Changelog in Linux kernel 6.12.96

 
6lowpan: fix NHC entry use-after-free on error path [+ + +]
Author: Yizhou Zhao <[email protected]>
Date:   Tue Jun 9 16:00:52 2026 +0800

    6lowpan: fix NHC entry use-after-free on error path
    
    commit 1720db928e5a58ca7d75ac1d514c3b73fd7061a7 upstream.
    
    lowpan_nhc_do_uncompression() looks up an NHC descriptor while holding
    lowpan_nhc_lock.  If the descriptor has no uncompress callback, the error
    path drops the lock before printing nhc->name.
    
    lowpan_nhc_del() removes descriptors under the same lock and then relies
    on synchronize_net() before the owning module can be unloaded.  That only
    waits for net RX RCU readers.  lowpan_header_decompress() is also exported
    and can be reached from callers that are not necessarily covered by the net
    core RX critical section, for example the Bluetooth 6LoWPAN L2CAP receive
    path.
    
    This leaves a race where one task drops lowpan_nhc_lock in the error path,
    another task unregisters and frees the matching descriptor after
    synchronize_net() returns, and the first task then dereferences nhc->name
    for the warning.
    
    With the post-unlock window widened, KASAN reports:
    
      BUG: KASAN: slab-use-after-free in lowpan_nhc_do_uncompression+0x1f4/0x220
      Read of size 8
      lowpan_nhc_do_uncompression
      lowpan_header_decompress
    
    Fix this by printing the warning before dropping lowpan_nhc_lock, so the
    descriptor name is read while unregister is still excluded.  The malformed
    packet is still rejected with -ENOTSUPP.
    
    Fixes: 92aa7c65d295 ("6lowpan: add generic nhc layer interface")
    Cc: [email protected]
    Reported-by: Yizhou Zhao <[email protected]>
    Reported-by: Yuxiang Yang <[email protected]>
    Reported-by: Ao Wang <[email protected]>
    Reported-by: Xuewei Feng <[email protected]>
    Reported-by: Qi Li <[email protected]>
    Reported-by: Ke Xu <[email protected]>
    Signed-off-by: Yizhou Zhao <[email protected]>
    Acked-by: Alexander Aring <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
ACPI: CPPC: Suppress UBSAN warning caused by field misuse [+ + +]
Author: Jeremy Linton <[email protected]>
Date:   Mon Jun 1 18:58:08 2026 -0500

    ACPI: CPPC: Suppress UBSAN warning caused by field misuse
    
    commit 1b1acf2dada0cc3931bb2cb9ff8832edfbee46a1 upstream.
    
    The definition of reg->access_width changes depending on the
    reg->space_id type.  Type ACPI_ADR_SPACE_PLATFORM_COMM uses
    access_width to indicate the PCC region, which can result in a UBSAN
    if the value is greater than 4.
    
    For example:
    
     UBSAN: shift-out-of-bounds in drivers/acpi/cppc_acpi.c:1090:9
     shift exponent 32 is too large for 32-bit type 'int'
     CPU: 61 UID: 0 PID: 1220 Comm: (udev-worker) Not tainted 7.0.10-201.fc44.aarch64 #1 PREEMPT(lazy)
     Hardware name: To be filled by O.E.M.
     Call trace:
      ...(trimming)
      ubsan_epilogue+0x10/0x48
      __ubsan_handle_shift_out_of_bounds+0xdc/0x1e0
      cpc_write+0x4d0/0x670
      cppc_set_perf+0x18c/0x490
      cppc_cpufreq_cpu_init+0x1c8/0x380 [cppc_cpufreq]
      ... (trimming)
    
    Lets fix this by validating the region type, as well as whether
    access_width has a value. Then since we are returning bit_width
    directly for ACPI_ADR_SPACE_PLATFORM_COMM, drop the code correcting
    the size.
    
    Fixes: 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system memory accesses")
    Signed-off-by: Jeremy Linton <[email protected]>
    Tested-by: Jarred White <[email protected]>
    Reviewed-by: Jarred White <[email protected]>
    Reviewed-by: Easwar Hariharan <[email protected]>
    Cc: All applicable <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Rafael J. Wysocki <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ACPI: NFIT: core: Fix possible NULL pointer dereference [+ + +]
Author: Rafael J. Wysocki <[email protected]>
Date:   Wed Jun 3 19:56:21 2026 +0200

    ACPI: NFIT: core: Fix possible NULL pointer dereference
    
    commit 027e128abb82788189d6d45b68e3e8e7329b67be upstream.
    
    After commit 9b311b7313d6 ("ACPI: NFIT: Install Notify() handler before
    getting NFIT table"), acpi_nfit_probe() installs an ACPI notify handler
    for the NFIT device before checking the presence of the NFIT table.  If
    that table is not there, 0 is returned without allocating the acpi_desc
    object and setting the driver data pointer of the NFIT device.  If the
    platform firmware triggers an NFIT_NOTIFY_UC_MEMORY_ERROR notification
    on the NFIT device at that point, acpi_nfit_uc_error_notify() will
    dereference a NULL pointer.
    
    Prevent that from occurring by adding an acpi_desc check against NULL
    to acpi_nfit_uc_error_notify().
    
    Fixes: 9b311b7313d6 ("ACPI: NFIT: Install Notify() handler before getting NFIT table")
    Signed-off-by: Rafael J. Wysocki <[email protected]>
    Cc: All applicable <[email protected]>
    Reviewed-by: Dave Jiang <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
ALSA: caiaq: fix out-of-bounds read in the Traktor Kontrol S4 input parser [+ + +]
Author: Maoyi Xie <[email protected]>
Date:   Thu Jun 18 14:03:15 2026 +0800

    ALSA: caiaq: fix out-of-bounds read in the Traktor Kontrol S4 input parser
    
    commit f7f3f9fd81e7adbaa12c2e62ee07f0e094a543fd upstream.
    
    snd_usb_caiaq_tks4_dispatch() decodes the Traktor Kontrol S4 input
    stream in fixed 16-byte (TKS4_MSGBLOCK_SIZE) message blocks. On every
    iteration it advances buf and subtracts the block size while looping on
    "while (len)".
    
    len is urb->actual_length. That value is supplied by the device and is
    not guaranteed to be a multiple of 16. When a final short block leaves
    len between 1 and 15, the loop runs once more, reads up to buf[15], and
    then does "len -= TKS4_MSGBLOCK_SIZE". As len is unsigned this underflows
    to a huge value. The loop then keeps iterating and walking buf far past
    the end of the 512-byte ep4_in_buf, reading out of bounds until a bogus
    block id happens to be hit.
    
    Iterate only while a full message block is available. This stops the
    unsigned underflow and silently drops any trailing partial block, which
    carries no complete control value anyway.
    
    The sibling endpoint-4 parsers are not affected. The Traktor Kontrol X1
    and Maschine arms in snd_usb_caiaq_ep4_reply_dispatch() floor
    urb->actual_length before dispatching.
    
    Fixes: 15c5ab607045 ("ALSA: snd-usb-caiaq: Add support for Traktor Kontrol S4")
    Cc: [email protected]
    Signed-off-by: Maoyi Xie <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ALSA: cmipci: check snd_ctl_new1() return value [+ + +]
Author: Zhao Dongdong <[email protected]>
Date:   Wed May 27 20:09:13 2026 +0800

    ALSA: cmipci: check snd_ctl_new1() return value
    
    commit c205bd1b28fb7e5f1061a4e78813fad7d315cb3e upstream.
    
    snd_ctl_new1() can return NULL when memory allocation fails.
    snd_cmipci_spdif_controls() does not check the return value before
    dereferencing kctl->id.device, which can lead to a NULL pointer
    dereference.
    
    Add NULL checks after snd_ctl_new1() calls and return -ENOMEM if any
    fails.
    
    Assisted-by: Opencode:DeepSeek-V4-Flash
    Cc: [email protected]
    Fixes: f2f312ad88c6 ("ALSA: cmipci: Fix kctl->id initialization")
    Signed-off-by: Zhao Dongdong <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ALSA: es1938: check snd_ctl_new1() return value [+ + +]
Author: Zhao Dongdong <[email protected]>
Date:   Wed May 27 20:09:09 2026 +0800

    ALSA: es1938: check snd_ctl_new1() return value
    
    commit 1edd1f02dddd20aeb6066ded41017615766ea42f upstream.
    
    snd_ctl_new1() can return NULL when memory allocation fails.
    snd_es1938_mixer() does not check the return value before dereferencing
    the pointer, which can lead to a NULL pointer dereference.
    
    Add a NULL check after snd_ctl_new1() and return -ENOMEM if it fails.
    
    Assisted-by: Opencode:DeepSeek-V4-Flash
    Cc: [email protected]
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Zhao Dongdong <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ALSA: firewire: isight: bound the sample count to the packet payload [+ + +]
Author: Maoyi Xie <[email protected]>
Date:   Sun Jun 21 23:09:07 2026 +0800

    ALSA: firewire: isight: bound the sample count to the packet payload
    
    commit 29b9667982e4df2ed7744f86b1144f8bb58eb698 upstream.
    
    isight_packet() takes the frame count from the device iso packet and
    checks it only against the device claimed iso length.
    
            count = be32_to_cpu(payload->sample_count);
            if (likely(count <= (length - 16) / 4))
                    isight_samples(isight, payload->samples, count);
    
    length is the iso header data_length. It can be up to 0xffff. So the
    gate allows a count up to about 16379. isight_samples() then copies
    count frames out of payload->samples into the PCM DMA buffer.
    
    payload->samples holds only 2 * MAX_FRAMES_PER_PACKET values. The
    device multiplexes two samples per frame. A count past
    MAX_FRAMES_PER_PACKET reads past the payload. A count past the buffer
    size writes past runtime->dma_area. The smallest PCM buffer is larger
    than MAX_FRAMES_PER_PACKET. Bounding the count to MAX_FRAMES_PER_PACKET
    keeps both the read and the write in range.
    
    A malicious or faulty Apple iSight on the FireWire bus reaches this
    during a normal capture.
    
    Add the MAX_FRAMES_PER_PACKET bound to the gate.
    
    Fixes: 3a691b28a0ca ("ALSA: add Apple iSight microphone driver")
    Suggested-by: Takashi Sakamoto <[email protected]>
    Cc: [email protected]
    Signed-off-by: Maoyi Xie <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ALSA: gus: check snd_ctl_new1() return value [+ + +]
Author: Zhao Dongdong <[email protected]>
Date:   Wed May 27 20:09:10 2026 +0800

    ALSA: gus: check snd_ctl_new1() return value
    
    commit c7fa99d30c7a166a5e5db5a585ce7501ff68326b upstream.
    
    snd_ctl_new1() can return NULL when memory allocation fails.
    snd_gf1_pcm_volume_control() does not check the return value before
    dereferencing kctl->id.index, which can lead to a NULL pointer
    dereference.
    
    Add a NULL check after snd_ctl_new1() and return -ENOMEM if it fails.
    
    Assisted-by: Opencode:DeepSeek-V4-Flash
    Cc: [email protected]
    Fixes: c5ae57b1bb99 ("ALSA: gus: Fix kctl->id initialization")
    Signed-off-by: Zhao Dongdong <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ALSA: ice1712: check snd_ctl_new1() return value [+ + +]
Author: Zhao Dongdong <[email protected]>
Date:   Wed May 27 20:09:11 2026 +0800

    ALSA: ice1712: check snd_ctl_new1() return value
    
    commit 2b929b91b0f3bc6de8a844370049cd99ee8e31ff upstream.
    
    snd_ctl_new1() can return NULL when memory allocation fails. The
    ice1712 driver calls snd_ctl_new1() without checking the return value
    before dereferencing the pointer in multiple places (ice1712.c,
    ice1724.c, aureon.c), which can lead to NULL pointer dereferences.
    
    Add NULL checks after snd_ctl_new1() calls and return -ENOMEM if any
    fails.
    
    Assisted-by: Opencode:DeepSeek-V4-Flash
    Cc: [email protected]
    Fixes: b9a4efd61b6b ("ALSA: ice1712,ice1724: fix the kcontrol->id initialization")
    Signed-off-by: Zhao Dongdong <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ALSA: seq: Fix uninitialised heap leak in snd_seq_event_dup() [+ + +]
Author: HyeongJun An <[email protected]>
Date:   Wed Jun 24 08:38:40 2026 +0900

    ALSA: seq: Fix uninitialised heap leak in snd_seq_event_dup()
    
    commit 435990e25bf1f4af3e6df12a6fbfd1f7ba4a97d4 upstream.
    
    snd_seq_event_dup() copies an incoming event into a pool cell and, in
    the UMP-enabled build, clears the trailing cell->ump.raw.extra word that
    the memcpy() did not cover.  The guard deciding whether to clear it
    compares the copied size against sizeof(cell->event):
    
            memcpy(&cell->ump, event, size);
            if (size < sizeof(cell->event))
                    cell->ump.raw.extra = 0;
    
    For a legacy (non-UMP) event, size == sizeof(struct snd_seq_event) ==
    sizeof(cell->event), so the condition is false and the extra word keeps
    stale data.  The cell pool is allocated with kvmalloc() (not zeroed) and
    cells are reused via a free list, so that word holds uninitialised heap
    or leftover event data.
    
    When such a cell is delivered to a UMP client (client->midi_version > 0)
    that set SNDRV_SEQ_FILTER_NO_CONVERT -- so the legacy event reaches it
    unconverted -- snd_seq_read() reads it out as the larger struct
    snd_seq_ump_event and copies the stale word to user space, a 4-byte
    kernel heap infoleak to an unprivileged /dev/snd/seq client.
    
    Compare against sizeof(cell->ump) instead, so the trailing word is zeroed
    for every event shorter than the UMP cell.
    
    Fixes: 46397622a3fa ("ALSA: seq: Add UMP support")
    Cc: [email protected]
    Assisted-by: Claude:claude-opus-4-8
    Signed-off-by: HyeongJun An <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ALSA: usb-audio: avoid kobject path lookup in DualSense match [+ + +]
Author: Darvell Long <[email protected]>
Date:   Wed Jun 24 07:37:23 2026 -0700

    ALSA: usb-audio: avoid kobject path lookup in DualSense match
    
    commit 7693c0cc415f3a16a7a3355f245474a5e661be4e upstream.
    
    The DualSense jack-detection input handler verifies that a matching input
    device belongs to the same physical controller by building kobject path
    strings for both the input device and the USB audio device, then comparing
    the path prefix.
    
    This was observed when a weak physical connection caused the controller
    to rapidly disconnect and reconnect. During that repeated hotplug,
    snd_dualsense_ih_match() can run while the controller's USB device is
    being disconnected. kobject_get_path() walks ancestor kobjects and
    dereferences their names; if the USB device kobject name is no longer
    valid, this can fault in strlen():
    
      RIP: 0010:strlen+0x10/0x30
      Call Trace:
       kobject_get_path+0x34/0x150
       snd_dualsense_ih_match+0x49/0xd0 [snd_usb_audio]
       input_register_device+0x566/0x6a0
       ps_probe+0xb89/0x1590 [hid_playstation]
    
    The same ownership check can be done without building kobject path
    strings. The input device is parented below the HID device, USB interface
    and USB device, so walking the input device parent chain and comparing
    against the mixer USB device preserves the check without dereferencing
    kobject names during disconnect.
    
    Fixes: 79d561c4ec04 ("ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5")
    Cc: <[email protected]>
    Assisted-by: Cute:gpt-5.5
    Signed-off-by: Darvell Long <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ALSA: usb-audio: Propagate errors in scarlett_ctl_enum_put() [+ + +]
Author: Cássio Gabriel <[email protected]>
Date:   Sun Apr 19 17:30:30 2026 -0300

    ALSA: usb-audio: Propagate errors in scarlett_ctl_enum_put()
    
    commit 0f25cf1f02e3dba626791d949c759a48c0a44996 upstream.
    
    scarlett_ctl_enum_put() ignores the return value from
    snd_usb_set_cur_mix_value() and reports success whenever the
    requested enum value differs from the current one.
    
    If the SET_CUR request fails, the callback still returns success even
    though neither the hardware state nor the cached mixer value changed.
    
    Fixes: 76b188c4b370 ("ALSA: usb-audio: Scarlett mixer interface for 6i6, 18i6, 18i8 and 18i20")
    Cc: [email protected]
    Signed-off-by: Cássio Gabriel <[email protected]>
    Signed-off-by: Takashi Iwai <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ALSA: usb-audio: Propagate US-16x08 write errors in route/mix EQ-switch put callbacks [+ + +]
Author: Cássio Gabriel <[email protected]>
Date:   Sun Apr 19 17:30:31 2026 -0300

    ALSA: usb-audio: Propagate US-16x08 write errors in route/mix EQ-switch put callbacks
    
    commit 3c06aec8abda6ba068b58a8b7119cdb2a48456b1 upstream.
    
    Several US-16x08 mixer put callbacks log failed control URBs but
    still return success to userspace. That hides device write failures
    even though the requested value was not applied.
    
    Return the negative write error instead in the route, master, bus,
    channel, and EQ switch put callbacks.
    
    Fixes: d2bb390a2081 ("ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk")
    Cc: [email protected]
    Signed-off-by: Cássio Gabriel <[email protected]>
    Signed-off-by: Takashi Iwai <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ALSA: usb-audio: Roll back quirk control caches on write errors [+ + +]
Author: Cássio Gabriel <[email protected]>
Date:   Wed Apr 29 10:20:01 2026 -0300

    ALSA: usb-audio: Roll back quirk control caches on write errors
    
    commit 6380957fa24251856a532e48a46a4dc3d1ae26b6 upstream.
    
    Several mixer quirk callbacks cache the requested
    control value in kcontrol->private_value before
    issuing a single vendor or class write.
    
    Their paired get and resume paths consume that cache
    directly, so a failed write currently leaves software
    state changed even though the update did not succeed.
    That can make later reads report a value the device
    never accepted and can replay the stale cache on resume.
    
    Restore the previous cached value on failure in
    the Audigy2NX LED, Emu0204 channel switch,
    Xonar U1 output switch, Native Instruments controls,
    FTU effect program switch, and Sound Blaster E1 input source switch.
    
    Fixes: 9cf3689bfe07 ("ALSA: usb-audio: Add audigy2nx resume support")
    Fixes: 5f503ee9e270 ("ALSA: usb-audio: Add Emu0204 channel switch resume support")
    Fixes: 2bfb14c3b8fb ("ALSA: usb-audio: Add Xonar U1 resume support")
    Fixes: da6d276957ea ("ALSA: usb-audio: Add resume support for Native Instruments controls")
    Fixes: 0b4e9cfcef05 ("ALSA: usb-audio: Add resume support for FTU controls")
    Fixes: 388fdb8f882a ("ALSA: usb-audio: Support changing input on Sound Blaster E1")
    Cc: [email protected]
    Signed-off-by: Cássio Gabriel <[email protected]>
    Link: https://patch.msgid.link/20260429-alsa-usb-quirks-cache-rollback-v1-1-01b35c688b80@gmail.com
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ALSA: usb-audio: Update Babyface Pro control caches only after successful writes [+ + +]
Author: Cássio Gabriel <[email protected]>
Date:   Wed Apr 29 10:20:02 2026 -0300

    ALSA: usb-audio: Update Babyface Pro control caches only after successful writes
    
    commit d8f802ccf1fdbeb89d62748d6a0d0fbd442c8127 upstream.
    
    snd_bbfpro_ctl_put() and snd_bbfpro_vol_put()
    cache the requested packed control state in
    kcontrol->private_value before issuing the USB write.
    
    Their get and resume paths use that cached value directly,
    so a failed write can leave the driver reporting and later
    replaying a setting the hardware never accepted.
    
    Update the cached state only after a successful USB write.
    
    Fixes: 3e8f3bd04716 ("ALSA: usb-audio: RME Babyface Pro mixer patch")
    Cc: [email protected]
    Signed-off-by: Cássio Gabriel <[email protected]>
    Link: https://patch.msgid.link/20260429-alsa-usb-quirks-cache-rollback-v1-2-01b35c688b80@gmail.com
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ALSA: usb-audio: Update US-16x08 EQ/comp shadow state after successful writes [+ + +]
Author: Cássio Gabriel <[email protected]>
Date:   Sun Apr 19 17:30:32 2026 -0300

    ALSA: usb-audio: Update US-16x08 EQ/comp shadow state after successful writes
    
    commit a440c17869ecd71da0f295b62868fc742d09a8ba upstream.
    
    snd_us16x08_comp_put() and snd_us16x08_eq_put() update their
    software stores before sending the USB write. If the transfer
    fails, later get callbacks report a value the hardware never
    accepted.
    
    Build the outgoing message from the current store plus the
    pending value, then commit the store only after a successful
    write.
    
    Fixes: d2bb390a2081 ("ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk")
    Cc: [email protected]
    Signed-off-by: Cássio Gabriel <[email protected]>
    Signed-off-by: Takashi Iwai <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ALSA: virtio: Add missing 384 kHz PCM rate mapping [+ + +]
Author: Cássio Gabriel <[email protected]>
Date:   Fri May 15 10:32:25 2026 -0300

    ALSA: virtio: Add missing 384 kHz PCM rate mapping
    
    commit 83fbbcb7935ec6d2c8ba3bc133e8a0ead2ab0b2d upstream.
    
    The VirtIO sound UAPI defines VIRTIO_SND_PCM_RATE_384000, and ALSA
    has SNDRV_PCM_RATE_384000. However, virtio-snd's rate conversion
    tables stop at 192 kHz.
    
    A device advertising only 384 kHz is rejected as having no supported
    PCM frame rates. A device advertising 384 kHz together with lower rates
    does not expose 384 kHz through the ALSA hardware constraints. The
    selected ALSA rate also needs a reverse mapping for SET_PARAMS.
    
    Add the missing 384 kHz entries to both conversion tables.
    
    Fixes: 29b96bf50ba9 ("ALSA: virtio: build PCM devices and substream hardware descriptors")
    Fixes: da76e9f3e43a ("ALSA: virtio: PCM substream operators")
    Cc: [email protected]
    Signed-off-by: Cássio Gabriel <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ALSA: virtio: Validate control metadata from the device [+ + +]
Author: Cássio Gabriel <[email protected]>
Date:   Thu May 7 11:28:30 2026 -0300

    ALSA: virtio: Validate control metadata from the device
    
    commit c77a6cbb36ff8cbc1f084d94f8dcda5250935271 upstream.
    
    virtio-snd control handling trusts the device-provided control type and
    value count returned by the device.
    
    That metadata is then used directly to index g_v2a_type_map[] in
    virtsnd_kctl_info(), and to size loops and memcpy() operations in
    virtsnd_kctl_get() and virtsnd_kctl_put() against fixed-size
    virtio_snd_ctl_value and snd_ctl_elem_value arrays.
    
    A buggy or malicious device can therefore trigger out-of-bounds access by
    advertising an invalid control type or an oversized value count.
    
    Validate control type and count once in virtsnd_kctl_parse_cfg(), before
    querying enumerated items or exposing the control to ALSA.
    
    Fixes: d6568e3de42d ("ALSA: virtio: add support for audio controls")
    Cc: [email protected]
    Signed-off-by: Cássio Gabriel <[email protected]>
    Link: https://patch.msgid.link/20260507-alsa-virtio-validate-kctl-info-v1-1-7404fb12ec37@gmail.com
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ALSA: ymfpci: check snd_ctl_new1() return value [+ + +]
Author: Zhao Dongdong <[email protected]>
Date:   Wed May 27 20:09:12 2026 +0800

    ALSA: ymfpci: check snd_ctl_new1() return value
    
    commit e64d170346d00b580c0043de3e5ccb3e331c47d4 upstream.
    
    snd_ctl_new1() can return NULL when memory allocation fails.
    snd_ymfpci_create_spdif_controls() does not check the return value
    before dereferencing kctl->id.device, which can lead to a NULL pointer
    dereference.
    
    Add NULL checks after snd_ctl_new1() calls and return -ENOMEM if any
    fails.
    
    Assisted-by: Opencode:DeepSeek-V4-Flash
    Cc: [email protected]
    Fixes: c9b83ae4a160 ("ALSA: ymfpci: Fix kctl->id initialization")
    Signed-off-by: Zhao Dongdong <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
apparmor: advertise the tcp fast open fix is applied [+ + +]
Author: John Johansen <[email protected]>
Date:   Mon Jul 6 09:17:08 2026 -0400

    apparmor: advertise the tcp fast open fix is applied
    
    [ Upstream commit 2f6701a5ce6257ae7a64ddc6d89d0a08d2a034f8 ]
    
    The fix for tcp-fast-open ensures that the connect permission is being
    mediated correctly but it didn't add an artifact to the feature set to
    advertise the fix is available. Add an artifact so that the test suite
    can identify if the fix has not been properly applied or a new
    unexpected regression has occurred.
    
    Fixes: 4d587cd8a7215 ("apparmor: mediate the implicit connect of TCP fast open sendmsg")
    Signed-off-by: John Johansen <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
arm64: fpsimd: Fix type mismatch in sme_{save,load}_state() [+ + +]
Author: Mark Rutland <[email protected]>
Date:   Wed Jun 3 12:06:12 2026 +0100

    arm64: fpsimd: Fix type mismatch in sme_{save,load}_state()
    
    commit 247bd153905085c18ff9006cca1ccb96dfd18e7f upstream.
    
    The sme_save_state() and sme_load_state() functions take a 32-bit int
    argument that describes whether to save/restore ZT0. Their assembly
    implementations consume the entire 64-bit register containing this
    32-bit value, and will attempt to save/restore ZT0 if any bit of
    that 64-bit register is non-zero.
    
    Per the AAPCS64 parameter passing rules, the callee is responsible for
    any necessary widening, and the upper 32-bits are permitted to contain
    arbitrary values. If the upper 32 bits are non-zero, this could result
    in an unexpected attempt to save/restore ZT0, and consequently could
    lead to unexpected traps/undefs/faults.
    
    In practice compilers are very unlikely to generate code where the upper
    32-bits would be non-zero, but they are permitted to do so.
    
    Fix this by only consuming the low 32 bits of the register, and update
    comments accordingly.
    
    Fixes: 95fcec713259 ("arm64/sme: Implement context switching for ZT0")
    Signed-off-by: Mark Rutland <[email protected]>
    Cc: Catalin Marinas <[email protected]>
    Cc: Fuad Tabba <[email protected]>
    Cc: James Morse <[email protected]>
    Cc: Marc Zyngier <[email protected]>
    Cc: Mark Brown <[email protected]>
    Cc: Oliver Upton <[email protected]>
    Cc: Vladimir Murzin <[email protected]>
    Cc: Will Deacon <[email protected]>
    Cc: [email protected]
    Signed-off-by: Will Deacon <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
audit: Fix data races of skb_queue_len() readers on audit_queue [+ + +]
Author: Chi Wang <[email protected]>
Date:   Fri Jun 19 15:42:44 2026 +0800

    audit: Fix data races of skb_queue_len() readers on audit_queue
    
    commit c9a71daaecb2fb1d8c704545cc0b1c920b9bf5d7 upstream.
    
    Multiple readers access audit_queue.qlen via skb_queue_len() without
    holding the queue lock or using READ_ONCE(), while kauditd writes to
    this field via the skb_dequeue() → __skb_unlink() path with WRITE_ONCE()
    protected by a spinlock. This constitutes data races.
    
    All affected skb_queue_len(&audit_queue) call sites:
      - kauditd_thread() wait_event_freezable() condition
      - audit_receive_msg() AUDIT_GET handler (s.backlog assignment)
      - audit_receive() backlog check
      - audit_log_start() backlog check and pr_warn()
    
    KCSAN reports the following conflicting access pattern (one example):
    ==================================================================
    BUG: KCSAN: data-race in audit_log_start / skb_dequeue
    
    write (marked) to 0xffffffff8512ee20 of 4 bytes by task 661 on cpu 57:
     skb_dequeue+0x70/0xf0
     kauditd_send_queue+0x71/0x220
     kauditd_thread+0x1cb/0x430
     kthread+0x1c2/0x210
     ret_from_fork+0x162/0x1a0
     ret_from_fork_asm+0x1a/0x30
    
    read to 0xffffffff8512ee20 of 4 bytes by task 36586 on cpu 1:
     audit_log_start+0x2a0/0x6b0
     audit_core_dumps+0x64/0xa0
     do_coredump+0x14b/0x1260
     get_signal+0xeb2/0xf70
     arch_do_signal_or_restart+0x41/0x170
     exit_to_user_mode_loop+0xa2/0x1c0
     do_syscall_64+0x1a3/0x1c0
     entry_SYSCALL_64_after_hwframe+0x76/0xe0
    
    value changed: 0x00000001 -> 0x00000000
    ==================================================================
    
    Resolve the race by switching to lockless helper skb_queue_len_lockless(),
    which internally uses READ_ONCE() and properly pairs with the WRITE_ONCE()
    write accesses already present on the writer side.
    
    Cc: [email protected]
    Fixes: 3197542482df ("audit: rework audit_log_start()")
    Signed-off-by: Chi Wang <[email protected]>
    Reviewed-by: Ricardo Robaina <[email protected]>
    [PM: line length tweak]
    Signed-off-by: Paul Moore <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

audit: fix potential integer overflow in audit_log_n_hex() [+ + +]
Author: Ricardo Robaina <[email protected]>
Date:   Thu Jul 2 11:04:11 2026 -0300

    audit: fix potential integer overflow in audit_log_n_hex()
    
    commit 65dfde57d1e29ce2b76fc23dd565eccd5c0bc0f0 upstream.
    
    The function calculates new_len as len << 1 for hex encoding. This
    has two overflow risks: the shift itself can overflow when len is
    large, and the result can be truncated when assigned to new_len
    (declared as int) from the size_t calculation.
    
    Fix by using check_shl_overflow() to catch shift overflow and
    changing new_len and loop counter i to size_t to prevent truncation.
    
    Cc: [email protected]
    Fixes: 168b7173959f ("AUDIT: Clean up logging of untrusted strings")
    Reviewed-by: Richard Guy Briggs <[email protected]>
    Signed-off-by: Ricardo Robaina <[email protected]>
    [PM: remove vertical whitspace noise]
    Signed-off-by: Paul Moore <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
bcachefs: avoid truncating fiemap extent length [+ + +]
Author: Mikhail Dmitrichenko <[email protected]>
Date:   Fri Jul 3 14:48:13 2026 +0300

    bcachefs: avoid truncating fiemap extent length
    
    No upstream commit exists for this patch.
    
    bkey sizes are stored in sectors as u32, while fiemap reports byte
    lengths as u64. Shifting k.k->size before widening performs the
    conversion in 32 bits, so an extent of 4 GiB or larger can wrap before
    it is passed to fiemap_fill_next_extent().
    
    Compute the byte length after casting the sector count to u64 and reuse
    it for all bch2_fill_extent() cases.
    
    The same issue was fixed in bcachefs-tools, but there is no Linux
    upstream commit to backport to 6.12. The affected 6.12 implementation lives
    in fs/bcachefs/fs.c, while the bcachefs-tools fix touches
    fs/bcachefs/vfs/fiemap.c.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Link: https://lore.kernel.org/linux-bcachefs/[email protected]/
    Link: https://evilpiepirate.org/git/bcachefs-tools.git/commit/?id=6d9a895ed00d4b3868312df93253d2a817b0c6a3
    Signed-off-by: Mikhail Dmitrichenko <[email protected]>
    Acked-by: Kent Overstreet <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
binder: fix UAF in binder_free_transaction() [+ + +]
Author: Carlos Llamas <[email protected]>
Date:   Fri Jun 19 18:52:31 2026 +0000

    binder: fix UAF in binder_free_transaction()
    
    commit f223d27a546c1e1f48d38fd67760e78f068fe8c4 upstream.
    
    In binder_free_transaction(), the t->to_proc is read under the t->lock.
    However, once the t->lock is dropped, the to_proc can die in parallel.
    This leads to a use-after-free error when we attempt to acquire its
    inner lock right afterwards:
    
      ==================================================================
      BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x1a0
      Write of size 4 at addr ffff00001125da70 by task B/672
    
      CPU: 20 UID: 0 PID: 672 Comm: B Not tainted 7.1.0-rc6-00284-g8e65320d91cd #4 PREEMPT
      Hardware name: linux,dummy-virt (DT)
      Call trace:
       _raw_spin_lock+0xe4/0x1a0
       binder_free_transaction+0x8c/0x320
       binder_send_failed_reply+0x21c/0x2f8
       binder_thread_release+0x488/0x7e0
       binder_ioctl+0x12c0/0x29a0
      [...]
    
      Allocated by task 675:
       __kmalloc_cache_noprof+0x174/0x444
       binder_open+0x118/0xb70
       do_dentry_open+0x374/0x1040
       vfs_open+0x58/0x3bc
      [...]
    
      Freed by task 212:
       __kasan_slab_free+0x58/0x80
       kfree+0x1a0/0x4a4
       binder_proc_dec_tmpref+0x32c/0x5e0
       binder_deferred_func+0xc48/0x104c
       process_one_work+0x53c/0xbc0
      [...]
      ==================================================================
    
    To prevent this, pin the target thread (t->to_thread) to guarantee the
    target process remains alive. Undelivered transactions without a target
    thread are already safe, as the target process can only be the current
    context in those paths.
    
    Cc: stable <[email protected]>
    Reported-by: Alice Ryhl <[email protected]>
    Closes: https://lore.kernel.org/all/[email protected]/
    Fixes: a370003cc301 ("binder: fix possible UAF when freeing buffer")
    Signed-off-by: Carlos Llamas <[email protected]>
    Reviewed-by: Alice Ryhl <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

binder: fix UAF in binder_thread_release() [+ + +]
Author: Carlos Llamas <[email protected]>
Date:   Fri Jun 19 18:52:30 2026 +0000

    binder: fix UAF in binder_thread_release()
    
    commit 114a116aaa5f0295376cdf12da743c5bce3b20ce upstream.
    
    When a thread exits, binder_thread_release() walks its transaction stack
    to clear the t->from and t->to_proc that correspond with the exiting
    thread. However, a process dying in parallel might attempt to kfree some
    of these transactions. And if one of them has no associated t->to_proc,
    the t->to_proc->inner_lock will not be acquired.
    
    This means that transaction accesses in binder_thread_release() after
    t->to_proc has been cleared might race with binder_free_transaction()
    and cause a use-after-free error as reported by KASAN:
    
      ==================================================================
      BUG: KASAN: slab-use-after-free in binder_thread_release+0x5d0/0x798
      Write of size 8 at addr ffff000016627500 by task X/715
    
      CPU: 17 UID: 0 PID: 715 Comm: X Not tainted 7.1.0-rc5-00149-g8fde5d1d47f6 #30 PREEMPT
      Hardware name: linux,dummy-virt (DT)
      Call trace:
       binder_thread_release+0x5d0/0x798
       binder_ioctl+0x12c0/0x299c
       [...]
    
      Allocated by task 717 on cpu 18 at 67.267803s:
       __kasan_kmalloc+0xa0/0xbc
       __kmalloc_cache_noprof+0x174/0x444
       binder_transaction+0x554/0x8150
       binder_thread_write+0xa30/0x4354
       binder_ioctl+0x20f0/0x299c
       [...]
    
      Freed by task 202 on cpu 18 at 90.416221s:
       __kasan_slab_free+0x58/0x80
       kfree+0x1a0/0x4a4
       binder_free_transaction+0x150/0x294
       binder_send_failed_reply+0x398/0x6d8
       binder_release_work+0x3e4/0x4ec
       binder_deferred_func+0xbd8/0x104c
       [...]
      ==================================================================
    
    In order to avoid this, make sure that binder_free_transaction() reads
    the t->to_proc under the transaction lock. This will serialize the
    transaction release with the accesses in binder_thread_release(). Plus,
    it matches the documented locking rules for @to_proc.
    
    Cc: stable <[email protected]>
    Fixes: 7a4408c6bd3e ("binder: make sure accesses to proc/thread are safe")
    Reviewed-by: Alice Ryhl <[email protected]>
    Signed-off-by: Carlos Llamas <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
block: add a store_limit operations for sysfs entries [+ + +]
Author: Christoph Hellwig <[email protected]>
Date:   Tue Jul 7 18:37:27 2026 +0300

    block: add a store_limit operations for sysfs entries
    
    [ Upstream commit a16230649ce27f8ac7dd8a5b079d9657aa96de16 ]
    
    De-duplicate the code for updating queue limits by adding a store_limit
    method that allows having common code handle the actual queue limits
    update.
    
    Note that this is a pure refactoring patch and does not address the
    existing freeze vs limits lock order problem in the refactored code,
    which will be addressed next.
    
    [6.12.y-backport note: dropped "iostats_passthrough"
    queue limit parameter from the upstream commit,
    as this parameter does not exist in the 6.12 kernel branch]
    
    Signed-off-by: Christoph Hellwig <[email protected]>
    Reviewed-by: Ming Lei <[email protected]>
    Reviewed-by: Damien Le Moal <[email protected]>
    Reviewed-by: Martin K. Petersen <[email protected]>
    Reviewed-by: Nilay Shroff <[email protected]>
    Reviewed-by: Johannes Thumshirn <[email protected]>
    Reviewed-by: John Garry <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jens Axboe <[email protected]>
    Stable-dep-of: c99f66e4084a ("block: fix queue freeze vs limits lock order in sysfs store methods")
    Signed-off-by: Konstantin Andreev <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

block: fix queue freeze vs limits lock order in sysfs store methods [+ + +]
Author: Christoph Hellwig <[email protected]>
Date:   Tue Jul 7 18:37:28 2026 +0300

    block: fix queue freeze vs limits lock order in sysfs store methods
    
    [ Upstream commit c99f66e4084a62a2cc401c4704a84328aeddc9ec ]
    
    queue_attr_store() always freezes a device queue before calling the
    attribute store operation. For attributes that control queue limits, the
    store operation will also lock the queue limits with a call to
    queue_limits_start_update(). However, some drivers (e.g. SCSI sd) may
    need to issue commands to a device to obtain limit values from the
    hardware with the queue limits locked. This creates a potential ABBA
    deadlock situation if a user attempts to modify a limit (thus freezing
    the device queue) while the device driver starts a revalidation of the
    device queue limits.
    
    Avoid such deadlock by not freezing the queue before calling the
    ->store_limit() method in struct queue_sysfs_entry and instead use the
    queue_limits_commit_update_frozen helper to freeze the queue after taking
    the limits lock.
    
    This also removes taking the sysfs lock for the store_limit method as
    it doesn't protect anything here, but creates even more nesting.
    Hopefully it will go away from the actual sysfs methods entirely soon.
    
    (commit log adapted from a similar patch from  Damien Le Moal)
    
    Fixes: ff956a3be95b ("block: use queue_limits_commit_update in queue_discard_max_store")
    Fixes: 0327ca9d53bf ("block: use queue_limits_commit_update in queue_max_sectors_store")
    Signed-off-by: Christoph Hellwig <[email protected]>
    Reviewed-by: Ming Lei <[email protected]>
    Reviewed-by: Damien Le Moal <[email protected]>
    Reviewed-by: Martin K. Petersen <[email protected]>
    Reviewed-by: Nilay Shroff <[email protected]>
    Reviewed-by: Johannes Thumshirn <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jens Axboe <[email protected]>
    Signed-off-by: Konstantin Andreev <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

block: skip sync_blockdev() on surprise removal in bdev_mark_dead() [+ + +]
Author: Chao Shi <[email protected]>
Date:   Fri May 22 18:00:25 2026 -0400

    block: skip sync_blockdev() on surprise removal in bdev_mark_dead()
    
    commit 49f06cff50a4ccf3b7a1a662ceb892b3b21a527a upstream.
    
    bdev_mark_dead()'s @surprise == true means the device is already gone.
    The filesystem callback fs_bdev_mark_dead() honours this and skips
    sync_filesystem(), but the bare block device path (no ->mark_dead op)
    lost its !surprise guard when the holder ->mark_dead callback was wired
    up (see Fixes), and now calls sync_blockdev() unconditionally, which can
    hang forever waiting on writeback that can no longer complete.
    
    syzkaller hit this via nvme_reset_work()'s "I/O queues lost" path:
    nvme_mark_namespaces_dead() -> blk_mark_disk_dead() ->
    bdev_mark_dead(bdev, true) -> sync_blockdev() blocks in
    folio_wait_writeback(), wedging the reset worker and every task waiting
    on it.
    
    Skip the sync on surprise removal, matching fs_bdev_mark_dead();
    invalidate_bdev() still runs. Orderly removal (surprise == false) is
    unchanged.
    
    Found by FuzzNvme(Syzkaller with FEMU fuzzing framework).
    
    Fixes: d8530de5a6e8 ("block: call into the file system for bdev_mark_dead")
    Acked-by: Sungwoo Kim <[email protected]>
    Acked-by: Dave Tian <[email protected]>
    Acked-by: Weidong Zhu <[email protected]>
    Signed-off-by: Chao Shi <[email protected]>
    Reviewed-by: Christoph Hellwig <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jens Axboe <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
Bluetooth: bnep: pin L2CAP connection during netdev registration [+ + +]
Author: Yousef Alhouseen <[email protected]>
Date:   Sun Jun 28 02:50:58 2026 +0200

    Bluetooth: bnep: pin L2CAP connection during netdev registration
    
    commit bb067a99a0356196c0b89a95721985485ebce5a5 upstream.
    
    bnep_add_connection() reads the L2CAP connection without holding the
    channel lock, then passes its HCI device to register_netdev(). Controller
    teardown can clear and release that connection concurrently, leaving the
    network device registration path to dereference a freed parent device.
    
    Take a reference to the L2CAP connection while holding the channel lock.
    Retain it until register_netdev() has taken the parent device reference.
    
    Fixes: 65f53e9802db ("Bluetooth: Access BNEP session addresses through L2CAP channel")
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=fed5dce4553262f3b35c
    Cc: [email protected]
    Signed-off-by: Yousef Alhouseen <[email protected]>
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Bluetooth: btmtksdio: fix infinite loop in btmtksdio_txrx_work() [+ + +]
Author: Sergey Senozhatsky <[email protected]>
Date:   Tue Jun 9 21:10:06 2026 +0900

    Bluetooth: btmtksdio: fix infinite loop in btmtksdio_txrx_work()
    
    commit a257407e2bbbb099ed427719a50563f67fa366d8 upstream.
    
    Every once in a while we see a hung btmtksdio_flush() task:
    
     INFO: task kworker/u17:0:189 blocked for more than 122 seconds.
     __cancel_work_timer+0x3f4/0x460
     cancel_work_sync+0x1c/0x2c
     btmtksdio_flush+0x2c/0x40
     hci_dev_open_sync+0x10c4/0x2190
     [..]
    
    It all boils down to incorrect time_is_before_jiffies() usage in
    btmtksdio_txrx_work().  The btmtksdio_txrx_work() loop is expected
    to be terminated if running for longer than 5*HZ.  However the
    timeout check is twisted:  time_is_before_jiffies(old_jiffies + 5*HZ)
    evaluates to true when old_jiffies + 5*HZ is in the past i.e. when a
    timeout has occurred.  Using OR with time_is_before_jiffies(txrx_timeout)
    means that:
    - before the 5-second timeout: the condition is `int_status || false`,
      so it loops as long as there are pending interrupts.
    - after the 5-second timeout: the condition becomes `int_status || true`,
      which is always true.
    
    When the loop becomes infinite btmtksdio_txrx_work() loop never
    terminates and never releases the SDIO host.
    
    Fix loop termination condition to actually enforce a 5*HZ timeout.
    
    Fixes: 26270bc189ea4 ("Bluetooth: btmtksdio: move interrupt service to work")
    Cc: [email protected]
    Signed-off-by: Sergey Senozhatsky <[email protected]>
    Reviewed-by: Sean Wang <[email protected]>
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Bluetooth: btnxpuart: Fix out-of-bounds firmware read in nxp_recv_fw_req_v3() [+ + +]
Author: Maoyi Xie <[email protected]>
Date:   Wed Jun 17 16:36:52 2026 +0800

    Bluetooth: btnxpuart: Fix out-of-bounds firmware read in nxp_recv_fw_req_v3()
    
    commit badff6c3bed8923a1257a853f137d447976eec30 upstream.
    
    During the v3 firmware download the controller sends a v3_data_req with a
    32 bit offset and a 16 bit len. nxp_recv_fw_req_v3() checks only the lower
    bound of the offset and then sends firmware from that offset.
    
      nxpdev->fw_dnld_v3_offset = offset - nxpdev->fw_v3_offset_correction;
      serdev_device_write_buf(nxpdev->serdev, nxpdev->fw->data +
                              nxpdev->fw_dnld_v3_offset, len);
    
    Nothing checks that fw_dnld_v3_offset + len stays within nxpdev->fw->size,
    so a controller that asks for an offset or length past the firmware image
    makes the driver read past the end of nxpdev->fw->data and send that
    memory back over UART.
    
    nxp_recv_fw_req_v1() already bounds the same write. Add the equivalent
    check to the v3 path, reject the request when it falls outside the firmware
    image, and zero len on the error path so the fw_v3_prev_sent bookkeeping at
    free_skb stays consistent.
    
    Fixes: 689ca16e5232 ("Bluetooth: NXP: Add protocol support for NXP Bluetooth chipsets")
    Suggested-by: Neeraj Sanjay Kale <[email protected]>
    Reviewed-by: Neeraj Sanjay Kale <[email protected]>
    Cc: [email protected]
    Signed-off-by: Maoyi Xie <[email protected]>
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Bluetooth: btusb: Add USB ID 2c4e:0128 for Mercusys MA60XNB [+ + +]
Author: Zenm Chen <[email protected]>
Date:   Tue May 26 00:19:42 2026 +0800

    Bluetooth: btusb: Add USB ID 2c4e:0128 for Mercusys MA60XNB
    
    commit 88b4d528eda4ac71c2952b3458f2abbc80a91cd2 upstream.
    
    Add USB ID 2c4e:0128 for Mercusys MA60XNB, an RTL8851BU-based
    Wi-Fi + Bluetooth adapter.
    
    The information in /sys/kernel/debug/usb/devices about the Bluetooth
    device is listed as the below:
    
    T:  Bus=03 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#=  3 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=2c4e ProdID=0128 Rev= 0.00
    S:  Manufacturer=Realtek
    S:  Product=802.11ax WLAN Adapter
    S:  SerialNumber=00e04c000001
    C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=500mA
    A:  FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01
    I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
    E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
    I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
    E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
    I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
    E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
    I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
    E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
    I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
    E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
    I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
    E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
    I:  If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=03(O) Atr=01(Isoc) MxPS=  63 Ivl=1ms
    E:  Ad=83(I) Atr=01(Isoc) MxPS=  63 Ivl=1ms
    I:* If#= 2 Alt= 0 #EPs= 8 Cls=ff(vend.) Sub=ff Prot=ff Driver=rtw89_8851bu
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Cc: [email protected] # 6.6.x
    Signed-off-by: Zenm Chen <[email protected]>
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Bluetooth: btusb: fix use-after-free on marvell probe failure [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Thu Jun 4 08:37:37 2026 +0200

    Bluetooth: btusb: fix use-after-free on marvell probe failure
    
    commit c5b600a3c05b1a7a110d558df935a8fc8a471c79 upstream.
    
    Make sure to stop any TX URBs submitted during Marvell OOB wakeup
    configuration on later probe failures to avoid use-after-free in the
    completion callback.
    
    This issue was reported by Sashiko while reviewing a fix for a wakeup
    source leak in the btusb probe errors paths.
    
    Link: https://sashiko.dev/#/patchset/20260402092704.2346710-1-johan%40kernel.org
    Fixes: a4ccc9e33d2f ("Bluetooth: btusb: Configure Marvell to use one of the pins for oob wakeup")
    Cc: [email protected]      # 4.11
    Cc: Rajat Jain <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Bluetooth: btusb: fix use-after-free on registration failure [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Thu Jun 4 08:37:36 2026 +0200

    Bluetooth: btusb: fix use-after-free on registration failure
    
    commit eedc6867ebad73edbfaf9a0a65fbef7115cc4753 upstream.
    
    Make sure to release the sibling interfaces in case controller
    registration fails to avoid use-after-free and double-free when they are
    eventually disconnected.
    
    This issue was reported by Sashiko while reviewing a fix for a wakeup
    source leak in the btusb probe errors paths.
    
    Link: https://sashiko.dev/#/patchset/20260402092704.2346710-1-johan%40kernel.org
    Fixes: 9bfa35fe422c ("[Bluetooth] Add SCO support to btusb driver")
    Fixes: 9d08f50401ac ("Bluetooth: btusb: Add support for Broadcom LM_DIAG interface")
    Cc: [email protected]      # 2.6.27
    Reviewed-by: Paul Menzel <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Bluetooth: btusb: fix wakeup source leak on probe failure [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Thu Jun 4 08:37:38 2026 +0200

    Bluetooth: btusb: fix wakeup source leak on probe failure
    
    commit 3d93e1bb0fb881fe3ef961d1120556658e9cac4d upstream.
    
    Make sure to disable wakeup on probe failure to avoid leaking the wakeup
    source.
    
    Fixes: fd913ef7ce61 ("Bluetooth: btusb: Add out-of-band wakeup support")
    Cc: [email protected]      # 4.11
    Cc: Rajat Jain <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Bluetooth: fix UAF in bt_accept_dequeue() [+ + +]
Author: Yousef Alhouseen <[email protected]>
Date:   Sun Jun 28 02:23:05 2026 +0200

    Bluetooth: fix UAF in bt_accept_dequeue()
    
    commit 4bd0b274054f2679f28b70222b607bb0afc3ab9a upstream.
    
    bt_accept_get() takes a temporary reference before dropping the accept
    queue lock. bt_accept_dequeue() currently drops that reference before
    bt_accept_unlink(), leaving only the queue reference.
    
    bt_accept_unlink() drops the queue reference. The subsequent
    sock_hold() therefore accesses freed memory if it was the final
    reference, as observed by KASAN during listening L2CAP socket cleanup.
    
    Retain the temporary queue-walk reference through unlink and hand it to
    the caller on success. Drop it explicitly on the closed and
    not-yet-connected paths.
    
    Fixes: ab1513597c6c ("Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()")
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=674ff7e4d7fdfd572afc
    Cc: [email protected]
    Signed-off-by: Yousef Alhouseen <[email protected]>
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Bluetooth: hci_uart: clear HCI_UART_SENDING when write_work is canceled [+ + +]
Author: Pauli Virtanen <[email protected]>
Date:   Sat Jun 13 21:43:37 2026 +0300

    Bluetooth: hci_uart: clear HCI_UART_SENDING when write_work is canceled
    
    commit 1b0d946d6f08bd39211385bc703a440911b41e46 upstream.
    
    HCI_UART_SENDING bit in tx_state means write_work is pending and blocks
    queueing it again.  Currently this bit is not cleared when canceling the
    work in hci_uart_close(), which blocks future writes when device is
    reopened later if write_work was pending.
    
    Fix by clearing HCI_UART_SENDING when canceling the work.
    
    Also make clearing of tx_skb safe by using disable_work_sync +
    enable_work instead of just cancel_work_sync.  hci_uart_flush() purges
    the proto tx queue so we can cancel the pending write_work there,
    instead of doing it just in hci_uart_close().  Re-enable and possibly
    requeue the work after queue flush.
    
    Fixes: c1bb9336ae6b ("Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths")
    Link: https://lore.kernel.org/linux-bluetooth/[email protected]/
    Cc: [email protected]
    Signed-off-by: Pauli Virtanen <[email protected]>
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Bluetooth: ISO: avoid NULL deref of conn in iso_conn_big_sync() [+ + +]
Author: Muhammad Bilal <[email protected]>
Date:   Sun Jun 21 21:23:05 2026 +0500

    Bluetooth: ISO: avoid NULL deref of conn in iso_conn_big_sync()
    
    commit d5541eb148da72d5e0a1bca8ecd171f9fc8b366f upstream.
    
    iso_conn_big_sync() drops the socket lock to call hci_get_route() and
    then re-acquires it, but dereferences iso_pi(sk)->conn->hcon afterwards
    without re-checking that conn is still valid.
    
    While the lock is dropped, the connection can be torn down under the
    same socket lock: iso_disconn_cfm() -> iso_conn_del() -> iso_chan_del()
    sets iso_pi(sk)->conn to NULL (and the broadcast teardown path can also
    clear conn->hcon on its own). When iso_conn_big_sync() re-acquires the
    lock and reads conn->hcon, conn may be NULL, causing a NULL pointer
    dereference (hcon is the first member of struct iso_conn).
    
    This path is reached from iso_sock_recvmsg() for a PA-sync broadcast
    sink socket (BT_SK_DEFER_SETUP | BT_SK_PA_SYNC), so the dropped-lock
    window can race with connection teardown driven by controller events.
    
    Re-validate iso_pi(sk)->conn and its hcon after re-acquiring the socket
    lock and bail out if the connection went away, as already done in the
    sibling iso_sock_rebind_bc().
    
    Fixes: 7a17308c17880d ("Bluetooth: iso: Fix circular lock in iso_conn_big_sync")
    Cc: [email protected]
    Signed-off-by: Muhammad Bilal <[email protected]>
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Bluetooth: L2CAP: validate option length before reading conf opt value [+ + +]
Author: Muhammad Bilal <[email protected]>
Date:   Sun Jun 21 00:56:35 2026 +0500

    Bluetooth: L2CAP: validate option length before reading conf opt value
    
    commit 687617555cedfb74c9e3cb85d759b908dcb17856 upstream.
    
    l2cap_get_conf_opt() derives the option length from the
    attacker-controlled opt->len field and immediately dereferences
    opt->val (as u8, get_unaligned_le16() or get_unaligned_le32(), or a
    raw pointer for the default case) before any caller has confirmed
    that opt->len bytes are present in the buffer. The callers
    (l2cap_parse_conf_req(), l2cap_parse_conf_rsp() and
    l2cap_conf_rfc_get()) only detect a malformed option afterwards, once
    the running length has gone negative, by which point the
    out-of-bounds read has already executed.
    
