--- /dev/null
+From edf842abe4368ce3c423343cf4b23b210fcf1622 Mon Sep 17 00:00:00 2001
+From: Kyoji Ogasawara <sawara04.o@gmail.com>
+Date: Wed, 23 Jul 2025 00:38:37 +0900
+Subject: btrfs: fix incorrect log message for nobarrier mount option
+
+From: Kyoji Ogasawara <sawara04.o@gmail.com>
+
+commit edf842abe4368ce3c423343cf4b23b210fcf1622 upstream.
+
+Fix a wrong log message that appears when the "nobarrier" mount option
+is unset. When "nobarrier" is unset, barrier is actually enabled.
+However, the log incorrectly stated "turning off barriers".
+
+Fixes: eddb1a433f26 ("btrfs: add reconfigure callback for fs_context")
+CC: stable@vger.kernel.org # 6.12+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Kyoji Ogasawara <sawara04.o@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1453,7 +1453,7 @@ static void btrfs_emit_options(struct bt
+ btrfs_info_if_unset(info, old, NODATACOW, "setting datacow");
+ btrfs_info_if_unset(info, old, SSD, "not using ssd optimizations");
+ btrfs_info_if_unset(info, old, SSD_SPREAD, "not using spread ssd allocation scheme");
+- btrfs_info_if_unset(info, old, NOBARRIER, "turning off barriers");
++ btrfs_info_if_unset(info, old, NOBARRIER, "turning on barriers");
+ btrfs_info_if_unset(info, old, NOTREELOG, "enabling tree log");
+ btrfs_info_if_unset(info, old, SPACE_CACHE, "disabling disk space caching");
+ btrfs_info_if_unset(info, old, FREE_SPACE_TREE, "disabling free space tree");
--- /dev/null
+From 74857fdc5dd2cdcdeb6e99bdf26976fd9299d2bb Mon Sep 17 00:00:00 2001
+From: Kyoji Ogasawara <sawara04.o@gmail.com>
+Date: Wed, 13 Aug 2025 03:00:07 +0900
+Subject: btrfs: fix printing of mount info messages for NODATACOW/NODATASUM
+
+From: Kyoji Ogasawara <sawara04.o@gmail.com>
+
+commit 74857fdc5dd2cdcdeb6e99bdf26976fd9299d2bb upstream.
+
+The NODATASUM message was printed twice by mistake and the NODATACOW was
+missing from the 'unset' part. Fix the duplication and make the output
+look the same.
+
+Fixes: eddb1a433f26 ("btrfs: add reconfigure callback for fs_context")
+CC: stable@vger.kernel.org # 6.8+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Kyoji Ogasawara <sawara04.o@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/super.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1430,7 +1430,7 @@ static void btrfs_emit_options(struct bt
+ {
+ btrfs_info_if_set(info, old, NODATASUM, "setting nodatasum");
+ btrfs_info_if_set(info, old, DEGRADED, "allowing degraded mounts");
+- btrfs_info_if_set(info, old, NODATASUM, "setting nodatasum");
++ btrfs_info_if_set(info, old, NODATACOW, "setting nodatacow");
+ btrfs_info_if_set(info, old, SSD, "enabling ssd optimizations");
+ btrfs_info_if_set(info, old, SSD_SPREAD, "using spread ssd allocation scheme");
+ btrfs_info_if_set(info, old, NOBARRIER, "turning off barriers");
+@@ -1452,6 +1452,7 @@ static void btrfs_emit_options(struct bt
+ btrfs_info_if_set(info, old, IGNOREMETACSUMS, "ignoring meta csums");
+ btrfs_info_if_set(info, old, IGNORESUPERFLAGS, "ignoring unknown super block flags");
+
++ btrfs_info_if_unset(info, old, NODATASUM, "setting datasum");
+ btrfs_info_if_unset(info, old, NODATACOW, "setting datacow");
+ btrfs_info_if_unset(info, old, SSD, "not using ssd optimizations");
+ btrfs_info_if_unset(info, old, SSD_SPREAD, "not using spread ssd allocation scheme");
--- /dev/null
+From b435ab556bea875c088485f271ef2709ca1d75f5 Mon Sep 17 00:00:00 2001
+From: Kyoji Ogasawara <sawara04.o@gmail.com>
+Date: Wed, 13 Aug 2025 03:00:06 +0900
+Subject: btrfs: restore mount option info messages during mount
+
+From: Kyoji Ogasawara <sawara04.o@gmail.com>
+
+commit b435ab556bea875c088485f271ef2709ca1d75f5 upstream.
+
+After the fsconfig migration in 6.8, mount option info messages are no
+longer displayed during mount operations because btrfs_emit_options() is
+only called during remount, not during initial mount.
+
+Fix this by calling btrfs_emit_options() in btrfs_fill_super() after
+open_ctree() succeeds. Additionally, prevent log duplication by ensuring
+btrfs_check_options() handles validation with warn-level and err-level
+messages, while btrfs_emit_options() provides info-level messages.
+
+Fixes: eddb1a433f26 ("btrfs: add reconfigure callback for fs_context")
+CC: stable@vger.kernel.org # 6.8+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Kyoji Ogasawara <sawara04.o@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/super.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -88,6 +88,9 @@ struct btrfs_fs_context {
+ refcount_t refs;
+ };
+
++static void btrfs_emit_options(struct btrfs_fs_info *info,
++ struct btrfs_fs_context *old);
++
+ enum {
+ Opt_acl,
+ Opt_clear_cache,
+@@ -689,12 +692,9 @@ bool btrfs_check_options(const struct bt
+
+ if (!test_bit(BTRFS_FS_STATE_REMOUNTING, &info->fs_state)) {
+ if (btrfs_raw_test_opt(*mount_opt, SPACE_CACHE)) {
+- btrfs_info(info, "disk space caching is enabled");
+ btrfs_warn(info,
+ "space cache v1 is being deprecated and will be removed in a future release, please use -o space_cache=v2");
+ }
+- if (btrfs_raw_test_opt(*mount_opt, FREE_SPACE_TREE))
+- btrfs_info(info, "using free-space-tree");
+ }
+
+ return ret;
+@@ -971,6 +971,8 @@ static int btrfs_fill_super(struct super
+ return err;
+ }
+
++ btrfs_emit_options(fs_info, NULL);
++
+ inode = btrfs_iget(BTRFS_FIRST_FREE_OBJECTID, fs_info->fs_root);
+ if (IS_ERR(inode)) {
+ err = PTR_ERR(inode);
--- /dev/null
+From 5c4b93f4c8e5c53574c1a48d66a27a2c68b414af Mon Sep 17 00:00:00 2001
+From: Naohiro Aota <naohiro.aota@wdc.com>
+Date: Wed, 16 Jul 2025 16:59:54 +0900
+Subject: btrfs: zoned: fix write time activation failure for metadata block group
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+commit 5c4b93f4c8e5c53574c1a48d66a27a2c68b414af upstream.
+
+Since commit 13bb483d32ab ("btrfs: zoned: activate metadata block group on
+write time"), we activate a metadata block group at the write time. If the
+zone capacity is small enough, we can allocate the entire region before the
+first write. Then, we hit the btrfs_zoned_bg_is_full() in
+btrfs_zone_activate() and the activation fails.
+
+For a data block group, we activate it at the allocation time and we should
+check the fullness condition in the caller side. Add, a WARN to check the
+fullness condition.
+
+For a metadata block group, we don't need the fullness check because we
+activate it at the write time. Instead, activating it once it is written
+should be invalid. Catch that with a WARN too.
+
+Fixes: 13bb483d32ab ("btrfs: zoned: activate metadata block group on write time")
+CC: stable@vger.kernel.org # 6.6+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/zoned.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/btrfs/zoned.c
++++ b/fs/btrfs/zoned.c
+@@ -2169,10 +2169,15 @@ bool btrfs_zone_activate(struct btrfs_bl
+ goto out_unlock;
+ }
+
+- /* No space left */
+- if (btrfs_zoned_bg_is_full(block_group)) {
+- ret = false;
+- goto out_unlock;
++ if (block_group->flags & BTRFS_BLOCK_GROUP_DATA) {
++ /* The caller should check if the block group is full. */
++ if (WARN_ON_ONCE(btrfs_zoned_bg_is_full(block_group))) {
++ ret = false;
++ goto out_unlock;
++ }
++ } else {
++ /* Since it is already written, it should have been active. */
++ WARN_ON_ONCE(block_group->meta_write_pointer != block_group->start);
+ }
+
+ for (i = 0; i < map->num_stripes; i++) {
--- /dev/null
+From 5ffc47feddcf8eb4d8ac7b42111a02c8e8146512 Mon Sep 17 00:00:00 2001
+From: John Ernberg <john.ernberg@actia.se>
+Date: Wed, 11 Jun 2025 11:38:08 +0000
+Subject: crypto: caam - Prevent crash on suspend with iMX8QM / iMX8ULP
+
+From: John Ernberg <john.ernberg@actia.se>
+
+commit 5ffc47feddcf8eb4d8ac7b42111a02c8e8146512 upstream.
+
+Since the CAAM on these SoCs is managed by another ARM core, called the
+SECO (Security Controller) on iMX8QM and Secure Enclave on iMX8ULP, which
+also reserves access to register page 0 suspend operations cannot touch
+this page.
+
+This is similar to when running OPTEE, where OPTEE will reserve page 0.
+
+Track this situation using a new state variable no_page0, reflecting if
+page 0 is reserved elsewhere, either by other management cores in SoC or
+by OPTEE.
+
+Replace the optee_en check in suspend/resume with the new check.
+
+optee_en cannot go away as it's needed elsewhere to gate OPTEE specific
+situations.
