--- /dev/null
+From af0db3c1f898144846d4c172531a199bb3ca375d Mon Sep 17 00:00:00 2001
+From: Sravan Kumar Gundu <sravankumarlpu@gmail.com>
+Date: Thu, 31 Jul 2025 15:36:18 -0500
+Subject: fbdev: Fix vmalloc out-of-bounds write in fast_imageblit
+
+From: Sravan Kumar Gundu <sravankumarlpu@gmail.com>
+
+commit af0db3c1f898144846d4c172531a199bb3ca375d upstream.
+
+This issue triggers when a userspace program does an ioctl
+FBIOPUT_CON2FBMAP by passing console number and frame buffer number.
+Ideally this maps console to frame buffer and updates the screen if
+console is visible.
+
+As part of mapping it has to do resize of console according to frame
+buffer info. if this resize fails and returns from vc_do_resize() and
+continues further. At this point console and new frame buffer are mapped
+and sets display vars. Despite failure still it continue to proceed
+updating the screen at later stages where vc_data is related to previous
+frame buffer and frame buffer info and display vars are mapped to new
+frame buffer and eventully leading to out-of-bounds write in
+fast_imageblit(). This bheviour is excepted only when fg_console is
+equal to requested console which is a visible console and updates screen
+with invalid struct references in fbcon_putcs().
+
+Reported-and-tested-by: syzbot+c4b7aa0513823e2ea880@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c4b7aa0513823e2ea880
+Signed-off-by: Sravan Kumar Gundu <sravankumarlpu@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/fbcon.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/video/fbdev/core/fbcon.c
++++ b/drivers/video/fbdev/core/fbcon.c
+@@ -825,7 +825,8 @@ static void con2fb_init_display(struct v
+ fg_vc->vc_rows);
+ }
+
+- update_screen(vc_cons[fg_console].d);
++ if (fg_console != unit)
++ update_screen(vc_cons[fg_console].d);
+ }
+
+ /**
+@@ -1362,6 +1363,7 @@ static void fbcon_set_disp(struct fb_inf
+ struct vc_data *svc;
+ struct fbcon_ops *ops = info->fbcon_par;
+ int rows, cols;
++ unsigned long ret = 0;
+
+ p = &fb_display[unit];
+
+@@ -1412,11 +1414,10 @@ static void fbcon_set_disp(struct fb_inf
+ rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
+ cols /= vc->vc_font.width;
+ rows /= vc->vc_font.height;
+- vc_resize(vc, cols, rows);
++ ret = vc_resize(vc, cols, rows);
+
+- if (con_is_visible(vc)) {
++ if (con_is_visible(vc) && !ret)
+ update_screen(vc);
+- }
+ }
+
+ static __inline__ void ywrap_up(struct vc_data *vc, int count)
--- /dev/null
+From ecdd7df997fd992f0ec70b788e3b12258008a2bf Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Sun, 15 Jun 2025 11:36:51 -0700
+Subject: fbdev: nvidiafb: add depends on HAS_IOPORT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit ecdd7df997fd992f0ec70b788e3b12258008a2bf upstream.
+
+The nvidiafb driver uses inb()/outb() without depending on HAS_IOPORT,
+which leads to build errors since kernel v6.13-rc1:
+commit 6f043e757445 ("asm-generic/io.h: Remove I/O port accessors
+for HAS_IOPORT=n")
+
+Add the HAS_IOPORT dependency to prevent the build errors.
+
+(Found in ARCH=um allmodconfig builds)
+
+drivers/video/fbdev/nvidia/nv_accel.c: In function ‘NVDmaWait’:
+include/asm-generic/io.h:596:15: error: call to ‘_outb’ declared with attribute error: outb() requires CONFIG_HAS_IOPORT
+ 596 | #define _outb _outb
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Arnd Bergmann <arnd@kernel.org>
+Cc: Niklas Schnelle <schnelle@linux.ibm.com>
+Cc: Antonino Daplas <adaplas@gmail.com>
+Cc: Helge Deller <deller@gmx.de>
+Cc: linux-fbdev@vger.kernel.org
+Cc: dri-devel@lists.freedesktop.org
+Cc: stable@vger.kernel.org # v6.13+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/Kconfig
++++ b/drivers/video/fbdev/Kconfig
+@@ -660,7 +660,7 @@ config FB_ATMEL
+
+ config FB_NVIDIA
+ tristate "nVidia Framebuffer Support"
+- depends on FB && PCI
++ depends on FB && PCI && HAS_IOPORT
+ select FB_CFB_FILLRECT
+ select FB_CFB_COPYAREA
+ select FB_CFB_IMAGEBLIT
--- /dev/null
+From 33caa208dba6fa639e8a92fd0c8320b652e5550c Mon Sep 17 00:00:00 2001
+From: Haiyang Zhang <haiyangz@microsoft.com>
+Date: Wed, 6 Aug 2025 13:21:51 -0700
+Subject: hv_netvsc: Fix panic during namespace deletion with VF
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+commit 33caa208dba6fa639e8a92fd0c8320b652e5550c upstream.
+
+The existing code move the VF NIC to new namespace when NETDEV_REGISTER is
+received on netvsc NIC. During deletion of the namespace,
+default_device_exit_batch() >> default_device_exit_net() is called. When
+netvsc NIC is moved back and registered to the default namespace, it
+automatically brings VF NIC back to the default namespace. This will cause
+the default_device_exit_net() >> for_each_netdev_safe loop unable to detect
+the list end, and hit NULL ptr:
+
+[ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0
+[ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010
+[ 231.450246] #PF: supervisor read access in kernel mode
+[ 231.450579] #PF: error_code(0x0000) - not-present page
+[ 231.450916] PGD 17b8a8067 P4D 0
+[ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI
+[ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY
+[ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024
+[ 231.452692] Workqueue: netns cleanup_net
+[ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0
+[ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00
+[ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246
+[ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb
+[ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564
+[ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000
+[ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340
+[ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340
+[ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000
+[ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0
+[ 231.458434] Call Trace:
+[ 231.458600] <TASK>
+[ 231.458777] ops_undo_list+0x100/0x220
+[ 231.459015] cleanup_net+0x1b8/0x300
+[ 231.459285] process_one_work+0x184/0x340
+
+To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid
+changing the netdev list when default_device_exit_net() is using it.
+
+Cc: stable@vger.kernel.org
+Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event")
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Link: https://patch.msgid.link/1754511711-11188-1-git-send-email-haiyangz@linux.microsoft.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/hyperv_net.h | 3 +++
+ drivers/net/hyperv/netvsc_drv.c | 29 ++++++++++++++++++++++++++++-
+ 2 files changed, 31 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/hyperv/hyperv_net.h
++++ b/drivers/net/hyperv/hyperv_net.h
+@@ -1061,6 +1061,7 @@ struct net_device_context {
+ struct net_device __rcu *vf_netdev;
+ struct netvsc_vf_pcpu_stats __percpu *vf_stats;
+ struct delayed_work vf_takeover;
++ struct delayed_work vfns_work;
+
+ /* 1: allocated, serial number is valid. 0: not allocated */
+ u32 vf_alloc;
+@@ -1075,6 +1076,8 @@ struct net_device_context {
+ struct netvsc_device_info *saved_netvsc_dev_info;
+ };
+
++void netvsc_vfns_work(struct work_struct *w);
++
+ /* Azure hosts don't support non-TCP port numbers in hashing for fragmented
+ * packets. We can use ethtool to change UDP hash level when necessary.
