--- /dev/null
+From cf3fc037623c54de48d2ec1a1ee686e2d1de2d45 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Tue, 29 Jul 2025 18:28:07 +0900
+Subject: ata: libata-scsi: Fix ata_to_sense_error() status handling
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit cf3fc037623c54de48d2ec1a1ee686e2d1de2d45 upstream.
+
+Commit 8ae720449fca ("libata: whitespace fixes in ata_to_sense_error()")
+inadvertantly added the entry 0x40 (ATA_DRDY) to the stat_table array in
+the function ata_to_sense_error(). This entry ties a failed qc which has
+a status filed equal to ATA_DRDY to the sense key ILLEGAL REQUEST with
+the additional sense code UNALIGNED WRITE COMMAND. This entry will be
+used to generate a failed qc sense key and sense code when the qc is
+missing sense data and there is no match for the qc error field in the
+sense_table array of ata_to_sense_error().
+
+As a result, for a failed qc for which we failed to get sense data (e.g.
+read log 10h failed if qc is an NCQ command, or REQUEST SENSE EXT
+command failed for the non-ncq case, the user very often end up seeing
+the completely misleading "unaligned write command" error, even if qc
+was not a write command. E.g.:
+
+sd 0:0:0:0: [sda] tag#12 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s
+sd 0:0:0:0: [sda] tag#12 Sense Key : Illegal Request [current]
+sd 0:0:0:0: [sda] tag#12 Add. Sense: Unaligned write command
+sd 0:0:0:0: [sda] tag#12 CDB: Read(10) 28 00 00 00 10 00 00 00 08 00
+I/O error, dev sda, sector 4096 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
+
+Fix this by removing the ATA_DRDY entry from the stat_table array so
+that we default to always returning ABORTED COMMAND without any
+additional sense code, since we do not know any better. The entry 0x08
+(ATA_DRQ) is also removed since signaling ABORTED COMMAND with a parity
+error is also misleading (as a parity error would likely be signaled
+through a bus error). So for this case, also default to returning
+ABORTED COMMAND without any additional sense code. With this, the
+previous example error case becomes:
+
+sd 0:0:0:0: [sda] tag#17 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s
+sd 0:0:0:0: [sda] tag#17 Sense Key : Aborted Command [current]
+sd 0:0:0:0: [sda] tag#17 Add. Sense: No additional sense information
+sd 0:0:0:0: [sda] tag#17 CDB: Read(10) 28 00 00 00 10 00 00 00 08 00
+I/O error, dev sda, sector 4096 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
+
+Together with these fixes, refactor stat_table to make it more readable
+by putting the entries comments in front of the entries and using the
+defined status bits macros instead of hardcoded values.
+
+Reported-by: Lorenz Brun <lorenz@brun.one>
+Reported-by: Brandon Schwartz <Brandon.Schwartz@wdc.com>
+Fixes: 8ae720449fca ("libata: whitespace fixes in ata_to_sense_error()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -770,18 +770,14 @@ static void ata_to_sense_error(unsigned
+ {0xFF, 0xFF, 0xFF, 0xFF}, // END mark
+ };
+ static const unsigned char stat_table[][4] = {
+- /* Must be first because BUSY means no other bits valid */
+- {0x80, ABORTED_COMMAND, 0x47, 0x00},
+- // Busy, fake parity for now
+- {0x40, ILLEGAL_REQUEST, 0x21, 0x04},
+- // Device ready, unaligned write command
+- {0x20, HARDWARE_ERROR, 0x44, 0x00},
+- // Device fault, internal target failure
+- {0x08, ABORTED_COMMAND, 0x47, 0x00},
+- // Timed out in xfer, fake parity for now
+- {0x04, RECOVERED_ERROR, 0x11, 0x00},
+- // Recovered ECC error Medium error, recovered
+- {0xFF, 0xFF, 0xFF, 0xFF}, // END mark
++ /* Busy: must be first because BUSY means no other bits valid */
++ { ATA_BUSY, ABORTED_COMMAND, 0x00, 0x00 },
++ /* Device fault: INTERNAL TARGET FAILURE */
++ { ATA_DF, HARDWARE_ERROR, 0x44, 0x00 },
++ /* Corrected data error */
++ { ATA_CORR, RECOVERED_ERROR, 0x00, 0x00 },
++
++ { 0xFF, 0xFF, 0xFF, 0xFF }, /* END mark */
+ };
+
+ /*
--- /dev/null
+From b4cc4a4077268522e3d0d34de4b2dc144e2330fa Mon Sep 17 00:00:00 2001
+From: Andreas Dilger <adilger@dilger.ca>
+Date: Wed, 16 Jul 2025 19:36:42 -0600
+Subject: ext4: check fast symlink for ea_inode correctly
+
+From: Andreas Dilger <adilger@dilger.ca>
+
+commit b4cc4a4077268522e3d0d34de4b2dc144e2330fa upstream.