+
+Fixes the following splat at suspend:
+
+ Internal error: synchronous external abort: 0000000096000010 [#1] SMP
+ Hardware name: Freescale i.MX8QXP ACU6C (DT)
+ pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : readl+0x0/0x18
+ lr : rd_reg32+0x18/0x3c
+ sp : ffffffc08192ba20
+ x29: ffffffc08192ba20 x28: ffffff8025190000 x27: 0000000000000000
+ x26: ffffffc0808ae808 x25: ffffffc080922338 x24: ffffff8020e89090
+ x23: 0000000000000000 x22: ffffffc080922000 x21: ffffff8020e89010
+ x20: ffffffc080387ef8 x19: ffffff8020e89010 x18: 000000005d8000d5
+ x17: 0000000030f35963 x16: 000000008f785f3f x15: 000000003b8ef57c
+ x14: 00000000c418aef8 x13: 00000000f5fea526 x12: 0000000000000001
+ x11: 0000000000000002 x10: 0000000000000001 x9 : 0000000000000000
+ x8 : ffffff8025190870 x7 : ffffff8021726880 x6 : 0000000000000002
+ x5 : ffffff80217268f0 x4 : ffffff8021726880 x3 : ffffffc081200000
+ x2 : 0000000000000001 x1 : ffffff8020e89010 x0 : ffffffc081200004
+ Call trace:
+ readl+0x0/0x18
+ caam_ctrl_suspend+0x30/0xdc
+ dpm_run_callback.constprop.0+0x24/0x5c
+ device_suspend+0x170/0x2e8
+ dpm_suspend+0xa0/0x104
+ dpm_suspend_start+0x48/0x50
+ suspend_devices_and_enter+0x7c/0x45c
+ pm_suspend+0x148/0x160
+ state_store+0xb4/0xf8
+ kobj_attr_store+0x14/0x24
+ sysfs_kf_write+0x38/0x48
+ kernfs_fop_write_iter+0xb4/0x178
+ vfs_write+0x118/0x178
+ ksys_write+0x6c/0xd0
+ __arm64_sys_write+0x14/0x1c
+ invoke_syscall.constprop.0+0x64/0xb0
+ do_el0_svc+0x90/0xb0
+ el0_svc+0x18/0x44
+ el0t_64_sync_handler+0x88/0x124
+ el0t_64_sync+0x150/0x154
+ Code: 88dffc21 88dffc21 5ac00800 d65f03c0 (b9400000)
+
+Fixes: d2835701d93c ("crypto: caam - i.MX8ULP donot have CAAM page0 access")
+Cc: stable@kernel.org # v6.10+
+Signed-off-by: John Ernberg <john.ernberg@actia.se>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/caam/ctrl.c | 5 +++--
+ drivers/crypto/caam/intern.h | 1 +
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/caam/ctrl.c
++++ b/drivers/crypto/caam/ctrl.c
+@@ -831,7 +831,7 @@ static int caam_ctrl_suspend(struct devi
+ {
+ const struct caam_drv_private *ctrlpriv = dev_get_drvdata(dev);
+
+- if (ctrlpriv->caam_off_during_pm && !ctrlpriv->optee_en)
++ if (ctrlpriv->caam_off_during_pm && !ctrlpriv->no_page0)
+ caam_state_save(dev);
+
+ return 0;
+@@ -842,7 +842,7 @@ static int caam_ctrl_resume(struct devic
+ struct caam_drv_private *ctrlpriv = dev_get_drvdata(dev);
+ int ret = 0;
+
+- if (ctrlpriv->caam_off_during_pm && !ctrlpriv->optee_en) {
++ if (ctrlpriv->caam_off_during_pm && !ctrlpriv->no_page0) {
+ caam_state_restore(dev);
+
+ /* HW and rng will be reset so deinstantiation can be removed */
+@@ -908,6 +908,7 @@ static int caam_probe(struct platform_de
+
+ imx_soc_data = imx_soc_match->data;
+ reg_access = reg_access && imx_soc_data->page0_access;
++ ctrlpriv->no_page0 = !reg_access;
+ /*
+ * CAAM clocks cannot be controlled from kernel.
+ */
+--- a/drivers/crypto/caam/intern.h
++++ b/drivers/crypto/caam/intern.h
+@@ -115,6 +115,7 @@ struct caam_drv_private {
+ u8 blob_present; /* Nonzero if BLOB support present in device */
+ u8 mc_en; /* Nonzero if MC f/w is active */
+ u8 optee_en; /* Nonzero if OP-TEE f/w is active */
++ u8 no_page0; /* Nonzero if register page 0 is not controlled by Linux */
+ bool pr_support; /* RNG prediction resistance available */
+ int secvio_irq; /* Security violation interrupt number */
+ int virt_en; /* Virtualization enabled in CAAM */
--- /dev/null
+From ab8b9fd39c45b7760093528cbef93e7353359d82 Mon Sep 17 00:00:00 2001
+From: Ashish Kalra <ashish.kalra@amd.com>
+Date: Mon, 16 Jun 2025 21:50:27 +0000
+Subject: crypto: ccp - Fix SNP panic notifier unregistration
+
+From: Ashish Kalra <ashish.kalra@amd.com>
+
+commit ab8b9fd39c45b7760093528cbef93e7353359d82 upstream.
+
+Panic notifiers are invoked with RCU read lock held and when the
+SNP panic notifier tries to unregister itself from the panic
+notifier callback itself it causes a deadlock as notifier
+unregistration does RCU synchronization.
+
+Code flow for SNP panic notifier:
+snp_shutdown_on_panic() ->
+__sev_firmware_shutdown() ->
+__sev_snp_shutdown_locked() ->
+atomic_notifier_chain_unregister(.., &snp_panic_notifier)
+
+Fix SNP panic notifier to unregister itself during SNP shutdown
+only if panic is not in progress.
+
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: stable@vger.kernel.org
+Fixes: 19860c3274fb ("crypto: ccp - Register SNP panic notifier only if SNP is enabled")
+Signed-off-by: Ashish Kalra <ashish.kalra@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/ccp/sev-dev.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
+index 8fb94c5f006a..17edc6bf5622 100644
+--- a/drivers/crypto/ccp/sev-dev.c
++++ b/drivers/crypto/ccp/sev-dev.c
+@@ -1787,8 +1787,14 @@ static int __sev_snp_shutdown_locked(int *error, bool panic)
+ sev->snp_initialized = false;
+ dev_dbg(sev->dev, "SEV-SNP firmware shutdown\n");
+
+- atomic_notifier_chain_unregister(&panic_notifier_list,
+- &snp_panic_notifier);
++ /*
++ * __sev_snp_shutdown_locked() deadlocks when it tries to unregister
++ * itself during panic as the panic notifier is called with RCU read
++ * lock held and notifier unregistration does RCU synchronization.
++ */
++ if (!panic)
++ atomic_notifier_chain_unregister(&panic_notifier_list,
++ &snp_panic_notifier);
+
+ /* Reset TMR size back to default */
+ sev_es_tmr_size = SEV_TMR_SIZE;
+--
+2.50.1
+
--- /dev/null
+From 9d9b193ed73a65ec47cf1fd39925b09da8216461 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 31 Jul 2025 09:41:47 +0800
+Subject: crypto: hash - Increase HASH_MAX_DESCSIZE for hmac(sha3-224-s390)
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 9d9b193ed73a65ec47cf1fd39925b09da8216461 upstream.
+
+The value of HASH_MAX_DESCSIZE is off by one for hmac(sha3-224-s390).
+Fix this so that hmac(sha3-224-s390) can be registered.
+
+Reported-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Reported-by: Eric Biggers <ebiggers@kernel.org>
+Fixes: 6f90ba706551 ("crypto: s390/sha3 - Use API partial block handling")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/crypto/hash.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/crypto/hash.h b/include/crypto/hash.h
+index 6f6b9de12cd3..ed63b904837d 100644
+--- a/include/crypto/hash.h
++++ b/include/crypto/hash.h
+@@ -184,7 +184,7 @@ struct shash_desc {
+ * Worst case is hmac(sha3-224-s390). Its context is a nested 'shash_desc'
+ * containing a 'struct s390_sha_ctx'.
+ */
+-#define HASH_MAX_DESCSIZE (sizeof(struct shash_desc) + 360)
++#define HASH_MAX_DESCSIZE (sizeof(struct shash_desc) + 361)
+ #define MAX_SYNC_HASH_REQSIZE (sizeof(struct ahash_request) + \
+ HASH_MAX_DESCSIZE)
+
+--
+2.50.1
+
--- /dev/null
+From b7b88b4939e71ef2aed8238976a2bbabcb63a790 Mon Sep 17 00:00:00 2001
+From: Bharat Bhushan <bbhushan2@marvell.com>
+Date: Thu, 22 May 2025 15:36:25 +0530
+Subject: crypto: octeontx2 - Fix address alignment issue on ucode loading
+
+From: Bharat Bhushan <bbhushan2@marvell.com>
+
+commit b7b88b4939e71ef2aed8238976a2bbabcb63a790 upstream.
+
+octeontx2 crypto driver allocates memory using kmalloc/kzalloc,
+and uses this memory for dma (does dma_map_single()). It assumes
+that kmalloc/kzalloc will return 128-byte aligned address. But
+kmalloc/kzalloc returns 8-byte aligned address after below changes:
+ "9382bc44b5f5 arm64: allow kmalloc() caches aligned to the
+ smaller cache_line_size()"
+
+Completion address should be 32-Byte alignment when loading
+microcode.
+
+Signed-off-by: Bharat Bhushan <bbhushan2@marvell.com>
+Cc: <stable@vger.kernel.org> # v6.5+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 35 ++++++++++++--------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+--- a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
++++ b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
+@@ -1491,12 +1491,13 @@ int otx2_cpt_discover_eng_capabilities(s
+ union otx2_cpt_opcode opcode;
+ union otx2_cpt_res_s *result;
+ union otx2_cpt_inst_s inst;
++ dma_addr_t result_baddr;
+ dma_addr_t rptr_baddr;
+ struct pci_dev *pdev;
+- u32 len, compl_rlen;
+ int timeout = 10000;
++ void *base, *rptr;
+ int ret, etype;
+- void *rptr;
++ u32 len;
+
+ /*
+ * We don't get capabilities if it was already done
+@@ -1519,22 +1520,28 @@ int otx2_cpt_discover_eng_capabilities(s
+ if (ret)
+ goto delete_grps;
+
+- compl_rlen = ALIGN(sizeof(union otx2_cpt_res_s), OTX2_CPT_DMA_MINALIGN);
+- len = compl_rlen + LOADFVC_RLEN;
++ /* Allocate extra memory for "rptr" and "result" pointer alignment */
++ len = LOADFVC_RLEN + ARCH_DMA_MINALIGN +
++ sizeof(union otx2_cpt_res_s) + OTX2_CPT_RES_ADDR_ALIGN;
+
+- result = kzalloc(len, GFP_KERNEL);
+- if (!result) {
++ base = kzalloc(len, GFP_KERNEL);
++ if (!base) {
+ ret = -ENOMEM;
+ goto lf_cleanup;
+ }
+- rptr_baddr = dma_map_single(&pdev->dev, (void *)result, len,
+- DMA_BIDIRECTIONAL);
++
++ rptr = PTR_ALIGN(base, ARCH_DMA_MINALIGN);
++ rptr_baddr = dma_map_single(&pdev->dev, rptr, len, DMA_BIDIRECTIONAL);
+ if (dma_mapping_error(&pdev->dev, rptr_baddr)) {
+ dev_err(&pdev->dev, "DMA mapping failed\n");
+ ret = -EFAULT;
+- goto free_result;
++ goto free_rptr;
+ }
+- rptr = (u8 *)result + compl_rlen;
++
++ result = (union otx2_cpt_res_s *)PTR_ALIGN(rptr + LOADFVC_RLEN,
++ OTX2_CPT_RES_ADDR_ALIGN);
++ result_baddr = ALIGN(rptr_baddr + LOADFVC_RLEN,
++ OTX2_CPT_RES_ADDR_ALIGN);
+
+ /* Fill in the command */
+ opcode.s.major = LOADFVC_MAJOR_OP;
+@@ -1546,14 +1553,14 @@ int otx2_cpt_discover_eng_capabilities(s
+ /* 64-bit swap for microcode data reads, not needed for addresses */
+ cpu_to_be64s(&iq_cmd.cmd.u);
+ iq_cmd.dptr = 0;
+- iq_cmd.rptr = rptr_baddr + compl_rlen;
++ iq_cmd.rptr = rptr_baddr;
+ iq_cmd.cptr.u = 0;
+
+ for (etype = 1; etype < OTX2_CPT_MAX_ENG_TYPES; etype++) {
+ result->s.compcode = OTX2_CPT_COMPLETION_CODE_INIT;
+ iq_cmd.cptr.s.grp = otx2_cpt_get_eng_grp(&cptpf->eng_grps,
+ etype);
+- otx2_cpt_fill_inst(&inst, &iq_cmd, rptr_baddr);
++ otx2_cpt_fill_inst(&inst, &iq_cmd, result_baddr);
+ lfs->ops->send_cmd(&inst, 1, &cptpf->lfs.lf[0]);
+ timeout = 10000;
+
+@@ -1576,8 +1583,8 @@ int otx2_cpt_discover_eng_capabilities(s
+
+ error_no_response:
+ dma_unmap_single(&pdev->dev, rptr_baddr, len, DMA_BIDIRECTIONAL);
+-free_result:
+- kfree(result);
++free_rptr:
++ kfree(base);
+ lf_cleanup:
+ otx2_cptlf_shutdown(lfs);
+ delete_grps:
--- /dev/null
+From 2e13163b43e6bb861182ea999a80dd1d893c0cbf Mon Sep 17 00:00:00 2001
+From: Bharat Bhushan <bbhushan2@marvell.com>
+Date: Thu, 22 May 2025 15:36:26 +0530
+Subject: crypto: octeontx2 - Fix address alignment on CN10K A0/A1 and OcteonTX2
+
+From: Bharat Bhushan <bbhushan2@marvell.com>
+
+commit 2e13163b43e6bb861182ea999a80dd1d893c0cbf upstream.
