--- /dev/null
+From stable+bounces-227513-greg=kroah.com@vger.kernel.org Fri Mar 20 11:21:06 2026
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 20 Mar 2026 11:20:40 +0100
+Subject: batman-adv: avoid OGM aggregation when skb tailroom is insufficient
+To: stable@vger.kernel.org
+Cc: Yang Yang <n05ec@lzu.edu.cn>, Yifan Wu <yifanwucs@gmail.com>, Juefei Pu <tomapufckgml@gmail.com>, Yuan Tan <tanyuan98@outlook.com>, Xin Liu <bird@lzu.edu.cn>, Sven Eckelmann <sven@narfation.org>, Simon Wunderlich <sw@simonwunderlich.de>
+Message-ID: <20260320102040.1648972-1-sven@narfation.org>
+
+From: Yang Yang <n05ec@lzu.edu.cn>
+
+commit 0d4aef630be9d5f9c1227d07669c26c4383b5ad0 upstream.
+
+When OGM aggregation state is toggled at runtime, an existing forwarded
+packet may have been allocated with only packet_len bytes, while a later
+packet can still be selected for aggregation. Appending in this case can
+hit skb_put overflow conditions.
+
+Reject aggregation when the target skb tailroom cannot accommodate the new
+packet. The caller then falls back to creating a new forward packet
+instead of appending.
+
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Cc: stable@vger.kernel.org
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
+Signed-off-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Ao Zhou <n05ec@lzu.edu.cn>
+Signed-off-by: Yang Yang <n05ec@lzu.edu.cn>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+[ Adjust context ]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_iv_ogm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -464,6 +464,9 @@ batadv_iv_ogm_can_aggregate(const struct
+ !time_after_eq(aggregation_end_time, forw_packet->send_time))
+ return false;
+
++ if (skb_tailroom(forw_packet->skb) < packet_len)
++ return false;
++
+ if (aggregated_bytes > BATADV_MAX_AGGREGATION_BYTES)
+ return false;
+
--- /dev/null
+From stable+bounces-227348-greg=kroah.com@vger.kernel.org Thu Mar 19 18:18:47 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 13:04:44 -0400
+Subject: btrfs: fix transaction abort when snapshotting received subvolumes
+To: stable@vger.kernel.org
+Cc: Filipe Manana <fdmanana@suse.com>, Boris Burkov <boris@bur.io>, Qu Wenruo <wqu@suse.com>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319170444.2747784-1-sashal@kernel.org>
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit e1b18b959025e6b5dbad668f391f65d34b39595a ]
+
+Currently a user can trigger a transaction abort by snapshotting a
+previously received snapshot a bunch of times until we reach a
+BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we
+can store in a leaf). This is very likely not common in practice, but
+if it happens, it turns the filesystem into RO mode. The snapshot, send
+and set_received_subvol and subvol_setflags (used by receive) don't
+require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user
+could use this to turn a filesystem into RO mode and disrupt a system.
+
+Reproducer script:
+
+ $ cat test.sh
+ #!/bin/bash
+
+ DEV=/dev/sdi
+ MNT=/mnt/sdi
+
+ # Use smallest node size to make the test faster.
+ mkfs.btrfs -f --nodesize 4K $DEV
+ mount $DEV $MNT
+
+ # Create a subvolume and set it to RO so that it can be used for send.
+ btrfs subvolume create $MNT/sv
+ touch $MNT/sv/foo
+ btrfs property set $MNT/sv ro true
+
+ # Send and receive the subvolume into snaps/sv.
+ mkdir $MNT/snaps
+ btrfs send $MNT/sv | btrfs receive $MNT/snaps
+
+ # Now snapshot the received subvolume, which has a received_uuid, a
+ # lot of times to trigger the leaf overflow.
+ total=500
+ for ((i = 1; i <= $total; i++)); do
+ echo -ne "\rCreating snapshot $i/$total"
+ btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null
+ done
+ echo
+
+ umount $MNT
+
+When running the test:
+
+ $ ./test.sh
+ (...)
+ Create subvolume '/mnt/sdi/sv'
+ At subvol /mnt/sdi/sv
+ At subvol sv
+ Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type
+ Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system
+ Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system
+ Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system
+ Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system
+
+And in dmesg/syslog:
+
+ $ dmesg
+ (...)
+ [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!
+ [251067.629212] ------------[ cut here ]------------
+ [251067.630033] BTRFS: Transaction aborted (error -75)
+ [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235
+ [251067.632851] Modules linked in: btrfs dm_zero (...)
+ [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
+ [251067.646165] Tainted: [W]=WARN
+ [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
+ [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]
+ [251067.649984] Code: f0 48 0f (...)
+ [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292
+ [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3
+ [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750
+ [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820
+ [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0
+ [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5
+ [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000
+ [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0
+ [251067.661972] Call Trace:
+ [251067.662292] <TASK>
+ [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs]
+ [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs]
+ [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]
+ [251067.665238] ? _raw_spin_unlock+0x15/0x30
+ [251067.665837] ? record_root_in_trans+0xa2/0xd0 [btrfs]
+ [251067.666531] btrfs_mksubvol+0x330/0x580 [btrfs]
+ [251067.667145] btrfs_mksnapshot+0x74/0xa0 [btrfs]
+ [251067.667827] __btrfs_ioctl_snap_create+0x194/0x1d0 [btrfs]
+ [251067.668595] btrfs_ioctl_snap_create_v2+0x107/0x130 [btrfs]
+ [251067.669479] btrfs_ioctl+0x1580/0x2690 [btrfs]
+ [251067.670093] ? count_memcg_events+0x6d/0x180
+ [251067.670849] ? handle_mm_fault+0x1a0/0x2a0
+ [251067.671652] __x64_sys_ioctl+0x92/0xe0
+ [251067.672406] do_syscall_64+0x50/0xf20
+ [251067.673129] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ [251067.674096] RIP: 0033:0x7f2a495648db
+ [251067.674812] Code: 00 48 89 (...)
+ [251067.678227] RSP: 002b:00007ffc5aa57840 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+ [251067.679691] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2a495648db
+ [251067.681145] RDX: 00007ffc5aa588b0 RSI: 0000000050009417 RDI: 0000000000000004
+ [251067.682511] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+ [251067.683842] R10: 000000000000000a R11: 0000000000000246 R12: 00007ffc5aa59910
+ [251067.685176] R13: 00007ffc5aa588b0 R14: 0000000000000004 R15: 0000000000000006
+ [251067.686524] </TASK>
+ [251067.686972] ---[ end trace 0000000000000000 ]---
+ [251067.687890] BTRFS: error (device sdi state A) in create_pending_snapshot:1907: errno=-75 unknown
+ [251067.689049] BTRFS info (device sdi state EA): forced readonly
+ [251067.689054] BTRFS warning (device sdi state EA): Skipping commit of aborted transaction.
