--- /dev/null
+From 2f12ae7bbd6511b6231eb5ed98145ee7ad3ec633 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Apr 2026 08:36:37 -0700
+Subject: ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands
+
+From: Igor Pylypiv <ipylypiv@google.com>
+
+[ Upstream commit 8ebf408e7d463eee02c348a3c8277b95587b710d ]
+
+Commit 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation")
+introduced ata_scsi_requeue_deferred_qc() to handle commands deferred
+during resets or NCQ failures. This deferral logic completed commands
+with DID_SOFT_ERROR to trigger a retry in the SCSI mid-layer.
+
+However, DID_SOFT_ERROR is subject to scsi_cmd_retry_allowed() checks.
+ATA PASS-THROUGH commands sent via SG_IO ioctl have scmd->allowed set
+to zero. This causes the mid-layer to fail the command immediately
+instead of retrying, even though the command was never actually issued
+to the hardware.
+
+Switch to DID_REQUEUE to ensure these commands are inserted back into
+the request queue regardless of retry limits.
+
+Fixes: 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation")
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Igor Pylypiv <ipylypiv@google.com>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-scsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
+index b55443e31f403..f3d0979082cb5 100644
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -1705,7 +1705,7 @@ void ata_scsi_requeue_deferred_qc(struct ata_port *ap)
+ /*
+ * If we have a deferred qc when a reset occurs or NCQ commands fail,
+ * do not try to be smart about what to do with this deferred command
+- * and simply retry it by completing it with DID_SOFT_ERROR.
++ * and simply requeue it by completing it with DID_REQUEUE.
+ */
+ if (!qc)
+ return;
+@@ -1714,7 +1714,7 @@ void ata_scsi_requeue_deferred_qc(struct ata_port *ap)
+ ap->deferred_qc = NULL;
+ cancel_work(&ap->deferred_qc_work);
+ ata_qc_free(qc);
+- scmd->result = (DID_SOFT_ERROR << 16);
++ scmd->result = (DID_REQUEUE << 16);
+ scsi_done(scmd);
+ }
+
+--
+2.53.0
+
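Review bot: The updated comment in ata_scsi_requeue_deferred_qc() names DID_REQUEUE but not why it replaces DID_SOFT_ERROR, and that reason is the whole fix. I would extend the comment with something like `DID_REQUEUE is not limited by scmd->allowed, so SG_IO pass-through commands (allowed == 0) are requeued instead of failed`. Because requeueing ignores the retry limit, it is also worth confirming that nothing can defer the same command indefinitely; the callers and the start of the function are outside this hunk. The two other copies of this patch further down the page carry the same change.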
--- /dev/null
+From 363a4b85c0423884376ebce00390e50c4d599e83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 May 2026 15:55:04 +0800
+Subject: netfilter: nf_tables: unconditionally bump set->nelems before
+ insertion
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit def602e498a4f951da95c95b1b8ce8ae68aa733a ]
+
+In case that the set is full, a new element gets published then removed
+without waiting for the RCU grace period, while RCU reader can be
+walking over it already.
+
+To address this issue, add the element transaction even if set is full,
+but toggle the set_full flag to report -ENFILE so the abort path safely
+unwinds the set to its previous state.
+
+As for element updates, decrement set->nelems to restore it.
+
+A simpler fix is to call synchronize_rcu() in the error path.
+However, with a large batch adding elements to already maxed-out set,
+this could cause noticeable slowdown of such batches.
+
+Fixes: 35d0ac9070ef ("netfilter: nf_tables: fix set->nelems counting with no NLM_F_EXCL")
+Reported-by: Inseo An <y0un9sa@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+[ Minor conflict resolved. ]
+Signed-off-by: Li hongliang <1468888505@139.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index e373afdf0f072..838c9f49e4e01 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6981,6 +6981,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ enum nft_registers dreg;
+ struct nft_trans *trans;
+ u8 update_flags;
++ bool set_full = false;
+ u64 expiration;
+ u64 timeout;
+ int err, i;
+@@ -7267,10 +7268,18 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ if (err < 0)
+ goto err_elem_free;
+
++ if (!(flags & NFT_SET_ELEM_CATCHALL)) {
++ unsigned int max = nft_set_maxsize(set), nelems;
++
++ nelems = atomic_inc_return(&set->nelems);
++ if (nelems > max)
++ set_full = true;
++ }
++
+ trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
+ if (trans == NULL) {
+ err = -ENOMEM;
+- goto err_elem_free;
++ goto err_set_size;
+ }
+
+ ext->genmask = nft_genmask_cur(ctx->net);
+@@ -7312,7 +7321,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ nft_trans_elem_priv(trans) = elem_priv;
+ nft_trans_elem_update_flags(trans) = update_flags;
+ nft_trans_commit_list_add_tail(ctx->net, trans);
+- goto err_elem_free;
++ goto err_set_size;
+ }
+ }
+ }
+@@ -7330,23 +7339,16 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ goto err_element_clash;
+ }
+
+- if (!(flags & NFT_SET_ELEM_CATCHALL)) {
+- unsigned int max = nft_set_maxsize(set);
+-
+- if (!atomic_add_unless(&set->nelems, 1, max)) {
+- err = -ENFILE;
+- goto err_set_full;
+- }
+- }
+-
+ nft_trans_elem_priv(trans) = elem.priv;
+ nft_trans_commit_list_add_tail(ctx->net, trans);
+- return 0;
+
+-err_set_full:
+- nft_setelem_remove(ctx->net, set, elem.priv);
++ return set_full ? -ENFILE : 0;
++
+ err_element_clash:
+ kfree(trans);
++err_set_size:
++ if (!(flags & NFT_SET_ELEM_CATCHALL))
++ atomic_dec(&set->nelems);
+ err_elem_free:
+ nf_tables_set_elem_destroy(ctx, set, elem.priv);
+ err_parse_data:
+--
+2.53.0
+
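Review bot: `return set_full ? -ENFILE : 0;` now returns an error after the transaction has already been queued with nft_trans_commit_list_add_tail(), and nothing in the code says this is intended. A comment at that return, e.g. `/* element stays queued; the caller must abort the batch so the abort path unwinds it and set->nelems */`, would keep a later cleanup from turning it back into an immediate removal, which is the RCU lifetime problem this patch closes. Because set->nelems can now sit above the limit until the abort runs, any remaining user that still tests the limit with `atomic_add_unless(&set->nelems, 1, max)` would no longer be stopped by it; no such user is visible from this hunk, so this needs checking. The second backport of this patch later on the page has the same return and the same counter handling.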
kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch
kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch
bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch
+netfilter-nf_tables-unconditionally-bump-set-nelems-.patch
+ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch
--- /dev/null
+From 9f9e67b9f13276d68d001926cca7066a96dc1b3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Apr 2026 08:36:37 -0700
+Subject: ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands
+
+From: Igor Pylypiv <ipylypiv@google.com>
+
+[ Upstream commit 8ebf408e7d463eee02c348a3c8277b95587b710d ]
+
+Commit 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation")
+introduced ata_scsi_requeue_deferred_qc() to handle commands deferred
+during resets or NCQ failures. This deferral logic completed commands
+with DID_SOFT_ERROR to trigger a retry in the SCSI mid-layer.
+
+However, DID_SOFT_ERROR is subject to scsi_cmd_retry_allowed() checks.
+ATA PASS-THROUGH commands sent via SG_IO ioctl have scmd->allowed set
+to zero. This causes the mid-layer to fail the command immediately
+instead of retrying, even though the command was never actually issued
+to the hardware.
+
+Switch to DID_REQUEUE to ensure these commands are inserted back into
+the request queue regardless of retry limits.
+
+Fixes: 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation")
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Igor Pylypiv <ipylypiv@google.com>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-scsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
+index 88689369db03d..e7c78b8d3c2c0 100644
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -1691,7 +1691,7 @@ void ata_scsi_requeue_deferred_qc(struct ata_port *ap)
+ /*
+ * If we have a deferred qc when a reset occurs or NCQ commands fail,
+ * do not try to be smart about what to do with this deferred command
+- * and simply retry it by completing it with DID_SOFT_ERROR.
++ * and simply requeue it by completing it with DID_REQUEUE.
+ */
+ if (!qc)
+ return;
+@@ -1700,7 +1700,7 @@ void ata_scsi_requeue_deferred_qc(struct ata_port *ap)
+ ap->deferred_qc = NULL;
+ cancel_work(&ap->deferred_qc_work);
+ ata_qc_free(qc);
+- scmd->result = (DID_SOFT_ERROR << 16);
++ scmd->result = (DID_REQUEUE << 16);
+ scsi_done(scmd);
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 6b37dea0b15bbd4a1b98f14dd22e5645223e741e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 May 2026 10:48:16 -0700
+Subject: fuse: avoid 0x10 fault in fuse_readahead when max_pages == 0
+
+From: Vlad Poenaru <vlad.wing@gmail.com>
+
+[ Upstream commit 4ea907108a5c ("fuse: use iomap for readahead") ]
+
+The upstream fix is the iomap conversion in commit 4ea907108a5c
+("fuse: use iomap for readahead"), which rewrote fuse_readahead()
+entirely and removed the buggy loop along with it. That refactor
+is too invasive to backport to the pre-iomap readahead path still
+used by 6.18.y (and earlier stable branches), so this is a minimal,
+equivalent fix to the same bug on those branches.
+
+When fc->max_read is smaller than PAGE_SIZE (common on aarch64 with
+64K base pages if the FUSE server advertises a small max_read in INIT),
+max_pages = min(fc->max_pages, fc->max_read / PAGE_SIZE) is 0, so
+cur_pages is 0 on every outer iteration.
+
+fuse_io_alloc(NULL, 0) then calls fuse_folios_alloc(0, ...), which
+calls kzalloc(0, ...) and gets back ZERO_SIZE_PTR == (void *)16.
+The "if (!ia->ap.folios)" guard in fuse_io_alloc does not catch
+ZERO_SIZE_PTR, so fuse_io_alloc happily returns an ia whose
+ap.folios is 0x10.
+
+The inner "while (pages < cur_pages)" loop runs zero times, then
+fuse_send_readpages(ia, ...) dereferences ap->folios[0] in
+folio_pos(), faulting at virtual address 0x10:
+
+ Unable to handle kernel NULL pointer dereference at virtual address
+ 0000000000000010
+ fuse_readahead+0x14c/0x490
+ read_pages+0x80/0x318
+ page_cache_ra_unbounded+0x1c0/0x2b0
+ page_cache_ra_order+0xb8/0x368
+ page_cache_sync_ra+0x210/0x320
+ filemap_get_pages+0x290/0xdb0
+ generic_file_read_iter+0xd0/0x540
+ fuse_file_read_iter+0x8c/0x158
+ __arm64_sys_read+0x1a0/0x488
+
+addr2line on the aarch64 vmlinux maps fuse_readahead+0x14c to
+fs/fuse/file.c:897 inlined into :999, i.e. "folio_pos(ap->folios[0])"
+inside fuse_send_readpages. The faulting instruction "ldr x8, [x8]"
+loads ap->folios[0]; ap->folios was previously loaded as 0x10
+(ZERO_SIZE_PTR).
+
+Without this fix the function would also spin forever, since
+"nr_pages -= pages" makes no progress when pages stays 0; in practice
+the NULL deref masks the spin.
+
+Bail out of the outer loop if cur_pages is 0 -- there is no work we
+can issue via FUSE in this iteration, and remaining folios will be
+handled by read_pages() falling back to ->read_folio.
+
+Fixes: 3eab9d7bc2f4 ("fuse: convert readahead to use folios")
+Reported-by: Breno Leitao <leitao@debian.org>
+Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
+Signed-off-by: Vlad Poenaru <vlad.wing@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fuse/file.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index 00ff6374dc76b..50ade371298b3 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -974,6 +974,16 @@ static void fuse_readahead(struct readahead_control *rac)
+ unsigned cur_pages = min(max_pages, nr_pages);
+ unsigned int pages = 0;
+
++ /*
++ * If max_pages == 0 (e.g. fc->max_read < PAGE_SIZE on a
++ * 64K-page kernel), cur_pages is 0 and we cannot make
++ * progress. Bailing here avoids passing 0 to fuse_io_alloc,
++ * which would return an ia whose ap.folios is ZERO_SIZE_PTR
++ * (0x10) -- later dereferenced by fuse_send_readpages.
++ */
++ if (!cur_pages)
++ break;
++
+ if (fc->num_background >= fc->congestion_threshold &&
+ rac->ra->async_size >= readahead_count(rac))
+ /*
+--
+2.53.0
+
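Review bot: The new `if (!cur_pages) break;` guards only this call site, so fuse_io_alloc() can still hand back an `ia` whose ap.folios is ZERO_SIZE_PTR to any other caller that passes 0. According to the commit message, the `if (!ia->ap.folios)` test in fuse_io_alloc() is what misses it; testing with `ZERO_OR_NULL_PTR(ia->ap.folios)` there, or rejecting a zero count up front, would make the allocator fail closed. fuse_io_alloc() is not part of this hunk, so treat that as a follow-up to confirm. If max_pages does not change inside the loop, the check could also sit before the loop as `if (!max_pages) return;`, which states the precondition once; the loop header is outside the hunk.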
--- /dev/null
+From 37e4cebf1a3f36dbcffff802031f62281981cb84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 May 2026 16:14:36 +0200
+Subject: media: staging: imx: configure src_mux in csi_start
+
+From: Michael Tretter <m.tretter@pengutronix.de>
+
+[ Upstream commit ebeec2b000a90cd8aae86d1931ff5ef23af8284e ]
+
+After media_pipeline_start() was called, the media graph is assumed to
+be validated. It won't be validated again if a second stream starts.
+
+The imx-media-csi driver, however, changes hardware configuration in the
+link_validate() callback. This can result in started streams with
+misconfigured hardware.
+
+In the concrete example, the ipu2_csi1 is driven by a parallel video
+input. After the media pipeline has been started with this
+configuration, a second stream is configured to use ipu1_csi0 with
+MIPI-CSI input from imx6-mipi-csi2. This may require the reconfiguration
+of ipu1_csi0 with ipu_set_csi_src_mux(). Since the media pipeline is
+already running, link_validate won't be called, and the ipu1_csi0 won't
+be reconfigured. The resulting video is broken, because the ipu1_csi0 is
+misconfigured, but no error is reported.
+
+Move ipu_set_csi_src_mux from csi_link_validate to csi_start to ensure
+that input to ipu1_csi0 is configured correctly when starting the
+stream. This is a local reconfiguration in ipu1_csi0 and is possible
+while the media pipeline is running.
+
+Since csi_start() is called with priv->lock already locked,
+csi_set_src() must not lock priv->lock again. Thus, the mutex_lock() is
+dropped.
+
+Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
+Fixes: 4a34ec8e470c ("[media] media: imx: Add CSI subdev driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/imx/imx-media-csi.c | 44 ++++++++++++-----------
+ 1 file changed, 24 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/staging/media/imx/imx-media-csi.c b/drivers/staging/media/imx/imx-media-csi.c
+index 55a7d8f38465b..1bc644f73a9d1 100644
+--- a/drivers/staging/media/imx/imx-media-csi.c
++++ b/drivers/staging/media/imx/imx-media-csi.c
+@@ -744,6 +744,28 @@ static int csi_setup(struct csi_priv *priv,
+ return 0;
+ }
+
++static void csi_set_src(struct csi_priv *priv,
++ struct v4l2_mbus_config *mbus_cfg)
++{
++ bool is_csi2;
++
++ is_csi2 = !is_parallel_bus(mbus_cfg);
++ if (is_csi2) {
++ /*
++ * NOTE! It seems the virtual channels from the mipi csi-2
++ * receiver are used only for routing by the video mux's,
++ * or for hard-wired routing to the CSI's. Once the stream
++ * enters the CSI's however, they are treated internally
++ * in the IPU as virtual channel 0.
++ */
++ ipu_csi_set_mipi_datatype(priv->csi, 0,
++ &priv->format_mbus[CSI_SINK_PAD]);
++ }
++
++ /* select either parallel or MIPI-CSI2 as input to CSI */
++ ipu_set_csi_src_mux(priv->ipu, priv->csi_id, is_csi2);
++}
++
+ static int csi_start(struct csi_priv *priv)
+ {
+ struct v4l2_mbus_config mbus_cfg = { .type = 0 };
+@@ -760,6 +782,8 @@ static int csi_start(struct csi_priv *priv)
+ input_fi = &priv->frame_interval[CSI_SINK_PAD];
+ output_fi = &priv->frame_interval[priv->active_output_pad];
+
++ csi_set_src(priv, &mbus_cfg);
++
+ /* start upstream */
+ ret = v4l2_subdev_call(priv->src_sd, video, s_stream, 1);
+ ret = (ret && ret != -ENOIOCTLCMD) ? ret : 0;
+@@ -1130,7 +1154,6 @@ static int csi_link_validate(struct v4l2_subdev *sd,
+ {
+ struct csi_priv *priv = v4l2_get_subdevdata(sd);
+ struct v4l2_mbus_config mbus_cfg = { .type = 0 };
+- bool is_csi2;
+ int ret;
+
+ ret = v4l2_subdev_link_validate_default(sd, link,
+@@ -1145,25 +1168,6 @@ static int csi_link_validate(struct v4l2_subdev *sd,
+ return ret;
+ }
+
+- mutex_lock(&priv->lock);
+-
+- is_csi2 = !is_parallel_bus(&mbus_cfg);
+- if (is_csi2) {
+- /*
+- * NOTE! It seems the virtual channels from the mipi csi-2
+- * receiver are used only for routing by the video mux's,
+- * or for hard-wired routing to the CSI's. Once the stream
+- * enters the CSI's however, they are treated internally
+- * in the IPU as virtual channel 0.
+- */
+- ipu_csi_set_mipi_datatype(priv->csi, 0,
+- &priv->format_mbus[CSI_SINK_PAD]);
+- }
+-
+- /* select either parallel or MIPI-CSI2 as input to CSI */
+- ipu_set_csi_src_mux(priv->ipu, priv->csi_id, is_csi2);
+-
+- mutex_unlock(&priv->lock);
+ return ret;
+ }
+
+--
+2.53.0
+
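Review bot: csi_set_src() depends on the caller holding priv->lock, but that rule exists only in the commit message; the helper neither documents nor checks it. Adding `lockdep_assert_held(&priv->lock);` as its first statement would make the contract visible and catch a future caller that forgets the lock. It is also worth confirming that `mbus_cfg` has been filled in before `csi_set_src(priv, &mbus_cfg);` runs in csi_start(): the hunk shows only the `{ .type = 0 }` initialiser, and the lines between it and the call are outside the hunk. The second copy of this patch later on the page is identical.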
hid-pass-the-buffer-size-to-hid_report_raw_event.patch
hid-core-introduce-hid_safe_input_report.patch
hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch
+fuse-avoid-0x10-fault-in-fuse_readahead-when-max_pag.patch
+ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch
+media-staging-imx-configure-src_mux-in-csi_start.patch
--- /dev/null
+From e49f874445e39df28b17808d9a9dd5d197af1a1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 May 2026 18:44:10 +0800
+Subject: ASoC: SOF: Intel: hda: Fix NULL pointer dereference
+
+From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+
+[ Upstream commit 16c589567a956d46a7c1363af3f64de3d420af20 ]
+
+If there's a mismatch between the DAI links in the machine driver and
+the topology, it is possible that the playback/capture widget is not
+set, especially in the case of loopback capture for echo reference
+where we use the dummy DAI link. Return the error when the widget is not
+set to avoid a null pointer dereference like below when the topology is
+broken.
+
+RIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common]
+
+Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
+Reviewed-by: Mateusz Redzynia <mateuszx.redzynia@intel.com>
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://patch.msgid.link/20260204081833.16630-10-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+[ Minor context conflict resolved. ]
+Signed-off-by: Alva Lan <alvalan9@foxmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/intel/hda-dai.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/intel/hda-dai.c b/sound/soc/sof/intel/hda-dai.c
+index 19ec1a45737ea..097bcc7822a7d 100644
+--- a/sound/soc/sof/intel/hda-dai.c
++++ b/sound/soc/sof/intel/hda-dai.c
+@@ -77,11 +77,22 @@ static const struct hda_dai_widget_dma_ops *
+ hda_dai_get_ops(struct snd_pcm_substream *substream, struct snd_soc_dai *cpu_dai)
+ {
+ struct snd_soc_dapm_widget *w = snd_soc_dai_get_widget(cpu_dai, substream->stream);
+- struct snd_sof_widget *swidget = w->dobj.private;
++ struct snd_sof_widget *swidget;
+ struct snd_sof_dev *sdev;
+ struct snd_sof_dai *sdai;
+
++ /*
++ * this is unlikely if the topology and the machine driver DAI links match.
++ * But if there's a missing DAI link in topology, this will prevent a NULL pointer
++ * dereference later on.
++ */
++ if (!w) {
++ dev_err(cpu_dai->dev, "%s: widget is NULL\n", __func__);
++ return NULL;
++ }
++
+ sdev = widget_to_sdev(w);
++ swidget = w->dobj.private;
+
+ /*
+ * The swidget parameter of hda_select_dai_widget_ops() is ignored in
+--
+2.53.0
+
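Review bot: Returning NULL from hda_dai_get_ops() when `w` is NULL only moves the dereference to the callers unless each of them tests the result before using it; the callers are outside this hunk, so please confirm that every one does. If this function is reached on each stream operation, a broken topology would also repeat the `dev_err()` line every time, and `dev_err_ratelimited(cpu_dai->dev, "%s: widget is NULL\n", __func__);` would bound that. The rest of the function body continues past the end of the hunk.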
--- /dev/null
+From 1b6a8ce84e356b18b281f75d3902f05cc697fa58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 May 2026 15:55:18 +0800
+Subject: netfilter: nf_tables: unconditionally bump set->nelems before
+ insertion
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit def602e498a4f951da95c95b1b8ce8ae68aa733a ]
+
+In case that the set is full, a new element gets published then removed
+without waiting for the RCU grace period, while RCU reader can be
+walking over it already.
+
+To address this issue, add the element transaction even if set is full,
+but toggle the set_full flag to report -ENFILE so the abort path safely
+unwinds the set to its previous state.
+
+As for element updates, decrement set->nelems to restore it.
+
+A simpler fix is to call synchronize_rcu() in the error path.
+However, with a large batch adding elements to already maxed-out set,
+this could cause noticeable slowdown of such batches.
+
+Fixes: 35d0ac9070ef ("netfilter: nf_tables: fix set->nelems counting with no NLM_F_EXCL")
+Reported-by: Inseo An <y0un9sa@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+[ Minor conflict resolved. ]
+Signed-off-by: Li hongliang <1468888505@139.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index a0914a92e07dd..6fc88bf511092 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6803,6 +6803,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ struct nft_data_desc desc;
+ enum nft_registers dreg;
+ struct nft_trans *trans;
++ bool set_full = false;
+ u64 timeout;
+ u64 expiration;
+ int err, i;
+@@ -7095,10 +7096,18 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ if (err < 0)
+ goto err_elem_free;
+
++ if (!(flags & NFT_SET_ELEM_CATCHALL)) {
++ unsigned int max = nft_set_maxsize(set), nelems;
++
++ nelems = atomic_inc_return(&set->nelems);
++ if (nelems > max)
++ set_full = true;
++ }
++
+ trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
+ if (trans == NULL) {
+ err = -ENOMEM;
+- goto err_elem_free;
++ goto err_set_size;
+ }
+
+ ext->genmask = nft_genmask_cur(ctx->net);
+@@ -7130,23 +7139,16 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ goto err_element_clash;
+ }
+
+- if (!(flags & NFT_SET_ELEM_CATCHALL)) {
+- unsigned int max = nft_set_maxsize(set);
+-
+- if (!atomic_add_unless(&set->nelems, 1, max)) {
+- err = -ENFILE;
+- goto err_set_full;
+- }
+- }
+-
+ nft_trans_elem(trans) = elem;
+ nft_trans_commit_list_add_tail(ctx->net, trans);
+- return 0;
+
+-err_set_full:
+- nft_setelem_remove(ctx->net, set, &elem);
++ return set_full ? -ENFILE : 0;
++
+ err_element_clash:
+ kfree(trans);
++err_set_size:
++ if (!(flags & NFT_SET_ELEM_CATCHALL))
++ atomic_dec(&set->nelems);
+ err_elem_free:
+ nf_tables_set_elem_destroy(ctx, set, elem.priv);
+ err_parse_data:
+--
+2.53.0
+
kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch
kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch
kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch
+netfilter-nf_tables-unconditionally-bump-set-nelems-.patch
+asoc-sof-intel-hda-fix-null-pointer-dereference.patch
--- /dev/null
+From e63aad22143ca1d93dc973e5f8a1643adcc58a4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Apr 2026 08:36:37 -0700
+Subject: ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands
+
+From: Igor Pylypiv <ipylypiv@google.com>
+
+[ Upstream commit 8ebf408e7d463eee02c348a3c8277b95587b710d ]
+
+Commit 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation")
+introduced ata_scsi_requeue_deferred_qc() to handle commands deferred
+during resets or NCQ failures. This deferral logic completed commands
+with DID_SOFT_ERROR to trigger a retry in the SCSI mid-layer.
+
+However, DID_SOFT_ERROR is subject to scsi_cmd_retry_allowed() checks.
+ATA PASS-THROUGH commands sent via SG_IO ioctl have scmd->allowed set
+to zero. This causes the mid-layer to fail the command immediately
+instead of retrying, even though the command was never actually issued
+to the hardware.
+
+Switch to DID_REQUEUE to ensure these commands are inserted back into
+the request queue regardless of retry limits.
+
+Fixes: 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation")
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Igor Pylypiv <ipylypiv@google.com>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-scsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
+index 3b65df914ebbe..cd607911d7248 100644
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -1692,7 +1692,7 @@ void ata_scsi_requeue_deferred_qc(struct ata_port *ap)
+ /*
+ * If we have a deferred qc when a reset occurs or NCQ commands fail,
+ * do not try to be smart about what to do with this deferred command
+- * and simply retry it by completing it with DID_SOFT_ERROR.
++ * and simply requeue it by completing it with DID_REQUEUE.
+ */
+ if (!qc)
+ return;
+@@ -1701,7 +1701,7 @@ void ata_scsi_requeue_deferred_qc(struct ata_port *ap)
+ ap->deferred_qc = NULL;
+ cancel_work(&ap->deferred_qc_work);
+ ata_qc_free(qc);
+- scmd->result = (DID_SOFT_ERROR << 16);
++ scmd->result = (DID_REQUEUE << 16);
+ scsi_done(scmd);
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 0c7e4dc5d4988b94e236a18bb290c3033cdc42cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Nov 2025 11:34:34 +0100
+Subject: media: staging: imx: configure src_mux in csi_start
+
+From: Michael Tretter <m.tretter@pengutronix.de>
+
+[ Upstream commit ebeec2b000a90cd8aae86d1931ff5ef23af8284e ]
+
+After media_pipeline_start() was called, the media graph is assumed to
+be validated. It won't be validated again if a second stream starts.
+
+The imx-media-csi driver, however, changes hardware configuration in the
+link_validate() callback. This can result in started streams with
+misconfigured hardware.
+
+In the concrete example, the ipu2_csi1 is driven by a parallel video
+input. After the media pipeline has been started with this
+configuration, a second stream is configured to use ipu1_csi0 with
+MIPI-CSI input from imx6-mipi-csi2. This may require the reconfiguration
+of ipu1_csi0 with ipu_set_csi_src_mux(). Since the media pipeline is
+already running, link_validate won't be called, and the ipu1_csi0 won't
+be reconfigured. The resulting video is broken, because the ipu1_csi0 is
+misconfigured, but no error is reported.
+
+Move ipu_set_csi_src_mux from csi_link_validate to csi_start to ensure
+that input to ipu1_csi0 is configured correctly when starting the
+stream. This is a local reconfiguration in ipu1_csi0 and is possible
+while the media pipeline is running.
+
+Since csi_start() is called with priv->lock already locked,
+csi_set_src() must not lock priv->lock again. Thus, the mutex_lock() is
+dropped.
+
+Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
+Fixes: 4a34ec8e470c ("[media] media: imx: Add CSI subdev driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/imx/imx-media-csi.c | 44 ++++++++++++-----------
+ 1 file changed, 24 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/staging/media/imx/imx-media-csi.c b/drivers/staging/media/imx/imx-media-csi.c
+index 55a7d8f38465b..1bc644f73a9d1 100644
+--- a/drivers/staging/media/imx/imx-media-csi.c
++++ b/drivers/staging/media/imx/imx-media-csi.c
+@@ -744,6 +744,28 @@ static int csi_setup(struct csi_priv *priv,
+ return 0;
+ }
+
++static void csi_set_src(struct csi_priv *priv,
++ struct v4l2_mbus_config *mbus_cfg)
++{
++ bool is_csi2;
++
++ is_csi2 = !is_parallel_bus(mbus_cfg);
++ if (is_csi2) {
++ /*
++ * NOTE! It seems the virtual channels from the mipi csi-2
++ * receiver are used only for routing by the video mux's,
++ * or for hard-wired routing to the CSI's. Once the stream
++ * enters the CSI's however, they are treated internally
++ * in the IPU as virtual channel 0.
++ */
++ ipu_csi_set_mipi_datatype(priv->csi, 0,
++ &priv->format_mbus[CSI_SINK_PAD]);
++ }
++
++ /* select either parallel or MIPI-CSI2 as input to CSI */
++ ipu_set_csi_src_mux(priv->ipu, priv->csi_id, is_csi2);
++}
++
+ static int csi_start(struct csi_priv *priv)
+ {
+ struct v4l2_mbus_config mbus_cfg = { .type = 0 };
+@@ -760,6 +782,8 @@ static int csi_start(struct csi_priv *priv)
+ input_fi = &priv->frame_interval[CSI_SINK_PAD];
+ output_fi = &priv->frame_interval[priv->active_output_pad];
+
++ csi_set_src(priv, &mbus_cfg);
++
+ /* start upstream */
+ ret = v4l2_subdev_call(priv->src_sd, video, s_stream, 1);
+ ret = (ret && ret != -ENOIOCTLCMD) ? ret : 0;
+@@ -1130,7 +1154,6 @@ static int csi_link_validate(struct v4l2_subdev *sd,
+ {
+ struct csi_priv *priv = v4l2_get_subdevdata(sd);
+ struct v4l2_mbus_config mbus_cfg = { .type = 0 };
+- bool is_csi2;
+ int ret;
+
+ ret = v4l2_subdev_link_validate_default(sd, link,
+@@ -1145,25 +1168,6 @@ static int csi_link_validate(struct v4l2_subdev *sd,
+ return ret;
+ }
+
+- mutex_lock(&priv->lock);
+-
+- is_csi2 = !is_parallel_bus(&mbus_cfg);
+- if (is_csi2) {
+- /*
+- * NOTE! It seems the virtual channels from the mipi csi-2
+- * receiver are used only for routing by the video mux's,
+- * or for hard-wired routing to the CSI's. Once the stream
+- * enters the CSI's however, they are treated internally
+- * in the IPU as virtual channel 0.
+- */
+- ipu_csi_set_mipi_datatype(priv->csi, 0,
+- &priv->format_mbus[CSI_SINK_PAD]);
+- }
+-
+- /* select either parallel or MIPI-CSI2 as input to CSI */
+- ipu_set_csi_src_mux(priv->ipu, priv->csi_id, is_csi2);
+-
+- mutex_unlock(&priv->lock);
+ return ret;
+ }
+
+--
+2.53.0
+
rseq-implement-read-only-abi-enforcement-for-optimiz.patch
rseq-reenable-performance-optimizations-conditionall.patch
hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch
+ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch
+media-staging-imx-configure-src_mux-in-csi_start.patch