+ */
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -2530,6 +2530,7 @@ static int netvsc_probe(struct hv_device
+ spin_lock_init(&net_device_ctx->lock);
+ INIT_LIST_HEAD(&net_device_ctx->reconfig_events);
+ INIT_DELAYED_WORK(&net_device_ctx->vf_takeover, netvsc_vf_setup);
++ INIT_DELAYED_WORK(&net_device_ctx->vfns_work, netvsc_vfns_work);
+
+ net_device_ctx->vf_stats
+ = netdev_alloc_pcpu_stats(struct netvsc_vf_pcpu_stats);
+@@ -2674,6 +2675,8 @@ static void netvsc_remove(struct hv_devi
+ cancel_delayed_work_sync(&ndev_ctx->dwork);
+
+ rtnl_lock();
++ cancel_delayed_work_sync(&ndev_ctx->vfns_work);
++
+ nvdev = rtnl_dereference(ndev_ctx->nvdev);
+ if (nvdev) {
+ cancel_work_sync(&nvdev->subchan_work);
+@@ -2715,6 +2718,7 @@ static int netvsc_suspend(struct hv_devi
+ cancel_delayed_work_sync(&ndev_ctx->dwork);
+
+ rtnl_lock();
++ cancel_delayed_work_sync(&ndev_ctx->vfns_work);
+
+ nvdev = rtnl_dereference(ndev_ctx->nvdev);
+ if (nvdev == NULL) {
+@@ -2808,6 +2812,27 @@ static void netvsc_event_set_vf_ns(struc
+ }
+ }
+
++void netvsc_vfns_work(struct work_struct *w)
++{
++ struct net_device_context *ndev_ctx =
++ container_of(w, struct net_device_context, vfns_work.work);
++ struct net_device *ndev;
++
++ if (!rtnl_trylock()) {
++ schedule_delayed_work(&ndev_ctx->vfns_work, 1);
++ return;
++ }
++
++ ndev = hv_get_drvdata(ndev_ctx->device_ctx);
++ if (!ndev)
++ goto out;
++
++ netvsc_event_set_vf_ns(ndev);
++
++out:
++ rtnl_unlock();
++}
++
+ /*
+ * On Hyper-V, every VF interface is matched with a corresponding
+ * synthetic interface. The synthetic interface is presented first
+@@ -2818,10 +2843,12 @@ static int netvsc_netdev_event(struct no
+ unsigned long event, void *ptr)
+ {
+ struct net_device *event_dev = netdev_notifier_info_to_dev(ptr);
++ struct net_device_context *ndev_ctx;
+ int ret = 0;
+
+ if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) {
+- netvsc_event_set_vf_ns(event_dev);
++ ndev_ctx = netdev_priv(event_dev);
++ schedule_delayed_work(&ndev_ctx->vfns_work, 0);
+ return NOTIFY_DONE;
+ }
+
--- /dev/null
+From bda2859bff0b9596a19648f3740c697ce4c71496 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Mon, 7 Jul 2025 18:34:01 +0000
+Subject: media: uvcvideo: Do not mark valid metadata as invalid
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit bda2859bff0b9596a19648f3740c697ce4c71496 upstream.
+
+Currently, the driver performs a length check of the metadata buffer
+before the actual metadata size is known and before the metadata is
+decided to be copied. This results in valid metadata buffers being
+incorrectly marked as invalid.
+
+Move the length check to occur after the metadata size is determined and
+is decided to be copied.
+
+Cc: stable@vger.kernel.org
+Fixes: 088ead255245 ("media: uvcvideo: Add a metadata device node")
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Hans de Goede <hansg@kernel.org>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Link: https://lore.kernel.org/r/20250707-uvc-meta-v8-1-ed17f8b1218b@chromium.org
+Signed-off-by: Hans de Goede <hansg@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_video.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -1442,12 +1442,6 @@ static void uvc_video_decode_meta(struct
+ if (!meta_buf || length == 2)
+ return;
+
+- if (meta_buf->length - meta_buf->bytesused <
+- length + sizeof(meta->ns) + sizeof(meta->sof)) {
+- meta_buf->error = 1;
+- return;
+- }
+-
+ has_pts = mem[1] & UVC_STREAM_PTS;
+ has_scr = mem[1] & UVC_STREAM_SCR;
+
+@@ -1468,6 +1462,12 @@ static void uvc_video_decode_meta(struct
+ !memcmp(scr, stream->clock.last_scr, 6)))
+ return;
+
++ if (meta_buf->length - meta_buf->bytesused <
++ length + sizeof(meta->ns) + sizeof(meta->sof)) {
++ meta_buf->error = 1;
++ return;
++ }
++
+ meta = (struct uvc_meta_buf *)((u8 *)meta_buf->mem + meta_buf->bytesused);
+ local_irq_save(flags);
+ time = uvc_video_get_time();
--- /dev/null
+From 782b6a718651eda3478b1824b37a8b3185d2740c Mon Sep 17 00:00:00 2001
+From: Youngjun Lee <yjjuny.lee@samsung.com>
+Date: Tue, 10 Jun 2025 21:41:07 +0900
+Subject: media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
+
+From: Youngjun Lee <yjjuny.lee@samsung.com>
+
+commit 782b6a718651eda3478b1824b37a8b3185d2740c upstream.
+
+The buffer length check before calling uvc_parse_format() only ensured
+that the buffer has at least 3 bytes (buflen > 2), buf the function
+accesses buffer[3], requiring at least 4 bytes.
+
+This can lead to an out-of-bounds read if the buffer has exactly 3 bytes.
+
+Fix it by checking that the buffer has at least 4 bytes in
+uvc_parse_format().
+
+Signed-off-by: Youngjun Lee <yjjuny.lee@samsung.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Link: https://lore.kernel.org/r/20250610124107.37360-1-yjjuny.lee@samsung.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -344,6 +344,9 @@ static int uvc_parse_format(struct uvc_d
+ u8 ftype;
+ int ret;
+
++ if (buflen < 4)
++ return -EINVAL;
++
+ format->type = buffer[2];
+ format->index = buffer[3];
+ format->frames = frames;
--- /dev/null
+From f7546da1d6eb8928efb89b7faacbd6c2f8f0de5c Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Fri, 11 Jul 2025 11:41:58 +0200
+Subject: media: v4l2: Add support for NV12M tiled variants to v4l2_format_info()
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit f7546da1d6eb8928efb89b7faacbd6c2f8f0de5c upstream.
+
+Commit 6f1466123d73 ("media: s5p-mfc: Add YV12 and I420 multiplanar
+format support") added support for the new formats to s5p-mfc driver,
+what in turn required some internal calls to the v4l2_format_info()
+function while setting up formats. This in turn broke support for the
+"old" tiled NV12MT* formats, which are not recognized by this function.
+Fix this by adding those variants of NV12M pixel format to
+v4l2_format_info() function database.