+ [251067.690119] BTRFS: error (device sdi state EA) in cleanup_transaction:2043: errno=-75 unknown
+ [251067.702028] BTRFS info (device sdi state EA): last unmount of filesystem 46dc3975-30a2-4a69-a18f-418b859cccda
+
+Fix this by ignoring -EOVERFLOW errors from btrfs_uuid_tree_add() in the
+snapshot creation code when attempting to add the
+BTRFS_UUID_KEY_RECEIVED_SUBVOL item. This is OK because it's not critical
+and we are still able to delete the snapshot, as snapshot/subvolume
+deletion ignores if a BTRFS_UUID_KEY_RECEIVED_SUBVOL is missing (see
+inode.c:btrfs_delete_subvolume()). As for send/receive, we can still do
+send/receive operations since it always peeks the first root ID in the
+existing BTRFS_UUID_KEY_RECEIVED_SUBVOL (it could peek any since all
+snapshots have the same content), and even if the key is missing, it
+falls back to searching by BTRFS_UUID_KEY_SUBVOL key.
+
+A test case for fstests will be sent soon.
+
+Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
+CC: stable@vger.kernel.org # 3.12+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ adapted error check condition to omit unlikely() wrapper ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/transaction.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -1894,6 +1894,22 @@ static noinline int create_pending_snaps
+ ret = btrfs_uuid_tree_add(trans, new_root_item->received_uuid,
+ BTRFS_UUID_KEY_RECEIVED_SUBVOL,
+ objectid);
++ /*
++ * We are creating of lot of snapshots of the same root that was
++ * received (has a received UUID) and reached a leaf's limit for
++ * an item. We can safely ignore this and avoid a transaction
++ * abort. A deletion of this snapshot will still work since we
++ * ignore if an item with a BTRFS_UUID_KEY_RECEIVED_SUBVOL key
++ * is missing (see btrfs_delete_subvolume()). Send/receive will
++ * work too since it peeks the first root id from the existing
++ * item (it could peek any), and in case it's missing it
++ * falls back to search by BTRFS_UUID_KEY_SUBVOL keys.
++ * Creation of a snapshot does not require CAP_SYS_ADMIN, so
++ * we don't want users triggering transaction aborts, either
++ * intentionally or not.
++ */
++ if (ret == -EOVERFLOW)
++ ret = 0;
+ if (ret && ret != -EEXIST) {
+ btrfs_abort_transaction(trans, ret);
+ goto fail;
--- /dev/null
+From bb5f1cd10101c2567bff4d0e760b74aee7c42f44 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jouni=20H=C3=B6gander?= <jouni.hogander@intel.com>
+Date: Wed, 4 Mar 2026 13:30:10 +0200
+Subject: drm/i915/dsc: Add helper for writing DSC Selective Update ET parameters
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jouni Högander <jouni.hogander@intel.com>
+
+commit bb5f1cd10101c2567bff4d0e760b74aee7c42f44 upstream.
+
+There are slice row per frame and pic height configuration in DSC Selective
+Update Parameter Set 1 register. Add helper for configuring these.
+
+v2:
+ - Add WARN_ON_ONCE if vdsc instances per pipe > 2
+ - instead of checking vdsc instances per pipe being > 1 check == 2
+
+Bspec: 71709
+Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
+Reviewed-by: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
+Link: https://patch.msgid.link/20260304113011.626542-4-jouni.hogander@intel.com
+(cherry picked from commit c8698d61aeb3f70fe33761ee9d3d0e131b5bc2eb)
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+[tursulin: fixup forward declaration conflict]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_vdsc.c | 23 +++++++++++++++++++++++
+ drivers/gpu/drm/i915/display/intel_vdsc.h | 3 +++
+ 2 files changed, 26 insertions(+)
+
+--- a/drivers/gpu/drm/i915/display/intel_vdsc.c
++++ b/drivers/gpu/drm/i915/display/intel_vdsc.c
+@@ -723,6 +723,29 @@ void intel_dsc_dp_pps_write(struct intel
+ sizeof(dp_dsc_pps_sdp));
+ }
+
++void intel_dsc_su_et_parameters_configure(struct intel_dsb *dsb, struct intel_encoder *encoder,
++ const struct intel_crtc_state *crtc_state, int su_lines)
++{
++ struct intel_display *display = to_intel_display(crtc_state);
++ struct intel_crtc *crtc = to_intel_crtc(crtc_state->uapi.crtc);
++ const struct drm_dsc_config *vdsc_cfg = &crtc_state->dsc.config;
++ enum pipe pipe = crtc->pipe;
++ int vdsc_instances_per_pipe = intel_dsc_get_vdsc_per_pipe(crtc_state);
++ int slice_row_per_frame = su_lines / vdsc_cfg->slice_height;
++ u32 val;
++
++ drm_WARN_ON_ONCE(display->drm, su_lines % vdsc_cfg->slice_height);
++ drm_WARN_ON_ONCE(display->drm, vdsc_instances_per_pipe > 2);
++
++ val = DSC_SUPS0_SU_SLICE_ROW_PER_FRAME(slice_row_per_frame);
++ val |= DSC_SUPS0_SU_PIC_HEIGHT(su_lines);
++
++ intel_de_write_dsb(display, dsb, LNL_DSC0_SU_PARAMETER_SET_0(pipe), val);
++
++ if (vdsc_instances_per_pipe == 2)
++ intel_de_write_dsb(display, dsb, LNL_DSC1_SU_PARAMETER_SET_0(pipe), val);
++}
++
+ static i915_reg_t dss_ctl1_reg(struct intel_crtc *crtc, enum transcoder cpu_transcoder)
+ {
+ return is_pipe_dsc(crtc, cpu_transcoder) ?
+--- a/drivers/gpu/drm/i915/display/intel_vdsc.h
++++ b/drivers/gpu/drm/i915/display/intel_vdsc.h
+@@ -13,6 +13,7 @@ struct drm_printer;
+ enum transcoder;
+ struct intel_crtc;
+ struct intel_crtc_state;
++struct intel_dsb;
+ struct intel_encoder;
+
+ bool intel_dsc_source_support(const struct intel_crtc_state *crtc_state);
+@@ -29,6 +30,8 @@ void intel_dsc_dsi_pps_write(struct inte
+ const struct intel_crtc_state *crtc_state);
+ void intel_dsc_dp_pps_write(struct intel_encoder *encoder,
+ const struct intel_crtc_state *crtc_state);
++void intel_dsc_su_et_parameters_configure(struct intel_dsb *dsb, struct intel_encoder *encoder,
++ const struct intel_crtc_state *crtc_state, int su_lines);
+ void intel_vdsc_state_dump(struct drm_printer *p, int indent,
+ const struct intel_crtc_state *crtc_state);
+
--- /dev/null
+From c2c79c6d5b939ae8a42ddb884f576bddae685672 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jouni=20H=C3=B6gander?= <jouni.hogander@intel.com>
+Date: Wed, 4 Mar 2026 13:30:09 +0200
+Subject: drm/i915/dsc: Add Selective Update register definitions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jouni Högander <jouni.hogander@intel.com>
+
+commit c2c79c6d5b939ae8a42ddb884f576bddae685672 upstream.
