5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 21 Mar 2026 15:52:36 +0000 (16:52 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 21 Mar 2026 15:52:36 +0000 (16:52 +0100)
added patches:
alsa-pcm-fix-use-after-free-on-linked-stream-runtime-in-snd_pcm_drain.patch
alsa-pcm-fix-wait_time-calculations.patch
arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch
btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch
btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch
can-gs_usb-gs_can_open-always-configure-bitrates-before-starting-device.patch
crypto-atmel-sha204a-fix-oom-tfm_count-leak.patch
drm-msm-fix-dma_free_attrs-buffer-size.patch
iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch
iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch
iomap-reject-delalloc-mappings-during-writeback.patch
kvm-svm-initialize-avic-vmcb-fields-if-avic-is-enabled-with-in-kernel-apic.patch
mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch
mtd-partitions-redboot-fix-style-issues.patch
net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch
nfsd-define-exports_proc_ops-with-config_proc_fs.patch
nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch
nfsd-hold-net-reference-for-the-lifetime-of-proc-fs-nfs-exports-fd.patch
pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch
pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch
s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch
s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch
smb-client-compare-macs-in-constant-time.patch
smb-client-fix-atomic-open-with-o_direct-o_sync.patch
smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch
staging-rtl8723bs-fix-null-dereference-in-find_network.patch
tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch
usb-gadget-f_tcm-fix-null-pointer-dereferences-in-nexus-handling.patch
usb-roles-get-usb-role-switch-from-parent-only-for-usb-b-connector.patch
xfs-ensure-dquot-item-is-deleted-from-ail-only-after-log-shutdown.patch
xfs-fix-integer-overflow-in-bmap-intent-sort-comparator.patch

32 files changed:
queue-5.10/alsa-pcm-fix-use-after-free-on-linked-stream-runtime-in-snd_pcm_drain.patch [new file with mode: 0644]
queue-5.10/alsa-pcm-fix-wait_time-calculations.patch [new file with mode: 0644]
queue-5.10/arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch [new file with mode: 0644]
queue-5.10/btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch [new file with mode: 0644]
queue-5.10/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch [new file with mode: 0644]
queue-5.10/can-gs_usb-gs_can_open-always-configure-bitrates-before-starting-device.patch [new file with mode: 0644]
queue-5.10/crypto-atmel-sha204a-fix-oom-tfm_count-leak.patch [new file with mode: 0644]
queue-5.10/drm-msm-fix-dma_free_attrs-buffer-size.patch [new file with mode: 0644]
queue-5.10/iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch [new file with mode: 0644]
queue-5.10/iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch [new file with mode: 0644]
queue-5.10/iomap-reject-delalloc-mappings-during-writeback.patch [new file with mode: 0644]
queue-5.10/kvm-svm-initialize-avic-vmcb-fields-if-avic-is-enabled-with-in-kernel-apic.patch [new file with mode: 0644]
queue-5.10/mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch [new file with mode: 0644]
queue-5.10/mtd-partitions-redboot-fix-style-issues.patch [new file with mode: 0644]
queue-5.10/net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch [new file with mode: 0644]
queue-5.10/nfsd-define-exports_proc_ops-with-config_proc_fs.patch [new file with mode: 0644]
queue-5.10/nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch [new file with mode: 0644]
queue-5.10/nfsd-hold-net-reference-for-the-lifetime-of-proc-fs-nfs-exports-fd.patch [new file with mode: 0644]
queue-5.10/pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch [new file with mode: 0644]
queue-5.10/pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch [new file with mode: 0644]
queue-5.10/s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch [new file with mode: 0644]
queue-5.10/s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/smb-client-compare-macs-in-constant-time.patch [new file with mode: 0644]
queue-5.10/smb-client-fix-atomic-open-with-o_direct-o_sync.patch [new file with mode: 0644]
queue-5.10/smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch [new file with mode: 0644]
queue-5.10/staging-rtl8723bs-fix-null-dereference-in-find_network.patch [new file with mode: 0644]
queue-5.10/tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch [new file with mode: 0644]
queue-5.10/usb-gadget-f_tcm-fix-null-pointer-dereferences-in-nexus-handling.patch [new file with mode: 0644]
queue-5.10/usb-roles-get-usb-role-switch-from-parent-only-for-usb-b-connector.patch [new file with mode: 0644]
queue-5.10/xfs-ensure-dquot-item-is-deleted-from-ail-only-after-log-shutdown.patch [new file with mode: 0644]
queue-5.10/xfs-fix-integer-overflow-in-bmap-intent-sort-comparator.patch [new file with mode: 0644]

diff --git a/queue-5.10/alsa-pcm-fix-use-after-free-on-linked-stream-runtime-in-snd_pcm_drain.patch b/queue-5.10/alsa-pcm-fix-use-after-free-on-linked-stream-runtime-in-snd_pcm_drain.patch
new file mode 100644 (file)
index 0000000..b2c58fb
--- /dev/null
@@ -0,0 +1,82 @@
+From stable+bounces-225626-greg=kroah.com@vger.kernel.org Mon Mar 16 18:06:19 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 13:00:45 -0400
+Subject: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
+To: stable@vger.kernel.org
+Cc: Mehul Rao <mehulrao@gmail.com>, Takashi Iwai <tiwai@suse.de>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260316170045.993103-2-sashal@kernel.org>
+
+From: Mehul Rao <mehulrao@gmail.com>
+
+[ Upstream commit 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6 ]
+
+In the drain loop, the local variable 'runtime' is reassigned to a
+linked stream's runtime (runtime = s->runtime at line 2157).  After
+releasing the stream lock at line 2169, the code accesses
+runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size
+(lines 2170-2178) — all referencing the linked stream's runtime without
+any lock or refcount protecting its lifetime.
+
+A concurrent close() on the linked stream's fd triggers
+snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private()
+→ snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime).
+No synchronization prevents kfree(runtime) from completing while the
+drain path dereferences the stale pointer.
+
+Fix by caching the needed runtime fields (no_period_wakeup, rate,
+buffer_size) into local variables while still holding the stream lock,
+and using the cached values after the lock is released.
+
+Fixes: f2b3614cefb6 ("ALSA: PCM - Don't check DMA time-out too shortly")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mehul Rao <mehulrao@gmail.com>
+Link: https://patch.msgid.link/20260305193508.311096-1-mehulrao@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/pcm_native.c |   19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -2129,6 +2129,10 @@ static int snd_pcm_drain(struct snd_pcm_
+       for (;;) {
+               long tout;
+               struct snd_pcm_runtime *to_check;
++              unsigned int drain_rate;
++              snd_pcm_uframes_t drain_bufsz;
++              bool drain_no_period_wakeup;
++
+               if (signal_pending(current)) {
+                       result = -ERESTARTSYS;
+                       break;
+@@ -2148,16 +2152,25 @@ static int snd_pcm_drain(struct snd_pcm_
+               snd_pcm_group_unref(group, substream);
+               if (!to_check)
+                       break; /* all drained */
++              /*
++               * Cache the runtime fields needed after unlock.
++               * A concurrent close() on the linked stream may free
++               * its runtime via snd_pcm_detach_substream() once we
++               * release the stream lock below.
++               */
++              drain_no_period_wakeup = to_check->no_period_wakeup;
++              drain_rate = to_check->rate;
++              drain_bufsz = to_check->buffer_size;
+               init_waitqueue_entry(&wait, current);
+               set_current_state(TASK_INTERRUPTIBLE);
+               add_wait_queue(&to_check->sleep, &wait);
+               snd_pcm_stream_unlock_irq(substream);
+-              if (runtime->no_period_wakeup)
++              if (drain_no_period_wakeup)
+                       tout = MAX_SCHEDULE_TIMEOUT;
+               else {
+                       tout = 100;
+-                      if (runtime->rate) {
+-                              long t = runtime->buffer_size * 1100 / runtime->rate;
++                      if (drain_rate) {
++                              long t = drain_bufsz * 1100 / drain_rate;
+                               tout = max(t, tout);
+                       }
+                       tout = msecs_to_jiffies(tout);
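Review bot: The wait entry is still registered on `to_check->sleep` by the `add_wait_queue()` call immediately before `snd_pcm_stream_unlock_irq()`, and that wait-queue head is embedded in the very runtime the new comment says a concurrent close() may free once the lock is dropped, so caching three scalar fields does not by itself cover every post-unlock use of the linked runtime. The matching `remove_wait_queue()` runs after the lock is re-taken, outside this hunk, and its safety rests on the same lifetime argument; note that `snd_pcm_group_unref()` has already been called a few lines earlier, so the group reference is not what keeps it alive. If some other mechanism guarantees the linked runtime outlives the waiter, the new comment should name it, e.g. append `The wait-queue head in that runtime remains valid until we re-lock and remove the waiter because <mechanism>.`; if nothing does, the backport is incomplete and worth confirming before acceptance. snd_pcm_drain()'s body starts and ends outside the hunk.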
diff --git a/queue-5.10/alsa-pcm-fix-wait_time-calculations.patch b/queue-5.10/alsa-pcm-fix-wait_time-calculations.patch
new file mode 100644 (file)
index 0000000..79eb4d9
--- /dev/null
@@ -0,0 +1,105 @@
+From stable+bounces-225625-greg=kroah.com@vger.kernel.org Mon Mar 16 18:06:12 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 13:00:44 -0400
+Subject: ALSA: pcm: fix wait_time calculations
+To: stable@vger.kernel.org
+Cc: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>, Takashi Iwai <tiwai@suse.de>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260316170045.993103-1-sashal@kernel.org>
+
+From: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
+
+[ Upstream commit 3ed2b549b39f57239aad50a255ece353997183fd ]
+
+... in wait_for_avail() and snd_pcm_drain().
+
+t was calculated in seconds, so it would be pretty much always zero, to
+be subsequently de-facto ignored due to being max(t, 10)'d. And then it
+(i.e., 10) would be treated as secs, which doesn't seem right.
+
+However, fixing it to properly calculate msecs would potentially cause
+timeouts when using twice the period size for the default timeout (which
+seems reasonable to me), so instead use the buffer size plus 10 percent
+to be on the safe side ... but that still seems insufficient, presumably
+because the hardware typically needs a moment to fire up. To compensate
+for this, we up the minimal timeout to 100ms, which is still two orders
+of magnitude less than the bogus minimum.
+
+substream->wait_time was also misinterpreted as jiffies, despite being
+documented as being in msecs. Only the soc/sof driver sets it - to 500,
+which looks very much like msecs were intended.
+
+Speaking of which, shouldn't snd_pcm_drain() also use substream->
+wait_time?
+
+As a drive-by, make the debug messages on timeout less confusing.
+
+Signed-off-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
+Link: https://lore.kernel.org/r/20230405201219.2197774-1-oswald.buddenhagen@gmx.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Stable-dep-of: 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/pcm_lib.c    |   11 +++++------
+ sound/core/pcm_native.c |    8 ++++----
+ 2 files changed, 9 insertions(+), 10 deletions(-)
+
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -1843,15 +1843,14 @@ static int wait_for_avail(struct snd_pcm
+               if (substream->wait_time) {
+                       wait_time = substream->wait_time;
+               } else {
+-                      wait_time = 10;
++                      wait_time = 100;
+                       if (runtime->rate) {
+-                              long t = runtime->period_size * 2 /
+-                                       runtime->rate;
++                              long t = runtime->buffer_size * 1100 / runtime->rate;
+                               wait_time = max(t, wait_time);
+                       }
+-                      wait_time = msecs_to_jiffies(wait_time * 1000);
+               }
++              wait_time = msecs_to_jiffies(wait_time);
+       }
+       for (;;) {
+@@ -1899,8 +1898,8 @@ static int wait_for_avail(struct snd_pcm
+               }
+               if (!tout) {
+                       pcm_dbg(substream->pcm,
+-                              "%s write error (DMA or IRQ trouble?)\n",
+-                              is_playback ? "playback" : "capture");
++                              "%s timeout (DMA or IRQ trouble?)\n",
++                              is_playback ? "playback write" : "capture read");
+                       err = -EIO;
+                       break;
+               }
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -2155,12 +2155,12 @@ static int snd_pcm_drain(struct snd_pcm_
+               if (runtime->no_period_wakeup)
+                       tout = MAX_SCHEDULE_TIMEOUT;
+               else {
+-                      tout = 10;
++                      tout = 100;
+                       if (runtime->rate) {
+-                              long t = runtime->period_size * 2 / runtime->rate;
++                              long t = runtime->buffer_size * 1100 / runtime->rate;
+                               tout = max(t, tout);
+                       }
+-                      tout = msecs_to_jiffies(tout * 1000);
++                      tout = msecs_to_jiffies(tout);
+               }
+               tout = schedule_timeout(tout);
+@@ -2183,7 +2183,7 @@ static int snd_pcm_drain(struct snd_pcm_
+                               result = -ESTRPIPE;
+                       else {
+                               dev_dbg(substream->pcm->card->dev,
+-                                      "playback drain error (DMA or IRQ trouble?)\n");
++                                      "playback drain timeout (DMA or IRQ trouble?)\n");
+                               snd_pcm_stop(substream, SNDRV_PCM_STATE_SETUP);
+                               result = -EIO;
+                       }
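Review bot: The new minimum `100` and the `* 1100` scale factor appear as bare literals in both wait_for_avail() (pcm_lib.c) and snd_pcm_drain() (pcm_native.c), and the reasoning behind them — buffer duration plus ten percent, floored at 100 ms because the hardware needs a moment to start — exists only in the commit message. A one-line comment above each `wait_time = 100;` / `tout = 100;`, such as `/* buffer duration + 10%, at least 100 ms: hardware needs time to start */`, would keep that rationale with the code, which matters here because the same formula is duplicated in two files and the follow-up use-after-free fix in this queue rewrites one of the copies. Both enclosing functions start and end outside these hunks.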
diff --git a/queue-5.10/arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch b/queue-5.10/arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch
new file mode 100644 (file)
index 0000000..df9c110
--- /dev/null
@@ -0,0 +1,68 @@
+From stable+bounces-227066-greg=kroah.com@vger.kernel.org Wed Mar 18 14:17:26 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 09:14:21 -0400
+Subject: arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation
+To: stable@vger.kernel.org
+Cc: Catalin Marinas <catalin.marinas@arm.com>, Jianpeng Chang <jianpeng.chang.cn@windriver.com>, Will Deacon <will@kernel.org>, "Huang, Ying" <ying.huang@linux.alibaba.com>, Guenter Roeck <linux@roeck-us.net>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260318131421.723675-1-sashal@kernel.org>
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+[ Upstream commit c25c4aa3f79a488cc270507935a29c07dc6bddfc ]
+
+Commit 143937ca51cc ("arm64, mm: avoid always making PTE dirty in
+pte_mkwrite()") changed pte_mkwrite_novma() to only clear PTE_RDONLY
+when PTE_DIRTY is set. This was to allow writable-clean PTEs for swap
+pages that haven't actually been written.
+
+However, this broke kexec and hibernation for some platforms. Both go
+through trans_pgd_create_copy() -> _copy_pte(), which calls
+pte_mkwrite_novma() to make the temporary linear-map copy fully
+writable. With the updated pte_mkwrite_novma(), read-only kernel pages
+(without PTE_DIRTY) remain read-only in the temporary mapping.
+While such behaviour is fine for user pages where hardware DBM or
+trapping will make them writeable, subsequent in-kernel writes by the
+kexec relocation code will fault.
+
+Add PTE_DIRTY back to all _PAGE_KERNEL* protection definitions. This was
+the case prior to 5.4, commit aa57157be69f ("arm64: Ensure
+VM_WRITE|VM_SHARED ptes are clean by default"). With the kernel
+linear-map PTEs always having PTE_DIRTY set, pte_mkwrite_novma()
+correctly clears PTE_RDONLY.
+
+Fixes: 143937ca51cc ("arm64, mm: avoid always making PTE dirty in pte_mkwrite()")
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: stable@vger.kernel.org
+Reported-by: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
+Link: https://lore.kernel.org/r/20251204062722.3367201-1-jianpeng.chang.cn@windriver.com
+Cc: Will Deacon <will@kernel.org>
+Cc: Huang, Ying <ying.huang@linux.alibaba.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Huang Ying <ying.huang@linux.alibaba.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+[ added PTE_DIRTY to PAGE_KERNEL* macros directly instead of _PAGE_KERNEL*  ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/pgtable-prot.h |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/include/asm/pgtable-prot.h
++++ b/arch/arm64/include/asm/pgtable-prot.h
+@@ -65,11 +65,11 @@ extern bool arm64_use_ng_mappings;
+ #define _PAGE_DEFAULT         (_PROT_DEFAULT | PTE_ATTRINDX(MT_NORMAL))
+-#define PAGE_KERNEL           __pgprot(PROT_NORMAL)
+-#define PAGE_KERNEL_RO                __pgprot((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY)
+-#define PAGE_KERNEL_ROX               __pgprot((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY)
+-#define PAGE_KERNEL_EXEC      __pgprot(PROT_NORMAL & ~PTE_PXN)
+-#define PAGE_KERNEL_EXEC_CONT __pgprot((PROT_NORMAL & ~PTE_PXN) | PTE_CONT)
++#define PAGE_KERNEL           __pgprot(PROT_NORMAL | PTE_DIRTY)
++#define PAGE_KERNEL_RO                __pgprot((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY | PTE_DIRTY)
++#define PAGE_KERNEL_ROX               __pgprot((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY | PTE_DIRTY)
++#define PAGE_KERNEL_EXEC      __pgprot((PROT_NORMAL & ~PTE_PXN) | PTE_DIRTY)
++#define PAGE_KERNEL_EXEC_CONT __pgprot((PROT_NORMAL & ~PTE_PXN) | PTE_CONT | PTE_DIRTY)
+ #define PAGE_S2_MEMATTR(attr)                                         \
+       ({                                                              \
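Review bot: The five PAGE_KERNEL* definitions now carry PTE_DIRTY with no comment explaining why a kernel mapping is deliberately marked dirty, and the reason — pte_mkwrite_novma() only clears PTE_RDONLY when PTE_DIRTY is set, which trans_pgd's _copy_pte() relies on for kexec and hibernation — lives only in the commit message. A short comment above `#define PAGE_KERNEL`, e.g. `/* PTE_DIRTY so pte_mkwrite_novma() clears PTE_RDONLY for the kexec/hibernate trans_pgd copy */`, would stop a future cleanup from dropping the bit again, as the description says aa57157be69f once did. The backport note says the bit was added to the PAGE_KERNEL* macros rather than to _PAGE_KERNEL* as upstream did, so any other kernel-mapping protection in this header that is derived from a PROT_NORMAL variant but is not in this hunk would not inherit it; worth confirming none of those is used for pages the kexec relocation code writes through the temporary map.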
diff --git a/queue-5.10/btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch b/queue-5.10/btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch
new file mode 100644 (file)
index 0000000..a047367
--- /dev/null
@@ -0,0 +1,146 @@
+From stable+bounces-227402-greg=kroah.com@vger.kernel.org Fri Mar 20 01:17:13 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 20:17:04 -0400
+Subject: btrfs: fix transaction abort on set received ioctl due to item overflow
+To: stable@vger.kernel.org
+Cc: Filipe Manana <fdmanana@suse.com>, Anand Jain <asj@kernel.org>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260320001704.3248188-1-sashal@kernel.org>
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 87f2c46003fce4d739138aab4af1942b1afdadac ]
+
+If the set received ioctl fails due to an item overflow when attempting to
+add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction
+since we did some metadata updates before.
+
+This means that if a user calls this ioctl with the same received UUID
+field for a lot of subvolumes, we will hit the overflow, trigger the
+transaction abort and turn the filesystem into RO mode. A malicious user
+could exploit this, and this ioctl does not even requires that a user
+has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.
+
+Fix this by doing an early check for item overflow before starting a
+transaction. This is also race safe because we are holding the subvol_sem
+semaphore in exclusive (write) mode.
+
+A test case for fstests will follow soon.
+
+Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
+CC: stable@vger.kernel.org # 3.12+
+Reviewed-by: Anand Jain <asj@kernel.org>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ A whole bunch of small things :) ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ctree.h     |    2 ++
+ fs/btrfs/ioctl.c     |   21 +++++++++++++++++++--
+ fs/btrfs/uuid-tree.c |   46 ++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 67 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -2869,6 +2869,8 @@ int btrfs_uuid_tree_add(struct btrfs_tra
+                       u64 subid);
+ int btrfs_uuid_tree_remove(struct btrfs_trans_handle *trans, u8 *uuid, u8 type,
+                       u64 subid);
++int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
++                                 u8 *uuid, u8 type);
+ int btrfs_uuid_tree_iterate(struct btrfs_fs_info *fs_info);
+ /* dir-item.c */
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -4486,6 +4486,25 @@ static long _btrfs_ioctl_set_received_su
+               goto out;
+       }
++      received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
++                                     BTRFS_UUID_SIZE);
++
++      /*
++       * Before we attempt to add the new received uuid, check if we have room
++       * for it in case there's already an item. If the size of the existing
++       * item plus this root's ID (u64) exceeds the maximum item size, we can
++       * return here without the need to abort a transaction. If we don't do
++       * this check, the btrfs_uuid_tree_add() call below would fail with
++       * -EOVERFLOW and result in a transaction abort. Malicious users could
++       * exploit this to turn the fs into RO mode.
++       */
++      if (received_uuid_changed && !btrfs_is_empty_uuid(sa->uuid)) {
++              ret = btrfs_uuid_tree_check_overflow(fs_info, sa->uuid,
++                                                   BTRFS_UUID_KEY_RECEIVED_SUBVOL);
++              if (ret < 0)
++                      goto out;
++      }
++
+       /*
+        * 1 - root item
+        * 2 - uuid items (received uuid + subvol uuid)
+@@ -4501,8 +4520,6 @@ static long _btrfs_ioctl_set_received_su
+       sa->rtime.sec = ct.tv_sec;
+       sa->rtime.nsec = ct.tv_nsec;
+-      received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
+-                                     BTRFS_UUID_SIZE);
+       if (received_uuid_changed &&
+           !btrfs_is_empty_uuid(root_item->received_uuid)) {
+               ret = btrfs_uuid_tree_remove(trans, root_item->received_uuid,
+--- a/fs/btrfs/uuid-tree.c
++++ b/fs/btrfs/uuid-tree.c
+@@ -226,6 +226,52 @@ out:
+       return ret;
+ }
++/*
++ * Check if we can add one root ID to a UUID key.
++ * If the key does not yet exists, we can, otherwise only if extended item does
++ * not exceeds the maximum item size permitted by the leaf size.
++ *
++ * Returns 0 on success, negative value on error.
++ */
++int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
++                                 u8 *uuid, u8 type)
++{
++      struct btrfs_path *path = NULL;
++      int ret;
++      u32 item_size;
++      struct btrfs_key key;
++
++      if (WARN_ON_ONCE(!fs_info->uuid_root)) {
++              ret = -EINVAL;
++              goto out;
++      }
++
++      path = btrfs_alloc_path();
++      if (!path) {
++              ret = -ENOMEM;
++              goto out;
++      }
++
++      btrfs_uuid_to_key(uuid, type, &key);
++      ret = btrfs_search_slot(NULL, fs_info->uuid_root, &key, path, 0, 0);
++      if (ret < 0)
++              goto out;
++      if (ret > 0) {
++              ret = 0;
++              goto out;
++      }
++
++      item_size = btrfs_item_size(path->nodes[0], path->slots[0]);
++
++      if (sizeof(struct btrfs_item) + item_size + sizeof(u64) >
++          BTRFS_LEAF_DATA_SIZE(fs_info))
++              ret = -EOVERFLOW;
++
++out:
++      btrfs_free_path(path);
++      return ret;
++}
++
+ static int btrfs_uuid_iter_rem(struct btrfs_root *uuid_root, u8 *uuid, u8 type,
+                              u64 subid)
+ {
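Review bot: btrfs_uuid_tree_check_overflow() is a check-then-act against the uuid tree — it searches with no transaction and the later btrfs_uuid_tree_add() relies on the answer still holding — yet neither the function nor its header comment states what serializes the two steps. The commit message says the caller holds subvol_sem in exclusive mode, so that contract belongs in the header comment, e.g. `Callers must hold fs_info->subvol_sem for writing; without it a concurrent addition to the same key can still overflow in btrfs_uuid_tree_add().`, otherwise a future caller without the semaphore reintroduces the transaction abort this patch is removing. As a point of style, `u8 *uuid` is only read here and could be `const u8 *uuid` in both the prototype and the definition, which also documents that `sa->uuid` (copied from the ioctl argument) is not modified. The ioctl.c hunk sits inside _btrfs_ioctl_set_received_subvol(), whose body starts and ends outside the hunk.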
diff --git a/queue-5.10/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch b/queue-5.10/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch
new file mode 100644 (file)
index 0000000..e6f15de
--- /dev/null
@@ -0,0 +1,174 @@
+From stable+bounces-227367-greg=kroah.com@vger.kernel.org Thu Mar 19 19:38:35 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 14:34:41 -0400
+Subject: btrfs: fix transaction abort when snapshotting received subvolumes
+To: stable@vger.kernel.org
+Cc: Filipe Manana <fdmanana@suse.com>, Boris Burkov <boris@bur.io>, Qu Wenruo <wqu@suse.com>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319183441.2928953-1-sashal@kernel.org>
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit e1b18b959025e6b5dbad668f391f65d34b39595a ]
+
+Currently a user can trigger a transaction abort by snapshotting a
+previously received snapshot a bunch of times until we reach a
+BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we
+can store in a leaf). This is very likely not common in practice, but
+if it happens, it turns the filesystem into RO mode. The snapshot, send
+and set_received_subvol and subvol_setflags (used by receive) don't
+require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user
+could use this to turn a filesystem into RO mode and disrupt a system.
+
+Reproducer script:
+
+  $ cat test.sh
+  #!/bin/bash
+
+  DEV=/dev/sdi
+  MNT=/mnt/sdi
+
+  # Use smallest node size to make the test faster.
+  mkfs.btrfs -f --nodesize 4K $DEV
+  mount $DEV $MNT
+
+  # Create a subvolume and set it to RO so that it can be used for send.
+  btrfs subvolume create $MNT/sv
+  touch $MNT/sv/foo
+  btrfs property set $MNT/sv ro true
+
+  # Send and receive the subvolume into snaps/sv.
+  mkdir $MNT/snaps
+  btrfs send $MNT/sv | btrfs receive $MNT/snaps
+
+  # Now snapshot the received subvolume, which has a received_uuid, a
+  # lot of times to trigger the leaf overflow.
+  total=500
+  for ((i = 1; i <= $total; i++)); do
+      echo -ne "\rCreating snapshot $i/$total"
+      btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null
+  done
+  echo
+
+  umount $MNT
+
+When running the test:
+
+  $ ./test.sh
+  (...)
+  Create subvolume '/mnt/sdi/sv'
+  At subvol /mnt/sdi/sv
+  At subvol sv
+  Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type
+  Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system
+  Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system
+  Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system
+  Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system
+
+And in dmesg/syslog:
+
+  $ dmesg
+  (...)
+  [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!
+  [251067.629212] ------------[ cut here ]------------
+  [251067.630033] BTRFS: Transaction aborted (error -75)
+  [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235
+  [251067.632851] Modules linked in: btrfs dm_zero (...)
+  [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G        W           6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
+  [251067.646165] Tainted: [W]=WARN
+  [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
+  [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]
+  [251067.649984] Code: f0 48 0f (...)
+  [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292
+  [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3
+  [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750
+  [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820
+  [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0
+  [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5
+  [251067.659019] FS:  00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000
+  [251067.660115] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0
+  [251067.661972] Call Trace:
+  [251067.662292]  <TASK>
+  [251067.662653]  create_pending_snapshots+0x97/0xc0 [btrfs]
+  [251067.663413]  btrfs_commit_transaction+0x26e/0xc00 [btrfs]
+  [251067.664257]  ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]
+  [251067.665238]  ? _raw_spin_unlock+0x15/0x30
+  [251067.665837]  ? record_root_in_trans+0xa2/0xd0 [btrfs]
+  [251067.666531]  btrfs_mksubvol+0x330/0x580 [btrfs]
+  [251067.667145]  btrfs_mksnapshot+0x74/0xa0 [btrfs]
+  [251067.667827]  __btrfs_ioctl_snap_create+0x194/0x1d0 [btrfs]
+  [251067.668595]  btrfs_ioctl_snap_create_v2+0x107/0x130 [btrfs]
+  [251067.669479]  btrfs_ioctl+0x1580/0x2690 [btrfs]
+  [251067.670093]  ? count_memcg_events+0x6d/0x180
+  [251067.670849]  ? handle_mm_fault+0x1a0/0x2a0
+  [251067.671652]  __x64_sys_ioctl+0x92/0xe0
+  [251067.672406]  do_syscall_64+0x50/0xf20
+  [251067.673129]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
+  [251067.674096] RIP: 0033:0x7f2a495648db
+  [251067.674812] Code: 00 48 89 (...)
+  [251067.678227] RSP: 002b:00007ffc5aa57840 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+  [251067.679691] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2a495648db
+  [251067.681145] RDX: 00007ffc5aa588b0 RSI: 0000000050009417 RDI: 0000000000000004
+  [251067.682511] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+  [251067.683842] R10: 000000000000000a R11: 0000000000000246 R12: 00007ffc5aa59910
+  [251067.685176] R13: 00007ffc5aa588b0 R14: 0000000000000004 R15: 0000000000000006
+  [251067.686524]  </TASK>
+  [251067.686972] ---[ end trace 0000000000000000 ]---
+  [251067.687890] BTRFS: error (device sdi state A) in create_pending_snapshot:1907: errno=-75 unknown
+  [251067.689049] BTRFS info (device sdi state EA): forced readonly
+  [251067.689054] BTRFS warning (device sdi state EA): Skipping commit of aborted transaction.
+  [251067.690119] BTRFS: error (device sdi state EA) in cleanup_transaction:2043: errno=-75 unknown
+  [251067.702028] BTRFS info (device sdi state EA): last unmount of filesystem 46dc3975-30a2-4a69-a18f-418b859cccda
+
+Fix this by ignoring -EOVERFLOW errors from btrfs_uuid_tree_add() in the
+snapshot creation code when attempting to add the
+BTRFS_UUID_KEY_RECEIVED_SUBVOL item. This is OK because it's not critical
+and we are still able to delete the snapshot, as snapshot/subvolume
+deletion ignores if a BTRFS_UUID_KEY_RECEIVED_SUBVOL is missing (see
+inode.c:btrfs_delete_subvolume()). As for send/receive, we can still do
+send/receive operations since it always peeks the first root ID in the
+existing BTRFS_UUID_KEY_RECEIVED_SUBVOL (it could peek any since all
+snapshots have the same content), and even if the key is missing, it
+falls back to searching by BTRFS_UUID_KEY_SUBVOL key.
+
+A test case for fstests will be sent soon.
+
+Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
+CC: stable@vger.kernel.org # 3.12+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ adapted error check condition to omit unlikely() wrapper ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/transaction.c |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -1748,6 +1748,22 @@ static noinline int create_pending_snaps
+               ret = btrfs_uuid_tree_add(trans, new_root_item->received_uuid,
+                                         BTRFS_UUID_KEY_RECEIVED_SUBVOL,
+                                         objectid);
++              /*
++               * We are creating of lot of snapshots of the same root that was
++               * received (has a received UUID) and reached a leaf's limit for
++               * an item. We can safely ignore this and avoid a transaction
++               * abort. A deletion of this snapshot will still work since we
++               * ignore if an item with a BTRFS_UUID_KEY_RECEIVED_SUBVOL key
++               * is missing (see btrfs_delete_subvolume()). Send/receive will
++               * work too since it peeks the first root id from the existing
++               * item (it could peek any), and in case it's missing it
++               * falls back to search by BTRFS_UUID_KEY_SUBVOL keys.
++               * Creation of a snapshot does not require CAP_SYS_ADMIN, so
++               * we don't want users triggering transaction aborts, either
++               * intentionally or not.
++               */
++              if (ret == -EOVERFLOW)
++                      ret = 0;
+               if (ret && ret != -EEXIST) {
+                       btrfs_abort_transaction(trans, ret);
+                       goto fail;
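Review bot: Mapping `-EOVERFLOW` to 0 keeps the transaction alive, but the `insert uuid item failed -75` warning quoted in the description is printed before control returns to this site (it appears to come from btrfs_uuid_tree_add(), which this patch does not touch), so an unprivileged user snapshotting a received subvolume can still emit one kernel-log warning per snapshot once the item is full. It may be worth rate limiting that warning or having the callee treat -EOVERFLOW for BTRFS_UUID_KEY_RECEIVED_SUBVOL as an expected, non-warning outcome; this is inferred, as the callee is outside the hunk. The new comment could also state the observable consequence for operators, e.g. `The snapshot is created without a received-uuid item; lookups by received UUID fall back to the BTRFS_UUID_KEY_SUBVOL key.`, so the missing item is not later mistaken for corruption. create_pending_snapshot() starts and ends outside the hunk.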
diff --git a/queue-5.10/can-gs_usb-gs_can_open-always-configure-bitrates-before-starting-device.patch b/queue-5.10/can-gs_usb-gs_can_open-always-configure-bitrates-before-starting-device.patch
new file mode 100644 (file)
index 0000000..04c26f0
--- /dev/null
@@ -0,0 +1,84 @@
+From stable+bounces-225679-greg=kroah.com@vger.kernel.org Mon Mar 16 20:23:22 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 15:18:40 -0400
+Subject: can: gs_usb: gs_can_open(): always configure bitrates before starting device
+To: stable@vger.kernel.org
+Cc: Marc Kleine-Budde <mkl@pengutronix.de>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260316191840.1350686-1-sashal@kernel.org>
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 2df6162785f31f1bbb598cfc3b08e4efc88f80b6 ]
+
+So far the driver populated the struct can_priv::do_set_bittiming() and
+struct can_priv::fd::do_set_data_bittiming() callbacks.
+
+Before bringing up the interface, user space has to configure the bitrates.
+With these callbacks the configuration is directly forwarded into the CAN
+hardware. Then the interface can be brought up.
+
+An ifdown-ifup cycle (without changing the bit rates) doesn't re-configure
+the bitrates in the CAN hardware. This leads to a problem with the
+CANable-2.5 [1] firmware, which resets the configured bit rates during
+ifdown.
+
+To fix the problem remove both bit timing callbacks and always configure
+the bitrates in the struct net_device_ops::ndo_open() callback.
+
+[1] https://github.com/Elmue/CANable-2.5-firmware-Slcan-and-Candlelight
+
+Cc: stable@vger.kernel.org
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Link: https://patch.msgid.link/20260219-gs_usb-always-configure-bitrates-v2-1-671f8ba5b0a5@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+[ No CAN-FD ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/gs_usb.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -413,9 +413,8 @@ static void gs_usb_receive_bulk_callback
+       }
+ }
+-static int gs_usb_set_bittiming(struct net_device *netdev)
++static int gs_usb_set_bittiming(struct gs_can *dev)
+ {
+-      struct gs_can *dev = netdev_priv(netdev);
+       struct can_bittiming *bt = &dev->can.bittiming;
+       struct usb_interface *intf = dev->iface;
+       int rc;
+@@ -445,7 +444,7 @@ static int gs_usb_set_bittiming(struct n
+       kfree(dbt);
+       if (rc < 0)
+-              dev_err(netdev->dev.parent, "Couldn't set bittimings (err=%d)",
++              dev_err(dev->netdev->dev.parent, "Couldn't set bittimings (err=%d)",
+                       rc);
+       return (rc > 0) ? 0 : rc;
+@@ -675,6 +674,13 @@ static int gs_can_open(struct net_device
+       if (ctrlmode & CAN_CTRLMODE_3_SAMPLES)
+               flags |= GS_CAN_MODE_TRIPLE_SAMPLE;
++      rc = gs_usb_set_bittiming(dev);
++      if (rc) {
++              netdev_err(netdev, "failed to set bittiming: %pe\n", ERR_PTR(rc));
++              kfree(dm);
++              return rc;
++      }
++
+       /* finally start device */
+       dev->can.state = CAN_STATE_ERROR_ACTIVE;
+       dm->mode = cpu_to_le32(GS_CAN_MODE_START);
+@@ -888,7 +894,6 @@ static struct gs_can *gs_make_candev(uns
+       dev->can.state = CAN_STATE_STOPPED;
+       dev->can.clock.freq = le32_to_cpu(bt_const->fclk_can);
+       dev->can.bittiming_const = &dev->bt_const;
+-      dev->can.do_set_bittiming = gs_usb_set_bittiming;
+       dev->can.ctrlmode_supported = 0;
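Review bot: A bittiming failure in gs_can_open is now logged twice: gs_usb_set_bittiming already emits `dev_err(dev->netdev->dev.parent, "Couldn't set bittimings (err=%d)", rc)` and the new caller block adds `netdev_err(netdev, "failed to set bittiming: %pe\n", ERR_PTR(rc))` for the same rc. One of the two should go; since the helper appears to have only this caller once the do_set_bittiming assignment is removed, dropping the dev_err inside gs_usb_set_bittiming leaves a single message that also names the interface. The new error path returns after only `kfree(dm)`, mirroring the existing START-message failure path; if gs_can_open has already anchored rx URBs or called open_candev() earlier (its start is outside the hunk), both exits leave that state untouched, which deserves a short comment or a shared cleanup label. gs_can_open begins and ends outside the hunk.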
diff --git a/queue-5.10/crypto-atmel-sha204a-fix-oom-tfm_count-leak.patch b/queue-5.10/crypto-atmel-sha204a-fix-oom-tfm_count-leak.patch
new file mode 100644 (file)
index 0000000..28b1d38
--- /dev/null
@@ -0,0 +1,41 @@
+From stable+bounces-227200-greg=kroah.com@vger.kernel.org Thu Mar 19 02:37:50 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 21:37:02 -0400
+Subject: crypto: atmel-sha204a - Fix OOM ->tfm_count leak
+To: stable@vger.kernel.org
+Cc: Thorsten Blum <thorsten.blum@linux.dev>, Herbert Xu <herbert@gondor.apana.org.au>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319013702.1881447-1-sashal@kernel.org>
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+[ Upstream commit d240b079a37e90af03fd7dfec94930eb6c83936e ]
+
+If memory allocation fails, decrement ->tfm_count to avoid blocking
+future reads.
+
+Cc: stable@vger.kernel.org
+Fixes: da001fb651b0 ("crypto: atmel-i2c - add support for SHA204A random number generator")
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+[ adapted kmalloc_obj() macro to kmalloc(sizeof()) ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/atmel-sha204a.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/atmel-sha204a.c
++++ b/drivers/crypto/atmel-sha204a.c
+@@ -52,9 +52,10 @@ static int atmel_sha204a_rng_read_nonblo
+               rng->priv = 0;
+       } else {
+               work_data = kmalloc(sizeof(*work_data), GFP_ATOMIC);
+-              if (!work_data)
++              if (!work_data) {
++                      atomic_dec(&i2c_priv->tfm_count);
+                       return -ENOMEM;
+-
++              }
+               work_data->ctx = i2c_priv;
+               work_data->client = i2c_priv->client;
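Review bot: The new `atomic_dec(&i2c_priv->tfm_count)` on the kmalloc failure path has no comment tying it to the matching increment, which sits earlier in atmel_sha204a_rng_read_nonblocking outside this hunk. A reader of the error branch cannot see that the counter gates later reads, so a one-liner such as `/* undo the tfm_count increment above so the next read is not blocked */` would make the pairing explicit. If the increment is an `atomic_inc_return()` whose result also decides whether this request is issued at all, the comment should state that every failure path after it must decrement before returning. The enclosing function starts and ends outside the hunk.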
diff --git a/queue-5.10/drm-msm-fix-dma_free_attrs-buffer-size.patch b/queue-5.10/drm-msm-fix-dma_free_attrs-buffer-size.patch
new file mode 100644 (file)
index 0000000..6c07572
--- /dev/null
@@ -0,0 +1,42 @@
+From stable+bounces-227113-greg=kroah.com@vger.kernel.org Wed Mar 18 17:50:06 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 12:06:37 -0400
+Subject: drm/msm: Fix dma_free_attrs() buffer size
+To: stable@vger.kernel.org
+Cc: Thomas Fourier <fourier.thomas@gmail.com>, Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>, Rob Clark <robin.clark@oss.qualcomm.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260318160637.905031-1-sashal@kernel.org>
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit e4eb6e4dd6348dd00e19c2275e3fbaed304ca3bd ]
+
+The gpummu->table buffer is alloc'd with size TABLE_SIZE + 32 in
+a2xx_gpummu_new() but freed with size TABLE_SIZE in
+a2xx_gpummu_destroy().
+
+Change the free size to match the allocation.
+
+Fixes: c2052a4e5c99 ("drm/msm: implement a2xx mmu")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/707340/
+Message-ID: <20260226095714.12126-2-fourier.thomas@gmail.com>
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_gpummu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/msm_gpummu.c
++++ b/drivers/gpu/drm/msm/msm_gpummu.c
+@@ -72,7 +72,7 @@ static void msm_gpummu_destroy(struct ms
+ {
+       struct msm_gpummu *gpummu = to_msm_gpummu(mmu);
+-      dma_free_attrs(mmu->dev, TABLE_SIZE, gpummu->table, gpummu->pt_base,
++      dma_free_attrs(mmu->dev, TABLE_SIZE + 32, gpummu->table, gpummu->pt_base,
+               DMA_ATTR_FORCE_CONTIGUOUS);
+       kfree(gpummu);
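Review bot: `TABLE_SIZE + 32` at the dma_free_attrs() call is a magic expression that must now be kept in sync by hand with the dma_alloc_attrs() size in a2xx_gpummu_new(), which is outside this hunk; the bug being fixed is exactly the two sizes drifting apart. A single named constant shared by both call sites, e.g. `#define TABLE_ALLOC_SIZE (TABLE_SIZE + 32)`, or storing the allocated length in struct msm_gpummu when the table is created, removes the duplication. A comment at the allocation saying what the extra 32 bytes are for (presumably alignment slack — worth confirming) would also help, since the free site now carries the number without explanation. msm_gpummu_destroy ends outside the hunk.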
diff --git a/queue-5.10/iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch b/queue-5.10/iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch
new file mode 100644 (file)
index 0000000..b222115
--- /dev/null
@@ -0,0 +1,48 @@
+From stable+bounces-226616-greg=kroah.com@vger.kernel.org Tue Mar 17 18:16:00 2026
+From: inv.git-commit@tdk.com
+Date: Tue, 17 Mar 2026 17:10:59 +0000
+Subject: iio: imu: inv_icm42600: fix odr switch when turning buffer off
+To: stable@vger.kernel.org
+Cc: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>, Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Message-ID: <20260317171059.746423-1-inv.git-commit@tdk.com>
+
+From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
+
+[ Upstream commit ffd32db8263d2d785a2c419486a450dc80693235 ]
+
+ODR switch is done in 2 steps when FIFO is on : change the ODR register
+value and acknowledge change when reading the FIFO ODR change flag.
+When we are switching odr and turning buffer off just afterward, we are
+losing the FIFO ODR change flag and ODR switch is blocked.
+
+Fix the issue by force applying any waiting ODR change when turning
+buffer off.
+
+Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping")
+Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c
+@@ -377,6 +377,7 @@ out_unlock:
+ static int inv_icm42600_buffer_postdisable(struct iio_dev *indio_dev)
+ {
+       struct inv_icm42600_state *st = iio_device_get_drvdata(indio_dev);
++      struct inv_icm42600_timestamp *ts = iio_priv(indio_dev);
+       struct device *dev = regmap_get_device(st->map);
+       unsigned int sensor;
+       unsigned int *watermark;
+@@ -398,6 +399,8 @@ static int inv_icm42600_buffer_postdisab
+       mutex_lock(&st->lock);
++      inv_icm42600_timestamp_apply_odr(ts, 0, 0, 0);
++
+       ret = inv_icm42600_buffer_set_fifo_en(st, st->fifo.en & ~sensor);
+       if (ret)
+               goto out_unlock;
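Review bot: The new `inv_icm42600_timestamp_apply_odr(ts, 0, 0, 0)` call in inv_icm42600_buffer_postdisable is unconditional and uncommented, so the zero arguments and the reason for forcing the apply read as arbitrary to anyone not holding the commit message. A comment above the call such as `/* Force any pending ODR change through now: the FIFO is being disabled, so the FIFO ODR-change flag that normally acknowledges it will never be seen. */` keeps the rationale next to the code. If the helper returns a status it is discarded here; worth confirming it is void or that ignoring it is intended. The enclosing function continues past the hunk.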
diff --git a/queue-5.10/iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch b/queue-5.10/iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch
new file mode 100644 (file)
index 0000000..152598b
--- /dev/null
@@ -0,0 +1,44 @@
+From stable+bounces-227403-greg=kroah.com@vger.kernel.org Fri Mar 20 01:22:18 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 20:22:08 -0400
+Subject: iio: light: bh1780: fix PM runtime leak on error path
+To: stable@vger.kernel.org
+Cc: Antoniu Miclaus <antoniu.miclaus@analog.com>, Linus Walleij <linusw@kernel.org>, Stable@vger.kernel.org, Jonathan Cameron <Jonathan.Cameron@huawei.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260320002208.3250719-1-sashal@kernel.org>
+
+From: Antoniu Miclaus <antoniu.miclaus@analog.com>
+
+[ Upstream commit dd72e6c3cdea05cad24e99710939086f7a113fb5 ]
+
+Move pm_runtime_put_autosuspend() before the error check to ensure
+the PM runtime reference count is always decremented after
+pm_runtime_get_sync(), regardless of whether the read operation
+succeeds or fails.
+
+Fixes: 1f0477f18306 ("iio: light: new driver for the ROHM BH1780")
+Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
+Reviewed-by: Linus Walleij <linusw@kernel.org>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+[ moved both pm_runtime_mark_last_busy() and pm_runtime_put_autosuspend() before the error check instead of just pm_runtime_put_autosuspend() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/bh1780.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/light/bh1780.c
++++ b/drivers/iio/light/bh1780.c
+@@ -109,10 +109,10 @@ static int bh1780_read_raw(struct iio_de
+               case IIO_LIGHT:
+                       pm_runtime_get_sync(&bh1780->client->dev);
+                       value = bh1780_read_word(bh1780, BH1780_REG_DLOW);
+-                      if (value < 0)
+-                              return value;
+                       pm_runtime_mark_last_busy(&bh1780->client->dev);
+                       pm_runtime_put_autosuspend(&bh1780->client->dev);
++                      if (value < 0)
++                              return value;
+                       *val = value;
+                       return IIO_VAL_INT;
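Review bot: The return value of `pm_runtime_get_sync(&bh1780->client->dev)` on the line above the read is still unchecked, so a failed resume proceeds to bh1780_read_word() on a device that may not be powered; the new ordering only guarantees the reference is dropped afterwards. A check such as `ret = pm_runtime_get_sync(...); if (ret < 0) { pm_runtime_put_noidle(...); return ret; }` — or pm_runtime_resume_and_get() if this tree has it — would close that gap for the IIO_LIGHT case. The sibling cases of this switch likely follow the same pattern and would need the same treatment; they are outside the hunk. bh1780_read_raw begins and ends outside the hunk.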
diff --git a/queue-5.10/iomap-reject-delalloc-mappings-during-writeback.patch b/queue-5.10/iomap-reject-delalloc-mappings-during-writeback.patch
new file mode 100644 (file)
index 0000000..2dbf1db
--- /dev/null
@@ -0,0 +1,54 @@
+From stable+bounces-227026-greg=kroah.com@vger.kernel.org Wed Mar 18 12:40:17 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 07:37:16 -0400
+Subject: iomap: reject delalloc mappings during writeback
+To: stable@vger.kernel.org
+Cc: "Darrick J. Wong" <djwong@kernel.org>, Christoph Hellwig <hch@lst.de>, Carlos Maiolino <cmaiolino@redhat.com>, Christian Brauner <brauner@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260318113716.629956-1-sashal@kernel.org>
+
+From: "Darrick J. Wong" <djwong@kernel.org>
+
+[ Upstream commit d320f160aa5ff36cdf83c645cca52b615e866e32 ]
+
+Filesystems should never provide a delayed allocation mapping to
+writeback; they're supposed to allocate the space before replying.
+This can lead to weird IO errors and crashes in the block layer if the
+filesystem is being malicious, or if it hadn't set iomap->dev because
+it's a delalloc mapping.
+
+Fix this by failing writeback on delalloc mappings.  Currently no
+filesystems actually misbehave in this manner, but we ought to be
+stricter about things like that.
+
+Cc: stable@vger.kernel.org # v5.5
+Fixes: 598ecfbaa742ac ("iomap: lift the xfs writeback code to iomap")
+Signed-off-by: Darrick J. Wong <djwong@kernel.org>
+Link: https://patch.msgid.link/20260302173002.GL13829@frogsfrogsfrogs
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+[ Different error handling structure ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/iomap/buffered-io.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/iomap/buffered-io.c
++++ b/fs/iomap/buffered-io.c
+@@ -1364,10 +1364,13 @@ iomap_writepage_map(struct iomap_writepa
+               error = wpc->ops->map_blocks(wpc, inode, file_offset);
+               if (error)
+                       break;
+-              if (WARN_ON_ONCE(wpc->iomap.type == IOMAP_INLINE))
+-                      continue;
+               if (wpc->iomap.type == IOMAP_HOLE)
+                       continue;
++              if (WARN_ON_ONCE(wpc->iomap.type != IOMAP_UNWRITTEN &&
++                               wpc->iomap.type != IOMAP_MAPPED)) {
++                      error = -EIO;
++                      break;
++              }
+               iomap_add_to_ioend(inode, file_offset, page, iop, wpc, wbc,
+                                &submit_list);
+               count++;
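Review bot: The new WARN_ON_ONCE block in iomap_writepage_map turns IOMAP_INLINE from a silently skipped mapping into a hard -EIO, but nothing in the code records that intent or that IOMAP_DELALLOC is the real target, so a 5.10 reader sees only a bare type whitelist. A comment above the check, e.g. `/* Only mapped or unwritten extents may be written back; inline and delalloc mappings indicate a filesystem bug (a delalloc mapping may not even have iomap->dev set). */`, ties the check to the reason in the commit message. Because the backport note says the error-handling structure differs from upstream, it is also worth confirming that `break` with error set reaches the same page-level failure handling as the map_blocks() error just above it; the rest of the loop and the function are outside the hunk.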
diff --git a/queue-5.10/kvm-svm-initialize-avic-vmcb-fields-if-avic-is-enabled-with-in-kernel-apic.patch b/queue-5.10/kvm-svm-initialize-avic-vmcb-fields-if-avic-is-enabled-with-in-kernel-apic.patch
new file mode 100644 (file)
index 0000000..e678c4d
--- /dev/null
@@ -0,0 +1,66 @@
+From stable+bounces-225665-greg=kroah.com@vger.kernel.org Mon Mar 16 20:12:22 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 15:12:16 -0400
+Subject: KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC
+To: stable@vger.kernel.org
+Cc: Sean Christopherson <seanjc@google.com>, "Naveen N Rao (AMD)" <naveen@kernel.org>, Jim Mattson <jmattson@google.com>, Paolo Bonzini <pbonzini@redhat.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260316191216.1332463-1-sashal@kernel.org>
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 3989a6d036c8ec82c0de3614bed23a1dacd45de5 ]
+
+Initialize all per-vCPU AVIC control fields in the VMCB if AVIC is enabled
+in KVM and the VM has an in-kernel local APIC, i.e. if it's _possible_ the
+vCPU could activate AVIC at any point in its lifecycle.  Configuring the
+VMCB if and only if AVIC is active "works" purely because of optimizations
+in kvm_create_lapic() to speculatively set apicv_active if AVIC is enabled
+*and* to defer updates until the first KVM_RUN.  In quotes because KVM
+likely won't do the right thing if kvm_apicv_activated() is false, i.e. if
+a vCPU is created while APICv is inhibited at the VM level for whatever
+reason.  E.g. if the inhibit is *removed* before KVM_REQ_APICV_UPDATE is
+handled in KVM_RUN, then __kvm_vcpu_update_apicv() will elide calls to
+vendor code due to seeing "apicv_active == activate".
+
+Cleaning up the initialization code will also allow fixing a bug where KVM
+incorrectly leaves CR8 interception enabled when AVIC is activated without
+creating a mess with respect to whether AVIC is activated or not.
+
+Cc: stable@vger.kernel.org
+Fixes: 67034bb9dd5e ("KVM: SVM: Add irqchip_split() checks before enabling AVIC")
+Fixes: 6c3e4422dd20 ("svm: Add support for dynamic APICv")
+Reviewed-by: Naveen N Rao (AMD) <naveen@kernel.org>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Link: https://patch.msgid.link/20260203190711.458413-2-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[ Context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/avic.c |    2 +-
+ arch/x86/kvm/svm/svm.c  |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/svm/avic.c
++++ b/arch/x86/kvm/svm/avic.c
+@@ -203,7 +203,7 @@ void avic_init_vmcb(struct vcpu_svm *svm
+       vmcb->control.avic_logical_id = lpa & AVIC_HPA_MASK;
+       vmcb->control.avic_physical_id = ppa & AVIC_HPA_MASK;
+       vmcb->control.avic_physical_id |= AVIC_MAX_PHYSICAL_ID_COUNT;
+-      if (kvm_apicv_activated(svm->vcpu.kvm))
++      if (kvm_vcpu_apicv_active(&svm->vcpu))
+               vmcb->control.int_ctl |= AVIC_ENABLE_MASK;
+       else
+               vmcb->control.int_ctl &= ~AVIC_ENABLE_MASK;
+--- a/arch/x86/kvm/svm/svm.c
++++ b/arch/x86/kvm/svm/svm.c
+@@ -1230,7 +1230,7 @@ static void init_vmcb(struct vcpu_svm *s
+       svm_check_invpcid(svm);
+-      if (kvm_vcpu_apicv_active(&svm->vcpu))
++      if (avic && irqchip_in_kernel(svm->vcpu.kvm))
+               avic_init_vmcb(svm);
+       /*
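Review bot: The guard `avic && irqchip_in_kernel(svm->vcpu.kvm)` in init_vmcb encodes the "AVIC could be used by this VM" predicate inline, while avic_init_vmcb() now picks AVIC_ENABLE_MASK from kvm_vcpu_apicv_active(); neither site says that the logical/physical ID fields are deliberately populated even when AVIC is currently inactive so a later activation needs no re-initialisation. A comment above the call, `/* Set up the AVIC fields whenever AVIC could be activated for this vCPU; AVIC_ENABLE_MASK alone tracks whether it currently is. */`, captures the intent given in the commit message. If the same predicate is used elsewhere in svm.c or avic.c to decide AVIC availability, a small helper would keep the sites in step. init_vmcb and avic_init_vmcb both start outside the hunks.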
diff --git a/queue-5.10/mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch b/queue-5.10/mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch
new file mode 100644 (file)
index 0000000..4c4bde6
--- /dev/null
@@ -0,0 +1,60 @@
+From stable+bounces-227634-greg=kroah.com@vger.kernel.org Fri Mar 20 22:55:34 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Mar 2026 17:55:26 -0400
+Subject: mtd: Avoid boot crash in RedBoot partition table parser
+To: stable@vger.kernel.org
+Cc: Finn Thain <fthain@linux-m68k.org>, Kees Cook <kees@kernel.org>, linux-hardening@vger.kernel.org, Miquel Raynal <miquel.raynal@bootlin.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260320215526.133494-2-sashal@kernel.org>
+
+From: Finn Thain <fthain@linux-m68k.org>
+
+[ Upstream commit 8e2f8020270af7777d49c2e7132260983e4fc566 ]
+
+Given CONFIG_FORTIFY_SOURCE=y and a recent compiler,
+commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when
+available") produces the warning below and an oops.
+
+    Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000
+    ------------[ cut here ]------------
+    WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1
+    memcmp: detected buffer overflow: 15 byte read of buffer size 14
+    Modules linked in:
+    CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE
+
+As Kees said, "'names' is pointing to the final 'namelen' many bytes
+of the allocation ... 'namelen' could be basically any length at all.
+This fortify warning looks legit to me -- this code used to be reading
+beyond the end of the allocation."
+
+Since the size of the dynamic allocation is calculated with strlen()
+we can use strcmp() instead of memcmp() and remain within bounds.
+
+Cc: Kees Cook <kees@kernel.org>
+Cc: stable@vger.kernel.org
+Cc: linux-hardening@vger.kernel.org
+Link: https://lore.kernel.org/all/202602151911.AD092DFFCD@keescook/
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Suggested-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/parsers/redboot.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/parsers/redboot.c
++++ b/drivers/mtd/parsers/redboot.c
+@@ -270,9 +270,9 @@ nogood:
+               strcpy(names, fl->img->name);
+ #ifdef CONFIG_MTD_REDBOOT_PARTS_READONLY
+-              if (!memcmp(names, "RedBoot", 8) ||
+-                  !memcmp(names, "RedBoot config", 15) ||
+-                  !memcmp(names, "FIS directory", 14)) {
++              if (!strcmp(names, "RedBoot") ||
++                  !strcmp(names, "RedBoot config") ||
++                  !strcmp(names, "FIS directory")) {
+                       parts[i].mask_flags = MTD_WRITEABLE;
+               }
+ #endif
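Review bot: The three `strcmp(names, ...)` calls in parse_redboot_partitions repeat the same test against a fixed list of RedBoot-reserved names; a static table plus a loop states the intent ("these partitions stay read-only") once and makes adding a name a one-line change. The sketch below keeps the exact-match semantics of the new code and the same mask assignment. parse_redboot_partitions begins and ends outside the hunk.
```c
#ifdef CONFIG_MTD_REDBOOT_PARTS_READONLY
/* Partitions owned by RedBoot itself; never writable from Linux. */
static const char * const redboot_ro_names[] = {
	"RedBoot", "RedBoot config", "FIS directory",
};
#endif

/* … unchanged: parse_redboot_partitions() up to the name copy … */
		strcpy(names, fl->img->name);
#ifdef CONFIG_MTD_REDBOOT_PARTS_READONLY
		for (k = 0; k < ARRAY_SIZE(redboot_ro_names); k++) {
			if (!strcmp(names, redboot_ro_names[k])) {
				parts[i].mask_flags = MTD_WRITEABLE;
				break;
			}
		}
#endif
```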
diff --git a/queue-5.10/mtd-partitions-redboot-fix-style-issues.patch b/queue-5.10/mtd-partitions-redboot-fix-style-issues.patch
new file mode 100644 (file)
index 0000000..8accd59
--- /dev/null
@@ -0,0 +1,202 @@
+From stable+bounces-227633-greg=kroah.com@vger.kernel.org Fri Mar 20 22:55:31 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Mar 2026 17:55:25 -0400
+Subject: mtd: partitions: redboot: fix style issues
+To: stable@vger.kernel.org
+Cc: Corentin Labbe <clabbe@baylibre.com>, Linus Walleij <linus.walleij@linaro.org>, Miquel Raynal <miquel.raynal@bootlin.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260320215526.133494-1-sashal@kernel.org>
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+[ Upstream commit eb1765c40530ccc8690b9dad88cec6aaa6bfb498 ]
+
+This patch fixes easy checkpatch issues.
+
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20210520114851.1274609-2-clabbe@baylibre.com
+Stable-dep-of: 8e2f8020270a ("mtd: Avoid boot crash in RedBoot partition table parser")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/parsers/redboot.c |   69 ++++++++++++++++++++----------------------
+ 1 file changed, 34 insertions(+), 35 deletions(-)
+
+--- a/drivers/mtd/parsers/redboot.c
++++ b/drivers/mtd/parsers/redboot.c
+@@ -17,15 +17,15 @@
+ #include <linux/module.h>
+ struct fis_image_desc {
+-    unsigned char name[16];      // Null terminated name
+-    uint32_t    flash_base;    // Address within FLASH of image
+-    uint32_t    mem_base;      // Address in memory where it executes
+-    uint32_t    size;          // Length of image
+-    uint32_t    entry_point;   // Execution entry point
+-    uint32_t    data_length;   // Length of actual data
+-    unsigned char _pad[256-(16+7*sizeof(uint32_t))];
+-    uint32_t    desc_cksum;    // Checksum over image descriptor
+-    uint32_t    file_cksum;    // Checksum over image data
++      unsigned char name[16];      // Null terminated name
++      u32       flash_base;    // Address within FLASH of image
++      u32       mem_base;      // Address in memory where it executes
++      u32       size;          // Length of image
++      u32       entry_point;   // Execution entry point
++      u32       data_length;   // Length of actual data
++      unsigned char _pad[256 - (16 + 7 * sizeof(u32))];
++      u32       desc_cksum;    // Checksum over image descriptor
++      u32       file_cksum;    // Checksum over image data
+ };
+ struct fis_list {
+@@ -91,12 +91,12 @@ static int parse_redboot_partitions(stru
+       parse_redboot_of(master);
+-      if ( directory < 0 ) {
++      if (directory < 0) {
+               offset = master->size + directory * master->erasesize;
+               while (mtd_block_isbad(master, offset)) {
+                       if (!offset) {
+-                      nogood:
+-                              printk(KERN_NOTICE "Failed to find a non-bad block to check for RedBoot partition table\n");
++nogood:
++                              pr_notice("Failed to find a non-bad block to check for RedBoot partition table\n");
+                               return -EIO;
+                       }
+                       offset -= master->erasesize;
+@@ -114,8 +114,8 @@ static int parse_redboot_partitions(stru
+       if (!buf)
+               return -ENOMEM;
+-      printk(KERN_NOTICE "Searching for RedBoot partition table in %s at offset 0x%lx\n",
+-             master->name, offset);
++      pr_notice("Searching for RedBoot partition table in %s at offset 0x%lx\n",
++                master->name, offset);
+       ret = mtd_read(master, offset, master->erasesize, &retlen,
+                      (void *)buf);
+@@ -151,14 +151,13 @@ static int parse_redboot_partitions(stru
+                            && swab32(buf[i].size) < master->erasesize)) {
+                               int j;
+                               /* Update numslots based on actual FIS directory size */
+-                              numslots = swab32(buf[i].size) / sizeof (struct fis_image_desc);
++                              numslots = swab32(buf[i].size) / sizeof(struct fis_image_desc);
+                               for (j = 0; j < numslots; ++j) {
+-
+                                       /* A single 0xff denotes a deleted entry.
+                                        * Two of them in a row is the end of the table.
+                                        */
+                                       if (buf[j].name[0] == 0xff) {
+-                                              if (buf[j].name[1] == 0xff) {
++                                              if (buf[j].name[1] == 0xff) {
+                                                       break;
+                                               } else {
+                                                       continue;
+@@ -185,8 +184,8 @@ static int parse_redboot_partitions(stru
+       }
+       if (i == numslots) {
+               /* Didn't find it */
+-              printk(KERN_NOTICE "No RedBoot partition table detected in %s\n",
+-                     master->name);
++              pr_notice("No RedBoot partition table detected in %s\n",
++                        master->name);
+               ret = 0;
+               goto out;
+       }
+@@ -205,7 +204,7 @@ static int parse_redboot_partitions(stru
+                       break;
+               new_fl = kmalloc(sizeof(struct fis_list), GFP_KERNEL);
+-              namelen += strlen(buf[i].name)+1;
++              namelen += strlen(buf[i].name) + 1;
+               if (!new_fl) {
+                       ret = -ENOMEM;
+                       goto out;
+@@ -214,13 +213,13 @@ static int parse_redboot_partitions(stru
+               if (data && data->origin)
+                       buf[i].flash_base -= data->origin;
+               else
+-                      buf[i].flash_base &= master->size-1;
++                      buf[i].flash_base &= master->size - 1;
+               /* I'm sure the JFFS2 code has done me permanent damage.
+                * I now think the following is _normal_
+                */
+               prev = &fl;
+-              while(*prev && (*prev)->img->flash_base < new_fl->img->flash_base)
++              while (*prev && (*prev)->img->flash_base < new_fl->img->flash_base)
+                       prev = &(*prev)->next;
+               new_fl->next = *prev;
+               *prev = new_fl;
+@@ -240,7 +239,7 @@ static int parse_redboot_partitions(stru
+               }
+       }
+ #endif
+-      parts = kzalloc(sizeof(*parts)*nrparts + nulllen + namelen, GFP_KERNEL);
++      parts = kzalloc(sizeof(*parts) * nrparts + nulllen + namelen, GFP_KERNEL);
+       if (!parts) {
+               ret = -ENOMEM;
+@@ -249,23 +248,22 @@ static int parse_redboot_partitions(stru
+       nullname = (char *)&parts[nrparts];
+ #ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED
+-      if (nulllen > 0) {
++      if (nulllen > 0)
+               strcpy(nullname, nullstring);
+-      }
+ #endif
+       names = nullname + nulllen;
+-      i=0;
++      i = 0;
+ #ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED
+       if (fl->img->flash_base) {
+-             parts[0].name = nullname;
+-             parts[0].size = fl->img->flash_base;
+-             parts[0].offset = 0;
++              parts[0].name = nullname;
++              parts[0].size = fl->img->flash_base;
++              parts[0].offset = 0;
+               i++;
+       }
+ #endif
+-      for ( ; i<nrparts; i++) {
++      for ( ; i < nrparts; i++) {
+               parts[i].size = fl->img->size;
+               parts[i].offset = fl->img->flash_base;
+               parts[i].name = names;
+@@ -273,17 +271,17 @@ static int parse_redboot_partitions(stru
+               strcpy(names, fl->img->name);
+ #ifdef CONFIG_MTD_REDBOOT_PARTS_READONLY
+               if (!memcmp(names, "RedBoot", 8) ||
+-                              !memcmp(names, "RedBoot config", 15) ||
+-                              !memcmp(names, "FIS directory", 14)) {
++                  !memcmp(names, "RedBoot config", 15) ||
++                  !memcmp(names, "FIS directory", 14)) {
+                       parts[i].mask_flags = MTD_WRITEABLE;
+               }
+ #endif
+-              names += strlen(names)+1;
++              names += strlen(names) + 1;
+ #ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED
+-              if(fl->next && fl->img->flash_base + fl->img->size + master->erasesize <= fl->next->img->flash_base) {
++              if (fl->next && fl->img->flash_base + fl->img->size + master->erasesize <= fl->next->img->flash_base) {
+                       i++;
+-                      parts[i].offset = parts[i-1].size + parts[i-1].offset;
++                      parts[i].offset = parts[i - 1].size + parts[i - 1].offset;
+                       parts[i].size = fl->next->img->flash_base - parts[i].offset;
+                       parts[i].name = nullname;
+               }
+@@ -297,6 +295,7 @@ static int parse_redboot_partitions(stru
+  out:
+       while (fl) {
+               struct fis_list *old = fl;
++
+               fl = fl->next;
+               kfree(old);
+       }
diff --git a/queue-5.10/net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch b/queue-5.10/net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch
new file mode 100644 (file)
index 0000000..500ab6d
--- /dev/null
@@ -0,0 +1,83 @@
+From stable+bounces-224570-greg=kroah.com@vger.kernel.org Tue Mar 10 21:18:38 2026
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Tue, 10 Mar 2026 13:17:08 -0700
+Subject: net/tcp-md5: Fix MAC comparison to be constant-time
+To: stable@vger.kernel.org
+Cc: linux-crypto@vger.kernel.org, netdev@vger.kernel.org, Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers <ebiggers@kernel.org>, Jakub Kicinski <kuba@kernel.org>
+Message-ID: <20260310201708.120088-1-ebiggers@kernel.org>
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit 46d0d6f50dab706637f4c18a470aac20a21900d3 upstream.
+
+To prevent timing attacks, MACs need to be compared in constant
+time.  Use the appropriate helper function for this.
+
+Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
+Fixes: 658ddaaf6694 ("tcp: md5: RST: getting md5 key from listener")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Link: https://patch.msgid.link/20260302203409.13388-1-ebiggers@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_ipv4.c |    5 +++--
+ net/ipv6/tcp_ipv6.c |    5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -78,6 +78,7 @@
+ #include <linux/inetdevice.h>
+ #include <linux/btf_ids.h>
++#include <crypto/algapi.h>
+ #include <crypto/hash.h>
+ #include <linux/scatterlist.h>
+@@ -764,7 +765,7 @@ static void tcp_v4_send_reset(const stru
+               genhash = tcp_v4_md5_hash_skb(newhash, key, NULL, skb);
+-              if (genhash || memcmp(hash_location, newhash, 16) != 0)
++              if (genhash || crypto_memneq(hash_location, newhash, 16))
+                       goto out;
+       }
+@@ -1451,7 +1452,7 @@ static bool tcp_v4_inbound_md5_hash(cons
+                                     hash_expected,
+                                     NULL, skb);
+-      if (genhash || memcmp(hash_location, newhash, 16) != 0) {
++      if (genhash || crypto_memneq(hash_location, newhash, 16)) {
+               NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE);
+               net_info_ratelimited("MD5 Hash failed for (%pI4, %d)->(%pI4, %d)%s L3 index %d\n",
+                                    &iph->saddr, ntohs(th->source),
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -63,6 +63,7 @@
+ #include <linux/proc_fs.h>
+ #include <linux/seq_file.h>
++#include <crypto/algapi.h>
+ #include <crypto/hash.h>
+ #include <linux/scatterlist.h>
+@@ -810,7 +811,7 @@ static bool tcp_v6_inbound_md5_hash(cons
+                                     hash_expected,
+                                     NULL, skb);
+-      if (genhash || memcmp(hash_location, newhash, 16) != 0) {
++      if (genhash || crypto_memneq(hash_location, newhash, 16)) {
+               NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE);
+               net_info_ratelimited("MD5 Hash %s for [%pI6c]:%u->[%pI6c]:%u L3 index %d\n",
+                                    genhash ? "failed" : "mismatch",
+@@ -1071,7 +1072,7 @@ static void tcp_v6_send_reset(const stru
+                       goto out;
+               genhash = tcp_v6_md5_hash_skb(newhash, key, NULL, skb);
+-              if (genhash || memcmp(hash_location, newhash, 16) != 0)
++              if (genhash || crypto_memneq(hash_location, newhash, 16))
+                       goto out;
+       }
+ #endif
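Review bot: The digest width is the bare literal 16 at all four replaced `crypto_memneq()` call sites (tcp_v4_send_reset, tcp_v4_inbound_md5_hash, tcp_v6_inbound_md5_hash, tcp_v6_send_reset), which says nothing about what is being compared; `MD5_DIGEST_SIZE` from `<crypto/md5.h>` would document it if that header is acceptable in these files, otherwise a one-line comment such as `/* compare the full 16-byte MD5 digest */` at the first site. Separately, the IPv4 failure log in tcp_v4_inbound_md5_hash reports "MD5 Hash failed" for both a hash-computation failure and a mismatch, while the IPv6 message uses `genhash ? "failed" : "mismatch"`; anyone correlating LINUX_MIB_TCPMD5FAILURE against logs would benefit from the v4 message carrying the same selector. The same bare-literal point applies to the 8 in the smb-client-compare-macs hunk (cifsencrypt.c). All four functions start and end outside the hunk.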
diff --git a/queue-5.10/nfsd-define-exports_proc_ops-with-config_proc_fs.patch b/queue-5.10/nfsd-define-exports_proc_ops-with-config_proc_fs.patch
new file mode 100644 (file)
index 0000000..78552ca
--- /dev/null
@@ -0,0 +1,72 @@
+From stable+bounces-227525-greg=kroah.com@vger.kernel.org Fri Mar 20 12:39:52 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Mar 2026 07:39:38 -0400
+Subject: nfsd: define exports_proc_ops with CONFIG_PROC_FS
+To: stable@vger.kernel.org
+Cc: Tom Rix <trix@redhat.com>, Jeff Layton <jlayton@kernel.org>, Chuck Lever <chuck.lever@oracle.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260320113939.3971291-1-sashal@kernel.org>
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 340086da9a87820b40601141a0e9e87c954ac006 ]
+
+gcc with W=1 and ! CONFIG_PROC_FS
+fs/nfsd/nfsctl.c:161:30: error: ‘exports_proc_ops’
+  defined but not used [-Werror=unused-const-variable=]
+  161 | static const struct proc_ops exports_proc_ops = {
+      |                              ^~~~~~~~~~~~~~~~
+
+The only use of exports_proc_ops is when CONFIG_PROC_FS
+is defined, so its definition should be likewise conditional.
+
+Signed-off-by: Tom Rix <trix@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Stable-dep-of: e7fcf179b82d ("NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfsctl.c |   25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -155,18 +155,6 @@ static int exports_net_open(struct net *
+       return 0;
+ }
+-static int exports_proc_open(struct inode *inode, struct file *file)
+-{
+-      return exports_net_open(current->nsproxy->net_ns, file);
+-}
+-
+-static const struct proc_ops exports_proc_ops = {
+-      .proc_open      = exports_proc_open,
+-      .proc_read      = seq_read,
+-      .proc_lseek     = seq_lseek,
+-      .proc_release   = seq_release,
+-};
+-
+ static int exports_nfsd_open(struct inode *inode, struct file *file)
+ {
+       return exports_net_open(inode->i_sb->s_fs_info, file);
+@@ -1423,6 +1411,19 @@ static struct file_system_type nfsd_fs_t
+ MODULE_ALIAS_FS("nfsd");
+ #ifdef CONFIG_PROC_FS
++
++static int exports_proc_open(struct inode *inode, struct file *file)
++{
++      return exports_net_open(current->nsproxy->net_ns, file);
++}
++
++static const struct proc_ops exports_proc_ops = {
++      .proc_open      = exports_proc_open,
++      .proc_read      = seq_read,
++      .proc_lseek     = seq_lseek,
++      .proc_release   = seq_release,
++};
++
+ static int create_proc_exports_entry(void)
+ {
+       struct proc_dir_entry *entry;
diff --git a/queue-5.10/nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch b/queue-5.10/nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch
new file mode 100644 (file)
index 0000000..4742e5f
--- /dev/null
@@ -0,0 +1,97 @@
+From stable+bounces-227532-greg=kroah.com@vger.kernel.org Fri Mar 20 12:49:59 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Mar 2026 07:48:45 -0400
+Subject: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
+To: stable@vger.kernel.org
+Cc: Jeff Layton <jlayton@kernel.org>, stable@kernel.org, Nicholas Carlini <npc@anthropic.com>, Chuck Lever <chuck.lever@oracle.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260320114846.3998380-1-sashal@kernel.org>
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 5133b61aaf437e5f25b1b396b14242a6bb0508e2 ]
+
+The NFSv4.0 replay cache uses a fixed 112-byte inline buffer
+(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.
+This size was calculated based on OPEN responses and does not account
+for LOCK denied responses, which include the conflicting lock owner as
+a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).
+
+When a LOCK operation is denied due to a conflict with an existing lock
+that has a large owner, nfsd4_encode_operation() copies the full encoded
+response into the undersized replay buffer via read_bytes_from_xdr_buf()
+with no bounds check. This results in a slab-out-of-bounds write of up
+to 944 bytes past the end of the buffer, corrupting adjacent heap memory.
+
+This can be triggered remotely by an unauthenticated attacker with two
+cooperating NFSv4.0 clients: one sets a lock with a large owner string,
+then the other requests a conflicting lock to provoke the denial.
+
+We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full
+opaque, but that would increase the size of every stateowner, when most
+lockowners are not that large.
+
+Instead, fix this by checking the encoded response length against
+NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the
+response is too large, set rp_buflen to 0 to skip caching the replay
+payload. The status is still cached, and the client already received the
+correct response on the original request.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@kernel.org
+Reported-by: Nicholas Carlini <npc@anthropic.com>
+Tested-by: Nicholas Carlini <npc@anthropic.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+[ replaced `op_status_offset + XDR_UNIT` with existing `post_err_offset` variable ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4xdr.c |    9 +++++++--
+ fs/nfsd/state.h   |   17 ++++++++++++-----
+ 2 files changed, 19 insertions(+), 7 deletions(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -5438,9 +5438,14 @@ nfsd4_encode_operation(struct nfsd4_comp
+               int len = xdr->buf->len - post_err_offset;
+               so->so_replay.rp_status = op->status;
+-              so->so_replay.rp_buflen = len;
+-              read_bytes_from_xdr_buf(xdr->buf, post_err_offset,
++              if (len <= NFSD4_REPLAY_ISIZE) {
++                      so->so_replay.rp_buflen = len;
++                      read_bytes_from_xdr_buf(xdr->buf,
++                                              post_err_offset,
+                                               so->so_replay.rp_buf, len);
++              } else {
++                      so->so_replay.rp_buflen = 0;
++              }
+       }
+ status:
+       *p = op->status;
+--- a/fs/nfsd/state.h
++++ b/fs/nfsd/state.h
+@@ -430,11 +430,18 @@ struct nfs4_client_reclaim {
+       struct xdr_netobj       cr_princhash;
+ };
+-/* A reasonable value for REPLAY_ISIZE was estimated as follows:  
+- * The OPEN response, typically the largest, requires 
+- *   4(status) + 8(stateid) + 20(changeinfo) + 4(rflags) +  8(verifier) + 
+- *   4(deleg. type) + 8(deleg. stateid) + 4(deleg. recall flag) + 
+- *   20(deleg. space limit) + ~32(deleg. ace) = 112 bytes 
++/*
++ * REPLAY_ISIZE is sized for an OPEN response with delegation:
++ *   4(status) + 8(stateid) + 20(changeinfo) + 4(rflags) +
++ *   8(verifier) + 4(deleg. type) + 8(deleg. stateid) +
++ *   4(deleg. recall flag) + 20(deleg. space limit) +
++ *   ~32(deleg. ace) = 112 bytes
++ *
++ * Some responses can exceed this. A LOCK denial includes the conflicting
++ * lock owner, which can be up to 1024 bytes (NFS4_OPAQUE_LIMIT). Responses
++ * larger than REPLAY_ISIZE are not cached in rp_ibuf; only rp_status is
++ * saved. Enlarging this constant increases the size of every
++ * nfs4_stateowner.
+  */
+ #define NFSD4_REPLAY_ISIZE       112 
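Review bot: The new `if (len <= NFSD4_REPLAY_ISIZE)` guard in nfsd4_encode_operation is a signed comparison on `int len = xdr->buf->len - post_err_offset`; if post_err_offset could ever exceed xdr->buf->len, a negative len passes the check and is handed to read_bytes_from_xdr_buf() as a length, so `if (len >= 0 && len <= NFSD4_REPLAY_ISIZE)` would make the bound self-contained rather than dependent on a caller-side invariant — hedged, since the offset computation is outside the hunk. The else branch deserves a one-line comment, e.g. `/* Too large for rp_ibuf: cache the status only, see NFSD4_REPLAY_ISIZE */`, so the silent drop of the payload reads as intentional rather than as a missed error path. nfsd4_encode_operation starts and ends outside the hunk.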
diff --git a/queue-5.10/nfsd-hold-net-reference-for-the-lifetime-of-proc-fs-nfs-exports-fd.patch b/queue-5.10/nfsd-hold-net-reference-for-the-lifetime-of-proc-fs-nfs-exports-fd.patch
new file mode 100644 (file)
index 0000000..bf07882
--- /dev/null
@@ -0,0 +1,84 @@
+From stable+bounces-227526-greg=kroah.com@vger.kernel.org Fri Mar 20 12:39:56 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Mar 2026 07:39:39 -0400
+Subject: NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
+To: stable@vger.kernel.org
+Cc: Chuck Lever <chuck.lever@oracle.com>, Misbah Anjum N <misanjum@linux.ibm.com>, Jeff Layton <jlayton@kernel.org>, NeilBrown <neil@brown.name>, Olga Kornievskaia <okorniev@redhat.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260320113939.3971291-2-sashal@kernel.org>
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit e7fcf179b82d3a3730fd8615da01b087cc654d0b ]
+
+The /proc/fs/nfs/exports proc entry is created at module init
+and persists for the module's lifetime. exports_proc_open()
+captures the caller's current network namespace and stores
+its svc_export_cache in seq->private, but takes no reference
+on the namespace. If the namespace is subsequently torn down
+(e.g. container destruction after the opener does setns() to a
+different namespace), nfsd_net_exit() calls nfsd_export_shutdown()
+which frees the cache. Subsequent reads on the still-open fd
+dereference the freed cache_detail, walking a freed hash table.
+
+Hold a reference on the struct net for the lifetime of the open
+file descriptor. This prevents nfsd_net_exit() from running --
+and thus prevents nfsd_export_shutdown() from freeing the cache
+-- while any exports fd is open. cache_detail already stores
+its net pointer (cd->net, set by cache_create_net()), so
+exports_release() can retrieve it without additional per-file
+storage.
+
+Reported-by: Misbah Anjum N <misanjum@linux.ibm.com>
+Closes: https://lore.kernel.org/linux-nfs/dcd371d3a95815a84ba7de52cef447b8@linux.ibm.com/
+Fixes: 96d851c4d28d ("nfsd: use proper net while reading "exports" file")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: NeilBrown <neil@brown.name>
+Tested-by: Olga Kornievskaia <okorniev@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfsctl.c |   14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -152,9 +152,19 @@ static int exports_net_open(struct net *
+       seq = file->private_data;
+       seq->private = nn->svc_export_cache;
++      get_net(net);
+       return 0;
+ }
++static int exports_release(struct inode *inode, struct file *file)
++{
++      struct seq_file *seq = file->private_data;
++      struct cache_detail *cd = seq->private;
++
++      put_net(cd->net);
++      return seq_release(inode, file);
++}
++
+ static int exports_nfsd_open(struct inode *inode, struct file *file)
+ {
+       return exports_net_open(inode->i_sb->s_fs_info, file);
+@@ -164,7 +174,7 @@ static const struct file_operations expo
+       .open           = exports_nfsd_open,
+       .read           = seq_read,
+       .llseek         = seq_lseek,
+-      .release        = seq_release,
++      .release        = exports_release,
+ };
+ static int export_features_show(struct seq_file *m, void *v)
+@@ -1421,7 +1431,7 @@ static const struct proc_ops exports_pro
+       .proc_open      = exports_proc_open,
+       .proc_read      = seq_read,
+       .proc_lseek     = seq_lseek,
+-      .proc_release   = seq_release,
++      .proc_release   = exports_release,
+ };
+ static int create_proc_exports_entry(void)
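Review bot: The pairing between the `get_net(net)` added to exports_net_open and the `put_net(cd->net)` in exports_release is implicit, and exports_release relies on seq->private still holding the cache_detail whose cd->net is the namespace that was pinned; a comment at the get_net, `/* Pinned for the life of the fd; exports_release() drops it via cd->net. */`, plus a one-line kerneldoc on exports_release stating that it must be the .release for every opener that went through exports_net_open, would make that contract visible. Both file_operations tables (nfsd fs and proc) now route through exports_release, so a future open path that reuses exports_net_open but keeps seq_release as its release would leak a namespace reference — worth saying in the comment. exports_net_open starts outside the hunk, so its error returns ahead of the get_net were not checked here.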
diff --git a/queue-5.10/pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch b/queue-5.10/pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch
new file mode 100644 (file)
index 0000000..bfd877e
--- /dev/null
@@ -0,0 +1,56 @@
+From stable+bounces-227059-greg=kroah.com@vger.kernel.org Wed Mar 18 13:44:10 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 08:43:11 -0400
+Subject: pmdomain: bcm: bcm2835-power: Fix broken reset status read
+To: stable@vger.kernel.org
+Cc: "Maíra Canal" <mcanal@igalia.com>, "Florian Fainelli" <florian.fainelli@broadcom.com>, "Stefan Wahren" <wahrenst@gmx.net>, "Ulf Hansson" <ulf.hansson@linaro.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20260318124311.706015-1-sashal@kernel.org>
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit 550bae2c0931dbb664a61b08c21cf156f0a5362a ]
+
+bcm2835_reset_status() has a misplaced parenthesis on every PM_READ()
+call. Since PM_READ(reg) expands to readl(power->base + (reg)), the
+expression:
+
+    PM_READ(PM_GRAFX & PM_V3DRSTN)
+
+computes the bitwise AND of the register offset PM_GRAFX with the
+bitmask PM_V3DRSTN before using the result as a register offset, reading
+from the wrong MMIO address instead of the intended PM_GRAFX register.
+The same issue affects the PM_IMAGE cases.
+
+Fix by moving the closing parenthesis so PM_READ() receives only the
+register offset, and the bitmask is applied to the value returned by
+the read.
+
+Fixes: 670c672608a1 ("soc: bcm: bcm2835-pm: Add support for power domains under a new binding.")
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/bcm/bcm2835-power.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/soc/bcm/bcm2835-power.c
++++ b/drivers/soc/bcm/bcm2835-power.c
+@@ -566,11 +566,11 @@ static int bcm2835_reset_status(struct r
+       switch (id) {
+       case BCM2835_RESET_V3D:
+-              return !PM_READ(PM_GRAFX & PM_V3DRSTN);
++              return !(PM_READ(PM_GRAFX) & PM_V3DRSTN);
+       case BCM2835_RESET_H264:
+-              return !PM_READ(PM_IMAGE & PM_H264RSTN);
++              return !(PM_READ(PM_IMAGE) & PM_H264RSTN);
+       case BCM2835_RESET_ISP:
+-              return !PM_READ(PM_IMAGE & PM_ISPRSTN);
++              return !(PM_READ(PM_IMAGE) & PM_ISPRSTN);
+       default:
+               return -EINVAL;
+       }
diff --git a/queue-5.10/pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch b/queue-5.10/pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch
new file mode 100644 (file)
index 0000000..05646b9
--- /dev/null
@@ -0,0 +1,97 @@
+From stable+bounces-227766-greg=kroah.com@vger.kernel.org Sat Mar 21 13:45:40 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Mar 2026 08:45:35 -0400
+Subject: pmdomain: bcm: bcm2835-power: Increase ASB control timeout
+To: stable@vger.kernel.org
+Cc: "Maíra Canal" <mcanal@igalia.com>, "Stefan Wahren" <wahrenst@gmx.net>, "Ulf Hansson" <ulf.hansson@linaro.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20260321124535.271540-1-sashal@kernel.org>
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit b826d2c0b0ecb844c84431ba6b502e744f5d919a ]
+
+The bcm2835_asb_control() function uses a tight polling loop to wait
+for the ASB bridge to acknowledge a request. During intensive workloads,
+this handshake intermittently fails for V3D's master ASB on BCM2711,
+resulting in "Failed to disable ASB master for v3d" errors during
+runtime PM suspend. As a consequence, the failed power-off leaves V3D in
+a broken state, leading to bus faults or system hangs on later accesses.
+
+As the timeout is insufficient in some scenarios, increase the polling
+timeout from 1us to 5us, which is still negligible in the context of a
+power domain transition. Also, replace the open-coded ktime_get_ns()/
+cpu_relax() polling loop with readl_poll_timeout_atomic().
+
+Cc: stable@vger.kernel.org
+Fixes: 670c672608a1 ("soc: bcm: bcm2835-pm: Add support for power domains under a new binding.")
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+[ adapted unified bcm2835_asb_control() function changes to separate bcm2835_asb_enable() and bcm2835_asb_disable() functions ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/bcm/bcm2835-power.c |   27 +++++++++++----------------
+ 1 file changed, 11 insertions(+), 16 deletions(-)
+
+--- a/drivers/soc/bcm/bcm2835-power.c
++++ b/drivers/soc/bcm/bcm2835-power.c
+@@ -9,6 +9,7 @@
+ #include <linux/clk.h>
+ #include <linux/delay.h>
+ #include <linux/io.h>
++#include <linux/iopoll.h>
+ #include <linux/mfd/bcm2835-pm.h>
+ #include <linux/module.h>
+ #include <linux/platform_device.h>
+@@ -150,40 +151,34 @@ struct bcm2835_power {
+ static int bcm2835_asb_enable(struct bcm2835_power *power, u32 reg)
+ {
+-      u64 start;
++      u32 val;
+       if (!reg)
+               return 0;
+-      start = ktime_get_ns();
+-
+       /* Enable the module's async AXI bridges. */
+       ASB_WRITE(reg, ASB_READ(reg) & ~ASB_REQ_STOP);
+-      while (ASB_READ(reg) & ASB_ACK) {
+-              cpu_relax();
+-              if (ktime_get_ns() - start >= 1000)
+-                      return -ETIMEDOUT;
+-      }
++
++      if (readl_poll_timeout_atomic(power->asb + reg, val,
++                                    !(val & ASB_ACK), 0, 5))
++              return -ETIMEDOUT;
+       return 0;
+ }
+ static int bcm2835_asb_disable(struct bcm2835_power *power, u32 reg)
+ {
+-      u64 start;
++      u32 val;
+       if (!reg)
+               return 0;
+-      start = ktime_get_ns();
+-
+       /* Enable the module's async AXI bridges. */
+       ASB_WRITE(reg, ASB_READ(reg) | ASB_REQ_STOP);
+-      while (!(ASB_READ(reg) & ASB_ACK)) {
+-              cpu_relax();
+-              if (ktime_get_ns() - start >= 1000)
+-                      return -ETIMEDOUT;
+-      }
++
++      if (readl_poll_timeout_atomic(power->asb + reg, val,
++                                    !!(val & ASB_ACK), 0, 5))
++              return -ETIMEDOUT;
+       return 0;
+ }
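Review bot: The context comment in bcm2835_asb_disable still reads `/* Enable the module's async AXI bridges. */` directly above the write that sets ASB_REQ_STOP and the new poll that waits for ASB_ACK to become set; it should read `/* Disable the module's async AXI bridges. */`. The two readl_poll_timeout_atomic() calls also carry the bare timeout literal 5 with no explanation; a named constant (a suggested `ASB_ACK_TIMEOUT_US` with a comment noting the 1us-to-5us rationale from the commit message) would keep bcm2835_asb_enable and bcm2835_asb_disable from drifting apart. Both functions are complete within the hunk.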
diff --git a/queue-5.10/s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch b/queue-5.10/s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch
new file mode 100644 (file)
index 0000000..df08683
--- /dev/null
@@ -0,0 +1,41 @@
+From stable+bounces-226990-greg=kroah.com@vger.kernel.org Wed Mar 18 08:58:18 2026
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Wed, 18 Mar 2026 08:55:10 +0100
+Subject: s390/xor: Fix xor_xc_2() inline assembly constraints
+To: stable@vger.kernel.org
+Cc: Heiko Carstens <hca@linux.ibm.com>, Vasily Gorbik <gor@linux.ibm.com>
+Message-ID: <20260318075510.4102927-1-hca@linux.ibm.com>
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+The inline assembly constraints for xor_xc_2() are incorrect. "bytes",
+"p1", and "p2" are input operands, while all three of them are modified
+within the inline assembly. Given that the function consists only of this
+inline assembly it seems unlikely that this may cause any problems, however
+fix this in any case.
+
+Fixes: 2cfc5f9ce7f5 ("s390/xor: optimized xor routing using the XC instruction")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Link: https://lore.kernel.org/r/20260302133500.1560531-2-hca@linux.ibm.com
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+(cherry picked from commit f775276edc0c505dc0f782773796c189f31a1123)
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/lib/xor.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/lib/xor.c
++++ b/arch/s390/lib/xor.c
+@@ -28,8 +28,8 @@ static void xor_xc_2(unsigned long bytes
+               "       j       3f\n"
+               "2:     xc      0(1,%1),0(%2)\n"
+               "3:\n"
+-              : : "d" (bytes), "a" (p1), "a" (p2)
+-              : "0", "1", "cc", "memory");
++              : "+d" (bytes), "+a" (p1), "+a" (p2)
++              : : "0", "1", "cc", "memory");
+ }
+ static void xor_xc_3(unsigned long bytes, unsigned long *p1, unsigned long *p2,
diff --git a/queue-5.10/s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch b/queue-5.10/s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch
new file mode 100644 (file)
index 0000000..384308e
--- /dev/null
@@ -0,0 +1,73 @@
+From stable+bounces-227277-greg=kroah.com@vger.kernel.org Thu Mar 19 12:52:29 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 07:50:01 -0400
+Subject: s390/zcrypt: Enable AUTOSEL_DOM for CCA serialnr sysfs attribute
+To: stable@vger.kernel.org
+Cc: Harald Freudenberger <freude@linux.ibm.com>, Ingo Franzki <ifranzki@linux.ibm.com>, Vasily Gorbik <gor@linux.ibm.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319115001.2359762-1-sashal@kernel.org>
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+[ Upstream commit 598bbefa8032cc58b564a81d1ad68bd815c8dc0f ]
+
+The serialnr sysfs attribute for CCA cards when queried always
+used the default domain for sending the request down to the card.
+If for any reason exactly this default domain is disabled then
+the attribute code fails to retrieve the CCA info and the sysfs
+entry shows an empty string. Works as designed but the serial
+number is a card attribute and thus it does not matter which
+domain is used for the query. So if there are other domains on
+this card available, these could be used.
+
+So extend the code to use AUTOSEL_DOM for the domain value to
+address any online domain within the card for querying the cca
+info and thus show the serialnr as long as there is one domain
+usable regardless of the default domain setting.
+
+Fixes: 8f291ebf3270 ("s390/zcrypt: enable card/domain autoselect on ep11 cprbs")
+Suggested-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+[ preserved zc->online as the fourth argument to cca_get_info() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/crypto/zcrypt_ccamisc.c |   12 +++++++-----
+ drivers/s390/crypto/zcrypt_cex4.c    |    3 +--
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/s390/crypto/zcrypt_ccamisc.c
++++ b/drivers/s390/crypto/zcrypt_ccamisc.c
+@@ -1680,11 +1680,13 @@ static int fetch_cca_info(u16 cardnr, u1
+       memset(ci, 0, sizeof(*ci));
+-      /* get first info from zcrypt device driver about this apqn */
+-      rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
+-      if (rc)
+-              return rc;
+-      ci->hwtype = devstat.hwtype;
++      /* if specific domain given, fetch status and hw info for this apqn */
++      if (domain != AUTOSEL_DOM) {
++              rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
++              if (rc)
++                      return rc;
++              ci->hwtype = devstat.hwtype;
++      }
+       /* prep page for rule array and var array use */
+       pg = (u8 *) __get_free_page(GFP_KERNEL);
+--- a/drivers/s390/crypto/zcrypt_cex4.c
++++ b/drivers/s390/crypto/zcrypt_cex4.c
+@@ -84,8 +84,7 @@ static ssize_t cca_serialnr_show(struct
+       memset(&ci, 0, sizeof(ci));
+-      if (ap_domain_index >= 0)
+-              cca_get_info(ac->id, ap_domain_index, &ci, zc->online);
++      cca_get_info(ac->id, AUTOSEL_DOM, &ci, zc->online);
+       return scnprintf(buf, PAGE_SIZE, "%s\n", ci.serial);
+ }
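Review bot: When fetch_cca_info is called with AUTOSEL_DOM, the new branch skips zcrypt_device_status_ext(), so ci->hwtype stays at the 0 left by the preceding memset; cca_serialnr_show only reads ci.serial, but nothing in the hunk tells other cca_get_info() callers that hwtype is not populated for AUTOSEL_DOM. A comment on the new `if`, e.g. `/* AUTOSEL_DOM: no specific apqn to query, ci->hwtype is left 0 */`, or a kerneldoc line on fetch_cca_info, would stop a future caller from trusting hwtype. In cca_serialnr_show the return value of cca_get_info() is still ignored, so a failed query yields an empty serial string indistinguishable from a genuinely empty one — pre-existing, but now reachable on more paths. fetch_cca_info starts outside the hunk.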
index e32df95d3279345cc5f54fc50c45484846f6f9a7..5bf27a97d31ba1025d6fee8ca3d6d27142851f9e 100644 (file)
@@ -167,3 +167,34 @@ smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch
 net-phy-register-phy-led_triggers-during-probe-to-avoid-ab-ba-deadlock.patch
 drm-amd-display-use-gfp_atomic-in-dc_create_stream_for_sink.patch
 net-sched-act_gate-snapshot-parameters-with-rcu-on-replace.patch
+s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch
+iomap-reject-delalloc-mappings-during-writeback.patch
+tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch
+pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch
+iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch
+btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch
+btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch
+smb-client-fix-atomic-open-with-o_direct-o_sync.patch
+smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch
+s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch
+xfs-ensure-dquot-item-is-deleted-from-ail-only-after-log-shutdown.patch
+xfs-fix-integer-overflow-in-bmap-intent-sort-comparator.patch
+crypto-atmel-sha204a-fix-oom-tfm_count-leak.patch
+drm-msm-fix-dma_free_attrs-buffer-size.patch
+arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch
+nfsd-define-exports_proc_ops-with-config_proc_fs.patch
+nfsd-hold-net-reference-for-the-lifetime-of-proc-fs-nfs-exports-fd.patch
+nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch
+mtd-partitions-redboot-fix-style-issues.patch
+mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch
+pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch
+iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch
+usb-roles-get-usb-role-switch-from-parent-only-for-usb-b-connector.patch
+usb-gadget-f_tcm-fix-null-pointer-dereferences-in-nexus-handling.patch
+can-gs_usb-gs_can_open-always-configure-bitrates-before-starting-device.patch
+kvm-svm-initialize-avic-vmcb-fields-if-avic-is-enabled-with-in-kernel-apic.patch
+alsa-pcm-fix-wait_time-calculations.patch
+alsa-pcm-fix-use-after-free-on-linked-stream-runtime-in-snd_pcm_drain.patch
+smb-client-compare-macs-in-constant-time.patch
+net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch
+staging-rtl8723bs-fix-null-dereference-in-find_network.patch
diff --git a/queue-5.10/smb-client-compare-macs-in-constant-time.patch b/queue-5.10/smb-client-compare-macs-in-constant-time.patch
new file mode 100644 (file)
index 0000000..8bcf852
--- /dev/null
@@ -0,0 +1,65 @@
+From stable+bounces-224558-greg=kroah.com@vger.kernel.org Tue Mar 10 20:51:21 2026
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Tue, 10 Mar 2026 12:51:10 -0700
+Subject: smb: client: Compare MACs in constant time
+To: stable@vger.kernel.org
+Cc: linux-crypto@vger.kernel.org, linux-cifs@vger.kernel.org, Eric Biggers <ebiggers@kernel.org>, "Paulo Alcantara (Red Hat)" <pc@manguebit.org>, Steve French <stfrench@microsoft.com>
+Message-ID: <20260310195110.70753-1-ebiggers@kernel.org>
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit 26bc83b88bbbf054f0980a4a42047a8d1e210e4c upstream.
+
+To prevent timing attacks, MAC comparisons need to be constant-time.
+Replace the memcmp() with the correct function, crypto_memneq().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifsencrypt.c   |    3 ++-
+ fs/cifs/smb2transport.c |    4 +++-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/cifsencrypt.c
++++ b/fs/cifs/cifsencrypt.c
+@@ -36,6 +36,7 @@
+ #include <linux/fips.h>
+ #include <crypto/arc4.h>
+ #include <crypto/aead.h>
++#include <crypto/algapi.h>
+ int __cifs_calc_signature(struct smb_rqst *rqst,
+                       struct TCP_Server_Info *server, char *signature,
+@@ -255,7 +256,7 @@ int cifs_verify_signature(struct smb_rqs
+ /*    cifs_dump_mem("what we think it should be: ",
+                     what_we_think_sig_should_be, 16); */
+-      if (memcmp(server_response_sig, what_we_think_sig_should_be, 8))
++      if (crypto_memneq(server_response_sig, what_we_think_sig_should_be, 8))
+               return -EACCES;
+       else
+               return 0;
+--- a/fs/cifs/smb2transport.c
++++ b/fs/cifs/smb2transport.c
+@@ -31,6 +31,7 @@
+ #include <asm/processor.h>
+ #include <linux/mempool.h>
+ #include <linux/highmem.h>
++#include <crypto/algapi.h>
+ #include <crypto/aead.h>
+ #include "smb2pdu.h"
+ #include "cifsglob.h"
+@@ -687,7 +688,8 @@ smb2_verify_signature(struct smb_rqst *r
+       if (rc)
+               return rc;
+-      if (memcmp(server_response_sig, shdr->Signature, SMB2_SIGNATURE_SIZE)) {
++      if (crypto_memneq(server_response_sig, shdr->Signature,
++                        SMB2_SIGNATURE_SIZE)) {
+               cifs_dbg(VFS, "sign fail cmd 0x%x message id 0x%llx\n",
+                       shdr->Command, shdr->MessageId);
+               return -EACCES;
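Review bot: The commented-out cifs_dump_mem() block directly above the new `crypto_memneq()` in cifs_verify_signature dumps 16 bytes while the live comparison covers 8, which is confusing next to a security-sensitive compare; since the hunk already touches this spot, dropping the dead comment, or replacing it with a one-line comment recording why the compared width is 8, would help. The bare 8 is the same magic-literal point raised on the tcp-md5 hunk. cifs_verify_signature and smb2_verify_signature both start outside the hunk.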
diff --git a/queue-5.10/smb-client-fix-atomic-open-with-o_direct-o_sync.patch b/queue-5.10/smb-client-fix-atomic-open-with-o_direct-o_sync.patch
new file mode 100644 (file)
index 0000000..b66c813
--- /dev/null
@@ -0,0 +1,111 @@
+From stable+bounces-227346-greg=kroah.com@vger.kernel.org Thu Mar 19 17:52:20 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 12:51:41 -0400
+Subject: smb: client: fix atomic open with O_DIRECT & O_SYNC
+To: stable@vger.kernel.org
+Cc: Paulo Alcantara <pc@manguebit.org>, David Howells <dhowells@redhat.com>, Henrique Carvalho <henrique.carvalho@suse.com>, Tom Talpey <tom@talpey.com>, linux-cifs@vger.kernel.org, Steve French <stfrench@microsoft.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319165141.2733759-1-sashal@kernel.org>
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+[ Upstream commit 4a7d2729dc99437dbb880a64c47828c0d191b308 ]
+
+When user application requests O_DIRECT|O_SYNC along with O_CREAT on
+open(2), CREATE_NO_BUFFER and CREATE_WRITE_THROUGH bits were missed in
+CREATE request when performing an atomic open, thus leading to
+potentially data integrity issues.
+
+Fix this by setting those missing bits in CREATE request when
+O_DIRECT|O_SYNC has been specified in cifs_do_create().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Reviewed-by: David Howells <dhowells@redhat.com>
+Acked-by: Henrique Carvalho <henrique.carvalho@suse.com>
+Cc: Tom Talpey <tom@talpey.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+[ adapted file paths from fs/smb/client/ to fs/cifs/ ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifsglob.h |   11 +++++++++++
+ fs/cifs/dir.c      |    1 +
+ fs/cifs/file.c     |   17 +++--------------
+ 3 files changed, 15 insertions(+), 14 deletions(-)
+
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -26,6 +26,7 @@
+ #include <linux/mm.h>
+ #include <linux/mempool.h>
+ #include <linux/workqueue.h>
++#include <linux/fcntl.h>
+ #include "cifs_fs_sb.h"
+ #include "cifsacl.h"
+ #include <crypto/internal/hash.h>
+@@ -2124,4 +2125,14 @@ static inline bool cifs_ses_exiting(stru
+       return ret;
+ }
++static inline int cifs_open_create_options(unsigned int oflags, int opts)
++{
++      /* O_SYNC also has bit for O_DSYNC so following check picks up either */
++      if (oflags & O_SYNC)
++              opts |= CREATE_WRITE_THROUGH;
++      if (oflags & O_DIRECT)
++              opts |= CREATE_NO_BUFFER;
++      return opts;
++}
++
+ #endif        /* _CIFS_GLOB_H */
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -348,6 +348,7 @@ cifs_do_create(struct inode *inode, stru
+               goto out;
+       }
++      create_options |= cifs_open_create_options(oflags, create_options);
+       /*
+        * if we're not using unix extensions, see if we need to set
+        * ATTR_READONLY on the create call
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -216,19 +216,13 @@ cifs_nt_open(char *full_path, struct ino
+  *********************************************************************/
+       disposition = cifs_get_disposition(f_flags);
+-
+       /* BB pass O_SYNC flag through on file attributes .. BB */
+       buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL);
+       if (!buf)
+               return -ENOMEM;
+-      /* O_SYNC also has bit for O_DSYNC so following check picks up either */
+-      if (f_flags & O_SYNC)
+-              create_options |= CREATE_WRITE_THROUGH;
+-
+-      if (f_flags & O_DIRECT)
+-              create_options |= CREATE_NO_BUFFER;
++      create_options |= cifs_open_create_options(f_flags, create_options);
+       oparms.tcon = tcon;
+       oparms.cifs_sb = cifs_sb;
+@@ -750,13 +744,8 @@ cifs_reopen_file(struct cifsFileInfo *cf
+       }
+       desired_access = cifs_convert_flags(cfile->f_flags);
+-
+-      /* O_SYNC also has bit for O_DSYNC so following check picks up either */
+-      if (cfile->f_flags & O_SYNC)
+-              create_options |= CREATE_WRITE_THROUGH;
+-
+-      if (cfile->f_flags & O_DIRECT)
+-              create_options |= CREATE_NO_BUFFER;
++      create_options |= cifs_open_create_options(cfile->f_flags,
++                                                 create_options);
+       if (server->ops->get_lease_key)
+               server->ops->get_lease_key(inode, &cfile->fid);
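Review bot: The call sites in dir.c and file.c OR the helper's result back into the variable they pass in, `create_options |= cifs_open_create_options(oflags, create_options);`, which is redundant because cifs_open_create_options() already returns `opts` with the new bits folded in; a plain assignment reads as intended, `create_options = cifs_open_create_options(oflags, create_options);` (likewise in cifs_nt_open and cifs_reopen_file). Behaviour is identical either way, so this is a style point only. The helper added to cifsglob.h would also benefit from a one-line header such as `/* Fold the O_SYNC/O_DIRECT open flags into the SMB CREATE options. */`. cifs_do_create, cifs_nt_open and cifs_reopen_file all start outside their hunks.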
diff --git a/queue-5.10/smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch b/queue-5.10/smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch
new file mode 100644 (file)
index 0000000..2bb0a3f
--- /dev/null
@@ -0,0 +1,97 @@
+From stable+bounces-227338-greg=kroah.com@vger.kernel.org Thu Mar 19 17:17:03 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 12:06:21 -0400
+Subject: smb: client: fix iface port assignment in parse_server_interfaces
+To: stable@vger.kernel.org
+Cc: Henrique Carvalho <henrique.carvalho@suse.com>, "Dr. Thomas Orgis" <thomas.orgis@uni-hamburg.de>, Enzo Matsumiya <ematsumiya@suse.de>, Steve French <stfrench@microsoft.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319160621.2651487-1-sashal@kernel.org>
+
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+
+[ Upstream commit d4c7210d2f3ea481a6481f03040a64d9077a6172 ]
+
+parse_server_interfaces() initializes interface socket addresses with
+CIFS_PORT. When the mount uses a non-default port this overwrites the
+configured destination port.
+
+Later, cifs_chan_update_iface() copies this sockaddr into server->dstaddr,
+causing reconnect attempts to use the wrong port after server interface
+updates.
+
+Use the existing port from server->dstaddr instead.
+
+Cc: stable@vger.kernel.org
+Fixes: fe856be475f7 ("CIFS: parse and store info on iface queries")
+Tested-by: Dr. Thomas Orgis <thomas.orgis@uni-hamburg.de>
+Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
+Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+[ adapted struct types, function signature, lock name, and file path ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2ops.c |   18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -437,7 +437,7 @@ smb3_negotiate_rsize(struct cifs_tcon *t
+ static int
+ parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf,
+-                      size_t buf_len,
++                      size_t buf_len, struct cifs_ses *ses,
+                       struct cifs_server_iface **iface_list,
+                       size_t *iface_count)
+ {
+@@ -447,6 +447,7 @@ parse_server_interfaces(struct network_i
+       struct iface_info_ipv4 *p4;
+       struct iface_info_ipv6 *p6;
+       struct cifs_server_iface *info;
++      __be16 port;
+       ssize_t bytes_left;
+       size_t next = 0;
+       int nb_iface = 0;
+@@ -493,6 +494,15 @@ parse_server_interfaces(struct network_i
+               goto out;
+       }
++      spin_lock(&cifs_tcp_ses_lock);
++      if (ses->server->dstaddr.ss_family == AF_INET)
++              port = ((struct sockaddr_in *)&ses->server->dstaddr)->sin_port;
++      else if (ses->server->dstaddr.ss_family == AF_INET6)
++              port = ((struct sockaddr_in6 *)&ses->server->dstaddr)->sin6_port;
++      else
++              port = cpu_to_be16(CIFS_PORT);
++      spin_unlock(&cifs_tcp_ses_lock);
++
+       info = *iface_list;
+       bytes_left = buf_len;
+       p = buf;
+@@ -519,7 +529,7 @@ parse_server_interfaces(struct network_i
+                       memcpy(&addr4->sin_addr, &p4->IPv4Address, 4);
+                       /* [MS-SMB2] 2.2.32.5.1.1 Clients MUST ignore these */
+-                      addr4->sin_port = cpu_to_be16(CIFS_PORT);
++                      addr4->sin_port = port;
+                       cifs_dbg(FYI, "%s: ipv4 %pI4\n", __func__,
+                                &addr4->sin_addr);
+@@ -533,7 +543,7 @@ parse_server_interfaces(struct network_i
+                       /* [MS-SMB2] 2.2.32.5.1.2 Clients MUST ignore these */
+                       addr6->sin6_flowinfo = 0;
+                       addr6->sin6_scope_id = 0;
+-                      addr6->sin6_port = cpu_to_be16(CIFS_PORT);
++                      addr6->sin6_port = port;
+                       cifs_dbg(FYI, "%s: ipv6 %pI6\n", __func__,
+                                &addr6->sin6_addr);
+@@ -600,7 +610,7 @@ SMB3_request_interfaces(const unsigned i
+               goto out;
+       }
+-      rc = parse_server_interfaces(out_buf, ret_data_len,
++      rc = parse_server_interfaces(out_buf, ret_data_len, ses,
+                                    &iface_list, &iface_count);
+       if (rc)
+               goto out;
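Review bot: The port-selection block added to parse_server_interfaces() has no comment explaining why the server's current destination port is copied into every interface address, so the reason for not using CIFS_PORT is only recoverable from the commit message. A short comment above the `spin_lock(&cifs_tcp_ses_lock);` line would keep the intent in the code, e.g. `/* Keep the mount's destination port: cifs_chan_update_iface() later copies this sockaddr into server->dstaddr, so CIFS_PORT here would break reconnects on non-default ports. */`. The fallback to `cpu_to_be16(CIFS_PORT)` for a family other than AF_INET/AF_INET6 is silent; if that case is considered unreachable, saying so in the same comment would help. The enclosing function continues outside the hunk.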
diff --git a/queue-5.10/staging-rtl8723bs-fix-null-dereference-in-find_network.patch b/queue-5.10/staging-rtl8723bs-fix-null-dereference-in-find_network.patch
new file mode 100644 (file)
index 0000000..9c6a37b
--- /dev/null
@@ -0,0 +1,43 @@
+From ethantidmore06@gmail.com Tue Mar 10 03:48:36 2026
+From: Ethan Tidmore <ethantidmore06@gmail.com>
+Date: Mon,  9 Mar 2026 21:48:15 -0500
+Subject: staging: rtl8723bs: fix null dereference in find_network
+To: stable@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, sashal@kernel.org, Ethan Tidmore <ethantidmore06@gmail.com>
+Message-ID: <20260310024815.53668-1-ethantidmore06@gmail.com>
+
+From: Ethan Tidmore <ethantidmore06@gmail.com>
+
+[ Upstream commit 41460a19654c32d39fd0e3a3671cd8d4b7b8479f ]
+
+The variable pwlan has the possibility of being NULL when passed into
+rtw_free_network_nolock() which would later dereference the variable.
+
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
+Link: https://patch.msgid.link/20260202205429.20181-1-ethantidmore06@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_mlme.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
++++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
+@@ -967,10 +967,12 @@ static void find_network(struct adapter
+       struct wlan_network *tgt_network = &pmlmepriv->cur_network;
+       pwlan = rtw_find_network(&pmlmepriv->scanned_queue, tgt_network->network.MacAddress);
+-      if (pwlan)
+-              pwlan->fixed = false;
+-      else
++      if (!pwlan) {
+               RT_TRACE(_module_rtl871x_mlme_c_, _drv_err_, ("rtw_free_assoc_resources : pwlan == NULL\n\n"));
++              return;
++      }
++
++      pwlan->fixed = false;
+       if (check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE) &&
+           (adapter->stapriv.asoc_sta_count == 1))
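Review bot: The trace message kept on the rewritten `if (!pwlan)` branch still reads `rtw_free_assoc_resources : pwlan == NULL`, although the hunk header shows the enclosing function is find_network, so the log line names the wrong function. Since the branch is rewritten anyway, `RT_TRACE(_module_rtl871x_mlme_c_, _drv_err_, ("%s: pwlan == NULL\n\n", __func__));` would keep it accurate; this is cosmetic and does not affect the fix. The early return now also skips the WIFI_ADHOC_MASTER_STATE handling below when no network is found, which appears to be the intent. find_network's body continues outside the hunk.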
diff --git a/queue-5.10/tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch b/queue-5.10/tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch
new file mode 100644 (file)
index 0000000..07dec89
--- /dev/null
@@ -0,0 +1,123 @@
+From stable+bounces-227030-greg=kroah.com@vger.kernel.org Wed Mar 18 12:42:18 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 07:42:11 -0400
+Subject: tracing: Fix syscall events activation by ensuring refcount hits zero
+To: stable@vger.kernel.org
+Cc: Huiwen He <hehuiwen@kylinos.cn>, Masami Hiramatsu <mhiramat@kernel.org>, Mathieu Desnoyers <mathieu.desnoyers@efficios.com>, "Steven Rostedt (Google)" <rostedt@goodmis.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260318114212.632889-1-sashal@kernel.org>
+
+From: Huiwen He <hehuiwen@kylinos.cn>
+
+[ Upstream commit 0a663b764dbdf135a126284f454c9f01f95a87d4 ]
+
+When multiple syscall events are specified in the kernel command line
+(e.g., trace_event=syscalls:sys_enter_openat,syscalls:sys_enter_close),
+they are often not captured after boot, even though they appear enabled
+in the tracing/set_event file.
+
+The issue stems from how syscall events are initialized. Syscall
+tracepoints require the global reference count (sys_tracepoint_refcount)
+to transition from 0 to 1 to trigger the registration of the syscall
+work (TIF_SYSCALL_TRACEPOINT) for tasks, including the init process (pid 1).
+
+The current implementation of early_enable_events() with disable_first=true
+used an interleaved sequence of "Disable A -> Enable A -> Disable B -> Enable B".
+If multiple syscalls are enabled, the refcount never drops to zero,
+preventing the 0->1 transition that triggers actual registration.
+
+Fix this by splitting early_enable_events() into two distinct phases:
+1. Disable all events specified in the buffer.
+2. Enable all events specified in the buffer.
+
+This ensures the refcount hits zero before re-enabling, allowing syscall
+events to be properly activated during early boot.
+
+The code is also refactored to use a helper function to avoid logic
+duplication between the disable and enable phases.
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Link: https://patch.msgid.link/20260224023544.1250787-1-hehuiwen@kylinos.cn
+Fixes: ce1039bd3a89 ("tracing: Fix enabling of syscall events on the command line")
+Signed-off-by: Huiwen He <hehuiwen@kylinos.cn>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events.c |   51 +++++++++++++++++++++++++++++++-------------
+ 1 file changed, 36 insertions(+), 15 deletions(-)
+
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -3393,27 +3393,23 @@ static __init int event_trace_memsetup(v
+       return 0;
+ }
+-static __init void
+-early_enable_events(struct trace_array *tr, bool disable_first)
++/*
++ * Helper function to enable or disable a comma-separated list of events
++ * from the bootup buffer.
++ */
++static __init void __early_set_events(struct trace_array *tr, bool enable)
+ {
+       char *buf = bootup_event_buf;
+       char *token;
+-      int ret;
+-
+-      while (true) {
+-              token = strsep(&buf, ",");
+-
+-              if (!token)
+-                      break;
++      while ((token = strsep(&buf, ","))) {
+               if (*token) {
+-                      /* Restarting syscalls requires that we stop them first */
+-                      if (disable_first)
++                      if (enable) {
++                              if (ftrace_set_clr_event(tr, token, 1))
++                                      pr_warn("Failed to enable trace event: %s\n", token);
++                      } else {
+                               ftrace_set_clr_event(tr, token, 0);
+-
+-                      ret = ftrace_set_clr_event(tr, token, 1);
+-                      if (ret)
+-                              pr_warn("Failed to enable trace event: %s\n", token);
++                      }
+               }
+               /* Put back the comma to allow this to be called again */
+@@ -3422,6 +3418,31 @@ early_enable_events(struct trace_array *
+       }
+ }
++/**
++ * early_enable_events - enable events from the bootup buffer
++ * @tr: The trace array to enable the events in
++ * @disable_first: If true, disable all events before enabling them
++ *
++ * This function enables events from the bootup buffer. If @disable_first
++ * is true, it will first disable all events in the buffer before enabling
++ * them.
++ *
++ * For syscall events, which rely on a global refcount to register the
++ * SYSCALL_WORK_SYSCALL_TRACEPOINT flag (especially for pid 1), we must
++ * ensure the refcount hits zero before re-enabling them. A simple
++ * "disable then enable" per-event is not enough if multiple syscalls are
++ * used, as the refcount will stay above zero. Thus, we need a two-phase
++ * approach: disable all, then enable all.
++ */
++static __init void
++early_enable_events(struct trace_array *tr, bool disable_first)
++{
++      if (disable_first)
++              __early_set_events(tr, false);
++
++      __early_set_events(tr, true);
++}
++
+ static __init int event_trace_enable(void)
+ {
+       struct trace_array *tr = top_trace_array();
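Review bot: The new kernel-doc comment on early_enable_events() names `SYSCALL_WORK_SYSCALL_TRACEPOINT`, but the patch's own description for this 5.10 backport refers to the thread-info flag `TIF_SYSCALL_TRACEPOINT`; the SYSCALL_WORK_* flags were introduced in a later kernel, so the comment as backported most likely references a symbol that does not exist in this tree. Changing that line to `* TIF_SYSCALL_TRACEPOINT flag (especially for pid 1), we must` keeps the comment consistent with the description. In the disable phase of __early_set_events() the return value of `ftrace_set_clr_event(tr, token, 0)` is still dropped without a warning, which matches the prior behaviour but could use a one-line comment stating that it is intentional.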
diff --git a/queue-5.10/usb-gadget-f_tcm-fix-null-pointer-dereferences-in-nexus-handling.patch b/queue-5.10/usb-gadget-f_tcm-fix-null-pointer-dereferences-in-nexus-handling.patch
new file mode 100644 (file)
index 0000000..896fa91
--- /dev/null
@@ -0,0 +1,75 @@
+From sashal@kernel.org Mon Mar 16 22:23:28 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 17:23:25 -0400
+Subject: usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
+To: stable@vger.kernel.org
+Cc: Jiasheng Jiang <jiashengjiangcool@gmail.com>, stable <stable@kernel.org>, Thinh Nguyen <Thinh.Nguyen@synopsys.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260316212325.1415578-1-sashal@kernel.org>
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+[ Upstream commit b9fde507355342a2d64225d582dc8b98ff5ecb19 ]
+
+The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically
+managed and tied to userspace configuration via ConfigFS. It can be
+NULL if the USB host sends requests before the nexus is fully
+established or immediately after it is dropped.
+
+Currently, functions like `bot_submit_command()` and the data
+transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately
+dereference `tv_nexus->tvn_se_sess` without any validation. If a
+malicious or misconfigured USB host sends a BOT (Bulk-Only Transport)
+command during this race window, it triggers a NULL pointer
+dereference, leading to a kernel panic (local DoS).
+
+This exposes an inconsistent API usage within the module, as peer
+functions like `usbg_submit_command()` and `bot_send_bad_response()`
+correctly implement a NULL check for `tv_nexus` before proceeding.
+
+Fix this by bringing consistency to the nexus handling. Add the
+missing `if (!tv_nexus)` checks to the vulnerable BOT command and
+request processing paths, aborting the command gracefully with an
+error instead of crashing the system.
+
+Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Reviewed-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://patch.msgid.link/20260219023834.17976-1-jiashengjiangcool@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_tcm.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/usb/gadget/function/f_tcm.c
++++ b/drivers/usb/gadget/function/f_tcm.c
+@@ -1032,6 +1032,13 @@ static void usbg_cmd_work(struct work_st
+       se_cmd = &cmd->se_cmd;
+       tpg = cmd->fu->tpg;
+       tv_nexus = tpg->tpg_nexus;
++      if (!tv_nexus) {
++              struct usb_gadget *gadget = fuas_to_gadget(cmd->fu);
++
++              dev_err(&gadget->dev, "Missing nexus, ignoring command\n");
++              return;
++      }
++
+       dir = get_cmd_dir(cmd->cmd_buf);
+       if (dir < 0) {
+               transport_init_se_cmd(se_cmd,
+@@ -1162,6 +1169,13 @@ static void bot_cmd_work(struct work_str
+       se_cmd = &cmd->se_cmd;
+       tpg = cmd->fu->tpg;
+       tv_nexus = tpg->tpg_nexus;
++      if (!tv_nexus) {
++              struct usb_gadget *gadget = fuas_to_gadget(cmd->fu);
++
++              dev_err(&gadget->dev, "Missing nexus, ignoring command\n");
++              return;
++      }
++
+       dir = get_cmd_dir(cmd->cmd_buf);
+       if (dir < 0) {
+               transport_init_se_cmd(se_cmd,
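Review bot: The new `if (!tv_nexus)` checks in usbg_cmd_work() and bot_cmd_work() return without releasing `cmd`, whereas the existing check in usbg_submit_command() that the description cites runs before the command is obtained. By the time these work functions run the command has already been allocated and queued, so a bare `return` appears to drop it without going through the completion/free path that the other error branches in these functions use; please confirm that the command (and any tag or request it holds) is released elsewhere on this path, or route the early exit through the function's existing cleanup. The same point applies to both hunks of this file. Both enclosing functions start and end outside the hunks.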
diff --git a/queue-5.10/usb-roles-get-usb-role-switch-from-parent-only-for-usb-b-connector.patch b/queue-5.10/usb-roles-get-usb-role-switch-from-parent-only-for-usb-b-connector.patch
new file mode 100644 (file)
index 0000000..dccbace
--- /dev/null
@@ -0,0 +1,60 @@
+From stable+bounces-225712-greg=kroah.com@vger.kernel.org Mon Mar 16 23:29:37 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 18:28:15 -0400
+Subject: usb: roles: get usb role switch from parent only for usb-b-connector
+To: stable@vger.kernel.org
+Cc: Xu Yang <xu.yang_2@nxp.com>, stable <stable@kernel.org>, Arnaud Ferraris <arnaud.ferraris@collabora.com>, Heikki Krogerus <heikki.krogerus@linux.intel.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260316222815.1434974-1-sashal@kernel.org>
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+[ Upstream commit 8345b1539faa49fcf9c9439c3cbd97dac6eca171 ]
+
+usb_role_switch_is_parent() was walking up to the parent node and checking
+for the "usb-role-switch" property regardless of the type of the passed
+fwnode. This could cause unrelated device nodes to be probed as potential
+role switch parent, leading to spurious matches and "-EPROBE_DEFER" being
+returned infinitely.
+
+Till now only Type-B connector node will have a parent node which may
+present "usb-role-switch" property and register the role switch device.
+For Type-C connector node, its parent node will always be a Type-C chip
+device which will never register the role switch device. However, it may
+still present a non-boolean "usb-role-switch = <&usb_controller>" property
+for historical compatibility.
+
+So restrict the helper to only operate on Type-B connector when attempting
+to get the role switch from parent node.
+
+Fixes: 6fadd72943b8 ("usb: roles: get usb-role-switch from parent")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Tested-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://patch.msgid.link/20260309074313.2809867-3-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ replace fwnode_device_is_compatible() call with it's expansion ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/roles/class.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/roles/class.c
++++ b/drivers/usb/roles/class.c
+@@ -108,9 +108,14 @@ static void *usb_role_switch_match(struc
+ static struct usb_role_switch *
+ usb_role_switch_is_parent(struct fwnode_handle *fwnode)
+ {
+-      struct fwnode_handle *parent = fwnode_get_parent(fwnode);
++      struct fwnode_handle *parent;
+       struct device *dev;
++      if (fwnode_property_match_string(fwnode, "compatible", "usb-b-connector") < 0)
++              return NULL;
++
++      parent = fwnode_get_parent(fwnode);
++
+       if (!fwnode_property_present(parent, "usb-role-switch")) {
+               fwnode_handle_put(parent);
+               return NULL;
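Review bot: The new compatible check in usb_role_switch_is_parent() carries no comment, and because the backport expanded fwnode_device_is_compatible() by hand, the intent (only a Type-B connector node has a parent that can register the role switch) is now only recoverable from the commit message. A comment above the check, such as `/* Only a usb-b-connector's parent may register the role switch; Type-C nodes carry a non-boolean "usb-role-switch" for compatibility and must not be probed. */`, would preserve it in the code. The rest of usb_role_switch_is_parent() continues outside the hunk.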
diff --git a/queue-5.10/xfs-ensure-dquot-item-is-deleted-from-ail-only-after-log-shutdown.patch b/queue-5.10/xfs-ensure-dquot-item-is-deleted-from-ail-only-after-log-shutdown.patch
new file mode 100644 (file)
index 0000000..8b5c419
--- /dev/null
@@ -0,0 +1,70 @@
+From stable+bounces-227271-greg=kroah.com@vger.kernel.org Thu Mar 19 12:48:22 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 07:40:01 -0400
+Subject: xfs: ensure dquot item is deleted from AIL only after log shutdown
+To: stable@vger.kernel.org
+Cc: Long Li <leo.lilong@huawei.com>, Carlos Maiolino <cmaiolino@redhat.com>, Christoph Hellwig <hch@lst.de>, Carlos Maiolino <cem@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319114001.2348820-1-sashal@kernel.org>
+
+From: Long Li <leo.lilong@huawei.com>
+
+[ Upstream commit 186ac39b8a7d3ec7ce9c5dd45e5c2730177f375c ]
+
+In xfs_qm_dqflush(), when a dquot flush fails due to corruption
+(the out_abort error path), the original code removed the dquot log
+item from the AIL before calling xfs_force_shutdown(). This ordering
+introduces a subtle race condition that can lead to data loss after
+a crash.
+
+The AIL tracks the oldest dirty metadata in the journal. The position
+of the tail item in the AIL determines the log tail LSN, which is the
+oldest LSN that must be preserved for crash recovery. When an item is
+removed from the AIL, the log tail can advance past the LSN of that item.
+
+The race window is as follows: if the dquot item happens to be at
+the tail of the log, removing it from the AIL allows the log tail
+to advance. If a concurrent log write is sampling the tail LSN at
+the same time and subsequently writes a complete checkpoint (i.e.,
+one containing a commit record) to disk before the shutdown takes
+effect, the journal will no longer protect the dquot's last
+modification. On the next mount, log recovery will not replay the
+dquot changes, even though they were never written back to disk,
+resulting in silent data loss.
+
+Fix this by calling xfs_force_shutdown() before xfs_trans_ail_delete()
+in the out_abort path. Once the log is shut down, no new log writes
+can complete with an updated tail LSN, making it safe to remove the
+dquot item from the AIL.
+
+Cc: stable@vger.kernel.org
+Fixes: b707fffda6a3 ("xfs: abort consistently on dquot flush failure")
+Signed-off-by: Long Li <leo.lilong@huawei.com>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Carlos Maiolino <cem@kernel.org>
+[ adapted error path to preserve existing out_unlock label between xfs_trans_ail_delete and xfs_dqfunlock ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_dquot.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_dquot.c
++++ b/fs/xfs/xfs_dquot.c
+@@ -1324,9 +1324,15 @@ xfs_qm_dqflush(
+       return 0;
+ out_abort:
++      /*
++       * Shut down the log before removing the dquot item from the AIL.
++       * Otherwise, the log tail may advance past this item's LSN while
++       * log writes are still in progress, making these unflushed changes
++       * unrecoverable on the next mount.
++       */
++      xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
+       dqp->q_flags &= ~XFS_DQFLAG_DIRTY;
+       xfs_trans_ail_delete(lip, 0);
+-      xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
+ out_unlock:
+       xfs_dqfunlock(dqp);
+       return error;
diff --git a/queue-5.10/xfs-fix-integer-overflow-in-bmap-intent-sort-comparator.patch b/queue-5.10/xfs-fix-integer-overflow-in-bmap-intent-sort-comparator.patch
new file mode 100644 (file)
index 0000000..a90edb0
--- /dev/null
@@ -0,0 +1,44 @@
+From stable+bounces-227273-greg=kroah.com@vger.kernel.org Thu Mar 19 12:43:23 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 07:40:07 -0400
+Subject: xfs: fix integer overflow in bmap intent sort comparator
+To: stable@vger.kernel.org
+Cc: Long Li <leo.lilong@huawei.com>, "Darrick J. Wong" <djwong@kernel.org>, Carlos Maiolino <cem@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319114007.2348969-1-sashal@kernel.org>
+
+From: Long Li <leo.lilong@huawei.com>
+
+[ Upstream commit 362c490980867930a098b99f421268fbd7ca05fd ]
+
+xfs_bmap_update_diff_items() sorts bmap intents by inode number using
+a subtraction of two xfs_ino_t (uint64_t) values, with the result
+truncated to int. This is incorrect when two inode numbers differ by
+more than INT_MAX (2^31 - 1), which is entirely possible on large XFS
+filesystems.
+
+Fix this by replacing the subtraction with cmp_int().
+
+Cc: <stable@vger.kernel.org> # v4.9
+Fixes: 9f3afb57d5f1 ("xfs: implement deferred bmbt map/unmap operations")
+Signed-off-by: Long Li <leo.lilong@huawei.com>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Signed-off-by: Carlos Maiolino <cem@kernel.org>
+[ replaced `bi_entry()` macro with `container_of()` and inlined `cmp_int()` as a manual three-way comparison expression ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_bmap_item.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_bmap_item.c
++++ b/fs/xfs/xfs_bmap_item.c
+@@ -273,7 +273,8 @@ xfs_bmap_update_diff_items(
+       ba = container_of(a, struct xfs_bmap_intent, bi_list);
+       bb = container_of(b, struct xfs_bmap_intent, bi_list);
+-      return ba->bi_owner->i_ino - bb->bi_owner->i_ino;
++      return (ba->bi_owner->i_ino > bb->bi_owner->i_ino) -
++              (ba->bi_owner->i_ino < bb->bi_owner->i_ino);
+ }
+ /* Set the map extent flags for this mapping. */
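Review bot: The replacement comparator in xfs_bmap_update_diff_items() is correct but unexplained; a reader seeing the `(a > b) - (a < b)` form may be tempted to "simplify" it back to the subtraction this patch removes. A comment on the return, e.g. `/* Three-way compare: i_ino is 64-bit, so a subtraction truncated to int mis-sorts inodes that are far apart. */`, records why the open-coded form is used in this tree. The function's start lies outside the hunk.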