--- /dev/null
+From b2e538a9827dd04ab5273bf4be8eb2edb84357b0 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 9 Dec 2024 10:56:12 +0100
+Subject: ALSA: control: Avoid WARN() for symlink errors
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit b2e538a9827dd04ab5273bf4be8eb2edb84357b0 upstream.
+
+Using WARN() for showing the error of symlink creations don't give
+more information than telling that something goes wrong, since the
+usual code path is a lregister callback from each control element
+creation. More badly, the use of WARN() rather confuses fuzzer as if
+it were serious issues.
+
+This patch downgrades the warning messages to use the normal dev_err()
+instead of WARN(). For making it clearer, add the function name to
+the prefix, too.
+
+Fixes: a135dfb5de15 ("ALSA: led control - add sysfs kcontrol LED marking layer")
+Reported-by: syzbot+4e7919b09c67ffd198ae@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/675664c7.050a0220.a30f1.018c.GAE@google.com
+Link: https://patch.msgid.link/20241209095614.4273-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[ Use card->ctl_dev.kobj to keep struct consistent. ]
+Signed-off-by: Robert Garcia <rob_garcia@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/control_led.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/sound/core/control_led.c
++++ b/sound/core/control_led.c
+@@ -693,10 +693,16 @@ static void snd_ctl_led_sysfs_add(struct
+ goto cerr;
+ led->cards[card->number] = led_card;
+ snprintf(link_name, sizeof(link_name), "led-%s", led->name);
+- WARN(sysfs_create_link(&card->ctl_dev.kobj, &led_card->dev.kobj, link_name),
+- "can't create symlink to controlC%i device\n", card->number);
+- WARN(sysfs_create_link(&led_card->dev.kobj, &card->card_dev.kobj, "card"),
+- "can't create symlink to card%i\n", card->number);
++ if (sysfs_create_link(&card->ctl_dev.kobj, &led_card->dev.kobj,
++ link_name))
++ dev_err(card->dev,
++ "%s: can't create symlink to controlC%i device\n",
++ __func__, card->number);
++ if (sysfs_create_link(&led_card->dev.kobj, &card->card_dev.kobj,
++ "card"))
++ dev_err(card->dev,
++ "%s: can't create symlink to card%i\n",
++ __func__, card->number);
+
+ continue;
+ cerr:
--- /dev/null
+From stable+bounces-225743-greg=kroah.com@vger.kernel.org Tue Mar 17 06:57:15 2026
+From: Johnny Hao <johnny_haocn@sina.com>
+Date: Tue, 17 Mar 2026 13:56:04 +0800
+Subject: ALSA: usb-audio: Kill timer properly at removal
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, Takashi Iwai <tiwai@suse.de>, syzbot+d8f72178ab6783a7daea@syzkaller.appspotmail.com, Johnny Hao <johnny_haocn@sina.com>
+Message-ID: <20260317055604.669076-1-johnny_haocn@sina.com>
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1 ]
+
+The USB-audio MIDI code initializes the timer, but in a rare case, the
+driver might be freed without the disconnect call. This leaves the
+timer in an active state while the assigned object is released via
+snd_usbmidi_free(), which ends up with a kernel warning when the debug
+configuration is enabled, as spotted by fuzzer.
+
+For avoiding the problem, put timer_shutdown_sync() at
+snd_usbmidi_free(), so that the timer can be killed properly.
+While we're at it, replace the existing timer_delete_sync() at the
+disconnect callback with timer_shutdown_sync(), too.
+
+Reported-by: syzbot+d8f72178ab6783a7daea@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/681c70d7.050a0220.a19a9.00c6.GAE@google.com
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20250519212031.14436-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[ The context change is due to the commit 8fa7292fee5c
+("treewide: Switch/rename to timer_delete[_sync]()")
+in v6.15 which is irrelevant to the logic of this patch. ]
+Signed-off-by: Johnny Hao <johnny_haocn@sina.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/midi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -1530,6 +1530,7 @@ static void snd_usbmidi_free(struct snd_
+ snd_usbmidi_in_endpoint_delete(ep->in);
+ }
+ mutex_destroy(&umidi->mutex);
++ timer_shutdown_sync(&umidi->error_timer);
+ kfree(umidi);
+ }
+
+@@ -1553,7 +1554,7 @@ void snd_usbmidi_disconnect(struct list_
+ spin_unlock_irq(&umidi->disc_lock);
+ up_write(&umidi->disc_rwsem);
+
+- del_timer_sync(&umidi->error_timer);
++ timer_shutdown_sync(&umidi->error_timer);
+
+ for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
+ struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
--- /dev/null
+From stable+bounces-224649-greg=kroah.com@vger.kernel.org Wed Mar 11 09:12:27 2026
+From: Robert Garcia <rob_garcia@163.com>
+Date: Wed, 11 Mar 2026 16:10:46 +0800
+Subject: binfmt_misc: restore write access before closing files opened by open_exec()
+To: stable@vger.kernel.org, Zilin Guan <zilin@seu.edu.cn>
+Cc: Christian Brauner <brauner@kernel.org>, Alexander Viro <viro@zeniv.linux.org.uk>, Robert Garcia <rob_garcia@163.com>, Jan Kara <jack@suse.cz>, Eric Biederman <ebiederm@xmission.com>, Kees Cook <kees@kernel.org>, Andrew Morton <akpm@linux-foundation.org>, Helge Deller <deller@gmx.de>, Lior Ribak <liorribak@gmail.com>, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org
+Message-ID: <20260311081046.1668003-1-rob_garcia@163.com>
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 90f601b497d76f40fa66795c3ecf625b6aced9fd ]
+
+bm_register_write() opens an executable file using open_exec(), which
+internally calls do_open_execat() and denies write access on the file to
+avoid modification while it is being executed.
+
+However, when an error occurs, bm_register_write() closes the file using
+filp_close() directly. This does not restore the write permission, which
+may cause subsequent write operations on the same file to fail.
+
+Fix this by calling exe_file_allow_write_access() before filp_close() to
+restore the write permission properly.
+
+Fixes: e7850f4d844e ("binfmt_misc: fix possible deadlock in bm_register_write")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Link: https://patch.msgid.link/20251105022923.1813587-1-zilin@seu.edu.cn
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+[ Use allow_write_access() instead of exe_file_allow_write_access()
+according to commit 0357ef03c94ef
+("fs: don't block write during exec on pre-content watched files"). ]
+Signed-off-by: Robert Garcia <rob_garcia@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/binfmt_misc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -816,8 +816,10 @@ out:
+ inode_unlock(d_inode(root));
+
+ if (err) {
+- if (f)
++ if (f) {
++ allow_write_access(f);
+ filp_close(f, NULL);
++ }
+ kfree(e);
+ return err;
+ }
--- /dev/null
+From alvalan9@foxmail.com Tue Feb 24 08:26:41 2026
+From: alvalan9@foxmail.com
+Date: Tue, 24 Feb 2026 07:26:24 +0000
+Subject: blk-mq: use quiesced elevator switch when reinitializing queues
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: Keith Busch <kbusch@kernel.org>, Ming Lei <ming.lei@redhat.com>, Christoph Hellwig <hch@lst.de>, Jens Axboe <axboe@kernel.dk>, Alva Lan <alvalan9@foxmail.com>
+Message-ID: <tencent_3FBE2535ACAD7066608E1AB4691F6A5E3F09@qq.com>
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit 8237c01f1696bc53c470493bf1fe092a107648a6 ]
+
+The hctx's run_work may be racing with the elevator switch when
+reinitializing hardware queues. The queue is merely frozen in this
+context, but that only prevents requests from allocating and doesn't
+stop the hctx work from running. The work may get an elevator pointer
+that's being torn down, and can result in use-after-free errors and
+kernel panics (example below). Use the quiesced elevator switch instead,
+and make the previous one static since it is now only used locally.
+
+ nvme nvme0: resetting controller
+ nvme nvme0: 32/0/0 default/read/poll queues
+ BUG: kernel NULL pointer dereference, address: 0000000000000008
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 80000020c8861067 P4D 80000020c8861067 PUD 250f8c8067 PMD 0
+ Oops: 0000 [#1] SMP PTI
+ Workqueue: kblockd blk_mq_run_work_fn
+ RIP: 0010:kyber_has_work+0x29/0x70
+
+...
+
+ Call Trace:
+ __blk_mq_do_dispatch_sched+0x83/0x2b0
+ __blk_mq_sched_dispatch_requests+0x12e/0x170
+ blk_mq_sched_dispatch_requests+0x30/0x60
+ __blk_mq_run_hw_queue+0x2b/0x50
+ process_one_work+0x1ef/0x380
+ worker_thread+0x2d/0x3e0
+
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20220927155652.3260724-1-kbusch@fb.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+[ Adjust context ]
+Signed-off-by: Alva Lan <alvalan9@foxmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq.c | 6 +++---
+ block/blk.h | 3 +--
+ block/elevator.c | 4 ++--
+ 3 files changed, 6 insertions(+), 7 deletions(-)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -3732,14 +3732,14 @@ static bool blk_mq_elv_switch_none(struc
+
+ mutex_lock(&q->sysfs_lock);
+ /*
+- * After elevator_switch_mq, the previous elevator_queue will be
++ * After elevator_switch, the previous elevator_queue will be
+ * released by elevator_release. The reference of the io scheduler
+ * module get by elevator_get will also be put. So we need to get
+ * a reference of the io scheduler module here to prevent it to be
+ * removed.
+ */
+ __module_get(qe->type->elevator_owner);
+- elevator_switch_mq(q, NULL);
++ elevator_switch(q, NULL);
+ mutex_unlock(&q->sysfs_lock);
+
+ return true;
+@@ -3764,7 +3764,7 @@ static void blk_mq_elv_switch_back(struc
+ kfree(qe);
+
+ mutex_lock(&q->sysfs_lock);
+- elevator_switch_mq(q, t);
++ elevator_switch(q, t);
+ mutex_unlock(&q->sysfs_lock);
+ }
+
+--- a/block/blk.h
++++ b/block/blk.h
+@@ -189,8 +189,7 @@ void blk_account_io_done(struct request
+
+ void blk_insert_flush(struct request *rq);
+
+-int elevator_switch_mq(struct request_queue *q,
+- struct elevator_type *new_e);
++int elevator_switch(struct request_queue *q, struct elevator_type *new_e);
+ void __elevator_exit(struct request_queue *, struct elevator_queue *);
+ int elv_register_queue(struct request_queue *q, bool uevent);
+ void elv_unregister_queue(struct request_queue *q);
+--- a/block/elevator.c
++++ b/block/elevator.c
+@@ -581,7 +581,7 @@ void elv_unregister(struct elevator_type
+ }
+ EXPORT_SYMBOL_GPL(elv_unregister);
+
+-int elevator_switch_mq(struct request_queue *q,
++static int elevator_switch_mq(struct request_queue *q,
+ struct elevator_type *new_e)
+ {
+ int ret;
+@@ -719,7 +719,7 @@ void elevator_init_mq(struct request_que
+ * need for the new one. this way we have a chance of going back to the old
+ * one, if the new one fails init for some reason.
+ */
+-static int elevator_switch(struct request_queue *q, struct elevator_type *new_e)
++int elevator_switch(struct request_queue *q, struct elevator_type *new_e)
+ {
+ int err;
+
--- /dev/null
+From stable+bounces-226955-greg=kroah.com@vger.kernel.org Wed Mar 18 05:41:13 2026
+From: Johnny Hao <johnny_haocn@sina.com>
+Date: Wed, 18 Mar 2026 12:40:10 +0800
+Subject: Bluetooth: af_bluetooth: Fix deadlock
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, Luiz Augusto von Dentz <luiz.von.dentz@intel.com>, Johnny Hao <johnny_haocn@sina.com>
+Message-ID: <20260318044010.3507623-1-johnny_haocn@sina.com>
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit f7b94bdc1ec107c92262716b073b3e816d4784fb ]
+
+Attemting to do sock_lock on .recvmsg may cause a deadlock as shown
+bellow, so instead of using sock_sock this uses sk_receive_queue.lock
+on bt_sock_ioctl to avoid the UAF:
+
+INFO: task kworker/u9:1:121 blocked for more than 30 seconds.
+ Not tainted 6.7.6-lemon #183
+Workqueue: hci0 hci_rx_work
+Call Trace:
+ <TASK>
+ __schedule+0x37d/0xa00
+ schedule+0x32/0xe0
+ __lock_sock+0x68/0xa0
+ ? __pfx_autoremove_wake_function+0x10/0x10
+ lock_sock_nested+0x43/0x50
+ l2cap_sock_recv_cb+0x21/0xa0
+ l2cap_recv_frame+0x55b/0x30a0
+ ? psi_task_switch+0xeb/0x270
+ ? finish_task_switch.isra.0+0x93/0x2a0
+ hci_rx_work+0x33a/0x3f0
+ process_one_work+0x13a/0x2f0
+ worker_thread+0x2f0/0x410
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0xe0/0x110
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x2c/0x50
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1b/0x30
+ </TASK>
+
+Fixes: 2e07e8348ea4 ("Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+[ The context change is due to the commit f4b41f062c42
+("net: remove noblock parameter from skb_recv_datagram()")
+in v5.19 which is irrelevant to the logic of this patch. ]
+Signed-off-by: Johnny Hao <johnny_haocn@sina.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/af_bluetooth.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -285,14 +285,11 @@ int bt_sock_recvmsg(struct socket *sock,
+ if (flags & MSG_OOB)
+ return -EOPNOTSUPP;
+
+- lock_sock(sk);
+-
+ skb = skb_recv_datagram(sk, flags, noblock, &err);
+ if (!skb) {
+ if (sk->sk_shutdown & RCV_SHUTDOWN)
+ err = 0;
+
+- release_sock(sk);
+ return err;
+ }
+
+@@ -318,8 +315,6 @@ int bt_sock_recvmsg(struct socket *sock,
+
+ skb_free_datagram(sk, skb);
+
+- release_sock(sk);
+-
+ if (flags & MSG_TRUNC)
+ copied = skblen;
+
+@@ -542,10 +537,11 @@ int bt_sock_ioctl(struct socket *sock, u
+ if (sk->sk_state == BT_LISTEN)
+ return -EINVAL;
+
+- lock_sock(sk);
++ spin_lock(&sk->sk_receive_queue.lock);
+ skb = skb_peek(&sk->sk_receive_queue);
+ amount = skb ? skb->len : 0;
+- release_sock(sk);
++ spin_unlock(&sk->sk_receive_queue.lock);
++
+ err = put_user(amount, (int __user *)arg);
+ break;
+
--- /dev/null
+From stable+bounces-223626-greg=kroah.com@vger.kernel.org Mon Mar 9 13:30:32 2026
+From: Ruohan Lan <ruohanlan@aliyun.com>
+Date: Mon, 9 Mar 2026 20:29:21 +0800
+Subject: Bluetooth: hci_core: Fix use-after-free in vhci_flush()
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-bluetooth@vger.kernel.org, Kuniyuki Iwashima <kuniyu@google.com>, syzbot+2faa4825e556199361f9@syzkaller.appspotmail.com, Paul Menzel <pmenzel@molgen.mpg.de>, Luiz Augusto von Dentz <luiz.von.dentz@intel.com>, Ruohan Lan <ruohanlan@aliyun.com>
+Message-ID: <20260309122921.628283-1-ruohanlan@aliyun.com>
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 1d6123102e9fbedc8d25bf4731da6d513173e49e ]
+
+syzbot reported use-after-free in vhci_flush() without repro. [0]
+
+>From the splat, a thread close()d a vhci file descriptor while
+its device was being used by iotcl() on another thread.
+
+Once the last fd refcnt is released, vhci_release() calls
+hci_unregister_dev(), hci_free_dev(), and kfree() for struct
+vhci_data, which is set to hci_dev->dev->driver_data.
+
+The problem is that there is no synchronisation after unlinking
+hdev from hci_dev_list in hci_unregister_dev(). There might be
+another thread still accessing the hdev which was fetched before
+the unlink operation.
+
+We can use SRCU for such synchronisation.
+
+Let's run hci_dev_reset() under SRCU and wait for its completion
+in hci_unregister_dev().
+
+Another option would be to restore hci_dev->destruct(), which was
+removed in commit 587ae086f6e4 ("Bluetooth: Remove unused
+hci-destruct cb"). However, this would not be a good solution, as
+we should not run hci_unregister_dev() while there are in-flight
+ioctl() requests, which could lead to another data-race KCSAN splat.
+
+Note that other drivers seem to have the same problem, for exmaple,
+virtbt_remove().
