--- /dev/null
+From 9a4cd471fb1c6f8fdc8f5dcdaa0e5d8247586ca1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Nov 2025 16:25:48 +0300
+Subject: mtd: onenand: Pass correct pointer to IRQ handler
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 97315e7c901a1de60e8ca9b11e0e96d0f9253e18 ]
+
+This was supposed to pass "onenand" instead of "&onenand" with the
+ampersand. Passing a random stack address which will be gone when the
+function ends makes no sense. However the good thing is that the pointer
+is never used, so this doesn't cause a problem at run time.
+
+Fixes: e23abf4b7743 ("mtd: OneNAND: S5PC110: Implement DMA interrupt method")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/onenand/onenand_samsung.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/onenand/onenand_samsung.c b/drivers/mtd/nand/onenand/onenand_samsung.c
+index 87b28e397d671..d51d3ff6f0a3c 100644
+--- a/drivers/mtd/nand/onenand/onenand_samsung.c
++++ b/drivers/mtd/nand/onenand/onenand_samsung.c
+@@ -908,7 +908,7 @@ static int s3c_onenand_probe(struct platform_device *pdev)
+ err = devm_request_irq(&pdev->dev, r->start,
+ s5pc110_onenand_irq,
+ IRQF_SHARED, "onenand",
+- &onenand);
++ onenand);
+ if (err) {
+ dev_err(&pdev->dev, "failed to get irq\n");
+ return err;
+--
+2.51.0
+
--- /dev/null
+From c6327c0a9590d2663d840cb6df3070cb6057c72d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 21:40:46 +0000
+Subject: netfilter: nf_tables: reject duplicate device on updates
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit cf5fb87fcdaaaafec55dcc0dc5a9e15ead343973 upstream.
+
+A chain/flowtable update with duplicated devices in the same batch is
+possible. Unfortunately, netdev event path only removes the first
+device that is found, leaving unregistered the hook of the duplicated
+device.
+
+Check if a duplicated device exists in the transaction batch, bail out
+with EEXIST in such case.
+
+WARNING is hit when unregistering the hook:
+
+ [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150
+ [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)
+ [...]
+ [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150
+
+Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable")
+Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 8e799848cbcc1..dcb35be8b2af2 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -7105,6 +7105,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
+ {
+ const struct nlattr * const *nla = ctx->nla;
+ struct nft_flowtable_hook flowtable_hook;
++ struct nftables_pernet *nft_net;
+ struct nft_hook *hook, *next;
+ struct nft_trans *trans;
+ bool unregister = false;
+@@ -7120,6 +7121,20 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
+ if (nft_hook_list_find(&flowtable->hook_list, hook)) {
+ list_del(&hook->list);
+ kfree(hook);
++ continue;
++ }
++
++ nft_net = net_generic(ctx->net, nf_tables_net_id);
++ list_for_each_entry(trans, &nft_net->commit_list, list) {
++ if (trans->msg_type != NFT_MSG_NEWFLOWTABLE ||
++ trans->ctx.table != ctx->table ||
++ !nft_trans_flowtable_update(trans))
++ continue;
++
++ if (nft_hook_list_find(&nft_trans_flowtable_hooks(trans), hook)) {
++ err = -EEXIST;
++ goto err_flowtable_update_hook;
++ }
+ }
+ }
+
+--
+2.51.0
+
fsdax-mark-the-iomap-argument-to-dax_iomap_sector-as.patch
mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch
lib-crypto-arm-curve25519-disable-on-cpu_big_endian.patch
+mtd-onenand-pass-correct-pointer-to-irq-handler.patch
+netfilter-nf_tables-reject-duplicate-device-on-updat.patch
--- /dev/null
+From 9ed44f1d9140990ec7bfde5ffdea4c0237a56c0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Nov 2025 16:25:48 +0300
+Subject: mtd: onenand: Pass correct pointer to IRQ handler
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 97315e7c901a1de60e8ca9b11e0e96d0f9253e18 ]
+
+This was supposed to pass "onenand" instead of "&onenand" with the
+ampersand. Passing a random stack address which will be gone when the
+function ends makes no sense. However the good thing is that the pointer
+is never used, so this doesn't cause a problem at run time.
+
+Fixes: e23abf4b7743 ("mtd: OneNAND: S5PC110: Implement DMA interrupt method")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/onenand/onenand_samsung.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/onenand/onenand_samsung.c b/drivers/mtd/nand/onenand/onenand_samsung.c
+index b64895573515e..48608632280c5 100644
+--- a/drivers/mtd/nand/onenand/onenand_samsung.c
++++ b/drivers/mtd/nand/onenand/onenand_samsung.c
+@@ -909,7 +909,7 @@ static int s3c_onenand_probe(struct platform_device *pdev)
+ err = devm_request_irq(&pdev->dev, r->start,
+ s5pc110_onenand_irq,
+ IRQF_SHARED, "onenand",
+- &onenand);
++ onenand);
+ if (err) {
+ dev_err(&pdev->dev, "failed to get irq\n");
+ return err;
+--
+2.51.0
+
--- /dev/null
+From ddf4cdd0f09a86eba506b4cec6dfaaf4e98ef3c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 21:40:23 +0000
+Subject: netfilter: nf_tables: reject duplicate device on updates
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit cf5fb87fcdaaaafec55dcc0dc5a9e15ead343973 upstream.
+
+A chain/flowtable update with duplicated devices in the same batch is
+possible. Unfortunately, netdev event path only removes the first
+device that is found, leaving unregistered the hook of the duplicated
+device.
+
+Check if a duplicated device exists in the transaction batch, bail out
+with EEXIST in such case.
+
+WARNING is hit when unregistering the hook:
+
+ [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150
+ [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)
+ [...]
+ [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150
+
+Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable")
+Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 33d03340d9fc8..91b012e476be6 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -7893,6 +7893,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
+ {
+ const struct nlattr * const *nla = ctx->nla;
+ struct nft_flowtable_hook flowtable_hook;
++ struct nftables_pernet *nft_net;
+ struct nft_hook *hook, *next;
+ struct nft_trans *trans;
+ bool unregister = false;
+@@ -7908,6 +7909,20 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
+ if (nft_hook_list_find(&flowtable->hook_list, hook)) {
+ list_del(&hook->list);
+ kfree(hook);
++ continue;
++ }
++
++ nft_net = nft_pernet(ctx->net);
++ list_for_each_entry(trans, &nft_net->commit_list, list) {
++ if (trans->msg_type != NFT_MSG_NEWFLOWTABLE ||
++ trans->ctx.table != ctx->table ||
++ !nft_trans_flowtable_update(trans))
++ continue;
++
++ if (nft_hook_list_find(&nft_trans_flowtable_hooks(trans), hook)) {
++ err = -EEXIST;
++ goto err_flowtable_update_hook;
++ }
+ }
+ }
+
+--
+2.51.0
+
mptcp-pm-in-kernel-c-flag-handle-late-add_addr.patch
mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch
lib-crypto-arm-curve25519-disable-on-cpu_big_endian.patch
+mtd-onenand-pass-correct-pointer-to-irq-handler.patch
+netfilter-nf_tables-reject-duplicate-device-on-updat.patch
--- /dev/null
+From 02e56679c15797e3402525af5687e35ea19cc5b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jun 2023 22:13:38 +0800
+Subject: asm-generic: Unify uapi bitsperlong.h for arm64, riscv and loongarch
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+[ Upstream commit 8386f58f8deda81110283798a387fb53ec21957c ]
+
+Now we specify the minimal version of GCC as 5.1 and Clang/LLVM as 11.0.0
+in Documentation/process/changes.rst, __CHAR_BIT__ and __SIZEOF_LONG__ are
+usable, it is probably fine to unify the definition of __BITS_PER_LONG as
+(__CHAR_BIT__ * __SIZEOF_LONG__) in asm-generic uapi bitsperlong.h.
+
+In order to keep safe and avoid regression, only unify uapi bitsperlong.h
+for some archs such as arm64, riscv and loongarch which are using newer
+toolchains that have the definitions of __CHAR_BIT__ and __SIZEOF_LONG__.
+
+Suggested-by: Xi Ruoyao <xry111@xry111.site>
+Link: https://lore.kernel.org/all/d3e255e4746de44c9903c4433616d44ffcf18d1b.camel@xry111.site/
+Suggested-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/linux-arch/a3a4f48a-07d4-4ed9-bc53-5d383428bdd2@app.fastmail.com/
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/uapi/asm/bitsperlong.h | 24 -------------------
+ arch/loongarch/include/uapi/asm/bitsperlong.h | 9 -------
+ arch/riscv/include/uapi/asm/bitsperlong.h | 14 -----------
+ include/uapi/asm-generic/bitsperlong.h | 13 +++++++++-
+ .../arch/arm64/include/uapi/asm/bitsperlong.h | 24 -------------------
+ .../arch/riscv/include/uapi/asm/bitsperlong.h | 14 -----------
+ tools/include/uapi/asm-generic/bitsperlong.h | 14 ++++++++++-
+ tools/include/uapi/asm/bitsperlong.h | 6 -----
+ 8 files changed, 25 insertions(+), 93 deletions(-)
+ delete mode 100644 arch/arm64/include/uapi/asm/bitsperlong.h
+ delete mode 100644 arch/loongarch/include/uapi/asm/bitsperlong.h
+ delete mode 100644 arch/riscv/include/uapi/asm/bitsperlong.h
+ delete mode 100644 tools/arch/arm64/include/uapi/asm/bitsperlong.h
+ delete mode 100644 tools/arch/riscv/include/uapi/asm/bitsperlong.h
+
+diff --git a/arch/arm64/include/uapi/asm/bitsperlong.h b/arch/arm64/include/uapi/asm/bitsperlong.h
+deleted file mode 100644
+index 485d60bee26ca..0000000000000
+--- a/arch/arm64/include/uapi/asm/bitsperlong.h
++++ /dev/null
+@@ -1,24 +0,0 @@
+-/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+-/*
+- * Copyright (C) 2012 ARM Ltd.
+- *
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License version 2 as
+- * published by the Free Software Foundation.
+- *
+- * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- * GNU General Public License for more details.
+- *
+- * You should have received a copy of the GNU General Public License
+- * along with this program. If not, see <http://www.gnu.org/licenses/>.
+- */
+-#ifndef __ASM_BITSPERLONG_H
+-#define __ASM_BITSPERLONG_H
+-
+-#define __BITS_PER_LONG 64
+-
+-#include <asm-generic/bitsperlong.h>
+-
+-#endif /* __ASM_BITSPERLONG_H */
+diff --git a/arch/loongarch/include/uapi/asm/bitsperlong.h b/arch/loongarch/include/uapi/asm/bitsperlong.h
+deleted file mode 100644
+index 00b4ba1e5cdf0..0000000000000
+--- a/arch/loongarch/include/uapi/asm/bitsperlong.h
++++ /dev/null
+@@ -1,9 +0,0 @@
+-/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+-#ifndef __ASM_LOONGARCH_BITSPERLONG_H
+-#define __ASM_LOONGARCH_BITSPERLONG_H
+-
+-#define __BITS_PER_LONG (__SIZEOF_LONG__ * 8)
+-
+-#include <asm-generic/bitsperlong.h>
+-
+-#endif /* __ASM_LOONGARCH_BITSPERLONG_H */
+diff --git a/arch/riscv/include/uapi/asm/bitsperlong.h b/arch/riscv/include/uapi/asm/bitsperlong.h
+deleted file mode 100644
+index 7d0b32e3b7017..0000000000000
+--- a/arch/riscv/include/uapi/asm/bitsperlong.h
++++ /dev/null
+@@ -1,14 +0,0 @@
+-/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */
+-/*
+- * Copyright (C) 2012 ARM Ltd.
+- * Copyright (C) 2015 Regents of the University of California
+- */
+-
+-#ifndef _UAPI_ASM_RISCV_BITSPERLONG_H
+-#define _UAPI_ASM_RISCV_BITSPERLONG_H
+-
+-#define __BITS_PER_LONG (__SIZEOF_POINTER__ * 8)
+-
+-#include <asm-generic/bitsperlong.h>
+-
+-#endif /* _UAPI_ASM_RISCV_BITSPERLONG_H */
+diff --git a/include/uapi/asm-generic/bitsperlong.h b/include/uapi/asm-generic/bitsperlong.h
+index 693d9a40eb7b0..352cb81947b87 100644
+--- a/include/uapi/asm-generic/bitsperlong.h
++++ b/include/uapi/asm-generic/bitsperlong.h
+@@ -2,6 +2,17 @@
+ #ifndef _UAPI__ASM_GENERIC_BITS_PER_LONG
+ #define _UAPI__ASM_GENERIC_BITS_PER_LONG
+
++#ifndef __BITS_PER_LONG
++/*
++ * In order to keep safe and avoid regression, only unify uapi
++ * bitsperlong.h for some archs which are using newer toolchains
++ * that have the definitions of __CHAR_BIT__ and __SIZEOF_LONG__.
++ * See the following link for more info:
++ * https://lore.kernel.org/linux-arch/b9624545-2c80-49a1-ac3c-39264a591f7b@app.fastmail.com/
++ */
++#if defined(__CHAR_BIT__) && defined(__SIZEOF_LONG__)
++#define __BITS_PER_LONG (__CHAR_BIT__ * __SIZEOF_LONG__)
++#else
+ /*
+ * There seems to be no way of detecting this automatically from user
+ * space, so 64 bit architectures should override this in their
+@@ -9,8 +20,8 @@
+ * both 32 and 64 bit user space must not rely on CONFIG_64BIT
+ * to decide it, but rather check a compiler provided macro.
