--- /dev/null
+From e18190b7e97e9db6546390e6e0ceddae606892b2 Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sj@kernel.org>
+Date: Mon, 15 Sep 2025 20:15:49 -0700
+Subject: mm/damon/lru_sort: use param_ctx for damon_attrs staging
+
+From: SeongJae Park <sj@kernel.org>
+
+commit e18190b7e97e9db6546390e6e0ceddae606892b2 upstream.
+
+damon_lru_sort_apply_parameters() allocates a new DAMON context, stages
+user-specified DAMON parameters on it, and commits to running DAMON
+context at once, using damon_commit_ctx(). The code is, however, directly
+updating the monitoring attributes of the running context. And the
+attributes are over-written by later damon_commit_ctx() call. This means
+that the monitoring attributes parameters are not really working. Fix the
+wrong use of the parameter context.
+
+Link: https://lkml.kernel.org/r/20250916031549.115326-1-sj@kernel.org
+Fixes: a30969436428 ("mm/damon/lru_sort: use damon_commit_ctx()")
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Reviewed-by: Joshua Hahn <joshua.hahnjy@gmail.com>
+Cc: Joshua Hahn <joshua.hahnjy@gmail.com>
+Cc: <stable@vger.kernel.org> [6.11+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/damon/lru_sort.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/damon/lru_sort.c
++++ b/mm/damon/lru_sort.c
+@@ -203,7 +203,7 @@ static int damon_lru_sort_apply_paramete
+ goto out;
+ }
+
+- err = damon_set_attrs(ctx, &damon_lru_sort_mon_attrs);
++ err = damon_set_attrs(param_ctx, &damon_lru_sort_mon_attrs);
+ if (err)
+ goto out;
+
--- /dev/null
+From b93af2cc8e036754c0d9970d9ddc47f43cc94b9f Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sj@kernel.org>
+Date: Mon, 29 Sep 2025 17:44:09 -0700
+Subject: mm/damon/vaddr: do not repeat pte_offset_map_lock() until success
+
+From: SeongJae Park <sj@kernel.org>
+
+commit b93af2cc8e036754c0d9970d9ddc47f43cc94b9f upstream.
+
+DAMON's virtual address space operation set implementation (vaddr) calls
+pte_offset_map_lock() inside the page table walk callback function. This
+is for reading and writing page table accessed bits. If
+pte_offset_map_lock() fails, it retries by returning the page table walk
+callback function with ACTION_AGAIN.
+
+pte_offset_map_lock() can continuously fail if the target is a pmd
+migration entry, though. Hence it could cause an infinite page table walk
+if the migration cannot be done until the page table walk is finished.
+This indeed caused a soft lockup when CPU hotplugging and DAMON were
+running in parallel.
+
+Avoid the infinite loop by simply not retrying the page table walk. DAMON
+is promising only a best-effort accuracy, so missing access to such pages
+is no problem.
+
+Link: https://lkml.kernel.org/r/20250930004410.55228-1-sj@kernel.org
+Fixes: 7780d04046a2 ("mm/pagewalkers: ACTION_AGAIN if pte_offset_map_lock() fails")
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Reported-by: Xinyu Zheng <zhengxinyu6@huawei.com>
+Closes: https://lore.kernel.org/20250918030029.2652607-1-zhengxinyu6@huawei.com
+Acked-by: Hugh Dickins <hughd@google.com>
+Cc: <stable@vger.kernel.org> [6.5+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/damon/vaddr.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/mm/damon/vaddr.c
++++ b/mm/damon/vaddr.c
+@@ -324,10 +324,8 @@ static int damon_mkold_pmd_entry(pmd_t *
+ }
+
+ pte = pte_offset_map_lock(walk->mm, pmd, addr, &ptl);
+- if (!pte) {
+- walk->action = ACTION_AGAIN;
++ if (!pte)
+ return 0;
+- }
+ if (!pte_present(ptep_get(pte)))
+ goto out;
+ damon_ptep_mkold(pte, walk->vma, addr);
+@@ -479,10 +477,8 @@ regular_page:
+ #endif /* CONFIG_TRANSPARENT_HUGEPAGE */
+
+ pte = pte_offset_map_lock(walk->mm, pmd, addr, &ptl);
+- if (!pte) {
+- walk->action = ACTION_AGAIN;
++ if (!pte)
+ return 0;
+- }
+ ptent = ptep_get(pte);
+ if (!pte_present(ptent))
+ goto out;
--- /dev/null
+From b322e88b3d553e85b4e15779491c70022783faa4 Mon Sep 17 00:00:00 2001
+From: Li RongQing <lirongqing@baidu.com>
+Date: Thu, 14 Aug 2025 18:23:33 +0800
+Subject: mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when max_huge_pages=0
+
+From: Li RongQing <lirongqing@baidu.com>
+
+commit b322e88b3d553e85b4e15779491c70022783faa4 upstream.