+
+[0]:
+BUG: KASAN: slab-use-after-free in skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]
+BUG: KASAN: slab-use-after-free in skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937
+Read of size 8 at addr ffff88807cb8d858 by task syz.1.219/6718
+
+CPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 Not tainted 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:408 [inline]
+ print_report+0xd2/0x2b0 mm/kasan/report.c:521
+ kasan_report+0x118/0x150 mm/kasan/report.c:634
+ skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]
+ skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937
+ skb_queue_purge include/linux/skbuff.h:3368 [inline]
+ vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69
+ hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline]
+ hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592
+ sock_do_ioctl+0xd9/0x300 net/socket.c:1190
+ sock_ioctl+0x576/0x790 net/socket.c:1311
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:907 [inline]
+ __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fcf5b98e929
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929
+RDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009
+RBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000000000 R14: 00007fcf5bbb6160 R15: 00007ffd6353d528
+ </TASK>
+
+Allocated by task 6535:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
+ __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
+ kasan_kmalloc include/linux/kasan.h:260 [inline]
+ __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359
+ kmalloc_noprof include/linux/slab.h:905 [inline]
+ kzalloc_noprof include/linux/slab.h:1039 [inline]
+ vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635
+ misc_open+0x2bc/0x330 drivers/char/misc.c:161
+ chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414
+ do_dentry_open+0xdf0/0x1970 fs/open.c:964
+ vfs_open+0x3b/0x340 fs/open.c:1094
+ do_open fs/namei.c:3887 [inline]
+ path_openat+0x2ee5/0x3830 fs/namei.c:4046
+ do_filp_open+0x1fa/0x410 fs/namei.c:4073
+ do_sys_openat2+0x121/0x1c0 fs/open.c:1437
+ do_sys_open fs/open.c:1452 [inline]
+ __do_sys_openat fs/open.c:1468 [inline]
+ __se_sys_openat fs/open.c:1463 [inline]
+ __x64_sys_openat+0x138/0x170 fs/open.c:1463
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Freed by task 6535:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
+ kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
+ poison_slab_object mm/kasan/common.c:247 [inline]
+ __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
+ kasan_slab_free include/linux/kasan.h:233 [inline]
+ slab_free_hook mm/slub.c:2381 [inline]
+ slab_free mm/slub.c:4643 [inline]
+ kfree+0x18e/0x440 mm/slub.c:4842
+ vhci_release+0xbc/0xd0 drivers/bluetooth/hci_vhci.c:671
+ __fput+0x44c/0xa70 fs/file_table.c:465
+ task_work_run+0x1d1/0x260 kernel/task_work.c:227
+ exit_task_work include/linux/task_work.h:40 [inline]
+ do_exit+0x6ad/0x22e0 kernel/exit.c:955
+ do_group_exit+0x21c/0x2d0 kernel/exit.c:1104
+ __do_sys_exit_group kernel/exit.c:1115 [inline]
+ __se_sys_exit_group kernel/exit.c:1113 [inline]
+ __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1113
+ x64_sys_call+0x21ba/0x21c0 arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The buggy address belongs to the object at ffff88807cb8d800
+ which belongs to the cache kmalloc-1k of size 1024
+The buggy address is located 88 bytes inside of
+ freed 1024-byte region [ffff88807cb8d800, ffff88807cb8dc00)
+
+Fixes: bf18c7118cf8 ("Bluetooth: vhci: Free driver_data on file release")
+Reported-by: syzbot+2faa4825e556199361f9@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=f62d64848fc4c7c30cd6
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Acked-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+[ Minor context conflict resolved. ]
+Signed-off-by: Ruohan Lan <ruohanlan@aliyun.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/bluetooth/hci_core.h | 2 ++
+ net/bluetooth/hci_core.c | 34 ++++++++++++++++++++++++++++++----
+ 2 files changed, 32 insertions(+), 4 deletions(-)
+
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -28,6 +28,7 @@
+ #include <linux/idr.h>
+ #include <linux/leds.h>
+ #include <linux/rculist.h>
++#include <linux/srcu.h>
+
+ #include <net/bluetooth/hci.h>
+ #include <net/bluetooth/hci_sock.h>
+@@ -308,6 +309,7 @@ struct amp_assoc {
+
+ struct hci_dev {
+ struct list_head list;
++ struct srcu_struct srcu;
+ struct mutex lock;
+
+ const char *name;
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -1048,7 +1048,7 @@ static int hci_linkpol_req(struct hci_re
+
+ /* Get HCI device by index.
+ * Device is held on return. */
+-struct hci_dev *hci_dev_get(int index)
++static struct hci_dev *__hci_dev_get(int index, int *srcu_index)
+ {
+ struct hci_dev *hdev = NULL, *d;
+
+@@ -1061,6 +1061,8 @@ struct hci_dev *hci_dev_get(int index)
+ list_for_each_entry(d, &hci_dev_list, list) {
+ if (d->id == index) {
+ hdev = hci_dev_hold(d);
++ if (srcu_index)
++ *srcu_index = srcu_read_lock(&d->srcu);
+ break;
+ }
+ }
+@@ -1068,6 +1070,22 @@ struct hci_dev *hci_dev_get(int index)
+ return hdev;
+ }
+
++struct hci_dev *hci_dev_get(int index)
++{
++ return __hci_dev_get(index, NULL);
++}
++
++static struct hci_dev *hci_dev_get_srcu(int index, int *srcu_index)
++{
++ return __hci_dev_get(index, srcu_index);
++}
++
++static void hci_dev_put_srcu(struct hci_dev *hdev, int srcu_index)
++{
++ srcu_read_unlock(&hdev->srcu, srcu_index);
++ hci_dev_put(hdev);
++}
++
+ /* ---- Inquiry support ---- */
+
+ bool hci_discovery_active(struct hci_dev *hdev)
+@@ -1918,9 +1936,9 @@ static int hci_dev_do_reset(struct hci_d
+ int hci_dev_reset(__u16 dev)
+ {
+ struct hci_dev *hdev;
+- int err;
++ int err, srcu_index;
+
+- hdev = hci_dev_get(dev);
++ hdev = hci_dev_get_srcu(dev, &srcu_index);
+ if (!hdev)
+ return -ENODEV;
+
+@@ -1942,7 +1960,7 @@ int hci_dev_reset(__u16 dev)
+ err = hci_dev_do_reset(hdev);
+
+ done:
+- hci_dev_put(hdev);
++ hci_dev_put_srcu(hdev, srcu_index);
+ return err;
+ }
+
+@@ -3780,6 +3798,11 @@ struct hci_dev *hci_alloc_dev_priv(int s
+ if (!hdev)
+ return NULL;
+
++ if (init_srcu_struct(&hdev->srcu)) {
++ kfree(hdev);
++ return NULL;
++ }
++
+ hdev->pkt_type = (HCI_DM1 | HCI_DH1 | HCI_HV1);
+ hdev->esco_type = (ESCO_HV1);
+ hdev->link_mode = (HCI_LM_ACCEPT);
+@@ -4029,6 +4052,9 @@ void hci_unregister_dev(struct hci_dev *
+ list_del(&hdev->list);
+ write_unlock(&hci_dev_list_lock);
+
++ synchronize_srcu(&hdev->srcu);
++ cleanup_srcu_struct(&hdev->srcu);
++
+ cancel_work_sync(&hdev->rx_work);
+ cancel_work_sync(&hdev->cmd_work);
+ cancel_work_sync(&hdev->tx_work);
--- /dev/null
+From johnny_haocn@sina.com Tue Mar 10 07:15:37 2026
+From: Johnny Hao <johnny_haocn@sina.com>
+Date: Tue, 10 Mar 2026 14:15:27 +0800
+Subject: bpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, Kumar Kartikeya Dwivedi <memxor@gmail.com>, Alexei Starovoitov <ast@kernel.org>, Johnny Hao <johnny_haocn@sina.com>
+Message-ID: <20260310061527.1059694-1-johnny_haocn@sina.com>
+
+From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+
+[ Upstream commit 2fc31465c5373b5ca4edf2e5238558cb62902311 ]
+
+Precision markers need to be propagated whenever we have an ARG_CONST_*
+style argument, as the verifier cannot consider imprecise scalars to be
+equivalent for the purposes of states_equal check when such arguments
+refine the return value (in this case, set mem_size for PTR_TO_MEM). The
+resultant mem_size for the R0 is derived from the constant value, and if
+the verifier incorrectly prunes states considering them equivalent where
+such arguments exist (by seeing that both registers have reg->precise as
+false in regsafe), we can end up with invalid programs passing the
+verifier which can do access beyond what should have been the correct
+mem_size in that explored state.
+
+To show a concrete example of the problem:
+
+0000000000000000 <prog>:
+ 0: r2 = *(u32 *)(r1 + 80)
+ 1: r1 = *(u32 *)(r1 + 76)
+ 2: r3 = r1
+ 3: r3 += 4
+ 4: if r3 > r2 goto +18 <LBB5_5>
+ 5: w2 = 0
+ 6: *(u32 *)(r1 + 0) = r2
+ 7: r1 = *(u32 *)(r1 + 0)
+ 8: r2 = 1
+ 9: if w1 == 0 goto +1 <LBB5_3>
+ 10: r2 = -1
+
+0000000000000058 <LBB5_3>:
+ 11: r1 = 0 ll
+ 13: r3 = 0
+ 14: call bpf_ringbuf_reserve
+ 15: if r0 == 0 goto +7 <LBB5_5>
+ 16: r1 = r0
+ 17: r1 += 16777215
+ 18: w2 = 0
+ 19: *(u8 *)(r1 + 0) = r2
+ 20: r1 = r0
+ 21: r2 = 0
+ 22: call bpf_ringbuf_submit
+
+00000000000000b8 <LBB5_5>:
+ 23: w0 = 0
+ 24: exit
+
+For the first case, the single line execution's exploration will prune
+the search at insn 14 for the branch insn 9's second leg as it will be
+verified first using r2 = -1 (UINT_MAX), while as w1 at insn 9 will
+always be 0 so at runtime we don't get error for being greater than
+UINT_MAX/4 from bpf_ringbuf_reserve. The verifier during regsafe just
+sees reg->precise as false for both r2 registers in both states, hence
+considers them equal for purposes of states_equal.
+
+If we propagated precise markers using the backtracking support, we
+would use the precise marking to then ensure that old r2 (UINT_MAX) was
+within the new r2 (1) and this would never be true, so the verification
+would rightfully fail.
+
+The end result is that the out of bounds access at instruction 19 would
+be permitted without this fix.
+
+Note that reg->precise is always set to true when user does not have
+CAP_BPF (or when subprog count is greater than 1 (i.e. use of any static
+or global functions)), hence this is only a problem when precision marks
+need to be explicitly propagated (i.e. privileged users with CAP_BPF).
+
+A simplified test case has been included in the next patch to prevent
+future regressions.
+
+Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
+Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Link: https://lore.kernel.org/r/20220823185300.406-2-memxor@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+[ The context change is due to the commit 8ab4cdcf03d0
+("bpf: Tidy up verifier check_func_arg()") in v6.0
+which is irrelevant to the logic of this patch. ]
+Signed-off-by: Johnny Hao <johnny_haocn@sina.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5540,6 +5540,9 @@ skip_type_check:
+ return -EACCES;
+ }
+ meta->mem_size = reg->var_off.value;
++ err = mark_chain_precision(env, regno);
++ if (err)
++ return err;
+ } else if (arg_type_is_int_ptr(arg_type)) {
+ int size = int_ptr_type_to_size(arg_type);
+
--- /dev/null
+From stable+bounces-222795-greg=kroah.com@vger.kernel.org Tue Mar 3 07:01:10 2026
+From: Rahul Sharma <black.hawk@163.com>
+Date: Tue, 3 Mar 2026 14:00:34 +0800
+Subject: btrfs: do not strictly require dirty metadata threshold for metadata writepages
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, Qu Wenruo <wqu@suse.com>, Jan Kara <jack@suse.cz>, Boris Burkov <boris@bur.io>, David Sterba <dsterba@suse.com>, Rahul Sharma <black.hawk@163.com>
+Message-ID: <20260303060034.3997360-1-black.hawk@163.com>
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 4e159150a9a56d66d247f4b5510bed46fe58aa1c ]
+
+[BUG]
+There is an internal report that over 1000 processes are
+waiting at the io_schedule_timeout() of balance_dirty_pages(), causing
+a system hang and trigger a kernel coredump.
+
+The kernel is v6.4 kernel based, but the root problem still applies to
+any upstream kernel before v6.18.
+
+[CAUSE]
+>From Jan Kara for his wisdom on the dirty page balance behavior first.
+
+ This cgroup dirty limit was what was actually playing the role here
+ because the cgroup had only a small amount of memory and so the dirty
+ limit for it was something like 16MB.
+
+ Dirty throttling is responsible for enforcing that nobody can dirty
+ (significantly) more dirty memory than there's dirty limit. Thus when
+ a task is dirtying pages it periodically enters into balance_dirty_pages()
+ and we let it sleep there to slow down the dirtying.
+
+ When the system is over dirty limit already (either globally or within
+ a cgroup of the running task), we will not let the task exit from
+ balance_dirty_pages() until the number of dirty pages drops below the
+ limit.
+
+ So in this particular case, as I already mentioned, there was a cgroup
+ with relatively small amount of memory and as a result with dirty limit
+ set at 16MB. A task from that cgroup has dirtied about 28MB worth of
+ pages in btrfs btree inode and these were practically the only dirty
+ pages in that cgroup.
+
+So that means the only way to reduce the dirty pages of that cgroup is
+to writeback the dirty pages of btrfs btree inode, and only after that
+those processes can exit balance_dirty_pages().
+
+Now back to the btrfs part, btree_writepages() is responsible for
+writing back dirty btree inode pages.
+
+The problem here is, there is a btrfs internal threshold that if the
+btree inode's dirty bytes are below the 32M threshold, it will not
+do any writeback.
+
+This behavior is to batch as much metadata as possible so we won't write
+back those tree blocks and then later re-COW them again for another
+modification.
+
+This internal 32MiB is higher than the existing dirty page size (28MiB),
+meaning no writeback will happen, causing a deadlock between btrfs and
+cgroup:
+
+- Btrfs doesn't want to write back btree inode until more dirty pages
+
+- Cgroup/MM doesn't want more dirty pages for btrfs btree inode
+ Thus any process touching that btree inode is put into sleep until
+ the number of dirty pages is reduced.
+
+Thanks Jan Kara a lot for the analysis of the root cause.
+
+[ENHANCEMENT]
+Since kernel commit b55102826d7d ("btrfs: set AS_KERNEL_FILE on the
+btree_inode"), btrfs btree inode pages will only be charged to the root
+cgroup which should have a much larger limit than btrfs' 32MiB
+threshold.
+So it should not affect newer kernels.
+
+But for all current LTS kernels, they are all affected by this problem,
+and backporting the whole AS_KERNEL_FILE may not be a good idea.
+
+Even for newer kernels I still think it's a good idea to get
+rid of the internal threshold at btree_writepages(), since for most cases
+cgroup/MM has a better view of full system memory usage than btrfs' fixed
+threshold.
+
+For internal callers using btrfs_btree_balance_dirty() since that
+function is already doing internal threshold check, we don't need to
+bother them.
+
+But for external callers of btree_writepages(), just respect their
+requests and write back whatever they want, ignoring the internal
+btrfs threshold to avoid such deadlock on btree inode dirty page
+balancing.