+
+Add definitions for DSC_SU_PARAMETER_SET_0_DSC0 and
+DSC_SU_PARAMETER_SET_0_DSC1 registers. These are for Selective Update Early
+Transport configuration.
+
+Bspec: 71709
+Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
+Reviewed-by: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
+Link: https://patch.msgid.link/20260304113011.626542-3-jouni.hogander@intel.com
+(cherry picked from commit 24f96d903daf3dcf8fafe84d3d22b80ef47ba493)
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_vdsc_regs.h | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/gpu/drm/i915/display/intel_vdsc_regs.h
++++ b/drivers/gpu/drm/i915/display/intel_vdsc_regs.h
+@@ -186,6 +186,18 @@
+ #define DSC_PPS18_NSL_BPG_OFFSET(offset) REG_FIELD_PREP(DSC_PPS18_NSL_BPG_OFFSET_MASK, offset)
+ #define DSC_PPS18_SL_OFFSET_ADJ(offset) REG_FIELD_PREP(DSC_PPS18_SL_OFFSET_ADJ_MASK, offset)
+
++#define _LNL_DSC0_SU_PARAMETER_SET_0_PA 0x78064
++#define _LNL_DSC1_SU_PARAMETER_SET_0_PA 0x78164
++#define _LNL_DSC0_SU_PARAMETER_SET_0_PB 0x78264
++#define _LNL_DSC1_SU_PARAMETER_SET_0_PB 0x78364
++#define LNL_DSC0_SU_PARAMETER_SET_0(pipe) _MMIO_PIPE((pipe), _LNL_DSC0_SU_PARAMETER_SET_0_PA, _LNL_DSC0_SU_PARAMETER_SET_0_PB)
++#define LNL_DSC1_SU_PARAMETER_SET_0(pipe) _MMIO_PIPE((pipe), _LNL_DSC1_SU_PARAMETER_SET_0_PA, _LNL_DSC1_SU_PARAMETER_SET_0_PB)
++
++#define DSC_SUPS0_SU_SLICE_ROW_PER_FRAME_MASK REG_GENMASK(31, 20)
++#define DSC_SUPS0_SU_SLICE_ROW_PER_FRAME(rows) REG_FIELD_PREP(DSC_SUPS0_SU_SLICE_ROW_PER_FRAME_MASK, (rows))
++#define DSC_SUPS0_SU_PIC_HEIGHT_MASK REG_GENMASK(15, 0)
++#define DSC_SUPS0_SU_PIC_HEIGHT(h) REG_FIELD_PREP(DSC_SUPS0_SU_PIC_HEIGHT_MASK, (h))
++
+ /* Icelake Rate Control Buffer Threshold Registers */
+ #define DSCA_RC_BUF_THRESH_0 _MMIO(0x6B230)
+ #define DSCA_RC_BUF_THRESH_0_UDW _MMIO(0x6B230 + 4)
--- /dev/null
+From 5923a6e0459fdd3edac4ad5abccb24d777d8f1b6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jouni=20H=C3=B6gander?= <jouni.hogander@intel.com>
+Date: Wed, 4 Mar 2026 13:30:11 +0200
+Subject: drm/i915/psr: Write DSC parameters on Selective Update in ET mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jouni Högander <jouni.hogander@intel.com>
+
+commit 5923a6e0459fdd3edac4ad5abccb24d777d8f1b6 upstream.
+
+There are slice row per frame and pic height parameters in DSC that needs
+to be configured on every Selective Update in Early Transport mode. Use
+helper provided by DSC code to configure these on Selective Update when in
+Early Transport mode. Also fill crtc_state->psr2_su_area with full frame
+area on full frame update for DSC calculation.
+
+v2: move psr2_su_area under skip_sel_fetch_set_loop label
+
+Bspec: 68927, 71709
+Fixes: 467e4e061c44 ("drm/i915/psr: Enable psr2 early transport as possible")
+Cc: <stable@vger.kernel.org> # v6.9+
+Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
+Reviewed-by: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
+Link: https://patch.msgid.link/20260304113011.626542-5-jouni.hogander@intel.com
+(cherry picked from commit 3140af2fab505a4cd47d516284529bf1585628be)
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_psr.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/gpu/drm/i915/display/intel_psr.c
++++ b/drivers/gpu/drm/i915/display/intel_psr.c
+@@ -41,6 +41,7 @@
+ #include "intel_psr.h"
+ #include "intel_psr_regs.h"
+ #include "intel_snps_phy.h"
++#include "intel_vdsc.h"
+ #include "skl_universal_plane.h"
+
+ /**
+@@ -2312,6 +2313,12 @@ void intel_psr2_program_trans_man_trk_ct
+
+ intel_de_write(display, PIPE_SRCSZ_ERLY_TPT(crtc->pipe),
+ crtc_state->pipe_srcsz_early_tpt);
++
++ if (!crtc_state->dsc.compression_enable)
++ return;
++
++ intel_dsc_su_et_parameters_configure(NULL, encoder, crtc_state,
++ drm_rect_height(&crtc_state->psr2_su_area));
+ }
+
+ static void psr2_man_trk_ctl_calc(struct intel_crtc_state *crtc_state,
+@@ -2693,6 +2700,10 @@ int intel_psr2_sel_fetch_update(struct i
+ }
+
+ skip_sel_fetch_set_loop:
++ if (full_update)
++ clip_area_update(&crtc_state->psr2_su_area, &crtc_state->pipe_src,
++ &crtc_state->pipe_src);
++
+ psr2_man_trk_ctl_calc(crtc_state, full_update);
+ crtc_state->pipe_srcsz_early_tpt =
+ psr2_pipe_srcsz_early_tpt_calc(crtc_state, full_update);
--- /dev/null
+From stable+bounces-227294-greg=kroah.com@vger.kernel.org Thu Mar 19 14:39:21 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 09:39:12 -0400
+Subject: kprobes: Remove unneeded goto
+To: stable@vger.kernel.org
+Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319133913.2477768-1-sashal@kernel.org>
+
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+
+[ Upstream commit 5e5b8b49335971b68b54afeb0e7ded004945af07 ]
+
+Remove unneeded gotos. Since the labels referred by these gotos have
+only one reference for each, we can replace those gotos with the
+referred code.