    An existing post-hoc length check keeps the garbage value from being
    consumed, so this is not a data leak in the current control flow. It
    is still a validate-after-use ordering bug: up to 4 bytes are read
    past the end of the buffer before it is known to contain them, and it
    is fragile to future changes in the callers.
    
    Fix it at the source. Pass the end of the buffer into
    l2cap_get_conf_opt() and refuse to touch opt->val unless the full
    option (header + value) fits. Each caller computes an end pointer
    once before the loop and checks the return value directly instead of
    inferring the error from a negative length.
    
    Fixes: 7c9cbd0b5e38 ("Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer")
    Cc: [email protected]
    Signed-off-by: Muhammad Bilal <[email protected]>
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Bluetooth: MGMT: Fix UAF of hci_conn_params in add_device_complete [+ + +]
Author: Samuel Page <[email protected]>
Date:   Mon Jun 15 16:09:22 2026 +0100

    Bluetooth: MGMT: Fix UAF of hci_conn_params in add_device_complete
    
    commit fa85d985f614bc3feb343000f14a1072e99b0df1 upstream.
    
    add_device_complete() runs from the hci_cmd_sync_work kworker, which
    holds only hci_req_sync_lock and *not* hci_dev_lock.  It calls
    hci_conn_params_lookup() and then dereferences the returned object
    (params->flags) without taking hci_dev_lock:
    
            params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
                                            le_addr_type(cp->addr.type));
            ...
            device_flags_changed(NULL, hdev, &cp->addr.bdaddr,
                                 cp->addr.type, hdev->conn_flags,
                                 params ? params->flags : 0);
    
    hci_conn_params_lookup() walks hdev->le_conn_params and is documented to
    require hdev->lock.  A concurrent MGMT_OP_REMOVE_DEVICE
    (remove_device()), which does run under hci_dev_lock, can call
    hci_conn_params_free() to list_del() and kfree() the very object the
    lookup returned, so the subsequent params->flags read touches freed
    memory [0].
    
    Hold hci_dev_lock() across the hci_conn_params_lookup() and the read of
    params->flags (and the matching event emission) so the lookup result
    cannot be freed by a concurrent remove_device() before it is used,
    honouring the locking contract of hci_conn_params_lookup().
    
    [0]: (trailing page/memory-state dump trimmed)
    BUG: KASAN: slab-use-after-free in add_device_complete+0x358/0x3d8 net/bluetooth/mgmt.c:7671
    Read of size 1 at addr ffff000017ab26c1 by task kworker/u9:8/388
    
    CPU: 1 UID: 0 PID: 388 Comm: kworker/u9:8 Not tainted 7.0.11 #20 PREEMPT
    Hardware name: linux,dummy-virt (DT)
    Workqueue: hci0 hci_cmd_sync_work
    Call trace:
     show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
     __dump_stack lib/dump_stack.c:94 [inline]
     dump_stack_lvl+0xb4/0xd4 lib/dump_stack.c:120
     print_address_description mm/kasan/report.c:378 [inline]
     print_report+0x118/0x5d8 mm/kasan/report.c:482
     kasan_report+0xb0/0xf4 mm/kasan/report.c:595
     __asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378
     add_device_complete+0x358/0x3d8 net/bluetooth/mgmt.c:7671
     hci_cmd_sync_work+0x14c/0x240 net/bluetooth/hci_sync.c:334
     process_one_work+0x628/0xd38 kernel/workqueue.c:3289
     process_scheduled_works kernel/workqueue.c:3372 [inline]
     worker_thread+0x7a8/0xac0 kernel/workqueue.c:3453
     kthread+0x39c/0x444 kernel/kthread.c:436
     ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
    
    Allocated by task 3401:
     kasan_save_stack+0x3c/0x64 mm/kasan/common.c:57
     kasan_save_track+0x20/0x3c mm/kasan/common.c:78
     kasan_save_alloc_info+0x40/0x54 mm/kasan/generic.c:570
     poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
     __kasan_kmalloc+0xd4/0xd8 mm/kasan/common.c:415
     kasan_kmalloc include/linux/kasan.h:263 [inline]
     __kmalloc_cache_noprof+0x1b0/0x458 mm/slub.c:5385
     kmalloc_noprof include/linux/slab.h:950 [inline]
     kzalloc_noprof include/linux/slab.h:1188 [inline]
     hci_conn_params_add+0x10c/0x4b0 net/bluetooth/hci_core.c:2279
     hci_conn_params_set net/bluetooth/mgmt.c:5162 [inline]
     add_device+0x5b4/0xa54 net/bluetooth/mgmt.c:7755
     hci_mgmt_cmd net/bluetooth/hci_sock.c:1721 [inline]
     hci_sock_sendmsg+0x10b4/0x1dd0 net/bluetooth/hci_sock.c:1841
     sock_sendmsg_nosec net/socket.c:727 [inline]
     __sock_sendmsg+0xe0/0x128 net/socket.c:742
     sock_write_iter+0x250/0x390 net/socket.c:1195
     new_sync_write fs/read_write.c:595 [inline]
     vfs_write+0x66c/0xab0 fs/read_write.c:688
     ksys_write+0x1fc/0x24c fs/read_write.c:740
     __do_sys_write fs/read_write.c:751 [inline]
     __se_sys_write fs/read_write.c:748 [inline]
     __arm64_sys_write+0x70/0xa4 fs/read_write.c:748
     __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
     invoke_syscall+0x84/0x2a8 arch/arm64/kernel/syscall.c:49
     el0_svc_common.constprop.0+0xe4/0x294 arch/arm64/kernel/syscall.c:132
     do_el0_svc+0x44/0x5c arch/arm64/kernel/syscall.c:151
     el0_svc+0x38/0xac arch/arm64/kernel/entry-common.c:724
     el0t_64_sync_handler+0xa0/0xe4 arch/arm64/kernel/entry-common.c:743
     el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
    
    Freed by task 3740:
     kasan_save_stack+0x3c/0x64 mm/kasan/common.c:57
     kasan_save_track+0x20/0x3c mm/kasan/common.c:78
     kasan_save_free_info+0x4c/0x74 mm/kasan/generic.c:584
     poison_slab_object mm/kasan/common.c:253 [inline]
     __kasan_slab_free+0x88/0xb8 mm/kasan/common.c:285
     kasan_slab_free include/linux/kasan.h:235 [inline]
     slab_free_hook mm/slub.c:2685 [inline]
     slab_free mm/slub.c:6170 [inline]
     kfree+0x14c/0x458 mm/slub.c:6488
     hci_conn_params_free+0x288/0x484 net/bluetooth/hci_core.c:2312
     remove_device+0x4b0/0x968 net/bluetooth/mgmt.c:7919
     hci_mgmt_cmd net/bluetooth/hci_sock.c:1721 [inline]
     hci_sock_sendmsg+0x10b4/0x1dd0 net/bluetooth/hci_sock.c:1841
     sock_sendmsg_nosec net/socket.c:727 [inline]
     __sock_sendmsg+0xe0/0x128 net/socket.c:742
     sock_write_iter+0x250/0x390 net/socket.c:1195
     new_sync_write fs/read_write.c:595 [inline]
     vfs_write+0x66c/0xab0 fs/read_write.c:688
     ksys_write+0x1fc/0x24c fs/read_write.c:740
     __do_sys_write fs/read_write.c:751 [inline]
     __se_sys_write fs/read_write.c:748 [inline]
     __arm64_sys_write+0x70/0xa4 fs/read_write.c:748
     __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
     invoke_syscall+0x84/0x2a8 arch/arm64/kernel/syscall.c:49
     el0_svc_common.constprop.0+0xe4/0x294 arch/arm64/kernel/syscall.c:132
     do_el0_svc+0x44/0x5c arch/arm64/kernel/syscall.c:151
     el0_svc+0x38/0xac arch/arm64/kernel/entry-common.c:724
     el0t_64_sync_handler+0xa0/0xe4 arch/arm64/kernel/entry-common.c:743
     el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
    
    Fixes: 1e2e3044c1bc ("Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags")
    Cc: [email protected]
    Assisted-by: Bynario AI
    Signed-off-by: Samuel Page <[email protected]>
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
bonding: fix xfrm offload feature setup on active-backup mode [+ + +]
Author: Hangbin Liu <[email protected]>
Date:   Thu Sep 25 02:33:03 2025 +0000

    bonding: fix xfrm offload feature setup on active-backup mode
    
    [ Upstream commit 5b66169f6be4847008c0aea50885ff0632151479 ]
    
    The active-backup bonding mode supports XFRM ESP offload. However, when
    a bond is added using command like `ip link add bond0 type bond mode 1
    miimon 100`, the `ethtool -k` command shows that the XFRM ESP offload is
    disabled. This occurs because, in bond_newlink(), we change bond link
    first and register bond device later. So the XFRM feature update in
    bond_option_mode_set() is not called as the bond device is not yet
    registered, leading to the offload feature not being set successfully.
    
    To resolve this issue, we can modify the code order in bond_newlink() to
    ensure that the bond device is registered first before changing the bond
    link parameters. This change will allow the XFRM ESP offload feature to be
    correctly enabled.
    
    Fixes: 007ab5345545 ("bonding: fix feature flag setting at init time")
    Signed-off-by: Hangbin Liu <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
bpf, arm64: Reject out-of-range B.cond targets [+ + +]
Author: Daniel Borkmann <[email protected]>
Date:   Thu Jul 2 16:07:56 2026 +0800

    bpf, arm64: Reject out-of-range B.cond targets
    
    commit 48d83d94930eb4db4c93d2de44838b9455cff626 upstream.
    
    aarch64_insn_gen_cond_branch_imm() calls label_imm_common() to
    compute a 19-bit signed byte offset for a conditional branch,
    but unlike its siblings aarch64_insn_gen_branch_imm() and
    aarch64_insn_gen_comp_branch_imm(), it does not check whether
    label_imm_common() returned its out-of-range sentinel (range)
    before feeding the value to aarch64_insn_encode_immediate().
    
    aarch64_insn_encode_immediate() unconditionally masks the value
    with the 19-bit field mask, so an offset that was rejected by
    label_imm_common() gets silently truncated. With the sentinel
    value SZ_1M, the resulting field ends up with bit 18 (the sign
    bit of the 19-bit signed displacement) set, and the CPU decodes
    it as a ~1 MiB *backward* branch, producing an incorrectly
    targeted B.cond instruction. For code-gen locations like the
    emit_bpf_tail_call() this function is the only barrier between
    an overflowing displacement and a silently miscompiled branch.
    
    Fix it by returning AARCH64_BREAK_FAULT when the offset is out
    of range, so callers see a loud failure instead of a silently
    misencoded branch. validate_code() scans the generated image
    for any AARCH64_BREAK_FAULT and then lets the JIT fail.
    
    Fixes: 345e0d35ecdd ("arm64: introduce aarch64_insn_gen_cond_branch_imm()")
    Fixes: c94ae4f7c5ec ("arm64: insn: remove BUG_ON from codegen")
    Signed-off-by: Daniel Borkmann <[email protected]>
    Reviewed-by: Puranjay Mohan <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Alexei Starovoitov <[email protected]>
    Signed-off-by: Shung-Hsi Yu <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
 
bpf: Reject fragmented frames in devmap [+ + +]
Author: Zhao Zhang <[email protected]>
Date:   Tue Jun 2 16:43:33 2026 +0800

    bpf: Reject fragmented frames in devmap
    
    commit aa496720618f1a6054f1c870bf10b4f6c99bf656 upstream.
    
    Devmap broadcast redirects clone the packet for all but the last
    destination.
    
    For native XDP, that clone path copies only the linear xdp_frame data,
    while fragmented frames keep skb_shared_info in tailroom outside the
    linear area. Cloning such a frame leaves XDP_FLAGS_HAS_FRAGS set but
    without valid frag metadata, and the later free path can interpret
    uninitialized tail data as skb_shared_info, leading to an out-of-bounds
    access during frame return.
    
    Reject fragmented native XDP frames in dev_map_enqueue_clone().
    
    Add the same restriction to the generic XDP clone path in
    dev_map_redirect_clone(). Generic XDP represents fragmented packets as
    nonlinear skbs, and rejecting them here keeps clone-based broadcast
    support aligned between native and generic XDP.
    
    Fixes: e624d4ed4aa8 ("xdp: Extend xdp_redirect_map with broadcast support")
    Cc: [email protected]
    Reported-by: Yuan Tan <[email protected]>
    Reported-by: Zhengchuan Liang <[email protected]>
    Reported-by: Xin Liu <[email protected]>
    Assisted-by: Codex:GPT-5.4
    Signed-off-by: Zhao Zhang <[email protected]>
    Signed-off-by: Ren Wei <[email protected]>
    Reviewed-by: Emil Tsalapatis <[email protected]>
    Reviewed-by: Toke Høiland-Jørgensen <[email protected]>
    Link: https://lore.kernel.org/r/21c2d153dd25603d359069a02bf06779b51f6423.1780385378.git.zzhan461@ucr.edu
    Signed-off-by: Alexei Starovoitov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

bpf: Restore sysctl new-value from 1 to 0 [+ + +]
Author: Dawei Feng <[email protected]>
Date:   Wed Jun 3 18:53:17 2026 +0800

    bpf: Restore sysctl new-value from 1 to 0
    
    commit 2566c3b24219c5b30e35205cba029ff34ff7c78b upstream.
    
    Commit 4e63acdff864 ("bpf: Introduce bpf_sysctl_{get,set}_new_value
    helpers") changed the success return value to 0, but failed to update the
    corresponding check in __cgroup_bpf_run_filter_sysctl(). Since
    bpf_prog_run_array_cg() now returns 0 on success, the legacy ret == 1
    condition is never satisfied. As a result, the modified value is ignored,
    and bpf_sysctl_set_new_value() fails to replace the write buffer.
    
    Fix this by checking for a return value of 0 instead, so cgroup/sysctl
    programs can correctly replace the pending sysctl buffer.
    
    This bug was discovered during a manual code review. Tested via a
    cgroup/sysctl BPF reproducer overriding writes to a target sysctl.
    Pre-fix, bpf_sysctl_set_new_value("foo") was silently ignored: the write
    returned 8192 and the value remained "600". Post-fix, the BPF replacement
    buffer properly propagates: the write returns 3 and the value updates to
    "foo".
    
    Fixes: f10d05966196 ("bpf: Make BPF_PROG_RUN_ARRAY return -err instead of allow boolean")
    Cc: [email protected]
    
    Acked-by: Yonghong Song <[email protected]>
    Signed-off-by: Zilin Guan <[email protected]>
    Signed-off-by: Dawei Feng <[email protected]>
    Reviewed-by: Jiayuan Chen <[email protected]>
    Acked-by: Xu Kuohai <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Alexei Starovoitov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

bpf: Validate BTF repeated field counts before expansion [+ + +]
Author: Paul Moses <[email protected]>
Date:   Fri Jun 5 23:43:09 2026 +0000

    bpf: Validate BTF repeated field counts before expansion
    
    commit b9452b594fd3aecbfd4aa0a6a1f741330a37dab7 upstream.
    
    btf_parse_struct_metas() walks user-supplied BTF during BPF_BTF_LOAD,
    and btf_repeat_fields() expands repeatable fields from array elements
    into the fixed BTF_FIELDS_MAX scratch array used by btf_parse_fields().
    
    The remaining-capacity check performs the expanded field count calculation
    in u32. A malformed BTF can wrap that calculation, causing the check to
    pass even when the expanded field count exceeds the scratch array
    capacity. The following memcpy() can then write past the end of the
    array.
    
    Use checked addition and multiplication before copying repeated fields
    and reject impossible counts.
    
    Fixes: 797d73ee232d ("bpf: Check the remaining info_cnt before repeating btf fields")
    Cc: [email protected]
    Signed-off-by: Paul Moses <[email protected]>
    Acked-by: Eduard Zingerman <[email protected]>
    Link: https://lore.kernel.org/bpf/[email protected]
    Signed-off-by: Kumar Kartikeya Dwivedi <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
btrfs: do not trim a device which is not writeable [+ + +]
Author: Qu Wenruo <[email protected]>
Date:   Tue Jun 2 13:34:46 2026 +0930

    btrfs: do not trim a device which is not writeable
    
    commit 1b1937eb08f51319bf71575484cde2b8c517aedc upstream.
    
    [BUG]
    There is a bug report that btrfs/242 can randomly fail with the
    following NULL pointer dereference:
    
      run fstests btrfs/242 at 2026-06-01 10:25:08
      BTRFS: device fsid d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 9 /dev/sdc (8:32) scanned by mount (122609)
      BTRFS info (device sdc): first mount of filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
      BTRFS info (device sdc): using crc32c checksum algorithm
      BTRFS warning (device sdc): devid 2 uuid fbe72d72-3272-482d-80fb-ab88ed398192 is missing
      BTRFS warning (device sdc): devid 2 uuid fbe72d72-3272-482d-80fb-ab88ed398192 is missing
      BTRFS info (device sdc): allowing degraded mounts
      BTRFS info (device sdc): turning on async discard
      BTRFS info (device sdc): enabling free space tree
      Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
      user pgtable: 4k pages, 48-bit VAs, pgdp=000000013fd6b000
      CPU: 4 UID: 0 PID: 122625 Comm: fstrim Not tainted 7.0.10-2-default #1 PREEMPT(full) openSUSE Tumbleweed e9a5f6b24978fba3bf015a992f865837fdfff3dd
      Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250812-19.fc42 08/12/2025
      pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
      pc : btrfs_trim_fs+0x34c/0xa00 [btrfs]
      lr : btrfs_trim_fs+0x1f0/0xa00 [btrfs]
      Call trace:
       btrfs_trim_fs+0x34c/0xa00 [btrfs f02c1d570ceea621c69d302ba75dd61868083840] (P)
       btrfs_ioctl_fitrim+0xe8/0x178 [btrfs f02c1d570ceea621c69d302ba75dd61868083840]
       btrfs_ioctl+0xdd4/0x2bd8 [btrfs f02c1d570ceea621c69d302ba75dd61868083840]
       __arm64_sys_ioctl+0xac/0x108
       invoke_syscall.constprop.0+0x5c/0xd0
       el0_svc_common.constprop.0+0x40/0xf0
       do_el0_svc+0x24/0x40
       el0_svc+0x40/0x1d0
       el0t_64_sync_handler+0xa0/0xe8
       el0t_64_sync+0x1b0/0x1b8
      Code: 17ffff83 f94017e0 f9002be0 f9402ea0 (f9400c00)
      ---[ end trace 0000000000000000  ]---
    
    Also the reporter is very kind to test the following ASSERT() added to
    btrfs_trim_free_extents_throttle():
    
            ASSERT(device->bdev,
                   "devid=%llu path=%s dev_state=0x%lx\n",
                   device->devid, btrfs_dev_name(device), device->dev_state);
    
    And it shows the following output:
    
      assertion failed: device->bdev, in extent-tree.c:6630 (devid=2 path=/dev/sdd dev_state=0x82)
    
    Which means the device->bdev is NULL, and the dev_state is
    BTRFS_DEV_STATE_IN_FS_METADATA | BTRFS_DEV_STATE_ITEM_FOUND, without
    BTRFS_DEV_STATE_WRITEABLE flag set.
    
    [CAUSE]
    The pc points to the following call chain:
    
      btrfs_trim_fs()
      |- btrfs_trim_free_extents()
         |- btrfs_trim_free_extents_throttle()
            |- bdev_max_discard_sectors(device->bdev)
    
    So the NULL pointer dereference is caused by device->bdev being NULL.
    
    This looks impossible by a quick glance, as just before calling
    btrfs_trim_free_extents_throttle(), we have skipped any device that has
    BTRFS_DEV_STATE_MISSING flag set.
    
    However in this particular case, there is a window where the missing
    device is later re-scanned, causing btrfs to remove the
    BTRFS_DEV_STATE_MISSING flag:
    
      btrfs_control_ioctl()
      |- btrfs_scan_one_device()
         |- device_list_add()
            |- rcu_assign_pointer(device->name, name);
            |  This updates the missing device's path to the new good path.
            |
            |- clear_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state)
               This removes the BTRFS_DEV_STATE_MISSING flag.
    
    This allows the missing device to re-appear and clear the
    BTRFS_DEV_STATE_MISSING flag.  However the device still does not have
    the BTRFS_DEV_STATE_WRITEABLE flag set, nor is its bdev pointer updated.
    
    The bdev pointer remains NULL, triggering the crash later.
    
    [FIX]
    This is a big de-synchronization between BTRFS_DEV_STATE_MISSING and
    device->bdev pointer, and shows a gap in btrfs's re-appearing-device
    handling.
    
    The proper handling of re-appearing device will need quite some extra
    work, which is out of the context of this small fix.
    
    Thankfully the regular bbio submission path has already handled it well
    by checking if the device->bdev is NULL before submitting.
    
    So here we just fix the crash by checking if the device is writeable and
    has a bdev pointer before calling bdev_max_discard_sectors().
    
    Reported-by: Su Yue <[email protected]>
    Link: https://lore.kernel.org/linux-btrfs/[email protected]/
    Fixes: 499f377f49f0 ("btrfs: iterate over unused chunk space in FITRIM")
    CC: [email protected] # 5.10+
    Reviewed-by: Filipe Manana <[email protected]>
    Signed-off-by: Qu Wenruo <[email protected]>
    Signed-off-by: David Sterba <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
clocksource/drivers/timer-tegra186: Fix support for multiple watchdog instances [+ + +]
Author: Kartik Rajput <[email protected]>
Date:   Thu May 7 21:15:54 2026 +0530

    clocksource/drivers/timer-tegra186: Fix support for multiple watchdog instances
    
    commit ca57bf46e7a94f8c53d05c376df9fcfdcb482100 upstream.
    
    Tegra SoCs support multiple watchdogs; currently only one (WDT0) is
    used. When multiple watchdogs are registered, tegra186_wdt_enable()
    overwrites the TKEIE(x) register, discarding any existing watchdog
    interrupt enable bits. As a result, enabling one watchdog inadvertently
    disables interrupts for the others.
    
    Fix this by preserving the existing TKEIE(x) value and updating it
    using a read-modify-write sequence.
    
    Fixes: 42cee19a9f83 ("clocksource: Add Tegra186 timers support")
    Cc: [email protected]
    Signed-off-by: Kartik Rajput <[email protected]>
    Signed-off-by: Daniel Lezcano <[email protected]>
    Reviewed-by: Jon Hunter <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
coresight: etb10: restore atomic_t for shared reading state [+ + +]
Author: Runyu Xiao <[email protected]>
Date:   Fri May 29 00:52:01 2026 +0800

    coresight: etb10: restore atomic_t for shared reading state
    
    commit fa09f08ede3db3050ae16ae1ed92c902d0cada23 upstream.
    
    The etb10 miscdevice uses drvdata->reading as a shared exclusivity gate
    for userspace buffer access. etb_open() claims that gate with
    local_cmpxchg(), and etb_release() clears it with local_set().
    
    That gate is shared per-device state rather than CPU-local state. A
    running system can reach it whenever /dev/<etb> is opened, closed, and
    reopened by different tasks while the device remains registered, so the
    same drvdata->reading variable may be claimed on one CPU and later
    cleared on another.
    
    This code used to use atomic_t for the same gate, but commit
    27b10da8fff2 ("coresight: etb10: moving to local atomic operations")
    changed it to local_t even though the access pattern remained cross-task
    and cross-CPU. Restore atomic_t together with atomic_cmpxchg() and
    atomic_set() so the exclusivity gate again uses a primitive intended
    for shared state.
    
    The issue was found on Linux v6.18.21 by our static analysis tool while
    scanning surviving local_t-on-shared-state sites, and then manually
    reviewed against the live etb10 file-op path.
    
    It was runtime-validated with a reproducible QEMU no-device KCSAN PoC
    that kept the same report-local contract:
    
      1. use one shared struct etb_drvdata carrier and its
         drvdata->reading gate;
      2. call etb_open() and etb_release() sequentially on that gate to
         confirm the original claim/clear path;
      3. bind the open side to CPU0 and the release side to CPU1 for the
         same gate to show cross-CPU ownership;
      4. run bound workers that repeatedly race etb_open() and
         etb_release() on the same gate until KCSAN reports a target hit.
    
    The harness recorded:
    
      L1 passed open=1 release=1
      reading_after_open=1 reading_after_release=0
      L2 passed open_cpu=0 release_cpu=1
      cross_cpu_release=1 reading_after=0 open_ret=0
    
    Representative KCSAN excerpt from the no-device validation run:
    
      BUG: KCSAN: data-race in etb_open.constprop.0.isra.0 [vuln_msv]
    
      write to 0xffffffffc0003810 of 4 bytes by task 216 on cpu 1:
       etb_open.constprop.0.isra.0+0x38/0x80 [vuln_msv]
       l3_worker_thread_fn+0x4f/0xf0 [vuln_msv]
       kthread+0x17e/0x1c0
       ret_from_fork+0x22/0x30
    
      read to 0xffffffffc0003810 of 4 bytes by task 215 on cpu 0:
       etb_open.constprop.0.isra.0+0x18/0x80 [vuln_msv]
       l3_worker_thread_fn+0x4f/0xf0 [vuln_msv]
       kthread+0x17e/0x1c0
       ret_from_fork+0x22/0x30
    
      value changed: 0x00000000 -> 0x00000001
    
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 215 Comm: etb10_l3_a Tainted: G           O       6.1.66 #2
    
    This no-device harness is not a real ETB10 hardware end-to-end run, but
    it preserves the same shared drvdata->reading gate and the same
    etb_open()/etb_release() claim/clear contract. No real ETB10 hardware
    was available for runtime testing.
    
    Build-tested with:
      make olddefconfig
      make -j"$(nproc)" drivers/hwtracing/coresight/coresight-etb10.o
    
    Fixes: 27b10da8fff2 ("coresight: etb10: moving to local atomic operations")
    Cc: [email protected]
    Signed-off-by: Runyu Xiao <[email protected]>
    Reviewed-by: James Clark <[email protected]>
    Signed-off-by: Suzuki K Poulose <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

coresight: ultrasoc-smb: Fix OOB write in smb_sync_perf_buffer() [+ + +]
Author: Junrui Luo <[email protected]>
Date:   Thu Jun 4 15:34:25 2026 +0800

    coresight: ultrasoc-smb: Fix OOB write in smb_sync_perf_buffer()
    
    commit 98495b5a4d77dd22e106f462b76e1093a55b29a7 upstream.
    
    When the SMB sink is used as a perf AUX sink, smb_update_buffer() calls
    smb_sync_perf_buffer() to copy hardware trace data into the perf AUX ring
    buffer pages. It derives pg_idx = head >> PAGE_SHIFT from @head, which is
    handle->head, and indexes dst_pages[pg_idx]. The pg_idx %= nr_pages
    normalization is only applied after the first loop iteration.
    
    This leaves the initial page index underived from the buffer size, which
    can result in an out-of-bounds write past dst_pages[] when head exceeds
    the AUX buffer size.
    
    Normalize head modulo the AUX buffer size before deriving the page index
    and offset, mirroring tmc_etr_sync_perf_buffer().
    
    Fixes: 06f5c2926aaa ("drivers/coresight: Add UltraSoc System Memory Buffer driver")
    Reported-by: Yuhao Jiang <[email protected]>
    Cc: [email protected]
    Signed-off-by: Junrui Luo <[email protected]>
    Signed-off-by: Suzuki K Poulose <[email protected]>
    Link: https://lore.kernel.org/r/SYBPR01MB788156B3380A36835DB22290AF102@SYBPR01MB7881.ausprd01.prod.outlook.com
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
cpufreq: Fix hotplug-suspend race during reboot [+ + +]
Author: Tianxiang Chen <[email protected]>
Date:   Wed Apr 8 22:19:14 2026 +0800

    cpufreq: Fix hotplug-suspend race during reboot
    
    commit a9029dd55696c651ee46912afa2a166fa456bb3e upstream.
    
    During system reboot, cpufreq_suspend() is called via the
    kernel_restart() -> device_shutdown() path. Unlike the normal system
    suspend path, the reboot path does not call freeze_processes(), so
    userspace processes and kernel threads remain active.
    
    This allows CPU hotplug operations to run concurrently with
    cpufreq_suspend(). The original code has no synchronization with CPU
    hotplug, leading to a race condition where governor_data can be freed
    by the hotplug path while cpufreq_suspend() is still accessing it,
    resulting in a null pointer dereference:
    
      Unable to handle kernel NULL pointer dereference
      Call Trace:
       do_kernel_fault+0x28/0x3c
       cpufreq_suspend+0xdc/0x160
       device_shutdown+0x18/0x200
       kernel_restart+0x40/0x80
       arm64_sys_reboot+0x1b0/0x200
    
    Fix this by adding cpus_read_lock()/cpus_read_unlock() to
    cpufreq_suspend() to block CPU hotplug operations while suspend is in
    progress.
    
    Fixes: 65650b35133f ("cpufreq: Avoid cpufreq_suspend() deadlock on system shutdown")
    Signed-off-by: Tianxiang Chen <[email protected]>
    Reviewed-by: Zhongqiu Han <[email protected]>
    Cc: All applicable <[email protected]>
    [ rjw: Changelog edits ]
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Rafael J. Wysocki <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

cpufreq: intel_pstate: Sync policy->cur during CPU offline [+ + +]
Author: Fushuai Wang <[email protected]>
Date:   Wed May 20 11:21:19 2026 +0800

    cpufreq: intel_pstate: Sync policy->cur during CPU offline
    
    commit bcbdaa1086c25a8a5d48e04e1b82fdfb0682b681 upstream.
    
    When a CPU goes offline with HWP disabled, intel_pstate_set_min_pstate()
    sets the MSR_IA32_PERF_CTL to minimum frequency to prevent SMT siblings
    from being restricted. However, the policy->cur value was not updated,
    leaving it at the previous value.
    
    When the CPU comes back online, governor->limits() checks if target_freq
    equals policy->cur and skips the frequency adjustment if they match. Since
    policy->cur still holds the previous value, the governor does not call
    cpufreq_driver->target to update MSR_IA32_PERF_CTL.
    
    Fix this by synchronizing policy->cur with the hardware state when setting
    minimum pstate during CPU offline.
    
    Fixes: bb18008f8086 ("intel_pstate: Set core to min P state during core offline")
    Cc: [email protected] # 3.15+
    Suggested-by: Srinivas Pandruvada <[email protected]>
    Signed-off-by: Fushuai Wang <[email protected]>
    [ rjw: Subject refinement ]
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Rafael J. Wysocki <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

cpufreq: pcc: fix use-after-free and double free in _OSC evaluation [+ + +]
Author: Yuho Choi <[email protected]>
Date:   Thu Apr 16 10:46:21 2026 -0400

    cpufreq: pcc: fix use-after-free and double free in _OSC evaluation
    
    commit 266d3dd8b757b48a576e90f018b51f7b7563cc32 upstream.
    
    pcc_cpufreq_do_osc() calls acpi_evaluate_object() twice for the
    two-phase _OSC negotiation. Between the two calls it freed
    output.pointer but left output.length unchanged. Since
    acpi_evaluate_object() treats a non-zero length with a non-NULL
    pointer as an existing buffer to write into, the second call wrote
    into freed memory (use-after-free). The subsequent kfree(output.pointer)
    at out_free then freed the same pointer a second time (double free).
    
    Reset output.pointer to NULL and output.length to ACPI_ALLOCATE_BUFFER
    after freeing the first result, so ACPICA allocates a fresh buffer for
    each phase independently.
    
    Fixes: 0f1d683fb35d ("[CPUFREQ] Processor Clocking Control interface driver")
    Signed-off-by: Yuho Choi <[email protected]>
    Reviewed-by: Zhongqiu Han <[email protected]>
    Cc: All applicable <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Rafael J. Wysocki <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

cpufreq: qcom-cpufreq-hw: Fix possible double free [+ + +]
Author: Guangshuo Li <[email protected]>
Date:   Sat May 2 03:00:05 2026 +0800

    cpufreq: qcom-cpufreq-hw: Fix possible double free
    
    commit bcb8889c4981fdde42d4fd2c29a77d510fe21da2 upstream.
    
    qcom_cpufreq.data is allocated with devm_kzalloc() in probe() as an
    array of per-domain data. qcom_cpufreq_hw_cpu_init() stores a pointer to
    one element of this array in policy->driver_data.
    
    qcom_cpufreq_hw_cpu_exit() currently calls kfree() on policy->driver_data.
    This is not valid because the memory is devm-managed. For the first
    domain, this can free the devm-managed allocation while the devres entry
    is still active, leading to a possible double free when the platform
    device is later detached. For other domains, the pointer may refer to an
    element inside the array rather than the allocation base.
    
    Remove the kfree(data) call and let devres release qcom_cpufreq.data.
    
    This issue was found by a static analysis tool I am developing.
    
    Fixes: 054a3ef683a1 ("cpufreq: qcom-hw: Allocate qcom_cpufreq_data during probe")
    Cc: [email protected]
    Signed-off-by: Guangshuo Li <[email protected]>
    Reviewed-by: Zhongqiu Han <[email protected]>
    Signed-off-by: Viresh Kumar <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
crypto: af_alg - Remove zero-copy support from skcipher and aead [+ + +]
Author: Eric Biggers <[email protected]>
Date:   Mon May 4 15:53:28 2026 -0700

    crypto: af_alg - Remove zero-copy support from skcipher and aead
    
    commit ffdd2bc378953b525aca61902534e753f1f8e734 upstream.
    
    The zero-copy support is one of the riskiest aspects of AF_ALG.  It
    allows userspace to request cryptographic operations directly on
    pagecache pages of files like the 'su' binary.  It also allows userspace
    to concurrently modify the memory which is being operated on, a recipe
    for TOCTOU vulnerabilities.
    
    While zero-copy support is more valuable in other areas of the kernel
    like the frequently used networking and file I/O code, it has far less
    value in AF_ALG, which is a niche UAPI.  AF_ALG primarily just exists
    for backwards compatibility with a small set of userspace programs such
    as 'iwd' that haven't yet been fixed to use userspace crypto code.
    
    Originally AF_ALG was intended to be used to access hardware crypto
    accelerators.  However, it isn't an efficient interface for that anyway,
    and it turned out to be rarely used in this way in practice.
    
    Thus, the risks of the zero-copy support in AF_ALG vastly outweigh its
    benefits.  Let's just remove it.
    
    This commit removes it from the "skcipher" and "aead" algorithm types.
    "hash" will be handled separately.
    
    This is a soft break, not a hard break.  Even after this commit, it
    still works to use splice() or sendfile() to transfer data to an AF_ALG
    request socket from a pipe or any file, respectively.  What changes is
    just that the kernel now makes an internal, stable copy of the data
    before doing the crypto operation.  So performance is slightly reduced,
    but the UAPI isn't broken.  And, very importantly, it's much safer.
    
    Tested with libkcapi/test.sh.  All its test cases still pass.  I also
    verified that this would have prevented the copy.fail exploit as well.
    I also used a custom test program to verify that sendfile() still works.
    
    Fixes: 8ff590903d5f ("crypto: algif_skcipher - User-space interface for skcipher operations")
    Fixes: 400c40cf78da ("crypto: algif - add AEAD support")
    Reported-by: Taeyang Lee <[email protected]>
    Link: https://copy.fail/
    Reported-by: Feng Ning <[email protected]>
    Closes: https://lore.kernel.org/r/[email protected]
    Reviewed-by: Demi Marie Obenour <[email protected]>
    Cc: [email protected]
    Signed-off-by: Eric Biggers <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: amlogic - avoid double cleanup in meson_crypto_probe() [+ + +]
Author: Dawei Feng <[email protected]>
Date:   Fri May 8 12:24:16 2026 +0800

    crypto: amlogic - avoid double cleanup in meson_crypto_probe()
    
    commit 6d827ade51a24e18d81afb9f32756d339520a14c upstream.
    
    When meson_allocate_chanlist() fails after a partial allocation, it already
    unwinds the allocated chanlist state through its local error path.
    meson_crypto_probe() then jump to error_flow and calls
    meson_free_chanlist() again, causing the same per-flow resources to be torn
    down twice. In the reproduced failure path, the second teardown
    re-entered crypto_engine_exit() on an already destroyed worker and KASAN
    reported a slab-use-after-free in kthread_destroy_worker().
    
    Prevent double-free by handling partial allocation failures locally within
    meson_allocate_chanlist() and skipping the outer cleanup path.
    
    The bug was first flagged by an experimental analysis tool we are
    developing for kernel memory-management bugs while analyzing
    v6.13-rc1. The tool is still under development and is not yet publicly
    available.
    
    The bug was reproduced in a QEMU x86_64 guest booted with KASAN on v7.1,
    using the reproducer under tools/testing/meson_crypto_probe. The reproducer
    forces the second dma_alloc_attrs() call in the gxl-crypto probe path to
    return NULL, making meson_allocate_chanlist() fail after partial
    initialization. On the unpatched kernel this reliably triggered a
    slab-use-after-free. With this fix applied, the same reproducer no longer
    emits any KASAN report and the probe fails cleanly with -ENOMEM.
    
        ==================================================================
        BUG: KASAN: slab-use-after-free in kthread_destroy_worker+0xb2/0xd0
        Read of size 8 at addr ff1100010c057a68 by task insmod/265
    
        CPU: 1 UID: 0 PID: 265 Comm: insmod Tainted: G           O        7.1.0-rc2-00376-g810af9adc907-dirty #10 PREEMPT(lazy)
        Tainted: [O]=OOT_MODULE
        Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
        Call Trace:
         <TASK>
         dump_stack_lvl+0x68/0xa0
         print_report+0xcb/0x5e0
         ? __virt_addr_valid+0x21d/0x3f0
         ? kthread_destroy_worker+0xb2/0xd0
         ? kthread_destroy_worker+0xb2/0xd0
         kasan_report+0xca/0x100
         ? kthread_destroy_worker+0xb2/0xd0
         kthread_destroy_worker+0xb2/0xd0
         meson_crypto_probe+0x4d0/0xc10 [amlogic_gxl_crypto]
         platform_probe+0x99/0x140
         really_probe+0x1c6/0x6a0
         ? __pfx___device_attach_driver+0x10/0x10
         __driver_probe_device+0x248/0x310
         ? acpi_driver_match_device+0xb0/0x100
         driver_probe_device+0x48/0x210
         ? __pfx___device_attach_driver+0x10/0x10
         __device_attach_driver+0x160/0x320
         bus_for_each_drv+0x104/0x190
         ? __pfx_bus_for_each_drv+0x10/0x10
         ? _raw_spin_unlock_irqrestore+0x2c/0x50
         __device_attach+0x19d/0x3b0
         ? __pfx___device_attach+0x10/0x10
         ? do_raw_spin_unlock+0x53/0x220
         device_initial_probe+0x78/0xa0
         bus_probe_device+0x5b/0x130
         device_add+0xcfd/0x1430
         ? __pfx_device_add+0x10/0x10
         ? insert_resource+0x34/0x50
         ? lock_release+0xc9/0x290
         platform_device_add+0x24e/0x590
         ? __pfx_meson_crypto_probe_repro_init+0x10/0x10 [meson_crypto_probe_repro]
         meson_crypto_probe_repro_init+0x330/0xff0 [meson_crypto_probe_repro]
         do_one_initcall+0xc0/0x450
         ? __pfx_do_one_initcall+0x10/0x10
         ? _raw_spin_unlock_irqrestore+0x2c/0x50
         ? __create_object+0x59/0x80
         ? kasan_unpoison+0x27/0x60
         do_init_module+0x27b/0x7d0
         ? __pfx_do_init_module+0x10/0x10
         ? kasan_quarantine_put+0x84/0x1d0
         ? kfree+0x32c/0x510
         ? load_module+0x561e/0x5ff0
         load_module+0x54fe/0x5ff0
         ? __pfx_load_module+0x10/0x10
         ? security_file_permission+0x20/0x40
         ? kernel_read_file+0x23d/0x6e0
         ? mmap_region+0x235/0x4a0
         ? __pfx_kernel_read_file+0x10/0x10
         ? __file_has_perm+0x2c0/0x3e0
         init_module_from_file+0x158/0x180
         ? __pfx_init_module_from_file+0x10/0x10
         ? __lock_acquire+0x45a/0x1ba0
         ? idempotent_init_module+0x315/0x610
         ? lock_release+0xc9/0x290
         ? lockdep_init_map_type+0x4b/0x220
         ? do_raw_spin_unlock+0x53/0x220
         idempotent_init_module+0x330/0x610
         ? __pfx_idempotent_init_module+0x10/0x10
         ? __pfx_cred_has_capability.isra.0+0x10/0x10
         ? ksys_mmap_pgoff+0x385/0x520
         __x64_sys_finit_module+0xbe/0x120
         do_syscall_64+0x115/0x690
         entry_SYSCALL_64_after_hwframe+0x77/0x7f
        RIP: 0033:0x7f7d6d31690d
        Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f3 b4 0f 00 f7 d8 >
        RSP: 002b:00007fffc027ac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
        RAX: ffffffffffffffda RBX: 000055f7b81967c0 RCX: 00007f7d6d31690d
        RDX: 0000000000000000 RSI: 000055f79a0d6cd2 RDI: 0000000000000003
        RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
        R10: 0000000000000003 R11: 0000000000000246 R12: 000055f79a0d6cd2
        R13: 000055f7b8196790 R14: 000055f79a0d5888 R15: 000055f7b81968e0
         </TASK>
    
    Fixes: 48fe583fe541 ("crypto: amlogic - Add crypto accelerator for amlogic GXL")
    Cc: [email protected]
    Signed-off-by: Zilin Guan <[email protected]>
    Signed-off-by: Dawei Feng <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: caam - use print_hex_dump_devel to guard key hex dumps [+ + +]
Author: Thorsten Blum <[email protected]>
Date:   Mon Apr 27 18:39:37 2026 +0200

    crypto: caam - use print_hex_dump_devel to guard key hex dumps
    
    commit 3f57657b6ea23f933371f2c2846322f441773cee upstream.
    
    Use print_hex_dump_devel() for dumping sensitive key material in
    *_setkey() and gen_split_key() to avoid leaking secrets at runtime when
    CONFIG_DYNAMIC_DEBUG is enabled.
    
    Fixes: 6e005503199b ("crypto: caam - print debug messages at debug level")
    Cc: [email protected]
    Signed-off-by: Thorsten Blum <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: caam - use print_hex_dump_devel to guard key hex dumps again [+ + +]
Author: Thorsten Blum <[email protected]>
Date:   Mon Apr 27 18:39:39 2026 +0200

    crypto: caam - use print_hex_dump_devel to guard key hex dumps again
    
    commit 8005dc808bcce7d6cc2ae015a3cde1683bee602d upstream.
    
    Use print_hex_dump_devel() for dumping sensitive key material in
    *_setkey() to avoid leaking secrets at runtime when CONFIG_DYNAMIC_DEBUG
    is enabled.
    
    Fixes: 8d818c105501 ("crypto: caam/qi2 - add DPAA2-CAAM driver")
    Fixes: 226853ac3ebe ("crypto: caam/qi2 - add skcipher algorithms")
    Cc: [email protected]
    Signed-off-by: Thorsten Blum <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: ccp - Do not initialize SNP for ioctl(SNP_COMMIT) [+ + +]
Author: Tycho Andersen (AMD) <[email protected]>
Date:   Mon May 4 10:51:45 2026 -0600

    crypto: ccp - Do not initialize SNP for ioctl(SNP_COMMIT)
    
    commit 5a1364da2f04217a36e2fdfa2db4ee025b383a20 upstream.
    
    Sashiko notes:
    
    > if SEV initialization fails and KVM is actively running normal VMs, could a
    > userspace process trigger this code path via /dev/sev ioctls (e.g.,
    > SEV_PDH_GEN) and zero out MSR_VM_HSAVE_PA globally? Would the next VMRUN
    > execution for an active VM trigger a general protection fault and crash the
    > host?
    
    The SNP_COMMIT command does not require the firmware to be in any
    particular state. Skip initializing it if it was previously uninitialized.
    
    The SEV-SNP firmware specification doc 56860 does not mention SNP_COMMIT in
    Table 5 as a command that is allowed in the UNINIT state, but it is in fact
    allowed and a future documentation update will reflect that.
    
    Fixes: ceac7fb89e8d ("crypto: ccp - Ensure implicit SEV/SNP init and shutdown in ioctls")
    Reported-by: Sashiko
    Assisted-by: Gemini:gemini-3.1-pro-preview
    Link: https://sashiko.dev/#/patchset/20260324161301.1353976-1-tycho%40kernel.org
    CC: <[email protected]>
    Signed-off-by: Tycho Andersen (AMD) <[email protected]>
    Reviewed-by: Tom Lendacky <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: ccp - Do not initialize SNP for ioctl(SNP_VLEK_LOAD) [+ + +]
Author: Tycho Andersen (AMD) <[email protected]>
Date:   Mon May 4 10:51:46 2026 -0600

    crypto: ccp - Do not initialize SNP for ioctl(SNP_VLEK_LOAD)
    
    commit f91e9dbb5845d1e5abf1028e6df57dcf61583e1b upstream.
    
    Sashiko notes:
    
    > if SEV initialization fails and KVM is actively running normal VMs, could a
    > userspace process trigger this code path via /dev/sev ioctls (e.g.,
    > SEV_PDH_GEN) and zero out MSR_VM_HSAVE_PA globally? Would the next VMRUN
    > execution for an active VM trigger a general protection fault and crash the
    > host?
    
    The SEV firmware docs for SNP_VLEK_LOAD note:
    
    > On SNP_SHUTDOWN, the VLEK is deleted.
    
    That is, the initialization/shutdown wrapper here is pointless, because the
    firmware immediately throws away the key anyway. Instead, refuse to do
    anything if SNP has not been previously initialized.
    
    This is an ABI break: before, this was a no-op and almost certainly a
    mistake by userspace, and now it returns -ENODEV. ABI compatibility could be
    maintained here by simply returning 0 in the check instead.
    
    Fixes: ceac7fb89e8d ("crypto: ccp - Ensure implicit SEV/SNP init and shutdown in ioctls")
    Reported-by: Sashiko
    Assisted-by: Gemini:gemini-3.1-pro-preview
    Link: https://sashiko.dev/#/patchset/20260324161301.1353976-1-tycho%40kernel.org
    CC: <[email protected]>
    Signed-off-by: Tycho Andersen (AMD) <[email protected]>
    Reviewed-by: Tom Lendacky <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: ccp - Do not initialize SNP for SEV ioctls [+ + +]
Author: Tycho Andersen (AMD) <[email protected]>
Date:   Mon May 4 10:51:44 2026 -0600

    crypto: ccp - Do not initialize SNP for SEV ioctls
    
    commit fb1758e74b8061aacfbce7bbb7a7cc650537e167 upstream.
    
    Sashiko notes:
    
    > if SEV initialization fails and KVM is actively running normal VMs, could a
    > userspace process trigger this code path via /dev/sev ioctls (e.g.,
    > SEV_PDH_GEN) and zero out MSR_VM_HSAVE_PA globally? Would the next VMRUN
    > execution for an active VM trigger a general protection fault and crash the
    > host?
    
    sev_move_to_init_state() is called for ioctls requiring only SEV firmware:
    SEV_PEK_GEN, SEV_PDH_GEN, SEV_PEK_CSR, SEV_PEK_CERT_IMPORT, and
    SEV_PDH_CERT_EXPORT. After the firmware command, it does SEV_SHUTDOWN on
    the SEV firmware. Since these commands do not require SNP to be
    initialized, skip it by calling __sev_platform_init_locked() which only
    initializes the SEV firmware. This way SNP is not Initialized at all, and
    HSAVE_PA is not cleared.
    
    The previous code saved any SEV initialization firmware error to
    init_args.error and then threw it away and hardcoded the return value of
    INVALID_PLATFORM_STATE regardless of the real firmware error. This patch
    changes it to surface the underlying error, which is hopefully both more
    useful and doesn't cause any problems.
    
    Note that it is still safe to call __sev_firmware_shutdown() directly: it
    calls __sev_snp_shutdown_locked(), which skips SNP shutdown if SNP was not
    initialized.
    
    Fixes: ceac7fb89e8d ("crypto: ccp - Ensure implicit SEV/SNP init and shutdown in ioctls")
    Reported-by: Sashiko
    Assisted-by: Gemini:gemini-3.1-pro-preview
    Link: https://sashiko.dev/#/patchset/20260324161301.1353976-1-tycho%40kernel.org
    CC: <[email protected]>
    Signed-off-by: Tycho Andersen (AMD) <[email protected]>
    Reviewed-by: Tom Lendacky <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: drbg - Fix drbg_max_addtl() on 64-bit kernels [+ + +]
Author: Eric Biggers <[email protected]>
Date:   Sun Apr 19 23:33:48 2026 -0700

    crypto: drbg - Fix drbg_max_addtl() on 64-bit kernels
    
    commit 6f49f00c981bbb9ef602966f19bfdbef46b681d2 upstream.
    
    On 64-bit kernels, drbg_max_addtl() returns 2**35 bytes.  That's too
    large, for two reasons:
    
    1. SP800-90A says the maximum limit is 2**35 *bits*, not 2**35 bytes.
       So the implemented limit has confused bits and bytes.
    
    2. When drbg_kcapi_hash() calls crypto_shash_update() on the additional
       information string, the length is implicitly cast to 'unsigned int'.
       That truncates the additional information string to U32_MAX bytes.
    
    Fix the maximum additional information string length to always be
    U32_MAX - 1, causing an error to be returned for any longer lengths.
    
    Fixes: 541af946fe13 ("crypto: drbg - SP800-90A Deterministic Random Bit Generator")
    Cc: [email protected]
    Signed-off-by: Eric Biggers <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: drbg - Fix returning success on failure in CTR_DRBG [+ + +]
Author: Eric Biggers <[email protected]>
Date:   Sun Apr 19 23:33:45 2026 -0700

    crypto: drbg - Fix returning success on failure in CTR_DRBG
    
    commit 39a31ad9e2a5ed7e9c9c6f711dca96c8c8f5f26b upstream.
    
    drbg_ctr_generate() sometimes returns success when it fails, leaving the
    output buffer uninitialized.  Fix it.
    
    Fixes: cde001e4c3c3 ("crypto: rng - RNGs must return 0 in success case")
    Cc: [email protected]
    Signed-off-by: Eric Biggers <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: drbg - Fix the fips_enabled priority boost [+ + +]
Author: Eric Biggers <[email protected]>
Date:   Sun Apr 19 23:33:49 2026 -0700

    crypto: drbg - Fix the fips_enabled priority boost
    
    commit a8a1f93080efc83a9ff8452954429ae379e9e614 upstream.
    
    When fips_enabled=1, it seems to have been intended for one of the
    algorithms defined in crypto/drbg.c to be the highest priority "stdrng"
    algorithm, so that it is what is used by "stdrng" users.
    
    However, the code only boosts the priority to 400, which is less than
    the priority 500 used in drivers/crypto/caam/caamprng.c.  Thus, the CAAM
    RNG could be used instead.
    
    Fix this by boosting the priority by 2000 instead of 200.
    
    Fixes: 541af946fe13 ("crypto: drbg - SP800-90A Deterministic Random Bit Generator")
    Cc: [email protected]
    Signed-off-by: Eric Biggers <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: ecc - Fix carry overflow in vli multiplication [+ + +]
Author: Anastasia Tishchenko <[email protected]>
Date:   Wed May 13 13:57:40 2026 +0300

    crypto: ecc - Fix carry overflow in vli multiplication
    
    commit 27b536a2ec8e2f85a0380c2d13c9ecbc7aaab406 upstream.
    
    The carry flag calculation fails when r01.m_high is saturated
    (0xFFFFFFFFFFFFFFFF) and addition of lower bits overflows.
    
    The condition (r01.m_high < product.m_high) doesn't handle the case
    where r01.m_high == product.m_high and an additional carry exists
    from lower-bit overflow.
    
    When commit 3c4b23901a0c ("crypto: ecdh - Add ECDH software support")
    introduced crypto/ecc.c, it split the muladd() function in the
    micro-ecc library into separate mul_64_64() and add_128_128() helpers.
    It seems the check got lost in translation.
    
    Add proper handling for this boundary by accounting for the carry
    from the lower addition.
    
    Fixes: 3c4b23901a0c ("crypto: ecdh - Add ECDH software support")
    Signed-off-by: Anastasia Tishchenko <[email protected]>
    Cc: [email protected] # v4.8+
    Reviewed-by: Lukas Wunner <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: pcrypt - restore callback for non-parallel fallback [+ + +]
Author: Ruijie Li <[email protected]>
Date:   Mon May 25 19:45:21 2026 +0800

    crypto: pcrypt - restore callback for non-parallel fallback
    
    commit ed459fe319376e876de433d12b6c6772e612ca36 upstream.
    
    pcrypt installs pcrypt_aead_done() on the child AEAD request before
    trying to submit it through padata.  If padata_do_parallel() returns
    -EBUSY, pcrypt falls back to calling the child AEAD directly.
    
    That fallback must not keep the padata completion callback.  Otherwise
    an asynchronous completion runs pcrypt_aead_done() even though the
    request was never enrolled in padata.
    
    Restore the original request callback and callback data before calling
    the child AEAD directly.  This keeps the fallback path aligned with a
    direct AEAD request while leaving the parallel path unchanged.
    