+
+CC: stable@vger.kernel.org
+CC: Jan Kara <jack@suse.cz>
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ The context change is due to the commit 41044b41ad2c
+("btrfs: add helper to get fs_info from struct inode pointer")
+in v6.9 and the commit c66f2afc7148
+("btrfs: remove pointless writepages callback wrapper")
+in v6.10 which are irrelevant to the logic of this patch. ]
+Signed-off-by: Rahul Sharma <black.hawk@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/disk-io.c | 23 -----------------------
+ fs/btrfs/extent_io.c | 3 +--
+ fs/btrfs/extent_io.h | 3 +--
+ 3 files changed, 2 insertions(+), 27 deletions(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -912,29 +912,6 @@ static int btree_migratepage(struct addr
+ }
+ #endif
+
+-
+-static int btree_writepages(struct address_space *mapping,
+- struct writeback_control *wbc)
+-{
+- struct btrfs_fs_info *fs_info;
+- int ret;
+-
+- if (wbc->sync_mode == WB_SYNC_NONE) {
+-
+- if (wbc->for_kupdate)
+- return 0;
+-
+- fs_info = BTRFS_I(mapping->host)->root->fs_info;
+- /* this is a bit racy, but that's ok */
+- ret = __percpu_counter_compare(&fs_info->dirty_metadata_bytes,
+- BTRFS_DIRTY_METADATA_THRESH,
+- fs_info->dirty_metadata_batch);
+- if (ret < 0)
+- return 0;
+- }
+- return btree_write_cache_pages(mapping, wbc);
+-}
+-
+ static int btree_releasepage(struct page *page, gfp_t gfp_flags)
+ {
+ if (PageWriteback(page) || PageDirty(page))
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -4792,8 +4792,7 @@ static int submit_eb_page(struct page *p
+ return 1;
+ }
+
+-int btree_write_cache_pages(struct address_space *mapping,
+- struct writeback_control *wbc)
++int btree_writepages(struct address_space *mapping, struct writeback_control *wbc)
+ {
+ struct extent_buffer *eb_context = NULL;
+ struct extent_page_data epd = {
+--- a/fs/btrfs/extent_io.h
++++ b/fs/btrfs/extent_io.h
+@@ -187,8 +187,7 @@ int extent_write_locked_range(struct ino
+ int mode);
+ int extent_writepages(struct address_space *mapping,
+ struct writeback_control *wbc);
+-int btree_write_cache_pages(struct address_space *mapping,
+- struct writeback_control *wbc);
++int btree_writepages(struct address_space *mapping, struct writeback_control *wbc);
+ void extent_readahead(struct readahead_control *rac);
+ int extent_fiemap(struct btrfs_inode *inode, struct fiemap_extent_info *fieinfo,
+ u64 start, u64 len);
--- /dev/null
+From stable+bounces-222770-greg=kroah.com@vger.kernel.org Tue Mar 3 02:46:08 2026
+From: Alva Lan <alvalan9@foxmail.com>
+Date: Tue, 3 Mar 2026 09:45:22 +0800
+Subject: btrfs: send: check for inline extents in range_is_hole_in_parent()
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-btrfs@vger.kernel.org, Qu Wenruo <wqu@suse.com>, Filipe Manana <fdmanana@suse.com>, David Sterba <dsterba@suse.com>, Alva Lan <alvalan9@foxmail.com>
+Message-ID: <tencent_E33A07070D66A4018456A326E0C34932DE05@qq.com>
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 08b096c1372cd69627f4f559fb47c9fb67a52b39 ]
+
+Before accessing the disk_bytenr field of a file extent item we need
+to check if we are dealing with an inline extent.
+This is because for inline extents their data starts at the offset of
+the disk_bytenr field. So accessing the disk_bytenr
+means we are accessing inline data or in case the inline data is less
+than 8 bytes we can actually cause an invalid
+memory access if this inline extent item is the first item in the leaf
+or access metadata from other items.
+
+Fixes: 82bfb2e7b645 ("Btrfs: incremental send, fix unnecessary hole writes for sparse files")
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ Avoid leaking the path by using { ret = 0; goto out; } instead of
+returning directly. ]
+Signed-off-by: Alva Lan <alvalan9@foxmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/send.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -5892,6 +5892,10 @@ static int range_is_hole_in_parent(struc
+ extent_end = btrfs_file_extent_end(path);
+ if (extent_end <= start)
+ goto next;
++ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE) {
++ ret = 0;
++ goto out;
++ }
+ if (btrfs_file_extent_disk_bytenr(leaf, fi) == 0) {
+ search_start = extent_end;
+ goto next;
--- /dev/null
+From stable+bounces-226958-greg=kroah.com@vger.kernel.org Wed Mar 18 06:22:23 2026
+From: Charles Xu <charles_xu@189.cn>
+Date: Wed, 18 Mar 2026 13:22:13 +0800
+Subject: can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs
+To: mkl@pengutronix.de, stable@vger.kernel.org
+Message-ID: <20260318052213.6144-1-charles_xu@189.cn>
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 516a0cd1c03fa266bb67dd87940a209fd4e53ce7 ]
+
+The driver lacks the cleanup of failed transfers of URBs. This reduces the
+number of available URBs per error by 1. This leads to reduced performance
+and ultimately to a complete stop of the transmission.
+
+If the sending of a bulk URB fails do proper cleanup:
+- increase netdev stats
+- mark the echo_sbk as free
+- free the driver's context and do accounting
+- wake the send queue
+
+Closes: https://github.com/candle-usb/candleLight_fw/issues/187
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Charles Xu <charles_xu@189.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/gs_usb.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -467,8 +467,21 @@ static void gs_usb_xmit_callback(struct
+ struct gs_can *dev = txc->dev;
+ struct net_device *netdev = dev->netdev;
+
+- if (urb->status)
+- netdev_info(netdev, "usb xmit fail %d\n", txc->echo_id);
++ if (!urb->status)
++ return;
++
++ if (urb->status != -ESHUTDOWN && net_ratelimit())
++ netdev_info(netdev, "failed to xmit URB %u: %pe\n",
++ txc->echo_id, ERR_PTR(urb->status));
++
++ netdev->stats.tx_dropped++;
++ netdev->stats.tx_errors++;
++
++ can_free_echo_skb(netdev, txc->echo_id, NULL);
++ gs_free_tx_context(txc);
++ atomic_dec(&dev->active_tx_urbs);
++
++ netif_wake_queue(netdev);
+
+ usb_free_coherent(urb->dev,
+ urb->transfer_buffer_length,
--- /dev/null
+From stable+bounces-223742-greg=kroah.com@vger.kernel.org Tue Mar 10 04:10:40 2026
+From: Johnny Hao <johnny_haocn@sina.com>
+Date: Tue, 10 Mar 2026 11:10:19 +0800
+Subject: dlm: fix possible lkb_resource null dereference
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, Alexander Aring <aahringo@redhat.com>, David Teigland <teigland@redhat.com>, Johnny Hao <johnny_haocn@sina.com>
+Message-ID: <20260310031019.3572626-1-johnny_haocn@sina.com>
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit b98333c67daf887c724cd692e88e2db9418c0861 ]
+
+This patch fixes a possible null pointer dereference when this function is
+called from request_lock() as lkb->lkb_resource is not assigned yet,
+only after validate_lock_args() by calling attach_lkb(). Another issue
+is that a resource name could be a non printable bytearray and we cannot
+assume to be ASCII coded.
+
+The log functionality is probably never being hit when DLM is used in
+normal way and no debug logging is enabled. The null pointer dereference
+can only occur on a new created lkb that does not have the resource
+assigned yet, it probably never hits the null pointer dereference but we
+should be sure that other changes might not change this behaviour and we
+actually can hit the mentioned null pointer dereference.
+
+In this patch we just drop the printout of the resource name, the lkb id
+is enough to make a possible connection to a resource name if this
+exists.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+[ The context change is due to the commit 9ac8ba46a701
+("fs: dlm: handle -EINVAL as log_error()") in v6.1
+which is irrelevant to the logic of this patch. ]
+Signed-off-by: Johnny Hao <johnny_haocn@sina.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dlm/lock.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -2923,10 +2923,9 @@ static int validate_lock_args(struct dlm
+ rv = 0;
+ out:
+ if (rv)
+- log_debug(ls, "validate_lock_args %d %x %x %x %d %d %s",
++ log_debug(ls, "validate_lock_args %d %x %x %x %d %d",
+ rv, lkb->lkb_id, lkb->lkb_flags, args->flags,
+- lkb->lkb_status, lkb->lkb_wait_type,
+- lkb->lkb_resource->res_name);
++ lkb->lkb_status, lkb->lkb_wait_type);
+ return rv;
+ }
+
--- /dev/null
+From stable+bounces-219756-greg=kroah.com@vger.kernel.org Thu Feb 26 07:14:34 2026
+From: Rahul Sharma <black.hawk@163.com>
+Date: Thu, 26 Feb 2026 14:12:31 +0800
+Subject: dm-verity: disable recursive forward error correction
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, Mikulas Patocka <mpatocka@redhat.com>, Guangwu Zhang <guazhang@redhat.com>, Sami Tolvanen <samitolvanen@google.com>, Eric Biggers <ebiggers@kernel.org>, Rahul Sharma <black.hawk@163.com>
+Message-ID: <20260226061231.2047105-1-black.hawk@163.com>
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit d9f3e47d3fae0c101d9094bc956ed24e7a0ee801 ]
+
+There are two problems with the recursive correction:
+
+1. It may cause denial-of-service. In fec_read_bufs, there is a loop that
+has 253 iterations. For each iteration, we may call verity_hash_for_block
+recursively. There is a limit of 4 nested recursions - that means that
+there may be at most 253^4 (4 billion) iterations. Red Hat QE team
+actually created an image that pushes dm-verity to this limit - and this
+image just makes the udev-worker process get stuck in the 'D' state.
+
+2. It doesn't work. In fec_read_bufs we store data into the variable
+"fio->bufs", but fio bufs is shared between recursive invocations, if
+"verity_hash_for_block" invoked correction recursively, it would
+overwrite partially filled fio->bufs.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Reported-by: Guangwu Zhang <guazhang@redhat.com>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Reviewed-by: Eric Biggers <ebiggers@kernel.org>
+[ The context change is due to the commit bdf253d580d7
+("dm-verity: remove support for asynchronous hashes")
+in v6.18 and the commit 9356fcfe0ac4
+("dm verity: set DM_TARGET_SINGLETON feature flag") in v6.9
+which are irrelevant to the logic of this patch. ]
+Signed-off-by: Rahul Sharma <black.hawk@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-verity-fec.c | 4 +---
+ drivers/md/dm-verity-fec.h | 3 ---
+ 2 files changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/md/dm-verity-fec.c
++++ b/drivers/md/dm-verity-fec.c
+@@ -423,10 +423,8 @@ int verity_fec_decode(struct dm_verity *
+ if (!verity_fec_is_enabled(v))
+ return -EOPNOTSUPP;
+
+- if (fio->level >= DM_VERITY_FEC_MAX_RECURSION) {
+- DMWARN_LIMIT("%s: FEC: recursion too deep", v->data_dev->name);
++ if (fio->level)
+ return -EIO;
+- }
+
+ fio->level++;
+
+--- a/drivers/md/dm-verity-fec.h
++++ b/drivers/md/dm-verity-fec.h
+@@ -23,9 +23,6 @@
+ #define DM_VERITY_FEC_BUF_MAX \
+ (1 << (PAGE_SHIFT - DM_VERITY_FEC_BUF_RS_BITS))
+
+-/* maximum recursion level for verity_fec_decode */
+-#define DM_VERITY_FEC_MAX_RECURSION 4
+-
+ #define DM_VERITY_OPT_FEC_DEV "use_fec_from_device"
+ #define DM_VERITY_OPT_FEC_BLOCKS "fec_blocks"
+ #define DM_VERITY_OPT_FEC_START "fec_start"
--- /dev/null
+From jetlan9@163.com Sun Mar 1 04:07:20 2026
+From: Wenshan Lan <jetlan9@163.com>
+Date: Sun, 1 Mar 2026 11:06:21 +0800
+Subject: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: Guodong Xu <guodong@riscstar.com>, Juan Li <lijuan@linux.spacemit.com>, Vinod Koul <vkoul@kernel.org>, Wenshan Lan <jetlan9@163.com>
+Message-ID: <20260301030621.2448938-1-jetlan9@163.com>
+
+From: Guodong Xu <guodong@riscstar.com>
+
+[ Upstream commit a143545855bc2c6e1330f6f57ae375ac44af00a7 ]
+
+Add proper locking in mmp_pdma_residue() to prevent use-after-free when
+accessing descriptor list and descriptor contents.
+
+The race occurs when multiple threads call tx_status() while the tasklet
+on another CPU is freeing completed descriptors:
+
+CPU 0 CPU 1
+----- -----
+mmp_pdma_tx_status()
+mmp_pdma_residue()
+ -> NO LOCK held
+ list_for_each_entry(sw, ..)
+ DMA interrupt
+ dma_do_tasklet()
+ -> spin_lock(&desc_lock)
+ list_move(sw->node, ...)
+ spin_unlock(&desc_lock)
+ | dma_pool_free(sw) <- FREED!
+ -> access sw->desc <- UAF!
+
+This issue can be reproduced when running dmatest on the same channel with
+multiple threads (threads_per_chan > 1).
+
+Fix by protecting the chain_running list iteration and descriptor access
+with the chan->desc_lock spinlock.
+
+Signed-off-by: Juan Li <lijuan@linux.spacemit.com>
+Signed-off-by: Guodong Xu <guodong@riscstar.com>
+Link: https://patch.msgid.link/20251216-mmp-pdma-race-v1-1-976a224bb622@riscstar.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+[ Minor context conflict resolved. ]
+Signed-off-by: Wenshan Lan <jetlan9@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/mmp_pdma.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/dma/mmp_pdma.c
++++ b/drivers/dma/mmp_pdma.c
+@@ -764,6 +764,7 @@ static unsigned int mmp_pdma_residue(str
+ {
+ struct mmp_pdma_desc_sw *sw;
+ u32 curr, residue = 0;
++ unsigned long flags;
+ bool passed = false;
+ bool cyclic = chan->cyclic_first != NULL;
+
+@@ -779,6 +780,8 @@ static unsigned int mmp_pdma_residue(str
+ else
+ curr = readl(chan->phy->base + DSADR(chan->phy->idx));
+
++ spin_lock_irqsave(&chan->desc_lock, flags);
++
+ list_for_each_entry(sw, &chan->chain_running, node) {
+ u32 start, end, len;
+
+@@ -822,6 +825,7 @@ static unsigned int mmp_pdma_residue(str
+ continue;
+
+ if (sw->async_tx.cookie == cookie) {
++ spin_unlock_irqrestore(&chan->desc_lock, flags);
+ return residue;
+ } else {
+ residue = 0;
+@@ -829,6 +833,8 @@ static unsigned int mmp_pdma_residue(str
+ }
+ }
+
++ spin_unlock_irqrestore(&chan->desc_lock, flags);
++
+ /* We should only get here in case of cyclic transactions */
+ return residue;
+ }
--- /dev/null
+From stable+bounces-225497-greg=kroah.com@vger.kernel.org Mon Mar 16 04:29:15 2026
+From: Johnny Hao <johnny_haocn@sina.com>
+Date: Mon, 16 Mar 2026 11:28:51 +0800
+Subject: drm/amdgpu: unmap and remove csa_va properly
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, "Lang Yu" <Lang.Yu@amd.com>, "Christian König" <christian.koenig@amd.com>, "Alex Deucher" <alexander.deucher@amd.com>, "Johnny Hao" <johnny_haocn@sina.com>
+Message-ID: <20260316032851.3319377-1-johnny_haocn@sina.com>
+
+From: Lang Yu <Lang.Yu@amd.com>
+
+[ Upstream commit 5daff15cd013422bc6d1efcfe82b586800025384 ]
+
+Root PD BO should be reserved before unmap and remove
+a bo_va from VM otherwise lockdep will complain.
