6.6-stable patches added patches: erofs-fix-the-out-of-bounds-nameoff-handling-for-trailing-dirents.patch iio-adc-ti-ads7950-use-iio_push_to_buffers_with_ts_unaligned.patch io_uring-poll-ensure-epoll_oneshot-is-propagated-for-epoll_uring_wake.patch io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch io_uring-timeout-check-unused-sqe-fields.patch md-raid10-fix-deadlock-with-check-operation-and-nowait-requests.patch mfd-stpmic1-attempt-system-shutdown-twice-in-case-pmic-is-confused.patch nvme-pci-add-nvme_quirk_disable_write_zeroes-for-kingston-om3sgp4.patch nvme-respect-nvme_quirk_disable_write_zeroes-when-wzsl-is-set.patch parisc-_llseek-syscall-is-only-available-for-32-bit-userspace.patch parisc-led-fix-reference-leak-on-failed-device-registration.patch rbd-fix-null-ptr-deref-when-device_add_disk-fails.patch remoteproc-xlnx-only-access-buffer-information-if-ipi-is-buffered.patch selftests-mqueue-fix-incorrectly-named-file.patch
diff --git a/queue-6.6/erofs-fix-the-out-of-bounds-nameoff-handling-for-trailing-dirents.patch b/queue-6.6/erofs-fix-the-out-of-bounds-nameoff-handling-for-trailing-dirents.patch new file mode 100644 index 0000000..621f823 --- /dev/null +++ b/queue-6.6/erofs-fix-the-out-of-bounds-nameoff-handling-for-trailing-dirents.patch
@@ -0,0 +1,88 @@ +From d18a3b5d337fa412a38e776e6b4b857a58836575 Mon Sep 17 00:00:00 2001 +From: Gao Xiang <hsiangkao@linux.alibaba.com> +Date: Tue, 21 Apr 2026 15:59:52 +0800 +Subject: erofs: fix the out-of-bounds nameoff handling for trailing dirents + +From: Gao Xiang <hsiangkao@linux.alibaba.com> + +commit d18a3b5d337fa412a38e776e6b4b857a58836575 upstream. + +Currently we already have boundary-checks for nameoffs, but the trailing +dirents are special since the namelens are calculated with strnlen() +with unchecked nameoffs. + +If a crafted EROFS has a trailing dirent with nameoff >= maxsize, +maxsize - nameoff can underflow, causing strnlen() to read past the +directory block. + +nameoff0 should also be verified to be a multiple of +`sizeof(struct erofs_dirent)` as well [1]. + +[1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com + +Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations") +Fixes: 33bac912840f ("staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()") +Reported-by: Yuhao Jiang <danisjiang@gmail.com> +Reported-by: Junrui Luo <moonafterrain@outlook.com> +Closes: https://lore.kernel.org/r/A0FD7E0F-7558-49B0-8BC8-EB1ECDB2479A@outlook.com +Cc: stable@vger.kernel.org +Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> +Reviewed-by: Chao Yu <chao@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/erofs/dir.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +--- a/fs/erofs/dir.c ++++ b/fs/erofs/dir.c +@@ -22,20 +22,18 @@ static int erofs_fill_dentries(struct in + nameoff = le16_to_cpu(de->nameoff); + de_name = (char *)dentry_blk + nameoff; + +- /* the last dirent in the block? */ +- if (de + 1 >= end) +- de_namelen = strnlen(de_name, maxsize - nameoff); +- else ++ /* non-trailing dirent in the directory block? */ ++ if (de + 1 < end) + de_namelen = le16_to_cpu(de[1].nameoff) - nameoff; ++ else if (maxsize <= nameoff) ++ goto err_bogus; ++ else ++ de_namelen = strnlen(de_name, maxsize - nameoff); + +- /* a corrupted entry is found */ +- if (nameoff + de_namelen > maxsize || +- de_namelen > EROFS_NAME_LEN) { +- erofs_err(dir->i_sb, "bogus dirent @ nid %llu", +- EROFS_I(dir)->nid); +- DBG_BUGON(1); +- return -EFSCORRUPTED; +- } ++ /* a corrupted entry is found (including negative namelen) */ ++ if (!in_range32(de_namelen, 1, EROFS_NAME_LEN) || ++ nameoff + de_namelen > maxsize) ++ goto err_bogus; + + if (!dir_emit(ctx, de_name, de_namelen, + le64_to_cpu(de->nid), d_type)) +@@ -44,6 +42,10 @@ static int erofs_fill_dentries(struct in + ctx->pos += sizeof(struct erofs_dirent); + } + return 0; ++err_bogus: ++ erofs_err(dir->i_sb, "bogus dirent @ nid %llu", EROFS_I(dir)->nid); ++ DBG_BUGON(1); ++ return -EFSCORRUPTED; + } + + static int erofs_readdir(struct file *f, struct dir_context *ctx) +@@ -72,7 +74,7 @@ static int erofs_readdir(struct file *f, + } + + nameoff = le16_to_cpu(de->nameoff); +- if (nameoff < sizeof(struct erofs_dirent) || nameoff >= bsz) { ++ if (!nameoff || nameoff >= bsz || (nameoff % sizeof(*de))) { + erofs_err(sb, "invalid de[0].nameoff %u @ nid %llu", + nameoff, EROFS_I(dir)->nid); + err = -EFSCORRUPTED;
diff --git a/queue-6.6/iio-adc-ti-ads7950-use-iio_push_to_buffers_with_ts_unaligned.patch b/queue-6.6/iio-adc-ti-ads7950-use-iio_push_to_buffers_with_ts_unaligned.patch new file mode 100644 index 0000000..3fb8760 --- /dev/null +++ b/queue-6.6/iio-adc-ti-ads7950-use-iio_push_to_buffers_with_ts_unaligned.patch
