6.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 26 Oct 2025 14:52:04 +0000 (15:52 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 26 Oct 2025 14:52:04 +0000 (15:52 +0100)
added patches:
acpica-work-around-bogus-wstringop-overread-warning-since-gcc-11.patch
arch_topology-fix-incorrect-error-check-in-topology_parse_cpu_capacity.patch
btrfs-directly-free-partially-initialized-fs_info-in-btrfs_check_leaked_roots.patch
can-netlink-can_changelink-allow-disabling-of-automatic-restart.patch
cifs-fix-tcp_server_info-credits-to-be-signed.patch
dma-debug-don-t-report-false-positives-with-dma_bounce_unaligned_kmalloc.patch
drm-amd-display-increase-max-link-count-and-fix-link-enc-null-pointer-access.patch
fs-notify-call-exportfs_encode_fid-with-s_umount.patch
gpio-104-idio-16-define-maximum-valid-register-address-offset.patch
gpio-pci-idio-16-define-maximum-valid-register-address-offset.patch
mips-malta-fix-keyboard-resource-preventing-i8042-driver-from-registering.patch
mm-prevent-poison-consumption-when-splitting-thp.patch
net-bonding-fix-possible-peer-notify-event-loss-or-dup-issue.patch
net-ravb-enforce-descriptor-type-ordering.patch
net-ravb-ensure-memory-write-completes-before-ringing-tx-doorbell.patch
net-stmmac-dwmac-rk-fix-disabling-set_clock_selection.patch
net-usb-rtl8150-fix-frame-padding.patch
ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch
revert-cpuidle-menu-avoid-discarding-useful-information.patch
selftests-mptcp-join-mark-flush-re-add-as-skipped-if-not-supported.patch
selftests-mptcp-join-mark-implicit-tests-as-skipped-if-not-supported.patch
slab-avoid-race-on-slab-obj_exts-in-alloc_slab_obj_exts.patch
slab-fix-obj_ext-mistakenly-considered-null-due-to-race-condition.patch
vsock-fix-lock-inversion-in-vsock_assign_transport.patch
xfs-fix-locking-in-xchk_nlinks_collect_dir.patch

26 files changed:
queue-6.12/acpica-work-around-bogus-wstringop-overread-warning-since-gcc-11.patch [new file with mode: 0644]
queue-6.12/arch_topology-fix-incorrect-error-check-in-topology_parse_cpu_capacity.patch [new file with mode: 0644]
queue-6.12/btrfs-directly-free-partially-initialized-fs_info-in-btrfs_check_leaked_roots.patch [new file with mode: 0644]
queue-6.12/can-netlink-can_changelink-allow-disabling-of-automatic-restart.patch [new file with mode: 0644]
queue-6.12/cifs-fix-tcp_server_info-credits-to-be-signed.patch [new file with mode: 0644]
queue-6.12/dma-debug-don-t-report-false-positives-with-dma_bounce_unaligned_kmalloc.patch [new file with mode: 0644]
queue-6.12/drm-amd-display-increase-max-link-count-and-fix-link-enc-null-pointer-access.patch [new file with mode: 0644]
queue-6.12/fs-notify-call-exportfs_encode_fid-with-s_umount.patch [new file with mode: 0644]
queue-6.12/gpio-104-idio-16-define-maximum-valid-register-address-offset.patch [new file with mode: 0644]
queue-6.12/gpio-pci-idio-16-define-maximum-valid-register-address-offset.patch [new file with mode: 0644]
queue-6.12/mips-malta-fix-keyboard-resource-preventing-i8042-driver-from-registering.patch [new file with mode: 0644]
queue-6.12/mm-prevent-poison-consumption-when-splitting-thp.patch [new file with mode: 0644]
queue-6.12/net-bonding-fix-possible-peer-notify-event-loss-or-dup-issue.patch [new file with mode: 0644]
queue-6.12/net-ravb-enforce-descriptor-type-ordering.patch [new file with mode: 0644]
queue-6.12/net-ravb-ensure-memory-write-completes-before-ringing-tx-doorbell.patch [new file with mode: 0644]
queue-6.12/net-stmmac-dwmac-rk-fix-disabling-set_clock_selection.patch [new file with mode: 0644]
queue-6.12/net-usb-rtl8150-fix-frame-padding.patch [new file with mode: 0644]
queue-6.12/ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch [new file with mode: 0644]
queue-6.12/revert-cpuidle-menu-avoid-discarding-useful-information.patch [new file with mode: 0644]
queue-6.12/selftests-mptcp-join-mark-flush-re-add-as-skipped-if-not-supported.patch [new file with mode: 0644]
queue-6.12/selftests-mptcp-join-mark-implicit-tests-as-skipped-if-not-supported.patch [new file with mode: 0644]
queue-6.12/series
queue-6.12/slab-avoid-race-on-slab-obj_exts-in-alloc_slab_obj_exts.patch [new file with mode: 0644]
queue-6.12/slab-fix-obj_ext-mistakenly-considered-null-due-to-race-condition.patch [new file with mode: 0644]
queue-6.12/vsock-fix-lock-inversion-in-vsock_assign_transport.patch [new file with mode: 0644]
queue-6.12/xfs-fix-locking-in-xchk_nlinks_collect_dir.patch [new file with mode: 0644]

diff --git a/queue-6.12/acpica-work-around-bogus-wstringop-overread-warning-since-gcc-11.patch b/queue-6.12/acpica-work-around-bogus-wstringop-overread-warning-since-gcc-11.patch
new file mode 100644 (file)
index 0000000..40743db
--- /dev/null
@@ -0,0 +1,52 @@
+From 6e3a4754717a74e931a9f00b5f953be708e07acb Mon Sep 17 00:00:00 2001
+From: Xi Ruoyao <xry111@xry111.site>
+Date: Tue, 21 Oct 2025 17:28:25 +0800
+Subject: ACPICA: Work around bogus -Wstringop-overread warning since GCC 11
+
+From: Xi Ruoyao <xry111@xry111.site>
+
+commit 6e3a4754717a74e931a9f00b5f953be708e07acb upstream.
+
+When ACPI_MISALIGNMENT_NOT_SUPPORTED is set, GCC can produce a bogus
+-Wstringop-overread warning, see [1].
+
+To me, it's very clear that we have a compiler bug here, thus just
+disable the warning.
+
+Fixes: a9d13433fe17 ("LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled")
+Link: https://lore.kernel.org/all/899f2dec-e8b9-44f4-ab8d-001e160a2aed@roeck-us.net/
+Link: https://github.com/acpica/acpica/commit/abf5b573
+Link: https://gcc.gnu.org/PR122073 [1]
+Co-developed-by: Saket Dumbre <saket.dumbre@intel.com>
+Signed-off-by: Saket Dumbre <saket.dumbre@intel.com>
+Signed-off-by: Xi Ruoyao <xry111@xry111.site>
+Acked-by: Huacai Chen <chenhuacai@loongson.cn>
+Cc: All applicable <stable@vger.kernel.org>
+[ rjw: Subject and changelog edits ]
+Link: https://patch.msgid.link/20251021092825.822007-1-xry111@xry111.site
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpica/tbprint.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/acpi/acpica/tbprint.c
++++ b/drivers/acpi/acpica/tbprint.c
+@@ -95,6 +95,11 @@ acpi_tb_print_table_header(acpi_physical
+ {
+       struct acpi_table_header local_header;
++#pragma GCC diagnostic push
++#if defined(__GNUC__) && __GNUC__ >= 11
++#pragma GCC diagnostic ignored "-Wstringop-overread"
++#endif
++
+       if (ACPI_COMPARE_NAMESEG(header->signature, ACPI_SIG_FACS)) {
+               /* FACS only has signature and length fields */
+@@ -135,4 +140,5 @@ acpi_tb_print_table_header(acpi_physical
+                          local_header.asl_compiler_id,
+                          local_header.asl_compiler_revision));
+       }
++#pragma GCC diagnostic pop
+ }
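Review bot: The `-Wstringop-overread` suppression in acpi_tb_print_table_header() is pushed right after the `local_header` declaration and popped only at the closing brace, so with GCC 11 or later any genuine overread diagnostic in the function body is silenced along with the bogus one. I would scope the push/pop to the single statement that triggers the warning; that statement is not visible here, since the body lies between the two inner hunks. The `push` and `pop` lines also sit outside the `#if defined(__GNUC__) && __GNUC__ >= 11` guard that protects the `ignored` line, and guarding all three alike would be tidier. A comment at the pragma would help the next reader, for example `/* Bogus -Wstringop-overread with ACPI_MISALIGNMENT_NOT_SUPPORTED, see https://gcc.gnu.org/PR122073 */`.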
diff --git a/queue-6.12/arch_topology-fix-incorrect-error-check-in-topology_parse_cpu_capacity.patch b/queue-6.12/arch_topology-fix-incorrect-error-check-in-topology_parse_cpu_capacity.patch
new file mode 100644 (file)
index 0000000..24ba013
--- /dev/null
@@ -0,0 +1,48 @@
+From 2eead19334516c8e9927c11b448fbe512b1f18a1 Mon Sep 17 00:00:00 2001
+From: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
+Date: Tue, 23 Sep 2025 23:13:08 +0530
+Subject: arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()
+
+From: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
+
+commit 2eead19334516c8e9927c11b448fbe512b1f18a1 upstream.
+
+Fix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity()
+which causes the code to proceed with NULL clock pointers. The current
+logic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both
+valid pointers and NULL, leading to potential NULL pointer dereference
+in clk_get_rate().
+
+Per include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns:
+"The error code within @ptr if it is an error pointer; 0 otherwise."
+
+This means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL
+pointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed)
+when cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be
+called when of_clk_get() returns NULL.
+
+Replace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid
+pointers, preventing potential NULL pointer dereference in clk_get_rate().
+
+Cc: stable <stable@kernel.org>
+Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Fixes: b8fe128dad8f ("arch_topology: Adjust initial CPU capacities with current freq")
+Link: https://patch.msgid.link/20250923174308.1771906-1-kaushlendra.kumar@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/arch_topology.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/arch_topology.c
++++ b/drivers/base/arch_topology.c
+@@ -341,7 +341,7 @@ bool __init topology_parse_cpu_capacity(
+                * frequency (by keeping the initial capacity_freq_ref value).
+                */
+               cpu_clk = of_clk_get(cpu_node, 0);
+-              if (!PTR_ERR_OR_ZERO(cpu_clk)) {
++              if (!IS_ERR_OR_NULL(cpu_clk)) {
+                       per_cpu(capacity_freq_ref, cpu) =
+                               clk_get_rate(cpu_clk) / HZ_PER_KHZ;
+                       clk_put(cpu_clk);
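Review bot: The result of `clk_get_rate(cpu_clk) / HZ_PER_KHZ` is stored in `capacity_freq_ref` without a check for zero, so a clock that reports no rate (or one below `HZ_PER_KHZ`) overwrites the initial reference value that the preceding comment appears to want kept as a fallback. The consumers of `capacity_freq_ref` are not visible in this hunk, so whether a zero reference is harmful there needs confirming. If it is, I would read the rate into a local and assign only when the scaled value is non-zero, e.g. `rate = clk_get_rate(cpu_clk) / HZ_PER_KHZ; if (rate) per_cpu(capacity_freq_ref, cpu) = rate;`. The function body starts and ends outside the hunk.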
diff --git a/queue-6.12/btrfs-directly-free-partially-initialized-fs_info-in-btrfs_check_leaked_roots.patch b/queue-6.12/btrfs-directly-free-partially-initialized-fs_info-in-btrfs_check_leaked_roots.patch
new file mode 100644 (file)
index 0000000..8ed8624
--- /dev/null
@@ -0,0 +1,76 @@
+From 17679ac6df6c4830ba711835aa8cf961be36cfa1 Mon Sep 17 00:00:00 2001
+From: Dewei Meng <mengdewei@cqsoftware.com.cn>
+Date: Thu, 16 Oct 2025 14:10:11 +0800
+Subject: btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()
+
+From: Dewei Meng <mengdewei@cqsoftware.com.cn>
+
+commit 17679ac6df6c4830ba711835aa8cf961be36cfa1 upstream.
+
+If fs_info->super_copy or fs_info->super_for_commit allocated failed in
+btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info().
+Otherwise btrfs_check_leaked_roots() would access NULL pointer because
+fs_info->allocated_roots had not been initialised.
+
+syzkaller reported the following information:
+  ------------[ cut here ]------------
+  BUG: unable to handle page fault for address: fffffffffffffbb0
+  #PF: supervisor read access in kernel mode
+  #PF: error_code(0x0000) - not-present page
+  PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0
+  Oops: Oops: 0000 [#1] SMP KASAN PTI
+  CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)
+  RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]
+  RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]
+  RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]
+  RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]
+  RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230
+  [...]
+  Call Trace:
+   <TASK>
+   btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280
+   btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029
+   btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097
+   vfs_get_tree+0x98/0x320 fs/super.c:1759
+   do_new_mount+0x357/0x660 fs/namespace.c:3899
+   path_mount+0x716/0x19c0 fs/namespace.c:4226
+   do_mount fs/namespace.c:4239 [inline]
+   __do_sys_mount fs/namespace.c:4450 [inline]
+   __se_sys_mount fs/namespace.c:4427 [inline]
+   __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427
+   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+   do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94
+   entry_SYSCALL_64_after_hwframe+0x76/0x7e
+  RIP: 0033:0x7f032eaffa8d
+  [...]
+
+Fixes: 3bb17a25bcb0 ("btrfs: add get_tree callback for new mount API")
+CC: stable@vger.kernel.org # 6.12+
+Reviewed-by: Daniel Vacek <neelx@suse.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Dewei Meng <mengdewei@cqsoftware.com.cn>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/super.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -2029,7 +2029,13 @@ static int btrfs_get_tree_subvol(struct
+       fs_info->super_copy = kzalloc(BTRFS_SUPER_INFO_SIZE, GFP_KERNEL);
+       fs_info->super_for_commit = kzalloc(BTRFS_SUPER_INFO_SIZE, GFP_KERNEL);
+       if (!fs_info->super_copy || !fs_info->super_for_commit) {
+-              btrfs_free_fs_info(fs_info);
++              /*
++               * Dont call btrfs_free_fs_info() to free it as it's still
++               * initialized partially.
++               */
++              kfree(fs_info->super_copy);
++              kfree(fs_info->super_for_commit);
++              kvfree(fs_info);
+               return -ENOMEM;
+       }
+       btrfs_init_fs_info(fs_info);
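Review bot: The comment added in the `-ENOMEM` branch of btrfs_get_tree_subvol() says fs_info is "still initialized partially" but not what goes wrong. The open-coded `kfree()`/`kvfree()` sequence also has to be kept in step by hand with whatever is allocated before `btrfs_init_fs_info()`. I would spell out the reason given in the changelog, e.g. `/* btrfs_init_fs_info() has not run yet, so allocated_roots is uninitialised and btrfs_free_fs_info() must not be called; free what was allocated so far. */`. Whether fs_info owns any other allocation at this point cannot be seen from the hunk, which starts inside the function, so that should be checked against the code above it.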
diff --git a/queue-6.12/can-netlink-can_changelink-allow-disabling-of-automatic-restart.patch b/queue-6.12/can-netlink-can_changelink-allow-disabling-of-automatic-restart.patch
new file mode 100644 (file)
index 0000000..08efb24
--- /dev/null
@@ -0,0 +1,62 @@
+From 8e93ac51e4c6dc399fad59ec21f55f2cfb46d27c Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Mon, 20 Oct 2025 11:51:03 +0200
+Subject: can: netlink: can_changelink(): allow disabling of automatic restart
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 8e93ac51e4c6dc399fad59ec21f55f2cfb46d27c upstream.
+
+Since the commit c1f3f9797c1f ("can: netlink: can_changelink(): fix NULL
+pointer deref of struct can_priv::do_set_mode"), the automatic restart
+delay can only be set for devices that implement the restart handler struct
+can_priv::do_set_mode. As it makes no sense to configure a automatic
+restart for devices that doesn't support it.
+
+However, since systemd commit 13ce5d4632e3 ("network/can: properly handle
+CAN.RestartSec=0") [1], systemd-networkd correctly handles a restart delay
+of "0" (i.e. the restart is disabled). Which means that a disabled restart
+is always configured in the kernel.
+
+On systems with both changes active this causes that CAN interfaces that
+don't implement a restart handler cannot be brought up by systemd-networkd.
+
+Solve this problem by allowing a delay of "0" to be configured, even if the
+device does not implement a restart handler.
+
+[1] https://github.com/systemd/systemd/commit/13ce5d4632e395521e6205c954493c7fc1c4c6e0
+
+Cc: stable@vger.kernel.org
+Cc: Andrei Lalaev <andrey.lalaev@gmail.com>
+Reported-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Closes: https://lore.kernel.org/all/20251020-certain-arrogant-vole-of-sunshine-141841-mkl@pengutronix.de
+Fixes: c1f3f9797c1f ("can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode")
+Link: https://patch.msgid.link/20251020-netlink-fix-restart-v1-1-3f53c7f8520b@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/dev/netlink.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/dev/netlink.c
++++ b/drivers/net/can/dev/netlink.c
+@@ -285,7 +285,9 @@ static int can_changelink(struct net_dev
+       }
+       if (data[IFLA_CAN_RESTART_MS]) {
+-              if (!priv->do_set_mode) {
++              unsigned int restart_ms = nla_get_u32(data[IFLA_CAN_RESTART_MS]);
++
++              if (restart_ms != 0 && !priv->do_set_mode) {
+                       NL_SET_ERR_MSG(extack,
+                                      "Device doesn't support restart from Bus Off");
+                       return -EOPNOTSUPP;
+@@ -294,7 +296,7 @@ static int can_changelink(struct net_dev
+               /* Do not allow changing restart delay while running */
+               if (dev->flags & IFF_UP)
+                       return -EBUSY;
+-              priv->restart_ms = nla_get_u32(data[IFLA_CAN_RESTART_MS]);
++              priv->restart_ms = restart_ms;
+       }
+       if (data[IFLA_CAN_RESTART]) {
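Review bot: In the `IFLA_CAN_RESTART_MS` branch of can_changelink() the special meaning of `restart_ms == 0` is carried only by the condition, so a later cleanup could easily reinstate the plain `!priv->do_set_mode` test and bring the regression back. A short comment above the check would record the rule from the changelog: `/* A delay of 0 disables automatic restart and needs no do_set_mode handler */`. The hunk shows only part of the function. The `IFLA_CAN_RESTART` branch that follows is cut off, so whether it keeps its own `do_set_mode` check cannot be confirmed from here.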
diff --git a/queue-6.12/cifs-fix-tcp_server_info-credits-to-be-signed.patch b/queue-6.12/cifs-fix-tcp_server_info-credits-to-be-signed.patch
new file mode 100644 (file)
index 0000000..7a7c104
--- /dev/null
@@ -0,0 +1,37 @@
+From 5b2ff4873aeab972f919d5aea11c51393322bf58 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 20 Oct 2025 09:40:02 +0100
+Subject: cifs: Fix TCP_Server_Info::credits to be signed
+
+From: David Howells <dhowells@redhat.com>
+
+commit 5b2ff4873aeab972f919d5aea11c51393322bf58 upstream.
+
+Fix TCP_Server_Info::credits to be signed, just as echo_credits and
+oplock_credits are.  This also fixes what ought to get at least a
+compilation warning if not an outright error in *get_credits_field() as a
+pointer to the unsigned server->credits field is passed back as a pointer
+to a signed int.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: linux-cifs@vger.kernel.org
+Cc: stable@vger.kernel.org
+Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Acked-by: Pavel Shilovskiy <pshilovskiy@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifsglob.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/client/cifsglob.h
++++ b/fs/smb/client/cifsglob.h
+@@ -703,7 +703,7 @@ struct TCP_Server_Info {
+       bool nosharesock;
+       bool tcp_nodelay;
+       bool terminate;
+-      unsigned int credits;  /* send no more requests at once */
++      int credits;  /* send no more requests at once */
+       unsigned int max_credits; /* can override large 32000 default at mnt */
+       unsigned int in_flight;  /* number of requests on the wire to server */
+       unsigned int max_in_flight; /* max number of requests that were on wire */
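Review bot: Making `credits` a plain `int` while `max_credits`, `in_flight` and `max_in_flight` right below it stay `unsigned int` means any expression that mixes them converts `credits` to unsigned, so a negative credit count would compare as a very large value. The users of the field are not in this hunk, so this is a request to audit comparisons and arithmetic between `credits` and the unsigned counters; a build with `-Wsign-compare` will list them. The field comment could also say why the type is signed, e.g. `int credits; /* signed, like echo_credits and oplock_credits; send no more requests at once */`.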
diff --git a/queue-6.12/dma-debug-don-t-report-false-positives-with-dma_bounce_unaligned_kmalloc.patch b/queue-6.12/dma-debug-don-t-report-false-positives-with-dma_bounce_unaligned_kmalloc.patch
new file mode 100644 (file)
index 0000000..570d2d3
--- /dev/null
@@ -0,0 +1,59 @@
+From 03521c892bb8d0712c23e158ae9bdf8705897df8 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Thu, 9 Oct 2025 16:15:08 +0200
+Subject: dma-debug: don't report false positives with DMA_BOUNCE_UNALIGNED_KMALLOC
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit 03521c892bb8d0712c23e158ae9bdf8705897df8 upstream.
+
+Commit 370645f41e6e ("dma-mapping: force bouncing if the kmalloc() size is
+not cache-line-aligned") introduced DMA_BOUNCE_UNALIGNED_KMALLOC feature
+and permitted architecture specific code configure kmalloc slabs with
+sizes smaller than the value of dma_get_cache_alignment().
+
+When that feature is enabled, the physical address of some small
+kmalloc()-ed buffers might be not aligned to the CPU cachelines, thus not
+really suitable for typical DMA.  To properly handle that case a SWIOTLB
+buffer bouncing is used, so no CPU cache corruption occurs.  When that
+happens, there is no point reporting a false-positive DMA-API warning that
+the buffer is not properly aligned, as this is not a client driver fault.
+
+[m.szyprowski@samsung.com: replace is_swiotlb_allocated() with is_swiotlb_active(), per Catalin]
+  Link: https://lkml.kernel.org/r/20251010173009.3916215-1-m.szyprowski@samsung.com
+Link: https://lkml.kernel.org/r/20251009141508.2342138-1-m.szyprowski@samsung.com
+Fixes: 370645f41e6e ("dma-mapping: force bouncing if the kmalloc() size is not cache-line-aligned")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Inki Dae <m.szyprowski@samsung.com>
+Cc: Robin Murohy <robin.murphy@arm.com>
+Cc: "Isaac J. Manjarres" <isaacmanjarres@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/dma/debug.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/dma/debug.c
++++ b/kernel/dma/debug.c
+@@ -23,6 +23,7 @@
+ #include <linux/ctype.h>
+ #include <linux/list.h>
+ #include <linux/slab.h>
++#include <linux/swiotlb.h>
+ #include <asm/sections.h>
+ #include "debug.h"
+@@ -594,7 +595,9 @@ static void add_dma_entry(struct dma_deb
+       if (rc == -ENOMEM) {
+               pr_err_once("cacheline tracking ENOMEM, dma-debug disabled\n");
+               global_disable = true;
+-      } else if (rc == -EEXIST && !(attrs & DMA_ATTR_SKIP_CPU_SYNC)) {
++      } else if (rc == -EEXIST && !(attrs & DMA_ATTR_SKIP_CPU_SYNC) &&
++                 !(IS_ENABLED(CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC) &&
++                   is_swiotlb_active(entry->dev))) {
+               err_printk(entry->dev, entry,
+                       "cacheline tracking EEXIST, overlapping mappings aren't supported\n");
+       }
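Review bot: The new clause in add_dma_entry() drops the `-EEXIST` report for every mapping of a device whenever `CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC` is enabled and `is_swiotlb_active(entry->dev)` is true, not only for the small kmalloc buffers that were actually bounced. As far as this hunk shows, a genuine overlapping mapping made by a driver on such a system is then no longer reported by dma-debug. If the entry carries enough information to tell a bounced buffer apart, the test should be narrowed to that case. If it does not, a comment should state the trade-off, e.g. `/* Bounced unaligned kmalloc buffers may share a cacheline; real overlaps go unreported in this configuration */`.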
diff --git a/queue-6.12/drm-amd-display-increase-max-link-count-and-fix-link-enc-null-pointer-access.patch b/queue-6.12/drm-amd-display-increase-max-link-count-and-fix-link-enc-null-pointer-access.patch
new file mode 100644 (file)
index 0000000..78b9cae
--- /dev/null
@@ -0,0 +1,60 @@
+From bec947cbe9a65783adb475a5fb47980d7b4f4796 Mon Sep 17 00:00:00 2001
+From: Charlene Liu <Charlene.Liu@amd.com>
+Date: Mon, 29 Sep 2025 20:29:30 -0400
+Subject: drm/amd/display: increase max link count and fix link->enc NULL pointer access
+
+From: Charlene Liu <Charlene.Liu@amd.com>
+
+commit bec947cbe9a65783adb475a5fb47980d7b4f4796 upstream.
+
+[why]
+1.) dc->links[MAX_LINKS] array size smaller than actual requested.
+max_connector + max_dpia + 4 virtual = 14.
+increase from 12 to 14.
+
+2.) hw_init() access null LINK_ENC for dpia non display_endpoint.
+
+Cc: Mario Limonciello <mario.limonciello@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Meenakshikumar Somasundaram <meenakshikumar.somasundaram@amd.com>
+Reviewed-by: Chris Park <chris.park@amd.com>
+Signed-off-by: Charlene Liu <Charlene.Liu@amd.com>
+Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit d7f5a61e1b04ed87b008c8d327649d184dc5bb45)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c |    3 +++
+ drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h         |    8 +++++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
+@@ -287,6 +287,9 @@ void dcn401_init_hw(struct dc *dc)
+                */
+               struct dc_link *link = dc->links[i];
++              if (link->ep_type != DISPLAY_ENDPOINT_PHY)
++                      continue;
++
+               link->link_enc->funcs->hw_init(link->link_enc);
+               /* Check for enabled DIG to identify enabled display */
+--- a/drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h
++++ b/drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h
+@@ -44,7 +44,13 @@
+  */
+ #define MAX_PIPES 6
+ #define MAX_PHANTOM_PIPES (MAX_PIPES / 2)
+-#define MAX_LINKS (MAX_PIPES * 2 +2)
++
++#define MAX_DPIA 6
++#define MAX_CONNECTOR 6
++#define MAX_VIRTUAL_LINKS 4
++
++#define MAX_LINKS (MAX_DPIA + MAX_CONNECTOR + MAX_VIRTUAL_LINKS)
++
+ #define MAX_DIG_LINK_ENCODERS 7
+ #define MAX_DWB_PIPES 1
+ #define MAX_HPO_DP2_ENCODERS  4
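Review bot: `MAX_LINKS` in hw_shared.h is now the sum of three literals, but nothing in the visible change ties those literals to the code that fills `dc->links[]`, which the changelog says already asked for more entries than the array held. I would add a bounds check where links are appended (that code is outside this patch) so a future mismatch fails cleanly instead of indexing past the array, and a one-line comment on `MAX_DPIA`, `MAX_CONNECTOR` and `MAX_VIRTUAL_LINKS` saying where each limit comes from. In dcn401_init_hw() the new `ep_type` test skips non-PHY endpoints, but `link->link_enc` is still dereferenced unchecked for the remaining links; `if (link->ep_type != DISPLAY_ENDPOINT_PHY || !link->link_enc) continue;` would cover both cases.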
diff --git a/queue-6.12/fs-notify-call-exportfs_encode_fid-with-s_umount.patch b/queue-6.12/fs-notify-call-exportfs_encode_fid-with-s_umount.patch
new file mode 100644 (file)
index 0000000..e343071
--- /dev/null
@@ -0,0 +1,106 @@
+From a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a Mon Sep 17 00:00:00 2001
+From: Jakub Acs <acsjakub@amazon.de>
+Date: Wed, 1 Oct 2025 10:09:55 +0000
+Subject: fs/notify: call exportfs_encode_fid with s_umount
+
+From: Jakub Acs <acsjakub@amazon.de>
+
+commit a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a upstream.
+
+Calling intotify_show_fdinfo() on fd watching an overlayfs inode, while
+the overlayfs is being unmounted, can lead to dereferencing NULL ptr.
+
+This issue was found by syzkaller.
+
+Race Condition Diagram:
+
+Thread 1                           Thread 2
+--------                           --------
+
+generic_shutdown_super()
+ shrink_dcache_for_umount
+  sb->s_root = NULL
+
+                    |
+                    |             vfs_read()
+                    |              inotify_fdinfo()
+                    |               * inode get from mark *
+                    |               show_mark_fhandle(m, inode)
+                    |                exportfs_encode_fid(inode, ..)
+                    |                 ovl_encode_fh(inode, ..)
+                    |                  ovl_check_encode_origin(inode)
+                    |                   * deref i_sb->s_root *
+                    |
+                    |
+                    v
+ fsnotify_sb_delete(sb)
+
+Which then leads to:
+
+[   32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
+[   32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
+[   32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)
+
+<snip registers, unreliable trace>
+
+[   32.143353] Call Trace:
+[   32.143732]  ovl_encode_fh+0xd5/0x170
+[   32.144031]  exportfs_encode_inode_fh+0x12f/0x300
+[   32.144425]  show_mark_fhandle+0xbe/0x1f0
+[   32.145805]  inotify_fdinfo+0x226/0x2d0
+[   32.146442]  inotify_show_fdinfo+0x1c5/0x350
+[   32.147168]  seq_show+0x530/0x6f0
+[   32.147449]  seq_read_iter+0x503/0x12a0
+[   32.148419]  seq_read+0x31f/0x410
+[   32.150714]  vfs_read+0x1f0/0x9e0
+[   32.152297]  ksys_read+0x125/0x240
+
+IOW ovl_check_encode_origin derefs inode->i_sb->s_root, after it was set
+to NULL in the unmount path.
+
+Fix it by protecting calling exportfs_encode_fid() from
+show_mark_fhandle() with s_umount lock.
+
+This form of fix was suggested by Amir in [1].
+
+[1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/
+
+Fixes: c45beebfde34 ("ovl: support encoding fid from inode with no alias")
+Signed-off-by: Jakub Acs <acsjakub@amazon.de>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Amir Goldstein <amir73il@gmail.com>
+Cc: Miklos Szeredi <miklos@szeredi.hu>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: linux-unionfs@vger.kernel.org
+Cc: linux-fsdevel@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/notify/fdinfo.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/notify/fdinfo.c
++++ b/fs/notify/fdinfo.c
+@@ -17,6 +17,7 @@
+ #include "fanotify/fanotify.h"
+ #include "fdinfo.h"
+ #include "fsnotify.h"
++#include "../internal.h"
+ #if defined(CONFIG_PROC_FS)
+@@ -46,7 +47,12 @@ static void show_mark_fhandle(struct seq
+       size = f->handle_bytes >> 2;
++      if (!super_trylock_shared(inode->i_sb))
++              return;
++
+       ret = exportfs_encode_fid(inode, (struct fid *)f->f_handle, &size);
++      up_read(&inode->i_sb->s_umount);
++
+       if ((ret == FILEID_INVALID) || (ret < 0))
+               return;
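Review bot: When `super_trylock_shared(inode->i_sb)` fails, show_mark_fhandle() returns without writing anything, so the fdinfo output for that mark silently lacks its file handle and a reader cannot tell a contended or dying superblock from a mark that has no handle. That behaviour and the reason for the lock deserve a comment at the call, e.g. `/* s_umount keeps sb->s_root valid while the filesystem encodes the handle; skip the handle if the lock cannot be taken */`. The unlock is an open-coded `up_read(&inode->i_sb->s_umount)` paired with a helper that takes the lock, which is easy to unbalance in a later edit. The function starts and ends outside the hunk.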
diff --git a/queue-6.12/gpio-104-idio-16-define-maximum-valid-register-address-offset.patch b/queue-6.12/gpio-104-idio-16-define-maximum-valid-register-address-offset.patch
new file mode 100644 (file)
index 0000000..5c297bb
--- /dev/null
@@ -0,0 +1,39 @@
+From c4d35e635f3a65aec291a6045cae8c99cede5bba Mon Sep 17 00:00:00 2001
+From: William Breathitt Gray <wbg@kernel.org>
+Date: Mon, 20 Oct 2025 17:51:44 +0900
+Subject: gpio: 104-idio-16: Define maximum valid register address offset
+
+From: William Breathitt Gray <wbg@kernel.org>
+
+commit c4d35e635f3a65aec291a6045cae8c99cede5bba upstream.
+
+Attempting to load the 104-idio-16 module fails during regmap
+initialization with a return error -EINVAL. This is a result of the
+regmap cache failing initialization. Set the idio_16_regmap_config
+max_register member to fix this failure.
+
+Fixes: 2c210c9a34a3 ("gpio: 104-idio-16: Migrate to the regmap API")
+Reported-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
+Closes: https://lore.kernel.org/r/9b0375fd-235f-4ee1-a7fa-daca296ef6bf@nutanix.com
+Suggested-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: William Breathitt Gray <wbg@kernel.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20251020-fix-gpio-idio-16-regmap-v2-1-ebeb50e93c33@kernel.org
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-104-idio-16.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpio/gpio-104-idio-16.c
++++ b/drivers/gpio/gpio-104-idio-16.c
+@@ -59,6 +59,7 @@ static const struct regmap_config idio_1
+       .reg_stride = 1,
+       .val_bits = 8,
+       .io_port = true,
++      .max_register = 0x5,
+       .wr_table = &idio_16_wr_table,
+       .rd_table = &idio_16_rd_table,
+       .volatile_table = &idio_16_rd_table,
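Review bot: `.max_register = 0x5` in idio_16_regmap_config is a bare literal with no visible link to the ranges in `idio_16_wr_table` and `idio_16_rd_table`, so the limit can go stale if those tables change and then no longer matches the offsets the driver actually uses. The same applies to `.max_register = 0x7` in the gpio-pci-idio-16 patch that follows. A named constant shared with the tables, or at least a comment naming the last register, would keep them together, e.g. `.max_register = 0x5, /* highest register offset, keep in sync with idio_16_rd_table */`. The table definitions are outside the hunk, so the highest offset should be confirmed against them.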
diff --git a/queue-6.12/gpio-pci-idio-16-define-maximum-valid-register-address-offset.patch b/queue-6.12/gpio-pci-idio-16-define-maximum-valid-register-address-offset.patch
new file mode 100644 (file)
index 0000000..a534bef
--- /dev/null
@@ -0,0 +1,39 @@
+From d37623132a6347b4ab9e2179eb3f2fa77863c364 Mon Sep 17 00:00:00 2001
+From: William Breathitt Gray <wbg@kernel.org>
+Date: Mon, 20 Oct 2025 17:51:45 +0900
+Subject: gpio: pci-idio-16: Define maximum valid register address offset
+
+From: William Breathitt Gray <wbg@kernel.org>
+
+commit d37623132a6347b4ab9e2179eb3f2fa77863c364 upstream.
+
+Attempting to load the pci-idio-16 module fails during regmap
+initialization with a return error -EINVAL. This is a result of the
+regmap cache failing initialization. Set the idio_16_regmap_config
+max_register member to fix this failure.
+
+Fixes: 73d8f3efc5c2 ("gpio: pci-idio-16: Migrate to the regmap API")
+Reported-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
+Closes: https://lore.kernel.org/r/9b0375fd-235f-4ee1-a7fa-daca296ef6bf@nutanix.com
+Suggested-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: William Breathitt Gray <wbg@kernel.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20251020-fix-gpio-idio-16-regmap-v2-2-ebeb50e93c33@kernel.org
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-pci-idio-16.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpio/gpio-pci-idio-16.c
++++ b/drivers/gpio/gpio-pci-idio-16.c
+@@ -41,6 +41,7 @@ static const struct regmap_config idio_1
+       .reg_stride = 1,
+       .val_bits = 8,
+       .io_port = true,
++      .max_register = 0x7,
+       .wr_table = &idio_16_wr_table,
+       .rd_table = &idio_16_rd_table,
+       .volatile_table = &idio_16_rd_table,
diff --git a/queue-6.12/mips-malta-fix-keyboard-resource-preventing-i8042-driver-from-registering.patch b/queue-6.12/mips-malta-fix-keyboard-resource-preventing-i8042-driver-from-registering.patch
new file mode 100644 (file)
index 0000000..1af7706
--- /dev/null
@@ -0,0 +1,65 @@
+From bf5570590a981d0659d0808d2d4bcda21b27a2a5 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Tue, 21 Oct 2025 20:38:22 +0100
+Subject: MIPS: Malta: Fix keyboard resource preventing i8042 driver from registering
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit bf5570590a981d0659d0808d2d4bcda21b27a2a5 upstream.
+
+MIPS Malta platform code registers the PCI southbridge legacy port I/O
+PS/2 keyboard range as a standard resource marked as busy.  It prevents
+the i8042 driver from registering as it fails to claim the resource in
+a call to i8042_platform_init().  Consequently PS/2 keyboard and mouse
+devices cannot be used with this platform.
+
+Fix the issue by removing the busy marker from the standard reservation,
+making the driver register successfully:
+
+  serio: i8042 KBD port at 0x60,0x64 irq 1
+  serio: i8042 AUX port at 0x60,0x64 irq 12
+
+and the resource show up as expected among the legacy devices:
+
+  00000000-00ffffff : MSC PCI I/O
+    00000000-0000001f : dma1
+    00000020-00000021 : pic1
+    00000040-0000005f : timer
+    00000060-0000006f : keyboard
+      00000060-0000006f : i8042
+    00000070-00000077 : rtc0
+    00000080-0000008f : dma page reg
+    000000a0-000000a1 : pic2
+    000000c0-000000df : dma2
+    [...]
+
+If the i8042 driver has not been configured, then the standard resource
+will remain there preventing any conflicting dynamic assignment of this
+PCI port I/O address range.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Acked-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/alpine.DEB.2.21.2510211919240.8377@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mti-malta/malta-setup.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/mti-malta/malta-setup.c
++++ b/arch/mips/mti-malta/malta-setup.c
+@@ -47,7 +47,7 @@ static struct resource standard_io_resou
+               .name = "keyboard",
+               .start = 0x60,
+               .end = 0x6f,
+-              .flags = IORESOURCE_IO | IORESOURCE_BUSY
++              .flags = IORESOURCE_IO
+       },
+       {
+               .name = "dma page reg",
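Review bot: The `keyboard` entry in `standard_io_resources` now carries only `IORESOURCE_IO`, and nothing at the entry says why it is not marked busy, so a later cleanup could restore the flag and stop i8042 from registering again. A short comment on the `.flags` line would record it, e.g. `/* not BUSY: the i8042 driver must be able to claim this range */`. The array starts and ends outside the hunk, so whether the neighbouring entries are marked busy is not visible here.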
diff --git a/queue-6.12/mm-prevent-poison-consumption-when-splitting-thp.patch b/queue-6.12/mm-prevent-poison-consumption-when-splitting-thp.patch
new file mode 100644 (file)
index 0000000..9211fe4
--- /dev/null
@@ -0,0 +1,125 @@
+From 841a8bfcbad94bb1ba60f59ce34f75259074ae0d Mon Sep 17 00:00:00 2001
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Date: Sat, 11 Oct 2025 15:55:19 +0800
+Subject: mm: prevent poison consumption when splitting THP
+
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+
+commit 841a8bfcbad94bb1ba60f59ce34f75259074ae0d upstream.
+
+When performing memory error injection on a THP (Transparent Huge Page)
+mapped to userspace on an x86 server, the kernel panics with the following
+trace.  The expected behavior is to terminate the affected process instead
+of panicking the kernel, as the x86 Machine Check code can recover from an
+in-userspace #MC.
+
+  mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134
+  mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0}
+  mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db
+  mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320
+  mce: [Hardware Error]: Run the above through 'mcelog --ascii'
+  mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel
+  Kernel panic - not syncing: Fatal local machine check
+
+The root cause of this panic is that handling a memory failure triggered
+by an in-userspace #MC necessitates splitting the THP.  The splitting
+process employs a mechanism, implemented in
+try_to_map_unused_to_zeropage(), which reads the pages in the THP to
+identify zero-filled pages.  However, reading the pages in the THP results
+in a second in-kernel #MC, occurring before the initial memory_failure()
+completes, ultimately leading to a kernel panic.  See the kernel panic
+call trace on the two #MCs.
+
+  First Machine Check occurs // [1]
+    memory_failure()         // [2]
+      try_to_split_thp_page()
+        split_huge_page()
+          split_huge_page_to_list_to_order()
+            __folio_split()  // [3]
+              remap_page()
+                remove_migration_ptes()
+                  remove_migration_pte()
+                    try_to_map_unused_to_zeropage()  // [4]
+                      memchr_inv()                   // [5]
+                        Second Machine Check occurs  // [6]
+                          Kernel panic
+
+[1] Triggered by accessing a hardware-poisoned THP in userspace, which is
+    typically recoverable by terminating the affected process.
+
+[2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page().
+
+[3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page().
+
+[4] Try to map the unused THP to zeropage.
+
+[5] Re-access pages in the hw-poisoned THP in the kernel.
+
+[6] Triggered in-kernel, leading to a panic kernel.
+
+In Step[2], memory_failure() sets the poisoned flag on the page in the THP
+by TestSetPageHWPoison() before calling try_to_split_thp_page().
+
+As suggested by David Hildenbrand, fix this panic by not accessing to the
+poisoned page in the THP during zeropage identification, while continuing
+to scan unaffected pages in the THP for possible zeropage mapping.  This
+prevents a second in-kernel #MC that would cause kernel panic in Step[4].
+
+Thanks to Andrew Zaborowski for his initial work on fixing this issue.
+
+Link: https://lkml.kernel.org/r/20251015064926.1887643-1-qiuxu.zhuo@intel.com
+Link: https://lkml.kernel.org/r/20251011075520.320862-1-qiuxu.zhuo@intel.com
+Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp")
+Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Reported-by: Farrah Chen <farrah.chen@intel.com>
+Suggested-by: David Hildenbrand <david@redhat.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Tested-by: Farrah Chen <farrah.chen@intel.com>
+Tested-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Acked-by: Lance Yang <lance.yang@linux.dev>
+Reviewed-by: Wei Yang <richard.weiyang@gmail.com>
+Acked-by: Zi Yan <ziy@nvidia.com>
+Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Barry Song <baohua@kernel.org>
+Cc: Dev Jain <dev.jain@arm.com>
+Cc: Jiaqi Yan <jiaqiyan@google.com>
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: "Luck, Tony" <tony.luck@intel.com>
+Cc: Mariano Pache <npache@redhat.com>
+Cc: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/huge_memory.c |    3 +++
+ mm/migrate.c     |    3 ++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -3720,6 +3720,9 @@ static bool thp_underused(struct folio *
+       if (khugepaged_max_ptes_none == HPAGE_PMD_NR - 1)
+               return false;
++      if (folio_contain_hwpoisoned_page(folio))
++              return false;
++
+       for (i = 0; i < folio_nr_pages(folio); i++) {
+               if (pages_identical(folio_page(folio, i), ZERO_PAGE(0))) {
+                       if (++num_zero_pages > khugepaged_max_ptes_none)
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -203,8 +203,9 @@ static bool try_to_map_unused_to_zeropag
+       struct page *page = folio_page(folio, idx);
+       pte_t newpte;
+-      if (PageCompound(page))
++      if (PageCompound(page) || PageHWPoison(page))
+               return false;
++
+       VM_BUG_ON_PAGE(!PageAnon(page), page);
+       VM_BUG_ON_PAGE(!PageLocked(page), page);
+       VM_BUG_ON_PAGE(pte_present(old_pte), page);
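Review bot: The new `PageHWPoison(page)` test in `try_to_map_unused_to_zeropage()` has no comment, although it is what keeps the kernel from reading a poisoned subpage during zero-page detection, the read that the commit message shows raising a second machine check in `memchr_inv()`. I would add `/* Never read a hwpoisoned subpage: the load would raise an in-kernel #MC */` above the combined condition, and a matching one-liner above the `folio_contain_hwpoisoned_page(folio)` early return in `thp_underused()`, where `pages_identical()` would otherwise read every subpage. The check is a point-in-time test of the flag; whether a page can be marked poisoned between the test and the read is not visible here and may deserve a sentence in the comment. Both function bodies continue outside their hunks.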
diff --git a/queue-6.12/net-bonding-fix-possible-peer-notify-event-loss-or-dup-issue.patch b/queue-6.12/net-bonding-fix-possible-peer-notify-event-loss-or-dup-issue.patch
new file mode 100644 (file)
index 0000000..c35d416
--- /dev/null
@@ -0,0 +1,113 @@
+From 10843e1492e474c02b91314963161731fa92af91 Mon Sep 17 00:00:00 2001
+From: Tonghao Zhang <tonghao@bamaicloud.com>
+Date: Tue, 21 Oct 2025 13:09:33 +0800
+Subject: net: bonding: fix possible peer notify event loss or dup issue
+
+From: Tonghao Zhang <tonghao@bamaicloud.com>
+
+commit 10843e1492e474c02b91314963161731fa92af91 upstream.
+
+If the send_peer_notif counter and the peer event notify are not synchronized.
+It may cause problems such as the loss or dup of peer notify event.
+
+Before this patch:
+- If should_notify_peers is true and the lock for send_peer_notif-- fails, peer
+  event may be sent again in next mii_monitor loop, because should_notify_peers
+  is still true.
+- If should_notify_peers is true and the lock for send_peer_notif-- succeeded,
+  but the lock for peer event fails, the peer event will be lost.
+
+This patch locks the RTNL for send_peer_notif, events, and commit simultaneously.
+
+Fixes: 07a4ddec3ce9 ("bonding: add an option to specify a delay between peer notifications")
+Cc: Jay Vosburgh <jv@jvosburgh.net>
+Cc: Andrew Lunn <andrew+netdev@lunn.ch>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Hangbin Liu <liuhangbin@gmail.com>
+Cc: Nikolay Aleksandrov <razor@blackwall.org>
+Cc: Vincent Bernat <vincent@bernat.ch>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Tonghao Zhang <tonghao@bamaicloud.com>
+Acked-by: Jay Vosburgh <jv@jvosburgh.net>
+Link: https://patch.msgid.link/20251021050933.46412-1-tonghao@bamaicloud.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c |   40 ++++++++++++++++++----------------------
+ 1 file changed, 18 insertions(+), 22 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2951,7 +2951,7 @@ static void bond_mii_monitor(struct work
+ {
+       struct bonding *bond = container_of(work, struct bonding,
+                                           mii_work.work);
+-      bool should_notify_peers = false;
++      bool should_notify_peers;
+       bool commit;
+       unsigned long delay;
+       struct slave *slave;
+@@ -2963,30 +2963,33 @@ static void bond_mii_monitor(struct work
+               goto re_arm;
+       rcu_read_lock();
++
+       should_notify_peers = bond_should_notify_peers(bond);
+       commit = !!bond_miimon_inspect(bond);
+-      if (bond->send_peer_notif) {
+-              rcu_read_unlock();
+-              if (rtnl_trylock()) {
+-                      bond->send_peer_notif--;
+-                      rtnl_unlock();
+-              }
+-      } else {
+-              rcu_read_unlock();
+-      }
+-      if (commit) {
++      rcu_read_unlock();
++
++      if (commit || bond->send_peer_notif) {
+               /* Race avoidance with bond_close cancel of workqueue */
+               if (!rtnl_trylock()) {
+                       delay = 1;
+-                      should_notify_peers = false;
+                       goto re_arm;
+               }
+-              bond_for_each_slave(bond, slave, iter) {
+-                      bond_commit_link_state(slave, BOND_SLAVE_NOTIFY_LATER);
++              if (commit) {
++                      bond_for_each_slave(bond, slave, iter) {
++                              bond_commit_link_state(slave,
++                                                     BOND_SLAVE_NOTIFY_LATER);
++                      }
++                      bond_miimon_commit(bond);
++              }
++
++              if (bond->send_peer_notif) {
++                      bond->send_peer_notif--;
++                      if (should_notify_peers)
++                              call_netdevice_notifiers(NETDEV_NOTIFY_PEERS,
++                                                       bond->dev);
+               }
+-              bond_miimon_commit(bond);
+               rtnl_unlock();  /* might sleep, hold no other locks */
+       }
+@@ -2994,13 +2997,6 @@ static void bond_mii_monitor(struct work
+ re_arm:
+       if (bond->params.miimon)
+               queue_delayed_work(bond->wq, &bond->mii_work, delay);
+-
+-      if (should_notify_peers) {
+-              if (!rtnl_trylock())
+-                      return;
+-              call_netdevice_notifiers(NETDEV_NOTIFY_PEERS, bond->dev);
+-              rtnl_unlock();
+-      }
+ }
+ static int bond_upper_dev_walk(struct net_device *upper,
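Review bot: `bond->send_peer_notif` is tested without RTNL in `if (commit || bond->send_peer_notif)` and then tested again after `rtnl_trylock()`, and the code does not say that the first read is only a hint. A comment such as `/* unlocked peek; re-checked under RTNL below */` on the outer test, plus `/* decrement and notify under the same RTNL hold so the counter and the event cannot drift apart */` above `bond->send_peer_notif--`, would keep the invariant this fix establishes from being lost in a later refactor. If the field can change concurrently, wrapping the unlocked read in `READ_ONCE()` may also be appropriate; that depends on writers outside these hunks. `bond_mii_monitor()` begins before the first hunk.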
diff --git a/queue-6.12/net-ravb-enforce-descriptor-type-ordering.patch b/queue-6.12/net-ravb-enforce-descriptor-type-ordering.patch
new file mode 100644 (file)
index 0000000..e48163e
--- /dev/null
@@ -0,0 +1,73 @@
+From 5370c31e84b0e0999c7b5ff949f4e104def35584 Mon Sep 17 00:00:00 2001
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Date: Fri, 17 Oct 2025 16:18:29 +0100
+Subject: net: ravb: Enforce descriptor type ordering
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+commit 5370c31e84b0e0999c7b5ff949f4e104def35584 upstream.
+
+Ensure the TX descriptor type fields are published in a safe order so the
+DMA engine never begins processing a descriptor chain before all descriptor
+fields are fully initialised.
+
+For multi-descriptor transmits the driver writes DT_FEND into the last
+descriptor and DT_FSTART into the first. The DMA engine begins processing
+when it observes DT_FSTART. Move the dma_wmb() barrier so it executes
+immediately after DT_FEND and immediately before writing DT_FSTART
+(and before DT_FSINGLE in the single-descriptor case). This guarantees
+that all prior CPU writes to the descriptor memory are visible to the
+device before DT_FSTART is seen.
+
+This avoids a situation where compiler/CPU reordering could publish
+DT_FSTART ahead of DT_FEND or other descriptor fields, allowing the DMA to
+start on a partially initialised chain and causing corrupted transmissions
+or TX timeouts. Such a failure was observed on RZ/G2L with an RT kernel as
+transmit queue timeouts and device resets.
+
+Fixes: 2f45d1902acf ("ravb: minimize TX data copying")
+Cc: stable@vger.kernel.org
+Co-developed-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+Signed-off-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Link: https://patch.msgid.link/20251017151830.171062-4-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c |   16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -2203,13 +2203,25 @@ static netdev_tx_t ravb_start_xmit(struc
+               skb_tx_timestamp(skb);
+       }
+-      /* Descriptor type must be set after all the above writes */
+-      dma_wmb();
++
+       if (num_tx_desc > 1) {
+               desc->die_dt = DT_FEND;
+               desc--;
++              /* When using multi-descriptors, DT_FEND needs to get written
++               * before DT_FSTART, but the compiler may reorder the memory
++               * writes in an attempt to optimize the code.
++               * Use a dma_wmb() barrier to make sure DT_FEND and DT_FSTART
++               * are written exactly in the order shown in the code.
++               * This is particularly important for cases where the DMA engine
++               * is already running when we are running this code. If the DMA
++               * sees DT_FSTART without the corresponding DT_FEND it will enter
++               * an error condition.
++               */
++              dma_wmb();
+               desc->die_dt = DT_FSTART;
+       } else {
++              /* Descriptor type must be set after all the above writes */
++              dma_wmb();
+               desc->die_dt = DT_FSINGLE;
+       }
+       ravb_modify(ndev, TCCR, TCCR_TSRQ0 << q, TCCR_TSRQ0 << q);
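Review bot: The added comment in the `num_tx_desc > 1` branch explains the barrier only as protection against compiler reordering, while the commit message names compiler and CPU reordering, and the point of `dma_wmb()` is the order in which the device observes the writes. I would word it as `/* DT_FEND and all other descriptor fields must be visible to the DMA engine before DT_FSTART; dma_wmb() orders those writes as seen by the device. */` and keep the sentence about the already-running DMA engine. The hunk also leaves two consecutive blank lines where the old barrier was removed; one of them can go. `ravb_start_xmit()` starts and ends outside the hunk.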
diff --git a/queue-6.12/net-ravb-ensure-memory-write-completes-before-ringing-tx-doorbell.patch b/queue-6.12/net-ravb-ensure-memory-write-completes-before-ringing-tx-doorbell.patch
new file mode 100644 (file)
index 0000000..f8c6c72
--- /dev/null
@@ -0,0 +1,52 @@
+From 706136c5723626fcde8dd8f598a4dcd251e24927 Mon Sep 17 00:00:00 2001
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Date: Fri, 17 Oct 2025 16:18:30 +0100
+Subject: net: ravb: Ensure memory write completes before ringing TX doorbell
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+commit 706136c5723626fcde8dd8f598a4dcd251e24927 upstream.
+
+Add a final dma_wmb() barrier before triggering the transmit request
+(TCCR_TSRQ) to ensure all descriptor and buffer writes are visible to
+the DMA engine.
+
+According to the hardware manual, a read-back operation is required
+before writing to the doorbell register to guarantee completion of
+previous writes. Instead of performing a dummy read, a dma_wmb() is
+used to both enforce the same ordering semantics on the CPU side and
+also to ensure completion of writes.
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Cc: stable@vger.kernel.org
+Co-developed-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+Signed-off-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Link: https://patch.msgid.link/20251017151830.171062-5-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -2224,6 +2224,14 @@ static netdev_tx_t ravb_start_xmit(struc
+               dma_wmb();
+               desc->die_dt = DT_FSINGLE;
+       }
++
++      /* Before ringing the doorbell we need to make sure that the latest
++       * writes have been committed to memory, otherwise it could delay
++       * things until the doorbell is rang again.
++       * This is in replacement of the read operation mentioned in the HW
++       * manuals.
++       */
++      dma_wmb();
+       ravb_modify(ndev, TCCR, TCCR_TSRQ0 << q, TCCR_TSRQ0 << q);
+       priv->cur_tx[q] += num_tx_desc;
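Review bot: The comment above the new `dma_wmb()` says the latest writes "have been committed to memory", which is a completion guarantee, whereas `dma_wmb()` is documented as ordering writes to DMA-coherent memory relative to each other. Since the commit message says the hardware manual asks for a read-back before the doorbell write, the comment should state which property the driver relies on, or the code should use the read-back or a full `wmb()` if completion is what is required; I cannot tell from the hunk what `ravb_modify()` itself guarantees. Suggested wording: `/* Order the descriptor writes before the TCCR doorbell write; used instead of the read-back described in the HW manual. */`. The same comment has "rang" where "rung" is meant.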
diff --git a/queue-6.12/net-stmmac-dwmac-rk-fix-disabling-set_clock_selection.patch b/queue-6.12/net-stmmac-dwmac-rk-fix-disabling-set_clock_selection.patch
new file mode 100644 (file)
index 0000000..fe7571c
--- /dev/null
@@ -0,0 +1,51 @@
+From 7f864458e9a6d2000b726d14b3d3a706ac92a3b0 Mon Sep 17 00:00:00 2001
+From: Sebastian Reichel <sebastian.reichel@collabora.com>
+Date: Tue, 14 Oct 2025 17:49:34 +0200
+Subject: net: stmmac: dwmac-rk: Fix disabling set_clock_selection
+
+From: Sebastian Reichel <sebastian.reichel@collabora.com>
+
+commit 7f864458e9a6d2000b726d14b3d3a706ac92a3b0 upstream.
+
+On all platforms set_clock_selection() writes to a GRF register. This
+requires certain clocks running and thus should happen before the
+clocks are disabled.
+
+This has been noticed on RK3576 Sige5, which hangs during system suspend
+when trying to suspend the second network interface. Note, that
+suspending the first interface works, because the second device ensures
+that the necessary clocks for the GRF are enabled.
+
+Cc: stable@vger.kernel.org
+Fixes: 2f2b60a0ec28 ("net: ethernet: stmmac: dwmac-rk: Add gmac support for rk3588")
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251014-rockchip-network-clock-fix-v1-1-c257b4afdf75@collabora.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
+@@ -1721,14 +1721,15 @@ static int gmac_clk_enable(struct rk_pri
+               }
+       } else {
+               if (bsp_priv->clk_enabled) {
++                      if (bsp_priv->ops && bsp_priv->ops->set_clock_selection) {
++                              bsp_priv->ops->set_clock_selection(bsp_priv,
++                                            bsp_priv->clock_input, false);
++                      }
++
+                       clk_bulk_disable_unprepare(bsp_priv->num_clks,
+                                                  bsp_priv->clks);
+                       clk_disable_unprepare(bsp_priv->clk_phy);
+-                      if (bsp_priv->ops && bsp_priv->ops->set_clock_selection)
+-                              bsp_priv->ops->set_clock_selection(bsp_priv,
+-                                            bsp_priv->clock_input, false);
+-
+                       bsp_priv->clk_enabled = false;
+               }
+       }
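Review bot: The reordering in the disable branch of `gmac_clk_enable()` is correct only because `set_clock_selection()` writes a GRF register that needs the clocks running, and that constraint is stated in the commit message but nowhere in the code. A comment above the moved call, e.g. `/* GRF write needs the clocks still running: deselect before disabling them */`, would stop the call from drifting back below `clk_bulk_disable_unprepare()`. The enable branch is outside the hunk, so whether it performs the mirror-image sequence (clocks on, then select) cannot be checked here.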
diff --git a/queue-6.12/net-usb-rtl8150-fix-frame-padding.patch b/queue-6.12/net-usb-rtl8150-fix-frame-padding.patch
new file mode 100644 (file)
index 0000000..e70dd4d
--- /dev/null
@@ -0,0 +1,54 @@
+From 75cea9860aa6b2350d90a8d78fed114d27c7eca2 Mon Sep 17 00:00:00 2001
+From: Michal Pecio <michal.pecio@gmail.com>
+Date: Tue, 14 Oct 2025 20:35:28 +0200
+Subject: net: usb: rtl8150: Fix frame padding
+
+From: Michal Pecio <michal.pecio@gmail.com>
+
+commit 75cea9860aa6b2350d90a8d78fed114d27c7eca2 upstream.
+
+TX frames aren't padded and unknown memory is sent into the ether.
+
+Theoretically, it isn't even guaranteed that the extra memory exists
+and can be sent out, which could cause further problems. In practice,
+I found that plenty of tailroom exists in the skb itself (in my test
+with ping at least) and skb_padto() easily succeeds, so use it here.
+
+In the event of -ENOMEM drop the frame like other drivers do.
+
+The use of one more padding byte instead of a USB zero-length packet
+is retained to avoid regression. I have a dodgy Etron xHCI controller
+which doesn't seem to support sending ZLPs at all.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251014203528.3f9783c4.michal.pecio@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/rtl8150.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/rtl8150.c
++++ b/drivers/net/usb/rtl8150.c
+@@ -685,9 +685,16 @@ static netdev_tx_t rtl8150_start_xmit(st
+       rtl8150_t *dev = netdev_priv(netdev);
+       int count, res;
++      /* pad the frame and ensure terminating USB packet, datasheet 9.2.3 */
++      count = max(skb->len, ETH_ZLEN);
++      if (count % 64 == 0)
++              count++;
++      if (skb_padto(skb, count)) {
++              netdev->stats.tx_dropped++;
++              return NETDEV_TX_OK;
++      }
++
+       netif_stop_queue(netdev);
+-      count = (skb->len < 60) ? 60 : skb->len;
+-      count = (count & 0x3f) ? count : count + 1;
+       dev->tx_skb = skb;
+       usb_fill_bulk_urb(dev->tx_urb, dev->udev, usb_sndbulkpipe(dev->udev, 2),
+                     skb->data, count, write_bulk_callback, dev);
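Review bot: The error path after `skb_padto()` returns `NETDEV_TX_OK` without freeing the skb, which is right only because `skb_padto()` frees the buffer itself on failure; a reader can easily take it for a leak and "fix" it into a double free. I would add `/* skb_padto() has already freed the skb */` inside that branch. The literal `64` in `count % 64` is presumably the bulk endpoint's maximum packet size; a named constant or a word in the existing comment would make the purpose of the extra byte clear. `rtl8150_start_xmit()` continues past the end of the hunk.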
diff --git a/queue-6.12/ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch b/queue-6.12/ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch
new file mode 100644 (file)
index 0000000..10b603e
--- /dev/null
@@ -0,0 +1,62 @@
+From 78a63493f8e352296dbc7cb7b3f4973105e8679e Mon Sep 17 00:00:00 2001
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+Date: Thu, 9 Oct 2025 21:19:03 +0530
+Subject: ocfs2: clear extent cache after moving/defragmenting extents
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+commit 78a63493f8e352296dbc7cb7b3f4973105e8679e upstream.
+
+The extent map cache can become stale when extents are moved or
+defragmented, causing subsequent operations to see outdated extent flags.
+This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().
+
+The problem occurs when:
+1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED
+2. ioctl(FITRIM) triggers ocfs2_move_extents()
+3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2)
+4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()
+   which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0)
+5. The extent map cache is not invalidated after the move
+6. Later write() operations read stale cached flags (0x2) but disk has
+   updated flags (0x0), causing a mismatch
+7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers
+
+Fix by clearing the extent map cache after each extent move/defrag
+operation in __ocfs2_move_extents_range().  This ensures subsequent
+operations read fresh extent data from disk.
+
+Link: https://lore.kernel.org/all/20251009142917.517229-1-kartikey406@gmail.com/T/
+Link: https://lkml.kernel.org/r/20251009154903.522339-1-kartikey406@gmail.com
+Fixes: 53069d4e7695 ("Ocfs2/move_extents: move/defrag extents within a certain range.")
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Reported-by: syzbot+6fdd8fa3380730a4b22c@syzkaller.appspotmail.com
+Tested-by: syzbot+6fdd8fa3380730a4b22c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?id=2959889e1f6e216585ce522f7e8bc002b46ad9e7
+Reviewed-by: Mark Fasheh <mark@fasheh.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/move_extents.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/ocfs2/move_extents.c
++++ b/fs/ocfs2/move_extents.c
+@@ -868,6 +868,11 @@ static int __ocfs2_move_extents_range(st
+                       mlog_errno(ret);
+                       goto out;
+               }
++              /*
++               * Invalidate extent cache after moving/defragging to prevent
++               * stale cached data with outdated extent flags.
++               */
++              ocfs2_extent_map_trunc(inode, cpos);
+               context->clusters_moved += alloc_size;
+ next:
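Review bot: `ocfs2_extent_map_trunc(inode, cpos)` is placed after the error exit (`mlog_errno(ret); goto out;`), so the extent map cache is not invalidated when the move or defrag call fails. If that call can fail after it has already changed extent flags on disk, the stale-flag mismatch described in the commit message could still be reached through the error path; the callee is outside the hunk, so this needs checking. If it can, moving the invalidation above the `ret` check would cover both outcomes. The loop in `__ocfs2_move_extents_range()` starts and ends outside the hunk.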
diff --git a/queue-6.12/revert-cpuidle-menu-avoid-discarding-useful-information.patch b/queue-6.12/revert-cpuidle-menu-avoid-discarding-useful-information.patch
new file mode 100644 (file)
index 0000000..9c96d8c
--- /dev/null
@@ -0,0 +1,78 @@
+From 10fad4012234a7dea621ae17c0c9486824f645a0 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Sat, 18 Oct 2025 14:27:15 +0200
+Subject: Revert "cpuidle: menu: Avoid discarding useful information"
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 10fad4012234a7dea621ae17c0c9486824f645a0 upstream.
+
+It is reported that commit 85975daeaa4d ("cpuidle: menu: Avoid discarding
+useful information") led to a performance regression on Intel Jasper Lake
+systems because it reduced the time spent by CPUs in idle state C7 which
+is correlated to the maximum frequency the CPUs can get to because of an
+average running power limit [1].
+
+Before that commit, get_typical_interval() would have returned UINT_MAX
+whenever it had been unable to make a high-confidence prediction which
+had led to selecting the deepest available idle state too often and
+both power and performance had been inadequate as a result of that on
+some systems.  However, this had not been a problem on systems with
+relatively aggressive average running power limits, like the Jasper Lake
+systems in question, because on those systems it was compensated by the
+ability to run CPUs faster.
+
+It was addressed by causing get_typical_interval() to return a number
+based on the recent idle duration information available to it even if it
+could not make a high-confidence prediction, but that clearly did not
+take the possible correlation between idle power and available CPU
+capacity into account.
+
+For this reason, revert most of the changes made by commit 85975daeaa4d,
+except for one cosmetic cleanup, and add a comment explaining the
+rationale for returning UINT_MAX from get_typical_interval() when it
+is unable to make a high-confidence prediction.
+
+Fixes: 85975daeaa4d ("cpuidle: menu: Avoid discarding useful information")
+Closes: https://lore.kernel.org/linux-pm/36iykr223vmcfsoysexug6s274nq2oimcu55ybn6ww4il3g3cv@cohflgdbpnq7/ [1]
+Reported-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Link: https://patch.msgid.link/3663603.iIbC2pHGDl@rafael.j.wysocki
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpuidle/governors/menu.c |   21 +++++++++------------
+ 1 file changed, 9 insertions(+), 12 deletions(-)
+
+--- a/drivers/cpuidle/governors/menu.c
++++ b/drivers/cpuidle/governors/menu.c
+@@ -199,20 +199,17 @@ again:
+        *
+        * This can deal with workloads that have long pauses interspersed
+        * with sporadic activity with a bunch of short pauses.
++       *
++       * However, if the number of remaining samples is too small to exclude
++       * any more outliers, allow the deepest available idle state to be
++       * selected because there are systems where the time spent by CPUs in
++       * deep idle states is correlated to the maximum frequency the CPUs
++       * can get to.  On those systems, shallow idle states should be avoided
++       * unless there is a clear indication that the given CPU is most likley
++       * going to be woken up shortly.
+        */
+-      if (divisor * 4 <= INTERVALS * 3) {
+-              /*
+-               * If there are sufficiently many data points still under
+-               * consideration after the outliers have been eliminated,
+-               * returning without a prediction would be a mistake because it
+-               * is likely that the next interval will not exceed the current
+-               * maximum, so return the latter in that case.
+-               */
+-              if (divisor >= INTERVALS / 2)
+-                      return max;
+-
++      if (divisor * 4 <= INTERVALS * 3)
+               return UINT_MAX;
+-      }
+       thresh = max - 1;
+       goto again;
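Review bot: The comment paragraph added above `if (divisor * 4 <= INTERVALS * 3)` contains the typo `likley`; the line should end `is most likely`. This paragraph is the only place in the code that records why `UINT_MAX` is returned when no high-confidence prediction is possible, so it is worth having it read cleanly. The enclosing function starts before the hunk.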
diff --git a/queue-6.12/selftests-mptcp-join-mark-flush-re-add-as-skipped-if-not-supported.patch b/queue-6.12/selftests-mptcp-join-mark-flush-re-add-as-skipped-if-not-supported.patch
new file mode 100644 (file)
index 0000000..e136873
--- /dev/null
@@ -0,0 +1,36 @@
+From d68460bc31f9c8c6fc81fbb56ec952bec18409f1 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 20 Oct 2025 22:53:27 +0200
+Subject: selftests: mptcp: join: mark 'flush re-add' as skipped if not supported
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit d68460bc31f9c8c6fc81fbb56ec952bec18409f1 upstream.
+
+The call to 'continue_if' was missing: it properly marks a subtest as
+'skipped' if the attached condition is not valid.
+
+Without that, the test is wrongly marked as passed on older kernels.
+
+Fixes: e06959e9eebd ("selftests: mptcp: join: test for flush/re-add endpoints")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251020-net-mptcp-c-flag-late-add-addr-v1-2-8207030cb0e8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -3897,7 +3897,7 @@ endpoint_tests()
+       # flush and re-add
+       if reset_with_tcp_filter "flush re-add" ns2 10.0.3.2 REJECT OUTPUT &&
+-         mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
++         continue_if mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
+               pm_nl_set_limits $ns1 0 2
+               pm_nl_set_limits $ns2 1 2
+               # broadcast IP: no packet for this address will be received on ns1
diff --git a/queue-6.12/selftests-mptcp-join-mark-implicit-tests-as-skipped-if-not-supported.patch b/queue-6.12/selftests-mptcp-join-mark-implicit-tests-as-skipped-if-not-supported.patch
new file mode 100644 (file)
index 0000000..5f30000
--- /dev/null
@@ -0,0 +1,45 @@
+From 973f80d715bd2504b4db6e049f292e694145cd79 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 20 Oct 2025 22:53:28 +0200
+Subject: selftests: mptcp: join: mark implicit tests as skipped if not supported
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 973f80d715bd2504b4db6e049f292e694145cd79 upstream.
+
+The call to 'continue_if' was missing: it properly marks a subtest as
+'skipped' if the attached condition is not valid.
+
+Without that, the test is wrongly marked as passed on older kernels.
+
+Fixes: 36c4127ae8dd ("selftests: mptcp: join: skip implicit tests if not supported")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251020-net-mptcp-c-flag-late-add-addr-v1-3-8207030cb0e8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -3722,7 +3722,7 @@ endpoint_tests()
+       # subflow_rebuild_header is needed to support the implicit flag
+       # userspace pm type prevents add_addr
+       if reset "implicit EP" &&
+-         mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
++         continue_if mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
+               pm_nl_set_limits $ns1 2 2
+               pm_nl_set_limits $ns2 2 2
+               pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
+@@ -3747,7 +3747,7 @@ endpoint_tests()
+       fi
+       if reset_with_tcp_filter "delete and re-add" ns2 10.0.3.2 REJECT OUTPUT &&
+-         mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
++         continue_if mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
+               start_events
+               pm_nl_set_limits $ns1 0 3
+               pm_nl_set_limits $ns2 0 3
index af52b0a9577c9d5ebfd82534fa40cc4b9a1a4564..ea0908d9f5718f97dd2b50078046391405afb009 100644 (file)
@@ -42,3 +42,28 @@ ptp-ocp-fix-typo-using-index-1-instead-of-i-in-sma-i.patch
 sctp-avoid-null-dereference-when-chunk-data-buffer-i.patch
 net-phy-micrel-always-set-shared-phydev-for-lan8814.patch
 net-mlx5-fix-ipsec-cleanup-over-mpv-device.patch
+fs-notify-call-exportfs_encode_fid-with-s_umount.patch
+net-bonding-fix-possible-peer-notify-event-loss-or-dup-issue.patch
+dma-debug-don-t-report-false-positives-with-dma_bounce_unaligned_kmalloc.patch
+arch_topology-fix-incorrect-error-check-in-topology_parse_cpu_capacity.patch
+btrfs-directly-free-partially-initialized-fs_info-in-btrfs_check_leaked_roots.patch
+gpio-pci-idio-16-define-maximum-valid-register-address-offset.patch
+gpio-104-idio-16-define-maximum-valid-register-address-offset.patch
+xfs-fix-locking-in-xchk_nlinks_collect_dir.patch
+revert-cpuidle-menu-avoid-discarding-useful-information.patch
+slab-avoid-race-on-slab-obj_exts-in-alloc_slab_obj_exts.patch
+slab-fix-obj_ext-mistakenly-considered-null-due-to-race-condition.patch
+acpica-work-around-bogus-wstringop-overread-warning-since-gcc-11.patch
+can-netlink-can_changelink-allow-disabling-of-automatic-restart.patch
+cifs-fix-tcp_server_info-credits-to-be-signed.patch
+mips-malta-fix-keyboard-resource-preventing-i8042-driver-from-registering.patch
+ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch
+vsock-fix-lock-inversion-in-vsock_assign_transport.patch
+net-stmmac-dwmac-rk-fix-disabling-set_clock_selection.patch
+net-usb-rtl8150-fix-frame-padding.patch
+net-ravb-enforce-descriptor-type-ordering.patch
+net-ravb-ensure-memory-write-completes-before-ringing-tx-doorbell.patch
+selftests-mptcp-join-mark-flush-re-add-as-skipped-if-not-supported.patch
+selftests-mptcp-join-mark-implicit-tests-as-skipped-if-not-supported.patch
+mm-prevent-poison-consumption-when-splitting-thp.patch
+drm-amd-display-increase-max-link-count-and-fix-link-enc-null-pointer-access.patch
diff --git a/queue-6.12/slab-avoid-race-on-slab-obj_exts-in-alloc_slab_obj_exts.patch b/queue-6.12/slab-avoid-race-on-slab-obj_exts-in-alloc_slab_obj_exts.patch
new file mode 100644 (file)
index 0000000..81944be
--- /dev/null
@@ -0,0 +1,72 @@
+From 6ed8bfd24ce1cb31742b09a3eb557cd008533eec Mon Sep 17 00:00:00 2001
+From: Hao Ge <gehao@kylinos.cn>
+Date: Tue, 21 Oct 2025 09:03:53 +0800
+Subject: slab: Avoid race on slab->obj_exts in alloc_slab_obj_exts
+
+From: Hao Ge <gehao@kylinos.cn>
+
+commit 6ed8bfd24ce1cb31742b09a3eb557cd008533eec upstream.
+
+If two competing threads enter alloc_slab_obj_exts() and one of them
+fails to allocate the object extension vector, it might override the
+valid slab->obj_exts allocated by the other thread with
+OBJEXTS_ALLOC_FAIL. This will cause the thread that lost this race and
+expects a valid pointer to dereference a NULL pointer later on.
+
+Update slab->obj_exts atomically using cmpxchg() to avoid
+slab->obj_exts overrides by racing threads.
+
+Thanks for Vlastimil and Suren's help with debugging.
+
+Fixes: f7381b911640 ("slab: mark slab->obj_exts allocation failures unconditionally")
+Cc: <stable@vger.kernel.org>
+Suggested-by: Suren Baghdasaryan <surenb@google.com>
+Signed-off-by: Hao Ge <gehao@kylinos.cn>
+Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
+Reviewed-by: Suren Baghdasaryan <surenb@google.com>
+Link: https://patch.msgid.link/20251021010353.1187193-1-hao.ge@linux.dev
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/slub.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1943,7 +1943,7 @@ static inline void mark_objexts_empty(st
+ static inline void mark_failed_objexts_alloc(struct slab *slab)
+ {
+-      slab->obj_exts = OBJEXTS_ALLOC_FAIL;
++      cmpxchg(&slab->obj_exts, 0, OBJEXTS_ALLOC_FAIL);
+ }
+ static inline void handle_failed_objexts_alloc(unsigned long obj_exts,
+@@ -2008,6 +2008,7 @@ int alloc_slab_obj_exts(struct slab *sla
+ #ifdef CONFIG_MEMCG
+       new_exts |= MEMCG_DATA_OBJEXTS;
+ #endif
++retry:
+       old_exts = READ_ONCE(slab->obj_exts);
+       handle_failed_objexts_alloc(old_exts, vec, objects);
+       if (new_slab) {
+@@ -2017,8 +2018,7 @@ int alloc_slab_obj_exts(struct slab *sla
+                * be simply assigned.
+                */
+               slab->obj_exts = new_exts;
+-      } else if ((old_exts & ~OBJEXTS_FLAGS_MASK) ||
+-                 cmpxchg(&slab->obj_exts, old_exts, new_exts) != old_exts) {
++      } else if (old_exts & ~OBJEXTS_FLAGS_MASK) {
+               /*
+                * If the slab is already in use, somebody can allocate and
+                * assign slabobj_exts in parallel. In this case the existing
+@@ -2027,6 +2027,9 @@ int alloc_slab_obj_exts(struct slab *sla
+               mark_objexts_empty(vec);
+               kfree(vec);
+               return 0;
++      } else if (cmpxchg(&slab->obj_exts, old_exts, new_exts) != old_exts) {
++              /* Retry if a racing thread changed slab->obj_exts from under us. */
++              goto retry;
+       }
+       kmemleak_not_leak(vec);
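Review bot: The new `cmpxchg(&slab->obj_exts, 0, OBJEXTS_ALLOC_FAIL)` in mark_failed_objexts_alloc() carries no comment explaining why the expected old value is the literal `0`, and that value is the whole point of the fix. I would add `/* Only mark the failure while obj_exts is still empty; never overwrite a vector installed by a racing thread. */` above it, so a later cleanup does not turn it back into a plain store. The `retry:` label in alloc_slab_obj_exts() would likewise benefit from a short comment saying that `old_exts` is re-read and `handle_failed_objexts_alloc()` runs again on every pass. alloc_slab_obj_exts() starts and ends outside these hunks, so the rest of the loop body is not visible here.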
diff --git a/queue-6.12/slab-fix-obj_ext-mistakenly-considered-null-due-to-race-condition.patch b/queue-6.12/slab-fix-obj_ext-mistakenly-considered-null-due-to-race-condition.patch
new file mode 100644 (file)
index 0000000..19c6a2d
--- /dev/null
@@ -0,0 +1,73 @@
+From 7f434e1d9a17ca5f567c9796c9c105a65c18db9a Mon Sep 17 00:00:00 2001
+From: Hao Ge <gehao@kylinos.cn>
+Date: Thu, 23 Oct 2025 22:33:13 +0800
+Subject: slab: Fix obj_ext mistakenly considered NULL due to race condition
+
+From: Hao Ge <gehao@kylinos.cn>
+
+commit 7f434e1d9a17ca5f567c9796c9c105a65c18db9a upstream.
+
+If two competing threads enter alloc_slab_obj_exts(), and the one that
+allocates the vector wins the cmpxchg(), the other thread that failed
+allocation mistakenly assumes that slab->obj_exts is still empty due to
+its own allocation failure. This will then trigger warnings with
+CONFIG_MEM_ALLOC_PROFILING_DEBUG checks in the subsequent free path.
+
+Therefore, let's check the result of cmpxchg() to see if marking the
+allocation as failed was successful. If it wasn't, check whether the
+winning side has succeeded its allocation (it might have been also
+marking it as failed) and if yes, return success.
+
+Suggested-by: Harry Yoo <harry.yoo@oracle.com>
+Fixes: f7381b911640 ("slab: mark slab->obj_exts allocation failures unconditionally")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Hao Ge <gehao@kylinos.cn>
+Link: https://patch.msgid.link/20251023143313.1327968-1-hao.ge@linux.dev
+Reviewed-by: Suren Baghdasaryan <surenb@google.com>
+Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/slub.c |   16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1941,9 +1941,9 @@ static inline void mark_objexts_empty(st
+       }
+ }
+-static inline void mark_failed_objexts_alloc(struct slab *slab)
++static inline bool mark_failed_objexts_alloc(struct slab *slab)
+ {
+-      cmpxchg(&slab->obj_exts, 0, OBJEXTS_ALLOC_FAIL);
++      return cmpxchg(&slab->obj_exts, 0, OBJEXTS_ALLOC_FAIL) == 0;
+ }
+ static inline void handle_failed_objexts_alloc(unsigned long obj_exts,
+@@ -1965,7 +1965,7 @@ static inline void handle_failed_objexts
+ #else /* CONFIG_MEM_ALLOC_PROFILING_DEBUG */
+ static inline void mark_objexts_empty(struct slabobj_ext *obj_exts) {}
+-static inline void mark_failed_objexts_alloc(struct slab *slab) {}
++static inline bool mark_failed_objexts_alloc(struct slab *slab) { return false; }
+ static inline void handle_failed_objexts_alloc(unsigned long obj_exts,
+                       struct slabobj_ext *vec, unsigned int objects) {}
+@@ -1998,8 +1998,14 @@ int alloc_slab_obj_exts(struct slab *sla
+       vec = kcalloc_node(objects, sizeof(struct slabobj_ext), gfp,
+                          slab_nid(slab));
+       if (!vec) {
+-              /* Mark vectors which failed to allocate */
+-              mark_failed_objexts_alloc(slab);
++              /*
++               * Try to mark vectors which failed to allocate.
++               * If this operation fails, there may be a racing process
++               * that has already completed the allocation.
++               */
++              if (!mark_failed_objexts_alloc(slab) &&
++                  slab_obj_exts(slab))
++                      return 0;
+               return -ENOMEM;
+       }
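Review bot: The new `bool` return of mark_failed_objexts_alloc() is undocumented, and the `return false` in the !CONFIG_MEM_ALLOC_PROFILING_DEBUG stub is easy to misread. In that configuration the caller's `!mark_failed_objexts_alloc(slab) && slab_obj_exts(slab)` always goes on to consult `slab_obj_exts(slab)`. That looks intentional, since a vector installed by a racing thread should yield success in either build, but it should be stated. I would add above both definitions `/* Returns true if this call set OBJEXTS_ALLOC_FAIL; false means obj_exts was already non-zero or marking is compiled out, so the caller must re-check slab_obj_exts(). */`. alloc_slab_obj_exts() continues outside the last hunk.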
diff --git a/queue-6.12/vsock-fix-lock-inversion-in-vsock_assign_transport.patch b/queue-6.12/vsock-fix-lock-inversion-in-vsock_assign_transport.patch
new file mode 100644 (file)
index 0000000..dad289b
--- /dev/null
@@ -0,0 +1,95 @@
+From f7c877e7535260cc7a21484c994e8ce7e8cb6780 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Tue, 21 Oct 2025 14:17:18 +0200
+Subject: vsock: fix lock inversion in vsock_assign_transport()
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit f7c877e7535260cc7a21484c994e8ce7e8cb6780 upstream.
+
+Syzbot reported a potential lock inversion deadlock between
+vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.
+
+The issue was introduced by commit 687aa0c5581b ("vsock: Fix
+transport_* TOCTOU") which added vsock_register_mutex locking in
+vsock_assign_transport() around the transport->release() call, that can
+call vsock_linger(). vsock_assign_transport() can be called with sk_lock
+held. vsock_linger() calls sk_wait_event() that temporarily releases and
+re-acquires sk_lock. During this window, if another thread hold
+vsock_register_mutex while trying to acquire sk_lock, a circular
+dependency is created.
+
+Fix this by releasing vsock_register_mutex before calling
+transport->release() and vsock_deassign_transport(). This is safe
+because we don't need to hold vsock_register_mutex while releasing the
+old transport, and we ensure the new transport won't disappear by
+obtaining a module reference first via try_module_get().
+
+Reported-by: syzbot+10e35716f8e4929681fa@syzkaller.appspotmail.com
+Tested-by: syzbot+10e35716f8e4929681fa@syzkaller.appspotmail.com
+Fixes: 687aa0c5581b ("vsock: Fix transport_* TOCTOU")
+Cc: mhal@rbox.co
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20251021121718.137668-1-sgarzare@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c |   38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -487,12 +487,26 @@ int vsock_assign_transport(struct vsock_
+               goto err;
+       }
+-      if (vsk->transport) {
+-              if (vsk->transport == new_transport) {
+-                      ret = 0;
+-                      goto err;
+-              }
++      if (vsk->transport && vsk->transport == new_transport) {
++              ret = 0;
++              goto err;
++      }
++
++      /* We increase the module refcnt to prevent the transport unloading
++       * while there are open sockets assigned to it.
++       */
++      if (!new_transport || !try_module_get(new_transport->module)) {
++              ret = -ENODEV;
++              goto err;
++      }
++
++      /* It's safe to release the mutex after a successful try_module_get().
++       * Whichever transport `new_transport` points at, it won't go away until
++       * the last module_put() below or in vsock_deassign_transport().
++       */
++      mutex_unlock(&vsock_register_mutex);
++      if (vsk->transport) {
+               /* transport->release() must be called with sock lock acquired.
+                * This path can only be taken during vsock_connect(), where we
+                * have already held the sock lock. In the other cases, this
+@@ -512,20 +526,6 @@ int vsock_assign_transport(struct vsock_
+               vsk->peer_shutdown = 0;
+       }
+-      /* We increase the module refcnt to prevent the transport unloading
+-       * while there are open sockets assigned to it.
+-       */
+-      if (!new_transport || !try_module_get(new_transport->module)) {
+-              ret = -ENODEV;
+-              goto err;
+-      }
+-
+-      /* It's safe to release the mutex after a successful try_module_get().
+-       * Whichever transport `new_transport` points at, it won't go away until
+-       * the last module_put() below or in vsock_deassign_transport().
+-       */
+-      mutex_unlock(&vsock_register_mutex);
+-
+       if (sk->sk_type == SOCK_SEQPACKET) {
+               if (!new_transport->seqpacket_allow ||
+                   !new_transport->seqpacket_allow(remote_cid)) {
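Review bot: The comment moved along with `mutex_unlock(&vsock_register_mutex)` explains why dropping the mutex is safe (the module reference), but not why it now has to happen before the `if (vsk->transport)` block, which is the ordering this fix depends on. I would extend it with something like `/* Must be dropped before transport->release(): that can reach vsock_linger(), which sleeps with sk_lock released, and holding vsock_register_mutex across it inverts the lock order. */`. Without that, a later refactor could move the unlock back below the release path and reintroduce the deadlock. vsock_assign_transport() starts and ends outside these hunks and the `err` label is not visible. It is therefore worth confirming that no failure path after the unlock still jumps to a label that unlocks the mutex again.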
diff --git a/queue-6.12/xfs-fix-locking-in-xchk_nlinks_collect_dir.patch b/queue-6.12/xfs-fix-locking-in-xchk_nlinks_collect_dir.patch
new file mode 100644 (file)
index 0000000..b149d46
--- /dev/null
@@ -0,0 +1,98 @@
+From f477af0cfa0487eddec66ffe10fd9df628ba6f52 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <djwong@kernel.org>
+Date: Tue, 21 Oct 2025 11:30:43 -0700
+Subject: xfs: fix locking in xchk_nlinks_collect_dir
+
+From: Darrick J. Wong <djwong@kernel.org>
+
+commit f477af0cfa0487eddec66ffe10fd9df628ba6f52 upstream.
+
+On a filesystem with parent pointers, xchk_nlinks_collect_dir walks both
+the directory entries (data fork) and the parent pointers (attr fork) to
+determine the correct link count.  Unfortunately I forgot to update the
+lock mode logic to handle the case of a directory whose attr fork is in
+btree format and has not yet been loaded *and* whose data fork doesn't
+need loading.
+
+This leads to a bunch of assertions from xfs/286 in xfs_iread_extents
+because we only took ILOCK_SHARED, not ILOCK_EXCL.  You'd need the rare
+happenstance of a directory with a large number of non-pptr extended
+attributes set and enough memory pressure to cause the directory to be
+evicted and partially reloaded from disk.
+
+I /think/ this only started in 6.18-rc1 because I've started seeing OOM
+errors with the maple tree slab using 70% of memory, and this didn't
+happen in 6.17.  Yay dynamic systems!
+
+Cc: stable@vger.kernel.org # v6.10
+Fixes: 77ede5f44b0d86 ("xfs: walk directory parent pointers to determine backref count")
+Signed-off-by: Darrick J. Wong <djwong@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Carlos Maiolino <cem@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/scrub/nlinks.c | 34 +++++++++++++++++++++++++++++++---
+ 1 file changed, 31 insertions(+), 3 deletions(-)
+
+diff --git a/fs/xfs/scrub/nlinks.c b/fs/xfs/scrub/nlinks.c
+index 26721fab5cab..091c79e432e5 100644
+--- a/fs/xfs/scrub/nlinks.c
++++ b/fs/xfs/scrub/nlinks.c
+@@ -376,6 +376,36 @@ xchk_nlinks_collect_pptr(
+       return error;
+ }
++static uint
++xchk_nlinks_ilock_dir(
++      struct xfs_inode        *ip)
++{
++      uint                    lock_mode = XFS_ILOCK_SHARED;
++
++      /*
++       * We're going to scan the directory entries, so we must be ready to
++       * pull the data fork mappings into memory if they aren't already.
++       */
++      if (xfs_need_iread_extents(&ip->i_df))
++              lock_mode = XFS_ILOCK_EXCL;
++
++      /*
++       * We're going to scan the parent pointers, so we must be ready to
++       * pull the attr fork mappings into memory if they aren't already.
++       */
++      if (xfs_has_parent(ip->i_mount) && xfs_inode_has_attr_fork(ip) &&
++          xfs_need_iread_extents(&ip->i_af))
++              lock_mode = XFS_ILOCK_EXCL;
++
++      /*
++       * Take the IOLOCK so that other threads cannot start a directory
++       * update while we're scanning.
++       */
++      lock_mode |= XFS_IOLOCK_SHARED;
++      xfs_ilock(ip, lock_mode);
++      return lock_mode;
++}
++
+ /* Walk a directory to bump the observed link counts of the children. */
+ STATIC int
+ xchk_nlinks_collect_dir(
+@@ -394,8 +424,7 @@ xchk_nlinks_collect_dir(
+               return 0;
+       /* Prevent anyone from changing this directory while we walk it. */
+-      xfs_ilock(dp, XFS_IOLOCK_SHARED);
+-      lock_mode = xfs_ilock_data_map_shared(dp);
++      lock_mode = xchk_nlinks_ilock_dir(dp);
+       /*
+        * The dotdot entry of an unlinked directory still points to the last
+@@ -452,7 +481,6 @@ xchk_nlinks_collect_dir(
+       xchk_iscan_abort(&xnc->collect_iscan);
+ out_unlock:
+       xfs_iunlock(dp, lock_mode);
+-      xfs_iunlock(dp, XFS_IOLOCK_SHARED);
+       return error;
+ }
+-- 
+2.51.1
+
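Review bot: The new helper xchk_nlinks_ilock_dir() has no header comment, unlike the neighbouring functions, and its return value carries a contract the caller relies on. The returned mode now includes `XFS_IOLOCK_SHARED`, which is why the separate `xfs_iunlock(dp, XFS_IOLOCK_SHARED)` could be removed from the `out_unlock` path. I would add `/* Lock a directory for the nlinks scan; takes ILOCK_EXCL if either fork's mappings still need loading. Returns the full lock mode (IOLOCK included) to pass to xfs_iunlock(). */` above it. That keeps anyone from pairing the helper with `xfs_iunlock(dp, XFS_ILOCK_SHARED)` and leaving the IOLOCK held. xchk_nlinks_collect_dir() is only partly visible in these hunks.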