+ */
+-#ifndef __BITS_PER_LONG
+ #define __BITS_PER_LONG 32
+ #endif
++#endif
+
+ #endif /* _UAPI__ASM_GENERIC_BITS_PER_LONG */
+diff --git a/tools/arch/arm64/include/uapi/asm/bitsperlong.h b/tools/arch/arm64/include/uapi/asm/bitsperlong.h
+deleted file mode 100644
+index 485d60bee26ca..0000000000000
+--- a/tools/arch/arm64/include/uapi/asm/bitsperlong.h
++++ /dev/null
+@@ -1,24 +0,0 @@
+-/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+-/*
+- * Copyright (C) 2012 ARM Ltd.
+- *
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License version 2 as
+- * published by the Free Software Foundation.
+- *
+- * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- * GNU General Public License for more details.
+- *
+- * You should have received a copy of the GNU General Public License
+- * along with this program. If not, see <http://www.gnu.org/licenses/>.
+- */
+-#ifndef __ASM_BITSPERLONG_H
+-#define __ASM_BITSPERLONG_H
+-
+-#define __BITS_PER_LONG 64
+-
+-#include <asm-generic/bitsperlong.h>
+-
+-#endif /* __ASM_BITSPERLONG_H */
+diff --git a/tools/arch/riscv/include/uapi/asm/bitsperlong.h b/tools/arch/riscv/include/uapi/asm/bitsperlong.h
+deleted file mode 100644
+index 0b9b58b57ff6e..0000000000000
+--- a/tools/arch/riscv/include/uapi/asm/bitsperlong.h
++++ /dev/null
+@@ -1,14 +0,0 @@
+-/* SPDX-License-Identifier: GPL-2.0-only */
+-/*
+- * Copyright (C) 2012 ARM Ltd.
+- * Copyright (C) 2015 Regents of the University of California
+- */
+-
+-#ifndef _UAPI_ASM_RISCV_BITSPERLONG_H
+-#define _UAPI_ASM_RISCV_BITSPERLONG_H
+-
+-#define __BITS_PER_LONG (__SIZEOF_POINTER__ * 8)
+-
+-#include <asm-generic/bitsperlong.h>
+-
+-#endif /* _UAPI_ASM_RISCV_BITSPERLONG_H */
+diff --git a/tools/include/uapi/asm-generic/bitsperlong.h b/tools/include/uapi/asm-generic/bitsperlong.h
+index 23e6c416b85fc..352cb81947b87 100644
+--- a/tools/include/uapi/asm-generic/bitsperlong.h
++++ b/tools/include/uapi/asm-generic/bitsperlong.h
+@@ -1,6 +1,18 @@
++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+ #ifndef _UAPI__ASM_GENERIC_BITS_PER_LONG
+ #define _UAPI__ASM_GENERIC_BITS_PER_LONG
+
++#ifndef __BITS_PER_LONG
++/*
++ * In order to keep safe and avoid regression, only unify uapi
++ * bitsperlong.h for some archs which are using newer toolchains
++ * that have the definitions of __CHAR_BIT__ and __SIZEOF_LONG__.
++ * See the following link for more info:
++ * https://lore.kernel.org/linux-arch/b9624545-2c80-49a1-ac3c-39264a591f7b@app.fastmail.com/
++ */
++#if defined(__CHAR_BIT__) && defined(__SIZEOF_LONG__)
++#define __BITS_PER_LONG (__CHAR_BIT__ * __SIZEOF_LONG__)
++#else
+ /*
+ * There seems to be no way of detecting this automatically from user
+ * space, so 64 bit architectures should override this in their
+@@ -8,8 +20,8 @@
+ * both 32 and 64 bit user space must not rely on CONFIG_64BIT
+ * to decide it, but rather check a compiler provided macro.
+ */
+-#ifndef __BITS_PER_LONG
+ #define __BITS_PER_LONG 32
+ #endif
++#endif
+
+ #endif /* _UAPI__ASM_GENERIC_BITS_PER_LONG */
+diff --git a/tools/include/uapi/asm/bitsperlong.h b/tools/include/uapi/asm/bitsperlong.h
+index da52065171581..c65267afc3415 100644
+--- a/tools/include/uapi/asm/bitsperlong.h
++++ b/tools/include/uapi/asm/bitsperlong.h
+@@ -1,8 +1,6 @@
+ /* SPDX-License-Identifier: GPL-2.0 */
+ #if defined(__i386__) || defined(__x86_64__)
+ #include "../../../arch/x86/include/uapi/asm/bitsperlong.h"
+-#elif defined(__aarch64__)
+-#include "../../../arch/arm64/include/uapi/asm/bitsperlong.h"
+ #elif defined(__powerpc__)
+ #include "../../../arch/powerpc/include/uapi/asm/bitsperlong.h"
+ #elif defined(__s390__)
+@@ -13,12 +11,8 @@
+ #include "../../../arch/mips/include/uapi/asm/bitsperlong.h"
+ #elif defined(__ia64__)
+ #include "../../../arch/ia64/include/uapi/asm/bitsperlong.h"
+-#elif defined(__riscv)
+-#include "../../../arch/riscv/include/uapi/asm/bitsperlong.h"
+ #elif defined(__alpha__)
+ #include "../../../arch/alpha/include/uapi/asm/bitsperlong.h"
+-#elif defined(__loongarch__)
+-#include "../../../arch/loongarch/include/uapi/asm/bitsperlong.h"
+ #else
+ #include <asm-generic/bitsperlong.h>
+ #endif
+--
+2.51.0
+
--- /dev/null
+From c15007d3c1d1d69d89725629db8a04e4d81fbc31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Nov 2025 16:25:48 +0300
+Subject: mtd: onenand: Pass correct pointer to IRQ handler
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 97315e7c901a1de60e8ca9b11e0e96d0f9253e18 ]
+
+This was supposed to pass "onenand" instead of "&onenand" with the
+ampersand. Passing a random stack address which will be gone when the
+function ends makes no sense. However the good thing is that the pointer
+is never used, so this doesn't cause a problem at run time.
+
+Fixes: e23abf4b7743 ("mtd: OneNAND: S5PC110: Implement DMA interrupt method")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/onenand/onenand_samsung.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/onenand/onenand_samsung.c b/drivers/mtd/nand/onenand/onenand_samsung.c
+index b64895573515e..48608632280c5 100644
+--- a/drivers/mtd/nand/onenand/onenand_samsung.c
++++ b/drivers/mtd/nand/onenand/onenand_samsung.c
+@@ -909,7 +909,7 @@ static int s3c_onenand_probe(struct platform_device *pdev)
+ err = devm_request_irq(&pdev->dev, r->start,
+ s5pc110_onenand_irq,
+ IRQF_SHARED, "onenand",
+- &onenand);
++ onenand);
+ if (err) {
+ dev_err(&pdev->dev, "failed to get irq\n");
+ return err;
+--
+2.51.0
+
--- /dev/null
+From fb06be447e41a01dba8f1582bade15f985bf20b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 21:39:58 +0000
+Subject: netfilter: nf_tables: reject duplicate device on updates
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit cf5fb87fcdaaaafec55dcc0dc5a9e15ead343973 upstream.
+
+A chain/flowtable update with duplicated devices in the same batch is
+possible. Unfortunately, netdev event path only removes the first
+device that is found, leaving unregistered the hook of the duplicated
+device.
+
+Check if a duplicated device exists in the transaction batch, bail out
+with EEXIST in such case.
+
+WARNING is hit when unregistering the hook:
+
+ [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150
+ [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)
+ [...]
+ [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150
+
+Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable")
+Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index df83224bef06c..b278f493cc93c 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -8078,6 +8078,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
+ {
+ const struct nlattr * const *nla = ctx->nla;
+ struct nft_flowtable_hook flowtable_hook;
++ struct nftables_pernet *nft_net;
+ struct nft_hook *hook, *next;
+ struct nft_trans *trans;
+ bool unregister = false;
+@@ -8093,6 +8094,20 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
+ if (nft_hook_list_find(&flowtable->hook_list, hook)) {
+ list_del(&hook->list);
+ kfree(hook);
++ continue;
++ }
++
++ nft_net = nft_pernet(ctx->net);
++ list_for_each_entry(trans, &nft_net->commit_list, list) {
++ if (trans->msg_type != NFT_MSG_NEWFLOWTABLE ||
++ trans->ctx.table != ctx->table ||
++ !nft_trans_flowtable_update(trans))
++ continue;
++
++ if (nft_hook_list_find(&nft_trans_flowtable_hooks(trans), hook)) {
++ err = -EEXIST;
++ goto err_flowtable_update_hook;
++ }
+ }
+ }
+
+--
+2.51.0
+
espintcp-fix-skb-leaks.patch
mm-mprotect-delete-pmd_none_or_clear_bad_unless_tran.patch
lib-crypto-arm-curve25519-disable-on-cpu_big_endian.patch
+asm-generic-unify-uapi-bitsperlong.h-for-arm64-riscv.patch
+mtd-onenand-pass-correct-pointer-to-irq-handler.patch
+netfilter-nf_tables-reject-duplicate-device-on-updat.patch
--- /dev/null
+From 3f164e56d35a1cfd25a5cba89bd5149b29cdf72d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Nov 2025 06:28:15 +0000
+Subject: fs/namespace: correctly handle errors returned by
+ grab_requested_mnt_ns
+
+From: Andrei Vagin <avagin@google.com>
+
+[ Upstream commit 78f0e33cd6c939a555aa80dbed2fec6b333a7660 ]
+
+grab_requested_mnt_ns was changed to return error codes on failure, but
+its callers were not updated to check for error pointers, still checking
+only for a NULL return value.
+
+This commit updates the callers to use IS_ERR() or IS_ERR_OR_NULL() and
+PTR_ERR() to correctly check for and propagate errors.
+
+This also makes sure that the logic actually works and mount namespace
+file descriptors can be used to refere to mounts.
+
+Christian Brauner <brauner@kernel.org> says:
+
+Rework the patch to be more ergonomic and in line with our overall error
+handling patterns.
+
+Fixes: 7b9d14af8777 ("fs: allow mount namespace fd")
+Cc: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Andrei Vagin <avagin@google.com>
+Link: https://patch.msgid.link/20251111062815.2546189-1-avagin@google.com
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/namespace.c | 32 ++++++++++++++++----------------
+ include/uapi/linux/mount.h | 2 +-
+ 2 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index cc4926d53e7de..035d6f1f0b6ef 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -158,7 +158,8 @@ static void mnt_ns_release(struct mnt_namespace *ns)
+ kfree(ns);
+ }
+ }
+-DEFINE_FREE(mnt_ns_release, struct mnt_namespace *, if (_T) mnt_ns_release(_T))
++DEFINE_FREE(mnt_ns_release, struct mnt_namespace *,
++ if (!IS_ERR(_T)) mnt_ns_release(_T))
+
+ static void mnt_ns_tree_remove(struct mnt_namespace *ns)
+ {
+@@ -5325,7 +5326,7 @@ static int copy_mnt_id_req(const struct mnt_id_req __user *req,
+ ret = copy_struct_from_user(kreq, sizeof(*kreq), req, usize);
+ if (ret)
+ return ret;
+- if (kreq->spare != 0)
++ if (kreq->mnt_ns_fd != 0 && kreq->mnt_ns_id)
+ return -EINVAL;
+ /* The first valid unique mount id is MNT_UNIQUE_ID_OFFSET + 1. */
+ if (kreq->mnt_id <= MNT_UNIQUE_ID_OFFSET)
+@@ -5342,16 +5343,12 @@ static struct mnt_namespace *grab_requested_mnt_ns(const struct mnt_id_req *kreq
+ {
+ struct mnt_namespace *mnt_ns;
+
+- if (kreq->mnt_ns_id && kreq->spare)
+- return ERR_PTR(-EINVAL);
+-
+- if (kreq->mnt_ns_id)
+- return lookup_mnt_ns(kreq->mnt_ns_id);
+-
+- if (kreq->spare) {
++ if (kreq->mnt_ns_id) {
++ mnt_ns = lookup_mnt_ns(kreq->mnt_ns_id);
++ } else if (kreq->mnt_ns_fd) {
+ struct ns_common *ns;
+
+- CLASS(fd, f)(kreq->spare);
++ CLASS(fd, f)(kreq->mnt_ns_fd);
+ if (fd_empty(f))
+ return ERR_PTR(-EBADF);
+
+@@ -5366,6 +5363,8 @@ static struct mnt_namespace *grab_requested_mnt_ns(const struct mnt_id_req *kreq
+ } else {
+ mnt_ns = current->nsproxy->mnt_ns;
+ }
++ if (!mnt_ns)
++ return ERR_PTR(-ENOENT);
+
+ refcount_inc(&mnt_ns->passive);
+ return mnt_ns;
+@@ -5390,8 +5389,8 @@ SYSCALL_DEFINE4(statmount, const struct mnt_id_req __user *, req,
+ return ret;
+
+ ns = grab_requested_mnt_ns(&kreq);
+- if (!ns)
+- return -ENOENT;
++ if (IS_ERR(ns))
++ return PTR_ERR(ns);
+
+ if (kreq.mnt_ns_id && (ns != current->nsproxy->mnt_ns) &&
+ !ns_capable_noaudit(ns->user_ns, CAP_SYS_ADMIN))
+@@ -5500,8 +5499,8 @@ static void __free_klistmount_free(const struct klistmount *kls)
+ static inline int prepare_klistmount(struct klistmount *kls, struct mnt_id_req *kreq,
+ size_t nr_mnt_ids)
+ {
+-
+ u64 last_mnt_id = kreq->param;
++ struct mnt_namespace *ns;
+
+ /* The first valid unique mount id is MNT_UNIQUE_ID_OFFSET + 1. */
+ if (last_mnt_id != 0 && last_mnt_id <= MNT_UNIQUE_ID_OFFSET)
+@@ -5515,9 +5514,10 @@ static inline int prepare_klistmount(struct klistmount *kls, struct mnt_id_req *
+ if (!kls->kmnt_ids)
+ return -ENOMEM;
+
+- kls->ns = grab_requested_mnt_ns(kreq);
+- if (!kls->ns)
+- return -ENOENT;
++ ns = grab_requested_mnt_ns(kreq);
++ if (IS_ERR(ns))
++ return PTR_ERR(ns);
++ kls->ns = ns;
+
+ kls->mnt_parent_id = kreq->mnt_id;
+ return 0;
+diff --git a/include/uapi/linux/mount.h b/include/uapi/linux/mount.h
+index 225bc366ffcbf..dbf65f2ffcf33 100644
+--- a/include/uapi/linux/mount.h
++++ b/include/uapi/linux/mount.h
+@@ -186,7 +186,7 @@ struct statmount {
+ */
+ struct mnt_id_req {
+ __u32 size;
+- __u32 spare;
++ __u32 mnt_ns_fd;
+ __u64 mnt_id;
+ __u64 param;
+ __u64 mnt_ns_id;
+--
+2.51.0
+
--- /dev/null
+From cfb591ac1fa82f391cb5306e595d1610607ed44b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Oct 2025 09:22:35 +0000
+Subject: hostfs: Fix only passing host root in boot stage with new mount
+
+From: Hongbo Li <lihongbo22@huawei.com>
+
+[ Upstream commit 2c2b67af5f5f77fc68261a137ad65dcfb8e52506 ]
+
+In the old mount proceedure, hostfs could only pass root directory during
+boot. This is because it constructed the root directory using the @root_ino
+event without any mount options. However, when using it with the new mount
+API, this step is no longer triggered. As a result, if users mounts without
+specifying any mount options, the @host_root_path remains uninitialized. To
+prevent this issue, the @host_root_path should be initialized at the time
+of allocation.
