5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 8 Jan 2026 16:27:36 +0000 (17:27 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 8 Jan 2026 16:27:36 +0000 (17:27 +0100)
added patches:
asoc-stm-use-dev_err_probe-helper.patch
asoc-stm32-sai-fix-clk-prepare-imbalance-on-probe-failure.patch
asoc-stm32-sai-use-the-devm_clk_get_optional-helper.patch
btrfs-do-not-clean-up-repair-bio-if-submit-fails.patch
bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch
cpufreq-scmi-fix-null-ptr-deref-in-scmi_cpufreq_get_rate.patch
drm-gma500-remove-unused-helper-psb_fbdev_fb_setcolreg.patch
leds-leds-lp50xx-enable-chip-before-any-communication.patch
leds-lp50xx-get-rid-of-redundant-check-in-lp50xx_enable_disable.patch
leds-lp50xx-reduce-level-of-dereferences.patch
leds-lp50xx-remove-duplicated-error-reporting-in-.remove.patch
lockd-fix-vfs_test_lock-calls.patch
media-mediatek-vcodec-fix-a-reference-leak-in-mtk_vcodec_fw_vpu_init.patch
media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch
media-vpif_capture-fix-section-mismatch.patch
mm-balloon_compaction-convert-balloon_page_delete-to-balloon_page_finalize.patch
mm-balloon_compaction-make-balloon-page-compaction-callbacks-static.patch
mm-balloon_compaction-we-cannot-have-isolated-pages-in-the-balloon-list.patch
mm-mprotect-delete-pmd_none_or_clear_bad_unless_trans_huge.patch
mm-mprotect-use-long-for-page-accountings-and-retval.patch
nfsd-nfsv4-file-creation-neglects-setting-acl.patch
ovl-use-buf-flexible-array-for-memcpy-destination.patch
pmdomain-imx-fix-reference-count-leak-in-imx_gpc_probe.patch
pmdomain-use-device_get_match_data.patch
powerpc-pseries-cmm-adjust-balloon_migrate-when-migrating-pages.patch
scsi-iscsi-move-pool-freeing.patch
scsi-iscsi_tcp-fix-uaf-during-logout-when-accessing-the-shost-ipaddress.patch
soc-rockchip-power-domain-manage-resource-conflicts-with-firmware.patch
wifi-mac80211-discard-beacon-frames-to-non-broadcast-address.patch

31 files changed:
queue-5.10/asoc-stm-use-dev_err_probe-helper.patch [new file with mode: 0644]
queue-5.10/asoc-stm32-sai-fix-clk-prepare-imbalance-on-probe-failure.patch [new file with mode: 0644]
queue-5.10/asoc-stm32-sai-use-the-devm_clk_get_optional-helper.patch [new file with mode: 0644]
queue-5.10/btrfs-do-not-clean-up-repair-bio-if-submit-fails.patch [new file with mode: 0644]
queue-5.10/bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch [new file with mode: 0644]
queue-5.10/cpufreq-scmi-fix-null-ptr-deref-in-scmi_cpufreq_get_rate.patch [new file with mode: 0644]
queue-5.10/drm-gma500-remove-unused-helper-psb_fbdev_fb_setcolreg.patch [new file with mode: 0644]
queue-5.10/kvm-arm64-sys_regs-disable-wuninitialized-const-pointer-warning.patch [deleted file]
queue-5.10/leds-leds-lp50xx-enable-chip-before-any-communication.patch [new file with mode: 0644]
queue-5.10/leds-lp50xx-get-rid-of-redundant-check-in-lp50xx_enable_disable.patch [new file with mode: 0644]
queue-5.10/leds-lp50xx-reduce-level-of-dereferences.patch [new file with mode: 0644]
queue-5.10/leds-lp50xx-remove-duplicated-error-reporting-in-.remove.patch [new file with mode: 0644]
queue-5.10/lockd-fix-vfs_test_lock-calls.patch [new file with mode: 0644]
queue-5.10/media-mediatek-vcodec-fix-a-reference-leak-in-mtk_vcodec_fw_vpu_init.patch [new file with mode: 0644]
queue-5.10/media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch [new file with mode: 0644]
queue-5.10/media-vpif_capture-fix-section-mismatch.patch [new file with mode: 0644]
queue-5.10/mm-balloon_compaction-convert-balloon_page_delete-to-balloon_page_finalize.patch [new file with mode: 0644]
queue-5.10/mm-balloon_compaction-make-balloon-page-compaction-callbacks-static.patch [new file with mode: 0644]
queue-5.10/mm-balloon_compaction-we-cannot-have-isolated-pages-in-the-balloon-list.patch [new file with mode: 0644]
queue-5.10/mm-mprotect-delete-pmd_none_or_clear_bad_unless_trans_huge.patch [new file with mode: 0644]
queue-5.10/mm-mprotect-use-long-for-page-accountings-and-retval.patch [new file with mode: 0644]
queue-5.10/nfsd-nfsv4-file-creation-neglects-setting-acl.patch [new file with mode: 0644]
queue-5.10/ovl-use-buf-flexible-array-for-memcpy-destination.patch [new file with mode: 0644]
queue-5.10/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_probe.patch [new file with mode: 0644]
queue-5.10/pmdomain-use-device_get_match_data.patch [new file with mode: 0644]
queue-5.10/powerpc-pseries-cmm-adjust-balloon_migrate-when-migrating-pages.patch [new file with mode: 0644]
queue-5.10/scsi-iscsi-move-pool-freeing.patch [new file with mode: 0644]
queue-5.10/scsi-iscsi_tcp-fix-uaf-during-logout-when-accessing-the-shost-ipaddress.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/soc-rockchip-power-domain-manage-resource-conflicts-with-firmware.patch [new file with mode: 0644]
queue-5.10/wifi-mac80211-discard-beacon-frames-to-non-broadcast-address.patch [new file with mode: 0644]

diff --git a/queue-5.10/asoc-stm-use-dev_err_probe-helper.patch b/queue-5.10/asoc-stm-use-dev_err_probe-helper.patch
new file mode 100644 (file)
index 0000000..24992ab
--- /dev/null
@@ -0,0 +1,307 @@
+From stable+bounces-204812-greg=kroah.com@vger.kernel.org Mon Jan  5 15:40:46 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  5 Jan 2026 09:36:24 -0500
+Subject: ASoC: stm: Use dev_err_probe() helper
+To: stable@vger.kernel.org
+Cc: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>, Mark Brown <broonie@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260105143626.2605607-1-sashal@kernel.org>
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit efc162cbd480f1fb47d439c193ec9731bcc6c749 ]
+
+Use the dev_err_probe() helper, instead of open-coding the same
+operation.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/20211214020843.2225831-22-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: 312ec2f0d9d1 ("ASoC: stm32: sai: fix clk prepare imbalance on probe failure")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/stm/stm32_i2s.c     |   62 ++++++++++++++----------------------------
+ sound/soc/stm/stm32_sai.c     |   37 ++++++++-----------------
+ sound/soc/stm/stm32_sai_sub.c |   25 +++++-----------
+ sound/soc/stm/stm32_spdifrx.c |   44 ++++++++++-------------------
+ 4 files changed, 57 insertions(+), 111 deletions(-)
+
+--- a/sound/soc/stm/stm32_i2s.c
++++ b/sound/soc/stm/stm32_i2s.c
+@@ -830,36 +830,24 @@ static int stm32_i2s_parse_dt(struct pla
+       /* Get clocks */
+       i2s->pclk = devm_clk_get(&pdev->dev, "pclk");
+-      if (IS_ERR(i2s->pclk)) {
+-              if (PTR_ERR(i2s->pclk) != -EPROBE_DEFER)
+-                      dev_err(&pdev->dev, "Could not get pclk: %ld\n",
+-                              PTR_ERR(i2s->pclk));
+-              return PTR_ERR(i2s->pclk);
+-      }
++      if (IS_ERR(i2s->pclk))
++              return dev_err_probe(&pdev->dev, PTR_ERR(i2s->pclk),
++                                   "Could not get pclk\n");
+       i2s->i2sclk = devm_clk_get(&pdev->dev, "i2sclk");
+-      if (IS_ERR(i2s->i2sclk)) {
+-              if (PTR_ERR(i2s->i2sclk) != -EPROBE_DEFER)
+-                      dev_err(&pdev->dev, "Could not get i2sclk: %ld\n",
+-                              PTR_ERR(i2s->i2sclk));
+-              return PTR_ERR(i2s->i2sclk);
+-      }
++      if (IS_ERR(i2s->i2sclk))
++              return dev_err_probe(&pdev->dev, PTR_ERR(i2s->i2sclk),
++                                   "Could not get i2sclk\n");
+       i2s->x8kclk = devm_clk_get(&pdev->dev, "x8k");
+-      if (IS_ERR(i2s->x8kclk)) {
+-              if (PTR_ERR(i2s->x8kclk) != -EPROBE_DEFER)
+-                      dev_err(&pdev->dev, "Could not get x8k parent clock: %ld\n",
+-                              PTR_ERR(i2s->x8kclk));
+-              return PTR_ERR(i2s->x8kclk);
+-      }
++      if (IS_ERR(i2s->x8kclk))
++              return dev_err_probe(&pdev->dev, PTR_ERR(i2s->x8kclk),
++                                   "Could not get x8k parent clock\n");
+       i2s->x11kclk = devm_clk_get(&pdev->dev, "x11k");
+-      if (IS_ERR(i2s->x11kclk)) {
+-              if (PTR_ERR(i2s->x11kclk) != -EPROBE_DEFER)
+-                      dev_err(&pdev->dev, "Could not get x11k parent clock: %ld\n",
+-                              PTR_ERR(i2s->x11kclk));
+-              return PTR_ERR(i2s->x11kclk);
+-      }
++      if (IS_ERR(i2s->x11kclk))
++              return dev_err_probe(&pdev->dev, PTR_ERR(i2s->x11kclk),
++                                   "Could not get x11k parent clock\n");
+       /* Get irqs */
+       irq = platform_get_irq(pdev, 0);
+@@ -875,12 +863,10 @@ static int stm32_i2s_parse_dt(struct pla
+       /* Reset */
+       rst = devm_reset_control_get_optional_exclusive(&pdev->dev, NULL);
+-      if (IS_ERR(rst)) {
+-              if (PTR_ERR(rst) != -EPROBE_DEFER)
+-                      dev_err(&pdev->dev, "Reset controller error %ld\n",
+-                              PTR_ERR(rst));
+-              return PTR_ERR(rst);
+-      }
++      if (IS_ERR(rst))
++              return dev_err_probe(&pdev->dev, PTR_ERR(rst),
++                                   "Reset controller error\n");
++
+       reset_control_assert(rst);
+       udelay(2);
+       reset_control_deassert(rst);
+@@ -922,19 +908,13 @@ static int stm32_i2s_probe(struct platfo
+       i2s->regmap = devm_regmap_init_mmio_clk(&pdev->dev, "pclk",
+                                               i2s->base, i2s->regmap_conf);
+-      if (IS_ERR(i2s->regmap)) {
+-              if (PTR_ERR(i2s->regmap) != -EPROBE_DEFER)
+-                      dev_err(&pdev->dev, "Regmap init error %ld\n",
+-                              PTR_ERR(i2s->regmap));
+-              return PTR_ERR(i2s->regmap);
+-      }
++      if (IS_ERR(i2s->regmap))
++              return dev_err_probe(&pdev->dev, PTR_ERR(i2s->regmap),
++                                   "Regmap init error\n");
+       ret = snd_dmaengine_pcm_register(&pdev->dev, &stm32_i2s_pcm_config, 0);
+-      if (ret) {
+-              if (ret != -EPROBE_DEFER)
+-                      dev_err(&pdev->dev, "PCM DMA register error %d\n", ret);
+-              return ret;
+-      }
++      if (ret)
++              return dev_err_probe(&pdev->dev, ret, "PCM DMA register error\n");
+       ret = snd_soc_register_component(&pdev->dev, &stm32_i2s_component,
+                                        i2s->dai_drv, 1);
+--- a/sound/soc/stm/stm32_sai.c
++++ b/sound/soc/stm/stm32_sai.c
+@@ -173,29 +173,20 @@ static int stm32_sai_probe(struct platfo
+       if (!STM_SAI_IS_F4(sai)) {
+               sai->pclk = devm_clk_get(&pdev->dev, "pclk");
+-              if (IS_ERR(sai->pclk)) {
+-                      if (PTR_ERR(sai->pclk) != -EPROBE_DEFER)
+-                              dev_err(&pdev->dev, "missing bus clock pclk: %ld\n",
+-                                      PTR_ERR(sai->pclk));
+-                      return PTR_ERR(sai->pclk);
+-              }
++              if (IS_ERR(sai->pclk))
++                      return dev_err_probe(&pdev->dev, PTR_ERR(sai->pclk),
++                                           "missing bus clock pclk\n");
+       }
+       sai->clk_x8k = devm_clk_get(&pdev->dev, "x8k");
+-      if (IS_ERR(sai->clk_x8k)) {
+-              if (PTR_ERR(sai->clk_x8k) != -EPROBE_DEFER)
+-                      dev_err(&pdev->dev, "missing x8k parent clock: %ld\n",
+-                              PTR_ERR(sai->clk_x8k));
+-              return PTR_ERR(sai->clk_x8k);
+-      }
++      if (IS_ERR(sai->clk_x8k))
++              return dev_err_probe(&pdev->dev, PTR_ERR(sai->clk_x8k),
++                                   "missing x8k parent clock\n");
+       sai->clk_x11k = devm_clk_get(&pdev->dev, "x11k");
+-      if (IS_ERR(sai->clk_x11k)) {
+-              if (PTR_ERR(sai->clk_x11k) != -EPROBE_DEFER)
+-                      dev_err(&pdev->dev, "missing x11k parent clock: %ld\n",
+-                              PTR_ERR(sai->clk_x11k));
+-              return PTR_ERR(sai->clk_x11k);
+-      }
++      if (IS_ERR(sai->clk_x11k))
++              return dev_err_probe(&pdev->dev, PTR_ERR(sai->clk_x11k),
++                                   "missing x11k parent clock\n");
+       /* init irqs */
+       sai->irq = platform_get_irq(pdev, 0);
+@@ -204,12 +195,10 @@ static int stm32_sai_probe(struct platfo
+       /* reset */
+       rst = devm_reset_control_get_optional_exclusive(&pdev->dev, NULL);
+-      if (IS_ERR(rst)) {
+-              if (PTR_ERR(rst) != -EPROBE_DEFER)
+-                      dev_err(&pdev->dev, "Reset controller error %ld\n",
+-                              PTR_ERR(rst));
+-              return PTR_ERR(rst);
+-      }
++      if (IS_ERR(rst))
++              return dev_err_probe(&pdev->dev, PTR_ERR(rst),
++                                   "Reset controller error\n");
++
+       reset_control_assert(rst);
+       udelay(2);
+       reset_control_deassert(rst);
+--- a/sound/soc/stm/stm32_sai_sub.c
++++ b/sound/soc/stm/stm32_sai_sub.c
+@@ -1380,12 +1380,9 @@ static int stm32_sai_sub_parse_of(struct
+        */
+       sai->regmap = devm_regmap_init_mmio(&pdev->dev, base,
+                                           sai->regmap_config);
+-      if (IS_ERR(sai->regmap)) {
+-              if (PTR_ERR(sai->regmap) != -EPROBE_DEFER)
+-                      dev_err(&pdev->dev, "Regmap init error %ld\n",
+-                              PTR_ERR(sai->regmap));
+-              return PTR_ERR(sai->regmap);
+-      }
++      if (IS_ERR(sai->regmap))
++              return dev_err_probe(&pdev->dev, PTR_ERR(sai->regmap),
++                                   "Regmap init error\n");
+       /* Get direction property */
+       if (of_property_match_string(np, "dma-names", "tx") >= 0) {
+@@ -1473,12 +1470,9 @@ static int stm32_sai_sub_parse_of(struct
+       of_node_put(args.np);
+       sai->sai_ck = devm_clk_get(&pdev->dev, "sai_ck");
+-      if (IS_ERR(sai->sai_ck)) {
+-              if (PTR_ERR(sai->sai_ck) != -EPROBE_DEFER)
+-                      dev_err(&pdev->dev, "Missing kernel clock sai_ck: %ld\n",
+-                              PTR_ERR(sai->sai_ck));
+-              return PTR_ERR(sai->sai_ck);
+-      }
++      if (IS_ERR(sai->sai_ck))
++              return dev_err_probe(&pdev->dev, PTR_ERR(sai->sai_ck),
++                                   "Missing kernel clock sai_ck\n");
+       ret = clk_prepare(sai->pdata->pclk);
+       if (ret < 0)
+@@ -1552,11 +1546,8 @@ static int stm32_sai_sub_probe(struct pl
+               conf = &stm32_sai_pcm_config_spdif;
+       ret = snd_dmaengine_pcm_register(&pdev->dev, conf, 0);
+-      if (ret) {
+-              if (ret != -EPROBE_DEFER)
+-                      dev_err(&pdev->dev, "Could not register pcm dma\n");
+-              return ret;
+-      }
++      if (ret)
++              return dev_err_probe(&pdev->dev, ret, "Could not register pcm dma\n");
+       ret = snd_soc_register_component(&pdev->dev, &stm32_component,
+                                        &sai->cpu_dai_drv, 1);
+--- a/sound/soc/stm/stm32_spdifrx.c
++++ b/sound/soc/stm/stm32_spdifrx.c
+@@ -405,12 +405,9 @@ static int stm32_spdifrx_dma_ctrl_regist
+       int ret;
+       spdifrx->ctrl_chan = dma_request_chan(dev, "rx-ctrl");
+-      if (IS_ERR(spdifrx->ctrl_chan)) {
+-              if (PTR_ERR(spdifrx->ctrl_chan) != -EPROBE_DEFER)
+-                      dev_err(dev, "dma_request_slave_channel error %ld\n",
+-                              PTR_ERR(spdifrx->ctrl_chan));
+-              return PTR_ERR(spdifrx->ctrl_chan);
+-      }
++      if (IS_ERR(spdifrx->ctrl_chan))
++              return dev_err_probe(dev, PTR_ERR(spdifrx->ctrl_chan),
++                                   "dma_request_slave_channel error\n");
+       spdifrx->dmab = devm_kzalloc(dev, sizeof(struct snd_dma_buffer),
+                                    GFP_KERNEL);
+@@ -930,12 +927,9 @@ static int stm32_spdifrx_parse_of(struct
+       spdifrx->phys_addr = res->start;
+       spdifrx->kclk = devm_clk_get(&pdev->dev, "kclk");
+-      if (IS_ERR(spdifrx->kclk)) {
+-              if (PTR_ERR(spdifrx->kclk) != -EPROBE_DEFER)
+-                      dev_err(&pdev->dev, "Could not get kclk: %ld\n",
+-                              PTR_ERR(spdifrx->kclk));
+-              return PTR_ERR(spdifrx->kclk);
+-      }
++      if (IS_ERR(spdifrx->kclk))
++              return dev_err_probe(&pdev->dev, PTR_ERR(spdifrx->kclk),
++                                   "Could not get kclk\n");
+       spdifrx->irq = platform_get_irq(pdev, 0);
+       if (spdifrx->irq < 0)
+@@ -986,12 +980,9 @@ static int stm32_spdifrx_probe(struct pl
+       spdifrx->regmap = devm_regmap_init_mmio_clk(&pdev->dev, "kclk",
+                                                   spdifrx->base,
+                                                   spdifrx->regmap_conf);
+-      if (IS_ERR(spdifrx->regmap)) {
+-              if (PTR_ERR(spdifrx->regmap) != -EPROBE_DEFER)
+-                      dev_err(&pdev->dev, "Regmap init error %ld\n",
+-                              PTR_ERR(spdifrx->regmap));
+-              return PTR_ERR(spdifrx->regmap);
+-      }
++      if (IS_ERR(spdifrx->regmap))
++              return dev_err_probe(&pdev->dev, PTR_ERR(spdifrx->regmap),
++                                   "Regmap init error\n");
+       ret = devm_request_irq(&pdev->dev, spdifrx->irq, stm32_spdifrx_isr, 0,
+                              dev_name(&pdev->dev), spdifrx);
+@@ -1001,23 +992,18 @@ static int stm32_spdifrx_probe(struct pl
+       }
+       rst = devm_reset_control_get_optional_exclusive(&pdev->dev, NULL);
+-      if (IS_ERR(rst)) {
+-              if (PTR_ERR(rst) != -EPROBE_DEFER)
+-                      dev_err(&pdev->dev, "Reset controller error %ld\n",
+-                              PTR_ERR(rst));
+-              return PTR_ERR(rst);
+-      }
++      if (IS_ERR(rst))
++              return dev_err_probe(&pdev->dev, PTR_ERR(rst),
++                                   "Reset controller error\n");
++
+       reset_control_assert(rst);
+       udelay(2);
+       reset_control_deassert(rst);
+       pcm_config = &stm32_spdifrx_pcm_config;
+       ret = snd_dmaengine_pcm_register(&pdev->dev, pcm_config, 0);
+-      if (ret) {
+-              if (ret != -EPROBE_DEFER)
+-                      dev_err(&pdev->dev, "PCM DMA register error %d\n", ret);
+-              return ret;
+-      }
++      if (ret)
++              return dev_err_probe(&pdev->dev, ret, "PCM DMA register error\n");
+       ret = snd_soc_register_component(&pdev->dev,
+                                        &stm32_spdifrx_component,
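Review bot: In the stm32_spdifrx_dma_ctrl_register() hunk the message handed to dev_err_probe() still names a function the code does not call: the line above it is `dma_request_chan(dev, "rx-ctrl")`, but the text is `"dma_request_slave_channel error\n"`. Since the conversion already rewrites every message to drop the error code, this one could name the resource instead, for example `"Could not get rx-ctrl DMA channel\n"`, so the log entry leads a reader to the right call. The function bodies start and end outside the hunks, so only the converted call sites were reviewed.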
diff --git a/queue-5.10/asoc-stm32-sai-fix-clk-prepare-imbalance-on-probe-failure.patch b/queue-5.10/asoc-stm32-sai-fix-clk-prepare-imbalance-on-probe-failure.patch
new file mode 100644 (file)
index 0000000..e6396c2
--- /dev/null
@@ -0,0 +1,93 @@
+From stable+bounces-204814-greg=kroah.com@vger.kernel.org Mon Jan  5 15:40:55 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  5 Jan 2026 09:36:26 -0500
+Subject: ASoC: stm32: sai: fix clk prepare imbalance on probe failure
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan@kernel.org>, Olivier Moysan <olivier.moysan@st.com>, olivier moysan <olivier.moysan@foss.st.com>, Mark Brown <broonie@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260105143626.2605607-3-sashal@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 312ec2f0d9d1a5656f76d770bbf1d967e9289aa7 ]
+
+Make sure to unprepare the parent clock also on probe failures (e.g.
+probe deferral).
+
+Fixes: a14bf98c045b ("ASoC: stm32: sai: fix possible circular locking")
+Cc: stable@vger.kernel.org     # 5.5
+Cc: Olivier Moysan <olivier.moysan@st.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: olivier moysan <olivier.moysan@foss.st.com>
+Link: https://patch.msgid.link/20251124104908.15754-3-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/stm/stm32_sai_sub.c |   28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+--- a/sound/soc/stm/stm32_sai_sub.c
++++ b/sound/soc/stm/stm32_sai_sub.c
+@@ -1485,14 +1485,21 @@ static int stm32_sai_sub_parse_of(struct
+       if (of_find_property(np, "#clock-cells", NULL)) {
+               ret = stm32_sai_add_mclk_provider(sai);
+               if (ret < 0)
+-                      return ret;
++                      goto err_unprepare_pclk;
+       } else {
+               sai->sai_mclk = devm_clk_get_optional(&pdev->dev, "MCLK");
+-              if (IS_ERR(sai->sai_mclk))
+-                      return PTR_ERR(sai->sai_mclk);
++              if (IS_ERR(sai->sai_mclk)) {
++                      ret = PTR_ERR(sai->sai_mclk);
++                      goto err_unprepare_pclk;
++              }
+       }
+       return 0;
++
++err_unprepare_pclk:
++      clk_unprepare(sai->pdata->pclk);
++
++      return ret;
+ }
+ static int stm32_sai_sub_probe(struct platform_device *pdev)
+@@ -1536,26 +1543,33 @@ static int stm32_sai_sub_probe(struct pl
+                              IRQF_SHARED, dev_name(&pdev->dev), sai);
+       if (ret) {
+               dev_err(&pdev->dev, "IRQ request returned %d\n", ret);
+-              return ret;
++              goto err_unprepare_pclk;
+       }
+       if (STM_SAI_PROTOCOL_IS_SPDIF(sai))
+               conf = &stm32_sai_pcm_config_spdif;
+       ret = snd_dmaengine_pcm_register(&pdev->dev, conf, 0);
+-      if (ret)
+-              return dev_err_probe(&pdev->dev, ret, "Could not register pcm dma\n");
++      if (ret) {
++              ret = dev_err_probe(&pdev->dev, ret, "Could not register pcm dma\n");
++              goto err_unprepare_pclk;
++      }
+       ret = snd_soc_register_component(&pdev->dev, &stm32_component,
+                                        &sai->cpu_dai_drv, 1);
+       if (ret) {
+               snd_dmaengine_pcm_unregister(&pdev->dev);
+-              return ret;
++              goto err_unprepare_pclk;
+       }
+       pm_runtime_enable(&pdev->dev);
+       return 0;
++
++err_unprepare_pclk:
++      clk_unprepare(sai->pdata->pclk);
++
++      return ret;
+ }
+ static int stm32_sai_sub_remove(struct platform_device *pdev)
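Review bot: The `err_unprepare_pclk` label added to stm32_sai_sub_probe() calls `clk_unprepare(sai->pdata->pclk)`, but no matching clk_prepare() appears anywhere in that function's hunk. The prepare seems to live in stm32_sai_sub_parse_of(), as the first hunk and the context of the preceding patch in this series suggest, so the pairing crosses a function boundary and is easy to break later. A comment at the probe label such as `/* Balances clk_prepare(pclk) done in stm32_sai_sub_parse_of() */` would record that. Both function bodies start outside the hunks, so any return between the parse_of call and devm_request_irq() is not visible here and should be checked against the same rule.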
diff --git a/queue-5.10/asoc-stm32-sai-use-the-devm_clk_get_optional-helper.patch b/queue-5.10/asoc-stm32-sai-use-the-devm_clk_get_optional-helper.patch
new file mode 100644 (file)
index 0000000..701307e
--- /dev/null
@@ -0,0 +1,43 @@
+From stable+bounces-204813-greg=kroah.com@vger.kernel.org Mon Jan  5 15:36:36 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  5 Jan 2026 09:36:25 -0500
+Subject: ASoC: stm32: sai: Use the devm_clk_get_optional() helper
+To: stable@vger.kernel.org
+Cc: Christophe JAILLET <christophe.jaillet@wanadoo.fr>, Mark Brown <broonie@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260105143626.2605607-2-sashal@kernel.org>
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 374628fb668e50b42fe81f2a63af616182415bcd ]
+
+Use devm_clk_get_optional() instead of hand writing it.
+This saves some LoC and improves the semantic.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/f7987f18dadf77bfa09969fd4c82d5a0f4e4e3b7.1684594838.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: 312ec2f0d9d1 ("ASoC: stm32: sai: fix clk prepare imbalance on probe failure")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/stm/stm32_sai_sub.c |    9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/sound/soc/stm/stm32_sai_sub.c
++++ b/sound/soc/stm/stm32_sai_sub.c
+@@ -1487,12 +1487,9 @@ static int stm32_sai_sub_parse_of(struct
+               if (ret < 0)
+                       return ret;
+       } else {
+-              sai->sai_mclk = devm_clk_get(&pdev->dev, "MCLK");
+-              if (IS_ERR(sai->sai_mclk)) {
+-                      if (PTR_ERR(sai->sai_mclk) != -ENOENT)
+-                              return PTR_ERR(sai->sai_mclk);
+-                      sai->sai_mclk = NULL;
+-              }
++              sai->sai_mclk = devm_clk_get_optional(&pdev->dev, "MCLK");
++              if (IS_ERR(sai->sai_mclk))
++                      return PTR_ERR(sai->sai_mclk);
+       }
+       return 0;
diff --git a/queue-5.10/btrfs-do-not-clean-up-repair-bio-if-submit-fails.patch b/queue-5.10/btrfs-do-not-clean-up-repair-bio-if-submit-fails.patch
new file mode 100644 (file)
index 0000000..09e8da4
--- /dev/null
@@ -0,0 +1,65 @@
+From stable+bounces-203280-greg=kroah.com@vger.kernel.org Tue Dec 23 09:02:55 2025
+From: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
+Date: Tue, 23 Dec 2025 08:00:41 +0000
+Subject: btrfs: do not clean up repair bio if submit fails
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: clm@fb.com, josef@toxicpanda.com, dsterba@suse.com, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Boris Burkov <boris@bur.io>, Bin Lan <bin.lan.cn@windriver.com>, He Zhe <zhe.he@windriver.com>, Keerthana K <keerthana.kalyanasundaram@broadcom.com>
+Message-ID: <20251223080041.1428811-1-keerthana.kalyanasundaram@broadcom.com>
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 8cbc3001a3264d998d6b6db3e23f935c158abd4d ]
+
+The submit helper will always run bio_endio() on the bio if it fails to
+submit, so cleaning up the bio just leads to a variety of use-after-free
+and NULL pointer dereference bugs because we race with the endio
+function that is cleaning up the bio.  Instead just return BLK_STS_OK as
+the repair function has to continue to process the rest of the pages,
+and the endio for the repair bio will do the appropriate cleanup for the
+page that it was given.
+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[Minor context change fixed.]
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ Keerthana: Backported the patch to v5.10.y ]
+Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent_io.c |   15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -2655,7 +2655,6 @@ blk_status_t btrfs_submit_read_repair(st
+       bool need_validation;
+       struct bio *repair_bio;
+       struct btrfs_io_bio *repair_io_bio;
+-      blk_status_t status;
+       btrfs_debug(fs_info,
+                  "repair read error: read error at %llu", start);
+@@ -2699,13 +2698,13 @@ blk_status_t btrfs_submit_read_repair(st
+ "repair read error: submitting new read to mirror %d, in_validation=%d",
+                   failrec->this_mirror, failrec->in_validation);
+-      status = submit_bio_hook(inode, repair_bio, failrec->this_mirror,
+-                               failrec->bio_flags);
+-      if (status) {
+-              free_io_failure(failure_tree, tree, failrec);
+-              bio_put(repair_bio);
+-      }
+-      return status;
++      /*
++       * At this point we have a bio, so any errors from submit_bio_hook()
++       * will be handled by the endio on the repair_bio, so we can't return an
++       * error here.
++       */
++      submit_bio_hook(inode, repair_bio, failrec->this_mirror, failrec->bio_flags);
++      return BLK_STS_OK;
+ }
+ /* lots and lots of room for performance fixes in the end_bio funcs */
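Review bot: The comment added above `submit_bio_hook()` says errors are handled by the repair bio's endio, but it does not say what must not be done at this point, which is the hazard the patch removes. According to the commit message, a failed submit has already run bio_endio() on the bio, so the removed `free_io_failure()` and `bio_put()` raced with that cleanup. The comment could end with `Do not free failrec or put repair_bio here: a failed submit has already run bio_endio() on it.` so the cleanup is not reinstated later. The hook's return value is now discarded and the function returns BLK_STS_OK from here on, so callers (outside the hunk) can no longer observe a submission failure; the function body starts outside the hunk.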
diff --git a/queue-5.10/bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch b/queue-5.10/bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch
new file mode 100644 (file)
index 0000000..fda2b03
--- /dev/null
@@ -0,0 +1,53 @@
+From stable+bounces-203278-greg=kroah.com@vger.kernel.org Tue Dec 23 08:49:27 2025
+From: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
+Date: Tue, 23 Dec 2025 07:46:25 +0000
+Subject: bus: fsl-mc-bus: fix KASAN use-after-free in fsl_mc_bus_remove()
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: stuyoder@gmail.com, laurentiu.tudor@nxp.com, Bharat.Bhushan@nxp.com, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>, Keerthana K <keerthana.kalyanasundaram@broadcom.com>
+Message-ID: <20251223074625.1428715-1-keerthana.kalyanasundaram@broadcom.com>
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+commit 928ea98252ad75118950941683893cf904541da9 upstream.
+
+In fsl_mc_bus_remove(), mc->root_mc_bus_dev->mc_io is passed to
+fsl_destroy_mc_io(). However, mc->root_mc_bus_dev is already freed in
+fsl_mc_device_remove(). Then reference to mc->root_mc_bus_dev->mc_io
+triggers KASAN use-after-free. To avoid the use-after-free, keep the
+reference to mc->root_mc_bus_dev->mc_io in a local variable and pass to
+fsl_destroy_mc_io().
+
+This patch needs rework to apply to kernels older than v5.15.
+
+Fixes: f93627146f0e ("staging: fsl-mc: fix asymmetry in destroy of mc_io")
+Cc: stable@vger.kernel.org # v5.15+
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Link: https://lore.kernel.org/r/20220601105159.87752-1-shinichiro.kawasaki@wdc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ Keerthana: Backported the patch to v5.10.y ]
+Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -1085,14 +1085,14 @@ error_cleanup_mc_io:
+ static int fsl_mc_bus_remove(struct platform_device *pdev)
+ {
+       struct fsl_mc *mc = platform_get_drvdata(pdev);
++      struct fsl_mc_io *mc_io;
+       if (!fsl_mc_is_root_dprc(&mc->root_mc_bus_dev->dev))
+               return -EINVAL;
++      mc_io = mc->root_mc_bus_dev->mc_io;
+       fsl_mc_device_remove(mc->root_mc_bus_dev);
+-
+-      fsl_destroy_mc_io(mc->root_mc_bus_dev->mc_io);
+-      mc->root_mc_bus_dev->mc_io = NULL;
++      fsl_destroy_mc_io(mc_io);
+       return 0;
+ }
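Review bot: After `fsl_mc_device_remove(mc->root_mc_bus_dev);` the field `mc->root_mc_bus_dev` still holds the old address, which the commit message says is freed by that call. The patch avoids the one known dereference by caching `mc_io` first, but the stale pointer stays in `mc`. If `mc` outlives this function (not visible here), adding `mc->root_mc_bus_dev = NULL;` right after the remove call would turn any later access into an immediate NULL dereference instead of a use-after-free. A short comment on the `mc_io = mc->root_mc_bus_dev->mc_io;` line, e.g. `/* read before fsl_mc_device_remove() frees root_mc_bus_dev */`, would also explain why the ordering matters.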
diff --git a/queue-5.10/cpufreq-scmi-fix-null-ptr-deref-in-scmi_cpufreq_get_rate.patch b/queue-5.10/cpufreq-scmi-fix-null-ptr-deref-in-scmi_cpufreq_get_rate.patch
new file mode 100644 (file)
index 0000000..2fe0823
--- /dev/null
@@ -0,0 +1,53 @@
+From stable+bounces-204627-greg=kroah.com@vger.kernel.org Mon Jan  5 11:19:06 2026
+From: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Date: Mon,  5 Jan 2026 01:57:01 -0800
+Subject: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: sudeep.holla@arm.com, cristian.marussi@arm.com, rafael@kernel.org, viresh.kumar@linaro.org, arm-scmi@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-pm@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Henry Martin <bsdhenrymartin@gmail.com>, Sasha Levin <sashal@kernel.org>, Shivani Agarwal <shivani.agarwal@broadcom.com>
+Message-ID: <20260105095701.659420-1-shivani.agarwal@broadcom.com>
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit 484d3f15cc6cbaa52541d6259778e715b2c83c54 ]
+
+cpufreq_cpu_get_raw() can return NULL when the target CPU is not present
+in the policy->cpus mask. scmi_cpufreq_get_rate() does not check for
+this case, which results in a NULL pointer dereference.
+
+Add NULL check after cpufreq_cpu_get_raw() to prevent this issue.
+
+Fixes: 99d6bdf33877 ("cpufreq: add support for CPU DVFS based on SCMI message protocol")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Acked-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+[Shivani: Modified to apply on 5.10.y]
+Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/scmi-cpufreq.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/scmi-cpufreq.c
++++ b/drivers/cpufreq/scmi-cpufreq.c
+@@ -29,12 +29,18 @@ static const struct scmi_handle *handle;
+ static unsigned int scmi_cpufreq_get_rate(unsigned int cpu)
+ {
+-      struct cpufreq_policy *policy = cpufreq_cpu_get_raw(cpu);
++      struct cpufreq_policy *policy;
++      struct scmi_data *priv;
+       const struct scmi_perf_ops *perf_ops = handle->perf_ops;
+-      struct scmi_data *priv = policy->driver_data;
+       unsigned long rate;
+       int ret;
++      policy = cpufreq_cpu_get_raw(cpu);
++      if (unlikely(!policy))
++              return 0;
++
++      priv = policy->driver_data;
++
+       ret = perf_ops->freq_get(handle, priv->domain_id, &rate, false);
+       if (ret)
+               return 0;
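Review bot: The new early return in `scmi_cpufreq_get_rate()` hands callers 0 for a missing policy, the same value already returned when `freq_get()` fails, and nothing in the code says that the two cases are meant to be indistinguishable. A short comment above the check would record the intent, for example `/* No policy for this CPU (not in policy->cpus): report 0, same as a failed freq_get() */`. The check covers only `policy`. `policy->driver_data` is still dereferenced as `priv->domain_id` on the next statement, and whether it is always set for a policy returned by `cpufreq_cpu_get_raw()` depends on init code outside this hunk. The function body continues past the end of the hunk.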
diff --git a/queue-5.10/drm-gma500-remove-unused-helper-psb_fbdev_fb_setcolreg.patch b/queue-5.10/drm-gma500-remove-unused-helper-psb_fbdev_fb_setcolreg.patch
new file mode 100644 (file)
index 0000000..bc67980
--- /dev/null
@@ -0,0 +1,117 @@
+From stable+bounces-206185-greg=kroah.com@vger.kernel.org Wed Jan  7 17:44:01 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed,  7 Jan 2026 11:23:28 -0500
+Subject: drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg()
+To: stable@vger.kernel.org
+Cc: Thomas Zimmermann <tzimmermann@suse.de>, Patrik Jakobsson <patrik.r.jakobsson@gmail.com>, Stefan Christ <contact@stefanchrist.eu>, Daniel Vetter <daniel.vetter@ffwll.ch>, dri-devel@lists.freedesktop.org, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260107162328.4079503-1-sashal@kernel.org>
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit be729f9de6c64240645dc80a24162ac4d3fe00a8 ]
+
+Remove psb_fbdev_fb_setcolreg(), which hasn't been called in almost
+a decade.
+
+Gma500 commit 4d8d096e9ae8 ("gma500: introduce the framebuffer support
+code") added the helper psb_fbdev_fb_setcolreg() for setting the fbdev
+palette via fbdev's fb_setcolreg callback. Later
+commit 3da6c2f3b730 ("drm/gma500: use DRM_FB_HELPER_DEFAULT_OPS for
+fb_ops") set several default helpers for fbdev emulation, including
+fb_setcmap.
+
+The fbdev subsystem always prefers fb_setcmap over fb_setcolreg. [1]
+Hence, the gma500 code is no longer in use and gma500 has been using
+drm_fb_helper_setcmap() for several years without issues.
+
+Fixes: 3da6c2f3b730 ("drm/gma500: use DRM_FB_HELPER_DEFAULT_OPS for fb_ops")
+Cc: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Cc: Stefan Christ <contact@stefanchrist.eu>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v4.10+
+Link: https://elixir.bootlin.com/linux/v6.16.9/source/drivers/video/fbdev/core/fbcmap.c#L246 # [1]
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Acked-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://lore.kernel.org/r/20250929082338.18845-1-tzimmermann@suse.de
+[ adapted file path from fbdev.c to framebuffer.c and removed fb_setcolreg from three fb_ops structures ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/gma500/framebuffer.c |   44 -----------------------------------
+ 1 file changed, 44 deletions(-)
+
+--- a/drivers/gpu/drm/gma500/framebuffer.c
++++ b/drivers/gpu/drm/gma500/framebuffer.c
+@@ -34,47 +34,6 @@ static const struct drm_framebuffer_func
+       .create_handle = drm_gem_fb_create_handle,
+ };
+-#define CMAP_TOHW(_val, _width) ((((_val) << (_width)) + 0x7FFF - (_val)) >> 16)
+-
+-static int psbfb_setcolreg(unsigned regno, unsigned red, unsigned green,
+-                         unsigned blue, unsigned transp,
+-                         struct fb_info *info)
+-{
+-      struct drm_fb_helper *fb_helper = info->par;
+-      struct drm_framebuffer *fb = fb_helper->fb;
+-      uint32_t v;
+-
+-      if (!fb)
+-              return -ENOMEM;
+-
+-      if (regno > 255)
+-              return 1;
+-
+-      red = CMAP_TOHW(red, info->var.red.length);
+-      blue = CMAP_TOHW(blue, info->var.blue.length);
+-      green = CMAP_TOHW(green, info->var.green.length);
+-      transp = CMAP_TOHW(transp, info->var.transp.length);
+-
+-      v = (red << info->var.red.offset) |
+-          (green << info->var.green.offset) |
+-          (blue << info->var.blue.offset) |
+-          (transp << info->var.transp.offset);
+-
+-      if (regno < 16) {
+-              switch (fb->format->cpp[0] * 8) {
+-              case 16:
+-                      ((uint32_t *) info->pseudo_palette)[regno] = v;
+-                      break;
+-              case 24:
+-              case 32:
+-                      ((uint32_t *) info->pseudo_palette)[regno] = v;
+-                      break;
+-              }
+-      }
+-
+-      return 0;
+-}
+-
+ static int psbfb_pan(struct fb_var_screeninfo *var, struct fb_info *info)
+ {
+       struct drm_fb_helper *fb_helper = info->par;
+@@ -167,7 +126,6 @@ static int psbfb_mmap(struct fb_info *in
+ static const struct fb_ops psbfb_ops = {
+       .owner = THIS_MODULE,
+       DRM_FB_HELPER_DEFAULT_OPS,
+-      .fb_setcolreg = psbfb_setcolreg,
+       .fb_fillrect = drm_fb_helper_cfb_fillrect,
+       .fb_copyarea = psbfb_copyarea,
+       .fb_imageblit = drm_fb_helper_cfb_imageblit,
+@@ -178,7 +136,6 @@ static const struct fb_ops psbfb_ops = {
+ static const struct fb_ops psbfb_roll_ops = {
+       .owner = THIS_MODULE,
+       DRM_FB_HELPER_DEFAULT_OPS,
+-      .fb_setcolreg = psbfb_setcolreg,
+       .fb_fillrect = drm_fb_helper_cfb_fillrect,
+       .fb_copyarea = drm_fb_helper_cfb_copyarea,
+       .fb_imageblit = drm_fb_helper_cfb_imageblit,
+@@ -189,7 +146,6 @@ static const struct fb_ops psbfb_roll_op
+ static const struct fb_ops psbfb_unaccel_ops = {
+       .owner = THIS_MODULE,
+       DRM_FB_HELPER_DEFAULT_OPS,
+-      .fb_setcolreg = psbfb_setcolreg,
+       .fb_fillrect = drm_fb_helper_cfb_fillrect,
+       .fb_copyarea = drm_fb_helper_cfb_copyarea,
+       .fb_imageblit = drm_fb_helper_cfb_imageblit,
diff --git a/queue-5.10/kvm-arm64-sys_regs-disable-wuninitialized-const-pointer-warning.patch b/queue-5.10/kvm-arm64-sys_regs-disable-wuninitialized-const-pointer-warning.patch
deleted file mode 100644 (file)
index 8e6dc71..0000000
+++ /dev/null
@@ -1,58 +0,0 @@
-From justinstitt@google.com  Thu Jan  8 16:52:32 2026
-From: Justin Stitt <justinstitt@google.com>
-Date: Thu, 04 Dec 2025 12:44:48 -0800
-Subject: KVM: arm64: sys_regs: disable -Wuninitialized-const-pointer warning
-To: Marc Zyngier <maz@kernel.org>, Oliver Upton <oliver.upton@linux.dev>,  Alexandru Elisei <alexandru.elisei@arm.com>, Joey Gouly <joey.gouly@arm.com>,  Suzuki K Poulose <suzuki.poulose@arm.com>, Catalin Marinas <catalin.marinas@arm.com>,  Zenghui Yu <yuzenghui@huawei.com>, Will Deacon <will@kernel.org>,  Nathan Chancellor <nathan@kernel.org>, Christopher Covington <cov@codeaurora.org>
-Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu,  linux-kernel@vger.kernel.org, llvm@lists.linux.dev, stable@vger.kernel.org,  Justin Stitt <justinstitt@google.com>
-Message-ID: <20251204-b4-stable-disable-uninit-ptr-warn-5-15-v1-1-41212e2c6409@google.com>
-
-From: Justin Stitt <justinstitt@google.com>
-
-A new warning in Clang 22 [1] complains that @clidr passed to
-get_clidr_el1() is an uninitialized const pointer. get_clidr_el1()
-doesn't really care since it casts away the const-ness anyways -- it is
-a false positive.
-
-|  ../arch/arm64/kvm/sys_regs.c:2838:23: warning: variable 'clidr' is uninitialized when passed as a const pointer argument here [-Wuninitialized-const-pointer]
-|   2838 |         get_clidr_el1(NULL, &clidr); /* Ugly... */
-|        |                              ^~~~~
-
-This patch isn't needed for anything past 6.1 as this code section was
-reworked in Commit 7af0c2534f4c ("KVM: arm64: Normalize cache
-configuration"). Since there is no upstream equivalent, this patch just
-needs to be applied to 5.15.
-
-Disable this warning for sys_regs.o with an iron fist as it doesn't make
-sense to waste maintainer's time or potentially break builds by
-backporting large changelists from 6.2+.
-
-Cc: stable@vger.kernel.org
-Fixes: 7c8c5e6a9101e ("arm64: KVM: system register handling")
-Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d441f19b319e [1]
-Reviewed-by: Nathan Chancellor <nathan@kernel.org>
-Signed-off-by: Justin Stitt <justinstitt@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/arm64/kvm/Makefile | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/arch/arm64/kvm/Makefile b/arch/arm64/kvm/Makefile
-index 989bb5dad2c8..109cca425d3e 100644
---- a/arch/arm64/kvm/Makefile
-+++ b/arch/arm64/kvm/Makefile
-@@ -25,3 +25,6 @@ kvm-y := $(KVM)/kvm_main.o $(KVM)/coalesced_mmio.o $(KVM)/eventfd.o \
-        vgic/vgic-its.o vgic/vgic-debug.o
- kvm-$(CONFIG_HW_PERF_EVENTS)  += pmu-emul.o
-+
-+# Work around a false positive Clang 22 -Wuninitialized-const-pointer warning
-+CFLAGS_sys_regs.o := $(call cc-disable-warning, uninitialized-const-pointer)
-
----
-base-commit: 8bb7eca972ad531c9b149c0a51ab43a417385813
-change-id: 20250728-b4-stable-disable-uninit-ptr-warn-5-15-c0c9db3df206
-
-Best regards,
---
-Justin Stitt <justinstitt@google.com>
-
diff --git a/queue-5.10/leds-leds-lp50xx-enable-chip-before-any-communication.patch b/queue-5.10/leds-leds-lp50xx-enable-chip-before-any-communication.patch
new file mode 100644 (file)
index 0000000..109db2f
--- /dev/null
@@ -0,0 +1,151 @@
+From stable+bounces-204855-greg=kroah.com@vger.kernel.org Mon Jan  5 17:49:33 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  5 Jan 2026 11:48:08 -0500
+Subject: leds: leds-lp50xx: Enable chip before any communication
+To: stable@vger.kernel.org
+Cc: Christian Hitz <christian.hitz@bbv.ch>, Lee Jones <lee@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260105164808.2675734-4-sashal@kernel.org>
+
+From: Christian Hitz <christian.hitz@bbv.ch>
+
+[ Upstream commit 434959618c47efe9e5f2e20f4a850caac4f6b823 ]
+
+If a GPIO is used to control the chip's enable pin, it needs to be pulled
+high before any i2c communication is attempted.
+
+Currently, the enable GPIO handling is not correct.
+
+Assume the enable GPIO is low when the probe function is entered. In this
+case the device is in SHUTDOWN mode and does not react to i2c commands.
+
+During probe the following sequence happens:
+ 1. The call to lp50xx_reset() on line 548 has no effect as i2c is not
+    possible yet.
+ 2. Then - on line 552 - lp50xx_enable_disable() is called. As
+    "priv->enable_gpio“ has not yet been initialized, setting the GPIO has
+    no effect. Also the i2c enable command is not executed as the device
+    is still in SHUTDOWN.
+ 3. On line 556 the call to lp50xx_probe_dt() finally parses the rest of
+    the DT and the configured priv->enable_gpio is set up.
+
+As a result the device is still in SHUTDOWN mode and not ready for
+operation.
+
+Split lp50xx_enable_disable() into distinct enable and disable functions
+to enforce correct ordering between enable_gpio manipulations and i2c
+commands.
+Read enable_gpio configuration from DT before attempting to manipulate
+enable_gpio.
+Add delays to observe correct wait timing after manipulating enable_gpio
+and before any i2c communication.
+
+Cc: stable@vger.kernel.org
+Fixes: 242b81170fb8 ("leds: lp50xx: Add the LP50XX family of the RGB LED driver")
+Signed-off-by: Christian Hitz <christian.hitz@bbv.ch>
+Link: https://patch.msgid.link/20251028155141.1603193-1-christian@klarinett.li
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/leds/leds-lp50xx.c |   55 ++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 40 insertions(+), 15 deletions(-)
+
+--- a/drivers/leds/leds-lp50xx.c
++++ b/drivers/leds/leds-lp50xx.c
+@@ -53,6 +53,12 @@
+ #define LP50XX_SW_RESET               0xff
+ #define LP50XX_CHIP_EN                BIT(6)
++#define LP50XX_CHIP_DISABLE   0x00
++#define LP50XX_START_TIME_US  500
++#define LP50XX_RESET_TIME_US  3
++
++#define LP50XX_EN_GPIO_LOW    0
++#define LP50XX_EN_GPIO_HIGH   1
+ /* There are 3 LED outputs per bank */
+ #define LP50XX_LEDS_PER_MODULE        3
+@@ -376,19 +382,42 @@ static int lp50xx_reset(struct lp50xx *p
+       return regmap_write(priv->regmap, priv->chip_info->reset_reg, LP50XX_SW_RESET);
+ }
+-static int lp50xx_enable_disable(struct lp50xx *priv, int enable_disable)
++static int lp50xx_enable(struct lp50xx *priv)
+ {
+       int ret;
+-      ret = gpiod_direction_output(priv->enable_gpio, enable_disable);
++      if (priv->enable_gpio) {
++              ret = gpiod_direction_output(priv->enable_gpio, LP50XX_EN_GPIO_HIGH);
++              if (ret)
++                      return ret;
++
++              udelay(LP50XX_START_TIME_US);
++      }
++
++      ret = lp50xx_reset(priv);
+       if (ret)
+               return ret;
+-      if (enable_disable)
+-              return regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_EN);
+-      else
+-              return regmap_write(priv->regmap, LP50XX_DEV_CFG0, 0);
++      return regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_EN);
++}
++static int lp50xx_disable(struct lp50xx *priv)
++{
++      int ret;
++
++      ret = regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_DISABLE);
++      if (ret)
++              return ret;
++
++      if (priv->enable_gpio) {
++              ret = gpiod_direction_output(priv->enable_gpio, LP50XX_EN_GPIO_LOW);
++              if (ret)
++                      return ret;
++
++              udelay(LP50XX_RESET_TIME_US);
++      }
++
++      return 0;
+ }
+ static int lp50xx_probe_leds(struct fwnode_handle *child, struct lp50xx *priv,
+@@ -458,6 +487,10 @@ static int lp50xx_probe_dt(struct lp50xx
+               return ret;
+       }
++      ret = lp50xx_enable(priv);
++      if (ret)
++              return ret;
++
+       priv->regulator = devm_regulator_get(priv->dev, "vled");
+       if (IS_ERR(priv->regulator))
+               priv->regulator = NULL;
+@@ -565,14 +598,6 @@ static int lp50xx_probe(struct i2c_clien
+               return ret;
+       }
+-      ret = lp50xx_reset(led);
+-      if (ret)
+-              return ret;
+-
+-      ret = lp50xx_enable_disable(led, 1);
+-      if (ret)
+-              return ret;
+-
+       return lp50xx_probe_dt(led);
+ }
+@@ -581,7 +606,7 @@ static int lp50xx_remove(struct i2c_clie
+       struct lp50xx *led = i2c_get_clientdata(client);
+       int ret;
+-      ret = lp50xx_enable_disable(led, 0);
++      ret = lp50xx_disable(led);
+       if (ret)
+               dev_err(led->dev, "Failed to disable chip\n");
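Review bot: `lp50xx_disable()` returns as soon as the `regmap_write()` of `LP50XX_CHIP_DISABLE` fails, so the enable GPIO is never driven low in exactly the case where I2C is not working and the pin is the only remaining way to shut the chip down. `lp50xx_remove()` only logs the error and carries on, so the device would be left enabled after unbind. The disable path should attempt the GPIO step regardless and return the first error, as sketched below. Separately, `udelay(LP50XX_START_TIME_US)` busy-waits for 500 µs in what appears to be a sleepable probe path; `usleep_range(LP50XX_START_TIME_US, 2 * LP50XX_START_TIME_US)` would avoid spinning.

```c
static int lp50xx_disable(struct lp50xx *priv)
{
	int ret, gpio_ret;

	/* Keep going on an I2C failure so the enable pin is still driven low. */
	ret = regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_DISABLE);

	if (priv->enable_gpio) {
		gpio_ret = gpiod_direction_output(priv->enable_gpio, LP50XX_EN_GPIO_LOW);
		if (gpio_ret)
			return ret ? ret : gpio_ret;

		udelay(LP50XX_RESET_TIME_US);
	}

	return ret;
}
```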
diff --git a/queue-5.10/leds-lp50xx-get-rid-of-redundant-check-in-lp50xx_enable_disable.patch b/queue-5.10/leds-lp50xx-get-rid-of-redundant-check-in-lp50xx_enable_disable.patch
new file mode 100644 (file)
index 0000000..09d70fb
--- /dev/null
@@ -0,0 +1,41 @@
+From stable+bounces-204853-greg=kroah.com@vger.kernel.org Mon Jan  5 17:53:40 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  5 Jan 2026 11:48:06 -0500
+Subject: leds: lp50xx: Get rid of redundant check in lp50xx_enable_disable()
+To: stable@vger.kernel.org
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>, Pavel Machek <pavel@ucw.cz>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260105164808.2675734-2-sashal@kernel.org>
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 5d2bfb3fb95b2d448c0fbcaa2c58b215b2fa87fc ]
+
+Since GPIO is optional the API is NULL aware and will check descriptor anyway.
+Remove duplicate redundant check in lp50xx_enable_disable().
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Stable-dep-of: 434959618c47 ("leds: leds-lp50xx: Enable chip before any communication")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/leds/leds-lp50xx.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/leds/leds-lp50xx.c
++++ b/drivers/leds/leds-lp50xx.c
+@@ -380,11 +380,9 @@ static int lp50xx_enable_disable(struct
+ {
+       int ret;
+-      if (priv->enable_gpio) {
+-              ret = gpiod_direction_output(priv->enable_gpio, enable_disable);
+-              if (ret)
+-                      return ret;
+-      }
++      ret = gpiod_direction_output(priv->enable_gpio, enable_disable);
++      if (ret)
++              return ret;
+       if (enable_disable)
+               return regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_EN);
diff --git a/queue-5.10/leds-lp50xx-reduce-level-of-dereferences.patch b/queue-5.10/leds-lp50xx-reduce-level-of-dereferences.patch
new file mode 100644 (file)
index 0000000..2e45987
--- /dev/null
@@ -0,0 +1,126 @@
+From stable+bounces-204852-greg=kroah.com@vger.kernel.org Mon Jan  5 18:06:55 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  5 Jan 2026 11:48:05 -0500
+Subject: leds: lp50xx: Reduce level of dereferences
+To: stable@vger.kernel.org
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>, Pavel Machek <pavel@ucw.cz>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260105164808.2675734-1-sashal@kernel.org>
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 556f15fe023ec1d9f9cd2781ba6cd14bda650d22 ]
+
+The priv->dev is effectively the same as &priv->client->dev.
+So, drop the latter for the former.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Stable-dep-of: 434959618c47 ("leds: leds-lp50xx: Enable chip before any communication")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/leds/leds-lp50xx.c |   26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+--- a/drivers/leds/leds-lp50xx.c
++++ b/drivers/leds/leds-lp50xx.c
+@@ -322,7 +322,7 @@ static int lp50xx_brightness_set(struct
+       ret = regmap_write(led->priv->regmap, reg_val, brightness);
+       if (ret) {
+-              dev_err(&led->priv->client->dev,
++              dev_err(led->priv->dev,
+                       "Cannot write brightness value %d\n", ret);
+               goto out;
+       }
+@@ -338,7 +338,7 @@ static int lp50xx_brightness_set(struct
+               ret = regmap_write(led->priv->regmap, reg_val,
+                                  mc_dev->subled_info[i].intensity);
+               if (ret) {
+-                      dev_err(&led->priv->client->dev,
++                      dev_err(led->priv->dev,
+                               "Cannot write intensity value %d\n", ret);
+                       goto out;
+               }
+@@ -402,7 +402,7 @@ static int lp50xx_probe_leds(struct fwno
+       if (num_leds > 1) {
+               if (num_leds > priv->chip_info->max_modules) {
+-                      dev_err(&priv->client->dev, "reg property is invalid\n");
++                      dev_err(priv->dev, "reg property is invalid\n");
+                       return -EINVAL;
+               }
+@@ -410,13 +410,13 @@ static int lp50xx_probe_leds(struct fwno
+               ret = fwnode_property_read_u32_array(child, "reg", led_banks, num_leds);
+               if (ret) {
+-                      dev_err(&priv->client->dev, "reg property is missing\n");
++                      dev_err(priv->dev, "reg property is missing\n");
+                       return ret;
+               }
+               ret = lp50xx_set_banks(priv, led_banks, num_leds);
+               if (ret) {
+-                      dev_err(&priv->client->dev, "Cannot setup banked LEDs\n");
++                      dev_err(priv->dev, "Cannot setup banked LEDs\n");
+                       return ret;
+               }
+@@ -424,12 +424,12 @@ static int lp50xx_probe_leds(struct fwno
+       } else {
+               ret = fwnode_property_read_u32(child, "reg", &led_number);
+               if (ret) {
+-                      dev_err(&priv->client->dev, "led reg property missing\n");
++                      dev_err(priv->dev, "led reg property missing\n");
+                       return ret;
+               }
+               if (led_number > priv->chip_info->num_leds) {
+-                      dev_err(&priv->client->dev, "led-sources property is invalid\n");
++                      dev_err(priv->dev, "led-sources property is invalid\n");
+                       return -EINVAL;
+               }
+@@ -468,7 +468,7 @@ static int lp50xx_probe_dt(struct lp50xx
+               led = &priv->leds[i];
+               ret = fwnode_property_count_u32(child, "reg");
+               if (ret < 0) {
+-                      dev_err(&priv->client->dev, "reg property is invalid\n");
++                      dev_err(priv->dev, "reg property is invalid\n");
+                       goto child_out;
+               }
+@@ -518,12 +518,11 @@ static int lp50xx_probe_dt(struct lp50xx
+               led_cdev = &led->mc_cdev.led_cdev;
+               led_cdev->brightness_set_blocking = lp50xx_brightness_set;
+-              ret = devm_led_classdev_multicolor_register_ext(&priv->client->dev,
++              ret = devm_led_classdev_multicolor_register_ext(priv->dev,
+                                                      &led->mc_cdev,
+                                                      &init_data);
+               if (ret) {
+-                      dev_err(&priv->client->dev, "led register err: %d\n",
+-                              ret);
++                      dev_err(priv->dev, "led register err: %d\n", ret);
+                       goto child_out;
+               }
+               i++;
+@@ -586,15 +585,14 @@ static int lp50xx_remove(struct i2c_clie
+       ret = lp50xx_enable_disable(led, 0);
+       if (ret) {
+-              dev_err(&led->client->dev, "Failed to disable chip\n");
++              dev_err(led->dev, "Failed to disable chip\n");
+               return ret;
+       }
+       if (led->regulator) {
+               ret = regulator_disable(led->regulator);
+               if (ret)
+-                      dev_err(&led->client->dev,
+-                              "Failed to disable regulator\n");
++                      dev_err(led->dev, "Failed to disable regulator\n");
+       }
+       mutex_destroy(&led->lock);
diff --git a/queue-5.10/leds-lp50xx-remove-duplicated-error-reporting-in-.remove.patch b/queue-5.10/leds-lp50xx-remove-duplicated-error-reporting-in-.remove.patch
new file mode 100644 (file)
index 0000000..901e6a6
--- /dev/null
@@ -0,0 +1,47 @@
+From stable+bounces-204854-greg=kroah.com@vger.kernel.org Mon Jan  5 18:06:59 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  5 Jan 2026 11:48:07 -0500
+Subject: leds: lp50xx: Remove duplicated error reporting in .remove()
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>, "Pavel Machek" <pavel@ucw.cz>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20260105164808.2675734-3-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 73bce575ed90c752eaa4b2b9a70860481d58d240 ]
+
+Returning an error value from an i2c remove callback results in an error
+message being emitted by the i2c core, but otherwise it doesn't make a
+difference. The device goes away anyhow and the devm cleanups are
+called.
+
+As stk3310_set_state() already emits an error message on failure and the
+additional error message by the i2c core doesn't add any useful
+information, don't pass the error value up the stack. Instead continue
+to clean up and return 0.
+
+This patch is a preparation for making i2c remove callbacks return void.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Stable-dep-of: 434959618c47 ("leds: leds-lp50xx: Enable chip before any communication")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/leds/leds-lp50xx.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/leds/leds-lp50xx.c
++++ b/drivers/leds/leds-lp50xx.c
+@@ -582,10 +582,8 @@ static int lp50xx_remove(struct i2c_clie
+       int ret;
+       ret = lp50xx_enable_disable(led, 0);
+-      if (ret) {
++      if (ret)
+               dev_err(led->dev, "Failed to disable chip\n");
+-              return ret;
+-      }
+       if (led->regulator) {
+               ret = regulator_disable(led->regulator);
diff --git a/queue-5.10/lockd-fix-vfs_test_lock-calls.patch b/queue-5.10/lockd-fix-vfs_test_lock-calls.patch
new file mode 100644 (file)
index 0000000..80acb58
--- /dev/null
@@ -0,0 +1,182 @@
+From stable+bounces-206058-greg=kroah.com@vger.kernel.org Wed Jan  7 00:58:22 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue,  6 Jan 2026 18:58:16 -0500
+Subject: lockd: fix vfs_test_lock() calls
+To: stable@vger.kernel.org
+Cc: NeilBrown <neil@brown.name>, Olga Kornievskaia <okorniev@redhat.com>, Jeff Layton <jlayton@kernel.org>, Chuck Lever <chuck.lever@oracle.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260106235816.3462079-1-sashal@kernel.org>
+
+From: NeilBrown <neil@brown.name>
+
+[ Upstream commit a49a2a1baa0c553c3548a1c414b6a3c005a8deba ]
+
+Usage of vfs_test_lock() is somewhat confused.  Documentation suggests
+it is given a "lock" but this is not the case.  It is given a struct
+file_lock which contains some details of the sort of lock it should be
+looking for.
+
+In particular passing a "file_lock" containing fl_lmops or fl_ops is
+meaningless and possibly confusing.
+
+This is particularly problematic in lockd.  nlmsvc_testlock() receives
+an initialised "file_lock" from xdr-decode, including manager ops and an
+owner.  It then mistakenly passes this to vfs_test_lock() which might
+replace the owner and the ops.  This can lead to confusion when freeing
+the lock.
+
+The primary role of the 'struct file_lock' passed to vfs_test_lock() is
+to report a conflicting lock that was found, so it makes more sense for
+nlmsvc_testlock() to pass "conflock", which it uses for returning the
+conflicting lock.
+
+With this change, freeing of the lock is not confused and code in
+__nlm4svc_proc_test() and __nlmsvc_proc_test() can be simplified.
+
+Documentation for vfs_test_lock() is improved to reflect its real
+purpose, and a WARN_ON_ONCE() is added to avoid a similar problem in the
+future.
+
+Reported-by: Olga Kornievskaia <okorniev@redhat.com>
+Closes: https://lore.kernel.org/all/20251021130506.45065-1-okorniev@redhat.com
+Signed-off-by: NeilBrown <neil@brown.name>
+Fixes: 20fa19027286 ("nfs: add export operations")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+[ adapted c.flc_* field accesses to direct fl_* fields ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/lockd/svc4proc.c |    4 +---
+ fs/lockd/svclock.c  |   21 ++++++++++++---------
+ fs/lockd/svcproc.c  |    5 +----
+ fs/locks.c          |   13 +++++++++++--
+ 4 files changed, 25 insertions(+), 18 deletions(-)
+
+--- a/fs/lockd/svc4proc.c
++++ b/fs/lockd/svc4proc.c
+@@ -96,7 +96,6 @@ __nlm4svc_proc_test(struct svc_rqst *rqs
+       struct nlm_args *argp = rqstp->rq_argp;
+       struct nlm_host *host;
+       struct nlm_file *file;
+-      struct nlm_lockowner *test_owner;
+       __be32 rc = rpc_success;
+       dprintk("lockd: TEST4        called\n");
+@@ -106,7 +105,6 @@ __nlm4svc_proc_test(struct svc_rqst *rqs
+       if ((resp->status = nlm4svc_retrieve_args(rqstp, argp, &host, &file)))
+               return resp->status == nlm_drop_reply ? rpc_drop_reply :rpc_success;
+-      test_owner = argp->lock.fl.fl_owner;
+       /* Now check for conflicting locks */
+       resp->status = nlmsvc_testlock(rqstp, file, host, &argp->lock, &resp->lock, &resp->cookie);
+       if (resp->status == nlm_drop_reply)
+@@ -114,7 +112,7 @@ __nlm4svc_proc_test(struct svc_rqst *rqs
+       else
+               dprintk("lockd: TEST4        status %d\n", ntohl(resp->status));
+-      nlmsvc_put_lockowner(test_owner);
++      nlmsvc_release_lockowner(&argp->lock);
+       nlmsvc_release_host(host);
+       nlm_release_file(file);
+       return rc;
+--- a/fs/lockd/svclock.c
++++ b/fs/lockd/svclock.c
+@@ -604,7 +604,13 @@ nlmsvc_testlock(struct svc_rqst *rqstp,
+       }
+       mode = lock_to_openmode(&lock->fl);
+-      error = vfs_test_lock(file->f_file[mode], &lock->fl);
++      locks_init_lock(&conflock->fl);
++      /* vfs_test_lock only uses start, end, and owner, but tests fl_file */
++      conflock->fl.fl_file = lock->fl.fl_file;
++      conflock->fl.fl_start = lock->fl.fl_start;
++      conflock->fl.fl_end = lock->fl.fl_end;
++      conflock->fl.fl_owner = lock->fl.fl_owner;
++      error = vfs_test_lock(file->f_file[mode], &conflock->fl);
+       if (error) {
+               /* We can't currently deal with deferred test requests */
+               if (error == FILE_LOCK_DEFERRED)
+@@ -614,22 +620,19 @@ nlmsvc_testlock(struct svc_rqst *rqstp,
+               goto out;
+       }
+-      if (lock->fl.fl_type == F_UNLCK) {
++      if (conflock->fl.fl_type == F_UNLCK) {
+               ret = nlm_granted;
+               goto out;
+       }
+       dprintk("lockd: conflicting lock(ty=%d, %Ld-%Ld)\n",
+-              lock->fl.fl_type, (long long)lock->fl.fl_start,
+-              (long long)lock->fl.fl_end);
++              conflock->fl.fl_type, (long long)conflock->fl.fl_start,
++              (long long)conflock->fl.fl_end);
+       conflock->caller = "somehost";  /* FIXME */
+       conflock->len = strlen(conflock->caller);
+       conflock->oh.len = 0;           /* don't return OH info */
+-      conflock->svid = lock->fl.fl_pid;
+-      conflock->fl.fl_type = lock->fl.fl_type;
+-      conflock->fl.fl_start = lock->fl.fl_start;
+-      conflock->fl.fl_end = lock->fl.fl_end;
+-      locks_release_private(&lock->fl);
++      conflock->svid = conflock->fl.fl_pid;
++      locks_release_private(&conflock->fl);
+       ret = nlm_lck_denied;
+ out:
+--- a/fs/lockd/svcproc.c
++++ b/fs/lockd/svcproc.c
+@@ -117,7 +117,6 @@ __nlmsvc_proc_test(struct svc_rqst *rqst
+       struct nlm_args *argp = rqstp->rq_argp;
+       struct nlm_host *host;
+       struct nlm_file *file;
+-      struct nlm_lockowner *test_owner;
+       __be32 rc = rpc_success;
+       dprintk("lockd: TEST          called\n");
+@@ -127,8 +126,6 @@ __nlmsvc_proc_test(struct svc_rqst *rqst
+       if ((resp->status = nlmsvc_retrieve_args(rqstp, argp, &host, &file)))
+               return resp->status == nlm_drop_reply ? rpc_drop_reply :rpc_success;
+-      test_owner = argp->lock.fl.fl_owner;
+-
+       /* Now check for conflicting locks */
+       resp->status = cast_status(nlmsvc_testlock(rqstp, file, host, &argp->lock, &resp->lock, &resp->cookie));
+       if (resp->status == nlm_drop_reply)
+@@ -137,7 +134,7 @@ __nlmsvc_proc_test(struct svc_rqst *rqst
+               dprintk("lockd: TEST          status %d vers %d\n",
+                       ntohl(resp->status), rqstp->rq_vers);
+-      nlmsvc_put_lockowner(test_owner);
++      nlmsvc_release_lockowner(&argp->lock);
+       nlmsvc_release_host(host);
+       nlm_release_file(file);
+       return rc;
+--- a/fs/locks.c
++++ b/fs/locks.c
+@@ -2325,13 +2325,22 @@ SYSCALL_DEFINE2(flock, unsigned int, fd,
+ /**
+  * vfs_test_lock - test file byte range lock
+  * @filp: The file to test lock for
+- * @fl: The lock to test; also used to hold result
++ * @fl: The byte-range in the file to test; also used to hold result
+  *
++ * On entry, @fl does not contain a lock, but identifies a range (fl_start, fl_end)
++ * in the file (c.flc_file), and an owner (c.flc_owner) for whom existing locks
++ * should be ignored.  c.flc_type and c.flc_flags are ignored.
++ * Both fl_lmops and fl_ops in @fl must be NULL.
+  * Returns -ERRNO on failure.  Indicates presence of conflicting lock by
+- * setting conf->fl_type to something other than F_UNLCK.
++ * setting fl->fl_type to something other than F_UNLCK.
++ *
++ * If vfs_test_lock() does find a lock and return it, the caller must
++ * use locks_free_lock() or locks_release_private() on the returned lock.
+  */
+ int vfs_test_lock(struct file *filp, struct file_lock *fl)
+ {
++      WARN_ON_ONCE(fl->fl_ops || fl->fl_lmops);
++      WARN_ON_ONCE(filp != fl->fl_file);
+       if (filp->f_op->lock)
+               return filp->f_op->lock(filp, F_GETLK, fl);
+       posix_test_lock(filp, fl);
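Review bot: In `nlmsvc_testlock()` the request's `fl_file`, `fl_start`, `fl_end` and `fl_owner` are copied into `conflock->fl`, but `fl_type` is not, so the test runs with whatever `locks_init_lock()` leaves in that field. The added kernel-doc says the type is ignored, but `posix_test_lock()` and the filesystems' `->lock(F_GETLK)` handlers are outside these hunks. If any of them distinguishes a shared from an exclusive request, an exclusive NLM TEST could miss a conflicting shared lock. In that case add `conflock->fl.fl_type = lock->fl.fl_type;` before the `vfs_test_lock()` call. The same kernel-doc still names `c.flc_file`, `c.flc_owner`, `c.flc_type` and `c.flc_flags`, although the bracketed backport note says accesses were adapted to the direct `fl_*` fields. For this tree it should read `fl_file`, `fl_owner`, `fl_type` and `fl_flags`.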
diff --git a/queue-5.10/media-mediatek-vcodec-fix-a-reference-leak-in-mtk_vcodec_fw_vpu_init.patch b/queue-5.10/media-mediatek-vcodec-fix-a-reference-leak-in-mtk_vcodec_fw_vpu_init.patch
new file mode 100644 (file)
index 0000000..c432e7e
--- /dev/null
@@ -0,0 +1,47 @@
+From stable+bounces-204973-greg=kroah.com@vger.kernel.org Tue Jan  6 01:55:49 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  5 Jan 2026 19:55:31 -0500
+Subject: media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init()
+To: stable@vger.kernel.org
+Cc: Haoxiang Li <haoxiang_li2024@163.com>, AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>, Tzung-Bi Shih <tzungbi@kernel.org>, Nicolas Dufresne <nicolas.dufresne@collabora.com>, Hans Verkuil <hverkuil+cisco@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260106005531.2866023-1-sashal@kernel.org>
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+[ Upstream commit cdd0f118ef87db8a664fb5ea366fd1766d2df1cd ]
+
+vpu_get_plat_device() increases the reference count of the returned
+platform device. However, when devm_kzalloc() fails, the reference
+is not released, causing a reference leak.
+
+Fix this by calling put_device() on fw_pdev->dev before returning
+on the error path.
+
+Fixes: e25a89f743b1 ("media: mtk-vcodec: potential dereference of null pointer")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+[ adapted file path from common/ subdirectory and adjusted devm_kzalloc target from plat_dev->dev to dev->plat_dev->dev ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c
++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c
+@@ -94,8 +94,10 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_vpu_
+       vpu_wdt_reg_handler(fw_pdev, mtk_vcodec_vpu_reset_handler, dev, rst_id);
+       fw = devm_kzalloc(&dev->plat_dev->dev, sizeof(*fw), GFP_KERNEL);
+-      if (!fw)
++      if (!fw) {
++              put_device(&fw_pdev->dev);
+               return ERR_PTR(-ENOMEM);
++      }
+       fw->type = VPU;
+       fw->ops = &mtk_vcodec_vpu_msg;
+       fw->pdev = fw_pdev;
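Review bot: The new `-ENOMEM` branch after `devm_kzalloc()` drops the device reference but leaves in place the handler that `vpu_wdt_reg_handler(fw_pdev, mtk_vcodec_vpu_reset_handler, dev, rst_id)` registered one line earlier, so the VPU device may still hold a callback whose argument is `dev` after init has failed. Whether a later teardown clears that registration cannot be seen from this hunk, so treat this as a point to confirm rather than a proven defect. Allocating `fw` before the `vpu_wdt_reg_handler()` call would leave the failure path with only `put_device(&fw_pdev->dev);` to undo. The body of mtk_vcodec_fw_vpu_init() starts and ends outside the hunk.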
diff --git a/queue-5.10/media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch b/queue-5.10/media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch
new file mode 100644 (file)
index 0000000..e2fc34c
--- /dev/null
@@ -0,0 +1,48 @@
+From stable+bounces-204922-greg=kroah.com@vger.kernel.org Mon Jan  5 21:40:56 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  5 Jan 2026 15:40:38 -0500
+Subject: media: samsung: exynos4-is: fix potential ABBA deadlock on init
+To: stable@vger.kernel.org
+Cc: Marek Szyprowski <m.szyprowski@samsung.com>, Sylwester Nawrocki <s.nawrocki@samsung.com>, Hans Verkuil <hverkuil+cisco@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260105204038.2787172-1-sashal@kernel.org>
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit 17dc8ccd6dd5ffe30aa9b0d36e2af1389344ce2b ]
+
+v4l2_device_register_subdev_nodes() must called without taking
+media_dev->graph_mutex to avoid potential AB-BA deadlock on further
+subdevice driver initialization.
+
+Fixes: fa91f1056f17 ("[media] exynos4-is: Add support for asynchronous subdevices registration")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Acked-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/exynos4-is/media-dev.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/platform/exynos4-is/media-dev.c
++++ b/drivers/media/platform/exynos4-is/media-dev.c
+@@ -1409,12 +1409,14 @@ static int subdev_notifier_complete(stru
+       mutex_lock(&fmd->media_dev.graph_mutex);
+       ret = fimc_md_create_links(fmd);
+-      if (ret < 0)
+-              goto unlock;
++      if (ret < 0) {
++              mutex_unlock(&fmd->media_dev.graph_mutex);
++              return ret;
++      }
+-      ret = v4l2_device_register_subdev_nodes(&fmd->v4l2_dev);
+-unlock:
+       mutex_unlock(&fmd->media_dev.graph_mutex);
++
++      ret = v4l2_device_register_subdev_nodes(&fmd->v4l2_dev);
+       if (ret < 0)
+               return ret;
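Review bot: Nothing in the new code of subdev_notifier_complete() records why `v4l2_device_register_subdev_nodes()` now runs after `mutex_unlock(&fmd->media_dev.graph_mutex)`, so a later cleanup could fold the call back under the lock and restore the AB-BA ordering the commit message describes. A one-line comment above the call would pin the rule, for example `/* Must run without graph_mutex held: subdev driver init can deadlock against it (AB-BA) */`. The function starts and ends outside the hunk.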
diff --git a/queue-5.10/media-vpif_capture-fix-section-mismatch.patch b/queue-5.10/media-vpif_capture-fix-section-mismatch.patch
new file mode 100644 (file)
index 0000000..166b0c0
--- /dev/null
@@ -0,0 +1,50 @@
+From stable+bounces-204935-greg=kroah.com@vger.kernel.org Mon Jan  5 22:21:28 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  5 Jan 2026 16:17:47 -0500
+Subject: media: vpif_capture: fix section mismatch
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan@kernel.org>, Hans Verkuil <hverkuil+cisco@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260105211747.2802180-1-sashal@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 0ef841113724166c3c484d0e9ae6db1eb5634fde ]
+
+Platform drivers can be probed after their init sections have been
+discarded (e.g. on probe deferral or manual rebind through sysfs) so the
+probe function must not live in init.
+
+Note that commit ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section
+mismatch warning") incorrectly suppressed the modpost warning.
+
+Fixes: ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section mismatch warning")
+Fixes: 6ffefff5a9e7 ("V4L/DVB (12906c): V4L : vpif capture driver for DM6467")
+Cc: stable@vger.kernel.org     # 2.6.32
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/davinci/vpif_capture.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/platform/davinci/vpif_capture.c
++++ b/drivers/media/platform/davinci/vpif_capture.c
+@@ -1614,7 +1614,7 @@ err_cleanup:
+  * This creates device entries by register itself to the V4L2 driver and
+  * initializes fields of each channel objects
+  */
+-static __init int vpif_probe(struct platform_device *pdev)
++static int vpif_probe(struct platform_device *pdev)
+ {
+       struct vpif_subdev_info *subdevdata;
+       struct i2c_adapter *i2c_adap;
+@@ -1817,7 +1817,7 @@ static int vpif_resume(struct device *de
+ static SIMPLE_DEV_PM_OPS(vpif_pm_ops, vpif_suspend, vpif_resume);
+-static __refdata struct platform_driver vpif_driver = {
++static struct platform_driver vpif_driver = {
+       .driver = {
+               .name   = VPIF_DRIVER_NAME,
+               .pm     = &vpif_pm_ops,
diff --git a/queue-5.10/mm-balloon_compaction-convert-balloon_page_delete-to-balloon_page_finalize.patch b/queue-5.10/mm-balloon_compaction-convert-balloon_page_delete-to-balloon_page_finalize.patch
new file mode 100644 (file)
index 0000000..d4b488a
--- /dev/null
@@ -0,0 +1,225 @@
+From stable+bounces-204903-greg=kroah.com@vger.kernel.org Mon Jan  5 20:41:13 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  5 Jan 2026 14:40:56 -0500
+Subject: mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize()
+To: stable@vger.kernel.org
+Cc: "David Hildenbrand" <david@redhat.com>, "Lorenzo Stoakes" <lorenzo.stoakes@oracle.com>, "Alistair Popple" <apopple@nvidia.com>, "Al Viro" <viro@zeniv.linux.org.uk>, "Arnd Bergmann" <arnd@arndb.de>, "Brendan Jackman" <jackmanb@google.com>, "Byungchul Park" <byungchul@sk.com>, "Chengming Zhou" <chengming.zhou@linux.dev>, "Christian Brauner" <brauner@kernel.org>, "Christophe Leroy" <christophe.leroy@csgroup.eu>, "Eugenio Pé rez" <eperezma@redhat.com>, "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, "Gregory Price" <gourry@gourry.net>, "Harry Yoo" <harry.yoo@oracle.com>, "Huang, Ying" <ying.huang@linux.alibaba.com>, "Jan Kara" <jack@suse.cz>, "Jason Gunthorpe" <jgg@ziepe.ca>, "Jason Wang" <jasowang@redhat.com>, "Jerrin Shaji George" <jerrin.shaji-george@broadcom.com>, "Johannes Weiner" <hannes@cmpxchg.org>, "John Hubbard" <jhubbard@nvidia.com>, "Jonathan Corbet" <corbet@lwn.net>, "Joshua Hahn" <joshua.hahnjy@gmail.com>, "Liam Howlett" <liam.howlett@oracle.com>, "Madhavan Srinivasan" <maddy@linux.ibm.com>, "Mathew Brost" <matthew.brost@intel.com>, "Matthew Wilcox (Oracle)" <willy@infradead.org>, "Miaohe Lin" <linmiaohe@huawei.com>, "Michael Ellerman" <mpe@ellerman.id.au>, "Michael S. Tsirkin" <mst@redhat.com>, "Michal Hocko" <mhocko@suse.com>, "Mike Rapoport" <rppt@kernel.org>, "Minchan Kim" <minchan@kernel.org>, "Naoya Horiguchi" <nao.horiguchi@gmail.com>, "Nicholas Piggin" <npiggin@gmail.com>, "Oscar Salvador" <osalvador@suse.de>, "Peter Xu" <peterx@redhat.com>, "Qi Zheng" <zhengqi.arch@bytedance.com>, "Rakie Kim" <rakie.kim@sk.com>, "Rik van Riel" <riel@surriel.com>, "Sergey Senozhatsky" <senozhatsky@chromium.org>, "Shakeel Butt" <shakeel.butt@linux.dev>, "Suren Baghdasaryan" <surenb@google.com>, "Vlastimil Babka" <vbabka@suse.cz>, "Xuan Zhuo" <xuanzhuo@linux.alibaba.com>, "xu xin" <xu.xin16@zte.com.cn>, "Zi Yan" <ziy@nvidia.com>, "Andrew Morton" <akpm@linux-foundation.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20260105194057.2747929-3-sashal@kernel.org>
+
+From: David Hildenbrand <david@redhat.com>
+
+[ Upstream commit 15504b1163007bbfbd9a63460d5c14737c16e96d ]
+
+Let's move the removal of the page from the balloon list into the single
+caller, to remove the dependency on the PG_isolated flag and clarify
+locking requirements.
+
+Note that for now, balloon_page_delete() was used on two paths:
+
+(1) Removing a page from the balloon for deflation through
+    balloon_page_list_dequeue()
+(2) Removing an isolated page from the balloon for migration in the
+    per-driver migration handlers. Isolated pages were already removed from
+    the balloon list during isolation.
+
+So instead of relying on the flag, we can just distinguish both cases
+directly and handle it accordingly in the caller.
+
+We'll shuffle the operations a bit such that they logically make more
+sense (e.g., remove from the list before clearing flags).
+
+In balloon migration functions we can now move the balloon_page_finalize()
+out of the balloon lock and perform the finalization just before dropping
+the balloon reference.
+
+Document that the page lock is currently required when modifying the
+movability aspects of a page; hopefully we can soon decouple this from the
+page lock.
+
+Link: https://lkml.kernel.org/r/20250704102524.326966-3-david@redhat.com
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: Alistair Popple <apopple@nvidia.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Brendan Jackman <jackmanb@google.com>
+Cc: Byungchul Park <byungchul@sk.com>
+Cc: Chengming Zhou <chengming.zhou@linux.dev>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Eugenio Pé rez <eperezma@redhat.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Gregory Price <gourry@gourry.net>
+Cc: Harry Yoo <harry.yoo@oracle.com>
+Cc: "Huang, Ying" <ying.huang@linux.alibaba.com>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Jason Gunthorpe <jgg@ziepe.ca>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: Jerrin Shaji George <jerrin.shaji-george@broadcom.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Joshua Hahn <joshua.hahnjy@gmail.com>
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
+Cc: Mathew Brost <matthew.brost@intel.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Qi Zheng <zhengqi.arch@bytedance.com>
+Cc: Rakie Kim <rakie.kim@sk.com>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: Shakeel Butt <shakeel.butt@linux.dev>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Cc: xu xin <xu.xin16@zte.com.cn>
+Cc: Zi Yan <ziy@nvidia.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 0da2ba35c0d5 ("powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/pseries/cmm.c |    2 -
+ drivers/misc/vmw_balloon.c           |    3 --
+ drivers/virtio/virtio_balloon.c      |    4 ---
+ include/linux/balloon_compaction.h   |   43 +++++++++++++----------------------
+ mm/balloon_compaction.c              |    3 +-
+ 5 files changed, 21 insertions(+), 34 deletions(-)
+
+--- a/arch/powerpc/platforms/pseries/cmm.c
++++ b/arch/powerpc/platforms/pseries/cmm.c
+@@ -550,7 +550,6 @@ static int cmm_migratepage(struct balloo
+       spin_lock_irqsave(&b_dev_info->pages_lock, flags);
+       balloon_page_insert(b_dev_info, newpage);
+-      balloon_page_delete(page);
+       b_dev_info->isolated_pages--;
+       spin_unlock_irqrestore(&b_dev_info->pages_lock, flags);
+@@ -560,6 +559,7 @@ static int cmm_migratepage(struct balloo
+        */
+       plpar_page_set_active(page);
++      balloon_page_finalize(page);
+       /* balloon page list reference */
+       put_page(page);
+--- a/drivers/misc/vmw_balloon.c
++++ b/drivers/misc/vmw_balloon.c
+@@ -1810,8 +1810,7 @@ static int vmballoon_migratepage(struct
+        * @pages_lock . We keep holding @comm_lock since we will need it in a
+        * second.
+        */
+-      balloon_page_delete(page);
+-
++      balloon_page_finalize(page);
+       put_page(page);
+       /* Inflate */
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -796,15 +796,13 @@ static int virtballoon_migratepage(struc
+       tell_host(vb, vb->inflate_vq);
+       /* balloon's page migration 2nd step -- deflate "page" */
+-      spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
+-      balloon_page_delete(page);
+-      spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
+       vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
+       set_page_pfns(vb, vb->pfns, page);
+       tell_host(vb, vb->deflate_vq);
+       mutex_unlock(&vb->balloon_lock);
++      balloon_page_finalize(page);
+       put_page(page); /* balloon reference */
+       return MIGRATEPAGE_SUCCESS;
+--- a/include/linux/balloon_compaction.h
++++ b/include/linux/balloon_compaction.h
+@@ -100,27 +100,6 @@ static inline void balloon_page_insert(s
+ }
+ /*
+- * balloon_page_delete - delete a page from balloon's page list and clear
+- *                     the page->private assignement accordingly.
+- * @page    : page to be released from balloon's page list
+- *
+- * Caller must ensure the page is locked and the spin_lock protecting balloon
+- * pages list is held before deleting a page from the balloon device.
+- */
+-static inline void balloon_page_delete(struct page *page)
+-{
+-      __ClearPageOffline(page);
+-      __ClearPageMovable(page);
+-      set_page_private(page, 0);
+-      /*
+-       * No touch page.lru field once @page has been isolated
+-       * because VM is using the field.
+-       */
+-      if (!PageIsolated(page))
+-              list_del(&page->lru);
+-}
+-
+-/*
+  * balloon_page_device - get the b_dev_info descriptor for the balloon device
+  *                     that enqueues the given page.
+  */
+@@ -143,12 +122,6 @@ static inline void balloon_page_insert(s
+       list_add(&page->lru, &balloon->pages);
+ }
+-static inline void balloon_page_delete(struct page *page)
+-{
+-      __ClearPageOffline(page);
+-      list_del(&page->lru);
+-}
+-
+ static inline gfp_t balloon_mapping_gfp_mask(void)
+ {
+       return GFP_HIGHUSER;
+@@ -157,6 +130,22 @@ static inline gfp_t balloon_mapping_gfp_
+ #endif /* CONFIG_BALLOON_COMPACTION */
+ /*
++ * balloon_page_finalize - prepare a balloon page that was removed from the
++ *                       balloon list for release to the page allocator
++ * @page: page to be released to the page allocator
++ *
++ * Caller must ensure that the page is locked.
++ */
++static inline void balloon_page_finalize(struct page *page)
++{
++      if (IS_ENABLED(CONFIG_BALLOON_COMPACTION)) {
++              __ClearPageMovable(page);
++              set_page_private(page, 0);
++      }
++      __ClearPageOffline(page);
++}
++
++/*
+  * balloon_page_push - insert a page into a page list.
+  * @head : pointer to list
+  * @page : page to be added
+--- a/mm/balloon_compaction.c
++++ b/mm/balloon_compaction.c
+@@ -93,7 +93,8 @@ size_t balloon_page_list_dequeue(struct
+               if (!trylock_page(page))
+                       continue;
+-              balloon_page_delete(page);
++              list_del(&page->lru);
++              balloon_page_finalize(page);
+               __count_vm_event(BALLOON_DEFLATE);
+               list_add(&page->lru, pages);
+               unlock_page(page);
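Review bot: balloon_page_finalize() in include/linux/balloon_compaction.h states its locking rule only in the comment (`Caller must ensure that the page is locked.`), and after this patch the migration callers in cmm.c and virtio_balloon.c invoke it outside `pages_lock` (in virtio_balloon also after `mutex_unlock(&vb->balloon_lock)`), so the page lock is the only thing left guarding the flag and `page->private` updates. Those callers presumably rely on the migration core holding the page lock, which these hunks do not show. A debug assertion as the first statement of the helper, `VM_BUG_ON_PAGE(!PageLocked(page), page);`, would turn the documented precondition into something a debug kernel checks. The comment could also say that `pages_lock` is not required because the page must already be off the balloon list.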
diff --git a/queue-5.10/mm-balloon_compaction-make-balloon-page-compaction-callbacks-static.patch b/queue-5.10/mm-balloon_compaction-make-balloon-page-compaction-callbacks-static.patch
new file mode 100644 (file)
index 0000000..a0b0a61
--- /dev/null
@@ -0,0 +1,96 @@
+From stable+bounces-204901-greg=kroah.com@vger.kernel.org Mon Jan  5 20:41:05 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  5 Jan 2026 14:40:54 -0500
+Subject: mm/balloon_compaction: make balloon page compaction callbacks static
+To: stable@vger.kernel.org
+Cc: Miaohe Lin <linmiaohe@huawei.com>, "Michael S. Tsirkin" <mst@redhat.com>, Muchun Song <songmuchun@bytedance.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260105194057.2747929-1-sashal@kernel.org>
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit 504c1cabe325df65c18ef38365ddd1a41c6b591b ]
+
+Since commit b1123ea6d3b3 ("mm: balloon: use general non-lru movable page
+feature"), these functions are called via balloon_aops callbacks. They're
+not called directly outside this file. So make them static and clean up
+the relevant code.
+
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Link: https://lore.kernel.org/r/20220125132221.2220-1-linmiaohe@huawei.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Muchun Song <songmuchun@bytedance.com>
+Stable-dep-of: 0da2ba35c0d5 ("powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/balloon_compaction.h |   22 ----------------------
+ mm/balloon_compaction.c            |    6 +++---
+ 2 files changed, 3 insertions(+), 25 deletions(-)
+
+--- a/include/linux/balloon_compaction.h
++++ b/include/linux/balloon_compaction.h
+@@ -80,12 +80,6 @@ static inline void balloon_devinfo_init(
+ #ifdef CONFIG_BALLOON_COMPACTION
+ extern const struct address_space_operations balloon_aops;
+-extern bool balloon_page_isolate(struct page *page,
+-                              isolate_mode_t mode);
+-extern void balloon_page_putback(struct page *page);
+-extern int balloon_page_migrate(struct address_space *mapping,
+-                              struct page *newpage,
+-                              struct page *page, enum migrate_mode mode);
+ /*
+  * balloon_page_insert - insert a page into the balloon's page list and make
+@@ -155,22 +149,6 @@ static inline void balloon_page_delete(s
+       list_del(&page->lru);
+ }
+-static inline bool balloon_page_isolate(struct page *page)
+-{
+-      return false;
+-}
+-
+-static inline void balloon_page_putback(struct page *page)
+-{
+-      return;
+-}
+-
+-static inline int balloon_page_migrate(struct page *newpage,
+-                              struct page *page, enum migrate_mode mode)
+-{
+-      return 0;
+-}
+-
+ static inline gfp_t balloon_mapping_gfp_mask(void)
+ {
+       return GFP_HIGHUSER;
+--- a/mm/balloon_compaction.c
++++ b/mm/balloon_compaction.c
+@@ -203,7 +203,7 @@ EXPORT_SYMBOL_GPL(balloon_page_dequeue);
+ #ifdef CONFIG_BALLOON_COMPACTION
+-bool balloon_page_isolate(struct page *page, isolate_mode_t mode)
++static bool balloon_page_isolate(struct page *page, isolate_mode_t mode)
+ {
+       struct balloon_dev_info *b_dev_info = balloon_page_device(page);
+@@ -217,7 +217,7 @@ bool balloon_page_isolate(struct page *p
+       return true;
+ }
+-void balloon_page_putback(struct page *page)
++static void balloon_page_putback(struct page *page)
+ {
+       struct balloon_dev_info *b_dev_info = balloon_page_device(page);
+       unsigned long flags;
+@@ -230,7 +230,7 @@ void balloon_page_putback(struct page *p
+ /* move_to_new_page() counterpart for a ballooned page */
+-int balloon_page_migrate(struct address_space *mapping,
++static int balloon_page_migrate(struct address_space *mapping,
+               struct page *newpage, struct page *page,
+               enum migrate_mode mode)
+ {
diff --git a/queue-5.10/mm-balloon_compaction-we-cannot-have-isolated-pages-in-the-balloon-list.patch b/queue-5.10/mm-balloon_compaction-we-cannot-have-isolated-pages-in-the-balloon-list.patch
new file mode 100644 (file)
index 0000000..7af2af7
--- /dev/null
@@ -0,0 +1,109 @@
+From stable+bounces-204902-greg=kroah.com@vger.kernel.org Mon Jan  5 20:41:10 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  5 Jan 2026 14:40:55 -0500
+Subject: mm/balloon_compaction: we cannot have isolated pages in the balloon list
+To: stable@vger.kernel.org
+Cc: "David Hildenbrand" <david@redhat.com>, "Zi Yan" <ziy@nvidia.com>, "Lorenzo Stoakes" <lorenzo.stoakes@oracle.com>, "Alistair Popple" <apopple@nvidia.com>, "Al Viro" <viro@zeniv.linux.org.uk>, "Arnd Bergmann" <arnd@arndb.de>, "Brendan Jackman" <jackmanb@google.com>, "Byungchul Park" <byungchul@sk.com>, "Chengming Zhou" <chengming.zhou@linux.dev>, "Christian Brauner" <brauner@kernel.org>, "Christophe Leroy" <christophe.leroy@csgroup.eu>, "Eugenio Pé rez" <eperezma@redhat.com>, "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, "Gregory Price" <gourry@gourry.net>, "Huang, Ying" <ying.huang@linux.alibaba.com>, "Jan Kara" <jack@suse.cz>, "Jason Gunthorpe" <jgg@ziepe.ca>, "Jason Wang" <jasowang@redhat.com>, "Jerrin Shaji George" <jerrin.shaji-george@broadcom.com>, "Johannes Weiner" <hannes@cmpxchg.org>, "John Hubbard" <jhubbard@nvidia.com>, "Jonathan Corbet" <corbet@lwn.net>, "Joshua Hahn" <joshua.hahnjy@gmail.com>, "Liam Howlett" <liam.howlett@oracle.com>, "Madhavan Srinivasan" <maddy@linux.ibm.com>, "Mathew Brost" <matthew.brost@intel.com>, "Matthew Wilcox (Oracle)" <willy@infradead.org>, "Miaohe Lin" <linmiaohe@huawei.com>, "Michael Ellerman" <mpe@ellerman.id.au>, "Michael S. Tsirkin" <mst@redhat.com>, "Michal Hocko" <mhocko@suse.com>, "Mike Rapoport" <rppt@kernel.org>, "Minchan Kim" <minchan@kernel.org>, "Naoya Horiguchi" <nao.horiguchi@gmail.com>, "Nicholas Piggin" <npiggin@gmail.com>, "Oscar Salvador" <osalvador@suse.de>, "Peter Xu" <peterx@redhat.com>, "Qi Zheng" <zhengqi.arch@bytedance.com>, "Rakie Kim" <rakie.kim@sk.com>, "Rik van Riel" <riel@surriel.com>, "Sergey Senozhatsky" <senozhatsky@chromium.org>, "Shakeel Butt" <shakeel.butt@linux.dev>, "Suren Baghdasaryan" <surenb@google.com>, "Vlastimil Babka" <vbabka@suse.cz>, "Xuan Zhuo" <xuanzhuo@linux.alibaba.com>, "xu xin" <xu.xin16@zte.com.cn>, "Harry Yoo" <harry.yoo@oracle.com>, "Andrew Morton" <akpm@linux-foundation.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20260105194057.2747929-2-sashal@kernel.org>
+
+From: David Hildenbrand <david@redhat.com>
+
+[ Upstream commit fb05f992b6bbb4702307d96f00703ee637b24dbf ]
+
+Patch series "mm/migration: rework movable_ops page migration (part 1)",
+v2.
+
+In the future, as we decouple "struct page" from "struct folio", pages
+that support "non-lru page migration" -- movable_ops page migration such
+as memory balloons and zsmalloc -- will no longer be folios.  They will
+not have ->mapping, ->lru, and likely no refcount and no page lock.  But
+they will have a type and flags ðŸ™‚
+
+This is the first part (other parts not written yet) of decoupling
+movable_ops page migration from folio migration.
+
+In this series, we get rid of the ->mapping usage, and start cleaning up
+the code + separating it from folio migration.
+
+Migration core will have to be further reworked to not treat movable_ops
+pages like folios.  This is the first step into that direction.
+
+This patch (of 29):
+
+The core will set PG_isolated only after mops->isolate_page() was called.
+In case of the balloon, that is where we will remove it from the balloon
+list.  So we cannot have isolated pages in the balloon list.
+
+Let's drop this unnecessary check.
+
+Link: https://lkml.kernel.org/r/20250704102524.326966-2-david@redhat.com
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Acked-by: Zi Yan <ziy@nvidia.com>
+Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: Alistair Popple <apopple@nvidia.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Brendan Jackman <jackmanb@google.com>
+Cc: Byungchul Park <byungchul@sk.com>
+Cc: Chengming Zhou <chengming.zhou@linux.dev>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Eugenio Pé rez <eperezma@redhat.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Gregory Price <gourry@gourry.net>
+Cc: "Huang, Ying" <ying.huang@linux.alibaba.com>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Jason Gunthorpe <jgg@ziepe.ca>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: Jerrin Shaji George <jerrin.shaji-george@broadcom.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Joshua Hahn <joshua.hahnjy@gmail.com>
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
+Cc: Mathew Brost <matthew.brost@intel.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Qi Zheng <zhengqi.arch@bytedance.com>
+Cc: Rakie Kim <rakie.kim@sk.com>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: Shakeel Butt <shakeel.butt@linux.dev>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Cc: xu xin <xu.xin16@zte.com.cn>
+Cc: Harry Yoo <harry.yoo@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 0da2ba35c0d5 ("powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/balloon_compaction.c |    6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/mm/balloon_compaction.c
++++ b/mm/balloon_compaction.c
+@@ -93,12 +93,6 @@ size_t balloon_page_list_dequeue(struct
+               if (!trylock_page(page))
+                       continue;
+-              if (IS_ENABLED(CONFIG_BALLOON_COMPACTION) &&
+-                  PageIsolated(page)) {
+-                      /* raced with isolation */
+-                      unlock_page(page);
+-                      continue;
+-              }
+               balloon_page_delete(page);
+               __count_vm_event(BALLOON_DEFLATE);
+               list_add(&page->lru, pages);
diff --git a/queue-5.10/mm-mprotect-delete-pmd_none_or_clear_bad_unless_trans_huge.patch b/queue-5.10/mm-mprotect-delete-pmd_none_or_clear_bad_unless_trans_huge.patch
new file mode 100644 (file)
index 0000000..1ef8212
--- /dev/null
@@ -0,0 +1,245 @@
+From stable+bounces-206085-greg=kroah.com@vger.kernel.org Wed Jan  7 04:23:10 2026
+From: Harry Yoo <harry.yoo@oracle.com>
+Date: Wed,  7 Jan 2026 12:21:21 +0900
+Subject: mm/mprotect: delete pmd_none_or_clear_bad_unless_trans_huge()
+To: stable@vger.kernel.org
+Cc: Liam.Howlett@oracle.com, akpm@linux-foundation.org, baohua@kernel.org, baolin.wang@linux.alibaba.com, david@kernel.org, dev.jain@arm.com, hughd@google.com, jane.chu@oracle.com, jannh@google.com, kas@kernel.org, lance.yang@linux.dev, linux-mm@kvack.org, lorenzo.stoakes@oracle.com, npache@redhat.com, pfalcato@suse.de, ryan.roberts@arm.com, vbabka@suse.cz, ziy@nvidia.com, "Alistair Popple" <apopple@nvidia.com>, "Anshuman Khandual" <anshuman.khandual@arm.com>, "Axel Rasmussen" <axelrasmussen@google.com>, "Christophe Leroy" <christophe.leroy@csgroup.eu>, "Christoph Hellwig" <hch@infradead.org>, "David Hildenbrand" <david@redhat.com>, "Huang, Ying" <ying.huang@intel.com>, "Ira Weiny" <ira.weiny@intel.com>, "Jason Gunthorpe" <jgg@ziepe.ca>, "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>, "Lorenzo Stoakes" <lstoakes@gmail.com>, "Matthew Wilcox" <willy@infradead.org>, "Mel Gorman" <mgorman@techsingularity.net>, "Miaohe Lin" <linmiaohe@huawei.com>, "Mike Kravetz" <mike.kravetz@oracle.com>, "Mike Rapoport" <rppt@kernel.org>, "Minchan Kim" <minchan@kernel.org>, "Naoya Horiguchi" <naoya.horiguchi@nec.com>, "Pavel Tatashin" <pasha.tatashin@soleen.com>, "Peter Xu" <peterx@redhat.com>, "Peter Zijlstra" <peterz@infradead.org>, "Qi Zheng" <zhengqi.arch@bytedance.com>, "Ralph Campbell" <rcampbell@nvidia.com>, "SeongJae Park" <sj@kernel.org>, "Song Liu" <song@kernel.org>, "Steven Price" <steven.price@arm.com>, "Suren Baghdasaryan" <surenb@google.com>, "Thomas Hellström" <thomas.hellstrom@linux.intel.com>, "Will Deacon" <will@kernel.org>, "Yang Shi" <shy828301@gmail.com>, "Yu Zhao" <yuzhao@google.com>, "Zack Rusin" <zackr@vmware.com>, "Harry Yoo" <harry.yoo@oracle.com>
+Message-ID: <20260107032121.587629-3-harry.yoo@oracle.com>
+
+From: Hugh Dickins <hughd@google.com>
+
+commit 670ddd8cdcbd1d07a4571266ae3517f821728c3a upstream.
+
+change_pmd_range() had special pmd_none_or_clear_bad_unless_trans_huge(),
+required to avoid "bad" choices when setting automatic NUMA hinting under
+mmap_read_lock(); but most of that is already covered in pte_offset_map()
+now.  change_pmd_range() just wants a pmd_none() check before wasting time
+on MMU notifiers, then checks on the read-once _pmd value to work out
+what's needed for huge cases.  If change_pte_range() returns -EAGAIN to
+retry if pte_offset_map_lock() fails, nothing more special is needed.
+
+Link: https://lkml.kernel.org/r/725a42a9-91e9-c868-925-e3a5fd40bb4f@google.com
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Cc: Alistair Popple <apopple@nvidia.com>
+Cc: Anshuman Khandual <anshuman.khandual@arm.com>
+Cc: Axel Rasmussen <axelrasmussen@google.com>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Christoph Hellwig <hch@infradead.org>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: "Huang, Ying" <ying.huang@intel.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Cc: Jason Gunthorpe <jgg@ziepe.ca>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Lorenzo Stoakes <lstoakes@gmail.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Mike Rapoport (IBM) <rppt@kernel.org>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>
+Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Qi Zheng <zhengqi.arch@bytedance.com>
+Cc: Ralph Campbell <rcampbell@nvidia.com>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: SeongJae Park <sj@kernel.org>
+Cc: Song Liu <song@kernel.org>
+Cc: Steven Price <steven.price@arm.com>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Yang Shi <shy828301@gmail.com>
+Cc: Yu Zhao <yuzhao@google.com>
+Cc: Zack Rusin <zackr@vmware.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+[ Background: It was reported that a bad pmd is seen when automatic NUMA
+  balancing is marking page table entries as prot_numa:
+
+      [2437548.196018] mm/pgtable-generic.c:50: bad pmd 00000000af22fc02(dffffffe71fbfe02)
+      [2437548.235022] Call Trace:
+      [2437548.238234]  <TASK>
+      [2437548.241060]  dump_stack_lvl+0x46/0x61
+      [2437548.245689]  panic+0x106/0x2e5
+      [2437548.249497]  pmd_clear_bad+0x3c/0x3c
+      [2437548.253967]  change_pmd_range.isra.0+0x34d/0x3a7
+      [2437548.259537]  change_p4d_range+0x156/0x20e
+      [2437548.264392]  change_protection_range+0x116/0x1a9
+      [2437548.269976]  change_prot_numa+0x15/0x37
+      [2437548.274774]  task_numa_work+0x1b8/0x302
+      [2437548.279512]  task_work_run+0x62/0x95
+      [2437548.283882]  exit_to_user_mode_loop+0x1a4/0x1a9
+      [2437548.289277]  exit_to_user_mode_prepare+0xf4/0xfc
+      [2437548.294751]  ? sysvec_apic_timer_interrupt+0x34/0x81
+      [2437548.300677]  irqentry_exit_to_user_mode+0x5/0x25
+      [2437548.306153]  asm_sysvec_apic_timer_interrupt+0x16/0x1b
+
+    This is due to a race condition between change_prot_numa() and
+    THP migration because the kernel doesn't check is_swap_pmd() and
+    pmd_trans_huge() atomically:
+
+    change_prot_numa()                      THP migration
+    ======================================================================
+    - change_pmd_range()
+    -> is_swap_pmd() returns false,
+    meaning it's not a PMD migration
+    entry.
+                                      - do_huge_pmd_numa_page()
+                                      -> migrate_misplaced_page() sets
+                                         migration entries for the THP.
+    - change_pmd_range()
+    -> pmd_none_or_clear_bad_unless_trans_huge()
+    -> pmd_none() and pmd_trans_huge() returns false
+    - pmd_none_or_clear_bad_unless_trans_huge()
+    -> pmd_bad() returns true for the migration entry!
+
+  The upstream commit 670ddd8cdcbd ("mm/mprotect: delete
+  pmd_none_or_clear_bad_unless_trans_huge()") closes this race condition
+  by checking is_swap_pmd() and pmd_trans_huge() atomically.
+
+  Backporting note:
+    Unlike the mainline, pte_offset_map_lock() does not check if the pmd
+    entry is a migration entry or a hugepage; acquires PTL unconditionally
+    instead of returning failure. Therefore, it is necessary to keep the
+    !is_swap_pmd() && !pmd_trans_huge() && !pmd_devmap() check before
+    acquiring the PTL.
+
+    After acquiring the lock, open-code the semantics of
+    pte_offset_map_lock() in the mainline kernel; change_pte_range() fails
+    if the pmd value has changed. This requires adding one more parameter
+    (to pass pmd value that is read before calling the function) to
+    change_pte_range(). ]
+
+Signed-off-by: Harry Yoo <harry.yoo@oracle.com>
+Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mprotect.c |   75 ++++++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 42 insertions(+), 33 deletions(-)
+
+--- a/mm/mprotect.c
++++ b/mm/mprotect.c
+@@ -36,10 +36,11 @@
+ #include "internal.h"
+ static long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd,
+-              unsigned long addr, unsigned long end, pgprot_t newprot,
+-              unsigned long cp_flags)
++              pmd_t pmd_old, unsigned long addr, unsigned long end,
++              pgprot_t newprot, unsigned long cp_flags)
+ {
+       pte_t *pte, oldpte;
++      pmd_t _pmd;
+       spinlock_t *ptl;
+       long pages = 0;
+       int target_node = NUMA_NO_NODE;
+@@ -48,21 +49,15 @@ static long change_pte_range(struct vm_a
+       bool uffd_wp = cp_flags & MM_CP_UFFD_WP;
+       bool uffd_wp_resolve = cp_flags & MM_CP_UFFD_WP_RESOLVE;
+-      /*
+-       * Can be called with only the mmap_lock for reading by
+-       * prot_numa so we must check the pmd isn't constantly
+-       * changing from under us from pmd_none to pmd_trans_huge
+-       * and/or the other way around.
+-       */
+-      if (pmd_trans_unstable(pmd))
+-              return 0;
+-
+-      /*
+-       * The pmd points to a regular pte so the pmd can't change
+-       * from under us even if the mmap_lock is only hold for
+-       * reading.
+-       */
+       pte = pte_offset_map_lock(vma->vm_mm, pmd, addr, &ptl);
++      /* Make sure pmd didn't change after acquiring ptl */
++      _pmd = pmd_read_atomic(pmd);
++      /* See pmd_none_or_trans_huge_or_clear_bad for info on barrier */
++      barrier();
++      if (!pmd_same(pmd_old, _pmd)) {
++              pte_unmap_unlock(pte, ptl);
++              return -EAGAIN;
++      }
+       /* Get target node for single threaded private VMAs */
+       if (prot_numa && !(vma->vm_flags & VM_SHARED) &&
+@@ -223,21 +218,33 @@ static inline long change_pmd_range(stru
+       pmd = pmd_offset(pud, addr);
+       do {
+-              long this_pages;
+-
++              long ret;
++              pmd_t _pmd;
++again:
+               next = pmd_addr_end(addr, end);
++              _pmd = pmd_read_atomic(pmd);
++              /* See pmd_none_or_trans_huge_or_clear_bad for info on barrier */
++#ifdef CONFIG_TRANSPARENT_HUGEPAGE
++              barrier();
++#endif
+               /*
+                * Automatic NUMA balancing walks the tables with mmap_lock
+                * held for read. It's possible a parallel update to occur
+-               * between pmd_trans_huge() and a pmd_none_or_clear_bad()
+-               * check leading to a false positive and clearing.
+-               * Hence, it's necessary to atomically read the PMD value
+-               * for all the checks.
++               * between pmd_trans_huge(), is_swap_pmd(), and
++               * a pmd_none_or_clear_bad() check leading to a false positive
++               * and clearing. Hence, it's necessary to atomically read
++               * the PMD value for all the checks.
+                */
+-              if (!is_swap_pmd(*pmd) && !pmd_devmap(*pmd) &&
+-                   pmd_none_or_clear_bad_unless_trans_huge(pmd))
+-                      goto next;
++              if (!is_swap_pmd(_pmd) && !pmd_devmap(_pmd) && !pmd_trans_huge(_pmd)) {
++                      if (pmd_none(_pmd))
++                              goto next;
++
++                      if (pmd_bad(_pmd)) {
++                              pmd_clear_bad(pmd);
++                              goto next;
++                      }
++              }
+               /* invoke the mmu notifier if the pmd is populated */
+               if (!range.start) {
+@@ -247,15 +254,15 @@ static inline long change_pmd_range(stru
+                       mmu_notifier_invalidate_range_start(&range);
+               }
+-              if (is_swap_pmd(*pmd) || pmd_trans_huge(*pmd) || pmd_devmap(*pmd)) {
++              if (is_swap_pmd(_pmd) || pmd_trans_huge(_pmd) || pmd_devmap(_pmd)) {
+                       if (next - addr != HPAGE_PMD_SIZE) {
+                               __split_huge_pmd(vma, pmd, addr, false, NULL);
+                       } else {
+-                              int nr_ptes = change_huge_pmd(vma, pmd, addr,
+-                                                            newprot, cp_flags);
++                              ret = change_huge_pmd(vma, pmd, addr, newprot,
++                                                    cp_flags);
+-                              if (nr_ptes) {
+-                                      if (nr_ptes == HPAGE_PMD_NR) {
++                              if (ret) {
++                                      if (ret == HPAGE_PMD_NR) {
+                                               pages += HPAGE_PMD_NR;
+                                               nr_huge_updates++;
+                                       }
+@@ -266,9 +273,11 @@ static inline long change_pmd_range(stru
+                       }
+                       /* fall through, the trans huge pmd just split */
+               }
+-              this_pages = change_pte_range(vma, pmd, addr, next, newprot,
+-                                            cp_flags);
+-              pages += this_pages;
++              ret = change_pte_range(vma, pmd, _pmd, addr, next, newprot,
++                                     cp_flags);
++              if (ret < 0)
++                      goto again;
++              pages += ret;
+ next:
+               cond_resched();
+       } while (pmd++, addr = next, addr != end);
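Review bot: The fall-through after `__split_huge_pmd()` in change_pmd_range() still hands change_pte_range() the `_pmd` value read before the split, so on that path the first call takes the PTL from whatever `*pmd` holds at that moment and can only return -EAGAIN. With the `pmd_trans_unstable(pmd)` guard removed in the earlier hunk, nothing visible here re-validates the entry before `pte_offset_map_lock()`, which the backporting note says locks unconditionally on this tree. Re-reading first would avoid the blind lock, e.g. replacing the fall-through comment with `goto again; /* pmd was split or changed: re-read before taking the PTL */`; this assumes the handled-huge case leaves the branch through lines outside the hunk. The `goto again` retry also bypasses `cond_resched()`, so a comment stating why the retry is bounded would help. Both function bodies extend beyond the hunks shown.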
diff --git a/queue-5.10/mm-mprotect-use-long-for-page-accountings-and-retval.patch b/queue-5.10/mm-mprotect-use-long-for-page-accountings-and-retval.patch
new file mode 100644 (file)
index 0000000..b8b5e38
--- /dev/null
@@ -0,0 +1,227 @@
+From stable+bounces-206084-greg=kroah.com@vger.kernel.org Wed Jan  7 04:22:20 2026
+From: Harry Yoo <harry.yoo@oracle.com>
+Date: Wed,  7 Jan 2026 12:21:20 +0900
+Subject: mm/mprotect: use long for page accountings and retval
+To: stable@vger.kernel.org
+Cc: Liam.Howlett@oracle.com, akpm@linux-foundation.org, baohua@kernel.org, baolin.wang@linux.alibaba.com, david@kernel.org, dev.jain@arm.com, hughd@google.com, jane.chu@oracle.com, jannh@google.com, kas@kernel.org, lance.yang@linux.dev, linux-mm@kvack.org, lorenzo.stoakes@oracle.com, npache@redhat.com, pfalcato@suse.de, ryan.roberts@arm.com, vbabka@suse.cz, ziy@nvidia.com, Peter Xu <peterx@redhat.com>, Mike Kravetz <mike.kravetz@oracle.com>, James Houghton <jthoughton@google.com>, Andrea Arcangeli <aarcange@redhat.com>, Axel Rasmussen <axelrasmussen@google.com>, David Hildenbrand <david@redhat.com>, Muchun Song <songmuchun@bytedance.com>, Nadav Amit <nadav.amit@gmail.com>, Harry Yoo <harry.yoo@oracle.com>
+Message-ID: <20260107032121.587629-2-harry.yoo@oracle.com>
+
+From: Peter Xu <peterx@redhat.com>
+
+commit a79390f5d6a78647fd70856bd42b22d994de0ba2 upstream.
+
+Switch to use type "long" for page accountings and retval across the whole
+procedure of change_protection().
+
+The change should have shrinked the possible maximum page number to be
+half comparing to previous (ULONG_MAX / 2), but it shouldn't overflow on
+any system either because the maximum possible pages touched by change
+protection should be ULONG_MAX / PAGE_SIZE.
+
+Two reasons to switch from "unsigned long" to "long":
+
+  1. It suites better on count_vm_numa_events(), whose 2nd parameter takes
+     a long type.
+
+  2. It paves way for returning negative (error) values in the future.
+
+Currently the only caller that consumes this retval is change_prot_numa(),
+where the unsigned long was converted to an int.  Since at it, touching up
+the numa code to also take a long, so it'll avoid any possible overflow
+too during the int-size convertion.
+
+Link: https://lkml.kernel.org/r/20230104225207.1066932-3-peterx@redhat.com
+Signed-off-by: Peter Xu <peterx@redhat.com>
+Acked-by: Mike Kravetz <mike.kravetz@oracle.com>
+Acked-by: James Houghton <jthoughton@google.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Axel Rasmussen <axelrasmussen@google.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Muchun Song <songmuchun@bytedance.com>
+Cc: Nadav Amit <nadav.amit@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+[ Adjust context ]
+Signed-off-by: Harry Yoo <harry.yoo@oracle.com>
+Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/hugetlb.h |    4 ++--
+ include/linux/mm.h      |    2 +-
+ mm/hugetlb.c            |    4 ++--
+ mm/mempolicy.c          |    2 +-
+ mm/mprotect.c           |   34 +++++++++++++++++-----------------
+ 5 files changed, 23 insertions(+), 23 deletions(-)
+
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -184,7 +184,7 @@ struct page *follow_huge_pgd(struct mm_s
+ int pmd_huge(pmd_t pmd);
+ int pud_huge(pud_t pud);
+-unsigned long hugetlb_change_protection(struct vm_area_struct *vma,
++long hugetlb_change_protection(struct vm_area_struct *vma,
+               unsigned long address, unsigned long end, pgprot_t newprot);
+ bool is_hugetlb_entry_migration(pte_t pte);
+@@ -342,7 +342,7 @@ static inline void move_hugetlb_state(st
+ {
+ }
+-static inline unsigned long hugetlb_change_protection(
++static inline long hugetlb_change_protection(
+                       struct vm_area_struct *vma, unsigned long address,
+                       unsigned long end, pgprot_t newprot)
+ {
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -1876,7 +1876,7 @@ extern unsigned long move_page_tables(st
+ #define  MM_CP_UFFD_WP_ALL                 (MM_CP_UFFD_WP | \
+                                           MM_CP_UFFD_WP_RESOLVE)
+-extern unsigned long change_protection(struct vm_area_struct *vma, unsigned long start,
++extern long change_protection(struct vm_area_struct *vma, unsigned long start,
+                             unsigned long end, pgprot_t newprot,
+                             unsigned long cp_flags);
+ extern int mprotect_fixup(struct vm_area_struct *vma,
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -5051,7 +5051,7 @@ same_page:
+ #define flush_hugetlb_tlb_range(vma, addr, end)       flush_tlb_range(vma, addr, end)
+ #endif
+-unsigned long hugetlb_change_protection(struct vm_area_struct *vma,
++long hugetlb_change_protection(struct vm_area_struct *vma,
+               unsigned long address, unsigned long end, pgprot_t newprot)
+ {
+       struct mm_struct *mm = vma->vm_mm;
+@@ -5059,7 +5059,7 @@ unsigned long hugetlb_change_protection(
+       pte_t *ptep;
+       pte_t pte;
+       struct hstate *h = hstate_vma(vma);
+-      unsigned long pages = 0;
++      long pages = 0;
+       bool shared_pmd = false;
+       struct mmu_notifier_range range;
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -653,7 +653,7 @@ unlock:
+ unsigned long change_prot_numa(struct vm_area_struct *vma,
+                       unsigned long addr, unsigned long end)
+ {
+-      int nr_updated;
++      long nr_updated;
+       nr_updated = change_protection(vma, addr, end, PAGE_NONE, MM_CP_PROT_NUMA);
+       if (nr_updated)
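Review bot: In change_prot_numa() `nr_updated` is widened to `long`, but the `if (nr_updated)` test kept as context still treats any non-zero value as a page count, and the function's return type stays `unsigned long`. The commit message says the signed type is meant to allow negative error returns later; a negative value would enter that branch and be converted to a very large number on return. Guarding with `if (nr_updated > 0)` would keep the accounting correct once errors can propagate. The rest of the function body is outside the hunk, so what the branch does with the value is not shown.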
+--- a/mm/mprotect.c
++++ b/mm/mprotect.c
+@@ -35,13 +35,13 @@
+ #include "internal.h"
+-static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd,
++static long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd,
+               unsigned long addr, unsigned long end, pgprot_t newprot,
+               unsigned long cp_flags)
+ {
+       pte_t *pte, oldpte;
+       spinlock_t *ptl;
+-      unsigned long pages = 0;
++      long pages = 0;
+       int target_node = NUMA_NO_NODE;
+       bool dirty_accountable = cp_flags & MM_CP_DIRTY_ACCT;
+       bool prot_numa = cp_flags & MM_CP_PROT_NUMA;
+@@ -209,13 +209,13 @@ static inline int pmd_none_or_clear_bad_
+       return 0;
+ }
+-static inline unsigned long change_pmd_range(struct vm_area_struct *vma,
++static inline long change_pmd_range(struct vm_area_struct *vma,
+               pud_t *pud, unsigned long addr, unsigned long end,
+               pgprot_t newprot, unsigned long cp_flags)
+ {
+       pmd_t *pmd;
+       unsigned long next;
+-      unsigned long pages = 0;
++      long pages = 0;
+       unsigned long nr_huge_updates = 0;
+       struct mmu_notifier_range range;
+@@ -223,7 +223,7 @@ static inline unsigned long change_pmd_r
+       pmd = pmd_offset(pud, addr);
+       do {
+-              unsigned long this_pages;
++              long this_pages;
+               next = pmd_addr_end(addr, end);
+@@ -281,13 +281,13 @@ next:
+       return pages;
+ }
+-static inline unsigned long change_pud_range(struct vm_area_struct *vma,
+-              p4d_t *p4d, unsigned long addr, unsigned long end,
+-              pgprot_t newprot, unsigned long cp_flags)
++static inline long change_pud_range(struct vm_area_struct *vma, p4d_t *p4d,
++              unsigned long addr, unsigned long end, pgprot_t newprot,
++              unsigned long cp_flags)
+ {
+       pud_t *pud;
+       unsigned long next;
+-      unsigned long pages = 0;
++      long pages = 0;
+       pud = pud_offset(p4d, addr);
+       do {
+@@ -301,13 +301,13 @@ static inline unsigned long change_pud_r
+       return pages;
+ }
+-static inline unsigned long change_p4d_range(struct vm_area_struct *vma,
+-              pgd_t *pgd, unsigned long addr, unsigned long end,
+-              pgprot_t newprot, unsigned long cp_flags)
++static inline long change_p4d_range(struct vm_area_struct *vma, pgd_t *pgd,
++              unsigned long addr, unsigned long end, pgprot_t newprot,
++              unsigned long cp_flags)
+ {
+       p4d_t *p4d;
+       unsigned long next;
+-      unsigned long pages = 0;
++      long pages = 0;
+       p4d = p4d_offset(pgd, addr);
+       do {
+@@ -321,7 +321,7 @@ static inline unsigned long change_p4d_r
+       return pages;
+ }
+-static unsigned long change_protection_range(struct vm_area_struct *vma,
++static long change_protection_range(struct vm_area_struct *vma,
+               unsigned long addr, unsigned long end, pgprot_t newprot,
+               unsigned long cp_flags)
+ {
+@@ -329,7 +329,7 @@ static unsigned long change_protection_r
+       pgd_t *pgd;
+       unsigned long next;
+       unsigned long start = addr;
+-      unsigned long pages = 0;
++      long pages = 0;
+       BUG_ON(addr >= end);
+       pgd = pgd_offset(mm, addr);
+@@ -351,11 +351,11 @@ static unsigned long change_protection_r
+       return pages;
+ }
+-unsigned long change_protection(struct vm_area_struct *vma, unsigned long start,
++long change_protection(struct vm_area_struct *vma, unsigned long start,
+                      unsigned long end, pgprot_t newprot,
+                      unsigned long cp_flags)
+ {
+-      unsigned long pages;
++      long pages;
+       BUG_ON((cp_flags & MM_CP_UFFD_WP_ALL) == MM_CP_UFFD_WP_ALL);
diff --git a/queue-5.10/nfsd-nfsv4-file-creation-neglects-setting-acl.patch b/queue-5.10/nfsd-nfsv4-file-creation-neglects-setting-acl.patch
new file mode 100644 (file)
index 0000000..fb8505e
--- /dev/null
@@ -0,0 +1,49 @@
+From stable+bounces-204921-greg=kroah.com@vger.kernel.org Mon Jan  5 21:37:22 2026
+From: Chuck Lever <cel@kernel.org>
+Date: Mon,  5 Jan 2026 15:36:25 -0500
+Subject: NFSD: NFSv4 file creation neglects setting ACL
+To: <stable@vger.kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>, <linux-nfs@vger.kernel.org>, Chuck Lever <chuck.lever@oracle.com>, Aurelien Couderc <aurelien.couderc2002@gmail.com>
+Message-ID: <20260105203625.3562597-1-cel@kernel.org>
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 913f7cf77bf14c13cfea70e89bcb6d0b22239562 ]
+
+An NFSv4 client that sets an ACL with a named principal during file
+creation retrieves the ACL afterwards, and finds that it is only a
+default ACL (based on the mode bits) and not the ACL that was
+requested during file creation. This violates RFC 8881 section
+6.4.1.3: "the ACL attribute is set as given".
+
+The issue occurs in nfsd_create_setattr(). On 6.1.y, the check to
+determine whether nfsd_setattr() should be called is simply
+"iap->ia_valid", which only accounts for iattr changes. When only
+an ACL is present (and no iattr fields are set), nfsd_setattr() is
+skipped and the POSIX ACL is never applied to the inode.
+
+Subsequently, when the client retrieves the ACL, the server finds
+no POSIX ACL on the inode and returns one generated from the file's
+mode bits rather than returning the originally-specified ACL.
+
+Reported-by: Aurelien Couderc <aurelien.couderc2002@gmail.com>
+Fixes: c0cbe70742f4 ("NFSD: add posix ACLs to struct nfsd_attrs")
+Cc: stable@vger.kernel.org
+[ cel: Adjust nfsd_create_setattr() instead of nfsd_attrs_valid() ]
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/vfs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -1335,7 +1335,7 @@ nfsd_create_setattr(struct svc_rqst *rqs
+        * Callers expect new file metadata to be committed even
+        * if the attributes have not changed.
+        */
+-      if (iap->ia_valid)
++      if (iap->ia_valid || attrs->na_pacl || attrs->na_dpacl)
+               status = nfsd_setattr(rqstp, resfhp, attrs, 0, (time64_t)0);
+       else
+               status = nfserrno(commit_metadata(resfhp));
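Review bot: The comment kept above the condition in nfsd_create_setattr() no longer describes the test: it talks only about committing metadata, while the new condition also routes ACL-only requests to nfsd_setattr(). A short why-comment would keep a later cleanup from dropping the ACL terms again and silently falling back to mode-bit permissions, e.g. `/* An ACL supplied at create time sets no ia_valid bits; it must still reach nfsd_setattr() */`. The function starts and ends outside the hunk.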
diff --git a/queue-5.10/ovl-use-buf-flexible-array-for-memcpy-destination.patch b/queue-5.10/ovl-use-buf-flexible-array-for-memcpy-destination.patch
new file mode 100644 (file)
index 0000000..998655e
--- /dev/null
@@ -0,0 +1,55 @@
+From stable+bounces-204333-greg=kroah.com@vger.kernel.org Wed Dec 31 11:28:57 2025
+From: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Date: Wed, 31 Dec 2025 02:08:09 -0800
+Subject: ovl: Use "buf" flexible array for memcpy() destination
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: miklos@szeredi.hu, amir73il@gmail.com, linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Kees Cook <keescook@chromium.org>, syzbot+9d14351a171d0d1c7955@syzkaller.appspotmail.com, "Gustavo A . R . Silva" <gustavoars@kernel.org>, Miklos Szeredi <mszeredi@redhat.com>, Shivani Agarwal <shivani.agarwal@broadcom.com>
+Message-ID: <20251231100809.642262-1-shivani.agarwal@broadcom.com>
+
+From: Kees Cook <keescook@chromium.org>
+
+commit cf8aa9bf97cadf85745506c6a3e244b22c268d63 upstream.
+
+The "buf" flexible array needs to be the memcpy() destination to avoid
+false positive run-time warning from the recent FORTIFY_SOURCE
+hardening:
+
+  memcpy: detected field-spanning write (size 93) of single field "&fh->fb"
+  at fs/overlayfs/export.c:799 (size 21)
+
+Reported-by: syzbot+9d14351a171d0d1c7955@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/all/000000000000763a6c05e95a5985@google.com/
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[Shivani: Modified to apply on 5.10.y]
+Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/export.c    |    2 +-
+ fs/overlayfs/overlayfs.h |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/overlayfs/export.c
++++ b/fs/overlayfs/export.c
+@@ -788,7 +788,7 @@ static struct ovl_fh *ovl_fid_to_fh(stru
+               return ERR_PTR(-ENOMEM);
+       /* Copy unaligned inner fh into aligned buffer */
+-      memcpy(&fh->fb, fid, buflen - OVL_FH_WIRE_OFFSET);
++      memcpy(fh->buf, fid, buflen - OVL_FH_WIRE_OFFSET);
+       return fh;
+ }
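Review bot: The memcpy() length `buflen - OVL_FH_WIRE_OFFSET` is what bounds this copy, and per the quoted FORTIFY warning it is larger than `fh->fb`, which is why the destination changes to `fh->buf`. The allocation size and any lower-bound check on `buflen` sit above the hunk, so it is not shown here that the subtraction cannot wrap or that the length matches the allocation. I would extend the existing comment to record the invariant, e.g. `/* Copy unaligned inner fh into aligned buffer; len spans fb plus trailing fid bytes and must match the allocation above */`. ovl_fid_to_fh() begins outside the hunk.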
+--- a/fs/overlayfs/overlayfs.h
++++ b/fs/overlayfs/overlayfs.h
+@@ -104,7 +104,7 @@ struct ovl_fh {
+       u8 padding[3];  /* make sure fb.fid is 32bit aligned */
+       union {
+               struct ovl_fb fb;
+-              u8 buf[0];
++              DECLARE_FLEX_ARRAY(u8, buf);
+       };
+ } __packed;
diff --git a/queue-5.10/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_probe.patch b/queue-5.10/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_probe.patch
new file mode 100644 (file)
index 0000000..3866ee8
--- /dev/null
@@ -0,0 +1,48 @@
+From stable+bounces-206025-greg=kroah.com@vger.kernel.org Tue Jan  6 20:18:15 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue,  6 Jan 2026 13:26:54 -0500
+Subject: pmdomain: imx: Fix reference count leak in imx_gpc_probe()
+To: stable@vger.kernel.org
+Cc: Wentao Liang <vulab@iscas.ac.cn>, Frank Li <Frank.Li@nxp.com>, Ulf Hansson <ulf.hansson@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260106182656.3115094-3-sashal@kernel.org>
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+[ Upstream commit 73cb5f6eafb0ac7aea8cdeb8ff12981aa741d8fb ]
+
+of_get_child_by_name() returns a node pointer with refcount incremented.
+Use the __free() attribute to manage the pgc_node reference, ensuring
+automatic of_node_put() cleanup when pgc_node goes out of scope.
+
+This eliminates the need for explicit error handling paths and avoids
+reference count leaks.
+
+Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/imx/gpc.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/soc/imx/gpc.c
++++ b/drivers/soc/imx/gpc.c
+@@ -405,13 +405,12 @@ clk_err:
+ static int imx_gpc_probe(struct platform_device *pdev)
+ {
+       const struct imx_gpc_dt_data *of_id_data = device_get_match_data(&pdev->dev);
+-      struct device_node *pgc_node;
++      struct device_node *pgc_node __free(device_node)
++              = of_get_child_by_name(pdev->dev.of_node, "pgc");
+       struct regmap *regmap;
+       void __iomem *base;
+       int ret;
+-      pgc_node = of_get_child_by_name(pdev->dev.of_node, "pgc");
+-
+       /* bail out if DT too old and doesn't provide the necessary info */
+       if (!of_property_read_bool(pdev->dev.of_node, "#power-domain-cells") &&
+           !pgc_node)
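Review bot: The new declaration depends on the scope-based cleanup helper `__free(device_node)`, yet the diffstat shows no include being added and this queue targets 5.10. Whether that tree provides the helper is not visible here and should be confirmed with a build of drivers/soc/imx/gpc.c. If it is not available, the same fix can be expressed with an explicit `of_node_put(pgc_node);` before each return of imx_gpc_probe(). The function body continues past the hunk, so the exit paths are not shown.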
diff --git a/queue-5.10/pmdomain-use-device_get_match_data.patch b/queue-5.10/pmdomain-use-device_get_match_data.patch
new file mode 100644 (file)
index 0000000..d7aba50
--- /dev/null
@@ -0,0 +1,134 @@
+From stable+bounces-206024-greg=kroah.com@vger.kernel.org Tue Jan  6 19:29:58 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue,  6 Jan 2026 13:26:53 -0500
+Subject: pmdomain: Use device_get_match_data()
+To: stable@vger.kernel.org
+Cc: Rob Herring <robh@kernel.org>, Ulf Hansson <ulf.hansson@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260106182656.3115094-2-sashal@kernel.org>
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit 3ba9fdfaa550936837b50b73d6c27ac401fde875 ]
+
+Use preferred device_get_match_data() instead of of_match_device() to
+get the driver match data. With this, adjust the includes to explicitly
+include the correct headers.
+
+Signed-off-by: Rob Herring <robh@kernel.org>
+Link: https://lore.kernel.org/r/20231006224614.444488-1-robh@kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Stable-dep-of: 73cb5f6eafb0 ("pmdomain: imx: Fix reference count leak in imx_gpc_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/actions/owl-sps.c     |   16 +++++-----------
+ drivers/soc/imx/gpc.c             |    7 +++----
+ drivers/soc/rockchip/pm_domains.c |   13 ++++---------
+ 3 files changed, 12 insertions(+), 24 deletions(-)
+
+--- a/drivers/soc/actions/owl-sps.c
++++ b/drivers/soc/actions/owl-sps.c
+@@ -8,8 +8,10 @@
+  * Copyright (c) 2017 Andreas Färber
+  */
++#include <linux/mod_devicetable.h>
+ #include <linux/of_address.h>
+-#include <linux/of_platform.h>
++#include <linux/platform_device.h>
++#include <linux/property.h>
+ #include <linux/pm_domain.h>
+ #include <linux/soc/actions/owl-sps.h>
+ #include <dt-bindings/power/owl-s500-powergate.h>
+@@ -96,24 +98,16 @@ static int owl_sps_init_domain(struct ow
+ static int owl_sps_probe(struct platform_device *pdev)
+ {
+-      const struct of_device_id *match;
+       const struct owl_sps_info *sps_info;
+       struct owl_sps *sps;
+       int i, ret;
+-      if (!pdev->dev.of_node) {
+-              dev_err(&pdev->dev, "no device node\n");
+-              return -ENODEV;
+-      }
+-
+-      match = of_match_device(pdev->dev.driver->of_match_table, &pdev->dev);
+-      if (!match || !match->data) {
++      sps_info = device_get_match_data(&pdev->dev);
++      if (!sps_info) {
+               dev_err(&pdev->dev, "unknown compatible or missing data\n");
+               return -EINVAL;
+       }
+-      sps_info = match->data;
+-
+       sps = devm_kzalloc(&pdev->dev,
+                          struct_size(sps, domains, sps_info->num_domains),
+                          GFP_KERNEL);
+--- a/drivers/soc/imx/gpc.c
++++ b/drivers/soc/imx/gpc.c
+@@ -7,9 +7,10 @@
+ #include <linux/clk.h>
+ #include <linux/delay.h>
+ #include <linux/io.h>
+-#include <linux/of_device.h>
++#include <linux/of.h>
+ #include <linux/platform_device.h>
+ #include <linux/pm_domain.h>
++#include <linux/property.h>
+ #include <linux/regmap.h>
+ #include <linux/regulator/consumer.h>
+@@ -403,9 +404,7 @@ clk_err:
+ static int imx_gpc_probe(struct platform_device *pdev)
+ {
+-      const struct of_device_id *of_id =
+-                      of_match_device(imx_gpc_dt_ids, &pdev->dev);
+-      const struct imx_gpc_dt_data *of_id_data = of_id->data;
++      const struct imx_gpc_dt_data *of_id_data = device_get_match_data(&pdev->dev);
+       struct device_node *pgc_node;
+       struct regmap *regmap;
+       void __iomem *base;
+--- a/drivers/soc/rockchip/pm_domains.c
++++ b/drivers/soc/rockchip/pm_domains.c
+@@ -9,11 +9,13 @@
+ #include <linux/iopoll.h>
+ #include <linux/err.h>
+ #include <linux/mutex.h>
++#include <linux/platform_device.h>
+ #include <linux/pm_clock.h>
+ #include <linux/pm_domain.h>
++#include <linux/property.h>
++#include <linux/of.h>
+ #include <linux/of_address.h>
+ #include <linux/of_clk.h>
+-#include <linux/of_platform.h>
+ #include <linux/clk.h>
+ #include <linux/regmap.h>
+ #include <linux/mfd/syscon.h>
+@@ -728,7 +730,6 @@ static int rockchip_pm_domain_probe(stru
+       struct device_node *node;
+       struct device *parent;
+       struct rockchip_pmu *pmu;
+-      const struct of_device_id *match;
+       const struct rockchip_pmu_info *pmu_info;
+       int error;
+@@ -737,13 +738,7 @@ static int rockchip_pm_domain_probe(stru
+               return -ENODEV;
+       }
+-      match = of_match_device(dev->driver->of_match_table, dev);
+-      if (!match || !match->data) {
+-              dev_err(dev, "missing pmu data\n");
+-              return -EINVAL;
+-      }
+-
+-      pmu_info = match->data;
++      pmu_info = device_get_match_data(dev);
+       pmu = devm_kzalloc(dev,
+                          struct_size(pmu, domains, pmu_info->num_domains),
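Review bot: In the `rockchip_pm_domain_probe()` hunk of drivers/soc/rockchip/pm_domains.c, the result of `device_get_match_data(dev)` is dereferenced on the next line (`pmu_info->num_domains`) without a NULL check. The removed code rejected `!match || !match->data` with -EINVAL, and the owl-sps hunk in the same patch keeps an equivalent guard. Whether every match entry carries data is not visible here, so I would keep the old behaviour with `if (!pmu_info) {`, `dev_err(dev, "missing pmu data\n");` and `return -EINVAL;` before the `devm_kzalloc()` call. The function body starts and ends outside the hunk.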
diff --git a/queue-5.10/powerpc-pseries-cmm-adjust-balloon_migrate-when-migrating-pages.patch b/queue-5.10/powerpc-pseries-cmm-adjust-balloon_migrate-when-migrating-pages.patch
new file mode 100644 (file)
index 0000000..2388e85
--- /dev/null
@@ -0,0 +1,45 @@
+From stable+bounces-204904-greg=kroah.com@vger.kernel.org Mon Jan  5 20:41:15 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  5 Jan 2026 14:40:57 -0500
+Subject: powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages
+To: stable@vger.kernel.org
+Cc: David Hildenbrand <david@redhat.com>, "Ritesh Harjani (IBM)" <ritesh.list@gmail.com>, Christophe Leroy <christophe.leroy@csgroup.eu>, Madhavan Srinivasan <maddy@linux.ibm.com>, Michael Ellerman <mpe@ellerman.id.au>, Nicholas Piggin <npiggin@gmail.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260105194057.2747929-4-sashal@kernel.org>
+
+From: David Hildenbrand <david@redhat.com>
+
+[ Upstream commit 0da2ba35c0d532ca0fe7af698b17d74c4d084b9a ]
+
+Let's properly adjust BALLOON_MIGRATE like the other drivers.
+
+Note that the INFLATE/DEFLATE events are triggered from the core when
+enqueueing/dequeueing pages.
+
+This was found by code inspection.
+
+Link: https://lkml.kernel.org/r/20251021100606.148294-3-david@redhat.com
+Fixes: fe030c9b85e6 ("powerpc/pseries/cmm: Implement balloon compaction")
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/pseries/cmm.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/platforms/pseries/cmm.c
++++ b/arch/powerpc/platforms/pseries/cmm.c
+@@ -550,6 +550,7 @@ static int cmm_migratepage(struct balloo
+       spin_lock_irqsave(&b_dev_info->pages_lock, flags);
+       balloon_page_insert(b_dev_info, newpage);
++      __count_vm_event(BALLOON_MIGRATE);
+       b_dev_info->isolated_pages--;
+       spin_unlock_irqrestore(&b_dev_info->pages_lock, flags);
diff --git a/queue-5.10/scsi-iscsi-move-pool-freeing.patch b/queue-5.10/scsi-iscsi-move-pool-freeing.patch
new file mode 100644 (file)
index 0000000..85cd454
--- /dev/null
@@ -0,0 +1,42 @@
+From stable+bounces-206249-greg=kroah.com@vger.kernel.org Thu Jan  8 07:46:17 2026
+From: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Date: Wed,  7 Jan 2026 22:22:21 -0800
+Subject: scsi: iscsi: Move pool freeing
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: lduncan@suse.com, cleech@redhat.com, michael.christie@oracle.com, James.Bottomley@HansenPartnership.com, martin.petersen@oracle.com, open-iscsi@googlegroups.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Shivani Agarwal <shivani.agarwal@broadcom.com>
+Message-ID: <20260108062222.670715-2-shivani.agarwal@broadcom.com>
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit a1f3486b3b095ed2259d7a1fc021a8b6e72a5365 ]
+
+This doesn't fix any bugs, but it makes more sense to free the pool after
+we have removed the session. At that time we know nothing is touching any
+of the session fields, because all devices have been removed and scans are
+stopped.
+
+Link: https://lore.kernel.org/r/20210525181821.7617-19-michael.christie@oracle.com
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[Shivani: Modified to apply on 5.10.y]
+Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/libiscsi.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -2902,10 +2902,9 @@ void iscsi_session_teardown(struct iscsi
+       struct module *owner = cls_session->transport->owner;
+       struct Scsi_Host *shost = session->host;
+-      iscsi_pool_free(&session->cmdpool);
+-
+       iscsi_remove_session(cls_session);
++      iscsi_pool_free(&session->cmdpool);
+       kfree(session->password);
+       kfree(session->password_in);
+       kfree(session->username);
diff --git a/queue-5.10/scsi-iscsi_tcp-fix-uaf-during-logout-when-accessing-the-shost-ipaddress.patch b/queue-5.10/scsi-iscsi_tcp-fix-uaf-during-logout-when-accessing-the-shost-ipaddress.patch
new file mode 100644 (file)
index 0000000..5ecc01b
--- /dev/null
@@ -0,0 +1,227 @@
+From stable+bounces-206250-greg=kroah.com@vger.kernel.org Thu Jan  8 07:46:57 2026
+From: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Date: Wed,  7 Jan 2026 22:22:22 -0800
+Subject: scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: lduncan@suse.com, cleech@redhat.com, michael.christie@oracle.com, James.Bottomley@HansenPartnership.com, martin.petersen@oracle.com, open-iscsi@googlegroups.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Ding Hui <dinghui@sangfor.com.cn>, Shivani Agarwal <shivani.agarwal@broadcom.com>
+Message-ID: <20260108062222.670715-3-shivani.agarwal@broadcom.com>
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit 6f1d64b13097e85abda0f91b5638000afc5f9a06 ]
+
+Bug report and analysis from Ding Hui.
+
+During iSCSI session logout, if another task accesses the shost ipaddress
+attr, we can get a KASAN UAF report like this:
+
+[  276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0
+[  276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088
+[  276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G            E      6.1.0-rc8+ #3
+[  276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
+[  276.944470] Call Trace:
+[  276.944943]  <TASK>
+[  276.945397]  dump_stack_lvl+0x34/0x48
+[  276.945887]  print_address_description.constprop.0+0x86/0x1e7
+[  276.946421]  print_report+0x36/0x4f
+[  276.947358]  kasan_report+0xad/0x130
+[  276.948234]  kasan_check_range+0x35/0x1c0
+[  276.948674]  _raw_spin_lock_bh+0x78/0xe0
+[  276.949989]  iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp]
+[  276.951765]  show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi]
+[  276.952185]  dev_attr_show+0x3f/0x80
+[  276.953005]  sysfs_kf_seq_show+0x1fb/0x3e0
+[  276.953401]  seq_read_iter+0x402/0x1020
+[  276.954260]  vfs_read+0x532/0x7b0
+[  276.955113]  ksys_read+0xed/0x1c0
+[  276.955952]  do_syscall_64+0x38/0x90
+[  276.956347]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[  276.956769] RIP: 0033:0x7f5d3a679222
+[  276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
+[  276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
+[  276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222
+[  276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003
+[  276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000
+[  276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000
+[  276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58
+[  276.960536]  </TASK>
+[  276.961357] Allocated by task 2209:
+[  276.961756]  kasan_save_stack+0x1e/0x40
+[  276.962170]  kasan_set_track+0x21/0x30
+[  276.962557]  __kasan_kmalloc+0x7e/0x90
+[  276.962923]  __kmalloc+0x5b/0x140
+[  276.963308]  iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi]
+[  276.963712]  iscsi_session_setup+0xda/0xba0 [libiscsi]
+[  276.964078]  iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp]
+[  276.964431]  iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi]
+[  276.964793]  iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi]
+[  276.965153]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
+[  276.965546]  netlink_unicast+0x4d5/0x7b0
+[  276.965905]  netlink_sendmsg+0x78d/0xc30
+[  276.966236]  sock_sendmsg+0xe5/0x120
+[  276.966576]  ____sys_sendmsg+0x5fe/0x860
+[  276.966923]  ___sys_sendmsg+0xe0/0x170
+[  276.967300]  __sys_sendmsg+0xc8/0x170
+[  276.967666]  do_syscall_64+0x38/0x90
+[  276.968028]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[  276.968773] Freed by task 2209:
+[  276.969111]  kasan_save_stack+0x1e/0x40
+[  276.969449]  kasan_set_track+0x21/0x30
+[  276.969789]  kasan_save_free_info+0x2a/0x50
+[  276.970146]  __kasan_slab_free+0x106/0x190
+[  276.970470]  __kmem_cache_free+0x133/0x270
+[  276.970816]  device_release+0x98/0x210
+[  276.971145]  kobject_cleanup+0x101/0x360
+[  276.971462]  iscsi_session_teardown+0x3fb/0x530 [libiscsi]
+[  276.971775]  iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp]
+[  276.972143]  iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi]
+[  276.972485]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
+[  276.972808]  netlink_unicast+0x4d5/0x7b0
+[  276.973201]  netlink_sendmsg+0x78d/0xc30
+[  276.973544]  sock_sendmsg+0xe5/0x120
+[  276.973864]  ____sys_sendmsg+0x5fe/0x860
+[  276.974248]  ___sys_sendmsg+0xe0/0x170
+[  276.974583]  __sys_sendmsg+0xc8/0x170
+[  276.974891]  do_syscall_64+0x38/0x90
+[  276.975216]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+We can easily reproduce by two tasks:
+1. while :; do iscsiadm -m node --login; iscsiadm -m node --logout; done
+2. while :; do cat \
+/sys/devices/platform/host*/iscsi_host/host*/ipaddress; done
+
+            iscsid              |        cat
+--------------------------------+---------------------------------------
+|- iscsi_sw_tcp_session_destroy |
+  |- iscsi_session_teardown     |
+    |- device_release           |
+      |- iscsi_session_release  ||- dev_attr_show
+        |- kfree                |  |- show_host_param_
+                                |             ISCSI_HOST_PARAM_IPADDRESS
+                                |    |- iscsi_sw_tcp_host_get_param
+                                |      |- r/w tcp_sw_host->session (UAF)
+  |- iscsi_host_remove          |
+  |- iscsi_host_free            |
+
+Fix the above bug by splitting the session removal into 2 parts:
+
+ 1. removal from iSCSI class which includes sysfs and removal from host
+    tracking.
+
+ 2. freeing of session.
+
+During iscsi_tcp host and session removal we can remove the session from
+sysfs then remove the host from sysfs. At this point we know userspace is
+not accessing the kernel via sysfs so we can free the session and host.
+
+Link: https://lore.kernel.org/r/20230117193937.21244-2-michael.christie@oracle.com
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Acked-by: Ding Hui <dinghui@sangfor.com.cn>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[Shivani: The false parameter was not passed to iscsi_host_remove() because,
+          in Linux 5.10.y, the default behavior of iscsi_host_remove() already
+          assumes false.]
+Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/iscsi_tcp.c |   11 +++++++++--
+ drivers/scsi/libiscsi.c  |   38 +++++++++++++++++++++++++++++++-------
+ include/scsi/libiscsi.h  |    2 ++
+ 3 files changed, 42 insertions(+), 9 deletions(-)
+
+--- a/drivers/scsi/iscsi_tcp.c
++++ b/drivers/scsi/iscsi_tcp.c
+@@ -933,10 +933,17 @@ static void iscsi_sw_tcp_session_destroy
+       if (WARN_ON_ONCE(session->leadconn))
+               return;
++      iscsi_session_remove(cls_session);
++      /*
++       * Our get_host_param needs to access the session, so remove the
++       * host from sysfs before freeing the session to make sure userspace
++       * is no longer accessing the callout.
++       */
++      iscsi_host_remove(shost);
++
+       iscsi_tcp_r2tpool_free(cls_session->dd_data);
+-      iscsi_session_teardown(cls_session);
+-      iscsi_host_remove(shost);
++      iscsi_session_free(cls_session);
+       iscsi_host_free(shost);
+ }
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -2892,17 +2892,32 @@ dec_session_count:
+ }
+ EXPORT_SYMBOL_GPL(iscsi_session_setup);
+-/**
+- * iscsi_session_teardown - destroy session, host, and cls_session
+- * @cls_session: iscsi session
++/*
++ * issi_session_remove - Remove session from iSCSI class.
+  */
+-void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
++void iscsi_session_remove(struct iscsi_cls_session *cls_session)
+ {
+       struct iscsi_session *session = cls_session->dd_data;
+-      struct module *owner = cls_session->transport->owner;
+       struct Scsi_Host *shost = session->host;
+       iscsi_remove_session(cls_session);
++      /*
++       * host removal only has to wait for its children to be removed from
++       * sysfs, and iscsi_tcp needs to do iscsi_host_remove before freeing
++       * the session, so drop the session count here.
++       */
++      iscsi_host_dec_session_cnt(shost);
++}
++EXPORT_SYMBOL_GPL(iscsi_session_remove);
++
++/**
++ * iscsi_session_free - Free iscsi session and it's resources
++ * @cls_session: iscsi session
++ */
++void iscsi_session_free(struct iscsi_cls_session *cls_session)
++{
++      struct iscsi_session *session = cls_session->dd_data;
++      struct module *owner = cls_session->transport->owner;
+       iscsi_pool_free(&session->cmdpool);
+       kfree(session->password);
+@@ -2920,10 +2935,19 @@ void iscsi_session_teardown(struct iscsi
+       kfree(session->discovery_parent_type);
+       iscsi_free_session(cls_session);
+-
+-      iscsi_host_dec_session_cnt(shost);
+       module_put(owner);
+ }
++EXPORT_SYMBOL_GPL(iscsi_session_free);
++
++/**
++ * iscsi_session_teardown - destroy session and cls_session
++ * @cls_session: iscsi session
++ */
++void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
++{
++      iscsi_session_remove(cls_session);
++      iscsi_session_free(cls_session);
++}
+ EXPORT_SYMBOL_GPL(iscsi_session_teardown);
+ /**
+--- a/include/scsi/libiscsi.h
++++ b/include/scsi/libiscsi.h
+@@ -401,6 +401,8 @@ extern int iscsi_target_alloc(struct scs
+ extern struct iscsi_cls_session *
+ iscsi_session_setup(struct iscsi_transport *, struct Scsi_Host *shost,
+                   uint16_t, int, int, uint32_t, unsigned int);
++void iscsi_session_remove(struct iscsi_cls_session *cls_session);
++void iscsi_session_free(struct iscsi_cls_session *cls_session);
+ extern void iscsi_session_teardown(struct iscsi_cls_session *);
+ extern void iscsi_session_recovery_timedout(struct iscsi_cls_session *);
+ extern int iscsi_set_param(struct iscsi_cls_conn *cls_conn,
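Review bot: The header comment on the new exported `iscsi_session_remove()` in the libiscsi.c hunk is misspelled (`issi_session_remove`) and opens with `/*` rather than `/**`, so kernel-doc will not pick it up, unlike the comments on `iscsi_session_free()` and `iscsi_session_teardown()` beside it. I would open it with `/**`, name it ` * iscsi_session_remove - Remove session from iSCSI class`, and add ` * @cls_session: iscsi session`. It should also state the ordering contract this use-after-free fix depends on: the session memory stays valid after the call and must later be released with `iscsi_session_free()`, and the host session count has already been dropped. In the `iscsi_session_free()` comment, "it's resources" should read "its resources".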
index c45a10a2b111b82f3e1340a2b2d0193cb1190b5f..65a3f6d2f5ad7d661464084b5b5fc4c29c5acc9e 100644 (file)
@@ -377,4 +377,32 @@ powerpc-64s-slb-fix-slb-multihit-issue-during-slb-preload.patch
 pci-brcmstb-fix-disabling-l0s-capability.patch
 powerpc-pseries-cmm-call-balloon_devinfo_init-also-without-config_balloon_compaction.patch
 media-renesas-rcar_drif-fix-device-node-reference-leak-in-rcar_drif_bond_enabled.patch
-kvm-arm64-sys_regs-disable-wuninitialized-const-pointer-warning.patch
+asoc-stm-use-dev_err_probe-helper.patch
+asoc-stm32-sai-use-the-devm_clk_get_optional-helper.patch
+asoc-stm32-sai-fix-clk-prepare-imbalance-on-probe-failure.patch
+mm-balloon_compaction-make-balloon-page-compaction-callbacks-static.patch
+mm-balloon_compaction-we-cannot-have-isolated-pages-in-the-balloon-list.patch
+mm-balloon_compaction-convert-balloon_page_delete-to-balloon_page_finalize.patch
+powerpc-pseries-cmm-adjust-balloon_migrate-when-migrating-pages.patch
+media-mediatek-vcodec-fix-a-reference-leak-in-mtk_vcodec_fw_vpu_init.patch
+media-vpif_capture-fix-section-mismatch.patch
+media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch
+soc-rockchip-power-domain-manage-resource-conflicts-with-firmware.patch
+pmdomain-use-device_get_match_data.patch
+pmdomain-imx-fix-reference-count-leak-in-imx_gpc_probe.patch
+lockd-fix-vfs_test_lock-calls.patch
+drm-gma500-remove-unused-helper-psb_fbdev_fb_setcolreg.patch
+wifi-mac80211-discard-beacon-frames-to-non-broadcast-address.patch
+nfsd-nfsv4-file-creation-neglects-setting-acl.patch
+mm-mprotect-use-long-for-page-accountings-and-retval.patch
+mm-mprotect-delete-pmd_none_or_clear_bad_unless_trans_huge.patch
+scsi-iscsi-move-pool-freeing.patch
+scsi-iscsi_tcp-fix-uaf-during-logout-when-accessing-the-shost-ipaddress.patch
+cpufreq-scmi-fix-null-ptr-deref-in-scmi_cpufreq_get_rate.patch
+ovl-use-buf-flexible-array-for-memcpy-destination.patch
+btrfs-do-not-clean-up-repair-bio-if-submit-fails.patch
+bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch
+leds-lp50xx-reduce-level-of-dereferences.patch
+leds-lp50xx-get-rid-of-redundant-check-in-lp50xx_enable_disable.patch
+leds-lp50xx-remove-duplicated-error-reporting-in-.remove.patch
+leds-leds-lp50xx-enable-chip-before-any-communication.patch
diff --git a/queue-5.10/soc-rockchip-power-domain-manage-resource-conflicts-with-firmware.patch b/queue-5.10/soc-rockchip-power-domain-manage-resource-conflicts-with-firmware.patch
new file mode 100644 (file)
index 0000000..fda4b06
--- /dev/null
@@ -0,0 +1,291 @@
+From stable+bounces-206023-greg=kroah.com@vger.kernel.org Tue Jan  6 20:08:34 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue,  6 Jan 2026 13:26:52 -0500
+Subject: soc: rockchip: power-domain: Manage resource conflicts with firmware
+To: stable@vger.kernel.org
+Cc: Brian Norris <briannorris@chromium.org>, Peter Geis <pgwipeout@gmail.com>, Heiko Stuebner <heiko@sntech.de>, Chanwoo Choi <cw00.choi@samsung.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260106182656.3115094-1-sashal@kernel.org>
+
+From: Brian Norris <briannorris@chromium.org>
+
+[ Upstream commit defec178df76e0caadd4e8ef68f3d655a2088198 ]
+
+On RK3399 platforms, power domains are managed mostly by the kernel
+(drivers/soc/rockchip/pm_domains.c), but there are a few exceptions
+where ARM Trusted Firmware has to be involved:
+
+(1) system suspend/resume
+(2) DRAM DVFS (a.k.a., "ddrfreq")
+
+Exception (1) does not cause much conflict, since the kernel has
+quiesced itself by the time we make the relevant PSCI call.
+
+Exception (2) can cause conflict, because of two actions:
+
+(a) ARM Trusted Firmware needs to read/modify/write the PMU_BUS_IDLE_REQ
+    register to idle the memory controller domain; the kernel driver
+    also has to touch this register for other domains.
+(b) ARM Trusted Firmware needs to manage the clocks associated with
+    these domains.
+
+To elaborate on (b): idling a power domain has always required ungating
+an array of clocks; see this old explanation from Rockchip:
+https://lore.kernel.org/linux-arm-kernel/54503C19.9060607@rock-chips.com/
+
+Historically, ARM Trusted Firmware has avoided this issue by using a
+special PMU_CRU_GATEDIS_CON0 register -- this register ungates all the
+necessary clocks -- when idling the memory controller. Unfortunately,
+we've found that this register is not 100% sufficient; it does not turn
+the relevant PLLs on [0].
+
+So it's possible to trigger issues with something like the following:
+
+1. enable a power domain (e.g., RK3399_PD_VDU) -- kernel will
+   temporarily enable relevant clocks/PLLs, then turn them back off
+   2. a PLL (e.g., PLL_NPLL) is part of the clock tree for
+      RK3399_PD_VDU's clocks but otherwise unused; NPLL is disabled
+3. perform a ddrfreq transition (rk3399_dmcfreq_target() -> ...
+   drivers/clk/rockchip/clk-ddr.c / ROCKCHIP_SIP_DRAM_FREQ)
+   4. ARM Trusted Firmware unagates VDU clocks (via PMU_CRU_GATEDIS_CON0)
+   5. ARM Trusted firmware idles the memory controller domain
+   6. Step 5 waits on the VDU domain/clocks, but NPLL is still off
+
+i.e., we hang the system.
+
+So for (b), we need to at a minimum manage the relevant PLLs on behalf
+of firmware. It's easier to simply manage the whole clock tree, in a
+similar way we do in rockchip_pd_power().
+
+For (a), we need to provide mutual exclusion betwen rockchip_pd_power()
+and firmware. To resolve that, we simply grab the PMU mutex and release
+it when ddrfreq is done.
+
+The Chromium OS kernel has been carrying versions of part of this hack
+for a while, based on some new custom notifiers [1]. I've rewritten as a
+simple function call between the drivers, which is OK because:
+
+ * the PMU driver isn't enabled, and we don't have this problem at all
+   (the firmware should have left us in an OK state, and there are no
+   runtime conflicts); or
+ * the PMU driver is present, and is a single instance.
+
+And the power-domain driver cannot be removed, so there's no lifetime
+management to worry about.
+
+For completeness, there's a 'dmc_pmu_mutex' to guard (likely
+theoretical?) probe()-time races. It's OK for the memory controller
+driver to start running before the PMU, because the PMU will avoid any
+critical actions during the block() sequence.
+
+[0] The RK3399 TRM for PMU_CRU_GATEDIS_CON0 only talks about ungating
+    clocks. Based on experimentation, we've found that it does not power
+    up the necessary PLLs.
+
+[1] CHROMIUM: soc: rockchip: power-domain: Add notifier to dmc driver
+    https://chromium-review.googlesource.com/q/I242dbd706d352f74ff706f5cbf42ebb92f9bcc60
+    Notably, the Chromium solution only handled conflict (a), not (b).
+    In practice, item (b) wasn't a problem in many cases because we
+    never managed to fully power off PLLs. Now that the (upstream) video
+    decoder driver performs runtime clock management, we often power off
+    NPLL.
+
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Tested-by: Peter Geis <pgwipeout@gmail.com>
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Stable-dep-of: 73cb5f6eafb0 ("pmdomain: imx: Fix reference count leak in imx_gpc_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/rockchip/pm_domains.c |  118 ++++++++++++++++++++++++++++++++++++++
+ include/soc/rockchip/pm_domains.h |   25 ++++++++
+ 2 files changed, 143 insertions(+)
+ create mode 100644 include/soc/rockchip/pm_domains.h
+
+--- a/drivers/soc/rockchip/pm_domains.c
++++ b/drivers/soc/rockchip/pm_domains.c
+@@ -8,6 +8,7 @@
+ #include <linux/io.h>
+ #include <linux/iopoll.h>
+ #include <linux/err.h>
++#include <linux/mutex.h>
+ #include <linux/pm_clock.h>
+ #include <linux/pm_domain.h>
+ #include <linux/of_address.h>
+@@ -16,6 +17,7 @@
+ #include <linux/clk.h>
+ #include <linux/regmap.h>
+ #include <linux/mfd/syscon.h>
++#include <soc/rockchip/pm_domains.h>
+ #include <dt-bindings/power/px30-power.h>
+ #include <dt-bindings/power/rk3036-power.h>
+ #include <dt-bindings/power/rk3066-power.h>
+@@ -131,6 +133,109 @@ struct rockchip_pmu {
+ #define DOMAIN_RK3399(pwr, status, req, wakeup)               \
+       DOMAIN(pwr, status, req, req, req, wakeup)
++/*
++ * Dynamic Memory Controller may need to coordinate with us -- see
++ * rockchip_pmu_block().
++ *
++ * dmc_pmu_mutex protects registration-time races, so DMC driver doesn't try to
++ * block() while we're initializing the PMU.
++ */
++static DEFINE_MUTEX(dmc_pmu_mutex);
++static struct rockchip_pmu *dmc_pmu;
++
++/*
++ * Block PMU transitions and make sure they don't interfere with ARM Trusted
++ * Firmware operations. There are two conflicts, noted in the comments below.
++ *
++ * Caller must unblock PMU transitions via rockchip_pmu_unblock().
++ */
++int rockchip_pmu_block(void)
++{
++      struct rockchip_pmu *pmu;
++      struct generic_pm_domain *genpd;
++      struct rockchip_pm_domain *pd;
++      int i, ret;
++
++      mutex_lock(&dmc_pmu_mutex);
++
++      /* No PMU (yet)? Then we just block rockchip_pmu_probe(). */
++      if (!dmc_pmu)
++              return 0;
++      pmu = dmc_pmu;
++
++      /*
++       * mutex blocks all idle transitions: we can't touch the
++       * PMU_BUS_IDLE_REQ (our ".idle_offset") register while ARM Trusted
++       * Firmware might be using it.
++       */
++      mutex_lock(&pmu->mutex);
++
++      /*
++       * Power domain clocks: Per Rockchip, we *must* keep certain clocks
++       * enabled for the duration of power-domain transitions. Most
++       * transitions are handled by this driver, but some cases (in
++       * particular, DRAM DVFS / memory-controller idle) must be handled by
++       * firmware. Firmware can handle most clock management via a special
++       * "ungate" register (PMU_CRU_GATEDIS_CON0), but unfortunately, this
++       * doesn't handle PLLs. We can assist this transition by doing the
++       * clock management on behalf of firmware.
++       */
++      for (i = 0; i < pmu->genpd_data.num_domains; i++) {
++              genpd = pmu->genpd_data.domains[i];
++              if (genpd) {
++                      pd = to_rockchip_pd(genpd);
++                      ret = clk_bulk_enable(pd->num_clks, pd->clks);
++                      if (ret < 0) {
++                              dev_err(pmu->dev,
++                                      "failed to enable clks for domain '%s': %d\n",
++                                      genpd->name, ret);
++                              goto err;
++                      }
++              }
++      }
++
++      return 0;
++
++err:
++      for (i = i - 1; i >= 0; i--) {
++              genpd = pmu->genpd_data.domains[i];
++              if (genpd) {
++                      pd = to_rockchip_pd(genpd);
++                      clk_bulk_disable(pd->num_clks, pd->clks);
++              }
++      }
++      mutex_unlock(&pmu->mutex);
++      mutex_unlock(&dmc_pmu_mutex);
++
++      return ret;
++}
++EXPORT_SYMBOL_GPL(rockchip_pmu_block);
++
++/* Unblock PMU transitions. */
++void rockchip_pmu_unblock(void)
++{
++      struct rockchip_pmu *pmu;
++      struct generic_pm_domain *genpd;
++      struct rockchip_pm_domain *pd;
++      int i;
++
++      if (dmc_pmu) {
++              pmu = dmc_pmu;
++              for (i = 0; i < pmu->genpd_data.num_domains; i++) {
++                      genpd = pmu->genpd_data.domains[i];
++                      if (genpd) {
++                              pd = to_rockchip_pd(genpd);
++                              clk_bulk_disable(pd->num_clks, pd->clks);
++                      }
++              }
++
++              mutex_unlock(&pmu->mutex);
++      }
++
++      mutex_unlock(&dmc_pmu_mutex);
++}
++EXPORT_SYMBOL_GPL(rockchip_pmu_unblock);
++
+ static bool rockchip_pmu_domain_is_idle(struct rockchip_pm_domain *pd)
+ {
+       struct rockchip_pmu *pmu = pd->pmu;
+@@ -679,6 +784,12 @@ static int rockchip_pm_domain_probe(stru
+       error = -ENODEV;
++      /*
++       * Prevent any rockchip_pmu_block() from racing with the remainder of
++       * setup (clocks, register initialization).
++       */
++      mutex_lock(&dmc_pmu_mutex);
++
+       for_each_available_child_of_node(np, node) {
+               error = rockchip_pm_add_one_domain(pmu, node);
+               if (error) {
+@@ -708,10 +819,17 @@ static int rockchip_pm_domain_probe(stru
+               goto err_out;
+       }
++      /* We only expect one PMU. */
++      if (!WARN_ON_ONCE(dmc_pmu))
++              dmc_pmu = pmu;
++
++      mutex_unlock(&dmc_pmu_mutex);
++
+       return 0;
+ err_out:
+       rockchip_pm_domain_cleanup(pmu);
++      mutex_unlock(&dmc_pmu_mutex);
+       return error;
+ }
+--- /dev/null
++++ b/include/soc/rockchip/pm_domains.h
+@@ -0,0 +1,25 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++/*
++ * Copyright 2022, The Chromium OS Authors. All rights reserved.
++ */
++
++#ifndef __SOC_ROCKCHIP_PM_DOMAINS_H__
++#define __SOC_ROCKCHIP_PM_DOMAINS_H__
++
++#ifdef CONFIG_ROCKCHIP_PM_DOMAINS
++
++int rockchip_pmu_block(void);
++void rockchip_pmu_unblock(void);
++
++#else /* CONFIG_ROCKCHIP_PM_DOMAINS */
++
++static inline int rockchip_pmu_block(void)
++{
++      return 0;
++}
++
++static inline void rockchip_pmu_unblock(void) { }
++
++#endif /* CONFIG_ROCKCHIP_PM_DOMAINS */
++
++#endif /* __SOC_ROCKCHIP_PM_DOMAINS_H__ */
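Review bot: The comment above `rockchip_pmu_block()` does not state its locking contract. On success the function returns with `dmc_pmu_mutex` held (and `pmu->mutex` too when a PMU is registered), but the `err:` path releases both before returning. The comment says only that the caller must unblock, so a caller that calls `rockchip_pmu_unblock()` after a failed block would unlock mutexes it does not hold. I would add to the comment `Returns 0 with PMU transitions blocked; on error nothing is held and rockchip_pmu_unblock() must not be called.`, and repeat it next to the prototypes in include/soc/rockchip/pm_domains.h. No caller is visible in this patch, so how the DMC driver handles the error return cannot be checked from here.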
diff --git a/queue-5.10/wifi-mac80211-discard-beacon-frames-to-non-broadcast-address.patch b/queue-5.10/wifi-mac80211-discard-beacon-frames-to-non-broadcast-address.patch
new file mode 100644 (file)
index 0000000..fd7685e
--- /dev/null
@@ -0,0 +1,62 @@
+From stable+bounces-206131-greg=kroah.com@vger.kernel.org Wed Jan  7 12:54:09 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed,  7 Jan 2026 06:53:59 -0500
+Subject: wifi: mac80211: Discard Beacon frames to non-broadcast address
+To: stable@vger.kernel.org
+Cc: Jouni Malinen <jouni.malinen@oss.qualcomm.com>, Johannes Berg <johannes.berg@intel.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260107115359.3985007-1-sashal@kernel.org>
+
+From: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
+
+[ Upstream commit 193d18f60588e95d62e0f82b6a53893e5f2f19f8 ]
+
+Beacon frames are required to be sent to the broadcast address, see IEEE
+Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame
+shall be set to the broadcast address"). A unicast Beacon frame might be
+used as a targeted attack to get one of the associated STAs to do
+something (e.g., using CSA to move it to another channel). As such, it
+is better have strict filtering for this on the received side and
+discard all Beacon frames that are sent to an unexpected address.
+
+This is even more important for cases where beacon protection is used.
+The current implementation in mac80211 is correctly discarding unicast
+Beacon frames if the Protected Frame bit in the Frame Control field is
+set to 0. However, if that bit is set to 1, the logic used for checking
+for configured BIGTK(s) does not actually work. If the driver does not
+have logic for dropping unicast Beacon frames with Protected Frame bit
+1, these frames would be accepted in mac80211 processing as valid Beacon
+frames even though they are not protected. This would allow beacon
+protection to be bypassed. While the logic for checking beacon
+protection could be extended to cover this corner case, a more generic
+check for discard all Beacon frames based on A1=unicast address covers
+this without needing additional changes.
+
+Address all these issues by dropping received Beacon frames if they are
+sent to a non-broadcast address.
+
+Cc: stable@vger.kernel.org
+Fixes: af2d14b01c32 ("mac80211: Beacon protection using the new BIGTK (STA)")
+Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251215151134.104501-1-jouni.malinen@oss.qualcomm.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+[ adapted RX_DROP return value to RX_DROP_MONITOR ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/rx.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -3189,6 +3189,11 @@ ieee80211_rx_h_mgmt_check(struct ieee802
+       if (!ieee80211_is_mgmt(mgmt->frame_control))
+               return RX_DROP_MONITOR;
++      /* Drop non-broadcast Beacon frames */
++      if (ieee80211_is_beacon(mgmt->frame_control) &&
++          !is_broadcast_ether_addr(mgmt->da))
++              return RX_DROP_MONITOR;
++
+       if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
+           ieee80211_is_beacon(mgmt->frame_control) &&
+           !(rx->flags & IEEE80211_RX_BEACON_REPORTED)) {