--- /dev/null
+From 20eff9ce71705ca9ae47fea4e428ff52557a0948 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Dec 2025 11:46:10 +0300
+Subject: block: rnbd-clt: Fix signedness bug in init_dev()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 1ddb815fdfd45613c32e9bd1f7137428f298e541 ]
+
+The "dev->clt_device_id" variable is set using ida_alloc_max() which
+returns an int and in particular it returns negative error codes.
+Change the type from u32 to int to fix the error checking.
+
+Fixes: c9b5645fd8ca ("block: rnbd-clt: Fix leaked ID in init_dev()")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/rnbd/rnbd-clt.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/rnbd/rnbd-clt.h b/drivers/block/rnbd/rnbd-clt.h
+index 2941e3862b9c..beda2d6ce910 100644
+--- a/drivers/block/rnbd/rnbd-clt.h
++++ b/drivers/block/rnbd/rnbd-clt.h
+@@ -105,7 +105,7 @@ struct rnbd_clt_dev {
+ struct rnbd_queue *hw_queues;
+ u32 device_id;
+ /* local Idr index - used to track minor number allocations. */
+- u32 clt_device_id;
++ int clt_device_id;
+ struct mutex lock;
+ enum rnbd_clt_dev_state dev_state;
+ char *pathname;
+--
+2.51.0
+
usb-usb-storage-no-additional-quirks-need-to-be-adde.patch
serial-sprd-return-eprobe_defer-when-uart-clock-is-n.patch
nvme-fc-don-t-hold-rport-lock-when-putting-ctrl.patch
+block-rnbd-clt-fix-signedness-bug-in-init_dev.patch
+vhost-vsock-improve-rcu-read-sections-around-vhost_v.patch
--- /dev/null
+From 91b70b61eb4f3b9879dfe9b4857ee95c2dc4ad22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Nov 2025 14:38:26 +0100
+Subject: vhost/vsock: improve RCU read sections around vhost_vsock_get()
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit d8ee3cfdc89b75dc059dc21c27bef2c1440f67eb ]
+
+vhost_vsock_get() uses hash_for_each_possible_rcu() to find the
+`vhost_vsock` associated with the `guest_cid`. hash_for_each_possible_rcu()
+should only be called within an RCU read section, as mentioned in the
+following comment in include/linux/rculist.h:
+
+/**
+ * hlist_for_each_entry_rcu - iterate over rcu list of given type
+ * @pos: the type * to use as a loop cursor.
+ * @head: the head for your list.
+ * @member: the name of the hlist_node within the struct.
+ * @cond: optional lockdep expression if called from non-RCU protection.
+ *
+ * This list-traversal primitive may safely run concurrently with
+ * the _rcu list-mutation primitives such as hlist_add_head_rcu()
+ * as long as the traversal is guarded by rcu_read_lock().
+ */
+
+Currently, all calls to vhost_vsock_get() are between rcu_read_lock()
+and rcu_read_unlock() except for calls in vhost_vsock_set_cid() and
+vhost_vsock_reset_orphans(). In both cases, the current code is safe,
+but we can make improvements to make it more robust.
+
+About vhost_vsock_set_cid(), when building the kernel with
+CONFIG_PROVE_RCU_LIST enabled, we get the following RCU warning when the
+user space issues `ioctl(dev, VHOST_VSOCK_SET_GUEST_CID, ...)` :
+
+ WARNING: suspicious RCU usage
+ 6.18.0-rc7 #62 Not tainted
+ -----------------------------
+ drivers/vhost/vsock.c:74 RCU-list traversed in non-reader section!!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 2, debug_locks = 1
+ 1 lock held by rpc-libvirtd/3443:
+ #0: ffffffffc05032a8 (vhost_vsock_mutex){+.+.}-{4:4}, at: vhost_vsock_dev_ioctl+0x2ff/0x530 [vhost_vsock]
+
+ stack backtrace:
+ CPU: 2 UID: 0 PID: 3443 Comm: rpc-libvirtd Not tainted 6.18.0-rc7 #62 PREEMPT(none)
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-7.fc42 06/10/2025
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x75/0xb0
+ dump_stack+0x14/0x1a
+ lockdep_rcu_suspicious.cold+0x4e/0x97
+ vhost_vsock_get+0x8f/0xa0 [vhost_vsock]
+ vhost_vsock_dev_ioctl+0x307/0x530 [vhost_vsock]
+ __x64_sys_ioctl+0x4f2/0xa00
+ x64_sys_call+0xed0/0x1da0
+ do_syscall_64+0x73/0xfa0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ ...
+ </TASK>
+
+This is not a real problem, because the vhost_vsock_get() caller, i.e.
+vhost_vsock_set_cid(), holds the `vhost_vsock_mutex` used by the hash
+table writers. Anyway, to prevent that warning, add lockdep_is_held()
+condition to hash_for_each_possible_rcu() to verify that either the
+caller is in an RCU read section or `vhost_vsock_mutex` is held when
+CONFIG_PROVE_RCU_LIST is enabled; and also clarify the comment for
+vhost_vsock_get() to better describe the locking requirements and the
+scope of the returned pointer validity.
+
+About vhost_vsock_reset_orphans(), currently this function is only
+called via vsock_for_each_connected_socket(), which holds the
+`vsock_table_lock` spinlock (which is also an RCU read-side critical
+section). However, add an explicit RCU read lock there to make the code
+more robust and explicit about the RCU requirements, and to prevent
+issues if the calling context changes in the future or if
+vhost_vsock_reset_orphans() is called from other contexts.
+
+Fixes: 834e772c8db0 ("vhost/vsock: fix use-after-free in network stack callers")
+Cc: stefanha@redhat.com
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20251126133826.142496-1-sgarzare@redhat.com>
+Message-ID: <20251126210313.GA499503@fedora>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vsock.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
+index 7bce5f982e58..4b678dbaa93a 100644
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -58,14 +58,15 @@ static u32 vhost_transport_get_local_cid(void)
+ return VHOST_VSOCK_DEFAULT_HOST_CID;
+ }
+
+-/* Callers that dereference the return value must hold vhost_vsock_mutex or the
+- * RCU read lock.
++/* Callers must be in an RCU read section or hold the vhost_vsock_mutex.
++ * The return value can only be dereferenced while within the section.
+ */
+ static struct vhost_vsock *vhost_vsock_get(u32 guest_cid)
+ {
+ struct vhost_vsock *vsock;
+
+- hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid) {
++ hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid,
++ lockdep_is_held(&vhost_vsock_mutex)) {
+ u32 other_cid = vsock->guest_cid;
+
+ /* Skip instances that have no CID yet */
+@@ -666,9 +667,15 @@ static void vhost_vsock_reset_orphans(struct sock *sk)
+ * executing.
+ */
+
++ rcu_read_lock();
++
+ /* If the peer is still valid, no need to reset connection */
+- if (vhost_vsock_get(vsk->remote_addr.svm_cid))
++ if (vhost_vsock_get(vsk->remote_addr.svm_cid)) {
++ rcu_read_unlock();
+ return;
++ }
++
++ rcu_read_unlock();
+
+ /* If the close timeout is pending, let it expire. This avoids races
+ * with the timeout callback.