@@ -0,0 +1,59 @@ +From 7806c060cceb2d6895efbb6cff2f2f17cf1ec5de Mon Sep 17 00:00:00 2001 +From: David Lechner <dlechner@baylibre.com> +Date: Sat, 14 Mar 2026 16:12:24 -0500 +Subject: iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned() + +From: David Lechner <dlechner@baylibre.com> + +commit 7806c060cceb2d6895efbb6cff2f2f17cf1ec5de upstream. + +Use iio_push_to_buffers_with_ts_unaligned() to avoid unaligned access +when writing the timestamp in the rx_buf. + +The previous implementation would have been fine on architectures that +support 4-byte alignment of 64-bit integers but could cause issues on +architectures that require 8-byte alignment. + +Fixes: 902c4b2446d4 ("iio: adc: New driver for TI ADS7950 chips") +Signed-off-by: David Lechner <dlechner@baylibre.com> +Cc: <Stable@vger.kernel.org> +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/iio/adc/ti-ads7950.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/iio/adc/ti-ads7950.c ++++ b/drivers/iio/adc/ti-ads7950.c +@@ -47,8 +47,6 @@ + #define TI_ADS7950_MAX_CHAN 16 + #define TI_ADS7950_NUM_GPIOS 4 + +-#define TI_ADS7950_TIMESTAMP_SIZE (sizeof(int64_t) / sizeof(__be16)) +- + /* val = value, dec = left shift, bits = number of bits of the mask */ + #define TI_ADS7950_EXTRACT(val, dec, bits) \ + (((val) >> (dec)) & ((1 << (bits)) - 1)) +@@ -105,8 +103,7 @@ struct ti_ads7950_state { + * DMA (thus cache coherency maintenance) may require the + * transfer buffers to live in their own cache lines. + */ +- u16 rx_buf[TI_ADS7950_MAX_CHAN + 2 + TI_ADS7950_TIMESTAMP_SIZE] +- __aligned(IIO_DMA_MINALIGN); ++ u16 rx_buf[TI_ADS7950_MAX_CHAN + 2] __aligned(IIO_DMA_MINALIGN); + u16 tx_buf[TI_ADS7950_MAX_CHAN + 2]; + u16 single_tx; + u16 single_rx; +@@ -313,8 +310,10 @@ static irqreturn_t ti_ads7950_trigger_ha + if (ret < 0) + goto out; + +- iio_push_to_buffers_with_timestamp(indio_dev, &st->rx_buf[2], +- iio_get_time_ns(indio_dev)); ++ iio_push_to_buffers_with_ts_unaligned(indio_dev, &st->rx_buf[2], ++ sizeof(*st->rx_buf) * ++ TI_ADS7950_MAX_CHAN, ++ iio_get_time_ns(indio_dev)); + + out: + mutex_unlock(&st->slock);
diff --git a/queue-6.6/io_uring-poll-ensure-epoll_oneshot-is-propagated-for-epoll_uring_wake.patch b/queue-6.6/io_uring-poll-ensure-epoll_oneshot-is-propagated-for-epoll_uring_wake.patch new file mode 100644 index 0000000..bdd87dc --- /dev/null +++ b/queue-6.6/io_uring-poll-ensure-epoll_oneshot-is-propagated-for-epoll_uring_wake.patch
@@ -0,0 +1,52 @@ +From 1967f0b1cafdde37aa9e08e6021c14bcc484b7a5 Mon Sep 17 00:00:00 2001 +From: Jens Axboe <axboe@kernel.dk> +Date: Tue, 21 Apr 2026 13:24:33 -0600 +Subject: io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jens Axboe <axboe@kernel.dk> + +commit 1967f0b1cafdde37aa9e08e6021c14bcc484b7a5 upstream. + +Commit: + +aacf2f9f382c ("io_uring: fix req->apoll_events") + +fixed an issue where poll->events and req->apoll_events weren't +synchronized, but then when the commit referenced in Fixes got added, +it didn't ensure the same thing. + +If we mask in EPOLLONESHOT in the regular EPOLL_URING_WAKE path, then +ensure it's done for both. Including a link to the original report +below, even though it's mostly nonsense. But it includes a reproducer +that does show that IORING_CQE_F_MORE is set in the previous CQE, +while no more CQEs will be generated for this request. Just ignore +anything that pretends this is security related in any way, it's just +the typical AI nonsense. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/io-uring/CAM0zi7yQzF3eKncgHo4iVM5yFLAjsiob_ucqyWKs=hyd_GqiMg@mail.gmail.com/ +Reported-by: Azizcan Daştan <azizcan.d@mileniumsec.com> +Fixes: 4464853277d0 ("io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and wakeups") +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + io_uring/poll.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/io_uring/poll.c ++++ b/io_uring/poll.c +@@ -441,8 +441,10 @@ static int io_poll_wake(struct wait_queu + * disable multishot as there is a circular dependency between + * CQ posting and triggering the event. + */ +- if (mask & EPOLL_URING_WAKE) ++ if (mask & EPOLL_URING_WAKE) { + poll->events |= EPOLLONESHOT; ++ req->apoll_events |= EPOLLONESHOT; ++ } + + /* optional, saves extra locking for removal in tw handler */ + if (mask && poll->events & EPOLLONESHOT) {
diff --git a/queue-6.6/io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch b/queue-6.6/io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch new file mode 100644 index 0000000..db15688 --- /dev/null +++ b/queue-6.6/io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch
@@ -0,0 +1,52 @@ +From 326941b22806cbf2df1fbfe902b7908b368cce42 Mon Sep 17 00:00:00 2001 +From: Longxuan Yu <ylong030@ucr.edu> +Date: Sun, 12 Apr 2026 16:38:20 +0800 +Subject: io_uring/poll: fix signed comparison in io_poll_get_ownership() + +From: Longxuan Yu <ylong030@ucr.edu> + +commit 326941b22806cbf2df1fbfe902b7908b368cce42 upstream. + +io_poll_get_ownership() uses a signed comparison to check whether +poll_refs has reached the threshold for the slowpath: + + if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS)) + +atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG +(BIT(31)) is set in poll_refs, the value becomes negative in +signed arithmetic, so the >= 128 comparison always evaluates to +false and the slowpath is never taken. + +Fix this by casting the atomic_read() result to unsigned int +before the comparison, so that the cancel flag is treated as a +large positive value and correctly triggers the slowpath. + +Fixes: a26a35e9019f ("io_uring: make poll refs more robust") +Cc: stable@vger.kernel.org +Reported-by: Yifan Wu <yifanwucs@gmail.com> +Reported-by: Juefei Pu <tomapufckgml@gmail.com> +Co-developed-by: Yuan Tan <yuantan098@gmail.com> +Signed-off-by: Yuan Tan <yuantan098@gmail.com> +Suggested-by: Xin Liu <bird@lzu.edu.cn> +Tested-by: Zhengchuan Liang <zcliangcn@gmail.com> +Signed-off-by: Longxuan Yu <ylong030@ucr.edu> +Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> +Reviewed-by: Pavel Begunkov <asml.silence@gmail.com> +Link: https://patch.msgid.link/3a3508b08bcd7f1bc3beff848ae6e1d73d355043.1775965597.git.ylong030@ucr.edu +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + io_uring/poll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/io_uring/poll.c ++++ b/io_uring/poll.c +@@ -91,7 +91,7 @@ static bool io_poll_get_ownership_slowpa + */ + static inline bool io_poll_get_ownership(struct io_kiocb *req) + { +- if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS)) ++ if (unlikely((unsigned int)atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS)) + return io_poll_get_ownership_slowpath(req); + return !(atomic_fetch_inc(&req->poll_refs) & IO_POLL_REF_MASK); + }
diff --git a/queue-6.6/io_uring-timeout-check-unused-sqe-fields.patch b/queue-6.6/io_uring-timeout-check-unused-sqe-fields.patch new file mode 100644 index 0000000..451cd47 --- /dev/null +++ b/queue-6.6/io_uring-timeout-check-unused-sqe-fields.patch
@@ -0,0 +1,41 @@ +From 484ae637a3e3d909718de7c07afd3bb34b6b8504 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov <asml.silence@gmail.com> +Date: Mon, 2 Mar 2026 13:10:34 +0000 +Subject: io_uring/timeout: check unused sqe fields + +From: Pavel Begunkov <asml.silence@gmail.com> + +commit 484ae637a3e3d909718de7c07afd3bb34b6b8504 upstream. + +Zero check unused SQE fields addr3 and pad2 for timeout and timeout +update requests. They're not needed now, but could be used sometime +in the future. + +Cc: stable@vger.kernel.org +Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + io_uring/timeout.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/io_uring/timeout.c ++++ b/io_uring/timeout.c +@@ -428,6 +428,8 @@ int io_timeout_remove_prep(struct io_kio + + if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT))) + return -EINVAL; ++ if (sqe->addr3 || sqe->__pad2[0]) ++ return -EINVAL; + if (sqe->buf_index || sqe->len || sqe->splice_fd_in) + return -EINVAL; + +@@ -500,6 +502,8 @@ static int __io_timeout_prep(struct io_k + unsigned flags; + u32 off = READ_ONCE(sqe->off); + ++ if (sqe->addr3 || sqe->__pad2[0]) ++ return -EINVAL; + if (sqe->buf_index || sqe->len != 1 || sqe->splice_fd_in) + return -EINVAL; + if (off && is_timeout_link)
diff --git a/queue-6.6/md-raid10-fix-deadlock-with-check-operation-and-nowait-requests.patch b/queue-6.6/md-raid10-fix-deadlock-with-check-operation-and-nowait-requests.patch new file mode 100644 index 0000000..7e13000 --- /dev/null +++ b/queue-6.6/md-raid10-fix-deadlock-with-check-operation-and-nowait-requests.patch
