--- /dev/null
+From d67aadee19ffdf3cc8520c5a4f4d5b2916d30baf Mon Sep 17 00:00:00 2001
+From: Tristan Madani <tristan@talencesecurity.com>
+Date: Tue, 5 May 2026 11:12:59 +0000
+Subject: hfs/hfsplus: zero-initialize buffer in hfs_bnode_read
+
+From: Tristan Madani <tristan@talencesecurity.com>
+
+commit d67aadee19ffdf3cc8520c5a4f4d5b2916d30baf upstream.
+
+hfs_bnode_read() can return early without writing to the output buffer
+when is_bnode_offset_valid() fails or when check_and_correct_requested_
+length() corrects the length to zero. Callers such as hfs_bnode_read_
+u16() and hfs_bnode_read_u8() pass stack-allocated buffers and use the
+result unconditionally, leading to KMSAN uninit-value reports.
+
+Rather than initializing at each individual call site, zero the buffer
+at the start of hfs_bnode_read() before any validation checks. This
+ensures all callers in both hfs and hfsplus get a deterministic zero
+value regardless of which early-return path is taken.
+
+Reported-by: syzbot+217eb327242d08197efb@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
+Tested-by: syzbot+217eb327242d08197efb@syzkaller.appspotmail.com
+Fixes: a431930c9bac ("hfs: fix slab-out-of-bounds in hfs_bnode_read()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20260505111300.3592757-3-tristmd@gmail.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hfs/bnode.c | 2 ++
+ fs/hfsplus/bnode.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/fs/hfs/bnode.c
++++ b/fs/hfs/bnode.c
+@@ -65,6 +65,8 @@ void hfs_bnode_read(struct hfs_bnode *no
+ int bytes_to_read;
+ void *vaddr;
+
++ memset(buf, 0, len);
++
+ if (!is_bnode_offset_valid(node, off))
+ return;
+
+--- a/fs/hfsplus/bnode.c
++++ b/fs/hfsplus/bnode.c
+@@ -25,6 +25,8 @@ void hfs_bnode_read(struct hfs_bnode *no
+ struct page **pagep;
+ int l;
+
++ memset(buf, 0, len);
++
+ if (!is_bnode_offset_valid(node, off))
+ return;
+
--- /dev/null
+From 0e7a690fe435f8d5ea3feb7c1d8d73ba7e8b8aa9 Mon Sep 17 00:00:00 2001
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+Date: Sun, 3 May 2026 13:33:29 +0900
+Subject: nilfs2: reject CLEAN_SEGMENTS ioctl with out-of-range segment numbers
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+commit 0e7a690fe435f8d5ea3feb7c1d8d73ba7e8b8aa9 upstream.
+
+Syzbot reported a hung task in nilfs_transaction_begin() where multiple
+tasks performing chmod() on a nilfs2 mount blocked for over 143 seconds
+waiting to acquire ns_segctor_sem for read:
+
+ INFO: task syz.0.17:5918 blocked for more than 143 seconds.
+ Call Trace:
+ schedule+0x164/0x360
+ rwsem_down_read_slowpath+0x6d9/0x940
+ down_read+0x99/0x2e0
+ nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
+ nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
+ notify_change+0xc1a/0xf40
+ chmod_common+0x273/0x4a0
+ do_fchmodat+0x12d/0x230
+
+The writer holding ns_segctor_sem was a concurrent
+NILFS_IOCTL_CLEAN_SEGMENTS caller, stuck inside printk while emitting
+per-element warnings from nilfs_sufile_updatev():
+
+ __nilfs_msg+0x373/0x450 fs/nilfs2/super.c:78
+ nilfs_sufile_updatev+0x21c/0x6d0 fs/nilfs2/sufile.c:186
+ nilfs_sufile_freev fs/nilfs2/sufile.h:93 [inline]
+ nilfs_free_segments fs/nilfs2/segment.c:1140 [inline]
+ nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1261 [inline]
+ nilfs_segctor_do_construct+0x1f55/0x76c0
+ nilfs_clean_segments+0x3bd/0xa50
+ nilfs_ioctl_clean_segments fs/nilfs2/ioctl.c:922 [inline]
+ nilfs_ioctl+0x261f/0x2780
+
+The root cause is that user-supplied segment numbers are not validated
+before nilfs_clean_segments() begins doing work; the range check on
+each segnum is performed deep inside the call chain by
+nilfs_sufile_updatev(), which emits a nilfs_warn() per invalid entry
+while still holding the segctor lock and the sufile mi_sem. Under load
+(repeated invocations across multiple mounts saturating the global
+printk path), the cumulative printk latency keeps ns_segctor_sem held
+long enough to trip the hung_task watchdog, blocking concurrent
+operations such as chmod() that need ns_segctor_sem for read.
+
+Fix by validating the contents of kbufs[4] in nilfs_clean_segments()
+immediately after acquiring ns_segctor_sem via nilfs_transaction_lock().