+
+Optimize hugetlb_pages_alloc_boot() to return immediately when
+max_huge_pages is 0, avoiding unnecessary CPU cycles and the below log
+message when hugepages aren't configured in the kernel command line.
+[ 3.702280] HugeTLB: allocation took 0ms with hugepage_allocation_threads=32
+
+Link: https://lkml.kernel.org/r/20250814102333.4428-1-lirongqing@baidu.com
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Reviewed-by: Dev Jain <dev.jain@arm.com>
+Tested-by: Dev Jain <dev.jain@arm.com>
+Reviewed-by: Jane Chu <jane.chu@oracle.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hugetlb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -3453,6 +3453,9 @@ static void __init hugetlb_hstate_alloc_
+ initialized = true;
+ }
+
++ if (!h->max_huge_pages)
++ return;
++
+ /* do node specific alloc */
+ if (hugetlb_hstate_alloc_pages_specific_nodes(h))
+ return;
--- /dev/null
+From 6a204d4b14c99232e05d35305c27ebce1c009840 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Date: Thu, 14 Aug 2025 14:22:45 -0300
+Subject: mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+commit 6a204d4b14c99232e05d35305c27ebce1c009840 upstream.
+
+Commit 524c48072e56 ("mm/page_alloc: rename ALLOC_HIGH to
+ALLOC_MIN_RESERVE") is the start of a series that explains how __GFP_HIGH,
+which implies ALLOC_MIN_RESERVE, is going to be used instead of
+__GFP_ATOMIC for high atomic reserves.
+
+Commit eb2e2b425c69 ("mm/page_alloc: explicitly record high-order atomic
+allocations in alloc_flags") introduced ALLOC_HIGHATOMIC for such
+allocations of order higher than 0. It still used __GFP_ATOMIC, though.
+
+Then, commit 1ebbb21811b7 ("mm/page_alloc: explicitly define how
+__GFP_HIGH non-blocking allocations accesses reserves") just turned that
+check for !__GFP_DIRECT_RECLAIM, ignoring that high atomic reserves were
+expected to test for __GFP_HIGH.
+
+This leads to high atomic reserves being added for high-order GFP_NOWAIT
+allocations and others that clear __GFP_DIRECT_RECLAIM, which is
+unexpected. Later, those reserves lead to 0-order allocations going to
+the slow path and starting reclaim.
+
+From /proc/pagetypeinfo, without the patch:
+
+Node 0, zone DMA, type HighAtomic 0 0 0 0 0 0 0 0 0 0 0
+Node 0, zone DMA32, type HighAtomic 1 8 10 9 7 3 0 0 0 0 0
+Node 0, zone Normal, type HighAtomic 64 20 12 5 0 0 0 0 0 0 0
+
+With the patch:
+
+Node 0, zone DMA, type HighAtomic 0 0 0 0 0 0 0 0 0 0 0
+Node 0, zone DMA32, type HighAtomic 0 0 0 0 0 0 0 0 0 0 0
+Node 0, zone Normal, type HighAtomic 0 0 0 0 0 0 0 0 0 0 0
+
+Link: https://lkml.kernel.org/r/20250814172245.1259625-1-cascardo@igalia.com
+Fixes: 1ebbb21811b7 ("mm/page_alloc: explicitly define how __GFP_HIGH non-blocking allocations accesses reserves")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Tested-by: Helen Koike <koike@igalia.com>
+Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
+Tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: NeilBrown <neilb@suse.de>
+Cc: Thierry Reding <thierry.reding@gmail.com>
+Cc: Brendan Jackman <jackmanb@google.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: Zi Yan <ziy@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/page_alloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -4052,7 +4052,7 @@ gfp_to_alloc_flags(gfp_t gfp_mask, unsig
+ if (!(gfp_mask & __GFP_NOMEMALLOC)) {
+ alloc_flags |= ALLOC_NON_BLOCK;
+
+- if (order > 0)
++ if (order > 0 && (alloc_flags & ALLOC_MIN_RESERVE))
+ alloc_flags |= ALLOC_HIGHATOMIC;
+ }
+
--- /dev/null
+From 1ce6473d17e78e3cb9a40147658231731a551828 Mon Sep 17 00:00:00 2001
+From: Lance Yang <lance.yang@linux.dev>
+Date: Mon, 22 Sep 2025 10:14:58 +0800
+Subject: mm/thp: fix MTE tag mismatch when replacing zero-filled subpages
+
+From: Lance Yang <lance.yang@linux.dev>
+
+commit 1ce6473d17e78e3cb9a40147658231731a551828 upstream.
+
+When both THP and MTE are enabled, splitting a THP and replacing its
+zero-filled subpages with the shared zeropage can cause MTE tag mismatch
+faults in userspace.
+
+Remapping zero-filled subpages to the shared zeropage is unsafe, as the
+zeropage has a fixed tag of zero, which may not match the tag expected by
+the userspace pointer.