+
+Reported-by: Geoffrey Thorpe <geoff@geoffthorpe.net>
+Closes: https://lore.kernel.org/all/643333a0-f434-42fb-82ac-d25a0b56f3b7@geoffthorpe.net/
+Fixes: cd140ce9f611 ("hostfs: convert hostfs to use the new mount API")
+Signed-off-by: Hongbo Li <lihongbo22@huawei.com>
+Link: https://patch.msgid.link/20251011092235.29880-1-lihongbo22@huawei.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hostfs/hostfs_kern.c | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c
+index a16a7df0766cd..3e143b679156d 100644
+--- a/fs/hostfs/hostfs_kern.c
++++ b/fs/hostfs/hostfs_kern.c
+@@ -972,7 +972,7 @@ static int hostfs_parse_param(struct fs_context *fc, struct fs_parameter *param)
+ {
+ struct hostfs_fs_info *fsi = fc->s_fs_info;
+ struct fs_parse_result result;
+- char *host_root;
++ char *host_root, *tmp_root;
+ int opt;
+
+ opt = fs_parse(fc, hostfs_param_specs, param, &result);
+@@ -983,11 +983,13 @@ static int hostfs_parse_param(struct fs_context *fc, struct fs_parameter *param)
+ case Opt_hostfs:
+ host_root = param->string;
+ if (!*host_root)
+- host_root = "";
+- fsi->host_root_path =
+- kasprintf(GFP_KERNEL, "%s/%s", root_ino, host_root);
+- if (fsi->host_root_path == NULL)
++ break;
++ tmp_root = kasprintf(GFP_KERNEL, "%s%s",
++ fsi->host_root_path, host_root);
++ if (!tmp_root)
+ return -ENOMEM;
++ kfree(fsi->host_root_path);
++ fsi->host_root_path = tmp_root;
+ break;
+ }
+
+@@ -997,17 +999,17 @@ static int hostfs_parse_param(struct fs_context *fc, struct fs_parameter *param)
+ static int hostfs_parse_monolithic(struct fs_context *fc, void *data)
+ {
+ struct hostfs_fs_info *fsi = fc->s_fs_info;
+- char *host_root = (char *)data;
++ char *tmp_root, *host_root = (char *)data;
+
+ /* NULL is printed as '(null)' by printf(): avoid that. */
+ if (host_root == NULL)
+- host_root = "";
++ return 0;
+
+- fsi->host_root_path =
+- kasprintf(GFP_KERNEL, "%s/%s", root_ino, host_root);
+- if (fsi->host_root_path == NULL)
++ tmp_root = kasprintf(GFP_KERNEL, "%s%s", fsi->host_root_path, host_root);
++ if (!tmp_root)
+ return -ENOMEM;
+-
++ kfree(fsi->host_root_path);
++ fsi->host_root_path = tmp_root;
+ return 0;
+ }
+
+@@ -1042,6 +1044,11 @@ static int hostfs_init_fs_context(struct fs_context *fc)
+ if (!fsi)
+ return -ENOMEM;
+
++ fsi->host_root_path = kasprintf(GFP_KERNEL, "%s/", root_ino);
++ if (!fsi->host_root_path) {
++ kfree(fsi);
++ return -ENOMEM;
++ }
+ fc->s_fs_info = fsi;
+ fc->ops = &hostfs_context_ops;
+ return 0;
+--
+2.51.0
+
--- /dev/null
+From 6691f827ebc35eb0e77f2da75c119eaa2dabe32a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Nov 2025 16:25:48 +0300
+Subject: mtd: onenand: Pass correct pointer to IRQ handler
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 97315e7c901a1de60e8ca9b11e0e96d0f9253e18 ]
+
+This was supposed to pass "onenand" instead of "&onenand" with the
+ampersand. Passing a random stack address which will be gone when the
+function ends makes no sense. However the good thing is that the pointer
+is never used, so this doesn't cause a problem at run time.
+
+Fixes: e23abf4b7743 ("mtd: OneNAND: S5PC110: Implement DMA interrupt method")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/onenand/onenand_samsung.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/onenand/onenand_samsung.c b/drivers/mtd/nand/onenand/onenand_samsung.c
+index fd6890a03d557..0e21d443078e4 100644
+--- a/drivers/mtd/nand/onenand/onenand_samsung.c
++++ b/drivers/mtd/nand/onenand/onenand_samsung.c
+@@ -906,7 +906,7 @@ static int s3c_onenand_probe(struct platform_device *pdev)
+ err = devm_request_irq(&pdev->dev, r->start,
+ s5pc110_onenand_irq,
+ IRQF_SHARED, "onenand",
+- &onenand);
++ onenand);
+ if (err) {
+ dev_err(&pdev->dev, "failed to get irq\n");
+ return err;
+--
+2.51.0
+
--- /dev/null
+From 340c9425f5363ea73eb30b586cf48d807d617a6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 21:28:59 +0000
+Subject: netfilter: nf_tables: reject duplicate device on updates
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit cf5fb87fcdaaaafec55dcc0dc5a9e15ead343973 upstream.
+
+A chain/flowtable update with duplicated devices in the same batch is
+possible. Unfortunately, netdev event path only removes the first
+device that is found, leaving unregistered the hook of the duplicated
+device.
+
+Check if a duplicated device exists in the transaction batch, bail out
+with EEXIST in such case.
+
+WARNING is hit when unregistering the hook:
+
+ [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150
+ [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)
+ [...]
+ [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150
+
+Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable")
+Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 2f3684dcbef8c..e1c617b488889 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2642,6 +2642,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
+ struct nft_chain *chain = ctx->chain;
+ struct nft_chain_hook hook = {};
+ struct nft_stats *stats = NULL;
++ struct nftables_pernet *nft_net;
+ struct nft_hook *h, *next;
+ struct nf_hook_ops *ops;
+ struct nft_trans *trans;
+@@ -2682,6 +2683,20 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
+ if (nft_hook_list_find(&basechain->hook_list, h)) {
+ list_del(&h->list);
+ kfree(h);
++ continue;
++ }
++
++ nft_net = nft_pernet(ctx->net);
++ list_for_each_entry(trans, &nft_net->commit_list, list) {
++ if (trans->msg_type != NFT_MSG_NEWCHAIN ||
++ trans->table != ctx->table ||
++ !nft_trans_chain_update(trans))
++ continue;
++
++ if (nft_hook_list_find(&nft_trans_chain_hooks(trans), h)) {
++ nft_chain_release_hook(&hook);
++ return -EEXIST;
++ }
+ }
+ }
+ } else {
+@@ -8686,6 +8701,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
+ {
+ const struct nlattr * const *nla = ctx->nla;
+ struct nft_flowtable_hook flowtable_hook;
++ struct nftables_pernet *nft_net;
+ struct nft_hook *hook, *next;
+ struct nft_trans *trans;
+ bool unregister = false;
+@@ -8701,6 +8717,20 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
+ if (nft_hook_list_find(&flowtable->hook_list, hook)) {
+ list_del(&hook->list);
+ kfree(hook);
++ continue;
++ }
++
++ nft_net = nft_pernet(ctx->net);
++ list_for_each_entry(trans, &nft_net->commit_list, list) {
++ if (trans->msg_type != NFT_MSG_NEWFLOWTABLE ||
++ trans->table != ctx->table ||
++ !nft_trans_flowtable_update(trans))
++ continue;
++
++ if (nft_hook_list_find(&nft_trans_flowtable_hooks(trans), hook)) {
++ err = -EEXIST;
++ goto err_flowtable_update_hook;
++ }
+ }
+ }
+
+--
+2.51.0
+
--- /dev/null
+From fb3881b0eaa0d10a3720496b7035d95b7cd6ea40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 21:28:58 +0000
+Subject: Revert "netfilter: nf_tables: Reintroduce shortened deletion
+ notifications"
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+This is a partial revert of commit dbe85d3115c7e6b5124c8b028f4f602856ea51dd.
+
+This update breaks old nftables userspace because monitor parser cannot
+handle this shortened deletion, this patch was added as a Stable-dep:,
+let's revert it.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 36 ++---------------------------------
+ 1 file changed, 2 insertions(+), 34 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 3028d388b2933..2f3684dcbef8c 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1032,12 +1032,6 @@ static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
+ NFTA_TABLE_PAD))
+ goto nla_put_failure;
+
+- if (event == NFT_MSG_DELTABLE ||
+- event == NFT_MSG_DESTROYTABLE) {
+- nlmsg_end(skb, nlh);
+- return 0;
+- }
+-
+ if (nla_put_be32(skb, NFTA_TABLE_FLAGS,
+ htonl(table->flags & NFT_TABLE_F_MASK)))
+ goto nla_put_failure;
+@@ -1893,13 +1887,6 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
+ NFTA_CHAIN_PAD))
+ goto nla_put_failure;
+
+- if (!hook_list &&
+- (event == NFT_MSG_DELCHAIN ||
+- event == NFT_MSG_DESTROYCHAIN)) {
+- nlmsg_end(skb, nlh);
+- return 0;
+- }
+-
+ if (nft_is_base_chain(chain)) {
+ const struct nft_base_chain *basechain = nft_base_chain(chain);
+ struct nft_stats __percpu *stats;
+@@ -4685,12 +4672,6 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
+ NFTA_SET_PAD))
+ goto nla_put_failure;
+
+- if (event == NFT_MSG_DELSET ||
+- event == NFT_MSG_DESTROYSET) {
+- nlmsg_end(skb, nlh);
+- return 0;
+- }
+-
+ if (set->flags != 0)
+ if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
+ goto nla_put_failure;
+@@ -8021,18 +8002,12 @@ static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
+
+ if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
+ nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
+- nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
+ nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
+ NFTA_OBJ_PAD))
+ goto nla_put_failure;
+
+- if (event == NFT_MSG_DELOBJ ||
+- event == NFT_MSG_DESTROYOBJ) {
+- nlmsg_end(skb, nlh);
+- return 0;
+- }
+-
+- if (nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
++ if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
++ nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
+ nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
+ goto nla_put_failure;
+
+@@ -9048,13 +9023,6 @@ static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
+ NFTA_FLOWTABLE_PAD))
+ goto nla_put_failure;
+
+- if (!hook_list &&
+- (event == NFT_MSG_DELFLOWTABLE ||
+- event == NFT_MSG_DESTROYFLOWTABLE)) {
+- nlmsg_end(skb, nlh);
+- return 0;
+- }
+-
+ if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
+ nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
+ goto nla_put_failure;
+--
+2.51.0
+
--- /dev/null
+From 96c22b9425cdb711e8a61f9b5ae290ba5ac6d8b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 15:33:28 +0800
+Subject: sched_ext: Fix unsafe locking in the scx_dump_state()
+
+From: Zqiang <qiang.zhang@linux.dev>
+
+[ Upstream commit 5f02151c411dda46efcc5dc57b0845efcdcfc26d ]
+
+For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted
+sleepable spinlock and not disable-irq, so the following scenarios occur:
+
+inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
+irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes:
+(&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40
+{IN-HARDIRQ-W} state was registered at:
+ lock_acquire+0x1e1/0x510
+ _raw_spin_lock_nested+0x42/0x80
+ raw_spin_rq_lock_nested+0x2b/0x40
+ sched_tick+0xae/0x7b0
+ update_process_times+0x14c/0x1b0
+ tick_periodic+0x62/0x1f0
+ tick_handle_periodic+0x48/0xf0
+ timer_interrupt+0x55/0x80
+ __handle_irq_event_percpu+0x20a/0x5c0
+ handle_irq_event_percpu+0x18/0xc0
+ handle_irq_event+0xb5/0x150
+ handle_level_irq+0x220/0x460
+ __common_interrupt+0xa2/0x1e0
+ common_interrupt+0xb0/0xd0
+ asm_common_interrupt+0x2b/0x40
+ _raw_spin_unlock_irqrestore+0x45/0x80
+ __setup_irq+0xc34/0x1a30
+ request_threaded_irq+0x214/0x2f0
+ hpet_time_init+0x3e/0x60
+ x86_late_time_init+0x5b/0xb0
+ start_kernel+0x308/0x410
+ x86_64_start_reservations+0x1c/0x30
+ x86_64_start_kernel+0x96/0xa0
+ common_startup_64+0x13e/0x148
+
+ other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&rq->__lock);
+ <Interrupt>
+ lock(&rq->__lock);
+
+ *** DEADLOCK ***
+
+ stack backtrace:
+ CPU: 0 UID: 0 PID: 27 Comm: irq_work/0
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x8c/0xd0
+ dump_stack+0x14/0x20
+ print_usage_bug+0x42e/0x690
+ mark_lock.part.44+0x867/0xa70
+ ? __pfx_mark_lock.part.44+0x10/0x10
+ ? string_nocheck+0x19c/0x310
+ ? number+0x739/0x9f0
+ ? __pfx_string_nocheck+0x10/0x10
+ ? __pfx_check_pointer+0x10/0x10
+ ? kvm_sched_clock_read+0x15/0x30
+ ? sched_clock_noinstr+0xd/0x20
+ ? local_clock_noinstr+0x1c/0xe0
+ __lock_acquire+0xc4b/0x62b0
+ ? __pfx_format_decode+0x10/0x10
+ ? __pfx_string+0x10/0x10
+ ? __pfx___lock_acquire+0x10/0x10
+ ? __pfx_vsnprintf+0x10/0x10
+ lock_acquire+0x1e1/0x510
+ ? raw_spin_rq_lock_nested+0x2b/0x40
+ ? __pfx_lock_acquire+0x10/0x10
+ ? dump_line+0x12e/0x270
+ ? raw_spin_rq_lock_nested+0x20/0x40
+ _raw_spin_lock_nested+0x42/0x80
+ ? raw_spin_rq_lock_nested+0x2b/0x40
+ raw_spin_rq_lock_nested+0x2b/0x40
+ scx_dump_state+0x3b3/0x1270
+ ? finish_task_switch+0x27e/0x840
+ scx_ops_error_irq_workfn+0x67/0x80
+ irq_work_single+0x113/0x260
+ irq_work_run_list.part.3+0x44/0x70
+ run_irq_workd+0x6b/0x90
+ ? __pfx_run_irq_workd+0x10/0x10
+ smpboot_thread_fn+0x529/0x870
+ ? __pfx_smpboot_thread_fn+0x10/0x10
+ kthread+0x305/0x3f0
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x40/0x70
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+This commit therefore use rq_lock_irqsave/irqrestore() to replace
+rq_lock/unlock() in the scx_dump_state().
