--- /dev/null
+From 7851263998d4269125fd6cb3fdbfc7c6db853859 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@google.com>
+Date: Mon, 16 Jun 2025 11:21:15 -0700
+Subject: atm: Revert atm_account_tx() if copy_from_iter_full() fails.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+commit 7851263998d4269125fd6cb3fdbfc7c6db853859 upstream.
+
+In vcc_sendmsg(), we account skb->truesize to sk->sk_wmem_alloc by
+atm_account_tx().
+
+It is expected to be reverted by atm_pop_raw() later called by
+vcc->dev->ops->send(vcc, skb).
+
+However, vcc_sendmsg() misses the same revert when copy_from_iter_full()
+fails, and then we will leak a socket.
+
+Let's factorise the revert part as atm_return_tx() and call it in
+the failure path.
+
+Note that the corresponding sk_wmem_alloc operation can be found in
+alloc_tx() as of the blamed commit.
+
+ $ git blame -L:alloc_tx net/atm/common.c c55fa3cccbc2c~
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Simon Horman <horms@kernel.org>
+Closes: https://lore.kernel.org/netdev/20250614161959.GR414686@horms.kernel.org/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250616182147.963333-3-kuni1840@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/atmdev.h | 6 ++++++
+ net/atm/common.c | 1 +
+ net/atm/raw.c | 2 +-
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/include/linux/atmdev.h
++++ b/include/linux/atmdev.h
+@@ -249,6 +249,12 @@ static inline void atm_account_tx(struct
+ ATM_SKB(skb)->atm_options = vcc->atm_options;
+ }
+
++static inline void atm_return_tx(struct atm_vcc *vcc, struct sk_buff *skb)
++{
++ WARN_ON_ONCE(refcount_sub_and_test(ATM_SKB(skb)->acct_truesize,
++ &sk_atm(vcc)->sk_wmem_alloc));
++}
++
+ static inline void atm_force_charge(struct atm_vcc *vcc,int truesize)
+ {
+ atomic_add(truesize, &sk_atm(vcc)->sk_rmem_alloc);
+--- a/net/atm/common.c
++++ b/net/atm/common.c
+@@ -635,6 +635,7 @@ int vcc_sendmsg(struct socket *sock, str
+
+ skb->dev = NULL; /* for paths shared with net_device interfaces */
+ if (!copy_from_iter_full(skb_put(skb, size), size, &m->msg_iter)) {
++ atm_return_tx(vcc, skb);
+ kfree_skb(skb);
+ error = -EFAULT;
+ goto out;
+--- a/net/atm/raw.c
++++ b/net/atm/raw.c
+@@ -36,7 +36,7 @@ static void atm_pop_raw(struct atm_vcc *
+
+ pr_debug("(%d) %d -= %d\n",
+ vcc->vci, sk_wmem_alloc_get(sk), ATM_SKB(skb)->acct_truesize);
+- WARN_ON(refcount_sub_and_test(ATM_SKB(skb)->acct_truesize, &sk->sk_wmem_alloc));
++ atm_return_tx(vcc, skb);
+ dev_kfree_skb_any(skb);
+ sk->sk_write_space(sk);
+ }
--- /dev/null
+From 50695153d7ddde3b1696dbf0085be0033bf3ddb3 Mon Sep 17 00:00:00 2001
+From: Andrew Morton <akpm@linux-foundation.org>
+Date: Sat, 7 Jun 2025 17:43:18 -0700
+Subject: drivers/rapidio/rio_cm.c: prevent possible heap overwrite
+
+From: Andrew Morton <akpm@linux-foundation.org>
+
+commit 50695153d7ddde3b1696dbf0085be0033bf3ddb3 upstream.
+
+In
+
+riocm_cdev_ioctl(RIO_CM_CHAN_SEND)
+ -> cm_chan_msg_send()
+ -> riocm_ch_send()
+
+cm_chan_msg_send() checks that userspace didn't send too much data but
+riocm_ch_send() failed to check that userspace sent sufficient data. The
+result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr
+which were outside the bounds of the space which cm_chan_msg_send()
+allocated.
+
+Address this by teaching riocm_ch_send() to check that the entire
+rio_ch_chan_hdr was copied in from userspace.
+
+Reported-by: maher azz <maherazz04@gmail.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Linus Torvalds <torvalds@linuxfoundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rapidio/rio_cm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/rapidio/rio_cm.c
++++ b/drivers/rapidio/rio_cm.c
+@@ -787,6 +787,9 @@ static int riocm_ch_send(u16 ch_id, void
+ if (buf == NULL || ch_id == 0 || len == 0 || len > RIO_MAX_MSG_SIZE)
+ return -EINVAL;
+
++ if (len < sizeof(struct rio_ch_chan_hdr))
++ return -EINVAL; /* insufficient data from user */
++
+ ch = riocm_get_channel(ch_id);
+ if (!ch) {
+ riocm_error("%s(%d) ch_%d not found", current->comm,
--- /dev/null
+From 2b6d96503255a3ed676cd70f8368870c6d6a25c6 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Tue, 25 Mar 2025 19:32:13 +0300
+Subject: jffs2: check jffs2_prealloc_raw_node_refs() result in few other places
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit 2b6d96503255a3ed676cd70f8368870c6d6a25c6 upstream.
+
+Fuzzing hit another invalid pointer dereference due to the lack of
+checking whether jffs2_prealloc_raw_node_refs() completed successfully.
+Subsequent logic implies that the node refs have been allocated.
+
+Handle that. The code is ready for propagating the error upwards.
