--- /dev/null
+From 4d984b0574ff708e66152763fbfdef24ea40933f Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Wed, 7 Jan 2026 10:01:36 +0100
+Subject: atm: Fix dma_free_coherent() size
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit 4d984b0574ff708e66152763fbfdef24ea40933f upstream.
+
+The size of the buffer is not the same when alloc'd with
+dma_alloc_coherent() in he_init_tpdrq() and freed.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20260107090141.80900-2-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/atm/he.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/atm/he.c
++++ b/drivers/atm/he.c
+@@ -1587,7 +1587,8 @@ he_stop(struct he_dev *he_dev)
+ he_dev->tbrq_base, he_dev->tbrq_phys);
+
+ if (he_dev->tpdrq_base)
+- dma_free_coherent(&he_dev->pci_dev->dev, CONFIG_TBRQ_SIZE * sizeof(struct he_tbrq),
++ dma_free_coherent(&he_dev->pci_dev->dev,
++ CONFIG_TPDRQ_SIZE * sizeof(struct he_tpdrq),
+ he_dev->tpdrq_base, he_dev->tpdrq_phys);
+
+ dma_pool_destroy(he_dev->tpd_pool);
--- /dev/null
+From 7ba0b6461bc4edb3005ea6e00cdae189bcf908a5 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 11 Dec 2025 15:06:26 +0000
+Subject: btrfs: always detect conflicting inodes when logging inode refs
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 7ba0b6461bc4edb3005ea6e00cdae189bcf908a5 upstream.
+
+After rename exchanging (either with the rename exchange operation or
+regular renames in multiple non-atomic steps) two inodes and at least
+one of them is a directory, we can end up with a log tree that contains
+only of the inodes and after a power failure that can result in an attempt
+to delete the other inode when it should not because it was not deleted
+before the power failure. In some case that delete attempt fails when
+the target inode is a directory that contains a subvolume inside it, since
+the log replay code is not prepared to deal with directory entries that
+point to root items (only inode items).
+
+1) We have directories "dir1" (inode A) and "dir2" (inode B) under the
+ same parent directory;
+
+2) We have a file (inode C) under directory "dir1" (inode A);
+
+3) We have a subvolume inside directory "dir2" (inode B);
+
+4) All these inodes were persisted in a past transaction and we are
+ currently at transaction N;
+
+5) We rename the file (inode C), so at btrfs_log_new_name() we update
+ inode C's last_unlink_trans to N;
+
+6) We get a rename exchange for "dir1" (inode A) and "dir2" (inode B),
+ so after the exchange "dir1" is inode B and "dir2" is inode A.
+ During the rename exchange we call btrfs_log_new_name() for inodes
+ A and B, but because they are directories, we don't update their
+ last_unlink_trans to N;
+
+7) An fsync against the file (inode C) is done, and because its inode
+ has a last_unlink_trans with a value of N we log its parent directory
+ (inode A) (through btrfs_log_all_parents(), called from
+ btrfs_log_inode_parent()).
+
+8) So we end up with inode B not logged, which now has the old name
+ of inode A. At copy_inode_items_to_log(), when logging inode A, we
+ did not check if we had any conflicting inode to log because inode
+ A has a generation lower than the current transaction (created in
+ a past transaction);
+
+9) After a power failure, when replaying the log tree, since we find that
+ inode A has a new name that conflicts with the name of inode B in the
+ fs tree, we attempt to delete inode B... this is wrong since that
+ directory was never deleted before the power failure, and because there
+ is a subvolume inside that directory, attempting to delete it will fail
+ since replay_dir_deletes() and btrfs_unlink_inode() are not prepared
+ to deal with dir items that point to roots instead of inodes.
+
+ When that happens the mount fails and we get a stack trace like the
+ following:
+
+ [87.2314] BTRFS info (device dm-0): start tree-log replay
+ [87.2318] BTRFS critical (device dm-0): failed to delete reference to subvol, root 5 inode 256 parent 259
+ [87.2332] ------------[ cut here ]------------
+ [87.2338] BTRFS: Transaction aborted (error -2)
+ [87.2346] WARNING: CPU: 1 PID: 638968 at fs/btrfs/inode.c:4345 __btrfs_unlink_inode+0x416/0x440 [btrfs]
+ [87.2368] Modules linked in: btrfs loop dm_thin_pool (...)
+ [87.2470] CPU: 1 UID: 0 PID: 638968 Comm: mount Tainted: G W 6.18.0-rc7-btrfs-next-218+ #2 PREEMPT(full)
+ [87.2489] Tainted: [W]=WARN
+ [87.2494] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
+ [87.2514] RIP: 0010:__btrfs_unlink_inode+0x416/0x440 [btrfs]
+ [87.2538] Code: c0 89 04 24 (...)
+ [87.2568] RSP: 0018:ffffc0e741f4b9b8 EFLAGS: 00010286
+ [87.2574] RAX: 0000000000000000 RBX: ffff9d3ec8a6cf60 RCX: 0000000000000000
+ [87.2582] RDX: 0000000000000002 RSI: ffffffff84ab45a1 RDI: 00000000ffffffff
+ [87.2591] RBP: ffff9d3ec8a6ef20 R08: 0000000000000000 R09: ffffc0e741f4b840
+ [87.2599] R10: ffff9d45dc1fffa8 R11: 0000000000000003 R12: ffff9d3ee26d77e0
+ [87.2608] R13: ffffc0e741f4ba98 R14: ffff9d4458040800 R15: ffff9d44b6b7ca10
+ [87.2618] FS: 00007f7b9603a840(0000) GS:ffff9d4658982000(0000) knlGS:0000000000000000
+ [87.2629] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [87.2637] CR2: 00007ffc9ec33b98 CR3: 000000011273e003 CR4: 0000000000370ef0
+ [87.2648] Call Trace:
+ [87.2651] <TASK>
+ [87.2654] btrfs_unlink_inode+0x15/0x40 [btrfs]
+ [87.2661] unlink_inode_for_log_replay+0x27/0xf0 [btrfs]
+ [87.2669] check_item_in_log+0x1ea/0x2c0 [btrfs]
+ [87.2676] replay_dir_deletes+0x16b/0x380 [btrfs]
+ [87.2684] fixup_inode_link_count+0x34b/0x370 [btrfs]
+ [87.2696] fixup_inode_link_counts+0x41/0x160 [btrfs]
+ [87.2703] btrfs_recover_log_trees+0x1ff/0x7c0 [btrfs]
+ [87.2711] ? __pfx_replay_one_buffer+0x10/0x10 [btrfs]
+ [87.2719] open_ctree+0x10bb/0x15f0 [btrfs]
+ [87.2726] btrfs_get_tree.cold+0xb/0x16c [btrfs]
+ [87.2734] ? fscontext_read+0x15c/0x180
+ [87.2740] ? rw_verify_area+0x50/0x180
+ [87.2746] vfs_get_tree+0x25/0xd0
+ [87.2750] vfs_cmd_create+0x59/0xe0
+ [87.2755] __do_sys_fsconfig+0x4f6/0x6b0
+ [87.2760] do_syscall_64+0x50/0x1220
+ [87.2764] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ [87.2770] RIP: 0033:0x7f7b9625f4aa
+ [87.2775] Code: 73 01 c3 48 (...)
