Changelog in Linux kernel 5.10.260

 
agp/amd64: Fix broken error propagation in agp_amd64_probe() [+ + +]
Author: Mingyu Wang <25181214217@stu.xidian.edu.cn>
Date:   Mon May 4 15:48:23 2026 +0800

    agp/amd64: Fix broken error propagation in agp_amd64_probe()
    
    commit b08472db93b1ccff84a7adec5779d47f0e9d3a30 upstream.
    
    A NULL pointer dereference was observed in the AMD64 AGP driver when
    running in a virtualized environment (e.g. qemu/kvm) without a physical
    AMD northbridge. The crash occurs in amd64_fetch_size() when attempting
    to dereference the pointer returned by node_to_amd_nb(0).
    
    The root cause of this crash is broken error propagation in
    agp_amd64_probe(): When no AMD northbridges are found, cache_nbs()
    correctly returns -ENODEV. However, the probe function erroneously
    checks the return value against exactly -1, rather than < 0.
    
    As a result, the hardware absence error is masked, allowing the driver
    to improperly proceed with initialization. It eventually calls
    agp_add_bridge(), which invokes amd64_fetch_size(). Since the hardware
    does not exist, node_to_amd_nb(0) returns NULL, leading to a General
    Protection Fault (GPF) when accessing its ->misc member.
    
    Fix the issue by correcting the error check in agp_amd64_probe() to
    abort properly when cache_nbs() returns any negative error code. This
    prevents the driver from erroneously proceeding without hardware, thereby
    avoiding the subsequent NULL pointer dereference at its source.
    
    Fixes: a32073bffc65 ("[PATCH] x86_64: Clean and enhance up K8 northbridge access code")
    Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Reviewed-by: Lukas Wunner <lukas@wunner.de>
    Cc: stable@vger.kernel.org # v2.6.18+
    Link: https://patch.msgid.link/20260504074823.99377-1-w15303746062@163.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:38 2026 +0200

    batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE
    
    commit 98b0fb191c878a64cbaebfe231d96d57576acf8c upstream.
    
    The lasttime field for claim, backbone_gw, and loopdetect tracks the
    jiffies value of the most recent activity and is used to detect timeouts.
    These accesses are not consistently protected by a lock, so
    READ_ONCE/WRITE_ONCE must be used to prevent data races caused by compiler
    optimizations.
    
    Cc: stable@kernel.org
    Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: dat: prevent false sharing between VLANs [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:50 2026 +0200

    batman-adv: dat: prevent false sharing between VLANs
    
    commit 20d7658b74169f86d4ac01b9185b3eadddf71f28 upstream.
    
    The local hash of DAT entries is supposed to be VLAN (VID) aware. But
    the adding to the hash and the search in the hash were not checking the VID
    information of the hash entries. The entries would therefore only be
    correctly separated when batadv_hash_dat() didn't select the same buckets
    for different VIDs.
    
    Cc: stable@kernel.org
    Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: frag: avoid underflow of TTL [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:42 2026 +0200

    batman-adv: frag: avoid underflow of TTL
    
    commit 493d9d2528e1a09b090e4b37f0f553def7bd5ce9 upstream.
    
    Packets with a TTL are using it to limit the amount of time this packet can
    be forwarded. But for batadv_frag_packet, the TTL was always only reduced
    but it was never evaluated. It could even underflow without any effect.
    
    Check the TTL in batadv_frag_skb_fwd() before attempting to prepare it for
    forwarding. This keeps it in sync with the not fragmented unicast packet.
    
    Cc: stable@kernel.org
    Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: frag: ensure fragment is writable before modifying TTL [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:41 2026 +0200

    batman-adv: frag: ensure fragment is writable before modifying TTL
    
    commit b7293c6e8c15b2db77809b25cf8389e35331b27a upstream.
    
    Before batman-adv is allowed to write to an skb, it either has to have its
    own copy of the skb or use skb_cow() to ensure that the data part is not
    shared. But batadv_frag_skb_fwd() modifies the TTL even when it is shared.
    
    Adding a skb_cow() right before this operation avoids this and can at the
    same time prepare it for the modifications required to forward the
    fragment.
    
    Cc: stable@kernel.org
    Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
    [ Context ]
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: prevent ELP transmission interval underflow [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:39 2026 +0200

    batman-adv: prevent ELP transmission interval underflow
    
    commit 5e50d4b8ae3ea622122d3c6a38d7f6fe68dfddca upstream.
    
    batadv_v_elp_start_timer() enqeues a delayed work. The time when it starts
    is randomly chosen between (elp_interval - BATADV_JITTER) and
    (elp_interval + BATADV_JITTER). The configured elp_interval must therefore
    be larger or equal to BATADV_JITTER to avoid that it causes an underflow of
    the unsigned integer. If this would happen, then a "fast" ELP interval
    would turn into a "day long" delay.
    
    At the same time, it must not be larger than the maximum value the variable
    can store.
    
    Cc: stable@kernel.org
    Fixes: a10800829040 ("batman-adv: Add elp_interval hardif genl configuration")
    [ Context ]
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tp_meter: add only finished tp_vars to lists [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:37 2026 +0200

    batman-adv: tp_meter: add only finished tp_vars to lists
    
    commit 15ccbf685222274f5add1387af58c2a41a95f81e upstream.
    
    When the receiver variables (aka "session") are initialized, then they are
    added to the list of sessions before the timer is set up. A RCU protected
    reader could therefore find the entry and run mod_setup before
    batadv_tp_init_recv() finished the timer initialization.
    
    The same is true for batadv_tp_start(), which must first initialize the
    finish_work and the test_length to avoid a similar problem.
    
    Cc: stable@kernel.org
    Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:45 2026 +0200

    batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE
    
    commit d67c728f07fca2ee6ffdc6dd4421cf2e8691f4d1 upstream.
    
    The last_recv_time field for batadv_tp_receiver tracks the jiffies value of
    the most recent activity and is used to detect timeouts. These accesses are
    not consistently protected by a lock, so READ_ONCE/WRITE_ONCE must be used
    to prevent data races caused by compiler optimizations.
    
    Cc: stable@kernel.org
    Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:34 2026 +0200

    batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd
    
    commit 33ccd52f3cc9ed46ce395199f89aa3234dc83314 upstream.
    
    The cwnd is always MSS <= cwnd <= 0x20000000. But the calculation in
    batadv_tp_update_cwnd() assumes unsigned 32 bit arithmetics.
    
        ((mss * 8) ** 2) / (cwnd * 8)
    
    In case cwnd is actually 0x20000000, it will be shifted by 3 bit to the
    left end up at 0x100000000 or U32_MAX + 1. It will therefore wrap around
    and be 0 - resulting in:
    
        ((mss * 8) ** 2) / 0
    
    This is of course invalid and cannot be calculated. The calculation should
    must be simplified to avoid this overflow:
    
       (mss ** 2) * 8 / cwnd
    
    It will keep the precision enhancement from the scaling (by 8) but avoid
    the overflow in the divisor.
    
    In theory, there could still be an overflow in the dividend. It is at the
    moment fixed to BATADV_TP_PLEN in batadv_tp_recv_ack() - so it is not an
    imminent problem. But allowing it to use the whole u32 bit range, would
    mean that it can still use up to 67 bits. To keep this calculation safe for
    32 bit arithmetic, mss must never use more than floor((32 - 3) / 2) bits -
    or in other words: must never be larger than 16383.
    
    Cc: stable@kernel.org
    Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tp_meter: avoid window underflow [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:33 2026 +0200

    batman-adv: tp_meter: avoid window underflow
    
    commit 765947b81fb54b6ebb0bc1cfe55c0fa399e002b8 upstream.
    
    In batadv_tp_avail(), win_left is calculated with 32-bit unsigned
    arithmetic: win_left = win_limit - tp_vars->last_sent;
    
    During Fast Recovery, cwnd is inflated and last_sent advances rapidly. When
    Fast Recovery ends, cwnd drops abruptly back to ss_threshold. If the newly
    shrunk win_limit is less than last_sent, the unsigned subtraction will
    underflow, wrapping to a massive positive value. Instead of returning that
    the window is full (unavailable), it returns that the sender can continue
    sending.
    
    To handle this situation, it must be checked whether the windows end
    sequence number (win_limit) has to be compared with the last sent sequence
    number. If it would be before the last sent sequence number, then more acks
    are needed before the transmission can be started again.
    
    Cc: stable@kernel.org
    Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tp_meter: fix fast recovery precondition [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:35 2026 +0200

    batman-adv: tp_meter: fix fast recovery precondition
    
    commit 2b0d08f08ed3b2174f05c43089ec65f3543a025b upstream.
    
    The fast recovery precondition checks if the recover (initialized to
    BATADV_TP_FIRST_SEQ) is bigger than the received ack. But since recover is
    only updated when this check is successful, it will never enter the fast
    recovery mode.
    
    According to RFC6582 Section 3.2 step 2, the check should actually be
    different:
    
    > When the third duplicate ACK is received, the TCP sender first
    > checks the value of recover to see if the Cumulative
    > Acknowledgment field covers more than recover
    
    The precondition must therefore check if recover is smaller than the
    received ack - basically swapping the operands of the current check.
    
    Cc: stable@kernel.org
    Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tp_meter: handle overlapping packets [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:47 2026 +0200

    batman-adv: tp_meter: handle overlapping packets
    
    commit cbde75c38b21f022891525078622587ad557b7c1 upstream.
    
    If the size of the packets would change during the transmission, it could
    happen that some retries of packets are overlapping. In this case, precise
    comparisons of sequence numbers by the receiver would be wrong. It is then
    necessary to check if the start sequence number to the end sequence number
    ("seqno + length") would contain a new range.
    
    If this is the case then this is enough to accept this packet. In all other
    cases, the packet still has to be dropped (and not acked).
    
    Cc: stable@kernel.org
    Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
    [ Switch to pre-splitted tp_vars structure names ]
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:36 2026 +0200

    batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection
    
    commit f54c85ed42a1b27a516cf2a4728f5a612b799e07 upstream.
    
    The recover variable and the last_sent sequence number are initialized on
    purpose as a really high value which will wrap-around after the first 2000
    bytes. The fast recovery precondition must therefore not use simple integer
    comparisons but use helpers which are aware of the sequence number
    wrap-arounds.
    
    Cc: stable@kernel.org
    Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tp_meter: initialize dec_cwnd explicitly [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:32 2026 +0200

    batman-adv: tp_meter: initialize dec_cwnd explicitly
    
    commit febfb1b86224489535312296ecfa3d4bf467f339 upstream.
    
    When batadv_tp_update_cwnd() is called, dec_cwnd is increased. But dec_cwnd
    is only initialixed (to 0) when a duplicate Ack was received or when cwnd
    is below the ss_threshold.
    
    Just initialize the cwnd during the initialization to avoid any potential
    access of uninitialized data.
    
    Cc: stable@kernel.org
    Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tp_meter: initialize dup_acks explicitly [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:31 2026 +0200

    batman-adv: tp_meter: initialize dup_acks explicitly
    
    commit b2b68b32a715e0328662801576974aa37b942b00 upstream.
    
    When an ack with a sequence number equal to the last_acked is received, the
    dup_acks counter is increased to decide whether fast retransmit should be
    performed. Only when the sequence numbers are not equal, the dup_acks is
    set to the initial value (0).
    
    But if the initial packet would have the sequence number
    BATADV_TP_FIRST_SEQ, dup_acks would not be initialized and atomic_inc would
    operate on an undefined starting value. It is therefore required to have it
    explicitly initialized during the start of the sender session.
    
    Cc: stable@kernel.org
    Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tp_meter: initialize last_recv_time during init [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:40 2026 +0200

    batman-adv: tp_meter: initialize last_recv_time during init
    
    commit 811cb00fa8cdc3f0a7f6eefc000a6888367c8c8f upstream.
    
    The last_recv_time is the most important indicator for a receiver session
    to figure out whether a session timed out or not. But this information was
    only initialized after the session was added to the tp_receiver_list and
    after the timer was started.
    
    In the worst case, the timer (function) could have tried to access this
    information before the actual initialization was reached. Like rest of the
    variables of the tp_meter receiver session, this field has to be filled out
    before any other (parallel running) context has the chance to access it.
    
    Cc: stable@kernel.org
    Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
    [ Context ]
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tp_meter: keep unacked list in ascending ordered [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:30 2026 +0200

    batman-adv: tp_meter: keep unacked list in ascending ordered
    
    commit 5aa8651527ea0b610e7a09fb3b8204c1398b9525 upstream.
    
    When batadv_tp_handle_out_of_order inserts a new entry in the list of
    unacked (out of order) packets, it searches from the entry with the newest
    sequence number towards oldest sequence number. If an entry is found which
    is older than the newly entry, the new entry has to be added after the
    found one to keep the ascending order.
    
    But for this operation list_add_tail() was used. But this function adds an
    entry _before_ another one. As result, the list would contain a lot of
    swapped sequence numbers. The consumer of this list
    (batadv_tp_ack_unordered()) would then fail to correctly ack packets.
    
    Cc: stable@kernel.org
    Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tp_meter: prevent parallel modifications of last_recv [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:46 2026 +0200

    batman-adv: tp_meter: prevent parallel modifications of last_recv
    
    commit 6dde0cfcb36e4d5b3de35b75696937478441eed4 upstream.
    
    When last_recv is updated to store the last receive sequence number, it is
    assuming that nothing is modifying in parallel while:
    
    * check for outdated packets is done
    * out of order check is performed (and packets are stored in out-of-order
      queue)
    * the out-of-order queue was searched for closed gaps
    * sequence number for next ack is calculated
    
    Nothing of that was actually protected. It could therefore happen that the
    last_recv was updated multiple times in parallel and the final sequence
    number was calculated with deltas which had no connection to the sequence
    number they were added to.
    
    Lock this whole region with the same lock which was already used to protect
    the unacked (out-of-order) list.
    
    Cc: stable@kernel.org
    Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
    [ Switch to pre-splitted tp_vars structure names ]
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tp_meter: restrict number of unacked list entries [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:44 2026 +0200

    batman-adv: tp_meter: restrict number of unacked list entries
    
    commit e7c775110e1858e5a7471a23a9c9658c0af9df89 upstream.
    
    When the unacked_list is unbound, an attacker could send messages with
    small lengths and appropriated seqno + gaps to force the receiver to
    allocate more and more unacked_list entries. And the end either causing an
    out-of-memory situation or increase the management overhead for the (large)
    list that significant portions of CPU cycles are wasted in searching
    through the list.
    
    When limiting the list to a specific number, it is important to still
    correctly add a new entry to the list. But if the list became larger than
    the limit, the last entry of the list (with the highest seqno) must be
    dropped to still allow the earlier seqnos to finish and therefore to
    continue the process. Otherwise, the process might get stuck with too high
    seqnos which are not handled by batadv_tp_ack_unordered().
    
    Cc: stable@kernel.org
    Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
    [ Switch to pre-splitted tp_vars structure names ]
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tt: don't merge change entries with different VIDs [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:48 2026 +0200

    batman-adv: tt: don't merge change entries with different VIDs
    
    commit f08e06c2d5c3e2434e7c773f2213f4a7dce6bc1e upstream.
    
    batadv_tt_local_event() merges/cancels events for the same client which
    would conflict or be duplicates. The matching of the queued events only
    compares the MAC address - the VLAN ID stored in each event is ignored.
    
    If a MAC would now appear on multiple VID, the two ADD change events (for
    VID 1 and VID 2) would be merged to a single vid event. The remote can
    therefore not calculate the correct TT table and desync. A full translation
    table exchange is required to recover from this state.
    
    A check of VID is therefore necessary to avoid such wrong merges/cancels.
    
    Cc: stable@kernel.org
    Fixes: c018ad3de61a ("batman-adv: add the VLAN ID attribute to the TT entry")
    [ Context ]
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tt: prevent TVLV entry number overflow [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri May 29 22:12:35 2026 +0200

    batman-adv: tt: prevent TVLV entry number overflow
    
    commit 99d9958fa10fb684b2a8e2c48a8d704122721420 upstream.
    
    The helpers to prepare the buffers for the local and global TT based
    replies are trying to sum up all TT entries which can be found for each
    VLAN. In theory, this sum can be too big for an u16 and therefore overflow.
    A too small buffer would then be allocated for the TVLV.
    
    The too small buffer will be handled gracefully by
    batadv_tt_tvlv_generate() and is not causing a buffer overflow - just a
    truncated reply. But this overflow shouldn't have happened in the first and
    the too small buffer should never have been allocated when an overflow was
    detected.
    
    Cc: stable@kernel.org
    Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tt: reject oversized local TVLV buffers [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri May 29 22:11:09 2026 +0200

    batman-adv: tt: reject oversized local TVLV buffers
    
    commit 1e9fab756f8395096d5bba7be0c373c4c8f5d165 upstream.
    
    The commit 3a359bf5c61d ("batman-adv: reject oversized global TT response
    buffers") added a check to ensure that a global return buffer size can be
    stored in an u16. The same buffer handling also exists for the local data
    buffer but was not touched.
    
    A similar check should be also be in place for the local TVLV buffer. It
    doesn't have the similar attack surface because it is only generated from
    locally discovered MAC addresses but the dynamic nature could still cause
    temporarily to large buffers.
    
    Cc: stable@kernel.org
    Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
    [ Context ]
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tt: track roam count per VID [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:49 2026 +0200

    batman-adv: tt: track roam count per VID
    
    commit 12407d5f61c2653a64f2ff4b22f3c267f8420ef1 upstream.
    
    batadv_tt_check_roam_count() is supposed to track roaming of a TT entry.
    But TT entries are for a MAC + VID. The VID was completely missed and thus
    leads to incorrect detection of ROAM counts when a client MAC exists in
    multiple VLANs.
    