+
+v2: check fpriv->csa_va is not NULL instead of amdgpu_mcbp (christian)
+
+[14616.936827] WARNING: CPU: 6 PID: 1711 at drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c:1762 amdgpu_vm_bo_del+0x399/0x3f0 [amdgpu]
+[14616.937096] Call Trace:
+[14616.937097] <TASK>
+[14616.937102] amdgpu_driver_postclose_kms+0x249/0x2f0 [amdgpu]
+[14616.937187] drm_file_free+0x1d6/0x300 [drm]
+[14616.937207] drm_close_helper.isra.0+0x62/0x70 [drm]
+[14616.937220] drm_release+0x5e/0x100 [drm]
+[14616.937234] __fput+0x9f/0x280
+[14616.937239] ____fput+0xe/0x20
+[14616.937241] task_work_run+0x61/0x90
+[14616.937246] exit_to_user_mode_prepare+0x215/0x220
+[14616.937251] syscall_exit_to_user_mode+0x2a/0x60
+[14616.937254] do_syscall_64+0x48/0x90
+[14616.937257] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Signed-off-by: Lang Yu <Lang.Yu@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+[ The context change is due to the commit e56694f718f0
+("drm/amdgpu: rename amdgpu_vm_bo_rmv to _del")
+in v5.18 and the proper adoption is done which
+is irrelevant to the logic of this patch. ]
+Signed-off-by: Johnny Hao <johnny_haocn@sina.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 38 ++++++++++++++++++++++++++++++++
+ drivers/gpu/drm/amd/amdgpu/amdgpu_csa.h | 3 ++
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 10 +++-----
+ 3 files changed, 45 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c
+@@ -106,3 +106,41 @@ int amdgpu_map_static_csa(struct amdgpu_
+ ttm_eu_backoff_reservation(&ticket, &list);
+ return 0;
+ }
++
++int amdgpu_unmap_static_csa(struct amdgpu_device *adev, struct amdgpu_vm *vm,
++ struct amdgpu_bo *bo, struct amdgpu_bo_va *bo_va,
++ uint64_t csa_addr)
++{
++ struct ww_acquire_ctx ticket;
++ struct list_head list;
++ struct amdgpu_bo_list_entry pd;
++ struct ttm_validate_buffer csa_tv;
++ int r;
++
++ INIT_LIST_HEAD(&list);
++ INIT_LIST_HEAD(&csa_tv.head);
++ csa_tv.bo = &bo->tbo;
++ csa_tv.num_shared = 1;
++
++ list_add(&csa_tv.head, &list);
++ amdgpu_vm_get_pd_bo(vm, &list, &pd);
++
++ r = ttm_eu_reserve_buffers(&ticket, &list, true, NULL);
++ if (r) {
++ DRM_ERROR("failed to reserve CSA,PD BOs: err=%d\n", r);
++ return r;
++ }
++
++ r = amdgpu_vm_bo_unmap(adev, bo_va, csa_addr);
++ if (r) {
++ DRM_ERROR("failed to do bo_unmap on static CSA, err=%d\n", r);
++ ttm_eu_backoff_reservation(&ticket, &list);
++ return r;
++ }
++
++ amdgpu_vm_bo_rmv(adev, bo_va);
++
++ ttm_eu_backoff_reservation(&ticket, &list);
++
++ return 0;
++}
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.h
+@@ -34,6 +34,9 @@ int amdgpu_allocate_static_csa(struct am
+ int amdgpu_map_static_csa(struct amdgpu_device *adev, struct amdgpu_vm *vm,
+ struct amdgpu_bo *bo, struct amdgpu_bo_va **bo_va,
+ uint64_t csa_addr, uint32_t size);
++int amdgpu_unmap_static_csa(struct amdgpu_device *adev, struct amdgpu_vm *vm,
++ struct amdgpu_bo *bo, struct amdgpu_bo_va *bo_va,
++ uint64_t csa_addr);
+ void amdgpu_free_static_csa(struct amdgpu_bo **bo);
+
+ #endif
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+@@ -1273,14 +1273,12 @@ void amdgpu_driver_postclose_kms(struct
+ if (amdgpu_device_ip_get_ip_block(adev, AMD_IP_BLOCK_TYPE_VCE) != NULL)
+ amdgpu_vce_free_handles(adev, file_priv);
+
+- amdgpu_vm_bo_rmv(adev, fpriv->prt_va);
++ if (fpriv->csa_va) {
++ uint64_t csa_addr = amdgpu_csa_vaddr(adev) & AMDGPU_GMC_HOLE_MASK;
+
+- if (amdgpu_mcbp || amdgpu_sriov_vf(adev)) {
+- /* TODO: how to handle reserve failure */
+- BUG_ON(amdgpu_bo_reserve(adev->virt.csa_obj, true));
+- amdgpu_vm_bo_rmv(adev, fpriv->csa_va);
++ WARN_ON(amdgpu_unmap_static_csa(adev, &fpriv->vm, adev->virt.csa_obj,
++ fpriv->csa_va, csa_addr));
+ fpriv->csa_va = NULL;
+- amdgpu_bo_unreserve(adev->virt.csa_obj);
+ }
+
+ pasid = fpriv->vm.pasid;
--- /dev/null
+From b7d0a97b28083084ebdd8e5c6bccd12e6ec18faa Mon Sep 17 00:00:00 2001
+From: Ye Bin <yebin10@huawei.com>
+Date: Sat, 12 Oct 2024 00:44:50 +0800
+Subject: f2fs: fix null-ptr-deref in f2fs_submit_page_bio()
+
+From: Ye Bin <yebin10@huawei.com>
+
+commit b7d0a97b28083084ebdd8e5c6bccd12e6ec18faa upstream.
+
+There's issue as follows when concurrently installing the f2fs.ko
+module and mounting the f2fs file system:
+KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
+RIP: 0010:__bio_alloc+0x2fb/0x6c0 [f2fs]
+Call Trace:
+ <TASK>
+ f2fs_submit_page_bio+0x126/0x8b0 [f2fs]
+ __get_meta_page+0x1d4/0x920 [f2fs]
+ get_checkpoint_version.constprop.0+0x2b/0x3c0 [f2fs]
+ validate_checkpoint+0xac/0x290 [f2fs]
+ f2fs_get_valid_checkpoint+0x207/0x950 [f2fs]
+ f2fs_fill_super+0x1007/0x39b0 [f2fs]
+ mount_bdev+0x183/0x250
+ legacy_get_tree+0xf4/0x1e0
+ vfs_get_tree+0x88/0x340
+ do_new_mount+0x283/0x5e0
+ path_mount+0x2b2/0x15b0
+ __x64_sys_mount+0x1fe/0x270
+ do_syscall_64+0x5f/0x170
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Above issue happens as the biset of the f2fs file system is not
+initialized before register "f2fs_fs_type".
+To address above issue just register "f2fs_fs_type" at the last in
+init_f2fs_fs(). Ensure that all f2fs file system resources are
+initialized.
+
+Fixes: f543805fcd60 ("f2fs: introduce private bioset")
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[ Minor context conflict resolved. ]
+Signed-off-by: Bin Lan <lanbincn@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/super.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -4634,9 +4634,6 @@ static int __init init_f2fs_fs(void)
+ err = register_shrinker(&f2fs_shrinker_info);
+ if (err)
+ goto free_sysfs;
+- err = register_filesystem(&f2fs_fs_type);
+- if (err)
+- goto free_shrinker;
+ f2fs_create_root_stats();
+ err = f2fs_init_post_read_processing();
+ if (err)
+@@ -4660,6 +4657,7 @@ static int __init init_f2fs_fs(void)
+ if (err)
+ goto free_compress_cache;
+ err = f2fs_init_xattr_cache();
++ err = register_filesystem(&f2fs_fs_type);
+ if (err)
+ goto free_casefold_cache;
+ return 0;
+@@ -4679,8 +4677,6 @@ free_post_read:
+ f2fs_destroy_post_read_processing();
+ free_root_stats:
+ f2fs_destroy_root_stats();
+- unregister_filesystem(&f2fs_fs_type);
+-free_shrinker:
+ unregister_shrinker(&f2fs_shrinker_info);
+ free_sysfs:
+ f2fs_exit_sysfs();
+@@ -4704,6 +4700,7 @@ fail:
+
+ static void __exit exit_f2fs_fs(void)
+ {
++ unregister_filesystem(&f2fs_fs_type);
+ f2fs_destroy_xattr_cache();
+ f2fs_destroy_casefold_cache();
+ f2fs_destroy_compress_cache();
+@@ -4713,7 +4710,6 @@ static void __exit exit_f2fs_fs(void)
+ f2fs_destroy_iostat_processing();
+ f2fs_destroy_post_read_processing();
+ f2fs_destroy_root_stats();
+- unregister_filesystem(&f2fs_fs_type);
+ unregister_shrinker(&f2fs_shrinker_info);
+ f2fs_exit_sysfs();
+ f2fs_destroy_garbage_collection_cache();
--- /dev/null
+From stable+bounces-223307-greg=kroah.com@vger.kernel.org Fri Mar 6 06:05:45 2026
+From: Rahul Sharma <black.hawk@163.com>
+Date: Fri, 6 Mar 2026 13:05:04 +0800
+Subject: f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, Chao Yu <chao@kernel.org>, Daeho Jeong <daehojeong@google.com>, Jaegeuk Kim <jaegeuk@kernel.org>, Rahul Sharma <black.hawk@163.com>
+Message-ID: <20260306050504.1395421-1-black.hawk@163.com>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 1005a3ca28e90c7a64fa43023f866b960a60f791 ]
+
+w/ "mode=lfs" mount option, generic/299 will cause system panic as below:
+
+------------[ cut here ]------------
+kernel BUG at fs/f2fs/segment.c:2835!
+Call Trace:
+ <TASK>
+ f2fs_allocate_data_block+0x6f4/0xc50
+ f2fs_map_blocks+0x970/0x1550
+ f2fs_iomap_begin+0xb2/0x1e0
+ iomap_iter+0x1d6/0x430
+ __iomap_dio_rw+0x208/0x9a0
+ f2fs_file_write_iter+0x6b3/0xfa0
+ aio_write+0x15d/0x2e0
+ io_submit_one+0x55e/0xab0
+ __x64_sys_io_submit+0xa5/0x230
+ do_syscall_64+0x84/0x2f0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+RIP: 0010:new_curseg+0x70f/0x720
+
+The root cause of we run out-of-space is: in f2fs_map_blocks(), f2fs may
+trigger foreground gc only if it allocates any physical block, it will be
+a little bit later when there is multiple threads writing data w/
+aio/dio/bufio method in parallel, since we always use OPU in lfs mode, so
+f2fs_map_blocks() does block allocations aggressively.
+
+In order to fix this issue, let's give a chance to trigger foreground
+gc in prior to block allocation in f2fs_map_blocks().
+
+Fixes: 36abef4e796d ("f2fs: introduce mode=lfs mount option")
+Cc: Daeho Jeong <daehojeong@google.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[ The context change is due to the commit 2f51ade9524c
+("f2fs: f2fs_do_map_lock") in v6.3 which is irrelevant to
+the logic of this patch. ]
+Signed-off-by: Rahul Sharma <black.hawk@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/data.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -1523,8 +1523,11 @@ int f2fs_map_blocks(struct inode *inode,
+ }
+
+ next_dnode:
+- if (map->m_may_create)
++ if (map->m_may_create) {
++ if (f2fs_lfs_mode(sbi))
++ f2fs_balance_fs(sbi, true);
+ f2fs_do_map_lock(sbi, flag, true);
++ }
+
+ /* When reading holes, we need its node page */
+ set_new_dnode(&dn, inode, NULL, NULL, 0);
--- /dev/null
+From stable+bounces-225733-greg=kroah.com@vger.kernel.org Tue Mar 17 03:41:01 2026
+From: Robert Garcia <rob_garcia@163.com>
+Date: Tue, 17 Mar 2026 10:39:33 +0800
+Subject: f2fs: fix to wait on block writeback for post_read case
+To: stable@vger.kernel.org, Chao Yu <chao@kernel.org>
+Cc: Jaegeuk Kim <jaegeuk@kernel.org>, linux-f2fs-devel@lists.sourceforge.net, Robert Garcia <rob_garcia@163.com>, linux-kernel@vger.kernel.org
+Message-ID: <20260317023933.1654240-1-rob_garcia@163.com>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 55fdc1c24a1d6229fe0ecf31335fb9a2eceaaa00 ]
+
+If inode is compressed, but not encrypted, it missed to call
+f2fs_wait_on_block_writeback() to wait for GCed page writeback
+in IPU write path.
+
+Thread A GC-Thread
+ - f2fs_gc
+ - do_garbage_collect
+ - gc_data_segment
+ - move_data_block
+ - f2fs_submit_page_write
+ migrate normal cluster's block via
+ meta_inode's page cache
+- f2fs_write_single_data_page
+ - f2fs_do_write_data_page
+ - f2fs_inplace_write_data
+ - f2fs_submit_page_bio
+
+IRQ
+- f2fs_read_end_io
+ IRQ
+ old data overrides new data due to
+ out-of-order GC and common IO.
+ - f2fs_read_end_io
+
+Fixes: 4c8ff7095bef ("f2fs: support data compression")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[ Minor context change fixed. ]
+Signed-off-by: Robert Garcia <rob_garcia@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/data.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -2537,9 +2537,6 @@ int f2fs_encrypt_one_page(struct f2fs_io
+
+ page = fio->compressed_page ? fio->compressed_page : fio->page;
+
+- /* wait for GCed page writeback via META_MAPPING */
+- f2fs_wait_on_block_writeback(inode, fio->old_blkaddr);
+-
+ if (fscrypt_inode_uses_inline_crypto(inode))
+ return 0;
+
+@@ -2718,6 +2715,11 @@ got_it:
+ err = -EFSCORRUPTED;
+ goto out_writepage;
+ }
++
++ /* wait for GCed page writeback via META_MAPPING */
++ if (fio->post_read)
++ f2fs_wait_on_block_writeback(inode, fio->old_blkaddr);
++
+ /*
+ * If current allocation needs SSR,
+ * it had better in-place writes for updated data.
