--- /dev/null
+From d6db827b430bdcca3976cebca7bd69cca03cde2c Mon Sep 17 00:00:00 2001
+From: Ravi Hothi <ravi.hothi@oss.qualcomm.com>
+Date: Fri, 27 Feb 2026 20:15:34 +0530
+Subject: ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start
+
+From: Ravi Hothi <ravi.hothi@oss.qualcomm.com>
+
+commit d6db827b430bdcca3976cebca7bd69cca03cde2c upstream.
+
+During ADSP stop and start, the kernel crashes due to the order in which
+ASoC components are removed.
+
+On ADSP stop, the q6apm-audio .remove callback unloads topology and removes
+PCM runtimes during ASoC teardown. This deletes the RTDs that contain the
+q6apm DAI components before their removal pass runs, leaving those
+components still linked to the card and causing crashes on the next rebind.
+
+Fix this by ensuring that all dependent (child) components are removed
+first, and the q6apm component is removed last.
+
+[ 48.105720] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0
+[ 48.114763] Mem abort info:
+[ 48.117650] ESR = 0x0000000096000004
+[ 48.121526] EC = 0x25: DABT (current EL), IL = 32 bits
+[ 48.127010] SET = 0, FnV = 0
+[ 48.130172] EA = 0, S1PTW = 0
+[ 48.133415] FSC = 0x04: level 0 translation fault
+[ 48.138446] Data abort info:
+[ 48.141422] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+[ 48.147079] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+[ 48.152354] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+[ 48.157859] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001173cf000
+[ 48.164517] [00000000000000d0] pgd=0000000000000000, p4d=0000000000000000
+[ 48.171530] Internal error: Oops: 0000000096000004 [#1] SMP
+[ 48.177348] Modules linked in: q6prm_clocks q6apm_lpass_dais q6apm_dai snd_q6dsp_common q6prm snd_q6apm 8021q garp mrp stp llc snd_soc_hdmi_codec apr pdr_interface phy_qcom_edp fastrpc qcom_pd_mapper rpmsg_ctrl qrtr_smd rpmsg_char qcom_pdr_msg qcom_iris v4l2_mem2mem videobuf2_dma_contig ath11k_pci msm ubwc_config at24 ath11k videobuf2_memops mac80211 ocmem videobuf2_v4l2 libarc4 drm_gpuvm mhi qrtr videodev drm_exec snd_soc_sc8280xp gpu_sched videobuf2_common nvmem_qcom_spmi_sdam snd_soc_qcom_sdw drm_dp_aux_bus qcom_q6v5_pas qcom_spmi_temp_alarm snd_soc_qcom_common rtc_pm8xxx qcom_pon drm_display_helper cec qcom_pil_info qcom_stats soundwire_bus drm_client_lib mc dispcc0_sa8775p videocc_sa8775p qcom_q6v5 camcc_sa8775p snd_soc_dmic phy_qcom_sgmii_eth snd_soc_max98357a i2c_qcom_geni snd_soc_core dwmac_qcom_ethqos llcc_qcom icc_bwmon qcom_sysmon snd_compress qcom_refgen_regulator coresight_stm stmmac_platform snd_pcm_dmaengine qcom_common coresight_tmc stmmac coresight_replicator qcom_glink_smem coresight_cti stm_core
+[ 48.177444] coresight_funnel snd_pcm ufs_qcom phy_qcom_qmp_usb gpi phy_qcom_snps_femto_v2 coresight phy_qcom_qmp_ufs qcom_wdt gpucc_sa8775p pcs_xpcs mdt_loader qcom_ice icc_osm_l3 qmi_helpers snd_timer snd soundcore display_connector qcom_rng nvmem_reboot_mode drm_kms_helper phy_qcom_qmp_pcie sha256 cfg80211 rfkill socinfo fuse drm backlight ipv6
+[ 48.301059] CPU: 2 UID: 0 PID: 293 Comm: kworker/u32:2 Not tainted 6.19.0-rc6-dirty #10 PREEMPT
+[ 48.310081] Hardware name: Qualcomm Technologies, Inc. Lemans EVK (DT)
+[ 48.316782] Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]
+[ 48.323672] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 48.330825] pc : mutex_lock+0xc/0x54
+[ 48.334514] lr : soc_dapm_shutdown_dapm+0x44/0x174 [snd_soc_core]
+[ 48.340794] sp : ffff800084ddb7b0
+[ 48.344207] x29: ffff800084ddb7b0 x28: ffff00009cd9cf30 x27: ffff00009cd9cc00
+[ 48.351544] x26: ffff000099610190 x25: ffffa31d2f19c810 x24: ffffa31d2f185098
+[ 48.358869] x23: ffff800084ddb7f8 x22: 0000000000000000 x21: 00000000000000d0
+[ 48.366198] x20: ffff00009ba6c338 x19: ffff00009ba6c338 x18: 00000000ffffffff
+[ 48.373528] x17: 000000040044ffff x16: ffffa31d4ae6dca8 x15: 072007740775076f
+[ 48.380853] x14: 0765076d07690774 x13: 00313a323a656369 x12: 767265733a637673
+[ 48.388182] x11: 00000000000003f9 x10: ffffa31d4c7dea98 x9 : 0000000000000001
+[ 48.395519] x8 : ffff00009a2aadc0 x7 : 0000000000000003 x6 : 0000000000000000
+[ 48.402854] x5 : 0000000000000000 x4 : 0000000000000028 x3 : ffff000ef397a698
+[ 48.410180] x2 : ffff00009a2aadc0 x1 : 0000000000000000 x0 : 00000000000000d0
+[ 48.417506] Call trace:
+[ 48.420025] mutex_lock+0xc/0x54 (P)
+[ 48.423712] snd_soc_dapm_shutdown+0x44/0xbc [snd_soc_core]
+[ 48.429447] soc_cleanup_card_resources+0x30/0x2c0 [snd_soc_core]
+[ 48.435719] snd_soc_bind_card+0x4dc/0xcc0 [snd_soc_core]
+[ 48.441278] snd_soc_add_component+0x27c/0x2c8 [snd_soc_core]
+[ 48.447192] snd_soc_register_component+0x9c/0xf4 [snd_soc_core]
+[ 48.453371] devm_snd_soc_register_component+0x64/0xc4 [snd_soc_core]
+[ 48.459994] apm_probe+0xb4/0x110 [snd_q6apm]
+[ 48.464479] apr_device_probe+0x24/0x40 [apr]
+[ 48.468964] really_probe+0xbc/0x298
+[ 48.472651] __driver_probe_device+0x78/0x12c
+[ 48.477132] driver_probe_device+0x40/0x160
+[ 48.481435] __device_attach_driver+0xb8/0x134
+[ 48.486011] bus_for_each_drv+0x80/0xdc
+[ 48.489964] __device_attach+0xa8/0x1b0
+[ 48.493916] device_initial_probe+0x50/0x54
+[ 48.498219] bus_probe_device+0x38/0xa0
+[ 48.502170] device_add+0x590/0x760
+[ 48.505761] device_register+0x20/0x30
+[ 48.509623] of_register_apr_devices+0x1d8/0x318 [apr]
+[ 48.514905] apr_pd_status+0x2c/0x54 [apr]
+[ 48.519114] pdr_notifier_work+0x8c/0xe0 [pdr_interface]
+[ 48.524570] process_one_work+0x150/0x294
+[ 48.528692] worker_thread+0x2d8/0x3d8
+[ 48.532551] kthread+0x130/0x204
+[ 48.535874] ret_from_fork+0x10/0x20
+[ 48.539559] Code: d65f03c0 d5384102 d503201f d2800001 (c8e17c02)
+[ 48.545823] ---[ end trace 0000000000000000 ]---
+
+Fixes: 5477518b8a0e ("ASoC: qdsp6: audioreach: add q6apm support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ravi Hothi <ravi.hothi@oss.qualcomm.com>
+Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260227144534.278568-1-ravi.hothi@oss.qualcomm.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6apm-dai.c | 1 +
+ sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 1 +
+ sound/soc/qcom/qdsp6/q6apm.c | 1 +
+ 3 files changed, 3 insertions(+)
+
+--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
++++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
+@@ -838,6 +838,7 @@ static const struct snd_soc_component_dr
+ .ack = q6apm_dai_ack,
+ .compress_ops = &q6apm_dai_compress_ops,
+ .use_dai_pcm_id = true,
++ .remove_order = SND_SOC_COMP_ORDER_EARLY,
+ };
+
+ static int q6apm_dai_probe(struct platform_device *pdev)
+--- a/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
++++ b/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
+@@ -278,6 +278,7 @@ static const struct snd_soc_component_dr
+ .of_xlate_dai_name = q6dsp_audio_ports_of_xlate_dai_name,
+ .be_pcm_base = AUDIOREACH_BE_PCM_BASE,
+ .use_dai_pcm_id = true,
++ .remove_order = SND_SOC_COMP_ORDER_FIRST,
+ };
+
+ static int q6apm_lpass_dai_dev_probe(struct platform_device *pdev)
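Review bot: The two child components are given different slots with no stated reason: this hunk removes q6apm-lpass-dais at SND_SOC_COMP_ORDER_FIRST while the previous hunk removes q6apm-dai at SND_SOC_COMP_ORDER_EARLY, and the commit message only says that children must go before the q6apm component. If the LPASS DAI component (presumably the back-end side, given `.be_pcm_base` two lines up) really has to be torn down before the PCM/compress component, a comment at this line should say so, e.g. `/* removed before q6apm-dai and well before q6apm, which deletes the RTDs */`; if it does not, both children could use the same value and the contract would be easier to audit. As it stands the three values live in three files with nothing cross-referencing them.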
+--- a/sound/soc/qcom/qdsp6/q6apm.c
++++ b/sound/soc/qcom/qdsp6/q6apm.c
+@@ -712,6 +712,7 @@ static const struct snd_soc_component_dr
+ .name = APM_AUDIO_DRV_NAME,
+ .probe = q6apm_audio_probe,
+ .remove = q6apm_audio_remove,
++ .remove_order = SND_SOC_COMP_ORDER_LAST,
+ };
+
+ static int apm_probe(gpr_device_t *gdev)
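Review bot: This one-line initializer now carries the whole teardown contract described in the commit message, but nothing at the site records it, so the next person touching q6apm_audio_remove() has no hint that the removal order is load-bearing. I would add, above `.remove_order = SND_SOC_COMP_ORDER_LAST,`: `/* Must go last: q6apm_audio_remove() unloads the topology and deletes the PCM runtimes that the q6apm-dai and q6apm-lpass-dais components still reference. */`. The component driver struct starts before this hunk.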
--- /dev/null
+From 43323a5934b660afae687e8e4e95ac328615a5c4 Mon Sep 17 00:00:00 2001
+From: Max Kellermann <max.kellermann@ionos.com>
+Date: Tue, 24 Feb 2026 14:10:29 +0100
+Subject: ceph: add a bunch of missing ceph_path_info initializers
+
+From: Max Kellermann <max.kellermann@ionos.com>
+
+commit 43323a5934b660afae687e8e4e95ac328615a5c4 upstream.
+
+ceph_mdsc_build_path() must be called with a zero-initialized
+ceph_path_info parameter, or else the following
+ceph_mdsc_free_path_info() may crash.
+
+Example crash (on Linux 6.18.12):
+
+ virt_to_cache: Object is not a Slab page!
+ WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6732 kmem_cache_free+0x316/0x400
+ [...]
+ Call Trace:
+ [...]
+ ceph_open+0x13d/0x3e0
+ do_dentry_open+0x134/0x480
+ vfs_open+0x2a/0xe0
+ path_openat+0x9a3/0x1160
+ [...]
+ cache_from_obj: Wrong slab cache. names_cache but object is from ceph_inode_info
+ WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6746 kmem_cache_free+0x2dd/0x400
+ [...]
+ kernel BUG at mm/slub.c:634!
+ Oops: invalid opcode: 0000 [#1] SMP NOPTI
+ RIP: 0010:__slab_free+0x1a4/0x350
+
+Some of the ceph_mdsc_build_path() callers had initializers, but
+others had not, even though they were all added by commit 15f519e9f883
+("ceph: fix race condition validating r_parent before applying state").
+The ones without an initializer are susceptible to random crashes. (I can
+imagine it could even be possible to exploit this bug to elevate
+privileges.)
+
+Unfortunately, these Ceph functions are undocumented and its semantics
+can only be derived from the code. I see that ceph_mdsc_build_path()
+initializes the structure only on success, but not on error.
+
+Calling ceph_mdsc_free_path_info() after a failed
+ceph_mdsc_build_path() call does not even make sense, but that's what
+all callers do, and for it to be safe, the structure must be
+zero-initialized. The least intrusive approach to fix this is
+therefore to add initializers everywhere.
+
+Cc: stable@vger.kernel.org
+Fixes: 15f519e9f883 ("ceph: fix race condition validating r_parent before applying state")
+Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/debugfs.c | 4 ++--
+ fs/ceph/dir.c | 2 +-
+ fs/ceph/file.c | 4 ++--
+ fs/ceph/inode.c | 2 +-
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/fs/ceph/debugfs.c
++++ b/fs/ceph/debugfs.c
+@@ -79,7 +79,7 @@ static int mdsc_show(struct seq_file *s,
+ if (req->r_inode) {
+ seq_printf(s, " #%llx", ceph_ino(req->r_inode));
+ } else if (req->r_dentry) {
+- struct ceph_path_info path_info;
++ struct ceph_path_info path_info = {0};
+ path = ceph_mdsc_build_path(mdsc, req->r_dentry, &path_info, 0);
+ if (IS_ERR(path))
+ path = NULL;
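Review bot: The `= {0}` is a caller-side requirement that the code does not state anywhere, and the reason is non-obvious: per the commit message, ceph_mdsc_build_path() leaves `*path_info` untouched on the error path, yet the free that follows (outside this hunk) runs regardless. A comment on the declaration would keep the next caller from dropping it: `/* zero-init: left untouched on error, but ceph_mdsc_free_path_info() runs anyway */`. mdsc_show() starts before this hunk and ends after it.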
+@@ -98,7 +98,7 @@ static int mdsc_show(struct seq_file *s,
+ }
+
+ if (req->r_old_dentry) {
+- struct ceph_path_info path_info;
++ struct ceph_path_info path_info = {0};
+ path = ceph_mdsc_build_path(mdsc, req->r_old_dentry, &path_info, 0);
+ if (IS_ERR(path))
+ path = NULL;
+--- a/fs/ceph/dir.c
++++ b/fs/ceph/dir.c
+@@ -1363,7 +1363,7 @@ static int ceph_unlink(struct inode *dir
+ if (!dn) {
+ try_async = false;
+ } else {
+- struct ceph_path_info path_info;
++ struct ceph_path_info path_info = {0};
+ path = ceph_mdsc_build_path(mdsc, dn, &path_info, 0);
+ if (IS_ERR(path)) {
+ try_async = false;
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -397,7 +397,7 @@ int ceph_open(struct inode *inode, struc
+ if (!dentry) {
+ do_sync = true;
+ } else {
+- struct ceph_path_info path_info;
++ struct ceph_path_info path_info = {0};
+ path = ceph_mdsc_build_path(mdsc, dentry, &path_info, 0);
+ if (IS_ERR(path)) {
+ do_sync = true;
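Review bot: Zero-initializing `path_info` here fixes the symptom at this call site only; the commit message itself says ceph_mdsc_build_path() does not touch `*path_info` on error while every caller, including ceph_open(), still calls ceph_mdsc_free_path_info() afterwards (that call is outside the hunk). Since ceph_open() is reachable by any unprivileged process with access to the mount, a future caller that forgets the initializer reintroduces a kmem_cache_free() of stack garbage; a `memset(path_info, 0, sizeof(*path_info));` at the top of ceph_mdsc_build_path(), or a designated `CEPH_PATH_INFO_INIT` initializer, would make the invariant independent of each call site. At minimum a comment on the declaration: `/* must be zero-initialized: freed even when build_path fails */`. ceph_open() starts before this hunk and ends after it.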
+@@ -807,7 +807,7 @@ int ceph_atomic_open(struct inode *dir,
+ if (!dn) {
+ try_async = false;
+ } else {
+- struct ceph_path_info path_info;
++ struct ceph_path_info path_info = {0};
+ path = ceph_mdsc_build_path(mdsc, dn, &path_info, 0);
+ if (IS_ERR(path)) {
+ try_async = false;
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -2551,7 +2551,7 @@ int __ceph_setattr(struct mnt_idmap *idm
+ if (!dentry) {
+ do_sync = true;
+ } else {
+- struct ceph_path_info path_info;
++ struct ceph_path_info path_info = {0};
+ path = ceph_mdsc_build_path(mdsc, dentry, &path_info, 0);
+ if (IS_ERR(path)) {
+ do_sync = true;
--- /dev/null
+From 081a0b78ef30f5746cda3e92e28b4d4ae92901d1 Mon Sep 17 00:00:00 2001
+From: Hristo Venev <hristo@venev.name>
+Date: Wed, 25 Feb 2026 19:07:56 +0200
+Subject: ceph: do not skip the first folio of the next object in writeback
+
+From: Hristo Venev <hristo@venev.name>
+
+commit 081a0b78ef30f5746cda3e92e28b4d4ae92901d1 upstream.
+
+When `ceph_process_folio_batch` encounters a folio past the end of the
+current object, it should leave it in the batch so that it is picked up
+in the next iteration.
+
+Removing the folio from the batch means that it does not get written
+back and remains dirty instead. This makes `fsync()` silently skip some
+of the data, delays capability release, and breaks coherence with
+`O_DIRECT`.
+
+The link below contains instructions for reproducing the bug.
+
+Cc: stable@vger.kernel.org
+Fixes: ce80b76dd327 ("ceph: introduce ceph_process_folio_batch() method")
+Link: https://tracker.ceph.com/issues/75156
+Signed-off-by: Hristo Venev <hristo@venev.name>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/addr.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/ceph/addr.c
++++ b/fs/ceph/addr.c
+@@ -1330,7 +1330,6 @@ int ceph_process_folio_batch(struct addr
+ } else if (rc == -E2BIG) {
+ rc = 0;
+ folio_unlock(folio);
+- ceph_wbc->fbatch.folios[i] = NULL;
+ break;
+ }
+
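Review bot: With the assignment gone, the folio stays in `fbatch.folios[i]` but the line above has already unlocked it, so whatever consumes the remainder of the batch on the next pass must re-lock it and re-check that it is still dirty and still belongs to this mapping; that code is outside the hunk, so I cannot confirm it does. The `break` deserves a comment so the asymmetry with the other error branches is deliberate on its face: `/* Belongs to the next object: leave it in the batch so the next pass picks it up. */`. ceph_process_folio_batch() starts before this hunk and ends after it.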
--- /dev/null
+From ce0123cbb4a40a2f1bbb815f292b26e96088639f Mon Sep 17 00:00:00 2001
+From: Max Kellermann <max.kellermann@ionos.com>
+Date: Fri, 5 Sep 2025 23:15:30 +0200
+Subject: ceph: fix i_nlink underrun during async unlink
+
+From: Max Kellermann <max.kellermann@ionos.com>
+
+commit ce0123cbb4a40a2f1bbb815f292b26e96088639f upstream.
+
+During async unlink, we drop the `i_nlink` counter before we receive
+the completion (that will eventually update the `i_nlink`) because "we
+assume that the unlink will succeed". That is not a bad idea, but it
+races against deletions by other clients (or against the completion of
+our own unlink) and can lead to an underrun which emits a WARNING like
+this one:
+
+ WARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68
+ Modules linked in:
+ CPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655
+ Hardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023
+ pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : drop_nlink+0x50/0x68
+ lr : ceph_unlink+0x6c4/0x720
+ sp : ffff80012173bc90
+ x29: ffff80012173bc90 x28: ffff086d0a45aaf8 x27: ffff0871d0eb5680
+ x26: ffff087f2a64a718 x25: 0000020000000180 x24: 0000000061c88647
+ x23: 0000000000000002 x22: ffff07ff9236d800 x21: 0000000000001203
+ x20: ffff07ff9237b000 x19: ffff088b8296afc0 x18: 00000000f3c93365
+ x17: 0000000000070000 x16: ffff08faffcbdfe8 x15: ffff08faffcbdfec
+ x14: 0000000000000000 x13: 45445f65645f3037 x12: 34385f6369706f74
+ x11: 0000a2653104bb20 x10: ffffd85f26d73290 x9 : ffffd85f25664f94
+ x8 : 00000000000000c0 x7 : 0000000000000000 x6 : 0000000000000002
+ x5 : 0000000000000081 x4 : 0000000000000481 x3 : 0000000000000000
+ x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff08727d3f91e8
+ Call trace:
+ drop_nlink+0x50/0x68 (P)
+ vfs_unlink+0xb0/0x2e8
+ do_unlinkat+0x204/0x288
+ __arm64_sys_unlinkat+0x3c/0x80
+ invoke_syscall.constprop.0+0x54/0xe8
+ do_el0_svc+0xa4/0xc8
+ el0_svc+0x18/0x58
+ el0t_64_sync_handler+0x104/0x130
+ el0t_64_sync+0x154/0x158
+
+In ceph_unlink(), a call to ceph_mdsc_submit_request() submits the
+CEPH_MDS_OP_UNLINK to the MDS, but does not wait for completion.
+
+Meanwhile, between this call and the following drop_nlink() call, a
+worker thread may process a CEPH_CAP_OP_IMPORT, CEPH_CAP_OP_GRANT or
+just a CEPH_MSG_CLIENT_REPLY (the latter of which could be our own
+completion). These will lead to a set_nlink() call, updating the
+`i_nlink` counter to the value received from the MDS. If that new
+`i_nlink` value happens to be zero, it is illegal to decrement it
+further. But that is exactly what ceph_unlink() will do then.
+
+The WARNING can be reproduced this way:
+
+1. Force async unlink; only the async code path is affected. Having
+ no real clue about Ceph internals, I was unable to find out why the
+ MDS wouldn't give me the "Fxr" capabilities, so I patched
+ get_caps_for_async_unlink() to always succeed.
+
+ (Note that the WARNING dump above was found on an unpatched kernel,
+ without this kludge - this is not a theoretical bug.)
+
+2. Add a sleep call after ceph_mdsc_submit_request() so the unlink
+ completion gets handled by a worker thread before drop_nlink() is
+ called. This guarantees that the `i_nlink` is already zero before
+ drop_nlink() runs.
+
+The solution is to skip the counter decrement when it is already zero,
+but doing so without a lock is still racy (TOCTOU). Since
+ceph_fill_inode() and handle_cap_grant() both hold the
+`ceph_inode_info.i_ceph_lock` spinlock while set_nlink() runs, this
+seems like the proper lock to protect the `i_nlink` updates.
+
+I found prior art in NFS and SMB (using `inode.i_lock`) and AFS (using
+`afs_vnode.cb_lock`). All three have the zero check as well.
+
+Cc: stable@vger.kernel.org
+Fixes: 2ccb45462aea ("ceph: perform asynchronous unlink if we have sufficient caps")
+Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/dir.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/fs/ceph/dir.c
++++ b/fs/ceph/dir.c
+@@ -1339,6 +1339,7 @@ static int ceph_unlink(struct inode *dir
+ struct ceph_client *cl = fsc->client;
+ struct ceph_mds_client *mdsc = fsc->mdsc;
+ struct inode *inode = d_inode(dentry);
++ struct ceph_inode_info *ci = ceph_inode(inode);
+ struct ceph_mds_request *req;
+ bool try_async = ceph_test_mount_opt(fsc, ASYNC_DIROPS);
+ struct dentry *dn;
+@@ -1424,7 +1425,19 @@ retry:
+ * We have enough caps, so we assume that the unlink
+ * will succeed. Fix up the target inode and dcache.
+ */
+- drop_nlink(inode);
++
++ /*
++ * Protect the i_nlink update with i_ceph_lock
++ * to precent racing against ceph_fill_inode()
++ * handling our completion on a worker thread
++ * and don't decrement if i_nlink has already
++ * been updated to zero by this completion.
++ */
++ spin_lock(&ci->i_ceph_lock);
++ if (inode->i_nlink > 0)
++ drop_nlink(inode);
++ spin_unlock(&ci->i_ceph_lock);
++
+ d_delete(dentry);
+ } else {
+ spin_lock(&fsc->async_unlink_conflict_lock);
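Review bot: The new comment has a typo, `to precent racing` should read `to prevent racing`, and it names only ceph_fill_inode() although the commit message also lists handle_cap_grant() as a set_nlink() caller that holds i_ceph_lock, which is the actual justification for choosing this lock over the generic inode->i_lock that NFS/SMB use. Suggested wording for the block: `Protect the i_nlink update with i_ceph_lock to prevent racing against ceph_fill_inode() / handle_cap_grant() setting i_nlink from a worker thread (possibly our own completion), and skip the decrement if it has already reached zero.` Note the `i_nlink > 0` test is only race-free because every writer takes the same spinlock; ceph_unlink() starts before this hunk and ends after it.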
--- /dev/null
+From 040d159a45ded7f33201421a81df0aa2a86e5a0b Mon Sep 17 00:00:00 2001
+From: Max Kellermann <max.kellermann@ionos.com>
+Date: Tue, 24 Feb 2026 14:26:57 +0100
+Subject: ceph: fix memory leaks in ceph_mdsc_build_path()
+
+From: Max Kellermann <max.kellermann@ionos.com>
+
+commit 040d159a45ded7f33201421a81df0aa2a86e5a0b upstream.
+
+Add __putname() calls to error code paths that did not free the "path"
+pointer obtained by __getname(). If ownership of this pointer is not
+passed to the caller via path_info.path, the function must free it
+before returning.
+
+Cc: stable@vger.kernel.org
+Fixes: 3fd945a79e14 ("ceph: encode encrypted name in ceph_mdsc_build_path and dentry release")
+Fixes: 550f7ca98ee0 ("ceph: give up on paths longer than PATH_MAX")
+Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/mds_client.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -2768,6 +2768,7 @@ retry:
+ if (ret < 0) {
+ dput(parent);
+ dput(cur);
++ __putname(path);
+ return ERR_PTR(ret);
+ }
+
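Review bot: This hunk makes the `dput(parent); dput(cur); __putname(path); return ERR_PTR(...)` unwind three statements long, the next hunk repeats it verbatim, and the ENAMETOOLONG exit further down uses a different shape; duplicated hand-written unwinds are exactly how the two leaks being fixed crept in. A single `out_err:` label that does `__putname(path)` and returns the error, reached by `goto` from each failure point (with the dputs hoisted where the lock and refcount state allows), would make the next error path leak-free by construction. The `retry:` loop and the function's entry are outside this hunk, so I can't tell whether `parent`/`cur` are always held at each exit.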
+@@ -2777,6 +2778,7 @@ retry:
+ if (len < 0) {
+ dput(parent);
+ dput(cur);
++ __putname(path);
+ return ERR_PTR(len);
+ }
+ }
+@@ -2813,6 +2815,7 @@ retry:
+ * cannot ever succeed. Creating paths that long is
+ * possible with Ceph, but Linux cannot use them.
+ */
++ __putname(path);
+ return ERR_PTR(-ENAMETOOLONG);
+ }
+
--- /dev/null
+From 7149be786da012afc6bae293d38f8c1fff1fb90d Mon Sep 17 00:00:00 2001
+From: Shenghao Yang <me@shenghaoyang.info>
+Date: Sun, 22 Feb 2026 13:45:51 +0800
+Subject: drm/gud: fix NULL crtc dereference on display disable
+
+From: Shenghao Yang <me@shenghaoyang.info>
+
+commit 7149be786da012afc6bae293d38f8c1fff1fb90d upstream.
+
+gud_plane_atomic_update() currently handles both crtc state and
+framebuffer updates - the complexity has led to a few accidental
+NULL pointer dereferences.
+
+Commit dc2d5ddb193e ("drm/gud: fix NULL fb and crtc dereferences
+on USB disconnect") [1] fixed an earlier dereference but planes
+can also be disabled in non-hotplug paths (e.g. display disables
+via the desktop environment). The drm_dev_enter() call would not
+cause an early return in those and subsequently oops on
+dereferencing crtc:
+
+BUG: kernel NULL pointer dereference, address: 00000000000005c8
+CPU: 6 UID: 1000 PID: 3473 Comm: kwin_wayland Not tainted 6.18.2-200.vanilla.gud.fc42.x86_64 #1 PREEMPT(lazy)
+RIP: 0010:gud_plane_atomic_update+0x148/0x470 [gud]
+ <TASK>
+ drm_atomic_helper_commit_planes+0x28e/0x310
+ drm_atomic_helper_commit_tail+0x2a/0x70
+ commit_tail+0xf1/0x150
+ drm_atomic_helper_commit+0x13c/0x180
+ drm_atomic_commit+0xb1/0xe0
+info ? __pfx___drm_printfn_info+0x10/0x10
+ drm_mode_atomic_ioctl+0x70f/0x7c0
+ ? __pfx_drm_mode_atomic_ioctl+0x10/0x10
+ drm_ioctl_kernel+0xae/0x100
+ drm_ioctl+0x2a8/0x550
+ ? __pfx_drm_mode_atomic_ioctl+0x10/0x10
+ __x64_sys_ioctl+0x97/0xe0
+ do_syscall_64+0x7e/0x7f0
+ ? __ct_user_enter+0x56/0xd0
+ ? do_syscall_64+0x158/0x7f0
+ ? __ct_user_enter+0x56/0xd0
+ ? do_syscall_64+0x158/0x7f0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Split out crtc handling from gud_plane_atomic_update() into
+atomic_enable() and atomic_disable() functions to delegate
+crtc state transitioning work to the DRM helpers.
+
+To preserve the gud state commit sequence [2], switch to
+the runtime PM version of drm_atomic_helper_commit_tail() which
+ensures that crtcs are enabled (hence sending the
+GUD_REQ_SET_CONTROLLER_ENABLE and GUD_REQ_SET_DISPLAY_ENABLE
+requests) before a framebuffer update is sent.
+
+[1] https://lore.kernel.org/all/20251231055039.44266-1-me@shenghaoyang.info/
+[2] https://github.com/notro/gud/wiki/GUD-Protocol#display-state
+
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/r/202601142159.0v8ilfVs-lkp@intel.com/
+Fixes: 73cfd166e045 ("drm/gud: Replace simple display pipe with DRM atomic helpers")
+Cc: <stable@vger.kernel.org> # 6.19.x
+Cc: <stable@vger.kernel.org> # 6.18.x
+Signed-off-by: Shenghao Yang <me@shenghaoyang.info>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Acked-by: Ruben Wauters <rubenru09@aol.com>
+Signed-off-by: Ruben Wauters <rubenru09@aol.com>
+Link: https://patch.msgid.link/20260222054551.80864-1-me@shenghaoyang.info
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/gud/gud_drv.c | 9 +++++-
+ drivers/gpu/drm/gud/gud_internal.h | 4 ++
+ drivers/gpu/drm/gud/gud_pipe.c | 54 ++++++++++++++++++++++++-------------
+ 3 files changed, 48 insertions(+), 19 deletions(-)
+
+--- a/drivers/gpu/drm/gud/gud_drv.c
++++ b/drivers/gpu/drm/gud/gud_drv.c
+@@ -339,7 +339,9 @@ static int gud_stats_debugfs(struct seq_
+ }
+
+ static const struct drm_crtc_helper_funcs gud_crtc_helper_funcs = {
+- .atomic_check = drm_crtc_helper_atomic_check
++ .atomic_check = drm_crtc_helper_atomic_check,
++ .atomic_enable = gud_crtc_atomic_enable,
++ .atomic_disable = gud_crtc_atomic_disable,
+ };
+
+ static const struct drm_crtc_funcs gud_crtc_funcs = {
+@@ -364,6 +366,10 @@ static const struct drm_plane_funcs gud_
+ DRM_GEM_SHADOW_PLANE_FUNCS,
+ };
+
++static const struct drm_mode_config_helper_funcs gud_mode_config_helpers = {
++ .atomic_commit_tail = drm_atomic_helper_commit_tail_rpm,
++};
++
+ static const struct drm_mode_config_funcs gud_mode_config_funcs = {
+ .fb_create = drm_gem_fb_create_with_dirty,
+ .atomic_check = drm_atomic_helper_check,
+@@ -499,6 +505,7 @@ static int gud_probe(struct usb_interfac
+ drm->mode_config.min_height = le32_to_cpu(desc.min_height);
+ drm->mode_config.max_height = le32_to_cpu(desc.max_height);
+ drm->mode_config.funcs = &gud_mode_config_funcs;
++ drm->mode_config.helper_private = &gud_mode_config_helpers;
+
+ /* Format init */
+ formats_dev = devm_kmalloc(dev, GUD_FORMATS_MAX_NUM, GFP_KERNEL);
+--- a/drivers/gpu/drm/gud/gud_internal.h
++++ b/drivers/gpu/drm/gud/gud_internal.h
+@@ -62,6 +62,10 @@ int gud_usb_set_u8(struct gud_device *gd
+
+ void gud_clear_damage(struct gud_device *gdrm);
+ void gud_flush_work(struct work_struct *work);
++void gud_crtc_atomic_enable(struct drm_crtc *crtc,
++ struct drm_atomic_state *state);
++void gud_crtc_atomic_disable(struct drm_crtc *crtc,
++ struct drm_atomic_state *state);
+ int gud_plane_atomic_check(struct drm_plane *plane,
+ struct drm_atomic_state *state);
+ void gud_plane_atomic_update(struct drm_plane *plane,
+--- a/drivers/gpu/drm/gud/gud_pipe.c
++++ b/drivers/gpu/drm/gud/gud_pipe.c
+@@ -580,6 +580,39 @@ out:
+ return ret;
+ }
+
++void gud_crtc_atomic_enable(struct drm_crtc *crtc,
++ struct drm_atomic_state *state)
++{
++ struct drm_device *drm = crtc->dev;
++ struct gud_device *gdrm = to_gud_device(drm);
++ int idx;
++
++ if (!drm_dev_enter(drm, &idx))
++ return;
++
++ gud_usb_set_u8(gdrm, GUD_REQ_SET_CONTROLLER_ENABLE, 1);
++ gud_usb_set(gdrm, GUD_REQ_SET_STATE_COMMIT, 0, NULL, 0);
++ gud_usb_set_u8(gdrm, GUD_REQ_SET_DISPLAY_ENABLE, 1);
++
++ drm_dev_exit(idx);
++}
++
++void gud_crtc_atomic_disable(struct drm_crtc *crtc,
++ struct drm_atomic_state *state)
++{
++ struct drm_device *drm = crtc->dev;
++ struct gud_device *gdrm = to_gud_device(drm);
++ int idx;
++
++ if (!drm_dev_enter(drm, &idx))
++ return;
++
++ gud_usb_set_u8(gdrm, GUD_REQ_SET_DISPLAY_ENABLE, 0);
++ gud_usb_set_u8(gdrm, GUD_REQ_SET_CONTROLLER_ENABLE, 0);
++
++ drm_dev_exit(idx);
++}
++
+ void gud_plane_atomic_update(struct drm_plane *plane,
+ struct drm_atomic_state *atomic_state)
+ {
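Review bot: gud_crtc_atomic_enable() issues three control requests and discards every return value, so a failed GUD_REQ_SET_STATE_COMMIT is still followed by GUD_REQ_SET_DISPLAY_ENABLE and the panel is turned on with whatever state the device last committed; the pre-patch code had the same weakness, but now that the sequence is isolated it is cheap to stop at the first failure. This assumes gud_usb_set() returns int like gud_usb_set_u8() (see the gud_internal.h hunk) and that the helper does not already log; if it does log, a bare early-out is enough. Both new functions would also benefit from a one-line header comment naming the protocol ordering they implement ("controller on, commit state, display on" and the reverse for disable). The disable path is fine as is.
```c
void gud_crtc_atomic_enable(struct drm_crtc *crtc,
			    struct drm_atomic_state *state)
{
	/* … unchanged: gdrm lookup and drm_dev_enter() … */
	int ret, idx;

	ret = gud_usb_set_u8(gdrm, GUD_REQ_SET_CONTROLLER_ENABLE, 1);
	if (ret)
		goto out;
	ret = gud_usb_set(gdrm, GUD_REQ_SET_STATE_COMMIT, 0, NULL, 0);
	if (ret)
		goto out;
	gud_usb_set_u8(gdrm, GUD_REQ_SET_DISPLAY_ENABLE, 1);
out:
	drm_dev_exit(idx);
}
```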
+@@ -607,24 +640,12 @@ void gud_plane_atomic_update(struct drm_
+ mutex_unlock(&gdrm->damage_lock);
+ }
+
+- if (!drm_dev_enter(drm, &idx))
++ if (!crtc || !drm_dev_enter(drm, &idx))
+ return;
+
+- if (!old_state->fb)
+- gud_usb_set_u8(gdrm, GUD_REQ_SET_CONTROLLER_ENABLE, 1);
+-
+- if (fb && (crtc->state->mode_changed || crtc->state->connectors_changed))
+- gud_usb_set(gdrm, GUD_REQ_SET_STATE_COMMIT, 0, NULL, 0);
+-
+- if (crtc->state->active_changed)
+- gud_usb_set_u8(gdrm, GUD_REQ_SET_DISPLAY_ENABLE, crtc->state->active);
+-
+- if (!fb)
+- goto ctrl_disable;
+-
+ ret = drm_gem_fb_begin_cpu_access(fb, DMA_FROM_DEVICE);
+ if (ret)
+- goto ctrl_disable;
++ goto out;
+
+ drm_atomic_helper_damage_iter_init(&iter, old_state, new_state);
+ drm_atomic_for_each_plane_damage(&iter, &damage)
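Review bot: The new `!crtc` test in `if (!crtc || !drm_dev_enter(drm, &idx))` is also what now protects the unconditional `drm_gem_fb_begin_cpu_access(fb, ...)` two lines later, since the old `if (!fb) goto ctrl_disable;` is removed; that only holds because the atomic core rejects a plane state with a crtc and no fb (presumably drm_atomic_plane_check(), not visible here), and `crtc`/`fb` are derived above the hunk. Worth stating at the guard so a later refactor does not reopen the NULL fb dereference that dc2d5ddb193e fixed: `/* crtc and fb are set or cleared together by the atomic core; a disabled plane has nothing to flush */`. gud_plane_atomic_update() starts before this hunk and ends after it.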
+@@ -632,9 +653,6 @@ void gud_plane_atomic_update(struct drm_
+
+ drm_gem_fb_end_cpu_access(fb, DMA_FROM_DEVICE);
+
+-ctrl_disable:
+- if (!crtc->state->enable)
+- gud_usb_set_u8(gdrm, GUD_REQ_SET_CONTROLLER_ENABLE, 0);
+-
++out:
+ drm_dev_exit(idx);
+ }
--- /dev/null
+From c45f7263100cece247dd3fa5fe277bd97fdb5687 Mon Sep 17 00:00:00 2001
+From: Liwei Song <liwei.song@windriver.com>
+Date: Thu, 12 Feb 2026 12:00:35 +0800
+Subject: firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled
+
+From: Liwei Song <liwei.song@windriver.com>
+
+commit c45f7263100cece247dd3fa5fe277bd97fdb5687 upstream.
+
+When the Remote System Update (RSU) isn't enabled in the First Stage
+Boot Loader (FSBL), the driver hits a NULL pointer dereference when the
+svc_normal_to_secure_thread() thread executes, resulting in a kernel panic:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
+Mem abort info:
+...
+Data abort info:
+...
+[0000000000000008] user address but active_mm is swapper
+Internal error: Oops: 0000000096000004 [#1] SMP
+Modules linked in:
+CPU: 0 UID: 0 PID: 79 Comm: svc_smc_hvc_thr Not tainted 6.19.0-rc8-yocto-standard+ #59 PREEMPT
+Hardware name: SoCFPGA Stratix 10 SoCDK (DT)
+pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : svc_normal_to_secure_thread+0x38c/0x990
+lr : svc_normal_to_secure_thread+0x144/0x990
+...
+Call trace:
+ svc_normal_to_secure_thread+0x38c/0x990 (P)
+ kthread+0x150/0x210
+ ret_from_fork+0x10/0x20
+Code: 97cfc113 f9400260 aa1403e1 f9400400 (f9400402)
+---[ end trace 0000000000000000 ]---
+
+The issue occurs because rsu_send_async_msg() fails when RSU is not enabled
+in firmware, causing the channel to be freed via stratix10_svc_free_channel().
+However, the probe function continues execution and registers
+svc_normal_to_secure_thread(), which subsequently attempts to access the
+already-freed channel, triggering the NULL pointer dereference.
+
+Fix this by properly cleaning up the async client and returning early on
+failure, preventing the thread from being used with an invalid channel.
+
+Fixes: 15847537b623 ("firmware: stratix10-rsu: Migrate RSU driver to use stratix10 asynchronous framework.")
+Cc: stable@kernel.org
+Signed-off-by: Liwei Song <liwei.song@windriver.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/stratix10-rsu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/firmware/stratix10-rsu.c b/drivers/firmware/stratix10-rsu.c
+index 41da07c445a6..e1912108a0fe 100644
+--- a/drivers/firmware/stratix10-rsu.c
++++ b/drivers/firmware/stratix10-rsu.c
+@@ -768,7 +768,9 @@ static int stratix10_rsu_probe(struct platform_device *pdev)
+ rsu_async_status_callback);
+ if (ret) {
+ dev_err(dev, "Error, getting RSU status %i\n", ret);
++ stratix10_svc_remove_async_client(priv->chan);
+ stratix10_svc_free_channel(priv->chan);
++ return ret;
+ }
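Review bot: The early `return ret` fixes this call site, but the next step in the same probe path, the DCMF-version query right after the hunk, presumably needs the identical `stratix10_svc_remove_async_client()` + `stratix10_svc_free_channel()` unwind if it fails, and I can't see whether it gets one. A single `err_free_chan:` label performing the two calls and `return ret;`, reached by `goto` from each failure point, would keep the unwinds consistent and in the same order (client removed before the channel is freed, which I take to be the reverse of setup). stratix10_rsu_probe() starts before this hunk and ends after it.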
+
+ /* get DCMF version from firmware */
+--
+2.53.0
+
--- /dev/null
+From e113f0b46d19626ec15388bcb91432c9a4fd6261 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Fri, 13 Mar 2026 23:14:14 +0900
+Subject: kprobes: avoid crash when rmmod/insmod after ftrace killed
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit e113f0b46d19626ec15388bcb91432c9a4fd6261 upstream.
+
+Once ftrace has been killed by some error, the kernel crashes if
+we remove a module in which kprobes are placed.
+
+BUG: unable to handle page fault for address: fffffbfff805000d
+PGD 817fcc067 P4D 817fcc067 PUD 817fc8067 PMD 101555067 PTE 0
+Oops: Oops: 0000 [#1] SMP KASAN PTI
+CPU: 4 UID: 0 PID: 2012 Comm: rmmod Tainted: G W OE
+Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
+RIP: 0010:kprobes_module_callback+0x89/0x790
+RSP: 0018:ffff88812e157d30 EFLAGS: 00010a02
+RAX: 1ffffffff805000d RBX: dffffc0000000000 RCX: ffffffff86a8de90
+RDX: ffffed1025c2af9b RSI: 0000000000000008 RDI: ffffffffc0280068
+RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed1025c2af9a
+R10: ffff88812e157cd7 R11: 205d323130325420 R12: 0000000000000002
+R13: ffffffffc0290488 R14: 0000000000000002 R15: ffffffffc0280040
+FS: 00007fbc450dd740(0000) GS:ffff888420331000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: fffffbfff805000d CR3: 000000010f624000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ notifier_call_chain+0xc6/0x280
+ blocking_notifier_call_chain+0x60/0x90
+ __do_sys_delete_module.constprop.0+0x32a/0x4e0
+ do_syscall_64+0x5d/0xfa0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+This is because the kprobe on ftrace does not correctly handles
+the kprobe_ftrace_disabled flag set by ftrace_kill().
+
+To prevent this error, check kprobe_ftrace_disabled in
+__disarm_kprobe_ftrace() and skip all ftrace related operations.
+
+Link: https://lore.kernel.org/all/176473947565.1727781.13110060700668331950.stgit@mhiramat.tok.corp.google.com/
+
+Reported-by: Ye Bin <yebin10@huawei.com>
+Closes: https://lore.kernel.org/all/20251125020536.2484381-1-yebin@huaweicloud.com/
+Fixes: ae6aa16fdc16 ("kprobes: introduce ftrace based optimization")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kprobes.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1104,6 +1104,10 @@ static int __disarm_kprobe_ftrace(struct
+ int ret;
+
+ lockdep_assert_held(&kprobe_mutex);
++ if (unlikely(kprobe_ftrace_disabled)) {
++ /* Now ftrace is disabled forever, disarm is already done. */
++ return 0;
++ }
+
+ if (*cnt == 1) {
+ ret = unregister_ftrace_function(ops);
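Review bot: The new early return leaves the ops' arm count untouched, because it exits before whatever bookkeeping follows the hunk (presumably the `(*cnt)--` that mirrors the arm path), so the counter stays at its pre-disarm value after ftrace_kill(). That is only harmless because ftrace_kill() is permanent, and the comment should say so rather than just "disarm is already done": `/* ftrace_kill() disabled ftrace for good: skip the ftrace calls and leave *cnt as is. */`. The body of __disarm_kprobe_ftrace continues outside the hunk.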
--- /dev/null
+From a5a373705081d7cc6363e16990e2361b0b362314 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Sun, 8 Mar 2026 17:57:23 +0100
+Subject: libceph: admit message frames only in CEPH_CON_S_OPEN state
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit a5a373705081d7cc6363e16990e2361b0b362314 upstream.
+
+Similar checks are performed for all control frames, but an early check
+for message frames was missing. process_message() is already set up to
+terminate the loop in case the state changes while con->ops->dispatch()
+handler is being executed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Alex Markuze <amarkuze@redhat.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/messenger_v2.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ceph/messenger_v2.c
++++ b/net/ceph/messenger_v2.c
+@@ -2904,6 +2904,11 @@ static int __handle_control(struct ceph_
+ if (con->v2.in_desc.fd_tag != FRAME_TAG_MESSAGE)
+ return process_control(con, p, end);
+
++ if (con->state != CEPH_CON_S_OPEN) {
++ con->error_msg = "protocol error, unexpected message";
++ return -EINVAL;
++ }
++
+ ret = process_message_header(con, p, end);
+ if (ret < 0)
+ return ret;
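Review bot: The new state check rejects message frames with no comment on why, while the commit explains that the same check already exists for control frames and that process_message() copes with state changes mid-dispatch; a one-liner above the `if` would keep that reasoning in the code: `/* message frames are only valid once the session is OPEN; process_control() does the equivalent check for control frames */`. __handle_control starts outside the hunk.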
--- /dev/null
+From b282c43ed156ae15ea76748fc15cd5c39dc9ab72 Mon Sep 17 00:00:00 2001
+From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Date: Tue, 10 Mar 2026 15:28:15 +0100
+Subject: libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
+
+From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+
+commit b282c43ed156ae15ea76748fc15cd5c39dc9ab72 upstream.
+
+This patch fixes an out-of-bounds access in ceph_handle_auth_reply()
+that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In
+ceph_handle_auth_reply(), the value of the payload_len field of such a
+message is stored in a variable of type int. A value greater than
+INT_MAX leads to an integer overflow and is interpreted as a negative
+value. This leads to decrementing the pointer address by this value and
+subsequently accessing it because ceph_decode_need() only checks that
+the memory access does not exceed the end address of the allocation.
+
+This patch fixes the issue by changing the data type of payload_len to
+u32. Additionally, the data type of result_msg_len is changed to u32,
+as it is also a variable holding a non-negative length.
+
+Also, an additional layer of sanity checks is introduced, ensuring that
+directly after reading it from the message, payload_len and
+result_msg_len are not greater than the overall segment length.
+
+BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph]
+Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262
+
+CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+Workqueue: ceph-msgr ceph_con_workfn [libceph]
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x76/0xa0
+ print_report+0xd1/0x620
+ ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+ ? kasan_complete_mode_report_info+0x72/0x210
+ kasan_report+0xe7/0x130
+ ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
+ ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
+ __asan_report_load_n_noabort+0xf/0x20
+ ceph_handle_auth_reply+0x642/0x7a0 [libceph]
+ mon_dispatch+0x973/0x23d0 [libceph]
+ ? apparmor_socket_recvmsg+0x6b/0xa0
+ ? __pfx_mon_dispatch+0x10/0x10 [libceph]
+ ? __kasan_check_write+0x14/0x30i
+ ? mutex_unlock+0x7f/0xd0
+ ? __pfx_mutex_unlock+0x10/0x10
+ ? __pfx_do_recvmsg+0x10/0x10 [libceph]
+ ceph_con_process_message+0x1f1/0x650 [libceph]
+ process_message+0x1e/0x450 [libceph]
+ ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]
+ ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]
+ ? save_fpregs_to_fpstate+0xb0/0x230
+ ? raw_spin_rq_unlock+0x17/0xa0
+ ? finish_task_switch.isra.0+0x13b/0x760
+ ? __switch_to+0x385/0xda0
+ ? __kasan_check_write+0x14/0x30
+ ? mutex_lock+0x8d/0xe0
+ ? __pfx_mutex_lock+0x10/0x10
+ ceph_con_workfn+0x248/0x10c0 [libceph]
+ process_one_work+0x629/0xf80
+ ? __kasan_check_write+0x14/0x30
+ worker_thread+0x87f/0x1570
+ ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+ ? __pfx_try_to_wake_up+0x10/0x10
+ ? kasan_print_address_stack_frame+0x1f7/0x280
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0x396/0x830
+ ? __pfx__raw_spin_lock_irq+0x10/0x10
+ ? __pfx_kthread+0x10/0x10
+ ? __kasan_check_write+0x14/0x30
+ ? recalc_sigpending+0x180/0x210
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x3f7/0x610
+ ? __pfx_ret_from_fork+0x10/0x10
+ ? __switch_to+0x385/0xda0
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+[ idryomov: replace if statements with ceph_decode_need() for
+ payload_len and result_msg_len ]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/auth.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ceph/auth.c
++++ b/net/ceph/auth.c
+@@ -205,9 +205,9 @@ int ceph_handle_auth_reply(struct ceph_a
+ s32 result;
+ u64 global_id;
+ void *payload, *payload_end;
+- int payload_len;
++ u32 payload_len;
+ char *result_msg;
+- int result_msg_len;
++ u32 result_msg_len;
+ int ret = -EINVAL;
+
+ mutex_lock(&ac->mutex);
+@@ -217,10 +217,12 @@ int ceph_handle_auth_reply(struct ceph_a
+ result = ceph_decode_32(&p);
+ global_id = ceph_decode_64(&p);
+ payload_len = ceph_decode_32(&p);
++ ceph_decode_need(&p, end, payload_len, bad);
+ payload = p;
+ p += payload_len;
+ ceph_decode_need(&p, end, sizeof(u32), bad);
+ result_msg_len = ceph_decode_32(&p);
++ ceph_decode_need(&p, end, result_msg_len, bad);
+ result_msg = p;
+ p += result_msg_len;
+ if (p != end)
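Review bot: The three decodes at the top of the second hunk (`result`, `global_id`, `payload_len`) read 16 bytes without a room check inside the hunk; if no `ceph_decode_need(&p, end, 2 * sizeof(u32) + sizeof(u64), bad)` precedes them above the hunk, the new payload_len check arrives after the first over-read. With payload_len now u32 and bounded by `end`, the later `p += payload_len` can no longer move backwards, which is the fix, and a comment at the first new line would help the next reader: `/* bound payload_len by the message before advancing p; as an int this used to go negative */`. ceph_handle_auth_reply's body continues outside both hunks, and the callee that receives payload_len (not visible) should take a u32 or an int that, after this check, cannot exceed the message length.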
--- /dev/null
+From 69fb5d91bba44ecf7eb80530b85fa4fb028921d5 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Sun, 8 Mar 2026 17:38:00 +0100
+Subject: libceph: prevent potential out-of-bounds reads in process_message_header()
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 69fb5d91bba44ecf7eb80530b85fa4fb028921d5 upstream.
+
+If the message frame is (maliciously) corrupted in a way that the
+length of the control segment ends up being less than the size of the
+message header or a different frame is made to look like a message
+frame, out-of-bounds reads may ensue in process_message_header().
+
+Perform an explicit bounds check before decoding the message header.
+
+Cc: stable@vger.kernel.org
+Reported-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Alex Markuze <amarkuze@redhat.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/messenger_v2.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/ceph/messenger_v2.c
++++ b/net/ceph/messenger_v2.c
+@@ -2832,12 +2832,15 @@ static int process_message_header(struct
+ void *p, void *end)
+ {
+ struct ceph_frame_desc *desc = &con->v2.in_desc;
+- struct ceph_msg_header2 *hdr2 = p;
++ struct ceph_msg_header2 *hdr2;
+ struct ceph_msg_header hdr;
+ int skip;
+ int ret;
+ u64 seq;
+
++ ceph_decode_need(&p, end, sizeof(*hdr2), bad);
++ hdr2 = p;
++
+ /* verify seq# */
+ seq = le64_to_cpu(hdr2->seq);
+ if ((s64)seq - (s64)con->in_seq < 1) {
+@@ -2868,6 +2871,10 @@ static int process_message_header(struct
+ WARN_ON(!con->in_msg);
+ WARN_ON(con->in_msg->con != con);
+ return 1;
++
++bad:
++ pr_err("failed to decode message header\n");
++ return -EINVAL;
+ }
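Review bot: The new `bad:` label reports the failure with a bare pr_err and returns -EINVAL without setting `con->error_msg`, whereas the message-frame state check added to `__handle_control` in this same file assigns `con->error_msg` before returning -EINVAL; if the other failure paths in process_message_header() set it too, this one should, e.g. `con->error_msg = "protocol error, bad message header";`. The check itself deserves a comment in the first hunk: `/* the control segment can be shorter than a header (corrupt or misdirected frame) */` above `ceph_decode_need(&p, end, sizeof(*hdr2), bad);`. process_message_header's body spans both hunks and is cut between them.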
+
+ static int process_message(struct ceph_connection *con)
--- /dev/null
+From c4c22b846eceff05b1129b8844a80310e55a7f87 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Sun, 8 Mar 2026 20:01:27 +0100
+Subject: libceph: reject preamble if control segment is empty
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit c4c22b846eceff05b1129b8844a80310e55a7f87 upstream.
+
+While head_onwire_len() has a branch to handle ctrl_len == 0 case,
+prepare_read_control() always sets up a kvec for the CRC meaning that
+a non-empty control segment is effectively assumed. All frames that
+clients deal with meet that assumption, so let's make it official and
+treat the preamble with an empty control segment as malformed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Alex Markuze <amarkuze@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/messenger_v2.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/net/ceph/messenger_v2.c
++++ b/net/ceph/messenger_v2.c
+@@ -392,7 +392,7 @@ static int head_onwire_len(int ctrl_len,
+ int head_len;
+ int rem_len;
+
+- BUG_ON(ctrl_len < 0 || ctrl_len > CEPH_MSG_MAX_CONTROL_LEN);
++ BUG_ON(ctrl_len < 1 || ctrl_len > CEPH_MSG_MAX_CONTROL_LEN);
+
+ if (secure) {
+ head_len = CEPH_PREAMBLE_SECURE_LEN;
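Review bot: The tightened `BUG_ON(ctrl_len < 1 ...)` at the top of head_onwire_len now asserts on a value that, on the read path, originates from the wire, and it is only safe because decode_preamble() (the third hunk of this patch) rejects `fd_lens[0] < 1` before head_onwire_len runs; that coupling deserves a comment so the two checks are not loosened independently: `/* decode_preamble() rejects an empty control segment before we get here; zero is a local bug */`. The rest of head_onwire_len sits outside this hunk.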
+@@ -401,9 +401,7 @@ static int head_onwire_len(int ctrl_len,
+ head_len += padded_len(rem_len) + CEPH_GCM_TAG_LEN;
+ }
+ } else {
+- head_len = CEPH_PREAMBLE_PLAIN_LEN;
+- if (ctrl_len)
+- head_len += ctrl_len + CEPH_CRC_LEN;
++ head_len = CEPH_PREAMBLE_PLAIN_LEN + ctrl_len + CEPH_CRC_LEN;
+ }
+ return head_len;
+ }
+@@ -528,11 +526,16 @@ static int decode_preamble(void *p, stru
+ desc->fd_aligns[i] = ceph_decode_16(&p);
+ }
+
+- if (desc->fd_lens[0] < 0 ||
++ /*
++ * This would fire for FRAME_TAG_WAIT (it has one empty
++ * segment), but we should never get it as client.
++ */
++ if (desc->fd_lens[0] < 1 ||
+ desc->fd_lens[0] > CEPH_MSG_MAX_CONTROL_LEN) {
+ pr_err("bad control segment length %d\n", desc->fd_lens[0]);
+ return -EINVAL;
+ }
++
+ if (desc->fd_lens[1] < 0 ||
+ desc->fd_lens[1] > CEPH_MSG_MAX_FRONT_LEN) {
+ pr_err("bad front segment length %d\n", desc->fd_lens[1]);
+@@ -549,10 +552,6 @@ static int decode_preamble(void *p, stru
+ return -EINVAL;
+ }
+
+- /*
+- * This would fire for FRAME_TAG_WAIT (it has one empty
+- * segment), but we should never get it as client.
+- */
+ if (!desc->fd_lens[desc->fd_seg_cnt - 1]) {
+ pr_err("last segment empty, segment count %d\n",
+ desc->fd_seg_cnt);
--- /dev/null
+From 770444611f047dbfd4517ec0bc1b179d40c2f346 Mon Sep 17 00:00:00 2001
+From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Date: Thu, 26 Feb 2026 16:07:31 +0100
+Subject: libceph: Use u32 for non-negative values in ceph_monmap_decode()
+
+From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+
+commit 770444611f047dbfd4517ec0bc1b179d40c2f346 upstream.
+
+This patch fixes unnecessary implicit conversions that change signedness
+of blob_len and num_mon in ceph_monmap_decode().
+Currently blob_len and num_mon are (signed) int variables. They are used
+to hold values that are always non-negative and get assigned in
+ceph_decode_32_safe(), which is meant to assign u32 values. Both
+variables are subsequently used as unsigned values, and the value of
+num_mon is further assigned to monmap->num_mon, which is of type u32.
+Therefore, both variables should be of type u32. This is especially
+relevant for num_mon. If the value read from the incoming message is
+very large, it is interpreted as a negative value, and the check for
+num_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to
+allocate a very large chunk of memory for monmap, which will most likely
+fail. In this case, an unnecessary attempt to allocate memory is
+performed, and -ENOMEM is returned instead of -EINVAL.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/mon_client.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ceph/mon_client.c
++++ b/net/ceph/mon_client.c
+@@ -72,8 +72,8 @@ static struct ceph_monmap *ceph_monmap_d
+ struct ceph_monmap *monmap = NULL;
+ struct ceph_fsid fsid;
+ u32 struct_len;
+- int blob_len;
+- int num_mon;
++ u32 blob_len;
++ u32 num_mon;
+ u8 struct_v;
+ u32 epoch;
+ int ret;
+@@ -112,7 +112,7 @@ static struct ceph_monmap *ceph_monmap_d
+ }
+ ceph_decode_32_safe(p, end, num_mon, e_inval);
+
+- dout("%s fsid %pU epoch %u num_mon %d\n", __func__, &fsid, epoch,
++ dout("%s fsid %pU epoch %u num_mon %u\n", __func__, &fsid, epoch,
+ num_mon);
+ if (num_mon > CEPH_MAX_MON)
+ goto e_inval;
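Review bot: `blob_len` is switched to u32 in the first hunk but none of its uses are in the diff; any `%d` format or signed comparison on it below the hunk needs the same treatment the second hunk gives `num_mon`, otherwise the signedness reasoning in the commit message is only half applied. ceph_monmap_decode's body continues beyond both hunks, so this cannot be confirmed here.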
--- /dev/null
+From 09833d99db36d74456a4d13eb29c32d56ff8f2b6 Mon Sep 17 00:00:00 2001
+From: Alexander Potapenko <glider@google.com>
+Date: Fri, 13 Feb 2026 10:54:10 +0100
+Subject: mm/kfence: disable KFENCE upon KASAN HW tags enablement
+
+From: Alexander Potapenko <glider@google.com>
+
+commit 09833d99db36d74456a4d13eb29c32d56ff8f2b6 upstream.
+
+KFENCE does not currently support KASAN hardware tags. As a result, the
+two features are incompatible when enabled simultaneously.
+
+Given that MTE provides deterministic protection and KFENCE is a
+sampling-based debugging tool, prioritize the stronger hardware
+protections. Disable KFENCE initialization and free the pre-allocated
+pool if KASAN hardware tags are detected to ensure the system maintains
+the security guarantees provided by MTE.
+
+Link: https://lkml.kernel.org/r/20260213095410.1862978-1-glider@google.com
+Fixes: 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure")
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Suggested-by: Marco Elver <elver@google.com>
+Reviewed-by: Marco Elver <elver@google.com>
+Cc: Andrey Konovalov <andreyknvl@gmail.com>
+Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Ernesto Martinez Garcia <ernesto.martinezgarcia@tugraz.at>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: Kees Cook <kees@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kfence/core.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/mm/kfence/core.c
++++ b/mm/kfence/core.c
+@@ -13,6 +13,7 @@
+ #include <linux/hash.h>
+ #include <linux/irq_work.h>
+ #include <linux/jhash.h>
++#include <linux/kasan-enabled.h>
+ #include <linux/kcsan-checks.h>
+ #include <linux/kfence.h>
+ #include <linux/kmemleak.h>
+@@ -912,6 +913,20 @@ void __init kfence_alloc_pool_and_metada
+ return;
+
+ /*
++ * If KASAN hardware tags are enabled, disable KFENCE, because it
++ * does not support MTE yet.
++ */
++ if (kasan_hw_tags_enabled()) {
++ pr_info("disabled as KASAN HW tags are enabled\n");
++ if (__kfence_pool) {
++ memblock_free(__kfence_pool, KFENCE_POOL_SIZE);
++ __kfence_pool = NULL;
++ }
++ kfence_sample_interval = 0;
++ return;
++ }
++
++ /*
+ * If the pool has already been initialized by arch, there is no need to
+ * re-allocate the memory pool.
+ */
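Review bot: Setting `kfence_sample_interval = 0` disables early initialization, but nothing in the hunk prevents the interval being raised again through the module parameter, so late enablement via kfence_init_late() may still be reachable on a KASAN HW-tags kernel; either that is intended (the companion patch teaching the late path to allocate with __GFP_SKIP_KASAN suggests it is) and the comment should say so, or the same `kasan_hw_tags_enabled()` guard belongs in the late path. Suggested wording for the new comment: `/* KFENCE does not support MTE yet: skip early init and release the arch pool; late enablement through the sample_interval parameter remains possible. */`. The function continues outside the hunk.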
--- /dev/null
+From d155aab90fffa00f93cea1f107aef0a3d548b2ff Mon Sep 17 00:00:00 2001
+From: Alexander Potapenko <glider@google.com>
+Date: Fri, 20 Feb 2026 15:49:40 +0100
+Subject: mm/kfence: fix KASAN hardware tag faults during late enablement
+
+From: Alexander Potapenko <glider@google.com>
+
+commit d155aab90fffa00f93cea1f107aef0a3d548b2ff upstream.
+
+When KASAN hardware tags are enabled, re-enabling KFENCE late (via
+/sys/module/kfence/parameters/sample_interval) causes KASAN faults.
+
+This happens because the KFENCE pool and metadata are allocated via the
+page allocator, which tags the memory, while KFENCE continues to access it
+using untagged pointers during initialization.
+
+Use __GFP_SKIP_KASAN for late KFENCE pool and metadata allocations to
+ensure the memory remains untagged, consistent with early allocations from
+memblock. To support this, add __GFP_SKIP_KASAN to the allowlist in
+__alloc_contig_verify_gfp_mask().
+
+Link: https://lkml.kernel.org/r/20260220144940.2779209-1-glider@google.com
+Fixes: 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure")
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Suggested-by: Ernesto Martinez Garcia <ernesto.martinezgarcia@tugraz.at>
+Cc: Andrey Konovalov <andreyknvl@gmail.com>
+Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: Kees Cook <kees@kernel.org>
+Cc: Marco Elver <elver@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kfence/core.c | 14 ++++++++------
+ mm/page_alloc.c | 3 ++-
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+--- a/mm/kfence/core.c
++++ b/mm/kfence/core.c
+@@ -984,14 +984,14 @@ static int kfence_init_late(void)
+ #ifdef CONFIG_CONTIG_ALLOC
+ struct page *pages;
+
+- pages = alloc_contig_pages(nr_pages_pool, GFP_KERNEL, first_online_node,
+- NULL);
++ pages = alloc_contig_pages(nr_pages_pool, GFP_KERNEL | __GFP_SKIP_KASAN,
++ first_online_node, NULL);
+ if (!pages)
+ return -ENOMEM;
+
+ __kfence_pool = page_to_virt(pages);
+- pages = alloc_contig_pages(nr_pages_meta, GFP_KERNEL, first_online_node,
+- NULL);
++ pages = alloc_contig_pages(nr_pages_meta, GFP_KERNEL | __GFP_SKIP_KASAN,
++ first_online_node, NULL);
+ if (pages)
+ kfence_metadata_init = page_to_virt(pages);
+ #else
+@@ -1001,11 +1001,13 @@ static int kfence_init_late(void)
+ return -EINVAL;
+ }
+
+- __kfence_pool = alloc_pages_exact(KFENCE_POOL_SIZE, GFP_KERNEL);
++ __kfence_pool = alloc_pages_exact(KFENCE_POOL_SIZE,
++ GFP_KERNEL | __GFP_SKIP_KASAN);
+ if (!__kfence_pool)
+ return -ENOMEM;
+
+- kfence_metadata_init = alloc_pages_exact(KFENCE_METADATA_SIZE, GFP_KERNEL);
++ kfence_metadata_init = alloc_pages_exact(KFENCE_METADATA_SIZE,
++ GFP_KERNEL | __GFP_SKIP_KASAN);
+ #endif
+
+ if (!kfence_metadata_init)
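Review bot: The four allocations gain `__GFP_SKIP_KASAN` without a comment saying why, and the reason (the pool is accessed through untagged pointers, as with the early memblock allocation) lives only in the commit message; a comment above the `#ifdef CONFIG_CONTIG_ALLOC` block, i.e. above the first hunk, would keep it with the code: `/* keep the pool and metadata untagged: KFENCE uses untagged pointers, like the early memblock path */`. The same applies to the page_alloc.c hunk, where adding `__GFP_SKIP_KASAN` to action_mask widens what alloc_contig_pages() accepts for every caller, which is worth one line of justification there too. kfence_init_late's body extends beyond both hunks.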
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -6941,7 +6941,8 @@ static int __alloc_contig_verify_gfp_mas
+ {
+ const gfp_t reclaim_mask = __GFP_IO | __GFP_FS | __GFP_RECLAIM;
+ const gfp_t action_mask = __GFP_COMP | __GFP_RETRY_MAYFAIL | __GFP_NOWARN |
+- __GFP_ZERO | __GFP_ZEROTAGS | __GFP_SKIP_ZERO;
++ __GFP_ZERO | __GFP_ZEROTAGS | __GFP_SKIP_ZERO |
++ __GFP_SKIP_KASAN;
+ const gfp_t cc_action_mask = __GFP_RETRY_MAYFAIL | __GFP_NOWARN;
+
+ /*
--- /dev/null
+From 079c24d5690262e83ee476e2a548e416f3237511 Mon Sep 17 00:00:00 2001
+From: Kalesh Singh <kaleshsingh@google.com>
+Date: Thu, 19 Feb 2026 15:36:56 -0800
+Subject: mm/tracing: rss_stat: ensure curr is false from kthread context
+
+From: Kalesh Singh <kaleshsingh@google.com>
+
+commit 079c24d5690262e83ee476e2a548e416f3237511 upstream.
+
+The rss_stat trace event allows userspace tools, like Perfetto [1], to
+inspect per-process RSS metric changes over time.
+
+The curr field was introduced to rss_stat in commit e4dcad204d3a
+("rss_stat: add support to detect RSS updates of external mm"). Its
+intent is to indicate whether the RSS update is for the mm_struct of the
+current execution context; and is set to false when operating on a remote
+mm_struct (e.g., via kswapd or a direct reclaimer).
+
+However, an issue arises when a kernel thread temporarily adopts a user
+process's mm_struct. Kernel threads do not have their own mm_struct and
+normally have current->mm set to NULL. To operate on user memory, they
+can "borrow" a memory context using kthread_use_mm(), which sets
+current->mm to the user process's mm.
+
+This can be observed, for example, in the USB Function Filesystem (FFS)
+driver. The ffs_user_copy_worker() handles AIO completions and uses
+kthread_use_mm() to copy data to a user-space buffer. If a page fault
+occurs during this copy, the fault handler executes in the kthread's
+context.
+
+At this point, current is the kthread, but current->mm points to the user
+process's mm. Since the rss_stat event (from the page fault) is for that
+same mm, the condition current->mm == mm becomes true, causing curr to be
+incorrectly set to true when the trace event is emitted.
+
+This is misleading because it suggests the mm belongs to the kthread,
+confusing userspace tools that track per-process RSS changes and
+corrupting their mm_id-to-process association.
+
+Fix this by ensuring curr is always false when the trace event is emitted
+from a kthread context by checking for the PF_KTHREAD flag.
+
+Link: https://lkml.kernel.org/r/20260219233708.1971199-1-kaleshsingh@google.com
+Link: https://perfetto.dev/ [1]
+Fixes: e4dcad204d3a ("rss_stat: add support to detect RSS updates of external mm")
+Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
+Acked-by: Zi Yan <ziy@nvidia.com>
+Acked-by: SeongJae Park <sj@kernel.org>
+Reviewed-by: Pedro Falcato <pfalcato@suse.de>
+Cc: "David Hildenbrand (Arm)" <david@kernel.org>
+Cc: Joel Fernandes <joel@joelfernandes.org>
+Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: <stable@vger.kernel.org> [5.10+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/trace/events/kmem.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/include/trace/events/kmem.h
++++ b/include/trace/events/kmem.h
+@@ -440,7 +440,13 @@ TRACE_EVENT(rss_stat,
+
+ TP_fast_assign(
+ __entry->mm_id = mm_ptr_to_hash(mm);
+- __entry->curr = !!(current->mm == mm);
++ /*
++ * curr is true if the mm matches the current task's mm_struct.
++ * Since kthreads (PF_KTHREAD) have no mm_struct of their own
++ * but can borrow one via kthread_use_mm(), we must filter them
++ * out to avoid incorrectly attributing the RSS update to them.
++ */
++ __entry->curr = current->mm == mm && !(current->flags & PF_KTHREAD);
+ __entry->member = member;
+ __entry->size = (percpu_counter_sum_positive(&mm->rss_stat[member])
+ << PAGE_SHIFT);
--- /dev/null
+From 901084c51a0a8fb42a3f37d2e9c62083c495f824 Mon Sep 17 00:00:00 2001
+From: Penghe Geng <pgeng@nvidia.com>
+Date: Thu, 19 Feb 2026 15:29:54 -0500
+Subject: mmc: core: Avoid bitfield RMW for claim/retune flags
+
+From: Penghe Geng <pgeng@nvidia.com>
+
+commit 901084c51a0a8fb42a3f37d2e9c62083c495f824 upstream.
+
+Move claimed and retune control flags out of the bitfield word to
+avoid unrelated RMW side effects in asynchronous contexts.
+
+The host->claimed bit shared a word with retune flags. Writes to claimed
+in __mmc_claim_host() or retune_now in mmc_mq_queue_rq() can overwrite
+other bits when concurrent updates happen in other contexts, triggering
+spurious WARN_ON(!host->claimed). Convert claimed, can_retune,
+retune_now and retune_paused to bool to remove shared-word coupling.
+
+Fixes: 6c0cedd1ef952 ("mmc: core: Introduce host claiming by context")
+Fixes: 1e8e55b67030c ("mmc: block: Add CQE support")
+Cc: stable@vger.kernel.org
+Suggested-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Penghe Geng <pgeng@nvidia.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mmc/host.h | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/include/linux/mmc/host.h
++++ b/include/linux/mmc/host.h
+@@ -486,14 +486,12 @@ struct mmc_host {
+
+ struct mmc_ios ios; /* current io bus settings */
+
++ bool claimed; /* host exclusively claimed */
++
+ /* group bitfields together to minimize padding */
+ unsigned int use_spi_crc:1;
+- unsigned int claimed:1; /* host exclusively claimed */
+ unsigned int doing_init_tune:1; /* initial tuning in progress */
+- unsigned int can_retune:1; /* re-tuning can be used */
+ unsigned int doing_retune:1; /* re-tuning in progress */
+- unsigned int retune_now:1; /* do re-tuning at next req */
+- unsigned int retune_paused:1; /* re-tuning is temporarily disabled */
+ unsigned int retune_crc_disable:1; /* don't trigger retune upon crc */
+ unsigned int can_dma_map_merge:1; /* merging can be used */
+ unsigned int vqmmc_enabled:1; /* vqmmc regulator is enabled */
+@@ -508,6 +506,9 @@ struct mmc_host {
+ int rescan_disable; /* disable card detection */
+ int rescan_entered; /* used with nonremovable devices */
+
++ bool can_retune; /* re-tuning can be used */
++ bool retune_now; /* do re-tuning at next req */
++ bool retune_paused; /* re-tuning is temporarily disabled */
+ int need_retune; /* re-tuning is needed */
+ int hold_retune; /* hold off re-tuning */
+ unsigned int retune_period; /* re-tuning period in secs */
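Review bot: Moving `claimed`, `can_retune`, `retune_now` and `retune_paused` out of the bitfield removes the read-modify-write coupling for those four, but `doing_init_tune`, `doing_retune` and `retune_crc_disable` remain in the shared word; if any of them is written from a context that can run concurrently with another bitfield writer, the same lost-update hazard persists, which is worth confirming rather than assuming. The existing "group bitfields together to minimize padding" comment now sits directly below the new `bool claimed;`, so either move that bool next to the other new bools or adjust the comment. Both hunks are inside struct mmc_host, whose definition extends beyond them.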
--- /dev/null
+From 6465a8bbb0f6ad98aeb66dc9ea19c32c193a610b Mon Sep 17 00:00:00 2001
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Fri, 16 Jan 2026 08:55:30 +0800
+Subject: mmc: dw_mmc-rockchip: Fix runtime PM support for internal phase support
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+commit 6465a8bbb0f6ad98aeb66dc9ea19c32c193a610b upstream.
+
+RK3576 is the first platform to introduce internal phase support, and
+subsequent platforms are expected to adopt a similar design. In this
+architecture, runtime suspend powers off the attached power domain, which
+resets registers, including vendor-specific ones such as SDMMC_TIMING_CON0,
+SDMMC_TIMING_CON1, and SDMMC_MISC_CON. These registers must be saved and
+restored, a requirement that falls outside the scope of the dw_mmc core.
+
+Fixes: 59903441f5e4 ("mmc: dw_mmc-rockchip: Add internal phase support")
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Tested-by: Marco Schirrmeister <mschirrmeister@gmail.com>
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/dw_mmc-rockchip.c | 38 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 37 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/dw_mmc-rockchip.c
++++ b/drivers/mmc/host/dw_mmc-rockchip.c
+@@ -36,6 +36,8 @@ struct dw_mci_rockchip_priv_data {
+ int default_sample_phase;
+ int num_phases;
+ bool internal_phase;
++ int sample_phase;
++ int drv_phase;
+ };
+
+ /*
+@@ -574,9 +576,43 @@ static void dw_mci_rockchip_remove(struc
+ dw_mci_pltfm_remove(pdev);
+ }
+
++static int dw_mci_rockchip_runtime_suspend(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct dw_mci *host = platform_get_drvdata(pdev);
++ struct dw_mci_rockchip_priv_data *priv = host->priv;
++
++ if (priv->internal_phase) {
++ priv->sample_phase = rockchip_mmc_get_phase(host, true);
++ priv->drv_phase = rockchip_mmc_get_phase(host, false);
++ }
++
++ return dw_mci_runtime_suspend(dev);
++}
++
++static int dw_mci_rockchip_runtime_resume(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct dw_mci *host = platform_get_drvdata(pdev);
++ struct dw_mci_rockchip_priv_data *priv = host->priv;
++ int ret;
++
++ ret = dw_mci_runtime_resume(dev);
++ if (ret)
++ return ret;
++
++ if (priv->internal_phase) {
++ rockchip_mmc_set_phase(host, true, priv->sample_phase);
++ rockchip_mmc_set_phase(host, false, priv->drv_phase);
++ mci_writel(host, MISC_CON, MEM_CLK_AUTOGATE_ENABLE);
++ }
++
++ return ret;
++}
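Review bot: `dw_mci_rockchip_runtime_resume` ends with `return ret;` where `ret` is known to be 0 after the early return, so `return 0;` would state the intent. The `mci_writel(host, MISC_CON, MEM_CLK_AUTOGATE_ENABLE)` restore has no comment tying it to the reset-on-power-off behaviour described in the commit message; suggest `/* the power domain reset cleared MISC_CON along with the phase registers */` above it. The save path reads the phases back from hardware, so a suspend that happens before any phase was programmed restores the reset default, which is presumably fine but worth a note.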
++
+ static const struct dev_pm_ops dw_mci_rockchip_dev_pm_ops = {
+ SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, pm_runtime_force_resume)
+- RUNTIME_PM_OPS(dw_mci_runtime_suspend, dw_mci_runtime_resume, NULL)
++ RUNTIME_PM_OPS(dw_mci_rockchip_runtime_suspend, dw_mci_rockchip_runtime_resume, NULL)
+ };
+
+ static struct platform_driver dw_mci_rockchip_pltfm_driver = {
--- /dev/null
+From af12e64ae0661546e8b4f5d30d55c5f53a11efe7 Mon Sep 17 00:00:00 2001
+From: Felix Gu <ustc.gu@gmail.com>
+Date: Tue, 20 Jan 2026 22:26:46 +0800
+Subject: mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index()
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+commit af12e64ae0661546e8b4f5d30d55c5f53a11efe7 upstream.
+
+When calling of_parse_phandle_with_args(), the caller is responsible
+to call of_node_put() to release the reference of device node.
+In of_get_dml_pipe_index(), it does not release the reference.
+
+Fixes: 9cb15142d0e3 ("mmc: mmci: Add qcom dml support to the driver.")
+Signed-off-by: Felix Gu <gu_0233@qq.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mmci_qcom_dml.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/mmci_qcom_dml.c
++++ b/drivers/mmc/host/mmci_qcom_dml.c
+@@ -109,6 +109,7 @@ static int of_get_dml_pipe_index(struct
+ &dma_spec))
+ return -ENODEV;
+
++ of_node_put(dma_spec.np);
+ if (dma_spec.args_count)
+ return dma_spec.args[0];
+
--- /dev/null
+From 79ad471530e0baef0dce991816013df55e401d9c Mon Sep 17 00:00:00 2001
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+Date: Mon, 16 Feb 2026 14:15:43 -0500
+Subject: mmc: sdhci-brcmstb: use correct register offset for V1 pin_sel restore
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+commit 79ad471530e0baef0dce991816013df55e401d9c upstream.
+
+The restore path for SDIO_CFG_CORE_V1 was incorrectly using
+SDIO_CFG_SD_PIN_SEL (offset 0x44) instead of SDIO_CFG_V1_SD_PIN_SEL
+(offset 0x54), causing the wrong register to be written on resume.
+The save path already uses the correct V1-specific offset. This
+affects BCM7445 and BCM72116 platforms which use the V1 config core.
+
+Fixes: b7e614802e3f ("mmc: sdhci-brcmstb: save and restore registers during PM")
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Cc: stable@vger.kernel.org
+Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-brcmstb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci-brcmstb.c b/drivers/mmc/host/sdhci-brcmstb.c
+index c9442499876c..57e45951644e 100644
+--- a/drivers/mmc/host/sdhci-brcmstb.c
++++ b/drivers/mmc/host/sdhci-brcmstb.c
+@@ -116,7 +116,7 @@ static void sdhci_brcmstb_restore_regs(struct mmc_host *mmc, enum cfg_core_ver v
+ writel(sr->boot_main_ctl, priv->boot_regs + SDIO_BOOT_MAIN_CTL);
+
+ if (ver == SDIO_CFG_CORE_V1) {
+- writel(sr->sd_pin_sel, cr + SDIO_CFG_SD_PIN_SEL);
++ writel(sr->sd_pin_sel, cr + SDIO_CFG_V1_SD_PIN_SEL);
+ return;
+ }
+
+--
+2.53.0
+
revert-usb-gadget-f_ncm-align-net_device-lifecycle-with-bind-unbind.patch
revert-usb-gadget-u_ether-add-gether_opts-for-config-caching.patch
usb-gadget-f_ncm-fix-net_device-lifecycle-with-device_move.patch
+mm-tracing-rss_stat-ensure-curr-is-false-from-kthread-context.patch
+mm-kfence-fix-kasan-hardware-tag-faults-during-late-enablement.patch
+mmc-mmci-fix-device_node-reference-leak-in-of_get_dml_pipe_index.patch
+mm-kfence-disable-kfence-upon-kasan-hw-tags-enablement.patch
+mmc-sdhci-brcmstb-use-correct-register-offset-for-v1-pin_sel-restore.patch
+mmc-dw_mmc-rockchip-fix-runtime-pm-support-for-internal-phase-support.patch
+mmc-core-avoid-bitfield-rmw-for-claim-retune-flags.patch
+asoc-qcom-qdsp6-fix-q6apm-remove-ordering-during-adsp-stop-and-start.patch
+tipc-fix-divide-by-zero-in-tipc_sk_filter_connect.patch
+firmware-stratix10-rsu-fix-null-pointer-dereference-when-rsu-is-disabled.patch
+kprobes-avoid-crash-when-rmmod-insmod-after-ftrace-killed.patch
+ceph-add-a-bunch-of-missing-ceph_path_info-initializers.patch
+libceph-fix-potential-out-of-bounds-access-in-ceph_handle_auth_reply.patch
+drm-gud-fix-null-crtc-dereference-on-display-disable.patch
+libceph-reject-preamble-if-control-segment-is-empty.patch
+libceph-prevent-potential-out-of-bounds-reads-in-process_message_header.patch
+libceph-use-u32-for-non-negative-values-in-ceph_monmap_decode.patch
+libceph-admit-message-frames-only-in-ceph_con_s_open-state.patch
+ceph-fix-i_nlink-underrun-during-async-unlink.patch
+ceph-do-not-skip-the-first-folio-of-the-next-object-in-writeback.patch
+ceph-fix-memory-leaks-in-ceph_mdsc_build_path.patch
--- /dev/null
+From 6c5a9baa15de240e747263aba435a0951da8d8d2 Mon Sep 17 00:00:00 2001
+From: Mehul Rao <mehulrao@gmail.com>
+Date: Tue, 10 Mar 2026 13:07:30 -0400
+Subject: tipc: fix divide-by-zero in tipc_sk_filter_connect()
+
+From: Mehul Rao <mehulrao@gmail.com>
+
+commit 6c5a9baa15de240e747263aba435a0951da8d8d2 upstream.
+
+A user can set conn_timeout to any value via
+setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a
+SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in
+tipc_sk_filter_connect() executes:
+
+ delay %= (tsk->conn_timeout / 4);
+
+If conn_timeout is in the range [0, 3], the integer division yields 0,
+and the modulo operation triggers a divide-by-zero exception, causing a
+kernel oops/panic.
+
+Fix this by clamping conn_timeout to a minimum of 4 at the point of use
+in tipc_sk_filter_connect().
+
+Oops: divide error: 0000 [#1] SMP KASAN NOPTI
+CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+
+RIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362)
+Call Trace:
+ tipc_sk_backlog_rcv (include/linux/instrumented.h:82 include/linux/atomic/atomic-instrumented.h:32 include/net/sock.h:2357 net/tipc/socket.c:2406)
+ __release_sock (include/net/sock.h:1185 net/core/sock.c:3213)
+ release_sock (net/core/sock.c:3797)
+ tipc_connect (net/tipc/socket.c:2570)
+ __sys_connect (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:2098)
+
+Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mehul Rao <mehulrao@gmail.com>
+Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
+Link: https://patch.msgid.link/20260310170730.28841-1-mehulrao@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2233,6 +2233,8 @@ static bool tipc_sk_filter_connect(struc
+ if (skb_queue_empty(&sk->sk_write_queue))
+ break;
+ get_random_bytes(&delay, 2);
++ if (tsk->conn_timeout < 4)
++ tsk->conn_timeout = 4;
+ delay %= (tsk->conn_timeout / 4);
+ delay = msecs_to_jiffies(delay + 100);
+ sk_reset_timer(sk, &sk->sk_timer, jiffies + delay);
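Review bot: The added clamp writes the clamped value back into `tsk->conn_timeout`, so a receive-path overload reply now silently rewrites a socket option the user set via setsockopt(TIPC_CONN_TIMEOUT); if a value below 4 (in particular 0) carries a distinct meaning elsewhere in the socket code, that meaning is lost after the first retry. Clamping only the divisor avoids the side effect while still preventing the divide-by-zero: `delay %= (max_t(u32, tsk->conn_timeout, 4) / 4);` (with the type matching however conn_timeout is declared), or the lower bound could be enforced once in the setsockopt handler, which is outside this hunk. Whichever form is kept, a one-line comment such as `/* conn_timeout < 4 would make the divisor 0 */` explains the otherwise magic constant. tipc_sk_filter_connect begins outside the hunk.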