+
+Link: https://lore.kernel.org/all/173371211203.480397.13988907319659165160.stgit@devnote2/
+
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Stable-dep-of: 5ef268cb7a0a ("kprobes: Remove unneeded warnings from __arm_kprobe_ftrace()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kprobes.c | 45 +++++++++++++++++++++------------------------
+ 1 file changed, 21 insertions(+), 24 deletions(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1082,20 +1082,18 @@ static int __arm_kprobe_ftrace(struct kp
+
+ if (*cnt == 0) {
+ ret = register_ftrace_function(ops);
+- if (WARN(ret < 0, "Failed to register kprobe-ftrace (error %d)\n", ret))
+- goto err_ftrace;
++ if (WARN(ret < 0, "Failed to register kprobe-ftrace (error %d)\n", ret)) {
++ /*
++ * At this point, sinec ops is not registered, we should be sefe from
++ * registering empty filter.
++ */
++ ftrace_set_filter_ip(ops, (unsigned long)p->addr, 1, 0);
++ return ret;
++ }
+ }
+
+ (*cnt)++;
+ return ret;
+-
+-err_ftrace:
+- /*
+- * At this point, sinec ops is not registered, we should be sefe from
+- * registering empty filter.
+- */
+- ftrace_set_filter_ip(ops, (unsigned long)p->addr, 1, 0);
+- return ret;
+ }
+
+ static int arm_kprobe_ftrace(struct kprobe *p)
+@@ -1456,7 +1454,7 @@ _kprobe_addr(kprobe_opcode_t *addr, cons
+ unsigned long offset, bool *on_func_entry)
+ {
+ if ((symbol_name && addr) || (!symbol_name && !addr))
+- goto invalid;
++ return ERR_PTR(-EINVAL);
+
+ if (symbol_name) {
+ /*
+@@ -1486,11 +1484,10 @@ _kprobe_addr(kprobe_opcode_t *addr, cons
+ * at the start of the function.
+ */
+ addr = arch_adjust_kprobe_addr((unsigned long)addr, offset, on_func_entry);
+- if (addr)
+- return addr;
++ if (!addr)
++ return ERR_PTR(-EINVAL);
+
+-invalid:
+- return ERR_PTR(-EINVAL);
++ return addr;
+ }
+
+ static kprobe_opcode_t *kprobe_addr(struct kprobe *p)
+@@ -1513,15 +1510,15 @@ static struct kprobe *__get_valid_kprobe
+ if (unlikely(!ap))
+ return NULL;
+
+- if (p != ap) {
+- list_for_each_entry(list_p, &ap->list, list)
+- if (list_p == p)
+- /* kprobe p is a valid probe */
+- goto valid;
+- return NULL;
+- }
+-valid:
+- return ap;
++ if (p == ap)
++ return ap;
++
++ list_for_each_entry(list_p, &ap->list, list)
++ if (list_p == p)
++ /* kprobe p is a valid probe */
++ return ap;
++
++ return NULL;
+ }
+
+ /*
--- /dev/null
+From stable+bounces-227295-greg=kroah.com@vger.kernel.org Thu Mar 19 14:39:20 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 09:39:13 -0400
+Subject: kprobes: Remove unneeded warnings from __arm_kprobe_ftrace()
+To: stable@vger.kernel.org
+Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>, Zw Tang <shicenci@gmail.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319133913.2477768-2-sashal@kernel.org>
+
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+
+[ Upstream commit 5ef268cb7a0aac55521fd9881f1939fa94a8988e ]
+
+Remove unneeded warnings for handled errors from __arm_kprobe_ftrace()
+because all caller handled the error correctly.
+
+Link: https://lore.kernel.org/all/177261531182.1312989.8737778408503961141.stgit@mhiramat.tok.corp.google.com/
+
+Reported-by: Zw Tang <shicenci@gmail.com>
+Closes: https://lore.kernel.org/all/CAPHJ_V+J6YDb_wX2nhXU6kh466Dt_nyDSas-1i_Y8s7tqY-Mzw@mail.gmail.com/
+Fixes: 9c89bb8e3272 ("kprobes: treewide: Cleanup the error messages for kprobes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kprobes.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1077,12 +1077,12 @@ static int __arm_kprobe_ftrace(struct kp
+ lockdep_assert_held(&kprobe_mutex);
+
+ ret = ftrace_set_filter_ip(ops, (unsigned long)p->addr, 0, 0);
+- if (WARN_ONCE(ret < 0, "Failed to arm kprobe-ftrace at %pS (error %d)\n", p->addr, ret))
++ if (ret < 0)
+ return ret;
+
+ if (*cnt == 0) {
+ ret = register_ftrace_function(ops);
+- if (WARN(ret < 0, "Failed to register kprobe-ftrace (error %d)\n", ret)) {
++ if (ret < 0) {
+ /*
+ * At this point, sinec ops is not registered, we should be sefe from
+ * registering empty filter.
--- /dev/null
+From 282343cf8a4a5a3603b1cb0e17a7083e4a593b03 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 13 Mar 2026 10:00:58 +0900
+Subject: ksmbd: unset conn->binding on failed binding request
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 282343cf8a4a5a3603b1cb0e17a7083e4a593b03 upstream.
+
+When a multichannel SMB2_SESSION_SETUP request with
+SMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true
+but never clears it on the error path. This leaves the connection in
+a binding state where all subsequent ksmbd_session_lookup_all() calls
+fall back to the global sessions table. This fix it by clearing
+conn->binding = false in the error path.
+
+Cc: stable@vger.kernel.org
+Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1954,6 +1954,7 @@ out_err:
+ }
+ }
+ smb2_set_err_rsp(work);
++ conn->binding = false;
+ } else {
+ unsigned int iov_len;
+
--- /dev/null
+From 3a64125730cabc34fccfbc230c2667c2e14f7308 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 13 Mar 2026 10:01:29 +0900
+Subject: ksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 3a64125730cabc34fccfbc230c2667c2e14f7308 upstream.
+
+Use sb->s_uuid for a proper volume identifier as the primary choice.
+For filesystems that do not provide a UUID, fall back to stfs.f_fsid
+obtained from vfs_statfs().