@@ -0,0 +1,100 @@ +From 7d96f3120a7fb7210d21b520c5b6f495da6ba436 Mon Sep 17 00:00:00 2001 +From: Josh Hunt <johunt@akamai.com> +Date: Mon, 2 Mar 2026 19:56:19 -0500 +Subject: md/raid10: fix deadlock with check operation and nowait requests + +From: Josh Hunt <johunt@akamai.com> + +commit 7d96f3120a7fb7210d21b520c5b6f495da6ba436 upstream. + +When an array check is running it will raise the barrier at which point +normal requests will become blocked and increment the nr_pending value to +signal there is work pending inside of wait_barrier(). NOWAIT requests +do not block and so will return immediately with an error, and additionally +do not increment nr_pending in wait_barrier(). Upstream change commit +43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request") added a +call to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit +this condition. raid_end_bio_io() eventually calls allow_barrier() and +it will unconditionally do an atomic_dec_and_test(&conf->nr_pending) even +though the corresponding increment on nr_pending didn't happen in the +NOWAIT case. + +This can be easily seen by starting a check operation while an application +is doing nowait IO on the same array. This results in a deadlocked state +due to nr_pending value underflowing and so the md resync thread gets stuck +waiting for nr_pending to == 0. + +Output of r10conf state of the array when we hit this condition: + +crash> struct r10conf + barrier = 1, + nr_pending = { + counter = -41 + }, + nr_waiting = 15, + nr_queued = 0, + +Example of md_sync thread stuck waiting on raise_barrier() and other +requests stuck in wait_barrier(): + +md1_resync +[<0>] raise_barrier+0xce/0x1c0 +[<0>] raid10_sync_request+0x1ca/0x1ed0 +[<0>] md_do_sync+0x779/0x1110 +[<0>] md_thread+0x90/0x160 +[<0>] kthread+0xbe/0xf0 +[<0>] ret_from_fork+0x34/0x50 +[<0>] ret_from_fork_asm+0x1a/0x30 + +kworker/u1040:2+flush-253:4 +[<0>] wait_barrier+0x1de/0x220 +[<0>] regular_request_wait+0x30/0x180 +[<0>] raid10_make_request+0x261/0x1000 +[<0>] md_handle_request+0x13b/0x230 +[<0>] __submit_bio+0x107/0x1f0 +[<0>] submit_bio_noacct_nocheck+0x16f/0x390 +[<0>] ext4_io_submit+0x24/0x40 +[<0>] ext4_do_writepages+0x254/0xc80 +[<0>] ext4_writepages+0x84/0x120 +[<0>] do_writepages+0x7a/0x260 +[<0>] __writeback_single_inode+0x3d/0x300 +[<0>] writeback_sb_inodes+0x1dd/0x470 +[<0>] __writeback_inodes_wb+0x4c/0xe0 +[<0>] wb_writeback+0x18b/0x2d0 +[<0>] wb_workfn+0x2a1/0x400 +[<0>] process_one_work+0x149/0x330 +[<0>] worker_thread+0x2d2/0x410 +[<0>] kthread+0xbe/0xf0 +[<0>] ret_from_fork+0x34/0x50 +[<0>] ret_from_fork_asm+0x1a/0x30 + +Fixes: 43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request") +Cc: stable@vger.kernel.org +Signed-off-by: Josh Hunt <johunt@akamai.com> +Link: https://lore.kernel.org/linux-raid/20260303005619.1352958-1-johunt@akamai.com +Signed-off-by: Yu Kuai <yukuai@fnnas.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/md/raid10.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1204,7 +1204,7 @@ static void raid10_read_request(struct m + } + + if (!regular_request_wait(mddev, conf, bio, r10_bio->sectors)) { +- raid_end_bio_io(r10_bio); ++ free_r10bio(r10_bio); + return; + } + +@@ -1425,7 +1425,7 @@ static void raid10_write_request(struct + + sectors = r10_bio->sectors; + if (!regular_request_wait(mddev, conf, bio, sectors)) { +- raid_end_bio_io(r10_bio); ++ free_r10bio(r10_bio); + return; + } +
diff --git a/queue-6.6/mfd-stpmic1-attempt-system-shutdown-twice-in-case-pmic-is-confused.patch b/queue-6.6/mfd-stpmic1-attempt-system-shutdown-twice-in-case-pmic-is-confused.patch new file mode 100644 index 0000000..251d941 --- /dev/null +++ b/queue-6.6/mfd-stpmic1-attempt-system-shutdown-twice-in-case-pmic-is-confused.patch
@@ -0,0 +1,62 @@ +From ffdc5c51f8bcd0e5e8255ca275a0a3b958475d99 Mon Sep 17 00:00:00 2001 +From: Marek Vasut <marex@nabladev.com> +Date: Thu, 22 Jan 2026 12:13:21 +0100 +Subject: mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused + +From: Marek Vasut <marex@nabladev.com> + +commit ffdc5c51f8bcd0e5e8255ca275a0a3b958475d99 upstream. + +Attempt to shut down again, in case the first attempt failed. +The STPMIC1 might get confused and the first regmap_update_bits() +returns with -ETIMEDOUT / -110 . If that or similar transient +failure occurs, try to shut down again. If the second attempt +fails, there is some bigger problem, report it to user. + +Cc: stable@vger.kernel.org +Fixes: 6e9df38f359a ("mfd: stpmic1: Add PMIC poweroff via sys-off handler") +Signed-off-by: Marek Vasut <marex@nabladev.com> +Link: https://patch.msgid.link/20260122111423.62591-1-marex@nabladev.com +Signed-off-by: Lee Jones <lee@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/mfd/stpmic1.