--- /dev/null
+From 35264909e9d1973ab9aaa2a1b07cda70f12bb828 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Mon, 11 Mar 2024 15:51:59 +0100
+Subject: gfs2: Fix NULL pointer dereference in gfs2_log_flush
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit 35264909e9d1973ab9aaa2a1b07cda70f12bb828 upstream.
+
+In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush
+lock to provide exclusion against gfs2_log_flush().
+
+In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before
+dereferencing it. Otherwise, we could run into a NULL pointer
+dereference when outstanding glock work races with an unmount
+(glock_work_func -> run_queue -> do_xmote -> inode_go_sync ->
+gfs2_log_flush).
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ The context change is due to the commit 4d927b03a688
+ ("gfs2: Rename gfs2_withdrawn to gfs2_withdrawing_or_withdrawn") in v6.8
+ which is irrelevant to the logic of this patch. ]
+Signed-off-by: Rahul Sharma <black.hawk@163.com>
+---
+---
+ fs/gfs2/log.c | 3 ++-
+ fs/gfs2/super.c | 4 ++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/gfs2/log.c
++++ b/fs/gfs2/log.c
+@@ -1094,7 +1094,8 @@ repeat:
+ lops_before_commit(sdp, tr);
+ if (gfs2_withdrawn(sdp))
+ goto out_withdraw;
+- gfs2_log_submit_bio(&sdp->sd_jdesc->jd_log_bio, REQ_OP_WRITE);
++ if (sdp->sd_jdesc)
++ gfs2_log_submit_bio(&sdp->sd_jdesc->jd_log_bio, REQ_OP_WRITE);
+ if (gfs2_withdrawn(sdp))
+ goto out_withdraw;
+
+--- a/fs/gfs2/super.c
++++ b/fs/gfs2/super.c
+@@ -67,9 +67,13 @@ void gfs2_jindex_free(struct gfs2_sbd *s
+ sdp->sd_journals = 0;
+ spin_unlock(&sdp->sd_jindex_spin);
+
++ down_write(&sdp->sd_log_flush_lock);
+ sdp->sd_jdesc = NULL;
++ up_write(&sdp->sd_log_flush_lock);
++
+ while (!list_empty(&list)) {
+ jd = list_first_entry(&list, struct gfs2_jdesc, jd_list);
++ BUG_ON(jd->jd_log_bio);
+ gfs2_free_journal_extents(jd);
+ list_del(&jd->jd_list);
+ iput(jd->jd_inode);
--- /dev/null
+From stable+bounces-214824-greg=kroah.com@vger.kernel.org Sat Feb 7 20:30:54 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Feb 2026 14:30:47 -0500
+Subject: gve: Correct ethtool rx_dropped calculation
+To: stable@vger.kernel.org
+Cc: Max Yuan <maxyuan@google.com>, Jordan Rhee <jordanrhee@google.com>, Joshua Washington <joshwash@google.com>, Matt Olson <maolson@google.com>, Harshitha Ramamurthy <hramamurthy@google.com>, Jacob Keller <jacob.e.keller@intel.com>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260207193047.526604-1-sashal@kernel.org>
+
+From: Max Yuan <maxyuan@google.com>
+
+[ Upstream commit c7db85d579a1dccb624235534508c75fbf2dfe46 ]
+
+The gve driver's "rx_dropped" statistic, exposed via `ethtool -S`,
+incorrectly includes `rx_buf_alloc_fail` counts. These failures
+represent an inability to allocate receive buffers, not true packet
+drops where a received packet is discarded. This misrepresentation can
+lead to inaccurate diagnostics.
+
+This patch rectifies the ethtool "rx_dropped" calculation. It removes
+`rx_buf_alloc_fail` from the total and adds `xdp_tx_errors` and
+`xdp_redirect_errors`, which represent legitimate packet drops within
+the XDP path.
