--- /dev/null
+From 2a72545fa7a789e7ebd79c817c6cf92728a69156 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:54 -0700
+Subject: efi/cper: Add a new helper function to print bitmasks
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit a976d790f49499ccaa0f991788ad8ebf92e7fd5c ]
+
+Add a helper function to print a string with names associated
+to each bit field.
+
+A typical example is:
+
+ const char * const bits[] = {
+ "bit 3 name",
+ "bit 4 name",
+ "bit 5 name",
+ };
+ char str[120];
+ unsigned int bitmask = BIT(3) | BIT(5);
+
+ #define MASK GENMASK(5,3)
+
+ cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
+ bits, ARRAY_SIZE(bits));
+
+The above code fills string "str" with "bit 3 name|bit 5 name".
+
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper.c | 60 +++++++++++++++++++++++++++++++++++++
+ include/linux/cper.h | 2 ++
+ 2 files changed, 62 insertions(+)
+
+diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
+index 232c092c4c970..a49868d01808b 100644
+--- a/drivers/firmware/efi/cper.c
++++ b/drivers/firmware/efi/cper.c
+@@ -12,6 +12,7 @@
+ * Specification version 2.4.
+ */
+
++#include <linux/bitmap.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/time.h>
+@@ -105,6 +106,65 @@ void cper_print_bits(const char *pfx, unsigned int bits,
+ printk("%s\n", buf);
+ }
+
++/**
++ * cper_bits_to_str - return a string for set bits
++ * @buf: buffer to store the output string
++ * @buf_size: size of the output string buffer
++ * @bits: bit mask
++ * @strs: string array, indexed by bit position
++ * @strs_size: size of the string array: @strs
++ *
++ * Add to @buf the bitmask in hexadecimal. Then, for each set bit in @bits,
++ * add the corresponding string describing the bit in @strs to @buf.
++ *
++ * A typical example is::
++ *
++ * const char * const bits[] = {
++ * "bit 3 name",
++ * "bit 4 name",
++ * "bit 5 name",
++ * };
++ * char str[120];
++ * unsigned int bitmask = BIT(3) | BIT(5);
++ * #define MASK GENMASK(5,3)
++ *
++ * cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
++ * bits, ARRAY_SIZE(bits));
++ *
++ * The above code fills the string ``str`` with ``bit 3 name|bit 5 name``.
++ *
++ * Return: number of bytes stored or an error code if lower than zero.
++ */
++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
++ const char * const strs[], unsigned int strs_size)
++{
++ int len = buf_size;
++ char *str = buf;
++ int i, size;
++
++ *buf = '\0';
++
++ for_each_set_bit(i, &bits, strs_size) {
++ if (!(bits & BIT_ULL(i)))
++ continue;
++
++ if (*buf && len > 0) {
++ *str = '|';
++ len--;
++ str++;
++ }
++
++ size = strscpy(str, strs[i], len);
++ if (size < 0)
++ return size;
++
++ len -= size;
++ str += size;
++ }
++ return len - buf_size;
++}
++EXPORT_SYMBOL_GPL(cper_bits_to_str);
++
+ static const char * const proc_type_strs[] = {
+ "IA32/X64",
+ "IA64",
+diff --git a/include/linux/cper.h b/include/linux/cper.h
+index 6a511a1078ca0..724a5e3c122d6 100644
+--- a/include/linux/cper.h
++++ b/include/linux/cper.h
+@@ -560,6 +560,8 @@ const char *cper_severity_str(unsigned int);
+ const char *cper_mem_err_type_str(unsigned int);
+ void cper_print_bits(const char *prefix, unsigned int bits,
+ const char * const strs[], unsigned int strs_size);
++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
++ const char * const strs[], unsigned int strs_size);
+ void cper_mem_err_pack(const struct cper_sec_mem_err *,
+ struct cper_mem_err_compact *);
+ const char *cper_mem_err_unpack(struct trace_seq *,
+--
+2.51.0
+
--- /dev/null
+From 37accc429f5df1ed19c24b6aa5921ba2346ff737 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:53 -0700
+Subject: efi/cper: Adjust infopfx size to accept an extra space
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 8ad2c72e21efb3dc76c5b14089fa7984cdd87898 ]
+
+Compiling with W=1 with werror enabled produces an error:
+
+drivers/firmware/efi/cper-arm.c: In function ‘cper_print_proc_arm’:
+drivers/firmware/efi/cper-arm.c:298:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
+ 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
+ | ^
+drivers/firmware/efi/cper-arm.c:298:25: note: ‘snprintf’ output between 2 and 65 bytes into a destination of size 64
+ 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As the logic there adds an space at the end of infopx buffer.
+Add an extra space to avoid such warning.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper-arm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
+index 36d3b8b9da47e..f4b7a48327fbb 100644
+--- a/drivers/firmware/efi/cper-arm.c
++++ b/drivers/firmware/efi/cper-arm.c
+@@ -241,7 +241,7 @@ void cper_print_proc_arm(const char *pfx,
+ int i, len, max_ctx_type;
+ struct cper_arm_err_info *err_info;
+ struct cper_arm_ctx_info *ctx_info;
+- char newpfx[64], infopfx[64];
++ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
+
+ printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
+
+--
+2.51.0
+
--- /dev/null
+From b957b2b8c190f3c7ec31140b8abc48fc9a90bda1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:55 -0700
+Subject: efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 96b010536ee020e716d28d9b359a4bcd18800aeb ]
+
+Up to UEFI spec 2.9, the type byte of CPER struct for ARM processor
+was defined simply as:
+
+Type at byte offset 4:
+
+ - Cache error
+ - TLB Error
+ - Bus Error
+ - Micro-architectural Error
+ All other values are reserved
+
+Yet, there was no information about how this would be encoded.
+
+Spec 2.9A errata corrected it by defining:
+
+ - Bit 1 - Cache Error
+ - Bit 2 - TLB Error
+ - Bit 3 - Bus Error
+ - Bit 4 - Micro-architectural Error
+ All other values are reserved
+
+That actually aligns with the values already defined on older
+versions at N.2.4.1. Generic Processor Error Section.
+
+Spec 2.10 also preserve the same encoding as 2.9A.
+
+Adjust CPER and GHES handling code for both generic and ARM
+processors to properly handle UEFI 2.9A and 2.10 encoding.
+
+Link: https://uefi.org/specs/UEFI/2.10/Apx_N_Common_Platform_Error_Record.html#arm-processor-error-information
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/apei/ghes.c | 16 +++++++----
+ drivers/firmware/efi/cper-arm.c | 50 ++++++++++++++++-----------------
+ include/linux/cper.h | 10 +++----
+ 3 files changed, 39 insertions(+), 37 deletions(-)
+
+diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
+index 250ea9ec5f0c2..bdb23ca251e23 100644
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -22,6 +22,7 @@
+ #include <linux/moduleparam.h>
+ #include <linux/init.h>
+ #include <linux/acpi.h>
++#include <linux/bitfield.h>
+ #include <linux/io.h>
+ #include <linux/interrupt.h>
+ #include <linux/timer.h>
+@@ -500,6 +501,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ {
+ struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata);
+ int flags = sync ? MF_ACTION_REQUIRED : 0;
++ char error_type[120];
+ bool queued = false;
+ int sec_sev, i;
+ char *p;
+@@ -513,9 +515,8 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ p = (char *)(err + 1);
+ for (i = 0; i < err->err_info_num; i++) {
+ struct cper_arm_err_info *err_info = (struct cper_arm_err_info *)p;
+- bool is_cache = (err_info->type == CPER_ARM_CACHE_ERROR);
++ bool is_cache = err_info->type & CPER_ARM_CACHE_ERROR;
+ bool has_pa = (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADDR);
+- const char *error_type = "unknown error";
+
+ /*
+ * The field (err_info->error_info & BIT(26)) is fixed to set to
+@@ -529,12 +530,15 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ continue;
+ }
+
+- if (err_info->type < ARRAY_SIZE(cper_proc_error_type_strs))
+- error_type = cper_proc_error_type_strs[err_info->type];
++ cper_bits_to_str(error_type, sizeof(error_type),
++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
++ cper_proc_error_type_strs,
++ ARRAY_SIZE(cper_proc_error_type_strs));
+
+ pr_warn_ratelimited(FW_WARN GHES_PFX
+- "Unhandled processor error type: %s\n",
+- error_type);
++ "Unhandled processor error type 0x%02x: %s%s\n",
++ err_info->type, error_type,
++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
+ p += err_info->length;
+ }
+
+diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
+index f4b7a48327fbb..ea43589944ba5 100644
+--- a/drivers/firmware/efi/cper-arm.c
++++ b/drivers/firmware/efi/cper-arm.c
+@@ -94,15 +94,11 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
+ bool proc_context_corrupt, corrected, precise_pc, restartable_pc;
+ bool time_out, access_mode;
+
+- /* If the type is unknown, bail. */
+- if (type > CPER_ARM_MAX_TYPE)
+- return;
+-
+ /*
+ * Vendor type errors have error information values that are vendor
+ * specific.
+ */
+- if (type == CPER_ARM_VENDOR_ERROR)
++ if (type & CPER_ARM_VENDOR_ERROR)
+ return;
+
+ if (error_info & CPER_ARM_ERR_VALID_TRANSACTION_TYPE) {
+@@ -117,43 +113,38 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
+ if (error_info & CPER_ARM_ERR_VALID_OPERATION_TYPE) {
+ op_type = ((error_info >> CPER_ARM_ERR_OPERATION_SHIFT)
+ & CPER_ARM_ERR_OPERATION_MASK);
+- switch (type) {
+- case CPER_ARM_CACHE_ERROR:
++ if (type & CPER_ARM_CACHE_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_cache_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%scache error, operation type: %s\n", pfx,
+ arm_cache_err_op_strs[op_type]);
+ }
+- break;
+- case CPER_ARM_TLB_ERROR:
++ }
++ if (type & CPER_ARM_TLB_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_tlb_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%sTLB error, operation type: %s\n", pfx,
+ arm_tlb_err_op_strs[op_type]);
+ }
+- break;
+- case CPER_ARM_BUS_ERROR:
++ }
++ if (type & CPER_ARM_BUS_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_bus_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%sbus error, operation type: %s\n", pfx,
+ arm_bus_err_op_strs[op_type]);
+ }
+- break;
+ }
+ }
+
+ if (error_info & CPER_ARM_ERR_VALID_LEVEL) {
+ level = ((error_info >> CPER_ARM_ERR_LEVEL_SHIFT)
+ & CPER_ARM_ERR_LEVEL_MASK);
+- switch (type) {
+- case CPER_ARM_CACHE_ERROR:
++ if (type & CPER_ARM_CACHE_ERROR)
+ printk("%scache level: %d\n", pfx, level);
+- break;
+- case CPER_ARM_TLB_ERROR:
++
++ if (type & CPER_ARM_TLB_ERROR)
+ printk("%sTLB level: %d\n", pfx, level);
+- break;
+- case CPER_ARM_BUS_ERROR:
++
++ if (type & CPER_ARM_BUS_ERROR)
+ printk("%saffinity level at which the bus error occurred: %d\n",
+ pfx, level);
+- break;
+- }
+ }
+
+ if (error_info & CPER_ARM_ERR_VALID_PROC_CONTEXT_CORRUPT) {
+@@ -242,6 +233,7 @@ void cper_print_proc_arm(const char *pfx,
+ struct cper_arm_err_info *err_info;
+ struct cper_arm_ctx_info *ctx_info;
+ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
++ char error_type[120];
+
+ printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
+
+@@ -290,9 +282,15 @@ void cper_print_proc_arm(const char *pfx,
+ newpfx);
+ }
+
+- printk("%serror_type: %d, %s\n", newpfx, err_info->type,
+- err_info->type < ARRAY_SIZE(cper_proc_error_type_strs) ?
+- cper_proc_error_type_strs[err_info->type] : "unknown");
++ cper_bits_to_str(error_type, sizeof(error_type),
++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
++ cper_proc_error_type_strs,
++ ARRAY_SIZE(cper_proc_error_type_strs));
++
++ printk("%serror_type: 0x%02x: %s%s\n", newpfx, err_info->type,
++ error_type,
++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
++
+ if (err_info->validation_bits & CPER_ARM_INFO_VALID_ERR_INFO) {
+ printk("%serror_info: 0x%016llx\n", newpfx,
+ err_info->error_info);
+diff --git a/include/linux/cper.h b/include/linux/cper.h
+index 724a5e3c122d6..a31e22cc839eb 100644
+--- a/include/linux/cper.h
++++ b/include/linux/cper.h
+@@ -270,11 +270,11 @@ enum {
+ #define CPER_ARM_INFO_FLAGS_PROPAGATED BIT(2)
+ #define CPER_ARM_INFO_FLAGS_OVERFLOW BIT(3)
+
+-#define CPER_ARM_CACHE_ERROR 0
+-#define CPER_ARM_TLB_ERROR 1
+-#define CPER_ARM_BUS_ERROR 2
+-#define CPER_ARM_VENDOR_ERROR 3
+-#define CPER_ARM_MAX_TYPE CPER_ARM_VENDOR_ERROR
++#define CPER_ARM_ERR_TYPE_MASK GENMASK(4,1)
++#define CPER_ARM_CACHE_ERROR BIT(1)
++#define CPER_ARM_TLB_ERROR BIT(2)
++#define CPER_ARM_BUS_ERROR BIT(3)
++#define CPER_ARM_VENDOR_ERROR BIT(4)
+
+ #define CPER_ARM_ERR_VALID_TRANSACTION_TYPE BIT(0)
+ #define CPER_ARM_ERR_VALID_OPERATION_TYPE BIT(1)
+--
+2.51.0
+
--- /dev/null
+From 5415675f40754e79db72a23973787e8c3546ef7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Dec 2025 09:51:59 +0300
+Subject: ocfs2: fix memory leak in ocfs2_merge_rec_left()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 2214ec4bf89d0fd27717322d3983a2f3b469c7f3 ]
+
+In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after
+move, thus allowing 'ocfs2_free_path()' to free it before return.
+
+Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru
+Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2
+Reviewed-by: Heming Zhao <heming.zhao@suse.com>
+Acked-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/alloc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
+index 94c7acfebe183..9f61a6d64cbce 100644
+--- a/fs/ocfs2/alloc.c
++++ b/fs/ocfs2/alloc.c
+@@ -3649,7 +3649,6 @@ static int ocfs2_merge_rec_left(struct ocfs2_path *right_path,
+ * So we use the new rightmost path.
+ */
+ ocfs2_mv_path(right_path, left_path);
+- left_path = NULL;
+ } else
+ ocfs2_complete_edge_insert(handle, left_path,
+ right_path, subtree_index);
+--
+2.51.0
+
arm-9464-1-fix-input-only-operand-modification-in-lo.patch
dm-raid-fix-possible-null-dereference-with-undefined.patch
dm-log-writes-add-missing-set_freezable-for-freezabl.patch
+efi-cper-add-a-new-helper-function-to-print-bitmasks.patch
+efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch
+efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch
+ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch
--- /dev/null
+From 433107503b64b57f27108d4ad58979294ebdf134 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:54 -0700
+Subject: efi/cper: Add a new helper function to print bitmasks
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit a976d790f49499ccaa0f991788ad8ebf92e7fd5c ]
+
+Add a helper function to print a string with names associated
+to each bit field.
+
+A typical example is:
+
+ const char * const bits[] = {
+ "bit 3 name",
+ "bit 4 name",
+ "bit 5 name",
+ };
+ char str[120];
+ unsigned int bitmask = BIT(3) | BIT(5);
+
+ #define MASK GENMASK(5,3)
+
+ cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
+ bits, ARRAY_SIZE(bits));
+
+The above code fills string "str" with "bit 3 name|bit 5 name".
+
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper.c | 60 +++++++++++++++++++++++++++++++++++++
+ include/linux/cper.h | 2 ++
+ 2 files changed, 62 insertions(+)
+
+diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
+index 6ec8edec63296..d0668452dca9e 100644
+--- a/drivers/firmware/efi/cper.c
++++ b/drivers/firmware/efi/cper.c
+@@ -12,6 +12,7 @@
+ * Specification version 2.4.
+ */
+
++#include <linux/bitmap.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/time.h>
+@@ -105,6 +106,65 @@ void cper_print_bits(const char *pfx, unsigned int bits,
+ printk("%s\n", buf);
+ }
+
++/**
++ * cper_bits_to_str - return a string for set bits
++ * @buf: buffer to store the output string
++ * @buf_size: size of the output string buffer
++ * @bits: bit mask
++ * @strs: string array, indexed by bit position
++ * @strs_size: size of the string array: @strs
++ *
++ * Add to @buf the bitmask in hexadecimal. Then, for each set bit in @bits,
++ * add the corresponding string describing the bit in @strs to @buf.
++ *
++ * A typical example is::
++ *
++ * const char * const bits[] = {
++ * "bit 3 name",
++ * "bit 4 name",
++ * "bit 5 name",
++ * };
++ * char str[120];
++ * unsigned int bitmask = BIT(3) | BIT(5);
++ * #define MASK GENMASK(5,3)
++ *
++ * cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
++ * bits, ARRAY_SIZE(bits));
++ *
++ * The above code fills the string ``str`` with ``bit 3 name|bit 5 name``.
++ *
++ * Return: number of bytes stored or an error code if lower than zero.