+
+octeontx2 crypto driver allocates memory using kmalloc/kzalloc,
+and uses this memory for dma (does dma_map_single()). It assumes
+that kmalloc/kzalloc will return 128-byte aligned address. But
+kmalloc/kzalloc returns 8-byte aligned address after below changes:
+ "9382bc44b5f5 arm64: allow kmalloc() caches aligned to the
+ smaller cache_line_size()
+
+Memory allocated are used for following purpose:
+ - Input data or scatter list address - 8-Byte alignment
+ - Output data or gather list address - 8-Byte alignment
+ - Completion address - 32-Byte alignment.
+
+This patch ensures all addresses are aligned as mentioned above.
+
+Signed-off-by: Bharat Bhushan <bbhushan2@marvell.com>
+Cc: <stable@vger.kernel.org> # v6.5+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/marvell/octeontx2/otx2_cpt_reqmgr.h | 66 ++++++++++++++++-----
+ 1 file changed, 51 insertions(+), 15 deletions(-)
+
+--- a/drivers/crypto/marvell/octeontx2/otx2_cpt_reqmgr.h
++++ b/drivers/crypto/marvell/octeontx2/otx2_cpt_reqmgr.h
+@@ -34,6 +34,9 @@
+ #define SG_COMP_2 2
+ #define SG_COMP_1 1
+
++#define OTX2_CPT_DPTR_RPTR_ALIGN 8
++#define OTX2_CPT_RES_ADDR_ALIGN 32
++
+ union otx2_cpt_opcode {
+ u16 flags;
+ struct {
+@@ -417,10 +420,9 @@ static inline struct otx2_cpt_inst_info
+ otx2_sg_info_create(struct pci_dev *pdev, struct otx2_cpt_req_info *req,
+ gfp_t gfp)
+ {
+- int align = OTX2_CPT_DMA_MINALIGN;
+ struct otx2_cpt_inst_info *info;
+- u32 dlen, align_dlen, info_len;
+- u16 g_sz_bytes, s_sz_bytes;
++ u32 dlen, info_len;
++ u16 g_len, s_len;
+ u32 total_mem_len;
+
+ if (unlikely(req->in_cnt > OTX2_CPT_MAX_SG_IN_CNT ||
+@@ -429,22 +431,54 @@ otx2_sg_info_create(struct pci_dev *pdev
+ return NULL;
+ }
+
+- g_sz_bytes = ((req->in_cnt + 3) / 4) *
+- sizeof(struct otx2_cpt_sglist_component);
+- s_sz_bytes = ((req->out_cnt + 3) / 4) *
+- sizeof(struct otx2_cpt_sglist_component);
++ /* Allocate memory to meet below alignment requirement:
++ * ------------------------------------
++ * | struct otx2_cpt_inst_info |
++ * | (No alignment required) |
++ * | --------------------------------|
++ * | | padding for ARCH_DMA_MINALIGN |
++ * | | alignment |
++ * |------------------------------------|
++ * | SG List Header of 8 Byte |
++ * |------------------------------------|
++ * | SG List Gather/Input memory |
++ * | Length = multiple of 32Bytes |
++ * | Alignment = 8Byte |
++ * |---------------------------------- |
++ * | SG List Scatter/Output memory |
++ * | Length = multiple of 32Bytes |
++ * | Alignment = 8Byte |
++ * | -------------------------------|
++ * | | padding for 32B alignment |
++ * |------------------------------------|
++ * | Result response memory |
++ * | Alignment = 32Byte |
++ * ------------------------------------
++ */
+
+- dlen = g_sz_bytes + s_sz_bytes + SG_LIST_HDR_SIZE;
+- align_dlen = ALIGN(dlen, align);
+- info_len = ALIGN(sizeof(*info), align);
+- total_mem_len = align_dlen + info_len + sizeof(union otx2_cpt_res_s);
++ info_len = sizeof(*info);
++
++ g_len = ((req->in_cnt + 3) / 4) *
++ sizeof(struct otx2_cpt_sglist_component);
++ s_len = ((req->out_cnt + 3) / 4) *
++ sizeof(struct otx2_cpt_sglist_component);
++
++ dlen = g_len + s_len + SG_LIST_HDR_SIZE;
++
++ /* Allocate extra memory for SG and response address alignment */
++ total_mem_len = ALIGN(info_len, OTX2_CPT_DPTR_RPTR_ALIGN);
++ total_mem_len += (ARCH_DMA_MINALIGN - 1) &
++ ~(OTX2_CPT_DPTR_RPTR_ALIGN - 1);
++ total_mem_len += ALIGN(dlen, OTX2_CPT_RES_ADDR_ALIGN);
++ total_mem_len += sizeof(union otx2_cpt_res_s);
+
+ info = kzalloc(total_mem_len, gfp);
+ if (unlikely(!info))
+ return NULL;
+
+ info->dlen = dlen;
+- info->in_buffer = (u8 *)info + info_len;
++ info->in_buffer = PTR_ALIGN((u8 *)info + info_len, ARCH_DMA_MINALIGN);
++ info->out_buffer = info->in_buffer + SG_LIST_HDR_SIZE + g_len;
+
+ ((u16 *)info->in_buffer)[0] = req->out_cnt;
+ ((u16 *)info->in_buffer)[1] = req->in_cnt;
+@@ -460,7 +494,7 @@ otx2_sg_info_create(struct pci_dev *pdev
+ }
+
+ if (setup_sgio_components(pdev, req->out, req->out_cnt,
+- &info->in_buffer[8 + g_sz_bytes])) {
++ info->out_buffer)) {
+ dev_err(&pdev->dev, "Failed to setup scatter list\n");
+ goto destroy_info;
+ }
+@@ -476,8 +510,10 @@ otx2_sg_info_create(struct pci_dev *pdev
+ * Get buffer for union otx2_cpt_res_s response
+ * structure and its physical address
+ */
+- info->completion_addr = info->in_buffer + align_dlen;
+- info->comp_baddr = info->dptr_baddr + align_dlen;
++ info->completion_addr = PTR_ALIGN((info->in_buffer + dlen),
++ OTX2_CPT_RES_ADDR_ALIGN);
++ info->comp_baddr = ALIGN((info->dptr_baddr + dlen),
++ OTX2_CPT_RES_ADDR_ALIGN);
+
+ return info;
+
--- /dev/null
+From a091a58b8a1eba2f243b0c05bcc82bdc2a4a338d Mon Sep 17 00:00:00 2001
+From: Bharat Bhushan <bbhushan2@marvell.com>
+Date: Thu, 22 May 2025 15:36:27 +0530
+Subject: crypto: octeontx2 - Fix address alignment on CN10KB and CN10KA-B0
+
+From: Bharat Bhushan <bbhushan2@marvell.com>
+
+commit a091a58b8a1eba2f243b0c05bcc82bdc2a4a338d upstream.
+
+octeontx2 crypto driver allocates memory using kmalloc/kzalloc,
+and uses this memory for dma (does dma_map_single()). It assumes
+that kmalloc/kzalloc will return 128-byte aligned address. But
+kmalloc/kzalloc returns 8-byte aligned address after below changes:
+ "9382bc44b5f5 arm64: allow kmalloc() caches aligned to the
+ smaller cache_line_size()
+
+Memory allocated are used for following purpose:
+ - Input data or scatter list address - 8-Byte alignment
+ - Output data or gather list address - 8-Byte alignment
+ - Completion address - 32-Byte alignment.
+
+This patch ensures all addresses are aligned as mentioned above.