    Cc: stable@kernel.org
    Fixes: c018ad3de61a ("batman-adv: add the VLAN ID attribute to the TT entry")
    [ Context ]
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tvlv: avoid race of cifsnotfound handler state [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:52 2026 +0200

    batman-adv: tvlv: avoid race of cifsnotfound handler state
    
    commit edb557b2ba38fea2c5eb710cf366c797e187218c upstream.
    
    TVLV handlers can have the flag BATADV_TVLV_HANDLER_OGM_CIFNOTFND set to
    signal that the OGM handler should be called (with NULL for data) when the
    specific TVLV container was not found in the OGM. This is used by:
    
    * DAT
    * GW
    * Multicast (OGM + Tracker)
    
    The state whether the handler was executed was stored in the struct
    batadv_tvlv_handler. But the TVLV processing is started without any lock.
    Multiple parallel contexts processing TVLVs would therefore overwrite each
    others BATADV_TVLV_HANDLER_OGM_CALLED flag in the shared
    batadv_tvlv_handler.
    
    Drop the shared BATADV_TVLV_HANDLER_OGM_CALLED flag and instead determine,
    per TVLV buffer, whether a matching container was present by scanning the
    packet's buffer.
    
    Cc: stable@kernel.org
    Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
    [ Context ]
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: tvlv: enforce 2-byte alignment [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:51 2026 +0200

    batman-adv: tvlv: enforce 2-byte alignment
    
    commit 32a6799255525d6ea4da0f7e9e0e521ad9560a46 upstream.
    
    The fields of an aggregated OGM(v2) are accessed assuming (at least) 2-byte
    alignment, so a following OGM must start at an even offset. As the header
    length is even, an odd tvlv_len would misalign it and trigger unaligned
    accesses on strict-alignment architectures.
    
    Such a misaligned TVLV/OGM/OGMv2 is not created by a normal participant in
    the mesh. Therefore, reject such malformed packets.
    
    Cc: stable@kernel.org
    Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
    [ Drop change for non-existing mcast handling ]
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: v: prevent OGM aggregation on disabled hardif [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Fri Jun 26 18:09:43 2026 +0200

    batman-adv: v: prevent OGM aggregation on disabled hardif
    
    commit d11c00b95b2a3b3934007fc003dccc6fdcc061ad upstream.
    
    When an interface gets disabled, the worker is correctly disabled by
    batadv_hardif_disable_interface() -> ... -> batadv_v_ogm_iface_disable().
    In this process, the skb aggr_list is also freed.
    
    But batadv_v_ogm_send_meshif() can still queue new skbs (via
    batadv_v_ogm_queue_on_if()) to the aggr_list. This will only stop after all
    cores can no longer find the RCU protected list of hard interfaces. These
    queued skbs will never be freed or consumed by batadv_v_ogm_aggr_work.
    
    The batadv_v_ogm_iface_disable() function must block
    batadv_v_ogm_queue_on_if() to avoid leak of skbs.
    
    Cc: stable@kernel.org
    Fixes: f89255a02f1d ("batman-adv: BATMAN_V: introduce per hard-iface OGMv2 queues")
    [ Context ]
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
bnxt_en: Fix NULL pointer dereference [+ + +]
Author: Kyle Meyer <kyle.meyer@hpe.com>
Date:   Tue Jun 16 11:55:38 2026 -0400

    bnxt_en: Fix NULL pointer dereference
    
    [ Upstream commit d930276f2cddd0b7294cac7a8fe7b877f6d9e08d ]
    
    PCIe errors detected by a Root Port or Downstream Port cause error
    recovery services to run on all subordinate devices regardless of
    administrative state.
    
    The .error_detected() callback, bnxt_io_error_detected(), disables
    and synchronizes IRQs via bnxt_disable_int_sync(), which calls
    bnxt_cp_num_to_irq_num() to map completion rings to IRQs using
    bp->bnapi.
    
    Since bp->bnapi is allocated on NIC open and freed on NIC close, PCIe
    error recovery on a closed NIC can dereference a NULL pointer.
    
    Check if bp->bnapi is NULL before disabling and synchronizing IRQs.
    
    Fixes: e5811b8c09df ("bnxt_en: Add IRQ remapping logic.")
    Cc: stable@vger.kernel.org
    Signed-off-by: Kyle Meyer <kyle.meyer@hpe.com>
    Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
    Link: https://patch.msgid.link/aiNM1CY2-StPilxW@hpe.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

bnxt_en: Modify bnxt_disable_int_sync() to be called more than once. [+ + +]
Author: Michael Chan <michael.chan@broadcom.com>
Date:   Tue Jun 16 11:55:37 2026 -0400

    bnxt_en: Modify bnxt_disable_int_sync() to be called more than once.
    
    [ Upstream commit 38290e37297087f7ea3ef7904b8f185d77c42976 ]
    
    In the event of a fatal firmware error, we want to disable IRQ early
    in the recovery sequence.  This change will allow it to be called
    safely again as part of the normal shutdown sequence.
    
    Reviewed-by: Edwin Peer <edwin.peer@broadcom.com>
    Reviewed-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Acked-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Stable-dep-of: d930276f2cdd ("bnxt_en: Fix NULL pointer dereference")
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
bpf: use kvfree() for replaced sysctl write buffer [+ + +]
Author: Dawei Feng <dawei.feng@seu.edu.cn>
Date:   Wed Jun 3 18:53:16 2026 +0800

    bpf: use kvfree() for replaced sysctl write buffer
    
    commit 4c21b5927d4364bfe7365f2700da5fea0ed0d004 upstream.
    
    proc_sys_call_handler() allocates its temporary sysctl buffer with
    kvzalloc() and passes it to __cgroup_bpf_run_filter_sysctl(). Since
    kvzalloc() may fall back to vmalloc() for large allocations, freeing
    that buffer with kfree() is wrong and can corrupt memory.
    
    Use kvfree() to safely handle both kmalloc and kvzalloc()/vmalloc
    allocations.
    
    The bug was first flagged by an experimental analysis tool we are
    developing for kernel memory-management bugs while analyzing
    v6.13-rc1. The tool is still under development and is not yet publicly
    available. Manual inspection confirms that the bug is still
    present in v7.1-rc5.
    
    Reproduced the bug based on v7.1-rc4 in a QEMU x86_64 guest booted with
    KASAN and CONFIG_FAILSLAB enabled. To exercise the replacement path, the
    test tree also included the accompanying fix for the stale ret == 1
    check in __cgroup_bpf_run_filter_sysctl(). The reproducer confines
    failslab injections to the proc_sys_call_handler() range, uses
    stacktrace-depth=32, and injects fail-nth=1 while writing 8191 bytes to
    /proc/sys/kernel/domainname from a task in the target cgroup. Under
    that setup, fail-nth=1 triggered the fault:
    
      BUG: unable to handle page fault for address: ffffeb0200024d48
      #PF: supervisor read access in kernel mode
      #PF: error_code(0x0000) - not-present page
      PGD 0 P4D 0
      Oops: Oops: 0000  SMP KASAN NOPTI
      CPU: 2 UID: 0 PID: 209 Comm: repro_proc_sys_ Not tainted 7.1.0-rc4-00686-g97625979a5d4  PREEMPT(lazy)
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
      RIP: 0010:kfree+0x6e/0x510
      ...
      Call Trace:
       <TASK>
       ? __cgroup_bpf_run_filter_sysctl+0x626/0xc30
       __cgroup_bpf_run_filter_sysctl+0x74d/0xc30
       ? __pfx___cgroup_bpf_run_filter_sysctl+0x10/0x10
       ? srso_return_thunk+0x5/0x5f
       ? __kvmalloc_node_noprof+0x345/0x870
       ? proc_sys_call_handler+0x250/0x480
       ? srso_return_thunk+0x5/0x5f
       proc_sys_call_handler+0x3a2/0x480
       ? __pfx_proc_sys_call_handler+0x10/0x10
       ? srso_return_thunk+0x5/0x5f
       ? selinux_file_permission+0x39f/0x500
       ? srso_return_thunk+0x5/0x5f
       ? lock_is_held_type+0x9e/0x120
       vfs_write+0x98e/0x1000
       ...
       </TASK>
    
    With this fix applied on top of the same test setup, rerunning the
    reproducer with fail-nth=1 yields no corresponding Oops reports.
    
    Fixes: 4508943794ef ("proc: use kvzalloc for our kernel buffer")
    Cc: stable@vger.kernel.org
    
    Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
    Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
    Acked-by: Yonghong Song <yonghong.song@linux.dev>
    Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
    Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
    Link: https://lore.kernel.org/r/20260603105317.944304-3-dawei.feng@seu.edu.cn
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
crypto: af_alg - Set merge to zero early in af_alg_sendmsg [+ + +]
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Wed Jul 1 19:01:21 2026 +0300

    crypto: af_alg - Set merge to zero early in af_alg_sendmsg
    
    commit 9574b2330dbd2b5459b74d3b5e9619d39299fc6f upstream.
    
    If an error causes af_alg_sendmsg to abort, ctx->merge may contain
    a garbage value from the previous loop.  This may then trigger a
    crash on the next entry into af_alg_sendmsg when it attempts to do
    a merge that can't be done.
    
    Fix this by setting ctx->merge to zero near the start of the loop.
    
    Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations")
    Reported-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>
    Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Mikhail Dmitrichenko <mdmitrichenko@astralinux.ru>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

crypto: qat - remove unused character device and IOCTLs [+ + +]
Author: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Date:   Thu Jun 25 22:25:11 2026 -0400

    crypto: qat - remove unused character device and IOCTLs
    
    [ Upstream commit d237230728c567297f2f98b425d63156ab2ed17f ]
    
    The QAT driver exposes a character device (qat_adf_ctl) with IOCTLs
    for device configuration, start, stop, status query and enumeration.
    These IOCTLs are not part of any public uAPI header and have no known
    in-tree or out-of-tree users. Device lifecycle is already managed via
    sysfs.
    
    The ioctl interface also increases the attack surface and is the
    subject of a number of bug reports.
    
    Remove the character device, the IOCTL definitions, and the related
    data structures (adf_dev_status_info, adf_user_cfg_key_val,
    adf_user_cfg_section, adf_user_cfg_ctl_data). Drop the now-unused
    adf_cfg_user.h header and strip adf_ctl_drv.c down to the minimal
    module_init/module_exit hooks for workqueue, AER, and crypto/compression
    algorithm registration.
    
    Clean up leftover dead code that was only reachable from the removed
    IOCTL paths: adf_cfg_del_all(), adf_devmgr_verify_id(),
    adf_devmgr_get_num_dev(), adf_devmgr_get_dev_by_id(),
    adf_get_vf_real_id() and the unused ADF_CFG macros.
    
    Additionally, drop the entry associated to QAT IOCTLs in
    ioctl-number.rst.
    
    Cc: stable@vger.kernel.org
    Fixes: d8cba25d2c68 ("crypto: qat - Intel(R) QAT driver framework")
    Reported-by: Zhi Wang <wangzhi@stu.xidian.edu.cn>
    Reported-by: Bin Yu <byu@xidian.edu.cn>
    Reported-by: MingYu Wang <w15303746062@163.com>
    Closes: https://lore.kernel.org/all/61d6d499.ab89.19b9b7f3186.Coremail.wangzhi_xd@stu.xidian.edu.cn/
    Link: https://lore.kernel.org/all/20260508034841.256794-1-w15303746062@163.com/
    Link: https://lore.kernel.org/all/20260508023542.256299-1-w15303746062@163.com/
    Link: https://lore.kernel.org/all/20260504025120.98242-1-w15303746062@163.com/
    Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
    Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

crypto: qat - Replace kzalloc() + copy_from_user() with memdup_user() [+ + +]
Author: Thorsten Blum <thorsten.blum@linux.dev>
Date:   Thu Jun 25 22:25:09 2026 -0400

    crypto: qat - Replace kzalloc() + copy_from_user() with memdup_user()
    
    [ Upstream commit 1e26339703e2afd397037defa798682b2b93dcc0 ]
    
    Replace kzalloc() followed by copy_from_user() with memdup_user() to
    improve and simplify adf_ctl_alloc_resources(). memdup_user() returns
    either -ENOMEM or -EFAULT (instead of -EIO) if an error occurs.
    
    Remove the unnecessary device id initialization, since memdup_user()
    (like copy_from_user()) immediately overwrites it.
    
    No functional changes intended other than returning the more idiomatic
    error code -EFAULT.
    
    Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Stable-dep-of: d237230728c5 ("crypto: qat - remove unused character device and IOCTLs")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

crypto: qat - Return pointer directly in adf_ctl_alloc_resources [+ + +]
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Thu Jun 25 22:25:10 2026 -0400

    crypto: qat - Return pointer directly in adf_ctl_alloc_resources
    
    [ Upstream commit 5ce9891ea928208a915411ce8227f8c3e37e5ad9 ]
    
    Returning values through arguments is confusing and that has
    upset the compiler with the recent change to memdup_user:
    
    ../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c: In function ‘adf_ctl_ioctl’:
    ../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:308:26: warning: ‘ctl_data’ may be used uninitialized [-Wmaybe-uninitialized]
      308 |                  ctl_data->device_id);
          |                          ^~
    ../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:294:39: note: ‘ctl_data’ was declared here
      294 |         struct adf_user_cfg_ctl_data *ctl_data;
          |                                       ^~~~~~~~
    In function ‘adf_ctl_ioctl_dev_stop’,
        inlined from ‘adf_ctl_ioctl’ at ../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:386:9:
    ../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:273:48: warning: ‘ctl_data’ may be used uninitialized [-Wmaybe-uninitialized]
      273 |         ret = adf_ctl_is_device_in_use(ctl_data->device_id);
          |                                        ~~~~~~~~^~~~~~~~~~~
    ../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c: In function ‘adf_ctl_ioctl’:
    ../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:261:39: note: ‘ctl_data’ was declared here
      261 |         struct adf_user_cfg_ctl_data *ctl_data;
          |                                       ^~~~~~~~
    In function ‘adf_ctl_ioctl_dev_config’,
        inlined from ‘adf_ctl_ioctl’ at ../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:382:9:
    ../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:192:54: warning: ‘ctl_data’ may be used uninitialized [-Wmaybe-uninitialized]
      192 |         accel_dev = adf_devmgr_get_dev_by_id(ctl_data->device_id);
          |                                              ~~~~~~~~^~~~~~~~~~~
    ../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c: In function ‘adf_ctl_ioctl’:
    ../drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:185:39: note: ‘ctl_data’ was declared here
      185 |         struct adf_user_cfg_ctl_data *ctl_data;
          |                                       ^~~~~~~~
    
    Fix this by returning the pointer directly.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Reviewed-by: Thorsten Blum <thorsten.blum@linux.dev>
    Acked-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Stable-dep-of: d237230728c5 ("crypto: qat - remove unused character device and IOCTLs")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
dlm: prevent NPD when writing a positive value to event_done [+ + +]
Author: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Date:   Mon Feb 10 13:16:22 2025 -0600

    dlm: prevent NPD when writing a positive value to event_done
    
    commit 8e2bad543eca5c25cd02cbc63d72557934d45f13 upstream.
    
    do_uevent returns the value written to event_done. In case it is a
    positive value, new_lockspace would undo all the work, and lockspace
    would not be set. __dlm_new_lockspace, however, would treat that
    positive value as a success due to commit 8511a2728ab8 ("dlm: fix use
    count with multiple joins").
    
    Down the line, device_create_lockspace would pass that NULL lockspace to
    dlm_find_lockspace_local, leading to a NULL pointer dereference.
    
    Treating such positive values as successes prevents the problem. Given
    this has been broken for so long, this is unlikely to break userspace
    expectations.
    
    Fixes: 8511a2728ab8 ("dlm: fix use count with multiple joins")
    Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
    Signed-off-by: David Teigland <teigland@redhat.com>
    Signed-off-by: Nazar Kalashnikov <nazarkalashnikov0@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Documentation: ioctl-number: Extend "Include File" column width [+ + +]
Author: Bagas Sanjaya <bagasdotme@gmail.com>
Date:   Thu Jun 25 22:25:08 2026 -0400

    Documentation: ioctl-number: Extend "Include File" column width
    
    [ Upstream commit 15afd5def819e4df2a29cef6fcfa6ae7ba167c0f ]
    
    Extend width of "Include File" column to fit full path to
    papr-physical-attestation.h in later commit.
    
    Reviewed-by: Haren Myneni <haren@linux.ibm.com>
    Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
    Acked-by: Madhavan Srinivasan <maddy@linux.ibm.com>
    Signed-off-by: Jonathan Corbet <corbet@lwn.net>
    Link: https://lore.kernel.org/r/20250714015711.14525-3-bagasdotme@gmail.com
    Stable-dep-of: d237230728c5 ("crypto: qat - remove unused character device and IOCTLs")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs [+ + +]
Author: Dexuan Cui <decui@microsoft.com>
Date:   Wed Jun 17 08:45:49 2026 -0400

    Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs
    
    [ Upstream commit 016a25e4b0df4d77e7c258edee4aaf982e4ee809 ]
    
    If vmbus_reserve_fb() in the kdump/kexec kernel fails to properly reserve
    the framebuffer MMIO range (which is below 4GB) due to a Gen2 VM's
    screen.lfb_base being zero [1], there is an MMIO conflict between the
    drivers hyperv-drm and pci-hyperv: when the driver pci-hyperv's
    hv_allocate_config_window() calls vmbus_allocate_mmio() to get an
    MMIO range, typically it gets a 32-bit MMIO range that overlaps with the
    framebuffer MMIO range, and later hv_pci_enter_d0() fails with an
    error message "PCI Pass-through VSP failed D0 Entry with status" since
    the host thinks that PCI devices must not use MMIO space that the
    host has assigned to the framebuffer.
    