+--
+2.51.0
+
serial-sprd-return-eprobe_defer-when-uart-clock-is-n.patch
nvme-fc-don-t-hold-rport-lock-when-putting-ctrl.patch
platform-x86-intel-hid-add-dell-pro-rugged-10-12-tab.patch
+vhost-vsock-improve-rcu-read-sections-around-vhost_v.patch
--- /dev/null
+From 9b3e4d056ec46c97656b2e278c00f87a5f707f93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Nov 2025 14:38:26 +0100
+Subject: vhost/vsock: improve RCU read sections around vhost_vsock_get()
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit d8ee3cfdc89b75dc059dc21c27bef2c1440f67eb ]
+
+vhost_vsock_get() uses hash_for_each_possible_rcu() to find the
+`vhost_vsock` associated with the `guest_cid`. hash_for_each_possible_rcu()
+should only be called within an RCU read section, as mentioned in the
+following comment in include/linux/rculist.h:
+
+/**
+ * hlist_for_each_entry_rcu - iterate over rcu list of given type
+ * @pos: the type * to use as a loop cursor.
+ * @head: the head for your list.
+ * @member: the name of the hlist_node within the struct.
+ * @cond: optional lockdep expression if called from non-RCU protection.
+ *
+ * This list-traversal primitive may safely run concurrently with
+ * the _rcu list-mutation primitives such as hlist_add_head_rcu()
+ * as long as the traversal is guarded by rcu_read_lock().
+ */
+
+Currently, all calls to vhost_vsock_get() are between rcu_read_lock()
+and rcu_read_unlock() except for calls in vhost_vsock_set_cid() and
+vhost_vsock_reset_orphans(). In both cases, the current code is safe,
+but we can make improvements to make it more robust.
+
+About vhost_vsock_set_cid(), when building the kernel with
+CONFIG_PROVE_RCU_LIST enabled, we get the following RCU warning when the
+user space issues `ioctl(dev, VHOST_VSOCK_SET_GUEST_CID, ...)` :
+
+ WARNING: suspicious RCU usage
+ 6.18.0-rc7 #62 Not tainted
+ -----------------------------
+ drivers/vhost/vsock.c:74 RCU-list traversed in non-reader section!!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 2, debug_locks = 1
+ 1 lock held by rpc-libvirtd/3443:
+ #0: ffffffffc05032a8 (vhost_vsock_mutex){+.+.}-{4:4}, at: vhost_vsock_dev_ioctl+0x2ff/0x530 [vhost_vsock]
+
+ stack backtrace:
+ CPU: 2 UID: 0 PID: 3443 Comm: rpc-libvirtd Not tainted 6.18.0-rc7 #62 PREEMPT(none)
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-7.fc42 06/10/2025
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x75/0xb0
+ dump_stack+0x14/0x1a
+ lockdep_rcu_suspicious.cold+0x4e/0x97
+ vhost_vsock_get+0x8f/0xa0 [vhost_vsock]
+ vhost_vsock_dev_ioctl+0x307/0x530 [vhost_vsock]
+ __x64_sys_ioctl+0x4f2/0xa00
+ x64_sys_call+0xed0/0x1da0
+ do_syscall_64+0x73/0xfa0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ ...
+ </TASK>
+
+This is not a real problem, because the vhost_vsock_get() caller, i.e.
+vhost_vsock_set_cid(), holds the `vhost_vsock_mutex` used by the hash
+table writers. Anyway, to prevent that warning, add lockdep_is_held()
+condition to hash_for_each_possible_rcu() to verify that either the
+caller is in an RCU read section or `vhost_vsock_mutex` is held when
+CONFIG_PROVE_RCU_LIST is enabled; and also clarify the comment for
+vhost_vsock_get() to better describe the locking requirements and the
+scope of the returned pointer validity.
+
+About vhost_vsock_reset_orphans(), currently this function is only
+called via vsock_for_each_connected_socket(), which holds the
+`vsock_table_lock` spinlock (which is also an RCU read-side critical
+section). However, add an explicit RCU read lock there to make the code
+more robust and explicit about the RCU requirements, and to prevent
+issues if the calling context changes in the future or if
+vhost_vsock_reset_orphans() is called from other contexts.
+
+Fixes: 834e772c8db0 ("vhost/vsock: fix use-after-free in network stack callers")
+Cc: stefanha@redhat.com
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20251126133826.142496-1-sgarzare@redhat.com>
+Message-ID: <20251126210313.GA499503@fedora>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vsock.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
+index 531e3e139c0d..a53d7bf40461 100644
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -65,14 +65,15 @@ static u32 vhost_transport_get_local_cid(void)
+ return VHOST_VSOCK_DEFAULT_HOST_CID;
+ }
+
+-/* Callers that dereference the return value must hold vhost_vsock_mutex or the
+- * RCU read lock.
++/* Callers must be in an RCU read section or hold the vhost_vsock_mutex.
++ * The return value can only be dereferenced while within the section.
+ */
+ static struct vhost_vsock *vhost_vsock_get(u32 guest_cid)
+ {
+ struct vhost_vsock *vsock;
+
+- hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid) {
++ hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid,
++ lockdep_is_held(&vhost_vsock_mutex)) {
+ u32 other_cid = vsock->guest_cid;
+
+ /* Skip instances that have no CID yet */
+@@ -727,9 +728,15 @@ static void vhost_vsock_reset_orphans(struct sock *sk)
+ * executing.
+ */
+
++ rcu_read_lock();
++
+ /* If the peer is still valid, no need to reset connection */
+- if (vhost_vsock_get(vsk->remote_addr.svm_cid))
++ if (vhost_vsock_get(vsk->remote_addr.svm_cid)) {
++ rcu_read_unlock();
+ return;
++ }
++
++ rcu_read_unlock();
+
+ /* If the close timeout is pending, let it expire. This avoids races
+ * with the timeout callback.
+--
+2.51.0
+
--- /dev/null
+From 81f98378a6639c0db053651e846ec087670ac680 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Dec 2025 11:46:10 +0300
+Subject: block: rnbd-clt: Fix signedness bug in init_dev()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 1ddb815fdfd45613c32e9bd1f7137428f298e541 ]
+
+The "dev->clt_device_id" variable is set using ida_alloc_max() which
+returns an int and in particular it returns negative error codes.
+Change the type from u32 to int to fix the error checking.