+
+Fixes: 07814a9439a3 ("sched_ext: Print debug dump after an error exit")
+Signed-off-by: Zqiang <qiang.zhang@linux.dev>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/ext.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
+index be2e836e10e93..ad1d438b3085c 100644
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -4966,7 +4966,7 @@ static void scx_dump_state(struct scx_exit_info *ei, size_t dump_len)
+ size_t avail, used;
+ bool idle;
+
+- rq_lock(rq, &rf);
++ rq_lock_irqsave(rq, &rf);
+
+ idle = list_empty(&rq->scx.runnable_list) &&
+ rq->curr->sched_class == &idle_sched_class;
+@@ -5034,7 +5034,7 @@ static void scx_dump_state(struct scx_exit_info *ei, size_t dump_len)
+ list_for_each_entry(p, &rq->scx.runnable_list, scx.runnable_node)
+ scx_dump_task(&s, &dctx, p, ' ');
+ next:
+- rq_unlock(rq, &rf);
++ rq_unlock_irqrestore(rq, &rf);
+ }
+
+ if (seq_buf_has_overflowed(&s) && dump_len >= sizeof(trunc_marker))
+--
+2.51.0
+
ext4-fix-out-of-bound-read-in-ext4_xattr_inode_dec_r.patch
bluetooth-mgmt-fix-possible-uafs.patch
f2fs-fix-to-avoid-overflow-while-left-shift-operatio.patch
+hostfs-fix-only-passing-host-root-in-boot-stage-with.patch
+mtd-onenand-pass-correct-pointer-to-irq-handler.patch
+virtio-fs-fix-incorrect-check-for-fsvq-kobj.patch
+fs-namespace-correctly-handle-errors-returned-by-gra.patch
+sched_ext-fix-unsafe-locking-in-the-scx_dump_state.patch
+revert-netfilter-nf_tables-reintroduce-shortened-del.patch
+netfilter-nf_tables-reject-duplicate-device-on-updat.patch
--- /dev/null
+From 39bd0dd2b6eaca2f526e13338ea6d2aafa2e78a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Oct 2025 03:46:47 -0700
+Subject: virtio-fs: fix incorrect check for fsvq->kobj
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit c014021253d77cd89b2d8788ce522283d83fbd40 ]
+
+In virtio_fs_add_queues_sysfs(), the code incorrectly checks fs->mqs_kobj
+after calling kobject_create_and_add(). Change the check to fsvq->kobj
+(fs->mqs_kobj -> fsvq->kobj) to ensure the per-queue kobject is
+successfully created.
+
+Fixes: 87cbdc396a31 ("virtio_fs: add sysfs entries for queue information")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20251027104658.1668537-1-alok.a.tiwari@oracle.com
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fuse/virtio_fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
+index 749c9f66d74c6..c81f7b888c385 100644
+--- a/fs/fuse/virtio_fs.c
++++ b/fs/fuse/virtio_fs.c
+@@ -372,7 +372,7 @@ static int virtio_fs_add_queues_sysfs(struct virtio_fs *fs)
+
+ sprintf(buff, "%d", i);
+ fsvq->kobj = kobject_create_and_add(buff, fs->mqs_kobj);
+- if (!fs->mqs_kobj) {
++ if (!fsvq->kobj) {
+ ret = -ENOMEM;
+ goto out_del;
+ }
+--
+2.51.0
+
--- /dev/null
+From d7be7b9ba9d0a21b6de4c7c5f78eedf444cc9149 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Oct 2025 19:48:32 +0100
+Subject: afs: Fix dynamic lookup to fail on cell lookup failure
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 330e2c514823008b22e6afd2055715bc46dd8d55 ]
+
+When a process tries to access an entry in /afs, normally what happens is
+that an automount dentry is created by ->lookup() and then triggered, which
+jumps through the ->d_automount() op. Currently, afs_dynroot_lookup() does
+not do cell DNS lookup, leaving that to afs_d_automount() to perform -
+however, it is possible to use access() or stat() on the automount point,
+which will always return successfully, have briefly created an afs_cell
+record if one did not already exist.
+
+This means that something like:
+
+ test -d "/afs/.west" && echo Directory exists
+
+will print "Directory exists" even though no such cell is configured. This
+breaks the "west" python module available on PIP as it expects this access
+to fail.
+
+Now, it could be possible to make afs_dynroot_lookup() perform the DNS[*]
+lookup, but that would make "ls --color /afs" do this for each cell in /afs
+that is listed but not yet probed. kafs-client, probably wrongly, preloads
+the entire cell database and all the known cells are then listed in /afs -
+and doing ls /afs would be very, very slow, especially if any cell supplied
+addresses but was wholly inaccessible.
+
+ [*] When I say "DNS", actually read getaddrinfo(), which could use any one
+ of a host of mechanisms. Could also use static configuration.
+
+To fix this, make the following changes:
+
+ (1) Create an enum to specify the origination point of a call to
+ afs_lookup_cell() and pass this value into that function in place of
+ the "excl" parameter (which can be derived from it). There are six
+ points of origination:
+
+ - Cell preload through /proc/net/afs/cells
+ - Root cell config through /proc/net/afs/rootcell
+ - Lookup in dynamic root
+ - Automount trigger
+ - Direct mount with mount() syscall
+ - Alias check where YFS tells us the cell name is different
+
+ (2) Add an extra state into the afs_cell state machine to indicate a cell
+ that's been initialised, but not yet looked up. This is separate from
+ one that can be considered active and has been looked up at least
+ once.
+
+ (3) Make afs_lookup_cell() vary its behaviour more, depending on where it
+ was called from:
+
+ If called from preload or root cell config, DNS lookup will not happen
+ until we definitely want to use the cell (dynroot mount, automount,
+ direct mount or alias check). The cell will appear in /afs but stat()
+ won't trigger DNS lookup.
+
+ If the cell already exists, dynroot will not wait for the DNS lookup
+ to complete. If the cell did not already exist, dynroot will wait.
+
+ If called from automount, direct mount or alias check, it will wait
+ for the DNS lookup to complete.
+
+ (4) Make afs_lookup_cell() return an error if lookup failed in one way or
+ another. We try to return -ENOENT if the DNS says the cell does not
+ exist and -EDESTADDRREQ if we couldn't access the DNS.
+
+Reported-by: Markus Suvanto <markus.suvanto@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220685
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://patch.msgid.link/1784747.1761158912@warthog.procyon.org.uk
+Fixes: 1d0b929fc070 ("afs: Change dynroot to create contents on demand")
+Tested-by: Markus Suvanto <markus.suvanto@gmail.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/cell.c | 78 +++++++++++++++++++++++++++++++++++++++--------
+ fs/afs/dynroot.c | 3 +-
+ fs/afs/internal.h | 12 +++++++-
+ fs/afs/mntpt.c | 3 +-
+ fs/afs/proc.c | 3 +-
+ fs/afs/super.c | 2 +-
+ fs/afs/vl_alias.c | 3 +-
+ 7 files changed, 86 insertions(+), 18 deletions(-)
+
+diff --git a/fs/afs/cell.c b/fs/afs/cell.c
+index f31359922e98d..d9b6fa1088b7b 100644
+--- a/fs/afs/cell.c
++++ b/fs/afs/cell.c
+@@ -229,7 +229,7 @@ static struct afs_cell *afs_alloc_cell(struct afs_net *net,
+ * @name: The name of the cell.
+ * @namesz: The strlen of the cell name.
+ * @vllist: A colon/comma separated list of numeric IP addresses or NULL.
+- * @excl: T if an error should be given if the cell name already exists.
++ * @reason: The reason we're doing the lookup
+ * @trace: The reason to be logged if the lookup is successful.