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +--- a/drivers/mfd/stpmic1.c ++++ b/drivers/mfd/stpmic1.c +@@ -16,6 +16,8 @@ + + #include <dt-bindings/mfd/st,stpmic1.h> + ++#define STPMIC1_MAX_RETRIES 2 ++ + #define STPMIC1_MAIN_IRQ 0 + + static const struct regmap_range stpmic1_readable_ranges[] = { +@@ -121,9 +123,23 @@ static const struct regmap_irq_chip stpm + static int stpmic1_power_off(struct sys_off_data *data) + { + struct stpmic1 *ddata = data->cb_data; ++ int ret; ++ ++ /* ++ * Attempt to shut down again, in case the first attempt failed. ++ * The STPMIC1 might get confused and the first regmap_update_bits() ++ * returns with -ETIMEDOUT / -110 . If that or similar transient ++ * failure occurs, try to shut down again. If the second attempt ++ * fails, there is some bigger problem, report it to user. ++ */ ++ for (int retries = 0; retries < STPMIC1_MAX_RETRIES; retries++) { ++ ret = regmap_update_bits(ddata->regmap, MAIN_CR, SOFTWARE_SWITCH_OFF, ++ SOFTWARE_SWITCH_OFF); ++ if (!ret) ++ return NOTIFY_DONE; ++ } + +- regmap_update_bits(ddata->regmap, MAIN_CR, +- SOFTWARE_SWITCH_OFF, SOFTWARE_SWITCH_OFF); ++ dev_err(ddata->dev, "Failed to access PMIC I2C bus (%d)\n", ret); + + return NOTIFY_DONE; + }
diff --git a/queue-6.6/nvme-pci-add-nvme_quirk_disable_write_zeroes-for-kingston-om3sgp4.patch b/queue-6.6/nvme-pci-add-nvme_quirk_disable_write_zeroes-for-kingston-om3sgp4.patch new file mode 100644 index 0000000..984848b --- /dev/null +++ b/queue-6.6/nvme-pci-add-nvme_quirk_disable_write_zeroes-for-kingston-om3sgp4.patch
@@ -0,0 +1,41 @@ +From a8eebf9699d69987cc49cec4e4fdb4111ab32423 Mon Sep 17 00:00:00 2001 +From: Robert Beckett <bob.beckett@collabora.com> +Date: Fri, 20 Mar 2026 19:22:09 +0000 +Subject: nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4 + +From: Robert Beckett <bob.beckett@collabora.com> + +commit a8eebf9699d69987cc49cec4e4fdb4111ab32423 upstream. + +The Kingston OM3SGP42048K2-A00 (PCI ID 2646:502f) firmware has a race +condition when processing concurrent write zeroes and DSM (discard) +commands, causing spurious "LBA Out of Range" errors and IOMMU page +faults at address 0x0. + +The issue is reliably triggered by running two concurrent mkfs commands +on different partitions of the same drive, which generates interleaved +write zeroes and discard operations. + +Disable write zeroes for this device, matching the pattern used for +other Kingston OM* drives that have similar firmware issues. + +Cc: stable@vger.kernel.org +Signed-off-by: Robert Beckett <bob.beckett@collabora.com> +Assisted-by: claude-opus-4-6-v1 +Signed-off-by: Keith Busch <kbusch@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/nvme/host/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3589,6 +3589,8 @@ static const struct pci_device_id nvme_i + .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, + { PCI_DEVICE(0x2646, 0x501E), /* KINGSTON OM3PGP4xxxxQ OS21011 NVMe SSD */ + .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, ++ { PCI_DEVICE(0x2646, 0x502F), /* KINGSTON OM3SGP4xxxxK NVMe SSD */ ++ .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, + { PCI_DEVICE(0x1f40, 0x1202), /* Netac Technologies Co. NV3000 NVMe SSD */ + .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x1f40, 0x5236), /* Netac Technologies Co. NV7000 NVMe SSD */
diff --git a/queue-6.6/nvme-respect-nvme_quirk_disable_write_zeroes-when-wzsl-is-set.patch b/queue-6.6/nvme-respect-nvme_quirk_disable_write_zeroes-when-wzsl-is-set.patch new file mode 100644 index 0000000..795cb1c --- /dev/null +++ b/queue-6.6/nvme-respect-nvme_quirk_disable_write_zeroes-when-wzsl-is-set.patch
@@ -0,0 +1,41 @@ +From 40f0496b617b431f8d2dd94d7f785c1121f8a68a Mon Sep 17 00:00:00 2001 +From: Robert Beckett <bob.beckett@collabora.com> +Date: Fri, 20 Mar 2026 19:22:08 +0000 +Subject: nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set + +From: Robert Beckett <bob.beckett@collabora.com> + +commit 40f0496b617b431f8d2dd94d7f785c1121f8a68a upstream. + +The NVM Command Set Identify Controller data may report a non-zero +Write Zeroes Size Limit (wzsl). When present, nvme_init_non_mdts_limits() +unconditionally overrides max_zeroes_sectors from wzsl, even if +NVME_QUIRK_DISABLE_WRITE_ZEROES previously set it to zero. + +This effectively re-enables write zeroes for devices that need it +disabled, defeating the quirk. Several Kingston OM* drives rely on +this quirk to avoid firmware issues with write zeroes commands. + +Check for the quirk before applying the wzsl override. + +Fixes: 5befc7c26e5a ("nvme: implement non-mdts command limits") +Cc: stable@vger.kernel.org +Signed-off-by: Robert Beckett <bob.beckett@collabora.com> +Assisted-by: claude-opus-4-6-v1 +Signed-off-by: Keith Busch <kbusch@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/nvme/host/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2943,7 +2943,7 @@ static int nvme_init_non_mdts_limits(str + if (id->dmrl) + ctrl->max_discard_segments = id->dmrl; + ctrl->dmrsl = le32_to_cpu(id->dmrsl); +- if (id->wzsl) ++ if (id->wzsl && !(ctrl->quirks & NVME_QUIRK_DISABLE_WRITE_ZEROES)) + ctrl->max_zeroes_sectors = nvme_mps_to_sectors(ctrl, id->wzsl); + + free_data:
diff --git a/queue-6.6/parisc-_llseek-syscall-is-only-available-for-32-bit-userspace.patch b/queue-6.6/parisc-_llseek-syscall-is-only-available-for-32-bit-userspace.patch new file mode 100644 index 0000000..d36e6e5 --- /dev/null +++ b/queue-6.6/parisc-_llseek-syscall-is-only-available-for-32-bit-userspace.patch
@@ -0,0 +1,27 @@ +From da3680f564bd787ce974f9931e6e924d908b3b2a Mon Sep 17 00:00:00 2001 +From: Helge Deller <deller@gmx.de> +Date: Tue, 7 Apr 2026 23:56:28 +0200 +Subject: parisc: _llseek syscall is only available for 32-bit userspace + +From: Helge Deller <deller@gmx.de> + +commit da3680f564bd787ce974f9931e6e924d908b3b2a upstream. + +Cc: stable@vger.kernel.org +Signed-off-by: Helge Deller <deller@gmx.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/parisc/kernel/syscalls/syscall.tbl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/kernel/syscalls/syscall.tbl ++++ b/arch/parisc/kernel/syscalls/syscall.tbl +@@ -154,7 +154,7 @@ + # 137 was afs_syscall + 138 common setfsuid sys_setfsuid + 139 common setfsgid sys_setfsgid +-140 common _llseek sys_llseek ++140 32 _llseek sys_llseek + 141 common getdents sys_getdents compat_sys_getdents + 142 common _newselect sys_select compat_sys_select + 143 common flock sys_flock
diff --git a/queue-6.6/parisc-led-fix-reference-leak-on-failed-device-registration.patch b/queue-6.6/parisc-led-fix-reference-leak-on-failed-device-registration.patch new file mode 100644 index 0000000..76a7773 --- /dev/null +++ b/queue-6.6/parisc-led-fix-reference-leak-on-failed-device-registration.patch
@@ -0,0 +1,50 @@ +From 707610bcccbd0327530938e33f3f33211a640a4e Mon Sep 17 00:00:00 2001 +From: Guangshuo Li <lgs201920130244@gmail.com> +Date: Thu, 16 Apr 2026 01:05:15 +0800 +Subject: parisc: led: fix reference leak on failed device registration + +From: Guangshuo Li <lgs201920130244@gmail.com> + +commit 707610bcccbd0327530938e33f3f33211a640a4e upstream. + +When platform_device_register() fails in startup_leds(), the embedded +struct device in platform_leds has already been initialized by +device_initialize(), but the failure path only reports the error and +does not drop the device reference for the current platform device: + + startup_leds() + -> platform_device_register(&platform_leds) + -> device_initialize(&platform_leds.dev) + -> setup_pdev_dma_masks(&platform_leds) + -> platform_device_add(&platform_leds) + +This leads to a reference leak when platform_device_register() fails. +Fix this by calling platform_device_put() after reporting the error. + +The issue was identified by a static analysis tool I developed and +confirmed by manual review. + +Fixes: 789e527adfc33 ("parisc: led: Rewrite LED/LCD driver to utilizize Linux LED subsystem") +Cc: stable@vger.kernel.org +Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com> +Signed-off-by: Helge Deller <deller@gmx.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/parisc/led.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/parisc/led.c ++++ b/drivers/parisc/led.c +@@ -547,8 +547,10 @@ static void __init register_led_regions( + + static int __init startup_leds(void) + { +- if (platform_device_register(&platform_leds)) +- printk(KERN_INFO "LED: failed to register LEDs\n"); ++ if (platform_device_register(&platform_leds)) { ++ pr_info("LED: failed to register LEDs\n"); ++ platform_device_put(&platform_leds); ++ } + register_led_regions(); + return 0; + }
diff --git a/queue-6.6/rbd-fix-null-ptr-deref-when-device_add_disk-fails.patch b/queue-6.6/rbd-fix-null-ptr-deref-when-device_add_disk-fails.patch new file mode 100644 index 0000000..b42c79b --- /dev/null +++ b/queue-6.6/rbd-fix-null-ptr-deref-when-device_add_disk-fails.patch
@@ -0,0 +1,116 @@ +From d1fef92e414433ca7b89abf85cb0df42b8d475eb Mon Sep 17 00:00:00 2001 +From: Dawei Feng <dawei.feng@seu.edu.cn> +Date: Sun, 19 Apr 2026 17:03:48 +0800 +Subject: rbd: fix null-ptr-deref when device_add_disk() fails + +From: Dawei Feng <dawei.feng@seu.edu.cn> + +commit d1fef92e414433ca7b89abf85cb0df42b8d475eb upstream. + +do_rbd_add() publishes the device with device_add() before calling +device_add_disk(). If device_add_disk() fails after device_add() +succeeds, the error path calls rbd_free_disk() directly and then later +falls through to rbd_dev_device_release(), which calls rbd_free_disk() +again. This double teardown can leave blk-mq cleanup operating on +invalid state and trigger a null-ptr-deref in +__blk_mq_free_map_and_rqs(), reached from blk_mq_free_tag_set(). + +Fix