+
+Fixes: 6f1466123d73 ("media: s5p-mfc: Add YV12 and I420 multiplanar format support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-common.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/media/v4l2-core/v4l2-common.c
++++ b/drivers/media/v4l2-core/v4l2-common.c
+@@ -312,6 +312,12 @@ const struct v4l2_format_info *v4l2_form
+ { .format = V4L2_PIX_FMT_NV61M, .pixel_enc = V4L2_PIXEL_ENC_YUV, .mem_planes = 2, .comp_planes = 2, .bpp = { 1, 2, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 2, .vdiv = 1 },
+ { .format = V4L2_PIX_FMT_P012M, .pixel_enc = V4L2_PIXEL_ENC_YUV, .mem_planes = 2, .comp_planes = 2, .bpp = { 2, 4, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 2, .vdiv = 2 },
+
++ /* Tiled YUV formats, non contiguous variant */
++ { .format = V4L2_PIX_FMT_NV12MT, .pixel_enc = V4L2_PIXEL_ENC_YUV, .mem_planes = 2, .comp_planes = 2, .bpp = { 1, 2, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 2, .vdiv = 2,
++ .block_w = { 64, 32, 0, 0 }, .block_h = { 32, 16, 0, 0 }},
++ { .format = V4L2_PIX_FMT_NV12MT_16X16, .pixel_enc = V4L2_PIXEL_ENC_YUV, .mem_planes = 2, .comp_planes = 2, .bpp = { 1, 2, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 2, .vdiv = 2,
++ .block_w = { 16, 8, 0, 0 }, .block_h = { 16, 8, 0, 0 }},
++
+ /* Bayer RGB formats */
+ { .format = V4L2_PIX_FMT_SBGGR8, .pixel_enc = V4L2_PIXEL_ENC_BAYER, .mem_planes = 1, .comp_planes = 1, .bpp = { 1, 0, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 1, .vdiv = 1 },
+ { .format = V4L2_PIX_FMT_SGBRG8, .pixel_enc = V4L2_PIXEL_ENC_BAYER, .mem_planes = 1, .comp_planes = 1, .bpp = { 1, 0, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 1, .vdiv = 1 },
--- /dev/null
+From 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 Mon Sep 17 00:00:00 2001
+From: Vedang Nagar <quic_vnagar@quicinc.com>
+Date: Mon, 19 May 2025 12:42:22 +0530
+Subject: media: venus: Fix OOB read due to missing payload bound check
+
+From: Vedang Nagar <quic_vnagar@quicinc.com>
+
+commit 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 upstream.
+
+Currently, The event_seq_changed() handler processes a variable number
+of properties sent by the firmware. The number of properties is indicated
+by the firmware and used to iterate over the payload. However, the
+payload size is not being validated against the actual message length.
+
+This can lead to out-of-bounds memory access if the firmware provides a
+property count that exceeds the data available in the payload. Such a
+condition can result in kernel crashes or potential information leaks if
+memory beyond the buffer is accessed.
+
+Fix this by properly validating the remaining size of the payload before
+each property access and updating bounds accordingly as properties are
+parsed.
+
+This ensures that property parsing is safely bounded within the received
+message buffer and protects against malformed or malicious firmware
+behavior.
+
+Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vedang Nagar <quic_vnagar@quicinc.com>
+Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Co-developed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_msgs.c | 83 ++++++++++++++++++---------
+ 1 file changed, 58 insertions(+), 25 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/hfi_msgs.c
++++ b/drivers/media/platform/qcom/venus/hfi_msgs.c
+@@ -33,8 +33,9 @@ static void event_seq_changed(struct ven
+ struct hfi_buffer_requirements *bufreq;
+ struct hfi_extradata_input_crop *crop;
+ struct hfi_dpb_counts *dpb_count;
++ u32 ptype, rem_bytes;
++ u32 size_read = 0;
+ u8 *data_ptr;
+- u32 ptype;
+
+ inst->error = HFI_ERR_NONE;
+
+@@ -44,86 +45,118 @@ static void event_seq_changed(struct ven
+ break;
+ default:
+ inst->error = HFI_ERR_SESSION_INVALID_PARAMETER;
+- goto done;
++ inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event);
++ return;
+ }
+
+ event.event_type = pkt->event_data1;
+
+ num_properties_changed = pkt->event_data2;
+- if (!num_properties_changed) {
+- inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES;
+- goto done;
+- }
++ if (!num_properties_changed)
++ goto error;
+
+ data_ptr = (u8 *)&pkt->ext_event_data[0];
++ rem_bytes = pkt->shdr.hdr.size - sizeof(*pkt);
++
+ do {
++ if (rem_bytes < sizeof(u32))
++ goto error;
+ ptype = *((u32 *)data_ptr);
++
++ data_ptr += sizeof(u32);
++ rem_bytes -= sizeof(u32);
++
+ switch (ptype) {
+ case HFI_PROPERTY_PARAM_FRAME_SIZE:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(struct hfi_framesize))
++ goto error;
++
+ frame_sz = (struct hfi_framesize *)data_ptr;
+ event.width = frame_sz->width;
+ event.height = frame_sz->height;
+- data_ptr += sizeof(*frame_sz);
++ size_read = sizeof(struct hfi_framesize);
+ break;
+ case HFI_PROPERTY_PARAM_PROFILE_LEVEL_CURRENT:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(struct hfi_profile_level))
++ goto error;
++
+ profile_level = (struct hfi_profile_level *)data_ptr;
+ event.profile = profile_level->profile;
+ event.level = profile_level->level;
+- data_ptr += sizeof(*profile_level);
++ size_read = sizeof(struct hfi_profile_level);
+ break;
+ case HFI_PROPERTY_PARAM_VDEC_PIXEL_BITDEPTH:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(struct hfi_bit_depth))
++ goto error;
++
+ pixel_depth = (struct hfi_bit_depth *)data_ptr;
+ event.bit_depth = pixel_depth->bit_depth;
+- data_ptr += sizeof(*pixel_depth);
++ size_read = sizeof(struct hfi_bit_depth);
+ break;
+ case HFI_PROPERTY_PARAM_VDEC_PIC_STRUCT:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(struct hfi_pic_struct))
++ goto error;
++
+ pic_struct = (struct hfi_pic_struct *)data_ptr;
+ event.pic_struct = pic_struct->progressive_only;
+- data_ptr += sizeof(*pic_struct);
++ size_read = sizeof(struct hfi_pic_struct);
+ break;
+ case HFI_PROPERTY_PARAM_VDEC_COLOUR_SPACE:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(struct hfi_colour_space))
++ goto error;
++
+ colour_info = (struct hfi_colour_space *)data_ptr;
+ event.colour_space = colour_info->colour_space;
+- data_ptr += sizeof(*colour_info);
++ size_read = sizeof(struct hfi_colour_space);
+ break;
+ case HFI_PROPERTY_CONFIG_VDEC_ENTROPY:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(u32))
++ goto error;
++
+ event.entropy_mode = *(u32 *)data_ptr;
+- data_ptr += sizeof(u32);
++ size_read = sizeof(u32);
+ break;
+ case HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(struct hfi_buffer_requirements))
++ goto error;
++
+ bufreq = (struct hfi_buffer_requirements *)data_ptr;
+ event.buf_count = hfi_bufreq_get_count_min(bufreq, ver);
+- data_ptr += sizeof(*bufreq);
++ size_read = sizeof(struct hfi_buffer_requirements);
+ break;
+ case HFI_INDEX_EXTRADATA_INPUT_CROP:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(struct hfi_extradata_input_crop))
++ goto error;
++
+ crop = (struct hfi_extradata_input_crop *)data_ptr;
+ event.input_crop.left = crop->left;
+ event.input_crop.top = crop->top;
+ event.input_crop.width = crop->width;
+ event.input_crop.height = crop->height;
+- data_ptr += sizeof(*crop);
++ size_read = sizeof(struct hfi_extradata_input_crop);
+ break;
+ case HFI_PROPERTY_PARAM_VDEC_DPB_COUNTS:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(struct hfi_dpb_counts))
++ goto error;
++
+ dpb_count = (struct hfi_dpb_counts *)data_ptr;
+ event.buf_count = dpb_count->fw_min_cnt;
+- data_ptr += sizeof(*dpb_count);
++ size_read = sizeof(struct hfi_dpb_counts);
+ break;
+ default:
++ size_read = 0;
+ break;
+ }
++ data_ptr += size_read;
++ rem_bytes -= size_read;
+ num_properties_changed--;
+ } while (num_properties_changed > 0);
+
+-done:
++ inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event);
++ return;
++
++error:
++ inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES;
+ inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event);
+ }
+
--- /dev/null
+From 09fefdca80aebd1023e827cb0ee174983d829d18 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Fri, 13 Jun 2025 11:27:00 +0200
+Subject: mm/huge_memory: don't ignore queried cachemode in vmf_insert_pfn_pud()
+
+From: David Hildenbrand <david@redhat.com>
+
+commit 09fefdca80aebd1023e827cb0ee174983d829d18 upstream.