+
+The check for a fast symlink in the presence of only an
+external xattr inode is incorrect. If a fast symlink does
+not have an xattr block (i_file_acl == 0), but does have
+an external xattr inode that increases inode i_blocks, then
+the check for a fast symlink will incorrectly fail and
+__ext4_iget()->ext4_ind_check_inode() will report the inode
+is corrupt when it "validates" i_data[] on the next read:
+
+ # ln -s foo /mnt/tmp/bar
+ # setfattr -h -n trusted.test \
+ -v "$(yes | head -n 4000)" /mnt/tmp/bar
+ # umount /mnt/tmp
+ # mount /mnt/tmp
+ # ls -l /mnt/tmp
+ ls: cannot access '/mnt/tmp/bar': Structure needs cleaning
+ total 4
+ ? l?????????? ? ? ? ? ? bar
+ # dmesg | tail -1
+ EXT4-fs error (device dm-8): __ext4_iget:5098:
+ inode #24578: block 7303014: comm ls: invalid block
+
+(note that "block 7303014" = 0x6f6f66 = "foo" in LE order).
+
+ext4_inode_is_fast_symlink() should check the superblock
+EXT4_FEATURE_INCOMPAT_EA_INODE feature flag, not the inode
+EXT4_EA_INODE_FL, since the latter is only set on the xattr
+inode itself, and not on the inode that uses this xattr.
+
+Cc: stable@vger.kernel.org
+Fixes: fc82228a5e38 ("ext4: support fast symlinks from ext3 file systems")
+Signed-off-by: Andreas Dilger <adilger@whamcloud.com>
+Reviewed-by: Li Dongyang <dongyangli@ddn.com>
+Reviewed-by: Alex Zhuravlev <bzzz@whamcloud.com>
+Reviewed-by: Oleg Drokin <green@whamcloud.com>
+Reviewed-on: https://review.whamcloud.com/59879
+Lustre-bug-id: https://jira.whamcloud.com/browse/LU-19121
+Link: https://patch.msgid.link/20250717063709.757077-1-adilger@dilger.ca
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -148,7 +148,7 @@ static int ext4_meta_trans_blocks(struct
+ */
+ int ext4_inode_is_fast_symlink(struct inode *inode)
+ {
+- if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) {
++ if (!ext4_has_feature_ea_inode(inode->i_sb)) {
+ int ea_blocks = EXT4_I(inode)->i_file_acl ?
+ EXT4_CLUSTER_SIZE(inode->i_sb) >> 9 : 0;
+
--- /dev/null
+From c5e104a91e7b6fa12c1dc2d8bf84abb7ef9b89ad Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 7 Aug 2025 09:35:20 -0400
+Subject: ext4: don't try to clear the orphan_present feature block device is r/o
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit c5e104a91e7b6fa12c1dc2d8bf84abb7ef9b89ad upstream.
+
+When the file system is frozen in preparation for taking an LVM
+snapshot, the journal is checkpointed and if the orphan_file feature
+is enabled, and the orphan file is empty, we clear the orphan_present
+feature flag. But if there are pending inodes that need to be removed
+the orphan_present feature flag can't be cleared.
+
+The problem comes if the block device is read-only. In that case, we
+can't process the orphan inode list, so it is skipped in
+ext4_orphan_cleanup(). But then in ext4_mark_recovery_complete(),
+this results in the ext4 error "Orphan file not empty on read-only fs"
+firing and the file system mount is aborted.
+
+Fix this by clearing the needs_recovery flag in the block device is
+read-only. We do this after the call to ext4_load_and_init-journal()
+since there are some error checks need to be done in case the journal
+needs to be replayed and the block device is read-only, or if the
+block device containing the externa journal is read-only, etc.
