--- /dev/null
+From 0f475ee0ebce5c9492b260027cd95270191675fa Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 27 Feb 2026 00:02:33 +0000
+Subject: btrfs: abort transaction on failure to update root in the received subvol ioctl
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 0f475ee0ebce5c9492b260027cd95270191675fa upstream.
+
+If we failed to update the root we don't abort the transaction, which is
+wrong since we already used the transaction to remove an item from the
+uuid tree.
+
+Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
+CC: stable@vger.kernel.org # 3.12+
+Reviewed-by: Anand Jain <asj@kernel.org>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ioctl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -4039,7 +4039,8 @@ static long _btrfs_ioctl_set_received_su
+
+ ret = btrfs_update_root(trans, fs_info->tree_root,
+ &root->root_key, &root->root_item);
+- if (ret < 0) {
++ if (unlikely(ret < 0)) {
++ btrfs_abort_transaction(trans, ret);
+ btrfs_end_transaction(trans);
+ goto out;
+ }
--- /dev/null
+From b2840e33127ce0eea880504b7f133e780f567a9b Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 25 Feb 2026 11:59:58 -0800
+Subject: btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit b2840e33127ce0eea880504b7f133e780f567a9b upstream.
+
+Call rcu_read_lock() before exiting the loop in
+try_release_subpage_extent_buffer() because there is a rcu_read_unlock()
+call past the loop.
+
+This has been detected by the Clang thread-safety analyzer.
+
+Fixes: ad580dfa388f ("btrfs: fix subpage deadlock in try_release_subpage_extent_buffer()")
+CC: stable@vger.kernel.org # 6.18+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent_io.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -4478,6 +4478,7 @@ static int try_release_subpage_extent_bu
+ */
+ if (!test_and_clear_bit(EXTENT_BUFFER_TREE_REF, &eb->bflags)) {
+ spin_unlock(&eb->refs_lock);
++ rcu_read_lock();
+ break;
+ }
+
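Review bot: The added `rcu_read_lock();` before `break` looks like a stray acquisition to anyone who has not read the code after the loop, so it deserves a one-line comment. Per the commit message there is an rcu_read_unlock() past the loop, which means every exit from the loop must leave the RCU read lock held. I would put `/* Re-take the RCU read lock: the rcu_read_unlock() after the loop expects it held. */` above the new line. The loop and the unlock after it are outside this hunk, so the pairing is taken from the description rather than from visible code.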
--- /dev/null
+From 2d1ababdedd4ba38867c2500eb7f95af5ddeeef7 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 26 Feb 2026 11:05:43 +0000
+Subject: btrfs: fix transaction abort on file creation due to name hash collision
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 2d1ababdedd4ba38867c2500eb7f95af5ddeeef7 upstream.
+
+If we attempt to create several files with names that result in the same
+hash, we have to pack them in same dir item and that has a limit inherent
+to the leaf size. However if we reach that limit, we trigger a transaction
+abort and turns the filesystem into RO mode. This allows for a malicious
+user to disrupt a system, without the need to have administration
+privileges/capabilities.
+
+Reproducer:
+
+ $ cat exploit-hash-collisions.sh
+ #!/bin/bash
+
+ DEV=/dev/sdi
+ MNT=/mnt/sdi
+
+ # Use smallest node size to make the test faster and require fewer file
+ # names that result in hash collision.
+ mkfs.btrfs -f --nodesize 4K $DEV
+ mount $DEV $MNT
+
+ # List of names that result in the same crc32c hash for btrfs.
+ declare -a names=(
+ 'foobar'
+ '%a8tYkxfGMLWRGr55QSeQc4PBNH9PCLIvR6jZnkDtUUru1t@RouaUe_L:@xGkbO3nCwvLNYeK9vhE628gss:T$yZjZ5l-Nbd6CbC$M=hqE-ujhJICXyIxBvYrIU9-TDC'
+ 'AQci3EUB%shMsg-N%frgU:02ByLs=IPJU0OpgiWit5nexSyxZDncY6WB:=zKZuk5Zy0DD$Ua78%MelgBuMqaHGyKsJUFf9s=UW80PcJmKctb46KveLSiUtNmqrMiL9-Y0I_l5Fnam04CGIg=8@U:Z'
+ 'CvVqJpJzueKcuA$wqwePfyu7VxuWNN3ho$p0zi2H8QFYK$7YlEqOhhb%:hHgjhIjW5vnqWHKNP4'
+ 'ET:vk@rFU4tsvMB0$C_p=xQHaYZjvoF%-BTc%wkFW8yaDAPcCYoR%x$FH5O:'
+ 'HwTon%v7SGSP4FE08jBwwiu5aot2CFKXHTeEAa@38fUcNGOWvE@Mz6WBeDH_VooaZ6AgsXPkVGwy9l@@ZbNXabUU9csiWrrOp0MWUdfi$EZ3w9GkIqtz7I_eOsByOkBOO'
+ 'Ij%2VlFGXSuPvxJGf5UWy6O@1svxGha%b@=%wjkq:CIgE6u7eJOjmQY5qTtxE2Rjbis9@us'
+ 'KBkjG5%9R8K9sOG8UTnAYjxLNAvBmvV5vz3IiZaPmKuLYO03-6asI9lJ_j4@6Xo$KZicaLWJ3Pv8XEwVeUPMwbHYWwbx0pYvNlGMO9F:ZhHAwyctnGy%_eujl%WPd4U2BI7qooOSr85J-C2V$LfY'
+ 'NcRfDfuUQ2=zP8K3CCF5dFcpfiOm6mwenShsAb_F%n6GAGC7fT2JFFn:c35X-3aYwoq7jNX5$ZJ6hI3wnZs$7KgGi7wjulffhHNUxAT0fRRLF39vJ@NvaEMxsMO'
+ 'Oj42AQAEzRoTxa5OuSKIr=A_lwGMy132v4g3Pdq1GvUG9874YseIFQ6QU'
+ 'Ono7avN5GjC:_6dBJ_'
+ 'WHmN2gnmaN-9dVDy4aWo:yNGFzz8qsJyJhWEWcud7$QzN2D9R0efIWWEdu5kwWr73NZm4=@CoCDxrrZnRITr-kGtU_cfW2:%2_am'
+ 'WiFnuTEhAG9FEC6zopQmj-A-$LDQ0T3WULz%ox3UZAPybSV6v1Z$b4L_XBi4M4BMBtJZpz93r9xafpB77r:lbwvitWRyo$odnAUYlYMmU4RvgnNd--e=I5hiEjGLETTtaScWlQp8mYsBovZwM2k'
+ 'XKyH=OsOAF3p%uziGF_ZVr$ivrvhVgD@1u%5RtrV-gl_vqAwHkK@x7YwlxX3qT6WKKQ%PR56NrUBU2dOAOAdzr2=5nJuKPM-T-$ZpQfCL7phxQbUcb:BZOTPaFExc-qK-gDRCDW2'
+ 'd3uUR6OFEwZr%ns1XH_@tbxA@cCPmbBRLdyh7p6V45H$P2$F%w0RqrD3M0g8aGvWpoTFMiBdOTJXjD:JF7=h9a_43xBywYAP%r$SPZi%zDg%ql-KvkdUCtF9OLaQlxmd'
+ 'ePTpbnit%hyNm@WELlpKzNZYOzOTf8EQ$sEfkMy1VOfIUu3coyvIr13-Y7Sv5v-Ivax2Go_GQRFMU1b3362nktT9WOJf3SpT%z8sZmM3gvYQBDgmKI%%RM-G7hyrhgYflOw%z::ZRcv5O:lDCFm'
+ 'evqk743Y@dvZAiG5J05L_ROFV@$2%rVWJ2%3nxV72-W7$e$-SK3tuSHA2mBt$qloC5jwNx33GmQUjD%akhBPu=VJ5g$xhlZiaFtTrjeeM5x7dt4cHpX0cZkmfImndYzGmvwQG:$euFYmXn$_2rA9mKZ'
+ 'gkgUtnihWXsZQTEkrMAWIxir09k3t7jk_IK25t1:cy1XWN0GGqC%FrySdcmU7M8MuPO_ppkLw3=Dfr0UuBAL4%GFk2$Ma10V1jDRGJje%Xx9EV2ERaWKtjpwiZwh0gCSJsj5UL7CR8RtW5opCVFKGGy8Cky'
+ 'hNgsG_8lNRik3PvphqPm0yEH3P%%fYG:kQLY=6O-61Wa6nrV_WVGR6TLB09vHOv%g4VQRP8Gzx7VXUY1qvZyS'
+ 'isA7JVzN12xCxVPJZ_qoLm-pTBuhjjHMvV7o=F:EaClfYNyFGlsfw-Kf%uxdqW-kwk1sPl2vhbjyHU1A6$hz'
+ 'kiJ_fgcdZFDiOptjgH5PN9-PSyLO4fbk_:u5_2tz35lV_iXiJ6cx7pwjTtKy-XGaQ5IefmpJ4N_ZqGsqCsKuqOOBgf9LkUdffHet@Wu'
+ 'lvwtxyhE9:%Q3UxeHiViUyNzJsy:fm38pg_b6s25JvdhOAT=1s0$pG25x=LZ2rlHTszj=gN6M4zHZYr_qrB49i=pA--@WqWLIuX7o1S_SfS@2FSiUZN'
+ 'rC24cw3UBDZ=5qJBUMs9e$=S4Y94ni%Z8639vnrGp=0Hv4z3dNFL0fBLmQ40=EYIY:Z=SLc@QLMSt2zsss2ZXrP7j4='
+ 'uwGl2s-fFrf@GqS=DQqq2I0LJSsOmM%xzTjS:lzXguE3wChdMoHYtLRKPvfaPOZF2fER@j53evbKa7R%A7r4%YEkD=kicJe@SFiGtXHbKe4gCgPAYbnVn'
+ 'UG37U6KKua2bgc:IHzRs7BnB6FD:2Mt5Cc5NdlsW%$1tyvnfz7S27FvNkroXwAW:mBZLA1@qa9WnDbHCDmQmfPMC9z-Eq6QT0jhhPpqyymaD:R02ghwYo%yx7SAaaq-:x33LYpei$5g8DMl3C'
+ 'y2vjek0FE1PDJC0qpfnN:x8k2wCFZ9xiUF2ege=JnP98R%wxjKkdfEiLWvQzmnW'
+ '8-HCSgH5B%K7P8_jaVtQhBXpBk:pE-$P7ts58U0J@iR9YZntMPl7j$s62yAJO@_9eanFPS54b=UTw$94C-t=HLxT8n6o9P=QnIxq-f1=Ne2dvhe6WbjEQtc'
+ 'YPPh:IFt2mtR6XWSmjHptXL_hbSYu8bMw-JP8@PNyaFkdNFsk$M=xfL6LDKCDM-mSyGA_2MBwZ8Dr4=R1D%7-mCaaKGxb990jzaagRktDTyp'
+ '9hD2ApKa_t_7x-a@GCG28kY:7$M@5udI1myQ$x5udtggvagmCQcq9QXWRC5hoB0o-_zHQUqZI5rMcz_kbMgvN5jr63LeYA4Cj-c6F5Ugmx6DgVf@2Jqm%MafecpgooqreJ53P-QTS'
+ )
+
+ # Now create files with all those names in the same parent directory.
+ # It should not fail since a 4K leaf has enough space for them.
+ for name in "${names[@]}"; do
+ touch $MNT/$name
+ done
+
+ # Now add one more file name that causes a crc32c hash collision.
+ # This should fail, but it should not turn the filesystem into RO mode
+ # (which could be exploited by malicious users) due to a transaction
+ # abort.
+ touch $MNT/'W6tIm-VK2@BGC@IBfcgg6j_p:pxp_QUqtWpGD5Ok_GmijKOJJt'
+
+ # Check that we are able to create another file, with a name that does not cause
+ # a crc32c hash collision.
+ echo -n "hello world" > $MNT/baz
+
+ # Unmount and mount again, verify file baz exists and with the right content.
+ umount $MNT
+ mount $DEV $MNT
+ echo "File baz content: $(cat $MNT/baz)"
+
+ umount $MNT
+
+When running the reproducer:
+
+ $ ./exploit-hash-collisions.sh
+ (...)
+ touch: cannot touch '/mnt/sdi/W6tIm-VK2@BGC@IBfcgg6j_p:pxp_QUqtWpGD5Ok_GmijKOJJt': Value too large for defined data type
+ ./exploit-hash-collisions.sh: line 57: /mnt/sdi/baz: Read-only file system
+ cat: /mnt/sdi/baz: No such file or directory
+ File baz content:
+
+And the transaction abort stack trace in dmesg/syslog:
+
+ $ dmesg
+ (...)
+ [758240.509761] ------------[ cut here ]------------
+ [758240.510668] BTRFS: Transaction aborted (error -75)
+ [758240.511577] WARNING: fs/btrfs/inode.c:6854 at btrfs_create_new_inode+0x805/0xb50 [btrfs], CPU#6: touch/888644
+ [758240.513513] Modules linked in: btrfs dm_zero (...)
+ [758240.523221] CPU: 6 UID: 0 PID: 888644 Comm: touch Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
+ [758240.524621] Tainted: [W]=WARN
+ [758240.525037] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
+ [758240.526331] RIP: 0010:btrfs_create_new_inode+0x80b/0xb50 [btrfs]
+ [758240.527093] Code: 0f 82 cf (...)
+ [758240.529211] RSP: 0018:ffffce64418fbb48 EFLAGS: 00010292
+ [758240.529935] RAX: 00000000ffffffd3 RBX: 0000000000000000 RCX: 00000000ffffffb5
+ [758240.531040] RDX: 0000000d04f33e06 RSI: 00000000ffffffb5 RDI: ffffffffc0919dd0
+ [758240.531920] RBP: ffffce64418fbc10 R08: 0000000000000000 R09: 00000000ffffffb5
+ [758240.532928] R10: 0000000000000000 R11: ffff8e52c0000000 R12: ffff8e53eee7d0f0
+ [758240.533818] R13: ffff8e57f70932a0 R14: ffff8e5417629568 R15: 0000000000000000
+ [758240.534664] FS: 00007f1959a2a740(0000) GS:ffff8e5b27cae000(0000) knlGS:0000000000000000
+ [758240.535821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [758240.536644] CR2: 00007f1959b10ce0 CR3: 000000012a2cc005 CR4: 0000000000370ef0
+ [758240.537517] Call Trace:
+ [758240.537828] <TASK>
+ [758240.538099] btrfs_create_common+0xbf/0x140 [btrfs]
+ [758240.538760] path_openat+0x111a/0x15b0
+ [758240.539252] do_filp_open+0xc2/0x170
+ [758240.539699] ? preempt_count_add+0x47/0xa0
+ [758240.540200] ? __virt_addr_valid+0xe4/0x1a0
+ [758240.540800] ? __check_object_size+0x1b3/0x230
+ [758240.541661] ? alloc_fd+0x118/0x180
+ [758240.542315] do_sys_openat2+0x70/0xd0
+ [758240.543012] __x64_sys_openat+0x50/0xa0
+ [758240.543723] do_syscall_64+0x50/0xf20
+ [758240.544462] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ [758240.545397] RIP: 0033:0x7f1959abc687
+ [758240.546019] Code: 48 89 fa (...)
+ [758240.548522] RSP: 002b:00007ffe16ff8690 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
+ [758240.566278] RAX: ffffffffffffffda RBX: 00007f1959a2a740 RCX: 00007f1959abc687
+ [758240.567068] RDX: 0000000000000941 RSI: 00007ffe16ffa333 RDI: ffffffffffffff9c
+ [758240.567860] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+ [758240.568707] R10: 00000000000001b6 R11: 0000000000000202 R12: 0000561eec7c4b90
+ [758240.569712] R13: 0000561eec7c311f R14: 00007ffe16ffa333 R15: 0000000000000000
+ [758240.570758] </TASK>
+ [758240.571040] ---[ end trace 0000000000000000 ]---
+ [758240.571681] BTRFS: error (device sdi state A) in btrfs_create_new_inode:6854: errno=-75 unknown
+ [758240.572899] BTRFS info (device sdi state EA): forced readonly
+
+Fix this by checking for a hash collision, and whether adding the new name
+is possible, early in btrfs_create_new_inode() before we do any tree updates,
+so that we don't need to abort the transaction if we cannot add the new
+name due to the leaf size limit.
+
+A test case for fstests will be sent soon.
+
+Fixes: caae78e03234 ("btrfs: move common inode creation code into btrfs_create_new_inode()")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/inode.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -6478,6 +6478,25 @@ int btrfs_create_new_inode(struct btrfs_
+ int ret;
+ bool xa_reserved = false;
+
++ if (!args->orphan && !args->subvol) {
++ /*
++ * Before anything else, check if we can add the name to the
++ * parent directory. We want to avoid a dir item overflow in
++ * case we have an existing dir item due to existing name
++ * hash collisions. We do this check here before we call
++ * btrfs_add_link() down below so that we can avoid a
++ * transaction abort (which could be exploited by malicious
++ * users).
++ *
++ * For subvolumes we already do this in btrfs_mksubvol().
++ */
++ ret = btrfs_check_dir_item_collision(BTRFS_I(dir)->root,
++ btrfs_ino(BTRFS_I(dir)),
++ name);
++ if (ret < 0)
++ return ret;
++ }
++
+ path = btrfs_alloc_path();
+ if (!path)
+ return -ENOMEM;
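Review bot: The new comment in btrfs_create_new_inode() explains why the collision check runs early, but not what keeps its result valid until btrfs_add_link() is reached. If a second name with the same hash could be inserted into the directory between the check and the link, the item overflow and the transaction abort would still be reachable by an unprivileged user. Presumably the parent directory's inode lock, held by the VFS during creation, rules this out, but that is not visible here. I would state the invariant in the comment, for example `* The parent directory is locked by our caller, so no colliding name can be added between this check and btrfs_add_link().`, after confirming it for every caller. The function body continues outside the hunk.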
--- /dev/null
+From 87f2c46003fce4d739138aab4af1942b1afdadac Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 26 Feb 2026 23:41:07 +0000
+Subject: btrfs: fix transaction abort on set received ioctl due to item overflow
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 87f2c46003fce4d739138aab4af1942b1afdadac upstream.
+
+If the set received ioctl fails due to an item overflow when attempting to
+add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction
+since we did some metadata updates before.
+
+This means that if a user calls this ioctl with the same received UUID
+field for a lot of subvolumes, we will hit the overflow, trigger the
+transaction abort and turn the filesystem into RO mode. A malicious user
+could exploit this, and this ioctl does not even require that a user
+has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.
+
+Fix this by doing an early check for item overflow before starting a
+transaction. This is also race safe because we are holding the subvol_sem
+semaphore in exclusive (write) mode.
+
+A test case for fstests will follow soon.
+
+Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
+CC: stable@vger.kernel.org # 3.12+
+Reviewed-by: Anand Jain <asj@kernel.org>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ioctl.c | 21 +++++++++++++++++++--
+ fs/btrfs/uuid-tree.c | 38 ++++++++++++++++++++++++++++++++++++++
+ fs/btrfs/uuid-tree.h | 2 ++
+ 3 files changed, 59 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3984,6 +3984,25 @@ static long _btrfs_ioctl_set_received_su
+ goto out;
+ }
+
++ received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
++ BTRFS_UUID_SIZE);
++
++ /*
++ * Before we attempt to add the new received uuid, check if we have room
++ * for it in case there's already an item. If the size of the existing
++ * item plus this root's ID (u64) exceeds the maximum item size, we can
++ * return here without the need to abort a transaction. If we don't do
++ * this check, the btrfs_uuid_tree_add() call below would fail with
++ * -EOVERFLOW and result in a transaction abort. Malicious users could
++ * exploit this to turn the fs into RO mode.
++ */
++ if (received_uuid_changed && !btrfs_is_empty_uuid(sa->uuid)) {
++ ret = btrfs_uuid_tree_check_overflow(fs_info, sa->uuid,
++ BTRFS_UUID_KEY_RECEIVED_SUBVOL);
++ if (ret < 0)
++ goto out;
++ }
++
+ /*
+ * 1 - root item
+ * 2 - uuid items (received uuid + subvol uuid)
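Review bot: The comment above the `btrfs_uuid_tree_check_overflow()` call does not say why a check made before the transaction starts stays valid, although the commit message gives the reason: subvol_sem is held in exclusive mode. Without that sentence the code reads as a check-then-act gap, and a later change to the locking could silently bring back the abort that unprivileged users can trigger. I would add to the comment `* This is race safe because we hold subvol_sem in exclusive (write) mode.` The lock acquisition itself is outside the hunk, so the claim rests on the description.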
+@@ -3999,8 +4018,6 @@ static long _btrfs_ioctl_set_received_su
+ sa->rtime.sec = ct.tv_sec;
+ sa->rtime.nsec = ct.tv_nsec;
+
+- received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
+- BTRFS_UUID_SIZE);
+ if (received_uuid_changed &&
+ !btrfs_is_empty_uuid(root_item->received_uuid)) {
+ ret = btrfs_uuid_tree_remove(trans, root_item->received_uuid,
+--- a/fs/btrfs/uuid-tree.c
++++ b/fs/btrfs/uuid-tree.c
+@@ -227,6 +227,44 @@ out:
+ return ret;
+ }
+
++/*
++ * Check if we can add one root ID to a UUID key.
++ * If the key does not yet exists, we can, otherwise only if extended item does
++ * not exceeds the maximum item size permitted by the leaf size.
++ *
++ * Returns 0 on success, negative value on error.
++ */
++int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
++ const u8 *uuid, u8 type)
++{
++ BTRFS_PATH_AUTO_FREE(path);
++ int ret;
++ u32 item_size;
++ struct btrfs_key key;
++
++ if (WARN_ON_ONCE(!fs_info->uuid_root))
++ return -EINVAL;
++
++ path = btrfs_alloc_path();
++ if (!path)
++ return -ENOMEM;
++
++ btrfs_uuid_to_key(uuid, type, &key);
++ ret = btrfs_search_slot(NULL, fs_info->uuid_root, &key, path, 0, 0);
++ if (ret < 0)
++ return ret;
++ if (ret > 0)
++ return 0;
++
++ item_size = btrfs_item_size(path->nodes[0], path->slots[0]);
++
++ if (sizeof(struct btrfs_item) + item_size + sizeof(u64) >
++ BTRFS_LEAF_DATA_SIZE(fs_info))
++ return -EOVERFLOW;
++
++ return 0;
++}
++
+ static int btrfs_uuid_iter_rem(struct btrfs_root *uuid_root, u8 *uuid, u8 type,
+ u64 subid)
+ {
+--- a/fs/btrfs/uuid-tree.h
++++ b/fs/btrfs/uuid-tree.h
+@@ -12,6 +12,8 @@ int btrfs_uuid_tree_add(struct btrfs_tra
+ u64 subid);
+ int btrfs_uuid_tree_remove(struct btrfs_trans_handle *trans, const u8 *uuid, u8 type,
+ u64 subid);
++int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
++ const u8 *uuid, u8 type);
+ int btrfs_uuid_tree_iterate(struct btrfs_fs_info *fs_info);
+ int btrfs_create_uuid_tree(struct btrfs_fs_info *fs_info);
+ int btrfs_uuid_scan_kthread(void *data);
--- /dev/null
+From e1b18b959025e6b5dbad668f391f65d34b39595a Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Mon, 23 Feb 2026 16:19:31 +0000
+Subject: btrfs: fix transaction abort when snapshotting received subvolumes
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit e1b18b959025e6b5dbad668f391f65d34b39595a upstream.
+
+Currently a user can trigger a transaction abort by snapshotting a
+previously received snapshot a bunch of times until we reach a
+BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we
+can store in a leaf). This is very likely not common in practice, but
+if it happens, it turns the filesystem into RO mode. The snapshot, send
+and set_received_subvol and subvol_setflags (used by receive) don't
+require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user
+could use this to turn a filesystem into RO mode and disrupt a system.
+
+Reproducer script:
+
+ $ cat test.sh
+ #!/bin/bash
+
+ DEV=/dev/sdi
+ MNT=/mnt/sdi
+
+ # Use smallest node size to make the test faster.
+ mkfs.btrfs -f --nodesize 4K $DEV
+ mount $DEV $MNT
+
+ # Create a subvolume and set it to RO so that it can be used for send.
+ btrfs subvolume create $MNT/sv
+ touch $MNT/sv/foo
+ btrfs property set $MNT/sv ro true
+
+ # Send and receive the subvolume into snaps/sv.
+ mkdir $MNT/snaps
+ btrfs send $MNT/sv | btrfs receive $MNT/snaps
+
+ # Now snapshot the received subvolume, which has a received_uuid, a
+ # lot of times to trigger the leaf overflow.
+ total=500
+ for ((i = 1; i <= $total; i++)); do
+ echo -ne "\rCreating snapshot $i/$total"
+ btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null
+ done
+ echo
+
+ umount $MNT
+
+When running the test:
+
+ $ ./test.sh
+ (...)
+ Create subvolume '/mnt/sdi/sv'
+ At subvol /mnt/sdi/sv
+ At subvol sv
+ Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type
+ Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system
+ Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system
+ Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system
+ Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system
+
+And in dmesg/syslog:
+
+ $ dmesg
+ (...)
+ [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!
+ [251067.629212] ------------[ cut here ]------------
+ [251067.630033] BTRFS: Transaction aborted (error -75)
+ [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235
+ [251067.632851] Modules linked in: btrfs dm_zero (...)
+ [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
+ [251067.646165] Tainted: [W]=WARN
+ [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
+ [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]
+ [251067.649984] Code: f0 48 0f (...)
+ [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292
+ [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3
+ [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750
+ [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820
+ [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0
+ [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5
+ [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000
+ [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0
+ [251067.661972] Call Trace:
+ [251067.662292] <TASK>
+ [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs]
+ [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs]
+ [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]
+ [251067.665238] ? _raw_spin_unlock+0x15/0x30
+ [251067.665837] ? record_root_in_trans+0xa2/0xd0 [btrfs]
+ [251067.666531] btrfs_mksubvol+0x330/0x580 [btrfs]
+ [251067.667145] btrfs_mksnapshot+0x74/0xa0 [btrfs]
+ [251067.667827] __btrfs_ioctl_snap_create+0x194/0x1d0 [btrfs]
+ [251067.668595] btrfs_ioctl_snap_create_v2+0x107/0x130 [btrfs]
+ [251067.669479] btrfs_ioctl+0x1580/0x2690 [btrfs]
+ [251067.670093] ? count_memcg_events+0x6d/0x180
+ [251067.670849] ? handle_mm_fault+0x1a0/0x2a0
+ [251067.671652] __x64_sys_ioctl+0x92/0xe0
+ [251067.672406] do_syscall_64+0x50/0xf20
+ [251067.673129] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ [251067.674096] RIP: 0033:0x7f2a495648db
+ [251067.674812] Code: 00 48 89 (...)
+ [251067.678227] RSP: 002b:00007ffc5aa57840 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+ [251067.679691] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2a495648db
+ [251067.681145] RDX: 00007ffc5aa588b0 RSI: 0000000050009417 RDI: 0000000000000004
+ [251067.682511] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+ [251067.683842] R10: 000000000000000a R11: 0000000000000246 R12: 00007ffc5aa59910
+ [251067.685176] R13: 00007ffc5aa588b0 R14: 0000000000000004 R15: 0000000000000006
+ [251067.686524] </TASK>
+ [251067.686972] ---[ end trace 0000000000000000 ]---
+ [251067.687890] BTRFS: error (device sdi state A) in create_pending_snapshot:1907: errno=-75 unknown
+ [251067.689049] BTRFS info (device sdi state EA): forced readonly
+ [251067.689054] BTRFS warning (device sdi state EA): Skipping commit of aborted transaction.
+ [251067.690119] BTRFS: error (device sdi state EA) in cleanup_transaction:2043: errno=-75 unknown
+ [251067.702028] BTRFS info (device sdi state EA): last unmount of filesystem 46dc3975-30a2-4a69-a18f-418b859cccda
+
+Fix this by ignoring -EOVERFLOW errors from btrfs_uuid_tree_add() in the
+snapshot creation code when attempting to add the
+BTRFS_UUID_KEY_RECEIVED_SUBVOL item. This is OK because it's not critical
+and we are still able to delete the snapshot, as snapshot/subvolume
+deletion ignores if a BTRFS_UUID_KEY_RECEIVED_SUBVOL is missing (see
+inode.c:btrfs_delete_subvolume()). As for send/receive, we can still do
+send/receive operations since it always peeks the first root ID in the
+existing BTRFS_UUID_KEY_RECEIVED_SUBVOL (it could peek any since all
+snapshots have the same content), and even if the key is missing, it
+falls back to searching by BTRFS_UUID_KEY_SUBVOL key.
+
+A test case for fstests will be sent soon.
+
+Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
+CC: stable@vger.kernel.org # 3.12+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/transaction.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -1890,6 +1890,22 @@ static noinline int create_pending_snaps
+ ret = btrfs_uuid_tree_add(trans, new_root_item->received_uuid,
+ BTRFS_UUID_KEY_RECEIVED_SUBVOL,
+ objectid);
++ /*
++ * We are creating of lot of snapshots of the same root that was
++ * received (has a received UUID) and reached a leaf's limit for
++ * an item. We can safely ignore this and avoid a transaction
++ * abort. A deletion of this snapshot will still work since we
++ * ignore if an item with a BTRFS_UUID_KEY_RECEIVED_SUBVOL key
++ * is missing (see btrfs_delete_subvolume()). Send/receive will
++ * work too since it peeks the first root id from the existing
++ * item (it could peek any), and in case it's missing it
++ * falls back to search by BTRFS_UUID_KEY_SUBVOL keys.
++ * Creation of a snapshot does not require CAP_SYS_ADMIN, so
++ * we don't want users triggering transaction aborts, either
++ * intentionally or not.
++ */
++ if (ret == -EOVERFLOW)
++ ret = 0;
+ if (unlikely(ret && ret != -EEXIST)) {
+ btrfs_abort_transaction(trans, ret);
+ goto fail;
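Review bot: Swallowing `-EOVERFLOW` here removes the abort, but the insert path may still log on this error. The dmesg excerpt in the commit message shows a `BTRFS warning ... insert uuid item failed -75` line printed before the abort. If that message comes from btrfs_uuid_tree_add(), every further snapshot of the same received subvolume would still emit it, and snapshot creation needs no CAP_SYS_ADMIN, so an unprivileged user could flood the kernel log. It is worth confirming and, if so, rate limiting (`btrfs_warn_rl`) or skipping the message for -EOVERFLOW. The new comment also has a typo, "creating of lot of" for "creating a lot of"; create_pending_snapshot() continues outside the hunk.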
--- /dev/null
+From e3beefd3af09f8e460ddaf39063d3d7664d7ab59 Mon Sep 17 00:00:00 2001
+From: Shyam Prasad N <sprasad@microsoft.com>
+Date: Wed, 11 Mar 2026 10:48:54 +0530
+Subject: cifs: make default value of retrans as zero
+
+From: Shyam Prasad N <sprasad@microsoft.com>
+
+commit e3beefd3af09f8e460ddaf39063d3d7664d7ab59 upstream.
+
+When retrans mount option was introduced, the default value was set
+as 1. However, in the light of some bugs that this has exposed recently
+we should change it to 0 and retain the old behaviour before this option
+was introduced.
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Bharath SM <bharathsm@microsoft.com>
+Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/fs_context.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -1920,7 +1920,7 @@ int smb3_init_fs_context(struct fs_conte
+ ctx->backupuid_specified = false; /* no backup intent for a user */
+ ctx->backupgid_specified = false; /* no backup intent for a group */
+
+- ctx->retrans = 1;
++ ctx->retrans = 0;
+ ctx->reparse_type = CIFS_REPARSE_TYPE_DEFAULT;
+ ctx->symlink_type = CIFS_SYMLINK_TYPE_DEFAULT;
+ ctx->nonativesocket = 0;
--- /dev/null
+From 72ecb1dae72775fa9fea0159d8445d620a0a2295 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Thu, 5 Mar 2026 09:06:11 -0600
+Subject: drm/amd: Fix a few more NULL pointer dereference in device cleanup
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 72ecb1dae72775fa9fea0159d8445d620a0a2295 upstream.
+
+I found a few more paths where cleanup fails due to a NULL version pointer
+on unsupported hardware.
+
+Add NULL checks as applicable.
+
+Fixes: 39fc2bc4da00 ("drm/amdgpu: Protect GPU register accesses in powergated state in some paths")
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit f5a05f8414fc10f307eb965f303580c7778f8dd2)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -3625,6 +3625,8 @@ static int amdgpu_device_ip_fini_early(s
+ int i, r;
+
+ for (i = 0; i < adev->num_ip_blocks; i++) {
++ if (!adev->ip_blocks[i].version)
++ continue;
+ if (!adev->ip_blocks[i].version->funcs->early_fini)
+ continue;
+
+@@ -3687,6 +3689,8 @@ static int amdgpu_device_ip_fini(struct
+ if (!adev->ip_blocks[i].status.sw)
+ continue;
+
++ if (!adev->ip_blocks[i].version)
++ continue;
+ if (adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_GMC) {
+ amdgpu_ucode_free_bo(adev);
+ amdgpu_free_static_csa(&adev->virt.csa_obj);
+@@ -3713,6 +3717,8 @@ static int amdgpu_device_ip_fini(struct
+ for (i = adev->num_ip_blocks - 1; i >= 0; i--) {
+ if (!adev->ip_blocks[i].status.late_initialized)
+ continue;
++ if (!adev->ip_blocks[i].version)
++ continue;
+ if (adev->ip_blocks[i].version->funcs->late_fini)
+ adev->ip_blocks[i].version->funcs->late_fini(&adev->ip_blocks[i]);
+ adev->ip_blocks[i].status.late_initialized = false;
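Review bot: In the late_fini loop the new `continue` on a NULL `version` also skips the `status.late_initialized = false` assignment at the end of the loop body, so such a block keeps its flag set after teardown. That is probably harmless, but any later pass that trusts the flag would see stale state. Guarding only the call keeps the reset: `if (adev->ip_blocks[i].version && adev->ip_blocks[i].version->funcs->late_fini)`. The sw_fini loop in the previous hunk likely has the same shape, with its status resets outside the visible lines.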
--- /dev/null
+From 062ea905fff7756b2e87143ffccaece5cdb44267 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Wed, 4 Mar 2026 14:07:40 -0600
+Subject: drm/amd: Fix NULL pointer dereference in device cleanup
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 062ea905fff7756b2e87143ffccaece5cdb44267 upstream.
+
+When GPU initialization fails due to an unsupported HW block
+IP blocks may have a NULL version pointer. During cleanup in
+amdgpu_device_fini_hw, the code calls amdgpu_device_set_pg_state and
+amdgpu_device_set_cg_state which iterate over all IP blocks and access
+adev->ip_blocks[i].version without NULL checks, leading to a kernel
+NULL pointer dereference.
+
+Add NULL checks for adev->ip_blocks[i].version in both
+amdgpu_device_set_cg_state and amdgpu_device_set_pg_state to prevent
+dereferencing NULL pointers during GPU teardown when initialization has
+failed.
+
+Fixes: 39fc2bc4da00 ("drm/amdgpu: Protect GPU register accesses in powergated state in some paths")
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit b7ac77468cda92eecae560b05f62f997a12fe2f2)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -3375,6 +3375,8 @@ int amdgpu_device_set_cg_state(struct am
+ i = state == AMD_CG_STATE_GATE ? j : adev->num_ip_blocks - j - 1;
+ if (!adev->ip_blocks[i].status.late_initialized)
+ continue;
++ if (!adev->ip_blocks[i].version)
++ continue;
+ /* skip CG for GFX, SDMA on S0ix */
+ if (adev->in_s0ix &&
+ (adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_GFX ||
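Review bot: The new `if (!adev->ip_blocks[i].version) continue;` carries no comment saying when `version` can be NULL, and the code elsewhere in the loop treats it as always valid. The commit message gives the condition (initialization failed on an unsupported HW block), which should live next to the check: `/* version is NULL if init failed on an unsupported HW block */`. The same comment applies to the identical guard in the amdgpu_device_set_pg_state hunk below. Both loop bodies continue outside their hunks.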
+@@ -3414,6 +3416,8 @@ int amdgpu_device_set_pg_state(struct am
+ i = state == AMD_PG_STATE_GATE ? j : adev->num_ip_blocks - j - 1;
+ if (!adev->ip_blocks[i].status.late_initialized)
+ continue;
++ if (!adev->ip_blocks[i].version)
++ continue;
+ /* skip PG for GFX, SDMA on S0ix */
+ if (adev->in_s0ix &&
+ (adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_GFX ||
--- /dev/null
+From 68785c5e79e0fc1eacf63026fbba32be3867f410 Mon Sep 17 00:00:00 2001
+From: Yang Wang <kevinyang.wang@amd.com>
+Date: Wed, 25 Feb 2026 22:51:06 -0500
+Subject: drm/amd/pm: remove invalid gpu_metrics.energy_accumulator on smu v13.0.x
+
+From: Yang Wang <kevinyang.wang@amd.com>
+
+commit 68785c5e79e0fc1eacf63026fbba32be3867f410 upstream.
+
+v1:
+The metrics->EnergyAccumulator field has been deprecated on newer pmfw.
+
+v2:
+add smu 13.0.0/13.0.7/13.0.10 support.
+
+Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 8de9edb35976fa56565dc8fbb5d1310e8e10187c)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 8 +++++++-
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 3 ++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
+@@ -2109,6 +2109,7 @@ static ssize_t smu_v13_0_0_get_gpu_metri
+ (struct gpu_metrics_v1_3 *)smu_table->gpu_metrics_table;
+ SmuMetricsExternal_t metrics_ext;
+ SmuMetrics_t *metrics = &metrics_ext.SmuMetrics;
++ uint32_t mp1_ver = amdgpu_ip_version(smu->adev, MP1_HWIP, 0);
+ int ret = 0;
+
+ ret = smu_cmn_get_metrics_table(smu,
+@@ -2133,7 +2134,12 @@ static ssize_t smu_v13_0_0_get_gpu_metri
+ metrics->Vcn1ActivityPercentage);
+
+ gpu_metrics->average_socket_power = metrics->AverageSocketPower;
+- gpu_metrics->energy_accumulator = metrics->EnergyAccumulator;
++
++ if ((mp1_ver == IP_VERSION(13, 0, 0) && smu->smc_fw_version <= 0x004e1e00) ||
++ (mp1_ver == IP_VERSION(13, 0, 10) && smu->smc_fw_version <= 0x00500800))
++ gpu_metrics->energy_accumulator = metrics->EnergyAccumulator;
++ else
++ gpu_metrics->energy_accumulator = UINT_MAX;
+
+ if (metrics->AverageGfxActivity <= SMU_13_0_0_BUSY_THRESHOLD)
+ gpu_metrics->average_gfxclk_frequency = metrics->AverageGfxclkFrequencyPostDs;
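Review bot: `gpu_metrics->energy_accumulator = UINT_MAX;` stores 0xFFFFFFFF, which is the "not available" marker only if the field is 32 bits wide. The table is cast to `struct gpu_metrics_v1_3`, whose definition is not in this hunk; if `energy_accumulator` is a 64-bit field there, consumers will read 4294967295 as a real counter value rather than as invalid, and `U64_MAX` would be the matching sentinel. The same applies to the ternary in the smu_v13_0_7 hunk below. The firmware cut-offs `0x004e1e00`, `0x00500800` and `0x00521400` would also be easier to audit with a comment giving the pmfw release each one encodes.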
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
+@@ -2119,7 +2119,8 @@ static ssize_t smu_v13_0_7_get_gpu_metri
+ metrics->Vcn1ActivityPercentage);
+
+ gpu_metrics->average_socket_power = metrics->AverageSocketPower;
+- gpu_metrics->energy_accumulator = metrics->EnergyAccumulator;
++ gpu_metrics->energy_accumulator = smu->smc_fw_version <= 0x00521400 ?
++ metrics->EnergyAccumulator : UINT_MAX;
+
+ if (metrics->AverageGfxActivity <= SMU_13_0_7_BUSY_THRESHOLD)
+ gpu_metrics->average_gfxclk_frequency = metrics->AverageGfxclkFrequencyPostDs;
--- /dev/null
+From 3646ff28780b4c52c5b5081443199e7a430110e5 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Tue, 10 Mar 2026 11:58:22 -0500
+Subject: drm/amd: Set num IP blocks to 0 if discovery fails
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 3646ff28780b4c52c5b5081443199e7a430110e5 upstream.
+
+If discovery has failed for any reason (such as no support for a block)
+then there is no need to unwind all the IP blocks in fini. In this
+condition there can actually be failures during the unwind too.
+
+Reset num_ip_blocks to zero during failure path and skip the unnecessary
+cleanup path.
+
+Suggested-by: Lijo Lazar <lijo.lazar@amd.com>
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit fae5984296b981c8cc3acca35b701c1f332a6cd8)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 +++-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -2814,8 +2814,10 @@ static int amdgpu_device_ip_early_init(s
+ break;
+ default:
+ r = amdgpu_discovery_set_ip_blocks(adev);
+- if (r)
++ if (r) {
++ adev->num_ip_blocks = 0;
+ return r;
++ }
+ break;
+ }
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+@@ -83,7 +83,7 @@ void amdgpu_driver_unload_kms(struct drm
+ {
+ struct amdgpu_device *adev = drm_to_adev(dev);
+
+- if (adev == NULL)
++ if (adev == NULL || !adev->num_ip_blocks)
+ return;
+
+ amdgpu_unregister_gpu_instance(adev);
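Review bot: The widened guard `if (adev == NULL || !adev->num_ip_blocks) return;` makes a zero block count skip the whole of amdgpu_driver_unload_kms(), not only the per-IP unwind. The rest of the body is outside this hunk, so it is worth confirming that nothing after `amdgpu_unregister_gpu_instance(adev)` releases state that was set up before IP discovery ran; otherwise the failure path would leak it. A comment on the check, for example `/* num_ip_blocks == 0: IP discovery failed in early init, nothing to unwind */`, would document that zero now doubles as a failure marker.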
--- /dev/null
+From 2c1030f2e84885cc58bffef6af67d5b9d2e7098f Mon Sep 17 00:00:00 2001
+From: Alysa Liu <Alysa.Liu@amd.com>
+Date: Thu, 5 Feb 2026 11:21:45 -0500
+Subject: drm/amdgpu: Fix use-after-free race in VM acquire
+
+From: Alysa Liu <Alysa.Liu@amd.com>
+
+commit 2c1030f2e84885cc58bffef6af67d5b9d2e7098f upstream.
+
+Replace non-atomic vm->process_info assignment with cmpxchg()
+to prevent race when parent/child processes sharing a drm_file
+both try to acquire the same VM after fork().
+
+Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+Signed-off-by: Alysa Liu <Alysa.Liu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+@@ -1421,7 +1421,10 @@ static int init_kfd_vm(struct amdgpu_vm
+ *process_info = info;
+ }
+
+- vm->process_info = *process_info;
++ if (cmpxchg(&vm->process_info, NULL, *process_info) != NULL) {
++ ret = -EINVAL;
++ goto already_acquired;
++ }
+
+ /* Validate page directory and attach eviction fence */
+ ret = amdgpu_bo_reserve(vm->root.bo, true);
+@@ -1461,6 +1464,7 @@ validate_pd_fail:
+ amdgpu_bo_unreserve(vm->root.bo);
+ reserve_pd_fail:
+ vm->process_info = NULL;
++already_acquired:
+ if (info) {
+ dma_fence_put(&info->eviction_fence->base);
+ *process_info = NULL;
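Review bot: The `reserve_pd_fail` path still clears the field with a plain `vm->process_info = NULL;`, while the acquire side now claims it with `cmpxchg()`. A second caller can be running its `cmpxchg()` concurrently with that store, so the clear should be marked as well, `WRITE_ONCE(vm->process_info, NULL);`, to keep the compiler from tearing or reordering it. It would also help to comment the `already_acquired:` label as the path that must not touch `vm->process_info`, since the VM belongs to the other acquirer at that point. init_kfd_vm() starts and ends outside these hunks.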
--- /dev/null
+From 2f22702dc0fee06a240404e0f7ead5b789b253d8 Mon Sep 17 00:00:00 2001
+From: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Date: Thu, 26 Feb 2026 17:16:44 +0100
+Subject: drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding
+
+From: Luca Ceresoli <luca.ceresoli@bootlin.com>
+
+commit 2f22702dc0fee06a240404e0f7ead5b789b253d8 upstream.
+
+The DSI frequency must be in the range:
+
+ (CHA_DSI_CLK_RANGE * 5 MHz) <= DSI freq < ((CHA_DSI_CLK_RANGE + 1) * 5 MHz)
+
+So the register value should point to the lower range value, but
+DIV_ROUND_UP() rounds the division to the higher range value, resulting in
+an excess of 1 (unless the frequency is an exact multiple of 5 MHz).
+
+For example for a 437100000 MHz clock CHA_DSI_CLK_RANGE should be 87 (0x57):
+
+ (87 * 5 = 435) <= 437.1 < (88 * 5 = 440)
+
+but current code returns 88 (0x58).
+
+Fix the computation by removing the DIV_ROUND_UP().
+
+Fixes: ceb515ba29ba ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Marek Vasut <marek.vasut@mailbox.org>
+Link: https://patch.msgid.link/20260226-ti-sn65dsi83-dual-lvds-fixes-and-test-pattern-v1-1-2e15f5a9a6a0@bootlin.com
+Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/ti-sn65dsi83.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c
++++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
+@@ -351,9 +351,9 @@ static u8 sn65dsi83_get_dsi_range(struct
+ * DSI_CLK = mode clock * bpp / dsi_data_lanes / 2
+ * the 2 is there because the bus is DDR.
+ */
+- return DIV_ROUND_UP(clamp((unsigned int)mode->clock *
+- mipi_dsi_pixel_format_to_bpp(ctx->dsi->format) /
+- ctx->dsi->lanes / 2, 40000U, 500000U), 5000U);
++ return clamp((unsigned int)mode->clock *
++ mipi_dsi_pixel_format_to_bpp(ctx->dsi->format) /
++ ctx->dsi->lanes / 2, 40000U, 500000U) / 5000U;
+ }
+
+ static u8 sn65dsi83_get_dsi_div(struct sn65dsi83 *ctx)
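Review bot: The comment above the return still documents only the DSI_CLK formula and not why the division must truncate, which is the property this change restores. Adding a line such as `* The register holds the lower bound of a 5 MHz window, so round down.` would keep `DIV_ROUND_UP()` from being reintroduced. The comment block starts outside the hunk.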
--- /dev/null
+From d0d727746944096a6681dc6adb5f123fc5aa018d Mon Sep 17 00:00:00 2001
+From: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Date: Thu, 26 Feb 2026 17:16:45 +0100
+Subject: drm/bridge: ti-sn65dsi83: halve horizontal syncs for dual LVDS output
+
+From: Luca Ceresoli <luca.ceresoli@bootlin.com>
+
+commit d0d727746944096a6681dc6adb5f123fc5aa018d upstream.
+
+Dual LVDS output (available on the SN65DSI84) requires HSYNC_PULSE_WIDTH
+and HORIZONTAL_BACK_PORCH to be divided by two with respect to the values
+used for single LVDS output.
+
+While not clearly stated in the datasheet, this is needed according to the
+DSI Tuner [0] output. It also makes sense intuitively because in dual LVDS
+output two pixels at a time are output and so the output clock is half of
+the pixel clock.
+
+Some dual-LVDS panels refuse to show any picture without this fix.
+
+Divide by two HORIZONTAL_FRONT_PORCH too, even though this register is used
+only for test pattern generation which is not currently implemented by this
+driver.
+
+[0] https://www.ti.com/tool/DSI-TUNER
+
+Fixes: ceb515ba29ba ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Marek Vasut <marek.vasut@mailbox.org>
+Link: https://patch.msgid.link/20260226-ti-sn65dsi83-dual-lvds-fixes-and-test-pattern-v1-2-2e15f5a9a6a0@bootlin.com
+Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/ti-sn65dsi83.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c
++++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
+@@ -474,6 +474,7 @@ static void sn65dsi83_atomic_pre_enable(
+ struct drm_atomic_state *state)
+ {
+ struct sn65dsi83 *ctx = bridge_to_sn65dsi83(bridge);
++ const unsigned int dual_factor = ctx->lvds_dual_link ? 2 : 1;
+ const struct drm_bridge_state *bridge_state;
+ const struct drm_crtc_state *crtc_state;
+ const struct drm_display_mode *mode;
+@@ -606,18 +607,18 @@ static void sn65dsi83_atomic_pre_enable(
+ /* 32 + 1 pixel clock to ensure proper operation */
+ le16val = cpu_to_le16(32 + 1);
+ regmap_bulk_write(ctx->regmap, REG_VID_CHA_SYNC_DELAY_LOW, &le16val, 2);
+- le16val = cpu_to_le16(mode->hsync_end - mode->hsync_start);
++ le16val = cpu_to_le16((mode->hsync_end - mode->hsync_start) / dual_factor);
+ regmap_bulk_write(ctx->regmap, REG_VID_CHA_HSYNC_PULSE_WIDTH_LOW,
+ &le16val, 2);
+ le16val = cpu_to_le16(mode->vsync_end - mode->vsync_start);
+ regmap_bulk_write(ctx->regmap, REG_VID_CHA_VSYNC_PULSE_WIDTH_LOW,
+ &le16val, 2);
+ regmap_write(ctx->regmap, REG_VID_CHA_HORIZONTAL_BACK_PORCH,
+- mode->htotal - mode->hsync_end);
++ (mode->htotal - mode->hsync_end) / dual_factor);
+ regmap_write(ctx->regmap, REG_VID_CHA_VERTICAL_BACK_PORCH,
+ mode->vtotal - mode->vsync_end);
+ regmap_write(ctx->regmap, REG_VID_CHA_HORIZONTAL_FRONT_PORCH,
+- mode->hsync_start - mode->hdisplay);
++ (mode->hsync_start - mode->hdisplay) / dual_factor);
+ regmap_write(ctx->regmap, REG_VID_CHA_VERTICAL_FRONT_PORCH,
+ mode->vsync_start - mode->vdisplay);
+ regmap_write(ctx->regmap, REG_VID_CHA_TEST_PATTERN, 0x00);
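Review bot: Dividing by `dual_factor` truncates, so in dual-link mode an odd `hsync_end - hsync_start`, back porch or front porch silently loses a pixel clock, and the three halves may no longer add up to half of the horizontal blanking. Nothing in this hunk rejects or rounds such modes. If panel timings can be odd, either validate them where the mode is checked (outside this hunk) or state the truncation in a comment, e.g. `/* dual link: two pixels per LVDS clock, odd values round down */`. sn65dsi83_atomic_pre_enable() continues outside the hunk.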
--- /dev/null
+From 029ae067431ab9d0fca479bdabe780fa436706ea Mon Sep 17 00:00:00 2001
+From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+Date: Tue, 24 Feb 2026 10:49:06 +0100
+Subject: drm/i915: Fix potential overflow of shmem scatterlist length
+
+From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+
+commit 029ae067431ab9d0fca479bdabe780fa436706ea upstream.
+
+When a scatterlists table of a GEM shmem object of size 4 GB or more is
+populated with pages allocated from a folio, unsigned int .length
+attribute of a scatterlist may get overflowed if total byte length of
+pages allocated to that single scatterlist happens to reach or cross the
+4GB limit. As a consequence, users of the object may suffer from hitting
+unexpected, premature end of the object's backing pages.
+
+[278.780187] ------------[ cut here ]------------
+[278.780377] WARNING: CPU: 1 PID: 2326 at drivers/gpu/drm/i915/i915_mm.c:55 remap_sg+0x199/0x1d0 [i915]
+...
+[278.780654] CPU: 1 UID: 0 PID: 2326 Comm: gem_mmap_offset Tainted: G S U 6.17.0-rc1-CI_DRM_16981-ged823aaa0607+ #1 PREEMPT(voluntary)
+[278.780656] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
+[278.780658] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024
+[278.780659] RIP: 0010:remap_sg+0x199/0x1d0 [i915]
+...
+[278.780786] Call Trace:
+[278.780787] <TASK>
+[278.780788] ? __apply_to_page_range+0x3e6/0x910
+[278.780795] ? __pfx_remap_sg+0x10/0x10 [i915]
+[278.780906] apply_to_page_range+0x14/0x30
+[278.780908] remap_io_sg+0x14d/0x260 [i915]
+[278.781013] vm_fault_cpu+0xd2/0x330 [i915]
+[278.781137] __do_fault+0x3a/0x1b0
+[278.781140] do_fault+0x322/0x640
+[278.781143] __handle_mm_fault+0x938/0xfd0
+[278.781150] handle_mm_fault+0x12c/0x300
+[278.781152] ? lock_mm_and_find_vma+0x4b/0x760
+[278.781155] do_user_addr_fault+0x2d6/0x8e0
+[278.781160] exc_page_fault+0x96/0x2c0
+[278.781165] asm_exc_page_fault+0x27/0x30
+...
+
+That issue was apprehended by the author of a change that introduced it,
+and potential risk even annotated with a comment, but then never addressed.
+
+When adding folio pages to a scatterlist table, take care of byte length
+of any single scatterlist not exceeding max_segment.
+
+Fixes: 0b62af28f249b ("i915: convert shmem_sg_free_table() to use a folio_batch")
+Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14809
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: stable@vger.kernel.org # v6.5+
+Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://lore.kernel.org/r/20260224094944.2447913-2-janusz.krzysztofik@linux.intel.com
+(cherry picked from commit 06249b4e691a75694c014a61708c007fb5755f60)
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_shmem.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gem/i915_gem_shmem.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_shmem.c
+@@ -151,8 +151,12 @@ int shmem_sg_alloc_table(struct drm_i915
+ }
+ } while (1);
+
+- nr_pages = min_t(unsigned long,
+- folio_nr_pages(folio), page_count - i);
++ nr_pages = min_array(((unsigned long[]) {
++ folio_nr_pages(folio),
++ page_count - i,
++ max_segment / PAGE_SIZE,
++ }), 3);
++
+ if (!i ||
+ sg->length >= max_segment ||
+ folio_pfn(folio) != next_pfn) {
+@@ -162,7 +166,9 @@ int shmem_sg_alloc_table(struct drm_i915
+ st->nents++;
+ sg_set_folio(sg, folio, nr_pages * PAGE_SIZE, 0);
+ } else {
+- /* XXX: could overflow? */
++ nr_pages = min_t(unsigned long, nr_pages,
++ (max_segment - sg->length) / PAGE_SIZE);
++
+ sg->length += nr_pages * PAGE_SIZE;
+ }
+ next_pfn = folio_pfn(folio) + nr_pages;
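Review bot: After the new clamp in the `else` branch, `nr_pages` becomes 0 whenever `max_segment - sg->length` is smaller than `PAGE_SIZE`, and `max_segment / PAGE_SIZE` in the first hunk is 0 for a `max_segment` below one page. Both cases are unreachable only if `max_segment` is always a non-zero multiple of `PAGE_SIZE`, which these hunks do not show. With `nr_pages == 0` the segment length and `next_pfn` stop advancing, and presumably the page index too (the loop header is outside the hunk). Stating the invariant near the top of the function, `GEM_BUG_ON(!max_segment || !IS_ALIGNED(max_segment, PAGE_SIZE));`, and replacing the removed `XXX` comment with one that says the clamp keeps `sg->length` within `max_segment`, would make the bound checkable.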
--- /dev/null
+From 1be2fca84f520105413d0d89ed04bb0ff742ab16 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jouni=20H=C3=B6gander?= <jouni.hogander@intel.com>
+Date: Wed, 4 Mar 2026 13:30:08 +0200
+Subject: drm/i915/psr: Repeat Selective Update area alignment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jouni Högander <jouni.hogander@intel.com>
+
+commit 1be2fca84f520105413d0d89ed04bb0ff742ab16 upstream.
+
+Currently we are aligning Selective Update area to cover cursor fully if
+needed only once. It may happen that cursor is in Selective Update area
+after pipe alignment and after that covering cursor plane only
+partially. Fix this by looping alignment as long as alignment isn't needed
+anymore.
+
+v2:
+ - do not unecessarily loop if cursor was already fully covered
+ - rename aligned as su_area_changed
+
+Fixes: 1bff93b8bc27 ("drm/i915/psr: Extend SU area to cover cursor fully if needed")
+Cc: <stable@vger.kernel.org> # v6.9+
+Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
+Reviewed-by: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
+Link: https://patch.msgid.link/20260304113011.626542-2-jouni.hogander@intel.com
+(cherry picked from commit 681e12440d8b110350a5709101169f319e10ccbb)
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_psr.c | 50 +++++++++++++++++++++++--------
+ 1 file changed, 38 insertions(+), 12 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/intel_psr.c
++++ b/drivers/gpu/drm/i915/display/intel_psr.c
+@@ -2559,11 +2559,12 @@ static void clip_area_update(struct drm_
+ overlap_damage_area->y2 = damage_area->y2;
+ }
+
+-static void intel_psr2_sel_fetch_pipe_alignment(struct intel_crtc_state *crtc_state)
++static bool intel_psr2_sel_fetch_pipe_alignment(struct intel_crtc_state *crtc_state)
+ {
+ struct intel_display *display = to_intel_display(crtc_state);
+ const struct drm_dsc_config *vdsc_cfg = &crtc_state->dsc.config;
+ u16 y_alignment;
++ bool su_area_changed = false;
+
+ /* ADLP aligns the SU region to vdsc slice height in case dsc is enabled */
+ if (crtc_state->dsc.compression_enable &&
+@@ -2572,10 +2573,18 @@ static void intel_psr2_sel_fetch_pipe_al
+ else
+ y_alignment = crtc_state->su_y_granularity;
+
+- crtc_state->psr2_su_area.y1 -= crtc_state->psr2_su_area.y1 % y_alignment;
+- if (crtc_state->psr2_su_area.y2 % y_alignment)
++ if (crtc_state->psr2_su_area.y1 % y_alignment) {
++ crtc_state->psr2_su_area.y1 -= crtc_state->psr2_su_area.y1 % y_alignment;
++ su_area_changed = true;
++ }
++
++ if (crtc_state->psr2_su_area.y2 % y_alignment) {
+ crtc_state->psr2_su_area.y2 = ((crtc_state->psr2_su_area.y2 /
+ y_alignment) + 1) * y_alignment;
++ su_area_changed = true;
++ }
++
++ return su_area_changed;
+ }
+
+ /*
+@@ -2708,7 +2717,7 @@ int intel_psr2_sel_fetch_update(struct i
+ struct intel_crtc_state *crtc_state = intel_atomic_get_new_crtc_state(state, crtc);
+ struct intel_plane_state *new_plane_state, *old_plane_state;
+ struct intel_plane *plane;
+- bool full_update = false, cursor_in_su_area = false;
++ bool full_update = false, su_area_changed;
+ int i, ret;
+
+ if (!crtc_state->enable_psr2_sel_fetch)
+@@ -2815,15 +2824,32 @@ int intel_psr2_sel_fetch_update(struct i
+ if (ret)
+ return ret;
+
+- /*
+- * Adjust su area to cover cursor fully as necessary (early
+- * transport). This needs to be done after
+- * drm_atomic_add_affected_planes to ensure visible cursor is added into
+- * affected planes even when cursor is not updated by itself.
+- */
+- intel_psr2_sel_fetch_et_alignment(state, crtc, &cursor_in_su_area);
++ do {
++ bool cursor_in_su_area;
+
+- intel_psr2_sel_fetch_pipe_alignment(crtc_state);
++ /*
++ * Adjust su area to cover cursor fully as necessary
++ * (early transport). This needs to be done after
++ * drm_atomic_add_affected_planes to ensure visible
++ * cursor is added into affected planes even when
++ * cursor is not updated by itself.
++ */
++ intel_psr2_sel_fetch_et_alignment(state, crtc, &cursor_in_su_area);
++
++ su_area_changed = intel_psr2_sel_fetch_pipe_alignment(crtc_state);
++
++ /*
++ * If the cursor was outside the SU area before
++ * alignment, the alignment step (which only expands
++ * SU) may pull the cursor partially inside, so we
++ * must run ET alignment again to fully cover it. But
++ * if the cursor was already fully inside before
++ * alignment, expanding the SU area won't change that,
++ * so no further work is needed.
++ */
++ if (cursor_in_su_area)
++ break;
++ } while (su_area_changed);
+
+ /*
+ * Now that we have the pipe damaged area check if it intersect with
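Review bot: `bool cursor_in_su_area;` is now declared inside the loop without an initializer, whereas the declaration it replaces set it to `false`. If intel_psr2_sel_fetch_et_alignment() (body not in this diff) can return without writing through the pointer, the `if (cursor_in_su_area)` test reads an indeterminate value; `bool cursor_in_su_area = false;` restores the old guarantee. The loop also has no iteration cap and ends only because each pass can only grow the SU area. A short comment naming that bound (presumably the pipe height) would make termination reviewable.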
--- /dev/null
+From 4ce71cea574658f5c5c7412b1a3cc54efe4f9b50 Mon Sep 17 00:00:00 2001
+From: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Date: Thu, 5 Mar 2026 18:17:07 +0800
+Subject: drm/msm/dpu: Correct the SA8775P intr_underrun/intr_underrun index
+
+From: Abhinav Kumar <quic_abhinavk@quicinc.com>
+
+commit 4ce71cea574658f5c5c7412b1a3cc54efe4f9b50 upstream.
+
+The intr_underrun and intr_vsync indices have been swapped, just simply
+corrects them.
+
+Cc: stable@vger.kernel.org
+Fixes: b139c80d181c ("drm/msm/dpu: Add SA8775P support")
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Yongxing Mou <yongxing.mou@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/709209/
+Link: https://lore.kernel.org/r/20260305-mdss_catalog-v5-2-06678ac39ac7@oss.qualcomm.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_4_sa8775p.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_4_sa8775p.h
++++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_4_sa8775p.h
+@@ -366,8 +366,8 @@ static const struct dpu_intf_cfg sa8775p
+ .type = INTF_NONE,
+ .controller_id = MSM_DP_CONTROLLER_0, /* pair with intf_0 for DP MST */
+ .prog_fetch_lines_worst_case = 24,
+- .intr_underrun = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 17),
+- .intr_vsync = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 16),
++ .intr_underrun = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 16),
++ .intr_vsync = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 17),
+ }, {
+ .name = "intf_7", .id = INTF_7,
+ .base = 0x3b000, .len = 0x280,
--- /dev/null
+From e4eb6e4dd6348dd00e19c2275e3fbaed304ca3bd Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Thu, 26 Feb 2026 10:57:11 +0100
+Subject: drm/msm: Fix dma_free_attrs() buffer size
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit e4eb6e4dd6348dd00e19c2275e3fbaed304ca3bd upstream.
+
+The gpummu->table buffer is alloc'd with size TABLE_SIZE + 32 in
+a2xx_gpummu_new() but freed with size TABLE_SIZE in
+a2xx_gpummu_destroy().
+
+Change the free size to match the allocation.
+
+Fixes: c2052a4e5c99 ("drm/msm: implement a2xx mmu")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/707340/
+Message-ID: <20260226095714.12126-2-fourier.thomas@gmail.com>
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/adreno/a2xx_gpummu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/adreno/a2xx_gpummu.c
++++ b/drivers/gpu/drm/msm/adreno/a2xx_gpummu.c
+@@ -78,7 +78,7 @@ static void a2xx_gpummu_destroy(struct m
+ {
+ struct a2xx_gpummu *gpummu = to_a2xx_gpummu(mmu);
+
+- dma_free_attrs(mmu->dev, TABLE_SIZE, gpummu->table, gpummu->pt_base,
++ dma_free_attrs(mmu->dev, TABLE_SIZE + 32, gpummu->table, gpummu->pt_base,
+ DMA_ATTR_FORCE_CONTIGUOUS);
+
+ kfree(gpummu);
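Review bot: The allocation size is still spelled twice, as `TABLE_SIZE + 32` here and, per the commit message, in a2xx_gpummu_new(), which is how the two calls drifted apart. A single definition such as `#define TABLE_ALLOC_SIZE (TABLE_SIZE + 32)` (the name is a suggestion), used by both the allocation and `dma_free_attrs()`, would remove the duplicate. A comment should also say what the extra 32 bytes are for.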
--- /dev/null
+From 064234044056c93a3719d6893e6e5a26a94a61b6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nuno=20S=C3=A1?= <nuno.sa@analog.com>
+Date: Mon, 16 Feb 2026 13:24:27 +0000
+Subject: iio: buffer: Fix wait_queue not being removed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá <nuno.sa@analog.com>
+
+commit 064234044056c93a3719d6893e6e5a26a94a61b6 upstream.
+
+In the edge case where the IIO device is unregistered while we're
+buffering, we were directly returning an error without removing the wait
+queue. Instead, set 'ret' and break out of the loop.
+
+Fixes: 9eeee3b0bf19 ("iio: Add output buffer support")
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/industrialio-buffer.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -228,8 +228,10 @@ static ssize_t iio_buffer_write(struct f
+ written = 0;
+ add_wait_queue(&rb->pollq, &wait);
+ do {
+- if (!indio_dev->info)
+- return -ENODEV;
++ if (!indio_dev->info) {
++ ret = -ENODEV;
++ break;
++ }
+
+ if (!iio_buffer_space_available(rb)) {
+ if (signal_pending(current)) {
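Review bot: Nothing at the new `break` says why this path must not return directly, which is the mistake the change repairs. A comment such as `/* break, not return: the wait queue entry added above must be removed after the loop */` would protect it from a later simplification. The post-loop code is outside the hunk, so it is also worth checking that it returns `ret` rather than `written` when `ret` is negative.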
--- /dev/null
+From f55b9510cd9437da3a0efa08b089caeb47595ff1 Mon Sep 17 00:00:00 2001
+From: Chris Spencer <spencercw@gmail.com>
+Date: Thu, 5 Feb 2026 14:55:45 +0000
+Subject: iio: chemical: bme680: Fix measurement wait duration calculation
+
+From: Chris Spencer <spencercw@gmail.com>
+
+commit f55b9510cd9437da3a0efa08b089caeb47595ff1 upstream.
+
+This function refers to the Bosch BME680 API as the source of the
+calculation, but one of the constants does not match the Bosch
+implementation. This appears to be a simple transposition of two digits,
+resulting in a wait time that is too short. This can cause the following
+'device measurement cycle incomplete' check to occasionally fail, returning
+EBUSY to user space.
+
+Adjust the constant to match the Bosch implementation and resolve the EBUSY
+errors.
+
+Fixes: 4241665e6ea0 ("iio: chemical: bme680: Fix sensor data read operation")
+Link: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x.c#L521
+Signed-off-by: Chris Spencer <spencercw@gmail.com>
+Acked-by: Vasileios Amoiridis <vassilisamir@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/chemical/bme680_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/chemical/bme680_core.c
++++ b/drivers/iio/chemical/bme680_core.c
+@@ -613,7 +613,7 @@ static int bme680_wait_for_eoc(struct bm
+ * + heater duration
+ */
+ int wait_eoc_us = ((data->oversampling_temp + data->oversampling_press +
+- data->oversampling_humid) * 1936) + (477 * 4) +
++ data->oversampling_humid) * 1963) + (477 * 4) +
+ (477 * 5) + 1000 + (data->heater_dur * 1000);
+
+ fsleep(wait_eoc_us);
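Review bot: The per-oversampling duration is still a bare literal, `1963`, next to `477 * 4` and `477 * 5`, so the next transposition would be just as hard to see. Named constants with the Bosch reference in a comment, for example `#define BME680_MEAS_DUR_US 1963` and `#define BME680_TPH_SWITCH_US 477` (names are suggestions), would let the expression be checked term by term against the vendor formula. The comment above the expression begins outside the hunk.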
--- /dev/null
+From 216345f98cae7fcc84f49728c67478ac00321c87 Mon Sep 17 00:00:00 2001
+From: Antoniu Miclaus <antoniu.miclaus@analog.com>
+Date: Thu, 12 Feb 2026 14:46:07 +0200
+Subject: iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
+
+From: Antoniu Miclaus <antoniu.miclaus@analog.com>
+
+commit 216345f98cae7fcc84f49728c67478ac00321c87 upstream.
+
+sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead
+of the intended __be32 element size (4 bytes). Use sizeof(*meas) to
+correctly match the buffer element type.
+
+Fixes: 8f3f13085278 ("iio: sps30: separate core and interface specific code")
+Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
+Acked-by: Tomasz Duszynski <tduszyns@gmail.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/chemical/sps30_i2c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/chemical/sps30_i2c.c
++++ b/drivers/iio/chemical/sps30_i2c.c
+@@ -171,7 +171,7 @@ static int sps30_i2c_read_meas(struct sp
+ if (!sps30_i2c_meas_ready(state))
+ return -ETIMEDOUT;
+
+- return sps30_i2c_command(state, SPS30_I2C_READ_MEAS, NULL, 0, meas, sizeof(num) * num);
++ return sps30_i2c_command(state, SPS30_I2C_READ_MEAS, NULL, 0, meas, sizeof(*meas) * num);
+ }
+
+ static int sps30_i2c_clean_fan(struct sps30_state *state)
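Review bot: The transfer length `sizeof(*meas) * num` is taken from the caller's `num`, and nothing in this hunk bounds it. The old expression asked for twice as many bytes on 64-bit, so it is worth confirming that sps30_i2c_command() (not shown) rejects a response size larger than its own buffer instead of relying on callers. The same question applies to sps30_serial_command() in the sps30_serial_read_meas() hunk of the next patch. If the helper has no such check, a guard there is the right place for it.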
--- /dev/null
+From c3914ce1963c4db25e186112c90fa5d2361e9e0a Mon Sep 17 00:00:00 2001
+From: Antoniu Miclaus <antoniu.miclaus@analog.com>
+Date: Thu, 12 Feb 2026 14:46:08 +0200
+Subject: iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas()
+
+From: Antoniu Miclaus <antoniu.miclaus@analog.com>
+
+commit c3914ce1963c4db25e186112c90fa5d2361e9e0a upstream.
+
+sizeof(num) evaluates to sizeof(size_t) which is 8 bytes on 64-bit,
+but the buffer elements are only 4 bytes. The same function already
+uses sizeof(*meas) on line 312, making the mismatch evident. Use
+sizeof(*meas) consistently.
+
+Fixes: b2e171f5a5c6 ("iio: sps30: add support for serial interface")
+Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
+Acked-by: Tomasz Duszynski <tduszyns@gmail.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/chemical/sps30_serial.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/chemical/sps30_serial.c
++++ b/drivers/iio/chemical/sps30_serial.c
+@@ -303,7 +303,7 @@ static int sps30_serial_read_meas(struct
+ if (msleep_interruptible(1000))
+ return -EINTR;
+
+- ret = sps30_serial_command(state, SPS30_SERIAL_READ_MEAS, NULL, 0, meas, num * sizeof(num));
++ ret = sps30_serial_command(state, SPS30_SERIAL_READ_MEAS, NULL, 0, meas, num * sizeof(*meas));
+ if (ret < 0)
+ return ret;
+ /* if measurements aren't ready sensor returns empty frame */
--- /dev/null
+From 5187e03b817c26c1c3bcb2645a612ea935c4be89 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Wed, 4 Feb 2026 15:00:33 +0100
+Subject: iio: dac: ds4424: reject -128 RAW value
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit 5187e03b817c26c1c3bcb2645a612ea935c4be89 upstream.
+
+The DS442x DAC uses sign-magnitude encoding, so -128 cannot be represented
+in hardware (7-bit magnitude).
+
+Previously, passing -128 resulted in a truncated value that programmed
+0mA (magnitude 0) instead of the expected maximum negative current,
+effectively failing silently.
+
+Reject -128 to avoid producing the wrong current.
+
+Fixes: d632a2bd8ffc ("iio: dac: ds4422/ds4424 dac driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/dac/ds4424.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/dac/ds4424.c
++++ b/drivers/iio/dac/ds4424.c
+@@ -141,7 +141,7 @@ static int ds4424_write_raw(struct iio_d
+
+ switch (mask) {
+ case IIO_CHAN_INFO_RAW:
+- if (val < S8_MIN || val > S8_MAX)
++ if (val <= S8_MIN || val > S8_MAX)
+ return -EINVAL;
+
+ if (val > 0) {
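Review bot: `val <= S8_MIN` gets the range right but hides the reason: the lower bound is the negated 7-bit magnitude, not one more than the s8 minimum. Writing it as `if (val < -S8_MAX || val > S8_MAX)` with a comment such as `/* sign-magnitude: valid range is -127..127 */` states the symmetric range directly. ds4424_write_raw() continues outside the hunk.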
--- /dev/null
+From 6c8bf4b604a8a6346ca71f1c027fa01c2c2e04cb Mon Sep 17 00:00:00 2001
+From: SeungJu Cheon <suunj1331@gmail.com>
+Date: Sat, 24 Jan 2026 04:47:58 +0900
+Subject: iio: frequency: adf4377: Fix duplicated soft reset mask
+
+From: SeungJu Cheon <suunj1331@gmail.com>
+
+commit 6c8bf4b604a8a6346ca71f1c027fa01c2c2e04cb upstream.
+
+The regmap_read_poll_timeout() uses ADF4377_0000_SOFT_RESET_R_MSK
+twice instead of checking both SOFT_RESET_MSK (bit 0) and
+SOFT_RESET_R_MSK (bit 7). This causes an incomplete reset status check.
+
+The code first sets both SOFT_RESET and SOFT_RESET_R bits to 1 via
+regmap_update_bits(), then polls for them to be cleared. Since we set
+both bits before polling, we should be waiting for both to clear.
+
+Fix by using both masks as done in regmap_update_bits() above.
+
+Fixes: eda549e2e524 ("iio: frequency: adf4377: add support for ADF4377")
+Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
+Cc: Stable@vger.kernel.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/frequency/adf4377.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/frequency/adf4377.c
++++ b/drivers/iio/frequency/adf4377.c
+@@ -501,7 +501,7 @@ static int adf4377_soft_reset(struct adf
+ return ret;
+
+ return regmap_read_poll_timeout(st->regmap, 0x0, read_val,
+- !(read_val & (ADF4377_0000_SOFT_RESET_R_MSK |
++ !(read_val & (ADF4377_0000_SOFT_RESET_MSK |
+ ADF4377_0000_SOFT_RESET_R_MSK)), 200, 200 * 100);
+ }
+
--- /dev/null
+From acc3949aab3e8094641a9c7c2768de1958c88378 Mon Sep 17 00:00:00 2001
+From: Antoniu Miclaus <antoniu.miclaus@analog.com>
+Date: Mon, 16 Feb 2026 11:57:56 +0200
+Subject: iio: gyro: mpu3050-core: fix pm_runtime error handling
+
+From: Antoniu Miclaus <antoniu.miclaus@analog.com>
+
+commit acc3949aab3e8094641a9c7c2768de1958c88378 upstream.
+
+The return value of pm_runtime_get_sync() is not checked, allowing
+the driver to access hardware that may fail to resume. The device
+usage count is also unconditionally incremented. Use
+pm_runtime_resume_and_get() which propagates errors and avoids
+incrementing the usage count on failure.
+
+In preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate()
+failure since postdisable does not run when preenable fails.
+
+Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope")
+Reviewed-by: Linus Walleij <linusw@kernel.org>
+Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/gyro/mpu3050-core.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/iio/gyro/mpu3050-core.c
++++ b/drivers/iio/gyro/mpu3050-core.c
+@@ -322,7 +322,9 @@ static int mpu3050_read_raw(struct iio_d
+ }
+ case IIO_CHAN_INFO_RAW:
+ /* Resume device */
+- pm_runtime_get_sync(mpu3050->dev);
++ ret = pm_runtime_resume_and_get(mpu3050->dev);
++ if (ret)
++ return ret;
+ mutex_lock(&mpu3050->lock);
+
+ ret = mpu3050_set_8khz_samplerate(mpu3050);
+@@ -647,14 +649,20 @@ out_trigger_unlock:
+ static int mpu3050_buffer_preenable(struct iio_dev *indio_dev)
+ {
+ struct mpu3050 *mpu3050 = iio_priv(indio_dev);
++ int ret;
+
+- pm_runtime_get_sync(mpu3050->dev);
++ ret = pm_runtime_resume_and_get(mpu3050->dev);
++ if (ret)
++ return ret;
+
+ /* Unless we have OUR trigger active, run at full speed */
+- if (!mpu3050->hw_irq_trigger)
+- return mpu3050_set_8khz_samplerate(mpu3050);
++ if (!mpu3050->hw_irq_trigger) {
++ ret = mpu3050_set_8khz_samplerate(mpu3050);
++ if (ret)
++ pm_runtime_put_autosuspend(mpu3050->dev);
++ }
+
+- return 0;
++ return ret;
+ }
+
+ static int mpu3050_buffer_postdisable(struct iio_dev *indio_dev)
--- /dev/null
+From 91f950b4cbb1aa9ea4eb3999f1463e8044b717fb Mon Sep 17 00:00:00 2001
+From: Antoniu Miclaus <antoniu.miclaus@analog.com>
+Date: Mon, 16 Feb 2026 11:57:55 +0200
+Subject: iio: gyro: mpu3050-i2c: fix pm_runtime error handling
+
+From: Antoniu Miclaus <antoniu.miclaus@analog.com>
+
+commit 91f950b4cbb1aa9ea4eb3999f1463e8044b717fb upstream.
+
+The return value of pm_runtime_get_sync() is not checked, and the
+function always returns success. This allows I2C mux operations to
+proceed even when the device fails to resume.
+
+Use pm_runtime_resume_and_get() and propagate its return value to
+properly handle resume failures.
+
+Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope")
+Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/gyro/mpu3050-i2c.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/iio/gyro/mpu3050-i2c.c
++++ b/drivers/iio/gyro/mpu3050-i2c.c
+@@ -19,8 +19,7 @@ static int mpu3050_i2c_bypass_select(str
+ struct mpu3050 *mpu3050 = i2c_mux_priv(mux);
+
+ /* Just power up the device, that is all that is needed */
+- pm_runtime_get_sync(mpu3050->dev);
+- return 0;
++ return pm_runtime_resume_and_get(mpu3050->dev);
+ }
+
+ static int mpu3050_i2c_bypass_deselect(struct i2c_mux_core *mux, u32 chan_id)
--- /dev/null
+From 9990cd4f8827bd1ae3fb6eb7407630d8d463c430 Mon Sep 17 00:00:00 2001
+From: Radu Sabau <radu.sabau@analog.com>
+Date: Fri, 20 Feb 2026 16:16:41 +0200
+Subject: iio: imu: adis: Fix NULL pointer dereference in adis_init
+
+From: Radu Sabau <radu.sabau@analog.com>
+
+commit 9990cd4f8827bd1ae3fb6eb7407630d8d463c430 upstream.
+
+The adis_init() function dereferences adis->ops to check if the
+individual function pointers (write, read, reset) are NULL, but does
+not first check if adis->ops itself is NULL.
+
+Drivers like adis16480, adis16490, adis16545 and others do not set
+custom ops and rely on adis_init() assigning the defaults. Since struct
+adis is zero-initialized by devm_iio_device_alloc(), adis->ops is NULL
+when adis_init() is called, causing a NULL pointer dereference:
+
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+ pc : adis_init+0xc0/0x118
+ Call trace:
+ adis_init+0xc0/0x118
+ adis16480_probe+0xe0/0x670
+
+Fix this by checking if adis->ops is NULL before dereferencing it,
+falling through to assign the default ops in that case.
+
+Fixes: 3b29bcee8f6f ("iio: imu: adis: Add custom ops struct")
+Signed-off-by: Radu Sabau <radu.sabau@analog.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Reviewed-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/imu/adis.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/imu/adis.c b/drivers/iio/imu/adis.c
+index d160147cce0b..a2bc1d14ed91 100644
+--- a/drivers/iio/imu/adis.c
++++ b/drivers/iio/imu/adis.c
+@@ -526,7 +526,7 @@ int adis_init(struct adis *adis, struct iio_dev *indio_dev,
+
+ adis->spi = spi;
+ adis->data = data;
+- if (!adis->ops->write && !adis->ops->read && !adis->ops->reset)
++ if (!adis->ops)
+ adis->ops = &adis_default_ops;
+ else if (!adis->ops->write || !adis->ops->read || !adis->ops->reset)
+ return -EINVAL;
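Review bot: The new `if (!adis->ops)` test changes the outcome for a caller that supplies an ops structure with all three callbacks unset. The removed condition gave such a caller the defaults, while the `else if` branch now returns -EINVAL for it. That looks intentional, but nothing at this site records it; a comment above the test would state the contract, for example `/* ops is optional; when provided, write, read and reset must all be set */`. adis_init() starts and continues outside the hunk, so other uses of adis->ops are not visible here.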
+--
+2.53.0
+
--- /dev/null
+From c9f3a593137d862d424130343e77d4b5260a4f5a Mon Sep 17 00:00:00 2001
+From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
+Date: Fri, 30 Jan 2026 16:38:47 +0100
+Subject: iio: imu: inv_icm42600: fix odr switch to the same value
+
+From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
+
+commit c9f3a593137d862d424130343e77d4b5260a4f5a upstream.
+
+ODR switch is done in 2 steps when FIFO is on : change the ODR register
+value and acknowledge change when reading the FIFO ODR change flag.
+When we are switching to the same odr value, we end up waiting for a
+FIFO ODR flag that is never happening.
+
+Fix the issue by doing nothing and exiting properly when we are
+switching to the same ODR value.
+
+Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping")
+Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 2 ++
+ drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c
+@@ -651,6 +651,8 @@ static int inv_icm42600_accel_write_odr(
+ return -EINVAL;
+
+ conf.odr = inv_icm42600_accel_odr_conv[idx / 2];
++ if (conf.odr == st->conf.accel.odr)
++ return 0;
+
+ pm_runtime_get_sync(dev);
+ mutex_lock(&st->lock);
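Review bot: The early return compares `conf.odr` with `st->conf.accel.odr` before `mutex_lock(&st->lock)` is taken two lines later, so the cached value is read without the lock the rest of the function uses. The gyro hunk below does the same with `st->conf.gyro.odr`. If st->conf is only written under st->lock (not visible here), a concurrent ODR write could make this comparison use a stale value and skip a write that was needed. Doing the comparison after the lock, with an unlock-and-return path, avoids that; if the unlocked read is deliberate, a comment such as `/* unlocked read of the cached ODR is intentional */` should say so. Both functions start and end outside their hunks.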
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c
+@@ -358,6 +358,8 @@ static int inv_icm42600_gyro_write_odr(s
+ return -EINVAL;
+
+ conf.odr = inv_icm42600_gyro_odr_conv[idx / 2];
++ if (conf.odr == st->conf.gyro.odr)
++ return 0;
+
+ pm_runtime_get_sync(dev);
+ mutex_lock(&st->lock);
--- /dev/null
+From ffd32db8263d2d785a2c419486a450dc80693235 Mon Sep 17 00:00:00 2001
+From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
+Date: Fri, 30 Jan 2026 17:10:23 +0100
+Subject: iio: imu: inv_icm42600: fix odr switch when turning buffer off
+
+From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
+
+commit ffd32db8263d2d785a2c419486a450dc80693235 upstream.
+
+ODR switch is done in 2 steps when FIFO is on : change the ODR register
+value and acknowledge change when reading the FIFO ODR change flag.
+When we are switching odr and turning buffer off just afterward, we are
+losing the FIFO ODR change flag and ODR switch is blocked.
+
+Fix the issue by force applying any waiting ODR change when turning
+buffer off.
+
+Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping")
+Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c
+@@ -371,6 +371,8 @@ static int inv_icm42600_buffer_predisabl
+ static int inv_icm42600_buffer_postdisable(struct iio_dev *indio_dev)
+ {
+ struct inv_icm42600_state *st = iio_device_get_drvdata(indio_dev);
++ struct inv_icm42600_sensor_state *sensor_st = iio_priv(indio_dev);
++ struct inv_sensors_timestamp *ts = &sensor_st->ts;
+ struct device *dev = regmap_get_device(st->map);
+ unsigned int sensor;
+ unsigned int *watermark;
+@@ -392,6 +394,8 @@ static int inv_icm42600_buffer_postdisab
+
+ mutex_lock(&st->lock);
+
++ inv_sensors_timestamp_apply_odr(ts, 0, 0, 0);
++
+ ret = inv_icm42600_buffer_set_fifo_en(st, st->fifo.en & ~sensor);
+ if (ret)
+ goto out_unlock;
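Review bot: The added call `inv_sensors_timestamp_apply_odr(ts, 0, 0, 0)` passes three bare zeros whose meaning cannot be read at the call site, and it carries no comment even though the commit message explains why it is needed. I would put `/* apply any pending ODR change now: the FIFO ODR flag is lost once the buffer is off */` above it. It would also help to note why it has to run before `inv_icm42600_buffer_set_fifo_en()`, if the order matters. inv_icm42600_buffer_postdisable() continues outside the hunk.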
--- /dev/null
+From dd72e6c3cdea05cad24e99710939086f7a113fb5 Mon Sep 17 00:00:00 2001
+From: Antoniu Miclaus <antoniu.miclaus@analog.com>
+Date: Fri, 30 Jan 2026 13:30:20 +0200
+Subject: iio: light: bh1780: fix PM runtime leak on error path
+
+From: Antoniu Miclaus <antoniu.miclaus@analog.com>
+
+commit dd72e6c3cdea05cad24e99710939086f7a113fb5 upstream.
+
+Move pm_runtime_put_autosuspend() before the error check to ensure
+the PM runtime reference count is always decremented after
+pm_runtime_get_sync(), regardless of whether the read operation
+succeeds or fails.
+
+Fixes: 1f0477f18306 ("iio: light: new driver for the ROHM BH1780")
+Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
+Reviewed-by: Linus Walleij <linusw@kernel.org>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/bh1780.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/light/bh1780.c
++++ b/drivers/iio/light/bh1780.c
+@@ -109,9 +109,9 @@ static int bh1780_read_raw(struct iio_de
+ case IIO_LIGHT:
+ pm_runtime_get_sync(&bh1780->client->dev);
+ value = bh1780_read_word(bh1780, BH1780_REG_DLOW);
++ pm_runtime_put_autosuspend(&bh1780->client->dev);
+ if (value < 0)
+ return value;
+- pm_runtime_put_autosuspend(&bh1780->client->dev);
+ *val = value;
+
+ return IIO_VAL_INT;
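Review bot: `pm_runtime_get_sync(&bh1780->client->dev)` still has its return value ignored, so a failed resume goes straight on to `bh1780_read_word()` against a device that may not be powered. The caller then sees whatever the bus read returns rather than the resume error. The mpu3050 patches in this same series switch to `pm_runtime_resume_and_get()` for this reason; here that would be `ret = pm_runtime_resume_and_get(&bh1780->client->dev);` followed by `if (ret) return ret;` before the read (a local `ret` is assumed, it is not visible in the hunk). bh1780_read_raw() starts and ends outside the hunk.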
--- /dev/null
+From 82ee91d6b15f06b6094eea2c26afe0032fe8e177 Mon Sep 17 00:00:00 2001
+From: Antoniu Miclaus <antoniu.miclaus@analog.com>
+Date: Tue, 10 Feb 2026 18:49:50 +0200
+Subject: iio: magnetometer: tlv493d: remove erroneous shift in X-axis data
+
+From: Antoniu Miclaus <antoniu.miclaus@analog.com>
+
+commit 82ee91d6b15f06b6094eea2c26afe0032fe8e177 upstream.
+
+TLV493D_BX2_MAG_X_AXIS_LSB is defined as GENMASK(7, 4). FIELD_GET()
+already right-shifts bits [7:4] to [3:0], so the additional >> 4
+discards most of the X-axis low nibble. The Y and Z axes correctly
+omit this extra shift. Remove it.
+
+Fixes: 106511d280c7 ("iio: magnetometer: add support for Infineon TLV493D 3D Magentic sensor")
+Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/magnetometer/tlv493d.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/magnetometer/tlv493d.c b/drivers/iio/magnetometer/tlv493d.c
+index ec53fd40277b..e5e050af2b74 100644
+--- a/drivers/iio/magnetometer/tlv493d.c
++++ b/drivers/iio/magnetometer/tlv493d.c
+@@ -171,7 +171,7 @@ static s16 tlv493d_get_channel_data(u8 *b, enum tlv493d_channels ch)
+ switch (ch) {
+ case TLV493D_AXIS_X:
+ val = FIELD_GET(TLV493D_BX_MAG_X_AXIS_MSB, b[TLV493D_RD_REG_BX]) << 4 |
+- FIELD_GET(TLV493D_BX2_MAG_X_AXIS_LSB, b[TLV493D_RD_REG_BX2]) >> 4;
++ FIELD_GET(TLV493D_BX2_MAG_X_AXIS_LSB, b[TLV493D_RD_REG_BX2]);
+ break;
+ case TLV493D_AXIS_Y:
+ val = FIELD_GET(TLV493D_BY_MAG_Y_AXIS_MSB, b[TLV493D_RD_REG_BY]) << 4 |
+--
+2.53.0
+
--- /dev/null
+From 85e4614524dca6c0a43874f475a17de2b9725648 Mon Sep 17 00:00:00 2001
+From: Lukas Schmid <lukas.schmid@netcube.li>
+Date: Mon, 2 Feb 2026 21:15:35 +0100
+Subject: iio: potentiometer: mcp4131: fix double application of wiper shift
+
+From: Lukas Schmid <lukas.schmid@netcube.li>
+
+commit 85e4614524dca6c0a43874f475a17de2b9725648 upstream.
+
+The MCP4131 wiper address is shifted twice when preparing the SPI
+command in mcp4131_write_raw().
+
+The address is already shifted when assigned to the local variable
+"address", but is then shifted again when written to data->buf[0].
+This results in an incorrect command being sent to the device and
+breaks wiper writes to the second channel.
+
+Remove the second shift and use the pre-shifted address directly
+when composing the SPI transfer.
+
+Fixes: 22d199a53910 ("iio: potentiometer: add driver for Microchip MCP413X/414X/415X/416X/423X/424X/425X/426X")
+Signed-off-by: Lukas Schmid <lukas.schmid@netcube.li>#
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/potentiometer/mcp4131.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/potentiometer/mcp4131.c
++++ b/drivers/iio/potentiometer/mcp4131.c
+@@ -221,7 +221,7 @@ static int mcp4131_write_raw(struct iio_
+
+ mutex_lock(&data->lock);
+
+- data->buf[0] = address << MCP4131_WIPER_SHIFT;
++ data->buf[0] = address;
+ data->buf[0] |= MCP4131_WRITE | (val >> 8);
+ data->buf[1] = val & 0xFF; /* 8 bits here */
+
--- /dev/null
+From 585b90c0161ab77416fe3acdbdc55b978e33e16c Mon Sep 17 00:00:00 2001
+From: Yasin Lee <yasin.lee.x@gmail.com>
+Date: Fri, 13 Feb 2026 23:14:43 +0800
+Subject: iio: proximity: hx9023s: fix assignment order for __counted_by
+
+From: Yasin Lee <yasin.lee.x@gmail.com>
+
+commit 585b90c0161ab77416fe3acdbdc55b978e33e16c upstream.
+
+Initialize fw_size before copying firmware data into the flexible
+array member to match the __counted_by() annotation. This fixes the
+incorrect assignment order that triggers runtime safety checks.
+
+Fixes: e9ed97be4fcc ("iio: proximity: hx9023s: Added firmware file parsing functionality")
+Signed-off-by: Yasin Lee <yasin.lee.x@gmail.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/proximity/hx9023s.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/iio/proximity/hx9023s.c
++++ b/drivers/iio/proximity/hx9023s.c
+@@ -1034,9 +1034,8 @@ static int hx9023s_send_cfg(const struct
+ if (!bin)
+ return -ENOMEM;
+
+- memcpy(bin->data, fw->data, fw->size);
+-
+ bin->fw_size = fw->size;
++ memcpy(bin->data, fw->data, bin->fw_size);
+ bin->fw_ver = bin->data[FW_VER_OFFSET];
+ bin->reg_count = get_unaligned_le16(bin->data + FW_REG_CNT_OFFSET);
+
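Review bot: Right after the copy, `bin->data[FW_VER_OFFSET]` and `get_unaligned_le16(bin->data + FW_REG_CNT_OFFSET)` are read with no visible check that `fw->size` covers those offsets, so a truncated firmware file would be read past the copied data. Unless code above the hunk already enforces a minimum size, a guard before `bin` is allocated would reject such files, e.g. `if (fw->size < FW_REG_CNT_OFFSET + sizeof(__le16)) return -EINVAL;` (assuming FW_VER_OFFSET lies below FW_REG_CNT_OFFSET, which the hunk does not show). `bin->reg_count` also comes from the file and should be checked against `bin->fw_size` wherever it is used as a length. hx9023s_send_cfg() starts and ends outside the hunk.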
--- /dev/null
+From a318cfc0853706f1d6ce682dba660bc455d674ef Mon Sep 17 00:00:00 2001
+From: Yasin Lee <yasin.lee.x@gmail.com>
+Date: Fri, 13 Feb 2026 23:14:44 +0800
+Subject: iio: proximity: hx9023s: Protect against division by zero in set_samp_freq
+
+From: Yasin Lee <yasin.lee.x@gmail.com>
+
+commit a318cfc0853706f1d6ce682dba660bc455d674ef upstream.
+
+Avoid division by zero when sampling frequency is unspecified.
+
+Fixes: 60df548277b7 ("iio: proximity: Add driver support for TYHX's HX9023S capacitive proximity sensor")
+Signed-off-by: Yasin Lee <yasin.lee.x@gmail.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/proximity/hx9023s.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iio/proximity/hx9023s.c
++++ b/drivers/iio/proximity/hx9023s.c
+@@ -719,6 +719,9 @@ static int hx9023s_set_samp_freq(struct
+ struct device *dev = regmap_get_device(data->regmap);
+ unsigned int i, period_ms;
+
++ if (!val && !val2)
++ return -EINVAL;
++
+ period_ms = div_u64(NANO, (val * MEGA + val2));
+
+ for (i = 0; i < ARRAY_SIZE(hx9023s_samp_freq_table); i++) {
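Review bot: The new `!val && !val2` test does not cover every input that makes the divisor of `div_u64()` zero. That helper takes a 32-bit divisor, so `val * MEGA + val2` is truncated, and a sum that is a multiple of 2^32 still divides by zero; so does a negative `val` that cancels `val2`, if these are signed ints as on the usual write_raw path. Computing the frequency once in 64 bits and testing the result closes both cases: `u64 freq = (u64)val * MEGA + val2;`, `if (val < 0 || val2 < 0 || !freq) return -EINVAL;`, `period_ms = div64_u64(NANO, freq);`. The parameter types are cut off in the hunk header, so the signedness is an assumption to confirm.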
--- /dev/null
+From c2c185be5c85d37215397c8e8781abf0a69bec1f Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 12 Mar 2026 08:59:25 -0600
+Subject: io_uring/kbuf: check if target buffer list is still legacy on recycle
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit c2c185be5c85d37215397c8e8781abf0a69bec1f upstream.
+
+There's a gap between when the buffer was grabbed and when it
+potentially gets recycled, where if the list is empty, someone could've
+upgraded it to a ring provided type. This can happen if the request
+is forced via io-wq. The legacy recycling is missing checking if the
+buffer_list still exists, and if it's of the correct type. Add those
+checks.
+
+Cc: stable@vger.kernel.org
+Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
+Reported-by: Keenan Dong <keenanat2000@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/kbuf.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/io_uring/kbuf.c
++++ b/io_uring/kbuf.c
+@@ -111,9 +111,18 @@ bool io_kbuf_recycle_legacy(struct io_ki
+
+ buf = req->kbuf;
+ bl = io_buffer_get_list(ctx, buf->bgid);
+- list_add(&buf->list, &bl->buf_list);
+- bl->nbufs++;
++ /*
++ * If the buffer list was upgraded to a ring-based one, or removed,
++ * while the request was in-flight in io-wq, drop it.
++ */
++ if (bl && !(bl->flags & IOBL_BUF_RING)) {
++ list_add(&buf->list, &bl->buf_list);
++ bl->nbufs++;
++ } else {
++ kfree(buf);
++ }
+ req->flags &= ~REQ_F_BUFFER_SELECTED;
++ req->kbuf = NULL;
+
+ io_ring_submit_unlock(ctx, issue_flags);
+ return true;
--- /dev/null
+From 5ef268cb7a0aac55521fd9881f1939fa94a8988e Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Fri, 13 Mar 2026 23:04:11 +0900
+Subject: kprobes: Remove unneeded warnings from __arm_kprobe_ftrace()
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit 5ef268cb7a0aac55521fd9881f1939fa94a8988e upstream.
+
+Remove unneeded warnings for handled errors from __arm_kprobe_ftrace()
+because all caller handled the error correctly.
+
+Link: https://lore.kernel.org/all/177261531182.1312989.8737778408503961141.stgit@mhiramat.tok.corp.google.com/
+
+Reported-by: Zw Tang <shicenci@gmail.com>
+Closes: https://lore.kernel.org/all/CAPHJ_V+J6YDb_wX2nhXU6kh466Dt_nyDSas-1i_Y8s7tqY-Mzw@mail.gmail.com/
+Fixes: 9c89bb8e3272 ("kprobes: treewide: Cleanup the error messages for kprobes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kprobes.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1070,12 +1070,12 @@ static int __arm_kprobe_ftrace(struct kp
+ lockdep_assert_held(&kprobe_mutex);
+
+ ret = ftrace_set_filter_ip(ops, (unsigned long)p->addr, 0, 0);
+- if (WARN_ONCE(ret < 0, "Failed to arm kprobe-ftrace at %pS (error %d)\n", p->addr, ret))
++ if (ret < 0)
+ return ret;
+
+ if (*cnt == 0) {
+ ret = register_ftrace_function(ops);
+- if (WARN(ret < 0, "Failed to register kprobe-ftrace (error %d)\n", ret)) {
++ if (ret < 0) {
+ /*
+ * At this point, sinec ops is not registered, we should be sefe from
+ * registering empty filter.
--- /dev/null
+From 560f763baa0f2c9a44da4294c06af071405ac46f Mon Sep 17 00:00:00 2001
+From: Josh Law <objecting@objecting.org>
+Date: Thu, 12 Mar 2026 19:11:42 +0000
+Subject: lib/bootconfig: check bounds before writing in __xbc_open_brace()
+
+From: Josh Law <objecting@objecting.org>
+
+commit 560f763baa0f2c9a44da4294c06af071405ac46f upstream.
+
+The bounds check for brace_index happens after the array write.
+While the current call pattern prevents an actual out-of-bounds
+access (the previous call would have returned an error), the
+write-before-check pattern is fragile and would become a real
+out-of-bounds write if the error return were ever not propagated.
+
+Move the bounds check before the array write so the function is
+self-contained and safe regardless of caller behavior.
+
+Link: https://lore.kernel.org/all/20260312191143.28719-3-objecting@objecting.org/
+
+Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Josh Law <objecting@objecting.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/bootconfig.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/bootconfig.c
++++ b/lib/bootconfig.c
+@@ -532,9 +532,9 @@ static char *skip_spaces_until_newline(c
+ static int __init __xbc_open_brace(char *p)
+ {
+ /* Push the last key as open brace */
+- open_brace[brace_index++] = xbc_node_index(last_parent);
+ if (brace_index >= XBC_DEPTH_MAX)
+ return xbc_parse_error("Exceed max depth of braces", p);
++ open_brace[brace_index++] = xbc_node_index(last_parent);
+
+ return 0;
+ }
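Review bot: Moving the test ahead of the store also changes the accepted nesting depth, which the commit message does not mention. Before, the push that brought `brace_index` to XBC_DEPTH_MAX was rejected; now it succeeds and only the next one fails, so one more level of braces is accepted. That matches an `open_brace` array of XBC_DEPTH_MAX entries (its declaration is outside the hunk), but other code sized by XBC_DEPTH_MAX should be confirmed to tolerate the extra level. A comment would make the invariant explicit, e.g. `/* brace_index counts open braces, at most XBC_DEPTH_MAX */`.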
--- /dev/null
+From 39ebc8d7f561e1b64eca87353ef9b18e2825e591 Mon Sep 17 00:00:00 2001
+From: Josh Law <objecting@objecting.org>
+Date: Thu, 12 Mar 2026 19:11:41 +0000
+Subject: lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
+
+From: Josh Law <objecting@objecting.org>
+
+commit 39ebc8d7f561e1b64eca87353ef9b18e2825e591 upstream.
+
+__xbc_open_brace() pushes entries with post-increment
+(open_brace[brace_index++]), so brace_index always points one past
+the last valid entry. xbc_verify_tree() reads open_brace[brace_index]
+to report which brace is unclosed, but this is one past the last
+pushed entry and contains stale/zero data, causing the error message
+to reference the wrong node.
+
+Use open_brace[brace_index - 1] to correctly identify the unclosed
+brace. brace_index is known to be > 0 here since we are inside the
+if (brace_index) guard.
+
+Link: https://lore.kernel.org/all/20260312191143.28719-2-objecting@objecting.org/
+
+Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Josh Law <objecting@objecting.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/bootconfig.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/bootconfig.c
++++ b/lib/bootconfig.c
+@@ -791,7 +791,7 @@ static int __init xbc_verify_tree(void)
+
+ /* Brace closing */
+ if (brace_index) {
+- n = &xbc_nodes[open_brace[brace_index]];
++ n = &xbc_nodes[open_brace[brace_index - 1]];
+ return xbc_parse_error("Brace is not closed",
+ xbc_node_get_data(n));
+ }
--- /dev/null
+From 1120a36bb1e9b9e22de75ecb4ef0b998f73a97f1 Mon Sep 17 00:00:00 2001
+From: Josh Law <objecting@objecting.org>
+Date: Thu, 12 Mar 2026 19:11:43 +0000
+Subject: lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after()
+
+From: Josh Law <objecting@objecting.org>
+
+commit 1120a36bb1e9b9e22de75ecb4ef0b998f73a97f1 upstream.
+
+snprintf() returns the number of characters that would have been
+written excluding the NUL terminator. Output is truncated when the
+return value is >= the buffer size, not just > the buffer size.
+
+When ret == size, the current code takes the non-truncated path,
+advancing buf by ret and reducing size to 0. This is wrong because
+the output was actually truncated (the last character was replaced by
+NUL). Fix by using >= so the truncation path is taken correctly.
+
+Link: https://lore.kernel.org/all/20260312191143.28719-4-objecting@objecting.org/
+
+Fixes: 76db5a27a827 ("bootconfig: Add Extra Boot Config support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Josh Law <objecting@objecting.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/bootconfig.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/bootconfig.c
++++ b/lib/bootconfig.c
+@@ -316,7 +316,7 @@ int __init xbc_node_compose_key_after(st
+ depth ? "." : "");
+ if (ret < 0)
+ return ret;
+- if (ret > size) {
++ if (ret >= size) {
+ size = 0;
+ } else {
+ size -= ret;
--- /dev/null
+From 57885276cc16a2e2b76282c808a4e84cbecb3aae Mon Sep 17 00:00:00 2001
+From: Paul Moses <p@1g4.org>
+Date: Mon, 9 Mar 2026 17:35:10 +0000
+Subject: net-shapers: don't free reply skb after genlmsg_reply()
+
+From: Paul Moses <p@1g4.org>
+
+commit 57885276cc16a2e2b76282c808a4e84cbecb3aae upstream.
+
+genlmsg_reply() hands the reply skb to netlink, and
+netlink_unicast() consumes it on all return paths, whether the
+skb is queued successfully or freed on an error path.
+
+net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit()
+currently jump to free_msg after genlmsg_reply() fails and call
+nlmsg_free(msg), which can hit the same skb twice.
+
+Return the genlmsg_reply() error directly and keep free_msg
+only for pre-reply failures.
+
+Fixes: 4b623f9f0f59 ("net-shapers: implement NL get operation")
+Fixes: 553ea9f1efd6 ("net: shaper: implement introspection support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Moses <p@1g4.org>
+Link: https://patch.msgid.link/20260309173450.538026-2-p@1g4.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/shaper/shaper.c | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+--- a/net/shaper/shaper.c
++++ b/net/shaper/shaper.c
+@@ -759,11 +759,7 @@ int net_shaper_nl_get_doit(struct sk_buf
+ if (ret)
+ goto free_msg;
+
+- ret = genlmsg_reply(msg, info);
+- if (ret)
+- goto free_msg;
+-
+- return 0;
++ return genlmsg_reply(msg, info);
+
+ free_msg:
+ nlmsg_free(msg);
+@@ -1314,10 +1310,7 @@ int net_shaper_nl_cap_get_doit(struct sk
+ if (ret)
+ goto free_msg;
+
+- ret = genlmsg_reply(msg, info);
+- if (ret)
+- goto free_msg;
+- return 0;
++ return genlmsg_reply(msg, info);
+
+ free_msg:
+ nlmsg_free(msg);
--- /dev/null
+From 35e4f2a17eb40288f9bcdb09549fa04a63a96279 Mon Sep 17 00:00:00 2001
+From: Nam Cao <namcao@linutronix.de>
+Date: Mon, 2 Mar 2026 01:39:48 +0100
+Subject: powerpc/pseries: Correct MSI allocation tracking
+
+From: Nam Cao <namcao@linutronix.de>
+
+commit 35e4f2a17eb40288f9bcdb09549fa04a63a96279 upstream.
+
+The per-device MSI allocation calculation in pseries_irq_domain_alloc()
+is clearly wrong. It can still happen to work when nr_irqs is 1.
+
+Correct it.
+
+Fixes: c0215e2d72de ("powerpc/pseries: Fix MSI-X allocation failure when quota is exceeded")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nam Cao <namcao@linutronix.de>
+Reviewed-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
+Reviewed-by: Nilay Shroff <nilay@linux.ibm.com>
+[maddy: Fixed Nilay's reviewed-by tag]
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20260302003948.1452016-1-namcao@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/pseries/msi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/msi.c
++++ b/arch/powerpc/platforms/pseries/msi.c
+@@ -605,7 +605,7 @@ static int pseries_irq_domain_alloc(stru
+ &pseries_msi_irq_chip, pseries_dev);
+ }
+
+- pseries_dev->msi_used++;
++ pseries_dev->msi_used += nr_irqs;
+ return 0;
+
+ out:
--- /dev/null
+From 01b6ac72729610ae732ca2a66e3a642e23f6cd60 Mon Sep 17 00:00:00 2001
+From: Hari Bathini <hbathini@linux.ibm.com>
+Date: Tue, 3 Mar 2026 23:40:30 +0530
+Subject: powerpc64/bpf: fix kfunc call support
+
+From: Hari Bathini <hbathini@linux.ibm.com>
+
+commit 01b6ac72729610ae732ca2a66e3a642e23f6cd60 upstream.
+
+Commit 61688a82e047 ("powerpc/bpf: enable kfunc call") inadvertently
+enabled kfunc call support for 32-bit powerpc but that support will
+not be possible until ABI mismatch between 32-bit powerpc and eBPF is
+handled in 32-bit powerpc JIT code. Till then, advertise support only
+for 64-bit powerpc. Also, in powerpc ABI, caller needs to extend the
+arguments properly based on signedness. The JIT code is responsible
+for handling this explicitly for kfunc calls as verifier can't handle
+this for each architecture-specific ABI needs. But this was not taken
+care of while kfunc call support was enabled for powerpc. Fix it by
+handling this with bpf_jit_find_kfunc_model() and using zero_extend()
+& sign_extend() helper functions.
+
+Fixes: 61688a82e047 ("powerpc/bpf: enable kfunc call")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20260303181031.390073-7-hbathini@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/net/bpf_jit_comp.c | 2
+ arch/powerpc/net/bpf_jit_comp64.c | 101 ++++++++++++++++++++++++++++++++++----
+ 2 files changed, 94 insertions(+), 9 deletions(-)
+
+--- a/arch/powerpc/net/bpf_jit_comp.c
++++ b/arch/powerpc/net/bpf_jit_comp.c
+@@ -437,7 +437,7 @@ void bpf_jit_free(struct bpf_prog *fp)
+
+ bool bpf_jit_supports_kfunc_call(void)
+ {
+- return true;
++ return IS_ENABLED(CONFIG_PPC64);
+ }
+
+ bool bpf_jit_supports_arena(void)
+--- a/arch/powerpc/net/bpf_jit_comp64.c
++++ b/arch/powerpc/net/bpf_jit_comp64.c
+@@ -319,6 +319,83 @@ int bpf_jit_emit_func_call_rel(u32 *imag
+ return 0;
+ }
+
++static int zero_extend(u32 *image, struct codegen_context *ctx, u32 src_reg, u32 dst_reg, u32 size)
++{
++ switch (size) {
++ case 1:
++ /* zero-extend 8 bits into 64 bits */
++ EMIT(PPC_RAW_RLDICL(dst_reg, src_reg, 0, 56));
++ return 0;
++ case 2:
++ /* zero-extend 16 bits into 64 bits */
++ EMIT(PPC_RAW_RLDICL(dst_reg, src_reg, 0, 48));
++ return 0;
++ case 4:
++ /* zero-extend 32 bits into 64 bits */
++ EMIT(PPC_RAW_RLDICL(dst_reg, src_reg, 0, 32));
++ fallthrough;
++ case 8:
++ /* Nothing to do */
++ return 0;
++ default:
++ return -1;
++ }
++}
++
++static int sign_extend(u32 *image, struct codegen_context *ctx, u32 src_reg, u32 dst_reg, u32 size)
++{
++ switch (size) {
++ case 1:
++ /* sign-extend 8 bits into 64 bits */
++ EMIT(PPC_RAW_EXTSB(dst_reg, src_reg));
++ return 0;
++ case 2:
++ /* sign-extend 16 bits into 64 bits */
++ EMIT(PPC_RAW_EXTSH(dst_reg, src_reg));
++ return 0;
++ case 4:
++ /* sign-extend 32 bits into 64 bits */
++ EMIT(PPC_RAW_EXTSW(dst_reg, src_reg));
++ fallthrough;
++ case 8:
++ /* Nothing to do */
++ return 0;
++ default:
++ return -1;
++ }
++}
++
++/*
++ * Handle powerpc ABI expectations from caller:
++ * - Unsigned arguments are zero-extended.
++ * - Signed arguments are sign-extended.
++ */
++static int prepare_for_kfunc_call(const struct bpf_prog *fp, u32 *image,
++ struct codegen_context *ctx,
++ const struct bpf_insn *insn)
++{
++ const struct btf_func_model *m = bpf_jit_find_kfunc_model(fp, insn);
++ int i;
++
++ if (!m)
++ return -1;
++
++ for (i = 0; i < m->nr_args; i++) {
++ /* Note that BPF ABI only allows up to 5 args for kfuncs */
++ u32 reg = bpf_to_ppc(BPF_REG_1 + i), size = m->arg_size[i];
++
++ if (!(m->arg_flags[i] & BTF_FMODEL_SIGNED_ARG)) {
++ if (zero_extend(image, ctx, reg, reg, size))
++ return -1;
++ } else {
++ if (sign_extend(image, ctx, reg, reg, size))
++ return -1;
++ }
++ }
++
++ return 0;
++}
++
+ static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)
+ {
+ /*
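Review bot: In `zero_extend()` and `sign_extend()` the `case 8:` arm emits nothing, which is only correct when `dst_reg == src_reg`; a caller passing distinct registers with size 8 gets success back while `dst_reg` is never written. `prepare_for_kfunc_call()` always passes the same register twice, so it is not affected, but the MOVSX caller in `bpf_jit_build_body()` passes `src_reg` and `dst_reg` separately. Either document the precondition, `/* size 8: no extension needed; caller must ensure dst_reg == src_reg */`, or emit the move there, `if (dst_reg != src_reg) EMIT(PPC_RAW_MR(dst_reg, src_reg));`. The `fallthrough` from `case 4` into a bare `return 0` also reads less clearly than the explicit `return 0` used by cases 1 and 2.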
+@@ -931,14 +1008,16 @@ int bpf_jit_build_body(struct bpf_prog *
+ /* special mov32 for zext */
+ EMIT(PPC_RAW_RLWINM(dst_reg, dst_reg, 0, 0, 31));
+ break;
+- } else if (off == 8) {
+- EMIT(PPC_RAW_EXTSB(dst_reg, src_reg));
+- } else if (off == 16) {
+- EMIT(PPC_RAW_EXTSH(dst_reg, src_reg));
+- } else if (off == 32) {
+- EMIT(PPC_RAW_EXTSW(dst_reg, src_reg));
+- } else if (dst_reg != src_reg)
+- EMIT(PPC_RAW_MR(dst_reg, src_reg));
++ }
++ if (off == 0) {
++ /* MOV */
++ if (dst_reg != src_reg)
++ EMIT(PPC_RAW_MR(dst_reg, src_reg));
++ } else {
++ /* MOVSX: dst = (s8,s16,s32)src (off = 8,16,32) */
++ if (sign_extend(image, ctx, src_reg, dst_reg, off / 8))
++ return -1;
++ }
+ goto bpf_alu32_trunc;
+ case BPF_ALU | BPF_MOV | BPF_K: /* (u32) dst = imm */
+ case BPF_ALU64 | BPF_MOV | BPF_K: /* dst = (s64) imm */
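Review bot: `sign_extend(image, ctx, src_reg, dst_reg, off / 8)` relies on integer division, so any `off` from 8 to 15 is treated as an 8-bit extension and `off == 64` reaches the no-op `case 8`, where the removed `else if` chain fell back to a plain register move for unrecognised values. The verifier presumably rejects such offsets before the JIT runs, but the JIT should not silently emit a different instruction if one slips through. Matching the encoding exactly keeps the failure explicit, e.g. `if (off != 8 && off != 16 && off != 32) return -1;` ahead of the call. The enclosing `case` starts above the hunk, so any earlier handling of other `off` values is not visible here.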
+@@ -1395,6 +1474,12 @@ emit_clear:
+ if (ret < 0)
+ return ret;
+
++ /* Take care of powerpc ABI requirements before kfunc call */
++ if (insn[i].src_reg == BPF_PSEUDO_KFUNC_CALL) {
++ if (prepare_for_kfunc_call(fp, image, ctx, &insn[i]))
++ return -1;
++ }
++
+ ret = bpf_jit_emit_func_call_rel(image, fimage, ctx, func_addr);
+ if (ret)
+ return ret;
--- /dev/null
+From 157820264ac3dadfafffad63184b883eb28f9ae0 Mon Sep 17 00:00:00 2001
+From: Hari Bathini <hbathini@linux.ibm.com>
+Date: Tue, 3 Mar 2026 23:40:26 +0530
+Subject: powerpc64/bpf: fix the address returned by bpf_get_func_ip
+
+From: Hari Bathini <hbathini@linux.ibm.com>
+
+commit 157820264ac3dadfafffad63184b883eb28f9ae0 upstream.
+
+bpf_get_func_ip() helper function returns the address of the traced
+function. It relies on the IP address stored at ctx - 16 by the bpf
+trampoline. On 64-bit powerpc, this address is recovered from LR
+accounting for OOL trampoline. But the address stored here was off
+by 4-bytes. Ensure the address is the actual start of the traced
+function.
+
+Reported-by: Abhishek Dubey <adubey@linux.ibm.com>
+Fixes: d243b62b7bd3 ("powerpc64/bpf: Add support for bpf trampolines")
+Cc: stable@vger.kernel.org
+Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
+Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20260303181031.390073-3-hbathini@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/net/bpf_jit_comp.c | 28 +++++++++++++++++++---------
+ 1 file changed, 19 insertions(+), 9 deletions(-)
+
+--- a/arch/powerpc/net/bpf_jit_comp.c
++++ b/arch/powerpc/net/bpf_jit_comp.c
+@@ -722,9 +722,9 @@ static int __arch_prepare_bpf_trampoline
+ * retval_off [ return value ]
+ * [ reg argN ]
+ * [ ... ]
+- * regs_off [ reg_arg1 ] prog ctx context
+- * nregs_off [ args count ]
+- * ip_off [ traced function ]
++ * regs_off [ reg_arg1 ] prog_ctx
++ * nregs_off [ args count ] ((u64 *)prog_ctx)[-1]
++ * ip_off [ traced function ] ((u64 *)prog_ctx)[-2]
+ * [ ... ]
+ * run_ctx_off [ bpf_tramp_run_ctx ]
+ * [ reg argN ]
+@@ -824,7 +824,7 @@ static int __arch_prepare_bpf_trampoline
+
+ bpf_trampoline_save_args(image, ctx, func_frame_offset, nr_regs, regs_off);
+
+- /* Save our return address */
++ /* Save our LR/return address */
+ EMIT(PPC_RAW_MFLR(_R3));
+ if (IS_ENABLED(CONFIG_PPC_FTRACE_OUT_OF_LINE))
+ EMIT(PPC_RAW_STL(_R3, _R1, alt_lr_off));
+@@ -832,24 +832,34 @@ static int __arch_prepare_bpf_trampoline
+ EMIT(PPC_RAW_STL(_R3, _R1, bpf_frame_size + PPC_LR_STKOFF));
+
+ /*
+- * Save ip address of the traced function.
+- * We could recover this from LR, but we will need to address for OOL trampoline,
+- * and optional GEP area.
++ * Derive IP address of the traced function.
++ * In case of CONFIG_PPC_FTRACE_OUT_OF_LINE or BPF program, LR points to the instruction
++ * after the 'bl' instruction in the OOL stub. Refer to ftrace_init_ool_stub() and
++ * bpf_arch_text_poke() for OOL stub of kernel functions and bpf programs respectively.
++ * Relevant stub sequence:
++ *
++ * bl <tramp>
++ * LR (R3) => mtlr r0
++ * b <func_addr+4>
++ *
++ * Recover kernel function/bpf program address from the unconditional
++ * branch instruction at the end of OOL stub.
+ */
+ if (IS_ENABLED(CONFIG_PPC_FTRACE_OUT_OF_LINE) || flags & BPF_TRAMP_F_IP_ARG) {
+ EMIT(PPC_RAW_LWZ(_R4, _R3, 4));
+ EMIT(PPC_RAW_SLWI(_R4, _R4, 6));
+ EMIT(PPC_RAW_SRAWI(_R4, _R4, 6));
+ EMIT(PPC_RAW_ADD(_R3, _R3, _R4));
+- EMIT(PPC_RAW_ADDI(_R3, _R3, 4));
+ }
+
+ if (flags & BPF_TRAMP_F_IP_ARG)
+ EMIT(PPC_RAW_STL(_R3, _R1, ip_off));
+
+- if (IS_ENABLED(CONFIG_PPC_FTRACE_OUT_OF_LINE))
++ if (IS_ENABLED(CONFIG_PPC_FTRACE_OUT_OF_LINE)) {
+ /* Fake our LR for unwind */
++ EMIT(PPC_RAW_ADDI(_R3, _R3, 4));
+ EMIT(PPC_RAW_STL(_R3, _R1, bpf_frame_size + PPC_LR_STKOFF));
++ }
+
+ /* Save function arg count -- see bpf_get_func_arg_cnt() */
+ EMIT(PPC_RAW_LI(_R3, nr_regs));
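Review bot: The new block comment explains the stub layout but not the arithmetic that makes the result correct, which is the whole point of the fix. The branch displacement loaded from `LR + 4` is relative to the `b` instruction itself, so adding it to LR (not `LR + 4`) yields `func_addr + 4 - 4`, the function start; a line such as `R3 = LR + disp = (LR + 4 + disp) - 4 = func_addr` in the comment would record that. `_R3` is then reused with a second meaning, so the later comment would read better as `/* Fake our LR for unwind: func_addr + 4 */`. The decode also assumes the word at `LR + 4` is an unconditional relative branch with the AA and LK bits clear; nothing in the hunk verifies that, which is worth stating as a precondition. The function body starts and ends outside the hunk.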
--- /dev/null
+From 55f854dd5bdd8e19b936a00ef1f8d776ac32c7b0 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <lvivier@redhat.com>
+Date: Wed, 4 Mar 2026 14:43:38 +0100
+Subject: qmi_wwan: allow max_mtu above hard_mtu to control rx_urb_size
+
+From: Laurent Vivier <lvivier@redhat.com>
+
+commit 55f854dd5bdd8e19b936a00ef1f8d776ac32c7b0 upstream.
+
+Commit c7159e960f14 ("usbnet: limit max_mtu based on device's hard_mtu")
+capped net->max_mtu to the device's hard_mtu in usbnet_probe(). While
+this correctly prevents oversized packets on standard USB network
+devices, it breaks the qmi_wwan driver.
+
+qmi_wwan relies on userspace (e.g. ModemManager) setting a large MTU on
+the wwan0 interface to configure rx_urb_size via usbnet_change_mtu().
+QMI modems negotiate USB transfer sizes of 16,383 or 32,767 bytes, and
+the USB receive buffers must be sized accordingly. With max_mtu capped
+to hard_mtu (~1500 bytes), userspace can no longer raise the MTU, the
+receive buffers remain small, and download speeds drop from >300 Mbps
+to ~0.8 Mbps.
+
+Introduce a FLAG_NOMAXMTU driver flag that allows individual usbnet
+drivers to opt out of the max_mtu cap. Set this flag in qmi_wwan's
+driver_info structures to restore the previous behavior for QMI devices,
+while keeping the safety fix in place for all other usbnet drivers.
+
+Fixes: c7159e960f14 ("usbnet: limit max_mtu based on device's hard_mtu")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/lkml/CAPh3n803k8JcBPV5qEzUB-oKzWkAs-D5CU7z=Vd_nLRCr5ZqQg@mail.gmail.com/
+Reported-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
+Tested-by: Daniele Palmas <dnlplm@gmail.com>
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Link: https://patch.msgid.link/20260304134338.1785002-1-lvivier@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 4 ++--
+ drivers/net/usb/usbnet.c | 7 ++++---
+ include/linux/usb/usbnet.h | 1 +
+ 3 files changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -928,7 +928,7 @@ err:
+
+ static const struct driver_info qmi_wwan_info = {
+ .description = "WWAN/QMI device",
+- .flags = FLAG_WWAN | FLAG_SEND_ZLP,
++ .flags = FLAG_WWAN | FLAG_NOMAXMTU | FLAG_SEND_ZLP,
+ .bind = qmi_wwan_bind,
+ .unbind = qmi_wwan_unbind,
+ .manage_power = qmi_wwan_manage_power,
+@@ -937,7 +937,7 @@ static const struct driver_info qmi_wwan
+
+ static const struct driver_info qmi_wwan_info_quirk_dtr = {
+ .description = "WWAN/QMI device",
+- .flags = FLAG_WWAN | FLAG_SEND_ZLP,
++ .flags = FLAG_WWAN | FLAG_NOMAXMTU | FLAG_SEND_ZLP,
+ .bind = qmi_wwan_bind,
+ .unbind = qmi_wwan_unbind,
+ .manage_power = qmi_wwan_manage_power,
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1803,11 +1803,12 @@ usbnet_probe (struct usb_interface *udev
+ if ((dev->driver_info->flags & FLAG_NOARP) != 0)
+ net->flags |= IFF_NOARP;
+
+- if (net->max_mtu > (dev->hard_mtu - net->hard_header_len))
++ if ((dev->driver_info->flags & FLAG_NOMAXMTU) == 0 &&
++ net->max_mtu > (dev->hard_mtu - net->hard_header_len))
+ net->max_mtu = dev->hard_mtu - net->hard_header_len;
+
+- if (net->mtu > net->max_mtu)
+- net->mtu = net->max_mtu;
++ if (net->mtu > (dev->hard_mtu - net->hard_header_len))
++ net->mtu = dev->hard_mtu - net->hard_header_len;
+
+ } else if (!info->in || !info->out)
+ status = usbnet_get_endpoints (dev, udev);
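Review bot: `dev->hard_mtu - net->hard_header_len` is now spelled out four times across the two checks, which hides the intent that only `max_mtu` is exempted while `mtu` stays clamped to the hardware payload size. Computing it once into a local and using it in both tests would make that asymmetry readable, and a comment above the flag test, `/* FLAG_NOMAXMTU drivers size rx URBs from the MTU, so leave max_mtu uncapped */`, would explain the opt-out. With the flag set, the upper bound on `max_mtu` is whatever was assigned before this block, which the hunk does not show; it is worth confirming that bound is still finite for qmi_wwan, since userspace can raise the MTU up to it. `usbnet_probe()` continues outside the hunk.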
+--- a/include/linux/usb/usbnet.h
++++ b/include/linux/usb/usbnet.h
+@@ -130,6 +130,7 @@ struct driver_info {
+ #define FLAG_MULTI_PACKET 0x2000
+ #define FLAG_RX_ASSEMBLE 0x4000 /* rx packets may span >1 frames */
+ #define FLAG_NOARP 0x8000 /* device can't do ARP */
++#define FLAG_NOMAXMTU 0x10000 /* allow max_mtu above hard_mtu */
+
+ /* init device ... can sleep, or cause probe() failure */
+ int (*bind)(struct usbnet *, struct usb_interface *);
--- /dev/null
+From 4c527c7e030672efd788d0806d7a68972a7ba3c1 Mon Sep 17 00:00:00 2001
+From: Stefan Haberland <sth@linux.ibm.com>
+Date: Tue, 10 Mar 2026 15:23:30 +0100
+Subject: s390/dasd: Copy detected format information to secondary device
+
+From: Stefan Haberland <sth@linux.ibm.com>
+
+commit 4c527c7e030672efd788d0806d7a68972a7ba3c1 upstream.
+
+During online processing for a DASD device an IO operation is started to
+determine the format of the device. CDL format contains specifically
+sized blocks at the beginning of the disk.
+
+For a PPRC secondary device no real IO operation is possible therefore
+this IO request can not be started and this step is skipped for online
+processing of secondary devices. This is generally fine since the
+secondary is a copy of the primary device.
+
+In case of an additional partition detection that is run after a swap
+operation the format information is needed to properly drive partition
+detection IO.
+
+Currently the information is not passed leading to IO errors during
+partition detection and a wrongly detected partition table which in turn
+might lead to data corruption on the disk with the wrong partition table.
+
+Fix by passing the format information from primary to secondary device.
+
+Fixes: 413862caad6f ("s390/dasd: add copy pair swap capability")
+Cc: stable@vger.kernel.org #6.1
+Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+Acked-by: Eduard Shishkin <edward6@linux.ibm.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Link: https://patch.msgid.link/20260310142330.4080106-3-sth@linux.ibm.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/block/dasd_eckd.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -6146,6 +6146,7 @@ static void copy_pair_set_active(struct
+ static int dasd_eckd_copy_pair_swap(struct dasd_device *device, char *prim_busid,
+ char *sec_busid)
+ {
++ struct dasd_eckd_private *prim_priv, *sec_priv;
+ struct dasd_device *primary, *secondary;
+ struct dasd_copy_relation *copy;
+ struct dasd_block *block;
+@@ -6166,6 +6167,9 @@ static int dasd_eckd_copy_pair_swap(stru
+ if (!secondary)
+ return DASD_COPYPAIRSWAP_SECONDARY;
+
++ prim_priv = primary->private;
++ sec_priv = secondary->private;
++
+ /*
+ * usually the device should be quiesced for swap
+ * for paranoia stop device and requeue requests again
+@@ -6198,6 +6202,13 @@ static int dasd_eckd_copy_pair_swap(stru
+ dasd_device_remove_stop_bits(primary, DASD_STOPPED_QUIESCE);
+ }
+
++ /*
++ * The secondary device never got through format detection, but since it
++ * is a copy of the primary device, the format is exactly the same;
++ * therefore, the detected layout can simply be copied.
++ */
++ sec_priv->uses_cdl = prim_priv->uses_cdl;
++
+ /* re-enable device */
+ dasd_device_remove_stop_bits(primary, DASD_STOPPED_PPRC);
+ dasd_device_remove_stop_bits(secondary, DASD_STOPPED_PPRC);
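Review bot: The comment on the `uses_cdl` copy says why the value can be copied but not why it sits here. The assignment runs before the `DASD_STOPPED_PPRC` bits are removed, presumably so that no request reaches the new primary with a stale layout; adding `Must happen before the devices are re-enabled below.` to the comment would keep a later reorder from reintroducing the I/O errors described in the commit message. `prim_priv` and `sec_priv` are taken from `->private` in an earlier hunk without a NULL test; whether `private` can be unset for a copy-pair member is not visible here. The function body starts and ends outside the hunk.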
--- /dev/null
+From 40e9cd4ae8ec43b107ed2bff422a8fa39dcf4e4b Mon Sep 17 00:00:00 2001
+From: Stefan Haberland <sth@linux.ibm.com>
+Date: Tue, 10 Mar 2026 15:23:29 +0100
+Subject: s390/dasd: Move quiesce state with pprc swap
+
+From: Stefan Haberland <sth@linux.ibm.com>
+
+commit 40e9cd4ae8ec43b107ed2bff422a8fa39dcf4e4b upstream.
+
+Quiesce and resume is a mechanism to suspend operations on DASD devices.
+In the context of a controlled copy pair swap operation, the quiesce
+operation is usually issued before the actual swap and a resume
+afterwards.
+
+During the swap operation, the underlying device is exchanged. Therefore,
+the quiesce flag must be moved to the secondary device to ensure a
+consistent quiesce state after the swap.
+
+The secondary device itself cannot be suspended separately because there
+is no separate block device representation for it.
+
+Fixes: 413862caad6f ("s390/dasd: add copy pair swap capability")
+Cc: stable@vger.kernel.org #6.1
+Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Link: https://patch.msgid.link/20260310142330.4080106-2-sth@linux.ibm.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/block/dasd_eckd.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -6193,6 +6193,11 @@ static int dasd_eckd_copy_pair_swap(stru
+ dev_name(&secondary->cdev->dev), rc);
+ }
+
++ if (primary->stopped & DASD_STOPPED_QUIESCE) {
++ dasd_device_set_stop_bits(secondary, DASD_STOPPED_QUIESCE);
++ dasd_device_remove_stop_bits(primary, DASD_STOPPED_QUIESCE);
++ }
++
+ /* re-enable device */
+ dasd_device_remove_stop_bits(primary, DASD_STOPPED_PPRC);
+ dasd_device_remove_stop_bits(secondary, DASD_STOPPED_PPRC);
--- /dev/null
+From 598bbefa8032cc58b564a81d1ad68bd815c8dc0f Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger <freude@linux.ibm.com>
+Date: Fri, 27 Feb 2026 14:30:51 +0100
+Subject: s390/zcrypt: Enable AUTOSEL_DOM for CCA serialnr sysfs attribute
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+commit 598bbefa8032cc58b564a81d1ad68bd815c8dc0f upstream.
+
+The serialnr sysfs attribute for CCA cards when queried always
+used the default domain for sending the request down to the card.
+If for any reason exactly this default domain is disabled then
+the attribute code fails to retrieve the CCA info and the sysfs
+entry shows an empty string. Works as designed but the serial
+number is a card attribute and thus it does not matter which
+domain is used for the query. So if there are other domains on
+this card available, these could be used.
+
+So extend the code to use AUTOSEL_DOM for the domain value to
+address any online domain within the card for querying the cca
+info and thus show the serialnr as long as there is one domain
+usable regardless of the default domain setting.
+
+Fixes: 8f291ebf3270 ("s390/zcrypt: enable card/domain autoselect on ep11 cprbs")
+Suggested-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/crypto/zcrypt_ccamisc.c | 12 +++++++-----
+ drivers/s390/crypto/zcrypt_cex4.c | 3 +--
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/s390/crypto/zcrypt_ccamisc.c
++++ b/drivers/s390/crypto/zcrypt_ccamisc.c
+@@ -1640,11 +1640,13 @@ int cca_get_info(u16 cardnr, u16 domain,
+
+ memset(ci, 0, sizeof(*ci));
+
+- /* get first info from zcrypt device driver about this apqn */
+- rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
+- if (rc)
+- return rc;
+- ci->hwtype = devstat.hwtype;
++ /* if specific domain given, fetch status and hw info for this apqn */
++ if (domain != AUTOSEL_DOM) {
++ rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
++ if (rc)
++ return rc;
++ ci->hwtype = devstat.hwtype;
++ }
+
+ /*
+ * Prep memory for rule array and var array use.
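Review bot: When `domain == AUTOSEL_DOM` the status query is skipped, so `ci->hwtype` keeps the zero from the `memset()` and `devstat` is never filled in. The rest of `cca_get_info()` is outside the hunk; if any later line reads `devstat` or a caller relies on `ci->hwtype`, it now sees zero or uninitialised data on this path. The function's header comment should say so, for example `hwtype is only filled in when a specific domain is given`, and `devstat` would be safer zero-initialised at its declaration, which is not visible here. The only caller changed in this commit, `cca_serialnr_show()`, reads just `ci.serial`.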
+--- a/drivers/s390/crypto/zcrypt_cex4.c
++++ b/drivers/s390/crypto/zcrypt_cex4.c
+@@ -84,8 +84,7 @@ static ssize_t cca_serialnr_show(struct
+
+ memset(&ci, 0, sizeof(ci));
+
+- if (ap_domain_index >= 0)
+- cca_get_info(ac->id, ap_domain_index, &ci, 0);
++ cca_get_info(ac->id, AUTOSEL_DOM, &ci, 0);
+
+ return sysfs_emit(buf, "%s\n", ci.serial);
+ }
--- /dev/null
+From 57ccf5ccdc56954f2a91a7f66684fd31c566bde5 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Sat, 7 Mar 2026 04:53:32 -1000
+Subject: sched_ext: Fix enqueue_task_scx() truncation of upper enqueue flags
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 57ccf5ccdc56954f2a91a7f66684fd31c566bde5 upstream.
+
+enqueue_task_scx() takes int enq_flags from the sched_class interface.
+SCX enqueue flags starting at bit 32 (SCX_ENQ_PREEMPT and above) are
+silently truncated when passed through activate_task(). extra_enq_flags
+was added as a workaround - storing high bits in rq->scx.extra_enq_flags
+and OR-ing them back in enqueue_task_scx(). However, the OR target is
+still the int parameter, so the high bits are lost anyway.
+
+The current impact is limited as the only affected flag is SCX_ENQ_PREEMPT
+which is informational to the BPF scheduler - its loss means the scheduler
+doesn't know about preemption but doesn't cause incorrect behavior.
+
+Fix by renaming the int parameter to core_enq_flags and introducing a
+u64 enq_flags local that merges both sources. All downstream functions
+already take u64 enq_flags.
+
+Fixes: f0e1a0643a59 ("sched_ext: Implement BPF extensible scheduler class")
+Cc: stable@vger.kernel.org # v6.12+
+Acked-by: Andrea Righi <arighi@nvidia.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/ext.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -1358,16 +1358,15 @@ static void clr_task_runnable(struct tas
+ p->scx.flags |= SCX_TASK_RESET_RUNNABLE_AT;
+ }
+
+-static void enqueue_task_scx(struct rq *rq, struct task_struct *p, int enq_flags)
++static void enqueue_task_scx(struct rq *rq, struct task_struct *p, int core_enq_flags)
+ {
+ struct scx_sched *sch = scx_root;
+ int sticky_cpu = p->scx.sticky_cpu;
++ u64 enq_flags = core_enq_flags | rq->scx.extra_enq_flags;
+
+ if (enq_flags & ENQUEUE_WAKEUP)
+ rq->scx.flags |= SCX_RQ_IN_WAKEUP;
+
+- enq_flags |= rq->scx.extra_enq_flags;
+-
+ if (sticky_cpu >= 0)
+ p->scx.sticky_cpu = -1;
+
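Review bot: `core_enq_flags` is a signed `int`, so in `u64 enq_flags = core_enq_flags | rq->scx.extra_enq_flags;` it is sign-extended when converted to 64 bits. If bit 31 were ever set in the core flags, every upper bit, including the `SCX_ENQ_PREEMPT` range the commit is restoring, would be set as well. No core flag visible here uses bit 31, so this is a latent hazard rather than a current bug; `u64 enq_flags = (u32)core_enq_flags | rq->scx.extra_enq_flags;` removes it. This assumes `extra_enq_flags` is a 64-bit field, which the hunk does not show; the function body continues past the hunk.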
--- /dev/null
+From 4ce7ada40c008fa21b7e52ab9d04e8746e2e9325 Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Wed, 4 Mar 2026 08:46:03 -0800
+Subject: scsi: core: Fix error handling for scsi_alloc_sdev()
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit 4ce7ada40c008fa21b7e52ab9d04e8746e2e9325 upstream.
+
+After scsi_sysfs_device_initialize() was called, error paths must call
+__scsi_remove_device().
+
+Fixes: 1ac22c8eae81 ("scsi: core: Fix refcount leak for tagset_refcnt")
+Cc: stable@vger.kernel.org
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: John Garry <john.g.garry@oracle.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20260304164603.51528-1-junxiao.bi@oracle.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_scan.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/drivers/scsi/scsi_scan.c
++++ b/drivers/scsi/scsi_scan.c
+@@ -355,12 +355,8 @@ static struct scsi_device *scsi_alloc_sd
+ * default device queue depth to figure out sbitmap shift
+ * since we use this queue depth most of times.
+ */
+- if (scsi_realloc_sdev_budget_map(sdev, depth)) {
+- kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags);
+- put_device(&starget->dev);
+- kfree(sdev);
+- goto out;
+- }
++ if (scsi_realloc_sdev_budget_map(sdev, depth))
++ goto out_device_destroy;
+
+ scsi_change_queue_depth(sdev, depth);
+
net-ncsi-fix-skb-leak-in-error-paths.patch
net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch
net-dsa-microchip-fix-error-path-in-ptp-irq-setup.patch
+drm-amd-pm-remove-invalid-gpu_metrics.energy_accumulator-on-smu-v13.0.x.patch
+drm-amdgpu-fix-use-after-free-race-in-vm-acquire.patch
+drm-amd-set-num-ip-blocks-to-0-if-discovery-fails.patch
+drm-amd-fix-null-pointer-dereference-in-device-cleanup.patch
+drm-bridge-ti-sn65dsi83-fix-cha_dsi_clk_range-rounding.patch
+drm-bridge-ti-sn65dsi83-halve-horizontal-syncs-for-dual-lvds-output.patch
+drm-i915-fix-potential-overflow-of-shmem-scatterlist-length.patch
+drm-i915-psr-repeat-selective-update-area-alignment.patch
+drm-msm-fix-dma_free_attrs-buffer-size.patch
+drm-amd-fix-a-few-more-null-pointer-dereference-in-device-cleanup.patch
+drm-msm-dpu-correct-the-sa8775p-intr_underrun-intr_underrun-index.patch
+tracing-fix-enabling-multiple-events-on-the-kernel-command-line-and-bootconfig.patch
+tracing-fix-trace_buf_size-cmdline-parameter-with-sizes-2g.patch
+net-shapers-don-t-free-reply-skb-after-genlmsg_reply.patch
+qmi_wwan-allow-max_mtu-above-hard_mtu-to-control-rx_urb_size.patch
+io_uring-kbuf-check-if-target-buffer-list-is-still-legacy-on-recycle.patch
+cifs-make-default-value-of-retrans-as-zero.patch
+xfs-fix-integer-overflow-in-bmap-intent-sort-comparator.patch
+xfs-fix-returned-valued-from-xfs_defer_can_append.patch
+xfs-fix-undersized-l_iclog_roundoff-values.patch
+xfs-ensure-dquot-item-is-deleted-from-ail-only-after-log-shutdown.patch
+sched_ext-fix-enqueue_task_scx-truncation-of-upper-enqueue-flags.patch
+s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch
+s390-dasd-move-quiesce-state-with-pprc-swap.patch
+s390-dasd-copy-detected-format-information-to-secondary-device.patch
+powerpc-pseries-correct-msi-allocation-tracking.patch
+powerpc64-bpf-fix-kfunc-call-support.patch
+powerpc64-bpf-fix-the-address-returned-by-bpf_get_func_ip.patch
+lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch
+scsi-core-fix-error-handling-for-scsi_alloc_sdev.patch
+x86-apic-disable-x2apic-on-resume-if-the-kernel-expects-so.patch
+kprobes-remove-unneeded-warnings-from-__arm_kprobe_ftrace.patch
+lib-bootconfig-fix-snprintf-truncation-check-in-xbc_node_compose_key_after.patch
+lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch
+smb-client-fix-atomic-open-with-o_direct-o_sync.patch
+smb-client-fix-in-place-encryption-corruption-in-smb2_write.patch
+smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch
+btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch
+btrfs-fix-transaction-abort-on-file-creation-due-to-name-hash-collision.patch
+btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch
+btrfs-add-missing-rcu-unlock-in-error-path-in-try_release_subpage_extent_buffer.patch
+btrfs-abort-transaction-on-failure-to-update-root-in-the-received-subvol-ioctl.patch
+iio-dac-ds4424-reject-128-raw-value.patch
+iio-frequency-adf4377-fix-duplicated-soft-reset-mask.patch
+iio-chemical-sps30_serial-fix-buffer-size-in-sps30_serial_read_meas.patch
+iio-chemical-sps30_i2c-fix-buffer-size-in-sps30_i2c_read_meas.patch
+iio-magnetometer-tlv493d-remove-erroneous-shift-in-x-axis-data.patch
+iio-potentiometer-mcp4131-fix-double-application-of-wiper-shift.patch
+iio-chemical-bme680-fix-measurement-wait-duration-calculation.patch
+iio-buffer-fix-wait_queue-not-being-removed.patch
+iio-gyro-mpu3050-core-fix-pm_runtime-error-handling.patch
+iio-imu-adis-fix-null-pointer-dereference-in-adis_init.patch
+iio-gyro-mpu3050-i2c-fix-pm_runtime-error-handling.patch
+iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch
+iio-imu-inv_icm42600-fix-odr-switch-to-the-same-value.patch
+iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch
+iio-proximity-hx9023s-fix-assignment-order-for-__counted_by.patch
+iio-proximity-hx9023s-protect-against-division-by-zero-in-set_samp_freq.patch
--- /dev/null
+From 4a7d2729dc99437dbb880a64c47828c0d191b308 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@manguebit.org>
+Date: Sat, 7 Mar 2026 18:20:16 -0300
+Subject: smb: client: fix atomic open with O_DIRECT & O_SYNC
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+commit 4a7d2729dc99437dbb880a64c47828c0d191b308 upstream.
+
+When user application requests O_DIRECT|O_SYNC along with O_CREAT on
+open(2), CREATE_NO_BUFFER and CREATE_WRITE_THROUGH bits were missed in
+CREATE request when performing an atomic open, thus leading to
+potential data integrity issues.
+
+Fix this by setting those missing bits in CREATE request when
+O_DIRECT|O_SYNC has been specified in cifs_do_create().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Reviewed-by: David Howells <dhowells@redhat.com>
+Acked-by: Henrique Carvalho <henrique.carvalho@suse.com>
+Cc: Tom Talpey <tom@talpey.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifsglob.h | 11 +++++++++++
+ fs/smb/client/dir.c | 1 +
+ fs/smb/client/file.c | 18 +++---------------
+ 3 files changed, 15 insertions(+), 15 deletions(-)
+
+--- a/fs/smb/client/cifsglob.h
++++ b/fs/smb/client/cifsglob.h
+@@ -20,6 +20,7 @@
+ #include <linux/utsname.h>
+ #include <linux/sched/mm.h>
+ #include <linux/netfs.h>
++#include <linux/fcntl.h>
+ #include "cifs_fs_sb.h"
+ #include "cifsacl.h"
+ #include <crypto/internal/hash.h>
+@@ -2396,4 +2397,14 @@ static inline void mid_execute_callback(
+ (le32_to_cpu((tcon)->fsAttrInfo.Attributes) & \
+ FILE_SUPPORTS_REPARSE_POINTS))
+
++static inline int cifs_open_create_options(unsigned int oflags, int opts)
++{
++ /* O_SYNC also has bit for O_DSYNC so following check picks up either */
++ if (oflags & O_SYNC)
++ opts |= CREATE_WRITE_THROUGH;
++ if (oflags & O_DIRECT)
++ opts |= CREATE_NO_BUFFER;
++ return opts;
++}
++
+ #endif /* _CIFS_GLOB_H */
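Review bot: `cifs_open_create_options()` takes the current options and returns them with the new bits added, yet all three call sites (`cifs_do_create()`, `cifs_nt_open()`, `cifs_reopen_file()`) write `create_options |= cifs_open_create_options(flags, create_options);`, OR-ing the value with itself. The result is correct but the double use obscures which side owns the accumulation. Plain assignment at the call sites, `create_options = cifs_open_create_options(oflags, create_options);`, matches the helper's signature. A short kernel-doc line on the helper stating that it maps `O_SYNC`/`O_DSYNC` to `CREATE_WRITE_THROUGH` and `O_DIRECT` to `CREATE_NO_BUFFER` would also help, since it now lives in a shared header.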
+--- a/fs/smb/client/dir.c
++++ b/fs/smb/client/dir.c
+@@ -307,6 +307,7 @@ static int cifs_do_create(struct inode *
+ goto out;
+ }
+
++ create_options |= cifs_open_create_options(oflags, create_options);
+ /*
+ * if we're not using unix extensions, see if we need to set
+ * ATTR_READONLY on the create call
+--- a/fs/smb/client/file.c
++++ b/fs/smb/client/file.c
+@@ -584,15 +584,8 @@ static int cifs_nt_open(const char *full
+ *********************************************************************/
+
+ disposition = cifs_get_disposition(f_flags);
+-
+ /* BB pass O_SYNC flag through on file attributes .. BB */
+-
+- /* O_SYNC also has bit for O_DSYNC so following check picks up either */
+- if (f_flags & O_SYNC)
+- create_options |= CREATE_WRITE_THROUGH;
+-
+- if (f_flags & O_DIRECT)
+- create_options |= CREATE_NO_BUFFER;
++ create_options |= cifs_open_create_options(f_flags, create_options);
+
+ retry_open:
+ oparms = (struct cifs_open_parms) {
+@@ -1318,13 +1311,8 @@ cifs_reopen_file(struct cifsFileInfo *cf
+ rdwr_for_fscache = 1;
+
+ desired_access = cifs_convert_flags(cfile->f_flags, rdwr_for_fscache);
+-
+- /* O_SYNC also has bit for O_DSYNC so following check picks up either */
+- if (cfile->f_flags & O_SYNC)
+- create_options |= CREATE_WRITE_THROUGH;
+-
+- if (cfile->f_flags & O_DIRECT)
+- create_options |= CREATE_NO_BUFFER;
++ create_options |= cifs_open_create_options(cfile->f_flags,
++ create_options);
+
+ if (server->ops->get_lease_key)
+ server->ops->get_lease_key(inode, &cfile->fid);
--- /dev/null
+From d4c7210d2f3ea481a6481f03040a64d9077a6172 Mon Sep 17 00:00:00 2001
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+Date: Wed, 11 Mar 2026 20:17:23 -0300
+Subject: smb: client: fix iface port assignment in parse_server_interfaces
+
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+
+commit d4c7210d2f3ea481a6481f03040a64d9077a6172 upstream.
+
+parse_server_interfaces() initializes interface socket addresses with
+CIFS_PORT. When the mount uses a non-default port this overwrites the
+configured destination port.
+
+Later, cifs_chan_update_iface() copies this sockaddr into server->dstaddr,
+causing reconnect attempts to use the wrong port after server interface
+updates.
+
+Use the existing port from server->dstaddr instead.
+
+Cc: stable@vger.kernel.org
+Fixes: fe856be475f7 ("CIFS: parse and store info on iface queries")
+Tested-by: Dr. Thomas Orgis <thomas.orgis@uni-hamburg.de>
+Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
+Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2ops.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/client/smb2ops.c
++++ b/fs/smb/client/smb2ops.c
+@@ -628,6 +628,7 @@ parse_server_interfaces(struct network_i
+ struct iface_info_ipv6 *p6;
+ struct cifs_server_iface *info = NULL, *iface = NULL, *niface = NULL;
+ struct cifs_server_iface tmp_iface;
++ __be16 port;
+ ssize_t bytes_left;
+ size_t next = 0;
+ int nb_iface = 0;
+@@ -662,6 +663,15 @@ parse_server_interfaces(struct network_i
+ goto out;
+ }
+
++ spin_lock(&ses->server->srv_lock);
++ if (ses->server->dstaddr.ss_family == AF_INET)
++ port = ((struct sockaddr_in *)&ses->server->dstaddr)->sin_port;
++ else if (ses->server->dstaddr.ss_family == AF_INET6)
++ port = ((struct sockaddr_in6 *)&ses->server->dstaddr)->sin6_port;
++ else
++ port = cpu_to_be16(CIFS_PORT);
++ spin_unlock(&ses->server->srv_lock);
++
+ while (bytes_left >= (ssize_t)sizeof(*p)) {
+ memset(&tmp_iface, 0, sizeof(tmp_iface));
+ /* default to 1Gbps when link speed is unset */
+@@ -682,7 +692,7 @@ parse_server_interfaces(struct network_i
+ memcpy(&addr4->sin_addr, &p4->IPv4Address, 4);
+
+ /* [MS-SMB2] 2.2.32.5.1.1 Clients MUST ignore these */
+- addr4->sin_port = cpu_to_be16(CIFS_PORT);
++ addr4->sin_port = port;
+
+ cifs_dbg(FYI, "%s: ipv4 %pI4\n", __func__,
+ &addr4->sin_addr);
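Review bot: The comment `[MS-SMB2] 2.2.32.5.1.1 Clients MUST ignore these` still sits directly above `addr4->sin_port = port;` and no longer says where the value comes from. Since the port is now the one captured from `server->dstaddr` under `srv_lock`, the comment could read `/* [MS-SMB2] 2.2.32.5.1.1: ignore the port in the response; keep the port of the existing connection */`. The same applies to the IPv6 assignment in the next hunk. The port is sampled once before the loop, so a destination change during parsing is not reflected; that looks intentional but is worth a word in the comment.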
+@@ -696,7 +706,7 @@ parse_server_interfaces(struct network_i
+ /* [MS-SMB2] 2.2.32.5.1.2 Clients MUST ignore these */
+ addr6->sin6_flowinfo = 0;
+ addr6->sin6_scope_id = 0;
+- addr6->sin6_port = cpu_to_be16(CIFS_PORT);
++ addr6->sin6_port = port;
+
+ cifs_dbg(FYI, "%s: ipv6 %pI6\n", __func__,
+ &addr6->sin6_addr);
--- /dev/null
+From d78840a6a38d312dc1a51a65317bb67e46f0b929 Mon Sep 17 00:00:00 2001
+From: Bharath SM <bharathsm@microsoft.com>
+Date: Mon, 9 Mar 2026 16:00:49 +0530
+Subject: smb: client: fix in-place encryption corruption in SMB2_write()
+
+From: Bharath SM <bharathsm@microsoft.com>
+
+commit d78840a6a38d312dc1a51a65317bb67e46f0b929 upstream.
+
+SMB2_write() places write payload in iov[1..n] as part of rq_iov.
+smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()
+encrypts iov[1] in-place, replacing the original plaintext with
+ciphertext. On a replayable error, the retry sends the same iov[1]
+which now contains ciphertext instead of the original data,
+resulting in corruption.
+
+The corruption is most likely to be observed when connections are
+unstable, as reconnects trigger write retries that re-send the
+already-encrypted data.
+
+This affects SFU mknod, MF symlinks, etc. On kernels before
+6.10 (prior to the netfs conversion), sync writes also used
+this path and were similarly affected. The async write path
+wasn't affected as it uses rq_iter which gets deep-copied.
+
+Fix by moving the write payload into rq_iter via iov_iter_kvec(),
+so smb3_init_transform_rq() deep-copies it before encryption.
+
+Cc: stable@vger.kernel.org #6.3+
+Acked-by: Henrique Carvalho <henrique.carvalho@suse.com>
+Acked-by: Shyam Prasad N <sprasad@microsoft.com>
+Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Bharath SM <bharathsm@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2pdu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -5172,7 +5172,10 @@ replay_again:
+
+ memset(&rqst, 0, sizeof(struct smb_rqst));
+ rqst.rq_iov = iov;
+- rqst.rq_nvec = n_vec + 1;
++ /* iov[0] is the SMB header; move payload to rq_iter for encryption safety */
++ rqst.rq_nvec = 1;
++ iov_iter_kvec(&rqst.rq_iter, ITER_SOURCE, &iov[1], n_vec,
++ io_parms->length);
+
+ if (retries)
+ smb2_set_replay(server, &rqst);
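Review bot: The new comment says only "for encryption safety", which does not tell the next reader what breaks if the payload is moved back into `rq_iov`. Per the commit message, the transform encrypts `rq_iov` entries in place, so a replay would re-send ciphertext. I would spell that out, e.g. `/* iov[0] is the SMB header; payload goes in rq_iter so the transform encrypts a copy and a replay re-sends plaintext */`. The iterator is also sized with `io_parms->length` while its segments come from `iov[1..n_vec]`; the code that fills those is outside the hunk, so presumably the lengths always agree, and a short comment stating that invariant would help. The enclosing function starts and ends outside this hunk.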
--- /dev/null
+From 3b1679e086bb869ca02722f6bd29b3573a6a0e7e Mon Sep 17 00:00:00 2001
+From: Andrei-Alexandru Tachici <andrei-alexandru.tachici@oss.qualcomm.com>
+Date: Mon, 2 Mar 2026 11:27:34 +0100
+Subject: tracing: Fix enabling multiple events on the kernel command line and bootconfig
+
+From: Andrei-Alexandru Tachici <andrei-alexandru.tachici@oss.qualcomm.com>
+
+commit 3b1679e086bb869ca02722f6bd29b3573a6a0e7e upstream.
+
+Multiple events can be enabled on the kernel command line via a comma
+separator. But if they are specified one at a time, then only the last
+event is enabled. This is because the event names are saved in a temporary
+buffer, and each call by the init cmdline code will reset that buffer.
+
+This also affects names in the boot config file, as it may call the
+callback multiple times with an example of:
+
+ kernel.trace_event = ":mod:rproc_qcom_common", ":mod:qrtr", ":mod:qcom_aoss"
+
+Change the cmdline callback function to append a comma and the next value
+if the temporary buffer already has content.
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Link: https://patch.msgid.link/20260302-trace-events-allow-multiple-modules-v1-1-ce4436e37fb8@oss.qualcomm.com
+Signed-off-by: Andrei-Alexandru Tachici <andrei-alexandru.tachici@oss.qualcomm.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -4342,7 +4342,11 @@ static char bootup_event_buf[COMMAND_LIN
+
+ static __init int setup_trace_event(char *str)
+ {
+- strscpy(bootup_event_buf, str, COMMAND_LINE_SIZE);
++ if (bootup_event_buf[0] != '\0')
++ strlcat(bootup_event_buf, ",", COMMAND_LINE_SIZE);
++
++ strlcat(bootup_event_buf, str, COMMAND_LINE_SIZE);
++
+ trace_set_ring_buffer_expanded(NULL);
+ disable_tracing_selftest("running event tracing");
+
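Review bot: Both `strlcat()` calls ignore their return value, so once the accumulated list no longer fits in `bootup_event_buf` the tail is dropped silently and the last event name can be cut mid-token. The commit message says bootconfig may invoke the callback several times, so this looks reachable, and the user gets no hint why an event was not enabled. I would check the second call, `if (strlcat(bootup_event_buf, str, COMMAND_LINE_SIZE) >= COMMAND_LINE_SIZE)`, followed by `pr_warn("trace_event list truncated\n");`. The body of `setup_trace_event()` continues past the end of the hunk.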
--- /dev/null
+From d008ba8be8984760e36d7dcd4adbd5a41a645708 Mon Sep 17 00:00:00 2001
+From: Calvin Owens <calvin@wbinvd.org>
+Date: Fri, 6 Mar 2026 19:19:25 -0800
+Subject: tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G
+
+From: Calvin Owens <calvin@wbinvd.org>
+
+commit d008ba8be8984760e36d7dcd4adbd5a41a645708 upstream.
+
+Some of the sizing logic through tracer_alloc_buffers() uses int
+internally, causing unexpected behavior if the user passes a value that
+does not fit in an int (on my x86 machine, the result is uselessly tiny
+buffers).
+
+Fix by plumbing the parameter's real type (unsigned long) through to the
+ring buffer allocation functions, which already use unsigned long.
+
+It has always been possible to create larger ring buffers via the sysfs
+interface: this only affects the cmdline parameter.
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Link: https://patch.msgid.link/bff42a4288aada08bdf74da3f5b67a2c28b761f8.1772852067.git.calvin@wbinvd.org
+Fixes: 73c5162aa362 ("tracing: keep ring buffer to minimum size till used")
+Signed-off-by: Calvin Owens <calvin@wbinvd.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -9849,7 +9849,7 @@ static void setup_trace_scratch(struct t
+ }
+
+ static int
+-allocate_trace_buffer(struct trace_array *tr, struct array_buffer *buf, int size)
++allocate_trace_buffer(struct trace_array *tr, struct array_buffer *buf, unsigned long size)
+ {
+ enum ring_buffer_flags rb_flags;
+ struct trace_scratch *tscratch;
+@@ -9904,7 +9904,7 @@ static void free_trace_buffer(struct arr
+ }
+ }
+
+-static int allocate_trace_buffers(struct trace_array *tr, int size)
++static int allocate_trace_buffers(struct trace_array *tr, unsigned long size)
+ {
+ int ret;
+
+@@ -11186,7 +11186,7 @@ __init static void enable_instances(void
+
+ __init static int tracer_alloc_buffers(void)
+ {
+- int ring_buf_size;
++ unsigned long ring_buf_size;
+ int ret = -ENOMEM;
+
+
--- /dev/null
+From 8cc7dd77a1466f0ec58c03478b2e735a5b289b96 Mon Sep 17 00:00:00 2001
+From: Shashank Balaji <shashank.mahadasyam@sony.com>
+Date: Fri, 6 Mar 2026 14:46:28 +0900
+Subject: x86/apic: Disable x2apic on resume if the kernel expects so
+
+From: Shashank Balaji <shashank.mahadasyam@sony.com>
+
+commit 8cc7dd77a1466f0ec58c03478b2e735a5b289b96 upstream.
+
+When resuming from s2ram, firmware may re-enable x2apic mode, which may have
+been disabled by the kernel during boot either because it doesn't support IRQ
+remapping or for other reasons. This causes the kernel to continue using the
+xapic interface, while the hardware is in x2apic mode, which causes hangs.
+This happens on defconfig + bare metal + s2ram.
+
+Fix this in lapic_resume() by disabling x2apic if the kernel expects it to be
+disabled, i.e. when x2apic_mode = 0.
+
+The ACPI v6.6 spec, Section 16.3 [1] says firmware restores either the
+pre-sleep configuration or initial boot configuration for each CPU, including
+MSR state:
+
+ When executing from the power-on reset vector as a result of waking from an
+ S2 or S3 sleep state, the platform firmware performs only the hardware
+ initialization required to restore the system to either the state the
+ platform was in prior to the initial operating system boot, or to the
+ pre-sleep configuration state. In multiprocessor systems, non-boot
+ processors should be placed in the same state as prior to the initial
+ operating system boot.
+
+ (further ahead)
+
+ If this is an S2 or S3 wake, then the platform runtime firmware restores
+ minimum context of the system before jumping to the waking vector. This
+ includes:
+
+ CPU configuration. Platform runtime firmware restores the pre-sleep
+ configuration or initial boot configuration of each CPU (MSR, MTRR,
+ firmware update, SMBase, and so on). Interrupts must be disabled (for
+ IA-32 processors, disabled by CLI instruction).
+
+ (and other things)
+
+So at least as per the spec, re-enablement of x2apic by the firmware is
+allowed if "x2apic on" is a part of the initial boot configuration.
+
+ [1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization
+
+ [ bp: Massage. ]
+
+Fixes: 6e1cb38a2aef ("x64, x2apic/intr-remap: add x2apic support, including enabling interrupt-remapping")
+Co-developed-by: Rahul Bukte <rahul.bukte@sony.com>
+Signed-off-by: Rahul Bukte <rahul.bukte@sony.com>
+Signed-off-by: Shashank Balaji <shashank.mahadasyam@sony.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Thomas Gleixner <tglx@kernel.org>
+Reviewed-by: Sohil Mehta <sohil.mehta@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260306-x2apic-fix-v2-1-bee99c12efa3@sony.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/apic/apic.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1890,6 +1890,7 @@ void __init check_x2apic(void)
+
+ static inline void try_to_enable_x2apic(int remap_mode) { }
+ static inline void __x2apic_enable(void) { }
++static inline void __x2apic_disable(void) { }
+ #endif /* !CONFIG_X86_X2APIC */
+
+ void __init enable_IR_x2apic(void)
+@@ -2452,6 +2453,11 @@ static void lapic_resume(void)
+ if (x2apic_mode) {
+ __x2apic_enable();
+ } else {
++ if (x2apic_enabled()) {
++ pr_warn_once("x2apic: re-enabled by firmware during resume. Disabling\n");
++ __x2apic_disable();
++ }
++
+ /*
+ * Make sure the APICBASE points to the right address
+ *
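Review bot: The added `if (x2apic_enabled())` branch in `lapic_resume()` has no comment, so the reason the hardware mode can differ from `x2apic_mode` after resume lives only in the commit message. I would put a short comment above the check, `/* Firmware may restore the initial boot configuration on S2/S3 wake and turn x2apic back on; force xapic mode again before touching the APIC. */`. The `pr_warn_once()` text could also say which mode the kernel is returning to. `lapic_resume()` starts and ends outside this hunk, and the real `__x2apic_disable()` is not visible here, so its behaviour on this path should be confirmed against that definition.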
--- /dev/null
+From 186ac39b8a7d3ec7ce9c5dd45e5c2730177f375c Mon Sep 17 00:00:00 2001
+From: Long Li <leo.lilong@huawei.com>
+Date: Thu, 5 Mar 2026 16:49:22 +0800
+Subject: xfs: ensure dquot item is deleted from AIL only after log shutdown
+
+From: Long Li <leo.lilong@huawei.com>
+
+commit 186ac39b8a7d3ec7ce9c5dd45e5c2730177f375c upstream.
+
+In xfs_qm_dqflush(), when a dquot flush fails due to corruption
+(the out_abort error path), the original code removed the dquot log
+item from the AIL before calling xfs_force_shutdown(). This ordering
+introduces a subtle race condition that can lead to data loss after
+a crash.
+
+The AIL tracks the oldest dirty metadata in the journal. The position
+of the tail item in the AIL determines the log tail LSN, which is the
+oldest LSN that must be preserved for crash recovery. When an item is
+removed from the AIL, the log tail can advance past the LSN of that item.
+
+The race window is as follows: if the dquot item happens to be at
+the tail of the log, removing it from the AIL allows the log tail
+to advance. If a concurrent log write is sampling the tail LSN at
+the same time and subsequently writes a complete checkpoint (i.e.,
+one containing a commit record) to disk before the shutdown takes
+effect, the journal will no longer protect the dquot's last
+modification. On the next mount, log recovery will not replay the
+dquot changes, even though they were never written back to disk,
+resulting in silent data loss.
+
+Fix this by calling xfs_force_shutdown() before xfs_trans_ail_delete()
+in the out_abort path. Once the log is shut down, no new log writes
+can complete with an updated tail LSN, making it safe to remove the
+dquot item from the AIL.
+
+Cc: stable@vger.kernel.org
+Fixes: b707fffda6a3 ("xfs: abort consistently on dquot flush failure")
+Signed-off-by: Long Li <leo.lilong@huawei.com>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Carlos Maiolino <cem@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_dquot.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_dquot.c
++++ b/fs/xfs/xfs_dquot.c
+@@ -1464,9 +1464,15 @@ xfs_qm_dqflush(
+ return 0;
+
+ out_abort:
++ /*
++ * Shut down the log before removing the dquot item from the AIL.
++ * Otherwise, the log tail may advance past this item's LSN while
++ * log writes are still in progress, making these unflushed changes
++ * unrecoverable on the next mount.
++ */
++ xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
+ dqp->q_flags &= ~XFS_DQFLAG_DIRTY;
+ xfs_trans_ail_delete(lip, 0);
+- xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
+ xfs_dqfunlock(dqp);
+ return error;
+ }
--- /dev/null
+From 362c490980867930a098b99f421268fbd7ca05fd Mon Sep 17 00:00:00 2001
+From: Long Li <leo.lilong@huawei.com>
+Date: Tue, 10 Mar 2026 20:32:33 +0800
+Subject: xfs: fix integer overflow in bmap intent sort comparator
+
+From: Long Li <leo.lilong@huawei.com>
+
+commit 362c490980867930a098b99f421268fbd7ca05fd upstream.
+
+xfs_bmap_update_diff_items() sorts bmap intents by inode number using
+a subtraction of two xfs_ino_t (uint64_t) values, with the result
+truncated to int. This is incorrect when two inode numbers differ by
+more than INT_MAX (2^31 - 1), which is entirely possible on large XFS
+filesystems.
+
+Fix this by replacing the subtraction with cmp_int().
+
+Cc: <stable@vger.kernel.org> # v4.9
+Fixes: 9f3afb57d5f1 ("xfs: implement deferred bmbt map/unmap operations")
+Signed-off-by: Long Li <leo.lilong@huawei.com>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Signed-off-by: Carlos Maiolino <cem@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_bmap_item.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_bmap_item.c
++++ b/fs/xfs/xfs_bmap_item.c
+@@ -247,7 +247,7 @@ xfs_bmap_update_diff_items(
+ struct xfs_bmap_intent *ba = bi_entry(a);
+ struct xfs_bmap_intent *bb = bi_entry(b);
+
+- return ba->bi_owner->i_ino - bb->bi_owner->i_ino;
++ return cmp_int(ba->bi_owner->i_ino, bb->bi_owner->i_ino);
+ }
+
+ /* Log bmap updates in the intent item. */
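Review bot: The `cmp_int()` line in `xfs_bmap_update_diff_items()` fixes the truncation, but nothing at the call site records why plain subtraction is wrong here, so the pattern can easily come back. I would add a one-line comment above the return, `/* i_ino is 64 bits wide; a subtraction truncated to int can report the wrong order */`. Comparators for other intent types are outside this view; if they use the same subtraction on 64-bit keys, they presumably need the same change.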
--- /dev/null
+From 54fcd2f95f8d216183965a370ec69e1aab14f5da Mon Sep 17 00:00:00 2001
+From: Carlos Maiolino <cem@kernel.org>
+Date: Wed, 4 Mar 2026 19:54:27 +0100
+Subject: xfs: fix returned valued from xfs_defer_can_append
+
+From: Carlos Maiolino <cem@kernel.org>
+
+commit 54fcd2f95f8d216183965a370ec69e1aab14f5da upstream.
+
+xfs_defer_can_append returns a bool, it shouldn't be returning
+a NULL.
+
+Found by code inspection.
+
+Fixes: 4dffb2cbb483 ("xfs: allow pausing of pending deferred work items")
+Cc: <stable@vger.kernel.org> # v6.8
+Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Acked-by: Souptick Joarder <souptick.joarder@hpe.com>
+Signed-off-by: Carlos Maiolino <cem@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/libxfs/xfs_defer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/libxfs/xfs_defer.c
++++ b/fs/xfs/libxfs/xfs_defer.c
+@@ -809,7 +809,7 @@ xfs_defer_can_append(
+
+ /* Paused items cannot absorb more work */
+ if (dfp->dfp_flags & XFS_DEFER_PAUSED)
+- return NULL;
++ return false;
+
+ /* Already full? */
+ if (ops->max_items && dfp->dfp_count >= ops->max_items)
--- /dev/null
+From 52a8a1ba883defbfe3200baa22cf4cd21985d51a Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <djwong@kernel.org>
+Date: Wed, 4 Mar 2026 20:26:20 -0800
+Subject: xfs: fix undersized l_iclog_roundoff values
+
+From: Darrick J. Wong <djwong@kernel.org>
+
+commit 52a8a1ba883defbfe3200baa22cf4cd21985d51a upstream.
+
+If the superblock doesn't list a log stripe unit, we set the incore log
+roundoff value to 512. This leads to corrupt logs and unmountable
+filesystems in generic/617 on a disk with 4k physical sectors...
+
+XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c
+XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197.
+XFS (sda1): failed to locate log tail
+XFS (sda1): log mount/recovery failed: error -74
+XFS (sda1): log mount failed
+XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c
+XFS (sda1): Ending clean mount
+
+...on the current xfsprogs for-next which has a broken mkfs. xfs_info
+shows this...
+
+meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks
+ = sectsz=4096 attr=2, projid32bit=1
+ = crc=1 finobt=1, sparse=1, rmapbt=1
+ = reflink=1 bigtime=1 inobtcount=1 nrext64=1
+ = exchange=1 metadir=1
+data = bsize=4096 blocks=2579968, imaxpct=25
+ = sunit=0 swidth=0 blks
+naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1
+log =internal log bsize=4096 blocks=16384, version=2
+ = sectsz=4096 sunit=0 blks, lazy-count=1
+realtime =none extsz=4096 blocks=0, rtextents=0
+ = rgcount=0 rgsize=268435456 extents
+ = zoned=0 start=0 reserved=0
+
+...observe that the log section has sectsz=4096 sunit=0, which means
+that the roundoff factor is 512, not 4096 as you'd expect. We should
+fix mkfs not to generate broken filesystems, but anyone can fuzz the
+ondisk superblock so we should be more cautious. I think the inadequate
+logic predates commit a6a65fef5ef8d0, but that's clearly going to
+require a different backport.
+
+Cc: stable@vger.kernel.org # v5.14
+Fixes: a6a65fef5ef8d0 ("xfs: log stripe roundoff is a property of the log")
+Signed-off-by: Darrick J. Wong <djwong@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Carlos Maiolino <cem@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_log.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/xfs/xfs_log.c
++++ b/fs/xfs/xfs_log.c
+@@ -1397,6 +1397,8 @@ xlog_alloc_log(
+
+ if (xfs_has_logv2(mp) && mp->m_sb.sb_logsunit > 1)
+ log->l_iclog_roundoff = mp->m_sb.sb_logsunit;
++ else if (mp->m_sb.sb_logsectsize > 0)
++ log->l_iclog_roundoff = mp->m_sb.sb_logsectsize;
+ else
+ log->l_iclog_roundoff = BBSIZE;
+
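Review bot: The new `else if` accepts any non-zero `sb_logsectsize` as the roundoff, and the first branch still prefers `sb_logsunit` whenever it is greater than 1, even if that is smaller than the log sector size. The commit message itself notes that the on-disk superblock can be fuzzed. Unless superblock verification (not visible here) guarantees a power-of-two sector size and `sb_logsunit >= sb_logsectsize`, an undersized or odd roundoff remains possible. I would record the invariant above the chain, `/* roundoff must never be smaller than the log sector size */`, and confirm that the verifier enforces it. `xlog_alloc_log()` starts and ends outside this hunk.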