    Fixes: 662f2f13e66d ("crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY")
    Cc: [email protected]
    Reported-by: Yuan Tan <[email protected]>
    Reported-by: Yifan Wu <[email protected]>
    Reported-by: Juefei Pu <[email protected]>
    Reported-by: Zhengchuan Liang <[email protected]>
    Reported-by: Xin Liu <[email protected]>
    Assisted-by: Codex:gpt-5.4
    Signed-off-by: Ruijie Li <[email protected]>
    Signed-off-by: Ren Wei <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: qat - keep VFs enabled during reset [+ + +]
Author: Ahsan Atta <[email protected]>
Date:   Wed May 13 17:16:54 2026 +0200

    crypto: qat - keep VFs enabled during reset
    
    commit 57518500053987672050dc2f7bf8a774d5d52fd9 upstream.
    
    When a reset is triggered via sysfs, the PCI core invokes the
    reset_prepare() callback while holding pci_dev_lock(), which includes
    the PCI configuration space access semaphore. If reset_prepare() calls
    adf_dev_down(), the call chain adf_dev_stop() -> adf_disable_sriov()
    -> pci_disable_sriov() attempts to acquire the same semaphore,
    resulting in a deadlock.
    
    Avoid this by skipping pci_disable_sriov() when ADF_STATUS_RESTARTING
    is set. During reset the PCI topology is preserved, so VF devices
    remain valid and enumerated across the reset. VF notification and the
    quiesce handshake via adf_pf2vf_notify_restarting() are still
    performed unconditionally so that VFs stop submitting work before the
    PF shuts down.
    
    Correspondingly, skip pci_enable_sriov() in adf_enable_sriov() when
    VFs are already present, since their PCI devices were preserved from
    before the restart.
    
    This is in preparation for adding reset_prepare() and reset_done()
    callbacks in adf_aer.c.
    
    Cc: [email protected]
    Signed-off-by: Ahsan Atta <[email protected]>
    Reviewed-by: Giovanni Cabiddu <[email protected]>
    Reviewed-by: Damian Muszynski <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: qat - notify fatal error before AER reset preparation [+ + +]
Author: Ahsan Atta <[email protected]>
Date:   Wed May 13 17:16:55 2026 +0200

    crypto: qat - notify fatal error before AER reset preparation
    
    commit 6931835f2fdd0cb9b1c7791748d7e67d0749056a upstream.
    
    Send fatal error notifications to subsystems and VFs as soon as
    AER error detection starts, before entering the reset preparation
    shutdown sequence.
    
    This reduces notification latency and ensures peers are informed
    immediately on fatal detection, rather than after restart-state setup
    and arbitration teardown.
    
    Cc: [email protected]
    Signed-off-by: Ahsan Atta <[email protected]>
    Reviewed-by: Giovanni Cabiddu <[email protected]>
    Reviewed-by: Damian Muszynski <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: qat - protect service table iterations with service_lock [+ + +]
Author: Ahsan Atta <[email protected]>
Date:   Wed May 20 13:41:55 2026 +0100

    crypto: qat - protect service table iterations with service_lock
    
    commit 5c6f845e77ec35f9b7b047cc8f9789bf397cdd3e upstream.
    
    The service_table list is protected by service_lock when entries are
    added or removed (in adf_service_add() and adf_service_remove()), but
    several functions iterate over the list without holding this lock.
    
    A concurrent adf_service_register() or adf_service_unregister() call
    could modify the list during traversal, leading to list corruption or
    a use-after-free.
    
    Fix this by holding service_lock across all list_for_each_entry()
    iterations of service_table in adf_dev_init(), adf_dev_start(),
    adf_dev_stop(), adf_dev_shutdown(), adf_dev_restarting_notify(),
    adf_dev_restarted_notify(), and adf_error_notifier().
    
    The lock ordering is safe: callers of the static helpers (adf_dev_up()
    and adf_dev_down()) acquire state_lock before service_lock, and no
    event_hld callback or service_lock holder ever acquires state_lock in
    the reverse order.
    
    Cc: [email protected]
    Fixes: d8cba25d2c68 ("crypto: qat - Intel(R) QAT driver framework")
    Signed-off-by: Ahsan Atta <[email protected]>
    Co-developed-by: Maksim Lukoshkov <[email protected]>
    Signed-off-by: Maksim Lukoshkov <[email protected]>
    Reviewed-by: Giovanni Cabiddu <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: qat - validate RSA CRT component lengths [+ + +]
Author: Giovanni Cabiddu <[email protected]>
Date:   Thu May 28 16:57:44 2026 +0100

    crypto: qat - validate RSA CRT component lengths
    
    commit b3ac78756588059729b9195fcc9f4b37d54057a5 upstream.
    
    The generic RSA key parser (rsa_helper.c) bounds each CRT component (p,
    q, dp, dq, qinv) by the modulus size n_sz, but qat_rsa_setkey_crt()
    allocates half-size DMA buffers (key_sz / 2) and right-aligns each
    component with:
    
        memcpy(dst + half_key_sz - len, src, len)
    
    When a CRT component is larger than half_key_sz the subtraction
    underflows and memcpy writes past the DMA buffer, causing memory
    corruption.
    
    Add a len > half_key_sz check next to the existing !len check for each
    of the five CRT components so the driver falls back to the non-CRT path
    instead of writing out of bounds.
    
    Fixes: 879f77e9071f ("crypto: qat - Add RSA CRT mode")
    Cc: [email protected]
    Signed-off-by: Giovanni Cabiddu <[email protected]>
    Reviewed-by: Ahsan Atta <[email protected]>
    Reviewed-by: Laurent M Coquerel <[email protected]>
    Tested-by: Laurent M Coquerel <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: talitos - add chaining of arbitrary number of descriptor for the SEC1 [+ + +]
Author: Paul Louvel <[email protected]>
Date:   Thu May 7 16:41:48 2026 +0200

    crypto: talitos - add chaining of arbitrary number of descriptor for the SEC1
    
    commit f126384ed55279c3b676f89d5ab547b8de8df782 upstream.
    
    The SEC1 hardware can process a chain of descriptors without host
    intervention. Only the hash implementation currently use this feature,
    but with a chain of at most 2 descriptors added in commit 37b5e8897eb5
    ("crypto: talitos - chain in buffered data for ahash on SEC1").
    
    Add supports for chaining an arbitrary number of descriptors in a chain.
    
    Adapt the ahash implementation to make it compatible.
    
    Cc: [email protected]
    Signed-off-by: Paul Louvel <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: talitos - move code in current_desc_hdr() into a standalone function [+ + +]
Author: Paul Louvel <[email protected]>
Date:   Thu May 7 16:41:51 2026 +0200

    crypto: talitos - move code in current_desc_hdr() into a standalone function
    
    commit f8713d9e6091755dd30f7f1cfa25f8440cddf81b upstream.
    
    Previously added code in current_desc_hdr() in order to add support for
    searching an offending descriptor inside a descriptor chain.
    
    Move that code into a standalone function to improve readability.
    
    Cc: [email protected]
    Signed-off-by: Paul Louvel <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: talitos - move dma mapping code in talitos_submit() into a standalone dma_map_request() function [+ + +]
Author: Paul Louvel <[email protected]>
Date:   Thu May 7 16:41:50 2026 +0200

    crypto: talitos - move dma mapping code in talitos_submit() into a standalone dma_map_request() function
    
    commit 5c0aa8cad7745505297103f05dda3fa06e8ac670 upstream.
    
    Previously added code to talitos_submit() in order to map an entire
    descriptor chain.
    
    Move that code into a standalone function to improve readability.
    
    Cc: [email protected]
    Signed-off-by: Paul Louvel <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: talitos - move dma unmapping code in flush_channel() into a standalone dma_unmap_request() function [+ + +]
Author: Paul Louvel <[email protected]>
Date:   Thu May 7 16:41:49 2026 +0200

    crypto: talitos - move dma unmapping code in flush_channel() into a standalone dma_unmap_request() function
    
    commit 4d9b0b7415b9e79a3d54d18b5ff230974ea78740 upstream.
    
    Previously added code to flush_channel() in order to unmap an entire
    descriptor.
    
    Move that code into a standalone function to improve readability.
    
    Cc: [email protected]
    Signed-off-by: Paul Louvel <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: talitos - use dma_sync_single_for_cpu() before reading descriptor header [+ + +]
Author: Paul Louvel <[email protected]>
Date:   Thu May 7 16:41:47 2026 +0200

    crypto: talitos - use dma_sync_single_for_cpu() before reading descriptor header
    
    commit e17ff3d6ff907dc8406261e8fd3e1fc8a908f0f6 upstream.
    
    In order to know if a descriptor has been processed by the device,
    the driver polls the FIFO to see if DESC_HDR_DONE is set on a descriptor
    header to confirm completion.
    The current code does not make sure that the CPU gets up to date data
    before reading the descriptor.
    
    Fix this by calling dma_sync_single_for_cpu() before reading memory
    written by the device.
    
    Cc: [email protected]
    Fixes: 58cdbc6d2263 ("crypto: talitos - fix hash on SEC1.")
    Signed-off-by: Paul Louvel <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: talitos/hash - drop workqueue mechanism for SEC1 [+ + +]
Author: Paul Louvel <[email protected]>
Date:   Thu May 7 16:41:54 2026 +0200

    crypto: talitos/hash - drop workqueue mechanism for SEC1
    
    commit be4802afb1700534e48cb776d0d1e772c27de130 upstream.
    
    Now that SEC1 hash uses hardware descriptor chaining instead of a
    workqueue to process requests exceeding TALITOS1_MAX_DATA_LEN, the
    workqueue code is no longer needed.
    
    Remove sec1_ahash_process_remaining(), the related fields from
    talitos_ahash_req_ctx (request_bufsl, areq, request_sl,
    remaining_ahash_request_bytes, current_ahash_request_bytes,
    sec1_ahash_process_remaining), the dead code in ahash_done(), and
    simplify ahash_process_req() to call ahash_process_req_one() directly
    with the original areq->src and areq->nbytes.
    
    Cc: [email protected]
    Signed-off-by: Paul Louvel <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: talitos/hash - fix SEC2 64k - 1 ahash request limitation [+ + +]
Author: Paul Louvel <[email protected]>
Date:   Thu May 7 16:41:57 2026 +0200

    crypto: talitos/hash - fix SEC2 64k - 1 ahash request limitation
    
    commit 6e12daff6ec125102a6fdcafc5aa7199f7ce8933 upstream.
    
    The problem described in commit 655ef638a2bc ("crypto: talitos - fix
    SEC1 32k ahash request limitation") also apply for the SEC2 hardware,
    but with a limitation of 64k - 1 bytes.
    
    Split ahash_done() into SEC1 and SEC2 paths: SEC1 continues to free the
    whole descriptor list at once, while SEC2 now iterates through
    descriptors one by one, submitting the next only after the previous
    completes, which is required since SEC2 cannot chain descriptors in
    hardware.
    
    Cc: [email protected]
    Fixes: c662b043cdca ("crypto: af_alg/hash: Support MSG_SPLICE_PAGES")
    Signed-off-by: Paul Louvel <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: talitos/hash - prepare SEC1 descriptor chaining, remove additional descriptor [+ + +]
Author: Paul Louvel <[email protected]>
Date:   Thu May 7 16:41:52 2026 +0200

    crypto: talitos/hash - prepare SEC1 descriptor chaining, remove additional descriptor
    
    commit 59b5d899e33701665f18abe6bebf987427876e3e upstream.
    
    Currently, when SEC1 has buffered data (nbuf != 0), the ahash code
    creates an additional descriptor on the fly inside
    common_nonsnoop_hash() to handle the remainder of the data. This
    approach is incompatible with the arbitrary-length descriptor chaining
    that follows.
    
    Remove the "additional descriptor" logic from common_nonsnoop_hash()
    and common_nonsnoop_hash_unmap().
    
    Also remove the nbytes adjustment for SEC1 in ahash_edesc_alloc()
    that subtracted nbuf.
    
    Cc: [email protected]
    Signed-off-by: Paul Louvel <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: talitos/hash - remove useless wrapper [+ + +]
Author: Paul Louvel <[email protected]>
Date:   Thu May 7 16:41:56 2026 +0200

    crypto: talitos/hash - remove useless wrapper
    
    commit 907ae6088c82c9abae2d26477fddd60df6ad003b upstream.
    
    ahash_process_req() was a wrapper used in commit 655ef638a2bc ("crypto:
    talitos - fix SEC1 32k ahash request limitation"). Rename
    ahash_process_req_one() to ahash_process_req() and remove the wrapper.
    
    Cc: [email protected]
    Signed-off-by: Paul Louvel <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: talitos/hash - rename first_desc/last_desc to first_request/last_request [+ + +]
Author: Paul Louvel <[email protected]>
Date:   Thu May 7 16:41:55 2026 +0200

    crypto: talitos/hash - rename first_desc/last_desc to first_request/last_request
    
    commit 8bcf00671400ac3b3a4cc3011e6c1496dbd880fd upstream.
    
    In talitos_ahash_req_ctx and talitos_export_state, the fields
    first_desc and last_desc describe request-level (not descriptor-level)
    state.  Rename them to first_request and last_request for clarity.
    last_desc is also removed from talitos_ahash_req_ctx as it is no
    longer used.
    
    Cc: [email protected]
    Signed-off-by: Paul Louvel <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: talitos/hash - use descriptor chaining for SEC1 instead of workqueue [+ + +]
Author: Paul Louvel <[email protected]>
Date:   Thu May 7 16:41:53 2026 +0200

    crypto: talitos/hash - use descriptor chaining for SEC1 instead of workqueue
    
    commit f1ede6d95d8ad3b32c6a552d2baab805bd00fc38 upstream.
    
    Rework the SEC1 ahash implementation to build a chain of hardware
    descriptors, replacing the previous approach of submitting one
    descriptor at a time via a workqueue, introduced by commit 655ef638a2bc
    ("crypto: talitos - fix SEC1 32k ahash request limitation").
    
    Introduce ahash_process_req_prepare() which iterates over the request
    data, allocating enough descriptors to cover the entire ahash request.
    The new fields (bufsl, src, first, last) are added to talitos_edesc for
    this purpose.
    
    common_nonsnoop_hash() no longer calls talitos_submit(); it only
    maps and sets up the descriptor.  Submission is now done by the caller
    after the chain is built.
    
    ahash_free_desc_list_from() takes over calling
    common_nonsnoop_hash_unmap() for each descriptor during cleanup.
    
    Compared to the workqueue based solution, request are slightly faster
    since there is no more scheduling latency induced by the workqueue, and
    only one interrupt is generated by the device at the end of a chain.
    
    Commit 655ef638a2bc ("crypto: talitos - fix SEC1 32k ahash request
    limitation") :
    
    $ /usr/libexec/libkcapi/sha256sum ./test_5M.bin
    013c5609d63c...  ./test_5M.bin
    real 0m 0.41s
    user 0m 0.01s
    sys  0m 0.07s
    
    Now :
    
    $ /usr/libexec/libkcapi/sha256sum ./test_5M.bin
    013c5609d63c...  ./test_5M.bin
    real 0m 0.33s
    user 0m 0.01s
    sys  0m 0.20s
    
    Tested on a system with an MPC885 SoC featuring the SEC1 Lite.
    
    The increase in sys time is due to the fact that commit 37b5e8897eb5
    ("crypto: talitos - chain in buffered data for ahash on SEC1") can no
    longer be applied.
    
    Cc: [email protected]
    Signed-off-by: Paul Louvel <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

crypto: tegra - fix refcount leak in tegra_se_host1x_submit() [+ + +]
Author: Wentao Liang <[email protected]>
Date:   Thu Jun 4 10:27:06 2026 +0000

    crypto: tegra - fix refcount leak in tegra_se_host1x_submit()
    
    commit 6ea0ce3a19f9c37a014099e2b0a46b27fa164564 upstream.
    
    The timeout error path in tegra_se_host1x_submit() returns without
    calling host1x_job_put(), while all other paths (success, submit
    error, pin error) properly release the job reference through the
    job_put label.  Since host1x_job_alloc() initializes the reference
    count and host1x_job_put() is required to drop it, omitting it on
    timeout causes a permanent refcount leak.
    
    Fix this by redirecting the timeout return to the existing job_put
    label, ensuring the job reference and any associated syncpt
    references are consistently released.
    
    Cc: [email protected]
    Fixes: 0880bb3b00c8 ("crypto: tegra - Add Tegra Security Engine driver")
    Signed-off-by: Wentao Liang <[email protected]>
    Reviewed-by: Akhil R <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
debugobjects: Plug race against a concurrent OOM disable [+ + +]
Author: Thomas Gleixner <[email protected]>
Date:   Sun Jun 21 16:47:44 2026 +0200

    debugobjects: Plug race against a concurrent OOM disable
    
    commit b81dde13cc163450dcb402dcc915ef13ba241e01 upstream.
    
    syzbot reported a puzzling splat:
    
       WARNING: kernel/time/hrtimer.c:443 at stub_timer+0xa/0x20
    
    stub_timer() is installed as timer callback function in
    hrtimer_fixup_assert_init(), which is invoked when
    debug_object_assert_init() can't find a shadow object. In that case debug
    objects emits a warning about it before invoking the fixup.
    
    Though the provided console log lacks this warning and instead has the
    following a few seconds before the splat:
    
         ODEBUG: Out of memory. ODEBUG disabled
    
    So the object was looked up in debug_object_assert_init() and the lookup
    failed due a concurrent out of memory situation which disabled debug
    objects and freed the shadow objects:
    
    debug_object_assert_init()
            if (!debug_objects_enabled)
                    return;                         obj = alloc();
                                                    if (!obj) {
                                                            // Out of memory
                                                            debug_objects_enabled = false;
                                                            free_objects();
            obj = lookup_or_alloc();
    
            // The lookup failed because the other side
            // removed the objects, so this returns
            // an error code as the object in question
            // is not statically initialized
    
            if (!IS_ERR_OR_NULL(obj))
                    return;
            if (!obj) {
                    debug_oom();
                    return;
            }
    
            print(...)
               if (!debug_objects_enabled)
                    return;
    
            fixup(...)
    
    The debug object splat is skipped because debug_objects_enabled is false,
    but the fixup callback is invoked unconditionally, which makes the timer
    disfunctional.
    
    This is only a problem in debug_object_assert_init() and
    debug_object_activate() as both have to handle statically initialized
    objects and therefore must handle the error pointer return case
    gracefully. All other places only handle the found/not found case and the
    NULL pointer return is a signal for OOM. Otherwise they get a valid shadow
    object.
    
    Plug the hole by checking whether debug objects are still enabled before
    invoking the print and fixup function in those two places.
    
    Fixes: b84d435cc228 ("debugobjects: Extend to assert that an object is initialized")
    Reported-by: [email protected]
    Signed-off-by: Thomas Gleixner <[email protected]>
    Cc: [email protected]
    Link: https://patch.msgid.link/874iiwlzlb.ffs@fw13
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
device property: initialize the remaining fields of fwnode_handle in fwnode_init() [+ + +]
Author: Bartosz Golaszewski <[email protected]>
Date:   Thu Jul 2 18:22:52 2026 -0400

    device property: initialize the remaining fields of fwnode_handle in fwnode_init()
    
    [ Upstream commit 7eba000621fff223dd7bab484d48918c7c77a307 ]
    
    If a firmware node is allocated on the stack (for instance: temporary
    software node whose life-time we control) or on the heap - but using a
    non-zeroing allocation function - and initialized using fwnode_init(),
    its secondary pointer will contain uninitialized memory which likely
    will be neither NULL nor IS_ERR() and so may end up being dereferenced
    (for example: in dev_to_swnode()). Set fwnode->secondary to NULL on
    initialization. While at it: initialize the remaining fields of struct
    fwnode_handle too just to be sure.
    
    Cc: [email protected]
    Fixes: 01bb86b380a3 ("driver core: Add fwnode_init()")
    Reviewed-by: Sakari Ailus <[email protected]>
    Reviewed-by: Rafael J. Wysocki (Intel) <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Signed-off-by: Bartosz Golaszewski <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    [ Fix typo in commit message. - Danilo ]
    Signed-off-by: Danilo Krummrich <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
dm-ioctl: report an error if a device has no table [+ + +]
Author: Mikulas Patocka <[email protected]>
Date:   Mon May 11 13:04:16 2026 +0200

    dm-ioctl: report an error if a device has no table
    
    commit 457e32348d606a77f9b20e25e989734189834c07 upstream.
    
    When we send a message to a device that has no table, the return code was
    not set. The code would return "2", which is not considered a valid return value.
    
    Signed-off-by: Mikulas Patocka <[email protected]>
    Cc: [email protected]
    Reviewed-by: Benjamin Marzinski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
dma-buf/udmabuf: skip redundant cpu sync to fix cacheline EEXIST warning [+ + +]
Author: Mikhail Gavrilov <[email protected]>
Date:   Tue Mar 31 11:16:57 2026 +0500

    dma-buf/udmabuf: skip redundant cpu sync to fix cacheline EEXIST warning
    
    commit 504e2b4ab97a51d56d966cd36d0997ad30b65b2d upstream.
    
    When CONFIG_DMA_API_DEBUG_SG is enabled, importing a udmabuf into a DRM
    driver (e.g. amdgpu for video playback in GNOME Videos / Showtime)
    triggers a spurious warning:
    
      DMA-API: amdgpu 0000:03:00.0: cacheline tracking EEXIST, \
          overlapping mappings aren't supported
      WARNING: kernel/dma/debug.c:619 at add_dma_entry+0x473/0x5f0
    
    The call chain is:
    
      amdgpu_cs_ioctl
       -> amdgpu_ttm_backend_bind
        -> dma_buf_map_attachment
         -> [udmabuf] map_udmabuf -> get_sg_table
          -> dma_map_sgtable(dev, sg, direction, 0)  // attrs=0
           -> debug_dma_map_sg -> add_dma_entry -> EEXIST
    
    This happens because udmabuf builds a per-page scatter-gather list via
    sg_set_folio().  When begin_cpu_udmabuf() has already created an sg
    table mapped for the misc device, and an importer such as amdgpu maps
    the same pages for its own device via map_udmabuf(), the DMA debug
    infrastructure sees two active mappings whose physical addresses share
    cacheline boundaries and warns about the overlap.
    
    The DMA_ATTR_SKIP_CPU_SYNC flag suppresses this check in
    add_dma_entry() because it signals that no CPU cache maintenance is
    performed at map/unmap time, making the cacheline overlap harmless.
    
    All other major dma-buf exporters already pass this flag:
      - drm_gem_map_dma_buf() passes DMA_ATTR_SKIP_CPU_SYNC
      - amdgpu_dma_buf_map() passes DMA_ATTR_SKIP_CPU_SYNC
    
    The CPU sync at map/unmap time is also redundant for udmabuf:
    begin_cpu_udmabuf() and end_cpu_udmabuf() already perform explicit
    cache synchronization via dma_sync_sgtable_for_cpu/device() when CPU
    access is requested through the dma-buf interface.
    
    Pass DMA_ATTR_SKIP_CPU_SYNC to dma_map_sgtable() and
    dma_unmap_sgtable() in udmabuf to suppress the spurious warning and
    skip the redundant sync.
    
    Fixes: 284562e1f348 ("udmabuf: implement begin_cpu_access/end_cpu_access hooks")
    Cc: [email protected]
    Signed-off-by: Mikhail Gavrilov <[email protected]>
    Acked-by: Vivek Kasireddy <[email protected]>
    Signed-off-by: Vivek Kasireddy <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
drm/amd: Fix set but not used warnings [+ + +]
Author: Tiezhu Yang <[email protected]>
Date:   Sun Jul 5 21:40:03 2026 -0700

    drm/amd: Fix set but not used warnings
    
    [ Upstream commit 46791d147d3ab3262298478106ef2a52fc7192e2 ]
    
    There are many set but not used warnings under drivers/gpu/drm/amd when
    compiling with the latest upstream mainline GCC:
    
      drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c:305:18: warning: variable ‘p’ set but not used [-Wunused-but-set-variable=]
      drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h:103:26: warning: variable ‘internal_reg_offset’ set but not used [-Wunused-but-set-variable=]
      ...
      drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h:164:26: warning: variable ‘internal_reg_offset’ set but not used [-Wunused-but-set-variable=]
      ...
      drivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:445:13: warning: variable ‘pipe_idx’ set but not used [-Wunused-but-set-variable=]
      drivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:875:21: warning: variable ‘pipe_idx’ set but not used [-Wunused-but-set-variable=]
    
    Remove the variables actually not used or add __maybe_unused attribute for
    the variables actually used to fix them, compile tested only.
    
    Signed-off-by: Tiezhu Yang <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Signed-off-by: Ron Economos <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
drm/i915: ensure segment offset never exceeds allowed max [+ + +]
Author: Krzysztof Karas <[email protected]>
Date:   Mon Nov 18 12:19:22 2024 +0000

    drm/i915: ensure segment offset never exceeds allowed max
    
    [ Upstream commit 2e0438f9c3d25eea8bc8e9b4dcff7edfb64cb9e7 ]
    
    Commit 255fc1703e42 ("drm/i915/gem: Calculate object page offset for
    partial memory mapping") introduced a new offset, which accounts for
    userspace mapping not starting from the beginning of object's scatterlist.
    
    This works fine for cases where first object pte is larger than the new
    offset - "r->sgt.curr" counter is set to the offset to match the difference
    in the number of total pages. However, if object's first pte's size is
    equal to or smaller than the offset, then information about the offset
    in userspace is covered up by moving "r->sgt" pointer in remap_sg():
    
            r->sgt.curr += PAGE_SIZE;
            if (r->sgt.curr >= r->sgt.max)
                    r->sgt = __sgt_iter(__sg_next(r->sgt.sgp), use_dma(r->iobase));
    
    This means that two or more pages from virtual memory are counted for
    only one page in object's memory, because after moving "r->sgt" pointer
    "r->sgt.curr" will be 0.
    
    We should account for this mismatch by moving "r->sgt" pointer to the
    next pte. For that we may use "r.sgt.max", which already holds the max
    allowed size. This change also eliminates possible confusion, when
    looking at i915_scatterlist.h and remap_io_sg() code: former has
    scatterlist pointer definition, which differentiates "s.max" value
    based on "dma" flag (sg_dma_len() is used only when the flag is
    enabled), while latter uses sg_dma_len() indiscriminately.
    
    This patch aims to resolve issue:
    https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/12031
    
    v3:
     - instead of checking if r.sgt.curr would exceed allowed max, changed
    the value in the while loop to be aligned with `dma` value
    
    v4:
     - remove unnecessary parent relation
    
    v5:
     - update commit message with explanation about page counting mismatch
     and link to the issue
    
    Signed-off-by: Krzysztof Karas <[email protected]>
    Reviewed-by: Andi Shyti <[email protected]>
    Signed-off-by: Andi Shyti <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/upbjdavlbcxku63ns4vstp5kgbn2anxwewpmnppszgb67fn66t@tfclfgkqijue
    Signed-off-by: Sasha Levin <[email protected]>

 
EDAC/i10nm: Don't fail probing if ADXL is missing [+ + +]
Author: Vasily Khoruzhick <[email protected]>
Date:   Tue Apr 14 11:17:16 2026 -0700

    EDAC/i10nm: Don't fail probing if ADXL is missing
    
    commit e360a6d65bb46c527a5909430a31d640cdd5036e upstream.
    
    ADXL is not present in Coreboot- or Slimbootloader-based BIOSes and as
    result, the driver fails to probe there.
    
    Since commit 2738c69a8813 ("EDAC/i10nm: Add driver decoder for Ice Lake
    and Tremont CPUs"), i10nm_edac supports driver decoder. Switch to driver
    decoding when ADXL is not present.
    
    Signed-off-by: Vasily Khoruzhick <[email protected]>
    Signed-off-by: Tony Luck <[email protected]>
    Reviewed-by: Qiuxu Zhuo <[email protected]>
    Cc: [email protected] # v6.1+
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
exfat: bound uniname advance in exfat_find_dir_entry() [+ + +]
Author: Bryam Vargas <[email protected]>
Date:   Fri Jun 12 14:29:06 2026 -0500

    exfat: bound uniname advance in exfat_find_dir_entry()
    
    commit 3a1230e7b043c62737b05a3e9275ca83a43ad20a upstream.
    
    In exfat_find_dir_entry(), each TYPE_EXTEND (file name) entry advances the
    output pointer by a fixed amount while the loop guard only tracks the
    accumulated name length:
    
            if (++order == 2)
                    uniname = p_uniname->name;
            else
                    uniname += EXFAT_FILE_NAME_LEN;
            len = exfat_extract_uni_name(ep, entry_uniname);
            name_len += len;
            unichar = *(uniname+len);
            *(uniname+len) = 0x0;
    
    uniname grows by EXFAT_FILE_NAME_LEN (15) per name entry, but name_len
    grows only by the actual extracted length, which is shorter when a name
    fragment contains an early NUL.  The only guard is
    `name_len >= MAX_NAME_LENGTH`, so a crafted directory with many short
    name fragments lets uniname run far past the
    p_uniname->name[MAX_NAME_LENGTH + 3] buffer while name_len stays small,
    causing an out-of-bounds read and write at *(uniname+len).
    
    The sibling extractor exfat_get_uniname_from_ext_entry() already stops
    on a short fragment (the lockstep `len != EXFAT_FILE_NAME_LEN` guard
    added in commit d42334578eba ("exfat: check if filename entries exceeds
    max filename length")); exfat_find_dir_entry() never got the
    equivalent.  Track the per-entry write offset as a count and reject a
    fragment once the offset, or the offset plus the extracted length, would
    exceed MAX_NAME_LENGTH, before forming the output pointer.
    
    Fixes: ca06197382bd ("exfat: add directory operations")
    Cc: [email protected]
    Suggested-by: Namjae Jeon <[email protected]>
    Signed-off-by: Bryam Vargas <[email protected]>
    Signed-off-by: Namjae Jeon <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
f2fs: atomic: fix UAF issue on f2fs_inode_info.atomic_inode [+ + +]
Author: Chao Yu <[email protected]>
Date:   Fri Jul 3 09:23:42 2026 -0400

    f2fs: atomic: fix UAF issue on f2fs_inode_info.atomic_inode
    
    [ Upstream commit e0288584baa5dc41df4a829a023c4c1b33fe53d7 ]
    
    - ioctl(F2FS_IOC_GARBAGE_COLLECT_RANGE)         - shrink
     - f2fs_gc
      - gc_data_segment
       - ra_data_block(cow_inode)
        - mapping = F2FS_I(inode)->atomic_inode->i_mapping
        : f2fs_is_cow_file(cow_inode) is true
                                                     - f2fs_evict_inode(atomic_inode)
                                                      - clear_inode_flag(fi->cow_inode, FI_COW_FILE)
                                                      - F2FS_I(fi->cow_inode)->atomic_inode = NULL
                                                      ...
                                                      - truncate_inode_pages_final(atomic_inode)
        - f2fs_grab_cache_folio(mapping)
        : create folio in atomic_inode->mapping
                                                      - clear_inode(atomic_inode)
                                                       - BUG_ON(atomic_inode->i_data.nrpages)
    
    We need to add a reference on fi->atomic_inode before using its mapping
    field during garbage collection, otherwise, it will cause UAF issue.
    
    Cc: [email protected]
    Cc: Daeho Jeong <[email protected]>
    Cc: Sunmin Jeong <[email protected]>
    Fixes: 3db1de0e582c ("f2fs: change the current atomic write way")
    Fixes: f18d00769336 ("f2fs: use meta inode for GC of COW file")
    Signed-off-by: Chao Yu <[email protected]>
    Signed-off-by: Jaegeuk Kim <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

f2fs: bound i_inline_xattr_size for non-inline-xattr inodes [+ + +]
Author: Bryam Vargas <[email protected]>
Date:   Fri Jul 3 10:26:35 2026 -0400

    f2fs: bound i_inline_xattr_size for non-inline-xattr inodes
    
    [ Upstream commit 378acf3cf19b6af6cba55e8dd1154c4e1504bae8 ]
    
    When the flexible_inline_xattr feature is enabled, do_read_inode() loads
    the on-disk i_inline_xattr_size unconditionally:
    
            if (f2fs_sb_has_flexible_inline_xattr(sbi))
                    fi->i_inline_xattr_size = le16_to_cpu(ri->i_inline_xattr_size);
    
    but sanity_check_inode() only range-checks it when the inode also has the
    FI_INLINE_XATTR flag set.  An inode that carries an inline dentry or inline
    data but not FI_INLINE_XATTR -- the normal layout for an inline
    directory -- therefore keeps a fully attacker-controlled
    i_inline_xattr_size from a crafted image.
    
    get_inline_xattr_addrs() returns that value with no flag gating, so it
    feeds the inode geometry:
    
            MAX_INLINE_DATA()  = 4 * (CUR_ADDRS_PER_INODE - i_inline_xattr_size - 1)
            NR_INLINE_DENTRY() = MAX_INLINE_DATA() * BITS_PER_BYTE / (...)
            addrs_per_page()   = CUR_ADDRS_PER_INODE - i_inline_xattr_size
    
    A large i_inline_xattr_size drives MAX_INLINE_DATA() and NR_INLINE_DENTRY()
    negative, so make_dentry_ptr_inline() sets d->max (int) to a negative
    value.  The inline directory walk then compares an unsigned long bit_pos
    against that negative d->max, which is promoted to a huge unsigned bound,
    and reads far past the inline area:
    
            while (bit_pos < d->max)                /* fs/f2fs/dir.c */
                    ... test_bit_le(bit_pos, d->bitmap) / d->dentry[bit_pos] ...
    
    Mounting a crafted image and reading such a directory triggers an
    out-of-bounds read in f2fs_fill_dentries(); the same underflow also
    corrupts ADDRS_PER_INODE for regular files.
    
    Validate i_inline_xattr_size against MAX_INLINE_XATTR_SIZE whenever the
    flexible_inline_xattr feature is enabled -- i.e. whenever the value is
    loaded from disk and consumed -- and keep the lower MIN_INLINE_XATTR_SIZE
    bound gated on inodes that actually carry an inline xattr, so legitimate
    inodes with i_inline_xattr_size == 0 are still accepted.
    
    Cc: [email protected]
    Fixes: 6afc662e68b5 ("f2fs: support flexible inline xattr size")
    Signed-off-by: Bryam Vargas <[email protected]>
    Reviewed-by: Chao Yu <[email protected]>
    Signed-off-by: Jaegeuk Kim <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

f2fs: fix listxattr handling of corrupted xattr entries [+ + +]
Author: Keshav Verma <[email protected]>
Date:   Fri Jul 3 14:50:15 2026 -0400

    f2fs: fix listxattr handling of corrupted xattr entries
    
    [ Upstream commit 5ef5bc304f23c3fe255d4936472378dcb74d0e94 ]
    
    Validate the xattr entry before reading its fields in f2fs_listxattr().
    Return -EFSCORRUPTED when the entry is outside the valid xattr storage
    area instead of returning a successful partial result.
    
    Fixes: 688078e7f36c ("f2fs: fix to avoid memory leakage in f2fs_listxattr")
    Cc: [email protected]
    Reviewed-by: Chao Yu <[email protected]>
    Signed-off-by: Keshav Verma <[email protected]>
    Signed-off-by: Jaegeuk Kim <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

f2fs: fix potential deadlock in f2fs_balance_fs() [+ + +]
Author: Ruipeng Qi <[email protected]>
Date:   Fri Jul 3 14:24:12 2026 -0400

    f2fs: fix potential deadlock in f2fs_balance_fs()
    
    [ Upstream commit dd3114870771562036fdcf5abe813956f36d224d ]
    
    When the f2fs filesystem space is nearly exhausted, we encounter deadlock
    issues as below:
    
    INFO: task A:1890 blocked for more than 120 seconds.
          Tainted: G           O       6.12.41-g3fe07ddf05ab #1
    "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
    task:A    state:D stack:0     pid:1890  tgid:1626  ppid:1153   flags:0x00000204
    Call trace:
     __switch_to+0xf4/0x158
     __schedule+0x27c/0x908
     schedule+0x3c/0x118
     io_schedule+0x44/0x68
     folio_wait_bit_common+0x174/0x370
     folio_wait_bit+0x20/0x38
     folio_wait_writeback+0x54/0xc8
     truncate_inode_partial_folio+0x70/0x1e0
     truncate_inode_pages_range+0x1b0/0x450
     truncate_pagecache+0x54/0x88
     f2fs_file_write_iter+0x3e8/0xb80
     do_iter_readv_writev+0xf0/0x1e0
     vfs_writev+0x138/0x2c8
     do_writev+0x88/0x130
     __arm64_sys_writev+0x28/0x40
     invoke_syscall+0x50/0x120
     el0_svc_common.constprop.0+0xc8/0xf0
     do_el0_svc+0x24/0x38
     el0_svc+0x30/0xf8
     el0t_64_sync_handler+0x120/0x130
     el0t_64_sync+0x190/0x198
    
    INFO: task kworker/u8:11:2680853 blocked for more than 120 seconds.
          Tainted: G           O       6.12.41-g3fe07ddf05ab #1
    "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
    task:kworker/u8:11   state:D stack:0     pid:2680853 tgid:2680853 ppid:2      flags:0x00000208
    Workqueue: writeback wb_workfn (flush-254:0)
    Call trace:
     __switch_to+0xf4/0x158
     __schedule+0x27c/0x908
     schedule+0x3c/0x118
     io_schedule+0x44/0x68
     folio_wait_bit_common+0x174/0x370
     __filemap_get_folio+0x214/0x348
     pagecache_get_page+0x20/0x70
     f2fs_get_read_data_page+0x150/0x3e8
     f2fs_get_lock_data_page+0x2c/0x160
     move_data_page+0x50/0x478
     do_garbage_collect+0xd38/0x1528
     f2fs_gc+0x240/0x7e0
     f2fs_balance_fs+0x1a0/0x208
     f2fs_write_single_data_page+0x6e4/0x730
     f2fs_write_cache_pages+0x378/0x9b0
     f2fs_write_data_pages+0x2e4/0x388
     do_writepages+0x8c/0x2c8
     __writeback_single_inode+0x4c/0x498
     writeback_sb_inodes+0x234/0x4a8
     __writeback_inodes_wb+0x58/0x118
     wb_writeback+0x2f8/0x3c0
     wb_workfn+0x2c4/0x508
     process_one_work+0x180/0x408
     worker_thread+0x258/0x368
     kthread+0x118/0x128
     ret_from_fork+0x10/0x200
    
    INFO: task kworker/u8:8:2641297 blocked for more than 120 seconds.
          Tainted: G           O       6.12.41-g3fe07ddf05ab #1
    "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
    task:kworker/u8:8    state:D stack:0     pid:2641297 tgid:2641297 ppid:2      flags:0x00000208
    Workqueue: writeback wb_workfn (flush-254:0)
    Call trace:
     __switch_to+0xf4/0x158
     __schedule+0x27c/0x908
     rt_mutex_schedule+0x30/0x60
     __rt_mutex_slowlock_locked.constprop.0+0x460/0x8a8
     rwbase_write_lock+0x24c/0x378
     down_write+0x1c/0x30
     f2fs_balance_fs+0x184/0x208
     f2fs_write_inode+0xf4/0x328
     __writeback_single_inode+0x370/0x498
     writeback_sb_inodes+0x234/0x4a8
     __writeback_inodes_wb+0x58/0x118
     wb_writeback+0x2f8/0x3c0
     wb_workfn+0x2c4/0x508
     process_one_work+0x180/0x408
     worker_thread+0x258/0x368
     kthread+0x118/0x128
     ret_from_fork+0x10/0x20
    
    INFO: task B:1902 blocked for more than 120 seconds.
          Tainted: G           O       6.12.41-g3fe07ddf05ab #1
    "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
    task:B     state:D stack:0     pid:1902  tgid:1626  ppid:1153   flags:0x0000020c
    Call trace:
     __switch_to+0xf4/0x158
     __schedule+0x27c/0x908
     rt_mutex_schedule+0x30/0x60
     __rt_mutex_slowlock_locked.constprop.0+0x460/0x8a8
     rwbase_write_lock+0x24c/0x378
     down_write+0x1c/0x30
     f2fs_balance_fs+0x184/0x208
     f2fs_map_blocks+0x94c/0x1110
     f2fs_file_write_iter+0x228/0xb80
     do_iter_readv_writev+0xf0/0x1e0
     vfs_writev+0x138/0x2c8
     do_writev+0x88/0x130
     __arm64_sys_writev+0x28/0x40
     invoke_syscall+0x50/0x120
     el0_svc_common.constprop.0+0xc8/0xf0
     do_el0_svc+0x24/0x38
     el0_svc+0x30/0xf8
     el0t_64_sync_handler+0x120/0x130
     el0t_64_sync+0x190/0x198
    
    INFO: task sync:2769849 blocked for more than 120 seconds.
          Tainted: G           O       6.12.41-g3fe07ddf05ab #1
    "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
    task:sync            state:D stack:0     pid:2769849 tgid:2769849 ppid:736    flags:0x0000020c
    Call trace:
     __switch_to+0xf4/0x158
     __schedule+0x27c/0x908
     schedule+0x3c/0x118
     wb_wait_for_completion+0xb0/0xe8
     sync_inodes_sb+0xc8/0x2b0
     sync_inodes_one_sb+0x24/0x38
     iterate_supers+0xa8/0x138
     ksys_sync+0x54/0xc8
     __arm64_sys_sync+0x18/0x30
     invoke_syscall+0x50/0x120
     el0_svc_common.constprop.0+0xc8/0xf0
     do_el0_svc+0x24/0x38
     el0_svc+0x30/0xf8
     el0t_64_sync_handler+0x120/0x130
     el0t_64_sync+0x190/0x198
    
    The root cause is a potential deadlock between the following tasks:
    
    kworker/u8:11                           Thread A
    - f2fs_write_single_data_page
     - f2fs_do_write_data_page
      - folio_start_writeback(X)
      - f2fs_outplace_write_data
       - bio_add_folio(X)
     - folio_unlock(X)
                                            - truncate_inode_pages_range
                                             - __filemap_get_folio(X, FGP_LOCK)
                                             - truncate_inode_partial_folio(X)
                                              - folio_wait_writeback(X)
     - f2fs_balance_fs
      - f2fs_gc
       - do_garbage_collect
        - move_data_page
         - f2fs_get_lock_data_page
          - __filemap_get_folio(X, FGP_LOCK)
    
    Both threads try to access folio X. Thread A holds the lock but waits
    for writeback, while kworker waits for the lock. This causes a deadlock.
    
    Other threads also enter D state, waiting for locks such as gc_lock and
    writepages.
    
    OPU/IPU DATA folio are all affected by this issue. To avoid such
    potential deadlocks, always commit these cached folios before
    triggering f2fs_gc() in f2fs_balance_fs().
    
    Suggested-by: Chao Yu <[email protected]>
    Reviewed-by: Chao Yu <[email protected]>
    Signed-off-by: Ruipeng Qi <[email protected]>
    Signed-off-by: Jaegeuk Kim <[email protected]>
    Stable-dep-of: 8b4468ec023d ("f2fs: fix potential deadlock in gc_merge path of f2fs_balance_fs()")
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

f2fs: fix potential deadlock in gc_merge path of f2fs_balance_fs() [+ + +]
Author: Chao Yu <[email protected]>
Date:   Fri Jul 3 14:24:13 2026 -0400

    f2fs: fix potential deadlock in gc_merge path of f2fs_balance_fs()
    
    [ Upstream commit 8b4468ec023d0d1b4669dfb867588997cc03a06b ]
    
    When we mount device w/ gc_merge mount option, we may suffer below
    potential deadlock:
    
    Kworker                                 GC trehad                       Truncator
    - f2fs_write_cache_pages
     - f2fs_write_single_data_page
      - f2fs_do_write_data_page
       - folio_start_writeback  --- set writeback flag on folio
       - f2fs_outplace_write_data
       : cached folio in internal bio cache
      - f2fs_balance_fs
       - wake_up(gc_thread)
       : wake up gc thread to run foreground GC
       - finish_wait(fggc_wq)
       : wait on the waitqueue --- wait on GC thread to finish the work
                                                                            - truncate_inode_pages_range
                                                                             - __filemap_get_folio(, FGP_LOCK)  --- lock folio
                                                                             - truncate_inode_partial_folio
                                                                              - folio_wait_writeback            --- wait on writeback being cleared
                                            - do_garbage_collect
                                             - move_data_page
                                              - f2fs_get_lock_data_folio
                                               - lock on folio  --- blocked on folio's lock
    
    In order to avoid such deadlock, let's call below functions to commit
    cached bios in GC_MERGE path of f2fs_balance_fs() as the same as we did
    in NOGC_MERGE path.
    - f2fs_submit_merged_write(sbi, DATA);
    - f2fs_submit_all_merged_ipu_writes(sbi);
    
    Cc: [email protected]
    Fixes: 351df4b20115 ("f2fs: add segment operations")
    Cc: Ruipeng Qi <[email protected]>
    Reported: Sandeep Dhavale <[email protected]>
    Signed-off-by: Chao Yu <[email protected]>
    Signed-off-by: Chao Yu <[email protected]>
    Signed-off-by: Jaegeuk Kim <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

f2fs: validate orphan inode entry count [+ + +]
Author: Wenjie Qi <[email protected]>
Date:   Fri Jul 3 08:34:00 2026 -0400

    f2fs: validate orphan inode entry count
    
    [ Upstream commit 846c499a65816d13f1186e3090e825e8bb8bcb8b ]
    
    f2fs_recover_orphan_inodes() trusts the orphan block entry_count when
    replaying orphan inodes from the checkpoint pack. A corrupted entry_count
    larger than F2FS_ORPHANS_PER_BLOCK makes the recovery loop read past the
    ino[] array and interpret footer or following data as inode numbers.
    
    On a crafted image, mounting an unpatched kernel can drive orphan recovery
    into f2fs_bug_on() and panic the kernel. Validate entry_count before
    consuming entries so corrupted checkpoint data fails the mount with
    -EFSCORRUPTED and requests fsck instead.
    
    Set ERROR_INCONSISTENT_ORPHAN as well, so the corruption reason can be
    recorded in the superblock s_errors[] field. This gives fsck a persistent
    hint even though mount-time orphan recovery failure may leave no chance to
    persist SBI_NEED_FSCK through a checkpoint.
    
    Cc: [email protected]
    Fixes: 127e670abfa7 ("f2fs: add checkpoint operations")
    Signed-off-by: Wenjie Qi <[email protected]>
    Reviewed-by: Chao Yu <[email protected]>
    Signed-off-by: Jaegeuk Kim <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
fbdev: fbcon: fix out-of-bounds read in err_out of fbcon_do_set_font() [+ + +]
Author: Mingyu Wang <[email protected]>
Date:   Sat Jul 4 23:11:39 2026 -0400

    fbdev: fbcon: fix out-of-bounds read in err_out of fbcon_do_set_font()
    
    [ Upstream commit 8fdc8c2057eea08d40ce2c8eed41ff9e451c65c2 ]
    
    When fbcon_do_set_font() fails (e.g., due to a memory allocation failure
    inside vc_resize() under heavy memory pressure), it jumps to the `err_out`
    label to roll back the console state. However, the current rollback logic
    forgets to restore the `hi_font` state, leading to a severe state machine
    corruption.
    
    Earlier in the function, `set_vc_hi_font()` might be called to change
    `vc->vc_hi_font_mask` and mutate the screen buffer. If `vc_resize()`
    subsequently fails, the `err_out` path restores `vc_font.charcount`
    but entirely skips rolling back the `vc_hi_font_mask` and the screen
    buffer.
    
    This mismatch leaves the terminal in a desynchronized state. Because
    `vc_hi_font_mask` remains set, the VT subsystem will still accept
    character indices greater than 255 from userspace and write them to the
    screen buffer. Subsequent rendering calls (e.g., `fbcon_putcs()`) will
    then use these inflated indices to access the reverted, 256-character
    font array, leading to a deterministic out-of-bounds read and potential
    kernel memory disclosure.
    
    Fix this by adding the missing rollback logic for the `hi_font` mask
    and screen buffer in the error path.
    
    Fixes: a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed")
    Cc: [email protected]
    Signed-off-by: Mingyu Wang <[email protected]>
    Reviewed-by: Thomas Zimmermann <[email protected]>
    Signed-off-by: Helge Deller <[email protected]>
    [ Adjust context ]
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
firmware_loader: fix device reference leak in firmware_upload_register() [+ + +]
Author: Guangshuo Li <[email protected]>
Date:   Tue May 5 17:12:31 2026 +0800

    firmware_loader: fix device reference leak in firmware_upload_register()
    
    commit 896df22ee57648b0c505bd76ddbc6b2341834696 upstream.
    
    firmware_upload_register()
      -> fw_create_instance()
         -> device_initialize()
    
    After fw_create_instance() succeeds, the lifetime of the embedded struct
    device is expected to be managed through the device core reference
    counting, since fw_create_instance() has already called
    device_initialize().
    
    In firmware_upload_register(), if alloc_lookup_fw_priv() fails after
    fw_create_instance() succeeds, the code reaches free_fw_sysfs and frees
    fw_sysfs directly instead of releasing the device reference with
    put_device(). This may leave the reference count of the embedded struct
    device unbalanced, resulting in a refcount leak.
    
    The issue was identified by a static analysis tool I developed and
    confirmed by manual review. Fix this by using put_device(fw_dev) in the
    failure path and letting fw_dev_release() handle the final cleanup,
    instead of freeing the instance directly from the error path.
    
    Fixes: 97730bbb242c ("firmware_loader: Add firmware-upload support")
    Cc: [email protected]
    Signed-off-by: Guangshuo Li <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Danilo Krummrich <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked() [+ + +]
Author: Deepanshu Kartikey <[email protected]>
Date:   Thu Mar 19 13:15:46 2026 +0530

    fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()
    
    [ Upstream commit d7ea8495fd307b58f8867acd81a1b40075b1d3ba ]
    
    When a compressed or sparse attribute has its clusters frame-aligned,
    vcn is rounded down to the frame start using cmask, which can result
    in vcn != vcn0. In this case, vcn and vcn0 may reside in different
    attribute segments.
    
    The code already handles the case where vcn is in a different segment
    by loading its runs before allocation. However, it fails to load runs
    for vcn0 when vcn0 resides in a different segment than vcn. This causes
    run_lookup_entry() to return SPARSE_LCN for vcn0 since its segment was
    never loaded into the in-memory run list, triggering the WARN_ON(1).
    
    Fix this by adding a missing check for vcn0 after the existing vcn
    segment check. If vcn0 falls outside the current segment range
    [svcn, evcn1), find and load the attribute segment containing vcn0
    before performing the run lookup.
    
    The following scenario triggers the bug:
      attr_data_get_block_locked()
        vcn = vcn0 & cmask        <- vcn != vcn0 after frame alignment
        load runs for vcn segment <- vcn0 segment not loaded!
        attr_allocate_clusters()  <- allocation succeeds
        run_lookup_entry(vcn0)    <- vcn0 not in run -> SPARSE_LCN
        WARN_ON(1)                <- bug fires here!
    
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=c1e9aedbd913fadad617
    Fixes: c380b52f6c57 ("fs/ntfs3: Change new sparse cluster processing")
    Signed-off-by: Deepanshu Kartikey <[email protected]>
    Signed-off-by: Konstantin Komarov <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

fs/ntfs3: fsync files by syncing parent inodes [+ + +]
Author: Konstantin Komarov <[email protected]>
Date:   Fri Dec 12 14:12:18 2025 +0300

    fs/ntfs3: fsync files by syncing parent inodes
    
    [ Upstream commit dcd9d6a47199565d83d61a11bbf91fa2ade4d676 ]
    
    Some xfstests expect fsync() on a file or directory to also persist
    directory metadata up the parent chain. Using generic_file_fsync() is not
    sufficient for ntfs, because parent directories are not explicitly
    written out.
    
    Signed-off-by: Konstantin Komarov <[email protected]>
    Stable-dep-of: d7ea8495fd30 ("fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()")
    Signed-off-by: Sasha Levin <[email protected]>

fs/ntfs3: rename ni_readpage_cmpr into ni_read_folio_cmpr [+ + +]
Author: Konstantin Komarov <[email protected]>
Date:   Mon Dec 8 22:57:46 2025 +0300

    fs/ntfs3: rename ni_readpage_cmpr into ni_read_folio_cmpr
    
    [ Upstream commit 4248f563f0b76f3fb74b2a28ee068bf66fcbbedf ]
    
    The old "readpage" naming is still used in ni_readpage_cmpr(), even though
    the vfs has transitioned to the folio-based read_folio() API.
    
    This patch performs a straightforward renaming of the helper:
    ni_readpage_cmpr() -> ni_read_folio_cmpr().
    
    Signed-off-by: Konstantin Komarov <[email protected]>
    Stable-dep-of: d7ea8495fd30 ("fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()")
    Signed-off-by: Sasha Levin <[email protected]>

fs/ntfs3: validate Dirty Page Table capacity in log_replay copy_lcns [+ + +]
Author: Yunpeng Tian <[email protected]>
Date:   Mon May 4 07:19:43 2026 -0700

    fs/ntfs3: validate Dirty Page Table capacity in log_replay copy_lcns
    
    commit 57382ec6ac63b63dce2789e835fded28b698ae79 upstream.
    
    In the analysis pass of $LogFile journal replay, log_replay() copies
    LCNs from each action log record into an existing Dirty Page Table
    (DPT) entry without bounding the destination index. A crafted NTFS
    image with DPT entry lcns_follow=1 and an action log record with
    lcns_follow=2 produces a kernel slab out-of-bounds write at mount
    time:
    
      BUG: KASAN: slab-out-of-bounds in log_replay+0x654c/0xdb60
      Write of size 8 at addr ffff8880095e1040 by task mount
    
    Two attacker-controlled fields can drive j+i past the allocated
    page_lcns[] array:
    
      1. dp->lcns_follow (capacity) can be smaller than lrh->lcns_follow.
      2. lrh->target_vcn may be smaller than dp->vcn, making the u64
         subtraction wrap to a huge size_t.
    