+
+KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+CPU: 1 PID: 5835 Comm: syz-executor145 Not tainted 5.10.234-syzkaller #0
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+RIP: 0010:jffs2_link_node_ref+0xac/0x690 fs/jffs2/nodelist.c:600
+Call Trace:
+ jffs2_mark_erased_block fs/jffs2/erase.c:460 [inline]
+ jffs2_erase_pending_blocks+0x688/0x1860 fs/jffs2/erase.c:118
+ jffs2_garbage_collect_pass+0x638/0x1a00 fs/jffs2/gc.c:253
+ jffs2_reserve_space+0x3f4/0xad0 fs/jffs2/nodemgmt.c:167
+ jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362
+ jffs2_write_end+0x712/0x1110 fs/jffs2/file.c:302
+ generic_perform_write+0x2c2/0x500 mm/filemap.c:3347
+ __generic_file_write_iter+0x252/0x610 mm/filemap.c:3465
+ generic_file_write_iter+0xdb/0x230 mm/filemap.c:3497
+ call_write_iter include/linux/fs.h:2039 [inline]
+ do_iter_readv_writev+0x46d/0x750 fs/read_write.c:740
+ do_iter_write+0x18c/0x710 fs/read_write.c:866
+ vfs_writev+0x1db/0x6a0 fs/read_write.c:939
+ do_pwritev fs/read_write.c:1036 [inline]
+ __do_sys_pwritev fs/read_write.c:1083 [inline]
+ __se_sys_pwritev fs/read_write.c:1078 [inline]
+ __x64_sys_pwritev+0x235/0x310 fs/read_write.c:1078
+ do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x67/0xd1
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 2f785402f39b ("[JFFS2] Reduce visibility of raw_node_ref to upper layers of JFFS2 code.")
+Fixes: f560928baa60 ("[JFFS2] Allocate node_ref for wasted space when skipping to page boundary")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jffs2/erase.c | 4 +++-
+ fs/jffs2/scan.c | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/jffs2/erase.c
++++ b/fs/jffs2/erase.c
+@@ -425,7 +425,9 @@ static void jffs2_mark_erased_block(stru
+ .totlen = cpu_to_je32(c->cleanmarker_size)
+ };
+
+- jffs2_prealloc_raw_node_refs(c, jeb, 1);
++ ret = jffs2_prealloc_raw_node_refs(c, jeb, 1);
++ if (ret)
++ goto filebad;
+
+ marker.hdr_crc = cpu_to_je32(crc32(0, &marker, sizeof(struct jffs2_unknown_node)-4));
+
+--- a/fs/jffs2/scan.c
++++ b/fs/jffs2/scan.c
+@@ -256,7 +256,9 @@ int jffs2_scan_medium(struct jffs2_sb_in
+
+ jffs2_dbg(1, "%s(): Skipping %d bytes in nextblock to ensure page alignment\n",
+ __func__, skip);
+- jffs2_prealloc_raw_node_refs(c, c->nextblock, 1);
++ ret = jffs2_prealloc_raw_node_refs(c, c->nextblock, 1);
++ if (ret)
++ goto out;
+ jffs2_scan_dirty_space(c, c->nextblock, skip);
+ }
+ #endif
--- /dev/null
+From ec9e6f22bce433b260ea226de127ec68042849b0 Mon Sep 17 00:00:00 2001
+From: Artem Sadovnikov <a.sadovnikov@ispras.ru>
+Date: Fri, 7 Mar 2025 16:34:09 +0000
+Subject: jffs2: check that raw node were preallocated before writing summary
+
+From: Artem Sadovnikov <a.sadovnikov@ispras.ru>
+
+commit ec9e6f22bce433b260ea226de127ec68042849b0 upstream.
+
+Syzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault
+injection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn't
+check return value of jffs2_prealloc_raw_node_refs and simply lets any
+error propagate into jffs2_sum_write_data, which eventually calls
+jffs2_link_node_ref in order to link the summary to an expectedly allocated
+node.
+
+kernel BUG at fs/jffs2/nodelist.c:592!
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
+CPU: 1 PID: 31277 Comm: syz-executor.7 Not tainted 6.1.128-syzkaller-00139-ge10f83ca10a1 #0
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+RIP: 0010:jffs2_link_node_ref+0x570/0x690 fs/jffs2/nodelist.c:592
+Call Trace:
+ <TASK>
+ jffs2_sum_write_data fs/jffs2/summary.c:841 [inline]
+ jffs2_sum_write_sumnode+0xd1a/0x1da0 fs/jffs2/summary.c:874
+ jffs2_do_reserve_space+0xa18/0xd60 fs/jffs2/nodemgmt.c:388
+ jffs2_reserve_space+0x55f/0xaa0 fs/jffs2/nodemgmt.c:197
+ jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362
+ jffs2_write_end+0x726/0x15d0 fs/jffs2/file.c:301
+ generic_perform_write+0x314/0x5d0 mm/filemap.c:3856
+ __generic_file_write_iter+0x2ae/0x4d0 mm/filemap.c:3973
+ generic_file_write_iter+0xe3/0x350 mm/filemap.c:4005
+ call_write_iter include/linux/fs.h:2265 [inline]
+ do_iter_readv_writev+0x20f/0x3c0 fs/read_write.c:735
+ do_iter_write+0x186/0x710 fs/read_write.c:861
+ vfs_iter_write+0x70/0xa0 fs/read_write.c:902
+ iter_file_splice_write+0x73b/0xc90 fs/splice.c:685
+ do_splice_from fs/splice.c:763 [inline]
+ direct_splice_actor+0x10c/0x170 fs/splice.c:950
+ splice_direct_to_actor+0x337/0xa10 fs/splice.c:896
+ do_splice_direct+0x1a9/0x280 fs/splice.c:1002
+ do_sendfile+0xb13/0x12c0 fs/read_write.c:1255
+ __do_sys_sendfile64 fs/read_write.c:1323 [inline]
+ __se_sys_sendfile64 fs/read_write.c:1309 [inline]
+ __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+Fix this issue by checking return value of jffs2_prealloc_raw_node_refs
+before calling jffs2_sum_write_data.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Cc: stable@vger.kernel.org
+Fixes: 2f785402f39b ("[JFFS2] Reduce visibility of raw_node_ref to upper layers of JFFS2 code.")
+Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
+Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jffs2/summary.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/jffs2/summary.c
++++ b/fs/jffs2/summary.c
+@@ -858,7 +858,10 @@ int jffs2_sum_write_sumnode(struct jffs2
+ spin_unlock(&c->erase_completion_lock);
+
+ jeb = c->nextblock;
+- jffs2_prealloc_raw_node_refs(c, jeb, 1);
++ ret = jffs2_prealloc_raw_node_refs(c, jeb, 1);
++
++ if (ret)
++ goto out;
+
+ if (!c->summary->sum_num || !c->summary->sum_list_head) {
+ JFFS2_WARNING("Empty summary info!!!\n");
+@@ -872,6 +875,8 @@ int jffs2_sum_write_sumnode(struct jffs2
+ datasize += padsize;
+
+ ret = jffs2_sum_write_data(c, jeb, infosize, datasize, padsize);
++
++out:
+ spin_lock(&c->erase_completion_lock);
+ return ret;
+ }
--- /dev/null
+From 7ac5b66acafcc9292fb935d7e03790f2b8b2dc0e Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 13 Jun 2025 10:12:43 +0900
+Subject: ksmbd: fix null pointer dereference in destroy_previous_session
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 7ac5b66acafcc9292fb935d7e03790f2b8b2dc0e upstream.
+
+If client set ->PreviousSessionId on kerberos session setup stage,
+NULL pointer dereference error will happen. Since sess->user is not
+set yet, It can pass the user argument as NULL to destroy_previous_session.
+sess->user will be set in ksmbd_krb5_authenticate(). So this patch move
+calling destroy_previous_session() after ksmbd_krb5_authenticate().
+
+Cc: stable@vger.kernel.org
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27391
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1610,17 +1610,18 @@ static int krb5_authenticate(struct ksmb
+ out_len = work->response_sz -
+ (le16_to_cpu(rsp->SecurityBufferOffset) + 4);
+
+- /* Check previous session */
+- prev_sess_id = le64_to_cpu(req->PreviousSessionId);
+- if (prev_sess_id && prev_sess_id != sess->id)
+- destroy_previous_session(conn, sess->user, prev_sess_id);
+-
+ retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
+ out_blob, &out_len);
+ if (retval) {
+ ksmbd_debug(SMB, "krb5 authentication failed\n");
+ return -EINVAL;
+ }
++
++ /* Check previous session */
++ prev_sess_id = le64_to_cpu(req->PreviousSessionId);
++ if (prev_sess_id && prev_sess_id != sess->id)
++ destroy_previous_session(conn, sess->user, prev_sess_id);
++
+ rsp->SecurityBufferLength = cpu_to_le16(out_len);
+
+ if ((conn->sign || server_conf.enforced_signing) ||
--- /dev/null
+From 52c22661c79a7b6af7fad9f77200738fc6c51878 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Fri, 30 May 2025 21:45:48 +0800
+Subject: LoongArch: Avoid using $r0/$r1 as "mask" for csrxchg
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit 52c22661c79a7b6af7fad9f77200738fc6c51878 upstream.
+
+When building kernel with LLVM there are occasionally such errors:
+
+In file included from ./include/linux/spinlock.h:59:
+In file included from ./include/linux/irqflags.h:17:
+arch/loongarch/include/asm/irqflags.h:38:3: error: must not be $r0 or $r1
+ 38 | "csrxchg %[val], %[mask], %[reg]\n\t"
+ | ^
+<inline asm>:1:16: note: instantiated into assembly here
+ 1 | csrxchg $a1, $ra, 0
+ | ^
+
+To prevent the compiler from allocating $r0 or $r1 for the "mask" of the
+csrxchg instruction, the 'q' constraint must be used but Clang < 21 does
+not support it. So force to use $t0 in the inline asm, in order to avoid
+using $r0/$r1 while keeping the backward compatibility.
+
+Cc: stable@vger.kernel.org
+Link: https://github.com/llvm/llvm-project/pull/141037
+Reviewed-by: Yanteng Si <si.yanteng@linux.dev>
+Suggested-by: WANG Rui <wangrui@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/include/asm/irqflags.h | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/arch/loongarch/include/asm/irqflags.h
++++ b/arch/loongarch/include/asm/irqflags.h
+@@ -14,40 +14,48 @@
+ static inline void arch_local_irq_enable(void)
+ {
+ u32 flags = CSR_CRMD_IE;
++ register u32 mask asm("t0") = CSR_CRMD_IE;
++
+ __asm__ __volatile__(
+ "csrxchg %[val], %[mask], %[reg]\n\t"
+ : [val] "+r" (flags)
+- : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD)
++ : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD)
+ : "memory");
+ }
+
+ static inline void arch_local_irq_disable(void)
+ {
+ u32 flags = 0;
++ register u32 mask asm("t0") = CSR_CRMD_IE;
++
+ __asm__ __volatile__(
+ "csrxchg %[val], %[mask], %[reg]\n\t"
+ : [val] "+r" (flags)
+- : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD)
++ : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD)
+ : "memory");
+ }
+
+ static inline unsigned long arch_local_irq_save(void)
+ {
+ u32 flags = 0;
++ register u32 mask asm("t0") = CSR_CRMD_IE;
++
+ __asm__ __volatile__(
+ "csrxchg %[val], %[mask], %[reg]\n\t"
+ : [val] "+r" (flags)
+- : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD)
++ : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD)
+ : "memory");
+ return flags;
+ }
+
+ static inline void arch_local_irq_restore(unsigned long flags)
+ {
++ register u32 mask asm("t0") = CSR_CRMD_IE;
++
+ __asm__ __volatile__(
+ "csrxchg %[val], %[mask], %[reg]\n\t"
+ : [val] "+r" (flags)
+- : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD)
++ : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD)
+ : "memory");
+ }
+
--- /dev/null
+From 7ca52541c05c832d32b112274f81a985101f9ba8 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 11 Jun 2025 08:35:01 +0000
+Subject: net_sched: sch_sfq: reject invalid perturb period
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 7ca52541c05c832d32b112274f81a985101f9ba8 upstream.
+
+Gerrard Tai reported that SFQ perturb_period has no range check yet,
+and this can be used to trigger a race condition fixed in a separate patch.
+
+We want to make sure ctl->perturb_period * HZ will not overflow
+and is positive.
+
+Tested:
+
+tc qd add dev lo root sfq perturb -10 # negative value : error
+Error: sch_sfq: invalid perturb period.
+
+tc qd add dev lo root sfq perturb 1000000000 # too big : error
+Error: sch_sfq: invalid perturb period.