    This is especially an issue if pci-hyperv is built-in and hyperv-drm is
    built as a module. Consequently, the kdump/kexec kernel fails to detect
    PCI devices via pci-hyperv, and may fail to mount the root file system,
    which may reside in a NVMe disk. The issue described here has existed
    for SR-IOV VF NICs since day one of the pci-hyperv driver, and has been
    worked around on x64 when possible. With the recent introduction of
    ARM64 VMs that boot from NVMe, there is no workaround, so we need a
    formal fix.
    
    On Gen2 VMs, if the screen.lfb_base is 0 in the kdump/kexec kernel [1],
    fall back to the low MMIO base, which should be equal to the framebuffer
    MMIO base [2] (the statement is true according to my testing on x64
    Windows Server 2016, and on x64 and ARM64 Windows Server 2025 and on
    Azure. I checked with the Hyper-V team and they said the statement should
    continue to be true for Gen2 VMs). In the first kernel, screen.lfb_base
    is not 0; if the user specifies a very high resolution, it's not enough
    to only reserve 8MB: let's always reserve half of the space below 4GB,
    but cap the reservation to 128MB, which is the required framebuffer size
    of the highest resolution 7680*4320 supported by Hyper-V.
    
    While at it, fix the comparison "end > VTPM_BASE_ADDRESS" by changing
    the > to >=. Here the 'end' is an inclusive end (typically, it's
    0xFFFF_FFFF for the low MMIO range).
    
    Note: vmbus_reserve_fb() now also reserves an MMIO range at the beginning
    of the low MMIO range on CVMs, which have no framebuffers (the
    'screen.lfb_base' in vmbus_reserve_fb() is 0 for CVMs), just in case the
    host might treat the beginning of the low MMIO range specially [3]. BTW,
    the OpenHCL kernel is not affected by the change, because that kernel
    boots with DeviceTree rather than ACPI (so vmbus_reserve_fb() won't run
    there), and there is no framebuffer device for that kernel.
    
    Note: normally Gen1 VMs don't have the MMIO conflict issue because the
    framebuffer MMIO range (which is hardcoded to base=4GB-128MB and
    size=64MB for Gen1 VMs by the host) is always reported via the legacy PCI
    graphics device's BAR, so the kdump/kexec kernel can reserve the 64MB
    MMIO range; however, if the VM is configured to use a very high resolution
    and the required framebuffer size exceeds 64MB (AFAIK, in practice, this
    isn't a typical configuration by users), the hyperv-drm driver may need to
    allocate an MMIO range above 4GB and change the framebuffer MMIO location
    to the allocated MMIO range -- in this case, there can still be issues [4]
    which can't be easily fixed: any possible affected Gen1 users would have
    to use a resolution whose framebuffer size is <= 64MB, or switch to Gen2
    VMs.
    
    [1] https://lore.kernel.org/all/SA1PR21MB692176C1BC53BFC9EAE5CF8EBF51A@SA1PR21MB6921.namprd21.prod.outlook.com/
    [2] https://lore.kernel.org/all/SA1PR21MB69218F955B62DFF62E3E88D2BF222@SA1PR21MB6921.namprd21.prod.outlook.com/
    [3] https://lore.kernel.org/all/SN6PR02MB415726B17D5A6027CD1717E8D4342@SN6PR02MB4157.namprd02.prod.outlook.com/
    [4] https://lore.kernel.org/all/SA1PR21MB69213486F821CA5A2C793C81BF342@SA1PR21MB6921.namprd21.prod.outlook.com/
    
    Fixes: 4daace0d8ce8 ("PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs")
    CC: stable@vger.kernel.org
    Reviewed-by: Michael Kelley <mhklinux@outlook.com>
    Tested-by: Krister Johansen <kjlx@templeofstupid.com>
    Tested-by: Matthew Ruffell <matthew.ruffell@canonical.com>
    Signed-off-by: Dexuan Cui <decui@microsoft.com>
    Signed-off-by: Wei Liu <wei.liu@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/amd/display: Bound VBIOS record-chain walk loops [+ + +]
Author: Harry Wentland <harry.wentland@amd.com>
Date:   Tue May 12 15:24:22 2026 -0400

    drm/amd/display: Bound VBIOS record-chain walk loops
    
    [ Upstream commit ff287df16a1a58aca78b08d1f3ee09fc44da0351 ]
    
    [Why & How]
    All record-chain walk loops in bios_parser.c and bios_parser2.c use
    for(;;) and only terminate on a 0xFF record_type sentinel or zero
    record_size. A malformed VBIOS image missing the terminator record
    causes unbounded iteration at probe time, potentially hundreds of
    thousands of iterations with record_size=1. In the final iterations
    near the BIOS image boundary, struct casts beyond the 2-byte header
    validated by GET_IMAGE can also read out of bounds.
    
    Cap all 14 record-chain walk loops to BIOS_MAX_NUM_RECORD (256)
    iterations. The atombios.h defines up to 22 distinct record types
    and atomfirmware.h has 13. Assuming an average of less than 10
    records per type (which is reasonable since most are connector-
    based) 256 is a generous upper bound.
    
    Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
    Assisted-by: Copilot:claude-opus-4.6 Mythos
    Reviewed-by: Alex Hung <alex.hung@amd.com>
    Signed-off-by: Harry Wentland <harry.wentland@amd.com>
    Signed-off-by: Ray Wu <ray.wu@amd.com>
    Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    (cherry picked from commit 95700a3d660287ed657d6892f7be9ffc0e294a93)
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amd/display: Use krealloc_array() in dal_vector_reserve() [+ + +]
Author: Harry Wentland <harry.wentland@amd.com>
Date:   Thu Jun 18 08:55:08 2026 -0400

    drm/amd/display: Use krealloc_array() in dal_vector_reserve()
    
    [ Upstream commit da48bc4461b8a5ebfb9264c9b191a701d8e99009 ]
    
    [Why & How]
    dal_vector_reserve() computes the allocation size as
    "capacity * vector->struct_size" using uint32_t arithmetic, which can
    silently wrap to a small value on overflow. This would cause krealloc to
    return a smaller buffer than expected, leading to heap overflows on
    subsequent vector appends.
    
    Replace krealloc() with krealloc_array() which performs an internal
    overflow check and returns NULL on wrap, preventing the issue.
    
    Fixes: 2004f45ef83f ("drm/amd/display: Use kernel alloc/free")
    Assisted-by: Copilot:claude-opus-4.6
    Reviewed-by: Alex Hung <alex.hung@amd.com>
    Signed-off-by: Harry Wentland <harry.wentland@amd.com>
    Signed-off-by: Ray Wu <ray.wu@amd.com>
    Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    (cherry picked from commit 37668568641ccc4cc1dbca4923d0a16609dd5707)
    Cc: stable@vger.kernel.org
    [ changed `krealloc_array(p, capacity, struct_size)` to `krealloc(p, array_size(capacity, struct_size))` since krealloc_array() is absent in 5.10 ]
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
exfat: fix potential use-after-free in exfat_find_dir_entry() [+ + +]
Author: Michael Bommarito <michael.bommarito@gmail.com>
Date:   Wed Apr 22 11:58:44 2026 -0400

    exfat: fix potential use-after-free in exfat_find_dir_entry()
    
    commit 3f5f8ee9917cc2b9076ac533492d8a200edcabb8 upstream.
    
    In exfat_find_dir_entry(), the buffer_head obtained from
    exfat_get_dentry() is released with brelse(bh) before the fall-through
    TYPE_EXTEND branch reads the directory entry through ep (which points
    into bh->b_data):
    
            brelse(bh);
            if (entry_type == TYPE_EXTEND) {
                    ...
                    len = exfat_extract_uni_name(ep, entry_uniname);
                    ...
            }
    
    After brelse() drops our reference, nothing guarantees that the
    underlying page backing bh->b_data remains valid for the subsequent
    exfat_extract_uni_name() read. This is the same pattern fixed in
    commit fc961522ddbd ("exfat: Fix potential use after free in
    exfat_load_upcase_table()").
    
    Move brelse(bh) so it runs after ep is no longer dereferenced on
    each branch.
    
    Confirmed on QEMU x86_64 with CONFIG_KASAN=y + CONFIG_DEBUG_PAGEALLOC=y
    + CONFIG_PAGE_POISONING=y on linux-next, using a crafted exFAT image
    (long filename with same-hash collisions forcing the TYPE_EXTEND path).
    With a debug-only invalidate_bdev() inserted between brelse(bh) and
    the ep read to make the stale-deref window deterministic, the
    unpatched kernel faults:
    
      BUG: KASAN: use-after-free in exfat_find_dir_entry+0x133b/0x15a0
      BUG: unable to handle page fault for address: ffff88801a5fa0c2
      Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
      RIP: 0010:exfat_find_dir_entry+0x1188/0x15a0
    
    With this patch applied, the same instrumented harness completes
    cleanly under the same sanitizer stack. I have not reproduced a
    crash on an uninstrumented kernel under ordinary reclaim; the
    instrumented A/B establishes the lifetime violation and that the
    patch closes it, not an unaided triggerability claim.
    
    Fixes: ca06197382bd ("exfat: add directory operations")
    Cc: stable@vger.kernel.org
    Assisted-by: Claude:claude-opus-4-7
    Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
    Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ext4: add bounds check for inline data length in ext4_read_inline_page [+ + +]
Author: Yuto Ohnuki <ytohnuki@amazon.com>
Date:   Tue Jun 30 17:42:56 2026 +0100

    ext4: add bounds check for inline data length in ext4_read_inline_page
    
    [ Upstream commit 356227096eb66e41b23caf7045e6304877322edf ]
    
    ext4_read_inline_page() does not validate that the inline data length
    fits within a page before copying data. If the inline size exceeds
    PAGE_SIZE due to filesystem corruption, this could lead to a kernel
    memory write beyond the page boundary.
    
    Add a bounds check after computing len, returning -EFSCORRUPTED if the
    value exceeds PAGE_SIZE.
    
    The upstream commit replaced a BUG_ON(len > PAGE_SIZE) in
    ext4_read_inline_folio(). In 6.1 and earlier, the function is still named
    ext4_read_inline_page() and the BUG_ON was never present, so this patch
    adds the bounds check directly.
    
    Fixes: 46c7f254543d ("ext4: add read support for inline data")
    Signed-off-by: Yuto Ohnuki <ytohnuki@amazon.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
f2fs: validate ACL entry sizes in f2fs_acl_from_disk() [+ + +]
Author: Zhang Cen <rollkingzzc@gmail.com>
Date:   Mon Jun 15 15:19:54 2026 +0800

    f2fs: validate ACL entry sizes in f2fs_acl_from_disk()
    
    commit c4810ada31e80cbe4011467c4f3b1e93f94134f3 upstream.
    
    f2fs_acl_count() only validates the aggregate ACL xattr length. A
    malformed ACL can still place ACL_USER or ACL_GROUP in a slot that only
    contains struct f2fs_acl_entry_short bytes, and f2fs_acl_from_disk()
    then reads entry->e_id before verifying that a full entry fits.
    
    Require a short entry before reading e_tag and e_perm, and require a
    full entry before reading e_id for ACL_USER and ACL_GROUP. Return
    -EFSCORRUPTED from these new truncated-entry checks, while keeping the
    pre-existing -EINVAL paths unchanged.
    
    Validation reproduced this kernel report:
    KASAN slab-out-of-bounds in __f2fs_get_acl+0x6fb/0x7e0
    RIP: 0033:0x7f4b835ea7aa
    The buggy address belongs to the object at ffff888114589960 which belongs
    to the cache kmalloc-8 of size 8
    The buggy address is located 0 bytes to the right of allocated 8-byte
    region [ffff888114589960, ffff888114589968)
    Read of size 4
    Call trace:
      dump_stack_lvl+0x66/0xa0 (?:?)
      print_report+0xce/0x630 (?:?)
      __f2fs_get_acl+0x6fb/0x7e0 (fs/f2fs/acl.c:169)
      srso_alias_return_thunk+0x5/0xfbef5 (?:?)
      __virt_addr_valid+0x224/0x430 (?:?)
      kasan_report+0xe0/0x110 (?:?)
      __f2fs_get_acl+0x5/0x7e0 (fs/f2fs/acl.c:169)
      __get_acl+0x281/0x380 (?:?)
      vfs_get_acl+0x10b/0x190 (?:?)
      do_get_acl+0x2a/0x410 (?:?)
      do_get_acl+0x9/0x410 (?:?)
      do_getxattr+0xe8/0x260 (?:?)
      filename_getxattr+0xd1/0x140 (?:?)
      do_getname+0x2d/0x2d0 (?:?)
      path_getxattrat+0x16c/0x200 (?:?)
      lock_release+0xc8/0x290 (?:?)
      cgroup_update_frozen+0x9d/0x320 (?:?)
      lockdep_hardirqs_on_prepare+0xea/0x1a0 (?:?)
      trace_hardirqs_on+0x1a/0x170 (?:?)
      _raw_spin_unlock_irq+0x28/0x50 (?:?)
      do_syscall_64+0x115/0x6a0 (arch/x86/entry/syscall_64.c:87)
      entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?)
    
    Cc: stable@kernel.org
    Fixes: af48b85b8cd3 ("f2fs: add xattr and acl functionalities")
    Assisted-by: Codex:gpt-5.5
    Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
    Reviewed-by: Chao Yu <chao@kernel.org>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var [+ + +]
Author: Ian Bridges <icb@fastmail.org>
Date:   Wed Jun 24 23:13:12 2026 -0500

    fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var
    
    commit 7f08fc10fa3d3366dc3af723970bd03d7d6d10e3 upstream.
    
    info->var, a framebuffer's current mode, is expected to have a matching
    entry in info->modelist. var_to_display() relies on this and treats a
    failed fb_match_mode() as "This should not happen". fb_set_var() keeps it
    true by adding the mode to the list on every change, and
    do_register_framebuffer() does the same at registration.
    
    store_modes() replaces the modelist from userspace. fb_new_modelist()
    validates the new modes but does not check that info->var still has a
    match. It relies on fbcon_new_modelist() to re-point consoles, but that
    only handles consoles mapped to the framebuffer. With fbcon unbound there
    are none, so info->var is left describing a mode that is no longer in the
    list.
    
    A later console takeover runs var_to_display(), where fb_match_mode()
    returns NULL and leaves fb_display[i].mode NULL. fbcon_switch() passes it
    to display_to_var(), and fb_videomode_to_var() dereferences the NULL mode.
    
    Keep the current mode in the list in fb_new_modelist(), the same way
    fb_set_var() does.
    
    Cc: stable@vger.kernel.org
    Assisted-by: Claude:claude-opus-4-8
    Signed-off-by: Ian Bridges <icb@fastmail.org>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode [+ + +]
Author: Steffen Persvold <spersvold@gmail.com>
Date:   Fri Jun 12 18:40:41 2026 +0200

    fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode
    
    commit d894c48a57d78206e4df9c90d4acfaf39394806a upstream.
    
    The 1920x1080@60 modedb entry has one too many initializers before
    its sync field: a stray "0" occupies the sync slot, which shifts the
    remaining values by one field. The entry therefore decodes as
    sync = 0, vmode = FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT (0x3,
    i.e. FB_VMODE_INTERLACED | FB_VMODE_DOUBLE), and flag =
    FB_VMODE_NONINTERLACED, instead of the intended sync = positive H/V,
    vmode = non-interlaced.
    
    fb_find_mode() then returns a 1920x1080 mode flagged as interlaced +
    doublescan with active-low syncs. Drivers that honour var->vmode and
    var->sync when programming display timing enable doublescan and the
    wrong sync polarity, corrupting the output.
    
    Drop the stray initializer so sync and vmode hold their intended
    values (positive H/V sync, non-interlaced), matching the adjacent
    1920x1200 entry.
    
    Fixes: c8902258b2b8 ("fbdev: modedb: Add 1920x1080 at 60 Hz video mode")
    Cc: stable@vger.kernel.org
    Signed-off-by: Steffen Persvold <spersvold@gmail.com>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
fpga: region: fix use-after-free in child_regions_with_firmware() [+ + +]
Author: Wentao Liang <vulab@iscas.ac.cn>
Date:   Wed Apr 8 15:45:34 2026 +0000

    fpga: region: fix use-after-free in child_regions_with_firmware()
    
    commit 54f3c5643ec523a04b6ec0e7c19eb10f5ebebdd3 upstream.
    
    Move of_node_put(child_region) after the error print to avoid accessing
    freed memory when pr_err() references child_region.
    
    Fixes: 0fa20cdfcc1f ("fpga: fpga-region: device tree control for FPGA")
    Cc: stable@vger.kernel.org
    Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
    [ Yilun: Fix the Fixes tag ]
    Reviewed-by: Xu Yilun <yilun.xu@intel.com>
    Link: https://lore.kernel.org/r/20260408154534.404327-1-vulab@iscas.ac.cn
    Signed-off-by: Xu Yilun <yilun.xu@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios [+ + +]
Author: Jann Horn <jannh@google.com>
Date:   Tue Jun 16 21:00:23 2026 +0200

    fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios
    
    [ Upstream commit 4e3d1b2c48ca6c55f1e9ca7f8dccc76f120f276c ]
    
    FUSE_NOTIFY_RETRIEVE must be limited to uptodate folios; !uptodate folios
    can contain uninitialized data.
    Since FUSE_NOTIFY_RETRIEVE is intended to only return data that is already
    in the page cache and not wait for data from the FUSE daemon, treat
    !uptodate folios as if they weren't present.
    