--- /dev/null
+From stable+bounces-222516-greg=kroah.com@vger.kernel.org Mon Mar 2 07:15:41 2026
+From: Jianqiang kang <jianqkang@sina.cn>
+Date: Mon, 2 Mar 2026 14:14:35 +0800
+Subject: fs: dlm: fix use after free in midcomms commit
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org, aahringo@redhat.com
+Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, ccaulfie@redhat.com, teigland@redhat.com, cluster-devel@redhat.com
+Message-ID: <20260302061435.2670935-1-jianqkang@sina.cn>
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 724b6bab0d75f1dc01fdfbf7fe8d4217a5cb90ba ]
+
+While working on processing dlm message in softirq context I experienced
+the following KASAN use-after-free warning:
+
+[ 151.760477] ==================================================================
+[ 151.761803] BUG: KASAN: use-after-free in dlm_midcomms_commit_mhandle+0x19d/0x4b0
+[ 151.763414] Read of size 4 at addr ffff88811a980c60 by task lock_torture/1347
+
+[ 151.765284] CPU: 7 PID: 1347 Comm: lock_torture Not tainted 6.1.0-rc4+ #2828
+[ 151.766778] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+16134+e5908aa2 04/01/2014
+[ 151.768726] Call Trace:
+[ 151.769277] <TASK>
+[ 151.769748] dump_stack_lvl+0x5b/0x86
+[ 151.770556] print_report+0x180/0x4c8
+[ 151.771378] ? kasan_complete_mode_report_info+0x7c/0x1e0
+[ 151.772241] ? dlm_midcomms_commit_mhandle+0x19d/0x4b0
+[ 151.773069] kasan_report+0x93/0x1a0
+[ 151.773668] ? dlm_midcomms_commit_mhandle+0x19d/0x4b0
+[ 151.774514] __asan_load4+0x7e/0xa0
+[ 151.775089] dlm_midcomms_commit_mhandle+0x19d/0x4b0
+[ 151.775890] ? create_message.isra.29.constprop.64+0x57/0xc0
+[ 151.776770] send_common+0x19f/0x1b0
+[ 151.777342] ? remove_from_waiters+0x60/0x60
+[ 151.778017] ? lock_downgrade+0x410/0x410
+[ 151.778648] ? __this_cpu_preempt_check+0x13/0x20
+[ 151.779421] ? rcu_lockdep_current_cpu_online+0x88/0xc0
+[ 151.780292] _convert_lock+0x46/0x150
+[ 151.780893] convert_lock+0x7b/0xc0
+[ 151.781459] dlm_lock+0x3ac/0x580
+[ 151.781993] ? 0xffffffffc0540000
+[ 151.782522] ? torture_stop+0x120/0x120 [dlm_locktorture]
+[ 151.783379] ? dlm_scan_rsbs+0xa70/0xa70
+[ 151.784003] ? preempt_count_sub+0xd6/0x130
+[ 151.784661] ? is_module_address+0x47/0x70
+[ 151.785309] ? torture_stop+0x120/0x120 [dlm_locktorture]
+[ 151.786166] ? 0xffffffffc0540000
+[ 151.786693] ? lockdep_init_map_type+0xc3/0x360
+[ 151.787414] ? 0xffffffffc0540000
+[ 151.787947] torture_dlm_lock_sync.isra.3+0xe9/0x150 [dlm_locktorture]
+[ 151.789004] ? torture_stop+0x120/0x120 [dlm_locktorture]
+[ 151.789858] ? 0xffffffffc0540000
+[ 151.790392] ? lock_torture_cleanup+0x20/0x20 [dlm_locktorture]
+[ 151.791347] ? delay_tsc+0x94/0xc0
+[ 151.791898] torture_ex_iter+0xc3/0xea [dlm_locktorture]
+[ 151.792735] ? torture_start+0x30/0x30 [dlm_locktorture]
+[ 151.793606] lock_torture+0x177/0x270 [dlm_locktorture]
+[ 151.794448] ? torture_dlm_lock_sync.isra.3+0x150/0x150 [dlm_locktorture]
+[ 151.795539] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]
+[ 151.796476] ? do_raw_spin_lock+0x11e/0x1e0
+[ 151.797152] ? mark_held_locks+0x34/0xb0
+[ 151.797784] ? _raw_spin_unlock_irqrestore+0x30/0x70
+[ 151.798581] ? __kthread_parkme+0x79/0x110
+[ 151.799246] ? trace_preempt_on+0x2a/0xf0
+[ 151.799902] ? __kthread_parkme+0x79/0x110
+[ 151.800579] ? preempt_count_sub+0xd6/0x130
+[ 151.801271] ? __kasan_check_read+0x11/0x20
+[ 151.801963] ? __kthread_parkme+0xec/0x110
+[ 151.802630] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]
+[ 151.803569] kthread+0x192/0x1d0
+[ 151.804104] ? kthread_complete_and_exit+0x30/0x30
+[ 151.804881] ret_from_fork+0x1f/0x30
+[ 151.805480] </TASK>
+
+[ 151.806111] Allocated by task 1347:
+[ 151.806681] kasan_save_stack+0x26/0x50
+[ 151.807308] kasan_set_track+0x25/0x30
+[ 151.807920] kasan_save_alloc_info+0x1e/0x30
+[ 151.808609] __kasan_slab_alloc+0x63/0x80
+[ 151.809263] kmem_cache_alloc+0x1ad/0x830
+[ 151.809916] dlm_allocate_mhandle+0x17/0x20
+[ 151.810590] dlm_midcomms_get_mhandle+0x96/0x260
+[ 151.811344] _create_message+0x95/0x180
+[ 151.811994] create_message.isra.29.constprop.64+0x57/0xc0
+[ 151.812880] send_common+0x129/0x1b0
+[ 151.813467] _convert_lock+0x46/0x150
+[ 151.814074] convert_lock+0x7b/0xc0
+[ 151.814648] dlm_lock+0x3ac/0x580
+[ 151.815199] torture_dlm_lock_sync.isra.3+0xe9/0x150 [dlm_locktorture]
+[ 151.816258] torture_ex_iter+0xc3/0xea [dlm_locktorture]
+[ 151.817129] lock_torture+0x177/0x270 [dlm_locktorture]
+[ 151.817986] kthread+0x192/0x1d0
+[ 151.818518] ret_from_fork+0x1f/0x30
+
+[ 151.819369] Freed by task 1336:
+[ 151.819890] kasan_save_stack+0x26/0x50
+[ 151.820514] kasan_set_track+0x25/0x30
+[ 151.821128] kasan_save_free_info+0x2e/0x50
+[ 151.821812] __kasan_slab_free+0x107/0x1a0
+[ 151.822483] kmem_cache_free+0x204/0x5e0
+[ 151.823152] dlm_free_mhandle+0x18/0x20
+[ 151.823781] dlm_mhandle_release+0x2e/0x40
+[ 151.824454] rcu_core+0x583/0x1330
+[ 151.825047] rcu_core_si+0xe/0x20
+[ 151.825594] __do_softirq+0xf4/0x5c2
+
+[ 151.826450] Last potentially related work creation:
+[ 151.827238] kasan_save_stack+0x26/0x50
+[ 151.827870] __kasan_record_aux_stack+0xa2/0xc0
+[ 151.828609] kasan_record_aux_stack_noalloc+0xb/0x20
+[ 151.829415] call_rcu+0x4c/0x760
+[ 151.829954] dlm_mhandle_delete+0x97/0xb0
+[ 151.830718] dlm_process_incoming_buffer+0x2fc/0xb30
+[ 151.831524] process_dlm_messages+0x16e/0x470
+[ 151.832245] process_one_work+0x505/0xa10
+[ 151.832905] worker_thread+0x67/0x650
+[ 151.833507] kthread+0x192/0x1d0
+[ 151.834046] ret_from_fork+0x1f/0x30
+
+[ 151.834900] The buggy address belongs to the object at ffff88811a980c30
+ which belongs to the cache dlm_mhandle of size 88
+[ 151.836894] The buggy address is located 48 bytes inside of
+ 88-byte region [ffff88811a980c30, ffff88811a980c88)
+
+[ 151.839007] The buggy address belongs to the physical page:
+[ 151.839904] page:0000000076cf5d62 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a980
+[ 151.841378] flags: 0x8000000000000200(slab|zone=2)
+[ 151.842141] raw: 8000000000000200 0000000000000000 dead000000000122 ffff8881089b43c0
+[ 151.843401] raw: 0000000000000000 0000000000220022 00000001ffffffff 0000000000000000
+[ 151.844640] page dumped because: kasan: bad access detected
+
+[ 151.845822] Memory state around the buggy address:
+[ 151.846602] ffff88811a980b00: fb fb fb fb fc fc fc fc fa fb fb fb fb fb fb fb
+[ 151.847761] ffff88811a980b80: fb fb fb fc fc fc fc fa fb fb fb fb fb fb fb fb
+[ 151.848921] >ffff88811a980c00: fb fb fc fc fc fc fa fb fb fb fb fb fb fb fb fb
+[ 151.850076] ^
+[ 151.851085] ffff88811a980c80: fb fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb
+[ 151.852269] ffff88811a980d00: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fc
+[ 151.853428] ==================================================================
+[ 151.855618] Disabling lock debugging due to kernel taint
+
+It is accessing a mhandle in dlm_midcomms_commit_mhandle() and the mhandle
+was freed by a call_rcu() call in dlm_process_incoming_buffer(),
+dlm_mhandle_delete(). It looks like it was freed because an ack of
+this message was received. There is a short race between committing the
+dlm message to be transmitted and getting an ack back. If the ack is
+faster than returning from dlm_midcomms_commit_msg_3_2(), then we run
+into a use-after free because we still need to reference the mhandle when
+calling srcu_read_unlock().
+
+To avoid that, we don't allow that mhandle to be freed between
+dlm_midcomms_commit_msg_3_2() and srcu_read_unlock() by using rcu read
+lock. We can do that because mhandle is protected by rcu handling.
+
+Cc: stable@vger.kernel.org
+Fixes: 489d8e559c65 ("fs: dlm: add reliable connection if reconnect")
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+[ Minor conflict resolved. ]
+Signed-off-by: Jianqiang kang <jianqkang@sina.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dlm/midcomms.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/dlm/midcomms.c
++++ b/fs/dlm/midcomms.c
+@@ -1131,8 +1131,15 @@ void dlm_midcomms_commit_mhandle(struct
+ kfree(mh);
+ break;
+ case DLM_VERSION_3_2:
++ /* held rcu read lock here, because we sending the
++ * dlm message out, when we do that we could receive
++ * an ack back which releases the mhandle and we
++ * get a use after free.
++ */
++ rcu_read_lock();
+ dlm_midcomms_commit_msg_3_2(mh);
+ srcu_read_unlock(&nodes_srcu, mh->idx);
++ rcu_read_unlock();
+ break;
+ default:
+ srcu_read_unlock(&nodes_srcu, mh->idx);
--- /dev/null
+From stable+bounces-224639-greg=kroah.com@vger.kernel.org Wed Mar 11 04:27:28 2026
+From: Johnny Hao <johnny_haocn@sina.com>
+Date: Wed, 11 Mar 2026 11:26:56 +0800
+Subject: gfs2: No more self recovery
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, Andreas Gruenbacher <agruenba@redhat.com>, Chunjie Zhu <chunjie.zhu@cloud.com>, Johnny Hao <johnny_haocn@sina.com>
+Message-ID: <20260311032656.2894235-1-johnny_haocn@sina.com>
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit deb016c1669002e48c431d6fd32ea1c20ef41756 ]
+
+When a node withdraws and it turns out that it is the only node that has
+the filesystem mounted, gfs2 currently tries to replay the local journal
+to bring the filesystem back into a consistent state. Not only is that
+a very bad idea, it has also never worked because gfs2_recover_func()
+will refuse to do anything during a withdraw.
+
+However, before even getting to this point, gfs2_recover_func()
+dereferences sdp->sd_jdesc->jd_inode. This was a use-after-free before
+commit 04133b607a78 ("gfs2: Prevent double iput for journal on error")
+and is a NULL pointer dereference since then.
+
+Simply get rid of self recovery to fix that.
+
+Fixes: 601ef0d52e96 ("gfs2: Force withdraw to replay journals and wait for it to finish")
+Reported-by: Chunjie Zhu <chunjie.zhu@cloud.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+[ The context change is due to the commit f80d882edcf2
+("gfs2: Get rid of gfs2_glock_queue_put in signal_our_withdraw")
+in v6.10 which is irrelevant to the logic of this patch. ]
+Signed-off-by: Johnny Hao <johnny_haocn@sina.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/gfs2/util.c | 30 +++++++++++-------------------
+ 1 file changed, 11 insertions(+), 19 deletions(-)
+
+--- a/fs/gfs2/util.c
++++ b/fs/gfs2/util.c
+@@ -234,31 +234,23 @@ static void signal_our_withdraw(struct g
+ */
+ ret = gfs2_glock_nq(&sdp->sd_live_gh);
+
++ gfs2_glock_put(live_gl); /* drop extra reference we acquired */
++ clear_bit(SDF_WITHDRAW_RECOVERY, &sdp->sd_flags);
++
+ /*
+ * If we actually got the "live" lock in EX mode, there are no other
+- * nodes available to replay our journal. So we try to replay it
+- * ourselves. We hold the "live" glock to prevent other mounters
+- * during recovery, then just dequeue it and reacquire it in our
+- * normal SH mode. Just in case the problem that caused us to
+- * withdraw prevents us from recovering our journal (e.g. io errors
+- * and such) we still check if the journal is clean before proceeding
+- * but we may wait forever until another mounter does the recovery.
++ * nodes available to replay our journal.
+ */
+ if (ret == 0) {
+- fs_warn(sdp, "No other mounters found. Trying to recover our "
+- "own journal jid %d.\n", sdp->sd_lockstruct.ls_jid);
+- if (gfs2_recover_journal(sdp->sd_jdesc, 1))
+- fs_warn(sdp, "Unable to recover our journal jid %d.\n",
+- sdp->sd_lockstruct.ls_jid);
+- gfs2_glock_dq_wait(&sdp->sd_live_gh);
+- gfs2_holder_reinit(LM_ST_SHARED, LM_FLAG_NOEXP | GL_EXACT,
+- &sdp->sd_live_gh);
+- gfs2_glock_nq(&sdp->sd_live_gh);
++ fs_warn(sdp, "No other mounters found.\n");
++ /*
++ * We are about to release the lockspace. By keeping live_gl
++ * locked here, we ensure that the next mounter coming along
++ * will be a "first" mounter which will perform recovery.
++ */
++ goto skip_recovery;
+ }
+
+- gfs2_glock_queue_put(live_gl); /* drop extra reference we acquired */
+- clear_bit(SDF_WITHDRAW_RECOVERY, &sdp->sd_flags);
+-
+ /*
+ * At this point our journal is evicted, so we need to get a new inode
+ * for it. Once done, we need to call gfs2_find_jhead which
--- /dev/null
+From stable+bounces-225810-greg=kroah.com@vger.kernel.org Tue Mar 17 11:53:46 2026
+From: Leon Chen <leonchen.oss@139.com>
+Date: Tue, 17 Mar 2026 18:45:43 +0800
+Subject: ice: Add netif_device_attach/detach into PF reset flow
+To: kuba@kernel.org, igor.bagnucki@intel.com, dawid.osuchowski@linux.intel.com, himasekharx.reddy.pucha@intel.com, mschmidt@redhat.com, anthony.l.nguyen@intel.com
+Cc: stable@vger.kernel.org
+Message-ID: <20260317104543.4367-1-leonchen.oss@139.com>
+
+From: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
+
+[ Upstream commit d11a67634227f9f9da51938af085fb41a733848f ]
+
+Ethtool callbacks can be executed while reset is in progress and try to
+access deleted resources, e.g. getting coalesce settings can result in a
+NULL pointer dereference seen below.
+
+Reproduction steps:
+Once the driver is fully initialized, trigger reset:
+ # echo 1 > /sys/class/net/<interface>/device/reset
+when reset is in progress try to get coalesce settings using ethtool:
+ # ethtool -c <interface>
+
+BUG: kernel NULL pointer dereference, address: 0000000000000020
+PGD 0 P4D 0
+Oops: Oops: 0000 [#1] PREEMPT SMP PTI
+CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7
+RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice]
+RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206
+RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000
+R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40
+FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0
+Call Trace:
+<TASK>
+ice_get_coalesce+0x17/0x30 [ice]
+coalesce_prepare_data+0x61/0x80
+ethnl_default_doit+0xde/0x340
+genl_family_rcv_msg_doit+0xf2/0x150
+genl_rcv_msg+0x1b3/0x2c0
+netlink_rcv_skb+0x5b/0x110
+genl_rcv+0x28/0x40
+netlink_unicast+0x19c/0x290
+netlink_sendmsg+0x222/0x490
+__sys_sendto+0x1df/0x1f0
+__x64_sys_sendto+0x24/0x30
+do_syscall_64+0x82/0x160
+entry_SYSCALL_64_after_hwframe+0x76/0x7e
+RIP: 0033:0x7faee60d8e27
+
+Calling netif_device_detach() before reset makes the net core not call
+the driver when ethtool command is issued, the attempt to execute an
+ethtool command during reset will result in the following message:
+
+ netlink error: No such device
+
+instead of NULL pointer dereference. Once reset is done and
+ice_rebuild() is executing, the netif_device_attach() is called to allow
+for ethtool operations to occur again in a safe manner.
+
+Fixes: fcea6f3da546 ("ice: Add stats and ethtool support")
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Igor Bagnucki <igor.bagnucki@intel.com>
+Signed-off-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Reviewed-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+[ Minor changed in ice_prepare_for_reset() to make sure vsi available to
+access ]
+Signed-off-by: Leon Chen <leonchen.oss@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -479,6 +479,7 @@ static void
+ ice_prepare_for_reset(struct ice_pf *pf)
+ {
+ struct ice_hw *hw = &pf->hw;
++ struct ice_vsi *vsi = ice_get_main_vsi(pf);
+ unsigned int i;
+
+ /* already prepared for reset */
+@@ -495,6 +496,9 @@ ice_prepare_for_reset(struct ice_pf *pf)
+ ice_for_each_vf(pf, i)
+ ice_set_vf_state_qs_dis(&pf->vf[i]);
+
++ if (vsi && vsi->netdev)
++ netif_device_detach(vsi->netdev);
++
+ /* clear SW filtering DB */
+ ice_clear_hw_tbls(hw);
+ /* disable the VSIs and their queues that are not already DOWN */
+@@ -6417,6 +6421,7 @@ static void ice_update_pf_netdev_link(st
+ */
+ static void ice_rebuild(struct ice_pf *pf, enum ice_reset_req reset_type)
+ {
++ struct ice_vsi *vsi = ice_get_main_vsi(pf);
+ struct device *dev = ice_pf_to_dev(pf);
+ struct ice_hw *hw = &pf->hw;
+ enum ice_status ret;
+@@ -6538,6 +6543,9 @@ static void ice_rebuild(struct ice_pf *p
+ ice_rebuild_arfs(pf);
+ }
+
++ if (vsi && vsi->netdev)
++ netif_device_attach(vsi->netdev);
++
+ ice_update_pf_netdev_link(pf);
+
+ /* tell the firmware we are up */
--- /dev/null
+From stable+bounces-226578-greg=kroah.com@vger.kernel.org Tue Mar 17 18:23:12 2026
+From: inv.git-commit@tdk.com
+Date: Tue, 17 Mar 2026 17:08:08 +0000
+Subject: iio: imu: inv_icm42600: fix odr switch when turning buffer off
+To: stable@vger.kernel.org
+Cc: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>, Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Message-ID: <20260317170808.746087-1-inv.git-commit@tdk.com>
+
+From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
+
+[ Upstream commit ffd32db8263d2d785a2c419486a450dc80693235 ]
+
+ODR switch is done in 2 steps when FIFO is on : change the ODR register
+value and acknowledge change when reading the FIFO ODR change flag.
+When we are switching odr and turning buffer off just afterward, we are
+losing the FIFO ODR change flag and ODR switch is blocked.
+
+Fix the issue by force applying any waiting ODR change when turning
+buffer off.