+
+Cc: stable@kernel.org
+Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108271
+Cc: stable@vger.kernel.org
+Fixes: 02f310fcf47f ("ext4: Speedup ext4 orphan inode handling")
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -4669,6 +4669,8 @@ static int ext4_fill_super(struct super_
+ err = ext4_load_journal(sb, es, parsed_opts.journal_devnum);
+ if (err)
+ goto failed_mount3a;
++ if (bdev_read_only(sb->s_bdev))
++ needs_recovery = 0;
+ } else if (test_opt(sb, NOLOAD) && !sb_rdonly(sb) &&
+ ext4_has_feature_journal_needs_recovery(sb)) {
+ ext4_msg(sb, KERN_ERR, "required journal recovery "
--- /dev/null
+From bae76c035bf0852844151e68098c9b7cd63ef238 Mon Sep 17 00:00:00 2001
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Date: Tue, 5 Aug 2025 14:00:30 +0530
+Subject: ext4: fix fsmap end of range reporting with bigalloc
+
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+
+commit bae76c035bf0852844151e68098c9b7cd63ef238 upstream.
+
+With bigalloc enabled, the logic to report last extent has a bug since
+we try to use cluster units instead of block units. This can cause an
+issue where extra incorrect entries might be returned back to the
+user. This was flagged by generic/365 with 64k bs and -O bigalloc.
+
+** Details of issue **
+
+The issue was noticed on 5G 64k blocksize FS with -O bigalloc which has
+only 1 bg.
+
+$ xfs_io -c "fsmap -d" /mnt/scratch
+
+ 0: 253:48 [0..127]: static fs metadata 128 /* sb */
+ 1: 253:48 [128..255]: special 102:1 128 /* gdt */
+ 3: 253:48 [256..383]: special 102:3 128 /* block bitmap */
+ 4: 253:48 [384..2303]: unknown 1920 /* flex bg empty space */
+ 5: 253:48 [2304..2431]: special 102:4 128 /* inode bitmap */
+ 6: 253:48 [2432..4351]: unknown 1920 /* flex bg empty space */
+ 7: 253:48 [4352..6911]: inodes 2560
+ 8: 253:48 [6912..538623]: unknown 531712
+ 9: 253:48 [538624..10485759]: free space 9947136
+
+The issue can be seen with:
+
+$ xfs_io -c "fsmap -d 0 3" /mnt/scratch
+
+ 0: 253:48 [0..127]: static fs metadata 128
+ 1: 253:48 [384..2047]: unknown 1664
+
+Only the first entry was expected to be returned but we get 2. This is
+because:
+
+ext4_getfsmap_datadev()
+ first_cluster, last_cluster = 0
+ ...
+ info->gfi_last = true;
+ ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1, 0, info);
+ fsb = C2B(1) = 16
+ fslen = 0
+ ...
+ /* Merge in any relevant extents from the meta_list */
+ list_for_each_entry_safe(p, tmp, &info->gfi_meta_list, fmr_list) {
+ ...
+ // since fsb = 16, considers all metadata which starts before 16 blockno
+ iter 1: error = ext4_getfsmap_helper(sb, info, p); // p = sb (0,1), nop
+ info->gfi_next_fsblk = 1
+ iter 2: error = ext4_getfsmap_helper(sb, info, p); // p = gdt (1,2), nop
+ info->gfi_next_fsblk = 2
+ iter 3: error = ext4_getfsmap_helper(sb, info, p); // p = blk bitmap (2,3), nop
+ info->gfi_next_fsblk = 3
+ iter 4: error = ext4_getfsmap_helper(sb, info, p); // p = ino bitmap (18,19)
+ if (rec_blk > info->gfi_next_fsblk) { // (18 > 3)
+ // emits an extra entry ** BUG **
+ }
+ }
+
+Fix this by directly calling ext4_getfsmap_datadev() with a dummy
+record that has fmr_physical set to (end_fsb + 1) instead of
+last_cluster + 1. By using the block instead of cluster we get the
+correct behavior.
+
+Replacing ext4_getfsmap_datadev_helper() with ext4_getfsmap_helper()
+is okay since the gfi_lastfree and metadata checks in
+ext4_getfsmap_datadev_helper() are anyways redundant when we only want
+to emit the last allocated block of the range, as we have already
+taken care of emitting metadata and any last free blocks.
