6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Dec 2025 14:17:06 +0000 (15:17 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Dec 2025 14:17:06 +0000 (15:17 +0100)
added patches:
char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch
cpufreq-nforce2-fix-reference-count-leak-in-nforce2.patch
cpuidle-governors-teo-drop-misguided-target-residency-check.patch
f2fs-ensure-node-page-reads-complete-before-f2fs_put_super-finishes.patch
f2fs-fix-age-extent-cache-insertion-skip-on-counter-overflow.patch
f2fs-fix-return-value-of-f2fs_recover_fsync_data.patch
f2fs-fix-to-avoid-updating-zero-sized-extent-in-extent-cache.patch
f2fs-invalidate-dentry-cache-on-failed-whiteout-creation.patch
intel_th-fix-error-handling-in-intel_th_output_open.patch
media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch
media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch
nfsd-use-correct-reservation-type-in-nfsd4_scsi_fence_client.patch
phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch
scsi-aic94xx-fix-use-after-free-in-device-removal-path.patch
scsi-revert-scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch
scsi-target-reset-t_task_cdb-pointer-in-error-case.patch
usb-dwc3-keep-susphy-enabled-during-exit-to-avoid-controller-faults.patch
usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch
usb-lpc32xx_udc-fix-error-handling-in-probe.patch
usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch
usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch
usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch
usb-usb-storage-maintain-minimal-modifications-to-the-bcddevice-range.patch

24 files changed:
queue-6.6/char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch [new file with mode: 0644]
queue-6.6/cpufreq-nforce2-fix-reference-count-leak-in-nforce2.patch [new file with mode: 0644]
queue-6.6/cpuidle-governors-teo-drop-misguided-target-residency-check.patch [new file with mode: 0644]
queue-6.6/f2fs-ensure-node-page-reads-complete-before-f2fs_put_super-finishes.patch [new file with mode: 0644]
queue-6.6/f2fs-fix-age-extent-cache-insertion-skip-on-counter-overflow.patch [new file with mode: 0644]
queue-6.6/f2fs-fix-return-value-of-f2fs_recover_fsync_data.patch [new file with mode: 0644]
queue-6.6/f2fs-fix-to-avoid-updating-zero-sized-extent-in-extent-cache.patch [new file with mode: 0644]
queue-6.6/f2fs-invalidate-dentry-cache-on-failed-whiteout-creation.patch [new file with mode: 0644]
queue-6.6/intel_th-fix-error-handling-in-intel_th_output_open.patch [new file with mode: 0644]
queue-6.6/media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch [new file with mode: 0644]
queue-6.6/media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch [new file with mode: 0644]
queue-6.6/nfsd-use-correct-reservation-type-in-nfsd4_scsi_fence_client.patch [new file with mode: 0644]
queue-6.6/phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch [new file with mode: 0644]
queue-6.6/scsi-aic94xx-fix-use-after-free-in-device-removal-path.patch [new file with mode: 0644]
queue-6.6/scsi-revert-scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch [new file with mode: 0644]
queue-6.6/scsi-target-reset-t_task_cdb-pointer-in-error-case.patch [new file with mode: 0644]
queue-6.6/series
queue-6.6/usb-dwc3-keep-susphy-enabled-during-exit-to-avoid-controller-faults.patch [new file with mode: 0644]
queue-6.6/usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch [new file with mode: 0644]
queue-6.6/usb-lpc32xx_udc-fix-error-handling-in-probe.patch [new file with mode: 0644]
queue-6.6/usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch [new file with mode: 0644]
queue-6.6/usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch [new file with mode: 0644]
queue-6.6/usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch [new file with mode: 0644]
queue-6.6/usb-usb-storage-maintain-minimal-modifications-to-the-bcddevice-range.patch [new file with mode: 0644]

diff --git a/queue-6.6/char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch b/queue-6.6/char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch
new file mode 100644 (file)
index 0000000..fe9c288
--- /dev/null
@@ -0,0 +1,46 @@
+From 82d12088c297fa1cef670e1718b3d24f414c23f7 Mon Sep 17 00:00:00 2001
+From: Tianchu Chen <flynnnchen@tencent.com>
+Date: Fri, 28 Nov 2025 15:53:23 +0800
+Subject: char: applicom: fix NULL pointer dereference in ac_ioctl
+
+From: Tianchu Chen <flynnnchen@tencent.com>
+
+commit 82d12088c297fa1cef670e1718b3d24f414c23f7 upstream.
+
+Discovered by Atuin - Automated Vulnerability Discovery Engine.
+
+In ac_ioctl, the validation of IndexCard and the check for a valid
+RamIO pointer are skipped when cmd is 6. However, the function
+unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the
+end.
+
+If cmd is 6, IndexCard may reference a board that does not exist
+(where RamIO is NULL), leading to a NULL pointer dereference.
+
+Fix this by skipping the readb access when cmd is 6, as this
+command is a global information query and does not target a specific
+board context.
+
+Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/20251128155323.a786fde92ebb926cbe96fcb1@linux.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/applicom.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/applicom.c
++++ b/drivers/char/applicom.c
+@@ -836,7 +836,10 @@ static long ac_ioctl(struct file *file,
+               ret = -ENOTTY;
+               break;
+       }
+-      Dummy = readb(apbs[IndexCard].RamIO + VERS);
++
++      if (cmd != 6)
++              Dummy = readb(apbs[IndexCard].RamIO + VERS);
++
+       kfree(adgl);
+       mutex_unlock(&ac_mutex);
+       return ret;
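Review bot: The new `cmd != 6` test in front of the readb() repeats a magic command number whose meaning lives only in the commit message, and the earlier check that lets cmd 6 bypass IndexCard validation is outside this hunk, so the two can drift apart unnoticed. A comment on the new line would tie them together, e.g. `/* cmd 6 is a global query: IndexCard was never validated above, so apbs[IndexCard].RamIO may be NULL */`. The byte read into Dummy is discarded; if the readb() is kept for its hardware side effect, stating that in the same comment would stop someone from removing it as dead code. Whether cmd 6 is the only command that skips the validation cannot be confirmed from the hunk, since ac_ioctl() begins well above it.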
diff --git a/queue-6.6/cpufreq-nforce2-fix-reference-count-leak-in-nforce2.patch b/queue-6.6/cpufreq-nforce2-fix-reference-count-leak-in-nforce2.patch
new file mode 100644 (file)
index 0000000..26c88b3
--- /dev/null
@@ -0,0 +1,55 @@
+From 9600156bb99852c216a2128cdf9f114eb67c350f Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Mon, 27 Oct 2025 23:04:45 +0800
+Subject: cpufreq: nforce2: fix reference count leak in nforce2
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 9600156bb99852c216a2128cdf9f114eb67c350f upstream.
+
+There are two reference count leaks in this driver:
+
+1. In nforce2_fsb_read(): pci_get_subsys() increases the reference count
+   of the PCI device, but pci_dev_put() is never called to release it,
+   thus leaking the reference.
+
+2. In nforce2_detect_chipset(): pci_get_subsys() gets a reference to the
+   nforce2_dev which is stored in a global variable, but the reference
+   is never released when the module is unloaded.
+
+Fix both by:
+- Adding pci_dev_put(nforce2_sub5) in nforce2_fsb_read() after reading
+  the configuration.
+- Adding pci_dev_put(nforce2_dev) in nforce2_exit() to release the
+  global device reference.
+
+Found via static analysis.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cpufreq-nforce2.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/cpufreq/cpufreq-nforce2.c
++++ b/drivers/cpufreq/cpufreq-nforce2.c
+@@ -145,6 +145,8 @@ static unsigned int nforce2_fsb_read(int
+       pci_read_config_dword(nforce2_sub5, NFORCE2_BOOTFSB, &fsb);
+       fsb /= 1000000;
++      pci_dev_put(nforce2_sub5);
++
+       /* Check if PLL register is already set */
+       pci_read_config_byte(nforce2_dev, NFORCE2_PLLENABLE, (u8 *)&temp);
+@@ -432,6 +434,7 @@ static int __init nforce2_init(void)
+ static void __exit nforce2_exit(void)
+ {
+       cpufreq_unregister_driver(&nforce2_driver);
++      pci_dev_put(nforce2_dev);
+ }
+ module_init(nforce2_init);
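Review bot: The `pci_dev_put(nforce2_dev)` added to nforce2_exit() covers the normal unload path only; if nforce2_init() can fail after nforce2_detect_chipset() has stored nforce2_dev (for example when cpufreq_register_driver() returns an error), that path needs the same `pci_dev_put(nforce2_dev);`, which the hunk does not show. nforce2_init()'s body is outside the hunk, so this is inferred from the description rather than seen. In nforce2_fsb_read() the put is placed directly after the last use of nforce2_sub5, which is the right spot; the matching pci_get_subsys() and its NULL check are above the hunk.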
diff --git a/queue-6.6/cpuidle-governors-teo-drop-misguided-target-residency-check.patch b/queue-6.6/cpuidle-governors-teo-drop-misguided-target-residency-check.patch
new file mode 100644 (file)
index 0000000..98f9e45
--- /dev/null
@@ -0,0 +1,55 @@
+From a03b2011808ab02ccb7ab6b573b013b77fbb5921 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Thu, 13 Nov 2025 14:24:31 +0100
+Subject: cpuidle: governors: teo: Drop misguided target residency check
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit a03b2011808ab02ccb7ab6b573b013b77fbb5921 upstream.
+
+When the target residency of the current candidate idle state is
+greater than the expected time till the closest timer (the sleep
+length), it does not matter whether or not the tick has already been
+stopped or if it is going to be stopped.  The closest timer will
+trigger anyway at its due time, so if an idle state with target
+residency above the sleep length is selected, energy will be wasted
+and there may be excess latency.
+
+Of course, if the closest timer were canceled before it could trigger,
+a deeper idle state would be more suitable, but this is not expected
+to happen (generally speaking, hrtimers are not expected to be
+canceled as a rule).
+
+Accordingly, the teo_state_ok() check done in that case causes energy to
+be wasted more often than it allows any energy to be saved (if it allows
+any energy to be saved at all), so drop it and let the governor use the
+teo_find_shallower_state() return value as the new candidate idle state
+index.
+
+Fixes: 21d28cd2fa5f ("cpuidle: teo: Do not call tick_nohz_get_sleep_length() upfront")
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Christian Loehle <christian.loehle@arm.com>
+Tested-by: Christian Loehle <christian.loehle@arm.com>
+Link: https://patch.msgid.link/5955081.DvuYhMxLoT@rafael.j.wysocki
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpuidle/governors/teo.c |    7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/cpuidle/governors/teo.c
++++ b/drivers/cpuidle/governors/teo.c
+@@ -595,11 +595,8 @@ static int teo_select(struct cpuidle_dri
+        * If the closest expected timer is before the terget residency of the
+        * candidate state, a shallower one needs to be found.
+        */
+-      if (drv->states[idx].target_residency_ns > duration_ns) {
+-              i = teo_find_shallower_state(drv, dev, idx, duration_ns, false);
+-              if (teo_state_ok(i, drv))
+-                      idx = i;
+-      }
++      if (drv->states[idx].target_residency_ns > duration_ns)
++              idx = teo_find_shallower_state(drv, dev, idx, duration_ns, false);
+       /*
+        * If the selected state's target residency is below the tick length
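Review bot: The new two-line `if` drops the teo_state_ok() filter without saying why, so a later reader may re-add it as an apparent omission; a comment on the new assignment would protect the change, e.g. `/* The closest timer fires at duration_ns whatever the tick state does, so the shallower state is always the better choice; do not filter it through teo_state_ok(). */`. The context comment just above misspells "target" as "terget" and could be fixed while here. What teo_find_shallower_state() returns when no state qualifies is not visible in the hunk, and teo_select() continues outside it.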
diff --git a/queue-6.6/f2fs-ensure-node-page-reads-complete-before-f2fs_put_super-finishes.patch b/queue-6.6/f2fs-ensure-node-page-reads-complete-before-f2fs_put_super-finishes.patch
new file mode 100644 (file)
index 0000000..84de5ff
--- /dev/null
@@ -0,0 +1,80 @@
+From 297baa4aa263ff8f5b3d246ee16a660d76aa82c4 Mon Sep 17 00:00:00 2001
+From: Jan Prusakowski <jprusakowski@google.com>
+Date: Mon, 6 Oct 2025 10:46:15 +0200
+Subject: f2fs: ensure node page reads complete before f2fs_put_super() finishes
+
+From: Jan Prusakowski <jprusakowski@google.com>
+
+commit 297baa4aa263ff8f5b3d246ee16a660d76aa82c4 upstream.
+
+Xfstests generic/335, generic/336 sometimes crash with the following message:
+
+F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1
+------------[ cut here ]------------
+kernel BUG at fs/f2fs/super.c:1939!
+Oops: invalid opcode: 0000 [#1] SMP NOPTI
+CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G        W           6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none)
+Tainted: [W]=WARN
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+RIP: 0010:f2fs_put_super+0x3b3/0x3c0
+Call Trace:
+ <TASK>
+ generic_shutdown_super+0x7e/0x190
+ kill_block_super+0x1a/0x40
+ kill_f2fs_super+0x9d/0x190
+ deactivate_locked_super+0x30/0xb0
+ cleanup_mnt+0xba/0x150
+ task_work_run+0x5c/0xa0
+ exit_to_user_mode_loop+0xb7/0xc0
+ do_syscall_64+0x1ae/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ </TASK>
+---[ end trace 0000000000000000 ]---
+
+It appears that sometimes it is possible that f2fs_put_super() is called before
+all node page reads are completed.
+Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem.
+
+Cc: stable@kernel.org
+Fixes: 20872584b8c0b ("f2fs: fix to drop all dirty meta/node pages during umount()")
+Signed-off-by: Jan Prusakowski <jprusakowski@google.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/super.c |   17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1637,14 +1637,6 @@ static void f2fs_put_super(struct super_
+               truncate_inode_pages_final(META_MAPPING(sbi));
+       }
+-      for (i = 0; i < NR_COUNT_TYPE; i++) {
+-              if (!get_pages(sbi, i))
+-                      continue;
+-              f2fs_err(sbi, "detect filesystem reference count leak during "
+-                      "umount, type: %d, count: %lld", i, get_pages(sbi, i));
+-              f2fs_bug_on(sbi, 1);
+-      }
+-
+       f2fs_bug_on(sbi, sbi->fsync_node_num);
+       f2fs_destroy_compress_inode(sbi);
+@@ -1655,6 +1647,15 @@ static void f2fs_put_super(struct super_
+       iput(sbi->meta_inode);
+       sbi->meta_inode = NULL;
++      /* Should check the page counts after dropping all node/meta pages */
++      for (i = 0; i < NR_COUNT_TYPE; i++) {
++              if (!get_pages(sbi, i))
++                      continue;
++              f2fs_err(sbi, "detect filesystem reference count leak during "
++                      "umount, type: %d, count: %lld", i, get_pages(sbi, i));
++              f2fs_bug_on(sbi, 1);
++      }
++
+       /*
+        * iput() can update stat information, if f2fs_write_checkpoint()
+        * above failed with error.
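Review bot: The commit message says the fix is a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE, but the two hunks only move the reference-count leak loop after the node/meta iput() calls and add a one-line comment, which the diffstat of 9 insertions and 8 deletions confirms; either the backport dropped the wait call or the description was not adapted for 6.6, and that should be checked against the upstream commit. If moving the loop is the whole intended fix, the added comment could say why the old position fired, presumably because node page reads can still be in flight until iput(sbi->node_inode) has drained them, e.g. `/* Count leaks only after the node/meta inodes are gone: in-flight node page reads may still hold counts before that. */`. The part of f2fs_put_super() between the two hunks is not shown.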
diff --git a/queue-6.6/f2fs-fix-age-extent-cache-insertion-skip-on-counter-overflow.patch b/queue-6.6/f2fs-fix-age-extent-cache-insertion-skip-on-counter-overflow.patch
new file mode 100644 (file)
index 0000000..b19a22f
--- /dev/null
@@ -0,0 +1,143 @@
+From 27bf6a637b7613fc85fa6af468b7d612d78cd5c0 Mon Sep 17 00:00:00 2001
+From: Xiaole He <hexiaole1994@126.com>
+Date: Mon, 27 Oct 2025 17:23:41 +0800
+Subject: f2fs: fix age extent cache insertion skip on counter overflow
+
+From: Xiaole He <hexiaole1994@126.com>
+
+commit 27bf6a637b7613fc85fa6af468b7d612d78cd5c0 upstream.
+
+The age extent cache uses last_blocks (derived from
+allocated_data_blocks) to determine data age. However, there's a
+conflict between the deletion
+marker (last_blocks=0) and legitimate last_blocks=0 cases when
+allocated_data_blocks overflows to 0 after reaching ULLONG_MAX.
+
+In this case, valid extents are incorrectly skipped due to the
+"if (!tei->last_blocks)" check in __update_extent_tree_range().
+
+This patch fixes the issue by:
+1. Reserving ULLONG_MAX as an invalid/deletion marker
+2. Limiting allocated_data_blocks to range [0, ULLONG_MAX-1]
+3. Using F2FS_EXTENT_AGE_INVALID for deletion scenarios
+4. Adjusting overflow age calculation from ULLONG_MAX to (ULLONG_MAX-1)
+
+Reproducer (using a patched kernel with allocated_data_blocks
+initialized to ULLONG_MAX - 3 for quick testing):
+
+Step 1: Mount and check initial state
+  # dd if=/dev/zero of=/tmp/test.img bs=1M count=100
+  # mkfs.f2fs -f /tmp/test.img
+  # mkdir -p /mnt/f2fs_test
+  # mount -t f2fs -o loop,age_extent_cache /tmp/test.img /mnt/f2fs_test
+  # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
+  Allocated Data Blocks: 18446744073709551612 # ULLONG_MAX - 3
+  Inner Struct Count: tree: 1(0), node: 0
+
+Step 2: Create files and write data to trigger overflow
+  # touch /mnt/f2fs_test/{1,2,3,4}.txt; sync
+  # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
+  Allocated Data Blocks: 18446744073709551613 # ULLONG_MAX - 2
+  Inner Struct Count: tree: 5(0), node: 1
+
+  # dd if=/dev/urandom of=/mnt/f2fs_test/1.txt bs=4K count=1; sync
+  # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
+  Allocated Data Blocks: 18446744073709551614 # ULLONG_MAX - 1
+  Inner Struct Count: tree: 5(0), node: 2
+
+  # dd if=/dev/urandom of=/mnt/f2fs_test/2.txt bs=4K count=1; sync
+  # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
+  Allocated Data Blocks: 18446744073709551615 # ULLONG_MAX
+  Inner Struct Count: tree: 5(0), node: 3
+
+  # dd if=/dev/urandom of=/mnt/f2fs_test/3.txt bs=4K count=1; sync
+  # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
+  Allocated Data Blocks: 0 # Counter overflowed!
+  Inner Struct Count: tree: 5(0), node: 4
+
+Step 3: Trigger the bug - next write should create node but gets skipped
+  # dd if=/dev/urandom of=/mnt/f2fs_test/4.txt bs=4K count=1; sync
+  # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
+  Allocated Data Blocks: 1
+  Inner Struct Count: tree: 5(0), node: 4
+
+  Expected: node: 5 (new extent node for 4.txt)
+  Actual: node: 4 (extent insertion was incorrectly skipped due to
+  last_blocks = allocated_data_blocks = 0 in __get_new_block_age)
+
+After this fix, the extent node is correctly inserted and node count
+becomes 5 as expected.
+
+Fixes: 71644dff4811 ("f2fs: add block_age-based extent cache")
+Cc: stable@kernel.org
+Signed-off-by: Xiaole He <hexiaole1994@126.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/extent_cache.c |    5 +++--
+ fs/f2fs/f2fs.h         |    6 ++++++
+ fs/f2fs/segment.c      |    9 +++++++--
+ 3 files changed, 16 insertions(+), 4 deletions(-)
+
+--- a/fs/f2fs/extent_cache.c
++++ b/fs/f2fs/extent_cache.c
+@@ -755,7 +755,7 @@ static void __update_extent_tree_range(s
+       }
+       goto out_read_extent_cache;
+ update_age_extent_cache:
+-      if (!tei->last_blocks)
++      if (tei->last_blocks == F2FS_EXTENT_AGE_INVALID)
+               goto out_read_extent_cache;
+       __set_extent_info(&ei, fofs, len, 0, false,
+@@ -859,7 +859,7 @@ static int __get_new_block_age(struct in
+                       cur_age = cur_blocks - tei.last_blocks;
+               else
+                       /* allocated_data_blocks overflow */
+-                      cur_age = ULLONG_MAX - tei.last_blocks + cur_blocks;
++                      cur_age = (ULLONG_MAX - 1) - tei.last_blocks + cur_blocks;
+               if (tei.age)
+                       ei->age = __calculate_block_age(sbi, cur_age, tei.age);
+@@ -1063,6 +1063,7 @@ void f2fs_update_age_extent_cache_range(
+       struct extent_info ei = {
+               .fofs = fofs,
+               .len = len,
++              .last_blocks = F2FS_EXTENT_AGE_INVALID,
+       };
+       if (!__may_extent_tree(dn->inode, EX_BLOCK_AGE))
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -626,6 +626,12 @@ enum extent_type {
+       NR_EXTENT_CACHES,
+ };
++/*
++ * Reserved value to mark invalid age extents, hence valid block range
++ * from 0 to ULLONG_MAX-1
++ */
++#define F2FS_EXTENT_AGE_INVALID       ULLONG_MAX
++
+ struct extent_info {
+       unsigned int fofs;              /* start offset in a file */
+       unsigned int len;               /* length of the extent */
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -3542,8 +3542,13 @@ skip_new_segment:
+       locate_dirty_segment(sbi, GET_SEGNO(sbi, old_blkaddr));
+       locate_dirty_segment(sbi, GET_SEGNO(sbi, *new_blkaddr));
+-      if (IS_DATASEG(curseg->seg_type))
+-              atomic64_inc(&sbi->allocated_data_blocks);
++      if (IS_DATASEG(curseg->seg_type)) {
++              unsigned long long new_val;
++
++              new_val = atomic64_inc_return(&sbi->allocated_data_blocks);
++              if (unlikely(new_val == ULLONG_MAX))
++                      atomic64_set(&sbi->allocated_data_blocks, 0);
++      }
+       up_write(&sit_i->sentry_lock);
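Review bot: The wrap added in segment.c keeps allocated_data_blocks inside [0, ULLONG_MAX-1] so that ULLONG_MAX can serve as F2FS_EXTENT_AGE_INVALID, but nothing at the reset site says so; a comment such as `/* ULLONG_MAX is reserved as F2FS_EXTENT_AGE_INVALID: wrap to 0 before it can be observed */` would keep the two invariants from drifting apart. With the counter now modulo ULLONG_MAX, the wrapped age in __get_new_block_age() is arguably `cur_blocks - tei.last_blocks + ULLONG_MAX` rather than the `(ULLONG_MAX - 1)` form, i.e. one block short; the original line had the same one-off against 2^64, so it is harmless for an age heuristic but deserves a comment. The increment and the reset are not one atomic step; they appear to sit under sit_i->sentry_lock (the up_write() just below), which is what makes the window safe, and any other writer of allocated_data_blocks outside this hunk would need to respect the same bound.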
diff --git a/queue-6.6/f2fs-fix-return-value-of-f2fs_recover_fsync_data.patch b/queue-6.6/f2fs-fix-return-value-of-f2fs_recover_fsync_data.patch
new file mode 100644 (file)
index 0000000..5a77d6c
--- /dev/null
@@ -0,0 +1,80 @@
+From 01fba45deaddcce0d0b01c411435d1acf6feab7b Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Wed, 5 Nov 2025 14:50:22 +0800
+Subject: f2fs: fix return value of f2fs_recover_fsync_data()
+
+From: Chao Yu <chao@kernel.org>
+
+commit 01fba45deaddcce0d0b01c411435d1acf6feab7b upstream.
+
+With below scripts, it will trigger panic in f2fs:
+
+mkfs.f2fs -f /dev/vdd
+mount /dev/vdd /mnt/f2fs
+touch /mnt/f2fs/foo
+sync
+echo 111 >> /mnt/f2fs/foo
+f2fs_io fsync /mnt/f2fs/foo
+f2fs_io shutdown 2 /mnt/f2fs
+umount /mnt/f2fs
+mount -o ro,norecovery /dev/vdd /mnt/f2fs
+or
+mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs
+
+F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0
+F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f
+F2FS-fs (vdd): Stopped filesystem due to reason: 0
+F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1
+Filesystem f2fs get_tree() didn't set fc->root, returned 1
+------------[ cut here ]------------
+kernel BUG at fs/super.c:1761!
+Oops: invalid opcode: 0000 [#1] SMP PTI
+CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+RIP: 0010:vfs_get_tree.cold+0x18/0x1a
+Call Trace:
+ <TASK>
+ fc_mount+0x13/0xa0
+ path_mount+0x34e/0xc50
+ __x64_sys_mount+0x121/0x150
+ do_syscall_64+0x84/0x800
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+RIP: 0033:0x7fa6cc126cfe
+
+The root cause is we missed to handle error number returned from
+f2fs_recover_fsync_data() when mounting image w/ ro,norecovery or
+ro,disable_roll_forward mount option, result in returning a positive
+error number to vfs_get_tree(), fix it.
+
+Cc: stable@kernel.org
+Fixes: 6781eabba1bd ("f2fs: give -EINVAL for norecovery and rw mount")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/super.c |   14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -4692,11 +4692,15 @@ try_onemore:
+               }
+       } else {
+               err = f2fs_recover_fsync_data(sbi, true);
+-
+-              if (!f2fs_readonly(sb) && err > 0) {
+-                      err = -EINVAL;
+-                      f2fs_err(sbi, "Need to recover fsync data");
+-                      goto free_meta;
++              if (err > 0) {
++                      if (!f2fs_readonly(sb)) {
++                              f2fs_err(sbi, "Need to recover fsync data");
++                              err = -EINVAL;
++                              goto free_meta;
++                      } else {
++                              f2fs_info(sbi, "drop all fsynced data");
++                              err = 0;
++                      }
+               }
+       }
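Review bot: The `else` branch in the new block follows a `goto free_meta`, so it is redundant; kernel style prefers the fall-through form, `if (!f2fs_readonly(sb)) { f2fs_err(...); err = -EINVAL; goto free_meta; }` followed by `f2fs_info(sbi, "drop all fsynced data"); err = 0;` at the outer level. The handling of a negative return from f2fs_recover_fsync_data() is not in the hunk, so whether it is propagated cannot be confirmed here; the enclosing mount function starts and ends outside the hunk.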
diff --git a/queue-6.6/f2fs-fix-to-avoid-updating-zero-sized-extent-in-extent-cache.patch b/queue-6.6/f2fs-fix-to-avoid-updating-zero-sized-extent-in-extent-cache.patch
new file mode 100644 (file)
index 0000000..082dddb
--- /dev/null
@@ -0,0 +1,65 @@
+From 7c37c79510329cd951a4dedf3f7bf7e2b18dccec Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Mon, 20 Oct 2025 10:42:12 +0800
+Subject: f2fs: fix to avoid updating zero-sized extent in extent cache
+
+From: Chao Yu <chao@kernel.org>
+
+commit 7c37c79510329cd951a4dedf3f7bf7e2b18dccec upstream.
+
+As syzbot reported:
+
+F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0]
+------------[ cut here ]------------
+kernel BUG at fs/f2fs/extent_cache.c:678!
+Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
+CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678
+Call Trace:
+ <TASK>
+ f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085
+ f2fs_do_zero_range fs/f2fs/file.c:1657 [inline]
+ f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737
+ f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030
+ vfs_fallocate+0x669/0x7e0 fs/open.c:342
+ ioctl_preallocate fs/ioctl.c:289 [inline]
+ file_ioctl+0x611/0x780 fs/ioctl.c:-1
+ do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576
+ __do_sys_ioctl fs/ioctl.c:595 [inline]
+ __se_sys_ioctl+0x82/0x170 fs/ioctl.c:583
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f07bc58eec9
+
+In error path of f2fs_zero_range(), it may add a zero-sized extent
+into extent cache, it should be avoided.
+
+Fixes: 6e9619499f53 ("f2fs: support in batch fzero in dnode page")
+Cc: stable@kernel.org
+Reported-by: syzbot+24124df3170c3638b35f@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-f2fs-devel/68e5d698.050a0220.256323.0032.GAE@google.com
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/file.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -1584,8 +1584,11 @@ static int f2fs_do_zero_range(struct dno
+               f2fs_set_data_blkaddr(dn, NEW_ADDR);
+       }
+-      f2fs_update_read_extent_cache_range(dn, start, 0, index - start);
+-      f2fs_update_age_extent_cache_range(dn, start, index - start);
++      if (index > start) {
++              f2fs_update_read_extent_cache_range(dn, start, 0,
++                                                      index - start);
++              f2fs_update_age_extent_cache_range(dn, start, index - start);
++      }
+       return ret;
+ }
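Review bot: The new `index > start` guard has no comment saying what it protects against, namely the zero-length extent that trips the f2fs_bug_on in __update_extent_tree_range() when the loop above exits with an error before touching a block; suggest `/* index == start: nothing was zeroed, and a zero-length extent trips __update_extent_tree_range() */`. The loop that advances index and sets ret begins above the hunk, so whether index can ever fall below start is not visible; if both are unsigned, `>` and `!=` differ only in that case, and `>` is the safer of the two.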
diff --git a/queue-6.6/f2fs-invalidate-dentry-cache-on-failed-whiteout-creation.patch b/queue-6.6/f2fs-invalidate-dentry-cache-on-failed-whiteout-creation.patch
new file mode 100644 (file)
index 0000000..61ffe38
--- /dev/null
@@ -0,0 +1,91 @@
+From d33f89b34aa313f50f9a512d58dd288999f246b0 Mon Sep 17 00:00:00 2001
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+Date: Mon, 27 Oct 2025 18:36:34 +0530
+Subject: f2fs: invalidate dentry cache on failed whiteout creation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+commit d33f89b34aa313f50f9a512d58dd288999f246b0 upstream.
+
+F2FS can mount filesystems with corrupted directory depth values that
+get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT
+operations are performed on such directories, f2fs_rename performs
+directory modifications (updating target entry and deleting source
+entry) before attempting to add the whiteout entry via f2fs_add_link.
+
+If f2fs_add_link fails due to the corrupted directory structure, the
+function returns an error to VFS, but the partial directory
+modifications have already been committed to disk. VFS assumes the
+entire rename operation failed and does not update the dentry cache,
+leaving stale mappings.
+
+In the error path, VFS does not call d_move() to update the dentry
+cache. This results in new_dentry still pointing to the old inode
+(new_inode) which has already had its i_nlink decremented to zero.
+The stale cache causes subsequent operations to incorrectly reference
+the freed inode.
+
+This causes subsequent operations to use cached dentry information that
+no longer matches the on-disk state. When a second rename targets the
+same entry, VFS attempts to decrement i_nlink on the stale inode, which
+may already have i_nlink=0, triggering a WARNING in drop_nlink().
+
+Example sequence:
+1. First rename (RENAME_WHITEOUT): file2 → file1
+   - f2fs updates file1 entry on disk (points to inode 8)
+   - f2fs deletes file2 entry on disk
+   - f2fs_add_link(whiteout) fails (corrupted directory)
+   - Returns error to VFS
+   - VFS does not call d_move() due to error
+   - VFS cache still has: file1 → inode 7 (stale!)
+   - inode 7 has i_nlink=0 (already decremented)
+
+2. Second rename: file3 → file1
+   - VFS uses stale cache: file1 → inode 7
+   - Tries to drop_nlink on inode 7 (i_nlink already 0)
+   - WARNING in drop_nlink()
+
+Fix this by explicitly invalidating old_dentry and new_dentry when
+f2fs_add_link fails during whiteout creation. This forces VFS to
+refresh from disk on subsequent operations, ensuring cache consistency
+even when the rename partially succeeds.
+
+Reproducer:
+1. Mount F2FS image with corrupted i_current_depth
+2. renameat2(file2, file1, RENAME_WHITEOUT)
+3. renameat2(file3, file1, 0)
+4. System triggers WARNING in drop_nlink()
+
+Fixes: 7e01e7ad746b ("f2fs: support RENAME_WHITEOUT")
+Reported-by: syzbot+632cf32276a9a564188d@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=632cf32276a9a564188d
+Suggested-by: Chao Yu <chao@kernel.org>
+Link: https://lore.kernel.org/all/20251022233349.102728-1-kartikey406@gmail.com/ [v1]
+Cc: stable@vger.kernel.org
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/namei.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -1044,9 +1044,11 @@ static int f2fs_rename(struct mnt_idmap
+       if (whiteout) {
+               set_inode_flag(whiteout, FI_INC_LINK);
+               err = f2fs_add_link(old_dentry, whiteout);
+-              if (err)
++              if (err) {
++                      d_invalidate(old_dentry);
++                      d_invalidate(new_dentry);
+                       goto put_out_dir;
+-
++              }
+               spin_lock(&whiteout->i_lock);
+               whiteout->i_state &= ~I_LINKABLE;
+               spin_unlock(&whiteout->i_lock);
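Review bot: The two d_invalidate() calls are the only trace in the code that the rename has already been committed on disk by the time f2fs_add_link() fails, and nothing says so; suggest `/* The directory updates above are already on disk: drop the stale dentries so VFS re-reads them instead of reusing new_inode, whose link count is gone. */` above the first d_invalidate(). The put_out_dir label and the whiteout inode's release are outside the hunk, so whether the allocated whiteout is freed on this path cannot be confirmed from here.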
diff --git a/queue-6.6/intel_th-fix-error-handling-in-intel_th_output_open.patch b/queue-6.6/intel_th-fix-error-handling-in-intel_th_output_open.patch
new file mode 100644 (file)
index 0000000..69401b0
--- /dev/null
@@ -0,0 +1,71 @@
+From 6d5925b667e4ed9e77c8278cc215191d29454a3f Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Wed, 12 Nov 2025 17:17:23 +0800
+Subject: intel_th: Fix error handling in intel_th_output_open
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit 6d5925b667e4ed9e77c8278cc215191d29454a3f upstream.
+
+intel_th_output_open() calls bus_find_device_by_devt() which
+internally increments the device reference count via get_device(), but
+this reference is not properly released in several error paths. When
+device driver is unavailable, file operations cannot be obtained, or
+the driver's open method fails, the function returns without calling
+put_device(), leading to a permanent device reference count leak. This
+prevents the device from being properly released and could cause
+resource exhaustion over time.
+
+Found by code review.
+
+Cc: stable <stable@kernel.org>
+Fixes: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Link: https://patch.msgid.link/20251112091723.35963-1-make24@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/intel_th/core.c |   20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+--- a/drivers/hwtracing/intel_th/core.c
++++ b/drivers/hwtracing/intel_th/core.c
+@@ -810,13 +810,17 @@ static int intel_th_output_open(struct i
+       int err;
+       dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev);
+-      if (!dev || !dev->driver)
+-              return -ENODEV;
++      if (!dev || !dev->driver) {
++              err = -ENODEV;
++              goto out_no_device;
++      }
+       thdrv = to_intel_th_driver(dev->driver);
+       fops = fops_get(thdrv->fops);
+-      if (!fops)
+-              return -ENODEV;
++      if (!fops) {
++              err = -ENODEV;
++              goto out_put_device;
++      }
+       replace_fops(file, fops);
+@@ -824,10 +828,16 @@ static int intel_th_output_open(struct i
+       if (file->f_op->open) {
+               err = file->f_op->open(inode, file);
+-              return err;
++              if (err)
++                      goto out_put_device;
+       }
+       return 0;
++
++out_put_device:
++      put_device(dev);
++out_no_device:
++      return err;
+ }
+ static const struct file_operations intel_th_output_fops = {
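Review bot: The `!dev->driver` case of the new `if (!dev || !dev->driver)` block jumps to `out_no_device`, so when bus_find_device_by_devt() returns a device that has no bound driver the reference it took is still never dropped — exactly the leak class this patch sets out to close. Splitting the test keeps the NULL case on `out_no_device` and routes the unbound-driver case through `out_put_device`. intel_th_output_open() begins before the quoted hunk, so the declaration of `dev` is not visible here.
```c
	dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev);
	if (!dev) {
		err = -ENODEV;
		goto out_no_device;
	}
	if (!dev->driver) {
		err = -ENODEV;
		goto out_put_device;
	}
	/* … unchanged: fops lookup, replace_fops(), open call and labels … */
```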
diff --git a/queue-6.6/media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch b/queue-6.6/media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch
new file mode 100644 (file)
index 0000000..22be61b
--- /dev/null
@@ -0,0 +1,38 @@
+From b91e6aafe8d356086cc621bc03e35ba2299e4788 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Mon, 21 Apr 2025 21:52:44 +0900
+Subject: media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit b91e6aafe8d356086cc621bc03e35ba2299e4788 upstream.
+
+rlen value is a user-controlled value, but dtv5100_i2c_msg() does not
+check the size of the rlen value. Therefore, if it is set to a value
+larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data.
+
+Therefore, we need to add proper range checking to prevent this vuln.
+
+Fixes: 60688d5e6e6e ("V4L/DVB (8735): dtv5100: replace dummy frontend by zl10353")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/dvb-usb/dtv5100.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/media/usb/dvb-usb/dtv5100.c
++++ b/drivers/media/usb/dvb-usb/dtv5100.c
+@@ -55,6 +55,11 @@ static int dtv5100_i2c_msg(struct dvb_us
+       }
+       index = (addr << 8) + wbuf[0];
++      if (rlen > sizeof(st->data)) {
++              warn("rlen = %x is too big!\n", rlen);
++              return -EINVAL;
++      }
++
+       memcpy(st->data, rbuf, rlen);
+       msleep(1); /* avoid I2C errors */
+       return usb_control_msg(d->udev, pipe, request,
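Review bot: The new `warn("rlen = %x is too big!\n", rlen)` fires unconditionally on every oversized request, and the commit message states that rlen is user-controlled, so a caller can fill the kernel log at will; either drop the message (the -EINVAL already reports the problem to the caller) or rate-limit it, e.g. `dev_warn_ratelimited(&d->udev->dev, ...)`. The bound check itself is correct provided `rlen` is an unsigned type; its prototype lies above the hunk, so that should be confirmed there. dtv5100_i2c_msg() begins and ends outside the quoted hunk.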
diff --git a/queue-6.6/media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch b/queue-6.6/media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch
new file mode 100644 (file)
index 0000000..28369e1
--- /dev/null
@@ -0,0 +1,34 @@
+From be440980eace19c035a0745fd6b6e42707bc4f49 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.i.king@gmail.com>
+Date: Wed, 3 Sep 2025 09:44:16 +0100
+Subject: media: pvrusb2: Fix incorrect variable used in trace message
+
+From: Colin Ian King <colin.i.king@gmail.com>
+
+commit be440980eace19c035a0745fd6b6e42707bc4f49 upstream.
+
+The pvr2_trace message is reporting an error about control read
+transfers, however it is using the incorrect variable write_len
+instead of read_lean. Fix this by using the correct variable
+read_len.
+
+Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")
+Cc: stable@vger.kernel.org
+Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+@@ -3622,7 +3622,7 @@ static int pvr2_send_request_ex(struct p
+               pvr2_trace(
+                       PVR2_TRACE_ERROR_LEGS,
+                       "Attempted to execute %d byte control-read transfer (limit=%d)",
+-                      write_len,PVR2_CTL_BUFFSIZE);
++                      read_len, PVR2_CTL_BUFFSIZE);
+               return -EINVAL;
+       }
+       if ((!write_len) && (!read_len)) {
diff --git a/queue-6.6/nfsd-use-correct-reservation-type-in-nfsd4_scsi_fence_client.patch b/queue-6.6/nfsd-use-correct-reservation-type-in-nfsd4_scsi_fence_client.patch
new file mode 100644 (file)
index 0000000..2aae27f
--- /dev/null
@@ -0,0 +1,34 @@
+From 6f52063db9aabdaabea929b1e998af98c2e8d917 Mon Sep 17 00:00:00 2001
+From: Dai Ngo <dai.ngo@oracle.com>
+Date: Wed, 5 Nov 2025 12:45:54 -0800
+Subject: NFSD: use correct reservation type in nfsd4_scsi_fence_client
+
+From: Dai Ngo <dai.ngo@oracle.com>
+
+commit 6f52063db9aabdaabea929b1e998af98c2e8d917 upstream.
+
+The reservation type argument for the pr_preempt call should match the
+one used in nfsd4_block_get_device_info_scsi.
+
+Fixes: f99d4fbdae67 ("nfsd: add SCSI layout support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/blocklayout.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/blocklayout.c
++++ b/fs/nfsd/blocklayout.c
+@@ -334,7 +334,8 @@ nfsd4_scsi_fence_client(struct nfs4_layo
+       struct block_device *bdev = ls->ls_file->nf_file->f_path.mnt->mnt_sb->s_bdev;
+       bdev->bd_disk->fops->pr_ops->pr_preempt(bdev, NFSD_MDS_PR_KEY,
+-                      nfsd4_scsi_pr_key(clp), 0, true);
++                      nfsd4_scsi_pr_key(clp),
++                      PR_EXCLUSIVE_ACCESS_REG_ONLY, true);
+ }
+ const struct nfsd4_layout_ops scsi_layout_ops = {
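Review bot: The `pr_preempt()` call at the top of the hunk still discards its return value after the reservation-type change, so a fence that fails (rejected key, unsupported type, transport error) goes unnoticed and the client is treated as fenced while it can still write to the device. If nfsd4_scsi_fence_client() must stay void, at least capture the result in an `int` and report a non-zero value with `pr_warn()`. A one-line comment would also prevent the constant from drifting again: `/* must match the type used in nfsd4_block_get_device_info_scsi() */`. The function's return type is declared before the hunk and is not visible here.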
diff --git a/queue-6.6/phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch b/queue-6.6/phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch
new file mode 100644 (file)
index 0000000..37856b9
--- /dev/null
@@ -0,0 +1,57 @@
+From 356d1924b9a6bc2164ce2bf1fad147b0c37ae085 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Oct 2025 07:45:37 +0200
+Subject: phy: broadcom: bcm63xx-usbh: fix section mismatches
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 356d1924b9a6bc2164ce2bf1fad147b0c37ae085 upstream.
+
+Platform drivers can be probed after their init sections have been
+discarded (e.g. on probe deferral or manual rebind through sysfs) so the
+probe function and match table must not live in init.
+
+Fixes: 783f6d3dcf35 ("phy: bcm63xx-usbh: Add BCM63xx USBH driver")
+Cc: stable@vger.kernel.org     # 5.9
+Cc: Álvaro Fernández Rojas <noltari@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patch.msgid.link/20251017054537.6884-1-johan@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/broadcom/phy-bcm63xx-usbh.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/phy/broadcom/phy-bcm63xx-usbh.c
++++ b/drivers/phy/broadcom/phy-bcm63xx-usbh.c
+@@ -375,7 +375,7 @@ static struct phy *bcm63xx_usbh_phy_xlat
+       return of_phy_simple_xlate(dev, args);
+ }
+-static int __init bcm63xx_usbh_phy_probe(struct platform_device *pdev)
++static int bcm63xx_usbh_phy_probe(struct platform_device *pdev)
+ {
+       struct device *dev = &pdev->dev;
+       struct bcm63xx_usbh_phy *usbh;
+@@ -432,7 +432,7 @@ static int __init bcm63xx_usbh_phy_probe
+       return 0;
+ }
+-static const struct of_device_id bcm63xx_usbh_phy_ids[] __initconst = {
++static const struct of_device_id bcm63xx_usbh_phy_ids[] = {
+       { .compatible = "brcm,bcm6318-usbh-phy", .data = &usbh_bcm6318 },
+       { .compatible = "brcm,bcm6328-usbh-phy", .data = &usbh_bcm6328 },
+       { .compatible = "brcm,bcm6358-usbh-phy", .data = &usbh_bcm6358 },
+@@ -443,7 +443,7 @@ static const struct of_device_id bcm63xx
+ };
+ MODULE_DEVICE_TABLE(of, bcm63xx_usbh_phy_ids);
+-static struct platform_driver bcm63xx_usbh_phy_driver __refdata = {
++static struct platform_driver bcm63xx_usbh_phy_driver = {
+       .driver = {
+               .name = "bcm63xx-usbh-phy",
+               .of_match_table = bcm63xx_usbh_phy_ids,
diff --git a/queue-6.6/scsi-aic94xx-fix-use-after-free-in-device-removal-path.patch b/queue-6.6/scsi-aic94xx-fix-use-after-free-in-device-removal-path.patch
new file mode 100644 (file)
index 0000000..c21ba11
--- /dev/null
@@ -0,0 +1,43 @@
+From f6ab594672d4cba08540919a4e6be2e202b60007 Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Wed, 29 Oct 2025 00:29:04 +0800
+Subject: scsi: aic94xx: fix use-after-free in device removal path
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit f6ab594672d4cba08540919a4e6be2e202b60007 upstream.
+
+The asd_pci_remove() function fails to synchronize with pending tasklets
+before freeing the asd_ha structure, leading to a potential
+use-after-free vulnerability.
+
+When a device removal is triggered (via hot-unplug or module unload),
+race condition can occur.
+
+The fix adds tasklet_kill() before freeing the asd_ha structure,
+ensuring all scheduled tasklets complete before cleanup proceeds.
+
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Reported-by: Junrui Luo <moonafterrain@outlook.com>
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/ME2PR01MB3156AB7DCACA206C845FC7E8AFFDA@ME2PR01MB3156.ausprd01.prod.outlook.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/aic94xx/aic94xx_init.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/aic94xx/aic94xx_init.c
++++ b/drivers/scsi/aic94xx/aic94xx_init.c
+@@ -896,6 +896,9 @@ static void asd_pci_remove(struct pci_de
+       asd_disable_ints(asd_ha);
++      /* Ensure all scheduled tasklets complete before freeing resources */
++      tasklet_kill(&asd_ha->seq.dl_tasklet);
++
+       asd_remove_dev_attrs(asd_ha);
+       /* XXX more here as needed */
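Review bot: The new `tasklet_kill(&asd_ha->seq.dl_tasklet)` is only a complete fix if nothing can re-schedule the tasklet afterwards; `asd_disable_ints()` on the preceding line masks the controller, but if the IRQ line is released later in asd_pci_remove() (not visible in this hunk) a shared or spurious interrupt arriving in between could re-arm the tasklet after it was killed. If that ordering holds, move the tasklet_kill() after the free_irq() call, or extend the added comment to state why masking the controller is sufficient, e.g. `/* ints are masked above, so the tasklet cannot be re-armed once killed */`. asd_pci_remove() begins and ends outside the hunk.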
diff --git a/queue-6.6/scsi-revert-scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch b/queue-6.6/scsi-revert-scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch
new file mode 100644 (file)
index 0000000..2f4e5ed
--- /dev/null
@@ -0,0 +1,92 @@
+From b57fbc88715b6d18f379463f48a15b560b087ffe Mon Sep 17 00:00:00 2001
+From: Tony Battersby <tonyb@cybernetics.com>
+Date: Mon, 10 Nov 2025 10:47:35 -0500
+Subject: scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
+
+From: Tony Battersby <tonyb@cybernetics.com>
+
+commit b57fbc88715b6d18f379463f48a15b560b087ffe upstream.
+
+This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.
+
+The commit being reverted added code to __qla2x00_abort_all_cmds() to
+call sp->done() without holding a spinlock.  But unlike the older code
+below it, this new code failed to check sp->cmd_type and just assumed
+TYPE_SRB, which results in a jump to an invalid pointer in target-mode
+with TYPE_TGT_CMD:
+
+qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success
+  0000000009f7a79b
+qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h
+  mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.
+qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer
+qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event
+  0x8002 occurred
+qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -
+  ha=0000000058183fda.
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+PF: supervisor instruction fetch in kernel mode
+PF: error_code(0x0010) - not-present page
+PGD 0 P4D 0
+Oops: 0010 [#1] SMP
+CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G           O       6.1.133 #1
+Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023
+RIP: 0010:0x0
+Code: Unable to access opcode bytes at 0xffffffffffffffd6.
+RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206
+RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000
+RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0
+RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045
+R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40
+R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400
+FS:  0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ ? __die+0x4d/0x8b
+ ? page_fault_oops+0x91/0x180
+ ? trace_buffer_unlock_commit_regs+0x38/0x1a0
+ ? exc_page_fault+0x391/0x5e0
+ ? asm_exc_page_fault+0x22/0x30
+ __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]
+ qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]
+ qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]
+ qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]
+ qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]
+ kthread+0xa8/0xd0
+ </TASK>
+
+Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within
+lock") added the spinlock back, because not having the lock caused a
+race and a crash.  But qla2x00_abort_srb() in the switch below already
+checks for qla2x00_chip_is_down() and handles it the same way, so the
+code above the switch is now redundant and still buggy in target-mode.
+Remove it.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
+Link: https://patch.msgid.link/3a8022dc-bcfd-4b01-9f9b-7a9ec61fa2a3@cybernetics.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c |    6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -1874,12 +1874,6 @@ __qla2x00_abort_all_cmds(struct qla_qpai
+       for (cnt = 1; cnt < req->num_outstanding_cmds; cnt++) {
+               sp = req->outstanding_cmds[cnt];
+               if (sp) {
+-                      if (qla2x00_chip_is_down(vha)) {
+-                              req->outstanding_cmds[cnt] = NULL;
+-                              sp->done(sp, res);
+-                              continue;
+-                      }
+-
+                       switch (sp->cmd_type) {
+                       case TYPE_SRB:
+                               qla2x00_abort_srb(qp, sp, res, &flags);
diff --git a/queue-6.6/scsi-target-reset-t_task_cdb-pointer-in-error-case.patch b/queue-6.6/scsi-target-reset-t_task_cdb-pointer-in-error-case.patch
new file mode 100644 (file)
index 0000000..91f3f0f
--- /dev/null
@@ -0,0 +1,38 @@
+From 5053eab38a4c4543522d0c320c639c56a8b59908 Mon Sep 17 00:00:00 2001
+From: Andrey Vatoropin <a.vatoropin@crpt.ru>
+Date: Tue, 18 Nov 2025 08:42:31 +0000
+Subject: scsi: target: Reset t_task_cdb pointer in error case
+
+From: Andrey Vatoropin <a.vatoropin@crpt.ru>
+
+commit 5053eab38a4c4543522d0c320c639c56a8b59908 upstream.
+
+If allocation of cmd->t_task_cdb fails, it remains NULL but is later
+dereferenced in the 'err' path.
+
+In case of error, reset NULL t_task_cdb value to point at the default
+fixed-size buffer.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 9e95fb805dc0 ("scsi: target: Fix NULL pointer dereference")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru>
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Link: https://patch.msgid.link/20251118084014.324940-1-a.vatoropin@crpt.ru
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_transport.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1524,6 +1524,7 @@ target_cmd_init_cdb(struct se_cmd *cmd,
+       if (scsi_command_size(cdb) > sizeof(cmd->__t_task_cdb)) {
+               cmd->t_task_cdb = kzalloc(scsi_command_size(cdb), gfp);
+               if (!cmd->t_task_cdb) {
++                      cmd->t_task_cdb = &cmd->__t_task_cdb[0];
+                       pr_err("Unable to allocate cmd->t_task_cdb"
+                               " %u > sizeof(cmd->__t_task_cdb): %lu ops\n",
+                               scsi_command_size(cdb),
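Review bot: The new `cmd->t_task_cdb = &cmd->__t_task_cdb[0];` has no comment, and a later reader could take it for a partial fallback and try to use the inline buffer for the oversized CDB; say explicitly that it only exists so the error path can dereference the pointer, e.g. `/* restore the inline buffer so the err path can safely use t_task_cdb */`. As an aside, the adjacent pr_err() prints a sizeof() with `%lu`, where `%zu` is the portable specifier, though that line predates this change. target_cmd_init_cdb() and its err label lie outside the hunk.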
index 803e4162e711afec8972ba8ef58fd2a9093f1df2..9909cbb1d74a7ea7610ada5ccc549fea9297758d 100644 (file)
@@ -428,3 +428,26 @@ jbd2-use-a-weaker-annotation-in-journal-handling.patch
 media-v4l2-mem2mem-fix-outdated-documentation.patch
 mptcp-schedule-rtx-timer-only-after-pushing-data.patch
 mptcp-avoid-deadlock-on-fallback-while-reinjecting.patch
+usb-usb-storage-maintain-minimal-modifications-to-the-bcddevice-range.patch
+media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch
+media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch
+phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch
+usb-lpc32xx_udc-fix-error-handling-in-probe.patch
+usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch
+usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch
+usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch
+usb-dwc3-keep-susphy-enabled-during-exit-to-avoid-controller-faults.patch
+usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch
+char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch
+intel_th-fix-error-handling-in-intel_th_output_open.patch
+cpuidle-governors-teo-drop-misguided-target-residency-check.patch
+cpufreq-nforce2-fix-reference-count-leak-in-nforce2.patch
+scsi-revert-scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch
+scsi-aic94xx-fix-use-after-free-in-device-removal-path.patch
+nfsd-use-correct-reservation-type-in-nfsd4_scsi_fence_client.patch
+scsi-target-reset-t_task_cdb-pointer-in-error-case.patch
+f2fs-ensure-node-page-reads-complete-before-f2fs_put_super-finishes.patch
+f2fs-fix-to-avoid-updating-zero-sized-extent-in-extent-cache.patch
+f2fs-invalidate-dentry-cache-on-failed-whiteout-creation.patch
+f2fs-fix-age-extent-cache-insertion-skip-on-counter-overflow.patch
+f2fs-fix-return-value-of-f2fs_recover_fsync_data.patch
diff --git a/queue-6.6/usb-dwc3-keep-susphy-enabled-during-exit-to-avoid-controller-faults.patch b/queue-6.6/usb-dwc3-keep-susphy-enabled-during-exit-to-avoid-controller-faults.patch
new file mode 100644 (file)
index 0000000..577dbc2
--- /dev/null
@@ -0,0 +1,53 @@
+From e1003aa7ec9eccdde4c926bd64ef42816ad55f25 Mon Sep 17 00:00:00 2001
+From: Udipto Goswami <udipto.goswami@oss.qualcomm.com>
+Date: Wed, 26 Nov 2025 11:12:21 +0530
+Subject: usb: dwc3: keep susphy enabled during exit to avoid controller faults
+
+From: Udipto Goswami <udipto.goswami@oss.qualcomm.com>
+
+commit e1003aa7ec9eccdde4c926bd64ef42816ad55f25 upstream.
+
+On some platforms, switching USB roles from host to device can trigger
+controller faults due to premature PHY power-down. This occurs when the
+PHY is disabled too early during teardown, causing synchronization
+issues between the PHY and controller.
+
+Keep susphy enabled during dwc3_host_exit() and dwc3_gadget_exit()
+ensures the PHY remains in a low-power state capable of handling
+required commands during role switch.
+
+Cc: stable <stable@kernel.org>
+Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init")
+Suggested-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Signed-off-by: Udipto Goswami <udipto.goswami@oss.qualcomm.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://patch.msgid.link/20251126054221.120638-1-udipto.goswami@oss.qualcomm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/gadget.c |    2 +-
+ drivers/usb/dwc3/host.c   |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -4807,7 +4807,7 @@ void dwc3_gadget_exit(struct dwc3 *dwc)
+       if (!dwc->gadget)
+               return;
+-      dwc3_enable_susphy(dwc, false);
++      dwc3_enable_susphy(dwc, true);
+       usb_del_gadget(dwc->gadget);
+       dwc3_gadget_free_endpoints(dwc);
+       usb_put_gadget(dwc->gadget);
+--- a/drivers/usb/dwc3/host.c
++++ b/drivers/usb/dwc3/host.c
+@@ -168,7 +168,7 @@ void dwc3_host_exit(struct dwc3 *dwc)
+       if (dwc->sys_wakeup)
+               device_init_wakeup(&dwc->xhci->dev, false);
+-      dwc3_enable_susphy(dwc, false);
++      dwc3_enable_susphy(dwc, true);
+       platform_device_unregister(dwc->xhci);
+       dwc->xhci = NULL;
+ }
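Review bot: Both `dwc3_enable_susphy(dwc, true)` lines flip the argument without a comment, and on an exit path a reader will naturally expect the PHY to be powered down, so the reason belongs next to each call rather than only in the commit message. Suggested comment for both sites: `/* keep susphy on during teardown: suspending the PHY early can fault the controller on a role switch */`. Both dwc3_gadget_exit() and dwc3_host_exit() begin before their quoted hunks.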
diff --git a/queue-6.6/usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch b/queue-6.6/usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch
new file mode 100644 (file)
index 0000000..d832e43
--- /dev/null
@@ -0,0 +1,56 @@
+From 3b4961313d31e200c9e974bb1536cdea217f78b5 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Thu, 11 Dec 2025 10:49:36 +0400
+Subject: usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 3b4961313d31e200c9e974bb1536cdea217f78b5 upstream.
+
+When clk_bulk_prepare_enable() fails, the error path jumps to
+err_resetc_assert, skipping clk_bulk_put_all() and leaking the
+clock references acquired by clk_bulk_get_all().
+
+Add err_clk_put_all label to properly release clock resources
+in all error paths.
+
+Found via static analysis and code review.
+
+Fixes: c0c61471ef86 ("usb: dwc3: of-simple: Convert to bulk clk API")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://patch.msgid.link/20251211064937.2360510-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/dwc3-of-simple.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/dwc3/dwc3-of-simple.c
++++ b/drivers/usb/dwc3/dwc3-of-simple.c
+@@ -71,11 +71,11 @@ static int dwc3_of_simple_probe(struct p
+       simple->num_clocks = ret;
+       ret = clk_bulk_prepare_enable(simple->num_clocks, simple->clks);
+       if (ret)
+-              goto err_resetc_assert;
++              goto err_clk_put_all;
+       ret = of_platform_populate(np, NULL, NULL, dev);
+       if (ret)
+-              goto err_clk_put;
++              goto err_clk_disable;
+       pm_runtime_set_active(dev);
+       pm_runtime_enable(dev);
+@@ -83,8 +83,9 @@ static int dwc3_of_simple_probe(struct p
+       return 0;
+-err_clk_put:
++err_clk_disable:
+       clk_bulk_disable_unprepare(simple->num_clocks, simple->clks);
++err_clk_put_all:
+       clk_bulk_put_all(simple->num_clocks, simple->clks);
+ err_resetc_assert:
diff --git a/queue-6.6/usb-lpc32xx_udc-fix-error-handling-in-probe.patch b/queue-6.6/usb-lpc32xx_udc-fix-error-handling-in-probe.patch
new file mode 100644 (file)
index 0000000..ba0575f
--- /dev/null
@@ -0,0 +1,100 @@
+From c84117912bddd9e5d87e68daf182410c98181407 Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Mon, 15 Dec 2025 10:09:31 +0800
+Subject: USB: lpc32xx_udc: Fix error handling in probe
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit c84117912bddd9e5d87e68daf182410c98181407 upstream.
+
+lpc32xx_udc_probe() acquires an i2c_client reference through
+isp1301_get_client() but fails to release it in both error handling
+paths and the normal removal path. This could result in a reference
+count leak for the I2C device, preventing proper cleanup and potentially
+leading to resource exhaustion. Add put_device() to release the
+reference in the probe failure path and in the remove function.
+
+Calling path: isp1301_get_client() -> of_find_i2c_device_by_node() ->
+i2c_find_device_by_fwnode(). As comments of i2c_find_device_by_fwnode()
+says, 'The user must call put_device(&client->dev) once done with the
+i2c client.'
+
+Found by code review.
+
+Cc: stable <stable@kernel.org>
+Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Link: https://patch.msgid.link/20251215020931.15324-1-make24@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/lpc32xx_udc.c |   21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
++++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
+@@ -3027,7 +3027,7 @@ static int lpc32xx_udc_probe(struct plat
+       pdev->dev.dma_mask = &lpc32xx_usbd_dmamask;
+       retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
+       if (retval)
+-              return retval;
++              goto i2c_fail;
+       udc->board = &lpc32xx_usbddata;
+@@ -3045,28 +3045,32 @@ static int lpc32xx_udc_probe(struct plat
+       /* Get IRQs */
+       for (i = 0; i < 4; i++) {
+               udc->udp_irq[i] = platform_get_irq(pdev, i);
+-              if (udc->udp_irq[i] < 0)
+-                      return udc->udp_irq[i];
++              if (udc->udp_irq[i] < 0) {
++                      retval = udc->udp_irq[i];
++                      goto i2c_fail;
++              }
+       }
+       udc->udp_baseaddr = devm_platform_ioremap_resource(pdev, 0);
+       if (IS_ERR(udc->udp_baseaddr)) {
+               dev_err(udc->dev, "IO map failure\n");
+-              return PTR_ERR(udc->udp_baseaddr);
++              retval = PTR_ERR(udc->udp_baseaddr);
++              goto i2c_fail;
+       }
+       /* Get USB device clock */
+       udc->usb_slv_clk = devm_clk_get(&pdev->dev, NULL);
+       if (IS_ERR(udc->usb_slv_clk)) {
+               dev_err(udc->dev, "failed to acquire USB device clock\n");
+-              return PTR_ERR(udc->usb_slv_clk);
++              retval = PTR_ERR(udc->usb_slv_clk);
++              goto i2c_fail;
+       }
+       /* Enable USB device clock */
+       retval = clk_prepare_enable(udc->usb_slv_clk);
+       if (retval < 0) {
+               dev_err(udc->dev, "failed to start USB device clock\n");
+-              return retval;
++              goto i2c_fail;
+       }
+       /* Setup deferred workqueue data */
+@@ -3168,6 +3172,8 @@ dma_alloc_fail:
+       dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
+                         udc->udca_v_base, udc->udca_p_base);
+ i2c_fail:
++      if (udc->isp1301_i2c_client)
++              put_device(&udc->isp1301_i2c_client->dev);
+       clk_disable_unprepare(udc->usb_slv_clk);
+       dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval);
+@@ -3193,6 +3199,9 @@ static int lpc32xx_udc_remove(struct pla
+       dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
+                         udc->udca_v_base, udc->udca_p_base);
++      if (udc->isp1301_i2c_client)
++              put_device(&udc->isp1301_i2c_client->dev);
++
+       clk_disable_unprepare(udc->usb_slv_clk);
+       return 0;
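Review bot: Every `goto i2c_fail` added before the clock is enabled (the dma_set_coherent_mask, platform_get_irq, ioremap, devm_clk_get and clk_prepare_enable failures) now reaches `clk_disable_unprepare(udc->usb_slv_clk)` under the `i2c_fail` label without a matching clk_prepare_enable(); for the clk_prepare_enable() failure this is an unbalanced disable of a valid clock, which the clk core warns about, and the earlier paths merely rely on clk_disable_unprepare() tolerating a NULL or ERR_PTR clock. A second label placed after the clock release, which only drops the I2C reference, fixes this with those five gotos retargeted to it; the label name below is constructed. lpc32xx_udc_probe() and the labels preceding dma_alloc_fail are outside the hunk.
```c
i2c_fail:
	clk_disable_unprepare(udc->usb_slv_clk);
i2c_put:	/* constructed label: failures before clk_prepare_enable() jump here */
	if (udc->isp1301_i2c_client)
		put_device(&udc->isp1301_i2c_client->dev);
	dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval);
	/* … unchanged: return retval and lpc32xx_udc_remove() … */
```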
diff --git a/queue-6.6/usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch b/queue-6.6/usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch
new file mode 100644 (file)
index 0000000..ea81e32
--- /dev/null
@@ -0,0 +1,52 @@
+From 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f Mon Sep 17 00:00:00 2001
+From: Duoming Zhou <duoming@zju.edu.cn>
+Date: Fri, 5 Dec 2025 11:48:31 +0800
+Subject: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+commit 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f upstream.
+
+The delayed work item otg_event is initialized in fsl_otg_conf() and
+scheduled under two conditions:
+1. When a host controller binds to the OTG controller.
+2. When the USB ID pin state changes (cable insertion/removal).
+
+A race condition occurs when the device is removed via fsl_otg_remove():
+the fsl_otg instance may be freed while the delayed work is still pending
+or executing. This leads to use-after-free when the work function
+fsl_otg_event() accesses the already freed memory.
+
+The problematic scenario:
+
+(detach thread)            | (delayed work)
+fsl_otg_remove()           |
+  kfree(fsl_otg_dev) //FREE| fsl_otg_event()
+                           |   og = container_of(...) //USE
+                           |   og-> //USE
+
+Fix this by calling disable_delayed_work_sync() in fsl_otg_remove()
+before deallocating the fsl_otg structure. This ensures the delayed work
+is properly canceled and completes execution prior to memory deallocation.
+
+This bug was identified through static analysis.
+
+Fixes: 0807c500a1a6 ("USB: add Freescale USB OTG Transceiver driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Link: https://patch.msgid.link/20251205034831.12846-1-duoming@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/phy/phy-fsl-usb.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/phy/phy-fsl-usb.c
++++ b/drivers/usb/phy/phy-fsl-usb.c
+@@ -987,6 +987,7 @@ static void fsl_otg_remove(struct platfo
+ {
+       struct fsl_usb2_platform_data *pdata = dev_get_platdata(&pdev->dev);
++      disable_delayed_work_sync(&fsl_otg_dev->otg_event);
+       usb_remove_phy(&fsl_otg_dev->phy);
+       free_irq(fsl_otg_dev->irq, fsl_otg_dev);
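Review bot: `disable_delayed_work_sync()` in the new line is a workqueue API that appears to be newer than the 6.6 base this queue targets, so confirm the 6.6 tree actually provides it before this lands; if it does not, the backport needs `cancel_delayed_work_sync(&fsl_otg_dev->otg_event)` instead. Because cancel does not prevent the work from being re-armed, that variant should sit after the `free_irq()` at the end of the hunk so the interrupt handler can no longer schedule it, and a comment should say so. fsl_otg_remove() continues past the hunk.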
diff --git a/queue-6.6/usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch b/queue-6.6/usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch
new file mode 100644 (file)
index 0000000..396937f
--- /dev/null
@@ -0,0 +1,48 @@
+From b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 18 Dec 2025 16:35:16 +0100
+Subject: usb: phy: isp1301: fix non-OF device reference imbalance
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 upstream.
+
+A recent change fixing a device reference leak in a UDC driver
+introduced a potential use-after-free in the non-OF case as the
+isp1301_get_client() helper only increases the reference count for the
+returned I2C device in the OF case.
+
+Increment the reference count also for non-OF so that the caller can
+decrement it unconditionally.
+
+Note that this is inherently racy just as using the returned I2C device
+is since nothing is preventing the PHY driver from being unbound while
+in use.
+
+Fixes: c84117912bdd ("USB: lpc32xx_udc: Fix error handling in probe")
+Cc: stable@vger.kernel.org
+Cc: Ma Ke <make24@iscas.ac.cn>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
+Link: https://patch.msgid.link/20251218153519.19453-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/phy/phy-isp1301.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/phy/phy-isp1301.c
++++ b/drivers/usb/phy/phy-isp1301.c
+@@ -149,7 +149,12 @@ struct i2c_client *isp1301_get_client(st
+               return client;
+       /* non-DT: only one ISP1301 chip supported */
+-      return isp1301_i2c_client;
++      if (isp1301_i2c_client) {
++              get_device(&isp1301_i2c_client->dev);
++              return isp1301_i2c_client;
++      }
++
++      return NULL;
+ }
+ EXPORT_SYMBOL_GPL(isp1301_get_client);
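Review bot: The non-OF branch reads the global `isp1301_i2c_client` three times — in the NULL test, in `get_device()` and in the return — so if the PHY's remove path clears that global between the test and the dereference (the commit message itself calls this path inherently racy), `get_device()` is handed a pointer derived from NULL rather than a valid device. Snapshotting the global once, e.g. `struct i2c_client *nondt = READ_ONCE(isp1301_i2c_client);` followed by `if (nondt) { get_device(&nondt->dev); return nondt; }`, does not close the unbind race the message acknowledges, but it makes the check and the reference taken refer to the same object. The function also now returns a referenced device on every non-NULL path, and nothing above the hunk states that; a comment on the declaration such as `/* Returns an i2c_client with an elevated device reference; the caller must put_device(&client->dev) when done. */` would make the ownership contract explicit for the UDC callers the fix is meant to protect. isp1301_get_client()'s signature and its OF branch lie outside the hunk.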
diff --git a/queue-6.6/usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch b/queue-6.6/usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch
new file mode 100644 (file)
index 0000000..3166d37
--- /dev/null
@@ -0,0 +1,38 @@
+From 36cc7e09df9e43db21b46519b740145410dd9f4a Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Thu, 4 Dec 2025 21:21:29 +0800
+Subject: usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit 36cc7e09df9e43db21b46519b740145410dd9f4a upstream.
+
+usbhsp_get_pipe() set pipe's flags to IS_USED. In error paths,
+usbhsp_put_pipe() is required to clear pipe's flags to prevent
+pipe exhaustion.
+
+Fixes: f1407d5c6624 ("usb: renesas_usbhs: Add Renesas USBHS common code")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Link: https://patch.msgid.link/20251204132129.109234-1-haoxiang_li2024@163.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/renesas_usbhs/pipe.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/renesas_usbhs/pipe.c
++++ b/drivers/usb/renesas_usbhs/pipe.c
+@@ -713,11 +713,13 @@ struct usbhs_pipe *usbhs_pipe_malloc(str
+       /* make sure pipe is not busy */
+       ret = usbhsp_pipe_barrier(pipe);
+       if (ret < 0) {
++              usbhsp_put_pipe(pipe);
+               dev_err(dev, "pipe setup failed %d\n", usbhs_pipe_number(pipe));
+               return NULL;
+       }
+       if (usbhsp_setup_pipecfg(pipe, is_host, dir_in, &pipecfg)) {
++              usbhsp_put_pipe(pipe);
+               dev_err(dev, "can't setup pipe\n");
+               return NULL;
+       }
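Review bot: In the first new error path the pipe is released with `usbhsp_put_pipe(pipe)` before the `dev_err()` that follows still reads it via `usbhs_pipe_number(pipe)`, so the error is logged after the pipe has already been handed back to the pool; per the commit message the release only clears the IS_USED flag, so this is not a use-after-free, but logging first keeps the report and the release in the conventional order, e.g. `dev_err(dev, "pipe setup failed %d\n", usbhs_pipe_number(pipe)); usbhsp_put_pipe(pipe); return NULL;`. The second path has the same put-then-log ordering and would read better with the same swap. usbhs_pipe_malloc() begins before and continues after this hunk, so any other early return between usbhsp_get_pipe() and the pipe being fully configured would need the same `usbhsp_put_pipe()`; whether any exist cannot be confirmed from the hunk.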
diff --git a/queue-6.6/usb-usb-storage-maintain-minimal-modifications-to-the-bcddevice-range.patch b/queue-6.6/usb-usb-storage-maintain-minimal-modifications-to-the-bcddevice-range.patch
new file mode 100644 (file)
index 0000000..8030611
--- /dev/null
@@ -0,0 +1,31 @@
+From 0831269b5f71594882accfceb02638124f88955d Mon Sep 17 00:00:00 2001
+From: Chen Changcheng <chenchangcheng@kylinos.cn>
+Date: Thu, 18 Dec 2025 09:23:18 +0800
+Subject: usb: usb-storage: Maintain minimal modifications to the bcdDevice range.
+
+From: Chen Changcheng <chenchangcheng@kylinos.cn>
+
+commit 0831269b5f71594882accfceb02638124f88955d upstream.
+
+We cannot determine which models require the NO_ATA_1X and
+IGNORE_RESIDUE quirks aside from the EL-R12 optical drive device.
+
+Fixes: 955a48a5353f ("usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.")
+Signed-off-by: Chen Changcheng <chenchangcheng@kylinos.cn>
+Link: https://patch.msgid.link/20251218012318.15978-1-chenchangcheng@kylinos.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/unusual_uas.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -98,7 +98,7 @@ UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x01
+               US_FL_NO_ATA_1X),
+ /* Reported-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> */
+-UNUSUAL_DEV(0x13fd, 0x3940, 0x0309, 0x0309,
++UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x0309,
+               "Initio Corporation",
+               "INIC-3069",
+               USB_SC_DEVICE, USB_PR_DEVICE, NULL,