+ *
+ * Look up a cell record by name and query the DNS for VL server addresses if
+@@ -239,7 +239,8 @@ static struct afs_cell *afs_alloc_cell(struct afs_net *net,
+ */
+ struct afs_cell *afs_lookup_cell(struct afs_net *net,
+ const char *name, unsigned int namesz,
+- const char *vllist, bool excl,
++ const char *vllist,
++ enum afs_lookup_cell_for reason,
+ enum afs_cell_trace trace)
+ {
+ struct afs_cell *cell, *candidate, *cursor;
+@@ -247,12 +248,18 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net,
+ enum afs_cell_state state;
+ int ret, n;
+
+- _enter("%s,%s", name, vllist);
++ _enter("%s,%s,%u", name, vllist, reason);
+
+- if (!excl) {
++ if (reason != AFS_LOOKUP_CELL_PRELOAD) {
+ cell = afs_find_cell(net, name, namesz, trace);
+- if (!IS_ERR(cell))
++ if (!IS_ERR(cell)) {
++ if (reason == AFS_LOOKUP_CELL_DYNROOT)
++ goto no_wait;
++ if (cell->state == AFS_CELL_SETTING_UP ||
++ cell->state == AFS_CELL_UNLOOKED)
++ goto lookup_cell;
+ goto wait_for_cell;
++ }
+ }
+
+ /* Assume we're probably going to create a cell and preallocate and
+@@ -298,26 +305,69 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net,
+ rb_insert_color(&cell->net_node, &net->cells);
+ up_write(&net->cells_lock);
+
+- afs_queue_cell(cell, afs_cell_trace_queue_new);
++lookup_cell:
++ if (reason != AFS_LOOKUP_CELL_PRELOAD &&
++ reason != AFS_LOOKUP_CELL_ROOTCELL) {
++ set_bit(AFS_CELL_FL_DO_LOOKUP, &cell->flags);
++ afs_queue_cell(cell, afs_cell_trace_queue_new);
++ }
+
+ wait_for_cell:
+- _debug("wait_for_cell");
+ state = smp_load_acquire(&cell->state); /* vs error */
+- if (state != AFS_CELL_ACTIVE &&
+- state != AFS_CELL_DEAD) {
++ switch (state) {
++ case AFS_CELL_ACTIVE:
++ case AFS_CELL_DEAD:
++ break;
++ case AFS_CELL_UNLOOKED:
++ default:
++ if (reason == AFS_LOOKUP_CELL_PRELOAD ||
++ reason == AFS_LOOKUP_CELL_ROOTCELL)
++ break;
++ _debug("wait_for_cell");
+ afs_see_cell(cell, afs_cell_trace_wait);
+ wait_var_event(&cell->state,
+ ({
+ state = smp_load_acquire(&cell->state); /* vs error */
+ state == AFS_CELL_ACTIVE || state == AFS_CELL_DEAD;
+ }));
++ _debug("waited_for_cell %d %d", cell->state, cell->error);
+ }
+
++no_wait:
+ /* Check the state obtained from the wait check. */
++ state = smp_load_acquire(&cell->state); /* vs error */
+ if (state == AFS_CELL_DEAD) {
+ ret = cell->error;
+ goto error;
+ }
++ if (state == AFS_CELL_ACTIVE) {
++ switch (cell->dns_status) {
++ case DNS_LOOKUP_NOT_DONE:
++ if (cell->dns_source == DNS_RECORD_FROM_CONFIG) {
++ ret = 0;
++ break;
++ }
++ fallthrough;
++ default:
++ ret = -EIO;
++ goto error;
++ case DNS_LOOKUP_GOOD:
++ case DNS_LOOKUP_GOOD_WITH_BAD:
++ ret = 0;
++ break;
++ case DNS_LOOKUP_GOT_NOT_FOUND:
++ ret = -ENOENT;
++ goto error;
++ case DNS_LOOKUP_BAD:
++ ret = -EREMOTEIO;
++ goto error;
++ case DNS_LOOKUP_GOT_LOCAL_FAILURE:
++ case DNS_LOOKUP_GOT_TEMP_FAILURE:
++ case DNS_LOOKUP_GOT_NS_FAILURE:
++ ret = -EDESTADDRREQ;
++ goto error;
++ }
++ }
+
+ _leave(" = %p [cell]", cell);
+ return cell;
+@@ -325,7 +375,7 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net,
+ cell_already_exists:
+ _debug("cell exists");
+ cell = cursor;
+- if (excl) {
++ if (reason == AFS_LOOKUP_CELL_PRELOAD) {
+ ret = -EEXIST;
+ } else {
+ afs_use_cell(cursor, trace);
+@@ -384,7 +434,8 @@ int afs_cell_init(struct afs_net *net, const char *rootcell)
+ return -EINVAL;
+
+ /* allocate a cell record for the root/workstation cell */
+- new_root = afs_lookup_cell(net, rootcell, len, vllist, false,
++ new_root = afs_lookup_cell(net, rootcell, len, vllist,
++ AFS_LOOKUP_CELL_ROOTCELL,
+ afs_cell_trace_use_lookup_ws);
+ if (IS_ERR(new_root)) {
+ _leave(" = %ld", PTR_ERR(new_root));
+@@ -777,6 +828,7 @@ static bool afs_manage_cell(struct afs_cell *cell)
+ switch (cell->state) {
+ case AFS_CELL_SETTING_UP:
+ goto set_up_cell;
++ case AFS_CELL_UNLOOKED:
+ case AFS_CELL_ACTIVE:
+ goto cell_is_active;
+ case AFS_CELL_REMOVING:
+@@ -797,7 +849,7 @@ static bool afs_manage_cell(struct afs_cell *cell)
+ goto remove_cell;
+ }
+
+- afs_set_cell_state(cell, AFS_CELL_ACTIVE);
++ afs_set_cell_state(cell, AFS_CELL_UNLOOKED);
+
+ cell_is_active:
+ if (afs_has_cell_expired(cell, &next_manage))
+@@ -807,6 +859,8 @@ static bool afs_manage_cell(struct afs_cell *cell)
+ ret = afs_update_cell(cell);
+ if (ret < 0)
+ cell->error = ret;
++ if (cell->state == AFS_CELL_UNLOOKED)
++ afs_set_cell_state(cell, AFS_CELL_ACTIVE);
+ }
+
+ if (next_manage < TIME64_MAX && cell->net->live) {
+diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
+index 8c6130789fde3..dc9d29e3739e7 100644
+--- a/fs/afs/dynroot.c
++++ b/fs/afs/dynroot.c
+@@ -108,7 +108,8 @@ static struct dentry *afs_dynroot_lookup_cell(struct inode *dir, struct dentry *
+ dotted = true;
+ }
+
+- cell = afs_lookup_cell(net, name, len, NULL, false,
++ cell = afs_lookup_cell(net, name, len, NULL,
++ AFS_LOOKUP_CELL_DYNROOT,
+ afs_cell_trace_use_lookup_dynroot);
+ if (IS_ERR(cell)) {
+ ret = PTR_ERR(cell);
+diff --git a/fs/afs/internal.h b/fs/afs/internal.h
+index 1124ea4000cb1..87828d685293f 100644
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -343,6 +343,7 @@ extern const char afs_init_sysname[];
+
+ enum afs_cell_state {
+ AFS_CELL_SETTING_UP,
++ AFS_CELL_UNLOOKED,
+ AFS_CELL_ACTIVE,
+ AFS_CELL_REMOVING,
+ AFS_CELL_DEAD,
+@@ -1047,9 +1048,18 @@ static inline bool afs_cb_is_broken(unsigned int cb_break,
+ extern int afs_cell_init(struct afs_net *, const char *);
+ extern struct afs_cell *afs_find_cell(struct afs_net *, const char *, unsigned,
+ enum afs_cell_trace);
++enum afs_lookup_cell_for {
++ AFS_LOOKUP_CELL_DYNROOT,
++ AFS_LOOKUP_CELL_MOUNTPOINT,
++ AFS_LOOKUP_CELL_DIRECT_MOUNT,
++ AFS_LOOKUP_CELL_PRELOAD,
++ AFS_LOOKUP_CELL_ROOTCELL,
++ AFS_LOOKUP_CELL_ALIAS_CHECK,
++};
+ struct afs_cell *afs_lookup_cell(struct afs_net *net,
+ const char *name, unsigned int namesz,
+- const char *vllist, bool excl,
++ const char *vllist,
++ enum afs_lookup_cell_for reason,
+ enum afs_cell_trace trace);
+ extern struct afs_cell *afs_use_cell(struct afs_cell *, enum afs_cell_trace);
+ void afs_unuse_cell(struct afs_cell *cell, enum afs_cell_trace reason);
+diff --git a/fs/afs/mntpt.c b/fs/afs/mntpt.c
+index 9434a5399f2b0..828347fa26450 100644
+--- a/fs/afs/mntpt.c
++++ b/fs/afs/mntpt.c
+@@ -107,7 +107,8 @@ static int afs_mntpt_set_params(struct fs_context *fc, struct dentry *mntpt)
+ if (size > AFS_MAXCELLNAME)
+ return -ENAMETOOLONG;
+
+- cell = afs_lookup_cell(ctx->net, p, size, NULL, false,
++ cell = afs_lookup_cell(ctx->net, p, size, NULL,
++ AFS_LOOKUP_CELL_MOUNTPOINT,
+ afs_cell_trace_use_lookup_mntpt);
+ if (IS_ERR(cell)) {
+ pr_err("kAFS: unable to lookup cell '%pd'\n", mntpt);
+diff --git a/fs/afs/proc.c b/fs/afs/proc.c
+index 40e879c8ca773..44520549b509a 100644
+--- a/fs/afs/proc.c
++++ b/fs/afs/proc.c
+@@ -122,7 +122,8 @@ static int afs_proc_cells_write(struct file *file, char *buf, size_t size)
+ if (strcmp(buf, "add") == 0) {
+ struct afs_cell *cell;
+
+- cell = afs_lookup_cell(net, name, strlen(name), args, true,
++ cell = afs_lookup_cell(net, name, strlen(name), args,
++ AFS_LOOKUP_CELL_PRELOAD,
+ afs_cell_trace_use_lookup_add);
+ if (IS_ERR(cell)) {
+ ret = PTR_ERR(cell);
+diff --git a/fs/afs/super.c b/fs/afs/super.c
+index da407f2d6f0d1..d672b7ab57ae2 100644
+--- a/fs/afs/super.c
++++ b/fs/afs/super.c
+@@ -290,7 +290,7 @@ static int afs_parse_source(struct fs_context *fc, struct fs_parameter *param)
+ /* lookup the cell record */
+ if (cellname) {
+ cell = afs_lookup_cell(ctx->net, cellname, cellnamesz,
+- NULL, false,
++ NULL, AFS_LOOKUP_CELL_DIRECT_MOUNT,
+ afs_cell_trace_use_lookup_mount);
+ if (IS_ERR(cell)) {
+ pr_err("kAFS: unable to lookup cell '%*.*s'\n",
+diff --git a/fs/afs/vl_alias.c b/fs/afs/vl_alias.c
+index 709b4cdb723ee..fc9676abd2527 100644
+--- a/fs/afs/vl_alias.c
++++ b/fs/afs/vl_alias.c
+@@ -269,7 +269,8 @@ static int yfs_check_canonical_cell_name(struct afs_cell *cell, struct key *key)
+ if (!name_len || name_len > AFS_MAXCELLNAME)
+ master = ERR_PTR(-EOPNOTSUPP);
+ else
+- master = afs_lookup_cell(cell->net, cell_name, name_len, NULL, false,
++ master = afs_lookup_cell(cell->net, cell_name, name_len, NULL,
++ AFS_LOOKUP_CELL_ALIAS_CHECK,
+ afs_cell_trace_use_lookup_canonical);
+ kfree(cell_name);
+ if (IS_ERR(master))
+--
+2.51.0
+
--- /dev/null
+From d3dbf3ef58344f88eb87cc0b63979abb73cab82a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Nov 2025 02:29:23 +0000
+Subject: binfmt_misc: restore write access before closing files opened by
+ open_exec()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 90f601b497d76f40fa66795c3ecf625b6aced9fd ]
+
+bm_register_write() opens an executable file using open_exec(), which
+internally calls do_open_execat() and denies write access on the file to
+avoid modification while it is being executed.
+
+However, when an error occurs, bm_register_write() closes the file using
+filp_close() directly. This does not restore the write permission, which
+may cause subsequent write operations on the same file to fail.
+
+Fix this by calling exe_file_allow_write_access() before filp_close() to
+restore the write permission properly.
+
+Fixes: e7850f4d844e ("binfmt_misc: fix possible deadlock in bm_register_write")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Link: https://patch.msgid.link/20251105022923.1813587-1-zilin@seu.edu.cn
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_misc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
+index a839f960cd4a0..a8b1d79e4af07 100644
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -837,8 +837,10 @@ static ssize_t bm_register_write(struct file *file, const char __user *buffer,
+ inode_unlock(d_inode(root));
+
+ if (err) {
+- if (f)
++ if (f) {
++ exe_file_allow_write_access(f);
+ filp_close(f, NULL);
++ }
+ kfree(e);
+ return err;
+ }
+--
+2.51.0
+
--- /dev/null
+From 27f8010a5a18c9bd7f552d7e0315b15ed909fe15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Nov 2025 06:28:15 +0000
+Subject: fs/namespace: correctly handle errors returned by
+ grab_requested_mnt_ns
+
+From: Andrei Vagin <avagin@google.com>
+
+[ Upstream commit 78f0e33cd6c939a555aa80dbed2fec6b333a7660 ]
+
+grab_requested_mnt_ns was changed to return error codes on failure, but
+its callers were not updated to check for error pointers, still checking
+only for a NULL return value.
+
+This commit updates the callers to use IS_ERR() or IS_ERR_OR_NULL() and
+PTR_ERR() to correctly check for and propagate errors.
+
+This also makes sure that the logic actually works and mount namespace
+file descriptors can be used to refere to mounts.
+
+Christian Brauner <brauner@kernel.org> says:
+
+Rework the patch to be more ergonomic and in line with our overall error
+handling patterns.
+
+Fixes: 7b9d14af8777 ("fs: allow mount namespace fd")
+Cc: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Andrei Vagin <avagin@google.com>
+Link: https://patch.msgid.link/20251111062815.2546189-1-avagin@google.com
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/namespace.c | 32 ++++++++++++++++----------------
+ include/uapi/linux/mount.h | 2 +-
+ 2 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index fa7c034ac4a69..0026a6e7730e9 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -186,7 +186,8 @@ static void mnt_ns_release(struct mnt_namespace *ns)
+ kfree(ns);
+ }
+ }
+-DEFINE_FREE(mnt_ns_release, struct mnt_namespace *, if (_T) mnt_ns_release(_T))
++DEFINE_FREE(mnt_ns_release, struct mnt_namespace *,
++ if (!IS_ERR(_T)) mnt_ns_release(_T))
+
+ static void mnt_ns_release_rcu(struct rcu_head *rcu)
+ {
+@@ -5881,7 +5882,7 @@ static int copy_mnt_id_req(const struct mnt_id_req __user *req,
+ ret = copy_struct_from_user(kreq, sizeof(*kreq), req, usize);
+ if (ret)
+ return ret;
+- if (kreq->spare != 0)
++ if (kreq->mnt_ns_fd != 0 && kreq->mnt_ns_id)
+ return -EINVAL;
+ /* The first valid unique mount id is MNT_UNIQUE_ID_OFFSET + 1. */
+ if (kreq->mnt_id <= MNT_UNIQUE_ID_OFFSET)
+@@ -5898,16 +5899,12 @@ static struct mnt_namespace *grab_requested_mnt_ns(const struct mnt_id_req *kreq
+ {
+ struct mnt_namespace *mnt_ns;
+
+- if (kreq->mnt_ns_id && kreq->spare)
+- return ERR_PTR(-EINVAL);
+-
+- if (kreq->mnt_ns_id)
+- return lookup_mnt_ns(kreq->mnt_ns_id);
+-
+- if (kreq->spare) {
++ if (kreq->mnt_ns_id) {
++ mnt_ns = lookup_mnt_ns(kreq->mnt_ns_id);
++ } else if (kreq->mnt_ns_fd) {
+ struct ns_common *ns;
+
+- CLASS(fd, f)(kreq->spare);
++ CLASS(fd, f)(kreq->mnt_ns_fd);
+ if (fd_empty(f))
+ return ERR_PTR(-EBADF);
+
+@@ -5922,6 +5919,8 @@ static struct mnt_namespace *grab_requested_mnt_ns(const struct mnt_id_req *kreq
+ } else {
+ mnt_ns = current->nsproxy->mnt_ns;
+ }
++ if (!mnt_ns)
++ return ERR_PTR(-ENOENT);
+
+ refcount_inc(&mnt_ns->passive);
+ return mnt_ns;
+@@ -5946,8 +5945,8 @@ SYSCALL_DEFINE4(statmount, const struct mnt_id_req __user *, req,
+ return ret;
+
+ ns = grab_requested_mnt_ns(&kreq);
+- if (!ns)
+- return -ENOENT;
++ if (IS_ERR(ns))
++ return PTR_ERR(ns);
+
+ if (kreq.mnt_ns_id && (ns != current->nsproxy->mnt_ns) &&
+ !ns_capable_noaudit(ns->user_ns, CAP_SYS_ADMIN))
+@@ -6056,8 +6055,8 @@ static void __free_klistmount_free(const struct klistmount *kls)
+ static inline int prepare_klistmount(struct klistmount *kls, struct mnt_id_req *kreq,
+ size_t nr_mnt_ids)
+ {
+-
+ u64 last_mnt_id = kreq->param;
++ struct mnt_namespace *ns;
+
+ /* The first valid unique mount id is MNT_UNIQUE_ID_OFFSET + 1. */
+ if (last_mnt_id != 0 && last_mnt_id <= MNT_UNIQUE_ID_OFFSET)
+@@ -6071,9 +6070,10 @@ static inline int prepare_klistmount(struct klistmount *kls, struct mnt_id_req *
+ if (!kls->kmnt_ids)
+ return -ENOMEM;
+
+- kls->ns = grab_requested_mnt_ns(kreq);
+- if (!kls->ns)
+- return -ENOENT;
++ ns = grab_requested_mnt_ns(kreq);
++ if (IS_ERR(ns))
++ return PTR_ERR(ns);
++ kls->ns = ns;
+
+ kls->mnt_parent_id = kreq->mnt_id;
+ return 0;
+diff --git a/include/uapi/linux/mount.h b/include/uapi/linux/mount.h
+index 7fa67c2031a5d..5d3f8c9e3a625 100644
+--- a/include/uapi/linux/mount.h
++++ b/include/uapi/linux/mount.h
+@@ -197,7 +197,7 @@ struct statmount {
+ */
+ struct mnt_id_req {
+ __u32 size;
+- __u32 spare;
++ __u32 mnt_ns_fd;
+ __u64 mnt_id;
+ __u64 param;
+ __u64 mnt_ns_id;
+--
+2.51.0
+
--- /dev/null
+From ca7f0f457151a50d6045c71811b63868c590a720 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Oct 2025 09:22:35 +0000
+Subject: hostfs: Fix only passing host root in boot stage with new mount
+
+From: Hongbo Li <lihongbo22@huawei.com>
+
+[ Upstream commit 2c2b67af5f5f77fc68261a137ad65dcfb8e52506 ]
+
+In the old mount proceedure, hostfs could only pass root directory during
+boot. This is because it constructed the root directory using the @root_ino
+event without any mount options. However, when using it with the new mount
+API, this step is no longer triggered. As a result, if users mounts without
+specifying any mount options, the @host_root_path remains uninitialized. To
+prevent this issue, the @host_root_path should be initialized at the time
+of allocation.