+
+Cc: stable@vger.kernel.org
+Fixes: 433e274b8f7b ("gve: Add stats for gve.")
+Signed-off-by: Max Yuan <maxyuan@google.com>
+Reviewed-by: Jordan Rhee <jordanrhee@google.com>
+Reviewed-by: Joshua Washington <joshwash@google.com>
+Reviewed-by: Matt Olson <maolson@google.com>
+Signed-off-by: Harshitha Ramamurthy <hramamurthy@google.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20260202193925.3106272-3-hramamurthy@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ removed rx_buf_alloc_fail from rx_dropped calculation ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/google/gve/gve_ethtool.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/google/gve/gve_ethtool.c
++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c
+@@ -212,8 +212,7 @@ gve_get_ethtool_stats(struct net_device
+ data[i++] = rx_bytes;
+ data[i++] = tx_bytes;
+ /* total rx dropped packets */
+- data[i++] = rx_skb_alloc_fail + rx_buf_alloc_fail +
+- rx_desc_err_dropped_pkt;
++ data[i++] = rx_skb_alloc_fail + rx_desc_err_dropped_pkt;
+ /* Skip tx_dropped */
+ i++;
+
+@@ -287,7 +286,6 @@ gve_get_ethtool_stats(struct net_device
+ data[i++] = tmp_rx_bytes;
+ /* rx dropped packets */
+ data[i++] = tmp_rx_skb_alloc_fail +
+- tmp_rx_buf_alloc_fail +
+ tmp_rx_desc_err_dropped_pkt;
+ data[i++] = rx->rx_copybreak_pkt;
+ data[i++] = rx->rx_copied_pkt;
--- /dev/null
+From stable+bounces-214816-greg=kroah.com@vger.kernel.org Sat Feb 7 19:09:38 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Feb 2026 13:09:30 -0500
+Subject: gve: Fix stats report corruption on queue count change
+To: stable@vger.kernel.org
+Cc: Debarghya Kundu <debarghyak@google.com>, Joshua Washington <joshwash@google.com>, Harshitha Ramamurthy <hramamurthy@google.com>, Jacob Keller <jacob.e.keller@intel.com>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260207180930.486611-1-sashal@kernel.org>
+
+From: Debarghya Kundu <debarghyak@google.com>
+
+[ Upstream commit 7b9ebcce0296e104a0d82a6b09d68564806158ff ]
+
+The driver and the NIC share a region in memory for stats reporting.
+The NIC calculates its offset into this region based on the total size
+of the stats region and the size of the NIC's stats.
+
+When the number of queues is changed, the driver's stats region is
+resized. If the queue count is increased, the NIC can write past
+the end of the allocated stats region, causing memory corruption.
+If the queue count is decreased, there is a gap between the driver
+and NIC stats, leading to incorrect stats reporting.
+
+This change fixes the issue by allocating stats region with maximum
+size, and the offset calculation for NIC stats is changed to match
+with the calculation of the NIC.
+
+Cc: stable@vger.kernel.org
+Fixes: 24aeb56f2d38 ("gve: Add Gvnic stats AQ command and ethtool show/set-priv-flags.")