+
+KSM already avoids this problem by using memcmp_pages(), which on arm64
+intentionally reports MTE-tagged pages as non-identical to prevent unsafe
+merging.
+
+As suggested by David[1], this patch adopts the same pattern, replacing the
+memchr_inv() byte-level check with a call to pages_identical(). This
+leverages existing architecture-specific logic to determine if a page is
+truly identical to the shared zeropage.
+
+Having both the THP shrinker and KSM rely on pages_identical() makes the
+design more future-proof, IMO. Instead of handling quirks in generic code,
+we just let the architecture decide what makes two pages identical.
+
+[1] https://lore.kernel.org/all/ca2106a3-4bb2-4457-81af-301fd99fbef4@redhat.com
+
+Link: https://lkml.kernel.org/r/20250922021458.68123-1-lance.yang@linux.dev
+Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp")
+Signed-off-by: Lance Yang <lance.yang@linux.dev>
+Reported-by: Qun-wei Lin <Qun-wei.Lin@mediatek.com>
+Closes: https://lore.kernel.org/all/a7944523fcc3634607691c35311a5d59d1a3f8d4.camel@mediatek.com
+Suggested-by: David Hildenbrand <david@redhat.com>
+Acked-by: Zi Yan <ziy@nvidia.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Acked-by: Usama Arif <usamaarif642@gmail.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Reviewed-by: Wei Yang <richard.weiyang@gmail.com>
+Cc: Alistair Popple <apopple@nvidia.com>
+Cc: andrew.yang <andrew.yang@mediatek.com>
+Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
+Cc: Barry Song <baohua@kernel.org>
+Cc: Byungchul Park <byungchul@sk.com>
+Cc: Charlie Jenkins <charlie@rivosinc.com>
+Cc: Chinwen Chang <chinwen.chang@mediatek.com>
+Cc: Dev Jain <dev.jain@arm.com>
+Cc: Domenico Cerasuolo <cerasuolodomenico@gmail.com>
+Cc: Gregory Price <gourry@gourry.net>
+Cc: "Huang, Ying" <ying.huang@linux.alibaba.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Joshua Hahn <joshua.hahnjy@gmail.com>
+Cc: Kairui Song <ryncsn@gmail.com>
+Cc: Kalesh Singh <kaleshsingh@google.com>
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: Mariano Pache <npache@redhat.com>
+Cc: Mathew Brost <matthew.brost@intel.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: Palmer Dabbelt <palmer@rivosinc.com>
+Cc: Rakie Kim <rakie.kim@sk.com>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Roman Gushchin <roman.gushchin@linux.dev>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: Samuel Holland <samuel.holland@sifive.com>
+Cc: Shakeel Butt <shakeel.butt@linux.dev>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: Yu Zhao <yuzhao@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/huge_memory.c | 15 +++------------
+ mm/migrate.c | 8 +-------
+ 2 files changed, 4 insertions(+), 19 deletions(-)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -3715,32 +3715,23 @@ static unsigned long deferred_split_coun
+ static bool thp_underused(struct folio *folio)
+ {
+ int num_zero_pages = 0, num_filled_pages = 0;
+- void *kaddr;
+ int i;
+
+ if (khugepaged_max_ptes_none == HPAGE_PMD_NR - 1)
+ return false;
+
+ for (i = 0; i < folio_nr_pages(folio); i++) {
+- kaddr = kmap_local_folio(folio, i * PAGE_SIZE);
+- if (!memchr_inv(kaddr, 0, PAGE_SIZE)) {
+- num_zero_pages++;
+- if (num_zero_pages > khugepaged_max_ptes_none) {
+- kunmap_local(kaddr);
++ if (pages_identical(folio_page(folio, i), ZERO_PAGE(0))) {
++ if (++num_zero_pages > khugepaged_max_ptes_none)
+ return true;
+- }
+ } else {
+ /*
+ * Another path for early exit once the number
+ * of non-zero filled pages exceeds threshold.
+ */
+- num_filled_pages++;
+- if (num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none) {
+- kunmap_local(kaddr);
++ if (++num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none)
+ return false;
+- }
+ }
+- kunmap_local(kaddr);
+ }
+ return false;
+ }
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -202,9 +202,7 @@ static bool try_to_map_unused_to_zeropag
+ unsigned long idx)
+ {
+ struct page *page = folio_page(folio, idx);
+- bool contains_data;
+ pte_t newpte;
+- void *addr;
+
+ if (PageCompound(page))
+ return false;
+@@ -221,11 +219,7 @@ static bool try_to_map_unused_to_zeropag
+ * this subpage has been non present. If the subpage is only zero-filled
+ * then map it to the shared zeropage.