+ [87.2803] RSP: 002b:00007ffc9ec35b08 EFLAGS: 00000246 ORIG_RAX: 00000000000001af
+ [87.2817] RAX: ffffffffffffffda RBX: 0000558bfa91ac20 RCX: 00007f7b9625f4aa
+ [87.2829] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
+ [87.2842] RBP: 0000558bfa91b120 R08: 0000000000000000 R09: 0000000000000000
+ [87.2854] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+ [87.2864] R13: 00007f7b963f1580 R14: 00007f7b963f326c R15: 00007f7b963d8a23
+ [87.2877] </TASK>
+ [87.2882] ---[ end trace 0000000000000000 ]---
+ [87.2891] BTRFS: error (device dm-0 state A) in __btrfs_unlink_inode:4345: errno=-2 No such entry
+ [87.2904] BTRFS: error (device dm-0 state EAO) in do_abort_log_replay:191: errno=-2 No such entry
+ [87.2915] BTRFS critical (device dm-0 state EAO): log tree (for root 5) leaf currently being processed (slot 7 key (258 12 257)):
+ [87.2929] BTRFS info (device dm-0 state EAO): leaf 30736384 gen 10 total ptrs 7 free space 15712 owner 18446744073709551610
+ [87.2929] BTRFS info (device dm-0 state EAO): refs 3 lock_owner 0 current 638968
+ [87.2929] item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160
+ [87.2929] inode generation 9 transid 10 size 0 nbytes 0
+ [87.2929] block group 0 mode 40755 links 1 uid 0 gid 0
+ [87.2929] rdev 0 sequence 7 flags 0x0
+ [87.2929] atime 1765464494.678070921
+ [87.2929] ctime 1765464494.686606513
+ [87.2929] mtime 1765464494.686606513
+ [87.2929] otime 1765464494.678070921
+ [87.2929] item 1 key (257 INODE_REF 256) itemoff 16109 itemsize 14
+ [87.2929] index 4 name_len 4
+ [87.2929] item 2 key (257 DIR_LOG_INDEX 2) itemoff 16101 itemsize 8
+ [87.2929] dir log end 2
+ [87.2929] item 3 key (257 DIR_LOG_INDEX 3) itemoff 16093 itemsize 8
+ [87.2929] dir log end 18446744073709551615
+ [87.2930] item 4 key (257 DIR_INDEX 3) itemoff 16060 itemsize 33
+ [87.2930] location key (258 1 0) type 1
+ [87.2930] transid 10 data_len 0 name_len 3
+ [87.2930] item 5 key (258 INODE_ITEM 0) itemoff 15900 itemsize 160
+ [87.2930] inode generation 9 transid 10 size 0 nbytes 0
+ [87.2930] block group 0 mode 100644 links 1 uid 0 gid 0
+ [87.2930] rdev 0 sequence 2 flags 0x0
+ [87.2930] atime 1765464494.678456467
+ [87.2930] ctime 1765464494.686606513
+ [87.2930] mtime 1765464494.678456467
+ [87.2930] otime 1765464494.678456467
+ [87.2930] item 6 key (258 INODE_REF 257) itemoff 15887 itemsize 13
+ [87.2930] index 3 name_len 3
+ [87.2930] BTRFS critical (device dm-0 state EAO): log replay failed in unlink_inode_for_log_replay:1045 for root 5, stage 3, with error -2: failed to unlink inode 256 parent dir 259 name subvol root 5
+ [87.2963] BTRFS: error (device dm-0 state EAO) in btrfs_recover_log_trees:7743: errno=-2 No such entry
+ [87.2981] BTRFS: error (device dm-0 state EAO) in btrfs_replay_log:2083: errno=-2 No such entry (Failed to recover log tr
+
+So fix this by changing copy_inode_items_to_log() to always detect if
+there are conflicting inodes for the ref/extref of the inode being logged
+even if the inode was created in a past transaction.
+
+A test case for fstests will follow soon.
+
+CC: stable@vger.kernel.org # 6.1+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -6002,10 +6002,8 @@ again:
+ * and no keys greater than that, so bail out.
+ */
+ break;
+- } else if ((min_key->type == BTRFS_INODE_REF_KEY ||
+- min_key->type == BTRFS_INODE_EXTREF_KEY) &&
+- (inode->generation == trans->transid ||
+- ctx->logging_conflict_inodes)) {
++ } else if (min_key->type == BTRFS_INODE_REF_KEY ||
++ min_key->type == BTRFS_INODE_EXTREF_KEY) {
+ u64 other_ino = 0;
+ u64 other_parent = 0;
+
--- /dev/null
+From 9517d76dd160208b7a432301ce7bec8fc1ddc305 Mon Sep 17 00:00:00 2001
+From: Haotian Zhang <vulab@iscas.ac.cn>
+Date: Mon, 15 Dec 2025 10:01:14 +0800
+Subject: counter: 104-quad-8: Fix incorrect return value in IRQ handler
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+commit 9517d76dd160208b7a432301ce7bec8fc1ddc305 upstream.
+
+quad8_irq_handler() should return irqreturn_t enum values, but it
+directly returns negative errno codes from regmap operations on error.
+
+Return IRQ_NONE if the interrupt status cannot be read. If clearing the
+interrupt fails, return IRQ_HANDLED to prevent the kernel from disabling
+the IRQ line due to a spurious interrupt storm. Also, log these regmap
+failures with dev_WARN_ONCE.
+
+Fixes: 98ffe0252911 ("counter: 104-quad-8: Migrate to the regmap API")
+Suggested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Link: https://lore.kernel.org/r/20251215020114.1913-1-vulab@iscas.ac.cn
+Cc: stable@vger.kernel.org
+Signed-off-by: William Breathitt Gray <wbg@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/counter/104-quad-8.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/counter/104-quad-8.c
++++ b/drivers/counter/104-quad-8.c
+@@ -1192,6 +1192,7 @@ static irqreturn_t quad8_irq_handler(int
+ {
+ struct counter_device *counter = private;
+ struct quad8 *const priv = counter_priv(counter);
++ struct device *dev = counter->parent;
+ unsigned int status;
+ unsigned long irq_status;
+ unsigned long channel;
+@@ -1200,8 +1201,11 @@ static irqreturn_t quad8_irq_handler(int
+ int ret;
+
+ ret = regmap_read(priv->map, QUAD8_INTERRUPT_STATUS, &status);
+- if (ret)
+- return ret;
++ if (ret) {
++ dev_WARN_ONCE(dev, true,
++ "Attempt to read Interrupt Status Register failed: %d\n", ret);
++ return IRQ_NONE;
++ }
+ if (!status)
+ return IRQ_NONE;
+
+@@ -1223,8 +1227,9 @@ static irqreturn_t quad8_irq_handler(int
+ break;
+ default:
+ /* should never reach this path */
+- WARN_ONCE(true, "invalid interrupt trigger function %u configured for channel %lu\n",
+- flg_pins, channel);
++ dev_WARN_ONCE(dev, true,
++ "invalid interrupt trigger function %u configured for channel %lu\n",
++ flg_pins, channel);
+ continue;
+ }
+
+@@ -1232,8 +1237,11 @@ static irqreturn_t quad8_irq_handler(int
+ }
+
+ ret = regmap_write(priv->map, QUAD8_CHANNEL_OPERATION, CLEAR_PENDING_INTERRUPTS);
+- if (ret)
+- return ret;
++ if (ret) {
++ dev_WARN_ONCE(dev, true,
++ "Attempt to clear pending interrupts by writing to Channel Operation Register failed: %d\n", ret);
++ return IRQ_HANDLED;
++ }
+
+ return IRQ_HANDLED;
+ }
--- /dev/null
+From 23f9485510c338476b9735d516c1d4aacb810d46 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Date: Tue, 18 Nov 2025 09:35:48 +0100
+Subject: counter: interrupt-cnt: Drop IRQF_NO_THREAD flag
+
+From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+
+commit 23f9485510c338476b9735d516c1d4aacb810d46 upstream.