+
+Cc: stable@kernel.org
+Reported-by: Disha Goel <disgoel@linux.ibm.com>
+Fixes: 4a622e4d477b ("ext4: fix FS_IOC_GETFSMAP handling")
+Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Link: https://patch.msgid.link/e7472c8535c9c5ec10f425f495366864ea12c9da.1754377641.git.ojaswin@linux.ibm.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/fsmap.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/fsmap.c
++++ b/fs/ext4/fsmap.c
+@@ -526,6 +526,7 @@ static int ext4_getfsmap_datadev(struct
+ ext4_group_t end_ag;
+ ext4_grpblk_t first_cluster;
+ ext4_grpblk_t last_cluster;
++ struct ext4_fsmap irec;
+ int error = 0;
+
+ bofs = le32_to_cpu(sbi->s_es->s_first_data_block);
+@@ -609,10 +610,18 @@ static int ext4_getfsmap_datadev(struct
+ goto err;
+ }
+
+- /* Report any gaps at the end of the bg */
++ /*
++ * The dummy record below will cause ext4_getfsmap_helper() to report
++ * any allocated blocks at the end of the range.
++ */
++ irec.fmr_device = 0;
++ irec.fmr_physical = end_fsb + 1;
++ irec.fmr_length = 0;
++ irec.fmr_owner = EXT4_FMR_OWN_FREE;
++ irec.fmr_flags = 0;
++
+ info->gfi_last = true;
+- error = ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1,
+- 0, info);
++ error = ext4_getfsmap_helper(sb, info, &irec);
+ if (error)
+ goto err;
+
--- /dev/null
+From 02c7f7219ac0e2277b3379a3a0e9841ef464b6d4 Mon Sep 17 00:00:00 2001
+From: Zhang Yi <yi.zhang@huawei.com>
+Date: Mon, 11 Aug 2025 14:45:32 +0800
+Subject: ext4: fix hole length calculation overflow in non-extent inodes
+
+From: Zhang Yi <yi.zhang@huawei.com>
+
+commit 02c7f7219ac0e2277b3379a3a0e9841ef464b6d4 upstream.
+
+In a filesystem with a block size larger than 4KB, the hole length
+calculation for a non-extent inode in ext4_ind_map_blocks() can easily
+exceed INT_MAX. Then it could return a zero length hole and trigger the
+following waring and infinite in the iomap infrastructure.
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 3 PID: 434101 at fs/iomap/iter.c:34 iomap_iter_done+0x148/0x190
+ CPU: 3 UID: 0 PID: 434101 Comm: fsstress Not tainted 6.16.0-rc7+ #128 PREEMPT(voluntary)
+ Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
+ pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : iomap_iter_done+0x148/0x190
+ lr : iomap_iter+0x174/0x230
+ sp : ffff8000880af740
+ x29: ffff8000880af740 x28: ffff0000db8e6840 x27: 0000000000000000
+ x26: 0000000000000000 x25: ffff8000880af830 x24: 0000004000000000
+ x23: 0000000000000002 x22: 000001bfdbfa8000 x21: ffffa6a41c002e48
+ x20: 0000000000000001 x19: ffff8000880af808 x18: 0000000000000000
+ x17: 0000000000000000 x16: ffffa6a495ee6cd0 x15: 0000000000000000
+ x14: 00000000000003d4 x13: 00000000fa83b2da x12: 0000b236fc95f18c
+ x11: ffffa6a4978b9c08 x10: 0000000000001da0 x9 : ffffa6a41c1a2a44
+ x8 : ffff8000880af5c8 x7 : 0000000001000000 x6 : 0000000000000000
+ x5 : 0000000000000004 x4 : 000001bfdbfa8000 x3 : 0000000000000000
+ x2 : 0000000000000000 x1 : 0000004004030000 x0 : 0000000000000000
+ Call trace:
+ iomap_iter_done+0x148/0x190 (P)
+ iomap_iter+0x174/0x230
+ iomap_fiemap+0x154/0x1d8
+ ext4_fiemap+0x110/0x140 [ext4]
+ do_vfs_ioctl+0x4b8/0xbc0
+ __arm64_sys_ioctl+0x8c/0x120
+ invoke_syscall+0x6c/0x100
+ el0_svc_common.constprop.0+0x48/0xf0
+ do_el0_svc+0x24/0x38
+ el0_svc+0x38/0x120
+ el0t_64_sync_handler+0x10c/0x138