+
+tc qd add dev lo root sfq perturb 2000000 # acceptable value
+tc -s -d qd sh dev lo
+qdisc sfq 8005: root refcnt 2 limit 127p quantum 64Kb depth 127 flows 128 divisor 1024 perturb 2000000sec
+ Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
+ backlog 0b 0p requeues 0
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250611083501.1810459-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_sfq.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -656,6 +656,14 @@ static int sfq_change(struct Qdisc *sch,
+ NL_SET_ERR_MSG_MOD(extack, "invalid quantum");
+ return -EINVAL;
+ }
++
++ if (ctl->perturb_period < 0 ||
++ ctl->perturb_period > INT_MAX / HZ) {
++ NL_SET_ERR_MSG_MOD(extack, "invalid perturb period");
++ return -EINVAL;
++ }
++ perturb_period = ctl->perturb_period * HZ;
++
+ if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
+ ctl_v1->Wlog, ctl_v1->Scell_log, NULL))
+ return -EINVAL;
+@@ -672,14 +680,12 @@ static int sfq_change(struct Qdisc *sch,
+ headdrop = q->headdrop;
+ maxdepth = q->maxdepth;
+ maxflows = q->maxflows;
+- perturb_period = q->perturb_period;
+ quantum = q->quantum;
+ flags = q->flags;
+
+ /* update and validate configuration */
+ if (ctl->quantum)
+ quantum = ctl->quantum;
+- perturb_period = ctl->perturb_period * HZ;
+ if (ctl->flows)
+ maxflows = min_t(u32, ctl->flows, SFQ_MAX_FLOWS);
+ if (ctl->divisor) {
--- /dev/null
+From 53c762b47f726e4079a1f06f684bce2fc0d56fba Mon Sep 17 00:00:00 2001
+From: Yao Zi <ziyao@disroot.org>
+Date: Thu, 5 Jun 2025 20:34:46 +0800
+Subject: platform/loongarch: laptop: Add backlight power control support
+
+From: Yao Zi <ziyao@disroot.org>
+
+commit 53c762b47f726e4079a1f06f684bce2fc0d56fba upstream.
+
+loongson_laptop_turn_{on,off}_backlight() are designed for controlling
+the power of the backlight, but they aren't really used in the driver
+previously.
+
+Unify these two functions since they only differ in arguments passed to
+ACPI method, and wire up loongson_laptop_backlight_update() to update
+the power state of the backlight as well. Tested on the TongFang L860-T2
+Loongson-3A5000 laptop.
+
+Cc: stable@vger.kernel.org
+Fixes: 6246ed09111f ("LoongArch: Add ACPI-based generic laptop driver")
+Signed-off-by: Yao Zi <ziyao@disroot.org>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/loongarch/loongson-laptop.c | 73 +++++++++++++--------------
+ 1 file changed, 37 insertions(+), 36 deletions(-)
+
+--- a/drivers/platform/loongarch/loongson-laptop.c
++++ b/drivers/platform/loongarch/loongson-laptop.c
+@@ -56,8 +56,7 @@ static struct input_dev *generic_inputde
+ static acpi_handle hotkey_handle;
+ static struct key_entry hotkey_keycode_map[GENERIC_HOTKEY_MAP_MAX];
+
+-int loongson_laptop_turn_on_backlight(void);
+-int loongson_laptop_turn_off_backlight(void);
++static bool bl_powered;
+ static int loongson_laptop_backlight_update(struct backlight_device *bd);
+
+ /* 2. ACPI Helpers and device model */
+@@ -354,16 +353,42 @@ static int ec_backlight_level(u8 level)
+ return level;
+ }
+
++static int ec_backlight_set_power(bool state)
++{
++ int status;
++ union acpi_object arg0 = { ACPI_TYPE_INTEGER };
++ struct acpi_object_list args = { 1, &arg0 };
++
++ arg0.integer.value = state;
++ status = acpi_evaluate_object(NULL, "\\BLSW", &args, NULL);
++ if (ACPI_FAILURE(status)) {
++ pr_info("Loongson lvds error: 0x%x\n", status);
++ return -EIO;
++ }
++
++ return 0;
++}
++
+ static int loongson_laptop_backlight_update(struct backlight_device *bd)
+ {
+- int lvl = ec_backlight_level(bd->props.brightness);
++ bool target_powered = !backlight_is_blank(bd);
++ int ret = 0, lvl = ec_backlight_level(bd->props.brightness);
+
+ if (lvl < 0)
+ return -EIO;
++
+ if (ec_set_brightness(lvl))
+ return -EIO;
+
+- return 0;
++ if (target_powered != bl_powered) {
++ ret = ec_backlight_set_power(target_powered);
++ if (ret < 0)
++ return ret;
++
++ bl_powered = target_powered;
++ }
++
++ return ret;
+ }
+
+ static int loongson_laptop_get_brightness(struct backlight_device *bd)
+@@ -384,7 +409,7 @@ static const struct backlight_ops backli
+
+ static int laptop_backlight_register(void)
+ {
+- int status = 0;
++ int status = 0, ret;
+ struct backlight_properties props;
+
+ memset(&props, 0, sizeof(props));
+@@ -392,44 +417,20 @@ static int laptop_backlight_register(voi
+ if (!acpi_evalf(hotkey_handle, &status, "ECLL", "d"))
+ return -EIO;
+
++ ret = ec_backlight_set_power(true);
++ if (ret)
++ return ret;
++
++ bl_powered = true;
++
+ props.max_brightness = status;
+ props.brightness = ec_get_brightness();
++ props.power = BACKLIGHT_POWER_ON;
+ props.type = BACKLIGHT_PLATFORM;
+
+ backlight_device_register("loongson_laptop",
+ NULL, NULL, &backlight_laptop_ops, &props);
+
+- return 0;
+-}
+-
+-int loongson_laptop_turn_on_backlight(void)
+-{
+- int status;
+- union acpi_object arg0 = { ACPI_TYPE_INTEGER };
+- struct acpi_object_list args = { 1, &arg0 };
+-
+- arg0.integer.value = 1;
+- status = acpi_evaluate_object(NULL, "\\BLSW", &args, NULL);
+- if (ACPI_FAILURE(status)) {
+- pr_info("Loongson lvds error: 0x%x\n", status);
+- return -ENODEV;
+- }
+-
+- return 0;
+-}
+-
+-int loongson_laptop_turn_off_backlight(void)
+-{
+- int status;
+- union acpi_object arg0 = { ACPI_TYPE_INTEGER };
+- struct acpi_object_list args = { 1, &arg0 };
+-
+- arg0.integer.value = 0;
+- status = acpi_evaluate_object(NULL, "\\BLSW", &args, NULL);
+- if (ACPI_FAILURE(status)) {
+- pr_info("Loongson lvds error: 0x%x\n", status);
+- return -ENODEV;
+- }
+
+ return 0;
+ }
--- /dev/null
+From 1205088fd0393bd9eae96b62bf1e4b9eb1b73edf Mon Sep 17 00:00:00 2001
+From: Yao Zi <ziyao@disroot.org>
+Date: Thu, 5 Jun 2025 20:34:46 +0800
+Subject: platform/loongarch: laptop: Get brightness setting from EC on probe
+
+From: Yao Zi <ziyao@disroot.org>
+
+commit 1205088fd0393bd9eae96b62bf1e4b9eb1b73edf upstream.