+
+Signed-off-by: Bharat Bhushan <bbhushan2@marvell.com>
+Cc: <stable@vger.kernel.org> # v6.8+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/marvell/octeontx2/otx2_cpt_reqmgr.h | 61 +++++++++++++++------
+ 1 file changed, 45 insertions(+), 16 deletions(-)
+
+--- a/drivers/crypto/marvell/octeontx2/otx2_cpt_reqmgr.h
++++ b/drivers/crypto/marvell/octeontx2/otx2_cpt_reqmgr.h
+@@ -350,22 +350,48 @@ static inline struct otx2_cpt_inst_info
+ cn10k_sgv2_info_create(struct pci_dev *pdev, struct otx2_cpt_req_info *req,
+ gfp_t gfp)
+ {
+- u32 dlen = 0, g_len, sg_len, info_len;
+- int align = OTX2_CPT_DMA_MINALIGN;
++ u32 dlen = 0, g_len, s_len, sg_len, info_len;
+ struct otx2_cpt_inst_info *info;
+- u16 g_sz_bytes, s_sz_bytes;
+ u32 total_mem_len;
+ int i;
+
+- g_sz_bytes = ((req->in_cnt + 2) / 3) *
+- sizeof(struct cn10kb_cpt_sglist_component);
+- s_sz_bytes = ((req->out_cnt + 2) / 3) *
+- sizeof(struct cn10kb_cpt_sglist_component);
+-
+- g_len = ALIGN(g_sz_bytes, align);
+- sg_len = ALIGN(g_len + s_sz_bytes, align);
+- info_len = ALIGN(sizeof(*info), align);
+- total_mem_len = sg_len + info_len + sizeof(union otx2_cpt_res_s);
++ /* Allocate memory to meet below alignment requirement:
++ * ------------------------------------
++ * | struct otx2_cpt_inst_info |
++ * | (No alignment required) |
++ * | --------------------------------|
++ * | | padding for ARCH_DMA_MINALIGN |
++ * | | alignment |
++ * |------------------------------------|
++ * | SG List Gather/Input memory |
++ * | Length = multiple of 32Bytes |
++ * | Alignment = 8Byte |
++ * |---------------------------------- |
++ * | SG List Scatter/Output memory |
++ * | Length = multiple of 32Bytes |
++ * | Alignment = 8Byte |
++ * | -------------------------------|
++ * | | padding for 32B alignment |
++ * |------------------------------------|
++ * | Result response memory |
++ * | Alignment = 32Byte |
++ * ------------------------------------
++ */
++
++ info_len = sizeof(*info);
++
++ g_len = ((req->in_cnt + 2) / 3) *
++ sizeof(struct cn10kb_cpt_sglist_component);
++ s_len = ((req->out_cnt + 2) / 3) *
++ sizeof(struct cn10kb_cpt_sglist_component);
++ sg_len = g_len + s_len;
++
++ /* Allocate extra memory for SG and response address alignment */
++ total_mem_len = ALIGN(info_len, OTX2_CPT_DPTR_RPTR_ALIGN);
++ total_mem_len += (ARCH_DMA_MINALIGN - 1) &
++ ~(OTX2_CPT_DPTR_RPTR_ALIGN - 1);
++ total_mem_len += ALIGN(sg_len, OTX2_CPT_RES_ADDR_ALIGN);
++ total_mem_len += sizeof(union otx2_cpt_res_s);
+
+ info = kzalloc(total_mem_len, gfp);
+ if (unlikely(!info))
+@@ -375,7 +401,8 @@ cn10k_sgv2_info_create(struct pci_dev *p
+ dlen += req->in[i].size;
+
+ info->dlen = dlen;
+- info->in_buffer = (u8 *)info + info_len;
++ info->in_buffer = PTR_ALIGN((u8 *)info + info_len, ARCH_DMA_MINALIGN);
++ info->out_buffer = info->in_buffer + g_len;
+ info->gthr_sz = req->in_cnt;
+ info->sctr_sz = req->out_cnt;
+
+@@ -387,7 +414,7 @@ cn10k_sgv2_info_create(struct pci_dev *p
+ }
+
+ if (sgv2io_components_setup(pdev, req->out, req->out_cnt,
+- &info->in_buffer[g_len])) {
++ info->out_buffer)) {
+ dev_err(&pdev->dev, "Failed to setup scatter list\n");
+ goto destroy_info;
+ }
+@@ -404,8 +431,10 @@ cn10k_sgv2_info_create(struct pci_dev *p
+ * Get buffer for union otx2_cpt_res_s response
+ * structure and its physical address
+ */
+- info->completion_addr = info->in_buffer + sg_len;
+- info->comp_baddr = info->dptr_baddr + sg_len;
++ info->completion_addr = PTR_ALIGN((info->in_buffer + sg_len),
++ OTX2_CPT_RES_ADDR_ALIGN);
++ info->comp_baddr = ALIGN((info->dptr_baddr + sg_len),
++ OTX2_CPT_RES_ADDR_ALIGN);
+
+ return info;
+
--- /dev/null
+From 3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a Mon Sep 17 00:00:00 2001
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Date: Fri, 11 Jul 2025 13:27:43 +0100
+Subject: crypto: qat - flush misc workqueue during device shutdown
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+commit 3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a upstream.
+
+Repeated loading and unloading of a device specific QAT driver, for
+example qat_4xxx, in a tight loop can lead to a crash due to a
+use-after-free scenario. This occurs when a power management (PM)
+interrupt triggers just before the device-specific driver (e.g.,
+qat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains
+loaded.
+
+Since the driver uses a shared workqueue (`qat_misc_wq`) across all
+devices and owned by intel_qat.ko, a deferred routine from the
+device-specific driver may still be pending in the queue. If this
+routine executes after the driver is unloaded, it can dereference freed
+memory, resulting in a page fault and kernel crash like the following:
+
+ BUG: unable to handle page fault for address: ffa000002e50a01c
+ #PF: supervisor read access in kernel mode
+ RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat]
+ Call Trace:
+ pm_bh_handler+0x1d2/0x250 [intel_qat]
+ process_one_work+0x171/0x340
+ worker_thread+0x277/0x3a0
+ kthread+0xf0/0x120
+ ret_from_fork+0x2d/0x50
+
+To prevent this, flush the misc workqueue during device shutdown to
+ensure that all pending work items are completed before the driver is
+unloaded.
+
+Note: This approach may slightly increase shutdown latency if the
+workqueue contains jobs from other devices, but it ensures correctness
+and stability.
+
+Fixes: e5745f34113b ("crypto: qat - enable power management for QAT GEN4")
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/intel/qat/qat_common/adf_common_drv.h | 1 +
+ drivers/crypto/intel/qat/qat_common/adf_init.c | 1 +
+ drivers/crypto/intel/qat/qat_common/adf_isr.c | 5 +++++
+ 3 files changed, 7 insertions(+)
+
+--- a/drivers/crypto/intel/qat/qat_common/adf_common_drv.h
++++ b/drivers/crypto/intel/qat/qat_common/adf_common_drv.h
+@@ -189,6 +189,7 @@ void adf_exit_misc_wq(void);
+ bool adf_misc_wq_queue_work(struct work_struct *work);
+ bool adf_misc_wq_queue_delayed_work(struct delayed_work *work,
+ unsigned long delay);
++void adf_misc_wq_flush(void);
+ #if defined(CONFIG_PCI_IOV)
+ int adf_sriov_configure(struct pci_dev *pdev, int numvfs);
+ void adf_disable_sriov(struct adf_accel_dev *accel_dev);
+--- a/drivers/crypto/intel/qat/qat_common/adf_init.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_init.c
+@@ -404,6 +404,7 @@ static void adf_dev_shutdown(struct adf_
+ hw_data->exit_admin_comms(accel_dev);
+
+ adf_cleanup_etr_data(accel_dev);
++ adf_misc_wq_flush();
+ adf_dev_restore(accel_dev);
+ }
+
+--- a/drivers/crypto/intel/qat/qat_common/adf_isr.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_isr.c
+@@ -407,3 +407,8 @@ bool adf_misc_wq_queue_delayed_work(stru
+ {
+ return queue_delayed_work(adf_misc_wq, work, delay);
+ }
++
++void adf_misc_wq_flush(void)
++{
++ flush_workqueue(adf_misc_wq);
++}
--- /dev/null
+From 8024774190a5ef2af2c5846f60a50b23e0980a32 Mon Sep 17 00:00:00 2001
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Date: Fri, 13 Jun 2025 11:32:27 +0100
+Subject: crypto: qat - lower priority for skcipher and aead algorithms
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+commit 8024774190a5ef2af2c5846f60a50b23e0980a32 upstream.
+
+Most kernel applications utilizing the crypto API operate synchronously
+and on small buffer sizes, therefore do not benefit from QAT acceleration.
+
+Reduce the priority of QAT implementations for both skcipher and aead
+algorithms, allowing more suitable alternatives to be selected by default.
+
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Link: https://lore.kernel.org/all/20250613012357.GA3603104@google.com/
+Cc: stable@vger.kernel.org
+Acked-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/intel/qat/qat_common/qat_algs.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/crypto/intel/qat/qat_common/qat_algs.c
++++ b/drivers/crypto/intel/qat/qat_common/qat_algs.c
+@@ -1277,7 +1277,7 @@ static struct aead_alg qat_aeads[] = { {
+ .base = {
+ .cra_name = "authenc(hmac(sha1),cbc(aes))",
+ .cra_driver_name = "qat_aes_cbc_hmac_sha1",
+- .cra_priority = 4001,
++ .cra_priority = 100,
+ .cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY,
+ .cra_blocksize = AES_BLOCK_SIZE,
+ .cra_ctxsize = sizeof(struct qat_alg_aead_ctx),
+@@ -1294,7 +1294,7 @@ static struct aead_alg qat_aeads[] = { {
+ .base = {
+ .cra_name = "authenc(hmac(sha256),cbc(aes))",
+ .cra_driver_name = "qat_aes_cbc_hmac_sha256",
+- .cra_priority = 4001,
++ .cra_priority = 100,
+ .cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY,
+ .cra_blocksize = AES_BLOCK_SIZE,
+ .cra_ctxsize = sizeof(struct qat_alg_aead_ctx),
+@@ -1311,7 +1311,7 @@ static struct aead_alg qat_aeads[] = { {
+ .base = {
+ .cra_name = "authenc(hmac(sha512),cbc(aes))",
+ .cra_driver_name = "qat_aes_cbc_hmac_sha512",
+- .cra_priority = 4001,
++ .cra_priority = 100,
+ .cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY,
+ .cra_blocksize = AES_BLOCK_SIZE,
+ .cra_ctxsize = sizeof(struct qat_alg_aead_ctx),
+@@ -1329,7 +1329,7 @@ static struct aead_alg qat_aeads[] = { {
+ static struct skcipher_alg qat_skciphers[] = { {
+ .base.cra_name = "cbc(aes)",
+ .base.cra_driver_name = "qat_aes_cbc",
+- .base.cra_priority = 4001,
++ .base.cra_priority = 100,
+ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY,
+ .base.cra_blocksize = AES_BLOCK_SIZE,
+ .base.cra_ctxsize = sizeof(struct qat_alg_skcipher_ctx),
+@@ -1347,7 +1347,7 @@ static struct skcipher_alg qat_skciphers
+ }, {
+ .base.cra_name = "ctr(aes)",
+ .base.cra_driver_name = "qat_aes_ctr",
+- .base.cra_priority = 4001,
++ .base.cra_priority = 100,
+ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY,
+ .base.cra_blocksize = 1,
+ .base.cra_ctxsize = sizeof(struct qat_alg_skcipher_ctx),
+@@ -1365,7 +1365,7 @@ static struct skcipher_alg qat_skciphers
+ }, {
+ .base.cra_name = "xts(aes)",
+ .base.cra_driver_name = "qat_aes_xts",
+- .base.cra_priority = 4001,
++ .base.cra_priority = 100,
+ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK |
+ CRYPTO_ALG_ALLOCATES_MEMORY,
+ .base.cra_blocksize = AES_BLOCK_SIZE,
--- /dev/null
+From 3d9eb180fbe8828cce43bce4c370124685b205c3 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Tue, 8 Jul 2025 12:38:29 -0700
+Subject: crypto: x86/aegis - Add missing error checks
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit 3d9eb180fbe8828cce43bce4c370124685b205c3 upstream.
+
+The skcipher_walk functions can allocate memory and can fail, so
+checking for errors is necessary.