+
+Cc: stable@vger.kernel.org
+Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -5438,7 +5438,6 @@ static int smb2_get_info_filesystem(stru
+ struct smb2_query_info_req *req,
+ struct smb2_query_info_rsp *rsp)
+ {
+- struct ksmbd_session *sess = work->sess;
+ struct ksmbd_conn *conn = work->conn;
+ struct ksmbd_share_config *share = work->tcon->share_conf;
+ int fsinfoclass = 0;
+@@ -5568,10 +5567,11 @@ static int smb2_get_info_filesystem(stru
+
+ info = (struct object_id_info *)(rsp->Buffer);
+
+- if (!user_guest(sess->user))
+- memcpy(info->objid, user_passkey(sess->user), 16);
++ if (path.mnt->mnt_sb->s_uuid_len == 16)
++ memcpy(info->objid, path.mnt->mnt_sb->s_uuid.b,
++ path.mnt->mnt_sb->s_uuid_len);
+ else
+- memset(info->objid, 0, 16);
++ memcpy(info->objid, &stfs.f_fsid, sizeof(stfs.f_fsid));
+
+ info->extended_info.magic = cpu_to_le32(EXTENDED_INFO_MAGIC);
+ info->extended_info.version = cpu_to_le32(1);
+++ /dev/null
-From stable+bounces-222393-greg=kroah.com@vger.kernel.org Sun Mar 1 03:36:28 2026
-From: Xiaolei Wang <xiaolei.wang@windriver.com>
-Date: Sun, 1 Mar 2026 10:35:32 +0800
-Subject: media: i2c: ov5647: use our own mutex for the ctrl lock
-To: sashal@kernel.org, stable@vger.kernel.org
-Cc: sakari.ailus@linux.intel.com, hverkuil+cisco@kernel.org, Xiaolei.Wang@windriver.com
-Message-ID: <20260301023535.2438766-1-xiaolei.wang@windriver.com>
-
-From: Xiaolei Wang <xiaolei.wang@windriver.com>
-
-[ Upstream commit 973e42fd5d2b397bff34f0c249014902dbf65912 ]
-
-__v4l2_ctrl_handler_setup() and __v4l2_ctrl_modify_range() contains an
-assertion to verify that the v4l2_ctrl_handler::lock is held, as it should
-only be called when the lock has already been acquired. Therefore use our
-own mutex for the ctrl lock, otherwise a warning will be reported.
-
-Fixes: 4974c2f19fd8 ("media: ov5647: Support gain, exposure and AWB controls")
-Cc: stable@vger.kernel.org
-Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
-[Sakari Ailus: Fix a minor conflict.]
-Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
-Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/media/i2c/ov5647.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/media/i2c/ov5647.c
-+++ b/drivers/media/i2c/ov5647.c
-@@ -1293,6 +1293,8 @@ static int ov5647_init_controls(struct o
-
- sensor->ctrls.lock = &sensor->lock;
-
-+ sensor->ctrls.lock = &sensor->lock;
-+
- v4l2_ctrl_new_std(&sensor->ctrls, &ov5647_ctrl_ops,
- V4L2_CID_AUTOGAIN, 0, 1, 1, 0);
-
--- /dev/null
+From stable+bounces-227549-greg=kroah.com@vger.kernel.org Fri Mar 20 15:14:09 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Mar 2026 10:14:00 -0400
+Subject: net: macb: Introduce gem_init_rx_ring()
+To: stable@vger.kernel.org
+Cc: Kevin Hao <haokexin@gmail.com>, Simon Horman <horms@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260320141401.4172666-1-sashal@kernel.org>
+
+From: Kevin Hao <haokexin@gmail.com>
+
+[ Upstream commit 1a7124ecd655bcaf1845197fe416aa25cff4c3ea ]
+
+Extract the initialization code for the GEM RX ring into a new function.
+This change will be utilized in a subsequent patch. No functional changes
+are introduced.
+
+Signed-off-by: Kevin Hao <haokexin@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260312-macb-versal-v1-1-467647173fa4@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 718d0766ce4c ("net: macb: Reinitialize tx/rx queue pointer registers and rx ring during resume")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -2700,6 +2700,14 @@ static void macb_init_tieoff(struct macb
+ desc->ctrl = 0;
+ }
+
++static void gem_init_rx_ring(struct macb_queue *queue)
++{
++ queue->rx_tail = 0;
++ queue->rx_prepared_head = 0;
++
++ gem_rx_refill(queue);
++}
++
+ static void gem_init_rings(struct macb *bp)
+ {
+ struct macb_queue *queue;
+@@ -2717,10 +2725,7 @@ static void gem_init_rings(struct macb *
+ queue->tx_head = 0;
+ queue->tx_tail = 0;
+
+- queue->rx_tail = 0;
+- queue->rx_prepared_head = 0;
+-
+- gem_rx_refill(queue);
++ gem_init_rx_ring(queue);
+ }
+
+ macb_init_tieoff(bp);
--- /dev/null
+From stable+bounces-227550-greg=kroah.com@vger.kernel.org Fri Mar 20 15:14:13 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Mar 2026 10:14:01 -0400
+Subject: net: macb: Reinitialize tx/rx queue pointer registers and rx ring during resume
+To: stable@vger.kernel.org
+Cc: Kevin Hao <haokexin@gmail.com>, Quanyang Wang <quanyang.wang@windriver.com>, Simon Horman <horms@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260320141401.4172666-2-sashal@kernel.org>
+
+From: Kevin Hao <haokexin@gmail.com>
+
+[ Upstream commit 718d0766ce4c7634ce62fa78b526ea7263487edd ]
+
+On certain platforms, such as AMD Versal boards, the tx/rx queue pointer
+registers are cleared after suspend, and the rx queue pointer register
+is also disabled during suspend if WOL is enabled. Previously, we assumed
+that these registers would be restored by macb_mac_link_up(). However,
+in commit bf9cf80cab81, macb_init_buffers() was moved from
+macb_mac_link_up() to macb_open(). Therefore, we should call
+macb_init_buffers() to reinitialize the tx/rx queue pointer registers
+during resume.
+
+Due to the reset of these two registers, we also need to adjust the
+tx/rx rings accordingly. The tx ring will be handled by
+gem_shuffle_tx_rings() in macb_mac_link_up(), so we only need to
+initialize the rx ring here.
+
+Fixes: bf9cf80cab81 ("net: macb: Fix tx/rx malfunction after phy link down and up")
+Reported-by: Quanyang Wang <quanyang.wang@windriver.com>
+Signed-off-by: Kevin Hao <haokexin@gmail.com>
+Tested-by: Quanyang Wang <quanyang.wang@windriver.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260312-macb-versal-v1-2-467647173fa4@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -5527,8 +5527,18 @@ static int __maybe_unused macb_resume(st
+ rtnl_unlock();
+ }
+
++ if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC))
++ macb_init_buffers(bp);
++
+ for (q = 0, queue = bp->queues; q < bp->num_queues;
+ ++q, ++queue) {
++ if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC)) {
++ if (macb_is_gem(bp))
++ gem_init_rx_ring(queue);
++ else
++ macb_init_rx_ring(queue);
++ }
++
+ napi_enable(&queue->napi_rx);
+ napi_enable(&queue->napi_tx);
+ }
--- /dev/null
+From stable+bounces-227285-greg=kroah.com@vger.kernel.org Thu Mar 19 13:55:32 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 08:51:38 -0400
+Subject: powerpc64/bpf: fix kfunc call support
+To: stable@vger.kernel.org
+Cc: Hari Bathini <hbathini@linux.ibm.com>, Madhavan Srinivasan <maddy@linux.ibm.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319125138.2389388-2-sashal@kernel.org>
+
+From: Hari Bathini <hbathini@linux.ibm.com>
+
+[ Upstream commit 01b6ac72729610ae732ca2a66e3a642e23f6cd60 ]
+
+Commit 61688a82e047 ("powerpc/bpf: enable kfunc call") inadvertently
+enabled kfunc call support for 32-bit powerpc but that support will
+not be possible until ABI mismatch between 32-bit powerpc and eBPF is
+handled in 32-bit powerpc JIT code. Till then, advertise support only
+for 64-bit powerpc. Also, in powerpc ABI, caller needs to extend the
+arguments properly based on signedness. The JIT code is responsible
+for handling this explicitly for kfunc calls as verifier can't handle
+this for each architecture-specific ABI needs. But this was not taken
+care of while kfunc call support was enabled for powerpc. Fix it by
+handling this with bpf_jit_find_kfunc_model() and using zero_extend()
+& sign_extend() helper functions.