+
+Previously during driver probe, 1 is unconditionally taken as current
+brightness value and set to props.brightness, which will be considered
+as the brightness before suspend and restored to EC on resume. Since a
+brightness value of 1 almost never matches EC's state on coldboot (my
+laptop's EC defaults to 80), this causes surprising changes of screen
+brightness on the first time of resume after coldboot.
+
+Let's get brightness from EC and take it as the current brightness on
+probe of the laptop driver to avoid the surprising behavior. Tested on
+TongFang L860-T2 Loongson-3A5000 laptop.
+
+Cc: stable@vger.kernel.org
+Fixes: 6246ed09111f ("LoongArch: Add ACPI-based generic laptop driver")
+Signed-off-by: Yao Zi <ziyao@disroot.org>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/loongarch/loongson-laptop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/platform/loongarch/loongson-laptop.c
++++ b/drivers/platform/loongarch/loongson-laptop.c
+@@ -392,8 +392,8 @@ static int laptop_backlight_register(voi
+ if (!acpi_evalf(hotkey_handle, &status, "ECLL", "d"))
+ return -EIO;
+
+- props.brightness = 1;
+ props.max_brightness = status;
++ props.brightness = ec_get_brightness();
+ props.type = BACKLIGHT_PLATFORM;
+
+ backlight_device_register("loongson_laptop",
--- /dev/null
+From f78fb2576f22b0ba5297412a9aa7691920666c41 Mon Sep 17 00:00:00 2001
+From: Yao Zi <ziyao@disroot.org>
+Date: Thu, 5 Jun 2025 20:34:46 +0800
+Subject: platform/loongarch: laptop: Unregister generic_sub_drivers on exit
+
+From: Yao Zi <ziyao@disroot.org>
+
+commit f78fb2576f22b0ba5297412a9aa7691920666c41 upstream.
+
+Without correct unregisteration, ACPI notify handlers and the platform
+drivers installed by generic_subdriver_init() will become dangling
+references after removing the loongson_laptop module, triggering various
+kernel faults when a hotkey is sent or at kernel shutdown.
+
+Cc: stable@vger.kernel.org
+Fixes: 6246ed09111f ("LoongArch: Add ACPI-based generic laptop driver")
+Signed-off-by: Yao Zi <ziyao@disroot.org>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/loongarch/loongson-laptop.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/platform/loongarch/loongson-laptop.c
++++ b/drivers/platform/loongarch/loongson-laptop.c
+@@ -611,11 +611,17 @@ static int __init generic_acpi_laptop_in
+
+ static void __exit generic_acpi_laptop_exit(void)
+ {
++ int i;
++
+ if (generic_inputdev) {
+- if (input_device_registered)
+- input_unregister_device(generic_inputdev);
+- else
++ if (!input_device_registered) {
+ input_free_device(generic_inputdev);
++ } else {
++ input_unregister_device(generic_inputdev);
++
++ for (i = 0; i < ARRAY_SIZE(generic_sub_drivers); i++)
++ generic_subdriver_exit(&generic_sub_drivers[i]);
++ }
+ }
+ }
+
--- /dev/null
+From 9697ca0d53e3db357be26d2414276143c4a2cd49 Mon Sep 17 00:00:00 2001
+From: Peter Oberparleiter <oberpar@linux.ibm.com>
+Date: Tue, 3 Jun 2025 20:21:56 +0200
+Subject: scsi: s390: zfcp: Ensure synchronous unit_add
+
+From: Peter Oberparleiter <oberpar@linux.ibm.com>
+
+commit 9697ca0d53e3db357be26d2414276143c4a2cd49 upstream.
+
+Improve the usability of the unit_add sysfs attribute by ensuring that
+the associated FCP LUN scan processing is completed synchronously. This
+enables configuration tooling to consistently determine the end of the
+scan process to allow for serialization of follow-on actions.
+
+While the scan process associated with unit_add typically completes
+synchronously, it is deferred to an asynchronous background process if
+unit_add is used before initial remote port scanning has completed. This
+occurs when unit_add is used immediately after setting the associated FCP
+device online.
+
+To ensure synchronous unit_add processing, wait for remote port scanning
+to complete before initiating the FCP LUN scan.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: M Nikhil <nikh1092@linux.ibm.com>
+Reviewed-by: Nihar Panda <niharp@linux.ibm.com>
+Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Signed-off-by: Nihar Panda <niharp@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250603182252.2287285-2-niharp@linux.ibm.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/scsi/zfcp_sysfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/s390/scsi/zfcp_sysfs.c
++++ b/drivers/s390/scsi/zfcp_sysfs.c
+@@ -450,6 +450,8 @@ static ssize_t zfcp_sysfs_unit_add_store
+ if (kstrtoull(buf, 0, (unsigned long long *) &fcp_lun))
+ return -EINVAL;
+
++ flush_work(&port->rport_work);
++
+ retval = zfcp_unit_add(port, fcp_lun);
+ if (retval)
+ return retval;
--- /dev/null
+From b2f966568faaad326de97481096d0f3dc0971c43 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Fri, 6 Jun 2025 13:57:39 -0700
+Subject: scsi: storvsc: Increase the timeouts to storvsc_timeout
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit b2f966568faaad326de97481096d0f3dc0971c43 upstream.