+
+An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as
+CONFIG_PROVE_RAW_LOCK_NESTING warns:
+=============================
+[ BUG: Invalid wait context ]
+6.18.0-rc1+git... #1
+-----------------------------
+some-user-space-process/1251 is trying to lock:
+(&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter]
+other info that might help us debug this:
+context-{2:2}
+no locks held by some-user-space-process/....
+stack backtrace:
+CPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPT
+Call trace:
+ show_stack (C)
+ dump_stack_lvl
+ dump_stack
+ __lock_acquire
+ lock_acquire
+ _raw_spin_lock_irqsave
+ counter_push_event [counter]
+ interrupt_cnt_isr [interrupt_cnt]
+ __handle_irq_event_percpu
+ handle_irq_event
+ handle_simple_irq
+ handle_irq_desc
+ generic_handle_domain_irq
+ gpio_irq_handler
+ handle_irq_desc
+ generic_handle_domain_irq
+ gic_handle_irq
+ call_on_irq_stack
+ do_interrupt_handler
+ el0_interrupt
+ __el0_irq_handler_common
+ el0t_64_irq_handler
+ el0t_64_irq
+
+... and Sebastian correctly points out. Remove IRQF_NO_THREAD as an
+alternative to switching to raw_spinlock_t, because the latter would limit
+all potential nested locks to raw_spinlock_t only.
+
+Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20251117151314.xwLAZrWY@linutronix.de/
+Fixes: a55ebd47f21f ("counter: add IRQ or GPIO based counter")
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/r/20251118083603.778626-1-alexander.sverdlin@siemens.com
+Signed-off-by: William Breathitt Gray <wbg@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/counter/interrupt-cnt.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/counter/interrupt-cnt.c
++++ b/drivers/counter/interrupt-cnt.c
+@@ -229,8 +229,7 @@ static int interrupt_cnt_probe(struct pl
+
+ irq_set_status_flags(priv->irq, IRQ_NOAUTOEN);
+ ret = devm_request_irq(dev, priv->irq, interrupt_cnt_isr,
+- IRQF_TRIGGER_RISING | IRQF_NO_THREAD,
+- dev_name(dev), counter);
++ IRQF_TRIGGER_RISING, dev_name(dev), counter);
+ if (ret)
+ return ret;
+
--- /dev/null
+From 0ddd3bb4b14c9102c0267b3fd916c81fe5ab89c1 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Thu, 11 Dec 2025 16:33:44 +0400
+Subject: drm/pl111: Fix error handling in pl111_amba_probe
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 0ddd3bb4b14c9102c0267b3fd916c81fe5ab89c1 upstream.
+
+Jump to the existing dev_put label when devm_request_irq() fails
+so drm_dev_put() and of_reserved_mem_device_release() run
+instead of returning early and leaking resources.
+
+Found via static analysis and code review.
+
+Fixes: bed41005e617 ("drm/pl111: Initial drm/kms driver for pl111")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Linus Walleij <linusw@kernel.org>
+Link: https://patch.msgid.link/20251211123345.2392065-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/pl111/pl111_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/pl111/pl111_drv.c
++++ b/drivers/gpu/drm/pl111/pl111_drv.c
+@@ -294,7 +294,7 @@ static int pl111_amba_probe(struct amba_
+ variant->name, priv);
+ if (ret != 0) {
+ dev_err(dev, "%s failed irq %d\n", __func__, ret);
+- return ret;
++ goto dev_put;
+ }
+
+ ret = pl111_modeset_init(drm);
--- /dev/null
+From 19158c7332468bc28572bdca428e89c7954ee1b1 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 30 Jun 2025 10:47:09 -0400
+Subject: drm/radeon: Remove __counted_by from ClockInfoArray.clockInfo[]
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 19158c7332468bc28572bdca428e89c7954ee1b1 upstream.
+
+clockInfo[] is a generic uchar pointer to variable sized structures
+which vary from ASIC to ASIC.
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4374
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit dc135aa73561b5acc74eadf776e48530996529a3)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/pptable.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/pptable.h
++++ b/drivers/gpu/drm/radeon/pptable.h
+@@ -450,7 +450,7 @@ typedef struct _ClockInfoArray{
+ //sizeof(ATOM_PPLIB_CLOCK_INFO)
+ UCHAR ucEntrySize;
+
+- UCHAR clockInfo[] __counted_by(ucNumEntries);
++ UCHAR clockInfo[] /*__counted_by(ucNumEntries)*/;
+ }ClockInfoArray;
+
+ typedef struct _NonClockInfoArray{
--- /dev/null
+From 20cf2aed89ac6d78a0122e31c875228e15247194 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Date: Tue, 6 Jan 2026 10:00:11 +0100
+Subject: gpio: rockchip: mark the GPIO controller as sleeping
+
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+
+commit 20cf2aed89ac6d78a0122e31c875228e15247194 upstream.
+
+The GPIO controller is configured as non-sleeping but it uses generic
+pinctrl helpers which use a mutex for synchronization.