+ */
+- addr = kmap_local_page(page);
+- contains_data = memchr_inv(addr, 0, PAGE_SIZE);
+- kunmap_local(addr);
+-
+- if (contains_data)
++ if (!pages_identical(page, ZERO_PAGE(0)))
+ return false;
+
+ newpte = pte_mkspecial(pfn_pte(my_zero_pfn(pvmw->address),
--- /dev/null
+From ab1c282c010c4f327bd7addc3c0035fd8e3c1721 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Wed, 6 Aug 2025 03:10:01 +0200
+Subject: NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit ab1c282c010c4f327bd7addc3c0035fd8e3c1721 upstream.
+
+Commit 5304877936c0 ("NFSD: Fix strncpy() fortify warning") replaced
+strncpy(,, sizeof(..)) with strlcpy(,, sizeof(..) - 1), but strlcpy()
+already guaranteed NUL-termination of the destination buffer and
+subtracting one byte potentially truncated the source string.
+
+The incorrect size was then carried over in commit 72f78ae00a8e ("NFSD:
+move from strlcpy with unused retval to strscpy") when switching from
+strlcpy() to strscpy().
+
+Fix this off-by-one error by using the full size of the destination
+buffer again.
+
+Cc: stable@vger.kernel.org
+Fixes: 5304877936c0 ("NFSD: Fix strncpy() fortify warning")
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1372,7 +1372,7 @@ try_again:
+ return 0;
+ }
+ if (work) {
+- strscpy(work->nsui_ipaddr, ipaddr, sizeof(work->nsui_ipaddr) - 1);
++ strscpy(work->nsui_ipaddr, ipaddr, sizeof(work->nsui_ipaddr));
+ refcount_set(&work->nsui_refcnt, 2);
+ work->nsui_busy = true;
+ list_add_tail(&work->nsui_list, &nn->nfsd_ssc_mount_list);
--- /dev/null
+From a082e4b4d08a4a0e656d90c2c05da85f23e6d0c9 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <okorniev@redhat.com>
+Date: Thu, 21 Aug 2025 16:31:46 -0400
+Subject: nfsd: nfserr_jukebox in nlm_fopen should lead to a retry
+
+From: Olga Kornievskaia <okorniev@redhat.com>
+
+commit a082e4b4d08a4a0e656d90c2c05da85f23e6d0c9 upstream.
+
+When v3 NLM request finds a conflicting delegation, it triggers
+a delegation recall and nfsd_open fails with EAGAIN. nfsd_open
+then translates EAGAIN into nfserr_jukebox. In nlm_fopen, instead
+of returning nlm_failed for when there is a conflicting delegation,
+drop this NLM request so that the client retries. Once delegation
+is recalled and if a local lock is claimed, a retry would lead to
+nfsd returning a nlm_lck_blocked error or a successful nlm lock.
+
+Fixes: d343fce148a4 ("[PATCH] knfsd: Allow lockd to drop replies as appropriate")
+Cc: stable@vger.kernel.org # v6.6
+Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/lockd.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/fs/nfsd/lockd.c
++++ b/fs/nfsd/lockd.c
+@@ -48,6 +48,21 @@ nlm_fopen(struct svc_rqst *rqstp, struct
+ switch (nfserr) {
+ case nfs_ok:
+ return 0;
++ case nfserr_jukebox:
++ /* this error can indicate a presence of a conflicting
++ * delegation to an NLM lock request. Options are:
++ * (1) For now, drop this request and make the client
++ * retry. When delegation is returned, client's lock retry
++ * will complete.
++ * (2) NLM4_DENIED as per "spec" signals to the client
++ * that the lock is unavailable now but client can retry.
++ * Linux client implementation does not. It treats
++ * NLM4_DENIED same as NLM4_FAILED and errors the request.
++ * (3) For the future, treat this as blocked lock and try
++ * to callback when the delegation is returned but might
++ * not have a proper lock request to block on.
++ */
++ fallthrough;
+ case nfserr_dropit:
+ return nlm_drop_reply;
+ case nfserr_stale:
--- /dev/null
+From fa7a0a53eeb7e16402f82c3d5a9ef4bf5efe9357 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Fri, 26 Sep 2025 15:39:10 +0200
+Subject: s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+commit fa7a0a53eeb7e16402f82c3d5a9ef4bf5efe9357 upstream.
+
+If the decompressor is compiled with clang this can lead to the following
+warning:
+
+In file included from arch/s390/boot/startup.c:4:
+...
+In file included from ./include/linux/pgtable.h:6:
+./arch/s390/include/asm/pgtable.h:2065:48: warning: passing 'unsigned long *' to parameter of type
+ 'long *' converts between pointers to integer types with different sign [-Wpointer-sign]
+ 2065 | value = __atomic64_or_barrier(PGSTE_PCL_BIT, ptr);
+
+Add -Wno-pointer-sign to the decompressor compile flags, like it is also
+done for the kernel. This is similar to what was done for x86 to address
+the same problem [1].