+
+Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping")
+Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c
+@@ -377,6 +377,7 @@ out_unlock:
+ static int inv_icm42600_buffer_postdisable(struct iio_dev *indio_dev)
+ {
+ struct inv_icm42600_state *st = iio_device_get_drvdata(indio_dev);
++ struct inv_icm42600_timestamp *ts = iio_priv(indio_dev);
+ struct device *dev = regmap_get_device(st->map);
+ unsigned int sensor;
+ unsigned int *watermark;
+@@ -398,6 +399,8 @@ static int inv_icm42600_buffer_postdisab
+
+ mutex_lock(&st->lock);
+
++ inv_icm42600_timestamp_apply_odr(ts, 0, 0, 0);
++
+ ret = inv_icm42600_buffer_set_fifo_en(st, st->fifo.en & ~sensor);
+ if (ret)
+ goto out_unlock;
--- /dev/null
+From stable+bounces-223006-greg=kroah.com@vger.kernel.org Wed Mar 4 08:36:35 2026
+From: Joonwon Kang <joonwonkang@google.com>
+Date: Wed, 4 Mar 2026 07:35:40 +0000
+Subject: mailbox: Prevent out-of-bounds access in of_mbox_index_xlate()
+To: stable@vger.kernel.org, jassisinghbrar@gmail.com
+Cc: linux-kernel@vger.kernel.org, sashal@kernel.org, Joonwon Kang <joonwonkang@google.com>
+Message-ID: <20260304073540.3227944-1-joonwonkang@google.com>
+
+From: Joonwon Kang <joonwonkang@google.com>
+
+[ Upstream commit fcd7f96c783626c07ee3ed75fa3739a8a2052310 ]
+
+Although it is guided that `#mbox-cells` must be at least 1, there are
+many instances of `#mbox-cells = <0>;` in the device tree. If that is
+the case and the corresponding mailbox controller does not provide
+`fw_xlate` and of_xlate` function pointers, `of_mbox_index_xlate()` will
+be used by default and out-of-bounds accesses could occur due to lack of
+bounds check in that function.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Joonwon Kang <joonwonkang@google.com>
+Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
+[ changed sp->nargs to sp->args_count in the code and
+fw_mbox_index_xlate() to of_mbox_index_xlate() in the commit message. ]
+Signed-off-by: Joonwon Kang <joonwonkang@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mailbox/mailbox.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -468,12 +468,10 @@ static struct mbox_chan *
+ of_mbox_index_xlate(struct mbox_controller *mbox,
+ const struct of_phandle_args *sp)
+ {
+- int ind = sp->args[0];
+-
+- if (ind >= mbox->num_chans)
++ if (sp->args_count < 1 || sp->args[0] >= mbox->num_chans)
+ return ERR_PTR(-EINVAL);
+
+- return &mbox->chans[ind];
++ return &mbox->chans[sp->args[0]];
+ }
+
+ /**
--- /dev/null
+From lanbincn@139.com Thu Feb 26 12:49:07 2026
+From: Bin Lan <lanbincn@139.com>
+Date: Thu, 26 Feb 2026 19:48:09 +0800
+Subject: net: add skb_header_pointer_careful() helper
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Bin Lan <lanbincn@139.com>
+Message-ID: <20260226114810.4142-1-lanbincn@139.com>
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 13e00fdc9236bd4d0bff4109d2983171fbcb74c4 ]
+
+This variant of skb_header_pointer() should be used in contexts
+where @offset argument is user-controlled and could be negative.
+
+Negative offsets are supported, as long as the zone starts
+between skb->head and skb->data.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260128141539.3404400-2-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Adjust context ]
+Signed-off-by: Bin Lan <lanbincn@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -3869,6 +3869,18 @@ skb_header_pointer(const struct sk_buff
+ skb_headlen(skb), buffer);
+ }
+
++/* Variant of skb_header_pointer() where @offset is user-controlled
++ * and potentially negative.
++ */
++static inline void * __must_check
++skb_header_pointer_careful(const struct sk_buff *skb, int offset,
++ int len, void *buffer)
++{
++ if (unlikely(offset < 0 && -offset > skb_headroom(skb)))
++ return NULL;
++ return skb_header_pointer(skb, offset, len, buffer);
++}
++
+ /**
+ * skb_needs_linearize - check if we need to linearize a given skb
+ * depending on the given device features.
--- /dev/null
+From lanbincn@139.com Thu Feb 26 12:49:11 2026
+From: Bin Lan <lanbincn@139.com>
+Date: Thu, 26 Feb 2026 19:48:10 +0800
+Subject: net/sched: cls_u32: use skb_header_pointer_careful()
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: Eric Dumazet <edumazet@google.com>, GangMin Kim <km.kim1503@gmail.com>, Jakub Kicinski <kuba@kernel.org>, Bin Lan <lanbincn@139.com>
+Message-ID: <20260226114810.4142-2-lanbincn@139.com>
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit cabd1a976375780dabab888784e356f574bbaed8 ]
+
+skb_header_pointer() does not fully validate negative @offset values.
+
+Use skb_header_pointer_careful() instead.
+
+GangMin Kim provided a report and a repro fooling u32_classify():
+
+BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
+net/sched/cls_u32.c:221
+
+Fixes: fbc2e7d9cf49 ("cls_u32: use skb_header_pointer() to dereference data safely")
+Reported-by: GangMin Kim <km.kim1503@gmail.com>
+Closes: https://lore.kernel.org/netdev/CANn89iJkyUZ=mAzLzC4GdcAgLuPnUoivdLaOs6B9rq5_erj76w@mail.gmail.com/T/
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260128141539.3404400-3-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Bin Lan <lanbincn@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_u32.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/net/sched/cls_u32.c
++++ b/net/sched/cls_u32.c
+@@ -149,10 +149,8 @@ next_knode:
+ int toff = off + key->off + (off2 & key->offmask);
+ __be32 *data, hdata;
+
+- if (skb_headroom(skb) + toff > INT_MAX)
+- goto out;
+-
+- data = skb_header_pointer(skb, toff, 4, &hdata);
++ data = skb_header_pointer_careful(skb, toff, 4,
++ &hdata);
+ if (!data)
+ goto out;
+ if ((*data ^ key->val) & key->mask) {
+@@ -202,8 +200,9 @@ check_terminal:
+ if (ht->divisor) {
+ __be32 *data, hdata;
+
+- data = skb_header_pointer(skb, off + n->sel.hoff, 4,
+- &hdata);
++ data = skb_header_pointer_careful(skb,
++ off + n->sel.hoff,
++ 4, &hdata);
+ if (!data)
+ goto out;
+ sel = ht->divisor & u32_hash_fold(*data, &n->sel,
+@@ -217,7 +216,7 @@ check_terminal:
+ if (n->sel.flags & TC_U32_VAROFFSET) {
+ __be16 *data, hdata;
+
+- data = skb_header_pointer(skb,
++ data = skb_header_pointer_careful(skb,
+ off + n->sel.offoff,
+ 2, &hdata);
+ if (!data)
--- /dev/null
+From stable+bounces-225502-greg=kroah.com@vger.kernel.org Mon Mar 16 07:06:18 2026
+From: Rahul Sharma <black.hawk@163.com>
+Date: Mon, 16 Mar 2026 14:03:50 +0800
+Subject: net: stmmac: fix TSO DMA API usage causing oops
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, "Russell King (Oracle)" <rmk+kernel@armlinux.org.uk>, Jon Hunter <jonathanh@nvidia.com>, Thierry Reding <thierry.reding@gmail.com>, Furong Xu <0x1207@gmail.com>, Jakub Kicinski <kuba@kernel.org>, Rahul Sharma <black.hawk@163.com>
+Message-ID: <20260316060350.2568-1-black.hawk@163.com>
+
+From: "Russell King (Oracle)" <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit 4c49f38e20a57f8abaebdf95b369295b153d1f8e ]
+
+Commit 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap
+for non-paged SKB data") moved the assignment of tx_skbuff_dma[]'s
+members to be later in stmmac_tso_xmit().
+
+The buf (dma cookie) and len stored in this structure are passed to
+dma_unmap_single() by stmmac_tx_clean(). The DMA API requires that
+the dma cookie passed to dma_unmap_single() is the same as the value
+returned from dma_map_single(). However, by moving the assignment
+later, this is not the case when priv->dma_cap.addr64 > 32 as "des"
+is offset by proto_hdr_len.
+
+This causes problems such as:
+
+ dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed
+
+and with DMA_API_DEBUG enabled:
+
+ DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes]
+
+Fix this by maintaining "des" as the original DMA cookie, and use
+tso_des to pass the offset DMA cookie to stmmac_tso_allocator().
+
+Full details of the crashes can be found at:
+https://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/
+https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/
+
+Reported-by: Jon Hunter <jonathanh@nvidia.com>
+Reported-by: Thierry Reding <thierry.reding@gmail.com>
+Fixes: 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data")
+Tested-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Furong Xu <0x1207@gmail.com>
+Link: https://patch.msgid.link/E1tJXcx-006N4Z-PC@rmk-PC.armlinux.org.uk
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ The context change is due to the commit 041cc86b3653
+("net: stmmac: Enable TSO on VLANs") in v6.11 which is irrelevant to
+the logic of this patch. ]
+Signed-off-by: Rahul Sharma <black.hawk@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -4034,9 +4034,9 @@ static netdev_tx_t stmmac_tso_xmit(struc
+ int tmp_pay_len = 0, first_tx;
+ struct stmmac_tx_queue *tx_q;
+ bool has_vlan, set_ic;
++ dma_addr_t tso_des, des;
+ u8 proto_hdr_len, hdr;
+ u32 pay_len, mss;
+- dma_addr_t des;
+ int i;
+
+ tx_q = &priv->tx_queue[queue];
+@@ -4120,14 +4120,15 @@ static netdev_tx_t stmmac_tso_xmit(struc
+
+ /* If needed take extra descriptors to fill the remaining payload */
+ tmp_pay_len = pay_len - TSO_MAX_BUFF_SIZE;
++ tso_des = des;
+ } else {
+ stmmac_set_desc_addr(priv, first, des);
+ tmp_pay_len = pay_len;
+- des += proto_hdr_len;
++ tso_des = des + proto_hdr_len;
+ pay_len = 0;
+ }
+
+- stmmac_tso_allocator(priv, des, tmp_pay_len, (nfrags == 0), queue);
++ stmmac_tso_allocator(priv, tso_des, tmp_pay_len, (nfrags == 0), queue);
+
+ /* In case two or more DMA transmit descriptors are allocated for this
+ * non-paged SKB data, the DMA buffer address should be saved to
--- /dev/null
+From jetlan9@163.com Mon Mar 23 09:01:18 2026
+From: Wenshan Lan <jetlan9@163.com>
+Date: Mon, 23 Mar 2026 16:00:21 +0800
+Subject: net: usb: lan78xx: Fix double free issue with interrupt buffer allocation
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: netdev@vger.kernel.org, Oleksij Rempel <o.rempel@pengutronix.de>, John Efstathiades <john.efstathiades@pebblebay.com>, Jakub Kicinski <kuba@kernel.org>, Wenshan Lan <jetlan9@163.com>
+Message-ID: <20260323080021.1172236-1-jetlan9@163.com>
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 03819abbeb11117dcbba40bfe322b88c0c88a6b6 ]
+
+In lan78xx_probe(), the buffer `buf` was being freed twice: once
+implicitly through `usb_free_urb(dev->urb_intr)` with the
+`URB_FREE_BUFFER` flag and again explicitly by `kfree(buf)`. This caused
+a double free issue.
+
+To resolve this, reordered `kmalloc()` and `usb_alloc_urb()` calls to
+simplify the initialization sequence and removed the redundant
+`kfree(buf)`. Now, `buf` is allocated after `usb_alloc_urb()`, ensuring
+it is correctly managed by `usb_fill_int_urb()` and freed by
+`usb_free_urb()` as intended.
+
+Fixes: a6df95cae40b ("lan78xx: Fix memory allocation bug")
+Cc: John Efstathiades <john.efstathiades@pebblebay.com>
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://patch.msgid.link/20241116130558.1352230-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Adjust context. Make the function usb_alloc_urb() call before
+kmalloc(). ]
+Signed-off-by: Wenshan Lan <jetlan9@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/lan78xx.c | 29 ++++++++++++++---------------
+ 1 file changed, 14 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -4111,29 +4111,30 @@ static int lan78xx_probe(struct usb_inte
+
+ period = ep_intr->desc.bInterval;
+ maxp = usb_maxpacket(dev->udev, dev->pipe_intr, 0);
+- buf = kmalloc(maxp, GFP_KERNEL);
+- if (!buf) {
++
++ dev->urb_intr = usb_alloc_urb(0, GFP_KERNEL);
++ if (!dev->urb_intr) {
+ ret = -ENOMEM;
+ goto out3;
+ }
+
+- dev->urb_intr = usb_alloc_urb(0, GFP_KERNEL);
+- if (!dev->urb_intr) {
++ buf = kmalloc(maxp, GFP_KERNEL);
++ if (!buf) {
+ ret = -ENOMEM;
+- goto out4;
+- } else {
+- usb_fill_int_urb(dev->urb_intr, dev->udev,
+- dev->pipe_intr, buf, maxp,
+- intr_complete, dev, period);
+- dev->urb_intr->transfer_flags |= URB_FREE_BUFFER;
++ goto free_urbs;
+ }
+
++ usb_fill_int_urb(dev->urb_intr, dev->udev,
++ dev->pipe_intr, buf, maxp,
++ intr_complete, dev, period);
++ dev->urb_intr->transfer_flags |= URB_FREE_BUFFER;
++
+ dev->maxpacket = usb_maxpacket(dev->udev, dev->pipe_out, 1);
+
+ /* Reject broken descriptors. */
+ if (dev->maxpacket == 0) {
+ ret = -ENODEV;
+- goto out5;
++ goto free_urbs;
+ }
+
+ /* driver requires remote-wakeup capability during autosuspend. */
+@@ -4141,7 +4142,7 @@ static int lan78xx_probe(struct usb_inte
+
+ ret = lan78xx_phy_init(dev);
+ if (ret < 0)
+- goto out5;
++ goto free_urbs;
+
+ ret = register_netdev(netdev);
+ if (ret != 0) {
+@@ -4163,10 +4164,8 @@ static int lan78xx_probe(struct usb_inte
+
+ out6:
+ phy_disconnect(netdev->phydev);
+-out5:
++free_urbs:
+ usb_free_urb(dev->urb_intr);
+-out4:
+- kfree(buf);
+ out3:
+ lan78xx_unbind(dev, intf);
+ out2:
--- /dev/null
+From stable+bounces-217802-greg=kroah.com@vger.kernel.org Mon Feb 23 18:24:30 2026
+From: Jaskaran Singh <jsingh@cloudlinux.com>
+Date: Mon, 23 Feb 2026 22:53:32 +0530
+Subject: nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()
+To: stable@vger.kernel.org, james.smart@broadcom.com, kbusch@kernel.org, axboe@fb.com, hch@lst.de, sagi@grimberg.me
+Cc: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org, Jaskaran Singh <jsingh@cloudlinux.com>, Marco Patalano <mpatalan@redhat.com>, Justin Tee <justin.tee@broadcom.com>, "Ewan D . Milne" <emilne@redhat.com>
+Message-ID: <20260223172332.291881-3-jsingh@cloudlinux.com>
+
+From: Jaskaran Singh <jsingh@cloudlinux.com>
+
+commit 0a2c5495b6d1ecb0fa18ef6631450f391a888256 upstream.
+
+nvme_fc_delete_assocation() waits for pending I/O to complete before
+returning, and an error can cause ->ioerr_work to be queued after
+cancel_work_sync() had been called. Move the call to cancel_work_sync() to
+be after nvme_fc_delete_association() to ensure ->ioerr_work is not running
+when the nvme_fc_ctrl object is freed. Otherwise the following can occur:
+
+[ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL
+[ 1135.917705] ------------[ cut here ]------------
+[ 1135.922336] kernel BUG at lib/list_debug.c:52!