+
+Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/crypto/aegis128-aesni-glue.c | 36 +++++++++++++++++++++++-----------
+ 1 file changed, 25 insertions(+), 11 deletions(-)
+
+--- a/arch/x86/crypto/aegis128-aesni-glue.c
++++ b/arch/x86/crypto/aegis128-aesni-glue.c
+@@ -104,10 +104,12 @@ static void crypto_aegis128_aesni_proces
+ }
+ }
+
+-static __always_inline void
++static __always_inline int
+ crypto_aegis128_aesni_process_crypt(struct aegis_state *state,
+ struct skcipher_walk *walk, bool enc)
+ {
++ int err = 0;
++
+ while (walk->nbytes >= AEGIS128_BLOCK_SIZE) {
+ if (enc)
+ aegis128_aesni_enc(state, walk->src.virt.addr,
+@@ -120,7 +122,8 @@ crypto_aegis128_aesni_process_crypt(stru
+ round_down(walk->nbytes,
+ AEGIS128_BLOCK_SIZE));
+ kernel_fpu_end();
+- skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE);
++ err = skcipher_walk_done(walk,
++ walk->nbytes % AEGIS128_BLOCK_SIZE);
+ kernel_fpu_begin();
+ }
+
+@@ -134,9 +137,10 @@ crypto_aegis128_aesni_process_crypt(stru
+ walk->dst.virt.addr,
+ walk->nbytes);
+ kernel_fpu_end();
+- skcipher_walk_done(walk, 0);
++ err = skcipher_walk_done(walk, 0);
+ kernel_fpu_begin();
+ }
++ return err;
+ }
+
+ static struct aegis_ctx *crypto_aegis128_aesni_ctx(struct crypto_aead *aead)
+@@ -169,7 +173,7 @@ static int crypto_aegis128_aesni_setauth
+ return 0;
+ }
+
+-static __always_inline void
++static __always_inline int
+ crypto_aegis128_aesni_crypt(struct aead_request *req,
+ struct aegis_block *tag_xor,
+ unsigned int cryptlen, bool enc)
+@@ -178,20 +182,24 @@ crypto_aegis128_aesni_crypt(struct aead_
+ struct aegis_ctx *ctx = crypto_aegis128_aesni_ctx(tfm);
+ struct skcipher_walk walk;
+ struct aegis_state state;
++ int err;
+
+ if (enc)
+- skcipher_walk_aead_encrypt(&walk, req, false);
++ err = skcipher_walk_aead_encrypt(&walk, req, false);
+ else
+- skcipher_walk_aead_decrypt(&walk, req, false);
++ err = skcipher_walk_aead_decrypt(&walk, req, false);
++ if (err)
++ return err;
+
+ kernel_fpu_begin();
+
+ aegis128_aesni_init(&state, &ctx->key, req->iv);
+ crypto_aegis128_aesni_process_ad(&state, req->src, req->assoclen);
+- crypto_aegis128_aesni_process_crypt(&state, &walk, enc);
+- aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen);
+-
++ err = crypto_aegis128_aesni_process_crypt(&state, &walk, enc);
++ if (err == 0)
++ aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen);
+ kernel_fpu_end();
++ return err;
+ }
+
+ static int crypto_aegis128_aesni_encrypt(struct aead_request *req)
+@@ -200,8 +208,11 @@ static int crypto_aegis128_aesni_encrypt
+ struct aegis_block tag = {};
+ unsigned int authsize = crypto_aead_authsize(tfm);
+ unsigned int cryptlen = req->cryptlen;
++ int err;
+
+- crypto_aegis128_aesni_crypt(req, &tag, cryptlen, true);
++ err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, true);
++ if (err)
++ return err;
+
+ scatterwalk_map_and_copy(tag.bytes, req->dst,
+ req->assoclen + cryptlen, authsize, 1);
+@@ -216,11 +227,14 @@ static int crypto_aegis128_aesni_decrypt
+ struct aegis_block tag;
+ unsigned int authsize = crypto_aead_authsize(tfm);
+ unsigned int cryptlen = req->cryptlen - authsize;
++ int err;
+
+ scatterwalk_map_and_copy(tag.bytes, req->src,
+ req->assoclen + cryptlen, authsize, 0);
+
+- crypto_aegis128_aesni_crypt(req, &tag, cryptlen, false);
++ err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, false);
++ if (err)
++ return err;
+
+ return crypto_memneq(tag.bytes, zeros.bytes, authsize) ? -EBADMSG : 0;
+ }
--- /dev/null
+From c7f49dadfcdf27e1f747442e874e9baa52ab7674 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Tue, 8 Jul 2025 12:38:28 -0700
+Subject: crypto: x86/aegis - Fix sleeping when disallowed on PREEMPT_RT
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit c7f49dadfcdf27e1f747442e874e9baa52ab7674 upstream.
+
+skcipher_walk_done() can call kfree(), which takes a spinlock, which
+makes it incorrect to call while preemption is disabled on PREEMPT_RT.
+Therefore, end the kernel-mode FPU section before calling
+skcipher_walk_done(), and restart it afterwards.
+
+Moreover, pass atomic=false to skcipher_walk_aead_encrypt() instead of
+atomic=true. The point of atomic=true was to make skcipher_walk_done()
+safe to call while in a kernel-mode FPU section, but that does not
+actually work. So just use the usual atomic=false.
+
+Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/crypto/aegis128-aesni-glue.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/crypto/aegis128-aesni-glue.c
++++ b/arch/x86/crypto/aegis128-aesni-glue.c
+@@ -119,7 +119,9 @@ crypto_aegis128_aesni_process_crypt(stru
+ walk->dst.virt.addr,
+ round_down(walk->nbytes,
+ AEGIS128_BLOCK_SIZE));
++ kernel_fpu_end();
+ skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE);
++ kernel_fpu_begin();
+ }
+
+ if (walk->nbytes) {
+@@ -131,7 +133,9 @@ crypto_aegis128_aesni_process_crypt(stru
+ aegis128_aesni_dec_tail(state, walk->src.virt.addr,
+ walk->dst.virt.addr,
+ walk->nbytes);
++ kernel_fpu_end();
+ skcipher_walk_done(walk, 0);
++ kernel_fpu_begin();
+ }
+ }
+
+@@ -176,9 +180,9 @@ crypto_aegis128_aesni_crypt(struct aead_
+ struct aegis_state state;
+
+ if (enc)
+- skcipher_walk_aead_encrypt(&walk, req, true);
++ skcipher_walk_aead_encrypt(&walk, req, false);
+ else
+- skcipher_walk_aead_decrypt(&walk, req, true);
++ skcipher_walk_aead_decrypt(&walk, req, false);
+
+ kernel_fpu_begin();
+
--- /dev/null
+From b4cc4a4077268522e3d0d34de4b2dc144e2330fa Mon Sep 17 00:00:00 2001
+From: Andreas Dilger <adilger@dilger.ca>
+Date: Wed, 16 Jul 2025 19:36:42 -0600
+Subject: ext4: check fast symlink for ea_inode correctly
+
+From: Andreas Dilger <adilger@dilger.ca>
+
+commit b4cc4a4077268522e3d0d34de4b2dc144e2330fa upstream.
+
+The check for a fast symlink in the presence of only an
+external xattr inode is incorrect. If a fast symlink does
+not have an xattr block (i_file_acl == 0), but does have
+an external xattr inode that increases inode i_blocks, then
+the check for a fast symlink will incorrectly fail and
+__ext4_iget()->ext4_ind_check_inode() will report the inode
+is corrupt when it "validates" i_data[] on the next read:
+
+ # ln -s foo /mnt/tmp/bar
+ # setfattr -h -n trusted.test \
+ -v "$(yes | head -n 4000)" /mnt/tmp/bar
+ # umount /mnt/tmp
+ # mount /mnt/tmp
+ # ls -l /mnt/tmp
+ ls: cannot access '/mnt/tmp/bar': Structure needs cleaning
+ total 4
+ ? l?????????? ? ? ? ? ? bar
+ # dmesg | tail -1
+ EXT4-fs error (device dm-8): __ext4_iget:5098:
+ inode #24578: block 7303014: comm ls: invalid block
+
+(note that "block 7303014" = 0x6f6f66 = "foo" in LE order).
+
+ext4_inode_is_fast_symlink() should check the superblock
+EXT4_FEATURE_INCOMPAT_EA_INODE feature flag, not the inode
+EXT4_EA_INODE_FL, since the latter is only set on the xattr
+inode itself, and not on the inode that uses this xattr.
+
+Cc: stable@vger.kernel.org
+Fixes: fc82228a5e38 ("ext4: support fast symlinks from ext3 file systems")
+Signed-off-by: Andreas Dilger <adilger@whamcloud.com>
+Reviewed-by: Li Dongyang <dongyangli@ddn.com>
+Reviewed-by: Alex Zhuravlev <bzzz@whamcloud.com>
+Reviewed-by: Oleg Drokin <green@whamcloud.com>
+Reviewed-on: https://review.whamcloud.com/59879
+Lustre-bug-id: https://jira.whamcloud.com/browse/LU-19121
+Link: https://patch.msgid.link/20250717063709.757077-1-adilger@dilger.ca
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -146,7 +146,7 @@ static inline int ext4_begin_ordered_tru
+ */
+ int ext4_inode_is_fast_symlink(struct inode *inode)
+ {
+- if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) {
++ if (!ext4_has_feature_ea_inode(inode->i_sb)) {
+ int ea_blocks = EXT4_I(inode)->i_file_acl ?
+ EXT4_CLUSTER_SIZE(inode->i_sb) >> 9 : 0;
+
--- /dev/null
+From c5e104a91e7b6fa12c1dc2d8bf84abb7ef9b89ad Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 7 Aug 2025 09:35:20 -0400
+Subject: ext4: don't try to clear the orphan_present feature block device is r/o
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit c5e104a91e7b6fa12c1dc2d8bf84abb7ef9b89ad upstream.
+
+When the file system is frozen in preparation for taking an LVM
+snapshot, the journal is checkpointed and if the orphan_file feature
+is enabled, and the orphan file is empty, we clear the orphan_present
+feature flag. But if there are pending inodes that need to be removed
+the orphan_present feature flag can't be cleared.
+
+The problem comes if the block device is read-only. In that case, we
+can't process the orphan inode list, so it is skipped in
+ext4_orphan_cleanup(). But then in ext4_mark_recovery_complete(),
+this results in the ext4 error "Orphan file not empty on read-only fs"
+firing and the file system mount is aborted.
+
+Fix this by clearing the needs_recovery flag in the block device is
+read-only. We do this after the call to ext4_load_and_init-journal()
+since there are some error checks need to be done in case the journal
+needs to be replayed and the block device is read-only, or if the
+block device containing the externa journal is read-only, etc.
+
+Cc: stable@kernel.org
+Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108271
+Cc: stable@vger.kernel.org
+Fixes: 02f310fcf47f ("ext4: Speedup ext4 orphan inode handling")
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -5414,6 +5414,8 @@ static int __ext4_fill_super(struct fs_c
+ err = ext4_load_and_init_journal(sb, es, ctx);
+ if (err)
+ goto failed_mount3a;
++ if (bdev_read_only(sb->s_bdev))
++ needs_recovery = 0;
+ } else if (test_opt(sb, NOLOAD) && !sb_rdonly(sb) &&
+ ext4_has_feature_journal_needs_recovery(sb)) {
+ ext4_msg(sb, KERN_ERR, "required journal recovery "
--- /dev/null
+From bae76c035bf0852844151e68098c9b7cd63ef238 Mon Sep 17 00:00:00 2001
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Date: Tue, 5 Aug 2025 14:00:30 +0530
+Subject: ext4: fix fsmap end of range reporting with bigalloc
+
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+
+commit bae76c035bf0852844151e68098c9b7cd63ef238 upstream.
+
+With bigalloc enabled, the logic to report last extent has a bug since
+we try to use cluster units instead of block units. This can cause an
+issue where extra incorrect entries might be returned back to the
+user. This was flagged by generic/365 with 64k bs and -O bigalloc.