+
+Fixes: c9b5645fd8ca ("block: rnbd-clt: Fix leaked ID in init_dev()")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/rnbd/rnbd-clt.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/rnbd/rnbd-clt.h b/drivers/block/rnbd/rnbd-clt.h
+index a48e040abe63..fbc1ed766025 100644
+--- a/drivers/block/rnbd/rnbd-clt.h
++++ b/drivers/block/rnbd/rnbd-clt.h
+@@ -112,7 +112,7 @@ struct rnbd_clt_dev {
+ struct rnbd_queue *hw_queues;
+ u32 device_id;
+ /* local Idr index - used to track minor number allocations. */
+- u32 clt_device_id;
++ int clt_device_id;
+ struct mutex lock;
+ enum rnbd_clt_dev_state dev_state;
+ refcount_t refcount;
+--
+2.51.0
+
serial-sprd-return-eprobe_defer-when-uart-clock-is-n.patch
nvme-fc-don-t-hold-rport-lock-when-putting-ctrl.patch
platform-x86-intel-hid-add-dell-pro-rugged-10-12-tab.patch
+block-rnbd-clt-fix-signedness-bug-in-init_dev.patch
+vhost-vsock-improve-rcu-read-sections-around-vhost_v.patch
--- /dev/null
+From 155ede94ce720428b1ce792a0bcade43e2fcd2ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Nov 2025 14:38:26 +0100
+Subject: vhost/vsock: improve RCU read sections around vhost_vsock_get()
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit d8ee3cfdc89b75dc059dc21c27bef2c1440f67eb ]
+
+vhost_vsock_get() uses hash_for_each_possible_rcu() to find the
+`vhost_vsock` associated with the `guest_cid`. hash_for_each_possible_rcu()
+should only be called within an RCU read section, as mentioned in the
+following comment in include/linux/rculist.h:
+
+/**
+ * hlist_for_each_entry_rcu - iterate over rcu list of given type
+ * @pos: the type * to use as a loop cursor.
+ * @head: the head for your list.
+ * @member: the name of the hlist_node within the struct.
+ * @cond: optional lockdep expression if called from non-RCU protection.
+ *
+ * This list-traversal primitive may safely run concurrently with
+ * the _rcu list-mutation primitives such as hlist_add_head_rcu()
+ * as long as the traversal is guarded by rcu_read_lock().
+ */
+
+Currently, all calls to vhost_vsock_get() are between rcu_read_lock()
+and rcu_read_unlock() except for calls in vhost_vsock_set_cid() and
+vhost_vsock_reset_orphans(). In both cases, the current code is safe,
+but we can make improvements to make it more robust.
+
+About vhost_vsock_set_cid(), when building the kernel with
+CONFIG_PROVE_RCU_LIST enabled, we get the following RCU warning when the
+user space issues `ioctl(dev, VHOST_VSOCK_SET_GUEST_CID, ...)` :
+
+ WARNING: suspicious RCU usage
+ 6.18.0-rc7 #62 Not tainted
+ -----------------------------
+ drivers/vhost/vsock.c:74 RCU-list traversed in non-reader section!!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 2, debug_locks = 1
+ 1 lock held by rpc-libvirtd/3443:
+ #0: ffffffffc05032a8 (vhost_vsock_mutex){+.+.}-{4:4}, at: vhost_vsock_dev_ioctl+0x2ff/0x530 [vhost_vsock]
+
+ stack backtrace:
+ CPU: 2 UID: 0 PID: 3443 Comm: rpc-libvirtd Not tainted 6.18.0-rc7 #62 PREEMPT(none)
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-7.fc42 06/10/2025
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x75/0xb0
+ dump_stack+0x14/0x1a
+ lockdep_rcu_suspicious.cold+0x4e/0x97
+ vhost_vsock_get+0x8f/0xa0 [vhost_vsock]
+ vhost_vsock_dev_ioctl+0x307/0x530 [vhost_vsock]
+ __x64_sys_ioctl+0x4f2/0xa00
+ x64_sys_call+0xed0/0x1da0
+ do_syscall_64+0x73/0xfa0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ ...
+ </TASK>
+
+This is not a real problem, because the vhost_vsock_get() caller, i.e.
+vhost_vsock_set_cid(), holds the `vhost_vsock_mutex` used by the hash
+table writers. Anyway, to prevent that warning, add lockdep_is_held()
+condition to hash_for_each_possible_rcu() to verify that either the
+caller is in an RCU read section or `vhost_vsock_mutex` is held when
+CONFIG_PROVE_RCU_LIST is enabled; and also clarify the comment for
+vhost_vsock_get() to better describe the locking requirements and the
+scope of the returned pointer validity.
+
+About vhost_vsock_reset_orphans(), currently this function is only
+called via vsock_for_each_connected_socket(), which holds the
+`vsock_table_lock` spinlock (which is also an RCU read-side critical
+section). However, add an explicit RCU read lock there to make the code
+more robust and explicit about the RCU requirements, and to prevent
+issues if the calling context changes in the future or if
+vhost_vsock_reset_orphans() is called from other contexts.
+
+Fixes: 834e772c8db0 ("vhost/vsock: fix use-after-free in network stack callers")
+Cc: stefanha@redhat.com
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20251126133826.142496-1-sgarzare@redhat.com>
+Message-ID: <20251126210313.GA499503@fedora>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vsock.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
+index 1c5096c44fd7..48002df5ef73 100644
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -64,14 +64,15 @@ static u32 vhost_transport_get_local_cid(void)
+ return VHOST_VSOCK_DEFAULT_HOST_CID;
+ }
+
+-/* Callers that dereference the return value must hold vhost_vsock_mutex or the
+- * RCU read lock.
++/* Callers must be in an RCU read section or hold the vhost_vsock_mutex.
++ * The return value can only be dereferenced while within the section.
+ */
+ static struct vhost_vsock *vhost_vsock_get(u32 guest_cid)
+ {
+ struct vhost_vsock *vsock;
+
+- hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid) {
++ hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid,
++ lockdep_is_held(&vhost_vsock_mutex)) {
+ u32 other_cid = vsock->guest_cid;
+
+ /* Skip instances that have no CID yet */
+@@ -693,9 +694,15 @@ static void vhost_vsock_reset_orphans(struct sock *sk)
+ * executing.
+ */
+
++ rcu_read_lock();
++
+ /* If the peer is still valid, no need to reset connection */
+- if (vhost_vsock_get(vsk->remote_addr.svm_cid))
++ if (vhost_vsock_get(vsk->remote_addr.svm_cid)) {
++ rcu_read_unlock();
+ return;
++ }
++
++ rcu_read_unlock();
+
+ /* If the close timeout is pending, let it expire. This avoids races
+ * with the timeout callback.
+--
+2.51.0
+
--- /dev/null
+From 5eb75a062a690dcb13830798f65db42d767a12b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Dec 2025 11:46:10 +0300
+Subject: block: rnbd-clt: Fix signedness bug in init_dev()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 1ddb815fdfd45613c32e9bd1f7137428f298e541 ]
+
+The "dev->clt_device_id" variable is set using ida_alloc_max() which
+returns an int and in particular it returns negative error codes.
+Change the type from u32 to int to fix the error checking.