+[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI
+[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)
+[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025
+[ 1135.950969] Workqueue: 0x0 (nvme-wq)
+[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b
+[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046
+[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000
+[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0
+[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08
+[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100
+[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0
+[ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000
+[ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0
+[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
+[ 1136.055910] PKRU: 55555554
+[ 1136.058623] Call Trace:
+[ 1136.061074] <TASK>
+[ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0
+[ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0
+[ 1136.071898] ? move_linked_works+0x4a/0xa0
+[ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.081744] ? __die_body.cold+0x8/0x12
+[ 1136.085584] ? die+0x2e/0x50
+[ 1136.088469] ? do_trap+0xca/0x110
+[ 1136.091789] ? do_error_trap+0x65/0x80
+[ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.101289] ? exc_invalid_op+0x50/0x70
+[ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20
+[ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.120806] move_linked_works+0x4a/0xa0
+[ 1136.124733] worker_thread+0x216/0x3a0
+[ 1136.128485] ? __pfx_worker_thread+0x10/0x10
+[ 1136.132758] kthread+0xfa/0x240
+[ 1136.135904] ? __pfx_kthread+0x10/0x10
+[ 1136.139657] ret_from_fork+0x31/0x50
+[ 1136.143236] ? __pfx_kthread+0x10/0x10
+[ 1136.146988] ret_from_fork_asm+0x1a/0x30
+[ 1136.150915] </TASK>
+
+Fixes: 19fce0470f05 ("nvme-fc: avoid calling _nvme_fc_abort_outstanding_ios from interrupt context")
+Cc: stable@vger.kernel.org
+Tested-by: Marco Patalano <mpatalan@redhat.com>
+Reviewed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jaskaran Singh <jsingh@cloudlinux.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/fc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -3263,13 +3263,13 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc
+ {
+ struct nvme_fc_ctrl *ctrl = to_fc_ctrl(nctrl);
+
+- cancel_work_sync(&ctrl->ioerr_work);
+ cancel_delayed_work_sync(&ctrl->connect_work);
+ /*
+ * kill the association on the link side. this will block
+ * waiting for io to terminate
+ */
+ nvme_fc_delete_association(ctrl);
++ cancel_work_sync(&ctrl->ioerr_work);
+ }
+
+ static void
--- /dev/null
+From stable+bounces-225498-greg=kroah.com@vger.kernel.org Mon Mar 16 04:30:32 2026
+From: Leon Chen <leonchen.oss@139.com>
+Date: Mon, 16 Mar 2026 11:27:06 +0800
+Subject: nvmet: always initialize cqe.result
+To: dwagner@suse.de, hch@lst.de, kbusch@kernel.org
+Cc: stable@vger.kernel.org
+Message-ID: <20260316032706.2924-1-leonchen.oss@139.com>
+
+From: Daniel Wagner <dwagner@suse.de>
+
+[ Upstream commit cd0c1b8e045a8d2785342b385cb2684d9b48e426 ]
+
+The spec doesn't mandate that the first two double words (aka results)
+for the command queue entry need to be set to 0 when they are not
+used (not specified). Though, the target implemention returns 0 for TCP
+and FC but not for RDMA.
+
+Let's make RDMA behave the same and thus explicitly initializing the
+result field. This prevents leaking any data from the stack.
+
+Signed-off-by: Daniel Wagner <dwagner@suse.de>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+[ Ignored the fabrics-cmd-auth.c, it was introduced in commit:db1312dd9548
+("nvmet: implement basic In-Band Authentication") ]
+Signed-off-by: Leon Chen <leonchen.oss@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/target/core.c | 1 +
+ drivers/nvme/target/fabrics-cmd.c | 6 ------
+ 2 files changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -932,6 +932,7 @@ bool nvmet_req_init(struct nvmet_req *re
+ req->metadata_sg_cnt = 0;
+ req->transfer_len = 0;
+ req->metadata_len = 0;
++ req->cqe->result.u64 = 0;
+ req->cqe->status = 0;
+ req->cqe->sq_head = 0;
+ req->ns = NULL;
+--- a/drivers/nvme/target/fabrics-cmd.c
++++ b/drivers/nvme/target/fabrics-cmd.c
+@@ -187,9 +187,6 @@ static void nvmet_execute_admin_connect(
+ if (status)
+ goto out;
+
+- /* zero out initial completion result, assign values as needed */
+- req->cqe->result.u32 = 0;
+-
+ if (c->recfmt != 0) {
+ pr_warn("invalid connect version (%d).\n",
+ le16_to_cpu(c->recfmt));
+@@ -255,9 +252,6 @@ static void nvmet_execute_io_connect(str
+ if (status)
+ goto out;
+
+- /* zero out initial completion result, assign values as needed */
+- req->cqe->result.u32 = 0;
+-
+ if (c->recfmt != 0) {
+ pr_warn("invalid connect version (%d).\n",
+ le16_to_cpu(c->recfmt));
--- /dev/null
+From stable+bounces-225735-greg=kroah.com@vger.kernel.org Tue Mar 17 03:58:16 2026
+From: Robert Garcia <rob_garcia@163.com>
+Date: Tue, 17 Mar 2026 10:55:58 +0800
+Subject: pstore: inode: Only d_invalidate() is needed
+To: stable@vger.kernel.org, Kees Cook <keescook@chromium.org>
+Cc: "Guilherme G . Piccoli" <gpiccoli@igalia.com>, Tony Luck <tony.luck@intel.com>, linux-hardening@vger.kernel.org, Robert Garcia <rob_garcia@163.com>, Anton Vorontsov <anton@enomsg.org>, Colin Cross <ccross@android.com>, linux-kernel@vger.kernel.org
+Message-ID: <20260317025558.1666400-1-rob_garcia@163.com>
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit a43e0fc5e9134a46515de2f2f8d4100b74e50de3 ]
+
+Unloading a modular pstore backend with records in pstorefs would
+trigger the dput() double-drop warning:
+
+ WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410
+
+Using the combo of d_drop()/dput() (as mentioned in
+Documentation/filesystems/vfs.rst) isn't the right approach here, and
+leads to the reference counting problem seen above. Use d_invalidate()
+and update the code to not bother checking for error codes that can
+never happen.
+
+Suggested-by: Alexander Viro <viro@zeniv.linux.org.uk>
+Fixes: 609e28bb139e ("pstore: Remove filesystem records when backend is unregistered")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+Cc: "Guilherme G. Piccoli" <gpiccoli@igalia.com>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-hardening@vger.kernel.org
+[ Minor context change fixed. ]
+Signed-off-by: Robert Garcia <rob_garcia@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/pstore/inode.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/fs/pstore/inode.c
++++ b/fs/pstore/inode.c
+@@ -312,7 +312,6 @@ int pstore_put_backend_records(struct ps
+ {
+ struct pstore_private *pos, *tmp;
+ struct dentry *root;
+- int rc = 0;
+
+ root = psinfo_lock_root();
+ if (!root)
+@@ -322,11 +321,8 @@ int pstore_put_backend_records(struct ps
+ list_for_each_entry_safe(pos, tmp, &records_list, list) {
+ if (pos->record->psi == psi) {
+ list_del_init(&pos->list);
+- rc = simple_unlink(d_inode(root), pos->dentry);
+- if (WARN_ON(rc))
+- break;
+- d_drop(pos->dentry);
+- dput(pos->dentry);
++ d_invalidate(pos->dentry);
++ simple_unlink(d_inode(root), pos->dentry);
+ pos->dentry = NULL;
+ }
+ }
+@@ -334,7 +330,7 @@ int pstore_put_backend_records(struct ps
+
+ inode_unlock(d_inode(root));
+
+- return rc;
++ return 0;
+ }
+
+ /*
--- /dev/null
+From stable+bounces-217801-greg=kroah.com@vger.kernel.org Mon Feb 23 18:30:29 2026
+From: Jaskaran Singh <jsingh@cloudlinux.com>
+Date: Mon, 23 Feb 2026 22:53:31 +0530
+Subject: Revert "nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()"
+To: stable@vger.kernel.org, james.smart@broadcom.com, kbusch@kernel.org, axboe@fb.com, hch@lst.de, sagi@grimberg.me
+Cc: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org, Jaskaran Singh <jsingh@cloudlinux.com>
+Message-ID: <20260223172332.291881-2-jsingh@cloudlinux.com>
+
+From: Jaskaran Singh <jsingh@cloudlinux.com>
+
+This reverts commit 60ba31330faf5677e2eebef7eac62ea9e42a200d.
+
+The backport of upstream commit 0a2c5495b6d1 was incorrectly applied.
+The cancel_work_sync() call for ->ioerr_work was added to
+nvme_fc_reset_ctrl_work() instead of nvme_fc_delete_ctrl().
+
+Revert this commit so the correct fix can be applied.
+
+Signed-off-by: Jaskaran Singh <jsingh@cloudlinux.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/fc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -3263,6 +3263,7 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc
+ {
+ struct nvme_fc_ctrl *ctrl = to_fc_ctrl(nctrl);
+
++ cancel_work_sync(&ctrl->ioerr_work);
+ cancel_delayed_work_sync(&ctrl->connect_work);
+ /*
+ * kill the association on the link side. this will block
+@@ -3333,7 +3334,6 @@ nvme_fc_reset_ctrl_work(struct work_stru
+
+ /* will block will waiting for io to terminate */
+ nvme_fc_delete_association(ctrl);
+- cancel_work_sync(&ctrl->ioerr_work);
+
+ if (!nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING))
+ dev_err(ctrl->ctrl.device,
--- /dev/null
+From f775276edc0c505dc0f782773796c189f31a1123 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Mon, 2 Mar 2026 14:34:58 +0100
+Subject: s390/xor: Fix xor_xc_2() inline assembly constraints
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+commit f775276edc0c505dc0f782773796c189f31a1123 upstream.
+
+The inline assembly constraints for xor_xc_2() are incorrect. "bytes",
+"p1", and "p2" are input operands, while all three of them are modified
+within the inline assembly. Given that the function consists only of this
+inline assembly it seems unlikely that this may cause any problems, however
+fix this in any case.
+
+Fixes: 2cfc5f9ce7f5 ("s390/xor: optimized xor routing using the XC instruction")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Link: https://lore.kernel.org/r/20260302133500.1560531-2-hca@linux.ibm.com
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/lib/xor.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/lib/xor.c
++++ b/arch/s390/lib/xor.c
+@@ -28,8 +28,8 @@ static void xor_xc_2(unsigned long bytes
+ " j 3f\n"
+ "2: xc 0(1,%1),0(%2)\n"
+ "3:\n"
+- : : "d" (bytes), "a" (p1), "a" (p2)
+- : "0", "1", "cc", "memory");
++ : "+d" (bytes), "+a" (p1), "+a" (p2)
++ : : "0", "1", "cc", "memory");
+ }
+
+ static void xor_xc_3(unsigned long bytes, unsigned long *p1, unsigned long *p2,
ocfs2-fix-possible-deadlock-between-unlink-and-dio_end_io_write.patch
mm-blk-cgroup-fix-use-after-free-in-cgwb_release_workfn.patch
mptcp-fix-lock-class-name-family-in-pm_nl_create_listen_socket.patch
-xen-netfront-handle-null-returned-by-xdp_convert_buff_to_frame.patch
tty-n_gsm-fix-deadlock-and-link-starvation-in-outgoing-data-path.patch
netdevsim-fix-memory-leak-of-nsim_dev-fa_cookie.patch
+revert-nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
+nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
+alsa-control-avoid-warn-for-symlink-errors.patch
+s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch
+f2fs-fix-null-ptr-deref-in-f2fs_submit_page_bio.patch
+wifi-iwlwifi-read-txq-read_ptr-under-lock.patch
+blk-mq-use-quiesced-elevator-switch-when-reinitializing-queues.patch
+dm-verity-disable-recursive-forward-error-correction.patch
+net-add-skb_header_pointer_careful-helper.patch
+net-sched-cls_u32-use-skb_header_pointer_careful.patch
+dmaengine-mmp_pdma-fix-race-condition-in-mmp_pdma_residue.patch
+fs-dlm-fix-use-after-free-in-midcomms-commit.patch
+spi-cadence-quadspi-implement-refcount-to-handle-unbind-during-busy.patch
+x86-uprobes-fix-xol-allocation-failure-for-32-bit-tasks.patch
+btrfs-send-check-for-inline-extents-in-range_is_hole_in_parent.patch
+btrfs-do-not-strictly-require-dirty-metadata-threshold-for-metadata-writepages.patch
+mailbox-prevent-out-of-bounds-access-in-of_mbox_index_xlate.patch
+bluetooth-hci_core-fix-use-after-free-in-vhci_flush.patch
+dlm-fix-possible-lkb_resource-null-dereference.patch
+bpf-do-mark_chain_precision-for-arg_const_alloc_size_or_zero.patch
+gfs2-no-more-self-recovery.patch
+binfmt_misc-restore-write-access-before-closing-files-opened-by-open_exec.patch
+drm-amdgpu-unmap-and-remove-csa_va-properly.patch
+nvmet-always-initialize-cqe.result.patch
+net-stmmac-fix-tso-dma-api-usage-causing-oops.patch
+f2fs-fix-to-wait-on-block-writeback-for-post_read-case.patch
+pstore-inode-only-d_invalidate-is-needed.patch
+alsa-usb-audio-kill-timer-properly-at-removal.patch
+ice-add-netif_device_attach-detach-into-pf-reset-flow.patch
+iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch
+bluetooth-af_bluetooth-fix-deadlock.patch
+can-gs_usb-gs_usb_xmit_callback-fix-handling-of-failed-transmitted-urbs.patch
+vdpa-add-max-vqp-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch
+f2fs-fix-to-trigger-foreground-gc-during-f2fs_map_blocks-in-lfs-mode.patch
+sunrpc-lock-against-sock-changing-during-sysfs-read.patch
+net-usb-lan78xx-fix-double-free-issue-with-interrupt-buffer-allocation.patch
--- /dev/null
+From stable+bounces-222519-greg=kroah.com@vger.kernel.org Mon Mar 2 07:48:17 2026
+From: Robert Garcia <rob_garcia@163.com>
+Date: Mon, 2 Mar 2026 14:47:39 +0800
+Subject: spi: cadence-quadspi: Implement refcount to handle unbind during busy
+To: stable@vger.kernel.org, Khairul Anuar Romli <khairul.anuar.romli@altera.com>
+Cc: Mark Brown <broonie@kernel.org>, Niravkumar L Rabara <nirav.rabara@altera.com>, Robert Garcia <rob_garcia@163.com>, linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org
+Message-ID: <20260302064739.1924977-1-rob_garcia@163.com>
+
+From: Khairul Anuar Romli <khairul.anuar.romli@altera.com>
+
+[ Upstream commit 7446284023e8ef694fb392348185349c773eefb3 ]
+
+driver support indirect read and indirect write operation with
+assumption no force device removal(unbind) operation. However
+force device removal(removal) is still available to root superuser.
+
+Unbinding driver during operation causes kernel crash. This changes
+ensure driver able to handle such operation for indirect read and
+indirect write by implementing refcount to track attached devices
+to the controller and gracefully wait and until attached devices
+remove operation completed before proceed with removal operation.
+
+Signed-off-by: Khairul Anuar Romli <khairul.anuar.romli@altera.com>
+Reviewed-by: Matthew Gerlach <matthew.gerlach@altera.com>
+Reviewed-by: Niravkumar L Rabara <nirav.rabara@altera.com>
+Link: https://patch.msgid.link/8704fd6bd2ff4d37bba4a0eacf5eba3ba001079e.1756168074.git.khairul.anuar.romli@altera.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+[Add cqspi defination in cqspi_exec_mem_op and minor context change fixed.]
+Signed-off-by: Robert Garcia <rob_garcia@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-cadence-quadspi.c | 34 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+--- a/drivers/spi/spi-cadence-quadspi.c
++++ b/drivers/spi/spi-cadence-quadspi.c
+@@ -85,6 +85,8 @@ struct cqspi_st {
+ bool use_direct_mode;
+ struct cqspi_flash_pdata f_pdata[CQSPI_MAX_CHIPSELECT];
+ bool wr_completion;
++ refcount_t refcount;
++ refcount_t inflight_ops;
+ };
+
+ struct cqspi_driver_platdata {
+@@ -684,6 +686,9 @@ static int cqspi_indirect_read_execute(s
+ u8 *rxbuf_end = rxbuf + n_rx;
+ int ret = 0;
+
++ if (!refcount_read(&cqspi->refcount))
++ return -ENODEV;
++
+ writel(from_addr, reg_base + CQSPI_REG_INDIRECTRDSTARTADDR);
+ writel(remaining, reg_base + CQSPI_REG_INDIRECTRDBYTES);
+
+@@ -826,6 +831,9 @@ static int cqspi_indirect_write_execute(
+ unsigned int write_bytes;
+ int ret;
+
++ if (!refcount_read(&cqspi->refcount))
++ return -ENODEV;
++
+ writel(to_addr, reg_base + CQSPI_REG_INDIRECTWRSTARTADDR);
+ writel(remaining, reg_base + CQSPI_REG_INDIRECTWRBYTES);
+
+@@ -1210,11 +1218,29 @@ static int cqspi_mem_process(struct spi_
+ static int cqspi_exec_mem_op(struct spi_mem *mem, const struct spi_mem_op *op)
+ {
+ int ret;
++ struct cqspi_st *cqspi = spi_controller_get_devdata(mem->spi->controller);
++
++ if (refcount_read(&cqspi->inflight_ops) == 0)
++ return -ENODEV;
++
++ if (!refcount_read(&cqspi->refcount))
++ return -EBUSY;
++
++ refcount_inc(&cqspi->inflight_ops);
++
++ if (!refcount_read(&cqspi->refcount)) {
++ if (refcount_read(&cqspi->inflight_ops))
++ refcount_dec(&cqspi->inflight_ops);
++ return -EBUSY;
++ }
+
+ ret = cqspi_mem_process(mem, op);
+ if (ret)
+ dev_err(&mem->spi->dev, "operation failed with %d\n", ret);
+
++ if (refcount_read(&cqspi->inflight_ops) > 1)
++ refcount_dec(&cqspi->inflight_ops);
++
+ return ret;
+ }
+
+@@ -1564,6 +1590,9 @@ static int cqspi_probe(struct platform_d
+ cqspi->wr_completion = false;
+ }
+
++ refcount_set(&cqspi->refcount, 1);
++ refcount_set(&cqspi->inflight_ops, 1);
++
+ ret = devm_request_irq(dev, irq, cqspi_irq_handler, 0,
+ pdev->name, cqspi);
+ if (ret) {
+@@ -1613,6 +1642,11 @@ static int cqspi_remove(struct platform_
+ {
+ struct cqspi_st *cqspi = platform_get_drvdata(pdev);
+
++ refcount_set(&cqspi->refcount, 0);
++
++ if (!refcount_dec_and_test(&cqspi->inflight_ops))
++ cqspi_wait_idle(cqspi);
++
+ cqspi_controller_enable(cqspi, 0);
+
+ if (cqspi->rx_chan)
--- /dev/null
+From stable+bounces-226991-greg=kroah.com@vger.kernel.org Wed Mar 18 08:59:04 2026
+From: Robert Garcia <rob_garcia@163.com>
+Date: Wed, 18 Mar 2026 15:55:51 +0800
+Subject: SUNRPC: lock against ->sock changing during sysfs read
+To: stable@vger.kernel.org, Johannes Berg <johannes.berg@intel.com>
+Cc: Miri Korenblit <miriam.rachel.korenblit@intel.com>, Trond Myklebust <trond.myklebust@hammerspace.com>, Anna Schumaker <anna.schumaker@netapp.com>, Robert Garcia <rob_garcia@163.com>, "J . Bruce Fields" <bfields@fieldses.org>, Chuck Lever <chuck.lever@oracle.com>, "David S . Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, Olga Kornievskaia <kolga@netapp.com>, linux-nfs@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
+Message-ID: <20260318075551.1668418-1-rob_garcia@163.com>
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit b49ea673e119f59c71645e2f65b3ccad857c90ee ]
+
+->sock can be set to NULL asynchronously unless ->recv_mutex is held.
