--- /dev/null
+From 06d712d297649f48ebf1381d19bd24e942813b37 Mon Sep 17 00:00:00 2001
+From: Yu Kuai <yukuai3@huawei.com>
+Date: Wed, 10 Sep 2025 14:30:45 +0800
+Subject: blk-crypto: fix missing blktrace bio split events
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+commit 06d712d297649f48ebf1381d19bd24e942813b37 upstream.
+
+trace_block_split() is missing, resulting in blktrace inability to catch
+BIO split events and making it harder to analyze the BIO sequence.
+
+Cc: stable@vger.kernel.org
+Fixes: 488f6682c832 ("block: blk-crypto-fallback for Inline Encryption")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-crypto-fallback.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/block/blk-crypto-fallback.c
++++ b/block/blk-crypto-fallback.c
+@@ -18,6 +18,7 @@
+ #include <linux/module.h>
+ #include <linux/random.h>
+ #include <linux/scatterlist.h>
++#include <trace/events/block.h>
+
+ #include "blk-cgroup.h"
+ #include "blk-crypto-internal.h"
+@@ -229,7 +230,9 @@ static bool blk_crypto_fallback_split_bi
+ bio->bi_status = BLK_STS_RESOURCE;
+ return false;
+ }
++
+ bio_chain(split_bio, bio);
++ trace_block_split(split_bio, bio->bi_iter.bi_sector);
+ submit_bio_noacct(bio);
+ *bio_ptr = split_bio;
+ }
--- /dev/null
+From dff4f9ff5d7f289e4545cc936362e01ed3252742 Mon Sep 17 00:00:00 2001
+From: Anderson Nascimento <anderson@allelesecurity.com>
+Date: Mon, 8 Sep 2025 09:49:02 -0300
+Subject: btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
+
+From: Anderson Nascimento <anderson@allelesecurity.com>
+
+commit dff4f9ff5d7f289e4545cc936362e01ed3252742 upstream.
+
+The function btrfs_encode_fh() does not properly account for the three
+cases it handles.
+
+Before writing to the file handle (fh), the function only returns to the
+user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or
+BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).
+
+However, when a parent exists and the root ID of the parent and the
+inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT
+(10 dwords, 40 bytes).
+
+If *max_len is not large enough, this write goes out of bounds because
+BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than
+BTRFS_FID_SIZE_CONNECTABLE originally returned.
+
+This results in an 8-byte out-of-bounds write at
+fid->parent_root_objectid = parent_root_id.
+
+A previous attempt to fix this issue was made but was lost.
+
+https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/
+
+Although this issue does not seem to be easily triggerable, it is a
+potential memory corruption bug that should be fixed. This patch
+resolves the issue by ensuring the function returns the appropriate size
+for all three cases and validates that *max_len is large enough before
+writing any data.
+
+Fixes: be6e8dc0ba84 ("NFS support for btrfs - v3")
+CC: stable@vger.kernel.org # 3.0+
+Signed-off-by: Anderson Nascimento <anderson@allelesecurity.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/export.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/export.c
++++ b/fs/btrfs/export.c
+@@ -22,7 +22,11 @@ static int btrfs_encode_fh(struct inode
+ int type;
+
+ if (parent && (len < BTRFS_FID_SIZE_CONNECTABLE)) {
+- *max_len = BTRFS_FID_SIZE_CONNECTABLE;
++ if (btrfs_root_id(BTRFS_I(inode)->root) !=
++ btrfs_root_id(BTRFS_I(parent)->root))
++ *max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
++ else
++ *max_len = BTRFS_FID_SIZE_CONNECTABLE;
+ return FILEID_INVALID;
+ } else if (len < BTRFS_FID_SIZE_NON_CONNECTABLE) {
+ *max_len = BTRFS_FID_SIZE_NON_CONNECTABLE;
+@@ -44,6 +48,8 @@ static int btrfs_encode_fh(struct inode
+ parent_root_id = BTRFS_I(parent)->root->root_key.objectid;
+
+ if (parent_root_id != fid->root_objectid) {
++ if (*max_len < BTRFS_FID_SIZE_CONNECTABLE_ROOT)
++ return FILEID_INVALID;
+ fid->parent_root_objectid = parent_root_id;
+ len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
+ type = FILEID_BTRFS_WITH_PARENT_ROOT;
--- /dev/null
+From d0856a6dff57f95cc5d2d74e50880f01697d0cc4 Mon Sep 17 00:00:00 2001
+From: Adam Xue <zxue@semtech.com>
+Date: Fri, 5 Sep 2025 10:41:18 -0700
+Subject: bus: mhi: host: Do not use uninitialized 'dev' pointer in mhi_init_irq_setup()
+
+From: Adam Xue <zxue@semtech.com>
+
+commit d0856a6dff57f95cc5d2d74e50880f01697d0cc4 upstream.
+
+In mhi_init_irq_setup, the device pointer used for dev_err() was not
+initialized. Use the pointer from mhi_cntrl instead.
+
+Fixes: b0fc0167f254 ("bus: mhi: core: Allow shared IRQ for event rings")
+Fixes: 3000f85b8f47 ("bus: mhi: core: Add support for basic PM operations")
+Signed-off-by: Adam Xue <zxue@semtech.com>
+[mani: reworded subject/description and CCed stable]
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+Reviewed-by: Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250905174118.38512-1-zxue@semtech.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/mhi/host/init.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/mhi/host/init.c
++++ b/drivers/bus/mhi/host/init.c
+@@ -164,7 +164,6 @@ void mhi_deinit_free_irq(struct mhi_cont
+ int mhi_init_irq_setup(struct mhi_controller *mhi_cntrl)
+ {
+ struct mhi_event *mhi_event = mhi_cntrl->mhi_event;
+- struct device *dev = &mhi_cntrl->mhi_dev->dev;
+ unsigned long irq_flags = IRQF_SHARED | IRQF_NO_SUSPEND;
+ int i, ret;
+
+@@ -191,7 +190,7 @@ int mhi_init_irq_setup(struct mhi_contro
+ continue;
+
+ if (mhi_event->irq >= mhi_cntrl->nr_irqs) {
+- dev_err(dev, "irq %d not available for event ring\n",
++ dev_err(mhi_cntrl->cntrl_dev, "irq %d not available for event ring\n",
+ mhi_event->irq);
+ ret = -EINVAL;
+ goto error_request;
+@@ -202,7 +201,7 @@ int mhi_init_irq_setup(struct mhi_contro
+ irq_flags,
+ "mhi", mhi_event);
+ if (ret) {
+- dev_err(dev, "Error requesting irq:%d for ev:%d\n",
++ dev_err(mhi_cntrl->cntrl_dev, "Error requesting irq:%d for ev:%d\n",
+ mhi_cntrl->irq[mhi_event->irq], i);
+ goto error_request;
+ }
media-pci-ivtv-add-missing-check-after-dma-map.patch
media-lirc-fix-error-handling-in-lirc_register.patch
drm-nouveau-fix-bad-ret-code-in-nouveau_bo_move_prep.patch
+blk-crypto-fix-missing-blktrace-bio-split-events.patch
+btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
+bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch