--- /dev/null
+From 82d12088c297fa1cef670e1718b3d24f414c23f7 Mon Sep 17 00:00:00 2001
+From: Tianchu Chen <flynnnchen@tencent.com>
+Date: Fri, 28 Nov 2025 15:53:23 +0800
+Subject: char: applicom: fix NULL pointer dereference in ac_ioctl
+
+From: Tianchu Chen <flynnnchen@tencent.com>
+
+commit 82d12088c297fa1cef670e1718b3d24f414c23f7 upstream.
+
+Discovered by Atuin - Automated Vulnerability Discovery Engine.
+
+In ac_ioctl, the validation of IndexCard and the check for a valid
+RamIO pointer are skipped when cmd is 6. However, the function
+unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the
+end.
+
+If cmd is 6, IndexCard may reference a board that does not exist
+(where RamIO is NULL), leading to a NULL pointer dereference.
+
+Fix this by skipping the readb access when cmd is 6, as this
+command is a global information query and does not target a specific
+board context.
+
+Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/20251128155323.a786fde92ebb926cbe96fcb1@linux.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/applicom.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/applicom.c
++++ b/drivers/char/applicom.c
+@@ -835,7 +835,10 @@ static long ac_ioctl(struct file *file,
+ ret = -ENOTTY;
+ break;
+ }
+- Dummy = readb(apbs[IndexCard].RamIO + VERS);
++
++ if (cmd != 6)
++ Dummy = readb(apbs[IndexCard].RamIO + VERS);
++
+ kfree(adgl);
+ mutex_unlock(&ac_mutex);
+ return ret;
--- /dev/null
+From 9600156bb99852c216a2128cdf9f114eb67c350f Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Mon, 27 Oct 2025 23:04:45 +0800
+Subject: cpufreq: nforce2: fix reference count leak in nforce2
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 9600156bb99852c216a2128cdf9f114eb67c350f upstream.
+
+There are two reference count leaks in this driver:
+
+1. In nforce2_fsb_read(): pci_get_subsys() increases the reference count
+ of the PCI device, but pci_dev_put() is never called to release it,
+ thus leaking the reference.
+
+2. In nforce2_detect_chipset(): pci_get_subsys() gets a reference to the
+ nforce2_dev which is stored in a global variable, but the reference
+ is never released when the module is unloaded.
+
+Fix both by:
+- Adding pci_dev_put(nforce2_sub5) in nforce2_fsb_read() after reading
+ the configuration.
+- Adding pci_dev_put(nforce2_dev) in nforce2_exit() to release the
+ global device reference.
+
+Found via static analysis.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cpufreq-nforce2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/cpufreq/cpufreq-nforce2.c
++++ b/drivers/cpufreq/cpufreq-nforce2.c
+@@ -145,6 +145,8 @@ static unsigned int nforce2_fsb_read(int
+ pci_read_config_dword(nforce2_sub5, NFORCE2_BOOTFSB, &fsb);
+ fsb /= 1000000;
+
++ pci_dev_put(nforce2_sub5);
++
+ /* Check if PLL register is already set */
+ pci_read_config_byte(nforce2_dev, NFORCE2_PLLENABLE, (u8 *)&temp);
+
+@@ -426,6 +428,7 @@ static int __init nforce2_init(void)
+ static void __exit nforce2_exit(void)
+ {
+ cpufreq_unregister_driver(&nforce2_driver);
++ pci_dev_put(nforce2_dev);
+ }
+
+ module_init(nforce2_init);
--- /dev/null
+From a03b2011808ab02ccb7ab6b573b013b77fbb5921 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Thu, 13 Nov 2025 14:24:31 +0100
+Subject: cpuidle: governors: teo: Drop misguided target residency check
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit a03b2011808ab02ccb7ab6b573b013b77fbb5921 upstream.
+
+When the target residency of the current candidate idle state is
+greater than the expected time till the closest timer (the sleep
+length), it does not matter whether or not the tick has already been
+stopped or if it is going to be stopped. The closest timer will
+trigger anyway at its due time, so if an idle state with target
+residency above the sleep length is selected, energy will be wasted
+and there may be excess latency.
+
+Of course, if the closest timer were canceled before it could trigger,
+a deeper idle state would be more suitable, but this is not expected
+to happen (generally speaking, hrtimers are not expected to be
+canceled as a rule).
+
+Accordingly, the teo_state_ok() check done in that case causes energy to
+be wasted more often than it allows any energy to be saved (if it allows
+any energy to be saved at all), so drop it and let the governor use the
+teo_find_shallower_state() return value as the new candidate idle state
+index.
+
+Fixes: 21d28cd2fa5f ("cpuidle: teo: Do not call tick_nohz_get_sleep_length() upfront")
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Christian Loehle <christian.loehle@arm.com>
+Tested-by: Christian Loehle <christian.loehle@arm.com>
+Link: https://patch.msgid.link/5955081.DvuYhMxLoT@rafael.j.wysocki
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpuidle/governors/teo.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/cpuidle/governors/teo.c
++++ b/drivers/cpuidle/governors/teo.c
+@@ -458,11 +458,8 @@ static int teo_select(struct cpuidle_dri
+ * If the closest expected timer is before the target residency of the
+ * candidate state, a shallower one needs to be found.
+ */
+- if (drv->states[idx].target_residency_ns > duration_ns) {
+- i = teo_find_shallower_state(drv, dev, idx, duration_ns, false);
+- if (teo_state_ok(i, drv))
+- idx = i;
+- }
++ if (drv->states[idx].target_residency_ns > duration_ns)
++ idx = teo_find_shallower_state(drv, dev, idx, duration_ns, false);
+
+ /*
+ * If the selected state's target residency is below the tick length
--- /dev/null
+From 4d4e746aa9f0f07261dcb41e4f51edb98723dcaa Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Date: Fri, 14 Nov 2025 11:05:05 +0000
+Subject: dt-bindings: slimbus: fix warning from example
+
+From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+
+commit 4d4e746aa9f0f07261dcb41e4f51edb98723dcaa upstream.
+
+Fix below warnings generated dt_bindings_check for examples in the
+bindings.
+
+Documentation/devicetree/bindings/slimbus/slimbus.example.dtb:
+slim@28080000 (qcom,slim-ngd-v1.5.0): 'audio-codec@1,0' does not match
+any of the regexes: '^pinctrl-[0-9]+$', '^slim@[0-9a-f]+$'
+ from schema $id:
+http://devicetree.org/schemas/slimbus/qcom,slim-ngd.yaml#
+Documentation/devicetree/bindings/slimbus/slimbus.example.dtb:
+slim@28080000 (qcom,slim-ngd-v1.5.0): #address-cells: 1 was expected
+ from schema $id:
+http://devicetree.org/schemas/slimbus/qcom,slim-ngd.yaml#
+Documentation/devicetree/bindings/slimbus/slimbus.example.dtb:
+slim@28080000 (qcom,slim-ngd-v1.5.0): 'dmas' is a required property
+ from schema $id:
+http://devicetree.org/schemas/slimbus/qcom,slim-ngd.yaml#
+Documentation/devicetree/bindings/slimbus/slimbus.example.dtb:
+slim@28080000 (qcom,slim-ngd-v1.5.0): 'dma-names' is a required
+property
+ from schema $id:
+http://devicetree.org/schemas/slimbus/qcom,slim-ngd.yaml#
+
+Fixes: 7cbba32a2d62 ("slimbus: qcom: remove unused qcom controller driver")
+Cc: stable <stable@kernel.org>
+Reported-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Acked-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20251114110505.143105-1-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ .../devicetree/bindings/slimbus/slimbus.yaml | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/slimbus/slimbus.yaml b/Documentation/devicetree/bindings/slimbus/slimbus.yaml
+index 89017d9cda10..5a941610ce4e 100644
+--- a/Documentation/devicetree/bindings/slimbus/slimbus.yaml
++++ b/Documentation/devicetree/bindings/slimbus/slimbus.yaml
+@@ -75,16 +75,22 @@ examples:
+ #size-cells = <1>;
+ ranges;
+
+- slim@28080000 {
++ controller@28080000 {
+ compatible = "qcom,slim-ngd-v1.5.0";
+ reg = <0x091c0000 0x2c000>;
+ interrupts = <GIC_SPI 163 IRQ_TYPE_LEVEL_HIGH>;
+- #address-cells = <2>;
++ dmas = <&slimbam 3>, <&slimbam 4>;
++ dma-names = "rx", "tx";
++ #address-cells = <1>;
+ #size-cells = <0>;
+-
+- audio-codec@1,0 {
++ slim@1 {
++ reg = <1>;
++ #address-cells = <2>;
++ #size-cells = <0>;
++ codec@1,0 {
+ compatible = "slim217,1a0";
+ reg = <1 0>;
++ };
+ };
++ };
+ };
+- };
+--
+2.52.0
+
--- /dev/null
+From 297baa4aa263ff8f5b3d246ee16a660d76aa82c4 Mon Sep 17 00:00:00 2001
+From: Jan Prusakowski <jprusakowski@google.com>
+Date: Mon, 6 Oct 2025 10:46:15 +0200
+Subject: f2fs: ensure node page reads complete before f2fs_put_super() finishes
+
+From: Jan Prusakowski <jprusakowski@google.com>
+
+commit 297baa4aa263ff8f5b3d246ee16a660d76aa82c4 upstream.
+
+Xfstests generic/335, generic/336 sometimes crash with the following message:
+
+F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1
+------------[ cut here ]------------
+kernel BUG at fs/f2fs/super.c:1939!
+Oops: invalid opcode: 0000 [#1] SMP NOPTI
+CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none)
+Tainted: [W]=WARN
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+RIP: 0010:f2fs_put_super+0x3b3/0x3c0
+Call Trace:
+ <TASK>
+ generic_shutdown_super+0x7e/0x190
+ kill_block_super+0x1a/0x40
+ kill_f2fs_super+0x9d/0x190
+ deactivate_locked_super+0x30/0xb0
+ cleanup_mnt+0xba/0x150
+ task_work_run+0x5c/0xa0
+ exit_to_user_mode_loop+0xb7/0xc0
+ do_syscall_64+0x1ae/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ </TASK>
+---[ end trace 0000000000000000 ]---
+
+It appears that sometimes it is possible that f2fs_put_super() is called before
+all node page reads are completed.
+Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem.
+
+Cc: stable@kernel.org
+Fixes: 20872584b8c0b ("f2fs: fix to drop all dirty meta/node pages during umount()")
+Signed-off-by: Jan Prusakowski <jprusakowski@google.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/super.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1988,14 +1988,6 @@ static void f2fs_put_super(struct super_
+ truncate_inode_pages_final(META_MAPPING(sbi));
+ }
+
+- for (i = 0; i < NR_COUNT_TYPE; i++) {
+- if (!get_pages(sbi, i))
+- continue;
+- f2fs_err(sbi, "detect filesystem reference count leak during "
+- "umount, type: %d, count: %lld", i, get_pages(sbi, i));
+- f2fs_bug_on(sbi, 1);
+- }
+-
+ f2fs_bug_on(sbi, sbi->fsync_node_num);
+
+ f2fs_destroy_compress_inode(sbi);
+@@ -2006,6 +1998,15 @@ static void f2fs_put_super(struct super_
+ iput(sbi->meta_inode);
+ sbi->meta_inode = NULL;
+
++ /* Should check the page counts after dropping all node/meta pages */
++ for (i = 0; i < NR_COUNT_TYPE; i++) {
++ if (!get_pages(sbi, i))
++ continue;
++ f2fs_err(sbi, "detect filesystem reference count leak during "
++ "umount, type: %d, count: %lld", i, get_pages(sbi, i));
++ f2fs_bug_on(sbi, 1);
++ }
++
+ /*
+ * iput() can update stat information, if f2fs_write_checkpoint()
+ * above failed with error.
--- /dev/null
+From 27bf6a637b7613fc85fa6af468b7d612d78cd5c0 Mon Sep 17 00:00:00 2001
+From: Xiaole He <hexiaole1994@126.com>
+Date: Mon, 27 Oct 2025 17:23:41 +0800
+Subject: f2fs: fix age extent cache insertion skip on counter overflow
+
+From: Xiaole He <hexiaole1994@126.com>
+
+commit 27bf6a637b7613fc85fa6af468b7d612d78cd5c0 upstream.
+
+The age extent cache uses last_blocks (derived from
+allocated_data_blocks) to determine data age. However, there's a
+conflict between the deletion
+marker (last_blocks=0) and legitimate last_blocks=0 cases when
+allocated_data_blocks overflows to 0 after reaching ULLONG_MAX.
+
+In this case, valid extents are incorrectly skipped due to the
+"if (!tei->last_blocks)" check in __update_extent_tree_range().
+
+This patch fixes the issue by:
+1. Reserving ULLONG_MAX as an invalid/deletion marker
+2. Limiting allocated_data_blocks to range [0, ULLONG_MAX-1]
+3. Using F2FS_EXTENT_AGE_INVALID for deletion scenarios
+4. Adjusting overflow age calculation from ULLONG_MAX to (ULLONG_MAX-1)
+
+Reproducer (using a patched kernel with allocated_data_blocks
+initialized to ULLONG_MAX - 3 for quick testing):
+
+Step 1: Mount and check initial state
+ # dd if=/dev/zero of=/tmp/test.img bs=1M count=100
+ # mkfs.f2fs -f /tmp/test.img
+ # mkdir -p /mnt/f2fs_test
+ # mount -t f2fs -o loop,age_extent_cache /tmp/test.img /mnt/f2fs_test
+ # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
+ Allocated Data Blocks: 18446744073709551612 # ULLONG_MAX - 3
+ Inner Struct Count: tree: 1(0), node: 0
+
+Step 2: Create files and write data to trigger overflow
+ # touch /mnt/f2fs_test/{1,2,3,4}.txt; sync
+ # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
+ Allocated Data Blocks: 18446744073709551613 # ULLONG_MAX - 2
+ Inner Struct Count: tree: 5(0), node: 1
+
+ # dd if=/dev/urandom of=/mnt/f2fs_test/1.txt bs=4K count=1; sync
+ # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
+ Allocated Data Blocks: 18446744073709551614 # ULLONG_MAX - 1
+ Inner Struct Count: tree: 5(0), node: 2
+
+ # dd if=/dev/urandom of=/mnt/f2fs_test/2.txt bs=4K count=1; sync
+ # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
+ Allocated Data Blocks: 18446744073709551615 # ULLONG_MAX
+ Inner Struct Count: tree: 5(0), node: 3
+
+ # dd if=/dev/urandom of=/mnt/f2fs_test/3.txt bs=4K count=1; sync
+ # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
+ Allocated Data Blocks: 0 # Counter overflowed!
+ Inner Struct Count: tree: 5(0), node: 4
+
+Step 3: Trigger the bug - next write should create node but gets skipped
+ # dd if=/dev/urandom of=/mnt/f2fs_test/4.txt bs=4K count=1; sync
+ # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
+ Allocated Data Blocks: 1
+ Inner Struct Count: tree: 5(0), node: 4
+
+ Expected: node: 5 (new extent node for 4.txt)
+ Actual: node: 4 (extent insertion was incorrectly skipped due to
+ last_blocks = allocated_data_blocks = 0 in __get_new_block_age)
+
+After this fix, the extent node is correctly inserted and node count
+becomes 5 as expected.
+
+Fixes: 71644dff4811 ("f2fs: add block_age-based extent cache")
+Cc: stable@kernel.org
+Signed-off-by: Xiaole He <hexiaole1994@126.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/extent_cache.c | 5 +++--
+ fs/f2fs/f2fs.h | 6 ++++++
+ fs/f2fs/segment.c | 9 +++++++--
+ 3 files changed, 16 insertions(+), 4 deletions(-)
+
+--- a/fs/f2fs/extent_cache.c
++++ b/fs/f2fs/extent_cache.c
+@@ -808,7 +808,7 @@ static void __update_extent_tree_range(s
+ }
+ goto out_read_extent_cache;
+ update_age_extent_cache:
+- if (!tei->last_blocks)
++ if (tei->last_blocks == F2FS_EXTENT_AGE_INVALID)
+ goto out_read_extent_cache;
+
+ __set_extent_info(&ei, fofs, len, 0, false,
+@@ -912,7 +912,7 @@ static int __get_new_block_age(struct in
+ cur_age = cur_blocks - tei.last_blocks;
+ else
+ /* allocated_data_blocks overflow */
+- cur_age = ULLONG_MAX - tei.last_blocks + cur_blocks;
++ cur_age = (ULLONG_MAX - 1) - tei.last_blocks + cur_blocks;
+
+ if (tei.age)
+ ei->age = __calculate_block_age(sbi, cur_age, tei.age);
+@@ -1114,6 +1114,7 @@ void f2fs_update_age_extent_cache_range(
+ struct extent_info ei = {
+ .fofs = fofs,
+ .len = len,
++ .last_blocks = F2FS_EXTENT_AGE_INVALID,
+ };
+
+ if (!__may_extent_tree(dn->inode, EX_BLOCK_AGE))
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -708,6 +708,12 @@ enum extent_type {
+ NR_EXTENT_CACHES,
+ };
+
++/*
++ * Reserved value to mark invalid age extents, hence valid block range
++ * from 0 to ULLONG_MAX-1
++ */
++#define F2FS_EXTENT_AGE_INVALID ULLONG_MAX
++
+ struct extent_info {
+ unsigned int fofs; /* start offset in a file */
+ unsigned int len; /* length of the extent */
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -3881,8 +3881,13 @@ skip_new_segment:
+ locate_dirty_segment(sbi, GET_SEGNO(sbi, old_blkaddr));
+ locate_dirty_segment(sbi, GET_SEGNO(sbi, *new_blkaddr));
+
+- if (IS_DATASEG(curseg->seg_type))
+- atomic64_inc(&sbi->allocated_data_blocks);
++ if (IS_DATASEG(curseg->seg_type)) {
++ unsigned long long new_val;
++
++ new_val = atomic64_inc_return(&sbi->allocated_data_blocks);
++ if (unlikely(new_val == ULLONG_MAX))
++ atomic64_set(&sbi->allocated_data_blocks, 0);
++ }
+
+ up_write(&sit_i->sentry_lock);
+
--- /dev/null
+From 01fba45deaddcce0d0b01c411435d1acf6feab7b Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Wed, 5 Nov 2025 14:50:22 +0800
+Subject: f2fs: fix return value of f2fs_recover_fsync_data()
+
+From: Chao Yu <chao@kernel.org>
+
+commit 01fba45deaddcce0d0b01c411435d1acf6feab7b upstream.
+
+With below scripts, it will trigger panic in f2fs:
+
+mkfs.f2fs -f /dev/vdd
+mount /dev/vdd /mnt/f2fs
+touch /mnt/f2fs/foo
+sync
+echo 111 >> /mnt/f2fs/foo
+f2fs_io fsync /mnt/f2fs/foo
+f2fs_io shutdown 2 /mnt/f2fs
+umount /mnt/f2fs
+mount -o ro,norecovery /dev/vdd /mnt/f2fs
+or
+mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs
+
+F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0
+F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f
+F2FS-fs (vdd): Stopped filesystem due to reason: 0
+F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1
+Filesystem f2fs get_tree() didn't set fc->root, returned 1
+------------[ cut here ]------------
+kernel BUG at fs/super.c:1761!
+Oops: invalid opcode: 0000 [#1] SMP PTI
+CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+RIP: 0010:vfs_get_tree.cold+0x18/0x1a
+Call Trace:
+ <TASK>
+ fc_mount+0x13/0xa0
+ path_mount+0x34e/0xc50
+ __x64_sys_mount+0x121/0x150
+ do_syscall_64+0x84/0x800
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+RIP: 0033:0x7fa6cc126cfe
+
+The root cause is we missed to handle error number returned from
+f2fs_recover_fsync_data() when mounting image w/ ro,norecovery or
+ro,disable_roll_forward mount option, result in returning a positive
+error number to vfs_get_tree(), fix it.
+
+Cc: stable@kernel.org
+Fixes: 6781eabba1bd ("f2fs: give -EINVAL for norecovery and rw mount")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/super.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -5203,11 +5203,15 @@ try_onemore:
+ }
+ } else {
+ err = f2fs_recover_fsync_data(sbi, true);
+-
+- if (!f2fs_readonly(sb) && err > 0) {
+- err = -EINVAL;
+- f2fs_err(sbi, "Need to recover fsync data");
+- goto free_meta;
++ if (err > 0) {
++ if (!f2fs_readonly(sb)) {
++ f2fs_err(sbi, "Need to recover fsync data");
++ err = -EINVAL;
++ goto free_meta;
++ } else {
++ f2fs_info(sbi, "drop all fsynced data");
++ err = 0;
++ }
+ }
+ }
+
--- /dev/null
+From ca8b201f28547e28343a6f00a6e91fa8c09572fe Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Tue, 14 Oct 2025 19:47:35 +0800
+Subject: f2fs: fix to avoid potential deadlock
+
+From: Chao Yu <chao@kernel.org>
+
+commit ca8b201f28547e28343a6f00a6e91fa8c09572fe upstream.
+
+As Jiaming Zhang and syzbot reported, there is potential deadlock in
+f2fs as below:
+
+Chain exists of:
+ &sbi->cp_rwsem --> fs_reclaim --> sb_internal#2
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ rlock(sb_internal#2);
+ lock(fs_reclaim);
+ lock(sb_internal#2);
+ rlock(&sbi->cp_rwsem);
+
+ *** DEADLOCK ***
+
+3 locks held by kswapd0/73:
+ #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:7015 [inline]
+ #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x951/0x2800 mm/vmscan.c:7389
+ #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_trylock_shared fs/super.c:562 [inline]
+ #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_cache_scan+0x91/0x4b0 fs/super.c:197
+ #2: ffff888011840610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x8d9/0x1b60 fs/f2fs/inode.c:890
+
+stack backtrace:
+CPU: 0 UID: 0 PID: 73 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
+ print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043
+ check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175
+ check_prev_add kernel/locking/lockdep.c:3165 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3284 [inline]
+ validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908
+ __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
+ lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
+ down_read+0x46/0x2e0 kernel/locking/rwsem.c:1537
+ f2fs_down_read fs/f2fs/f2fs.h:2278 [inline]
+ f2fs_lock_op fs/f2fs/f2fs.h:2357 [inline]
+ f2fs_do_truncate_blocks+0x21c/0x10c0 fs/f2fs/file.c:791
+ f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:867
+ f2fs_truncate+0x489/0x7c0 fs/f2fs/file.c:925
+ f2fs_evict_inode+0x9f2/0x1b60 fs/f2fs/inode.c:897
+ evict+0x504/0x9c0 fs/inode.c:810
+ f2fs_evict_inode+0x1dc/0x1b60 fs/f2fs/inode.c:853
+ evict+0x504/0x9c0 fs/inode.c:810
+ dispose_list fs/inode.c:852 [inline]
+ prune_icache_sb+0x21b/0x2c0 fs/inode.c:1000
+ super_cache_scan+0x39b/0x4b0 fs/super.c:224
+ do_shrink_slab+0x6ef/0x1110 mm/shrinker.c:437
+ shrink_slab_memcg mm/shrinker.c:550 [inline]
+ shrink_slab+0x7ef/0x10d0 mm/shrinker.c:628
+ shrink_one+0x28a/0x7c0 mm/vmscan.c:4955
+ shrink_many mm/vmscan.c:5016 [inline]
+ lru_gen_shrink_node mm/vmscan.c:5094 [inline]
+ shrink_node+0x315d/0x3780 mm/vmscan.c:6081
+ kswapd_shrink_node mm/vmscan.c:6941 [inline]
+ balance_pgdat mm/vmscan.c:7124 [inline]
+ kswapd+0x147c/0x2800 mm/vmscan.c:7389
+ kthread+0x70e/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+ </TASK>
+
+The root cause is deadlock among four locks as below:
+
+kswapd
+- fs_reclaim --- Lock A
+ - shrink_one
+ - evict
+ - f2fs_evict_inode
+ - sb_start_intwrite --- Lock B
+
+- iput
+ - evict
+ - f2fs_evict_inode
+ - sb_start_intwrite --- Lock B
+ - f2fs_truncate
+ - f2fs_truncate_blocks
+ - f2fs_do_truncate_blocks
+ - f2fs_lock_op --- Lock C
+
+ioctl
+- f2fs_ioc_commit_atomic_write
+ - f2fs_lock_op --- Lock C
+ - __f2fs_commit_atomic_write
+ - __replace_atomic_write_block
+ - f2fs_get_dnode_of_data
+ - __get_node_folio
+ - f2fs_check_nid_range
+ - f2fs_handle_error
+ - f2fs_record_errors
+ - f2fs_down_write --- Lock D
+
+open
+- do_open
+ - do_truncate
+ - security_inode_need_killpriv
+ - f2fs_getxattr
+ - lookup_all_xattrs
+ - f2fs_handle_error
+ - f2fs_record_errors
+ - f2fs_down_write --- Lock D
+ - f2fs_commit_super
+ - read_mapping_folio
+ - filemap_alloc_folio_noprof
+ - prepare_alloc_pages
+ - fs_reclaim_acquire --- Lock A
+
+In order to avoid such deadlock, we need to avoid grabbing sb_lock in
+f2fs_handle_error(), so, let's use asynchronous method instead:
+- remove f2fs_handle_error() implementation
+- rename f2fs_handle_error_async() to f2fs_handle_error()
+- spread f2fs_handle_error()
+
+Fixes: 95fa90c9e5a7 ("f2fs: support recording errors into superblock")
+Cc: stable@kernel.org
+Reported-by: syzbot+14b90e1156b9f6fc1266@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-f2fs-devel/68eae49b.050a0220.ac43.0001.GAE@google.com
+Reported-by: Jiaming Zhang <r772577952@gmail.com>
+Closes: https://lore.kernel.org/lkml/CANypQFa-Gy9sD-N35o3PC+FystOWkNuN8pv6S75HLT0ga-Tzgw@mail.gmail.com
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/compress.c | 5 +----
+ fs/f2fs/f2fs.h | 1 -
+ fs/f2fs/super.c | 41 -----------------------------------------
+ 3 files changed, 1 insertion(+), 46 deletions(-)
+
+--- a/fs/f2fs/compress.c
++++ b/fs/f2fs/compress.c
+@@ -759,10 +759,7 @@ void f2fs_decompress_cluster(struct deco
+ ret = -EFSCORRUPTED;
+
+ /* Avoid f2fs_commit_super in irq context */
+- if (!in_task)
+- f2fs_handle_error_async(sbi, ERROR_FAIL_DECOMPRESSION);
+- else
+- f2fs_handle_error(sbi, ERROR_FAIL_DECOMPRESSION);
++ f2fs_handle_error(sbi, ERROR_FAIL_DECOMPRESSION);
+ goto out_release;
+ }
+
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -3812,7 +3812,6 @@ void f2fs_quota_off_umount(struct super_
+ void f2fs_save_errors(struct f2fs_sb_info *sbi, unsigned char flag);
+ void f2fs_handle_critical_error(struct f2fs_sb_info *sbi, unsigned char reason);
+ void f2fs_handle_error(struct f2fs_sb_info *sbi, unsigned char error);
+-void f2fs_handle_error_async(struct f2fs_sb_info *sbi, unsigned char error);
+ int f2fs_commit_super(struct f2fs_sb_info *sbi, bool recover);
+ int f2fs_sync_fs(struct super_block *sb, int sync);
+ int f2fs_sanity_check_ckpt(struct f2fs_sb_info *sbi);
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -4560,50 +4560,9 @@ void f2fs_save_errors(struct f2fs_sb_inf
+ spin_unlock_irqrestore(&sbi->error_lock, flags);
+ }
+
+-static bool f2fs_update_errors(struct f2fs_sb_info *sbi)
+-{
+- unsigned long flags;
+- bool need_update = false;
+-
+- spin_lock_irqsave(&sbi->error_lock, flags);
+- if (sbi->error_dirty) {
+- memcpy(F2FS_RAW_SUPER(sbi)->s_errors, sbi->errors,
+- MAX_F2FS_ERRORS);
+- sbi->error_dirty = false;
+- need_update = true;
+- }
+- spin_unlock_irqrestore(&sbi->error_lock, flags);
+-
+- return need_update;
+-}
+-
+-static void f2fs_record_errors(struct f2fs_sb_info *sbi, unsigned char error)
+-{
+- int err;
+-
+- f2fs_down_write(&sbi->sb_lock);
+-
+- if (!f2fs_update_errors(sbi))
+- goto out_unlock;
+-
+- err = f2fs_commit_super(sbi, false);
+- if (err)
+- f2fs_err_ratelimited(sbi,
+- "f2fs_commit_super fails to record errors:%u, err:%d",
+- error, err);
+-out_unlock:
+- f2fs_up_write(&sbi->sb_lock);
+-}
+-
+ void f2fs_handle_error(struct f2fs_sb_info *sbi, unsigned char error)
+ {
+ f2fs_save_errors(sbi, error);
+- f2fs_record_errors(sbi, error);
+-}
+-
+-void f2fs_handle_error_async(struct f2fs_sb_info *sbi, unsigned char error)
+-{
+- f2fs_save_errors(sbi, error);
+
+ if (!sbi->error_dirty)
+ return;
--- /dev/null
+From 10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Wed, 22 Oct 2025 11:06:36 +0800
+Subject: f2fs: fix to avoid updating compression context during writeback
+
+From: Chao Yu <chao@kernel.org>
+
+commit 10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76 upstream.
+
+Bai, Shuangpeng <sjb7183@psu.edu> reported a bug as below:
+
+Oops: divide error: 0000 [#1] SMP KASAN PTI
+CPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+RIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857
+Call Trace:
+ <TASK>
+ f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline]
+ __f2fs_write_data_pages fs/f2fs/data.c:3290 [inline]
+ f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317
+ do_writepages+0x38e/0x640 mm/page-writeback.c:2634
+ filemap_fdatawrite_wbc mm/filemap.c:386 [inline]
+ __filemap_fdatawrite_range mm/filemap.c:419 [inline]
+ file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794
+ f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294
+ generic_write_sync include/linux/fs.h:3043 [inline]
+ f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x7e9/0xe00 fs/read_write.c:686
+ ksys_write+0x19d/0x2d0 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The bug was triggered w/ below race condition:
+
+fsync setattr ioctl
+- f2fs_do_sync_file
+ - file_write_and_wait_range
+ - f2fs_write_cache_pages
+ : inode is non-compressed
+ : cc.cluster_size =
+ F2FS_I(inode)->i_cluster_size = 0
+ - tag_pages_for_writeback
+ - f2fs_setattr
+ - truncate_setsize
+ - f2fs_truncate
+ - f2fs_fileattr_set
+ - f2fs_setflags_common
+ - set_compress_context
+ : F2FS_I(inode)->i_cluster_size = 4
+ : set_inode_flag(inode, FI_COMPRESSED_FILE)
+ - f2fs_compressed_file
+ : return true
+ - f2fs_all_cluster_page_ready
+ : "pgidx % cc->cluster_size" trigger dividing 0 issue
+
+Let's change as below to fix this issue:
+- introduce a new atomic type variable .writeback in structure f2fs_inode_info
+to track the number of threads which calling f2fs_write_cache_pages().
+- use .i_sem lock to protect .writeback update.
+- check .writeback before update compression context in f2fs_setflags_common()
+to avoid race w/ ->writepages.
+
+Fixes: 4c8ff7095bef ("f2fs: support data compression")
+Cc: stable@kernel.org
+Reported-by: Bai, Shuangpeng <sjb7183@psu.edu>
+Tested-by: Bai, Shuangpeng <sjb7183@psu.edu>
+Closes: https://lore.kernel.org/lkml/44D8F7B3-68AD-425F-9915-65D27591F93F@psu.edu
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/data.c | 17 +++++++++++++++++
+ fs/f2fs/f2fs.h | 3 ++-
+ fs/f2fs/file.c | 5 +++--
+ fs/f2fs/super.c | 1 +
+ 4 files changed, 23 insertions(+), 3 deletions(-)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -3224,6 +3224,19 @@ static inline bool __should_serialize_io
+ return false;
+ }
+
++static inline void account_writeback(struct inode *inode, bool inc)
++{
++ if (!f2fs_sb_has_compression(F2FS_I_SB(inode)))
++ return;
++
++ f2fs_down_read(&F2FS_I(inode)->i_sem);
++ if (inc)
++ atomic_inc(&F2FS_I(inode)->writeback);
++ else
++ atomic_dec(&F2FS_I(inode)->writeback);
++ f2fs_up_read(&F2FS_I(inode)->i_sem);
++}
++
+ static int __f2fs_write_data_pages(struct address_space *mapping,
+ struct writeback_control *wbc,
+ enum iostat_type io_type)
+@@ -3269,10 +3282,14 @@ static int __f2fs_write_data_pages(struc
+ locked = true;
+ }
+
++ account_writeback(inode, true);
++
+ blk_start_plug(&plug);
+ ret = f2fs_write_cache_pages(mapping, wbc, io_type);
+ blk_finish_plug(&plug);
+
++ account_writeback(inode, false);
++
+ if (locked)
+ mutex_unlock(&sbi->writepages);
+
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -948,6 +948,7 @@ struct f2fs_inode_info {
+ unsigned char i_compress_level; /* compress level (lz4hc,zstd) */
+ unsigned char i_compress_flag; /* compress flag */
+ unsigned int i_cluster_size; /* cluster size */
++ atomic_t writeback; /* count # of writeback thread */
+
+ unsigned int atomic_write_cnt;
+ loff_t original_i_size; /* original i_size before atomic write */
+@@ -4675,7 +4676,7 @@ static inline bool f2fs_disable_compress
+ f2fs_up_write(&fi->i_sem);
+ return true;
+ }
+- if (f2fs_is_mmap_file(inode) ||
++ if (f2fs_is_mmap_file(inode) || atomic_read(&fi->writeback) ||
+ (S_ISREG(inode->i_mode) && F2FS_HAS_BLOCKS(inode))) {
+ f2fs_up_write(&fi->i_sem);
+ return false;
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -2125,8 +2125,9 @@ static int f2fs_setflags_common(struct i
+
+ f2fs_down_write(&fi->i_sem);
+ if (!f2fs_may_compress(inode) ||
+- (S_ISREG(inode->i_mode) &&
+- F2FS_HAS_BLOCKS(inode))) {
++ atomic_read(&fi->writeback) ||
++ (S_ISREG(inode->i_mode) &&
++ F2FS_HAS_BLOCKS(inode))) {
+ f2fs_up_write(&fi->i_sem);
+ return -EINVAL;
+ }
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1759,6 +1759,7 @@ static struct inode *f2fs_alloc_inode(st
+ atomic_set(&fi->dirty_pages, 0);
+ atomic_set(&fi->i_compr_blocks, 0);
+ atomic_set(&fi->open_count, 0);
++ atomic_set(&fi->writeback, 0);
+ init_f2fs_rwsem(&fi->i_sem);
+ spin_lock_init(&fi->i_size_lock);
+ INIT_LIST_HEAD(&fi->dirty_list);
--- /dev/null
+From 7c37c79510329cd951a4dedf3f7bf7e2b18dccec Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Mon, 20 Oct 2025 10:42:12 +0800
+Subject: f2fs: fix to avoid updating zero-sized extent in extent cache
+
+From: Chao Yu <chao@kernel.org>
+
+commit 7c37c79510329cd951a4dedf3f7bf7e2b18dccec upstream.
+
+As syzbot reported:
+
+F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0]
+------------[ cut here ]------------
+kernel BUG at fs/f2fs/extent_cache.c:678!
+Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
+CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678
+Call Trace:
+ <TASK>
+ f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085
+ f2fs_do_zero_range fs/f2fs/file.c:1657 [inline]
+ f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737
+ f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030
+ vfs_fallocate+0x669/0x7e0 fs/open.c:342
+ ioctl_preallocate fs/ioctl.c:289 [inline]
+ file_ioctl+0x611/0x780 fs/ioctl.c:-1
+ do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576
+ __do_sys_ioctl fs/ioctl.c:595 [inline]
+ __se_sys_ioctl+0x82/0x170 fs/ioctl.c:583
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f07bc58eec9
+
+In error path of f2fs_zero_range(), it may add a zero-sized extent
+into extent cache, it should be avoided.
+
+Fixes: 6e9619499f53 ("f2fs: support in batch fzero in dnode page")
+Cc: stable@kernel.org
+Reported-by: syzbot+24124df3170c3638b35f@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-f2fs-devel/68e5d698.050a0220.256323.0032.GAE@google.com
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/file.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -1654,8 +1654,11 @@ static int f2fs_do_zero_range(struct dno
+ f2fs_set_data_blkaddr(dn, NEW_ADDR);
+ }
+
+- f2fs_update_read_extent_cache_range(dn, start, 0, index - start);
+- f2fs_update_age_extent_cache_range(dn, start, index - start);
++ if (index > start) {
++ f2fs_update_read_extent_cache_range(dn, start, 0,
++ index - start);
++ f2fs_update_age_extent_cache_range(dn, start, index - start);
++ }
+
+ return ret;
+ }
--- /dev/null
+From 68d05693f8c031257a0822464366e1c2a239a512 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Wed, 5 Nov 2025 14:50:23 +0800
+Subject: f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes()
+
+From: Chao Yu <chao@kernel.org>
+
+commit 68d05693f8c031257a0822464366e1c2a239a512 upstream.
+
+mkfs.f2fs -f /dev/vdd
+mount /dev/vdd /mnt/f2fs
+touch /mnt/f2fs/foo
+sync # avoid CP_UMOUNT_FLAG in last f2fs_checkpoint.ckpt_flags
+touch /mnt/f2fs/bar
+f2fs_io fsync /mnt/f2fs/bar
+f2fs_io shutdown 2 /mnt/f2fs
+umount /mnt/f2fs
+blockdev --setro /dev/vdd
+mount /dev/vdd /mnt/f2fs
+mount: /mnt/f2fs: WARNING: source write-protected, mounted read-only.
+
+For the case if we create and fsync a new inode before sudden power-cut,
+without norecovery or disable_roll_forward mount option, the following
+mount will succeed w/o recovering last fsynced inode.
+
+The problem here is that we only check inode_list list after
+find_fsync_dnodes() in f2fs_recover_fsync_data() to find out whether
+there is recoverable data in the iamge, but there is a missed case, if
+last fsynced inode is not existing in last checkpoint, then, we will
+fail to get its inode due to nat of inode node is not existing in last
+checkpoint, so the inode won't be linked in inode_list.
+
+Let's detect such case in dyrun mode to fix this issue.
+
+After this change, mount will fail as expected below:
+mount: /mnt/f2fs: cannot mount /dev/vdd read-only.
+ dmesg(1) may have more information after failed mount system call.
+demsg:
+F2FS-fs (vdd): Need to recover fsync data, but write access unavailable, please try mount w/ disable_roll_forward or norecovery
+
+Cc: stable@kernel.org
+Fixes: 6781eabba1bd ("f2fs: give -EINVAL for norecovery and rw mount")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/recovery.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/fs/f2fs/recovery.c
++++ b/fs/f2fs/recovery.c
+@@ -399,7 +399,7 @@ static int sanity_check_node_chain(struc
+ }
+
+ static int find_fsync_dnodes(struct f2fs_sb_info *sbi, struct list_head *head,
+- bool check_only)
++ bool check_only, bool *new_inode)
+ {
+ struct curseg_info *curseg;
+ block_t blkaddr, blkaddr_fast;
+@@ -447,16 +447,19 @@ static int find_fsync_dnodes(struct f2fs
+ quota_inode = true;
+ }
+
+- /*
+- * CP | dnode(F) | inode(DF)
+- * For this case, we should not give up now.
+- */
+ entry = add_fsync_inode(sbi, head, ino_of_node(folio),
+ quota_inode);
+ if (IS_ERR(entry)) {
+ err = PTR_ERR(entry);
+- if (err == -ENOENT)
++ /*
++ * CP | dnode(F) | inode(DF)
++ * For this case, we should not give up now.
++ */
++ if (err == -ENOENT) {
++ if (check_only)
++ *new_inode = true;
+ goto next;
++ }
+ f2fs_folio_put(folio, true);
+ break;
+ }
+@@ -875,6 +878,7 @@ int f2fs_recover_fsync_data(struct f2fs_
+ int ret = 0;
+ unsigned long s_flags = sbi->sb->s_flags;
+ bool need_writecp = false;
++ bool new_inode = false;
+
+ f2fs_notice(sbi, "f2fs_recover_fsync_data: recovery fsync data, "
+ "check_only: %d", check_only);
+@@ -890,8 +894,8 @@ int f2fs_recover_fsync_data(struct f2fs_
+ f2fs_down_write(&sbi->cp_global_sem);
+
+ /* step #1: find fsynced inode numbers */
+- err = find_fsync_dnodes(sbi, &inode_list, check_only);
+- if (err || list_empty(&inode_list))
++ err = find_fsync_dnodes(sbi, &inode_list, check_only, &new_inode);
++ if (err < 0 || (list_empty(&inode_list) && (!check_only || !new_inode)))
+ goto skip;
+
+ if (check_only) {
--- /dev/null
+From 37345eae9deaa2e4f372eeb98f6594cd0ee0916e Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Fri, 28 Nov 2025 17:25:07 +0800
+Subject: f2fs: fix to not account invalid blocks in get_left_section_blocks()
+
+From: Chao Yu <chao@kernel.org>
+
+commit 37345eae9deaa2e4f372eeb98f6594cd0ee0916e upstream.
+
+w/ LFS mode, in get_left_section_blocks(), we should not account the
+blocks which were used before and now are invalided, otherwise those
+blocks will be counted as freed one in has_curseg_enough_space(), result
+in missing to trigger GC in time.
+
+Cc: stable@kernel.org
+Fixes: 249ad438e1d9 ("f2fs: add a method for calculating the remaining blocks in the current segment in LFS mode.")
+Fixes: bf34c93d2645 ("f2fs: check curseg space before foreground GC")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/segment.h | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/fs/f2fs/segment.h
++++ b/fs/f2fs/segment.h
+@@ -607,10 +607,12 @@ static inline int reserved_sections(stru
+ static inline unsigned int get_left_section_blocks(struct f2fs_sb_info *sbi,
+ enum log_type type, unsigned int segno)
+ {
+- if (f2fs_lfs_mode(sbi) && __is_large_section(sbi))
+- return CAP_BLKS_PER_SEC(sbi) - SEGS_TO_BLKS(sbi,
+- (segno - GET_START_SEG_FROM_SEC(sbi, segno))) -
++ if (f2fs_lfs_mode(sbi)) {
++ unsigned int used_blocks = __is_large_section(sbi) ? SEGS_TO_BLKS(sbi,
++ (segno - GET_START_SEG_FROM_SEC(sbi, segno))) : 0;
++ return CAP_BLKS_PER_SEC(sbi) - used_blocks -
+ CURSEG_I(sbi, type)->next_blkoff;
++ }
+ return CAP_BLKS_PER_SEC(sbi) - get_ckpt_valid_blocks(sbi, segno, true);
+ }
+
--- /dev/null
+From be112e7449a6e1b54aa9feac618825d154b3a5c7 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Mon, 27 Oct 2025 14:35:33 +0800
+Subject: f2fs: fix to propagate error from f2fs_enable_checkpoint()
+
+From: Chao Yu <chao@kernel.org>
+
+commit be112e7449a6e1b54aa9feac618825d154b3a5c7 upstream.
+
+In order to let userspace detect such error rather than suffering
+silent failure.
+
+Fixes: 4354994f097d ("f2fs: checkpoint disabling")
+Cc: stable@kernel.org
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/super.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -2634,10 +2634,11 @@ restore_flag:
+ return err;
+ }
+
+-static void f2fs_enable_checkpoint(struct f2fs_sb_info *sbi)
++static int f2fs_enable_checkpoint(struct f2fs_sb_info *sbi)
+ {
+ unsigned int nr_pages = get_pages(sbi, F2FS_DIRTY_DATA) / 16;
+ long long start, writeback, end;
++ int ret;
+
+ f2fs_info(sbi, "f2fs_enable_checkpoint() starts, meta: %lld, node: %lld, data: %lld",
+ get_pages(sbi, F2FS_DIRTY_META),
+@@ -2671,7 +2672,9 @@ static void f2fs_enable_checkpoint(struc
+ set_sbi_flag(sbi, SBI_IS_DIRTY);
+ f2fs_up_write(&sbi->gc_lock);
+
+- f2fs_sync_fs(sbi->sb, 1);
++ ret = f2fs_sync_fs(sbi->sb, 1);
++ if (ret)
++ f2fs_err(sbi, "%s sync_fs failed, ret: %d", __func__, ret);
+
+ /* Let's ensure there's no pending checkpoint anymore */
+ f2fs_flush_ckpt_thread(sbi);
+@@ -2681,6 +2684,7 @@ static void f2fs_enable_checkpoint(struc
+ f2fs_info(sbi, "f2fs_enable_checkpoint() finishes, writeback:%llu, sync:%llu",
+ ktime_ms_delta(writeback, start),
+ ktime_ms_delta(end, writeback));
++ return ret;
+ }
+
+ static int __f2fs_remount(struct fs_context *fc, struct super_block *sb)
+@@ -2894,7 +2898,9 @@ static int __f2fs_remount(struct fs_cont
+ goto restore_discard;
+ need_enable_checkpoint = true;
+ } else {
+- f2fs_enable_checkpoint(sbi);
++ err = f2fs_enable_checkpoint(sbi);
++ if (err)
++ goto restore_discard;
+ need_disable_checkpoint = true;
+ }
+ }
+@@ -2937,7 +2943,8 @@ skip:
+ return 0;
+ restore_checkpoint:
+ if (need_enable_checkpoint) {
+- f2fs_enable_checkpoint(sbi);
++ if (f2fs_enable_checkpoint(sbi))
++ f2fs_warn(sbi, "checkpoint has not been enabled");
+ } else if (need_disable_checkpoint) {
+ if (f2fs_disable_checkpoint(sbi))
+ f2fs_warn(sbi, "checkpoint has not been disabled");
+@@ -5232,13 +5239,12 @@ reset_checkpoint:
+ if (err)
+ goto sync_free_meta;
+
+- if (test_opt(sbi, DISABLE_CHECKPOINT)) {
++ if (test_opt(sbi, DISABLE_CHECKPOINT))
+ err = f2fs_disable_checkpoint(sbi);
+- if (err)
+- goto sync_free_meta;
+- } else if (is_set_ckpt_flags(sbi, CP_DISABLED_FLAG)) {
+- f2fs_enable_checkpoint(sbi);
+- }
++ else if (is_set_ckpt_flags(sbi, CP_DISABLED_FLAG))
++ err = f2fs_enable_checkpoint(sbi);
++ if (err)
++ goto sync_free_meta;
+
+ /*
+ * If filesystem is not mounted as read-only then
--- /dev/null
+From 392711ef18bff524a873b9c239a73148c5432262 Mon Sep 17 00:00:00 2001
+From: Xiaole He <hexiaole1994@126.com>
+Date: Wed, 29 Oct 2025 13:18:07 +0800
+Subject: f2fs: fix uninitialized one_time_gc in victim_sel_policy
+
+From: Xiaole He <hexiaole1994@126.com>
+
+commit 392711ef18bff524a873b9c239a73148c5432262 upstream.
+
+The one_time_gc field in struct victim_sel_policy is conditionally
+initialized but unconditionally read, leading to undefined behavior
+that triggers UBSAN warnings.
+
+In f2fs_get_victim() at fs/f2fs/gc.c:774, the victim_sel_policy
+structure is declared without initialization:
+
+ struct victim_sel_policy p;
+
+The field p.one_time_gc is only assigned when the 'one_time' parameter
+is true (line 789):
+
+ if (one_time) {
+ p.one_time_gc = one_time;
+ ...
+ }
+
+However, this field is unconditionally read in subsequent get_gc_cost()
+at line 395:
+
+ if (p->one_time_gc && (valid_thresh_ratio < 100) && ...)
+
+When one_time is false, p.one_time_gc contains uninitialized stack
+memory. Hence p.one_time_gc is an invalid bool value.
+
+UBSAN detects this invalid bool value:
+
+ UBSAN: invalid-load in fs/f2fs/gc.c:395:7
+ load of value 77 is not a valid value for type '_Bool'
+ CPU: 3 UID: 0 PID: 1297 Comm: f2fs_gc-252:16 Not tainted 6.18.0-rc3
+ #5 PREEMPT(voluntary)
+ Hardware name: OpenStack Foundation OpenStack Nova,
+ BIOS 1.13.0-1ubuntu1.1 04/01/2014
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x70/0x90
+ dump_stack+0x14/0x20
+ __ubsan_handle_load_invalid_value+0xb3/0xf0
+ ? dl_server_update+0x2e/0x40
+ ? update_curr+0x147/0x170
+ f2fs_get_victim.cold+0x66/0x134 [f2fs]
+ ? sched_balance_newidle+0x2ca/0x470
+ ? finish_task_switch.isra.0+0x8d/0x2a0
+ f2fs_gc+0x2ba/0x8e0 [f2fs]
+ ? _raw_spin_unlock_irqrestore+0x12/0x40
+ ? __timer_delete_sync+0x80/0xe0
+ ? timer_delete_sync+0x14/0x20
+ ? schedule_timeout+0x82/0x100
+ gc_thread_func+0x38b/0x860 [f2fs]
+ ? gc_thread_func+0x38b/0x860 [f2fs]
+ ? __pfx_autoremove_wake_function+0x10/0x10
+ kthread+0x10b/0x220
+ ? __pfx_gc_thread_func+0x10/0x10 [f2fs]
+ ? _raw_spin_unlock_irq+0x12/0x40
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x11a/0x160
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+This issue is reliably reproducible with the following steps on a
+100GB SSD /dev/vdb:
+
+ mkfs.f2fs -f /dev/vdb
+ mount /dev/vdb /mnt/f2fs_test
+ fio --name=gc --directory=/mnt/f2fs_test --rw=randwrite \
+ --bs=4k --size=8G --numjobs=12 --fsync=4 --runtime=10 \
+ --time_based
+ echo 1 > /sys/fs/f2fs/vdb/gc_urgent
+
+The uninitialized value causes incorrect GC victim selection, leading
+to unpredictable garbage collection behavior.
+
+Fix by zero-initializing the entire victim_sel_policy structure to
+ensure all fields have defined values.
+
+Fixes: e791d00bd06c ("f2fs: add valid block ratio not to do excessive GC for one time GC")
+Cc: stable@kernel.org
+Signed-off-by: Xiaole He <hexiaole1994@126.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/gc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -774,7 +774,7 @@ int f2fs_get_victim(struct f2fs_sb_info
+ {
+ struct dirty_seglist_info *dirty_i = DIRTY_I(sbi);
+ struct sit_info *sm = SIT_I(sbi);
+- struct victim_sel_policy p;
++ struct victim_sel_policy p = {0};
+ unsigned int secno, last_victim;
+ unsigned int last_segment;
+ unsigned int nsearched;
--- /dev/null
+From d33f89b34aa313f50f9a512d58dd288999f246b0 Mon Sep 17 00:00:00 2001
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+Date: Mon, 27 Oct 2025 18:36:34 +0530
+Subject: f2fs: invalidate dentry cache on failed whiteout creation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+commit d33f89b34aa313f50f9a512d58dd288999f246b0 upstream.
+
+F2FS can mount filesystems with corrupted directory depth values that
+get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT
+operations are performed on such directories, f2fs_rename performs
+directory modifications (updating target entry and deleting source
+entry) before attempting to add the whiteout entry via f2fs_add_link.
+
+If f2fs_add_link fails due to the corrupted directory structure, the
+function returns an error to VFS, but the partial directory
+modifications have already been committed to disk. VFS assumes the
+entire rename operation failed and does not update the dentry cache,
+leaving stale mappings.
+
+In the error path, VFS does not call d_move() to update the dentry
+cache. This results in new_dentry still pointing to the old inode
+(new_inode) which has already had its i_nlink decremented to zero.
+The stale cache causes subsequent operations to incorrectly reference
+the freed inode.
+
+This causes subsequent operations to use cached dentry information that
+no longer matches the on-disk state. When a second rename targets the
+same entry, VFS attempts to decrement i_nlink on the stale inode, which
+may already have i_nlink=0, triggering a WARNING in drop_nlink().
+
+Example sequence:
+1. First rename (RENAME_WHITEOUT): file2 → file1
+ - f2fs updates file1 entry on disk (points to inode 8)
+ - f2fs deletes file2 entry on disk
+ - f2fs_add_link(whiteout) fails (corrupted directory)
+ - Returns error to VFS
+ - VFS does not call d_move() due to error
+ - VFS cache still has: file1 → inode 7 (stale!)
+ - inode 7 has i_nlink=0 (already decremented)
+
+2. Second rename: file3 → file1
+ - VFS uses stale cache: file1 → inode 7
+ - Tries to drop_nlink on inode 7 (i_nlink already 0)
+ - WARNING in drop_nlink()
+
+Fix this by explicitly invalidating old_dentry and new_dentry when
+f2fs_add_link fails during whiteout creation. This forces VFS to
+refresh from disk on subsequent operations, ensuring cache consistency
+even when the rename partially succeeds.
+
+Reproducer:
+1. Mount F2FS image with corrupted i_current_depth
+2. renameat2(file2, file1, RENAME_WHITEOUT)
+3. renameat2(file3, file1, 0)
+4. System triggers WARNING in drop_nlink()
+
+Fixes: 7e01e7ad746b ("f2fs: support RENAME_WHITEOUT")
+Reported-by: syzbot+632cf32276a9a564188d@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=632cf32276a9a564188d
+Suggested-by: Chao Yu <chao@kernel.org>
+Link: https://lore.kernel.org/all/20251022233349.102728-1-kartikey406@gmail.com/ [v1]
+Cc: stable@vger.kernel.org
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/namei.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -1053,9 +1053,11 @@ static int f2fs_rename(struct mnt_idmap
+ if (whiteout) {
+ set_inode_flag(whiteout, FI_INC_LINK);
+ err = f2fs_add_link(old_dentry, whiteout);
+- if (err)
++ if (err) {
++ d_invalidate(old_dentry);
++ d_invalidate(new_dentry);
+ goto put_out_dir;
+-
++ }
+ spin_lock(&whiteout->i_lock);
+ whiteout->i_state &= ~I_LINKABLE;
+ spin_unlock(&whiteout->i_lock);
--- /dev/null
+From 1f27ef42bb0b7c0740c5616ec577ec188b8a1d05 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Tue, 21 Oct 2025 11:48:56 +0800
+Subject: f2fs: use global inline_xattr_slab instead of per-sb slab cache
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chao Yu <chao@kernel.org>
+
+commit 1f27ef42bb0b7c0740c5616ec577ec188b8a1d05 upstream.
+
+As Hong Yun reported in mailing list:
+
+loop7: detected capacity change from 0 to 131072
+------------[ cut here ]------------
+kmem_cache of name 'f2fs_xattr_entry-7:7' already exists
+WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline]
+WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
+CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline]
+RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
+Call Trace:
+ __kmem_cache_create include/linux/slab.h:353 [inline]
+ f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]
+ f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843
+ f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918
+ get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692
+ vfs_get_tree+0x43/0x140 fs/super.c:1815
+ do_new_mount+0x201/0x550 fs/namespace.c:3808
+ do_mount fs/namespace.c:4136 [inline]
+ __do_sys_mount fs/namespace.c:4347 [inline]
+ __se_sys_mount+0x298/0x2f0 fs/namespace.c:4324
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+The bug can be reproduced w/ below scripts:
+- mount /dev/vdb /mnt1
+- mount /dev/vdc /mnt2
+- umount /mnt1
+- mounnt /dev/vdb /mnt1
+
+The reason is if we created two slab caches, named f2fs_xattr_entry-7:3
+and f2fs_xattr_entry-7:7, and they have the same slab size. Actually,
+slab system will only create one slab cache core structure which has
+slab name of "f2fs_xattr_entry-7:3", and two slab caches share the same
+structure and cache address.
+
+So, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will
+decrease reference count of slab cache, rather than release slab cache
+entirely, since there is one more user has referenced the cache.
+
+Then, if we try to create slab cache w/ name "f2fs_xattr_entry-7:3" again,
+slab system will find that there is existed cache which has the same name
+and trigger the warning.
+
+Let's changes to use global inline_xattr_slab instead of per-sb slab cache
+for fixing.
+
+Fixes: a999150f4fe3 ("f2fs: use kmem_cache pool during inline xattr lookups")
+Cc: stable@kernel.org
+Reported-by: Hong Yun <yhong@link.cuhk.edu.hk>
+Tested-by: Hong Yun <yhong@link.cuhk.edu.hk>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/f2fs.h | 3 ---
+ fs/f2fs/super.c | 17 ++++++++---------
+ fs/f2fs/xattr.c | 32 +++++++++++---------------------
+ fs/f2fs/xattr.h | 10 ++++++----
+ 4 files changed, 25 insertions(+), 37 deletions(-)
+
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1886,9 +1886,6 @@ struct f2fs_sb_info {
+ spinlock_t error_lock; /* protect errors/stop_reason array */
+ bool error_dirty; /* errors of sb is dirty */
+
+- struct kmem_cache *inline_xattr_slab; /* inline xattr entry */
+- unsigned int inline_xattr_slab_size; /* default inline xattr slab size */
+-
+ /* For reclaimed segs statistics per each GC mode */
+ unsigned int gc_segment_mode; /* GC state for reclaimed segments */
+ unsigned int gc_reclaimed_segs[MAX_GC_MODE]; /* Reclaimed segs for each mode */
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -2028,7 +2028,6 @@ static void f2fs_put_super(struct super_
+ kfree(sbi->raw_super);
+
+ f2fs_destroy_page_array_cache(sbi);
+- f2fs_destroy_xattr_caches(sbi);
+ #ifdef CONFIG_QUOTA
+ for (i = 0; i < MAXQUOTAS; i++)
+ kfree(F2FS_OPTION(sbi).s_qf_names[i]);
+@@ -4997,13 +4996,9 @@ try_onemore:
+ if (err)
+ goto free_iostat;
+
+- /* init per sbi slab cache */
+- err = f2fs_init_xattr_caches(sbi);
+- if (err)
+- goto free_percpu;
+ err = f2fs_init_page_array_cache(sbi);
+ if (err)
+- goto free_xattr_cache;
++ goto free_percpu;
+
+ /* get an inode for meta space */
+ sbi->meta_inode = f2fs_iget(sb, F2FS_META_INO(sbi));
+@@ -5331,8 +5326,6 @@ free_meta_inode:
+ sbi->meta_inode = NULL;
+ free_page_array_cache:
+ f2fs_destroy_page_array_cache(sbi);
+-free_xattr_cache:
+- f2fs_destroy_xattr_caches(sbi);
+ free_percpu:
+ destroy_percpu_info(sbi);
+ free_iostat:
+@@ -5535,10 +5528,15 @@ static int __init init_f2fs_fs(void)
+ err = f2fs_create_casefold_cache();
+ if (err)
+ goto free_compress_cache;
+- err = register_filesystem(&f2fs_fs_type);
++ err = f2fs_init_xattr_cache();
+ if (err)
+ goto free_casefold_cache;
++ err = register_filesystem(&f2fs_fs_type);
++ if (err)
++ goto free_xattr_cache;
+ return 0;
++free_xattr_cache:
++ f2fs_destroy_xattr_cache();
+ free_casefold_cache:
+ f2fs_destroy_casefold_cache();
+ free_compress_cache:
+@@ -5579,6 +5577,7 @@ fail:
+ static void __exit exit_f2fs_fs(void)
+ {
+ unregister_filesystem(&f2fs_fs_type);
++ f2fs_destroy_xattr_cache();
+ f2fs_destroy_casefold_cache();
+ f2fs_destroy_compress_cache();
+ f2fs_destroy_compress_mempool();
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -23,11 +23,12 @@
+ #include "xattr.h"
+ #include "segment.h"
+
++static struct kmem_cache *inline_xattr_slab;
+ static void *xattr_alloc(struct f2fs_sb_info *sbi, int size, bool *is_inline)
+ {
+- if (likely(size == sbi->inline_xattr_slab_size)) {
++ if (likely(size == DEFAULT_XATTR_SLAB_SIZE)) {
+ *is_inline = true;
+- return f2fs_kmem_cache_alloc(sbi->inline_xattr_slab,
++ return f2fs_kmem_cache_alloc(inline_xattr_slab,
+ GFP_F2FS_ZERO, false, sbi);
+ }
+ *is_inline = false;
+@@ -38,7 +39,7 @@ static void xattr_free(struct f2fs_sb_in
+ bool is_inline)
+ {
+ if (is_inline)
+- kmem_cache_free(sbi->inline_xattr_slab, xattr_addr);
++ kmem_cache_free(inline_xattr_slab, xattr_addr);
+ else
+ kfree(xattr_addr);
+ }
+@@ -830,25 +831,14 @@ int f2fs_setxattr(struct inode *inode, i
+ return err;
+ }
+
+-int f2fs_init_xattr_caches(struct f2fs_sb_info *sbi)
++int __init f2fs_init_xattr_cache(void)
+ {
+- dev_t dev = sbi->sb->s_bdev->bd_dev;
+- char slab_name[32];
+-
+- sprintf(slab_name, "f2fs_xattr_entry-%u:%u", MAJOR(dev), MINOR(dev));
+-
+- sbi->inline_xattr_slab_size = F2FS_OPTION(sbi).inline_xattr_size *
+- sizeof(__le32) + XATTR_PADDING_SIZE;
+-
+- sbi->inline_xattr_slab = f2fs_kmem_cache_create(slab_name,
+- sbi->inline_xattr_slab_size);
+- if (!sbi->inline_xattr_slab)
+- return -ENOMEM;
+-
+- return 0;
++ inline_xattr_slab = f2fs_kmem_cache_create("f2fs_xattr_entry",
++ DEFAULT_XATTR_SLAB_SIZE);
++ return inline_xattr_slab ? 0 : -ENOMEM;
+ }
+
+-void f2fs_destroy_xattr_caches(struct f2fs_sb_info *sbi)
++void f2fs_destroy_xattr_cache(void)
+ {
+- kmem_cache_destroy(sbi->inline_xattr_slab);
+-}
++ kmem_cache_destroy(inline_xattr_slab);
++}
+\ No newline at end of file
+--- a/fs/f2fs/xattr.h
++++ b/fs/f2fs/xattr.h
+@@ -89,6 +89,8 @@ struct f2fs_xattr_entry {
+ F2FS_TOTAL_EXTRA_ATTR_SIZE / sizeof(__le32) - \
+ DEF_INLINE_RESERVED_SIZE - \
+ MIN_INLINE_DENTRY_SIZE / sizeof(__le32))
++#define DEFAULT_XATTR_SLAB_SIZE (DEFAULT_INLINE_XATTR_ADDRS * \
++ sizeof(__le32) + XATTR_PADDING_SIZE)
+
+ /*
+ * On-disk structure of f2fs_xattr
+@@ -132,8 +134,8 @@ int f2fs_setxattr(struct inode *, int, c
+ int f2fs_getxattr(struct inode *, int, const char *, void *,
+ size_t, struct folio *);
+ ssize_t f2fs_listxattr(struct dentry *, char *, size_t);
+-int f2fs_init_xattr_caches(struct f2fs_sb_info *);
+-void f2fs_destroy_xattr_caches(struct f2fs_sb_info *);
++int __init f2fs_init_xattr_cache(void);
++void f2fs_destroy_xattr_cache(void);
+ #else
+
+ #define f2fs_xattr_handlers NULL
+@@ -150,8 +152,8 @@ static inline int f2fs_getxattr(struct i
+ {
+ return -EOPNOTSUPP;
+ }
+-static inline int f2fs_init_xattr_caches(struct f2fs_sb_info *sbi) { return 0; }
+-static inline void f2fs_destroy_xattr_caches(struct f2fs_sb_info *sbi) { }
++static inline int __init f2fs_init_xattr_cache(void) { return 0; }
++static inline void f2fs_destroy_xattr_cache(void) { }
+ #endif
+
+ #ifdef CONFIG_F2FS_FS_SECURITY
--- /dev/null
+From 6d5925b667e4ed9e77c8278cc215191d29454a3f Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Wed, 12 Nov 2025 17:17:23 +0800
+Subject: intel_th: Fix error handling in intel_th_output_open
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit 6d5925b667e4ed9e77c8278cc215191d29454a3f upstream.
+
+intel_th_output_open() calls bus_find_device_by_devt() which
+internally increments the device reference count via get_device(), but
+this reference is not properly released in several error paths. When
+device driver is unavailable, file operations cannot be obtained, or
+the driver's open method fails, the function returns without calling
+put_device(), leading to a permanent device reference count leak. This
+prevents the device from being properly released and could cause
+resource exhaustion over time.
+
+Found by code review.
+
+Cc: stable <stable@kernel.org>
+Fixes: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Link: https://patch.msgid.link/20251112091723.35963-1-make24@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/intel_th/core.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+--- a/drivers/hwtracing/intel_th/core.c
++++ b/drivers/hwtracing/intel_th/core.c
+@@ -810,13 +810,17 @@ static int intel_th_output_open(struct i
+ int err;
+
+ dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev);
+- if (!dev || !dev->driver)
+- return -ENODEV;
++ if (!dev || !dev->driver) {
++ err = -ENODEV;
++ goto out_no_device;
++ }
+
+ thdrv = to_intel_th_driver(dev->driver);
+ fops = fops_get(thdrv->fops);
+- if (!fops)
+- return -ENODEV;
++ if (!fops) {
++ err = -ENODEV;
++ goto out_put_device;
++ }
+
+ replace_fops(file, fops);
+
+@@ -824,10 +828,16 @@ static int intel_th_output_open(struct i
+
+ if (file->f_op->open) {
+ err = file->f_op->open(inode, file);
+- return err;
++ if (err)
++ goto out_put_device;
+ }
+
+ return 0;
++
++out_put_device:
++ put_device(dev);
++out_no_device:
++ return err;
+ }
+
+ static const struct file_operations intel_th_output_fops = {
--- /dev/null
+From b91e6aafe8d356086cc621bc03e35ba2299e4788 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Mon, 21 Apr 2025 21:52:44 +0900
+Subject: media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit b91e6aafe8d356086cc621bc03e35ba2299e4788 upstream.
+
+rlen value is a user-controlled value, but dtv5100_i2c_msg() does not
+check the size of the rlen value. Therefore, if it is set to a value
+larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data.
+
+Therefore, we need to add proper range checking to prevent this vuln.
+
+Fixes: 60688d5e6e6e ("V4L/DVB (8735): dtv5100: replace dummy frontend by zl10353")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/dvb-usb/dtv5100.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/media/usb/dvb-usb/dtv5100.c
++++ b/drivers/media/usb/dvb-usb/dtv5100.c
+@@ -55,6 +55,11 @@ static int dtv5100_i2c_msg(struct dvb_us
+ }
+ index = (addr << 8) + wbuf[0];
+
++ if (rlen > sizeof(st->data)) {
++ warn("rlen = %x is too big!\n", rlen);
++ return -EINVAL;
++ }
++
+ memcpy(st->data, rbuf, rlen);
+ msleep(1); /* avoid I2C errors */
+ return usb_control_msg(d->udev, pipe, request,
--- /dev/null
+From be440980eace19c035a0745fd6b6e42707bc4f49 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.i.king@gmail.com>
+Date: Wed, 3 Sep 2025 09:44:16 +0100
+Subject: media: pvrusb2: Fix incorrect variable used in trace message
+
+From: Colin Ian King <colin.i.king@gmail.com>
+
+commit be440980eace19c035a0745fd6b6e42707bc4f49 upstream.
+
+The pvr2_trace message is reporting an error about control read
+transfers, however it is using the incorrect variable write_len
+instead of read_lean. Fix this by using the correct variable
+read_len.
+
+Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")
+Cc: stable@vger.kernel.org
+Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+@@ -3622,7 +3622,7 @@ static int pvr2_send_request_ex(struct p
+ pvr2_trace(
+ PVR2_TRACE_ERROR_LEGS,
+ "Attempted to execute %d byte control-read transfer (limit=%d)",
+- write_len,PVR2_CTL_BUFFSIZE);
++ read_len, PVR2_CTL_BUFFSIZE);
+ return -EINVAL;
+ }
+ if ((!write_len) && (!read_len)) {
--- /dev/null
+From a6dab2f61d23c1eb32f1d08fa7b4919a2478950b Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Tue, 4 Nov 2025 10:01:33 +0800
+Subject: mei: Fix error handling in mei_register
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit a6dab2f61d23c1eb32f1d08fa7b4919a2478950b upstream.
+
+mei_register() fails to release the device reference in error paths
+after device_initialize(). During normal device registration, the
+reference is properly handled through mei_deregister() which calls
+device_destroy(). However, in error handling paths (such as cdev_alloc
+failure, cdev_add failure, etc.), missing put_device() calls cause
+reference count leaks, preventing the device's release function
+(mei_device_release) from being called and resulting in memory leaks
+of mei_device.
+
+Found by code review.
+
+Cc: stable <stable@kernel.org>
+Fixes: 7704e6be4ed2 ("mei: hook mei_device on class device")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Acked-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Link: https://patch.msgid.link/20251104020133.5017-1-make24@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c
+index 86a73684a373..6f26d5160788 100644
+--- a/drivers/misc/mei/main.c
++++ b/drivers/misc/mei/main.c
+@@ -1307,6 +1307,7 @@ int mei_register(struct mei_device *dev, struct device *parent)
+ err_del_cdev:
+ cdev_del(dev->cdev);
+ err:
++ put_device(&dev->dev);
+ mei_minor_free(minor);
+ return ret;
+ }
+--
+2.52.0
+
--- /dev/null
+From 5d92c3b41f0bddfa416130c6e1b424414f3d2acf Mon Sep 17 00:00:00 2001
+From: Junxiao Chang <junxiao.chang@intel.com>
+Date: Sun, 9 Nov 2025 17:35:33 +0200
+Subject: mei: gsc: add dependency on Xe driver
+
+From: Junxiao Chang <junxiao.chang@intel.com>
+
+commit 5d92c3b41f0bddfa416130c6e1b424414f3d2acf upstream.
+
+INTEL_MEI_GSC depends on either i915 or Xe
+and can be present when either of above is present.
+
+Cc: stable <stable@kernel.org>
+Fixes: 87a4c85d3a3e ("drm/xe/gsc: add gsc device support")
+Tested-by: Baoli Zhang <baoli.zhang@intel.com>
+Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Link: https://patch.msgid.link/20251109153533.3179787-1-alexander.usyskin@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/mei/Kconfig
++++ b/drivers/misc/mei/Kconfig
+@@ -49,7 +49,7 @@ config INTEL_MEI_TXE
+ config INTEL_MEI_GSC
+ tristate "Intel MEI GSC embedded device"
+ depends on INTEL_MEI_ME
+- depends on DRM_I915
++ depends on DRM_I915 || DRM_XE
+ help
+ Intel auxiliary driver for GSC devices embedded in Intel graphics devices.
+
--- /dev/null
+From 6f52063db9aabdaabea929b1e998af98c2e8d917 Mon Sep 17 00:00:00 2001
+From: Dai Ngo <dai.ngo@oracle.com>
+Date: Wed, 5 Nov 2025 12:45:54 -0800
+Subject: NFSD: use correct reservation type in nfsd4_scsi_fence_client
+
+From: Dai Ngo <dai.ngo@oracle.com>
+
+commit 6f52063db9aabdaabea929b1e998af98c2e8d917 upstream.
+
+The reservation type argument for the pr_preempt call should match the
+one used in nfsd4_block_get_device_info_scsi.
+
+Fixes: f99d4fbdae67 ("nfsd: add SCSI layout support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/blocklayout.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/blocklayout.c
++++ b/fs/nfsd/blocklayout.c
+@@ -344,7 +344,8 @@ nfsd4_scsi_fence_client(struct nfs4_layo
+ struct block_device *bdev = file->nf_file->f_path.mnt->mnt_sb->s_bdev;
+
+ bdev->bd_disk->fops->pr_ops->pr_preempt(bdev, NFSD_MDS_PR_KEY,
+- nfsd4_scsi_pr_key(clp), 0, true);
++ nfsd4_scsi_pr_key(clp),
++ PR_EXCLUSIVE_ACCESS_REG_ONLY, true);
+ }
+
+ const struct nfsd4_layout_ops scsi_layout_ops = {
--- /dev/null
+From 356d1924b9a6bc2164ce2bf1fad147b0c37ae085 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Oct 2025 07:45:37 +0200
+Subject: phy: broadcom: bcm63xx-usbh: fix section mismatches
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 356d1924b9a6bc2164ce2bf1fad147b0c37ae085 upstream.
+
+Platform drivers can be probed after their init sections have been
+discarded (e.g. on probe deferral or manual rebind through sysfs) so the
+probe function and match table must not live in init.
+
+Fixes: 783f6d3dcf35 ("phy: bcm63xx-usbh: Add BCM63xx USBH driver")
+Cc: stable@vger.kernel.org # 5.9
+Cc: Álvaro Fernández Rojas <noltari@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patch.msgid.link/20251017054537.6884-1-johan@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/broadcom/phy-bcm63xx-usbh.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/phy/broadcom/phy-bcm63xx-usbh.c
++++ b/drivers/phy/broadcom/phy-bcm63xx-usbh.c
+@@ -375,7 +375,7 @@ static struct phy *bcm63xx_usbh_phy_xlat
+ return of_phy_simple_xlate(dev, args);
+ }
+
+-static int __init bcm63xx_usbh_phy_probe(struct platform_device *pdev)
++static int bcm63xx_usbh_phy_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+ struct bcm63xx_usbh_phy *usbh;
+@@ -432,7 +432,7 @@ static int __init bcm63xx_usbh_phy_probe
+ return 0;
+ }
+
+-static const struct of_device_id bcm63xx_usbh_phy_ids[] __initconst = {
++static const struct of_device_id bcm63xx_usbh_phy_ids[] = {
+ { .compatible = "brcm,bcm6318-usbh-phy", .data = &usbh_bcm6318 },
+ { .compatible = "brcm,bcm6328-usbh-phy", .data = &usbh_bcm6328 },
+ { .compatible = "brcm,bcm6358-usbh-phy", .data = &usbh_bcm6358 },
+@@ -443,7 +443,7 @@ static const struct of_device_id bcm63xx
+ };
+ MODULE_DEVICE_TABLE(of, bcm63xx_usbh_phy_ids);
+
+-static struct platform_driver bcm63xx_usbh_phy_driver __refdata = {
++static struct platform_driver bcm63xx_usbh_phy_driver = {
+ .driver = {
+ .name = "bcm63xx-usbh-phy",
+ .of_match_table = bcm63xx_usbh_phy_ids,
--- /dev/null
+From f6ab594672d4cba08540919a4e6be2e202b60007 Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Wed, 29 Oct 2025 00:29:04 +0800
+Subject: scsi: aic94xx: fix use-after-free in device removal path
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit f6ab594672d4cba08540919a4e6be2e202b60007 upstream.
+
+The asd_pci_remove() function fails to synchronize with pending tasklets
+before freeing the asd_ha structure, leading to a potential
+use-after-free vulnerability.
+
+When a device removal is triggered (via hot-unplug or module unload),
+race condition can occur.
+
+The fix adds tasklet_kill() before freeing the asd_ha structure,
+ensuring all scheduled tasklets complete before cleanup proceeds.
+
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Reported-by: Junrui Luo <moonafterrain@outlook.com>
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/ME2PR01MB3156AB7DCACA206C845FC7E8AFFDA@ME2PR01MB3156.ausprd01.prod.outlook.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/aic94xx/aic94xx_init.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/aic94xx/aic94xx_init.c
++++ b/drivers/scsi/aic94xx/aic94xx_init.c
+@@ -882,6 +882,9 @@ static void asd_pci_remove(struct pci_de
+
+ asd_disable_ints(asd_ha);
+
++ /* Ensure all scheduled tasklets complete before freeing resources */
++ tasklet_kill(&asd_ha->seq.dl_tasklet);
++
+ asd_remove_dev_attrs(asd_ha);
+
+ /* XXX more here as needed */
--- /dev/null
+From d373163194982f43b92c552c138c29d9f0b79553 Mon Sep 17 00:00:00 2001
+From: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+Date: Thu, 11 Dec 2025 05:59:29 +0530
+Subject: scsi: mpi3mr: Read missing IOCFacts flag for reply queue full overflow
+
+From: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+
+commit d373163194982f43b92c552c138c29d9f0b79553 upstream.
+
+The driver was not reading the MAX_REQ_PER_REPLY_QUEUE_LIMIT IOCFacts
+flag, so the reply-queue-full handling was never enabled, even on
+firmware that supports it. Reading this flag enables the feature and
+prevents reply queue overflow.
+
+Fixes: f08b24d82749 ("scsi: mpi3mr: Avoid reply queue full condition")
+Cc: stable@vger.kernel.org
+Signed-off-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+Link: https://patch.msgid.link/20251211002929.22071-1-chandrakanth.patil@broadcom.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpi3mr/mpi/mpi30_ioc.h | 1 +
+ drivers/scsi/mpi3mr/mpi3mr_fw.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/scsi/mpi3mr/mpi/mpi30_ioc.h
++++ b/drivers/scsi/mpi3mr/mpi/mpi30_ioc.h
+@@ -166,6 +166,7 @@ struct mpi3_ioc_facts_data {
+ #define MPI3_IOCFACTS_FLAGS_SIGNED_NVDATA_REQUIRED (0x00010000)
+ #define MPI3_IOCFACTS_FLAGS_DMA_ADDRESS_WIDTH_MASK (0x0000ff00)
+ #define MPI3_IOCFACTS_FLAGS_DMA_ADDRESS_WIDTH_SHIFT (8)
++#define MPI3_IOCFACTS_FLAGS_MAX_REQ_PER_REPLY_QUEUE_LIMIT (0x00000040)
+ #define MPI3_IOCFACTS_FLAGS_INITIAL_PORT_ENABLE_MASK (0x00000030)
+ #define MPI3_IOCFACTS_FLAGS_INITIAL_PORT_ENABLE_SHIFT (4)
+ #define MPI3_IOCFACTS_FLAGS_INITIAL_PORT_ENABLE_NOT_STARTED (0x00000000)
+--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
++++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
+@@ -3158,6 +3158,8 @@ static void mpi3mr_process_factsdata(str
+ mrioc->facts.dma_mask = (facts_flags &
+ MPI3_IOCFACTS_FLAGS_DMA_ADDRESS_WIDTH_MASK) >>
+ MPI3_IOCFACTS_FLAGS_DMA_ADDRESS_WIDTH_SHIFT;
++ mrioc->facts.max_req_limit = (facts_flags &
++ MPI3_IOCFACTS_FLAGS_MAX_REQ_PER_REPLY_QUEUE_LIMIT);
+ mrioc->facts.protocol_flags = facts_data->protocol_flags;
+ mrioc->facts.mpi_version = le32_to_cpu(facts_data->mpi_version.word);
+ mrioc->facts.max_reqs = le16_to_cpu(facts_data->max_outstanding_requests);
--- /dev/null
+From b57fbc88715b6d18f379463f48a15b560b087ffe Mon Sep 17 00:00:00 2001
+From: Tony Battersby <tonyb@cybernetics.com>
+Date: Mon, 10 Nov 2025 10:47:35 -0500
+Subject: scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
+
+From: Tony Battersby <tonyb@cybernetics.com>
+
+commit b57fbc88715b6d18f379463f48a15b560b087ffe upstream.
+
+This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.
+
+The commit being reverted added code to __qla2x00_abort_all_cmds() to
+call sp->done() without holding a spinlock. But unlike the older code
+below it, this new code failed to check sp->cmd_type and just assumed
+TYPE_SRB, which results in a jump to an invalid pointer in target-mode
+with TYPE_TGT_CMD:
+
+qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success
+ 0000000009f7a79b
+qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h
+ mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.
+qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer
+qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event
+ 0x8002 occurred
+qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -
+ ha=0000000058183fda.
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+PF: supervisor instruction fetch in kernel mode
+PF: error_code(0x0010) - not-present page
+PGD 0 P4D 0
+Oops: 0010 [#1] SMP
+CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1
+Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023
+RIP: 0010:0x0
+Code: Unable to access opcode bytes at 0xffffffffffffffd6.
+RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206
+RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000
+RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0
+RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045
+R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40
+R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400
+FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ ? __die+0x4d/0x8b
+ ? page_fault_oops+0x91/0x180
+ ? trace_buffer_unlock_commit_regs+0x38/0x1a0
+ ? exc_page_fault+0x391/0x5e0
+ ? asm_exc_page_fault+0x22/0x30
+ __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]
+ qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]
+ qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]
+ qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]
+ qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]
+ kthread+0xa8/0xd0
+ </TASK>
+
+Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within
+lock") added the spinlock back, because not having the lock caused a
+race and a crash. But qla2x00_abort_srb() in the switch below already
+checks for qla2x00_chip_is_down() and handles it the same way, so the
+code above the switch is now redundant and still buggy in target-mode.
+Remove it.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
+Link: https://patch.msgid.link/3a8022dc-bcfd-4b01-9f9b-7a9ec61fa2a3@cybernetics.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -1862,12 +1862,6 @@ __qla2x00_abort_all_cmds(struct qla_qpai
+ for (cnt = 1; cnt < req->num_outstanding_cmds; cnt++) {
+ sp = req->outstanding_cmds[cnt];
+ if (sp) {
+- if (qla2x00_chip_is_down(vha)) {
+- req->outstanding_cmds[cnt] = NULL;
+- sp->done(sp, res);
+- continue;
+- }
+-
+ switch (sp->cmd_type) {
+ case TYPE_SRB:
+ qla2x00_abort_srb(qp, sp, res, &flags);
--- /dev/null
+From 5053eab38a4c4543522d0c320c639c56a8b59908 Mon Sep 17 00:00:00 2001
+From: Andrey Vatoropin <a.vatoropin@crpt.ru>
+Date: Tue, 18 Nov 2025 08:42:31 +0000
+Subject: scsi: target: Reset t_task_cdb pointer in error case
+
+From: Andrey Vatoropin <a.vatoropin@crpt.ru>
+
+commit 5053eab38a4c4543522d0c320c639c56a8b59908 upstream.
+
+If allocation of cmd->t_task_cdb fails, it remains NULL but is later
+dereferenced in the 'err' path.
+
+In case of error, reset NULL t_task_cdb value to point at the default
+fixed-size buffer.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 9e95fb805dc0 ("scsi: target: Fix NULL pointer dereference")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru>
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Link: https://patch.msgid.link/20251118084014.324940-1-a.vatoropin@crpt.ru
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_transport.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1524,6 +1524,7 @@ target_cmd_init_cdb(struct se_cmd *cmd,
+ if (scsi_command_size(cdb) > sizeof(cmd->__t_task_cdb)) {
+ cmd->t_task_cdb = kzalloc(scsi_command_size(cdb), gfp);
+ if (!cmd->t_task_cdb) {
++ cmd->t_task_cdb = &cmd->__t_task_cdb[0];
+ pr_err("Unable to allocate cmd->t_task_cdb"
+ " %u > sizeof(cmd->__t_task_cdb): %lu ops\n",
+ scsi_command_size(cdb),
--- /dev/null
+From c9f36f04a8a2725172cdf2b5e32363e4addcb14c Mon Sep 17 00:00:00 2001
+From: Seunghwan Baek <sh8267.baek@samsung.com>
+Date: Wed, 10 Dec 2025 15:38:54 +0900
+Subject: scsi: ufs: core: Add ufshcd_update_evt_hist() for UFS suspend error
+
+From: Seunghwan Baek <sh8267.baek@samsung.com>
+
+commit c9f36f04a8a2725172cdf2b5e32363e4addcb14c upstream.
+
+If UFS resume fails, the event history is updated in ufshcd_resume(), but
+there is no code anywhere to record UFS suspend. Therefore, add code to
+record UFS suspend error event history.
+
+Fixes: dd11376b9f1b ("scsi: ufs: Split the drivers/scsi/ufs directory")
+Cc: stable@vger.kernel.org
+Signed-off-by: Seunghwan Baek <sh8267.baek@samsung.com>
+Reviewed-by: Peter Wang <peter.wang@mediatek.com>
+Link: https://patch.msgid.link/20251210063854.1483899-2-sh8267.baek@samsung.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/core/ufshcd.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -10223,7 +10223,7 @@ static int ufshcd_suspend(struct ufs_hba
+ ret = ufshcd_setup_clocks(hba, false);
+ if (ret) {
+ ufshcd_enable_irq(hba);
+- return ret;
++ goto out;
+ }
+ if (ufshcd_is_clkgating_allowed(hba)) {
+ hba->clk_gating.state = CLKS_OFF;
+@@ -10235,6 +10235,9 @@ static int ufshcd_suspend(struct ufs_hba
+ /* Put the host controller in low power mode if possible */
+ ufshcd_hba_vreg_set_lpm(hba);
+ ufshcd_pm_qos_update(hba, false);
++out:
++ if (ret)
++ ufshcd_update_evt_hist(hba, UFS_EVT_SUSPEND_ERR, (u32)ret);
+ return ret;
+ }
+
--- /dev/null
+From f54151148b969fb4b62bec8093d255306d20df30 Mon Sep 17 00:00:00 2001
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+Date: Fri, 19 Dec 2025 16:28:12 +0100
+Subject: serial: core: Fix serial device initialization
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+commit f54151148b969fb4b62bec8093d255306d20df30 upstream.
+
+During restoring sysfs fwnode information the information of_node_reused
+was dropped. This was previously set by device_set_of_node_from_dev().
+Add it back manually
+
+Fixes: 24ec03cc5512 ("serial: core: Restore sysfs fwnode information")
+Cc: stable <stable@kernel.org>
+Suggested-by: Cosmin Tanislav <demonsingur@gmail.com>
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Tested-by: Michael Walle <mwalle@kernel.org>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Tested-by: Cosmin Tanislav <demonsingur@gmail.com>
+Link: https://patch.msgid.link/20251219152813.1893982-1-alexander.stein@ew.tq-group.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/serial_base_bus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/serial/serial_base_bus.c
++++ b/drivers/tty/serial/serial_base_bus.c
+@@ -74,6 +74,7 @@ static int serial_base_device_init(struc
+ dev->parent = parent_dev;
+ dev->bus = &serial_base_bus_type;
+ dev->release = release;
++ dev->of_node_reused = true;
+
+ device_set_node(dev, fwnode_handle_get(dev_fwnode(parent_dev)));
+
--- /dev/null
+From 24ec03cc55126b7b3adf102f4b3d9f716532b329 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Thu, 27 Nov 2025 17:36:50 +0100
+Subject: serial: core: Restore sysfs fwnode information
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 24ec03cc55126b7b3adf102f4b3d9f716532b329 upstream.
+
+The change that restores sysfs fwnode information does it only for OF cases.
+Update the fix to cover all possible types of fwnodes.
+
+Fixes: d36f0e9a0002 ("serial: core: restore of_node information in sysfs")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://patch.msgid.link/20251127163650.2942075-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/serial_base_bus.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/serial/serial_base_bus.c
++++ b/drivers/tty/serial/serial_base_bus.c
+@@ -13,7 +13,7 @@
+ #include <linux/device.h>
+ #include <linux/idr.h>
+ #include <linux/module.h>
+-#include <linux/of.h>
++#include <linux/property.h>
+ #include <linux/serial_core.h>
+ #include <linux/slab.h>
+ #include <linux/spinlock.h>
+@@ -60,6 +60,7 @@ void serial_base_driver_unregister(struc
+ driver_unregister(driver);
+ }
+
++/* On failure the caller must put device @dev with put_device() */
+ static int serial_base_device_init(struct uart_port *port,
+ struct device *dev,
+ struct device *parent_dev,
+@@ -73,7 +74,8 @@ static int serial_base_device_init(struc
+ dev->parent = parent_dev;
+ dev->bus = &serial_base_bus_type;
+ dev->release = release;
+- device_set_of_node_from_dev(dev, parent_dev);
++
++ device_set_node(dev, fwnode_handle_get(dev_fwnode(parent_dev)));
+
+ if (!serial_base_initialized) {
+ dev_dbg(port->dev, "uart_add_one_port() called before arch_initcall()?\n");
+@@ -94,7 +96,7 @@ static void serial_base_ctrl_release(str
+ {
+ struct serial_ctrl_device *ctrl_dev = to_serial_base_ctrl_device(dev);
+
+- of_node_put(dev->of_node);
++ fwnode_handle_put(dev_fwnode(dev));
+ kfree(ctrl_dev);
+ }
+
+@@ -142,7 +144,7 @@ static void serial_base_port_release(str
+ {
+ struct serial_port_device *port_dev = to_serial_base_port_device(dev);
+
+- of_node_put(dev->of_node);
++ fwnode_handle_put(dev_fwnode(dev));
+ kfree(port_dev);
+ }
+
--- /dev/null
+From c3ca8a0aac832fe8047608bb2ae2cca314c6d717 Mon Sep 17 00:00:00 2001
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Date: Wed, 17 Dec 2025 15:57:59 +0200
+Subject: serial: sh-sci: Check that the DMA cookie is valid
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+commit c3ca8a0aac832fe8047608bb2ae2cca314c6d717 upstream.
+
+The driver updates struct sci_port::tx_cookie to zero right before the TX
+work is scheduled, or to -EINVAL when DMA is disabled.
+dma_async_is_complete(), called through dma_cookie_status() (and possibly
+through dmaengine_tx_status()), considers cookies valid only if they have
+values greater than or equal to 1.
+
+Passing zero or -EINVAL to dmaengine_tx_status() before any TX DMA
+transfer has started leads to an incorrect TX status being reported, as the
+cookie is invalid for the DMA subsystem. This may cause long wait times
+when the serial device is opened for configuration before any TX activity
+has occurred.
+
+Check that the TX cookie is valid before passing it to
+dmaengine_tx_status().
+
+Fixes: 7cc0e0a43a91 ("serial: sh-sci: Check if TX data was written to device in .tx_empty()")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Link: https://patch.msgid.link/20251217135759.402015-1-claudiu.beznea.uj@bp.renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sh-sci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -1740,7 +1740,7 @@ static void sci_dma_check_tx_occurred(st
+ struct dma_tx_state state;
+ enum dma_status status;
+
+- if (!s->chan_tx)
++ if (!s->chan_tx || s->cookie_tx <= 0)
+ return;
+
+ status = dmaengine_tx_status(s->chan_tx, s->cookie_tx, &state);
--- /dev/null
+From 267ee93c417e685d9f8e079e41c70ba6ee4df5a5 Mon Sep 17 00:00:00 2001
+From: "j.turek" <jakub.turek@elsta.tech>
+Date: Sun, 21 Dec 2025 11:32:21 +0100
+Subject: serial: xilinx_uartps: fix rs485 delay_rts_after_send
+
+From: j.turek <jakub.turek@elsta.tech>
+
+commit 267ee93c417e685d9f8e079e41c70ba6ee4df5a5 upstream.
+
+RTS line control with delay should be triggered when there is no more
+bytes in kfifo and hardware buffer is empty. Without this patch RTS
+control is scheduled right after feeding hardware buffer and this is too
+early.
+
+RTS line may change state before hardware buffer is empty.
+
+With this patch delayed RTS state change is triggered when function
+cdns_uart_handle_tx is called from cdns_uart_isr on
+CDNS_UART_IXR_TXEMPTY exactly when hardware completed transmission
+
+Fixes: fccc9d9233f9 ("tty: serial: uartps: Add rs485 support to uartps driver")
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/20251221103221.1971125-1-jakub.turek@elsta.tech
+Signed-off-by: Jakub Turek <jakub.turek@elsta.tech>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/xilinx_uartps.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/tty/serial/xilinx_uartps.c
++++ b/drivers/tty/serial/xilinx_uartps.c
+@@ -430,10 +430,17 @@ static void cdns_uart_handle_tx(void *de
+ struct tty_port *tport = &port->state->port;
+ unsigned int numbytes;
+ unsigned char ch;
++ ktime_t rts_delay;
+
+ if (kfifo_is_empty(&tport->xmit_fifo) || uart_tx_stopped(port)) {
+ /* Disable the TX Empty interrupt */
+ writel(CDNS_UART_IXR_TXEMPTY, port->membase + CDNS_UART_IDR);
++ /* Set RTS line after delay */
++ if (cdns_uart->port->rs485.flags & SER_RS485_ENABLED) {
++ cdns_uart->tx_timer.function = &cdns_rs485_rx_callback;
++ rts_delay = ns_to_ktime(cdns_calc_after_tx_delay(cdns_uart));
++ hrtimer_start(&cdns_uart->tx_timer, rts_delay, HRTIMER_MODE_REL);
++ }
+ return;
+ }
+
+@@ -450,13 +457,6 @@ static void cdns_uart_handle_tx(void *de
+
+ /* Enable the TX Empty interrupt */
+ writel(CDNS_UART_IXR_TXEMPTY, cdns_uart->port->membase + CDNS_UART_IER);
+-
+- if (cdns_uart->port->rs485.flags & SER_RS485_ENABLED &&
+- (kfifo_is_empty(&tport->xmit_fifo) || uart_tx_stopped(port))) {
+- hrtimer_update_function(&cdns_uart->tx_timer, cdns_rs485_rx_callback);
+- hrtimer_start(&cdns_uart->tx_timer,
+- ns_to_ktime(cdns_calc_after_tx_delay(cdns_uart)), HRTIMER_MODE_REL);
+- }
+ }
+
+ /**
selftests-mptcp-pm-ensure-unknown-flags-are-ignored.patch
mptcp-schedule-rtx-timer-only-after-pushing-data.patch
mptcp-avoid-deadlock-on-fallback-while-reinjecting.patch
+usb-usb-storage-maintain-minimal-modifications-to-the-bcddevice-range.patch
+media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch
+media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch
+phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch
+usb-ohci-nxp-fix-device-leak-on-probe-failure.patch
+usb-typec-ucsi-huawei-gaokin-add-drm-dependency.patch
+usb-typec-altmodes-displayport-drop-the-device-reference-in-dp_altmode_probe.patch
+usb-lpc32xx_udc-fix-error-handling-in-probe.patch
+usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch
+usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch
+usb-gadget-lpc32xx_udc-fix-clock-imbalance-in-error-path.patch
+usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch
+usb-dwc3-keep-susphy-enabled-during-exit-to-avoid-controller-faults.patch
+usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch
+xhci-dbgtty-fix-device-unregister-fixup.patch
+char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch
+dt-bindings-slimbus-fix-warning-from-example.patch
+intel_th-fix-error-handling-in-intel_th_output_open.patch
+mei-fix-error-handling-in-mei_register.patch
+mei-gsc-add-dependency-on-xe-driver.patch
+serial-core-restore-sysfs-fwnode-information.patch
+serial-core-fix-serial-device-initialization.patch
+serial-xilinx_uartps-fix-rs485-delay_rts_after_send.patch
+serial-sh-sci-check-that-the-dma-cookie-is-valid.patch
+cpuidle-governors-teo-drop-misguided-target-residency-check.patch
+cpufreq-nforce2-fix-reference-count-leak-in-nforce2.patch
+scsi-revert-scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch
+scsi-aic94xx-fix-use-after-free-in-device-removal-path.patch
+nfsd-use-correct-reservation-type-in-nfsd4_scsi_fence_client.patch
+scsi-target-reset-t_task_cdb-pointer-in-error-case.patch
+scsi-mpi3mr-read-missing-iocfacts-flag-for-reply-queue-full-overflow.patch
+scsi-ufs-core-add-ufshcd_update_evt_hist-for-ufs-suspend-error.patch
+f2fs-ensure-node-page-reads-complete-before-f2fs_put_super-finishes.patch
+f2fs-fix-to-avoid-updating-compression-context-during-writeback.patch
+f2fs-fix-to-avoid-potential-deadlock.patch
+f2fs-fix-to-propagate-error-from-f2fs_enable_checkpoint.patch
+f2fs-fix-to-avoid-updating-zero-sized-extent-in-extent-cache.patch
+f2fs-invalidate-dentry-cache-on-failed-whiteout-creation.patch
+f2fs-use-global-inline_xattr_slab-instead-of-per-sb-slab-cache.patch
+f2fs-fix-age-extent-cache-insertion-skip-on-counter-overflow.patch
+f2fs-fix-uninitialized-one_time_gc-in-victim_sel_policy.patch
+f2fs-fix-to-detect-recoverable-inode-during-dryrun-of-find_fsync_dnodes.patch
+f2fs-fix-to-not-account-invalid-blocks-in-get_left_section_blocks.patch
+f2fs-fix-return-value-of-f2fs_recover_fsync_data.patch
--- /dev/null
+From e1003aa7ec9eccdde4c926bd64ef42816ad55f25 Mon Sep 17 00:00:00 2001
+From: Udipto Goswami <udipto.goswami@oss.qualcomm.com>
+Date: Wed, 26 Nov 2025 11:12:21 +0530
+Subject: usb: dwc3: keep susphy enabled during exit to avoid controller faults
+
+From: Udipto Goswami <udipto.goswami@oss.qualcomm.com>
+
+commit e1003aa7ec9eccdde4c926bd64ef42816ad55f25 upstream.
+
+On some platforms, switching USB roles from host to device can trigger
+controller faults due to premature PHY power-down. This occurs when the
+PHY is disabled too early during teardown, causing synchronization
+issues between the PHY and controller.
+
+Keep susphy enabled during dwc3_host_exit() and dwc3_gadget_exit()
+ensures the PHY remains in a low-power state capable of handling
+required commands during role switch.
+
+Cc: stable <stable@kernel.org>
+Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init")
+Suggested-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Signed-off-by: Udipto Goswami <udipto.goswami@oss.qualcomm.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://patch.msgid.link/20251126054221.120638-1-udipto.goswami@oss.qualcomm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/gadget.c | 2 +-
+ drivers/usb/dwc3/host.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -4825,7 +4825,7 @@ void dwc3_gadget_exit(struct dwc3 *dwc)
+ if (!dwc->gadget)
+ return;
+
+- dwc3_enable_susphy(dwc, false);
++ dwc3_enable_susphy(dwc, true);
+ usb_del_gadget(dwc->gadget);
+ dwc3_gadget_free_endpoints(dwc);
+ usb_put_gadget(dwc->gadget);
+--- a/drivers/usb/dwc3/host.c
++++ b/drivers/usb/dwc3/host.c
+@@ -226,7 +226,7 @@ void dwc3_host_exit(struct dwc3 *dwc)
+ if (dwc->sys_wakeup)
+ device_init_wakeup(&dwc->xhci->dev, false);
+
+- dwc3_enable_susphy(dwc, false);
++ dwc3_enable_susphy(dwc, true);
+ platform_device_unregister(dwc->xhci);
+ dwc->xhci = NULL;
+ }
--- /dev/null
+From 3b4961313d31e200c9e974bb1536cdea217f78b5 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Thu, 11 Dec 2025 10:49:36 +0400
+Subject: usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 3b4961313d31e200c9e974bb1536cdea217f78b5 upstream.
+
+When clk_bulk_prepare_enable() fails, the error path jumps to
+err_resetc_assert, skipping clk_bulk_put_all() and leaking the
+clock references acquired by clk_bulk_get_all().
+
+Add err_clk_put_all label to properly release clock resources
+in all error paths.
+
+Found via static analysis and code review.
+
+Fixes: c0c61471ef86 ("usb: dwc3: of-simple: Convert to bulk clk API")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://patch.msgid.link/20251211064937.2360510-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/dwc3-of-simple.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/dwc3/dwc3-of-simple.c
++++ b/drivers/usb/dwc3/dwc3-of-simple.c
+@@ -70,11 +70,11 @@ static int dwc3_of_simple_probe(struct p
+ simple->num_clocks = ret;
+ ret = clk_bulk_prepare_enable(simple->num_clocks, simple->clks);
+ if (ret)
+- goto err_resetc_assert;
++ goto err_clk_put_all;
+
+ ret = of_platform_populate(np, NULL, NULL, dev);
+ if (ret)
+- goto err_clk_put;
++ goto err_clk_disable;
+
+ pm_runtime_set_active(dev);
+ pm_runtime_enable(dev);
+@@ -82,8 +82,9 @@ static int dwc3_of_simple_probe(struct p
+
+ return 0;
+
+-err_clk_put:
++err_clk_disable:
+ clk_bulk_disable_unprepare(simple->num_clocks, simple->clks);
++err_clk_put_all:
+ clk_bulk_put_all(simple->num_clocks, simple->clks);
+
+ err_resetc_assert:
--- /dev/null
+From 782be79e4551550d7a82b1957fc0f7347e6d461f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 18 Dec 2025 16:35:15 +0100
+Subject: usb: gadget: lpc32xx_udc: fix clock imbalance in error path
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 782be79e4551550d7a82b1957fc0f7347e6d461f upstream.
+
+A recent change fixing a device reference leak introduced a clock
+imbalance by reusing an error path so that the clock may be disabled
+before having been enabled.
+
+Note that the clock framework allows for passing in NULL clocks so there
+is no risk for a NULL pointer dereference.
+
+Also drop the bogus I2C client NULL check added by the offending commit
+as the pointer has already been verified to be non-NULL.
+
+Fixes: c84117912bdd ("USB: lpc32xx_udc: Fix error handling in probe")
+Cc: stable@vger.kernel.org
+Cc: Ma Ke <make24@iscas.ac.cn>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
+Link: https://patch.msgid.link/20251218153519.19453-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/lpc32xx_udc.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
++++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
+@@ -3020,7 +3020,7 @@ static int lpc32xx_udc_probe(struct plat
+ pdev->dev.dma_mask = &lpc32xx_usbd_dmamask;
+ retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
+ if (retval)
+- goto i2c_fail;
++ goto err_put_client;
+
+ udc->board = &lpc32xx_usbddata;
+
+@@ -3040,7 +3040,7 @@ static int lpc32xx_udc_probe(struct plat
+ udc->udp_irq[i] = platform_get_irq(pdev, i);
+ if (udc->udp_irq[i] < 0) {
+ retval = udc->udp_irq[i];
+- goto i2c_fail;
++ goto err_put_client;
+ }
+ }
+
+@@ -3048,7 +3048,7 @@ static int lpc32xx_udc_probe(struct plat
+ if (IS_ERR(udc->udp_baseaddr)) {
+ dev_err(udc->dev, "IO map failure\n");
+ retval = PTR_ERR(udc->udp_baseaddr);
+- goto i2c_fail;
++ goto err_put_client;
+ }
+
+ /* Get USB device clock */
+@@ -3056,14 +3056,14 @@ static int lpc32xx_udc_probe(struct plat
+ if (IS_ERR(udc->usb_slv_clk)) {
+ dev_err(udc->dev, "failed to acquire USB device clock\n");
+ retval = PTR_ERR(udc->usb_slv_clk);
+- goto i2c_fail;
++ goto err_put_client;
+ }
+
+ /* Enable USB device clock */
+ retval = clk_prepare_enable(udc->usb_slv_clk);
+ if (retval < 0) {
+ dev_err(udc->dev, "failed to start USB device clock\n");
+- goto i2c_fail;
++ goto err_put_client;
+ }
+
+ /* Setup deferred workqueue data */
+@@ -3165,9 +3165,10 @@ dma_alloc_fail:
+ dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
+ udc->udca_v_base, udc->udca_p_base);
+ i2c_fail:
+- if (udc->isp1301_i2c_client)
+- put_device(&udc->isp1301_i2c_client->dev);
+ clk_disable_unprepare(udc->usb_slv_clk);
++err_put_client:
++ put_device(&udc->isp1301_i2c_client->dev);
++
+ dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval);
+
+ return retval;
+@@ -3195,10 +3196,9 @@ static void lpc32xx_udc_remove(struct pl
+ dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
+ udc->udca_v_base, udc->udca_p_base);
+
+- if (udc->isp1301_i2c_client)
+- put_device(&udc->isp1301_i2c_client->dev);
+-
+ clk_disable_unprepare(udc->usb_slv_clk);
++
++ put_device(&udc->isp1301_i2c_client->dev);
+ }
+
+ #ifdef CONFIG_PM
--- /dev/null
+From c84117912bddd9e5d87e68daf182410c98181407 Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Mon, 15 Dec 2025 10:09:31 +0800
+Subject: USB: lpc32xx_udc: Fix error handling in probe
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit c84117912bddd9e5d87e68daf182410c98181407 upstream.
+
+lpc32xx_udc_probe() acquires an i2c_client reference through
+isp1301_get_client() but fails to release it in both error handling
+paths and the normal removal path. This could result in a reference
+count leak for the I2C device, preventing proper cleanup and potentially
+leading to resource exhaustion. Add put_device() to release the
+reference in the probe failure path and in the remove function.
+
+Calling path: isp1301_get_client() -> of_find_i2c_device_by_node() ->
+i2c_find_device_by_fwnode(). As comments of i2c_find_device_by_fwnode()
+says, 'The user must call put_device(&client->dev) once done with the
+i2c client.'
+
+Found by code review.
