--- /dev/null
+From 6bb1961d1f55ad3cf11fcbc1d0cf78d7d2505f4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 11:21:52 -0400
+Subject: dlm: check for defined force value in dlm_lockspace_release
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 6af515c9f3ccec3eb8a262ca86bef2c499d07951 ]
+
+Force values over 3 are undefined, so don't treat them as 3.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index 624617c12250a..db33e521556e3 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -783,7 +783,7 @@ static int release_lockspace(struct dlm_ls *ls, int force)
+
+ dlm_device_deregister(ls);
+
+- if (force < 3 && dlm_user_daemon_available())
++ if (force != 3 && dlm_user_daemon_available())
+ do_uevent(ls, 0);
+
+ dlm_recoverd_stop(ls);
+--
+2.51.0
+
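Review bot: With `force != 3` on the new line, an out-of-range force value (4 or more), which the subject calls undefined, now takes the same path as 0–2 and triggers do_uevent(); the commit stops treating it as 3 but does not reject it either. If force can originate from userspace through the lockspace release interface — release_lockspace()'s callers are outside the hunk, so I cannot confirm — an explicit `if (force < 0 || force > 3) return -EINVAL;` at the entry point would make the contract visible instead of silently accepting undefined values. At minimum a comment on the condition, e.g. `/* force == 3 skips the uevent; values above 3 are undefined and are deliberately not treated as 3 */`, records the intent for the next reader.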
--- /dev/null
+From 5ef45f8eb1548294cfb01f3b61d656697387f0a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Aug 2025 15:36:09 +0800
+Subject: exec: Fix incorrect type for ret
+
+From: Xichao Zhao <zhao.xichao@vivo.com>
+
+[ Upstream commit 5e088248375d171b80c643051e77ade6b97bc386 ]
+
+In the setup_arg_pages(), ret is declared as an unsigned long.
+The ret might take a negative value. Therefore, its type should
+be changed to int.
+
+Signed-off-by: Xichao Zhao <zhao.xichao@vivo.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20250825073609.219855-1-zhao.xichao@vivo.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 7144c541818f6..2979b458b650a 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -746,7 +746,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ unsigned long stack_top,
+ int executable_stack)
+ {
+- unsigned long ret;
++ int ret;
+ unsigned long stack_shift;
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma = bprm->vma;
+--
+2.51.0
+
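Review bot: Narrowing `ret` from `unsigned long` to `int` is only safe if every assignment to it in setup_arg_pages() is an int-valued error code; the rest of the function is outside this hunk, so any remaining assignment of an address or length into `ret` would now truncate silently on 64-bit. Worth confirming, by reading the tail of the function or building with `-Wconversion`, that the only sources are int-returning calls and negative errno constants. The declaration could also carry the contract, `int ret; /* 0 or negative errno */`, so the type is not widened again later.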
--- /dev/null
+From 621fd2b4c26528885bab7cb6540d21f9c4f4a0a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 12:49:19 -0700
+Subject: hfs: clear offset and space out of valid records in b-tree node
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 18b07c44f245beb03588b00b212b38fce9af7cc9 ]
+
+Currently, hfs_brec_remove() executes moving records
+towards the location of deleted record and it updates
+offsets of moved records. However, the hfs_brec_remove()
+logic ignores the "mess" of b-tree node's free space and
+it doesn't touch the offsets out of records number.
+Potentially, it could confuse fsck or driver logic or
+to be a reason of potential corruption cases.
+
+This patch reworks the logic of hfs_brec_remove()
+by means of clearing freed space of b-tree node
+after the records moving. And it clear the last
+offset that keeping old location of free space
+because now the offset before this one is keeping
+the actual offset to the free space after the record
+deletion.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250815194918.38165-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/brec.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
+index 896396554bcc1..b01db1fae147c 100644
+--- a/fs/hfs/brec.c
++++ b/fs/hfs/brec.c
+@@ -179,6 +179,7 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ struct hfs_btree *tree;
+ struct hfs_bnode *node, *parent;
+ int end_off, rec_off, data_off, size;
++ int src, dst, len;
+
+ tree = fd->tree;
+ node = fd->bnode;
+@@ -208,10 +209,14 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ }
+ hfs_bnode_write_u16(node, offsetof(struct hfs_bnode_desc, num_recs), node->num_recs);
+
+- if (rec_off == end_off)
+- goto skip;
+ size = fd->keylength + fd->entrylength;
+
++ if (rec_off == end_off) {
++ src = fd->keyoffset;
++ hfs_bnode_clear(node, src, size);
++ goto skip;
++ }
++
+ do {
+ data_off = hfs_bnode_read_u16(node, rec_off);
+ hfs_bnode_write_u16(node, rec_off + 2, data_off - size);
+@@ -219,9 +224,23 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ } while (rec_off >= end_off);
+
+ /* fill hole */
+- hfs_bnode_move(node, fd->keyoffset, fd->keyoffset + size,
+- data_off - fd->keyoffset - size);
++ dst = fd->keyoffset;
++ src = fd->keyoffset + size;
++ len = data_off - src;
++
++ hfs_bnode_move(node, dst, src, len);
++
++ src = dst + len;
++ len = data_off - src;
++
++ hfs_bnode_clear(node, src, len);
++
+ skip:
++ /*
++ * Remove the obsolete offset to free space.
++ */
++ hfs_bnode_write_u16(node, end_off, 0);
++
+ hfs_bnode_dump(node);
+ if (!fd->record)
+ hfs_brec_update_parent(fd);
+--
+2.51.0
+
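Review bot: `len = data_off - src` on the new side is derived entirely from on-disk values (`data_off` read with hfs_bnode_read_u16(), `fd->keyoffset`, `size`) with no check that it is non-negative, so a node whose free-space offset lies below the removed record hands a negative or oversized length to hfs_bnode_move() and hfs_bnode_clear(); whether those helpers clamp it is outside this hunk. A guard before the move, `if (len < 0) return -EIO;`, stops a corrupt image from turning a record removal into an out-of-range move, though it is better placed before the offset loop rewrites the table if the quantities can be computed there. The second `src`/`len` reassignment reuses the names for a different region — the tail vacated by the move — and deserves a comment such as `/* zero the vacated tail so stale key/entry bytes do not linger in the free area */`; the `rec_off == end_off` branch can pass `fd->keyoffset` directly instead of through `src`. hfs_brec_remove() begins before this hunk.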
--- /dev/null
+From 98a7f19664a11d01e70898d5940c05d2337b6d67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Aug 2025 16:06:38 -0700
+Subject: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd ]
+
+The syzbot reported issue in hfs_find_set_zero_bits():
+
+=====================================================
+BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
+ hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
+ hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151
+ hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408
+ hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353
+ __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151
+ block_write_begin fs/buffer.c:2262 [inline]
+ cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601
+ hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
+ cont_expand_zero fs/buffer.c:2528 [inline]
+ cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591
+ hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
+ hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494
+ hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654
+ notify_change+0x1993/0x1aa0 fs/attr.c:552
+ do_truncate+0x28f/0x310 fs/open.c:68
+ do_ftruncate+0x698/0x730 fs/open.c:195
+ do_sys_ftruncate fs/open.c:210 [inline]
+ __do_sys_ftruncate fs/open.c:215 [inline]
+ __se_sys_ftruncate fs/open.c:213 [inline]
+ __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213
+ x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:4154 [inline]
+ slab_alloc_node mm/slub.c:4197 [inline]
+ __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354
+ kmalloc_noprof include/linux/slab.h:905 [inline]
+ hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175
+ hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337
+ get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681
+ get_tree_bdev+0x38/0x50 fs/super.c:1704
+ hfs_get_tree+0x35/0x40 fs/hfs/super.c:388
+ vfs_get_tree+0xb0/0x5c0 fs/super.c:1804
+ do_new_mount+0x738/0x1610 fs/namespace.c:3902
+ path_mount+0x6db/0x1e90 fs/namespace.c:4226
+ do_mount fs/namespace.c:4239 [inline]
+ __do_sys_mount fs/namespace.c:4450 [inline]
+ __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427
+ __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427
+ x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
+=====================================================
+
+The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():
+
+HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
+
+Finally, it can trigger the reported issue because kmalloc()
+doesn't clear the allocated memory. If allocated memory contains
+only zeros, then everything will work pretty fine.
+But if the allocated memory contains the "garbage", then
+it can affect the bitmap operations and it triggers
+the reported issue.
+
+This patch simply exchanges the kmalloc() on kzalloc()
+with the goal to guarantee the correctness of bitmap operations.
+Because, newly created allocation bitmap should have all
+available blocks free. Potentially, initialization bitmap's read
+operation could not fill the whole allocated memory and
+"garbage" in the not initialized memory will be the reason of
+volume coruptions and file system driver bugs.
+
+Reported-by: syzbot <syzbot+773fa9d79b29bd8b6831@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=773fa9d79b29bd8b6831
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250820230636.179085-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/mdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
+index cdf0edeeb2781..f8f976afcc740 100644
+--- a/fs/hfs/mdb.c
++++ b/fs/hfs/mdb.c
+@@ -172,7 +172,7 @@ int hfs_mdb_get(struct super_block *sb)
+ pr_warn("continuing without an alternate MDB\n");
+ }
+
+- HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
++ HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL);
+ if (!HFS_SB(sb)->bitmap)
+ goto out;
+
+--
+2.51.0
+
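Review bot: Zeroing the 8192-byte bitmap buffer makes unread bytes read as "free" rather than as garbage, which is the right default for a zero-bit search but means the read path that fills the buffer (below this hunk, outside it) must still fail the mount on a short or failed read; otherwise blocks whose allocation state was never read from disk look allocatable. Worth confirming that path returns an error rather than continuing, since the description itself notes the read may not fill the whole buffer. The literal `8192` is also a magic number; a named constant such as `HFS_BITMAP_SIZE` with a comment on where the bound comes from would document the assumption behind the allocation.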
--- /dev/null
+From f4bdcdfcb7bdd269902e2190a5915ec8790f5ff6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 15:52:52 -0700
+Subject: hfs: make proper initalization of struct hfs_find_data
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit c62663a986acee7c4485c1fa9de5fc40194b6290 ]
+
+Potenatially, __hfs_ext_read_extent() could operate by
+not initialized values of fd->key after hfs_brec_find() call:
+
+static inline int __hfs_ext_read_extent(struct hfs_find_data *fd, struct hfs_extent *extent,
+ u32 cnid, u32 block, u8 type)
+{
+ int res;
+
+ hfs_ext_build_key(fd->search_key, cnid, block, type);
+ fd->key->ext.FNum = 0;
+ res = hfs_brec_find(fd);
+ if (res && res != -ENOENT)
+ return res;
+ if (fd->key->ext.FNum != fd->search_key->ext.FNum ||
+ fd->key->ext.FkType != fd->search_key->ext.FkType)
+ return -ENOENT;
+ if (fd->entrylength != sizeof(hfs_extent_rec))
+ return -EIO;
+ hfs_bnode_read(fd->bnode, extent, fd->entryoffset, sizeof(hfs_extent_rec));
+ return 0;
+}
+
+This patch changes kmalloc() on kzalloc() in hfs_find_init()
+and intializes fd->record, fd->keyoffset, fd->keylength,
+fd->entryoffset, fd->entrylength for the case if hfs_brec_find()
+has been found nothing in the b-tree node.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250818225252.126427-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/bfind.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c
+index ef9498a6e88ac..6d37b4c759034 100644
+--- a/fs/hfs/bfind.c
++++ b/fs/hfs/bfind.c
+@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+
+ fd->tree = tree;
+ fd->bnode = NULL;
+- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+@@ -112,6 +112,12 @@ int hfs_brec_find(struct hfs_find_data *fd)
+ __be32 data;
+ int height, res;
+
++ fd->record = -1;
++ fd->keyoffset = -1;
++ fd->keylength = -1;
++ fd->entryoffset = -1;
++ fd->entrylength = -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
+--
+2.51.0
+
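Review bot: The five `-1` resets at the top of hfs_brec_find() establish a sentinel contract — after a search that fails before __hfs_brec_find() fills them, `fd->record`, `keyoffset`, `keylength`, `entryoffset` and `entrylength` are -1 — but the new code does not say so, and the __hfs_ext_read_extent() quoted in the description relies on `fd->entrylength != sizeof(hfs_extent_rec)` to reject exactly that state. A comment above the block, `/* Reset to -1 so a failed search cannot leave stale or uninitialized values; callers must check the result before using these. */`, would make the dependency explicit. It is also worth stating there that kzalloc() alone does not cover the cnid 0 / data-fork case from the description, since a zeroed fd->key appears to compare equal to that search key if the data-fork type code is zero, and it is the -1 entrylength that turns it into -EIO. The same point applies to the identical change in fs/hfsplus/bfind.c further down this page.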
--- /dev/null
+From f17312bc406313f43c1a4a6d52d44af9d9070f9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 22:17:34 +0800
+Subject: hfs: validate record offset in hfsplus_bmap_alloc
+
+From: Yang Chenzhi <yang.chenzhi@vivo.com>
+
+[ Upstream commit 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 ]
+
+hfsplus_bmap_alloc can trigger a crash if a
+record offset or length is larger than node_size
+
+[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0
+[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183
+[ 15.265949]
+[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)
+[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 15.266167] Call Trace:
+[ 15.266168] <TASK>
+[ 15.266169] dump_stack_lvl+0x53/0x70
+[ 15.266173] print_report+0xd0/0x660
+[ 15.266181] kasan_report+0xce/0x100
+[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0
+[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0
+[ 15.266217] hfsplus_brec_insert+0x870/0xb00
+[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570
+[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910
+[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200
+[ 15.266233] hfsplus_file_extend+0x5a7/0x1000
+[ 15.266237] hfsplus_get_block+0x12b/0x8c0
+[ 15.266238] __block_write_begin_int+0x36b/0x12c0
+[ 15.266251] block_write_begin+0x77/0x110
+[ 15.266252] cont_write_begin+0x428/0x720
+[ 15.266259] hfsplus_write_begin+0x51/0x100
+[ 15.266262] cont_write_begin+0x272/0x720
+[ 15.266270] hfsplus_write_begin+0x51/0x100
+[ 15.266274] generic_perform_write+0x321/0x750
+[ 15.266285] generic_file_write_iter+0xc3/0x310
+[ 15.266289] __kernel_write_iter+0x2fd/0x800
+[ 15.266296] dump_user_range+0x2ea/0x910
+[ 15.266301] elf_core_dump+0x2a94/0x2ed0
+[ 15.266320] vfs_coredump+0x1d85/0x45e0
+[ 15.266349] get_signal+0x12e3/0x1990
+[ 15.266357] arch_do_signal_or_restart+0x89/0x580
+[ 15.266362] irqentry_exit_to_user_mode+0xab/0x110
+[ 15.266364] asm_exc_page_fault+0x26/0x30
+[ 15.266366] RIP: 0033:0x41bd35
+[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f
+[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283
+[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000
+[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100
+[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000
+[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000
+[ 15.266376] </TASK>
+
+When calling hfsplus_bmap_alloc to allocate a free node, this function
+first retrieves the bitmap from header node and map node using node->page
+together with the offset and length from hfs_brec_lenoff
+
+```
+len = hfs_brec_lenoff(node, 2, &off16);
+off = off16;
+
+off += node->page_offset;
+pagep = node->page + (off >> PAGE_SHIFT);
+data = kmap_local_page(*pagep);
+```
+
+However, if the retrieved offset or length is invalid(i.e. exceeds
+node_size), the code may end up accessing pages outside the allocated
+range for this node.
+
+This patch adds proper validation of both offset and length before use,
+preventing out-of-bounds page access. Move is_bnode_offset_valid and
+check_and_correct_requested_length to hfsplus_fs.h, as they may be
+required by other functions.
+
+Reported-by: syzbot+356aed408415a56543cd@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67bcb4a6.050a0220.bbfd1.008f.GAE@google.com/
+Signed-off-by: Yang Chenzhi <yang.chenzhi@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250818141734.8559-2-yang.chenzhi@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/bnode.c | 41 ----------------------------------------
+ fs/hfsplus/btree.c | 6 ++++++
+ fs/hfsplus/hfsplus_fs.h | 42 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 48 insertions(+), 41 deletions(-)
+
+diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
+index c9c38fddf505b..e566cea238279 100644
+--- a/fs/hfsplus/bnode.c
++++ b/fs/hfsplus/bnode.c
+@@ -18,47 +18,6 @@
+ #include "hfsplus_fs.h"
+ #include "hfsplus_raw.h"
+
+-static inline
+-bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
+-{
+- bool is_valid = off < node->tree->node_size;
+-
+- if (!is_valid) {
+- pr_err("requested invalid offset: "
+- "NODE: id %u, type %#x, height %u, "
+- "node_size %u, offset %d\n",
+- node->this, node->type, node->height,
+- node->tree->node_size, off);
+- }
+-
+- return is_valid;
+-}
+-
+-static inline
+-int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
+-{
+- unsigned int node_size;
+-
+- if (!is_bnode_offset_valid(node, off))
+- return 0;
+-
+- node_size = node->tree->node_size;
+-
+- if ((off + len) > node_size) {
+- int new_len = (int)node_size - off;
+-
+- pr_err("requested length has been corrected: "
+- "NODE: id %u, type %#x, height %u, "
+- "node_size %u, offset %d, "
+- "requested_len %d, corrected_len %d\n",
+- node->this, node->type, node->height,
+- node->tree->node_size, off, len, new_len);
+-
+- return new_len;
+- }
+-
+- return len;
+-}
+
+ /* Copy a specified range of bytes from the raw data of a node */
+ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
+diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
+index 66774f4cb4fd5..2211907537fec 100644
+--- a/fs/hfsplus/btree.c
++++ b/fs/hfsplus/btree.c
+@@ -392,6 +392,12 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
+ len = hfs_brec_lenoff(node, 2, &off16);
+ off = off16;
+
++ if (!is_bnode_offset_valid(node, off)) {
++ hfs_bnode_put(node);
++ return ERR_PTR(-EIO);
++ }
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ pagep = node->page + (off >> PAGE_SHIFT);
+ data = kmap(*pagep);
+diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
+index c37a2f3d88af0..27fcadf4e9f82 100644
+--- a/fs/hfsplus/hfsplus_fs.h
++++ b/fs/hfsplus/hfsplus_fs.h
+@@ -579,6 +579,48 @@ hfsplus_btree_lock_class(struct hfs_btree *tree)
+ return class;
+ }
+
++static inline
++bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
++{
++ bool is_valid = off < node->tree->node_size;
++
++ if (!is_valid) {
++ pr_err("requested invalid offset: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off);
++ }
++
++ return is_valid;
++}
++
++static inline
++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
++{
++ unsigned int node_size;
++
++ if (!is_bnode_offset_valid(node, off))
++ return 0;
++
++ node_size = node->tree->node_size;
++
++ if ((off + len) > node_size) {
++ int new_len = (int)node_size - off;
++
++ pr_err("requested length has been corrected: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, "
++ "requested_len %d, corrected_len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len, new_len);
++
++ return new_len;
++ }
++
++ return len;
++}
++
+ /* compatibility */
+ #define hfsp_mt2ut(t) (struct timespec64){ .tv_sec = __hfsp_mt2ut(t) }
+ #define hfsp_ut2mt(t) __hfsp_ut2mt((t).tv_sec)
+--
+2.51.0
+
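Review bot: The helpers moved into hfsplus_fs.h are now part of the header's interface but carry no documentation, and check_and_correct_requested_length() has a contract callers can misread: it returns 0 both when the offset is invalid (after logging) and when the requested length was genuinely 0, so the new btree.c call is only safe because is_bnode_offset_valid() is checked first. A kernel-doc block on each helper stating this — returns 0 if @off is outside the node, otherwise @len clamped to node_size - @off — plus a one-line comment at the btree.c call site, `/* off is validated above, so a 0 here means a zero-length bitmap record */`, would keep future callers from relying on the clamped length alone. If hfs_brec_lenoff() returns the u16 difference as I recall, a non-monotonic offset pair arrives here as a large positive length and is clamped rather than rejected, which in hfs_bmap_alloc() only shortens the scan of this map node; that is worth saying in the helper's comment. hfs_bmap_alloc() begins before this hunk.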
--- /dev/null
+From 5b44f17fe8add5fbc93cc29e969a84a8c12c362e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 15:52:32 -0700
+Subject: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 4840ceadef4290c56cc422f0fc697655f3cbf070 ]
+
+The syzbot reported issue in __hfsplus_ext_cache_extent():
+
+[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0
+[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.199771][ T9350] ksys_write+0x23e/0x490
+[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.202054][ T9350]
+[ 70.202279][ T9350] Uninit was created at:
+[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80
+[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0
+[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0
+[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.207961][ T9350] ksys_write+0x23e/0x490
+[ 70.208375][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.210230][ T9350]
+[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5
+[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.212115][ T9350] =====================================================
+[ 70.212734][ T9350] Disabling lock debugging due to kernel taint
+[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ...
+[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5
+[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE
+[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.215999][ T9350] Call Trace:
+[ 70.216309][ T9350] <TASK>
+[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0
+[ 70.217025][ T9350] dump_stack+0x1e/0x30
+[ 70.217421][ T9350] panic+0x502/0xca0
+[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+
+[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...
+ kernel
+:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+set ...
+[ 70.221254][ T9350] ? __msan_warning+0x96/0x120
+[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0
+[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0
+[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0
+[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950
+[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130
+[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060
+[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460
+[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0
+[ 70.228540][ T9350] ? vfs_write+0xb0f/0x14e0
+[ 70.228997][ T9350] ? ksys_write+0x23e/0x490
+[ 70.229458][ T9350] ? __x64_sys_write+0x97/0xf0
+[ 70.229939][ T9350] ? x64_sys_call+0x3015/0x3cf0
+[ 70.230432][ T9350] ? do_syscall_64+0xd9/0x1d0
+[ 70.230941][ T9350] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.231926][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.232738][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.233711][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.234516][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.235398][ T9350] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.236323][ T9350] ? hfsplus_brec_find+0x218/0x9f0
+[ 70.237090][ T9350] ? __pfx_hfs_find_rec_by_key+0x10/0x10
+[ 70.237938][ T9350] ? __msan_instrument_asm_store+0xbf/0xf0
+[ 70.238827][ T9350] ? __msan_metadata_ptr_for_store_4+0x27/0x40
+[ 70.239772][ T9350] ? __hfsplus_ext_write_extent+0x536/0x620
+[ 70.240666][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.241175][ T9350] __msan_warning+0x96/0x120
+[ 70.241645][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.242223][ T9350] hfsplus_file_extend+0x74f/0x1cf0
+[ 70.242748][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.243255][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.243878][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.244400][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.244967][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.245531][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10
+[ 70.246079][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.246598][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.247105][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10
+[ 70.247650][ T9350] ? __pfx_hfsplus_write_begin+0x10/0x10
+[ 70.248211][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.248752][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.249314][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.249856][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.250487][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.250930][ T9350] ? __pfx_generic_file_write_iter+0x10/0x10
+[ 70.251530][ T9350] ksys_write+0x23e/0x490
+[ 70.251974][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.252450][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.252924][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.253384][ T9350] ? irqentry_exit+0x16/0x60
+[ 70.253844][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.254430][ T9350] RIP: 0033:0x7f7a92adffc9
+[ 70.254873][ T9350] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
+[ 70.256674][ T9350] RSP: 002b:00007fff0bca3188 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
+[ 70.257485][ T9350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a92adffc9
+[ 70.258246][ T9350] RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000004
+[ 70.258998][ T9350] RBP: 00007fff0bca31a0 R08: 00007fff0bca31a0 R09: 00007fff0bca31a0
+[ 70.259769][ T9350] R10: 0000000000000000 R11: 0000000000000202 R12: 000055e0d75f8250
+[ 70.260520][ T9350] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 70.261286][ T9350] </TASK>
+[ 70.262026][ T9350] Kernel Offset: disabled
+
+(gdb) l *__hfsplus_ext_cache_extent+0x7d0
+0xffffffff8318aef0 is in __hfsplus_ext_cache_extent (fs/hfsplus/extents.c:168).
+163 fd->key->ext.cnid = 0;
+164 res = hfs_brec_find(fd, hfs_find_rec_by_key);
+165 if (res && res != -ENOENT)
+166 return res;
+167 if (fd->key->ext.cnid != fd->search_key->ext.cnid ||
+168 fd->key->ext.fork_type != fd->search_key->ext.fork_type)
+169 return -ENOENT;
+170 if (fd->entrylength != sizeof(hfsplus_extent_rec))
+171 return -EIO;
+172 hfs_bnode_read(fd->bnode, extent, fd->entryoffset,
+
+The __hfsplus_ext_cache_extent() calls __hfsplus_ext_read_extent():
+
+res = __hfsplus_ext_read_extent(fd, hip->cached_extents, inode->i_ino,
+ block, HFSPLUS_IS_RSRC(inode) ?
+ HFSPLUS_TYPE_RSRC :
+ HFSPLUS_TYPE_DATA);
+
+And if inode->i_ino could be equal to zero or any non-available CNID,
+then hfs_brec_find() could not find the record in the tree. As a result,
+fd->key could be compared with fd->search_key. But hfsplus_find_init()
+uses kmalloc() for fd->key and fd->search_key allocation:
+
+int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+{
+<skipped>
+ ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+ fd->key = ptr + tree->max_key_len + 2;
+<skipped>
+}
+
+Finally, fd->key is still not initialized if hfs_brec_find()
+has found nothing.
+
+This patch changes kmalloc() on kzalloc() in hfs_find_init()
+and intializes fd->record, fd->keyoffset, fd->keylength,
+fd->entryoffset, fd->entrylength for the case if hfs_brec_find()
+has been found nothing in the b-tree node.
+
+Reported-by: syzbot <syzbot+55ad87f38795d6787521@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=55ad87f38795d6787521
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250818225232.126402-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/bfind.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c
+index 901e83d65d202..26ebac4c60424 100644
+--- a/fs/hfsplus/bfind.c
++++ b/fs/hfsplus/bfind.c
+@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+
+ fd->tree = tree;
+ fd->bnode = NULL;
+- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+@@ -158,6 +158,12 @@ int hfs_brec_find(struct hfs_find_data *fd, search_strategy_t do_key_compare)
+ __be32 data;
+ int height, res;
+
++ fd->record = -1;
++ fd->keyoffset = -1;
++ fd->keylength = -1;
++ fd->entryoffset = -1;
++ fd->entrylength = -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
+--
+2.51.0
+
--- /dev/null
+From 3f3b210e5f5de6908db840ed384620adfb92afc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Aug 2025 15:51:04 -0700
+Subject: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 9b3d15a758910bb98ba8feb4109d99cc67450ee4 ]
+
+The syzbot reported issue in hfsplus_delete_cat():
+
+[ 70.682285][ T9333] =====================================================
+[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0
+[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310
+[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810
+[ 70.685447][ T9333] do_rmdir+0x964/0xea0
+[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0
+[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0
+[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.687646][ T9333]
+[ 70.687856][ T9333] Uninit was stored to memory at:
+[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
+[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800
+[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600
+[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70
+[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0
+[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30
+[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0
+[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0
+[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.692773][ T9333]
+[ 70.692990][ T9333] Uninit was stored to memory at:
+[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
+[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800
+[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700
+[ 70.694911][ T9333] mount_bdev+0x37b/0x530
+[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60
+[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0
+[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0
+[ 70.696588][ T9333] do_new_mount+0x73e/0x1630
+[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0
+[ 70.697425][ T9333] __se_sys_mount+0x733/0x830
+[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150
+[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0
+[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.699730][ T9333]
+[ 70.699946][ T9333] Uninit was created at:
+[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60
+[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0
+[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0
+[ 70.701774][ T9333] allocate_slab+0x30e/0x1390
+[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0
+[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20
+[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0
+[ 70.703598][ T9333] alloc_inode+0x82/0x490
+[ 70.703984][ T9333] iget_locked+0x22e/0x1320
+[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0
+[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0
+[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700
+[ 70.705776][ T9333] mount_bdev+0x37b/0x530
+[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60
+[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0
+[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0
+[ 70.707444][ T9333] do_new_mount+0x73e/0x1630
+[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0
+[ 70.708270][ T9333] __se_sys_mount+0x733/0x830
+[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150
+[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0
+[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.710611][ T9333]
+[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17
+[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.712490][ T9333] =====================================================
+[ 70.713085][ T9333] Disabling lock debugging due to kernel taint
+[ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...
+[ 70.714159][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Tainted: G B 6.12.0-rc6-dirty #17
+[ 70.715007][ T9333] Tainted: [B]=BAD_PAGE
+[ 70.715365][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.716311][ T9333] Call Trace:
+[ 70.716621][ T9333] <TASK>
+[ 70.716899][ T9333] dump_stack_lvl+0x1fd/0x2b0
+[ 70.717350][ T9333] dump_stack+0x1e/0x30
+[ 70.717743][ T9333] panic+0x502/0xca0
+[ 70.718116][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.718611][ T9333] kmsan_report+0x296/0x2a0
+[ 70.719038][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.719859][ T9333] ? __msan_warning+0x96/0x120
+[ 70.720345][ T9333] ? hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.720881][ T9333] ? hfsplus_delete_cat+0x105d/0x12b0
+[ 70.721412][ T9333] ? hfsplus_rmdir+0x13d/0x310
+[ 70.721880][ T9333] ? vfs_rmdir+0x5ba/0x810
+[ 70.722458][ T9333] ? do_rmdir+0x964/0xea0
+[ 70.722883][ T9333] ? __x64_sys_rmdir+0x71/0xb0
+[ 70.723397][ T9333] ? x64_sys_call+0xcd8/0x3cf0
+[ 70.723915][ T9333] ? do_syscall_64+0xd9/0x1d0
+[ 70.724454][ T9333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.725110][ T9333] ? vprintk_emit+0xd1f/0xe60
+[ 70.725616][ T9333] ? vprintk_default+0x3f/0x50
+[ 70.726175][ T9333] ? vprintk+0xce/0xd0
+[ 70.726628][ T9333] ? _printk+0x17e/0x1b0
+[ 70.727129][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.727739][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.728324][ T9333] __msan_warning+0x96/0x120
+[ 70.728854][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.729479][ T9333] hfsplus_delete_cat+0x105d/0x12b0
+[ 70.729984][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.730646][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.731296][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.731863][ T9333] hfsplus_rmdir+0x13d/0x310
+[ 70.732390][ T9333] ? __pfx_hfsplus_rmdir+0x10/0x10
+[ 70.732919][ T9333] vfs_rmdir+0x5ba/0x810
+[ 70.733416][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.734044][ T9333] do_rmdir+0x964/0xea0
+[ 70.734537][ T9333] __x64_sys_rmdir+0x71/0xb0
+[ 70.735032][ T9333] x64_sys_call+0xcd8/0x3cf0
+[ 70.735579][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.736092][ T9333] ? irqentry_exit+0x16/0x60
+[ 70.736637][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.737269][ T9333] RIP: 0033:0x7fa9424eafc9
+[ 70.737775][ T9333] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
+[ 70.739844][ T9333] RSP: 002b:00007fff099cd8d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000054
+[ 70.740760][ T9333] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa9424eafc9
+[ 70.741642][ T9333] RDX: 006c6f72746e6f63 RSI: 000000000000000a RDI: 0000000020000100
+[ 70.742543][ T9333] RBP: 00007fff099cd8e0 R08: 00007fff099cd910 R09: 00007fff099cd910
+[ 70.743376][ T9333] R10: 0000000000000000 R11: 0000000000000202 R12: 0000565430642260
+[ 70.744247][ T9333] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 70.745082][ T9333] </TASK>
+
+The main reason for the issue is that struct hfsplus_inode_info
+has not been properly initialized for the case of the root folder.
+In the case of the root folder, hfsplus_fill_super() calls
+hfsplus_iget(), which implements only partial initialization of
+struct hfsplus_inode_info, and the subfolders field is not
+initialized by the hfsplus_iget() logic.
+
+This patch implements complete initialization of
+struct hfsplus_inode_info in the hfsplus_iget() logic with
+the goal to prevent likewise issues for the case of
+root folder.
+
+Reported-by: syzbot <syzbot+fdedff847a0e5e84c39f@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=fdedff847a0e5e84c39f
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250825225103.326401-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/super.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 7648f64a17a82..65c63c7a00b12 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -67,13 +67,26 @@ struct inode *hfsplus_iget(struct super_block *sb, unsigned long ino)
+ if (!(inode->i_state & I_NEW))
+ return inode;
+
+- INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
+- spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
+- mutex_init(&HFSPLUS_I(inode)->extents_lock);
+- HFSPLUS_I(inode)->flags = 0;
++ atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->first_blocks = 0;
++ HFSPLUS_I(inode)->clump_blocks = 0;
++ HFSPLUS_I(inode)->alloc_blocks = 0;
++ HFSPLUS_I(inode)->cached_start = U32_MAX;
++ HFSPLUS_I(inode)->cached_blocks = 0;
++ memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(hfsplus_extent_rec));
++ memset(HFSPLUS_I(inode)->cached_extents, 0, sizeof(hfsplus_extent_rec));
+ HFSPLUS_I(inode)->extent_state = 0;
++ mutex_init(&HFSPLUS_I(inode)->extents_lock);
+ HFSPLUS_I(inode)->rsrc_inode = NULL;
+- atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->create_date = 0;
++ HFSPLUS_I(inode)->linkid = 0;
++ HFSPLUS_I(inode)->flags = 0;
++ HFSPLUS_I(inode)->fs_blocks = 0;
++ HFSPLUS_I(inode)->userflags = 0;
++ HFSPLUS_I(inode)->subfolders = 0;
++ INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
++ spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
++ HFSPLUS_I(inode)->phys_size = 0;
+
+ if (inode->i_ino >= HFSPLUS_FIRSTUSER_CNID ||
+ inode->i_ino == HFSPLUS_ROOT_CNID) {
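Review bot: The new block in hfsplus_iget() re-initialises struct hfsplus_inode_info field by field, so any field added to the struct later will silently reintroduce the uninit-value this commit fixes; the KMSAN trace in the description shows the object coming from a slab cache via hfsplus_alloc_inode(), which presumably does not zero it (the allocator is not visible here). A comment above the list such as `/* hfsplus_alloc_inode() does not zero the object: every field must be reset here */` would make that maintenance obligation explicit. As a point of style, the many repeated `HFSPLUS_I(inode)->` accesses read more easily through one local, `struct hfsplus_inode_info *hip = HFSPLUS_I(inode);`. The function continues outside the hunk.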
+--
+2.51.0
+
--- /dev/null
+From 79cbd4abe81625e5c5f6a388c3499684763b2af6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Aug 2025 10:58:59 -0600
+Subject: hfsplus: return EIO when type of hidden directory mismatch in
+ hfsplus_fill_super()
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit 9282bc905f0949fab8cf86c0f620ca988761254c ]
+
+If Catalog File contains corrupted record for the case of
+hidden directory's type, regard it as I/O error instead of
+Invalid argument.
+
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250805165905.3390154-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 65c63c7a00b12..9f8945042faa8 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -538,7 +538,7 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent)
+ if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ hfs_find_exit(&fd);
+ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
+- err = -EINVAL;
++ err = -EIO;
+ goto out_put_root;
+ }
+ inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
+--
+2.51.0
+
--- /dev/null
+From 5ec620e24abab94f8acc3be20896b98f67924951 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Sep 2025 17:16:13 +0200
+Subject: m68k: bitops: Fix find_*_bit() signatures
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit 6d5674090543b89aac0c177d67e5fb32ddc53804 ]
+
+The function signatures of the m68k-optimized implementations of the
+find_{first,next}_{,zero_}bit() helpers do not match the generic
+variants.
+
+Fix this by changing all non-pointer inputs and outputs to "unsigned
+long", and updating a few local variables.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202509092305.ncd9mzaZ-lkp@intel.com/
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Acked-by: "Yury Norov (NVIDIA)" <yury.norov@gmail.com>
+Link: https://patch.msgid.link/de6919554fbb4cd1427155c6bafbac8a9df822c8.1757517135.git.geert@linux-m68k.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/bitops.h | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/arch/m68k/include/asm/bitops.h b/arch/m68k/include/asm/bitops.h
+index 10133a968c8e1..d2a9aa0485175 100644
+--- a/arch/m68k/include/asm/bitops.h
++++ b/arch/m68k/include/asm/bitops.h
+@@ -314,12 +314,12 @@ static inline int bfchg_mem_test_and_change_bit(int nr,
+ #include <asm-generic/bitops/ffz.h>
+ #else
+
+-static inline int find_first_zero_bit(const unsigned long *vaddr,
+- unsigned size)
++static inline unsigned long find_first_zero_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -340,8 +340,9 @@ static inline int find_first_zero_bit(const unsigned long *vaddr,
+ }
+ #define find_first_zero_bit find_first_zero_bit
+
+-static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_zero_bit(const unsigned long *vaddr,
++ unsigned long size,
++ unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
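Review bot: In find_next_zero_bit() the local `res` on the line `int bit = offset & 31UL, res;` is still `int` while the function now returns `unsigned long`, and the same line is left unchanged in find_next_bit() in the last hunk; the commit message says local variables were updated, but only the find_first_*() variants received `unsigned long res`. Unless the body relies on a negative intermediate value (not visible here), `unsigned long bit = offset & 31UL, res;` would match the first_* helpers and avoid the implicit int-to-unsigned-long conversion on return. Both function bodies continue outside their hunks.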
+@@ -370,11 +371,12 @@ static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+ }
+ #define find_next_zero_bit find_next_zero_bit
+
+-static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
++static inline unsigned long find_first_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -395,8 +397,9 @@ static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
+ }
+ #define find_first_bit find_first_bit
+
+-static inline int find_next_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_bit(const unsigned long *vaddr,
++ unsigned long size,
++ unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
+--
+2.51.0
+
sched-fair-fix-pelt-lost-idle-time-detection.patch
alsa-firewire-amdtp-stream-fix-enum-kernel-doc-warni.patch
hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch
+exec-fix-incorrect-type-for-ret.patch
+hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
+hfs-make-proper-initalization-of-struct-hfs_find_dat.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch
+hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch
+dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch
+hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch
+hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
+m68k-bitops-fix-find_-_bit-signatures.patch
--- /dev/null
+From c68d007983539ec17f883ce6ca7fbeac186775c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 11:21:52 -0400
+Subject: dlm: check for defined force value in dlm_lockspace_release
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 6af515c9f3ccec3eb8a262ca86bef2c499d07951 ]
+
+Force values over 3 are undefined, so don't treat them as 3.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index fa086a81a8476..5394c5713975d 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -785,7 +785,7 @@ static int release_lockspace(struct dlm_ls *ls, int force)
+
+ dlm_device_deregister(ls);
+
+- if (force < 3 && dlm_user_daemon_available())
++ if (force != 3 && dlm_user_daemon_available())
+ do_uevent(ls, 0);
+
+ dlm_recoverd_stop(ls);
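Review bot: With `force != 3` a force value above 3 now takes the do_uevent() path like 0–2, which matches the message's intent of not treating it as 3, but the undefined value is still accepted rather than rejected. If no caller validates the range before release_lockspace() is reached (not visible here), an explicit guard at the function's entry, `if (force < 0 || force > 3) return -EINVAL;`, would make the documented range enforceable instead of relying on each comparison to handle out-of-range values sensibly. release_lockspace() begins and ends outside the hunk.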
+--
+2.51.0
+
--- /dev/null
+From 2a9711e59b977af5339a0efa36d4063e897387ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Aug 2025 15:36:09 +0800
+Subject: exec: Fix incorrect type for ret
+
+From: Xichao Zhao <zhao.xichao@vivo.com>
+
+[ Upstream commit 5e088248375d171b80c643051e77ade6b97bc386 ]
+
+In the setup_arg_pages(), ret is declared as an unsigned long.
+The ret might take a negative value. Therefore, its type should
+be changed to int.
+
+Signed-off-by: Xichao Zhao <zhao.xichao@vivo.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20250825073609.219855-1-zhao.xichao@vivo.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 8395e7ff7b940..4d5defc2966bd 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -746,7 +746,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ unsigned long stack_top,
+ int executable_stack)
+ {
+- unsigned long ret;
++ int ret;
+ unsigned long stack_shift;
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma = bprm->vma;
+--
+2.51.0
+
--- /dev/null
+From 01c9ecc3990af3a49872e8ad52bfb0a418ca37cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 12:49:19 -0700
+Subject: hfs: clear offset and space out of valid records in b-tree node
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 18b07c44f245beb03588b00b212b38fce9af7cc9 ]
+
+Currently, hfs_brec_remove() moves records
+towards the location of the deleted record and updates
+the offsets of the moved records. However, the hfs_brec_remove()
+logic ignores the "mess" in the b-tree node's free space and
+doesn't touch the offsets beyond the number of records.
+Potentially, this could confuse fsck or driver logic or
+be a source of potential corruption.
+
+This patch reworks the logic of hfs_brec_remove()
+by means of clearing freed space of b-tree node
+after the records moving. And it clear the last
+offset that keeping old location of free space
+because now the offset before this one is keeping
+the actual offset to the free space after the record
+deletion.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250815194918.38165-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/brec.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
+index 896396554bcc1..b01db1fae147c 100644
+--- a/fs/hfs/brec.c
++++ b/fs/hfs/brec.c
+@@ -179,6 +179,7 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ struct hfs_btree *tree;
+ struct hfs_bnode *node, *parent;
+ int end_off, rec_off, data_off, size;
++ int src, dst, len;
+
+ tree = fd->tree;
+ node = fd->bnode;
+@@ -208,10 +209,14 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ }
+ hfs_bnode_write_u16(node, offsetof(struct hfs_bnode_desc, num_recs), node->num_recs);
+
+- if (rec_off == end_off)
+- goto skip;
+ size = fd->keylength + fd->entrylength;
+
++ if (rec_off == end_off) {
++ src = fd->keyoffset;
++ hfs_bnode_clear(node, src, size);
++ goto skip;
++ }
++
+ do {
+ data_off = hfs_bnode_read_u16(node, rec_off);
+ hfs_bnode_write_u16(node, rec_off + 2, data_off - size);
+@@ -219,9 +224,23 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ } while (rec_off >= end_off);
+
+ /* fill hole */
+- hfs_bnode_move(node, fd->keyoffset, fd->keyoffset + size,
+- data_off - fd->keyoffset - size);
++ dst = fd->keyoffset;
++ src = fd->keyoffset + size;
++ len = data_off - src;
++
++ hfs_bnode_move(node, dst, src, len);
++
++ src = dst + len;
++ len = data_off - src;
++
++ hfs_bnode_clear(node, src, len);
++
+ skip:
++ /*
++ * Remove the obsolete offset to free space.
++ */
++ hfs_bnode_write_u16(node, end_off, 0);
++
+ hfs_bnode_dump(node);
+ if (!fd->record)
+ hfs_brec_update_parent(fd);
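Review bot: `len = data_off - src;` is computed from on-disk record offsets, so a corrupted node in which `data_off` is smaller than `fd->keyoffset + size` yields a negative `len` that is now passed to both hfs_bnode_move() and the new hfs_bnode_clear() call, and the commit adds no check for it. The removed code had the same exposure on the move alone, so this is pre-existing, but since `size` and `data_off` are both at hand a guard before the move, `if (len < 0) return -EIO;` (or whatever error convention hfs_brec_remove() uses, which is outside the hunk), would turn a silent out-of-range clear into a reported failure. The function body continues outside the hunk.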
+--
+2.51.0
+
--- /dev/null
+From 8b0ebded6bc465ed2b3d568cd257ad26c0b1c0eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Aug 2025 16:06:38 -0700
+Subject: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd ]
+
+The syzbot reported issue in hfs_find_set_zero_bits():
+
+=====================================================
+BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
+ hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
+ hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151
+ hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408
+ hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353
+ __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151
+ block_write_begin fs/buffer.c:2262 [inline]
+ cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601
+ hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
+ cont_expand_zero fs/buffer.c:2528 [inline]
+ cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591
+ hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
+ hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494
+ hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654
+ notify_change+0x1993/0x1aa0 fs/attr.c:552
+ do_truncate+0x28f/0x310 fs/open.c:68
+ do_ftruncate+0x698/0x730 fs/open.c:195
+ do_sys_ftruncate fs/open.c:210 [inline]
+ __do_sys_ftruncate fs/open.c:215 [inline]
+ __se_sys_ftruncate fs/open.c:213 [inline]
+ __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213
+ x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:4154 [inline]
+ slab_alloc_node mm/slub.c:4197 [inline]
+ __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354
+ kmalloc_noprof include/linux/slab.h:905 [inline]
+ hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175
+ hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337
+ get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681
+ get_tree_bdev+0x38/0x50 fs/super.c:1704
+ hfs_get_tree+0x35/0x40 fs/hfs/super.c:388
+ vfs_get_tree+0xb0/0x5c0 fs/super.c:1804
+ do_new_mount+0x738/0x1610 fs/namespace.c:3902
+ path_mount+0x6db/0x1e90 fs/namespace.c:4226
+ do_mount fs/namespace.c:4239 [inline]
+ __do_sys_mount fs/namespace.c:4450 [inline]
+ __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427
+ __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427
+ x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
+=====================================================
+
+The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():
+
+HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
+
+Finally, it can trigger the reported issue because kmalloc()
+doesn't clear the allocated memory. If allocated memory contains
+only zeros, then everything will work pretty fine.
+But if the allocated memory contains the "garbage", then
+it can affect the bitmap operations and it triggers
+the reported issue.
+
+This patch simply replaces the kmalloc() with kzalloc()
+with the goal of guaranteeing the correctness of bitmap operations,
+because a newly created allocation bitmap should have all
+available blocks free. Potentially, the bitmap's initial read
+operation could fail to fill the whole allocated memory, and
+"garbage" in the uninitialized memory would be the cause of
+volume corruptions and file system driver bugs.
+
+Reported-by: syzbot <syzbot+773fa9d79b29bd8b6831@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=773fa9d79b29bd8b6831
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250820230636.179085-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/mdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
+index cdf0edeeb2781..f8f976afcc740 100644
+--- a/fs/hfs/mdb.c
++++ b/fs/hfs/mdb.c
+@@ -172,7 +172,7 @@ int hfs_mdb_get(struct super_block *sb)
+ pr_warn("continuing without an alternate MDB\n");
+ }
+
+- HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
++ HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL);
+ if (!HFS_SB(sb)->bitmap)
+ goto out;
+
+--
+2.51.0
+
--- /dev/null
+From b36cc682d177a20b964863c50e2f4af23c09c6db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 15:52:52 -0700
+Subject: hfs: make proper initalization of struct hfs_find_data
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit c62663a986acee7c4485c1fa9de5fc40194b6290 ]
+
+Potentially, __hfs_ext_read_extent() could operate on
+uninitialized values of fd->key after the hfs_brec_find() call:
+
+static inline int __hfs_ext_read_extent(struct hfs_find_data *fd, struct hfs_extent *extent,
+ u32 cnid, u32 block, u8 type)
+{
+ int res;
+
+ hfs_ext_build_key(fd->search_key, cnid, block, type);
+ fd->key->ext.FNum = 0;
+ res = hfs_brec_find(fd);
+ if (res && res != -ENOENT)
+ return res;
+ if (fd->key->ext.FNum != fd->search_key->ext.FNum ||
+ fd->key->ext.FkType != fd->search_key->ext.FkType)
+ return -ENOENT;
+ if (fd->entrylength != sizeof(hfs_extent_rec))
+ return -EIO;
+ hfs_bnode_read(fd->bnode, extent, fd->entryoffset, sizeof(hfs_extent_rec));
+ return 0;
+}
+
+This patch changes kmalloc() on kzalloc() in hfs_find_init()
+and intializes fd->record, fd->keyoffset, fd->keylength,
+fd->entryoffset, fd->entrylength for the case if hfs_brec_find()
+has been found nothing in the b-tree node.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250818225252.126427-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/bfind.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c
+index ef9498a6e88ac..6d37b4c759034 100644
+--- a/fs/hfs/bfind.c
++++ b/fs/hfs/bfind.c
+@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+
+ fd->tree = tree;
+ fd->bnode = NULL;
+- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+@@ -112,6 +112,12 @@ int hfs_brec_find(struct hfs_find_data *fd)
+ __be32 data;
+ int height, res;
+
++ fd->record = -1;
++ fd->keyoffset = -1;
++ fd->keylength = -1;
++ fd->entryoffset = -1;
++ fd->entrylength = -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
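Review bot: The five `-1` assignments at the top of hfs_brec_find() carry no comment, and the reason — per the description, a lookup that finds nothing must not leave offsets and lengths from a previous search in fd — is not obvious at the point of use. A comment above `fd->record = -1;` such as `/* Reset lookup results so a miss never exposes a previous search's offsets */` would state the contract, and callers that compare `fd->entrylength` against a record size, as the description's __hfs_ext_read_extent() does, then visibly rely on a deliberate sentinel. The function body continues outside the hunk.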
+--
+2.51.0
+
--- /dev/null
+From 7fd2a77d68d3b30e188d7a255184649769d52f5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 22:17:34 +0800
+Subject: hfs: validate record offset in hfsplus_bmap_alloc
+
+From: Yang Chenzhi <yang.chenzhi@vivo.com>
+
+[ Upstream commit 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 ]
+
+hfsplus_bmap_alloc can trigger a crash if a
+record offset or length is larger than node_size
+
+[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0
+[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183
+[ 15.265949]
+[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)
+[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 15.266167] Call Trace:
+[ 15.266168] <TASK>
+[ 15.266169] dump_stack_lvl+0x53/0x70
+[ 15.266173] print_report+0xd0/0x660
+[ 15.266181] kasan_report+0xce/0x100
+[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0
+[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0
+[ 15.266217] hfsplus_brec_insert+0x870/0xb00
+[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570
+[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910
+[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200
+[ 15.266233] hfsplus_file_extend+0x5a7/0x1000
+[ 15.266237] hfsplus_get_block+0x12b/0x8c0
+[ 15.266238] __block_write_begin_int+0x36b/0x12c0
+[ 15.266251] block_write_begin+0x77/0x110
+[ 15.266252] cont_write_begin+0x428/0x720
+[ 15.266259] hfsplus_write_begin+0x51/0x100
+[ 15.266262] cont_write_begin+0x272/0x720
+[ 15.266270] hfsplus_write_begin+0x51/0x100
+[ 15.266274] generic_perform_write+0x321/0x750
+[ 15.266285] generic_file_write_iter+0xc3/0x310
+[ 15.266289] __kernel_write_iter+0x2fd/0x800
+[ 15.266296] dump_user_range+0x2ea/0x910
+[ 15.266301] elf_core_dump+0x2a94/0x2ed0
+[ 15.266320] vfs_coredump+0x1d85/0x45e0
+[ 15.266349] get_signal+0x12e3/0x1990
+[ 15.266357] arch_do_signal_or_restart+0x89/0x580
+[ 15.266362] irqentry_exit_to_user_mode+0xab/0x110
+[ 15.266364] asm_exc_page_fault+0x26/0x30
+[ 15.266366] RIP: 0033:0x41bd35
+[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f
+[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283
+[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000
+[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100
+[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000
+[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000
+[ 15.266376] </TASK>
+
+When calling hfsplus_bmap_alloc to allocate a free node, this function
+first retrieves the bitmap from header node and map node using node->page
+together with the offset and length from hfs_brec_lenoff
+
+```
+len = hfs_brec_lenoff(node, 2, &off16);
+off = off16;
+
+off += node->page_offset;
+pagep = node->page + (off >> PAGE_SHIFT);
+data = kmap_local_page(*pagep);
+```
+
+However, if the retrieved offset or length is invalid(i.e. exceeds
+node_size), the code may end up accessing pages outside the allocated
+range for this node.
+
+This patch adds proper validation of both offset and length before use,
+preventing out-of-bounds page access. Move is_bnode_offset_valid and
+check_and_correct_requested_length to hfsplus_fs.h, as they may be
+required by other functions.
+
+Reported-by: syzbot+356aed408415a56543cd@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67bcb4a6.050a0220.bbfd1.008f.GAE@google.com/
+Signed-off-by: Yang Chenzhi <yang.chenzhi@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250818141734.8559-2-yang.chenzhi@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/bnode.c | 41 ----------------------------------------
+ fs/hfsplus/btree.c | 6 ++++++
+ fs/hfsplus/hfsplus_fs.h | 42 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 48 insertions(+), 41 deletions(-)
+
+diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
+index c9c38fddf505b..e566cea238279 100644
+--- a/fs/hfsplus/bnode.c
++++ b/fs/hfsplus/bnode.c
+@@ -18,47 +18,6 @@
+ #include "hfsplus_fs.h"
+ #include "hfsplus_raw.h"
+
+-static inline
+-bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
+-{
+- bool is_valid = off < node->tree->node_size;
+-
+- if (!is_valid) {
+- pr_err("requested invalid offset: "
+- "NODE: id %u, type %#x, height %u, "
+- "node_size %u, offset %d\n",
+- node->this, node->type, node->height,
+- node->tree->node_size, off);
+- }
+-
+- return is_valid;
+-}
+-
+-static inline
+-int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
+-{
+- unsigned int node_size;
+-
+- if (!is_bnode_offset_valid(node, off))
+- return 0;
+-
+- node_size = node->tree->node_size;
+-
+- if ((off + len) > node_size) {
+- int new_len = (int)node_size - off;
+-
+- pr_err("requested length has been corrected: "
+- "NODE: id %u, type %#x, height %u, "
+- "node_size %u, offset %d, "
+- "requested_len %d, corrected_len %d\n",
+- node->this, node->type, node->height,
+- node->tree->node_size, off, len, new_len);
+-
+- return new_len;
+- }
+-
+- return len;
+-}
+
+ /* Copy a specified range of bytes from the raw data of a node */
+ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
+diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
+index 66774f4cb4fd5..2211907537fec 100644
+--- a/fs/hfsplus/btree.c
++++ b/fs/hfsplus/btree.c
+@@ -392,6 +392,12 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
+ len = hfs_brec_lenoff(node, 2, &off16);
+ off = off16;
+
++ if (!is_bnode_offset_valid(node, off)) {
++ hfs_bnode_put(node);
++ return ERR_PTR(-EIO);
++ }
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ pagep = node->page + (off >> PAGE_SHIFT);
+ data = kmap(*pagep);
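Review bot: `len = check_and_correct_requested_length(node, off, len);` returns a shortened length when `off + len` exceeds node_size, and the hunk then proceeds to map the page with that value rather than treating a corrected length as corruption; whether the code below copes with a truncated bitmap length is outside the hunk. A bitmap record that overruns the node is as much an on-disk inconsistency as a bad offset, so rejecting it the same way, `if (len != check_and_correct_requested_length(node, off, len)) { hfs_bnode_put(node); return ERR_PTR(-EIO); }`, or at least a comment explaining why truncation is acceptable here, would close that gap. In the header hunk, is_bnode_offset_valid() compares the signed `off` with node_size; if node_size is unsigned (the helper's `unsigned int node_size` copy suggests so) a negative off is rejected only through promotion, which deserves a comment such as `/* off is promoted to unsigned, so negative offsets also fail this check */`. hfs_bmap_alloc() begins and ends outside the hunk.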
+diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
+index c01bf9ff56a96..8396964b056f0 100644
+--- a/fs/hfsplus/hfsplus_fs.h
++++ b/fs/hfsplus/hfsplus_fs.h
+@@ -572,6 +572,48 @@ hfsplus_btree_lock_class(struct hfs_btree *tree)
+ return class;
+ }
+
++static inline
++bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
++{
++ bool is_valid = off < node->tree->node_size;
++
++ if (!is_valid) {
++ pr_err("requested invalid offset: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off);
++ }
++
++ return is_valid;
++}
++
++static inline
++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
++{
++ unsigned int node_size;
++
++ if (!is_bnode_offset_valid(node, off))
++ return 0;
++
++ node_size = node->tree->node_size;
++
++ if ((off + len) > node_size) {
++ int new_len = (int)node_size - off;
++
++ pr_err("requested length has been corrected: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, "
++ "requested_len %d, corrected_len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len, new_len);
++
++ return new_len;
++ }
++
++ return len;
++}
++
+ /* compatibility */
+ #define hfsp_mt2ut(t) (struct timespec64){ .tv_sec = __hfsp_mt2ut(t) }
+ #define hfsp_ut2mt(t) __hfsp_ut2mt((t).tv_sec)
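Review bot: `bool is_valid = off < node->tree->node_size;` relies on the usual arithmetic conversions to reject a negative `off`: with an unsigned `node_size` at least as wide as int the negative value becomes huge and fails the check, but a narrower field type would promote both operands to int and let a negative offset pass. `bool is_valid = off >= 0 && off < node->tree->node_size;` makes the intent independent of the field's type; likewise in check_and_correct_requested_length a negative `len` with `off + len` still non-negative is returned unchanged, so an explicit `len < 0` rejection is worth adding. Both pr_err() calls sit on a path that a crafted image can trigger on every node access, so `pr_err_ratelimited` would keep a corrupt volume from flooding the log.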
+--
+2.51.0
+
--- /dev/null
+From 60593a0805cb65b7a7e26f7a29b5b82df2d71734 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 15:52:32 -0700
+Subject: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 4840ceadef4290c56cc422f0fc697655f3cbf070 ]
+
+The syzbot reported issue in __hfsplus_ext_cache_extent():
+
+[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0
+[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.199771][ T9350] ksys_write+0x23e/0x490
+[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.202054][ T9350]
+[ 70.202279][ T9350] Uninit was created at:
+[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80
+[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0
+[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0
+[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.207961][ T9350] ksys_write+0x23e/0x490
+[ 70.208375][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.210230][ T9350]
+[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5
+[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.212115][ T9350] =====================================================
+[ 70.212734][ T9350] Disabling lock debugging due to kernel taint
+[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ...
+[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5
+[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE
+[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.215999][ T9350] Call Trace:
+[ 70.216309][ T9350] <TASK>
+[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0
+[ 70.217025][ T9350] dump_stack+0x1e/0x30
+[ 70.217421][ T9350] panic+0x502/0xca0
+[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+
+[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...
+ kernel
+:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+set ...
+[ 70.221254][ T9350] ? __msan_warning+0x96/0x120
+[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0
+[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0
+[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0
+[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950
+[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130
+[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060
+[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460
+[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0
+[ 70.228540][ T9350] ? vfs_write+0xb0f/0x14e0
+[ 70.228997][ T9350] ? ksys_write+0x23e/0x490
+[ 70.229458][ T9350] ? __x64_sys_write+0x97/0xf0
+[ 70.229939][ T9350] ? x64_sys_call+0x3015/0x3cf0
+[ 70.230432][ T9350] ? do_syscall_64+0xd9/0x1d0
+[ 70.230941][ T9350] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.231926][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.232738][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.233711][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.234516][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.235398][ T9350] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.236323][ T9350] ? hfsplus_brec_find+0x218/0x9f0
+[ 70.237090][ T9350] ? __pfx_hfs_find_rec_by_key+0x10/0x10
+[ 70.237938][ T9350] ? __msan_instrument_asm_store+0xbf/0xf0
+[ 70.238827][ T9350] ? __msan_metadata_ptr_for_store_4+0x27/0x40
+[ 70.239772][ T9350] ? __hfsplus_ext_write_extent+0x536/0x620
+[ 70.240666][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.241175][ T9350] __msan_warning+0x96/0x120
+[ 70.241645][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.242223][ T9350] hfsplus_file_extend+0x74f/0x1cf0
+[ 70.242748][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.243255][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.243878][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.244400][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.244967][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.245531][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10
+[ 70.246079][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.246598][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.247105][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10
+[ 70.247650][ T9350] ? __pfx_hfsplus_write_begin+0x10/0x10
+[ 70.248211][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.248752][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.249314][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.249856][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.250487][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.250930][ T9350] ? __pfx_generic_file_write_iter+0x10/0x10
+[ 70.251530][ T9350] ksys_write+0x23e/0x490
+[ 70.251974][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.252450][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.252924][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.253384][ T9350] ? irqentry_exit+0x16/0x60
+[ 70.253844][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.254430][ T9350] RIP: 0033:0x7f7a92adffc9
+[ 70.254873][ T9350] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
+[ 70.256674][ T9350] RSP: 002b:00007fff0bca3188 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
+[ 70.257485][ T9350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a92adffc9
+[ 70.258246][ T9350] RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000004
+[ 70.258998][ T9350] RBP: 00007fff0bca31a0 R08: 00007fff0bca31a0 R09: 00007fff0bca31a0
+[ 70.259769][ T9350] R10: 0000000000000000 R11: 0000000000000202 R12: 000055e0d75f8250
+[ 70.260520][ T9350] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 70.261286][ T9350] </TASK>
+[ 70.262026][ T9350] Kernel Offset: disabled
+
+(gdb) l *__hfsplus_ext_cache_extent+0x7d0
+0xffffffff8318aef0 is in __hfsplus_ext_cache_extent (fs/hfsplus/extents.c:168).
+163 fd->key->ext.cnid = 0;
+164 res = hfs_brec_find(fd, hfs_find_rec_by_key);
+165 if (res && res != -ENOENT)
+166 return res;
+167 if (fd->key->ext.cnid != fd->search_key->ext.cnid ||
+168 fd->key->ext.fork_type != fd->search_key->ext.fork_type)
+169 return -ENOENT;
+170 if (fd->entrylength != sizeof(hfsplus_extent_rec))
+171 return -EIO;
+172 hfs_bnode_read(fd->bnode, extent, fd->entryoffset,
+
+The __hfsplus_ext_cache_extent() calls __hfsplus_ext_read_extent():
+
+res = __hfsplus_ext_read_extent(fd, hip->cached_extents, inode->i_ino,
+ block, HFSPLUS_IS_RSRC(inode) ?
+ HFSPLUS_TYPE_RSRC :
+ HFSPLUS_TYPE_DATA);
+
+And if inode->i_ino could be equal to zero or any non-available CNID,
+then hfs_brec_find() could not find the record in the tree. As a result,
+fd->key could be compared with fd->search_key. But hfsplus_find_init()
+uses kmalloc() for fd->key and fd->search_key allocation:
+
+int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+{
+<skipped>
+ ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+ fd->key = ptr + tree->max_key_len + 2;
+<skipped>
+}
+
+Finally, fd->key is still not initialized if hfs_brec_find()
+has found nothing.
+
+This patch changes kmalloc() on kzalloc() in hfs_find_init()
+and intializes fd->record, fd->keyoffset, fd->keylength,
+fd->entryoffset, fd->entrylength for the case if hfs_brec_find()
+has been found nothing in the b-tree node.
+
+Reported-by: syzbot <syzbot+55ad87f38795d6787521@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=55ad87f38795d6787521
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250818225232.126402-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/bfind.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c
+index 901e83d65d202..26ebac4c60424 100644
+--- a/fs/hfsplus/bfind.c
++++ b/fs/hfsplus/bfind.c
+@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+
+ fd->tree = tree;
+ fd->bnode = NULL;
+- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+@@ -158,6 +158,12 @@ int hfs_brec_find(struct hfs_find_data *fd, search_strategy_t do_key_compare)
+ __be32 data;
+ int height, res;
+
++ fd->record = -1;
++ fd->keyoffset = -1;
++ fd->keylength = -1;
++ fd->entryoffset = -1;
++ fd->entrylength = -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
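Review bot: The five `-1` sentinels carry no comment, and the reason for them is subtle: after this patch's kzalloc() a failed hfs_brec_find() leaves `fd->key` all-zero, so a caller whose search key also holds zero fields (the `ext.cnid == 0` case in the commit message) passes the key comparison and is only stopped by its `fd->entrylength != sizeof(...)` check, which works because entrylength is now -1. Suggest above `fd->record = -1;`: `/* Reset record geometry first: if nothing is found, callers comparing fd->key (zeroed) with fd->search_key must still see an invalid keylength/entrylength. */` If any of these fields is an unsigned type, -1 becomes its maximum value, which the callers' `!=` checks still reject, but that should be confirmed against struct hfs_find_data. hfs_brec_find() continues outside the hunk.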
+--
+2.51.0
+
--- /dev/null
+From 47c7c45273bbe3ee9fd67dfc36ab2787559b7437 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Aug 2025 15:51:04 -0700
+Subject: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 9b3d15a758910bb98ba8feb4109d99cc67450ee4 ]
+
+The syzbot reported issue in hfsplus_delete_cat():
+
+[ 70.682285][ T9333] =====================================================
+[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0
+[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310
+[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810
+[ 70.685447][ T9333] do_rmdir+0x964/0xea0
+[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0
+[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0
+[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.687646][ T9333]
+[ 70.687856][ T9333] Uninit was stored to memory at:
+[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
+[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800
+[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600
+[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70
+[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0
+[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30
+[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0
+[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0
+[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.692773][ T9333]
+[ 70.692990][ T9333] Uninit was stored to memory at:
+[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
+[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800
+[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700
+[ 70.694911][ T9333] mount_bdev+0x37b/0x530
+[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60
+[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0
+[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0
+[ 70.696588][ T9333] do_new_mount+0x73e/0x1630
+[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0
+[ 70.697425][ T9333] __se_sys_mount+0x733/0x830
+[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150
+[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0
+[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.699730][ T9333]
+[ 70.699946][ T9333] Uninit was created at:
+[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60
+[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0
+[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0
+[ 70.701774][ T9333] allocate_slab+0x30e/0x1390
+[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0
+[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20
+[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0
+[ 70.703598][ T9333] alloc_inode+0x82/0x490
+[ 70.703984][ T9333] iget_locked+0x22e/0x1320
+[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0
+[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0
+[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700
+[ 70.705776][ T9333] mount_bdev+0x37b/0x530
+[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60
+[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0
+[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0
+[ 70.707444][ T9333] do_new_mount+0x73e/0x1630
+[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0
+[ 70.708270][ T9333] __se_sys_mount+0x733/0x830
+[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150
+[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0
+[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.710611][ T9333]
+[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17
+[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.712490][ T9333] =====================================================
+[ 70.713085][ T9333] Disabling lock debugging due to kernel taint
+[ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...
+[ 70.714159][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Tainted: G B 6.12.0-rc6-dirty #17
+[ 70.715007][ T9333] Tainted: [B]=BAD_PAGE
+[ 70.715365][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.716311][ T9333] Call Trace:
+[ 70.716621][ T9333] <TASK>
+[ 70.716899][ T9333] dump_stack_lvl+0x1fd/0x2b0
+[ 70.717350][ T9333] dump_stack+0x1e/0x30
+[ 70.717743][ T9333] panic+0x502/0xca0
+[ 70.718116][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.718611][ T9333] kmsan_report+0x296/0x2a0
+[ 70.719038][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.719859][ T9333] ? __msan_warning+0x96/0x120
+[ 70.720345][ T9333] ? hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.720881][ T9333] ? hfsplus_delete_cat+0x105d/0x12b0
+[ 70.721412][ T9333] ? hfsplus_rmdir+0x13d/0x310
+[ 70.721880][ T9333] ? vfs_rmdir+0x5ba/0x810
+[ 70.722458][ T9333] ? do_rmdir+0x964/0xea0
+[ 70.722883][ T9333] ? __x64_sys_rmdir+0x71/0xb0
+[ 70.723397][ T9333] ? x64_sys_call+0xcd8/0x3cf0
+[ 70.723915][ T9333] ? do_syscall_64+0xd9/0x1d0
+[ 70.724454][ T9333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.725110][ T9333] ? vprintk_emit+0xd1f/0xe60
+[ 70.725616][ T9333] ? vprintk_default+0x3f/0x50
+[ 70.726175][ T9333] ? vprintk+0xce/0xd0
+[ 70.726628][ T9333] ? _printk+0x17e/0x1b0
+[ 70.727129][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.727739][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.728324][ T9333] __msan_warning+0x96/0x120
+[ 70.728854][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.729479][ T9333] hfsplus_delete_cat+0x105d/0x12b0
+[ 70.729984][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.730646][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.731296][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.731863][ T9333] hfsplus_rmdir+0x13d/0x310
+[ 70.732390][ T9333] ? __pfx_hfsplus_rmdir+0x10/0x10
+[ 70.732919][ T9333] vfs_rmdir+0x5ba/0x810
+[ 70.733416][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.734044][ T9333] do_rmdir+0x964/0xea0
+[ 70.734537][ T9333] __x64_sys_rmdir+0x71/0xb0
+[ 70.735032][ T9333] x64_sys_call+0xcd8/0x3cf0
+[ 70.735579][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.736092][ T9333] ? irqentry_exit+0x16/0x60
+[ 70.736637][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.737269][ T9333] RIP: 0033:0x7fa9424eafc9
+[ 70.737775][ T9333] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
+[ 70.739844][ T9333] RSP: 002b:00007fff099cd8d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000054
+[ 70.740760][ T9333] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa9424eafc9
+[ 70.741642][ T9333] RDX: 006c6f72746e6f63 RSI: 000000000000000a RDI: 0000000020000100
+[ 70.742543][ T9333] RBP: 00007fff099cd8e0 R08: 00007fff099cd910 R09: 00007fff099cd910
+[ 70.743376][ T9333] R10: 0000000000000000 R11: 0000000000000202 R12: 0000565430642260
+[ 70.744247][ T9333] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 70.745082][ T9333] </TASK>
+
+The main reason of the issue that struct hfsplus_inode_info
+has not been properly initialized for the case of root folder.
+In the case of root folder, hfsplus_fill_super() calls
+the hfsplus_iget() that implements only partial initialization of
+struct hfsplus_inode_info and subfolders field is not
+initialized by hfsplus_iget() logic.
+
+This patch implements complete initialization of
+struct hfsplus_inode_info in the hfsplus_iget() logic with
+the goal to prevent likewise issues for the case of
+root folder.
+
+Reported-by: syzbot <syzbot+fdedff847a0e5e84c39f@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=fdedff847a0e5e84c39f
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250825225103.326401-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/super.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 392edb60edd07..16cf5e1c685bf 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -67,13 +67,26 @@ struct inode *hfsplus_iget(struct super_block *sb, unsigned long ino)
+ if (!(inode->i_state & I_NEW))
+ return inode;
+
+- INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
+- spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
+- mutex_init(&HFSPLUS_I(inode)->extents_lock);
+- HFSPLUS_I(inode)->flags = 0;
++ atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->first_blocks = 0;
++ HFSPLUS_I(inode)->clump_blocks = 0;
++ HFSPLUS_I(inode)->alloc_blocks = 0;
++ HFSPLUS_I(inode)->cached_start = U32_MAX;
++ HFSPLUS_I(inode)->cached_blocks = 0;
++ memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(hfsplus_extent_rec));
++ memset(HFSPLUS_I(inode)->cached_extents, 0, sizeof(hfsplus_extent_rec));
+ HFSPLUS_I(inode)->extent_state = 0;
++ mutex_init(&HFSPLUS_I(inode)->extents_lock);
+ HFSPLUS_I(inode)->rsrc_inode = NULL;
+- atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->create_date = 0;
++ HFSPLUS_I(inode)->linkid = 0;
++ HFSPLUS_I(inode)->flags = 0;
++ HFSPLUS_I(inode)->fs_blocks = 0;
++ HFSPLUS_I(inode)->userflags = 0;
++ HFSPLUS_I(inode)->subfolders = 0;
++ INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
++ spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
++ HFSPLUS_I(inode)->phys_size = 0;
+
+ if (inode->i_ino >= HFSPLUS_FIRSTUSER_CNID ||
+ inode->i_ino == HFSPLUS_ROOT_CNID) {
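Review bot: `memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(hfsplus_extent_rec));` and the cached_extents line below it size the clear by a type name rather than by the object; `sizeof(HFSPLUS_I(inode)->first_extents)` ties the length to the field and survives a change of the array's type. The field-by-field list is also the pattern that failed before (a struct member not covered here stayed uninitialized), so a comment at the top of the block is worth adding: `/* The inode slab object is not zeroed: every hfsplus_inode_info field must be initialized here. Keep in sync with the struct. */` — the KMSAN report in the commit message traces the uninit to the slab allocation, but whether the cache constructor initializes anything beyond vfs_inode should be confirmed. hfsplus_iget() starts and ends outside the hunk.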
+--
+2.51.0
+
--- /dev/null
+From edaf2c373746c00aa2e2124b48e6fab958b2547b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Aug 2025 10:58:59 -0600
+Subject: hfsplus: return EIO when type of hidden directory mismatch in
+ hfsplus_fill_super()
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit 9282bc905f0949fab8cf86c0f620ca988761254c ]
+
+If Catalog File contains corrupted record for the case of
+hidden directory's type, regard it as I/O error instead of
+Invalid argument.
+
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250805165905.3390154-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 16cf5e1c685bf..cb703b3e99fc2 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -538,7 +538,7 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent)
+ if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ hfs_find_exit(&fd);
+ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
+- err = -EINVAL;
++ err = -EIO;
+ goto out_put_root;
+ }
+ inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
+--
+2.51.0
+
--- /dev/null
+From ce93bd51b8fa3c664d4fac6e63e9f9f3dd2dee43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Sep 2025 17:16:13 +0200
+Subject: m68k: bitops: Fix find_*_bit() signatures
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit 6d5674090543b89aac0c177d67e5fb32ddc53804 ]
+
+The function signatures of the m68k-optimized implementations of the
+find_{first,next}_{,zero_}bit() helpers do not match the generic
+variants.
+
+Fix this by changing all non-pointer inputs and outputs to "unsigned
+long", and updating a few local variables.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202509092305.ncd9mzaZ-lkp@intel.com/
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Acked-by: "Yury Norov (NVIDIA)" <yury.norov@gmail.com>
+Link: https://patch.msgid.link/de6919554fbb4cd1427155c6bafbac8a9df822c8.1757517135.git.geert@linux-m68k.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/bitops.h | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/arch/m68k/include/asm/bitops.h b/arch/m68k/include/asm/bitops.h
+index 7b414099e5fc2..cca33f8ba0f67 100644
+--- a/arch/m68k/include/asm/bitops.h
++++ b/arch/m68k/include/asm/bitops.h
+@@ -314,12 +314,12 @@ static inline int bfchg_mem_test_and_change_bit(int nr,
+ #include <asm-generic/bitops/ffz.h>
+ #else
+
+-static inline int find_first_zero_bit(const unsigned long *vaddr,
+- unsigned size)
++static inline unsigned long find_first_zero_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -340,8 +340,9 @@ static inline int find_first_zero_bit(const unsigned long *vaddr,
+ }
+ #define find_first_zero_bit find_first_zero_bit
+
+-static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_zero_bit(const unsigned long *vaddr,
++ unsigned long size,
++ unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
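Review bot: `int bit = offset & 31UL, res;` keeps `res` as `int` although find_next_zero_bit() now returns `unsigned long`, and the same line is left unchanged in find_next_bit() in the last hunk (`@@ -395,8 +397,9 @@`); the find_first_* variants in this series were switched to `unsigned long res`, so the two pairs are now inconsistent. Unless `res` is deliberately signed for the remainder of the body, `unsigned long bit = offset & 31UL, res;` would match the new signature and avoid an implicit sign conversion on return. Both function bodies continue outside the hunks, so this should be checked against how `res` is computed there.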
+@@ -370,11 +371,12 @@ static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+ }
+ #define find_next_zero_bit find_next_zero_bit
+
+-static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
++static inline unsigned long find_first_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -395,8 +397,9 @@ static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
+ }
+ #define find_first_bit find_first_bit
+
+-static inline int find_next_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_bit(const unsigned long *vaddr,
++ unsigned long size,
++ unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
+--
+2.51.0
+
--- /dev/null
+From 5dc771e2e57340f5fabe03e22a15fb9ae7a03511 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:37:07 +0200
+Subject: nios2: ensure that memblock.current_limit is set when setting pfn
+ limits
+
+From: Simon Schuster <schuster.simon@siemens-energy.com>
+
+[ Upstream commit a20b83cf45be2057f3d073506779e52c7fa17f94 ]
+
+On nios2, with CONFIG_FLATMEM set, the kernel relies on
+memblock_get_current_limit() to determine the limits of mem_map, in
+particular for max_low_pfn.
+Unfortunately, memblock.current_limit is only default initialized to
+MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading
+to situations where max_low_pfn can erroneously exceed the value of
+max_pfn and, thus, the valid range of available DRAM.
+
+This can in turn cause kernel-level paging failures, e.g.:
+
+[ 76.900000] Unable to handle kernel paging request at virtual address 20303000
+[ 76.900000] ea = c0080890, ra = c000462c, cause = 14
+[ 76.900000] Kernel panic - not syncing: Oops
+[ 76.900000] ---[ end Kernel panic - not syncing: Oops ]---
+
+This patch fixes this by pre-calculating memblock.current_limit
+based on the upper limits of the available memory ranges via
+adjust_lowmem_bounds, a simplified version of the equivalent
+implementation within the arm architecture.
+
+Signed-off-by: Simon Schuster <schuster.simon@siemens-energy.com>
+Signed-off-by: Andreas Oetken <andreas.oetken@siemens-energy.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/nios2/kernel/setup.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/arch/nios2/kernel/setup.c b/arch/nios2/kernel/setup.c
+index 40bc8fb75e0b5..e2fc4b59d93ea 100644
+--- a/arch/nios2/kernel/setup.c
++++ b/arch/nios2/kernel/setup.c
+@@ -147,6 +147,20 @@ static void __init find_limits(unsigned long *min, unsigned long *max_low,
+ *max_high = PFN_DOWN(memblock_end_of_DRAM());
+ }
+
++static void __init adjust_lowmem_bounds(void)
++{
++ phys_addr_t block_start, block_end;
++ u64 i;
++ phys_addr_t memblock_limit = 0;
++
++ for_each_mem_range(i, &block_start, &block_end) {
++ if (block_end > memblock_limit)
++ memblock_limit = block_end;
++ }
++
++ memblock_set_current_limit(memblock_limit);
++}
++
+ void __init setup_arch(char **cmdline_p)
+ {
+ console_verbose();
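Review bot: adjust_lowmem_bounds() has no comment, and the reason it must run before find_limits() lives only in the commit message. Suggest above `static void __init adjust_lowmem_bounds(void)`: `/* memblock.current_limit is still MEMBLOCK_ALLOC_ANYWHERE here and find_limits() derives max_low_pfn from it; clamp it to the top of the highest memory range first. */` With no memory ranges at all, `memblock_limit` stays 0 and is installed as the limit; if that state is unreachable on nios2 a one-line note saying so would help, otherwise it deserves an explicit check. The call site is in the next hunk (`@@ -160,6 +174,7 @@`).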
+@@ -160,6 +174,7 @@ void __init setup_arch(char **cmdline_p)
+ /* Keep a copy of command line */
+ *cmdline_p = boot_command_line;
+
++ adjust_lowmem_bounds();
+ find_limits(&min_low_pfn, &max_low_pfn, &max_pfn);
+ max_mapnr = max_low_pfn;
+
+--
+2.51.0
+
hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch
pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch
revert-perf-test-don-t-leak-workload-gopipe-in-perf_record_.patch
+exec-fix-incorrect-type-for-ret.patch
+nios2-ensure-that-memblock.current_limit-is-set-when.patch
+hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
+hfs-make-proper-initalization-of-struct-hfs_find_dat.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch
+hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch
+dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch
+hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch
+hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
+m68k-bitops-fix-find_-_bit-signatures.patch
--- /dev/null
+From 9a203405f8f9ff91ed83026e7fe312002116f2ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 11:21:52 -0400
+Subject: dlm: check for defined force value in dlm_lockspace_release
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 6af515c9f3ccec3eb8a262ca86bef2c499d07951 ]
+
+Force values over 3 are undefined, so don't treat them as 3.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index c689359ca532b..9030e0e5927cb 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -793,7 +793,7 @@ static int release_lockspace(struct dlm_ls *ls, int force)
+
+ dlm_device_deregister(ls);
+
+- if (force < 3 && dlm_user_daemon_available())
++ if (force != 3 && dlm_user_daemon_available())
+ do_uevent(ls, 0);
+
+ dlm_recoverd_stop(ls);
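Review bot: Nothing at this site records why `force != 3` replaced `force < 3`, so a later reader will likely see the undefined values (> 3) taking the same path as 0–2 and "fix" it back. A short comment on the condition would preserve the intent, e.g. `/* only force == 3 skips the uevent; values above 3 are undefined and must not be treated as 3 */`. Validating `force` where it is supplied, with -EINVAL for undefined values, would be the more robust follow-up if that boundary permits it; release_lockspace() starts outside the hunk, so whether such a check already exists is not visible.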
+--
+2.51.0
+
--- /dev/null
+From 8ac80cf4ed6fd19ecbd0ac375a6407584d274492 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Aug 2025 15:36:09 +0800
+Subject: exec: Fix incorrect type for ret
+
+From: Xichao Zhao <zhao.xichao@vivo.com>
+
+[ Upstream commit 5e088248375d171b80c643051e77ade6b97bc386 ]
+
+In the setup_arg_pages(), ret is declared as an unsigned long.
+The ret might take a negative value. Therefore, its type should
+be changed to int.
+
+Signed-off-by: Xichao Zhao <zhao.xichao@vivo.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20250825073609.219855-1-zhao.xichao@vivo.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 5dffc67745c80..5aa0d9ec7f21b 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -701,7 +701,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ unsigned long stack_top,
+ int executable_stack)
+ {
+- unsigned long ret;
++ int ret;
+ unsigned long stack_shift;
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma = bprm->vma;
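Review bot: `int ret;` narrows a variable that the rest of setup_arg_pages() (outside the hunk) assigns, so every store into `ret` should come from an int-returning call; an `unsigned long` address or size assigned to it would now truncate silently rather than merely being mis-signed. If such an assignment exists, the fix belongs at that assignment rather than in this declaration; compiling the file with `-Wconversion` would surface any such site quickly.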
+--
+2.51.0
+
--- /dev/null
+From d0ffb9bb0a9ccf295ff1d52b2fb438914d5cd046 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 12:49:19 -0700
+Subject: hfs: clear offset and space out of valid records in b-tree node
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 18b07c44f245beb03588b00b212b38fce9af7cc9 ]
+
+Currently, hfs_brec_remove() executes moving records
+towards the location of deleted record and it updates
+offsets of moved records. However, the hfs_brec_remove()
+logic ignores the "mess" of b-tree node's free space and
+it doesn't touch the offsets out of records number.
+Potentially, it could confuse fsck or driver logic or
+to be a reason of potential corruption cases.
+
+This patch reworks the logic of hfs_brec_remove() by clearing
+the freed space of the b-tree node after the records have been
+moved. It also clears the last offset, which kept the old
+location of the free space, because after the record deletion
+the offset before it now holds the actual offset of the free
+space.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250815194918.38165-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/brec.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
+index 896396554bcc1..b01db1fae147c 100644
+--- a/fs/hfs/brec.c
++++ b/fs/hfs/brec.c
+@@ -179,6 +179,7 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ struct hfs_btree *tree;
+ struct hfs_bnode *node, *parent;
+ int end_off, rec_off, data_off, size;
++ int src, dst, len;
+
+ tree = fd->tree;
+ node = fd->bnode;
+@@ -208,10 +209,14 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ }
+ hfs_bnode_write_u16(node, offsetof(struct hfs_bnode_desc, num_recs), node->num_recs);
+
+- if (rec_off == end_off)
+- goto skip;
+ size = fd->keylength + fd->entrylength;
+
++ if (rec_off == end_off) {
++ src = fd->keyoffset;
++ hfs_bnode_clear(node, src, size);
++ goto skip;
++ }
++
+ do {
+ data_off = hfs_bnode_read_u16(node, rec_off);
+ hfs_bnode_write_u16(node, rec_off + 2, data_off - size);
+@@ -219,9 +224,23 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ } while (rec_off >= end_off);
+
+ /* fill hole */
+- hfs_bnode_move(node, fd->keyoffset, fd->keyoffset + size,
+- data_off - fd->keyoffset - size);
++ dst = fd->keyoffset;
++ src = fd->keyoffset + size;
++ len = data_off - src;
++
++ hfs_bnode_move(node, dst, src, len);
++
++ src = dst + len;
++ len = data_off - src;
++
++ hfs_bnode_clear(node, src, len);
++
+ skip:
++ /*
++ * Remove the obsolete offset to free space.
++ */
++ hfs_bnode_write_u16(node, end_off, 0);
++
+ hfs_bnode_dump(node);
+ if (!fd->record)
+ hfs_brec_update_parent(fd);
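Review bot: `data_off` in this hunk is read from the on-disk node, so `len = data_off - src` can be negative on a corrupted volume (data_off below keyoffset + size), and both `hfs_bnode_move` and the newly added `hfs_bnode_clear` then receive a negative length; the move had this exposure before, but the patch adds a second consumer without a guard. Whether the bnode helpers reject a negative length is not visible here, so a check before the move, `if (len < 0) return -EIO;` (hfs_brec_remove() returns int, though node consistency at that point would need care since num_recs is already decremented), is worth considering. Reusing `src`/`len` for two different regions also makes the arithmetic hard to follow; a second pair such as `tail_off`/`tail_len` for the cleared range would read better.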
+--
+2.51.0
+
--- /dev/null
+From a88e7f33c5bec05bd66c50bdad2d4635f97522e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Aug 2025 16:06:38 -0700
+Subject: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd ]
+
+The syzbot reported issue in hfs_find_set_zero_bits():
+
+=====================================================
+BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
+ hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
+ hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151
+ hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408
+ hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353
+ __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151
+ block_write_begin fs/buffer.c:2262 [inline]
+ cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601
+ hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
+ cont_expand_zero fs/buffer.c:2528 [inline]
+ cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591
+ hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
+ hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494
+ hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654
+ notify_change+0x1993/0x1aa0 fs/attr.c:552
+ do_truncate+0x28f/0x310 fs/open.c:68
+ do_ftruncate+0x698/0x730 fs/open.c:195
+ do_sys_ftruncate fs/open.c:210 [inline]
+ __do_sys_ftruncate fs/open.c:215 [inline]
+ __se_sys_ftruncate fs/open.c:213 [inline]
+ __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213
+ x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:4154 [inline]
+ slab_alloc_node mm/slub.c:4197 [inline]
+ __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354
+ kmalloc_noprof include/linux/slab.h:905 [inline]
+ hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175
+ hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337
+ get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681
+ get_tree_bdev+0x38/0x50 fs/super.c:1704
+ hfs_get_tree+0x35/0x40 fs/hfs/super.c:388
+ vfs_get_tree+0xb0/0x5c0 fs/super.c:1804
+ do_new_mount+0x738/0x1610 fs/namespace.c:3902
+ path_mount+0x6db/0x1e90 fs/namespace.c:4226
+ do_mount fs/namespace.c:4239 [inline]
+ __do_sys_mount fs/namespace.c:4450 [inline]
+ __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427
+ __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427
+ x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
+=====================================================
+
+The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():
+
+HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
+
+Finally, it can trigger the reported issue because kmalloc()
+doesn't clear the allocated memory. If allocated memory contains
+only zeros, then everything will work pretty fine.
+But if the allocated memory contains the "garbage", then
+it can affect the bitmap operations and it triggers
+the reported issue.
+
+This patch simply replaces kmalloc() with kzalloc(), with the goal
+of guaranteeing the correctness of bitmap operations, because a
+newly created allocation bitmap should have all available blocks
+free. Potentially, the read of the allocation bitmap during
+initialization could fail to fill the whole allocated buffer, and
+"garbage" in the uninitialized memory would then cause volume
+corruption and file system driver bugs.
+
+Reported-by: syzbot <syzbot+773fa9d79b29bd8b6831@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=773fa9d79b29bd8b6831
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250820230636.179085-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/mdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
+index 460281b1299eb..8036445672c5f 100644
+--- a/fs/hfs/mdb.c
++++ b/fs/hfs/mdb.c
+@@ -166,7 +166,7 @@ int hfs_mdb_get(struct super_block *sb)
+ pr_warn("continuing without an alternate MDB\n");
+ }
+
+- HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
++ HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL);
+ if (!HFS_SB(sb)->bitmap)
+ goto out;
+
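Review bot: Zero-filling the bitmap changes the failure mode rather than removing it: in an allocation bitmap a zero bit means "free", so if the read that follows this hunk fills only part of the 8192 bytes, the unfilled tail now marks in-use blocks as allocatable instead of holding random garbage, which can silently hand out blocks already owned by files. The read path should therefore fail hfs_mdb_get() when it cannot fill the whole buffer rather than continue with zeros; that check is outside the hunk and may already exist. A comment on the allocation would make the dependency explicit: `/* zero == free: the bitmap read below must fill the whole buffer */`.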
+--
+2.51.0
+
--- /dev/null
+From 645bcf275469dac095dd204a14795953b8c70ab8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 15:52:52 -0700
+Subject: hfs: make proper initalization of struct hfs_find_data
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit c62663a986acee7c4485c1fa9de5fc40194b6290 ]
+
+Potenatially, __hfs_ext_read_extent() could operate by
+not initialized values of fd->key after hfs_brec_find() call:
+
+static inline int __hfs_ext_read_extent(struct hfs_find_data *fd, struct hfs_extent *extent,
+ u32 cnid, u32 block, u8 type)
+{
+ int res;
+
+ hfs_ext_build_key(fd->search_key, cnid, block, type);
+ fd->key->ext.FNum = 0;
+ res = hfs_brec_find(fd);
+ if (res && res != -ENOENT)
+ return res;
+ if (fd->key->ext.FNum != fd->search_key->ext.FNum ||
+ fd->key->ext.FkType != fd->search_key->ext.FkType)
+ return -ENOENT;
+ if (fd->entrylength != sizeof(hfs_extent_rec))
+ return -EIO;
+ hfs_bnode_read(fd->bnode, extent, fd->entryoffset, sizeof(hfs_extent_rec));
+ return 0;
+}
+
+This patch replaces kmalloc() with kzalloc() in hfs_find_init()
+and initializes fd->record, fd->keyoffset, fd->keylength,
+fd->entryoffset and fd->entrylength for the case where
+hfs_brec_find() finds nothing in the b-tree node.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250818225252.126427-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/bfind.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c
+index ef9498a6e88ac..6d37b4c759034 100644
+--- a/fs/hfs/bfind.c
++++ b/fs/hfs/bfind.c
+@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+
+ fd->tree = tree;
+ fd->bnode = NULL;
+- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+@@ -112,6 +112,12 @@ int hfs_brec_find(struct hfs_find_data *fd)
+ __be32 data;
+ int height, res;
+
++ fd->record = -1;
++ fd->keyoffset = -1;
++ fd->keylength = -1;
++ fd->entryoffset = -1;
++ fd->entrylength = -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
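Review bot: The five `-1` assignments at the top of hfs_brec_find() are now what callers rely on after a miss — in particular `fd->entrylength != sizeof(hfs_extent_rec)` turning a stale hit into -EIO — but nothing in the hunk says so; a comment such as `/* Invalidate the previous result: after -ENOENT callers must treat -1 as "no record". */` would keep that contract visible. Note that kzalloc() in hfs_find_init() only covers the first search: a reused `fd` keeps `fd->key` from the previous successful lookup, so callers comparing `fd->key` with `fd->search_key` after a miss still see stale data unless they reset the fields they compare (the quoted __hfs_ext_read_extent resets FNum but not FkType, so it depends on the sentinels). The rest of hfs_brec_find() is outside the hunk.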
+--
+2.51.0
+
--- /dev/null
+From 2127c4e0953600fc49352e812566b6dadd610b8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 22:17:34 +0800
+Subject: hfs: validate record offset in hfsplus_bmap_alloc
+
+From: Yang Chenzhi <yang.chenzhi@vivo.com>
+
+[ Upstream commit 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 ]
+
+hfsplus_bmap_alloc can trigger a crash if a
+record offset or length is larger than node_size
+
+[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0
+[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183
+[ 15.265949]
+[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)
+[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 15.266167] Call Trace:
+[ 15.266168] <TASK>
+[ 15.266169] dump_stack_lvl+0x53/0x70
+[ 15.266173] print_report+0xd0/0x660
+[ 15.266181] kasan_report+0xce/0x100
+[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0
+[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0
+[ 15.266217] hfsplus_brec_insert+0x870/0xb00
+[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570
+[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910
+[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200
+[ 15.266233] hfsplus_file_extend+0x5a7/0x1000
+[ 15.266237] hfsplus_get_block+0x12b/0x8c0
+[ 15.266238] __block_write_begin_int+0x36b/0x12c0
+[ 15.266251] block_write_begin+0x77/0x110
+[ 15.266252] cont_write_begin+0x428/0x720
+[ 15.266259] hfsplus_write_begin+0x51/0x100
+[ 15.266262] cont_write_begin+0x272/0x720
+[ 15.266270] hfsplus_write_begin+0x51/0x100
+[ 15.266274] generic_perform_write+0x321/0x750
+[ 15.266285] generic_file_write_iter+0xc3/0x310
+[ 15.266289] __kernel_write_iter+0x2fd/0x800
+[ 15.266296] dump_user_range+0x2ea/0x910
+[ 15.266301] elf_core_dump+0x2a94/0x2ed0
+[ 15.266320] vfs_coredump+0x1d85/0x45e0
+[ 15.266349] get_signal+0x12e3/0x1990
+[ 15.266357] arch_do_signal_or_restart+0x89/0x580
+[ 15.266362] irqentry_exit_to_user_mode+0xab/0x110
+[ 15.266364] asm_exc_page_fault+0x26/0x30
+[ 15.266366] RIP: 0033:0x41bd35
+[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f
+[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283
+[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000
+[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100
+[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000
+[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000
+[ 15.266376] </TASK>
+
+When calling hfsplus_bmap_alloc to allocate a free node, this function
+first retrieves the bitmap from header node and map node using node->page
+together with the offset and length from hfs_brec_lenoff
+
+```
+len = hfs_brec_lenoff(node, 2, &off16);
+off = off16;
+
+off += node->page_offset;
+pagep = node->page + (off >> PAGE_SHIFT);
+data = kmap_local_page(*pagep);
+```
+
+However, if the retrieved offset or length is invalid (i.e. exceeds
+node_size), the code may end up accessing pages outside the allocated
+range for this node.
+
+This patch adds proper validation of both offset and length before use,
+preventing out-of-bounds page access. Move is_bnode_offset_valid and
+check_and_correct_requested_length to hfsplus_fs.h, as they may be
+required by other functions.
+
+Reported-by: syzbot+356aed408415a56543cd@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67bcb4a6.050a0220.bbfd1.008f.GAE@google.com/
+Signed-off-by: Yang Chenzhi <yang.chenzhi@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250818141734.8559-2-yang.chenzhi@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/bnode.c | 41 ----------------------------------------
+ fs/hfsplus/btree.c | 6 ++++++
+ fs/hfsplus/hfsplus_fs.h | 42 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 48 insertions(+), 41 deletions(-)
+
+diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
+index c9c38fddf505b..e566cea238279 100644
+--- a/fs/hfsplus/bnode.c
++++ b/fs/hfsplus/bnode.c
+@@ -18,47 +18,6 @@
+ #include "hfsplus_fs.h"
+ #include "hfsplus_raw.h"
+
+-static inline
+-bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
+-{
+- bool is_valid = off < node->tree->node_size;
+-
+- if (!is_valid) {
+- pr_err("requested invalid offset: "
+- "NODE: id %u, type %#x, height %u, "
+- "node_size %u, offset %d\n",
+- node->this, node->type, node->height,
+- node->tree->node_size, off);
+- }
+-
+- return is_valid;
+-}
+-
+-static inline
+-int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
+-{
+- unsigned int node_size;
+-
+- if (!is_bnode_offset_valid(node, off))
+- return 0;
+-
+- node_size = node->tree->node_size;
+-
+- if ((off + len) > node_size) {
+- int new_len = (int)node_size - off;
+-
+- pr_err("requested length has been corrected: "
+- "NODE: id %u, type %#x, height %u, "
+- "node_size %u, offset %d, "
+- "requested_len %d, corrected_len %d\n",
+- node->this, node->type, node->height,
+- node->tree->node_size, off, len, new_len);
+-
+- return new_len;
+- }
+-
+- return len;
+-}
+
+ /* Copy a specified range of bytes from the raw data of a node */
+ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
+diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
+index 66774f4cb4fd5..2211907537fec 100644
+--- a/fs/hfsplus/btree.c
++++ b/fs/hfsplus/btree.c
+@@ -392,6 +392,12 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
+ len = hfs_brec_lenoff(node, 2, &off16);
+ off = off16;
+
++ if (!is_bnode_offset_valid(node, off)) {
++ hfs_bnode_put(node);
++ return ERR_PTR(-EIO);
++ }
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ pagep = node->page + (off >> PAGE_SHIFT);
+ data = kmap(*pagep);
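Review bot: An over-long map record is clamped by check_and_correct_requested_length() and the allocation continues on a truncated bitmap, while an out-of-range offset from the same on-disk record is treated as corruption and returns -EIO; the length case deserves the same treatment, since a silently shortened bitmap can leave real map nodes unreachable: `if (len != check_and_correct_requested_length(node, off, len)) { hfs_bnode_put(node); return ERR_PTR(-EIO); }`. The loop over the bitmap pages that consumes `len` continues past the hunk and is not visible. The message says the helpers were moved because other functions may need them; a node-free counterpart using the same `hfs_brec_lenoff` plus page-index pattern would need the same guard if it exists.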
+diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
+index 86cfc147bf3d1..5355d1ff7a9b2 100644
+--- a/fs/hfsplus/hfsplus_fs.h
++++ b/fs/hfsplus/hfsplus_fs.h
+@@ -561,6 +561,48 @@ hfsplus_btree_lock_class(struct hfs_btree *tree)
+ return class;
+ }
+
++static inline
++bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
++{
++ bool is_valid = off < node->tree->node_size;
++
++ if (!is_valid) {
++ pr_err("requested invalid offset: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off);
++ }
++
++ return is_valid;
++}
++
++static inline
++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
++{
++ unsigned int node_size;
++
++ if (!is_bnode_offset_valid(node, off))
++ return 0;
++
++ node_size = node->tree->node_size;
++
++ if ((off + len) > node_size) {
++ int new_len = (int)node_size - off;
++
++ pr_err("requested length has been corrected: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, "
++ "requested_len %d, corrected_len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len, new_len);
++
++ return new_len;
++ }
++
++ return len;
++}
++
+ /* compatibility */
+ #define hfsp_mt2ut(t) (struct timespec){ .tv_sec = __hfsp_mt2ut(t) }
+ #define hfsp_ut2mt(t) __hfsp_ut2mt((t).tv_sec)
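Review bot: `is_bnode_offset_valid()` compares the signed `off` with the unsigned `node_size`, so a negative offset is rejected only because it converts to a large unsigned value; `bool is_valid = off >= 0 && (unsigned int)off < node->tree->node_size;` states the intent and survives a future type change. Likewise `(off + len) > node_size` in check_and_correct_requested_length() converts a negative `len` into a huge unsigned sum and then "corrects" it to `node_size - off`, turning a corrupt negative length into a full-node access rather than an error; `if (len < 0) return 0;` before the comparison would be safer. Now that these helpers are visible to every hfsplus file, a comment above them stating the contract (a 0 return means "do not touch the node") would help callers use them correctly.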
+--
+2.51.0
+
--- /dev/null
+From 3daf5d69e92b3cc337c0f2bf55d9dbaf7857dbbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 15:52:32 -0700
+Subject: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 4840ceadef4290c56cc422f0fc697655f3cbf070 ]
+
+The syzbot reported issue in __hfsplus_ext_cache_extent():
+
+[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0
+[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.199771][ T9350] ksys_write+0x23e/0x490
+[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.202054][ T9350]
+[ 70.202279][ T9350] Uninit was created at:
+[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80
+[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0
+[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0
+[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.207961][ T9350] ksys_write+0x23e/0x490
+[ 70.208375][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.210230][ T9350]
+[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5
+[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.212115][ T9350] =====================================================
+[ 70.212734][ T9350] Disabling lock debugging due to kernel taint
+[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ...
+[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5
+[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE
+[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.215999][ T9350] Call Trace:
+[ 70.216309][ T9350] <TASK>
+[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0
+[ 70.217025][ T9350] dump_stack+0x1e/0x30
+[ 70.217421][ T9350] panic+0x502/0xca0
+[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+
+[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...
+ kernel
+:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+set ...
+[ 70.221254][ T9350] ? __msan_warning+0x96/0x120
+[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0
+[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0
+[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0
+[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950
+[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130
+[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060
+[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460
+[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0
+[ 70.228540][ T9350] ? vfs_write+0xb0f/0x14e0
+[ 70.228997][ T9350] ? ksys_write+0x23e/0x490
+[ 70.229458][ T9350] ? __x64_sys_write+0x97/0xf0
+[ 70.229939][ T9350] ? x64_sys_call+0x3015/0x3cf0
+[ 70.230432][ T9350] ? do_syscall_64+0xd9/0x1d0
+[ 70.230941][ T9350] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.231926][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.232738][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.233711][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.234516][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.235398][ T9350] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.236323][ T9350] ? hfsplus_brec_find+0x218/0x9f0
+[ 70.237090][ T9350] ? __pfx_hfs_find_rec_by_key+0x10/0x10
+[ 70.237938][ T9350] ? __msan_instrument_asm_store+0xbf/0xf0
+[ 70.238827][ T9350] ? __msan_metadata_ptr_for_store_4+0x27/0x40
+[ 70.239772][ T9350] ? __hfsplus_ext_write_extent+0x536/0x620
+[ 70.240666][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.241175][ T9350] __msan_warning+0x96/0x120
+[ 70.241645][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.242223][ T9350] hfsplus_file_extend+0x74f/0x1cf0
+[ 70.242748][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.243255][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.243878][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.244400][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.244967][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.245531][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10
+[ 70.246079][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.246598][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.247105][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10
+[ 70.247650][ T9350] ? __pfx_hfsplus_write_begin+0x10/0x10
+[ 70.248211][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.248752][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.249314][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.249856][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.250487][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.250930][ T9350] ? __pfx_generic_file_write_iter+0x10/0x10
+[ 70.251530][ T9350] ksys_write+0x23e/0x490
+[ 70.251974][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.252450][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.252924][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.253384][ T9350] ? irqentry_exit+0x16/0x60
+[ 70.253844][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.254430][ T9350] RIP: 0033:0x7f7a92adffc9
+[ 70.254873][ T9350] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
+[ 70.256674][ T9350] RSP: 002b:00007fff0bca3188 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
+[ 70.257485][ T9350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a92adffc9
+[ 70.258246][ T9350] RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000004
+[ 70.258998][ T9350] RBP: 00007fff0bca31a0 R08: 00007fff0bca31a0 R09: 00007fff0bca31a0
+[ 70.259769][ T9350] R10: 0000000000000000 R11: 0000000000000202 R12: 000055e0d75f8250
+[ 70.260520][ T9350] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 70.261286][ T9350] </TASK>
+[ 70.262026][ T9350] Kernel Offset: disabled
+
+(gdb) l *__hfsplus_ext_cache_extent+0x7d0
+0xffffffff8318aef0 is in __hfsplus_ext_cache_extent (fs/hfsplus/extents.c:168).
+163 fd->key->ext.cnid = 0;
+164 res = hfs_brec_find(fd, hfs_find_rec_by_key);
+165 if (res && res != -ENOENT)
+166 return res;
+167 if (fd->key->ext.cnid != fd->search_key->ext.cnid ||
+168 fd->key->ext.fork_type != fd->search_key->ext.fork_type)
+169 return -ENOENT;
+170 if (fd->entrylength != sizeof(hfsplus_extent_rec))
+171 return -EIO;
+172 hfs_bnode_read(fd->bnode, extent, fd->entryoffset,
+
+The __hfsplus_ext_cache_extent() calls __hfsplus_ext_read_extent():
+
+res = __hfsplus_ext_read_extent(fd, hip->cached_extents, inode->i_ino,
+ block, HFSPLUS_IS_RSRC(inode) ?
+ HFSPLUS_TYPE_RSRC :
+ HFSPLUS_TYPE_DATA);
+
+And if inode->i_ino could be equal to zero or any non-available CNID,
+then hfs_brec_find() could not find the record in the tree. As a result,
+fd->key could be compared with fd->search_key. But hfsplus_find_init()
+uses kmalloc() for fd->key and fd->search_key allocation:
+
+int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+{
+<skipped>
+ ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+ fd->key = ptr + tree->max_key_len + 2;
+<skipped>
+}
+
+Finally, fd->key is still not initialized if hfs_brec_find()
+has found nothing.
+
+This patch replaces kmalloc() with kzalloc() in hfs_find_init()
+and initializes fd->record, fd->keyoffset, fd->keylength,
+fd->entryoffset and fd->entrylength for the case where
+hfs_brec_find() finds nothing in the b-tree node.
+
+Reported-by: syzbot <syzbot+55ad87f38795d6787521@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=55ad87f38795d6787521
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250818225232.126402-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/bfind.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c
+index 901e83d65d202..26ebac4c60424 100644
+--- a/fs/hfsplus/bfind.c
++++ b/fs/hfsplus/bfind.c
+@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+
+ fd->tree = tree;
+ fd->bnode = NULL;
+- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+@@ -158,6 +158,12 @@ int hfs_brec_find(struct hfs_find_data *fd, search_strategy_t do_key_compare)
+ __be32 data;
+ int height, res;
+
++ fd->record = -1;
++ fd->keyoffset = -1;
++ fd->keylength = -1;
++ fd->entryoffset = -1;
++ fd->entrylength = -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
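Review bot: The sentinel block at the start of hfs_brec_find() carries the guarantee the quoted __hfsplus_ext_read_extent() now depends on (`fd->entrylength != sizeof(hfsplus_extent_rec)` yielding -EIO after a miss), yet it has no comment; `/* Reset the result fields so a miss cannot expose the previous lookup; -1 means "no record". */` would document it. The kzalloc() change only zeroes `fd->key` once: a reused `fd` still holds the key of the last successful search, and the caller shown resets `ext.cnid` but not `ext.fork_type`, so the comparison at the quoted line 168 can still match stale data when the search cnid is 0 and only the sentinels prevent a bad read. Other callers that compare `fd->key` after -ENOENT are outside this view and are worth auditing for the same pattern.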
+--
+2.51.0
+
--- /dev/null
+From 9b833eef6c8aab8c9a9145c8c90a9054fc77eadb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Aug 2025 15:51:04 -0700
+Subject: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 9b3d15a758910bb98ba8feb4109d99cc67450ee4 ]
+
+The syzbot reported issue in hfsplus_delete_cat():
+
+[ 70.682285][ T9333] =====================================================
+[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0
+[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310
+[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810
+[ 70.685447][ T9333] do_rmdir+0x964/0xea0
+[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0
+[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0
+[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.687646][ T9333]
+[ 70.687856][ T9333] Uninit was stored to memory at:
+[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
+[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800
+[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600
+[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70
+[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0
+[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30
+[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0
+[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0
+[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.692773][ T9333]
+[ 70.692990][ T9333] Uninit was stored to memory at:
+[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
+[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800
+[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700
+[ 70.694911][ T9333] mount_bdev+0x37b/0x530
+[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60
+[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0
+[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0
+[ 70.696588][ T9333] do_new_mount+0x73e/0x1630
+[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0
+[ 70.697425][ T9333] __se_sys_mount+0x733/0x830
+[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150
+[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0
+[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.699730][ T9333]
+[ 70.699946][ T9333] Uninit was created at:
+[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60
+[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0
+[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0
+[ 70.701774][ T9333] allocate_slab+0x30e/0x1390
+[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0
+[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20
+[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0
+[ 70.703598][ T9333] alloc_inode+0x82/0x490
+[ 70.703984][ T9333] iget_locked+0x22e/0x1320
+[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0
+[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0
+[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700
+[ 70.705776][ T9333] mount_bdev+0x37b/0x530
+[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60
+[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0
+[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0
+[ 70.707444][ T9333] do_new_mount+0x73e/0x1630
+[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0
+[ 70.708270][ T9333] __se_sys_mount+0x733/0x830
+[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150
+[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0
+[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.710611][ T9333]
+[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17
+[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.712490][ T9333] =====================================================
+[ 70.713085][ T9333] Disabling lock debugging due to kernel taint
+[ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...
+[ 70.714159][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Tainted: G B 6.12.0-rc6-dirty #17
+[ 70.715007][ T9333] Tainted: [B]=BAD_PAGE
+[ 70.715365][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.716311][ T9333] Call Trace:
+[ 70.716621][ T9333] <TASK>
+[ 70.716899][ T9333] dump_stack_lvl+0x1fd/0x2b0
+[ 70.717350][ T9333] dump_stack+0x1e/0x30
+[ 70.717743][ T9333] panic+0x502/0xca0
+[ 70.718116][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.718611][ T9333] kmsan_report+0x296/0x2a0
+[ 70.719038][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.719859][ T9333] ? __msan_warning+0x96/0x120
+[ 70.720345][ T9333] ? hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.720881][ T9333] ? hfsplus_delete_cat+0x105d/0x12b0
+[ 70.721412][ T9333] ? hfsplus_rmdir+0x13d/0x310
+[ 70.721880][ T9333] ? vfs_rmdir+0x5ba/0x810
+[ 70.722458][ T9333] ? do_rmdir+0x964/0xea0
+[ 70.722883][ T9333] ? __x64_sys_rmdir+0x71/0xb0
+[ 70.723397][ T9333] ? x64_sys_call+0xcd8/0x3cf0
+[ 70.723915][ T9333] ? do_syscall_64+0xd9/0x1d0
+[ 70.724454][ T9333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.725110][ T9333] ? vprintk_emit+0xd1f/0xe60
+[ 70.725616][ T9333] ? vprintk_default+0x3f/0x50
+[ 70.726175][ T9333] ? vprintk+0xce/0xd0
+[ 70.726628][ T9333] ? _printk+0x17e/0x1b0
+[ 70.727129][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.727739][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.728324][ T9333] __msan_warning+0x96/0x120
+[ 70.728854][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.729479][ T9333] hfsplus_delete_cat+0x105d/0x12b0
+[ 70.729984][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.730646][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.731296][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.731863][ T9333] hfsplus_rmdir+0x13d/0x310
+[ 70.732390][ T9333] ? __pfx_hfsplus_rmdir+0x10/0x10
+[ 70.732919][ T9333] vfs_rmdir+0x5ba/0x810
+[ 70.733416][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.734044][ T9333] do_rmdir+0x964/0xea0
+[ 70.734537][ T9333] __x64_sys_rmdir+0x71/0xb0
+[ 70.735032][ T9333] x64_sys_call+0xcd8/0x3cf0
+[ 70.735579][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.736092][ T9333] ? irqentry_exit+0x16/0x60
+[ 70.736637][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.737269][ T9333] RIP: 0033:0x7fa9424eafc9
+[ 70.737775][ T9333] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
+[ 70.739844][ T9333] RSP: 002b:00007fff099cd8d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000054
+[ 70.740760][ T9333] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa9424eafc9
+[ 70.741642][ T9333] RDX: 006c6f72746e6f63 RSI: 000000000000000a RDI: 0000000020000100
+[ 70.742543][ T9333] RBP: 00007fff099cd8e0 R08: 00007fff099cd910 R09: 00007fff099cd910
+[ 70.743376][ T9333] R10: 0000000000000000 R11: 0000000000000202 R12: 0000565430642260
+[ 70.744247][ T9333] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 70.745082][ T9333] </TASK>
+
+The main reason for the issue is that struct hfsplus_inode_info
+has not been properly initialized for the case of the root folder.
+In the case of root folder, hfsplus_fill_super() calls
+the hfsplus_iget() that implements only partial initialization of
+struct hfsplus_inode_info and subfolders field is not
+initialized by hfsplus_iget() logic.
+
+This patch implements complete initialization of
+struct hfsplus_inode_info in the hfsplus_iget() logic with
+the goal to prevent likewise issues for the case of
+root folder.
+
+Reported-by: syzbot <syzbot+fdedff847a0e5e84c39f@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=fdedff847a0e5e84c39f
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250825225103.326401-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/super.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 29a39afe26535..d744fde416804 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -67,13 +67,26 @@ struct inode *hfsplus_iget(struct super_block *sb, unsigned long ino)
+ if (!(inode->i_state & I_NEW))
+ return inode;
+
+- INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
+- spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
+- mutex_init(&HFSPLUS_I(inode)->extents_lock);
+- HFSPLUS_I(inode)->flags = 0;
++ atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->first_blocks = 0;
++ HFSPLUS_I(inode)->clump_blocks = 0;
++ HFSPLUS_I(inode)->alloc_blocks = 0;
++ HFSPLUS_I(inode)->cached_start = U32_MAX;
++ HFSPLUS_I(inode)->cached_blocks = 0;
++ memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(hfsplus_extent_rec));
++ memset(HFSPLUS_I(inode)->cached_extents, 0, sizeof(hfsplus_extent_rec));
+ HFSPLUS_I(inode)->extent_state = 0;
++ mutex_init(&HFSPLUS_I(inode)->extents_lock);
+ HFSPLUS_I(inode)->rsrc_inode = NULL;
+- atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->create_date = 0;
++ HFSPLUS_I(inode)->linkid = 0;
++ HFSPLUS_I(inode)->flags = 0;
++ HFSPLUS_I(inode)->fs_blocks = 0;
++ HFSPLUS_I(inode)->userflags = 0;
++ HFSPLUS_I(inode)->subfolders = 0;
++ INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
++ spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
++ HFSPLUS_I(inode)->phys_size = 0;
+
+ if (inode->i_ino >= HFSPLUS_FIRSTUSER_CNID ||
+ inode->i_ino == HFSPLUS_ROOT_CNID) {
+--
+2.51.0
+
--- /dev/null
+From cd632ad48648ddda029f3a76fe5e56b5e656cf20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Aug 2025 10:58:59 -0600
+Subject: hfsplus: return EIO when type of hidden directory mismatch in
+ hfsplus_fill_super()
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit 9282bc905f0949fab8cf86c0f620ca988761254c ]
+
+If Catalog File contains corrupted record for the case of
+hidden directory's type, regard it as I/O error instead of
+Invalid argument.
+
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250805165905.3390154-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index d744fde416804..db68ed59b4b21 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -539,7 +539,7 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent)
+ if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ hfs_find_exit(&fd);
+ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
+- err = -EINVAL;
++ err = -EIO;
+ goto out_put_root;
+ }
+ inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
+--
+2.51.0
+
--- /dev/null
+From 49f7ffff7a362b33d0ff088eb053926cd8f1fac8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Sep 2025 17:16:13 +0200
+Subject: m68k: bitops: Fix find_*_bit() signatures
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit 6d5674090543b89aac0c177d67e5fb32ddc53804 ]
+
+The function signatures of the m68k-optimized implementations of the
+find_{first,next}_{,zero_}bit() helpers do not match the generic
+variants.
+
+Fix this by changing all non-pointer inputs and outputs to "unsigned
+long", and updating a few local variables.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202509092305.ncd9mzaZ-lkp@intel.com/
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Acked-by: "Yury Norov (NVIDIA)" <yury.norov@gmail.com>
+Link: https://patch.msgid.link/de6919554fbb4cd1427155c6bafbac8a9df822c8.1757517135.git.geert@linux-m68k.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/bitops.h | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/arch/m68k/include/asm/bitops.h b/arch/m68k/include/asm/bitops.h
+index 10133a968c8e1..d2a9aa0485175 100644
+--- a/arch/m68k/include/asm/bitops.h
++++ b/arch/m68k/include/asm/bitops.h
+@@ -314,12 +314,12 @@ static inline int bfchg_mem_test_and_change_bit(int nr,
+ #include <asm-generic/bitops/ffz.h>
+ #else
+
+-static inline int find_first_zero_bit(const unsigned long *vaddr,
+- unsigned size)
++static inline unsigned long find_first_zero_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -340,8 +340,9 @@ static inline int find_first_zero_bit(const unsigned long *vaddr,
+ }
+ #define find_first_zero_bit find_first_zero_bit
+
+-static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_zero_bit(const unsigned long *vaddr,
++ unsigned long size,
++ unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
+@@ -370,11 +371,12 @@ static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+ }
+ #define find_next_zero_bit find_next_zero_bit
+
+-static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
++static inline unsigned long find_first_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -395,8 +397,9 @@ static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
+ }
+ #define find_first_bit find_first_bit
+
+-static inline int find_next_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_bit(const unsigned long *vaddr,
++ unsigned long size,
++ unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
+--
+2.51.0
+
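Review bot: The `res` local in find_next_zero_bit and find_next_bit is still `int` (`int bit = offset & 31UL, res;`, the context line right after each rewritten signature) although both functions now return `unsigned long` and take an `unsigned long size`; the commit widens `res` and `words` only in the two find_first_* helpers. Where the body compares `res` against `size` or returns it, the value is converted on the way out, which is presumably behavior-preserving today but keeps the mixed-signedness comparison that the signature change set out to remove. `unsigned long bit = offset & 31UL, res;` would make all four helpers consistent. Both function bodies continue outside the hunk.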
sched-fair-fix-pelt-lost-idle-time-detection.patch
alsa-firewire-amdtp-stream-fix-enum-kernel-doc-warni.patch
hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch
+exec-fix-incorrect-type-for-ret.patch
+hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
+hfs-make-proper-initalization-of-struct-hfs_find_dat.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch
+hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch
+dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch
+hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch
+hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
+m68k-bitops-fix-find_-_bit-signatures.patch
--- /dev/null
+From fa85221e0c43a952362611e56dbf2b40b75d93d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 11:21:52 -0400
+Subject: dlm: check for defined force value in dlm_lockspace_release
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 6af515c9f3ccec3eb8a262ca86bef2c499d07951 ]
+
+Force values over 3 are undefined, so don't treat them as 3.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index 23cf9b8f31b74..e7372d56c13f4 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -825,7 +825,7 @@ static int release_lockspace(struct dlm_ls *ls, int force)
+
+ dlm_device_deregister(ls);
+
+- if (force < 3 && dlm_user_daemon_available())
++ if (force != 3 && dlm_user_daemon_available())
+ do_uevent(ls, 0);
+
+ dlm_recoverd_stop(ls);
+--
+2.51.0
+
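Review bot: With `force != 3`, a force value the commit message calls undefined (anything above 3) now takes the same path as 0..2 and emits the uevent; the hunk changes how an out-of-range value is interpreted but still does not reject it. If `force` can come in through the user-space interface, the range should be validated once at the entry point and refused with -EINVAL so that release_lockspace only ever sees 0..3; whether such a check exists is outside the hunk. A short comment on the new condition, `/* only force == 3 skips notifying the user-space daemon */`, would record what the magic value means here.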
--- /dev/null
+From 9a166cc3972828ad6c26d00427b719758c3425a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Aug 2025 15:36:09 +0800
+Subject: exec: Fix incorrect type for ret
+
+From: Xichao Zhao <zhao.xichao@vivo.com>
+
+[ Upstream commit 5e088248375d171b80c643051e77ade6b97bc386 ]
+
+In the setup_arg_pages(), ret is declared as an unsigned long.
+The ret might take a negative value. Therefore, its type should
+be changed to int.
+
+Signed-off-by: Xichao Zhao <zhao.xichao@vivo.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20250825073609.219855-1-zhao.xichao@vivo.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index b65af8f9a4f9b..a4d21a67723d7 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -750,7 +750,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ unsigned long stack_top,
+ int executable_stack)
+ {
+- unsigned long ret;
++ int ret;
+ unsigned long stack_shift;
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma = bprm->vma;
+--
+2.51.0
+
--- /dev/null
+From 7d2b252bc4f44632f19e33368d4d2f85fe5503a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 12:49:19 -0700
+Subject: hfs: clear offset and space out of valid records in b-tree node
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 18b07c44f245beb03588b00b212b38fce9af7cc9 ]
+
+Currently, hfs_brec_remove() executes moving records
+towards the location of deleted record and it updates
+offsets of moved records. However, the hfs_brec_remove()
+logic ignores the "mess" of b-tree node's free space and
+it doesn't touch the offsets out of records number.
+Potentially, it could confuse fsck or driver logic or
+to be a reason of potential corruption cases.
+
+This patch reworks the logic of hfs_brec_remove()
+by means of clearing freed space of b-tree node
+after the records moving. And it clear the last
+offset that keeping old location of free space
+because now the offset before this one is keeping
+the actual offset to the free space after the record
+deletion.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250815194918.38165-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/brec.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
+index 896396554bcc1..b01db1fae147c 100644
+--- a/fs/hfs/brec.c
++++ b/fs/hfs/brec.c
+@@ -179,6 +179,7 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ struct hfs_btree *tree;
+ struct hfs_bnode *node, *parent;
+ int end_off, rec_off, data_off, size;
++ int src, dst, len;
+
+ tree = fd->tree;
+ node = fd->bnode;
+@@ -208,10 +209,14 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ }
+ hfs_bnode_write_u16(node, offsetof(struct hfs_bnode_desc, num_recs), node->num_recs);
+
+- if (rec_off == end_off)
+- goto skip;
+ size = fd->keylength + fd->entrylength;
+
++ if (rec_off == end_off) {
++ src = fd->keyoffset;
++ hfs_bnode_clear(node, src, size);
++ goto skip;
++ }
++
+ do {
+ data_off = hfs_bnode_read_u16(node, rec_off);
+ hfs_bnode_write_u16(node, rec_off + 2, data_off - size);
+@@ -219,9 +224,23 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ } while (rec_off >= end_off);
+
+ /* fill hole */
+- hfs_bnode_move(node, fd->keyoffset, fd->keyoffset + size,
+- data_off - fd->keyoffset - size);
++ dst = fd->keyoffset;
++ src = fd->keyoffset + size;
++ len = data_off - src;
++
++ hfs_bnode_move(node, dst, src, len);
++
++ src = dst + len;
++ len = data_off - src;
++
++ hfs_bnode_clear(node, src, len);
++
+ skip:
++ /*
++ * Remove the obsolete offset to free space.
++ */
++ hfs_bnode_write_u16(node, end_off, 0);
++
+ hfs_bnode_dump(node);
+ if (!fd->record)
+ hfs_brec_update_parent(fd);
+--
+2.51.0
+
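Review bot: The second clearing computation, `src = dst + len; len = data_off - src;`, arrives at `size` by a detour (src ends up at `data_off - size` and len at `size`), and reusing `len` for two different quantities hides that; `hfs_bnode_clear(node, data_off - size, size);` states the intent directly. Neither the move nor the clear checks that `data_off >= fd->keyoffset + size`: on a node whose record offsets are corrupted `len` goes negative and is passed straight to hfs_bnode_move and hfs_bnode_clear, so a guard after computing `len` (`if (len < 0) return -EIO;`, or whatever error convention hfs_brec_remove follows) would fail closed instead of writing with a negative length. hfs_brec_remove's body, including how end_off and data_off are derived, continues outside the hunk.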
--- /dev/null
+From 182a3cfa6bf2495d680f70656acfe15534a86a12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Aug 2025 16:06:38 -0700
+Subject: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd ]
+
+The syzbot reported issue in hfs_find_set_zero_bits():
+
+=====================================================
+BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
+ hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
+ hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151
+ hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408
+ hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353
+ __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151
+ block_write_begin fs/buffer.c:2262 [inline]
+ cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601
+ hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
+ cont_expand_zero fs/buffer.c:2528 [inline]
+ cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591
+ hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
+ hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494
+ hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654
+ notify_change+0x1993/0x1aa0 fs/attr.c:552
+ do_truncate+0x28f/0x310 fs/open.c:68
+ do_ftruncate+0x698/0x730 fs/open.c:195
+ do_sys_ftruncate fs/open.c:210 [inline]
+ __do_sys_ftruncate fs/open.c:215 [inline]
+ __se_sys_ftruncate fs/open.c:213 [inline]
+ __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213
+ x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:4154 [inline]
+ slab_alloc_node mm/slub.c:4197 [inline]
+ __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354
+ kmalloc_noprof include/linux/slab.h:905 [inline]
+ hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175
+ hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337
+ get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681
+ get_tree_bdev+0x38/0x50 fs/super.c:1704
+ hfs_get_tree+0x35/0x40 fs/hfs/super.c:388
+ vfs_get_tree+0xb0/0x5c0 fs/super.c:1804
+ do_new_mount+0x738/0x1610 fs/namespace.c:3902
+ path_mount+0x6db/0x1e90 fs/namespace.c:4226
+ do_mount fs/namespace.c:4239 [inline]
+ __do_sys_mount fs/namespace.c:4450 [inline]
+ __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427
+ __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427
+ x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
+=====================================================
+
+The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():
+
+HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
+
+Finally, it can trigger the reported issue because kmalloc()
+doesn't clear the allocated memory. If allocated memory contains
+only zeros, then everything will work pretty fine.
+But if the allocated memory contains the "garbage", then
+it can affect the bitmap operations and it triggers
+the reported issue.
+
+This patch simply exchanges the kmalloc() on kzalloc()
+with the goal to guarantee the correctness of bitmap operations.
+Because, newly created allocation bitmap should have all
+available blocks free. Potentially, initialization bitmap's read
+operation could not fill the whole allocated memory and
+"garbage" in the not initialized memory will be the reason of
+volume corruptions and file system driver bugs.
+
+Reported-by: syzbot <syzbot+773fa9d79b29bd8b6831@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=773fa9d79b29bd8b6831
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250820230636.179085-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/mdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
+index 8082eb01127cd..bf811347bb07d 100644
+--- a/fs/hfs/mdb.c
++++ b/fs/hfs/mdb.c
+@@ -172,7 +172,7 @@ int hfs_mdb_get(struct super_block *sb)
+ pr_warn("continuing without an alternate MDB\n");
+ }
+
+- HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
++ HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL);
+ if (!HFS_SB(sb)->bitmap)
+ goto out;
+
+--
+2.51.0
+
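Review bot: Zero-filling changes what an unpopulated region of the 8192-byte buffer means: with kzalloc, any part the later bitmap read does not fill now reads as "free" instead of stale heap data, a case the commit message itself names as possible. That is the safer default for the uninit-value report, but a short or failed bitmap read should still be reported as an error rather than relying on the zeros, since a cleared bit on a block that is actually in use would presumably let the allocator hand that block out; the read path is outside this hunk. A comment on the new line, `/* zeroed: bits the read does not fill must not be stale heap data */`, would record why kzalloc rather than kmalloc is required here.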
--- /dev/null
+From 6315368b3075acd66a504cb0a0691bf79ca8dc39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 15:52:52 -0700
+Subject: hfs: make proper initalization of struct hfs_find_data
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit c62663a986acee7c4485c1fa9de5fc40194b6290 ]
+
+Potentially, __hfs_ext_read_extent() could operate on
+uninitialized values of fd->key after the hfs_brec_find() call:
+
+static inline int __hfs_ext_read_extent(struct hfs_find_data *fd, struct hfs_extent *extent,
+ u32 cnid, u32 block, u8 type)
+{
+ int res;
+
+ hfs_ext_build_key(fd->search_key, cnid, block, type);
+ fd->key->ext.FNum = 0;
+ res = hfs_brec_find(fd);
+ if (res && res != -ENOENT)
+ return res;
+ if (fd->key->ext.FNum != fd->search_key->ext.FNum ||
+ fd->key->ext.FkType != fd->search_key->ext.FkType)
+ return -ENOENT;
+ if (fd->entrylength != sizeof(hfs_extent_rec))
+ return -EIO;
+ hfs_bnode_read(fd->bnode, extent, fd->entryoffset, sizeof(hfs_extent_rec));
+ return 0;
+}
+
+This patch changes kmalloc() on kzalloc() in hfs_find_init()
+and intializes fd->record, fd->keyoffset, fd->keylength,
+fd->entryoffset, fd->entrylength for the case if hfs_brec_find()
+has been found nothing in the b-tree node.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250818225252.126427-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/bfind.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c
+index ef9498a6e88ac..6d37b4c759034 100644
+--- a/fs/hfs/bfind.c
++++ b/fs/hfs/bfind.c
+@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+
+ fd->tree = tree;
+ fd->bnode = NULL;
+- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+@@ -112,6 +112,12 @@ int hfs_brec_find(struct hfs_find_data *fd)
+ __be32 data;
+ int height, res;
+
++ fd->record = -1;
++ fd->keyoffset = -1;
++ fd->keylength = -1;
++ fd->entryoffset = -1;
++ fd->entrylength = -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
+--
+2.51.0
+
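Review bot: The five `-1` assignments at the top of hfs_brec_find carry no comment, and nothing in the hunk says which callers are expected to observe them; a comment above the group, `/* Reset the lookup results so a failed search cannot leave stale offsets from a previous find; callers must check the return code before using them. */`, would make the contract explicit. The sentinels only help callers that test them: the example in the commit message checks `fd->entrylength != sizeof(hfs_extent_rec)`, which -1 satisfies, but a caller that treats -ENOENT as "nothing found" and then reads `fd->keyoffset` anyway would now use -1 instead of stale data, so the callers (outside this hunk) are worth auditing. The rest of hfs_brec_find's body is outside the hunk.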
--- /dev/null
+From 55d66faa7318763a7b1356757a80030ea0841389 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 22:17:34 +0800
+Subject: hfs: validate record offset in hfsplus_bmap_alloc
+
+From: Yang Chenzhi <yang.chenzhi@vivo.com>
+
+[ Upstream commit 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 ]
+
+hfsplus_bmap_alloc can trigger a crash if a
+record offset or length is larger than node_size
+
+[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0
+[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183
+[ 15.265949]
+[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)
+[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 15.266167] Call Trace:
+[ 15.266168] <TASK>
+[ 15.266169] dump_stack_lvl+0x53/0x70
+[ 15.266173] print_report+0xd0/0x660
+[ 15.266181] kasan_report+0xce/0x100
+[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0
+[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0
+[ 15.266217] hfsplus_brec_insert+0x870/0xb00
+[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570
+[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910
+[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200
+[ 15.266233] hfsplus_file_extend+0x5a7/0x1000
+[ 15.266237] hfsplus_get_block+0x12b/0x8c0
+[ 15.266238] __block_write_begin_int+0x36b/0x12c0
+[ 15.266251] block_write_begin+0x77/0x110
+[ 15.266252] cont_write_begin+0x428/0x720
+[ 15.266259] hfsplus_write_begin+0x51/0x100
+[ 15.266262] cont_write_begin+0x272/0x720
+[ 15.266270] hfsplus_write_begin+0x51/0x100
+[ 15.266274] generic_perform_write+0x321/0x750
+[ 15.266285] generic_file_write_iter+0xc3/0x310
+[ 15.266289] __kernel_write_iter+0x2fd/0x800
+[ 15.266296] dump_user_range+0x2ea/0x910
+[ 15.266301] elf_core_dump+0x2a94/0x2ed0
+[ 15.266320] vfs_coredump+0x1d85/0x45e0
+[ 15.266349] get_signal+0x12e3/0x1990
+[ 15.266357] arch_do_signal_or_restart+0x89/0x580
+[ 15.266362] irqentry_exit_to_user_mode+0xab/0x110
+[ 15.266364] asm_exc_page_fault+0x26/0x30
+[ 15.266366] RIP: 0033:0x41bd35
+[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f
+[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283
+[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000
+[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100
+[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000
+[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000
+[ 15.266376] </TASK>
+
+When calling hfsplus_bmap_alloc to allocate a free node, this function
+first retrieves the bitmap from header node and map node using node->page
+together with the offset and length from hfs_brec_lenoff
+
+```
+len = hfs_brec_lenoff(node, 2, &off16);
+off = off16;
+
+off += node->page_offset;
+pagep = node->page + (off >> PAGE_SHIFT);
+data = kmap_local_page(*pagep);
+```
+
+However, if the retrieved offset or length is invalid(i.e. exceeds
+node_size), the code may end up accessing pages outside the allocated
+range for this node.
+
+This patch adds proper validation of both offset and length before use,
+preventing out-of-bounds page access. Move is_bnode_offset_valid and
+check_and_correct_requested_length to hfsplus_fs.h, as they may be
+required by other functions.
+
+Reported-by: syzbot+356aed408415a56543cd@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67bcb4a6.050a0220.bbfd1.008f.GAE@google.com/
+Signed-off-by: Yang Chenzhi <yang.chenzhi@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250818141734.8559-2-yang.chenzhi@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/bnode.c | 41 ----------------------------------------
+ fs/hfsplus/btree.c | 6 ++++++
+ fs/hfsplus/hfsplus_fs.h | 42 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 48 insertions(+), 41 deletions(-)
+
+diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
+index 14f4995588ff0..407d5152eb411 100644
+--- a/fs/hfsplus/bnode.c
++++ b/fs/hfsplus/bnode.c
+@@ -18,47 +18,6 @@
+ #include "hfsplus_fs.h"
+ #include "hfsplus_raw.h"
+
+-static inline
+-bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
+-{
+- bool is_valid = off < node->tree->node_size;
+-
+- if (!is_valid) {
+- pr_err("requested invalid offset: "
+- "NODE: id %u, type %#x, height %u, "
+- "node_size %u, offset %d\n",
+- node->this, node->type, node->height,
+- node->tree->node_size, off);
+- }
+-
+- return is_valid;
+-}
+-
+-static inline
+-int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
+-{
+- unsigned int node_size;
+-
+- if (!is_bnode_offset_valid(node, off))
+- return 0;
+-
+- node_size = node->tree->node_size;
+-
+- if ((off + len) > node_size) {
+- int new_len = (int)node_size - off;
+-
+- pr_err("requested length has been corrected: "
+- "NODE: id %u, type %#x, height %u, "
+- "node_size %u, offset %d, "
+- "requested_len %d, corrected_len %d\n",
+- node->this, node->type, node->height,
+- node->tree->node_size, off, len, new_len);
+-
+- return new_len;
+- }
+-
+- return len;
+-}
+
+ /* Copy a specified range of bytes from the raw data of a node */
+ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
+diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
+index 9e1732a2b92a8..fe6a54c4083c3 100644
+--- a/fs/hfsplus/btree.c
++++ b/fs/hfsplus/btree.c
+@@ -393,6 +393,12 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
+ len = hfs_brec_lenoff(node, 2, &off16);
+ off = off16;
+
++ if (!is_bnode_offset_valid(node, off)) {
++ hfs_bnode_put(node);
++ return ERR_PTR(-EIO);
++ }
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ pagep = node->page + (off >> PAGE_SHIFT);
+ data = kmap_local_page(*pagep);
+diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
+index 3227436f3a4a6..e13da1fe2c2a2 100644
+--- a/fs/hfsplus/hfsplus_fs.h
++++ b/fs/hfsplus/hfsplus_fs.h
+@@ -574,6 +574,48 @@ hfsplus_btree_lock_class(struct hfs_btree *tree)
+ return class;
+ }
+
++static inline
++bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
++{
++ bool is_valid = off < node->tree->node_size;
++
++ if (!is_valid) {
++ pr_err("requested invalid offset: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off);
++ }
++
++ return is_valid;
++}
++
++static inline
++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
++{
++ unsigned int node_size;
++
++ if (!is_bnode_offset_valid(node, off))
++ return 0;
++
++ node_size = node->tree->node_size;
++
++ if ((off + len) > node_size) {
++ int new_len = (int)node_size - off;
++
++ pr_err("requested length has been corrected: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, "
++ "requested_len %d, corrected_len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len, new_len);
++
++ return new_len;
++ }
++
++ return len;
++}
++
+ /* compatibility */
+ #define hfsp_mt2ut(t) (struct timespec64){ .tv_sec = __hfsp_mt2ut(t) }
+ #define hfsp_ut2mt(t) __hfsp_ut2mt((t).tv_sec)
+--
+2.51.0
+
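Review bot: Now that `is_bnode_offset_valid` and `check_and_correct_requested_length` are header helpers meant for more callers, their signedness needs tightening: `off` is `int` while `node_size` appears to be unsigned (it is copied into an `unsigned int` and printed with `%u`), so in `off < node->tree->node_size` a negative `off` is converted to a large unsigned value and passes as valid, and a negative `len` makes `(off + len) > node_size` true and "corrects" it to `node_size - off`, a positive length. The btree.c caller is presumably safe because `off` comes from `off16`, but the helpers should reject negatives themselves: `bool is_valid = off >= 0 && (unsigned int)off < node->tree->node_size;` in is_bnode_offset_valid and `if (len < 0) return 0;` at the top of check_and_correct_requested_length. The new `return ERR_PTR(-EIO)` in hfs_bmap_alloc also assumes its callers test the result with IS_ERR rather than for NULL; those callers are outside the hunk.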
--- /dev/null
+From 83b37f602a1068b87b7bdcb20468b787d9a5b052 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 15:52:32 -0700
+Subject: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 4840ceadef4290c56cc422f0fc697655f3cbf070 ]
+
+The syzbot reported issue in __hfsplus_ext_cache_extent():
+
+[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0
+[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.199771][ T9350] ksys_write+0x23e/0x490
+[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.202054][ T9350]
+[ 70.202279][ T9350] Uninit was created at:
+[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80
+[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0
+[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0
+[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.207961][ T9350] ksys_write+0x23e/0x490
+[ 70.208375][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.210230][ T9350]
+[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5
+[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.212115][ T9350] =====================================================
+[ 70.212734][ T9350] Disabling lock debugging due to kernel taint
+[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ...
+[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5
+[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE
+[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.215999][ T9350] Call Trace:
+[ 70.216309][ T9350] <TASK>
+[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0
+[ 70.217025][ T9350] dump_stack+0x1e/0x30
+[ 70.217421][ T9350] panic+0x502/0xca0
+[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+
+[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...
+ kernel
+:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+set ...
+[ 70.221254][ T9350] ? __msan_warning+0x96/0x120
+[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0
+[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0
+[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0
+[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950
+[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130
+[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060
+[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460
+[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0
+[ 70.228540][ T9350] ? vfs_write+0xb0f/0x14e0
+[ 70.228997][ T9350] ? ksys_write+0x23e/0x490
+[ 70.229458][ T9350] ? __x64_sys_write+0x97/0xf0
+[ 70.229939][ T9350] ? x64_sys_call+0x3015/0x3cf0
+[ 70.230432][ T9350] ? do_syscall_64+0xd9/0x1d0
+[ 70.230941][ T9350] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.231926][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.232738][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.233711][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.234516][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.235398][ T9350] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.236323][ T9350] ? hfsplus_brec_find+0x218/0x9f0
+[ 70.237090][ T9350] ? __pfx_hfs_find_rec_by_key+0x10/0x10
+[ 70.237938][ T9350] ? __msan_instrument_asm_store+0xbf/0xf0
+[ 70.238827][ T9350] ? __msan_metadata_ptr_for_store_4+0x27/0x40
+[ 70.239772][ T9350] ? __hfsplus_ext_write_extent+0x536/0x620
+[ 70.240666][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.241175][ T9350] __msan_warning+0x96/0x120
+[ 70.241645][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.242223][ T9350] hfsplus_file_extend+0x74f/0x1cf0
+[ 70.242748][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.243255][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.243878][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.244400][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.244967][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.245531][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10
+[ 70.246079][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.246598][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.247105][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10
+[ 70.247650][ T9350] ? __pfx_hfsplus_write_begin+0x10/0x10
+[ 70.248211][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.248752][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.249314][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.249856][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.250487][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.250930][ T9350] ? __pfx_generic_file_write_iter+0x10/0x10
+[ 70.251530][ T9350] ksys_write+0x23e/0x490
+[ 70.251974][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.252450][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.252924][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.253384][ T9350] ? irqentry_exit+0x16/0x60
+[ 70.253844][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.254430][ T9350] RIP: 0033:0x7f7a92adffc9
+[ 70.254873][ T9350] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
+[ 70.256674][ T9350] RSP: 002b:00007fff0bca3188 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
+[ 70.257485][ T9350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a92adffc9
+[ 70.258246][ T9350] RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000004
+[ 70.258998][ T9350] RBP: 00007fff0bca31a0 R08: 00007fff0bca31a0 R09: 00007fff0bca31a0
+[ 70.259769][ T9350] R10: 0000000000000000 R11: 0000000000000202 R12: 000055e0d75f8250
+[ 70.260520][ T9350] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 70.261286][ T9350] </TASK>
+[ 70.262026][ T9350] Kernel Offset: disabled
+
+(gdb) l *__hfsplus_ext_cache_extent+0x7d0
+0xffffffff8318aef0 is in __hfsplus_ext_cache_extent (fs/hfsplus/extents.c:168).
+163 fd->key->ext.cnid = 0;
+164 res = hfs_brec_find(fd, hfs_find_rec_by_key);
+165 if (res && res != -ENOENT)
+166 return res;
+167 if (fd->key->ext.cnid != fd->search_key->ext.cnid ||
+168 fd->key->ext.fork_type != fd->search_key->ext.fork_type)
+169 return -ENOENT;
+170 if (fd->entrylength != sizeof(hfsplus_extent_rec))
+171 return -EIO;
+172 hfs_bnode_read(fd->bnode, extent, fd->entryoffset,
+
+The __hfsplus_ext_cache_extent() calls __hfsplus_ext_read_extent():
+
+res = __hfsplus_ext_read_extent(fd, hip->cached_extents, inode->i_ino,
+ block, HFSPLUS_IS_RSRC(inode) ?
+ HFSPLUS_TYPE_RSRC :
+ HFSPLUS_TYPE_DATA);
+
+And if inode->i_ino could be equal to zero or any non-available CNID,
+then hfs_brec_find() could not find the record in the tree. As a result,
+fd->key could be compared with fd->search_key. But hfsplus_find_init()
+uses kmalloc() for fd->key and fd->search_key allocation:
+
+int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+{
+<skipped>
+ ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+ fd->key = ptr + tree->max_key_len + 2;
+<skipped>
+}
+
+Finally, fd->key is still not initialized if hfs_brec_find()
+has found nothing.
+
+This patch replaces kmalloc() with kzalloc() in hfs_find_init()
+and initializes fd->record, fd->keyoffset, fd->keylength,
+fd->entryoffset, fd->entrylength for the case where hfs_brec_find()
+has found nothing in the b-tree node.
+
+Reported-by: syzbot <syzbot+55ad87f38795d6787521@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=55ad87f38795d6787521
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250818225232.126402-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/bfind.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c
+index 901e83d65d202..26ebac4c60424 100644
+--- a/fs/hfsplus/bfind.c
++++ b/fs/hfsplus/bfind.c
+@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+
+ fd->tree = tree;
+ fd->bnode = NULL;
+- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+@@ -158,6 +158,12 @@ int hfs_brec_find(struct hfs_find_data *fd, search_strategy_t do_key_compare)
+ __be32 data;
+ int height, res;
+
++ fd->record = -1;
++ fd->keyoffset = -1;
++ fd->keylength = -1;
++ fd->entryoffset = -1;
++ fd->entrylength = -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
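Review bot: The -1 sentinels written at the top of hfs_brec_find() carry no comment saying why they exist, and a reader of the kzalloc() change in the first hunk could conclude that zeroed keys alone make a failed lookup safe. Going by the commit message, a zero-initialized fd->key can spuriously match a search key whose cnid is 0, so the caller's `fd->entrylength != sizeof(hfsplus_extent_rec)` test is what actually rejects the missing record, and that only works because entrylength is reset here on every call. I would add above the block: `/* Reset to -1 on every lookup: when no record is found, callers that compare fd->key (zeroed by kzalloc in hfs_find_init) must still fail their entrylength check. */`. The rest of hfs_brec_find() is outside the hunk, so I have not verified that every path returning -ENOENT leaves these fields untouched.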
+--
+2.51.0
+
--- /dev/null
+From 52cde0a6aba81f4e8f26242bd2dbead23d86736e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Aug 2025 15:51:04 -0700
+Subject: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 9b3d15a758910bb98ba8feb4109d99cc67450ee4 ]
+
+The syzbot reported issue in hfsplus_delete_cat():
+
+[ 70.682285][ T9333] =====================================================
+[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0
+[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310
+[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810
+[ 70.685447][ T9333] do_rmdir+0x964/0xea0
+[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0
+[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0
+[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.687646][ T9333]
+[ 70.687856][ T9333] Uninit was stored to memory at:
+[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
+[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800
+[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600
+[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70
+[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0
+[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30
+[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0
+[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0
+[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.692773][ T9333]
+[ 70.692990][ T9333] Uninit was stored to memory at:
+[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
+[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800
+[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700
+[ 70.694911][ T9333] mount_bdev+0x37b/0x530
+[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60
+[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0
+[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0
+[ 70.696588][ T9333] do_new_mount+0x73e/0x1630
+[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0
+[ 70.697425][ T9333] __se_sys_mount+0x733/0x830
+[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150
+[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0
+[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.699730][ T9333]
+[ 70.699946][ T9333] Uninit was created at:
+[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60
+[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0
+[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0
+[ 70.701774][ T9333] allocate_slab+0x30e/0x1390
+[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0
+[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20
+[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0
+[ 70.703598][ T9333] alloc_inode+0x82/0x490
+[ 70.703984][ T9333] iget_locked+0x22e/0x1320
+[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0
+[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0
+[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700
+[ 70.705776][ T9333] mount_bdev+0x37b/0x530
+[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60
+[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0
+[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0
+[ 70.707444][ T9333] do_new_mount+0x73e/0x1630
+[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0
+[ 70.708270][ T9333] __se_sys_mount+0x733/0x830
+[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150
+[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0
+[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.710611][ T9333]
+[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17
+[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.712490][ T9333] =====================================================
+[ 70.713085][ T9333] Disabling lock debugging due to kernel taint
+[ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...
+[ 70.714159][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Tainted: G B 6.12.0-rc6-dirty #17
+[ 70.715007][ T9333] Tainted: [B]=BAD_PAGE
+[ 70.715365][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.716311][ T9333] Call Trace:
+[ 70.716621][ T9333] <TASK>
+[ 70.716899][ T9333] dump_stack_lvl+0x1fd/0x2b0
+[ 70.717350][ T9333] dump_stack+0x1e/0x30
+[ 70.717743][ T9333] panic+0x502/0xca0
+[ 70.718116][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.718611][ T9333] kmsan_report+0x296/0x2a0
+[ 70.719038][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.719859][ T9333] ? __msan_warning+0x96/0x120
+[ 70.720345][ T9333] ? hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.720881][ T9333] ? hfsplus_delete_cat+0x105d/0x12b0
+[ 70.721412][ T9333] ? hfsplus_rmdir+0x13d/0x310
+[ 70.721880][ T9333] ? vfs_rmdir+0x5ba/0x810
+[ 70.722458][ T9333] ? do_rmdir+0x964/0xea0
+[ 70.722883][ T9333] ? __x64_sys_rmdir+0x71/0xb0
+[ 70.723397][ T9333] ? x64_sys_call+0xcd8/0x3cf0
+[ 70.723915][ T9333] ? do_syscall_64+0xd9/0x1d0
+[ 70.724454][ T9333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.725110][ T9333] ? vprintk_emit+0xd1f/0xe60
+[ 70.725616][ T9333] ? vprintk_default+0x3f/0x50
+[ 70.726175][ T9333] ? vprintk+0xce/0xd0
+[ 70.726628][ T9333] ? _printk+0x17e/0x1b0
+[ 70.727129][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.727739][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.728324][ T9333] __msan_warning+0x96/0x120
+[ 70.728854][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.729479][ T9333] hfsplus_delete_cat+0x105d/0x12b0
+[ 70.729984][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.730646][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.731296][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.731863][ T9333] hfsplus_rmdir+0x13d/0x310
+[ 70.732390][ T9333] ? __pfx_hfsplus_rmdir+0x10/0x10
+[ 70.732919][ T9333] vfs_rmdir+0x5ba/0x810
+[ 70.733416][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.734044][ T9333] do_rmdir+0x964/0xea0
+[ 70.734537][ T9333] __x64_sys_rmdir+0x71/0xb0
+[ 70.735032][ T9333] x64_sys_call+0xcd8/0x3cf0
+[ 70.735579][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.736092][ T9333] ? irqentry_exit+0x16/0x60
+[ 70.736637][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.737269][ T9333] RIP: 0033:0x7fa9424eafc9
+[ 70.737775][ T9333] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
+[ 70.739844][ T9333] RSP: 002b:00007fff099cd8d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000054
+[ 70.740760][ T9333] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa9424eafc9
+[ 70.741642][ T9333] RDX: 006c6f72746e6f63 RSI: 000000000000000a RDI: 0000000020000100
+[ 70.742543][ T9333] RBP: 00007fff099cd8e0 R08: 00007fff099cd910 R09: 00007fff099cd910
+[ 70.743376][ T9333] R10: 0000000000000000 R11: 0000000000000202 R12: 0000565430642260
+[ 70.744247][ T9333] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 70.745082][ T9333] </TASK>
+
+The main reason for the issue is that struct hfsplus_inode_info
+has not been properly initialized for the case of the root folder.
+In the case of the root folder, hfsplus_fill_super() calls
+hfsplus_iget(), which implements only partial initialization of
+struct hfsplus_inode_info, and the subfolders field is not
+initialized by the hfsplus_iget() logic.
+
+This patch implements complete initialization of
+struct hfsplus_inode_info in the hfsplus_iget() logic with
+the goal to prevent likewise issues for the case of
+root folder.
+
+Reported-by: syzbot <syzbot+fdedff847a0e5e84c39f@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=fdedff847a0e5e84c39f
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250825225103.326401-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/super.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 1986b4f18a901..8c086f16dd589 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -67,13 +67,26 @@ struct inode *hfsplus_iget(struct super_block *sb, unsigned long ino)
+ if (!(inode->i_state & I_NEW))
+ return inode;
+
+- INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
+- spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
+- mutex_init(&HFSPLUS_I(inode)->extents_lock);
+- HFSPLUS_I(inode)->flags = 0;
++ atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->first_blocks = 0;
++ HFSPLUS_I(inode)->clump_blocks = 0;
++ HFSPLUS_I(inode)->alloc_blocks = 0;
++ HFSPLUS_I(inode)->cached_start = U32_MAX;
++ HFSPLUS_I(inode)->cached_blocks = 0;
++ memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(hfsplus_extent_rec));
++ memset(HFSPLUS_I(inode)->cached_extents, 0, sizeof(hfsplus_extent_rec));
+ HFSPLUS_I(inode)->extent_state = 0;
++ mutex_init(&HFSPLUS_I(inode)->extents_lock);
+ HFSPLUS_I(inode)->rsrc_inode = NULL;
+- atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->create_date = 0;
++ HFSPLUS_I(inode)->linkid = 0;
++ HFSPLUS_I(inode)->flags = 0;
++ HFSPLUS_I(inode)->fs_blocks = 0;
++ HFSPLUS_I(inode)->userflags = 0;
++ HFSPLUS_I(inode)->subfolders = 0;
++ INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
++ spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
++ HFSPLUS_I(inode)->phys_size = 0;
+
+ if (inode->i_ino >= HFSPLUS_FIRSTUSER_CNID ||
+ inode->i_ino == HFSPLUS_ROOT_CNID) {
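Review bot: The two new memset() calls size the clear by the type name, `sizeof(hfsplus_extent_rec)`, rather than by the object being cleared, so if either field ever changes type the clear silently becomes wrong. Tie it to the field instead: `memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(HFSPLUS_I(inode)->first_extents));` and likewise for cached_extents. Style: with this many consecutive `HFSPLUS_I(inode)->` accesses, a local `struct hfsplus_inode_info *hip = HFSPLUS_I(inode);` at the top of the block would shorten every line and make the initialization list easier to scan against the struct definition. hfsplus_iget() starts and ends outside this hunk.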
+--
+2.51.0
+
--- /dev/null
+From 34dd19057870efcc9baa15ca70150cde27cc7f2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Aug 2025 10:58:59 -0600
+Subject: hfsplus: return EIO when type of hidden directory mismatch in
+ hfsplus_fill_super()
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit 9282bc905f0949fab8cf86c0f620ca988761254c ]
+
+If Catalog File contains corrupted record for the case of
+hidden directory's type, regard it as I/O error instead of
+Invalid argument.
+
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250805165905.3390154-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 8c086f16dd589..7e889820a63d0 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -538,7 +538,7 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent)
+ if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ hfs_find_exit(&fd);
+ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
+- err = -EINVAL;
++ err = -EIO;
+ goto out_put_root;
+ }
+ inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
+--
+2.51.0
+
--- /dev/null
+From 7c2c51cba980677c3e0ff43fd0a1d26a48d62a1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 14:06:05 +0800
+Subject: lkdtm: fortify: Fix potential NULL dereference on kmalloc failure
+
+From: Junjie Cao <junjie.cao@intel.com>
+
+[ Upstream commit 01c7344e21c2140e72282d9d16d79a61f840fc20 ]
+
+Add missing NULL pointer checks after kmalloc() calls in
+lkdtm_FORTIFY_STR_MEMBER() and lkdtm_FORTIFY_MEM_MEMBER() functions.
+
+Signed-off-by: Junjie Cao <junjie.cao@intel.com>
+Link: https://lore.kernel.org/r/20250814060605.5264-1-junjie.cao@intel.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/lkdtm/fortify.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/misc/lkdtm/fortify.c b/drivers/misc/lkdtm/fortify.c
+index 0159276656780..00ed2147113e6 100644
+--- a/drivers/misc/lkdtm/fortify.c
++++ b/drivers/misc/lkdtm/fortify.c
+@@ -44,6 +44,9 @@ static void lkdtm_FORTIFY_STR_MEMBER(void)
+ char *src;
+
+ src = kmalloc(size, GFP_KERNEL);
++ if (!src)
++ return;
++
+ strscpy(src, "over ten bytes", size);
+ size = strlen(src) + 1;
+
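Review bot: The new `if (!src) return;` at the top of lkdtm_FORTIFY_STR_MEMBER() exits silently, so an allocation failure is indistinguishable from the test running and not tripping FORTIFY; the identical guard added to lkdtm_FORTIFY_MEM_MEMBER() in the next hunk has the same problem. Logging the skip keeps the result interpretable, e.g. `if (!src) { pr_warn("kmalloc() failed, skipping test\n"); return; }`, adjusted to whatever prefix the other lkdtm tests use for a skipped check. Both functions continue outside the hunks, so I have not checked how their pass/fail outcome is otherwise reported.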
+@@ -109,6 +112,9 @@ static void lkdtm_FORTIFY_MEM_MEMBER(void)
+ char *src;
+
+ src = kmalloc(size, GFP_KERNEL);
++ if (!src)
++ return;
++
+ strscpy(src, "over ten bytes", size);
+ size = strlen(src) + 1;
+
+--
+2.51.0
+
--- /dev/null
+From f49e097b18d19fc41f967dca455650662c204e6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Sep 2025 17:16:13 +0200
+Subject: m68k: bitops: Fix find_*_bit() signatures
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit 6d5674090543b89aac0c177d67e5fb32ddc53804 ]
+
+The function signatures of the m68k-optimized implementations of the
+find_{first,next}_{,zero_}bit() helpers do not match the generic
+variants.
+
+Fix this by changing all non-pointer inputs and outputs to "unsigned
+long", and updating a few local variables.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202509092305.ncd9mzaZ-lkp@intel.com/
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Acked-by: "Yury Norov (NVIDIA)" <yury.norov@gmail.com>
+Link: https://patch.msgid.link/de6919554fbb4cd1427155c6bafbac8a9df822c8.1757517135.git.geert@linux-m68k.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/bitops.h | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/arch/m68k/include/asm/bitops.h b/arch/m68k/include/asm/bitops.h
+index e984af71df6be..d86aa744cb8fc 100644
+--- a/arch/m68k/include/asm/bitops.h
++++ b/arch/m68k/include/asm/bitops.h
+@@ -329,12 +329,12 @@ arch___test_and_change_bit(unsigned long nr, volatile unsigned long *addr)
+ #include <asm-generic/bitops/ffz.h>
+ #else
+
+-static inline int find_first_zero_bit(const unsigned long *vaddr,
+- unsigned size)
++static inline unsigned long find_first_zero_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -355,8 +355,9 @@ static inline int find_first_zero_bit(const unsigned long *vaddr,
+ }
+ #define find_first_zero_bit find_first_zero_bit
+
+-static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_zero_bit(const unsigned long *vaddr,
++ unsigned long size,
++ unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
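Review bot: In find_next_zero_bit() the locals on the hunk's last context line, `int bit = offset & 31UL, res;`, are still `int` although `size` and `offset` are now `unsigned long` and `res` is presumably what gets returned as `unsigned long`; the commit message says a few locals were updated, but that was done only in the find_first_* variants. The same line is left unchanged in find_next_bit() at the end of the last hunk. Unless the rest of the body (outside the hunk) relies on `res` going negative, `unsigned long bit = offset & 31UL, res;` would make the two families consistent and avoid signed/unsigned mixing against `size`.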
+@@ -385,11 +386,12 @@ static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+ }
+ #define find_next_zero_bit find_next_zero_bit
+
+-static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
++static inline unsigned long find_first_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -410,8 +412,9 @@ static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
+ }
+ #define find_first_bit find_first_bit
+
+-static inline int find_next_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_bit(const unsigned long *vaddr,
++ unsigned long size,
++ unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
+--
+2.51.0
+
--- /dev/null
+From b386cf61d294a4a9e9fcb4a136191aa97e336e06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:37:07 +0200
+Subject: nios2: ensure that memblock.current_limit is set when setting pfn
+ limits
+
+From: Simon Schuster <schuster.simon@siemens-energy.com>
+
+[ Upstream commit a20b83cf45be2057f3d073506779e52c7fa17f94 ]
+
+On nios2, with CONFIG_FLATMEM set, the kernel relies on
+memblock_get_current_limit() to determine the limits of mem_map, in
+particular for max_low_pfn.
+Unfortunately, memblock.current_limit is only default initialized to
+MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading
+to situations where max_low_pfn can erroneously exceed the value of
+max_pfn and, thus, the valid range of available DRAM.
+
+This can in turn cause kernel-level paging failures, e.g.:
+
+[ 76.900000] Unable to handle kernel paging request at virtual address 20303000
+[ 76.900000] ea = c0080890, ra = c000462c, cause = 14
+[ 76.900000] Kernel panic - not syncing: Oops
+[ 76.900000] ---[ end Kernel panic - not syncing: Oops ]---
+
+This patch fixes this by pre-calculating memblock.current_limit
+based on the upper limits of the available memory ranges via
+adjust_lowmem_bounds, a simplified version of the equivalent
+implementation within the arm architecture.
+
+Signed-off-by: Simon Schuster <schuster.simon@siemens-energy.com>
+Signed-off-by: Andreas Oetken <andreas.oetken@siemens-energy.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/nios2/kernel/setup.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/arch/nios2/kernel/setup.c b/arch/nios2/kernel/setup.c
+index 40bc8fb75e0b5..e2fc4b59d93ea 100644
+--- a/arch/nios2/kernel/setup.c
++++ b/arch/nios2/kernel/setup.c
+@@ -147,6 +147,20 @@ static void __init find_limits(unsigned long *min, unsigned long *max_low,
+ *max_high = PFN_DOWN(memblock_end_of_DRAM());
+ }
+
++static void __init adjust_lowmem_bounds(void)
++{
++ phys_addr_t block_start, block_end;
++ u64 i;
++ phys_addr_t memblock_limit = 0;
++
++ for_each_mem_range(i, &block_start, &block_end) {
++ if (block_end > memblock_limit)
++ memblock_limit = block_end;
++ }
++
++ memblock_set_current_limit(memblock_limit);
++}
++
+ void __init setup_arch(char **cmdline_p)
+ {
+ console_verbose();
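Review bot: adjust_lowmem_bounds() has no comment explaining what it is for, and the name (borrowed from arm) does not say that its only effect is to set memblock.current_limit to the end of the highest memory range. Suggested header comment: `/* FLATMEM find_limits() derives max_low_pfn from memblock.current_limit, which is still MEMBLOCK_ALLOC_ANYWHERE this early; cap it at the end of the highest memory range first. */`. That also records the ordering dependency on the call added in the next hunk, which must stay ahead of find_limits(). When no memory range has been registered, memblock_limit stays 0 and is installed as the limit — presumably unreachable on a booting system, but worth a one-line comment or a guard.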
+@@ -160,6 +174,7 @@ void __init setup_arch(char **cmdline_p)
+ /* Keep a copy of command line */
+ *cmdline_p = boot_command_line;
+
++ adjust_lowmem_bounds();
+ find_limits(&min_low_pfn, &max_low_pfn, &max_pfn);
+ max_mapnr = max_low_pfn;
+
+--
+2.51.0
+
--- /dev/null
+From 693f886a7ef196bbb685e32f3622453163301ec8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Sep 2025 12:03:49 +0200
+Subject: powerpc/32: Remove PAGE_KERNEL_TEXT to fix startup failure
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 9316512b717f6f25c4649b3fdb0a905b6a318e9f ]
+
+PAGE_KERNEL_TEXT is an old macro that is used to tell kernel whether
+kernel text has to be mapped read-only or read-write based on build
+time options.
+
+But nowadays, with functionalities like jump_labels, static links,
+etc ... more or less all kernels need to be read-write at some
+point, and some combinations of configs failed to work due to
+inaccurate setting of PAGE_KERNEL_TEXT. On the other hand, today
+we have CONFIG_STRICT_KERNEL_RWX which implements a more controlled
+access to kernel modifications.
+
+Instead of trying to keep PAGE_KERNEL_TEXT accurate with all
+possible options that may imply kernel text modification, always
+set kernel text read-write at startup and rely on
+CONFIG_STRICT_KERNEL_RWX to provide accurate protection.
+
+Do this by passing PAGE_KERNEL_X to map_kernel_page() in
+__maping_ram_chunk() instead of passing PAGE_KERNEL_TEXT. Once
+this is done, the only remaining user of PAGE_KERNEL_TEXT is
+mmu_mark_initmem_nx() which uses it in a call to setibat().
+As setibat() ignores the RW/RO, we can seamlessly replace
+PAGE_KERNEL_TEXT by PAGE_KERNEL_X here as well and get rid of
+PAGE_KERNEL_TEXT completely.
+
+Reported-by: Erhard Furtner <erhard_f@mailbox.org>
+Closes: https://lore.kernel.org/all/342b4120-911c-4723-82ec-d8c9b03a8aef@mailbox.org/
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Tested-by: Andrew Donnellan <ajd@linux.ibm.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/8e2d793abf87ae3efb8f6dce10f974ac0eda61b8.1757412205.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/pgtable.h | 12 ------------
+ arch/powerpc/mm/book3s32/mmu.c | 4 ++--
+ arch/powerpc/mm/pgtable_32.c | 2 +-
+ 3 files changed, 3 insertions(+), 15 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/pgtable.h b/arch/powerpc/include/asm/pgtable.h
+index 9972626ddaf68..eda12ceacb55a 100644
+--- a/arch/powerpc/include/asm/pgtable.h
++++ b/arch/powerpc/include/asm/pgtable.h
+@@ -20,18 +20,6 @@ struct mm_struct;
+ #include <asm/nohash/pgtable.h>
+ #endif /* !CONFIG_PPC_BOOK3S */
+
+-/*
+- * Protection used for kernel text. We want the debuggers to be able to
+- * set breakpoints anywhere, so don't write protect the kernel text
+- * on platforms where such control is possible.
+- */
+-#if defined(CONFIG_KGDB) || defined(CONFIG_XMON) || defined(CONFIG_BDI_SWITCH) || \
+- defined(CONFIG_KPROBES) || defined(CONFIG_DYNAMIC_FTRACE)
+-#define PAGE_KERNEL_TEXT PAGE_KERNEL_X
+-#else
+-#define PAGE_KERNEL_TEXT PAGE_KERNEL_ROX
+-#endif
+-
+ /* Make modules code happy. We don't set RO yet */
+ #define PAGE_KERNEL_EXEC PAGE_KERNEL_X
+
+diff --git a/arch/powerpc/mm/book3s32/mmu.c b/arch/powerpc/mm/book3s32/mmu.c
+index 850783cfa9c73..1b1848761a000 100644
+--- a/arch/powerpc/mm/book3s32/mmu.c
++++ b/arch/powerpc/mm/book3s32/mmu.c
+@@ -204,7 +204,7 @@ void mmu_mark_initmem_nx(void)
+
+ for (i = 0; i < nb - 1 && base < top;) {
+ size = bat_block_size(base, top);
+- setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_TEXT);
++ setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_X);
+ base += size;
+ }
+ if (base < top) {
+@@ -215,7 +215,7 @@ void mmu_mark_initmem_nx(void)
+ pr_warn("Some RW data is getting mapped X. "
+ "Adjust CONFIG_DATA_SHIFT to avoid that.\n");
+ }
+- setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_TEXT);
++ setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_X);
+ base += size;
+ }
+ for (; i < nb; i++)
+diff --git a/arch/powerpc/mm/pgtable_32.c b/arch/powerpc/mm/pgtable_32.c
+index 5c02fd08d61ef..69fac96c2dcd1 100644
+--- a/arch/powerpc/mm/pgtable_32.c
++++ b/arch/powerpc/mm/pgtable_32.c
+@@ -109,7 +109,7 @@ static void __init __mapin_ram_chunk(unsigned long offset, unsigned long top)
+ p = memstart_addr + s;
+ for (; s < top; s += PAGE_SIZE) {
+ ktext = core_kernel_text(v);
+- map_kernel_page(v, p, ktext ? PAGE_KERNEL_TEXT : PAGE_KERNEL);
++ map_kernel_page(v, p, ktext ? PAGE_KERNEL_X : PAGE_KERNEL);
+ v += PAGE_SIZE;
+ p += PAGE_SIZE;
+ }
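Review bot: The new map_kernel_page() argument maps kernel text writable as well as executable at boot, and nothing in the code says this is deliberate; a later reader seeing RW+X on text could "fix" it back and reintroduce the startup failure this commit addresses. I would add above the call: `/* Text is deliberately mapped RW+X here; CONFIG_STRICT_KERNEL_RWX applies the RO protection later. */`. __mapin_ram_chunk() begins outside the hunk.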
+--
+2.51.0
+
hid-multitouch-fix-name-of-stylus-input-devices.patch
hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch
pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch
+exec-fix-incorrect-type-for-ret.patch
+nios2-ensure-that-memblock.current_limit-is-set-when.patch
+hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
+hfs-make-proper-initalization-of-struct-hfs_find_dat.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch
+hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch
+dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch
+hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch
+hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
+lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch
+m68k-bitops-fix-find_-_bit-signatures.patch
+powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch
+smb-server-let-smb_direct_flush_send_list-invalidate.patch
--- /dev/null
+From 4550a62dea60fe761785cf76cb7919b9be41276d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Sep 2025 22:22:35 +0200
+Subject: smb: server: let smb_direct_flush_send_list() invalidate a remote key
+ first
+
+From: Stefan Metzmacher <metze@samba.org>
+
+[ Upstream commit 1b53426334c3c942db47e0959a2527a4f815af50 ]
+
+If we want to invalidate a remote key we should do that as soon as
+possible, so do it in the first send work request.
+
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Cc: Steve French <smfrench@gmail.com>
+Cc: Tom Talpey <tom@talpey.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: samba-technical@lists.samba.org
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/transport_rdma.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c
+index af1c41f922bb3..81da8a5c1e0db 100644
+--- a/fs/smb/server/transport_rdma.c
++++ b/fs/smb/server/transport_rdma.c
+@@ -933,12 +933,15 @@ static int smb_direct_flush_send_list(struct smb_direct_transport *t,
+ struct smb_direct_sendmsg,
+ list);
+
++ if (send_ctx->need_invalidate_rkey) {
++ first->wr.opcode = IB_WR_SEND_WITH_INV;
++ first->wr.ex.invalidate_rkey = send_ctx->remote_key;
++ send_ctx->need_invalidate_rkey = false;
++ send_ctx->remote_key = 0;
++ }
++
+ last->wr.send_flags = IB_SEND_SIGNALED;
+ last->wr.wr_cqe = &last->cqe;
+- if (is_last && send_ctx->need_invalidate_rkey) {
+- last->wr.opcode = IB_WR_SEND_WITH_INV;
+- last->wr.ex.invalidate_rkey = send_ctx->remote_key;
+- }
+
+ ret = smb_direct_post_send(t, &first->wr);
+ if (!ret) {
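Review bot: `need_invalidate_rkey` and `remote_key` are reset inside the new block before `smb_direct_post_send()` is called, so if the post fails the invalidation request is already forgotten and `first->wr.opcode` stays `IB_WR_SEND_WITH_INV` for any later use of that message; whether that matters depends on the failure path, which continues outside the hunk. If a failed post always tears the transport down, a short comment saying so would justify the early reset; otherwise moving the two resets under `if (!ret)` keeps the intent recoverable. Dropping the old `is_last` guard matches the description, but a one-line comment `/* Invalidate on the first send so the peer loses access as early as possible */` would record why the first WR, not the last, now carries it.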
+--
+2.51.0
+
--- /dev/null
+From 4d79ad7da8c6cd79b200e58bdcef5364e5698e44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 10:51:42 +0100
+Subject: arm64: sysreg: Correct sign definitions for EIESB and DoubleLock
+
+From: Fuad Tabba <tabba@google.com>
+
+[ Upstream commit f4d4ebc84995178273740f3e601e97fdefc561d2 ]
+
+The `ID_AA64MMFR4_EL1.EIESB` field, is an unsigned enumeration, but was
+incorrectly defined as a `SignedEnum` when introduced in commit
+cfc680bb04c5 ("arm64: sysreg: Add layout for ID_AA64MMFR4_EL1"). This is
+corrected to `UnsignedEnum`.
+
+Conversely, the `ID_AA64DFR0_EL1.DoubleLock` field, is a signed
+enumeration, but was incorrectly defined as an `UnsignedEnum`. This is
+corrected to `SignedEnum`, which wasn't correctly set when annotated as
+such in commit ad16d4cf0b4f ("arm64/sysreg: Initial unsigned annotations
+for ID registers").
+
+Signed-off-by: Fuad Tabba <tabba@google.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/tools/sysreg | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/tools/sysreg b/arch/arm64/tools/sysreg
+index 362bcfa0aed18..5127d3d3b8677 100644
+--- a/arch/arm64/tools/sysreg
++++ b/arch/arm64/tools/sysreg
+@@ -1213,7 +1213,7 @@ UnsignedEnum 43:40 TraceFilt
+ 0b0000 NI
+ 0b0001 IMP
+ EndEnum
+-UnsignedEnum 39:36 DoubleLock
++SignedEnum 39:36 DoubleLock
+ 0b0000 IMP
+ 0b1111 NI
+ EndEnum
+@@ -1861,7 +1861,7 @@ UnsignedEnum 11:8 ASID2
+ 0b0000 NI
+ 0b0001 IMP
+ EndEnum
+-SignedEnum 7:4 EIESB
++UnsignedEnum 7:4 EIESB
+ 0b0000 NI
+ 0b0001 ToEL3
+ 0b0010 ToELx
+--
+2.51.0
+
--- /dev/null
+From eba4f3edaa473a20133488c4893cc6c81e546655 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 20:53:50 +0700
+Subject: binfmt_elf: preserve original ELF e_flags for core dumps
+
+From: Svetlana Parfenova <svetlana.parfenova@syntacore.com>
+
+[ Upstream commit 8c94db0ae97c72c253a615f990bd466b456e94f6 ]
+
+Some architectures, such as RISC-V, use the ELF e_flags field to encode
+ABI-specific information (e.g., ISA extensions, fpu support). Debuggers
+like GDB rely on these flags in core dumps to correctly interpret
+optional register sets. If the flags are missing or incorrect, GDB may
+warn and ignore valid data, for example:
+
+ warning: Unexpected size of section '.reg2/213' in core file.
+
+This can prevent access to fpu or other architecture-specific registers
+even when they were dumped.
+
+Save the e_flags field during ELF binary loading (in load_elf_binary())
+into the mm_struct, and later retrieve it during core dump generation
+(in fill_note_info()). Kconfig option CONFIG_ARCH_HAS_ELF_CORE_EFLAGS
+is introduced for architectures that require this behaviour.
+
+Signed-off-by: Svetlana Parfenova <svetlana.parfenova@syntacore.com>
+Link: https://lore.kernel.org/r/20250901135350.619485-1-svetlana.parfenova@syntacore.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/Kconfig | 1 +
+ fs/Kconfig.binfmt | 9 +++++++++
+ fs/binfmt_elf.c | 40 ++++++++++++++++++++++++++++++++++------
+ include/linux/mm_types.h | 5 +++++
+ 4 files changed, 49 insertions(+), 6 deletions(-)
+
+diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
+index d160c3b830266..ab6d0321d8e61 100644
+--- a/arch/riscv/Kconfig
++++ b/arch/riscv/Kconfig
+@@ -28,6 +28,7 @@ config RISCV
+ select ARCH_HAS_DEBUG_VIRTUAL if MMU
+ select ARCH_HAS_DEBUG_VM_PGTABLE
+ select ARCH_HAS_DEBUG_WX
++ select ARCH_HAS_ELF_CORE_EFLAGS
+ select ARCH_HAS_FAST_MULTIPLIER
+ select ARCH_HAS_FORTIFY_SOURCE
+ select ARCH_HAS_GCOV_PROFILE_ALL
+diff --git a/fs/Kconfig.binfmt b/fs/Kconfig.binfmt
+index bd2f530e57408..1949e25c7741b 100644
+--- a/fs/Kconfig.binfmt
++++ b/fs/Kconfig.binfmt
+@@ -184,4 +184,13 @@ config EXEC_KUNIT_TEST
+ This builds the exec KUnit tests, which tests boundary conditions
+ of various aspects of the exec internals.
+
++config ARCH_HAS_ELF_CORE_EFLAGS
++ bool
++ depends on BINFMT_ELF && ELF_CORE
++ default n
++ help
++ Select this option if the architecture makes use of the e_flags
++ field in the ELF header to store ABI or other architecture-specific
++ information that should be preserved in core dumps.
++
+ endmenu
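Review bot: `ARCH_HAS_ELF_CORE_EFLAGS` carries `depends on BINFMT_ELF && ELF_CORE` but is enabled via `select` from arch/riscv/Kconfig in the preceding hunk, and `select` does not honour `depends on`, so a RISC-V configuration without ELF_CORE (e.g. COREDUMP disabled) will emit an "unmet direct dependencies" warning. Either drop the `depends on` line (the symbol appears harmless without ELF_CORE, since the accessors only store and read a field) or change the arch line to `select ARCH_HAS_ELF_CORE_EFLAGS if ELF_CORE`. `default n` is already the implicit default for a `bool` and can be removed.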
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 47335a0f4a618..b37f2a3d58de2 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -110,6 +110,21 @@ static struct linux_binfmt elf_format = {
+
+ #define BAD_ADDR(x) (unlikely((unsigned long)(x) >= TASK_SIZE))
+
++static inline void elf_coredump_set_mm_eflags(struct mm_struct *mm, u32 flags)
++{
++#ifdef CONFIG_ARCH_HAS_ELF_CORE_EFLAGS
++ mm->saved_e_flags = flags;
++#endif
++}
++
++static inline u32 elf_coredump_get_mm_eflags(struct mm_struct *mm, u32 flags)
++{
++#ifdef CONFIG_ARCH_HAS_ELF_CORE_EFLAGS
++ flags = mm->saved_e_flags;
++#endif
++ return flags;
++}
++
+ /*
+ * We need to explicitly zero any trailing portion of the page that follows
+ * p_filesz when it ends before the page ends (e.g. bss), otherwise this
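Review bot: The new accessors take and return `u32`, while the backing field added in the include/linux/mm_types.h hunk is declared `unsigned long saved_e_flags`; ELF `e_flags` is a 32-bit word, so `u32 saved_e_flags;` would match the helpers and avoid the silent widening on store and narrowing on load. `elf_coredump_get_mm_eflags()` never writes through `mm` and could take `const struct mm_struct *mm`. A one-line comment on each helper noting that both are no-ops unless `CONFIG_ARCH_HAS_ELF_CORE_EFLAGS` is set would help, since the `#ifdef` inside a `static inline` is easy to overlook.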
+@@ -1292,6 +1307,8 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ mm->end_data = end_data;
+ mm->start_stack = bprm->p;
+
++ elf_coredump_set_mm_eflags(mm, elf_ex->e_flags);
++
+ /**
+ * DOC: "brk" handling
+ *
+@@ -1865,6 +1882,8 @@ static int fill_note_info(struct elfhdr *elf, int phdrs,
+ struct elf_thread_core_info *t;
+ struct elf_prpsinfo *psinfo;
+ struct core_thread *ct;
++ u16 machine;
++ u32 flags;
+
+ psinfo = kmalloc(sizeof(*psinfo), GFP_KERNEL);
+ if (!psinfo)
+@@ -1892,17 +1911,26 @@ static int fill_note_info(struct elfhdr *elf, int phdrs,
+ return 0;
+ }
+
+- /*
+- * Initialize the ELF file header.
+- */
+- fill_elf_header(elf, phdrs,
+- view->e_machine, view->e_flags);
++ machine = view->e_machine;
++ flags = view->e_flags;
+ #else
+ view = NULL;
+ info->thread_notes = 2;
+- fill_elf_header(elf, phdrs, ELF_ARCH, ELF_CORE_EFLAGS);
++ machine = ELF_ARCH;
++ flags = ELF_CORE_EFLAGS;
+ #endif
+
++ /*
++ * Override ELF e_flags with value taken from process,
++ * if arch needs that.
++ */
++ flags = elf_coredump_get_mm_eflags(dump_task->mm, flags);
++
++ /*
++ * Initialize the ELF file header.
++ */
++ fill_elf_header(elf, phdrs, machine, flags);
++
+ /*
+ * Allocate a structure for each thread.
+ */
+diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
+index 6894de506b364..d0a075f3fc2d4 100644
+--- a/include/linux/mm_types.h
++++ b/include/linux/mm_types.h
+@@ -955,6 +955,11 @@ struct mm_struct {
+
+ unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */
+
++#ifdef CONFIG_ARCH_HAS_ELF_CORE_EFLAGS
++ /* the ABI-related flags from the ELF header. Used for core dump */
++ unsigned long saved_e_flags;
++#endif
++
+ struct percpu_counter rss_stat[NR_MM_COUNTERS];
+
+ struct linux_binfmt *binfmt;
+--
+2.51.0
+
--- /dev/null
+From c17f4964f2c8763bb712c615ef59e50d4e15d2b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 17:07:00 -0700
+Subject: bpf: Replace bpf_map_kmalloc_node() with kmalloc_nolock() to allocate
+ bpf_async_cb structures.
+
+From: Alexei Starovoitov <ast@kernel.org>
+
+[ Upstream commit 5fb750e8a9ae123b2034771b864b8a21dbef65cd ]
+
+The following kmemleak splat:
+
+[ 8.105530] kmemleak: Trying to color unknown object at 0xff11000100e918c0 as Black
+[ 8.106521] Call Trace:
+[ 8.106521] <TASK>
+[ 8.106521] dump_stack_lvl+0x4b/0x70
+[ 8.106521] kvfree_call_rcu+0xcb/0x3b0
+[ 8.106521] ? hrtimer_cancel+0x21/0x40
+[ 8.106521] bpf_obj_free_fields+0x193/0x200
+[ 8.106521] htab_map_update_elem+0x29c/0x410
+[ 8.106521] bpf_prog_cfc8cd0f42c04044_overwrite_cb+0x47/0x4b
+[ 8.106521] bpf_prog_8c30cd7c4db2e963_overwrite_timer+0x65/0x86
+[ 8.106521] bpf_prog_test_run_syscall+0xe1/0x2a0
+
+happens due to the combination of features and fixes, but mainly due to
+commit 6d78b4473cdb ("bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()")
+It's using __GFP_HIGH, which instructs slub/kmemleak internals to skip
+kmemleak_alloc_recursive() on allocation, so subsequent kfree_rcu()->
+kvfree_call_rcu()->kmemleak_ignore() complains with the above splat.
+
+To fix this imbalance, replace bpf_map_kmalloc_node() with
+kmalloc_nolock() and kfree_rcu() with call_rcu() + kfree_nolock() to
+make sure that the objects allocated with kmalloc_nolock() are freed
+with kfree_nolock() rather than the implicit kfree() that kfree_rcu()
+uses internally.
+
+Note, the kmalloc_nolock() happens under bpf_spin_lock_irqsave(), so
+it will always fail in PREEMPT_RT. This is not an issue at the moment,
+since bpf_timers are disabled in PREEMPT_RT. In the future
+bpf_spin_lock will be replaced with state machine similar to
+bpf_task_work.
+
+Fixes: 6d78b4473cdb ("bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()")
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Shakeel Butt <shakeel.butt@linux.dev>
+Acked-by: Harry Yoo <harry.yoo@oracle.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: linux-mm@kvack.org
+Link: https://lore.kernel.org/bpf/20251015000700.28988-1-alexei.starovoitov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf.h | 4 ++++
+ kernel/bpf/helpers.c | 25 ++++++++++++++-----------
+ kernel/bpf/syscall.c | 15 +++++++++++++++
+ 3 files changed, 33 insertions(+), 11 deletions(-)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index e8d9803cc6756..c7c23b8e5657e 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -2321,6 +2321,8 @@ int bpf_map_alloc_pages(const struct bpf_map *map, gfp_t gfp, int nid,
+ #ifdef CONFIG_MEMCG
+ void *bpf_map_kmalloc_node(const struct bpf_map *map, size_t size, gfp_t flags,
+ int node);
++void *bpf_map_kmalloc_nolock(const struct bpf_map *map, size_t size, gfp_t flags,
++ int node);
+ void *bpf_map_kzalloc(const struct bpf_map *map, size_t size, gfp_t flags);
+ void *bpf_map_kvcalloc(struct bpf_map *map, size_t n, size_t size,
+ gfp_t flags);
+@@ -2333,6 +2335,8 @@ void __percpu *bpf_map_alloc_percpu(const struct bpf_map *map, size_t size,
+ */
+ #define bpf_map_kmalloc_node(_map, _size, _flags, _node) \
+ kmalloc_node(_size, _flags, _node)
++#define bpf_map_kmalloc_nolock(_map, _size, _flags, _node) \
++ kmalloc_nolock(_size, _flags, _node)
+ #define bpf_map_kzalloc(_map, _size, _flags) \
+ kzalloc(_size, _flags)
+ #define bpf_map_kvcalloc(_map, _n, _size, _flags) \
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index a0bf39b7359aa..5c97dbc6c30d5 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -1221,13 +1221,20 @@ static void bpf_wq_work(struct work_struct *work)
+ rcu_read_unlock_trace();
+ }
+
++static void bpf_async_cb_rcu_free(struct rcu_head *rcu)
++{
++ struct bpf_async_cb *cb = container_of(rcu, struct bpf_async_cb, rcu);
++
++ kfree_nolock(cb);
++}
++
+ static void bpf_wq_delete_work(struct work_struct *work)
+ {
+ struct bpf_work *w = container_of(work, struct bpf_work, delete_work);
+
+ cancel_work_sync(&w->work);
+
+- kfree_rcu(w, cb.rcu);
++ call_rcu(&w->cb.rcu, bpf_async_cb_rcu_free);
+ }
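Review bot: `bpf_async_cb_rcu_free()` hands the address of the embedded `struct bpf_async_cb` to `kfree_nolock()`, whereas the replaced `kfree_rcu(w, cb.rcu)` / `kfree_rcu(t, cb.rcu)` freed the enclosing `bpf_work` / `bpf_hrtimer` object; that is only correct if `cb` is the first member of both containers, which the hunk does not show. Pinning it with `BUILD_BUG_ON(offsetof(struct bpf_hrtimer, cb) != 0);` and `BUILD_BUG_ON(offsetof(struct bpf_work, cb) != 0);` (or a comment on the function stating the requirement) would keep a later field reordering from turning this into a bad free. The same callback is used at the `call_rcu()` sites in bpf_timer_delete_work() and bpf_timer_cancel_and_free() further down.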
+
+ static void bpf_timer_delete_work(struct work_struct *work)
+@@ -1236,13 +1243,13 @@ static void bpf_timer_delete_work(struct work_struct *work)
+
+ /* Cancel the timer and wait for callback to complete if it was running.
+ * If hrtimer_cancel() can be safely called it's safe to call
+- * kfree_rcu(t) right after for both preallocated and non-preallocated
++ * call_rcu() right after for both preallocated and non-preallocated
+ * maps. The async->cb = NULL was already done and no code path can see
+ * address 't' anymore. Timer if armed for existing bpf_hrtimer before
+ * bpf_timer_cancel_and_free will have been cancelled.
+ */
+ hrtimer_cancel(&t->timer);
+- kfree_rcu(t, cb.rcu);
++ call_rcu(&t->cb.rcu, bpf_async_cb_rcu_free);
+ }
+
+ static int __bpf_async_init(struct bpf_async_kern *async, struct bpf_map *map, u64 flags,
+@@ -1276,11 +1283,7 @@ static int __bpf_async_init(struct bpf_async_kern *async, struct bpf_map *map, u
+ goto out;
+ }
+
+- /* Allocate via bpf_map_kmalloc_node() for memcg accounting. Until
+- * kmalloc_nolock() is available, avoid locking issues by using
+- * __GFP_HIGH (GFP_ATOMIC & ~__GFP_RECLAIM).
+- */
+- cb = bpf_map_kmalloc_node(map, size, __GFP_HIGH, map->numa_node);
++ cb = bpf_map_kmalloc_nolock(map, size, 0, map->numa_node);
+ if (!cb) {
+ ret = -ENOMEM;
+ goto out;
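Review bot: The comment explaining the allocation was removed and nothing replaced it, so the caveat given only in the commit message (the call runs under `bpf_spin_lock_irqsave()` and `kmalloc_nolock()` always fails there on PREEMPT_RT, which is tolerable only because bpf_timers are disabled on RT) is lost at the call site. Suggest restoring it as `/* Called under bpf_spin_lock_irqsave(): kmalloc_nolock() always fails on PREEMPT_RT, where bpf_timers are disabled anyway. */` above the `bpf_map_kmalloc_nolock()` line. `__bpf_async_init()` begins and ends outside the hunk.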
+@@ -1322,7 +1325,7 @@ static int __bpf_async_init(struct bpf_async_kern *async, struct bpf_map *map, u
+ * or pinned in bpffs.
+ */
+ WRITE_ONCE(async->cb, NULL);
+- kfree(cb);
++ kfree_nolock(cb);
+ ret = -EPERM;
+ }
+ out:
+@@ -1587,7 +1590,7 @@ void bpf_timer_cancel_and_free(void *val)
+ * timer _before_ calling us, such that failing to cancel it here will
+ * cause it to possibly use struct hrtimer after freeing bpf_hrtimer.
+ * Therefore, we _need_ to cancel any outstanding timers before we do
+- * kfree_rcu, even though no more timers can be armed.
++ * call_rcu, even though no more timers can be armed.
+ *
+ * Moreover, we need to schedule work even if timer does not belong to
+ * the calling callback_fn, as on two different CPUs, we can end up in a
+@@ -1614,7 +1617,7 @@ void bpf_timer_cancel_and_free(void *val)
+ * completion.
+ */
+ if (hrtimer_try_to_cancel(&t->timer) >= 0)
+- kfree_rcu(t, cb.rcu);
++ call_rcu(&t->cb.rcu, bpf_async_cb_rcu_free);
+ else
+ queue_work(system_unbound_wq, &t->cb.delete_work);
+ } else {
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index ba4543e771a6e..af6e6a7e71572 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -428,6 +428,21 @@ void *bpf_map_kmalloc_node(const struct bpf_map *map, size_t size, gfp_t flags,
+ return ptr;
+ }
+
++void *bpf_map_kmalloc_nolock(const struct bpf_map *map, size_t size, gfp_t flags,
++ int node)
++{
++ struct mem_cgroup *memcg, *old_memcg;
++ void *ptr;
++
++ memcg = bpf_map_get_memcg(map);
++ old_memcg = set_active_memcg(memcg);
++ ptr = kmalloc_nolock(size, flags | __GFP_ACCOUNT, node);
++ set_active_memcg(old_memcg);
++ mem_cgroup_put(memcg);
++
++ return ptr;
++}
++
+ void *bpf_map_kzalloc(const struct bpf_map *map, size_t size, gfp_t flags)
+ {
+ struct mem_cgroup *memcg, *old_memcg;
+--
+2.51.0
+
--- /dev/null
+From b9b1ab6dc0b7b4b071fe00bef98bd7141d93f445 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 11:21:52 -0400
+Subject: dlm: check for defined force value in dlm_lockspace_release
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 6af515c9f3ccec3eb8a262ca86bef2c499d07951 ]
+
+Force values over 3 are undefined, so don't treat them as 3.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index 8afac6e2dff00..7b4b6977dcd66 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -730,7 +730,7 @@ static int release_lockspace(struct dlm_ls *ls, int force)
+
+ dlm_device_deregister(ls);
+
+- if (force < 3 && dlm_user_daemon_available())
++ if (force != 3 && dlm_user_daemon_available())
+ do_uevent(ls, 0);
+
+ dlm_recoverd_stop(ls);
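Review bot: With `force != 3`, any value outside 0..3 is now treated as a non-forced release (the uevent is sent) where before it was treated as forced; the description calls such values undefined, yet the new test still accepts them silently rather than rejecting them. If any caller can pass an out-of-range value, a guard near the top of release_lockspace(), which is outside the hunk, would make the contract explicit, e.g. `if (WARN_ON_ONCE(force < 0 || force > 3)) return -EINVAL;`. Otherwise a one-line comment at the test, `/* force == 3 is the only value that skips the uevent */`, records the intent.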
+--
+2.51.0
+
--- /dev/null
+From f342a273914d1e74afe0b9e68d50e8f5e740da2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 18:14:19 +0800
+Subject: drivers/perf: hisi: Relax the event ID check in the framework
+
+From: Yicong Yang <yangyicong@hisilicon.com>
+
+[ Upstream commit 43de0ac332b815cf56dbdce63687de9acfd35d49 ]
+
+Event ID is only using the attr::config bit [7, 0] but we check the
+event range using the whole 64bit field. It blocks the usage of the
+rest field of attr::config. Relax the check by only using the
+bit [7, 0].
+
+Acked-by: Jonathan Cameron <jonathan.cameron@huawei.com>
+Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
+Signed-off-by: Yushan Wang <wangyushan12@huawei.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/hisilicon/hisi_uncore_pmu.c | 2 +-
+ drivers/perf/hisilicon/hisi_uncore_pmu.h | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/perf/hisilicon/hisi_uncore_pmu.c b/drivers/perf/hisilicon/hisi_uncore_pmu.c
+index 918cdc31de572..e37682b280db5 100644
+--- a/drivers/perf/hisilicon/hisi_uncore_pmu.c
++++ b/drivers/perf/hisilicon/hisi_uncore_pmu.c
+@@ -198,7 +198,7 @@ int hisi_uncore_pmu_event_init(struct perf_event *event)
+ return -EINVAL;
+
+ hisi_pmu = to_hisi_pmu(event->pmu);
+- if (event->attr.config > hisi_pmu->check_event)
++ if ((event->attr.config & HISI_EVENTID_MASK) > hisi_pmu->check_event)
+ return -EINVAL;
+
+ if (hisi_pmu->on_cpu == -1)
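Review bot: Masking with `HISI_EVENTID_MASK` before the range check means bits 8..63 of `attr.config` are now accepted with no validation at all, so whatever userspace places there becomes part of the ABI even before the driver interprets it. If only specific fields above bit 7 are intended to be usable, rejecting unknown bits (e.g. `if (event->attr.config & ~supported_mask) return -EINVAL;`, with the mask defined per PMU) keeps the option of validating them later without breaking existing users. The filter-field definitions that would make up such a mask are not in this hunk, so this may already be covered elsewhere.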
+diff --git a/drivers/perf/hisilicon/hisi_uncore_pmu.h b/drivers/perf/hisilicon/hisi_uncore_pmu.h
+index 25b2d43b72bf9..ab5d54170b416 100644
+--- a/drivers/perf/hisilicon/hisi_uncore_pmu.h
++++ b/drivers/perf/hisilicon/hisi_uncore_pmu.h
+@@ -43,7 +43,8 @@
+ return FIELD_GET(GENMASK_ULL(hi, lo), event->attr.config); \
+ }
+
+-#define HISI_GET_EVENTID(ev) (ev->hw.config_base & 0xff)
++#define HISI_EVENTID_MASK GENMASK(7, 0)
++#define HISI_GET_EVENTID(ev) ((ev)->hw.config_base & HISI_EVENTID_MASK)
+
+ #define HISI_PMU_EVTYPE_BITS 8
+ #define HISI_PMU_EVTYPE_SHIFT(idx) ((idx) % 4 * HISI_PMU_EVTYPE_BITS)
+--
+2.51.0
+
--- /dev/null
+From e147c1cd5d6680b5527973eb820fd009348cca88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Aug 2025 15:36:09 +0800
+Subject: exec: Fix incorrect type for ret
+
+From: Xichao Zhao <zhao.xichao@vivo.com>
+
+[ Upstream commit 5e088248375d171b80c643051e77ade6b97bc386 ]
+
+In the setup_arg_pages(), ret is declared as an unsigned long.
+The ret might take a negative value. Therefore, its type should
+be changed to int.
+
+Signed-off-by: Xichao Zhao <zhao.xichao@vivo.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20250825073609.219855-1-zhao.xichao@vivo.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index d607943729638..030240d99ab7c 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -717,7 +717,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ unsigned long stack_top,
+ int executable_stack)
+ {
+- unsigned long ret;
++ int ret;
+ unsigned long stack_shift;
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma = bprm->vma;
+--
+2.51.0
+
--- /dev/null
+From e3883d69abd63774315b857bd3eb75e6326e5b35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Aug 2025 23:34:03 +0200
+Subject: gfs2: Fix unlikely race in gdlm_put_lock
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit 28c4d9bc0708956c1a736a9e49fee71b65deee81 ]
+
+In gdlm_put_lock(), there is a small window of time in which the
+DFL_UNMOUNT flag has been set but the lockspace hasn't been released,
+yet. In that window, dlm may still call gdlm_ast() and gdlm_bast().
+To prevent it from dereferencing freed glock objects, only free the
+glock if the lockspace has actually been released.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Reviewed-by: Andrew Price <anprice@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/lock_dlm.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/fs/gfs2/lock_dlm.c b/fs/gfs2/lock_dlm.c
+index 9e27dd8bef88d..38ea69ca2303d 100644
+--- a/fs/gfs2/lock_dlm.c
++++ b/fs/gfs2/lock_dlm.c
+@@ -321,12 +321,6 @@ static void gdlm_put_lock(struct gfs2_glock *gl)
+ gfs2_sbstats_inc(gl, GFS2_LKS_DCOUNT);
+ gfs2_update_request_times(gl);
+
+- /* don't want to call dlm if we've unmounted the lock protocol */
+- if (test_bit(DFL_UNMOUNT, &ls->ls_recover_flags)) {
+- gfs2_glock_free(gl);
+- return;
+- }
+-
+ /*
+ * When the lockspace is released, all remaining glocks will be
+ * unlocked automatically. This is more efficient than unlocking them
+@@ -348,6 +342,11 @@ static void gdlm_put_lock(struct gfs2_glock *gl)
+ goto again;
+ }
+
++ if (error == -ENODEV) {
++ gfs2_glock_free(gl);
++ return;
++ }
++
+ if (error) {
+ fs_err(sdp, "gdlm_unlock %x,%llx err=%d\n",
+ gl->gl_name.ln_type,
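Review bot: The new `-ENODEV` branch replaces the removed `DFL_UNMOUNT` early return, but nothing in the code says why `-ENODEV` from `dlm_unlock()` is the point at which freeing the glock is safe; a comment carrying the commit rationale would help, e.g. `/* -ENODEV: the lockspace has been released, so dlm can no longer call gdlm_ast()/gdlm_bast() on this glock; free it now. */`. The branch also returns before the `fs_err()` below, which is presumably deliberate since a released lockspace is not an error worth logging; saying so in the comment avoids the question. gdlm_put_lock() and the `goto again` retry loop begin outside the hunk.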
+--
+2.51.0
+
--- /dev/null
+From 8d4492d113c405f530677d3326fb7505f7dd71fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 12:49:19 -0700
+Subject: hfs: clear offset and space out of valid records in b-tree node
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 18b07c44f245beb03588b00b212b38fce9af7cc9 ]
+
+Currently, hfs_brec_remove() executes moving records
+towards the location of deleted record and it updates
+offsets of moved records. However, the hfs_brec_remove()
+logic ignores the "mess" of b-tree node's free space and
+it doesn't touch the offsets out of records number.
+Potentially, it could confuse fsck or driver logic or
+to be a reason of potential corruption cases.
+
+This patch reworks the logic of hfs_brec_remove()
+so that the freed space of the b-tree node is cleared
+after the records have been moved. It also clears the
+last offset, which kept the old location of the free
+space, because the offset before it now holds the
+actual offset of the free space after the record
+deletion.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250815194918.38165-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/brec.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
+index 896396554bcc1..b01db1fae147c 100644
+--- a/fs/hfs/brec.c
++++ b/fs/hfs/brec.c
+@@ -179,6 +179,7 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ struct hfs_btree *tree;
+ struct hfs_bnode *node, *parent;
+ int end_off, rec_off, data_off, size;
++ int src, dst, len;
+
+ tree = fd->tree;
+ node = fd->bnode;
+@@ -208,10 +209,14 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ }
+ hfs_bnode_write_u16(node, offsetof(struct hfs_bnode_desc, num_recs), node->num_recs);
+
+- if (rec_off == end_off)
+- goto skip;
+ size = fd->keylength + fd->entrylength;
+
++ if (rec_off == end_off) {
++ src = fd->keyoffset;
++ hfs_bnode_clear(node, src, size);
++ goto skip;
++ }
++
+ do {
+ data_off = hfs_bnode_read_u16(node, rec_off);
+ hfs_bnode_write_u16(node, rec_off + 2, data_off - size);
+@@ -219,9 +224,23 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ } while (rec_off >= end_off);
+
+ /* fill hole */
+- hfs_bnode_move(node, fd->keyoffset, fd->keyoffset + size,
+- data_off - fd->keyoffset - size);
++ dst = fd->keyoffset;
++ src = fd->keyoffset + size;
++ len = data_off - src;
++
++ hfs_bnode_move(node, dst, src, len);
++
++ src = dst + len;
++ len = data_off - src;
++
++ hfs_bnode_clear(node, src, len);
++
+ skip:
++ /*
++ * Remove the obsolete offset to free space.
++ */
++ hfs_bnode_write_u16(node, end_off, 0);
++
+ hfs_bnode_dump(node);
+ if (!fd->record)
+ hfs_brec_update_parent(fd);
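Review bot: The second `len = data_off - src` after `src = dst + len` always evaluates to `size` (src becomes `data_off - size`), so the trailing clear is really `hfs_bnode_clear(node, data_off - size, size);` and writing it that way is clearer than re-deriving it through three assignments. More importantly, `data_off` is read from the node with `hfs_bnode_read_u16()` in the loop above, i.e. from on-disk data, and neither `len` in the move nor in the clear is checked to be non-negative before being passed on; if `hfs_bnode_move()`/`hfs_bnode_clear()` do not validate their arguments, a corrupted node with `data_off < keyoffset + size` could turn these into out-of-range operations, so a `if (len < 0) return -EIO;` style check (or confirmation that the offsets were validated when the node was read) seems warranted. hfs_brec_remove() begins outside the hunk.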
+--
+2.51.0
+
--- /dev/null
+From f4ce019727687254d803d92429de9972107f8afe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Aug 2025 16:06:38 -0700
+Subject: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd ]
+
+The syzbot reported issue in hfs_find_set_zero_bits():
+
+=====================================================
+BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
+ hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
+ hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151
+ hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408
+ hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353
+ __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151
+ block_write_begin fs/buffer.c:2262 [inline]
+ cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601
+ hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
+ cont_expand_zero fs/buffer.c:2528 [inline]
+ cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591
+ hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
+ hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494
+ hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654
+ notify_change+0x1993/0x1aa0 fs/attr.c:552
+ do_truncate+0x28f/0x310 fs/open.c:68
+ do_ftruncate+0x698/0x730 fs/open.c:195
+ do_sys_ftruncate fs/open.c:210 [inline]
+ __do_sys_ftruncate fs/open.c:215 [inline]
+ __se_sys_ftruncate fs/open.c:213 [inline]
+ __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213
+ x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:4154 [inline]
+ slab_alloc_node mm/slub.c:4197 [inline]
+ __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354
+ kmalloc_noprof include/linux/slab.h:905 [inline]
+ hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175
+ hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337
+ get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681
+ get_tree_bdev+0x38/0x50 fs/super.c:1704
+ hfs_get_tree+0x35/0x40 fs/hfs/super.c:388
+ vfs_get_tree+0xb0/0x5c0 fs/super.c:1804
+ do_new_mount+0x738/0x1610 fs/namespace.c:3902
+ path_mount+0x6db/0x1e90 fs/namespace.c:4226
+ do_mount fs/namespace.c:4239 [inline]
+ __do_sys_mount fs/namespace.c:4450 [inline]
+ __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427
+ __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427
+ x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
+=====================================================
+
+The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():
+
+HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
+
+Finally, it can trigger the reported issue because kmalloc()
+doesn't clear the allocated memory. If allocated memory contains
+only zeros, then everything will work pretty fine.
+But if the allocated memory contains the "garbage", then
+it can affect the bitmap operations and it triggers
+the reported issue.
+
+This patch simply exchanges the kmalloc() on kzalloc()
+with the goal to guarantee the correctness of bitmap operations.
+Because, newly created allocation bitmap should have all
+available blocks free. Potentially, initialization bitmap's read
+operation could not fill the whole allocated memory and
+"garbage" in the not initialized memory will be the reason of
+volume corruptions and file system driver bugs.
+
+Reported-by: syzbot <syzbot+773fa9d79b29bd8b6831@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=773fa9d79b29bd8b6831
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250820230636.179085-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/mdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
+index 8082eb01127cd..bf811347bb07d 100644
+--- a/fs/hfs/mdb.c
++++ b/fs/hfs/mdb.c
+@@ -172,7 +172,7 @@ int hfs_mdb_get(struct super_block *sb)
+ pr_warn("continuing without an alternate MDB\n");
+ }
+
+- HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
++ HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL);
+ if (!HFS_SB(sb)->bitmap)
+ goto out;
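Review bot: The `8192` next to the new `kzalloc()` is still a bare magic number, and nothing at the call site records why zero-filling is required, so the fix is easy to revert by accident. Given the description's point that the bitmap read may not cover the whole buffer, a comment such as `/* Zero-filled: the bitmap read may not cover all 8192 bytes and unread blocks must read as free. */` would preserve the reason. Whether 8192 bytes corresponds to the largest bitmap an HFS MDB can describe is not visible here; if so, a named constant for it would document that as well.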
+
+--
+2.51.0
+
--- /dev/null
+From c104bf1c73d697510723f9cb23d19b6ffebe0f8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 15:52:52 -0700
+Subject: hfs: make proper initalization of struct hfs_find_data
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit c62663a986acee7c4485c1fa9de5fc40194b6290 ]
+
+Potentially, __hfs_ext_read_extent() could operate on
+uninitialized values of fd->key after the hfs_brec_find() call:
+
+static inline int __hfs_ext_read_extent(struct hfs_find_data *fd, struct hfs_extent *extent,
+ u32 cnid, u32 block, u8 type)
+{
+ int res;
+
+ hfs_ext_build_key(fd->search_key, cnid, block, type);
+ fd->key->ext.FNum = 0;
+ res = hfs_brec_find(fd);
+ if (res && res != -ENOENT)
+ return res;
+ if (fd->key->ext.FNum != fd->search_key->ext.FNum ||
+ fd->key->ext.FkType != fd->search_key->ext.FkType)
+ return -ENOENT;
+ if (fd->entrylength != sizeof(hfs_extent_rec))
+ return -EIO;
+ hfs_bnode_read(fd->bnode, extent, fd->entryoffset, sizeof(hfs_extent_rec));
+ return 0;
+}
+
+This patch changes kmalloc() on kzalloc() in hfs_find_init()
+and intializes fd->record, fd->keyoffset, fd->keylength,
+fd->entryoffset, fd->entrylength for the case if hfs_brec_find()
+has been found nothing in the b-tree node.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250818225252.126427-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/bfind.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c
+index 34e9804e0f360..e46f650b5e9c2 100644
+--- a/fs/hfs/bfind.c
++++ b/fs/hfs/bfind.c
+@@ -21,7 +21,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+
+ fd->tree = tree;
+ fd->bnode = NULL;
+- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+@@ -115,6 +115,12 @@ int hfs_brec_find(struct hfs_find_data *fd)
+ __be32 data;
+ int height, res;
+
++ fd->record = -1;
++ fd->keyoffset = -1;
++ fd->keylength = -1;
++ fd->entryoffset = -1;
++ fd->entrylength = -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
+--
+2.51.0
+
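Review bot: The reset added at the top of hfs_brec_find() covers fd->record and the offset/length fields but not fd->key, so when a struct hfs_find_data is reused for a second lookup, a key left behind by an earlier successful find survives a lookup that finds nothing; the kzalloc() in hfs_find_init() only zeroes it once. For __hfs_ext_read_extent() the later `fd->entrylength != sizeof(hfs_extent_rec)` check still rejects the stale result, but a caller that only compares fd->key with fd->search_key would not be protected, so a `memset(fd->key, 0, fd->tree->max_key_len + 2);` next to the resets is worth considering, provided no caller relies on the previous key surviving. The sentinel values also deserve a one-line comment, `/* reset so a lookup that finds nothing never exposes positions from a previous search */`. The identical resets in fs/hfsplus/bfind.c later in this series call for the same remark. The body of hfs_brec_find() continues past the hunk.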
--- /dev/null
+From f89c37259c54dfbfedff5a813bdb26de1f1895d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 22:17:34 +0800
+Subject: hfs: validate record offset in hfsplus_bmap_alloc
+
+From: Yang Chenzhi <yang.chenzhi@vivo.com>
+
+[ Upstream commit 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 ]
+
+hfsplus_bmap_alloc can trigger a crash if a
+record offset or length is larger than node_size
+
+[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0
+[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183
+[ 15.265949]
+[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)
+[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 15.266167] Call Trace:
+[ 15.266168] <TASK>
+[ 15.266169] dump_stack_lvl+0x53/0x70
+[ 15.266173] print_report+0xd0/0x660
+[ 15.266181] kasan_report+0xce/0x100
+[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0
+[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0
+[ 15.266217] hfsplus_brec_insert+0x870/0xb00
+[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570
+[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910
+[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200
+[ 15.266233] hfsplus_file_extend+0x5a7/0x1000
+[ 15.266237] hfsplus_get_block+0x12b/0x8c0
+[ 15.266238] __block_write_begin_int+0x36b/0x12c0
+[ 15.266251] block_write_begin+0x77/0x110
+[ 15.266252] cont_write_begin+0x428/0x720
+[ 15.266259] hfsplus_write_begin+0x51/0x100
+[ 15.266262] cont_write_begin+0x272/0x720
+[ 15.266270] hfsplus_write_begin+0x51/0x100
+[ 15.266274] generic_perform_write+0x321/0x750
+[ 15.266285] generic_file_write_iter+0xc3/0x310
+[ 15.266289] __kernel_write_iter+0x2fd/0x800
+[ 15.266296] dump_user_range+0x2ea/0x910
+[ 15.266301] elf_core_dump+0x2a94/0x2ed0
+[ 15.266320] vfs_coredump+0x1d85/0x45e0
+[ 15.266349] get_signal+0x12e3/0x1990
+[ 15.266357] arch_do_signal_or_restart+0x89/0x580
+[ 15.266362] irqentry_exit_to_user_mode+0xab/0x110
+[ 15.266364] asm_exc_page_fault+0x26/0x30
+[ 15.266366] RIP: 0033:0x41bd35
+[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f
+[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283
+[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000
+[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100
+[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000
+[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000
+[ 15.266376] </TASK>
+
+When calling hfsplus_bmap_alloc to allocate a free node, this function
+first retrieves the bitmap from header node and map node using node->page
+together with the offset and length from hfs_brec_lenoff
+
+```
+len = hfs_brec_lenoff(node, 2, &off16);
+off = off16;
+
+off += node->page_offset;
+pagep = node->page + (off >> PAGE_SHIFT);
+data = kmap_local_page(*pagep);
+```
+
+However, if the retrieved offset or length is invalid(i.e. exceeds
+node_size), the code may end up accessing pages outside the allocated
+range for this node.
+
+This patch adds proper validation of both offset and length before use,
+preventing out-of-bounds page access. Move is_bnode_offset_valid and
+check_and_correct_requested_length to hfsplus_fs.h, as they may be
+required by other functions.
+
+Reported-by: syzbot+356aed408415a56543cd@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67bcb4a6.050a0220.bbfd1.008f.GAE@google.com/
+Signed-off-by: Yang Chenzhi <yang.chenzhi@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250818141734.8559-2-yang.chenzhi@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/bnode.c | 41 ----------------------------------------
+ fs/hfsplus/btree.c | 6 ++++++
+ fs/hfsplus/hfsplus_fs.h | 42 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 48 insertions(+), 41 deletions(-)
+
+diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
+index 14f4995588ff0..407d5152eb411 100644
+--- a/fs/hfsplus/bnode.c
++++ b/fs/hfsplus/bnode.c
+@@ -18,47 +18,6 @@
+ #include "hfsplus_fs.h"
+ #include "hfsplus_raw.h"
+
+-static inline
+-bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
+-{
+- bool is_valid = off < node->tree->node_size;
+-
+- if (!is_valid) {
+- pr_err("requested invalid offset: "
+- "NODE: id %u, type %#x, height %u, "
+- "node_size %u, offset %d\n",
+- node->this, node->type, node->height,
+- node->tree->node_size, off);
+- }
+-
+- return is_valid;
+-}
+-
+-static inline
+-int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
+-{
+- unsigned int node_size;
+-
+- if (!is_bnode_offset_valid(node, off))
+- return 0;
+-
+- node_size = node->tree->node_size;
+-
+- if ((off + len) > node_size) {
+- int new_len = (int)node_size - off;
+-
+- pr_err("requested length has been corrected: "
+- "NODE: id %u, type %#x, height %u, "
+- "node_size %u, offset %d, "
+- "requested_len %d, corrected_len %d\n",
+- node->this, node->type, node->height,
+- node->tree->node_size, off, len, new_len);
+-
+- return new_len;
+- }
+-
+- return len;
+-}
+
+ /* Copy a specified range of bytes from the raw data of a node */
+ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
+diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
+index 9e1732a2b92a8..fe6a54c4083c3 100644
+--- a/fs/hfsplus/btree.c
++++ b/fs/hfsplus/btree.c
+@@ -393,6 +393,12 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
+ len = hfs_brec_lenoff(node, 2, &off16);
+ off = off16;
+
++ if (!is_bnode_offset_valid(node, off)) {
++ hfs_bnode_put(node);
++ return ERR_PTR(-EIO);
++ }
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ pagep = node->page + (off >> PAGE_SHIFT);
+ data = kmap_local_page(*pagep);
+diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
+index 5389918bbf29d..6c19935d6f505 100644
+--- a/fs/hfsplus/hfsplus_fs.h
++++ b/fs/hfsplus/hfsplus_fs.h
+@@ -575,6 +575,48 @@ hfsplus_btree_lock_class(struct hfs_btree *tree)
+ return class;
+ }
+
++static inline
++bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
++{
++ bool is_valid = off < node->tree->node_size;
++
++ if (!is_valid) {
++ pr_err("requested invalid offset: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off);
++ }
++
++ return is_valid;
++}
++
++static inline
++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
++{
++ unsigned int node_size;
++
++ if (!is_bnode_offset_valid(node, off))
++ return 0;
++
++ node_size = node->tree->node_size;
++
++ if ((off + len) > node_size) {
++ int new_len = (int)node_size - off;
++
++ pr_err("requested length has been corrected: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, "
++ "requested_len %d, corrected_len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len, new_len);
++
++ return new_len;
++ }
++
++ return len;
++}
++
+ /* compatibility */
+ #define hfsp_mt2ut(t) (struct timespec64){ .tv_sec = __hfsp_mt2ut(t) }
+ #define hfsp_ut2mt(t) __hfsp_ut2mt((t).tv_sec)
+--
+2.51.0
+
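Review bot: check_and_correct_requested_length() as moved into hfsplus_fs.h returns 0 both for an invalid offset and for a legitimately zero-length request, and neither helper documents that contract, so a caller cannot tell the two cases apart from the return value alone; in hfs_bmap_alloc() this is harmless only because the offset was validated one line earlier. A comment on the header definition would make it explicit, e.g. `/* Returns len clipped to the node, or 0 if off itself lies outside the node (already logged). */`. The rest of hfs_bmap_alloc() is outside the hunk and presumably drives the bitmap scan from `len`, so it is worth confirming that a corrected or zero length is handled by that loop. The `hfs_bnode_put(node); return ERR_PTR(-EIO);` path assumes every caller already handles ERR_PTR results from this function, which is not visible here.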
--- /dev/null
+From f91592bb5635373abe346911ce203d6309aa05e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 15:52:32 -0700
+Subject: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 4840ceadef4290c56cc422f0fc697655f3cbf070 ]
+
+The syzbot reported issue in __hfsplus_ext_cache_extent():
+
+[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0
+[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.199771][ T9350] ksys_write+0x23e/0x490
+[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.202054][ T9350]
+[ 70.202279][ T9350] Uninit was created at:
+[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80
+[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0
+[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0
+[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.207961][ T9350] ksys_write+0x23e/0x490
+[ 70.208375][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.210230][ T9350]
+[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5
+[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.212115][ T9350] =====================================================
+[ 70.212734][ T9350] Disabling lock debugging due to kernel taint
+[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ...
+[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5
+[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE
+[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.215999][ T9350] Call Trace:
+[ 70.216309][ T9350] <TASK>
+[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0
+[ 70.217025][ T9350] dump_stack+0x1e/0x30
+[ 70.217421][ T9350] panic+0x502/0xca0
+[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+
+[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...
+ kernel
+:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+set ...
+[ 70.221254][ T9350] ? __msan_warning+0x96/0x120
+[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0
+[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0
+[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0
+[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950
+[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130
+[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060
+[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460
+[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0
+[ 70.228540][ T9350] ? vfs_write+0xb0f/0x14e0
+[ 70.228997][ T9350] ? ksys_write+0x23e/0x490
+[ 70.229458][ T9350] ? __x64_sys_write+0x97/0xf0
+[ 70.229939][ T9350] ? x64_sys_call+0x3015/0x3cf0
+[ 70.230432][ T9350] ? do_syscall_64+0xd9/0x1d0
+[ 70.230941][ T9350] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.231926][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.232738][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.233711][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.234516][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.235398][ T9350] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.236323][ T9350] ? hfsplus_brec_find+0x218/0x9f0
+[ 70.237090][ T9350] ? __pfx_hfs_find_rec_by_key+0x10/0x10
+[ 70.237938][ T9350] ? __msan_instrument_asm_store+0xbf/0xf0
+[ 70.238827][ T9350] ? __msan_metadata_ptr_for_store_4+0x27/0x40
+[ 70.239772][ T9350] ? __hfsplus_ext_write_extent+0x536/0x620
+[ 70.240666][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.241175][ T9350] __msan_warning+0x96/0x120
+[ 70.241645][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.242223][ T9350] hfsplus_file_extend+0x74f/0x1cf0
+[ 70.242748][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.243255][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.243878][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.244400][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.244967][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.245531][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10
+[ 70.246079][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.246598][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.247105][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10
+[ 70.247650][ T9350] ? __pfx_hfsplus_write_begin+0x10/0x10
+[ 70.248211][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.248752][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.249314][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.249856][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.250487][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.250930][ T9350] ? __pfx_generic_file_write_iter+0x10/0x10
+[ 70.251530][ T9350] ksys_write+0x23e/0x490
+[ 70.251974][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.252450][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.252924][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.253384][ T9350] ? irqentry_exit+0x16/0x60
+[ 70.253844][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.254430][ T9350] RIP: 0033:0x7f7a92adffc9
+[ 70.254873][ T9350] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
+[ 70.256674][ T9350] RSP: 002b:00007fff0bca3188 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
+[ 70.257485][ T9350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a92adffc9
+[ 70.258246][ T9350] RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000004
+[ 70.258998][ T9350] RBP: 00007fff0bca31a0 R08: 00007fff0bca31a0 R09: 00007fff0bca31a0
+[ 70.259769][ T9350] R10: 0000000000000000 R11: 0000000000000202 R12: 000055e0d75f8250
+[ 70.260520][ T9350] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 70.261286][ T9350] </TASK>
+[ 70.262026][ T9350] Kernel Offset: disabled
+
+(gdb) l *__hfsplus_ext_cache_extent+0x7d0
+0xffffffff8318aef0 is in __hfsplus_ext_cache_extent (fs/hfsplus/extents.c:168).
+163 fd->key->ext.cnid = 0;
+164 res = hfs_brec_find(fd, hfs_find_rec_by_key);
+165 if (res && res != -ENOENT)
+166 return res;
+167 if (fd->key->ext.cnid != fd->search_key->ext.cnid ||
+168 fd->key->ext.fork_type != fd->search_key->ext.fork_type)
+169 return -ENOENT;
+170 if (fd->entrylength != sizeof(hfsplus_extent_rec))
+171 return -EIO;
+172 hfs_bnode_read(fd->bnode, extent, fd->entryoffset,
+
+The __hfsplus_ext_cache_extent() calls __hfsplus_ext_read_extent():
+
+res = __hfsplus_ext_read_extent(fd, hip->cached_extents, inode->i_ino,
+ block, HFSPLUS_IS_RSRC(inode) ?
+ HFSPLUS_TYPE_RSRC :
+ HFSPLUS_TYPE_DATA);
+
+And if inode->i_ino could be equal to zero or any non-available CNID,
+then hfs_brec_find() could not find the record in the tree. As a result,
+fd->key could be compared with fd->search_key. But hfsplus_find_init()
+uses kmalloc() for fd->key and fd->search_key allocation:
+
+int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+{
+<skipped>
+ ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+ fd->key = ptr + tree->max_key_len + 2;
+<skipped>
+}
+
+Finally, fd->key is still not initialized if hfs_brec_find()
+has found nothing.
+
+This patch changes kmalloc() to kzalloc() in hfs_find_init()
+and initializes fd->record, fd->keyoffset, fd->keylength,
+fd->entryoffset, fd->entrylength for the case where hfs_brec_find()
+has found nothing in the b-tree node.
+
+Reported-by: syzbot <syzbot+55ad87f38795d6787521@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=55ad87f38795d6787521
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250818225232.126402-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/bfind.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c
+index 901e83d65d202..26ebac4c60424 100644
+--- a/fs/hfsplus/bfind.c
++++ b/fs/hfsplus/bfind.c
+@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+
+ fd->tree = tree;
+ fd->bnode = NULL;
+- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+@@ -158,6 +158,12 @@ int hfs_brec_find(struct hfs_find_data *fd, search_strategy_t do_key_compare)
+ __be32 data;
+ int height, res;
+
++ fd->record = -1;
++ fd->keyoffset = -1;
++ fd->keylength = -1;
++ fd->entryoffset = -1;
++ fd->entrylength = -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
+--
+2.51.0
+
--- /dev/null
+From 5d874387ed59f4e1cafa52ceb34c388130099f44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Aug 2025 15:51:04 -0700
+Subject: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 9b3d15a758910bb98ba8feb4109d99cc67450ee4 ]
+
+The syzbot reported issue in hfsplus_delete_cat():
+
+[ 70.682285][ T9333] =====================================================
+[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0
+[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310
+[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810
+[ 70.685447][ T9333] do_rmdir+0x964/0xea0
+[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0
+[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0
+[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.687646][ T9333]
+[ 70.687856][ T9333] Uninit was stored to memory at:
+[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
+[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800
+[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600
+[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70
+[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0
+[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30
+[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0
+[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0
+[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.692773][ T9333]
+[ 70.692990][ T9333] Uninit was stored to memory at:
+[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
+[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800
+[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700
+[ 70.694911][ T9333] mount_bdev+0x37b/0x530
+[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60
+[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0
+[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0
+[ 70.696588][ T9333] do_new_mount+0x73e/0x1630
+[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0
+[ 70.697425][ T9333] __se_sys_mount+0x733/0x830
+[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150
+[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0
+[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.699730][ T9333]
+[ 70.699946][ T9333] Uninit was created at:
+[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60
+[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0
+[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0
+[ 70.701774][ T9333] allocate_slab+0x30e/0x1390
+[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0
+[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20
+[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0
+[ 70.703598][ T9333] alloc_inode+0x82/0x490
+[ 70.703984][ T9333] iget_locked+0x22e/0x1320
+[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0
+[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0
+[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700
+[ 70.705776][ T9333] mount_bdev+0x37b/0x530
+[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60
+[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0
+[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0
+[ 70.707444][ T9333] do_new_mount+0x73e/0x1630
+[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0
+[ 70.708270][ T9333] __se_sys_mount+0x733/0x830
+[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150
+[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0
+[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.710611][ T9333]
+[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17
+[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.712490][ T9333] =====================================================
+[ 70.713085][ T9333] Disabling lock debugging due to kernel taint
+[ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...
+[ 70.714159][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Tainted: G B 6.12.0-rc6-dirty #17
+[ 70.715007][ T9333] Tainted: [B]=BAD_PAGE
+[ 70.715365][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.716311][ T9333] Call Trace:
+[ 70.716621][ T9333] <TASK>
+[ 70.716899][ T9333] dump_stack_lvl+0x1fd/0x2b0
+[ 70.717350][ T9333] dump_stack+0x1e/0x30
+[ 70.717743][ T9333] panic+0x502/0xca0
+[ 70.718116][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.718611][ T9333] kmsan_report+0x296/0x2a0
+[ 70.719038][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.719859][ T9333] ? __msan_warning+0x96/0x120
+[ 70.720345][ T9333] ? hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.720881][ T9333] ? hfsplus_delete_cat+0x105d/0x12b0
+[ 70.721412][ T9333] ? hfsplus_rmdir+0x13d/0x310
+[ 70.721880][ T9333] ? vfs_rmdir+0x5ba/0x810
+[ 70.722458][ T9333] ? do_rmdir+0x964/0xea0
+[ 70.722883][ T9333] ? __x64_sys_rmdir+0x71/0xb0
+[ 70.723397][ T9333] ? x64_sys_call+0xcd8/0x3cf0
+[ 70.723915][ T9333] ? do_syscall_64+0xd9/0x1d0
+[ 70.724454][ T9333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.725110][ T9333] ? vprintk_emit+0xd1f/0xe60
+[ 70.725616][ T9333] ? vprintk_default+0x3f/0x50
+[ 70.726175][ T9333] ? vprintk+0xce/0xd0
+[ 70.726628][ T9333] ? _printk+0x17e/0x1b0
+[ 70.727129][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.727739][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.728324][ T9333] __msan_warning+0x96/0x120
+[ 70.728854][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.729479][ T9333] hfsplus_delete_cat+0x105d/0x12b0
+[ 70.729984][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.730646][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.731296][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.731863][ T9333] hfsplus_rmdir+0x13d/0x310
+[ 70.732390][ T9333] ? __pfx_hfsplus_rmdir+0x10/0x10
+[ 70.732919][ T9333] vfs_rmdir+0x5ba/0x810
+[ 70.733416][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.734044][ T9333] do_rmdir+0x964/0xea0
+[ 70.734537][ T9333] __x64_sys_rmdir+0x71/0xb0
+[ 70.735032][ T9333] x64_sys_call+0xcd8/0x3cf0
+[ 70.735579][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.736092][ T9333] ? irqentry_exit+0x16/0x60
+[ 70.736637][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.737269][ T9333] RIP: 0033:0x7fa9424eafc9
+[ 70.737775][ T9333] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
+[ 70.739844][ T9333] RSP: 002b:00007fff099cd8d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000054
+[ 70.740760][ T9333] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa9424eafc9
+[ 70.741642][ T9333] RDX: 006c6f72746e6f63 RSI: 000000000000000a RDI: 0000000020000100
+[ 70.742543][ T9333] RBP: 00007fff099cd8e0 R08: 00007fff099cd910 R09: 00007fff099cd910
+[ 70.743376][ T9333] R10: 0000000000000000 R11: 0000000000000202 R12: 0000565430642260
+[ 70.744247][ T9333] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 70.745082][ T9333] </TASK>
+
+The main reason for the issue is that struct hfsplus_inode_info
+has not been properly initialized for the case of the root folder.
+In the case of the root folder, hfsplus_fill_super() calls
+hfsplus_iget(), which implements only partial initialization of
+struct hfsplus_inode_info, and the subfolders field is not
+initialized by the hfsplus_iget() logic.
+
+This patch implements complete initialization of
+struct hfsplus_inode_info in the hfsplus_iget() logic with
+the goal to prevent likewise issues for the case of
+root folder.
+
+Reported-by: syzbot <syzbot+fdedff847a0e5e84c39f@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=fdedff847a0e5e84c39f
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250825225103.326401-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/super.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 97920202790f9..51364aacd4626 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -67,13 +67,26 @@ struct inode *hfsplus_iget(struct super_block *sb, unsigned long ino)
+ if (!(inode->i_state & I_NEW))
+ return inode;
+
+- INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
+- spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
+- mutex_init(&HFSPLUS_I(inode)->extents_lock);
+- HFSPLUS_I(inode)->flags = 0;
++ atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->first_blocks = 0;
++ HFSPLUS_I(inode)->clump_blocks = 0;
++ HFSPLUS_I(inode)->alloc_blocks = 0;
++ HFSPLUS_I(inode)->cached_start = U32_MAX;
++ HFSPLUS_I(inode)->cached_blocks = 0;
++ memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(hfsplus_extent_rec));
++ memset(HFSPLUS_I(inode)->cached_extents, 0, sizeof(hfsplus_extent_rec));
+ HFSPLUS_I(inode)->extent_state = 0;
++ mutex_init(&HFSPLUS_I(inode)->extents_lock);
+ HFSPLUS_I(inode)->rsrc_inode = NULL;
+- atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->create_date = 0;
++ HFSPLUS_I(inode)->linkid = 0;
++ HFSPLUS_I(inode)->flags = 0;
++ HFSPLUS_I(inode)->fs_blocks = 0;
++ HFSPLUS_I(inode)->userflags = 0;
++ HFSPLUS_I(inode)->subfolders = 0;
++ INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
++ spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
++ HFSPLUS_I(inode)->phys_size = 0;
+
+ if (inode->i_ino >= HFSPLUS_FIRSTUSER_CNID ||
+ inode->i_ino == HFSPLUS_ROOT_CNID) {
+--
+2.51.0
+
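Review bot: The field-by-field initialisation added to hfsplus_iget() is a hand-maintained list, and the report above shows the allocation path (hfsplus_alloc_inode() via iget_locked()) does not zero the private part, so any field added to struct hfsplus_inode_info later will be uninitialised again unless someone remembers to extend this block. If the new-inode path (not visible here) keeps a similar list, consider moving both into one helper such as `static void hfsplus_init_inode_info(struct hfsplus_inode_info *hip)` called from both sites, or zeroing the private part in hfsplus_alloc_inode() so only the non-zero values and the lock/list initialisers need explicit code. The `cached_start = U32_MAX` line also deserves a comment, e.g. `/* presumably "no extent cached" — confirm against the extents code */`, since its meaning is not obvious from the assignment.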
--- /dev/null
+From 35743ec26dd0c3229fa780e8306a199c038d7675 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Aug 2025 10:58:59 -0600
+Subject: hfsplus: return EIO when type of hidden directory mismatch in
+ hfsplus_fill_super()
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit 9282bc905f0949fab8cf86c0f620ca988761254c ]
+
+If Catalog File contains corrupted record for the case of
+hidden directory's type, regard it as I/O error instead of
+Invalid argument.
+
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250805165905.3390154-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 51364aacd4626..0831cd7aa5deb 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -544,7 +544,7 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent)
+ if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ hfs_find_exit(&fd);
+ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
+- err = -EINVAL;
++ err = -EIO;
+ goto out_put_root;
+ }
+ inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
+--
+2.51.0
+
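Review bot: The mismatch now fails the mount with -EIO but still leaves no diagnostic, so a user only sees a generic I/O error from mount with nothing in the log pointing at the catalog record. hfsplus_fill_super() already takes `silent`, so a guarded message before the goto would make the corruption visible without being noisy: `if (!silent) pr_err("hidden directory record has unexpected type %u\n", be16_to_cpu(entry.type));`. The enclosing function starts and ends outside the hunk.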
--- /dev/null
+From d6c58ab24ab691bc9d7d51e7b3a65d311e2a3e28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 14:06:05 +0800
+Subject: lkdtm: fortify: Fix potential NULL dereference on kmalloc failure
+
+From: Junjie Cao <junjie.cao@intel.com>
+
+[ Upstream commit 01c7344e21c2140e72282d9d16d79a61f840fc20 ]
+
+Add missing NULL pointer checks after kmalloc() calls in
+lkdtm_FORTIFY_STR_MEMBER() and lkdtm_FORTIFY_MEM_MEMBER() functions.
+
+Signed-off-by: Junjie Cao <junjie.cao@intel.com>
+Link: https://lore.kernel.org/r/20250814060605.5264-1-junjie.cao@intel.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/lkdtm/fortify.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/misc/lkdtm/fortify.c b/drivers/misc/lkdtm/fortify.c
+index 0159276656780..00ed2147113e6 100644
+--- a/drivers/misc/lkdtm/fortify.c
++++ b/drivers/misc/lkdtm/fortify.c
+@@ -44,6 +44,9 @@ static void lkdtm_FORTIFY_STR_MEMBER(void)
+ char *src;
+
+ src = kmalloc(size, GFP_KERNEL);
++ if (!src)
++ return;
++
+ strscpy(src, "over ten bytes", size);
+ size = strlen(src) + 1;
+
+@@ -109,6 +112,9 @@ static void lkdtm_FORTIFY_MEM_MEMBER(void)
+ char *src;
+
+ src = kmalloc(size, GFP_KERNEL);
++ if (!src)
++ return;
++
+ strscpy(src, "over ten bytes", size);
+ size = strlen(src) + 1;
+
+--
+2.51.0
+
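Review bot: Both added checks return silently, so a failed kmalloc() makes the test look as if the fortify check simply did not fire, and if these tests are driven by dmesg expectations as lkdtm tests usually are, the harness would report a failure with no hint as to why. A log line before each `return;`, e.g. `pr_warn("Unable to allocate source buffer\n");`, would make the outcome attributable. The same applies to the second hunk in lkdtm_FORTIFY_MEM_MEMBER().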
--- /dev/null
+From e95d746e5a0b231d8b241742b22d151bc4549f59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Sep 2025 17:16:13 +0200
+Subject: m68k: bitops: Fix find_*_bit() signatures
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit 6d5674090543b89aac0c177d67e5fb32ddc53804 ]
+
+The function signatures of the m68k-optimized implementations of the
+find_{first,next}_{,zero_}bit() helpers do not match the generic
+variants.
+
+Fix this by changing all non-pointer inputs and outputs to "unsigned
+long", and updating a few local variables.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202509092305.ncd9mzaZ-lkp@intel.com/
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Acked-by: "Yury Norov (NVIDIA)" <yury.norov@gmail.com>
+Link: https://patch.msgid.link/de6919554fbb4cd1427155c6bafbac8a9df822c8.1757517135.git.geert@linux-m68k.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/bitops.h | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/arch/m68k/include/asm/bitops.h b/arch/m68k/include/asm/bitops.h
+index 14c64a6f12176..50ec92651d5a5 100644
+--- a/arch/m68k/include/asm/bitops.h
++++ b/arch/m68k/include/asm/bitops.h
+@@ -350,12 +350,12 @@ static inline bool xor_unlock_is_negative_byte(unsigned long mask,
+ #include <asm-generic/bitops/ffz.h>
+ #else
+
+-static inline int find_first_zero_bit(const unsigned long *vaddr,
+- unsigned size)
++static inline unsigned long find_first_zero_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -376,8 +376,9 @@ static inline int find_first_zero_bit(const unsigned long *vaddr,
+ }
+ #define find_first_zero_bit find_first_zero_bit
+
+-static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_zero_bit(const unsigned long *vaddr,
++ unsigned long size,
++ unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
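Review bot: In find_next_zero_bit() the untouched declaration `int bit = offset & 31UL, res;` keeps `bit` and `res` as int while `offset`, `size` and the return type are now unsigned long, so the body (which continues past the hunk) still mixes signed and unsigned arithmetic; the same line is left as-is in find_next_bit() in the hunk at `@@ -431,8 +433,9 @@`. If `res` only ever holds the 0..32 result of the bit-field search this is harmless, but splitting the declaration and matching the widths — `unsigned long bit = offset & 31UL;` and `unsigned long res;` — would make the signature change complete and avoid a mixed-initializer declaration. Confirm against the rest of the body before changing `res`, since it may be an asm output operand with a fixed constraint.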
+@@ -406,11 +407,12 @@ static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+ }
+ #define find_next_zero_bit find_next_zero_bit
+
+-static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
++static inline unsigned long find_first_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -431,8 +433,9 @@ static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
+ }
+ #define find_first_bit find_first_bit
+
+-static inline int find_next_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_bit(const unsigned long *vaddr,
++ unsigned long size,
++ unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
+--
+2.51.0
+
--- /dev/null
+From a066d502cf9850b915ceba681ab2b61f4adc42a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:37:07 +0200
+Subject: nios2: ensure that memblock.current_limit is set when setting pfn
+ limits
+
+From: Simon Schuster <schuster.simon@siemens-energy.com>
+
+[ Upstream commit a20b83cf45be2057f3d073506779e52c7fa17f94 ]
+
+On nios2, with CONFIG_FLATMEM set, the kernel relies on
+memblock_get_current_limit() to determine the limits of mem_map, in
+particular for max_low_pfn.
+Unfortunately, memblock.current_limit is only default initialized to
+MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading
+to situations where max_low_pfn can erroneously exceed the value of
+max_pfn and, thus, the valid range of available DRAM.
+
+This can in turn cause kernel-level paging failures, e.g.:
+
+[ 76.900000] Unable to handle kernel paging request at virtual address 20303000
+[ 76.900000] ea = c0080890, ra = c000462c, cause = 14
+[ 76.900000] Kernel panic - not syncing: Oops
+[ 76.900000] ---[ end Kernel panic - not syncing: Oops ]---
+
+This patch fixes this by pre-calculating memblock.current_limit
+based on the upper limits of the available memory ranges via
+adjust_lowmem_bounds, a simplified version of the equivalent
+implementation within the arm architecture.
+
+Signed-off-by: Simon Schuster <schuster.simon@siemens-energy.com>
+Signed-off-by: Andreas Oetken <andreas.oetken@siemens-energy.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/nios2/kernel/setup.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/arch/nios2/kernel/setup.c b/arch/nios2/kernel/setup.c
+index da122a5fa43b2..8528ab1f222cd 100644
+--- a/arch/nios2/kernel/setup.c
++++ b/arch/nios2/kernel/setup.c
+@@ -142,6 +142,20 @@ static void __init find_limits(unsigned long *min, unsigned long *max_low,
+ *max_high = PFN_DOWN(memblock_end_of_DRAM());
+ }
+
++static void __init adjust_lowmem_bounds(void)
++{
++ phys_addr_t block_start, block_end;
++ u64 i;
++ phys_addr_t memblock_limit = 0;
++
++ for_each_mem_range(i, &block_start, &block_end) {
++ if (block_end > memblock_limit)
++ memblock_limit = block_end;
++ }
++
++ memblock_set_current_limit(memblock_limit);
++}
++
+ void __init setup_arch(char **cmdline_p)
+ {
+ console_verbose();
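Review bot: adjust_lowmem_bounds() carries no comment, and its arm-derived name does not say that all it does is seed memblock.current_limit before find_limits() runs (the ordering constraint is only visible in the second hunk). A short header would save the next reader a trip to the commit log, e.g. `/* Set memblock.current_limit to the end of the highest memory range so find_limits() derives max_low_pfn from real DRAM rather than the MEMBLOCK_ALLOC_ANYWHERE default. */`. The loop is only a max over block_end, so `block_start` is written by for_each_mem_range() but never read; a word on that in the comment avoids it being mistaken for a leftover.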
+@@ -155,6 +169,7 @@ void __init setup_arch(char **cmdline_p)
+ /* Keep a copy of command line */
+ *cmdline_p = boot_command_line;
+
++ adjust_lowmem_bounds();
+ find_limits(&min_low_pfn, &max_low_pfn, &max_pfn);
+ max_mapnr = max_low_pfn;
+
+--
+2.51.0
+
--- /dev/null
+From e7976d202a4cc2371da82f20995347603e1067af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Sep 2025 22:28:41 -0700
+Subject: PCI: Test for bit underflow in pcie_set_readrq()
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 00e58ff924b3a684b076f9512fe2753be87b50e1 ]
+
+In preparation for the future commit ("bitops: Add __attribute_const__ to generic
+ffs()-family implementations"), which allows GCC's value range tracker
+to see past ffs(), GCC 8 on ARM thinks that it might be possible that
+"ffs(rq) - 8" used here:
+
+ v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, ffs(rq) - 8);
+
+could wrap below 0, leading to a very large value, which would be out of
+range for the FIELD_PREP() usage:
+
+drivers/pci/pci.c: In function 'pcie_set_readrq':
+include/linux/compiler_types.h:572:38: error: call to '__compiletime_assert_471' declared with attribute error: FIELD_PREP: value too large for the field
+...
+drivers/pci/pci.c:5896:6: note: in expansion of macro 'FIELD_PREP'
+ v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, ffs(rq) - 8);
+ ^~~~~~~~~~
+
+If the result of the ffs() is bounds checked before being used in
+FIELD_PREP(), the value tracker seems happy again. :)
+
+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Closes: https://lore.kernel.org/linux-pci/CA+G9fYuysVr6qT8bjF6f08WLyCJRG7aXAeSd2F7=zTaHHd7L+Q@mail.gmail.com/
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20250905052836.work.425-kees@kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 3d1365f558d3a..0dd548e2b3676 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -6048,6 +6048,7 @@ int pcie_set_readrq(struct pci_dev *dev, int rq)
+ {
+ u16 v;
+ int ret;
++ unsigned int firstbit;
+ struct pci_host_bridge *bridge = pci_find_host_bridge(dev->bus);
+
+ if (rq < 128 || rq > 4096 || !is_power_of_2(rq))
+@@ -6065,7 +6066,10 @@ int pcie_set_readrq(struct pci_dev *dev, int rq)
+ rq = mps;
+ }
+
+- v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, ffs(rq) - 8);
++ firstbit = ffs(rq);
++ if (firstbit < 8)
++ return -EINVAL;
++ v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, firstbit - 8);
+
+ if (bridge->no_inc_mrrs) {
+ int max_mrrs = pcie_get_readrq(dev);
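Review bot: The new `if (firstbit < 8) return -EINVAL;` is unreachable by construction — `rq` is rejected unless it is a power of two in 128..4096 a few lines above, and the `rq = mps` clamp presumably keeps it in that range — so a reader will wonder which input it guards against and may remove it as dead code. A comment stating its purpose would prevent that: `/* rq is already validated; this bounds check lets the compiler's value-range tracking see that firstbit - 8 cannot underflow in FIELD_PREP(). */`. The function body continues past the hunk.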
+--
+2.51.0
+
--- /dev/null
+From 14e7f4f1d8560ddcafb9418e0efe922814066b2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Sep 2025 12:03:49 +0200
+Subject: powerpc/32: Remove PAGE_KERNEL_TEXT to fix startup failure
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 9316512b717f6f25c4649b3fdb0a905b6a318e9f ]
+
+PAGE_KERNEL_TEXT is an old macro that is used to tell kernel whether
+kernel text has to be mapped read-only or read-write based on build
+time options.
+
+But nowadays, with functionalities like jump_labels, static links,
+etc ... more or less all kernels need to be read-write at some
+point, and some combinations of configs failed to work due to
+inaccurate setting of PAGE_KERNEL_TEXT. On the other hand, today
+we have CONFIG_STRICT_KERNEL_RWX which implements a more controlled
+access to kernel modifications.
+
+Instead of trying to keep PAGE_KERNEL_TEXT accurate with all
+possible options that may imply kernel text modification, always
+set kernel text read-write at startup and rely on
+CONFIG_STRICT_KERNEL_RWX to provide accurate protection.
+
+Do this by passing PAGE_KERNEL_X to map_kernel_page() in
+__maping_ram_chunk() instead of passing PAGE_KERNEL_TEXT. Once
+this is done, the only remaining user of PAGE_KERNEL_TEXT is
+mmu_mark_initmem_nx() which uses it in a call to setibat().
+As setibat() ignores the RW/RO, we can seamlessly replace
+PAGE_KERNEL_TEXT by PAGE_KERNEL_X here as well and get rid of
+PAGE_KERNEL_TEXT completely.
+
+Reported-by: Erhard Furtner <erhard_f@mailbox.org>
+Closes: https://lore.kernel.org/all/342b4120-911c-4723-82ec-d8c9b03a8aef@mailbox.org/
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Tested-by: Andrew Donnellan <ajd@linux.ibm.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/8e2d793abf87ae3efb8f6dce10f974ac0eda61b8.1757412205.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/pgtable.h | 12 ------------
+ arch/powerpc/mm/book3s32/mmu.c | 4 ++--
+ arch/powerpc/mm/pgtable_32.c | 2 +-
+ 3 files changed, 3 insertions(+), 15 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/pgtable.h b/arch/powerpc/include/asm/pgtable.h
+index 2f72ad885332e..2ec5431ce1be2 100644
+--- a/arch/powerpc/include/asm/pgtable.h
++++ b/arch/powerpc/include/asm/pgtable.h
+@@ -20,18 +20,6 @@ struct mm_struct;
+ #include <asm/nohash/pgtable.h>
+ #endif /* !CONFIG_PPC_BOOK3S */
+
+-/*
+- * Protection used for kernel text. We want the debuggers to be able to
+- * set breakpoints anywhere, so don't write protect the kernel text
+- * on platforms where such control is possible.
+- */
+-#if defined(CONFIG_KGDB) || defined(CONFIG_XMON) || defined(CONFIG_BDI_SWITCH) || \
+- defined(CONFIG_KPROBES) || defined(CONFIG_DYNAMIC_FTRACE)
+-#define PAGE_KERNEL_TEXT PAGE_KERNEL_X
+-#else
+-#define PAGE_KERNEL_TEXT PAGE_KERNEL_ROX
+-#endif
+-
+ /* Make modules code happy. We don't set RO yet */
+ #define PAGE_KERNEL_EXEC PAGE_KERNEL_X
+
+diff --git a/arch/powerpc/mm/book3s32/mmu.c b/arch/powerpc/mm/book3s32/mmu.c
+index 2db167f4233f7..507e2ef50bd79 100644
+--- a/arch/powerpc/mm/book3s32/mmu.c
++++ b/arch/powerpc/mm/book3s32/mmu.c
+@@ -204,7 +204,7 @@ int mmu_mark_initmem_nx(void)
+
+ for (i = 0; i < nb - 1 && base < top;) {
+ size = bat_block_size(base, top);
+- setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_TEXT);
++ setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_X);
+ base += size;
+ }
+ if (base < top) {
+@@ -215,7 +215,7 @@ int mmu_mark_initmem_nx(void)
+ pr_warn("Some RW data is getting mapped X. "
+ "Adjust CONFIG_DATA_SHIFT to avoid that.\n");
+ }
+- setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_TEXT);
++ setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_X);
+ base += size;
+ }
+ for (; i < nb; i++)
+diff --git a/arch/powerpc/mm/pgtable_32.c b/arch/powerpc/mm/pgtable_32.c
+index 787b222063866..e52d036c7a831 100644
+--- a/arch/powerpc/mm/pgtable_32.c
++++ b/arch/powerpc/mm/pgtable_32.c
+@@ -109,7 +109,7 @@ static void __init __mapin_ram_chunk(unsigned long offset, unsigned long top)
+ p = memstart_addr + s;
+ for (; s < top; s += PAGE_SIZE) {
+ ktext = core_kernel_text(v);
+- map_kernel_page(v, p, ktext ? PAGE_KERNEL_TEXT : PAGE_KERNEL);
++ map_kernel_page(v, p, ktext ? PAGE_KERNEL_X : PAGE_KERNEL);
+ v += PAGE_SIZE;
+ p += PAGE_SIZE;
+ }
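Review bot: After this change `__mapin_ram_chunk()` maps kernel text with PAGE_KERNEL_X — writable and executable — in every configuration, and only a later CONFIG_STRICT_KERNEL_RWX pass can tighten it; without that option the text stays W+X for the lifetime of the kernel. That trade-off is explained in the commit message but not in the code, so a comment at the call would keep it visible: `/* Text is mapped RWX at boot; CONFIG_STRICT_KERNEL_RWX is responsible for making it read-only later. */`. The same applies to the two setibat() calls in the book3s32 hunks, where a reader may also not know that setibat() ignores the RW/RO bits.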
+--
+2.51.0
+
--- /dev/null
+From 597398e954d73509b77226e2e865451e422c9565 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Sep 2025 17:24:05 +0200
+Subject: s390/mm: Use __GFP_ACCOUNT for user page table allocations
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit 5671ce2a1fc6b4a16cff962423bc416b92cac3c8 ]
+
+Add missing kmemcg accounting of user page table allocations.
+
+Reviewed-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/mm/pgalloc.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/arch/s390/mm/pgalloc.c b/arch/s390/mm/pgalloc.c
+index f5dece9353535..a2ec82ec78ac9 100644
+--- a/arch/s390/mm/pgalloc.c
++++ b/arch/s390/mm/pgalloc.c
+@@ -43,9 +43,13 @@ __initcall(page_table_register_sysctl);
+
+ unsigned long *crst_table_alloc(struct mm_struct *mm)
+ {
+- struct ptdesc *ptdesc = pagetable_alloc(GFP_KERNEL, CRST_ALLOC_ORDER);
++ gfp_t gfp = GFP_KERNEL_ACCOUNT;
++ struct ptdesc *ptdesc;
+ unsigned long *table;
+
++ if (mm == &init_mm)
++ gfp &= ~__GFP_ACCOUNT;
++ ptdesc = pagetable_alloc(gfp, CRST_ALLOC_ORDER);
+ if (!ptdesc)
+ return NULL;
+ table = ptdesc_to_virt(ptdesc);
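Review bot: The new `if (mm == &init_mm) gfp &= ~__GFP_ACCOUNT;` preamble in crst_table_alloc() is repeated verbatim in page_table_alloc() in the hunk at `@@ -161,10 +165,13 @@`, while page_table_alloc_pgste() in the middle hunk switches to GFP_KERNEL_ACCOUNT unconditionally even though it also receives `mm`. If the pgste path can never be reached for init_mm that is fine, but a small helper would make the three call sites agree and the exception explicit, and is also the natural place to say why kernel page tables are not charged. The call sites then become `ptdesc = pagetable_alloc(pgtable_gfp(mm), CRST_ALLOC_ORDER);` and `ptdesc = pagetable_alloc(pgtable_gfp(mm), 0);`.
```c
/* User page tables are charged to the caller's memcg; kernel (init_mm) tables are not. */
static gfp_t pgtable_gfp(struct mm_struct *mm)
{
	return mm == &init_mm ? GFP_KERNEL : GFP_KERNEL_ACCOUNT;
}

/* … unchanged: crst_table_alloc() body after the allocation … */
```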
+@@ -142,7 +146,7 @@ struct ptdesc *page_table_alloc_pgste(struct mm_struct *mm)
+ struct ptdesc *ptdesc;
+ u64 *table;
+
+- ptdesc = pagetable_alloc(GFP_KERNEL, 0);
++ ptdesc = pagetable_alloc(GFP_KERNEL_ACCOUNT, 0);
+ if (ptdesc) {
+ table = (u64 *)ptdesc_to_virt(ptdesc);
+ __arch_set_page_dat(table, 1);
+@@ -161,10 +165,13 @@ void page_table_free_pgste(struct ptdesc *ptdesc)
+
+ unsigned long *page_table_alloc(struct mm_struct *mm)
+ {
++ gfp_t gfp = GFP_KERNEL_ACCOUNT;
+ struct ptdesc *ptdesc;
+ unsigned long *table;
+
+- ptdesc = pagetable_alloc(GFP_KERNEL, 0);
++ if (mm == &init_mm)
++ gfp &= ~__GFP_ACCOUNT;
++ ptdesc = pagetable_alloc(gfp, 0);
+ if (!ptdesc)
+ return NULL;
+ if (!pagetable_pte_ctor(ptdesc)) {
+--
+2.51.0
+
--- /dev/null
+exec-fix-incorrect-type-for-ret.patch
+nios2-ensure-that-memblock.current_limit-is-set-when.patch
+hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
+hfs-make-proper-initalization-of-struct-hfs_find_dat.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch
+hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch
+dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch
+hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch
+hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
+binfmt_elf-preserve-original-elf-e_flags-for-core-du.patch
+pci-test-for-bit-underflow-in-pcie_set_readrq.patch
+lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch
+arm64-sysreg-correct-sign-definitions-for-eiesb-and-.patch
+gfs2-fix-unlikely-race-in-gdlm_put_lock.patch
+m68k-bitops-fix-find_-_bit-signatures.patch
+powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch
+drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch
+s390-mm-use-__gfp_account-for-user-page-table-alloca.patch
+smb-server-let-smb_direct_flush_send_list-invalidate.patch
+unbreak-make-tools-for-user-space-targets.patch
+bpf-replace-bpf_map_kmalloc_node-with-kmalloc_nolock.patch
--- /dev/null
+From cda37e4c09e0c11f1567c964e7bb8291fcedfb1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Sep 2025 22:22:35 +0200
+Subject: smb: server: let smb_direct_flush_send_list() invalidate a remote key
+ first
+
+From: Stefan Metzmacher <metze@samba.org>
+
+[ Upstream commit 1b53426334c3c942db47e0959a2527a4f815af50 ]
+
+If we want to invalidate a remote key we should do that as soon as
+possible, so do it in the first send work request.
+
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Cc: Steve French <smfrench@gmail.com>
+Cc: Tom Talpey <tom@talpey.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: samba-technical@lists.samba.org
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/transport_rdma.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c
+index 05dfef7ad67f5..bf79c066a982e 100644
+--- a/fs/smb/server/transport_rdma.c
++++ b/fs/smb/server/transport_rdma.c
+@@ -938,12 +938,15 @@ static int smb_direct_flush_send_list(struct smb_direct_transport *t,
+ struct smb_direct_sendmsg,
+ list);
+
++ if (send_ctx->need_invalidate_rkey) {
++ first->wr.opcode = IB_WR_SEND_WITH_INV;
++ first->wr.ex.invalidate_rkey = send_ctx->remote_key;
++ send_ctx->need_invalidate_rkey = false;
++ send_ctx->remote_key = 0;
++ }
++
+ last->wr.send_flags = IB_SEND_SIGNALED;
+ last->wr.wr_cqe = &last->cqe;
+- if (is_last && send_ctx->need_invalidate_rkey) {
+- last->wr.opcode = IB_WR_SEND_WITH_INV;
+- last->wr.ex.invalidate_rkey = send_ctx->remote_key;
+- }
+
+ ret = smb_direct_post_send(t, &first->wr);
+ if (!ret) {
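Review bot: With the invalidate moved onto `first`, the removed `is_last && send_ctx->need_invalidate_rkey` condition was the only use of `is_last` visible in the hunk; if nothing else in smb_direct_flush_send_list() reads it, the parameter is now dead and should be dropped or its remaining purpose documented. The function signature starts before the hunk, so this needs checking against the full body. A comment on why the first work request is chosen would also help, since the previous code put it on the last one: `/* Invalidate the peer's rkey in the first WR so the remote buffer becomes unreachable as early as possible. */`.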
+--
+2.51.0
+
--- /dev/null
+From c58eca53b47ac8ecf38c74a40963084992aa210b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Sep 2025 12:24:20 -0700
+Subject: Unbreak 'make tools/*' for user-space targets
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit ee916dccd4df6e2fd19c3606c4735282b72f1473 ]
+
+This pattern isn't very documented, and apparently not used much outside
+of 'make tools/help', but it has existed for over a decade (since commit
+ea01fa9f63ae: "tools: Connect to the kernel build system").
+
+However, it doesn't work very well for most cases, particularly the
+useful "tools/all" target, because it overrides the LDFLAGS value with
+an empty one.
+
+And once overridden, 'make' will then not honor the tooling makefiles
+trying to change it - which then makes any LDFLAGS use in the tooling
+directory break, typically causing odd link errors.
+
+Remove that LDFLAGS override, since it seems to be entirely historical.
+The core kernel makefiles no longer modify LDFLAGS as part of the build,
+and use kernel-specific link flags instead (eg 'KBUILD_LDFLAGS' and
+friends).
+
+This allows more of the 'make tools/*' cases to work. I say 'more',
+because some of the tooling build rules make various other assumptions
+or have other issues, so it's still a bit hit-or-miss. But those issues
+tend to show up with the 'make -C tools xyz' pattern too, so now it's no
+longer an issue of this particular 'tools/*' build rule being special.
+
+Acked-by: Nathan Chancellor <nathan@kernel.org>
+Cc: Nicolas Schier <nicolas@fjasle.eu>
+Cc: Borislav Petkov <bp@alien8.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index d4c679b2d4bcf..0aa9fd3ab9a1c 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1372,11 +1372,11 @@ endif
+
+ tools/: FORCE
+ $(Q)mkdir -p $(objtree)/tools
+- $(Q)$(MAKE) LDFLAGS= O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/
++ $(Q)$(MAKE) O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/
+
+ tools/%: FORCE
+ $(Q)mkdir -p $(objtree)/tools
+- $(Q)$(MAKE) LDFLAGS= O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ $*
++ $(Q)$(MAKE) O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ $*
+
+ # ---------------------------------------------------------------------------
+ # Kernel selftest
+--
+2.51.0
+
--- /dev/null
+From 6ecc89d497aeb1887ff783ba735702ffe113ae65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 10:51:42 +0100
+Subject: arm64: sysreg: Correct sign definitions for EIESB and DoubleLock
+
+From: Fuad Tabba <tabba@google.com>
+
+[ Upstream commit f4d4ebc84995178273740f3e601e97fdefc561d2 ]
+
+The `ID_AA64MMFR4_EL1.EIESB` field is an unsigned enumeration, but was
+incorrectly defined as a `SignedEnum` when introduced in commit
+cfc680bb04c5 ("arm64: sysreg: Add layout for ID_AA64MMFR4_EL1"). This is
+corrected to `UnsignedEnum`.
+
+Conversely, the `ID_AA64DFR0_EL1.DoubleLock` field, is a signed
+enumeration, but was incorrectly defined as an `UnsignedEnum`. This is
+corrected to `SignedEnum`, which wasn't correctly set when annotated as
+such in commit ad16d4cf0b4f ("arm64/sysreg: Initial unsigned annotations
+for ID registers").
+
+Signed-off-by: Fuad Tabba <tabba@google.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/tools/sysreg | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/tools/sysreg b/arch/arm64/tools/sysreg
+index 696ab1f32a674..2a37d4c26d870 100644
+--- a/arch/arm64/tools/sysreg
++++ b/arch/arm64/tools/sysreg
+@@ -1693,7 +1693,7 @@ UnsignedEnum 43:40 TraceFilt
+ 0b0000 NI
+ 0b0001 IMP
+ EndEnum
+-UnsignedEnum 39:36 DoubleLock
++SignedEnum 39:36 DoubleLock
+ 0b0000 IMP
+ 0b1111 NI
+ EndEnum
+@@ -2409,7 +2409,7 @@ UnsignedEnum 11:8 ASID2
+ 0b0000 NI
+ 0b0001 IMP
+ EndEnum
+-SignedEnum 7:4 EIESB
++UnsignedEnum 7:4 EIESB
+ 0b0000 NI
+ 0b0001 ToEL3
+ 0b0010 ToELx
+--
+2.51.0
+
--- /dev/null
+From 003abdd5f1a8f9b0e54ded266150d4b13c26a1aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Sep 2025 20:53:50 +0700
+Subject: binfmt_elf: preserve original ELF e_flags for core dumps
+
+From: Svetlana Parfenova <svetlana.parfenova@syntacore.com>
+
+[ Upstream commit 8c94db0ae97c72c253a615f990bd466b456e94f6 ]
+
+Some architectures, such as RISC-V, use the ELF e_flags field to encode
+ABI-specific information (e.g., ISA extensions, fpu support). Debuggers
+like GDB rely on these flags in core dumps to correctly interpret
+optional register sets. If the flags are missing or incorrect, GDB may
+warn and ignore valid data, for example:
+
+ warning: Unexpected size of section '.reg2/213' in core file.
+
+This can prevent access to fpu or other architecture-specific registers
+even when they were dumped.
+
+Save the e_flags field during ELF binary loading (in load_elf_binary())
+into the mm_struct, and later retrieve it during core dump generation
+(in fill_note_info()). Kconfig option CONFIG_ARCH_HAS_ELF_CORE_EFLAGS
+is introduced for architectures that require this behaviour.
+
+Signed-off-by: Svetlana Parfenova <svetlana.parfenova@syntacore.com>
+Link: https://lore.kernel.org/r/20250901135350.619485-1-svetlana.parfenova@syntacore.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/Kconfig | 1 +
+ fs/Kconfig.binfmt | 9 +++++++++
+ fs/binfmt_elf.c | 40 ++++++++++++++++++++++++++++++++++------
+ include/linux/mm_types.h | 5 +++++
+ 4 files changed, 49 insertions(+), 6 deletions(-)
+
+diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
+index 51dcd8eaa2435..74db054aa1b8b 100644
+--- a/arch/riscv/Kconfig
++++ b/arch/riscv/Kconfig
+@@ -28,6 +28,7 @@ config RISCV
+ select ARCH_HAS_DEBUG_VIRTUAL if MMU
+ select ARCH_HAS_DEBUG_VM_PGTABLE
+ select ARCH_HAS_DEBUG_WX
++ select ARCH_HAS_ELF_CORE_EFLAGS
+ select ARCH_HAS_FAST_MULTIPLIER
+ select ARCH_HAS_FORTIFY_SOURCE
+ select ARCH_HAS_GCOV_PROFILE_ALL
+diff --git a/fs/Kconfig.binfmt b/fs/Kconfig.binfmt
+index bd2f530e57408..1949e25c7741b 100644
+--- a/fs/Kconfig.binfmt
++++ b/fs/Kconfig.binfmt
+@@ -184,4 +184,13 @@ config EXEC_KUNIT_TEST
+ This builds the exec KUnit tests, which tests boundary conditions
+ of various aspects of the exec internals.
+
++config ARCH_HAS_ELF_CORE_EFLAGS
++ bool
++ depends on BINFMT_ELF && ELF_CORE
++ default n
++ help
++ Select this option if the architecture makes use of the e_flags
++ field in the ELF header to store ABI or other architecture-specific
++ information that should be preserved in core dumps.
++
+ endmenu
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 264fba0d44bdf..c126e3d0e7018 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -103,6 +103,21 @@ static struct linux_binfmt elf_format = {
+
+ #define BAD_ADDR(x) (unlikely((unsigned long)(x) >= TASK_SIZE))
+
++static inline void elf_coredump_set_mm_eflags(struct mm_struct *mm, u32 flags)
++{
++#ifdef CONFIG_ARCH_HAS_ELF_CORE_EFLAGS
++ mm->saved_e_flags = flags;
++#endif
++}
++
++static inline u32 elf_coredump_get_mm_eflags(struct mm_struct *mm, u32 flags)
++{
++#ifdef CONFIG_ARCH_HAS_ELF_CORE_EFLAGS
++ flags = mm->saved_e_flags;
++#endif
++ return flags;
++}
++
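Review bot: elf_coredump_set_mm_eflags() and elf_coredump_get_mm_eflags() take and return `u32`, but the field they access, `mm->saved_e_flags` in the mm_types.h hunk at `@@ -1107,6 +1107,11 @@`, is declared `unsigned long`; the mismatch is harmless today but invites a silent truncation if the accessors ever widen, so declare it `u32 saved_e_flags;` to match e_flags. The getter's shape — taking a fallback `flags` and returning either it or the saved value — is unusual and the #ifdef hides it at the call site in fill_note_info(); a one-line kernel-doc such as `/* Return the e_flags saved at exec time, or @flags when the arch does not preserve them. */` would make the behaviour explicit.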
+ /*
+ * We need to explicitly zero any trailing portion of the page that follows
+ * p_filesz when it ends before the page ends (e.g. bss), otherwise this
+@@ -1290,6 +1305,8 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ mm->end_data = end_data;
+ mm->start_stack = bprm->p;
+
++ elf_coredump_set_mm_eflags(mm, elf_ex->e_flags);
++
+ /**
+ * DOC: "brk" handling
+ *
+@@ -1804,6 +1821,8 @@ static int fill_note_info(struct elfhdr *elf, int phdrs,
+ struct elf_thread_core_info *t;
+ struct elf_prpsinfo *psinfo;
+ struct core_thread *ct;
++ u16 machine;
++ u32 flags;
+
+ psinfo = kmalloc(sizeof(*psinfo), GFP_KERNEL);
+ if (!psinfo)
+@@ -1831,17 +1850,26 @@ static int fill_note_info(struct elfhdr *elf, int phdrs,
+ return 0;
+ }
+
+- /*
+- * Initialize the ELF file header.
+- */
+- fill_elf_header(elf, phdrs,
+- view->e_machine, view->e_flags);
++ machine = view->e_machine;
++ flags = view->e_flags;
+ #else
+ view = NULL;
+ info->thread_notes = 2;
+- fill_elf_header(elf, phdrs, ELF_ARCH, ELF_CORE_EFLAGS);
++ machine = ELF_ARCH;
++ flags = ELF_CORE_EFLAGS;
+ #endif
+
++ /*
++ * Override ELF e_flags with value taken from process,
++ * if arch needs that.
++ */
++ flags = elf_coredump_get_mm_eflags(dump_task->mm, flags);
++
++ /*
++ * Initialize the ELF file header.
++ */
++ fill_elf_header(elf, phdrs, machine, flags);
++
+ /*
+ * Allocate a structure for each thread.
+ */
+diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
+index a643fae8a3494..7f625c35128be 100644
+--- a/include/linux/mm_types.h
++++ b/include/linux/mm_types.h
+@@ -1107,6 +1107,11 @@ struct mm_struct {
+
+ unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */
+
++#ifdef CONFIG_ARCH_HAS_ELF_CORE_EFLAGS
++ /* the ABI-related flags from the ELF header. Used for core dump */
++ unsigned long saved_e_flags;
++#endif
++
+ struct percpu_counter rss_stat[NR_MM_COUNTERS];
+
+ struct linux_binfmt *binfmt;
+--
+2.51.0
+
--- /dev/null
+From 6bdff593fefe5d2206a689b580132e55189a3f47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 17:07:00 -0700
+Subject: bpf: Replace bpf_map_kmalloc_node() with kmalloc_nolock() to allocate
+ bpf_async_cb structures.
+
+From: Alexei Starovoitov <ast@kernel.org>
+
+[ Upstream commit 5fb750e8a9ae123b2034771b864b8a21dbef65cd ]
+
+The following kmemleak splat:
+
+[ 8.105530] kmemleak: Trying to color unknown object at 0xff11000100e918c0 as Black
+[ 8.106521] Call Trace:
+[ 8.106521] <TASK>
+[ 8.106521] dump_stack_lvl+0x4b/0x70
+[ 8.106521] kvfree_call_rcu+0xcb/0x3b0
+[ 8.106521] ? hrtimer_cancel+0x21/0x40
+[ 8.106521] bpf_obj_free_fields+0x193/0x200
+[ 8.106521] htab_map_update_elem+0x29c/0x410
+[ 8.106521] bpf_prog_cfc8cd0f42c04044_overwrite_cb+0x47/0x4b
+[ 8.106521] bpf_prog_8c30cd7c4db2e963_overwrite_timer+0x65/0x86
+[ 8.106521] bpf_prog_test_run_syscall+0xe1/0x2a0
+
+happens due to the combination of features and fixes, but mainly due to
+commit 6d78b4473cdb ("bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()")
+It's using __GFP_HIGH, which instructs slub/kmemleak internals to skip
+kmemleak_alloc_recursive() on allocation, so subsequent kfree_rcu()->
+kvfree_call_rcu()->kmemleak_ignore() complains with the above splat.
+
+To fix this imbalance, replace bpf_map_kmalloc_node() with
+kmalloc_nolock() and kfree_rcu() with call_rcu() + kfree_nolock() to
+make sure that the objects allocated with kmalloc_nolock() are freed
+with kfree_nolock() rather than the implicit kfree() that kfree_rcu()
+uses internally.
+
+Note, the kmalloc_nolock() happens under bpf_spin_lock_irqsave(), so
+it will always fail in PREEMPT_RT. This is not an issue at the moment,
+since bpf_timers are disabled in PREEMPT_RT. In the future
+bpf_spin_lock will be replaced with state machine similar to
+bpf_task_work.
+
+Fixes: 6d78b4473cdb ("bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()")
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Shakeel Butt <shakeel.butt@linux.dev>
+Acked-by: Harry Yoo <harry.yoo@oracle.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: linux-mm@kvack.org
+Link: https://lore.kernel.org/bpf/20251015000700.28988-1-alexei.starovoitov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf.h | 4 ++++
+ kernel/bpf/helpers.c | 25 ++++++++++++++-----------
+ kernel/bpf/syscall.c | 15 +++++++++++++++
+ 3 files changed, 33 insertions(+), 11 deletions(-)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index 84826dc0a3268..6d6fbb057d431 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -2473,6 +2473,8 @@ int bpf_map_alloc_pages(const struct bpf_map *map, int nid,
+ #ifdef CONFIG_MEMCG
+ void *bpf_map_kmalloc_node(const struct bpf_map *map, size_t size, gfp_t flags,
+ int node);
++void *bpf_map_kmalloc_nolock(const struct bpf_map *map, size_t size, gfp_t flags,
++ int node);
+ void *bpf_map_kzalloc(const struct bpf_map *map, size_t size, gfp_t flags);
+ void *bpf_map_kvcalloc(struct bpf_map *map, size_t n, size_t size,
+ gfp_t flags);
+@@ -2485,6 +2487,8 @@ void __percpu *bpf_map_alloc_percpu(const struct bpf_map *map, size_t size,
+ */
+ #define bpf_map_kmalloc_node(_map, _size, _flags, _node) \
+ kmalloc_node(_size, _flags, _node)
++#define bpf_map_kmalloc_nolock(_map, _size, _flags, _node) \
++ kmalloc_nolock(_size, _flags, _node)
+ #define bpf_map_kzalloc(_map, _size, _flags) \
+ kzalloc(_size, _flags)
+ #define bpf_map_kvcalloc(_map, _n, _size, _flags) \
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index 9c750a6a895bf..57129fd8ec544 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -1216,13 +1216,20 @@ static void bpf_wq_work(struct work_struct *work)
+ rcu_read_unlock_trace();
+ }
+
++static void bpf_async_cb_rcu_free(struct rcu_head *rcu)
++{
++ struct bpf_async_cb *cb = container_of(rcu, struct bpf_async_cb, rcu);
++
++ kfree_nolock(cb);
++}
++
+ static void bpf_wq_delete_work(struct work_struct *work)
+ {
+ struct bpf_work *w = container_of(work, struct bpf_work, delete_work);
+
+ cancel_work_sync(&w->work);
+
+- kfree_rcu(w, cb.rcu);
++ call_rcu(&w->cb.rcu, bpf_async_cb_rcu_free);
+ }
+
+ static void bpf_timer_delete_work(struct work_struct *work)
+@@ -1231,13 +1238,13 @@ static void bpf_timer_delete_work(struct work_struct *work)
+
+ /* Cancel the timer and wait for callback to complete if it was running.
+ * If hrtimer_cancel() can be safely called it's safe to call
+- * kfree_rcu(t) right after for both preallocated and non-preallocated
++ * call_rcu() right after for both preallocated and non-preallocated
+ * maps. The async->cb = NULL was already done and no code path can see
+ * address 't' anymore. Timer if armed for existing bpf_hrtimer before
+ * bpf_timer_cancel_and_free will have been cancelled.
+ */
+ hrtimer_cancel(&t->timer);
+- kfree_rcu(t, cb.rcu);
++ call_rcu(&t->cb.rcu, bpf_async_cb_rcu_free);
+ }
+
+ static int __bpf_async_init(struct bpf_async_kern *async, struct bpf_map *map, u64 flags,
+@@ -1271,11 +1278,7 @@ static int __bpf_async_init(struct bpf_async_kern *async, struct bpf_map *map, u
+ goto out;
+ }
+
+- /* Allocate via bpf_map_kmalloc_node() for memcg accounting. Until
+- * kmalloc_nolock() is available, avoid locking issues by using
+- * __GFP_HIGH (GFP_ATOMIC & ~__GFP_RECLAIM).
+- */
+- cb = bpf_map_kmalloc_node(map, size, __GFP_HIGH, map->numa_node);
++ cb = bpf_map_kmalloc_nolock(map, size, 0, map->numa_node);
+ if (!cb) {
+ ret = -ENOMEM;
+ goto out;
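Review bot: The replaced call `cb = bpf_map_kmalloc_nolock(map, size, 0, map->numa_node);` also drops the comment that explained the allocation constraints, leaving no hint that this runs under bpf_spin_lock_irqsave() and that, per the commit message, kmalloc_nolock() always fails there on PREEMPT_RT. Restore a comment carrying that information, e.g. `/* Called under bpf_spin_lock_irqsave(): kmalloc_nolock() is the only allocator usable here; it always fails on PREEMPT_RT, where bpf timers are disabled anyway. */`. The enclosing __bpf_async_init() starts before the hunk.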
+@@ -1316,7 +1319,7 @@ static int __bpf_async_init(struct bpf_async_kern *async, struct bpf_map *map, u
+ * or pinned in bpffs.
+ */
+ WRITE_ONCE(async->cb, NULL);
+- kfree(cb);
++ kfree_nolock(cb);
+ ret = -EPERM;
+ }
+ out:
+@@ -1581,7 +1584,7 @@ void bpf_timer_cancel_and_free(void *val)
+ * timer _before_ calling us, such that failing to cancel it here will
+ * cause it to possibly use struct hrtimer after freeing bpf_hrtimer.
+ * Therefore, we _need_ to cancel any outstanding timers before we do
+- * kfree_rcu, even though no more timers can be armed.
++ * call_rcu, even though no more timers can be armed.
+ *
+ * Moreover, we need to schedule work even if timer does not belong to
+ * the calling callback_fn, as on two different CPUs, we can end up in a
+@@ -1608,7 +1611,7 @@ void bpf_timer_cancel_and_free(void *val)
+ * completion.
+ */
+ if (hrtimer_try_to_cancel(&t->timer) >= 0)
+- kfree_rcu(t, cb.rcu);
++ call_rcu(&t->cb.rcu, bpf_async_cb_rcu_free);
+ else
+ queue_work(system_unbound_wq, &t->cb.delete_work);
+ } else {
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 0fbfa8532c392..0002fd4e5ad3f 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -518,6 +518,21 @@ void *bpf_map_kmalloc_node(const struct bpf_map *map, size_t size, gfp_t flags,
+ return ptr;
+ }
+
++void *bpf_map_kmalloc_nolock(const struct bpf_map *map, size_t size, gfp_t flags,
++ int node)
++{
++ struct mem_cgroup *memcg, *old_memcg;
++ void *ptr;
++
++ memcg = bpf_map_get_memcg(map);
++ old_memcg = set_active_memcg(memcg);
++ ptr = kmalloc_nolock(size, flags | __GFP_ACCOUNT, node);
++ set_active_memcg(old_memcg);
++ mem_cgroup_put(memcg);
++
++ return ptr;
++}
++
+ void *bpf_map_kzalloc(const struct bpf_map *map, size_t size, gfp_t flags)
+ {
+ struct mem_cgroup *memcg, *old_memcg;
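Review bot: bpf_map_kmalloc_nolock() is a new non-static function with no kernel-doc, and this part of the series shows no header hunk declaring it; if the prototype is not added elsewhere in the patch, helpers.c will call it without a declaration. Its body duplicates bpf_map_kmalloc_node() above (whose end is the top of this hunk) except for the allocator call, so a comment tying the two together, e.g. `/* Like bpf_map_kmalloc_node() but backed by kmalloc_nolock(); __GFP_ACCOUNT is always added for memcg accounting. */`, would help readers and reviewers keep them in sync.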
+--
+2.51.0
+
--- /dev/null
+From fce158b82f4a31657511b44f93f2f45546f03d62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 00:07:42 -0700
+Subject: cgroup/misc: fix misc_res_type kernel-doc warning
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 0fbbcab7f9082cdc233da5e5e353f69830f11956 ]
+
+Format the kernel-doc for SCALE_HW_CALIB_INVALID correctly to
+avoid a kernel-doc warning:
+
+Warning: include/linux/misc_cgroup.h:26 Enum value
+ 'MISC_CG_RES_TDX' not described in enum 'misc_res_type'
+
+Fixes: 7c035bea9407 ("KVM: TDX: Register TDX host key IDs to cgroup misc controller")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/misc_cgroup.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/misc_cgroup.h b/include/linux/misc_cgroup.h
+index 71cf5bfc6349d..0cb36a3ffc479 100644
+--- a/include/linux/misc_cgroup.h
++++ b/include/linux/misc_cgroup.h
+@@ -19,7 +19,7 @@ enum misc_res_type {
+ MISC_CG_RES_SEV_ES,
+ #endif
+ #ifdef CONFIG_INTEL_TDX_HOST
+- /* Intel TDX HKIDs resource */
++ /** @MISC_CG_RES_TDX: Intel TDX HKIDs resource */
+ MISC_CG_RES_TDX,
+ #endif
+ /** @MISC_CG_RES_TYPES: count of enum misc_res_type constants */
+--
+2.51.0
+
--- /dev/null
+From b3d71f453687318b7e68d76930748caad33693f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 11:21:52 -0400
+Subject: dlm: check for defined force value in dlm_lockspace_release
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 6af515c9f3ccec3eb8a262ca86bef2c499d07951 ]
+
+Force values over 3 are undefined, so don't treat them as 3.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index 1929327ffbe1c..ee11a70def92d 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -730,7 +730,7 @@ static int release_lockspace(struct dlm_ls *ls, int force)
+
+ dlm_device_deregister(ls);
+
+- if (force < 3 && dlm_user_daemon_available())
++ if (force != 3 && dlm_user_daemon_available())
+ do_uevent(ls, 0);
+
+ dlm_recoverd_stop(ls);
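Review bot: with `force != 3`, values above 3 now take the uevent path together with 0-2 instead of being rejected, although the commit message calls them undefined. If the caller does not already validate `force`, making the invariant explicit at the top of release_lockspace(), `if (force > 3) return -EINVAL;` or a WARN_ON_ONCE(), would avoid relying on a comparison to encode it; the function starts outside the hunk, so any existing validation is not visible here.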
+--
+2.51.0
+
--- /dev/null
+From 2e08949a7a9fbe258ea679c0712498cb7dbbe4a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 11:22:12 -0400
+Subject: dlm: move to rinfo for all middle conversion cases
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit a8abcff174f7f9ce4587c6451b1a2450d01f52c9 ]
+
+Since commit f74dacb4c8116 ("dlm: fix recovery of middle conversions")
+we introduced additional debugging information if we hit the middle
+conversion by using log_limit(). The DLM log_limit() functionality
+requires a DLM debug option being enabled. As this case is so rare, and
+to catch any potentially introduced new issue with recovery, we switch it
+to log_rinfo() as this is ratelimited under normal DLM loglevel.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lock.c | 2 +-
+ fs/dlm/recover.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
+index 6dd3a524cd352..be938fdf17d96 100644
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -5576,7 +5576,7 @@ static int receive_rcom_lock_args(struct dlm_ls *ls, struct dlm_lkb *lkb,
+
+ if (rl->rl_status == DLM_LKSTS_CONVERT && middle_conversion(lkb)) {
+ /* We may need to adjust grmode depending on other granted locks. */
+- log_limit(ls, "%s %x middle convert gr %d rq %d remote %d %x",
++ log_rinfo(ls, "%s %x middle convert gr %d rq %d remote %d %x",
+ __func__, lkb->lkb_id, lkb->lkb_grmode,
+ lkb->lkb_rqmode, lkb->lkb_nodeid, lkb->lkb_remid);
+ rsb_set_flag(r, RSB_RECOVER_CONVERT);
+diff --git a/fs/dlm/recover.c b/fs/dlm/recover.c
+index be4240f09abd4..3ac020fb8139e 100644
+--- a/fs/dlm/recover.c
++++ b/fs/dlm/recover.c
+@@ -842,7 +842,7 @@ static void recover_conversion(struct dlm_rsb *r)
+ */
+ if (((lkb->lkb_grmode == DLM_LOCK_PR) && (other_grmode == DLM_LOCK_CW)) ||
+ ((lkb->lkb_grmode == DLM_LOCK_CW) && (other_grmode == DLM_LOCK_PR))) {
+- log_limit(ls, "%s %x gr %d rq %d, remote %d %x, other_lkid %u, other gr %d, set gr=NL",
++ log_rinfo(ls, "%s %x gr %d rq %d, remote %d %x, other_lkid %u, other gr %d, set gr=NL",
+ __func__, lkb->lkb_id, lkb->lkb_grmode,
+ lkb->lkb_rqmode, lkb->lkb_nodeid,
+ lkb->lkb_remid, other_lkid, other_grmode);
+--
+2.51.0
+
--- /dev/null
+From 6f18e6ed0827db2c6d044a30d67eabe0bcca2ce0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 18:14:19 +0800
+Subject: drivers/perf: hisi: Relax the event ID check in the framework
+
+From: Yicong Yang <yangyicong@hisilicon.com>
+
+[ Upstream commit 43de0ac332b815cf56dbdce63687de9acfd35d49 ]
+
+Event ID is only using the attr::config bit [7, 0] but we check the
+event range using the whole 64bit field. It blocks the usage of the
+rest field of attr::config. Relax the check by only using the
+bit [7, 0].
+
+Acked-by: Jonathan Cameron <jonathan.cameron@huawei.com>
+Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
+Signed-off-by: Yushan Wang <wangyushan12@huawei.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/hisilicon/hisi_uncore_pmu.c | 2 +-
+ drivers/perf/hisilicon/hisi_uncore_pmu.h | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/perf/hisilicon/hisi_uncore_pmu.c b/drivers/perf/hisilicon/hisi_uncore_pmu.c
+index a449651f79c9f..6594d64b03a9e 100644
+--- a/drivers/perf/hisilicon/hisi_uncore_pmu.c
++++ b/drivers/perf/hisilicon/hisi_uncore_pmu.c
+@@ -234,7 +234,7 @@ int hisi_uncore_pmu_event_init(struct perf_event *event)
+ return -EINVAL;
+
+ hisi_pmu = to_hisi_pmu(event->pmu);
+- if (event->attr.config > hisi_pmu->check_event)
++ if ((event->attr.config & HISI_EVENTID_MASK) > hisi_pmu->check_event)
+ return -EINVAL;
+
+ if (hisi_pmu->on_cpu == -1)
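Review bot: the masked comparison means bits 63:8 of the userspace-supplied attr::config are no longer rejected by the framework, so each driver that decodes those bits has to validate its own sub-fields, and nothing in this hunk records that contract. A comment on the check, e.g. `/* Only bits [7:0] hold the event ID; the remaining config bits are driver-defined and must be validated by the driver. */`, would make it explicit. hisi_uncore_pmu_event_init() starts and ends outside the hunk.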
+diff --git a/drivers/perf/hisilicon/hisi_uncore_pmu.h b/drivers/perf/hisilicon/hisi_uncore_pmu.h
+index 777675838b808..e69660f72be67 100644
+--- a/drivers/perf/hisilicon/hisi_uncore_pmu.h
++++ b/drivers/perf/hisilicon/hisi_uncore_pmu.h
+@@ -43,7 +43,8 @@
+ return FIELD_GET(GENMASK_ULL(hi, lo), event->attr.config); \
+ }
+
+-#define HISI_GET_EVENTID(ev) (ev->hw.config_base & 0xff)
++#define HISI_EVENTID_MASK GENMASK(7, 0)
++#define HISI_GET_EVENTID(ev) ((ev)->hw.config_base & HISI_EVENTID_MASK)
+
+ #define HISI_PMU_EVTYPE_BITS 8
+ #define HISI_PMU_EVTYPE_SHIFT(idx) ((idx) % 4 * HISI_PMU_EVTYPE_BITS)
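Review bot: HISI_EVENTID_MASK is defined with GENMASK() while the accessor macro a few lines above uses GENMASK_ULL() for the same 64-bit attr::config field. `#define HISI_EVENTID_MASK GENMASK_ULL(7, 0)` keeps the header consistent; in practice it only matters on a 32-bit build, which this driver presumably never sees, but the mixed forms invite questions.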
+--
+2.51.0
+
--- /dev/null
+From 71e2f237f283695de37cc95d28c2267d6cc98a8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Aug 2025 15:36:09 +0800
+Subject: exec: Fix incorrect type for ret
+
+From: Xichao Zhao <zhao.xichao@vivo.com>
+
+[ Upstream commit 5e088248375d171b80c643051e77ade6b97bc386 ]
+
+In the setup_arg_pages(), ret is declared as an unsigned long.
+The ret might take a negative value. Therefore, its type should
+be changed to int.
+
+Signed-off-by: Xichao Zhao <zhao.xichao@vivo.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20250825073609.219855-1-zhao.xichao@vivo.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index a69a2673f6311..1515e0585e259 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -599,7 +599,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ unsigned long stack_top,
+ int executable_stack)
+ {
+- unsigned long ret;
++ int ret;
+ unsigned long stack_shift;
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma = bprm->vma;
+--
+2.51.0
+
--- /dev/null
+From ea41b9cbeae0df8de635bd8f66f2671017ab638b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Oct 2025 15:19:07 +0200
+Subject: expfs: Fix exportfs_can_encode_fh() for EXPORT_FH_FID
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 48b77733d0dbaf8cd0a122712072f92b2d95d894 ]
+
+After commit 5402c4d4d200 ("exportfs: require ->fh_to_parent() to encode
+connectable file handles") we will fail to create non-decodable file
+handles for filesystems without export operations. Fix it.
+
+Fixes: 5402c4d4d200 ("exportfs: require ->fh_to_parent() to encode connectable file handles")
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/exportfs.h | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/exportfs.h b/include/linux/exportfs.h
+index cfb0dd1ea49c7..b80286a73d0a9 100644
+--- a/include/linux/exportfs.h
++++ b/include/linux/exportfs.h
+@@ -314,9 +314,6 @@ static inline bool exportfs_can_decode_fh(const struct export_operations *nop)
+ static inline bool exportfs_can_encode_fh(const struct export_operations *nop,
+ int fh_flags)
+ {
+- if (!nop)
+- return false;
+-
+ /*
+ * If a non-decodeable file handle was requested, we only need to make
+ * sure that filesystem did not opt-out of encoding fid.
+@@ -324,6 +321,10 @@ static inline bool exportfs_can_encode_fh(const struct export_operations *nop,
+ if (fh_flags & EXPORT_FH_FID)
+ return exportfs_can_encode_fid(nop);
+
++ /* Normal file handles cannot be created without export ops */
++ if (!nop)
++ return false;
++
+ /*
+ * If a connectable file handle was requested, we need to make sure that
+ * filesystem can also decode connected file handles.
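Review bot: exportfs_can_encode_fid(nop) is now reached with nop == NULL, since the NULL check moved below it; the helper is not in this hunk, so its NULL tolerance should be confirmed rather than assumed, otherwise the patch relocates the dereference instead of removing it. A comment on the EXPORT_FH_FID branch, e.g. `/* nop may be NULL here: fid encoding needs no export ops unless the fs opted out. */`, would record the intent for the next reader.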
+--
+2.51.0
+
--- /dev/null
+From b779efd620357797ddb956cd68d95debe4608a0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Aug 2025 23:34:03 +0200
+Subject: gfs2: Fix unlikely race in gdlm_put_lock
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit 28c4d9bc0708956c1a736a9e49fee71b65deee81 ]
+
+In gdlm_put_lock(), there is a small window of time in which the
+DFL_UNMOUNT flag has been set but the lockspace hasn't been released,
+yet. In that window, dlm may still call gdlm_ast() and gdlm_bast().
+To prevent it from dereferencing freed glock objects, only free the
+glock if the lockspace has actually been released.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Reviewed-by: Andrew Price <anprice@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/lock_dlm.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/fs/gfs2/lock_dlm.c b/fs/gfs2/lock_dlm.c
+index 6db37c20587d1..570e5ae6b73df 100644
+--- a/fs/gfs2/lock_dlm.c
++++ b/fs/gfs2/lock_dlm.c
+@@ -361,12 +361,6 @@ static void gdlm_put_lock(struct gfs2_glock *gl)
+ gfs2_sbstats_inc(gl, GFS2_LKS_DCOUNT);
+ gfs2_update_request_times(gl);
+
+- /* don't want to call dlm if we've unmounted the lock protocol */
+- if (test_bit(DFL_UNMOUNT, &ls->ls_recover_flags)) {
+- gfs2_glock_free(gl);
+- return;
+- }
+-
+ /*
+ * When the lockspace is released, all remaining glocks will be
+ * unlocked automatically. This is more efficient than unlocking them
+@@ -396,6 +390,11 @@ static void gdlm_put_lock(struct gfs2_glock *gl)
+ goto again;
+ }
+
++ if (error == -ENODEV) {
++ gfs2_glock_free(gl);
++ return;
++ }
++
+ if (error) {
+ fs_err(sdp, "gdlm_unlock %x,%llx err=%d\n",
+ gl->gl_name.ln_type,
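Review bot: the new `error == -ENODEV` branch replaces the DFL_UNMOUNT early return removed in the first hunk, but nothing says why -ENODEV is the signal that the glock may be freed. A comment such as `/* -ENODEV: the lockspace is already released, so dlm holds no reference to gl and the glock can be freed. */` captures the commit's reasoning. It is also worth confirming that a released lockspace is reported only as -ENODEV, since any other error now falls into the fs_err() path below. gdlm_put_lock() starts and ends outside the hunk.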
+--
+2.51.0
+
--- /dev/null
+From 10c4fa2d72b0c10e89eb23c1650d32f9e0f6bbb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 12:49:19 -0700
+Subject: hfs: clear offset and space out of valid records in b-tree node
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 18b07c44f245beb03588b00b212b38fce9af7cc9 ]
+
+Currently, hfs_brec_remove() executes moving records
+towards the location of deleted record and it updates
+offsets of moved records. However, the hfs_brec_remove()
+logic ignores the "mess" of b-tree node's free space and
+it doesn't touch the offsets out of records number.
+Potentially, it could confuse fsck or driver logic or
+be a cause of potential corruption cases.
+
+This patch reworks the logic of hfs_brec_remove()
+by means of clearing freed space of b-tree node
+after the records moving. And it clear the last
+offset that keeping old location of free space
+because now the offset before this one is keeping
+the actual offset to the free space after the record
+deletion.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250815194918.38165-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/brec.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
+index 896396554bcc1..b01db1fae147c 100644
+--- a/fs/hfs/brec.c
++++ b/fs/hfs/brec.c
+@@ -179,6 +179,7 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ struct hfs_btree *tree;
+ struct hfs_bnode *node, *parent;
+ int end_off, rec_off, data_off, size;
++ int src, dst, len;
+
+ tree = fd->tree;
+ node = fd->bnode;
+@@ -208,10 +209,14 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ }
+ hfs_bnode_write_u16(node, offsetof(struct hfs_bnode_desc, num_recs), node->num_recs);
+
+- if (rec_off == end_off)
+- goto skip;
+ size = fd->keylength + fd->entrylength;
+
++ if (rec_off == end_off) {
++ src = fd->keyoffset;
++ hfs_bnode_clear(node, src, size);
++ goto skip;
++ }
++
+ do {
+ data_off = hfs_bnode_read_u16(node, rec_off);
+ hfs_bnode_write_u16(node, rec_off + 2, data_off - size);
+@@ -219,9 +224,23 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ } while (rec_off >= end_off);
+
+ /* fill hole */
+- hfs_bnode_move(node, fd->keyoffset, fd->keyoffset + size,
+- data_off - fd->keyoffset - size);
++ dst = fd->keyoffset;
++ src = fd->keyoffset + size;
++ len = data_off - src;
++
++ hfs_bnode_move(node, dst, src, len);
++
++ src = dst + len;
++ len = data_off - src;
++
++ hfs_bnode_clear(node, src, len);
++
+ skip:
++ /*
++ * Remove the obsolete offset to free space.
++ */
++ hfs_bnode_write_u16(node, end_off, 0);
++
+ hfs_bnode_dump(node);
+ if (!fd->record)
+ hfs_brec_update_parent(fd);
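Review bot: the second hfs_bnode_clear() call clears exactly `size` bytes ending at data_off (after the move, `src = dst + len` equals `data_off - size` and the recomputed `len` equals `size`), but the reuse of src/len hides that. Writing it as `hfs_bnode_clear(node, data_off - size, size);` with a comment like `/* zero the stale tail left behind by the move */` makes the intent obvious. Neither this hunk nor the previous one bounds-checks keyoffset, size, data_off or end_off against the node size before moving, clearing or writing; if those values come from on-disk data, a guard like the one the hfsplus bmap_alloc patch later in this series adds would be prudent. hfs_brec_remove() starts outside the hunk.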
+--
+2.51.0
+
--- /dev/null
+From c590875bc0905bece16cfd70414be46556206c9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Aug 2025 16:06:38 -0700
+Subject: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd ]
+
+The syzbot reported issue in hfs_find_set_zero_bits():
+
+=====================================================
+BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
+ hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
+ hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151
+ hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408
+ hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353
+ __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151
+ block_write_begin fs/buffer.c:2262 [inline]
+ cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601
+ hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
+ cont_expand_zero fs/buffer.c:2528 [inline]
+ cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591
+ hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
+ hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494
+ hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654
+ notify_change+0x1993/0x1aa0 fs/attr.c:552
+ do_truncate+0x28f/0x310 fs/open.c:68
+ do_ftruncate+0x698/0x730 fs/open.c:195
+ do_sys_ftruncate fs/open.c:210 [inline]
+ __do_sys_ftruncate fs/open.c:215 [inline]
+ __se_sys_ftruncate fs/open.c:213 [inline]
+ __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213
+ x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:4154 [inline]
+ slab_alloc_node mm/slub.c:4197 [inline]
+ __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354
+ kmalloc_noprof include/linux/slab.h:905 [inline]
+ hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175
+ hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337
+ get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681
+ get_tree_bdev+0x38/0x50 fs/super.c:1704
+ hfs_get_tree+0x35/0x40 fs/hfs/super.c:388
+ vfs_get_tree+0xb0/0x5c0 fs/super.c:1804
+ do_new_mount+0x738/0x1610 fs/namespace.c:3902
+ path_mount+0x6db/0x1e90 fs/namespace.c:4226
+ do_mount fs/namespace.c:4239 [inline]
+ __do_sys_mount fs/namespace.c:4450 [inline]
+ __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427
+ __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427
+ x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
+=====================================================
+
+The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():
+
+HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
+
+Finally, it can trigger the reported issue because kmalloc()
+doesn't clear the allocated memory. If allocated memory contains
+only zeros, then everything will work pretty fine.
+But if the allocated memory contains the "garbage", then
+it can affect the bitmap operations and it triggers
+the reported issue.
+
+This patch simply replaces kmalloc() with kzalloc()
+with the goal of guaranteeing the correctness of bitmap operations,
+because a newly created allocation bitmap should have all
+available blocks free. Potentially, the initial read of the bitmap
+could fail to fill the whole allocated memory, and
+"garbage" in the uninitialized memory would be the cause of
+volume corruptions and file system driver bugs.
+
+Reported-by: syzbot <syzbot+773fa9d79b29bd8b6831@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=773fa9d79b29bd8b6831
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250820230636.179085-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/mdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
+index 8082eb01127cd..bf811347bb07d 100644
+--- a/fs/hfs/mdb.c
++++ b/fs/hfs/mdb.c
+@@ -172,7 +172,7 @@ int hfs_mdb_get(struct super_block *sb)
+ pr_warn("continuing without an alternate MDB\n");
+ }
+
+- HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
++ HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL);
+ if (!HFS_SB(sb)->bitmap)
+ goto out;
+
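Review bot: zero-filling means any part of the 8192-byte bitmap that the later read does not populate reads as "all blocks free", so a short or failed bitmap read would now be silent where it previously produced a KMSAN report. The read path is not in this hunk; it should verify that it filled the buffer (or fail the mount) so zeroed memory is never taken as valid allocation state. `8192` is also a magic number; a named constant with a comment on why the bitmap is this size would be clearer. hfs_mdb_get() starts and ends outside the hunk.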
+--
+2.51.0
+
--- /dev/null
+From 48666f713d14ab9c2913eb7192a9e25459d53361 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 15:52:52 -0700
+Subject: hfs: make proper initalization of struct hfs_find_data
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit c62663a986acee7c4485c1fa9de5fc40194b6290 ]
+
+Potenatially, __hfs_ext_read_extent() could operate by
+not initialized values of fd->key after hfs_brec_find() call:
+
+static inline int __hfs_ext_read_extent(struct hfs_find_data *fd, struct hfs_extent *extent,
+ u32 cnid, u32 block, u8 type)
+{
+ int res;
+
+ hfs_ext_build_key(fd->search_key, cnid, block, type);
+ fd->key->ext.FNum = 0;
+ res = hfs_brec_find(fd);
+ if (res && res != -ENOENT)
+ return res;
+ if (fd->key->ext.FNum != fd->search_key->ext.FNum ||
+ fd->key->ext.FkType != fd->search_key->ext.FkType)
+ return -ENOENT;
+ if (fd->entrylength != sizeof(hfs_extent_rec))
+ return -EIO;
+ hfs_bnode_read(fd->bnode, extent, fd->entryoffset, sizeof(hfs_extent_rec));
+ return 0;
+}
+
+This patch changes kmalloc() to kzalloc() in hfs_find_init()
+and initializes fd->record, fd->keyoffset, fd->keylength,
+fd->entryoffset, fd->entrylength for the case in which hfs_brec_find()
+has found nothing in the b-tree node.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250818225252.126427-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/bfind.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c
+index 34e9804e0f360..e46f650b5e9c2 100644
+--- a/fs/hfs/bfind.c
++++ b/fs/hfs/bfind.c
+@@ -21,7 +21,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+
+ fd->tree = tree;
+ fd->bnode = NULL;
+- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+@@ -115,6 +115,12 @@ int hfs_brec_find(struct hfs_find_data *fd)
+ __be32 data;
+ int height, res;
+
++ fd->record = -1;
++ fd->keyoffset = -1;
++ fd->keylength = -1;
++ fd->entryoffset = -1;
++ fd->entrylength = -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
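Review bot: the -1 sentinels are assigned without a comment, and since keyoffset/entryoffset are later passed to hfs_bnode_read() by callers (as the commit message's excerpt shows), a caller that ignores a failing return would now read at a negative offset instead of a stale one. A comment such as `/* Reset to sentinels: these fields are only meaningful once the lookup below succeeds. */` documents the contract, and hfs_bnode_read() rejecting negative offsets (not in this hunk) would be the defensive complement. hfs_brec_find() continues outside the hunk.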
+--
+2.51.0
+
--- /dev/null
+From ec3e3fa5867b38c44e0d21413f937a58dc743b74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 22:17:34 +0800
+Subject: hfs: validate record offset in hfsplus_bmap_alloc
+
+From: Yang Chenzhi <yang.chenzhi@vivo.com>
+
+[ Upstream commit 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 ]
+
+hfsplus_bmap_alloc can trigger a crash if a
+record offset or length is larger than node_size
+
+[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0
+[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183
+[ 15.265949]
+[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)
+[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 15.266167] Call Trace:
+[ 15.266168] <TASK>
+[ 15.266169] dump_stack_lvl+0x53/0x70
+[ 15.266173] print_report+0xd0/0x660
+[ 15.266181] kasan_report+0xce/0x100
+[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0
+[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0
+[ 15.266217] hfsplus_brec_insert+0x870/0xb00
+[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570
+[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910
+[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200
+[ 15.266233] hfsplus_file_extend+0x5a7/0x1000
+[ 15.266237] hfsplus_get_block+0x12b/0x8c0
+[ 15.266238] __block_write_begin_int+0x36b/0x12c0
+[ 15.266251] block_write_begin+0x77/0x110
+[ 15.266252] cont_write_begin+0x428/0x720
+[ 15.266259] hfsplus_write_begin+0x51/0x100
+[ 15.266262] cont_write_begin+0x272/0x720
+[ 15.266270] hfsplus_write_begin+0x51/0x100
+[ 15.266274] generic_perform_write+0x321/0x750
+[ 15.266285] generic_file_write_iter+0xc3/0x310
+[ 15.266289] __kernel_write_iter+0x2fd/0x800
+[ 15.266296] dump_user_range+0x2ea/0x910
+[ 15.266301] elf_core_dump+0x2a94/0x2ed0
+[ 15.266320] vfs_coredump+0x1d85/0x45e0
+[ 15.266349] get_signal+0x12e3/0x1990
+[ 15.266357] arch_do_signal_or_restart+0x89/0x580
+[ 15.266362] irqentry_exit_to_user_mode+0xab/0x110
+[ 15.266364] asm_exc_page_fault+0x26/0x30
+[ 15.266366] RIP: 0033:0x41bd35
+[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f
+[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283
+[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000
+[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100
+[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000
+[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000
+[ 15.266376] </TASK>
+
+When calling hfsplus_bmap_alloc to allocate a free node, this function
+first retrieves the bitmap from header node and map node using node->page
+together with the offset and length from hfs_brec_lenoff
+
+```
+len = hfs_brec_lenoff(node, 2, &off16);
+off = off16;
+
+off += node->page_offset;
+pagep = node->page + (off >> PAGE_SHIFT);
+data = kmap_local_page(*pagep);
+```
+
+However, if the retrieved offset or length is invalid(i.e. exceeds
+node_size), the code may end up accessing pages outside the allocated
+range for this node.
+
+This patch adds proper validation of both offset and length before use,
+preventing out-of-bounds page access. Move is_bnode_offset_valid and
+check_and_correct_requested_length to hfsplus_fs.h, as they may be
+required by other functions.
+
+Reported-by: syzbot+356aed408415a56543cd@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67bcb4a6.050a0220.bbfd1.008f.GAE@google.com/
+Signed-off-by: Yang Chenzhi <yang.chenzhi@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250818141734.8559-2-yang.chenzhi@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/bnode.c | 41 ----------------------------------------
+ fs/hfsplus/btree.c | 6 ++++++
+ fs/hfsplus/hfsplus_fs.h | 42 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 48 insertions(+), 41 deletions(-)
+
+diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
+index 14f4995588ff0..407d5152eb411 100644
+--- a/fs/hfsplus/bnode.c
++++ b/fs/hfsplus/bnode.c
+@@ -18,47 +18,6 @@
+ #include "hfsplus_fs.h"
+ #include "hfsplus_raw.h"
+
+-static inline
+-bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
+-{
+- bool is_valid = off < node->tree->node_size;
+-
+- if (!is_valid) {
+- pr_err("requested invalid offset: "
+- "NODE: id %u, type %#x, height %u, "
+- "node_size %u, offset %d\n",
+- node->this, node->type, node->height,
+- node->tree->node_size, off);
+- }
+-
+- return is_valid;
+-}
+-
+-static inline
+-int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
+-{
+- unsigned int node_size;
+-
+- if (!is_bnode_offset_valid(node, off))
+- return 0;
+-
+- node_size = node->tree->node_size;
+-
+- if ((off + len) > node_size) {
+- int new_len = (int)node_size - off;
+-
+- pr_err("requested length has been corrected: "
+- "NODE: id %u, type %#x, height %u, "
+- "node_size %u, offset %d, "
+- "requested_len %d, corrected_len %d\n",
+- node->this, node->type, node->height,
+- node->tree->node_size, off, len, new_len);
+-
+- return new_len;
+- }
+-
+- return len;
+-}
+
+ /* Copy a specified range of bytes from the raw data of a node */
+ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
+diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
+index 9e1732a2b92a8..fe6a54c4083c3 100644
+--- a/fs/hfsplus/btree.c
++++ b/fs/hfsplus/btree.c
+@@ -393,6 +393,12 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
+ len = hfs_brec_lenoff(node, 2, &off16);
+ off = off16;
+
++ if (!is_bnode_offset_valid(node, off)) {
++ hfs_bnode_put(node);
++ return ERR_PTR(-EIO);
++ }
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ pagep = node->page + (off >> PAGE_SHIFT);
+ data = kmap_local_page(*pagep);
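Review bot: an out-of-range offset returns -EIO, but an oversize length is only clamped (with a pr_err inside the helper) and then used as the bitmap size; both indicate a corrupt header or map record, so treating a corrected length as a failure, `if (len != check_and_correct_requested_length(node, off, len)) { hfs_bnode_put(node); return ERR_PTR(-EIO); }`, would be more consistent than continuing with a truncated bitmap. Also confirm that callers of hfs_bmap_alloc() handle an ERR_PTR() return; the rest of the function and its callers are outside the hunk.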
+diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
+index 2311e4be4e865..9dd18de0bc891 100644
+--- a/fs/hfsplus/hfsplus_fs.h
++++ b/fs/hfsplus/hfsplus_fs.h
+@@ -581,6 +581,48 @@ hfsplus_btree_lock_class(struct hfs_btree *tree)
+ return class;
+ }
+
++static inline
++bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
++{
++ bool is_valid = off < node->tree->node_size;
++
++ if (!is_valid) {
++ pr_err("requested invalid offset: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off);
++ }
++
++ return is_valid;
++}
++
++static inline
++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
++{
++ unsigned int node_size;
++
++ if (!is_bnode_offset_valid(node, off))
++ return 0;
++
++ node_size = node->tree->node_size;
++
++ if ((off + len) > node_size) {
++ int new_len = (int)node_size - off;
++
++ pr_err("requested length has been corrected: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, "
++ "requested_len %d, corrected_len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len, new_len);
++
++ return new_len;
++ }
++
++ return len;
++}
++
+ /* compatibility */
+ #define hfsp_mt2ut(t) (struct timespec64){ .tv_sec = __hfsp_mt2ut(t) }
+ #define hfsp_ut2mt(t) __hfsp_ut2mt((t).tv_sec)
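Review bot: check_and_correct_requested_length() lets a negative `len` through unchanged whenever `off + len` is still non-negative, because only `(off + len) > node_size` is tested. If hfs_brec_lenoff() derives len from two on-disk record offsets, a corrupted image can produce that case, so a guard `if (len < 0) return 0;` (or reporting it like the oversize case) belongs next to the offset check. The comparison also mixes a signed `off + len` with the unsigned node_size, so a negative sum is silently treated as huge; comparing as int on both sides avoids the surprise. Both pr_err() calls fire on every bad record, so pr_err_ratelimited() may be preferable when mounting crafted images.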
+--
+2.51.0
+
--- /dev/null
+From ca538d008e40b8e8ff2254bc4ba3478d0728a13d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 15:52:32 -0700
+Subject: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 4840ceadef4290c56cc422f0fc697655f3cbf070 ]
+
+The syzbot reported issue in __hfsplus_ext_cache_extent():
+
+[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0
+[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.199771][ T9350] ksys_write+0x23e/0x490
+[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.202054][ T9350]
+[ 70.202279][ T9350] Uninit was created at:
+[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80
+[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0
+[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0
+[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.207961][ T9350] ksys_write+0x23e/0x490
+[ 70.208375][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.210230][ T9350]
+[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5
+[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.212115][ T9350] =====================================================
+[ 70.212734][ T9350] Disabling lock debugging due to kernel taint
+[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ...
+[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5
+[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE
+[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.215999][ T9350] Call Trace:
+[ 70.216309][ T9350] <TASK>
+[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0
+[ 70.217025][ T9350] dump_stack+0x1e/0x30
+[ 70.217421][ T9350] panic+0x502/0xca0
+[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+
+[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...
+ kernel
+:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+set ...
+[ 70.221254][ T9350] ? __msan_warning+0x96/0x120
+[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0
+[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0
+[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0
+[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950
+[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130
+[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060
+[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460
+[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0
+[ 70.228540][ T9350] ? vfs_write+0xb0f/0x14e0
+[ 70.228997][ T9350] ? ksys_write+0x23e/0x490
+[ 70.229458][ T9350] ? __x64_sys_write+0x97/0xf0
+[ 70.229939][ T9350] ? x64_sys_call+0x3015/0x3cf0
+[ 70.230432][ T9350] ? do_syscall_64+0xd9/0x1d0
+[ 70.230941][ T9350] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.231926][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.232738][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.233711][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.234516][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.235398][ T9350] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.236323][ T9350] ? hfsplus_brec_find+0x218/0x9f0
+[ 70.237090][ T9350] ? __pfx_hfs_find_rec_by_key+0x10/0x10
+[ 70.237938][ T9350] ? __msan_instrument_asm_store+0xbf/0xf0
+[ 70.238827][ T9350] ? __msan_metadata_ptr_for_store_4+0x27/0x40
+[ 70.239772][ T9350] ? __hfsplus_ext_write_extent+0x536/0x620
+[ 70.240666][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.241175][ T9350] __msan_warning+0x96/0x120
+[ 70.241645][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.242223][ T9350] hfsplus_file_extend+0x74f/0x1cf0
+[ 70.242748][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.243255][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.243878][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.244400][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.244967][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.245531][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10
+[ 70.246079][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.246598][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.247105][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10
+[ 70.247650][ T9350] ? __pfx_hfsplus_write_begin+0x10/0x10
+[ 70.248211][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.248752][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.249314][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.249856][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.250487][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.250930][ T9350] ? __pfx_generic_file_write_iter+0x10/0x10
+[ 70.251530][ T9350] ksys_write+0x23e/0x490
+[ 70.251974][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.252450][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.252924][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.253384][ T9350] ? irqentry_exit+0x16/0x60
+[ 70.253844][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.254430][ T9350] RIP: 0033:0x7f7a92adffc9
+[ 70.254873][ T9350] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
+[ 70.256674][ T9350] RSP: 002b:00007fff0bca3188 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
+[ 70.257485][ T9350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a92adffc9
+[ 70.258246][ T9350] RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000004
+[ 70.258998][ T9350] RBP: 00007fff0bca31a0 R08: 00007fff0bca31a0 R09: 00007fff0bca31a0
+[ 70.259769][ T9350] R10: 0000000000000000 R11: 0000000000000202 R12: 000055e0d75f8250
+[ 70.260520][ T9350] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 70.261286][ T9350] </TASK>
+[ 70.262026][ T9350] Kernel Offset: disabled
+
+(gdb) l *__hfsplus_ext_cache_extent+0x7d0
+0xffffffff8318aef0 is in __hfsplus_ext_cache_extent (fs/hfsplus/extents.c:168).
+163 fd->key->ext.cnid = 0;
+164 res = hfs_brec_find(fd, hfs_find_rec_by_key);
+165 if (res && res != -ENOENT)
+166 return res;
+167 if (fd->key->ext.cnid != fd->search_key->ext.cnid ||
+168 fd->key->ext.fork_type != fd->search_key->ext.fork_type)
+169 return -ENOENT;
+170 if (fd->entrylength != sizeof(hfsplus_extent_rec))
+171 return -EIO;
+172 hfs_bnode_read(fd->bnode, extent, fd->entryoffset,
+
+The __hfsplus_ext_cache_extent() calls __hfsplus_ext_read_extent():
+
+res = __hfsplus_ext_read_extent(fd, hip->cached_extents, inode->i_ino,
+ block, HFSPLUS_IS_RSRC(inode) ?
+ HFSPLUS_TYPE_RSRC :
+ HFSPLUS_TYPE_DATA);
+
+And if inode->i_ino could be equal to zero or any non-available CNID,
+then hfs_brec_find() could not find the record in the tree. As a result,
+fd->key could be compared with fd->search_key. But hfsplus_find_init()
+uses kmalloc() for fd->key and fd->search_key allocation:
+
+int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+{
+<skipped>
+ ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+ fd->key = ptr + tree->max_key_len + 2;
+<skipped>
+}
+
+Finally, fd->key is still not initialized if hfs_brec_find()
+has found nothing.
+
+This patch changes kmalloc() to kzalloc() in hfs_find_init()
+and initializes fd->record, fd->keyoffset, fd->keylength,
+fd->entryoffset and fd->entrylength for the case where
+hfs_brec_find() has found nothing in the b-tree node.
+
+Reported-by: syzbot <syzbot+55ad87f38795d6787521@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=55ad87f38795d6787521
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250818225232.126402-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/bfind.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c
+index 901e83d65d202..26ebac4c60424 100644
+--- a/fs/hfsplus/bfind.c
++++ b/fs/hfsplus/bfind.c
+@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+
+ fd->tree = tree;
+ fd->bnode = NULL;
+- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
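Review bot: Zero-filling the key buffer makes the read defined but not meaningful: after a failed lookup `fd->key` is all zeros, and the commit message itself notes that `inode->i_ino` can be 0, in which case the caller's `fd->key->ext.cnid != fd->search_key->ext.cnid` test passes spuriously and only the later entrylength check catches the miss. That is worth stating at the allocation, e.g. `/* kzalloc: callers may compare fd->key before any record was copied in. */`, so nobody later "optimizes" this back to kmalloc(). hfs_find_init() continues outside the hunk.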
+@@ -158,6 +158,12 @@ int hfs_brec_find(struct hfs_find_data *fd, search_strategy_t do_key_compare)
+ __be32 data;
+ int height, res;
+
++ fd->record = -1;
++ fd->keyoffset = -1;
++ fd->keylength = -1;
++ fd->entryoffset = -1;
++ fd->entrylength = -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
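Review bot: The five `-1` sentinels only protect callers that check hfs_brec_find()'s return before using the fields; the commit's own trace shows __hfsplus_ext_cache_extent() proceeding on -ENOENT to compare `fd->key` and `fd->entrylength`, and a caller following the same pattern with `fd->entryoffset` now passes -1 into the bnode accessors as an `int off`. A comment at the assignments would make the contract explicit, e.g. `/* Poison the result fields so a failed lookup never exposes stale values from a previous search. */`. The rest of hfs_brec_find(), including where these fields receive their real values, lies outside the hunk.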
+--
+2.51.0
+
--- /dev/null
+From 5b888c10d8c8ea54e4e888f1f3581f5dcac21979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Aug 2025 15:51:04 -0700
+Subject: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 9b3d15a758910bb98ba8feb4109d99cc67450ee4 ]
+
+The syzbot reported issue in hfsplus_delete_cat():
+
+[ 70.682285][ T9333] =====================================================
+[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0
+[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310
+[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810
+[ 70.685447][ T9333] do_rmdir+0x964/0xea0
+[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0
+[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0
+[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.687646][ T9333]
+[ 70.687856][ T9333] Uninit was stored to memory at:
+[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
+[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800
+[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600
+[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70
+[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0
+[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30
+[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0
+[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0
+[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.692773][ T9333]
+[ 70.692990][ T9333] Uninit was stored to memory at:
+[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
+[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800
+[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700
+[ 70.694911][ T9333] mount_bdev+0x37b/0x530
+[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60
+[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0
+[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0
+[ 70.696588][ T9333] do_new_mount+0x73e/0x1630
+[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0
+[ 70.697425][ T9333] __se_sys_mount+0x733/0x830
+[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150
+[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0
+[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.699730][ T9333]
+[ 70.699946][ T9333] Uninit was created at:
+[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60
+[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0
+[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0
+[ 70.701774][ T9333] allocate_slab+0x30e/0x1390
+[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0
+[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20
+[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0
+[ 70.703598][ T9333] alloc_inode+0x82/0x490
+[ 70.703984][ T9333] iget_locked+0x22e/0x1320
+[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0
+[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0
+[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700
+[ 70.705776][ T9333] mount_bdev+0x37b/0x530
+[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60
+[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0
+[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0
+[ 70.707444][ T9333] do_new_mount+0x73e/0x1630
+[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0
+[ 70.708270][ T9333] __se_sys_mount+0x733/0x830
+[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150
+[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0
+[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.710611][ T9333]
+[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17
+[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.712490][ T9333] =====================================================
+[ 70.713085][ T9333] Disabling lock debugging due to kernel taint
+[ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...
+[ 70.714159][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Tainted: G B 6.12.0-rc6-dirty #17
+[ 70.715007][ T9333] Tainted: [B]=BAD_PAGE
+[ 70.715365][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.716311][ T9333] Call Trace:
+[ 70.716621][ T9333] <TASK>
+[ 70.716899][ T9333] dump_stack_lvl+0x1fd/0x2b0
+[ 70.717350][ T9333] dump_stack+0x1e/0x30
+[ 70.717743][ T9333] panic+0x502/0xca0
+[ 70.718116][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.718611][ T9333] kmsan_report+0x296/0x2a0
+[ 70.719038][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.719859][ T9333] ? __msan_warning+0x96/0x120
+[ 70.720345][ T9333] ? hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.720881][ T9333] ? hfsplus_delete_cat+0x105d/0x12b0
+[ 70.721412][ T9333] ? hfsplus_rmdir+0x13d/0x310
+[ 70.721880][ T9333] ? vfs_rmdir+0x5ba/0x810
+[ 70.722458][ T9333] ? do_rmdir+0x964/0xea0
+[ 70.722883][ T9333] ? __x64_sys_rmdir+0x71/0xb0
+[ 70.723397][ T9333] ? x64_sys_call+0xcd8/0x3cf0
+[ 70.723915][ T9333] ? do_syscall_64+0xd9/0x1d0
+[ 70.724454][ T9333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.725110][ T9333] ? vprintk_emit+0xd1f/0xe60
+[ 70.725616][ T9333] ? vprintk_default+0x3f/0x50
+[ 70.726175][ T9333] ? vprintk+0xce/0xd0
+[ 70.726628][ T9333] ? _printk+0x17e/0x1b0
+[ 70.727129][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.727739][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.728324][ T9333] __msan_warning+0x96/0x120
+[ 70.728854][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.729479][ T9333] hfsplus_delete_cat+0x105d/0x12b0
+[ 70.729984][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.730646][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.731296][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.731863][ T9333] hfsplus_rmdir+0x13d/0x310
+[ 70.732390][ T9333] ? __pfx_hfsplus_rmdir+0x10/0x10
+[ 70.732919][ T9333] vfs_rmdir+0x5ba/0x810
+[ 70.733416][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.734044][ T9333] do_rmdir+0x964/0xea0
+[ 70.734537][ T9333] __x64_sys_rmdir+0x71/0xb0
+[ 70.735032][ T9333] x64_sys_call+0xcd8/0x3cf0
+[ 70.735579][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.736092][ T9333] ? irqentry_exit+0x16/0x60
+[ 70.736637][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.737269][ T9333] RIP: 0033:0x7fa9424eafc9
+[ 70.737775][ T9333] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
+[ 70.739844][ T9333] RSP: 002b:00007fff099cd8d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000054
+[ 70.740760][ T9333] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa9424eafc9
+[ 70.741642][ T9333] RDX: 006c6f72746e6f63 RSI: 000000000000000a RDI: 0000000020000100
+[ 70.742543][ T9333] RBP: 00007fff099cd8e0 R08: 00007fff099cd910 R09: 00007fff099cd910
+[ 70.743376][ T9333] R10: 0000000000000000 R11: 0000000000000202 R12: 0000565430642260
+[ 70.744247][ T9333] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 70.745082][ T9333] </TASK>
+
+The main reason for the issue is that struct hfsplus_inode_info
+has not been properly initialized for the case of the root folder.
+In that case, hfsplus_fill_super() calls hfsplus_iget(), which
+implements only partial initialization of struct hfsplus_inode_info;
+in particular, the subfolders field is not initialized by the
+hfsplus_iget() logic.
+
+This patch implements complete initialization of
+struct hfsplus_inode_info in the hfsplus_iget() logic with
+the goal to prevent likewise issues for the case of
+root folder.
+
+Reported-by: syzbot <syzbot+fdedff847a0e5e84c39f@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=fdedff847a0e5e84c39f
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250825225103.326401-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/super.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 86351bdc89859..2f215d1daf6d9 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -68,13 +68,26 @@ struct inode *hfsplus_iget(struct super_block *sb, unsigned long ino)
+ if (!(inode->i_state & I_NEW))
+ return inode;
+
+- INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
+- spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
+- mutex_init(&HFSPLUS_I(inode)->extents_lock);
+- HFSPLUS_I(inode)->flags = 0;
++ atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->first_blocks = 0;
++ HFSPLUS_I(inode)->clump_blocks = 0;
++ HFSPLUS_I(inode)->alloc_blocks = 0;
++ HFSPLUS_I(inode)->cached_start = U32_MAX;
++ HFSPLUS_I(inode)->cached_blocks = 0;
++ memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(hfsplus_extent_rec));
++ memset(HFSPLUS_I(inode)->cached_extents, 0, sizeof(hfsplus_extent_rec));
+ HFSPLUS_I(inode)->extent_state = 0;
++ mutex_init(&HFSPLUS_I(inode)->extents_lock);
+ HFSPLUS_I(inode)->rsrc_inode = NULL;
+- atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->create_date = 0;
++ HFSPLUS_I(inode)->linkid = 0;
++ HFSPLUS_I(inode)->flags = 0;
++ HFSPLUS_I(inode)->fs_blocks = 0;
++ HFSPLUS_I(inode)->userflags = 0;
++ HFSPLUS_I(inode)->subfolders = 0;
++ INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
++ spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
++ HFSPLUS_I(inode)->phys_size = 0;
+
+ if (inode->i_ino >= HFSPLUS_FIRSTUSER_CNID ||
+ inode->i_ino == HFSPLUS_ROOT_CNID) {
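Review bot: The per-field initialization is fragile: the KMSAN origin in the report shows the object coming un-zeroed from the slab cache in hfsplus_alloc_inode(), so any field later added to struct hfsplus_inode_info must be remembered in this list or the same class of uninit-value bug returns. At minimum the list deserves a comment naming that contract, e.g. `/* The inode allocation is not zeroed: every hfsplus_inode_info field must be set here. */`; the more robust option would be to zero the non-vfs_inode part once at allocation and keep only the non-zero defaults (cached_start = U32_MAX, the mutex/list/spinlock inits) here. hfsplus_iget() begins and ends outside the hunk.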
+--
+2.51.0
+
--- /dev/null
+From 7f430f205bd84d519c74758a6152e5af0ea40b30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Aug 2025 10:58:59 -0600
+Subject: hfsplus: return EIO when type of hidden directory mismatch in
+ hfsplus_fill_super()
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit 9282bc905f0949fab8cf86c0f620ca988761254c ]
+
+If Catalog File contains corrupted record for the case of
+hidden directory's type, regard it as I/O error instead of
+Invalid argument.
+
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250805165905.3390154-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 2f215d1daf6d9..77ec048021a01 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -537,7 +537,7 @@ static int hfsplus_fill_super(struct super_block *sb, struct fs_context *fc)
+ if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ hfs_find_exit(&fd);
+ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
+- err = -EINVAL;
++ err = -EIO;
+ goto out_put_root;
+ }
+ inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
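Review bot: The mismatch is now reported as -EIO, but nothing is logged, so an administrator mounting a corrupted (or deliberately crafted) image gets a bare I/O error with no hint that the hidden directory's catalog record had the wrong type. A one-line diagnostic before the goto, e.g. `pr_err("hidden directory has wrong type %#x\n", be16_to_cpu(entry.type));`, would match the pr_err style used in the hfsplus bnode helpers elsewhere in this series and make the failure attributable from dmesg. hfsplus_fill_super() continues on both sides of the hunk.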
+--
+2.51.0
+
--- /dev/null
+From b33a92c3afb03c8d45bee92fb4460ab436517237 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 14:06:05 +0800
+Subject: lkdtm: fortify: Fix potential NULL dereference on kmalloc failure
+
+From: Junjie Cao <junjie.cao@intel.com>
+
+[ Upstream commit 01c7344e21c2140e72282d9d16d79a61f840fc20 ]
+
+Add missing NULL pointer checks after kmalloc() calls in
+lkdtm_FORTIFY_STR_MEMBER() and lkdtm_FORTIFY_MEM_MEMBER() functions.
+
+Signed-off-by: Junjie Cao <junjie.cao@intel.com>
+Link: https://lore.kernel.org/r/20250814060605.5264-1-junjie.cao@intel.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/lkdtm/fortify.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/misc/lkdtm/fortify.c b/drivers/misc/lkdtm/fortify.c
+index 0159276656780..00ed2147113e6 100644
+--- a/drivers/misc/lkdtm/fortify.c
++++ b/drivers/misc/lkdtm/fortify.c
+@@ -44,6 +44,9 @@ static void lkdtm_FORTIFY_STR_MEMBER(void)
+ char *src;
+
+ src = kmalloc(size, GFP_KERNEL);
++ if (!src)
++ return;
++
+ strscpy(src, "over ten bytes", size);
+ size = strlen(src) + 1;
+
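Review bot: A silent `return` on kmalloc() failure leaves no trace in the log, so a harness driving this test would see neither the expected FORTIFY report nor a failure message and could read the silence as a pass. Print before returning, e.g. `pr_warn("kmalloc() failed; test not run\n");`, so the outcome is unambiguous. The body of lkdtm_FORTIFY_STR_MEMBER(), including whatever frees `src`, continues outside the hunk.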
+@@ -109,6 +112,9 @@ static void lkdtm_FORTIFY_MEM_MEMBER(void)
+ char *src;
+
+ src = kmalloc(size, GFP_KERNEL);
++ if (!src)
++ return;
++
+ strscpy(src, "over ten bytes", size);
+ size = strlen(src) + 1;
+
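Review bot: Returning silently when kmalloc() fails means lkdtm_FORTIFY_MEM_MEMBER() produces no output at all in that case, and a test harness cannot distinguish "allocation failed" from "FORTIFY did not fire". A `pr_warn("kmalloc() failed; test not run\n");` before the `return` makes the skip visible. The function body continues outside the hunk.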
+--
+2.51.0
+
--- /dev/null
+From 5a43c47579e215d287add268a61673a92d240d58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Sep 2025 17:16:13 +0200
+Subject: m68k: bitops: Fix find_*_bit() signatures
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit 6d5674090543b89aac0c177d67e5fb32ddc53804 ]
+
+The function signatures of the m68k-optimized implementations of the
+find_{first,next}_{,zero_}bit() helpers do not match the generic
+variants.
+
+Fix this by changing all non-pointer inputs and outputs to "unsigned
+long", and updating a few local variables.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202509092305.ncd9mzaZ-lkp@intel.com/
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Acked-by: "Yury Norov (NVIDIA)" <yury.norov@gmail.com>
+Link: https://patch.msgid.link/de6919554fbb4cd1427155c6bafbac8a9df822c8.1757517135.git.geert@linux-m68k.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/bitops.h | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/arch/m68k/include/asm/bitops.h b/arch/m68k/include/asm/bitops.h
+index 14c64a6f12176..50ec92651d5a5 100644
+--- a/arch/m68k/include/asm/bitops.h
++++ b/arch/m68k/include/asm/bitops.h
+@@ -350,12 +350,12 @@ static inline bool xor_unlock_is_negative_byte(unsigned long mask,
+ #include <asm-generic/bitops/ffz.h>
+ #else
+
+-static inline int find_first_zero_bit(const unsigned long *vaddr,
+- unsigned size)
++static inline unsigned long find_first_zero_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -376,8 +376,9 @@ static inline int find_first_zero_bit(const unsigned long *vaddr,
+ }
+ #define find_first_zero_bit find_first_zero_bit
+
+-static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_zero_bit(const unsigned long *vaddr,
++ unsigned long size,
++ unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
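Review bot: The signature now takes and returns `unsigned long`, but the locals on the last context line, `int bit = offset & 31UL, res;`, stay `int`: `res` is presumably what the function returns, so the result is sign-extended from int, and comparisons of the now-unsigned `size` against these int locals in the body become mixed-sign. On m68k `long` is 32-bit so values round-trip today, but the stated goal of matching the generic helpers is only met once the locals follow, e.g. `unsigned long bit = offset & 31UL, res;`. The body of find_next_zero_bit() continues outside the hunk, so any arithmetic there that relies on `res` being signed needs checking before that change.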
+@@ -406,11 +407,12 @@ static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+ }
+ #define find_next_zero_bit find_next_zero_bit
+
+-static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
++static inline unsigned long find_first_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -431,8 +433,9 @@ static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
+ }
+ #define find_first_bit find_first_bit
+
+-static inline int find_next_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_bit(const unsigned long *vaddr,
++ unsigned long size,
++ unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
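Review bot: find_next_bit() keeps `int bit = offset & 31UL, res;` while its parameters and return type become `unsigned long`, so the return value is sign-extended from `res` and `size` is compared against int locals in the body below. For consistency with the find_first_*() hunks, which did convert their locals, change this to `unsigned long bit = offset & 31UL, res;` after checking the body (outside the hunk) for signed arithmetic on `res`.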
+--
+2.51.0
+
--- /dev/null
+From dc12285030dab824f4a6827f4153a0ebb44270c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:37:07 +0200
+Subject: nios2: ensure that memblock.current_limit is set when setting pfn
+ limits
+
+From: Simon Schuster <schuster.simon@siemens-energy.com>
+
+[ Upstream commit a20b83cf45be2057f3d073506779e52c7fa17f94 ]
+
+On nios2, with CONFIG_FLATMEM set, the kernel relies on
+memblock_get_current_limit() to determine the limits of mem_map, in
+particular for max_low_pfn.
+Unfortunately, memblock.current_limit is only default initialized to
+MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading
+to situations where max_low_pfn can erroneously exceed the value of
+max_pfn and, thus, the valid range of available DRAM.
+
+This can in turn cause kernel-level paging failures, e.g.:
+
+[ 76.900000] Unable to handle kernel paging request at virtual address 20303000
+[ 76.900000] ea = c0080890, ra = c000462c, cause = 14
+[ 76.900000] Kernel panic - not syncing: Oops
+[ 76.900000] ---[ end Kernel panic - not syncing: Oops ]---
+
+This patch fixes this by pre-calculating memblock.current_limit
+based on the upper limits of the available memory ranges via
+adjust_lowmem_bounds, a simplified version of the equivalent
+implementation within the arm architecture.
+
+Signed-off-by: Simon Schuster <schuster.simon@siemens-energy.com>
+Signed-off-by: Andreas Oetken <andreas.oetken@siemens-energy.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/nios2/kernel/setup.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/arch/nios2/kernel/setup.c b/arch/nios2/kernel/setup.c
+index 2a40150142c36..f43f01c4ab934 100644
+--- a/arch/nios2/kernel/setup.c
++++ b/arch/nios2/kernel/setup.c
+@@ -142,6 +142,20 @@ static void __init find_limits(unsigned long *min, unsigned long *max_low,
+ *max_high = PFN_DOWN(memblock_end_of_DRAM());
+ }
+
++static void __init adjust_lowmem_bounds(void)
++{
++ phys_addr_t block_start, block_end;
++ u64 i;
++ phys_addr_t memblock_limit = 0;
++
++ for_each_mem_range(i, &block_start, &block_end) {
++ if (block_end > memblock_limit)
++ memblock_limit = block_end;
++ }
++
++ memblock_set_current_limit(memblock_limit);
++}
++
+ void __init setup_arch(char **cmdline_p)
+ {
+ console_verbose();
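Review bot: adjust_lowmem_bounds() recomputes what find_limits() already takes from memblock_end_of_DRAM() on the `*max_high` line at the top of the hunk: memblock keeps memory regions sorted and non-overlapping, so the highest `block_end` found by the loop is the end of the last region. The helper could be `memblock_set_current_limit(memblock_end_of_DRAM());`, dropping the loop and three locals and keeping the two limits from drifting apart if one is edited later. If the loop is kept for parity with the arm version, a comment saying it intentionally takes the top of all DRAM (nios2 apparently applies no lowmem clamp here) would stop a reader from expecting the arm clamping logic.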
+@@ -157,6 +171,7 @@ void __init setup_arch(char **cmdline_p)
+ /* Keep a copy of command line */
+ *cmdline_p = boot_command_line;
+
++ adjust_lowmem_bounds();
+ find_limits(&min_low_pfn, &max_low_pfn, &max_pfn);
+
+ memblock_reserve(__pa_symbol(_stext), _end - _stext);
+--
+2.51.0
+
--- /dev/null
+From 8235a5ea6bc974a6c77d1f7cae5302c66ea0444d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Sep 2025 22:28:41 -0700
+Subject: PCI: Test for bit underflow in pcie_set_readrq()
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 00e58ff924b3a684b076f9512fe2753be87b50e1 ]
+
+In preparation for the future commit ("bitops: Add __attribute_const__ to generic
+ffs()-family implementations"), which allows GCC's value range tracker
+to see past ffs(), GCC 8 on ARM thinks that it might be possible that
+"ffs(rq) - 8" used here:
+
+ v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, ffs(rq) - 8);
+
+could wrap below 0, leading to a very large value, which would be out of
+range for the FIELD_PREP() usage:
+
+drivers/pci/pci.c: In function 'pcie_set_readrq':
+include/linux/compiler_types.h:572:38: error: call to '__compiletime_assert_471' declared with attribute error: FIELD_PREP: value too large for the field
+...
+drivers/pci/pci.c:5896:6: note: in expansion of macro 'FIELD_PREP'
+ v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, ffs(rq) - 8);
+ ^~~~~~~~~~
+
+If the result of the ffs() is bounds checked before being used in
+FIELD_PREP(), the value tracker seems happy again. :)
+
+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Closes: https://lore.kernel.org/linux-pci/CA+G9fYuysVr6qT8bjF6f08WLyCJRG7aXAeSd2F7=zTaHHd7L+Q@mail.gmail.com/
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20250905052836.work.425-kees@kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index b0f4d98036cdd..005b92e6585e9 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -5932,6 +5932,7 @@ int pcie_set_readrq(struct pci_dev *dev, int rq)
+ {
+ u16 v;
+ int ret;
++ unsigned int firstbit;
+ struct pci_host_bridge *bridge = pci_find_host_bridge(dev->bus);
+
+ if (rq < 128 || rq > 4096 || !is_power_of_2(rq))
+@@ -5949,7 +5950,10 @@ int pcie_set_readrq(struct pci_dev *dev, int rq)
+ rq = mps;
+ }
+
+- v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, ffs(rq) - 8);
++ firstbit = ffs(rq);
++ if (firstbit < 8)
++ return -EINVAL;
++ v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, firstbit - 8);
+
+ if (bridge->no_inc_mrrs) {
+ int max_mrrs = pcie_get_readrq(dev);
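Review bot: The new `firstbit < 8` guard is unreachable by construction: `rq` was already rejected below 128 (ffs(128) == 8) at the top of the function, and the only later assignment is `rq = mps`, where mps is presumably a valid MPS of at least 128 — the check exists to satisfy the value-range tracker, not to catch real input. Say so at the check so nobody later "simplifies" it away or treats it as reachable validation, e.g. `/* Cannot trigger (rq >= 128 here); keeps FIELD_PREP's range check satisfied. */`; a `WARN_ON_ONCE(firstbit < 8)` would additionally make a silent -EINVAL visible if the assumption about mps ever breaks. pcie_set_readrq() continues outside the hunk.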
+--
+2.51.0
+
--- /dev/null
+From eb9ad2d8179e35ff2199697751d22385789d8053 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Sep 2025 12:03:49 +0200
+Subject: powerpc/32: Remove PAGE_KERNEL_TEXT to fix startup failure
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 9316512b717f6f25c4649b3fdb0a905b6a318e9f ]
+
+PAGE_KERNEL_TEXT is an old macro that is used to tell kernel whether
+kernel text has to be mapped read-only or read-write based on build
+time options.
+
+But nowadays, with functionalities like jump_labels, static links,
+etc., more or less all kernels need their text to be read-write at
+some point, and some combinations of configs failed to work due to
+an inaccurate setting of PAGE_KERNEL_TEXT. On the other hand, today
+we have CONFIG_STRICT_KERNEL_RWX, which implements more controlled
+access to kernel text modifications.
+
+Instead of trying to keep PAGE_KERNEL_TEXT accurate with all
+possible options that may imply kernel text modification, always
+set kernel text read-write at startup and rely on
+CONFIG_STRICT_KERNEL_RWX to provide accurate protection.
+
+Do this by passing PAGE_KERNEL_X to map_kernel_page() in
+__maping_ram_chunk() instead of passing PAGE_KERNEL_TEXT. Once
+this is done, the only remaining user of PAGE_KERNEL_TEXT is
+mmu_mark_initmem_nx() which uses it in a call to setibat().
+As setibat() ignores the RW/RO, we can seamlessly replace
+PAGE_KERNEL_TEXT by PAGE_KERNEL_X here as well and get rid of
+PAGE_KERNEL_TEXT completely.
+
+Reported-by: Erhard Furtner <erhard_f@mailbox.org>
+Closes: https://lore.kernel.org/all/342b4120-911c-4723-82ec-d8c9b03a8aef@mailbox.org/
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Tested-by: Andrew Donnellan <ajd@linux.ibm.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/8e2d793abf87ae3efb8f6dce10f974ac0eda61b8.1757412205.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/pgtable.h | 12 ------------
+ arch/powerpc/mm/book3s32/mmu.c | 4 ++--
+ arch/powerpc/mm/pgtable_32.c | 2 +-
+ 3 files changed, 3 insertions(+), 15 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/pgtable.h b/arch/powerpc/include/asm/pgtable.h
+index 93d77ad5a92fa..d8f944a5a0378 100644
+--- a/arch/powerpc/include/asm/pgtable.h
++++ b/arch/powerpc/include/asm/pgtable.h
+@@ -20,18 +20,6 @@ struct mm_struct;
+ #include <asm/nohash/pgtable.h>
+ #endif /* !CONFIG_PPC_BOOK3S */
+
+-/*
+- * Protection used for kernel text. We want the debuggers to be able to
+- * set breakpoints anywhere, so don't write protect the kernel text
+- * on platforms where such control is possible.
+- */
+-#if defined(CONFIG_KGDB) || defined(CONFIG_XMON) || defined(CONFIG_BDI_SWITCH) || \
+- defined(CONFIG_KPROBES) || defined(CONFIG_DYNAMIC_FTRACE)
+-#define PAGE_KERNEL_TEXT PAGE_KERNEL_X
+-#else
+-#define PAGE_KERNEL_TEXT PAGE_KERNEL_ROX
+-#endif
+-
+ /* Make modules code happy. We don't set RO yet */
+ #define PAGE_KERNEL_EXEC PAGE_KERNEL_X
+
+diff --git a/arch/powerpc/mm/book3s32/mmu.c b/arch/powerpc/mm/book3s32/mmu.c
+index be9c4106e22f0..c42ecdf94e48c 100644
+--- a/arch/powerpc/mm/book3s32/mmu.c
++++ b/arch/powerpc/mm/book3s32/mmu.c
+@@ -204,7 +204,7 @@ int mmu_mark_initmem_nx(void)
+
+ for (i = 0; i < nb - 1 && base < top;) {
+ size = bat_block_size(base, top);
+- setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_TEXT);
++ setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_X);
+ base += size;
+ }
+ if (base < top) {
+@@ -215,7 +215,7 @@ int mmu_mark_initmem_nx(void)
+ pr_warn("Some RW data is getting mapped X. "
+ "Adjust CONFIG_DATA_SHIFT to avoid that.\n");
+ }
+- setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_TEXT);
++ setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_X);
+ base += size;
+ }
+ for (; i < nb; i++)
+diff --git a/arch/powerpc/mm/pgtable_32.c b/arch/powerpc/mm/pgtable_32.c
+index 15276068f657d..0c9ef705803e9 100644
+--- a/arch/powerpc/mm/pgtable_32.c
++++ b/arch/powerpc/mm/pgtable_32.c
+@@ -104,7 +104,7 @@ static void __init __mapin_ram_chunk(unsigned long offset, unsigned long top)
+ p = memstart_addr + s;
+ for (; s < top; s += PAGE_SIZE) {
+ ktext = core_kernel_text(v);
+- map_kernel_page(v, p, ktext ? PAGE_KERNEL_TEXT : PAGE_KERNEL);
++ map_kernel_page(v, p, ktext ? PAGE_KERNEL_X : PAGE_KERNEL);
+ v += PAGE_SIZE;
+ p += PAGE_SIZE;
+ }
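Review bot: Core kernel text is now mapped with PAGE_KERNEL_X, i.e. writable as well as executable, and nothing at the map_kernel_page() call records that the read-only protection is expected to come later from CONFIG_STRICT_KERNEL_RWX. A short comment there would keep that intent visible, e.g. `/* Text is mapped writable here; CONFIG_STRICT_KERNEL_RWX is what makes it RO later, kernels without it keep writable text */`. The same note applies to the two setibat() calls in the book3s32/mmu.c hunks, where the description says the RW/RO bit is ignored anyway. __mapin_ram_chunk() starts and ends outside the hunk.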
+--
+2.51.0
+
--- /dev/null
+From eac953ee2c397f36252a6eecbdd956c269165c93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 12:00:00 +0200
+Subject: riscv: cpufeature: add validation for zfa, zfh and zfhmin
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Léger <cleger@rivosinc.com>
+
+[ Upstream commit 2e2cf5581fccc562f7faf174ffb9866fed5cafbd ]
+
+These extensions depend on the F extension. Add a validation callback
+checking for the F extension to be present. Now that extensions are
+correctly reported using the F/D presence, we can remove the
+has_fpu() check in hwprobe_isa_ext0().
+
+Signed-off-by: Clément Léger <cleger@rivosinc.com>
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://lore.kernel.org/r/20250527100001.33284-1-cleger@rivosinc.com
+Signed-off-by: Paul Walmsley <pjw@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/cpufeature.c | 6 +++---
+ arch/riscv/kernel/sys_hwprobe.c | 14 ++++++--------
+ 2 files changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c
+index 743d53415572e..67b59699357da 100644
+--- a/arch/riscv/kernel/cpufeature.c
++++ b/arch/riscv/kernel/cpufeature.c
+@@ -474,10 +474,10 @@ const struct riscv_isa_ext_data riscv_isa_ext[] = {
+ __RISCV_ISA_EXT_DATA(zacas, RISCV_ISA_EXT_ZACAS),
+ __RISCV_ISA_EXT_DATA(zalrsc, RISCV_ISA_EXT_ZALRSC),
+ __RISCV_ISA_EXT_DATA(zawrs, RISCV_ISA_EXT_ZAWRS),
+- __RISCV_ISA_EXT_DATA(zfa, RISCV_ISA_EXT_ZFA),
++ __RISCV_ISA_EXT_DATA_VALIDATE(zfa, RISCV_ISA_EXT_ZFA, riscv_ext_f_depends),
+ __RISCV_ISA_EXT_DATA_VALIDATE(zfbfmin, RISCV_ISA_EXT_ZFBFMIN, riscv_ext_f_depends),
+- __RISCV_ISA_EXT_DATA(zfh, RISCV_ISA_EXT_ZFH),
+- __RISCV_ISA_EXT_DATA(zfhmin, RISCV_ISA_EXT_ZFHMIN),
++ __RISCV_ISA_EXT_DATA_VALIDATE(zfh, RISCV_ISA_EXT_ZFH, riscv_ext_f_depends),
++ __RISCV_ISA_EXT_DATA_VALIDATE(zfhmin, RISCV_ISA_EXT_ZFHMIN, riscv_ext_f_depends),
+ __RISCV_ISA_EXT_DATA(zca, RISCV_ISA_EXT_ZCA),
+ __RISCV_ISA_EXT_DATA_VALIDATE(zcb, RISCV_ISA_EXT_ZCB, riscv_ext_zca_depends),
+ __RISCV_ISA_EXT_DATA_VALIDATE(zcd, RISCV_ISA_EXT_ZCD, riscv_ext_zcd_validate),
+diff --git a/arch/riscv/kernel/sys_hwprobe.c b/arch/riscv/kernel/sys_hwprobe.c
+index 0b170e18a2beb..3e9259790816e 100644
+--- a/arch/riscv/kernel/sys_hwprobe.c
++++ b/arch/riscv/kernel/sys_hwprobe.c
+@@ -153,14 +153,12 @@ static void hwprobe_isa_ext0(struct riscv_hwprobe *pair,
+ EXT_KEY(ZVKT);
+ }
+
+- if (has_fpu()) {
+- EXT_KEY(ZCD);
+- EXT_KEY(ZCF);
+- EXT_KEY(ZFA);
+- EXT_KEY(ZFBFMIN);
+- EXT_KEY(ZFH);
+- EXT_KEY(ZFHMIN);
+- }
++ EXT_KEY(ZCD);
++ EXT_KEY(ZCF);
++ EXT_KEY(ZFA);
++ EXT_KEY(ZFBFMIN);
++ EXT_KEY(ZFH);
++ EXT_KEY(ZFHMIN);
+
+ if (IS_ENABLED(CONFIG_RISCV_ISA_SUPM))
+ EXT_KEY(SUPM);
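Review bot: Dropping the has_fpu() guard makes the correctness of these EXT_KEY() reports depend entirely on each listed extension carrying an F/D validation callback in riscv_isa_ext[], and that dependency is not recorded here. The cpufeature.c hunk shows validators for zfa, zfbfmin, zfh, zfhmin and zcd, but zcf is not visible in this patch, so it is worth confirming it is validated the same way. A one-line comment such as `/* F/D dependency is enforced by the validate callbacks in riscv_isa_ext[] */` above the EXT_KEY(ZCD) line would make the assumption explicit. hwprobe_isa_ext0() continues outside the hunk.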
+--
+2.51.0
+
--- /dev/null
+From 34066c6032aff8e98d75e1793b606ac0e0d2fa26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 00:53:10 +0800
+Subject: riscv: mm: Return intended SATP mode for noXlvl options
+
+From: Junhui Liu <junhui.liu@pigmoral.tech>
+
+[ Upstream commit f3243bed39c26ce0f13e6392a634f91d409b2d02 ]
+
+Change the return value of match_noXlvl() to return the SATP mode that
+will be used, rather than the mode being disabled. This enables unified
+logic for return value judgement with the function that obtains mmu-type
+from the fdt, avoiding extra conversion. This only changes the naming,
+with no functional impact.
+
+Signed-off-by: Junhui Liu <junhui.liu@pigmoral.tech>
+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Reviewed-by: Nutty Liu <liujingqi@lanxincomputing.com>
+Link: https://lore.kernel.org/r/20250722-satp-from-fdt-v1-1-5ba22218fa5f@pigmoral.tech
+Signed-off-by: Paul Walmsley <pjw@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/pi/cmdline_early.c | 4 ++--
+ arch/riscv/mm/init.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/riscv/kernel/pi/cmdline_early.c b/arch/riscv/kernel/pi/cmdline_early.c
+index fbcdc9e4e1432..389d086a07187 100644
+--- a/arch/riscv/kernel/pi/cmdline_early.c
++++ b/arch/riscv/kernel/pi/cmdline_early.c
+@@ -41,9 +41,9 @@ static char *get_early_cmdline(uintptr_t dtb_pa)
+ static u64 match_noXlvl(char *cmdline)
+ {
+ if (strstr(cmdline, "no4lvl"))
+- return SATP_MODE_48;
++ return SATP_MODE_39;
+ else if (strstr(cmdline, "no5lvl"))
+- return SATP_MODE_57;
++ return SATP_MODE_48;
+
+ return 0;
+ }
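Review bot: The return value of match_noXlvl() now means "the highest SATP mode that may be used" rather than "the mode being disabled", but the function name and any header comment above it still suggest the old meaning. A comment on the definition line (hunk context just above), e.g. `/* Return the maximum SATP mode allowed by a noXlvl option, 0 when none is given */`, would stop a reader from taking SATP_MODE_39 as the mode being switched off. Note that "no4lvl" is checked first, so a command line containing both options yields the stricter SATP_MODE_39, which is presumably intended.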
+diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
+index 15683ae13fa5d..054265b3f2680 100644
+--- a/arch/riscv/mm/init.c
++++ b/arch/riscv/mm/init.c
+@@ -864,9 +864,9 @@ static __init void set_satp_mode(uintptr_t dtb_pa)
+
+ kernel_map.page_offset = PAGE_OFFSET_L5;
+
+- if (satp_mode_cmdline == SATP_MODE_57) {
++ if (satp_mode_cmdline == SATP_MODE_48) {
+ disable_pgtable_l5();
+- } else if (satp_mode_cmdline == SATP_MODE_48) {
++ } else if (satp_mode_cmdline == SATP_MODE_39) {
+ disable_pgtable_l5();
+ disable_pgtable_l4();
+ return;
+--
+2.51.0
+
--- /dev/null
+From 3b56fd1881ce465e1cfedea8cd2d4ef70fde37ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 00:53:11 +0800
+Subject: riscv: mm: Use mmu-type from FDT to limit SATP mode
+
+From: Junhui Liu <junhui.liu@pigmoral.tech>
+
+[ Upstream commit 17e9521044c9b3ee839f861d1ac35c5b5c20d16b ]
+
+Some RISC-V implementations may hang when attempting to write an
+unsupported SATP mode, even though the latest RISC-V specification
+states such writes should have no effect. To avoid this issue, the
+logic for selecting SATP mode has been refined:
+
+The kernel now determines the SATP mode limit by taking the minimum of
+the value specified by the kernel command line (noXlvl) and the
+"mmu-type" property in the device tree (FDT). If only one is specified,
+use that.
+- If the resulting limit is sv48 or higher, the kernel will probe SATP
+ modes from this limit downward until a supported mode is found.
+- If the limit is sv39, the kernel will directly use sv39 without
+ probing.
+
+This ensures SATP mode selection is safe and compatible with both
+hardware and user configuration, minimizing the risk of hangs.
+
+Signed-off-by: Junhui Liu <junhui.liu@pigmoral.tech>
+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Reviewed-by: Nutty Liu <liujingqi@lanxincomputing.com>
+Link: https://lore.kernel.org/r/20250722-satp-from-fdt-v1-2-5ba22218fa5f@pigmoral.tech
+Signed-off-by: Paul Walmsley <pjw@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/pi/fdt_early.c | 40 ++++++++++++++++++++++++++++++++
+ arch/riscv/kernel/pi/pi.h | 1 +
+ arch/riscv/mm/init.c | 11 ++++++---
+ 3 files changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/arch/riscv/kernel/pi/fdt_early.c b/arch/riscv/kernel/pi/fdt_early.c
+index 9bdee2fafe47e..a12ff8090f190 100644
+--- a/arch/riscv/kernel/pi/fdt_early.c
++++ b/arch/riscv/kernel/pi/fdt_early.c
+@@ -3,6 +3,7 @@
+ #include <linux/init.h>
+ #include <linux/libfdt.h>
+ #include <linux/ctype.h>
++#include <asm/csr.h>
+
+ #include "pi.h"
+
+@@ -183,3 +184,42 @@ bool fdt_early_match_extension_isa(const void *fdt, const char *ext_name)
+
+ return ret;
+ }
++
++/**
++ * set_satp_mode_from_fdt - determine SATP mode based on the MMU type in fdt
++ *
++ * @dtb_pa: physical address of the device tree blob
++ *
++ * Returns the SATP mode corresponding to the MMU type of the first enabled CPU,
++ * 0 otherwise
++ */
++u64 set_satp_mode_from_fdt(uintptr_t dtb_pa)
++{
++ const void *fdt = (const void *)dtb_pa;
++ const char *mmu_type;
++ int node, parent;
++
++ parent = fdt_path_offset(fdt, "/cpus");
++ if (parent < 0)
++ return 0;
++
++ fdt_for_each_subnode(node, fdt, parent) {
++ if (!fdt_node_name_eq(fdt, node, "cpu"))
++ continue;
++
++ if (!fdt_device_is_available(fdt, node))
++ continue;
++
++ mmu_type = fdt_getprop(fdt, node, "mmu-type", NULL);
++ if (!mmu_type)
++ break;
++
++ if (!strcmp(mmu_type, "riscv,sv39"))
++ return SATP_MODE_39;
++ else if (!strcmp(mmu_type, "riscv,sv48"))
++ return SATP_MODE_48;
++ break;
++ }
++
++ return 0;
++}
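Review bot: The "mmu-type" property is fetched with fdt_getprop(fdt, node, "mmu-type", NULL) and then passed to strcmp(), so a property that is not NUL-terminated inside the blob would be read past its end; passing a length and checking the terminator is three lines: `int node, parent, len;`, `mmu_type = fdt_getprop(fdt, node, "mmu-type", &len);`, `if (!mmu_type || len <= 0 || mmu_type[len - 1] != '\0') break;`. The DTB normally comes from firmware, but this runs in the early position-independent boot path where a malformed blob cannot be diagnosed, so the cheap check is worth having. Also, any other value (including "riscv,sv57" and unknown strings) falls through to `return 0`, which the caller treats as "no limit"; a comment on the final return saying that sv57 and unrecognised types impose no limit would make that look deliberate rather than accidental.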
+diff --git a/arch/riscv/kernel/pi/pi.h b/arch/riscv/kernel/pi/pi.h
+index 21141d84fea60..3fee2cfddf7cf 100644
+--- a/arch/riscv/kernel/pi/pi.h
++++ b/arch/riscv/kernel/pi/pi.h
+@@ -14,6 +14,7 @@ u64 get_kaslr_seed(uintptr_t dtb_pa);
+ u64 get_kaslr_seed_zkr(const uintptr_t dtb_pa);
+ bool set_nokaslr_from_cmdline(uintptr_t dtb_pa);
+ u64 set_satp_mode_from_cmdline(uintptr_t dtb_pa);
++u64 set_satp_mode_from_fdt(uintptr_t dtb_pa);
+
+ bool fdt_early_match_extension_isa(const void *fdt, const char *ext_name);
+
+diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
+index 054265b3f2680..85cb70b10c071 100644
+--- a/arch/riscv/mm/init.c
++++ b/arch/riscv/mm/init.c
+@@ -816,6 +816,7 @@ static __meminit pgprot_t pgprot_from_va(uintptr_t va)
+
+ #if defined(CONFIG_64BIT) && !defined(CONFIG_XIP_KERNEL)
+ u64 __pi_set_satp_mode_from_cmdline(uintptr_t dtb_pa);
++u64 __pi_set_satp_mode_from_fdt(uintptr_t dtb_pa);
+
+ static void __init disable_pgtable_l5(void)
+ {
+@@ -855,18 +856,22 @@ static void __init set_mmap_rnd_bits_max(void)
+ * underlying hardware: establish 1:1 mapping in 4-level page table mode
+ * then read SATP to see if the configuration was taken into account
+ * meaning sv48 is supported.
++ * The maximum SATP mode is limited by both the command line and the "mmu-type"
++ * property in the device tree, since some platforms may hang if an unsupported
++ * SATP mode is attempted.
+ */
+ static __init void set_satp_mode(uintptr_t dtb_pa)
+ {
+ u64 identity_satp, hw_satp;
+ uintptr_t set_satp_mode_pmd = ((unsigned long)set_satp_mode) & PMD_MASK;
+- u64 satp_mode_cmdline = __pi_set_satp_mode_from_cmdline(dtb_pa);
++ u64 satp_mode_limit = min_not_zero(__pi_set_satp_mode_from_cmdline(dtb_pa),
++ __pi_set_satp_mode_from_fdt(dtb_pa));
+
+ kernel_map.page_offset = PAGE_OFFSET_L5;
+
+- if (satp_mode_cmdline == SATP_MODE_48) {
++ if (satp_mode_limit == SATP_MODE_48) {
+ disable_pgtable_l5();
+- } else if (satp_mode_cmdline == SATP_MODE_39) {
++ } else if (satp_mode_limit == SATP_MODE_39) {
+ disable_pgtable_l5();
+ disable_pgtable_l4();
+ return;
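Review bot: min_not_zero() on the two SATP mode values picks the lower numeric encoding, which only equals the shallower page-table depth because SATP_MODE_39 < SATP_MODE_48 < SATP_MODE_57 as u64 values; that ordering is the whole basis of the new limit logic and deserves a comment on the satp_mode_limit initialiser, e.g. `/* SATP_MODE_* encodings grow with depth, so the minimum is the stricter limit */`. The comment added to the function header says what is limited but not why taking the minimum is correct. set_satp_mode() continues outside the hunk.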
+--
+2.51.0
+
--- /dev/null
+From 603e5c81bf149b04b935d003302f2ab781da6b74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Sep 2025 17:24:05 +0200
+Subject: s390/mm: Use __GFP_ACCOUNT for user page table allocations
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit 5671ce2a1fc6b4a16cff962423bc416b92cac3c8 ]
+
+Add missing kmemcg accounting of user page table allocations.
+
+Reviewed-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/mm/pgalloc.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/arch/s390/mm/pgalloc.c b/arch/s390/mm/pgalloc.c
+index d2f6f1f6d2fcb..ad3e0f7f7fc1f 100644
+--- a/arch/s390/mm/pgalloc.c
++++ b/arch/s390/mm/pgalloc.c
+@@ -16,9 +16,13 @@
+
+ unsigned long *crst_table_alloc(struct mm_struct *mm)
+ {
+- struct ptdesc *ptdesc = pagetable_alloc(GFP_KERNEL, CRST_ALLOC_ORDER);
++ gfp_t gfp = GFP_KERNEL_ACCOUNT;
++ struct ptdesc *ptdesc;
+ unsigned long *table;
+
++ if (mm == &init_mm)
++ gfp &= ~__GFP_ACCOUNT;
++ ptdesc = pagetable_alloc(gfp, CRST_ALLOC_ORDER);
+ if (!ptdesc)
+ return NULL;
+ table = ptdesc_to_virt(ptdesc);
+@@ -117,7 +121,7 @@ struct ptdesc *page_table_alloc_pgste(struct mm_struct *mm)
+ struct ptdesc *ptdesc;
+ u64 *table;
+
+- ptdesc = pagetable_alloc(GFP_KERNEL, 0);
++ ptdesc = pagetable_alloc(GFP_KERNEL_ACCOUNT, 0);
+ if (ptdesc) {
+ table = (u64 *)ptdesc_to_virt(ptdesc);
+ __arch_set_page_dat(table, 1);
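Review bot: page_table_alloc_pgste() now passes GFP_KERNEL_ACCOUNT unconditionally, whereas crst_table_alloc() and page_table_alloc() in the neighbouring hunks clear __GFP_ACCOUNT when mm == &init_mm. If that is intentional because pgste tables are only ever allocated for user address spaces, a one-line comment such as `/* pgste tables only exist for user mms, so always account them */` would record it; otherwise the same init_mm check belongs here too. The function signature is hunk context and its body continues outside the hunk.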
+@@ -136,10 +140,13 @@ void page_table_free_pgste(struct ptdesc *ptdesc)
+
+ unsigned long *page_table_alloc(struct mm_struct *mm)
+ {
++ gfp_t gfp = GFP_KERNEL_ACCOUNT;
+ struct ptdesc *ptdesc;
+ unsigned long *table;
+
+- ptdesc = pagetable_alloc(GFP_KERNEL, 0);
++ if (mm == &init_mm)
++ gfp &= ~__GFP_ACCOUNT;
++ ptdesc = pagetable_alloc(gfp, 0);
+ if (!ptdesc)
+ return NULL;
+ if (!pagetable_pte_ctor(mm, ptdesc)) {
+--
+2.51.0
+
--- /dev/null
+From 89d55fd4e5ebd4ada91fcdce5cb0a1f5285da9aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 11:43:50 +0200
+Subject: s390/pkey: Forward keygenflags to ep11_unwrapkey
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+[ Upstream commit 11aa54ba4cfa5390ea47c9a1fc62502abce1f6b9 ]
+
+The pkey ioctl PKEY_CLR2SECK2 describes in the pkey.h header file
+the parameter 'keygenflags' which is forwarded to the handler
+functions which actually deal with the clear key to secure key
+operation. The ep11 handler module function ep11_clr2keyblob()
+function receives this parameter but does not forward it to the
+underlying function ep11_unwrapkey() on invocation. So in the end
+the user of this ioctl could not forward additional key generation
+flags to the ep11 implementation and thus was unable to modify the
+key generation process in any way. So now call ep11_unwrapkey()
+with the real keygenflags instead of 0 and thus the user of this
+ioctl can for example via keygenflags provide valid combinations
+of XCP_BLOB_* flags.
+
+Suggested-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/zcrypt_ep11misc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/s390/crypto/zcrypt_ep11misc.c b/drivers/s390/crypto/zcrypt_ep11misc.c
+index 3bf09a89a0894..e92e2fd8ce5da 100644
+--- a/drivers/s390/crypto/zcrypt_ep11misc.c
++++ b/drivers/s390/crypto/zcrypt_ep11misc.c
+@@ -1405,7 +1405,9 @@ int ep11_clr2keyblob(u16 card, u16 domain, u32 keybitsize, u32 keygenflags,
+ /* Step 3: import the encrypted key value as a new key */
+ rc = ep11_unwrapkey(card, domain, kek, keklen,
+ encbuf, encbuflen, 0, def_iv,
+- keybitsize, 0, keybuf, keybufsize, keytype, xflags);
++ keybitsize, keygenflags,
++ keybuf, keybufsize,
++ keytype, xflags);
+ if (rc) {
+ ZCRYPT_DBF_ERR("%s importing key value as new key failed, rc=%d\n",
+ __func__, rc);
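Review bot: keygenflags now reaches ep11_unwrapkey() exactly as supplied by the ioctl caller, and nothing in this hunk shows the value being restricted to the XCP_BLOB_* bits the driver supports. If neither ep11_unwrapkey() nor the ioctl layer (both outside this hunk) already masks or rejects unknown bits, that validation belongs at the ioctl boundary, with the rejection reported through ZCRYPT_DBF_ERR like the failure path below, so unexpected flag combinations are not silently forwarded to the card. A comment on the call, e.g. `/* keygenflags: caller-supplied XCP_BLOB_* flags, validated at the ioctl entry */`, would state where that check lives. ep11_clr2keyblob() starts and ends outside the hunk.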
+--
+2.51.0
+
sched-fair-block-delayed-tasks-on-throttled-hierarchy-during-dequeue.patch
+expfs-fix-exportfs_can_encode_fh-for-export_fh_fid.patch
+cgroup-misc-fix-misc_res_type-kernel-doc-warning.patch
+dlm-move-to-rinfo-for-all-middle-conversion-cases.patch
+exec-fix-incorrect-type-for-ret.patch
+nios2-ensure-that-memblock.current_limit-is-set-when.patch
+s390-pkey-forward-keygenflags-to-ep11_unwrapkey.patch
+hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
+hfs-make-proper-initalization-of-struct-hfs_find_dat.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch
+hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch
+dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch
+hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch
+hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
+binfmt_elf-preserve-original-elf-e_flags-for-core-du.patch
+pci-test-for-bit-underflow-in-pcie_set_readrq.patch
+lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch
+arm64-sysreg-correct-sign-definitions-for-eiesb-and-.patch
+gfs2-fix-unlikely-race-in-gdlm_put_lock.patch
+m68k-bitops-fix-find_-_bit-signatures.patch
+powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch
+riscv-mm-return-intended-satp-mode-for-noxlvl-option.patch
+riscv-mm-use-mmu-type-from-fdt-to-limit-satp-mode.patch
+riscv-cpufeature-add-validation-for-zfa-zfh-and-zfhm.patch
+drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch
+s390-mm-use-__gfp_account-for-user-page-table-alloca.patch
+smb-client-queue-post_recv_credits_work-also-if-the-.patch
+smb-client-limit-the-range-of-info-receive_credit_ta.patch
+smb-client-make-use-of-ib_wc_status_msg-and-skip-ib_.patch
+smb-server-let-smb_direct_flush_send_list-invalidate.patch
+unbreak-make-tools-for-user-space-targets.patch
+bpf-replace-bpf_map_kmalloc_node-with-kmalloc_nolock.patch
--- /dev/null
+From 23e98a4673ee74e9d7ea69bb2971f109de6982ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 15:01:35 +0200
+Subject: smb: client: limit the range of info->receive_credit_target
+
+From: Stefan Metzmacher <metze@samba.org>
+
+[ Upstream commit 9219f8cac296769324bbe8a28c289586114244c4 ]
+
+This simplifies further changes...
+
+Cc: Steve French <smfrench@gmail.com>
+Cc: Tom Talpey <tom@talpey.com>
+Cc: Long Li <longli@microsoft.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: samba-technical@lists.samba.org
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/smbdirect.c | 7 ++++++-
+ fs/smb/client/smbdirect.h | 2 +-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
+index b3e04b410afe6..cbf1deff11065 100644
+--- a/fs/smb/client/smbdirect.c
++++ b/fs/smb/client/smbdirect.c
+@@ -429,6 +429,7 @@ static bool process_negotiation_response(
+ return false;
+ }
+ info->receive_credit_target = le16_to_cpu(packet->credits_requested);
++ info->receive_credit_target = min_t(u16, info->receive_credit_target, sp->recv_credit_max);
+
+ if (packet->credits_granted == 0) {
+ log_rdma_event(ERR, "error: credits_granted==0\n");
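Review bot: The negotiation path caps receive_credit_target at sp->recv_credit_max but, unlike the second recv_done() hunk in this patch, does not raise it to at least 1, so a peer requesting 0 credits leaves the target at 0 here. Unless a zero request is rejected elsewhere in the negotiation checks, the same lower bound belongs here, and both sites read better as a single expression: `info->receive_credit_target = clamp_t(u16, le16_to_cpu(packet->credits_requested), 1, sp->recv_credit_max);`. process_negotiation_response() starts and ends outside the hunk.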
+@@ -537,7 +538,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+ struct smbdirect_socket_parameters *sp = &sc->parameters;
+ struct smbd_connection *info =
+ container_of(sc, struct smbd_connection, socket);
+- int old_recv_credit_target;
++ u16 old_recv_credit_target;
+ u32 data_offset = 0;
+ u32 data_length = 0;
+ u32 remaining_data_length = 0;
+@@ -603,6 +604,10 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+ old_recv_credit_target = info->receive_credit_target;
+ info->receive_credit_target =
+ le16_to_cpu(data_transfer->credits_requested);
++ info->receive_credit_target =
++ min_t(u16, info->receive_credit_target, sp->recv_credit_max);
++ info->receive_credit_target =
++ max_t(u16, info->receive_credit_target, 1);
+ if (le16_to_cpu(data_transfer->credits_granted)) {
+ atomic_add(le16_to_cpu(data_transfer->credits_granted),
+ &info->send_credits);
+diff --git a/fs/smb/client/smbdirect.h b/fs/smb/client/smbdirect.h
+index 4ca9b2b2c57f9..ed362267dd11d 100644
+--- a/fs/smb/client/smbdirect.h
++++ b/fs/smb/client/smbdirect.h
+@@ -63,7 +63,7 @@ struct smbd_connection {
+ int protocol;
+ atomic_t send_credits;
+ atomic_t receive_credits;
+- int receive_credit_target;
++ u16 receive_credit_target;
+
+ /* Memory registrations */
+ /* Maximum number of RDMA read/write outstanding on this connection */
+--
+2.51.0
+
--- /dev/null
+From 7710c87e550d9baeacc5e0b67e39f643ae493446 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Aug 2025 09:44:07 +0200
+Subject: smb: client: make use of ib_wc_status_msg() and skip
+ IB_WC_WR_FLUSH_ERR logging
+
+From: Stefan Metzmacher <metze@samba.org>
+
+[ Upstream commit a8e970358b31a5abba8b5737a67ba7b8d26f4258 ]
+
+There's no need to get log message for every IB_WC_WR_FLUSH_ERR
+completion, but any other error should be logged at level ERR.
+
+Cc: Steve French <smfrench@gmail.com>
+Cc: Tom Talpey <tom@talpey.com>
+Cc: Long Li <longli@microsoft.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: samba-technical@lists.samba.org
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/smbdirect.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
+index cbf1deff11065..99fad70356c57 100644
+--- a/fs/smb/client/smbdirect.c
++++ b/fs/smb/client/smbdirect.c
+@@ -362,8 +362,8 @@ static void send_done(struct ib_cq *cq, struct ib_wc *wc)
+ struct smbd_connection *info =
+ container_of(sc, struct smbd_connection, socket);
+
+- log_rdma_send(INFO, "smbdirect_send_io 0x%p completed wc->status=%d\n",
+- request, wc->status);
++ log_rdma_send(INFO, "smbdirect_send_io 0x%p completed wc->status=%s\n",
++ request, ib_wc_status_msg(wc->status));
+
+ for (i = 0; i < request->num_sge; i++)
+ ib_dma_unmap_single(sc->ib.dev,
+@@ -372,8 +372,9 @@ static void send_done(struct ib_cq *cq, struct ib_wc *wc)
+ DMA_TO_DEVICE);
+
+ if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) {
+- log_rdma_send(ERR, "wc->status=%d wc->opcode=%d\n",
+- wc->status, wc->opcode);
++ if (wc->status != IB_WC_WR_FLUSH_ERR)
++ log_rdma_send(ERR, "wc->status=%s wc->opcode=%d\n",
++ ib_wc_status_msg(wc->status), wc->opcode);
+ mempool_free(request, sc->send_io.mem.pool);
+ smbd_disconnect_rdma_connection(info);
+ return;
+@@ -543,13 +544,16 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+ u32 data_length = 0;
+ u32 remaining_data_length = 0;
+
+- log_rdma_recv(INFO, "response=0x%p type=%d wc status=%d wc opcode %d byte_len=%d pkey_index=%u\n",
+- response, sc->recv_io.expected, wc->status, wc->opcode,
++ log_rdma_recv(INFO,
++ "response=0x%p type=%d wc status=%s wc opcode %d byte_len=%d pkey_index=%u\n",
++ response, sc->recv_io.expected,
++ ib_wc_status_msg(wc->status), wc->opcode,
+ wc->byte_len, wc->pkey_index);
+
+ if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_RECV) {
+- log_rdma_recv(INFO, "wc->status=%d opcode=%d\n",
+- wc->status, wc->opcode);
++ if (wc->status != IB_WC_WR_FLUSH_ERR)
++ log_rdma_recv(ERR, "wc->status=%s opcode=%d\n",
++ ib_wc_status_msg(wc->status), wc->opcode);
+ goto error;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From f7ded367e7e9696555e35471b3e58de69ce637d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Aug 2025 17:53:55 +0200
+Subject: smb: client: queue post_recv_credits_work also if the peer raises the
+ credit target
+
+From: Stefan Metzmacher <metze@samba.org>
+
+[ Upstream commit 02548c477a90481c1fd0d6e7c84b4504ec2fcc12 ]
+
+This is already handled in the server, but currently it is done
+in a very complex way there. So we do it in a much simpler way.
+
+Note that put_receive_buffer() will take care of it
+in case data_length is 0.
+
+Cc: Steve French <smfrench@gmail.com>
+Cc: Tom Talpey <tom@talpey.com>
+Cc: Long Li <longli@microsoft.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: samba-technical@lists.samba.org
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/smbdirect.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
+index 6480945c24592..b3e04b410afe6 100644
+--- a/fs/smb/client/smbdirect.c
++++ b/fs/smb/client/smbdirect.c
+@@ -537,6 +537,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+ struct smbdirect_socket_parameters *sp = &sc->parameters;
+ struct smbd_connection *info =
+ container_of(sc, struct smbd_connection, socket);
++ int old_recv_credit_target;
+ u32 data_offset = 0;
+ u32 data_length = 0;
+ u32 remaining_data_length = 0;
+@@ -599,6 +600,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+ }
+
+ atomic_dec(&info->receive_credits);
++ old_recv_credit_target = info->receive_credit_target;
+ info->receive_credit_target =
+ le16_to_cpu(data_transfer->credits_requested);
+ if (le16_to_cpu(data_transfer->credits_granted)) {
+@@ -629,6 +631,9 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
+ * reassembly queue and wake up the reading thread
+ */
+ if (data_length) {
++ if (info->receive_credit_target > old_recv_credit_target)
++ queue_work(info->workqueue, &info->post_send_credits_work);
++
+ enqueue_reassembly(info, response, data_length);
+ wake_up_interruptible(&sc->recv_io.reassembly.wait_queue);
+ } else
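Review bot: The new queue_work() is only reached when data_length is non-zero, and the reason the empty-packet case needs nothing here (put_receive_buffer() handles it, per the description) is not visible in the code; a comment on the new condition, e.g. `/* data_length == 0 is handled by put_receive_buffer() */`, would keep it from reading as a missed case. The subject line names post_recv_credits_work while the code queues post_send_credits_work; if the latter is the client's actual work item the subject is merely imprecise, but it is worth a check. credits_requested is peer-controlled and is stored unclamped at this point; a separate patch on this page bounds it to [1, recv_credit_max], so this hunk needs no change for that. recv_done() continues outside the hunk.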
+--
+2.51.0
+
--- /dev/null
+From cce44aca7a8d17ee6ae93fcc3ae3d221efecb82d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Sep 2025 22:22:35 +0200
+Subject: smb: server: let smb_direct_flush_send_list() invalidate a remote key
+ first
+
+From: Stefan Metzmacher <metze@samba.org>
+
+[ Upstream commit 1b53426334c3c942db47e0959a2527a4f815af50 ]
+
+If we want to invalidate a remote key we should do that as soon as
+possible, so do it in the first send work request.
+
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Cc: Steve French <smfrench@gmail.com>
+Cc: Tom Talpey <tom@talpey.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: samba-technical@lists.samba.org
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/transport_rdma.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c
+index e1f659d3b4cf5..2363244ff5f75 100644
+--- a/fs/smb/server/transport_rdma.c
++++ b/fs/smb/server/transport_rdma.c
+@@ -939,12 +939,15 @@ static int smb_direct_flush_send_list(struct smb_direct_transport *t,
+ struct smb_direct_sendmsg,
+ list);
+
++ if (send_ctx->need_invalidate_rkey) {
++ first->wr.opcode = IB_WR_SEND_WITH_INV;
++ first->wr.ex.invalidate_rkey = send_ctx->remote_key;
++ send_ctx->need_invalidate_rkey = false;
++ send_ctx->remote_key = 0;
++ }
++
+ last->wr.send_flags = IB_SEND_SIGNALED;
+ last->wr.wr_cqe = &last->cqe;
+- if (is_last && send_ctx->need_invalidate_rkey) {
+- last->wr.opcode = IB_WR_SEND_WITH_INV;
+- last->wr.ex.invalidate_rkey = send_ctx->remote_key;
+- }
+
+ ret = smb_direct_post_send(t, &first->wr);
+ if (!ret) {
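Review bot: With the invalidation moved to `first`, `is_last` no longer appears in this hunk; if it has no other use in smb_direct_flush_send_list() (whose signature and body extend beyond the hunk), it becomes an unused parameter and should be removed along with its callers' argument. The new block also overwrites first->wr.opcode and clears send_ctx->remote_key as soon as the WR is built, which is fine only if the rkey is not consulted again later in the function; a short comment, e.g. `/* invalidate the peer's rkey with the first WR so it happens as early as possible */`, would record the reason given in the commit message.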
+--
+2.51.0
+
--- /dev/null
+From 01b4f8d8199edf6642f30d50002247e1aa38d0b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Sep 2025 12:24:20 -0700
+Subject: Unbreak 'make tools/*' for user-space targets
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit ee916dccd4df6e2fd19c3606c4735282b72f1473 ]
+
+This pattern isn't very documented, and apparently not used much outside
+of 'make tools/help', but it has existed for over a decade (since commit
+ea01fa9f63ae: "tools: Connect to the kernel build system").
+
+However, it doesn't work very well for most cases, particularly the
+useful "tools/all" target, because it overrides the LDFLAGS value with
+an empty one.
+
+And once overridden, 'make' will then not honor the tooling makefiles
+trying to change it - which then makes any LDFLAGS use in the tooling
+directory break, typically causing odd link errors.
+
+Remove that LDFLAGS override, since it seems to be entirely historical.
+The core kernel makefiles no longer modify LDFLAGS as part of the build,
+and use kernel-specific link flags instead (eg 'KBUILD_LDFLAGS' and
+friends).
+
+This allows more of the 'make tools/*' cases to work. I say 'more',
+because some of the tooling build rules make various other assumptions
+or have other issues, so it's still a bit hit-or-miss. But those issues
+tend to show up with the 'make -C tools xyz' pattern too, so now it's no
+longer an issue of this particular 'tools/*' build rule being special.
+
+Acked-by: Nathan Chancellor <nathan@kernel.org>
+Cc: Nicolas Schier <nicolas@fjasle.eu>
+Cc: Borislav Petkov <bp@alien8.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 072a3be625510..356bf65e5e7a2 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1444,11 +1444,11 @@ endif
+
+ tools/: FORCE
+ $(Q)mkdir -p $(objtree)/tools
+- $(Q)$(MAKE) LDFLAGS= O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/
++ $(Q)$(MAKE) O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/
+
+ tools/%: FORCE
+ $(Q)mkdir -p $(objtree)/tools
+- $(Q)$(MAKE) LDFLAGS= O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ $*
++ $(Q)$(MAKE) O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ $*
+
+ # ---------------------------------------------------------------------------
+ # Kernel selftest
+--
+2.51.0
+
--- /dev/null
+From 0dbde2d11c9b9d3069a9e35e67c904b5be33c597 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 11:21:52 -0400
+Subject: dlm: check for defined force value in dlm_lockspace_release
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 6af515c9f3ccec3eb8a262ca86bef2c499d07951 ]
+
+Force values over 3 are undefined, so don't treat them as 3.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index 0455dddb0797c..0b17657690d4d 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -802,7 +802,7 @@ static int release_lockspace(struct dlm_ls *ls, int force)
+
+ dlm_device_deregister(ls);
+
+- if (force < 3 && dlm_user_daemon_available())
++ if (force != 3 && dlm_user_daemon_available())
+ do_uevent(ls, 0);
+
+ dlm_recoverd_stop(ls);
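Review bot: With `force != 3`, a force value above 3 now takes the uevent path exactly like 0–2, so an undefined value is still silently mapped onto defined behaviour rather than rejected. If the point of the change is that such values are invalid, a range check at the top of release_lockspace (which begins outside this hunk), e.g. `if (force < 0 || force > 3) return -EINVAL;`, would make the contract explicit, assuming its callers can handle that error return. Failing that, a comment on the changed line such as `/* force 0..3 are defined; only 3 skips the userspace notification */` would record which values are meaningful here.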
+--
+2.51.0
+
--- /dev/null
+From 800564dd0c87c52056cc5ca180ec64dab83891e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Aug 2025 18:14:19 +0800
+Subject: drivers/perf: hisi: Relax the event ID check in the framework
+
+From: Yicong Yang <yangyicong@hisilicon.com>
+
+[ Upstream commit 43de0ac332b815cf56dbdce63687de9acfd35d49 ]
+
+The event ID only uses bits [7, 0] of attr::config, but the event
+range is checked against the whole 64-bit field, which blocks use of
+the remaining bits of attr::config. Relax the check so that only
+bits [7, 0] are considered.
+
+Acked-by: Jonathan Cameron <jonathan.cameron@huawei.com>
+Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
+Signed-off-by: Yushan Wang <wangyushan12@huawei.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/hisilicon/hisi_uncore_pmu.c | 2 +-
+ drivers/perf/hisilicon/hisi_uncore_pmu.h | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/perf/hisilicon/hisi_uncore_pmu.c b/drivers/perf/hisilicon/hisi_uncore_pmu.c
+index 04031450d5fec..c3013059cca82 100644
+--- a/drivers/perf/hisilicon/hisi_uncore_pmu.c
++++ b/drivers/perf/hisilicon/hisi_uncore_pmu.c
+@@ -212,7 +212,7 @@ int hisi_uncore_pmu_event_init(struct perf_event *event)
+ return -EINVAL;
+
+ hisi_pmu = to_hisi_pmu(event->pmu);
+- if (event->attr.config > hisi_pmu->check_event)
++ if ((event->attr.config & HISI_EVENTID_MASK) > hisi_pmu->check_event)
+ return -EINVAL;
+
+ if (hisi_pmu->on_cpu == -1)
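Review bot: Masking `event->attr.config` with HISI_EVENTID_MASK before the range check means bits [63:8] of a user-supplied config are no longer rejected here, so every driver that consumes those bits must validate them itself, and nothing in the hunk says so. A short comment on the new line would make that contract visible, e.g. `/* only the event ID (bits 7:0) is range-checked here; drivers validate any other config bits they use */`. hisi_uncore_pmu_event_init starts and ends outside this hunk.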
+diff --git a/drivers/perf/hisilicon/hisi_uncore_pmu.h b/drivers/perf/hisilicon/hisi_uncore_pmu.h
+index 92402aa69d70f..67d1c3d3a41c0 100644
+--- a/drivers/perf/hisilicon/hisi_uncore_pmu.h
++++ b/drivers/perf/hisilicon/hisi_uncore_pmu.h
+@@ -43,7 +43,8 @@
+ return FIELD_GET(GENMASK_ULL(hi, lo), event->attr.config); \
+ }
+
+-#define HISI_GET_EVENTID(ev) (ev->hw.config_base & 0xff)
++#define HISI_EVENTID_MASK GENMASK(7, 0)
++#define HISI_GET_EVENTID(ev) ((ev)->hw.config_base & HISI_EVENTID_MASK)
+
+ #define HISI_PMU_EVTYPE_BITS 8
+ #define HISI_PMU_EVTYPE_SHIFT(idx) ((idx) % 4 * HISI_PMU_EVTYPE_BITS)
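Review bot: `HISI_EVENTID_MASK` is defined with `GENMASK(7, 0)`, an unsigned long, while the helper a few lines above builds its mask for `attr->config` with `GENMASK_ULL`, and the new mask is applied to the 64-bit `attr.config` in hisi_uncore_pmu_event_init. Defining it as `#define HISI_EVENTID_MASK GENMASK_ULL(7, 0)` keeps the header consistent and avoids depending on the width of unsigned long. The value is identical on 64-bit targets, so this is a consistency point rather than a functional one.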
+--
+2.51.0
+
--- /dev/null
+From 100082a00ed73695cfdf985b7a290075429dfe8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Aug 2025 15:36:09 +0800
+Subject: exec: Fix incorrect type for ret
+
+From: Xichao Zhao <zhao.xichao@vivo.com>
+
+[ Upstream commit 5e088248375d171b80c643051e77ade6b97bc386 ]
+
+In setup_arg_pages(), ret is declared as an unsigned long, but it
+may hold a negative value. Therefore its type should be changed
+to int.
+
+Signed-off-by: Xichao Zhao <zhao.xichao@vivo.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20250825073609.219855-1-zhao.xichao@vivo.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index ee71a315cc51f..a7dfac338a22c 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -748,7 +748,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ unsigned long stack_top,
+ int executable_stack)
+ {
+- unsigned long ret;
++ int ret;
+ unsigned long stack_shift;
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma = bprm->vma;
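Review bot: Only the declaration is in this hunk; the assignments to `ret` further down in setup_arg_pages (which continues past the hunk) are what decide whether `int` is the right width, so each of them should come from an int-returning helper and none from unsigned long arithmetic that could exceed INT_MAX. A comment on the declaration such as `/* negative errno from the helpers below; never an address or size */` would document why the narrower type is correct and discourage reusing it for unsigned results later.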
+--
+2.51.0
+
--- /dev/null
+From 26f1d58b79533996ad8284a9c06b426c6c0fb92d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 12:49:19 -0700
+Subject: hfs: clear offset and space out of valid records in b-tree node
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 18b07c44f245beb03588b00b212b38fce9af7cc9 ]
+
+Currently, hfs_brec_remove() executes moving records
+towards the location of deleted record and it updates
+offsets of moved records. However, the hfs_brec_remove()
+logic ignores the "mess" of b-tree node's free space and
+it doesn't touch the offsets out of records number.
+Potentially, it could confuse fsck or driver logic or
+to be a reason of potential corruption cases.
+
+This patch reworks the logic of hfs_brec_remove()
+by means of clearing freed space of b-tree node
+after the records moving. It also clears the last
+offset, which kept the old location of the free space,
+because after the record deletion the offset before
+it holds the actual offset of the free space.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250815194918.38165-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/brec.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
+index 896396554bcc1..b01db1fae147c 100644
+--- a/fs/hfs/brec.c
++++ b/fs/hfs/brec.c
+@@ -179,6 +179,7 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ struct hfs_btree *tree;
+ struct hfs_bnode *node, *parent;
+ int end_off, rec_off, data_off, size;
++ int src, dst, len;
+
+ tree = fd->tree;
+ node = fd->bnode;
+@@ -208,10 +209,14 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ }
+ hfs_bnode_write_u16(node, offsetof(struct hfs_bnode_desc, num_recs), node->num_recs);
+
+- if (rec_off == end_off)
+- goto skip;
+ size = fd->keylength + fd->entrylength;
+
++ if (rec_off == end_off) {
++ src = fd->keyoffset;
++ hfs_bnode_clear(node, src, size);
++ goto skip;
++ }
++
+ do {
+ data_off = hfs_bnode_read_u16(node, rec_off);
+ hfs_bnode_write_u16(node, rec_off + 2, data_off - size);
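Review bot: In the new `rec_off == end_off` branch, `src` is assigned `fd->keyoffset` only to be passed straight to hfs_bnode_clear, and the same variable is later reused with two other meanings (the move source and the start of the cleared tail), which makes it harder to follow what each call operates on. Passing the value directly here, `hfs_bnode_clear(node, fd->keyoffset, size);`, or giving the later uses their own names would read better. hfs_brec_remove begins in the previous hunk and continues into the next one.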
+@@ -219,9 +224,23 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ } while (rec_off >= end_off);
+
+ /* fill hole */
+- hfs_bnode_move(node, fd->keyoffset, fd->keyoffset + size,
+- data_off - fd->keyoffset - size);
++ dst = fd->keyoffset;
++ src = fd->keyoffset + size;
++ len = data_off - src;
++
++ hfs_bnode_move(node, dst, src, len);
++
++ src = dst + len;
++ len = data_off - src;
++
++ hfs_bnode_clear(node, src, len);
++
+ skip:
++ /*
++ * Remove the obsolete offset to free space.
++ */
++ hfs_bnode_write_u16(node, end_off, 0);
++
+ hfs_bnode_dump(node);
+ if (!fd->record)
+ hfs_brec_update_parent(fd);
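Review bot: `len = data_off - src` is derived entirely from on-disk values (`data_off` read with hfs_bnode_read_u16 and `fd->keyoffset` plus `size`) with no sign check, so on a corrupted node where data_off is smaller than fd->keyoffset + size both hfs_bnode_move and hfs_bnode_clear are called with a negative length. Unless those helpers reject that internally (not visible here), a guard before the move that treats a negative len as corruption and takes whatever error path the rest of hfs_brec_remove uses would keep the new clearing logic from amplifying a bad offset; the same consideration applies to the `size` cleared in the previous hunk. The function continues outside this hunk.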
+--
+2.51.0
+
--- /dev/null
+From 848851eb3e41f90a6dd3ca247c47e8d5ef5a88ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Aug 2025 16:06:38 -0700
+Subject: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd ]
+
+The syzbot reported issue in hfs_find_set_zero_bits():
+
+=====================================================
+BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
+ hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
+ hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151
+ hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408
+ hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353
+ __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151
+ block_write_begin fs/buffer.c:2262 [inline]
+ cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601
+ hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
+ cont_expand_zero fs/buffer.c:2528 [inline]
+ cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591
+ hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
+ hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494
+ hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654
+ notify_change+0x1993/0x1aa0 fs/attr.c:552
+ do_truncate+0x28f/0x310 fs/open.c:68
+ do_ftruncate+0x698/0x730 fs/open.c:195
+ do_sys_ftruncate fs/open.c:210 [inline]
+ __do_sys_ftruncate fs/open.c:215 [inline]
+ __se_sys_ftruncate fs/open.c:213 [inline]
+ __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213
+ x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:4154 [inline]
+ slab_alloc_node mm/slub.c:4197 [inline]
+ __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354
+ kmalloc_noprof include/linux/slab.h:905 [inline]
+ hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175
+ hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337
+ get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681
+ get_tree_bdev+0x38/0x50 fs/super.c:1704
+ hfs_get_tree+0x35/0x40 fs/hfs/super.c:388
+ vfs_get_tree+0xb0/0x5c0 fs/super.c:1804
+ do_new_mount+0x738/0x1610 fs/namespace.c:3902
+ path_mount+0x6db/0x1e90 fs/namespace.c:4226
+ do_mount fs/namespace.c:4239 [inline]
+ __do_sys_mount fs/namespace.c:4450 [inline]
+ __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427
+ __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427
+ x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
+=====================================================
+
+The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():
+
+HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
+
+Finally, it can trigger the reported issue because kmalloc()
+doesn't clear the allocated memory. If allocated memory contains
+only zeros, then everything will work pretty fine.
+But if the allocated memory contains the "garbage", then
+it can affect the bitmap operations and it triggers
+the reported issue.
+
+This patch simply replaces kmalloc() with kzalloc()
+with the goal of guaranteeing the correctness of bitmap operations,
+because a newly created allocation bitmap should have all
+available blocks free. Potentially, the bitmap's initial read
+operation might not fill the whole allocated memory, and
+"garbage" in the uninitialized memory would then cause
+volume corruption and file system driver bugs.
+
+Reported-by: syzbot <syzbot+773fa9d79b29bd8b6831@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=773fa9d79b29bd8b6831
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250820230636.179085-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/mdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
+index 8082eb01127cd..bf811347bb07d 100644
+--- a/fs/hfs/mdb.c
++++ b/fs/hfs/mdb.c
+@@ -172,7 +172,7 @@ int hfs_mdb_get(struct super_block *sb)
+ pr_warn("continuing without an alternate MDB\n");
+ }
+
+- HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
++ HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL);
+ if (!HFS_SB(sb)->bitmap)
+ goto out;
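Review bot: The switch to kzalloc makes the buffer deterministic, but since a zero bit means a free block, any part of the 8192 bytes that the subsequent bitmap read (outside this hunk) does not fill now reads as free rather than as garbage, so a short or truncated read would silently advertise blocks as available. The read path should verify that it filled the expected length and fail the mount otherwise, if it does not already do so. A comment on the new line, e.g. `/* zero-filled: an unread tail would look like free blocks, so the bitmap read below must be complete */`, would record that dependency; the literal 8192 would also be clearer as a named constant.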
+
+--
+2.51.0
+
--- /dev/null
+From 9cc9d53afa975fec7cc2c8fb47ce9e02522dbc7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 15:52:52 -0700
+Subject: hfs: make proper initalization of struct hfs_find_data
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit c62663a986acee7c4485c1fa9de5fc40194b6290 ]
+
+Potenatially, __hfs_ext_read_extent() could operate by
+not initialized values of fd->key after hfs_brec_find() call:
+
+static inline int __hfs_ext_read_extent(struct hfs_find_data *fd, struct hfs_extent *extent,
+ u32 cnid, u32 block, u8 type)
+{
+ int res;
+
+ hfs_ext_build_key(fd->search_key, cnid, block, type);
+ fd->key->ext.FNum = 0;
+ res = hfs_brec_find(fd);
+ if (res && res != -ENOENT)
+ return res;
+ if (fd->key->ext.FNum != fd->search_key->ext.FNum ||
+ fd->key->ext.FkType != fd->search_key->ext.FkType)
+ return -ENOENT;
+ if (fd->entrylength != sizeof(hfs_extent_rec))
+ return -EIO;
+ hfs_bnode_read(fd->bnode, extent, fd->entryoffset, sizeof(hfs_extent_rec));
+ return 0;
+}
+
+This patch changes kmalloc() to kzalloc() in hfs_find_init()
+and initializes fd->record, fd->keyoffset, fd->keylength,
+fd->entryoffset, fd->entrylength for the case where hfs_brec_find()
+has found nothing in the b-tree node.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250818225252.126427-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/bfind.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c
+index 34e9804e0f360..e46f650b5e9c2 100644
+--- a/fs/hfs/bfind.c
++++ b/fs/hfs/bfind.c
+@@ -21,7 +21,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+
+ fd->tree = tree;
+ fd->bnode = NULL;
+- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+@@ -115,6 +115,12 @@ int hfs_brec_find(struct hfs_find_data *fd)
+ __be32 data;
+ int height, res;
+
++ fd->record = -1;
++ fd->keyoffset = -1;
++ fd->keylength = -1;
++ fd->entryoffset = -1;
++ fd->entrylength = -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
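Review bot: The five `-1` assignments introduce a sentinel that callers of hfs_brec_find are expected to recognise, but nothing in the hunk says so; a comment above them, e.g. `/* Reset to invalid (-1) so a failed lookup cannot leave stale offsets/lengths for callers to consume */`, would document the contract. The same applies to the identical block added to fs/hfsplus/bfind.c further down in this series. Note that `-1` in `keylength`/`entrylength` is only safe for callers that compare against an expected size, as the description's example does, rather than using the values directly; hfs_brec_find continues outside the hunk.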
+--
+2.51.0
+
--- /dev/null
+From 564a3a37a03dc8cb1d67b33a034c843cc86f0f2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 22:17:34 +0800
+Subject: hfs: validate record offset in hfsplus_bmap_alloc
+
+From: Yang Chenzhi <yang.chenzhi@vivo.com>
+
+[ Upstream commit 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 ]
+
+hfsplus_bmap_alloc can trigger a crash if a
+record offset or length is larger than node_size
+
+[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0
+[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183
+[ 15.265949]
+[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)
+[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 15.266167] Call Trace:
+[ 15.266168] <TASK>
+[ 15.266169] dump_stack_lvl+0x53/0x70
+[ 15.266173] print_report+0xd0/0x660
+[ 15.266181] kasan_report+0xce/0x100
+[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0
+[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0
+[ 15.266217] hfsplus_brec_insert+0x870/0xb00
+[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570
+[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910
+[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200
+[ 15.266233] hfsplus_file_extend+0x5a7/0x1000
+[ 15.266237] hfsplus_get_block+0x12b/0x8c0
+[ 15.266238] __block_write_begin_int+0x36b/0x12c0
+[ 15.266251] block_write_begin+0x77/0x110
+[ 15.266252] cont_write_begin+0x428/0x720
+[ 15.266259] hfsplus_write_begin+0x51/0x100
+[ 15.266262] cont_write_begin+0x272/0x720
+[ 15.266270] hfsplus_write_begin+0x51/0x100
+[ 15.266274] generic_perform_write+0x321/0x750
+[ 15.266285] generic_file_write_iter+0xc3/0x310
+[ 15.266289] __kernel_write_iter+0x2fd/0x800
+[ 15.266296] dump_user_range+0x2ea/0x910
+[ 15.266301] elf_core_dump+0x2a94/0x2ed0
+[ 15.266320] vfs_coredump+0x1d85/0x45e0
+[ 15.266349] get_signal+0x12e3/0x1990
+[ 15.266357] arch_do_signal_or_restart+0x89/0x580
+[ 15.266362] irqentry_exit_to_user_mode+0xab/0x110
+[ 15.266364] asm_exc_page_fault+0x26/0x30
+[ 15.266366] RIP: 0033:0x41bd35
+[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f
+[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283
+[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000
+[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100
+[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000
+[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000
+[ 15.266376] </TASK>
+
+When calling hfsplus_bmap_alloc to allocate a free node, this function
+first retrieves the bitmap from header node and map node using node->page
+together with the offset and length from hfs_brec_lenoff
+
+```
+len = hfs_brec_lenoff(node, 2, &off16);
+off = off16;
+
+off += node->page_offset;
+pagep = node->page + (off >> PAGE_SHIFT);
+data = kmap_local_page(*pagep);
+```
+
+However, if the retrieved offset or length is invalid(i.e. exceeds
+node_size), the code may end up accessing pages outside the allocated
+range for this node.
+
+This patch adds proper validation of both offset and length before use,
+preventing out-of-bounds page access. Move is_bnode_offset_valid and
+check_and_correct_requested_length to hfsplus_fs.h, as they may be
+required by other functions.
+
+Reported-by: syzbot+356aed408415a56543cd@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67bcb4a6.050a0220.bbfd1.008f.GAE@google.com/
+Signed-off-by: Yang Chenzhi <yang.chenzhi@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250818141734.8559-2-yang.chenzhi@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/bnode.c | 41 ----------------------------------------
+ fs/hfsplus/btree.c | 6 ++++++
+ fs/hfsplus/hfsplus_fs.h | 42 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 48 insertions(+), 41 deletions(-)
+
+diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
+index 14f4995588ff0..407d5152eb411 100644
+--- a/fs/hfsplus/bnode.c
++++ b/fs/hfsplus/bnode.c
+@@ -18,47 +18,6 @@
+ #include "hfsplus_fs.h"
+ #include "hfsplus_raw.h"
+
+-static inline
+-bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
+-{
+- bool is_valid = off < node->tree->node_size;
+-
+- if (!is_valid) {
+- pr_err("requested invalid offset: "
+- "NODE: id %u, type %#x, height %u, "
+- "node_size %u, offset %d\n",
+- node->this, node->type, node->height,
+- node->tree->node_size, off);
+- }
+-
+- return is_valid;
+-}
+-
+-static inline
+-int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
+-{
+- unsigned int node_size;
+-
+- if (!is_bnode_offset_valid(node, off))
+- return 0;
+-
+- node_size = node->tree->node_size;
+-
+- if ((off + len) > node_size) {
+- int new_len = (int)node_size - off;
+-
+- pr_err("requested length has been corrected: "
+- "NODE: id %u, type %#x, height %u, "
+- "node_size %u, offset %d, "
+- "requested_len %d, corrected_len %d\n",
+- node->this, node->type, node->height,
+- node->tree->node_size, off, len, new_len);
+-
+- return new_len;
+- }
+-
+- return len;
+-}
+
+ /* Copy a specified range of bytes from the raw data of a node */
+ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
+diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
+index 9e1732a2b92a8..fe6a54c4083c3 100644
+--- a/fs/hfsplus/btree.c
++++ b/fs/hfsplus/btree.c
+@@ -393,6 +393,12 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
+ len = hfs_brec_lenoff(node, 2, &off16);
+ off = off16;
+
++ if (!is_bnode_offset_valid(node, off)) {
++ hfs_bnode_put(node);
++ return ERR_PTR(-EIO);
++ }
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ pagep = node->page + (off >> PAGE_SHIFT);
+ data = kmap_local_page(*pagep);
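Review bot: When `check_and_correct_requested_length` shrinks `len`, hfs_bmap_alloc carries on with a shorter bitmap, whereas the preceding offset check treats its failure as corruption and returns `-EIO`; a record whose length overruns node_size is just as suspect as one whose offset does. Consider storing the corrected value in a separate local, comparing it with the original `len`, and on mismatch calling `hfs_bnode_put(node)` and returning `ERR_PTR(-EIO)` the same way the offset check does. hfs_bmap_alloc begins and ends outside this hunk, so the effect of a shortened len on the scan that follows is inferred rather than visible.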
+diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
+index 1473b04fc0f31..e67b35cb5ccc7 100644
+--- a/fs/hfsplus/hfsplus_fs.h
++++ b/fs/hfsplus/hfsplus_fs.h
+@@ -574,6 +574,48 @@ hfsplus_btree_lock_class(struct hfs_btree *tree)
+ return class;
+ }
+
++static inline
++bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
++{
++ bool is_valid = off < node->tree->node_size;
++
++ if (!is_valid) {
++ pr_err("requested invalid offset: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off);
++ }
++
++ return is_valid;
++}
++
++static inline
++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
++{
++ unsigned int node_size;
++
++ if (!is_bnode_offset_valid(node, off))
++ return 0;
++
++ node_size = node->tree->node_size;
++
++ if ((off + len) > node_size) {
++ int new_len = (int)node_size - off;
++
++ pr_err("requested length has been corrected: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, "
++ "requested_len %d, corrected_len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len, new_len);
++
++ return new_len;
++ }
++
++ return len;
++}
++
+ /* compatibility */
+ #define hfsp_mt2ut(t) (struct timespec64){ .tv_sec = __hfsp_mt2ut(t) }
+ #define hfsp_ut2mt(t) __hfsp_ut2mt((t).tv_sec)
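Review bot: `check_and_correct_requested_length` never rejects a negative `len`: in `(off + len) > node_size` the int sum is converted to unsigned for the comparison, so a negative len that leaves off + len non-negative passes the check and the negative value is returned to the caller unchanged. Since len comes from on-disk record offsets, adding `if (len < 0) return 0;` next to the offset check (with a matching pr_err) would close that gap. Separately, `off < node->tree->node_size` in is_bnode_offset_valid rejects negative offsets only because the int is converted to unsigned (assuming node_size is unsigned int, as the local in the second function suggests), which deserves a comment such as `/* a negative off converts to a huge unsigned value and is rejected as well */`.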
+--
+2.51.0
+
--- /dev/null
+From 3f85fb1aa37a35bd39237b46ff5706a6918b7554 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 15:52:32 -0700
+Subject: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 4840ceadef4290c56cc422f0fc697655f3cbf070 ]
+
+The syzbot reported issue in __hfsplus_ext_cache_extent():
+
+[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0
+[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.199771][ T9350] ksys_write+0x23e/0x490
+[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.202054][ T9350]
+[ 70.202279][ T9350] Uninit was created at:
+[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80
+[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0
+[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0
+[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.207961][ T9350] ksys_write+0x23e/0x490
+[ 70.208375][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.210230][ T9350]
+[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5
+[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.212115][ T9350] =====================================================
+[ 70.212734][ T9350] Disabling lock debugging due to kernel taint
+[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ...
+[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5
+[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE
+[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.215999][ T9350] Call Trace:
+[ 70.216309][ T9350] <TASK>
+[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0
+[ 70.217025][ T9350] dump_stack+0x1e/0x30
+[ 70.217421][ T9350] panic+0x502/0xca0
+[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+
+[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...
+ kernel
+:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+set ...
+[ 70.221254][ T9350] ? __msan_warning+0x96/0x120
+[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0
+[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0
+[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0
+[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950
+[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130
+[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060
+[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460
+[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0
+[ 70.228540][ T9350] ? vfs_write+0xb0f/0x14e0
+[ 70.228997][ T9350] ? ksys_write+0x23e/0x490
+[ 70.229458][ T9350] ? __x64_sys_write+0x97/0xf0
+[ 70.229939][ T9350] ? x64_sys_call+0x3015/0x3cf0
+[ 70.230432][ T9350] ? do_syscall_64+0xd9/0x1d0
+[ 70.230941][ T9350] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.231926][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.232738][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.233711][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.234516][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.235398][ T9350] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.236323][ T9350] ? hfsplus_brec_find+0x218/0x9f0
+[ 70.237090][ T9350] ? __pfx_hfs_find_rec_by_key+0x10/0x10
+[ 70.237938][ T9350] ? __msan_instrument_asm_store+0xbf/0xf0
+[ 70.238827][ T9350] ? __msan_metadata_ptr_for_store_4+0x27/0x40
+[ 70.239772][ T9350] ? __hfsplus_ext_write_extent+0x536/0x620
+[ 70.240666][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.241175][ T9350] __msan_warning+0x96/0x120
+[ 70.241645][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990
+[ 70.242223][ T9350] hfsplus_file_extend+0x74f/0x1cf0
+[ 70.242748][ T9350] hfsplus_get_block+0xe16/0x17b0
+[ 70.243255][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.243878][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.244400][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.244967][ T9350] __block_write_begin_int+0x962/0x2ce0
+[ 70.245531][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10
+[ 70.246079][ T9350] cont_write_begin+0x1000/0x1950
+[ 70.246598][ T9350] hfsplus_write_begin+0x85/0x130
+[ 70.247105][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10
+[ 70.247650][ T9350] ? __pfx_hfsplus_write_begin+0x10/0x10
+[ 70.248211][ T9350] generic_perform_write+0x3e8/0x1060
+[ 70.248752][ T9350] __generic_file_write_iter+0x215/0x460
+[ 70.249314][ T9350] generic_file_write_iter+0x109/0x5e0
+[ 70.249856][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110
+[ 70.250487][ T9350] vfs_write+0xb0f/0x14e0
+[ 70.250930][ T9350] ? __pfx_generic_file_write_iter+0x10/0x10
+[ 70.251530][ T9350] ksys_write+0x23e/0x490
+[ 70.251974][ T9350] __x64_sys_write+0x97/0xf0
+[ 70.252450][ T9350] x64_sys_call+0x3015/0x3cf0
+[ 70.252924][ T9350] do_syscall_64+0xd9/0x1d0
+[ 70.253384][ T9350] ? irqentry_exit+0x16/0x60
+[ 70.253844][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.254430][ T9350] RIP: 0033:0x7f7a92adffc9
+[ 70.254873][ T9350] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
+[ 70.256674][ T9350] RSP: 002b:00007fff0bca3188 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
+[ 70.257485][ T9350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a92adffc9
+[ 70.258246][ T9350] RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000004
+[ 70.258998][ T9350] RBP: 00007fff0bca31a0 R08: 00007fff0bca31a0 R09: 00007fff0bca31a0
+[ 70.259769][ T9350] R10: 0000000000000000 R11: 0000000000000202 R12: 000055e0d75f8250
+[ 70.260520][ T9350] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 70.261286][ T9350] </TASK>
+[ 70.262026][ T9350] Kernel Offset: disabled
+
+(gdb) l *__hfsplus_ext_cache_extent+0x7d0
+0xffffffff8318aef0 is in __hfsplus_ext_cache_extent (fs/hfsplus/extents.c:168).
+163 fd->key->ext.cnid = 0;
+164 res = hfs_brec_find(fd, hfs_find_rec_by_key);
+165 if (res && res != -ENOENT)
+166 return res;
+167 if (fd->key->ext.cnid != fd->search_key->ext.cnid ||
+168 fd->key->ext.fork_type != fd->search_key->ext.fork_type)
+169 return -ENOENT;
+170 if (fd->entrylength != sizeof(hfsplus_extent_rec))
+171 return -EIO;
+172 hfs_bnode_read(fd->bnode, extent, fd->entryoffset,
+
+The __hfsplus_ext_cache_extent() calls __hfsplus_ext_read_extent():
+
+res = __hfsplus_ext_read_extent(fd, hip->cached_extents, inode->i_ino,
+ block, HFSPLUS_IS_RSRC(inode) ?
+ HFSPLUS_TYPE_RSRC :
+ HFSPLUS_TYPE_DATA);
+
+And if inode->i_ino could be equal to zero or any non-available CNID,
+then hfs_brec_find() could not find the record in the tree. As a result,
+fd->key could be compared with fd->search_key. But hfsplus_find_init()
+uses kmalloc() for fd->key and fd->search_key allocation:
+
+int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+{
+<skipped>
+ ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+ fd->key = ptr + tree->max_key_len + 2;
+<skipped>
+}
+
+Finally, fd->key is still not initialized if hfs_brec_find()
+has found nothing.
+
+This patch changes kmalloc() to kzalloc() in hfs_find_init()
+and initializes fd->record, fd->keyoffset, fd->keylength,
+fd->entryoffset, fd->entrylength for the case where hfs_brec_find()
+has found nothing in the b-tree node.
+
+Reported-by: syzbot <syzbot+55ad87f38795d6787521@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=55ad87f38795d6787521
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250818225232.126402-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/bfind.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c
+index 901e83d65d202..26ebac4c60424 100644
+--- a/fs/hfsplus/bfind.c
++++ b/fs/hfsplus/bfind.c
+@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+
+ fd->tree = tree;
+ fd->bnode = NULL;
+- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+@@ -158,6 +158,12 @@ int hfs_brec_find(struct hfs_find_data *fd, search_strategy_t do_key_compare)
+ __be32 data;
+ int height, res;
+
++ fd->record = -1;
++ fd->keyoffset = -1;
++ fd->keylength = -1;
++ fd->entryoffset = -1;
++ fd->entrylength = -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
+--
+2.51.0
+
--- /dev/null
+From e0dceaeccfb2cd43f936c8bcddffc7d0f4d0848f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Aug 2025 15:51:04 -0700
+Subject: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 9b3d15a758910bb98ba8feb4109d99cc67450ee4 ]
+
+The syzbot reported issue in hfsplus_delete_cat():
+
+[ 70.682285][ T9333] =====================================================
+[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0
+[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310
+[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810
+[ 70.685447][ T9333] do_rmdir+0x964/0xea0
+[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0
+[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0
+[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.687646][ T9333]
+[ 70.687856][ T9333] Uninit was stored to memory at:
+[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
+[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800
+[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600
+[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70
+[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0
+[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30
+[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0
+[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0
+[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.692773][ T9333]
+[ 70.692990][ T9333] Uninit was stored to memory at:
+[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
+[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800
+[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700
+[ 70.694911][ T9333] mount_bdev+0x37b/0x530
+[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60
+[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0
+[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0
+[ 70.696588][ T9333] do_new_mount+0x73e/0x1630
+[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0
+[ 70.697425][ T9333] __se_sys_mount+0x733/0x830
+[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150
+[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0
+[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.699730][ T9333]
+[ 70.699946][ T9333] Uninit was created at:
+[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60
+[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0
+[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0
+[ 70.701774][ T9333] allocate_slab+0x30e/0x1390
+[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0
+[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20
+[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0
+[ 70.703598][ T9333] alloc_inode+0x82/0x490
+[ 70.703984][ T9333] iget_locked+0x22e/0x1320
+[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0
+[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0
+[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700
+[ 70.705776][ T9333] mount_bdev+0x37b/0x530
+[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60
+[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0
+[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0
+[ 70.707444][ T9333] do_new_mount+0x73e/0x1630
+[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0
+[ 70.708270][ T9333] __se_sys_mount+0x733/0x830
+[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150
+[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0
+[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.710611][ T9333]
+[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17
+[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.712490][ T9333] =====================================================
+[ 70.713085][ T9333] Disabling lock debugging due to kernel taint
+[ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...
+[ 70.714159][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Tainted: G B 6.12.0-rc6-dirty #17
+[ 70.715007][ T9333] Tainted: [B]=BAD_PAGE
+[ 70.715365][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.716311][ T9333] Call Trace:
+[ 70.716621][ T9333] <TASK>
+[ 70.716899][ T9333] dump_stack_lvl+0x1fd/0x2b0
+[ 70.717350][ T9333] dump_stack+0x1e/0x30
+[ 70.717743][ T9333] panic+0x502/0xca0
+[ 70.718116][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.718611][ T9333] kmsan_report+0x296/0x2a0
+[ 70.719038][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.719859][ T9333] ? __msan_warning+0x96/0x120
+[ 70.720345][ T9333] ? hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.720881][ T9333] ? hfsplus_delete_cat+0x105d/0x12b0
+[ 70.721412][ T9333] ? hfsplus_rmdir+0x13d/0x310
+[ 70.721880][ T9333] ? vfs_rmdir+0x5ba/0x810
+[ 70.722458][ T9333] ? do_rmdir+0x964/0xea0
+[ 70.722883][ T9333] ? __x64_sys_rmdir+0x71/0xb0
+[ 70.723397][ T9333] ? x64_sys_call+0xcd8/0x3cf0
+[ 70.723915][ T9333] ? do_syscall_64+0xd9/0x1d0
+[ 70.724454][ T9333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.725110][ T9333] ? vprintk_emit+0xd1f/0xe60
+[ 70.725616][ T9333] ? vprintk_default+0x3f/0x50
+[ 70.726175][ T9333] ? vprintk+0xce/0xd0
+[ 70.726628][ T9333] ? _printk+0x17e/0x1b0
+[ 70.727129][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.727739][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.728324][ T9333] __msan_warning+0x96/0x120
+[ 70.728854][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.729479][ T9333] hfsplus_delete_cat+0x105d/0x12b0
+[ 70.729984][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.730646][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.731296][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.731863][ T9333] hfsplus_rmdir+0x13d/0x310
+[ 70.732390][ T9333] ? __pfx_hfsplus_rmdir+0x10/0x10
+[ 70.732919][ T9333] vfs_rmdir+0x5ba/0x810
+[ 70.733416][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.734044][ T9333] do_rmdir+0x964/0xea0
+[ 70.734537][ T9333] __x64_sys_rmdir+0x71/0xb0
+[ 70.735032][ T9333] x64_sys_call+0xcd8/0x3cf0
+[ 70.735579][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.736092][ T9333] ? irqentry_exit+0x16/0x60
+[ 70.736637][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.737269][ T9333] RIP: 0033:0x7fa9424eafc9
+[ 70.737775][ T9333] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
+[ 70.739844][ T9333] RSP: 002b:00007fff099cd8d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000054
+[ 70.740760][ T9333] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa9424eafc9
+[ 70.741642][ T9333] RDX: 006c6f72746e6f63 RSI: 000000000000000a RDI: 0000000020000100
+[ 70.742543][ T9333] RBP: 00007fff099cd8e0 R08: 00007fff099cd910 R09: 00007fff099cd910
+[ 70.743376][ T9333] R10: 0000000000000000 R11: 0000000000000202 R12: 0000565430642260
+[ 70.744247][ T9333] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 70.745082][ T9333] </TASK>
+
+The main reason for the issue is that struct hfsplus_inode_info
+has not been properly initialized for the case of the root folder.
+In the case of the root folder, hfsplus_fill_super() calls
+hfsplus_iget(), which implements only partial initialization of
+struct hfsplus_inode_info, and the subfolders field is not
+initialized by the hfsplus_iget() logic.
+
+This patch implements complete initialization of
+struct hfsplus_inode_info in the hfsplus_iget() logic with
+the goal to prevent likewise issues for the case of
+root folder.
+
+Reported-by: syzbot <syzbot+fdedff847a0e5e84c39f@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=fdedff847a0e5e84c39f
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250825225103.326401-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/super.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 1986b4f18a901..8c086f16dd589 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -67,13 +67,26 @@ struct inode *hfsplus_iget(struct super_block *sb, unsigned long ino)
+ if (!(inode->i_state & I_NEW))
+ return inode;
+
+- INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
+- spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
+- mutex_init(&HFSPLUS_I(inode)->extents_lock);
+- HFSPLUS_I(inode)->flags = 0;
++ atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->first_blocks = 0;
++ HFSPLUS_I(inode)->clump_blocks = 0;
++ HFSPLUS_I(inode)->alloc_blocks = 0;
++ HFSPLUS_I(inode)->cached_start = U32_MAX;
++ HFSPLUS_I(inode)->cached_blocks = 0;
++ memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(hfsplus_extent_rec));
++ memset(HFSPLUS_I(inode)->cached_extents, 0, sizeof(hfsplus_extent_rec));
+ HFSPLUS_I(inode)->extent_state = 0;
++ mutex_init(&HFSPLUS_I(inode)->extents_lock);
+ HFSPLUS_I(inode)->rsrc_inode = NULL;
+- atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->create_date = 0;
++ HFSPLUS_I(inode)->linkid = 0;
++ HFSPLUS_I(inode)->flags = 0;
++ HFSPLUS_I(inode)->fs_blocks = 0;
++ HFSPLUS_I(inode)->userflags = 0;
++ HFSPLUS_I(inode)->subfolders = 0;
++ INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
++ spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
++ HFSPLUS_I(inode)->phys_size = 0;
+
+ if (inode->i_ino >= HFSPLUS_FIRSTUSER_CNID ||
+ inode->i_ino == HFSPLUS_ROOT_CNID) {
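Review bot: The two memset() calls size the clear by the type name `sizeof(hfsplus_extent_rec)` rather than by the field being cleared; `sizeof(HFSPLUS_I(inode)->first_extents)` and `sizeof(HFSPLUS_I(inode)->cached_extents)` tie the length to the destination and survive a later change of the field's type. The field-by-field list is also easy to drift from the struct: a member added to hfsplus_inode_info without an entry here is exactly the uninitialised-value class this patch fixes, so a comment such as `/* every hfsplus_inode_info member not owned by the VFS is reset here; keep in sync with the struct */` would make the invariant explicit, or the reset could live next to the allocation in hfsplus_alloc_inode(). hfsplus_iget() continues outside the hunk.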
+--
+2.51.0
+
--- /dev/null
+From f4181d677e4f50123ff4a1ed83193eaca5d34c2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Aug 2025 10:58:59 -0600
+Subject: hfsplus: return EIO when type of hidden directory mismatch in
+ hfsplus_fill_super()
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit 9282bc905f0949fab8cf86c0f620ca988761254c ]
+
+If Catalog File contains corrupted record for the case of
+hidden directory's type, regard it as I/O error instead of
+Invalid argument.
+
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250805165905.3390154-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 8c086f16dd589..7e889820a63d0 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -538,7 +538,7 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent)
+ if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ hfs_find_exit(&fd);
+ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
+- err = -EINVAL;
++ err = -EIO;
+ goto out_put_root;
+ }
+ inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
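Review bot: The `-EIO` now returned for a mismatched hidden-directory type is not accompanied by any diagnostic, so a mount rejected because of a corrupt Catalog File record looks the same in the log as a genuine read failure. A `pr_err()` naming the condition before `goto out_put_root;` would let an operator tell corruption from a hardware error. hfsplus_fill_super() continues outside the hunk.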
+--
+2.51.0
+
--- /dev/null
+From 0f01557fb50cb8b50f5e74837c4f377d834680d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 14:06:05 +0800
+Subject: lkdtm: fortify: Fix potential NULL dereference on kmalloc failure
+
+From: Junjie Cao <junjie.cao@intel.com>
+
+[ Upstream commit 01c7344e21c2140e72282d9d16d79a61f840fc20 ]
+
+Add missing NULL pointer checks after kmalloc() calls in
+lkdtm_FORTIFY_STR_MEMBER() and lkdtm_FORTIFY_MEM_MEMBER() functions.
+
+Signed-off-by: Junjie Cao <junjie.cao@intel.com>
+Link: https://lore.kernel.org/r/20250814060605.5264-1-junjie.cao@intel.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/lkdtm/fortify.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/misc/lkdtm/fortify.c b/drivers/misc/lkdtm/fortify.c
+index 0159276656780..00ed2147113e6 100644
+--- a/drivers/misc/lkdtm/fortify.c
++++ b/drivers/misc/lkdtm/fortify.c
+@@ -44,6 +44,9 @@ static void lkdtm_FORTIFY_STR_MEMBER(void)
+ char *src;
+
+ src = kmalloc(size, GFP_KERNEL);
++ if (!src)
++ return;
++
+ strscpy(src, "over ten bytes", size);
+ size = strlen(src) + 1;
+
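Review bot: The new `if (!src) return;` exits silently, and in an lkdtm test a silent return is indistinguishable from FORTIFY failing to catch the overflow, so an allocation failure would be read as a missed detection; a message before the return, e.g. `pr_err("FAIL: could not allocate source buffer\n");` if that matches the file's reporting style, would keep the outcome unambiguous. The same applies to the identical check added in lkdtm_FORTIFY_MEM_MEMBER() in the second hunk. Both functions continue outside their hunks.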
+@@ -109,6 +112,9 @@ static void lkdtm_FORTIFY_MEM_MEMBER(void)
+ char *src;
+
+ src = kmalloc(size, GFP_KERNEL);
++ if (!src)
++ return;
++
+ strscpy(src, "over ten bytes", size);
+ size = strlen(src) + 1;
+
+--
+2.51.0
+
--- /dev/null
+From 2b88dcbaee68a0633a43d006b528a20c18c804e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Sep 2025 17:16:13 +0200
+Subject: m68k: bitops: Fix find_*_bit() signatures
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit 6d5674090543b89aac0c177d67e5fb32ddc53804 ]
+
+The function signatures of the m68k-optimized implementations of the
+find_{first,next}_{,zero_}bit() helpers do not match the generic
+variants.
+
+Fix this by changing all non-pointer inputs and outputs to "unsigned
+long", and updating a few local variables.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202509092305.ncd9mzaZ-lkp@intel.com/
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Acked-by: "Yury Norov (NVIDIA)" <yury.norov@gmail.com>
+Link: https://patch.msgid.link/de6919554fbb4cd1427155c6bafbac8a9df822c8.1757517135.git.geert@linux-m68k.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/bitops.h | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/arch/m68k/include/asm/bitops.h b/arch/m68k/include/asm/bitops.h
+index e984af71df6be..d86aa744cb8fc 100644
+--- a/arch/m68k/include/asm/bitops.h
++++ b/arch/m68k/include/asm/bitops.h
+@@ -329,12 +329,12 @@ arch___test_and_change_bit(unsigned long nr, volatile unsigned long *addr)
+ #include <asm-generic/bitops/ffz.h>
+ #else
+
+-static inline int find_first_zero_bit(const unsigned long *vaddr,
+- unsigned size)
++static inline unsigned long find_first_zero_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -355,8 +355,9 @@ static inline int find_first_zero_bit(const unsigned long *vaddr,
+ }
+ #define find_first_zero_bit find_first_zero_bit
+
+-static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_zero_bit(const unsigned long *vaddr,
++ unsigned long size,
++ unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
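Review bot: `res` in find_next_zero_bit() stays `int` (`int bit = offset & 31UL, res;`) while the function now returns `unsigned long`, so the result still passes through a signed local and a sign-extending conversion on return; the find_first_zero_bit() and find_first_bit() hunks did change their `res` to `unsigned long`, and `unsigned long bit = offset & 31UL, res;` would make the four helpers consistent. The same line is left unchanged in the find_next_bit() hunk below. If `res` feeds an inline-asm constraint the m68k register width is unaffected, but the return statements lie outside the hunk so that cannot be checked here.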
+@@ -385,11 +386,12 @@ static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+ }
+ #define find_next_zero_bit find_next_zero_bit
+
+-static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
++static inline unsigned long find_first_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -410,8 +412,9 @@ static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
+ }
+ #define find_first_bit find_first_bit
+
+-static inline int find_next_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_bit(const unsigned long *vaddr,
++ unsigned long size,
++ unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
+--
+2.51.0
+
--- /dev/null
+From af76b9c7a3c4a648322a29592a4cb881a019bffd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:37:07 +0200
+Subject: nios2: ensure that memblock.current_limit is set when setting pfn
+ limits
+
+From: Simon Schuster <schuster.simon@siemens-energy.com>
+
+[ Upstream commit a20b83cf45be2057f3d073506779e52c7fa17f94 ]
+
+On nios2, with CONFIG_FLATMEM set, the kernel relies on
+memblock_get_current_limit() to determine the limits of mem_map, in
+particular for max_low_pfn.
+Unfortunately, memblock.current_limit is only default initialized to
+MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading
+to situations where max_low_pfn can erroneously exceed the value of
+max_pfn and, thus, the valid range of available DRAM.
+
+This can in turn cause kernel-level paging failures, e.g.:
+
+[ 76.900000] Unable to handle kernel paging request at virtual address 20303000
+[ 76.900000] ea = c0080890, ra = c000462c, cause = 14
+[ 76.900000] Kernel panic - not syncing: Oops
+[ 76.900000] ---[ end Kernel panic - not syncing: Oops ]---
+
+This patch fixes this by pre-calculating memblock.current_limit
+based on the upper limits of the available memory ranges via
+adjust_lowmem_bounds, a simplified version of the equivalent
+implementation within the arm architecture.
+
+Signed-off-by: Simon Schuster <schuster.simon@siemens-energy.com>
+Signed-off-by: Andreas Oetken <andreas.oetken@siemens-energy.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/nios2/kernel/setup.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/arch/nios2/kernel/setup.c b/arch/nios2/kernel/setup.c
+index 8582ed9658447..5308c76122817 100644
+--- a/arch/nios2/kernel/setup.c
++++ b/arch/nios2/kernel/setup.c
+@@ -147,6 +147,20 @@ static void __init find_limits(unsigned long *min, unsigned long *max_low,
+ *max_high = PFN_DOWN(memblock_end_of_DRAM());
+ }
+
++static void __init adjust_lowmem_bounds(void)
++{
++ phys_addr_t block_start, block_end;
++ u64 i;
++ phys_addr_t memblock_limit = 0;
++
++ for_each_mem_range(i, &block_start, &block_end) {
++ if (block_end > memblock_limit)
++ memblock_limit = block_end;
++ }
++
++ memblock_set_current_limit(memblock_limit);
++}
++
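Review bot: adjust_lowmem_bounds() carries no comment saying why it exists, and its only effect is indirect: find_limits() derives max_low_pfn from memblock_get_current_limit(), so the call order added in the next hunk is load-bearing. A header comment would protect it: `/* Set memblock.current_limit to the top of DRAM so find_limits() does not derive max_low_pfn from the MEMBLOCK_ALLOC_ANYWHERE default; must run before find_limits(). */`. The name copies arm's helper but, unlike arm's, it does not clamp the limit to a lowmem boundary, which is presumably fine for nios2 with FLATMEM and no highmem but is worth stating.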
+ void __init setup_arch(char **cmdline_p)
+ {
+ console_verbose();
+@@ -160,6 +174,7 @@ void __init setup_arch(char **cmdline_p)
+ /* Keep a copy of command line */
+ *cmdline_p = boot_command_line;
+
++ adjust_lowmem_bounds();
+ find_limits(&min_low_pfn, &max_low_pfn, &max_pfn);
+ max_mapnr = max_low_pfn;
+
+--
+2.51.0
+
--- /dev/null
+From 5eecfe4b1809895352aeb3523d0e24d7e36332a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Sep 2025 12:03:49 +0200
+Subject: powerpc/32: Remove PAGE_KERNEL_TEXT to fix startup failure
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 9316512b717f6f25c4649b3fdb0a905b6a318e9f ]
+
+PAGE_KERNEL_TEXT is an old macro that is used to tell kernel whether
+kernel text has to be mapped read-only or read-write based on build
+time options.
+
+But nowadays, with functionalities like jump_labels, static links,
+etc ... more or less all kernels need to be read-write at some
+point, and some combinations of configs failed to work due to
+inaccurate setting of PAGE_KERNEL_TEXT. On the other hand, today
+we have CONFIG_STRICT_KERNEL_RWX which implements a more controlled
+access to kernel modifications.
+
+Instead of trying to keep PAGE_KERNEL_TEXT accurate with all
+possible options that may imply kernel text modification, always
+set kernel text read-write at startup and rely on
+CONFIG_STRICT_KERNEL_RWX to provide accurate protection.
+
+Do this by passing PAGE_KERNEL_X to map_kernel_page() in
+__maping_ram_chunk() instead of passing PAGE_KERNEL_TEXT. Once
+this is done, the only remaining user of PAGE_KERNEL_TEXT is
+mmu_mark_initmem_nx() which uses it in a call to setibat().
+As setibat() ignores the RW/RO, we can seamlessly replace
+PAGE_KERNEL_TEXT by PAGE_KERNEL_X here as well and get rid of
+PAGE_KERNEL_TEXT completely.
+
+Reported-by: Erhard Furtner <erhard_f@mailbox.org>
+Closes: https://lore.kernel.org/all/342b4120-911c-4723-82ec-d8c9b03a8aef@mailbox.org/
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Tested-by: Andrew Donnellan <ajd@linux.ibm.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/8e2d793abf87ae3efb8f6dce10f974ac0eda61b8.1757412205.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/pgtable.h | 12 ------------
+ arch/powerpc/mm/book3s32/mmu.c | 4 ++--
+ arch/powerpc/mm/pgtable_32.c | 2 +-
+ 3 files changed, 3 insertions(+), 15 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/pgtable.h b/arch/powerpc/include/asm/pgtable.h
+index d0ee46de248ea..74502f91ed936 100644
+--- a/arch/powerpc/include/asm/pgtable.h
++++ b/arch/powerpc/include/asm/pgtable.h
+@@ -20,18 +20,6 @@ struct mm_struct;
+ #include <asm/nohash/pgtable.h>
+ #endif /* !CONFIG_PPC_BOOK3S */
+
+-/*
+- * Protection used for kernel text. We want the debuggers to be able to
+- * set breakpoints anywhere, so don't write protect the kernel text
+- * on platforms where such control is possible.
+- */
+-#if defined(CONFIG_KGDB) || defined(CONFIG_XMON) || defined(CONFIG_BDI_SWITCH) || \
+- defined(CONFIG_KPROBES) || defined(CONFIG_DYNAMIC_FTRACE)
+-#define PAGE_KERNEL_TEXT PAGE_KERNEL_X
+-#else
+-#define PAGE_KERNEL_TEXT PAGE_KERNEL_ROX
+-#endif
+-
+ /* Make modules code happy. We don't set RO yet */
+ #define PAGE_KERNEL_EXEC PAGE_KERNEL_X
+
+diff --git a/arch/powerpc/mm/book3s32/mmu.c b/arch/powerpc/mm/book3s32/mmu.c
+index 850783cfa9c73..1b1848761a000 100644
+--- a/arch/powerpc/mm/book3s32/mmu.c
++++ b/arch/powerpc/mm/book3s32/mmu.c
+@@ -204,7 +204,7 @@ void mmu_mark_initmem_nx(void)
+
+ for (i = 0; i < nb - 1 && base < top;) {
+ size = bat_block_size(base, top);
+- setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_TEXT);
++ setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_X);
+ base += size;
+ }
+ if (base < top) {
+@@ -215,7 +215,7 @@ void mmu_mark_initmem_nx(void)
+ pr_warn("Some RW data is getting mapped X. "
+ "Adjust CONFIG_DATA_SHIFT to avoid that.\n");
+ }
+- setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_TEXT);
++ setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_X);
+ base += size;
+ }
+ for (; i < nb; i++)
+diff --git a/arch/powerpc/mm/pgtable_32.c b/arch/powerpc/mm/pgtable_32.c
+index 5c02fd08d61ef..69fac96c2dcd1 100644
+--- a/arch/powerpc/mm/pgtable_32.c
++++ b/arch/powerpc/mm/pgtable_32.c
+@@ -109,7 +109,7 @@ static void __init __mapin_ram_chunk(unsigned long offset, unsigned long top)
+ p = memstart_addr + s;
+ for (; s < top; s += PAGE_SIZE) {
+ ktext = core_kernel_text(v);
+- map_kernel_page(v, p, ktext ? PAGE_KERNEL_TEXT : PAGE_KERNEL);
++ map_kernel_page(v, p, ktext ? PAGE_KERNEL_X : PAGE_KERNEL);
+ v += PAGE_SIZE;
+ p += PAGE_SIZE;
+ }
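Review bot: After this change __mapin_ram_chunk() maps kernel text with PAGE_KERNEL_X, i.e. writable, on every configuration, and the comment explaining the old read-only/writable choice was deleted together with the macro, so a reader no longer sees that write protection is now deferred to CONFIG_STRICT_KERNEL_RWX. A comment on the map_kernel_page() line would record the new contract: `/* text is mapped RW+X here; it is made read-only later only under CONFIG_STRICT_KERNEL_RWX */`. Builds without that option previously could get read-only text through PAGE_KERNEL_ROX and now keep it writable for the whole runtime, which deserves a sentence in the commit message. The function continues outside the hunk.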
+--
+2.51.0
+
--- /dev/null
+exec-fix-incorrect-type-for-ret.patch
+nios2-ensure-that-memblock.current_limit-is-set-when.patch
+hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
+hfs-make-proper-initalization-of-struct-hfs_find_dat.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch
+hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch
+dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch
+hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch
+hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
+lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch
+m68k-bitops-fix-find_-_bit-signatures.patch
+powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch
+drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch
+smb-server-let-smb_direct_flush_send_list-invalidate.patch
+unbreak-make-tools-for-user-space-targets.patch
--- /dev/null
+From 51e8e248c1308c1673b1465b20876de64ec1d44b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Sep 2025 22:22:35 +0200
+Subject: smb: server: let smb_direct_flush_send_list() invalidate a remote key
+ first
+
+From: Stefan Metzmacher <metze@samba.org>
+
+[ Upstream commit 1b53426334c3c942db47e0959a2527a4f815af50 ]
+
+If we want to invalidate a remote key we should do that as soon as
+possible, so do it in the first send work request.
+
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Cc: Steve French <smfrench@gmail.com>
+Cc: Tom Talpey <tom@talpey.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: samba-technical@lists.samba.org
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/transport_rdma.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c
+index 31c1ac256e1be..91e85a1a154fd 100644
+--- a/fs/smb/server/transport_rdma.c
++++ b/fs/smb/server/transport_rdma.c
+@@ -938,12 +938,15 @@ static int smb_direct_flush_send_list(struct smb_direct_transport *t,
+ struct smb_direct_sendmsg,
+ list);
+
++ if (send_ctx->need_invalidate_rkey) {
++ first->wr.opcode = IB_WR_SEND_WITH_INV;
++ first->wr.ex.invalidate_rkey = send_ctx->remote_key;
++ send_ctx->need_invalidate_rkey = false;
++ send_ctx->remote_key = 0;
++ }
++
+ last->wr.send_flags = IB_SEND_SIGNALED;
+ last->wr.wr_cqe = &last->cqe;
+- if (is_last && send_ctx->need_invalidate_rkey) {
+- last->wr.opcode = IB_WR_SEND_WITH_INV;
+- last->wr.ex.invalidate_rkey = send_ctx->remote_key;
+- }
+
+ ret = smb_direct_post_send(t, &first->wr);
+ if (!ret) {
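Review bot: The invalidate is set up on `first` before smb_direct_post_send() runs, but `need_invalidate_rkey` and `remote_key` are cleared at the same time, so if the post fails the caller can no longer learn that the invalidation never went out and cannot retry it. Deferring the two clearing assignments until the `if (!ret)` branch, or restoring `first->wr.opcode` on failure, would keep the context consistent with what was actually posted. `is_last` is no longer consulted in this part of the function; if it has no other use (the body continues outside the hunk) the parameter could be dropped.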
+--
+2.51.0
+
--- /dev/null
+From 61b79a073d706c05876699604548efc05200180f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Sep 2025 12:24:20 -0700
+Subject: Unbreak 'make tools/*' for user-space targets
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit ee916dccd4df6e2fd19c3606c4735282b72f1473 ]
+
+This pattern isn't very documented, and apparently not used much outside
+of 'make tools/help', but it has existed for over a decade (since commit
+ea01fa9f63ae: "tools: Connect to the kernel build system").
+
+However, it doesn't work very well for most cases, particularly the
+useful "tools/all" target, because it overrides the LDFLAGS value with
+an empty one.
+
+And once overridden, 'make' will then not honor the tooling makefiles
+trying to change it - which then makes any LDFLAGS use in the tooling
+directory break, typically causing odd link errors.
+
+Remove that LDFLAGS override, since it seems to be entirely historical.
+The core kernel makefiles no longer modify LDFLAGS as part of the build,
+and use kernel-specific link flags instead (eg 'KBUILD_LDFLAGS' and
+friends).
+
+This allows more of the 'make tools/*' cases to work. I say 'more',
+because some of the tooling build rules make various other assumptions
+or have other issues, so it's still a bit hit-or-miss. But those issues
+tend to show up with the 'make -C tools xyz' pattern too, so now it's no
+longer an issue of this particular 'tools/*' build rule being special.
+
+Acked-by: Nathan Chancellor <nathan@kernel.org>
+Cc: Nicolas Schier <nicolas@fjasle.eu>
+Cc: Borislav Petkov <bp@alien8.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index ad3952fb542d3..de7b2f9a50338 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1358,11 +1358,11 @@ endif
+
+ tools/: FORCE
+ $(Q)mkdir -p $(objtree)/tools
+- $(Q)$(MAKE) LDFLAGS= O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/
++ $(Q)$(MAKE) O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/
+
+ tools/%: FORCE
+ $(Q)mkdir -p $(objtree)/tools
+- $(Q)$(MAKE) LDFLAGS= O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ $*
++ $(Q)$(MAKE) O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ $*
+
+ # ---------------------------------------------------------------------------
+ # Kernel selftest
+--
+2.51.0
+