++ */
++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
++ const char * const strs[], unsigned int strs_size)
++{
++ int len = buf_size;
++ char *str = buf;
++ int i, size;
++
++ *buf = '\0';
++
++ for_each_set_bit(i, &bits, strs_size) {
++ if (!(bits & BIT_ULL(i)))
++ continue;
++
++ if (*buf && len > 0) {
++ *str = '|';
++ len--;
++ str++;
++ }
++
++ size = strscpy(str, strs[i], len);
++ if (size < 0)
++ return size;
++
++ len -= size;
++ str += size;
++ }
++ return len - buf_size;
++}
++EXPORT_SYMBOL_GPL(cper_bits_to_str);
++
+ static const char * const proc_type_strs[] = {
+ "IA32/X64",
+ "IA64",
+diff --git a/include/linux/cper.h b/include/linux/cper.h
+index 6a511a1078ca0..724a5e3c122d6 100644
+--- a/include/linux/cper.h
++++ b/include/linux/cper.h
+@@ -560,6 +560,8 @@ const char *cper_severity_str(unsigned int);
+ const char *cper_mem_err_type_str(unsigned int);
+ void cper_print_bits(const char *prefix, unsigned int bits,
+ const char * const strs[], unsigned int strs_size);
++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
++ const char * const strs[], unsigned int strs_size);
+ void cper_mem_err_pack(const struct cper_sec_mem_err *,
+ struct cper_mem_err_compact *);
+ const char *cper_mem_err_unpack(struct trace_seq *,
+--
+2.51.0
+
--- /dev/null
+From 4c0140f3f7d25cccb8dd1b8b18239c56e64b4551 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:53 -0700
+Subject: efi/cper: Adjust infopfx size to accept an extra space
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 8ad2c72e21efb3dc76c5b14089fa7984cdd87898 ]
+
+Compiling with W=1 with werror enabled produces an error:
+
+drivers/firmware/efi/cper-arm.c: In function ‘cper_print_proc_arm’:
+drivers/firmware/efi/cper-arm.c:298:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
+ 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
+ | ^
+drivers/firmware/efi/cper-arm.c:298:25: note: ‘snprintf’ output between 2 and 65 bytes into a destination of size 64
+ 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As the logic there adds an space at the end of infopx buffer.
+Add an extra space to avoid such warning.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper-arm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
+index 36d3b8b9da47e..f4b7a48327fbb 100644
+--- a/drivers/firmware/efi/cper-arm.c
++++ b/drivers/firmware/efi/cper-arm.c
+@@ -241,7 +241,7 @@ void cper_print_proc_arm(const char *pfx,
+ int i, len, max_ctx_type;
+ struct cper_arm_err_info *err_info;
+ struct cper_arm_ctx_info *ctx_info;
+- char newpfx[64], infopfx[64];
++ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
+
+ printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
+
+--
+2.51.0
+
--- /dev/null
+From 044ce86484d9478a7de8f6de75310ed10ad4f22f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:55 -0700
+Subject: efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 96b010536ee020e716d28d9b359a4bcd18800aeb ]
+
+Up to UEFI spec 2.9, the type byte of CPER struct for ARM processor
+was defined simply as:
+
+Type at byte offset 4:
+
+ - Cache error
+ - TLB Error
+ - Bus Error
+ - Micro-architectural Error
+ All other values are reserved
+
+Yet, there was no information about how this would be encoded.
+
+Spec 2.9A errata corrected it by defining:
+
+ - Bit 1 - Cache Error
+ - Bit 2 - TLB Error
+ - Bit 3 - Bus Error
+ - Bit 4 - Micro-architectural Error
+ All other values are reserved
+
+That actually aligns with the values already defined on older
+versions at N.2.4.1. Generic Processor Error Section.
+
+Spec 2.10 also preserve the same encoding as 2.9A.
+
+Adjust CPER and GHES handling code for both generic and ARM
+processors to properly handle UEFI 2.9A and 2.10 encoding.
+
+Link: https://uefi.org/specs/UEFI/2.10/Apx_N_Common_Platform_Error_Record.html#arm-processor-error-information
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/apei/ghes.c | 16 +++++++----
+ drivers/firmware/efi/cper-arm.c | 50 ++++++++++++++++-----------------
+ include/linux/cper.h | 10 +++----
+ 3 files changed, 39 insertions(+), 37 deletions(-)
+
+diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
+index 250ea9ec5f0c2..bdb23ca251e23 100644
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -22,6 +22,7 @@
+ #include <linux/moduleparam.h>
+ #include <linux/init.h>
+ #include <linux/acpi.h>
++#include <linux/bitfield.h>
+ #include <linux/io.h>
+ #include <linux/interrupt.h>
+ #include <linux/timer.h>
+@@ -500,6 +501,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ {
+ struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata);
+ int flags = sync ? MF_ACTION_REQUIRED : 0;
++ char error_type[120];
+ bool queued = false;
+ int sec_sev, i;
+ char *p;
+@@ -513,9 +515,8 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ p = (char *)(err + 1);
+ for (i = 0; i < err->err_info_num; i++) {
+ struct cper_arm_err_info *err_info = (struct cper_arm_err_info *)p;
+- bool is_cache = (err_info->type == CPER_ARM_CACHE_ERROR);
++ bool is_cache = err_info->type & CPER_ARM_CACHE_ERROR;
+ bool has_pa = (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADDR);
+- const char *error_type = "unknown error";
+
+ /*
+ * The field (err_info->error_info & BIT(26)) is fixed to set to
+@@ -529,12 +530,15 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ continue;
+ }
+
+- if (err_info->type < ARRAY_SIZE(cper_proc_error_type_strs))
+- error_type = cper_proc_error_type_strs[err_info->type];
++ cper_bits_to_str(error_type, sizeof(error_type),
++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
++ cper_proc_error_type_strs,
++ ARRAY_SIZE(cper_proc_error_type_strs));
+
+ pr_warn_ratelimited(FW_WARN GHES_PFX
+- "Unhandled processor error type: %s\n",
+- error_type);
++ "Unhandled processor error type 0x%02x: %s%s\n",
++ err_info->type, error_type,
++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
+ p += err_info->length;
+ }
+
+diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
+index f4b7a48327fbb..ea43589944ba5 100644
+--- a/drivers/firmware/efi/cper-arm.c
++++ b/drivers/firmware/efi/cper-arm.c
+@@ -94,15 +94,11 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
+ bool proc_context_corrupt, corrected, precise_pc, restartable_pc;
+ bool time_out, access_mode;
+
+- /* If the type is unknown, bail. */
+- if (type > CPER_ARM_MAX_TYPE)
+- return;
+-
+ /*
+ * Vendor type errors have error information values that are vendor
+ * specific.
+ */
+- if (type == CPER_ARM_VENDOR_ERROR)
++ if (type & CPER_ARM_VENDOR_ERROR)
+ return;
+
+ if (error_info & CPER_ARM_ERR_VALID_TRANSACTION_TYPE) {
+@@ -117,43 +113,38 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
+ if (error_info & CPER_ARM_ERR_VALID_OPERATION_TYPE) {
+ op_type = ((error_info >> CPER_ARM_ERR_OPERATION_SHIFT)
+ & CPER_ARM_ERR_OPERATION_MASK);
+- switch (type) {
+- case CPER_ARM_CACHE_ERROR:
++ if (type & CPER_ARM_CACHE_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_cache_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%scache error, operation type: %s\n", pfx,
+ arm_cache_err_op_strs[op_type]);
+ }
+- break;
+- case CPER_ARM_TLB_ERROR:
++ }
++ if (type & CPER_ARM_TLB_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_tlb_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%sTLB error, operation type: %s\n", pfx,
+ arm_tlb_err_op_strs[op_type]);
+ }
+- break;
+- case CPER_ARM_BUS_ERROR:
++ }
++ if (type & CPER_ARM_BUS_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_bus_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%sbus error, operation type: %s\n", pfx,
+ arm_bus_err_op_strs[op_type]);
+ }
+- break;
+ }
+ }
+
+ if (error_info & CPER_ARM_ERR_VALID_LEVEL) {
+ level = ((error_info >> CPER_ARM_ERR_LEVEL_SHIFT)
+ & CPER_ARM_ERR_LEVEL_MASK);
+- switch (type) {
+- case CPER_ARM_CACHE_ERROR:
++ if (type & CPER_ARM_CACHE_ERROR)
+ printk("%scache level: %d\n", pfx, level);
+- break;
+- case CPER_ARM_TLB_ERROR:
++
++ if (type & CPER_ARM_TLB_ERROR)
+ printk("%sTLB level: %d\n", pfx, level);
+- break;
+- case CPER_ARM_BUS_ERROR:
++
++ if (type & CPER_ARM_BUS_ERROR)
+ printk("%saffinity level at which the bus error occurred: %d\n",
+ pfx, level);
+- break;
+- }
+ }
+
+ if (error_info & CPER_ARM_ERR_VALID_PROC_CONTEXT_CORRUPT) {
+@@ -242,6 +233,7 @@ void cper_print_proc_arm(const char *pfx,
+ struct cper_arm_err_info *err_info;
+ struct cper_arm_ctx_info *ctx_info;
+ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
++ char error_type[120];
+
+ printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
+
+@@ -290,9 +282,15 @@ void cper_print_proc_arm(const char *pfx,
+ newpfx);
+ }
+
+- printk("%serror_type: %d, %s\n", newpfx, err_info->type,
+- err_info->type < ARRAY_SIZE(cper_proc_error_type_strs) ?
+- cper_proc_error_type_strs[err_info->type] : "unknown");
++ cper_bits_to_str(error_type, sizeof(error_type),
++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
++ cper_proc_error_type_strs,
++ ARRAY_SIZE(cper_proc_error_type_strs));
++
++ printk("%serror_type: 0x%02x: %s%s\n", newpfx, err_info->type,
++ error_type,
++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
++
+ if (err_info->validation_bits & CPER_ARM_INFO_VALID_ERR_INFO) {
+ printk("%serror_info: 0x%016llx\n", newpfx,
+ err_info->error_info);
+diff --git a/include/linux/cper.h b/include/linux/cper.h
+index 724a5e3c122d6..a31e22cc839eb 100644
+--- a/include/linux/cper.h
++++ b/include/linux/cper.h
+@@ -270,11 +270,11 @@ enum {
+ #define CPER_ARM_INFO_FLAGS_PROPAGATED BIT(2)
+ #define CPER_ARM_INFO_FLAGS_OVERFLOW BIT(3)
+
+-#define CPER_ARM_CACHE_ERROR 0
+-#define CPER_ARM_TLB_ERROR 1
+-#define CPER_ARM_BUS_ERROR 2
+-#define CPER_ARM_VENDOR_ERROR 3
+-#define CPER_ARM_MAX_TYPE CPER_ARM_VENDOR_ERROR
++#define CPER_ARM_ERR_TYPE_MASK GENMASK(4,1)
++#define CPER_ARM_CACHE_ERROR BIT(1)
++#define CPER_ARM_TLB_ERROR BIT(2)
++#define CPER_ARM_BUS_ERROR BIT(3)
++#define CPER_ARM_VENDOR_ERROR BIT(4)
+
+ #define CPER_ARM_ERR_VALID_TRANSACTION_TYPE BIT(0)
+ #define CPER_ARM_ERR_VALID_OPERATION_TYPE BIT(1)
+--
+2.51.0
+
--- /dev/null
+From e51a06577cad57759182511cf12e6279879e508d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Dec 2025 09:51:59 +0300
+Subject: ocfs2: fix memory leak in ocfs2_merge_rec_left()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 2214ec4bf89d0fd27717322d3983a2f3b469c7f3 ]
+
+In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after
+move, thus allowing 'ocfs2_free_path()' to free it before return.
+
+Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru
+Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2
+Reviewed-by: Heming Zhao <heming.zhao@suse.com>
+Acked-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/alloc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
+index 9c95d911a14b1..9589b462b5913 100644
+--- a/fs/ocfs2/alloc.c
++++ b/fs/ocfs2/alloc.c
+@@ -3647,7 +3647,6 @@ static int ocfs2_merge_rec_left(struct ocfs2_path *right_path,
+ * So we use the new rightmost path.
+ */
+ ocfs2_mv_path(right_path, left_path);
+- left_path = NULL;
+ } else
+ ocfs2_complete_edge_insert(handle, left_path,
+ right_path, subtree_index);
+--
+2.51.0
+
arm-9464-1-fix-input-only-operand-modification-in-lo.patch
dm-raid-fix-possible-null-dereference-with-undefined.patch
dm-log-writes-add-missing-set_freezable-for-freezabl.patch
+efi-cper-add-a-new-helper-function-to-print-bitmasks.patch
+efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch
+efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch
+ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch
--- /dev/null
+From 0b5152e45f8f73ddb04fec9dd6b3a3ff6468d07b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:54 -0700
+Subject: efi/cper: Add a new helper function to print bitmasks
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit a976d790f49499ccaa0f991788ad8ebf92e7fd5c ]
+
+Add a helper function to print a string with names associated
+to each bit field.
+
+A typical example is:
+
+ const char * const bits[] = {
+ "bit 3 name",
+ "bit 4 name",
+ "bit 5 name",
+ };
+ char str[120];
+ unsigned int bitmask = BIT(3) | BIT(5);
+
+ #define MASK GENMASK(5,3)
+
+ cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
+ bits, ARRAY_SIZE(bits));
+
+The above code fills string "str" with "bit 3 name|bit 5 name".
+
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper.c | 60 +++++++++++++++++++++++++++++++++++++
+ include/linux/cper.h | 2 ++
+ 2 files changed, 62 insertions(+)
+
+diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
+index e4e5ea7ce910a..eb5e67af69273 100644
+--- a/drivers/firmware/efi/cper.c
++++ b/drivers/firmware/efi/cper.c
+@@ -12,6 +12,7 @@
+ * Specification version 2.4.
+ */
+
++#include <linux/bitmap.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/time.h>
+@@ -105,6 +106,65 @@ void cper_print_bits(const char *pfx, unsigned int bits,
+ printk("%s\n", buf);
+ }
+
++/**
++ * cper_bits_to_str - return a string for set bits
++ * @buf: buffer to store the output string
++ * @buf_size: size of the output string buffer
++ * @bits: bit mask
++ * @strs: string array, indexed by bit position
++ * @strs_size: size of the string array: @strs
++ *
++ * Add to @buf the bitmask in hexadecimal. Then, for each set bit in @bits,
++ * add the corresponding string describing the bit in @strs to @buf.
++ *
++ * A typical example is::
++ *
++ * const char * const bits[] = {
++ * "bit 3 name",
++ * "bit 4 name",
++ * "bit 5 name",
++ * };
++ * char str[120];
++ * unsigned int bitmask = BIT(3) | BIT(5);
++ * #define MASK GENMASK(5,3)
++ *
++ * cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
++ * bits, ARRAY_SIZE(bits));
++ *
++ * The above code fills the string ``str`` with ``bit 3 name|bit 5 name``.
++ *
++ * Return: number of bytes stored or an error code if lower than zero.
++ */
++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
++ const char * const strs[], unsigned int strs_size)
++{
++ int len = buf_size;
++ char *str = buf;
++ int i, size;
++
++ *buf = '\0';
++
++ for_each_set_bit(i, &bits, strs_size) {
++ if (!(bits & BIT_ULL(i)))
++ continue;
++
++ if (*buf && len > 0) {
++ *str = '|';
++ len--;
++ str++;
++ }
++
++ size = strscpy(str, strs[i], len);
++ if (size < 0)
++ return size;
++
++ len -= size;
++ str += size;
++ }
++ return len - buf_size;
++}
++EXPORT_SYMBOL_GPL(cper_bits_to_str);
++
+ static const char * const proc_type_strs[] = {
+ "IA32/X64",
+ "IA64",
+diff --git a/include/linux/cper.h b/include/linux/cper.h
+index eacb7dd7b3af3..a15b7b9740344 100644
+--- a/include/linux/cper.h
++++ b/include/linux/cper.h
+@@ -561,6 +561,8 @@ const char *cper_mem_err_type_str(unsigned int);
+ const char *cper_mem_err_status_str(u64 status);
+ void cper_print_bits(const char *prefix, unsigned int bits,
+ const char * const strs[], unsigned int strs_size);
++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
++ const char * const strs[], unsigned int strs_size);
+ void cper_mem_err_pack(const struct cper_sec_mem_err *,
+ struct cper_mem_err_compact *);
+ const char *cper_mem_err_unpack(struct trace_seq *,
+--
+2.51.0
+
--- /dev/null
+From caa00aa9d967ac1c3e8b42d9115371bd6bd00ed8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:53 -0700
+Subject: efi/cper: Adjust infopfx size to accept an extra space
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 8ad2c72e21efb3dc76c5b14089fa7984cdd87898 ]
+
+Compiling with W=1 with werror enabled produces an error:
+
+drivers/firmware/efi/cper-arm.c: In function ‘cper_print_proc_arm’:
+drivers/firmware/efi/cper-arm.c:298:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
+ 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
+ | ^
+drivers/firmware/efi/cper-arm.c:298:25: note: ‘snprintf’ output between 2 and 65 bytes into a destination of size 64
+ 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As the logic there adds an space at the end of infopx buffer.
+Add an extra space to avoid such warning.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper-arm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
+index 36d3b8b9da47e..f4b7a48327fbb 100644
+--- a/drivers/firmware/efi/cper-arm.c
++++ b/drivers/firmware/efi/cper-arm.c
+@@ -241,7 +241,7 @@ void cper_print_proc_arm(const char *pfx,
+ int i, len, max_ctx_type;
+ struct cper_arm_err_info *err_info;
+ struct cper_arm_ctx_info *ctx_info;
+- char newpfx[64], infopfx[64];
++ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
+
+ printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
+
+--
+2.51.0
+
--- /dev/null
+From 8dbff6c2cb2b85edc5b673c5bbf5807e08cc97ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:55 -0700
+Subject: efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 96b010536ee020e716d28d9b359a4bcd18800aeb ]
+
+Up to UEFI spec 2.9, the type byte of CPER struct for ARM processor
+was defined simply as:
+
+Type at byte offset 4:
+
+ - Cache error
+ - TLB Error
+ - Bus Error
+ - Micro-architectural Error
+ All other values are reserved
+
+Yet, there was no information about how this would be encoded.