+
+This can cause the following lockdep splat with shared GPIOs enabled on
+boards which have multiple devices using the same GPIO:
+
+BUG: sleeping function called from invalid context at
+kernel/locking/mutex.c:591
+in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 12, name:
+kworker/u16:0
+preempt_count: 1, expected: 0
+RCU nest depth: 0, expected: 0
+6 locks held by kworker/u16:0/12:
+ #0: ffff0001f0018d48 ((wq_completion)events_unbound#2){+.+.}-{0:0},
+at: process_one_work+0x18c/0x604
+ #1: ffff8000842dbdf0 (deferred_probe_work){+.+.}-{0:0}, at:
+process_one_work+0x1b4/0x604
+ #2: ffff0001f18498f8 (&dev->mutex){....}-{4:4}, at:
+__device_attach+0x38/0x1b0
+ #3: ffff0001f75f1e90 (&gdev->srcu){.+.?}-{0:0}, at:
+gpiod_direction_output_raw_commit+0x0/0x360
+ #4: ffff0001f46e3db8 (&shared_desc->spinlock){....}-{3:3}, at:
+gpio_shared_proxy_direction_output+0xd0/0x144 [gpio_shared_proxy]
+ #5: ffff0001f180ee90 (&gdev->srcu){.+.?}-{0:0}, at:
+gpiod_direction_output_raw_commit+0x0/0x360
+irq event stamp: 81450
+hardirqs last enabled at (81449): [<ffff8000813acba4>]
+_raw_spin_unlock_irqrestore+0x74/0x78
+hardirqs last disabled at (81450): [<ffff8000813abfb8>]
+_raw_spin_lock_irqsave+0x84/0x88
+softirqs last enabled at (79616): [<ffff8000811455fc>]
+__alloc_skb+0x17c/0x1e8
+softirqs last disabled at (79614): [<ffff8000811455fc>]
+__alloc_skb+0x17c/0x1e8
+CPU: 2 UID: 0 PID: 12 Comm: kworker/u16:0 Not tainted
+6.19.0-rc4-next-20260105+ #11975 PREEMPT
+Hardware name: Hardkernel ODROID-M1 (DT)
+Workqueue: events_unbound deferred_probe_work_func
+Call trace:
+ show_stack+0x18/0x24 (C)
+ dump_stack_lvl+0x90/0xd0
+ dump_stack+0x18/0x24
+ __might_resched+0x144/0x248
+ __might_sleep+0x48/0x98
+ __mutex_lock+0x5c/0x894
+ mutex_lock_nested+0x24/0x30
+ pinctrl_get_device_gpio_range+0x44/0x128
+ pinctrl_gpio_direction+0x3c/0xe0
+ pinctrl_gpio_direction_output+0x14/0x20
+ rockchip_gpio_direction_output+0xb8/0x19c
+ gpiochip_direction_output+0x38/0x94
+ gpiod_direction_output_raw_commit+0x1d8/0x360
+ gpiod_direction_output_nonotify+0x7c/0x230
+ gpiod_direction_output+0x34/0xf8
+ gpio_shared_proxy_direction_output+0xec/0x144 [gpio_shared_proxy]
+ gpiochip_direction_output+0x38/0x94
+ gpiod_direction_output_raw_commit+0x1d8/0x360
+ gpiod_direction_output_nonotify+0x7c/0x230
+ gpiod_configure_flags+0xbc/0x480
+ gpiod_find_and_request+0x1a0/0x574
+ gpiod_get_index+0x58/0x84
+ devm_gpiod_get_index+0x20/0xb4
+ devm_gpiod_get_optional+0x18/0x30
+ rockchip_pcie_probe+0x98/0x380
+ platform_probe+0x5c/0xac
+ really_probe+0xbc/0x298
+
+Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio")
+Cc: stable@vger.kernel.org
+Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Closes: https://lore.kernel.org/all/d035fc29-3b03-4cd6-b8ec-001f93540bc6@samsung.com/
+Acked-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20260106090011.21603-1-bartosz.golaszewski@oss.qualcomm.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-rockchip.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpio/gpio-rockchip.c
++++ b/drivers/gpio/gpio-rockchip.c
+@@ -584,6 +584,7 @@ static int rockchip_gpiolib_register(str
+ gc->ngpio = bank->nr_pins;
+ gc->label = bank->name;
+ gc->parent = bank->dev;
++ gc->can_sleep = true;
+
+ ret = gpiochip_add_data(gc, bank);
+ if (ret) {
--- /dev/null
+From 74d74bb78aeccc9edc10db216d6be121cf7ec176 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Tue, 6 Jan 2026 21:20:23 -0800
+Subject: lib/crypto: aes: Fix missing MMU protection for AES S-box
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit 74d74bb78aeccc9edc10db216d6be121cf7ec176 upstream.
+
+__cacheline_aligned puts the data in the ".data..cacheline_aligned"
+section, which isn't marked read-only i.e. it doesn't receive MMU
+protection. Replace it with ____cacheline_aligned which does the right
+thing and just aligns the data while keeping it in ".rodata".
+
+Fixes: b5e0b032b6c3 ("crypto: aes - add generic time invariant AES cipher")
+Cc: stable@vger.kernel.org
+Reported-by: Qingfang Deng <dqfext@gmail.com>
+Closes: https://lore.kernel.org/r/20260105074712.498-1-dqfext@gmail.com/
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Link: https://lore.kernel.org/r/20260107052023.174620-1-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/crypto/aes.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/crypto/aes.c
++++ b/lib/crypto/aes.c
+@@ -12,7 +12,7 @@
+ * Emit the sbox as volatile const to prevent the compiler from doing
+ * constant folding on sbox references involving fixed indexes.
+ */
+-static volatile const u8 __cacheline_aligned aes_sbox[] = {
++static volatile const u8 ____cacheline_aligned aes_sbox[] = {
+ 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
+ 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
+ 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
+@@ -47,7 +47,7 @@ static volatile const u8 __cacheline_ali
+ 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16,
+ };
+
+-static volatile const u8 __cacheline_aligned aes_inv_sbox[] = {
++static volatile const u8 ____cacheline_aligned aes_inv_sbox[] = {
+ 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
+ 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
+ 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
--- /dev/null
+From c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Mon, 5 Jan 2026 19:23:19 +0100
+Subject: libceph: make calc_target() set t->paused, not just clear it
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 upstream.
+
+Currently calc_target() clears t->paused if the request shouldn't be
+paused anymore, but doesn't ever set t->paused even though it's able to
+determine when the request should be paused. Setting t->paused is left
+to __submit_request() which is fine for regular requests but doesn't
+work for linger requests -- since __submit_request() doesn't operate
+on linger requests, there is nowhere for lreq->t.paused to be set.
+One consequence of this is that watches don't get reestablished on
+paused -> unpaused transitions in cases where requests have been paused
+long enough for the (paused) unwatch request to time out and for the
+subsequent (re)watch request to enter the paused state. On top of the
+watch not getting reestablished, rbd_reregister_watch() gets stuck with
+rbd_dev->watch_mutex held:
+
+ rbd_register_watch
+ __rbd_register_watch
+ ceph_osdc_watch
+ linger_reg_commit_wait
+
+It's waiting for lreq->reg_commit_wait to be completed, but for that to
+happen the respective request needs to end up on need_resend_linger list
+and be kicked when requests are unpaused. There is no chance for that
+if the request in question is never marked paused in the first place.
+
+The fact that rbd_dev->watch_mutex remains taken out forever then
+prevents the image from getting unmapped -- "rbd unmap" would inevitably
+hang in D state on an attempt to grab the mutex.
+
+Cc: stable@vger.kernel.org
+Reported-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/osd_client.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/ceph/osd_client.c
++++ b/net/ceph/osd_client.c
+@@ -1611,6 +1611,7 @@ static enum calc_target_result calc_targ
+ struct ceph_pg_pool_info *pi;
+ struct ceph_pg pgid, last_pgid;
+ struct ceph_osds up, acting;
++ bool should_be_paused;
+ bool is_read = t->flags & CEPH_OSD_FLAG_READ;
+ bool is_write = t->flags & CEPH_OSD_FLAG_WRITE;
+ bool force_resend = false;
+@@ -1679,10 +1680,16 @@ static enum calc_target_result calc_targ
+ &last_pgid))
+ force_resend = true;
+
+- if (t->paused && !target_should_be_paused(osdc, t, pi)) {
+- t->paused = false;
++ should_be_paused = target_should_be_paused(osdc, t, pi);
++ if (t->paused && !should_be_paused) {
+ unpaused = true;
+ }
++ if (t->paused != should_be_paused) {
++ dout("%s t %p paused %d -> %d\n", __func__, t, t->paused,
++ should_be_paused);
++ t->paused = should_be_paused;
++ }
++
+ legacy_change = ceph_pg_compare(&t->pgid, &pgid) ||
+ ceph_osds_changed(&t->acting, &acting,
+ t->used_replica || any_change);
--- /dev/null
+From e3fe30e57649c551757a02e1cad073c47e1e075e Mon Sep 17 00:00:00 2001
+From: Tuo Li <islituo@gmail.com>
+Date: Sun, 21 Dec 2025 02:11:49 +0800
+Subject: libceph: make free_choose_arg_map() resilient to partial allocation
+
+From: Tuo Li <islituo@gmail.com>
+
+commit e3fe30e57649c551757a02e1cad073c47e1e075e upstream.