+Holding ns_segctor_sem serializes the check against
+nilfs_ioctl_resize(), which can modify ns_nsegments, so the validation
+uses a consistent value. Out-of-range segment numbers are rejected
+with -EINVAL before any segment-cleaning work begins, so the bad
+entries never reach the per-element diagnostic path inside
+nilfs_sufile_updatev().
+
+Reported-by: syzbot+62f0f99d2f2bb8e3bbd7@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=62f0f99d2f2bb8e3bbd7
+Tested-by: syzbot+62f0f99d2f2bb8e3bbd7@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Fixes: 071cb4b81987 ("nilfs2: eliminate removal list of segments")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/segment.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/fs/nilfs2/segment.c
++++ b/fs/nilfs2/segment.c
+@@ -2505,12 +2505,33 @@ int nilfs_clean_segments(struct super_bl
+ struct nilfs_sc_info *sci = nilfs->ns_writer;
+ struct nilfs_transaction_info ti;
+ int err;
++ size_t i, nfreesegs = argv[4].v_nmembs;
++ __u64 *segnumv = kbufs[4];
+
+ if (unlikely(!sci))
+ return -EROFS;
+
+ nilfs_transaction_lock(sb, &ti, 1);
+
++ /*
++ * Validate segment numbers under ns_segctor_sem (held for write
++ * by nilfs_transaction_lock above) so the check is serialized
++ * against nilfs_ioctl_resize(), which can modify ns_nsegments.
++ * Rejecting bad input here, before any segment-cleaning work
++ * begins, avoids the per-element diagnostic path inside
++ * nilfs_sufile_updatev() that would otherwise run under this
++ * same lock and stall concurrent readers.
++ */
++ for (i = 0; i < nfreesegs; i++) {
++ if (segnumv[i] >= nilfs->ns_nsegments) {
++ nilfs_err(sb,
++ "Segment number %llu to be freed is out of range",
++ (unsigned long long)segnumv[i]);
++ err = -EINVAL;
++ goto bail_unlock;
++ }
++ }
++
+ err = nilfs_mdt_save_to_shadow_map(nilfs->ns_dat);
+ if (unlikely(err))
+ goto out_unlock;
+@@ -2551,6 +2572,7 @@ int nilfs_clean_segments(struct super_bl
+ sci->sc_freesegs = NULL;
+ sci->sc_nfreesegs = 0;
+ nilfs_mdt_clear_shadow_map(nilfs->ns_dat);
++ bail_unlock:
+ nilfs_transaction_unlock(sb);
+ return err;
+ }
--- /dev/null
+From 03866d130ed33ab68cc7faaf4bf2c4abef96d42e Mon Sep 17 00:00:00 2001
+From: Alexey Nepomnyashih <sdl@nppct.ru>
+Date: Wed, 3 Jun 2026 20:41:47 +0000
+Subject: xfs: fix unreachable BIGTIME check in dquot flush validation
+
+From: Alexey Nepomnyashih <sdl@nppct.ru>
+
+commit 03866d130ed33ab68cc7faaf4bf2c4abef96d42e upstream.
+
+The dqp->q_id == 0 check inside the XFS_DQTYPE_BIGTIME block is
+unreachable because root dquots return successfully earlier. Reject root
+dquots with XFS_DQTYPE_BIGTIME before that early return, preserving the
+intended validation and removing the unreachable condition.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 4ea1ff3b4968 ("xfs: widen ondisk quota expiration timestamps to handle y2038+")
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Alexey Nepomnyashih <sdl@nppct.ru>
+Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
+Reviewed-by: Allison Henderson <achender@kernel.org>
+Signed-off-by: Carlos Maiolino <cem@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_dquot.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/fs/xfs/xfs_dquot.c
++++ b/fs/xfs/xfs_dquot.c
+@@ -1202,6 +1202,14 @@ xfs_qm_dqflush_check(
+ type != XFS_DQTYPE_PROJ)
+ return __this_address;
+
++ /* bigtime flag should never be set on root dquots */
++ if (dqp->q_type & XFS_DQTYPE_BIGTIME) {
++ if (!xfs_has_bigtime(dqp->q_mount))
++ return __this_address;
++ if (dqp->q_id == 0)
++ return __this_address;
++ }
++
+ if (dqp->q_id == 0)
+ return NULL;
+
+@@ -1217,14 +1225,6 @@ xfs_qm_dqflush_check(
+ !dqp->q_rtb.timer)
+ return __this_address;
+
+- /* bigtime flag should never be set on root dquots */
+- if (dqp->q_type & XFS_DQTYPE_BIGTIME) {
+- if (!xfs_has_bigtime(dqp->q_mount))
+- return __this_address;
+- if (dqp->q_id == 0)
+- return __this_address;
+- }
+-
+ return NULL;
+ }
+