+
+Spec 2.9A errata corrected it by defining:
+
+ - Bit 1 - Cache Error
+ - Bit 2 - TLB Error
+ - Bit 3 - Bus Error
+ - Bit 4 - Micro-architectural Error
+ All other values are reserved
+
+That actually aligns with the values already defined on older
+versions at N.2.4.1. Generic Processor Error Section.
+
+Spec 2.10 also preserve the same encoding as 2.9A.
+
+Adjust CPER and GHES handling code for both generic and ARM
+processors to properly handle UEFI 2.9A and 2.10 encoding.
+
+Link: https://uefi.org/specs/UEFI/2.10/Apx_N_Common_Platform_Error_Record.html#arm-processor-error-information
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/apei/ghes.c | 16 +++++++----
+ drivers/firmware/efi/cper-arm.c | 50 ++++++++++++++++-----------------
+ include/linux/cper.h | 10 +++----
+ 3 files changed, 39 insertions(+), 37 deletions(-)
+
+diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
+index 3c862acaa28af..03344c2732220 100644
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -22,6 +22,7 @@
+ #include <linux/moduleparam.h>
+ #include <linux/init.h>
+ #include <linux/acpi.h>
++#include <linux/bitfield.h>
+ #include <linux/io.h>
+ #include <linux/interrupt.h>
+ #include <linux/timer.h>
+@@ -500,6 +501,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ {
+ struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata);
+ int flags = sync ? MF_ACTION_REQUIRED : 0;
++ char error_type[120];
+ bool queued = false;
+ int sec_sev, i;
+ char *p;
+@@ -513,9 +515,8 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ p = (char *)(err + 1);
+ for (i = 0; i < err->err_info_num; i++) {
+ struct cper_arm_err_info *err_info = (struct cper_arm_err_info *)p;
+- bool is_cache = (err_info->type == CPER_ARM_CACHE_ERROR);
++ bool is_cache = err_info->type & CPER_ARM_CACHE_ERROR;
+ bool has_pa = (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADDR);
+- const char *error_type = "unknown error";
+
+ /*
+ * The field (err_info->error_info & BIT(26)) is fixed to set to
+@@ -529,12 +530,15 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ continue;
+ }
+
+- if (err_info->type < ARRAY_SIZE(cper_proc_error_type_strs))
+- error_type = cper_proc_error_type_strs[err_info->type];
++ cper_bits_to_str(error_type, sizeof(error_type),
++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
++ cper_proc_error_type_strs,
++ ARRAY_SIZE(cper_proc_error_type_strs));
+
+ pr_warn_ratelimited(FW_WARN GHES_PFX
+- "Unhandled processor error type: %s\n",
+- error_type);
++ "Unhandled processor error type 0x%02x: %s%s\n",
++ err_info->type, error_type,
++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
+ p += err_info->length;
+ }
+
+diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
+index f4b7a48327fbb..ea43589944ba5 100644
+--- a/drivers/firmware/efi/cper-arm.c
++++ b/drivers/firmware/efi/cper-arm.c
+@@ -94,15 +94,11 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
+ bool proc_context_corrupt, corrected, precise_pc, restartable_pc;
+ bool time_out, access_mode;
+
+- /* If the type is unknown, bail. */
+- if (type > CPER_ARM_MAX_TYPE)
+- return;
+-
+ /*
+ * Vendor type errors have error information values that are vendor
+ * specific.
+ */
+- if (type == CPER_ARM_VENDOR_ERROR)
++ if (type & CPER_ARM_VENDOR_ERROR)
+ return;
+
+ if (error_info & CPER_ARM_ERR_VALID_TRANSACTION_TYPE) {
+@@ -117,43 +113,38 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
+ if (error_info & CPER_ARM_ERR_VALID_OPERATION_TYPE) {
+ op_type = ((error_info >> CPER_ARM_ERR_OPERATION_SHIFT)
+ & CPER_ARM_ERR_OPERATION_MASK);
+- switch (type) {
+- case CPER_ARM_CACHE_ERROR:
++ if (type & CPER_ARM_CACHE_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_cache_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%scache error, operation type: %s\n", pfx,
+ arm_cache_err_op_strs[op_type]);
+ }
+- break;
+- case CPER_ARM_TLB_ERROR:
++ }
++ if (type & CPER_ARM_TLB_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_tlb_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%sTLB error, operation type: %s\n", pfx,
+ arm_tlb_err_op_strs[op_type]);
+ }
+- break;
+- case CPER_ARM_BUS_ERROR:
++ }
++ if (type & CPER_ARM_BUS_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_bus_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%sbus error, operation type: %s\n", pfx,
+ arm_bus_err_op_strs[op_type]);
+ }
+- break;
+ }
+ }
+
+ if (error_info & CPER_ARM_ERR_VALID_LEVEL) {
+ level = ((error_info >> CPER_ARM_ERR_LEVEL_SHIFT)
+ & CPER_ARM_ERR_LEVEL_MASK);
+- switch (type) {
+- case CPER_ARM_CACHE_ERROR:
++ if (type & CPER_ARM_CACHE_ERROR)
+ printk("%scache level: %d\n", pfx, level);
+- break;
+- case CPER_ARM_TLB_ERROR:
++
++ if (type & CPER_ARM_TLB_ERROR)
+ printk("%sTLB level: %d\n", pfx, level);
+- break;
+- case CPER_ARM_BUS_ERROR:
++
++ if (type & CPER_ARM_BUS_ERROR)
+ printk("%saffinity level at which the bus error occurred: %d\n",
+ pfx, level);
+- break;
+- }
+ }
+
+ if (error_info & CPER_ARM_ERR_VALID_PROC_CONTEXT_CORRUPT) {
+@@ -242,6 +233,7 @@ void cper_print_proc_arm(const char *pfx,
+ struct cper_arm_err_info *err_info;
+ struct cper_arm_ctx_info *ctx_info;
+ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
++ char error_type[120];
+
+ printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
+
+@@ -290,9 +282,15 @@ void cper_print_proc_arm(const char *pfx,
+ newpfx);
+ }
+
+- printk("%serror_type: %d, %s\n", newpfx, err_info->type,
+- err_info->type < ARRAY_SIZE(cper_proc_error_type_strs) ?
+- cper_proc_error_type_strs[err_info->type] : "unknown");
++ cper_bits_to_str(error_type, sizeof(error_type),
++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
++ cper_proc_error_type_strs,
++ ARRAY_SIZE(cper_proc_error_type_strs));
++
++ printk("%serror_type: 0x%02x: %s%s\n", newpfx, err_info->type,
++ error_type,
++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
++
+ if (err_info->validation_bits & CPER_ARM_INFO_VALID_ERR_INFO) {
+ printk("%serror_info: 0x%016llx\n", newpfx,
+ err_info->error_info);
+diff --git a/include/linux/cper.h b/include/linux/cper.h
+index a15b7b9740344..ff84d72cdee82 100644
+--- a/include/linux/cper.h
++++ b/include/linux/cper.h
+@@ -270,11 +270,11 @@ enum {
+ #define CPER_ARM_INFO_FLAGS_PROPAGATED BIT(2)
+ #define CPER_ARM_INFO_FLAGS_OVERFLOW BIT(3)
+
+-#define CPER_ARM_CACHE_ERROR 0
+-#define CPER_ARM_TLB_ERROR 1
+-#define CPER_ARM_BUS_ERROR 2
+-#define CPER_ARM_VENDOR_ERROR 3
+-#define CPER_ARM_MAX_TYPE CPER_ARM_VENDOR_ERROR
++#define CPER_ARM_ERR_TYPE_MASK GENMASK(4,1)
++#define CPER_ARM_CACHE_ERROR BIT(1)
++#define CPER_ARM_TLB_ERROR BIT(2)
++#define CPER_ARM_BUS_ERROR BIT(3)
++#define CPER_ARM_VENDOR_ERROR BIT(4)
+
+ #define CPER_ARM_ERR_VALID_TRANSACTION_TYPE BIT(0)
+ #define CPER_ARM_ERR_VALID_OPERATION_TYPE BIT(1)
+--
+2.51.0
+
--- /dev/null
+From dcec477b9709854b4ae121978d00d27d0e97ae91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Dec 2025 09:54:16 +0300
+Subject: irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 ]
+
+If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then
+it results in an out of bounds access.
+
+The code checks for invalid values, but doesn't set the error code. Return
+-EINVAL in that case, instead of returning success.
+
+Fixes: 00fa3461c86d ("irqchip/mchp-eic: Add support for the Microchip EIC")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Link: https://patch.msgid.link/aTfHmOz6IBpTIPU5@stanley.mountain
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-mchp-eic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-mchp-eic.c b/drivers/irqchip/irq-mchp-eic.c
+index c726a19837d29..7f84c736d2827 100644
+--- a/drivers/irqchip/irq-mchp-eic.c
++++ b/drivers/irqchip/irq-mchp-eic.c
+@@ -166,7 +166,7 @@ static int mchp_eic_domain_alloc(struct irq_domain *domain, unsigned int virq,
+
+ ret = irq_domain_translate_twocell(domain, fwspec, &hwirq, &type);
+ if (ret || hwirq >= MCHP_EIC_NIRQ)
+- return ret;
++ return ret ?: -EINVAL;
+
+ switch (type) {
+ case IRQ_TYPE_EDGE_RISING:
+--
+2.51.0
+
--- /dev/null
+From eb6e70e2103f0460f2950a5fe6353286248b9ca9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Dec 2025 09:51:59 +0300
+Subject: ocfs2: fix memory leak in ocfs2_merge_rec_left()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 2214ec4bf89d0fd27717322d3983a2f3b469c7f3 ]
+
+In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after
+move, thus allowing 'ocfs2_free_path()' to free it before return.
+
+Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru
+Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2
+Reviewed-by: Heming Zhao <heming.zhao@suse.com>
+Acked-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/alloc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
+index 7f11ffacc9150..fa5223b05fad7 100644
+--- a/fs/ocfs2/alloc.c
++++ b/fs/ocfs2/alloc.c
+@@ -3647,7 +3647,6 @@ static int ocfs2_merge_rec_left(struct ocfs2_path *right_path,
+ * So we use the new rightmost path.
+ */
+ ocfs2_mv_path(right_path, left_path);
+- left_path = NULL;
+ } else
+ ocfs2_complete_edge_insert(handle, left_path,
+ right_path, subtree_index);
+--
+2.51.0
+
arm-9464-1-fix-input-only-operand-modification-in-lo.patch
dm-raid-fix-possible-null-dereference-with-undefined.patch
dm-log-writes-add-missing-set_freezable-for-freezabl.patch
+efi-cper-add-a-new-helper-function-to-print-bitmasks.patch
+efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch
+efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch
+irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch
+ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch
--- /dev/null
+From db7bd7e5e25e4839a59d0c66ce938fa5313ec037 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:54 -0700
+Subject: efi/cper: Add a new helper function to print bitmasks
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit a976d790f49499ccaa0f991788ad8ebf92e7fd5c ]
+
+Add a helper function to print a string with names associated
+to each bit field.
+
+A typical example is:
+
+ const char * const bits[] = {
+ "bit 3 name",
+ "bit 4 name",
+ "bit 5 name",
+ };
+ char str[120];
+ unsigned int bitmask = BIT(3) | BIT(5);
+
+ #define MASK GENMASK(5,3)
+
+ cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
+ bits, ARRAY_SIZE(bits));
+
+The above code fills string "str" with "bit 3 name|bit 5 name".
+
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper.c | 60 +++++++++++++++++++++++++++++++++++++
+ include/linux/cper.h | 2 ++
+ 2 files changed, 62 insertions(+)
+
+diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
+index b69e68ef3f02b..7f89a9fb2ecad 100644
+--- a/drivers/firmware/efi/cper.c
++++ b/drivers/firmware/efi/cper.c
+@@ -12,6 +12,7 @@
+ * Specification version 2.4.
+ */
+
++#include <linux/bitmap.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/time.h>
+@@ -106,6 +107,65 @@ void cper_print_bits(const char *pfx, unsigned int bits,
+ printk("%s\n", buf);
+ }
+
++/**
++ * cper_bits_to_str - return a string for set bits
++ * @buf: buffer to store the output string
++ * @buf_size: size of the output string buffer
++ * @bits: bit mask
++ * @strs: string array, indexed by bit position
++ * @strs_size: size of the string array: @strs
++ *
++ * Add to @buf the bitmask in hexadecimal. Then, for each set bit in @bits,
++ * add the corresponding string describing the bit in @strs to @buf.
++ *
++ * A typical example is::
++ *
++ * const char * const bits[] = {
++ * "bit 3 name",
++ * "bit 4 name",
++ * "bit 5 name",
++ * };
++ * char str[120];
++ * unsigned int bitmask = BIT(3) | BIT(5);
++ * #define MASK GENMASK(5,3)
++ *
++ * cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
++ * bits, ARRAY_SIZE(bits));
++ *
++ * The above code fills the string ``str`` with ``bit 3 name|bit 5 name``.
++ *
++ * Return: number of bytes stored or an error code if lower than zero.
++ */
++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
++ const char * const strs[], unsigned int strs_size)
++{
++ int len = buf_size;
++ char *str = buf;
++ int i, size;
++
++ *buf = '\0';
++
++ for_each_set_bit(i, &bits, strs_size) {
++ if (!(bits & BIT_ULL(i)))
++ continue;
++
++ if (*buf && len > 0) {
++ *str = '|';
++ len--;
++ str++;
++ }
++
++ size = strscpy(str, strs[i], len);
++ if (size < 0)
++ return size;
++
++ len -= size;
++ str += size;
++ }
++ return len - buf_size;
++}
++EXPORT_SYMBOL_GPL(cper_bits_to_str);
++
+ static const char * const proc_type_strs[] = {
+ "IA32/X64",
+ "IA64",
+diff --git a/include/linux/cper.h b/include/linux/cper.h
+index 265b0f8fc0b3c..25858a7608b7d 100644
+--- a/include/linux/cper.h
++++ b/include/linux/cper.h
+@@ -584,6 +584,8 @@ const char *cper_mem_err_type_str(unsigned int);
+ const char *cper_mem_err_status_str(u64 status);
+ void cper_print_bits(const char *prefix, unsigned int bits,
+ const char * const strs[], unsigned int strs_size);
++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
++ const char * const strs[], unsigned int strs_size);
+ void cper_mem_err_pack(const struct cper_sec_mem_err *,
+ struct cper_mem_err_compact *);
+ const char *cper_mem_err_unpack(struct trace_seq *,
+--
+2.51.0
+
--- /dev/null
+From 4fa26cb43d3407cb35dcc264edfb7a372a92fd9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:53 -0700
+Subject: efi/cper: Adjust infopfx size to accept an extra space
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 8ad2c72e21efb3dc76c5b14089fa7984cdd87898 ]
+
+Compiling with W=1 with werror enabled produces an error:
+
+drivers/firmware/efi/cper-arm.c: In function ‘cper_print_proc_arm’:
+drivers/firmware/efi/cper-arm.c:298:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
+ 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
+ | ^
+drivers/firmware/efi/cper-arm.c:298:25: note: ‘snprintf’ output between 2 and 65 bytes into a destination of size 64
+ 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As the logic there adds an space at the end of infopx buffer.
+Add an extra space to avoid such warning.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper-arm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
+index fa9c1c3bf168b..eb7ee6af55f23 100644
+--- a/drivers/firmware/efi/cper-arm.c
++++ b/drivers/firmware/efi/cper-arm.c
+@@ -240,7 +240,7 @@ void cper_print_proc_arm(const char *pfx,
+ int i, len, max_ctx_type;
+ struct cper_arm_err_info *err_info;
+ struct cper_arm_ctx_info *ctx_info;
+- char newpfx[64], infopfx[64];
++ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
+
+ printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
+
+--
+2.51.0
+
--- /dev/null
+From 0ebd99d4eff5ab41fa293c2ccb79c51e26a1719c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:55 -0700
+Subject: efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 96b010536ee020e716d28d9b359a4bcd18800aeb ]
+
+Up to UEFI spec 2.9, the type byte of CPER struct for ARM processor
+was defined simply as:
+
+Type at byte offset 4:
+
+ - Cache error
+ - TLB Error
+ - Bus Error
+ - Micro-architectural Error
+ All other values are reserved
+
+Yet, there was no information about how this would be encoded.
+
+Spec 2.9A errata corrected it by defining:
+
+ - Bit 1 - Cache Error
+ - Bit 2 - TLB Error
+ - Bit 3 - Bus Error
+ - Bit 4 - Micro-architectural Error
+ All other values are reserved
+
+That actually aligns with the values already defined on older
+versions at N.2.4.1. Generic Processor Error Section.
+
+Spec 2.10 also preserve the same encoding as 2.9A.
+
+Adjust CPER and GHES handling code for both generic and ARM
+processors to properly handle UEFI 2.9A and 2.10 encoding.