+
+Patch series "mm/huge_memory: vmf_insert_folio_*() and
+vmf_insert_pfn_pud() fixes", v3.
+
+While working on improving vm_normal_page() and friends, I stumbled over
+this issues: refcounted "normal" folios must not be marked using
+pmd_special() / pud_special(). Otherwise, we're effectively telling the
+system that these folios are no "normal", violating the rules we
+documented for vm_normal_page().
+
+Fortunately, there are not many pmd_special()/pud_special() users yet. So
+far there doesn't seem to be serious damage.
+
+Tested using the ndctl tests ("ndctl:dax" suite).
+
+
+This patch (of 3):
+
+We set up the cache mode but ... don't forward the updated pgprot to
+insert_pfn_pud().
+
+Only a problem on x86-64 PAT when mapping PFNs using PUDs that require a
+special cachemode.
+
+Fix it by using the proper pgprot where the cachemode was setup.
+
+It is unclear in which configurations we would get the cachemode wrong:
+through vfio seems possible. Getting cachemodes wrong is usually ...
+bad. As the fix is easy, let's backport it to stable.
+
+Identified by code inspection.
+
+Link: https://lkml.kernel.org/r/20250613092702.1943533-1-david@redhat.com
+Link: https://lkml.kernel.org/r/20250613092702.1943533-2-david@redhat.com
+Fixes: 7b806d229ef1 ("mm: remove vmf_insert_pfn_xxx_prot() for huge page-table entries")
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Tested-by: Dan Williams <dan.j.williams@intel.com>
+Cc: Alistair Popple <apopple@nvidia.com>
+Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
+Cc: Dev Jain <dev.jain@arm.com>
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Cc: Mariano Pache <npache@redhat.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Zi Yan <ziy@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/huge_memory.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -1516,10 +1516,9 @@ static pud_t maybe_pud_mkwrite(pud_t pud
+ }
+
+ static void insert_pfn_pud(struct vm_area_struct *vma, unsigned long addr,
+- pud_t *pud, pfn_t pfn, bool write)
++ pud_t *pud, pfn_t pfn, pgprot_t prot, bool write)
+ {
+ struct mm_struct *mm = vma->vm_mm;
+- pgprot_t prot = vma->vm_page_prot;
+ pud_t entry;
+
+ if (!pud_none(*pud)) {
+@@ -1581,7 +1580,7 @@ vm_fault_t vmf_insert_pfn_pud(struct vm_
+ track_pfn_insert(vma, &pgprot, pfn);
+
+ ptl = pud_lock(vma->vm_mm, vmf->pud);
+- insert_pfn_pud(vma, addr, vmf->pud, pfn, write);
++ insert_pfn_pud(vma, addr, vmf->pud, pfn, pgprot, write);
+ spin_unlock(ptl);
+
+ return VM_FAULT_NOPAGE;
+@@ -1625,7 +1624,7 @@ vm_fault_t vmf_insert_folio_pud(struct v
+ add_mm_counter(mm, mm_counter_file(folio), HPAGE_PUD_NR);
+ }
+ insert_pfn_pud(vma, addr, vmf->pud, pfn_to_pfn_t(folio_pfn(folio)),
+- write);
++ vma->vm_page_prot, write);
+ spin_unlock(ptl);
+
+ return VM_FAULT_NOPAGE;
--- /dev/null
+From 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 Mon Sep 17 00:00:00 2001
+From: Breno Leitao <leitao@debian.org>
+Date: Thu, 31 Jul 2025 02:57:18 -0700
+Subject: mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock
+
+From: Breno Leitao <leitao@debian.org>
+
+commit 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 upstream.
+
+When netpoll is enabled, calling pr_warn_once() while holding
+kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock
+inversion with the netconsole subsystem. This occurs because
+pr_warn_once() may trigger netpoll, which eventually leads to
+__alloc_skb() and back into kmemleak code, attempting to reacquire
+kmemleak_lock.
+
+This is the path for the deadlock.
+
+mem_pool_alloc()
+ -> raw_spin_lock_irqsave(&kmemleak_lock, flags);
+ -> pr_warn_once()
+ -> netconsole subsystem
+ -> netpoll
+ -> __alloc_skb
+ -> __create_object
+ -> raw_spin_lock_irqsave(&kmemleak_lock, flags);
+
+Fix this by setting a flag and issuing the pr_warn_once() after
+kmemleak_lock is released.
+
+Link: https://lkml.kernel.org/r/20250731-kmemleak_lock-v1-1-728fd470198f@debian.org
+Fixes: c5665868183f ("mm: kmemleak: use the memory pool for early allocations")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kmemleak.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -475,6 +475,7 @@ static struct kmemleak_object *mem_pool_
+ {
+ unsigned long flags;
+ struct kmemleak_object *object;
++ bool warn = false;
+
+ /* try the slab allocator first */
+ if (object_cache) {
+@@ -493,8 +494,10 @@ static struct kmemleak_object *mem_pool_
+ else if (mem_pool_free_count)
+ object = &mem_pool[--mem_pool_free_count];
+ else
+- pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n");
++ warn = true;
+ raw_spin_unlock_irqrestore(&kmemleak_lock, flags);
++ if (warn)
++ pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n");
+
+ return object;
+ }
--- /dev/null
+From d1534ae23c2b6be350c8ab060803fbf6e9682adc Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Mon, 28 Jul 2025 15:02:48 -0400
+Subject: mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()
+
+From: Waiman Long <longman@redhat.com>
+
+commit d1534ae23c2b6be350c8ab060803fbf6e9682adc upstream.
+
+A soft lockup warning was observed on a relative small system x86-64
+system with 16 GB of memory when running a debug kernel with kmemleak
+enabled.
+
+ watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134]
+
+The test system was running a workload with hot unplug happening in
+parallel. Then kemleak decided to disable itself due to its inability to
+allocate more kmemleak objects. The debug kernel has its
+CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000.
+
+The soft lockup happened in kmemleak_do_cleanup() when the existing
+kmemleak objects were being removed and deleted one-by-one in a loop via a
+workqueue. In this particular case, there are at least 40,000 objects
+that need to be processed and given the slowness of a debug kernel and the
+fact that a raw_spinlock has to be acquired and released in
+__delete_object(), it could take a while to properly handle all these
+objects.
+
+As kmemleak has been disabled in this case, the object removal and
+deletion process can be further optimized as locking isn't really needed.
+However, it is probably not worth the effort to optimize for such an edge
+case that should rarely happen. So the simple solution is to call
+cond_resched() at periodic interval in the iteration loop to avoid soft
+lockup.
+
+Link: https://lkml.kernel.org/r/20250728190248.605750-1-longman@redhat.com
+Signed-off-by: Waiman Long <longman@redhat.com>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kmemleak.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -2172,6 +2172,7 @@ static const struct file_operations kmem
+ static void __kmemleak_do_cleanup(void)
+ {
+ struct kmemleak_object *object, *tmp;
++ unsigned int cnt = 0;
+
+ /*
+ * Kmemleak has already been disabled, no need for RCU list traversal
+@@ -2180,6 +2181,10 @@ static void __kmemleak_do_cleanup(void)
+ list_for_each_entry_safe(object, tmp, &object_list, object_list) {
+ __remove_object(object);
+ __delete_object(object);
++
++ /* Call cond_resched() once per 64 iterations to avoid soft lockup */
++ if (!(++cnt & 0x3f))
++ cond_resched();
+ }
+ }
+
--- /dev/null
+From 59305202c67fea50378dcad0cc199dbc13a0e99a Mon Sep 17 00:00:00 2001
+From: Anshuman Khandual <anshuman.khandual@arm.com>
+Date: Fri, 20 Jun 2025 10:54:27 +0530
+Subject: mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()
+
+From: Anshuman Khandual <anshuman.khandual@arm.com>
+
+commit 59305202c67fea50378dcad0cc199dbc13a0e99a upstream.
