ /* End of trace events for fs/ocfs2/mmap.c. */
--- /dev/null
+From 4a1c0ddc6e7bcf2e9db0eeaab9340dcfe97f448f Mon Sep 17 00:00:00 2001
+From: ZhengYuan Huang <gality369@gmail.com>
+Date: Wed, 1 Apr 2026 17:23:03 +0800
+Subject: ocfs2: handle invalid dinode in ocfs2_group_extend
+
+From: ZhengYuan Huang <gality369@gmail.com>
+
+commit 4a1c0ddc6e7bcf2e9db0eeaab9340dcfe97f448f upstream.
+
+[BUG]
+kernel BUG at fs/ocfs2/resize.c:308!
+Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
+RIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308
+Code: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe
+Call Trace:
+ ...
+ ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:597 [inline]
+ __se_sys_ioctl fs/ioctl.c:583 [inline]
+ __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
+ x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ ...
+
+[CAUSE]
+ocfs2_group_extend() assumes that the global bitmap inode block
+returned from ocfs2_inode_lock() has already been validated and
+BUG_ONs when the signature is not a dinode. That assumption is too
+strong for crafted filesystems because the JBD2-managed buffer path
+can bypass structural validation and return an invalid dinode to the
+resize ioctl.
+
+[FIX]
+Validate the dinode explicitly in ocfs2_group_extend(). If the global
+bitmap buffer does not contain a valid dinode, report filesystem
+corruption with ocfs2_error() and fail the resize operation instead of
+crashing the kernel.
+
+Link: https://lkml.kernel.org/r/20260401092303.3709187-1-gality369@gmail.com
+Fixes: 10995aa2451a ("ocfs2: Morph the haphazard OCFS2_IS_VALID_DINODE() checks.")
+Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Heming Zhao <heming.zhao@suse.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/resize.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/fs/ocfs2/resize.c
++++ b/fs/ocfs2/resize.c
+@@ -303,9 +303,13 @@ int ocfs2_group_extend(struct inode * in
+
+ fe = (struct ocfs2_dinode *)main_bm_bh->b_data;
+
+- /* main_bm_bh is validated by inode read inside ocfs2_inode_lock(),
+- * so any corruption is a code bug. */
+- BUG_ON(!OCFS2_IS_VALID_DINODE(fe));
++ /* JBD-managed buffers can bypass validation, so treat this as corruption. */
++ if (!OCFS2_IS_VALID_DINODE(fe)) {
++ ret = ocfs2_error(main_bm_inode->i_sb,
++ "Invalid dinode #%llu\n",
++ (unsigned long long)OCFS2_I(main_bm_inode)->ip_blkno);
++ goto out_unlock;
++ }
+
+ if (le16_to_cpu(fe->id2.i_chain.cl_cpg) !=
+ ocfs2_group_bitmap_size(osb->sb, 0,
--- /dev/null
+From d799984233a50abd2667a7d17a9a710a3f10ebe2 Mon Sep 17 00:00:00 2001
+From: Koichiro Den <den@valinux.co.jp>
+Date: Thu, 26 Feb 2026 17:41:40 +0900
+Subject: PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
+
+From: Koichiro Den <den@valinux.co.jp>
+
+commit d799984233a50abd2667a7d17a9a710a3f10ebe2 upstream.
+
+Disable the delayed work before clearing BAR mappings and doorbells to
+avoid running the handler after resources have been torn down.
+
+ Unable to handle kernel paging request at virtual address ffff800083f46004
+ [...]
+ Internal error: Oops: 0000000096000007 [#1] SMP
+ [...]