+
+Link: https://uefi.org/specs/UEFI/2.10/Apx_N_Common_Platform_Error_Record.html#arm-processor-error-information
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/apei/ghes.c | 16 +++++++----
+ drivers/firmware/efi/cper-arm.c | 50 ++++++++++++++++-----------------
+ include/linux/cper.h | 10 +++----
+ 3 files changed, 39 insertions(+), 37 deletions(-)
+
+diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
+index 99659478e0bd0..45fa2510e4cf5 100644
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -22,6 +22,7 @@
+ #include <linux/moduleparam.h>
+ #include <linux/init.h>
+ #include <linux/acpi.h>
++#include <linux/bitfield.h>
+ #include <linux/io.h>
+ #include <linux/interrupt.h>
+ #include <linux/timer.h>
+@@ -531,6 +532,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ {
+ struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata);
+ int flags = sync ? MF_ACTION_REQUIRED : 0;
++ char error_type[120];
+ bool queued = false;
+ int sec_sev, i;
+ char *p;
+@@ -543,9 +545,8 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ p = (char *)(err + 1);
+ for (i = 0; i < err->err_info_num; i++) {
+ struct cper_arm_err_info *err_info = (struct cper_arm_err_info *)p;
+- bool is_cache = (err_info->type == CPER_ARM_CACHE_ERROR);
++ bool is_cache = err_info->type & CPER_ARM_CACHE_ERROR;
+ bool has_pa = (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADDR);
+- const char *error_type = "unknown error";
+
+ /*
+ * The field (err_info->error_info & BIT(26)) is fixed to set to
+@@ -559,12 +560,15 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ continue;
+ }
+
+- if (err_info->type < ARRAY_SIZE(cper_proc_error_type_strs))
+- error_type = cper_proc_error_type_strs[err_info->type];
++ cper_bits_to_str(error_type, sizeof(error_type),
++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
++ cper_proc_error_type_strs,
++ ARRAY_SIZE(cper_proc_error_type_strs));
+
+ pr_warn_ratelimited(FW_WARN GHES_PFX
+- "Unhandled processor error type: %s\n",
+- error_type);
++ "Unhandled processor error type 0x%02x: %s%s\n",
++ err_info->type, error_type,
++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
+ p += err_info->length;
+ }
+
+diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
+index eb7ee6af55f23..52d18490b59e3 100644
+--- a/drivers/firmware/efi/cper-arm.c
++++ b/drivers/firmware/efi/cper-arm.c
+@@ -93,15 +93,11 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
+ bool proc_context_corrupt, corrected, precise_pc, restartable_pc;
+ bool time_out, access_mode;
+
+- /* If the type is unknown, bail. */
+- if (type > CPER_ARM_MAX_TYPE)
+- return;
+-
+ /*
+ * Vendor type errors have error information values that are vendor
+ * specific.
+ */
+- if (type == CPER_ARM_VENDOR_ERROR)
++ if (type & CPER_ARM_VENDOR_ERROR)
+ return;
+
+ if (error_info & CPER_ARM_ERR_VALID_TRANSACTION_TYPE) {
+@@ -116,43 +112,38 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
+ if (error_info & CPER_ARM_ERR_VALID_OPERATION_TYPE) {
+ op_type = ((error_info >> CPER_ARM_ERR_OPERATION_SHIFT)
+ & CPER_ARM_ERR_OPERATION_MASK);
+- switch (type) {
+- case CPER_ARM_CACHE_ERROR:
++ if (type & CPER_ARM_CACHE_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_cache_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%scache error, operation type: %s\n", pfx,
+ arm_cache_err_op_strs[op_type]);
+ }
+- break;
+- case CPER_ARM_TLB_ERROR:
++ }
++ if (type & CPER_ARM_TLB_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_tlb_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%sTLB error, operation type: %s\n", pfx,
+ arm_tlb_err_op_strs[op_type]);
+ }
+- break;
+- case CPER_ARM_BUS_ERROR:
++ }
++ if (type & CPER_ARM_BUS_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_bus_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%sbus error, operation type: %s\n", pfx,
+ arm_bus_err_op_strs[op_type]);
+ }
+- break;
+ }
+ }
+
+ if (error_info & CPER_ARM_ERR_VALID_LEVEL) {
+ level = ((error_info >> CPER_ARM_ERR_LEVEL_SHIFT)
+ & CPER_ARM_ERR_LEVEL_MASK);
+- switch (type) {
+- case CPER_ARM_CACHE_ERROR:
++ if (type & CPER_ARM_CACHE_ERROR)
+ printk("%scache level: %d\n", pfx, level);
+- break;
+- case CPER_ARM_TLB_ERROR:
++
++ if (type & CPER_ARM_TLB_ERROR)
+ printk("%sTLB level: %d\n", pfx, level);
+- break;
+- case CPER_ARM_BUS_ERROR:
++
++ if (type & CPER_ARM_BUS_ERROR)
+ printk("%saffinity level at which the bus error occurred: %d\n",
+ pfx, level);
+- break;
+- }
+ }
+
+ if (error_info & CPER_ARM_ERR_VALID_PROC_CONTEXT_CORRUPT) {
+@@ -241,6 +232,7 @@ void cper_print_proc_arm(const char *pfx,
+ struct cper_arm_err_info *err_info;
+ struct cper_arm_ctx_info *ctx_info;
+ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
++ char error_type[120];
+
+ printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
+
+@@ -289,9 +281,15 @@ void cper_print_proc_arm(const char *pfx,
+ newpfx);
+ }
+
+- printk("%serror_type: %d, %s\n", newpfx, err_info->type,
+- err_info->type < ARRAY_SIZE(cper_proc_error_type_strs) ?
+- cper_proc_error_type_strs[err_info->type] : "unknown");
++ cper_bits_to_str(error_type, sizeof(error_type),
++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
++ cper_proc_error_type_strs,
++ ARRAY_SIZE(cper_proc_error_type_strs));
++
++ printk("%serror_type: 0x%02x: %s%s\n", newpfx, err_info->type,
++ error_type,
++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
++
+ if (err_info->validation_bits & CPER_ARM_INFO_VALID_ERR_INFO) {
+ printk("%serror_info: 0x%016llx\n", newpfx,
+ err_info->error_info);
+diff --git a/include/linux/cper.h b/include/linux/cper.h
+index 25858a7608b7d..3670b866ac119 100644
+--- a/include/linux/cper.h
++++ b/include/linux/cper.h
+@@ -293,11 +293,11 @@ enum {
+ #define CPER_ARM_INFO_FLAGS_PROPAGATED BIT(2)
+ #define CPER_ARM_INFO_FLAGS_OVERFLOW BIT(3)
+
+-#define CPER_ARM_CACHE_ERROR 0
+-#define CPER_ARM_TLB_ERROR 1
+-#define CPER_ARM_BUS_ERROR 2
+-#define CPER_ARM_VENDOR_ERROR 3
+-#define CPER_ARM_MAX_TYPE CPER_ARM_VENDOR_ERROR
++#define CPER_ARM_ERR_TYPE_MASK GENMASK(4,1)
++#define CPER_ARM_CACHE_ERROR BIT(1)
++#define CPER_ARM_TLB_ERROR BIT(2)
++#define CPER_ARM_BUS_ERROR BIT(3)
++#define CPER_ARM_VENDOR_ERROR BIT(4)
+
+ #define CPER_ARM_ERR_VALID_TRANSACTION_TYPE BIT(0)
+ #define CPER_ARM_ERR_VALID_OPERATION_TYPE BIT(1)
+--
+2.51.0
+
--- /dev/null
+From 02815138f8b59806eb32e0dfe15ea0e052ed3cef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Dec 2025 09:54:16 +0300
+Subject: irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 ]
+
+If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then
+it results in an out of bounds access.
+
+The code checks for invalid values, but doesn't set the error code. Return
+-EINVAL in that case, instead of returning success.
+
+Fixes: 00fa3461c86d ("irqchip/mchp-eic: Add support for the Microchip EIC")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Link: https://patch.msgid.link/aTfHmOz6IBpTIPU5@stanley.mountain
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-mchp-eic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-mchp-eic.c b/drivers/irqchip/irq-mchp-eic.c
+index 5dcd94c000a26..8a5baa0987a4b 100644
+--- a/drivers/irqchip/irq-mchp-eic.c
++++ b/drivers/irqchip/irq-mchp-eic.c
+@@ -166,7 +166,7 @@ static int mchp_eic_domain_alloc(struct irq_domain *domain, unsigned int virq,
+
+ ret = irq_domain_translate_twocell(domain, fwspec, &hwirq, &type);
+ if (ret || hwirq >= MCHP_EIC_NIRQ)
+- return ret;
++ return ret ?: -EINVAL;
+
+ switch (type) {
+ case IRQ_TYPE_EDGE_RISING:
+--
+2.51.0
+
--- /dev/null
+From bfc97e6800a613b44fb8d5e110cd3d1c1b9dc09b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Dec 2025 09:51:59 +0300
+Subject: ocfs2: fix memory leak in ocfs2_merge_rec_left()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 2214ec4bf89d0fd27717322d3983a2f3b469c7f3 ]
+
+In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after
+move, thus allowing 'ocfs2_free_path()' to free it before return.
+
+Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru
+Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2
+Reviewed-by: Heming Zhao <heming.zhao@suse.com>
+Acked-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/alloc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
+index 5d9388b44e5be..f8025433ce3bf 100644
+--- a/fs/ocfs2/alloc.c
++++ b/fs/ocfs2/alloc.c
+@@ -3654,7 +3654,6 @@ static int ocfs2_merge_rec_left(struct ocfs2_path *right_path,
+ * So we use the new rightmost path.
+ */
+ ocfs2_mv_path(right_path, left_path);
+- left_path = NULL;
+ } else
+ ocfs2_complete_edge_insert(handle, left_path,
+ right_path, subtree_index);
+--
+2.51.0
+
--- /dev/null
+From 9c87bb55f86293540959d60dbd1fa0520059a40a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Oct 2025 18:01:49 +0800
+Subject: scsi: imm: Fix use-after-free bug caused by unfinished delayed work
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c ]
+
+The delayed work item 'imm_tq' is initialized in imm_attach() and
+scheduled via imm_queuecommand() for processing SCSI commands. When the
+IMM parallel port SCSI host adapter is detached through imm_detach(),
+the imm_struct device instance is deallocated.
+
+However, the delayed work might still be pending or executing
+when imm_detach() is called, leading to use-after-free bugs
+when the work function imm_interrupt() accesses the already
+freed imm_struct memory.
+
+The race condition can occur as follows:
+
+CPU 0(detach thread) | CPU 1
+ | imm_queuecommand()
+ | imm_queuecommand_lck()
+imm_detach() | schedule_delayed_work()
+ kfree(dev) //FREE | imm_interrupt()
+ | dev = container_of(...) //USE
+ dev-> //USE
+
+Add disable_delayed_work_sync() in imm_detach() to guarantee proper
+cancellation of the delayed work item before imm_struct is deallocated.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Link: https://patch.msgid.link/20251028100149.40721-1-duoming@zju.edu.cn
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/imm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/imm.c b/drivers/scsi/imm.c
+index 1d4c7310f1a63..d77490e2d7bc8 100644
+--- a/drivers/scsi/imm.c
++++ b/drivers/scsi/imm.c
+@@ -1261,6 +1261,7 @@ static void imm_detach(struct parport *pb)
+ imm_struct *dev;
+ list_for_each_entry(dev, &imm_hosts, list) {
+ if (dev->dev->port == pb) {
++ disable_delayed_work_sync(&dev->imm_tq);
+ list_del_init(&dev->list);
+ scsi_remove_host(dev->host);
+ scsi_host_put(dev->host);
+--
+2.51.0
+
block-return-unsigned-int-from-queue_dma_alignment.patch
dm-raid-fix-possible-null-dereference-with-undefined.patch
dm-log-writes-add-missing-set_freezable-for-freezabl.patch
+efi-cper-add-a-new-helper-function-to-print-bitmasks.patch
+efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch
+efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch
+scsi-imm-fix-use-after-free-bug-caused-by-unfinished.patch
+irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch
+ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch
--- /dev/null
+From 6d378222a4e30f6e418cc523b1110aac0d1c15b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Nov 2025 15:47:23 +0100
+Subject: cpu: Make atomic hotplug callbacks run with interrupts disabled on UP
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit c94291914b200e10c72cef23c8e4c67eb4fdbcd9 ]
+
+On SMP systems the CPU hotplug callbacks in the "starting" range are
+invoked while the CPU is brought up and interrupts are still
+disabled. Callbacks which are added later are invoked via the
+hotplug-thread on the target CPU and interrupts are explicitly disabled.
+
+In the UP case callbacks which are added later are invoked directly without
+the thread indirection. This is in principle okay since there is just one
+CPU but those callbacks are invoked with interrupt disabled code. That's
+incorrect as those callbacks assume interrupt disabled context.
+
+Disable interrupts before invoking the callbacks on UP if the state is
+atomic and interrupts are expected to be disabled. The "save" part is
+required because this is also invoked early in the boot process while
+interrupts are disabled and must not be enabled prematurely.
+
+Fixes: 06ddd17521bf1 ("sched/smp: Always define is_percpu_thread() and scheduler_ipi()")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://patch.msgid.link/20251127144723.ev9DuXXR@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cpu.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/cpu.c b/kernel/cpu.c
+index db9f6c539b28c..15000c7abc659 100644
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -249,6 +249,14 @@ static int cpuhp_invoke_callback(unsigned int cpu, enum cpuhp_state state,
+ return ret;
+ }
+
++/*
++ * The former STARTING/DYING states, ran with IRQs disabled and must not fail.
++ */
++static bool cpuhp_is_atomic_state(enum cpuhp_state state)
++{
++ return CPUHP_AP_IDLE_DEAD <= state && state < CPUHP_AP_ONLINE;
++}
++
+ #ifdef CONFIG_SMP
+ static bool cpuhp_is_ap_state(enum cpuhp_state state)
+ {
+@@ -271,14 +279,6 @@ static inline void complete_ap_thread(struct cpuhp_cpu_state *st, bool bringup)
+ complete(done);
+ }
+
+-/*
+- * The former STARTING/DYING states, ran with IRQs disabled and must not fail.
+- */
+-static bool cpuhp_is_atomic_state(enum cpuhp_state state)
+-{
+- return CPUHP_AP_IDLE_DEAD <= state && state < CPUHP_AP_ONLINE;
+-}
+-
+ /* Synchronization state management */
+ enum cpuhp_sync_state {
+ SYNC_STATE_DEAD,
+@@ -2364,7 +2364,14 @@ static int cpuhp_issue_call(int cpu, enum cpuhp_state state, bool bringup,
+ else
+ ret = cpuhp_invoke_callback(cpu, state, bringup, node, NULL);
+ #else
+- ret = cpuhp_invoke_callback(cpu, state, bringup, node, NULL);
++ if (cpuhp_is_atomic_state(state)) {
++ guard(irqsave)();
++ ret = cpuhp_invoke_callback(cpu, state, bringup, node, NULL);
++ /* STARTING/DYING must not fail! */
++ WARN_ON_ONCE(ret);
++ } else {
++ ret = cpuhp_invoke_callback(cpu, state, bringup, node, NULL);
++ }
+ #endif
+ BUG_ON(ret && !bringup);
+ return ret;
+--
+2.51.0
+
--- /dev/null
+From 614d1fad37c65e8f5c0f6eb3de6cd6fd99a9d7d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:54 -0700
+Subject: efi/cper: Add a new helper function to print bitmasks
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit a976d790f49499ccaa0f991788ad8ebf92e7fd5c ]
+
+Add a helper function to print a string with names associated
+to each bit field.
+
+A typical example is:
+
+ const char * const bits[] = {
+ "bit 3 name",
+ "bit 4 name",
+ "bit 5 name",
+ };
+ char str[120];
+ unsigned int bitmask = BIT(3) | BIT(5);
+
+ #define MASK GENMASK(5,3)
+
+ cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
+ bits, ARRAY_SIZE(bits));
+
+The above code fills string "str" with "bit 3 name|bit 5 name".
+
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper.c | 60 +++++++++++++++++++++++++++++++++++++
+ include/linux/cper.h | 2 ++
+ 2 files changed, 62 insertions(+)
+
+diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
+index 928409199a1a4..79ba688a64f8d 100644
+--- a/drivers/firmware/efi/cper.c
++++ b/drivers/firmware/efi/cper.c
+@@ -12,6 +12,7 @@
+ * Specification version 2.4.
+ */
+
++#include <linux/bitmap.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/time.h>
+@@ -106,6 +107,65 @@ void cper_print_bits(const char *pfx, unsigned int bits,
+ printk("%s\n", buf);
+ }
+
++/**
++ * cper_bits_to_str - return a string for set bits
++ * @buf: buffer to store the output string
++ * @buf_size: size of the output string buffer
++ * @bits: bit mask
++ * @strs: string array, indexed by bit position
++ * @strs_size: size of the string array: @strs
++ *
++ * Add to @buf the bitmask in hexadecimal. Then, for each set bit in @bits,
++ * add the corresponding string describing the bit in @strs to @buf.
++ *
++ * A typical example is::
++ *
++ * const char * const bits[] = {
++ * "bit 3 name",
++ * "bit 4 name",
++ * "bit 5 name",
++ * };
++ * char str[120];
++ * unsigned int bitmask = BIT(3) | BIT(5);
++ * #define MASK GENMASK(5,3)
++ *
++ * cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
++ * bits, ARRAY_SIZE(bits));
++ *
++ * The above code fills the string ``str`` with ``bit 3 name|bit 5 name``.
++ *
++ * Return: number of bytes stored or an error code if lower than zero.
++ */
++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
++ const char * const strs[], unsigned int strs_size)
++{
++ int len = buf_size;
++ char *str = buf;
++ int i, size;
++
++ *buf = '\0';
++
++ for_each_set_bit(i, &bits, strs_size) {
++ if (!(bits & BIT_ULL(i)))
++ continue;
++
++ if (*buf && len > 0) {
++ *str = '|';
++ len--;
++ str++;
++ }
++
++ size = strscpy(str, strs[i], len);
++ if (size < 0)
++ return size;
++
++ len -= size;
++ str += size;
++ }
++ return len - buf_size;
++}
++EXPORT_SYMBOL_GPL(cper_bits_to_str);
++
+ static const char * const proc_type_strs[] = {
+ "IA32/X64",
+ "IA64",
+diff --git a/include/linux/cper.h b/include/linux/cper.h
+index 0ed60a91eca9d..58f40477c824e 100644
+--- a/include/linux/cper.h
++++ b/include/linux/cper.h
+@@ -588,6 +588,8 @@ const char *cper_mem_err_type_str(unsigned int);
+ const char *cper_mem_err_status_str(u64 status);
+ void cper_print_bits(const char *prefix, unsigned int bits,
+ const char * const strs[], unsigned int strs_size);
++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
++ const char * const strs[], unsigned int strs_size);
+ void cper_mem_err_pack(const struct cper_sec_mem_err *,
+ struct cper_mem_err_compact *);
+ const char *cper_mem_err_unpack(struct trace_seq *,
+--
+2.51.0
+
--- /dev/null
+From 0f6cbe1b97074c212f8d708c4768fa26ac96c43d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:53 -0700
+Subject: efi/cper: Adjust infopfx size to accept an extra space
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 8ad2c72e21efb3dc76c5b14089fa7984cdd87898 ]
+
+Compiling with W=1 with werror enabled produces an error:
+
+drivers/firmware/efi/cper-arm.c: In function ‘cper_print_proc_arm’:
+drivers/firmware/efi/cper-arm.c:298:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
+ 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
+ | ^
+drivers/firmware/efi/cper-arm.c:298:25: note: ‘snprintf’ output between 2 and 65 bytes into a destination of size 64
+ 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As the logic there adds an space at the end of infopx buffer.