    Validate target VCN delta and per-record LCN count against the
    DPT entry capacity, bail via the existing out: cleanup label with
    -EINVAL.
    
    This mirrors the bounds-check pattern added in commit b2bc7c44ed17
    ("fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot")
    and commit 0ca0485e4b2e ("fs/ntfs3: validate rec->used in
    journal-replay file record check").
    
    Fixes: b46acd6a6a62 ("fs/ntfs3: Add NTFS journal")
    Reported-by: Yunpeng Tian <[email protected]>
    Reported-by: Mingda Zhang <[email protected]>
    Reported-by: Gongming Wang <[email protected]>
    Reported-by: Peiyuan Xu <[email protected]>
    Reported-by: Qinrun Dai <[email protected]>
    Cc: [email protected]
    Signed-off-by: Yunpeng Tian <[email protected]>
    Signed-off-by: Konstantin Komarov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

fs/ntfs3: zero-fill folios beyond i_valid in ntfs_read_folio() [+ + +]
Author: Konstantin Komarov <[email protected]>
Date:   Fri Dec 12 14:38:10 2025 +0300

    fs/ntfs3: zero-fill folios beyond i_valid in ntfs_read_folio()
    
    [ Upstream commit 356fa248168be90109b66f32a61b8eaedc98424a ]
    
    Handle ntfs_read_folio() early when the folio offset is beyond i_valid
    by zero-filling the folio and marking it uptodate. This avoids needless
    I/O and locking, improves read performance.
    
    Signed-off-by: Konstantin Komarov <[email protected]>
    Stable-dep-of: d7ea8495fd30 ("fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()")
    [ sashal: dropped the is_bad_ni() bail-out; 6.12 lacks is_bad_ni()/ni_bad
      (introduced upstream by 519b078998ce6e) ]
    Signed-off-by: Sasha Levin <[email protected]>

 
fuse: clear intr_entry in fuse_resend and fuse_remove_pending_req [+ + +]
Author: Ji'an Zhou <[email protected]>
Date:   Tue Jun 9 09:58:51 2026 +0000

    fuse: clear intr_entry in fuse_resend and fuse_remove_pending_req
    
    commit f8fce75fedf73ac72aa09163deb8f4291fdcaad2 upstream.
    
    When fuse_resend() moves a request from fpq->processing back to
    fiq->pending, it sets FR_PENDING and clears FR_SENT but does not
    remove the requests intr_entry from fiq->interrupts.  If the
    request had FR_INTERRUPTED set from a prior signal, intr_entry
    remains dangling on fiq->interrupts.  When the requesting task
    then receives a fatal signal, fuse_remove_pending_req() sees
    FR_PENDING=1, removes the request from fiq->pending and frees it
    via the refcount path, also without cleaning intr_entry.  The
    stale intr_entry causes use-after-free when fuse_read_interrupt()
    iterates fiq->interrupts:
      - list_del_init(&req->intr_entry) -> UAF write on freed slab
      - req->in.h.unique -> UAF read, data leaked to userspace
    
    Remove intr_entry from fiq->interrupts in fuse_resend() for
    interrupted requests before they are placed back on fiq->pending.
    
    Add a WARN_ON if the intr_entry is not empty on request destruction.
    
    Fixes: 760eac73f9f6 ("fuse: Introduce a new notification type for resend pending requests")
    Cc: [email protected] # 6.9
    Signed-off-by: Ji'an Zhou <[email protected]>
    Signed-off-by: Miklos Szeredi <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

fuse: fix device node leak in cuse_process_init_reply() [+ + +]
Author: Alberto Ruiz <[email protected]>
Date:   Wed Apr 8 17:23:40 2026 +0200

    fuse: fix device node leak in cuse_process_init_reply()
    
    commit 9fa4f7a53406430ee9982f2f636a15b338185122 upstream.
    
    If device_add() succeeds during CUSE initialization but a subsequent
    step (cdev_alloc() or cdev_add()) fails, the error path calls
    put_device() without first calling device_del().  This leaks the
    devtmpfs entry created by device_add(), leaving a stale /dev/<name>
    node that persists until reboot.
    
    Since the cuse_conn is never linked into cuse_conntbl on the failure
    path, cuse_channel_release() sees cc->dev == NULL and skips
    device_unregister(), so no other code path cleans up the node.
    
    This has several consequences:
    
     - The device name is permanently poisoned: any subsequent attempt to
       create a CUSE device with the same name hits the stale sysfs entry,
       device_add() fails, and the new device is aborted.
    
     - The collision manifests as ENODEV returned to userspace with no
       dmesg diagnostic, making it very difficult to debug.
    
     - The failure is self-perpetuating: once a name is leaked, all future
       attempts with that name fail identically.
    
    Fix this by introducing an err_dev label that calls device_del() to
    undo device_add() before falling through to err_unlock.  The existing
    err_unlock path from a device_add() failure correctly skips device_del()
    since the device was never added.
    
    Testing instructions can be found at the lore link below.
    
    Link: https://lore.kernel.org/all/[email protected]/
    Signed-off-by: Alberto Ruiz <[email protected]>
    Fixes: 151060ac1314 ("CUSE: implement CUSE - Character device in Userspace")
    Cc: [email protected]
    Signed-off-by: Miklos Szeredi <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

fuse: re-lock request before returning from fuse_ref_folio() [+ + +]
Author: Joanne Koong <[email protected]>
Date:   Mon May 18 22:28:07 2026 -0700

    fuse: re-lock request before returning from fuse_ref_folio()
    
    commit b5befa80fdbe287a98480effed9564712924add5 upstream.
    
    fuse_ref_folio() unlocks the request but does not re-lock it before
    returning. fuse_chan_abort() can end the request and the async end
    callback (eg fuse_writepage_free()) can free the args while the
    subsequent copy chain logic after fuse_ref_folio() accesses them,
    leading to use-after-free issues.
    
    Fix this by locking the request in fuse_ref_folio() before returning.
    
    Fixes: c3021629a0d8 ("fuse: support splice() reading from fuse device")
    Cc: [email protected]
    Signed-off-by: Joanne Koong <[email protected]>
    Signed-off-by: Miklos Szeredi <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
gpio: eic-sprd: use raw_spinlock_t in the irq startup path [+ + +]
Author: Runyu Xiao <[email protected]>
Date:   Wed Jun 17 23:40:35 2026 +0800

    gpio: eic-sprd: use raw_spinlock_t in the irq startup path
    
    commit 90f0109019e6817eb40a486671b7722d1544ae29 upstream.
    
    sprd_eic_irq_unmask() enables the GPIO IRQ and then updates controller
    state through sprd_eic_update(), which takes sprd_eic->lock with
    spin_lock_irqsave().  The callback can be reached from irq_startup()
    while setting up a requested IRQ.  That path is not sleepable, but on
    PREEMPT_RT a regular spinlock_t becomes a sleeping lock.
    
    This issue was found by our static analysis tool and then manually
    reviewed against the current tree.
    
    The grounded PoC kept the request_threaded_irq() -> __setup_irq() ->
    irq_startup() -> sprd_eic_irq_unmask() -> sprd_eic_update() carrier and
    used the original spin_lock_irqsave(&sprd_eic->lock) edge.  Lockdep
    reported:
    
      BUG: sleeping function called from invalid context
      hardirqs last disabled at ... __setup_irq.constprop.0 ... [vuln_msv]
      sprd_rt_spin_lock_irqsave+0x1c/0x30 [vuln_msv]
      sprd_eic_update.constprop.0+0x48/0x90 [vuln_msv]
      sprd_eic_irq_unmask.constprop.0+0x35/0x50 [vuln_msv]
      __setup_irq.constprop.0+0xd/0x30 [vuln_msv]
    
    Convert the Spreadtrum EIC controller lock to raw_spinlock_t.  The
    locked section only serializes MMIO register updates and does not contain
    sleepable operations, so keeping it non-sleeping is appropriate for the
    irqchip callbacks.
    
    Fixes: 25518e024e3a ("gpio: Add Spreadtrum EIC driver support")
    Cc: [email protected]
    Signed-off-by: Runyu Xiao <[email protected]>
    Reviewed-by: Sebastian Andrzej Siewior <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Bartosz Golaszewski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

gpio: rockchip: change the GPIO version judgment logic [+ + +]
Author: Ye Zhang <[email protected]>
Date:   Mon Jul 6 18:17:11 2026 +0200

    gpio: rockchip: change the GPIO version judgment logic
    
    [ Upstream commit 41209307cad7f14c387c68375a93b50e54261a53 ]
    
    Have a list of valid IDs and default to -ENODEV.
    
    Signed-off-by: Ye Zhang <[email protected]>
    Reviewed-by: Sebastian Reichel <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Bartosz Golaszewski <[email protected]>
    Signed-off-by: Heiko Stuebner <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

gpio: rockchip: fix generic IRQ chip leak on remove [+ + +]
Author: Marco Scardovi <[email protected]>
Date:   Mon Jul 6 18:17:13 2026 +0200

    gpio: rockchip: fix generic IRQ chip leak on remove
    
    [ Upstream commit 1c1e0fc88d6ef65bf15d517853251f75ab9d18c3 ]
    
    The driver allocates domain generic chips using
    irq_alloc_domain_generic_chips() during probe. However, on driver
    remove/teardown, the generic chips are not automatically freed when the
    IRQ domain is removed because the domain flags do not include
    IRQ_DOMAIN_FLAG_DESTROY_GC.
    
    This causes both the domain generic chips structure and the associated
    generic chips to be leaked. Additionally, the generic chips remain on
    the global gc_list and may later be visited by generic IRQ chip suspend,
    resume, or shutdown callbacks after the GPIO bank has been removed,
    potentially resulting in a use-after-free and kernel crash.
    
    Fix the resource leak by explicitly calling
    irq_domain_remove_generic_chips() before removing the IRQ domain in
    rockchip_gpio_remove().
    
    Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio")
    Assisted-by: Antigravity:gemini-3.5-flash
    Signed-off-by: Marco Scardovi <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Bartosz Golaszewski <[email protected]>
    Signed-off-by: Heiko Stuebner <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

gpio: rockchip: teardown bugs and resource leaks [+ + +]
Author: Marco Scardovi <[email protected]>
Date:   Mon Jul 6 18:17:12 2026 +0200

    gpio: rockchip: teardown bugs and resource leaks
    
    [ Upstream commit 9500077678230e36d22bf16d2b9539c13e59a801 ]
    
    Address several teardown issues and resource leaks in the driver's remove
    path and error handling:
    
    1. Debounce clock reference leak: The debounce clock (bank->db_clk) is
       obtained using of_clk_get() which increments the clock's reference
       count, but clk_put() is never called. Register a devm action to
       cleanly release it on unbind. Note that of_clk_get(..., 1) remains
       necessary over devm_clk_get() because the DT binding does not define
       clock-names, precluding name-based lookup.
    
    2. Unregistered chained IRQ handler: The chained IRQ handler is not
       disconnected in remove(). If a stray interrupt fires after the driver
       is removed, the kernel attempts to execute a stale handler, leading
       to a panic. Fix this by clearing the handler in remove().
    
    3. IRQ domain leak: The linear IRQ domain and its generic chips are
       allocated manually during probe but never removed. Remove the IRQ
       domain during driver teardown to free the associated generic chips
       and mappings.
    
    Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio")
    Assisted-by: Antigravity:gemini-3.5-flash
    Signed-off-by: Marco Scardovi <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    [Bartosz: don't emit an error message on devres allocation failure]
    Signed-off-by: Bartosz Golaszewski <[email protected]>
    Signed-off-by: Heiko Stuebner <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
hfs/hfsplus: zero-initialize buffer in hfs_bnode_read [+ + +]
Author: Tristan Madani <[email protected]>
Date:   Tue May 5 11:12:59 2026 +0000

    hfs/hfsplus: zero-initialize buffer in hfs_bnode_read
    
    commit d67aadee19ffdf3cc8520c5a4f4d5b2916d30baf upstream.
    
    hfs_bnode_read() can return early without writing to the output buffer
    when is_bnode_offset_valid() fails or when check_and_correct_requested_
    length() corrects the length to zero.  Callers such as hfs_bnode_read_
    u16() and hfs_bnode_read_u8() pass stack-allocated buffers and use the
    result unconditionally, leading to KMSAN uninit-value reports.
    
    Rather than initializing at each individual call site, zero the buffer
    at the start of hfs_bnode_read() before any validation checks.  This
    ensures all callers in both hfs and hfsplus get a deterministic zero
    value regardless of which early-return path is taken.
    
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
    Tested-by: [email protected]
    Fixes: a431930c9bac ("hfs: fix slab-out-of-bounds in hfs_bnode_read()")
    Cc: [email protected]
    Signed-off-by: Tristan Madani <[email protected]>
    Reviewed-by: Viacheslav Dubeyko <[email protected]>
    Signed-off-by: Viacheslav Dubeyko <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Viacheslav Dubeyko <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
HID: hid-goodix-spi: validate report size to prevent stack buffer overflow [+ + +]
Author: Tianchu Chen <[email protected]>
Date:   Fri May 29 13:42:47 2026 +0000

    HID: hid-goodix-spi: validate report size to prevent stack buffer overflow
    
    commit db0a0768d09273aadadeb76730cd658d720333a4 upstream.
    
    goodix_hid_set_raw_report() builds a protocol frame in a 128-byte stack
    buffer (tmp_buf), writing an 11-12 byte header followed by the
    caller-supplied report data.  The HID core caps report size at
    HID_MAX_BUFFER_SIZE (16384) by default, while the driver does not set
    hid_ll_driver.max_buffer_size and performs no bounds checking before
    copying the payload:
    
        memcpy(tmp_buf + tx_len, buf, len);
    
    A hidraw SET_REPORT ioctl with a report larger than ~116 bytes
    overflows the stack buffer.
    
    Add a size check after constructing the header, rejecting reports that
    would exceed the buffer capacity.
    
    Discovered by Atuin - Automated Vulnerability Discovery Engine.
    
    Fixes: 75e16c8ce283 ("HID: hid-goodix: Add Goodix HID-over-SPI driver")
    Cc: [email protected]
    Signed-off-by: Tianchu Chen <[email protected]>
    Reviewed-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Jiri Kosina <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

HID: letsketch: fix UAF on inrange_timer at driver unbind [+ + +]
Author: Manish Khadka <[email protected]>
Date:   Fri May 15 22:27:00 2026 +0545

    HID: letsketch: fix UAF on inrange_timer at driver unbind
    
    commit 46c8beeccd8ab2c863827254a85ea877654a3534 upstream.
    
    letsketch_driver does not provide a .remove callback, but
    letsketch_probe() arms a per-device timer:
    
        timer_setup(&data->inrange_timer, letsketch_inrange_timeout, 0);
    
    The timer is re-armed from letsketch_raw_event() with a 100 ms
    timeout on every pen-in-range report, and its callback dereferences
    data->input_tablet to deliver a synthetic BTN_TOOL_PEN release.
    
    letsketch_data is allocated with devm_kzalloc(), and its input_dev
    fields are devm-allocated via letsketch_setup_input_tablet().  On
    device unbind (USB unplug or rmmod), the HID core runs its default
    teardown and devm cleanup frees both letsketch_data and the input
    devices.  Because no .remove callback exists, nothing drains the
    timer first: if raw_event armed it within ~100 ms of the unbind,
    the pending timer fires on freed memory.  This is a UAF read of
    data and of data->input_tablet, followed by input_report_key() /
    input_sync() into the freed input_dev.
    
    The same problem can occur on the probe error path: if
    hid_hw_start() enabled I/O on an always-poll-quirk device and then
    failed, raw_event may have armed the timer before devm releases
    data.
    
    Fix by adding a .remove callback that calls hid_hw_stop() first.
    hid_hw_stop() synchronously kills the URBs that deliver raw_event(),
    so once it returns no path can re-arm the timer.  timer_shutdown_sync()
    then drains any in-flight callback and permanently disables further
    mod_timer() calls.  Apply the same timer_shutdown_sync() in the probe
    error path so the timer is guaranteed not to outlive data.
    
    Fixes: 33a5c2793451 ("HID: Add new Letsketch tablet driver")
    Cc: [email protected]
    Signed-off-by: Manish Khadka <[email protected]>
    Signed-off-by: Jiri Kosina <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

HID: lg-g15: cancel pending work on remove to fix a use-after-free [+ + +]
Author: Maoyi Xie <[email protected]>
Date:   Thu Jun 18 15:06:35 2026 +0800

    HID: lg-g15: cancel pending work on remove to fix a use-after-free
    
    commit 7705b4140d188ce22656f6e541ae7ef834c7e11a upstream.
    
    lg_g15_data is allocated with devm and holds a work item. The report
    handlers schedule that work straight from device input.
    lg_g15_event() and lg_g15_v2_event() do it on the backlight cycle key,
    and lg_g510_leds_event() does it too. The worker dereferences the
    lg_g15_data back through container_of.
    
    The driver had no remove callback and never cancelled the work. So if a
    report scheduled the work and the keyboard was then unplugged, devres
    freed lg_g15_data while the work was still pending or running, and the
    worker touched freed memory. This is a use-after-free. It is reachable
    as a race on device unplug.
    
    Add a remove callback that cancels the work before devres frees the
    state. g15->work is only initialized for the models that schedule it
    (G15, G15 v2, G510). The G13 and Z-10 leave it zeroed, so guard the
    cancel on g15->work.func to avoid cancelling a work that was never set
    up. The g15 NULL test mirrors the one already in lg_g15_raw_event().
    
    Fixes: 97b741aba918 ("HID: lg-g15: Add keyboard and LCD backlight control")
    Cc: [email protected]
    Suggested-by: Hans de Goede <[email protected]>
    Signed-off-by: Maoyi Xie <[email protected]>
    Reviewed-by: Hans de Goede <[email protected]>
    Signed-off-by: Jiri Kosina <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

HID: sensor-hub: Add sensor_hub_input_attr_read_values() for multi-byte reads [+ + +]
Author: Srinivas Pandruvada <[email protected]>
Date:   Wed Jun 10 16:29:09 2026 +0800

    HID: sensor-hub: Add sensor_hub_input_attr_read_values() for multi-byte reads
    
    commit f784fcea450617055d2d12eec5b2f6e0e38bf878 upstream.
    
    sensor_hub_input_attr_get_raw_value() is limited to returning a single
    32-bit value, which is insufficient for sensors that report data larger
    than 32 bits, such as a quaternion with four s16 elements.
    
    Add sensor_hub_input_attr_read_values() that accepts a caller-provided
    buffer and accumulates incoming data until the buffer is full. The two
    paths are distinguished in sensor_hub_raw_event() by pending.max_raw_size
    being non-zero, preserving backward compatibility.
    
    Signed-off-by: Srinivas Pandruvada <[email protected]>
    Co-developed-by: Zhang Lixu <[email protected]>
    Signed-off-by: Zhang Lixu <[email protected]>
    Acked-by: Jiri Kosina <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

HID: wacom: stop hardware after post-start probe failures [+ + +]
Author: Myeonghun Pak <[email protected]>
Date:   Thu Jun 4 13:56:58 2026 +0900

    HID: wacom: stop hardware after post-start probe failures
    
    commit ec2612b8ad9e642596db011dd8b6568ef1edeaa1 upstream.
    
    wacom_parse_and_register() starts HID hardware before registering inputs
    and initializing pad LEDs/remotes. Those later steps can fail, but their
    error paths currently release Wacom resources without stopping the HID
    hardware.
    
    Route post-hid_hw_start() failures through hid_hw_stop() before
    releasing driver resources.
    
    This issue was identified during our ongoing static-analysis research while
    reviewing kernel code.
    
    Fixes: c1d6708bf0d3 ("HID: wacom: Do not register input devices until after hid_hw_start")
    Cc: [email protected]
    Co-developed-by: Ijae Kim <[email protected]>
    Signed-off-by: Ijae Kim <[email protected]>
    Signed-off-by: Myeonghun Pak <[email protected]>
    Reviewed-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Jiri Kosina <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
hwrng: jh7110 - fix refcount leak in starfive_trng_read() [+ + +]
Author: Wentao Liang <[email protected]>
Date:   Wed Jun 3 11:03:27 2026 +0000

    hwrng: jh7110 - fix refcount leak in starfive_trng_read()
    
    commit 8d13f7a8450206e3f820cdb26e33e91d181071b4 upstream.
    
    The starfive_trng_read() function acquires a runtime PM reference
    via pm_runtime_get_sync() but fails to release it on two error
    paths.  If starfive_trng_wait_idle() or starfive_trng_cmd() returns
    an error, the function exits without calling
    pm_runtime_put_sync_autosuspend(), leaving the runtime PM usage
    counter permanently elevated and preventing the device from entering
    runtime suspend.
    
    Refactor the function to use a unified error path that calls
    pm_runtime_put_sync_autosuspend() before returning.
    
    Cc: [email protected]
    Fixes: c388f458bc34 ("hwrng: starfive - Add TRNG driver for StarFive SoC")
    Signed-off-by: Wentao Liang <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

hwrng: virtio: clamp device-reported used.len at copy_data() [+ + +]
Author: Michael Bommarito <[email protected]>
Date:   Sun May 31 10:22:51 2026 -0400

    hwrng: virtio: clamp device-reported used.len at copy_data()
    
    commit e3046eeada299f917a8ad883af4434bfb86556b1 upstream.
    
    random_recv_done() stores the device-reported used.len directly into
    vi->data_avail.  copy_data() then indexes vi->data[] using
    vi->data_idx (advanced by previous copy_data() calls) and issues a
    memcpy() without re-validating either value against the posted
    buffer size sizeof(vi->data) (SMP_CACHE_BYTES bytes, typically 32
    or 64).
    
    A malicious or buggy virtio-rng backend can set used.len beyond
    sizeof(vi->data), steering the memcpy() past the end of the inline
    array into adjacent kmalloc-1k slab bytes.  hwrng_fillfn() mixes
    those bytes into the guest RNG, and guest root can also observe
    them directly via /dev/hwrng.
    
    Concrete impact is inside the guest:
    
     - Memory-safety / hardening: any virtio-rng backend that
       over-reports used.len causes the driver to read past vi->data
       into unrelated slab contents.  hwrng_fillfn() is a kernel thread
       that runs as soon as the device is probed; no guest userspace
       interaction is required to first-trigger the OOB.
    
     - Cross-boundary leak (confidential-compute threat model): a
       malicious hypervisor cooperating with a malicious or compromised
       guest root userspace can use /dev/hwrng as a leak channel for
       guest-kernel heap data.  The host sets a large used.len, guest
       root reads /dev/hwrng, and the returned bytes contain guest
       kernel slab contents that were adjacent to vi->data.  In
       practice, confidential-compute guests (SEV-SNP, TDX) usually
       disable virtio-rng entirely, so this path is narrow, but the
       fix is still worth carrying because the underlying
       memory-safety bug contaminates the guest RNG on any host.
    
    KASAN confirms the OOB on a 7.1-rc4 guest whose virtio-rng backend
    has been patched to report used.len = 0x10000:
    
      BUG: KASAN: slab-out-of-bounds in virtio_read+0x394/0x5d0
      Read of size 64 at addr ffff88800ae0ba20 by task hwrng/52
      Call Trace:
       __asan_memcpy+0x23/0x60
       virtio_read+0x394/0x5d0
       hwrng_fillfn+0xb2/0x470
       kthread+0x2cc/0x3a0
      Allocated by task 1:
       probe_common+0xa5/0x660
       virtio_dev_probe+0x549/0xbc0
      The buggy address belongs to the object at ffff88800ae0b800
       which belongs to the cache kmalloc-1k of size 1024
      The buggy address is located 0 bytes to the right of
       allocated 544-byte region [ffff88800ae0b800, ffff88800ae0ba20)
    
    Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
    overflow in USB transport layer"), which hardened
    usb9pfs_rx_complete() against unchecked device-reported length in
    the USB 9p transport.
    
    With the clamp at point of use and array_index_nospec() in place,
    the same harness boots cleanly: copy_data() returns zero for the
    bogus report, the device-supplied bytes after data_idx are
    discarded, and the driver issues a fresh request.
    
    Fixes: f7f510ec1957 ("virtio: An entropy device, as suggested by hpa.")
    Cc: [email protected]
    Suggested-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael Bommarito <[email protected]>
    Assisted-by: Claude:claude-opus-4-8
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
i2c: core: fix adapter debugfs creation [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Mon May 11 16:37:10 2026 +0200

    i2c: core: fix adapter debugfs creation
    
    commit 07d5fb537928aad4369aaff0cbae73ba38a719af upstream.
    
    Clients can be registered from bus notifier callbacks so the debugfs
    directory needs to be created before registering the adapter as clients
    use that directory as their debugfs parent.
    
    Move debugfs creation before adapter registration to avoid having
    clients create their debugfs directories in the debugfs root (which is
    also more likely to fail due to name collisions).
    
    Note that failure to allocate the adapter name must now be handled
    explicitly as debugfs_create_dir() cannot handle a NULL name (unlike
    device_add() which returns an error).
    
    Fixes: 73febd775bdb ("i2c: create debugfs entry per adapter")
    Cc: [email protected]      # 6.8
    Cc: Wolfram Sang <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Wolfram Sang <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

i2c: core: fix adapter deregistration race [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Mon May 11 16:37:13 2026 +0200

    i2c: core: fix adapter deregistration race
    
    commit b1a58ed9eab146b36f41a55db8f5d7ce9fdedf3f upstream.
    
    Adapters can be looked up by their id using i2c_get_adapter() which
    takes a reference to the embedded struct device.
    
    Remove the adapter from the IDR before tearing it down during
    deregistration (and on registration failure) to make sure its resources
    are not accessed after having been freed (e.g. the device name).
    
    Fixes: 35fc37f81881 ("i2c: Limit core locking to the necessary sections")
    Cc: [email protected]      # 2.6.31
    Cc: Jean Delvare <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Wolfram Sang <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

i2c: core: fix adapter probe deferral loop [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Mon May 11 16:37:09 2026 +0200

    i2c: core: fix adapter probe deferral loop
    
    commit 158efa411c57111d87bf265a3776614f32d70007 upstream.
    
    Drivers must not probe defer after having registered devices as that
    will trigger a probe loop if the devices bind to a driver (cf. commit
    fbc35b45f9f6 ("Add documentation on meaning of -EPROBE_DEFER")).
    
    Move the recovery initialisation, where the GPIO lookup may fail, before
    registering the adapter to prevent this.
    
    Fixes: 75820314de26 ("i2c: core: add generic I2C GPIO recovery")
    Cc: [email protected]      # 5.9
    Cc: Codrin Ciubotariu <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Wolfram Sang <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

i2c: core: fix hang on adapter registration failure [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Mon May 11 16:37:07 2026 +0200

    i2c: core: fix hang on adapter registration failure
    
    commit 3c7e164344e5bcf6f274bbf59a3274f5caad9bc1 upstream.
    
    Clients may be registered from bus notifier callbacks when the adapter
    is registered. On a subsequent error during registration, the adapter
    references taken by such clients prevent the wait for the references to
    be released from ever completing.
    
    Fix this by refactoring client deregistration and deregistering also on
    late adapter registration failures.
    
    Fixes: f8756c67b3de ("i2c: core: call of_i2c_setup_smbus_alert in i2c_register_adapter")
    Cc: [email protected]      # 4.15
    Cc: Phil Reid <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Wolfram Sang <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

i2c: core: fix irq domain leak on adapter registration failure [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Mon May 11 16:37:06 2026 +0200

    i2c: core: fix irq domain leak on adapter registration failure
    
    commit 8ce19524e4cc2462685f596a6402fbd8fb984ab2 upstream.
    
    Make sure to tear down the host notify irq domain on adapter
    registration failure to avoid leaking it.
    
    This issue was flagged by Sashiko when reviewing another adapter
    registration fix.
    
    Fixes: 4d5538f5882a ("i2c: use an IRQ to report Host Notify events, not alert")
    Cc: [email protected]      # 4.10
    Cc: Benjamin Tissoires <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Wolfram Sang <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

i2c: core: fix NULL-deref on adapter registration failure [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Mon May 11 16:37:08 2026 +0200

    i2c: core: fix NULL-deref on adapter registration failure
    
    commit 2295d2bb101faa663fbc45fadbb3fec45f107441 upstream.
    
    If adapter registration ever fails the release callback would trigger a
    NULL-pointer dereference as the completion struct has not been
    initialised.
    
    Note that before the offending commit this would instead have resulted
    in a minor memory leak of the adapter name.
    
    Fixes: 3f8c4f5e9a57 ("i2c: core: fix reference leak in i2c_register_adapter()")
    Cc: [email protected]
    Cc: Joe Hattori <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Wolfram Sang <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

i2c: mpc: Fix timeout calculations [+ + +]
Author: Andy Shevchenko <[email protected]>
Date:   Thu Jun 18 16:49:34 2026 +0200

    i2c: mpc: Fix timeout calculations
    
    commit 2e9a7f68329be41792c0b123c28e6c53c2fa2249 upstream.
    
    At first glance the harmless cleanup of the driver does nothing bad.
    However, as the operator precedence list states the '*' (multiplication)
    and '/' division operators have order 5 with left-to-right associativity
    the *= has order 17 and associativity right-to-left. It wouldn't be
    a problem to replace
    
            foo = foo * HZ / 1000000;
    
    with
    
            foo *= HZ / 1000000;
    
    if HZ constant is in Hertz. The problem is that in the Linux kernel HZ is
    defined in jiffy units, which is order of magnitude smaller than a million.
    That's why operator precedence has a crucial role here. Fix the regression
    by reverting pre-optimized calculations.
    
    Fixes: be40a3ae719f ("i2c: mpc: Use of_property_read_u32 instead of of_get_property")
    Signed-off-by: Andy Shevchenko <[email protected]>
    Cc: <[email protected]> # v6.4+
    Reviewed-by: Chris Packham <[email protected]>
    Signed-off-by: Andi Shyti <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

i2c: stm32f7: truncate clock period instead of rounding it [+ + +]
Author: Guillermo Rodríguez <[email protected]>
Date:   Thu Jun 11 12:48:56 2026 +0200

    i2c: stm32f7: truncate clock period instead of rounding it
    
    commit 111bb7f9f4a90b32e495d70a607c67b137f3074a upstream.
    
    stm32f7_i2c_compute_timing() derives the I2C clock source period
    (i2cclk) with DIV_ROUND_CLOSEST, which may round it up. When the
    period is overestimated, all timings computed from it (SCLDEL,
    SDADEL, SCLL, SCLH) come out shorter on the wire than calculated,
    and the resulting bus rate can exceed the requested speed, violating
    the I2C specification minimums for tLOW and tHIGH.
    
    For example, with a 104.45 MHz clock source (e.g. PCLK1, the
    reset-default I2C clock source on STM32MP1), i2cclk is rounded from
    9.574 ns up to 10 ns. Requesting a 400 kHz fast mode bus with
    72/27 ns rise/fall times and no analog/digital filters then produces
    an actual bus rate of 415.6 kHz with tLOW = 1254 ns, violating both
    the 400 kHz maximum rate and the 1300 ns tLOW minimum of the
    specification.
    
    Truncate the period instead, so that it can only be underestimated.
    The error then falls on the safe side: the programmed timings come
    out slightly longer than computed and the bus runs marginally below
    the target rate (375.3 kHz in the example above) while meeting the
    specification.
    
    i2cbus is left rounded-to-closest: it is only used as the target of
    the clk_error comparison and is never multiplied into the programmed
    timings, so nearest rounding remains accurate there.
    
    Fixes: aeb068c57214 ("i2c: i2c-stm32f7: add driver")
    Signed-off-by: Guillermo Rodríguez <[email protected]>
    Cc: <[email protected]> # v4.14+
    Acked-by: Alain Volmat <[email protected]>
    Reviewed-by: Pierre-Yves MORDRET <[email protected]>
    Signed-off-by: Andi Shyti <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
iio: accel: bmc150: clamp the device-reported FIFO frame count [+ + +]
Author: Bryam Vargas <[email protected]>
Date:   Sat Jun 13 02:18:39 2026 -0500

    iio: accel: bmc150: clamp the device-reported FIFO frame count
    
    commit ce0e1cae26096fe959a0da5563a6d6d5a801d5fb upstream.
    
    __bmc150_accel_fifo_flush() copies the number of samples the device
    reports in its hardware FIFO into an on-stack buffer
    
            u16 buffer[BMC150_ACCEL_FIFO_LENGTH * 3];
    
    which is sized for at most BMC150_ACCEL_FIFO_LENGTH (32) samples. The
    frame count is read from the FIFO_STATUS register and only masked to its
    7 valid bits:
    
            count = val & 0x7F;
    
    so it can be 0..127. The only other limit applied to it is the optional
    caller-supplied sample budget:
    
            if (samples && count > samples)
                    count = samples;
    
    which does not constrain count on the flush-all path (samples == 0), and
    leaves it well above 32 whenever samples is larger. count samples are
    then transferred into buffer[]:
    
            bmc150_accel_fifo_transfer(data, (u8 *)buffer, count);
    
    bmc150_accel_fifo_transfer() reads count * 6 bytes through regmap, so a
    malfunctioning, malicious or counterfeit accelerometer (or an attacker
    tampering with the I2C/SPI bus) that reports up to 127 frames writes up
    to 762 bytes into the 192-byte buffer: a stack out-of-bounds write of up
    to 570 bytes that clobbers the stack canary, saved registers and the
    return address.
    
    Clamp count to BMC150_ACCEL_FIFO_LENGTH, the number of samples buffer[]
    is sized for, before the transfer, mirroring the watermark clamp already
    done in bmc150_accel_set_watermark(). A well-formed flush reports at most
    BMC150_ACCEL_FIFO_LENGTH frames, so legitimate devices are unaffected.
    
    Fixes: 3bbec9773389 ("iio: bmc150_accel: add support for hardware fifo")
    Cc: [email protected]
    Signed-off-by: Bryam Vargas <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: accel: kxsd9: fix runtime PM imbalance on write_raw() error [+ + +]
Author: Biren Pandya <[email protected]>
Date:   Sun Jun 14 12:45:46 2026 +0530

    iio: accel: kxsd9: fix runtime PM imbalance on write_raw() error
    
    commit 44a5fd874bb6873bdaec59f722c1d57832fbc9df upstream.
    
    kxsd9_write_raw() takes a runtime PM reference with pm_runtime_get_sync()
    but returns -EINVAL directly when a scale with a non-zero integer part is
    requested, skipping the matching pm_runtime_put_autosuspend(). This leaks
    a runtime PM usage-counter reference on every such write, after which the
    device can no longer autosuspend.
    
    Set the error code and fall through to the existing put instead of
    returning early.
    
    Fixes: 9a9a369d6178 ("iio: accel: kxsd9: Deploy system and runtime PM")
    Signed-off-by: Biren Pandya <[email protected]>
    Assisted-by: Claude:claude-opus-4-8 coccinelle
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: adc: lpc32xx: Initialize completion before requesting IRQ [+ + +]
Author: Maxwell Doose <[email protected]>
Date:   Fri Jun 12 19:58:10 2026 -0500

    iio: adc: lpc32xx: Initialize completion before requesting IRQ
    
    commit e561b35633f450ee607e87a6401d97f156a0cd54 upstream.
    
    In the report from Jaeyoung Chung:
    
    "lpc32xx_adc_probe() in drivers/iio/adc/lpc32xx_adc.c registers its
    interrupt handler with devm_request_irq() before it initializes
    st->completion with init_completion(). If an interrupt arrives after
    devm_request_irq() and before init_completion(), the handler calls
    complete() on an uninitialized completion, causing a kernel panic.
    
    The probe path, in lpc32xx_adc_probe():
    
        iodev = devm_iio_device_alloc(&pdev->dev, sizeof(*st)); /* st kzalloc-zeroed */
        ...
        retval = devm_request_irq(&pdev->dev, irq, lpc32xx_adc_isr, 0,
                                  LPC32XXAD_NAME, st);           /* register handler */
        ...
        init_completion(&st->completion);                       /* initialize completion */
    
    lpc32xx_adc_isr() calls complete():
    
        complete(&st->completion);
    
    If the device raises an interrupt before init_completion() runs,
    complete() acquires the uninitialized wait.lock and walks the zeroed
    task_list in swake_up_locked(). The zeroed task_list makes list_empty()
    return false, so swake_up_locked() dereferences a NULL list entry,
    triggering a KASAN wild-memory-access."
    
    Fix the chance of a spurious IRQ causing an uninitialized pointer
    dereference by moving init_completion() above devm_request_irq().
    
    Fixes: 7901b2a1453e ("staging:iio:adc:lpc32xx rename local state structure to _state")
    Reported-by: Sangyun Kim <[email protected]>
    Reported-by: Kyungwook Boo <[email protected]>
    Reported-by: Jaeyoung Chung <[email protected]>
    Closes: https://lore.kernel.org/linux-iio/[email protected]/
    Signed-off-by: Maxwell Doose <[email protected]>
    Reviewed-by: Vladimir Zapolskiy <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: adc: spear: Initialize completion before requesting IRQ [+ + +]
Author: Maxwell Doose <[email protected]>
Date:   Fri Jun 12 19:58:11 2026 -0500

    iio: adc: spear: Initialize completion before requesting IRQ
    
    commit 3ee2128b6f0eb0be7b6cb8f6e0f1f113a65201a0 upstream.
    
    In the report from Jaeyoung Chung:
    
    "spear_adc_probe() in drivers/iio/adc/spear_adc.c registers its
    interrupt handler with devm_request_irq() before it initializes
    st->completion with init_completion(). If an interrupt arrives after
    devm_request_irq() and before init_completion(), the handler calls
    complete() on an uninitialized completion, causing a kernel panic.
    
    The probe path, in spear_adc_probe():
    
        iodev = devm_iio_device_alloc(&pdev->dev, sizeof(*st)); /* st kzalloc-zeroed */
        ...
        retval = devm_request_irq(&pdev->dev, irq, spear_adc_isr, 0,
                                  LPC32XXAD_NAME, st);           /* register handler */
        ...
        init_completion(&st->completion);                       /* initialize completion */
    
    spear_adc_isr() calls complete():
    
        complete(&st->completion);
    
    If the device raises an interrupt before init_completion() runs,
    complete() acquires the uninitialized wait.lock and walks the zeroed
    task_list in swake_up_locked(). The zeroed task_list makes list_empty()
    return false, so swake_up_locked() dereferences a NULL list entry,
    triggering a KASAN wild-memory-access."
    
    Fix the chance of a spurious IRQ causing an uninitialized pointer
    dereference by moving init_completion() above devm_request_irq().
    
    Fixes: b586e5d9eee0 ("staging:iio:adc:spear rename device specific state structure to _state")
    Reported-by: Sangyun Kim <[email protected]>
    Reported-by: Kyungwook Boo <[email protected]>
    Reported-by: Jaeyoung Chung <[email protected]>
    Closes: https://lore.kernel.org/linux-iio/[email protected]/
    Signed-off-by: Maxwell Doose <[email protected]>
    Reviewed-by: Vladimir Zapolskiy <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: adc: ti-ads1119: fix PM reference leak in buffer preenable [+ + +]
Author: Guangshuo Li <[email protected]>
Date:   Wed Jun 3 20:16:40 2026 +0800

    iio: adc: ti-ads1119: fix PM reference leak in buffer preenable
    
    commit adf4bc07f814da8329278d32600147f5a150938c upstream.
    
    ads1119_triggered_buffer_preenable() resumes the device with
    pm_runtime_resume_and_get() before starting a conversion.
    
    If i2c_smbus_write_byte() fails, the function returns the error directly
    and leaves the runtime PM usage counter elevated. The matching
    postdisable callback is not called when preenable fails, so the reference
    is leaked and the device may remain runtime-active indefinitely.
    
    Store the I2C transfer result in ret and drop the runtime PM reference on
    failure before returning the error.
    
    Fixes: a9306887eba41 ("iio: adc: ti-ads1119: Add driver")
    Signed-off-by: Guangshuo Li <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: adc: ti-ads124s08: Return reset GPIO lookup errors [+ + +]
Author: Pengpeng Hou <[email protected]>
Date:   Thu Jun 25 13:44:07 2026 +0800

    iio: adc: ti-ads124s08: Return reset GPIO lookup errors
    
    commit 7dc4de2aa6316f1d044cde21f5acfec5f3ec6b47 upstream.
    
    devm_gpiod_get_optional() returns NULL when the optional GPIO is absent,
    but returns an ERR_PTR when the GPIO provider lookup fails, including
    probe deferral.
    
    Probe currently logs the ERR_PTR case as if the reset GPIO were simply
    absent and keeps the error pointer in reset_gpio. Later ads124s_reset()
    treats any non-NULL reset_gpio as a valid descriptor and passes it to
    gpiod_set_value_cansleep().
    
    Return the lookup error instead of retaining the ERR_PTR.
    
    Fixes: e717f8c6dfec ("iio: adc: Add the TI ads124s08 ADC code")
    Cc: [email protected]
    Reviewed-by: Joshua Crofts <[email protected]>
    Signed-off-by: Pengpeng Hou <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: backend: fix uninitialized data in debugfs [+ + +]
Author: Dan Carpenter <[email protected]>
Date:   Mon May 25 10:16:11 2026 +0300

    iio: backend: fix uninitialized data in debugfs
    
    commit a6e8b14a4897d0b6df9744f33d0a30e6b92368eb upstream.
    
    If the *ppos value is non-zero then simple_write_to_buffer() will not
    initialize the start of the buf[] buffer.  Non-zero ppos values aren't
    going to work at all.  Check for that at the start of the function and
    return -ENOSPC.
    
    Fixes: cdf01e0809a4 ("iio: backend: add debugFs interface")
    Signed-off-by: Dan Carpenter <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: chemical: scd30: Cleanup initializations and fix sign-extension bug [+ + +]
Author: Maxwell Doose <[email protected]>
Date:   Tue May 26 17:55:24 2026 -0500

    iio: chemical: scd30: Cleanup initializations and fix sign-extension bug
    
    commit 60d877910a43c305b5165131b258a17b1d772d57 upstream.
    
    Include linux/bitfield.h for FIELD_GET().
    
    Create new macros for bit manipulation in combination with manual bit
    manipulation being replaced with FIELD_GET().
    
    The current variable declaration and initializations are barely readable
    and use comma separations across multiple lines. Refactor the
    initializations so that mantissa and exp have separate declarations and
    sign gets initialized later.
    
    In addition (and due to the nature of the cleanup), fix a sign-extension
    bug where, float32 would get bitwise anded with ~BIT(31)
    (which is 0xFFFFFFFF7FFFFFFF) which corrupted the exponent.
    
    Fixes: 64b3d8b1b0f5c ("iio: chemical: scd30: add core driver")
    Reported-by: sashiko <[email protected]>
    Closes: https://sashiko.dev/#/patchset/20260524020309.18618-1-m32285159%40gmail.com
    Signed-off-by: Maxwell Doose <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: common: st_sensors: honour channel endianness in read_axis_data [+ + +]
Author: Herman van Hazendonk <[email protected]>
Date:   Tue Jun 16 15:02:04 2026 +0200

    iio: common: st_sensors: honour channel endianness in read_axis_data
    
    commit 55052184ac9011db2ea983e54d6c21f0b1079a12 upstream.
    
    st_sensors_read_axis_data() unconditionally decoded multi-byte
    results with get_unaligned_le16() / get_unaligned_le24() regardless
    of the channel's declared scan_type.endianness.
    
    For every ST sensor that has used this helper since it was introduced
    this happened to be fine because the ST IMU/accel/gyro/pressure
    families publish their data registers as little-endian and the
    channel specs in those drivers declare IIO_LE accordingly.
    
    The LSM303DLH magnetometer however publishes its X/Y/Z output as a
    pair of big-endian bytes (the H register sits at the lower address,
    0x03/0x05/0x07, and the L register immediately after), and its
    channel specs in st_magn_core.c correctly declare IIO_BE -- but
    read_axis_data() ignored that and decoded as little-endian, swapping
    the high and low bytes of every magnetometer sample. The LSM303DLHC
    and LSM303DLM share the same st_magn_16bit_channels (IIO_BE) and
    were therefore byte-swapped by the same bug; users of those parts
    will see different in_magn_*_raw values after this fix lands.
    
    The bug is most visible on a stationary chip: in earth's field the
    true X reading is small and the high byte sits at 0x00, so swapping
    the bytes pins sysfs X at exactly the low byte's pattern (e.g. 0x00F0
    = 240). Y and Z still appear "to vary" because their magnitudes are
    larger and the noise in the low byte produces big swings in the
    swapped high byte:
    
      before (LSM303DLH flat, sysfs in_magn_*_raw):
          X=240 (stuck), Y= 12032..23296, Z=-16128..-9728
    
      after (direct i2c-dev big-endian decode, same chip same orientation):
          X≈-4096, Y≈210, Z≈80     (sensible values reflecting earth's
                                    ambient field at low gauss range)
    
    Fix read_axis_data() to dispatch on ch->scan_type.endianness and
    call get_unaligned_be16() / get_unaligned_be24() when the channel
    declares IIO_BE. Existing IIO_LE consumers (st_accel, st_gyro,
    st_pressure, st_lsm6dsx and others) are unaffected because their
    channel specs already declare IIO_LE and the LE path is unchanged.
    
    While restructuring the branches, replace the previously implicit
    silent-success-with-uninitialised-*data fall-through for
    byte_for_channel outside 1..3 with an explicit return -EINVAL. No
    in-tree ST sensor publishes such a channel, but the new behaviour
    is strictly safer than handing userspace garbage.
    
    Fixes: 23491b513bcd ("iio:common: Add STMicroelectronics common library")
    Cc: [email protected]
    Assisted-by: Claude:claude-opus-4-7 sparse smatch clang-analyzer coccinelle checkpatch
    Assisted-by: Sashiko:claude-opus-4-7
    Signed-off-by: Herman van Hazendonk <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: event: Fix event FIFO reset race [+ + +]
Author: Lars-Peter Clausen <[email protected]>
Date:   Mon Jul 6 21:48:26 2026 -0700

    iio: event: Fix event FIFO reset race
    
    commit af791d295737ea6b6ff2c8d8488462a49c14af01 upstream.
    
    `iio_event_getfd()` creates the event file descriptor with
    `anon_inode_getfd()`, which allocates a new fd, creates the anonymous
    file and installs it in the process fd table before returning to the
    caller.
    
    The IIO code resets the event FIFO after `anon_inode_getfd()` has returned,
    but before `IIO_GET_EVENT_FD_IOCTL` has copied the fd number to userspace.
    But since fd tables are shared between threads, another thread can guess
    the newly allocated fd number and issue a `read()` on it as soon as the fd
    has been installed.
    
    This means the `kfifo_to_user()` in `iio_event_chrdev_read()` can run in
    parallel with the `kfifo_reset_out()` in `iio_event_getfd()`.
    
    The kfifo documentation says that `kfifo_reset_out()` is only safe when it
    is called from the reader thread and there is only one concurrent reader.
    Otherwise it is dangerous and must be handled in the same way as
    `kfifo_reset()`.
    
    If that happens, `kfifo_to_user()` can advance the FIFO `out` index based
    on state from before the reset, after the reset has already moved the `out`
    index to the current `in` index. That can leave the FIFO with an `out`
    index past the `in` index. A later `read()` can then see an underflowed
    FIFO length and copy more data than the event FIFO buffer contains. This
    can result in an out-of-bounds read and leak adjacent kernel memory to
    userspace.
    
    Move the FIFO reset before `anon_inode_getfd()`. At that point the event fd is
    marked busy, but the new fd has not been installed yet, so userspace cannot
    access it while the FIFO is reset.
    
    Fixes: b91accafbb10 ("iio:event: Fix and cleanup locking")
    Reported-by: Codex:gpt-5.5
    Signed-off-by: Lars-Peter Clausen <[email protected]>
    Reviewed-by: Nuno Sá <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: gyro: bmg160: bail out when bandwidth/filter is not in table [+ + +]
Author: Stepan Ionichev <[email protected]>
Date:   Sun May 10 07:35:00 2026 +0500

    iio: gyro: bmg160: bail out when bandwidth/filter is not in table
    
    commit 8320c77e67382d5d55d77043a5f60a867d408a2b upstream.
    
    bmg160_get_filter() walks bmg160_samp_freq_table[] looking for the entry
    matching the bw_bits value read from the chip:
    
            for (i = 0; i < ARRAY_SIZE(bmg160_samp_freq_table); ++i) {
                    if (bmg160_samp_freq_table[i].bw_bits == bw_bits)
                            break;
            }
            *val = bmg160_samp_freq_table[i].filter;
    
    If no entry matches, i ends up equal to the array size and the next line
    reads one slot past the end. bmg160_set_filter() has the same shape, driven
    by 'val' instead of bw_bits.
    
    smatch flags both:
    
      drivers/iio/gyro/bmg160_core.c:204 bmg160_get_filter() error:
      buffer overflow 'bmg160_samp_freq_table' 7 <= 7
      drivers/iio/gyro/bmg160_core.c:222 bmg160_set_filter() error:
      buffer overflow 'bmg160_samp_freq_table' 7 <= 7
    
    Return -EINVAL when no entry matches.
    
    The set_filter() path is reachable from userspace via the sysfs
    in_anglvel_filter_low_pass_3db_frequency interface, so userspace can
    trivially trigger the out-of-bounds read with a value that is not in
    bmg160_samp_freq_table[].filter.
    
    Fixes: 22b46c45fb9b ("iio:gyro:bmg160 Gyro Sensor driver")
    Signed-off-by: Stepan Ionichev <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: gyro: bmg160: wait full startup time after mode change at probe [+ + +]
Author: Stepan Ionichev <[email protected]>
Date:   Mon May 11 11:40:20 2026 +0500

    iio: gyro: bmg160: wait full startup time after mode change at probe
    
    commit 088fcb9b567f8723074ad9eb1bf5cb46f8a0096b upstream.
    
    bmg160_chip_init() calls bmg160_set_mode(BMG160_MODE_NORMAL) and
    then waits only 500-1000 us. Per the BMG160 datasheet
    (BST-BMG160-DS000-07 Rev. 1.0, May 2013), the start-up and wake-up
    times (tsu, twusm) are 30 ms.
    
    The same file already waits BMG160_MAX_STARTUP_TIME_MS (80 ms)
    in bmg160_runtime_resume() after the same set_mode(NORMAL)
    operation. The 500 us value at probe was likely a unit mix-up;
    the old comment said "500 ms" while the code used microseconds.
    
    Reuse the same constant via msleep() and add a code comment
    explaining the datasheet basis for the wait. Without this,
    register writes that follow the mode change can hit the chip
    before it is ready.
    
    Fixes: 22b46c45fb9b ("iio:gyro:bmg160 Gyro Sensor driver")
    Signed-off-by: Stepan Ionichev <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: imu: adis: add IRQF_NO_THREAD to non-FIFO trigger IRQ [+ + +]
Author: Runyu Xiao <[email protected]>
Date:   Thu Jun 4 09:42:46 2026 +0800

    iio: imu: adis: add IRQF_NO_THREAD to non-FIFO trigger IRQ
    
    commit 6e1b9bff1202da55c464e36bd34a2b6863d7fe30 upstream.
    
    devm_adis_probe_trigger() registers iio_trigger_generic_data_rdy_poll()
    through devm_request_irq() on the non-FIFO path, but it does not add
    IRQF_NO_THREAD to the IRQ flags.
    
    When the kernel is booted with forced IRQ threading, the parent IRQ can
    otherwise be threaded by the IRQ core and the subsequent IIO trigger
    child IRQ is then dispatched from irq/... thread context instead of
    hardirq context. Because iio_trigger_generic_data_rdy_poll()
    immediately drives iio_trigger_poll(), this violates the hardirq-only
    IIO trigger helper contract and can push downstream trigger consumers
    through the wrong execution context.
    
    Add IRQF_NO_THREAD on top of the existing adis->irq_flag value for the
    non-FIFO request_irq() path, while preserving the current trigger
    polarity and IRQF_NO_AUTOEN behavior.
    
    Fixes: fec86c6b8369 ("iio: imu: adis: Add Managed device functions")
    Cc: [email protected]
    Signed-off-by: Runyu Xiao <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: imu: bmi160: add IRQF_NO_THREAD to data-ready trigger IRQ [+ + +]
Author: Runyu Xiao <[email protected]>
Date:   Thu Jun 4 09:42:47 2026 +0800

    iio: imu: bmi160: add IRQF_NO_THREAD to data-ready trigger IRQ
    
    commit cd5a6a5096b246e10600da3ac47a1274ce9573c8 upstream.
    
    bmi160_probe_trigger() registers iio_trigger_generic_data_rdy_poll()
    through devm_request_irq(), but it passes only irq_type and does not add
    IRQF_NO_THREAD.
    
    When the kernel is booted with forced IRQ threading, the parent IRQ can
    otherwise be threaded by the IRQ core and the subsequent IIO trigger
    child IRQ is dispatched from irq/... thread context instead of hardirq
    context. Because the handler immediately pushes the event into
    iio_trigger_poll(), this violates the hardirq-only IIO trigger helper
    contract and can drive downstream trigger consumers through the wrong
    execution context.
    
    Add IRQF_NO_THREAD on top of irq_type when registering the BMI160 data-
    ready trigger handler.
    