+
+[1] commit dca5203e3fe2 ("x86/boot: Add -Wno-pointer-sign to KBUILD_CFLAGS")
+
+Cc: stable@vger.kernel.org
+Reported-by: Gerd Bayer <gbayer@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Reviewed-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/s390/Makefile
++++ b/arch/s390/Makefile
+@@ -25,6 +25,7 @@ endif
+ KBUILD_CFLAGS_DECOMPRESSOR := $(CLANG_FLAGS) -m64 -O2 -mpacked-stack -std=gnu11
+ KBUILD_CFLAGS_DECOMPRESSOR += -DDISABLE_BRANCH_PROFILING -D__NO_FORTIFY
+ KBUILD_CFLAGS_DECOMPRESSOR += -D__DECOMPRESSOR
++KBUILD_CFLAGS_DECOMPRESSOR += -Wno-pointer-sign
+ KBUILD_CFLAGS_DECOMPRESSOR += -fno-delete-null-pointer-checks -msoft-float -mbackchain
+ KBUILD_CFLAGS_DECOMPRESSOR += -fno-asynchronous-unwind-tables
+ KBUILD_CFLAGS_DECOMPRESSOR += -ffreestanding
--- /dev/null
+From 130e6de62107116eba124647116276266be0f84c Mon Sep 17 00:00:00 2001
+From: Jaehoon Kim <jhkim@linux.ibm.com>
+Date: Thu, 25 Sep 2025 17:47:08 +0200
+Subject: s390/dasd: enforce dma_alignment to ensure proper buffer validation
+
+From: Jaehoon Kim <jhkim@linux.ibm.com>
+
+commit 130e6de62107116eba124647116276266be0f84c upstream.
+
+The block layer validates buffer alignment using the device's
+dma_alignment value. If dma_alignment is smaller than
+logical_block_size(bp_block) -1, misaligned buffer incorrectly pass
+validation and propagate to the lower-level driver.
+
+This patch adjusts dma_alignment to be at least logical_block_size -1,
+ensuring that misalignment buffers are properly rejected at the block
+layer and do not reach the DASD driver unnecessarily.
+
+Fixes: 2a07bb64d801 ("s390/dasd: Remove DMA alignment")
+Reviewed-by: Stefan Haberland <sth@linux.ibm.com>
+Cc: stable@vger.kernel.org #6.11+
+Signed-off-by: Jaehoon Kim <jhkim@linux.ibm.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/block/dasd.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/s390/block/dasd.c
++++ b/drivers/s390/block/dasd.c
+@@ -332,6 +332,11 @@ static int dasd_state_basic_to_ready(str
+ lim.max_dev_sectors = device->discipline->max_sectors(block);
+ lim.max_hw_sectors = lim.max_dev_sectors;
+ lim.logical_block_size = block->bp_block;
++ /*
++ * Adjust dma_alignment to match block_size - 1
++ * to ensure proper buffer alignment checks in the block layer.
++ */
++ lim.dma_alignment = lim.logical_block_size - 1;
+
+ if (device->discipline->has_discard) {
+ unsigned int max_bytes;
--- /dev/null
+From 8f4ed0ce4857ceb444174503fc9058720d4faaa1 Mon Sep 17 00:00:00 2001
+From: Jaehoon Kim <jhkim@linux.ibm.com>
+Date: Thu, 25 Sep 2025 17:47:07 +0200
+Subject: s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request
+
+From: Jaehoon Kim <jhkim@linux.ibm.com>
+
+commit 8f4ed0ce4857ceb444174503fc9058720d4faaa1 upstream.
+
+Currently, if CCW request creation fails with -EINVAL, the DASD driver
+returns BLK_STS_IOERR to the block layer.
+
+This can happen, for example, when a user-space application such as QEMU
+passes a misaligned buffer, but the original cause of the error is
+masked as a generic I/O error.
+
+This patch changes the behavior so that -EINVAL is returned as
+BLK_STS_INVAL, allowing user space to properly detect alignment issues
+instead of interpreting them as I/O errors.
+
+Reviewed-by: Stefan Haberland <sth@linux.ibm.com>
+Cc: stable@vger.kernel.org #6.11+
+Signed-off-by: Jaehoon Kim <jhkim@linux.ibm.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/block/dasd.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/s390/block/dasd.c
++++ b/drivers/s390/block/dasd.c
+@@ -3117,12 +3117,14 @@ static blk_status_t do_dasd_request(stru
+ PTR_ERR(cqr) == -ENOMEM ||
+ PTR_ERR(cqr) == -EAGAIN) {
+ rc = BLK_STS_RESOURCE;
+- goto out;
++ } else if (PTR_ERR(cqr) == -EINVAL) {
++ rc = BLK_STS_INVAL;
++ } else {
++ DBF_DEV_EVENT(DBF_ERR, basedev,
++ "CCW creation failed (rc=%ld) on request %p",
++ PTR_ERR(cqr), req);
++ rc = BLK_STS_IOERR;
+ }
+- DBF_DEV_EVENT(DBF_ERR, basedev,
+- "CCW creation failed (rc=%ld) on request %p",
+- PTR_ERR(cqr), req);
+- rc = BLK_STS_IOERR;
+ goto out;
+ }
+ /*
--- /dev/null
+From 008385efd05e04d8dff299382df2e8be0f91d8a0 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Thu, 25 Sep 2025 12:32:37 +0200
+Subject: selftests: mptcp: join: validate C-flag + def limit
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 008385efd05e04d8dff299382df2e8be0f91d8a0 upstream.