+Signed-off-by: Debarghya Kundu <debarghyak@google.com>
+Reviewed-by: Joshua Washington <joshwash@google.com>
+Signed-off-by: Harshitha Ramamurthy <hramamurthy@google.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20260202193925.3106272-2-hramamurthy@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Same changes as 6.1 + context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/google/gve/gve_ethtool.c | 42 +++++++++++++++++---------
+ drivers/net/ethernet/google/gve/gve_main.c | 4 +-
+ 2 files changed, 31 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/ethernet/google/gve/gve_ethtool.c
++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c
+@@ -142,7 +142,8 @@ gve_get_ethtool_stats(struct net_device
+ tmp_rx_desc_err_dropped_pkt, tmp_tx_pkts, tmp_tx_bytes;
+ u64 rx_buf_alloc_fail, rx_desc_err_dropped_pkt, rx_pkts,
+ rx_skb_alloc_fail, rx_bytes, tx_pkts, tx_bytes;
+- int stats_idx, base_stats_idx, max_stats_idx;
++ int rx_base_stats_idx, max_rx_stats_idx, max_tx_stats_idx;
++ int stats_idx, stats_region_len, nic_stats_len;
+ struct stats *report_stats;
+ int *rx_qid_to_stats_idx;
+ int *tx_qid_to_stats_idx;
+@@ -228,14 +229,33 @@ gve_get_ethtool_stats(struct net_device
+ data[i++] = priv->stats_report_trigger_cnt;
+ i = GVE_MAIN_STATS_LEN;
+
+- /* For rx cross-reporting stats, start from nic rx stats in report */
+- base_stats_idx = GVE_TX_STATS_REPORT_NUM * priv->tx_cfg.num_queues +
+- GVE_RX_STATS_REPORT_NUM * priv->rx_cfg.num_queues;
+- max_stats_idx = NIC_RX_STATS_REPORT_NUM * priv->rx_cfg.num_queues +
+- base_stats_idx;
++ rx_base_stats_idx = 0;
++ max_rx_stats_idx = 0;
++ max_tx_stats_idx = 0;
++ stats_region_len = priv->stats_report_len -
++ sizeof(struct gve_stats_report);
++ nic_stats_len = (NIC_RX_STATS_REPORT_NUM * priv->rx_cfg.num_queues +
++ NIC_TX_STATS_REPORT_NUM * priv->tx_cfg.num_queues) *
++ sizeof(struct stats);
++ if (unlikely((stats_region_len -
++ nic_stats_len) % sizeof(struct stats))) {
++ net_err_ratelimited("Starting index of NIC stats should be multiple of stats size");
++ } else {
++ /* For rx cross-reporting stats,
++ * start from nic rx stats in report
++ */
++ rx_base_stats_idx = (stats_region_len - nic_stats_len) /
++ sizeof(struct stats);
++ max_rx_stats_idx = NIC_RX_STATS_REPORT_NUM *
++ priv->rx_cfg.num_queues +
++ rx_base_stats_idx;
++ max_tx_stats_idx = NIC_TX_STATS_REPORT_NUM *
++ priv->tx_cfg.num_queues +
++ max_rx_stats_idx;
++ }
+ /* Preprocess the stats report for rx, map queue id to start index */
+ skip_nic_stats = false;
+- for (stats_idx = base_stats_idx; stats_idx < max_stats_idx;
++ for (stats_idx = rx_base_stats_idx; stats_idx < max_rx_stats_idx;
+ stats_idx += NIC_RX_STATS_REPORT_NUM) {
+ u32 stat_name = be32_to_cpu(report_stats[stats_idx].stat_name);
+ u32 queue_id = be32_to_cpu(report_stats[stats_idx].queue_id);
+@@ -288,13 +308,9 @@ gve_get_ethtool_stats(struct net_device
+ i += priv->rx_cfg.num_queues * NUM_GVE_RX_CNTS;
+ }
+
+- /* For tx cross-reporting stats, start from nic tx stats in report */
+- base_stats_idx = max_stats_idx;
+- max_stats_idx = NIC_TX_STATS_REPORT_NUM * priv->tx_cfg.num_queues +
+- max_stats_idx;
+- /* Preprocess the stats report for tx, map queue id to start index */
+ skip_nic_stats = false;
+- for (stats_idx = base_stats_idx; stats_idx < max_stats_idx;