+
+Currently storvsc_timeout is only used in storvsc_sdev_configure(), and
+5s and 10s are used elsewhere. It turns out that rarely the 5s is not
+enough on Azure, so let's use storvsc_timeout everywhere.
+
+In case a timeout happens and storvsc_channel_init() returns an error,
+close the VMBus channel so that any host-to-guest messages in the
+channel's ringbuffer, which might come late, can be safely ignored.
+
+Add a "const" to storvsc_timeout.
+
+Cc: stable@kernel.org
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Link: https://lore.kernel.org/r/1749243459-10419-1-git-send-email-decui@microsoft.com
+Reviewed-by: Long Li <longli@microsoft.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/storvsc_drv.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -358,7 +358,7 @@ MODULE_PARM_DESC(ring_avail_percent_lowa
+ /*
+ * Timeout in seconds for all devices managed by this driver.
+ */
+-static int storvsc_timeout = 180;
++static const int storvsc_timeout = 180;
+
+ #if IS_ENABLED(CONFIG_SCSI_FC_ATTRS)
+ static struct scsi_transport_template *fc_transport_template;
+@@ -764,7 +764,7 @@ static void handle_multichannel_storage
+ return;
+ }
+
+- t = wait_for_completion_timeout(&request->wait_event, 10*HZ);
++ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ);
+ if (t == 0) {
+ dev_err(dev, "Failed to create sub-channel: timed out\n");
+ return;
+@@ -829,7 +829,7 @@ static int storvsc_execute_vstor_op(stru
+ if (ret != 0)
+ return ret;
+
+- t = wait_for_completion_timeout(&request->wait_event, 5*HZ);
++ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ);
+ if (t == 0)
+ return -ETIMEDOUT;
+
+@@ -1342,6 +1342,8 @@ static int storvsc_connect_to_vsp(struct
+ return ret;
+
+ ret = storvsc_channel_init(device, is_fc);
++ if (ret)
++ vmbus_close(device->channel);
+
+ return ret;
+ }
+@@ -1659,7 +1661,7 @@ static int storvsc_host_reset_handler(st
+ if (ret != 0)
+ return FAILED;
+
+- t = wait_for_completion_timeout(&request->wait_event, 5*HZ);
++ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ);
+ if (t == 0)
+ return TIMEOUT_ERROR;
+
--- /dev/null
+From f287822688eeb44ae1cf6ac45701d965efc33218 Mon Sep 17 00:00:00 2001
+From: "Xin Li (Intel)" <xin@zytor.com>
+Date: Mon, 9 Jun 2025 01:40:54 -0700
+Subject: selftests/x86: Add a test to detect infinite SIGTRAP handler loop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xin Li (Intel) <xin@zytor.com>
+
+commit f287822688eeb44ae1cf6ac45701d965efc33218 upstream.
+
+When FRED is enabled, if the Trap Flag (TF) is set without an external
+debugger attached, it can lead to an infinite loop in the SIGTRAP
+handler. To avoid this, the software event flag in the augmented SS
+must be cleared, ensuring that no single-step trap remains pending when
+ERETU completes.
+
+This test checks for that specific scenario—verifying whether the kernel
+correctly prevents an infinite SIGTRAP loop in this edge case when FRED
+is enabled.
+
+The test should _always_ pass with IDT event delivery, thus no need to
+disable the test even when FRED is not enabled.
+
+Signed-off-by: Xin Li (Intel) <xin@zytor.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Tested-by: Sohil Mehta <sohil.mehta@intel.com>
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250609084054.2083189-3-xin%40zytor.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/Makefile | 2
+ tools/testing/selftests/x86/sigtrap_loop.c | 101 +++++++++++++++++++++++++++++
+ 2 files changed, 102 insertions(+), 1 deletion(-)
+ create mode 100644 tools/testing/selftests/x86/sigtrap_loop.c
+
+--- a/tools/testing/selftests/x86/Makefile
++++ b/tools/testing/selftests/x86/Makefile
+@@ -12,7 +12,7 @@ CAN_BUILD_WITH_NOPIE := $(shell ./check_
+
+ TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt test_mremap_vdso \
+ check_initial_reg_state sigreturn iopl ioperm \
+- test_vsyscall mov_ss_trap \
++ test_vsyscall mov_ss_trap sigtrap_loop \
+ syscall_arg_fault fsgsbase_restore sigaltstack
+ TARGETS_C_32BIT_ONLY := entry_from_vm86 test_syscall_vdso unwind_vdso \
+ test_FCMOV test_FCOMI test_FISTTP \
+--- /dev/null
++++ b/tools/testing/selftests/x86/sigtrap_loop.c
+@@ -0,0 +1,101 @@
++// SPDX-License-Identifier: GPL-2.0-only
++/*
++ * Copyright (C) 2025 Intel Corporation
++ */
++#define _GNU_SOURCE
++
++#include <err.h>
++#include <signal.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <sys/ucontext.h>
++
++#ifdef __x86_64__
++# define REG_IP REG_RIP
++#else
++# define REG_IP REG_EIP
++#endif
++
++static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *), int flags)
++{
++ struct sigaction sa;
++
++ memset(&sa, 0, sizeof(sa));
++ sa.sa_sigaction = handler;
++ sa.sa_flags = SA_SIGINFO | flags;
++ sigemptyset(&sa.sa_mask);
++
++ if (sigaction(sig, &sa, 0))
++ err(1, "sigaction");
++
++ return;
++}
++
++static void sigtrap(int sig, siginfo_t *info, void *ctx_void)
++{
++ ucontext_t *ctx = (ucontext_t *)ctx_void;
++ static unsigned int loop_count_on_same_ip;
++ static unsigned long last_trap_ip;
++
++ if (last_trap_ip == ctx->uc_mcontext.gregs[REG_IP]) {
++ printf("\tTrapped at %016lx\n", last_trap_ip);
++
++ /*
++ * If the same IP is hit more than 10 times in a row, it is
++ * _considered_ an infinite loop.