    Fixes: 895bf81e6bbf ("iio:bmi160: add drdy interrupt support")
    Cc: [email protected]
    Signed-off-by: Runyu Xiao <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: imu: inv_icm42600: fix timestamp clock period by using lower value [+ + +]
Author: Jean-Baptiste Maneyrol <[email protected]>
Date:   Tue Jun 23 16:22:15 2026 +0200

    iio: imu: inv_icm42600: fix timestamp clock period by using lower value
    
    commit 8b0b864c11a2e2ada470f9d5010e1c2bf1eceef2 upstream.
    
    Clock period value is used for computing periods of sampling. There is
    no need for it to be higher than the maximum odr, otherwise we are
    losing precision in the computation for nothing.
    
    Switch clock period value to maximum odr period (8kHz).
    
    Fixes: 0ecc363ccea7 ("iio: make invensense timestamp module generic")
    Cc: [email protected]
    Signed-off-by: Jean-Baptiste Maneyrol <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: imu: inv_icm42600: fix timestamping by limiting FIFO reading [+ + +]
Author: Jean-Baptiste Maneyrol <[email protected]>
Date:   Mon Jun 29 21:51:55 2026 +0200

    iio: imu: inv_icm42600: fix timestamping by limiting FIFO reading
    
    commit affe3f077d7a4eeb25937f5323ff059a54b4712c upstream.
    
    Timestamps are made by measuring the chip clock using the watermark
    interrupts. If we read more than watermark samples as done today, we
    are reducing the period between interrupts and distort the time
    measurement. Fix that by reading only watermark samples in the
    interrupt case.
    
    Fixes: 7f85e42a6c54 ("iio: imu: inv_icm42600: add buffer support in iio devices")
    Cc: [email protected]
    Signed-off-by: Jean-Baptiste Maneyrol <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: imu: st_lsm6dsx: deselect shub page before reading whoami [+ + +]
Author: Andreas Kempe <[email protected]>
Date:   Thu Jul 2 10:41:23 2026 +0000

    iio: imu: st_lsm6dsx: deselect shub page before reading whoami
    
    commit aede83625ff5d9539508582036df30c809d51058 upstream.
    
    As part of driver initialization, e.g. st_lsm6dsx_init_shub() selects
    the shub register page using st_lsm6dsx_set_page(). Selecting the shub
    register page shadows the regular register space so whoami, among other
    registers, is no longer accessible.
    
    In applications where the IMU is permanently powered separately from the
    processor, there is a window where a reset of the CPU leaves the IMU in
    the shub register page. Once this occurs, any subsequent probe attempt
    fails because of the register shadowing.
    
    Using the ism330dlc, the error typically looks like
    
        st_lsm6dsx_i2c 3-006a: unsupported whoami [10]
    
    with the unknown whoami read from a reserved register in the shub page.
    
    The reset register is also shadowed by the page select, preventing a
    reset from recovering the chip.
    
    Unconditionally clear the shub page before the whoami readout to ensure
    normal register access and allow the initialization to proceed.
    
    Place the fix in st_lsm6dsx_check_whoami() before the whoami check
    because hw->settings, which st_lsm6dsx_set_page() relies on, is first
    assigned in that function.
    
    Placing the fix in a more logical place than the whoami check would
    require a bigger restructuring of the code.
    
    Fixes: c91c1c844ebd ("iio: imu: st_lsm6dsx: add i2c embedded controller support")
    Signed-off-by: Andreas Kempe <[email protected]>
    Acked-by: Lorenzo Bianconi <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: light: al3010: fix incorrect scale for the highest gain range [+ + +]
Author: Vidhu Sarwal <[email protected]>
Date:   Sat Jul 4 17:22:45 2026 +0530

    iio: light: al3010: fix incorrect scale for the highest gain range
    
    commit aa411adc6ce40ad1a55ebc965f255a4cfc0005f8 upstream.
    
    al3010_scales[] encodes the highest gain range as {0, 1187200}.
    For IIO_VAL_INT_PLUS_MICRO, the fractional part must be less than
    1000000, so the scale 1.1872 should instead be represented as
    { 1, 187200 }.
    
    Since write_raw() compares the value from userspace against this
    table, writing the advertised 1.1872 scale never matches the malformed
    entry and returns -EINVAL. As a result, the highest gain range cannot
    be selected. Reading the scale in that state also reports the malformed
    value.
    
    Fixes: c36b5195ab70 ("iio: light: add Dyna-Image AL3010 driver")
    Signed-off-by: Vidhu Sarwal <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: light: gp2ap002: fix runtime PM leak on read error [+ + +]
Author: Biren Pandya <[email protected]>
Date:   Sun Jun 14 12:45:49 2026 +0530

    iio: light: gp2ap002: fix runtime PM leak on read error
    
    commit 38b72267b7e22768a1f26d9935de4e1752a1dc85 upstream.
    
    gp2ap002_read_raw() calls pm_runtime_get_sync() before reading the
    lux value, but if gp2ap002_get_lux() fails, it returns directly. This
    skips the pm_runtime_put_autosuspend() call at the "out" label,
    permanently leaking a runtime PM reference and preventing the device
    from autosuspending.
    
    Replace the direct return with a "goto out" to ensure the reference
    is properly dropped on the error path.
    
    Fixes: f6dbf83c17cb ("iio: light: gp2ap002: Take runtime PM reference on light read")
    Signed-off-by: Biren Pandya <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: light: opt3001: fix missing state reset on timeout [+ + +]
Author: Joshua Crofts <[email protected]>
Date:   Tue May 26 13:15:29 2026 +0200

    iio: light: opt3001: fix missing state reset on timeout
    
    commit c123ca6ee26ad98f70a866ff428b08145c5a24fe upstream.
    
    Currently in the function opt3001_get_processed(), there is a check
    that directly returns -ETIMEDOUT if the conversion IRQ times out,
    completely bypassing the err label, leaving ok_to_ignore_lock
    permanently true, potentially breaking the device's falling threshold
    interrupt detection.
    
    Assign -ETIMEDOUT to the return variable and jump to the error label
    to ensure ok_to_ignore_lock is properly reset.
    
    Fixes: 26d90b559057 ("iio: light: opt3001: Fixed timeout error when 0 lux")
    Reported-by: Sashiko <[email protected]>
    Closes: https://sashiko.dev/#/patchset/20260525-opt3001-cleanup-v4-0-65b36a174f78%40gmail.com?part=1
    Signed-off-by: Joshua Crofts <[email protected]>
    Cc: [email protected]
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: light: tsl2591: return actual error from probe IRQ failure [+ + +]
Author: Stepan Ionichev <[email protected]>
Date:   Mon May 18 14:43:11 2026 +0500

    iio: light: tsl2591: return actual error from probe IRQ failure
    
    commit a00ffd15674bfaf8b906503c1600e3d8709af56c upstream.
    
    When devm_request_threaded_irq() fails, probe logs the error and
    then returns -EINVAL, dropping the real error code and breaking the
    deferred-probe flow for -EPROBE_DEFER.
    
    Return ret directly; the IRQ subsystem already prints on failure.
    
    Fixes: 2335f0d7c790 ("iio: light: Added AMS tsl2591 driver implementation")
    Cc: [email protected]
    Signed-off-by: Stepan Ionichev <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: light: veml6030: fix channel type when pushing events [+ + +]
Author: Javier Carrasco <[email protected]>
Date:   Thu May 14 14:01:11 2026 +1300

    iio: light: veml6030: fix channel type when pushing events
    
    commit c52bb33b641ebaae3e209f97714cb1758206f7d9 upstream.
    
    The events are registered for IIO_LIGHT and not for IIO_INTENSITY.
    Use the correct channel type.
    
    When at it, fix minor checkpatch code style warning (alignment).
    
    Cc: [email protected]
    Fixes: 7b779f573c48 ("iio: light: add driver for veml6030 ambient light sensor")
    Signed-off-by: Javier Carrasco <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: magnetometer: ak8975: Add missed pm_runtime_put_autosuspend() call [+ + +]
Author: Andy Shevchenko <[email protected]>
Date:   Wed May 6 10:27:55 2026 +0200

    iio: magnetometer: ak8975: Add missed pm_runtime_put_autosuspend() call
    
    commit e94944d7364d3ddb273539492f9bd9c9a622549a upstream.
    
    On the failure in the ak8975_read_axis() the PM runtime gets unbalanced.
    Balance it by calling pm_runtime_put_autosuspend() on error path as well.
    
    Fixes: cde4cb5dd422 ("iio: magn: ak8975: deploy runtime and system PM")
    Reported-by: Sashiko <[email protected]>
    Closes: https://sashiko.dev/#/patchset/20260505-magnetometer-fixes-v5-0-831b9b5550fc%40gmail.com
    Signed-off-by: Andy Shevchenko <[email protected]>
    Reviewed-by: Joshua Crofts <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: resolver: ad2s1210: notify trigger and clear state on fault read error [+ + +]
Author: Stepan Ionichev <[email protected]>
Date:   Fri May 15 18:31:38 2026 +0500

    iio: resolver: ad2s1210: notify trigger and clear state on fault read error
    
    commit 70247658d0e783c93b48fcbc3b81d99e992ff478 upstream.
    
    ad2s1210_trigger_handler() walks several scan-mask branches and uses
    "goto error_ret" to land on the iio_trigger_notify_done() teardown at
    the bottom of the function for every I/O error -- except the
    MOD_CONFIG fault-register read, which uses a bare "return ret":
    
            if (st->fixed_mode == MOD_CONFIG) {
                    unsigned int reg_val;
    
                    ret = regmap_read(st->regmap, AD2S1210_REG_FAULT, ®_val);
                    if (ret < 0)
                            return ret;
                    ...
            }
    
    Two problems on that path:
    
      - the handler returns a negative errno where the prototype expects
        an irqreturn_t (IRQ_HANDLED / IRQ_NONE), so the caller in the
        IIO core sees a value outside the enum;
      - iio_trigger_notify_done() is skipped, leaving the trigger
        busy-flag set. A single transient SPI/regmap error on the fault
        read then wedges the trigger so subsequent samples are dropped
        until the consumer is detached.
    
    Convert the error path to "goto error_ret" so the failure path goes
    through the same notify_done() teardown as every other error in the
    handler.
    
    Fixes: f9b9ff95be8c ("iio: resolver: ad2s1210: add support for adi,fixed-mode")
    Signed-off-by: Stepan Ionichev <[email protected]>
    Reviewed-by: David Lechner <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: temperature: Build mlx90635 with CONFIG_MLX90635 [+ + +]
Author: Pengpeng Hou <[email protected]>
Date:   Thu Jun 25 13:42:59 2026 +0800

    iio: temperature: Build mlx90635 with CONFIG_MLX90635
    
    commit 63a76e3a587c4143e8e24e8a6b0c232fa0676034 upstream.
    
    drivers/iio/temperature/Kconfig has a dedicated MLX90635 option, but
    the Makefile currently builds mlx90635.o under CONFIG_MLX90632.
    
    This means enabling CONFIG_MLX90635 alone does not carry its provider
    object into the build, while enabling CONFIG_MLX90632 unexpectedly also
    builds mlx90635.o.
    
    Gate mlx90635.o on the matching generated Kconfig symbol.
    
    Fixes: a1d1ba5e1c28 ("iio: temperature: mlx90635 MLX90635 IR Temperature sensor")
    Cc: [email protected]
    Signed-off-by: Pengpeng Hou <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Acked-by: Crt Mori <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: temperature: ltc2983: Fix n_wires default bypassing rotation check [+ + +]
Author: Liviu Stan <[email protected]>
Date:   Mon May 25 19:39:28 2026 +0300

    iio: temperature: ltc2983: Fix n_wires default bypassing rotation check
    
    commit 434c150752675f44dc52c384a7fa22e5176bc35a upstream.
    
    When adi,number-of-wires is absent, n_wires is left at 0. The binding
    documents a default of 2 wires, matching the hardware default. However
    the current-rotate validation checks n_wires == 2 || n_wires == 3, so
    with n_wires = 0 the guard is bypassed and adi,current-rotate is accepted
    for a 2-wire RTD.
    
    Initialize n_wires = 2 to match the binding default and ensure the
    rotation check fires correctly when the property is absent.
    
    Fixes: f110f3188e56 ("iio: temperature: Add support for LTC2983")
    Signed-off-by: Liviu Stan <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: temperature: ltc2983: Fix reinit_completion() called after conversion start [+ + +]
Author: Liviu Stan <[email protected]>
Date:   Mon May 25 19:39:29 2026 +0300

    iio: temperature: ltc2983: Fix reinit_completion() called after conversion start
    
    commit 5cb9fdb446bfc3ae0524496f53fb68e67051701b upstream.
    
    reinit_completion() was called after regmap_write() initiated the hardware
    conversion, creating a race window where the interrupt could fire and call
    complete() before reinit_completion() reset the completion.
    
    Move reinit_completion() before the regmap_write() to close the race.
    ltc2983_eeprom_cmd() already does it in the correct order.
    
    Fixes: f110f3188e56 ("iio: temperature: Add support for LTC2983")
    Signed-off-by: Liviu Stan <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
Input: elan_i2c - prevent division by zero and arithmetic underflow [+ + +]
Author: Ranjan Kumar <[email protected]>
Date:   Mon Jun 22 22:31:05 2026 -0700

    Input: elan_i2c - prevent division by zero and arithmetic underflow
    
    commit df2b818fa009c10ff6ba875a1663ff001cda9558 upstream.
    
    The Elan I2C touchpad driver queries the device for its physical
    dimensions and trace counts to calculate the device resolution and width.
    However, if the device firmware or device tree provides invalid zero
    values for x_traces or y_traces, it results in a fatal division-by-zero
    exception leading to a kernel panic during device probe.
    
    Add checks to ensure these parameters are non-zero before performing
    the division. If invalid trace values are detected, fall back to a safe
    default of 1.
    
    Additionally, prevent an arithmetic underflow in the touch reporting
    logic. Previously, if the calculated or fallback width was smaller than
    ETP_FWIDTH_REDUCE (90), the subtraction would underflow, resulting in a
    massive unsigned integer being reported to userspace. Clamp the adjusted
    width to a minimum of 0 to safely handle small physical dimensions and
    fallback scenarios.
    
    Completing the probe with safe fallback values ensures the sysfs nodes
    are created, keeping the firmware update path intact so a recovery
    firmware can be flashed to the device.
    
    Fixes: 6696777c6506 ("Input: add driver for Elan I2C/SMbus touchpad")
    Fixes: e3a9a1290688 ("Input: elan_i2c - do not query the info if they are provided")
    Signed-off-by: Ranjan Kumar <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Cc: [email protected]
    Signed-off-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Input: goodix - clamp the device-reported contact count [+ + +]
Author: Bryam Vargas <[email protected]>
Date:   Fri Jun 12 21:10:33 2026 -0500

    Input: goodix - clamp the device-reported contact count
    
    commit 5ed62a96e06be4e94b8296b7932afee550a70e04 upstream.
    
    goodix_ts_read_input_report() copies the number of touch points reported
    by the device into an on-stack buffer
    
            u8 point_data[2 + GOODIX_MAX_CONTACT_SIZE * GOODIX_MAX_CONTACTS];
    
    which is sized for at most GOODIX_MAX_CONTACTS (10) contacts. The only
    runtime check bounds the per-interrupt count against ts->max_touch_num,
    but that value is taken verbatim from a 4-bit field of the device
    configuration block and is never clamped:
    
            ts->max_touch_num = ts->config[MAX_CONTACTS_LOC] & 0x0f;
    
    The nibble can be 0..15, so a malfunctioning, malicious or counterfeit
    controller (or an attacker tampering with the I2C bus) can advertise up
    to 15 contacts. goodix_ts_read_input_report() then accepts a touch_num
    of up to 15 and the second goodix_i2c_read() writes
    ts->contact_size * (touch_num - 1) bytes past the one-contact header into
    point_data - up to 30 bytes (45 with the 9-byte report format) beyond the
    92-byte buffer: a stack out-of-bounds write.
    
    Clamp max_touch_num to GOODIX_MAX_CONTACTS, the number of contacts
    point_data[] is sized for, when reading it from the configuration.
    
    Fixes: a7ac7c95d468 ("Input: goodix - use max touch number from device config")
    Cc: [email protected]
    Signed-off-by: Bryam Vargas <[email protected]>
    Reviewed-by: Hans de Goede <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Input: iforce - bound the device-reported force-feedback effect index [+ + +]
Author: Bryam Vargas <[email protected]>
Date:   Mon Jun 22 20:47:50 2026 -0700

    Input: iforce - bound the device-reported force-feedback effect index
    
    commit 0e9943d2e4c63496b6ca84bc66fd3c71d40558e2 upstream.
    
    iforce_process_packet() handles a status report (packet id 0x02) by
    taking a force-feedback effect index straight from the device wire and
    using it to address the per-effect state array:
    
            i = data[1] & 0x7f;
            if (data[1] & 0x80) {
                    if (!test_and_set_bit(FF_CORE_IS_PLAYED,
                                          iforce->core_effects[i].flags))
                            ...
            } else if (test_and_clear_bit(FF_CORE_IS_PLAYED,
                                          iforce->core_effects[i].flags)) {
                    ...
            }
    
    The index is masked only with 0x7f, so it ranges 0..127, but
    core_effects[] holds only IFORCE_EFFECTS_MAX (32) entries.  For an index
    of 32..127 the test_and_set_bit()/test_and_clear_bit() is an
    out-of-bounds single-bit read-modify-write past the array.  core_effects[]
    is the second-to-last member of struct iforce, so the write lands in the
    trailing members and beyond the embedding kzalloc()'d iforce_serio /
    iforce_usb object.
    
    data[1] is unvalidated device payload on both transports (the USB
    interrupt endpoint and serio), and the status path is not gated on force
    feedback being present, so a malicious or counterfeit device can set or
    clear a bit at an attacker-chosen offset past the object.
    
    Reject an out-of-range index instead of indexing with it.  Bound against
    the array dimension IFORCE_EFFECTS_MAX rather than dev->ff->max_effects so
    the check guarantees memory safety regardless of how many effects the
    device registered.  A legitimate "effect started/stopped" status always
    carries an index below IFORCE_EFFECTS_MAX, so well-formed devices are
    unaffected; the neighbouring mark_core_as_ready() loop is already bounded
    and is left untouched.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Bryam Vargas <[email protected]>
    Cc: [email protected]
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Input: maple_keyb - set driver data before registering input device [+ + +]
Author: Dmitry Torokhov <[email protected]>
Date:   Mon Jun 29 18:44:41 2026 -0700

    Input: maple_keyb - set driver data before registering input device
    
    commit 536394ec81419b67d9f4f0028812c4372397be1b upstream.
    
    Set maple driver data before calling input_register_device() to
    ensure that it is available if the device is opened immediately and
    the callback is triggered.
    
    Cc: [email protected]
    Assisted-by: Antigravity:gemini-3.5-flash
    Signed-off-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Input: maplecontrol - set driver data before registering input device [+ + +]
Author: Dmitry Torokhov <[email protected]>
Date:   Mon Jun 29 22:49:15 2026 -0700

    Input: maplecontrol - set driver data before registering input device
    
    commit fe938ee497d58c644f6910cfe6ae155f6fb3e523 upstream.
    
    Set maple driver data before calling input_register_device() to
    ensure that it is available if the device is opened immediately and
    the callback is triggered.
    
    Cc: [email protected]
    Assisted-by: Antigravity:gemini-3.5-flash
    Tested-by: Florian Fuchs <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Input: maplemouse - fix NULL pointer dereference in open() [+ + +]
Author: Florian Fuchs <[email protected]>
Date:   Mon Jun 29 18:33:42 2026 -0700

    Input: maplemouse - fix NULL pointer dereference in open()
    
    commit ee89db004238bd0b034f2a6176e175561658750b upstream.
    
    Commit 555c765b0cc2 ("Input: mouse - drop unnecessary calls to
    input_set_drvdata") dropped the input_set_drvdata() call in probe
    because the data appeared to be unused. However, dc_mouse_open() and
    dc_mouse_close() were using maple_get_drvdata(to_maple_dev(&dev->dev)).
    This appears to be accessing the data attached to an instance of
    maple_device structure, while in reality this actually retrieves driver
    data from the input device's embedded struct device (doing invalid
    conversion of input device structure to maple device). After
    input_set_drvdata() was removed, that lookup started returning NULL and
    opening the input device dereferences mse->mdev.
    
    Restore input_set_drvdata() and convert open() and close() to use
    input_get_drvdata() so the dependency is no longer hidden.
    
    Fixes: 6b3480855aad ("maple: input: fix up maple mouse driver")
    Fixes: 555c765b0cc2 ("Input: mouse - drop unnecessary calls to input_set_drvdata")
    Signed-off-by: Florian Fuchs <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Cc: [email protected]
    Signed-off-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Input: maplemouse - set driver data before registering input device [+ + +]
Author: Dmitry Torokhov <[email protected]>
Date:   Mon Jun 29 22:47:34 2026 -0700

    Input: maplemouse - set driver data before registering input device
    
    commit 738f24bbbc95dd50cb4229d1ed62a05f29db2bda upstream.
    
    Set maple driver data before calling input_register_device() to
    ensure that it is available if the device is opened immediately and
    the callback is triggered.
    
    Cc: [email protected]
    Assisted-by: Antigravity:gemini-3.5-flash
    Tested-by: Florian Fuchs <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Input: mms114 - fix multi-touch slot corruption [+ + +]
Author: Dmitry Torokhov <[email protected]>
Date:   Fri Jul 3 23:01:12 2026 -0700

    Input: mms114 - fix multi-touch slot corruption
    
    commit adea84ee6cdea611146c4251d3c1616f5a09feca upstream.
    
    If the touchscreen controller reports a touch ID of 0, the driver
    calculates the slot ID as touch->id - 1, which underflows to UINT_MAX.
    This is passed to input_mt_slot() as -1.
    
    Since the input core ignores negative slot values, the active slot remains
    unchanged. The driver then reports the touch coordinates for the previously
    active slot, corrupting its state.
    
    Fix this by rejecting touch reports with ID 0.
    
    Fixes: 07b8481d4aff ("Input: add MELFAS mms114 touchscreen driver")
    Cc: [email protected]
    Reported-by: [email protected]
    Assisted-by: Antigravity:gemini-3.5-flash
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Input: mms114 - fix touch indexing for MMS134S and MMS136 [+ + +]
Author: Dmitry Torokhov <[email protected]>
Date:   Mon Jun 22 22:35:18 2026 -0700

    Input: mms114 - fix touch indexing for MMS134S and MMS136
    
    commit a6ac4e24c1a8a533bb61035184fdcc7eede4cc8d upstream.
    
    The MMS134S and MMS136 touch controllers have an event size of 6 bytes
    rather than 8 bytes. When __mms114_read_reg() reads the touch data
    packet from the device into the touch buffer, the events are packed
    tightly at 6-byte intervals. However, the driver iterates through the
    events using standard C array indexing (touch[index]), where each
    element is sizeof(struct mms114_touch) (8 bytes) apart. As a result, any
    touch events beyond the first one are read from incorrect offsets and
    parsed improperly.
    
    Fix this by explicitly calculating the byte offset for each touch event
    based on the device's specific event size.
    
    Fixes: 53fefdd1d3a3 ("Input: mms114 - support MMS136")
    Fixes: ab108678195f ("Input: mms114 - support MMS134S")
    Reported-by: [email protected]
    Assisted-by: Antigravity:gemini-3.5-flash
    Reviewed-by: Bryam Vargas <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Cc: [email protected]
    Signed-off-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Input: mms114 - reject an oversized device packet size [+ + +]
Author: Bryam Vargas <[email protected]>
Date:   Sun Jun 14 14:19:43 2026 -0700

    Input: mms114 - reject an oversized device packet size
    
    commit 66725039f7090afe14c31bd259e2059a68f04023 upstream.
    
    mms114_interrupt() reads a packet of touch data from the device into a
    fixed-size on-stack buffer
    
            struct mms114_touch touch[MMS114_MAX_TOUCH];
    
    which holds MMS114_MAX_TOUCH (10) events of MMS114_EVENT_SIZE (8) bytes,
    i.e. 80 bytes. The length of the I2C read into it is taken verbatim from
    the device:
    
            packet_size = mms114_read_reg(data, MMS114_PACKET_SIZE);
            if (packet_size <= 0)
                    goto out;
            ...
            error = __mms114_read_reg(data, MMS114_INFORMATION, packet_size,
                            (u8 *)touch);
    
    packet_size is a single device register byte (0x0F) and the only check
    is the lower bound packet_size <= 0; it is never bounded against the
    size of touch[]. A malfunctioning, malicious or counterfeit controller
    (or an attacker tampering with the I2C bus) can report a packet_size of
    up to 255, so __mms114_read_reg() writes up to 175 bytes past the end of
    touch[] on the IRQ-thread stack: a stack out-of-bounds write that can
    overwrite the stack canary, saved registers and the return address.
    
    A well-formed device never reports more than the buffer holds, so reject
    an oversized packet and drop the report, consistent with the handler's
    other error paths, rather than reading past the buffer.
    
    Fixes: 07b8481d4aff ("Input: add MELFAS mms114 touchscreen driver")
    Signed-off-by: Bryam Vargas <[email protected]>
    Cc: [email protected]
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Input: synaptics-rmi4 - bound the F30 keymap to the GPIO/LED count [+ + +]
Author: Bryam Vargas <[email protected]>
Date:   Sun Jun 14 00:36:12 2026 -0500

    Input: synaptics-rmi4 - bound the F30 keymap to the GPIO/LED count
    
    commit d577e46785d45484b2ab7e7309c49b18764bf56c upstream.
    
    rmi_f30_map_gpios() allocates gpioled_key_map with
    min(gpioled_count, TRACKSTICK_RANGE_END) == at most 6 entries, but
    rmi_f30_attention() iterates the full f30->gpioled_count (device query
    register, range 0..31) and dereferences gpioled_key_map[i], and
    input->keycodemax is set to the full gpioled_count while input->keycode
    points at the 6-entry allocation.
    
    A device that reports gpioled_count > 6 with GPIO support enabled
    therefore causes an out-of-bounds read on the attention interrupt and
    out-of-bounds read/write through the EVIOCGKEYCODE/EVIOCSKEYCODE ioctls,
    which bound the index only against keycodemax. This is the same defect
    as the F3A handler, which was copied from F30.
    
    Size the keymap for the full gpioled_count; the mapping loop still
    assigns only the first min(gpioled_count, TRACKSTICK_RANGE_END) entries.
    
    Fixes: 3e64fcbdbd10 ("Input: synaptics-rmi4 - limit the range of what GPIOs are buttons")
    Cc: [email protected]
    Signed-off-by: Bryam Vargas <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Input: synaptics-rmi4 - bound the F3A keymap to the GPIO count [+ + +]
Author: Bryam Vargas <[email protected]>
Date:   Sun Jun 14 00:36:11 2026 -0500

    Input: synaptics-rmi4 - bound the F3A keymap to the GPIO count
    
    commit 57c10915f2c16c90e0d46ad00876bf39ece40fc2 upstream.
    
    rmi_f3a_initialize() takes the GPIO count from the device query register
    (f3a->gpio_count = buf & RMI_F3A_GPIO_COUNT, range 0..127).
    rmi_f3a_map_gpios() then allocates gpio_key_map with
    min(gpio_count, TRACKSTICK_RANGE_END) == at most 6 entries, but
    rmi_f3a_attention() iterates the full gpio_count and dereferences
    gpio_key_map[i], and input->keycodemax is set to the full gpio_count
    while input->keycode points at the 6-entry allocation.
    
    A device that reports gpio_count > 6 therefore causes an out-of-bounds
    read of gpio_key_map[] on every attention interrupt, and out-of-bounds
    accesses through the input core's default keymap ioctls: EVIOCGKEYCODE
    reads past the buffer (leaking adjacent slab memory to user space) and
    EVIOCSKEYCODE writes a caller-controlled value past it, for any process
    able to open the evdev node, since input_default_getkeycode() and
    input_default_setkeycode() only bound the index against keycodemax.
    
    Size the keymap for the full gpio_count. The mapping loop is unchanged:
    it still assigns only the first min(gpio_count, TRACKSTICK_RANGE_END)
    entries; the remaining slots stay KEY_RESERVED (devm_kcalloc zero-fills)
    and are skipped when reporting.
    
    Fixes: 9e4c596bfd00 ("Input: synaptics-rmi4 - add support for F3A")
    Cc: [email protected]
    Signed-off-by: Bryam Vargas <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Input: synaptics-rmi4 - unregister function handlers on physical driver registration failure [+ + +]
Author: Haoxiang Li <[email protected]>
Date:   Wed Jun 10 16:41:16 2026 -0700

    Input: synaptics-rmi4 - unregister function handlers on physical driver registration failure
    
    commit 6251f7d3472c0409e30f8d6a24f10d33d12e3f9a upstream.
    
    If rmi_register_physical_driver() fails, the current error path
    unregisters only the RMI bus. The function handlers registered
    earlier remain registered with the driver core.
    
    Add a separate error path to unregister the function handlers
    before unregistering the bus in this failure case.
    
    Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
    Signed-off-by: Haoxiang Li <[email protected]>
    Cc: [email protected]
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

Input: touchwin - reset the packet index on every complete packet [+ + +]
Author: Bryam Vargas <[email protected]>
Date:   Sat Jun 13 20:07:20 2026 -0500

    Input: touchwin - reset the packet index on every complete packet
    
    commit 478cdd736f2ce3114f90e775d7358136d3977b94 upstream.
    
    tw_interrupt() accumulates each non-zero serial byte into a fixed
    three-byte buffer with a running index that is only reset once a full
    packet has been received *and* the device's two Y bytes agree:
    
            tw->data[tw->idx++] = data;
            if (tw->idx == TW_LENGTH && tw->data[1] == tw->data[2]) {
                    ...
                    tw->idx = 0;
            }
    
    The reset is gated on tw->data[1] == tw->data[2], a value the device
    controls.  A malicious, malfunctioning or counterfeit Touchwindow
    peripheral can stream non-zero bytes whose 2nd and 3rd bytes differ: the
    index reaches TW_LENGTH without the equality holding, is never reset, and
    keeps growing, so tw->data[tw->idx++] walks off the end of the three-byte
    array and the rest of the heap-allocated struct tw, one attacker-chosen
    byte at a time -- an unbounded, device-driven heap out-of-bounds write.
    
    Reset the index on every completed packet and report an event only when
    the two Y bytes match, like the other serio touchscreen drivers do.
    
    Fixes: 11ea3173d5f2 ("Input: add driver for Touchwin serial touchscreens")
    Cc: [email protected]
    Signed-off-by: Bryam Vargas <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
io_uring/io-wq: re-check IO_WQ_BIT_EXIT for each linked work item [+ + +]
Author: Runyu Xiao <[email protected]>
Date:   Thu May 28 01:22:03 2026 +0800

    io_uring/io-wq: re-check IO_WQ_BIT_EXIT for each linked work item
    
    commit 29bef9934b2521f787bb15dd1985d4c0d12ae02a upstream.
    
    commit 10dc95939817 ("io_uring/io-wq: check IO_WQ_BIT_EXIT inside work
    run loop") fixed the obvious case where io_worker_handle_work() took one
    exit-bit snapshot before draining pending work, but the fix stops one
    level too early.
    
    io_worker_handle_work() now re-checks IO_WQ_BIT_EXIT in its outer work
    run loop, yet it still snapshots that bit once before processing a whole
    dependent linked-work chain. If io_wq_exit_start() sets IO_WQ_BIT_EXIT
    after the first linked item has started, the remaining linked items can
    still reuse stale do_kill = false, skip IO_WQ_WORK_CANCEL, and continue
    running after exit has begun.
    
    Move the check further inside, so it covers linked items too. Note: this
    is a syzbot special as it loves setting up tons of slow linked work on
    weird devices like msr that take forever to read, and immediately close
    the ring. Exit then takes a long time.
    
    Fixes: 10dc95939817 ("io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop")
    Cc: [email protected]
    Signed-off-by: Runyu Xiao <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jens Axboe <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
iommu/amd: Don't split flush for amd_iommu_domain_flush_all() [+ + +]
Author: Weinan Liu <[email protected]>
Date:   Thu May 28 22:31:47 2026 +0000

    iommu/amd: Don't split flush for amd_iommu_domain_flush_all()
    
    commit 69fe699afe1afcb730164b86c228483c2da05f94 upstream.
    
    We have observed multiple full invalidations occurring during device
    detach when we are done using the vfio-device.
    
    blocked_domain_attach_device()
      -> detach_device()
        -> amd_iommu_domain_flush_all()
          -> amd_iommu_domain_flush_pages(..., CMD_INV_IOMMU_ALL_PAGES_ADDRESS)
    
            while (size != 0) {
    
              -> __domain_flush_pages( flush_size /* power of 2 flush_size */)
                -> domain_flush_pages_v1()
                  -> build_inv_iommu_pages()
                    -> build_inv_address()
    
             }
    
    build_inv_address() will trigger a full invalidation  if the chunk
    size > (1 << 51). Consequently, the guest will issue multiple full
    invalidations for a single call to  amd_iommu_domain_flush_all()
    
    Without this patch, we will see 10 time instead of 1 time full
    invalidations for every amd_iommu_domain_flush_all().
    
    Cc: [email protected]
    Fixes: a270be1b3fdf ("iommu/amd: Use only natural aligned flushes in a VM")
    Suggested-by: Josef Bacik <[email protected]>
    Suggested-by: Jason Gunthorpe <[email protected]>
    Signed-off-by: Weinan Liu <[email protected]>
    Reviewed-by: Wei Wang <[email protected]>
    Reviewed-by: Jason Gunthorpe <[email protected]>
    Reviewed-by: Samiullah Khawaja <[email protected]>
    Reviewed-by: Suravee Suthikulpanit <[email protected]>
    Reviewed-by: Vasant Hegde <[email protected]>
    Signed-off-by: Joerg Roedel <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
iommufd: Set upper bounds on cache invalidation entry_num and entry_len [+ + +]
Author: Nicolin Chen <[email protected]>
Date:   Wed Jun 3 14:26:53 2026 -0700

    iommufd: Set upper bounds on cache invalidation entry_num and entry_len
    
    commit 4d70986002f2f3eaaed89124fb2522bded38b016 upstream.
    
    iommufd_hwpt_invalidate() takes a user-controlled entry_num and entry_len,
    each bounded only by U32_MAX. An entry_len beyond the kernel's struct size
    makes the copy helper verify the extra bytes are zero, scanning that excess
    in one uninterruptible pass; a multi-gigabyte value over zeroed user memory
    trips the soft-lockup watchdog.
    
    A large entry_num is the other half, driving the backend invalidation loop
    with no reschedule. The VT-d nested handler, for one, copies each entry and
    flushes caches per iteration, pinning the CPU on a non-preemptible kernel.
    
    Cap both in the ioctl. entry_len is held under PAGE_SIZE, above any request
    struct, and entry_num under 1 << 19, the order of a hardware invalidation
    queue and well beyond any real batch, bounding the per-call loop length.
    
    Fixes: 8c6eabae3807 ("iommufd: Add IOMMU_HWPT_INVALIDATE")
    Link: https://patch.msgid.link/r/447fa93663f7526eb361719e83fa8b649464483d.1780521606.git.nicolinc@nvidia.com
    Cc: [email protected]
    Assisted-by: Claude:claude-opus-4-8
    Signed-off-by: Nicolin Chen <[email protected]>
    Reviewed-by: Lu Baolu <[email protected]>
    Signed-off-by: Jason Gunthorpe <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
ipv4: igmp: remove multicast group from hash table on device destruction [+ + +]
Author: Yuyang Huang <[email protected]>
Date:   Thu Jul 2 08:50:14 2026 +0900

    ipv4: igmp: remove multicast group from hash table on device destruction
    
    commit 7993211bde166471dffac074dc965489f86531f8 upstream.
    
    When a device is destroyed under RTNL, ip_mc_destroy_dev() iterates through
    the multicast list and calls ip_ma_put() on each membership, scheduling
    them for RCU reclamation. However, they are not unlinked from the device's
    multicast hash table (mc_hash).
    
    Since the device remains published in dev->ip_ptr until after
    ip_mc_destroy_dev() completes, concurrent RCU readers traversing mc_hash
    can still locate and access the multicast group after its refcount is
    decremented. If the RCU callback runs and frees the group while a reader is
    accessing it, a use-after-free occurs.
    
    Fix this by unlinking the multicast group from mc_hash using
    ip_mc_hash_remove() before scheduling it for reclamation.
    
    BUG: KASAN: slab-use-after-free in ip_check_mc_rcu+0x149/0x3f0
    Read of size 4 at addr ffff888009bf1408 by task mausezahn/2276
    
    Call Trace:
     <IRQ>
     dump_stack_lvl+0x67/0x90
     print_report+0x175/0x7c0
     kasan_report+0x147/0x180
     ip_check_mc_rcu+0x149/0x3f0
     udp_v4_early_demux+0x36d/0x12d0
     ip_rcv_finish_core+0xb8b/0x1390
     ip_rcv_finish+0x54/0x120
     NF_HOOK+0x213/0x2b0
     __netif_receive_skb+0x126/0x340
     process_backlog+0x4f2/0xf00
     __napi_poll+0x92/0x2c0
     net_rx_action+0x583/0xc60
     handle_softirqs+0x236/0x7f0
     do_softirq+0x57/0x80
     </IRQ>
    
    Allocated by task 2239:
     kasan_save_track+0x3e/0x80
     __kasan_kmalloc+0x72/0x90
     ____ip_mc_inc_group+0x31a/0xa40
     __ip_mc_join_group+0x334/0x3f0
     do_ip_setsockopt+0x16fa/0x2010
     ip_setsockopt+0x3f/0x90
     do_sock_setsockopt+0x1ad/0x300
    
    Freed by task 0:
     kasan_save_track+0x3e/0x80
     kasan_save_free_info+0x40/0x50
     __kasan_slab_free+0x3a/0x60
     __rcu_free_sheaf_prepare+0xd4/0x220
     rcu_free_sheaf+0x36/0x190
     rcu_core+0x8d9/0x12f0
     handle_softirqs+0x236/0x7f0
    
    Fixes: e9897071350b ("igmp: hash a hash table to speedup ip_check_mc_rcu()")
    Cc: [email protected]
    Signed-off-by: Yuyang Huang <[email protected]>
    Reviewed-by: Kuniyuki Iwashima <[email protected]>
    Reviewed-by: Ido Schimmel <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
isofs: bound Rock Ridge symlink components to the SL record [+ + +]
Author: Bryam Vargas <[email protected]>
Date:   Sun Jun 7 01:18:27 2026 +0000

    isofs: bound Rock Ridge symlink components to the SL record
    
    commit 5fa1d6a5ec2356d2107dead614437c66fa7138b1 upstream.
    
    get_symlink_chunk() and the SL handling in
    parse_rock_ridge_inode_internal() walk the variable-length components of
    a Rock Ridge "SL" (symbolic link) record.  Each component is a two-byte
    header (flags, len) followed by len bytes of text, so it occupies
    slp->len + 2 bytes.  Both loops read slp->len and advance to the next
    component, and get_symlink_chunk() additionally does
    memcpy(rpnt, slp->text, slp->len), but neither checks that the component
    lies within the SL record before dereferencing it.
    
    A crafted SL record whose component declares a len that runs past the
    record (rr->len) therefore triggers an out-of-bounds read of up to 255
    bytes.  When the record sits at the tail of its backing buffer - for
    example a small kmalloc()ed continuation block reached through a CE
    record - the read crosses the allocation; get_symlink_chunk() then
    copies the out-of-bounds bytes into the symlink body returned to user
    space by readlink(), disclosing adjacent kernel memory.
    
    ISO 9660 images are routinely mounted from untrusted removable media -
    desktop environments auto-mount them (e.g. via udisks2) without
    CAP_SYS_ADMIN - so the record contents are attacker-controlled.
    
    Reject any component that does not fit in the remaining record bytes
    before using it.  In get_symlink_chunk() return NULL, like the existing
    output-buffer (plimit) checks, so a malformed record makes readlink()
    fail with -EIO rather than silently returning a truncated target; in
    parse_rock_ridge_inode_internal() stop the inode-size walk.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: [email protected]
    Suggested-by: Michael Bommarito <[email protected]>
    Signed-off-by: Bryam Vargas <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jan Kara <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
ksmbd: add a permission check for FSCTL_SET_ZERO_DATA [+ + +]
Author: Gil Portnoy <[email protected]>
Date:   Wed Jun 10 20:07:04 2026 +0900

    ksmbd: add a permission check for FSCTL_SET_ZERO_DATA
    
    commit 3320ba068198adc144c89d6661b805acce01735b upstream.
    
    FSCTL_SET_ZERO_DATA in smb2_ioctl() destroys file data via
    ksmbd_vfs_zero_data() -> vfs_fallocate(PUNCH_HOLE/ZERO_RANGE) after
    checking only the share-level KSMBD_TREE_CONN_FLAG_WRITABLE, with no
    per-handle access check. A handle opened with only FILE_WRITE_ATTRIBUTES
    still yields an FMODE_WRITE filp (FILE_WRITE_ATTRIBUTES is part of
    FILE_WRITE_DESIRE_ACCESS_LE, so smb2_create_open_flags() opens it
    O_WRONLY), so the vfs_fallocate FMODE_WRITE check does not stop it; only
    the missing fp->daccess gate would. Reproduced on mainline 7.1-rc7 with
    KASAN by an authenticated SMB client: a FILE_WRITE_ATTRIBUTES-only handle
    zeroed 4096 bytes of file data it had no FILE_WRITE_DATA right to
    (6/6; a FILE_READ_DATA-only handle was correctly denied).
    
    This is the unfixed sibling of commit cc57232cae23 ("ksmbd: fix FSCTL
    permission bypass by adding a permission check for FSCTL_SET_SPARSE").
    Because SET_ZERO_DATA writes data (not an attribute), require
    FILE_WRITE_DATA.
    
    Cc: [email protected]
    Signed-off-by: Gil Portnoy <[email protected]>
    Acked-by: Namjae Jeon <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ksmbd: add a WRITE_DAC/WRITE_OWNER check to SMB2 SET_INFO SECURITY [+ + +]
Author: Gil Portnoy <[email protected]>
Date:   Tue Jun 9 00:00:00 2026 +0000

    ksmbd: add a WRITE_DAC/WRITE_OWNER check to SMB2 SET_INFO SECURITY
    
    commit 44df157a1183a7f746caa970c169255da5ac61f8 upstream.
    
    commit cc57232cae23 ("ksmbd: fix FSCTL permission bypass by adding a
    permission check for FSCTL_SET_SPARSE") added a fp->daccess gate to
    fsctl_set_sparse and noted that "similar handle-level checks exist in other
    functions but are missing here." The SMB2 SET_INFO SECURITY arm is one of
    the missing ones, and the most security-relevant: smb2_set_info_sec() calls
    set_info_sec() with no per-handle access check.
    
    set_info_sec() (fs/smb/server/smbacl.c) re-permissions the file: it
    rewrites owner/group/mode via notify_change(), rewrites the POSIX ACL via
    set_posix_acl(), and on KSMBD_SHARE_FLAG_ACL_XATTR shares removes and
    rewrites the Windows security descriptor via ksmbd_vfs_set_sd_xattr().
    Every other persistent-mutation arm of the sibling handler
    smb2_set_info_file() checks fp->daccess first (FILE_WRITE_DATA /
    FILE_DELETE / FILE_WRITE_EA / FILE_WRITE_ATTRIBUTES); the SECURITY arm —
    which mutates the access control itself — is the only one with no gate.
    
    A client can therefore open a handle with FILE_WRITE_ATTRIBUTES only (no
    FILE_WRITE_DAC / FILE_WRITE_OWNER) and use SMB2_SET_INFO with InfoType
    SMB2_O_INFO_SECURITY to rewrite the file's DACL and owner, granting itself
    access the handle's daccess never carried. Unlike the FSCTL data arms this
    is a metadata/xattr operation, so there is no FMODE_WRITE VFS backstop —
    the missing fp->daccess check is the entire gate.
    
    Setting a security descriptor is the WRITE_DAC / WRITE_OWNER operation, so
    require at least one of those on the handle before re-permissioning the
    file. -EACCES is mapped to STATUS_ACCESS_DENIED by smb2_set_info().
    
    Cc: [email protected]
    Signed-off-by: Gil Portnoy <[email protected]>
    Acked-by: Namjae Jeon <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ksmbd: add per-handle permission check to FILE_LINK_INFORMATION [+ + +]
Author: Gil Portnoy <[email protected]>
Date:   Wed Jun 10 20:13:51 2026 +0900

    ksmbd: add per-handle permission check to FILE_LINK_INFORMATION
    
    commit 13f3942f2bf45856bb751faed2f0c4618f41ca20 upstream.
    
    The FILE_LINK_INFORMATION arm of smb2_set_info_file() calls
    smb2_create_link() with no per-handle fp->daccess check. On the
    ReplaceIfExists path smb2_create_link() unlinks an existing file at the
    target name (ksmbd_vfs_remove_file) and creates a hardlink
    (ksmbd_vfs_link); neither helper checks daccess. A handle opened with
    FILE_READ_DATA only (no FILE_DELETE, no FILE_WRITE_DATA) can therefore
    delete an arbitrary file in the share and plant a hardlink over its name.
    
    The sibling delete/move arms in the same switch already gate:
    FILE_RENAME_INFORMATION and FILE_DISPOSITION_INFORMATION both require
    FILE_DELETE_LE; FILE_FULL_EA_INFORMATION requires FILE_WRITE_EA_LE. Gate
    the link arm the same way as its closest analogue (rename), since it
    mutates the namespace and, on replace, deletes an existing entry.
    
    This is a sibling of commit cc57232cae23 ("ksmbd: fix FSCTL permission
    bypass by adding a permission check for FSCTL_SET_SPARSE").
    
    Cc: [email protected]
    Signed-off-by: Gil Portnoy <[email protected]>
    Acked-by: Namjae Jeon <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ksmbd: add permission checks for FSCTL_DUPLICATE_EXTENTS_TO_FILE [+ + +]
Author: Gil Portnoy <[email protected]>
Date:   Fri Jun 12 07:15:38 2026 +0900

    ksmbd: add permission checks for FSCTL_DUPLICATE_EXTENTS_TO_FILE
    
    commit 388e4139db27a9e3612c9d356b826f5b1ff6a9e3 upstream.
    
    The FSCTL_DUPLICATE_EXTENTS_TO_FILE arm of smb2_ioctl() overwrites the
    destination file's data via vfs_clone_file_range() with neither the
    share-level KSMBD_TREE_CONN_FLAG_WRITABLE check nor a per-handle
    fp->daccess check that the other write-bearing arms carry. A client can
    overwrite destination data on a read-only share, or from a handle opened
    with only FILE_WRITE_ATTRIBUTES (which still yields an FMODE_WRITE filp).
    FILE_WRITE_ATTRIBUTES-only destination handle overwrote the file's data via
    the clone. Add both checks, matching the FSCTL_SET_SPARSE permission fix;
    require FILE_WRITE_DATA since this writes data.
    
    Cc: [email protected]
    Signed-off-by: Gil Portnoy <[email protected]>
    Acked-by: Namjae Jeon <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ksmbd: enforce FILE_READ_ATTRIBUTES on SMB_FIND_FILE_POSIX_INFORMATION [+ + +]
Author: Gil Portnoy <[email protected]>
Date:   Thu Jun 11 22:59:51 2026 +0900

    ksmbd: enforce FILE_READ_ATTRIBUTES on SMB_FIND_FILE_POSIX_INFORMATION
    
    commit 20c8442dc1003f9f7bb522d3dcd81d09ea59a79e upstream.
    
    find_file_posix_info() in smb2_query_info() returns file metadata (owner
    uid, group gid, mode, inode, size, allocation size, hard-link count and all
    four timestamps) but performs no per-handle access check. Every sibling
    query handler gates on the handle's granted access first --
    get_file_basic_info(), get_file_all_info(), get_file_network_open_info()
    and get_file_attribute_tag_info() all reject a handle lacking
    FILE_READ_ATTRIBUTES_LE with -EACCES. The POSIX handler is gated only by
    the connection-scoped tcon->posix_extensions flag, which is not a
    per-handle authorization, so a handle opened with only FILE_WRITE_DATA is
    correctly denied FileBasicInformation yet is allowed the strict-superset
    POSIX info. Mirror the FILE_READ_ATTRIBUTES_LE gate the sibling info
    handlers already use.
    
    Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
    Cc: [email protected]
    Signed-off-by: Gil Portnoy <[email protected]>
    Acked-by: Namjae Jeon <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ksmbd: fix UAF of struct file_lock in SMB2_LOCK deferred-lock cancellation [+ + +]
Author: Davide Ornaghi <[email protected]>
Date:   Sat Jun 6 16:11:04 2026 +0900

    ksmbd: fix UAF of struct file_lock in SMB2_LOCK deferred-lock cancellation
    
    commit d20d1c8ba5765d1d12eefc0aee6385ab3f240e1e upstream.
    
    When a blocking byte-range lock request is deferred in the
    FILE_LOCK_DEFERRED path, ksmbd registers the asynchronous work into
    the connection's async_requests list via setup_async_work(). The cancel
    callback smb2_remove_blocked_lock() holds a reference to the flock.
    
    If the lock waiter is subsequently woken up but the work state is no
    longer KSMBD_WORK_ACTIVE (e.g., due to a concurrent cancellation), the
    cleanup path calls locks_free_lock(flock) without dequeuing the work from
    the async_requests list. Concurrently, smb2_cancel() walks the list
    under conn->request_lock and invokes the cancel callback, which then
    dereferences the already freed 'flock'. This leads to a slab-use-after-free
    inside __wake_up_common.
    
    Fix this by restructuring the cleanup logic after the worker returns
    from ksmbd_vfs_posix_lock_wait(). Move list_del(&smb_lock->llist) and
    release_async_work(work) to the top of the cleanup block. This guarantees
    that the async work is completely dequeued and serialized under
    conn->request_lock before locks_free_lock(flock) is called, rendering
    the flock unreachable for any concurrent smb2_cancel().
    
    Cc: [email protected]
    Signed-off-by: Davide Ornaghi <[email protected]>
    Signed-off-by: Namjae Jeon <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ksmbd: fix use-after-free of a deferred file_lock on SMB2_CLOSE then SMB2_CANCEL [+ + +]
Author: Gil Portnoy <[email protected]>
Date:   Wed Jun 10 19:53:14 2026 +0900

    ksmbd: fix use-after-free of a deferred file_lock on SMB2_CLOSE then SMB2_CANCEL
    
    commit 10f293a07f9e10e988b0ae44e2e99c631f5a68e0 upstream.
    
    Commit f580d27e8928 ("ksmbd: fix use-after-free of a deferred file_lock on
    double SMB2_CANCEL") made smb2_cancel() skip a work whose state is
    KSMBD_WORK_CANCELLED, so its cancel_fn cannot be fired a second time. But
    KSMBD_WORK has three states (ACTIVE, CANCELLED, CLOSED), and the same
    freeing producer path is reached for CLOSED too:
    
      SMB2_CLOSE on the locking handle -> set_close_state_blocked_works() sets
      the deferred work's state to KSMBD_WORK_CLOSED and wakes the smb2_lock()
      worker. The worker takes the non-ACTIVE early-exit, locks_free_lock()s
      the file_lock and, because the state is not KSMBD_WORK_CANCELLED, takes
      the STATUS_RANGE_NOT_LOCKED branch with "goto out2" -- which, like the
      cancelled branch, skips release_async_work(). The work stays on
      conn->async_requests with a live cancel_fn = smb2_remove_blocked_lock
      pointing at the freed file_lock.
    
    A subsequent SMB2_CANCEL for the same AsyncId then passes the
    KSMBD_WORK_CANCELLED-only guard (its state is KSMBD_WORK_CLOSED), so
    smb2_cancel() fires cancel_fn again over the freed file_lock -- the same
    use-after-free fixed, via SMB2_CLOSE instead of a first SMB2_CANCEL:
    
      BUG: KASAN: slab-use-after-free in __locks_delete_block
        __locks_delete_block
        locks_delete_block
        ksmbd_vfs_posix_lock_unblock
        smb2_remove_blocked_lock
        smb2_cancel                 <- 2nd SMB2_CANCEL fires cancel_fn
        handle_ksmbd_work
      Allocated by ...: locks_alloc_lock <- smb2_lock
      Freed by ...:     locks_free_lock  <- smb2_lock (non-ACTIVE early-exit)
      ... cache file_lock_cache of size 192
    
    Reproduced on mainline 7.1-rc7 (which already contains f580d27e8928) with
    KASAN by an authenticated SMB client; the double-SMB2_CANCEL control is
    silent on that kernel, so the splat is attributable to the CLOSE trigger.
    
    Only an ACTIVE deferred work may have its cancel_fn fired: both terminal
    states (CANCELLED and CLOSED) reach the smb2_lock() early-exit that frees
    the file_lock and skips release_async_work(). Guard on KSMBD_WORK_ACTIVE
    so any non-active work is skipped.
    
    Fixes: f580d27e8928 ("ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL")
    Cc: [email protected]
    Signed-off-by: Gil Portnoy <[email protected]>
    Acked-by: Namjae Jeon <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ksmbd: require source read access for duplicate extents [+ + +]
Author: Namjae Jeon <[email protected]>
Date:   Sat Jun 13 22:00:02 2026 +0900

    ksmbd: require source read access for duplicate extents
    
    commit cedff600f1642aa982178503552f0d007bc829c8 upstream.
    
    FSCTL_DUPLICATE_EXTENTS_TO_FILE passes the source file directly to
    vfs_clone_file_range() or vfs_copy_file_range() without checking the SMB
    access mask granted to the source handle. A handle opened with attribute
    access can consequently be used to copy file contents into an
    attacker-readable destination.
    