+Add an extra space to avoid such warning.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper-arm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
+index f0a63d09d3c49..6ff781e47147c 100644
+--- a/drivers/firmware/efi/cper-arm.c
++++ b/drivers/firmware/efi/cper-arm.c
+@@ -240,7 +240,7 @@ void cper_print_proc_arm(const char *pfx,
+ int i, len, max_ctx_type;
+ struct cper_arm_err_info *err_info;
+ struct cper_arm_ctx_info *ctx_info;
+- char newpfx[64], infopfx[64];
++ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
+
+ printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
+
+--
+2.51.0
+
--- /dev/null
+From dbb5570151a226b3a45331a570c5392f1b858ada Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:55 -0700
+Subject: efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 96b010536ee020e716d28d9b359a4bcd18800aeb ]
+
+Up to UEFI spec 2.9, the type byte of CPER struct for ARM processor
+was defined simply as:
+
+Type at byte offset 4:
+
+ - Cache error
+ - TLB Error
+ - Bus Error
+ - Micro-architectural Error
+ All other values are reserved
+
+Yet, there was no information about how this would be encoded.
+
+Spec 2.9A errata corrected it by defining:
+
+ - Bit 1 - Cache Error
+ - Bit 2 - TLB Error
+ - Bit 3 - Bus Error
+ - Bit 4 - Micro-architectural Error
+ All other values are reserved
+
+That actually aligns with the values already defined on older
+versions at N.2.4.1. Generic Processor Error Section.
+
+Spec 2.10 also preserve the same encoding as 2.9A.
+
+Adjust CPER and GHES handling code for both generic and ARM
+processors to properly handle UEFI 2.9A and 2.10 encoding.
+
+Link: https://uefi.org/specs/UEFI/2.10/Apx_N_Common_Platform_Error_Record.html#arm-processor-error-information
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/apei/ghes.c | 16 +++++++----
+ drivers/firmware/efi/cper-arm.c | 50 ++++++++++++++++-----------------
+ include/linux/cper.h | 10 +++----
+ 3 files changed, 39 insertions(+), 37 deletions(-)
+
+diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
+index 7fca0ede9ecc0..307dc7f62e525 100644
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -22,6 +22,7 @@
+ #include <linux/moduleparam.h>
+ #include <linux/init.h>
+ #include <linux/acpi.h>
++#include <linux/bitfield.h>
+ #include <linux/io.h>
+ #include <linux/interrupt.h>
+ #include <linux/timer.h>
+@@ -556,6 +557,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ {
+ struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata);
+ int flags = sync ? MF_ACTION_REQUIRED : 0;
++ char error_type[120];
+ bool queued = false;
+ int sec_sev, i;
+ char *p;
+@@ -568,9 +570,8 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ p = (char *)(err + 1);
+ for (i = 0; i < err->err_info_num; i++) {
+ struct cper_arm_err_info *err_info = (struct cper_arm_err_info *)p;
+- bool is_cache = (err_info->type == CPER_ARM_CACHE_ERROR);
++ bool is_cache = err_info->type & CPER_ARM_CACHE_ERROR;
+ bool has_pa = (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADDR);
+- const char *error_type = "unknown error";
+
+ /*
+ * The field (err_info->error_info & BIT(26)) is fixed to set to
+@@ -584,12 +585,15 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ continue;
+ }
+
+- if (err_info->type < ARRAY_SIZE(cper_proc_error_type_strs))
+- error_type = cper_proc_error_type_strs[err_info->type];
++ cper_bits_to_str(error_type, sizeof(error_type),
++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
++ cper_proc_error_type_strs,
++ ARRAY_SIZE(cper_proc_error_type_strs));
+
+ pr_warn_ratelimited(FW_WARN GHES_PFX
+- "Unhandled processor error type: %s\n",
+- error_type);
++ "Unhandled processor error type 0x%02x: %s%s\n",
++ err_info->type, error_type,
++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
+ p += err_info->length;
+ }
+
+diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
+index 6ff781e47147c..76542a53e2027 100644
+--- a/drivers/firmware/efi/cper-arm.c
++++ b/drivers/firmware/efi/cper-arm.c
+@@ -93,15 +93,11 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
+ bool proc_context_corrupt, corrected, precise_pc, restartable_pc;
+ bool time_out, access_mode;
+
+- /* If the type is unknown, bail. */
+- if (type > CPER_ARM_MAX_TYPE)
+- return;
+-
+ /*
+ * Vendor type errors have error information values that are vendor
+ * specific.
+ */
+- if (type == CPER_ARM_VENDOR_ERROR)
++ if (type & CPER_ARM_VENDOR_ERROR)
+ return;
+
+ if (error_info & CPER_ARM_ERR_VALID_TRANSACTION_TYPE) {
+@@ -116,43 +112,38 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
+ if (error_info & CPER_ARM_ERR_VALID_OPERATION_TYPE) {
+ op_type = ((error_info >> CPER_ARM_ERR_OPERATION_SHIFT)
+ & CPER_ARM_ERR_OPERATION_MASK);
+- switch (type) {
+- case CPER_ARM_CACHE_ERROR:
++ if (type & CPER_ARM_CACHE_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_cache_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%scache error, operation type: %s\n", pfx,
+ arm_cache_err_op_strs[op_type]);
+ }
+- break;
+- case CPER_ARM_TLB_ERROR:
++ }
++ if (type & CPER_ARM_TLB_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_tlb_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%sTLB error, operation type: %s\n", pfx,
+ arm_tlb_err_op_strs[op_type]);
+ }
+- break;
+- case CPER_ARM_BUS_ERROR:
++ }
++ if (type & CPER_ARM_BUS_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_bus_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%sbus error, operation type: %s\n", pfx,
+ arm_bus_err_op_strs[op_type]);
+ }
+- break;
+ }
+ }
+
+ if (error_info & CPER_ARM_ERR_VALID_LEVEL) {
+ level = ((error_info >> CPER_ARM_ERR_LEVEL_SHIFT)
+ & CPER_ARM_ERR_LEVEL_MASK);
+- switch (type) {
+- case CPER_ARM_CACHE_ERROR:
++ if (type & CPER_ARM_CACHE_ERROR)
+ printk("%scache level: %d\n", pfx, level);
+- break;
+- case CPER_ARM_TLB_ERROR:
++
++ if (type & CPER_ARM_TLB_ERROR)
+ printk("%sTLB level: %d\n", pfx, level);
+- break;
+- case CPER_ARM_BUS_ERROR:
++
++ if (type & CPER_ARM_BUS_ERROR)
+ printk("%saffinity level at which the bus error occurred: %d\n",
+ pfx, level);
+- break;
+- }
+ }
+
+ if (error_info & CPER_ARM_ERR_VALID_PROC_CONTEXT_CORRUPT) {
+@@ -241,6 +232,7 @@ void cper_print_proc_arm(const char *pfx,
+ struct cper_arm_err_info *err_info;
+ struct cper_arm_ctx_info *ctx_info;
+ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
++ char error_type[120];
+
+ printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
+
+@@ -289,9 +281,15 @@ void cper_print_proc_arm(const char *pfx,
+ newpfx);
+ }
+
+- printk("%serror_type: %d, %s\n", newpfx, err_info->type,
+- err_info->type < ARRAY_SIZE(cper_proc_error_type_strs) ?
+- cper_proc_error_type_strs[err_info->type] : "unknown");
++ cper_bits_to_str(error_type, sizeof(error_type),
++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
++ cper_proc_error_type_strs,
++ ARRAY_SIZE(cper_proc_error_type_strs));
++
++ printk("%serror_type: 0x%02x: %s%s\n", newpfx, err_info->type,
++ error_type,
++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
++
+ if (err_info->validation_bits & CPER_ARM_INFO_VALID_ERR_INFO) {
+ printk("%serror_info: 0x%016llx\n", newpfx,
+ err_info->error_info);
+diff --git a/include/linux/cper.h b/include/linux/cper.h
+index 58f40477c824e..5b1236d8c65bb 100644
+--- a/include/linux/cper.h
++++ b/include/linux/cper.h
+@@ -297,11 +297,11 @@ enum {
+ #define CPER_ARM_INFO_FLAGS_PROPAGATED BIT(2)
+ #define CPER_ARM_INFO_FLAGS_OVERFLOW BIT(3)
+
+-#define CPER_ARM_CACHE_ERROR 0
+-#define CPER_ARM_TLB_ERROR 1
+-#define CPER_ARM_BUS_ERROR 2
+-#define CPER_ARM_VENDOR_ERROR 3
+-#define CPER_ARM_MAX_TYPE CPER_ARM_VENDOR_ERROR
++#define CPER_ARM_ERR_TYPE_MASK GENMASK(4,1)
++#define CPER_ARM_CACHE_ERROR BIT(1)
++#define CPER_ARM_TLB_ERROR BIT(2)
++#define CPER_ARM_BUS_ERROR BIT(3)
++#define CPER_ARM_VENDOR_ERROR BIT(4)
+
+ #define CPER_ARM_ERR_VALID_TRANSACTION_TYPE BIT(0)
+ #define CPER_ARM_ERR_VALID_OPERATION_TYPE BIT(1)
+--
+2.51.0
+
--- /dev/null
+From 2df1f4da8e6dd48cafea2b30b47d3a7ac9b23f7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Dec 2025 09:54:16 +0300
+Subject: irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 ]
+
+If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then
+it results in an out of bounds access.
+
+The code checks for invalid values, but doesn't set the error code. Return
+-EINVAL in that case, instead of returning success.
+
+Fixes: 00fa3461c86d ("irqchip/mchp-eic: Add support for the Microchip EIC")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Link: https://patch.msgid.link/aTfHmOz6IBpTIPU5@stanley.mountain
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-mchp-eic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-mchp-eic.c b/drivers/irqchip/irq-mchp-eic.c
+index 516a3a0e359cc..c6b5529e17f1a 100644
+--- a/drivers/irqchip/irq-mchp-eic.c
++++ b/drivers/irqchip/irq-mchp-eic.c
+@@ -166,7 +166,7 @@ static int mchp_eic_domain_alloc(struct irq_domain *domain, unsigned int virq,
+
+ ret = irq_domain_translate_twocell(domain, fwspec, &hwirq, &type);
+ if (ret || hwirq >= MCHP_EIC_NIRQ)
+- return ret;
++ return ret ?: -EINVAL;
+
+ switch (type) {
+ case IRQ_TYPE_EDGE_RISING:
+--
+2.51.0
+
--- /dev/null
+From 368a7d2de28ec533753c601d0a577104de6af34f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Dec 2025 09:51:59 +0300
+Subject: ocfs2: fix memory leak in ocfs2_merge_rec_left()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 2214ec4bf89d0fd27717322d3983a2f3b469c7f3 ]
+
+In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after
+move, thus allowing 'ocfs2_free_path()' to free it before return.
+
+Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru
+Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2
+Reviewed-by: Heming Zhao <heming.zhao@suse.com>
+Acked-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/alloc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
+index 821cb7874685e..b23eb63dc838b 100644
+--- a/fs/ocfs2/alloc.c
++++ b/fs/ocfs2/alloc.c
+@@ -3654,7 +3654,6 @@ static int ocfs2_merge_rec_left(struct ocfs2_path *right_path,
+ * So we use the new rightmost path.
+ */
+ ocfs2_mv_path(right_path, left_path);
+- left_path = NULL;
+ } else
+ ocfs2_complete_edge_insert(handle, left_path,
+ right_path, subtree_index);
+--
+2.51.0
+
--- /dev/null
+From a7dd63cda492a9fe1c90bff56e22ad4fc3ff8ddb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Dec 2025 12:16:00 +0800
+Subject: perf/core: Fix missing read event generation on task exit
+
+From: Thaumy Cheng <thaumy.love@gmail.com>
+
+[ Upstream commit c418d8b4d7a43a86b82ee39cb52ece3034383530 ]
+
+For events with inherit_stat enabled, a "read" event will be generated
+to collect per task event counts on task exit.
+
+The call chain is as follows:
+
+do_exit
+ -> perf_event_exit_task
+ -> perf_event_exit_task_context
+ -> perf_event_exit_event
+ -> perf_remove_from_context
+ -> perf_child_detach
+ -> sync_child_event
+ -> perf_event_read_event
+
+However, the child event context detaches the task too early in
+perf_event_exit_task_context, which causes sync_child_event to never
+generate the read event in this case, since child_event->ctx->task is
+always set to TASK_TOMBSTONE. Fix that by moving context lock section
+backward to ensure ctx->task is not set to TASK_TOMBSTONE before
+generating the read event.
+
+Because perf_event_free_task calls perf_event_exit_task_context with
+exit = false to tear down all child events from the context, and the
+task never lived, accessing the task PID can lead to a use-after-free.
+
+To fix that, let sync_child_event read task from argument and move the
+call to the only place it should be triggered to avoid the effect of
+setting ctx->task to TASK_TOMESTONE, and add a task parameter to
+perf_event_exit_event to trigger the sync_child_event properly when
+needed.
+
+This bug can be reproduced by running "perf record -s" and attaching to
+any program that generates perf events in its child tasks. If we check
+the result with "perf report -T", the last line of the report will leave
+an empty table like "# PID TID", which is expected to contain the
+per-task event counts by design.
+
+Fixes: ef54c1a476ae ("perf: Rework perf_event_exit_event()")
+Signed-off-by: Thaumy Cheng <thaumy.love@gmail.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Ian Rogers <irogers@google.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: linux-perf-users@vger.kernel.org
+Link: https://patch.msgid.link/20251209041600.963586-1-thaumy.love@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 01d080978865f..a9d7ad4301353 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -2316,8 +2316,6 @@ static void perf_group_detach(struct perf_event *event)
+ perf_event__header_size(leader);
+ }
+
+-static void sync_child_event(struct perf_event *child_event);
+-
+ static void perf_child_detach(struct perf_event *event)
+ {
+ struct perf_event *parent_event = event->parent;
+@@ -2336,7 +2334,6 @@ static void perf_child_detach(struct perf_event *event)
+ lockdep_assert_held(&parent_event->child_mutex);
+ */
+
+- sync_child_event(event);
+ list_del_init(&event->child_list);
+ }
+
+@@ -4587,6 +4584,7 @@ static void perf_event_enable_on_exec(struct perf_event_context *ctx)
+ static void perf_remove_from_owner(struct perf_event *event);
+ static void perf_event_exit_event(struct perf_event *event,
+ struct perf_event_context *ctx,
++ struct task_struct *task,
+ bool revoke);
+
+ /*
+@@ -4614,7 +4612,7 @@ static void perf_event_remove_on_exec(struct perf_event_context *ctx)
+
+ modified = true;
+
+- perf_event_exit_event(event, ctx, false);
++ perf_event_exit_event(event, ctx, ctx->task, false);
+ }
+
+ raw_spin_lock_irqsave(&ctx->lock, flags);
+@@ -12431,7 +12429,7 @@ static void __pmu_detach_event(struct pmu *pmu, struct perf_event *event,
+ /*
+ * De-schedule the event and mark it REVOKED.
+ */
+- perf_event_exit_event(event, ctx, true);
++ perf_event_exit_event(event, ctx, ctx->task, true);
+
+ /*
+ * All _free_event() bits that rely on event->pmu:
+@@ -13988,14 +13986,13 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
+ }
+ EXPORT_SYMBOL_GPL(perf_pmu_migrate_context);
+
+-static void sync_child_event(struct perf_event *child_event)
++static void sync_child_event(struct perf_event *child_event,
++ struct task_struct *task)
+ {
+ struct perf_event *parent_event = child_event->parent;
+ u64 child_val;
+
+ if (child_event->attr.inherit_stat) {
+- struct task_struct *task = child_event->ctx->task;
+-
+ if (task && task != TASK_TOMBSTONE)
+ perf_event_read_event(child_event, task);
+ }
+@@ -14014,7 +14011,9 @@ static void sync_child_event(struct perf_event *child_event)
+
+ static void
+ perf_event_exit_event(struct perf_event *event,
+- struct perf_event_context *ctx, bool revoke)
++ struct perf_event_context *ctx,
++ struct task_struct *task,
++ bool revoke)
+ {
+ struct perf_event *parent_event = event->parent;
+ unsigned long detach_flags = DETACH_EXIT;
+@@ -14037,6 +14036,9 @@ perf_event_exit_event(struct perf_event *event,
+ mutex_lock(&parent_event->child_mutex);
+ /* PERF_ATTACH_ITRACE might be set concurrently */
+ attach_state = READ_ONCE(event->attach_state);
++
++ if (attach_state & PERF_ATTACH_CHILD)
++ sync_child_event(event, task);
+ }
+
+ if (revoke)
+@@ -14128,7 +14130,7 @@ static void perf_event_exit_task_context(struct task_struct *task, bool exit)
+ perf_event_task(task, ctx, 0);
+
+ list_for_each_entry_safe(child_event, next, &ctx->event_list, event_entry)
+- perf_event_exit_event(child_event, ctx, false);
++ perf_event_exit_event(child_event, ctx, exit ? task : NULL, false);
+
+ mutex_unlock(&ctx->mutex);
+
+--
+2.51.0
+
--- /dev/null
+From 4b94121077155aff60902437ba085c9542b69207 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Dec 2025 16:49:43 +0800
+Subject: perf/x86/intel: Fix NULL event dereference crash in
+ handle_pmi_common()
+
+From: Evan Li <evan.li@linux.alibaba.com>
+
+[ Upstream commit 9415f749d34b926b9e4853da1462f4d941f89a0d ]
+
+handle_pmi_common() may observe an active bit set in cpuc->active_mask
+while the corresponding cpuc->events[] entry has already been cleared,
+which leads to a NULL pointer dereference.