this by following the normal remove ordering: call device_del() +before rbd_dev_device_release() when device_add_disk() fails after +device_add(). That keeps the teardown sequence consistent and avoids +re-entering disk cleanup through the wrong path. + +The bug was first flagged by an experimental analysis tool we are +developing for kernel memory-management bugs while analyzing +v6.13-rc1. The tool is still under development and is not yet publicly +available. + +We reproduced the bug on v7.0 with a real Ceph backend and a QEMU x86_64 +guest booted with KASAN and CONFIG_FAILSLAB enabled. The reproducer +confines failslab injections to the __add_disk() range and injects +fail-nth while mapping an RBD image through +/sys/bus/rbd/add_single_major. + +On the unpatched kernel, fail-nth=4 reliably triggered the fault: + + Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI + KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + CPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy) + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 + RIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240 + Code: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 <80> 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00 + RSP: 0018:ff1100000ab0fac8 EFLAGS: 00000246 + RAX: dffffc0000000000 RBX: ff1100000c4806a0 RCX: 0000000000000000 + RDX: 0000000000000002 RSI: 0000000000000000 RDI: ff1100000c4806f4 + RBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000189001b + R10: ff1100000c4800df R11: ff1100006cf37be0 R12: 0000000000000000 + R13: 0000000000000000 R14: ff1100000c480700 R15: ff1100000c480004 + FS: 00007f0fbe8fe740(0000) GS:ff110000e5851000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fe53473b2e0 CR3: 0000000012eef000 CR4: 00000000007516f0 + PKRU: 55555554 + Call Trace: + <TASK> + blk_mq_free_tag_set+0x77/0x460 + do_rbd_add+0x1446/0x2b80 + ? __pfx_do_rbd_add+0x10/0x10 + ? lock_acquire+0x18c/0x300 + ? find_held_lock+0x2b/0x80 + ? sysfs_file_kobj+0xb6/0x1b0 + ? __pfx_sysfs_kf_write+0x10/0x10 + kernfs_fop_write_iter+0x2f4/0x4a0 + vfs_write+0x98e/0x1000 + ? expand_files+0x51f/0x850 + ? __pfx_vfs_write+0x10/0x10 + ksys_write+0xf2/0x1d0 + ? __pfx_ksys_write+0x10/0x10 + do_syscall_64+0x115/0x690 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + RIP: 0033:0x7f0fbea15907 + Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 + RSP: 002b:00007ffe22346ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f0fbea15907 + RDX: 0000000000000058 RSI: 0000563ace6c0ef0 RDI: 0000000000000001 + RBP: 0000563ace6c0ef0 R08: 0000563ace6c0ef0 R09: 6b6435726d694141 + R10: 5250337279762f78 R11: 0000000000000246 R12: 0000000000000058 + R13: 00007f0fbeb1c780 R14: ff1100000c480700 R15: ff1100000c480004 + </TASK> + +With this fix applied, rerunning the reproducer over fail-nth=1..256 +yields no KASAN reports. + +[ idryomov: rename err_out_device_del -> err_out_device ] + +Cc: stable@vger.kernel.org +Fixes: 27c97abc30e2 ("rbd: add add_disk() error handling") +Signed-off-by: Zilin Guan <zilin@seu.edu.cn> +Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn> +Reviewed-by: Ilya Dryomov <idryomov@gmail.com> +Signed-off-by: Ilya Dryomov <idryomov@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/block/rbd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -7172,7 +7172,7 @@ static ssize_t do_rbd_add(const char *bu + + rc = device_add_disk(&rbd_dev->dev, rbd_dev->disk, NULL); + if (rc) +- goto err_out_cleanup_disk; ++ goto err_out_device; + + spin_lock(&rbd_dev_list_lock); + list_add_tail(&rbd_dev->node, &rbd_dev_list); +@@ -7186,8 +7186,8 @@ out: + module_put(THIS_MODULE); + return rc; + +-err_out_cleanup_disk: +- rbd_free_disk(rbd_dev); ++err_out_device: ++ device_del(&rbd_dev->dev); + err_out_image_lock: + rbd_dev_image_unlock(rbd_dev); + rbd_dev_device_release(rbd_dev);
diff --git a/queue-6.6/remoteproc-xlnx-only-access-buffer-information-if-ipi-is-buffered.patch b/queue-6.6/remoteproc-xlnx-only-access-buffer-information-if-ipi-is-buffered.patch new file mode 100644 index 0000000..d6d8086 --- /dev/null +++ b/queue-6.6/remoteproc-xlnx-only-access-buffer-information-if-ipi-is-buffered.patch