+ el0t_64_sync+0x198/0x1a0
+ ---[ end trace 0000000000000000 ]---
+
+Cc: stable@kernel.org
+Fixes: facab4d9711e ("ext4: return hole from ext4_map_blocks()")
+Reported-by: Qu Wenruo <wqu@suse.com>
+Closes: https://lore.kernel.org/linux-ext4/9b650a52-9672-4604-a765-bb6be55d1e4a@gmx.com/
+Tested-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
+Link: https://patch.msgid.link/20250811064532.1788289-1-yi.zhang@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/indirect.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/indirect.c
++++ b/fs/ext4/indirect.c
+@@ -539,7 +539,7 @@ int ext4_ind_map_blocks(handle_t *handle
+ int indirect_blks;
+ int blocks_to_boundary = 0;
+ int depth;
+- int count = 0;
++ u64 count = 0;
+ ext4_fsblk_t first_block = 0;
+
+ trace_ext4_ind_map_blocks_enter(inode, map->m_lblk, map->m_len, flags);
+@@ -588,7 +588,7 @@ int ext4_ind_map_blocks(handle_t *handle
+ count++;
+ /* Fill in size of a hole we found */
+ map->m_pblk = 0;
+- map->m_len = min_t(unsigned int, map->m_len, count);
++ map->m_len = umin(map->m_len, count);
+ goto cleanup;
+ }
+
--- /dev/null
+From 3ffbdd1f1165f1b2d6a94d1b1aabef57120deaf7 Mon Sep 17 00:00:00 2001
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Date: Tue, 5 Aug 2025 14:00:31 +0530
+Subject: ext4: fix reserved gdt blocks handling in fsmap
+
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+
+commit 3ffbdd1f1165f1b2d6a94d1b1aabef57120deaf7 upstream.
+
+In some cases like small FSes with no meta_bg and where the resize
+doesn't need extra gdt blocks as it can fit in the current one,
+s_reserved_gdt_blocks is set as 0, which causes fsmap to emit a 0
+length entry, which is incorrect.
+
+ $ mkfs.ext4 -b 65536 -O bigalloc /dev/sda 5G
+ $ mount /dev/sda /mnt/scratch
+ $ xfs_io -c "fsmap -d" /mnt/scartch
+
+ 0: 253:48 [0..127]: static fs metadata 128
+ 1: 253:48 [128..255]: special 102:1 128
+ 2: 253:48 [256..255]: special 102:2 0 <---- 0 len entry
+ 3: 253:48 [256..383]: special 102:3 128
+
+Fix this by adding a check for this case.
+
+Cc: stable@kernel.org
+Fixes: 0c9ec4beecac ("ext4: support GETFSMAP ioctls")
+Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Link: https://patch.msgid.link/08781b796453a5770112aa96ad14c864fbf31935.1754377641.git.ojaswin@linux.ibm.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/fsmap.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/ext4/fsmap.c
++++ b/fs/ext4/fsmap.c
+@@ -393,6 +393,14 @@ static unsigned int ext4_getfsmap_find_s
+ /* Reserved GDT blocks */
+ if (!ext4_has_feature_meta_bg(sb) || metagroup < first_meta_bg) {
+ len = le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks);
++
++ /*
++ * mkfs.ext4 can set s_reserved_gdt_blocks as 0 in some cases,
++ * check for that.
++ */
++ if (!len)
++ return 0;
++
+ error = ext4_getfsmap_fill(meta_list, fsb, len,
+ EXT4_FMR_OWN_RESV_GDT);
+ if (error)
--- /dev/null
+From 76dba1fe277f6befd6ef650e1946f626c547387a Mon Sep 17 00:00:00 2001
+From: Liao Yuanhong <liaoyuanhong@vivo.com>
+Date: Mon, 11 Aug 2025 20:58:16 +0800
+Subject: ext4: use kmalloc_array() for array space allocation
+
+From: Liao Yuanhong <liaoyuanhong@vivo.com>
+
+commit 76dba1fe277f6befd6ef650e1946f626c547387a upstream.
+
+Replace kmalloc(size * sizeof) with kmalloc_array() for safer memory
+allocation and overflow prevention.
