--- /dev/null
+From 3fcfff4ed35f963380a68741bcd52742baff7f76 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Wed, 11 Mar 2026 03:07:35 +0100
+Subject: crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit 3fcfff4ed35f963380a68741bcd52742baff7f76 upstream.
+
+atmel_aes_buff_init() allocates 4 pages using __get_free_pages() with
+ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only the
+first page using free_page(), leaking the remaining 3 pages. Use
+free_pages() with ATMEL_AES_BUFFER_ORDER to fix the memory leak.
+
+Fixes: bbe628ed897d ("crypto: atmel-aes - improve performances of data transfer")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/atmel-aes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/atmel-aes.c
++++ b/drivers/crypto/atmel-aes.c
+@@ -2265,7 +2265,7 @@ static int atmel_aes_buff_init(struct at
+
+ static void atmel_aes_buff_cleanup(struct atmel_aes_dev *dd)
+ {
+- free_page((unsigned long)dd->buf);
++ free_pages((unsigned long)dd->buf, ATMEL_AES_BUFFER_ORDER);
+ }
+
+ static int atmel_aes_dma_init(struct atmel_aes_dev *dd)
--- /dev/null
+From 095d50008d55d13f8fcf1bbeb7c6eba51779bc85 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Fri, 20 Feb 2026 15:03:13 +0100
+Subject: crypto: atmel-ecc - Release client on allocation failure
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit 095d50008d55d13f8fcf1bbeb7c6eba51779bc85 upstream.
+
+Call atmel_ecc_i2c_client_free() to release the I2C client reserved by
+atmel_ecc_i2c_client_alloc() when crypto_alloc_kpp() fails. Otherwise
+->tfm_count will be out of sync.
+
+Fixes: 11105693fa05 ("crypto: atmel-ecc - introduce Microchip / Atmel ECC driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/atmel-ecc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/atmel-ecc.c
++++ b/drivers/crypto/atmel-ecc.c
+@@ -273,6 +273,7 @@ static int atmel_ecdh_init_tfm(struct cr
+ if (IS_ERR(fallback)) {
+ dev_err(&ctx->client->dev, "Failed to allocate transformation for '%s': %ld\n",
+ alg, PTR_ERR(fallback));
++ atmel_ecc_i2c_client_free(ctx->client);
+ return PTR_ERR(fallback);
+ }
+
--- /dev/null
+From c8a9a647532f5c2a04180352693215e24e9dba03 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Sat, 7 Mar 2026 16:31:10 +0100
+Subject: crypto: atmel-tdes - fix DMA sync direction
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit c8a9a647532f5c2a04180352693215e24e9dba03 upstream.
+
+Before DMA output is consumed by the CPU, ->dma_addr_out must be synced
+with dma_sync_single_for_cpu() instead of dma_sync_single_for_device().
+Using the wrong direction can return stale cache data on non-coherent
+platforms.
+
+Fixes: 13802005d8f2 ("crypto: atmel - add Atmel DES/TDES driver")
+Fixes: 1f858040c2f7 ("crypto: atmel-tdes - add support for latest release of the IP (0x700)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/atmel-tdes.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/atmel-tdes.c
++++ b/drivers/crypto/atmel-tdes.c
+@@ -312,8 +312,8 @@ static int atmel_tdes_crypt_pdc_stop(str
+ dma_unmap_sg(dd->dev, dd->out_sg, 1, DMA_FROM_DEVICE);
+ dma_unmap_sg(dd->dev, dd->in_sg, 1, DMA_TO_DEVICE);
+ } else {
+- dma_sync_single_for_device(dd->dev, dd->dma_addr_out,
+- dd->dma_size, DMA_FROM_DEVICE);
++ dma_sync_single_for_cpu(dd->dev, dd->dma_addr_out,
++ dd->dma_size, DMA_FROM_DEVICE);
+
+ /* copy data */
+ count = atmel_tdes_sg_copy(&dd->out_sg, &dd->out_offset,
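Review bot: The same sync-then-copy sequence is written out in both atmel_tdes_crypt_pdc_stop() and atmel_tdes_crypt_dma_stop() (the second hunk), so the wrong direction had to be corrected twice. A comment on the call, e.g. `/* hand the output buffer back to the CPU before copying it out */`, would make the intent checkable at review time. Whether the buffer is given back to the device with dma_sync_single_for_device() before the next transfer is outside these hunks and worth confirming. Both function bodies extend beyond the hunks.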
+@@ -671,8 +671,8 @@ static int atmel_tdes_crypt_dma_stop(str
+ dma_unmap_sg(dd->dev, dd->out_sg, 1, DMA_FROM_DEVICE);
+ dma_unmap_sg(dd->dev, dd->in_sg, 1, DMA_TO_DEVICE);
+ } else {
+- dma_sync_single_for_device(dd->dev, dd->dma_addr_out,
+- dd->dma_size, DMA_FROM_DEVICE);
++ dma_sync_single_for_cpu(dd->dev, dd->dma_addr_out,
++ dd->dma_size, DMA_FROM_DEVICE);
+
+ /* copy data */
+ count = atmel_tdes_sg_copy(&dd->out_sg, &dd->out_offset,
--- /dev/null
+From 02c64052fad03699b9c6d1df2f9b444d17e4ac50 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+Date: Mon, 30 Mar 2026 11:34:02 +0800
+Subject: crypto: ccree - fix a memory leak in cc_mac_digest()
+
+From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+
+commit 02c64052fad03699b9c6d1df2f9b444d17e4ac50 upstream.
+
+Add cc_unmap_result() if cc_map_hash_request_final()
+fails to prevent potential memory leak.
+
+Fixes: 63893811b0fc ("crypto: ccree - add ahash support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/ccree/cc_hash.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/ccree/cc_hash.c
++++ b/drivers/crypto/ccree/cc_hash.c
+@@ -1448,6 +1448,7 @@ static int cc_mac_digest(struct ahash_re
+ if (cc_map_hash_request_final(ctx->drvdata, state, req->src,
+ req->nbytes, 1, flags)) {
+ dev_err(dev, "map_ahash_request_final() failed\n");
++ cc_unmap_result(dev, state, digestsize, req->result);
+ cc_unmap_req(dev, state, ctx);
+ return -ENOMEM;
+ }
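Review bot: The added `cc_unmap_result(dev, state, digestsize, req->result);` passes the caller's result buffer on a failure path. If that helper copies the internal digest buffer into its last argument while unmapping (its body is not on this page), `req->result` is written with a value that was never computed before `-ENOMEM` is returned. Please confirm that this is acceptable for callers, or note it in a comment on the call. cc_mac_digest() starts and ends outside the hunk.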
--- /dev/null
+From 1ee57ab93b75eb59f426aef37b5498a7ffc28278 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Mon, 30 Mar 2026 17:19:32 +0200
+Subject: crypto: hisilicon - Fix dma_unmap_single() direction
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit 1ee57ab93b75eb59f426aef37b5498a7ffc28278 upstream.
+
+The direction used to map the buffer skreq->iv is DMA_TO_DEVICE but it is
+unmapped with direction DMA_BIDIRECTIONAL in the error path.
+
+Change the unmap to match the mapping.
+
+Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Thorsten Blum <thorsten.blum@linux.dev>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/hisilicon/sec/sec_algs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/hisilicon/sec/sec_algs.c
++++ b/drivers/crypto/hisilicon/sec/sec_algs.c
+@@ -844,7 +844,7 @@ err_free_elements:
+ if (crypto_skcipher_ivsize(atfm))
+ dma_unmap_single(info->dev, sec_req->dma_iv,
+ crypto_skcipher_ivsize(atfm),
+- DMA_BIDIRECTIONAL);
++ DMA_TO_DEVICE);
+ err_unmap_out_sg:
+ if (split)
+ sec_unmap_sg_on_err(skreq->dst, steps, splits_out,
--- /dev/null
+From 4c788c6f921b22f9b6c3f316c4a071c05683e7de Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Sun, 1 Mar 2026 21:10:58 +0800
+Subject: dm mirror: fix integer overflow in create_dirty_log()
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit 4c788c6f921b22f9b6c3f316c4a071c05683e7de upstream.
+
+The argument count calculation in create_dirty_log() performs
+`*args_used = 2 + param_count` before validating against argc. When a
+user provides a param_count close to UINT_MAX via the device mapper
+table string, this unsigned addition wraps around to a small value,
+causing the subsequent `argc < *args_used` check to be bypassed.
+
+The overflowed param_count is then passed as argc to dm_dirty_log_create(),
+where it can cause out-of-bounds reads on the argv array.
+
+Fix by comparing param_count against argc - 2 before performing the
+addition, following the same pattern used by parse_features() in the
+same file. Since argc >= 2 is already guaranteed, the subtraction is
+safe.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-raid1.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-raid1.c
++++ b/drivers/md/dm-raid1.c
+@@ -981,13 +981,13 @@ static struct dm_dirty_log *create_dirty
+ return NULL;
+ }
+
+- *args_used = 2 + param_count;
+-
+- if (argc < *args_used) {
++ if (param_count > argc - 2) {
+ ti->error = "Insufficient mirror log arguments";
+ return NULL;
+ }
+
++ *args_used = 2 + param_count;
++
+ dl = dm_dirty_log_create(argv[0], ti, mirror_flush, param_count,
+ argv + 2);
+ if (!dl) {
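Review bot: `param_count > argc - 2` is only safe because `argc` is at least 2 at this point, and that check sits above the hunk. If `argc` is unsigned, as the description implies, a value below 2 would make the subtraction wrap and let any `param_count` through. A comment on the new test, e.g. `/* argc >= 2 was checked above, so argc - 2 cannot wrap */`, would make that dependency visible to whoever next touches the earlier check. create_dirty_log() starts and ends outside the hunk.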
--- /dev/null
+From 77d059519382bd66283e6a4e83ee186e87e7708f Mon Sep 17 00:00:00 2001
+From: Sohei Koyama <skoyama@ddn.com>
+Date: Mon, 6 Apr 2026 16:48:30 +0900
+Subject: ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
+
+From: Sohei Koyama <skoyama@ddn.com>
+
+commit 77d059519382bd66283e6a4e83ee186e87e7708f upstream.
+
+The commit c8e008b60492 ("ext4: ignore xattrs past end")
+introduced a refcount leak in when block_csum is false.
+
+ext4_xattr_inode_dec_ref_all() calls ext4_get_inode_loc() to
+get iloc.bh, but never releases it with brelse().
+
+Fixes: c8e008b60492 ("ext4: ignore xattrs past end")
+Signed-off-by: Sohei Koyama <skoyama@ddn.com>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
+Reviewed-by: Baokun Li <libaokun@linux.alibaba.com>
+Link: https://patch.msgid.link/20260406074830.8480-1-skoyama@ddn.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/xattr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1108,7 +1108,7 @@ ext4_xattr_inode_dec_ref_all(handle_t *h
+ {
+ struct inode *ea_inode;
+ struct ext4_xattr_entry *entry;
+- struct ext4_iloc iloc;
++ struct ext4_iloc iloc = { .bh = NULL };
+ bool dirty = false;
+ unsigned int ea_ino;
+ int err;
+@@ -1202,6 +1202,8 @@ ext4_xattr_inode_dec_ref_all(handle_t *h
+ ext4_warning_inode(parent,
+ "handle dirty metadata err=%d", err);
+ }
++
++ brelse(iloc.bh);
+ }
+
+ /*
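Review bot: The new `brelse(iloc.bh);` sits at the very end of the function, so it balances the reference only if no path between the two hunks returns early. That part of the body is not visible here and is worth confirming. The call also relies on `iloc.bh` staying NULL when ext4_get_inode_loc() is never reached, which the `{ .bh = NULL }` initializer in the first hunk provides. A comment above the call, such as `/* iloc.bh is only set when !block_csum; brelse(NULL) is a no-op */`, would record that.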
--- /dev/null
+From 5e6de34d82b49cab9d8a42063e9cd0f22a4f31e5 Mon Sep 17 00:00:00 2001
+From: Chen Zhao <chezhao@nvidia.com>
+Date: Sun, 5 Apr 2026 18:44:55 +0300
+Subject: IB/core: Fix zero dmac race in neighbor resolution
+
+From: Chen Zhao <chezhao@nvidia.com>
+
+commit 5e6de34d82b49cab9d8a42063e9cd0f22a4f31e5 upstream.
+
+dst_fetch_ha() checks nud_state without holding the neighbor lock, then
+copies ha under the seqlock. A race in __neigh_update() where nud_state
+is set to NUD_REACHABLE before ha is written allows dst_fetch_ha() to
+read a zero MAC address while the seqlock reports no concurrent writer.
+
+netevent_callback amplifies this by waking ALL pending addr_req workers
+when ANY neighbor becomes NUD_VALID. At scale (N peers resolving ARP
+concurrently), the hit probability scales as N^2, making it near-certain
+for large RDMA workloads.
+
+N(A): neigh_update(A) W(A): addr_resolve(A)
+ | [sleep]
+ | write_lock_bh(&A->lock) |
+ | A->nud_state = NUD_REACHABLE |
+ | // A->ha is still 0 |
+ | [woken by netevent_cb() of
+ | another neighbour]
+ | | dst_fetch_ha(A)
+ | | A->nud_state & NUD_VALID
+ | | read_seqbegin(&A->ha_lock)
+ | | snapshot = A->ha /* 0 */
+ | | read_seqretry(&A->ha_lock)
+ | | return snapshot
+ | seqlock(&A->ha_lock)
+ | A->ha = mac_A /* too late */
+ | sequnlock(&A->ha_lock)
+ | write_unlock_bh(&A->lock)
+
+The incorrect/zero mac is read and programmed in the device QP while it
+was not yet updated. This causes silent packet loss and eventual
+RETRY_EXC_ERR.
+
+Fix by holding the neighbor read lock across the nud_state check and
+ha copy in dst_fetch_ha(), ensuring it synchronizes with
+__neigh_update() which is updating while holding the write lock.
+
+Cc: stable@vger.kernel.org
+Fixes: 92ebb6a0a13a ("IB/cm: Remove now useless rcu_lock in dst_fetch_ha")
+Link: https://patch.msgid.link/r/20260405-fix-dmac-race-v1-1-cfa1ec2ce54a@nvidia.com
+Signed-off-by: Chen Zhao <chezhao@nvidia.com>
+Reviewed-by: Parav Pandit <parav@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/addr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/addr.c
++++ b/drivers/infiniband/core/addr.c
+@@ -322,11 +322,14 @@ static int dst_fetch_ha(const struct dst
+ if (!n)
+ return -ENODATA;
+
++ read_lock_bh(&n->lock);
+ if (!(n->nud_state & NUD_VALID)) {
++ read_unlock_bh(&n->lock);
+ neigh_event_send(n, NULL);
+ ret = -ENODATA;
+ } else {
+ neigh_ha_snapshot(dev_addr->dst_dev_addr, n, dst->dev);
++ read_unlock_bh(&n->lock);
+ }
+
+ neigh_release(n);
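Review bot: The two `read_unlock_bh(&n->lock);` placements carry an ordering constraint that the code does not state. The lock is dropped before `neigh_event_send(n, NULL)` in the invalid branch but held across `neigh_ha_snapshot()` in the valid one. A comment at `read_lock_bh(&n->lock);`, such as `/* pairs with the write lock in __neigh_update(): nud_state and ha must be read together */`, would help, along with a one-line remark that neigh_event_send() has to run unlocked. That is presumably because it takes n->lock itself, which should be confirmed against the neighbour code. dst_fetch_ha() starts and ends outside the hunk.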
--- /dev/null
+From 6a320935fa4293e9e599ec9f85dc9eb3be7029f8 Mon Sep 17 00:00:00 2001
+From: Chia-Ming Chang <chiamingc@synology.com>
+Date: Tue, 24 Feb 2026 17:34:42 +0800
+Subject: inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
+
+From: Chia-Ming Chang <chiamingc@synology.com>
+
+commit 6a320935fa4293e9e599ec9f85dc9eb3be7029f8 upstream.
+
+When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(),
+the error path calls inotify_remove_from_idr() but does not call
+dec_inotify_watches() to undo the preceding inc_inotify_watches().
+This leaks a watch count, and repeated failures can exhaust the
+max_user_watches limit with -ENOSPC even when no watches are active.
+
+Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace
+limits"), the watch count was incremented after fsnotify_add_mark_locked()
+succeeded, so this path was not affected. The conversion moved
+inc_inotify_watches() before the mark insertion without adding the
+corresponding rollback.
+
+Add the missing dec_inotify_watches() call in the error path.
+
+Fixes: 1cce1eea0aff ("inotify: Convert to using per-namespace limits")
+Cc: stable@vger.kernel.org
+Signed-off-by: Chia-Ming Chang <chiamingc@synology.com>
+Signed-off-by: robbieko <robbieko@synology.com>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Link: https://patch.msgid.link/20260224093442.3076294-1-chiamingc@synology.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/notify/inotify/inotify_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/notify/inotify/inotify_user.c
++++ b/fs/notify/inotify/inotify_user.c
+@@ -609,6 +609,7 @@ static int inotify_new_watch(struct fsno
+ if (ret) {
+ /* we failed to get on the inode, get off the idr */
+ inotify_remove_from_idr(group, tmp_i_mark);
++ dec_inotify_watches(group->inotify_data.ucounts);
+ goto out_err;
+ }
+
--- /dev/null
+From 7f9f7c697474268d9ef9479df3ddfe7cdcfbbffc Mon Sep 17 00:00:00 2001
+From: Chia-Ming Chang <chiamingc@synology.com>
+Date: Thu, 2 Apr 2026 14:14:06 +0800
+Subject: md/raid5: fix soft lockup in retry_aligned_read()
+
+From: Chia-Ming Chang <chiamingc@synology.com>
+
+commit 7f9f7c697474268d9ef9479df3ddfe7cdcfbbffc upstream.
+
+When retry_aligned_read() encounters an overlapped stripe, it releases
+the stripe via raid5_release_stripe() which puts it on the lockless
+released_stripes llist. In the next raid5d loop iteration,
+release_stripe_list() drains the stripe onto handle_list (since
+STRIPE_HANDLE is set by the original IO), but retry_aligned_read()
+runs before handle_active_stripes() and removes the stripe from
+handle_list via find_get_stripe() -> list_del_init(). This prevents
+handle_stripe() from ever processing the stripe to resolve the
+overlap, causing an infinite loop and soft lockup.
+
+Fix this by using __release_stripe() with temp_inactive_list instead
+of raid5_release_stripe() in the failure path, so the stripe does not
+go through the released_stripes llist. This allows raid5d to break out
+of its loop, and the overlap will be resolved when the stripe is
+eventually processed by handle_stripe().
+
+Fixes: 773ca82fa1ee ("raid5: make release_stripe lockless")
+Cc: stable@vger.kernel.org
+Signed-off-by: FengWei Shih <dannyshih@synology.com>
+Signed-off-by: Chia-Ming Chang <chiamingc@synology.com>
+Link: https://lore.kernel.org/linux-raid/20260402061406.455755-1-chiamingc@synology.com/
+Signed-off-by: Yu Kuai <yukuai@fnnas.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid5.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -6349,7 +6349,13 @@ static int retry_aligned_read(struct r5
+ }
+
+ if (!add_stripe_bio(sh, raid_bio, dd_idx, 0, 0)) {
+- raid5_release_stripe(sh);
++ int hash;
++
++ spin_lock_irq(&conf->device_lock);
++ hash = sh->hash_lock_index;
++ __release_stripe(conf, sh,
++ &conf->temp_inactive_list[hash]);
++ spin_unlock_irq(&conf->device_lock);
+ conf->retry_read_aligned = raid_bio;
+ conf->retry_read_offset = scnt;
+ return handled;
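Review bot: The reason this failure path must not call raid5_release_stripe() is not recorded at the call site, and the open-coded lock/`__release_stripe()`/unlock sequence looks like something a later cleanup would fold back into the helper. A comment above `spin_lock_irq(&conf->device_lock);` would preserve the reasoning, e.g. `/* bypass released_stripes: raid5d would drain sh back to handle_list and this function would take it off again before handle_stripe() runs */`. Where `temp_inactive_list[hash]` is drained afterwards is outside the hunk and worth confirming. retry_aligned_read() starts and ends outside the hunk.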
--- /dev/null
+From b0cc3ae97e893bf54bbce447f4e9fd2e0b88bff9 Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Sat, 4 Apr 2026 15:44:35 +0800
+Subject: md/raid5: validate payload size before accessing journal metadata
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit b0cc3ae97e893bf54bbce447f4e9fd2e0b88bff9 upstream.
+
+r5c_recovery_analyze_meta_block() and
+r5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a
+journal metadata block using on-disk payload size fields without
+validating them against the remaining space in the metadata block.
+
+A corrupted journal contains payload sizes extending beyond the PAGE_SIZE
+boundary can cause out-of-bounds reads when accessing payload fields or
+computing offsets.
+
+Add bounds validation for each payload type to ensure the full payload
+fits within meta_size before processing.
+
+Fixes: b4c625c67362 ("md/r5cache: r5cache recovery: part 1")
+Cc: stable@vger.kernel.org
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://lore.kernel.org/linux-raid/SYBPR01MB78815E78D829BB86CD7C8015AF5FA@SYBPR01MB7881.ausprd01.prod.outlook.com/
+Signed-off-by: Yu Kuai <yukuai@fnnas.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid5-cache.c | 48 ++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 33 insertions(+), 15 deletions(-)
+
+--- a/drivers/md/raid5-cache.c
++++ b/drivers/md/raid5-cache.c
+@@ -2017,15 +2017,27 @@ r5l_recovery_verify_data_checksum_for_mb
+ return -ENOMEM;
+
+ while (mb_offset < le32_to_cpu(mb->meta_size)) {
++ sector_t payload_len;
++
+ payload = (void *)mb + mb_offset;
+ payload_flush = (void *)mb + mb_offset;
+
+ if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_DATA) {
++ payload_len = sizeof(struct r5l_payload_data_parity) +
++ (sector_t)sizeof(__le32) *
++ (le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
++ if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
++ goto mismatch;
+ if (r5l_recovery_verify_data_checksum(
+ log, ctx, page, log_offset,
+ payload->checksum[0]) < 0)
+ goto mismatch;
+ } else if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_PARITY) {
++ payload_len = sizeof(struct r5l_payload_data_parity) +
++ (sector_t)sizeof(__le32) *
++ (le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
++ if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
++ goto mismatch;
+ if (r5l_recovery_verify_data_checksum(
+ log, ctx, page, log_offset,
+ payload->checksum[0]) < 0)
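Review bot: In both loops `payload->header.type` and `payload->size` are still read before anything checks that the fixed part of the payload lies inside `meta_size`; the `while (mb_offset < le32_to_cpu(mb->meta_size))` condition guarantees only one byte. Because a flush payload advances `mb_offset` by an on-disk byte count, a corrupted block can leave `mb_offset` a few bytes short of `meta_size`, and the type/size reads then run past it. A guard at the top of each loop body would close that, e.g. `if (le32_to_cpu(mb->meta_size) - mb_offset < sizeof(struct r5l_payload_flush)) goto mismatch;` (`return -EINVAL;` in r5c_recovery_analyze_meta_block()). This assumes r5l_payload_flush is the smaller of the two payload structs and that `meta_size` is already capped at the block size outside these hunks. The DATA and PARITY branches in this hunk also compute `payload_len` with identical expressions and could share one assignment.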
+@@ -2038,22 +2050,18 @@ r5l_recovery_verify_data_checksum_for_mb
+ payload->checksum[1]) < 0)
+ goto mismatch;
+ } else if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
+- /* nothing to do for R5LOG_PAYLOAD_FLUSH here */
++ payload_len = sizeof(struct r5l_payload_flush) +
++ (sector_t)le32_to_cpu(payload_flush->size);
++ if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
++ goto mismatch;
+ } else /* not R5LOG_PAYLOAD_DATA/PARITY/FLUSH */
+ goto mismatch;
+
+- if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
+- mb_offset += sizeof(struct r5l_payload_flush) +
+- le32_to_cpu(payload_flush->size);
+- } else {
+- /* DATA or PARITY payload */
++ if (le16_to_cpu(payload->header.type) != R5LOG_PAYLOAD_FLUSH) {
+ log_offset = r5l_ring_add(log, log_offset,
+ le32_to_cpu(payload->size));
+- mb_offset += sizeof(struct r5l_payload_data_parity) +
+- sizeof(__le32) *
+- (le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
+ }
+-
++ mb_offset += payload_len;
+ }
+
+ put_page(page);
+@@ -2104,6 +2112,7 @@ r5c_recovery_analyze_meta_block(struct r
+ log_offset = r5l_ring_add(log, ctx->pos, BLOCK_SECTORS);
+
+ while (mb_offset < le32_to_cpu(mb->meta_size)) {
++ sector_t payload_len;
+ int dd;
+
+ payload = (void *)mb + mb_offset;
+@@ -2112,6 +2121,12 @@ r5c_recovery_analyze_meta_block(struct r
+ if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
+ int i, count;
+
++ payload_len = sizeof(struct r5l_payload_flush) +
++ (sector_t)le32_to_cpu(payload_flush->size);
++ if (mb_offset + payload_len >
++ le32_to_cpu(mb->meta_size))
++ return -EINVAL;
++
+ count = le32_to_cpu(payload_flush->size) / sizeof(__le64);
+ for (i = 0; i < count; ++i) {
+ stripe_sect = le64_to_cpu(payload_flush->flush_stripes[i]);
+@@ -2125,12 +2140,17 @@ r5c_recovery_analyze_meta_block(struct r
+ }
+ }
+
+- mb_offset += sizeof(struct r5l_payload_flush) +
+- le32_to_cpu(payload_flush->size);
++ mb_offset += payload_len;
+ continue;
+ }
+
+ /* DATA or PARITY payload */
++ payload_len = sizeof(struct r5l_payload_data_parity) +
++ (sector_t)sizeof(__le32) *
++ (le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
++ if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
++ return -EINVAL;
++
+ stripe_sect = (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_DATA) ?
+ raid5_compute_sector(
+ conf, le64_to_cpu(payload->location), 0, &dd,
+@@ -2195,9 +2215,7 @@ r5c_recovery_analyze_meta_block(struct r
+ log_offset = r5l_ring_add(log, log_offset,
+ le32_to_cpu(payload->size));
+
+- mb_offset += sizeof(struct r5l_payload_data_parity) +
+- sizeof(__le32) *
+- (le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
++ mb_offset += payload_len;
+ }
+
+ return 0;
io_uring-poll-fix-epoll_uring_wake-sometimes-not-bei.patch-12437
io_uring-poll-fix-backport-of-io_poll_add-changes.patch-11453
mtd-docg3-fix-use-after-free-in-docg3_release.patch
+ext4-fix-missing-brelse-in-ext4_xattr_inode_dec_ref_all.patch
+md-raid5-fix-soft-lockup-in-retry_aligned_read.patch
+md-raid5-validate-payload-size-before-accessing-journal-metadata.patch
+inotify-fix-watch-count-leak-when-fsnotify_add_inode_mark_locked-fails.patch
+taskstats-set-version-in-tgid-exit-notifications.patch
+crypto-atmel-aes-fix-3-page-memory-leak-in-atmel_aes_buff_cleanup.patch
+crypto-atmel-ecc-release-client-on-allocation-failure.patch
+crypto-hisilicon-fix-dma_unmap_single-direction.patch
+crypto-ccree-fix-a-memory-leak-in-cc_mac_digest.patch
+crypto-atmel-tdes-fix-dma-sync-direction.patch
+dm-mirror-fix-integer-overflow-in-create_dirty_log.patch
+ib-core-fix-zero-dmac-race-in-neighbor-resolution.patch
--- /dev/null
+From 16c4f0211aaa1ec1422b11b59f64f1abe9009fc0 Mon Sep 17 00:00:00 2001
+From: Yiyang Chen <cyyzero16@gmail.com>
+Date: Mon, 30 Mar 2026 03:00:40 +0800
+Subject: taskstats: set version in TGID exit notifications
+
+From: Yiyang Chen <cyyzero16@gmail.com>
+
+commit 16c4f0211aaa1ec1422b11b59f64f1abe9009fc0 upstream.
+
+delay accounting started populating taskstats records with a valid version
+field via fill_pid() and fill_tgid().
+
+Later, commit ad4ecbcba728 ("[PATCH] delay accounting taskstats interface
+send tgid once") changed the TGID exit path to send the cached
+signal->stats aggregate directly instead of building the outgoing record
+through fill_tgid(). Unlike fill_tgid(), fill_tgid_exit() only
+accumulates accounting data and never initializes stats->version.
+
+As a result, TGID exit notifications can reach userspace with version == 0
+even though PID exit notifications and TASKSTATS_CMD_GET replies carry a
+valid taskstats version.
+
+This is easy to reproduce with `tools/accounting/getdelays.c`.
+
+I have a small follow-up patch for that tool which:
+
+1. increases the receive buffer/message size so the pid+tgid
+ combined exit notification is not dropped/truncated
+
+2. prints `stats->version`.
+
+With that patch, the reproducer is:
+
+ Terminal 1:
+ ./getdelays -d -v -l -m 0
+
+ Terminal 2:
+ taskset -c 0 python3 -c 'import threading,time; t=threading.Thread(target=time.sleep,args=(0.1,)); t.start(); t.join()'
+
+That produces both PID and TGID exit notifications for the same
+process. The PID exit record reports a valid taskstats version, while
+the TGID exit record reports `version 0`.
+
+
+This patch (of 2):
+
+Set stats->version = TASKSTATS_VERSION after copying the cached TGID
+aggregate into the outgoing netlink payload so all taskstats records are
+self-describing again.
+
+Link: https://lkml.kernel.org/r/ba83d934e59edd431b693607de573eb9ca059309.1774810498.git.cyyzero16@gmail.com
+Fixes: ad4ecbcba728 ("[PATCH] delay accounting taskstats interface send tgid once")
+Signed-off-by: Yiyang Chen <cyyzero16@gmail.com>
+Cc: Balbir Singh <bsingharora@gmail.com>
+Cc: Dr. Thomas Orgis <thomas.orgis@uni-hamburg.de>
+Cc: Fan Yu <fan.yu9@zte.com.cn>
+Cc: Wang Yaxin <wang.yaxin@zte.com.cn>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/taskstats.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/taskstats.c
++++ b/kernel/taskstats.c
+@@ -632,6 +632,7 @@ void taskstats_exit(struct task_struct *
+ goto err;
+
+ memcpy(stats, tsk->signal->stats, sizeof(*stats));
++ stats->version = TASKSTATS_VERSION;
+
+ send:
+ send_cpu_listeners(rep_skb, listeners);