++ /* NIC TX stats start right after NIC RX stats */
++ for (stats_idx = max_rx_stats_idx; stats_idx < max_tx_stats_idx;
+ stats_idx += NIC_TX_STATS_REPORT_NUM) {
+ u32 stat_name = be32_to_cpu(report_stats[stats_idx].stat_name);
+ u32 queue_id = be32_to_cpu(report_stats[stats_idx].queue_id);
+--- a/drivers/net/ethernet/google/gve/gve_main.c
++++ b/drivers/net/ethernet/google/gve/gve_main.c
+@@ -135,9 +135,9 @@ static int gve_alloc_stats_report(struct
+ int tx_stats_num, rx_stats_num;
+
+ tx_stats_num = (GVE_TX_STATS_REPORT_NUM + NIC_TX_STATS_REPORT_NUM) *
+- priv->tx_cfg.num_queues;
++ priv->tx_cfg.max_queues;
+ rx_stats_num = (GVE_RX_STATS_REPORT_NUM + NIC_RX_STATS_REPORT_NUM) *
+- priv->rx_cfg.num_queues;
++ priv->rx_cfg.max_queues;
+ priv->stats_report_len = struct_size(priv->stats_report, stats,
+ size_add(tx_stats_num, rx_stats_num));
+ priv->stats_report =
--- /dev/null
+From bea3e1d4467bcf292c8e54f080353d556d355e26 Mon Sep 17 00:00:00 2001
+From: Kang Chen <k.chen@smail.nju.edu.cn>
+Date: Tue, 9 Sep 2025 11:13:16 +0800
+Subject: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
+
+From: Kang Chen <k.chen@smail.nju.edu.cn>
+
+commit bea3e1d4467bcf292c8e54f080353d556d355e26 upstream.
+
+BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186
+Read of size 2 at addr ffff8880289ef218 by task syz.6.248/14290
+
+CPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x5f0 mm/kasan/report.c:482
+ kasan_report+0xca/0x100 mm/kasan/report.c:595
+ hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186
+ hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738
+ vfs_listxattr+0xbe/0x140 fs/xattr.c:493
+ listxattr+0xee/0x190 fs/xattr.c:924
+ filename_listxattr fs/xattr.c:958 [inline]
+ path_listxattrat+0x143/0x360 fs/xattr.c:988
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fe0e9fae16d
+Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3
+RAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000
+RBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000
+ </TASK>
+
+Allocated by task 14290:
+ kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
+ __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
+ kasan_kmalloc include/linux/kasan.h:260 [inline]
+ __do_kmalloc_node mm/slub.c:4333 [inline]
+ __kmalloc_noprof+0x219/0x540 mm/slub.c:4345
+ kmalloc_noprof include/linux/slab.h:909 [inline]
+ hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21
+ hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697
+ vfs_listxattr+0xbe/0x140 fs/xattr.c:493
+ listxattr+0xee/0x190 fs/xattr.c:924
+ filename_listxattr fs/xattr.c:958 [inline]
+ path_listxattrat+0x143/0x360 fs/xattr.c:988
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+When hfsplus_uni2asc is called from hfsplus_listxattr,
+it actually passes in a struct hfsplus_attr_unistr*.
+The size of the corresponding structure is different from that of hfsplus_unistr,
+so the previous fix (94458781aee6) is insufficient.
+The pointer on the unicode buffer is still going beyond the allocated memory.
+
+This patch introduces two warpper functions hfsplus_uni2asc_xattr_str and
+hfsplus_uni2asc_str to process two unicode buffers,
+struct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively.
+When ustrlen value is bigger than the allocated memory size,
+the ustrlen value is limited to an safe size.