+
+free_choose_arg_map() may dereference a NULL pointer if its caller fails
+after a partial allocation.
+
+For example, in decode_choose_args(), if allocation of arg_map->args
+fails, execution jumps to the fail label and free_choose_arg_map() is
+called. Since arg_map->size is updated to a non-zero value before memory
+allocation, free_choose_arg_map() will iterate over arg_map->args and
+dereference a NULL pointer.
+
+To prevent this potential NULL pointer dereference and make
+free_choose_arg_map() more resilient, add checks for pointers before
+iterating.
+
+Cc: stable@vger.kernel.org
+Co-authored-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Tuo Li <islituo@gmail.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/osdmap.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -241,22 +241,26 @@ static struct crush_choose_arg_map *allo
+
+ static void free_choose_arg_map(struct crush_choose_arg_map *arg_map)
+ {
+- if (arg_map) {
+- int i, j;
++ int i, j;
+
+- WARN_ON(!RB_EMPTY_NODE(&arg_map->node));
++ if (!arg_map)
++ return;
+
++ WARN_ON(!RB_EMPTY_NODE(&arg_map->node));
++
++ if (arg_map->args) {
+ for (i = 0; i < arg_map->size; i++) {
+ struct crush_choose_arg *arg = &arg_map->args[i];
+-
+- for (j = 0; j < arg->weight_set_size; j++)
+- kfree(arg->weight_set[j].weights);
+- kfree(arg->weight_set);
++ if (arg->weight_set) {
++ for (j = 0; j < arg->weight_set_size; j++)
++ kfree(arg->weight_set[j].weights);
++ kfree(arg->weight_set);
++ }
+ kfree(arg->ids);
+ }
+ kfree(arg_map->args);
+- kfree(arg_map);
+ }
++ kfree(arg_map);
+ }
+
+ DEFINE_RB_FUNCS(choose_arg_map, struct crush_choose_arg_map, choose_args_index,
--- /dev/null
+From 818156caffbf55cb4d368f9c3cac64e458fb49c9 Mon Sep 17 00:00:00 2001
+From: ziming zhang <ezrakiez@gmail.com>
+Date: Thu, 11 Dec 2025 16:52:58 +0800
+Subject: libceph: prevent potential out-of-bounds reads in handle_auth_done()
+
+From: ziming zhang <ezrakiez@gmail.com>
+
+commit 818156caffbf55cb4d368f9c3cac64e458fb49c9 upstream.
+
+Perform an explicit bounds check on payload_len to avoid a possible
+out-of-bounds access in the callout.
+
+[ idryomov: changelog ]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: ziming zhang <ezrakiez@gmail.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/messenger_v2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ceph/messenger_v2.c
++++ b/net/ceph/messenger_v2.c
+@@ -2409,7 +2409,9 @@ static int process_auth_done(struct ceph
+
+ ceph_decode_64_safe(&p, end, global_id, bad);
+ ceph_decode_32_safe(&p, end, con->v2.con_mode, bad);
++
+ ceph_decode_32_safe(&p, end, payload_len, bad);
++ ceph_decode_need(&p, end, payload_len, bad);
+
+ dout("%s con %p global_id %llu con_mode %d payload_len %d\n",
+ __func__, con, global_id, con->v2.con_mode, payload_len);
--- /dev/null
+From e00c3f71b5cf75681dbd74ee3f982a99cb690c2b Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Mon, 15 Dec 2025 11:53:31 +0100
+Subject: libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit e00c3f71b5cf75681dbd74ee3f982a99cb690c2b upstream.
+
+If the osdmap is (maliciously) corrupted such that the incremental
+osdmap epoch is different from what is expected, there is no need to
+BUG. Instead, just declare the incremental osdmap to be invalid.
+
+Cc: stable@vger.kernel.org
+Reported-by: ziming zhang <ezrakiez@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/osdmap.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -1979,11 +1979,13 @@ struct ceph_osdmap *osdmap_apply_increme
+ sizeof(u64) + sizeof(u32), e_inval);
+ ceph_decode_copy(p, &fsid, sizeof(fsid));
+ epoch = ceph_decode_32(p);
+- BUG_ON(epoch != map->epoch+1);
+ ceph_decode_copy(p, &modified, sizeof(modified));
+ new_pool_max = ceph_decode_64(p);
+ new_flags = ceph_decode_32(p);
+
++ if (epoch != map->epoch + 1)
++ goto e_inval;
++
+ /* full map? */
+ ceph_decode_32_safe(p, end, len, e_inval);
+ if (len > 0) {
--- /dev/null
+From 11194b416ef95012c2cfe5f546d71af07b639e93 Mon Sep 17 00:00:00 2001
+From: Sam Edwards <cfsworks@gmail.com>
+Date: Tue, 30 Dec 2025 20:05:06 -0800
+Subject: libceph: reset sparse-read state in osd_fault()
+
+From: Sam Edwards <cfsworks@gmail.com>
+
+commit 11194b416ef95012c2cfe5f546d71af07b639e93 upstream.
+
+When a fault occurs, the connection is abandoned, reestablished, and any
+pending operations are retried. The OSD client tracks the progress of a
+sparse-read reply using a separate state machine, largely independent of
+the messenger's state.
+
+If a connection is lost mid-payload or the sparse-read state machine
+returns an error, the sparse-read state is not reset. The OSD client
+will then interpret the beginning of a new reply as the continuation of
+the old one. If this makes the sparse-read machinery enter a failure
+state, it may never recover, producing loops like:
+
+ libceph: [0] got 0 extents
+ libceph: data len 142248331 != extent len 0
+ libceph: osd0 (1)...:6801 socket error on read
+ libceph: data len 142248331 != extent len 0
+ libceph: osd0 (1)...:6801 socket error on read
+
+Therefore, reset the sparse-read state in osd_fault(), ensuring retries
+start from a clean state.
+
+Cc: stable@vger.kernel.org
+Fixes: f628d7999727 ("libceph: add sparse read support to OSD client")
+Signed-off-by: Sam Edwards <CFSworks@gmail.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/osd_client.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ceph/osd_client.c
++++ b/net/ceph/osd_client.c
+@@ -4306,6 +4306,9 @@ static void osd_fault(struct ceph_connec
+ goto out_unlock;
+ }
+
++ osd->o_sparse_op_idx = -1;
++ ceph_init_sparse_read(&osd->o_sparse_read);
++
+ if (!reopen_osd(osd))
+ kick_osd_requests(osd);
+ maybe_request_map(osdc);
--- /dev/null
+From e84b48d31b5008932c0a0902982809fbaa1d3b70 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Mon, 29 Dec 2025 15:14:48 +0100
+Subject: libceph: return the handler error from mon_handle_auth_done()
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit e84b48d31b5008932c0a0902982809fbaa1d3b70 upstream.