    This only has security impact on systems that don't enable automatic
    zero-initialization of all page allocations via
    CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1.
    
    Cc: stable@kernel.org
    Fixes: 2d45ba381a74 ("fuse: add retrieve request")
    Signed-off-by: Jann Horn <jannh@google.com>
    Link: https://patch.msgid.link/20260519-fuse-retrieve-uptodate-v1-1-a7a1912a37f9@google.com
    Acked-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
    [adjusted for stable: page instead of folio]
    Signed-off-by: Jann Horn <jannh@google.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
hv: utils: handle and propagate errors in kvp_register [+ + +]
Author: Thorsten Blum <thorsten.blum@linux.dev>
Date:   Tue Jun 16 14:37:18 2026 -0400

    hv: utils: handle and propagate errors in kvp_register
    
    [ Upstream commit 3fcf923302a8f5c0dc3af3d2ca2657cb5fae4297 ]
    
    Make kvp_register() return an error code instead of silently ignoring
    failures, and propagate the error from kvp_handle_handshake() instead of
    returning success.
    
    This propagates both kzalloc_obj() and hvutil_transport_send() failures
    to kvp_handle_handshake() and thus to kvp_on_msg().
    
    Fixes: 245ba56a52a3 ("Staging: hv: Implement key/value pair (KVP)")
    Cc: stable@vger.kernel.org
    Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
    Reviewed-by: Long Li <longli@microsoft.com>
    Signed-off-by: Wei Liu <wei.liu@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
i2c: stub: Reject I2C block transfers with invalid length [+ + +]
Author: Weiming Shi <bestswngs@gmail.com>
Date:   Wed Apr 15 01:23:39 2026 +0800

    i2c: stub: Reject I2C block transfers with invalid length
    
    commit 6036b5067a8199ba7a2dc7b377d4b9dd276d5f9e upstream.
    
    The I2C_SMBUS_I2C_BLOCK_DATA case in stub_xfer() uses data->block[0]
    as the transfer length. The existing check only clamps it to avoid
    overrunning the chip->words[256] register array, but does not validate
    it against I2C_SMBUS_BLOCK_MAX (32), which is the limit of the union
    i2c_smbus_data.block buffer (34 bytes total). The driver is a
    development/test tool (CONFIG_I2C_STUB=m, not built by default)
    that must be loaded with a chip_addr= parameter.
    
    A local user with access to /dev/i2c-* can issue an I2C_SMBUS ioctl
    with I2C_SMBUS_I2C_BLOCK_DATA and data->block[0] > 32, causing
    stub_xfer() to read or write past the end of the union
    i2c_smbus_data.block buffer:
    
     BUG: KASAN: stack-out-of-bounds in stub_xfer (drivers/i2c/i2c-stub.c:223)
     Read of size 1 at addr ffff88800abcfd92 by task exploit/81
     Call Trace:
      <TASK>
      stub_xfer (drivers/i2c/i2c-stub.c:223)
      __i2c_smbus_xfer (drivers/i2c/i2c-core-smbus.c:593)
      i2c_smbus_xfer (drivers/i2c/i2c-core-smbus.c:536)
      i2cdev_ioctl_smbus (drivers/i2c/i2c-dev.c:391)
      i2cdev_ioctl (drivers/i2c/i2c-dev.c:478)
      __x64_sys_ioctl (fs/ioctl.c:583)
      do_syscall_64 (arch/x86/entry/syscall_64.c:94)
      entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
      </TASK>
    
    The bug exists because i2c-stub implements .smbus_xfer directly,
    bypassing the I2C_SMBUS_BLOCK_MAX validation in
    i2c_smbus_xfer_emulated(). The I2C_SMBUS_BLOCK_DATA case in the same
    function correctly validates against I2C_SMBUS_BLOCK_MAX, but the
    I2C_SMBUS_I2C_BLOCK_DATA case does not.
    
    Fix by rejecting transfers with data->block[0] == 0 or
    data->block[0] > I2C_SMBUS_BLOCK_MAX with -EINVAL, consistent with
    both the I2C_SMBUS_BLOCK_DATA case in the same function and the
    I2C_SMBUS_I2C_BLOCK_DATA validation in i2c_smbus_xfer_emulated().
    
    Fixes: 4710317891e4 ("i2c-stub: Implement I2C block support")
    Reported-by: Xiang Mei <xmei5@asu.edu>
    Signed-off-by: Weiming Shi <bestswngs@gmail.com>
    Reviewed-by: Jean Delvare <jdelvare@suse.de>
    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ip6_vti: set netns_immutable on the fallback device. [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Jun 8 15:59:18 2026 +0000

    ip6_vti: set netns_immutable on the fallback device.
    
    [ Upstream commit d289d5307762d1838aaece22c6b6fcad9e8865f9 ]
    
    john1988 and Noam Rathaus reported that vti6_init_net() does not set the
    netns_immutable flag on the per-netns fallback tunnel device (ip6_vti0).
    
    Other similar tunnel drivers (like ip6_tunnel, sit, ip6_gre, and ip_tunnel)
    correctly set this flag during their fallback device initialization to
    prevent them from being moved to another network namespace.
    
    Fixes: 61220ab34948 ("vti6: Enable namespace changing")
    Reported-by: Noam Rathaus <noamr@ssd-disclosure.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Link: https://patch.msgid.link/20260608155918.787644-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    [Salvatore Bonaccorso: Backport for version without 0c493da86374 ("net:
    rename netns_local to netns_immutable") in v6.15-rc1 and without
    05c1280a2bcf ("netdev_features: convert NETIF_F_NETNS_LOCAL to
    dev->netns_local") in v6.12-rc1 and use NETIF_F_NETNS_LOCAL device
    feature.]
    Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove [+ + +]
Author: Qingshuang Fu <fuqingshuang@kylinos.cn>
Date:   Thu Jun 18 10:13:52 2026 +0800

    irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove
    
    commit 37738fdf2ab1e504d1c63ce5bc0aeb6452d8f057 upstream.
    
    The driver allocates domain generic chips using
    irq_alloc_domain_generic_chips() during probe and sets up chained
    handlers using irq_set_chained_handler_and_data(). However, on driver
    removal, the generic chips are not freed and the chained handlers are
    not removed.
    
    The generic chips remain on the global gc_list and may later be accessed by
    generic interrupt chip suspend, resume, or shutdown callbacks after the
    driver has been removed, potentially resulting in a use-after-free and
    kernel crash.
    
    The chained handlers that were installed in probe for peripheral and
    syswake interrupts are also left dangling, which can lead to spurious
    interrupts accessing freed memory.
    
    Fix these issues by:
    
      - Setting IRQ_DOMAIN_FLAG_DESTROY_GC flag in domain->flags, so the
        core code automatically removes generic chips when irq_domain_remove()
        is called
    
      - Clearing all chained handlers with NULL in pdc_intc_remove()
    
    Fixes: b6ef9161e43a ("irq-imgpdc: add ImgTec PDC irqchip driver")
    Signed-off-by: Qingshuang Fu <fuqingshuang@kylinos.cn>
    Signed-off-by: Thomas Gleixner <tglx@kernel.org>
    Cc: stable@vger.kernel.org
    Link: https://patch.msgid.link/20260618021352.661773-1-fffsqian@163.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
KEYS: fix overflow in keyctl_pkey_params_get_2() [+ + +]
Author: Jarkko Sakkinen <jarkko@kernel.org>
Date:   Mon Jun 1 23:11:54 2026 +0300

    KEYS: fix overflow in keyctl_pkey_params_get_2()
    
    commit cb481e59ea6cae3b7796ac1d7a22b6b24c3f3c0b upstream.
    
    The length for the internal output buffer is calculated incorrectly, which
    can result overflow when a too small buffer is provided.
    
    Fix the bug by allocating internal output with the size of the maximum
    length of the cryptographic primitive instead of caller provided size.
    
    Link: https://lore.kernel.org/keyrings/20260531024914.3712130-1-jarkko@kernel.org/
    Cc: stable@vger.kernel.org # v4.20+
    Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
    Reported-by: Alessandro Groppo <ale.grpp@gmail.com>
    Tested-by: Alessandro Groppo <ale.grpp@gmail.com>
    Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
keys: Pin request_key_auth payload in instantiate paths [+ + +]
Author: Shaomin Chen <eeesssooo020@gmail.com>
Date:   Wed Jun 10 13:10:05 2026 +0300

    keys: Pin request_key_auth payload in instantiate paths
    
    commit fd15b457a86939c38aa12116adabd8ff686c5e51 upstream.
    
    A: request_key()       B: KEYCTL_INSTANTIATE_IOV
    ================       =========================
    
    create auth key
    store rka in auth key
    wait for helper
                           get auth key
                           load rka from auth key
                           copy user payload
                           sleep on #PF
    
    helper completed
    detach and free rka
    destroy auth key
                           wake up
                           use rka->target_key
                           **USE-AFTER-FREE**
    
    Give request_key_auth payloads a refcount.  Take a payload reference while
    authkey->sem stabilizes the payload and revocation state.  Hold that
    reference across the instantiate and reject paths.  Drop the auth key
    owning reference from revoke and destroy.
    
    [jarkko: Replaced the first two paragraphs of text with an actual
     concurrency scenario.]
    Cc: stable@vger.kernel.org # v5.10+
    Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys")
    Reported-by: Shaomin Chen <eeesssooo020@gmail.com>
    Closes: https://lore.kernel.org/r/20260519144403.436694-1-eeesssooo020@gmail.com
    Signed-off-by: Shaomin Chen <eeesssooo020@gmail.com>
    Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path [+ + +]
Author: Ashutosh Desai <ashutoshdesai993@gmail.com>
Date:   Fri May 1 13:35:32 2026 -0700

    KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path
    
    commit 78ee2d50185a037b3d2452a97f3dad69c3f7f389 upstream.
    
    In sev_dbg_crypt(), the per-iteration transfer length is bounded by
    the source page offset (PAGE_SIZE - s_off) but not by the destination
    page offset (PAGE_SIZE - d_off).  When d_off > s_off, the encrypt
    path (__sev_dbg_encrypt_user) performs a read-modify-write using a
    single-page intermediate buffer (dst_tpage):
    
      1. __sev_dbg_decrypt() expands the size to round_up(len + (d_off & 15), 16)
         before issuing the PSP command.  If len + (d_off & 15) > PAGE_SIZE,
         the PSP writes beyond the end of the 4096-byte dst_tpage allocation.
    
      2. The subsequent memcpy()/copy_from_user() into
         page_address(dst_tpage) + (d_off & 15) of 'len' bytes overflows
         by up to 15 bytes under the same condition.
    
    Trigger example: s_off = 0, d_off = 1, debug.len = PAGE_SIZE -
    the PSP is instructed to write round_up(4097, 16) = 4112 bytes to
    a 4096-byte buffer.
    
    Fix by also bounding len by (PAGE_SIZE - d_off), the same check that
    sev_send_update_data() already performs for its single-page guest
    region.
    
     ==================================================================
     BUG: KASAN: slab-use-after-free in sev_dbg_crypt+0x993/0xd10 [kvm_amd]
     Write of size 4095 at addr ff110062293bb009 by task sev_dbg_test/228214
    
     CPU: 96 UID: 0 PID: 228214 Comm: sev_dbg_test Tainted: G     U  W           7.0.0-smp--5ce9b0c48211-dbg #156 PREEMPTLAZY
     Tainted: [U]=USER, [W]=WARN
     Hardware name: Google Astoria/astoria, BIOS 0.20250817.1-0 08/25/2025
     Call Trace:
      <TASK>
      dump_stack_lvl+0x54/0x70
      print_report+0xbc/0x260
      kasan_report+0xa2/0xd0
      kasan_check_range+0x25f/0x2c0
      __asan_memcpy+0x40/0x70
      sev_dbg_crypt+0x993/0xd10 [kvm_amd]
      sev_mem_enc_ioctl+0x33c/0x450 [kvm_amd]
      kvm_vm_ioctl+0x65d/0x6d0 [kvm]
      __se_sys_ioctl+0xb2/0x100
      do_syscall_64+0xe8/0x870
      entry_SYSCALL_64_after_hwframe+0x4b/0x53
      </TASK>
    
     The buggy address belongs to the physical page:
     page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7fe72b6a0 pfn:0x62293bb
     memcg:ff11000112827d82
     flags: 0x1400000000000000(node=1|zone=1)
     raw: 1400000000000000 0000000000000000 dead000000000122 0000000000000000
     raw: 00000007fe72b6a0 0000000000000000 00000001ffffffff ff11000112827d82
     page dumped because: kasan: bad access detected
    
     Memory state around the buggy address:
      ff110062293bbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      ff110062293bbf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     >ff110062293bc000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                        ^
      ff110062293bc080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      ff110062293bc100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
     ==================================================================
     Disabling lock debugging due to kernel taint
    
    Fixes: 24f41fb23a39 ("KVM: SVM: Add support for SEV DEBUG_DECRYPT command")
    Fixes: 7d1594f5d94b ("KVM: SVM: Add support for SEV DEBUG_ENCRYPT command")
    Cc: stable@vger.kernel.org
    Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
    [sean: add sample KASAN splat, Fixes, and stable@]
    Link: https://patch.msgid.link/20260501203537.2120074-2-seanjc@google.com
    Signed-off-by: Sean Christopherson <seanjc@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Linux: Linux 5.10.260 [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Sat Jul 4 13:38:41 2026 +0200

    Linux 5.10.260
    
    Link: https://lore.kernel.org/r/20260702155108.949633242@linuxfoundation.org
    Tested-by: Brett A C Sheffield <bacs@librecast.net>
    Tested-by: Pavel Machek (CIP) <pavel@nabladev.com>
    Tested-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mac802154: llsec: add skb_cow_data() before in-place crypto [+ + +]
Author: Doruk Tan Ozturk <doruk@0sec.ai>
Date:   Tue May 26 20:37:26 2026 +0200

    mac802154: llsec: add skb_cow_data() before in-place crypto
    
    commit 84a04eb5b210643bd67aab81ff805d32f62aa865 upstream.
    
    llsec_do_encrypt_unauth(), llsec_do_encrypt_auth(),
    llsec_do_decrypt_unauth(), and llsec_do_decrypt_auth() all perform
    in-place cryptographic transformations on skb data.  They build a
    scatterlist with sg_init_one() pointing into the skb's linear data area
    and then pass the same scatterlist as both src and dst to the crypto API
    (e.g. crypto_skcipher_encrypt/decrypt, crypto_aead_encrypt/decrypt).
    
    On the RX path, __ieee802154_rx_handle_packet() clones the received skb
    before handing it to each subscriber via ieee802154_subif_frame().  The
    cloned skb shares the same underlying data buffer via reference
    counting.  When llsec_do_decrypt() subsequently modifies this shared
    buffer in place, it corrupts data that other clones -- potentially
    belonging to other sockets or subsystems -- still reference.
    
    On the TX path, similar data sharing can occur when an skb's head has
    been cloned (skb_cloned() returns true).
    
    The fix is to call skb_cow_data() before performing any in-place crypto
    operation.  skb_cow_data() ensures that the skb's data area is not
    shared: if the skb head is cloned or the data spans multiple fragments,
    it copies the data into a private buffer that can be safely modified in
    place.  This is the same pattern used by:
    
      - ESP (net/ipv4/esp4.c, net/ipv6/esp6.c)
      - MACsec (drivers/net/macsec.c)
      - WireGuard (drivers/net/wireguard/receive.c)
      - TIPC (net/tipc/crypto.c)
    
    Without this guard, in-place crypto on shared skb data leads to:
      - Silent data corruption of other skb clones
      - Use-after-free when the crypto API scatterwalk writes through a
        page that has already been freed by another clone's kfree_skb()
      - Kernel crashes under concurrent 802.15.4 traffic with security
        enabled (KASAN/KMSAN reports slab-use-after-free)
    
    Found by 0sec (https://0sec.ai) using automated source analysis.
    
    Fixes: 4c14a2fb5d14 ("mac802154: add llsec decryption method")
    Fixes: 03556e4d0dbb ("mac802154: add llsec encryption method")
    Cc: stable@vger.kernel.org
    Reported-by: Doruk Tan Ozturk <doruk@0sec.ai>
    Closes: https://lore.kernel.org/linux-wpan/20260525161806.96158-1-doruk@0sec.ai/
    Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
    Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
    Closes: <link to your mail on lore>
    Link: https://lore.kernel.org/20260526183726.56100-1-doruk@0sec.ai
    Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si [+ + +]
Author: Ruslan Valiyev <linuxoid@gmail.com>
Date:   Tue Mar 17 17:05:44 2026 +0000

    media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si
    
    commit 7d8bf3d8f91073f4db347ed3aa6302b56107499c upstream.
    
    syzbot reported a general protection fault in
    vidtv_psi_ts_psi_write_into [1].
    
    vidtv_mux_get_pid_ctx() can return NULL, but vidtv_mux_push_si() does
    not check for this before dereferencing the returned pointer to access
    the continuity counter. This leads to a general protection fault when
    accessing a near-NULL address.
    
    The root cause is that vidtv_mux_pid_ctx_init() does not check the
    return value of vidtv_mux_create_pid_ctx_once() for PMT section PIDs.
    If the allocation fails, the PID context is never created, but init
    returns success. The subsequent vidtv_mux_push_si() call then gets
    NULL from vidtv_mux_get_pid_ctx() and crashes.
    