+ Call trace:
+ epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P)
+ process_one_work+0x154/0x3b0
+ worker_thread+0x2c8/0x400
+ kthread+0x148/0x210
+ ret_from_fork+0x10/0x20
+
+Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP")
+Signed-off-by: Koichiro Den <den@valinux.co.jp>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260226084142.2226875-4-den@valinux.co.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/functions/pci-epf-vntb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c
++++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c
+@@ -799,6 +799,7 @@ err_config_interrupt:
+ */
+ static void epf_ntb_epc_cleanup(struct epf_ntb *ntb)
+ {
++ disable_delayed_work_sync(&ntb->cmd_handler);
+ epf_ntb_mw_bar_clear(ntb, ntb->num_mws);
+ epf_ntb_db_bar_clear(ntb);
+ epf_ntb_config_sspad_bar_clear(ntb);
--- /dev/null
+From 8545d9bc4bd0801e0bdfbfdfdc2532ff31236ddf Mon Sep 17 00:00:00 2001
+From: Harry Wentland <harry.wentland@amd.com>
+Date: Fri, 27 Mar 2026 11:41:57 -0400
+Subject: scripts/checkpatch: add Assisted-by: tag validation
+
+From: Harry Wentland <harry.wentland@amd.com>
+
+commit 8545d9bc4bd0801e0bdfbfdfdc2532ff31236ddf upstream.
+
+The coding-assistants.rst documentation defines the Assisted-by: tag
+format for AI-assisted contributions as:
+
+ Assisted-by: AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2]
+
+This format does not use an email address, so checkpatch currently
+reports a false positive about an invalid email when encountering this
+tag.
+
+Add Assisted-by: to the recognized signature tags and standard signature
+list. When an Assisted-by: tag is found, validate it instead of checking
+for an email address.
+
+Examples of passing tags:
+- Claude:claude-3-opus coccinelle sparse
+- FOO:BAR.baz
+- Copilot Github:claude-3-opus
+- GitHub Copilot:Claude Opus 4.6
+- My Cool Agent:v1.2.3 coccinelle sparse
+
+Examples of tags triggering the new warning:
+- Claude coccinelle sparse
+- JustAName
+- :missing-agent
+
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Assisted-by: Claude:claude-opus-4.6
+Co-developed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Harry Wentland <harry.wentland@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Message-ID: <20260327154157.162962-1-harry.wentland@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/checkpatch.pl | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/scripts/checkpatch.pl
++++ b/scripts/checkpatch.pl
+@@ -622,6 +622,7 @@ our $signature_tags = qr{(?xi:
+ Reviewed-by:|
+ Reported-by:|
+ Suggested-by:|
++ Assisted-by:|
+ To:|
+ Cc:
+ )};
+@@ -715,7 +716,7 @@ sub find_standard_signature {
+ my ($sign_off) = @_;
+ my @standard_signature_tags = (
+ 'Signed-off-by:', 'Co-developed-by:', 'Acked-by:', 'Tested-by:',
+- 'Reviewed-by:', 'Reported-by:', 'Suggested-by:'
++ 'Reviewed-by:', 'Reported-by:', 'Suggested-by:', 'Assisted-by:'
+ );
+ foreach my $signature (@standard_signature_tags) {
+ return $signature if (get_edit_distance($sign_off, $signature) <= 2);
+@@ -3070,6 +3071,15 @@ sub process {
+ }
+ }
+
++# Assisted-by: uses format AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2] instead of email
++ if ($sign_off =~ /^assisted-by:$/i) {
++ if ($email !~ /^[^:]+:\S+(\s+\S+)*$/) {
++ WARN("BAD_ASSISTED_BY",
++ "Assisted-by: should use format: 'Assisted-by: AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2]'\n" . $herecurr);
++ }
++ next;
++ }
++
+ my ($email_name, $name_comment, $email_address, $comment) = parse_email($email);
+ my $suggested_email = format_email(($email_name, $name_comment, $email_address, $comment));
+ if ($suggested_email eq "") {
--- /dev/null
+From 9b4744d8eda2824041064a5639ccbb079850914d Mon Sep 17 00:00:00 2001
+From: Tamir Duberstein <tamird@kernel.org>
+Date: Tue, 27 Jan 2026 11:35:43 -0500
+Subject: scripts: generate_rust_analyzer.py: avoid FD leak
+
+From: Tamir Duberstein <tamird@kernel.org>
+
+commit 9b4744d8eda2824041064a5639ccbb079850914d upstream.