+
+Fixes: c9b5645fd8ca ("block: rnbd-clt: Fix leaked ID in init_dev()")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/rnbd/rnbd-clt.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/rnbd/rnbd-clt.h b/drivers/block/rnbd/rnbd-clt.h
+index a48e040abe63..fbc1ed766025 100644
+--- a/drivers/block/rnbd/rnbd-clt.h
++++ b/drivers/block/rnbd/rnbd-clt.h
+@@ -112,7 +112,7 @@ struct rnbd_clt_dev {
+ struct rnbd_queue *hw_queues;
+ u32 device_id;
+ /* local Idr index - used to track minor number allocations. */
+- u32 clt_device_id;
++ int clt_device_id;
+ struct mutex lock;
+ enum rnbd_clt_dev_state dev_state;
+ refcount_t refcount;
+--
+2.51.0
+
--- /dev/null
+From 290fdaf7fbdd2616d1f0e80491ed2fe994ce5cf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Dec 2025 15:21:42 +0000
+Subject: cifs: Fix memory and information leak in smb3_reconfigure()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d ]
+
+In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the
+function returns immediately without freeing and erasing the newly
+allocated new_password and new_password2. This causes both a memory leak
+and a potential information leak.
+
+Fix this by calling kfree_sensitive() on both password buffers before
+returning in this error case.
+
+Fixes: 0f0e357902957 ("cifs: during remount, make sure passwords are in sync")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/fs_context.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
+index 17133adfe798..ee9c95811477 100644
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -1011,6 +1011,8 @@ static int smb3_reconfigure(struct fs_context *fc)
+ rc = smb3_sync_session_ctx_passwords(cifs_sb, ses);
+ if (rc) {
+ mutex_unlock(&ses->session_mutex);
++ kfree_sensitive(new_password);
++ kfree_sensitive(new_password2);
+ return rc;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 5bc1b780f40185c05f9a1a6371ba91426a4e29de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 10:06:51 +0000
+Subject: scsi: scsi_debug: Fix atomic write enable module param description
+
+From: John Garry <john.g.garry@oracle.com>
+
+[ Upstream commit 1f7d6e2efeedd8f545d3e0e9bf338023bf4ea584 ]
+
+The atomic write enable module param is "atomic_wr", and not
+"atomic_write", so fix the module param description.
+
+Fixes: 84f3a3c01d70 ("scsi: scsi_debug: Atomic write support")
+Signed-off-by: John Garry <john.g.garry@oracle.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20251211100651.9056-1-john.g.garry@oracle.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
+index 89a2aaccdcfc..dfe38d34d051 100644
+--- a/drivers/scsi/scsi_debug.c
++++ b/drivers/scsi/scsi_debug.c
+@@ -6716,7 +6716,7 @@ MODULE_PARM_DESC(lbprz,
+ MODULE_PARM_DESC(lbpu, "enable LBP, support UNMAP command (def=0)");
+ MODULE_PARM_DESC(lbpws, "enable LBP, support WRITE SAME(16) with UNMAP bit (def=0)");
+ MODULE_PARM_DESC(lbpws10, "enable LBP, support WRITE SAME(10) with UNMAP bit (def=0)");
+-MODULE_PARM_DESC(atomic_write, "enable ATOMIC WRITE support, support WRITE ATOMIC(16) (def=0)");
++MODULE_PARM_DESC(atomic_wr, "enable ATOMIC WRITE support, support WRITE ATOMIC(16) (def=0)");
+ MODULE_PARM_DESC(lowest_aligned, "lowest aligned lba (def=0)");
+ MODULE_PARM_DESC(lun_format, "LUN format: 0->peripheral (def); 1 --> flat address method");
+ MODULE_PARM_DESC(max_luns, "number of LUNs per target to simulate(def=1)");
+--
+2.51.0
+
nvme-fabrics-add-enokey-to-no-retry-criteria-for-aut.patch
platform-x86-intel-hid-add-dell-pro-rugged-10-12-tab.patch
mips-ftrace-fix-memory-corruption-when-kernel-is-loc.patch
+scsi-scsi_debug-fix-atomic-write-enable-module-param.patch
+block-rnbd-clt-fix-signedness-bug-in-init_dev.patch
+vhost-vsock-improve-rcu-read-sections-around-vhost_v.patch
+cifs-fix-memory-and-information-leak-in-smb3_reconfi.patch
--- /dev/null
+From ff3d4a3b6fe0edc8f7c1d95940ce5b41764e0ec3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Nov 2025 14:38:26 +0100
+Subject: vhost/vsock: improve RCU read sections around vhost_vsock_get()
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit d8ee3cfdc89b75dc059dc21c27bef2c1440f67eb ]
+
+vhost_vsock_get() uses hash_for_each_possible_rcu() to find the
+`vhost_vsock` associated with the `guest_cid`. hash_for_each_possible_rcu()
+should only be called within an RCU read section, as mentioned in the
+following comment in include/linux/rculist.h:
+
+/**
+ * hlist_for_each_entry_rcu - iterate over rcu list of given type
+ * @pos: the type * to use as a loop cursor.
+ * @head: the head for your list.
+ * @member: the name of the hlist_node within the struct.
+ * @cond: optional lockdep expression if called from non-RCU protection.
+ *
+ * This list-traversal primitive may safely run concurrently with
+ * the _rcu list-mutation primitives such as hlist_add_head_rcu()
+ * as long as the traversal is guarded by rcu_read_lock().
+ */
+
+Currently, all calls to vhost_vsock_get() are between rcu_read_lock()
+and rcu_read_unlock() except for calls in vhost_vsock_set_cid() and
+vhost_vsock_reset_orphans(). In both cases, the current code is safe,
+but we can make improvements to make it more robust.
+
+About vhost_vsock_set_cid(), when building the kernel with
+CONFIG_PROVE_RCU_LIST enabled, we get the following RCU warning when the
+user space issues `ioctl(dev, VHOST_VSOCK_SET_GUEST_CID, ...)` :
+
+ WARNING: suspicious RCU usage
+ 6.18.0-rc7 #62 Not tainted
+ -----------------------------
+ drivers/vhost/vsock.c:74 RCU-list traversed in non-reader section!!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 2, debug_locks = 1
+ 1 lock held by rpc-libvirtd/3443:
+ #0: ffffffffc05032a8 (vhost_vsock_mutex){+.+.}-{4:4}, at: vhost_vsock_dev_ioctl+0x2ff/0x530 [vhost_vsock]
+
+ stack backtrace:
+ CPU: 2 UID: 0 PID: 3443 Comm: rpc-libvirtd Not tainted 6.18.0-rc7 #62 PREEMPT(none)
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-7.fc42 06/10/2025
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x75/0xb0
+ dump_stack+0x14/0x1a
+ lockdep_rcu_suspicious.cold+0x4e/0x97
+ vhost_vsock_get+0x8f/0xa0 [vhost_vsock]
+ vhost_vsock_dev_ioctl+0x307/0x530 [vhost_vsock]
+ __x64_sys_ioctl+0x4f2/0xa00
+ x64_sys_call+0xed0/0x1da0
+ do_syscall_64+0x73/0xfa0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ ...
+ </TASK>
+
+This is not a real problem, because the vhost_vsock_get() caller, i.e.
+vhost_vsock_set_cid(), holds the `vhost_vsock_mutex` used by the hash
+table writers. Anyway, to prevent that warning, add lockdep_is_held()
+condition to hash_for_each_possible_rcu() to verify that either the
+caller is in an RCU read section or `vhost_vsock_mutex` is held when
+CONFIG_PROVE_RCU_LIST is enabled; and also clarify the comment for
+vhost_vsock_get() to better describe the locking requirements and the
+scope of the returned pointer validity.