    Fix both the root cause (add error check in vidtv_mux_pid_ctx_init
    for PMT PIDs) and add defensive NULL checks in vidtv_mux_push_si for
    all vidtv_mux_get_pid_ctx() calls.
    
    [1]
    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
    KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
    Workqueue: events vidtv_mux_tick
    RIP: 0010:vidtv_psi_ts_psi_write_into+0x54a/0xbc0 drivers/media/test-drivers/vidtv/vidtv_psi.c:197
    Call Trace:
     <TASK>
     vidtv_psi_table_header_write_into drivers/media/test-drivers/vidtv/vidtv_psi.c:799 [inline]
     vidtv_psi_pmt_write_into+0x3b2/0xa70 drivers/media/test-drivers/vidtv/vidtv_psi.c:1231
     vidtv_mux_push_si+0x932/0xe80 drivers/media/test-drivers/vidtv/vidtv_mux.c:196
     vidtv_mux_tick+0xe9b/0x1480 drivers/media/test-drivers/vidtv/vidtv_mux.c:408
    
    Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver")
    Cc: stable@vger.kernel.org
    Reported-by: syzbot+814c351d094f4f1a1b86@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=814c351d094f4f1a1b86
    Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com>
    Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
MIPS: DEC: Prevent initial console buffer from landing in XKPHYS [+ + +]
Author: Maciej W. Rozycki <macro@orcam.me.uk>
Date:   Wed May 6 23:42:27 2026 +0100

    MIPS: DEC: Prevent initial console buffer from landing in XKPHYS
    
    commit 7fb13fd35110ebe95eb053faf79d018f51144d85 upstream.
    
    In 64-bit configurations calling the initial console output handler from
    a kernel thread other than the initial one will result in a situation
    where the stack has been placed in the XKPHYS 64-bit memory segment and
    consequently so has been the buffer allocated there that is used as the
    argument corresponding to the `%s' output conversion specifier for the
    firmware's printf() entry point.
    
    This 64-bit address will then be truncated by 32-bit firmware, resulting
    in an attempt to access the wrong memory location, which in turn will
    cause all kinds of unpredictable behaviour, such as a kernel crash:
    
      Console: colour dummy device 160x64
      Calibrating delay loop... 49.36 BogoMIPS (lpj=192512)
      pid_max: default: 32768 minimum: 301
      CPU 0 Unable to handle kernel paging request at virtual address 000000000203bd00, epc == ffffffffbfc08364, ra == ffffffffbfc08800
      Oops[#1]:
      CPU: 0 PID: 0 Comm: swapper Not tainted 5.18.0-rc2-00254-gfb649bda6f56-dirty #121
      $ 0   : 0000000000000000 0000000000000001 0000000000000023 ffffffff80684ba0
      $ 4   : 000000000203bd00 ffffffffbfc0f3b4 ffffffffffffffff 0000000000000073
      $ 8   : 0a303d7469000000 0000000000000000 0000000000000073 ffffffffbfc0f473
      $12   : 0000000000000002 0000000000000000 ffffffff80684c1c 0000000000000000
      $16   : 0000000000000000 ffffffff80596dc9 0000000000000000 ffffffffbfc09240
      $20   : ffffffff80684c40 ffffffffbfc0f400 000000000000002d 000000000000002b
      $24   : ffffffffffffffbf 000000000203bd00
      $28   : ffffffff805f0000 ffffffff80684b58 0000000000000030 ffffffffbfc08800
      Hi    : 0000000000000000
      Lo    : 0000000000000aa8
      epc   : ffffffffbfc08364 0xffffffffbfc08364
      ra    : ffffffffbfc08800 0xffffffffbfc08800
      Status: 140120e2        KX SX UX KERNEL EXL
      Cause : 00000008 (ExcCode 02)
      BadVA : 000000000203bd00
      PrId  : 00000430 (R4000SC)
      Modules linked in:
      Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____), tls=0000000000000000)
      Stack : 0000000000000000 0000000000000000 0000000000000000 0000004d0000004d
              80684cc0806a2a40 80596dc80000004d 8061000000000000 bfc0850c80684c38
              0000000000000000 000000000203bd00 0000000000000000 0000000000000000
              0000000000000000 00000000bfc0f3b4 0000000000000000 0000000000000000
              0000000000000000 0000000000000000 0000000000000000 0000000000000000
              0000000000000000 0000000000000000 0000000000000000 0000000000000000
              0000002500000000 0000000000000000 0000000000000000 802c1a7400000000
              0203bd0080596dc8 0203bd4d69000000 6c61632000000018 5f746567646e6172
              6c616320625f6d6f 5f736e5f6d6f7266 206361323778302b 303d74696e726320
              806a0a38806b0000 806a0a38806b0000 00000000806b0000 80683c58806b0000
              ...
      Call Trace:
    
      Code: a082ffff  03e00008  00601021 <80820000> 00001821  10400005  24840001  80820000  24630001
    
      ---[ end trace 0000000000000000 ]---
      Kernel panic - not syncing: Fatal exception in interrupt
    
      KN04 V2.1k    (PC: 0xa0026768, SP: 0x806848e8)
      >>
    
    In this case the pointer in $4 was truncated from 0x980000000203bd00 to
    0x000000000203bd00.
    
    This may happen when no final console driver has been enabled in the
    configuration and consequently the initial console continues being used
    late into bootstrap or with an upcoming change that will switch the zs
    driver to use a platform device, which in turn will make the console
    handover happen only after other kernel threads have already been
    started.
    
    Fix the issue by making the buffer static and initdata, and therefore
    placed in the CKSEG0 32-bit compatibility segment, observing that the
    console output handler is called with the console lock held, implying
    no need for this code to be reentrant.  Add an assertion to verify the
    buffer actually has been placed in a compatibility segment.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
    Cc: stable@vger.kernel.org # v2.6.12+
    Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
misc: fastrpc: Add dma_mask to fastrpc_channel_ctx [+ + +]
Author: Abel Vesa <abelvesa@kernel.org>
Date:   Tue Jun 16 18:40:03 2026 -0400

    misc: fastrpc: Add dma_mask to fastrpc_channel_ctx
    
    [ Upstream commit 9bde43a0e2f469961e18d0a3496a9a74379c22bf ]
    
    dma_set_mask_and_coherent only updates the mask to which the device
    dma_mask pointer points to. Add a dma_mask to the channel ctx and set
    the device dma_mask to point to that, otherwise the dma_set_mask will
    return an error and the dma_set_coherent_mask will be skipped too.
    
    Co-developed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
    Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Link: https://lore.kernel.org/r/20221125071405.148786-11-srinivas.kandagatla@linaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Stable-dep-of: 5401fb4fe10f ("misc: fastrpc: Fix NULL pointer dereference in rpmsg callback")
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

misc: fastrpc: fix DMA address corruption due to find_vma misuse [+ + +]
Author: Junrui Luo <moonafterrain@outlook.com>
Date:   Wed Jun 17 15:09:17 2026 -0400

    misc: fastrpc: fix DMA address corruption due to find_vma misuse
    
    [ Upstream commit 464c6ad2aa16e1e1df9d559289199356493d1e00 ]
    
    fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided
    pointer and compute a DMA address offset. When the address falls in a gap
    before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows,
    corrupting the DMA address sent to the DSP.
    
    Replace find_vma() with vma_lookup(), which returns NULL when the address
    is not contained within any VMA.
    
    Cc: stable@vger.kernel.org
    Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
    Reported-by: Yuhao Jiang <danisjiang@gmail.com>
    Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
    Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
    Link: https://patch.msgid.link/20260530204528.116920-3-srini@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [ adapted `vma_lookup(mm, ptr)` to `find_vma(mm, ptr)` plus a `ptr >= vma->vm_start` guard since `vma_lookup()` does not exist in 5.10 ]
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

misc: fastrpc: Fix NULL pointer dereference in rpmsg callback [+ + +]
Author: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
Date:   Tue Jun 16 18:40:04 2026 -0400

    misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
    
    [ Upstream commit 5401fb4fe10fac6134c308495df18ed74aebb9c4 ]
    
    A NULL pointer dereference was observed on Hawi at boot when the DSP
    sends a glink message before fastrpc_rpmsg_probe() has completed
    initialization:
    
      Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178
      pc : _raw_spin_lock_irqsave+0x34/0x8c
      lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
      ...
      Call trace:
       _raw_spin_lock_irqsave+0x34/0x8c (P)
       fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
       qcom_glink_native_rx+0x538/0x6a4
       qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem]
    
    The faulting address 0x178 corresponds to the lock variable inside
    struct fastrpc_channel_ctx, confirming that cctx is NULL when
    fastrpc_rpmsg_callback() attempts to take the spinlock.
    
    There are two issues here. First, dev_set_drvdata() is called before
    spin_lock_init() and idr_init(), leaving a window where the callback
    can retrieve a valid cctx pointer but operate on an uninitialized
    spinlock. Second, the rpmsg channel becomes live as soon as the driver
    is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata()
    is called at all, resulting in dev_get_drvdata() returning NULL.
    
    Fix both issues by moving all cctx initialization ahead of
    dev_set_drvdata() so the structure is fully initialized before it
    becomes visible to the callback, and add a NULL check in
    fastrpc_rpmsg_callback() as a guard against any remaining window.
    
    Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
    Reviewed-by: Bjorn Andersson <andersson@kernel.org>
    Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
    Link: https://patch.msgid.link/20260530204528.116920-4-srini@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC [+ + +]
Author: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Date:   Wed Jun 17 13:20:51 2026 -0400

    mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC
    
    [ Upstream commit f48ee49726ee4ab545fd2dc644f169c0809b19b3 ]
    
    The RZ/G2H (R8A774E1) SoC was previously handled via the generic
    "renesas,rcar-gen3-sdhi" fallback compatible string. However, because
    the SDHI IP on RZ/G2H is identical with the R-Car H3-N (R8A77951), it
    requires the specific quirks and configuration defined in
    `of_r8a7795_compatible` rather than the generic Gen3 data.
    
    Add the explicit "renesas,sdhi-r8a774e1" match entry to map it correctly.
    Note that the DT binding file renesas,sdhi.yaml does not need an update
    as the entry for this SoC is already present.
    
    Fixes: 31941342888d ("arm64: dts: renesas: r8a774e1: Add SDHI nodes")
    Cc: stable@vger.kernel.org
    Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
    Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Ulf Hansson <ulfh@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mptcp: fix missing wakeups in edge scenarios [+ + +]
Author: Paolo Abeni <pabeni@redhat.com>
Date:   Tue Jun 16 14:37:23 2026 -0400

    mptcp: fix missing wakeups in edge scenarios
    
    [ Upstream commit 9d8d28738f24b75616d6ca7a27cb4aed88520343 ]
    
    The mptcp_recvmsg() can fill MPTCP socket receive queue via
    mptcp_move_skbs(), but currently does not try to wakeup any listener,
    because the same process is going to check the receive queue soon.
    
    When multiple threads are reading from the same fd, the above can
    cause stall. Add the missing wakeup.
    
    Fixes: 6771bfd9ee24 ("mptcp: update mptcp ack sequence from work queue")
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-1-856831229976@kernel.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
net/sched: act_pedit: check static offsets a priori [+ + +]
Author: Pedro Tammela <pctammela@mojatatu.com>
Date:   Thu Jun 18 15:53:44 2026 +0800

    net/sched: act_pedit: check static offsets a priori
    
    [ Upstream commit e1201bc781c28766720e78a5e099ffa568be4d74 ]
    
    Static key offsets should always be on 32 bit boundaries. Validate them on
    create/update time for static offsets and move the datapath validation
    for runtime offsets only.
    
    iproute2 already errors out if a given offset and data size cannot be
    packed to a 32 bit boundary. This change will make sure users which
    create/update pedit instances directly via netlink also error out,
    instead of finding out when packets are traversing.
    
    Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
    Reviewed-by: Simon Horman <simon.horman@corigine.com>
    Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/sched: act_pedit: fix action bind logic [+ + +]
Author: Pedro Tammela <pctammela@mojatatu.com>
Date:   Sat Jun 27 02:07:35 2026 +0800

    net/sched: act_pedit: fix action bind logic
    
    [ Upstream commit e9e42292ea76a8358b0c02ffd530d78e133a1b73 ]
    
    The TC architecture allows filters and actions to be created independently.
    In filters the user can reference action objects using:
    tc action add action pedit ... index 1
    tc filter add ... action pedit index 1
    
    In the current code for act_pedit this is broken as it checks netlink
    attributes for create/update before actually checking if we are binding to an
    existing action.
    
    tdc results:
    1..69
    ok 1 319a - Add pedit action that mangles IP TTL
    ok 2 7e67 - Replace pedit action with invalid goto chain
    ok 3 377e - Add pedit action with RAW_OP offset u32
    ok 4 a0ca - Add pedit action with RAW_OP offset u32 (INVALID)
    ok 5 dd8a - Add pedit action with RAW_OP offset u16 u16
    ok 6 53db - Add pedit action with RAW_OP offset u16 (INVALID)
    ok 7 5c7e - Add pedit action with RAW_OP offset u8 add value
    ok 8 2893 - Add pedit action with RAW_OP offset u8 quad
    ok 9 3a07 - Add pedit action with RAW_OP offset u8-u16-u8
    ok 10 ab0f - Add pedit action with RAW_OP offset u16-u8-u8
    ok 11 9d12 - Add pedit action with RAW_OP offset u32 set u16 clear u8 invert
    ok 12 ebfa - Add pedit action with RAW_OP offset overflow u32 (INVALID)
    ok 13 f512 - Add pedit action with RAW_OP offset u16 at offmask shift set
    ok 14 c2cb - Add pedit action with RAW_OP offset u32 retain value
    ok 15 1762 - Add pedit action with RAW_OP offset u8 clear value
    ok 16 bcee - Add pedit action with RAW_OP offset u8 retain value
    ok 17 e89f - Add pedit action with RAW_OP offset u16 retain value
    ok 18 c282 - Add pedit action with RAW_OP offset u32 clear value
    ok 19 c422 - Add pedit action with RAW_OP offset u16 invert value
    ok 20 d3d3 - Add pedit action with RAW_OP offset u32 invert value
    ok 21 57e5 - Add pedit action with RAW_OP offset u8 preserve value
    ok 22 99e0 - Add pedit action with RAW_OP offset u16 preserve value
    ok 23 1892 - Add pedit action with RAW_OP offset u32 preserve value
    ok 24 4b60 - Add pedit action with RAW_OP negative offset u16/u32 set value
    ok 25 a5a7 - Add pedit action with LAYERED_OP eth set src
    ok 26 86d4 - Add pedit action with LAYERED_OP eth set src & dst
    ok 27 f8a9 - Add pedit action with LAYERED_OP eth set dst
    ok 28 c715 - Add pedit action with LAYERED_OP eth set src (INVALID)
    ok 29 8131 - Add pedit action with LAYERED_OP eth set dst (INVALID)
    ok 30 ba22 - Add pedit action with LAYERED_OP eth type set/clear sequence
    ok 31 dec4 - Add pedit action with LAYERED_OP eth set type (INVALID)
    ok 32 ab06 - Add pedit action with LAYERED_OP eth add type
    ok 33 918d - Add pedit action with LAYERED_OP eth invert src
    ok 34 a8d4 - Add pedit action with LAYERED_OP eth invert dst
    ok 35 ee13 - Add pedit action with LAYERED_OP eth invert type
    ok 36 7588 - Add pedit action with LAYERED_OP ip set src
    ok 37 0fa7 - Add pedit action with LAYERED_OP ip set dst
    ok 38 5810 - Add pedit action with LAYERED_OP ip set src & dst
    ok 39 1092 - Add pedit action with LAYERED_OP ip set ihl & dsfield
    ok 40 02d8 - Add pedit action with LAYERED_OP ip set ttl & protocol
    ok 41 3e2d - Add pedit action with LAYERED_OP ip set ttl (INVALID)
    ok 42 31ae - Add pedit action with LAYERED_OP ip ttl clear/set
    ok 43 486f - Add pedit action with LAYERED_OP ip set duplicate fields
    ok 44 e790 - Add pedit action with LAYERED_OP ip set ce, df, mf, firstfrag, nofrag fields
    ok 45 cc8a - Add pedit action with LAYERED_OP ip set tos
    ok 46 7a17 - Add pedit action with LAYERED_OP ip set precedence
    ok 47 c3b6 - Add pedit action with LAYERED_OP ip add tos
    ok 48 43d3 - Add pedit action with LAYERED_OP ip add precedence
    ok 49 438e - Add pedit action with LAYERED_OP ip clear tos
    ok 50 6b1b - Add pedit action with LAYERED_OP ip clear precedence
    ok 51 824a - Add pedit action with LAYERED_OP ip invert tos
    ok 52 106f - Add pedit action with LAYERED_OP ip invert precedence
    ok 53 6829 - Add pedit action with LAYERED_OP beyond ip set dport & sport
    ok 54 afd8 - Add pedit action with LAYERED_OP beyond ip set icmp_type & icmp_code
    ok 55 3143 - Add pedit action with LAYERED_OP beyond ip set dport (INVALID)
    ok 56 815c - Add pedit action with LAYERED_OP ip6 set src
    ok 57 4dae - Add pedit action with LAYERED_OP ip6 set dst
    ok 58 fc1f - Add pedit action with LAYERED_OP ip6 set src & dst
    ok 59 6d34 - Add pedit action with LAYERED_OP ip6 dst retain value (INVALID)
    ok 60 94bb - Add pedit action with LAYERED_OP ip6 traffic_class
    ok 61 6f5e - Add pedit action with LAYERED_OP ip6 flow_lbl
    ok 62 6795 - Add pedit action with LAYERED_OP ip6 set payload_len, nexthdr, hoplimit
    ok 63 1442 - Add pedit action with LAYERED_OP tcp set dport & sport
    ok 64 b7ac - Add pedit action with LAYERED_OP tcp sport set (INVALID)
    ok 65 cfcc - Add pedit action with LAYERED_OP tcp flags set
    ok 66 3bc4 - Add pedit action with LAYERED_OP tcp set dport, sport & flags fields
    ok 67 f1c8 - Add pedit action with LAYERED_OP udp set dport & sport
    ok 68 d784 - Add pedit action with mixed RAW/LAYERED_OP #1
    ok 69 70ca - Add pedit action with mixed RAW/LAYERED_OP #2
    