+
+Fixes: 61688a82e047 ("powerpc/bpf: enable kfunc call")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20260303181031.390073-7-hbathini@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/net/bpf_jit_comp.c | 2
+ arch/powerpc/net/bpf_jit_comp64.c | 101 ++++++++++++++++++++++++++++++++++----
+ 2 files changed, 94 insertions(+), 9 deletions(-)
+
+--- a/arch/powerpc/net/bpf_jit_comp.c
++++ b/arch/powerpc/net/bpf_jit_comp.c
+@@ -362,7 +362,7 @@ void bpf_jit_free(struct bpf_prog *fp)
+
+ bool bpf_jit_supports_kfunc_call(void)
+ {
+- return true;
++ return IS_ENABLED(CONFIG_PPC64);
+ }
+
+ bool bpf_jit_supports_far_kfunc_call(void)
+--- a/arch/powerpc/net/bpf_jit_comp64.c
++++ b/arch/powerpc/net/bpf_jit_comp64.c
+@@ -293,6 +293,83 @@ int bpf_jit_emit_func_call_rel(u32 *imag
+ return 0;
+ }
+
++static int zero_extend(u32 *image, struct codegen_context *ctx, u32 src_reg, u32 dst_reg, u32 size)
++{
++ switch (size) {
++ case 1:
++ /* zero-extend 8 bits into 64 bits */
++ EMIT(PPC_RAW_RLDICL(dst_reg, src_reg, 0, 56));
++ return 0;
++ case 2:
++ /* zero-extend 16 bits into 64 bits */
++ EMIT(PPC_RAW_RLDICL(dst_reg, src_reg, 0, 48));
++ return 0;
++ case 4:
++ /* zero-extend 32 bits into 64 bits */
++ EMIT(PPC_RAW_RLDICL(dst_reg, src_reg, 0, 32));
++ fallthrough;
++ case 8:
++ /* Nothing to do */
++ return 0;
++ default:
++ return -1;
++ }
++}
++
++static int sign_extend(u32 *image, struct codegen_context *ctx, u32 src_reg, u32 dst_reg, u32 size)
++{
++ switch (size) {
++ case 1:
++ /* sign-extend 8 bits into 64 bits */
++ EMIT(PPC_RAW_EXTSB(dst_reg, src_reg));
++ return 0;
++ case 2:
++ /* sign-extend 16 bits into 64 bits */
++ EMIT(PPC_RAW_EXTSH(dst_reg, src_reg));
++ return 0;
++ case 4:
++ /* sign-extend 32 bits into 64 bits */
++ EMIT(PPC_RAW_EXTSW(dst_reg, src_reg));
++ fallthrough;
++ case 8:
++ /* Nothing to do */
++ return 0;
++ default:
++ return -1;
++ }
++}
++
++/*
++ * Handle powerpc ABI expectations from caller:
++ * - Unsigned arguments are zero-extended.
++ * - Signed arguments are sign-extended.
++ */
++static int prepare_for_kfunc_call(const struct bpf_prog *fp, u32 *image,
++ struct codegen_context *ctx,
++ const struct bpf_insn *insn)
++{
++ const struct btf_func_model *m = bpf_jit_find_kfunc_model(fp, insn);
++ int i;
++
++ if (!m)
++ return -1;
++
++ for (i = 0; i < m->nr_args; i++) {
++ /* Note that BPF ABI only allows up to 5 args for kfuncs */
++ u32 reg = bpf_to_ppc(BPF_REG_1 + i), size = m->arg_size[i];
++
++ if (!(m->arg_flags[i] & BTF_FMODEL_SIGNED_ARG)) {
++ if (zero_extend(image, ctx, reg, reg, size))
++ return -1;
++ } else {
++ if (sign_extend(image, ctx, reg, reg, size))
++ return -1;
++ }
++ }
++
++ return 0;
++}
++
+ static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)
+ {
+ /*
+@@ -678,14 +755,16 @@ int bpf_jit_build_body(struct bpf_prog *
+ /* special mov32 for zext */
+ EMIT(PPC_RAW_RLWINM(dst_reg, dst_reg, 0, 0, 31));
+ break;
+- } else if (off == 8) {
+- EMIT(PPC_RAW_EXTSB(dst_reg, src_reg));
+- } else if (off == 16) {
+- EMIT(PPC_RAW_EXTSH(dst_reg, src_reg));
+- } else if (off == 32) {
+- EMIT(PPC_RAW_EXTSW(dst_reg, src_reg));
+- } else if (dst_reg != src_reg)
+- EMIT(PPC_RAW_MR(dst_reg, src_reg));
++ }
++ if (off == 0) {
++ /* MOV */
++ if (dst_reg != src_reg)
++ EMIT(PPC_RAW_MR(dst_reg, src_reg));
++ } else {
++ /* MOVSX: dst = (s8,s16,s32)src (off = 8,16,32) */
++ if (sign_extend(image, ctx, src_reg, dst_reg, off / 8))
++ return -1;
++ }
+ goto bpf_alu32_trunc;
+ case BPF_ALU | BPF_MOV | BPF_K: /* (u32) dst = imm */
+ case BPF_ALU64 | BPF_MOV | BPF_K: /* dst = (s64) imm */
+@@ -1079,6 +1158,12 @@ emit_clear:
+ if (ret < 0)
+ return ret;
+
++ /* Take care of powerpc ABI requirements before kfunc call */
++ if (insn[i].src_reg == BPF_PSEUDO_KFUNC_CALL) {
++ if (prepare_for_kfunc_call(fp, image, ctx, &insn[i]))
++ return -1;
++ }
++
+ ret = bpf_jit_emit_func_call_rel(image, fimage, ctx, func_addr);
+ if (ret)
+ return ret;
--- /dev/null
+From stable+bounces-227284-greg=kroah.com@vger.kernel.org Thu Mar 19 13:55:28 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 08:51:37 -0400
+Subject: powerpc64/bpf: Fold bpf_jit_emit_func_call_hlp() into bpf_jit_emit_func_call_rel()
+To: stable@vger.kernel.org
+Cc: Naveen N Rao <naveen@kernel.org>, Michael Ellerman <mpe@ellerman.id.au>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319125138.2389388-1-sashal@kernel.org>
+
+From: Naveen N Rao <naveen@kernel.org>
+
+[ Upstream commit 9670f6d2097c4f97e15c67920dfddc664d7ee91c ]
+
+Commit 61688a82e047 ("powerpc/bpf: enable kfunc call") enhanced
+bpf_jit_emit_func_call_hlp() to handle calls out to module region, where
+bpf progs are generated. The only difference now between
+bpf_jit_emit_func_call_hlp() and bpf_jit_emit_func_call_rel() is in
+handling of the initial pass where target function address is not known.