+
+Memory hot remove unmaps and tears down various kernel page table regions
+as required. The ptdump code can race with concurrent modifications of
+the kernel page tables. When leaf entries are modified concurrently, the
+dump code may log stale or inconsistent information for a VA range, but
+this is otherwise not harmful.
+
+But when intermediate levels of kernel page table are freed, the dump code
+will continue to use memory that has been freed and potentially
+reallocated for another purpose. In such cases, the ptdump code may
+dereference bogus addresses, leading to a number of potential problems.
+
+To avoid the above mentioned race condition, platforms such as arm64,
+riscv and s390 take memory hotplug lock, while dumping kernel page table
+via the sysfs interface /sys/kernel/debug/kernel_page_tables.
+
+Similar race condition exists while checking for pages that might have
+been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages
+which in turn calls ptdump_check_wx(). Instead of solving this race
+condition again, let's just move the memory hotplug lock inside generic
+ptdump_check_wx() which will benefit both the scenarios.
+
+Drop get_online_mems() and put_online_mems() combination from all existing
+platform ptdump code paths.
+
+Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com
+Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove")
+Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Dev Jain <dev.jain@arm.com>
+Acked-by: Alexander Gordeev <agordeev@linux.ibm.com> [s390]
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Cc: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
+Cc: Sven Schnelle <svens@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/ptdump_debugfs.c | 3 ---
+ arch/riscv/mm/ptdump.c | 3 ---
+ arch/s390/mm/dump_pagetables.c | 2 --
+ mm/ptdump.c | 2 ++
+ 4 files changed, 2 insertions(+), 8 deletions(-)
+
+--- a/arch/arm64/mm/ptdump_debugfs.c
++++ b/arch/arm64/mm/ptdump_debugfs.c
+@@ -1,6 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include <linux/debugfs.h>
+-#include <linux/memory_hotplug.h>
+ #include <linux/seq_file.h>
+
+ #include <asm/ptdump.h>
+@@ -9,9 +8,7 @@ static int ptdump_show(struct seq_file *
+ {
+ struct ptdump_info *info = m->private;
+
+- get_online_mems();
+ ptdump_walk(m, info);
+- put_online_mems();
+ return 0;
+ }
+ DEFINE_SHOW_ATTRIBUTE(ptdump);
+--- a/arch/riscv/mm/ptdump.c
++++ b/arch/riscv/mm/ptdump.c
+@@ -6,7 +6,6 @@
+ #include <linux/efi.h>
+ #include <linux/init.h>
+ #include <linux/debugfs.h>
+-#include <linux/memory_hotplug.h>
+ #include <linux/seq_file.h>
+ #include <linux/ptdump.h>
+
+@@ -371,9 +370,7 @@ bool ptdump_check_wx(void)
+
+ static int ptdump_show(struct seq_file *m, void *v)
+ {
+- get_online_mems();
+ ptdump_walk(m, m->private);
+- put_online_mems();
+
+ return 0;
+ }
+--- a/arch/s390/mm/dump_pagetables.c
++++ b/arch/s390/mm/dump_pagetables.c
+@@ -205,11 +205,9 @@ static int ptdump_show(struct seq_file *
+ .marker = markers,
+ };
+
+- get_online_mems();
+ mutex_lock(&cpa_mutex);
+ ptdump_walk_pgd(&st.ptdump, &init_mm, NULL);
+ mutex_unlock(&cpa_mutex);
+- put_online_mems();
+ return 0;
+ }
+ DEFINE_SHOW_ATTRIBUTE(ptdump);
+--- a/mm/ptdump.c
++++ b/mm/ptdump.c
+@@ -153,6 +153,7 @@ void ptdump_walk_pgd(struct ptdump_state
+ {
+ const struct ptdump_range *range = st->range;
+
++ get_online_mems();
+ mmap_write_lock(mm);
+ while (range->start != range->end) {
+ walk_page_range_novma(mm, range->start, range->end,
+@@ -160,6 +161,7 @@ void ptdump_walk_pgd(struct ptdump_state
+ range++;
+ }
+ mmap_write_unlock(mm);
++ put_online_mems();
+
+ /* Flush out the last page */
+ st->note_page(st, 0, -1, 0);
--- /dev/null
+From 5c241ed8d031693dadf33dd98ed2e7cc363e9b66 Mon Sep 17 00:00:00 2001
+From: Kairui Song <kasong@tencent.com>
+Date: Mon, 28 Jul 2025 15:52:59 +0800
+Subject: mm/shmem, swap: improve cached mTHP handling and fix potential hang
+
+From: Kairui Song <kasong@tencent.com>
+
+commit 5c241ed8d031693dadf33dd98ed2e7cc363e9b66 upstream.
+
+The current swap-in code assumes that, when a swap entry in shmem mapping
+is order 0, its cached folios (if present) must be order 0 too, which
+turns out not always correct.
+
+The problem is shmem_split_large_entry is called before verifying the
+folio will eventually be swapped in, one possible race is:
+
+ CPU1 CPU2
+shmem_swapin_folio
+/* swap in of order > 0 swap entry S1 */
+ folio = swap_cache_get_folio
+ /* folio = NULL */
+ order = xa_get_order
+ /* order > 0 */
+ folio = shmem_swap_alloc_folio
+ /* mTHP alloc failure, folio = NULL */
+ <... Interrupted ...>
+ shmem_swapin_folio
+ /* S1 is swapped in */
+ shmem_writeout
+ /* S1 is swapped out, folio cached */
+ shmem_split_large_entry(..., S1)
+ /* S1 is split, but the folio covering it has order > 0 now */
+
+Now any following swapin of S1 will hang: `xa_get_order` returns 0, and
+folio lookup will return a folio with order > 0. The
+`xa_get_order(&mapping->i_pages, index) != folio_order(folio)` will always
+return false causing swap-in to return -EEXIST.
+
+And this looks fragile. So fix this up by allowing seeing a larger folio
+in swap cache, and check the whole shmem mapping range covered by the
+swapin have the right swap value upon inserting the folio. And drop the
+redundant tree walks before the insertion.
+
+This will actually improve performance, as it avoids two redundant Xarray
+tree walks in the hot path, and the only side effect is that in the
+failure path, shmem may redundantly reallocate a few folios causing
+temporary slight memory pressure.
+
+And worth noting, it may seems the order and value check before inserting
+might help reducing the lock contention, which is not true. The swap
+cache layer ensures raced swapin will either see a swap cache folio or
+failed to do a swapin (we have SWAP_HAS_CACHE bit even if swap cache is
+bypassed), so holding the folio lock and checking the folio flag is
+already good enough for avoiding the lock contention. The chance that a
+folio passes the swap entry value check but the shmem mapping slot has
+changed should be very low.