    Fixes: 71d0ed7079df ("net/act_pedit: Support using offset relative to the conventional network headers")
    Fixes: f67169fef8db ("net/sched: act_pedit: fix WARN() in the traffic path")
    Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
    Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
    Reviewed-by: Simon Horman <simon.horman@corigine.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/sched: act_pedit: free pedit keys on bail from offset check [+ + +]
Author: Pedro Tammela <pctammela@mojatatu.com>
Date:   Thu Jun 18 15:53:52 2026 +0800

    net/sched: act_pedit: free pedit keys on bail from offset check
    
    [ Upstream commit 1b483d9f5805c7e3d628d4995e97f4311fcb82eb ]
    
    Ido Schimmel reports a memleak on a syzkaller instance:
       BUG: memory leak
       unreferenced object 0xffff88803d45e400 (size 1024):
         comm "syz-executor292", pid 563, jiffies 4295025223 (age 51.781s)
         hex dump (first 32 bytes):
           28 bd 70 00 fb db df 25 02 00 14 1f ff 02 00 02  (.p....%........
           00 32 00 00 1f 00 00 00 ac 14 14 3e 08 00 07 00  .2.........>....
         backtrace:
           [<ffffffff81bd0f2c>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
           [<ffffffff81bd0f2c>] slab_post_alloc_hook mm/slab.h:772 [inline]
           [<ffffffff81bd0f2c>] slab_alloc_node mm/slub.c:3452 [inline]
           [<ffffffff81bd0f2c>] __kmem_cache_alloc_node+0x25c/0x320 mm/slub.c:3491
           [<ffffffff81a865d9>] __do_kmalloc_node mm/slab_common.c:966 [inline]
           [<ffffffff81a865d9>] __kmalloc+0x59/0x1a0 mm/slab_common.c:980
           [<ffffffff83aa85c3>] kmalloc include/linux/slab.h:584 [inline]
           [<ffffffff83aa85c3>] tcf_pedit_init+0x793/0x1ae0 net/sched/act_pedit.c:245
           [<ffffffff83a90623>] tcf_action_init_1+0x453/0x6e0 net/sched/act_api.c:1394
           [<ffffffff83a90e58>] tcf_action_init+0x5a8/0x950 net/sched/act_api.c:1459
           [<ffffffff83a96258>] tcf_action_add+0x118/0x4e0 net/sched/act_api.c:1985
           [<ffffffff83a96997>] tc_ctl_action+0x377/0x490 net/sched/act_api.c:2044
           [<ffffffff83920a8d>] rtnetlink_rcv_msg+0x46d/0xd70 net/core/rtnetlink.c:6395
           [<ffffffff83b24305>] netlink_rcv_skb+0x185/0x490 net/netlink/af_netlink.c:2575
           [<ffffffff83901806>] rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6413
           [<ffffffff83b21cae>] netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
           [<ffffffff83b21cae>] netlink_unicast+0x5be/0x8a0 net/netlink/af_netlink.c:1365
           [<ffffffff83b2293f>] netlink_sendmsg+0x9af/0xed0 net/netlink/af_netlink.c:1942
           [<ffffffff8380c39f>] sock_sendmsg_nosec net/socket.c:724 [inline]
           [<ffffffff8380c39f>] sock_sendmsg net/socket.c:747 [inline]
           [<ffffffff8380c39f>] ____sys_sendmsg+0x3ef/0xaa0 net/socket.c:2503
           [<ffffffff838156d2>] ___sys_sendmsg+0x122/0x1c0 net/socket.c:2557
           [<ffffffff8381594f>] __sys_sendmsg+0x11f/0x200 net/socket.c:2586
           [<ffffffff83815ab0>] __do_sys_sendmsg net/socket.c:2595 [inline]
           [<ffffffff83815ab0>] __se_sys_sendmsg net/socket.c:2593 [inline]
           [<ffffffff83815ab0>] __x64_sys_sendmsg+0x80/0xc0 net/socket.c:2593
    
    The recently added static offset check missed a free to the key buffer when
    bailing out on error.
    
    Fixes: e1201bc781c2 ("net/sched: act_pedit: check static offsets a priori")
    Reported-by: Ido Schimmel <idosch@idosch.org>
    Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
    Reviewed-by: Ido Schimmel <idosch@nvidia.com>
    Tested-by: Ido Schimmel <idosch@nvidia.com>
    Link: https://lore.kernel.org/r/20230425144725.669262-1-pctammela@mojatatu.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/sched: act_pedit: Parse L3 Header for L4 offset [+ + +]
Author: Max Tottenham <mtottenh@akamai.com>
Date:   Thu Jun 18 15:53:48 2026 +0800

    net/sched: act_pedit: Parse L3 Header for L4 offset
    
    [ Upstream commit 6c02568fd1ae53099b4ab86365c5be1ff15f586b ]
    
    Instead of relying on skb->transport_header being set correctly, opt
    instead to parse the L3 header length out of the L3 headers for both
    IPv4/IPv6 when the Extended Layer Op for tcp/udp is used. This fixes a
    bug if GRO is disabled, when GRO is disabled skb->transport_header is
    set by __netif_receive_skb_core() to point to the L3 header, it's later
    fixed by the upper protocol layers, but act_pedit will receive the SKB
    before the fixups are completed. The existing behavior causes the
    following to edit the L3 header if GRO is disabled instead of the UDP
    header:
    
        tc filter add dev eth0 ingress protocol ip flower ip_proto udp \
     dst_ip 192.168.1.3 action pedit ex munge udp set dport 18053
    
    Also re-introduce a rate-limited warning if we were unable to extract
    the header offset when using the 'ex' interface.
    
    Fixes: 71d0ed7079df ("net/act_pedit: Support using offset relative to
    the conventional network headers")
    Signed-off-by: Max Tottenham <mtottenh@akamai.com>
    Reviewed-by: Josh Hunt <johunt@akamai.com>
    Reported-by: kernel test robot <lkp@intel.com>
    Closes: https://lore.kernel.org/oe-kbuild-all/202305261541.N165u9TZ-lkp@intel.com/
    Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    (cherry picked from commit 6c02568fd1ae53099b4ab86365c5be1ff15f586b)
    Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/sched: act_pedit: rate limit datapath messages [+ + +]
Author: Pedro Tammela <pctammela@mojatatu.com>
Date:   Thu Jun 18 15:53:46 2026 +0800

    net/sched: act_pedit: rate limit datapath messages
    
    [ Upstream commit e3c9673e2f6e1b3aa4bb87c570336e10f364c28a ]
    
    Unbounded info messages in the pedit datapath can flood the printk
    ring buffer quite easily depending on the action created.
    As these messages are informational, usually printing some, not all,
    is enough to bring attention to the real issue.
    
    Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
    Reviewed-by: Simon Horman <simon.horman@corigine.com>
    Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/sched: act_pedit: remove extra check for key type [+ + +]
Author: Pedro Tammela <pctammela@mojatatu.com>
Date:   Thu Jun 18 15:53:42 2026 +0800

    net/sched: act_pedit: remove extra check for key type
    
    [ Upstream commit 577140180ba28d0d37bc898c7bd6702c83aa106f ]
    
    The netlink parsing already validates the key 'htype'.
    Remove the datapath check as it's redundant.
    
    Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
    Reviewed-by: Simon Horman <simon.horman@corigine.com>
    Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/sched: act_pedit: use NLA_POLICY for parsing 'ex' keys [+ + +]
Author: Pedro Tammela <pctammela@mojatatu.com>
Date:   Thu Jun 18 15:53:36 2026 +0800

    net/sched: act_pedit: use NLA_POLICY for parsing 'ex' keys
    
    [ Upstream commit 5036034572b79daa6d6600338e8e8229e2a44b09 ]
    
    Transform two checks in the 'ex' key parsing into netlink policies
    removing extra if checks.
    
    Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
    Reviewed-by: Simon Horman <simon.horman@corigine.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
net/sched: cls_u32: use skb_header_pointer_careful() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Jun 18 01:08:07 2026 -0700

    net/sched: cls_u32: use skb_header_pointer_careful()
    
    [ Upstream commit cabd1a976375780dabab888784e356f574bbaed8 ]
    
    skb_header_pointer() does not fully validate negative @offset values.
    
    Use skb_header_pointer_careful() instead.
    
    GangMin Kim provided a report and a repro fooling u32_classify():
    
    BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
    net/sched/cls_u32.c:221
    
    Fixes: fbc2e7d9cf49 ("cls_u32: use skb_header_pointer() to dereference data safely")
    Reported-by: GangMin Kim <km.kim1503@gmail.com>
    Closes: https://lore.kernel.org/netdev/CANn89iJkyUZ=mAzLzC4GdcAgLuPnUoivdLaOs6B9rq5_erj76w@mail.gmail.com/T/
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Link: https://patch.msgid.link/20260128141539.3404400-3-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Bin Lan <lanbincn@139.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [ Shivani: Modified to apply on 5.10.y ]
    Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/sched: fix pedit partial COW leading to page cache corruption [+ + +]
Author: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
Date:   Thu Jun 18 15:53:50 2026 +0800

    net/sched: fix pedit partial COW leading to page cache corruption
    
    [ Upstream commit 899ee91156e57784090c5565e4f31bd7dbffbc5a ]
    
    tcf_pedit_act() computes the COW range for skb_ensure_writable()
    once before the key loop using tcfp_off_max_hint, but the hint does
    not account for the runtime header offset added by typed keys. This
    can leave part of the write region un-COW'd.
    
    Fix by moving skb_ensure_writable() inside the per-key loop where
    the actual write offset is known, and add overflow checking on the
    offset arithmetic. For negative offsets (e.g. Ethernet header edits
    at ingress), use skb_cow() to COW the headroom instead. Guard
    offset_valid() against INT_MIN, where negation is undefined.
    
    Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
    Reported-by: Yiming Qian <yimingqian591@gmail.com>
    Reported-by: Keenan Dong <keenanat2000@gmail.com>
    Reported-by: Han Guidong <2045gemini@gmail.com>
    Reported-by: Zhang Cen <rollkingzzc@gmail.com>
    Reviewed-by: Han Guidong <2045gemini@gmail.com>
    Tested-by: Han Guidong <2045gemini@gmail.com>
    Reviewed-by: Davide Caratti <dcaratti@redhat.com>
    Tested-by: Davide Caratti <dcaratti@redhat.com>
    Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
    Tested-by: Toke Høiland-Jørgensen <toke@redhat.com>
    Reviewed-by: Victor Nogueira <victor@mojatatu.com>
    Tested-by: Victor Nogueira <victor@mojatatu.com>
    Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
    Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
    Link: https://patch.msgid.link/20260531123221.48732-1-jhs@mojatatu.com
    [rename include file from linux/unaligned.h to asm/unaligned.h]
    Conflicts:
            include/net/tc_act/tc_pedit.h
            net/sched/act_pedit.c
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/sched: simplify tcf_pedit_act [+ + +]
Author: Pedro Tammela <pctammela@mojatatu.com>
Date:   Thu Jun 18 15:53:40 2026 +0800

    net/sched: simplify tcf_pedit_act
    
    [ Upstream commit 95b069382351826c0ae37938070aa82dbeaf288d ]
    
    Remove the check for a negative number of keys as
    this cannot ever happen
    
    Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
    Reviewed-by: Simon Horman <simon.horman@corigine.com>
    Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/sched: transition act_pedit to rcu and percpu stats [+ + +]
Author: Pedro Tammela <pctammela@mojatatu.com>
Date:   Thu Jun 18 15:53:38 2026 +0800

    net/sched: transition act_pedit to rcu and percpu stats
    
    [ Upstream commit 52cf89f78c01bf39973f3e70d366921d70faff7a ]
    
    The software pedit action didn't get the same love as some of the
    other actions and it's still using spinlocks and shared stats in the
    datapath.
    Transition the action to rcu and percpu stats as this improves the
    action's performance dramatically on multiple cpu deployments.
    
    Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
    Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
    Reviewed-by: Simon Horman <simon.horman@corigine.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Conflicts:
            net/sched/act_pedit.c
    Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net: 9p: fix refcount leak in p9_read_work() error handling [+ + +]
Author: Hangyu Hua <hbh25y@gmail.com>
Date:   Thu Jun 18 15:19:21 2026 +0000

    net: 9p: fix refcount leak in p9_read_work() error handling
    
    commit 4ac7573e1f9333073fa8d303acc941c9b7ab7f61 upstream.
    
    p9_req_put need to be called when m->rreq->rc.sdata is NULL to avoid
    temporary refcount leak.
    
    Link: https://lkml.kernel.org/r/20220712104438.30800-1-hbh25y@gmail.com
    Fixes: 728356dedeff ("9p: Add refcount to p9_req_t")
    Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
    [Dominique: commit wording adjustments, p9_req_put argument fixes for rebase]
    Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
    [Alexander: this branch doesn't contain 8b11ff098af4 ("9p: Add client parameter
     to p9_req_put()"), therefore the parameter is removed from the added line]
    Signed-off-by: Alexander Martyniuk <alexevgmart@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: add skb_header_pointer_careful() helper [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Jun 18 01:08:06 2026 -0700

    net: add skb_header_pointer_careful() helper
    
    [ Upstream commit 13e00fdc9236bd4d0bff4109d2983171fbcb74c4 ]
    
    This variant of skb_header_pointer() should be used in contexts
    where @offset argument is user-controlled and could be negative.
    
    Negative offsets are supported, as long as the zone starts
    between skb->head and skb->data.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Link: https://patch.msgid.link/20260128141539.3404400-2-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    [ Adjust context ]
    Signed-off-by: Bin Lan <lanbincn@139.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [ Shivani: Modified to apply on 5.10.y ]
    Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: cpsw_new: Fix potential unregister of netdev that has not been registered yet [+ + +]
Author: Kevin Hao <haokexin@gmail.com>
Date:   Tue Jun 30 23:07:17 2026 +0300

    net: cpsw_new: Fix potential unregister of netdev that has not been registered yet
    
    commit 9d724b34fbe13b71865ad0906a4be97571f19cf5 upstream.
    
    If an error occurs during register_netdev() for the first MAC in
    cpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL,
    cpsw->slaves[1].ndev would remain unchanged. This could later cause
    cpsw_unregister_ports() to attempt unregistering the second MAC.
    To address this, add a check for ndev->reg_state before calling
    unregister_netdev(). With this change, setting cpsw->slaves[i].ndev
    to NULL becomes unnecessary and can be removed accordingly.
    
    Fixes: ed3525eda4c4 ("net: ethernet: ti: introduce cpsw switchdev based driver part 1 - dual-emac")
    Signed-off-by: Kevin Hao <haokexin@gmail.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
    Link: https://patch.msgid.link/20260205-cpsw-error-path-v1-2-6e58bae6b299@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Wenshan Lan <jetlan9@163.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Elizaveta Tereshkina <etereshkina@astralinux.ru>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: phonet: free phonet_device after RCU grace period [+ + +]
Author: Santosh Kalluri <santosh.kalluri129@gmail.com>
Date:   Wed Jun 17 10:55:38 2026 -0400

    net: phonet: free phonet_device after RCU grace period
    
    [ Upstream commit 71de0177b28da751f407581a4515cf4d762f6296 ]
    
    phonet_device_destroy() removes a phonet_device from the per-net device
    list with list_del_rcu(), but frees it immediately. RCU readers walking
    the same list can still hold a pointer to the object after it has been
    removed, leading to a slab-use-after-free.
    
    Use kfree_rcu(), matching the lifetime rule already used by
    phonet_address_del() for the same object type.
    
    Fixes: eeb74a9d45f7 ("Phonet: convert devices list to RCU")
    Cc: stable@vger.kernel.org
    Signed-off-by: Santosh Kalluri <santosh.kalluri129@gmail.com>
    Acked-by: Rémi Denis-Courmont <remi@remlab.net>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: qualcomm: rmnet: fix endpoint use-after-free in rmnet_dellink() [+ + +]
Author: Weiming Shi <bestswngs@gmail.com>
Date:   Thu May 14 05:25:12 2026 -0700

    net: qualcomm: rmnet: fix endpoint use-after-free in rmnet_dellink()
    
    commit d00c953a8f69921f484b629801766da68f27f658 upstream.
    
    rmnet_dellink() removes the endpoint from the hash table with
    hlist_del_init_rcu() and then immediately frees it with kfree(). However,
    RCU readers on the receive path (rmnet_rx_handler ->
    __rmnet_map_ingress_handler) may still hold a reference to the endpoint and
    dereference ep->egress_dev after the memory has been freed. The endpoint is
    a kmalloc-32 object, and the stale read at offset 8 corresponds to the
    egress_dev pointer.
    