+
+About vhost_vsock_reset_orphans(), currently this function is only
+called via vsock_for_each_connected_socket(), which holds the
+`vsock_table_lock` spinlock (which is also an RCU read-side critical
+section). However, add an explicit RCU read lock there to make the code
+more robust and explicit about the RCU requirements, and to prevent
+issues if the calling context changes in the future or if
+vhost_vsock_reset_orphans() is called from other contexts.
+
+Fixes: 834e772c8db0 ("vhost/vsock: fix use-after-free in network stack callers")
+Cc: stefanha@redhat.com
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20251126133826.142496-1-sgarzare@redhat.com>
+Message-ID: <20251126210313.GA499503@fedora>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vsock.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
+index 66a0f060770e..2dea6f868674 100644
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -64,14 +64,15 @@ static u32 vhost_transport_get_local_cid(void)
+ return VHOST_VSOCK_DEFAULT_HOST_CID;
+ }
+
+-/* Callers that dereference the return value must hold vhost_vsock_mutex or the
+- * RCU read lock.
++/* Callers must be in an RCU read section or hold the vhost_vsock_mutex.
++ * The return value can only be dereferenced while within the section.
+ */
+ static struct vhost_vsock *vhost_vsock_get(u32 guest_cid)
+ {
+ struct vhost_vsock *vsock;
+
+- hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid) {
++ hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid,
++ lockdep_is_held(&vhost_vsock_mutex)) {
+ u32 other_cid = vsock->guest_cid;
+
+ /* Skip instances that have no CID yet */
+@@ -708,9 +709,15 @@ static void vhost_vsock_reset_orphans(struct sock *sk)
+ * executing.
+ */
+
++ rcu_read_lock();
++
+ /* If the peer is still valid, no need to reset connection */
+- if (vhost_vsock_get(vsk->remote_addr.svm_cid))
++ if (vhost_vsock_get(vsk->remote_addr.svm_cid)) {
++ rcu_read_unlock();
+ return;
++ }
++
++ rcu_read_unlock();
+
+ /* If the close timeout is pending, let it expire. This avoids races
+ * with the timeout callback.
+--
+2.51.0
+
--- /dev/null
+From 62977805e2fa3df2377d3b76e614846fb579485c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Dec 2025 11:46:10 +0300
+Subject: block: rnbd-clt: Fix signedness bug in init_dev()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 1ddb815fdfd45613c32e9bd1f7137428f298e541 ]
+
+The "dev->clt_device_id" variable is set using ida_alloc_max() which
+returns an int and in particular it returns negative error codes.
+Change the type from u32 to int to fix the error checking.
+
+Fixes: c9b5645fd8ca ("block: rnbd-clt: Fix leaked ID in init_dev()")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/rnbd/rnbd-clt.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/rnbd/rnbd-clt.h b/drivers/block/rnbd/rnbd-clt.h
+index a48e040abe63..fbc1ed766025 100644
+--- a/drivers/block/rnbd/rnbd-clt.h
++++ b/drivers/block/rnbd/rnbd-clt.h
+@@ -112,7 +112,7 @@ struct rnbd_clt_dev {
+ struct rnbd_queue *hw_queues;
+ u32 device_id;
+ /* local Idr index - used to track minor number allocations. */
+- u32 clt_device_id;
++ int clt_device_id;
+ struct mutex lock;
+ enum rnbd_clt_dev_state dev_state;
+ refcount_t refcount;
+--
+2.51.0
+
--- /dev/null
+From 8f4fbe7afea370dc923e216ed1b338193b52a776 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Dec 2025 15:21:42 +0000
+Subject: cifs: Fix memory and information leak in smb3_reconfigure()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d ]
+
+In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the
+function returns immediately without freeing and erasing the newly
+allocated new_password and new_password2. This causes both a memory leak
+and a potential information leak.
+
+Fix this by calling kfree_sensitive() on both password buffers before
+returning in this error case.
+
+Fixes: 0f0e357902957 ("cifs: during remount, make sure passwords are in sync")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/fs_context.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
+index 2a0d8b87bd8e..d8bd3cdc535d 100644
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -1080,6 +1080,8 @@ static int smb3_reconfigure(struct fs_context *fc)
+ rc = smb3_sync_session_ctx_passwords(cifs_sb, ses);
+ if (rc) {
+ mutex_unlock(&ses->session_mutex);
++ kfree_sensitive(new_password);
++ kfree_sensitive(new_password2);
+ return rc;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 0b5c948f5ba9176d67b238fa578646e1a39d0859 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 00:28:31 -0800
+Subject: drm/msm/a6xx: move preempt_prepare_postamble after error check
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit ef3b04091fd8bc737dc45312375df8625b8318e2 ]
+
+Move the call to preempt_prepare_postamble() after verifying that
+preempt_postamble_ptr is valid. If preempt_postamble_ptr is NULL,
+dereferencing it in preempt_prepare_postamble() would lead to a crash.
+
+This change avoids calling the preparation function when the
+postamble allocation has failed, preventing potential NULL pointer
+dereference and ensuring proper error handling.
+
+Fixes: 50117cad0c50 ("drm/msm/a6xx: Use posamble to reset counters on preemption")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Patchwork: https://patchwork.freedesktop.org/patch/687659/
+Message-ID: <20251113082839.3821867-1-alok.a.tiwari@oracle.com>
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_preempt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_preempt.c b/drivers/gpu/drm/msm/adreno/a6xx_preempt.c
+index afc5f4aa3b17..747a22afad9f 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_preempt.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_preempt.c
+@@ -454,11 +454,11 @@ void a6xx_preempt_init(struct msm_gpu *gpu)
+ gpu->vm, &a6xx_gpu->preempt_postamble_bo,
+ &a6xx_gpu->preempt_postamble_iova);
+
+- preempt_prepare_postamble(a6xx_gpu);
+-
+ if (IS_ERR(a6xx_gpu->preempt_postamble_ptr))
+ goto fail;
+
++ preempt_prepare_postamble(a6xx_gpu);
++
+ timer_setup(&a6xx_gpu->preempt_timer, a6xx_preempt_timer, 0);
+
+ return;
+--
+2.51.0
+
--- /dev/null
+From c739bbc103cc5ef57db853bb342184ae5b2bb30e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Nov 2025 15:51:35 +0100
+Subject: drm/msm: adreno: fix deferencing ifpc_reglist when not declared
+
+From: Neil Armstrong <neil.armstrong@linaro.org>
+
+[ Upstream commit 129049d4fe22c998ae9fd1ec479fbb4ed5338c15 ]
+
+On plaforms with an a7xx GPU not supporting IFPC, the ifpc_reglist
+if still deferenced in a7xx_patch_pwrup_reglist() which causes
+a kernel crash:
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
+...
+pc : a6xx_hw_init+0x155c/0x1e4c [msm]
+lr : a6xx_hw_init+0x9a8/0x1e4c [msm]
+...