+
+** Details of issue **
+
+The issue was noticed on 5G 64k blocksize FS with -O bigalloc which has
+only 1 bg.
+
+$ xfs_io -c "fsmap -d" /mnt/scratch
+
+ 0: 253:48 [0..127]: static fs metadata 128 /* sb */
+ 1: 253:48 [128..255]: special 102:1 128 /* gdt */
+ 3: 253:48 [256..383]: special 102:3 128 /* block bitmap */
+ 4: 253:48 [384..2303]: unknown 1920 /* flex bg empty space */
+ 5: 253:48 [2304..2431]: special 102:4 128 /* inode bitmap */
+ 6: 253:48 [2432..4351]: unknown 1920 /* flex bg empty space */
+ 7: 253:48 [4352..6911]: inodes 2560
+ 8: 253:48 [6912..538623]: unknown 531712
+ 9: 253:48 [538624..10485759]: free space 9947136
+
+The issue can be seen with:
+
+$ xfs_io -c "fsmap -d 0 3" /mnt/scratch
+
+ 0: 253:48 [0..127]: static fs metadata 128
+ 1: 253:48 [384..2047]: unknown 1664
+
+Only the first entry was expected to be returned but we get 2. This is
+because:
+
+ext4_getfsmap_datadev()
+ first_cluster, last_cluster = 0
+ ...
+ info->gfi_last = true;
+ ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1, 0, info);
+ fsb = C2B(1) = 16
+ fslen = 0
+ ...
+ /* Merge in any relevant extents from the meta_list */
+ list_for_each_entry_safe(p, tmp, &info->gfi_meta_list, fmr_list) {
+ ...
+ // since fsb = 16, considers all metadata which starts before 16 blockno
+ iter 1: error = ext4_getfsmap_helper(sb, info, p); // p = sb (0,1), nop
+ info->gfi_next_fsblk = 1
+ iter 2: error = ext4_getfsmap_helper(sb, info, p); // p = gdt (1,2), nop
+ info->gfi_next_fsblk = 2
+ iter 3: error = ext4_getfsmap_helper(sb, info, p); // p = blk bitmap (2,3), nop
+ info->gfi_next_fsblk = 3
+ iter 4: error = ext4_getfsmap_helper(sb, info, p); // p = ino bitmap (18,19)
+ if (rec_blk > info->gfi_next_fsblk) { // (18 > 3)
+ // emits an extra entry ** BUG **
+ }
+ }
+
+Fix this by directly calling ext4_getfsmap_datadev() with a dummy
+record that has fmr_physical set to (end_fsb + 1) instead of
+last_cluster + 1. By using the block instead of cluster we get the
+correct behavior.
+
+Replacing ext4_getfsmap_datadev_helper() with ext4_getfsmap_helper()
+is okay since the gfi_lastfree and metadata checks in
+ext4_getfsmap_datadev_helper() are anyways redundant when we only want
+to emit the last allocated block of the range, as we have already
+taken care of emitting metadata and any last free blocks.
+
+Cc: stable@kernel.org
+Reported-by: Disha Goel <disgoel@linux.ibm.com>
+Fixes: 4a622e4d477b ("ext4: fix FS_IOC_GETFSMAP handling")
+Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Link: https://patch.msgid.link/e7472c8535c9c5ec10f425f495366864ea12c9da.1754377641.git.ojaswin@linux.ibm.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/fsmap.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/fsmap.c
++++ b/fs/ext4/fsmap.c
+@@ -526,6 +526,7 @@ static int ext4_getfsmap_datadev(struct
+ ext4_group_t end_ag;
+ ext4_grpblk_t first_cluster;
+ ext4_grpblk_t last_cluster;
++ struct ext4_fsmap irec;
+ int error = 0;
+
+ bofs = le32_to_cpu(sbi->s_es->s_first_data_block);
+@@ -609,10 +610,18 @@ static int ext4_getfsmap_datadev(struct
+ goto err;
+ }
+
+- /* Report any gaps at the end of the bg */
++ /*
++ * The dummy record below will cause ext4_getfsmap_helper() to report
++ * any allocated blocks at the end of the range.
++ */
++ irec.fmr_device = 0;
++ irec.fmr_physical = end_fsb + 1;
++ irec.fmr_length = 0;
++ irec.fmr_owner = EXT4_FMR_OWN_FREE;
++ irec.fmr_flags = 0;
++
+ info->gfi_last = true;
+- error = ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1,
+- 0, info);
++ error = ext4_getfsmap_helper(sb, info, &irec);
+ if (error)
+ goto err;
+
--- /dev/null
+From 02c7f7219ac0e2277b3379a3a0e9841ef464b6d4 Mon Sep 17 00:00:00 2001
+From: Zhang Yi <yi.zhang@huawei.com>
+Date: Mon, 11 Aug 2025 14:45:32 +0800
+Subject: ext4: fix hole length calculation overflow in non-extent inodes
+
+From: Zhang Yi <yi.zhang@huawei.com>
+
+commit 02c7f7219ac0e2277b3379a3a0e9841ef464b6d4 upstream.
+
+In a filesystem with a block size larger than 4KB, the hole length
+calculation for a non-extent inode in ext4_ind_map_blocks() can easily
+exceed INT_MAX. Then it could return a zero length hole and trigger the
+following waring and infinite in the iomap infrastructure.
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 3 PID: 434101 at fs/iomap/iter.c:34 iomap_iter_done+0x148/0x190
+ CPU: 3 UID: 0 PID: 434101 Comm: fsstress Not tainted 6.16.0-rc7+ #128 PREEMPT(voluntary)
+ Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
+ pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : iomap_iter_done+0x148/0x190
+ lr : iomap_iter+0x174/0x230
+ sp : ffff8000880af740
+ x29: ffff8000880af740 x28: ffff0000db8e6840 x27: 0000000000000000
+ x26: 0000000000000000 x25: ffff8000880af830 x24: 0000004000000000
+ x23: 0000000000000002 x22: 000001bfdbfa8000 x21: ffffa6a41c002e48
+ x20: 0000000000000001 x19: ffff8000880af808 x18: 0000000000000000
+ x17: 0000000000000000 x16: ffffa6a495ee6cd0 x15: 0000000000000000
+ x14: 00000000000003d4 x13: 00000000fa83b2da x12: 0000b236fc95f18c
+ x11: ffffa6a4978b9c08 x10: 0000000000001da0 x9 : ffffa6a41c1a2a44
+ x8 : ffff8000880af5c8 x7 : 0000000001000000 x6 : 0000000000000000
+ x5 : 0000000000000004 x4 : 000001bfdbfa8000 x3 : 0000000000000000
+ x2 : 0000000000000000 x1 : 0000004004030000 x0 : 0000000000000000
+ Call trace:
+ iomap_iter_done+0x148/0x190 (P)
+ iomap_iter+0x174/0x230
+ iomap_fiemap+0x154/0x1d8
+ ext4_fiemap+0x110/0x140 [ext4]
+ do_vfs_ioctl+0x4b8/0xbc0
+ __arm64_sys_ioctl+0x8c/0x120
+ invoke_syscall+0x6c/0x100
+ el0_svc_common.constprop.0+0x48/0xf0
+ do_el0_svc+0x24/0x38
+ el0_svc+0x38/0x120
+ el0t_64_sync_handler+0x10c/0x138
+ el0t_64_sync+0x198/0x1a0
+ ---[ end trace 0000000000000000 ]---
+
+Cc: stable@kernel.org
+Fixes: facab4d9711e ("ext4: return hole from ext4_map_blocks()")
+Reported-by: Qu Wenruo <wqu@suse.com>
+Closes: https://lore.kernel.org/linux-ext4/9b650a52-9672-4604-a765-bb6be55d1e4a@gmx.com/
+Tested-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
+Link: https://patch.msgid.link/20250811064532.1788289-1-yi.zhang@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/indirect.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/indirect.c
++++ b/fs/ext4/indirect.c
+@@ -539,7 +539,7 @@ int ext4_ind_map_blocks(handle_t *handle
+ int indirect_blks;
+ int blocks_to_boundary = 0;
+ int depth;
+- int count = 0;
++ u64 count = 0;
+ ext4_fsblk_t first_block = 0;
+
+ trace_ext4_ind_map_blocks_enter(inode, map->m_lblk, map->m_len, flags);
+@@ -588,7 +588,7 @@ int ext4_ind_map_blocks(handle_t *handle
+ count++;
+ /* Fill in size of a hole we found */
+ map->m_pblk = 0;
+- map->m_len = min_t(unsigned int, map->m_len, count);
++ map->m_len = umin(map->m_len, count);
+ goto cleanup;
+ }
+
--- /dev/null
+From 3ffbdd1f1165f1b2d6a94d1b1aabef57120deaf7 Mon Sep 17 00:00:00 2001
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Date: Tue, 5 Aug 2025 14:00:31 +0530
+Subject: ext4: fix reserved gdt blocks handling in fsmap
+
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+
+commit 3ffbdd1f1165f1b2d6a94d1b1aabef57120deaf7 upstream.
+
+In some cases like small FSes with no meta_bg and where the resize
+doesn't need extra gdt blocks as it can fit in the current one,
+s_reserved_gdt_blocks is set as 0, which causes fsmap to emit a 0
+length entry, which is incorrect.
+
+ $ mkfs.ext4 -b 65536 -O bigalloc /dev/sda 5G
+ $ mount /dev/sda /mnt/scratch
+ $ xfs_io -c "fsmap -d" /mnt/scartch
+
+ 0: 253:48 [0..127]: static fs metadata 128
+ 1: 253:48 [128..255]: special 102:1 128
+ 2: 253:48 [256..255]: special 102:2 0 <---- 0 len entry
+ 3: 253:48 [256..383]: special 102:3 128
+
+Fix this by adding a check for this case.
+
+Cc: stable@kernel.org
+Fixes: 0c9ec4beecac ("ext4: support GETFSMAP ioctls")
+Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Link: https://patch.msgid.link/08781b796453a5770112aa96ad14c864fbf31935.1754377641.git.ojaswin@linux.ibm.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/fsmap.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/ext4/fsmap.c
++++ b/fs/ext4/fsmap.c
+@@ -393,6 +393,14 @@ static unsigned int ext4_getfsmap_find_s
+ /* Reserved GDT blocks */
+ if (!ext4_has_feature_meta_bg(sb) || metagroup < first_meta_bg) {
+ len = le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks);
++
++ /*
++ * mkfs.ext4 can set s_reserved_gdt_blocks as 0 in some cases,
++ * check for that.
++ */
++ if (!len)
++ return 0;
++
+ error = ext4_getfsmap_fill(meta_list, fsb, len,
+ EXT4_FMR_OWN_RESV_GDT);
+ if (error)
--- /dev/null
+From f2326fd14a224e4cccbab89e14c52279ff79b7ec Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Thu, 3 Jul 2025 15:39:03 +0800
+Subject: ext4: preserve SB_I_VERSION on remount
+
+From: Baokun Li <libaokun1@huawei.com>
+
+commit f2326fd14a224e4cccbab89e14c52279ff79b7ec upstream.
+
+IMA testing revealed that after an ext4 remount, file accesses triggered
+full measurements even without modifications, instead of skipping as
+expected when i_version is unchanged.