      BUG: unable to handle page fault for address: ffffffffde942eef
      Oops: 0002 [#1] SMP NOPTI
      CPU: 1 UID: 0 PID: 137 Comm: poc_write Not tainted 7.0.0+ #4 PREEMPTLAZY
      RIP: 0010:rmnet_vnd_rx_fixup (rmnet_vnd.c:27)
      Call Trace:
       <TASK>
       __rmnet_map_ingress_handler (rmnet_handlers.c:48 rmnet_handlers.c:101)
       rmnet_rx_handler (rmnet_handlers.c:129 rmnet_handlers.c:235)
       __netif_receive_skb_core.constprop.0 (net/core/dev.c:6096)
       __netif_receive_skb_one_core (net/core/dev.c:6208)
       netif_receive_skb (net/core/dev.c:6467)
       tun_get_user (drivers/net/tun.c:1955)
       tun_chr_write_iter (drivers/net/tun.c:2003)
       vfs_write (fs/read_write.c:688)
       ksys_write (fs/read_write.c:740)
       </TASK>
    
    Add an rcu_head field to struct rmnet_endpoint and replace kfree() with
    kfree_rcu() so the endpoint memory remains valid through the RCU grace
    period. Also remove the rmnet_vnd_dellink() call and inline only the
    nr_rmnet_devs decrement, since rmnet_vnd_dellink() would set
    ep->egress_dev to NULL during the grace period, creating a data race
    with lockless readers.
    
    Fixes: ceed73a2cf4a ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
    Reported-by: Xiang Mei <xmei5@asu.edu>
    Signed-off-by: Weiming Shi <bestswngs@gmail.com>
    Link: https://patch.msgid.link/20260514122511.3083479-2-bestswngs@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
netdevsim: Fix memory leak of nsim_dev->fa_cookie [+ + +]
Author: Wang Yufen <wangyufen@huawei.com>
Date:   Fri Jun 19 12:15:06 2026 +0300

    netdevsim: Fix memory leak of nsim_dev->fa_cookie
    
    commit 064bc7312bd09a48798418663090be0c776183db upstream.
    
    kmemleak reports this issue:
    
    unreferenced object 0xffff8881bac872d0 (size 8):
      comm "sh", pid 58603, jiffies 4481524462 (age 68.065s)
      hex dump (first 8 bytes):
        04 00 00 00 de ad be ef                          ........
      backtrace:
        [<00000000c80b8577>] __kmalloc+0x49/0x150
        [<000000005292b8c6>] nsim_dev_trap_fa_cookie_write+0xc1/0x210 [netdevsim]
        [<0000000093d78e77>] full_proxy_write+0xf3/0x180
        [<000000005a662c16>] vfs_write+0x1c5/0xaf0
        [<000000007aabf84a>] ksys_write+0xed/0x1c0
        [<000000005f1d2e47>] do_syscall_64+0x3b/0x90
        [<000000006001c6ec>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    The issue occurs in the following scenarios:
    
    nsim_dev_trap_fa_cookie_write()
      kmalloc() fa_cookie
      nsim_dev->fa_cookie = fa_cookie
    ..
    nsim_drv_remove()
    
    The fa_cookie allocked in nsim_dev_trap_fa_cookie_write() is not freed. To
    fix, add kfree(nsim_dev->fa_cookie) to nsim_drv_remove().
    
    Fixes: d3cbb907ae57 ("netdevsim: add ACL trap reporting cookie as a metadata")
    Signed-off-by: Wang Yufen <wangyufen@huawei.com>
    Cc: Jiri Pirko <jiri@mellanox.com>
    Link: https://lore.kernel.org/r/1668504625-14698-1-git-send-email-wangyufen@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    [ The context change is due to the commit 5e388f3dc38c
    ("netdevsim: move vfconfig to nsim_dev") in v5.16
    which is irrelevant to the logic of this patch. ]
    Signed-off-by: Mikhail Dmitrichenko <mdmitrichenko@astralinux.ru>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nfsd: check get_user() return when reading princhashlen [+ + +]
Author: Dominik Woźniak <stalion@gmail.com>
Date:   Thu May 21 17:46:56 2026 +0200

    nfsd: check get_user() return when reading princhashlen
    
    commit e186fa1c057f5eccb22afb1e83e34c0627085868 upstream.
    
    In __cld_pipe_inprogress_downcall(), the get_user() that reads
    princhashlen from the userspace cld_msg_v2 buffer does not check its
    return value. A failing copy leaves princhashlen with uninitialised
    stack contents, which are then used to drive memdup_user() and stored
    as princhash.len on the resulting reclaim record. The other get_user()
    calls in this function all check the return; only this one is missed,
    which is most likely a copy-paste oversight from when v2 upcalls were
    introduced.
    
    Mirror the existing pattern used a few lines above for namelen.
    namecopy is declared with __free(kfree) so the early return cleans up
    the already-allocated buffer automatically.
    
    Fixes: 6ee95d1c8991 ("nfsd: add support for upcall version 2")
    Cc: stable@vger.kernel.org
    Signed-off-by: Dominik Woźniak <stalion@gmail.com>
    Reviewed-by: Jeff Layton <jlayton@kernel.org>
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

nfsd: fix posix_acl leak on SETACL decode failure [+ + +]
Author: Jeff Layton <jlayton@kernel.org>
Date:   Thu May 21 13:51:43 2026 -0400

    nfsd: fix posix_acl leak on SETACL decode failure
    
    commit 0853ac544c590880d797b04daa33fcb72b6be0e1 upstream.
    
    nfsaclsvc_decode_setaclargs() and nfs3svc_decode_setaclargs() each
    call nfs_stream_decode_acl() twice, first for NFS_ACL and then for
    NFS_DFACL.  Each successful call transfers ownership of a freshly
    allocated posix_acl into argp->acl_access or argp->acl_default.  If
    the first call succeeds but the second fails, the decoder returns
    false and argp->acl_access is left dangling.
    
    ACLPROC2_SETACL.pc_release was wired to nfssvc_release_attrstat and
    ACLPROC3_SETACL.pc_release was wired to nfs3svc_release_fhandle.
    Both only call fh_put() and have no knowledge of the ACL fields on
    argp.  The posix_acl_release() pairs sat at the out: labels inside
    nfsacld_proc_setacl() and nfsd3_proc_setacl(), but svc_process()
    skips pc_func when pc_decode returns false, so that cleanup is
    unreachable on decode failure:
    
        svc_process_common()
          pc_decode()                  /* decode_setaclargs: false */
          /* pc_func skipped */
          pc_release()                 /* fh_put only -- ACLs leaked */
    
    The orphaned posix_acl is leaked for the lifetime of the server.
    
    Fix by adding nfsaclsvc_release_setacl() and nfs3svc_release_setacl(),
    which release both argp->acl_access and argp->acl_default in addition
    to fh_put(), and wiring them as pc_release for their respective SETACL
    procedures.  pc_release runs on every path svc_process() takes after
    decode, including decode failure, so the posix_acl_release() pairs are
    removed from the proc functions' out: labels to keep ownership in one
    place.  This matches the existing release_getacl() pattern used by
    the sibling GETACL procedures.
    
    Fixes: a257cdd0e217 ("[PATCH] NFSD: Add server support for NFSv3 ACLs.")
    Cc: stable@vger.kernel.org
    Assisted-by: kres:claude-opus-4-7
    Signed-off-by: Jeff Layton <jlayton@kernel.org>
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
NFSD: Fix SECINFO_NO_NAME decode error cleanup [+ + +]
Author: Guannan Wang <wgnbuaa@gmail.com>
Date:   Thu May 21 16:03:32 2026 +0800

    NFSD: Fix SECINFO_NO_NAME decode error cleanup
    
    commit 9e18e83b8846a5c3fe13fc8a464b4865d33996c6 upstream.
    
    nfsd4_decode_secinfo_no_name() currently initializes sin_exp after
    decoding sin_style. If the XDR stream is truncated, the decoder returns
    nfserr_bad_xdr before sin_exp is initialized.
    
    Since commit 3fdc54646234 ("NFSD: Reduce amount of struct
    nfsd4_compoundargs that needs clearing"), the inline iops array is not
    cleared between RPC calls. A failed SECINFO_NO_NAME decode can therefore
    leave sin_exp holding stale union contents from a previous operation.
    
    The error response path still invokes nfsd4_secinfo_no_name_release(),
    which calls exp_put() on a non-NULL sin_exp.
    
    Initialize sin_exp before the first failable decode step, matching
    nfsd4_decode_secinfo().
    
    Fixes: 3fdc54646234 ("NFSD: Reduce amount of struct nfsd4_compoundargs that needs clearing")
    Cc: stable@vger.kernel.org
    Signed-off-by: Guannan Wang <wgnbuaa@gmail.com>
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ocfs2: reject oversized group bitmap descriptors [+ + +]
Author: Zhang Cen <rollkingzzc@gmail.com>
Date:   Sun May 24 19:12:48 2026 +0800

    ocfs2: reject oversized group bitmap descriptors
    
    commit 9bd541e09dffff27e5bec0f9f45b0228173a5375 upstream.
    
    ocfs2_validate_gd_parent() only bounds bg_bits against the parent
    allocator's chain geometry.  A malicious descriptor can still claim a
    bg_size/bg_bits pair that exceeds the bitmap bytes that physically fit in
    the group descriptor block, so later bitmap scans and bit updates can run
    past bg_bitmap.
    
    Add a physical-cap check based on ocfs2_group_bitmap_size() for the parent
    allocator type and reject descriptors whose bg_size or bg_bits exceed that
    capacity.  Keep the existing chain geometry check so both the on-disk
    bitmap layout and the allocator metadata must agree before the descriptor
    is used.
    
    Validation reproduced this kernel report:
    KASAN use-after-free in _find_next_bit+0x7f/0xc0
    Read of size 8
    Call trace:
      dump_stack_lvl+0x66/0xa0 (?:?)
      print_report+0xd0/0x630 (?:?)
      _find_next_bit+0x7f/0xc0 (?:?)
      srso_alias_return_thunk+0x5/0xfbef5 (?:?)
      __virt_addr_valid+0x188/0x2f0 (?:?)
      kasan_report+0xe4/0x120 (?:?)
      ocfs2_find_max_contig_free_bits+0x35/0x70 (fs/ocfs2/suballoc.c:1375)
      ocfs2_block_group_set_bits+0x472/0x4b0 (fs/ocfs2/suballoc.c:1457)
      ocfs2_cluster_group_search+0x16b/0x440 (fs/ocfs2/suballoc.c:86)
      ocfs2_bg_discontig_fix_result+0x1ef/0x230 (fs/ocfs2/suballoc.c:1786)
      ocfs2_search_chain+0x8f8/0x10a0 (fs/ocfs2/suballoc.c:1886)
      get_page_from_freelist+0x70e/0x2370 (?:?)
      lock_release+0xc6/0x290 (?:?)
      do_raw_spin_unlock+0x9a/0x100 (?:?)
      kasan_unpoison+0x27/0x60 (?:?)
      __bfs+0x147/0x240 (?:?)
      get_page_from_freelist+0x83d/0x2370 (?:?)
      ocfs2_claim_suballoc_bits+0x38c/0xe70 (fs/ocfs2/suballoc.c:96)
      sched_domains_numa_masks_clear+0x70/0xd0 (?:?)
      check_irq_usage+0xe8/0xb70 (?:?)
      __ocfs2_claim_clusters+0x18d/0x4c0 (fs/ocfs2/suballoc.c:2497)
      check_path+0x24/0x50 (?:?)
      rcu_is_watching+0x20/0x50 (?:?)
      check_prev_add+0xfd/0xd00 (?:?)
      ocfs2_add_clusters_in_btree+0x17d/0x810 (fs/ocfs2/suballoc.c:?)
      __folio_batch_add_and_move+0x1f5/0x3d0 (?:?)
      ocfs2_add_inode_data+0xd9/0x120 (fs/ocfs2/suballoc.c:?)
      filemap_add_folio+0x105/0x1f0 (?:?)
      ocfs2_write_begin_nolock+0x29f7/0x2f80 (fs/ocfs2/suballoc.c:3043)
      ocfs2_read_inode_block+0xb5/0x110 (fs/ocfs2/suballoc.c:?)
      down_write+0xf5/0x180 (?:?)
      ocfs2_write_begin+0x180/0x240 (fs/ocfs2/suballoc.c:?)
      __mark_inode_dirty+0x758/0x9a0 (?:?)
      inode_to_bdi+0x41/0x90 (?:?)
      balance_dirty_pages_ratelimited_flags+0xf8/0x1d0 (?:?)
      generic_perform_write+0x252/0x440 (?:?)
      mnt_put_write_access_file+0x16/0x70 (?:?)
      file_update_time_flags+0xe4/0x200 (?:?)
      ocfs2_file_write_iter+0x80a/0x1320 (fs/ocfs2/suballoc.c:?)
      lock_acquire+0x184/0x2f0 (?:?)
      ksys_write+0xd2/0x170 (?:?)
      apparmor_file_permission+0xf5/0x310 (?:?)
      read_zero+0x8d/0x140 (?:?)
      lock_is_held_type+0x8f/0x100 (?:?)
    
    Link: https://lore.kernel.org/20260524111248.1429884-1-rollkingzzc@gmail.com
    Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
    Assisted-by: Codex:gpt-5.5
    Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
    Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: Heming Zhao <heming.zhao@suse.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
phonet: Pass ifindex to fill_addr(). [+ + +]
Author: Kuniyuki Iwashima <kuniyu@google.com>
Date:   Wed Jun 17 10:55:36 2026 -0400

    phonet: Pass ifindex to fill_addr().
    
    [ Upstream commit 08a9572be36819b5d9011604edfa5db6c5062a7a ]
    
    We will convert addr_doit() and getaddr_dumpit() to RCU, both
    of which call fill_addr().
    
    The former will call phonet_address_notify() outside of RCU
    due to GFP_KERNEL, so dev will not be available in fill_addr().
    
    Let's pass ifindex directly to fill_addr().
    
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Stable-dep-of: 71de0177b28d ("net: phonet: free phonet_device after RCU grace period")
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

phonet: Pass net and ifindex to phonet_address_notify(). [+ + +]
Author: Kuniyuki Iwashima <kuniyu@google.com>
Date:   Wed Jun 17 10:55:37 2026 -0400

    phonet: Pass net and ifindex to phonet_address_notify().
    
    [ Upstream commit 68ed5c38b512b734caf3da1f87db4a99fcfe3002 ]
    
    Currently, phonet_address_notify() fetches netns and ifindex from dev.
    
    Once addr_doit() is converted to RCU, phonet_address_notify() will be
    called outside of RCU due to GFP_KERNEL, and dev will be unavailable
    there.
    
    Let's pass net and ifindex to phonet_address_notify().
    
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Stable-dep-of: 71de0177b28d ("net: phonet: free phonet_device after RCU grace period")
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
pNFS: Fix use-after-free in pnfs_update_layout() [+ + +]
Author: Wentao Liang <vulab@iscas.ac.cn>
Date:   Mon May 18 13:10:36 2026 +0000

    pNFS: Fix use-after-free in pnfs_update_layout()
    
    commit 13e198a90ca4050f4bee8a3f23680389a6563ccc upstream.
    
    When hitting the NFS_LAYOUT_RETURN branch in pnfs_update_layout(),
    the code calls pnfs_prepare_to_retry_layoutget(lo). If it succeeds,
    pnfs_put_layout_hdr(lo) is called before trace_pnfs_update_layout(),
    which still references 'lo'. This results in a use-after-free when the
    tracepoint accesses lo's fields.
    
    Fix this by moving the tracepoint call before pnfs_put_layout_hdr(lo).
    
    Fixes: 2c8d5fc37fe2 ("pNFS: Stricter ordering of layoutget and layoutreturn")
    Cc: stable@vger.kernel.org
    Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
    Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
RDMA/bnxt_re: zero shared page before exposing to userspace [+ + +]
Author: Lord Ulf Henrik Holmberg <henrik.holmberg@defensify.se>
Date:   Sat May 9 10:40:11 2026 +0200

    RDMA/bnxt_re: zero shared page before exposing to userspace
    
    commit f6b079629becfa977f9c51fe53ad2e6dcc55ef44 upstream.
    
    bnxt_re_alloc_ucontext() allocates uctx->shpg via
    __get_free_page(GFP_KERNEL). The buddy allocator does not zero pages
    without __GFP_ZERO, so the page contains stale kernel data from
    whatever object most recently freed it.
    
    The page is then mapped into userspace via vm_insert_page() under
    BNXT_RE_MMAP_SH_PAGE in bnxt_re_mmap(). The driver only ever writes
    4 bytes (a u32 AVID) at offset BNXT_RE_AVID_OFFT (0x10) inside
    bnxt_re_create_ah(); the remaining 4092 bytes of the page are exposed
    to userspace unsanitised, leaking kernel memory contents.
    
    Any user with access to /dev/infiniband/uverbsX on a host with a
    bnxt_re device (typically rdma group membership) can read this data
    via a single mmap() at pgoff 0 after IB_USER_VERBS_CMD_GET_CONTEXT.
    
    Other shared pages in the same file already use get_zeroed_page()
    correctly:
    
      drivers/infiniband/hw/bnxt_re/ib_verbs.c
          srq->uctx_srq_page = (void *)get_zeroed_page(GFP_KERNEL);
          cq->uctx_cq_page  = (void *)get_zeroed_page(GFP_KERNEL);
    
    uctx->shpg is the only outlier. Bring it in line with the existing
    convention by switching to get_zeroed_page().
    
    Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
    Signed-off-by: Lord Ulf Henrik Holmberg <henrik.holmberg@defensify.se>
    Link: https://patch.msgid.link/20260509084011.11971-1-pomzm67@gmail.com
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
regulator: core: fix locking in regulator_resolve_supply() error path [+ + +]
Author: André Draszik <andre.draszik@linaro.org>
Date:   Fri Jan 9 08:38:38 2026 +0000

    regulator: core: fix locking in regulator_resolve_supply() error path
    
    commit 497330b203d2c59c5ff3fa4c34d14494d7203bc3 upstream.
    