+Call trace:
+ a6xx_hw_init+0x155c/0x1e4c [msm] (P)
+ msm_gpu_hw_init+0x58/0x88 [msm]
+ adreno_load_gpu+0x94/0x1fc [msm]
+ msm_open+0xe4/0xf4 [msm]
+ drm_file_alloc+0x1a0/0x2e4 [drm]
+ drm_client_init+0x7c/0x104 [drm]
+ drm_fbdev_client_setup+0x94/0xcf0 [drm_client_lib]
+ drm_client_setup+0xb4/0xd8 [drm_client_lib]
+ msm_drm_kms_post_init+0x2c/0x3c [msm]
+ msm_drm_init+0x1a4/0x228 [msm]
+ msm_drm_bind+0x30/0x3c [msm]
+...
+
+Check the validity of ifpc_reglist before deferencing the table
+to setup the register values.
+
+Fixes: a6a0157cc68e ("drm/msm/a6xx: Enable IFPC on Adreno X1-85")
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Reviewed-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/688944/
+Message-ID: <20251117-topic-sm8x50-fix-a6xx-non-ifpc-v1-1-e4473cbf5903@linaro.org>
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
+index 6f7ed07670b1..d1eaa849b197 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
+@@ -837,15 +837,17 @@ static void a7xx_patch_pwrup_reglist(struct msm_gpu *gpu)
+ lock->gpu_req = lock->cpu_req = lock->turn = 0;
+
+ reglist = adreno_gpu->info->a6xx->ifpc_reglist;
+- lock->ifpc_list_len = reglist->count;
++ if (reglist) {
++ lock->ifpc_list_len = reglist->count;
+
+- /*
+- * For each entry in each of the lists, write the offset and the current
+- * register value into the GPU buffer
+- */
+- for (i = 0; i < reglist->count; i++) {
+- *dest++ = reglist->regs[i];
+- *dest++ = gpu_read(gpu, reglist->regs[i]);
++ /*
++ * For each entry in each of the lists, write the offset and the current
++ * register value into the GPU buffer
++ */
++ for (i = 0; i < reglist->count; i++) {
++ *dest++ = reglist->regs[i];
++ *dest++ = gpu_read(gpu, reglist->regs[i]);
++ }
+ }
+
+ reglist = adreno_gpu->info->a6xx->pwrup_reglist;
+--
+2.51.0
+
--- /dev/null
+From 1dc5ec78bd3e1279c634f3dec2683888b8740463 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 10:06:51 +0000
+Subject: scsi: scsi_debug: Fix atomic write enable module param description
+
+From: John Garry <john.g.garry@oracle.com>
+
+[ Upstream commit 1f7d6e2efeedd8f545d3e0e9bf338023bf4ea584 ]
+
+The atomic write enable module param is "atomic_wr", and not
+"atomic_write", so fix the module param description.
+
+Fixes: 84f3a3c01d70 ("scsi: scsi_debug: Atomic write support")
+Signed-off-by: John Garry <john.g.garry@oracle.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20251211100651.9056-1-john.g.garry@oracle.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
+index b2ab97be5db3..047d56d23bea 100644
+--- a/drivers/scsi/scsi_debug.c
++++ b/drivers/scsi/scsi_debug.c
+@@ -7410,7 +7410,7 @@ MODULE_PARM_DESC(lbprz,
+ MODULE_PARM_DESC(lbpu, "enable LBP, support UNMAP command (def=0)");
+ MODULE_PARM_DESC(lbpws, "enable LBP, support WRITE SAME(16) with UNMAP bit (def=0)");
+ MODULE_PARM_DESC(lbpws10, "enable LBP, support WRITE SAME(10) with UNMAP bit (def=0)");
+-MODULE_PARM_DESC(atomic_write, "enable ATOMIC WRITE support, support WRITE ATOMIC(16) (def=0)");
++MODULE_PARM_DESC(atomic_wr, "enable ATOMIC WRITE support, support WRITE ATOMIC(16) (def=0)");
+ MODULE_PARM_DESC(lowest_aligned, "lowest aligned lba (def=0)");
+ MODULE_PARM_DESC(lun_format, "LUN format: 0->peripheral (def); 1 --> flat address method");
+ MODULE_PARM_DESC(max_luns, "number of LUNs per target to simulate(def=1)");
+--
+2.51.0
+
hwmon-emc2305-fix-double-put-in-emc2305_probe_childs.patch
platform-x86-intel-hid-add-dell-pro-rugged-10-12-tab.patch
mips-ftrace-fix-memory-corruption-when-kernel-is-loc.patch
+scsi-scsi_debug-fix-atomic-write-enable-module-param.patch
+drm-msm-adreno-fix-deferencing-ifpc_reglist-when-not.patch
+drm-msm-a6xx-move-preempt_prepare_postamble-after-er.patch
+ublk-clean-up-user-copy-references-on-ublk-server-ex.patch
+block-rnbd-clt-fix-signedness-bug-in-init_dev.patch
+vhost-vsock-improve-rcu-read-sections-around-vhost_v.patch
+cifs-fix-memory-and-information-leak-in-smb3_reconfi.patch
--- /dev/null
+From 57de68bfbd4ae98116882be345e73ce0b202e034 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Dec 2025 17:19:49 -0700
+Subject: ublk: clean up user copy references on ublk server exit
+
+From: Caleb Sander Mateos <csander@purestorage.com>
+
+[ Upstream commit daa24603d9f0808929514ee62ced30052ca7221c ]
+
+If a ublk server process releases a ublk char device file, any requests
+dispatched to the ublk server but not yet completed will retain a ref
+value of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 ("ublk: simplify
+aborting ublk request"), __ublk_fail_req() would decrement the reference
+count before completing the failed request. However, that commit
+optimized __ublk_fail_req() to call __ublk_complete_rq() directly
+without decrementing the request reference count.
+The leaked reference count incorrectly allows user copy and zero copy
+operations on the completed ublk request. It also triggers the
+WARN_ON_ONCE(refcount_read(&io->ref)) warnings in ublk_queue_reinit()
+and ublk_deinit_queue().
+Commit c5c5eb24ed61 ("ublk: avoid ublk_io_release() called after ublk
+char dev is closed") already fixed the issue for ublk devices using
+UBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference
+count leak also affects UBLK_F_USER_COPY, the other reference-counted
+data copy mode. Fix the condition in ublk_check_and_reset_active_ref()
+to include all reference-counted data copy modes. This ensures that any
+ublk requests still owned by the ublk server when it exits have their
+reference counts reset to 0.