+
+Fixes: 94458781aee6 ("hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()")
+Signed-off-by: Kang Chen <k.chen@smail.nju.edu.cn>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250909031316.1647094-1-k.chen@smail.nju.edu.cn
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Jianqiang kang <jianqkang@sina.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hfsplus/dir.c | 2 +-
+ fs/hfsplus/hfsplus_fs.h | 8 ++++++--
+ fs/hfsplus/unicode.c | 24 +++++++++++++++++++-----
+ fs/hfsplus/xattr.c | 6 +++---
+ 4 files changed, 29 insertions(+), 11 deletions(-)
+
+--- a/fs/hfsplus/dir.c
++++ b/fs/hfsplus/dir.c
+@@ -204,7 +204,7 @@ static int hfsplus_readdir(struct file *
+ fd.entrylength);
+ type = be16_to_cpu(entry.type);
+ len = NLS_MAX_CHARSET_SIZE * HFSPLUS_MAX_STRLEN;
+- err = hfsplus_uni2asc(sb, &fd.key->cat.name, strbuf, &len);
++ err = hfsplus_uni2asc_str(sb, &fd.key->cat.name, strbuf, &len);
+ if (err)
+ goto out;
+ if (type == HFSPLUS_FOLDER) {
+--- a/fs/hfsplus/hfsplus_fs.h
++++ b/fs/hfsplus/hfsplus_fs.h
+@@ -516,8 +516,12 @@ int hfsplus_strcasecmp(const struct hfsp
+ const struct hfsplus_unistr *s2);
+ int hfsplus_strcmp(const struct hfsplus_unistr *s1,
+ const struct hfsplus_unistr *s2);
+-int hfsplus_uni2asc(struct super_block *sb, const struct hfsplus_unistr *ustr,
+- char *astr, int *len_p);
++int hfsplus_uni2asc_str(struct super_block *sb,
++ const struct hfsplus_unistr *ustr, char *astr,
++ int *len_p);
++int hfsplus_uni2asc_xattr_str(struct super_block *sb,
++ const struct hfsplus_attr_unistr *ustr,
++ char *astr, int *len_p);
+ int hfsplus_asc2uni(struct super_block *sb, struct hfsplus_unistr *ustr,
+ int max_unistr_len, const char *astr, int len);
+ int hfsplus_hash_dentry(const struct dentry *dentry, struct qstr *str);
+--- a/fs/hfsplus/unicode.c
++++ b/fs/hfsplus/unicode.c
+@@ -143,9 +143,8 @@ static u16 *hfsplus_compose_lookup(u16 *
+ return NULL;
+ }
+
+-int hfsplus_uni2asc(struct super_block *sb,
+- const struct hfsplus_unistr *ustr,
+- char *astr, int *len_p)
++static int hfsplus_uni2asc(struct super_block *sb, const struct hfsplus_unistr *ustr,
++ int max_len, char *astr, int *len_p)
+ {
+ const hfsplus_unichr *ip;
+ struct nls_table *nls = HFSPLUS_SB(sb)->nls;
+@@ -158,8 +157,8 @@ int hfsplus_uni2asc(struct super_block *
+ ip = ustr->unicode;
+
+ ustrlen = be16_to_cpu(ustr->length);
+- if (ustrlen > HFSPLUS_MAX_STRLEN) {
+- ustrlen = HFSPLUS_MAX_STRLEN;
++ if (ustrlen > max_len) {
++ ustrlen = max_len;
+ pr_err("invalid length %u has been corrected to %d\n",
+ be16_to_cpu(ustr->length), ustrlen);
+ }
+@@ -280,6 +279,21 @@ out:
+ return res;
+ }
+
++inline int hfsplus_uni2asc_str(struct super_block *sb,
++ const struct hfsplus_unistr *ustr, char *astr,
++ int *len_p)
++{
++ return hfsplus_uni2asc(sb, ustr, HFSPLUS_MAX_STRLEN, astr, len_p);
++}
++
++inline int hfsplus_uni2asc_xattr_str(struct super_block *sb,
++ const struct hfsplus_attr_unistr *ustr,
++ char *astr, int *len_p)
++{
++ return hfsplus_uni2asc(sb, (const struct hfsplus_unistr *)ustr,
++ HFSPLUS_ATTR_MAX_STRLEN, astr, len_p);
++}
++
+ /*
+ * Convert one or more ASCII characters into a single unicode character.
+ * Returns the number of ASCII characters corresponding to the unicode char.