++ */
++ if (++loop_count_on_same_ip > 10) {
++ printf("[FAIL]\tDetected SIGTRAP infinite loop\n");
++ exit(1);
++ }
++
++ return;
++ }
++
++ loop_count_on_same_ip = 0;
++ last_trap_ip = ctx->uc_mcontext.gregs[REG_IP];
++ printf("\tTrapped at %016lx\n", last_trap_ip);
++}
++
++int main(int argc, char *argv[])
++{
++ sethandler(SIGTRAP, sigtrap, 0);
++
++ /*
++ * Set the Trap Flag (TF) to single-step the test code, therefore to
++ * trigger a SIGTRAP signal after each instruction until the TF is
++ * cleared.
++ *
++ * Because the arithmetic flags are not significant here, the TF is
++ * set by pushing 0x302 onto the stack and then popping it into the
++ * flags register.
++ *
++ * Four instructions in the following asm code are executed with the
++ * TF set, thus the SIGTRAP handler is expected to run four times.
++ */
++ printf("[RUN]\tSIGTRAP infinite loop detection\n");
++ asm volatile(
++#ifdef __x86_64__
++ /*
++ * Avoid clobbering the redzone
++ *
++ * Equivalent to "sub $128, %rsp", however -128 can be encoded
++ * in a single byte immediate while 128 uses 4 bytes.
++ */
++ "add $-128, %rsp\n\t"
++#endif
++ "push $0x302\n\t"
++ "popf\n\t"
++ "nop\n\t"
++ "nop\n\t"
++ "push $0x202\n\t"
++ "popf\n\t"
++#ifdef __x86_64__
++ "sub $-128, %rsp\n\t"
++#endif
++ );
++
++ printf("[OK]\tNo SIGTRAP infinite loop detected\n");
++ return 0;
++}
--- /dev/null
+From 86c8db86af43f52f682e53a0f2f0828683be1e52 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+Date: Fri, 13 Jun 2025 15:37:05 -0400
+Subject: selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+
+commit 86c8db86af43f52f682e53a0f2f0828683be1e52 upstream.
+
+We should count the terminating NUL byte as part of the ctx_len.
+Otherwise, UBSAN logs a warning:
+ UBSAN: array-index-out-of-bounds in security/selinux/xfrm.c:99:14
+ index 60 is out of range for type 'char [*]'
+
+The allocation itself is correct so there is no actual out of bounds
+indexing, just a warning.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Christian Göttsche <cgzones@googlemail.com>
+Link: https://lore.kernel.org/selinux/CAEjxPJ6tA5+LxsGfOJokzdPeRomBHjKLBVR6zbrg+_w3ZZbM3A@mail.gmail.com/
+Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/xfrm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/selinux/xfrm.c
++++ b/security/selinux/xfrm.c
+@@ -95,7 +95,7 @@ static int selinux_xfrm_alloc_user(struc
+
+ ctx->ctx_doi = XFRM_SC_DOI_LSM;
+ ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
+- ctx->ctx_len = str_len;
++ ctx->ctx_len = str_len + 1;
+ memcpy(ctx->ctx_str, &uctx[1], str_len);
+ ctx->ctx_str[str_len] = '\0';
+ rc = security_context_to_sid(&selinux_state, ctx->ctx_str, str_len,
platform-x86-dell_rbu-stop-overwriting-data-buffer.patch
powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch
revert-x86-bugs-make-spectre-user-default-depend-on-mitigation_spectre_v2-on-v6.6-and-older.patch
+drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch
+platform-loongarch-laptop-get-brightness-setting-from-ec-on-probe.patch
+platform-loongarch-laptop-unregister-generic_sub_drivers-on-exit.patch
+platform-loongarch-laptop-add-backlight-power-control-support.patch
+loongarch-avoid-using-r0-r1-as-mask-for-csrxchg.patch
+jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch
+jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch
+smb-improve-directory-cache-reuse-for-readdir-operations.patch
+scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch
+scsi-s390-zfcp-ensure-synchronous-unit_add.patch
+net_sched-sch_sfq-reject-invalid-perturb-period.patch
+udmabuf-use-sgtable-based-scatterlist-wrappers.patch
+selftests-x86-add-a-test-to-detect-infinite-sigtrap-handler-loop.patch
+ksmbd-fix-null-pointer-dereference-in-destroy_previous_session.patch
+selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch
+atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch
--- /dev/null
+From 72dd7961a4bb4fa1fc456169a61dd12e68e50645 Mon Sep 17 00:00:00 2001
+From: Bharath SM <bharathsm.hsk@gmail.com>
+Date: Wed, 11 Jun 2025 16:59:02 +0530
+Subject: smb: improve directory cache reuse for readdir operations
+
+From: Bharath SM <bharathsm.hsk@gmail.com>
+
+commit 72dd7961a4bb4fa1fc456169a61dd12e68e50645 upstream.
+
+Currently, cached directory contents were not reused across subsequent
+'ls' operations because the cache validity check relied on comparing
+the ctx pointer, which changes with each readdir invocation. As a
+result, the cached dir entries was not marked as valid and the cache was
+not utilized for subsequent 'ls' operations.
+
+This change uses the file pointer, which remains consistent across all
+readdir calls for a given directory instance, to associate and validate
+the cache. As a result, cached directory contents can now be
+correctly reused, improving performance for repeated directory listings.
+
+Performance gains with local windows SMB server:
+
+Without the patch and default actimeo=1:
+ 1000 directory enumeration operations on dir with 10k files took 135.0s
+
+With this patch and actimeo=0:
+ 1000 directory enumeration operations on dir with 10k files took just 5.1s
+
+Signed-off-by: Bharath SM <bharathsm@microsoft.com>
+Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cached_dir.h | 8 ++++----
+ fs/smb/client/readdir.c | 28 +++++++++++++++-------------
+ 2 files changed, 19 insertions(+), 17 deletions(-)
+
+--- a/fs/smb/client/cached_dir.h
++++ b/fs/smb/client/cached_dir.h
+@@ -21,10 +21,10 @@ struct cached_dirent {
+ struct cached_dirents {
+ bool is_valid:1;
+ bool is_failed:1;
+- struct dir_context *ctx; /*
+- * Only used to make sure we only take entries
+- * from a single context. Never dereferenced.