+
+Reported-by: Geoffrey Thorpe <geoff@geoffthorpe.net>
+Closes: https://lore.kernel.org/all/643333a0-f434-42fb-82ac-d25a0b56f3b7@geoffthorpe.net/
+Fixes: cd140ce9f611 ("hostfs: convert hostfs to use the new mount API")
+Signed-off-by: Hongbo Li <lihongbo22@huawei.com>
+Link: https://patch.msgid.link/20251011092235.29880-1-lihongbo22@huawei.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hostfs/hostfs_kern.c | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c
+index 01e516175bcd7..30fcce80a2c35 100644
+--- a/fs/hostfs/hostfs_kern.c
++++ b/fs/hostfs/hostfs_kern.c
+@@ -979,7 +979,7 @@ static int hostfs_parse_param(struct fs_context *fc, struct fs_parameter *param)
+ {
+ struct hostfs_fs_info *fsi = fc->s_fs_info;
+ struct fs_parse_result result;
+- char *host_root;
++ char *host_root, *tmp_root;
+ int opt;
+
+ opt = fs_parse(fc, hostfs_param_specs, param, &result);
+@@ -990,11 +990,13 @@ static int hostfs_parse_param(struct fs_context *fc, struct fs_parameter *param)
+ case Opt_hostfs:
+ host_root = param->string;
+ if (!*host_root)
+- host_root = "";
+- fsi->host_root_path =
+- kasprintf(GFP_KERNEL, "%s/%s", root_ino, host_root);
+- if (fsi->host_root_path == NULL)
++ break;
++ tmp_root = kasprintf(GFP_KERNEL, "%s%s",
++ fsi->host_root_path, host_root);
++ if (!tmp_root)
+ return -ENOMEM;
++ kfree(fsi->host_root_path);
++ fsi->host_root_path = tmp_root;
+ break;
+ }
+
+@@ -1004,17 +1006,17 @@ static int hostfs_parse_param(struct fs_context *fc, struct fs_parameter *param)
+ static int hostfs_parse_monolithic(struct fs_context *fc, void *data)
+ {
+ struct hostfs_fs_info *fsi = fc->s_fs_info;
+- char *host_root = (char *)data;
++ char *tmp_root, *host_root = (char *)data;
+
+ /* NULL is printed as '(null)' by printf(): avoid that. */
+ if (host_root == NULL)
+- host_root = "";
++ return 0;
+
+- fsi->host_root_path =
+- kasprintf(GFP_KERNEL, "%s/%s", root_ino, host_root);
+- if (fsi->host_root_path == NULL)
++ tmp_root = kasprintf(GFP_KERNEL, "%s%s", fsi->host_root_path, host_root);
++ if (!tmp_root)
+ return -ENOMEM;
+-
++ kfree(fsi->host_root_path);
++ fsi->host_root_path = tmp_root;
+ return 0;
+ }
+
+@@ -1049,6 +1051,11 @@ static int hostfs_init_fs_context(struct fs_context *fc)
+ if (!fsi)
+ return -ENOMEM;
+
++ fsi->host_root_path = kasprintf(GFP_KERNEL, "%s/", root_ino);
++ if (!fsi->host_root_path) {
++ kfree(fsi);
++ return -ENOMEM;
++ }
+ fc->s_fs_info = fsi;
+ fc->ops = &hostfs_context_ops;
+ return 0;
+--
+2.51.0
+
--- /dev/null
+From 62501640348ac845b2bba07a105a44ae60db30ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Nov 2025 16:25:48 +0300
+Subject: mtd: onenand: Pass correct pointer to IRQ handler
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 97315e7c901a1de60e8ca9b11e0e96d0f9253e18 ]
+
+This was supposed to pass "onenand" instead of "&onenand" with the
+ampersand. Passing a random stack address which will be gone when the
+function ends makes no sense. However the good thing is that the pointer
+is never used, so this doesn't cause a problem at run time.
+
+Fixes: e23abf4b7743 ("mtd: OneNAND: S5PC110: Implement DMA interrupt method")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/onenand/onenand_samsung.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/onenand/onenand_samsung.c b/drivers/mtd/nand/onenand/onenand_samsung.c
+index f37a6138e461f..6d6aa709a21f8 100644
+--- a/drivers/mtd/nand/onenand/onenand_samsung.c
++++ b/drivers/mtd/nand/onenand/onenand_samsung.c
+@@ -906,7 +906,7 @@ static int s3c_onenand_probe(struct platform_device *pdev)
+ err = devm_request_irq(&pdev->dev, r->start,
+ s5pc110_onenand_irq,
+ IRQF_SHARED, "onenand",
+- &onenand);
++ onenand);
+ if (err) {
+ dev_err(&pdev->dev, "failed to get irq\n");
+ return err;
+--
+2.51.0
+
--- /dev/null
+From b688e926810031a0ccfa2550c29b2a8a5240f83f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 21:57:08 -0300
+Subject: perf build: Don't fail fast path feature detection when
+ binutils-devel is not available
+
+From: Arnaldo Carvalho de Melo <acme@kernel.org>
+
+[ Upstream commit a09e5967ad6819379fd31894634d7aed29c18409 ]
+
+This is one more remnant of the BUILD_NONDISTRO series to make building
+with binutils-devel opt-in due to license incompatibility.
+
+In this case just the references at link time were still in place, which
+make building the test-all.bin file fail, which wasn't detected before
+probably because the last test was done with binutils-devel available,
+doh.
+
+Now:
+
+ $ rpm -q binutils-devel
+ package binutils-devel is not installed
+ $ file /tmp/build/perf-tools/feature/test-all.bin
+ /tmp/build/perf-tools/feature/test-all.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
+ dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
+ BuildID[sha1]=4b5388a346b51f1b993f0b0dbd49f4570769b03c, for GNU/Linux 3.2.0, not stripped
+ $
+
+Fixes: 970ae86307718c34 ("perf build: The bfd features are opt-in, stop testing for them by default")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/build/feature/Makefile | 4 ++--
+ tools/perf/Makefile.config | 5 ++---
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/tools/build/feature/Makefile b/tools/build/feature/Makefile
+index bd615a708a0aa..049d5d2b36468 100644
+--- a/tools/build/feature/Makefile
++++ b/tools/build/feature/Makefile
+@@ -110,7 +110,7 @@ all: $(FILES)
+ __BUILD = $(CC) $(CFLAGS) -MD -Wall -Werror -o $@ $(patsubst %.bin,%.c,$(@F)) $(LDFLAGS)
+ BUILD = $(__BUILD) > $(@:.bin=.make.output) 2>&1
+ BUILD_BFD = $(BUILD) -DPACKAGE='"perf"' -lbfd -ldl
+- BUILD_ALL = $(BUILD) -fstack-protector-all -O2 -D_FORTIFY_SOURCE=2 -ldw -lelf -lnuma -lelf -lslang $(FLAGS_PERL_EMBED) $(FLAGS_PYTHON_EMBED) -DPACKAGE='"perf"' -lbfd -ldl -lz -llzma -lzstd
++ BUILD_ALL = $(BUILD) -fstack-protector-all -O2 -D_FORTIFY_SOURCE=2 -ldw -lelf -lnuma -lelf -lslang $(FLAGS_PERL_EMBED) $(FLAGS_PYTHON_EMBED) -ldl -lz -llzma -lzstd
+
+ __BUILDXX = $(CXX) $(CXXFLAGS) -MD -Wall -Werror -o $@ $(patsubst %.bin,%.cpp,$(@F)) $(LDFLAGS)
+ BUILDXX = $(__BUILDXX) > $(@:.bin=.make.output) 2>&1
+@@ -118,7 +118,7 @@ __BUILDXX = $(CXX) $(CXXFLAGS) -MD -Wall -Werror -o $@ $(patsubst %.bin,%.cpp,$(
+ ###############################
+
+ $(OUTPUT)test-all.bin:
+- $(BUILD_ALL) || $(BUILD_ALL) -lopcodes -liberty
++ $(BUILD_ALL)
+
+ $(OUTPUT)test-hello.bin:
+ $(BUILD)
+diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config
+index 5a5832ee7b53c..5a3026bba31c6 100644
+--- a/tools/perf/Makefile.config
++++ b/tools/perf/Makefile.config
+@@ -323,9 +323,6 @@ FEATURE_CHECK_LDFLAGS-libpython := $(PYTHON_EMBED_LDOPTS)
+
+ FEATURE_CHECK_LDFLAGS-libaio = -lrt
+
+-FEATURE_CHECK_LDFLAGS-disassembler-four-args = -lbfd -lopcodes -ldl
+-FEATURE_CHECK_LDFLAGS-disassembler-init-styled = -lbfd -lopcodes -ldl
+-
+ CORE_CFLAGS += -fno-omit-frame-pointer
+ CORE_CFLAGS += -Wall
+ CORE_CFLAGS += -Wextra
+@@ -921,6 +918,8 @@ ifdef BUILD_NONDISTRO
+
+ ifeq ($(feature-libbfd), 1)
+ EXTLIBS += -lbfd -lopcodes
++ FEATURE_CHECK_LDFLAGS-disassembler-four-args = -lbfd -lopcodes -ldl
++ FEATURE_CHECK_LDFLAGS-disassembler-init-styled = -lbfd -lopcodes -ldl
+ else
+ # we are on a system that requires -liberty and (maybe) -lz
+ # to link against -lbfd; test each case individually here
+--
+2.51.0
+
--- /dev/null
+From afb029f8d9bdc5d5b39d7c0a4136cd6c64ae1efa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Nov 2025 11:31:50 -0600
+Subject: perf header: Write bpf_prog (infos|btfs)_cnt to data file
+
+From: Thomas Falcon <thomas.falcon@intel.com>
+
+[ Upstream commit 85c894a80ac46aa177df04e0a33bcad409b7d64f ]
+
+With commit f0d0f978f3f5830a ("perf header: Don't write empty BPF/BTF
+info"), the write_bpf_( prog_info() | btf() ) functions exit without
+writing anything if env->bpf_prog.(infos| btfs)_cnt is zero.
+
+process_bpf_( prog_info() | btf() ), however, still expect a "count"
+value to exist in the data file. If btf information is empty, for
+example, process_bpf_btf will read garbage or some other data as the
+number of btf nodes in the data file. As a result, the data file will
+not be processed correctly.
+
+Instead, write the count to the data file and exit if it is zero.
+
+Fixes: f0d0f978f3f5830a ("perf header: Don't write empty BPF/BTF info")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Signed-off-by: Thomas Falcon <thomas.falcon@intel.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/header.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
+index 4f2a6e10ed5cc..4e12be579140a 100644
+--- a/tools/perf/util/header.c
++++ b/tools/perf/util/header.c
+@@ -1022,12 +1022,9 @@ static int write_bpf_prog_info(struct feat_fd *ff,
+
+ down_read(&env->bpf_progs.lock);
+
+- if (env->bpf_progs.infos_cnt == 0)
+- goto out;
+-
+ ret = do_write(ff, &env->bpf_progs.infos_cnt,
+ sizeof(env->bpf_progs.infos_cnt));
+- if (ret < 0)
++ if (ret < 0 || env->bpf_progs.infos_cnt == 0)
+ goto out;
+
+ root = &env->bpf_progs.infos;
+@@ -1067,13 +1064,10 @@ static int write_bpf_btf(struct feat_fd *ff,
+
+ down_read(&env->bpf_progs.lock);
+
+- if (env->bpf_progs.btfs_cnt == 0)
+- goto out;
+-
+ ret = do_write(ff, &env->bpf_progs.btfs_cnt,
+ sizeof(env->bpf_progs.btfs_cnt));
+
+- if (ret < 0)
++ if (ret < 0 || env->bpf_progs.btfs_cnt == 0)
+ goto out;
+
+ root = &env->bpf_progs.btfs;
+--
+2.51.0
+
--- /dev/null
+From 54ff2f6c13ba529acdbfe1601691c85b30ea9d1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 16:01:23 +0000
+Subject: perf lock: Fix segfault due to missing kernel map
+
+From: Ravi Bangoria <ravi.bangoria@amd.com>
+
+[ Upstream commit d0206db94b36c998c11458cfdae2f45ba20bc4fb ]
+
+Kernel maps are encoded in PERF_RECORD_MMAP2 samples but "perf lock
+report" and "perf lock contention" do not process MMAP2 samples.