+Fold that logic into bpf_jit_emit_func_call_hlp() and rename it to
+bpf_jit_emit_func_call_rel() to simplify bpf function call JIT code.
+
+We don't actually need to load/restore TOC across a call out to a
+different kernel helper or to a different bpf program since they all
+work with the kernel TOC. We only need to do it if we have to call out
+to a module function. So, guard TOC load/restore with appropriate
+conditions.
+
+Signed-off-by: Naveen N Rao <naveen@kernel.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://patch.msgid.link/20241030070850.1361304-10-hbathini@linux.ibm.com
+Stable-dep-of: 01b6ac727296 ("powerpc64/bpf: fix kfunc call support")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/net/bpf_jit_comp64.c | 61 ++++++++++----------------------------
+ 1 file changed, 17 insertions(+), 44 deletions(-)
+
+--- a/arch/powerpc/net/bpf_jit_comp64.c
++++ b/arch/powerpc/net/bpf_jit_comp64.c
+@@ -202,14 +202,22 @@ void bpf_jit_build_epilogue(u32 *image,
+ EMIT(PPC_RAW_BLR());
+ }
+
+-static int
+-bpf_jit_emit_func_call_hlp(u32 *image, u32 *fimage, struct codegen_context *ctx, u64 func)
++int bpf_jit_emit_func_call_rel(u32 *image, u32 *fimage, struct codegen_context *ctx, u64 func)
+ {
+ unsigned long func_addr = func ? ppc_function_entry((void *)func) : 0;
+ long reladdr;
+
+- if (WARN_ON_ONCE(!kernel_text_address(func_addr)))
+- return -EINVAL;
++ /* bpf to bpf call, func is not known in the initial pass. Emit 5 nops as a placeholder */
++ if (!func) {
++ for (int i = 0; i < 5; i++)
++ EMIT(PPC_RAW_NOP());
++ /* elfv1 needs an additional instruction to load addr from descriptor */
++ if (IS_ENABLED(CONFIG_PPC64_ELF_ABI_V1))
++ EMIT(PPC_RAW_NOP());
++ EMIT(PPC_RAW_MTCTR(_R12));
++ EMIT(PPC_RAW_BCTRL());
++ return 0;
++ }
+
+ #ifdef CONFIG_PPC_KERNEL_PCREL
+ reladdr = func_addr - local_paca->kernelbase;
+@@ -266,7 +274,8 @@ bpf_jit_emit_func_call_hlp(u32 *image, u
+ * We can clobber r2 since we get called through a
+ * function pointer (so caller will save/restore r2).
+ */
+- EMIT(PPC_RAW_LD(_R2, bpf_to_ppc(TMP_REG_2), 8));
++ if (is_module_text_address(func_addr))
++ EMIT(PPC_RAW_LD(_R2, bpf_to_ppc(TMP_REG_2), 8));
+ } else {
+ PPC_LI64(_R12, func);
+ EMIT(PPC_RAW_MTCTR(_R12));
+@@ -276,46 +285,14 @@ bpf_jit_emit_func_call_hlp(u32 *image, u
+ * Load r2 with kernel TOC as kernel TOC is used if function address falls
+ * within core kernel text.
+ */
+- EMIT(PPC_RAW_LD(_R2, _R13, offsetof(struct paca_struct, kernel_toc)));
++ if (is_module_text_address(func_addr))
++ EMIT(PPC_RAW_LD(_R2, _R13, offsetof(struct paca_struct, kernel_toc)));
+ }
+ #endif
+
+ return 0;
+ }
+
+-int bpf_jit_emit_func_call_rel(u32 *image, u32 *fimage, struct codegen_context *ctx, u64 func)
+-{
+- unsigned int i, ctx_idx = ctx->idx;
+-
+- if (WARN_ON_ONCE(func && is_module_text_address(func)))
+- return -EINVAL;
+-
+- /* skip past descriptor if elf v1 */
+- func += FUNCTION_DESCR_SIZE;
+-
+- /* Load function address into r12 */
+- PPC_LI64(_R12, func);
+-
+- /* For bpf-to-bpf function calls, the callee's address is unknown
+- * until the last extra pass. As seen above, we use PPC_LI64() to
+- * load the callee's address, but this may optimize the number of
+- * instructions required based on the nature of the address.
+- *
+- * Since we don't want the number of instructions emitted to increase,
+- * we pad the optimized PPC_LI64() call with NOPs to guarantee that
+- * we always have a five-instruction sequence, which is the maximum
+- * that PPC_LI64() can emit.
+- */
+- if (!image)
+- for (i = ctx->idx - ctx_idx; i < 5; i++)
+- EMIT(PPC_RAW_NOP());
+-
+- EMIT(PPC_RAW_MTCTR(_R12));
+- EMIT(PPC_RAW_BCTRL());
+-
+- return 0;
+-}
+-
+ static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)
+ {
+ /*
+@@ -1102,11 +1079,7 @@ emit_clear:
+ if (ret < 0)
+ return ret;
+
+- if (func_addr_fixed)
+- ret = bpf_jit_emit_func_call_hlp(image, fimage, ctx, func_addr);
+- else
+- ret = bpf_jit_emit_func_call_rel(image, fimage, ctx, func_addr);
+-
++ ret = bpf_jit_emit_func_call_rel(image, fimage, ctx, func_addr);
+ if (ret)
+ return ret;
+
--- /dev/null
+From stable+bounces-227260-greg=kroah.com@vger.kernel.org Thu Mar 19 11:56:09 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 06:50:31 -0400
+Subject: s390/zcrypt: Enable AUTOSEL_DOM for CCA serialnr sysfs attribute
+To: stable@vger.kernel.org
+Cc: Harald Freudenberger <freude@linux.ibm.com>, Ingo Franzki <ifranzki@linux.ibm.com>, Vasily Gorbik <gor@linux.ibm.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319105031.2298863-1-sashal@kernel.org>
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+[ Upstream commit 598bbefa8032cc58b564a81d1ad68bd815c8dc0f ]
+
+The serialnr sysfs attribute for CCA cards when queried always
+used the default domain for sending the request down to the card.