    If late enabling of a supply regulator fails in
    regulator_resolve_supply(), the code currently triggers a lockdep
    warning:
    
        WARNING: drivers/regulator/core.c:2649 at _regulator_put+0x80/0xa0, CPU#6: kworker/u32:4/596
        ...
        Call trace:
         _regulator_put+0x80/0xa0 (P)
         regulator_resolve_supply+0x7cc/0xbe0
         regulator_register_resolve_supply+0x28/0xb8
    
    as the regulator_list_mutex must be held when calling _regulator_put().
    
    To solve this, simply switch to using regulator_put().
    
    While at it, we should also make sure that no concurrent access happens
    to our rdev while we clear out the supply pointer. Add appropriate
    locking to ensure that.
    
    While the code in question will be removed altogether in a follow-up
    commit, I believe it is still beneficial to have this corrected before
    removal for future reference.
    
    Fixes: 36a1f1b6ddc6 ("regulator: core: Fix memory leak in regulator_resolve_supply()")
    Fixes: 8e5356a73604 ("regulator: core: Clear the supply pointer if enabling fails")
    Signed-off-by: André Draszik <andre.draszik@linaro.org>
    Link: https://patch.msgid.link/20260109-regulators-defer-v2-2-1a25dc968e60@linaro.org
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Nazar Kalashnikov <nazarkalashnikov0@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ring-buffer: Remove ring_buffer_read_prepare_sync() [+ + +]
Author: Bjoern Doebel <doebel@amazon.de>
Date:   Tue Jun 30 06:06:34 2026 +0000

    ring-buffer: Remove ring_buffer_read_prepare_sync()
    
    [ Upstream commit 119a5d573622ae90ba730d18acfae9bb75d77b9a ]
    
    When the ring buffer was first introduced, reading the non-consuming
    "trace" file required disabling the writing of the ring buffer. To make
    sure the writing was fully disabled before iterating the buffer with a
    non-consuming read, it would set the disable flag of the buffer and then
    call an RCU synchronization to make sure all the buffers were
    synchronized.
    
    The function ring_buffer_read_start() originally  would initialize the
    iterator and call an RCU synchronization, but this was for each individual
    per CPU buffer where this would get called many times on a machine with
    many CPUs before the trace file could be read. The commit 72c9ddfd4c5bf
    ("ring-buffer: Make non-consuming read less expensive with lots of cpus.")
    separated ring_buffer_read_start into ring_buffer_read_prepare(),
    ring_buffer_read_sync() and then ring_buffer_read_start() to allow each of
    the per CPU buffers to be prepared, call the read_buffer_read_sync() once,
    and then the ring_buffer_read_start() for each of the CPUs which made
    things much faster.
    
    The commit 1039221cc278 ("ring-buffer: Do not disable recording when there
    is an iterator") removed the requirement of disabling the recording of the
    ring buffer in order to iterate it, but it did not remove the
    synchronization that was happening that was required to wait for all the
    buffers to have no more writers. It's now OK for the buffers to have
    writers and no synchronization is needed.
    
    Remove the synchronization and put back the interface for the ring buffer
    iterator back before commit 72c9ddfd4c5bf was applied.
    
    Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Link: https://lore.kernel.org/20250630180440.3eabb514@batman.local.home
    Reported-by: David Howells <dhowells@redhat.com>
    Fixes: 1039221cc278 ("ring-buffer: Do not disable recording when there is an iterator")
    Tested-by: David Howells <dhowells@redhat.com>
    Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
    Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    
    Assisted-by: Kiro:claude-opus-4.8
    [doebel@amazon.de: move patch section using guard() macro into a
    separate block to address declaration after statement warning.]
    Signed-off-by: Bjoern Doebel <doebel@amazon.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd [+ + +]
Author: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Date:   Wed Jun 17 22:19:09 2026 -0400

    slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd
    
    [ Upstream commit 2a9d50e9ea406e0c8735938484adc20515ef1b47 ]
    
    When the remoteproc starts in parallel with the NGD driver being probed,
    or the remoteproc is already up when the PDR lookup is being registered,
    or in the theoretical event that we get an interrupt from the hardware,
    these callbacks will operate on uninitialized data. This result in
    issues to boot the affected boards.
    
    One such example can be seen in the following fault, where
    qcom_slim_ngd_ssr_pdr_notify() schedules work on the NULL ngd_up_work.
    
    [   21.858578] ------------[ cut here ]------------
    [   21.858745] WARNING: kernel/workqueue.c:2338 at __queue_work+0x5e0/0x790, CPU#2: kworker/2:2/116
    ...
    [   21.859251] Call trace:
    [   21.859255]  __queue_work+0x5e0/0x790 (P)
    [   21.859265]  queue_work_on+0x6c/0xf0
    [   21.859273]  qcom_slim_ngd_ssr_pdr_notify+0x110/0x150 [slim_qcom_ngd_ctrl]
    [   21.859304]  qcom_slim_ngd_ssr_notify+0x24/0x40 [slim_qcom_ngd_ctrl]
    [   21.859318]  notifier_call_chain+0xa4/0x230
    [   21.859329]  srcu_notifier_call_chain+0x64/0xb8
    [   21.859338]  ssr_notify_start+0x40/0x78 [qcom_common]
    [   21.859355]  rproc_start+0x130/0x230
    [   21.859367]  rproc_boot+0x3d4/0x518
    ...
    
    Move the enablement of interrupts, and the registration of SSR and PDR
    until after the NGD device has been registered.
    
    This could be further refined by moving initialization to the control
    driver probe and by removing the platform driver model from the picture.
    
    Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
    Cc: stable@vger.kernel.org
    Reviewed-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
    Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
    Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
    Link: https://patch.msgid.link/20260530204421.116824-6-srini@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [ dropped absent PDR/SSR registration block and kept 5.10's `res->start`/`dev_err` IRQ idiom, adding only `IRQF_NO_AUTOEN` plus a deferred `enable_irq(res->start)` after `of_qcom_slim_ngd_register()` ]
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done [+ + +]
Author: Doruk Tan Ozturk <doruk@0sec.ai>
Date:   Wed Jun 17 09:58:18 2026 +0200

    tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done
    
    commit bda3348872a2ef0d19f2df6aa8cb5025adce2f20 upstream.
    
    tipc_aead_decrypt() goes straight from tipc_bearer_hold(b) to
    crypto_aead_decrypt(req) without taking a reference on the netns, unlike
    the encrypt path. When crypto_aead_decrypt() is offloaded asynchronously
    (e.g. the SIMD aead wrapper queuing to cryptd), the cryptd worker runs
    tipc_aead_decrypt_done() later. If the bearer's netns is torn down in the
    meantime, cleanup_net() -> tipc_exit_net() -> tipc_crypto_stop() frees the
    per-netns tipc_crypto, and the completion then reads it:
    tipc_aead_decrypt_done() dereferences aead->crypto->stats and
    aead->crypto->net, and tipc_crypto_rcv_complete() dereferences
    aead->crypto->aead[] and the node table -- reading freed memory.
    
    Decoded KASAN splat (v7.1-rc7, CONFIG_KASAN_INLINE + TIPC + TIPC_CRYPTO):
    
      BUG: KASAN: slab-use-after-free in tipc_aead_decrypt_done (net/tipc/crypto.c:999)
      Read of size 8 at addr ffff8881056258a8 by task kworker/u16:2/51
      Workqueue: events_unbound
      Call Trace:
       tipc_aead_decrypt_done (net/tipc/crypto.c:999)
       process_one_work (kernel/workqueue.c:3314)
       worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
       kthread (kernel/kthread.c:436)
       ret_from_fork (arch/x86/kernel/process.c:158)
       ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
    
      Allocated by task 169:
       __kasan_kmalloc (mm/kasan/common.c:398 mm/kasan/common.c:415)
       tipc_crypto_start (net/tipc/crypto.c:1502)
       tipc_init_net (net/tipc/core.c:72)
       ops_init (net/core/net_namespace.c:137)
       setup_net (net/core/net_namespace.c:446)
       copy_net_ns (net/core/net_namespace.c:579)
       create_new_namespaces (kernel/nsproxy.c:132)
       __x64_sys_unshare (kernel/fork.c:3316)
       do_syscall_64 (arch/x86/entry/syscall_64.c:63)
       entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
    
      Freed by task 8:
       kfree (mm/slub.c:6566)
       tipc_exit_net (net/tipc/core.c:119)
       cleanup_net (net/core/net_namespace.c:704)
       process_one_work (kernel/workqueue.c:3314)
       kthread (kernel/kthread.c:436)
    
    This is the same class of bug that commit e279024617134 ("net/tipc: fix
    slab-use-after-free Read in tipc_aead_encrypt_done") fixed for the encrypt
    side. The encrypt path takes maybe_get_net(aead->crypto->net) before
    crypto_aead_encrypt() and drops it with put_net() on the synchronous
    return paths and in tipc_aead_encrypt_done(); the -EINPROGRESS/-EBUSY
    return keeps the reference for the async callback to release. The decrypt
    path was left without the equivalent guard.
    
    Mirror the encrypt-side fix on the decrypt path: take a net reference
    before crypto_aead_decrypt() (failing with -ENODEV and the matching
    bearer put if it cannot be acquired), keep it across the
    -EINPROGRESS/-EBUSY async return, and drop it with put_net() on the
    synchronous success/error return and at the end of
    tipc_aead_decrypt_done().
    
    Reproduced under KASAN on v7.1-rc7: a UDP bearer with a cluster key is
    flooded with crafted encrypted frames from an unknown peer (driving the
    cluster-key decrypt path) while the bearer's netns is repeatedly torn
    down. The completion must run asynchronously to outlive
    tipc_crypto_stop(); on x86 the stock aesni gcm(aes) now decrypts
    synchronously, so the async path was exercised via cryptd offload. The
    unguarded aead->crypto dereference in tipc_aead_decrypt_done() is the
    unpatched upstream path; tipc_aead_decrypt() still lacks
    maybe_get_net(aead->crypto->net), so the completion can outlive the free
    on any config where crypto_aead_decrypt() goes async.
    
    Found by 0sec automated security-research tooling (https://0sec.ai).
    
    Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
    Cc: stable@vger.kernel.org
    Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
    Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
    Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20260617075818.37431-1-doruk@0sec.ai
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
usb: cdns3: gadget: fix NULL pointer dereference in ep_queue [+ + +]
Author: Yongchao Wu <yongchao.wu@autochips.com>
Date:   Tue Mar 31 08:04:07 2026 +0800

    usb: cdns3: gadget: fix NULL pointer dereference in ep_queue
    
    commit 7f6f127b9bc34bed35f56faf7ecb1561d6b39000 upstream.
    
    When the gadget endpoint is disabled or not yet configured, the ep->desc
    pointer can be NULL. This leads to a NULL pointer dereference when
    __cdns3_gadget_ep_queue() is called, causing a kernel crash.
    
    Add a check to return -ESHUTDOWN if ep->desc is NULL, which is the
    standard return code for unconfigured endpoints.
    
    This prevents potential crashes when ep_queue is called on endpoints
    that are not ready.
    
    Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Yongchao Wu <yongchao.wu@autochips.com>
    Acked-by: Peter Chen <peter.chen@kernel.org>
    Link: https://patch.msgid.link/20260331000407.613298-1-yongchao.wu@autochips.com
    Signed-off-by: Mikhail Dmitrichenko <mdmitrichenko@astralinux.ru>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write [+ + +]
Author: Yi Yang <yiyang13@huawei.com>
Date:   Thu Jun 4 06:07:34 2026 +0000

    vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write
    
    commit a287620312dc6dcb9a093417a0e589bf30fcf38a upstream.
    
    A KASAN null-ptr-deref was observed in vcs_notifier():
    
    BUG: KASAN: null-ptr-deref in vcs_notifier+0x98/0x130
    Read of size 2 at addr qmp_cmd_name: qmp_capabilities, arguments: {}
    
    The issue is a race condition in vcs_write(). When the console_lock is
    temporarily dropped (to copy data from userspace), the vc_data pointer
    obtained from vcs_vc() may become stale. After re-acquiring the lock,
    vcs_vc() is called again to re-validate the pointer. If the vc has been
    deallocated in the meantime, vcs_vc() returns NULL, and the while loop
    breaks (with written > 0). However, after the loop, vcs_scr_updated(vc)
    is still called with the now-NULL vc pointer, leading to a null pointer
    dereference in the notifier chain (vcs_notifier dereferences param->vc).
    
    Fix this by adding a NULL check for vc before calling vcs_scr_updated().
    
    Fixes: 8fb9ea65c9d1 ("vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF")
    Cc: stable@vger.kernel.org
    Signed-off-by: Yi Yang <yiyang13@huawei.com>
    Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
    Link: https://patch.msgid.link/20260604060734.2914976-1-yiyang13@huawei.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
vfio/iommu_type1: replace kfree with kvfree [+ + +]
Author: Jiacheng Shi <billsjc@sjtu.edu.cn>
Date:   Sun Dec 12 01:16:00 2021 -0800

    vfio/iommu_type1: replace kfree with kvfree
    
    [ Upstream commit 2bed2ced40c97b8540ff38df0149e8ecb2bf4c65 ]
    
    Variables allocated by kvzalloc should not be freed by kfree.
    Because they may be allocated by vmalloc.
    So we replace kfree with kvfree here.
    
    Fixes: d6a4c185660c ("vfio iommu: Implementation of ioctl for dirty pages tracking")
    Signed-off-by: Jiacheng Shi <billsjc@sjtu.edu.cn>
    Link: https://lore.kernel.org/r/20211212091600.2560-1-billsjc@sjtu.edu.cn
    Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
virtiofs: fix UAF on submount umount [+ + +]
Author: Miklos Szeredi <mszeredi@redhat.com>
Date:   Thu Jun 25 13:56:09 2026 -0400

    virtiofs: fix UAF on submount umount
    
    [ Upstream commit 06b41351779e9289e8785694ade9042ae85e41ea ]
    
    iput() called from fuse_release_end() can Oops if the super block has
    already been destroyed.  Normally this is prevented by waiting for
    num_waiting to go down to zero before commencing with super block shutdown.
    
    This only works, however, for the last submount instance, as the wait
    counter is per connection, not per superblock.
    
    Revert to using synchronous release requests for the auto_submounts case,
    which is virtiofs only at this time.
    
    Reported-by: Aurélien Bombo <abombo@microsoft.com>
    Reported-by: Zhihao Cheng <chengzhihao1@huawei.com>
    Cc: Greg Kurz <gkurz@redhat.com>
    Closes: https://github.com/kata-containers/kata-containers/issues/12589
    Fixes: 26e5c67deb2e ("fuse: fix livelock in synchronous file put from fuseblk workers")
    Cc: stable@vger.kernel.org
    Reviewed-by: Greg Kurz <gkurz@redhat.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
wifi: ath11k: fix warning when unbinding [+ + +]
Author: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
Date:   Mon Apr 20 13:01:29 2026 +0200

    wifi: ath11k: fix warning when unbinding
    
    commit 8b7a26b6681922a38cd5a7829ace61f8e54df9b7 upstream.
    
    If there is an error during some initialization related to firmware,
    the buffers dp->tx_ring[i].tx_status are released.
    However this is released again when the device is unbinded (ath11k_pci),
    and we get:
    WARNING: CPU: 0 PID: 6231 at mm/slub.c:4368 free_large_kmalloc+0x57/0x90
    Call Trace:
    free_large_kmalloc
    ath11k_dp_free
    ath11k_core_deinit
    ath11k_pci_remove
    ...
    
    The issue is always reproducible from a VM because the MSI addressing
    initialization is failing.
    
    In order to fix the issue, just set the buffers to NULL after releasing in
    order to avoid the double free.
    
    Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
    Cc: stable@vger.kernel.org
    Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
    Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
    Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
    Link: https://patch.msgid.link/20260420110130.509670-1-jtornosm@redhat.com
    Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S [+ + +]
Author: Zenm Chen <zenmchen@gmail.com>
Date:   Tue Apr 7 23:44:30 2026 +0800

    wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S
    
    commit f4ce0664e9f0387873b181777891741c33e19465 upstream.
    
    Add the ID 056e:400a to the table to support an additional MT7612U
    adapter: ELECOM WDC-867SU3S.
    
    Compile tested only.
    
    Cc: stable@vger.kernel.org # 5.10.x
    Signed-off-by: Zenm Chen <zenmchen@gmail.com>
    Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
    Link: https://patch.msgid.link/20260407154430.9184-1-zenmchen@gmail.com
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor [+ + +]
Author: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Date:   Sat Apr 25 22:32:58 2026 +0300

    wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor
    
    commit 83d38df6929118c3f996b9e3351c2d5014073d87 upstream.
    
    Bit 28 of double word 2 in the RX descriptor indicates if the packet is
    a normal 802.11 frame, or a message from the wifi firmware to the
    driver (Card 2 Host).
    
    Commit f5678bfe1cdc ("rtlwifi: rtl8821ae: Replace local bit manipulation
    macros") mistakenly made the driver look for this bit in double word 1,
    causing packet loss and Bluetooth coexistence problems.
    
    Fixes: f5678bfe1cdc ("rtlwifi: rtl8821ae: Replace local bit manipulation macros")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
    Acked-by: Ping-Ke Shih <pkshih@realtek.com>
    Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
    Link: https://patch.msgid.link/04da7398-cedb-425a-a810-5772ab10139d@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>