+
+Debugging showed `SB_I_VERSION` was cleared in reconfigure_super() during
+remount due to commit 1ff20307393e ("ext4: unconditionally enable the
+i_version counter") removing the fix from commit 960e0ab63b2e ("ext4: fix
+i_version handling on remount").
+
+To rectify this, `SB_I_VERSION` is always set for `fc->sb_flags` in
+ext4_init_fs_context(), instead of `sb->s_flags` in __ext4_fill_super(),
+ensuring it persists across all mounts.
+
+Cc: stable@kernel.org
+Fixes: 1ff20307393e ("ext4: unconditionally enable the i_version counter")
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20250703073903.6952-2-libaokun@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1998,6 +1998,9 @@ int ext4_init_fs_context(struct fs_conte
+ fc->fs_private = ctx;
+ fc->ops = &ext4_context_ops;
+
++ /* i_version is always enabled now */
++ fc->sb_flags |= SB_I_VERSION;
++
+ return 0;
+ }
+
+@@ -5314,9 +5317,6 @@ static int __ext4_fill_super(struct fs_c
+ sb->s_flags = (sb->s_flags & ~SB_POSIXACL) |
+ (test_opt(sb, POSIX_ACL) ? SB_POSIXACL : 0);
+
+- /* i_version is always enabled now */
+- sb->s_flags |= SB_I_VERSION;
+-
+ /* HSM events are allowed by default. */
+ sb->s_iflags |= SB_I_ALLOW_HSM;
+
--- /dev/null
+From 76dba1fe277f6befd6ef650e1946f626c547387a Mon Sep 17 00:00:00 2001
+From: Liao Yuanhong <liaoyuanhong@vivo.com>
+Date: Mon, 11 Aug 2025 20:58:16 +0800
+Subject: ext4: use kmalloc_array() for array space allocation
+
+From: Liao Yuanhong <liaoyuanhong@vivo.com>
+
+commit 76dba1fe277f6befd6ef650e1946f626c547387a upstream.
+
+Replace kmalloc(size * sizeof) with kmalloc_array() for safer memory
+allocation and overflow prevention.
+
+Cc: stable@kernel.org
+Signed-off-by: Liao Yuanhong <liaoyuanhong@vivo.com>
+Link: https://patch.msgid.link/20250811125816.570142-1-liaoyuanhong@vivo.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/orphan.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/orphan.c
++++ b/fs/ext4/orphan.c
+@@ -589,8 +589,9 @@ int ext4_init_orphan_info(struct super_b
+ }
+ oi->of_blocks = inode->i_size >> sb->s_blocksize_bits;
+ oi->of_csum_seed = EXT4_I(inode)->i_csum_seed;
+- oi->of_binfo = kmalloc(oi->of_blocks*sizeof(struct ext4_orphan_block),
+- GFP_KERNEL);
++ oi->of_binfo = kmalloc_array(oi->of_blocks,
++ sizeof(struct ext4_orphan_block),
++ GFP_KERNEL);
+ if (!oi->of_binfo) {
+ ret = -ENOMEM;
+ goto out_put;
--- /dev/null
+From c0d41112f1a5828c194b59cca953114bc3776ef2 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sun, 17 Aug 2025 09:48:40 +0900
+Subject: ksmbd: extend the connection limiting mechanism to support IPv6
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit c0d41112f1a5828c194b59cca953114bc3776ef2 upstream.
+
+Update the connection tracking logic to handle both IPv4 and IPv6
+address families.
+
+Cc: stable@vger.kernel.org
+Fixes: e6bb91939740 ("ksmbd: limit repeated connections from clients with the same IP")
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/connection.h | 7 ++++++-
+ fs/smb/server/transport_tcp.c | 26 +++++++++++++++++++++++---
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/server/connection.h
++++ b/fs/smb/server/connection.h
+@@ -46,7 +46,12 @@ struct ksmbd_conn {
+ struct mutex srv_mutex;
+ int status;
+ unsigned int cli_cap;
+- __be32 inet_addr;
++ union {
++ __be32 inet_addr;
++#if IS_ENABLED(CONFIG_IPV6)
++ u8 inet6_addr[16];
++#endif
++ };
+ char *request_buf;
+ struct ksmbd_transport *transport;
+ struct nls_table *local_nls;
+--- a/fs/smb/server/transport_tcp.c
++++ b/fs/smb/server/transport_tcp.c
+@@ -87,7 +87,14 @@ static struct tcp_transport *alloc_trans
+ return NULL;
+ }
+
++#if IS_ENABLED(CONFIG_IPV6)
++ if (client_sk->sk->sk_family == AF_INET6)
++ memcpy(&conn->inet6_addr, &client_sk->sk->sk_v6_daddr, 16);
++ else
++ conn->inet_addr = inet_sk(client_sk->sk)->inet_daddr;
++#else
+ conn->inet_addr = inet_sk(client_sk->sk)->inet_daddr;
++#endif
+ conn->transport = KSMBD_TRANS(t);
+ KSMBD_TRANS(t)->conn = conn;
+ KSMBD_TRANS(t)->ops = &ksmbd_tcp_transport_ops;
+@@ -231,7 +238,6 @@ static int ksmbd_kthread_fn(void *p)
+ {
+ struct socket *client_sk = NULL;
+ struct interface *iface = (struct interface *)p;
+- struct inet_sock *csk_inet;
+ struct ksmbd_conn *conn;
+ int ret;
+
+@@ -254,13 +260,27 @@ static int ksmbd_kthread_fn(void *p)
+ /*
+ * Limits repeated connections from clients with the same IP.
+ */
+- csk_inet = inet_sk(client_sk->sk);
+ down_read(&conn_list_lock);
+ list_for_each_entry(conn, &conn_list, conns_list)
+- if (csk_inet->inet_daddr == conn->inet_addr) {
++#if IS_ENABLED(CONFIG_IPV6)
++ if (client_sk->sk->sk_family == AF_INET6) {
++ if (memcmp(&client_sk->sk->sk_v6_daddr,
++ &conn->inet6_addr, 16) == 0) {
++ ret = -EAGAIN;
++ break;
++ }
++ } else if (inet_sk(client_sk->sk)->inet_daddr ==
++ conn->inet_addr) {
+ ret = -EAGAIN;
+ break;
+ }
++#else
++ if (inet_sk(client_sk->sk)->inet_daddr ==
++ conn->inet_addr) {
++ ret = -EAGAIN;
++ break;
++ }
++#endif
+ up_read(&conn_list_lock);
+ if (ret == -EAGAIN)
+ continue;
--- /dev/null
+From 89bb430f621124af39bb31763c4a8b504c9651e2 Mon Sep 17 00:00:00 2001
+From: Ziyan Xu <ziyan@securitygossip.com>
+Date: Sat, 16 Aug 2025 10:20:05 +0900
+Subject: ksmbd: fix refcount leak causing resource not released
+
+From: Ziyan Xu <ziyan@securitygossip.com>
+
+commit 89bb430f621124af39bb31763c4a8b504c9651e2 upstream.
+
+When ksmbd_conn_releasing(opinfo->conn) returns true,the refcount was not
+decremented properly, causing a refcount leak that prevents the count from
+reaching zero and the memory from being released.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ziyan Xu <ziyan@securitygossip.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/oplock.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/fs/smb/server/oplock.c
++++ b/fs/smb/server/oplock.c
+@@ -1102,8 +1102,10 @@ void smb_send_parent_lease_break_noti(st
+ if (!atomic_inc_not_zero(&opinfo->refcount))
+ continue;
+
+- if (ksmbd_conn_releasing(opinfo->conn))
++ if (ksmbd_conn_releasing(opinfo->conn)) {
++ opinfo_put(opinfo);
+ continue;
++ }
+
+ oplock_break(opinfo, SMB2_OPLOCK_LEVEL_NONE, NULL);
+ opinfo_put(opinfo);
+@@ -1139,8 +1141,11 @@ void smb_lazy_parent_lease_break_close(s
+ if (!atomic_inc_not_zero(&opinfo->refcount))
+ continue;
+
+- if (ksmbd_conn_releasing(opinfo->conn))
++ if (ksmbd_conn_releasing(opinfo->conn)) {
++ opinfo_put(opinfo);
+ continue;
++ }
++
+ oplock_break(opinfo, SMB2_OPLOCK_LEVEL_NONE, NULL);
+ opinfo_put(opinfo);
+ }
+@@ -1343,8 +1348,10 @@ void smb_break_all_levII_oplock(struct k
+ if (!atomic_inc_not_zero(&brk_op->refcount))
+ continue;
+
+- if (ksmbd_conn_releasing(brk_op->conn))
++ if (ksmbd_conn_releasing(brk_op->conn)) {
++ opinfo_put(brk_op);
+ continue;
++ }
+
+ if (brk_op->is_lease && (brk_op->o_lease->state &
+ (~(SMB2_LEASE_READ_CACHING_LE |
--- /dev/null
+From 52c3e242f4d0043186b70d65460ba1767f27494a Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Sun, 6 Jul 2025 16:10:57 -0700
+Subject: lib/crypto: arm/poly1305: Fix register corruption in no-SIMD contexts
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit 52c3e242f4d0043186b70d65460ba1767f27494a upstream.
+
+Restore the SIMD usability check that was removed by commit 773426f4771b
+("crypto: arm/poly1305 - Add block-only interface").
+
+This safety check is cheap and is well worth eliminating a footgun.
+While the Poly1305 functions should not be called when SIMD registers
+are unusable, if they are anyway, they should just do the right thing
+instead of corrupting random tasks' registers and/or computing incorrect
+MACs. Fixing this is also needed for poly1305_kunit to pass.
+
+Just use may_use_simd() instead of the original crypto_simd_usable(),
+since poly1305_kunit won't rely on crypto_simd_disabled_for_test.
+
+Fixes: 773426f4771b ("crypto: arm/poly1305 - Add block-only interface")
+Cc: stable@vger.kernel.org
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+Link: https://lore.kernel.org/r/20250706231100.176113-3-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/lib/crypto/poly1305-glue.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/lib/crypto/poly1305-glue.c
++++ b/arch/arm/lib/crypto/poly1305-glue.c
+@@ -7,6 +7,7 @@
+
+ #include <asm/hwcap.h>
+ #include <asm/neon.h>
++#include <asm/simd.h>
+ #include <crypto/internal/poly1305.h>
+ #include <linux/cpufeature.h>
+ #include <linux/jump_label.h>
+@@ -39,7 +40,7 @@ void poly1305_blocks_arch(struct poly130
+ {
+ len = round_down(len, POLY1305_BLOCK_SIZE);
+ if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) &&
+- static_branch_likely(&have_neon)) {
++ static_branch_likely(&have_neon) && likely(may_use_simd())) {
+ do {
+ unsigned int todo = min_t(unsigned int, len, SZ_4K);
+
--- /dev/null
+From eec76ea5a7213c48529a46eed1b343e5cee3aaab Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Sun, 6 Jul 2025 16:10:58 -0700
+Subject: lib/crypto: arm64/poly1305: Fix register corruption in no-SIMD contexts
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit eec76ea5a7213c48529a46eed1b343e5cee3aaab upstream.
+
+Restore the SIMD usability check that was removed by commit a59e5468a921
+("crypto: arm64/poly1305 - Add block-only interface").