+
+Cc: stable@kernel.org
+Signed-off-by: Liao Yuanhong <liaoyuanhong@vivo.com>
+Link: https://patch.msgid.link/20250811125816.570142-1-liaoyuanhong@vivo.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/orphan.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/orphan.c
++++ b/fs/ext4/orphan.c
+@@ -590,8 +590,9 @@ int ext4_init_orphan_info(struct super_b
+ }
+ oi->of_blocks = inode->i_size >> sb->s_blocksize_bits;
+ oi->of_csum_seed = EXT4_I(inode)->i_csum_seed;
+- oi->of_binfo = kmalloc(oi->of_blocks*sizeof(struct ext4_orphan_block),
+- GFP_KERNEL);
++ oi->of_binfo = kmalloc_array(oi->of_blocks,
++ sizeof(struct ext4_orphan_block),
++ GFP_KERNEL);
+ if (!oi->of_binfo) {
+ ret = -ENOMEM;
+ goto out_put;
--- /dev/null
+From 22375adaa0d9fbba9646c8e2b099c6e87c97bfae Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Thu, 19 Jun 2025 15:55:35 -0700
+Subject: lib/crypto: mips/chacha: Fix clang build and remove unneeded byteswap
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit 22375adaa0d9fbba9646c8e2b099c6e87c97bfae upstream.
+
+The MIPS32r2 ChaCha code has never been buildable with the clang
+assembler. First, clang doesn't support the 'rotl' pseudo-instruction:
+
+ error: unknown instruction, did you mean: rol, rotr?
+
+Second, clang requires that both operands of the 'wsbh' instruction be
+explicitly given:
+
+ error: too few operands for instruction
+
+To fix this, align the code with the real instruction set by (1) using
+the real instruction 'rotr' instead of the nonstandard pseudo-
+instruction 'rotl', and (2) explicitly giving both operands to 'wsbh'.
+
+To make removing the use of 'rotl' a bit easier, also remove the
+unnecessary special-casing for big endian CPUs at
+.Lchacha_mips_xor_bytes. The tail handling is actually
+endian-independent since it processes one byte at a time. On big endian
+CPUs the old code byte-swapped SAVED_X, then iterated through it in
+reverse order. But the byteswap and reverse iteration canceled out.
+
+Tested with chacha20poly1305-selftest in QEMU using "-M malta" with both
+little endian and big endian mips32r2 kernels.
+
+Fixes: 49aa7c00eddf ("crypto: mips/chacha - import 32r2 ChaCha code from Zinc")
+Cc: stable@vger.kernel.org
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202505080409.EujEBwA0-lkp@intel.com/
+Link: https://lore.kernel.org/r/20250619225535.679301-1-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/crypto/chacha-core.S | 20 +++++++-------------
+ 1 file changed, 7 insertions(+), 13 deletions(-)
+
+--- a/arch/mips/crypto/chacha-core.S
++++ b/arch/mips/crypto/chacha-core.S
+@@ -55,17 +55,13 @@
+ #if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+ #define MSB 0
+ #define LSB 3
+-#define ROTx rotl
+-#define ROTR(n) rotr n, 24
+ #define CPU_TO_LE32(n) \
+- wsbh n; \
++ wsbh n, n; \
+ rotr n, 16;
+ #else
+ #define MSB 3
+ #define LSB 0
+-#define ROTx rotr
+ #define CPU_TO_LE32(n)
+-#define ROTR(n)
+ #endif
+
+ #define FOR_EACH_WORD(x) \
+@@ -192,10 +188,10 @@ CONCAT3(.Lchacha_mips_xor_aligned_, PLUS
+ xor X(W), X(B); \
+ xor X(Y), X(C); \
+ xor X(Z), X(D); \
+- rotl X(V), S; \
+- rotl X(W), S; \
+- rotl X(Y), S; \
+- rotl X(Z), S;
++ rotr X(V), 32 - S; \
++ rotr X(W), 32 - S; \
++ rotr X(Y), 32 - S; \
++ rotr X(Z), 32 - S;
+
+ .text
+ .set reorder
+@@ -372,21 +368,19 @@ chacha_crypt_arch:
+ /* First byte */
+ lbu T1, 0(IN)
+ addiu $at, BYTES, 1
+- CPU_TO_LE32(SAVED_X)
+- ROTR(SAVED_X)
+ xor T1, SAVED_X
+ sb T1, 0(OUT)
+ beqz $at, .Lchacha_mips_xor_done
+ /* Second byte */
+ lbu T1, 1(IN)
+ addiu $at, BYTES, 2
+- ROTx SAVED_X, 8
++ rotr SAVED_X, 8
+ xor T1, SAVED_X
+ sb T1, 1(OUT)
+ beqz $at, .Lchacha_mips_xor_done
+ /* Third byte */
+ lbu T1, 2(IN)
+- ROTx SAVED_X, 8
++ rotr SAVED_X, 8
+ xor T1, SAVED_X
+ sb T1, 2(OUT)
+ b .Lchacha_mips_xor_done
--- /dev/null
+From e4fc307d8e24f122402907ebf585248cad52841d Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 2 Aug 2025 21:34:37 +0200
+Subject: Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()"
+
+From: Helge Deller <deller@gmx.de>
+
+commit e4fc307d8e24f122402907ebf585248cad52841d upstream.