+
+Use `pathlib.Path.read_text()` to avoid leaking file descriptors.
+
+Fixes: 8c4555ccc55c ("scripts: add `generate_rust_analyzer.py`")
+Cc: stable@vger.kernel.org
+Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
+Reviewed-by: Fiona Behrens <me@kloenk.dev>
+Reviewed-by: Trevor Gross <tmgross@umich.edu>
+Link: https://patch.msgid.link/20260127-rust-analyzer-fd-leak-v2-1-1bb55b9b6822@kernel.org
+Signed-off-by: Tamir Duberstein <tamird@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/generate_rust_analyzer.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/scripts/generate_rust_analyzer.py
++++ b/scripts/generate_rust_analyzer.py
+@@ -146,9 +146,10 @@ def generate_crates(srctree, objtree, sy
+
+ def is_root_crate(build_file, target):
+ try:
+- return f"{target}.o" in open(build_file).read()
++ contents = build_file.read_text()
+ except FileNotFoundError:
+ return False
++ return f"{target}.o" in contents
+
+ # Then, the rest outside of `rust/`.
+ #
usb-cdc-acm-add-quirks-for-yoga-book-9-14iah10-ingenic-touchscreen.patch
usb-gadget-f_hid-don-t-call-cdev_init-while-cdev-in-use.patch
usb-port-add-delay-after-usb_hub_set_port_power.patch
+fbdev-udlfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch
+scripts-checkpatch-add-assisted-by-tag-validation.patch
+scripts-generate_rust_analyzer.py-avoid-fd-leak.patch
+wifi-rtw88-fix-device-leak-on-probe-failure.patch
+staging-sm750fb-fix-division-by-zero-in-ps_to_hz.patch
+usb-serial-option-add-telit-cinterion-fn990a-mbim-composition.patch
+docs-admin-guide-mm-damon-reclaim-warn-commit_inputs-vs-param-updates-race.patch
+alsa-ctxfi-limit-ptp-to-a-single-page.patch
+dcache-limit-the-minimal-number-of-bucket-to-two.patch
+media-vidtv-fix-null-pointer-dereference-in-vidtv_channel_pmt_match_sections.patch
+ocfs2-fix-possible-deadlock-between-unlink-and-dio_end_io_write.patch
+ocfs2-fix-use-after-free-in-ocfs2_fault-when-vm_fault_retry.patch
+ocfs2-handle-invalid-dinode-in-ocfs2_group_extend.patch
+pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch
+kvm-sev-reject-attempts-to-sync-vmsa-of-an-already-launched-encrypted-vcpu.patch
+kvm-sev-disallow-launch_finish-if-vcpus-are-actively-being-created.patch
+kvm-sev-drop-warn-on-large-size-for-kvm_memory_encrypt_reg_region.patch
--- /dev/null
+From 75a1621e4f91310673c9acbcbb25c2a7ff821cd3 Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Mon, 23 Mar 2026 15:31:56 +0800
+Subject: staging: sm750fb: fix division by zero in ps_to_hz()
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit 75a1621e4f91310673c9acbcbb25c2a7ff821cd3 upstream.
+
+ps_to_hz() is called from hw_sm750_crtc_set_mode() without validating
+that pixclock is non-zero. A zero pixclock passed via FBIOPUT_VSCREENINFO
+causes a division by zero.
+
+Fix by rejecting zero pixclock in lynxfb_ops_check_var(), consistent
+with other framebuffer drivers.