+--- a/fs/hfsplus/xattr.c
++++ b/fs/hfsplus/xattr.c
+@@ -737,9 +737,9 @@ ssize_t hfsplus_listxattr(struct dentry
+ goto end_listxattr;
+
+ xattr_name_len = NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN;
+- if (hfsplus_uni2asc(inode->i_sb,
+- (const struct hfsplus_unistr *)&fd.key->attr.key_name,
+- strbuf, &xattr_name_len)) {
++ if (hfsplus_uni2asc_xattr_str(inode->i_sb,
++ &fd.key->attr.key_name, strbuf,
++ &xattr_name_len)) {
+ pr_err("unicode conversion failed\n");
+ res = -EIO;
+ goto end_listxattr;
--- /dev/null
+From 7d1d19a11cfbfd8bae1d89cc010b2cc397cd0c48 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20T=C3=B6pel?= <bjorn@rivosinc.com>
+Date: Sat, 19 Apr 2025 13:14:00 +0200
+Subject: riscv: uprobes: Add missing fence.i after building the XOL buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Björn Töpel <bjorn@rivosinc.com>
+
+commit 7d1d19a11cfbfd8bae1d89cc010b2cc397cd0c48 upstream.
+
+The XOL (execute out-of-line) buffer is used to single-step the
+replaced instruction(s) for uprobes. The RISC-V port was missing a
+proper fence.i (i$ flushing) after constructing the XOL buffer, which
+can result in incorrect execution of stale/broken instructions.
+
+This was found running the BPF selftests "test_progs:
+uprobe_autoattach, attach_probe" on the Spacemit K1/X60, where the
+uprobes tests randomly blew up.
+
+Reviewed-by: Guo Ren <guoren@kernel.org>
+Fixes: 74784081aac8 ("riscv: Add uprobes supported")
+Signed-off-by: Björn Töpel <bjorn@rivosinc.com>
+Link: https://lore.kernel.org/r/20250419111402.1660267-2-bjorn@kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Rahul Sharma <black.hawk@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/probes/uprobes.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/arch/riscv/kernel/probes/uprobes.c
++++ b/arch/riscv/kernel/probes/uprobes.c
+@@ -161,6 +161,7 @@ void arch_uprobe_copy_ixol(struct page *
+ /* Initialize the slot */
+ void *kaddr = kmap_atomic(page);
+ void *dst = kaddr + (vaddr & ~PAGE_MASK);
++ unsigned long start = (unsigned long)dst;
+
+ memcpy(dst, src, len);
+
+@@ -170,13 +171,6 @@ void arch_uprobe_copy_ixol(struct page *
+ *(uprobe_opcode_t *)dst = __BUG_INSN_32;
+ }
+
++ flush_icache_range(start, start + len);
+ kunmap_atomic(kaddr);
+-
+- /*
+- * We probably need flush_icache_user_page() but it needs vma.
+- * This should work on most of architectures by default. If
+- * architecture needs to do something different it can define
+- * its own version of the function.
+- */
+- flush_dcache_page(page);
+ }
nvmet-tcp-don-t-map-pages-which-can-t-come-from-high.patch
nvmet-tcp-add-bounds-checks-in-nvmet_tcp_build_pdu_i.patch
asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch
+riscv-uprobes-add-missing-fence.i-after-building-the-xol-buffer.patch
+hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2asc.patch
+gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch
+tracing-fix-ftrace-event-field-alignments.patch
+gve-fix-stats-report-corruption-on-queue-count-change.patch
+gve-correct-ethtool-rx_dropped-calculation.patch
--- /dev/null
+From stable+bounces-214815-greg=kroah.com@vger.kernel.org Sat Feb 7 18:55:26 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Feb 2026 12:55:20 -0500
+Subject: tracing: Fix ftrace event field alignments
+To: stable@vger.kernel.org
+Cc: Steven Rostedt <rostedt@goodmis.org>, Mathieu Desnoyers <mathieu.desnoyers@efficios.com>, Mark Rutland <mark.rutland@arm.com>, "Masami Hiramatsu (Google)" <mhiramat@kernel.org>, "jempty.liang" <imntjempty@163.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260207175520.482420-1-sashal@kernel.org>
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+[ Upstream commit 033c55fe2e326bea022c3cc5178ecf3e0e459b82 ]
+
+The fields of ftrace specific events (events used to save ftrace internal
+events like function traces and trace_printk) are generated similarly to
+how normal trace event fields are generated. That is, the fields are added
+to a trace_events_fields array that saves the name, offset, size,
+alignment and signness of the field. It is used to produce the output in
+the format file in tracefs so that tooling knows how to parse the binary
+data of the trace events.
