--- /dev/null
+From 3bbf004c4808e2c3241e5c1ad6cc102f38a03c39 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Fri, 19 Sep 2025 15:58:28 +0100
+Subject: arm64: cputype: Add Neoverse-V3AE definitions
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit 3bbf004c4808e2c3241e5c1ad6cc102f38a03c39 upstream.
+
+Add cputype definitions for Neoverse-V3AE. These will be used for errata
+detection in subsequent patches.
+
+These values can be found in the Neoverse-V3AE TRM:
+
+ https://developer.arm.com/documentation/SDEN-2615521/9-0/
+
+... in section A.6.1 ("MIDR_EL1, Main ID Register").
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: James Morse <james.morse@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+[ Ryan: Trivial backport ]
+Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/cputype.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/include/asm/cputype.h
++++ b/arch/arm64/include/asm/cputype.h
+@@ -87,6 +87,7 @@
+ #define ARM_CPU_PART_NEOVERSE_V2 0xD4F
+ #define ARM_CPU_PART_CORTEX_A720 0xD81
+ #define ARM_CPU_PART_CORTEX_X4 0xD82
++#define ARM_CPU_PART_NEOVERSE_V3AE 0xD83
+ #define ARM_CPU_PART_NEOVERSE_V3 0xD84
+ #define ARM_CPU_PART_CORTEX_X925 0xD85
+ #define ARM_CPU_PART_CORTEX_A725 0xD87
+@@ -139,6 +140,7 @@
+ #define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2)
+ #define MIDR_CORTEX_A720 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720)
+ #define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4)
++#define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE)
+ #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3)
+ #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925)
+ #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725)
--- /dev/null
+From 0c33aa1804d101c11ba1992504f17a42233f0e11 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Fri, 19 Sep 2025 15:58:29 +0100
+Subject: arm64: errata: Apply workarounds for Neoverse-V3AE
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit 0c33aa1804d101c11ba1992504f17a42233f0e11 upstream.
+
+Neoverse-V3AE is also affected by erratum #3312417, as described in its
+Software Developer Errata Notice (SDEN) document:
+
+ Neoverse V3AE (MP172) SDEN v9.0, erratum 3312417
+ https://developer.arm.com/documentation/SDEN-2615521/9-0/
+
+Enable the workaround for Neoverse-V3AE, and document this.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: James Morse <james.morse@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+[ Ryan: Trivial backport ]
+Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/arm64/silicon-errata.rst | 2 ++
+ arch/arm64/Kconfig | 1 +
+ arch/arm64/kernel/cpu_errata.c | 1 +
+ 3 files changed, 4 insertions(+)
+
+--- a/Documentation/arm64/silicon-errata.rst
++++ b/Documentation/arm64/silicon-errata.rst
+@@ -134,6 +134,8 @@ stable kernels.
+ +----------------+-----------------+-----------------+-----------------------------+
+ | ARM | Neoverse-V3 | #3312417 | ARM64_ERRATUM_3194386 |
+ +----------------+-----------------+-----------------+-----------------------------+
++| ARM | Neoverse-V3AE | #3312417 | ARM64_ERRATUM_3194386 |
+++----------------+-----------------+-----------------+-----------------------------+
+ | ARM | MMU-500 | #841119,826419 | N/A |
+ +----------------+-----------------+-----------------+-----------------------------+
+ +----------------+-----------------+-----------------+-----------------------------+
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -617,6 +617,7 @@ config ARM64_ERRATUM_3194386
+ * ARM Neoverse-V1 erratum 3324341
+ * ARM Neoverse V2 erratum 3324336
+ * ARM Neoverse-V3 erratum 3312417
++ * ARM Neoverse-V3AE erratum 3312417
+
+ On affected cores "MSR SSBS, #0" instructions may not affect
+ subsequent speculative instructions, which may permit unexepected
+--- a/arch/arm64/kernel/cpu_errata.c
++++ b/arch/arm64/kernel/cpu_errata.c
+@@ -863,6 +863,7 @@ static const struct midr_range erratum_s
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
+ {}
+ };
+ #endif
--- /dev/null
+From stable+bounces-188349-greg=kroah.com@vger.kernel.org Tue Oct 21 15:55:31 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 09:51:54 -0400
+Subject: drm/amdgpu: use atomic functions with memory barriers for vm fault info
+To: stable@vger.kernel.org
+Cc: Gui-Dong Han <hanguidong02@gmail.com>, Felix Kuehling <felix.kuehling@amd.com>, Alex Deucher <alexander.deucher@amd.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251021135154.2145346-1-sashal@kernel.org>
+
+From: Gui-Dong Han <hanguidong02@gmail.com>
+
+[ Upstream commit 6df8e84aa6b5b1812cc2cacd6b3f5ccbb18cda2b ]
+
+The atomic variable vm_fault_info_updated is used to synchronize access to
+adev->gmc.vm_fault_info between the interrupt handler and
+get_vm_fault_info().
+
+The default atomic functions like atomic_set() and atomic_read() do not
+provide memory barriers. This allows for CPU instruction reordering,
+meaning the memory accesses to vm_fault_info and the vm_fault_info_updated
+flag are not guaranteed to occur in the intended order. This creates a
+race condition that can lead to inconsistent or stale data being used.
+
+The previous implementation, which used an explicit mb(), was incomplete
+and inefficient. It failed to account for all potential CPU reorderings,
+such as the access of vm_fault_info being reordered before the atomic_read
+of the flag. This approach is also more verbose and less performant than
+using the proper atomic functions with acquire/release semantics.
+
+Fix this by switching to atomic_set_release() and atomic_read_acquire().
+These functions provide the necessary acquire and release semantics,
+which act as memory barriers to ensure the correct order of operations.
+It is also more efficient and idiomatic than using explicit full memory
+barriers.
+
+Fixes: b97dfa27ef3a ("drm/amdgpu: save vm fault information for amdkfd")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
+Signed-off-by: Felix Kuehling <felix.kuehling@amd.com>
+Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+[ kept kgd_dev parameter and adev cast in amdgpu_amdkfd_gpuvm_get_vm_fault_info ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 5 ++---
+ drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c | 7 +++----
+ drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 7 +++----
+ 3 files changed, 8 insertions(+), 11 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+@@ -1572,10 +1572,9 @@ int amdgpu_amdkfd_gpuvm_get_vm_fault_inf
+ struct amdgpu_device *adev;
+
+ adev = (struct amdgpu_device *)kgd;
+- if (atomic_read(&adev->gmc.vm_fault_info_updated) == 1) {
++ if (atomic_read_acquire(&adev->gmc.vm_fault_info_updated) == 1) {
+ *mem = *adev->gmc.vm_fault_info;
+- mb();
+- atomic_set(&adev->gmc.vm_fault_info_updated, 0);
++ atomic_set_release(&adev->gmc.vm_fault_info_updated, 0);
+ }
+ return 0;
+ }
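Review bot: The `atomic_read_acquire()`/`atomic_set_release()` pair in this reader has no comment naming its counterpart, so the ordering contract on `vm_fault_info_updated` can only be recovered from the commit message. I would add above the `if` something like `/* Pairs with atomic_set_release(..., 1) in gmc_v{7,8}_0_process_interrupt(): read the flag before *vm_fault_info, clear it only after the copy. */`. A matching one-line comment belongs at the `atomic_set_release(&adev->gmc.vm_fault_info_updated, 1)` lines in the two process_interrupt hunks further down. The function starts outside this hunk.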
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c
+@@ -1042,7 +1042,7 @@ static int gmc_v7_0_sw_init(void *handle
+ GFP_KERNEL);
+ if (!adev->gmc.vm_fault_info)
+ return -ENOMEM;
+- atomic_set(&adev->gmc.vm_fault_info_updated, 0);
++ atomic_set_release(&adev->gmc.vm_fault_info_updated, 0);
+
+ return 0;
+ }
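Review bot: `atomic_set_release()` is used here for the initial store of 0 in sw_init, where the hunk shows no concurrent reader that the release ordering would pair with. If neither the interrupt handler nor get_vm_fault_info() can run yet at this point (not visible here, to be confirmed), a plain `atomic_set(&adev->gmc.vm_fault_info_updated, 0);` states the intent more precisely. Otherwise a short comment naming the paired acquire would help. The same applies to the identical line in the gmc_v8_0_sw_init hunk; both functions start outside their hunks.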
+@@ -1272,7 +1272,7 @@ static int gmc_v7_0_process_interrupt(st
+ vmid = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS,
+ VMID);
+ if (amdgpu_amdkfd_is_kfd_vmid(adev, vmid)
+- && !atomic_read(&adev->gmc.vm_fault_info_updated)) {
++ && !atomic_read_acquire(&adev->gmc.vm_fault_info_updated)) {
+ struct kfd_vm_fault_info *info = adev->gmc.vm_fault_info;
+ u32 protections = REG_GET_FIELD(status,
+ VM_CONTEXT1_PROTECTION_FAULT_STATUS,
+@@ -1288,8 +1288,7 @@ static int gmc_v7_0_process_interrupt(st
+ info->prot_read = protections & 0x8 ? true : false;
+ info->prot_write = protections & 0x10 ? true : false;
+ info->prot_exec = protections & 0x20 ? true : false;
+- mb();
+- atomic_set(&adev->gmc.vm_fault_info_updated, 1);
++ atomic_set_release(&adev->gmc.vm_fault_info_updated, 1);
+ }
+
+ return 0;
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
+@@ -1175,7 +1175,7 @@ static int gmc_v8_0_sw_init(void *handle
+ GFP_KERNEL);
+ if (!adev->gmc.vm_fault_info)
+ return -ENOMEM;
+- atomic_set(&adev->gmc.vm_fault_info_updated, 0);
++ atomic_set_release(&adev->gmc.vm_fault_info_updated, 0);
+
+ return 0;
+ }
+@@ -1464,7 +1464,7 @@ static int gmc_v8_0_process_interrupt(st
+ vmid = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS,
+ VMID);
+ if (amdgpu_amdkfd_is_kfd_vmid(adev, vmid)
+- && !atomic_read(&adev->gmc.vm_fault_info_updated)) {
++ && !atomic_read_acquire(&adev->gmc.vm_fault_info_updated)) {
+ struct kfd_vm_fault_info *info = adev->gmc.vm_fault_info;
+ u32 protections = REG_GET_FIELD(status,
+ VM_CONTEXT1_PROTECTION_FAULT_STATUS,
+@@ -1480,8 +1480,7 @@ static int gmc_v8_0_process_interrupt(st
+ info->prot_read = protections & 0x8 ? true : false;
+ info->prot_write = protections & 0x10 ? true : false;
+ info->prot_exec = protections & 0x20 ? true : false;
+- mb();
+- atomic_set(&adev->gmc.vm_fault_info_updated, 1);
++ atomic_set_release(&adev->gmc.vm_fault_info_updated, 1);
+ }
+
+ return 0;
--- /dev/null
+From stable+bounces-188394-greg=kroah.com@vger.kernel.org Tue Oct 21 19:49:23 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 13:49:05 -0400
+Subject: ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()
+To: stable@vger.kernel.org
+Cc: Theodore Ts'o <tytso@mit.edu>, Jan Kara <jack@suse.cz>, "Darrick J. Wong" <djwong@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251021174905.2459401-1-sashal@kernel.org>
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+[ Upstream commit 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 ]
+
+Unlike other strings in the ext4 superblock, we rely on tune2fs to
+make sure s_mount_opts is NUL terminated. Harden
+parse_apply_sb_mount_options() by treating s_mount_opts as a potential
+__nonstring.
+
+Cc: stable@vger.kernel.org
+Fixes: 8b67f04ab9de ("ext4: Add mount options in superblock")
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Message-ID: <20250916-tune2fs-v2-1-d594dc7486f0@mit.edu>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+[ applied to ext4_fill_super() instead of parse_apply_sb_mount_options() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3882,18 +3882,16 @@ static int ext4_fill_super(struct super_
+ }
+
+ if (sbi->s_es->s_mount_opts[0]) {
+- char *s_mount_opts = kstrndup(sbi->s_es->s_mount_opts,
+- sizeof(sbi->s_es->s_mount_opts),
+- GFP_KERNEL);
+- if (!s_mount_opts)
+- goto failed_mount;
++ char s_mount_opts[65];
++
++ strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts,
++ sizeof(s_mount_opts));
+ if (!parse_options(s_mount_opts, sb, &journal_devnum,
+ &journal_ioprio, 0)) {
+ ext4_msg(sb, KERN_WARNING,
+ "failed to parse options in superblock: %s",
+ s_mount_opts);
+ }
+- kfree(s_mount_opts);
+ }
+ sbi->s_def_mount_opt = sbi->s_mount_opt;
+ if (!parse_options((char *) data, sb, &journal_devnum,
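Review bot: The local buffer is sized with a bare `65` and `strscpy_pad()` is bounded by `sizeof(s_mount_opts)`, the destination, so the bound is one byte larger than the superblock field if that field is 64 bytes (its declaration is outside the hunk). An unterminated field is exactly the case being hardened against. On trees where strscpy() is fortified, a bound larger than the source object can be reported as an over-read of the source, which is worth checking for the target kernel. I would tie the size to the field with `char s_mount_opts[sizeof(sbi->s_es->s_mount_opts) + 1];`, and consider `memcpy(s_mount_opts, sbi->s_es->s_mount_opts, sizeof(sbi->s_es->s_mount_opts));` followed by `s_mount_opts[sizeof(s_mount_opts) - 1] = '\0';`. ext4_fill_super continues on both sides of the hunk.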
--- /dev/null
+From stable+bounces-188335-greg=kroah.com@vger.kernel.org Tue Oct 21 15:12:34 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 09:12:17 -0400
+Subject: ext4: detect invalid INLINE_DATA + EXTENTS flag combination
+To: stable@vger.kernel.org
+Cc: Deepanshu Kartikey <kartikey406@gmail.com>, stable@kernel.org, syzbot+038b7bf43423e132b308@syzkaller.appspotmail.com, Zhang Yi <yi.zhang@huawei.com>, Theodore Ts'o <tytso@mit.edu>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251021131217.2071970-1-sashal@kernel.org>
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+[ Upstream commit 1d3ad183943b38eec2acf72a0ae98e635dc8456b ]
+
+syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity
+file on a corrupted ext4 filesystem mounted without a journal.
+
+The issue is that the filesystem has an inode with both the INLINE_DATA
+and EXTENTS flags set:
+
+ EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:
+ comm syz.0.17: corrupted extent tree: lblk 0 < prev 66
+
+Investigation revealed that the inode has both flags set:
+ DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1
+
+This is an invalid combination since an inode should have either:
+- INLINE_DATA: data stored directly in the inode
+- EXTENTS: data stored in extent-mapped blocks
+
+Having both flags causes ext4_has_inline_data() to return true, skipping
+extent tree validation in __ext4_iget(). The unvalidated out-of-order
+extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer
+underflow when calculating hole sizes.
+
+Fix this by detecting this invalid flag combination early in ext4_iget()
+and rejecting the corrupted inode.
+
+Cc: stable@kernel.org
+Reported-and-tested-by: syzbot+038b7bf43423e132b308@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=038b7bf43423e132b308
+Suggested-by: Zhang Yi <yi.zhang@huawei.com>
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
+Message-ID: <20250930112810.315095-1-kartikey406@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/inode.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -5077,6 +5077,14 @@ struct inode *__ext4_iget(struct super_b
+ }
+ ei->i_flags = le32_to_cpu(raw_inode->i_flags);
+ ext4_set_inode_flags(inode);
++ /* Detect invalid flag combination - can't have both inline data and extents */
++ if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA) &&
++ ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)) {
++ ext4_error_inode(inode, function, line, 0,
++ "inode has both inline data and extents flags");
++ ret = -EFSCORRUPTED;
++ goto bad_inode;
++ }
+ inode->i_blocks = ext4_inode_blocks(raw_inode, ei);
+ ei->i_file_acl = le32_to_cpu(raw_inode->i_file_acl_lo);
+ if (ext4_has_feature_64bit(sb))
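Review bot: The comment above the new check says what is rejected but not why the check has to sit here, and it is noticeably longer than the surrounding lines. According to the commit message, ext4_has_inline_data() returns true for such an inode and the extent tree validation later in __ext4_iget() is then skipped. I would record that, split over two lines, as `/* INLINE_DATA and EXTENTS are mutually exclusive; with both set the inline-data path skips extent tree validation, so reject the inode here. */`. The function continues outside the hunk, so the `bad_inode` label and its cleanup are not visible here.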
--- /dev/null
+From stable+bounces-188281-greg=kroah.com@vger.kernel.org Tue Oct 21 03:42:30 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 21:42:22 -0400
+Subject: jbd2: ensure that all ongoing I/O complete before freeing blocks
+To: stable@vger.kernel.org
+Cc: Zhang Yi <yi.zhang@huawei.com>, stable@kernel.org, Jan Kara <jack@suse.cz>, Theodore Ts'o <tytso@mit.edu>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251021014222.1974745-1-sashal@kernel.org>
+
+From: Zhang Yi <yi.zhang@huawei.com>
+
+[ Upstream commit 3c652c3a71de1d30d72dc82c3bead8deb48eb749 ]
+
+When releasing file system metadata blocks in jbd2_journal_forget(), if
+this buffer has not yet been checkpointed, it may have already been
+written back, currently be in the process of being written back, or has
+not yet written back. jbd2_journal_forget() calls
+jbd2_journal_try_remove_checkpoint() to check the buffer's status and
+add it to the current transaction if it has not been written back. This
+buffer can only be reallocated after the transaction is committed.
+
+jbd2_journal_try_remove_checkpoint() attempts to lock the buffer and
+check its dirty status while holding the buffer lock. If the buffer has
+already been written back, everything proceeds normally. However, there
+are two issues. First, the function returns immediately if the buffer is
+locked by the write-back process. It does not wait for the write-back to
+complete. Consequently, until the current transaction is committed and
+the block is reallocated, there is no guarantee that the I/O will
+complete. This means that ongoing I/O could write stale metadata to the
+newly allocated block, potentially corrupting data. Second, the function
+unlocks the buffer as soon as it detects that the buffer is still dirty.
+If a concurrent write-back occurs immediately after this unlocking and
+before clear_buffer_dirty() is called in jbd2_journal_forget(), data
+corruption can theoretically still occur.
+
+Although these two issues are unlikely to occur in practice since the
+undergoing metadata writeback I/O does not take this long to complete,
+it's better to explicitly ensure that all ongoing I/O operations are
+completed.
+
+Fixes: 597599268e3b ("jbd2: discard dirty data when forgetting an un-journalled buffer")
+Cc: stable@kernel.org
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Message-ID: <20250916093337.3161016-2-yi.zhang@huaweicloud.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jbd2/transaction.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -1550,6 +1550,7 @@ int jbd2_journal_forget (handle_t *handl
+ int drop_reserve = 0;
+ int err = 0;
+ int was_modified = 0;
++ int wait_for_writeback = 0;
+
+ if (is_handle_aborted(handle))
+ return -EROFS;
+@@ -1675,18 +1676,22 @@ int jbd2_journal_forget (handle_t *handl
+ }
+
+ /*
+- * The buffer is still not written to disk, we should
+- * attach this buffer to current transaction so that the
+- * buffer can be checkpointed only after the current
+- * transaction commits.
++ * The buffer has not yet been written to disk. We should
++ * either clear the buffer or ensure that the ongoing I/O
++ * is completed, and attach this buffer to current
++ * transaction so that the buffer can be checkpointed only
++ * after the current transaction commits.
+ */
+ clear_buffer_dirty(bh);
++ wait_for_writeback = 1;
+ __jbd2_journal_file_buffer(jh, transaction, BJ_Forget);
+ spin_unlock(&journal->j_list_lock);
+ }
+
+ jbd_unlock_bh_state(bh);
+ __brelse(bh);
++ if (wait_for_writeback)
++ wait_on_buffer(bh);
+ drop:
+ if (drop_reserve) {
+ /* no need to reserve log space for this block -bzzz */
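Review bot: `wait_on_buffer(bh)` runs after `__brelse(bh)` has already dropped a reference, so the wait depends on something else still pinning the buffer_head. That is presumably the journal head just filed on BJ_Forget, but the hunk does not show it. Either place `if (wait_for_writeback) wait_on_buffer(bh);` before `__brelse(bh);`, or add a comment stating what keeps bh alive across the wait. The comment should also say that the wait must stay after `spin_unlock(&journal->j_list_lock)` and `jbd_unlock_bh_state(bh)` because it can sleep. jbd2_journal_forget starts and ends outside this hunk.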
--- /dev/null
+From stable+bounces-188198-greg=kroah.com@vger.kernel.org Mon Oct 20 18:28:07 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 12:27:23 -0400
+Subject: KEYS: trusted_tpm1: Compare HMAC values in constant time
+To: stable@vger.kernel.org
+Cc: Eric Biggers <ebiggers@kernel.org>, Jarkko Sakkinen <jarkko@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251020162723.1838996-1-sashal@kernel.org>
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+[ Upstream commit eed0e3d305530066b4fc5370107cff8ef1a0d229 ]
+
+To prevent timing attacks, HMAC value comparison needs to be constant
+time. Replace the memcmp() with the correct function, crypto_memneq().
+
+[For the Fixes commit I used the commit that introduced the memcmp().
+It predates the introduction of crypto_memneq(), but it was still a bug
+at the time even though a helper function didn't exist yet.]
+
+Fixes: d00a1c72f7f4 ("keys: add new trusted key-type")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+[ changed include from crypto/utils.h to crypto/algapi.h ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/keys/trusted.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/security/keys/trusted.c
++++ b/security/keys/trusted.c
+@@ -9,6 +9,7 @@
+ */
+
+ #include <crypto/hash_info.h>
++#include <crypto/algapi.h>
+ #include <linux/uaccess.h>
+ #include <linux/module.h>
+ #include <linux/init.h>
+@@ -248,7 +249,7 @@ int TSS_checkhmac1(unsigned char *buffer
+ if (ret < 0)
+ goto out;
+
+- if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
++ if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE))
+ ret = -EINVAL;
+ out:
+ kzfree(sdesc);
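Review bot: Nothing at the `crypto_memneq()` call records why memcmp() must not be used, so a later cleanup could reintroduce the early-exit comparison. A one-line comment above this `if`, such as `/* constant-time compare: must not reveal how many HMAC bytes matched */`, would keep the intent next to the code. The same comment applies to the two comparisons in the TSS_checkhmac2 hunks that follow. TSS_checkhmac1 starts outside this hunk.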
+@@ -341,7 +342,7 @@ static int TSS_checkhmac2(unsigned char
+ TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0);
+ if (ret < 0)
+ goto out;
+- if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
++ if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
+ ret = -EINVAL;
+ goto out;
+ }
+@@ -350,7 +351,7 @@ static int TSS_checkhmac2(unsigned char
+ TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0);
+ if (ret < 0)
+ goto out;
+- if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
++ if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE))
+ ret = -EINVAL;
+ out:
+ kzfree(sdesc);
--- /dev/null
+From stable+bounces-187722-greg=kroah.com@vger.kernel.org Sat Oct 18 01:31:58 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 19:31:49 -0400
+Subject: media: s5p-mfc: remove an unused/uninitialized variable
+To: stable@vger.kernel.org
+Cc: Arnd Bergmann <arnd@arndb.de>, Hans Verkuil <hverkuil+cisco@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251017233149.37893-1-sashal@kernel.org>
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 7fa37ba25a1dfc084e24ea9acc14bf1fad8af14c ]
+
+The s5p_mfc_cmd_args structure in the v6 driver is never used, not
+initialized to anything other than zero, but as of clang-21 this
+causes a warning:
+
+drivers/media/platform/samsung/s5p-mfc/s5p_mfc_cmd_v6.c:45:7: error: variable 'h2r_args' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer]
+ 45 | &h2r_args);
+ | ^~~~~~~~
+
+Just remove this for simplicity. Since the function is also called
+through a callback, this does require adding a trivial wrapper with
+the correct prototype.
+
+Fixes: f96f3cfa0bb8 ("[media] s5p-mfc: Update MFC v4l2 driver to support MFC6.x")
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc_cmd_v6.c | 35 ++++++++----------------
+ 1 file changed, 13 insertions(+), 22 deletions(-)
+
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc_cmd_v6.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_cmd_v6.c
+@@ -14,8 +14,7 @@
+ #include "s5p_mfc_opr.h"
+ #include "s5p_mfc_cmd_v6.h"
+
+-static int s5p_mfc_cmd_host2risc_v6(struct s5p_mfc_dev *dev, int cmd,
+- struct s5p_mfc_cmd_args *args)
++static int s5p_mfc_cmd_host2risc_v6(struct s5p_mfc_dev *dev, int cmd)
+ {
+ mfc_debug(2, "Issue the command: %d\n", cmd);
+
+@@ -31,7 +30,6 @@ static int s5p_mfc_cmd_host2risc_v6(stru
+
+ static int s5p_mfc_sys_init_cmd_v6(struct s5p_mfc_dev *dev)
+ {
+- struct s5p_mfc_cmd_args h2r_args;
+ struct s5p_mfc_buf_size_v6 *buf_size = dev->variant->buf_size->priv;
+ int ret;
+
+@@ -41,33 +39,23 @@ static int s5p_mfc_sys_init_cmd_v6(struc
+
+ mfc_write(dev, dev->ctx_buf.dma, S5P_FIMV_CONTEXT_MEM_ADDR_V6);
+ mfc_write(dev, buf_size->dev_ctx, S5P_FIMV_CONTEXT_MEM_SIZE_V6);
+- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SYS_INIT_V6,
+- &h2r_args);
++ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SYS_INIT_V6);
+ }
+
+ static int s5p_mfc_sleep_cmd_v6(struct s5p_mfc_dev *dev)
+ {
+- struct s5p_mfc_cmd_args h2r_args;
+-
+- memset(&h2r_args, 0, sizeof(struct s5p_mfc_cmd_args));
+- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SLEEP_V6,
+- &h2r_args);
++ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SLEEP_V6);
+ }
+
+ static int s5p_mfc_wakeup_cmd_v6(struct s5p_mfc_dev *dev)
+ {
+- struct s5p_mfc_cmd_args h2r_args;
+-
+- memset(&h2r_args, 0, sizeof(struct s5p_mfc_cmd_args));
+- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_WAKEUP_V6,
+- &h2r_args);
++ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_WAKEUP_V6);
+ }
+
+ /* Open a new instance and get its number */
+ static int s5p_mfc_open_inst_cmd_v6(struct s5p_mfc_ctx *ctx)
+ {
+ struct s5p_mfc_dev *dev = ctx->dev;
+- struct s5p_mfc_cmd_args h2r_args;
+ int codec_type;
+
+ mfc_debug(2, "Requested codec mode: %d\n", ctx->codec_mode);
+@@ -129,23 +117,20 @@ static int s5p_mfc_open_inst_cmd_v6(stru
+ mfc_write(dev, ctx->ctx.size, S5P_FIMV_CONTEXT_MEM_SIZE_V6);
+ mfc_write(dev, 0, S5P_FIMV_D_CRC_CTRL_V6); /* no crc */
+
+- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_OPEN_INSTANCE_V6,
+- &h2r_args);
++ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_OPEN_INSTANCE_V6);
+ }
+
+ /* Close instance */
+ static int s5p_mfc_close_inst_cmd_v6(struct s5p_mfc_ctx *ctx)
+ {
+ struct s5p_mfc_dev *dev = ctx->dev;
+- struct s5p_mfc_cmd_args h2r_args;
+ int ret = 0;
+
+ dev->curr_ctx = ctx->num;
+ if (ctx->state != MFCINST_FREE) {
+ mfc_write(dev, ctx->inst_no, S5P_FIMV_INSTANCE_ID_V6);
+ ret = s5p_mfc_cmd_host2risc_v6(dev,
+- S5P_FIMV_H2R_CMD_CLOSE_INSTANCE_V6,
+- &h2r_args);
++ S5P_FIMV_H2R_CMD_CLOSE_INSTANCE_V6);
+ } else {
+ ret = -EINVAL;
+ }
+@@ -153,9 +138,15 @@ static int s5p_mfc_close_inst_cmd_v6(str
+ return ret;
+ }
+
++static int s5p_mfc_cmd_host2risc_v6_args(struct s5p_mfc_dev *dev, int cmd,
++ struct s5p_mfc_cmd_args *ignored)
++{
++ return s5p_mfc_cmd_host2risc_v6(dev, cmd);
++}
++
+ /* Initialize cmd function pointers for MFC v6 */
+ static struct s5p_mfc_hw_cmds s5p_mfc_cmds_v6 = {
+- .cmd_host2risc = s5p_mfc_cmd_host2risc_v6,
++ .cmd_host2risc = s5p_mfc_cmd_host2risc_v6_args,
+ .sys_init_cmd = s5p_mfc_sys_init_cmd_v6,
+ .sleep_cmd = s5p_mfc_sleep_cmd_v6,
+ .wakeup_cmd = s5p_mfc_wakeup_cmd_v6,
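Review bot: `s5p_mfc_cmd_host2risc_v6_args()` has no comment saying that it exists only to match the `.cmd_host2risc` callback prototype; the parameter name `ignored` is the only hint. I would add above it `/* Adapter for s5p_mfc_hw_cmds.cmd_host2risc: the v6 command path takes no argument block, so the third parameter is unused. */`. The initializer of s5p_mfc_cmds_v6 continues past the end of the hunk.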
--- /dev/null
+From stable+bounces-188412-greg=kroah.com@vger.kernel.org Tue Oct 21 20:56:06 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 14:55:57 -0400
+Subject: memory: samsung: exynos-srom: Correct alignment
+To: stable@vger.kernel.org
+Cc: Krzysztof Kozlowski <krzk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251021185558.2643476-1-sashal@kernel.org>
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 90de1c75d8acd83e9a699b93153307a1e411ef3a ]
+
+Align indentation with open parenthesis (or fix existing alignment).
+
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Stable-dep-of: 6744085079e7 ("memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/memory/samsung/exynos-srom.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/drivers/memory/samsung/exynos-srom.c
++++ b/drivers/memory/samsung/exynos-srom.c
+@@ -47,9 +47,9 @@ struct exynos_srom {
+ struct exynos_srom_reg_dump *reg_offset;
+ };
+
+-static struct exynos_srom_reg_dump *exynos_srom_alloc_reg_dump(
+- const unsigned long *rdump,
+- unsigned long nr_rdump)
++static struct exynos_srom_reg_dump *
++exynos_srom_alloc_reg_dump(const unsigned long *rdump,
++ unsigned long nr_rdump)
+ {
+ struct exynos_srom_reg_dump *rd;
+ unsigned int i;
+@@ -116,7 +116,7 @@ static int exynos_srom_probe(struct plat
+ }
+
+ srom = devm_kzalloc(&pdev->dev,
+- sizeof(struct exynos_srom), GFP_KERNEL);
++ sizeof(struct exynos_srom), GFP_KERNEL);
+ if (!srom)
+ return -ENOMEM;
+
+@@ -130,7 +130,7 @@ static int exynos_srom_probe(struct plat
+ platform_set_drvdata(pdev, srom);
+
+ srom->reg_offset = exynos_srom_alloc_reg_dump(exynos_srom_offsets,
+- ARRAY_SIZE(exynos_srom_offsets));
++ ARRAY_SIZE(exynos_srom_offsets));
+ if (!srom->reg_offset) {
+ iounmap(srom->reg_base);
+ return -ENOMEM;
+@@ -157,16 +157,16 @@ static int exynos_srom_probe(struct plat
+
+ #ifdef CONFIG_PM_SLEEP
+ static void exynos_srom_save(void __iomem *base,
+- struct exynos_srom_reg_dump *rd,
+- unsigned int num_regs)
++ struct exynos_srom_reg_dump *rd,
++ unsigned int num_regs)
+ {
+ for (; num_regs > 0; --num_regs, ++rd)
+ rd->value = readl(base + rd->offset);
+ }
+
+ static void exynos_srom_restore(void __iomem *base,
+- const struct exynos_srom_reg_dump *rd,
+- unsigned int num_regs)
++ const struct exynos_srom_reg_dump *rd,
++ unsigned int num_regs)
+ {
+ for (; num_regs > 0; --num_regs, ++rd)
+ writel(rd->value, base + rd->offset);
+@@ -177,7 +177,7 @@ static int exynos_srom_suspend(struct de
+ struct exynos_srom *srom = dev_get_drvdata(dev);
+
+ exynos_srom_save(srom->reg_base, srom->reg_offset,
+- ARRAY_SIZE(exynos_srom_offsets));
++ ARRAY_SIZE(exynos_srom_offsets));
+ return 0;
+ }
+
+@@ -186,7 +186,7 @@ static int exynos_srom_resume(struct dev
+ struct exynos_srom *srom = dev_get_drvdata(dev);
+
+ exynos_srom_restore(srom->reg_base, srom->reg_offset,
+- ARRAY_SIZE(exynos_srom_offsets));
++ ARRAY_SIZE(exynos_srom_offsets));
+ return 0;
+ }
+ #endif
--- /dev/null
+From stable+bounces-188413-greg=kroah.com@vger.kernel.org Tue Oct 21 20:56:10 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 14:55:58 -0400
+Subject: memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe
+To: stable@vger.kernel.org
+Cc: Zhen Ni <zhen.ni@easystack.cn>, Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251021185558.2643476-2-sashal@kernel.org>
+
+From: Zhen Ni <zhen.ni@easystack.cn>
+
+[ Upstream commit 6744085079e785dae5f7a2239456135407c58b25 ]
+
+The of_platform_populate() call at the end of the function has a
+possible failure path, causing a resource leak.
+
+Replace of_iomap() with devm_platform_ioremap_resource() to ensure
+automatic cleanup of srom->reg_base.
+
+This issue was detected by smatch static analysis:
+drivers/memory/samsung/exynos-srom.c:155 exynos_srom_probe()warn:
+'srom->reg_base' from of_iomap() not released on lines: 155.
+
+Fixes: 8ac2266d8831 ("memory: samsung: exynos-srom: Add support for bank configuration")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
+Link: https://lore.kernel.org/r/20250806025538.306593-1-zhen.ni@easystack.cn
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/memory/samsung/exynos-srom.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/memory/samsung/exynos-srom.c
++++ b/drivers/memory/samsung/exynos-srom.c
+@@ -121,20 +121,18 @@ static int exynos_srom_probe(struct plat
+ return -ENOMEM;
+
+ srom->dev = dev;
+- srom->reg_base = of_iomap(np, 0);
+- if (!srom->reg_base) {
++ srom->reg_base = devm_platform_ioremap_resource(pdev, 0);
++ if (IS_ERR(srom->reg_base)) {
+ dev_err(&pdev->dev, "iomap of exynos srom controller failed\n");
+- return -ENOMEM;
++ return PTR_ERR(srom->reg_base);
+ }
+
+ platform_set_drvdata(pdev, srom);
+
+ srom->reg_offset = exynos_srom_alloc_reg_dump(exynos_srom_offsets,
+ ARRAY_SIZE(exynos_srom_offsets));
+- if (!srom->reg_offset) {
+- iounmap(srom->reg_base);
++ if (!srom->reg_offset)
+ return -ENOMEM;
+- }
+
+ for_each_child_of_node(np, child) {
+ if (exynos_srom_configure_bank(srom, child)) {
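Review bot: The switch to `devm_platform_ioremap_resource(pdev, 0)` in exynos_srom_probe() does more than fix the leak. Unlike `of_iomap()`, it also requests the memory region, so probe can now fail (typically with -EBUSY) on a board where something else already claims part of the SROM register range. That behaviour change is worth confirming against the in-tree device trees before this goes to stable, and worth a sentence in the commit message. The helper also appears to log its own failures, so the retained `dev_err(&pdev->dev, "iomap of exynos srom controller failed\n")` is probably redundant. The function starts and ends outside this hunk, so the later error paths were not reviewed.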
--- /dev/null
+From stable+bounces-188278-greg=kroah.com@vger.kernel.org Tue Oct 21 03:11:04 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 21:10:56 -0400
+Subject: NFSD: Define a proc_layoutcommit for the FlexFiles layout type
+To: stable@vger.kernel.org
+Cc: Chuck Lever <chuck.lever@oracle.com>, Robert Morris <rtm@csail.mit.edu>, Thomas Haynes <loghyr@hammerspace.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251021011056.1964892-1-sashal@kernel.org>
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 4b47a8601b71ad98833b447d465592d847b4dc77 ]
+
+Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT
+operation on a FlexFiles layout.
+
+Reported-by: Robert Morris <rtm@csail.mit.edu>
+Closes: https://lore.kernel.org/linux-nfs/152f99b2-ba35-4dec-93a9-4690e625dccd@oracle.com/T/#t
+Cc: Thomas Haynes <loghyr@hammerspace.com>
+Cc: stable@vger.kernel.org
+Fixes: 9b9960a0ca47 ("nfsd: Add a super simple flex file server")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+[ removed struct svc_rqst parameter from nfsd4_ff_proc_layoutcommit ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/flexfilelayout.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/nfsd/flexfilelayout.c
++++ b/fs/nfsd/flexfilelayout.c
+@@ -124,6 +124,13 @@ nfsd4_ff_proc_getdeviceinfo(struct super
+ return 0;
+ }
+
++static __be32
++nfsd4_ff_proc_layoutcommit(struct inode *inode,
++ struct nfsd4_layoutcommit *lcp)
++{
++ return nfs_ok;
++}
++
+ const struct nfsd4_layout_ops ff_layout_ops = {
+ .notify_types =
+ NOTIFY_DEVICEID4_DELETE | NOTIFY_DEVICEID4_CHANGE,
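Review bot: nfsd4_ff_proc_layoutcommit() returns `nfs_ok` without looking at `inode` or `lcp`, and nothing in the code says why a no-op is correct for FlexFiles. A comment such as `/* Nothing to commit for FlexFiles (TODO confirm); the op must exist because nfsd4_layoutcommit() calls it unconditionally. */` would record that. The crash this avoids is triggered by a client request, and the fix covers only this layout type. The call site shown in the layoutcommit patch of this series, `nfserr = ops->proc_layoutcommit(inode, lcp);`, has no NULL check, so any other nfsd4_layout_ops table that omits the member would fail the same way. A guard at the call site that returns an NFS error when the op is missing would close the whole class.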
+@@ -132,4 +139,5 @@ const struct nfsd4_layout_ops ff_layout_
+ .encode_getdeviceinfo = nfsd4_ff_encode_getdeviceinfo,
+ .proc_layoutget = nfsd4_ff_proc_layoutget,
+ .encode_layoutget = nfsd4_ff_encode_layoutget,
++ .proc_layoutcommit = nfsd4_ff_proc_layoutcommit,
+ };
--- /dev/null
+From stable+bounces-188085-greg=kroah.com@vger.kernel.org Mon Oct 20 14:58:05 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 08:57:40 -0400
+Subject: NFSD: Fix last write offset handling in layoutcommit
+To: stable@vger.kernel.org
+Cc: Sergey Bashirov <sergeybashirov@gmail.com>, Konstantin Evtushenko <koevtushenko@yandex.com>, Christoph Hellwig <hch@lst.de>, Jeff Layton <jlayton@kernel.org>, Chuck Lever <chuck.lever@oracle.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251020125740.1762043-2-sashal@kernel.org>
+
+From: Sergey Bashirov <sergeybashirov@gmail.com>
+
+[ Upstream commit d68886bae76a4b9b3484d23e5b7df086f940fa38 ]
+
+The data type of loca_last_write_offset is newoffset4 and is switched
+on a boolean value, no_newoffset, that indicates if a previous write
+occurred or not. If no_newoffset is FALSE, an offset is not given.
+This means that client does not try to update the file size. Thus,
+server should not try to calculate new file size and check if it fits
+into the segment range. See RFC 8881, section 12.5.4.2.
+
+Sometimes the current incorrect logic may cause clients to hang when
+trying to sync an inode. If layoutcommit fails, the client marks the
+inode as dirty again.
+
+Fixes: 9cf514ccfacb ("nfsd: implement pNFS operations")
+Cc: stable@vger.kernel.org
+Co-developed-by: Konstantin Evtushenko <koevtushenko@yandex.com>
+Signed-off-by: Konstantin Evtushenko <koevtushenko@yandex.com>
+Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+[ replaced inode_get_mtime() with inode->i_mtime and removed rqstp parameter from proc_layoutcommit() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/blocklayout.c | 5 ++---
+ fs/nfsd/nfs4proc.c | 30 +++++++++++++++---------------
+ 2 files changed, 17 insertions(+), 18 deletions(-)
+
+--- a/fs/nfsd/blocklayout.c
++++ b/fs/nfsd/blocklayout.c
+@@ -120,7 +120,6 @@ static __be32
+ nfsd4_block_commit_blocks(struct inode *inode, struct nfsd4_layoutcommit *lcp,
+ struct iomap *iomaps, int nr_iomaps)
+ {
+- loff_t new_size = lcp->lc_last_wr + 1;
+ struct iattr iattr = { .ia_valid = 0 };
+ int error;
+
+@@ -130,9 +129,9 @@ nfsd4_block_commit_blocks(struct inode *
+ iattr.ia_valid |= ATTR_ATIME | ATTR_CTIME | ATTR_MTIME;
+ iattr.ia_atime = iattr.ia_ctime = iattr.ia_mtime = lcp->lc_mtime;
+
+- if (new_size > i_size_read(inode)) {
++ if (lcp->lc_size_chg) {
+ iattr.ia_valid |= ATTR_SIZE;
+- iattr.ia_size = new_size;
++ iattr.ia_size = lcp->lc_newsize;
+ }
+
+ error = inode->i_sb->s_export_op->commit_blocks(inode, iomaps,
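Review bot: The `ATTR_SIZE` decision in nfsd4_block_commit_blocks() now rests on `lcp->lc_size_chg`, which this patch computes in nfsd4_layoutcommit() from an `i_size_read(inode)` sample taken before the stateid lookup. Previously the comparison against `i_size_read(inode)` was made here, immediately before the attribute change. If the file can grow between that sample and this point (no lock covering both is visible in these hunks), `iattr.ia_size = lcp->lc_newsize` could set a size smaller than the current one. Either re-check at the point of use, `if (lcp->lc_size_chg && lcp->lc_newsize > i_size_read(inode)) {`, or add a comment naming what rules the race out. The function continues outside the hunk.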
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1701,7 +1701,6 @@ nfsd4_layoutcommit(struct svc_rqst *rqst
+ const struct nfsd4_layout_seg *seg = &lcp->lc_seg;
+ struct svc_fh *current_fh = &cstate->current_fh;
+ const struct nfsd4_layout_ops *ops;
+- loff_t new_size = lcp->lc_last_wr + 1;
+ struct inode *inode;
+ struct nfs4_layout_stateid *ls;
+ __be32 nfserr;
+@@ -1716,13 +1715,21 @@ nfsd4_layoutcommit(struct svc_rqst *rqst
+ goto out;
+ inode = d_inode(current_fh->fh_dentry);
+
+- nfserr = nfserr_inval;
+- if (new_size <= seg->offset)
+- goto out;
+- if (new_size > seg->offset + seg->length)
+- goto out;
+- if (!lcp->lc_newoffset && new_size > i_size_read(inode))
+- goto out;
++ lcp->lc_size_chg = false;
++ if (lcp->lc_newoffset) {
++ loff_t new_size = lcp->lc_last_wr + 1;
++
++ nfserr = nfserr_inval;
++ if (new_size <= seg->offset)
++ goto out;
++ if (new_size > seg->offset + seg->length)
++ goto out;
++
++ if (new_size > i_size_read(inode)) {
++ lcp->lc_size_chg = true;
++ lcp->lc_newsize = new_size;
++ }
++ }
+
+ nfserr = nfsd4_preprocess_layout_stateid(rqstp, cstate, &lcp->lc_sid,
+ false, lcp->lc_layout_type,
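Review bot: The range check `if (new_size > seg->offset + seg->length)` inside the new `if (lcp->lc_newoffset)` block adds two values that come from the client request. If both are unsigned 64-bit (their declarations are outside the hunk), the sum can wrap. A segment with a non-zero offset and an all-ones length would then have every commit that carries a new offset rejected with `nfserr_inval`, which is the failure mode the commit message links to client hangs. The preceding test already rejects `new_size <= seg->offset`, so the comparison can be written without the addition: `if (new_size - seg->offset > seg->length)`. nfsd4_layoutcommit() starts and ends outside this hunk.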
+@@ -1738,13 +1745,6 @@ nfsd4_layoutcommit(struct svc_rqst *rqst
+ /* LAYOUTCOMMIT does not require any serialization */
+ mutex_unlock(&ls->ls_mutex);
+
+- if (new_size > i_size_read(inode)) {
+- lcp->lc_size_chg = 1;
+- lcp->lc_newsize = new_size;
+- } else {
+- lcp->lc_size_chg = 0;
+- }
+-
+ nfserr = ops->proc_layoutcommit(inode, lcp);
+ nfs4_put_stid(&ls->ls_stid);
+ out:
--- /dev/null
+From stable+bounces-188084-greg=kroah.com@vger.kernel.org Mon Oct 20 14:58:05 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 08:57:39 -0400
+Subject: NFSD: Minor cleanup in layoutcommit processing
+To: stable@vger.kernel.org
+Cc: Sergey Bashirov <sergeybashirov@gmail.com>, Christoph Hellwig <hch@lst.de>, Chuck Lever <chuck.lever@oracle.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251020125740.1762043-1-sashal@kernel.org>
+
+From: Sergey Bashirov <sergeybashirov@gmail.com>
+
+[ Upstream commit 274365a51d88658fb51cca637ba579034e90a799 ]
+
+Remove dprintk in nfsd4_layoutcommit. These are not needed
+in day to day usage, and the information is also available
+in Wireshark when capturing NFS traffic.
+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Stable-dep-of: d68886bae76a ("NFSD: Fix last write offset handling in layoutcommit")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4proc.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1717,18 +1717,12 @@ nfsd4_layoutcommit(struct svc_rqst *rqst
+ inode = d_inode(current_fh->fh_dentry);
+
+ nfserr = nfserr_inval;
+- if (new_size <= seg->offset) {
+- dprintk("pnfsd: last write before layout segment\n");
++ if (new_size <= seg->offset)
+ goto out;
+- }
+- if (new_size > seg->offset + seg->length) {
+- dprintk("pnfsd: last write beyond layout segment\n");
++ if (new_size > seg->offset + seg->length)
+ goto out;
+- }
+- if (!lcp->lc_newoffset && new_size > i_size_read(inode)) {
+- dprintk("pnfsd: layoutcommit beyond EOF\n");
++ if (!lcp->lc_newoffset && new_size > i_size_read(inode))
+ goto out;
+- }
+
+ nfserr = nfsd4_preprocess_layout_stateid(rqstp, cstate, &lcp->lc_sid,
+ false, lcp->lc_layout_type,
--- /dev/null
+From stable+bounces-188145-greg=kroah.com@vger.kernel.org Mon Oct 20 17:44:23 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 11:41:31 -0400
+Subject: padata: Reset next CPU when reorder sequence wraps around
+To: stable@vger.kernel.org
+Cc: Xiao Liang <shaw.leon@gmail.com>, Herbert Xu <herbert@gondor.apana.org.au>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251020154131.1822336-1-sashal@kernel.org>
+
+From: Xiao Liang <shaw.leon@gmail.com>
+
+[ Upstream commit 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b ]
+
+When seq_nr wraps around, the next reorder job with seq 0 is hashed to
+the first CPU in padata_do_serial(). Correspondingly, need reset pd->cpu
+to the first one when pd->processed wraps around. Otherwise, if the
+number of used CPUs is not a power of 2, padata_find_next() will be
+checking a wrong list, hence deadlock.
+
+Fixes: 6fc4dbcf0276 ("padata: Replace delayed timer with immediate workqueue in padata_reorder")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+[ moved from padata_reorder() to padata_find_next() function ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/padata.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -204,7 +204,11 @@ static struct padata_priv *padata_find_n
+ list_del_init(&padata->list);
+ atomic_dec(&pd->reorder_objects);
+ ++pd->processed;
+- pd->cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false);
++ /* When sequence wraps around, reset to the first CPU. */
++ if (unlikely(pd->processed == 0))
++ pd->cpu = cpumask_first(pd->cpumask.pcpu);
++ else
++ pd->cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false);
+ }
+
+ spin_unlock(&reorder->lock);
xhci-dbc-enable-back-dbc-in-resume-if-it-was-enabled-before-suspend.patch
binder-remove-invalid-inc-weak-check.patch
comedi-fix-divide-by-zero-in-comedi_buf_munge.patch
+arm64-cputype-add-neoverse-v3ae-definitions.patch
+arm64-errata-apply-workarounds-for-neoverse-v3ae.patch
+memory-samsung-exynos-srom-correct-alignment.patch
+memory-samsung-exynos-srom-fix-of_iomap-leak-in-exynos_srom_probe.patch
+spi-cadence-quadspi-flush-posted-register-writes-before-indac-access.patch
+spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch
+ext4-avoid-potential-buffer-over-read-in-parse_apply_sb_mount_options.patch
+drm-amdgpu-use-atomic-functions-with-memory-barriers-for-vm-fault-info.patch
+ext4-detect-invalid-inline_data-extents-flag-combination.patch
+jbd2-ensure-that-all-ongoing-i-o-complete-before-freeing-blocks.patch
+vfs-don-t-leak-disconnected-dentries-on-umount.patch
+nfsd-define-a-proc_layoutcommit-for-the-flexfiles-layout-type.patch
+keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch
+padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch
+nfsd-minor-cleanup-in-layoutcommit-processing.patch
+nfsd-fix-last-write-offset-handling-in-layoutcommit.patch
+media-s5p-mfc-remove-an-unused-uninitialized-variable.patch
--- /dev/null
+From stable+bounces-188397-greg=kroah.com@vger.kernel.org Tue Oct 21 20:14:18 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 14:14:06 -0400
+Subject: spi: cadence-quadspi: Flush posted register writes before DAC access
+To: stable@vger.kernel.org
+Cc: Pratyush Yadav <pratyush@kernel.org>, Santhosh Kumar K <s-k6@ti.com>, Mark Brown <broonie@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251021181406.2495307-1-sashal@kernel.org>
+
+From: Pratyush Yadav <pratyush@kernel.org>
+
+[ Upstream commit 1ad55767e77a853c98752ed1e33b68049a243bd7 ]
+
+cqspi_read_setup() and cqspi_write_setup() program the address width as
+the last step in the setup. This is likely to be immediately followed by
+a DAC region read/write. On TI K3 SoCs the DAC region is on a different
+endpoint from the register region. This means that the order of the two
+operations is not guaranteed, and they might be reordered at the
+interconnect level. It is possible that the DAC read/write goes through
+before the address width update goes through. In this situation if the
+previous command used a different address width the OSPI command is sent
+with the wrong number of address bytes, resulting in an invalid command
+and undefined behavior.
+
+Read back the size register to make sure the write gets flushed before
+accessing the DAC region.
+
+Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller")
+CC: stable@vger.kernel.org
+Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
+Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
+Signed-off-by: Santhosh Kumar K <s-k6@ti.com>
+Message-ID: <20250905185958.3575037-3-s-k6@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+[ backported to drivers/mtd/spi-nor ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/cadence-quadspi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/spi-nor/cadence-quadspi.c
++++ b/drivers/mtd/spi-nor/cadence-quadspi.c
+@@ -496,6 +496,7 @@ static int cqspi_read_setup(struct spi_n
+ reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK;
+ reg |= (nor->addr_width - 1);
+ writel(reg, reg_base + CQSPI_REG_SIZE);
++ readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */
+ return 0;
+ }
+
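Review bot: The comment on the added `readl(reg_base + CQSPI_REG_SIZE);` in cqspi_read_setup() says what the read does but not why it must stay, and a discarded read-back is the kind of line a later cleanup removes. The reason exists only in the commit message: the DAC access that follows may travel through a different interconnect endpoint, so the register write has to complete first. Suggest `/* Read back so the write completes before the DAC region (possibly on another endpoint) is accessed. */`. The same applies to the read-back added in cqspi_write_setup() and to the two added by the INDAC patch in cqspi_indirect_read_execute() and cqspi_indirect_write_execute().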
+@@ -609,6 +610,7 @@ static int cqspi_write_setup(struct spi_
+ reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK;
+ reg |= (nor->addr_width - 1);
+ writel(reg, reg_base + CQSPI_REG_SIZE);
++ readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */
+ return 0;
+ }
+
--- /dev/null
+From stable+bounces-188398-greg=kroah.com@vger.kernel.org Tue Oct 21 20:23:33 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Oct 2025 14:23:26 -0400
+Subject: spi: cadence-quadspi: Flush posted register writes before INDAC access
+To: stable@vger.kernel.org
+Cc: Pratyush Yadav <pratyush@kernel.org>, Santhosh Kumar K <s-k6@ti.com>, Mark Brown <broonie@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251021182326.2505523-1-sashal@kernel.org>
+
+From: Pratyush Yadav <pratyush@kernel.org>
+
+[ Upstream commit 29e0b471ccbd674d20d4bbddea1a51e7105212c5 ]
+
+cqspi_indirect_read_execute() and cqspi_indirect_write_execute() first
+set the enable bit on APB region and then start reading/writing to the
+AHB region. On TI K3 SoCs these regions lie on different endpoints. This
+means that the order of the two operations is not guaranteed, and they
+might be reordered at the interconnect level.
+
+It is possible for the AHB write to be executed before the APB write to
+enable the indirect controller, causing the transaction to be invalid
+and the write erroring out. Read back the APB region write before
+accessing the AHB region to make sure the write got flushed and the race
+condition is eliminated.
+
+Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller")
+CC: stable@vger.kernel.org
+Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
+Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
+Signed-off-by: Santhosh Kumar K <s-k6@ti.com>
+Message-ID: <20250905185958.3575037-2-s-k6@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+[ applied changes to drivers/mtd/spi-nor/cadence-quadspi.c instead of drivers/spi/spi-cadence-quadspi.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/cadence-quadspi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mtd/spi-nor/cadence-quadspi.c
++++ b/drivers/mtd/spi-nor/cadence-quadspi.c
+@@ -523,6 +523,7 @@ static int cqspi_indirect_read_execute(s
+ reinit_completion(&cqspi->transfer_complete);
+ writel(CQSPI_REG_INDIRECTRD_START_MASK,
+ reg_base + CQSPI_REG_INDIRECTRD);
++ readl(reg_base + CQSPI_REG_INDIRECTRD); /* Flush posted write. */
+
+ while (remaining > 0) {
+ if (!wait_for_completion_timeout(&cqspi->transfer_complete,
+@@ -633,6 +634,8 @@ static int cqspi_indirect_write_execute(
+ reinit_completion(&cqspi->transfer_complete);
+ writel(CQSPI_REG_INDIRECTWR_START_MASK,
+ reg_base + CQSPI_REG_INDIRECTWR);
++ readl(reg_base + CQSPI_REG_INDIRECTWR); /* Flush posted write. */
++
+ /*
+ * As per 66AK2G02 TRM SPRUHY8F section 11.15.5.3 Indirect Access
+ * Controller programming sequence, couple of cycles of
--- /dev/null
+From stable+bounces-188280-greg=kroah.com@vger.kernel.org Tue Oct 21 03:19:24 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Oct 2025 21:19:11 -0400
+Subject: vfs: Don't leak disconnected dentries on umount
+To: stable@vger.kernel.org
+Cc: Jan Kara <jack@suse.cz>, syzbot+1d79ebe5383fc016cf07@syzkaller.appspotmail.com, Christian Brauner <brauner@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251021011911.1967865-1-sashal@kernel.org>
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 56094ad3eaa21e6621396cc33811d8f72847a834 ]
+
+When user calls open_by_handle_at() on some inode that is not cached, we
+will create disconnected dentry for it. If such dentry is a directory,
+exportfs_decode_fh_raw() will then try to connect this dentry to the
+dentry tree through reconnect_path(). It may happen for various reasons
+(such as corrupted fs or race with rename) that the call to
+lookup_one_unlocked() in reconnect_one() will fail to find the dentry we
+are trying to reconnect and instead create a new dentry under the
+parent. Now this dentry will not be marked as disconnected although the
+parent still may well be disconnected (at least in case this
+inconsistency happened because the fs is corrupted and .. doesn't point
+to the real parent directory). This creates inconsistency in
+disconnected flags but AFAICS it was mostly harmless. At least until
+commit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon")
+which removed adding of most disconnected dentries to sb->s_anon list.
+Thus after this commit cleanup of disconnected dentries implicitely
+relies on the fact that dput() will immediately reclaim such dentries.
+However when some leaf dentry isn't marked as disconnected, as in the
+scenario described above, the reclaim doesn't happen and the dentries
+are "leaked". Memory reclaim can eventually reclaim them but otherwise
+they stay in memory and if umount comes first, we hit infamous "Busy
+inodes after unmount" bug. Make sure all dentries created under a
+disconnected parent are marked as disconnected as well.
+
+Reported-by: syzbot+1d79ebe5383fc016cf07@syzkaller.appspotmail.com
+Fixes: f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon")
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+[ relocated DCACHE_DISCONNECTED propagation from d_alloc_parallel() to d_alloc() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dcache.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -1782,6 +1782,8 @@ struct dentry *d_alloc(struct dentry * p
+ __dget_dlock(parent);
+ dentry->d_parent = parent;
+ list_add(&dentry->d_child, &parent->d_subdirs);
++ if (parent->d_flags & DCACHE_DISCONNECTED)
++ dentry->d_flags |= DCACHE_DISCONNECTED;
+ spin_unlock(&parent->d_lock);
+
+ return dentry;
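Review bot: The two added lines in d_alloc() that copy `DCACHE_DISCONNECTED` from `parent` carry no comment, and the reason is not evident from the code. The commit message ties it to dentries under a disconnected parent not being reclaimed by dput() and later surfacing as "Busy inodes after unmount". Suggest a comment above the `if`: `/* Children of a disconnected parent must be marked disconnected too, so dput() reclaims them. */`. The flag is copied while `parent->d_lock` is held, per the surrounding lines; d_alloc() starts outside this hunk, so the rest of its locking was not reviewed.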