+
+Link: https://lkml.kernel.org/r/20250728075306.12704-1-ryncsn@gmail.com
+Link: https://lkml.kernel.org/r/20250728075306.12704-2-ryncsn@gmail.com
+Fixes: 809bc86517cc ("mm: shmem: support large folio swap out")
+Signed-off-by: Kairui Song <kasong@tencent.com>
+Reviewed-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
+Tested-by: Baolin Wang <baolin.wang@linux.alibaba.com>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Barry Song <baohua@kernel.org>
+Cc: Chris Li <chrisl@kernel.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Nhat Pham <nphamcs@gmail.com>
+Cc: Dev Jain <dev.jain@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/shmem.c | 39 ++++++++++++++++++++++++++++++---------
+ 1 file changed, 30 insertions(+), 9 deletions(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -884,7 +884,9 @@ static int shmem_add_to_page_cache(struc
+ pgoff_t index, void *expected, gfp_t gfp)
+ {
+ XA_STATE_ORDER(xas, &mapping->i_pages, index, folio_order(folio));
+- long nr = folio_nr_pages(folio);
++ unsigned long nr = folio_nr_pages(folio);
++ swp_entry_t iter, swap;
++ void *entry;
+
+ VM_BUG_ON_FOLIO(index != round_down(index, nr), folio);
+ VM_BUG_ON_FOLIO(!folio_test_locked(folio), folio);
+@@ -896,14 +898,25 @@ static int shmem_add_to_page_cache(struc
+
+ gfp &= GFP_RECLAIM_MASK;
+ folio_throttle_swaprate(folio, gfp);
++ swap = radix_to_swp_entry(expected);
+
+ do {
++ iter = swap;
+ xas_lock_irq(&xas);
+- if (expected != xas_find_conflict(&xas)) {
+- xas_set_err(&xas, -EEXIST);
+- goto unlock;
++ xas_for_each_conflict(&xas, entry) {
++ /*
++ * The range must either be empty, or filled with
++ * expected swap entries. Shmem swap entries are never
++ * partially freed without split of both entry and
++ * folio, so there shouldn't be any holes.
++ */
++ if (!expected || entry != swp_to_radix_entry(iter)) {
++ xas_set_err(&xas, -EEXIST);
++ goto unlock;
++ }
++ iter.val += 1 << xas_get_order(&xas);
+ }
+- if (expected && xas_find_conflict(&xas)) {
++ if (expected && iter.val - nr != swap.val) {
+ xas_set_err(&xas, -EEXIST);
+ goto unlock;
+ }
+@@ -2330,7 +2343,7 @@ static int shmem_swapin_folio(struct ino
+ error = -ENOMEM;
+ goto failed;
+ }
+- } else if (order != folio_order(folio)) {
++ } else if (order > folio_order(folio)) {
+ /*
+ * Swap readahead may swap in order 0 folios into swapcache
+ * asynchronously, while the shmem mapping can still stores
+@@ -2353,15 +2366,23 @@ static int shmem_swapin_folio(struct ino
+
+ swap = swp_entry(swp_type(swap), swp_offset(swap) + offset);
+ }
++ } else if (order < folio_order(folio)) {
++ swap.val = round_down(swap.val, 1 << folio_order(folio));
++ index = round_down(index, 1 << folio_order(folio));
+ }
+
+ alloced:
+- /* We have to do this with folio locked to prevent races */
++ /*
++ * We have to do this with the folio locked to prevent races.
++ * The shmem_confirm_swap below only checks if the first swap
++ * entry matches the folio, that's enough to ensure the folio
++ * is not used outside of shmem, as shmem swap entries
++ * and swap cache folios are never partially freed.
++ */
+ folio_lock(folio);
+ if ((!skip_swapcache && !folio_test_swapcache(folio)) ||
+- folio->swap.val != swap.val ||
+ !shmem_confirm_swap(mapping, index, swap) ||
+- xa_get_order(&mapping->i_pages, index) != folio_order(folio)) {
++ folio->swap.val != swap.val) {
+ error = -EEXIST;
+ goto unlock;
+ }
--- /dev/null
+From e2d18cbf178775ad377ad88ee55e6e183c38d262 Mon Sep 17 00:00:00 2001
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Mon, 2 Jun 2025 13:02:12 +0200
+Subject: mm, slab: restore NUMA policy support for large kmalloc
+
+From: Vlastimil Babka <vbabka@suse.cz>
+
+commit e2d18cbf178775ad377ad88ee55e6e183c38d262 upstream.
+
+The slab allocator observes the task's NUMA policy in various places
+such as allocating slab pages. Large kmalloc() allocations used to do
+that too, until an unintended change by c4cab557521a ("mm/slab_common:
+cleanup kmalloc_large()") resulted in ignoring mempolicy and just
+preferring the local node. Restore the NUMA policy support.
+
+Fixes: c4cab557521a ("mm/slab_common: cleanup kmalloc_large()")
+Cc: <stable@vger.kernel.org>
+Acked-by: Christoph Lameter (Ampere) <cl@gentwo.org>
+Acked-by: Roman Gushchin <roman.gushchin@linux.dev>
+Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/slub.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -4268,7 +4268,12 @@ static void *___kmalloc_large_node(size_
+ flags = kmalloc_fix_flags(flags);
+
+ flags |= __GFP_COMP;
+- folio = (struct folio *)alloc_pages_node_noprof(node, flags, order);
++
++ if (node == NUMA_NO_NODE)
++ folio = (struct folio *)alloc_pages_noprof(flags, order);
++ else
++ folio = (struct folio *)__alloc_pages_noprof(flags, order, node, NULL);
++
+ if (folio) {
+ ptr = folio_address(folio);
+ lruvec_stat_mod_folio(folio, NR_SLAB_UNRECLAIMABLE_B,
--- /dev/null
+From 87c6efc5ce9c126ae4a781bc04504b83780e3650 Mon Sep 17 00:00:00 2001
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Tue, 12 Aug 2025 18:40:29 +0200
+Subject: net/sched: ets: use old 'nbands' while purging unused classes
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+commit 87c6efc5ce9c126ae4a781bc04504b83780e3650 upstream.