+
+The issue is that some of the ftrace event structures are packed. The
+function graph exit event structures are one of them. The 64 bit calltime
+and rettime fields end up 4 byte aligned, but the algorithm to show to
+userspace shows them as 8 byte aligned.
+
+The macros that create the ftrace events has one for embedded structure
+fields. There's two macros for theses fields:
+
+ __field_desc() and __field_packed()
+
+The difference of the latter macro is that it treats the field as packed.
+
+Rename that field to __field_desc_packed() and create replace the
+__field_packed() to be a normal field that is packed and have the calltime
+and rettime use those.
+
+This showed up on 32bit architectures for function graph time fields. It
+had:
+
+ ~# cat /sys/kernel/tracing/events/ftrace/funcgraph_exit/format
+[..]
+ field:unsigned long func; offset:8; size:4; signed:0;
+ field:unsigned int depth; offset:12; size:4; signed:0;
+ field:unsigned int overrun; offset:16; size:4; signed:0;
+ field:unsigned long long calltime; offset:24; size:8; signed:0;
+ field:unsigned long long rettime; offset:32; size:8; signed:0;
+
+Notice that overrun is at offset 16 with size 4, where in the structure
+calltime is at offset 20 (16 + 4), but it shows the offset at 24. That's
+because it used the alignment of unsigned long long when used as a
+declaration and not as a member of a structure where it would be aligned
+by word size (in this case 4).
+
+By using the proper structure alignment, the format has it at the correct
+offset:
+
+ ~# cat /sys/kernel/tracing/events/ftrace/funcgraph_exit/format
+[..]
+ field:unsigned long func; offset:8; size:4; signed:0;
+ field:unsigned int depth; offset:12; size:4; signed:0;
+ field:unsigned int overrun; offset:16; size:4; signed:0;
+ field:unsigned long long calltime; offset:20; size:8; signed:0;
+ field:unsigned long long rettime; offset:28; size:8; signed:0;
+
+Cc: stable@vger.kernel.org
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reported-by: "jempty.liang" <imntjempty@163.com>
+Link: https://patch.msgid.link/20260204113628.53faec78@gandalf.local.home
+Fixes: 04ae87a52074e ("ftrace: Rework event_create_dir()")
+Closes: https://lore.kernel.org/all/20260130015740.212343-1-imntjempty@163.com/
+Closes: https://lore.kernel.org/all/20260202123342.2544795-1-imntjempty@163.com/
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+[ Context / renames ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace.h | 7 +++++--
+ kernel/trace/trace_entries.h | 14 +++++++-------
+ kernel/trace/trace_export.c | 21 +++++++++++++++------
+ 3 files changed, 27 insertions(+), 15 deletions(-)
+
+--- a/kernel/trace/trace.h
++++ b/kernel/trace/trace.h
+@@ -65,14 +65,17 @@ enum trace_type {
+ #undef __field_fn
+ #define __field_fn(type, item) type item;
+
++#undef __field_packed
++#define __field_packed(type, item) type item;
++
+ #undef __field_struct
+ #define __field_struct(type, item) __field(type, item)
+
+ #undef __field_desc
+ #define __field_desc(type, container, item)
+
+-#undef __field_packed
+-#define __field_packed(type, container, item)
++#undef __field_desc_packed