+
+The previous commit adds an exception for the C-flag case. The
+'mptcp_join.sh' selftest is extended to validate this case.
+
+In this subtest, there is a typical CDN deployment with a client where
+MPTCP endpoints have been 'automatically' configured:
+
+- the server set net.mptcp.allow_join_initial_addr_port=0
+
+- the client has multiple 'subflow' endpoints, and the default limits:
+ not accepting ADD_ADDRs.
+
+Without the parent patch, the client is not able to establish new
+subflows using its 'subflow' endpoints. The parent commit fixes that.
+
+The 'Fixes' tag here below is the same as the one from the previous
+commit: this patch here is not fixing anything wrong in the selftests,
+but it validates the previous fix for an issue introduced by this commit
+ID.
+
+Fixes: df377be38725 ("mptcp: add deny_join_id0 in mptcp_options_received")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250925-net-next-mptcp-c-flag-laminar-v1-2-ad126cc47c6b@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -3160,6 +3160,17 @@ deny_join_id0_tests()
+ run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr 1 1 1
+ fi
++
++ # default limits, server deny join id 0 + signal
++ if reset_with_allow_join_id0 "default limits, server deny join id 0" 0 1; then
++ pm_nl_set_limits $ns1 0 2
++ pm_nl_set_limits $ns2 0 2
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow
++ run_tests $ns1 $ns2 10.0.1.1
++ chk_join_nr 2 2 2
++ fi
+ }
+
+ fullmesh_tests()
x86-fred-remove-endbr64-from-fred-entry-points.patch
x86-umip-check-that-the-instruction-opcode-is-at-least-two-bytes.patch
x86-umip-fix-decoding-of-register-forms-of-0f-01-sgdt-and-sidt-aliases.patch
+selftests-mptcp-join-validate-c-flag-def-limit.patch
+s390-dasd-enforce-dma_alignment-to-ensure-proper-buffer-validation.patch
+s390-dasd-return-blk_sts_inval-for-einval-from-do_dasd_request.patch
+s390-add-wno-pointer-sign-to-kbuild_cflags_decompressor.patch
+slab-prevent-warnings-when-slab-obj_exts-vector-allocation-fails.patch
+slab-mark-slab-obj_exts-allocation-failures-unconditionally.patch
+wifi-ath11k-hal-srng-don-t-deinitialize-and-re-initialize-again.patch
+wifi-mt76-mt7925u-add-vid-pid-for-netgear-a9000.patch
+wifi-mt76-mt7921u-add-vid-pid-for-netgear-a7500.patch
+mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages.patch
+mm-page_alloc-only-set-alloc_highatomic-for-__gpf_high-allocations.patch
+mm-hugetlb-early-exit-from-hugetlb_pages_alloc_boot-when-max_huge_pages-0.patch
+mm-damon-vaddr-do-not-repeat-pte_offset_map_lock-until-success.patch
+mm-damon-lru_sort-use-param_ctx-for-damon_attrs-staging.patch
+nfsd-fix-destination-buffer-size-in-nfsd4_ssc_setup_dul.patch
+nfsd-nfserr_jukebox-in-nlm_fopen-should-lead-to-a-retry.patch
--- /dev/null
+From f7381b9116407ba2a429977c80ff8df953ea9354 Mon Sep 17 00:00:00 2001
+From: Suren Baghdasaryan <surenb@google.com>
+Date: Mon, 15 Sep 2025 13:09:18 -0700
+Subject: slab: mark slab->obj_exts allocation failures unconditionally
+
+From: Suren Baghdasaryan <surenb@google.com>
+
+commit f7381b9116407ba2a429977c80ff8df953ea9354 upstream.
+
+alloc_slab_obj_exts() should mark failed obj_exts vector allocations
+independent on whether the vector is being allocated for a new or an
+existing slab. Current implementation skips doing this for existing
+slabs. Fix this by marking failed allocations unconditionally.