+
+Because of that, machine->vmlinux_map stays NULL and any later access
+triggers a segmentation fault.
+
+Fix it by adding ->mmap2() callbacks.
+
+Fixes: 53b00ff358dc75b1 ("perf record: Make --buildid-mmap the default")
+Reported-by: Tycho Andersen (AMD) <tycho@kernel.org>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Signed-off-by: Ravi Bangoria <ravi.bangoria@amd.com>
+Tested-by: Tycho Andersen (AMD) <tycho@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ananth Narayan <ananth.narayan@amd.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sandipan Das <sandipan.das@amd.com>
+Cc: Santosh Shukla <santosh.shukla@amd.com>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-lock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/builtin-lock.c b/tools/perf/builtin-lock.c
+index 078634461df27..e8962c985d34a 100644
+--- a/tools/perf/builtin-lock.c
++++ b/tools/perf/builtin-lock.c
+@@ -1867,6 +1867,7 @@ static int __cmd_report(bool display_info)
+ eops.sample = process_sample_event;
+ eops.comm = perf_event__process_comm;
+ eops.mmap = perf_event__process_mmap;
++ eops.mmap2 = perf_event__process_mmap2;
+ eops.namespaces = perf_event__process_namespaces;
+ eops.tracing_data = perf_event__process_tracing_data;
+ session = perf_session__new(&data, &eops);
+@@ -2023,6 +2024,7 @@ static int __cmd_contention(int argc, const char **argv)
+ eops.sample = process_sample_event;
+ eops.comm = perf_event__process_comm;
+ eops.mmap = perf_event__process_mmap;
++ eops.mmap2 = perf_event__process_mmap2;
+ eops.tracing_data = perf_event__process_tracing_data;
+
+ perf_env__init(&host_env);
+--
+2.51.0
+
--- /dev/null
+From 916d72d18b8ce4dbcad60efc983c4a8a859a3288 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 16:01:24 +0000
+Subject: perf test: Fix lock contention test
+
+From: Ravi Bangoria <ravi.bangoria@amd.com>
+
+[ Upstream commit 3c723f449723db2dc2b75b7efe03c2a76e4c09f0 ]
+
+Couple of independent fixes:
+
+1. Wire in SIGSEGV handler that terminates the test with a failure code.
+
+2. Use "--lock-cgroup" instead of "-g"; "-g" was proposed but never
+ merged. See commit 4d1792d0a2564caf ("perf lock contention: Add
+ --lock-cgroup option")
+
+3. Call cleanup() on every normal exit so trap_cleanup() doesn't mistake
+ it for an unexpected signal and emit a false-negative "Unexpected
+ signal in main" message.
+
+Before patch:
+
+ # ./perf test -vv "lock contention"
+ 85: kernel lock contention analysis test:
+ --- start ---
+ test child forked, pid 610711
+ Testing perf lock record and perf lock contention
+ Testing perf lock contention --use-bpf
+ Testing perf lock record and perf lock contention at the same time
+ Testing perf lock contention --threads
+ Testing perf lock contention --lock-addr
+ Testing perf lock contention --lock-cgroup
+ Unexpected signal in test_aggr_cgroup
+ ---- end(0) ----
+ 85: kernel lock contention analysis test : Ok
+
+After patch:
+
+ # ./perf test -vv "lock contention"
+ 85: kernel lock contention analysis test:
+ --- start ---
+ test child forked, pid 602637
+ Testing perf lock record and perf lock contention
+ Testing perf lock contention --use-bpf
+ Testing perf lock record and perf lock contention at the same time
+ Testing perf lock contention --threads
+ Testing perf lock contention --lock-addr
+ Testing perf lock contention --lock-cgroup
+ Testing perf lock contention --type-filter (w/ spinlock)
+ Testing perf lock contention --lock-filter (w/ tasklist_lock)
+ Testing perf lock contention --callstack-filter (w/ unix_stream)
+ [Skip] Could not find 'unix_stream'
+ Testing perf lock contention --callstack-filter with task aggregation
+ [Skip] Could not find 'unix_stream'
+ Testing perf lock contention --cgroup-filter
+ Testing perf lock contention CSV output
+ ---- end(0) ----
+ 85: kernel lock contention analysis test : Ok
+
+Reviewed-by: Ian Rogers <irogers@google.com>
+Signed-off-by: Ravi Bangoria <ravi.bangoria@amd.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ananth Narayan <ananth.narayan@amd.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sandipan Das <sandipan.das@amd.com>
+Cc: Santosh Shukla <santosh.shukla@amd.com>
+Cc: Tycho Andersen <tycho@kernel.org>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/shell/lock_contention.sh | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/tools/perf/tests/shell/lock_contention.sh b/tools/perf/tests/shell/lock_contention.sh
+index 7248a74ca2a32..6dd90519f45ce 100755
+--- a/tools/perf/tests/shell/lock_contention.sh
++++ b/tools/perf/tests/shell/lock_contention.sh
+@@ -13,15 +13,18 @@ cleanup() {
+ rm -f ${perfdata}
+ rm -f ${result}
+ rm -f ${errout}
+- trap - EXIT TERM INT
++ trap - EXIT TERM INT ERR
+ }
+
+ trap_cleanup() {
++ if (( $? == 139 )); then #SIGSEGV
++ err=1
++ fi
+ echo "Unexpected signal in ${FUNCNAME[1]}"
+ cleanup
+ exit ${err}
+ }
+-trap trap_cleanup EXIT TERM INT
++trap trap_cleanup EXIT TERM INT ERR
+
+ check() {
+ if [ "$(id -u)" != 0 ]; then
+@@ -145,7 +148,7 @@ test_aggr_cgroup()
+ fi
+
+ # the perf lock contention output goes to the stderr
+- perf lock con -a -b -g -E 1 -q -- perf bench sched messaging -p > /dev/null 2> ${result}
++ perf lock con -a -b --lock-cgroup -E 1 -q -- perf bench sched messaging -p > /dev/null 2> ${result}
+ if [ "$(cat "${result}" | wc -l)" != "1" ]; then
+ echo "[Fail] BPF result count is not 1:" "$(cat "${result}" | wc -l)"
+ err=1
+@@ -271,7 +274,7 @@ test_cgroup_filter()
+ return
+ fi
+
+- perf lock con -a -b -g -E 1 -F wait_total -q -- perf bench sched messaging -p > /dev/null 2> ${result}
++ perf lock con -a -b --lock-cgroup -E 1 -F wait_total -q -- perf bench sched messaging -p > /dev/null 2> ${result}
+ if [ "$(cat "${result}" | wc -l)" != "1" ]; then
+ echo "[Fail] BPF result should have a cgroup result:" "$(cat "${result}")"
+ err=1
+@@ -279,7 +282,7 @@ test_cgroup_filter()
+ fi
+
+ cgroup=$(cat "${result}" | awk '{ print $3 }')
+- perf lock con -a -b -g -E 1 -G "${cgroup}" -q -- perf bench sched messaging -p > /dev/null 2> ${result}
++ perf lock con -a -b --lock-cgroup -E 1 -G "${cgroup}" -q -- perf bench sched messaging -p > /dev/null 2> ${result}
+ if [ "$(cat "${result}" | wc -l)" != "1" ]; then
+ echo "[Fail] BPF result should have a result with cgroup filter:" "$(cat "${cgroup}")"
+ err=1
+@@ -338,4 +341,5 @@ test_aggr_task_stack_filter
+ test_cgroup_filter
+ test_csv_output
+
++cleanup
+ exit ${err}
+--
+2.51.0
+
--- /dev/null
+From 7fdc71dbaacfc73e4a94edf17c9be0307405ecc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 09:38:18 -0700
+Subject: perf test shell lock_contention: Extra debug diagnostics
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 8b93f8933d37591d17c59fd71b18fc61966d9515 ]
+
+In test_record_concurrent, as stderr is sent to /dev/null, error
+messages are hidden. Change this to gather the error messages and dump
+them on failure.
+
+Some minor sh->bash changes to add some more diagnostics in
+trap_cleanup.
+
+Reviewed-by: James Clark <james.clark@linaro.org>
+Signed-off-by: Ian Rogers <irogers@google.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Athira Rajeev <atrajeev@linux.ibm.com>
+Cc: Blake Jones <blakejones@google.com>
+Cc: Chun-Tse Shao <ctshao@google.com>
+Cc: Collin Funk <collin.funk1@gmail.com>
+Cc: Howard Chu <howardchu95@gmail.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jan Polensky <japo@linux.ibm.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Li Huafei <lihuafei1@huawei.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Nam Cao <namcao@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steinar H. Gunderson <sesse@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20250821163820.1132977-5-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Stable-dep-of: 3c723f449723 ("perf test: Fix lock contention test")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/shell/lock_contention.sh | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/tests/shell/lock_contention.sh b/tools/perf/tests/shell/lock_contention.sh
+index d33d9e4392b06..7248a74ca2a32 100755
+--- a/tools/perf/tests/shell/lock_contention.sh
++++ b/tools/perf/tests/shell/lock_contention.sh
+@@ -7,14 +7,17 @@ set -e
+ err=0
+ perfdata=$(mktemp /tmp/__perf_test.perf.data.XXXXX)
+ result=$(mktemp /tmp/__perf_test.result.XXXXX)
++errout=$(mktemp /tmp/__perf_test.errout.XXXXX)
+
+ cleanup() {
+ rm -f ${perfdata}
+ rm -f ${result}
++ rm -f ${errout}
+ trap - EXIT TERM INT
+ }
+
+ trap_cleanup() {
++ echo "Unexpected signal in ${FUNCNAME[1]}"
+ cleanup
+ exit ${err}
+ }
+@@ -75,10 +78,12 @@ test_bpf()
+ test_record_concurrent()
+ {
+ echo "Testing perf lock record and perf lock contention at the same time"
+- perf lock record -o- -- perf bench sched messaging -p 2> /dev/null | \
++ perf lock record -o- -- perf bench sched messaging -p 2> ${errout} | \
+ perf lock contention -i- -E 1 -q 2> ${result}
+ if [ "$(cat "${result}" | wc -l)" != "1" ]; then
+ echo "[Fail] Recorded result count is not 1:" "$(cat "${result}" | wc -l)"
++ cat ${errout}
++ cat ${result}
+ err=1
+ exit
+ fi
+--
+2.51.0
+
--- /dev/null
+From d1a369c60434f10e22e7ec5d8c5d1cdb06780c9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 15:33:28 +0800
+Subject: sched_ext: Fix unsafe locking in the scx_dump_state()
+
+From: Zqiang <qiang.zhang@linux.dev>
+
+[ Upstream commit 5f02151c411dda46efcc5dc57b0845efcdcfc26d ]
+
+For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted
+sleepable spinlock and not disable-irq, so the following scenarios occur:
+
+inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
+irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes:
+(&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40
+{IN-HARDIRQ-W} state was registered at:
+ lock_acquire+0x1e1/0x510
+ _raw_spin_lock_nested+0x42/0x80
+ raw_spin_rq_lock_nested+0x2b/0x40
+ sched_tick+0xae/0x7b0
+ update_process_times+0x14c/0x1b0
+ tick_periodic+0x62/0x1f0
+ tick_handle_periodic+0x48/0xf0
+ timer_interrupt+0x55/0x80
+ __handle_irq_event_percpu+0x20a/0x5c0
+ handle_irq_event_percpu+0x18/0xc0
+ handle_irq_event+0xb5/0x150
+ handle_level_irq+0x220/0x460
+ __common_interrupt+0xa2/0x1e0
+ common_interrupt+0xb0/0xd0
+ asm_common_interrupt+0x2b/0x40
+ _raw_spin_unlock_irqrestore+0x45/0x80
+ __setup_irq+0xc34/0x1a30
+ request_threaded_irq+0x214/0x2f0
+ hpet_time_init+0x3e/0x60
+ x86_late_time_init+0x5b/0xb0
+ start_kernel+0x308/0x410
+ x86_64_start_reservations+0x1c/0x30
+ x86_64_start_kernel+0x96/0xa0
+ common_startup_64+0x13e/0x148
+
+ other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&rq->__lock);
+ <Interrupt>
+ lock(&rq->__lock);
+
+ *** DEADLOCK ***
+
+ stack backtrace:
+ CPU: 0 UID: 0 PID: 27 Comm: irq_work/0
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x8c/0xd0
+ dump_stack+0x14/0x20
+ print_usage_bug+0x42e/0x690
+ mark_lock.part.44+0x867/0xa70
+ ? __pfx_mark_lock.part.44+0x10/0x10
+ ? string_nocheck+0x19c/0x310
+ ? number+0x739/0x9f0
+ ? __pfx_string_nocheck+0x10/0x10
+ ? __pfx_check_pointer+0x10/0x10
+ ? kvm_sched_clock_read+0x15/0x30
+ ? sched_clock_noinstr+0xd/0x20
+ ? local_clock_noinstr+0x1c/0xe0
+ __lock_acquire+0xc4b/0x62b0
+ ? __pfx_format_decode+0x10/0x10
+ ? __pfx_string+0x10/0x10
+ ? __pfx___lock_acquire+0x10/0x10
+ ? __pfx_vsnprintf+0x10/0x10
+ lock_acquire+0x1e1/0x510
+ ? raw_spin_rq_lock_nested+0x2b/0x40
+ ? __pfx_lock_acquire+0x10/0x10
+ ? dump_line+0x12e/0x270
+ ? raw_spin_rq_lock_nested+0x20/0x40
+ _raw_spin_lock_nested+0x42/0x80
+ ? raw_spin_rq_lock_nested+0x2b/0x40
+ raw_spin_rq_lock_nested+0x2b/0x40
+ scx_dump_state+0x3b3/0x1270
+ ? finish_task_switch+0x27e/0x840
+ scx_ops_error_irq_workfn+0x67/0x80
+ irq_work_single+0x113/0x260
+ irq_work_run_list.part.3+0x44/0x70
+ run_irq_workd+0x6b/0x90
+ ? __pfx_run_irq_workd+0x10/0x10
+ smpboot_thread_fn+0x529/0x870
+ ? __pfx_smpboot_thread_fn+0x10/0x10
+ kthread+0x305/0x3f0
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x40/0x70
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+This commit therefore use rq_lock_irqsave/irqrestore() to replace
+rq_lock/unlock() in the scx_dump_state().