+
+Currently any error from ceph_auth_handle_reply_done() is propagated
+via finish_auth() but isn't returned from mon_handle_auth_done(). This
+results in higher layers learning that (despite the monitor considering
+us to be successfully authenticated) something went wrong in the
+authentication phase and reacting accordingly, but msgr2 still trying
+to proceed with establishing the session in the background. In the
+case of secure mode this can trigger a WARN in setup_crypto() and later
+lead to a NULL pointer dereference inside of prepare_auth_signature().
+
+Cc: stable@vger.kernel.org
+Fixes: cd1a677cad99 ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)")
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/mon_client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ceph/mon_client.c
++++ b/net/ceph/mon_client.c
+@@ -1417,7 +1417,7 @@ static int mon_handle_auth_done(struct c
+ if (!ret)
+ finish_hunting(monc);
+ mutex_unlock(&monc->mutex);
+- return 0;
++ return ret;
+ }
+
+ static int mon_handle_auth_bad_method(struct ceph_connection *con,
--- /dev/null
+From 420f423defcf6d0af2263d38da870ca4a20c0990 Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Mon, 15 Dec 2025 12:59:15 +0200
+Subject: mei: me: add nova lake point S DID
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit 420f423defcf6d0af2263d38da870ca4a20c0990 upstream.
+
+Add Nova Lake S device id.
+
+Cc: stable <stable@kernel.org>
+Co-developed-by: Tomas Winkler <tomasw@gmail.com>
+Signed-off-by: Tomas Winkler <tomasw@gmail.com>
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Link: https://patch.msgid.link/20251215105915.1672659-1-alexander.usyskin@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/hw-me-regs.h | 2 ++
+ drivers/misc/mei/pci-me.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -122,6 +122,8 @@
+
+ #define MEI_DEV_ID_WCL_P 0x4D70 /* Wildcat Lake P */
+
++#define MEI_DEV_ID_NVL_S 0x6E68 /* Nova Lake Point S */
++
+ /*
+ * MEI HW Section
+ */
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -129,6 +129,8 @@ static const struct pci_device_id mei_me
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_WCL_P, MEI_ME_PCH15_CFG)},
+
++ {MEI_PCI_DEVICE(MEI_DEV_ID_NVL_S, MEI_ME_PCH15_CFG)},
++
+ /* required last entry */
+ {0, }
+ };
--- /dev/null
+From a4e305ed60f7c41bbf9aabc16dd75267194e0de3 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Tue, 6 Jan 2026 10:47:21 +0100
+Subject: net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit a4e305ed60f7c41bbf9aabc16dd75267194e0de3 upstream.
+
+pdev can be null and free_ring: can be called in 1297 with a null
+pdev.
+
+Fixes: 55c82617c3e8 ("3c59x: convert to generic DMA API")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20260106094731.25819-2-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/3com/3c59x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/3com/3c59x.c
++++ b/drivers/net/ethernet/3com/3c59x.c
+@@ -1473,7 +1473,7 @@ static int vortex_probe1(struct device *
+ return 0;
+
+ free_ring:
+- dma_free_coherent(&pdev->dev,
++ dma_free_coherent(gendev,
+ sizeof(struct boom_rx_desc) * RX_RING_SIZE +
+ sizeof(struct boom_tx_desc) * TX_RING_SIZE,
+ vp->rx_ring, vp->rx_ring_dma);
--- /dev/null
+From e901c7fce59e72d9f3c92733c379849c4034ac50 Mon Sep 17 00:00:00 2001
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Thu, 11 Dec 2025 07:34:34 -0500
+Subject: NFSD: Fix permission check for read access to executable-only files
+
+From: Scott Mayhew <smayhew@redhat.com>
+
+commit e901c7fce59e72d9f3c92733c379849c4034ac50 upstream.
+
+Commit abc02e5602f7 ("NFSD: Support write delegations in LAYOUTGET")
+added NFSD_MAY_OWNER_OVERRIDE to the access flags passed from
+nfsd4_layoutget() to fh_verify(). This causes LAYOUTGET to fail for
+executable-only files, and causes xfstests generic/126 to fail on
+pNFS SCSI.
+
+To allow read access to executable-only files, what we really want is:
+1. The "permissions" portion of the access flags (the lower 6 bits)
+ must be exactly NFSD_MAY_READ
+2. The "hints" portion of the access flags (the upper 26 bits) can
+ contain any combination of NFSD_MAY_OWNER_OVERRIDE and
+ NFSD_MAY_READ_IF_EXEC
+
+Fixes: abc02e5602f7 ("NFSD: Support write delegations in LAYOUTGET")
+Cc: stable@vger.kernel.org # v6.6+
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: NeilBrown <neil@brown.name>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/vfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -2474,8 +2474,8 @@ nfsd_permission(struct svc_rqst *rqstp,
+
+ /* Allow read access to binaries even when mode 111 */
+ if (err == -EACCES && S_ISREG(inode->i_mode) &&
+- (acc == (NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE) ||
+- acc == (NFSD_MAY_READ | NFSD_MAY_READ_IF_EXEC)))
++ (((acc & NFSD_MAY_MASK) == NFSD_MAY_READ) &&
++ (acc & (NFSD_MAY_OWNER_OVERRIDE | NFSD_MAY_READ_IF_EXEC))))
+ err = inode_permission(&nop_mnt_idmap, inode, MAY_EXEC);
+
+ return err? nfserrno(err) : 0;
--- /dev/null
+From 2857bd59feb63fcf40fe4baf55401baea6b4feb4 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neil@brown.name>
+Date: Sat, 13 Dec 2025 13:41:59 -0500
+Subject: nfsd: provide locking for v4_end_grace
+
+From: NeilBrown <neil@brown.name>
+
+commit 2857bd59feb63fcf40fe4baf55401baea6b4feb4 upstream.
+
+Writing to v4_end_grace can race with server shutdown and result in
+memory being accessed after it was freed - reclaim_str_hashtbl in
+particularly.
+
+We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is
+held while client_tracking_op->init() is called and that can wait for
+an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a
+deadlock.
+
+nfsd4_end_grace() is also called by the landromat work queue and this
+doesn't require locking as server shutdown will stop the work and wait
+for it before freeing anything that nfsd4_end_grace() might access.
+
+However, we must be sure that writing to v4_end_grace doesn't restart
+the work item after shutdown has already waited for it. For this we
+add a new flag protected with nn->client_lock. It is set only while it
+is safe to make client tracking calls, and v4_end_grace only schedules
+work while the flag is set with the spinlock held.
+
+So this patch adds a nfsd_net field "client_tracking_active" which is
+set as described. Another field "grace_end_forced", is set when
+v4_end_grace is written. After this is set, and providing
+client_tracking_active is set, the laundromat is scheduled.
+This "grace_end_forced" field bypasses other checks for whether the
+grace period has finished.
+
+This resolves a race which can result in use-after-free.
