6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Mar 2026 14:09:45 +0000 (15:09 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Mar 2026 14:09:45 +0000 (15:09 +0100)
added patches:
io_uring-kbuf-check-if-target-buffer-list-is-still-legacy-on-recycle.patch
mm-mempolicy-fix-wrong-mmap_read_unlock-in-migrate_to_node.patch
s390-stackleak-fix-__stackleak_poison-inline-assembly-constraint.patch
s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch
s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch

queue-6.6/io_uring-kbuf-check-if-target-buffer-list-is-still-legacy-on-recycle.patch [new file with mode: 0644]
queue-6.6/mm-mempolicy-fix-wrong-mmap_read_unlock-in-migrate_to_node.patch [new file with mode: 0644]
queue-6.6/s390-stackleak-fix-__stackleak_poison-inline-assembly-constraint.patch [new file with mode: 0644]
queue-6.6/s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch [new file with mode: 0644]
queue-6.6/s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch [new file with mode: 0644]
queue-6.6/series

diff --git a/queue-6.6/io_uring-kbuf-check-if-target-buffer-list-is-still-legacy-on-recycle.patch b/queue-6.6/io_uring-kbuf-check-if-target-buffer-list-is-still-legacy-on-recycle.patch
new file mode 100644 (file)
index 0000000..321f0f8
--- /dev/null
@@ -0,0 +1,44 @@
+From e0dd02979a6f1ca378fb173d5e36dd591ee8ef3f Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 12 Mar 2026 08:59:25 -0600
+Subject: io_uring/kbuf: check if target buffer list is still legacy on recycle
+
+From: Jens Axboe <axboe@kernel.dk>
+
+Commit c2c185be5c85d37215397c8e8781abf0a69bec1f upstream.
+
+There's a gap between when the buffer was grabbed and when it
+potentially gets recycled, where if the list is empty, someone could've
+upgraded it to a ring provided type. This can happen if the request
+is forced via io-wq. The legacy recycling is missing checking if the
+buffer_list still exists, and if it's of the correct type. Add those
+checks.
+
+Cc: stable@vger.kernel.org
+Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
+Reported-by: Keenan Dong <keenanat2000@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/kbuf.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/io_uring/kbuf.c
++++ b/io_uring/kbuf.c
+@@ -70,9 +70,15 @@ void io_kbuf_recycle_legacy(struct io_ki
+       buf = req->kbuf;
+       bl = io_buffer_get_list(ctx, buf->bgid);
+-      list_add(&buf->list, &bl->buf_list);
++      /*
++       * If the buffer list was upgraded to a ring-based one, or removed,
++       * while the request was in-flight in io-wq, drop it.
++       */
++      if (bl && !bl->is_mapped)
++              list_add(&buf->list, &bl->buf_list);
+       req->flags &= ~REQ_F_BUFFER_SELECTED;
+       req->buf_index = buf->bgid;
++      req->kbuf = NULL;
+       io_ring_submit_unlock(ctx, issue_flags);
+       return;
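Review bot: When `bl` is NULL or `bl->is_mapped` is set, the new branch in io_kbuf_recycle_legacy() skips `list_add()`, and the added `req->kbuf = NULL;` then discards the only reference to `buf` visible in this hunk. Nothing here hands the `struct io_buffer` back to an allocator or cache. Whether that is a leak depends on how this tree allocates io_buffer entries, which the hunk does not show; please confirm they are reclaimed at ring teardown, or add an explicit release in an `else` branch. The comment's "drop it" should also say who ends up owning the buffer, for example `... in-flight in io-wq, drop it; the io_buffer is reclaimed at ctx teardown.` if that is what happens. The function starts and ends outside the hunk.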
diff --git a/queue-6.6/mm-mempolicy-fix-wrong-mmap_read_unlock-in-migrate_to_node.patch b/queue-6.6/mm-mempolicy-fix-wrong-mmap_read_unlock-in-migrate_to_node.patch
new file mode 100644 (file)
index 0000000..dee946b
--- /dev/null
@@ -0,0 +1,47 @@
+From david@kernel.org  Thu Mar 19 14:49:55 2026
+From: "David Hildenbrand (Arm)" <david@kernel.org>
+Date: Tue,  3 Mar 2026 11:12:45 +0100
+Subject: mm/mempolicy: fix wrong mmap_read_unlock() in migrate_to_node()
+To: stable@vger.kernel.org
+Cc: linux-mm <linux-mm@kvack.org>, "David Hildenbrand (Arm)" <david@kernel.org>, Li Ying <liying3@sungrowpower.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Andrew Morton <akpm@linux-foundation.org>, Matthew Wilcox <willy@infradead.org>, Christoph Lameter <cl@linux.com>, "Liam R . Howlett" <Liam.Howlett@Oracle.com>
+Message-ID: <20260303101245.22290-1-david@kernel.org>
+
+From: "David Hildenbrand (Arm)" <david@kernel.org>
+
+The backport of commit 091c1dd2d4df ("mm/mempolicy: fix migrate_to_node()
+assuming there is at least one VMA in a MM") contains an error:
+migrate_to_node() does not lock the mmap_lock itself, that is handled by
+the caller instead.
+
+So let's drop the wrong mmap_read_unlock(). Fortunately, this path is
+very hard to hit in practice.
+
+Fixes: a13b2b9b0b0b ("mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM")
+Reported-by: Li Ying <liying3@sungrowpower.com>
+Closes: https://lore.kernel.org/r/aaZgUNxAyKC2IwuG@casper.infradead.org
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Gregory Price <gourry@gourry.net>
+Reviewed-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
+Signed-off-by: David Hildenbrand (Arm) <david@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mempolicy.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -1071,10 +1071,8 @@ static long migrate_to_node(struct mm_st
+       VM_BUG_ON(!(flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL)));
+       vma = find_vma(mm, 0);
+-      if (unlikely(!vma)) {
+-              mmap_read_unlock(mm);
++      if (unlikely(!vma))
+               return 0;
+-      }
+       /*
+        * This does not migrate the range, but isolates all pages that
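Review bot: The early `return 0;` after `find_vma(mm, 0)` is correct only because the caller holds mmap_lock, and nothing in migrate_to_node() states or checks that contract. By the commit message's own account, that gap is how the unbalanced unlock got into the earlier backport. Consider adding `mmap_assert_locked(mm);` before the `find_vma()` call, or at least a comment such as `/* mmap_lock is held by the caller; do not unlock here */`. Either would stop a later backport from a tree with different locking from reintroducing the imbalance. The function body continues outside the hunk.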
diff --git a/queue-6.6/s390-stackleak-fix-__stackleak_poison-inline-assembly-constraint.patch b/queue-6.6/s390-stackleak-fix-__stackleak_poison-inline-assembly-constraint.patch
new file mode 100644 (file)
index 0000000..432ace0
--- /dev/null
@@ -0,0 +1,42 @@
+From 674c5ff0f440a051ebf299d29a4c013133d81a65 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Mon, 2 Mar 2026 14:35:00 +0100
+Subject: s390/stackleak: Fix __stackleak_poison() inline assembly constraint
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+commit 674c5ff0f440a051ebf299d29a4c013133d81a65 upstream.
+
+The __stackleak_poison() inline assembly comes with a "count" operand where
+the "d" constraint is used. "count" is used with the exrl instruction and
+"d" means that the compiler may allocate any register from 0 to 15.
+
+If the compiler would allocate register 0 then the exrl instruction would
+not or the value of "count" into the executed instruction - resulting in a
+stackframe which is only partially poisoned.
+
+Use the correct "a" constraint, which excludes register 0 from register
+allocation.
+
+Fixes: 2a405f6bb3a5 ("s390/stackleak: provide fast __stackleak_poison() implementation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Link: https://lore.kernel.org/r/20260302133500.1560531-4-hca@linux.ibm.com
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/processor.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/include/asm/processor.h
++++ b/arch/s390/include/asm/processor.h
+@@ -146,7 +146,7 @@ static __always_inline void __stackleak_
+               "       j       4f\n"
+               "3:     mvc     8(1,%[addr]),0(%[addr])\n"
+               "4:\n"
+-              : [addr] "+&a" (erase_low), [count] "+&d" (count), [tmp] "=&a" (tmp)
++              : [addr] "+&a" (erase_low), [count] "+&a" (count), [tmp] "=&a" (tmp)
+               : [poison] "d" (poison)
+               : "memory", "cc"
+               );
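Review bot: The `[count] "+&a" (count)` operand now depends on register 0 being excluded from allocation, but the asm carries no comment saying so, and a one-letter constraint is easy to revert in a later cleanup. A short comment above the asm statement would record the reason, for example `/* [count] feeds exrl, which ignores register 0: must be "a", not "d" */`. A wrong allocation leaves the stack frame only partially poisoned with no visible failure, so it is also worth checking other exrl users in this tree for the same constraint; none are visible in this hunk.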
diff --git a/queue-6.6/s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch b/queue-6.6/s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch
new file mode 100644 (file)
index 0000000..41dcf5e
--- /dev/null
@@ -0,0 +1,39 @@
+From f775276edc0c505dc0f782773796c189f31a1123 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Mon, 2 Mar 2026 14:34:58 +0100
+Subject: s390/xor: Fix xor_xc_2() inline assembly constraints
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+commit f775276edc0c505dc0f782773796c189f31a1123 upstream.
+
+The inline assembly constraints for xor_xc_2() are incorrect. "bytes",
+"p1", and "p2" are input operands, while all three of them are modified
+within the inline assembly. Given that the function consists only of this
+inline assembly it seems unlikely that this may cause any problems, however
+fix this in any case.
+
+Fixes: 2cfc5f9ce7f5 ("s390/xor: optimized xor routing using the XC instruction")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Link: https://lore.kernel.org/r/20260302133500.1560531-2-hca@linux.ibm.com
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/lib/xor.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/lib/xor.c
++++ b/arch/s390/lib/xor.c
+@@ -29,8 +29,8 @@ static void xor_xc_2(unsigned long bytes
+               "       j       3f\n"
+               "2:     xc      0(1,%1),0(%2)\n"
+               "3:\n"
+-              : : "d" (bytes), "a" (p1), "a" (p2)
+-              : "0", "1", "cc", "memory");
++              : "+d" (bytes), "+a" (p1), "+a" (p2)
++              : : "0", "1", "cc", "memory");
+ }
+ static void xor_xc_3(unsigned long bytes, unsigned long * __restrict p1,
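Review bot: Only xor_xc_2() is changed here, while xor_xc_3() starts on the last context line and its constraint lists are outside the hunk. If xor_xc_3() and the remaining variants also modify `bytes` and the pointer operands inside the asm, they need the same `"+d"`/`"+a"` read-write constraints. Please confirm that a companion patch in the queue covers them or that they are unaffected. As a style point, the operands are still referenced by number (`%1`, `%2`); named operands such as `%[p1]` would make the constraint list easier to audit.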
diff --git a/queue-6.6/s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch b/queue-6.6/s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch
new file mode 100644 (file)
index 0000000..dbfabec
--- /dev/null
@@ -0,0 +1,70 @@
+From 598bbefa8032cc58b564a81d1ad68bd815c8dc0f Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger <freude@linux.ibm.com>
+Date: Fri, 27 Feb 2026 14:30:51 +0100
+Subject: s390/zcrypt: Enable AUTOSEL_DOM for CCA serialnr sysfs attribute
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+commit 598bbefa8032cc58b564a81d1ad68bd815c8dc0f upstream.
+
+The serialnr sysfs attribute for CCA cards when queried always
+used the default domain for sending the request down to the card.
+If for any reason exactly this default domain is disabled then
+the attribute code fails to retrieve the CCA info and the sysfs
+entry shows an empty string. Works as designed but the serial
+number is a card attribute and thus it does not matter which
+domain is used for the query. So if there are other domains on
+this card available, these could be used.
+
+So extend the code to use AUTOSEL_DOM for the domain value to
+address any online domain within the card for querying the cca
+info and thus show the serialnr as long as there is one domain
+usable regardless of the default domain setting.
+
+Fixes: 8f291ebf3270 ("s390/zcrypt: enable card/domain autoselect on ep11 cprbs")
+Suggested-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+[ preserved zc->online as the fourth argument to cca_get_info() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/crypto/zcrypt_ccamisc.c |   12 +++++++-----
+ drivers/s390/crypto/zcrypt_cex4.c    |    3 +--
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/s390/crypto/zcrypt_ccamisc.c
++++ b/drivers/s390/crypto/zcrypt_ccamisc.c
+@@ -1687,11 +1687,13 @@ static int fetch_cca_info(u16 cardnr, u1
+       memset(ci, 0, sizeof(*ci));
+-      /* get first info from zcrypt device driver about this apqn */
+-      rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
+-      if (rc)
+-              return rc;
+-      ci->hwtype = devstat.hwtype;
++      /* if specific domain given, fetch status and hw info for this apqn */
++      if (domain != AUTOSEL_DOM) {
++              rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
++              if (rc)
++                      return rc;
++              ci->hwtype = devstat.hwtype;
++      }
+       /* prep page for rule array and var array use */
+       pg = (u8 *)__get_free_page(GFP_KERNEL);
+--- a/drivers/s390/crypto/zcrypt_cex4.c
++++ b/drivers/s390/crypto/zcrypt_cex4.c
+@@ -85,8 +85,7 @@ static ssize_t cca_serialnr_show(struct
+       memset(&ci, 0, sizeof(ci));
+-      if (ap_domain_index >= 0)
+-              cca_get_info(ac->id, ap_domain_index, &ci, zc->online);
++      cca_get_info(ac->id, AUTOSEL_DOM, &ci, zc->online);
+       return sysfs_emit(buf, "%s\n", ci.serial);
+ }
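Review bot: In fetch_cca_info(), the AUTOSEL_DOM path skips `zcrypt_device_status_ext()`, so `devstat` is never filled in and `ci->hwtype` keeps the zero from the `memset()`. Any later read of `devstat` in the part of the function outside the hunk would use an uninitialized struct. Callers of cca_get_info() that pass AUTOSEL_DOM also get a `hwtype` of 0; cca_serialnr_show() only reads `ci.serial`, but other callers are not visible here. I would zero-initialize `devstat` at its declaration and extend the comment to `/* hwtype is only filled in for a specific domain; it stays 0 with AUTOSEL_DOM */`. cca_serialnr_show() also still ignores the return value of cca_get_info() and relies on the zeroed `ci` to emit an empty string on failure.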
index 892235626dacde0a938867221df23a54a335e8e7..bd7afea1b630a43d9c2899f4c9f5102bf89fa94c 100644 (file)
@@ -444,3 +444,8 @@ sched-fair-fix-pelt-clock-sync-when-entering-idle.patch
 binfmt_misc-restore-write-access-before-closing-files-opened-by-open_exec.patch
 net-stmmac-remove-support-for-lpi_intr_o.patch
 mptcp-pm-in-kernel-always-set-id-as-avail-when-rm-endp.patch
+s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch
+s390-stackleak-fix-__stackleak_poison-inline-assembly-constraint.patch
+s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch
+mm-mempolicy-fix-wrong-mmap_read_unlock-in-migrate_to_node.patch
+io_uring-kbuf-check-if-target-buffer-list-is-still-legacy-on-recycle.patch