+
+Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify()
+after recent changes from Lion [2]. The problem is: in ets_qdisc_change()
+we purge unused DWRR queues; the value of 'q->nbands' is the new one, and
+the cleanup should be done with the old one. The problem is here since my
+first attempts to fix ets_qdisc_change(), but it surfaced again after the
+recent qdisc len accounting fixes. Fix it purging idle DWRR queues before
+assigning a new value of 'q->nbands', so that all purge operations find a
+consistent configuration:
+
+ - old 'q->nbands' because it's needed by ets_class_find()
+ - old 'q->nstrict' because it's needed by ets_class_is_strict()
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: Oops: 0000 [#1] SMP NOPTI
+ CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary)
+ Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021
+ RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80
+ Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab
+ RSP: 0018:ffffba186009f400 EFLAGS: 00010202
+ RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004
+ RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004
+ R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000
+ R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000
+ FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ <TASK>
+ ets_class_qlen_notify+0x65/0x90 [sch_ets]
+ qdisc_tree_reduce_backlog+0x74/0x110
+ ets_qdisc_change+0x630/0xa40 [sch_ets]
+ __tc_modify_qdisc.constprop.0+0x216/0x7f0
+ tc_modify_qdisc+0x7c/0x120
+ rtnetlink_rcv_msg+0x145/0x3f0
+ netlink_rcv_skb+0x53/0x100
+ netlink_unicast+0x245/0x390
+ netlink_sendmsg+0x21b/0x470
+ ____sys_sendmsg+0x39d/0x3d0
+ ___sys_sendmsg+0x9a/0xe0
+ __sys_sendmsg+0x7a/0xd0
+ do_syscall_64+0x7d/0x160
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ RIP: 0033:0x7f2155114084
+ Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
+ RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084
+ RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003
+ RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f
+ R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0
+ R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0
+ </TASK>
+
+ [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/
+ [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
+
+Cc: stable@vger.kernel.org
+Fixes: 103406b38c60 ("net/sched: Always pass notifications when child class becomes empty")
+Fixes: c062f2a0b04d ("net/sched: sch_ets: don't remove idle classes from the round-robin list")
+Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc")
+Reported-by: Li Shuang <shuali@redhat.com>
+Closes: https://issues.redhat.com/browse/RHEL-108026
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Co-developed-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Link: https://patch.msgid.link/7928ff6d17db47a2ae7cc205c44777b1f1950545.1755016081.git.dcaratti@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_ets.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/sched/sch_ets.c
++++ b/net/sched/sch_ets.c
+@@ -651,6 +651,12 @@ static int ets_qdisc_change(struct Qdisc
+
+ sch_tree_lock(sch);
+
++ for (i = nbands; i < oldbands; i++) {
++ if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
++ list_del_init(&q->classes[i].alist);
++ qdisc_purge_queue(q->classes[i].qdisc);
++ }
++
+ WRITE_ONCE(q->nbands, nbands);
+ for (i = nstrict; i < q->nstrict; i++) {
+ if (q->classes[i].qdisc->q.qlen) {
+@@ -658,11 +664,6 @@ static int ets_qdisc_change(struct Qdisc
+ q->classes[i].deficit = quanta[i];
+ }
+ }
+- for (i = q->nbands; i < oldbands; i++) {
+- if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
+- list_del_init(&q->classes[i].alist);
+- qdisc_purge_queue(q->classes[i].qdisc);
+- }
+ WRITE_ONCE(q->nstrict, nstrict);
+ memcpy(q->prio2band, priomap, sizeof(priomap));
+
--- /dev/null
+From 2ae826799932ff89409f56636ad3c25578fe7cf5 Mon Sep 17 00:00:00 2001
+From: Lizhi Xu <lizhi.xu@windriver.com>
+Date: Mon, 16 Jun 2025 09:31:40 +0800
+Subject: ocfs2: reset folio to NULL when get folio fails
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+commit 2ae826799932ff89409f56636ad3c25578fe7cf5 upstream.
+
+The reproducer uses FAULT_INJECTION to make memory allocation fail, which
+causes __filemap_get_folio() to fail, when initializing w_folios[i] in
+ocfs2_grab_folios_for_write(), it only returns an error code and the value
+of w_folios[i] is the error code, which causes
+ocfs2_unlock_and_free_folios() to recycle the invalid w_folios[i] when
+releasing folios.
+
+Link: https://lkml.kernel.org/r/20250616013140.3602219-1-lizhi.xu@windriver.com
+Reported-by: syzbot+c2ea94ae47cd7e3881ec@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c2ea94ae47cd7e3881ec
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/aops.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -1071,6 +1071,7 @@ static int ocfs2_grab_folios_for_write(s
+ if (IS_ERR(wc->w_folios[i])) {
+ ret = PTR_ERR(wc->w_folios[i]);
+ mlog_errno(ret);
++ wc->w_folios[i] = NULL;
+ goto out;
+ }
+ }
--- /dev/null
+From 963f1b20a8d2a098954606b9725cd54336a2a86c Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Wed, 25 Jun 2025 00:39:33 -0700
+Subject: parisc: Makefile: fix a typo in palo.conf
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 963f1b20a8d2a098954606b9725cd54336a2a86c upstream.
+
+Correct "objree" to "objtree". "objree" is not defined.
+
+Fixes: 75dd47472b92 ("kbuild: remove src and obj from the top Makefile")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>
+Cc: Helge Deller <deller@gmx.de>
+Cc: linux-parisc@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v5.3+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/Makefile
++++ b/arch/parisc/Makefile
+@@ -139,7 +139,7 @@ palo lifimage: vmlinuz
+ fi
+ @if test ! -f "$(PALOCONF)"; then \
+ cp $(srctree)/arch/parisc/defpalo.conf $(objtree)/palo.conf; \
+- echo 'A generic palo config file ($(objree)/palo.conf) has been created for you.'; \
++ echo 'A generic palo config file ($(objtree)/palo.conf) has been created for you.'; \
+ echo 'You should check it and re-run "make palo".'; \
+ echo 'WARNING: the "lifimage" file is now placed in this directory by default!'; \
+ false; \
--- /dev/null
+From c18646248fed07683d4cee8a8af933fc4fe83c0d Mon Sep 17 00:00:00 2001
+From: Pedro Falcato <pfalcato@suse.de>
+Date: Tue, 29 Jul 2025 13:03:48 +0100
+Subject: RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages
+
+From: Pedro Falcato <pfalcato@suse.de>
+
+commit c18646248fed07683d4cee8a8af933fc4fe83c0d upstream.
+
+Ever since commit c2ff29e99a76 ("siw: Inline do_tcp_sendpages()"),
+we have been doing this:
+
+static int siw_tcp_sendpages(struct socket *s, struct page **page, int offset,
+ size_t size)
+[...]
+ /* Calculate the number of bytes we need to push, for this page
+ * specifically */
+ size_t bytes = min_t(size_t, PAGE_SIZE - offset, size);
+ /* If we can't splice it, then copy it in, as normal */
+ if (!sendpage_ok(page[i]))
+ msg.msg_flags &= ~MSG_SPLICE_PAGES;
+ /* Set the bvec pointing to the page, with len $bytes */
+ bvec_set_page(&bvec, page[i], bytes, offset);
+ /* Set the iter to $size, aka the size of the whole sendpages (!!!) */
+ iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size);
+try_page_again:
+ lock_sock(sk);
+ /* Sendmsg with $size size (!!!) */
+ rv = tcp_sendmsg_locked(sk, &msg, size);
+
+This means we've been sending oversized iov_iters and tcp_sendmsg calls
+for a while. This has a been a benign bug because sendpage_ok() always
+returned true. With the recent slab allocator changes being slowly
+introduced into next (that disallow sendpage on large kmalloc
+allocations), we have recently hit out-of-bounds crashes, due to slight
+differences in iov_iter behavior between the MSG_SPLICE_PAGES and
+"regular" copy paths:
+
+(MSG_SPLICE_PAGES)
+skb_splice_from_iter
+ iov_iter_extract_pages
+ iov_iter_extract_bvec_pages
+ uses i->nr_segs to correctly stop in its tracks before OoB'ing everywhere
+ skb_splice_from_iter gets a "short" read
+
+(!MSG_SPLICE_PAGES)
+skb_copy_to_page_nocache copy=iov_iter_count
+ [...]
+ copy_from_iter
+ /* this doesn't help */
+ if (unlikely(iter->count < len))
+ len = iter->count;
+ iterate_bvec
+ ... and we run off the bvecs
+
+Fix this by properly setting the iov_iter's byte count, plus sending the
+correct byte count to tcp_sendmsg_locked.