+
+Cc: stable <stable@kernel.org>
+Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Link: https://patch.msgid.link/20251215020931.15324-1-make24@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/lpc32xx_udc.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
++++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
+@@ -3020,7 +3020,7 @@ static int lpc32xx_udc_probe(struct plat
+ pdev->dev.dma_mask = &lpc32xx_usbd_dmamask;
+ retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
+ if (retval)
+- return retval;
++ goto i2c_fail;
+
+ udc->board = &lpc32xx_usbddata;
+
+@@ -3038,28 +3038,32 @@ static int lpc32xx_udc_probe(struct plat
+ /* Get IRQs */
+ for (i = 0; i < 4; i++) {
+ udc->udp_irq[i] = platform_get_irq(pdev, i);
+- if (udc->udp_irq[i] < 0)
+- return udc->udp_irq[i];
++ if (udc->udp_irq[i] < 0) {
++ retval = udc->udp_irq[i];
++ goto i2c_fail;
++ }
+ }
+
+ udc->udp_baseaddr = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(udc->udp_baseaddr)) {
+ dev_err(udc->dev, "IO map failure\n");
+- return PTR_ERR(udc->udp_baseaddr);
++ retval = PTR_ERR(udc->udp_baseaddr);
++ goto i2c_fail;
+ }
+
+ /* Get USB device clock */
+ udc->usb_slv_clk = devm_clk_get(&pdev->dev, NULL);
+ if (IS_ERR(udc->usb_slv_clk)) {
+ dev_err(udc->dev, "failed to acquire USB device clock\n");
+- return PTR_ERR(udc->usb_slv_clk);
++ retval = PTR_ERR(udc->usb_slv_clk);
++ goto i2c_fail;
+ }
+
+ /* Enable USB device clock */
+ retval = clk_prepare_enable(udc->usb_slv_clk);
+ if (retval < 0) {
+ dev_err(udc->dev, "failed to start USB device clock\n");
+- return retval;
++ goto i2c_fail;
+ }
+
+ /* Setup deferred workqueue data */
+@@ -3161,6 +3165,8 @@ dma_alloc_fail:
+ dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
+ udc->udca_v_base, udc->udca_p_base);
+ i2c_fail:
++ if (udc->isp1301_i2c_client)
++ put_device(&udc->isp1301_i2c_client->dev);
+ clk_disable_unprepare(udc->usb_slv_clk);
+ dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval);
+
+@@ -3189,6 +3195,9 @@ static void lpc32xx_udc_remove(struct pl
+ dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
+ udc->udca_v_base, udc->udca_p_base);
+
++ if (udc->isp1301_i2c_client)
++ put_device(&udc->isp1301_i2c_client->dev);
++
+ clk_disable_unprepare(udc->usb_slv_clk);
+ }
+
--- /dev/null
+From b4c61e542faf8c9131d69ecfc3ad6de96d1b2ab8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 18 Dec 2025 16:35:17 +0100
+Subject: usb: ohci-nxp: fix device leak on probe failure
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b4c61e542faf8c9131d69ecfc3ad6de96d1b2ab8 upstream.
+
+Make sure to drop the reference taken when looking up the PHY I2C device
+during probe on probe failure (e.g. probe deferral) and on driver
+unbind.
+
+Fixes: 73108aa90cbf ("USB: ohci-nxp: Use isp1301 driver")
+Cc: stable@vger.kernel.org # 3.5
+Reported-by: Ma Ke <make24@iscas.ac.cn>
+Link: https://lore.kernel.org/lkml/20251117013428.21840-1-make24@iscas.ac.cn/
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
+Link: https://patch.msgid.link/20251218153519.19453-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/ohci-nxp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/host/ohci-nxp.c
++++ b/drivers/usb/host/ohci-nxp.c
+@@ -223,6 +223,7 @@ static int ohci_hcd_nxp_probe(struct pla
+ fail_resource:
+ usb_put_hcd(hcd);
+ fail_disable:
++ put_device(&isp1301_i2c_client->dev);
+ isp1301_i2c_client = NULL;
+ return ret;
+ }
+@@ -234,6 +235,7 @@ static void ohci_hcd_nxp_remove(struct p
+ usb_remove_hcd(hcd);
+ ohci_nxp_stop_hc();
+ usb_put_hcd(hcd);
++ put_device(&isp1301_i2c_client->dev);
+ isp1301_i2c_client = NULL;
+ }
+
--- /dev/null
+From 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f Mon Sep 17 00:00:00 2001
+From: Duoming Zhou <duoming@zju.edu.cn>
+Date: Fri, 5 Dec 2025 11:48:31 +0800
+Subject: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+commit 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f upstream.
+
+The delayed work item otg_event is initialized in fsl_otg_conf() and
+scheduled under two conditions:
+1. When a host controller binds to the OTG controller.
+2. When the USB ID pin state changes (cable insertion/removal).
+
+A race condition occurs when the device is removed via fsl_otg_remove():
+the fsl_otg instance may be freed while the delayed work is still pending
+or executing. This leads to use-after-free when the work function
+fsl_otg_event() accesses the already freed memory.
+
+The problematic scenario:
+
+(detach thread) | (delayed work)
+fsl_otg_remove() |
+ kfree(fsl_otg_dev) //FREE| fsl_otg_event()
+ | og = container_of(...) //USE
+ | og-> //USE
+
+Fix this by calling disable_delayed_work_sync() in fsl_otg_remove()
+before deallocating the fsl_otg structure. This ensures the delayed work
+is properly canceled and completes execution prior to memory deallocation.
+
+This bug was identified through static analysis.
+
+Fixes: 0807c500a1a6 ("USB: add Freescale USB OTG Transceiver driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Link: https://patch.msgid.link/20251205034831.12846-1-duoming@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/phy/phy-fsl-usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/phy/phy-fsl-usb.c
++++ b/drivers/usb/phy/phy-fsl-usb.c
+@@ -988,6 +988,7 @@ static void fsl_otg_remove(struct platfo
+ {
+ struct fsl_usb2_platform_data *pdata = dev_get_platdata(&pdev->dev);
+
++ disable_delayed_work_sync(&fsl_otg_dev->otg_event);
+ usb_remove_phy(&fsl_otg_dev->phy);
+ free_irq(fsl_otg_dev->irq, fsl_otg_dev);
+
--- /dev/null
+From b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 18 Dec 2025 16:35:16 +0100
+Subject: usb: phy: isp1301: fix non-OF device reference imbalance
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 upstream.
+
+A recent change fixing a device reference leak in a UDC driver
+introduced a potential use-after-free in the non-OF case as the
+isp1301_get_client() helper only increases the reference count for the
+returned I2C device in the OF case.
+
+Increment the reference count also for non-OF so that the caller can
+decrement it unconditionally.
+
+Note that this is inherently racy just as using the returned I2C device
+is since nothing is preventing the PHY driver from being unbound while
+in use.
+
+Fixes: c84117912bdd ("USB: lpc32xx_udc: Fix error handling in probe")
+Cc: stable@vger.kernel.org
+Cc: Ma Ke <make24@iscas.ac.cn>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
+Link: https://patch.msgid.link/20251218153519.19453-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/phy/phy-isp1301.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/phy/phy-isp1301.c
++++ b/drivers/usb/phy/phy-isp1301.c
+@@ -149,7 +149,12 @@ struct i2c_client *isp1301_get_client(st
+ return client;
+
+ /* non-DT: only one ISP1301 chip supported */
+- return isp1301_i2c_client;
++ if (isp1301_i2c_client) {
++ get_device(&isp1301_i2c_client->dev);
++ return isp1301_i2c_client;
++ }
++
++ return NULL;
+ }
+ EXPORT_SYMBOL_GPL(isp1301_get_client);
+
--- /dev/null
+From 36cc7e09df9e43db21b46519b740145410dd9f4a Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Thu, 4 Dec 2025 21:21:29 +0800
+Subject: usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit 36cc7e09df9e43db21b46519b740145410dd9f4a upstream.
+
+usbhsp_get_pipe() set pipe's flags to IS_USED. In error paths,
+usbhsp_put_pipe() is required to clear pipe's flags to prevent
+pipe exhaustion.
+
+Fixes: f1407d5c6624 ("usb: renesas_usbhs: Add Renesas USBHS common code")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Link: https://patch.msgid.link/20251204132129.109234-1-haoxiang_li2024@163.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/renesas_usbhs/pipe.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/renesas_usbhs/pipe.c
++++ b/drivers/usb/renesas_usbhs/pipe.c
+@@ -713,11 +713,13 @@ struct usbhs_pipe *usbhs_pipe_malloc(str
+ /* make sure pipe is not busy */
+ ret = usbhsp_pipe_barrier(pipe);
+ if (ret < 0) {
++ usbhsp_put_pipe(pipe);
+ dev_err(dev, "pipe setup failed %d\n", usbhs_pipe_number(pipe));
+ return NULL;
+ }
+
+ if (usbhsp_setup_pipecfg(pipe, is_host, dir_in, &pipecfg)) {
++ usbhsp_put_pipe(pipe);
+ dev_err(dev, "can't setup pipe\n");
+ return NULL;
+ }
--- /dev/null
+From 128bb7fab342546352603bde8b49ff54e3af0529 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+Date: Sat, 6 Dec 2025 15:04:45 +0800
+Subject: usb: typec: altmodes/displayport: Drop the device reference in dp_altmode_probe()
+
+From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+
+commit 128bb7fab342546352603bde8b49ff54e3af0529 upstream.
+
+In error paths, call typec_altmode_put_plug() to drop the device reference
+obtained by typec_altmode_get_plug().
+
+Fixes: 71ba4fe56656 ("usb: typec: altmodes/displayport: add SOP' support")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://patch.msgid.link/20251206070445.190770-1-lihaoxiang@isrc.iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/altmodes/displayport.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/typec/altmodes/displayport.c
++++ b/drivers/usb/typec/altmodes/displayport.c
+@@ -764,12 +764,16 @@ int dp_altmode_probe(struct typec_altmod
+ if (!(DP_CAP_PIN_ASSIGN_DFP_D(port->vdo) &
+ DP_CAP_PIN_ASSIGN_UFP_D(alt->vdo)) &&
+ !(DP_CAP_PIN_ASSIGN_UFP_D(port->vdo) &
+- DP_CAP_PIN_ASSIGN_DFP_D(alt->vdo)))
++ DP_CAP_PIN_ASSIGN_DFP_D(alt->vdo))) {
++ typec_altmode_put_plug(plug);
+ return -ENODEV;
++ }
+
+ dp = devm_kzalloc(&alt->dev, sizeof(*dp), GFP_KERNEL);
+- if (!dp)
++ if (!dp) {
++ typec_altmode_put_plug(plug);
+ return -ENOMEM;
++ }
+
+ INIT_WORK(&dp->work, dp_altmode_work);
+ mutex_init(&dp->lock);
--- /dev/null
+From d14cd998e67ba8f1cca52a260a1ce1a60954fd8b Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 4 Dec 2025 11:11:07 +0100
+Subject: usb: typec: ucsi: huawei-gaokin: add DRM dependency
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit d14cd998e67ba8f1cca52a260a1ce1a60954fd8b upstream.
+
+Selecting DRM_AUX_HPD_BRIDGE is not possible from a built-in driver when
+CONFIG_DRM=m:
+
+WARNING: unmet direct dependencies detected for DRM_AUX_HPD_BRIDGE
+ Depends on [m]: HAS_IOMEM [=y] && DRM [=m] && DRM_BRIDGE [=y] && OF [=y]
+ Selected by [y]:
+ - UCSI_HUAWEI_GAOKUN [=y] && USB_SUPPORT [=y] && TYPEC [=y] && TYPEC_UCSI [=y] && EC_HUAWEI_GAOKUN [=y] && DRM_BRIDGE [=y] && OF [=y]
+
+Add the same dependency we have in similar drivers to work around this.
+
+Fixes: 00327d7f2c8c ("usb: typec: ucsi: add Huawei Matebook E Go ucsi driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://patch.msgid.link/20251204101111.1035975-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/typec/ucsi/Kconfig
++++ b/drivers/usb/typec/ucsi/Kconfig
+@@ -96,6 +96,7 @@ config UCSI_LENOVO_YOGA_C630
+ config UCSI_HUAWEI_GAOKUN
+ tristate "UCSI Interface Driver for Huawei Matebook E Go"
+ depends on EC_HUAWEI_GAOKUN
++ depends on DRM || !DRM
+ select DRM_AUX_HPD_BRIDGE if DRM_BRIDGE && OF
+ help
+ This driver enables UCSI support on the Huawei Matebook E Go tablet,
--- /dev/null
+From 0831269b5f71594882accfceb02638124f88955d Mon Sep 17 00:00:00 2001
+From: Chen Changcheng <chenchangcheng@kylinos.cn>
+Date: Thu, 18 Dec 2025 09:23:18 +0800
+Subject: usb: usb-storage: Maintain minimal modifications to the bcdDevice range.
+
+From: Chen Changcheng <chenchangcheng@kylinos.cn>
+
+commit 0831269b5f71594882accfceb02638124f88955d upstream.
+
+We cannot determine which models require the NO_ATA_1X and
+IGNORE_RESIDUE quirks aside from the EL-R12 optical drive device.
+
+Fixes: 955a48a5353f ("usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.")
+Signed-off-by: Chen Changcheng <chenchangcheng@kylinos.cn>
+Link: https://patch.msgid.link/20251218012318.15978-1-chenchangcheng@kylinos.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/unusual_uas.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -98,7 +98,7 @@ UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x01
+ US_FL_NO_ATA_1X),
+
+ /* Reported-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> */
+-UNUSUAL_DEV(0x13fd, 0x3940, 0x0309, 0x0309,
++UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x0309,
+ "Initio Corporation",
+ "INIC-3069",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
--- /dev/null
+From 74098cc06e753d3ffd8398b040a3a1dfb65260c0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=81ukasz=20Bartosik?= <ukaszb@chromium.org>
+Date: Thu, 27 Nov 2025 11:16:44 +0000
+Subject: xhci: dbgtty: fix device unregister: fixup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Łukasz Bartosik <ukaszb@chromium.org>
+
+commit 74098cc06e753d3ffd8398b040a3a1dfb65260c0 upstream.
+
+This fixup replaces tty_vhangup() call with call to
+tty_port_tty_vhangup(). Both calls hangup tty device
+synchronously however tty_port_tty_vhangup() increases
+reference count during the hangup operation using
+scoped_guard(tty_port_tty).
+
+Cc: stable <stable@kernel.org>
+Fixes: 1f73b8b56cf3 ("xhci: dbgtty: fix device unregister")
+Signed-off-by: Łukasz Bartosik <ukaszb@chromium.org>
+Link: https://patch.msgid.link/20251127111644.3161386-1-ukaszb@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-dbgtty.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-dbgtty.c
++++ b/drivers/usb/host/xhci-dbgtty.c
+@@ -554,7 +554,7 @@ static void xhci_dbc_tty_unregister_devi
+ * Hang up the TTY. This wakes up any blocked
+ * writers and causes subsequent writes to fail.
+ */
+- tty_vhangup(port->port.tty);
++ tty_port_tty_vhangup(&port->port);
+
+ tty_unregister_device(dbc_tty_driver, port->minor);
+ xhci_dbc_tty_exit_port(port);
projects / thirdparty / kernel / stable-queue.git / commitdiff