+
+This can happen when interrupt throttling stops all events in a group
+while PEBS processing is still in progress. perf_event_overflow() can
+trigger perf_event_throttle_group(), which stops the group and clears
+the cpuc->events[] entry, but the active bit may still be set when
+handle_pmi_common() iterates over the events.
+
+The following recent fix:
+
+ 7e772a93eb61 ("perf/x86: Fix NULL event access and potential PEBS record loss")
+
+moved the cpuc->events[] clearing from x86_pmu_stop() to x86_pmu_del() and
+relied on cpuc->active_mask/pebs_enabled checks. However,
+handle_pmi_common() can still encounter a NULL cpuc->events[] entry
+despite the active bit being set.
+
+Add an explicit NULL check on the event pointer before using it,
+to cover this legitimate scenario and avoid the NULL dereference crash.
+
+Fixes: 7e772a93eb61 ("perf/x86: Fix NULL event access and potential PEBS record loss")
+Reported-by: kitta <kitta@linux.alibaba.com>
+Co-developed-by: kitta <kitta@linux.alibaba.com>
+Signed-off-by: Evan Li <evan.li@linux.alibaba.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://patch.msgid.link/20251212084943.2124787-1-evan.li@linux.alibaba.com
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220855
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
+index 52270268144c2..76cd840e33e30 100644
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -3249,6 +3249,9 @@ static int handle_pmi_common(struct pt_regs *regs, u64 status)
+
+ if (!test_bit(bit, cpuc->active_mask))
+ continue;
++ /* Event may have already been cleared: */
++ if (!event)
++ continue;
+
+ /*
+ * There may be unprocessed PEBS records in the PEBS buffer,
+--
+2.51.0
+
--- /dev/null
+From 6d83260eda448f97733ad4a6583c06c5f483a370 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Oct 2025 18:01:49 +0800
+Subject: scsi: imm: Fix use-after-free bug caused by unfinished delayed work
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c ]
+
+The delayed work item 'imm_tq' is initialized in imm_attach() and
+scheduled via imm_queuecommand() for processing SCSI commands. When the
+IMM parallel port SCSI host adapter is detached through imm_detach(),
+the imm_struct device instance is deallocated.
+
+However, the delayed work might still be pending or executing
+when imm_detach() is called, leading to use-after-free bugs
+when the work function imm_interrupt() accesses the already
+freed imm_struct memory.
+
+The race condition can occur as follows:
+
+CPU 0(detach thread) | CPU 1
+ | imm_queuecommand()
+ | imm_queuecommand_lck()
+imm_detach() | schedule_delayed_work()
+ kfree(dev) //FREE | imm_interrupt()
+ | dev = container_of(...) //USE
+ dev-> //USE
+
+Add disable_delayed_work_sync() in imm_detach() to guarantee proper
+cancellation of the delayed work item before imm_struct is deallocated.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Link: https://patch.msgid.link/20251028100149.40721-1-duoming@zju.edu.cn
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/imm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/imm.c b/drivers/scsi/imm.c
+index 0821cf994b986..8a099bc27e06c 100644
+--- a/drivers/scsi/imm.c
++++ b/drivers/scsi/imm.c
+@@ -1260,6 +1260,7 @@ static void imm_detach(struct parport *pb)
+ imm_struct *dev;
+ list_for_each_entry(dev, &imm_hosts, list) {
+ if (dev->dev->port == pb) {
++ disable_delayed_work_sync(&dev->imm_tq);
+ list_del_init(&dev->list);
+ scsi_remove_host(dev->host);
+ scsi_host_put(dev->host);
+--
+2.51.0
+
asoc-amd-acp-update-tdm-channels-for-specific-dai.patch
dm-raid-fix-possible-null-dereference-with-undefined.patch
dm-log-writes-add-missing-set_freezable-for-freezabl.patch
+efi-cper-add-a-new-helper-function-to-print-bitmasks.patch
+efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch
+efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch
+scsi-imm-fix-use-after-free-bug-caused-by-unfinished.patch
+perf-core-fix-missing-read-event-generation-on-task-.patch
+irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch
+cpu-make-atomic-hotplug-callbacks-run-with-interrupt.patch
+ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch
+perf-x86-intel-fix-null-event-dereference-crash-in-h.patch
--- /dev/null
+From 73698ee794ce0f31ce804713c6915ea089fdda5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Nov 2025 15:47:23 +0100
+Subject: cpu: Make atomic hotplug callbacks run with interrupts disabled on UP
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit c94291914b200e10c72cef23c8e4c67eb4fdbcd9 ]
+
+On SMP systems the CPU hotplug callbacks in the "starting" range are
+invoked while the CPU is brought up and interrupts are still
+disabled. Callbacks which are added later are invoked via the
+hotplug-thread on the target CPU and interrupts are explicitly disabled.
+
+In the UP case callbacks which are added later are invoked directly without
+the thread indirection. This is in principle okay since there is just one
+CPU but those callbacks are invoked with interrupt disabled code. That's
+incorrect as those callbacks assume interrupt disabled context.
+
+Disable interrupts before invoking the callbacks on UP if the state is
+atomic and interrupts are expected to be disabled. The "save" part is
+required because this is also invoked early in the boot process while
+interrupts are disabled and must not be enabled prematurely.
+
+Fixes: 06ddd17521bf1 ("sched/smp: Always define is_percpu_thread() and scheduler_ipi()")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://patch.msgid.link/20251127144723.ev9DuXXR@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cpu.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/cpu.c b/kernel/cpu.c
+index db9f6c539b28c..15000c7abc659 100644
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -249,6 +249,14 @@ static int cpuhp_invoke_callback(unsigned int cpu, enum cpuhp_state state,
+ return ret;
+ }
+
++/*
++ * The former STARTING/DYING states, ran with IRQs disabled and must not fail.
++ */
++static bool cpuhp_is_atomic_state(enum cpuhp_state state)
++{
++ return CPUHP_AP_IDLE_DEAD <= state && state < CPUHP_AP_ONLINE;
++}
++
+ #ifdef CONFIG_SMP
+ static bool cpuhp_is_ap_state(enum cpuhp_state state)
+ {
+@@ -271,14 +279,6 @@ static inline void complete_ap_thread(struct cpuhp_cpu_state *st, bool bringup)
+ complete(done);
+ }
+
+-/*
+- * The former STARTING/DYING states, ran with IRQs disabled and must not fail.
+- */
+-static bool cpuhp_is_atomic_state(enum cpuhp_state state)
+-{
+- return CPUHP_AP_IDLE_DEAD <= state && state < CPUHP_AP_ONLINE;
+-}
+-
+ /* Synchronization state management */
+ enum cpuhp_sync_state {
+ SYNC_STATE_DEAD,
+@@ -2364,7 +2364,14 @@ static int cpuhp_issue_call(int cpu, enum cpuhp_state state, bool bringup,
+ else
+ ret = cpuhp_invoke_callback(cpu, state, bringup, node, NULL);
+ #else
+- ret = cpuhp_invoke_callback(cpu, state, bringup, node, NULL);
++ if (cpuhp_is_atomic_state(state)) {
++ guard(irqsave)();
++ ret = cpuhp_invoke_callback(cpu, state, bringup, node, NULL);
++ /* STARTING/DYING must not fail! */
++ WARN_ON_ONCE(ret);
++ } else {
++ ret = cpuhp_invoke_callback(cpu, state, bringup, node, NULL);
++ }
+ #endif
+ BUG_ON(ret && !bringup);
+ return ret;
+--
+2.51.0
+
--- /dev/null
+From 06d39b93424e64e47244b0ccb97a3c6b2c033cfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:54 -0700
+Subject: efi/cper: Add a new helper function to print bitmasks
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit a976d790f49499ccaa0f991788ad8ebf92e7fd5c ]
+
+Add a helper function to print a string with names associated
+to each bit field.
+
+A typical example is:
+
+ const char * const bits[] = {
+ "bit 3 name",
+ "bit 4 name",
+ "bit 5 name",
+ };
+ char str[120];
+ unsigned int bitmask = BIT(3) | BIT(5);
+
+ #define MASK GENMASK(5,3)
+
+ cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
+ bits, ARRAY_SIZE(bits));
+
+The above code fills string "str" with "bit 3 name|bit 5 name".
+
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper.c | 60 +++++++++++++++++++++++++++++++++++++
+ include/linux/cper.h | 2 ++
+ 2 files changed, 62 insertions(+)
+
+diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
+index 928409199a1a4..79ba688a64f8d 100644
+--- a/drivers/firmware/efi/cper.c
++++ b/drivers/firmware/efi/cper.c
+@@ -12,6 +12,7 @@
+ * Specification version 2.4.
+ */
+
++#include <linux/bitmap.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/time.h>
+@@ -106,6 +107,65 @@ void cper_print_bits(const char *pfx, unsigned int bits,
+ printk("%s\n", buf);
+ }
+
++/**
++ * cper_bits_to_str - return a string for set bits
++ * @buf: buffer to store the output string
++ * @buf_size: size of the output string buffer
++ * @bits: bit mask
++ * @strs: string array, indexed by bit position
++ * @strs_size: size of the string array: @strs
++ *
++ * Add to @buf the bitmask in hexadecimal. Then, for each set bit in @bits,
++ * add the corresponding string describing the bit in @strs to @buf.
++ *
++ * A typical example is::
++ *
++ * const char * const bits[] = {
++ * "bit 3 name",
++ * "bit 4 name",
++ * "bit 5 name",
++ * };
++ * char str[120];
++ * unsigned int bitmask = BIT(3) | BIT(5);
++ * #define MASK GENMASK(5,3)
++ *
++ * cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
++ * bits, ARRAY_SIZE(bits));
++ *
++ * The above code fills the string ``str`` with ``bit 3 name|bit 5 name``.
++ *
++ * Return: number of bytes stored or an error code if lower than zero.
++ */
++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
++ const char * const strs[], unsigned int strs_size)
++{
++ int len = buf_size;
++ char *str = buf;
++ int i, size;
++
++ *buf = '\0';
++
++ for_each_set_bit(i, &bits, strs_size) {
++ if (!(bits & BIT_ULL(i)))
++ continue;
++
++ if (*buf && len > 0) {
++ *str = '|';
++ len--;
++ str++;
++ }
++
++ size = strscpy(str, strs[i], len);
++ if (size < 0)
++ return size;
++
++ len -= size;
++ str += size;
++ }
++ return len - buf_size;
++}
++EXPORT_SYMBOL_GPL(cper_bits_to_str);
++
+ static const char * const proc_type_strs[] = {
+ "IA32/X64",
+ "IA64",
+diff --git a/include/linux/cper.h b/include/linux/cper.h
+index 0ed60a91eca9d..58f40477c824e 100644
+--- a/include/linux/cper.h
++++ b/include/linux/cper.h
+@@ -588,6 +588,8 @@ const char *cper_mem_err_type_str(unsigned int);
+ const char *cper_mem_err_status_str(u64 status);
+ void cper_print_bits(const char *prefix, unsigned int bits,
+ const char * const strs[], unsigned int strs_size);
++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
++ const char * const strs[], unsigned int strs_size);
+ void cper_mem_err_pack(const struct cper_sec_mem_err *,
+ struct cper_mem_err_compact *);
+ const char *cper_mem_err_unpack(struct trace_seq *,
+--
+2.51.0
+
--- /dev/null
+From 3d7673efcd982e70a20ef7e41ea394c5d120da30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:53 -0700
+Subject: efi/cper: Adjust infopfx size to accept an extra space
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 8ad2c72e21efb3dc76c5b14089fa7984cdd87898 ]
+
+Compiling with W=1 with werror enabled produces an error:
+
+drivers/firmware/efi/cper-arm.c: In function ‘cper_print_proc_arm’:
+drivers/firmware/efi/cper-arm.c:298:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
+ 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
+ | ^
+drivers/firmware/efi/cper-arm.c:298:25: note: ‘snprintf’ output between 2 and 65 bytes into a destination of size 64
+ 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As the logic there adds an space at the end of infopx buffer.
+Add an extra space to avoid such warning.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper-arm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
+index f0a63d09d3c49..6ff781e47147c 100644
+--- a/drivers/firmware/efi/cper-arm.c
++++ b/drivers/firmware/efi/cper-arm.c
+@@ -240,7 +240,7 @@ void cper_print_proc_arm(const char *pfx,
+ int i, len, max_ctx_type;
+ struct cper_arm_err_info *err_info;
+ struct cper_arm_ctx_info *ctx_info;
+- char newpfx[64], infopfx[64];
++ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
+
+ printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
+
+--
+2.51.0
+
--- /dev/null
+From 30c01cc4441a729b83856c5870420e420d9f3f20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:55 -0700
+Subject: efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 96b010536ee020e716d28d9b359a4bcd18800aeb ]
+
+Up to UEFI spec 2.9, the type byte of CPER struct for ARM processor
+was defined simply as:
+
+Type at byte offset 4:
+
+ - Cache error
+ - TLB Error
+ - Bus Error
+ - Micro-architectural Error
+ All other values are reserved
+
+Yet, there was no information about how this would be encoded.
+
+Spec 2.9A errata corrected it by defining:
+
+ - Bit 1 - Cache Error
+ - Bit 2 - TLB Error
+ - Bit 3 - Bus Error
+ - Bit 4 - Micro-architectural Error
+ All other values are reserved
+
+That actually aligns with the values already defined on older
+versions at N.2.4.1. Generic Processor Error Section.
+
+Spec 2.10 also preserve the same encoding as 2.9A.
+
+Adjust CPER and GHES handling code for both generic and ARM
+processors to properly handle UEFI 2.9A and 2.10 encoding.
+
+Link: https://uefi.org/specs/UEFI/2.10/Apx_N_Common_Platform_Error_Record.html#arm-processor-error-information
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/apei/ghes.c | 16 +++++++----
+ drivers/firmware/efi/cper-arm.c | 50 ++++++++++++++++-----------------
+ include/linux/cper.h | 10 +++----
+ 3 files changed, 39 insertions(+), 37 deletions(-)
+
+diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
+index 7d2466b515046..56107aa002744 100644
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -22,6 +22,7 @@
+ #include <linux/moduleparam.h>
+ #include <linux/init.h>
+ #include <linux/acpi.h>
++#include <linux/bitfield.h>
+ #include <linux/io.h>
+ #include <linux/interrupt.h>
+ #include <linux/timer.h>
+@@ -556,6 +557,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ {
+ struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata);
+ int flags = sync ? MF_ACTION_REQUIRED : 0;
++ char error_type[120];
+ bool queued = false;
+ int sec_sev, i;
+ char *p;
+@@ -568,9 +570,8 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ p = (char *)(err + 1);
+ for (i = 0; i < err->err_info_num; i++) {
+ struct cper_arm_err_info *err_info = (struct cper_arm_err_info *)p;
+- bool is_cache = (err_info->type == CPER_ARM_CACHE_ERROR);
++ bool is_cache = err_info->type & CPER_ARM_CACHE_ERROR;
+ bool has_pa = (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADDR);
+- const char *error_type = "unknown error";
+
+ /*
+ * The field (err_info->error_info & BIT(26)) is fixed to set to
+@@ -584,12 +585,15 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ continue;
+ }
+
+- if (err_info->type < ARRAY_SIZE(cper_proc_error_type_strs))
+- error_type = cper_proc_error_type_strs[err_info->type];
++ cper_bits_to_str(error_type, sizeof(error_type),
++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
++ cper_proc_error_type_strs,
++ ARRAY_SIZE(cper_proc_error_type_strs));
+
+ pr_warn_ratelimited(FW_WARN GHES_PFX
+- "Unhandled processor error type: %s\n",
+- error_type);
++ "Unhandled processor error type 0x%02x: %s%s\n",
++ err_info->type, error_type,
++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
+ p += err_info->length;
+ }
+
+diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
+index 6ff781e47147c..76542a53e2027 100644
+--- a/drivers/firmware/efi/cper-arm.c
++++ b/drivers/firmware/efi/cper-arm.c
+@@ -93,15 +93,11 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
+ bool proc_context_corrupt, corrected, precise_pc, restartable_pc;
+ bool time_out, access_mode;
+
+- /* If the type is unknown, bail. */
+- if (type > CPER_ARM_MAX_TYPE)
+- return;
+-
+ /*
+ * Vendor type errors have error information values that are vendor
+ * specific.