+
+Signed-off-by: Caleb Sander Mateos <csander@purestorage.com>
+Fixes: e63d2228ef83 ("ublk: simplify aborting ublk request")
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ublk_drv.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
+index fa7b0481ea04..d8079ea8f8ca 100644
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -1674,8 +1674,7 @@ static bool ublk_check_and_reset_active_ref(struct ublk_device *ub)
+ {
+ int i, j;
+
+- if (!(ub->dev_info.flags & (UBLK_F_SUPPORT_ZERO_COPY |
+- UBLK_F_AUTO_BUF_REG)))
++ if (!ublk_dev_need_req_ref(ub))
+ return false;
+
+ for (i = 0; i < ub->dev_info.nr_hw_queues; i++) {
+--
+2.51.0
+
--- /dev/null
+From 24ffb0b28d866d07b876f48aaab3437580aaf2a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Nov 2025 14:38:26 +0100
+Subject: vhost/vsock: improve RCU read sections around vhost_vsock_get()
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit d8ee3cfdc89b75dc059dc21c27bef2c1440f67eb ]
+
+vhost_vsock_get() uses hash_for_each_possible_rcu() to find the
+`vhost_vsock` associated with the `guest_cid`. hash_for_each_possible_rcu()
+should only be called within an RCU read section, as mentioned in the
+following comment in include/linux/rculist.h:
+
+/**
+ * hlist_for_each_entry_rcu - iterate over rcu list of given type
+ * @pos: the type * to use as a loop cursor.
+ * @head: the head for your list.
+ * @member: the name of the hlist_node within the struct.
+ * @cond: optional lockdep expression if called from non-RCU protection.
+ *
+ * This list-traversal primitive may safely run concurrently with
+ * the _rcu list-mutation primitives such as hlist_add_head_rcu()
+ * as long as the traversal is guarded by rcu_read_lock().
+ */
+
+Currently, all calls to vhost_vsock_get() are between rcu_read_lock()
+and rcu_read_unlock() except for calls in vhost_vsock_set_cid() and
+vhost_vsock_reset_orphans(). In both cases, the current code is safe,
+but we can make improvements to make it more robust.
+
+About vhost_vsock_set_cid(), when building the kernel with
+CONFIG_PROVE_RCU_LIST enabled, we get the following RCU warning when the
+user space issues `ioctl(dev, VHOST_VSOCK_SET_GUEST_CID, ...)` :
+
+ WARNING: suspicious RCU usage
+ 6.18.0-rc7 #62 Not tainted
+ -----------------------------
+ drivers/vhost/vsock.c:74 RCU-list traversed in non-reader section!!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 2, debug_locks = 1
+ 1 lock held by rpc-libvirtd/3443:
+ #0: ffffffffc05032a8 (vhost_vsock_mutex){+.+.}-{4:4}, at: vhost_vsock_dev_ioctl+0x2ff/0x530 [vhost_vsock]
+
+ stack backtrace:
+ CPU: 2 UID: 0 PID: 3443 Comm: rpc-libvirtd Not tainted 6.18.0-rc7 #62 PREEMPT(none)
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-7.fc42 06/10/2025
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x75/0xb0
+ dump_stack+0x14/0x1a
+ lockdep_rcu_suspicious.cold+0x4e/0x97
+ vhost_vsock_get+0x8f/0xa0 [vhost_vsock]
+ vhost_vsock_dev_ioctl+0x307/0x530 [vhost_vsock]
+ __x64_sys_ioctl+0x4f2/0xa00
+ x64_sys_call+0xed0/0x1da0
+ do_syscall_64+0x73/0xfa0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ ...
+ </TASK>
+
+This is not a real problem, because the vhost_vsock_get() caller, i.e.
+vhost_vsock_set_cid(), holds the `vhost_vsock_mutex` used by the hash
+table writers. Anyway, to prevent that warning, add lockdep_is_held()
+condition to hash_for_each_possible_rcu() to verify that either the
+caller is in an RCU read section or `vhost_vsock_mutex` is held when
+CONFIG_PROVE_RCU_LIST is enabled; and also clarify the comment for
+vhost_vsock_get() to better describe the locking requirements and the
+scope of the returned pointer validity.
+
+About vhost_vsock_reset_orphans(), currently this function is only
+called via vsock_for_each_connected_socket(), which holds the
+`vsock_table_lock` spinlock (which is also an RCU read-side critical
+section). However, add an explicit RCU read lock there to make the code
+more robust and explicit about the RCU requirements, and to prevent
+issues if the calling context changes in the future or if
+vhost_vsock_reset_orphans() is called from other contexts.
+
+Fixes: 834e772c8db0 ("vhost/vsock: fix use-after-free in network stack callers")
+Cc: stefanha@redhat.com
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20251126133826.142496-1-sgarzare@redhat.com>
+Message-ID: <20251126210313.GA499503@fedora>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vsock.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
+index ae01457ea2cd..78cc66fbb3dd 100644
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -64,14 +64,15 @@ static u32 vhost_transport_get_local_cid(void)
+ return VHOST_VSOCK_DEFAULT_HOST_CID;
+ }
+
+-/* Callers that dereference the return value must hold vhost_vsock_mutex or the
+- * RCU read lock.
++/* Callers must be in an RCU read section or hold the vhost_vsock_mutex.
++ * The return value can only be dereferenced while within the section.
+ */
+ static struct vhost_vsock *vhost_vsock_get(u32 guest_cid)
+ {
+ struct vhost_vsock *vsock;
+
+- hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid) {
++ hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid,
++ lockdep_is_held(&vhost_vsock_mutex)) {
+ u32 other_cid = vsock->guest_cid;
+
+ /* Skip instances that have no CID yet */
+@@ -707,9 +708,15 @@ static void vhost_vsock_reset_orphans(struct sock *sk)
+ * executing.
+ */
+
++ rcu_read_lock();
++
+ /* If the peer is still valid, no need to reset connection */
+- if (vhost_vsock_get(vsk->remote_addr.svm_cid))
++ if (vhost_vsock_get(vsk->remote_addr.svm_cid)) {
++ rcu_read_unlock();
+ return;
++ }
++
++ rcu_read_unlock();
+
+ /* If the close timeout is pending, let it expire. This avoids races
+ * with the timeout callback.
+--
+2.51.0
+
--- /dev/null
+From c334ab6a04fbdb75ca20a731828725b36abcd355 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Dec 2025 11:46:10 +0300
+Subject: block: rnbd-clt: Fix signedness bug in init_dev()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 1ddb815fdfd45613c32e9bd1f7137428f298e541 ]
+
+The "dev->clt_device_id" variable is set using ida_alloc_max() which
+returns an int and in particular it returns negative error codes.
+Change the type from u32 to int to fix the error checking.
+
+Fixes: c9b5645fd8ca ("block: rnbd-clt: Fix leaked ID in init_dev()")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/rnbd/rnbd-clt.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/rnbd/rnbd-clt.h b/drivers/block/rnbd/rnbd-clt.h
+index a48e040abe63..fbc1ed766025 100644
+--- a/drivers/block/rnbd/rnbd-clt.h
++++ b/drivers/block/rnbd/rnbd-clt.h
+@@ -112,7 +112,7 @@ struct rnbd_clt_dev {
+ struct rnbd_queue *hw_queues;
+ u32 device_id;
+ /* local Idr index - used to track minor number allocations. */
+- u32 clt_device_id;
++ int clt_device_id;
+ struct mutex lock;
+ enum rnbd_clt_dev_state dev_state;
+ refcount_t refcount;
+--
+2.51.0
+
--- /dev/null
+From bf04fc9b8660afb140f99cc1a10516bb74f8107f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Dec 2025 15:21:42 +0000
+Subject: cifs: Fix memory and information leak in smb3_reconfigure()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d ]
+
+In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the
+function returns immediately without freeing and erasing the newly
+allocated new_password and new_password2. This causes both a memory leak
+and a potential information leak.