+
+Fixes: 81dee67e215b ("staging: sm750fb: add sm750 to staging")
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/SYBPR01MB7881AFBFCE28CCF528B35D0CAF4BA@SYBPR01MB7881.ausprd01.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/sm750fb/sm750.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/staging/sm750fb/sm750.c
++++ b/drivers/staging/sm750fb/sm750.c
+@@ -483,6 +483,9 @@ static int lynxfb_ops_check_var(struct f
+ struct lynxfb_crtc *crtc;
+ resource_size_t request;
+
++ if (!var->pixclock)
++ return -EINVAL;
++
+ ret = 0;
+ par = info->par;
+ crtc = &par->crtc;
--- /dev/null
+From f8cc59ecc22841be5deb07b549c0c6a2657cd5f9 Mon Sep 17 00:00:00 2001
+From: Fabio Porcedda <fabio.porcedda@gmail.com>
+Date: Thu, 2 Apr 2026 11:57:27 +0200
+Subject: USB: serial: option: add Telit Cinterion FN990A MBIM composition
+
+From: Fabio Porcedda <fabio.porcedda@gmail.com>
+
+commit f8cc59ecc22841be5deb07b549c0c6a2657cd5f9 upstream.
+
+Add the following Telit Cinterion FN990A MBIM composition:
+
+0x1074: MBIM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (diag) +
+ DPL (Data Packet Logging) + adb
+
+T: Bus=01 Lev=01 Prnt=04 Port=06 Cnt=01 Dev#= 7 Spd=480 MxCh= 0
+D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=1bc7 ProdID=1074 Rev=05.04
+S: Manufacturer=Telit Wireless Solutions
+S: Product=FN990
+S: SerialNumber=70628d0c
+C: #Ifs= 8 Cfg#= 1 Atr=e0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
+E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
+E: Ad=8f(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1383,6 +1383,8 @@ static const struct usb_device_id option
+ .driver_info = NCTRL(2) | RSVD(3) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1073, 0xff), /* Telit FN990A (ECM) */
+ .driver_info = NCTRL(0) | RSVD(1) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1074, 0xff), /* Telit FN990A (MBIM) */
++ .driver_info = NCTRL(5) | RSVD(6) | RSVD(7) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1075, 0xff), /* Telit FN990A (PCIe) */
+ .driver_info = RSVD(0) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1077, 0xff), /* Telit FN990A (rmnet + audio) */
--- /dev/null
+From bbb15e71156cd9f5e1869eee7207a06ea8e96c39 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 6 Mar 2026 09:51:44 +0100
+Subject: wifi: rtw88: fix device leak on probe failure
+
+From: Johan Hovold <johan@kernel.org>
+
+commit bbb15e71156cd9f5e1869eee7207a06ea8e96c39 upstream.
+
+Driver core holds a reference to the USB interface and its parent USB
+device while the interface is bound to a driver and there is no need to
+take additional references unless the structures are needed after
+disconnect.
+
+This driver takes a reference to the USB device during probe but does
+not to release it on all probe errors (e.g. when descriptor parsing
+fails).
+
+Drop the redundant device reference to fix the leak, reduce cargo
+culting, make it easier to spot drivers where an extra reference is
+needed, and reduce the risk of further memory leaks.
+
+Fixes: a82dfd33d123 ("wifi: rtw88: Add common USB chip support")
+Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/netdev/2026022319-turbofan-darkened-206d@gregkh/
+Cc: stable@vger.kernel.org # 6.2
+Cc: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20260306085144.12064-19-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtw88/usb.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtw88/usb.c
++++ b/drivers/net/wireless/realtek/rtw88/usb.c
+@@ -953,7 +953,7 @@ static int rtw_usb_intf_init(struct rtw_
+ struct usb_interface *intf)
+ {
+ struct rtw_usb *rtwusb = rtw_get_usb_priv(rtwdev);
+- struct usb_device *udev = usb_get_dev(interface_to_usbdev(intf));
++ struct usb_device *udev = interface_to_usbdev(intf);
+ int ret;
+
+ rtwusb->udev = udev;
+@@ -979,7 +979,6 @@ static void rtw_usb_intf_deinit(struct r
+ {
+ struct rtw_usb *rtwusb = rtw_get_usb_priv(rtwdev);
+
+- usb_put_dev(rtwusb->udev);
+ kfree(rtwusb->usb_data);
+ usb_set_intfdata(intf, NULL);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