+
+Fixes: 07814a9439a3 ("sched_ext: Print debug dump after an error exit")
+Signed-off-by: Zqiang <qiang.zhang@linux.dev>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/ext.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
+index e1b502ef1243c..313206067ea3d 100644
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -4270,7 +4270,7 @@ static void scx_dump_state(struct scx_exit_info *ei, size_t dump_len)
+ size_t avail, used;
+ bool idle;
+
+- rq_lock(rq, &rf);
++ rq_lock_irqsave(rq, &rf);
+
+ idle = list_empty(&rq->scx.runnable_list) &&
+ rq->curr->sched_class == &idle_sched_class;
+@@ -4339,7 +4339,7 @@ static void scx_dump_state(struct scx_exit_info *ei, size_t dump_len)
+ list_for_each_entry(p, &rq->scx.runnable_list, scx.runnable_node)
+ scx_dump_task(&s, &dctx, p, ' ');
+ next:
+- rq_unlock(rq, &rf);
++ rq_unlock_irqrestore(rq, &rf);
+ }
+
+ dump_newline(&s);
+--
+2.51.0
+
irqchip-riscv-intc-add-missing-free-callback-in-risc.patch
posix-timers-plug-potential-memory-leak-in-do_timer_.patch
lib-crypto-arm-curve25519-disable-on-cpu_big_endian.patch
+hostfs-fix-only-passing-host-root-in-boot-stage-with.patch
+afs-fix-dynamic-lookup-to-fail-on-cell-lookup-failur.patch
+mtd-onenand-pass-correct-pointer-to-irq-handler.patch
+virtio-fs-fix-incorrect-check-for-fsvq-kobj.patch
+binfmt_misc-restore-write-access-before-closing-file.patch
+fs-namespace-correctly-handle-errors-returned-by-gra.patch
+sched_ext-fix-unsafe-locking-in-the-scx_dump_state.patch
+perf-header-write-bpf_prog-infos-btfs-_cnt-to-data-f.patch
+perf-build-don-t-fail-fast-path-feature-detection-wh.patch
+perf-lock-fix-segfault-due-to-missing-kernel-map.patch
+perf-test-shell-lock_contention-extra-debug-diagnost.patch
+perf-test-fix-lock-contention-test.patch
--- /dev/null
+From 45d1c50b03f08e797f45c0c1c52cd51f86f90f78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Oct 2025 03:46:47 -0700
+Subject: virtio-fs: fix incorrect check for fsvq->kobj
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit c014021253d77cd89b2d8788ce522283d83fbd40 ]
+
+In virtio_fs_add_queues_sysfs(), the code incorrectly checks fs->mqs_kobj
+after calling kobject_create_and_add(). Change the check to fsvq->kobj
+(fs->mqs_kobj -> fsvq->kobj) to ensure the per-queue kobject is
+successfully created.
+
+Fixes: 87cbdc396a31 ("virtio_fs: add sysfs entries for queue information")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20251027104658.1668537-1-alok.a.tiwari@oracle.com
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fuse/virtio_fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
+index 1751cd6e3d42b..38051e5fba19b 100644
+--- a/fs/fuse/virtio_fs.c
++++ b/fs/fuse/virtio_fs.c
+@@ -373,7 +373,7 @@ static int virtio_fs_add_queues_sysfs(struct virtio_fs *fs)
+
+ sprintf(buff, "%d", i);
+ fsvq->kobj = kobject_create_and_add(buff, fs->mqs_kobj);
+- if (!fs->mqs_kobj) {
++ if (!fsvq->kobj) {
+ ret = -ENOMEM;
+ goto out_del;
+ }
+--
+2.51.0
+
--- /dev/null
+From a07fa1268fa9991696b3847041853c7857448670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Nov 2025 20:18:47 +0800
+Subject: Bluetooth: hci_sync: fix double free in
+ 'hci_discovery_filter_clear()'
+
+From: Arseniy Krasnov <avkrasnov@salutedevices.com>
+
+[ Upstream commit 2935e556850e9c94d7a00adf14d3cd7fe406ac03 ]
+
+Function 'hci_discovery_filter_clear()' frees 'uuids' array and then
+sets it to NULL. There is a tiny chance of the following race:
+
+'hci_cmd_sync_work()'
+
+ 'update_passive_scan_sync()'
+
+ 'hci_update_passive_scan_sync()'
+
+ 'hci_discovery_filter_clear()'
+ kfree(uuids);
+
+ <-------------------------preempted-------------------------------->
+ 'start_service_discovery()'
+
+ 'hci_discovery_filter_clear()'
+ kfree(uuids); // DOUBLE FREE
+
+ <-------------------------preempted-------------------------------->
+
+ uuids = NULL;
+
+To fix it let's add locking around 'kfree()' call and NULL pointer
+assignment. Otherwise the following backtrace fires:
+
+[ ] ------------[ cut here ]------------
+[ ] kernel BUG at mm/slub.c:547!
+[ ] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
+[ ] CPU: 3 UID: 0 PID: 246 Comm: bluetoothd Tainted: G O 6.12.19-kernel #1
+[ ] Tainted: [O]=OOT_MODULE
+[ ] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ ] pc : __slab_free+0xf8/0x348
+[ ] lr : __slab_free+0x48/0x348
+...
+[ ] Call trace:
+[ ] __slab_free+0xf8/0x348
+[ ] kfree+0x164/0x27c
+[ ] start_service_discovery+0x1d0/0x2c0
+[ ] hci_sock_sendmsg+0x518/0x924
+[ ] __sock_sendmsg+0x54/0x60
+[ ] sock_write_iter+0x98/0xf8
+[ ] do_iter_readv_writev+0xe4/0x1c8
+[ ] vfs_writev+0x128/0x2b0
+[ ] do_writev+0xfc/0x118
+[ ] __arm64_sys_writev+0x20/0x2c
+[ ] invoke_syscall+0x68/0xf0
+[ ] el0_svc_common.constprop.0+0x40/0xe0
+[ ] do_el0_svc+0x1c/0x28
+[ ] el0_svc+0x30/0xd0
+[ ] el0t_64_sync_handler+0x100/0x12c
+[ ] el0t_64_sync+0x194/0x198
+[ ] Code: 8b0002e6 eb17031f 54fffbe1 d503201f (d4210000)
+[ ] ---[ end trace 0000000000000000 ]---
+
+Fixes: ad383c2c65a5 ("Bluetooth: hci_sync: Enable advertising when LL privacy is enabled")
+Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+[ Minor context change fixed. ]
+Signed-off-by: Alva Lan <alvalan9@foxmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 7672d8d6005d1..a2a6fb20f4964 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -29,6 +29,7 @@
+ #include <linux/idr.h>
+ #include <linux/leds.h>
+ #include <linux/rculist.h>
++#include <linux/spinlock.h>
+ #include <linux/srcu.h>
+
+ #include <net/bluetooth/hci.h>
+@@ -95,6 +96,7 @@ struct discovery_state {
+ unsigned long scan_start;
+ unsigned long scan_duration;
+ unsigned long name_resolve_timeout;
++ spinlock_t lock;
+ };
+
+ #define SUSPEND_NOTIFIER_TIMEOUT msecs_to_jiffies(2000) /* 2 seconds */
+@@ -870,6 +872,7 @@ static inline void iso_recv(struct hci_conn *hcon, struct sk_buff *skb,
+
+ static inline void discovery_init(struct hci_dev *hdev)
+ {
++ spin_lock_init(&hdev->discovery.lock);
+ hdev->discovery.state = DISCOVERY_STOPPED;
+ INIT_LIST_HEAD(&hdev->discovery.all);
+ INIT_LIST_HEAD(&hdev->discovery.unknown);
+@@ -884,8 +887,12 @@ static inline void hci_discovery_filter_clear(struct hci_dev *hdev)
+ hdev->discovery.report_invalid_rssi = true;
+ hdev->discovery.rssi = HCI_RSSI_INVALID;
+ hdev->discovery.uuid_count = 0;
++
++ spin_lock(&hdev->discovery.lock);
+ kfree(hdev->discovery.uuids);
+ hdev->discovery.uuids = NULL;
++ spin_unlock(&hdev->discovery.lock);
++
+ hdev->discovery.scan_start = 0;
+ hdev->discovery.scan_duration = 0;
+ }
+--
+2.51.0
+
--- /dev/null
+From 43cc7f02c2badb800bf9617fa53b0ac2f6133cac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Nov 2025 16:25:48 +0300
+Subject: mtd: onenand: Pass correct pointer to IRQ handler
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 97315e7c901a1de60e8ca9b11e0e96d0f9253e18 ]
+
+This was supposed to pass "onenand" instead of "&onenand" with the
+ampersand. Passing a random stack address which will be gone when the
+function ends makes no sense. However the good thing is that the pointer
+is never used, so this doesn't cause a problem at run time.
+
+Fixes: e23abf4b7743 ("mtd: OneNAND: S5PC110: Implement DMA interrupt method")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/onenand/onenand_samsung.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/onenand/onenand_samsung.c b/drivers/mtd/nand/onenand/onenand_samsung.c
+index fd6890a03d557..0e21d443078e4 100644
+--- a/drivers/mtd/nand/onenand/onenand_samsung.c
++++ b/drivers/mtd/nand/onenand/onenand_samsung.c
+@@ -906,7 +906,7 @@ static int s3c_onenand_probe(struct platform_device *pdev)
+ err = devm_request_irq(&pdev->dev, r->start,
+ s5pc110_onenand_irq,
+ IRQF_SHARED, "onenand",
+- &onenand);
++ onenand);
+ if (err) {
+ dev_err(&pdev->dev, "failed to get irq\n");
+ return err;
+--
+2.51.0
+
--- /dev/null
+From 55d448467fc72dd4cf709e2518d481950d874b22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 21:39:21 +0000
+Subject: netfilter: nf_tables: reject duplicate device on updates
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit cf5fb87fcdaaaafec55dcc0dc5a9e15ead343973 upstream.
+
+A chain/flowtable update with duplicated devices in the same batch is
+possible. Unfortunately, netdev event path only removes the first
+device that is found, leaving unregistered the hook of the duplicated
+device.
+
+Check if a duplicated device exists in the transaction batch, bail out
+with EEXIST in such case.
+
+WARNING is hit when unregistering the hook:
+
+ [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150
+ [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)
+ [...]
+ [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150
+
+Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable")
+Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 5ca1d775e976d..80443b4eaeff0 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2576,6 +2576,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
+ struct nft_chain *chain = ctx->chain;
+ struct nft_chain_hook hook = {};
+ struct nft_stats *stats = NULL;
++ struct nftables_pernet *nft_net;
+ struct nft_hook *h, *next;
+ struct nf_hook_ops *ops;
+ struct nft_trans *trans;
+@@ -2616,6 +2617,20 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
+ if (nft_hook_list_find(&basechain->hook_list, h)) {
+ list_del(&h->list);
+ kfree(h);
++ continue;
++ }
++
++ nft_net = nft_pernet(ctx->net);
++ list_for_each_entry(trans, &nft_net->commit_list, list) {
++ if (trans->msg_type != NFT_MSG_NEWCHAIN ||
++ trans->ctx.table != ctx->table ||
++ !nft_trans_chain_update(trans))
++ continue;
++
++ if (nft_hook_list_find(&nft_trans_chain_hooks(trans), h)) {
++ nft_chain_release_hook(&hook);
++ return -EEXIST;
++ }
+ }
+ }
+ } else {
+@@ -8493,6 +8508,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
+ {
+ const struct nlattr * const *nla = ctx->nla;
+ struct nft_flowtable_hook flowtable_hook;
++ struct nftables_pernet *nft_net;
+ struct nft_hook *hook, *next;
+ struct nft_trans *trans;
+ bool unregister = false;
+@@ -8508,6 +8524,20 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
+ if (nft_hook_list_find(&flowtable->hook_list, hook)) {
+ list_del(&hook->list);
+ kfree(hook);
++ continue;
++ }
++
++ nft_net = nft_pernet(ctx->net);
++ list_for_each_entry(trans, &nft_net->commit_list, list) {
++ if (trans->msg_type != NFT_MSG_NEWFLOWTABLE ||
++ trans->ctx.table != ctx->table ||
++ !nft_trans_flowtable_update(trans))
++ continue;
++
++ if (nft_hook_list_find(&nft_trans_flowtable_hooks(trans), hook)) {
++ err = -EEXIST;
++ goto err_flowtable_update_hook;
++ }
+ }
+ }
+
+--
+2.51.0
+
net-dsa-improve-shutdown-sequence.patch
espintcp-fix-skb-leaks.patch
lib-crypto-arm-curve25519-disable-on-cpu_big_endian.patch
+bluetooth-hci_sync-fix-double-free-in-hci_discovery_.patch
+mtd-onenand-pass-correct-pointer-to-irq-handler.patch
+netfilter-nf_tables-reject-duplicate-device-on-updat.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
