6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 20 Mar 2026 17:25:45 +0000 (18:25 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 20 Mar 2026 17:25:45 +0000 (18:25 +0100)
added patches:
batman-adv-avoid-ogm-aggregation-when-skb-tailroom-is-insufficient.patch
btrfs-fix-transaction-abort-on-file-creation-due-to-name-hash-collision.patch
btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch
btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch
iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch
kprobes-remove-unneeded-goto.patch
kprobes-remove-unneeded-warnings-from-__arm_kprobe_ftrace.patch
ksmbd-unset-conn-binding-on-failed-binding-request.patch
net-macb-introduce-gem_init_rx_ring.patch
net-macb-queue-tie-off-or-disable-during-wol-suspend.patch
net-macb-reinitialize-tx-rx-queue-pointer-registers-and-rx-ring-during-resume.patch
nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch
smb-client-fix-krb5-mount-with-username-option.patch

14 files changed:
queue-6.6/batman-adv-avoid-ogm-aggregation-when-skb-tailroom-is-insufficient.patch [new file with mode: 0644]
queue-6.6/btrfs-fix-transaction-abort-on-file-creation-due-to-name-hash-collision.patch [new file with mode: 0644]
queue-6.6/btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch [new file with mode: 0644]
queue-6.6/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch [new file with mode: 0644]
queue-6.6/iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch [new file with mode: 0644]
queue-6.6/kprobes-remove-unneeded-goto.patch [new file with mode: 0644]
queue-6.6/kprobes-remove-unneeded-warnings-from-__arm_kprobe_ftrace.patch [new file with mode: 0644]
queue-6.6/ksmbd-unset-conn-binding-on-failed-binding-request.patch [new file with mode: 0644]
queue-6.6/net-macb-introduce-gem_init_rx_ring.patch [new file with mode: 0644]
queue-6.6/net-macb-queue-tie-off-or-disable-during-wol-suspend.patch [new file with mode: 0644]
queue-6.6/net-macb-reinitialize-tx-rx-queue-pointer-registers-and-rx-ring-during-resume.patch [new file with mode: 0644]
queue-6.6/nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch [new file with mode: 0644]
queue-6.6/series
queue-6.6/smb-client-fix-krb5-mount-with-username-option.patch [new file with mode: 0644]

diff --git a/queue-6.6/batman-adv-avoid-ogm-aggregation-when-skb-tailroom-is-insufficient.patch b/queue-6.6/batman-adv-avoid-ogm-aggregation-when-skb-tailroom-is-insufficient.patch
new file mode 100644 (file)
index 0000000..4c150d2
--- /dev/null
@@ -0,0 +1,50 @@
+From stable+bounces-227510-greg=kroah.com@vger.kernel.org Fri Mar 20 11:19:08 2026
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 20 Mar 2026 11:18:44 +0100
+Subject: batman-adv: avoid OGM aggregation when skb tailroom is insufficient
+To: stable@vger.kernel.org
+Cc: Yang Yang <n05ec@lzu.edu.cn>, Yifan Wu <yifanwucs@gmail.com>, Juefei Pu <tomapufckgml@gmail.com>, Yuan Tan <tanyuan98@outlook.com>, Xin Liu <bird@lzu.edu.cn>, Sven Eckelmann <sven@narfation.org>, Simon Wunderlich <sw@simonwunderlich.de>
+Message-ID: <20260320101844.1630480-1-sven@narfation.org>
+
+From: Yang Yang <n05ec@lzu.edu.cn>
+
+commit 0d4aef630be9d5f9c1227d07669c26c4383b5ad0 upstream.
+
+When OGM aggregation state is toggled at runtime, an existing forwarded
+packet may have been allocated with only packet_len bytes, while a later
+packet can still be selected for aggregation. Appending in this case can
+hit skb_put overflow conditions.
+
+Reject aggregation when the target skb tailroom cannot accommodate the new
+packet. The caller then falls back to creating a new forward packet
+instead of appending.
+
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Cc: stable@vger.kernel.org
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
+Signed-off-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Ao Zhou <n05ec@lzu.edu.cn>
+Signed-off-by: Yang Yang <n05ec@lzu.edu.cn>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+[ Adjust context ]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_iv_ogm.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -464,6 +464,9 @@ batadv_iv_ogm_can_aggregate(const struct
+           !time_after_eq(aggregation_end_time, forw_packet->send_time))
+               return false;
++      if (skb_tailroom(forw_packet->skb) < packet_len)
++              return false;
++
+       if (aggregated_bytes > BATADV_MAX_AGGREGATION_BYTES)
+               return false;
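Review bot: The new `skb_tailroom()` guard carries no comment, so a reader of batadv_iv_ogm_can_aggregate() cannot tell why an existing forward packet might lack room for another OGM; the reason (the skb may have been sized for a single packet while aggregation was disabled, and aggregation can be toggled at runtime) lives only in the commit message. I would put above the check: `/* forw_packet->skb may have been allocated without aggregation room (aggregation can be toggled at runtime); never append past what the skb can hold. */`. skb_tailroom() returns an int, so the comparison is only clean if packet_len is a signed int as well — presumably it is, given the upstream signature, but the parameter list is outside the hunk and worth confirming in the backport context. The enclosing function starts before this hunk.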
diff --git a/queue-6.6/btrfs-fix-transaction-abort-on-file-creation-due-to-name-hash-collision.patch b/queue-6.6/btrfs-fix-transaction-abort-on-file-creation-due-to-name-hash-collision.patch
new file mode 100644 (file)
index 0000000..20cf5fb
--- /dev/null
@@ -0,0 +1,193 @@
+From stable+bounces-227371-greg=kroah.com@vger.kernel.org Thu Mar 19 19:55:10 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 14:54:43 -0400
+Subject: btrfs: fix transaction abort on file creation due to name hash collision
+To: stable@vger.kernel.org
+Cc: Filipe Manana <fdmanana@suse.com>, Boris Burkov <boris@bur.io>, Qu Wenruo <wqu@suse.com>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319185443.2942946-1-sashal@kernel.org>
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 2d1ababdedd4ba38867c2500eb7f95af5ddeeef7 ]
+
+If we attempt to create several files with names that result in the same
+hash, we have to pack them in same dir item and that has a limit inherent
+to the leaf size. However if we reach that limit, we trigger a transaction
+abort and turns the filesystem into RO mode. This allows for a malicious
+user to disrupt a system, without the need to have administration
+privileges/capabilities.
+
+Reproducer:
+
+  $ cat exploit-hash-collisions.sh
+  #!/bin/bash
+
+  DEV=/dev/sdi
+  MNT=/mnt/sdi
+
+  # Use smallest node size to make the test faster and require fewer file
+  # names that result in hash collision.
+  mkfs.btrfs -f --nodesize 4K $DEV
+  mount $DEV $MNT
+
+  # List of names that result in the same crc32c hash for btrfs.
+  declare -a names=(
+   'foobar'
+   '%a8tYkxfGMLWRGr55QSeQc4PBNH9PCLIvR6jZnkDtUUru1t@RouaUe_L:@xGkbO3nCwvLNYeK9vhE628gss:T$yZjZ5l-Nbd6CbC$M=hqE-ujhJICXyIxBvYrIU9-TDC'
+   'AQci3EUB%shMsg-N%frgU:02ByLs=IPJU0OpgiWit5nexSyxZDncY6WB:=zKZuk5Zy0DD$Ua78%MelgBuMqaHGyKsJUFf9s=UW80PcJmKctb46KveLSiUtNmqrMiL9-Y0I_l5Fnam04CGIg=8@U:Z'
+   'CvVqJpJzueKcuA$wqwePfyu7VxuWNN3ho$p0zi2H8QFYK$7YlEqOhhb%:hHgjhIjW5vnqWHKNP4'
+   'ET:vk@rFU4tsvMB0$C_p=xQHaYZjvoF%-BTc%wkFW8yaDAPcCYoR%x$FH5O:'
+   'HwTon%v7SGSP4FE08jBwwiu5aot2CFKXHTeEAa@38fUcNGOWvE@Mz6WBeDH_VooaZ6AgsXPkVGwy9l@@ZbNXabUU9csiWrrOp0MWUdfi$EZ3w9GkIqtz7I_eOsByOkBOO'
+   'Ij%2VlFGXSuPvxJGf5UWy6O@1svxGha%b@=%wjkq:CIgE6u7eJOjmQY5qTtxE2Rjbis9@us'
+   'KBkjG5%9R8K9sOG8UTnAYjxLNAvBmvV5vz3IiZaPmKuLYO03-6asI9lJ_j4@6Xo$KZicaLWJ3Pv8XEwVeUPMwbHYWwbx0pYvNlGMO9F:ZhHAwyctnGy%_eujl%WPd4U2BI7qooOSr85J-C2V$LfY'
+   'NcRfDfuUQ2=zP8K3CCF5dFcpfiOm6mwenShsAb_F%n6GAGC7fT2JFFn:c35X-3aYwoq7jNX5$ZJ6hI3wnZs$7KgGi7wjulffhHNUxAT0fRRLF39vJ@NvaEMxsMO'
+   'Oj42AQAEzRoTxa5OuSKIr=A_lwGMy132v4g3Pdq1GvUG9874YseIFQ6QU'
+   'Ono7avN5GjC:_6dBJ_'
+   'WHmN2gnmaN-9dVDy4aWo:yNGFzz8qsJyJhWEWcud7$QzN2D9R0efIWWEdu5kwWr73NZm4=@CoCDxrrZnRITr-kGtU_cfW2:%2_am'
+   'WiFnuTEhAG9FEC6zopQmj-A-$LDQ0T3WULz%ox3UZAPybSV6v1Z$b4L_XBi4M4BMBtJZpz93r9xafpB77r:lbwvitWRyo$odnAUYlYMmU4RvgnNd--e=I5hiEjGLETTtaScWlQp8mYsBovZwM2k'
+   'XKyH=OsOAF3p%uziGF_ZVr$ivrvhVgD@1u%5RtrV-gl_vqAwHkK@x7YwlxX3qT6WKKQ%PR56NrUBU2dOAOAdzr2=5nJuKPM-T-$ZpQfCL7phxQbUcb:BZOTPaFExc-qK-gDRCDW2'
+   'd3uUR6OFEwZr%ns1XH_@tbxA@cCPmbBRLdyh7p6V45H$P2$F%w0RqrD3M0g8aGvWpoTFMiBdOTJXjD:JF7=h9a_43xBywYAP%r$SPZi%zDg%ql-KvkdUCtF9OLaQlxmd'
+   'ePTpbnit%hyNm@WELlpKzNZYOzOTf8EQ$sEfkMy1VOfIUu3coyvIr13-Y7Sv5v-Ivax2Go_GQRFMU1b3362nktT9WOJf3SpT%z8sZmM3gvYQBDgmKI%%RM-G7hyrhgYflOw%z::ZRcv5O:lDCFm'
+   'evqk743Y@dvZAiG5J05L_ROFV@$2%rVWJ2%3nxV72-W7$e$-SK3tuSHA2mBt$qloC5jwNx33GmQUjD%akhBPu=VJ5g$xhlZiaFtTrjeeM5x7dt4cHpX0cZkmfImndYzGmvwQG:$euFYmXn$_2rA9mKZ'
+   'gkgUtnihWXsZQTEkrMAWIxir09k3t7jk_IK25t1:cy1XWN0GGqC%FrySdcmU7M8MuPO_ppkLw3=Dfr0UuBAL4%GFk2$Ma10V1jDRGJje%Xx9EV2ERaWKtjpwiZwh0gCSJsj5UL7CR8RtW5opCVFKGGy8Cky'
+   'hNgsG_8lNRik3PvphqPm0yEH3P%%fYG:kQLY=6O-61Wa6nrV_WVGR6TLB09vHOv%g4VQRP8Gzx7VXUY1qvZyS'
+   'isA7JVzN12xCxVPJZ_qoLm-pTBuhjjHMvV7o=F:EaClfYNyFGlsfw-Kf%uxdqW-kwk1sPl2vhbjyHU1A6$hz'
+   'kiJ_fgcdZFDiOptjgH5PN9-PSyLO4fbk_:u5_2tz35lV_iXiJ6cx7pwjTtKy-XGaQ5IefmpJ4N_ZqGsqCsKuqOOBgf9LkUdffHet@Wu'
+   'lvwtxyhE9:%Q3UxeHiViUyNzJsy:fm38pg_b6s25JvdhOAT=1s0$pG25x=LZ2rlHTszj=gN6M4zHZYr_qrB49i=pA--@WqWLIuX7o1S_SfS@2FSiUZN'
+   'rC24cw3UBDZ=5qJBUMs9e$=S4Y94ni%Z8639vnrGp=0Hv4z3dNFL0fBLmQ40=EYIY:Z=SLc@QLMSt2zsss2ZXrP7j4='
+   'uwGl2s-fFrf@GqS=DQqq2I0LJSsOmM%xzTjS:lzXguE3wChdMoHYtLRKPvfaPOZF2fER@j53evbKa7R%A7r4%YEkD=kicJe@SFiGtXHbKe4gCgPAYbnVn'
+   'UG37U6KKua2bgc:IHzRs7BnB6FD:2Mt5Cc5NdlsW%$1tyvnfz7S27FvNkroXwAW:mBZLA1@qa9WnDbHCDmQmfPMC9z-Eq6QT0jhhPpqyymaD:R02ghwYo%yx7SAaaq-:x33LYpei$5g8DMl3C'
+   'y2vjek0FE1PDJC0qpfnN:x8k2wCFZ9xiUF2ege=JnP98R%wxjKkdfEiLWvQzmnW'
+   '8-HCSgH5B%K7P8_jaVtQhBXpBk:pE-$P7ts58U0J@iR9YZntMPl7j$s62yAJO@_9eanFPS54b=UTw$94C-t=HLxT8n6o9P=QnIxq-f1=Ne2dvhe6WbjEQtc'
+   'YPPh:IFt2mtR6XWSmjHptXL_hbSYu8bMw-JP8@PNyaFkdNFsk$M=xfL6LDKCDM-mSyGA_2MBwZ8Dr4=R1D%7-mCaaKGxb990jzaagRktDTyp'
+   '9hD2ApKa_t_7x-a@GCG28kY:7$M@5udI1myQ$x5udtggvagmCQcq9QXWRC5hoB0o-_zHQUqZI5rMcz_kbMgvN5jr63LeYA4Cj-c6F5Ugmx6DgVf@2Jqm%MafecpgooqreJ53P-QTS'
+  )
+
+  # Now create files with all those names in the same parent directory.
+  # It should not fail since a 4K leaf has enough space for them.
+  for name in "${names[@]}"; do
+       touch $MNT/$name
+  done
+
+  # Now add one more file name that causes a crc32c hash collision.
+  # This should fail, but it should not turn the filesystem into RO mode
+  # (which could be exploited by malicious users) due to a transaction
+  # abort.
+  touch $MNT/'W6tIm-VK2@BGC@IBfcgg6j_p:pxp_QUqtWpGD5Ok_GmijKOJJt'
+
+  # Check that we are able to create another file, with a name that does not cause
+  # a crc32c hash collision.
+  echo -n "hello world" > $MNT/baz
+
+  # Unmount and mount again, verify file baz exists and with the right content.
+  umount $MNT
+  mount $DEV $MNT
+  echo "File baz content: $(cat $MNT/baz)"
+
+  umount $MNT
+
+When running the reproducer:
+
+  $ ./exploit-hash-collisions.sh
+  (...)
+  touch: cannot touch '/mnt/sdi/W6tIm-VK2@BGC@IBfcgg6j_p:pxp_QUqtWpGD5Ok_GmijKOJJt': Value too large for defined data type
+  ./exploit-hash-collisions.sh: line 57: /mnt/sdi/baz: Read-only file system
+  cat: /mnt/sdi/baz: No such file or directory
+  File baz content:
+
+And the transaction abort stack trace in dmesg/syslog:
+
+  $ dmesg
+  (...)
+  [758240.509761] ------------[ cut here ]------------
+  [758240.510668] BTRFS: Transaction aborted (error -75)
+  [758240.511577] WARNING: fs/btrfs/inode.c:6854 at btrfs_create_new_inode+0x805/0xb50 [btrfs], CPU#6: touch/888644
+  [758240.513513] Modules linked in: btrfs dm_zero (...)
+  [758240.523221] CPU: 6 UID: 0 PID: 888644 Comm: touch Tainted: G        W           6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
+  [758240.524621] Tainted: [W]=WARN
+  [758240.525037] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
+  [758240.526331] RIP: 0010:btrfs_create_new_inode+0x80b/0xb50 [btrfs]
+  [758240.527093] Code: 0f 82 cf (...)
+  [758240.529211] RSP: 0018:ffffce64418fbb48 EFLAGS: 00010292
+  [758240.529935] RAX: 00000000ffffffd3 RBX: 0000000000000000 RCX: 00000000ffffffb5
+  [758240.531040] RDX: 0000000d04f33e06 RSI: 00000000ffffffb5 RDI: ffffffffc0919dd0
+  [758240.531920] RBP: ffffce64418fbc10 R08: 0000000000000000 R09: 00000000ffffffb5
+  [758240.532928] R10: 0000000000000000 R11: ffff8e52c0000000 R12: ffff8e53eee7d0f0
+  [758240.533818] R13: ffff8e57f70932a0 R14: ffff8e5417629568 R15: 0000000000000000
+  [758240.534664] FS:  00007f1959a2a740(0000) GS:ffff8e5b27cae000(0000) knlGS:0000000000000000
+  [758240.535821] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  [758240.536644] CR2: 00007f1959b10ce0 CR3: 000000012a2cc005 CR4: 0000000000370ef0
+  [758240.537517] Call Trace:
+  [758240.537828]  <TASK>
+  [758240.538099]  btrfs_create_common+0xbf/0x140 [btrfs]
+  [758240.538760]  path_openat+0x111a/0x15b0
+  [758240.539252]  do_filp_open+0xc2/0x170
+  [758240.539699]  ? preempt_count_add+0x47/0xa0
+  [758240.540200]  ? __virt_addr_valid+0xe4/0x1a0
+  [758240.540800]  ? __check_object_size+0x1b3/0x230
+  [758240.541661]  ? alloc_fd+0x118/0x180
+  [758240.542315]  do_sys_openat2+0x70/0xd0
+  [758240.543012]  __x64_sys_openat+0x50/0xa0
+  [758240.543723]  do_syscall_64+0x50/0xf20
+  [758240.544462]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
+  [758240.545397] RIP: 0033:0x7f1959abc687
+  [758240.546019] Code: 48 89 fa (...)
+  [758240.548522] RSP: 002b:00007ffe16ff8690 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
+  [758240.566278] RAX: ffffffffffffffda RBX: 00007f1959a2a740 RCX: 00007f1959abc687
+  [758240.567068] RDX: 0000000000000941 RSI: 00007ffe16ffa333 RDI: ffffffffffffff9c
+  [758240.567860] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+  [758240.568707] R10: 00000000000001b6 R11: 0000000000000202 R12: 0000561eec7c4b90
+  [758240.569712] R13: 0000561eec7c311f R14: 00007ffe16ffa333 R15: 0000000000000000
+  [758240.570758]  </TASK>
+  [758240.571040] ---[ end trace 0000000000000000 ]---
+  [758240.571681] BTRFS: error (device sdi state A) in btrfs_create_new_inode:6854: errno=-75 unknown
+  [758240.572899] BTRFS info (device sdi state EA): forced readonly
+
+Fix this by checking for hash collision, and if the adding a new name is
+possible, early in btrfs_create_new_inode() before we do any tree updates,
+so that we don't need to abort the transaction if we cannot add the new
+name due to the leaf size limit.
+
+A test case for fstests will be sent soon.
+
+Fixes: caae78e03234 ("btrfs: move common inode creation code into btrfs_create_new_inode()")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/inode.c |   19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -6227,6 +6227,25 @@ int btrfs_create_new_inode(struct btrfs_
+       unsigned long ptr;
+       int ret;
++      if (!args->orphan && !args->subvol) {
++              /*
++               * Before anything else, check if we can add the name to the
++               * parent directory. We want to avoid a dir item overflow in
++               * case we have an existing dir item due to existing name
++               * hash collisions. We do this check here before we call
++               * btrfs_add_link() down below so that we can avoid a
++               * transaction abort (which could be exploited by malicious
++               * users).
++               *
++               * For subvolumes we already do this in btrfs_mksubvol().
++               */
++              ret = btrfs_check_dir_item_collision(BTRFS_I(dir)->root,
++                                                   btrfs_ino(BTRFS_I(dir)),
++                                                   name);
++              if (ret < 0)
++                      return ret;
++      }
++
+       path = btrfs_alloc_path();
+       if (!path)
+               return -ENOMEM;
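Review bot: The new collision check in btrfs_create_new_inode() is a check-then-insert against the parent directory, and the added comment says nothing about what keeps the window between it and btrfs_add_link() closed; the commit message of the sibling set-received fix in this same series spells out its locking (subvol_sem held in write mode), and this one should do the same in the code. Presumably the VFS holds the parent's i_rwsem across create/mkdir/link so no colliding name can be inserted in between — if so, a line such as `* The caller holds the parent directory's i_rwsem, so no name can be added between this check and btrfs_add_link() below.` closes that gap; if not, the check only makes the abort rarer rather than impossible. The enclosing function starts and ends outside the hunk, so it is not visible here whether `name` is always set when neither args->orphan nor args->subvol is true — worth a glance at the 6.6 definition of `name` since the backport note says no adaptation was needed.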
diff --git a/queue-6.6/btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch b/queue-6.6/btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch
new file mode 100644 (file)
index 0000000..9e792df
--- /dev/null
@@ -0,0 +1,143 @@
+From stable+bounces-227368-greg=kroah.com@vger.kernel.org Thu Mar 19 19:37:29 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 14:35:14 -0400
+Subject: btrfs: fix transaction abort on set received ioctl due to item overflow
+To: stable@vger.kernel.org
+Cc: Filipe Manana <fdmanana@suse.com>, Anand Jain <asj@kernel.org>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319183514.2930118-1-sashal@kernel.org>
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 87f2c46003fce4d739138aab4af1942b1afdadac ]
+
+If the set received ioctl fails due to an item overflow when attempting to
+add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction
+since we did some metadata updates before.
+
+This means that if a user calls this ioctl with the same received UUID
+field for a lot of subvolumes, we will hit the overflow, trigger the
+transaction abort and turn the filesystem into RO mode. A malicious user
+could exploit this, and this ioctl does not even requires that a user
+has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.
+
+Fix this by doing an early check for item overflow before starting a
+transaction. This is also race safe because we are holding the subvol_sem
+semaphore in exclusive (write) mode.
+
+A test case for fstests will follow soon.
+
+Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
+CC: stable@vger.kernel.org # 3.12+
+Reviewed-by: Anand Jain <asj@kernel.org>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ adapted BTRFS_PATH_AUTO_FREE macro to manual btrfs_free_path calls ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ioctl.c     |   21 +++++++++++++++++++--
+ fs/btrfs/uuid-tree.c |   43 +++++++++++++++++++++++++++++++++++++++++++
+ fs/btrfs/uuid-tree.h |    2 ++
+ 3 files changed, 64 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3999,6 +3999,25 @@ static long _btrfs_ioctl_set_received_su
+               goto out;
+       }
++      received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
++                                     BTRFS_UUID_SIZE);
++
++      /*
++       * Before we attempt to add the new received uuid, check if we have room
++       * for it in case there's already an item. If the size of the existing
++       * item plus this root's ID (u64) exceeds the maximum item size, we can
++       * return here without the need to abort a transaction. If we don't do
++       * this check, the btrfs_uuid_tree_add() call below would fail with
++       * -EOVERFLOW and result in a transaction abort. Malicious users could
++       * exploit this to turn the fs into RO mode.
++       */
++      if (received_uuid_changed && !btrfs_is_empty_uuid(sa->uuid)) {
++              ret = btrfs_uuid_tree_check_overflow(fs_info, sa->uuid,
++                                                   BTRFS_UUID_KEY_RECEIVED_SUBVOL);
++              if (ret < 0)
++                      goto out;
++      }
++
+       /*
+        * 1 - root item
+        * 2 - uuid items (received uuid + subvol uuid)
+@@ -4014,8 +4033,6 @@ static long _btrfs_ioctl_set_received_su
+       sa->rtime.sec = ct.tv_sec;
+       sa->rtime.nsec = ct.tv_nsec;
+-      received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
+-                                     BTRFS_UUID_SIZE);
+       if (received_uuid_changed &&
+           !btrfs_is_empty_uuid(root_item->received_uuid)) {
+               ret = btrfs_uuid_tree_remove(trans, root_item->received_uuid,
+--- a/fs/btrfs/uuid-tree.c
++++ b/fs/btrfs/uuid-tree.c
+@@ -228,6 +228,49 @@ out:
+       return ret;
+ }
++/*
++ * Check if we can add one root ID to a UUID key.
++ * If the key does not yet exists, we can, otherwise only if extended item does
++ * not exceeds the maximum item size permitted by the leaf size.
++ *
++ * Returns 0 on success, negative value on error.
++ */
++int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
++                                 u8 *uuid, u8 type)
++{
++      struct btrfs_path *path;
++      int ret;
++      u32 item_size;
++      struct btrfs_key key;
++
++      if (WARN_ON_ONCE(!fs_info->uuid_root))
++              return -EINVAL;
++
++      path = btrfs_alloc_path();
++      if (!path)
++              return -ENOMEM;
++
++      btrfs_uuid_to_key(uuid, type, &key);
++      ret = btrfs_search_slot(NULL, fs_info->uuid_root, &key, path, 0, 0);
++      if (ret < 0) {
++              btrfs_free_path(path);
++              return ret;
++      }
++      if (ret > 0) {
++              btrfs_free_path(path);
++              return 0;
++      }
++
++      item_size = btrfs_item_size(path->nodes[0], path->slots[0]);
++      btrfs_free_path(path);
++
++      if (sizeof(struct btrfs_item) + item_size + sizeof(u64) >
++          BTRFS_LEAF_DATA_SIZE(fs_info))
++              return -EOVERFLOW;
++
++      return 0;
++}
++
+ static int btrfs_uuid_iter_rem(struct btrfs_root *uuid_root, u8 *uuid, u8 type,
+                              u64 subid)
+ {
+--- a/fs/btrfs/uuid-tree.h
++++ b/fs/btrfs/uuid-tree.h
+@@ -7,6 +7,8 @@ int btrfs_uuid_tree_add(struct btrfs_tra
+                       u64 subid);
+ int btrfs_uuid_tree_remove(struct btrfs_trans_handle *trans, u8 *uuid, u8 type,
+                       u64 subid);
++int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
++                                 u8 *uuid, u8 type);
+ int btrfs_uuid_tree_iterate(struct btrfs_fs_info *fs_info);
+ #endif
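Review bot: btrfs_uuid_tree_check_overflow() runs outside any transaction, and nothing in the new code records why its result is still valid when btrfs_uuid_tree_add() runs later; the commit message attributes that to subvol_sem being held in write mode, which belongs in the ioctl.c comment so the next reader does not have to rediscover it — e.g. append `* This is race-free because subvol_sem is held in write mode here.` to the block above the call. In the helper itself the three separate `btrfs_free_path(path)` calls are the manual adaptation of BTRFS_PATH_AUTO_FREE; a single `out:` label with one free is the usual shape for 6.6-era btrfs code and removes the risk of a future exit path forgetting the free. The helper's header comment should also say what 0 means precisely — that one more u64 root ID fits within the maximum single item size — since "check_overflow" could be read as a free-space-in-leaf test.

```c
int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
				   u8 *uuid, u8 type)
{
	/* … unchanged: declarations, uuid_root WARN_ON_ONCE, btrfs_alloc_path … */

	btrfs_uuid_to_key(uuid, type, &key);
	ret = btrfs_search_slot(NULL, fs_info->uuid_root, &key, path, 0, 0);
	if (ret < 0)
		goto out;
	if (ret > 0) {
		/* No item for this UUID/type yet: a fresh one always fits. */
		ret = 0;
		goto out;
	}

	/* ret is 0 here: an item exists, see if one more root ID fits. */
	item_size = btrfs_item_size(path->nodes[0], path->slots[0]);
	if (sizeof(struct btrfs_item) + item_size + sizeof(u64) >
	    BTRFS_LEAF_DATA_SIZE(fs_info))
		ret = -EOVERFLOW;
out:
	btrfs_free_path(path);
	return ret;
}
```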
diff --git a/queue-6.6/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch b/queue-6.6/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch
new file mode 100644 (file)
index 0000000..3ee9070
--- /dev/null
@@ -0,0 +1,174 @@
+From stable+bounces-227349-greg=kroah.com@vger.kernel.org Thu Mar 19 18:25:59 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 13:16:35 -0400
+Subject: btrfs: fix transaction abort when snapshotting received subvolumes
+To: stable@vger.kernel.org
+Cc: Filipe Manana <fdmanana@suse.com>, Boris Burkov <boris@bur.io>, Qu Wenruo <wqu@suse.com>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319171635.2755739-1-sashal@kernel.org>
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit e1b18b959025e6b5dbad668f391f65d34b39595a ]
+
+Currently a user can trigger a transaction abort by snapshotting a
+previously received snapshot a bunch of times until we reach a
+BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we
+can store in a leaf). This is very likely not common in practice, but
+if it happens, it turns the filesystem into RO mode. The snapshot, send
+and set_received_subvol and subvol_setflags (used by receive) don't
+require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user
+could use this to turn a filesystem into RO mode and disrupt a system.
+
+Reproducer script:
+
+  $ cat test.sh
+  #!/bin/bash
+
+  DEV=/dev/sdi
+  MNT=/mnt/sdi
+
+  # Use smallest node size to make the test faster.
+  mkfs.btrfs -f --nodesize 4K $DEV
+  mount $DEV $MNT
+
+  # Create a subvolume and set it to RO so that it can be used for send.
+  btrfs subvolume create $MNT/sv
+  touch $MNT/sv/foo
+  btrfs property set $MNT/sv ro true
+
+  # Send and receive the subvolume into snaps/sv.
+  mkdir $MNT/snaps
+  btrfs send $MNT/sv | btrfs receive $MNT/snaps
+
+  # Now snapshot the received subvolume, which has a received_uuid, a
+  # lot of times to trigger the leaf overflow.
+  total=500
+  for ((i = 1; i <= $total; i++)); do
+      echo -ne "\rCreating snapshot $i/$total"
+      btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null
+  done
+  echo
+
+  umount $MNT
+
+When running the test:
+
+  $ ./test.sh
+  (...)
+  Create subvolume '/mnt/sdi/sv'
+  At subvol /mnt/sdi/sv
+  At subvol sv
+  Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type
+  Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system
+  Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system
+  Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system
+  Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system
+
+And in dmesg/syslog:
+
+  $ dmesg
+  (...)
+  [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!
+  [251067.629212] ------------[ cut here ]------------
+  [251067.630033] BTRFS: Transaction aborted (error -75)
+  [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235
+  [251067.632851] Modules linked in: btrfs dm_zero (...)
+  [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G        W           6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
+  [251067.646165] Tainted: [W]=WARN
+  [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
+  [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]
+  [251067.649984] Code: f0 48 0f (...)
+  [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292
+  [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3
+  [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750
+  [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820
+  [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0
+  [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5
+  [251067.659019] FS:  00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000
+  [251067.660115] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0
+  [251067.661972] Call Trace:
+  [251067.662292]  <TASK>
+  [251067.662653]  create_pending_snapshots+0x97/0xc0 [btrfs]
+  [251067.663413]  btrfs_commit_transaction+0x26e/0xc00 [btrfs]
+  [251067.664257]  ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]
+  [251067.665238]  ? _raw_spin_unlock+0x15/0x30
+  [251067.665837]  ? record_root_in_trans+0xa2/0xd0 [btrfs]
+  [251067.666531]  btrfs_mksubvol+0x330/0x580 [btrfs]
+  [251067.667145]  btrfs_mksnapshot+0x74/0xa0 [btrfs]
+  [251067.667827]  __btrfs_ioctl_snap_create+0x194/0x1d0 [btrfs]
+  [251067.668595]  btrfs_ioctl_snap_create_v2+0x107/0x130 [btrfs]
+  [251067.669479]  btrfs_ioctl+0x1580/0x2690 [btrfs]
+  [251067.670093]  ? count_memcg_events+0x6d/0x180
+  [251067.670849]  ? handle_mm_fault+0x1a0/0x2a0
+  [251067.671652]  __x64_sys_ioctl+0x92/0xe0
+  [251067.672406]  do_syscall_64+0x50/0xf20
+  [251067.673129]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
+  [251067.674096] RIP: 0033:0x7f2a495648db
+  [251067.674812] Code: 00 48 89 (...)
+  [251067.678227] RSP: 002b:00007ffc5aa57840 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+  [251067.679691] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2a495648db
+  [251067.681145] RDX: 00007ffc5aa588b0 RSI: 0000000050009417 RDI: 0000000000000004
+  [251067.682511] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+  [251067.683842] R10: 000000000000000a R11: 0000000000000246 R12: 00007ffc5aa59910
+  [251067.685176] R13: 00007ffc5aa588b0 R14: 0000000000000004 R15: 0000000000000006
+  [251067.686524]  </TASK>
+  [251067.686972] ---[ end trace 0000000000000000 ]---
+  [251067.687890] BTRFS: error (device sdi state A) in create_pending_snapshot:1907: errno=-75 unknown
+  [251067.689049] BTRFS info (device sdi state EA): forced readonly
+  [251067.689054] BTRFS warning (device sdi state EA): Skipping commit of aborted transaction.
+  [251067.690119] BTRFS: error (device sdi state EA) in cleanup_transaction:2043: errno=-75 unknown
+  [251067.702028] BTRFS info (device sdi state EA): last unmount of filesystem 46dc3975-30a2-4a69-a18f-418b859cccda
+
+Fix this by ignoring -EOVERFLOW errors from btrfs_uuid_tree_add() in the
+snapshot creation code when attempting to add the
+BTRFS_UUID_KEY_RECEIVED_SUBVOL item. This is OK because it's not critical
+and we are still able to delete the snapshot, as snapshot/subvolume
+deletion ignores if a BTRFS_UUID_KEY_RECEIVED_SUBVOL is missing (see
+inode.c:btrfs_delete_subvolume()). As for send/receive, we can still do
+send/receive operations since it always peeks the first root ID in the
+existing BTRFS_UUID_KEY_RECEIVED_SUBVOL (it could peek any since all
+snapshots have the same content), and even if the key is missing, it
+falls back to searching by BTRFS_UUID_KEY_SUBVOL key.
+
+A test case for fstests will be sent soon.
+
+Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
+CC: stable@vger.kernel.org # 3.12+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ adapted error check condition to omit unlikely() wrapper ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/transaction.c |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -1877,6 +1877,22 @@ static noinline int create_pending_snaps
+               ret = btrfs_uuid_tree_add(trans, new_root_item->received_uuid,
+                                         BTRFS_UUID_KEY_RECEIVED_SUBVOL,
+                                         objectid);
++              /*
++               * We are creating of lot of snapshots of the same root that was
++               * received (has a received UUID) and reached a leaf's limit for
++               * an item. We can safely ignore this and avoid a transaction
++               * abort. A deletion of this snapshot will still work since we
++               * ignore if an item with a BTRFS_UUID_KEY_RECEIVED_SUBVOL key
++               * is missing (see btrfs_delete_subvolume()). Send/receive will
++               * work too since it peeks the first root id from the existing
++               * item (it could peek any), and in case it's missing it
++               * falls back to search by BTRFS_UUID_KEY_SUBVOL keys.
++               * Creation of a snapshot does not require CAP_SYS_ADMIN, so
++               * we don't want users triggering transaction aborts, either
++               * intentionally or not.
++               */
++              if (ret == -EOVERFLOW)
++                      ret = 0;
+               if (ret && ret != -EEXIST) {
+                       btrfs_abort_transaction(trans, ret);
+                       goto fail;
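Review bot: With `ret = 0` on -EOVERFLOW, the failure is now only visible through the btrfs_warn() that btrfs_uuid_tree_add() emits (the "insert uuid item failed -75 ... type 252!" line in the dmesg quoted above), and that path becomes reachable by any subvolume owner on every further snapshot of the same received root; presumably that message is not rate-limited, in which case this trades a forced-RO for unprivileged, repeatable kernel-log output. Worth either switching that message to btrfs_warn_rl() or suppressing it for the -EOVERFLOW case in uuid-tree.c, which is outside this patch but should be tracked alongside it. The ignored-overflow case also leaves the new snapshot with no BTRFS_UUID_KEY_RECEIVED_SUBVOL entry at all; the comment covers deletion and send/receive, but a one-liner stating that btrfs_uuid_tree_iterate() tolerates the missing entry too would make the invariant explicit (assuming it does — the hunk does not show it). create_pending_snapshot() starts and ends outside the hunk.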
diff --git a/queue-6.6/iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch b/queue-6.6/iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch
new file mode 100644 (file)
index 0000000..2ecb7af
--- /dev/null
@@ -0,0 +1,44 @@
+From stable+bounces-227374-greg=kroah.com@vger.kernel.org Thu Mar 19 20:36:05 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 15:35:58 -0400
+Subject: iio: light: bh1780: fix PM runtime leak on error path
+To: stable@vger.kernel.org
+Cc: Antoniu Miclaus <antoniu.miclaus@analog.com>, Linus Walleij <linusw@kernel.org>, Stable@vger.kernel.org, Jonathan Cameron <Jonathan.Cameron@huawei.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319193558.3026481-1-sashal@kernel.org>
+
+From: Antoniu Miclaus <antoniu.miclaus@analog.com>
+
+[ Upstream commit dd72e6c3cdea05cad24e99710939086f7a113fb5 ]
+
+Move pm_runtime_put_autosuspend() before the error check to ensure
+the PM runtime reference count is always decremented after
+pm_runtime_get_sync(), regardless of whether the read operation
+succeeds or fails.
+
+Fixes: 1f0477f18306 ("iio: light: new driver for the ROHM BH1780")
+Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
+Reviewed-by: Linus Walleij <linusw@kernel.org>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+[ moved both pm_runtime_mark_last_busy() and pm_runtime_put_autosuspend() before the error check instead of just pm_runtime_put_autosuspend() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/bh1780.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/light/bh1780.c
++++ b/drivers/iio/light/bh1780.c
+@@ -109,10 +109,10 @@ static int bh1780_read_raw(struct iio_de
+               case IIO_LIGHT:
+                       pm_runtime_get_sync(&bh1780->client->dev);
+                       value = bh1780_read_word(bh1780, BH1780_REG_DLOW);
+-                      if (value < 0)
+-                              return value;
+                       pm_runtime_mark_last_busy(&bh1780->client->dev);
+                       pm_runtime_put_autosuspend(&bh1780->client->dev);
++                      if (value < 0)
++                              return value;
+                       *val = value;
+                       return IIO_VAL_INT;
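Review bot: The return value of pm_runtime_get_sync() on the first context line is still ignored, so when the resume fails the register read is attempted anyway and the error that surfaces is the read's, not the resume's. Now that the put is unconditional, this could become `ret = pm_runtime_resume_and_get(&bh1780->client->dev); if (ret < 0) return ret;`, which drops the reference itself on failure and needs no put on that path; this assumes an `int ret` is available in the function and that the helper exists in this tree, neither of which the hunk shows. bh1780_read_raw() starts and ends outside the hunk.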
diff --git a/queue-6.6/kprobes-remove-unneeded-goto.patch b/queue-6.6/kprobes-remove-unneeded-goto.patch
new file mode 100644 (file)
index 0000000..94e7e7d
--- /dev/null
@@ -0,0 +1,106 @@
+From stable+bounces-227301-greg=kroah.com@vger.kernel.org Thu Mar 19 14:53:48 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 09:52:11 -0400
+Subject: kprobes: Remove unneeded goto
+To: stable@vger.kernel.org
+Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319135212.2484493-1-sashal@kernel.org>
+
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+
+[ Upstream commit 5e5b8b49335971b68b54afeb0e7ded004945af07 ]
+
+Remove unneeded gotos. Since the labels referred by these gotos have
+only one reference for each, we can replace those gotos with the
+referred code.
+
+Link: https://lore.kernel.org/all/173371211203.480397.13988907319659165160.stgit@devnote2/
+
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Stable-dep-of: 5ef268cb7a0a ("kprobes: Remove unneeded warnings from __arm_kprobe_ftrace()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kprobes.c |   45 +++++++++++++++++++++------------------------
+ 1 file changed, 21 insertions(+), 24 deletions(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1083,20 +1083,18 @@ static int __arm_kprobe_ftrace(struct kp
+       if (*cnt == 0) {
+               ret = register_ftrace_function(ops);
+-              if (WARN(ret < 0, "Failed to register kprobe-ftrace (error %d)\n", ret))
+-                      goto err_ftrace;
++              if (WARN(ret < 0, "Failed to register kprobe-ftrace (error %d)\n", ret)) {
++                      /*
++                       * At this point, sinec ops is not registered, we should be sefe from
++                       * registering empty filter.
++                       */
++                      ftrace_set_filter_ip(ops, (unsigned long)p->addr, 1, 0);
++                      return ret;
++              }
+       }
+       (*cnt)++;
+       return ret;
+-
+-err_ftrace:
+-      /*
+-       * At this point, sinec ops is not registered, we should be sefe from
+-       * registering empty filter.
+-       */
+-      ftrace_set_filter_ip(ops, (unsigned long)p->addr, 1, 0);
+-      return ret;
+ }
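Review bot: The comment moved into the error branch keeps the original typos on the new side, `sinec` and `sefe`; since these lines are being rewritten anyway, `* At this point, since ops is not registered, we should be safe from` / `* registering an empty filter.` would read correctly. The return value of the cleanup call `ftrace_set_filter_ip(ops, (unsigned long)p->addr, 1, 0)` is still discarded, which matches the removed code, but a short note on why a failure to remove the filter is acceptable there would help the next reader. __arm_kprobe_ftrace() starts outside the hunk.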
+ static int arm_kprobe_ftrace(struct kprobe *p)
+@@ -1457,7 +1455,7 @@ _kprobe_addr(kprobe_opcode_t *addr, cons
+            unsigned long offset, bool *on_func_entry)
+ {
+       if ((symbol_name && addr) || (!symbol_name && !addr))
+-              goto invalid;
++              return ERR_PTR(-EINVAL);
+       if (symbol_name) {
+               /*
+@@ -1487,11 +1485,10 @@ _kprobe_addr(kprobe_opcode_t *addr, cons
+        * at the start of the function.
+        */
+       addr = arch_adjust_kprobe_addr((unsigned long)addr, offset, on_func_entry);
+-      if (addr)
+-              return addr;
++      if (!addr)
++              return ERR_PTR(-EINVAL);
+-invalid:
+-      return ERR_PTR(-EINVAL);
++      return addr;
+ }
+ static kprobe_opcode_t *kprobe_addr(struct kprobe *p)
+@@ -1514,15 +1511,15 @@ static struct kprobe *__get_valid_kprobe
+       if (unlikely(!ap))
+               return NULL;
+-      if (p != ap) {
+-              list_for_each_entry(list_p, &ap->list, list)
+-                      if (list_p == p)
+-                      /* kprobe p is a valid probe */
+-                              goto valid;
+-              return NULL;
+-      }
+-valid:
+-      return ap;
++      if (p == ap)
++              return ap;
++
++      list_for_each_entry(list_p, &ap->list, list)
++              if (list_p == p)
++              /* kprobe p is a valid probe */
++                      return ap;
++
++      return NULL;
+ }
+ /*
diff --git a/queue-6.6/kprobes-remove-unneeded-warnings-from-__arm_kprobe_ftrace.patch b/queue-6.6/kprobes-remove-unneeded-warnings-from-__arm_kprobe_ftrace.patch
new file mode 100644 (file)
index 0000000..dc004fd
--- /dev/null
@@ -0,0 +1,45 @@
+From stable+bounces-227302-greg=kroah.com@vger.kernel.org Thu Mar 19 14:53:52 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 09:52:12 -0400
+Subject: kprobes: Remove unneeded warnings from __arm_kprobe_ftrace()
+To: stable@vger.kernel.org
+Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>, Zw Tang <shicenci@gmail.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260319135212.2484493-2-sashal@kernel.org>
+
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+
+[ Upstream commit 5ef268cb7a0aac55521fd9881f1939fa94a8988e ]
+
+Remove unneeded warnings for handled errors from __arm_kprobe_ftrace()
+because all callers handle the error correctly.
+
+Link: https://lore.kernel.org/all/177261531182.1312989.8737778408503961141.stgit@mhiramat.tok.corp.google.com/
+
+Reported-by: Zw Tang <shicenci@gmail.com>
+Closes: https://lore.kernel.org/all/CAPHJ_V+J6YDb_wX2nhXU6kh466Dt_nyDSas-1i_Y8s7tqY-Mzw@mail.gmail.com/
+Fixes: 9c89bb8e3272 ("kprobes: treewide: Cleanup the error messages for kprobes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kprobes.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1078,12 +1078,12 @@ static int __arm_kprobe_ftrace(struct kp
+       lockdep_assert_held(&kprobe_mutex);
+       ret = ftrace_set_filter_ip(ops, (unsigned long)p->addr, 0, 0);
+-      if (WARN_ONCE(ret < 0, "Failed to arm kprobe-ftrace at %pS (error %d)\n", p->addr, ret))
++      if (ret < 0)
+               return ret;
+       if (*cnt == 0) {
+               ret = register_ftrace_function(ops);
+-              if (WARN(ret < 0, "Failed to register kprobe-ftrace (error %d)\n", ret)) {
++              if (ret < 0) {
+                       /*
+                        * At this point, sinec ops is not registered, we should be sefe from
+                        * registering empty filter.
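Review bot: With both WARNs removed, nothing at this site explains why a failing ftrace_set_filter_ip() or register_ftrace_function() is not a kernel bug, and the description only says the callers handle it. A one-line comment above the first `if (ret < 0)`, such as `/* Errors here are handled by the callers; this is not a kernel bug, so do not WARN. */`, would stop a later reader from putting the WARN back. If these paths are reachable from the kprobe user interfaces, the old WARN_ONCE was also a crash under panic_on_warn, which is presumably part of the motivation and worth stating in the description. The function body continues past the end of the hunk.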
diff --git a/queue-6.6/ksmbd-unset-conn-binding-on-failed-binding-request.patch b/queue-6.6/ksmbd-unset-conn-binding-on-failed-binding-request.patch
new file mode 100644 (file)
index 0000000..5d77c12
--- /dev/null
@@ -0,0 +1,35 @@
+From 282343cf8a4a5a3603b1cb0e17a7083e4a593b03 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 13 Mar 2026 10:00:58 +0900
+Subject: ksmbd: unset conn->binding on failed binding request
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 282343cf8a4a5a3603b1cb0e17a7083e4a593b03 upstream.
+
+When a multichannel SMB2_SESSION_SETUP request with
+SMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true
+but never clears it on the error path. This leaves the connection in
+a binding state where all subsequent ksmbd_session_lookup_all() calls
+fall back to the global sessions table. Fix this by setting
+conn->binding = false in the error path.
+
+Cc: stable@vger.kernel.org
+Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1934,6 +1934,7 @@ out_err:
+                       }
+               }
+               smb2_set_err_rsp(work);
++              conn->binding = false;
+       } else {
+               unsigned int iov_len;
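Review bot: The new `conn->binding = false;` carries no comment, and the reason matters: per the description a failed SMB2_SESSION_SETUP binding otherwise leaves the connection permanently in binding mode, where ksmbd_session_lookup_all() falls back to the global session table. Suggest `/* A failed binding must not leave the connection able to look up sessions from the global table. */` above it. The clear is unconditional on every error of this function, so it also runs for non-binding setups; that is presumably harmless if binding is only set on the binding path, but where it is set is outside this hunk, so please confirm. The out_err block belongs to a function that starts outside the hunk.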
diff --git a/queue-6.6/net-macb-introduce-gem_init_rx_ring.patch b/queue-6.6/net-macb-introduce-gem_init_rx_ring.patch
new file mode 100644 (file)
index 0000000..f820887
--- /dev/null
@@ -0,0 +1,56 @@
+From stable+bounces-227558-greg=kroah.com@vger.kernel.org Fri Mar 20 16:09:49 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Mar 2026 10:57:45 -0400
+Subject: net: macb: Introduce gem_init_rx_ring()
+To: stable@vger.kernel.org
+Cc: Kevin Hao <haokexin@gmail.com>, Simon Horman <horms@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260320145746.4187361-2-sashal@kernel.org>
+
+From: Kevin Hao <haokexin@gmail.com>
+
+[ Upstream commit 1a7124ecd655bcaf1845197fe416aa25cff4c3ea ]
+
+Extract the initialization code for the GEM RX ring into a new function.
+This change will be utilized in a subsequent patch. No functional changes
+are introduced.
+
+Signed-off-by: Kevin Hao <haokexin@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260312-macb-versal-v1-1-467647173fa4@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 718d0766ce4c ("net: macb: Reinitialize tx/rx queue pointer registers and rx ring during resume")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -2700,6 +2700,14 @@ static void macb_init_tieoff(struct macb
+       desc->ctrl = 0;
+ }
++static void gem_init_rx_ring(struct macb_queue *queue)
++{
++      queue->rx_tail = 0;
++      queue->rx_prepared_head = 0;
++
++      gem_rx_refill(queue);
++}
++
+ static void gem_init_rings(struct macb *bp)
+ {
+       struct macb_queue *queue;
+@@ -2717,10 +2725,7 @@ static void gem_init_rings(struct macb *
+               queue->tx_head = 0;
+               queue->tx_tail = 0;
+-              queue->rx_tail = 0;
+-              queue->rx_prepared_head = 0;
+-
+-              gem_rx_refill(queue);
++              gem_init_rx_ring(queue);
+       }
+       macb_init_tieoff(bp);
diff --git a/queue-6.6/net-macb-queue-tie-off-or-disable-during-wol-suspend.patch b/queue-6.6/net-macb-queue-tie-off-or-disable-during-wol-suspend.patch
new file mode 100644 (file)
index 0000000..d5445eb
--- /dev/null
@@ -0,0 +1,190 @@
+From stable+bounces-227557-greg=kroah.com@vger.kernel.org Fri Mar 20 16:06:53 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Mar 2026 10:57:44 -0400
+Subject: net: macb: queue tie-off or disable during WOL suspend
+To: stable@vger.kernel.org
+Cc: Vineeth Karumanchi <vineeth.karumanchi@amd.com>, Harini Katakam <harini.katakam@amd.com>, Andrew Lunn <andrew@lunn.ch>, Claudiu Beznea <claudiu.beznea@tuxon.dev>, Paolo Abeni <pabeni@redhat.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260320145746.4187361-1-sashal@kernel.org>
+
+From: Vineeth Karumanchi <vineeth.karumanchi@amd.com>
+
+[ Upstream commit 759cc793ebfc2d1a02f357ae97e5dcdcd63f758f ]
+
+When GEM is used as a wake device, it is not mandatory for the RX DMA
+to be active. The RX engine in IP only needs to receive and identify
+a wake packet through an interrupt. The wake packet is of no further
+significance; hence, it is not required to be copied into memory.
+By disabling RX DMA during suspend, we can avoid unnecessary DMA
+processing of any incoming traffic.
+
+During suspend, perform either of the below operations:
+
+- tie-off/dummy descriptor: Disable unused queues by connecting
+  them to a looped descriptor chain without free slots.
+
+- queue disable: The newer IP version allows disabling individual queues.
+
+Co-developed-by: Harini Katakam <harini.katakam@amd.com>
+Signed-off-by: Harini Katakam <harini.katakam@amd.com>
+Signed-off-by: Vineeth Karumanchi <vineeth.karumanchi@amd.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Tested-by: Claudiu Beznea <claudiu.beznea@tuxon.dev> # on SAMA7G5
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 718d0766ce4c ("net: macb: Reinitialize tx/rx queue pointer registers and rx ring during resume")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cadence/macb.h      |    7 +++
+ drivers/net/ethernet/cadence/macb_main.c |   60 +++++++++++++++++++++++++++++--
+ 2 files changed, 64 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/cadence/macb.h
++++ b/drivers/net/ethernet/cadence/macb.h
+@@ -645,6 +645,10 @@
+ #define GEM_T2OFST_OFFSET                     0 /* offset value */
+ #define GEM_T2OFST_SIZE                               7
++/* Bitfields in queue pointer registers */
++#define MACB_QUEUE_DISABLE_OFFSET             0 /* disable queue */
++#define MACB_QUEUE_DISABLE_SIZE                       1
++
+ /* Offset for screener type 2 compare values (T2CMPOFST).
+  * Note the offset is applied after the specified point,
+  * e.g. GEM_T2COMPOFST_ETYPE denotes the EtherType field, so an offset
+@@ -733,6 +737,7 @@
+ #define MACB_CAPS_NEEDS_RSTONUBR              0x00000100
+ #define MACB_CAPS_MIIONRGMII                  0x00000200
+ #define MACB_CAPS_NEED_TSUCLK                 0x00000400
++#define MACB_CAPS_QUEUE_DISABLE                       0x00000800
+ #define MACB_CAPS_PCS                         0x01000000
+ #define MACB_CAPS_HIGH_SPEED                  0x02000000
+ #define MACB_CAPS_CLK_HW_CHG                  0x04000000
+@@ -1253,6 +1258,8 @@ struct macb {
+       u32     (*macb_reg_readl)(struct macb *bp, int offset);
+       void    (*macb_reg_writel)(struct macb *bp, int offset, u32 value);
++      struct macb_dma_desc    *rx_ring_tieoff;
++      dma_addr_t              rx_ring_tieoff_dma;
+       size_t                  rx_buffer_size;
+       unsigned int            rx_ring_size;
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -2573,6 +2573,12 @@ static void macb_free_consistent(struct
+       unsigned int q;
+       int size;
++      if (bp->rx_ring_tieoff) {
++              dma_free_coherent(&bp->pdev->dev, macb_dma_desc_get_size(bp),
++                                bp->rx_ring_tieoff, bp->rx_ring_tieoff_dma);
++              bp->rx_ring_tieoff = NULL;
++      }
++
+       bp->macbgem_ops.mog_free_rx_buffers(bp);
+       for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue) {
+@@ -2664,6 +2670,16 @@ static int macb_alloc_consistent(struct
+       if (bp->macbgem_ops.mog_alloc_rx_buffers(bp))
+               goto out_err;
++      /* Required for tie off descriptor for PM cases */
++      if (!(bp->caps & MACB_CAPS_QUEUE_DISABLE)) {
++              bp->rx_ring_tieoff = dma_alloc_coherent(&bp->pdev->dev,
++                                                      macb_dma_desc_get_size(bp),
++                                                      &bp->rx_ring_tieoff_dma,
++                                                      GFP_KERNEL);
++              if (!bp->rx_ring_tieoff)
++                      goto out_err;
++      }
++
+       return 0;
+ out_err:
+@@ -2671,6 +2687,19 @@ out_err:
+       return -ENOMEM;
+ }
++static void macb_init_tieoff(struct macb *bp)
++{
++      struct macb_dma_desc *desc = bp->rx_ring_tieoff;
++
++      if (bp->caps & MACB_CAPS_QUEUE_DISABLE)
++              return;
++      /* Setup a wrapping descriptor with no free slots
++       * (WRAP and USED) to tie off/disable unused RX queues.
++       */
++      macb_set_addr(bp, desc, MACB_BIT(RX_WRAP) | MACB_BIT(RX_USED));
++      desc->ctrl = 0;
++}
++
+ static void gem_init_rings(struct macb *bp)
+ {
+       struct macb_queue *queue;
+@@ -2694,6 +2723,7 @@ static void gem_init_rings(struct macb *
+               gem_rx_refill(queue);
+       }
++      macb_init_tieoff(bp);
+ }
+ static void macb_init_rings(struct macb *bp)
+@@ -2711,6 +2741,8 @@ static void macb_init_rings(struct macb
+       bp->queues[0].tx_head = 0;
+       bp->queues[0].tx_tail = 0;
+       desc->ctrl |= MACB_BIT(TX_WRAP);
++
++      macb_init_tieoff(bp);
+ }
+ static void macb_reset_hw(struct macb *bp)
+@@ -5302,6 +5334,7 @@ static int __maybe_unused macb_suspend(s
+       unsigned long flags;
+       unsigned int q;
+       int err;
++      u32 tmp;
+       if (!device_may_wakeup(&bp->dev->dev))
+               phy_exit(bp->sgmii_phy);
+@@ -5311,17 +5344,38 @@ static int __maybe_unused macb_suspend(s
+       if (bp->wol & MACB_WOL_ENABLED) {
+               spin_lock_irqsave(&bp->lock, flags);
+-              /* Flush all status bits */
+-              macb_writel(bp, TSR, -1);
+-              macb_writel(bp, RSR, -1);
++
++              /* Disable Tx and Rx engines before  disabling the queues,
++               * this is mandatory as per the IP spec sheet
++               */
++              tmp = macb_readl(bp, NCR);
++              macb_writel(bp, NCR, tmp & ~(MACB_BIT(TE) | MACB_BIT(RE)));
+               for (q = 0, queue = bp->queues; q < bp->num_queues;
+                    ++q, ++queue) {
++                      /* Disable RX queues */
++                      if (bp->caps & MACB_CAPS_QUEUE_DISABLE) {
++                              queue_writel(queue, RBQP, MACB_BIT(QUEUE_DISABLE));
++                      } else {
++                              /* Tie off RX queues */
++                              queue_writel(queue, RBQP,
++                                           lower_32_bits(bp->rx_ring_tieoff_dma));
++#ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT
++                              queue_writel(queue, RBQPH,
++                                           upper_32_bits(bp->rx_ring_tieoff_dma));
++#endif
++                      }
+                       /* Disable all interrupts */
+                       queue_writel(queue, IDR, -1);
+                       queue_readl(queue, ISR);
+                       if (bp->caps & MACB_CAPS_ISR_CLEAR_ON_WRITE)
+                               queue_writel(queue, ISR, -1);
+               }
++              /* Enable Receive engine */
++              macb_writel(bp, NCR, tmp | MACB_BIT(RE));
++              /* Flush all status bits */
++              macb_writel(bp, TSR, -1);
++              macb_writel(bp, RSR, -1);
++
+               /* Change interrupt handler and
+                * Enable WoL IRQ on queue 0
+                */
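Review bot: The write `macb_writel(bp, NCR, tmp | MACB_BIT(RE))` under the comment "Enable Receive engine" restores the saved NCR as a whole, so TE comes back as well whenever it was set before the queues were disabled; if only the receiver is meant to run during WoL suspend, `macb_writel(bp, NCR, (tmp & ~MACB_BIT(TE)) | MACB_BIT(RE));` says so, otherwise the comment should say the engines are being restored. The RBQPH write in the tie-off branch is guarded only by CONFIG_ARCH_DMA_ADDR_T_64BIT; if, as I recall, the other RBQPH writes in this driver are additionally gated on the HW_DMA_CAP_64B capability, the tie-off path should match, but that code is not in this hunk. macb_suspend() starts and ends outside the hunk.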
diff --git a/queue-6.6/net-macb-reinitialize-tx-rx-queue-pointer-registers-and-rx-ring-during-resume.patch b/queue-6.6/net-macb-reinitialize-tx-rx-queue-pointer-registers-and-rx-ring-during-resume.patch
new file mode 100644 (file)
index 0000000..51959f9
--- /dev/null
@@ -0,0 +1,61 @@
+From stable+bounces-227559-greg=kroah.com@vger.kernel.org Fri Mar 20 16:07:11 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Mar 2026 10:57:46 -0400
+Subject: net: macb: Reinitialize tx/rx queue pointer registers and rx ring during resume
+To: stable@vger.kernel.org
+Cc: Kevin Hao <haokexin@gmail.com>, Quanyang Wang <quanyang.wang@windriver.com>, Simon Horman <horms@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260320145746.4187361-3-sashal@kernel.org>
+
+From: Kevin Hao <haokexin@gmail.com>
+
+[ Upstream commit 718d0766ce4c7634ce62fa78b526ea7263487edd ]
+
+On certain platforms, such as AMD Versal boards, the tx/rx queue pointer
+registers are cleared after suspend, and the rx queue pointer register
+is also disabled during suspend if WOL is enabled. Previously, we assumed
+that these registers would be restored by macb_mac_link_up(). However,
+in commit bf9cf80cab81, macb_init_buffers() was moved from
+macb_mac_link_up() to macb_open(). Therefore, we should call
+macb_init_buffers() to reinitialize the tx/rx queue pointer registers
+during resume.
+
+Due to the reset of these two registers, we also need to adjust the
+tx/rx rings accordingly. The tx ring will be handled by
+gem_shuffle_tx_rings() in macb_mac_link_up(), so we only need to
+initialize the rx ring here.
+
+Fixes: bf9cf80cab81 ("net: macb: Fix tx/rx malfunction after phy link down and up")
+Reported-by: Quanyang Wang <quanyang.wang@windriver.com>
+Signed-off-by: Kevin Hao <haokexin@gmail.com>
+Tested-by: Quanyang Wang <quanyang.wang@windriver.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260312-macb-versal-v1-2-467647173fa4@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -5500,8 +5500,18 @@ static int __maybe_unused macb_resume(st
+               rtnl_unlock();
+       }
++      if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC))
++              macb_init_buffers(bp);
++
+       for (q = 0, queue = bp->queues; q < bp->num_queues;
+            ++q, ++queue) {
++              if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC)) {
++                      if (macb_is_gem(bp))
++                              gem_init_rx_ring(queue);
++                      else
++                              macb_init_rx_ring(queue);
++              }
++
+               napi_enable(&queue->napi_rx);
+               napi_enable(&queue->napi_tx);
+       }
diff --git a/queue-6.6/nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch b/queue-6.6/nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch
new file mode 100644 (file)
index 0000000..4acbc35
--- /dev/null
@@ -0,0 +1,97 @@
+From stable+bounces-227519-greg=kroah.com@vger.kernel.org Fri Mar 20 12:25:10 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Mar 2026 07:21:17 -0400
+Subject: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
+To: stable@vger.kernel.org
+Cc: Jeff Layton <jlayton@kernel.org>, stable@kernel.org, Nicholas Carlini <npc@anthropic.com>, Chuck Lever <chuck.lever@oracle.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260320112117.3880626-1-sashal@kernel.org>
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 5133b61aaf437e5f25b1b396b14242a6bb0508e2 ]
+
+The NFSv4.0 replay cache uses a fixed 112-byte inline buffer
+(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.
+This size was calculated based on OPEN responses and does not account
+for LOCK denied responses, which include the conflicting lock owner as
+a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).
+
+When a LOCK operation is denied due to a conflict with an existing lock
+that has a large owner, nfsd4_encode_operation() copies the full encoded
+response into the undersized replay buffer via read_bytes_from_xdr_buf()
+with no bounds check. This results in a slab-out-of-bounds write of up
+to 944 bytes past the end of the buffer, corrupting adjacent heap memory.
+
+This can be triggered remotely by an unauthenticated attacker with two
+cooperating NFSv4.0 clients: one sets a lock with a large owner string,
+then the other requests a conflicting lock to provoke the denial.
+
+We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full
+opaque, but that would increase the size of every stateowner, when most
+lockowners are not that large.
+
+Instead, fix this by checking the encoded response length against
+NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the
+response is too large, set rp_buflen to 0 to skip caching the replay
+payload. The status is still cached, and the client already received the
+correct response on the original request.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@kernel.org
+Reported-by: Nicholas Carlini <npc@anthropic.com>
+Tested-by: Nicholas Carlini <npc@anthropic.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+[ replaced `op_status_offset + XDR_UNIT` with existing `post_err_offset` variable ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4xdr.c |    9 +++++++--
+ fs/nfsd/state.h   |   17 ++++++++++++-----
+ 2 files changed, 19 insertions(+), 7 deletions(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -5425,9 +5425,14 @@ nfsd4_encode_operation(struct nfsd4_comp
+               int len = xdr->buf->len - post_err_offset;
+               so->so_replay.rp_status = op->status;
+-              so->so_replay.rp_buflen = len;
+-              read_bytes_from_xdr_buf(xdr->buf, post_err_offset,
++              if (len <= NFSD4_REPLAY_ISIZE) {
++                      so->so_replay.rp_buflen = len;
++                      read_bytes_from_xdr_buf(xdr->buf,
++                                              post_err_offset,
+                                               so->so_replay.rp_buf, len);
++              } else {
++                      so->so_replay.rp_buflen = 0;
++              }
+       }
+ status:
+       *p = op->status;
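Review bot: The new else branch drops the payload silently, and a reader will not know what a client that replays such a LOCK gets back. A comment such as `/* Too large for rp_ibuf: cache the status only; the client already got the full reply. */` would carry that, and it is worth confirming in the replay encoder (not in this hunk) that rp_buflen == 0 encodes cleanly, since the client then receives a status with no LOCK4denied body. `len` is an int derived from xdr->buf->len, so the `<=` test relies on it being non-negative; that holds if post_err_offset lies inside the current buffer, which the hunk does not show. nfsd4_encode_operation() starts and ends outside the hunk.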
+--- a/fs/nfsd/state.h
++++ b/fs/nfsd/state.h
+@@ -430,11 +430,18 @@ struct nfs4_client_reclaim {
+       struct xdr_netobj       cr_princhash;
+ };
+-/* A reasonable value for REPLAY_ISIZE was estimated as follows:  
+- * The OPEN response, typically the largest, requires 
+- *   4(status) + 8(stateid) + 20(changeinfo) + 4(rflags) +  8(verifier) + 
+- *   4(deleg. type) + 8(deleg. stateid) + 4(deleg. recall flag) + 
+- *   20(deleg. space limit) + ~32(deleg. ace) = 112 bytes 
++/*
++ * REPLAY_ISIZE is sized for an OPEN response with delegation:
++ *   4(status) + 8(stateid) + 20(changeinfo) + 4(rflags) +
++ *   8(verifier) + 4(deleg. type) + 8(deleg. stateid) +
++ *   4(deleg. recall flag) + 20(deleg. space limit) +
++ *   ~32(deleg. ace) = 112 bytes
++ *
++ * Some responses can exceed this. A LOCK denial includes the conflicting
++ * lock owner, which can be up to 1024 bytes (NFS4_OPAQUE_LIMIT). Responses
++ * larger than REPLAY_ISIZE are not cached in rp_ibuf; only rp_status is
++ * saved. Enlarging this constant increases the size of every
++ * nfs4_stateowner.
+  */
+ #define NFSD4_REPLAY_ISIZE       112 
index 1332abf0143791216b3bb5735fd437537df0a30e..612a89dccbc7497531fc144d45f15a25b64eefa9 100644 (file)
@@ -458,3 +458,16 @@ net-macb-fix-use-after-free-access-to-ptp-clock.patch
 parisc-flush-correct-cache-in-cacheflush-syscall.patch
 bluetooth-l2cap-fix-type-confusion-in-l2cap_ecred_reconf_rsp.patch
 bluetooth-l2cap-validate-l2cap_info_rsp-payload-length-before-access.patch
+smb-client-fix-krb5-mount-with-username-option.patch
+ksmbd-unset-conn-binding-on-failed-binding-request.patch
+kprobes-remove-unneeded-goto.patch
+kprobes-remove-unneeded-warnings-from-__arm_kprobe_ftrace.patch
+btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch
+btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch
+btrfs-fix-transaction-abort-on-file-creation-due-to-name-hash-collision.patch
+iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch
+batman-adv-avoid-ogm-aggregation-when-skb-tailroom-is-insufficient.patch
+nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch
+net-macb-queue-tie-off-or-disable-during-wol-suspend.patch
+net-macb-introduce-gem_init_rx_ring.patch
+net-macb-reinitialize-tx-rx-queue-pointer-registers-and-rx-ring-during-resume.patch
diff --git a/queue-6.6/smb-client-fix-krb5-mount-with-username-option.patch b/queue-6.6/smb-client-fix-krb5-mount-with-username-option.patch
new file mode 100644 (file)
index 0000000..fe49b02
--- /dev/null
@@ -0,0 +1,67 @@
+From 12b4c5d98cd7ca46d5035a57bcd995df614c14e1 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@manguebit.org>
+Date: Fri, 13 Mar 2026 00:03:38 -0300
+Subject: smb: client: fix krb5 mount with username option
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+commit 12b4c5d98cd7ca46d5035a57bcd995df614c14e1 upstream.
+
+Customer reported that some of their krb5 mounts were failing against
+a single server as the client was trying to mount the shares with
+wrong credentials.  It turned out the client was reusing SMB session
+from first mount to try mounting the other shares, even though a
+different username= option had been specified to the other mounts.
+
+By using username mount option along with sec=krb5 to search for
+principals from keytab is supported by cifs.upcall(8) since
+cifs-utils-4.8.  So fix this by matching username mount option in
+match_session() even with Kerberos.
+
+For example, the second mount below should fail with -ENOKEY as there
+is no 'foobar' principal in keytab (/etc/krb5.keytab).  The client
+ends up reusing SMB session from first mount to perform the second
+one, which is wrong.
+
+```
+$ ktutil
+ktutil:  add_entry -password -p testuser -k 1 -e aes256-cts
+Password for testuser@ZELDA.TEST:
+ktutil:  write_kt /etc/krb5.keytab
+ktutil:  quit
+$ klist -ke
+Keytab name: FILE:/etc/krb5.keytab
+KVNO Principal
+ ---- ----------------------------------------------------------------
+   1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96)
+$ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser
+$ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar
+$ mount -t cifs | grep -Po 'username=\K\w+'
+testuser
+testuser
+```
+
+Reported-by: Oscar Santos <ossantos@redhat.com>
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Cc: David Howells <dhowells@redhat.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/connect.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -1922,6 +1922,10 @@ static int match_session(struct cifs_ses
+       case Kerberos:
+               if (!uid_eq(ctx->cred_uid, ses->cred_uid))
+                       return 0;
++              if (strncmp(ses->user_name ?: "",
++                          ctx->username ?: "",
++                          CIFS_MAX_USERNAME_LEN))
++                      return 0;
+               break;
+       case NTLMv2:
+       case RawNTLMSSP:
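Review bot: The new strncmp in the Kerberos case is the check that stops a mount with a different username= from silently inheriting the SMB session (and thus the credentials) of an earlier mount, and nothing in the hunk says so; a comment above it would help, e.g. `/* username= selects the keytab principal (cifs.upcall), so sessions must not be shared across different usernames */`. Two properties of the comparison are also worth stating in that comment: a NULL name on either side is compared as "", so a krb5 mount without username= never reuses a session created with one, and names that agree in their first CIFS_MAX_USERNAME_LEN bytes are treated as equal, which is only sound if both names are already bounded by that length elsewhere (not visible here). The enclosing match_session() starts and ends outside the hunk.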