+
+Link: https://patch.msgid.link/r/20250729120348.495568-1-pfalcato@suse.de
+Cc: stable@vger.kernel.org
+Fixes: c2ff29e99a76 ("siw: Inline do_tcp_sendpages()")
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202507220801.50a7210-lkp@intel.com
+Reviewed-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Pedro Falcato <pfalcato@suse.de>
+Acked-by: Bernard Metzler <bernard.metzler@linux.dev>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/sw/siw/siw_qp_tx.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/sw/siw/siw_qp_tx.c
++++ b/drivers/infiniband/sw/siw/siw_qp_tx.c
+@@ -332,18 +332,17 @@ static int siw_tcp_sendpages(struct sock
+ if (!sendpage_ok(page[i]))
+ msg.msg_flags &= ~MSG_SPLICE_PAGES;
+ bvec_set_page(&bvec, page[i], bytes, offset);
+- iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size);
++ iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, bytes);
+
+ try_page_again:
+ lock_sock(sk);
+- rv = tcp_sendmsg_locked(sk, &msg, size);
++ rv = tcp_sendmsg_locked(sk, &msg, bytes);
+ release_sock(sk);
+
+ if (rv > 0) {
+ size -= rv;
+ sent += rv;
+ if (rv != bytes) {
+- offset += rv;
+ bytes -= rv;
+ goto try_page_again;
+ }
btrfs-fix-iteration-bug-in-__qgroup_excl_accounting.patch
btrfs-do-not-allow-relocation-of-partially-dropped-subvolumes.patch
xfs-fix-scrub-trace-with-null-pointer-in-quotacheck.patch
+userfaultfd-fix-a-crash-in-uffdio_move-when-pmd-is-a-migration-entry.patch
+fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch
+fbdev-nvidiafb-add-depends-on-has_ioport.patch
+ocfs2-reset-folio-to-null-when-get-folio-fails.patch
+net-sched-ets-use-old-nbands-while-purging-unused-classes.patch
+hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch
+parisc-makefile-fix-a-typo-in-palo.conf.patch
+mm-slab-restore-numa-policy-support-for-large-kmalloc.patch
+mm-huge_memory-don-t-ignore-queried-cachemode-in-vmf_insert_pfn_pud.patch
+mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch
+mm-shmem-swap-improve-cached-mthp-handling-and-fix-potential-hang.patch
+mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch
+mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch
+media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch
+media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch
+media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch
+media-v4l2-add-support-for-nv12m-tiled-variants-to-v4l2_format_info.patch
+tracing-fprobe-fix-infinite-recursion-using-preempt_-_notrace.patch
+tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch
+rdma-siw-fix-the-sendmsg-byte-count-in-siw_tcp_sendpages.patch
--- /dev/null
+From a477629baa2a0e9991f640af418e8c973a1c08e3 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Thu, 19 Jun 2025 11:30:51 +0200
+Subject: tools/nolibc: fix spelling of FD_SETBITMASK in FD_* macros
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Willy Tarreau <w@1wt.eu>
+
+commit a477629baa2a0e9991f640af418e8c973a1c08e3 upstream.
+
+While nolibc-test does test syscalls, it doesn't test as much the rest
+of the macros, and a wrong spelling of FD_SETBITMASK in commit
+feaf75658783a broke programs using either FD_SET() or FD_CLR() without
+being noticed. Let's fix these macros.
+
+Fixes: feaf75658783a ("nolibc: fix fd_set type")
+Cc: stable@vger.kernel.org # v6.2+
+Acked-by: Thomas Weißschuh <linux@weissschuh.net>
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/include/nolibc/types.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/include/nolibc/types.h
++++ b/tools/include/nolibc/types.h
+@@ -127,7 +127,7 @@ typedef struct {
+ int __fd = (fd); \
+ if (__fd >= 0) \
+ __set->fds[__fd / FD_SETIDXMASK] &= \
+- ~(1U << (__fd & FX_SETBITMASK)); \
++ ~(1U << (__fd & FD_SETBITMASK)); \
+ } while (0)
+
+ #define FD_SET(fd, set) do { \
+@@ -144,7 +144,7 @@ typedef struct {
+ int __r = 0; \
+ if (__fd >= 0) \
+ __r = !!(__set->fds[__fd / FD_SETIDXMASK] & \
+-1U << (__fd & FD_SET_BITMASK)); \
++1U << (__fd & FD_SETBITMASK)); \
+ __r; \
+ })
+
--- /dev/null
+From a3e892ab0fc287389176eabdcd74234508f6e52d Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Tue, 29 Jul 2025 08:47:03 +0900
+Subject: tracing: fprobe: Fix infinite recursion using preempt_*_notrace()
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit a3e892ab0fc287389176eabdcd74234508f6e52d upstream.
+
+Since preempt_count_add/del() are tracable functions, it is not allowed
+to use preempt_disable/enable() in ftrace handlers. Without this fix,
+probing on `preempt_count_add%return` will cause an infinite recursion
+of fprobes.
+
+To fix this problem, use preempt_disable/enable_notrace() in
+fprobe_return().
+
+Link: https://lore.kernel.org/all/175374642359.1471729.1054175011228386560.stgit@mhiramat.tok.corp.google.com/
+
+Fixes: 4346ba160409 ("fprobe: Rewrite fprobe on function-graph tracer")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/fprobe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/trace/fprobe.c b/kernel/trace/fprobe.c
+index ba7ff14f5339..f9b3aa9afb17 100644
+--- a/kernel/trace/fprobe.c
++++ b/kernel/trace/fprobe.c
+@@ -352,7 +352,7 @@ static void fprobe_return(struct ftrace_graph_ret *trace,
+ size_words = SIZE_IN_LONG(size);
+ ret_ip = ftrace_regs_get_instruction_pointer(fregs);
+
+- preempt_disable();
++ preempt_disable_notrace();
+
+ curr = 0;
+ while (size_words > curr) {
+@@ -368,7 +368,7 @@ static void fprobe_return(struct ftrace_graph_ret *trace,
+ }
+ curr += size;
+ }
+- preempt_enable();
++ preempt_enable_notrace();
+ }
+ NOKPROBE_SYMBOL(fprobe_return);
+
+--
+2.50.1
+
--- /dev/null
+From aba6faec0103ed8f169be8dce2ead41fcb689446 Mon Sep 17 00:00:00 2001
+From: Suren Baghdasaryan <surenb@google.com>
+Date: Wed, 6 Aug 2025 15:00:22 -0700
+Subject: userfaultfd: fix a crash in UFFDIO_MOVE when PMD is a migration entry
+
+From: Suren Baghdasaryan <surenb@google.com>
+
+commit aba6faec0103ed8f169be8dce2ead41fcb689446 upstream.
+
+When UFFDIO_MOVE encounters a migration PMD entry, it proceeds with
+obtaining a folio and accessing it even though the entry is swp_entry_t.
+Add the missing check and let split_huge_pmd() handle migration entries.
+While at it also remove unnecessary folio check.
+
+[surenb@google.com: remove extra folio check, per David]
+ Link: https://lkml.kernel.org/r/20250807200418.1963585-1-surenb@google.com
+Link: https://lkml.kernel.org/r/20250806220022.926763-1-surenb@google.com
+Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
+Signed-off-by: Suren Baghdasaryan <surenb@google.com>
+Reported-by: syzbot+b446dbe27035ef6bd6c2@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68794b5c.a70a0220.693ce.0050.GAE@google.com/
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Lokesh Gidra <lokeshgidra@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/userfaultfd.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/mm/userfaultfd.c
++++ b/mm/userfaultfd.c
+@@ -1829,13 +1829,16 @@ ssize_t move_pages(struct userfaultfd_ct
+ /* Check if we can move the pmd without splitting it. */
+ if (move_splits_huge_pmd(dst_addr, src_addr, src_start + len) ||
+ !pmd_none(dst_pmdval)) {
+- struct folio *folio = pmd_folio(*src_pmd);
++ /* Can be a migration entry */
++ if (pmd_present(*src_pmd)) {
++ struct folio *folio = pmd_folio(*src_pmd);
+
+- if (!folio || (!is_huge_zero_folio(folio) &&
+- !PageAnonExclusive(&folio->page))) {
+- spin_unlock(ptl);
+- err = -EBUSY;
+- break;
++ if (!is_huge_zero_folio(folio) &&
++ !PageAnonExclusive(&folio->page)) {
++ spin_unlock(ptl);
++ err = -EBUSY;
++ break;
++ }
+ }
+
+ spin_unlock(ptl);
projects / thirdparty / kernel / stable-queue.git / commitdiff
