6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 1 May 2026 11:14:45 +0000 (13:14 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 1 May 2026 11:14:45 +0000 (13:14 +0200)
added patches:
erofs-fix-the-out-of-bounds-nameoff-handling-for-trailing-dirents.patch
iio-adc-ti-ads7950-use-iio_push_to_buffers_with_ts_unaligned.patch
io_uring-poll-ensure-epoll_oneshot-is-propagated-for-epoll_uring_wake.patch
io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch
io_uring-timeout-check-unused-sqe-fields.patch
md-raid10-fix-deadlock-with-check-operation-and-nowait-requests.patch
nvme-pci-add-nvme_quirk_disable_write_zeroes-for-kingston-om3sgp4.patch
nvme-respect-nvme_quirk_disable_write_zeroes-when-wzsl-is-set.patch
parisc-_llseek-syscall-is-only-available-for-32-bit-userspace.patch
rbd-fix-null-ptr-deref-when-device_add_disk-fails.patch
selftests-mqueue-fix-incorrectly-named-file.patch

12 files changed:
queue-6.1/erofs-fix-the-out-of-bounds-nameoff-handling-for-trailing-dirents.patch [new file with mode: 0644]
queue-6.1/iio-adc-ti-ads7950-use-iio_push_to_buffers_with_ts_unaligned.patch [new file with mode: 0644]
queue-6.1/io_uring-poll-ensure-epoll_oneshot-is-propagated-for-epoll_uring_wake.patch [new file with mode: 0644]
queue-6.1/io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch [new file with mode: 0644]
queue-6.1/io_uring-timeout-check-unused-sqe-fields.patch [new file with mode: 0644]
queue-6.1/md-raid10-fix-deadlock-with-check-operation-and-nowait-requests.patch [new file with mode: 0644]
queue-6.1/nvme-pci-add-nvme_quirk_disable_write_zeroes-for-kingston-om3sgp4.patch [new file with mode: 0644]
queue-6.1/nvme-respect-nvme_quirk_disable_write_zeroes-when-wzsl-is-set.patch [new file with mode: 0644]
queue-6.1/parisc-_llseek-syscall-is-only-available-for-32-bit-userspace.patch [new file with mode: 0644]
queue-6.1/rbd-fix-null-ptr-deref-when-device_add_disk-fails.patch [new file with mode: 0644]
queue-6.1/selftests-mqueue-fix-incorrectly-named-file.patch [new file with mode: 0644]
queue-6.1/series

diff --git a/queue-6.1/erofs-fix-the-out-of-bounds-nameoff-handling-for-trailing-dirents.patch b/queue-6.1/erofs-fix-the-out-of-bounds-nameoff-handling-for-trailing-dirents.patch
new file mode 100644 (file)
index 0000000..109182e
--- /dev/null
@@ -0,0 +1,88 @@
+From d18a3b5d337fa412a38e776e6b4b857a58836575 Mon Sep 17 00:00:00 2001
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+Date: Tue, 21 Apr 2026 15:59:52 +0800
+Subject: erofs: fix the out-of-bounds nameoff handling for trailing dirents
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+commit d18a3b5d337fa412a38e776e6b4b857a58836575 upstream.
+
+Currently we already have boundary-checks for nameoffs, but the trailing
+dirents are special since the namelens are calculated with strnlen()
+with unchecked nameoffs.
+
+If a crafted EROFS has a trailing dirent with nameoff >= maxsize,
+maxsize - nameoff can underflow, causing strnlen() to read past the
+directory block.
+
+nameoff0 should also be verified to be a multiple of
+`sizeof(struct erofs_dirent)` as well [1].
+
+[1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com
+
+Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations")
+Fixes: 33bac912840f ("staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()")
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Reported-by: Junrui Luo <moonafterrain@outlook.com>
+Closes: https://lore.kernel.org/r/A0FD7E0F-7558-49B0-8BC8-EB1ECDB2479A@outlook.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/erofs/dir.c |   28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+--- a/fs/erofs/dir.c
++++ b/fs/erofs/dir.c
+@@ -22,20 +22,18 @@ static int erofs_fill_dentries(struct in
+               nameoff = le16_to_cpu(de->nameoff);
+               de_name = (char *)dentry_blk + nameoff;
+-              /* the last dirent in the block? */
+-              if (de + 1 >= end)
+-                      de_namelen = strnlen(de_name, maxsize - nameoff);
+-              else
++              /* non-trailing dirent in the directory block? */
++              if (de + 1 < end)
+                       de_namelen = le16_to_cpu(de[1].nameoff) - nameoff;
++              else if (maxsize <= nameoff)
++                      goto err_bogus;
++              else
++                      de_namelen = strnlen(de_name, maxsize - nameoff);
+-              /* a corrupted entry is found */
+-              if (nameoff + de_namelen > maxsize ||
+-                  de_namelen > EROFS_NAME_LEN) {
+-                      erofs_err(dir->i_sb, "bogus dirent @ nid %llu",
+-                                EROFS_I(dir)->nid);
+-                      DBG_BUGON(1);
+-                      return -EFSCORRUPTED;
+-              }
++              /* a corrupted entry is found (including negative namelen) */
++              if (!in_range32(de_namelen, 1, EROFS_NAME_LEN) ||
++                  nameoff + de_namelen > maxsize)
++                      goto err_bogus;
+               if (!dir_emit(ctx, de_name, de_namelen,
+                             le64_to_cpu(de->nid), d_type))
+@@ -44,6 +42,10 @@ static int erofs_fill_dentries(struct in
+               ctx->pos += sizeof(struct erofs_dirent);
+       }
+       return 0;
++err_bogus:
++      erofs_err(dir->i_sb, "bogus dirent @ nid %llu", EROFS_I(dir)->nid);
++      DBG_BUGON(1);
++      return -EFSCORRUPTED;
+ }
+ static int erofs_readdir(struct file *f, struct dir_context *ctx)
+@@ -71,7 +73,7 @@ static int erofs_readdir(struct file *f,
+               }
+               nameoff = le16_to_cpu(de->nameoff);
+-              if (nameoff < sizeof(struct erofs_dirent) || nameoff >= bsz) {
++              if (!nameoff || nameoff >= bsz || (nameoff % sizeof(*de))) {
+                       erofs_err(sb, "invalid de[0].nameoff %u @ nid %llu",
+                                 nameoff, EROFS_I(dir)->nid);
+                       err = -EFSCORRUPTED;
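Review bot: In erofs_fill_dentries(), the new `else if (maxsize <= nameoff)` branch is a bounds check placed inside a chain that otherwise only selects how de_namelen is computed, and nothing in the code says it must run before strnlen(). A comment on that branch would keep it from being merged back into the later range test, for example `/* trailing dirent: nameoff must lie inside the block, else maxsize - nameoff wraps and strnlen() overruns */`. The `in_range32(de_namelen, 1, EROFS_NAME_LEN)` test also starts rejecting zero-length names, which the removed condition accepted; that looks intended but deserves a word in the comment above it. in_range32() has to be available in the 6.1 tree for this to build, which this patch does not show. Only part of the function is visible here.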
diff --git a/queue-6.1/iio-adc-ti-ads7950-use-iio_push_to_buffers_with_ts_unaligned.patch b/queue-6.1/iio-adc-ti-ads7950-use-iio_push_to_buffers_with_ts_unaligned.patch
new file mode 100644 (file)
index 0000000..3fb8760
--- /dev/null
@@ -0,0 +1,59 @@
+From 7806c060cceb2d6895efbb6cff2f2f17cf1ec5de Mon Sep 17 00:00:00 2001
+From: David Lechner <dlechner@baylibre.com>
+Date: Sat, 14 Mar 2026 16:12:24 -0500
+Subject: iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()
+
+From: David Lechner <dlechner@baylibre.com>
+
+commit 7806c060cceb2d6895efbb6cff2f2f17cf1ec5de upstream.
+
+Use iio_push_to_buffers_with_ts_unaligned() to avoid unaligned access
+when writing the timestamp in the rx_buf.
+
+The previous implementation would have been fine on architectures that
+support 4-byte alignment of 64-bit integers but could cause issues on
+architectures that require 8-byte alignment.
+
+Fixes: 902c4b2446d4 ("iio: adc: New driver for TI ADS7950 chips")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-ads7950.c |   11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/iio/adc/ti-ads7950.c
++++ b/drivers/iio/adc/ti-ads7950.c
+@@ -47,8 +47,6 @@
+ #define TI_ADS7950_MAX_CHAN   16
+ #define TI_ADS7950_NUM_GPIOS  4
+-#define TI_ADS7950_TIMESTAMP_SIZE (sizeof(int64_t) / sizeof(__be16))
+-
+ /* val = value, dec = left shift, bits = number of bits of the mask */
+ #define TI_ADS7950_EXTRACT(val, dec, bits) \
+       (((val) >> (dec)) & ((1 << (bits)) - 1))
+@@ -105,8 +103,7 @@ struct ti_ads7950_state {
+        * DMA (thus cache coherency maintenance) may require the
+        * transfer buffers to live in their own cache lines.
+        */
+-      u16 rx_buf[TI_ADS7950_MAX_CHAN + 2 + TI_ADS7950_TIMESTAMP_SIZE]
+-              __aligned(IIO_DMA_MINALIGN);
++      u16 rx_buf[TI_ADS7950_MAX_CHAN + 2] __aligned(IIO_DMA_MINALIGN);
+       u16 tx_buf[TI_ADS7950_MAX_CHAN + 2];
+       u16 single_tx;
+       u16 single_rx;
+@@ -313,8 +310,10 @@ static irqreturn_t ti_ads7950_trigger_ha
+       if (ret < 0)
+               goto out;
+-      iio_push_to_buffers_with_timestamp(indio_dev, &st->rx_buf[2],
+-                                         iio_get_time_ns(indio_dev));
++      iio_push_to_buffers_with_ts_unaligned(indio_dev, &st->rx_buf[2],
++                                            sizeof(*st->rx_buf) *
++                                            TI_ADS7950_MAX_CHAN,
++                                            iio_get_time_ns(indio_dev));
+ out:
+       mutex_unlock(&st->slock);
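Review bot: The length passed to iio_push_to_buffers_with_ts_unaligned() in ti_ads7950_trigger_handler() is always the full `sizeof(*st->rx_buf) * TI_ADS7950_MAX_CHAN` span, whatever subset of channels is enabled, and the helper's int return value is discarded. As far as I know the helper clamps the copy to the scan size and can fail with -ENOMEM when it sizes its bounce buffer, so the call stays in bounds but a failed push is silent. A comment such as `/* pass the whole sample area; the core copies at most scan_bytes */` would document the first point, and capturing the return value before `out:` would cover the second. The handler's body begins outside this hunk.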
diff --git a/queue-6.1/io_uring-poll-ensure-epoll_oneshot-is-propagated-for-epoll_uring_wake.patch b/queue-6.1/io_uring-poll-ensure-epoll_oneshot-is-propagated-for-epoll_uring_wake.patch
new file mode 100644 (file)
index 0000000..36f88f9
--- /dev/null
@@ -0,0 +1,52 @@
+From 1967f0b1cafdde37aa9e08e6021c14bcc484b7a5 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 21 Apr 2026 13:24:33 -0600
+Subject: io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 1967f0b1cafdde37aa9e08e6021c14bcc484b7a5 upstream.
+
+Commit:
+
+aacf2f9f382c ("io_uring: fix req->apoll_events")
+
+fixed an issue where poll->events and req->apoll_events weren't
+synchronized, but then when the commit referenced in Fixes got added,
+it didn't ensure the same thing.
+
+If we mask in EPOLLONESHOT in the regular EPOLL_URING_WAKE path, then
+ensure it's done for both. Including a link to the original report
+below, even though it's mostly nonsense. But it includes a reproducer
+that does show that IORING_CQE_F_MORE is set in the previous CQE,
+while no more CQEs will be generated for this request. Just ignore
+anything that pretends this is security related in any way, it's just
+the typical AI nonsense.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/io-uring/CAM0zi7yQzF3eKncgHo4iVM5yFLAjsiob_ucqyWKs=hyd_GqiMg@mail.gmail.com/
+Reported-by: Azizcan Daştan <azizcan.d@mileniumsec.com>
+Fixes: 4464853277d0 ("io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and wakeups")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/poll.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -451,8 +451,10 @@ static int io_poll_wake(struct wait_queu
+                * disable multishot as there is a circular dependency between
+                * CQ posting and triggering the event.
+                */
+-              if (mask & EPOLL_URING_WAKE)
++              if (mask & EPOLL_URING_WAKE) {
+                       poll->events |= EPOLLONESHOT;
++                      req->apoll_events |= EPOLLONESHOT;
++              }
+               /* optional, saves extra locking for removal in tw handler */
+               if (mask && poll->events & EPOLLONESHOT) {
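Review bot: The added `req->apoll_events |= EPOLLONESHOT;` in io_poll_wake() has no comment saying why two fields carry the same flag, so the pairing is easy to break again, as the commit description says already happened once. Suggest a line above the block such as `/* keep req->apoll_events in sync with poll->events, see aacf2f9f382c */`. The function is only partly visible in this hunk, so whether other writers of poll->events need the same treatment cannot be checked from here.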
diff --git a/queue-6.1/io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch b/queue-6.1/io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch
new file mode 100644 (file)
index 0000000..feb6fd7
--- /dev/null
@@ -0,0 +1,52 @@
+From 326941b22806cbf2df1fbfe902b7908b368cce42 Mon Sep 17 00:00:00 2001
+From: Longxuan Yu <ylong030@ucr.edu>
+Date: Sun, 12 Apr 2026 16:38:20 +0800
+Subject: io_uring/poll: fix signed comparison in io_poll_get_ownership()
+
+From: Longxuan Yu <ylong030@ucr.edu>
+
+commit 326941b22806cbf2df1fbfe902b7908b368cce42 upstream.
+
+io_poll_get_ownership() uses a signed comparison to check whether
+poll_refs has reached the threshold for the slowpath:
+
+    if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
+
+atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG
+(BIT(31)) is set in poll_refs, the value becomes negative in
+signed arithmetic, so the >= 128 comparison always evaluates to
+false and the slowpath is never taken.
+
+Fix this by casting the atomic_read() result to unsigned int
+before the comparison, so that the cancel flag is treated as a
+large positive value and correctly triggers the slowpath.
+
+Fixes: a26a35e9019f ("io_uring: make poll refs more robust")
+Cc: stable@vger.kernel.org
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Signed-off-by: Longxuan Yu <ylong030@ucr.edu>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://patch.msgid.link/3a3508b08bcd7f1bc3beff848ae6e1d73d355043.1775965597.git.ylong030@ucr.edu
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/poll.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -88,7 +88,7 @@ static bool io_poll_get_ownership_slowpa
+  */
+ static inline bool io_poll_get_ownership(struct io_kiocb *req)
+ {
+-      if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
++      if (unlikely((unsigned int)atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
+               return io_poll_get_ownership_slowpath(req);
+       return !(atomic_fetch_inc(&req->poll_refs) & IO_POLL_REF_MASK);
+ }
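Review bot: The `(unsigned int)` cast in io_poll_get_ownership() carries the whole fix but is unexplained at the call site, and an unexplained cast is the kind of thing a later cleanup removes. A one-line comment would pin it: `/* compare unsigned: IO_POLL_CANCEL_FLAG is BIT(31) and makes the int from atomic_read() negative */`. Any other place that compares poll_refs against IO_POLL_REF_BIAS as a signed int would have the same problem; none is visible in this hunk, so the rest of poll.c needs a look.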
diff --git a/queue-6.1/io_uring-timeout-check-unused-sqe-fields.patch b/queue-6.1/io_uring-timeout-check-unused-sqe-fields.patch
new file mode 100644 (file)
index 0000000..5ec2e63
--- /dev/null
@@ -0,0 +1,41 @@
+From 484ae637a3e3d909718de7c07afd3bb34b6b8504 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Mon, 2 Mar 2026 13:10:34 +0000
+Subject: io_uring/timeout: check unused sqe fields
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 484ae637a3e3d909718de7c07afd3bb34b6b8504 upstream.
+
+Zero check unused SQE fields addr3 and pad2 for timeout and timeout
+update requests. They're not needed now, but could be used sometime
+in the future.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/timeout.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/io_uring/timeout.c
++++ b/io_uring/timeout.c
+@@ -394,6 +394,8 @@ int io_timeout_remove_prep(struct io_kio
+       if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
+               return -EINVAL;
++      if (sqe->addr3 || sqe->__pad2[0])
++              return -EINVAL;
+       if (sqe->buf_index || sqe->len || sqe->splice_fd_in)
+               return -EINVAL;
+@@ -466,6 +468,8 @@ static int __io_timeout_prep(struct io_k
+       unsigned flags;
+       u32 off = READ_ONCE(sqe->off);
++      if (sqe->addr3 || sqe->__pad2[0])
++              return -EINVAL;
+       if (sqe->buf_index || sqe->len != 1 || sqe->splice_fd_in)
+               return -EINVAL;
+       if (off && is_timeout_link)
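Review bot: The new `if (sqe->addr3 || sqe->__pad2[0]) return -EINVAL;` checks in io_timeout_remove_prep() and __io_timeout_prep() turn previously accepted submissions into errors, which is a bigger risk in a stable queue than upstream. An application that reuses an SQE without zeroing it and leaves stale bytes in addr3 or the padding worked on the previous 6.1 kernel and would now fail with -EINVAL. The checks also carry no comment; `/* reserved for future use, must be zero */` next to each would record the intent. Both functions are only partly visible here.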
diff --git a/queue-6.1/md-raid10-fix-deadlock-with-check-operation-and-nowait-requests.patch b/queue-6.1/md-raid10-fix-deadlock-with-check-operation-and-nowait-requests.patch
new file mode 100644 (file)
index 0000000..7c8ba5a
--- /dev/null
@@ -0,0 +1,100 @@
+From 7d96f3120a7fb7210d21b520c5b6f495da6ba436 Mon Sep 17 00:00:00 2001
+From: Josh Hunt <johunt@akamai.com>
+Date: Mon, 2 Mar 2026 19:56:19 -0500
+Subject: md/raid10: fix deadlock with check operation and nowait requests
+
+From: Josh Hunt <johunt@akamai.com>
+
+commit 7d96f3120a7fb7210d21b520c5b6f495da6ba436 upstream.
+
+When an array check is running it will raise the barrier at which point
+normal requests will become blocked and increment the nr_pending value to
+signal there is work pending inside of wait_barrier(). NOWAIT requests
+do not block and so will return immediately with an error, and additionally
+do not increment nr_pending in wait_barrier(). Upstream change commit
+43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request") added a
+call to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit
+this condition. raid_end_bio_io() eventually calls allow_barrier() and
+it will unconditionally do an atomic_dec_and_test(&conf->nr_pending) even
+though the corresponding increment on nr_pending didn't happen in the
+NOWAIT case.
+
+This can be easily seen by starting a check operation while an application
+is doing nowait IO on the same array. This results in a deadlocked state
+due to nr_pending value underflowing and so the md resync thread gets stuck
+waiting for nr_pending to == 0.
+
+Output of r10conf state of the array when we hit this condition:
+
+crash> struct r10conf
+       barrier = 1,
+        nr_pending = {
+          counter = -41
+        },
+        nr_waiting = 15,
+        nr_queued = 0,
+
+Example of md_sync thread stuck waiting on raise_barrier() and other
+requests stuck in wait_barrier():
+
+md1_resync
+[<0>] raise_barrier+0xce/0x1c0
+[<0>] raid10_sync_request+0x1ca/0x1ed0
+[<0>] md_do_sync+0x779/0x1110
+[<0>] md_thread+0x90/0x160
+[<0>] kthread+0xbe/0xf0
+[<0>] ret_from_fork+0x34/0x50
+[<0>] ret_from_fork_asm+0x1a/0x30
+
+kworker/u1040:2+flush-253:4
+[<0>] wait_barrier+0x1de/0x220
+[<0>] regular_request_wait+0x30/0x180
+[<0>] raid10_make_request+0x261/0x1000
+[<0>] md_handle_request+0x13b/0x230
+[<0>] __submit_bio+0x107/0x1f0
+[<0>] submit_bio_noacct_nocheck+0x16f/0x390
+[<0>] ext4_io_submit+0x24/0x40
+[<0>] ext4_do_writepages+0x254/0xc80
+[<0>] ext4_writepages+0x84/0x120
+[<0>] do_writepages+0x7a/0x260
+[<0>] __writeback_single_inode+0x3d/0x300
+[<0>] writeback_sb_inodes+0x1dd/0x470
+[<0>] __writeback_inodes_wb+0x4c/0xe0
+[<0>] wb_writeback+0x18b/0x2d0
+[<0>] wb_workfn+0x2a1/0x400
+[<0>] process_one_work+0x149/0x330
+[<0>] worker_thread+0x2d2/0x410
+[<0>] kthread+0xbe/0xf0
+[<0>] ret_from_fork+0x34/0x50
+[<0>] ret_from_fork_asm+0x1a/0x30
+
+Fixes: 43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request")
+Cc: stable@vger.kernel.org
+Signed-off-by: Josh Hunt <johunt@akamai.com>
+Link: https://lore.kernel.org/linux-raid/20260303005619.1352958-1-johunt@akamai.com
+Signed-off-by: Yu Kuai <yukuai@fnnas.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid10.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -1211,7 +1211,7 @@ static void raid10_read_request(struct m
+       }
+       if (!regular_request_wait(mddev, conf, bio, r10_bio->sectors)) {
+-              raid_end_bio_io(r10_bio);
++              free_r10bio(r10_bio);
+               return;
+       }
+@@ -1436,7 +1436,7 @@ static void raid10_write_request(struct
+       sectors = r10_bio->sectors;
+       if (!regular_request_wait(mddev, conf, bio, sectors)) {
+-              raid_end_bio_io(r10_bio);
++              free_r10bio(r10_bio);
+               return;
+       }
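Review bot: After the switch to free_r10bio() in raid10_read_request() and raid10_write_request(), nothing at these two call sites shows who completes the original bio when regular_request_wait() fails. Presumably regular_request_wait() has already ended it on the NOWAIT path, but this patch does not show that. If so, state it where the r10_bio is freed, e.g. `/* bio already ended by regular_request_wait(); nr_pending was not taken, so skip allow_barrier() */`. Without that, the code reads like a lost completion and the next reader may restore raid_end_bio_io(). Both functions extend beyond the hunks.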
diff --git a/queue-6.1/nvme-pci-add-nvme_quirk_disable_write_zeroes-for-kingston-om3sgp4.patch b/queue-6.1/nvme-pci-add-nvme_quirk_disable_write_zeroes-for-kingston-om3sgp4.patch
new file mode 100644 (file)
index 0000000..3377c7d
--- /dev/null
@@ -0,0 +1,41 @@
+From a8eebf9699d69987cc49cec4e4fdb4111ab32423 Mon Sep 17 00:00:00 2001
+From: Robert Beckett <bob.beckett@collabora.com>
+Date: Fri, 20 Mar 2026 19:22:09 +0000
+Subject: nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4
+
+From: Robert Beckett <bob.beckett@collabora.com>
+
+commit a8eebf9699d69987cc49cec4e4fdb4111ab32423 upstream.
+
+The Kingston OM3SGP42048K2-A00 (PCI ID 2646:502f) firmware has a race
+condition when processing concurrent write zeroes and DSM (discard)
+commands, causing spurious "LBA Out of Range" errors and IOMMU page
+faults at address 0x0.
+
+The issue is reliably triggered by running two concurrent mkfs commands
+on different partitions of the same drive, which generates interleaved
+write zeroes and discard operations.
+
+Disable write zeroes for this device, matching the pattern used for
+other Kingston OM* drives that have similar firmware issues.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
+Assisted-by: claude-opus-4-6-v1
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/pci.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -3620,6 +3620,8 @@ static const struct pci_device_id nvme_i
+               .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, },
+       { PCI_DEVICE(0x2646, 0x501E),   /* KINGSTON OM3PGP4xxxxQ OS21011 NVMe SSD */
+               .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, },
++      { PCI_DEVICE(0x2646, 0x502F),   /* KINGSTON OM3SGP4xxxxK NVMe SSD */
++              .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, },
+       { PCI_DEVICE(0x1f40, 0x1202),   /* Netac Technologies Co. NV3000 NVMe SSD */
+               .driver_data = NVME_QUIRK_BOGUS_NID, },
+       { PCI_DEVICE(0x1f40, 0x5236),   /* Netac Technologies Co. NV7000 NVMe SSD */
diff --git a/queue-6.1/nvme-respect-nvme_quirk_disable_write_zeroes-when-wzsl-is-set.patch b/queue-6.1/nvme-respect-nvme_quirk_disable_write_zeroes-when-wzsl-is-set.patch
new file mode 100644 (file)
index 0000000..f5c6188
--- /dev/null
@@ -0,0 +1,41 @@
+From 40f0496b617b431f8d2dd94d7f785c1121f8a68a Mon Sep 17 00:00:00 2001
+From: Robert Beckett <bob.beckett@collabora.com>
+Date: Fri, 20 Mar 2026 19:22:08 +0000
+Subject: nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set
+
+From: Robert Beckett <bob.beckett@collabora.com>
+
+commit 40f0496b617b431f8d2dd94d7f785c1121f8a68a upstream.
+
+The NVM Command Set Identify Controller data may report a non-zero
+Write Zeroes Size Limit (wzsl). When present, nvme_init_non_mdts_limits()
+unconditionally overrides max_zeroes_sectors from wzsl, even if
+NVME_QUIRK_DISABLE_WRITE_ZEROES previously set it to zero.
+
+This effectively re-enables write zeroes for devices that need it
+disabled, defeating the quirk. Several Kingston OM* drives rely on
+this quirk to avoid firmware issues with write zeroes commands.
+
+Check for the quirk before applying the wzsl override.
+
+Fixes: 5befc7c26e5a ("nvme: implement non-mdts command limits")
+Cc: stable@vger.kernel.org
+Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
+Assisted-by: claude-opus-4-6-v1
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3188,7 +3188,7 @@ static int nvme_init_non_mdts_limits(str
+       if (id->dmrl)
+               ctrl->max_discard_segments = id->dmrl;
+       ctrl->dmrsl = le32_to_cpu(id->dmrsl);
+-      if (id->wzsl)
++      if (id->wzsl && !(ctrl->quirks & NVME_QUIRK_DISABLE_WRITE_ZEROES))
+               ctrl->max_zeroes_sectors = nvme_mps_to_sectors(ctrl, id->wzsl);
+ free_data:
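Review bot: The quirk test added to the `id->wzsl` condition in nvme_init_non_mdts_limits() depends on max_zeroes_sectors having been zeroed earlier for quirked controllers, which happens outside this hunk. A comment would make that ordering explicit at the point where it can be undone: `/* a reported wzsl must not re-enable write zeroes on quirked controllers */`. Since only the tail of the function is shown, it is worth checking that no later assignment to max_zeroes_sectors bypasses the quirk in the 6.1 version.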
diff --git a/queue-6.1/parisc-_llseek-syscall-is-only-available-for-32-bit-userspace.patch b/queue-6.1/parisc-_llseek-syscall-is-only-available-for-32-bit-userspace.patch
new file mode 100644 (file)
index 0000000..d36e6e5
--- /dev/null
@@ -0,0 +1,27 @@
+From da3680f564bd787ce974f9931e6e924d908b3b2a Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Tue, 7 Apr 2026 23:56:28 +0200
+Subject: parisc: _llseek syscall is only available for 32-bit userspace
+
+From: Helge Deller <deller@gmx.de>
+
+commit da3680f564bd787ce974f9931e6e924d908b3b2a upstream.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/syscalls/syscall.tbl |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/syscalls/syscall.tbl
++++ b/arch/parisc/kernel/syscalls/syscall.tbl
+@@ -154,7 +154,7 @@
+ # 137 was afs_syscall
+ 138   common  setfsuid                sys_setfsuid
+ 139   common  setfsgid                sys_setfsgid
+-140   common  _llseek                 sys_llseek
++140   32      _llseek                 sys_llseek
+ 141   common  getdents                sys_getdents                    compat_sys_getdents
+ 142   common  _newselect              sys_select                      compat_sys_select
+ 143   common  flock                   sys_flock
diff --git a/queue-6.1/rbd-fix-null-ptr-deref-when-device_add_disk-fails.patch b/queue-6.1/rbd-fix-null-ptr-deref-when-device_add_disk-fails.patch
new file mode 100644 (file)
index 0000000..36cb320
--- /dev/null
@@ -0,0 +1,116 @@
+From d1fef92e414433ca7b89abf85cb0df42b8d475eb Mon Sep 17 00:00:00 2001
+From: Dawei Feng <dawei.feng@seu.edu.cn>
+Date: Sun, 19 Apr 2026 17:03:48 +0800
+Subject: rbd: fix null-ptr-deref when device_add_disk() fails
+
+From: Dawei Feng <dawei.feng@seu.edu.cn>
+
+commit d1fef92e414433ca7b89abf85cb0df42b8d475eb upstream.
+
+do_rbd_add() publishes the device with device_add() before calling
+device_add_disk(). If device_add_disk() fails after device_add()
+succeeds, the error path calls rbd_free_disk() directly and then later
+falls through to rbd_dev_device_release(), which calls rbd_free_disk()
+again. This double teardown can leave blk-mq cleanup operating on
+invalid state and trigger a null-ptr-deref in
+__blk_mq_free_map_and_rqs(), reached from blk_mq_free_tag_set().
+
+Fix this by following the normal remove ordering: call device_del()
+before rbd_dev_device_release() when device_add_disk() fails after
+device_add(). That keeps the teardown sequence consistent and avoids
+re-entering disk cleanup through the wrong path.
+
+The bug was first flagged by an experimental analysis tool we are
+developing for kernel memory-management bugs while analyzing
+v6.13-rc1. The tool is still under development and is not yet publicly
+available.
+
+We reproduced the bug on v7.0 with a real Ceph backend and a QEMU x86_64
+guest booted with KASAN and CONFIG_FAILSLAB enabled. The reproducer
+confines failslab injections to the __add_disk() range and injects
+fail-nth while mapping an RBD image through
+/sys/bus/rbd/add_single_major.
+
+On the unpatched kernel, fail-nth=4 reliably triggered the fault:
+
+       Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
+       KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+       CPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy)
+       Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+       RIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240
+       Code: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 <80> 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00
+       RSP: 0018:ff1100000ab0fac8 EFLAGS: 00000246
+       RAX: dffffc0000000000 RBX: ff1100000c4806a0 RCX: 0000000000000000
+       RDX: 0000000000000002 RSI: 0000000000000000 RDI: ff1100000c4806f4
+       RBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000189001b
+       R10: ff1100000c4800df R11: ff1100006cf37be0 R12: 0000000000000000
+       R13: 0000000000000000 R14: ff1100000c480700 R15: ff1100000c480004
+       FS:  00007f0fbe8fe740(0000) GS:ff110000e5851000(0000) knlGS:0000000000000000
+       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+       CR2: 00007fe53473b2e0 CR3: 0000000012eef000 CR4: 00000000007516f0
+       PKRU: 55555554
+       Call Trace:
+        <TASK>
+        blk_mq_free_tag_set+0x77/0x460
+        do_rbd_add+0x1446/0x2b80
+        ? __pfx_do_rbd_add+0x10/0x10
+        ? lock_acquire+0x18c/0x300
+        ? find_held_lock+0x2b/0x80
+        ? sysfs_file_kobj+0xb6/0x1b0
+        ? __pfx_sysfs_kf_write+0x10/0x10
+        kernfs_fop_write_iter+0x2f4/0x4a0
+        vfs_write+0x98e/0x1000
+        ? expand_files+0x51f/0x850
+        ? __pfx_vfs_write+0x10/0x10
+        ksys_write+0xf2/0x1d0
+        ? __pfx_ksys_write+0x10/0x10
+        do_syscall_64+0x115/0x690
+        entry_SYSCALL_64_after_hwframe+0x77/0x7f
+       RIP: 0033:0x7f0fbea15907
+       Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
+       RSP: 002b:00007ffe22346ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+       RAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f0fbea15907
+       RDX: 0000000000000058 RSI: 0000563ace6c0ef0 RDI: 0000000000000001
+       RBP: 0000563ace6c0ef0 R08: 0000563ace6c0ef0 R09: 6b6435726d694141
+       R10: 5250337279762f78 R11: 0000000000000246 R12: 0000000000000058
+       R13: 00007f0fbeb1c780 R14: ff1100000c480700 R15: ff1100000c480004
+        </TASK>
+
+With this fix applied, rerunning the reproducer over fail-nth=1..256
+yields no KASAN reports.
+
+[ idryomov: rename err_out_device_del -> err_out_device ]
+
+Cc: stable@vger.kernel.org
+Fixes: 27c97abc30e2 ("rbd: add add_disk() error handling")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/rbd.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/rbd.c
++++ b/drivers/block/rbd.c
+@@ -7175,7 +7175,7 @@ static ssize_t do_rbd_add(struct bus_typ
+       rc = device_add_disk(&rbd_dev->dev, rbd_dev->disk, NULL);
+       if (rc)
+-              goto err_out_cleanup_disk;
++              goto err_out_device;
+       spin_lock(&rbd_dev_list_lock);
+       list_add_tail(&rbd_dev->node, &rbd_dev_list);
+@@ -7189,8 +7189,8 @@ out:
+       module_put(THIS_MODULE);
+       return rc;
+-err_out_cleanup_disk:
+-      rbd_free_disk(rbd_dev);
++err_out_device:
++      device_del(&rbd_dev->dev);
+ err_out_image_lock:
+       rbd_dev_image_unlock(rbd_dev);
+       rbd_dev_device_release(rbd_dev);
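Review bot: The new `err_out_device:` label in do_rbd_add() relies on falling through to `err_out_image_lock:` so that rbd_dev_device_release() performs the only disk teardown, and that ordering is stated nowhere in the code. Suggest a comment on the label, e.g. `/* device_add() succeeded: unpublish first, rbd_dev_device_release() below frees the disk */`. With the label renamed, also confirm that no other `goto err_out_cleanup_disk` remains in the 6.1 version of the function, since only part of it is shown here.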
diff --git a/queue-6.1/selftests-mqueue-fix-incorrectly-named-file.patch b/queue-6.1/selftests-mqueue-fix-incorrectly-named-file.patch
new file mode 100644 (file)
index 0000000..95a67fd
--- /dev/null
@@ -0,0 +1,41 @@
+From 64fac99037689020ad97e472ae898e96ea3616dc Mon Sep 17 00:00:00 2001
+From: Simon Liebold <simonlie@amazon.de>
+Date: Thu, 12 Mar 2026 14:02:00 +0000
+Subject: selftests/mqueue: Fix incorrectly named file
+
+From: Simon Liebold <simonlie@amazon.de>
+
+commit 64fac99037689020ad97e472ae898e96ea3616dc upstream.
+
+Commit 85506aca2eb4 ("selftests/mqueue: Set timeout to 180 seconds")
+intended to increase the timeout for mq_perf_tests from the default
+kselftest limit of 45 seconds to 180 seconds.
+
+Unfortunately, the file storing this information was incorrectly named
+`setting` instead of `settings`, causing the kselftest runner not to
+pick up the limit and keep using the default 45 seconds limit.
+
+Fix this by renaming it to `settings` to ensure that the kselftest
+runner uses the increased timeout of 180 seconds for this test.
+
+Fixes: 85506aca2eb4 ("selftests/mqueue: Set timeout to 180 seconds")
+Cc: <stable@vger.kernel.org> # 5.10.y
+Signed-off-by: Simon Liebold <simonlie@amazon.de>
+Link: https://lore.kernel.org/r/20260312140200.2224850-1-simonlie@amazon.de
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/mqueue/{setting => settings} | 0
+ tools/testing/selftests/mqueue/setting  |    1 -
+ tools/testing/selftests/mqueue/settings |    1 +
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+ rename tools/testing/selftests/mqueue/{setting => settings} (100%)
+
+--- a/tools/testing/selftests/mqueue/setting
++++ /dev/null
+@@ -1 +0,0 @@
+-timeout=180
+--- /dev/null
++++ b/tools/testing/selftests/mqueue/settings
+@@ -0,0 +1 @@
++timeout=180
index 08744feb908f556a68c7dc18d24a51ff25eb405d..50536cc6dfd8c2520ba3b08e8286e98ee467aae3 100644 (file)
@@ -194,3 +194,14 @@ ext2-reject-inodes-with-zero-i_nlink-and-valid-mode-in-ext2_iget.patch
 alsa-aoa-i2sbus-fix-of-node-lifetime-handling.patch
 alsa-ctxfi-add-fallback-to-default-rsr-for-s-pdif.patch
 alsa-seq_oss-return-full-count-for-successful-seq_fullsize-writes.patch
+erofs-fix-the-out-of-bounds-nameoff-handling-for-trailing-dirents.patch
+md-raid10-fix-deadlock-with-check-operation-and-nowait-requests.patch
+nvme-pci-add-nvme_quirk_disable_write_zeroes-for-kingston-om3sgp4.patch
+nvme-respect-nvme_quirk_disable_write_zeroes-when-wzsl-is-set.patch
+parisc-_llseek-syscall-is-only-available-for-32-bit-userspace.patch
+selftests-mqueue-fix-incorrectly-named-file.patch
+rbd-fix-null-ptr-deref-when-device_add_disk-fails.patch
+io_uring-timeout-check-unused-sqe-fields.patch
+iio-adc-ti-ads7950-use-iio_push_to_buffers_with_ts_unaligned.patch
+io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch
+io_uring-poll-ensure-epoll_oneshot-is-propagated-for-epoll_uring_wake.patch