    Require FILE_READ_DATA on the source handle before either VFS operation,
    matching other ksmbd data-copy paths.
    
    Cc: [email protected]
    Reported-by: Musaab Khan <[email protected]>
    Signed-off-by: Namjae Jeon <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ksmbd: run set info with opener credentials [+ + +]
Author: Namjae Jeon <[email protected]>
Date:   Sat Jun 13 22:00:01 2026 +0900

    ksmbd: run set info with opener credentials
    
    commit b383bcad3d2fe634b26efbce53e22bbb5753a520 upstream.
    
    SMB2 SET_INFO handlers call path-based VFS helpers after checking the
    access mask granted to the SMB handle. Those helpers perform their owner,
    inode permission and LSM checks using the current ksmbd worker credentials.
    
    Run the complete SET_INFO dispatch with the credentials captured when the
    handle was opened. This also removes the separate security information
    credential setup and keeps all SET_INFO classes under one credential scope.
    
    Direct override_creds() is used because it can nest with the request
    credential overrides already used by rename and link helpers.
    
    Cc: [email protected]
    Reported-by: Musaab Khan <[email protected]>
    Signed-off-by: Namjae Jeon <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ksmbd: serialize QUERY_DIRECTORY requests per file [+ + +]
Author: Namjae Jeon <[email protected]>
Date:   Fri Jun 12 08:00:00 2026 +0900

    ksmbd: serialize QUERY_DIRECTORY requests per file
    
    commit be6d26bf27499977c746abc163659915082348d8 upstream.
    
    smb2_query_dir() stores a pointer to its stack-allocated private data in
    the ksmbd_file readdir_data. Concurrent QUERY_DIRECTORY requests using the
    same file handle can overwrite this pointer while an iterate_dir() callback
    is still using it, resulting in a stack use-after-free.
    
    Add a per-file mutex and hold it while accessing the shared directory
    enumeration state. The lock covers scan restart, dot entry state,
    readdir_data setup and iteration, and response construction. This prevents
    another request from replacing readdir_data.private before the current
    request has finished using it and also serializes the shared file position.
    
    Cc: [email protected]
    Reported-by: [email protected] # ZDI-CAN-30527
    Signed-off-by: Namjae Jeon <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ksmbd: use opener credentials for ADS I/O [+ + +]
Author: Namjae Jeon <[email protected]>
Date:   Sat Jun 13 22:00:03 2026 +0900

    ksmbd: use opener credentials for ADS I/O
    
    commit baa5e094886fffa7e6272edcb5e08be5ce28262c upstream.
    
    Alternate data streams are stored as xattrs. Unlike regular file I/O,
    their read and write paths therefore call VFS xattr helpers which recheck
    inode permissions and LSM policy using the current task credentials.
    
    Run ADS I/O with the credentials captured when the SMB handle was opened.
    
    Cc: [email protected]
    Reported-by: Musaab Khan <[email protected]>
    Signed-off-by: Namjae Jeon <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ksmbd: use opener credentials for delete-on-close [+ + +]
Author: Namjae Jeon <[email protected]>
Date:   Sat Jun 13 22:00:00 2026 +0900

    ksmbd: use opener credentials for delete-on-close
    
    commit 52e2f21911158ec961cd5aae19c56460db382af0 upstream.
    
    Delete-on-close can be completed by deferred or durable handle teardown,
    where no request work is available. Both the base-file unlink and the ADS
    xattr removal consequently run with the ksmbd worker credentials and can
    bypass filesystem permission checks.
    
    Run both operations with the credentials captured in struct file when the
    handle was opened. This preserves the authenticated user's fsuid, fsgid,
    supplementary groups and capability restrictions at final close.
    
    Cc: [email protected]
    Reported-by: Musaab Khan <[email protected]>
    Signed-off-by: Namjae Jeon <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
KVM: VMX: Grab vmcs12 on CR8 interception update iff vCPU is in guest mode [+ + +]
Author: Sean Christopherson <[email protected]>
Date:   Thu Jun 18 10:43:46 2026 -0700

    KVM: VMX: Grab vmcs12 on CR8 interception update iff vCPU is in guest mode
    
    commit 7ef78d71ca713d8c00f7c34ddcf276c808143f77 upstream.
    
    When updating CR8 intercepts, get vmcs12 if and only if the vCPU is in
    guest mode so that a future change can have update CR8 intercepts during
    vCPU creation, without running afoul of get_vmcs12()'s lockdep assertion.
    
      ------------[ cut here ]------------
      debug_locks && !(lock_is_held(&(&vcpu->mutex)->dep_map) || !refcount_read(&vcpu->kvm->users_count))
      WARNING: arch/x86/kvm/vmx/nested.h:61 at get_vmcs12 arch/x86/kvm/vmx/nested.h:60 [inline], CPU#0: syz.2.19/5879
      WARNING: arch/x86/kvm/vmx/nested.h:61 at vmx_update_cr8_intercept+0x3de/0x4e0 arch/x86/kvm/vmx/vmx.c:6879, CPU#0: syz.2.19/5879
      Modules linked in:
      CPU: 0 UID: 0 PID: 5879 Comm: syz.2.19 Not tainted syzkaller #0 PREEMPT(full)
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
      RIP: 0010:get_vmcs12 arch/x86/kvm/vmx/nested.h:60 [inline]
      RIP: 0010:vmx_update_cr8_intercept+0x3de/0x4e0 arch/x86/kvm/vmx/vmx.c:6879
      Call Trace:
       <TASK>
       apic_update_ppr arch/x86/kvm/lapic.c:984 [inline]
       kvm_lapic_reset+0x1c24/0x2980 arch/x86/kvm/lapic.c:3023
       kvm_vcpu_reset+0x44c/0x1bf0 arch/x86/kvm/x86.c:12986
       kvm_arch_vcpu_create+0x746/0x8b0 arch/x86/kvm/x86.c:12847
       kvm_vm_ioctl_create_vcpu+0x428/0x930 virt/kvm/kvm_main.c:4201
       kvm_vm_ioctl+0x893/0xd50 virt/kvm/kvm_main.c:5159
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:597 [inline]
       __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
       </TASK>
    
    No functional change intended.
    
    Reported-by: syzbot ci <[email protected]>
    Closes: https://lore.kernel.org/all/[email protected]
    Cc: [email protected]
    Signed-off-by: Sean Christopherson <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Paolo Bonzini <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

KVM: VMX: Refresh GUEST_PENDING_DBG_EXCEPTIONS.BS on all injected #DBs [+ + +]
Author: Sean Christopherson <[email protected]>
Date:   Fri May 15 15:26:29 2026 -0700

    KVM: VMX: Refresh GUEST_PENDING_DBG_EXCEPTIONS.BS on all injected #DBs
    
    commit c5bad4fa2d5dfd8c25140051a9807eba387a19b8 upstream.
    
    Move KVM's stuffing of GUEST_PENDING_DBG_EXCEPTIONS.BS when RFLAGS.TF=1 and
    MOV/POP SS or STI blocking is active into the exception injection code so
    that KVM fixes up the VMCS for all injected #DBs, not only those that are
    reflected back into the guest after #DB interception.  E.g. if KVM queues
    a #DB in the emulator, or more importantly if userspace does save/restore
    exactly on the #DB+shadow boundary, then KVM needs to massage the VMCS to
    avoid the VM-Entry consistency check.
    
    Opportunistically update the wording of the comment to describe the
    behavior as a workaround of flawed CPU behavior/architecture, to make it
    clear that the *only* thing KVM is doing is fudging around a consistency
    check.  Per the SDM:
    
      There are no pending debug exceptions after VM entry if any of the
      following are true:
    
        * The VM entry is vectoring with one of the following interruption
          types: external interrupt, non-maskable interrupt (NMI), hardware
          exception, or privileged software exception.
    
    I.e. forcing GUEST_PENDING_DBG_EXCEPTIONS.BS does *not* impact guest-
    visible behavior.
    
    Fixes: b9bed78e2fa9 ("KVM: VMX: Set vmcs.PENDING_DBG.BS on #DB in STI/MOVSS blocking shadow")
    Cc: [email protected]
    Reported-by: Hou Wenlong <[email protected]>
    Closes: https://lore.kernel.org/all/b1a294bc9ed4dae532474a5dc6c8cb6e5962de7c.1757416809.git.houwenlong.hwl@antgroup.com
    Reviewed-by: Hou Wenlong <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Sean Christopherson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

KVM: x86: Ensure vendor's exit handler runs before fastpath userspace exits [+ + +]
Author: Sean Christopherson <[email protected]>
Date:   Thu Apr 23 09:26:27 2026 -0700

    KVM: x86: Ensure vendor's exit handler runs before fastpath userspace exits
    
    commit 0ffedf43910e44b76c2c1db4e9fbf12b268190c1 upstream.
    
    Move the handling of fastpath userspace exits into vendor code to ensure
    KVM runs vendor specific operations that need to run before userspace gains
    control of the vCPU.  E.g. for VMX (and soon to be for SVM as well), KVM
    needs to flush the PML buffer prior to exiting to userspace, otherwise any
    memory written by the final KVM_RUN might never be flagged as dirty.
    
    Note, waiting to snapshot CR0 and CR3 until svm_handle_exit() is flawed in
    general, as that risks consuming stale state in a fastpath handler.  That
    will be addressed in a future change.
    
    Fixes: f7f39c50edb9 ("KVM: x86: Exit to userspace if fastpath triggers one on instruction skip")
    Cc: [email protected]
    Cc: Nikunj A. Dadhania <[email protected]>
    Reviewed-by: Nikunj A. Dadhania <[email protected]>
    Reviewed-by: Kai Huang <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Sean Christopherson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
Linux: Linux 6.12.96 [+ + +]
Author: Greg Kroah-Hartman <[email protected]>
Date:   Sat Jul 18 16:52:17 2026 +0200

    Linux 6.12.96
    
    Link: https://lore.kernel.org/r/[email protected]
    Tested-by: Brett A C Sheffield <[email protected]>
    Tested-by: Florian Fainelli <[email protected]>
    Tested-by: Peter Schneider <[email protected]>
    Tested-by: Salvatore Bonaccorso <[email protected]>
    Tested-by: Miguel Ojeda <[email protected]>
    Tested-by: Francesco Dolcini <[email protected]>
    Tested-by: Dominique Martinet <[email protected]>
    Tested-by: Ron Economos <[email protected]>
    Tested-by: Shuah Khan <[email protected]>
    Tested-by: Pavel Machek (CIP) <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Tested-by: Brett A C Sheffield <[email protected]>
    Tested-by: Florian Fainelli <[email protected]>
    Tested-by: Pavel Machek (CIP) <[email protected]>
    Tested-by: Peter Schneider <[email protected]>
    Tested-by: Mark Brown <[email protected]>
    Tested-by: Miguel Ojeda <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
locking/rtmutex: Make sure we wake anything on the wake_q when we release the lock->wait_lock [+ + +]
Author: John Stultz <[email protected]>
Date:   Mon Jul 6 08:50:05 2026 -0400

    locking/rtmutex: Make sure we wake anything on the wake_q when we release the lock->wait_lock
    
    [ Upstream commit 4a077914578183ec397ad09f7156a357e00e5d72 ]
    
    Bert reported seeing occasional boot hangs when running with
    PREEPT_RT and bisected it down to commit 894d1b3db41c
    ("locking/mutex: Remove wakeups from under mutex::wait_lock").
    
    It looks like I missed a few spots where we drop the wait_lock and
    potentially call into schedule without waking up the tasks on the
    wake_q structure. Since the tasks being woken are ww_mutex tasks
    they need to be able to run to release the mutex and unblock the
    task that currently is planning to wake them. Thus we can deadlock.
    
    So make sure we wake the wake_q tasks when we unlock the wait_lock.
    
    Closes: https://lore.kernel.org/lkml/[email protected]
    Fixes: 894d1b3db41c ("locking/mutex: Remove wakeups from under mutex::wait_lock")
    Reported-by: Bert Karwatzki <[email protected]>
    Signed-off-by: John Stultz <[email protected]>
    Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
    Link: https://lkml.kernel.org/r/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
LoongArch: Add PIO for early access before ACPI PCI root register [+ + +]
Author: Huacai Chen <[email protected]>
Date:   Thu Jun 25 13:03:47 2026 +0800

    LoongArch: Add PIO for early access before ACPI PCI root register
    
    commit 6061e65f95713b01f4313cda6637dfe3aa5412b4 upstream.
    
    For ACPI system we suppose the ISA/LPC PIO range is registered together
    with PCI root bridge. But the fact is there may be some early access to
    the ISA/LPC PIO range before ACPI PCI root register (most of them are
    due to abnormal BIOS). Unconditionally register the ISA/LPC PIO range
    usually causes ACPI PCI root register fail because of the address range
    confliction. So we add a pair of helpers: acpi_add_early_pio() to add
    PIO for early access, and acpi_remove_early_pio() to remove PIO before
    PCI root register. Since acpi_remove_early_pio() may be called multiple
    times, we add an acpi_pio flag to ensure PIO be removed only once.
    
    Cc: <[email protected]>
    Tested-by: Yuanzhen Gan <[email protected]>
    Signed-off-by: Huacai Chen <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
media: mtk-jpeg: cancel workqueue on release for supported platforms only [+ + +]
Author: Louis-Alexis Eyraud <[email protected]>
Date:   Wed Apr 1 11:44:15 2026 +0200

    media: mtk-jpeg: cancel workqueue on release for supported platforms only
    
    commit b1845a227fda37b2fe5327df3ca0015d7e290235 upstream.
    
    Since a recent fix the mtk_jpeg_release function cancels any pending
    or running work present in the driver workqueue using
    cancel_work_sync function.
    Currently, only the multicore based variants use this workqueue and they
    have the jpeg_worker platform data field initialized with a workqueue
    callback function. For the others, this field value remain NULL by
    default.
    The cancel_work_sync function is unconditionally called in
    mtk_jpeg_release function, even for the variants that do not use the
    workqueue. This call generates a WARN_ON print in __flush_work because
    the workqueue callback function presence check fails in __flush_work
    function (used by cancel_work_sync).
    
    So, to avoid these warnings, call cancel_work_sync only if a workqueue
    callback is defined in platform data.
    
    Fixes: 34c519feef3e ("media: mtk-jpeg: fix use-after-free in release path due to uncancelled work")
    Cc: [email protected]
    Signed-off-by: Louis-Alexis Eyraud <[email protected]>
    Reviewed-by: Nicolas Dufresne <[email protected]>
    Signed-off-by: Nicolas Dufresne <[email protected]>
    Signed-off-by: Hans Verkuil <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

media: staging: ipu3-imgu: Add range check for imgu_css_cfg_acc_stripe [+ + +]
Author: Ricardo Ribalda <[email protected]>
Date:   Thu May 7 20:58:10 2026 +0000

    media: staging: ipu3-imgu: Add range check for imgu_css_cfg_acc_stripe
    
    commit c32fe4c4918c9aa49f61359e3b42619c4d8686de upstream.
    
    If the driver's stripe information is invalid it can result in an integer
    underflow. Add a range check to avoid this kind of error.
    
    This patch fixes the following smatch error:
    drivers/staging/media/ipu3/ipu3-css-params.c:1792 imgu_css_cfg_acc_stripe() warn: 'acc->stripe.bds_out_stripes[0]->width - 2 * f' 4294967168 can't fit into 65535 'acc->stripe.bds_out_stripes[1]->offset'
    
    Cc: [email protected]
    Fixes: e11110a5b744 ("media: staging/intel-ipu3: css: Compute and program ccs")
    Signed-off-by: Ricardo Ribalda <[email protected]>
    Signed-off-by: Hans Verkuil <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
mfd: cros_ec: Delay dev_set_drvdata() until probe success [+ + +]
Author: Andrei Kuchynski <[email protected]>
Date:   Mon Apr 27 13:17:21 2026 +0000

    mfd: cros_ec: Delay dev_set_drvdata() until probe success
    
    commit 8b2c1d41bc36c100b38ce5ee6def246c527eaf8a upstream.
    
    If ec_device_probe() fails, cros_ec_class_release releases memory for the
    cros_ec_dev structure. However, because the drvdata was already set,
    sub-drivers like cros_ec_typec can still retrieve the stale pointer via the
    platform device. This leads to a use-after-free when cros_ec_typec attempts
    to access &typec->ec->ec->dev on a device that has already been released.
    Move dev_set_drvdata() to ensure that the pointer is only made available
    once all initialization steps have succeeded.
    
     sysfs: cannot create duplicate filename '/class/chromeos/cros_ec'
     Call trace:
      sysfs_do_create_link_sd+0x94/0xdc
      sysfs_create_link+0x30/0x44
      device_add_class_symlinks+0x90/0x13c
      device_add+0xf0/0x50c
      ec_device_probe+0x150/0x4f0
      platform_probe+0xa0/0xe0
     ...
     BUG: KASAN: invalid-access in __memcpy+0x44/0x230
     Write at addr f5ffff809e2d33ac by task kworker/u32:5/125
     Pointer tag: [f5], memory tag: [fe]
     Tainted : [W]=WARN, [O]=OOT_MODULE
     Hardware name: Google Navi unprovisioned 0x7FFFFFFF/sku0 board/sku3
     Workqueue: events_unbound deferred_probe_work_func
     Call trace:
      __memcpy+0x44/0x230
      cros_ec_check_features+0x60/0xcc [cros_ec_proto]
      cros_typec_probe+0xe8/0x6e0 [cros_ec_typec]
      platform_probe+0xa0/0xe0
    
    Cc: [email protected]
    Fixes: 1c1d152cc5ac ("platform/chrome: cros_ec_dev - utilize new cdev_device_add helper function")
    Co-developed-by: Sergey Senozhatsky <[email protected]>
    Signed-off-by: Sergey Senozhatsky <[email protected]>
    Signed-off-by: Andrei Kuchynski <[email protected]>
    Reviewed-by: Benson Leung <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Lee Jones <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
mm/damon/ops-common: handle extreme intervals in damon_hot_score() [+ + +]
Author: SeongJae Park <[email protected]>
Date:   Tue Jun 23 06:58:31 2026 -0700

    mm/damon/ops-common: handle extreme intervals in damon_hot_score()
    
    commit 35d4a3cf70a855b50e53189ac2f8463e20a02046 upstream.
    
    Fix three issues in damon_hot_score() that comes from wrong handling of
    extreme (zero or too high) monitoring intervals user setup.
    
    When the user sets sampling interval zero, damon_max_nr_accesses(), which
    is called from damon_hot_score(), causes a divide-by-zero.  Needless to
    say, it is a problem.
    
    When the user sets the aggregation interval zero, the function returns
    zero.  It is wrong, since the real maximum nr_acceses in the setup should
    be one.  Worse yet, it can cause another divide-by-zero from its caller,
    damon_hot_score(), since it uses damon_max_nr_accesses() return value as a
    denominator.
    
    When the user sets the aggregation interval very high, damon_hot_score()
    could return a value out of [0, DAMOS_MAX_SCORE] range.  Since the return
    value is used as an index to the regions_score_histogram array, which is
    DAMOS_MAX_SCORE+1 size, it causes out of bounds array access.
    
    The issues can be relatively easily reproduced like below.  The sysfs
    write permission is required, though.
    
        # ./damo start --damos_action lru_prio --damos_quota_space 100M \
                --damos_quota_interval 1s
        # cd /sys/kernel/mm/damon/admin/kdamonds/0
        # echo 0 > contexts/0/monitoring_attrs/intervals/sample_us
        # echo 0 > contexts/0/monitoring_attrs/intervals/aggr_us
        # echo commit > state
        # dmesg
        [...]
        [  131.329762] Oops: divide error: 0000 [#1] SMP NOPTI
        [...]
        [  131.336089] RIP: 0010:damon_hot_score+0x27/0xd0
        [...]
    
    Fix the divide-by-zero intervals problems by explicitly handling the zero
    intervals in damon_max_nr_accesses().  Fix the out-of-bound array access
    by applying [0, DAMOS_MAX_SCORE] bounds before returning from
    damon_hot_score().
    
    The issue was discovered [1] by Sashiko.
    
    Link: https://lore.kernel.org/[email protected]
    Link: https://lore.kernel.org/[email protected] [1]
    Fixes: 198f0f4c58b9 ("mm/damon/vaddr,paddr: support pageout prioritization")
    Signed-off-by: SeongJae Park <[email protected]>
    Cc: <[email protected]> # 5.16.x
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
mm/khugepaged: write all dirty file folios when collapsing [+ + +]
Author: Pedro Falcato <[email protected]>
Date:   Wed Jul 8 16:13:57 2026 +0100

    mm/khugepaged: write all dirty file folios when collapsing
    
    [There is no upstream commit, as this code was removed by upstream
     commit 044925f9b565 ("mm: fs: remove filemap_nr_thps*() functions and their users")]
    
    As-is, khugepaged and writable-file opening exclude each other. A file
    cannot be open writeable and have THPs (because the filesystem is not aware
    of them). khugepaged will never collapse file pages for files that are
    opened writeable. On an open(O_RDWR/O_WRONLY), the page cache for that
    particular file is dropped. This is fine because nothing could've been
    dirtied.
    
    However, there is an edge-case: collapse_file() might not be able to
    coexist with concurrent writers, but it can coexist with dirty folios
    (from previous writers). Therefore, the following can happen:
    
    open(file, O_RDWR)
    write(file)
    close(file)
    madvise(file_mapping, MADV_COLLAPSE, some non-dirty range)
    open(file, O_RDWR)
     nr_thps > 0
      truncate_inode_pages()
        /* THPs are cleared out, but so are the dirty folios */
    
    When this edge-case happens, there is data loss, as the dirty folios are
    fully discarded.
    
    Fix it by fully writing back the page cache (and waiting) when collapsing
    file THPs. Doing so provides the guarantee that no dirty folio will be
    observed while there are active THPs. To fully ensure this is safe, the
    invalidate_lock needs to be held while doing the writeout, so that
    do_dentry_open()'s page cache truncation excludes this write-and-wait.
    
    As a side effect, move the nr_thps counter bumping outside the i_pages
    lock. This is correct since the counter itself is an atomic_t and the
    producer <-> consumer correctness is provided by a full memory barrier:
    smp_mb() in collapse_file()/memory barrier implied by full ordering in
    get_write_access() -> atomic_inc_unless_negative().
    
    Cc: [email protected]
    Cc: Alexander Viro <[email protected]>
    Cc: Christian Brauner <[email protected]>
    Cc: Jan Kara <[email protected]>
    Cc: Matthew Wilcox <[email protected]>
    Cc: Song Liu <[email protected]>
    Cc: Eric Hagberg <[email protected]>
    Cc: Zi Yan <[email protected]>
    Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS")
    Reported-by: Gregg Leventhal <[email protected]>
    Closes: https://lore.kernel.org/linux-mm/CAFN_u7H_0ECF3jixP=T=U7AH5=Q3wQNvJMo8an3VqUDMerQfUw@mail.gmail.com/
    Tested-by: Zi Yan <[email protected]>
    Tested-by: Lance Yang <[email protected]>
    Signed-off-by: Pedro Falcato <[email protected]>
    Acked-by: David Hildenbrand (Arm) <[email protected]>
    Reviewed-by: Matthew Wilcox (Oracle) <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
mm/shrinker: do not hold RCU lock in shrinker_debugfs_count_show() [+ + +]
Author: Shakeel Butt <[email protected]>
Date:   Wed Jun 10 16:20:48 2026 -0700

    mm/shrinker: do not hold RCU lock in shrinker_debugfs_count_show()
    
    commit b902890c62d200b3509cb5e09cf1e0a66553c128 upstream.
    
    Reading the debugfs "count" file of a memcg-aware shrinker can sleep
    inside an RCU read-side critical section:
    
      BUG: sleeping function called from invalid context at kernel/cgroup/rstat.c:421
      RCU nest depth: 1, expected: 0
       css_rstat_flush
       mem_cgroup_flush_stats
       zswap_shrinker_count
       shrinker_debugfs_count_show
    
    shrinker_debugfs_count_show() invokes the ->count_objects() callback under
    rcu_read_lock().  The zswap callback flushes memcg stats via
    css_rstat_flush(), which may sleep, so it must not run under RCU.
    
    The RCU lock is not needed here.  mem_cgroup_iter() takes RCU internally
    and returns a memcg holding a css reference (dropped on the next iteration
    or by mem_cgroup_iter_break()), so the memcg stays alive without it.  The
    shrinker is kept alive by the open debugfs file: shrinker_free() removes
    the debugfs entries via debugfs_remove_recursive(), which waits for
    in-flight readers to drain, before call_rcu(..., shrinker_free_rcu_cb).
    The sibling "scan" handler already invokes the sleeping ->scan_objects()
    callback with no RCU section.
    
    Drop the rcu_read_lock()/rcu_read_unlock().
    
    Link: https://lore.kernel.org/[email protected]
    Fixes: 5035ebc644ae ("mm: shrinkers: introduce debugfs interface for memory shrinkers")
    Signed-off-by: Shakeel Butt <[email protected]>
    Reported-by: Zenghui Yu <[email protected]>
    Closes: https://lore.kernel.org/all/[email protected]/
    Suggested-by: Nhat Pham <[email protected]>
    Reviewed-by: SeongJae Park <[email protected]>
    Reviewed-by: Qi Zheng <[email protected]>
    Tested-by: Zenghui Yu (Huawei) <[email protected]>
    Reviewed-by: Nhat Pham <[email protected]>
    Acked-by: Muchun Song <[email protected]>
    Reviewed-by: Roman Gushchin <[email protected]>
    Cc: Dave Chinner <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
mm/slab: do not limit zeroing to orig_size when only red zoning is enabled [+ + +]
Author: Vlastimil Babka (SUSE) <[email protected]>
Date:   Wed Jun 10 17:40:03 2026 +0200

    mm/slab: do not limit zeroing to orig_size when only red zoning is enabled
    
    commit 648927ceb84021a25a0fbd5673740956f318d534 upstream.
    
    When init (zeroing) on allocation is requested, for kmalloc() we
    generally have to zero the full object size even if a smaller size is
    requested, in order to provide krealloc()'s __GFP_ZERO guarantees.
    
    But if we track the requested size, krealloc() uses that information to
    do the right thing, so we can zero only the requested size. With red
    zoning also enabled, any extra size became part of the red zone, so it
    must not be zeroed and thus we must zero only the requested size.
    
    However the current check is imprecise, and will trigger also when only
    SLAB_RED_ZONE is enabled without SLAB_STORE_USER (which enables tracking
    the requested size). This means enabling red zoning alone can compromise
    krealloc()'s __GFP_ZERO contract.
    
    Fix this by using slub_debug_orig_size() instead, which is the exact
    check for whether the requested size is tracked. We don't need to care
    if red zoning is also enabled or not. Also update and expand the
    comment accordingly.
    
    Fixes: 9ce67395f5a0 ("mm/slub: only zero requested size of buffer for kzalloc when debug enabled")
    Cc: [email protected]
    Link: https://patch.msgid.link/[email protected]
    Reviewed-by: Harry Yoo (Oracle) <[email protected]>
    Reviewed-by: Hao Li <[email protected]>
    Signed-off-by: Vlastimil Babka (SUSE) <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
mm/swap: add cond_resched() in swap_reclaim_full_clusters to prevent softlockup [+ + +]
Author: Zijiang Huang <[email protected]>
Date:   Wed May 6 21:09:19 2026 +0800

    mm/swap: add cond_resched() in swap_reclaim_full_clusters to prevent softlockup
    
    commit 66366d291f666ddeda5f8c84f253e308de3e6b55 upstream.
    
    We hit a real softlockup in an internal stress test environment.  The
    workload was LTP memory/swap stress on a large arm64 machine, with 320
    CPUs, about 1TB memory and an 8.6GB swap device.  The system was under
    heavy load and the swap device had a large number of full clusters.  The
    softlockup was triggered during a stress test after about 3 days.
    
    So, add periodic cond_resched() calls during large full_clusters
    reclaim operations to prevent softlockup issues.
    
    Detailed call trace as follow:
    
    PID: 3817773  TASK: ffff0883bb28b780  CPU: 48   COMMAND: "kworker/48:7"
       #0 [ffff800080183d10] __crash_kexec at ffffa4c1361e5de4
       #1 [ffff800080183d90] panic at ffffa4c1360d5e9c
       #2 [ffff800080183e20] watchdog_timer_fn at ffffa4c136231fa8
       ...
      #16 [ffff8000c4ad3cb0] swap_cache_del_folio at ffffa4c1363e1614
      #17 [ffff8000c4ad3ce0] __try_to_reclaim_swap at ffffa4c1363e4bfc
      #18 [ffff8000c4ad3d40] swap_reclaim_full_clusters at ffffa4c1363e5474
      #19 [ffff8000c4ad3da0] swap_reclaim_work at ffffa4c1363e550c
      #20 [ffff8000c4ad3dc0] process_one_work at ffffa4c136102edc
      #21 [ffff8000c4ad3e10] worker_thread at ffffa4c136103398
      #22 [ffff8000c4ad3e70] kthread at ffffa4c13610d95c
    
    Link: https://lore.kernel.org/[email protected]
    Fixes: 5168a68eb78f ("mm, swap: avoid over reclaim of full clusters")
    Signed-off-by: Zijiang Huang <[email protected]>
    Reviewed-by: Kairui Song <[email protected]>
    Reviewed-by: Hao Peng <[email protected]>
    Reviewed-by: albinwyang <[email protected]>
    Reviewed-by: Baoquan He <[email protected]>
    Acked-by: Chris Li <[email protected]>
    Cc: Barry Song <[email protected]>
    Cc: Kairui Song <[email protected]>
    Cc: Kemeng Shi <[email protected]>
    Cc: Nhat Pham <[email protected]>
    Cc: Youngjun Park <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
mm/vmalloc: take vmap_purge_lock in shrinker [+ + +]
Author: Uladzislau Rezki (Sony) <[email protected]>
Date:   Fri May 8 15:10:50 2026 -0400

    mm/vmalloc: take vmap_purge_lock in shrinker
    
    [ Upstream commit ec05f51f1e65bce95528543eb73fda56fd201d94 ]
    
    decay_va_pool_node() can be invoked concurrently from two paths:
    __purge_vmap_area_lazy() when pools are being purged, and the shrinker via
    vmap_node_shrink_scan().
    
    However, decay_va_pool_node() is not safe to run concurrently, and the
    shrinker path currently lacks serialization, leading to races and possible
    leaks.
    
    Protect decay_va_pool_node() by taking vmap_purge_lock in the shrinker
    path to ensure serialization with purge users.
    
    Link: https://lore.kernel.org/[email protected]
    Fixes: 7679ba6b36db ("mm: vmalloc: add a shrinker to drain vmap pools")
    Signed-off-by: Uladzislau Rezki (Sony) <[email protected]>
    Reviewed-by: Baoquan He <[email protected]>
    Cc: chenyichong <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    [ kept index-based loop instead of for_each_vmap_node() helper ]
    Signed-off-by: Sasha Levin <[email protected]>

 
mm: do file ownership checks with the proper mount idmap [+ + +]
Author: Pedro Falcato <[email protected]>
Date:   Thu Jun 25 16:38:53 2026 +0100

    mm: do file ownership checks with the proper mount idmap
    
    commit e187bc02f8fa4226d62814592cf064ee4557c470 upstream.
    
    Ever since idmapped mounts were introduced, inode ownership checks (for
    side-channel protection) in mincore() and madvise(MADV_PAGEOUT) were done
    against the nop_mnt_idmap, which completely ignores the file's mount's
    idmap.  This results in odd edgecases like:
    
    1) mount/bind-mount with an idmap userA:userB:1
    2) userB runs an owner_or_capable() check on file that is owned by userA
    on-disk/in-memory, but owned by userB after idmap translation
    3) owner_or_capable() mysteriously fails as the correct idmap wasn't supplied
    
    In the case of mincore/madvise MADV_PAGEOUT, this is usually benign,
    because file_permission(file, MAY_WRITE) will probably succeed, as it uses
    the proper idmap internally, but it does not need to be the case on e.g a
    0444 file where even the owner itself doesn't have permissions to write to
    it.
    
    Since this is clearly not trivial to get right, introduce a
    file_owner_or_capable() that can carry the correct semantics, and switch
    the various users in mm to it.
    
    The issue was found by manual code inspection & an off-list discussion
    with Jan Kara.
    
    Link: https://lore.kernel.org/[email protected]
    Fixes: 9caccd41541a ("fs: introduce MOUNT_ATTR_IDMAP")
    Signed-off-by: Pedro Falcato <[email protected]>
    Reviewed-by: Jan Kara <[email protected]>
    Reviewed-by: Christian Brauner (Amutable) <[email protected]>
    Acked-by: David Hildenbrand (Arm) <[email protected]>
    Cc: Al Viro <[email protected]>
    Cc: Jann Horn <[email protected]>
    Cc: Liam R. Howlett <[email protected]>
    Cc: Matthew Wilcox (Oracle) <[email protected]>
    Cc: Vlastimil Babka <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

mm: fix mmap errno value when MAP_DROPPABLE is not supported [+ + +]
Author: Anthony Yznaga <[email protected]>
Date:   Wed Apr 15 20:39:37 2026 -0700

    mm: fix mmap errno value when MAP_DROPPABLE is not supported
    
    commit d86c9e971af2315119a78c564a802fafcebf1b6b upstream.
    
    Patch series "fix MAP_DROPPABLE not supported errno", v4.
    
    Mark Brown reported seeing a regression in -next on 32 bit arm with the
    mlock selftests.  Before exiting and marking the tests failed, the
    following message was logged after an attempt to create a MAP_DROPPABLE
    mapping:
    
    Bail out! mmap error: Unknown error 524
    
    It turns out error 524 is ENOTSUPP which is an error that userspace is not
    supposed to see, but it indicates in this instance that MAP_DROPPABLE is
    not supported.
    
    The first patch changes the errno returned to EOPNOTSUPP.  The second
    patch is a second version of a prior patch to introduce selftests to
    verify locking behavior with droppable mappings with the additional change
    to skip the tests when MAP_DROPPABLE is not supported.  The third patch
    fixes the MAP_DROPPABLE selftest so that it is run by the framework and
    skips if MAP_DROPPABLE is not supported.
    
    
    This patch (of 3):
    
    On configs where MAP_DROPPABLE is not supported (currently any 32-bit
    config except for PPC32), mmap fails with errno set to ENOTSUPP.  However,
    ENOTSUPP is not a standard error value that userspace knows about.  The
    acceptable userspace-visible errno to use is EOPNOTSUPP.  checkpatch.pl
    has a warning to this effect.
    
    Link: https://lore.kernel.org/[email protected]
    Link: https://lore.kernel.org/[email protected]
    Fixes: 9651fcedf7b9 ("mm: add MAP_DROPPABLE for designating always lazily freeable mappings")
    Signed-off-by: Anthony Yznaga <[email protected]>
    Acked-by: David Hildenbrand (Arm) <[email protected]>
    Acked-by: Vlastimil Babka (SUSE) <[email protected]>
    Reported-by: Mark Brown <[email protected]>
    Reviewed-by: Pedro Falcato <[email protected]>
    Reviewed-by: Lorenzo Stoakes (Oracle) <[email protected]>
    Cc: Jann Horn <[email protected]>
    Cc: Jason A. Donenfeld <[email protected]>
    Cc: Liam Howlett <[email protected]>
    Cc: Michal Hocko <[email protected]>
    Cc: Mike Rapoport <[email protected]>
    Cc: Shuah Khan <[email protected]>
    Cc: Suren Baghdasaryan <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

mm: shrinker: fix NULL pointer dereference in debugfs [+ + +]
Author: Qi Zheng <[email protected]>
Date:   Wed Jun 17 17:00:52 2026 +0800

    mm: shrinker: fix NULL pointer dereference in debugfs
    
    commit e30453c61e185e914fde83c650e268067b140218 upstream.
    
    shrinker_debugfs_add() creates both "count" and "scan" debugfs files
    unconditionally.
    
    That assumes every shrinker implements both count_objects() and
    scan_objects(), which is not guaranteed.  For example, the xen-backend
    shrinker sets count_objects() but leaves scan_objects() NULL, so writing
    to its scan file calls through a NULL function pointer and panics the
    kernel:
    
    BUG: kernel NULL pointer dereference, address: 0000000000000000
    RIP: 0010:0x0
    Code: Unable to access opcode bytes at 0xffffffffffffffd6.
    Call Trace:
     <TASK>
     shrinker_debugfs_scan_write+0x12e/0x270
     full_proxy_write+0x5f/0x90
     vfs_write+0xde/0x420
     ? filp_flush+0x75/0x90
     ? filp_close+0x1d/0x30
     ? do_dup2+0xb8/0x120
     ksys_write+0x68/0xf0
     ? filp_flush+0x75/0x90
     do_syscall_64+0xb3/0x5b0
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
    
    The count path has the same issue in principle if a shrinker omits
    count_objects().
    
    To fix it, only create "count" and "scan" debugfs files when the
    corresponding callbacks are present.
    
    Link: https://lore.kernel.org/[email protected]
    Fixes: bbf535fd6f06 ("mm: shrinkers: add scan interface for shrinker debugfs")
    Signed-off-by: Qi Zheng <[email protected]>
    Reviewed-by: Muchun Song <[email protected]>
    Cc: Dave Chinner <[email protected]>
    Cc: Qi Zheng <[email protected]>
    Cc: Roman Gushchin <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

mm: shrinker: fix shrinker_info teardown race with expansion [+ + +]
Author: Qi Zheng <[email protected]>
Date:   Wed Jun 17 16:56:58 2026 +0800

    mm: shrinker: fix shrinker_info teardown race with expansion
    
    commit 65476d31d8056e859c48580f82295ce159196ffe upstream.
    
    expand_shrinker_info() iterates all visible memcgs under shrinker_mutex,
    including memcgs that have not finished ->css_online() yet.
    
    Once pn->shrinker_info has been published, teardown must stay serialized
    with expand_shrinker_info() until that memcg is either fully online or no
    longer visible to iteration.  Today alloc_shrinker_info() breaks that rule
    by dropping shrinker_mutex before freeing a partially initialized
    shrinker_info array, which may cause the following race:
    
    CPU0                   CPU1
    ====                   ====
    
    css_create
    --> list_add_tail_rcu(&css->sibling, &parent_css->children);
        online_css
        --> mem_cgroup_css_online
            --> alloc_shrinker_info
                --> alloc node0 info
                    rcu_assign_pointer(C->node0->shrinker_info, old0)
                    alloc node1 info -> FAIL -> goto err
                    mutex_unlock(shrinker_mutex)
    
                           shrinker_alloc()
                           --> shrinker_memcg_alloc
                               --> mutex_lock(shrinker_mutex)
                                   expand_shrinker_info
                                   --> mem_cgroup_iter see the memcg
                                       expand_one_shrinker_info
                                       --> old0 = C->node0->shrinker_info
                                           memcpy(new->unit, old0->unit, ...);
    
                    free_shrinker_info
                    --> kvfree(old0);
    
                                           /* double free !! */
                                           kvfree_rcu(old0, rcu);
    
    The same problem exists later in mem_cgroup_css_online().  If
    alloc_shrinker_info() succeeds but a subsequent objcg allocation fails,
    the free_objcg -> free_shrinker_info() unwind path tears down the already
    published pn->shrinker_info arrays without shrinker_mutex.  The
    expand_one_shrinker_info() can race with that teardown in the same way,
    leading to use-after-free or double-free of the old shrinker_info.
    
    Fix this by serializing shrinker_info teardown with shrinker_mutex, and by
    keeping alloc_shrinker_info() error cleanup inside the locked section.
    
    Link: https://lore.kernel.org/[email protected]
    Fixes: 307bececcd12 ("mm: shrinker: add a secondary array for shrinker_info::{map, nr_deferred}")
    Signed-off-by: Qi Zheng <[email protected]>
    Acked-by: Muchun Song <[email protected]>
    Cc: Dave Chinner <[email protected]>
    Cc: Qi Zheng <[email protected]>
    Cc: Roman Gushchin <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
module: decompress: check return value of module_extend_max_pages() [+ + +]
Author: Andrii Kuchmenko <[email protected]>
Date:   Mon May 18 17:32:33 2026 +0300

    module: decompress: check return value of module_extend_max_pages()
    
    commit 786d2d84416a9a1c1a47b71a68d679d886284be2 upstream.
    
    module_extend_max_pages() calls kvrealloc() internally and returns
    -ENOMEM on allocation failure. The return value is never checked.
    
    If the initial allocation fails, info->pages remains NULL and
    info->max_pages remains 0. Subsequent calls to module_get_next_page()
    will attempt to dynamically grow the array by calling
    module_extend_max_pages(info, 0) since info->used_pages is 0. This
    results in kvrealloc(NULL, 0) returning ZERO_SIZE_PTR, which is treated
    as a success, leading to a dereference of ZERO_SIZE_PTR and a kernel
    oops.
    
    Fix: add the missing error check after module_extend_max_pages() and
    return immediately on failure. This matches the pattern used by every
    other kvrealloc() caller in the module loading path.
    
    Fixes: b1ae6dc41eaa ("module: add in-kernel support for decompressing")
    Cc: Dmitry Torokhov <[email protected]>
    Cc: Luis Chamberlain <[email protected]>
    Cc: [email protected]
    Signed-off-by: Andrii Kuchmenko <[email protected]>
    Reviewed-by: Christophe Leroy (CS GROUP) <[email protected]>
    [Sami: Corrected the analysis in the commit message.]
    Signed-off-by: Sami Tolvanen <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
net: af_key: initialize alg_key_len for IPComp states [+ + +]
Author: Zijing Yin <[email protected]>
Date:   Mon Jun 8 07:44:41 2026 -0700

    net: af_key: initialize alg_key_len for IPComp states
    
    commit d129c3177d7b1138fd5066fcc63a698b3ba415b0 upstream.
    
    pfkey_msg2xfrm_state() handles the IPComp (SADB_X_SATYPE_IPCOMP) case by
    allocating x->calg and copying only the algorithm name:
    
            x->calg = kmalloc_obj(*x->calg);
            if (!x->calg) {
                    err = -ENOMEM;
                    goto out;
            }
            strcpy(x->calg->alg_name, a->name);
            x->props.calgo = sa->sadb_sa_encrypt;
    
    Unlike the authentication (x->aalg) and encryption (x->ealg) branches of
    the same function, the compression branch never initializes
    calg->alg_key_len.  IPComp carries no key and the allocation only
    reserves sizeof(struct xfrm_algo) (i.e. no room for a key), so the field
    is left containing uninitialized slab data.
    
    calg->alg_key_len is later used as a length by xfrm_algo_clone() when an
    IPComp state is cloned during XFRM_MSG_MIGRATE:
    
            xfrm_state_migrate()
              xfrm_state_clone_and_setup()
                x->calg = xfrm_algo_clone(orig->calg);
                  kmemdup(orig, xfrm_alg_len(orig));
    
    where xfrm_alg_len() returns sizeof(*alg) + (alg_key_len + 7) / 8.  With
    a non-zero garbage alg_key_len, kmemdup() reads past the end of the
    68-byte calg object.  Adding an IPComp SA via PF_KEY and then migrating
    it triggers (net-next, KASAN, init_on_alloc=0):
    
      BUG: KASAN: slab-out-of-bounds in kmemdup_noprof+0x44/0x60
      Read of size 4164 at addr ff11000025a74980 by task diag2/9287
      CPU: 3 UID: 0 PID: 9287 Comm: diag2 7.1.0-rc6-g903db046d557 #1
      Call Trace:
       <TASK>
       dump_stack_lvl+0x10e/0x1f0
       print_report+0xf7/0x600
       kasan_report+0xe4/0x120
       kasan_check_range+0x105/0x1b0
       __asan_memcpy+0x23/0x60
       kmemdup_noprof+0x44/0x60
       xfrm_state_migrate+0x70a/0x1da0
       xfrm_migrate+0x753/0x18a0
       xfrm_do_migrate+0xb47/0xf10
       xfrm_user_rcv_msg+0x411/0xb50
       netlink_rcv_skb+0x158/0x420
       xfrm_netlink_rcv+0x71/0x90
       netlink_unicast+0x584/0x850
       netlink_sendmsg+0x8b0/0xdc0
       ____sys_sendmsg+0x9f7/0xb90
       ___sys_sendmsg+0x134/0x1d0
       __sys_sendmsg+0x16d/0x220
       do_syscall_64+0x116/0x7d0
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
       </TASK>
    
      Allocated by task 9287:
       kasan_save_stack+0x33/0x60
       kasan_save_track+0x14/0x30
       __kasan_kmalloc+0xaa/0xb0
       pfkey_add+0x2652/0x2ea0
       pfkey_process+0x6d0/0x830
       pfkey_sendmsg+0x42c/0x850
       __sys_sendto+0x461/0x4b0
       __x64_sys_sendto+0xe0/0x1c0
       do_syscall_64+0x116/0x7d0
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
      The buggy address belongs to the object at ff11000025a74980
       which belongs to the cache kmalloc-96 of size 96
      The buggy address is located 0 bytes inside of
       allocated 68-byte region [ff11000025a74980, ff11000025a749c4)
    
    Depending on the uninitialized value the same field can instead request
    an oversized kmemdup() allocation and make the migration clone fail.
    
    The XFRM netlink path is not affected: verify_one_alg() rejects an
    XFRMA_ALG_COMP attribute shorter than xfrm_alg_len(), so a calg added via
    XFRM_MSG_NEWSA is always self-consistent.
    
    Initialize calg->alg_key_len to 0, matching the aalg/ealg branches.
    
    Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
    Cc: [email protected]
    Signed-off-by: Zijing Yin <[email protected]>
    Reviewed-by: Sabrina Dubroca <[email protected]>
    Signed-off-by: Steffen Klassert <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

net: ipv4: bound TCP reordering sysctl writes and MTU probe sizes [+ + +]
Author: Wyatt Feng <[email protected]>
Date:   Mon Jun 15 18:31:18 2026 +0800

    net: ipv4: bound TCP reordering sysctl writes and MTU probe sizes
    
    commit efb8763d7bbb40cff4cc55a6b62c3095a038149c upstream.
    
    Reject invalid `net.ipv4.tcp_reordering` values before they reach TCP
    socket state. The sysctl is stored as an `int` but copied into the
    `u32` `tp->reordering` field for new sockets, so negative writes wrap
    to large values.
    
    With `tcp_mtu_probing=2`, the wrapped value can overflow the
    `tcp_mtu_probe()` size calculation and drive the MTU probing path into
    an out-of-bounds read. Route `tcp_reordering` writes through
    `proc_dointvec_minmax()` and require it to be at least 1. Also require
    `tcp_max_reordering` to be at least 1 so the configured maximum cannot
    become negative either.
    
    When registering the table for a non-init network namespace, relocate
    `extra2` pointers that refer into `init_net.ipv4` so the
    `tcp_reordering` upper bound follows that namespace's
    `tcp_max_reordering`.
    
    Harden `tcp_mtu_probe()` itself by computing `size_needed` as `u64`.
    This keeps the send queue and window checks from being bypassed through
    signed integer overflow.
    
    Fixes: 91cc17c0e5e5 ("[TCP]: MTUprobe: receiver window & data available checks fixed")
    Cc: [email protected]
    Reported-by: Yuan Tan <[email protected]>
    Reported-by: Zhengchuan Liang <[email protected]>
    Reported-by: Xin Liu <[email protected]>
    Suggested-by: Eric Dumazet <[email protected]>
    Signed-off-by: Wyatt Feng <[email protected]>
    Signed-off-by: Ren Wei <[email protected]>
    Reviewed-by: Eric Dumazet <[email protected]>
    Link: https://patch.msgid.link/1a5b7e1ef4d70fbad8c8ee0b82d8405f3c964a3d.1781395200.git.bronzed_45_vested@icloud.com
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

net: usb: kalmia: bound RX frame length in kalmia_rx_fixup() [+ + +]
Author: Maoyi Xie <[email protected]>
Date:   Mon Jun 22 16:01:57 2026 +0800

    net: usb: kalmia: bound RX frame length in kalmia_rx_fixup()
    
    commit 47b6bcef6e679593d2e86e04ee72c46a4e2f7139 upstream.
    
    kalmia_rx_fixup() computes usb_packet_length = skb->len - (2 *
    KALMIA_HEADER_LENGTH) as a u16, guarded only by a pre-loop check that
    skb->len is at least KALMIA_HEADER_LENGTH, which is 6. A device can
    deliver a short bulk-IN frame with skb->len in the 6 to 11 range, or
    leave a short trailing remainder on a later loop iteration. Either case
    underflows usb_packet_length to about 65530.
    
    That bypasses the usb_packet_length < ether_packet_length truncation path.
    The device-supplied ether_packet_length, a le16 up to 65535 read from
    header_start[2], then drives a memcmp() and the following skb_trim() and
    skb_pull() past the end of the rx buffer. The rx buffer is hard_mtu * 10,
    which is 14000 bytes. That is an out of bounds read.
    
    Require both the start and end framing headers to be present before
    subtracting them, on every loop iteration.
    
    Fixes: d40261236e8e ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730")
    Cc: [email protected]
    Signed-off-by: Maoyi Xie <[email protected]>
    Reviewed-by: Andrew Lunn <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
netfilter: ctnetlink: use nf_ct_exp_net() in expectation dump [+ + +]
Author: Pratham Gupta <[email protected]>
Date:   Mon May 4 22:11:57 2026 -0700

    netfilter: ctnetlink: use nf_ct_exp_net() in expectation dump
    
    commit a7f57320bbbc67e347bf5fff4b4a9bab980d5956 upstream.
    
    Commit 02a3231b6d82 ("netfilter: nf_conntrack_expect: store netns and zone in expectation")
    introduced exp->net so RCU-only expectation paths no longer need to
    dereference exp->master for netns lookups.
    
    Commit 3db5647984de ("netfilter: nf_conntrack_expect: skip expectations in other netns via proc")
    updated the proc path accordingly, but ctnetlink_exp_dump_table() still
    compares against nf_ct_net(exp->master).
    
    Use nf_ct_exp_net(exp) here as well so the netlink dump path matches
    the rest of the March 2026 expectation netns/RCU cleanup.
    
    Fixes: 02a3231b6d82 ("netfilter: nf_conntrack_expect: store netns and zone in expectation")
    Cc: [email protected]
    Signed-off-by: Pratham Gupta <[email protected]>
    Signed-off-by: Florian Westphal <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

netfilter: ebtables: module names must be null-terminated [+ + +]
Author: Florian Westphal <[email protected]>
Date:   Sat Jul 4 12:05:15 2026 +0200

    netfilter: ebtables: module names must be null-terminated
    
    commit 084d23f818321390509e9738a0b08bbf46df6425 upstream.
    
    We need to explicitly check the length, else we may pass non-null
    terminated string to request_module().
    
    Cc: [email protected]
    Fixes: bcf493428840 ("netfilter: ebtables: Fix extension lookup with identical name")
    Signed-off-by: Florian Westphal <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

netfilter: ebtables: terminate table name before find_table_lock() [+ + +]
Author: Xiang Mei <[email protected]>
Date:   Sun Jul 5 14:58:00 2026 -0700

    netfilter: ebtables: terminate table name before find_table_lock()
    
    commit a622d2e9608c9dff47fc2e5759ac7aa3a836b45d upstream.
    
    update_counters() and compat_update_counters() forward a user-supplied
    32-byte table name to find_table_lock() without NUL-terminating it. On a
    lookup miss, find_inlist_lock() calls try_then_request_module(..., "%s%s",
    "ebtable_", name), and vsnprintf() reads past the name field and the
    stack object until it hits a zero byte.
    
      BUG: KASAN: stack-out-of-bounds in string (lib/vsprintf.c:648 lib/vsprintf.c:730)
      Read of size 1 at addr ffff8880119dfb20 by task exploit/147
      Call Trace:
      ...
       string (lib/vsprintf.c:648 lib/vsprintf.c:730)
       vsnprintf (lib/vsprintf.c:2945)
       __request_module (kernel/module/kmod.c:150)
       do_update_counters.isra.0 (net/bridge/netfilter/ebtables.c:371 net/bridge/netfilter/ebtables.c:380)
       update_counters (net/bridge/netfilter/ebtables.c:1440)
       do_ebt_set_ctl (net/bridge/netfilter/ebtables.c:2573)
       nf_setsockopt (net/netfilter/nf_sockopt.c:101)
       ip_setsockopt (net/ipv4/ip_sockglue.c:1424)
       raw_setsockopt (net/ipv4/raw.c:847)
       __sys_setsockopt (net/socket.c:2393)
      ...
    
    compat_do_replace() shares the same unterminated name via
    compat_copy_ebt_replace_from_user(); terminate it there too so all
    find_table_lock() callers behave alike. The other callers already
    terminate the name after the copy.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
    Cc: [email protected]
    Reported-by: Weiming Shi <[email protected]>
    Assisted-by: Claude:claude-opus-4-8
    Signed-off-by: Xiang Mei <[email protected]>
    Signed-off-by: Florian Westphal <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

netfilter: handle unreadable frags [+ + +]
Author: Florian Westphal <[email protected]>
Date:   Sun Jul 5 15:29:13 2026 +0200

    netfilter: handle unreadable frags
    
    commit da5b58478a9c1b85608c9e40a3b8432d071b409e upstream.
    
    sashiko reports:
     When an skb with unreadable fragments (such as from devmem TCP, where
     skb_frags_readable(skb) returns false) is processed by the u32 module,
     skb_copy_bits() will safely return a negative error code [..]
    
    xt_u32: bail out with hotdrop in this case.
    gather_frags: return -1, just as if we had no fragment header.
    nfnetlink_queue: restrict to the linear part.
    nfnetlink_log: restrict to the linear part.
    
    v2:
     - skb_zerocopy helpers don't copy readable flag, i.e. nfnetlink_queue
     is broken too
     xt_u32 shouldn't return true if hotdrop was set.
    