+ */
+- if (type == CPER_ARM_VENDOR_ERROR)
++ if (type & CPER_ARM_VENDOR_ERROR)
+ return;
+
+ if (error_info & CPER_ARM_ERR_VALID_TRANSACTION_TYPE) {
+@@ -116,43 +112,38 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
+ if (error_info & CPER_ARM_ERR_VALID_OPERATION_TYPE) {
+ op_type = ((error_info >> CPER_ARM_ERR_OPERATION_SHIFT)
+ & CPER_ARM_ERR_OPERATION_MASK);
+- switch (type) {
+- case CPER_ARM_CACHE_ERROR:
++ if (type & CPER_ARM_CACHE_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_cache_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%scache error, operation type: %s\n", pfx,
+ arm_cache_err_op_strs[op_type]);
+ }
+- break;
+- case CPER_ARM_TLB_ERROR:
++ }
++ if (type & CPER_ARM_TLB_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_tlb_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%sTLB error, operation type: %s\n", pfx,
+ arm_tlb_err_op_strs[op_type]);
+ }
+- break;
+- case CPER_ARM_BUS_ERROR:
++ }
++ if (type & CPER_ARM_BUS_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_bus_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%sbus error, operation type: %s\n", pfx,
+ arm_bus_err_op_strs[op_type]);
+ }
+- break;
+ }
+ }
+
+ if (error_info & CPER_ARM_ERR_VALID_LEVEL) {
+ level = ((error_info >> CPER_ARM_ERR_LEVEL_SHIFT)
+ & CPER_ARM_ERR_LEVEL_MASK);
+- switch (type) {
+- case CPER_ARM_CACHE_ERROR:
++ if (type & CPER_ARM_CACHE_ERROR)
+ printk("%scache level: %d\n", pfx, level);
+- break;
+- case CPER_ARM_TLB_ERROR:
++
++ if (type & CPER_ARM_TLB_ERROR)
+ printk("%sTLB level: %d\n", pfx, level);
+- break;
+- case CPER_ARM_BUS_ERROR:
++
++ if (type & CPER_ARM_BUS_ERROR)
+ printk("%saffinity level at which the bus error occurred: %d\n",
+ pfx, level);
+- break;
+- }
+ }
+
+ if (error_info & CPER_ARM_ERR_VALID_PROC_CONTEXT_CORRUPT) {
+@@ -241,6 +232,7 @@ void cper_print_proc_arm(const char *pfx,
+ struct cper_arm_err_info *err_info;
+ struct cper_arm_ctx_info *ctx_info;
+ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
++ char error_type[120];
+
+ printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
+
+@@ -289,9 +281,15 @@ void cper_print_proc_arm(const char *pfx,
+ newpfx);
+ }
+
+- printk("%serror_type: %d, %s\n", newpfx, err_info->type,
+- err_info->type < ARRAY_SIZE(cper_proc_error_type_strs) ?
+- cper_proc_error_type_strs[err_info->type] : "unknown");
++ cper_bits_to_str(error_type, sizeof(error_type),
++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
++ cper_proc_error_type_strs,
++ ARRAY_SIZE(cper_proc_error_type_strs));
++
++ printk("%serror_type: 0x%02x: %s%s\n", newpfx, err_info->type,
++ error_type,
++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
++
+ if (err_info->validation_bits & CPER_ARM_INFO_VALID_ERR_INFO) {
+ printk("%serror_info: 0x%016llx\n", newpfx,
+ err_info->error_info);
+diff --git a/include/linux/cper.h b/include/linux/cper.h
+index 58f40477c824e..5b1236d8c65bb 100644
+--- a/include/linux/cper.h
++++ b/include/linux/cper.h
+@@ -297,11 +297,11 @@ enum {
+ #define CPER_ARM_INFO_FLAGS_PROPAGATED BIT(2)
+ #define CPER_ARM_INFO_FLAGS_OVERFLOW BIT(3)
+
+-#define CPER_ARM_CACHE_ERROR 0
+-#define CPER_ARM_TLB_ERROR 1
+-#define CPER_ARM_BUS_ERROR 2
+-#define CPER_ARM_VENDOR_ERROR 3
+-#define CPER_ARM_MAX_TYPE CPER_ARM_VENDOR_ERROR
++#define CPER_ARM_ERR_TYPE_MASK GENMASK(4,1)
++#define CPER_ARM_CACHE_ERROR BIT(1)
++#define CPER_ARM_TLB_ERROR BIT(2)
++#define CPER_ARM_BUS_ERROR BIT(3)
++#define CPER_ARM_VENDOR_ERROR BIT(4)
+
+ #define CPER_ARM_ERR_VALID_TRANSACTION_TYPE BIT(0)
+ #define CPER_ARM_ERR_VALID_OPERATION_TYPE BIT(1)
+--
+2.51.0
+
--- /dev/null
+From a50e5feaa66480a00615d4cbd4d3940b83aadfb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Dec 2025 09:54:16 +0300
+Subject: irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 ]
+
+If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then
+it results in an out of bounds access.
+
+The code checks for invalid values, but doesn't set the error code. Return
+-EINVAL in that case, instead of returning success.
+
+Fixes: 00fa3461c86d ("irqchip/mchp-eic: Add support for the Microchip EIC")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Link: https://patch.msgid.link/aTfHmOz6IBpTIPU5@stanley.mountain
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-mchp-eic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-mchp-eic.c b/drivers/irqchip/irq-mchp-eic.c
+index b513a899c0853..979bb86929f8e 100644
+--- a/drivers/irqchip/irq-mchp-eic.c
++++ b/drivers/irqchip/irq-mchp-eic.c
+@@ -166,7 +166,7 @@ static int mchp_eic_domain_alloc(struct irq_domain *domain, unsigned int virq,
+
+ ret = irq_domain_translate_twocell(domain, fwspec, &hwirq, &type);
+ if (ret || hwirq >= MCHP_EIC_NIRQ)
+- return ret;
++ return ret ?: -EINVAL;
+
+ switch (type) {
+ case IRQ_TYPE_EDGE_RISING:
+--
+2.51.0
+
--- /dev/null
+From 3b126a0b5f9a1b494641ecaf84555487f07f29fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Dec 2025 09:51:59 +0300
+Subject: ocfs2: fix memory leak in ocfs2_merge_rec_left()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 2214ec4bf89d0fd27717322d3983a2f3b469c7f3 ]
+
+In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after
+move, thus allowing 'ocfs2_free_path()' to free it before return.
+
+Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru
+Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2
+Reviewed-by: Heming Zhao <heming.zhao@suse.com>
+Acked-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/alloc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
+index 162711cc5b201..a0ced11e0c24a 100644
+--- a/fs/ocfs2/alloc.c
++++ b/fs/ocfs2/alloc.c
+@@ -3654,7 +3654,6 @@ static int ocfs2_merge_rec_left(struct ocfs2_path *right_path,
+ * So we use the new rightmost path.
+ */
+ ocfs2_mv_path(right_path, left_path);
+- left_path = NULL;
+ } else
+ ocfs2_complete_edge_insert(handle, left_path,
+ right_path, subtree_index);
+--
+2.51.0
+
--- /dev/null
+From 7e7f6f2e17ff9a64f49496f49ce41f1bccf4724c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Dec 2025 12:16:00 +0800
+Subject: perf/core: Fix missing read event generation on task exit
+
+From: Thaumy Cheng <thaumy.love@gmail.com>
+
+[ Upstream commit c418d8b4d7a43a86b82ee39cb52ece3034383530 ]
+
+For events with inherit_stat enabled, a "read" event will be generated
+to collect per task event counts on task exit.
+
+The call chain is as follows:
+
+do_exit
+ -> perf_event_exit_task
+ -> perf_event_exit_task_context
+ -> perf_event_exit_event
+ -> perf_remove_from_context
+ -> perf_child_detach
+ -> sync_child_event
+ -> perf_event_read_event
+
+However, the child event context detaches the task too early in
+perf_event_exit_task_context, which causes sync_child_event to never
+generate the read event in this case, since child_event->ctx->task is
+always set to TASK_TOMBSTONE. Fix that by moving context lock section
+backward to ensure ctx->task is not set to TASK_TOMBSTONE before
+generating the read event.
+
+Because perf_event_free_task calls perf_event_exit_task_context with
+exit = false to tear down all child events from the context, and the
+task never lived, accessing the task PID can lead to a use-after-free.
+
+To fix that, let sync_child_event read task from argument and move the
+call to the only place it should be triggered to avoid the effect of
+setting ctx->task to TASK_TOMESTONE, and add a task parameter to
+perf_event_exit_event to trigger the sync_child_event properly when
+needed.
+
+This bug can be reproduced by running "perf record -s" and attaching to
+any program that generates perf events in its child tasks. If we check
+the result with "perf report -T", the last line of the report will leave
+an empty table like "# PID TID", which is expected to contain the
+per-task event counts by design.
+
+Fixes: ef54c1a476ae ("perf: Rework perf_event_exit_event()")
+Signed-off-by: Thaumy Cheng <thaumy.love@gmail.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Ian Rogers <irogers@google.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: linux-perf-users@vger.kernel.org
+Link: https://patch.msgid.link/20251209041600.963586-1-thaumy.love@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 2c35acc2722b0..413b88a4e00fb 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -2316,8 +2316,6 @@ static void perf_group_detach(struct perf_event *event)
+ perf_event__header_size(leader);
+ }
+
+-static void sync_child_event(struct perf_event *child_event);
+-
+ static void perf_child_detach(struct perf_event *event)
+ {
+ struct perf_event *parent_event = event->parent;
+@@ -2336,7 +2334,6 @@ static void perf_child_detach(struct perf_event *event)
+ lockdep_assert_held(&parent_event->child_mutex);
+ */
+
+- sync_child_event(event);
+ list_del_init(&event->child_list);
+ }
+
+@@ -4587,6 +4584,7 @@ static void perf_event_enable_on_exec(struct perf_event_context *ctx)
+ static void perf_remove_from_owner(struct perf_event *event);
+ static void perf_event_exit_event(struct perf_event *event,
+ struct perf_event_context *ctx,
++ struct task_struct *task,
+ bool revoke);
+
+ /*
+@@ -4614,7 +4612,7 @@ static void perf_event_remove_on_exec(struct perf_event_context *ctx)
+
+ modified = true;
+
+- perf_event_exit_event(event, ctx, false);
++ perf_event_exit_event(event, ctx, ctx->task, false);
+ }
+
+ raw_spin_lock_irqsave(&ctx->lock, flags);
+@@ -12447,7 +12445,7 @@ static void __pmu_detach_event(struct pmu *pmu, struct perf_event *event,
+ /*
+ * De-schedule the event and mark it REVOKED.
+ */
+- perf_event_exit_event(event, ctx, true);
++ perf_event_exit_event(event, ctx, ctx->task, true);
+
+ /*
+ * All _free_event() bits that rely on event->pmu:
+@@ -14004,14 +14002,13 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
+ }
+ EXPORT_SYMBOL_GPL(perf_pmu_migrate_context);
+
+-static void sync_child_event(struct perf_event *child_event)
++static void sync_child_event(struct perf_event *child_event,
++ struct task_struct *task)
+ {
+ struct perf_event *parent_event = child_event->parent;
+ u64 child_val;
+
+ if (child_event->attr.inherit_stat) {
+- struct task_struct *task = child_event->ctx->task;
+-
+ if (task && task != TASK_TOMBSTONE)
+ perf_event_read_event(child_event, task);
+ }
+@@ -14030,7 +14027,9 @@ static void sync_child_event(struct perf_event *child_event)
+
+ static void
+ perf_event_exit_event(struct perf_event *event,
+- struct perf_event_context *ctx, bool revoke)
++ struct perf_event_context *ctx,
++ struct task_struct *task,
++ bool revoke)
+ {
+ struct perf_event *parent_event = event->parent;
+ unsigned long detach_flags = DETACH_EXIT;
+@@ -14053,6 +14052,9 @@ perf_event_exit_event(struct perf_event *event,
+ mutex_lock(&parent_event->child_mutex);
+ /* PERF_ATTACH_ITRACE might be set concurrently */
+ attach_state = READ_ONCE(event->attach_state);
++
++ if (attach_state & PERF_ATTACH_CHILD)
++ sync_child_event(event, task);
+ }
+
+ if (revoke)
+@@ -14144,7 +14146,7 @@ static void perf_event_exit_task_context(struct task_struct *task, bool exit)
+ perf_event_task(task, ctx, 0);
+
+ list_for_each_entry_safe(child_event, next, &ctx->event_list, event_entry)
+- perf_event_exit_event(child_event, ctx, false);
++ perf_event_exit_event(child_event, ctx, exit ? task : NULL, false);
+
+ mutex_unlock(&ctx->mutex);
+
+--
+2.51.0
+
--- /dev/null
+From b2b3d64e727ec6d64797108fe6b64cffc37bf213 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Dec 2025 16:49:43 +0800
+Subject: perf/x86/intel: Fix NULL event dereference crash in
+ handle_pmi_common()
+
+From: Evan Li <evan.li@linux.alibaba.com>
+
+[ Upstream commit 9415f749d34b926b9e4853da1462f4d941f89a0d ]
+
+handle_pmi_common() may observe an active bit set in cpuc->active_mask
+while the corresponding cpuc->events[] entry has already been cleared,
+which leads to a NULL pointer dereference.
+
+This can happen when interrupt throttling stops all events in a group
+while PEBS processing is still in progress. perf_event_overflow() can
+trigger perf_event_throttle_group(), which stops the group and clears
+the cpuc->events[] entry, but the active bit may still be set when
+handle_pmi_common() iterates over the events.
+
+The following recent fix:
+
+ 7e772a93eb61 ("perf/x86: Fix NULL event access and potential PEBS record loss")
+
+moved the cpuc->events[] clearing from x86_pmu_stop() to x86_pmu_del() and
+relied on cpuc->active_mask/pebs_enabled checks. However,
+handle_pmi_common() can still encounter a NULL cpuc->events[] entry
+despite the active bit being set.
+
+Add an explicit NULL check on the event pointer before using it,
+to cover this legitimate scenario and avoid the NULL dereference crash.
+
+Fixes: 7e772a93eb61 ("perf/x86: Fix NULL event access and potential PEBS record loss")
+Reported-by: kitta <kitta@linux.alibaba.com>
+Co-developed-by: kitta <kitta@linux.alibaba.com>
+Signed-off-by: Evan Li <evan.li@linux.alibaba.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://patch.msgid.link/20251212084943.2124787-1-evan.li@linux.alibaba.com
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220855
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
+index 9b824ed6fc1de..32d551f2646a7 100644
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -3249,6 +3249,9 @@ static int handle_pmi_common(struct pt_regs *regs, u64 status)
+
+ if (!test_bit(bit, cpuc->active_mask))
+ continue;
++ /* Event may have already been cleared: */
++ if (!event)
++ continue;
+
+ /*
+ * There may be unprocessed PEBS records in the PEBS buffer,
+--
+2.51.0
+
--- /dev/null
+From d0e4a1277acdb5d7bb4f60a1df9b24af251dbe7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Oct 2025 18:01:49 +0800
+Subject: scsi: imm: Fix use-after-free bug caused by unfinished delayed work
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c ]
+
+The delayed work item 'imm_tq' is initialized in imm_attach() and
+scheduled via imm_queuecommand() for processing SCSI commands. When the
+IMM parallel port SCSI host adapter is detached through imm_detach(),
+the imm_struct device instance is deallocated.
+
+However, the delayed work might still be pending or executing
+when imm_detach() is called, leading to use-after-free bugs
+when the work function imm_interrupt() accesses the already
+freed imm_struct memory.
+
+The race condition can occur as follows:
+
+CPU 0(detach thread) | CPU 1
+ | imm_queuecommand()
+ | imm_queuecommand_lck()
+imm_detach() | schedule_delayed_work()
+ kfree(dev) //FREE | imm_interrupt()
+ | dev = container_of(...) //USE
+ dev-> //USE
+
+Add disable_delayed_work_sync() in imm_detach() to guarantee proper
+cancellation of the delayed work item before imm_struct is deallocated.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Link: https://patch.msgid.link/20251028100149.40721-1-duoming@zju.edu.cn
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/imm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/imm.c b/drivers/scsi/imm.c
+index 5c602c0577989..45b0e33293a59 100644
+--- a/drivers/scsi/imm.c
++++ b/drivers/scsi/imm.c
+@@ -1260,6 +1260,7 @@ static void imm_detach(struct parport *pb)
+ imm_struct *dev;
+ list_for_each_entry(dev, &imm_hosts, list) {
+ if (dev->dev->port == pb) {
++ disable_delayed_work_sync(&dev->imm_tq);
+ list_del_init(&dev->list);
+ scsi_remove_host(dev->host);
+ scsi_host_put(dev->host);
+--
+2.51.0
+
--- /dev/null
+From 5ad46053d12de48c7637b97e0872561ed407deaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Dec 2025 07:04:52 -1000
+Subject: scsi: ufs: core: Fix an error handler crash
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 14be351e5cd07349377010e457a58fac99201832 ]
+
+The UFS error handler may be activated before SCSI scanning has started
+and hence before hba->ufs_device_wlun has been set. Check the
+hba->ufs_device_wlun pointer before using it.
+
+Cc: Peter Wang <peter.wang@mediatek.com>
+Cc: Nitin Rawat <nitin.rawat@oss.qualcomm.com>
+Fixes: e23ef4f22db3 ("scsi: ufs: core: Fix error handler host_sem issue")
+Fixes: f966e02ae521 ("scsi: ufs: core: Fix runtime suspend error deadlock")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Peter Wang <peter.wang@mediatek.com>
+Reviewed-by: Nitin Rawat <nitin.rawat@oss.qualcomm.com>
+Tested-by: Nitin Rawat <nitin.rawat@oss.qualcomm.com> #SM8750
+Link: https://patch.msgid.link/20251204170457.994851-1-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufshcd.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index 12f5a7a973128..a921a9098a291 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -6670,19 +6670,22 @@ static void ufshcd_err_handler(struct work_struct *work)
+ hba->saved_uic_err, hba->force_reset,
+ ufshcd_is_link_broken(hba) ? "; link is broken" : "");
+
+- /*
+- * Use ufshcd_rpm_get_noresume() here to safely perform link recovery
+- * even if an error occurs during runtime suspend or runtime resume.
+- * This avoids potential deadlocks that could happen if we tried to
+- * resume the device while a PM operation is already in progress.
