From 1a934c7412816f2f6ffe4667ae4a0bedbbc69e29 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 27 Oct 2025 12:45:11 +0100 Subject: [PATCH] 5.4-stable patches added patches: arm64-cputype-add-neoverse-v3ae-definitions.patch arm64-errata-apply-workarounds-for-neoverse-v3ae.patch drm-amdgpu-use-atomic-functions-with-memory-barriers-for-vm-fault-info.patch ext4-avoid-potential-buffer-over-read-in-parse_apply_sb_mount_options.patch ext4-detect-invalid-inline_data-extents-flag-combination.patch jbd2-ensure-that-all-ongoing-i-o-complete-before-freeing-blocks.patch keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch media-s5p-mfc-remove-an-unused-uninitialized-variable.patch memory-samsung-exynos-srom-correct-alignment.patch memory-samsung-exynos-srom-fix-of_iomap-leak-in-exynos_srom_probe.patch nfsd-define-a-proc_layoutcommit-for-the-flexfiles-layout-type.patch nfsd-fix-last-write-offset-handling-in-layoutcommit.patch nfsd-minor-cleanup-in-layoutcommit-processing.patch padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch spi-cadence-quadspi-flush-posted-register-writes-before-indac-access.patch vfs-don-t-leak-disconnected-dentries-on-umount.patch --- ...putype-add-neoverse-v3ae-definitions.patch | 49 +++++++ ...-apply-workarounds-for-neoverse-v3ae.patch | 63 ++++++++ ...th-memory-barriers-for-vm-fault-info.patch | 124 ++++++++++++++++ ...read-in-parse_apply_sb_mount_options.patch | 56 ++++++++ ...inline_data-extents-flag-combination.patch | 68 +++++++++ ...g-i-o-complete-before-freeing-blocks.patch | 90 ++++++++++++ ...compare-hmac-values-in-constant-time.patch | 68 +++++++++ ...ove-an-unused-uninitialized-variable.patch | 135 ++++++++++++++++++ ...amsung-exynos-srom-correct-alignment.patch | 94 ++++++++++++ ...x-of_iomap-leak-in-exynos_srom_probe.patch | 60 ++++++++ ...commit-for-the-flexfiles-layout-type.patch | 50 +++++++ ...rite-offset-handling-in-layoutcommit.patch | 114 +++++++++++++++ ...r-cleanup-in-layoutcommit-processing.patch | 
50 +++++++ ...u-when-reorder-sequence-wraps-around.patch | 44 ++++++ queue-5.4/series | 17 +++ ...ed-register-writes-before-dac-access.patch | 58 ++++++++ ...-register-writes-before-indac-access.patch | 57 ++++++++ ...leak-disconnected-dentries-on-umount.patch | 58 ++++++++ 18 files changed, 1255 insertions(+) create mode 100644 queue-5.4/arm64-cputype-add-neoverse-v3ae-definitions.patch create mode 100644 queue-5.4/arm64-errata-apply-workarounds-for-neoverse-v3ae.patch create mode 100644 queue-5.4/drm-amdgpu-use-atomic-functions-with-memory-barriers-for-vm-fault-info.patch create mode 100644 queue-5.4/ext4-avoid-potential-buffer-over-read-in-parse_apply_sb_mount_options.patch create mode 100644 queue-5.4/ext4-detect-invalid-inline_data-extents-flag-combination.patch create mode 100644 queue-5.4/jbd2-ensure-that-all-ongoing-i-o-complete-before-freeing-blocks.patch create mode 100644 queue-5.4/keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch create mode 100644 queue-5.4/media-s5p-mfc-remove-an-unused-uninitialized-variable.patch create mode 100644 queue-5.4/memory-samsung-exynos-srom-correct-alignment.patch create mode 100644 queue-5.4/memory-samsung-exynos-srom-fix-of_iomap-leak-in-exynos_srom_probe.patch create mode 100644 queue-5.4/nfsd-define-a-proc_layoutcommit-for-the-flexfiles-layout-type.patch create mode 100644 queue-5.4/nfsd-fix-last-write-offset-handling-in-layoutcommit.patch create mode 100644 queue-5.4/nfsd-minor-cleanup-in-layoutcommit-processing.patch create mode 100644 queue-5.4/padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch create mode 100644 queue-5.4/spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch create mode 100644 queue-5.4/spi-cadence-quadspi-flush-posted-register-writes-before-indac-access.patch create mode 100644 queue-5.4/vfs-don-t-leak-disconnected-dentries-on-umount.patch 
diff --git a/queue-5.4/arm64-cputype-add-neoverse-v3ae-definitions.patch b/queue-5.4/arm64-cputype-add-neoverse-v3ae-definitions.patch
new file mode 100644
index 0000000000..0121a9b99d
--- /dev/null
+++ b/queue-5.4/arm64-cputype-add-neoverse-v3ae-definitions.patch
@@ -0,0 +1,49 @@
+From 3bbf004c4808e2c3241e5c1ad6cc102f38a03c39 Mon Sep 17 00:00:00 2001
+From: Mark Rutland
+Date: Fri, 19 Sep 2025 15:58:28 +0100
+Subject: arm64: cputype: Add Neoverse-V3AE definitions
+
+From: Mark Rutland
+
+commit 3bbf004c4808e2c3241e5c1ad6cc102f38a03c39 upstream.
+
+Add cputype definitions for Neoverse-V3AE. These will be used for errata
+detection in subsequent patches.
+
+These values can be found in the Neoverse-V3AE TRM:
+
+ https://developer.arm.com/documentation/SDEN-2615521/9-0/
+
+... in section A.6.1 ("MIDR_EL1, Main ID Register").
+
+Signed-off-by: Mark Rutland
+Cc: James Morse
+Cc: Will Deacon
+Cc: Catalin Marinas
+Signed-off-by: Ryan Roberts
+Signed-off-by: Will Deacon
+[ Ryan: Trivial backport ]
+Signed-off-by: Ryan Roberts
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/include/asm/cputype.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/include/asm/cputype.h
++++ b/arch/arm64/include/asm/cputype.h
+@@ -87,6 +87,7 @@
+ #define ARM_CPU_PART_NEOVERSE_V2 0xD4F
+ #define ARM_CPU_PART_CORTEX_A720 0xD81
+ #define ARM_CPU_PART_CORTEX_X4 0xD82
++#define ARM_CPU_PART_NEOVERSE_V3AE 0xD83
+ #define ARM_CPU_PART_NEOVERSE_V3 0xD84
+ #define ARM_CPU_PART_CORTEX_X925 0xD85
+ #define ARM_CPU_PART_CORTEX_A725 0xD87
+@@ -139,6 +140,7 @@
+ #define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2)
+ #define MIDR_CORTEX_A720 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720)
+ #define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4)
++#define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE)
+ #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3)
+ #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925)
+ #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725)
diff --git a/queue-5.4/arm64-errata-apply-workarounds-for-neoverse-v3ae.patch b/queue-5.4/arm64-errata-apply-workarounds-for-neoverse-v3ae.patch
new file mode 100644
index 0000000000..d5ce79a997
--- /dev/null
+++ b/queue-5.4/arm64-errata-apply-workarounds-for-neoverse-v3ae.patch
@@ -0,0 +1,63 @@
+From 0c33aa1804d101c11ba1992504f17a42233f0e11 Mon Sep 17 00:00:00 2001
+From: Mark Rutland
+Date: Fri, 19 Sep 2025 15:58:29 +0100
+Subject: arm64: errata: Apply workarounds for Neoverse-V3AE
+
+From: Mark Rutland
+
+commit 0c33aa1804d101c11ba1992504f17a42233f0e11 upstream.
+
+Neoverse-V3AE is also affected by erratum #3312417, as described in its
+Software Developer Errata Notice (SDEN) document:
+
+ Neoverse V3AE (MP172) SDEN v9.0, erratum 3312417
+ https://developer.arm.com/documentation/SDEN-2615521/9-0/
+
+Enable the workaround for Neoverse-V3AE, and document this.
+
+Signed-off-by: Mark Rutland
+Cc: James Morse
+Cc: Will Deacon
+Cc: Catalin Marinas
+Signed-off-by: Ryan Roberts
+Signed-off-by: Will Deacon
+[ Ryan: Trivial backport ]
+Signed-off-by: Ryan Roberts
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/arm64/silicon-errata.rst | 2 ++
+ arch/arm64/Kconfig | 1 +
+ arch/arm64/kernel/cpu_errata.c | 1 +
+ 3 files changed, 4 insertions(+)
+
+--- a/Documentation/arm64/silicon-errata.rst
++++ b/Documentation/arm64/silicon-errata.rst
+@@ -134,6 +134,8 @@ stable kernels.
+ +----------------+-----------------+-----------------+-----------------------------+
+ | ARM | Neoverse-V3 | #3312417 | ARM64_ERRATUM_3194386 |
+ +----------------+-----------------+-----------------+-----------------------------+
++| ARM | Neoverse-V3AE | #3312417 | ARM64_ERRATUM_3194386 |
+++----------------+-----------------+-----------------+-----------------------------+
+ | ARM | MMU-500 | #841119,826419 | N/A |
+ +----------------+-----------------+-----------------+-----------------------------+
+ +----------------+-----------------+-----------------+-----------------------------+
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -617,6 +617,7 @@ config ARM64_ERRATUM_3194386
+ * ARM Neoverse-V1 erratum 3324341
+ * ARM Neoverse V2 erratum 3324336
+ * ARM Neoverse-V3 erratum 3312417
++ * ARM Neoverse-V3AE erratum 3312417
+
+ On affected cores "MSR SSBS, #0" instructions may not affect
+ subsequent speculative instructions, which may permit unexepected
+--- a/arch/arm64/kernel/cpu_errata.c
++++ b/arch/arm64/kernel/cpu_errata.c
+@@ -863,6 +863,7 @@ static const struct midr_range erratum_s
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
+ {}
+ };
+ #endif
diff --git a/queue-5.4/drm-amdgpu-use-atomic-functions-with-memory-barriers-for-vm-fault-info.patch b/queue-5.4/drm-amdgpu-use-atomic-functions-with-memory-barriers-for-vm-fault-info.patch
new file mode 100644
index 0000000000..ef8f3ba04b
--- /dev/null
+++ b/queue-5.4/drm-amdgpu-use-atomic-functions-with-memory-barriers-for-vm-fault-info.patch
@@ -0,0 +1,124 @@
+From stable+bounces-188349-greg=kroah.com@vger.kernel.org Tue Oct 21 15:55:31 2025
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 09:51:54 -0400
+Subject: drm/amdgpu: use atomic functions with memory barriers for vm fault info
+To: stable@vger.kernel.org
+Cc: Gui-Dong Han , Felix Kuehling , Alex Deucher , Sasha Levin
+Message-ID: <20251021135154.2145346-1-sashal@kernel.org>
+
+From: Gui-Dong Han
+
+[ Upstream commit 6df8e84aa6b5b1812cc2cacd6b3f5ccbb18cda2b ]
+
+The atomic variable vm_fault_info_updated is used to synchronize access to
+adev->gmc.vm_fault_info between the interrupt handler and
+get_vm_fault_info().
+
+The default atomic functions like atomic_set() and atomic_read() do not
+provide memory barriers. This allows for CPU instruction reordering,
+meaning the memory accesses to vm_fault_info and the vm_fault_info_updated
+flag are not guaranteed to occur in the intended order. This creates a
+race condition that can lead to inconsistent or stale data being used.
+
+The previous implementation, which used an explicit mb(), was incomplete
+and inefficient. It failed to account for all potential CPU reorderings,
+such as the access of vm_fault_info being reordered before the atomic_read
+of the flag. This approach is also more verbose and less performant than
+using the proper atomic functions with acquire/release semantics.
+
+Fix this by switching to atomic_set_release() and atomic_read_acquire().
+These functions provide the necessary acquire and release semantics,
+which act as memory barriers to ensure the correct order of operations.
+It is also more efficient and idiomatic than using explicit full memory
+barriers.
+
+Fixes: b97dfa27ef3a ("drm/amdgpu: save vm fault information for amdkfd")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gui-Dong Han
+Signed-off-by: Felix Kuehling
+Reviewed-by: Felix Kuehling
+Signed-off-by: Alex Deucher
+[ kept kgd_dev parameter and adev cast in amdgpu_amdkfd_gpuvm_get_vm_fault_info ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 5 ++---
+ drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c | 7 +++----
+ drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 7 +++----
+ 3 files changed, 8 insertions(+), 11 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+@@ -1572,10 +1572,9 @@ int amdgpu_amdkfd_gpuvm_get_vm_fault_inf
+ struct amdgpu_device *adev;
+
+ adev = (struct amdgpu_device *)kgd;
+- if (atomic_read(&adev->gmc.vm_fault_info_updated) == 1) {
++ if (atomic_read_acquire(&adev->gmc.vm_fault_info_updated) == 1) {
+ *mem = *adev->gmc.vm_fault_info;
+- mb();
+- atomic_set(&adev->gmc.vm_fault_info_updated, 0);
++ atomic_set_release(&adev->gmc.vm_fault_info_updated, 0);
+ }
+ return 0;
+ }
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c
+@@ -1042,7 +1042,7 @@ static int gmc_v7_0_sw_init(void *handle
+ GFP_KERNEL);
+ if (!adev->gmc.vm_fault_info)
+ return -ENOMEM;
+- atomic_set(&adev->gmc.vm_fault_info_updated, 0);
++ atomic_set_release(&adev->gmc.vm_fault_info_updated, 0);
+
+ return 0;
+ }
+@@ -1272,7 +1272,7 @@ static int gmc_v7_0_process_interrupt(st
+ vmid = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS,
+ VMID);
+ if (amdgpu_amdkfd_is_kfd_vmid(adev, vmid)
+- && !atomic_read(&adev->gmc.vm_fault_info_updated)) {
++ && !atomic_read_acquire(&adev->gmc.vm_fault_info_updated)) {
+ struct kfd_vm_fault_info *info = adev->gmc.vm_fault_info;
+ u32 protections = REG_GET_FIELD(status,
+ VM_CONTEXT1_PROTECTION_FAULT_STATUS,
+@@ -1288,8 +1288,7 @@ static int gmc_v7_0_process_interrupt(st
+ info->prot_read = protections & 0x8 ? true : false;
+ info->prot_write = protections & 0x10 ? true : false;
+ info->prot_exec = protections & 0x20 ? true : false;
+- mb();
+- atomic_set(&adev->gmc.vm_fault_info_updated, 1);
++ atomic_set_release(&adev->gmc.vm_fault_info_updated, 1);
+ }
+
+ return 0;
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
+@@ -1175,7 +1175,7 @@ static int gmc_v8_0_sw_init(void *handle
+ GFP_KERNEL);
+ if (!adev->gmc.vm_fault_info)
+ return -ENOMEM;
+- atomic_set(&adev->gmc.vm_fault_info_updated, 0);
++ atomic_set_release(&adev->gmc.vm_fault_info_updated, 0);
+
+ return 0;
+ }
+@@ -1464,7 +1464,7 @@ static int gmc_v8_0_process_interrupt(st
+ vmid = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS,
+ VMID);
+ if (amdgpu_amdkfd_is_kfd_vmid(adev, vmid)
+- && !atomic_read(&adev->gmc.vm_fault_info_updated)) {
++ && !atomic_read_acquire(&adev->gmc.vm_fault_info_updated)) {
+ struct kfd_vm_fault_info *info = adev->gmc.vm_fault_info;
+ u32 protections = REG_GET_FIELD(status,
+ VM_CONTEXT1_PROTECTION_FAULT_STATUS,
+@@ -1480,8 +1480,7 @@ static int gmc_v8_0_process_interrupt(st
+ info->prot_read = protections & 0x8 ? true : false;
+ info->prot_write = protections & 0x10 ? true : false;
+ info->prot_exec = protections & 0x20 ? true : false;
+- mb();
+- atomic_set(&adev->gmc.vm_fault_info_updated, 1);
++ atomic_set_release(&adev->gmc.vm_fault_info_updated, 1);
+ }
+
+ return 0;
diff --git a/queue-5.4/ext4-avoid-potential-buffer-over-read-in-parse_apply_sb_mount_options.patch b/queue-5.4/ext4-avoid-potential-buffer-over-read-in-parse_apply_sb_mount_options.patch
new file mode 100644
index 0000000000..13438e062c
--- /dev/null
+++ b/queue-5.4/ext4-avoid-potential-buffer-over-read-in-parse_apply_sb_mount_options.patch
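Review bot: The acquire/release accesses to `vm_fault_info_updated` carry no comment naming what each one pairs with, in `amdgpu_amdkfd_gpuvm_get_vm_fault_info()` and in both `gmc_v7_0_process_interrupt()` and `gmc_v8_0_process_interrupt()`. The ordering is the whole point of the change, so each site should state its partner, e.g. `/* pairs with atomic_set_release() in the gmc process_interrupt handlers: fault info is read only after the flag is seen set */` above the reader's `atomic_read_acquire()`. The `atomic_set_release(..., 0)` in `gmc_v7_0_sw_init()` and `gmc_v8_0_sw_init()` runs right after the allocation, presumably before any reader exists, so release ordering there looks unnecessary; a plain `atomic_set()` or a comment would avoid implying a pairing. All of these functions start and end outside the hunks.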
@@ -0,0 +1,56 @@
+From stable+bounces-188394-greg=kroah.com@vger.kernel.org Tue Oct 21 19:49:23 2025
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 13:49:05 -0400
+Subject: ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()
+To: stable@vger.kernel.org
+Cc: Theodore Ts'o , Jan Kara , "Darrick J. Wong" , Sasha Levin
+Message-ID: <20251021174905.2459401-1-sashal@kernel.org>
+
+From: Theodore Ts'o
+
+[ Upstream commit 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 ]
+
+Unlike other strings in the ext4 superblock, we rely on tune2fs to
+make sure s_mount_opts is NUL terminated. Harden
+parse_apply_sb_mount_options() by treating s_mount_opts as a potential
+__nonstring.
+
+Cc: stable@vger.kernel.org
+Fixes: 8b67f04ab9de ("ext4: Add mount options in superblock")
+Reviewed-by: Jan Kara
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Theodore Ts'o
+Message-ID: <20250916-tune2fs-v2-1-d594dc7486f0@mit.edu>
+Signed-off-by: Theodore Ts'o
+[ applied to ext4_fill_super() instead of parse_apply_sb_mount_options() ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/super.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3882,18 +3882,16 @@ static int ext4_fill_super(struct super_
+ }
+
+ if (sbi->s_es->s_mount_opts[0]) {
+- char *s_mount_opts = kstrndup(sbi->s_es->s_mount_opts,
+- sizeof(sbi->s_es->s_mount_opts),
+- GFP_KERNEL);
+- if (!s_mount_opts)
+- goto failed_mount;
++ char s_mount_opts[65];
++
++ strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts,
++ sizeof(s_mount_opts));
+ if (!parse_options(s_mount_opts, sb, &journal_devnum,
+ &journal_ioprio, 0)) {
+ ext4_msg(sb, KERN_WARNING,
+ "failed to parse options in superblock: %s",
+ s_mount_opts);
+ }
+- kfree(s_mount_opts);
+ }
+ sbi->s_def_mount_opt = sbi->s_mount_opt;
+ if (!parse_options((char *) data, sb, &journal_devnum,
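Review bot: The copy into `s_mount_opts[65]` is bounded by the destination size rather than by the on-disk field: `strscpy_pad(..., sizeof(s_mount_opts))` may examine up to 65 source bytes, so when `sbi->s_es->s_mount_opts` holds no NUL it reads one byte past that field (assuming the field is 64 bytes, as the 65-byte buffer suggests). That byte presumably still lies inside the superblock buffer, but this is exactly the unterminated case the hardening targets, and fortified string helpers, where present, would flag it. Bounding by the source is safer: declare `char s_mount_opts[sizeof(sbi->s_es->s_mount_opts) + 1];`, then `memcpy(s_mount_opts, sbi->s_es->s_mount_opts, sizeof(sbi->s_es->s_mount_opts));` and `s_mount_opts[sizeof(s_mount_opts) - 1] = '\0';`. `ext4_fill_super()` starts and ends outside the hunk.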
diff --git a/queue-5.4/ext4-detect-invalid-inline_data-extents-flag-combination.patch b/queue-5.4/ext4-detect-invalid-inline_data-extents-flag-combination.patch
new file mode 100644
index 0000000000..567ad0e061
--- /dev/null
+++ b/queue-5.4/ext4-detect-invalid-inline_data-extents-flag-combination.patch
@@ -0,0 +1,68 @@
+From stable+bounces-188335-greg=kroah.com@vger.kernel.org Tue Oct 21 15:12:34 2025
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 09:12:17 -0400
+Subject: ext4: detect invalid INLINE_DATA + EXTENTS flag combination
+To: stable@vger.kernel.org
+Cc: Deepanshu Kartikey , stable@kernel.org, syzbot+038b7bf43423e132b308@syzkaller.appspotmail.com, Zhang Yi , Theodore Ts'o , Sasha Levin
+Message-ID: <20251021131217.2071970-1-sashal@kernel.org>
+
+From: Deepanshu Kartikey
+
+[ Upstream commit 1d3ad183943b38eec2acf72a0ae98e635dc8456b ]
+
+syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity
+file on a corrupted ext4 filesystem mounted without a journal.
+
+The issue is that the filesystem has an inode with both the INLINE_DATA
+and EXTENTS flags set:
+
+ EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:
+ comm syz.0.17: corrupted extent tree: lblk 0 < prev 66
+
+Investigation revealed that the inode has both flags set:
+ DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1
+
+This is an invalid combination since an inode should have either:
+- INLINE_DATA: data stored directly in the inode
+- EXTENTS: data stored in extent-mapped blocks
+
+Having both flags causes ext4_has_inline_data() to return true, skipping
+extent tree validation in __ext4_iget(). The unvalidated out-of-order
+extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer
+underflow when calculating hole sizes.
+
+Fix this by detecting this invalid flag combination early in ext4_iget()
+and rejecting the corrupted inode.
+
+Cc: stable@kernel.org
+Reported-and-tested-by: syzbot+038b7bf43423e132b308@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=038b7bf43423e132b308
+Suggested-by: Zhang Yi
+Signed-off-by: Deepanshu Kartikey
+Reviewed-by: Zhang Yi
+Message-ID: <20250930112810.315095-1-kartikey406@gmail.com>
+Signed-off-by: Theodore Ts'o
+[ Adjust context ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/inode.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -5077,6 +5077,14 @@ struct inode *__ext4_iget(struct super_b
+ }
+ ei->i_flags = le32_to_cpu(raw_inode->i_flags);
+ ext4_set_inode_flags(inode);
++ /* Detect invalid flag combination - can't have both inline data and extents */
++ if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA) &&
++ ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)) {
++ ext4_error_inode(inode, function, line, 0,
++ "inode has both inline data and extents flags");
++ ret = -EFSCORRUPTED;
++ goto bad_inode;
++ }
+ inode->i_blocks = ext4_inode_blocks(raw_inode, ei);
+ ei->i_file_acl = le32_to_cpu(raw_inode->i_file_acl_lo);
+ if (ext4_has_feature_64bit(sb))
diff --git a/queue-5.4/jbd2-ensure-that-all-ongoing-i-o-complete-before-freeing-blocks.patch b/queue-5.4/jbd2-ensure-that-all-ongoing-i-o-complete-before-freeing-blocks.patch
new file mode 100644
index 0000000000..8755913458
--- /dev/null
+++ b/queue-5.4/jbd2-ensure-that-all-ongoing-i-o-complete-before-freeing-blocks.patch
@@ -0,0 +1,90 @@
+From stable+bounces-188281-greg=kroah.com@vger.kernel.org Tue Oct 21 03:42:30 2025
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 21:42:22 -0400
+Subject: jbd2: ensure that all ongoing I/O complete before freeing blocks
+To: stable@vger.kernel.org
+Cc: Zhang Yi , stable@kernel.org, Jan Kara , Theodore Ts'o , Sasha Levin
+Message-ID: <20251021014222.1974745-1-sashal@kernel.org>
+
+From: Zhang Yi
+
+[ Upstream commit 3c652c3a71de1d30d72dc82c3bead8deb48eb749 ]
+
+When releasing file system metadata blocks in jbd2_journal_forget(), if
+this buffer has not yet been checkpointed, it may have already been
+written back, currently be in the process of being written back, or has
+not yet written back. jbd2_journal_forget() calls
+jbd2_journal_try_remove_checkpoint() to check the buffer's status and
+add it to the current transaction if it has not been written back. This
+buffer can only be reallocated after the transaction is committed.
+
+jbd2_journal_try_remove_checkpoint() attempts to lock the buffer and
+check its dirty status while holding the buffer lock. If the buffer has
+already been written back, everything proceeds normally. However, there
+are two issues. First, the function returns immediately if the buffer is
+locked by the write-back process. It does not wait for the write-back to
+complete. Consequently, until the current transaction is committed and
+the block is reallocated, there is no guarantee that the I/O will
+complete. This means that ongoing I/O could write stale metadata to the
+newly allocated block, potentially corrupting data. Second, the function
+unlocks the buffer as soon as it detects that the buffer is still dirty.
+If a concurrent write-back occurs immediately after this unlocking and
+before clear_buffer_dirty() is called in jbd2_journal_forget(), data
+corruption can theoretically still occur.
+
+Although these two issues are unlikely to occur in practice since the
+undergoing metadata writeback I/O does not take this long to complete,
+it's better to explicitly ensure that all ongoing I/O operations are
+completed.
+
+Fixes: 597599268e3b ("jbd2: discard dirty data when forgetting an un-journalled buffer")
+Cc: stable@kernel.org
+Suggested-by: Jan Kara
+Signed-off-by: Zhang Yi
+Reviewed-by: Jan Kara
+Message-ID: <20250916093337.3161016-2-yi.zhang@huaweicloud.com>
+Signed-off-by: Theodore Ts'o
+[ Adjust context ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/jbd2/transaction.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -1550,6 +1550,7 @@ int jbd2_journal_forget (handle_t *handl
+ int drop_reserve = 0;
+ int err = 0;
+ int was_modified = 0;
++ int wait_for_writeback = 0;
+
+ if (is_handle_aborted(handle))
+ return -EROFS;
+@@ -1675,18 +1676,22 @@ int jbd2_journal_forget (handle_t *handl
+ }
+
+ /*
+- * The buffer is still not written to disk, we should
+- * attach this buffer to current transaction so that the
+- * buffer can be checkpointed only after the current
+- * transaction commits.
++ * The buffer has not yet been written to disk. We should
++ * either clear the buffer or ensure that the ongoing I/O
++ * is completed, and attach this buffer to current
++ * transaction so that the buffer can be checkpointed only
++ * after the current transaction commits.
+ */
+ clear_buffer_dirty(bh);
++ wait_for_writeback = 1;
+ __jbd2_journal_file_buffer(jh, transaction, BJ_Forget);
+ spin_unlock(&journal->j_list_lock);
+ }
+
+ jbd_unlock_bh_state(bh);
+ __brelse(bh);
++ if (wait_for_writeback)
++ wait_on_buffer(bh);
+ drop:
+ if (drop_reserve) {
+ /* no need to reserve log space for this block -bzzz */
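Review bot: `wait_on_buffer(bh)` runs after `__brelse(bh)` has already dropped this function's reference, at the tail of the second hunk. The buffer presumably stays pinned by the journal head that `__jbd2_journal_file_buffer()` has just filed on BJ_Forget, but nothing on these lines says so, and sleeping on a buffer after its put reads like a use-after-release to the next maintainer. Either wait before the put, with `if (wait_for_writeback) wait_on_buffer(bh);` placed between `jbd_unlock_bh_state(bh);` and `__brelse(bh);`, or keep the order and add a comment naming what keeps `bh` alive across the wait. `jbd2_journal_forget()` starts and ends outside the hunks.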
diff --git a/queue-5.4/keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch b/queue-5.4/keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch
new file mode 100644
index 0000000000..e3b137d6d7
--- /dev/null
+++ b/queue-5.4/keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch
@@ -0,0 +1,68 @@
+From stable+bounces-188198-greg=kroah.com@vger.kernel.org Mon Oct 20 18:28:07 2025
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 12:27:23 -0400
+Subject: KEYS: trusted_tpm1: Compare HMAC values in constant time
+To: stable@vger.kernel.org
+Cc: Eric Biggers , Jarkko Sakkinen , Sasha Levin
+Message-ID: <20251020162723.1838996-1-sashal@kernel.org>
+
+From: Eric Biggers
+
+[ Upstream commit eed0e3d305530066b4fc5370107cff8ef1a0d229 ]
+
+To prevent timing attacks, HMAC value comparison needs to be constant
+time. Replace the memcmp() with the correct function, crypto_memneq().
+
+[For the Fixes commit I used the commit that introduced the memcmp().
+It predates the introduction of crypto_memneq(), but it was still a bug
+at the time even though a helper function didn't exist yet.]
+
+Fixes: d00a1c72f7f4 ("keys: add new trusted key-type")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+[ changed include from crypto/utils.h to crypto/algapi.h ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/keys/trusted.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/security/keys/trusted.c
++++ b/security/keys/trusted.c
+@@ -9,6 +9,7 @@
+ */
+
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -248,7 +249,7 @@ int TSS_checkhmac1(unsigned char *buffer
+ if (ret < 0)
+ goto out;
+
+- if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
++ if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE))
+ ret = -EINVAL;
+ out:
+ kzfree(sdesc);
+@@ -341,7 +342,7 @@ static int TSS_checkhmac2(unsigned char
+ TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0);
+ if (ret < 0)
+ goto out;
+- if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
++ if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
+ ret = -EINVAL;
+ goto out;
+ }
+@@ -350,7 +351,7 @@ static int TSS_checkhmac2(unsigned char
+ TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0);
+ if (ret < 0)
+ goto out;
+- if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
++ if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE))
+ ret = -EINVAL;
+ out:
+ kzfree(sdesc);
diff --git a/queue-5.4/media-s5p-mfc-remove-an-unused-uninitialized-variable.patch b/queue-5.4/media-s5p-mfc-remove-an-unused-uninitialized-variable.patch
new file mode 100644
index 0000000000..70dfcdb713
--- /dev/null
+++ b/queue-5.4/media-s5p-mfc-remove-an-unused-uninitialized-variable.patch
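Review bot: Nothing at the three comparison sites records why `crypto_memneq()` is used, so a later cleanup could quietly turn it back into `memcmp()`; this applies to the check in `TSS_checkhmac1()` and to both checks in `TSS_checkhmac2()`. A one-line comment at each site, or once above the first with the others referring to it, would pin the intent, e.g. `/* constant-time compare: HMAC verification must not leak where the mismatch occurs */`. Both functions start and end outside the hunks.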
@@ -0,0 +1,135 @@
+From stable+bounces-187722-greg=kroah.com@vger.kernel.org Sat Oct 18 01:31:58 2025
+From: Sasha Levin
+Date: Fri, 17 Oct 2025 19:31:49 -0400
+Subject: media: s5p-mfc: remove an unused/uninitialized variable
+To: stable@vger.kernel.org
+Cc: Arnd Bergmann , Hans Verkuil , Sasha Levin
+Message-ID: <20251017233149.37893-1-sashal@kernel.org>
+
+From: Arnd Bergmann
+
+[ Upstream commit 7fa37ba25a1dfc084e24ea9acc14bf1fad8af14c ]
+
+The s5p_mfc_cmd_args structure in the v6 driver is never used, not
+initialized to anything other than zero, but as of clang-21 this
+causes a warning:
+
+drivers/media/platform/samsung/s5p-mfc/s5p_mfc_cmd_v6.c:45:7: error: variable 'h2r_args' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer]
+ 45 | &h2r_args);
+ | ^~~~~~~~
+
+Just remove this for simplicity. Since the function is also called
+through a callback, this does require adding a trivial wrapper with
+the correct prototype.
+
+Fixes: f96f3cfa0bb8 ("[media] s5p-mfc: Update MFC v4l2 driver to support MFC6.x")
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Hans Verkuil
+[ Adjust context ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc_cmd_v6.c | 35 ++++++++----------------
+ 1 file changed, 13 insertions(+), 22 deletions(-)
+
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc_cmd_v6.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_cmd_v6.c
+@@ -14,8 +14,7 @@
+ #include "s5p_mfc_opr.h"
+ #include "s5p_mfc_cmd_v6.h"
+
+-static int s5p_mfc_cmd_host2risc_v6(struct s5p_mfc_dev *dev, int cmd,
+- struct s5p_mfc_cmd_args *args)
++static int s5p_mfc_cmd_host2risc_v6(struct s5p_mfc_dev *dev, int cmd)
+ {
+ mfc_debug(2, "Issue the command: %d\n", cmd);
+
+@@ -31,7 +30,6 @@ static int s5p_mfc_cmd_host2risc_v6(stru
+
+ static int s5p_mfc_sys_init_cmd_v6(struct s5p_mfc_dev *dev)
+ {
+- struct s5p_mfc_cmd_args h2r_args;
+ struct s5p_mfc_buf_size_v6 *buf_size = dev->variant->buf_size->priv;
+ int ret;
+
+@@ -41,33 +39,23 @@ static int s5p_mfc_sys_init_cmd_v6(struc
+
+ mfc_write(dev, dev->ctx_buf.dma, S5P_FIMV_CONTEXT_MEM_ADDR_V6);
+ mfc_write(dev, buf_size->dev_ctx, S5P_FIMV_CONTEXT_MEM_SIZE_V6);
+- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SYS_INIT_V6,
+- &h2r_args);
++ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SYS_INIT_V6);
+ }
+
+ static int s5p_mfc_sleep_cmd_v6(struct s5p_mfc_dev *dev)
+ {
+- struct s5p_mfc_cmd_args h2r_args;
+-
+- memset(&h2r_args, 0, sizeof(struct s5p_mfc_cmd_args));
+- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SLEEP_V6,
+- &h2r_args);
++ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SLEEP_V6);
+ }
+
+ static int s5p_mfc_wakeup_cmd_v6(struct s5p_mfc_dev *dev)
+ {
+- struct s5p_mfc_cmd_args h2r_args;
+-
+- memset(&h2r_args, 0, sizeof(struct s5p_mfc_cmd_args));
+- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_WAKEUP_V6,
+- &h2r_args);
++ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_WAKEUP_V6);
+ }
+
+ /* Open a new instance and get its number */
+ static int s5p_mfc_open_inst_cmd_v6(struct s5p_mfc_ctx *ctx)
+ {
+ struct s5p_mfc_dev *dev = ctx->dev;
+- struct s5p_mfc_cmd_args h2r_args;
+ int codec_type;
+
+ mfc_debug(2, "Requested codec mode: %d\n", ctx->codec_mode);
+@@ -129,23 +117,20 @@ static int s5p_mfc_open_inst_cmd_v6(stru
+ mfc_write(dev, ctx->ctx.size, S5P_FIMV_CONTEXT_MEM_SIZE_V6);
+ mfc_write(dev, 0, S5P_FIMV_D_CRC_CTRL_V6); /* no crc */
+
+- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_OPEN_INSTANCE_V6,
+- &h2r_args);
++ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_OPEN_INSTANCE_V6);
+ }
+
+ /* Close instance */
+ static int s5p_mfc_close_inst_cmd_v6(struct s5p_mfc_ctx *ctx)
+ {
+ struct s5p_mfc_dev *dev = ctx->dev;
+- struct s5p_mfc_cmd_args h2r_args;
+ int ret = 0;
+
+ dev->curr_ctx = ctx->num;
+ if (ctx->state != MFCINST_FREE) {
+ mfc_write(dev, ctx->inst_no, S5P_FIMV_INSTANCE_ID_V6);
+ ret = s5p_mfc_cmd_host2risc_v6(dev,
+- S5P_FIMV_H2R_CMD_CLOSE_INSTANCE_V6,
+- &h2r_args);
++ S5P_FIMV_H2R_CMD_CLOSE_INSTANCE_V6);
+ } else {
+ ret = -EINVAL;
+ }
+@@ -153,9 +138,15 @@ static int s5p_mfc_close_inst_cmd_v6(str
+ return ret;
+ }
+
++static int s5p_mfc_cmd_host2risc_v6_args(struct s5p_mfc_dev *dev, int cmd,
++ struct s5p_mfc_cmd_args *ignored)
++{
++ return s5p_mfc_cmd_host2risc_v6(dev, cmd);
++}
++
+ /* Initialize cmd function pointers for MFC v6 */
+ static struct s5p_mfc_hw_cmds s5p_mfc_cmds_v6 = {
+- .cmd_host2risc = s5p_mfc_cmd_host2risc_v6,
++ .cmd_host2risc = s5p_mfc_cmd_host2risc_v6_args,
+ .sys_init_cmd = s5p_mfc_sys_init_cmd_v6,
+ .sleep_cmd = s5p_mfc_sleep_cmd_v6,
+ .wakeup_cmd = s5p_mfc_wakeup_cmd_v6,
diff --git a/queue-5.4/memory-samsung-exynos-srom-correct-alignment.patch b/queue-5.4/memory-samsung-exynos-srom-correct-alignment.patch
new file mode 100644
index 0000000000..d39c445fa0
--- /dev/null
+++ b/queue-5.4/memory-samsung-exynos-srom-correct-alignment.patch
@@ -0,0 +1,94 @@ +From stable+bounces-188412-greg=kroah.com@vger.kernel.org Tue Oct 21 20:56:06 2025 +From: Sasha Levin +Date: Tue, 21 Oct 2025 14:55:57 -0400 +Subject: memory: samsung: exynos-srom: Correct alignment +To: stable@vger.kernel.org +Cc: Krzysztof Kozlowski , Sasha Levin +Message-ID: <20251021185558.2643476-1-sashal@kernel.org> + +From: Krzysztof Kozlowski + +[ Upstream commit 90de1c75d8acd83e9a699b93153307a1e411ef3a ] + +Align indentation with open parenthesis (or fix existing alignment). + +Signed-off-by: Krzysztof Kozlowski +Stable-dep-of: 6744085079e7 ("memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/memory/samsung/exynos-srom.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/drivers/memory/samsung/exynos-srom.c ++++ b/drivers/memory/samsung/exynos-srom.c +@@ -47,9 +47,9 @@ struct exynos_srom { + struct exynos_srom_reg_dump *reg_offset; + }; + +-static struct exynos_srom_reg_dump *exynos_srom_alloc_reg_dump( +- const unsigned long *rdump, +- unsigned long nr_rdump) ++static struct exynos_srom_reg_dump * ++exynos_srom_alloc_reg_dump(const unsigned long *rdump, ++ unsigned long nr_rdump) + { + struct exynos_srom_reg_dump *rd; + unsigned int i; +@@ -116,7 +116,7 @@ static int exynos_srom_probe(struct plat + } + + srom = devm_kzalloc(&pdev->dev, +- sizeof(struct exynos_srom), GFP_KERNEL); ++ sizeof(struct exynos_srom), GFP_KERNEL); + if (!srom) + return -ENOMEM; + +@@ -130,7 +130,7 @@ static int exynos_srom_probe(struct plat + platform_set_drvdata(pdev, srom); + + srom->reg_offset = exynos_srom_alloc_reg_dump(exynos_srom_offsets, +- ARRAY_SIZE(exynos_srom_offsets)); ++ ARRAY_SIZE(exynos_srom_offsets)); + if (!srom->reg_offset) { + iounmap(srom->reg_base); + return -ENOMEM; +@@ -157,16 +157,16 @@ static int exynos_srom_probe(struct plat + + #ifdef CONFIG_PM_SLEEP + static void exynos_srom_save(void __iomem *base, 
+- struct exynos_srom_reg_dump *rd, +- unsigned int num_regs) ++ struct exynos_srom_reg_dump *rd, ++ unsigned int num_regs) + { + for (; num_regs > 0; --num_regs, ++rd) + rd->value = readl(base + rd->offset); + } + + static void exynos_srom_restore(void __iomem *base, +- const struct exynos_srom_reg_dump *rd, +- unsigned int num_regs) ++ const struct exynos_srom_reg_dump *rd, ++ unsigned int num_regs) + { + for (; num_regs > 0; --num_regs, ++rd) + writel(rd->value, base + rd->offset); +@@ -177,7 +177,7 @@ static int exynos_srom_suspend(struct de + struct exynos_srom *srom = dev_get_drvdata(dev); + + exynos_srom_save(srom->reg_base, srom->reg_offset, +- ARRAY_SIZE(exynos_srom_offsets)); ++ ARRAY_SIZE(exynos_srom_offsets)); + return 0; + } + +@@ -186,7 +186,7 @@ static int exynos_srom_resume(struct dev + struct exynos_srom *srom = dev_get_drvdata(dev); + + exynos_srom_restore(srom->reg_base, srom->reg_offset, +- ARRAY_SIZE(exynos_srom_offsets)); ++ ARRAY_SIZE(exynos_srom_offsets)); + return 0; + } + #endif diff --git a/queue-5.4/memory-samsung-exynos-srom-fix-of_iomap-leak-in-exynos_srom_probe.patch b/queue-5.4/memory-samsung-exynos-srom-fix-of_iomap-leak-in-exynos_srom_probe.patch new file mode 100644 index 0000000000..e0634b09ba --- /dev/null +++ b/queue-5.4/memory-samsung-exynos-srom-fix-of_iomap-leak-in-exynos_srom_probe.patch 
@@ -0,0 +1,60 @@ +From stable+bounces-188413-greg=kroah.com@vger.kernel.org Tue Oct 21 20:56:10 2025 +From: Sasha Levin +Date: Tue, 21 Oct 2025 14:55:58 -0400 +Subject: memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe +To: stable@vger.kernel.org +Cc: Zhen Ni , Krzysztof Kozlowski , Sasha Levin +Message-ID: <20251021185558.2643476-2-sashal@kernel.org> + +From: Zhen Ni + +[ Upstream commit 6744085079e785dae5f7a2239456135407c58b25 ] + +The of_platform_populate() call at the end of the function has a +possible failure path, causing a resource leak. + +Replace of_iomap() with devm_platform_ioremap_resource() to ensure +automatic cleanup of srom->reg_base. + +This issue was detected by smatch static analysis: +drivers/memory/samsung/exynos-srom.c:155 exynos_srom_probe()warn: +'srom->reg_base' from of_iomap() not released on lines: 155. + +Fixes: 8ac2266d8831 ("memory: samsung: exynos-srom: Add support for bank configuration") +Cc: stable@vger.kernel.org +Signed-off-by: Zhen Ni +Link: https://lore.kernel.org/r/20250806025538.306593-1-zhen.ni@easystack.cn +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/memory/samsung/exynos-srom.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/memory/samsung/exynos-srom.c ++++ b/drivers/memory/samsung/exynos-srom.c +@@ -121,20 +121,18 @@ static int exynos_srom_probe(struct plat + return -ENOMEM; + + srom->dev = dev; +- srom->reg_base = of_iomap(np, 0); +- if (!srom->reg_base) { ++ srom->reg_base = devm_platform_ioremap_resource(pdev, 0); ++ if (IS_ERR(srom->reg_base)) { + dev_err(&pdev->dev, "iomap of exynos srom controller failed\n"); +- return -ENOMEM; ++ return PTR_ERR(srom->reg_base); + } + + platform_set_drvdata(pdev, srom); + + srom->reg_offset = exynos_srom_alloc_reg_dump(exynos_srom_offsets, + ARRAY_SIZE(exynos_srom_offsets)); +- if (!srom->reg_offset) { +- iounmap(srom->reg_base); ++ if (!srom->reg_offset) + 
return -ENOMEM; +- } + + for_each_child_of_node(np, child) { + if (exynos_srom_configure_bank(srom, child)) { diff --git a/queue-5.4/nfsd-define-a-proc_layoutcommit-for-the-flexfiles-layout-type.patch b/queue-5.4/nfsd-define-a-proc_layoutcommit-for-the-flexfiles-layout-type.patch new file mode 100644 index 0000000000..17b259a540 --- /dev/null +++ b/queue-5.4/nfsd-define-a-proc_layoutcommit-for-the-flexfiles-layout-type.patch 
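Review bot: Replacing `of_iomap(np, 0)` with `devm_platform_ioremap_resource(pdev, 0)` in exynos_srom_probe() changes more than the mapping's lifetime. As far as I know the devm helper also requests the memory region, so probe can now fail with -EBUSY on a board where another driver already claims part of that range; that is worth checking against the 5.4 device trees before this goes to stable. The rest of probe and any remove path are outside this hunk, so confirm that no `iounmap(srom->reg_base)` remains there, because it would unmap a devm-managed mapping a second time on detach. The retained `dev_err(... "iomap of exynos srom controller failed\n")` is probably redundant now, since the helper is expected to log its own failure.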
@@ -0,0 +1,50 @@
+From stable+bounces-188278-greg=kroah.com@vger.kernel.org Tue Oct 21 03:11:04 2025
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 21:10:56 -0400
+Subject: NFSD: Define a proc_layoutcommit for the FlexFiles layout type
+To: stable@vger.kernel.org
+Cc: Chuck Lever , Robert Morris , Thomas Haynes , Sasha Levin
+Message-ID: <20251021011056.1964892-1-sashal@kernel.org>
+
+From: Chuck Lever
+
+[ Upstream commit 4b47a8601b71ad98833b447d465592d847b4dc77 ]
+
+Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT
+operation on a FlexFiles layout.
+
+Reported-by: Robert Morris
+Closes: https://lore.kernel.org/linux-nfs/152f99b2-ba35-4dec-93a9-4690e625dccd@oracle.com/T/#t
+Cc: Thomas Haynes
+Cc: stable@vger.kernel.org
+Fixes: 9b9960a0ca47 ("nfsd: Add a super simple flex file server")
+Signed-off-by: Chuck Lever
+[ removed struct svc_rqst parameter from nfsd4_ff_proc_layoutcommit ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/flexfilelayout.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/nfsd/flexfilelayout.c
++++ b/fs/nfsd/flexfilelayout.c
+@@ -124,6 +124,13 @@ nfsd4_ff_proc_getdeviceinfo(struct super
+ return 0;
+ }
+
++static __be32
++nfsd4_ff_proc_layoutcommit(struct inode *inode,
++ struct nfsd4_layoutcommit *lcp)
++{
++ return nfs_ok;
++}
++
+ const struct nfsd4_layout_ops ff_layout_ops = {
+ .notify_types =
+ NOTIFY_DEVICEID4_DELETE | NOTIFY_DEVICEID4_CHANGE,
+@@ -132,4 +139,5 @@ const struct nfsd4_layout_ops ff_layout_
+ .encode_getdeviceinfo = nfsd4_ff_encode_getdeviceinfo,
+ .proc_layoutget = nfsd4_ff_proc_layoutget,
+ .encode_layoutget = nfsd4_ff_encode_layoutget,
++ .proc_layoutcommit = nfsd4_ff_proc_layoutcommit,
+ };
diff --git a/queue-5.4/nfsd-fix-last-write-offset-handling-in-layoutcommit.patch b/queue-5.4/nfsd-fix-last-write-offset-handling-in-layoutcommit.patch
new file mode 100644
index 0000000000..a6e0a10c19
--- /dev/null
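Review bot: Adding `nfsd4_ff_proc_layoutcommit()` repairs the FlexFiles ops table only. The caller shown in the nfs4proc.c patch of this same queue still runs `nfserr = ops->proc_layoutcommit(inode, lcp);` unconditionally. If the crash in the commit message was a call through an unset hook, as it appears to be, any future layout type that omits the hook exposes the same client-triggered crash. A check for a missing `ops->proc_layoutcommit` at that call site, returning an NFS error instead of calling, would close the whole class. The stub also ignores `lcp` entirely, so a short comment such as `/* no server-side state to commit for FlexFiles; hook must exist so the caller never sees NULL */` would record that this is deliberate (wording to be confirmed by someone who knows the layout type).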
+++ b/queue-5.4/nfsd-fix-last-write-offset-handling-in-layoutcommit.patch 
@@ -0,0 +1,114 @@ +From stable+bounces-188085-greg=kroah.com@vger.kernel.org Mon Oct 20 14:58:05 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 08:57:40 -0400 +Subject: NFSD: Fix last write offset handling in layoutcommit +To: stable@vger.kernel.org +Cc: Sergey Bashirov , Konstantin Evtushenko , Christoph Hellwig , Jeff Layton , Chuck Lever , Sasha Levin +Message-ID: <20251020125740.1762043-2-sashal@kernel.org> + +From: Sergey Bashirov + +[ Upstream commit d68886bae76a4b9b3484d23e5b7df086f940fa38 ] + +The data type of loca_last_write_offset is newoffset4 and is switched +on a boolean value, no_newoffset, that indicates if a previous write +occurred or not. If no_newoffset is FALSE, an offset is not given. +This means that client does not try to update the file size. Thus, +server should not try to calculate new file size and check if it fits +into the segment range. See RFC 8881, section 12.5.4.2. + +Sometimes the current incorrect logic may cause clients to hang when +trying to sync an inode. If layoutcommit fails, the client marks the +inode as dirty again. 
+ +Fixes: 9cf514ccfacb ("nfsd: implement pNFS operations") +Cc: stable@vger.kernel.org +Co-developed-by: Konstantin Evtushenko +Signed-off-by: Konstantin Evtushenko +Signed-off-by: Sergey Bashirov +Reviewed-by: Christoph Hellwig +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +[ replaced inode_get_mtime() with inode->i_mtime and removed rqstp parameter from proc_layoutcommit() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/blocklayout.c | 5 ++--- + fs/nfsd/nfs4proc.c | 30 +++++++++++++++--------------- + 2 files changed, 17 insertions(+), 18 deletions(-) + +--- a/fs/nfsd/blocklayout.c ++++ b/fs/nfsd/blocklayout.c +@@ -120,7 +120,6 @@ static __be32 + nfsd4_block_commit_blocks(struct inode *inode, struct nfsd4_layoutcommit *lcp, + struct iomap *iomaps, int nr_iomaps) + { +- loff_t new_size = lcp->lc_last_wr + 1; + struct iattr iattr = { .ia_valid = 0 }; + int error; + +@@ -130,9 +129,9 @@ nfsd4_block_commit_blocks(struct inode * + iattr.ia_valid |= ATTR_ATIME | ATTR_CTIME | ATTR_MTIME; + iattr.ia_atime = iattr.ia_ctime = iattr.ia_mtime = lcp->lc_mtime; + +- if (new_size > i_size_read(inode)) { ++ if (lcp->lc_size_chg) { + iattr.ia_valid |= ATTR_SIZE; +- iattr.ia_size = new_size; ++ iattr.ia_size = lcp->lc_newsize; + } + + error = inode->i_sb->s_export_op->commit_blocks(inode, iomaps, +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1701,7 +1701,6 @@ nfsd4_layoutcommit(struct svc_rqst *rqst + const struct nfsd4_layout_seg *seg = &lcp->lc_seg; + struct svc_fh *current_fh = &cstate->current_fh; + const struct nfsd4_layout_ops *ops; +- loff_t new_size = lcp->lc_last_wr + 1; + struct inode *inode; + struct nfs4_layout_stateid *ls; + __be32 nfserr; +@@ -1716,13 +1715,21 @@ nfsd4_layoutcommit(struct svc_rqst *rqst + goto out; + inode = d_inode(current_fh->fh_dentry); + +- nfserr = nfserr_inval; +- if (new_size <= seg->offset) +- goto out; +- if (new_size > seg->offset + seg->length) +- goto out; +- if (!lcp->lc_newoffset && 
new_size > i_size_read(inode)) +- goto out; ++ lcp->lc_size_chg = false; ++ if (lcp->lc_newoffset) { ++ loff_t new_size = lcp->lc_last_wr + 1; ++ ++ nfserr = nfserr_inval; ++ if (new_size <= seg->offset) ++ goto out; ++ if (new_size > seg->offset + seg->length) ++ goto out; ++ ++ if (new_size > i_size_read(inode)) { ++ lcp->lc_size_chg = true; ++ lcp->lc_newsize = new_size; ++ } ++ } + + nfserr = nfsd4_preprocess_layout_stateid(rqstp, cstate, &lcp->lc_sid, + false, lcp->lc_layout_type, +@@ -1738,13 +1745,6 @@ nfsd4_layoutcommit(struct svc_rqst *rqst + /* LAYOUTCOMMIT does not require any serialization */ + mutex_unlock(&ls->ls_mutex); + +- if (new_size > i_size_read(inode)) { +- lcp->lc_size_chg = 1; +- lcp->lc_newsize = new_size; +- } else { +- lcp->lc_size_chg = 0; +- } +- + nfserr = ops->proc_layoutcommit(inode, lcp); + nfs4_put_stid(&ls->ls_stid); + out: diff --git a/queue-5.4/nfsd-minor-cleanup-in-layoutcommit-processing.patch b/queue-5.4/nfsd-minor-cleanup-in-layoutcommit-processing.patch new file mode 100644 index 0000000000..77a2de390d --- /dev/null +++ b/queue-5.4/nfsd-minor-cleanup-in-layoutcommit-processing.patch 
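Review bot: The range check now guarded by `if (lcp->lc_newoffset)` still evaluates `new_size > seg->offset + seg->length` on values supplied by the client, with no guard against the sum wrapping. The field types are declared outside this hunk, but if offset and length are unsigned 64-bit, a segment with a non-zero offset and a length near the maximum wraps to a small value and a legitimate commit is rejected with nfserr_inval. Since the preceding test already establishes that `new_size` is above `seg->offset`, comparing by subtraction avoids the wrap: `if (new_size - seg->offset > seg->length) goto out;`. nfsd4_layoutcommit() begins and ends outside the hunk, so the declarations should be checked there.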
@@ -0,0 +1,50 @@
+From stable+bounces-188084-greg=kroah.com@vger.kernel.org Mon Oct 20 14:58:05 2025
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 08:57:39 -0400
+Subject: NFSD: Minor cleanup in layoutcommit processing
+To: stable@vger.kernel.org
+Cc: Sergey Bashirov , Christoph Hellwig , Chuck Lever , Sasha Levin
+Message-ID: <20251020125740.1762043-1-sashal@kernel.org>
+
+From: Sergey Bashirov
+
+[ Upstream commit 274365a51d88658fb51cca637ba579034e90a799 ]
+
+Remove dprintk in nfsd4_layoutcommit. These are not needed
+in day to day usage, and the information is also available
+in Wireshark when capturing NFS traffic.
+
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Sergey Bashirov
+Signed-off-by: Chuck Lever
+Stable-dep-of: d68886bae76a ("NFSD: Fix last write offset handling in layoutcommit")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4proc.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1717,18 +1717,12 @@ nfsd4_layoutcommit(struct svc_rqst *rqst
+ inode = d_inode(current_fh->fh_dentry);
+
+ nfserr = nfserr_inval;
+- if (new_size <= seg->offset) {
+- dprintk("pnfsd: last write before layout segment\n");
++ if (new_size <= seg->offset)
+ goto out;
+- }
+- if (new_size > seg->offset + seg->length) {
+- dprintk("pnfsd: last write beyond layout segment\n");
++ if (new_size > seg->offset + seg->length)
+ goto out;
+- }
+- if (!lcp->lc_newoffset && new_size > i_size_read(inode)) {
+- dprintk("pnfsd: layoutcommit beyond EOF\n");
++ if (!lcp->lc_newoffset && new_size > i_size_read(inode))
+ goto out;
+- }
+
+ nfserr = nfsd4_preprocess_layout_stateid(rqstp, cstate, &lcp->lc_sid,
+ false, lcp->lc_layout_type,
diff --git a/queue-5.4/padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch b/queue-5.4/padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch
new file mode 100644
index 0000000000..3b2060eaa2
--- /dev/null
+++ b/queue-5.4/padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch
@@ -0,0 +1,44 @@
+From stable+bounces-188145-greg=kroah.com@vger.kernel.org Mon Oct 20 17:44:23 2025
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 11:41:31 -0400
+Subject: padata: Reset next CPU when reorder sequence wraps around
+To: stable@vger.kernel.org
+Cc: Xiao Liang , Herbert Xu , Sasha Levin
+Message-ID: <20251020154131.1822336-1-sashal@kernel.org>
+
+From: Xiao Liang
+
+[ Upstream commit 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b ]
+
+When seq_nr wraps around, the next reorder job with seq 0 is hashed to
+the first CPU in padata_do_serial(). Correspondingly, need reset pd->cpu
+to the first one when pd->processed wraps around. Otherwise, if the
+number of used CPUs is not a power of 2, padata_find_next() will be
+checking a wrong list, hence deadlock.
+
+Fixes: 6fc4dbcf0276 ("padata: Replace delayed timer with immediate workqueue in padata_reorder")
+Cc:
+Signed-off-by: Xiao Liang
+Signed-off-by: Herbert Xu
+[ moved from padata_reorder() to padata_find_next() function ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/padata.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -204,7 +204,11 @@ static struct padata_priv *padata_find_n
+ list_del_init(&padata->list);
+ atomic_dec(&pd->reorder_objects);
+ ++pd->processed;
+- pd->cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false);
++ /* When sequence wraps around, reset to the first CPU. */
++ if (unlikely(pd->processed == 0))
++ pd->cpu = cpumask_first(pd->cpumask.pcpu);
++ else
++ pd->cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false);
+ }
+
+ spin_unlock(&reorder->lock);
diff --git a/queue-5.4/series b/queue-5.4/series
index 1c84847b40..0c291c51ee 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
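Review bot: The added test `if (unlikely(pd->processed == 0))` in padata_find_next() is only correct if `pd->processed` wraps at the same width, and from the same starting value, as the sequence number that gets hashed to a CPU. Neither declaration is visible in this hunk, and the backport note says the check was moved to a different function than upstream, so that pairing should be confirmed against the 5.4 tree. The comment would help more if it stated the invariant, for example `/* seq 0 is hashed to the first CPU, so restart there when pd->processed wraps to 0 */`. padata_find_next() begins and ends outside the hunk.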
@@ -204,3 +204,20 @@ usb-core-quirks-add-huawei-me906s-to-wakeup-quirk.patch
 xhci-dbc-enable-back-dbc-in-resume-if-it-was-enabled-before-suspend.patch
 binder-remove-invalid-inc-weak-check.patch
 comedi-fix-divide-by-zero-in-comedi_buf_munge.patch
+arm64-cputype-add-neoverse-v3ae-definitions.patch
+arm64-errata-apply-workarounds-for-neoverse-v3ae.patch
+memory-samsung-exynos-srom-correct-alignment.patch
+memory-samsung-exynos-srom-fix-of_iomap-leak-in-exynos_srom_probe.patch
+spi-cadence-quadspi-flush-posted-register-writes-before-indac-access.patch
+spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch
+ext4-avoid-potential-buffer-over-read-in-parse_apply_sb_mount_options.patch
+drm-amdgpu-use-atomic-functions-with-memory-barriers-for-vm-fault-info.patch
+ext4-detect-invalid-inline_data-extents-flag-combination.patch
+jbd2-ensure-that-all-ongoing-i-o-complete-before-freeing-blocks.patch
+vfs-don-t-leak-disconnected-dentries-on-umount.patch
+nfsd-define-a-proc_layoutcommit-for-the-flexfiles-layout-type.patch
+keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch
+padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch
+nfsd-minor-cleanup-in-layoutcommit-processing.patch
+nfsd-fix-last-write-offset-handling-in-layoutcommit.patch
+media-s5p-mfc-remove-an-unused-uninitialized-variable.patch
diff --git a/queue-5.4/spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch b/queue-5.4/spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch
new file mode 100644
index 0000000000..e7e3ca531d
--- /dev/null
+++ b/queue-5.4/spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch
@@ -0,0 +1,58 @@
+From stable+bounces-188397-greg=kroah.com@vger.kernel.org Tue Oct 21 20:14:18 2025
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 14:14:06 -0400
+Subject: spi: cadence-quadspi: Flush posted register writes before DAC access
+To: stable@vger.kernel.org
+Cc: Pratyush Yadav , Santhosh Kumar K , Mark Brown , Sasha Levin
+Message-ID: <20251021181406.2495307-1-sashal@kernel.org>
+
+From: Pratyush Yadav
+
+[ Upstream commit 1ad55767e77a853c98752ed1e33b68049a243bd7 ]
+
+cqspi_read_setup() and cqspi_write_setup() program the address width as
+the last step in the setup. This is likely to be immediately followed by
+a DAC region read/write. On TI K3 SoCs the DAC region is on a different
+endpoint from the register region. This means that the order of the two
+operations is not guaranteed, and they might be reordered at the
+interconnect level. It is possible that the DAC read/write goes through
+before the address width update goes through. In this situation if the
+previous command used a different address width the OSPI command is sent
+with the wrong number of address bytes, resulting in an invalid command
+and undefined behavior.
+
+Read back the size register to make sure the write gets flushed before
+accessing the DAC region.
+
+Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller")
+CC: stable@vger.kernel.org
+Reviewed-by: Pratyush Yadav
+Signed-off-by: Pratyush Yadav
+Signed-off-by: Santhosh Kumar K
+Message-ID: <20250905185958.3575037-3-s-k6@ti.com>
+Signed-off-by: Mark Brown
+[ backported to drivers/mtd/spi-nor ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/spi-nor/cadence-quadspi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/spi-nor/cadence-quadspi.c
++++ b/drivers/mtd/spi-nor/cadence-quadspi.c
+@@ -496,6 +496,7 @@ static int cqspi_read_setup(struct spi_n
+ reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK;
+ reg |= (nor->addr_width - 1);
+ writel(reg, reg_base + CQSPI_REG_SIZE);
++ readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */
+ return 0;
+ }
+
+@@ -609,6 +610,7 @@ static int cqspi_write_setup(struct spi_
+ reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK;
+ reg |= (nor->addr_width - 1);
+ writel(reg, reg_base + CQSPI_REG_SIZE);
++ readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */
+ return 0;
+ }
+
diff --git a/queue-5.4/spi-cadence-quadspi-flush-posted-register-writes-before-indac-access.patch b/queue-5.4/spi-cadence-quadspi-flush-posted-register-writes-before-indac-access.patch
new file mode 100644
index 0000000000..d37dafb55e
--- /dev/null
+++ b/queue-5.4/spi-cadence-quadspi-flush-posted-register-writes-before-indac-access.patch
@@ -0,0 +1,57 @@
+From stable+bounces-188398-greg=kroah.com@vger.kernel.org Tue Oct 21 20:23:33 2025
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 14:23:26 -0400
+Subject: spi: cadence-quadspi: Flush posted register writes before INDAC access
+To: stable@vger.kernel.org
+Cc: Pratyush Yadav , Santhosh Kumar K , Mark Brown , Sasha Levin
+Message-ID: <20251021182326.2505523-1-sashal@kernel.org>
+
+From: Pratyush Yadav
+
+[ Upstream commit 29e0b471ccbd674d20d4bbddea1a51e7105212c5 ]
+
+cqspi_indirect_read_execute() and cqspi_indirect_write_execute() first
+set the enable bit on APB region and then start reading/writing to the
+AHB region. On TI K3 SoCs these regions lie on different endpoints. This
+means that the order of the two operations is not guaranteed, and they
+might be reordered at the interconnect level.
+
+It is possible for the AHB write to be executed before the APB write to
+enable the indirect controller, causing the transaction to be invalid
+and the write erroring out. Read back the APB region write before
+accessing the AHB region to make sure the write got flushed and the race
+condition is eliminated.
+
+Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller")
+CC: stable@vger.kernel.org
+Reviewed-by: Pratyush Yadav
+Signed-off-by: Pratyush Yadav
+Signed-off-by: Santhosh Kumar K
+Message-ID: <20250905185958.3575037-2-s-k6@ti.com>
+Signed-off-by: Mark Brown
+[ applied changes to drivers/mtd/spi-nor/cadence-quadspi.c instead of drivers/spi/spi-cadence-quadspi.c ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/spi-nor/cadence-quadspi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mtd/spi-nor/cadence-quadspi.c
++++ b/drivers/mtd/spi-nor/cadence-quadspi.c
+@@ -523,6 +523,7 @@ static int cqspi_indirect_read_execute(s
+ reinit_completion(&cqspi->transfer_complete);
+ writel(CQSPI_REG_INDIRECTRD_START_MASK,
+ reg_base + CQSPI_REG_INDIRECTRD);
++ readl(reg_base + CQSPI_REG_INDIRECTRD); /* Flush posted write. */
+
+ while (remaining > 0) {
+ if (!wait_for_completion_timeout(&cqspi->transfer_complete,
+@@ -633,6 +634,8 @@ static int cqspi_indirect_write_execute(
+ reinit_completion(&cqspi->transfer_complete);
+ writel(CQSPI_REG_INDIRECTWR_START_MASK,
+ reg_base + CQSPI_REG_INDIRECTWR);
++ readl(reg_base + CQSPI_REG_INDIRECTWR); /* Flush posted write. */
++
+ /*
+ * As per 66AK2G02 TRM SPRUHY8F section 11.15.5.3 Indirect Access
+ * Controller programming sequence, couple of cycles of
diff --git a/queue-5.4/vfs-don-t-leak-disconnected-dentries-on-umount.patch b/queue-5.4/vfs-don-t-leak-disconnected-dentries-on-umount.patch
new file mode 100644
index 0000000000..fa7710d262
--- /dev/null
+++ b/queue-5.4/vfs-don-t-leak-disconnected-dentries-on-umount.patch
@@ -0,0 +1,58 @@ +From stable+bounces-188280-greg=kroah.com@vger.kernel.org Tue Oct 21 03:19:24 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 21:19:11 -0400 +Subject: vfs: Don't leak disconnected dentries on umount +To: stable@vger.kernel.org +Cc: Jan Kara , syzbot+1d79ebe5383fc016cf07@syzkaller.appspotmail.com, Christian Brauner , Sasha Levin +Message-ID: <20251021011911.1967865-1-sashal@kernel.org> + +From: Jan Kara + +[ Upstream commit 56094ad3eaa21e6621396cc33811d8f72847a834 ] + +When user calls open_by_handle_at() on some inode that is not cached, we +will create disconnected dentry for it. If such dentry is a directory, +exportfs_decode_fh_raw() will then try to connect this dentry to the +dentry tree through reconnect_path(). It may happen for various reasons +(such as corrupted fs or race with rename) that the call to +lookup_one_unlocked() in reconnect_one() will fail to find the dentry we +are trying to reconnect and instead create a new dentry under the +parent. Now this dentry will not be marked as disconnected although the +parent still may well be disconnected (at least in case this +inconsistency happened because the fs is corrupted and .. doesn't point +to the real parent directory). This creates inconsistency in +disconnected flags but AFAICS it was mostly harmless. At least until +commit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") +which removed adding of most disconnected dentries to sb->s_anon list. +Thus after this commit cleanup of disconnected dentries implicitely +relies on the fact that dput() will immediately reclaim such dentries. +However when some leaf dentry isn't marked as disconnected, as in the +scenario described above, the reclaim doesn't happen and the dentries +are "leaked". Memory reclaim can eventually reclaim them but otherwise +they stay in memory and if umount comes first, we hit infamous "Busy +inodes after unmount" bug. 
Make sure all dentries created under a +disconnected parent are marked as disconnected as well. + +Reported-by: syzbot+1d79ebe5383fc016cf07@syzkaller.appspotmail.com +Fixes: f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Signed-off-by: Christian Brauner +[ relocated DCACHE_DISCONNECTED propagation from d_alloc_parallel() to d_alloc() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/dcache.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -1782,6 +1782,8 @@ struct dentry *d_alloc(struct dentry * p + __dget_dlock(parent); + dentry->d_parent = parent; + list_add(&dentry->d_child, &parent->d_subdirs); ++ if (parent->d_flags & DCACHE_DISCONNECTED) ++ dentry->d_flags |= DCACHE_DISCONNECTED; + spin_unlock(&parent->d_lock); + + return dentry; -- 2.47.3
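Review bot: The two lines added to d_alloc() have no comment, and the reason for copying `DCACHE_DISCONNECTED` from the parent is not evident at that spot. Something like `/* a child of a disconnected parent must be reclaimed by dput() as well, or it is leaked at umount */` would stop a later cleanup from removing it. The backport note says the propagation was moved from d_alloc_parallel() to d_alloc(), which presumably extends it to every d_alloc() caller on 5.4 rather than only the lookup path. It is worth confirming that each of those callers tolerates a child being created with the flag already set. d_alloc() begins outside the hunk.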