+
+Reported-by: Li Lingfeng <lilingfeng3@huawei.com>
+Closes: https://lore.kernel.org/linux-nfs/20250623030015.2353515-1-neil@brown.name/T/#t
+Fixes: 7f5ef2e900d9 ("nfsd: add a v4_end_grace file to /proc/fs/nfsd")
+Cc: stable@vger.kernel.org
+Signed-off-by: NeilBrown <neil@brown.name>
+Tested-by: Li Lingfeng <lilingfeng3@huawei.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/netns.h | 2 ++
+ fs/nfsd/nfs4state.c | 42 ++++++++++++++++++++++++++++++++++++++++--
+ fs/nfsd/nfsctl.c | 3 +--
+ fs/nfsd/state.h | 2 +-
+ 4 files changed, 44 insertions(+), 5 deletions(-)
+
+--- a/fs/nfsd/netns.h
++++ b/fs/nfsd/netns.h
+@@ -65,6 +65,8 @@ struct nfsd_net {
+
+ struct lock_manager nfsd4_manager;
+ bool grace_ended;
++ bool grace_end_forced;
++ bool client_tracking_active;
+ time64_t boot_time;
+
+ struct dentry *nfsd_client_dir;
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -84,7 +84,7 @@ static u64 current_sessionid = 1;
+ /* forward declarations */
+ static bool check_for_locks(struct nfs4_file *fp, struct nfs4_lockowner *lowner);
+ static void nfs4_free_ol_stateid(struct nfs4_stid *stid);
+-void nfsd4_end_grace(struct nfsd_net *nn);
++static void nfsd4_end_grace(struct nfsd_net *nn);
+ static void _free_cpntf_state_locked(struct nfsd_net *nn, struct nfs4_cpntf_state *cps);
+ static void nfsd4_file_hash_remove(struct nfs4_file *fi);
+
+@@ -5924,7 +5924,7 @@ nfsd4_renew(struct svc_rqst *rqstp, stru
+ return nfs_ok;
+ }
+
+-void
++static void
+ nfsd4_end_grace(struct nfsd_net *nn)
+ {
+ /* do nothing if grace period already ended */
+@@ -5957,6 +5957,33 @@ nfsd4_end_grace(struct nfsd_net *nn)
+ */
+ }
+
++/**
++ * nfsd4_force_end_grace - forcibly end the NFSv4 grace period
++ * @nn: network namespace for the server instance to be updated
++ *
++ * Forces bypass of normal grace period completion, then schedules
++ * the laundromat to end the grace period immediately. Does not wait
++ * for the grace period to fully terminate before returning.
++ *
++ * Return values:
++ * %true: Grace termination schedule
++ * %false: No action was taken
++ */
++bool nfsd4_force_end_grace(struct nfsd_net *nn)
++{
++ if (!nn->client_tracking_ops)
++ return false;
++ spin_lock(&nn->client_lock);
++ if (nn->grace_ended || !nn->client_tracking_active) {
++ spin_unlock(&nn->client_lock);
++ return false;
++ }
++ WRITE_ONCE(nn->grace_end_forced, true);
++ mod_delayed_work(laundry_wq, &nn->laundromat_work, 0);
++ spin_unlock(&nn->client_lock);
++ return true;
++}
++
+ /*
+ * If we've waited a lease period but there are still clients trying to
+ * reclaim, wait a little longer to give them a chance to finish.
+@@ -5966,6 +5993,8 @@ static bool clients_still_reclaiming(str
+ time64_t double_grace_period_end = nn->boot_time +
+ 2 * nn->nfsd4_lease;
+
++ if (READ_ONCE(nn->grace_end_forced))
++ return false;
+ if (nn->track_reclaim_completes &&
+ atomic_read(&nn->nr_reclaim_complete) ==
+ nn->reclaim_str_hashtbl_size)
+@@ -8197,6 +8226,8 @@ static int nfs4_state_create_net(struct
+ nn->unconf_name_tree = RB_ROOT;
+ nn->boot_time = ktime_get_real_seconds();
+ nn->grace_ended = false;
++ nn->grace_end_forced = false;
++ nn->client_tracking_active = false;
+ nn->nfsd4_manager.block_opens = true;
+ INIT_LIST_HEAD(&nn->nfsd4_manager.list);
+ INIT_LIST_HEAD(&nn->client_lru);
+@@ -8273,6 +8304,10 @@ nfs4_state_start_net(struct net *net)
+ return ret;
+ locks_start_grace(net, &nn->nfsd4_manager);
+ nfsd4_client_tracking_init(net);
++ /* safe for laundromat to run now */
++ spin_lock(&nn->client_lock);
++ nn->client_tracking_active = true;
++ spin_unlock(&nn->client_lock);
+ if (nn->track_reclaim_completes && nn->reclaim_str_hashtbl_size == 0)
+ goto skip_grace;
+ printk(KERN_INFO "NFSD: starting %lld-second grace period (net %x)\n",
+@@ -8319,6 +8354,9 @@ nfs4_state_shutdown_net(struct net *net)
+
+ unregister_shrinker(&nn->nfsd_client_shrinker);
+ cancel_work_sync(&nn->nfsd_shrinker_work);
++ spin_lock(&nn->client_lock);
++ nn->client_tracking_active = false;
++ spin_unlock(&nn->client_lock);
+ cancel_delayed_work_sync(&nn->laundromat_work);
+ locks_end_grace(&nn->nfsd4_manager);
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1110,10 +1110,9 @@ static ssize_t write_v4_end_grace(struct
+ case 'Y':
+ case 'y':
+ case '1':
+- if (!nn->nfsd_serv)
++ if (!nfsd4_force_end_grace(nn))
+ return -EBUSY;
+ trace_nfsd_end_grace(netns(file));
+- nfsd4_end_grace(nn);
+ break;
+ default:
+ return -EINVAL;
+--- a/fs/nfsd/state.h
++++ b/fs/nfsd/state.h
+@@ -717,7 +717,7 @@ static inline void get_nfs4_file(struct
+ struct nfsd_file *find_any_file(struct nfs4_file *f);
+
+ /* grace period management */
+-void nfsd4_end_grace(struct nfsd_net *nn);
++bool nfsd4_force_end_grace(struct nfsd_net *nn);
+
+ /* nfs4recover operations */
+ extern int nfsd4_client_tracking_init(struct net *net);
--- /dev/null
+From ebc18e9854e5a2b62a041fb57b216a903af45b85 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Wed, 26 Nov 2025 13:22:19 +0100
+Subject: pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit ebc18e9854e5a2b62a041fb57b216a903af45b85 upstream.