    Fixes: 65249feb6b3d ("net: add support for skbs with unreadable frags")
    Cc: [email protected]
    Acked-by: Mina Almasry <[email protected]>
    Signed-off-by: Florian Westphal <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

netfilter: ipset: fix race between dump and ip_set_list resize [+ + +]
Author: Xiang Mei <[email protected]>
Date:   Wed Jun 24 18:00:06 2026 -0700

    netfilter: ipset: fix race between dump and ip_set_list resize
    
    commit 7cd9103283b26b917360ec99d7d2f2d761bcf1ab upstream.
    
    The release path of ip_set_dump_do() and ip_set_dump_done() read
    inst->ip_set_list via ip_set_ref_netlink(), a plain rcu_dereference_raw()
    of the array pointer. These run from netlink_recvmsg() without the nfnl
    mutex and without an RCU read-side critical section.
    
    A concurrent ip_set_create() can grow the array: it publishes the new
    array, calls synchronize_net() and then kvfree()s the old one. Since the
    dump paths read the array outside any RCU reader, synchronize_net() does
    not wait for them and the old array can be freed while they still index
    into it, causing a use-after-free.
    
    The dumped set itself stays pinned via set->ref_netlink, so only the
    array load needs protecting. Take rcu_read_lock() around it, matching
    ip_set_get_byname() and __ip_set_put_byindex().
    
      BUG: KASAN: slab-use-after-free in ip_set_dump_do (net/netfilter/ipset/ip_set_core.c:1697)
      Read of size 8 at addr ffff88800b5c4018 by task exploit/150
      Call Trace:
       ...
       kasan_report (mm/kasan/report.c:595)
       ip_set_dump_do (net/netfilter/ipset/ip_set_core.c:1697)
       netlink_dump (net/netlink/af_netlink.c:2325)
       netlink_recvmsg (net/netlink/af_netlink.c:1976)
       sock_recvmsg (net/socket.c:1159)
       __sys_recvfrom (net/socket.c:2315)
       ...
      Oops: general protection fault, probably for non-canonical address ... KASAN NOPTI
      KASAN: maybe wild-memory-access in range [0x02d6...d0-0x02d6...d7]
      RIP: 0010:ip_set_dump_do (net/netfilter/ipset/ip_set_core.c:1698)
      Kernel panic - not syncing: Fatal exception
    
    Fixes: 8a02bdd50b2e ("netfilter: ipset: Fix calling ip_set() macro at dumping")
    Cc: [email protected]
    Reported-by: Weiming Shi <[email protected]>
    Assisted-by: Claude:claude-opus-4-8
    Signed-off-by: Xiang Mei <[email protected]>
    Acked-by: Jozsef Kadlecsik <[email protected]>
    Signed-off-by: Florian Westphal <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
netpoll: fix a use-after-free on shutdown path [+ + +]
Author: Breno Leitao <[email protected]>
Date:   Thu Jun 25 05:03:18 2026 -0700

    netpoll: fix a use-after-free on shutdown path
    
    commit 45f1458a85017a023f138b22ac5c76abd477db42 upstream.
    
    There is a use-after-free error on netpoll, which is clearly detected by
    KASAN.
    
          BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0x3b/0x80
          Read of size 1 at addr ... by task kworker/9:1
          Workqueue: events queue_process
          Call Trace:
           skb_dequeue+0x1e/0xb0
           queue_process+0x2c/0x600
           process_scheduled_works+0x4b6/0x850
           worker_thread+0x414/0x5a0
          Allocated by task 242:
           __netpoll_setup+0x201/0x4a0
           netpoll_setup+0x249/0x550
           enabled_store+0x32f/0x380
          Freed by task 0:
           kfree+0x1b7/0x540
           rcu_core+0x3f8/0x7a0
    
    The problem happens when there is a pending TX worker running in
    parallel with the cleanup path.
    
    This is what happens on netpoll shutdown path:
    
    1) __netpoll_cleanup() is called
    2) set dev->npinfo to NULL
    3) call_rcu() with rcu_cleanup_netpoll_info()
      3.1) rcu_cleanup_netpoll_info() tries to cancel all workers with
           cancel_delayed_work(), but doesn't wait for the worker to finish
    4) and kfree(npinfo);
    
    Because 3.1) doesn't really cancel the work, as the comment says "we
    can't call cancel_delayed_work_sync here, as we are in softirq", the TX
    worker can run after 4).
    
    Tl;DR: queue_process() is not an RCU reader, it reaches npinfo through
    the work item via container_of().
    
    Use disable_delayed_work_sync() to ensure the worker is completely
    stopped and prevent any future re-arming attempts. Once npinfo is set
    to NULL, senders will bail out and not queue new work. The disable flag
    ensures any in-flight re-arming attempts also fail silently.
    
    In the future, we can do the cleanup inline here without needing the
    npinfo->rcu rcu_head, but that is net-next material.
    
    Cc: [email protected]
    Fixes: 38e6bc185d95 ("netpoll: make __netpoll_cleanup non-block")
    Reviewed-by: Pavan Chebbi <[email protected]>
    Signed-off-by: Breno Leitao <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
nfs_common: rename functions that invalidate LOCALIO nfs_clients [+ + +]
Author: Mike Snitzer <[email protected]>
Date:   Sat Jul 4 23:11:47 2026 -0400

    nfs_common: rename functions that invalidate LOCALIO nfs_clients
    
    [ Upstream commit b49f049a22227df701bfbca083d6cc859496e615 ]
    
    Rename nfs_uuid_invalidate_one_client to nfs_localio_disable_client.
    Rename nfs_uuid_invalidate_clients to nfs_localio_invalidate_clients.
    
    Signed-off-by: Mike Snitzer <[email protected]>
    Reviewed-by: NeilBrown <[email protected]>
    Reviewed-by: Jeff Layton <[email protected]>
    Signed-off-by: Anna Schumaker <[email protected]>
    Stable-dep-of: 2c6bb3c40bc2 ("NFSv4/flexfiles: reject zero filehandle version count")
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
nfsd: add nfsd_file_{get,put} to 'nfs_to' nfsd_localio_operations [+ + +]
Author: Mike Snitzer <[email protected]>
Date:   Sat Jul 4 23:11:46 2026 -0400

    nfsd: add nfsd_file_{get,put} to 'nfs_to' nfsd_localio_operations
    
    [ Upstream commit a61466315d7afca032342183a57e62d5e3a3157c ]
    
    In later a commit LOCALIO must call both nfsd_file_get and
    nfsd_file_put to manage extra nfsd_file references.
    
    Signed-off-by: Mike Snitzer <[email protected]>
    Reviewed-by: Jeff Layton <[email protected]>
    Acked-by: Chuck Lever <[email protected]>
    Signed-off-by: Anna Schumaker <[email protected]>
    Stable-dep-of: 2c6bb3c40bc2 ("NFSv4/flexfiles: reject zero filehandle version count")
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

nfsd: change nfs4_client_to_reclaim() to allocate data [+ + +]
Author: NeilBrown <[email protected]>
Date:   Mon Sep 8 11:38:33 2025 +1000

    nfsd: change nfs4_client_to_reclaim() to allocate data
    
    [ Upstream commit 4552f4e3f2c96597914f07b060d5c5db84420ddd ]
    
    The calling convention for nfs4_client_to_reclaim() is clumsy in that
    the caller needs to free memory if the function fails.  It is much
    cleaner if the function frees its own memory.
    
    This patch changes nfs4_client_to_reclaim() to re-allocate the .data
    fields to be stored in the newly allocated struct nfs4_client_reclaim,
    and to free everything on failure.
    
    __cld_pipe_inprogress_downcall() needs to allocate the data anyway to
    copy it from user-space, so now that data is allocated twice.  I think
    that is a small price to pay for a cleaner interface.
    
    Signed-off-by: NeilBrown <[email protected]>
    Reviewed-by: Jeff Layton <[email protected]>
    Signed-off-by: Chuck Lever <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

nfsd: fix file change detection in CB_GETATTR [+ + +]
Author: Scott Mayhew <[email protected]>
Date:   Thu Jul 2 16:27:48 2026 -0400

    nfsd: fix file change detection in CB_GETATTR
    
    commit 304d81a2fbf2b454def4debcb38ea173911b72cd upstream.
    
    RFC 8881, section 10.4.3 doesn't say anything about caching the file
    size in the delegation record, nor does it say anything about comparing
    a cached file size with the size reported by the client in the
    CB_GETATTR reply for the purpose of determining if the client holds
    modified data for the file.
    
    What section 10.4.3 of RFC 8881 does say is that the server should
    compare the *current* file size with the size reported by the client
    holding the delegation in the CB_GETATTR reply, and if they differ to
    treat it as a modification regardless of the change attribute retrieved
    via the CB_GETATTR.
    
    Doing otherwise would cause the server to believe the client holding the
    delegation has a modified version of the file, even if the client
    flushed the modifications to the server prior to the CB_GETATTR.  This
    would have the added side effect of subsequent CB_GETATTRs causing
    updates to the mtime, ctime, and change attribute even if the client
    holding the delegation makes no further updates to the file.
    
    Modify nfsd4_deleg_getattr_conflict() to obtain the current file size
    via i_size_read().  Retain the ncf_cur_fsize field, since it's a
    convenient way to return the file size back to nfsd4_encode_fattr4(),
    but don't use it for the purpose of detecting file changes.  Remove the
    unnecessary initialization of ncf_cur_fsize in nfs4_open_delegation().
    
    Also, if we recall the delegation (because the client didn't respond to
    the CB_GETATTR), then skip the logic that checks the nfs4_cb_fattr
    fields.
    
    Fixes: c5967721e106 ("NFSD: handle GETATTR conflict with write delegation")
    Cc: [email protected]
    Signed-off-by: Scott Mayhew <[email protected]>
    Signed-off-by: Chuck Lever <[email protected]>
    [ cel: no deleg_ts in 6.12.y; dropped the now-dead ncf_cur_fsize init ]
    Signed-off-by: Chuck Lever <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

nfsd: move name lookup out of nfsd4_list_rec_dir() [+ + +]
Author: NeilBrown <[email protected]>
Date:   Mon Sep 15 12:55:13 2025 +1000

    nfsd: move name lookup out of nfsd4_list_rec_dir()
    
    [ Upstream commit 89bd77cf436bf25e448817a662ebf76515f22863 ]
    
    nfsd4_list_rec_dir() is called with two different callbacks.
    One of the callbacks uses vfs_rmdir() to remove the directory.
    The other doesn't use the dentry at all, just the name.
    
    As only one callback needs the dentry, this patch moves the lookup into
    that callback.  This prepares of changes to how directory operations
    are locked.
    
    Signed-off-by: NeilBrown <[email protected]>
    Reviewed-by: Jeff Layton <[email protected]>
    Signed-off-by: Chuck Lever <[email protected]>
    Stable-dep-of: 4552f4e3f2c9 ("nfsd: change nfs4_client_to_reclaim() to allocate data")
    Signed-off-by: Sasha Levin <[email protected]>

nfsd: release layout stid on setlease failure [+ + +]
Author: Chris Mason <[email protected]>
Date:   Thu Jul 2 16:27:49 2026 -0400

    nfsd: release layout stid on setlease failure
    
    commit 30d55c8aabb261bc3f427d6b9aae7ef6206063f9 upstream.
    
    nfs4_alloc_stid() publishes the new stid into cl->cl_stateids via
    idr_alloc_cyclic() under cl_lock before returning to
    nfsd4_alloc_layout_stateid(). When nfsd4_layout_setlease() then
    fails, the error path frees the layout stateid directly with
    kmem_cache_free() without ever calling idr_remove(), leaving the
    IDR slot pointing at freed slab memory. Any subsequent IDR walker
    (states_show, client teardown) dereferences the dangling pointer.
    
    The correct teardown for an IDR-published stid is nfs4_put_stid(),
    which removes the IDR slot under cl_lock, dispatches sc_free
    (nfsd4_free_layout_stateid) to release ls->ls_file via
    nfsd4_close_layout(), and drops the nfs4_file reference in its
    tail.
    
    Replace the manual nfsd_file_put + put_nfs4_file + kmem_cache_free
    cleanup with a single nfs4_put_stid(stp).
    
    Fixes: c5c707f96fc9 ("nfsd: implement pNFS layout recalls")
    Cc: [email protected]
    Signed-off-by: Chris Mason <[email protected]>
    Reviewed-by: Jeff Layton <[email protected]>
    Signed-off-by: Chuck Lever <[email protected]>
    Signed-off-by: Chuck Lever <[email protected]>
    [ cel: no ls_fence_work in 6.12.y; dropped INIT_DELAYED_WORK hunk ]
    Signed-off-by: Chuck Lever <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
NFSv4/flexfiles: Add data structure support for striped layouts [+ + +]
Author: Jonathan Curley <[email protected]>
Date:   Sat Jul 4 23:11:49 2026 -0400

    NFSv4/flexfiles: Add data structure support for striped layouts
    
    [ Upstream commit d442670c0f63c46b7f348f68fb2002af597708f2 ]
    
    Adds a new struct nfs4_ff_layout_ds_stripe that represents a data
    server stripe within a layout. A new dynamically allocated array of
    this type has been added to nfs4_ff_layout_mirror and per stripe
    configuration information has been moved from the mirror type to the
    stripe based on the RFC.
    
    Signed-off-by: Jonathan Curley <[email protected]>
    Signed-off-by: Anna Schumaker <[email protected]>
    Stable-dep-of: 2c6bb3c40bc2 ("NFSv4/flexfiles: reject zero filehandle version count")
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

NFSv4/flexfiles: reject zero filehandle version count [+ + +]
Author: Michael Bommarito <[email protected]>
Date:   Sat Jul 4 23:11:50 2026 -0400

    NFSv4/flexfiles: reject zero filehandle version count
    
    [ Upstream commit 2c6bb3c40bc24f6aa8dfbe6fe98c3ad6389203f2 ]
    
    ff_layout_alloc_lseg() decodes the filehandle-version array count
    from the flexfiles layout body. The value is used as the count for
    kzalloc_objs(), and the current code only rejects NULL.
    
    A zero count yields ZERO_SIZE_PTR, which can be stored in
    dss_info->fh_versions even though later flexfiles paths assume that at
    least one filehandle version exists.
    
    Reject fh_count == 0 before the allocation, matching the existing zero
    version_count validation in the flexfiles GETDEVICEINFO parser.
    
    A QEMU/KASAN run with a malformed flexfiles layout hit:
    
      KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
      RIP: 0010:ff_layout_encode_ff_layoutupdate.isra.0+0x15f/0x750
      ff_layout_encode_layoutreturn+0x683/0x970
      nfs4_xdr_enc_layoutreturn+0x278/0x3a0
      Kernel panic - not syncing: Fatal exception
    
    The patched kernel rejects the malformed layout without KASAN/oops/panic,
    and a valid fh_count=1 regression still opens, reads, and unmounts cleanly.
    
    Cc: [email protected]
    Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver")
    Assisted-by: Claude:claude-opus-4-7
    Signed-off-by: Michael Bommarito <[email protected]>
    Signed-off-by: Anna Schumaker <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

NFSv4/flexfiles: Remove cred local variable dependency [+ + +]
Author: Jonathan Curley <[email protected]>
Date:   Sat Jul 4 23:11:48 2026 -0400

    NFSv4/flexfiles: Remove cred local variable dependency
    
    [ Upstream commit fec80afc41afa3016421115427df8d00dc491ee5 ]
    
    No-op preparation change to remove dependency on cred local
    variable. Subsequent striping diff has a cred per stripe so this local
    variable can't be trusted to be the same.
    
    Signed-off-by: Jonathan Curley <[email protected]>
    Signed-off-by: Anna Schumaker <[email protected]>
    Stable-dep-of: 2c6bb3c40bc2 ("NFSv4/flexfiles: reject zero filehandle version count")
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
NFSv4: include MAY_WRITE in open permission mask for O_TRUNC [+ + +]
Author: Benjamin Coddington <[email protected]>
Date:   Thu Jun 11 17:02:15 2026 -0400

    NFSv4: include MAY_WRITE in open permission mask for O_TRUNC
    
    commit 5140f099ecd8a2f2808b7f7b720ee1bad8468974 upstream.
    
    POSIX requires write permission to truncate a file, so an open() that
    specifies O_TRUNC must be authorized for write access regardless of the
    O_ACCMODE access mode.
    
    nfs_open_permission_mask() builds the access mask passed to
    nfs_may_open(), which is the local authorization gate for OPENs the
    client serves itself from a cached write delegation via the
    can_open_delegated() path in nfs4_try_open_cached().  The mask is
    derived from O_ACCMODE alone, so an open(O_RDONLY | O_TRUNC) against a
    file the caller cannot write requests only MAY_READ and passes the
    local check.  The OPEN is then satisfied locally and the truncation is
    issued to the server as a SETATTR(size=0) over the delegation stateid,
    which the server accepts under standard write-delegation semantics.
    POSIX requires that this open fail with EACCES.
    
    Include MAY_WRITE in the mask whenever O_TRUNC is set so the local
    check matches the access the server would have enforced.
    
    Suggested-by: Trond Myklebust <[email protected]>
    Fixes: af22f94ae02a ("NFSv4: Simplify _nfs4_do_access()")
    Cc: [email protected]
    Signed-off-by: Benjamin Coddington <[email protected]>
    Signed-off-by: Anna Schumaker <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
nilfs2: reject CLEAN_SEGMENTS ioctl with out-of-range segment numbers [+ + +]
Author: Deepanshu Kartikey <[email protected]>
Date:   Sun May 3 13:33:29 2026 +0900

    nilfs2: reject CLEAN_SEGMENTS ioctl with out-of-range segment numbers
    
    commit 0e7a690fe435f8d5ea3feb7c1d8d73ba7e8b8aa9 upstream.
    
    Syzbot reported a hung task in nilfs_transaction_begin() where multiple
    tasks performing chmod() on a nilfs2 mount blocked for over 143 seconds
    waiting to acquire ns_segctor_sem for read:
    
      INFO: task syz.0.17:5918 blocked for more than 143 seconds.
      Call Trace:
       schedule+0x164/0x360
       rwsem_down_read_slowpath+0x6d9/0x940
       down_read+0x99/0x2e0
       nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
       nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
       notify_change+0xc1a/0xf40
       chmod_common+0x273/0x4a0
       do_fchmodat+0x12d/0x230
    
    The writer holding ns_segctor_sem was a concurrent
    NILFS_IOCTL_CLEAN_SEGMENTS caller, stuck inside printk while emitting
    per-element warnings from nilfs_sufile_updatev():
    
       __nilfs_msg+0x373/0x450 fs/nilfs2/super.c:78
       nilfs_sufile_updatev+0x21c/0x6d0 fs/nilfs2/sufile.c:186
       nilfs_sufile_freev fs/nilfs2/sufile.h:93 [inline]
       nilfs_free_segments fs/nilfs2/segment.c:1140 [inline]
       nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1261 [inline]
       nilfs_segctor_do_construct+0x1f55/0x76c0
       nilfs_clean_segments+0x3bd/0xa50
       nilfs_ioctl_clean_segments fs/nilfs2/ioctl.c:922 [inline]
       nilfs_ioctl+0x261f/0x2780
    
    The root cause is that user-supplied segment numbers are not validated
    before nilfs_clean_segments() begins doing work; the range check on
    each segnum is performed deep inside the call chain by
    nilfs_sufile_updatev(), which emits a nilfs_warn() per invalid entry
    while still holding the segctor lock and the sufile mi_sem.  Under load
    (repeated invocations across multiple mounts saturating the global
    printk path), the cumulative printk latency keeps ns_segctor_sem held
    long enough to trip the hung_task watchdog, blocking concurrent
    operations such as chmod() that need ns_segctor_sem for read.
    
    Fix by validating the contents of kbufs[4] in nilfs_clean_segments()
    immediately after acquiring ns_segctor_sem via nilfs_transaction_lock().
    Holding ns_segctor_sem serializes the check against
    nilfs_ioctl_resize(), which can modify ns_nsegments, so the validation
    uses a consistent value.  Out-of-range segment numbers are rejected
    with -EINVAL before any segment-cleaning work begins, so the bad
    entries never reach the per-element diagnostic path inside
    nilfs_sufile_updatev().
    
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=62f0f99d2f2bb8e3bbd7
    Tested-by: [email protected]
    Cc: [email protected]
    Signed-off-by: Deepanshu Kartikey <[email protected]>
    Fixes: 071cb4b81987 ("nilfs2: eliminate removal list of segments")
    Signed-off-by: Ryusuke Konishi <[email protected]>
    Signed-off-by: Viacheslav Dubeyko <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
NTB: epf: Avoid calling pci_irq_vector() from hardirq context [+ + +]
Author: Koichiro Den <[email protected]>
Date:   Wed Mar 4 17:30:28 2026 +0900

    NTB: epf: Avoid calling pci_irq_vector() from hardirq context
    
    commit 4dcddc1c794d1c65eda68f1f8dd04a0fecc0870f upstream.
    
    ntb_epf_vec_isr() calls pci_irq_vector() in hardirq context to derive
    the vector number. pci_irq_vector() calls msi_get_virq() that takes a
    mutex and can therefore trigger "scheduling while atomic" splats:
    
      BUG: scheduling while atomic: kworker/u33:0/55/0x00010001
      ...
      Call trace:
       ...
       schedule+0x38/0x110
       schedule_preempt_disabled+0x28/0x50
       __mutex_lock.constprop.0+0x848/0x908
       __mutex_lock_slowpath+0x18/0x30
       mutex_lock+0x4c/0x60
       msi_domain_get_virq+0xe8/0x138
       pci_irq_vector+0x2c/0x60
       ntb_epf_vec_isr+0x28/0x120 [ntb_hw_epf]
       __handle_irq_event_percpu+0x70/0x3a8
       handle_irq_event+0x48/0x100
       handle_edge_irq+0x100/0x1c8
       ...
    
    Cache the Linux IRQ number for vector 0 when vectors are allocated and
    use it as a base in the ISR. Running the ISR in a threaded IRQ handler
    would also avoid the problem, but that would be unnecessary here.
    
    Fixes: 812ce2f8d14e ("NTB: Add support for EPF PCI Non-Transparent Bridge")
    Signed-off-by: Koichiro Den <[email protected]>
    Signed-off-by: Manivannan Sadhasivam <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Reviewed-by: Dave Jiang <[email protected]>
    Cc: [email protected] # v5.12+
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

NTB: epf: Fix request_irq() unwind in ntb_epf_init_isr() [+ + +]
Author: Koichiro Den <[email protected]>
Date:   Wed Mar 4 17:30:27 2026 +0900

    NTB: epf: Fix request_irq() unwind in ntb_epf_init_isr()
    
    commit fcba26efe5efc7441f5505f4ccc69791214b40be upstream.
    
    ntb_epf_init_isr() requests multiple MSI/MSI-X vectors in a loop. If
    request_irq() fails part-way through, it jumps straight to
    pci_free_irq_vectors() without freeing already requested IRQs.
    
    Fix the error path by freeing any successfully requested IRQs before
    releasing the vectors.
    
    Fixes: 812ce2f8d14e ("NTB: Add support for EPF PCI Non-Transparent Bridge")
    Signed-off-by: Koichiro Den <[email protected]>
    Signed-off-by: Manivannan Sadhasivam <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Reviewed-by: Dave Jiang <[email protected]>
    Cc: [email protected] # v5.12+
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
nvme-multipath: set BIO_REMAPPED on bios remapped to per-path namespace disks [+ + +]
Author: Achkinazi, Igor <[email protected]>
Date:   Thu May 28 15:24:27 2026 +0000

    nvme-multipath: set BIO_REMAPPED on bios remapped to per-path namespace disks
    
    commit 88bac2c1a72b8f4f71e9845699aa872df04e5850 upstream.
    
    When nvme_ns_head_submit_bio() remaps a bio from the multipath head to a
    per-path namespace, bio_set_dev() clears BIO_REMAPPED.  The remapped bio
    is then resubmitted through submit_bio_noacct() which calls
    bio_check_eod() because BIO_REMAPPED is not set.
    
    This races with nvme_ns_remove() which zeroes the per-path capacity
    before synchronize_srcu():
    
      CPU 0 (IO submission)
      ---------------------
      srcu_read_lock()
      nvme_find_path() -> ns
        [NVME_NS_READY is set]
    
      CPU 1 (namespace removal)
      -------------------------
      clear_bit(NVME_NS_READY)
      set_capacity(ns->disk, 0)
      synchronize_srcu()  <- blocks
    
      CPU 0 (IO submission)
      ---------------------
      bio_set_dev(bio, ns->disk->part0)
        [clears BIO_REMAPPED]
      submit_bio_noacct(bio)
        -> bio_check_eod() sees capacity=0
        -> bio fails with IO error
    
    The SRCU read lock prevents synchronize_srcu() from completing, but does
    not prevent set_capacity(0) from executing.  The bio fails the EOD check
    before it reaches the NVMe driver, so nvme_failover_req() never gets a
    chance to redirect it to another path of multipath.  IO errors are
    reported to the application despite another path being available.
    
    On older kernels (before commit 0b64682e78f7 "block: skip unnecessary
    checks for split bio"), the same race was also reachable through split
    remainders resubmitted via submit_bio_noacct().
    
    Fix this by setting BIO_REMAPPED after bio_set_dev() in
    nvme_ns_head_submit_bio().  This skips bio_check_eod() on the per-path
    device; the EOD check already passed on the multipath head.
    
    NVMe per-path namespace devices are always whole disks (bd_partno=0), so
    the blk_partition_remap() skip also gated by BIO_REMAPPED is a no-op.
    The flag does not persist across failover and cannot go stale if the
    namespace geometry changes between attempts: nvme_failover_req() calls
    bio_set_dev() to redirect the bio back to the multipath head, which
    clears BIO_REMAPPED.  When nvme_requeue_work() resubmits through
    submit_bio_noacct(), bio_check_eod() runs normally against the current
    capacity.
    
    Same approach as commit 3a905c37c351 ("block: skip bio_check_eod for
    partition-remapped bios").
    
    Fixes: a7c7f7b2b641 ("nvme: use bio_set_dev to assign ->bi_bdev")
    Cc: [email protected]
    Reviewed-by: Christoph Hellwig <[email protected]>
    Signed-off-by: Igor Achkinazi <[email protected]>
    Signed-off-by: Keith Busch <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
nvme: target: rdma: fix ndev refcount leak on queue connect [+ + +]
Author: Wentao Liang <[email protected]>
Date:   Wed May 27 08:45:44 2026 +0000

    nvme: target: rdma: fix ndev refcount leak on queue connect
    
    commit badc53620fe813b3a9f727ef9526f98567c2c898 upstream.
    
    nvmet_rdma_queue_connect() calls nvmet_rdma_find_get_device() which
    acquires a reference on the returned ndev via kref_get(). On the path
    where the host queue backlog is exceeded and the function returns
    NVME_SC_CONNECT_CTRL_BUSY, reference of ndev is not released, leaking
    the kref.
    
    Fix this by adding a goto to the existing put_device label before the
    early return.
    
    Fixes: 31deaeb11ba7 ("nvmet-rdma: avoid circular locking dependency on install_queue()")
    Cc: [email protected]
    Reviewed-by: Christoph Hellwig <[email protected]>
    Signed-off-by: Wentao Liang <[email protected]>
    Signed-off-by: Keith Busch <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
nvmet-auth: validate reply message payload bounds against transfer length [+ + +]
Author: Tianchu Chen <[email protected]>
Date:   Fri May 29 14:18:39 2026 +0000

    nvmet-auth: validate reply message payload bounds against transfer length
    
    commit 3a413ece2504c70aa34a20be4dafec04e8c741f9 upstream.
    
    nvmet_auth_reply() accesses the variable-length rval[] array using
    attacker-controlled hl (hash length) and dhvlen (DH value length) fields
    without verifying they fit within the allocated buffer of tl bytes.
    
    A malicious NVMe-oF initiator can craft a DHCHAP_REPLY message with a
    small transfer length but large hl/dhvlen values, causing out-of-bounds
    heap reads when the target processes the DH public key (rval + 2*hl) or
    performs the host response memcmp.
    
    With DH authentication configured, the OOB pointer is passed directly to
    sg_init_one() and read by crypto_kpp_compute_shared_secret(), reaching
    up to 526 bytes past the buffer. This is exploitable pre-authentication.
    
    Add bounds validation ensuring sizeof(*data) + 2*hl + dhvlen <= tl before
    any access to the variable-length fields.
    
    Discovered by Atuin - Automated Vulnerability Discovery Engine.
    
    Fixes: db1312dd9548 ("nvmet: implement basic In-Band Authentication")
    Cc: [email protected]
    Reviewed-by: Hannes Reinecke <[email protected]>
    Signed-off-by: Tianchu Chen <[email protected]>
    Signed-off-by: Keith Busch <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
nvmet: fix pre-auth out-of-bounds heap read in Discovery Get Log Page [+ + +]
Author: Bryam Vargas <[email protected]>
Date:   Wed May 27 15:00:00 2026 -0500

    nvmet: fix pre-auth out-of-bounds heap read in Discovery Get Log Page
    
    commit 53cd102a7a56079b11b897835bd9b94c14e6322c upstream.
    
    nvmet_execute_disc_get_log_page() validates only the dword alignment
    of the host-supplied Log Page Offset (lpo).  The 64-bit offset is then
    added to a small kzalloc'd buffer that holds the discovery log page
    and the result is passed straight to nvmet_copy_to_sgl(), which
    memcpy()s data_len bytes out to the host with no source-side bound
    check:
    
        u64 offset      = nvmet_get_log_page_offset(req->cmd);  /* 64-bit host */
        size_t data_len = nvmet_get_log_page_len(req->cmd);     /* 32-bit host */
        ...
        if (offset & 0x3) { ... }                               /* only check */
        ...
        alloc_len = sizeof(*hdr) + entry_size * discovery_log_entries(req);
        buffer = kzalloc(alloc_len, GFP_KERNEL);
        ...
        status = nvmet_copy_to_sgl(req, 0, buffer + offset, data_len);
    
    The Discovery controller is unauthenticated -- nvmet_host_allowed()
    returns true unconditionally for the discovery subsystem -- so the call
    is reachable pre-authentication by any TCP/RDMA/FC peer that can reach
    the nvmet target.  With a discovery log page of ~1 KiB, an attacker
    requesting up to 4 KiB starting at offset == alloc_len reads the next
    slab page out and gets its content returned over the fabric (an
    empirical run on a default nvmet-tcp loopback target leaked 81
    canonical kernel pointers in one Get Log Page response).  Pointing the
    offset at unmapped kernel memory faults the in-kernel memcpy and
    crashes (or panics, on panic_on_oops=1) the target host instead.
    
    The attacker-controlled source-side offset pattern
    "nvmet_copy_to_sgl(req, 0, buffer + ATTACKER_OFFSET, ...)" is unique
    to nvmet_execute_disc_get_log_page in the entire nvmet codebase: every
    other Get Log Page handler in admin-cmd.c either ignores lpo (and
    silently starts every response at offset 0) or tracks a local
    destination offset with a fixed source pointer.
    
    Validate the host-supplied offset against the log page size, cap the
    copy length to what is actually available, and zero-fill any remainder
    of the host transfer buffer.  The zero-fill matches the existing
    short-response pattern in nvmet_execute_get_log_changed_ns()
    (admin-cmd.c) and prevents leaking transport SGL contents when the
    host asks for more bytes than the log page contains.
    
    Fixes: a07b4970f464 ("nvmet: add a generic NVMe target")
    Cc: [email protected]
    Reviewed-by: Chaitanya Kulkarni <[email protected]>
    Reviewed-by: Christoph Hellwig <[email protected]>
    Signed-off-by: Bryam Vargas <[email protected]>
    Signed-off-by: Keith Busch <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
OPP: of: Fix potential memory leak in opp_parse_supplies() [+ + +]
Author: Abdun Nihaal <[email protected]>
Date:   Mon May 11 12:12:11 2026 +0530

    OPP: of: Fix potential memory leak in opp_parse_supplies()
    
    commit 69f888381d2ecbe18ed9f112c096f8fd3623db98 upstream.
    
    The memory allocated for microvolt, microamp and microwatt is not freed
    in one of the paths in opp_parse_supplies() which returns directly.
    Fix that by adding a goto to the error unwind ladder.
    
    Fixes: 2eedf62e66c2 ("OPP: decouple dt properties in opp_parse_supplies()")
    Cc: [email protected]
    Signed-off-by: Abdun Nihaal <[email protected]>
    Signed-off-by: Viresh Kumar <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
partitions: aix: bound the pp_count scan to the ppe array [+ + +]
Author: Bryam Vargas <[email protected]>
Date:   Sun Jun 7 06:41:43 2026 +0000

    partitions: aix: bound the pp_count scan to the ppe array
    
    commit 2dc0bfd2fe355fb930de63c2f2eb8ced8570c579 upstream.
    
    aix_partition() reads the physical volume descriptor into a fixed-size
    struct pvd and then scans its physical-partition-extent array:
    
            int numpps = be16_to_cpu(pvd->pp_count);
            ...
            for (i = 0; i < numpps; i += 1) {
                    struct ppe *p = pvd->ppe + i;
                    ...
                    lp_ix = be16_to_cpu(p->lp_ix);
    
    pvd points at a single kmalloc()'d struct pvd whose ppe[] member holds a
    fixed ARRAY_SIZE(pvd->ppe) (1016) entries, but the loop runs up to the
    on-disk pp_count.  pp_count is an unvalidated __be16 read straight from
    the descriptor, so a crafted AIX image with pp_count larger than 1016
    drives the loop to read pvd->ppe[i] past the end of the allocation (up
    to 65535 entries, ~2 MB out of bounds).
    
    The partition scan runs without mounting anything, when a block device
    with a crafted AIX/IBM partition table appears (an attacker-supplied
    image attached with losetup -P, or a device auto-scanned by udev), via
    msdos_partition() -> aix_partition().
    
    Clamp the scan to the number of entries the ppe[] array can hold.
    
    Fixes: 6ceea22bbbc8 ("partitions: add aix lvm partition support files")
    Cc: [email protected]
    Signed-off-by: Bryam Vargas <[email protected]>
    Acked-by: Philippe De Muyter <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jens Axboe <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
PCI: altera: Do not dispose parent IRQ mapping [+ + +]
Author: Mahesh Vaidya <[email protected]>
Date:   Thu Apr 30 13:43:29 2026 -0700

    PCI: altera: Do not dispose parent IRQ mapping
    
    commit 5ef4bac02189bee0b7c170e352d7a38e13fe9678 upstream.
    
    altera_pcie_irq_teardown() calls irq_dispose_mapping() on pcie->irq.
    However, pcie->irq is the parent IRQ returned by platform_get_irq(), not
    the mapping created by Altera INTx irq_domain.
    
    The Altera driver only sets the chained handler on the parent IRQ. It
    should detach that handler during teardown, but it should not dispose the
    parent IRQ mapping, which belongs to the parent interrupt controller's
    irq_domain.
    
    Drop irq_dispose_mapping(pcie->irq) from the teardown path.
    
    Note that during irqchip remove(), the child IRQs should've disposed. But
    since the chained handler itself is removed, there is no way the stale
    child IRQs (if exists) could fire. So it is safe here.
    
    Fixes: ec15c4d0d5d2 ("PCI: altera: Allow building as module")
    Signed-off-by: Mahesh Vaidya <[email protected]>
    [mani: added a note about IRQ disposal]
    Signed-off-by: Manivannan Sadhasivam <[email protected]>
    Reviewed-by: Subhransu S. Prusty <[email protected]>
    Cc: [email protected]
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

PCI: Always lift 2.5GT/s restriction in PCIe failed link retraining [+ + +]
Author: Maciej W. Rozycki <[email protected]>
Date:   Mon Jul 13 23:25:49 2026 +0100

    PCI: Always lift 2.5GT/s restriction in PCIe failed link retraining
    
    commit 72780f7964684939d7d2f69c348876213b184484 upstream.
    
    Discard Vendor:Device ID matching in the PCIe failed link retraining quirk
    and ignore the link status for the removal of the 2.5GT/s speed clamp,
    whether applied by the quirk itself or the firmware earlier on.  Revert to
    the original target link speed if this final link retraining has failed.
    
    This is so that link training noise in hot-plug scenarios does not make a
    link remain clamped to the 2.5GT/s speed where an event race has led the
    quirk to apply the speed clamp for one device, only to leave it in place
    for a subsequent device to be plugged in.
    
    Refer to the Link Capabilities register directly for the maximum link speed
    determination so as to streamline backporting.
    
    Fixes: a89c82249c37 ("PCI: Work around PCIe link training failures")
    Signed-off-by: Maciej W. Rozycki <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Tested-by: Alok Tiwari <[email protected]>
    Cc: [email protected] # v6.5+
    Link: https://patch.msgid.link/[email protected]
    [ Update for missing PCIe link speed helpers for 6.12.y. ]
    Signed-off-by: Maciej W. Rozycki <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

PCI: host-common: Request bus reassignment when not probe-only [+ + +]
Author: Ratheesh Kannoth <[email protected]>
Date:   Tue Apr 14 13:47:30 2026 +0530

    PCI: host-common: Request bus reassignment when not probe-only
    
    commit fda8749ba73638f5bbca3ffb39bc6861eb3b23fa upstream.
    
    pci_host_common_init() is used by several generic ECAM host drivers.
    After PCI core changes around pci_flags and preserve_config, these hosts
    no longer opted into full bus number reassignment the way they did
    before, which broke enumeration of devices on a Marvell CN106XX board.
    
    When PCI_PROBE_ONLY is not set, add PCI_REASSIGN_ALL_BUS so
    pci_scan_bridge_extend() takes the reassignment path: bus numbers can be
    assigned from firmware EA data (e.g. pci_ea_fixed_busnrs()). Skip the
    flag in probe-only mode so existing assignments are not overridden.
    
    Fixes: 7246a4520b4b ("PCI: Use preserve_config in place of pci_flags")
    Closes: https://lore.kernel.org/all/abkqm_LCd9zAM8cW@rkannoth-OptiPlex-7090/
    Signed-off-by: Ratheesh Kannoth <[email protected]>
    [mani: added stable tag]
    Signed-off-by: Manivannan Sadhasivam <[email protected]>
    [bhelgaas: add problem report link]
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Cc: [email protected]
    Cc: Vidya Sagar <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

PCI: imx6: Fix IMX6SX_GPR12_PCIE_TEST_POWERDOWN handling [+ + +]
Author: Richard Zhu <[email protected]>
Date:   Thu Mar 19 17:08:44 2026 +0800

    PCI: imx6: Fix IMX6SX_GPR12_PCIE_TEST_POWERDOWN handling
    
    commit aad953fb4eed0df5486cd54ccad80ac197678e01 upstream.
    
    The IMX6SX_GPR12_PCIE_TEST_POWERDOWN bit does not control the PCIe
    reference clock on i.MX6SX. Instead, it is part of i.MX6SX PCIe core
    reset sequence.
    
    Move the IMX6SX_GPR12_PCIE_TEST_POWERDOWN assertion/deassertion into
    the core reset functions to properly reflect its purpose. Remove the
    .enable_ref_clk() callback for i.MX6SX since it was incorrectly
    manipulating this bit.
    
    Fixes: e3c06cd063d6 ("PCI: imx6: Add initial imx6sx support")
    Signed-off-by: Richard Zhu <[email protected]>
    Signed-off-by: Manivannan Sadhasivam <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Reviewed-by: Frank Li <[email protected]>
    Cc: [email protected]
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

PCI: loongson: Override PCIe bridge supported speeds for Loongson-3C6000 series [+ + +]
Author: Ziyao Li <[email protected]>
Date:   Sun Apr 12 18:17:31 2026 +0800

    PCI: loongson: Override PCIe bridge supported speeds for Loongson-3C6000 series
    
    commit e373c789bac0ad73b472d8b44714df3bd18a4edf upstream.
    
    Older steppings of the Loongson-3C6000 series incorrectly report the
    supported link speeds on their PCIe bridges (device IDs 0x3c19, 0x3c29)
    as only 2.5 GT/s, despite the upstream bus supporting speeds from
    2.5 GT/s up to 16 GT/s.
    
    As a result, since commit 774c71c52aa4 ("PCI/bwctrl: Enable only if more
    than one speed is supported"), bwctrl will be disabled if there's only
    one 2.5 GT/s value in vector 'supported_speeds'.
    
    Manually override the 'supported_speeds' field for affected PCIe bridges
    with those found on the upstream bus to correctly reflect the supported
    link speeds.  Updating the speeds to reflect what the hardware actually
    supports avoids quirks in drivers consuming the speed information.
    
    This commit was originally found from AOSC OS[1].
    
    Fixes: cd89edda4002 ("PCI: loongson: Add ACPI init support")
    Signed-off-by: Ayden Meng <[email protected]>
    Signed-off-by: Mingcong Bai <[email protected]>
    [Ziyao Li: move from drivers/pci/quirks.c to drivers/pci/controller/pci-loongson.c]
    Signed-off-by: Ziyao Li <[email protected]>
    [Xi Ruoyao: Fixed falling through logic, added debug log, Fixes tag and rebased to 7.0-rc7]
    Signed-off-by: Xi Ruoyao <[email protected]>
    Signed-off-by: Manivannan Sadhasivam <[email protected]>
    [bhelgaas: commit log, https://lore.kernel.org/all/[email protected]]
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Tested-by: Lain Fearyncess Yang <[email protected]>
    Tested-by: Ayden Meng <[email protected]>
    Tested-by: Mingcong Bai <[email protected]>
    Reviewed-by: Huacai Chen <[email protected]>
    Cc: [email protected]
    Link: https://github.com/AOSC-Tracking/linux/commit/4392f441363abdf6fa0a0433d73175a17f493454
    Link: https://github.com/AOSC-Tracking/linux/pull/2 #1
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
perf trace beauty fcntl: Fix build with older kernel headers [+ + +]
Author: Florian Fainelli <[email protected]>
Date:   Wed May 13 12:23:46 2026 -0700

    perf trace beauty fcntl: Fix build with older kernel headers
    
    commit 7ee7f48413c42b90230de4a8e40898b757bc8e82 upstream.
    
    Toolchains with older kernel headers that do not include upstream commit
    c75b1d9421f80f41 ("fs: add fcntl() interface for setting/getting write
    life time hints") will now fail to build perf due to missing definitions
    for F_GET_RW_HINT/F_SET_RW_HINT/F_GET_FILE_RW_HINT/F_SET_FILE_RW_HINT.
    
    Provide a fallback definition for these when they are not already
    defined.
    
    Fixes: 9c47f66748381ecb ("perf trace beauty fcntl: Basic 'arg' beautifier")
    Reviewed-by: Ian Rogers <[email protected]>
    Signed-off-by: Florian Fainelli <[email protected]>
    Cc: Adrian Hunter <[email protected]>
    Cc: Alexander Shishkin <[email protected]>
    Cc: Ingo Molnar <[email protected]>
    Cc: James Clark <[email protected]>
    Cc: Jiri Olsa <[email protected]>
    Cc: Mark Rutland <[email protected]>
    Cc: Markus Mayer <[email protected]>
    Cc: Namhyung Kim <[email protected]>
    Cc: Peter Zijlstra <[email protected]>
    Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
perf/arm-cmn: Fix DVM node events [+ + +]
Author: Robin Murphy <[email protected]>
Date:   Fri May 29 15:33:45 2026 +0100

    perf/arm-cmn: Fix DVM node events
    
    commit 5936245125f78d896fdb1bbc2ae79213e28a6579 upstream.
    
    The new DVM node events added in CMN-700 also apply to CMN S3; fix
    the model encoding so that we can expose the aliases and handle
    occupancy filtering on newer CMNs too.
    
    Cc: [email protected]
    Fixes: 0dc2f4963f7e ("perf/arm-cmn: Support CMN S3")
    Signed-off-by: Robin Murphy <[email protected]>
    Signed-off-by: Will Deacon <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
perf/core: Detach event groups during remove_on_exec [+ + +]
Author: Taeyang Lee <[email protected]>
Date:   Thu Jul 9 23:29:08 2026 +0900

    perf/core: Detach event groups during remove_on_exec
    
    [ Upstream commit 037a3c43edfb597665dd34457cd22b14692f2ba3 ]
    
    perf_event_remove_on_exec() removes events by calling
    perf_event_exit_event(). For top-level events, this removes the event from
    the context with DETACH_EXIT only.
    
    This can leave inconsistent group state when a removed event is a group
    leader and the group contains siblings without remove_on_exec. If the group
    was active, the surviving siblings can remain active and attached to the
    removed leader's sibling list, but are no longer represented by a valid
    group leader on the PMU context active lists.
    
    A later close of the removed leader uses DETACH_GROUP and can promote the
    still-active siblings from this stale group state. The next schedule-in can
    then add an already-linked active_list entry again, corrupting the PMU
    context active list.
    
    With DEBUG_LIST enabled, this is caught as a list_add double-add in
    merge_sched_in().
    
    Fix this by detaching group relationships when remove_on_exec removes an
    event. This preserves the existing task-exit and revoke behavior, while
    ensuring surviving siblings are ungrouped before the removed event leaves
    the context.
    
    Fixes: 2e498d0a74e5 ("perf: Add support for event removal on exec")
    Signed-off-by: Taeyang Lee <[email protected]>
    Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
perf: Fix dangling cgroup pointer in cpuctx backport [+ + +]
Author: Wentao Guan <[email protected]>
Date:   Fri Jul 3 00:48:25 2026 +0800

    perf: Fix dangling cgroup pointer in cpuctx backport
    
    recently backport of ("perf: Fix dangling cgroup pointer in cpuctx")
    use a middle version, so aligned with the upstream commit:
    commit 3b7a34aebbdf ("perf: Fix dangling cgroup pointer in cpuctx")
    
    This is a fix for stable v6.12.94 backport commit, so no upstream commit.
    
    Link: https://lore.kernel.org/all/2026070200-uneaten-smock-4130@gregkh/
    Fixes: 46f5623f9b0e ("perf: Fix dangling cgroup pointer in cpuctx")
    Signed-off-by: Wentao Guan <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
platform/x86: intel-hid: Protect ACPI notify handler against recursion [+ + +]
Author: HyeongJun An <[email protected]>
Date:   Sat Jun 6 02:49:05 2026 +0900

    platform/x86: intel-hid: Protect ACPI notify handler against recursion
    
    commit c085d82613d5618814b84406c8b2d64f1bc305e7 upstream.
    
    Since commit e2ffcda16290 ("ACPI: OSL: Allow Notify () handlers to run on
    all CPUs") ACPI notify handlers like the intel-hid notify_handler() may
    run on multiple CPU cores racing with themselves.
    
    On convertibles and detachables (matched by DMI chassis-type 31 and 32 in
    dmi_auto_add_switch[]) the SW_TABLET_MODE input device is registered
    lazily from notify_handler() on the first tablet-mode event, via
    intel_hid_switches_setup(). When two such events race on different CPUs
    both can pass the !priv->switches check and register the priv->switches
    input device twice, resulting in a duplicate sysfs entry and a subsequent
    NULL pointer dereference.
    
    This is the same class of bug fixed by commit e075c3b13a0a ("platform/x86:
    intel-vbtn: Protect ACPI notify handler against recursion") for the
    sibling intel-vbtn driver.
    
    Protect intel-hid notify_handler() from racing with itself with a mutex
    to fix this.
    
    Fixes: e2ffcda16290 ("ACPI: OSL: Allow Notify () handlers to run on all CPUs")
    Cc: [email protected]
    Signed-off-by: HyeongJun An <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Reviewed-by: Ilpo Järvinen <[email protected]>
    Signed-off-by: Ilpo Järvinen <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
posix-cpu-timers: Fix pid refcount leak in do_cpu_nanosleep() error path [+ + +]
Author: WenTao Liang <[email protected]>
Date:   Fri Jun 12 00:17:38 2026 +0800

    posix-cpu-timers: Fix pid refcount leak in do_cpu_nanosleep() error path
    
    commit 87bd2ad568e15b90d5f7d4bcd70342d05dad649c upstream.
    
    In do_cpu_nanosleep(), posix_cpu_timer_create() takes a pid reference
    via get_pid() and stores it in timer.it.cpu.pid. If the subsequent
    posix_cpu_timer_set() call fails, the function returns immediately
    without calling posix_cpu_timer_del() to release the pid reference,
    causing a leak.
    
    Fix it by calling posix_cpu_timer_del() before the unlock-and-return
    on the error path, consistent with the other exit paths in the same
    function.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: WenTao Liang <[email protected]>
    Signed-off-by: Thomas Gleixner <[email protected]>
    Reviewed-by: Frederic Weisbecker <[email protected]>
    Cc: [email protected]
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
RDMA/rtrs-srv: Bound RDMA-Write length to chunk size in rdma_write_sg [+ + +]
Author: Zhenhao Wan <[email protected]>
Date:   Fri Jun 12 01:15:54 2026 +0800

    RDMA/rtrs-srv: Bound RDMA-Write length to chunk size in rdma_write_sg
    
    commit 963af8d97a8c6a117134a8d0db1415e0489200b1 upstream.
    
    When the server answers an RTRS READ, rdma_write_sg() builds the source
    scatter/gather entry for the IB_WR_RDMA_WRITE that returns data to the
    peer. Its length is taken directly from the wire descriptor:
    
      plist->length = le32_to_cpu(id->rd_msg->desc[0].len);
    
    rd_msg points into the chunk buffer that the remote peer filled via
    RDMA-WRITE-WITH-IMM (rtrs_srv_rdma_done() -> process_io_req() ->
    process_read()), so desc[0].len is attacker-controlled and, before this
    change, was only rejected when zero. The source address is the fixed
    chunk start (dma_addr[msg_id]) and the source lkey is the PD-wide
    local_dma_lkey, which is not tied to the chunk's MR mapping, so the verbs
    layer does not constrain the transfer length to max_chunk_size. msg_id
    and off are bounded against queue_depth and max_chunk_size in
    rtrs_srv_rdma_done(), but desc[0].len is a separate field that was not
    checked against the chunk size.
    
    A peer that advertises desc[0].len larger than max_chunk_size can make
    the posted RDMA write read past the chunk's mapped region. The resulting
    behaviour depends on the IOMMU configuration: with no IOMMU or in
    passthrough mode the read may extend into memory adjacent to the chunk
    and be returned to the peer, which can disclose host memory; with a
    translating IOMMU the out-of-range access is expected to fault and abort
    the connection. In either case the transfer exceeds what the protocol
    permits and is driven by a remote peer.
    
    Reject a descriptor length above max_chunk_size, mirroring the existing
    off >= max_chunk_size bound in rtrs_srv_rdma_done(). Legitimate clients
    do not exceed it: the client sets desc[0].len to its MR length, which is
    capped at the negotiated max_io_size (max_chunk_size - MAX_HDR_SIZE).
    
    Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality")
    Link: https://patch.msgid.link/r/[email protected]
    Reported-by: Yuhao Jiang <[email protected]>
    Cc: [email protected]
    Signed-off-by: Zhenhao Wan <[email protected]>
    Reviewed-by: Md Haris Iqbal <[email protected]>
    Signed-off-by: Jason Gunthorpe <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
RDMA/siw: bound Read Response placement to the RREAD length [+ + +]
Author: Michael Bommarito <[email protected]>
Date:   Tue Jun 2 15:47:00 2026 -0400

    RDMA/siw: bound Read Response placement to the RREAD length
    
    commit 7d29f7e9dbd844cae4d3e559cf78324b9642fd6b upstream.
    
    In drivers/infiniband/sw/siw/siw_qp_rx.c, siw_proc_rresp() places each
    inbound Read Response DDP segment at sge->laddr + wqe->processed and then
    accumulates wqe->processed, but it never checks the running total against
    the sink buffer length on continuation segments. siw_check_sge() resolves
    and validates the sink memory only on the first fragment (the if (!*mem)
    branch), and siw_rresp_check_ntoh() compares the cumulative length against
    wqe->bytes only on the final segment (the !frx->more_ddp_segs guard).
    
    A connected siw peer that answers an outstanding RREAD with Read Response
    segments that keep the DDP Last flag clear, carrying more total payload
    than the RREAD requested, drives wqe->processed past the validated sink
    buffer; the next siw_rx_data() call writes out of bounds at
    sge->laddr + wqe->processed. siw runs iWARP over ordinary routable TCP,
    so the peer is the remote end of an established RDMA connection and needs
    no local privilege.
    
    Bound every segment before placement, exactly as siw_proc_send() and
    siw_proc_write() already do for their tagged and untagged paths, and
    terminate the connection with a base-or-bounds DDP error when the
    Read Response would overrun the sink buffer.
    
    This is the second receive-path length fix for this file. A separate
    change rejects an MPA FPDU length that underflows the per-fragment
    remainder in the header decode; that guard does not cover this case,
    because here each individual segment length is self-consistent and only
    the accumulated placement offset overruns the buffer.
    
    Fixes: 8b6a361b8c48 ("rdma/siw: receive path")
    Link: https://patch.msgid.link/r/[email protected]
    Cc: [email protected]
    Assisted-by: Claude:claude-opus-4-8
    Signed-off-by: Michael Bommarito <[email protected]>
    Signed-off-by: Jason Gunthorpe <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
regulator: scmi: fix of_node refcount leak in scmi_regulator_probe() [+ + +]
Author: Wentao Liang <[email protected]>
Date:   Wed May 27 10:48:50 2026 +0000

    regulator: scmi: fix of_node refcount leak in scmi_regulator_probe()
    
    commit fa11039d6cdff84584a3ef8cc1f5e1b56e045da2 upstream.
    
    scmi_regulator_probe() calls of_find_node_by_name() which takes a
    reference on the returned device node. On the error path where
    process_scmi_regulator_of_node() fails, the function returns without
    calling of_node_put() on the child node, leaking the reference.
    