+- */
++ struct file *file; /*
++ * Used to associate the cache with a single
++ * open file instance.
++ */
+ struct mutex de_mutex;
+ int pos; /* Expected ctx->pos */
+ struct list_head entries;
+--- a/fs/smb/client/readdir.c
++++ b/fs/smb/client/readdir.c
+@@ -882,9 +882,9 @@ static bool emit_cached_dirents(struct c
+ }
+
+ static void update_cached_dirents_count(struct cached_dirents *cde,
+- struct dir_context *ctx)
++ struct file *file)
+ {
+- if (cde->ctx != ctx)
++ if (cde->file != file)
+ return;
+ if (cde->is_valid || cde->is_failed)
+ return;
+@@ -893,9 +893,9 @@ static void update_cached_dirents_count(
+ }
+
+ static void finished_cached_dirents_count(struct cached_dirents *cde,
+- struct dir_context *ctx)
++ struct dir_context *ctx, struct file *file)
+ {
+- if (cde->ctx != ctx)
++ if (cde->file != file)
+ return;
+ if (cde->is_valid || cde->is_failed)
+ return;
+@@ -908,11 +908,12 @@ static void finished_cached_dirents_coun
+ static void add_cached_dirent(struct cached_dirents *cde,
+ struct dir_context *ctx,
+ const char *name, int namelen,
+- struct cifs_fattr *fattr)
++ struct cifs_fattr *fattr,
++ struct file *file)
+ {
+ struct cached_dirent *de;
+
+- if (cde->ctx != ctx)
++ if (cde->file != file)
+ return;
+ if (cde->is_valid || cde->is_failed)
+ return;
+@@ -942,7 +943,8 @@ static void add_cached_dirent(struct cac
+ static bool cifs_dir_emit(struct dir_context *ctx,
+ const char *name, int namelen,
+ struct cifs_fattr *fattr,
+- struct cached_fid *cfid)
++ struct cached_fid *cfid,
++ struct file *file)
+ {
+ bool rc;
+ ino_t ino = cifs_uniqueid_to_ino_t(fattr->cf_uniqueid);
+@@ -954,7 +956,7 @@ static bool cifs_dir_emit(struct dir_con
+ if (cfid) {
+ mutex_lock(&cfid->dirents.de_mutex);
+ add_cached_dirent(&cfid->dirents, ctx, name, namelen,
+- fattr);
++ fattr, file);
+ mutex_unlock(&cfid->dirents.de_mutex);
+ }
+
+@@ -1054,7 +1056,7 @@ static int cifs_filldir(char *find_entry
+ cifs_prime_dcache(file_dentry(file), &name, &fattr);
+
+ return !cifs_dir_emit(ctx, name.name, name.len,
+- &fattr, cfid);
++ &fattr, cfid, file);
+ }
+
+
+@@ -1105,8 +1107,8 @@ int cifs_readdir(struct file *file, stru
+ * we need to initialize scanning and storing the
+ * directory content.
+ */
+- if (ctx->pos == 0 && cfid->dirents.ctx == NULL) {
+- cfid->dirents.ctx = ctx;
++ if (ctx->pos == 0 && cfid->dirents.file == NULL) {
++ cfid->dirents.file = file;
+ cfid->dirents.pos = 2;
+ }
+ /*
+@@ -1174,7 +1176,7 @@ int cifs_readdir(struct file *file, stru
+ } else {
+ if (cfid) {
+ mutex_lock(&cfid->dirents.de_mutex);
+- finished_cached_dirents_count(&cfid->dirents, ctx);
++ finished_cached_dirents_count(&cfid->dirents, ctx, file);
+ mutex_unlock(&cfid->dirents.de_mutex);
+ }
+ cifs_dbg(FYI, "Could not find entry\n");
+@@ -1215,7 +1217,7 @@ int cifs_readdir(struct file *file, stru
+ ctx->pos++;
+ if (cfid) {
+ mutex_lock(&cfid->dirents.de_mutex);
+- update_cached_dirents_count(&cfid->dirents, ctx);
++ update_cached_dirents_count(&cfid->dirents, file);
+ mutex_unlock(&cfid->dirents.de_mutex);
+ }
+
--- /dev/null
+From afe382843717d44b24ef5014d57dcbaab75a4052 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Wed, 7 May 2025 18:09:12 +0200
+Subject: udmabuf: use sgtable-based scatterlist wrappers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit afe382843717d44b24ef5014d57dcbaab75a4052 upstream.
+
+Use common wrappers operating directly on the struct sg_table objects to
+fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*()
+functions have to be called with the number of elements originally passed
+to dma_map_sg_*() function, not the one returned in sgtable's nents.
+
+Fixes: 1ffe09590121 ("udmabuf: fix dma-buf cpu access")
+CC: stable@vger.kernel.org
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Acked-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Link: https://lore.kernel.org/r/20250507160913.2084079-3-m.szyprowski@samsung.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma-buf/udmabuf.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/dma-buf/udmabuf.c
++++ b/drivers/dma-buf/udmabuf.c
+@@ -133,8 +133,7 @@ static int begin_cpu_udmabuf(struct dma_
+ ubuf->sg = NULL;
+ }
+ } else {
+- dma_sync_sg_for_cpu(dev, ubuf->sg->sgl, ubuf->sg->nents,
+- direction);
++ dma_sync_sgtable_for_cpu(dev, ubuf->sg, direction);
+ }
+
+ return ret;
+@@ -149,7 +148,7 @@ static int end_cpu_udmabuf(struct dma_bu
+ if (!ubuf->sg)
+ return -EINVAL;
+
+- dma_sync_sg_for_device(dev, ubuf->sg->sgl, ubuf->sg->nents, direction);
++ dma_sync_sgtable_for_device(dev, ubuf->sg, direction);
+ return 0;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