@@ -0,0 +1,54 @@ +From 38dd6ccfdfbbe865569a52fe1ba9fa1478f672e6 Mon Sep 17 00:00:00 2001 +From: Ben Levinsky <ben.levinsky@amd.com> +Date: Tue, 3 Mar 2026 15:51:27 -0800 +Subject: remoteproc: xlnx: Only access buffer information if IPI is buffered + +From: Ben Levinsky <ben.levinsky@amd.com> + +commit 38dd6ccfdfbbe865569a52fe1ba9fa1478f672e6 upstream. + +In the receive callback check if message is NULL to prevent +possibility of crash by NULL pointer dereferencing. + +Signed-off-by: Ben Levinsky <ben.levinsky@amd.com> +Signed-off-by: Tanmay Shah <tanmay.shah@amd.com> +Fixes: 5dfb28c257b7 ("remoteproc: xilinx: Add mailbox channels for rpmsg") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20260303235127.2317955-3-tanmay.shah@amd.com +Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/remoteproc/xlnx_r5_remoteproc.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +--- a/drivers/remoteproc/xlnx_r5_remoteproc.c ++++ b/drivers/remoteproc/xlnx_r5_remoteproc.c +@@ -179,17 +179,19 @@ static void zynqmp_r5_mb_rx_cb(struct mb + + ipi = container_of(cl, struct mbox_info, mbox_cl); + +- /* copy data from ipi buffer to r5_core */ ++ /* copy data from ipi buffer to r5_core if IPI is buffered. */ + ipi_msg = (struct zynqmp_ipi_message *)msg; +- buf_msg = (struct zynqmp_ipi_message *)ipi->rx_mc_buf; +- len = ipi_msg->len; +- if (len > IPI_BUF_LEN_MAX) { +- dev_warn(cl->dev, "msg size exceeded than %d\n", +- IPI_BUF_LEN_MAX); +- len = IPI_BUF_LEN_MAX; ++ if (ipi_msg) { ++ buf_msg = (struct zynqmp_ipi_message *)ipi->rx_mc_buf; ++ len = ipi_msg->len; ++ if (len > IPI_BUF_LEN_MAX) { ++ dev_warn(cl->dev, "msg size exceeded than %d\n", ++ IPI_BUF_LEN_MAX); ++ len = IPI_BUF_LEN_MAX; ++ } ++ buf_msg->len = len; ++ memcpy(buf_msg->data, ipi_msg->data, len); + } +- buf_msg->len = len; +- memcpy(buf_msg->data, ipi_msg->data, len); + + /* received and processed interrupt ack */ + if (mbox_send_message(ipi->rx_chan, NULL) < 0)
diff --git a/queue-6.6/selftests-mqueue-fix-incorrectly-named-file.patch b/queue-6.6/selftests-mqueue-fix-incorrectly-named-file.patch new file mode 100644 index 0000000..95a67fd --- /dev/null +++ b/queue-6.6/selftests-mqueue-fix-incorrectly-named-file.patch
@@ -0,0 +1,41 @@ +From 64fac99037689020ad97e472ae898e96ea3616dc Mon Sep 17 00:00:00 2001 +From: Simon Liebold <simonlie@amazon.de> +Date: Thu, 12 Mar 2026 14:02:00 +0000 +Subject: selftests/mqueue: Fix incorrectly named file + +From: Simon Liebold <simonlie@amazon.de> + +commit 64fac99037689020ad97e472ae898e96ea3616dc upstream. + +Commit 85506aca2eb4 ("selftests/mqueue: Set timeout to 180 seconds") +intended to increase the timeout for mq_perf_tests from the default +kselftest limit of 45 seconds to 180 seconds. + +Unfortunately, the file storing this information was incorrectly named +`setting` instead of `settings`, causing the kselftest runner not to +pick up the limit and keep using the default 45 seconds limit. + +Fix this by renaming it to `settings` to ensure that the kselftest +runner uses the increased timeout of 180 seconds for this test. + +Fixes: 85506aca2eb4 ("selftests/mqueue: Set timeout to 180 seconds") +Cc: <stable@vger.kernel.org> # 5.10.y +Signed-off-by: Simon Liebold <simonlie@amazon.de> +Link: https://lore.kernel.org/r/20260312140200.2224850-1-simonlie@amazon.de +Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + tools/testing/selftests/mqueue/{setting => settings} | 0 + tools/testing/selftests/mqueue/setting | 1 - + tools/testing/selftests/mqueue/settings | 1 + + 2 files changed, 1 insertion(+), 1 deletion(-) + rename tools/testing/selftests/mqueue/{setting => settings} (100%) + +--- a/tools/testing/selftests/mqueue/setting ++++ /dev/null +@@ -1 +0,0 @@ +-timeout=180 +--- /dev/null ++++ b/tools/testing/selftests/mqueue/settings +@@ -0,0 +1 @@ ++timeout=180
diff --git a/queue-6.6/series b/queue-6.6/series index 4742fe0..85d0874 100644 --- a/queue-6.6/series +++ b/queue-6.6/series
@@ -42,3 +42,17 @@ alsa-aoa-i2sbus-fix-of-node-lifetime-handling.patch alsa-ctxfi-add-fallback-to-default-rsr-for-s-pdif.patch alsa-seq_oss-return-full-count-for-successful-seq_fullsize-writes.patch +erofs-fix-the-out-of-bounds-nameoff-handling-for-trailing-dirents.patch +md-raid10-fix-deadlock-with-check-operation-and-nowait-requests.patch +mfd-stpmic1-attempt-system-shutdown-twice-in-case-pmic-is-confused.patch +nvme-pci-add-nvme_quirk_disable_write_zeroes-for-kingston-om3sgp4.patch +nvme-respect-nvme_quirk_disable_write_zeroes-when-wzsl-is-set.patch +parisc-_llseek-syscall-is-only-available-for-32-bit-userspace.patch +parisc-led-fix-reference-leak-on-failed-device-registration.patch +remoteproc-xlnx-only-access-buffer-information-if-ipi-is-buffered.patch +selftests-mqueue-fix-incorrectly-named-file.patch +rbd-fix-null-ptr-deref-when-device_add_disk-fails.patch +io_uring-timeout-check-unused-sqe-fields.patch +iio-adc-ti-ads7950-use-iio_push_to_buffers_with_ts_unaligned.patch +io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch +io_uring-poll-ensure-epoll_oneshot-is-propagated-for-epoll_uring_wake.patch