+- */
+- ufshcd_rpm_get_noresume(hba);
+- if (hba->pm_op_in_progress) {
+- ufshcd_link_recovery(hba);
++ if (hba->ufs_device_wlun) {
++ /*
++ * Use ufshcd_rpm_get_noresume() here to safely perform link
++ * recovery even if an error occurs during runtime suspend or
++ * runtime resume. This avoids potential deadlocks that could
++ * happen if we tried to resume the device while a PM operation
++ * is already in progress.
++ */
++ ufshcd_rpm_get_noresume(hba);
++ if (hba->pm_op_in_progress) {
++ ufshcd_link_recovery(hba);
++ ufshcd_rpm_put(hba);
++ return;
++ }
+ ufshcd_rpm_put(hba);
+- return;
+ }
+- ufshcd_rpm_put(hba);
+
+ down(&hba->host_sem);
+ spin_lock_irqsave(hba->host->host_lock, flags);
+--
+2.51.0
+
asoc-amd-acp-update-tdm-channels-for-specific-dai.patch
dm-raid-fix-possible-null-dereference-with-undefined.patch
dm-log-writes-add-missing-set_freezable-for-freezabl.patch
+scsi-imm-fix-use-after-free-bug-caused-by-unfinished.patch
+scsi-ufs-core-fix-an-error-handler-crash.patch
+perf-core-fix-missing-read-event-generation-on-task-.patch
+irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch
+cpu-make-atomic-hotplug-callbacks-run-with-interrupt.patch
+ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch
+perf-x86-intel-fix-null-event-dereference-crash-in-h.patch
+efi-cper-add-a-new-helper-function-to-print-bitmasks.patch
+efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch
+efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch
--- /dev/null
+From 811403030fb11b2429c2707db96ec5353e67bcd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:54 -0700
+Subject: efi/cper: Add a new helper function to print bitmasks
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit a976d790f49499ccaa0f991788ad8ebf92e7fd5c ]
+
+Add a helper function to print a string with names associated
+to each bit field.
+
+A typical example is:
+
+ const char * const bits[] = {
+ "bit 3 name",
+ "bit 4 name",
+ "bit 5 name",
+ };
+ char str[120];
+ unsigned int bitmask = BIT(3) | BIT(5);
+
+ #define MASK GENMASK(5,3)
+
+ cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
+ bits, ARRAY_SIZE(bits));
+
+The above code fills string "str" with "bit 3 name|bit 5 name".
+
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper.c | 60 +++++++++++++++++++++++++++++++++++++
+ include/linux/cper.h | 2 ++
+ 2 files changed, 62 insertions(+)
+
+diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
+index 35c37f667781c..cd34ef9384f1e 100644
+--- a/drivers/firmware/efi/cper.c
++++ b/drivers/firmware/efi/cper.c
+@@ -12,6 +12,7 @@
+ * Specification version 2.4.
+ */
+
++#include <linux/bitmap.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/time.h>
+@@ -106,6 +107,65 @@ void cper_print_bits(const char *pfx, unsigned int bits,
+ printk("%s\n", buf);
+ }
+
++/**
++ * cper_bits_to_str - return a string for set bits
++ * @buf: buffer to store the output string
++ * @buf_size: size of the output string buffer
++ * @bits: bit mask
++ * @strs: string array, indexed by bit position
++ * @strs_size: size of the string array: @strs
++ *
++ * Add to @buf the bitmask in hexadecimal. Then, for each set bit in @bits,
++ * add the corresponding string describing the bit in @strs to @buf.
++ *
++ * A typical example is::
++ *
++ * const char * const bits[] = {
++ * "bit 3 name",
++ * "bit 4 name",
++ * "bit 5 name",
++ * };
++ * char str[120];
++ * unsigned int bitmask = BIT(3) | BIT(5);
++ * #define MASK GENMASK(5,3)
++ *
++ * cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
++ * bits, ARRAY_SIZE(bits));
++ *
++ * The above code fills the string ``str`` with ``bit 3 name|bit 5 name``.
++ *
++ * Return: number of bytes stored or an error code if lower than zero.
++ */
++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
++ const char * const strs[], unsigned int strs_size)
++{
++ int len = buf_size;
++ char *str = buf;
++ int i, size;
++
++ *buf = '\0';
++
++ for_each_set_bit(i, &bits, strs_size) {
++ if (!(bits & BIT_ULL(i)))
++ continue;
++
++ if (*buf && len > 0) {
++ *str = '|';
++ len--;
++ str++;
++ }
++
++ size = strscpy(str, strs[i], len);
++ if (size < 0)
++ return size;
++
++ len -= size;
++ str += size;
++ }
++ return len - buf_size;
++}
++EXPORT_SYMBOL_GPL(cper_bits_to_str);
++
+ static const char * const proc_type_strs[] = {
+ "IA32/X64",
+ "IA64",
+diff --git a/include/linux/cper.h b/include/linux/cper.h
+index c1a7dc3251215..f792e4b3df907 100644
+--- a/include/linux/cper.h
++++ b/include/linux/cper.h
+@@ -561,6 +561,8 @@ const char *cper_mem_err_type_str(unsigned int);
+ const char *cper_mem_err_status_str(u64 status);
+ void cper_print_bits(const char *prefix, unsigned int bits,
+ const char * const strs[], unsigned int strs_size);
++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
++ const char * const strs[], unsigned int strs_size);
+ void cper_mem_err_pack(const struct cper_sec_mem_err *,
+ struct cper_mem_err_compact *);
+ const char *cper_mem_err_unpack(struct trace_seq *,
+--
+2.51.0
+
--- /dev/null
+From 360fa38e44f411b8133da4a1f2e9d7fd23b04e7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:53 -0700
+Subject: efi/cper: Adjust infopfx size to accept an extra space
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 8ad2c72e21efb3dc76c5b14089fa7984cdd87898 ]
+
+Compiling with W=1 with werror enabled produces an error:
+
+drivers/firmware/efi/cper-arm.c: In function ‘cper_print_proc_arm’:
+drivers/firmware/efi/cper-arm.c:298:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
+ 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
+ | ^
+drivers/firmware/efi/cper-arm.c:298:25: note: ‘snprintf’ output between 2 and 65 bytes into a destination of size 64
+ 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As the logic there adds an space at the end of infopx buffer.
+Add an extra space to avoid such warning.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper-arm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
+index fa9c1c3bf168b..eb7ee6af55f23 100644
+--- a/drivers/firmware/efi/cper-arm.c
++++ b/drivers/firmware/efi/cper-arm.c
+@@ -240,7 +240,7 @@ void cper_print_proc_arm(const char *pfx,
+ int i, len, max_ctx_type;
+ struct cper_arm_err_info *err_info;
+ struct cper_arm_ctx_info *ctx_info;
+- char newpfx[64], infopfx[64];
++ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
+
+ printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
+
+--
+2.51.0
+
--- /dev/null
+From a7bedbca518bf07e22b97e32a8bc0315a991d7b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 09:52:55 -0700
+Subject: efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 96b010536ee020e716d28d9b359a4bcd18800aeb ]
+
+Up to UEFI spec 2.9, the type byte of CPER struct for ARM processor
+was defined simply as:
+
+Type at byte offset 4:
+
+ - Cache error
+ - TLB Error
+ - Bus Error
+ - Micro-architectural Error
+ All other values are reserved
+
+Yet, there was no information about how this would be encoded.
+
+Spec 2.9A errata corrected it by defining:
+
+ - Bit 1 - Cache Error
+ - Bit 2 - TLB Error
+ - Bit 3 - Bus Error
+ - Bit 4 - Micro-architectural Error
+ All other values are reserved
+
+That actually aligns with the values already defined on older
+versions at N.2.4.1. Generic Processor Error Section.
+
+Spec 2.10 also preserve the same encoding as 2.9A.
+
+Adjust CPER and GHES handling code for both generic and ARM
+processors to properly handle UEFI 2.9A and 2.10 encoding.
+
+Link: https://uefi.org/specs/UEFI/2.10/Apx_N_Common_Platform_Error_Record.html#arm-processor-error-information
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/apei/ghes.c | 16 +++++++----
+ drivers/firmware/efi/cper-arm.c | 50 ++++++++++++++++-----------------
+ include/linux/cper.h | 10 +++----
+ 3 files changed, 39 insertions(+), 37 deletions(-)
+
+diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
+index ec364c2541124..e768dfd345fb2 100644
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -22,6 +22,7 @@
+ #include <linux/moduleparam.h>
+ #include <linux/init.h>
+ #include <linux/acpi.h>
++#include <linux/bitfield.h>
+ #include <linux/io.h>
+ #include <linux/interrupt.h>
+ #include <linux/timer.h>
+@@ -528,6 +529,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ {
+ struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata);
+ int flags = sync ? MF_ACTION_REQUIRED : 0;
++ char error_type[120];
+ bool queued = false;
+ int sec_sev, i;
+ char *p;
+@@ -541,9 +543,8 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ p = (char *)(err + 1);
+ for (i = 0; i < err->err_info_num; i++) {
+ struct cper_arm_err_info *err_info = (struct cper_arm_err_info *)p;
+- bool is_cache = (err_info->type == CPER_ARM_CACHE_ERROR);
++ bool is_cache = err_info->type & CPER_ARM_CACHE_ERROR;
+ bool has_pa = (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADDR);
+- const char *error_type = "unknown error";
+
+ /*
+ * The field (err_info->error_info & BIT(26)) is fixed to set to
+@@ -557,12 +558,15 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
+ continue;
+ }
+
+- if (err_info->type < ARRAY_SIZE(cper_proc_error_type_strs))
+- error_type = cper_proc_error_type_strs[err_info->type];
++ cper_bits_to_str(error_type, sizeof(error_type),
++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
++ cper_proc_error_type_strs,
++ ARRAY_SIZE(cper_proc_error_type_strs));
+
+ pr_warn_ratelimited(FW_WARN GHES_PFX
+- "Unhandled processor error type: %s\n",
+- error_type);
++ "Unhandled processor error type 0x%02x: %s%s\n",
++ err_info->type, error_type,
++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
+ p += err_info->length;
+ }
+
+diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
+index eb7ee6af55f23..52d18490b59e3 100644
+--- a/drivers/firmware/efi/cper-arm.c
++++ b/drivers/firmware/efi/cper-arm.c
+@@ -93,15 +93,11 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
+ bool proc_context_corrupt, corrected, precise_pc, restartable_pc;
+ bool time_out, access_mode;
+
+- /* If the type is unknown, bail. */
+- if (type > CPER_ARM_MAX_TYPE)
+- return;
+-
+ /*
+ * Vendor type errors have error information values that are vendor
+ * specific.
+ */
+- if (type == CPER_ARM_VENDOR_ERROR)
++ if (type & CPER_ARM_VENDOR_ERROR)
+ return;
+
+ if (error_info & CPER_ARM_ERR_VALID_TRANSACTION_TYPE) {
+@@ -116,43 +112,38 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
+ if (error_info & CPER_ARM_ERR_VALID_OPERATION_TYPE) {
+ op_type = ((error_info >> CPER_ARM_ERR_OPERATION_SHIFT)
+ & CPER_ARM_ERR_OPERATION_MASK);
+- switch (type) {
+- case CPER_ARM_CACHE_ERROR:
++ if (type & CPER_ARM_CACHE_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_cache_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%scache error, operation type: %s\n", pfx,
+ arm_cache_err_op_strs[op_type]);
+ }
+- break;
+- case CPER_ARM_TLB_ERROR:
++ }
++ if (type & CPER_ARM_TLB_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_tlb_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%sTLB error, operation type: %s\n", pfx,
+ arm_tlb_err_op_strs[op_type]);
+ }
+- break;
+- case CPER_ARM_BUS_ERROR:
++ }
++ if (type & CPER_ARM_BUS_ERROR) {
+ if (op_type < ARRAY_SIZE(arm_bus_err_op_strs)) {
+- printk("%soperation type: %s\n", pfx,
++ printk("%sbus error, operation type: %s\n", pfx,
+ arm_bus_err_op_strs[op_type]);
+ }
+- break;
+ }
+ }
+
+ if (error_info & CPER_ARM_ERR_VALID_LEVEL) {
+ level = ((error_info >> CPER_ARM_ERR_LEVEL_SHIFT)
+ & CPER_ARM_ERR_LEVEL_MASK);
+- switch (type) {
+- case CPER_ARM_CACHE_ERROR:
++ if (type & CPER_ARM_CACHE_ERROR)
+ printk("%scache level: %d\n", pfx, level);
+- break;
+- case CPER_ARM_TLB_ERROR:
++
++ if (type & CPER_ARM_TLB_ERROR)
+ printk("%sTLB level: %d\n", pfx, level);
+- break;
+- case CPER_ARM_BUS_ERROR:
++
++ if (type & CPER_ARM_BUS_ERROR)
+ printk("%saffinity level at which the bus error occurred: %d\n",
+ pfx, level);
+- break;
+- }
+ }
+
+ if (error_info & CPER_ARM_ERR_VALID_PROC_CONTEXT_CORRUPT) {
+@@ -241,6 +232,7 @@ void cper_print_proc_arm(const char *pfx,
+ struct cper_arm_err_info *err_info;
+ struct cper_arm_ctx_info *ctx_info;
+ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
++ char error_type[120];
+
+ printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
+
+@@ -289,9 +281,15 @@ void cper_print_proc_arm(const char *pfx,
+ newpfx);
+ }
+
+- printk("%serror_type: %d, %s\n", newpfx, err_info->type,
+- err_info->type < ARRAY_SIZE(cper_proc_error_type_strs) ?
+- cper_proc_error_type_strs[err_info->type] : "unknown");
++ cper_bits_to_str(error_type, sizeof(error_type),
++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
++ cper_proc_error_type_strs,
++ ARRAY_SIZE(cper_proc_error_type_strs));
++
++ printk("%serror_type: 0x%02x: %s%s\n", newpfx, err_info->type,
++ error_type,
++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
++
+ if (err_info->validation_bits & CPER_ARM_INFO_VALID_ERR_INFO) {
+ printk("%serror_info: 0x%016llx\n", newpfx,
+ err_info->error_info);
+diff --git a/include/linux/cper.h b/include/linux/cper.h
+index f792e4b3df907..ad1ed24730917 100644
+--- a/include/linux/cper.h
++++ b/include/linux/cper.h
+@@ -270,11 +270,11 @@ enum {
+ #define CPER_ARM_INFO_FLAGS_PROPAGATED BIT(2)
+ #define CPER_ARM_INFO_FLAGS_OVERFLOW BIT(3)
+
+-#define CPER_ARM_CACHE_ERROR 0
+-#define CPER_ARM_TLB_ERROR 1
+-#define CPER_ARM_BUS_ERROR 2
+-#define CPER_ARM_VENDOR_ERROR 3
+-#define CPER_ARM_MAX_TYPE CPER_ARM_VENDOR_ERROR
++#define CPER_ARM_ERR_TYPE_MASK GENMASK(4,1)
++#define CPER_ARM_CACHE_ERROR BIT(1)
++#define CPER_ARM_TLB_ERROR BIT(2)
++#define CPER_ARM_BUS_ERROR BIT(3)
++#define CPER_ARM_VENDOR_ERROR BIT(4)
+
+ #define CPER_ARM_ERR_VALID_TRANSACTION_TYPE BIT(0)
+ #define CPER_ARM_ERR_VALID_OPERATION_TYPE BIT(1)
+--
+2.51.0
+
--- /dev/null
+From dccede945f43dc08eb1598cb639def281cc6ac00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Dec 2025 09:54:16 +0300
+Subject: irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 ]
+
+If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then
+it results in an out of bounds access.
+
+The code checks for invalid values, but doesn't set the error code. Return
+-EINVAL in that case, instead of returning success.
+
+Fixes: 00fa3461c86d ("irqchip/mchp-eic: Add support for the Microchip EIC")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Link: https://patch.msgid.link/aTfHmOz6IBpTIPU5@stanley.mountain
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-mchp-eic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-mchp-eic.c b/drivers/irqchip/irq-mchp-eic.c
+index 5dcd94c000a26..8a5baa0987a4b 100644
+--- a/drivers/irqchip/irq-mchp-eic.c
++++ b/drivers/irqchip/irq-mchp-eic.c
+@@ -166,7 +166,7 @@ static int mchp_eic_domain_alloc(struct irq_domain *domain, unsigned int virq,
+
+ ret = irq_domain_translate_twocell(domain, fwspec, &hwirq, &type);
+ if (ret || hwirq >= MCHP_EIC_NIRQ)
+- return ret;
++ return ret ?: -EINVAL;
+
+ switch (type) {
+ case IRQ_TYPE_EDGE_RISING:
+--
+2.51.0
+
--- /dev/null
+From b52c4db0dbd123bb94925f38930da8f5004ef872 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Dec 2025 09:51:59 +0300
+Subject: ocfs2: fix memory leak in ocfs2_merge_rec_left()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 2214ec4bf89d0fd27717322d3983a2f3b469c7f3 ]
+
+In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after
+move, thus allowing 'ocfs2_free_path()' to free it before return.
+
+Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru
+Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2
+Reviewed-by: Heming Zhao <heming.zhao@suse.com>
+Acked-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/alloc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
+index e6191249169e6..af40f0da3a95c 100644
+--- a/fs/ocfs2/alloc.c
++++ b/fs/ocfs2/alloc.c
+@@ -3647,7 +3647,6 @@ static int ocfs2_merge_rec_left(struct ocfs2_path *right_path,
+ * So we use the new rightmost path.
+ */
+ ocfs2_mv_path(right_path, left_path);
+- left_path = NULL;
+ } else
+ ocfs2_complete_edge_insert(handle, left_path,
+ right_path, subtree_index);
+--
+2.51.0
+
block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch
dm-raid-fix-possible-null-dereference-with-undefined.patch
dm-log-writes-add-missing-set_freezable-for-freezabl.patch
+efi-cper-add-a-new-helper-function-to-print-bitmasks.patch
+efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch
+efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch
+irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch
+ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