+
+Fix this by calling kfree_sensitive() on both password buffers before
+returning in this error case.
+
+Fixes: 0f0e357902957 ("cifs: during remount, make sure passwords are in sync")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/fs_context.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
+index 6358f2483c86..37b04c23ee89 100644
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -979,6 +979,8 @@ static int smb3_reconfigure(struct fs_context *fc)
+ rc = smb3_sync_session_ctx_passwords(cifs_sb, ses);
+ if (rc) {
+ mutex_unlock(&ses->session_mutex);
++ kfree_sensitive(new_password);
++ kfree_sensitive(new_password2);
+ return rc;
+ }
+
+--
+2.51.0
+
i2c-designware-disable-smbus-interrupts-to-prevent-s.patch
nvme-fc-don-t-hold-rport-lock-when-putting-ctrl.patch
platform-x86-intel-hid-add-dell-pro-rugged-10-12-tab.patch
+block-rnbd-clt-fix-signedness-bug-in-init_dev.patch
+vhost-vsock-improve-rcu-read-sections-around-vhost_v.patch
+cifs-fix-memory-and-information-leak-in-smb3_reconfi.patch
--- /dev/null
+From 065bb0fbb9dc0e71141f0fa14caeae95ee74e7b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Nov 2025 14:38:26 +0100
+Subject: vhost/vsock: improve RCU read sections around vhost_vsock_get()
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit d8ee3cfdc89b75dc059dc21c27bef2c1440f67eb ]
+
+vhost_vsock_get() uses hash_for_each_possible_rcu() to find the
+`vhost_vsock` associated with the `guest_cid`. hash_for_each_possible_rcu()
+should only be called within an RCU read section, as mentioned in the
+following comment in include/linux/rculist.h:
+
+/**
+ * hlist_for_each_entry_rcu - iterate over rcu list of given type
+ * @pos: the type * to use as a loop cursor.
+ * @head: the head for your list.
+ * @member: the name of the hlist_node within the struct.
+ * @cond: optional lockdep expression if called from non-RCU protection.
+ *
+ * This list-traversal primitive may safely run concurrently with
+ * the _rcu list-mutation primitives such as hlist_add_head_rcu()
+ * as long as the traversal is guarded by rcu_read_lock().
+ */
+
+Currently, all calls to vhost_vsock_get() are between rcu_read_lock()
+and rcu_read_unlock() except for calls in vhost_vsock_set_cid() and
+vhost_vsock_reset_orphans(). In both cases, the current code is safe,
+but we can make improvements to make it more robust.
+
+About vhost_vsock_set_cid(), when building the kernel with
+CONFIG_PROVE_RCU_LIST enabled, we get the following RCU warning when the
+user space issues `ioctl(dev, VHOST_VSOCK_SET_GUEST_CID, ...)` :
+
+ WARNING: suspicious RCU usage
+ 6.18.0-rc7 #62 Not tainted
+ -----------------------------
+ drivers/vhost/vsock.c:74 RCU-list traversed in non-reader section!!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 2, debug_locks = 1
+ 1 lock held by rpc-libvirtd/3443:
+ #0: ffffffffc05032a8 (vhost_vsock_mutex){+.+.}-{4:4}, at: vhost_vsock_dev_ioctl+0x2ff/0x530 [vhost_vsock]
+
+ stack backtrace:
+ CPU: 2 UID: 0 PID: 3443 Comm: rpc-libvirtd Not tainted 6.18.0-rc7 #62 PREEMPT(none)
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-7.fc42 06/10/2025
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x75/0xb0
+ dump_stack+0x14/0x1a
+ lockdep_rcu_suspicious.cold+0x4e/0x97
+ vhost_vsock_get+0x8f/0xa0 [vhost_vsock]
+ vhost_vsock_dev_ioctl+0x307/0x530 [vhost_vsock]
+ __x64_sys_ioctl+0x4f2/0xa00
+ x64_sys_call+0xed0/0x1da0
+ do_syscall_64+0x73/0xfa0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ ...
+ </TASK>
+
+This is not a real problem, because the vhost_vsock_get() caller, i.e.
+vhost_vsock_set_cid(), holds the `vhost_vsock_mutex` used by the hash
+table writers. Anyway, to prevent that warning, add lockdep_is_held()
+condition to hash_for_each_possible_rcu() to verify that either the
+caller is in an RCU read section or `vhost_vsock_mutex` is held when
+CONFIG_PROVE_RCU_LIST is enabled; and also clarify the comment for
+vhost_vsock_get() to better describe the locking requirements and the
+scope of the returned pointer validity.
+
+About vhost_vsock_reset_orphans(), currently this function is only
+called via vsock_for_each_connected_socket(), which holds the
+`vsock_table_lock` spinlock (which is also an RCU read-side critical
+section). However, add an explicit RCU read lock there to make the code
+more robust and explicit about the RCU requirements, and to prevent
+issues if the calling context changes in the future or if
+vhost_vsock_reset_orphans() is called from other contexts.
+
+Fixes: 834e772c8db0 ("vhost/vsock: fix use-after-free in network stack callers")
+Cc: stefanha@redhat.com
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20251126133826.142496-1-sgarzare@redhat.com>
+Message-ID: <20251126210313.GA499503@fedora>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vsock.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
+index 2ec0d5260685..912e5153b1f8 100644
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -64,14 +64,15 @@ static u32 vhost_transport_get_local_cid(void)
+ return VHOST_VSOCK_DEFAULT_HOST_CID;
+ }
+
+-/* Callers that dereference the return value must hold vhost_vsock_mutex or the
+- * RCU read lock.
++/* Callers must be in an RCU read section or hold the vhost_vsock_mutex.
++ * The return value can only be dereferenced while within the section.
+ */
+ static struct vhost_vsock *vhost_vsock_get(u32 guest_cid)
+ {
+ struct vhost_vsock *vsock;
+
+- hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid) {
++ hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid,
++ lockdep_is_held(&vhost_vsock_mutex)) {
+ u32 other_cid = vsock->guest_cid;
+
+ /* Skip instances that have no CID yet */
+@@ -695,9 +696,15 @@ static void vhost_vsock_reset_orphans(struct sock *sk)
+ * executing.
+ */
+
++ rcu_read_lock();
++
+ /* If the peer is still valid, no need to reset connection */
+- if (vhost_vsock_get(vsk->remote_addr.svm_cid))
++ if (vhost_vsock_get(vsk->remote_addr.svm_cid)) {
++ rcu_read_unlock();
+ return;
++ }
++
++ rcu_read_unlock();
+
+ /* If the close timeout is pending, let it expire. This avoids races
+ * with the timeout callback.
+--
+2.51.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