+
+This safety check is cheap and is well worth eliminating a footgun.
+While the Poly1305 functions should not be called when SIMD registers
+are unusable, if they are anyway, they should just do the right thing
+instead of corrupting random tasks' registers and/or computing incorrect
+MACs. Fixing this is also needed for poly1305_kunit to pass.
+
+Just use may_use_simd() instead of the original crypto_simd_usable(),
+since poly1305_kunit won't rely on crypto_simd_disabled_for_test.
+
+Fixes: a59e5468a921 ("crypto: arm64/poly1305 - Add block-only interface")
+Cc: stable@vger.kernel.org
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+Link: https://lore.kernel.org/r/20250706231100.176113-4-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/lib/crypto/poly1305-glue.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/lib/crypto/poly1305-glue.c
++++ b/arch/arm64/lib/crypto/poly1305-glue.c
+@@ -7,6 +7,7 @@
+
+ #include <asm/hwcap.h>
+ #include <asm/neon.h>
++#include <asm/simd.h>
+ #include <crypto/internal/poly1305.h>
+ #include <linux/cpufeature.h>
+ #include <linux/jump_label.h>
+@@ -33,7 +34,7 @@ void poly1305_blocks_arch(struct poly130
+ unsigned int len, u32 padbit)
+ {
+ len = round_down(len, POLY1305_BLOCK_SIZE);
+- if (static_branch_likely(&have_neon)) {
++ if (static_branch_likely(&have_neon) && likely(may_use_simd())) {
+ do {
+ unsigned int todo = min_t(unsigned int, len, SZ_4K);
+
--- /dev/null
+From 22375adaa0d9fbba9646c8e2b099c6e87c97bfae Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Thu, 19 Jun 2025 15:55:35 -0700
+Subject: lib/crypto: mips/chacha: Fix clang build and remove unneeded byteswap
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit 22375adaa0d9fbba9646c8e2b099c6e87c97bfae upstream.
+
+The MIPS32r2 ChaCha code has never been buildable with the clang
+assembler. First, clang doesn't support the 'rotl' pseudo-instruction:
+
+ error: unknown instruction, did you mean: rol, rotr?
+
+Second, clang requires that both operands of the 'wsbh' instruction be
+explicitly given:
+
+ error: too few operands for instruction
+
+To fix this, align the code with the real instruction set by (1) using
+the real instruction 'rotr' instead of the nonstandard pseudo-
+instruction 'rotl', and (2) explicitly giving both operands to 'wsbh'.
+
+To make removing the use of 'rotl' a bit easier, also remove the
+unnecessary special-casing for big endian CPUs at
+.Lchacha_mips_xor_bytes. The tail handling is actually
+endian-independent since it processes one byte at a time. On big endian
+CPUs the old code byte-swapped SAVED_X, then iterated through it in
+reverse order. But the byteswap and reverse iteration canceled out.
+
+Tested with chacha20poly1305-selftest in QEMU using "-M malta" with both
+little endian and big endian mips32r2 kernels.
+
+Fixes: 49aa7c00eddf ("crypto: mips/chacha - import 32r2 ChaCha code from Zinc")
+Cc: stable@vger.kernel.org
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202505080409.EujEBwA0-lkp@intel.com/
+Link: https://lore.kernel.org/r/20250619225535.679301-1-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/lib/crypto/chacha-core.S | 20 +++++++-------------
+ 1 file changed, 7 insertions(+), 13 deletions(-)
+
+--- a/arch/mips/lib/crypto/chacha-core.S
++++ b/arch/mips/lib/crypto/chacha-core.S
+@@ -55,17 +55,13 @@
+ #if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+ #define MSB 0
+ #define LSB 3
+-#define ROTx rotl
+-#define ROTR(n) rotr n, 24
+ #define CPU_TO_LE32(n) \
+- wsbh n; \
++ wsbh n, n; \
+ rotr n, 16;
+ #else
+ #define MSB 3
+ #define LSB 0
+-#define ROTx rotr
+ #define CPU_TO_LE32(n)
+-#define ROTR(n)
+ #endif
+
+ #define FOR_EACH_WORD(x) \
+@@ -192,10 +188,10 @@ CONCAT3(.Lchacha_mips_xor_aligned_, PLUS
+ xor X(W), X(B); \
+ xor X(Y), X(C); \
+ xor X(Z), X(D); \
+- rotl X(V), S; \
+- rotl X(W), S; \
+- rotl X(Y), S; \
+- rotl X(Z), S;
++ rotr X(V), 32 - S; \
++ rotr X(W), 32 - S; \
++ rotr X(Y), 32 - S; \
++ rotr X(Z), 32 - S;
+
+ .text
+ .set reorder
+@@ -372,21 +368,19 @@ chacha_crypt_arch:
+ /* First byte */
+ lbu T1, 0(IN)
+ addiu $at, BYTES, 1
+- CPU_TO_LE32(SAVED_X)
+- ROTR(SAVED_X)
+ xor T1, SAVED_X
+ sb T1, 0(OUT)
+ beqz $at, .Lchacha_mips_xor_done
+ /* Second byte */
+ lbu T1, 1(IN)
+ addiu $at, BYTES, 2
+- ROTx SAVED_X, 8
++ rotr SAVED_X, 8
+ xor T1, SAVED_X
+ sb T1, 1(OUT)
+ beqz $at, .Lchacha_mips_xor_done
+ /* Third byte */
+ lbu T1, 2(IN)
+- ROTx SAVED_X, 8
++ rotr SAVED_X, 8
+ xor T1, SAVED_X
+ sb T1, 2(OUT)
+ b .Lchacha_mips_xor_done
--- /dev/null
+From e4fc307d8e24f122402907ebf585248cad52841d Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 2 Aug 2025 21:34:37 +0200
+Subject: Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()"
+
+From: Helge Deller <deller@gmx.de>
+
+commit e4fc307d8e24f122402907ebf585248cad52841d upstream.
+
+This reverts commit 864f9963ec6b4b76d104d595ba28110b87158003.
+
+The patch is wrong as it checks vc_origin against vc_screenbuf,
+while in text mode it should compare against vga_vram_base.
+
+As such it broke VGA text scrolling, which can be reproduced like this:
+(1) boot a kernel that is configured to use text mode VGA-console
+(2) type commands: ls -l /usr/bin | less -S
+(3) scroll up/down with cursor-down/up keys
+
+Reported-by: Jari Ruusu <jariruusu@protonmail.com>
+Cc: stable@vger.kernel.org
+Cc: Yi Yang <yiyang13@huawei.com>
+Cc: GONG Ruiqi <gongruiqi1@huawei.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/console/vgacon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/console/vgacon.c
++++ b/drivers/video/console/vgacon.c
+@@ -1168,7 +1168,7 @@ static bool vgacon_scroll(struct vc_data
+ c->vc_screenbuf_size - delta);
+ c->vc_origin = vga_vram_end - c->vc_screenbuf_size;
+ vga_rolled_over = 0;
+- } else if (oldo - delta >= (unsigned long)c->vc_screenbuf)
++ } else
+ c->vc_origin -= delta;
+ c->vc_scr_end = c->vc_origin + c->vc_screenbuf_size;
+ scr_memsetw((u16 *) (c->vc_origin), c->vc_video_erase_char,
vt-keyboard-don-t-process-unicode-characters-in-k_off-mode.patch
vt-defkeymap-map-keycodes-above-127-to-k_hole.patch
netfs-fix-unbuffered-write-error-handling.patch
+lib-crypto-mips-chacha-fix-clang-build-and-remove-unneeded-byteswap.patch
+lib-crypto-arm-poly1305-fix-register-corruption-in-no-simd-contexts.patch
+lib-crypto-arm64-poly1305-fix-register-corruption-in-no-simd-contexts.patch
+crypto-qat-lower-priority-for-skcipher-and-aead-algorithms.patch
+crypto-ccp-fix-snp-panic-notifier-unregistration.patch
+crypto-caam-prevent-crash-on-suspend-with-imx8qm-imx8ulp.patch
+crypto-qat-flush-misc-workqueue-during-device-shutdown.patch
+crypto-x86-aegis-fix-sleeping-when-disallowed-on-preempt_rt.patch
+crypto-x86-aegis-add-missing-error-checks.patch
+crypto-octeontx2-fix-address-alignment-issue-on-ucode-loading.patch
+crypto-octeontx2-fix-address-alignment-on-cn10k-a0-a1-and-octeontx2.patch
+crypto-octeontx2-fix-address-alignment-on-cn10kb-and-cn10ka-b0.patch
+crypto-hash-increase-hash_max_descsize-for-hmac-sha3-224-s390.patch
+revert-vgacon-add-check-for-vc_origin-address-range-in-vgacon_scroll.patch
+ksmbd-fix-refcount-leak-causing-resource-not-released.patch
+ksmbd-extend-the-connection-limiting-mechanism-to-support-ipv6.patch
+tracing-fprobe-event-sanitize-wildcard-for-fprobe-event-name.patch
+ext4-preserve-sb_i_version-on-remount.patch
+ext4-check-fast-symlink-for-ea_inode-correctly.patch
+ext4-fix-fsmap-end-of-range-reporting-with-bigalloc.patch
+ext4-fix-reserved-gdt-blocks-handling-in-fsmap.patch
+ext4-don-t-try-to-clear-the-orphan_present-feature-block-device-is-r-o.patch
+ext4-use-kmalloc_array-for-array-space-allocation.patch
+ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch
+btrfs-zoned-fix-write-time-activation-failure-for-metadata-block-group.patch
+btrfs-fix-incorrect-log-message-for-nobarrier-mount-option.patch
+btrfs-restore-mount-option-info-messages-during-mount.patch
+btrfs-fix-printing-of-mount-info-messages-for-nodatacow-nodatasum.patch
--- /dev/null
+From ec879e1a0be8007aa232ffedcf6a6445dfc1a3d7 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Sat, 16 Aug 2025 23:10:51 +0900
+Subject: tracing: fprobe-event: Sanitize wildcard for fprobe event name
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit ec879e1a0be8007aa232ffedcf6a6445dfc1a3d7 upstream.
+
+Fprobe event accepts wildcards for the target functions, but unless user
+specifies its event name, it makes an event with the wildcards.
+
+ /sys/kernel/tracing # echo 'f mutex*' >> dynamic_events
+ /sys/kernel/tracing # cat dynamic_events
+ f:fprobes/mutex*__entry mutex*
+ /sys/kernel/tracing # ls events/fprobes/
+ enable filter mutex*__entry
+
+To fix this, replace the wildcard ('*') with an underscore.
+
+Link: https://lore.kernel.org/all/175535345114.282990.12294108192847938710.stgit@devnote2/
+
+Fixes: 334e5519c375 ("tracing/probes: Add fprobe events for tracing function entry and exit.")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.h
++++ b/kernel/trace/trace.h
+@@ -2204,7 +2204,7 @@ static inline bool is_good_system_name(c
+ static inline void sanitize_event_name(char *name)
+ {
+ while (*name++ != '\0')
+- if (*name == ':' || *name == '.')
++ if (*name == ':' || *name == '.' || *name == '*')
+ *name = '_';
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