+
+Fixes: 09c46563ff6d ("codetag: debug: introduce OBJEXTS_ALLOC_FAIL to mark failed slab_ext allocations")
+Reported-by: Shakeel Butt <shakeel.butt@linux.dev>
+Closes: https://lore.kernel.org/all/avhakjldsgczmq356gkwmvfilyvf7o6temvcmtt5lqd4fhp5rk@47gp2ropyixg/
+Signed-off-by: Suren Baghdasaryan <surenb@google.com>
+Cc: stable@vger.kernel.org # v6.10+
+Acked-by: Shakeel Butt <shakeel.butt@linux.dev>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/slub.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1999,8 +1999,7 @@ int alloc_slab_obj_exts(struct slab *sla
+ slab_nid(slab));
+ if (!vec) {
+ /* Mark vectors which failed to allocate */
+- if (new_slab)
+- mark_failed_objexts_alloc(slab);
++ mark_failed_objexts_alloc(slab);
+
+ return -ENOMEM;
+ }
--- /dev/null
+From 4038016397da5c1cebb10e7c85a36d06123724a8 Mon Sep 17 00:00:00 2001
+From: Suren Baghdasaryan <surenb@google.com>
+Date: Mon, 15 Sep 2025 13:09:17 -0700
+Subject: slab: prevent warnings when slab obj_exts vector allocation fails
+
+From: Suren Baghdasaryan <surenb@google.com>
+
+commit 4038016397da5c1cebb10e7c85a36d06123724a8 upstream.
+
+When object extension vector allocation fails, we set slab->obj_exts to
+OBJEXTS_ALLOC_FAIL to indicate the failure. Later, once the vector is
+successfully allocated, we will use this flag to mark codetag references
+stored in that vector as empty to avoid codetag warnings.
+
+slab_obj_exts() used to retrieve the slab->obj_exts vector pointer checks
+slab->obj_exts for being either NULL or a pointer with MEMCG_DATA_OBJEXTS
+bit set. However it does not handle the case when slab->obj_exts equals
+OBJEXTS_ALLOC_FAIL. Add the missing condition to avoid extra warning.
+
+Fixes: 09c46563ff6d ("codetag: debug: introduce OBJEXTS_ALLOC_FAIL to mark failed slab_ext allocations")
+Reported-by: Shakeel Butt <shakeel.butt@linux.dev>
+Closes: https://lore.kernel.org/all/jftidhymri2af5u3xtcqry3cfu6aqzte3uzlznhlaylgrdztsi@5vpjnzpsemf5/
+Signed-off-by: Suren Baghdasaryan <surenb@google.com>
+Cc: stable@vger.kernel.org # v6.10+
+Acked-by: Shakeel Butt <shakeel.butt@linux.dev>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/slab.h | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -572,8 +572,12 @@ static inline struct slabobj_ext *slab_o
+ unsigned long obj_exts = READ_ONCE(slab->obj_exts);
+
+ #ifdef CONFIG_MEMCG
+- VM_BUG_ON_PAGE(obj_exts && !(obj_exts & MEMCG_DATA_OBJEXTS),
+- slab_page(slab));
++ /*
++ * obj_exts should be either NULL, a valid pointer with
++ * MEMCG_DATA_OBJEXTS bit set or be equal to OBJEXTS_ALLOC_FAIL.
++ */
++ VM_BUG_ON_PAGE(obj_exts && !(obj_exts & MEMCG_DATA_OBJEXTS) &&
++ obj_exts != OBJEXTS_ALLOC_FAIL, slab_page(slab));
+ VM_BUG_ON_PAGE(obj_exts & MEMCG_DATA_KMEM, slab_page(slab));
+ #endif
+ return (struct slabobj_ext *)(obj_exts & ~OBJEXTS_FLAGS_MASK);
--- /dev/null
+From 32be3ca4cf78b309dfe7ba52fe2d7cc3c23c5634 Mon Sep 17 00:00:00 2001
+From: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Date: Tue, 22 Jul 2025 10:31:21 +0500
+Subject: wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again
+
+From: Muhammad Usama Anjum <usama.anjum@collabora.com>
+
+commit 32be3ca4cf78b309dfe7ba52fe2d7cc3c23c5634 upstream.
+
+Don't deinitialize and reinitialize the HAL helpers. The dma memory is
+deallocated and there is high possibility that we'll not be able to get
+the same memory allocated from dma when there is high memory pressure.
+
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Cc: stable@vger.kernel.org
+Cc: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Link: https://patch.msgid.link/20250722053121.1145001-1-usama.anjum@collabora.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/core.c | 6 +-----
+ drivers/net/wireless/ath/ath11k/hal.c | 16 ++++++++++++++++
+ drivers/net/wireless/ath/ath11k/hal.h | 1 +
+ 3 files changed, 18 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/core.c
++++ b/drivers/net/wireless/ath/ath11k/core.c
+@@ -1936,14 +1936,10 @@ static int ath11k_core_reconfigure_on_cr
+ mutex_unlock(&ab->core_lock);
+
+ ath11k_dp_free(ab);
+- ath11k_hal_srng_deinit(ab);
++ ath11k_hal_srng_clear(ab);
+
+ ab->free_vdev_map = (1LL << (ab->num_radios * TARGET_NUM_VDEVS(ab))) - 1;
+
+- ret = ath11k_hal_srng_init(ab);
+- if (ret)
+- return ret;
+-
+ clear_bit(ATH11K_FLAG_CRASH_FLUSH, &ab->dev_flags);
+
+ ret = ath11k_core_qmi_firmware_ready(ab);
+--- a/drivers/net/wireless/ath/ath11k/hal.c
++++ b/drivers/net/wireless/ath/ath11k/hal.c
+@@ -1383,6 +1383,22 @@ void ath11k_hal_srng_deinit(struct ath11
+ }
+ EXPORT_SYMBOL(ath11k_hal_srng_deinit);
+
++void ath11k_hal_srng_clear(struct ath11k_base *ab)
++{
++ /* No need to memset rdp and wrp memory since each individual
++ * segment would get cleared in ath11k_hal_srng_src_hw_init()
++ * and ath11k_hal_srng_dst_hw_init().