+So it is important to hold that mutex. Otherwise a sysfs read can
+trigger an oops.
+Commit 17f09d3f619a ("SUNRPC: Check if the xprt is connected before
+handling sysfs reads") appears to attempt to fix this problem, but it
+only narrows the race window.
+
+Fixes: 17f09d3f619a ("SUNRPC: Check if the xprt is connected before handling sysfs reads")
+Fixes: a8482488a7d6 ("SUNRPC query transport's source port")
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Robert Garcia <rob_garcia@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/sysfs.c | 5 ++++-
+ net/sunrpc/xprtsock.c | 7 ++++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/sunrpc/sysfs.c
++++ b/net/sunrpc/sysfs.c
+@@ -113,11 +113,14 @@ static ssize_t rpc_sysfs_xprt_srcaddr_sh
+ return 0;
+
+ sock = container_of(xprt, struct sock_xprt, xprt);
+- if (kernel_getsockname(sock->sock, (struct sockaddr *)&saddr) < 0)
++ mutex_lock(&sock->recv_mutex);
++ if (sock->sock == NULL ||
++ kernel_getsockname(sock->sock, (struct sockaddr *)&saddr) < 0)
+ goto out;
+
+ ret = sprintf(buf, "%pISc\n", &saddr);
+ out:
++ mutex_unlock(&sock->recv_mutex);
+ xprt_put(xprt);
+ return ret + 1;
+ }
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -1680,7 +1680,12 @@ static int xs_get_srcport(struct sock_xp
+ unsigned short get_srcport(struct rpc_xprt *xprt)
+ {
+ struct sock_xprt *sock = container_of(xprt, struct sock_xprt, xprt);
+- return xs_sock_getport(sock->sock);
++ unsigned short ret = 0;
++ mutex_lock(&sock->recv_mutex);
++ if (sock->sock)
++ ret = xs_sock_getport(sock->sock);
++ mutex_unlock(&sock->recv_mutex);
++ return ret;
+ }
+ EXPORT_SYMBOL(get_srcport);
+
--- /dev/null
+From stable+bounces-223041-greg=kroah.com@vger.kernel.org Wed Mar 4 13:06:17 2026
+From: Alva Lan <alvalan9@foxmail.com>
+Date: Wed, 4 Mar 2026 20:05:20 +0800
+Subject: vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: mst@redhat.com, jasowang@redhat.com, xuanzhuo@linux.alibaba.com, eperezma@redhat.com, Lin Ma <linma@zju.edu.cn>, Alva Lan <alvalan9@foxmail.com>
+Message-ID: <tencent_809270D680389230500DD8B455354E1F1408@qq.com>
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit 5d6ba607d6cb5c58a4ddf33381e18c83dbb4098f ]
+
+The vdpa_nl_policy structure is used to validate the nlattr when parsing
+the incoming nlmsg. It will ensure the attribute being described produces
+a valid nlattr pointer in info->attrs before entering into each handler
+in vdpa_nl_ops.
+
+That is to say, the missing part in vdpa_nl_policy may lead to illegal
+nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.
+
+This patch adds the missing nla_policy for vdpa max vqp attr to avoid
+such bugs.
+
+Fixes: ad69dd0bf26b ("vdpa: Introduce query of device config layout")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Cc: stable@vger.kernel.org
+Message-Id: <20230727175757.73988-7-dtatulea@nvidia.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+[ Minor context conflict resolved. ]
+Signed-off-by: Alva Lan <alvalan9@foxmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vdpa/vdpa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/vdpa/vdpa.c
++++ b/drivers/vdpa/vdpa.c
+@@ -847,6 +847,7 @@ static const struct nla_policy vdpa_nl_p
+ [VDPA_ATTR_MGMTDEV_BUS_NAME] = { .type = NLA_NUL_STRING },
+ [VDPA_ATTR_MGMTDEV_DEV_NAME] = { .type = NLA_STRING },
+ [VDPA_ATTR_DEV_NAME] = { .type = NLA_STRING },
++ [VDPA_ATTR_DEV_NET_CFG_MAX_VQP] = { .type = NLA_U16 },
+ };
+
+ static const struct genl_ops vdpa_nl_ops[] = {
--- /dev/null
+From c2ace6300600c634553657785dfe5ea0ed688ac2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 19 Mar 2024 10:10:22 +0200
+Subject: wifi: iwlwifi: read txq->read_ptr under lock
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit c2ace6300600c634553657785dfe5ea0ed688ac2 upstream.
+
+If we read txq->read_ptr without lock, we can read the same
+value twice, then obtain the lock, and reclaim from there
+to two different places, but crucially reclaim the same
+entry twice, resulting in the WARN_ONCE() a little later.
+Fix that by reading txq->read_ptr under lock.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20240319100755.bf4c62196504.I978a7ca56c6bd6f1bf42c15aa923ba03366a840b@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+[ Change read_ptr definition according to commit
+413be839bfca9("wifi: iwlwifi: add a validity check of queue_id in iwl_txq_reclaim"). ]
+Signed-off-by: Robert Garcia <rob_garcia@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/queue/tx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/queue/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/queue/tx.c
+@@ -1524,7 +1524,7 @@ void iwl_txq_reclaim(struct iwl_trans *t
+ {
+ struct iwl_txq *txq = trans->txqs.txq[txq_id];
+ int tfd_num = iwl_txq_get_cmd_index(txq, ssn);
+- int read_ptr = iwl_txq_get_cmd_index(txq, txq->read_ptr);
++ int read_ptr;
+ int last_to_free;
+
+ /* This function is not meant to release cmd queue*/
+@@ -1532,6 +1532,7 @@ void iwl_txq_reclaim(struct iwl_trans *t
+ return;
+
+ spin_lock_bh(&txq->lock);
++ read_ptr = iwl_txq_get_cmd_index(txq, txq->read_ptr);
+
+ if (!test_bit(txq_id, trans->txqs.queue_used)) {
+ IWL_DEBUG_TX_QUEUES(trans, "Q %d inactive - ignoring idx %d\n",
--- /dev/null
+From stable+bounces-222631-greg=kroah.com@vger.kernel.org Mon Mar 2 16:48:40 2026
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Mon, 2 Mar 2026 16:42:20 +0100
+Subject: x86/uprobes: Fix XOL allocation failure for 32-bit tasks
+To: Sasha Levin <sashal@kernel.org>
+Cc: stable@vger.kernel.org, Paulo Andrade <pandrade@redhat.com>, "Peter Zijlstra (Intel)" <peterz@infradead.org>, linux-trace-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org
+Message-ID: <aaWv3NJi9WAPj8CT@redhat.com>
+Content-Disposition: inline
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+[ Upstream commit d55c571e4333fac71826e8db3b9753fadfbead6a ]
+
+This script
+
+ #!/usr/bin/bash
+
+ echo 0 > /proc/sys/kernel/randomize_va_space
+
+ echo 'void main(void) {}' > TEST.c
+
+ # -fcf-protection to ensure that the 1st endbr32 insn can't be emulated
+ gcc -m32 -fcf-protection=branch TEST.c -o test
+
+ bpftrace -e 'uprobe:./test:main {}' -c ./test
+
+"hangs", the probed ./test task enters an endless loop.
+
+The problem is that with randomize_va_space == 0
+get_unmapped_area(TASK_SIZE - PAGE_SIZE) called by xol_add_vma() can not
+just return the "addr == TASK_SIZE - PAGE_SIZE" hint, this addr is used
+by the stack vma.
+
+arch_get_unmapped_area_topdown() doesn't take TIF_ADDR32 into account and
+in_32bit_syscall() is false, this leads to info.high_limit > TASK_SIZE.
+vm_unmapped_area() happily returns the high address > TASK_SIZE and then
+get_unmapped_area() returns -ENOMEM after the "if (addr > TASK_SIZE - len)"
+check.
+
+handle_swbp() doesn't report this failure (probably it should) and silently
+restarts the probed insn. Endless loop.
+
+I think that the right fix should change the x86 get_unmapped_area() paths
+to rely on TIF_ADDR32 rather than in_32bit_syscall(). Note also that if
+CONFIG_X86_X32_ABI=y, in_x32_syscall() falsely returns true in this case
+because ->orig_ax = -1.
+
+But we need a simple fix for -stable, so this patch just sets TS_COMPAT if
+the probed task is 32-bit to make in_ia32_syscall() true.
+
+Fixes: 1b028f784e8c ("x86/mm: Introduce mmap_compat_base() for 32-bit mmap()")
+Reported-by: Paulo Andrade <pandrade@redhat.com>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/all/aV5uldEvV7pb4RA8@redhat.com/
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/aWO7Fdxn39piQnxu@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/uprobes.c | 24 ++++++++++++++++++++++++
+ include/linux/uprobes.h | 1 +
+ kernel/events/uprobes.c | 10 +++++++---
+ 3 files changed, 32 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/uprobes.c
++++ b/arch/x86/kernel/uprobes.c
+@@ -1097,3 +1097,27 @@ bool arch_uretprobe_is_alive(struct retu
+ else
+ return regs->sp <= ret->stack;
+ }
++
++#ifdef CONFIG_IA32_EMULATION
++unsigned long arch_uprobe_get_xol_area(void)
++{
++ struct thread_info *ti = current_thread_info();
++ unsigned long vaddr;
++
++ /*
++ * HACK: we are not in a syscall, but x86 get_unmapped_area() paths
++ * ignore TIF_ADDR32 and rely on in_32bit_syscall() to calculate
++ * vm_unmapped_area_info.high_limit.
++ *
++ * The #ifdef above doesn't cover the CONFIG_X86_X32_ABI=y case,
++ * but in this case in_32bit_syscall() -> in_x32_syscall() always
++ * (falsely) returns true because ->orig_ax == -1.
++ */
++ if (test_thread_flag(TIF_ADDR32))
++ ti->status |= TS_COMPAT;
++ vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0);
++ ti->status &= ~TS_COMPAT;
++
++ return vaddr;
++}
++#endif
+--- a/include/linux/uprobes.h
++++ b/include/linux/uprobes.h
+@@ -138,6 +138,7 @@ extern bool arch_uretprobe_is_alive(stru
+ extern bool arch_uprobe_ignore(struct arch_uprobe *aup, struct pt_regs *regs);
+ extern void arch_uprobe_copy_ixol(struct page *page, unsigned long vaddr,
+ void *src, unsigned long len);
++extern unsigned long arch_uprobe_get_xol_area(void);
+ #else /* !CONFIG_UPROBES */
+ struct uprobes_state {
+ };
+--- a/kernel/events/uprobes.c
++++ b/kernel/events/uprobes.c
+@@ -1437,6 +1437,12 @@ void uprobe_munmap(struct vm_area_struct
+ set_bit(MMF_RECALC_UPROBES, &vma->vm_mm->flags);
+ }
+
++unsigned long __weak arch_uprobe_get_xol_area(void)
++{
++ /* Try to map as high as possible, this is only a hint. */
++ return get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0);
++}
++
+ /* Slot allocation for XOL */
+ static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
+ {
+@@ -1452,9 +1458,7 @@ static int xol_add_vma(struct mm_struct
+ }
+
+ if (!area->vaddr) {
+- /* Try to map as high as possible, this is only a hint. */
+- area->vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE,
+- PAGE_SIZE, 0, 0);
++ area->vaddr = arch_uprobe_get_xol_area();
+ if (IS_ERR_VALUE(area->vaddr)) {
+ ret = area->vaddr;
+ goto fail;
+++ /dev/null
-From johnny_haocn@sina.com Fri Mar 27 06:59:57 2026
-From: Johnny Hao <johnny_haocn@sina.com>
-Date: Fri, 27 Mar 2026 13:59:50 +0800
-Subject: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame()
-To: gregkh@linuxfoundation.org, stable@vger.kernel.org
-Cc: linux-kernel@vger.kernel.org, Alexey Nepomnyashih <sdl@nppct.ru>, Jakub Kicinski <kuba@kernel.org>, Johnny Hao <johnny_haocn@sina.com>
-Message-ID: <20260327055950.2618928-1-johnny_haocn@sina.com>
-
-From: Alexey Nepomnyashih <sdl@nppct.ru>
-
-[ Upstream commit cc3628dcd851ddd8d418bf0c897024b4621ddc92 ]
-
-The function xdp_convert_buff_to_frame() may return NULL if it fails
-to correctly convert the XDP buffer into an XDP frame due to memory
-constraints, internal errors, or invalid data. Failing to check for NULL
-may lead to a NULL pointer dereference if the result is used later in
-processing, potentially causing crashes, data corruption, or undefined
-behavior.
-
-On XDP redirect failure, the associated page must be released explicitly
-if it was previously retained via get_page(). Failing to do so may result
-in a memory leak, as the pages reference count is not decremented.
-
-Cc: stable@vger.kernel.org # v5.9+
-Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
-Signed-off-by: Alexey Nepomnyashih <sdl@nppct.ru>
-Link: https://patch.msgid.link/20250417122118.1009824-1-sdl@nppct.ru
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Johnny Hao <johnny_haocn@sina.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/xen-netfront.c | 17 ++++++++++++-----
- 1 file changed, 12 insertions(+), 5 deletions(-)
-
---- a/drivers/net/xen-netfront.c
-+++ b/drivers/net/xen-netfront.c
-@@ -982,20 +982,27 @@ static u32 xennet_run_xdp(struct netfron
- act = bpf_prog_run_xdp(prog, xdp);
- switch (act) {
- case XDP_TX:
-- get_page(pdata);
- xdpf = xdp_convert_buff_to_frame(xdp);
-+ if (unlikely(!xdpf)) {
-+ trace_xdp_exception(queue->info->netdev, prog, act);
-+ break;
-+ }
-+ get_page(pdata);
- err = xennet_xdp_xmit(queue->info->netdev, 1, &xdpf, 0);
-- if (unlikely(!err))
-+ if (unlikely(err <= 0)) {
-+ if (err < 0)
-+ trace_xdp_exception(queue->info->netdev, prog, act);
- xdp_return_frame_rx_napi(xdpf);
-- else if (unlikely(err < 0))
-- trace_xdp_exception(queue->info->netdev, prog, act);
-+ }
- break;
- case XDP_REDIRECT:
- get_page(pdata);
- err = xdp_do_redirect(queue->info->netdev, xdp, prog);
- *need_xdp_flush = true;
-- if (unlikely(err))
-+ if (unlikely(err)) {
- trace_xdp_exception(queue->info->netdev, prog, act);
-+ xdp_return_buff(xdp);
-+ }
- break;
- case XDP_PASS:
- case XDP_DROP:
projects / thirdparty / kernel / stable-queue.git / commitdiff