+If for any reason exactly this default domain is disabled then
+the attribute code fails to retrieve the CCA info and the sysfs
+entry shows an empty string. Works as designed but the serial
+number is a card attribute and thus it does not matter which
+domain is used for the query. So if there are other domains on
+this card available, these could be used.
+
+So extend the code to use AUTOSEL_DOM for the domain value to
+address any online domain within the card for querying the cca
+info and thus show the serialnr as long as there is one domain
+usable regardless of the default domain setting.
+
+Fixes: 8f291ebf3270 ("s390/zcrypt: enable card/domain autoselect on ep11 cprbs")
+Suggested-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+[ preserved zc->online as the fourth argument to cca_get_info() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/crypto/zcrypt_ccamisc.c | 12 +++++++-----
+ drivers/s390/crypto/zcrypt_cex4.c | 3 +--
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/s390/crypto/zcrypt_ccamisc.c
++++ b/drivers/s390/crypto/zcrypt_ccamisc.c
+@@ -1665,11 +1665,13 @@ static int fetch_cca_info(u16 cardnr, u1
+
+ memset(ci, 0, sizeof(*ci));
+
+- /* get first info from zcrypt device driver about this apqn */
+- rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
+- if (rc)
+- return rc;
+- ci->hwtype = devstat.hwtype;
++ /* if specific domain given, fetch status and hw info for this apqn */
++ if (domain != AUTOSEL_DOM) {
++ rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
++ if (rc)
++ return rc;
++ ci->hwtype = devstat.hwtype;
++ }
+
+ /* prep page for rule array and var array use */
+ pg = (u8 *)__get_free_page(GFP_KERNEL);
+--- a/drivers/s390/crypto/zcrypt_cex4.c
++++ b/drivers/s390/crypto/zcrypt_cex4.c
+@@ -85,8 +85,7 @@ static ssize_t cca_serialnr_show(struct
+
+ memset(&ci, 0, sizeof(ci));
+
+- if (ap_domain_index >= 0)
+- cca_get_info(ac->id, ap_domain_index, &ci, zc->online);
++ cca_get_info(ac->id, AUTOSEL_DOM, &ci, zc->online);
+
+ return sysfs_emit(buf, "%s\n", ci.serial);
+ }
f2fs-fix-to-avoid-migrating-empty-section.patch
blk-throttle-fix-access-race-during-throttle-policy-activation.patch
dmaengine-mmp_pdma-fix-race-condition-in-mmp_pdma_residue.patch
-media-i2c-ov5647-use-our-own-mutex-for-the-ctrl-lock.patch
net-dsa-properly-keep-track-of-conduit-reference.patch
binfmt_misc-restore-write-access-before-closing-files-opened-by-open_exec.patch
xfs-get-rid-of-the-xchk_xfile_-_descr-calls.patch
mac80211-fix-crash-in-ieee80211_chan_bw_change-for-ap_vlan-stations.patch
bluetooth-l2cap-fix-type-confusion-in-l2cap_ecred_reconf_rsp.patch
bluetooth-l2cap-validate-l2cap_info_rsp-payload-length-before-access.patch
+smb-client-fix-krb5-mount-with-username-option.patch
+ksmbd-unset-conn-binding-on-failed-binding-request.patch
+ksmbd-use-volume-uuid-in-fs_object_id_information.patch
+drm-i915-dsc-add-selective-update-register-definitions.patch
+drm-i915-dsc-add-helper-for-writing-dsc-selective-update-et-parameters.patch
+drm-i915-psr-write-dsc-parameters-on-selective-update-in-et-mode.patch
+s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch
+powerpc64-bpf-fold-bpf_jit_emit_func_call_hlp-into-bpf_jit_emit_func_call_rel.patch
+powerpc64-bpf-fix-kfunc-call-support.patch
+kprobes-remove-unneeded-goto.patch
+kprobes-remove-unneeded-warnings-from-__arm_kprobe_ftrace.patch
+btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch
+batman-adv-avoid-ogm-aggregation-when-skb-tailroom-is-insufficient.patch
+net-macb-introduce-gem_init_rx_ring.patch
+net-macb-reinitialize-tx-rx-queue-pointer-registers-and-rx-ring-during-resume.patch
--- /dev/null
+From 12b4c5d98cd7ca46d5035a57bcd995df614c14e1 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@manguebit.org>
+Date: Fri, 13 Mar 2026 00:03:38 -0300
+Subject: smb: client: fix krb5 mount with username option
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+commit 12b4c5d98cd7ca46d5035a57bcd995df614c14e1 upstream.
+
+Customer reported that some of their krb5 mounts were failing against
+a single server as the client was trying to mount the shares with
+wrong credentials. It turned out the client was reusing SMB session
+from first mount to try mounting the other shares, even though a
+different username= option had been specified to the other mounts.
+
+By using username mount option along with sec=krb5 to search for
+principals from keytab is supported by cifs.upcall(8) since
+cifs-utils-4.8. So fix this by matching username mount option in
+match_session() even with Kerberos.
+
+For example, the second mount below should fail with -ENOKEY as there
+is no 'foobar' principal in keytab (/etc/krb5.keytab). The client
+ends up reusing SMB session from first mount to perform the second
+one, which is wrong.
+
+```
+$ ktutil
+ktutil: add_entry -password -p testuser -k 1 -e aes256-cts
+Password for testuser@ZELDA.TEST:
+ktutil: write_kt /etc/krb5.keytab
+ktutil: quit
+$ klist -ke
+Keytab name: FILE:/etc/krb5.keytab
+KVNO Principal
+ ---- ----------------------------------------------------------------
+ 1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96)
+$ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser
+$ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar
+$ mount -t cifs | grep -Po 'username=\K\w+'
+testuser
+testuser
+```
+
+Reported-by: Oscar Santos <ossantos@redhat.com>
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Cc: David Howells <dhowells@redhat.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/connect.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -1906,6 +1906,10 @@ static int match_session(struct cifs_ses
+ case Kerberos:
+ if (!uid_eq(ctx->cred_uid, ses->cred_uid))
+ return 0;
++ if (strncmp(ses->user_name ?: "",
++ ctx->username ?: "",
++ CIFS_MAX_USERNAME_LEN))
++ return 0;
+ break;
+ case NTLMv2:
+ case RawNTLMSSP:
projects / thirdparty / kernel / stable-queue.git / commitdiff