+
+The gpio_chip settings in this driver say the controller can't sleep
+but it actually uses a mutex for synchronization. This triggers the
+following BUG():
+
+[ 9.233659] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:281
+[ 9.233665] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 554, name: (udev-worker)
+[ 9.233669] preempt_count: 1, expected: 0
+[ 9.233673] RCU nest depth: 0, expected: 0
+[ 9.233688] Tainted: [W]=WARN
+[ 9.233690] Hardware name: Dell Inc. Latitude 7455/0FK7MX, BIOS 2.10.1 05/20/2025
+[ 9.233694] Call trace:
+[ 9.233696] show_stack+0x24/0x38 (C)
+[ 9.233709] dump_stack_lvl+0x40/0x88
+[ 9.233716] dump_stack+0x18/0x24
+[ 9.233722] __might_resched+0x148/0x160
+[ 9.233731] __might_sleep+0x38/0x98
+[ 9.233736] mutex_lock+0x30/0xd8
+[ 9.233749] lpi_config_set+0x2e8/0x3c8 [pinctrl_lpass_lpi]
+[ 9.233757] lpi_gpio_direction_output+0x58/0x90 [pinctrl_lpass_lpi]
+[ 9.233761] gpiod_direction_output_raw_commit+0x110/0x428
+[ 9.233772] gpiod_direction_output_nonotify+0x234/0x358
+[ 9.233779] gpiod_direction_output+0x38/0xd0
+[ 9.233786] gpio_shared_proxy_direction_output+0xb8/0x2a8 [gpio_shared_proxy]
+[ 9.233792] gpiod_direction_output_raw_commit+0x110/0x428
+[ 9.233799] gpiod_direction_output_nonotify+0x234/0x358
+[ 9.233806] gpiod_configure_flags+0x2c0/0x580
+[ 9.233812] gpiod_find_and_request+0x358/0x4f8
+[ 9.233819] gpiod_get_index+0x7c/0x98
+[ 9.233826] devm_gpiod_get+0x34/0xb0
+[ 9.233829] reset_gpio_probe+0x58/0x128 [reset_gpio]
+[ 9.233836] auxiliary_bus_probe+0xb0/0xf0
+[ 9.233845] really_probe+0x14c/0x450
+[ 9.233853] __driver_probe_device+0xb0/0x188
+[ 9.233858] driver_probe_device+0x4c/0x250
+[ 9.233863] __driver_attach+0xf8/0x2a0
+[ 9.233868] bus_for_each_dev+0xf8/0x158
+[ 9.233872] driver_attach+0x30/0x48
+[ 9.233876] bus_add_driver+0x158/0x2b8
+[ 9.233880] driver_register+0x74/0x118
+[ 9.233886] __auxiliary_driver_register+0x94/0xe8
+[ 9.233893] init_module+0x34/0xfd0 [reset_gpio]
+[ 9.233898] do_one_initcall+0xec/0x300
+[ 9.233903] do_init_module+0x64/0x260
+[ 9.233910] load_module+0x16c4/0x1900
+[ 9.233915] __arm64_sys_finit_module+0x24c/0x378
+[ 9.233919] invoke_syscall+0x4c/0xe8
+[ 9.233925] el0_svc_common+0x8c/0xf0
+[ 9.233929] do_el0_svc+0x28/0x40
+[ 9.233934] el0_svc+0x38/0x100
+[ 9.233938] el0t_64_sync_handler+0x84/0x130
+[ 9.233943] el0t_64_sync+0x17c/0x180
+
+Mark the controller as sleeping.
+
+Fixes: 6e261d1090d6 ("pinctrl: qcom: Add sm8250 lpass lpi pinctrl driver")
+Cc: stable@vger.kernel.org
+Reported-by: Val Packett <val@packett.cool>
+Closes: https://lore.kernel.org/all/98c0f185-b0e0-49ea-896c-f3972dd011ca@packett.cool/
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Linus Walleij <linusw@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/qcom/pinctrl-lpass-lpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/qcom/pinctrl-lpass-lpi.c
++++ b/drivers/pinctrl/qcom/pinctrl-lpass-lpi.c
+@@ -464,7 +464,7 @@ int lpi_pinctrl_probe(struct platform_de
+ pctrl->chip.base = -1;
+ pctrl->chip.ngpio = data->npins;
+ pctrl->chip.label = dev_name(dev);
+- pctrl->chip.can_sleep = false;
++ pctrl->chip.can_sleep = true;
+
+ mutex_init(&pctrl->lock);
+
--- /dev/null
+nfsd-fix-permission-check-for-read-access-to-executable-only-files.patch
+nfsd-provide-locking-for-v4_end_grace.patch
+atm-fix-dma_free_coherent-size.patch
+net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch
+btrfs-always-detect-conflicting-inodes-when-logging-inode-refs.patch
+mei-me-add-nova-lake-point-s-did.patch
+lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch
+counter-104-quad-8-fix-incorrect-return-value-in-irq-handler.patch
+counter-interrupt-cnt-drop-irqf_no_thread-flag.patch
+drm-pl111-fix-error-handling-in-pl111_amba_probe.patch
+drm-radeon-remove-__counted_by-from-clockinfoarray.clockinfo.patch
+gpio-rockchip-mark-the-gpio-controller-as-sleeping.patch
+pinctrl-qcom-lpass-lpi-mark-the-gpio-controller-as-sleeping.patch
+wifi-avoid-kernel-infoleak-from-struct-iw_point.patch
+libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch
+libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch
+libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch
+libceph-return-the-handler-error-from-mon_handle_auth_done.patch
+libceph-reset-sparse-read-state-in-osd_fault.patch
+libceph-make-calc_target-set-t-paused-not-just-clear-it.patch
--- /dev/null
+From 21cbf883d073abbfe09e3924466aa5e0449e7261 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 8 Jan 2026 10:19:27 +0000
+Subject: wifi: avoid kernel-infoleak from struct iw_point
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 21cbf883d073abbfe09e3924466aa5e0449e7261 upstream.
+
+struct iw_point has a 32bit hole on 64bit arches.
+
+struct iw_point {
+ void __user *pointer; /* Pointer to the data (in user space) */
+ __u16 length; /* number of fields or size in bytes */
+ __u16 flags; /* Optional params */
+};
+
+Make sure to zero the structure to avoid disclosing 32bits of kernel data
+to user space.
+
+Fixes: 87de87d5e47f ("wext: Dispatch and handle compat ioctls entirely in net/wireless/wext.c")
+Reported-by: syzbot+bfc7323743ca6dbcc3d3@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695f83f3.050a0220.1c677c.0392.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260108101927.857582-1-edumazet@google.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/wext-core.c | 4 ++++
+ net/wireless/wext-priv.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -1103,6 +1103,10 @@ static int compat_standard_call(struct n
+ return ioctl_standard_call(dev, iwr, cmd, info, handler);
+
+ iwp_compat = (struct compat_iw_point *) &iwr->u.data;
++
++ /* struct iw_point has a 32bit hole on 64bit arches. */
++ memset(&iwp, 0, sizeof(iwp));
++
+ iwp.pointer = compat_ptr(iwp_compat->pointer);
+ iwp.length = iwp_compat->length;
+ iwp.flags = iwp_compat->flags;
+--- a/net/wireless/wext-priv.c
++++ b/net/wireless/wext-priv.c
+@@ -228,6 +228,10 @@ int compat_private_call(struct net_devic
+ struct iw_point iwp;
+
+ iwp_compat = (struct compat_iw_point *) &iwr->u.data;
++
++ /* struct iw_point has a 32bit hole on 64bit arches. */
++ memset(&iwp, 0, sizeof(iwp));
++
+ iwp.pointer = compat_ptr(iwp_compat->pointer);
+ iwp.length = iwp_compat->length;
+ iwp.flags = iwp_compat->flags;
projects / thirdparty / kernel / stable-queue.git / commitdiff
