6.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 12 Jan 2026 10:48:51 +0000 (11:48 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 12 Jan 2026 10:48:51 +0000 (11:48 +0100)
added patches:
alsa-ac97-fix-a-double-free-in-snd_ac97_controller_register.patch
alsa-hda-tas2781-properly-initialize-speaker_id-for-tas2563.patch
arm64-dts-imx95-correct-i3c2-pclk-to-imx95_clk_buswakeup.patch
arm64-fix-cleared-e0poe-bit-after-cpu_suspend-resume.patch
atm-fix-dma_free_coherent-size.patch
bnxt_en-fix-null-pointer-crash-in-bnxt_ptp_enable-during-error-cleanup.patch
btrfs-always-detect-conflicting-inodes-when-logging-inode-refs.patch
counter-104-quad-8-fix-incorrect-return-value-in-irq-handler.patch
counter-interrupt-cnt-drop-irqf_no_thread-flag.patch
drm-amd-display-apply-e4479aecf658-to-dml.patch
drm-amdgpu-fix-query-for-vpe-block_type-and-ip_count.patch
drm-atomic-helper-export-and-namespace-some-functions.patch
drm-pl111-fix-error-handling-in-pl111_amba_probe.patch
drm-radeon-remove-__counted_by-from-clockinfoarray.clockinfo.patch
drm-tidss-fix-enable-disable-order.patch
gpio-rockchip-mark-the-gpio-controller-as-sleeping.patch
io_uring-io-wq-fix-incorrect-io_wq_for_each_worker-termination-logic.patch
lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch
libceph-make-calc_target-set-t-paused-not-just-clear-it.patch
libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch
libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch
libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch
libceph-reset-sparse-read-state-in-osd_fault.patch
libceph-return-the-handler-error-from-mon_handle_auth_done.patch
mei-me-add-nova-lake-point-s-did.patch
net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch
net-do-not-write-to-msg_get_inq-in-callee.patch
nfsd-check-that-server-is-running-in-unlock_filesystem.patch
nfsd-fix-permission-check-for-read-access-to-executable-only-files.patch
nfsd-net-ref-data-still-needs-to-be-freed-even-if-net-hasn-t-startup.patch
nfsd-provide-locking-for-v4_end_grace.patch
nfsd-remove-nfserr_eagain.patch
nfsd-use-correct-loop-termination-in-nfsd4_revoke_states.patch
nouveau-don-t-attempt-fwsec-on-sb-on-newer-platforms.patch
pci-meson-report-that-link-is-up-while-in-aspm-l0s-and-l1-states.patch
pinctrl-qcom-lpass-lpi-mark-the-gpio-controller-as-sleeping.patch
pm-hibernate-fix-crash-when-freeing-invalid-crypto-compressor.patch
revert-drm-atomic-helper-re-order-bridge-chain-pre-enable-and-post-disable.patch
revert-drm-mediatek-dsi-fix-dsi-host-and-panel-bridge-pre-enable-order.patch
riscv-boot-always-make-image-from-vmlinux-not-vmlinux.unstripped.patch
rust_binder-remove-spin_lock-in-rust_shrink_free_page.patch
series
tracing-add-recursion-protection-in-kernel-stack-trace-recording.patch
wifi-avoid-kernel-infoleak-from-struct-iw_point.patch
wifi-mac80211-restore-non-chanctx-injection-behaviour.patch

45 files changed:
queue-6.18/alsa-ac97-fix-a-double-free-in-snd_ac97_controller_register.patch [new file with mode: 0644]
queue-6.18/alsa-hda-tas2781-properly-initialize-speaker_id-for-tas2563.patch [new file with mode: 0644]
queue-6.18/arm64-dts-imx95-correct-i3c2-pclk-to-imx95_clk_buswakeup.patch [new file with mode: 0644]
queue-6.18/arm64-fix-cleared-e0poe-bit-after-cpu_suspend-resume.patch [new file with mode: 0644]
queue-6.18/atm-fix-dma_free_coherent-size.patch [new file with mode: 0644]
queue-6.18/bnxt_en-fix-null-pointer-crash-in-bnxt_ptp_enable-during-error-cleanup.patch [new file with mode: 0644]
queue-6.18/btrfs-always-detect-conflicting-inodes-when-logging-inode-refs.patch [new file with mode: 0644]
queue-6.18/counter-104-quad-8-fix-incorrect-return-value-in-irq-handler.patch [new file with mode: 0644]
queue-6.18/counter-interrupt-cnt-drop-irqf_no_thread-flag.patch [new file with mode: 0644]
queue-6.18/drm-amd-display-apply-e4479aecf658-to-dml.patch [new file with mode: 0644]
queue-6.18/drm-amdgpu-fix-query-for-vpe-block_type-and-ip_count.patch [new file with mode: 0644]
queue-6.18/drm-atomic-helper-export-and-namespace-some-functions.patch [new file with mode: 0644]
queue-6.18/drm-pl111-fix-error-handling-in-pl111_amba_probe.patch [new file with mode: 0644]
queue-6.18/drm-radeon-remove-__counted_by-from-clockinfoarray.clockinfo.patch [new file with mode: 0644]
queue-6.18/drm-tidss-fix-enable-disable-order.patch [new file with mode: 0644]
queue-6.18/gpio-rockchip-mark-the-gpio-controller-as-sleeping.patch [new file with mode: 0644]
queue-6.18/io_uring-io-wq-fix-incorrect-io_wq_for_each_worker-termination-logic.patch [new file with mode: 0644]
queue-6.18/lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch [new file with mode: 0644]
queue-6.18/libceph-make-calc_target-set-t-paused-not-just-clear-it.patch [new file with mode: 0644]
queue-6.18/libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch [new file with mode: 0644]
queue-6.18/libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch [new file with mode: 0644]
queue-6.18/libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch [new file with mode: 0644]
queue-6.18/libceph-reset-sparse-read-state-in-osd_fault.patch [new file with mode: 0644]
queue-6.18/libceph-return-the-handler-error-from-mon_handle_auth_done.patch [new file with mode: 0644]
queue-6.18/mei-me-add-nova-lake-point-s-did.patch [new file with mode: 0644]
queue-6.18/net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch [new file with mode: 0644]
queue-6.18/net-do-not-write-to-msg_get_inq-in-callee.patch [new file with mode: 0644]
queue-6.18/nfsd-check-that-server-is-running-in-unlock_filesystem.patch [new file with mode: 0644]
queue-6.18/nfsd-fix-permission-check-for-read-access-to-executable-only-files.patch [new file with mode: 0644]
queue-6.18/nfsd-net-ref-data-still-needs-to-be-freed-even-if-net-hasn-t-startup.patch [new file with mode: 0644]
queue-6.18/nfsd-provide-locking-for-v4_end_grace.patch [new file with mode: 0644]
queue-6.18/nfsd-remove-nfserr_eagain.patch [new file with mode: 0644]
queue-6.18/nfsd-use-correct-loop-termination-in-nfsd4_revoke_states.patch [new file with mode: 0644]
queue-6.18/nouveau-don-t-attempt-fwsec-on-sb-on-newer-platforms.patch [new file with mode: 0644]
queue-6.18/pci-meson-report-that-link-is-up-while-in-aspm-l0s-and-l1-states.patch [new file with mode: 0644]
queue-6.18/pinctrl-qcom-lpass-lpi-mark-the-gpio-controller-as-sleeping.patch [new file with mode: 0644]
queue-6.18/pm-hibernate-fix-crash-when-freeing-invalid-crypto-compressor.patch [new file with mode: 0644]
queue-6.18/revert-drm-atomic-helper-re-order-bridge-chain-pre-enable-and-post-disable.patch [new file with mode: 0644]
queue-6.18/revert-drm-mediatek-dsi-fix-dsi-host-and-panel-bridge-pre-enable-order.patch [new file with mode: 0644]
queue-6.18/riscv-boot-always-make-image-from-vmlinux-not-vmlinux.unstripped.patch [new file with mode: 0644]
queue-6.18/rust_binder-remove-spin_lock-in-rust_shrink_free_page.patch [new file with mode: 0644]
queue-6.18/series [new file with mode: 0644]
queue-6.18/tracing-add-recursion-protection-in-kernel-stack-trace-recording.patch [new file with mode: 0644]
queue-6.18/wifi-avoid-kernel-infoleak-from-struct-iw_point.patch [new file with mode: 0644]
queue-6.18/wifi-mac80211-restore-non-chanctx-injection-behaviour.patch [new file with mode: 0644]

diff --git a/queue-6.18/alsa-ac97-fix-a-double-free-in-snd_ac97_controller_register.patch b/queue-6.18/alsa-ac97-fix-a-double-free-in-snd_ac97_controller_register.patch
new file mode 100644 (file)
index 0000000..0305169
--- /dev/null
@@ -0,0 +1,63 @@
+From 830988b6cf197e6dcffdfe2008c5738e6c6c3c0f Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+Date: Sat, 20 Dec 2025 00:28:45 +0800
+Subject: ALSA: ac97: fix a double free in snd_ac97_controller_register()
+
+From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+
+commit 830988b6cf197e6dcffdfe2008c5738e6c6c3c0f upstream.
+
+If ac97_add_adapter() fails, put_device() is the correct way to drop
+the device reference. kfree() is not required.
+Add kfree() if idr_alloc() fails and in ac97_adapter_release() to do
+the cleanup.
+
+Found by code review.
+
+Fixes: 74426fbff66e ("ALSA: ac97: add an ac97 bus")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+Link: https://patch.msgid.link/20251219162845.657525-1-lihaoxiang@isrc.iscas.ac.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/ac97/bus.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/sound/ac97/bus.c
++++ b/sound/ac97/bus.c
+@@ -298,6 +298,7 @@ static void ac97_adapter_release(struct
+       idr_remove(&ac97_adapter_idr, ac97_ctrl->nr);
+       dev_dbg(&ac97_ctrl->adap, "adapter unregistered by %s\n",
+               dev_name(ac97_ctrl->parent));
++      kfree(ac97_ctrl);
+ }
+ static const struct device_type ac97_adapter_type = {
+@@ -319,7 +320,9 @@ static int ac97_add_adapter(struct ac97_
+               ret = device_register(&ac97_ctrl->adap);
+               if (ret)
+                       put_device(&ac97_ctrl->adap);
+-      }
++      } else
++              kfree(ac97_ctrl);
++
+       if (!ret) {
+               list_add(&ac97_ctrl->controllers, &ac97_controllers);
+               dev_dbg(&ac97_ctrl->adap, "adapter registered by %s\n",
+@@ -361,14 +364,11 @@ struct ac97_controller *snd_ac97_control
+       ret = ac97_add_adapter(ac97_ctrl);
+       if (ret)
+-              goto err;
++              return ERR_PTR(ret);
+       ac97_bus_reset(ac97_ctrl);
+       ac97_bus_scan(ac97_ctrl);
+       return ac97_ctrl;
+-err:
+-      kfree(ac97_ctrl);
+-      return ERR_PTR(ret);
+ }
+ EXPORT_SYMBOL_GPL(snd_ac97_controller_register);
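Review bot: After this change `ac97_add_adapter()` releases `ac97_ctrl` on every failure path, but nothing at the function states that ownership contract, and a caller that frees again would bring back the double free. The two paths are the new `else kfree(ac97_ctrl);` when idr_alloc() fails and `put_device()` when device_register() fails, the latter presumably ending in ac97_adapter_release(). I would add a comment above the function such as `/* On failure ac97_ctrl has already been freed; callers must not touch or free it. */`. As a style point, kernel coding style wants braces on both arms once one arm has them, so the new branch should read `} else {` / `kfree(ac97_ctrl);` / `}`. All three functions start outside the hunks shown, so the rest of their error handling is assumed unchanged.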
diff --git a/queue-6.18/alsa-hda-tas2781-properly-initialize-speaker_id-for-tas2563.patch b/queue-6.18/alsa-hda-tas2781-properly-initialize-speaker_id-for-tas2563.patch
new file mode 100644 (file)
index 0000000..9a0d382
--- /dev/null
@@ -0,0 +1,49 @@
+From e340663bbf2a75dae5d4fddf90b49281f5c9df3f Mon Sep 17 00:00:00 2001
+From: August Wikerfors <git@augustwikerfors.se>
+Date: Mon, 22 Dec 2025 20:47:04 +0100
+Subject: ALSA: hda/tas2781: properly initialize speaker_id for TAS2563
+
+From: August Wikerfors <git@augustwikerfors.se>
+
+commit e340663bbf2a75dae5d4fddf90b49281f5c9df3f upstream.
+
+After speaker id retrieval was refactored to happen in tas2781_read_acpi,
+devices that do not use a speaker id need a negative speaker_id value
+instead of NULL, but no initialization was added to the TAS2563 code path.
+This causes the driver to attempt to load a non-existent firmware file name
+with a speaker id of 0 ("TAS2XXX38700.bin") instead of the correct file
+name without a speaker id ("TAS2XXX3870.bin"), resulting in low volume and
+these dmesg errors:
+
+    tas2781-hda i2c-INT8866:00: Direct firmware load for TAS2XXX38700.bin failed with error -2
+    tas2781-hda i2c-INT8866:00: tasdevice_dsp_parser: load TAS2XXX38700.bin error
+    tas2781-hda i2c-INT8866:00: dspfw load TAS2XXX38700.bin error
+    [...]
+    tas2781-hda i2c-INT8866:00: tasdevice_prmg_load: Firmware is NULL
+
+Fix this by setting speaker_id to -1 as is done for other models.
+
+Fixes: 945865a0ddf3 ("ALSA: hda/tas2781: fix speaker id retrieval for multiple probes")
+Cc: stable@vger.kernel.org
+Signed-off-by: August Wikerfors <git@augustwikerfors.se>
+Link: https://patch.msgid.link/20251222194704.87232-1-git@augustwikerfors.se
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/hda/codecs/side-codecs/tas2781_hda_i2c.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c
++++ b/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c
+@@ -111,8 +111,10 @@ static int tas2781_read_acpi(struct tasd
+       sub = acpi_get_subsystem_id(ACPI_HANDLE(physdev));
+       if (IS_ERR(sub)) {
+               /* No subsys id in older tas2563 projects. */
+-              if (!strncmp(hid, "INT8866", sizeof("INT8866")))
++              if (!strncmp(hid, "INT8866", sizeof("INT8866"))) {
++                      p->speaker_id = -1;
+                       goto end_2563;
++              }
+               dev_err(p->dev, "Failed to get SUBSYS ID.\n");
+               ret = PTR_ERR(sub);
+               goto err;
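Review bot: The `p->speaker_id = -1;` added in the INT8866 branch is a bare sentinel with no explanation at this site. Per the commit message a negative value means "no speaker id", while a value of 0 silently selects a different firmware file name. A one-line comment such as `/* negative: device has no speaker id, firmware name carries no id suffix */` would keep that visible to the next editor. If the other paths in tas2781_read_acpi() assign the same value, initialising it once at the top of the function would avoid having to remember it on each early exit; most of the function lies outside this hunk, so that needs confirming.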
diff --git a/queue-6.18/arm64-dts-imx95-correct-i3c2-pclk-to-imx95_clk_buswakeup.patch b/queue-6.18/arm64-dts-imx95-correct-i3c2-pclk-to-imx95_clk_buswakeup.patch
new file mode 100644 (file)
index 0000000..41a2c76
--- /dev/null
@@ -0,0 +1,32 @@
+From cd0caaf2005547eaef8170356939aaabfcad4837 Mon Sep 17 00:00:00 2001
+From: Carlos Song <carlos.song@nxp.com>
+Date: Tue, 18 Nov 2025 14:28:54 +0800
+Subject: arm64: dts: imx95: correct I3C2 pclk to IMX95_CLK_BUSWAKEUP
+
+From: Carlos Song <carlos.song@nxp.com>
+
+commit cd0caaf2005547eaef8170356939aaabfcad4837 upstream.
+
+I3C2 is in WAKEUP domain. Its pclk should be IMX95_CLK_BUSWAKEUP.
+
+Fixes: 969497ebefcf ("arm64: dts: imx95: Add i3c1 and i3c2")
+Signed-off-by: Carlos Song <carlos.song@nxp.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx95.dtsi |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx95.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx95.dtsi
+@@ -806,7 +806,7 @@
+                               interrupts = <GIC_SPI 57 IRQ_TYPE_LEVEL_HIGH>;
+                               #address-cells = <3>;
+                               #size-cells = <0>;
+-                              clocks = <&scmi_clk IMX95_CLK_BUSAON>,
++                              clocks = <&scmi_clk IMX95_CLK_BUSWAKEUP>,
+                                        <&scmi_clk IMX95_CLK_I3C2SLOW>;
+                               clock-names = "pclk", "fast_clk";
+                               status = "disabled";
diff --git a/queue-6.18/arm64-fix-cleared-e0poe-bit-after-cpu_suspend-resume.patch b/queue-6.18/arm64-fix-cleared-e0poe-bit-after-cpu_suspend-resume.patch
new file mode 100644 (file)
index 0000000..0dc8b7c
--- /dev/null
@@ -0,0 +1,67 @@
+From bdf3f4176092df5281877cacf42f843063b4784d Mon Sep 17 00:00:00 2001
+From: Yeoreum Yun <yeoreum.yun@arm.com>
+Date: Wed, 7 Jan 2026 16:21:15 +0000
+Subject: arm64: Fix cleared E0POE bit after cpu_suspend()/resume()
+
+From: Yeoreum Yun <yeoreum.yun@arm.com>
+
+commit bdf3f4176092df5281877cacf42f843063b4784d upstream.
+
+TCR2_ELx.E0POE is set during smp_init().
+However, this bit is not reprogrammed when the CPU enters suspension and
+later resumes via cpu_resume(), as __cpu_setup() does not re-enable E0POE
+and there is no save/restore logic for the TCR2_ELx system register.
+
+As a result, the E0POE feature no longer works after cpu_resume().
+
+To address this, save and restore TCR2_EL1 in the cpu_suspend()/cpu_resume()
+path, rather than adding related logic to __cpu_setup(), taking into account
+possible future extensions of the TCR2_ELx feature.
+
+Fixes: bf83dae90fbc ("arm64: enable the Permission Overlay Extension for EL0")
+Cc: <stable@vger.kernel.org> # 6.12.x
+Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Reviewed-by: Kevin Brodsky <kevin.brodsky@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/suspend.h |    2 +-
+ arch/arm64/mm/proc.S             |    8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/include/asm/suspend.h
++++ b/arch/arm64/include/asm/suspend.h
+@@ -2,7 +2,7 @@
+ #ifndef __ASM_SUSPEND_H
+ #define __ASM_SUSPEND_H
+-#define NR_CTX_REGS 13
++#define NR_CTX_REGS 14
+ #define NR_CALLEE_SAVED_REGS 12
+ /*
+--- a/arch/arm64/mm/proc.S
++++ b/arch/arm64/mm/proc.S
+@@ -100,6 +100,10 @@ SYM_FUNC_START(cpu_do_suspend)
+        * call stack.
+        */
+       str     x18, [x0, #96]
++alternative_if ARM64_HAS_TCR2
++      mrs     x2, REG_TCR2_EL1
++      str     x2, [x0, #104]
++alternative_else_nop_endif
+       ret
+ SYM_FUNC_END(cpu_do_suspend)
+@@ -134,6 +138,10 @@ SYM_FUNC_START(cpu_do_resume)
+       msr     tcr_el1, x8
+       msr     vbar_el1, x9
+       msr     mdscr_el1, x10
++alternative_if ARM64_HAS_TCR2
++      ldr     x2, [x0, #104]
++      msr     REG_TCR2_EL1, x2
++alternative_else_nop_endif
+       msr     sctlr_el1, x12
+       set_this_cpu_offset x13
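Review bot: The new save slot is addressed as a bare `#104` in both cpu_do_suspend and cpu_do_resume and is tied to `NR_CTX_REGS 14` only by arithmetic (index 13 times 8 bytes). A later change that adjusts one without the other would access the wrong slot or run past the array. A comment next to the define, for example `/* ctx_regs[13] (offset 104): TCR2_EL1, saved only when ARM64_HAS_TCR2 */`, would document the coupling. The same comment should say that the slot is left unwritten on CPUs without the capability, which is safe only because the resume side sits under the same alternative. Both routines begin outside the hunks shown.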
diff --git a/queue-6.18/atm-fix-dma_free_coherent-size.patch b/queue-6.18/atm-fix-dma_free_coherent-size.patch
new file mode 100644 (file)
index 0000000..ca2baed
--- /dev/null
@@ -0,0 +1,34 @@
+From 4d984b0574ff708e66152763fbfdef24ea40933f Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Wed, 7 Jan 2026 10:01:36 +0100
+Subject: atm: Fix dma_free_coherent() size
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit 4d984b0574ff708e66152763fbfdef24ea40933f upstream.
+
+The size of the buffer is not the same when alloc'd with
+dma_alloc_coherent() in he_init_tpdrq() and freed.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20260107090141.80900-2-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/atm/he.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/atm/he.c
++++ b/drivers/atm/he.c
+@@ -1587,7 +1587,8 @@ he_stop(struct he_dev *he_dev)
+                                 he_dev->tbrq_base, he_dev->tbrq_phys);
+       if (he_dev->tpdrq_base)
+-              dma_free_coherent(&he_dev->pci_dev->dev, CONFIG_TBRQ_SIZE * sizeof(struct he_tbrq),
++              dma_free_coherent(&he_dev->pci_dev->dev,
++                                CONFIG_TPDRQ_SIZE * sizeof(struct he_tpdrq),
+                                 he_dev->tpdrq_base, he_dev->tpdrq_phys);
+       dma_pool_destroy(he_dev->tpd_pool);
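Review bot: The corrected size in he_stop() is still a hand-copied expression that must match the dma_alloc_coherent() call in he_init_tpdrq(), which is not part of this hunk. That duplication is what allowed `CONFIG_TBRQ_SIZE * sizeof(struct he_tbrq)` to sit here unnoticed. Consider one definition shared by the allocation and the free, for example a new macro `#define HE_TPDRQ_BYTES (CONFIG_TPDRQ_SIZE * sizeof(struct he_tpdrq))`. The neighbouring dma_free_coherent() calls in he_stop() look like they follow the same pattern and would benefit from the same treatment.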
diff --git a/queue-6.18/bnxt_en-fix-null-pointer-crash-in-bnxt_ptp_enable-during-error-cleanup.patch b/queue-6.18/bnxt_en-fix-null-pointer-crash-in-bnxt_ptp_enable-during-error-cleanup.patch
new file mode 100644 (file)
index 0000000..acb89ed
--- /dev/null
@@ -0,0 +1,71 @@
+From 3358995b1a7f9dcb52a56ec8251570d71024dad0 Mon Sep 17 00:00:00 2001
+From: Breno Leitao <leitao@debian.org>
+Date: Tue, 6 Jan 2026 06:31:14 -0800
+Subject: bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup
+
+From: Breno Leitao <leitao@debian.org>
+
+commit 3358995b1a7f9dcb52a56ec8251570d71024dad0 upstream.
+
+When bnxt_init_one() fails during initialization (e.g.,
+bnxt_init_int_mode returns -ENODEV), the error path calls
+bnxt_free_hwrm_resources() which destroys the DMA pool and sets
+bp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called,
+which invokes ptp_clock_unregister().
+
+Since commit a60fc3294a37 ("ptp: rework ptp_clock_unregister() to
+disable events"), ptp_clock_unregister() now calls
+ptp_disable_all_events(), which in turn invokes the driver's .enable()
+callback (bnxt_ptp_enable()) to disable PTP events before completing the
+unregistration.
+
+bnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin()
+and bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This
+function tries to allocate from bp->hwrm_dma_pool, causing a NULL
+pointer dereference:
+
+  bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_mode err: ffffffed
+  KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
+  Call Trace:
+   __hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72)
+   bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517)
+   ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66)
+   ptp_clock_unregister (drivers/ptp/ptp_clock.c:518)
+   bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134)
+   bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889)
+
+Lines are against commit f8f9c1f4d0c7 ("Linux 6.19-rc3")
+
+Fix this by clearing and unregistering ptp (bnxt_ptp_clear()) before
+freeing HWRM resources.
+
+Suggested-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Fixes: a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable events")
+Cc: stable@vger.kernel.org
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Link: https://patch.msgid.link/20260106-bnxt-v3-1-71f37e11446a@debian.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -16856,12 +16856,12 @@ init_err_dl:
+ init_err_pci_clean:
+       bnxt_hwrm_func_drv_unrgtr(bp);
+-      bnxt_free_hwrm_resources(bp);
+-      bnxt_hwmon_uninit(bp);
+-      bnxt_ethtool_free(bp);
+       bnxt_ptp_clear(bp);
+       kfree(bp->ptp_cfg);
+       bp->ptp_cfg = NULL;
++      bnxt_free_hwrm_resources(bp);
++      bnxt_hwmon_uninit(bp);
++      bnxt_ethtool_free(bp);
+       kfree(bp->fw_health);
+       bp->fw_health = NULL;
+       bnxt_cleanup_pci(bp);
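Review bot: The init_err_pci_clean path now depends on bnxt_ptp_clear() running before bnxt_free_hwrm_resources(), but the code carries no comment saying so. A later reshuffle of these teardown calls would reintroduce the NULL dereference described in the commit message. I would add above the call: `/* Must precede bnxt_free_hwrm_resources(): ptp_clock_unregister() calls back into bnxt_ptp_enable(), which sends HWRM requests. */`. The regular remove path is outside this hunk and should be checked for the same ordering.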
diff --git a/queue-6.18/btrfs-always-detect-conflicting-inodes-when-logging-inode-refs.patch b/queue-6.18/btrfs-always-detect-conflicting-inodes-when-logging-inode-refs.patch
new file mode 100644 (file)
index 0000000..e4a1a95
--- /dev/null
@@ -0,0 +1,174 @@
+From 7ba0b6461bc4edb3005ea6e00cdae189bcf908a5 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 11 Dec 2025 15:06:26 +0000
+Subject: btrfs: always detect conflicting inodes when logging inode refs
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 7ba0b6461bc4edb3005ea6e00cdae189bcf908a5 upstream.
+
+After rename exchanging (either with the rename exchange operation or
+regular renames in multiple non-atomic steps) two inodes and at least
+one of them is a directory, we can end up with a log tree that contains
+only of the inodes and after a power failure that can result in an attempt
+to delete the other inode when it should not because it was not deleted
+before the power failure. In some case that delete attempt fails when
+the target inode is a directory that contains a subvolume inside it, since
+the log replay code is not prepared to deal with directory entries that
+point to root items (only inode items).
+
+1) We have directories "dir1" (inode A) and "dir2" (inode B) under the
+   same parent directory;
+
+2) We have a file (inode C) under directory "dir1" (inode A);
+
+3) We have a subvolume inside directory "dir2" (inode B);
+
+4) All these inodes were persisted in a past transaction and we are
+   currently at transaction N;
+
+5) We rename the file (inode C), so at btrfs_log_new_name() we update
+   inode C's last_unlink_trans to N;
+
+6) We get a rename exchange for "dir1" (inode A) and "dir2" (inode B),
+   so after the exchange "dir1" is inode B and "dir2" is inode A.
+   During the rename exchange we call btrfs_log_new_name() for inodes
+   A and B, but because they are directories, we don't update their
+   last_unlink_trans to N;
+
+7) An fsync against the file (inode C) is done, and because its inode
+   has a last_unlink_trans with a value of N we log its parent directory
+   (inode A) (through btrfs_log_all_parents(), called from
+   btrfs_log_inode_parent()).
+
+8) So we end up with inode B not logged, which now has the old name
+   of inode A. At copy_inode_items_to_log(), when logging inode A, we
+   did not check if we had any conflicting inode to log because inode
+   A has a generation lower than the current transaction (created in
+   a past transaction);
+
+9) After a power failure, when replaying the log tree, since we find that
+   inode A has a new name that conflicts with the name of inode B in the
+   fs tree, we attempt to delete inode B... this is wrong since that
+   directory was never deleted before the power failure, and because there
+   is a subvolume inside that directory, attempting to delete it will fail
+   since replay_dir_deletes() and btrfs_unlink_inode() are not prepared
+   to deal with dir items that point to roots instead of inodes.
+
+   When that happens the mount fails and we get a stack trace like the
+   following:
+
+   [87.2314] BTRFS info (device dm-0): start tree-log replay
+   [87.2318] BTRFS critical (device dm-0): failed to delete reference to subvol, root 5 inode 256 parent 259
+   [87.2332] ------------[ cut here ]------------
+   [87.2338] BTRFS: Transaction aborted (error -2)
+   [87.2346] WARNING: CPU: 1 PID: 638968 at fs/btrfs/inode.c:4345 __btrfs_unlink_inode+0x416/0x440 [btrfs]
+   [87.2368] Modules linked in: btrfs loop dm_thin_pool (...)
+   [87.2470] CPU: 1 UID: 0 PID: 638968 Comm: mount Tainted: G        W           6.18.0-rc7-btrfs-next-218+ #2 PREEMPT(full)
+   [87.2489] Tainted: [W]=WARN
+   [87.2494] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
+   [87.2514] RIP: 0010:__btrfs_unlink_inode+0x416/0x440 [btrfs]
+   [87.2538] Code: c0 89 04 24 (...)
+   [87.2568] RSP: 0018:ffffc0e741f4b9b8 EFLAGS: 00010286
+   [87.2574] RAX: 0000000000000000 RBX: ffff9d3ec8a6cf60 RCX: 0000000000000000
+   [87.2582] RDX: 0000000000000002 RSI: ffffffff84ab45a1 RDI: 00000000ffffffff
+   [87.2591] RBP: ffff9d3ec8a6ef20 R08: 0000000000000000 R09: ffffc0e741f4b840
+   [87.2599] R10: ffff9d45dc1fffa8 R11: 0000000000000003 R12: ffff9d3ee26d77e0
+   [87.2608] R13: ffffc0e741f4ba98 R14: ffff9d4458040800 R15: ffff9d44b6b7ca10
+   [87.2618] FS:  00007f7b9603a840(0000) GS:ffff9d4658982000(0000) knlGS:0000000000000000
+   [87.2629] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+   [87.2637] CR2: 00007ffc9ec33b98 CR3: 000000011273e003 CR4: 0000000000370ef0
+   [87.2648] Call Trace:
+   [87.2651]  <TASK>
+   [87.2654]  btrfs_unlink_inode+0x15/0x40 [btrfs]
+   [87.2661]  unlink_inode_for_log_replay+0x27/0xf0 [btrfs]
+   [87.2669]  check_item_in_log+0x1ea/0x2c0 [btrfs]
+   [87.2676]  replay_dir_deletes+0x16b/0x380 [btrfs]
+   [87.2684]  fixup_inode_link_count+0x34b/0x370 [btrfs]
+   [87.2696]  fixup_inode_link_counts+0x41/0x160 [btrfs]
+   [87.2703]  btrfs_recover_log_trees+0x1ff/0x7c0 [btrfs]
+   [87.2711]  ? __pfx_replay_one_buffer+0x10/0x10 [btrfs]
+   [87.2719]  open_ctree+0x10bb/0x15f0 [btrfs]
+   [87.2726]  btrfs_get_tree.cold+0xb/0x16c [btrfs]
+   [87.2734]  ? fscontext_read+0x15c/0x180
+   [87.2740]  ? rw_verify_area+0x50/0x180
+   [87.2746]  vfs_get_tree+0x25/0xd0
+   [87.2750]  vfs_cmd_create+0x59/0xe0
+   [87.2755]  __do_sys_fsconfig+0x4f6/0x6b0
+   [87.2760]  do_syscall_64+0x50/0x1220
+   [87.2764]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
+   [87.2770] RIP: 0033:0x7f7b9625f4aa
+   [87.2775] Code: 73 01 c3 48 (...)
+   [87.2803] RSP: 002b:00007ffc9ec35b08 EFLAGS: 00000246 ORIG_RAX: 00000000000001af
+   [87.2817] RAX: ffffffffffffffda RBX: 0000558bfa91ac20 RCX: 00007f7b9625f4aa
+   [87.2829] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
+   [87.2842] RBP: 0000558bfa91b120 R08: 0000000000000000 R09: 0000000000000000
+   [87.2854] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+   [87.2864] R13: 00007f7b963f1580 R14: 00007f7b963f326c R15: 00007f7b963d8a23
+   [87.2877]  </TASK>
+   [87.2882] ---[ end trace 0000000000000000 ]---
+   [87.2891] BTRFS: error (device dm-0 state A) in __btrfs_unlink_inode:4345: errno=-2 No such entry
+   [87.2904] BTRFS: error (device dm-0 state EAO) in do_abort_log_replay:191: errno=-2 No such entry
+   [87.2915] BTRFS critical (device dm-0 state EAO): log tree (for root 5) leaf currently being processed (slot 7 key (258 12 257)):
+   [87.2929] BTRFS info (device dm-0 state EAO): leaf 30736384 gen 10 total ptrs 7 free space 15712 owner 18446744073709551610
+   [87.2929] BTRFS info (device dm-0 state EAO): refs 3 lock_owner 0 current 638968
+   [87.2929]      item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160
+   [87.2929]              inode generation 9 transid 10 size 0 nbytes 0
+   [87.2929]              block group 0 mode 40755 links 1 uid 0 gid 0
+   [87.2929]              rdev 0 sequence 7 flags 0x0
+   [87.2929]              atime 1765464494.678070921
+   [87.2929]              ctime 1765464494.686606513
+   [87.2929]              mtime 1765464494.686606513
+   [87.2929]              otime 1765464494.678070921
+   [87.2929]      item 1 key (257 INODE_REF 256) itemoff 16109 itemsize 14
+   [87.2929]              index 4 name_len 4
+   [87.2929]      item 2 key (257 DIR_LOG_INDEX 2) itemoff 16101 itemsize 8
+   [87.2929]              dir log end 2
+   [87.2929]      item 3 key (257 DIR_LOG_INDEX 3) itemoff 16093 itemsize 8
+   [87.2929]              dir log end 18446744073709551615
+   [87.2930]      item 4 key (257 DIR_INDEX 3) itemoff 16060 itemsize 33
+   [87.2930]              location key (258 1 0) type 1
+   [87.2930]              transid 10 data_len 0 name_len 3
+   [87.2930]      item 5 key (258 INODE_ITEM 0) itemoff 15900 itemsize 160
+   [87.2930]              inode generation 9 transid 10 size 0 nbytes 0
+   [87.2930]              block group 0 mode 100644 links 1 uid 0 gid 0
+   [87.2930]              rdev 0 sequence 2 flags 0x0
+   [87.2930]              atime 1765464494.678456467
+   [87.2930]              ctime 1765464494.686606513
+   [87.2930]              mtime 1765464494.678456467
+   [87.2930]              otime 1765464494.678456467
+   [87.2930]      item 6 key (258 INODE_REF 257) itemoff 15887 itemsize 13
+   [87.2930]              index 3 name_len 3
+   [87.2930] BTRFS critical (device dm-0 state EAO): log replay failed in unlink_inode_for_log_replay:1045 for root 5, stage 3, with error -2: failed to unlink inode 256 parent dir 259 name subvol root 5
+   [87.2963] BTRFS: error (device dm-0 state EAO) in btrfs_recover_log_trees:7743: errno=-2 No such entry
+   [87.2981] BTRFS: error (device dm-0 state EAO) in btrfs_replay_log:2083: errno=-2 No such entry (Failed to recover log tr
+
+So fix this by changing copy_inode_items_to_log() to always detect if
+there are conflicting inodes for the ref/extref of the inode being logged
+even if the inode was created in a past transaction.
+
+A test case for fstests will follow soon.
+
+CC: stable@vger.kernel.org # 6.1+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -6348,10 +6348,8 @@ again:
+                        * and no keys greater than that, so bail out.
+                        */
+                       break;
+-              } else if ((min_key->type == BTRFS_INODE_REF_KEY ||
+-                          min_key->type == BTRFS_INODE_EXTREF_KEY) &&
+-                         (inode->generation == trans->transid ||
+-                          ctx->logging_conflict_inodes)) {
++              } else if (min_key->type == BTRFS_INODE_REF_KEY ||
++                         min_key->type == BTRFS_INODE_EXTREF_KEY) {
+                       u64 other_ino = 0;
+                       u64 other_parent = 0;
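Review bot: With the generation and `ctx->logging_conflict_inodes` tests removed, this branch now runs the conflict lookup for every INODE_REF/INODE_EXTREF key of every logged inode, yet nothing in the code says why inodes from past transactions must be included. A short comment at the `else if`, e.g. `/* Check even for inodes created in past transactions: a rename exchange can leave the other inode unlogged. */`, would stop someone re-adding the filter as an optimisation. The enclosing loop starts and ends outside the hunk, so whether `ctx->logging_conflict_inodes` is still needed elsewhere cannot be judged from here.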
diff --git a/queue-6.18/counter-104-quad-8-fix-incorrect-return-value-in-irq-handler.patch b/queue-6.18/counter-104-quad-8-fix-incorrect-return-value-in-irq-handler.patch
new file mode 100644 (file)
index 0000000..71226d4
--- /dev/null
@@ -0,0 +1,78 @@
+From 9517d76dd160208b7a432301ce7bec8fc1ddc305 Mon Sep 17 00:00:00 2001
+From: Haotian Zhang <vulab@iscas.ac.cn>
+Date: Mon, 15 Dec 2025 10:01:14 +0800
+Subject: counter: 104-quad-8: Fix incorrect return value in IRQ handler
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+commit 9517d76dd160208b7a432301ce7bec8fc1ddc305 upstream.
+
+quad8_irq_handler() should return irqreturn_t enum values, but it
+directly returns negative errno codes from regmap operations on error.
+
+Return IRQ_NONE if the interrupt status cannot be read. If clearing the
+interrupt fails, return IRQ_HANDLED to prevent the kernel from disabling
+the IRQ line due to a spurious interrupt storm. Also, log these regmap
+failures with dev_WARN_ONCE.
+
+Fixes: 98ffe0252911 ("counter: 104-quad-8: Migrate to the regmap API")
+Suggested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Link: https://lore.kernel.org/r/20251215020114.1913-1-vulab@iscas.ac.cn
+Cc: stable@vger.kernel.org
+Signed-off-by: William Breathitt Gray <wbg@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/counter/104-quad-8.c |   20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/counter/104-quad-8.c
++++ b/drivers/counter/104-quad-8.c
+@@ -1192,6 +1192,7 @@ static irqreturn_t quad8_irq_handler(int
+ {
+       struct counter_device *counter = private;
+       struct quad8 *const priv = counter_priv(counter);
++      struct device *dev = counter->parent;
+       unsigned int status;
+       unsigned long irq_status;
+       unsigned long channel;
+@@ -1200,8 +1201,11 @@ static irqreturn_t quad8_irq_handler(int
+       int ret;
+       ret = regmap_read(priv->map, QUAD8_INTERRUPT_STATUS, &status);
+-      if (ret)
+-              return ret;
++      if (ret) {
++              dev_WARN_ONCE(dev, true,
++                      "Attempt to read Interrupt Status Register failed: %d\n", ret);
++              return IRQ_NONE;
++      }
+       if (!status)
+               return IRQ_NONE;
+@@ -1223,8 +1227,9 @@ static irqreturn_t quad8_irq_handler(int
+                               break;
+               default:
+                       /* should never reach this path */
+-                      WARN_ONCE(true, "invalid interrupt trigger function %u configured for channel %lu\n",
+-                                flg_pins, channel);
++                      dev_WARN_ONCE(dev, true,
++                              "invalid interrupt trigger function %u configured for channel %lu\n",
++                              flg_pins, channel);
+                       continue;
+               }
+@@ -1232,8 +1237,11 @@ static irqreturn_t quad8_irq_handler(int
+       }
+       ret = regmap_write(priv->map, QUAD8_CHANNEL_OPERATION, CLEAR_PENDING_INTERRUPTS);
+-      if (ret)
+-              return ret;
++      if (ret) {
++              dev_WARN_ONCE(dev, true,
++                      "Attempt to clear pending interrupts by writing to Channel Operation Register failed: %d\n", ret);
++              return IRQ_HANDLED;
++      }
+       return IRQ_HANDLED;
+ }
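Review bot: The two regmap failure paths in quad8_irq_handler() now report through `dev_WARN_ONCE(dev, true, ...)`, which emits a full backtrace and, on systems booted with panic_on_warn, turns a register access failure inside a hard IRQ handler into a panic. If a regmap error here reflects a hardware or bus condition rather than a kernel bug, a rate-limited error log is a better fit, e.g. `dev_err_ratelimited(dev, "Attempt to read Interrupt Status Register failed: %d\n", ret);`, and the same for the clear-pending write. The `default:` branch is a genuine "should never happen" state, so keeping a WARN there is reasonable. In the last hunk the `return IRQ_HANDLED;` inside the new `if (ret)` block duplicates the fall-through return and could be dropped.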
diff --git a/queue-6.18/counter-interrupt-cnt-drop-irqf_no_thread-flag.patch b/queue-6.18/counter-interrupt-cnt-drop-irqf_no_thread-flag.patch
new file mode 100644 (file)
index 0000000..6f149c2
--- /dev/null
@@ -0,0 +1,77 @@
+From 23f9485510c338476b9735d516c1d4aacb810d46 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Date: Tue, 18 Nov 2025 09:35:48 +0100
+Subject: counter: interrupt-cnt: Drop IRQF_NO_THREAD flag
+
+From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+
+commit 23f9485510c338476b9735d516c1d4aacb810d46 upstream.
+
+An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as
+CONFIG_PROVE_RAW_LOCK_NESTING warns:
+=============================
+[ BUG: Invalid wait context ]
+6.18.0-rc1+git... #1
+-----------------------------
+some-user-space-process/1251 is trying to lock:
+(&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter]
+other info that might help us debug this:
+context-{2:2}
+no locks held by some-user-space-process/....
+stack backtrace:
+CPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPT
+Call trace:
+ show_stack (C)
+ dump_stack_lvl
+ dump_stack
+ __lock_acquire
+ lock_acquire
+ _raw_spin_lock_irqsave
+ counter_push_event [counter]
+ interrupt_cnt_isr [interrupt_cnt]
+ __handle_irq_event_percpu
+ handle_irq_event
+ handle_simple_irq
+ handle_irq_desc
+ generic_handle_domain_irq
+ gpio_irq_handler
+ handle_irq_desc
+ generic_handle_domain_irq
+ gic_handle_irq
+ call_on_irq_stack
+ do_interrupt_handler
+ el0_interrupt
+ __el0_irq_handler_common
+ el0t_64_irq_handler
+ el0t_64_irq
+
+... and Sebastian correctly points out. Remove IRQF_NO_THREAD as an
+alternative to switching to raw_spinlock_t, because the latter would limit
+all potential nested locks to raw_spinlock_t only.
+
+Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20251117151314.xwLAZrWY@linutronix.de/
+Fixes: a55ebd47f21f ("counter: add IRQ or GPIO based counter")
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/r/20251118083603.778626-1-alexander.sverdlin@siemens.com
+Signed-off-by: William Breathitt Gray <wbg@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/counter/interrupt-cnt.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/counter/interrupt-cnt.c
++++ b/drivers/counter/interrupt-cnt.c
+@@ -229,8 +229,7 @@ static int interrupt_cnt_probe(struct pl
+       irq_set_status_flags(priv->irq, IRQ_NOAUTOEN);
+       ret = devm_request_irq(dev, priv->irq, interrupt_cnt_isr,
+-                             IRQF_TRIGGER_RISING | IRQF_NO_THREAD,
+-                             dev_name(dev), counter);
++                             IRQF_TRIGGER_RISING, dev_name(dev), counter);
+       if (ret)
+               return ret;
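Review bot: The `devm_request_irq()` call in interrupt_cnt_probe() carries no comment saying that IRQF_NO_THREAD is left out on purpose, so a later cleanup could add it back and bring the invalid-wait-context splat with it. Without the flag the handler may be force-threaded (threadirqs, PREEMPT_RT), and edges that arrive before the thread runs may then be coalesced, which presumably matters for a pulse counter. A short comment above the call would record the trade-off, for example `/* No IRQF_NO_THREAD: counter_push_event() takes a spinlock_t, so the ISR must be allowed to run threaded. */`. The body of interrupt_cnt_probe() continues outside the hunk.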
diff --git a/queue-6.18/drm-amd-display-apply-e4479aecf658-to-dml.patch b/queue-6.18/drm-amd-display-apply-e4479aecf658-to-dml.patch
new file mode 100644 (file)
index 0000000..f8bf3f6
--- /dev/null
@@ -0,0 +1,57 @@
+From 70740454377f1ba3ff32f5df4acd965db99d055b Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Sat, 13 Dec 2025 15:16:43 +0900
+Subject: drm/amd/display: Apply e4479aecf658 to dml
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 70740454377f1ba3ff32f5df4acd965db99d055b upstream.
+
+After an innocuous optimization change in clang-22, allmodconfig (which
+enables CONFIG_KASAN and CONFIG_WERROR) breaks with:
+
+  drivers/gpu/drm/amd/amdgpu/../display/dc/dml/dcn32/display_mode_vba_32.c:1724:6: error: stack frame size (3144) exceeds limit (3072) in 'dml32_ModeSupportAndSystemConfigurationFull' [-Werror,-Wframe-larger-than]
+   1724 | void dml32_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_lib)
+        |      ^
+
+With clang-21, this function was already pretty close to the existing
+limit of 3072 bytes.
+
+  drivers/gpu/drm/amd/amdgpu/../display/dc/dml/dcn32/display_mode_vba_32.c:1724:6: error: stack frame size (2904) exceeds limit (2048) in 'dml32_ModeSupportAndSystemConfigurationFull' [-Werror,-Wframe-larger-than]
+   1724 | void dml32_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_lib)
+        |      ^
+
+A similar situation occurred in dml2, which was resolved by
+commit e4479aecf658 ("drm/amd/display: Increase sanitizer frame larger
+than limit when compile testing with clang") by increasing the limit for
+clang when compile testing with certain sanitizer enabled, so that
+allmodconfig (an easy testing target) continues to work.
+
+Apply that same change to the dml folder to clear up the warning for
+allmodconfig, unbreaking the build.
+
+Closes: https://github.com/ClangBuiltLinux/linux/issues/2135
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 25314b453cf812150e9951a32007a32bba85707e)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dml/Makefile |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dml/Makefile
++++ b/drivers/gpu/drm/amd/display/dc/dml/Makefile
+@@ -30,7 +30,11 @@ dml_rcflags := $(CC_FLAGS_NO_FPU)
+ ifneq ($(CONFIG_FRAME_WARN),0)
+     ifeq ($(filter y,$(CONFIG_KASAN)$(CONFIG_KCSAN)),y)
+-        frame_warn_limit := 3072
++        ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_COMPILE_TEST),yy)
++            frame_warn_limit := 4096
++        else
++            frame_warn_limit := 3072
++        endif
+     else
+         frame_warn_limit := 2048
+     endif
diff --git a/queue-6.18/drm-amdgpu-fix-query-for-vpe-block_type-and-ip_count.patch b/queue-6.18/drm-amdgpu-fix-query-for-vpe-block_type-and-ip_count.patch
new file mode 100644 (file)
index 0000000..dc9ce82
--- /dev/null
@@ -0,0 +1,47 @@
+From 72d7f4573660287f1b66c30319efecd6fcde92ee Mon Sep 17 00:00:00 2001
+From: Alan Liu <haoping.liu@amd.com>
+Date: Mon, 22 Dec 2025 12:26:35 +0800
+Subject: drm/amdgpu: Fix query for VPE block_type and ip_count
+
+From: Alan Liu <haoping.liu@amd.com>
+
+commit 72d7f4573660287f1b66c30319efecd6fcde92ee upstream.
+
+[Why]
+Query for VPE block_type and ip_count is missing.
+
+[How]
+Add VPE case in ip_block_type and hw_ip_count query.
+
+Reviewed-by: Lang Yu <lang.yu@amd.com>
+Signed-off-by: Alan Liu <haoping.liu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit a6ea0a430aca5932b9c75d8e38deeb45665dd2ae)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+@@ -201,6 +201,9 @@ static enum amd_ip_block_type
+               type = (amdgpu_device_ip_get_ip_block(adev, AMD_IP_BLOCK_TYPE_JPEG)) ?
+                                  AMD_IP_BLOCK_TYPE_JPEG : AMD_IP_BLOCK_TYPE_VCN;
+               break;
++      case AMDGPU_HW_IP_VPE:
++              type = AMD_IP_BLOCK_TYPE_VPE;
++              break;
+       default:
+               type = AMD_IP_BLOCK_TYPE_NUM;
+               break;
+@@ -721,6 +724,9 @@ int amdgpu_info_ioctl(struct drm_device
+               case AMD_IP_BLOCK_TYPE_UVD:
+                       count = adev->uvd.num_uvd_inst;
+                       break;
++              case AMD_IP_BLOCK_TYPE_VPE:
++                      count = adev->vpe.num_instances;
++                      break;
+               /* For all other IP block types not listed in the switch statement
+                * the ip status is valid here and the instance count is one.
+                */
diff --git a/queue-6.18/drm-atomic-helper-export-and-namespace-some-functions.patch b/queue-6.18/drm-atomic-helper-export-and-namespace-some-functions.patch
new file mode 100644 (file)
index 0000000..d152b23
--- /dev/null
@@ -0,0 +1,293 @@
+From d1c7dc57ff2400b141e6582a8d2dc5170108cf81 Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linusw@kernel.org>
+Date: Fri, 5 Dec 2025 11:51:50 +0200
+Subject: drm/atomic-helper: Export and namespace some functions
+
+From: Linus Walleij <linusw@kernel.org>
+
+commit d1c7dc57ff2400b141e6582a8d2dc5170108cf81 upstream.
+
+Export and namespace those not prefixed with drm_* so
+it becomes possible to write custom commit tail functions
+in individual drivers using the helper infrastructure.
+
+Tested-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Cc: stable@vger.kernel.org # v6.17+
+Fixes: c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable and post-disable")
+Reviewed-by: Aradhya Bhatia <aradhya.bhatia@linux.dev>
+Reviewed-by: Linus Walleij <linusw@kernel.org>
+Tested-by: Linus Walleij <linusw@kernel.org>
+Signed-off-by: Linus Walleij <linusw@kernel.org>
+Link: https://patch.msgid.link/20251205-drm-seq-fix-v1-3-fda68fa1b3de@ideasonboard.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_atomic_helper.c |  122 +++++++++++++++++++++++++++++-------
+ include/drm/drm_atomic_helper.h     |   22 ++++++
+ 2 files changed, 121 insertions(+), 23 deletions(-)
+
+--- a/drivers/gpu/drm/drm_atomic_helper.c
++++ b/drivers/gpu/drm/drm_atomic_helper.c
+@@ -1162,8 +1162,18 @@ crtc_needs_disable(struct drm_crtc_state
+              new_state->self_refresh_active;
+ }
+-static void
+-encoder_bridge_disable(struct drm_device *dev, struct drm_atomic_state *state)
++/**
++ * drm_atomic_helper_commit_encoder_bridge_disable - disable bridges and encoder
++ * @dev: DRM device
++ * @state: the driver state object
++ *
++ * Loops over all connectors in the current state and if the CRTC needs
++ * it, disables the bridge chain all the way, then disables the encoder
++ * afterwards.
++ */
++void
++drm_atomic_helper_commit_encoder_bridge_disable(struct drm_device *dev,
++                                              struct drm_atomic_state *state)
+ {
+       struct drm_connector *connector;
+       struct drm_connector_state *old_conn_state, *new_conn_state;
+@@ -1229,9 +1239,18 @@ encoder_bridge_disable(struct drm_device
+               }
+       }
+ }
++EXPORT_SYMBOL(drm_atomic_helper_commit_encoder_bridge_disable);
+-static void
+-crtc_disable(struct drm_device *dev, struct drm_atomic_state *state)
++/**
++ * drm_atomic_helper_commit_crtc_disable - disable CRTSs
++ * @dev: DRM device
++ * @state: the driver state object
++ *
++ * Loops over all CRTCs in the current state and if the CRTC needs
++ * it, disables it.
++ */
++void
++drm_atomic_helper_commit_crtc_disable(struct drm_device *dev, struct drm_atomic_state *state)
+ {
+       struct drm_crtc *crtc;
+       struct drm_crtc_state *old_crtc_state, *new_crtc_state;
+@@ -1282,9 +1301,18 @@ crtc_disable(struct drm_device *dev, str
+                       drm_crtc_vblank_put(crtc);
+       }
+ }
++EXPORT_SYMBOL(drm_atomic_helper_commit_crtc_disable);
+-static void
+-encoder_bridge_post_disable(struct drm_device *dev, struct drm_atomic_state *state)
++/**
++ * drm_atomic_helper_commit_encoder_bridge_post_disable - post-disable encoder bridges
++ * @dev: DRM device
++ * @state: the driver state object
++ *
++ * Loops over all connectors in the current state and if the CRTC needs
++ * it, post-disables all encoder bridges.
++ */
++void
++drm_atomic_helper_commit_encoder_bridge_post_disable(struct drm_device *dev, struct drm_atomic_state *state)
+ {
+       struct drm_connector *connector;
+       struct drm_connector_state *old_conn_state, *new_conn_state;
+@@ -1335,15 +1363,16 @@ encoder_bridge_post_disable(struct drm_d
+               drm_bridge_put(bridge);
+       }
+ }
++EXPORT_SYMBOL(drm_atomic_helper_commit_encoder_bridge_post_disable);
+ static void
+ disable_outputs(struct drm_device *dev, struct drm_atomic_state *state)
+ {
+-      encoder_bridge_disable(dev, state);
++      drm_atomic_helper_commit_encoder_bridge_disable(dev, state);
+-      encoder_bridge_post_disable(dev, state);
++      drm_atomic_helper_commit_encoder_bridge_post_disable(dev, state);
+-      crtc_disable(dev, state);
++      drm_atomic_helper_commit_crtc_disable(dev, state);
+ }
+ /**
+@@ -1446,8 +1475,17 @@ void drm_atomic_helper_calc_timestamping
+ }
+ EXPORT_SYMBOL(drm_atomic_helper_calc_timestamping_constants);
+-static void
+-crtc_set_mode(struct drm_device *dev, struct drm_atomic_state *state)
++/**
++ * drm_atomic_helper_commit_crtc_set_mode - set the new mode
++ * @dev: DRM device
++ * @state: the driver state object
++ *
++ * Loops over all connectors in the current state and if the mode has
++ * changed, change the mode of the CRTC, then call down the bridge
++ * chain and change the mode in all bridges as well.
++ */
++void
++drm_atomic_helper_commit_crtc_set_mode(struct drm_device *dev, struct drm_atomic_state *state)
+ {
+       struct drm_crtc *crtc;
+       struct drm_crtc_state *new_crtc_state;
+@@ -1508,6 +1546,7 @@ crtc_set_mode(struct drm_device *dev, st
+               drm_bridge_put(bridge);
+       }
+ }
++EXPORT_SYMBOL(drm_atomic_helper_commit_crtc_set_mode);
+ /**
+  * drm_atomic_helper_commit_modeset_disables - modeset commit to disable outputs
+@@ -1531,12 +1570,21 @@ void drm_atomic_helper_commit_modeset_di
+       drm_atomic_helper_update_legacy_modeset_state(dev, state);
+       drm_atomic_helper_calc_timestamping_constants(state);
+-      crtc_set_mode(dev, state);
++      drm_atomic_helper_commit_crtc_set_mode(dev, state);
+ }
+ EXPORT_SYMBOL(drm_atomic_helper_commit_modeset_disables);
+-static void drm_atomic_helper_commit_writebacks(struct drm_device *dev,
+-                                              struct drm_atomic_state *state)
++/**
++ * drm_atomic_helper_commit_writebacks - issue writebacks
++ * @dev: DRM device
++ * @state: atomic state object being committed
++ *
++ * This loops over the connectors, checks if the new state requires
++ * a writeback job to be issued and in that case issues an atomic
++ * commit on each connector.
++ */
++void drm_atomic_helper_commit_writebacks(struct drm_device *dev,
++                                       struct drm_atomic_state *state)
+ {
+       struct drm_connector *connector;
+       struct drm_connector_state *new_conn_state;
+@@ -1555,9 +1603,18 @@ static void drm_atomic_helper_commit_wri
+               }
+       }
+ }
++EXPORT_SYMBOL(drm_atomic_helper_commit_writebacks);
+-static void
+-encoder_bridge_pre_enable(struct drm_device *dev, struct drm_atomic_state *state)
++/**
++ * drm_atomic_helper_commit_encoder_bridge_pre_enable - pre-enable bridges
++ * @dev: DRM device
++ * @state: atomic state object being committed
++ *
++ * This loops over the connectors and if the CRTC needs it, pre-enables
++ * the entire bridge chain.
++ */
++void
++drm_atomic_helper_commit_encoder_bridge_pre_enable(struct drm_device *dev, struct drm_atomic_state *state)
+ {
+       struct drm_connector *connector;
+       struct drm_connector_state *new_conn_state;
+@@ -1588,9 +1645,18 @@ encoder_bridge_pre_enable(struct drm_dev
+               drm_bridge_put(bridge);
+       }
+ }
++EXPORT_SYMBOL(drm_atomic_helper_commit_encoder_bridge_pre_enable);
+-static void
+-crtc_enable(struct drm_device *dev, struct drm_atomic_state *state)
++/**
++ * drm_atomic_helper_commit_crtc_enable - enables the CRTCs
++ * @dev: DRM device
++ * @state: atomic state object being committed
++ *
++ * This loops over CRTCs in the new state, and of the CRTC needs
++ * it, enables it.
++ */
++void
++drm_atomic_helper_commit_crtc_enable(struct drm_device *dev, struct drm_atomic_state *state)
+ {
+       struct drm_crtc *crtc;
+       struct drm_crtc_state *old_crtc_state;
+@@ -1619,9 +1685,18 @@ crtc_enable(struct drm_device *dev, stru
+               }
+       }
+ }
++EXPORT_SYMBOL(drm_atomic_helper_commit_crtc_enable);
+-static void
+-encoder_bridge_enable(struct drm_device *dev, struct drm_atomic_state *state)
++/**
++ * drm_atomic_helper_commit_encoder_bridge_enable - enables the bridges
++ * @dev: DRM device
++ * @state: atomic state object being committed
++ *
++ * This loops over all connectors in the new state, and of the CRTC needs
++ * it, enables the entire bridge chain.
++ */
++void
++drm_atomic_helper_commit_encoder_bridge_enable(struct drm_device *dev, struct drm_atomic_state *state)
+ {
+       struct drm_connector *connector;
+       struct drm_connector_state *new_conn_state;
+@@ -1664,6 +1739,7 @@ encoder_bridge_enable(struct drm_device
+               drm_bridge_put(bridge);
+       }
+ }
++EXPORT_SYMBOL(drm_atomic_helper_commit_encoder_bridge_enable);
+ /**
+  * drm_atomic_helper_commit_modeset_enables - modeset commit to enable outputs
+@@ -1682,11 +1758,11 @@ encoder_bridge_enable(struct drm_device
+ void drm_atomic_helper_commit_modeset_enables(struct drm_device *dev,
+                                             struct drm_atomic_state *state)
+ {
+-      crtc_enable(dev, state);
++      drm_atomic_helper_commit_crtc_enable(dev, state);
+-      encoder_bridge_pre_enable(dev, state);
++      drm_atomic_helper_commit_encoder_bridge_pre_enable(dev, state);
+-      encoder_bridge_enable(dev, state);
++      drm_atomic_helper_commit_encoder_bridge_enable(dev, state);
+       drm_atomic_helper_commit_writebacks(dev, state);
+ }
+--- a/include/drm/drm_atomic_helper.h
++++ b/include/drm/drm_atomic_helper.h
+@@ -60,6 +60,12 @@ int drm_atomic_helper_check_plane_state(
+ int drm_atomic_helper_check_planes(struct drm_device *dev,
+                              struct drm_atomic_state *state);
+ int drm_atomic_helper_check_crtc_primary_plane(struct drm_crtc_state *crtc_state);
++void drm_atomic_helper_commit_encoder_bridge_disable(struct drm_device *dev,
++                                                   struct drm_atomic_state *state);
++void drm_atomic_helper_commit_crtc_disable(struct drm_device *dev,
++                                         struct drm_atomic_state *state);
++void drm_atomic_helper_commit_encoder_bridge_post_disable(struct drm_device *dev,
++                                                        struct drm_atomic_state *state);
+ int drm_atomic_helper_check(struct drm_device *dev,
+                           struct drm_atomic_state *state);
+ void drm_atomic_helper_commit_tail(struct drm_atomic_state *state);
+@@ -89,8 +95,24 @@ drm_atomic_helper_update_legacy_modeset_
+ void
+ drm_atomic_helper_calc_timestamping_constants(struct drm_atomic_state *state);
++void drm_atomic_helper_commit_crtc_set_mode(struct drm_device *dev,
++                                          struct drm_atomic_state *state);
++
+ void drm_atomic_helper_commit_modeset_disables(struct drm_device *dev,
+                                              struct drm_atomic_state *state);
++
++void drm_atomic_helper_commit_writebacks(struct drm_device *dev,
++                                       struct drm_atomic_state *state);
++
++void drm_atomic_helper_commit_encoder_bridge_pre_enable(struct drm_device *dev,
++                                                      struct drm_atomic_state *state);
++
++void drm_atomic_helper_commit_crtc_enable(struct drm_device *dev,
++                                        struct drm_atomic_state *state);
++
++void drm_atomic_helper_commit_encoder_bridge_enable(struct drm_device *dev,
++                                                  struct drm_atomic_state *state);
++
+ void drm_atomic_helper_commit_modeset_enables(struct drm_device *dev,
+                                         struct drm_atomic_state *old_state);
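Review bot: The kernel-doc added for the newly exported helpers in drm_atomic_helper.c has wording errors that will end up in the generated API documentation. "disable CRTSs" on drm_atomic_helper_commit_crtc_disable() should read "disable CRTCs", and "and of the CRTC needs it" on both drm_atomic_helper_commit_crtc_enable() and drm_atomic_helper_commit_encoder_bridge_enable() should read "and if the CRTC needs it". The first four helpers describe `@state` as "the driver state object" while the later ones say "atomic state object being committed"; the latter is what the parameter type shows and should be used throughout. Since these functions are now meant for driver-written commit tails, each comment would also benefit from one sentence on the expected call order relative to the other helpers, which currently can only be learned from the bodies of disable_outputs() and drm_atomic_helper_commit_modeset_enables().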
diff --git a/queue-6.18/drm-pl111-fix-error-handling-in-pl111_amba_probe.patch b/queue-6.18/drm-pl111-fix-error-handling-in-pl111_amba_probe.patch
new file mode 100644 (file)
index 0000000..a693cd8
--- /dev/null
@@ -0,0 +1,37 @@
+From 0ddd3bb4b14c9102c0267b3fd916c81fe5ab89c1 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Thu, 11 Dec 2025 16:33:44 +0400
+Subject: drm/pl111: Fix error handling in pl111_amba_probe
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 0ddd3bb4b14c9102c0267b3fd916c81fe5ab89c1 upstream.
+
+Jump to the existing dev_put label when devm_request_irq() fails
+so drm_dev_put() and of_reserved_mem_device_release() run
+instead of returning early and leaking resources.
+
+Found via static analysis and code review.
+
+Fixes: bed41005e617 ("drm/pl111: Initial drm/kms driver for pl111")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Linus Walleij <linusw@kernel.org>
+Link: https://patch.msgid.link/20251211123345.2392065-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/pl111/pl111_drv.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/pl111/pl111_drv.c
++++ b/drivers/gpu/drm/pl111/pl111_drv.c
+@@ -295,7 +295,7 @@ static int pl111_amba_probe(struct amba_
+                              variant->name, priv);
+       if (ret != 0) {
+               dev_err(dev, "%s failed irq %d\n", __func__, ret);
+-              return ret;
++              goto dev_put;
+       }
+       ret = pl111_modeset_init(drm);
diff --git a/queue-6.18/drm-radeon-remove-__counted_by-from-clockinfoarray.clockinfo.patch b/queue-6.18/drm-radeon-remove-__counted_by-from-clockinfoarray.clockinfo.patch
new file mode 100644 (file)
index 0000000..644e876
--- /dev/null
@@ -0,0 +1,33 @@
+From 19158c7332468bc28572bdca428e89c7954ee1b1 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 30 Jun 2025 10:47:09 -0400
+Subject: drm/radeon: Remove __counted_by from ClockInfoArray.clockInfo[]
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 19158c7332468bc28572bdca428e89c7954ee1b1 upstream.
+
+clockInfo[] is a generic uchar pointer to variable sized structures
+which vary from ASIC to ASIC.
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4374
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit dc135aa73561b5acc74eadf776e48530996529a3)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/pptable.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/pptable.h
++++ b/drivers/gpu/drm/radeon/pptable.h
+@@ -450,7 +450,7 @@ typedef struct _ClockInfoArray{
+     //sizeof(ATOM_PPLIB_CLOCK_INFO)
+     UCHAR ucEntrySize;
+     
+-    UCHAR clockInfo[] __counted_by(ucNumEntries);
++    UCHAR clockInfo[] /*__counted_by(ucNumEntries)*/;
+ }ClockInfoArray;
+ typedef struct _NonClockInfoArray{
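Review bot: Leaving the attribute as commented-out code, `UCHAR clockInfo[] /*__counted_by(ucNumEntries)*/;`, does not tell the next reader why the annotation is wrong, and it invites someone to re-enable it. The neighbouring `ucEntrySize` field suggests the array holds ucNumEntries records of ucEntrySize bytes each, so the byte length is their product, not ucNumEntries. State that instead, e.g. `UCHAR clockInfo[]; /* ucNumEntries records of ucEntrySize bytes each; not __counted_by(ucNumEntries) */`. With the annotation gone, compiler-assisted bounds checking no longer covers this array, so code that indexes clockInfo must validate the offset against the table size itself. The struct definition starts outside the hunk.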
diff --git a/queue-6.18/drm-tidss-fix-enable-disable-order.patch b/queue-6.18/drm-tidss-fix-enable-disable-order.patch
new file mode 100644 (file)
index 0000000..c672066
--- /dev/null
@@ -0,0 +1,77 @@
+From 2fc04340cf30d7960eed2525d26ffb8905aca02b Mon Sep 17 00:00:00 2001
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Date: Fri, 5 Dec 2025 11:51:51 +0200
+Subject: drm/tidss: Fix enable/disable order
+
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+
+commit 2fc04340cf30d7960eed2525d26ffb8905aca02b upstream.
+
+TI's OLDI and DSI encoders need to be set up before the crtc is enabled,
+but the DRM helpers will enable the crtc first. This causes various
+issues on TI platforms, like visual artifacts or crtc sync lost
+warnings.
+
+Thus drm_atomic_helper_commit_modeset_enables() and
+drm_atomic_helper_commit_modeset_disables() cannot be used, as they
+enable the crtc before bridges' pre-enable, and disable the crtc after
+bridges' post-disable.
+
+Open code the drm_atomic_helper_commit_modeset_enables() and
+drm_atomic_helper_commit_modeset_disables(), and first call the bridges'
+pre-enables, then crtc enable, then bridges' post-enable (and vice versa
+for disable).
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Cc: stable@vger.kernel.org # v6.17+
+Fixes: c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable and post-disable")
+Reviewed-by: Aradhya Bhatia <aradhya.bhatia@linux.dev>
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Reviewed-by: Linus Walleij <linusw@kernel.org>
+Tested-by: Linus Walleij <linusw@kernel.org>
+Signed-off-by: Linus Walleij <linusw@kernel.org>
+Link: https://patch.msgid.link/20251205-drm-seq-fix-v1-4-fda68fa1b3de@ideasonboard.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tidss/tidss_kms.c |   30 +++++++++++++++++++++++++++---
+ 1 file changed, 27 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/tidss/tidss_kms.c
++++ b/drivers/gpu/drm/tidss/tidss_kms.c
+@@ -28,9 +28,33 @@ static void tidss_atomic_commit_tail(str
+       tidss_runtime_get(tidss);
+-      drm_atomic_helper_commit_modeset_disables(ddev, old_state);
+-      drm_atomic_helper_commit_planes(ddev, old_state, DRM_PLANE_COMMIT_ACTIVE_ONLY);
+-      drm_atomic_helper_commit_modeset_enables(ddev, old_state);
++      /*
++       * TI's OLDI and DSI encoders need to be set up before the crtc is
++       * enabled. Thus drm_atomic_helper_commit_modeset_enables() and
++       * drm_atomic_helper_commit_modeset_disables() cannot be used here, as
++       * they enable the crtc before bridges' pre-enable, and disable the crtc
++       * after bridges' post-disable.
++       *
++       * Open code the functions here and first call the bridges' pre-enables,
++       * then crtc enable, then bridges' post-enable (and vice versa for
++       * disable).
++       */
++
++      drm_atomic_helper_commit_encoder_bridge_disable(ddev, old_state);
++      drm_atomic_helper_commit_crtc_disable(ddev, old_state);
++      drm_atomic_helper_commit_encoder_bridge_post_disable(ddev, old_state);
++
++      drm_atomic_helper_update_legacy_modeset_state(ddev, old_state);
++      drm_atomic_helper_calc_timestamping_constants(old_state);
++      drm_atomic_helper_commit_crtc_set_mode(ddev, old_state);
++
++      drm_atomic_helper_commit_planes(ddev, old_state,
++                                      DRM_PLANE_COMMIT_ACTIVE_ONLY);
++
++      drm_atomic_helper_commit_encoder_bridge_pre_enable(ddev, old_state);
++      drm_atomic_helper_commit_crtc_enable(ddev, old_state);
++      drm_atomic_helper_commit_encoder_bridge_enable(ddev, old_state);
++      drm_atomic_helper_commit_writebacks(ddev, old_state);
+       drm_atomic_helper_commit_hw_done(old_state);
+       drm_atomic_helper_wait_for_flip_done(ddev, old_state);
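Review bot: The open-coded sequence in tidss_atomic_commit_tail() now duplicates the internal steps of drm_atomic_helper_commit_modeset_disables() and drm_atomic_helper_commit_modeset_enables(), including drm_atomic_helper_update_legacy_modeset_state(), drm_atomic_helper_calc_timestamping_constants() and drm_atomic_helper_commit_writebacks(). Any step later added to those core helpers will not reach this driver, and the block comment does not warn about that. Add a closing line to the comment such as `* Keep this sequence in sync with drm_atomic_helper_commit_modeset_{disables,enables}().`. The comment also speaks of the bridges' "post-enable" while the call made is drm_atomic_helper_commit_encoder_bridge_enable(), so "enable" would match the code. The function starts and ends outside the hunk.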
diff --git a/queue-6.18/gpio-rockchip-mark-the-gpio-controller-as-sleeping.patch b/queue-6.18/gpio-rockchip-mark-the-gpio-controller-as-sleeping.patch
new file mode 100644 (file)
index 0000000..0fea7bd
--- /dev/null
@@ -0,0 +1,98 @@
+From 20cf2aed89ac6d78a0122e31c875228e15247194 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Date: Tue, 6 Jan 2026 10:00:11 +0100
+Subject: gpio: rockchip: mark the GPIO controller as sleeping
+
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+
+commit 20cf2aed89ac6d78a0122e31c875228e15247194 upstream.
+
+The GPIO controller is configured as non-sleeping but it uses generic
+pinctrl helpers which use a mutex for synchronization.
+
+This can cause the following lockdep splat with shared GPIOs enabled on
+boards which have multiple devices using the same GPIO:
+
+BUG: sleeping function called from invalid context at
+kernel/locking/mutex.c:591
+in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 12, name:
+kworker/u16:0
+preempt_count: 1, expected: 0
+RCU nest depth: 0, expected: 0
+6 locks held by kworker/u16:0/12:
+  #0: ffff0001f0018d48 ((wq_completion)events_unbound#2){+.+.}-{0:0},
+at: process_one_work+0x18c/0x604
+  #1: ffff8000842dbdf0 (deferred_probe_work){+.+.}-{0:0}, at:
+process_one_work+0x1b4/0x604
+  #2: ffff0001f18498f8 (&dev->mutex){....}-{4:4}, at:
+__device_attach+0x38/0x1b0
+  #3: ffff0001f75f1e90 (&gdev->srcu){.+.?}-{0:0}, at:
+gpiod_direction_output_raw_commit+0x0/0x360
+  #4: ffff0001f46e3db8 (&shared_desc->spinlock){....}-{3:3}, at:
+gpio_shared_proxy_direction_output+0xd0/0x144 [gpio_shared_proxy]
+  #5: ffff0001f180ee90 (&gdev->srcu){.+.?}-{0:0}, at:
+gpiod_direction_output_raw_commit+0x0/0x360
+irq event stamp: 81450
+hardirqs last  enabled at (81449): [<ffff8000813acba4>]
+_raw_spin_unlock_irqrestore+0x74/0x78
+hardirqs last disabled at (81450): [<ffff8000813abfb8>]
+_raw_spin_lock_irqsave+0x84/0x88
+softirqs last  enabled at (79616): [<ffff8000811455fc>]
+__alloc_skb+0x17c/0x1e8
+softirqs last disabled at (79614): [<ffff8000811455fc>]
+__alloc_skb+0x17c/0x1e8
+CPU: 2 UID: 0 PID: 12 Comm: kworker/u16:0 Not tainted
+6.19.0-rc4-next-20260105+ #11975 PREEMPT
+Hardware name: Hardkernel ODROID-M1 (DT)
+Workqueue: events_unbound deferred_probe_work_func
+Call trace:
+  show_stack+0x18/0x24 (C)
+  dump_stack_lvl+0x90/0xd0
+  dump_stack+0x18/0x24
+  __might_resched+0x144/0x248
+  __might_sleep+0x48/0x98
+  __mutex_lock+0x5c/0x894
+  mutex_lock_nested+0x24/0x30
+  pinctrl_get_device_gpio_range+0x44/0x128
+  pinctrl_gpio_direction+0x3c/0xe0
+  pinctrl_gpio_direction_output+0x14/0x20
+  rockchip_gpio_direction_output+0xb8/0x19c
+  gpiochip_direction_output+0x38/0x94
+  gpiod_direction_output_raw_commit+0x1d8/0x360
+  gpiod_direction_output_nonotify+0x7c/0x230
+  gpiod_direction_output+0x34/0xf8
+  gpio_shared_proxy_direction_output+0xec/0x144 [gpio_shared_proxy]
+  gpiochip_direction_output+0x38/0x94
+  gpiod_direction_output_raw_commit+0x1d8/0x360
+  gpiod_direction_output_nonotify+0x7c/0x230
+  gpiod_configure_flags+0xbc/0x480
+  gpiod_find_and_request+0x1a0/0x574
+  gpiod_get_index+0x58/0x84
+  devm_gpiod_get_index+0x20/0xb4
+  devm_gpiod_get_optional+0x18/0x30
+  rockchip_pcie_probe+0x98/0x380
+  platform_probe+0x5c/0xac
+  really_probe+0xbc/0x298
+
+Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio")
+Cc: stable@vger.kernel.org
+Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Closes: https://lore.kernel.org/all/d035fc29-3b03-4cd6-b8ec-001f93540bc6@samsung.com/
+Acked-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20260106090011.21603-1-bartosz.golaszewski@oss.qualcomm.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-rockchip.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpio/gpio-rockchip.c
++++ b/drivers/gpio/gpio-rockchip.c
+@@ -593,6 +593,7 @@ static int rockchip_gpiolib_register(str
+       gc->ngpio = bank->nr_pins;
+       gc->label = bank->name;
+       gc->parent = bank->dev;
++      gc->can_sleep = true;
+       ret = gpiochip_add_data(gc, bank);
+       if (ret) {
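Review bot: The new `gc->can_sleep = true;` in rockchip_gpiolib_register() has no comment saying why the chip is marked sleeping, so a later cleanup could drop it again. I would add `/* direction callbacks go through pinctrl_gpio_direction_*(), which takes a mutex */` above the assignment. Consumers that drive these lines from atomic context with the non-cansleep accessors will presumably start to warn after this change, so in-tree users of Rockchip GPIOs are worth a check. The function body continues outside the hunk.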
diff --git a/queue-6.18/io_uring-io-wq-fix-incorrect-io_wq_for_each_worker-termination-logic.patch b/queue-6.18/io_uring-io-wq-fix-incorrect-io_wq_for_each_worker-termination-logic.patch
new file mode 100644 (file)
index 0000000..680c6c1
--- /dev/null
@@ -0,0 +1,43 @@
+From e0392a10c9e80a3991855a81317da3039fcbe32c Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 5 Jan 2026 07:42:48 -0700
+Subject: io_uring/io-wq: fix incorrect io_wq_for_each_worker() termination logic
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit e0392a10c9e80a3991855a81317da3039fcbe32c upstream.
+
+A previous commit added this helper, and had it terminate if false is
+returned from the handler. However, that is completely opposite, it
+should abort the loop if true is returned.
+
+Fix this up by having io_wq_for_each_worker() keep iterating as long
+as false is returned, and only abort if true is returned.
+
+Cc: stable@vger.kernel.org
+Fixes: 751eedc4b4b7 ("io_uring/io-wq: move worker lists to struct io_wq_acct")
+Reported-by: Lewis Campbell <info@lewiscampbell.tech>
+Reviewed-by: Gabriel Krisman Bertazi <krisman@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io-wq.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/io_uring/io-wq.c
++++ b/io_uring/io-wq.c
+@@ -951,11 +951,11 @@ static bool io_wq_for_each_worker(struct
+                                 void *data)
+ {
+       for (int i = 0; i < IO_WQ_ACCT_NR; i++) {
+-              if (!io_acct_for_each_worker(&wq->acct[i], func, data))
+-                      return false;
++              if (io_acct_for_each_worker(&wq->acct[i], func, data))
++                      return true;
+       }
+-      return true;
++      return false;
+ }
+ static bool io_wq_worker_wake(struct io_worker *worker, void *data)
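Review bot: The return convention of io_wq_for_each_worker() is still undocumented after this fix; nothing at the definition says that a handler returning true stops the walk, which is likely how the inverted test went unnoticed. A short comment above the function would pin it, for example `/* Stops at the first worker for which func() returns true and returns true; returns false if every worker was visited. */`. The signature starts outside the hunk, so I cannot tell whether io_acct_for_each_worker() already documents the same rule.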
diff --git a/queue-6.18/lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch b/queue-6.18/lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch
new file mode 100644 (file)
index 0000000..8696a5f
--- /dev/null
@@ -0,0 +1,46 @@
+From 74d74bb78aeccc9edc10db216d6be121cf7ec176 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Tue, 6 Jan 2026 21:20:23 -0800
+Subject: lib/crypto: aes: Fix missing MMU protection for AES S-box
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit 74d74bb78aeccc9edc10db216d6be121cf7ec176 upstream.
+
+__cacheline_aligned puts the data in the ".data..cacheline_aligned"
+section, which isn't marked read-only i.e. it doesn't receive MMU
+protection.  Replace it with ____cacheline_aligned which does the right
+thing and just aligns the data while keeping it in ".rodata".
+
+Fixes: b5e0b032b6c3 ("crypto: aes - add generic time invariant AES cipher")
+Cc: stable@vger.kernel.org
+Reported-by: Qingfang Deng <dqfext@gmail.com>
+Closes: https://lore.kernel.org/r/20260105074712.498-1-dqfext@gmail.com/
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Link: https://lore.kernel.org/r/20260107052023.174620-1-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/crypto/aes.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/crypto/aes.c
++++ b/lib/crypto/aes.c
+@@ -13,7 +13,7 @@
+  * Emit the sbox as volatile const to prevent the compiler from doing
+  * constant folding on sbox references involving fixed indexes.
+  */
+-static volatile const u8 __cacheline_aligned aes_sbox[] = {
++static volatile const u8 ____cacheline_aligned aes_sbox[] = {
+       0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
+       0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
+       0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
+@@ -48,7 +48,7 @@ static volatile const u8 __cacheline_ali
+       0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16,
+ };
+-static volatile const u8 __cacheline_aligned aes_inv_sbox[] = {
++static volatile const u8 ____cacheline_aligned aes_inv_sbox[] = {
+       0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
+       0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
+       0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
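Review bot: The comment above aes_sbox explains only the `volatile const` part, while the fix in both hunks rests on a two-underscore difference between `__cacheline_aligned` and `____cacheline_aligned` that is easy to revert by accident. I would extend that comment with one line such as `* Use ____cacheline_aligned (not __cacheline_aligned) so the table stays in .rodata and is mapped read-only.` and reference it at aes_inv_sbox. A writable S-box is an integrity risk for any code that uses these tables, so the reason belongs in the source and not only in the changelog.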
diff --git a/queue-6.18/libceph-make-calc_target-set-t-paused-not-just-clear-it.patch b/queue-6.18/libceph-make-calc_target-set-t-paused-not-just-clear-it.patch
new file mode 100644 (file)
index 0000000..075ad34
--- /dev/null
@@ -0,0 +1,74 @@
+From c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Mon, 5 Jan 2026 19:23:19 +0100
+Subject: libceph: make calc_target() set t->paused, not just clear it
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 upstream.
+
+Currently calc_target() clears t->paused if the request shouldn't be
+paused anymore, but doesn't ever set t->paused even though it's able to
+determine when the request should be paused.  Setting t->paused is left
+to __submit_request() which is fine for regular requests but doesn't
+work for linger requests -- since __submit_request() doesn't operate
+on linger requests, there is nowhere for lreq->t.paused to be set.
+One consequence of this is that watches don't get reestablished on
+paused -> unpaused transitions in cases where requests have been paused
+long enough for the (paused) unwatch request to time out and for the
+subsequent (re)watch request to enter the paused state.  On top of the
+watch not getting reestablished, rbd_reregister_watch() gets stuck with
+rbd_dev->watch_mutex held:
+
+  rbd_register_watch
+    __rbd_register_watch
+      ceph_osdc_watch
+        linger_reg_commit_wait
+
+It's waiting for lreq->reg_commit_wait to be completed, but for that to
+happen the respective request needs to end up on need_resend_linger list
+and be kicked when requests are unpaused.  There is no chance for that
+if the request in question is never marked paused in the first place.
+
+The fact that rbd_dev->watch_mutex remains taken out forever then
+prevents the image from getting unmapped -- "rbd unmap" would inevitably
+hang in D state on an attempt to grab the mutex.
+
+Cc: stable@vger.kernel.org
+Reported-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/osd_client.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/ceph/osd_client.c
++++ b/net/ceph/osd_client.c
+@@ -1588,6 +1588,7 @@ static enum calc_target_result calc_targ
+       struct ceph_pg_pool_info *pi;
+       struct ceph_pg pgid, last_pgid;
+       struct ceph_osds up, acting;
++      bool should_be_paused;
+       bool is_read = t->flags & CEPH_OSD_FLAG_READ;
+       bool is_write = t->flags & CEPH_OSD_FLAG_WRITE;
+       bool force_resend = false;
+@@ -1656,10 +1657,16 @@ static enum calc_target_result calc_targ
+                                &last_pgid))
+               force_resend = true;
+-      if (t->paused && !target_should_be_paused(osdc, t, pi)) {
+-              t->paused = false;
++      should_be_paused = target_should_be_paused(osdc, t, pi);
++      if (t->paused && !should_be_paused) {
+               unpaused = true;
+       }
++      if (t->paused != should_be_paused) {
++              dout("%s t %p paused %d -> %d\n", __func__, t, t->paused,
++                   should_be_paused);
++              t->paused = should_be_paused;
++      }
++
+       legacy_change = ceph_pg_compare(&t->pgid, &pgid) ||
+                       ceph_osds_changed(&t->acting, &acting,
+                                         t->used_replica || any_change);
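Review bot: In the second hunk of calc_target() the first `if` is left with braces around a single statement once `t->paused = false;` is removed; kernel style drops them: `if (t->paused && !should_be_paused)` followed by `unpaused = true;`. The `unpaused` test has to stay ahead of the block that assigns `t->paused`, because it reads the old value. A one-line comment such as `/* must be evaluated before t->paused is updated below */` would make that ordering dependency explicit. calc_target() starts and ends outside the hunk.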
diff --git a/queue-6.18/libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch b/queue-6.18/libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch
new file mode 100644 (file)
index 0000000..6e738ab
--- /dev/null
@@ -0,0 +1,69 @@
+From e3fe30e57649c551757a02e1cad073c47e1e075e Mon Sep 17 00:00:00 2001
+From: Tuo Li <islituo@gmail.com>
+Date: Sun, 21 Dec 2025 02:11:49 +0800
+Subject: libceph: make free_choose_arg_map() resilient to partial allocation
+
+From: Tuo Li <islituo@gmail.com>
+
+commit e3fe30e57649c551757a02e1cad073c47e1e075e upstream.
+
+free_choose_arg_map() may dereference a NULL pointer if its caller fails
+after a partial allocation.
+
+For example, in decode_choose_args(), if allocation of arg_map->args
+fails, execution jumps to the fail label and free_choose_arg_map() is
+called. Since arg_map->size is updated to a non-zero value before memory
+allocation, free_choose_arg_map() will iterate over arg_map->args and
+dereference a NULL pointer.
+
+To prevent this potential NULL pointer dereference and make
+free_choose_arg_map() more resilient, add checks for pointers before
+iterating.
+
+Cc: stable@vger.kernel.org
+Co-authored-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Tuo Li <islituo@gmail.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/osdmap.c |   20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -241,22 +241,26 @@ static struct crush_choose_arg_map *allo
+ static void free_choose_arg_map(struct crush_choose_arg_map *arg_map)
+ {
+-      if (arg_map) {
+-              int i, j;
++      int i, j;
+-              WARN_ON(!RB_EMPTY_NODE(&arg_map->node));
++      if (!arg_map)
++              return;
++      WARN_ON(!RB_EMPTY_NODE(&arg_map->node));
++
++      if (arg_map->args) {
+               for (i = 0; i < arg_map->size; i++) {
+                       struct crush_choose_arg *arg = &arg_map->args[i];
+-
+-                      for (j = 0; j < arg->weight_set_size; j++)
+-                              kfree(arg->weight_set[j].weights);
+-                      kfree(arg->weight_set);
++                      if (arg->weight_set) {
++                              for (j = 0; j < arg->weight_set_size; j++)
++                                      kfree(arg->weight_set[j].weights);
++                              kfree(arg->weight_set);
++                      }
+                       kfree(arg->ids);
+               }
+               kfree(arg_map->args);
+-              kfree(arg_map);
+       }
++      kfree(arg_map);
+ }
+ DEFINE_RB_FUNCS(choose_arg_map, struct crush_choose_arg_map, choose_args_index,
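Review bot: The new `if (arg_map->args)` and `if (arg->weight_set)` checks look redundant next to kfree(), which accepts NULL, so the function should say why they exist: they protect the loops that index the arrays, not the kfree() calls. I would add above the function `/* Safe on a partially constructed map: size and weight_set_size may be set before the arrays are allocated. */`. The weight_set_size part is inferred from the new check; only the arg_map->size case is described in the changelog. The declaration of `arg` is now followed directly by a statement because the blank line was removed; kernel style keeps a blank line after declarations.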
diff --git a/queue-6.18/libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch b/queue-6.18/libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch
new file mode 100644 (file)
index 0000000..4a12e21
--- /dev/null
@@ -0,0 +1,35 @@
+From 818156caffbf55cb4d368f9c3cac64e458fb49c9 Mon Sep 17 00:00:00 2001
+From: ziming zhang <ezrakiez@gmail.com>
+Date: Thu, 11 Dec 2025 16:52:58 +0800
+Subject: libceph: prevent potential out-of-bounds reads in handle_auth_done()
+
+From: ziming zhang <ezrakiez@gmail.com>
+
+commit 818156caffbf55cb4d368f9c3cac64e458fb49c9 upstream.
+
+Perform an explicit bounds check on payload_len to avoid a possible
+out-of-bounds access in the callout.
+
+[ idryomov: changelog ]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: ziming zhang <ezrakiez@gmail.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/messenger_v2.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ceph/messenger_v2.c
++++ b/net/ceph/messenger_v2.c
+@@ -2377,7 +2377,9 @@ static int process_auth_done(struct ceph
+       ceph_decode_64_safe(&p, end, global_id, bad);
+       ceph_decode_32_safe(&p, end, con->v2.con_mode, bad);
++
+       ceph_decode_32_safe(&p, end, payload_len, bad);
++      ceph_decode_need(&p, end, payload_len, bad);
+       dout("%s con %p global_id %llu con_mode %d payload_len %d\n",
+            __func__, con, global_id, con->v2.con_mode, payload_len);
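Review bot: The added `ceph_decode_need(&p, end, payload_len, bad);` in process_auth_done() has no comment, although payload_len is a length supplied by the peer and, per the changelog, is used in the auth callout. A one-line comment such as `/* payload_len comes from the wire; the whole payload must lie within [p, end) */` would record why the check must stay. The `dout()` below prints payload_len with `%d` and its declaration is outside the hunk, so it is worth confirming that later uses treat it as an unsigned length. The blank line added before the decode is unrelated whitespace.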
diff --git a/queue-6.18/libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch b/queue-6.18/libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch
new file mode 100644 (file)
index 0000000..d775574
--- /dev/null
@@ -0,0 +1,38 @@
+From e00c3f71b5cf75681dbd74ee3f982a99cb690c2b Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Mon, 15 Dec 2025 11:53:31 +0100
+Subject: libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit e00c3f71b5cf75681dbd74ee3f982a99cb690c2b upstream.
+
+If the osdmap is (maliciously) corrupted such that the incremental
+osdmap epoch is different from what is expected, there is no need to
+BUG.  Instead, just declare the incremental osdmap to be invalid.
+
+Cc: stable@vger.kernel.org
+Reported-by: ziming zhang <ezrakiez@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/osdmap.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -1979,11 +1979,13 @@ struct ceph_osdmap *osdmap_apply_increme
+                        sizeof(u64) + sizeof(u32), e_inval);
+       ceph_decode_copy(p, &fsid, sizeof(fsid));
+       epoch = ceph_decode_32(p);
+-      BUG_ON(epoch != map->epoch+1);
+       ceph_decode_copy(p, &modified, sizeof(modified));
+       new_pool_max = ceph_decode_64(p);
+       new_flags = ceph_decode_32(p);
++      if (epoch != map->epoch + 1)
++              goto e_inval;
++
+       /* full map? */
+       ceph_decode_32_safe(p, end, len, e_inval);
+       if (len > 0) {
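Review bot: The epoch check that replaces BUG_ON() in osdmap_apply_incremental() now sits three decodes below `epoch = ceph_decode_32(p);`, which separates the validation from the value it validates. Placing `if (epoch != map->epoch + 1)` / `goto e_inval;` directly after the epoch decode would keep the original position and reject the map before further fields are read. Since the changelog describes a possibly malicious osdmap, a comment like `/* epoch is untrusted input; an out-of-sequence incremental is invalid, not a kernel bug */` would also help. The function starts and ends outside the hunk, so what the e_inval path logs is not visible here.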
diff --git a/queue-6.18/libceph-reset-sparse-read-state-in-osd_fault.patch b/queue-6.18/libceph-reset-sparse-read-state-in-osd_fault.patch
new file mode 100644 (file)
index 0000000..e52419a
--- /dev/null
@@ -0,0 +1,51 @@
+From 11194b416ef95012c2cfe5f546d71af07b639e93 Mon Sep 17 00:00:00 2001
+From: Sam Edwards <cfsworks@gmail.com>
+Date: Tue, 30 Dec 2025 20:05:06 -0800
+Subject: libceph: reset sparse-read state in osd_fault()
+
+From: Sam Edwards <cfsworks@gmail.com>
+
+commit 11194b416ef95012c2cfe5f546d71af07b639e93 upstream.
+
+When a fault occurs, the connection is abandoned, reestablished, and any
+pending operations are retried. The OSD client tracks the progress of a
+sparse-read reply using a separate state machine, largely independent of
+the messenger's state.
+
+If a connection is lost mid-payload or the sparse-read state machine
+returns an error, the sparse-read state is not reset. The OSD client
+will then interpret the beginning of a new reply as the continuation of
+the old one. If this makes the sparse-read machinery enter a failure
+state, it may never recover, producing loops like:
+
+  libceph:  [0] got 0 extents
+  libceph: data len 142248331 != extent len 0
+  libceph: osd0 (1)...:6801 socket error on read
+  libceph: data len 142248331 != extent len 0
+  libceph: osd0 (1)...:6801 socket error on read
+
+Therefore, reset the sparse-read state in osd_fault(), ensuring retries
+start from a clean state.
+
+Cc: stable@vger.kernel.org
+Fixes: f628d7999727 ("libceph: add sparse read support to OSD client")
+Signed-off-by: Sam Edwards <CFSworks@gmail.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/osd_client.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ceph/osd_client.c
++++ b/net/ceph/osd_client.c
+@@ -4283,6 +4283,9 @@ static void osd_fault(struct ceph_connec
+               goto out_unlock;
+       }
++      osd->o_sparse_op_idx = -1;
++      ceph_init_sparse_read(&osd->o_sparse_read);
++
+       if (!reopen_osd(osd))
+               kick_osd_requests(osd);
+       maybe_request_map(osdc);
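Review bot: The two reset lines added to osd_fault() have no comment, and they read as ordinary initialisation although they are the whole fix. I would add `/* drop any partially parsed sparse-read reply; the retry must start from a clean state */` above them. If the same pair (`o_sparse_op_idx = -1` plus `ceph_init_sparse_read()`) is also used where the osd is first set up, which is not visible in this hunk, a small static helper would keep the two sites in step. osd_fault() starts and ends outside the hunk.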
diff --git a/queue-6.18/libceph-return-the-handler-error-from-mon_handle_auth_done.patch b/queue-6.18/libceph-return-the-handler-error-from-mon_handle_auth_done.patch
new file mode 100644 (file)
index 0000000..5f91276
--- /dev/null
@@ -0,0 +1,38 @@
+From e84b48d31b5008932c0a0902982809fbaa1d3b70 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Mon, 29 Dec 2025 15:14:48 +0100
+Subject: libceph: return the handler error from mon_handle_auth_done()
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit e84b48d31b5008932c0a0902982809fbaa1d3b70 upstream.
+
+Currently any error from ceph_auth_handle_reply_done() is propagated
+via finish_auth() but isn't returned from mon_handle_auth_done().  This
+results in higher layers learning that (despite the monitor considering
+us to be successfully authenticated) something went wrong in the
+authentication phase and reacting accordingly, but msgr2 still trying
+to proceed with establishing the session in the background.  In the
+case of secure mode this can trigger a WARN in setup_crypto() and later
+lead to a NULL pointer dereference inside of prepare_auth_signature().
+
+Cc: stable@vger.kernel.org
+Fixes: cd1a677cad99 ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)")
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/mon_client.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ceph/mon_client.c
++++ b/net/ceph/mon_client.c
+@@ -1417,7 +1417,7 @@ static int mon_handle_auth_done(struct c
+       if (!ret)
+               finish_hunting(monc);
+       mutex_unlock(&monc->mutex);
+-      return 0;
++      return ret;
+ }
+ static int mon_handle_auth_bad_method(struct ceph_connection *con,
diff --git a/queue-6.18/mei-me-add-nova-lake-point-s-did.patch b/queue-6.18/mei-me-add-nova-lake-point-s-did.patch
new file mode 100644 (file)
index 0000000..c068b64
--- /dev/null
@@ -0,0 +1,44 @@
+From 420f423defcf6d0af2263d38da870ca4a20c0990 Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Mon, 15 Dec 2025 12:59:15 +0200
+Subject: mei: me: add nova lake point S DID
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit 420f423defcf6d0af2263d38da870ca4a20c0990 upstream.
+
+Add Nova Lake S device id.
+
+Cc: stable <stable@kernel.org>
+Co-developed-by: Tomas Winkler <tomasw@gmail.com>
+Signed-off-by: Tomas Winkler <tomasw@gmail.com>
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Link: https://patch.msgid.link/20251215105915.1672659-1-alexander.usyskin@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/hw-me-regs.h |    2 ++
+ drivers/misc/mei/pci-me.c     |    2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -122,6 +122,8 @@
+ #define MEI_DEV_ID_WCL_P      0x4D70  /* Wildcat Lake P */
++#define MEI_DEV_ID_NVL_S      0x6E68  /* Nova Lake Point S */
++
+ /*
+  * MEI HW Section
+  */
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -129,6 +129,8 @@ static const struct pci_device_id mei_me
+       {MEI_PCI_DEVICE(MEI_DEV_ID_WCL_P, MEI_ME_PCH15_CFG)},
++      {MEI_PCI_DEVICE(MEI_DEV_ID_NVL_S, MEI_ME_PCH15_CFG)},
++
+       /* required last entry */
+       {0, }
+ };
diff --git a/queue-6.18/net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch b/queue-6.18/net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch
new file mode 100644 (file)
index 0000000..aad5540
--- /dev/null
@@ -0,0 +1,33 @@
+From a4e305ed60f7c41bbf9aabc16dd75267194e0de3 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Tue, 6 Jan 2026 10:47:21 +0100
+Subject: net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit a4e305ed60f7c41bbf9aabc16dd75267194e0de3 upstream.
+
+pdev can be null and free_ring: can be called in 1297 with a null
+pdev.
+
+Fixes: 55c82617c3e8 ("3c59x: convert to generic DMA API")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20260106094731.25819-2-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/3com/3c59x.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/3com/3c59x.c
++++ b/drivers/net/ethernet/3com/3c59x.c
+@@ -1473,7 +1473,7 @@ static int vortex_probe1(struct device *
+               return 0;
+ free_ring:
+-      dma_free_coherent(&pdev->dev,
++      dma_free_coherent(gendev,
+               sizeof(struct boom_rx_desc) * RX_RING_SIZE +
+               sizeof(struct boom_tx_desc) * TX_RING_SIZE,
+               vp->rx_ring, vp->rx_ring_dma);
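Review bot: dma_free_coherent() at the free_ring label must be given the same device as the matching dma_alloc_coherent(), and that allocation is outside the hunk, so the switch to `gendev` should be checked against it. If the allocation also uses `gendev`, the change is consistent. If it still uses `&pdev->dev`, it has the same NULL dereference on the path where pdev is NULL and needs the same one-line fix.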
diff --git a/queue-6.18/net-do-not-write-to-msg_get_inq-in-callee.patch b/queue-6.18/net-do-not-write-to-msg_get_inq-in-callee.patch
new file mode 100644 (file)
index 0000000..d3564f2
--- /dev/null
@@ -0,0 +1,110 @@
+From 7d11e047eda5f98514ae62507065ac961981c025 Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemb@google.com>
+Date: Tue, 6 Jan 2026 10:05:46 -0500
+Subject: net: do not write to msg_get_inq in callee
+
+From: Willem de Bruijn <willemb@google.com>
+
+commit 7d11e047eda5f98514ae62507065ac961981c025 upstream.
+
+NULL pointer dereference fix.
+
+msg_get_inq is an input field from caller to callee. Don't set it in
+the callee, as the caller may not clear it on struct reuse.
+
+This is a kernel-internal variant of msghdr only, and the only user
+does reinitialize the field. So this is not critical for that reason.
+But it is more robust to avoid the write, and slightly simpler code.
+And it fixes a bug, see below.
+
+Callers set msg_get_inq to request the input queue length to be
+returned in msg_inq. This is equivalent to but independent from the
+SO_INQ request to return that same info as a cmsg (tp->recvmsg_inq).
+To reduce branching in the hot path the second also sets the msg_inq.
+That is WAI.
+
+This is a fix to commit 4d1442979e4a ("af_unix: don't post cmsg for
+SO_INQ unless explicitly asked for"), which fixed the inverse.
+
+Also avoid NULL pointer dereference in unix_stream_read_generic if
+state->msg is NULL and msg->msg_get_inq is written. A NULL state->msg
+can happen when splicing as of commit 2b514574f7e8 ("net: af_unix:
+implement splice for stream af_unix sockets").
+
+Also collapse two branches using a bitwise or.
+
+Cc: stable@vger.kernel.org
+Fixes: 4d1442979e4a ("af_unix: don't post cmsg for SO_INQ unless explicitly asked for")
+Link: https://lore.kernel.org/netdev/willemdebruijn.kernel.24d8030f7a3de@gmail.com/
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Jens Axboe <axboe@kernel.dk>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260106150626.3944363-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c     |    8 +++-----
+ net/unix/af_unix.c |    8 +++-----
+ 2 files changed, 6 insertions(+), 10 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2651,10 +2651,8 @@ static int tcp_recvmsg_locked(struct soc
+       if (sk->sk_state == TCP_LISTEN)
+               goto out;
+-      if (tp->recvmsg_inq) {
++      if (tp->recvmsg_inq)
+               *cmsg_flags = TCP_CMSG_INQ;
+-              msg->msg_get_inq = 1;
+-      }
+       timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+       /* Urgent data needs to be handled specially. */
+@@ -2928,10 +2926,10 @@ int tcp_recvmsg(struct sock *sk, struct
+       ret = tcp_recvmsg_locked(sk, msg, len, flags, &tss, &cmsg_flags);
+       release_sock(sk);
+-      if ((cmsg_flags || msg->msg_get_inq) && ret >= 0) {
++      if ((cmsg_flags | msg->msg_get_inq) && ret >= 0) {
+               if (cmsg_flags & TCP_CMSG_TS)
+                       tcp_recv_timestamp(msg, sk, &tss);
+-              if (msg->msg_get_inq) {
++              if ((cmsg_flags & TCP_CMSG_INQ) | msg->msg_get_inq) {
+                       msg->msg_inq = tcp_inq_hint(sk);
+                       if (cmsg_flags & TCP_CMSG_INQ)
+                               put_cmsg(msg, SOL_TCP, TCP_CM_INQ,
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2929,7 +2929,6 @@ static int unix_stream_read_generic(stru
+       unsigned int last_len;
+       struct unix_sock *u;
+       int copied = 0;
+-      bool do_cmsg;
+       int err = 0;
+       long timeo;
+       int target;
+@@ -2955,9 +2954,6 @@ static int unix_stream_read_generic(stru
+       u = unix_sk(sk);
+-      do_cmsg = READ_ONCE(u->recvmsg_inq);
+-      if (do_cmsg)
+-              msg->msg_get_inq = 1;
+ redo:
+       /* Lock the socket to prevent queue disordering
+        * while sleeps in memcpy_tomsg
+@@ -3115,9 +3111,11 @@ unlock:
+       mutex_unlock(&u->iolock);
+       if (msg) {
++              bool do_cmsg = READ_ONCE(u->recvmsg_inq);
++
+               scm_recv_unix(sock, msg, &scm, flags);
+-              if (msg->msg_get_inq && (copied ?: err) >= 0) {
++              if ((do_cmsg | msg->msg_get_inq) && (copied ?: err) >= 0) {
+                       msg->msg_inq = READ_ONCE(u->inq_len);
+                       if (do_cmsg)
+                               put_cmsg(msg, SOL_SOCKET, SCM_INQ,
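Review bot: The conditions `(cmsg_flags | msg->msg_get_inq)` and `((cmsg_flags & TCP_CMSG_INQ) | msg->msg_get_inq)` in tcp_recvmsg(), and `(do_cmsg | msg->msg_get_inq)` in unix_stream_read_generic(), use bitwise OR as a truth test without a comment, which reads like a typo for `||`. A short note at each site, e.g. `/* bitwise | is intentional: one branch on the hot path */`, would stop it from being "corrected" later. In af_unix.c `do_cmsg` is now read from `u->recvmsg_inq` after `u->iolock` is released instead of at entry; that looks harmless, but it changes which value is used if the option is toggled during a blocking read. Both functions extend beyond the hunks.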
diff --git a/queue-6.18/nfsd-check-that-server-is-running-in-unlock_filesystem.patch b/queue-6.18/nfsd-check-that-server-is-running-in-unlock_filesystem.patch
new file mode 100644 (file)
index 0000000..afc6b0d
--- /dev/null
@@ -0,0 +1,106 @@
+From d0424066fcd294977f310964bed6f2a487fa4515 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <okorniev@redhat.com>
+Date: Mon, 15 Dec 2025 14:10:36 -0500
+Subject: nfsd: check that server is running in unlock_filesystem
+
+From: Olga Kornievskaia <okorniev@redhat.com>
+
+commit d0424066fcd294977f310964bed6f2a487fa4515 upstream.
+
+If we are trying to unlock the filesystem via an administrative
+interface and nfsd isn't running, it crashes the server. This
+happens currently because nfsd4_revoke_states() access state
+structures (eg., conf_id_hashtbl) that has been freed as a part
+of the server shutdown.
+
+[   59.465072] Call trace:
+[   59.465308]  nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P)
+[   59.465830]  write_unlock_fs+0x258/0x440 [nfsd]
+[   59.466278]  nfsctl_transaction_write+0xb0/0x120 [nfsd]
+[   59.466780]  vfs_write+0x1f0/0x938
+[   59.467088]  ksys_write+0xfc/0x1f8
+[   59.467395]  __arm64_sys_write+0x74/0xb8
+[   59.467746]  invoke_syscall.constprop.0+0xdc/0x1e8
+[   59.468177]  do_el0_svc+0x154/0x1d8
+[   59.468489]  el0_svc+0x40/0xe0
+[   59.468767]  el0t_64_sync_handler+0xa0/0xe8
+[   59.469138]  el0t_64_sync+0x1ac/0x1b0
+
+Ensure this can't happen by taking the nfsd_mutex and checking that
+the server is still up, and then holding the mutex across the call to
+nfsd4_revoke_states().
+
+Reviewed-by: NeilBrown <neil@brown.name>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Fixes: 1ac3629bf0125 ("nfsd: prepare for supporting admin-revocation of state")
+Cc: stable@vger.kernel.org
+Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c |    5 ++---
+ fs/nfsd/nfsctl.c    |    9 ++++++++-
+ fs/nfsd/state.h     |    4 ++--
+ 3 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1759,7 +1759,7 @@ static struct nfs4_stid *find_one_sb_sti
+ /**
+  * nfsd4_revoke_states - revoke all nfsv4 states associated with given filesystem
+- * @net:  used to identify instance of nfsd (there is one per net namespace)
++ * @nn:   used to identify instance of nfsd (there is one per net namespace)
+  * @sb:   super_block used to identify target filesystem
+  *
+  * All nfs4 states (open, lock, delegation, layout) held by the server instance
+@@ -1771,9 +1771,8 @@ static struct nfs4_stid *find_one_sb_sti
+  * The clients which own the states will subsequently being notified that the
+  * states have been "admin-revoked".
+  */
+-void nfsd4_revoke_states(struct net *net, struct super_block *sb)
++void nfsd4_revoke_states(struct nfsd_net *nn, struct super_block *sb)
+ {
+-      struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+       unsigned int idhashval;
+       unsigned int sc_types;
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -259,6 +259,7 @@ static ssize_t write_unlock_fs(struct fi
+       struct path path;
+       char *fo_path;
+       int error;
++      struct nfsd_net *nn;
+       /* sanity check */
+       if (size == 0)
+@@ -285,7 +286,13 @@ static ssize_t write_unlock_fs(struct fi
+        * 3.  Is that directory the root of an exported file system?
+        */
+       error = nlmsvc_unlock_all_by_sb(path.dentry->d_sb);
+-      nfsd4_revoke_states(netns(file), path.dentry->d_sb);
++      mutex_lock(&nfsd_mutex);
++      nn = net_generic(netns(file), nfsd_net_id);
++      if (nn->nfsd_serv)
++              nfsd4_revoke_states(nn, path.dentry->d_sb);
++      else
++              error = -EINVAL;
++      mutex_unlock(&nfsd_mutex);
+       path_put(&path);
+       return error;
+--- a/fs/nfsd/state.h
++++ b/fs/nfsd/state.h
+@@ -841,9 +841,9 @@ static inline void get_nfs4_file(struct
+ struct nfsd_file *find_any_file(struct nfs4_file *f);
+ #ifdef CONFIG_NFSD_V4
+-void nfsd4_revoke_states(struct net *net, struct super_block *sb);
++void nfsd4_revoke_states(struct nfsd_net *nn, struct super_block *sb);
+ #else
+-static inline void nfsd4_revoke_states(struct net *net, struct super_block *sb)
++static inline void nfsd4_revoke_states(struct nfsd_net *nn, struct super_block *sb)
+ {
+ }
+ #endif
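Review bot: nfsd4_revoke_states() in fs/nfsd/nfs4state.c now depends on its caller holding nfsd_mutex and having checked nn->nfsd_serv, but neither its kernel-doc nor its body records that; only the write_unlock_fs() hunk in nfsctl.c shows it. A later caller that passes an nfsd_net without the lock would bring back the access to freed state tables that the call trace in the description shows. I would add a kernel-doc line such as ` * Context: caller must hold nfsd_mutex and have verified that nn->nfsd_serv is set.` and, provided nfsd_mutex is declared for nfs4state.c (not visible here), `lockdep_assert_held(&nfsd_mutex);` as the first statement. Both function bodies continue outside their hunks.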
diff --git a/queue-6.18/nfsd-fix-permission-check-for-read-access-to-executable-only-files.patch b/queue-6.18/nfsd-fix-permission-check-for-read-access-to-executable-only-files.patch
new file mode 100644 (file)
index 0000000..a749a20
--- /dev/null
@@ -0,0 +1,46 @@
+From e901c7fce59e72d9f3c92733c379849c4034ac50 Mon Sep 17 00:00:00 2001
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Thu, 11 Dec 2025 07:34:34 -0500
+Subject: NFSD: Fix permission check for read access to executable-only files
+
+From: Scott Mayhew <smayhew@redhat.com>
+
+commit e901c7fce59e72d9f3c92733c379849c4034ac50 upstream.
+
+Commit abc02e5602f7 ("NFSD: Support write delegations in LAYOUTGET")
+added NFSD_MAY_OWNER_OVERRIDE to the access flags passed from
+nfsd4_layoutget() to fh_verify().  This causes LAYOUTGET to fail for
+executable-only files, and causes xfstests generic/126 to fail on
+pNFS SCSI.
+
+To allow read access to executable-only files, what we really want is:
+1. The "permissions" portion of the access flags (the lower 6 bits)
+   must be exactly NFSD_MAY_READ
+2. The "hints" portion of the access flags (the upper 26 bits) can
+   contain any combination of NFSD_MAY_OWNER_OVERRIDE and
+   NFSD_MAY_READ_IF_EXEC
+
+Fixes: abc02e5602f7 ("NFSD: Support write delegations in LAYOUTGET")
+Cc: stable@vger.kernel.org # v6.6+
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: NeilBrown <neil@brown.name>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/vfs.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -2683,8 +2683,8 @@ nfsd_permission(struct svc_cred *cred, s
+       /* Allow read access to binaries even when mode 111 */
+       if (err == -EACCES && S_ISREG(inode->i_mode) &&
+-           (acc == (NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE) ||
+-            acc == (NFSD_MAY_READ | NFSD_MAY_READ_IF_EXEC)))
++           (((acc & NFSD_MAY_MASK) == NFSD_MAY_READ) &&
++            (acc & (NFSD_MAY_OWNER_OVERRIDE | NFSD_MAY_READ_IF_EXEC))))
+               err = inode_permission(&nop_mnt_idmap, inode, MAY_EXEC);
+       return err? nfserrno(err) : 0;
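Review bot: The rewritten test in nfsd_permission() no longer bounds the hint bits. `(acc & NFSD_MAY_MASK) == NFSD_MAY_READ` pins the permission bits, and the second operand only requires that NFSD_MAY_OWNER_OVERRIDE or NFSD_MAY_READ_IF_EXEC be set, so any other hint flag can now accompany them and still reach the MAY_EXEC fallback, where the old code demanded exact equality. The description can be read as accepting only those two hints. If the wider match is intended, the comment above the test should say so, e.g. `/* Allow read of mode-111 binaries: permission bits must be exactly READ, with OWNER_OVERRIDE or READ_IF_EXEC among the hints */`; if it is not, add `!(acc & ~(NFSD_MAY_MASK | NFSD_MAY_OWNER_OVERRIDE | NFSD_MAY_READ_IF_EXEC))` to the condition. nfsd_permission() starts outside the hunk.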
diff --git a/queue-6.18/nfsd-net-ref-data-still-needs-to-be-freed-even-if-net-hasn-t-startup.patch b/queue-6.18/nfsd-net-ref-data-still-needs-to-be-freed-even-if-net-hasn-t-startup.patch
new file mode 100644 (file)
index 0000000..f5c4bdc
--- /dev/null
@@ -0,0 +1,83 @@
+From 0b88bfa42e5468baff71909c2f324a495318532b Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis <eadavis@qq.com>
+Date: Tue, 16 Dec 2025 18:27:37 +0800
+Subject: NFSD: net ref data still needs to be freed even if net hasn't startup
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+commit 0b88bfa42e5468baff71909c2f324a495318532b upstream.
+
+When the NFSD instance doesn't to startup, the net ref data memory is
+not properly reclaimed, which triggers the memory leak issue reported
+by syzbot [1].
+
+To avoid the problem reported in [1], the net ref data memory reclamation
+action is moved outside of nfsd_net_up when the net is shutdown.
+
+[1]
+unreferenced object 0xffff88812a39dfc0 (size 64):
+  backtrace (crc a2262fc6):
+    percpu_ref_init+0x94/0x1e0 lib/percpu-refcount.c:76
+    nfsd_create_serv+0xbe/0x260 fs/nfsd/nfssvc.c:605
+    nfsd_nl_listener_set_doit+0x62/0xb00 fs/nfsd/nfsctl.c:1882
+    genl_family_rcv_msg_doit+0x11e/0x190 net/netlink/genetlink.c:1115
+    genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
+    genl_rcv_msg+0x2fd/0x440 net/netlink/genetlink.c:1210
+
+BUG: memory leak
+
+Reported-by: syzbot+6ee3b889bdeada0a6226@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=6ee3b889bdeada0a6226
+Fixes: 39972494e318 ("nfsd: update percpu_ref to manage references on nfsd_net")
+Cc: stable@vger.kernel.org
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfssvc.c |   30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+--- a/fs/nfsd/nfssvc.c
++++ b/fs/nfsd/nfssvc.c
+@@ -424,26 +424,26 @@ static void nfsd_shutdown_net(struct net
+ {
+       struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+-      if (!nn->nfsd_net_up)
+-              return;
+-
+-      percpu_ref_kill_and_confirm(&nn->nfsd_net_ref, nfsd_net_done);
+-      wait_for_completion(&nn->nfsd_net_confirm_done);
+-
+-      nfsd_export_flush(net);
+-      nfs4_state_shutdown_net(net);
+-      nfsd_reply_cache_shutdown(nn);
+-      nfsd_file_cache_shutdown_net(net);
+-      if (nn->lockd_up) {
+-              lockd_down(net);
+-              nn->lockd_up = false;
++      if (nn->nfsd_net_up) {
++              percpu_ref_kill_and_confirm(&nn->nfsd_net_ref, nfsd_net_done);
++              wait_for_completion(&nn->nfsd_net_confirm_done);
++
++              nfsd_export_flush(net);
++              nfs4_state_shutdown_net(net);
++              nfsd_reply_cache_shutdown(nn);
++              nfsd_file_cache_shutdown_net(net);
++              if (nn->lockd_up) {
++                      lockd_down(net);
++                      nn->lockd_up = false;
++              }
++              wait_for_completion(&nn->nfsd_net_free_done);
+       }
+-      wait_for_completion(&nn->nfsd_net_free_done);
+       percpu_ref_exit(&nn->nfsd_net_ref);
++      if (nn->nfsd_net_up)
++              nfsd_shutdown_generic();
+       nn->nfsd_net_up = false;
+-      nfsd_shutdown_generic();
+ }
+ static DEFINE_SPINLOCK(nfsd_notifier_lock);
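Review bot: nfsd_shutdown_net() now reaches `percpu_ref_exit(&nn->nfsd_net_ref)` on every call, including calls where nfsd_net_up is false, and the hunk does not show what guarantees the ref was initialised, or not already exited, on that path. The backtrace in the description shows the ref being set up in nfsd_create_serv(), so the unconditional exit is presumably paired with that, but the reason deserves a comment above the call, e.g. `/* nfsd_net_ref is initialised in nfsd_create_serv(), before the net is up, so release it even when startup never completed */`. Testing nn->nfsd_net_up a second time after the exit also reads awkwardly; a local `bool was_up = nn->nfsd_net_up;` taken at the top would let both branches use one snapshot. The function's signature is outside the hunk.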
diff --git a/queue-6.18/nfsd-provide-locking-for-v4_end_grace.patch b/queue-6.18/nfsd-provide-locking-for-v4_end_grace.patch
new file mode 100644 (file)
index 0000000..e9b8297
--- /dev/null
@@ -0,0 +1,182 @@
+From 2857bd59feb63fcf40fe4baf55401baea6b4feb4 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neil@brown.name>
+Date: Sat, 13 Dec 2025 13:41:59 -0500
+Subject: nfsd: provide locking for v4_end_grace
+
+From: NeilBrown <neil@brown.name>
+
+commit 2857bd59feb63fcf40fe4baf55401baea6b4feb4 upstream.
+
+Writing to v4_end_grace can race with server shutdown and result in
+memory being accessed after it was freed - reclaim_str_hashtbl in
+particularly.
+
+We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is
+held while client_tracking_op->init() is called and that can wait for
+an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a
+deadlock.
+
+nfsd4_end_grace() is also called by the landromat work queue and this
+doesn't require locking as server shutdown will stop the work and wait
+for it before freeing anything that nfsd4_end_grace() might access.
+
+However, we must be sure that writing to v4_end_grace doesn't restart
+the work item after shutdown has already waited for it.  For this we
+add a new flag protected with nn->client_lock.  It is set only while it
+is safe to make client tracking calls, and v4_end_grace only schedules
+work while the flag is set with the spinlock held.
+
+So this patch adds a nfsd_net field "client_tracking_active" which is
+set as described.  Another field "grace_end_forced", is set when
+v4_end_grace is written.  After this is set, and providing
+client_tracking_active is set, the laundromat is scheduled.
+This "grace_end_forced" field bypasses other checks for whether the
+grace period has finished.
+
+This resolves a race which can result in use-after-free.
+
+Reported-by: Li Lingfeng <lilingfeng3@huawei.com>
+Closes: https://lore.kernel.org/linux-nfs/20250623030015.2353515-1-neil@brown.name/T/#t
+Fixes: 7f5ef2e900d9 ("nfsd: add a v4_end_grace file to /proc/fs/nfsd")
+Cc: stable@vger.kernel.org
+Signed-off-by: NeilBrown <neil@brown.name>
+Tested-by: Li Lingfeng <lilingfeng3@huawei.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/netns.h     |    2 ++
+ fs/nfsd/nfs4state.c |   42 ++++++++++++++++++++++++++++++++++++++++--
+ fs/nfsd/nfsctl.c    |    3 +--
+ fs/nfsd/state.h     |    2 +-
+ 4 files changed, 44 insertions(+), 5 deletions(-)
+
+--- a/fs/nfsd/netns.h
++++ b/fs/nfsd/netns.h
+@@ -66,6 +66,8 @@ struct nfsd_net {
+       struct lock_manager nfsd4_manager;
+       bool grace_ended;
++      bool grace_end_forced;
++      bool client_tracking_active;
+       time64_t boot_time;
+       struct dentry *nfsd_client_dir;
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -84,7 +84,7 @@ static u64 current_sessionid = 1;
+ /* forward declarations */
+ static bool check_for_locks(struct nfs4_file *fp, struct nfs4_lockowner *lowner);
+ static void nfs4_free_ol_stateid(struct nfs4_stid *stid);
+-void nfsd4_end_grace(struct nfsd_net *nn);
++static void nfsd4_end_grace(struct nfsd_net *nn);
+ static void _free_cpntf_state_locked(struct nfsd_net *nn, struct nfs4_cpntf_state *cps);
+ static void nfsd4_file_hash_remove(struct nfs4_file *fi);
+ static void deleg_reaper(struct nfsd_net *nn);
+@@ -6597,7 +6597,7 @@ nfsd4_renew(struct svc_rqst *rqstp, stru
+       return nfs_ok;
+ }
+-void
++static void
+ nfsd4_end_grace(struct nfsd_net *nn)
+ {
+       /* do nothing if grace period already ended */
+@@ -6630,6 +6630,33 @@ nfsd4_end_grace(struct nfsd_net *nn)
+        */
+ }
++/**
++ * nfsd4_force_end_grace - forcibly end the NFSv4 grace period
++ * @nn: network namespace for the server instance to be updated
++ *
++ * Forces bypass of normal grace period completion, then schedules
++ * the laundromat to end the grace period immediately. Does not wait
++ * for the grace period to fully terminate before returning.
++ *
++ * Return values:
++ *   %true: Grace termination schedule
++ *   %false: No action was taken
++ */
++bool nfsd4_force_end_grace(struct nfsd_net *nn)
++{
++      if (!nn->client_tracking_ops)
++              return false;
++      spin_lock(&nn->client_lock);
++      if (nn->grace_ended || !nn->client_tracking_active) {
++              spin_unlock(&nn->client_lock);
++              return false;
++      }
++      WRITE_ONCE(nn->grace_end_forced, true);
++      mod_delayed_work(laundry_wq, &nn->laundromat_work, 0);
++      spin_unlock(&nn->client_lock);
++      return true;
++}
++
+ /*
+  * If we've waited a lease period but there are still clients trying to
+  * reclaim, wait a little longer to give them a chance to finish.
+@@ -6639,6 +6666,8 @@ static bool clients_still_reclaiming(str
+       time64_t double_grace_period_end = nn->boot_time +
+                                          2 * nn->nfsd4_lease;
++      if (READ_ONCE(nn->grace_end_forced))
++              return false;
+       if (nn->track_reclaim_completes &&
+                       atomic_read(&nn->nr_reclaim_complete) ==
+                       nn->reclaim_str_hashtbl_size)
+@@ -8942,6 +8971,8 @@ static int nfs4_state_create_net(struct
+       nn->unconf_name_tree = RB_ROOT;
+       nn->boot_time = ktime_get_real_seconds();
+       nn->grace_ended = false;
++      nn->grace_end_forced = false;
++      nn->client_tracking_active = false;
+       nn->nfsd4_manager.block_opens = true;
+       INIT_LIST_HEAD(&nn->nfsd4_manager.list);
+       INIT_LIST_HEAD(&nn->client_lru);
+@@ -9022,6 +9053,10 @@ nfs4_state_start_net(struct net *net)
+               return ret;
+       locks_start_grace(net, &nn->nfsd4_manager);
+       nfsd4_client_tracking_init(net);
++      /* safe for laundromat to run now */
++      spin_lock(&nn->client_lock);
++      nn->client_tracking_active = true;
++      spin_unlock(&nn->client_lock);
+       if (nn->track_reclaim_completes && nn->reclaim_str_hashtbl_size == 0)
+               goto skip_grace;
+       printk(KERN_INFO "NFSD: starting %lld-second grace period (net %x)\n",
+@@ -9070,6 +9105,9 @@ nfs4_state_shutdown_net(struct net *net)
+       shrinker_free(nn->nfsd_client_shrinker);
+       cancel_work_sync(&nn->nfsd_shrinker_work);
++      spin_lock(&nn->client_lock);
++      nn->client_tracking_active = false;
++      spin_unlock(&nn->client_lock);
+       cancel_delayed_work_sync(&nn->laundromat_work);
+       locks_end_grace(&nn->nfsd4_manager);
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1082,10 +1082,9 @@ static ssize_t write_v4_end_grace(struct
+               case 'Y':
+               case 'y':
+               case '1':
+-                      if (!nn->nfsd_serv)
++                      if (!nfsd4_force_end_grace(nn))
+                               return -EBUSY;
+                       trace_nfsd_end_grace(netns(file));
+-                      nfsd4_end_grace(nn);
+                       break;
+               default:
+                       return -EINVAL;
+--- a/fs/nfsd/state.h
++++ b/fs/nfsd/state.h
+@@ -849,7 +849,7 @@ static inline void nfsd4_revoke_states(s
+ #endif
+ /* grace period management */
+-void nfsd4_end_grace(struct nfsd_net *nn);
++bool nfsd4_force_end_grace(struct nfsd_net *nn);
+ /* nfs4recover operations */
+ extern int nfsd4_client_tracking_init(struct net *net);
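Review bot: write_v4_end_grace() in fs/nfsd/nfsctl.c now returns -EBUSY when the grace period has already ended. nfsd4_force_end_grace() returns false for `nn->grace_ended` as well as for inactive client tracking, whereas the old path called nfsd4_end_grace(), whose visible comment says it does nothing in that case, and did not return -EBUSY. A client-tracking daemon or admin script that writes to v4_end_grace more than once would see a new error. If that is intended, the kernel-doc should spell it out, for example `%false: grace period already ended, or client tracking is not active`; the neighbouring line `%true: Grace termination schedule` should also read `scheduled`. write_v4_end_grace() starts and ends outside the hunk.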
diff --git a/queue-6.18/nfsd-remove-nfserr_eagain.patch b/queue-6.18/nfsd-remove-nfserr_eagain.patch
new file mode 100644 (file)
index 0000000..061d72e
--- /dev/null
@@ -0,0 +1,97 @@
+From c6c209ceb87f64a6ceebe61761951dcbbf4a0baa Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Tue, 9 Dec 2025 19:28:49 -0500
+Subject: NFSD: Remove NFSERR_EAGAIN
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit c6c209ceb87f64a6ceebe61761951dcbbf4a0baa upstream.
+
+I haven't found an NFSERR_EAGAIN in RFCs 1094, 1813, 7530, or 8881.
+None of these RFCs have an NFS status code that match the numeric
+value "11".
+
+Based on the meaning of the EAGAIN errno, I presume the use of this
+status in NFSD means NFS4ERR_DELAY. So replace the one usage of
+nfserr_eagain, and remove it from NFSD's NFS status conversion
+tables.
+
+As far as I can tell, NFSERR_EAGAIN has existed since the pre-git
+era, but was not actually used by any code until commit f4e44b393389
+("NFSD: delay unmount source's export after inter-server copy
+completed."), at which time it become possible for NFSD to return
+a status code of 11 (which is not valid NFS protocol).
+
+Fixes: f4e44b393389 ("NFSD: delay unmount source's export after inter-server copy completed.")
+Cc: stable@vger.kernel.org
+Reviewed-by: NeilBrown <neil@brown.name>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs_common/common.c   |    1 -
+ fs/nfsd/nfs4proc.c       |    2 +-
+ fs/nfsd/nfsd.h           |    1 -
+ include/trace/misc/nfs.h |    2 --
+ include/uapi/linux/nfs.h |    1 -
+ 5 files changed, 1 insertion(+), 6 deletions(-)
+
+--- a/fs/nfs_common/common.c
++++ b/fs/nfs_common/common.c
+@@ -17,7 +17,6 @@ static const struct {
+       { NFSERR_NOENT,         -ENOENT         },
+       { NFSERR_IO,            -EIO            },
+       { NFSERR_NXIO,          -ENXIO          },
+-/*    { NFSERR_EAGAIN,        -EAGAIN         }, */
+       { NFSERR_ACCES,         -EACCES         },
+       { NFSERR_EXIST,         -EEXIST         },
+       { NFSERR_XDEV,          -EXDEV          },
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1506,7 +1506,7 @@ try_again:
+                                       (schedule_timeout(20*HZ) == 0)) {
+                               finish_wait(&nn->nfsd_ssc_waitq, &wait);
+                               kfree(work);
+-                              return nfserr_eagain;
++                              return nfserr_jukebox;
+                       }
+                       finish_wait(&nn->nfsd_ssc_waitq, &wait);
+                       goto try_again;
+--- a/fs/nfsd/nfsd.h
++++ b/fs/nfsd/nfsd.h
+@@ -232,7 +232,6 @@ void               nfsd_lockd_shutdown(void);
+ #define       nfserr_noent            cpu_to_be32(NFSERR_NOENT)
+ #define       nfserr_io               cpu_to_be32(NFSERR_IO)
+ #define       nfserr_nxio             cpu_to_be32(NFSERR_NXIO)
+-#define       nfserr_eagain           cpu_to_be32(NFSERR_EAGAIN)
+ #define       nfserr_acces            cpu_to_be32(NFSERR_ACCES)
+ #define       nfserr_exist            cpu_to_be32(NFSERR_EXIST)
+ #define       nfserr_xdev             cpu_to_be32(NFSERR_XDEV)
+--- a/include/trace/misc/nfs.h
++++ b/include/trace/misc/nfs.h
+@@ -16,7 +16,6 @@ TRACE_DEFINE_ENUM(NFSERR_PERM);
+ TRACE_DEFINE_ENUM(NFSERR_NOENT);
+ TRACE_DEFINE_ENUM(NFSERR_IO);
+ TRACE_DEFINE_ENUM(NFSERR_NXIO);
+-TRACE_DEFINE_ENUM(NFSERR_EAGAIN);
+ TRACE_DEFINE_ENUM(NFSERR_ACCES);
+ TRACE_DEFINE_ENUM(NFSERR_EXIST);
+ TRACE_DEFINE_ENUM(NFSERR_XDEV);
+@@ -52,7 +51,6 @@ TRACE_DEFINE_ENUM(NFSERR_JUKEBOX);
+               { NFSERR_NXIO,                  "NXIO" }, \
+               { ECHILD,                       "CHILD" }, \
+               { ETIMEDOUT,                    "TIMEDOUT" }, \
+-              { NFSERR_EAGAIN,                "AGAIN" }, \
+               { NFSERR_ACCES,                 "ACCES" }, \
+               { NFSERR_EXIST,                 "EXIST" }, \
+               { NFSERR_XDEV,                  "XDEV" }, \
+--- a/include/uapi/linux/nfs.h
++++ b/include/uapi/linux/nfs.h
+@@ -49,7 +49,6 @@
+       NFSERR_NOENT = 2,               /* v2 v3 v4 */
+       NFSERR_IO = 5,                  /* v2 v3 v4 */
+       NFSERR_NXIO = 6,                /* v2 v3 v4 */
+-      NFSERR_EAGAIN = 11,             /* v2 v3 */
+       NFSERR_ACCES = 13,              /* v2 v3 v4 */
+       NFSERR_EXIST = 17,              /* v2 v3 v4 */
+       NFSERR_XDEV = 18,               /*    v3 v4 */
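Review bot: Dropping `NFSERR_EAGAIN = 11` from include/uapi/linux/nfs.h changes a header exported to userspace, so any out-of-tree program that names the constant stops compiling once this backport lands in a stable kernel. The description establishes that NFSD should never send the value, which the nfs4proc.c change achieves on its own. The UAPI enumerator could stay with a comment, e.g. `NFSERR_EAGAIN = 11, /* not a protocol status; kept for userspace source compatibility */`. Separately, the code returns `nfserr_jukebox` while the description names NFS4ERR_DELAY, and the hunks do not show that the two are the same status, so a word on that in the description would help.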
diff --git a/queue-6.18/nfsd-use-correct-loop-termination-in-nfsd4_revoke_states.patch b/queue-6.18/nfsd-use-correct-loop-termination-in-nfsd4_revoke_states.patch
new file mode 100644 (file)
index 0000000..46562db
--- /dev/null
@@ -0,0 +1,37 @@
+From fb321998de7639f1954430674475e469fb529d9c Mon Sep 17 00:00:00 2001
+From: NeilBrown <neil@brown.name>
+Date: Mon, 15 Dec 2025 08:07:28 +1100
+Subject: nfsd: use correct loop termination in nfsd4_revoke_states()
+
+From: NeilBrown <neil@brown.name>
+
+commit fb321998de7639f1954430674475e469fb529d9c upstream.
+
+The loop in nfsd4_revoke_states() stops one too early because
+the end value given is CLIENT_HASH_MASK where it should be
+CLIENT_HASH_SIZE.
+
+This means that an admin request to drop all locks for a filesystem will
+miss locks held by clients which hash to the maximum possible hash value.
+
+Fixes: 1ac3629bf012 ("nfsd: prepare for supporting admin-revocation of state")
+Cc: stable@vger.kernel.org
+Signed-off-by: NeilBrown <neil@brown.name>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1780,7 +1780,7 @@ void nfsd4_revoke_states(struct net *net
+       sc_types = SC_TYPE_OPEN | SC_TYPE_LOCK | SC_TYPE_DELEG | SC_TYPE_LAYOUT;
+       spin_lock(&nn->client_lock);
+-      for (idhashval = 0; idhashval < CLIENT_HASH_MASK; idhashval++) {
++      for (idhashval = 0; idhashval < CLIENT_HASH_SIZE; idhashval++) {
+               struct list_head *head = &nn->conf_id_hashtbl[idhashval];
+               struct nfs4_client *clp;
+       retry:
diff --git a/queue-6.18/nouveau-don-t-attempt-fwsec-on-sb-on-newer-platforms.patch b/queue-6.18/nouveau-don-t-attempt-fwsec-on-sb-on-newer-platforms.patch
new file mode 100644 (file)
index 0000000..dd87c1c
--- /dev/null
@@ -0,0 +1,205 @@
+From e8b3627bec357698f2d4d6dbf27cdcfa0e9d8715 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Fri, 2 Jan 2026 14:18:29 +1000
+Subject: nouveau: don't attempt fwsec on sb on newer platforms.
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit e8b3627bec357698f2d4d6dbf27cdcfa0e9d8715 upstream.
+
+The changes to always loads fwsec sb causes problems on newer GPUs
+which don't use this path.
+
+Add hooks and pass through the device specific layers.
+
+Fixes: da67179e5538 ("drm/nouveau/gsp: Allocate fwsec-sb at boot")
+Cc: <stable@vger.kernel.org> # v6.16+
+Cc: Lyude Paul <lyude@redhat.com>
+Cc: Timur Tabi <ttabi@nvidia.com>
+Tested-by: Matthew Schwartz <matthew.schwartz@linux.dev>
+Tested-by: Christopher Snowhill <chris@kode54.net>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Link: https://patch.msgid.link/20260102041829.2748009-1-airlied@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ .../gpu/drm/nouveau/nvkm/subdev/gsp/ad102.c   |  3 +++
+ .../gpu/drm/nouveau/nvkm/subdev/gsp/fwsec.c   |  8 +------
+ .../gpu/drm/nouveau/nvkm/subdev/gsp/ga100.c   |  3 +++
+ .../gpu/drm/nouveau/nvkm/subdev/gsp/ga102.c   |  3 +++
+ .../gpu/drm/nouveau/nvkm/subdev/gsp/priv.h    | 23 +++++++++++++++++--
+ .../gpu/drm/nouveau/nvkm/subdev/gsp/tu102.c   | 15 ++++++++++++
+ .../gpu/drm/nouveau/nvkm/subdev/gsp/tu116.c   |  3 +++
+ 7 files changed, 49 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ad102.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ad102.c
+index 35d1fcef520b..c456a9626823 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ad102.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ad102.c
+@@ -30,6 +30,9 @@ ad102_gsp = {
+       .booter.ctor = ga102_gsp_booter_ctor,
++      .fwsec_sb.ctor = tu102_gsp_fwsec_sb_ctor,
++      .fwsec_sb.dtor = tu102_gsp_fwsec_sb_dtor,
++
+       .dtor = r535_gsp_dtor,
+       .oneinit = tu102_gsp_oneinit,
+       .init = tu102_gsp_init,
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/fwsec.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/fwsec.c
+index 503760246660..851140e80122 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/fwsec.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/fwsec.c
+@@ -337,18 +337,12 @@ nvkm_gsp_fwsec_sb(struct nvkm_gsp *gsp)
+ }
+ int
+-nvkm_gsp_fwsec_sb_ctor(struct nvkm_gsp *gsp)
++nvkm_gsp_fwsec_sb_init(struct nvkm_gsp *gsp)
+ {
+       return nvkm_gsp_fwsec_init(gsp, &gsp->fws.falcon.sb, "fwsec-sb",
+                                  NVFW_FALCON_APPIF_DMEMMAPPER_CMD_SB);
+ }
+-void
+-nvkm_gsp_fwsec_sb_dtor(struct nvkm_gsp *gsp)
+-{
+-      nvkm_falcon_fw_dtor(&gsp->fws.falcon.sb);
+-}
+-
+ int
+ nvkm_gsp_fwsec_frts(struct nvkm_gsp *gsp)
+ {
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga100.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga100.c
+index d201e8697226..27a13aeccd3c 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga100.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga100.c
+@@ -47,6 +47,9 @@ ga100_gsp = {
+       .booter.ctor = tu102_gsp_booter_ctor,
++      .fwsec_sb.ctor = tu102_gsp_fwsec_sb_ctor,
++      .fwsec_sb.dtor = tu102_gsp_fwsec_sb_dtor,
++
+       .dtor = r535_gsp_dtor,
+       .oneinit = tu102_gsp_oneinit,
+       .init = tu102_gsp_init,
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga102.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga102.c
+index 917f7e2f6c46..b6b3eb6f4c00 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga102.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga102.c
+@@ -158,6 +158,9 @@ ga102_gsp_r535 = {
+       .booter.ctor = ga102_gsp_booter_ctor,
++      .fwsec_sb.ctor = tu102_gsp_fwsec_sb_ctor,
++      .fwsec_sb.dtor = tu102_gsp_fwsec_sb_dtor,
++
+       .dtor = r535_gsp_dtor,
+       .oneinit = tu102_gsp_oneinit,
+       .init = tu102_gsp_init,
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/priv.h b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/priv.h
+index 86bdd203bc10..9dd66a2e3801 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/priv.h
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/priv.h
+@@ -7,9 +7,8 @@ enum nvkm_acr_lsf_id;
+ int nvkm_gsp_fwsec_frts(struct nvkm_gsp *);
+-int nvkm_gsp_fwsec_sb_ctor(struct nvkm_gsp *);
+ int nvkm_gsp_fwsec_sb(struct nvkm_gsp *);
+-void nvkm_gsp_fwsec_sb_dtor(struct nvkm_gsp *);
++int nvkm_gsp_fwsec_sb_init(struct nvkm_gsp *gsp);
+ struct nvkm_gsp_fwif {
+       int version;
+@@ -52,6 +51,11 @@ struct nvkm_gsp_func {
+                           struct nvkm_falcon *, struct nvkm_falcon_fw *);
+       } booter;
++      struct {
++              int (*ctor)(struct nvkm_gsp *);
++              void (*dtor)(struct nvkm_gsp *);
++      } fwsec_sb;
++
+       void (*dtor)(struct nvkm_gsp *);
+       int (*oneinit)(struct nvkm_gsp *);
+       int (*init)(struct nvkm_gsp *);
+@@ -67,6 +71,8 @@ extern const struct nvkm_falcon_func tu102_gsp_flcn;
+ extern const struct nvkm_falcon_fw_func tu102_gsp_fwsec;
+ int tu102_gsp_booter_ctor(struct nvkm_gsp *, const char *, const struct firmware *,
+                         struct nvkm_falcon *, struct nvkm_falcon_fw *);
++int tu102_gsp_fwsec_sb_ctor(struct nvkm_gsp *);
++void tu102_gsp_fwsec_sb_dtor(struct nvkm_gsp *);
+ int tu102_gsp_oneinit(struct nvkm_gsp *);
+ int tu102_gsp_init(struct nvkm_gsp *);
+ int tu102_gsp_fini(struct nvkm_gsp *, bool suspend);
+@@ -91,5 +97,18 @@ int r535_gsp_fini(struct nvkm_gsp *, bool suspend);
+ int nvkm_gsp_new_(const struct nvkm_gsp_fwif *, struct nvkm_device *, enum nvkm_subdev_type, int,
+                 struct nvkm_gsp **);
++static inline int nvkm_gsp_fwsec_sb_ctor(struct nvkm_gsp *gsp)
++{
++      if (gsp->func->fwsec_sb.ctor)
++              return gsp->func->fwsec_sb.ctor(gsp);
++      return 0;
++}
++
++static inline void nvkm_gsp_fwsec_sb_dtor(struct nvkm_gsp *gsp)
++{
++      if (gsp->func->fwsec_sb.dtor)
++              gsp->func->fwsec_sb.dtor(gsp);
++}
++
+ extern const struct nvkm_gsp_func gv100_gsp;
+ #endif
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu102.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu102.c
+index 81e56da0474a..04b642a1f730 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu102.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu102.c
+@@ -30,6 +30,18 @@
+ #include <nvfw/fw.h>
+ #include <nvfw/hs.h>
++int
++tu102_gsp_fwsec_sb_ctor(struct nvkm_gsp *gsp)
++{
++      return nvkm_gsp_fwsec_sb_init(gsp);
++}
++
++void
++tu102_gsp_fwsec_sb_dtor(struct nvkm_gsp *gsp)
++{
++      nvkm_falcon_fw_dtor(&gsp->fws.falcon.sb);
++}
++
+ static int
+ tu102_gsp_booter_unload(struct nvkm_gsp *gsp, u32 mbox0, u32 mbox1)
+ {
+@@ -370,6 +382,9 @@ tu102_gsp = {
+       .booter.ctor = tu102_gsp_booter_ctor,
++      .fwsec_sb.ctor = tu102_gsp_fwsec_sb_ctor,
++      .fwsec_sb.dtor = tu102_gsp_fwsec_sb_dtor,
++
+       .dtor = r535_gsp_dtor,
+       .oneinit = tu102_gsp_oneinit,
+       .init = tu102_gsp_init,
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu116.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu116.c
+index 97eb046c25d0..58cf25842421 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu116.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu116.c
+@@ -30,6 +30,9 @@ tu116_gsp = {
+       .booter.ctor = tu102_gsp_booter_ctor,
++      .fwsec_sb.ctor = tu102_gsp_fwsec_sb_ctor,
++      .fwsec_sb.dtor = tu102_gsp_fwsec_sb_dtor,
++
+       .dtor = r535_gsp_dtor,
+       .oneinit = tu102_gsp_oneinit,
+       .init = tu102_gsp_init,
+-- 
+2.52.0
+
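Review bot: The new `fwsec_sb` member of struct nvkm_gsp_func in priv.h is optional, since the inline nvkm_gsp_fwsec_sb_ctor()/nvkm_gsp_fwsec_sb_dtor() wrappers skip a NULL hook, but nothing in the struct says so, and nvkm_gsp_fwsec_sb() stays declared without a matching guard. On a chip whose function table leaves the hooks unset, `gsp->fws.falcon.sb` is never constructed, so any path that still calls nvkm_gsp_fwsec_sb() would run against an uninitialised firmware object. The callers are outside the hunks, so this needs checking rather than assuming. I would add `/* optional: left NULL on GPUs that do not use FWSEC-SB */` above the struct member and a one-line comment on the nvkm_gsp_fwsec_sb() declaration naming which chips may call it.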
diff --git a/queue-6.18/pci-meson-report-that-link-is-up-while-in-aspm-l0s-and-l1-states.patch b/queue-6.18/pci-meson-report-that-link-is-up-while-in-aspm-l0s-and-l1-states.patch
new file mode 100644 (file)
index 0000000..d900b65
--- /dev/null
@@ -0,0 +1,98 @@
+From df27c03b9e3ef2baa9e9c9f56a771d463a84489d Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Mon, 3 Nov 2025 16:19:26 -0600
+Subject: PCI: meson: Report that link is up while in ASPM L0s and L1 states
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+commit df27c03b9e3ef2baa9e9c9f56a771d463a84489d upstream.
+
+Previously meson_pcie_link_up() only returned true if the link was in the
+L0 state.  This was incorrect because hardware autonomously manages
+transitions between L0, L0s, and L1 while both components on the link stay
+in D0.  Those states should all be treated as "link is active".
+
+Returning false when the device was in L0s or L1 broke config accesses
+because dw_pcie_other_conf_map_bus() fails if the link is down, which
+caused errors like this:
+
+  meson-pcie fc000000.pcie: error: wait linkup timeout
+  pci 0000:01:00.0: BAR 0: error updating (0xfc700004 != 0xffffffff)
+
+Remove the LTSSM state check, timeout, speed check, and error message from
+meson_pcie_link_up(), the dw_pcie_ops.link_up() method, so it is a simple
+boolean check of whether the link is active.  Timeouts and error messages
+are handled at a higher level, e.g., dw_pcie_wait_for_link().
+
+Fixes: 9c0ef6d34fdb ("PCI: amlogic: Add the Amlogic Meson PCIe controller driver")
+Reported-by: Linnaea Lavia <linnaea-von-lavia@live.com>
+Closes: https://lore.kernel.org/r/DM4PR05MB102707B8CDF84D776C39F22F2C7F0A@DM4PR05MB10270.namprd05.prod.outlook.com
+[bhelgaas: squash removal of unused WAIT_LINKUP_TIMEOUT by
+Martin Blumenstingl <martin.blumenstingl@googlemail.com>:
+https://patch.msgid.link/20260105125625.239497-1-martin.blumenstingl@googlemail.com]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Linnaea Lavia <linnaea-von-lavia@live.com>
+Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on BananaPi M2S
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251103221930.1831376-1-helgaas@kernel.org
+Link: https://patch.msgid.link/20260105125625.239497-1-martin.blumenstingl@googlemail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/pci-meson.c |   37 ++-------------------------------
+ 1 file changed, 3 insertions(+), 34 deletions(-)
+
+--- a/drivers/pci/controller/dwc/pci-meson.c
++++ b/drivers/pci/controller/dwc/pci-meson.c
+@@ -37,7 +37,6 @@
+ #define PCIE_CFG_STATUS17             0x44
+ #define PM_CURRENT_STATE(x)           (((x) >> 7) & 0x1)
+-#define WAIT_LINKUP_TIMEOUT           4000
+ #define PORT_CLK_RATE                 100000000UL
+ #define MAX_PAYLOAD_SIZE              256
+ #define MAX_READ_REQ_SIZE             256
+@@ -350,40 +349,10 @@ static struct pci_ops meson_pci_ops = {
+ static bool meson_pcie_link_up(struct dw_pcie *pci)
+ {
+       struct meson_pcie *mp = to_meson_pcie(pci);
+-      struct device *dev = pci->dev;
+-      u32 speed_okay = 0;
+-      u32 cnt = 0;
+-      u32 state12, state17, smlh_up, ltssm_up, rdlh_up;
+-
+-      do {
+-              state12 = meson_cfg_readl(mp, PCIE_CFG_STATUS12);
+-              state17 = meson_cfg_readl(mp, PCIE_CFG_STATUS17);
+-              smlh_up = IS_SMLH_LINK_UP(state12);
+-              rdlh_up = IS_RDLH_LINK_UP(state12);
+-              ltssm_up = IS_LTSSM_UP(state12);
+-
+-              if (PM_CURRENT_STATE(state17) < PCIE_GEN3)
+-                      speed_okay = 1;
+-
+-              if (smlh_up)
+-                      dev_dbg(dev, "smlh_link_up is on\n");
+-              if (rdlh_up)
+-                      dev_dbg(dev, "rdlh_link_up is on\n");
+-              if (ltssm_up)
+-                      dev_dbg(dev, "ltssm_up is on\n");
+-              if (speed_okay)
+-                      dev_dbg(dev, "speed_okay\n");
+-
+-              if (smlh_up && rdlh_up && ltssm_up && speed_okay)
+-                      return true;
++      u32 state12;
+-              cnt++;
+-
+-              udelay(10);
+-      } while (cnt < WAIT_LINKUP_TIMEOUT);
+-
+-      dev_err(dev, "error: wait linkup timeout\n");
+-      return false;
++      state12 = meson_cfg_readl(mp, PCIE_CFG_STATUS12);
++      return IS_SMLH_LINK_UP(state12) && IS_RDLH_LINK_UP(state12);
+ }
+ static int meson_pcie_host_init(struct dw_pcie_rp *pp)
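Review bot: The rewritten `meson_pcie_link_up()` gives no in-code reason why the LTSSM state is no longer consulted; the explanation lives only in the commit message. A one-line comment above the return, such as `/* L0s and L1 still count as link up: test only the SMLH/RDLH bits, not the LTSSM state */`, would keep a later change from re-adding the check. The context lines of the first hunk keep `PCIE_CFG_STATUS17` and `PM_CURRENT_STATE()`, whose only visible users were in the removed loop. If nothing else in the file uses them (not visible from these hunks), they can be dropped the same way `WAIT_LINKUP_TIMEOUT` was, and the same may apply to `IS_LTSSM_UP()`, which is defined outside the hunks.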
diff --git a/queue-6.18/pinctrl-qcom-lpass-lpi-mark-the-gpio-controller-as-sleeping.patch b/queue-6.18/pinctrl-qcom-lpass-lpi-mark-the-gpio-controller-as-sleeping.patch
new file mode 100644 (file)
index 0000000..3220915
--- /dev/null
@@ -0,0 +1,87 @@
+From ebc18e9854e5a2b62a041fb57b216a903af45b85 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Wed, 26 Nov 2025 13:22:19 +0100
+Subject: pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit ebc18e9854e5a2b62a041fb57b216a903af45b85 upstream.
+
+The gpio_chip settings in this driver say the controller can't sleep
+but it actually uses a mutex for synchronization. This triggers the
+following BUG():
+
+[    9.233659] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:281
+[    9.233665] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 554, name: (udev-worker)
+[    9.233669] preempt_count: 1, expected: 0
+[    9.233673] RCU nest depth: 0, expected: 0
+[    9.233688] Tainted: [W]=WARN
+[    9.233690] Hardware name: Dell Inc. Latitude 7455/0FK7MX, BIOS 2.10.1 05/20/2025
+[    9.233694] Call trace:
+[    9.233696]  show_stack+0x24/0x38 (C)
+[    9.233709]  dump_stack_lvl+0x40/0x88
+[    9.233716]  dump_stack+0x18/0x24
+[    9.233722]  __might_resched+0x148/0x160
+[    9.233731]  __might_sleep+0x38/0x98
+[    9.233736]  mutex_lock+0x30/0xd8
+[    9.233749]  lpi_config_set+0x2e8/0x3c8 [pinctrl_lpass_lpi]
+[    9.233757]  lpi_gpio_direction_output+0x58/0x90 [pinctrl_lpass_lpi]
+[    9.233761]  gpiod_direction_output_raw_commit+0x110/0x428
+[    9.233772]  gpiod_direction_output_nonotify+0x234/0x358
+[    9.233779]  gpiod_direction_output+0x38/0xd0
+[    9.233786]  gpio_shared_proxy_direction_output+0xb8/0x2a8 [gpio_shared_proxy]
+[    9.233792]  gpiod_direction_output_raw_commit+0x110/0x428
+[    9.233799]  gpiod_direction_output_nonotify+0x234/0x358
+[    9.233806]  gpiod_configure_flags+0x2c0/0x580
+[    9.233812]  gpiod_find_and_request+0x358/0x4f8
+[    9.233819]  gpiod_get_index+0x7c/0x98
+[    9.233826]  devm_gpiod_get+0x34/0xb0
+[    9.233829]  reset_gpio_probe+0x58/0x128 [reset_gpio]
+[    9.233836]  auxiliary_bus_probe+0xb0/0xf0
+[    9.233845]  really_probe+0x14c/0x450
+[    9.233853]  __driver_probe_device+0xb0/0x188
+[    9.233858]  driver_probe_device+0x4c/0x250
+[    9.233863]  __driver_attach+0xf8/0x2a0
+[    9.233868]  bus_for_each_dev+0xf8/0x158
+[    9.233872]  driver_attach+0x30/0x48
+[    9.233876]  bus_add_driver+0x158/0x2b8
+[    9.233880]  driver_register+0x74/0x118
+[    9.233886]  __auxiliary_driver_register+0x94/0xe8
+[    9.233893]  init_module+0x34/0xfd0 [reset_gpio]
+[    9.233898]  do_one_initcall+0xec/0x300
+[    9.233903]  do_init_module+0x64/0x260
+[    9.233910]  load_module+0x16c4/0x1900
+[    9.233915]  __arm64_sys_finit_module+0x24c/0x378
+[    9.233919]  invoke_syscall+0x4c/0xe8
+[    9.233925]  el0_svc_common+0x8c/0xf0
+[    9.233929]  do_el0_svc+0x28/0x40
+[    9.233934]  el0_svc+0x38/0x100
+[    9.233938]  el0t_64_sync_handler+0x84/0x130
+[    9.233943]  el0t_64_sync+0x17c/0x180
+
+Mark the controller as sleeping.
+
+Fixes: 6e261d1090d6 ("pinctrl: qcom: Add sm8250 lpass lpi pinctrl driver")
+Cc: stable@vger.kernel.org
+Reported-by: Val Packett <val@packett.cool>
+Closes: https://lore.kernel.org/all/98c0f185-b0e0-49ea-896c-f3972dd011ca@packett.cool/
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Linus Walleij <linusw@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/qcom/pinctrl-lpass-lpi.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/qcom/pinctrl-lpass-lpi.c
++++ b/drivers/pinctrl/qcom/pinctrl-lpass-lpi.c
+@@ -498,7 +498,7 @@ int lpi_pinctrl_probe(struct platform_de
+       pctrl->chip.base = -1;
+       pctrl->chip.ngpio = data->npins;
+       pctrl->chip.label = dev_name(dev);
+-      pctrl->chip.can_sleep = false;
++      pctrl->chip.can_sleep = true;
+       mutex_init(&pctrl->lock);
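Review bot: The new `pctrl->chip.can_sleep = true;` sits one line above `mutex_init(&pctrl->lock);`, but nothing in the code ties the flag to the lock. A comment such as `/* pin config paths take pctrl->lock (a mutex), so accessors may sleep */` would record the dependency that the trace in the commit message shows (`lpi_config_set()` calling `mutex_lock()`). With the flag set, consumers that drive these lines from atomic context through the non-`_cansleep` GPIO accessors are expected to trigger a warning, so in-tree users are worth checking when this is backported; none are visible in this hunk. `lpi_pinctrl_probe()` starts and ends outside the hunk.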
diff --git a/queue-6.18/pm-hibernate-fix-crash-when-freeing-invalid-crypto-compressor.patch b/queue-6.18/pm-hibernate-fix-crash-when-freeing-invalid-crypto-compressor.patch
new file mode 100644 (file)
index 0000000..0d8d99f
--- /dev/null
@@ -0,0 +1,63 @@
+From 7966cf0ebe32c981bfa3db252cb5fc3bb1bf2e77 Mon Sep 17 00:00:00 2001
+From: Malaya Kumar Rout <mrout@redhat.com>
+Date: Tue, 30 Dec 2025 17:26:13 +0530
+Subject: PM: hibernate: Fix crash when freeing invalid crypto compressor
+
+From: Malaya Kumar Rout <mrout@redhat.com>
+
+commit 7966cf0ebe32c981bfa3db252cb5fc3bb1bf2e77 upstream.
+
+When crypto_alloc_acomp() fails, it returns an ERR_PTR value, not NULL.
+
+The cleanup code in save_compressed_image() and load_compressed_image()
+unconditionally calls crypto_free_acomp() without checking for ERR_PTR,
+which causes crypto_acomp_tfm() to dereference an invalid pointer and
+crash the kernel.
+
+This can be triggered when the compression algorithm is unavailable
+(e.g., CONFIG_CRYPTO_LZO not enabled).
+
+Fix by adding IS_ERR_OR_NULL() checks before calling crypto_free_acomp()
+and acomp_request_free(), similar to the existing kthread_stop() check.
+
+Fixes: b03d542c3c95 ("PM: hibernate: Use crypto_acomp interface")
+Signed-off-by: Malaya Kumar Rout <mrout@redhat.com>
+Cc: 6.15+ <stable@vger.kernel.org> # 6.15+
+[ rjw: Added 2 empty code lines ]
+Link: https://patch.msgid.link/20251230115613.64080-1-mrout@redhat.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/power/swap.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/kernel/power/swap.c
++++ b/kernel/power/swap.c
+@@ -897,8 +897,11 @@ out_clean:
+               for (thr = 0; thr < nr_threads; thr++) {
+                       if (data[thr].thr)
+                               kthread_stop(data[thr].thr);
+-                      acomp_request_free(data[thr].cr);
+-                      crypto_free_acomp(data[thr].cc);
++                      if (data[thr].cr)
++                              acomp_request_free(data[thr].cr);
++
++                      if (!IS_ERR_OR_NULL(data[thr].cc))
++                              crypto_free_acomp(data[thr].cc);
+               }
+               vfree(data);
+       }
+@@ -1519,8 +1522,11 @@ out_clean:
+               for (thr = 0; thr < nr_threads; thr++) {
+                       if (data[thr].thr)
+                               kthread_stop(data[thr].thr);
+-                      acomp_request_free(data[thr].cr);
+-                      crypto_free_acomp(data[thr].cc);
++                      if (data[thr].cr)
++                              acomp_request_free(data[thr].cr);
++
++                      if (!IS_ERR_OR_NULL(data[thr].cc))
++                              crypto_free_acomp(data[thr].cc);
+               }
+               vfree(data);
+       }
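Review bot: In the `out_clean` loop at -897 the guard on `data[thr].cr` is a plain NULL test while the guard on `data[thr].cc` is `!IS_ERR_OR_NULL()`, and nothing at the site says why the two differ. The commit message describes IS_ERR_OR_NULL() checks for both calls, so the code and its description do not quite match. A short comment, for example `/* cc holds an ERR_PTR if crypto_alloc_acomp() failed; cr is NULL or valid */`, would make the asymmetry deliberate. The allocation sites are outside the hunk, so whether `cr` can ever hold an error pointer cannot be confirmed from here. The same applies to the identical loop in the second hunk at -1519.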
diff --git a/queue-6.18/revert-drm-atomic-helper-re-order-bridge-chain-pre-enable-and-post-disable.patch b/queue-6.18/revert-drm-atomic-helper-re-order-bridge-chain-pre-enable-and-post-disable.patch
new file mode 100644 (file)
index 0000000..7d860b6
--- /dev/null
@@ -0,0 +1,400 @@
+From c1ef9a6cabb34dbc09e31417b0c0a672fe0de13a Mon Sep 17 00:00:00 2001
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Date: Fri, 5 Dec 2025 11:51:48 +0200
+Subject: Revert "drm/atomic-helper: Re-order bridge chain pre-enable and post-disable"
+
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+
+commit c1ef9a6cabb34dbc09e31417b0c0a672fe0de13a upstream.
+
+This reverts commit c9b1150a68d9362a0827609fc0dc1664c0d8bfe1.
+
+Changing the enable/disable sequence has caused regressions on multiple
+platforms: R-Car, MCDE, Rockchip. A series (see link below)  was sent to
+fix these, but it was decided that it's better to revert the original
+patch and change the enable/disable sequence only in the tidss driver.
+
+Reverting this commit breaks tidss's DSI and OLDI outputs, which will be
+fixed in the following commits.
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Link: https://lore.kernel.org/all/20251202-mcde-drm-regression-thirdfix-v6-0-f1bffd4ec0fa%40kernel.org/
+Fixes: c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable and post-disable")
+Cc: stable@vger.kernel.org # v6.17+
+Reviewed-by: Aradhya Bhatia <aradhya.bhatia@linux.dev>
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Reviewed-by: Linus Walleij <linusw@kernel.org>
+Tested-by: Linus Walleij <linusw@kernel.org>
+Signed-off-by: Linus Walleij <linusw@kernel.org>
+Link: https://patch.msgid.link/20251205-drm-seq-fix-v1-1-fda68fa1b3de@ideasonboard.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_atomic_helper.c |   8 +-
+ include/drm/drm_bridge.h            | 249 ++++++++--------------------
+ 2 files changed, 70 insertions(+), 187 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
+index 10adac9397cf..ef97f37560b2 100644
+--- a/drivers/gpu/drm/drm_atomic_helper.c
++++ b/drivers/gpu/drm/drm_atomic_helper.c
+@@ -1341,9 +1341,9 @@ disable_outputs(struct drm_device *dev, struct drm_atomic_state *state)
+ {
+       encoder_bridge_disable(dev, state);
+-      crtc_disable(dev, state);
+-
+       encoder_bridge_post_disable(dev, state);
++
++      crtc_disable(dev, state);
+ }
+ /**
+@@ -1682,10 +1682,10 @@ encoder_bridge_enable(struct drm_device *dev, struct drm_atomic_state *state)
+ void drm_atomic_helper_commit_modeset_enables(struct drm_device *dev,
+                                             struct drm_atomic_state *state)
+ {
+-      encoder_bridge_pre_enable(dev, state);
+-
+       crtc_enable(dev, state);
++      encoder_bridge_pre_enable(dev, state);
++
+       encoder_bridge_enable(dev, state);
+       drm_atomic_helper_commit_writebacks(dev, state);
+diff --git a/include/drm/drm_bridge.h b/include/drm/drm_bridge.h
+index 0ff7ab4aa868..dbafe136833f 100644
+--- a/include/drm/drm_bridge.h
++++ b/include/drm/drm_bridge.h
+@@ -176,33 +176,17 @@ struct drm_bridge_funcs {
+       /**
+        * @disable:
+        *
+-       * The @disable callback should disable the bridge.
++       * This callback should disable the bridge. It is called right before
++       * the preceding element in the display pipe is disabled. If the
++       * preceding element is a bridge this means it's called before that
++       * bridge's @disable vfunc. If the preceding element is a &drm_encoder
++       * it's called right before the &drm_encoder_helper_funcs.disable,
++       * &drm_encoder_helper_funcs.prepare or &drm_encoder_helper_funcs.dpms
++       * hook.
+        *
+        * The bridge can assume that the display pipe (i.e. clocks and timing
+        * signals) feeding it is still running when this callback is called.
+        *
+-       *
+-       * If the preceding element is a &drm_bridge, then this is called before
+-       * that bridge is disabled via one of:
+-       *
+-       * - &drm_bridge_funcs.disable
+-       * - &drm_bridge_funcs.atomic_disable
+-       *
+-       * If the preceding element of the bridge is a display controller, then
+-       * this callback is called before the encoder is disabled via one of:
+-       *
+-       * - &drm_encoder_helper_funcs.atomic_disable
+-       * - &drm_encoder_helper_funcs.prepare
+-       * - &drm_encoder_helper_funcs.disable
+-       * - &drm_encoder_helper_funcs.dpms
+-       *
+-       * and the CRTC is disabled via one of:
+-       *
+-       * - &drm_crtc_helper_funcs.prepare
+-       * - &drm_crtc_helper_funcs.atomic_disable
+-       * - &drm_crtc_helper_funcs.disable
+-       * - &drm_crtc_helper_funcs.dpms.
+-       *
+        * The @disable callback is optional.
+        *
+        * NOTE:
+@@ -215,34 +199,17 @@ struct drm_bridge_funcs {
+       /**
+        * @post_disable:
+        *
++       * This callback should disable the bridge. It is called right after the
++       * preceding element in the display pipe is disabled. If the preceding
++       * element is a bridge this means it's called after that bridge's
++       * @post_disable function. If the preceding element is a &drm_encoder
++       * it's called right after the encoder's
++       * &drm_encoder_helper_funcs.disable, &drm_encoder_helper_funcs.prepare
++       * or &drm_encoder_helper_funcs.dpms hook.
++       *
+        * The bridge must assume that the display pipe (i.e. clocks and timing
+-       * signals) feeding this bridge is no longer running when the
+-       * @post_disable is called.
+-       *
+-       * This callback should perform all the actions required by the hardware
+-       * after it has stopped receiving signals from the preceding element.
+-       *
+-       * If the preceding element is a &drm_bridge, then this is called after
+-       * that bridge is post-disabled (unless marked otherwise by the
+-       * @pre_enable_prev_first flag) via one of:
+-       *
+-       * - &drm_bridge_funcs.post_disable
+-       * - &drm_bridge_funcs.atomic_post_disable
+-       *
+-       * If the preceding element of the bridge is a display controller, then
+-       * this callback is called after the encoder is disabled via one of:
+-       *
+-       * - &drm_encoder_helper_funcs.atomic_disable
+-       * - &drm_encoder_helper_funcs.prepare
+-       * - &drm_encoder_helper_funcs.disable
+-       * - &drm_encoder_helper_funcs.dpms
+-       *
+-       * and the CRTC is disabled via one of:
+-       *
+-       * - &drm_crtc_helper_funcs.prepare
+-       * - &drm_crtc_helper_funcs.atomic_disable
+-       * - &drm_crtc_helper_funcs.disable
+-       * - &drm_crtc_helper_funcs.dpms
++       * signals) feeding it is no longer running when this callback is
++       * called.
+        *
+        * The @post_disable callback is optional.
+        *
+@@ -285,30 +252,18 @@ struct drm_bridge_funcs {
+       /**
+        * @pre_enable:
+        *
++       * This callback should enable the bridge. It is called right before
++       * the preceding element in the display pipe is enabled. If the
++       * preceding element is a bridge this means it's called before that
++       * bridge's @pre_enable function. If the preceding element is a
++       * &drm_encoder it's called right before the encoder's
++       * &drm_encoder_helper_funcs.enable, &drm_encoder_helper_funcs.commit or
++       * &drm_encoder_helper_funcs.dpms hook.
++       *
+        * The display pipe (i.e. clocks and timing signals) feeding this bridge
+-       * will not yet be running when the @pre_enable is called.
+-       *
+-       * This callback should perform all the necessary actions to prepare the
+-       * bridge to accept signals from the preceding element.
+-       *
+-       * If the preceding element is a &drm_bridge, then this is called before
+-       * that bridge is pre-enabled (unless marked otherwise by
+-       * @pre_enable_prev_first flag) via one of:
+-       *
+-       * - &drm_bridge_funcs.pre_enable
+-       * - &drm_bridge_funcs.atomic_pre_enable
+-       *
+-       * If the preceding element of the bridge is a display controller, then
+-       * this callback is called before the CRTC is enabled via one of:
+-       *
+-       * - &drm_crtc_helper_funcs.atomic_enable
+-       * - &drm_crtc_helper_funcs.commit
+-       *
+-       * and the encoder is enabled via one of:
+-       *
+-       * - &drm_encoder_helper_funcs.atomic_enable
+-       * - &drm_encoder_helper_funcs.enable
+-       * - &drm_encoder_helper_funcs.commit
++       * will not yet be running when this callback is called. The bridge must
++       * not enable the display link feeding the next bridge in the chain (if
++       * there is one) when this callback is called.
+        *
+        * The @pre_enable callback is optional.
+        *
+@@ -322,31 +277,19 @@ struct drm_bridge_funcs {
+       /**
+        * @enable:
+        *
+-       * The @enable callback should enable the bridge.
++       * This callback should enable the bridge. It is called right after
++       * the preceding element in the display pipe is enabled. If the
++       * preceding element is a bridge this means it's called after that
++       * bridge's @enable function. If the preceding element is a
++       * &drm_encoder it's called right after the encoder's
++       * &drm_encoder_helper_funcs.enable, &drm_encoder_helper_funcs.commit or
++       * &drm_encoder_helper_funcs.dpms hook.
+        *
+        * The bridge can assume that the display pipe (i.e. clocks and timing
+        * signals) feeding it is running when this callback is called. This
+        * callback must enable the display link feeding the next bridge in the
+        * chain if there is one.
+        *
+-       * If the preceding element is a &drm_bridge, then this is called after
+-       * that bridge is enabled via one of:
+-       *
+-       * - &drm_bridge_funcs.enable
+-       * - &drm_bridge_funcs.atomic_enable
+-       *
+-       * If the preceding element of the bridge is a display controller, then
+-       * this callback is called after the CRTC is enabled via one of:
+-       *
+-       * - &drm_crtc_helper_funcs.atomic_enable
+-       * - &drm_crtc_helper_funcs.commit
+-       *
+-       * and the encoder is enabled via one of:
+-       *
+-       * - &drm_encoder_helper_funcs.atomic_enable
+-       * - &drm_encoder_helper_funcs.enable
+-       * - drm_encoder_helper_funcs.commit
+-       *
+        * The @enable callback is optional.
+        *
+        * NOTE:
+@@ -359,30 +302,17 @@ struct drm_bridge_funcs {
+       /**
+        * @atomic_pre_enable:
+        *
++       * This callback should enable the bridge. It is called right before
++       * the preceding element in the display pipe is enabled. If the
++       * preceding element is a bridge this means it's called before that
++       * bridge's @atomic_pre_enable or @pre_enable function. If the preceding
++       * element is a &drm_encoder it's called right before the encoder's
++       * &drm_encoder_helper_funcs.atomic_enable hook.
++       *
+        * The display pipe (i.e. clocks and timing signals) feeding this bridge
+-       * will not yet be running when the @atomic_pre_enable is called.
+-       *
+-       * This callback should perform all the necessary actions to prepare the
+-       * bridge to accept signals from the preceding element.
+-       *
+-       * If the preceding element is a &drm_bridge, then this is called before
+-       * that bridge is pre-enabled (unless marked otherwise by
+-       * @pre_enable_prev_first flag) via one of:
+-       *
+-       * - &drm_bridge_funcs.pre_enable
+-       * - &drm_bridge_funcs.atomic_pre_enable
+-       *
+-       * If the preceding element of the bridge is a display controller, then
+-       * this callback is called before the CRTC is enabled via one of:
+-       *
+-       * - &drm_crtc_helper_funcs.atomic_enable
+-       * - &drm_crtc_helper_funcs.commit
+-       *
+-       * and the encoder is enabled via one of:
+-       *
+-       * - &drm_encoder_helper_funcs.atomic_enable
+-       * - &drm_encoder_helper_funcs.enable
+-       * - &drm_encoder_helper_funcs.commit
++       * will not yet be running when this callback is called. The bridge must
++       * not enable the display link feeding the next bridge in the chain (if
++       * there is one) when this callback is called.
+        *
+        * The @atomic_pre_enable callback is optional.
+        */
+@@ -392,31 +322,18 @@ struct drm_bridge_funcs {
+       /**
+        * @atomic_enable:
+        *
+-       * The @atomic_enable callback should enable the bridge.
++       * This callback should enable the bridge. It is called right after
++       * the preceding element in the display pipe is enabled. If the
++       * preceding element is a bridge this means it's called after that
++       * bridge's @atomic_enable or @enable function. If the preceding element
++       * is a &drm_encoder it's called right after the encoder's
++       * &drm_encoder_helper_funcs.atomic_enable hook.
+        *
+        * The bridge can assume that the display pipe (i.e. clocks and timing
+        * signals) feeding it is running when this callback is called. This
+        * callback must enable the display link feeding the next bridge in the
+        * chain if there is one.
+        *
+-       * If the preceding element is a &drm_bridge, then this is called after
+-       * that bridge is enabled via one of:
+-       *
+-       * - &drm_bridge_funcs.enable
+-       * - &drm_bridge_funcs.atomic_enable
+-       *
+-       * If the preceding element of the bridge is a display controller, then
+-       * this callback is called after the CRTC is enabled via one of:
+-       *
+-       * - &drm_crtc_helper_funcs.atomic_enable
+-       * - &drm_crtc_helper_funcs.commit
+-       *
+-       * and the encoder is enabled via one of:
+-       *
+-       * - &drm_encoder_helper_funcs.atomic_enable
+-       * - &drm_encoder_helper_funcs.enable
+-       * - drm_encoder_helper_funcs.commit
+-       *
+        * The @atomic_enable callback is optional.
+        */
+       void (*atomic_enable)(struct drm_bridge *bridge,
+@@ -424,32 +341,16 @@ struct drm_bridge_funcs {
+       /**
+        * @atomic_disable:
+        *
+-       * The @atomic_disable callback should disable the bridge.
++       * This callback should disable the bridge. It is called right before
++       * the preceding element in the display pipe is disabled. If the
++       * preceding element is a bridge this means it's called before that
++       * bridge's @atomic_disable or @disable vfunc. If the preceding element
++       * is a &drm_encoder it's called right before the
++       * &drm_encoder_helper_funcs.atomic_disable hook.
+        *
+        * The bridge can assume that the display pipe (i.e. clocks and timing
+        * signals) feeding it is still running when this callback is called.
+        *
+-       * If the preceding element is a &drm_bridge, then this is called before
+-       * that bridge is disabled via one of:
+-       *
+-       * - &drm_bridge_funcs.disable
+-       * - &drm_bridge_funcs.atomic_disable
+-       *
+-       * If the preceding element of the bridge is a display controller, then
+-       * this callback is called before the encoder is disabled via one of:
+-       *
+-       * - &drm_encoder_helper_funcs.atomic_disable
+-       * - &drm_encoder_helper_funcs.prepare
+-       * - &drm_encoder_helper_funcs.disable
+-       * - &drm_encoder_helper_funcs.dpms
+-       *
+-       * and the CRTC is disabled via one of:
+-       *
+-       * - &drm_crtc_helper_funcs.prepare
+-       * - &drm_crtc_helper_funcs.atomic_disable
+-       * - &drm_crtc_helper_funcs.disable
+-       * - &drm_crtc_helper_funcs.dpms.
+-       *
+        * The @atomic_disable callback is optional.
+        */
+       void (*atomic_disable)(struct drm_bridge *bridge,
+@@ -458,34 +359,16 @@ struct drm_bridge_funcs {
+       /**
+        * @atomic_post_disable:
+        *
++       * This callback should disable the bridge. It is called right after the
++       * preceding element in the display pipe is disabled. If the preceding
++       * element is a bridge this means it's called after that bridge's
++       * @atomic_post_disable or @post_disable function. If the preceding
++       * element is a &drm_encoder it's called right after the encoder's
++       * &drm_encoder_helper_funcs.atomic_disable hook.
++       *
+        * The bridge must assume that the display pipe (i.e. clocks and timing
+-       * signals) feeding this bridge is no longer running when the
+-       * @atomic_post_disable is called.
+-       *
+-       * This callback should perform all the actions required by the hardware
+-       * after it has stopped receiving signals from the preceding element.
+-       *
+-       * If the preceding element is a &drm_bridge, then this is called after
+-       * that bridge is post-disabled (unless marked otherwise by the
+-       * @pre_enable_prev_first flag) via one of:
+-       *
+-       * - &drm_bridge_funcs.post_disable
+-       * - &drm_bridge_funcs.atomic_post_disable
+-       *
+-       * If the preceding element of the bridge is a display controller, then
+-       * this callback is called after the encoder is disabled via one of:
+-       *
+-       * - &drm_encoder_helper_funcs.atomic_disable
+-       * - &drm_encoder_helper_funcs.prepare
+-       * - &drm_encoder_helper_funcs.disable
+-       * - &drm_encoder_helper_funcs.dpms
+-       *
+-       * and the CRTC is disabled via one of:
+-       *
+-       * - &drm_crtc_helper_funcs.prepare
+-       * - &drm_crtc_helper_funcs.atomic_disable
+-       * - &drm_crtc_helper_funcs.disable
+-       * - &drm_crtc_helper_funcs.dpms
++       * signals) feeding it is no longer running when this callback is
++       * called.
+        *
+        * The @atomic_post_disable callback is optional.
+        */
+-- 
+2.52.0
+
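Review bot: The kerneldoc restored for `@pre_enable`, `@post_disable`, `@atomic_pre_enable` and `@atomic_post_disable` in include/drm/drm_bridge.h states the call order relative to the preceding bridge unconditionally. The removed text carried the caveat "unless marked otherwise by the @pre_enable_prev_first flag". If that flag still exists in `struct drm_bridge` after the revert (its definition is outside these hunks), the restored paragraphs describe an ordering that the flag can invert. Appending a clause such as `(unless the next bridge sets @pre_enable_prev_first)` to the ordering sentence in each of the four comments would keep the documentation accurate. The functional reordering in drivers/gpu/drm/drm_atomic_helper.c is a straight revert and needs no comment here.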
diff --git a/queue-6.18/revert-drm-mediatek-dsi-fix-dsi-host-and-panel-bridge-pre-enable-order.patch b/queue-6.18/revert-drm-mediatek-dsi-fix-dsi-host-and-panel-bridge-pre-enable-order.patch
new file mode 100644 (file)
index 0000000..013d1c4
--- /dev/null
@@ -0,0 +1,43 @@
+From 33e8150bd32d7dc25c977bb455f1f5d54bfd5241 Mon Sep 17 00:00:00 2001
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Date: Fri, 5 Dec 2025 11:51:49 +0200
+Subject: Revert "drm/mediatek: dsi: Fix DSI host and panel bridge pre-enable order"
+
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+
+commit 33e8150bd32d7dc25c977bb455f1f5d54bfd5241 upstream.
+
+This reverts commit f5b1819193667bf62c3c99d3921b9429997a14b2.
+
+As the original commit (c9b1150a68d9 ("drm/atomic-helper: Re-order
+bridge chain pre-enable and post-disable")) causing the issue has been
+reverted, let's revert the fix for mediatek.
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Cc: stable@vger.kernel.org # v6.17+
+Fixes: c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable and post-disable")
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Reviewed-by: Linus Walleij <linusw@kernel.org>
+Tested-by: Linus Walleij <linusw@kernel.org>
+Signed-off-by: Linus Walleij <linusw@kernel.org>
+Link: https://patch.msgid.link/20251205-drm-seq-fix-v1-2-fda68fa1b3de@ideasonboard.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/mediatek/mtk_dsi.c |    6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/gpu/drm/mediatek/mtk_dsi.c
++++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
+@@ -1002,12 +1002,6 @@ static int mtk_dsi_host_attach(struct mi
+                       return PTR_ERR(dsi->next_bridge);
+       }
+-      /*
+-       * set flag to request the DSI host bridge be pre-enabled before device bridge
+-       * in the chain, so the DSI host is ready when the device bridge is pre-enabled
+-       */
+-      dsi->next_bridge->pre_enable_prev_first = true;
+-
+       drm_bridge_add(&dsi->bridge);
+       ret = component_add(host->dev, &mtk_dsi_component_ops);
diff --git a/queue-6.18/riscv-boot-always-make-image-from-vmlinux-not-vmlinux.unstripped.patch b/queue-6.18/riscv-boot-always-make-image-from-vmlinux-not-vmlinux.unstripped.patch
new file mode 100644 (file)
index 0000000..f056647
--- /dev/null
@@ -0,0 +1,60 @@
+From 66562b66dcbc8f93c1e28632299f449bb2f5c47d Mon Sep 17 00:00:00 2001
+From: Vivian Wang <wangruikang@iscas.ac.cn>
+Date: Tue, 30 Dec 2025 21:39:17 +0800
+Subject: riscv: boot: Always make Image from vmlinux, not vmlinux.unstripped
+
+From: Vivian Wang <wangruikang@iscas.ac.cn>
+
+commit 66562b66dcbc8f93c1e28632299f449bb2f5c47d upstream.
+
+Since commit 4b47a3aefb29 ("kbuild: Restore pattern to avoid stripping
+.rela.dyn from vmlinux") vmlinux has .rel*.dyn preserved. Therefore, use
+vmlinux to produce Image, not vmlinux.unstripped.
+
+Doing so fixes booting a RELOCATABLE=y Image with kexec. The problem is
+caused by this chain of events:
+
+- Since commit 3e86e4d74c04 ("kbuild: keep .modinfo section in
+  vmlinux.unstripped"), vmlinux.unstripped gets a .modinfo section.
+- The .modinfo section has SHF_ALLOC, so it ends up in Image, at the end
+  of it.
+- The Image header's image_size field does not expect to include
+  .modinfo and does not account for it, since it should not be in Image.
+- If .modinfo is large enough, the file size of Image ends up larger
+  than image_size, which eventually leads to it failing
+  sanity_check_segment_list().
+
+Using vmlinux instead of vmlinux.unstripped means that the unexpected
+.modinfo section is gone from Image, fixing the file size problem.
+
+Cc: stable@vger.kernel.org
+Fixes: 3e86e4d74c04 ("kbuild: keep .modinfo section in vmlinux.unstripped")
+Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Tested-by: Han Gao <gaohan@iscas.ac.cn>
+Link: https://patch.msgid.link/20251230-riscv-vmlinux-not-unstripped-v1-1-15f49df880df@iscas.ac.cn
+Signed-off-by: Paul Walmsley <pjw@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/boot/Makefile | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/arch/riscv/boot/Makefile b/arch/riscv/boot/Makefile
+index bfc3d0b75b9b..5301adf5f3f5 100644
+--- a/arch/riscv/boot/Makefile
++++ b/arch/riscv/boot/Makefile
+@@ -31,11 +31,7 @@ $(obj)/xipImage: vmlinux FORCE
+ endif
+-ifdef CONFIG_RELOCATABLE
+-$(obj)/Image: vmlinux.unstripped FORCE
+-else
+ $(obj)/Image: vmlinux FORCE
+-endif
+       $(call if_changed,objcopy)
+ $(obj)/Image.gz: $(obj)/Image FORCE
+-- 
+2.52.0
+
diff --git a/queue-6.18/rust_binder-remove-spin_lock-in-rust_shrink_free_page.patch b/queue-6.18/rust_binder-remove-spin_lock-in-rust_shrink_free_page.patch
new file mode 100644 (file)
index 0000000..3472168
--- /dev/null
@@ -0,0 +1,69 @@
+From 361e0ff456a8daf9753c18030533256e4133ce7a Mon Sep 17 00:00:00 2001
+From: Alice Ryhl <aliceryhl@google.com>
+Date: Tue, 2 Dec 2025 11:24:24 +0000
+Subject: rust_binder: remove spin_lock() in rust_shrink_free_page()
+
+From: Alice Ryhl <aliceryhl@google.com>
+
+commit 361e0ff456a8daf9753c18030533256e4133ce7a upstream.
+
+When forward-porting Rust Binder to 6.18, I neglected to take commit
+fb56fdf8b9a2 ("mm/list_lru: split the lock to per-cgroup scope") into
+account, and apparently I did not end up running the shrinker callback
+when I sanity tested the driver before submission. This leads to crashes
+like the following:
+
+       ============================================
+       WARNING: possible recursive locking detected
+       6.18.0-mainline-maybe-dirty #1 Tainted: G          IO
+       --------------------------------------------
+       kswapd0/68 is trying to acquire lock:
+       ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: lock_list_lru_of_memcg+0x128/0x230
+
+       but task is already holding lock:
+       ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20
+
+       other info that might help us debug this:
+        Possible unsafe locking scenario:
+
+              CPU0
+              ----
+         lock(&l->lock);
+         lock(&l->lock);
+
+        *** DEADLOCK ***
+
+        May be due to missing lock nesting notation
+
+       3 locks held by kswapd0/68:
+        #0: ffffffff90d2e260 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x597/0x1160
+        #1: ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20
+        #2: ffffffff90cf3680 (rcu_read_lock){....}-{1:2}, at: lock_list_lru_of_memcg+0x2d/0x230
+
+To fix this, remove the spin_lock() call from rust_shrink_free_page().
+
+Cc: stable <stable@kernel.org>
+Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
+Signed-off-by: Alice Ryhl <aliceryhl@google.com>
+Link: https://patch.msgid.link/20251202-binder-shrink-unspin-v1-1-263efb9ad625@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder/page_range.rs | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/android/binder/page_range.rs b/drivers/android/binder/page_range.rs
+index 9379038f61f5..fdd97112ef5c 100644
+--- a/drivers/android/binder/page_range.rs
++++ b/drivers/android/binder/page_range.rs
+@@ -727,8 +727,5 @@ fn drop(self: Pin<&mut Self>) {
+     drop(mm);
+     drop(page);
+-    // SAFETY: We just unlocked the lru lock, but it should be locked when we return.
+-    unsafe { bindings::spin_lock(&raw mut (*lru).lock) };
+-
+     LRU_REMOVED_ENTRY
+ }
+-- 
+2.52.0
+
diff --git a/queue-6.18/series b/queue-6.18/series
new file mode 100644 (file)
index 0000000..ccb492a
--- /dev/null
@@ -0,0 +1,44 @@
+nfsd-fix-permission-check-for-read-access-to-executable-only-files.patch
+nfsd-provide-locking-for-v4_end_grace.patch
+nfsd-use-correct-loop-termination-in-nfsd4_revoke_states.patch
+nfsd-check-that-server-is-running-in-unlock_filesystem.patch
+nfsd-net-ref-data-still-needs-to-be-freed-even-if-net-hasn-t-startup.patch
+nfsd-remove-nfserr_eagain.patch
+atm-fix-dma_free_coherent-size.patch
+net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch
+net-do-not-write-to-msg_get_inq-in-callee.patch
+arm64-fix-cleared-e0poe-bit-after-cpu_suspend-resume.patch
+bnxt_en-fix-null-pointer-crash-in-bnxt_ptp_enable-during-error-cleanup.patch
+btrfs-always-detect-conflicting-inodes-when-logging-inode-refs.patch
+mei-me-add-nova-lake-point-s-did.patch
+rust_binder-remove-spin_lock-in-rust_shrink_free_page.patch
+lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch
+counter-104-quad-8-fix-incorrect-return-value-in-irq-handler.patch
+counter-interrupt-cnt-drop-irqf_no_thread-flag.patch
+tracing-add-recursion-protection-in-kernel-stack-trace-recording.patch
+riscv-boot-always-make-image-from-vmlinux-not-vmlinux.unstripped.patch
+nouveau-don-t-attempt-fwsec-on-sb-on-newer-platforms.patch
+revert-drm-atomic-helper-re-order-bridge-chain-pre-enable-and-post-disable.patch
+alsa-ac97-fix-a-double-free-in-snd_ac97_controller_register.patch
+alsa-hda-tas2781-properly-initialize-speaker_id-for-tas2563.patch
+arm64-dts-imx95-correct-i3c2-pclk-to-imx95_clk_buswakeup.patch
+drm-amd-display-apply-e4479aecf658-to-dml.patch
+drm-amdgpu-fix-query-for-vpe-block_type-and-ip_count.patch
+drm-atomic-helper-export-and-namespace-some-functions.patch
+drm-pl111-fix-error-handling-in-pl111_amba_probe.patch
+drm-tidss-fix-enable-disable-order.patch
+drm-radeon-remove-__counted_by-from-clockinfoarray.clockinfo.patch
+gpio-rockchip-mark-the-gpio-controller-as-sleeping.patch
+io_uring-io-wq-fix-incorrect-io_wq_for_each_worker-termination-logic.patch
+pci-meson-report-that-link-is-up-while-in-aspm-l0s-and-l1-states.patch
+pinctrl-qcom-lpass-lpi-mark-the-gpio-controller-as-sleeping.patch
+pm-hibernate-fix-crash-when-freeing-invalid-crypto-compressor.patch
+revert-drm-mediatek-dsi-fix-dsi-host-and-panel-bridge-pre-enable-order.patch
+wifi-avoid-kernel-infoleak-from-struct-iw_point.patch
+wifi-mac80211-restore-non-chanctx-injection-behaviour.patch
+libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch
+libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch
+libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch
+libceph-return-the-handler-error-from-mon_handle_auth_done.patch
+libceph-reset-sparse-read-state-in-osd_fault.patch
+libceph-make-calc_target-set-t-paused-not-just-clear-it.patch
diff --git a/queue-6.18/tracing-add-recursion-protection-in-kernel-stack-trace-recording.patch b/queue-6.18/tracing-add-recursion-protection-in-kernel-stack-trace-recording.patch
new file mode 100644 (file)
index 0000000..2a23d99
--- /dev/null
@@ -0,0 +1,90 @@
+From 5f1ef0dfcb5b7f4a91a9b0e0ba533efd9f7e2cdb Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Mon, 5 Jan 2026 20:31:41 -0500
+Subject: tracing: Add recursion protection in kernel stack trace recording
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 5f1ef0dfcb5b7f4a91a9b0e0ba533efd9f7e2cdb upstream.
+
+A bug was reported about an infinite recursion caused by tracing the rcu
+events with the kernel stack trace trigger enabled. The stack trace code
+called back into RCU which then called the stack trace again.
+
+Expand the ftrace recursion protection to add a set of bits to protect
+events from recursion. Each bit represents the context that the event is
+in (normal, softirq, interrupt and NMI).
+
+Have the stack trace code use the interrupt context to protect against
+recursion.
+
+Note, the bug showed an issue in both the RCU code as well as the tracing
+stacktrace code. This only handles the tracing stack trace side of the
+bug. The RCU fix will be handled separately.
+
+Link: https://lore.kernel.org/all/20260102122807.7025fc87@gandalf.local.home/
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Joel Fernandes <joel@joelfernandes.org>
+Cc: "Paul E. McKenney" <paulmck@kernel.org>
+Cc: Boqun Feng <boqun.feng@gmail.com>
+Link: https://patch.msgid.link/20260105203141.515cd49f@gandalf.local.home
+Reported-by: Yao Kai <yaokai34@huawei.com>
+Tested-by: Yao Kai <yaokai34@huawei.com>
+Fixes: 5f5fa7ea89dc ("rcu: Don't use negative nesting depth in __rcu_read_unlock()")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/trace_recursion.h |    9 +++++++++
+ kernel/trace/trace.c            |    6 ++++++
+ 2 files changed, 15 insertions(+)
+
+--- a/include/linux/trace_recursion.h
++++ b/include/linux/trace_recursion.h
+@@ -34,6 +34,13 @@ enum {
+       TRACE_INTERNAL_SIRQ_BIT,
+       TRACE_INTERNAL_TRANSITION_BIT,
++      /* Internal event use recursion bits */
++      TRACE_INTERNAL_EVENT_BIT,
++      TRACE_INTERNAL_EVENT_NMI_BIT,
++      TRACE_INTERNAL_EVENT_IRQ_BIT,
++      TRACE_INTERNAL_EVENT_SIRQ_BIT,
++      TRACE_INTERNAL_EVENT_TRANSITION_BIT,
++
+       TRACE_BRANCH_BIT,
+ /*
+  * Abuse of the trace_recursion.
+@@ -58,6 +65,8 @@ enum {
+ #define TRACE_LIST_START      TRACE_INTERNAL_BIT
++#define TRACE_EVENT_START     TRACE_INTERNAL_EVENT_BIT
++
+ #define TRACE_CONTEXT_MASK    ((1 << (TRACE_LIST_START + TRACE_CONTEXT_BITS)) - 1)
+ /*
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -3003,6 +3003,11 @@ static void __ftrace_trace_stack(struct
+       struct ftrace_stack *fstack;
+       struct stack_entry *entry;
+       int stackidx;
++      int bit;
++
++      bit = trace_test_and_set_recursion(_THIS_IP_, _RET_IP_, TRACE_EVENT_START);
++      if (bit < 0)
++              return;
+       /*
+        * Add one, for this function and the call to save_stack_trace()
+@@ -3071,6 +3076,7 @@ static void __ftrace_trace_stack(struct
+       /* Again, don't let gcc optimize things here */
+       barrier();
+       __this_cpu_dec(ftrace_stack_reserve);
++      trace_clear_recursion(bit);
+ }
+ static inline void ftrace_trace_stack(struct trace_array *tr,
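Review bot: The comment `/* Internal event use recursion bits */` on the five new TRACE_INTERNAL_EVENT_* entries in trace_recursion.h does not record that the group has to stay contiguous and in the same order as the TRACE_INTERNAL_* group above it. trace_test_and_set_recursion() is not visible here, but it presumably picks the bit as the start value plus a per-context index, so an enum entry inserted into the middle of the group later would silently move a context onto the wrong bit. I would extend the comment to something like `/* Event recursion bits: one per context, same count and order as TRACE_INTERNAL_*; indexed from TRACE_EVENT_START */`. In trace.c the body of __ftrace_trace_stack between the two hunks is not shown, so it is worth confirming that every exit taken after the new check reaches `trace_clear_recursion(bit);` and that only the new `if (bit < 0) return;` leaves without clearing.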
diff --git a/queue-6.18/wifi-avoid-kernel-infoleak-from-struct-iw_point.patch b/queue-6.18/wifi-avoid-kernel-infoleak-from-struct-iw_point.patch
new file mode 100644 (file)
index 0000000..23fa1cb
--- /dev/null
@@ -0,0 +1,59 @@
+From 21cbf883d073abbfe09e3924466aa5e0449e7261 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 8 Jan 2026 10:19:27 +0000
+Subject: wifi: avoid kernel-infoleak from struct iw_point
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 21cbf883d073abbfe09e3924466aa5e0449e7261 upstream.
+
+struct iw_point has a 32bit hole on 64bit arches.
+
+struct iw_point {
+  void __user   *pointer;       /* Pointer to the data  (in user space) */
+  __u16         length;         /* number of fields or size in bytes */
+  __u16         flags;          /* Optional params */
+};
+
+Make sure to zero the structure to avoid disclosing 32bits of kernel data
+to user space.
+
+Fixes: 87de87d5e47f ("wext: Dispatch and handle compat ioctls entirely in net/wireless/wext.c")
+Reported-by: syzbot+bfc7323743ca6dbcc3d3@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695f83f3.050a0220.1c677c.0392.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260108101927.857582-1-edumazet@google.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/wext-core.c |    4 ++++
+ net/wireless/wext-priv.c |    4 ++++
+ 2 files changed, 8 insertions(+)
+
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -1101,6 +1101,10 @@ static int compat_standard_call(struct n
+               return ioctl_standard_call(dev, iwr, cmd, info, handler);
+       iwp_compat = (struct compat_iw_point *) &iwr->u.data;
++
++      /* struct iw_point has a 32bit hole on 64bit arches. */
++      memset(&iwp, 0, sizeof(iwp));
++
+       iwp.pointer = compat_ptr(iwp_compat->pointer);
+       iwp.length = iwp_compat->length;
+       iwp.flags = iwp_compat->flags;
+--- a/net/wireless/wext-priv.c
++++ b/net/wireless/wext-priv.c
+@@ -228,6 +228,10 @@ int compat_private_call(struct net_devic
+               struct iw_point iwp;
+               iwp_compat = (struct compat_iw_point *) &iwr->u.data;
++
++              /* struct iw_point has a 32bit hole on 64bit arches. */
++              memset(&iwp, 0, sizeof(iwp));
++
+               iwp.pointer = compat_ptr(iwp_compat->pointer);
+               iwp.length = iwp_compat->length;
+               iwp.flags = iwp_compat->flags;
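Review bot: The added comment `/* struct iw_point has a 32bit hole on 64bit arches. */` in compat_standard_call() names the padding but not why it has to be cleared, or why memset() is used instead of an initializer. According to the commit message the concern is that the on-stack iwp is later disclosed to user space. A future cleanup to `struct iw_point iwp = { ... };` would look equivalent yet is not guaranteed to zero the hole. I would write the comment as `/* Zero padding as well: iwp is exposed to user space, and an initializer need not clear the 32-bit hole. */`, and use the same text in compat_private_call() in wext-priv.c, which carries the identical block. Both functions start and end outside their hunks, so the path on which iwp is copied out is not visible here and should be checked against the full source.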
diff --git a/queue-6.18/wifi-mac80211-restore-non-chanctx-injection-behaviour.patch b/queue-6.18/wifi-mac80211-restore-non-chanctx-injection-behaviour.patch
new file mode 100644 (file)
index 0000000..ffe962b
--- /dev/null
@@ -0,0 +1,40 @@
+From d594cc6f2c588810888df70c83a9654b6bc7942d Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 16 Dec 2025 11:52:42 +0100
+Subject: wifi: mac80211: restore non-chanctx injection behaviour
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit d594cc6f2c588810888df70c83a9654b6bc7942d upstream.
+
+During the transition to use channel contexts throughout, the
+ability to do injection while in monitor mode concurrent with
+another interface was lost, since the (virtual) monitor won't
+have a chanctx assigned in this scenario.
+
+It's harder to fix drivers that actually transitioned to using
+channel contexts themselves, such as mt76, but it's easy to do
+those that are (still) just using the emulation. Do that.
+
+Cc: stable@vger.kernel.org
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=218763
+Reported-and-tested-by: Oscar Alfonso Diaz <oscar.alfonso.diaz@gmail.com>
+Fixes: 0a44dfc07074 ("wifi: mac80211: simplify non-chanctx drivers")
+Link: https://patch.msgid.link/20251216105242.18366-2-johannes@sipsolutions.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/tx.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -2395,6 +2395,8 @@ netdev_tx_t ieee80211_monitor_start_xmit
+       if (chanctx_conf)
+               chandef = &chanctx_conf->def;
++      else if (local->emulate_chanctx)
++              chandef = &local->hw.conf.chandef;
+       else
+               goto fail_rcu;