++#define __field_desc_packed(type, container, item)
+
+ #undef __array
+ #define __array(type, item, size) type item[size];
+--- a/kernel/trace/trace_entries.h
++++ b/kernel/trace/trace_entries.h
+@@ -78,8 +78,8 @@ FTRACE_ENTRY_PACKED(funcgraph_entry, ftr
+
+ F_STRUCT(
+ __field_struct( struct ftrace_graph_ent, graph_ent )
+- __field_packed( unsigned long, graph_ent, func )
+- __field_packed( int, graph_ent, depth )
++ __field_desc_packed( unsigned long, graph_ent, func )
++ __field_desc_packed( int, graph_ent, depth )
+ ),
+
+ F_printk("--> %ps (%d)", (void *)__entry->func, __entry->depth)
+@@ -92,11 +92,11 @@ FTRACE_ENTRY_PACKED(funcgraph_exit, ftra
+
+ F_STRUCT(
+ __field_struct( struct ftrace_graph_ret, ret )
+- __field_packed( unsigned long, ret, func )
+- __field_packed( int, ret, depth )
+- __field_packed( unsigned int, ret, overrun )
+- __field_packed( unsigned long long, ret, calltime)
+- __field_packed( unsigned long long, ret, rettime )
++ __field_desc_packed( unsigned long, ret, func )
++ __field_desc_packed( int, ret, depth )
++ __field_desc_packed( unsigned int, ret, overrun )
++ __field_desc_packed( unsigned long long, ret, calltime)
++ __field_desc_packed( unsigned long long, ret, rettime )
+ ),
+
+ F_printk("<-- %ps (%d) (start: %llx end: %llx) over: %d",
+--- a/kernel/trace/trace_export.c
++++ b/kernel/trace/trace_export.c
+@@ -42,11 +42,14 @@ static int ftrace_event_register(struct
+ #undef __field_fn
+ #define __field_fn(type, item) type item;
+
++#undef __field_packed
++#define __field_packed(type, item) type item;
++
+ #undef __field_desc
+ #define __field_desc(type, container, item) type item;
+
+-#undef __field_packed
+-#define __field_packed(type, container, item) type item;
++#undef __field_desc_packed
++#define __field_desc_packed(type, container, item) type item;
+
+ #undef __array
+ #define __array(type, item, size) type item[size];
+@@ -101,11 +104,14 @@ static void __always_unused ____ftrace_c
+ #undef __field_fn
+ #define __field_fn(_type, _item) __field_ext(_type, _item, FILTER_TRACE_FN)
+
++#undef __field_packed
++#define __field_packed(_type, _item) __field_ext_packed(_type, _item, FILTER_OTHER)
++
+ #undef __field_desc
+ #define __field_desc(_type, _container, _item) __field_ext(_type, _item, FILTER_OTHER)
+
+-#undef __field_packed
+-#define __field_packed(_type, _container, _item) __field_ext_packed(_type, _item, FILTER_OTHER)
++#undef __field_desc_packed
++#define __field_desc_packed(_type, _container, _item) __field_ext_packed(_type, _item, FILTER_OTHER)
+
+ #undef __array
+ #define __array(_type, _item, _len) { \
+@@ -139,11 +145,14 @@ static struct trace_event_fields ftrace_
+ #undef __field_fn
+ #define __field_fn(type, item)
+
++#undef __field_packed
++#define __field_packed(type, item)
++
+ #undef __field_desc
+ #define __field_desc(type, container, item)
+
+-#undef __field_packed
+-#define __field_packed(type, container, item)
++#undef __field_desc_packed
++#define __field_desc_packed(type, container, item)
+
+ #undef __array
+ #define __array(type, item, len)
projects / thirdparty / kernel / stable-queue.git / commitdiff