++ */
++ memset(ab->hal.srng_list, 0,
++ sizeof(ab->hal.srng_list));
++ memset(ab->hal.shadow_reg_addr, 0,
++ sizeof(ab->hal.shadow_reg_addr));
++ ab->hal.avail_blk_resource = 0;
++ ab->hal.current_blk_index = 0;
++ ab->hal.num_shadow_reg_configured = 0;
++}
++EXPORT_SYMBOL(ath11k_hal_srng_clear);
++
+ void ath11k_hal_dump_srng_stats(struct ath11k_base *ab)
+ {
+ struct hal_srng *srng;
+--- a/drivers/net/wireless/ath/ath11k/hal.h
++++ b/drivers/net/wireless/ath/ath11k/hal.h
+@@ -965,6 +965,7 @@ int ath11k_hal_srng_setup(struct ath11k_
+ struct hal_srng_params *params);
+ int ath11k_hal_srng_init(struct ath11k_base *ath11k);
+ void ath11k_hal_srng_deinit(struct ath11k_base *ath11k);
++void ath11k_hal_srng_clear(struct ath11k_base *ab);
+ void ath11k_hal_dump_srng_stats(struct ath11k_base *ab);
+ void ath11k_hal_srng_get_shadow_config(struct ath11k_base *ab,
+ u32 **cfg, u32 *len);
--- /dev/null
+From fc6627ca8a5f811b601aea74e934cf8a048c88ac Mon Sep 17 00:00:00 2001
+From: Nick Morrow <morrownr@gmail.com>
+Date: Fri, 12 Sep 2025 15:45:56 -0500
+Subject: wifi: mt76: mt7921u: Add VID/PID for Netgear A7500
+
+From: Nick Morrow <morrownr@gmail.com>
+
+commit fc6627ca8a5f811b601aea74e934cf8a048c88ac upstream.
+
+Add VID/PID 0846/9065 for Netgear A7500.
+
+Reported-by: Autumn Dececco <autumndececco@gmail.com>
+Tested-by: Autumn Dececco <autumndececco@gmail.com>
+Signed-off-by: Nick Morrow <morrownr@gmail.com>
+Cc: stable@vger.kernel.org
+Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://patch.msgid.link/80bacfd6-6073-4ce5-be32-ae9580832337@gmail.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/usb.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/usb.c
+@@ -21,6 +21,9 @@ static const struct usb_device_id mt7921
+ /* Netgear, Inc. [A8000,AXE3000] */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x0846, 0x9060, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t)MT7921_FIRMWARE_WM },
++ /* Netgear, Inc. A7500 */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x0846, 0x9065, 0xff, 0xff, 0xff),
++ .driver_info = (kernel_ulong_t)MT7921_FIRMWARE_WM },
+ /* TP-Link TXE50UH */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x35bc, 0x0107, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t)MT7921_FIRMWARE_WM },
--- /dev/null
+From f6159b2051e157550d7609e19d04471609c6050b Mon Sep 17 00:00:00 2001
+From: Nick Morrow <morrownr@gmail.com>
+Date: Tue, 8 Jul 2025 16:40:42 -0500
+Subject: wifi: mt76: mt7925u: Add VID/PID for Netgear A9000
+
+From: Nick Morrow <morrownr@gmail.com>
+
+commit f6159b2051e157550d7609e19d04471609c6050b upstream.
+
+Add VID/PID 0846/9072 for recently released Netgear A9000.
+
+Signed-off-by: Nick Morrow <morrownr@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/7afd3c3c-e7cf-4bd9-801d-bdfc76def506@gmail.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/usb.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/usb.c
+@@ -12,6 +12,9 @@
+ static const struct usb_device_id mt7925u_device_table[] = {
+ { USB_DEVICE_AND_INTERFACE_INFO(0x0e8d, 0x7925, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t)MT7925_FIRMWARE_WM },
++ /* Netgear, Inc. A9000 */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x0846, 0x9072, 0xff, 0xff, 0xff),
++ .driver_info = (kernel_ulong_t)MT7925_FIRMWARE_WM },
+ { },
+ };
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