+
+This reverts commit 864f9963ec6b4b76d104d595ba28110b87158003.
+
+The patch is wrong as it checks vc_origin against vc_screenbuf,
+while in text mode it should compare against vga_vram_base.
+
+As such it broke VGA text scrolling, which can be reproduced like this:
+(1) boot a kernel that is configured to use text mode VGA-console
+(2) type commands: ls -l /usr/bin | less -S
+(3) scroll up/down with cursor-down/up keys
+
+Reported-by: Jari Ruusu <jariruusu@protonmail.com>
+Cc: stable@vger.kernel.org
+Cc: Yi Yang <yiyang13@huawei.com>
+Cc: GONG Ruiqi <gongruiqi1@huawei.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/console/vgacon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/console/vgacon.c
++++ b/drivers/video/console/vgacon.c
+@@ -1170,7 +1170,7 @@ static bool vgacon_scroll(struct vc_data
+ c->vc_screenbuf_size - delta);
+ c->vc_origin = vga_vram_end - c->vc_screenbuf_size;
+ vga_rolled_over = 0;
+- } else if (oldo - delta >= (unsigned long)c->vc_screenbuf)
++ } else
+ c->vc_origin -= delta;
+ c->vc_scr_end = c->vc_origin + c->vc_screenbuf_size;
+ scr_memsetw((u16 *) (c->vc_origin), c->vc_video_erase_char,
--- /dev/null
+From e6327c4acf925bb6d6d387d76fc3bd94471e10d8 Mon Sep 17 00:00:00 2001
+From: Ranjan Kumar <ranjan.kumar@broadcom.com>
+Date: Sat, 28 Jun 2025 01:15:36 +0530
+Subject: scsi: mpi3mr: Fix race between config read submit and interrupt completion
+
+From: Ranjan Kumar <ranjan.kumar@broadcom.com>
+
+commit e6327c4acf925bb6d6d387d76fc3bd94471e10d8 upstream.
+
+The "is_waiting" flag was updated after calling complete(), which could
+lead to a race where the waiting thread wakes up before the flag is
+cleared. This may cause a missed wakeup or stale state check.
+
+Reorder the operations to update "is_waiting" before signaling completion
+to ensure consistent state.
+
+Fixes: 824a156633df ("scsi: mpi3mr: Base driver code")
+Cc: stable@vger.kernel.org
+Co-developed-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+Signed-off-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
+Link: https://lore.kernel.org/r/20250627194539.48851-2-ranjan.kumar@broadcom.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpi3mr/mpi3mr_fw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
++++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
+@@ -372,8 +372,8 @@ static void mpi3mr_process_admin_reply_d
+ mrioc->facts.reply_sz);
+ }
+ if (cmdptr->is_waiting) {
+- complete(&cmdptr->done);
+ cmdptr->is_waiting = 0;
++ complete(&cmdptr->done);
+ } else if (cmdptr->callback)
+ cmdptr->callback(mrioc, cmdptr);
+ }
bus-mhi-host-fix-endianness-of-bhi-vector-table.patch
vt-keyboard-don-t-process-unicode-characters-in-k_off-mode.patch
vt-defkeymap-map-keycodes-above-127-to-k_hole.patch
+lib-crypto-mips-chacha-fix-clang-build-and-remove-unneeded-byteswap.patch
+revert-vgacon-add-check-for-vc_origin-address-range-in-vgacon_scroll.patch
+ext4-check-fast-symlink-for-ea_inode-correctly.patch
+ext4-fix-fsmap-end-of-range-reporting-with-bigalloc.patch
+ext4-fix-reserved-gdt-blocks-handling-in-fsmap.patch
+ext4-don-t-try-to-clear-the-orphan_present-feature-block-device-is-r-o.patch
+ext4-use-kmalloc_array-for-array-space-allocation.patch
+ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch
+scsi-mpi3mr-fix-race-between-config-read-submit-and-interrupt-completion.patch
+ata-libata-scsi-fix-ata_to_sense_error-status-handling.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