    Add of_node_put(np) on the error path to properly release the
    reference.
    
    Cc: [email protected]
    Fixes: 0fbeae70ee7c ("regulator: add SCMI driver")
    Signed-off-by: Wentao Liang <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
riscv: mm: Unconditionally sfence.vma for spurious fault [+ + +]
Author: Vivian Wang <[email protected]>
Date:   Tue Mar 3 13:29:49 2026 +0800

    riscv: mm: Unconditionally sfence.vma for spurious fault
    
    commit 1b2c6b56a9fa0dcbef461039937de22b1cbecc7d upstream.
    
    Svvptc does not guarantee that it's safe to just return here. Since we
    have already cleared our bit, if, theoretically, the bounded timeframe
    for the accessed page to become valid still hasn't happened after sret,
    we could fault again and actually crash.
    
    Hopefully, these spurious faults should be rare enough that this is an
    acceptable slowdown.
    
    Cc: [email protected]
    Fixes: 503638e0babf ("riscv: Stop emitting preventive sfence.vma for new vmalloc mappings")
    Signed-off-by: Vivian Wang <[email protected]>
    Link: https://patch.msgid.link/20260303-handle-kfence-protect-spurious-fault-v2-5-f80d8354d79d@iscas.ac.cn
    Signed-off-by: Paul Walmsley <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
rust: kasan: KASAN+RUST requires clang [+ + +]
Author: Alice Ryhl <[email protected]>
Date:   Thu Jul 9 20:03:59 2026 +0200

    rust: kasan: KASAN+RUST requires clang
    
    [ Upstream commit 5b271543d0f08e9733d4732721e960e285f6448f ]
    
    Kernel KASAN involves passing various llvm/gcc specific arguments to
    the C and Rust compiler. Since these arguments differ between llvm and
    gcc, it's not safe to mix an llvm-based rustc with a gcc build when
    kasan is enabled.
    
    Signed-off-by: Alice Ryhl <[email protected]>
    Reviewed-by: Gary Guo <[email protected]>
    Cc: [email protected]
    Fixes: e3117404b411 ("kbuild: rust: Enable KASAN support")
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Miguel Ojeda <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

rust: Kbuild: set frame-pointer llvm module flag for CONFIG_FRAME_POINTER [+ + +]
Author: Alice Ryhl <[email protected]>
Date:   Tue Jun 16 12:30:38 2026 +0000

    rust: Kbuild: set frame-pointer llvm module flag for CONFIG_FRAME_POINTER
    
    commit 191f49f1e38b1c10eb44b0f967c6175c884ef7db upstream.
    
    Due to a rustc bug, the -Cforce-frame-pointers=y flag only emits the
    frame-pointer annotation for functions, but not for the module. This
    means that functions generated by the LLVM backend such as
    'asan.module_ctor' do not receive the frame-pointer annotation.
    
    This is likely to lead to broken backtraces and may also cause issues
    with ftrace if these features are used with functions generated by the
    LLVM backend.
    
    Thus, use -Zllvm_module_flag to work around this rustc bug if using a
    rustc without the fix.
    
    [ The fix [1] has landed for Rust 1.98.0 (expected release on
      2026-08-20). - Miguel ]
    
    Cc: [email protected] # 6.12.y and later (flag not available in pinned Rust in older LTSs).
    Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support")
    Link: https://github.com/rust-lang/rust/pull/156980 [1]
    Signed-off-by: Alice Ryhl <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    [ - Adjusted Cc: stable@ as discussed.
      - Added comment with link to the PR, similar to what we did in commit
        ac35b5580ace ("rust: arm64: set uwtable llvm module flag for
        CONFIG_UNWIND_TABLES").
        - Miguel ]
    Signed-off-by: Miguel Ojeda <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
sched/rt: Have RT_PUSH_IPI be default off for non PREEMPT_RT [+ + +]
Author: Steven Rostedt <[email protected]>
Date:   Fri May 15 10:37:40 2026 -0400

    sched/rt: Have RT_PUSH_IPI be default off for non PREEMPT_RT
    
    commit dd29c017aed628076e915fe4cdfb5392fd4c5cab upstream.
    
    RT migration is done aggressively. When a CPU schedules out a high
    priority RT task for a lower priority task, it will look to see if there's
    any RT tasks that are waiting to run on another CPU that is of higher
    priority than the task this CPU is about to run. If it finds one, it will
    pull that task over to the CPU and allow it to run there instead.
    
    Normally, this pulling is done by looking at the RT overloaded mask (rto)
    which contains all the CPUs in the scheduler domain with RT tasks that are
    waiting to run due to a higher priority RT task currently running on their
    CPU. The CPU that is about to schedule a lower priority task will grab the
    rq lock of the overloaded CPU and move the RT task from that CPU's runqueue
    to the local one and schedule the higher priority RT task.
    
    This caused issues when a lot of CPUs would schedule a lower priority task
    at the same time. They would all try to grab the same runqueue lock of
    the CPU with the overloaded RT tasks. Only the first CPU that got in will
    get that task. All the others would wait until they got the runqueue lock
    and see there's nothing to pull and do nothing. On systems with lots of
    CPUs, this caused a large latency (up to 500us) which is beyond what
    PREEMPT_RT is to allow.
    
    The solution to that was to create an RT_PUSH_IPI logic. When any CPU
    wanted to pull a task, instead of grabbing the runqueue lock of the
    overloaded CPU, it would start by sending an IPI to the overloaded CPU,
    and that IPI handler would have the CPU with the waiting RT task do a push
    instead. Then that handler would send an IPI to the next CPU with
    overloaded RT tasks, and so on. Note, after the first CPU starts this
    process, if another CPU wanted to do a pull, it would see that the process
    has already begun and would only increment a counter to have the IPIs
    continue again.
    
    The RT_PUSH_IPI solved the latency problem with PREEMPT_RT but could cause
    a new issue with non PREEMPT_RT. Namely, softirqs run in a threaded
    context on PREEMPT_RT but they can run in an interrupt context in non-RT.
    
    If an IPI lands on a CPU that has just woken up multiple RT tasks and the
    current CPU is running a non RT or a low priority RT task, instead of
    doing a push, it would simply do a schedule on that CPU. But if a softirq
    was also executing on this CPU, the schedule would need to wait until the
    softirq finished. Until then, the CPU would still be considered overloaded
    as there are RT tasks still waiting to run on it.
    
    A live lock occurred on a workload that was doing heavy networking traffic
    on a large machine where the softirqs would run 500us out of 750us. And it
    would also be waking up RT tasks, causing the RT pull logic to be
    constantly executed.
    
    When a softirq triggered on a CPU with RT tasks queued but not running
    yet, and the other CPUs would see this CPU as being overloaded, they would
    send an IPI over to it. The CPU would notice that the waiting RT tasks are
    of higher priority than the currently running task and simply schedule
    that CPU instead. But because the softirq was executing, before it could
    schedule, it would receive another IPI to do the same. The amount of IPIs
    would slow down the currently running softirq so much that before it could
    return back to task context, it would execute another softirq never
    allowing the CPU to schedule. This live locked that CPU.
    
    As RT_PUSH_IPI was created to help PREEMPT_RT, make it default off if
    PREEMPT_RT is not enabled.
    
    Fixes: b6366f048e0c ("sched/rt: Use IPI to trigger RT task push migration instead of pulling")
    Closes: https://lore.kernel.org/all/[email protected]/
    Reported-by: Tejun Heo <[email protected]>
    Signed-off-by: Steven Rostedt <[email protected]>
    Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
    Cc: [email protected]
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
selftests/mm: pagemap_ioctl: use the correct page size for transact_test() [+ + +]
Author: Zenghui Yu <[email protected]>
Date:   Sun Jun 28 18:11:18 2026 +0800

    selftests/mm: pagemap_ioctl: use the correct page size for transact_test()
    
    commit dccf636bf1e68c3fda92f0c9e1018ab7e0ac8b2c upstream.
    
    There are several places in transact_test() where we use the hardcoded
    0x1000 (4k) as page size, which is not always correct for architectures
    supporting multiple page sizes.
    
    Switch to use the correct page size.  Otherwise ./ksft_pagemap.sh on a
    16k-page-size arm64 box fails with
    
     $ ./ksft_pagemap.sh
     [...]
     # ok 96 mprotect_tests Both pages written after remap and mprotect
     # ok 97 mprotect_tests Clear and make the pages written
     # Bail out! ioctl failed
     # # Planned tests != run tests (117 != 97)
     # # Totals: pass:97 fail:0 xfail:0 xpass:0 skip:0 error:0
     # [FAIL]
     not ok 1 pagemap_ioctl # exit=1
     # SUMMARY: PASS=0 SKIP=0 FAIL=1
     1..1
    
    Link: https://lore.kernel.org/[email protected]
    Fixes: 46fd75d4a3c9 ("selftests: mm: add pagemap ioctl tests")
    Signed-off-by: Zenghui Yu <[email protected]>
    Cc: Muhammad Usama Anjum <[email protected]>
    Cc: David Hildenbrand <[email protected]>
    Cc: Liam R. Howlett <[email protected]>
    Cc: Lorenzo Stoakes <[email protected]>
    Cc: Michal Hocko <[email protected]>
    Cc: Mike Rapoport <[email protected]>
    Cc: Shuah Khan <[email protected]>
    Cc: Suren Baghdasaryan <[email protected]>
    Cc: Vlastimil Babka <[email protected]>
    Cc: Zenghui Yu <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
selftests: mm: fix and speedup "droppable" test [+ + +]
Author: David Hildenbrand (Arm) <[email protected]>
Date:   Thu Jun 11 12:01:55 2026 +0200

    selftests: mm: fix and speedup "droppable" test
    
    commit cc13a7a618fe8354f16d74c06aaf9565a68e9ebd upstream.
    
    The droppable test currently relies on creating memory pressure in a child
    process to trigger dropping the droppable pages.
    
    That not only takes a long time on some machines (allocating and filling
    all that memory), on large machines this will not work as we hardcode the
    area size to 134217728 bytes.
    
    ...  further, we rely on timeouts to detect that memory was not dropped,
    which is really suboptimal.
    
    Instead, let's just use MADV_PAGEOUT on a 2 MiB region.  MADV_PAGEOUT
    works with droppable memory even without swap.
    
    There is the low chance of MADV_PAGEOUT failing to drop a page because of
    speculative references.  We'll wait 1s and retry 10 times to rule that
    unlikely case out as best as we can.
    
    On a machine without swap:
    
            $ ./droppable
            TAP version 13
            1..1
            ok 1 madvise(MADV_PAGEOUT) behavior
            # Totals: pass:1 fail:0 xfail:0 xpass:0 skip:0 error:0
    
    Link: https://lore.kernel.org/[email protected]
    Fixes: 9651fcedf7b9 ("mm: add MAP_DROPPABLE for designating always lazily freeable mappings")
    Signed-off-by: David Hildenbrand (Arm) <[email protected]>
    Reported-by: Aishwarya TCV <[email protected]>
    Tested-by: Sarthak Sharma <[email protected]>
    Tested-by: Lance Yang <[email protected]>
    Reviewed-by: Dev Jain <[email protected]>
    Reviewed-by: SeongJae Park <[email protected]>
    Tested-by: Lorenzo Stoakes <[email protected]>
    Reviewed-by: Lorenzo Stoakes <[email protected]>
    Reviewed-by: Jason A. Donenfeld <[email protected]>
    Cc: Anthony Yznaga <[email protected]>
    Cc: Liam R. Howlett <[email protected]>
    Cc: Mark Brown <[email protected]>
    Cc: Michal Hocko <[email protected]>
    Cc: Mike Rapoport <[email protected]>
    Cc: Shuah Khan <[email protected]>
    Cc: Suren Baghdasaryan <[email protected]>
    Cc: Vlastimil Babka <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
serial: 8250_mid: Disable DMA for selected platforms [+ + +]
Author: Andy Shevchenko <[email protected]>
Date:   Fri Jun 26 11:49:37 2026 +0200

    serial: 8250_mid: Disable DMA for selected platforms
    
    commit b1b4efea05a56c0995e4702a86d6624b4fdff32f upstream.
    
    In accordance with Errata (specification updates)
    HSUART May Stop Functioning when DMA is Active.
    
    - Denverton document #572409, rev 3.4, DNV60
    - Ice Lake Xeon D document #714070, ICXD65
    - Snowridge document #731931, SNR44
    
    For a quick fix just disable the respective callbacks during the device probe.
    Depending on the future development we might remove them completely.
    
    Reported-by: micas-opensource <[email protected]>
    Closes: https://lore.kernel.org/linux-serial/[email protected]/
    Fixes: 6ede6dcd87aa ("serial: 8250_mid: add support for DMA engine handling from UART MMIO")
    Cc: stable <[email protected]>
    Signed-off-by: Andy Shevchenko <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
smb/client: Fix error code in smb2_aead_req_alloc() [+ + +]
Author: Dan Carpenter <[email protected]>
Date:   Thu Jun 11 10:35:28 2026 +0300

    smb/client: Fix error code in smb2_aead_req_alloc()
    
    commit 61f28012e5650c619223decdb7970e0d3162e949 upstream.
    
    The "*num_sgs" variable is a u32 so "ERR_PTR(*num_sgs)" doesn't work.
    We would have to do something similar to the previous line where it's
    cast to int and then long.  However, it's simpler to store the return in
    an int ret variable.
    
    This bug would eventually result in a crash when dereference the invalid
    error pointer.
    
    Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list")
    Cc: [email protected]
    Signed-off-by: Dan Carpenter <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
smb: client: fix atime clamp check in read completion [+ + +]
Author: Xu Rao <[email protected]>
Date:   Tue Jul 7 21:30:17 2026 +0800

    smb: client: fix atime clamp check in read completion
    
    commit 0b043279e73880bee21d3b1f221bafda5af1b27e upstream.
    
    cifs_rreq_done() updates the inode atime to current_time(inode) after a
    netfs read.  It then preserves the CIFS rule that atime should not be
    older than mtime, because some applications break if atime is less than
    mtime.  That rule only requires clamping when atime < mtime.
    
    The current check uses the raw non-zero result of timespec64_compare().
    It therefore takes the clamp path for both atime < mtime and
    atime > mtime.  The latter is the normal case when reading an older file:
    the newly recorded atime is newer than the file mtime.  The completion
    handler then immediately moves atime back to mtime, losing the access
    time that was just recorded.  Userspace tools that rely on atime, such as
    stat, find -atime, backup tools or cold-data classifiers, can therefore
    see a recently read CIFS file as not recently accessed.
    
    This is easy to miss because the bug is silent: read I/O still succeeds,
    no error is reported, and many systems either do not check atime after
    reads or mount with policies such as relatime/noatime.  It becomes
    visible when a CIFS file has an mtime older than the current time, the
    file is read, and the local inode atime is inspected before a later
    revalidation replaces the cached timestamps.
    
    Clamp only when atime is actually older than mtime.  This matches the
    same atime/mtime rule used when applying CIFS inode attributes.
    
    Fixes: 69c3c023af25 ("cifs: Implement netfslib hooks")
    Cc: [email protected]
    Signed-off-by: Xu Rao <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

smb: client: fix change notify replay double-free [+ + +]
Author: Henrique Carvalho <[email protected]>
Date:   Thu Jun 18 17:34:37 2026 -0300

    smb: client: fix change notify replay double-free
    
    commit 145f820dcbb2cced374f2532f8a61a44dce4a615 upstream.
    
    A response-bearing attempt can return a replayable error and free its
    response buffer. If SMB2_notify_init() fails before the next send, cleanup
    retains the previous buffer type and frees that response again.
    
    Reset response bookkeeping before each attempt to prevent the stale free.
    
    Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
    Cc: [email protected]
    Signed-off-by: Henrique Carvalho <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

smb: client: fix double-free in SMB2_close() replay [+ + +]
Author: Henrique Carvalho <[email protected]>
Date:   Thu Jun 18 17:34:35 2026 -0300

    smb: client: fix double-free in SMB2_close() replay
    
    commit f96e1cdcb63ed3321142ff2fcdf784e32cda8fee upstream.
    
    A response-bearing attempt can return a replayable error and free its
    response buffer. If SMB2_close_init() fails before the next send, cleanup
    retains the previous buffer type and frees that response again.
    
    Reset response bookkeeping before each attempt to prevent the stale free.
    
    Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
    Cc: [email protected]
    Signed-off-by: Henrique Carvalho <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

smb: client: fix double-free in SMB2_flush() replay [+ + +]
Author: Zhao Zhang <[email protected]>
Date:   Thu Jun 18 23:28:05 2026 +0800

    smb: client: fix double-free in SMB2_flush() replay
    
    commit 4be31c943a3a27a5a0251dbb8f5cb89059ec3d5a upstream.
    
    SMB2_flush() keeps its response buffer bookkeeping across replay
    attempts. If a replayable flush response is received and the retry then
    fails before cifs_send_recv() stores a replacement response, flush_exit
    will free the stale response pointer a second time.
    
    Reinitialize resp_buftype and rsp_iov at the top of the replay loop so
    cleanup only acts on response state produced by the current attempt.
    This fixes a double-free without changing replay handling for successful
    requests.
    
    Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
    Cc: [email protected]
    Reported-by: Yuan Tan <[email protected]>
    Reported-by: Zhengchuan Liang <[email protected]>
    Reported-by: Xin Liu <[email protected]>
    Assisted-by: Codex:GPT-5.4
    Acked-by: Henrique Carvalho <[email protected]>
    Signed-off-by: Zhao Zhang <[email protected]>
    Signed-off-by: Ren Wei <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

smb: client: fix double-free in SMB2_ioctl() replay [+ + +]
Author: Henrique Carvalho <[email protected]>
Date:   Thu Jun 18 17:34:34 2026 -0300

    smb: client: fix double-free in SMB2_ioctl() replay
    
    commit f9bbadb6c94583e3b4af1afc449bfceb1d1ddec9 upstream.
    
    A response-bearing attempt can return a replayable error and free its
    response buffer. If SMB2_ioctl_init() fails before the next send, cleanup
    retains the previous buffer type and frees that response again.
    
    Reset response bookkeeping before each attempt to prevent the stale free.
    
    Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
    Cc: [email protected]
    Signed-off-by: Henrique Carvalho <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

smb: client: fix double-free in SMB2_open() replay [+ + +]
Author: Henrique Carvalho <[email protected]>
Date:   Thu Jun 18 17:34:33 2026 -0300

    smb: client: fix double-free in SMB2_open() replay
    
    commit b55e182f2324bc6a604c21a47aa6c448f719a532 upstream.
    
    A response-bearing attempt can return a replayable error and free its
    response buffer. If SMB2_open_init() fails before the next send, cleanup
    retains the previous buffer type and frees that response again.
    
    Reset response bookkeeping before each attempt to prevent the stale free.
    
    Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
    Cc: [email protected]
    Signed-off-by: Henrique Carvalho <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

smb: client: Fix next buffer leak in receive_encrypted_standard() [+ + +]
Author: Haoxiang Li <[email protected]>
Date:   Tue Jun 23 09:45:38 2026 +0800

    smb: client: Fix next buffer leak in receive_encrypted_standard()
    
    commit 1c6267a1d5cf4c73b656f8181b310cbbb3e4767b upstream.
    
    receive_encrypted_standard() allocates next_buffer before checking
    whether the number of compound PDUs already reached MAX_COMPOUND. If
    the limit check fails, the function returns immediately and the newly
    allocated next_buffer is not assigned to server->smallbuf/server->bigbuf,
    making it leaked.
    
    Move the MAX_COMPOUND check before allocating next_buffer.
    
    Fixes: b24df3e30cbf ("cifs: update receive_encrypted_standard to handle compounded responses")
    Cc: [email protected]
    Signed-off-by: Haoxiang Li <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

smb: client: fix query directory replay double-free [+ + +]
Author: Henrique Carvalho <[email protected]>
Date:   Thu Jun 18 17:34:38 2026 -0300

    smb: client: fix query directory replay double-free
    
    commit 9647492b5e41954be59d5157eddbcd4cdc1656f7 upstream.
    
    A response-bearing attempt can return a replayable error and free its
    response buffer. If SMB2_query_directory_init() fails before the next send,
    cleanup retains the previous buffer type and frees that response again.
    
    Reset response bookkeeping before each attempt to prevent the stale free.
    
    Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
    Cc: [email protected]
    Signed-off-by: Henrique Carvalho <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

smb: client: fix query_info() replay double-free [+ + +]
Author: Henrique Carvalho <[email protected]>
Date:   Thu Jun 18 17:34:36 2026 -0300

    smb: client: fix query_info() replay double-free
    
    commit 2a88561d66eb855813cf004a0abe648bbb17de5e upstream.
    
    A response-bearing attempt can return a replayable error and free its
    response buffer. If SMB2_query_info_init() fails before the next send,
    cleanup retains the previous buffer type and frees that response again.
    
    Reset response bookkeeping before each attempt to prevent the stale free.
    
    Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
    Cc: [email protected]
    Signed-off-by: Henrique Carvalho <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

smb: client: harden POSIX SID length parsing [+ + +]
Author: Zihan Xi <[email protected]>
Date:   Sun Jun 28 17:19:24 2026 +0800

    smb: client: harden POSIX SID length parsing
    
    commit 7ad2bcf2441430bb2e918fb3ef9a90d775a6e422 upstream.
    
    posix_info_sid_size() reads sid[1] to obtain the subauthority count,
    but its existing boundary check still accepts buffers with only one
    remaining byte. Require two bytes before reading sid[1] so all client
    paths that reuse the helper reject truncated POSIX SIDs safely.
    
    Fixes: 349e13ad30b4 ("cifs: add smb2 POSIX info level")
    Cc: [email protected]
    Reported-by: Yuan Tan <[email protected]>
    Reported-by: Yifan Wu <[email protected]>
    Reported-by: Juefei Pu <[email protected]>
    Reported-by: Xin Liu <[email protected]>
    Assisted-by: Codex:gpt-5.4
    Signed-off-by: Zihan Xi <[email protected]>
    Signed-off-by: Ren Wei <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

smb: client: mask server-provided mode to 07777 in modefromsid [+ + +]
Author: Norbert Manthey <[email protected]>
Date:   Thu Jul 9 15:54:39 2026 +0000

    smb: client: mask server-provided mode to 07777 in modefromsid
    
    commit e3d9c7160d483fc8f9e225aafad8ecbbc43f3151 upstream.
    
    When modefromsid is active, parse_dacl() applies the server-provided
    sub_auth[2] value from the NFS mode SID to cf_mode without masking to
    07777. Apply the correct masking, same as in the read path.
    
    Fixes: e2f8fbfb8d09c ("cifs: get mode bits from special sid on stat")
    Signed-off-by: Norbert Manthey <[email protected]>
    Assisted-by: Kiro:claude-opus-4.6
    Cc: [email protected]
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

smb: client: reject overlapping data areas in SMB2 responses [+ + +]
Author: Shoichiro Miyamoto <[email protected]>
Date:   Sat Jul 11 22:33:26 2026 +0900

    smb: client: reject overlapping data areas in SMB2 responses
    
    commit 8986c932905ea508d66da421eb2eb6e676ace1fe upstream.
    
    Commit 53b7c271f06b ("smb: client: restrict implied bcc[0] exemption to
    responses without data area") restricted the implied bcc[0] length
    exception to responses without a data area. However, the overlap
    handling in __smb2_calc_size() clears data_length, which can make an
    invalid response appear to have no data area and so qualify for the
    exception.
    
    Track data area overlap separately and reject such responses before
    applying the length compatibility exceptions.
    
    Fixes: 53b7c271f06b ("smb: client: restrict implied bcc[0] exemption to responses without data area")
    Cc: [email protected]
    Signed-off-by: Shoichiro Miyamoto <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

smb: client: restrict implied bcc[0] exemption to responses without data area [+ + +]
Author: Shoichiro Miyamoto <[email protected]>
Date:   Tue Jul 7 20:23:58 2026 +0900

    smb: client: restrict implied bcc[0] exemption to responses without data area
    
    commit 53b7c271f06be4dd5cfc8c6ef552a8355c891a7f upstream.
    
    smb2_check_message() has a long-standing quirk that accepts a response
    whose calculated length is one byte larger than the bytes actually
    received ("server can return one byte more due to implied bcc[0]").
    This was introduced to accommodate servers that omit the trailing bcc[0]
    overlap byte when no data area is present.
    
    However, the exemption is applied unconditionally, regardless of whether
    the command actually carries a data area (has_smb2_data_area[]).  When a
    response with a data area is subject to the +1 exemption, the reported
    data can extend one byte beyond the bytes actually received, yet
    smb2_check_message() still accepts it.  The subsequent decoder then reads
    past the end of the receive buffer.  This is reachable during NEGOTIATE
    and SESSION_SETUP, before the session is established.
    
    The resulting out-of-bounds reads are visible under KASAN when mounting
    against a non-conforming server; both the SPNEGO/negTokenInit and the
    NTLMSSP challenge decoders are affected:
    
      BUG: KASAN: slab-out-of-bounds in asn1_ber_decoder+0x16a7/0x1b00
      Read of size 1 at addr ffff8880084d67c0 by task mount.cifs/81
      CPU: 1 UID: 0 PID: 81 Comm: mount.cifs Not tainted 7.1.0-rc6 #1
      Call Trace:
       <TASK>
       dump_stack_lvl+0x4e/0x70
       print_report+0x157/0x4c9
       kasan_report+0xce/0x100
       asn1_ber_decoder+0x16a7/0x1b00
       decode_negTokenInit+0x19/0x30
       SMB2_negotiate+0x31d9/0x4c90
       cifs_negotiate_protocol+0x1f2/0x3f0
       cifs_get_smb_ses+0x93f/0x17e0
       cifs_mount_get_session+0x7f/0x3a0
       cifs_mount+0xb4/0xcf0
       cifs_smb3_do_mount+0x23a/0x1500
       smb3_get_tree+0x3b0/0x630
       vfs_get_tree+0x82/0x2d0
       fc_mount+0x10/0x1b0
       path_mount+0x50d/0x1de0
       __x64_sys_mount+0x20b/0x270
       do_syscall_64+0xee/0x590
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
       </TASK>
      Allocated by task 85:
       kmem_cache_alloc_noprof+0x106/0x380
       mempool_alloc_noprof+0x116/0x1e0
       cifs_small_buf_get+0x31/0x80
       allocate_buffers+0x10d/0x2b0
       cifs_demultiplex_thread+0x1d5/0x1d50
       kthread+0x2c6/0x390
       ret_from_fork+0x36e/0x5a0
       ret_from_fork_asm+0x1a/0x30
      The buggy address is located 0 bytes to the right of
       allocated 448-byte region [ffff8880084d6600, ffff8880084d67c0)
       which belongs to the cache cifs_small_rq of size 448
    
      BUG: KASAN: slab-out-of-bounds in kmemdup_noprof+0x36/0x50
      Read of size 329 at addr ffff88800726c678 by task mount.cifs/89
      CPU: 0 UID: 0 PID: 89 Comm: mount.cifs Tainted: G    B      7.1.0-rc6 #1
      Call Trace:
       <TASK>
       dump_stack_lvl+0x4e/0x70
       print_report+0x157/0x4c9
       kasan_report+0xce/0x100
       kasan_check_range+0x10f/0x1e0
       __asan_memcpy+0x23/0x60
       kmemdup_noprof+0x36/0x50
       decode_ntlmssp_challenge+0x457/0x680
       SMB2_sess_auth_rawntlmssp_negotiate+0x6f0/0xcb0
       SMB2_sess_setup+0x219/0x4f0
       cifs_setup_session+0x248/0xaf0
       cifs_get_smb_ses+0xf79/0x17e0
       cifs_mount_get_session+0x7f/0x3a0
       cifs_mount+0xb4/0xcf0
       cifs_smb3_do_mount+0x23a/0x1500
       smb3_get_tree+0x3b0/0x630
       vfs_get_tree+0x82/0x2d0
       fc_mount+0x10/0x1b0
       path_mount+0x50d/0x1de0
       __x64_sys_mount+0x20b/0x270
       do_syscall_64+0xee/0x590
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
       </TASK>
      Allocated by task 93:
       kmem_cache_alloc_noprof+0x106/0x380
       mempool_alloc_noprof+0x116/0x1e0
       cifs_small_buf_get+0x31/0x80
       allocate_buffers+0x10d/0x2b0
       cifs_demultiplex_thread+0x1d5/0x1d50
       kthread+0x2c6/0x390
       ret_from_fork+0x36e/0x5a0
       ret_from_fork_asm+0x1a/0x30
      The buggy address is located 120 bytes inside of
       allocated 448-byte region [ffff88800726c600, ffff88800726c7c0)
       which belongs to the cache cifs_small_rq of size 448
    
    Restrict the +1 exemption to responses that have no data area, so that
    it still covers the bcc[0] omission it was meant for.  When a data area
    is present, the +1 discrepancy instead means the reported data length
    overruns the received buffer, so the response must be rejected.
    
    Fixes: 093b2bdad322 ("CIFS: Make demultiplex_thread work with SMB2 code")
    Cc: [email protected]
    Signed-off-by: Shoichiro Miyamoto <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

smb: client: use unaligned reads in parse_posix_ctxt() [+ + +]
Author: Zihan Xi <[email protected]>
Date:   Wed Jul 1 18:23:21 2026 +0800

    smb: client: use unaligned reads in parse_posix_ctxt()
    
    commit b86467cd2691192ad4809a5a6e922fc24b8e9839 upstream.
    
    The server controls create-context DataOffset, so the POSIX context data
    pointer may be misaligned on strict-alignment architectures. Use
    get_unaligned_le32() when reading nlink, reparse_tag, and mode.
    
    Fixes: 69dda3059e7a ("cifs: add SMB2_open() arg to return POSIX data")
    Cc: [email protected]
    Signed-off-by: Zihan Xi <[email protected]>
    Signed-off-by: Ren Wei <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
spi: fsl-lpspi: replace dmaengine_terminate_all() with dmaengine_terminate_sync() [+ + +]
Author: Carlos Song <[email protected]>
Date:   Mon May 25 14:23:56 2026 +0800

    spi: fsl-lpspi: replace dmaengine_terminate_all() with dmaengine_terminate_sync()
    
    commit e703ce47691b967fe9b4057fb1d062273211afa9 upstream.
    
    dmaengine_terminate_all() has been deprecated, so replace it with
    dmaengine_terminate_sync().
    
    Fixes: 09c04466ce7e ("spi: lpspi: add dma mode support")
    Cc: [email protected]
    Signed-off-by: Carlos Song <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

spi: fsl-lpspi: terminate the RX channel on TX prepare failure path [+ + +]
Author: Carlos Song <[email protected]>
Date:   Mon May 25 14:23:57 2026 +0800

    spi: fsl-lpspi: terminate the RX channel on TX prepare failure path
    
    commit 01980b5da56e573d62798d0ff6c86bcaa2b22cbe upstream.
    
    When dmaengine_prep_slave_sg() fails for the TX channel, the error path
    terminates the TX DMA channel but leaves the RX channel running. Since
    the RX channel was already submitted and issued prior to preparing
    the TX descriptor, returning -EINVAL causes the SPI core to unmap the
    DMA buffers while the RX DMA engine continues writing to them, leading
    to potential memory corruption or use-after-free.
    
    Terminate the RX channel before returning on the TX prepare failure path.
    
    Fixes: 09c04466ce7e ("spi: lpspi: add dma mode support")
    Cc: [email protected]
    Signed-off-by: Carlos Song <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
staging: media: atomisp: reduce load_primary_binaries() stack usage [+ + +]
Author: Arnd Bergmann <[email protected]>
Date:   Wed Mar 25 13:59:43 2026 +0100

    staging: media: atomisp: reduce load_primary_binaries() stack usage
    
    commit f4d51e55dd47ef467fbe37d8575e20eee41b092d upstream.
    
    The load_primary_binaries() function is overly complex and has som large
    variables on the stack, which can cause warnings depending on CONFIG_FRAME_WARN
    setting:
    
    drivers/staging/media/atomisp/pci/sh_css.c: In function 'load_primary_binaries':
    drivers/staging/media/atomisp/pci/sh_css.c:5260:1: error: the frame size of 1560 bytes is larger than 1536 bytes [-Werror=frame-larger-than=]
    
    Half of the stack usage is for the prim_descr[] array, but only one
    member of the array is used at any given time.
    
    Reduce the stack usage by turning the array into a single structure.
    
    Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
    Cc: [email protected]
    Signed-off-by: Arnd Bergmann <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Signed-off-by: Sakari Ailus <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie() [+ + +]
Author: Alexandru Hossu <[email protected]>
Date:   Fri May 22 02:45:27 2026 +0200

    staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()
    
    commit 5a752a616e756844388a1a45404db9fc29fec655 upstream.
    
    supplicant_ie is a 256-byte array in struct security_priv. The WPA and
    WPA2 IE copy paths use:
    
        memcpy(padapter->securitypriv.supplicant_ie, &pwpa[0], wpa_ielen + 2);
    
    where wpa_ielen is the raw IE length field (u8, 0-255). When a local user
    supplies a connect request via nl80211 with a crafted WPA IE of length 255,
    wpa_ielen + 2 equals 257, overflowing the 256-byte buffer by one byte into
    the adjacent last_mic_err_time field.
    
    rtw_parse_wpa_ie() does not prevent this: its length consistency check
    compares *(wpa_ie+1) against (u8)(wpa_ie_len-2), which is (u8)(255) == 255
    when wpa_ie_len = 257, so the check passes silently.
    
    Add explicit bounds checks for both the WPA and WPA2 paths before the
    memcpy, rejecting any IE whose total size (wpa_ielen + 2) exceeds the
    supplicant_ie buffer.
    
    Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
    Cc: stable <[email protected]>
    Reviewed-by: Luka Gejak <[email protected]>
    Signed-off-by: Alexandru Hossu <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop [+ + +]
Author: Alexandru Hossu <[email protected]>
Date:   Fri May 22 02:45:29 2026 +0200

    staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop
    
    commit f9654207e92283e0acac5d64fe5f8835383b5a23 upstream.
    
    The IE parsing loop in OnAssocRsp() advances by (pIE->length + 2) each
    iteration but only guards on i < pkt_len. When a malicious AP sends an
    AssocResponse whose last IE has only one byte remaining in the frame
    (the element_id byte lands at pkt_len-1), the loop reads pIE->length
    from pframe[pkt_len], which is one byte past the allocated receive buffer.
    
    Additionally, even when the header bytes are in bounds, pIE->length
    itself can extend the data window beyond pkt_len, silently passing a
    truncated IE to the handler functions.
    
    Add two guards at the top of the loop body:
      1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
      2. Break if the IE's declared data extends past pkt_len.
    
    Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
    Cc: stable <[email protected]>
    Signed-off-by: Alexandru Hossu <[email protected]>
    Reviewed-by: Luka Gejak <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop [+ + +]
Author: Alexandru Hossu <[email protected]>
Date:   Fri May 22 02:45:25 2026 +0200

    staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
    
    commit ed51de4a86e173c3b0ef78e039c2e49e08b11f16 upstream.
    
    The IE parsing loop in update_beacon_info() advances by
    (pIE->length + 2) each iteration but only guards on i < len.
    When a malicious AP sends a Beacon whose last IE has only one byte
    remaining in the frame (the element_id byte lands at len-1), the loop
    reads pIE->length from one byte past the allocated receive buffer.
    
    Additionally, even when the header bytes are in bounds, pIE->length
    itself can extend the data window beyond len, passing a truncated IE
    to the handler functions.
    
    Add two guards at the top of the loop body:
      1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
      2. Break if the IE's declared data extends past len.
    
    Also replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length
    for consistency with the sizeof(*pIE) guards added above.
    
    Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
    Cc: stable <[email protected]>
    Reviewed-by: Luka Gejak <[email protected]>
    Signed-off-by: Alexandru Hossu <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl() [+ + +]
Author: Alexandru Hossu <[email protected]>
Date:   Fri May 22 02:45:26 2026 +0200

    staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl()
    
    commit ef61d628dfad38fead1fd2e08979ae9126d011d5 upstream.
    
    Two IE parsing loops are missing the header bounds checks before they
    dereference pIE->length:
    
     - issue_assocreq() walks pmlmeinfo->network.ies to build the
       association request. If the stored IE data ends with only an
       element_id byte and no length byte, pIE->length is read one byte
       past the end of the buffer.
    
     - join_cmd_hdl() walks pnetwork->ies during station join and has
       the same problem under the same conditions.
    
    Both buffers are filled from AP beacon and probe-response frames, so a
    malicious AP that sends a truncated final IE can trigger the issue.
    
    Apply the two-guard pattern established in update_beacon_info():
      1. Break if fewer than sizeof(*pIE) bytes remain.
      2. Break if the IE's declared data extends past the buffer end.
    
    Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
    Cc: stable <[email protected]>
    Reviewed-by: Luka Gejak <[email protected]>
    Signed-off-by: Alexandru Hossu <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() IE loop [+ + +]
Author: Alexandru Hossu <[email protected]>
Date:   Fri May 22 02:45:30 2026 +0200

    staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() IE loop
    
    commit 3bf39f711ff27c64be8680a8938bcc5001982e81 upstream.
    
    The loop in is_ap_in_tkip() iterates over IEs without verifying that
    enough bytes remain before dereferencing the IE header or its payload:
    
    - pIE->element_id and pIE->length are read without checking that
      i + sizeof(*pIE) <= ie_length, so a truncated IE at the end of the
      buffer causes an OOB read.
    
    - For WLAN_EID_VENDOR_SPECIFIC the code compares pIE->data + 12,
      which requires pIE->length >= 16.  For WLAN_EID_RSN it compares
      pIE->data + 8, requiring pIE->length >= 12.  Neither requirement
      is checked.
    
    Add the missing IE header and payload bounds checks and guard each
    data access with an explicit pIE->length minimum, matching the
    pattern established in update_beacon_info().
    
    Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
    Cc: stable <[email protected]>
    Signed-off-by: Alexandru Hossu <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

staging: rtl8723bs: fix OOB write in HT_caps_handler() [+ + +]
Author: Alexandru Hossu <[email protected]>
Date:   Fri May 22 02:45:28 2026 +0200

    staging: rtl8723bs: fix OOB write in HT_caps_handler()
    
    commit f8001e1a516ba3b495728c65b61f799cbfad6bd0 upstream.
    
    HT_caps_handler() iterates pIE->length bytes and writes into
    HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
    HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
    802.11 AssocResponse frame and is never validated, a malicious AP can
    set it up to 255, causing up to 229 bytes of out-of-bounds writes into
    adjacent fields of struct mlme_ext_info.
    
    Truncate the iteration count to the size of HT_caps.u.HT_cap using
    umin() so that data from a longer-than-expected IE is silently ignored
    rather than written out of bounds, preserving interoperability with APs
    that pad the element. An early return on oversized IEs was considered
    but rejected: it would bypass the pmlmeinfo->HT_caps_enable = 1
    assignment that precedes the loop, silently disabling HT mode for APs
    that append extra bytes to the HT Capabilities IE.
    
    Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
    Cc: stable <[email protected]>
    Signed-off-by: Alexandru Hossu <[email protected]>
    Reviewed-by: Luka Gejak <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

staging: rtl8723bs: fix WEP length underflow and OOB read in OnAuth() [+ + +]
Author: Alexandru Hossu <[email protected]>
Date:   Fri May 22 02:46:05 2026 +0200

    staging: rtl8723bs: fix WEP length underflow and OOB read in OnAuth()
    
    commit a1fc19d61f661d47204f095b593de507884849f7 upstream.
    
    OnAuth() has two bugs in the shared-key authentication path.
    
    When the Privacy bit is set, rtw_wep_decrypt() is called without
    verifying that the frame is long enough to contain a valid WEP IV and
    ICV.  Inside rtw_wep_decrypt(), length is computed as:
    
        length = len - WLAN_HDR_A3_LEN - iv_len
    
    and then passed as (length - 4) to crc32_le().  If len is less than
    WLAN_HDR_A3_LEN + iv_len + icv_len (32 bytes), length - 4 is negative
    and, after the implicit cast to size_t, causes crc32_le() to read far
    beyond the frame buffer.  Add a minimum length check before accessing
    the IV field and calling the decryption path.
    
    When processing a seq=3 response, rtw_get_ie() stores the Challenge
    Text IE length in ie_len, but the subsequent memcmp() always reads 128
    bytes regardless of ie_len.  IEEE 802.11 mandates a challenge text of
    exactly 128 bytes; reject any IE whose length field differs, matching
    the check already applied to OnAuthClient().
    
    Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
    Cc: stable <[email protected]>
    Signed-off-by: Alexandru Hossu <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

staging: vme_user: bound slave read/write to the kern_buf size [+ + +]
Author: Michael Tautschnig <[email protected]>
Date:   Thu Jun 18 13:47:09 2026 +0200

    staging: vme_user: bound slave read/write to the kern_buf size
    
    commit 9f32f38265014fac7f5dc9490fb01a638ce6e121 upstream.
    
    The SLAVE-path helpers buffer_to_user() and buffer_from_user() copy
    'count' bytes into/out of the fixed-size kern_buf (size_buf ==
    PCI_BUF_SIZE == 0x20000, 128 KiB) using *ppos as the offset, without
    bounding *ppos + count against size_buf.
    
    vme_user_write()/vme_user_read() only clamp count to the VME window size
    (image_size = vme_get_size(resource)), which VME_SET_SLAVE sets from the
    user-supplied slave.size -- validated against the VME address space (up
    to VME_A32_MAX = 4 GiB), not against PCI_BUF_SIZE.  When the window
    exceeds 128 KiB, a write()/read() copies past the kern_buf allocation.
    
    Clamp count against size_buf in both helpers, with an early return when
    *ppos is already at/after the buffer end.  *ppos is >= 0 here (the caller
    rejects negative offsets), so size_buf - *ppos cannot wrap.  This mirrors
    the existing clamp in the MASTER-path helpers resource_to_user() /
    resource_from_user(), and matches the read()/write() convention of a
    short transfer at end-of-buffer.
    
    Found by static analysis (CodeQL taint tracking + CBMC bounded model
    checking) and confirmed dynamically under KASAN with the vme_fake bridge:
    
      BUG: KASAN: slab-out-of-bounds in _copy_from_user+0x2d/0x80
      Write of size 262144 at addr ffff888004100000 by task trigger/68
        _copy_from_user+0x2d/0x80
        vme_user_write+0x13e/0x240 [vme_user]
        vfs_write+0x1b8/0x7a0
        ksys_write+0xb8/0x150
    
    Fixes: f00a86d98a1e ("Staging: vme: add VME userspace driver")
    Cc: stable <[email protected]>
    Signed-off-by: Michael Tautschnig <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

staging: vme_user: fix location monitor leak in fake bridge [+ + +]
Author: Hao-Qun Huang <[email protected]>
Date:   Sat Jul 4 14:58:15 2026 +0800

    staging: vme_user: fix location monitor leak in fake bridge
    
    commit e8422d89e8af41d87f0e9db564be8e2634f4c602 upstream.
    
    fake_init() allocates a location monitor resource and links it into
    fake_bridge->lm_resources. The init error path frees this list, but
    fake_exit() only frees the slave and master resource lists. Loading
    and unloading the module therefore triggers a kmemleak warning:
    
      unreferenced object 0xffff8b8b82aebe40 (size 64):
        comm "init", pid 1, jiffies 4294894572
        backtrace (crc c1e013ef):
          kmemleak_alloc+0x4e/0x90
          __kmalloc_cache_noprof+0x338/0x430
          0xffffffffc0602246
          do_one_initcall+0x4f/0x320
          do_init_module+0x68/0x270
          load_module+0x2a3b/0x2d90
    
    Free the lm_resources list in fake_exit() as well, before fake_bridge
    is freed.
    
    Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
    Cc: stable <[email protected]>
    Cc: Martyn Welch <[email protected]>
    Assisted-by: Claude:claude-fable-5
    Signed-off-by: Hao-Qun Huang <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

staging: vme_user: fix location monitor leak in tsi148 bridge [+ + +]
Author: Hao-Qun Huang <[email protected]>
Date:   Sat Jul 4 14:58:16 2026 +0800

    staging: vme_user: fix location monitor leak in tsi148 bridge
    
    commit 151edde741f8bc7f2931c5f44ab376d32b0c8beb upstream.
    
    tsi148_probe() allocates a location monitor resource and links it into
    tsi148_bridge->lm_resources. The probe error path frees this list, but
    tsi148_remove() only frees the dma, slave and master resource lists, so
    the location monitor resource is leaked on device unbind or module
    unload.
    
    Free the lm_resources list in tsi148_remove() as well, before
    tsi148_bridge is freed.
    
    Fixes: d22b8ed9a3b0 ("Staging: vme: add Tundra TSI148 VME-PCI Bridge driver")
    Cc: stable <[email protected]>
    Cc: Martyn Welch <[email protected]>
    Assisted-by: Claude:claude-fable-5
    Signed-off-by: Hao-Qun Huang <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
tipc: fix out-of-bounds read in broadcast Gap ACK blocks [+ + +]
Author: Samuel Page <[email protected]>
Date:   Thu Jun 25 15:38:15 2026 +0100

    tipc: fix out-of-bounds read in broadcast Gap ACK blocks
    
    commit 2b66974a1b6134a4bbc3bfed181f7418f688eb54 upstream.
    
    A broadcast PROTOCOL/STATE_MSG can carry a Gap ACK blocks record in its
    data area. tipc_get_gap_ack_blks() only verifies that the record's len
    field is self-consistent with its ugack_cnt/bgack_cnt counts
    (sz == struct_size(p, gacks, ugack_cnt + bgack_cnt)); it does not check
    that the record actually fits in the message data area, msg_data_sz().
    
    The unicast caller tipc_link_proto_rcv() bounds it ("if (glen > dlen)
    break;"), but the broadcast caller tipc_bcast_sync_rcv() discards the
    returned size, so tipc_link_advance_transmq() copies the record off the
    receive skb with an attacker-controlled count:
    
            this_ga = kmemdup(ga, struct_size(ga, gacks, ga->bgack_cnt),
                              GFP_ATOMIC);
    
    A TIPC neighbour that negotiated TIPC_GAP_ACK_BLOCK triggers it with one
    ordinary broadcast STATE_MSG (msg_bc_ack_invalid() clear), sized so its
    data area is short, carrying a Gap ACK record with len = 0x400,
    bgack_cnt = 0xff and ugack_cnt = 0. len then equals
    struct_size(p, gacks, 255), so the consistency check passes and ga is
    non-NULL; kmemdup() reads struct_size(ga, gacks, 255) = 1024 bytes out
    of the much smaller skb:
    
      BUG: KASAN: slab-out-of-bounds in kmemdup_noprof+0x48/0x60
      Read of size 1024 at addr ffff0000c7030d38 by task poc864/69
      Call trace:
       kmemdup_noprof+0x48/0x60
       tipc_link_advance_transmq+0x86c/0xb80
       tipc_link_bc_ack_rcv+0x19c/0x1e0
       tipc_bcast_sync_rcv+0x1c4/0x2c4
       tipc_rcv+0x85c/0x1340
       tipc_l2_rcv_msg+0xac/0x104
      The buggy address belongs to the object at ffff0000c7030d00
       which belongs to the cache skbuff_small_head of size 704
      The buggy address is located 56 bytes inside of
       allocated 704-byte region [ffff0000c7030d00, ffff0000c7030fc0)
    
    The copied-out bytes are subsequently consumed as gap/ack values, but
    the read is already out of bounds at the kmemdup() regardless of how
    they are used.
    
    The unicast STATE path drops such a message: "if (glen > dlen) break;"
    skips the rest of STATE_MSG handling and the skb is freed. Make the
    broadcast path drop it too. tipc_bcast_sync_rcv() now bounds the record
    against msg_data_sz() and, when it does not fit, reports it back through
    tipc_node_bc_sync_rcv() to tipc_rcv() so the skb is discarded rather than
    processed. ga is not cleared on this path: ga == NULL already means
    "legacy peer without Selective ACK", a distinct legitimate state.
    
    Fixes: d7626b5acff9 ("tipc: introduce Gap ACK blocks for broadcast link")
    Cc: [email protected]
    Signed-off-by: Samuel Page <[email protected]>
    Reviewed-by: Tung Nguyen <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
tools/mm/slabinfo: fix total_objects attribute name [+ + +]
Author: Yichong Chen <[email protected]>
Date:   Fri Jun 12 15:13:59 2026 +0800

    tools/mm/slabinfo: fix total_objects attribute name
    
    commit 892a7864730775c3dbee2a39e9ead4fa8d4256e7 upstream.
    
    SLUB exports the total_objects sysfs attribute, but slabinfo tries to read
    objects_total. As a result, the lookup fails and the field remains zero.
    
    Use the correct attribute name and rename the corresponding structure
    member to match.
    
    Fixes: 205ab99dd103 ("slub: Update statistics handling for variable order slabs")
    Signed-off-by: Yichong Chen <[email protected]>
    Cc: <[email protected]>
    Reviewed-by: SeongJae Park <[email protected]>
    Link: https://patch.msgid.link/96556748872BB47E+20260612071359.649946-1-chenyichong@uniontech.com
    Signed-off-by: Vlastimil Babka (SUSE) <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

tools/mm/slabinfo: Fix trace disable logic inversion [+ + +]
Author: Xuewen Wang <[email protected]>
Date:   Mon May 18 14:21:57 2026 +0800

    tools/mm/slabinfo: Fix trace disable logic inversion
    
    commit 235ab68d67eadbef1fdbfb771f21f5bacc77a2ae upstream.
    
    The disable trace path in slab_debug() had a logic error where it would
    set trace=1 instead of trace=0. This made trace functionality permanently
    enabled once turned on for any slab cache.
    
    Fixes: a87615b8f9e2 ("SLUB: slabinfo upgrade")
    Cc: [email protected]
    Reviewed-by: SeongJae Park <[email protected]>
    Signed-off-by: Xuewen Wang <[email protected]>
    WARNING: From:/Signed-off-by: email address mismatch: 'From: wangxuewen <[email protected]>' != 'Signed-off-by: wangxuewen <[email protected]>'
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Vlastimil Babka (SUSE) <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
tracing: Prevent out-of-bounds read in glob matching [+ + +]
Author: Huihui Huang <[email protected]>
Date:   Wed Jul 1 18:28:46 2026 +0800

    tracing: Prevent out-of-bounds read in glob matching
    
    commit 0a6070839b1ef276d5b05bedfb787743e140fb17 upstream.
    
    String event fields are not necessarily NUL-terminated, so the filter
    predicate functions (filter_pred_string(), filter_pred_strloc() and
    filter_pred_strrelloc()) pass the field length to the regex match
    callbacks, and the length-aware matchers honour it.
    
    regex_match_glob() was the exception: it ignored the length and called
    glob_match(), which scans the string until it hits a NUL byte. Some
    string fields are not NUL-terminated. One example is the dynamic char
    array of the xfs_* namespace tracepoints, which is copied without a
    trailing NUL. For such a field, glob matching reads past the end of
    the event field, causing a KASAN slab-out-of-bounds read in
    glob_match(), reached via regex_match_glob() and filter_match_preds()
    from the xfs_lookup tracepoint.
    
    Add a length-bounded glob_match_len() and use it from regex_match_glob()
    so glob matching always stops at the field boundary. The matching loop
    is factored into a shared helper so glob_match() keeps its behaviour.
    
    Fixes: 60f1d5e3bac4 ("ftrace: Support full glob matching")
    Cc: [email protected]
    Link: https://patch.msgid.link/da1aaf125fc3b63320b0c540fd6afa7c3d5b4f1a.1782836943.git.hhhuang@smu.edu.sg
    Reported-by: Yuan Tan <[email protected]>
    Reported-by: Yifan Wu <[email protected]>
    Reported-by: Juefei Pu <[email protected]>
    Reported-by: Zhengchuan Liang <[email protected]>
    Reported-by: Xin Liu <[email protected]>
    Assisted-by: Codex:GPT-5.4
    Signed-off-by: Huihui Huang <[email protected]>
    Signed-off-by: Ren Wei <[email protected]>
    Acked-by: Masami Hiramatsu (Google) <[email protected]>
    Signed-off-by: Steven Rostedt <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
udf: validate free block extents against the partition length [+ + +]
Author: Michael Bommarito <[email protected]>
Date:   Fri May 15 10:23:27 2026 -0400

    udf: validate free block extents against the partition length
    
    commit 5f0419457f89dce1a3f1c8e62a3adf2f39ab8168 upstream.
    
    udf_free_blocks() checks the logical block number and count against the
    partition length, but drops the extent offset from that final bound.  A
    crafted extent can pass the guard while logicalBlockNum + offset + count
    points past the partition, which later indexes past the space bitmap
    array.
    
    A single ftruncate(2) on a file backed by such an extent reliably
    panics the kernel.  This is a local availability issue.  On desktop
    systems where UDisks/polkit allows the active user to mount removable
    UDF media without CAP_SYS_ADMIN, an unprivileged local user can supply
    the crafted filesystem and trigger the panic by truncating a writable
    file on it.  Systems that require root or CAP_SYS_ADMIN to mount the
    image have a higher prerequisite.
    
    No confidentiality or integrity impact is claimed: the reproduced
    primitive is an out-of-bounds read of a bitmap pointer slot followed by
    a kernel panic.
    
    Use the already computed logicalBlockNum + offset + count value for the
    partition length check.  Also make load_block_bitmap() reject an
    out-of-range block group before indexing s_block_bitmap[], so corrupted
    callers cannot walk past the flexible array.
    
    Fixes: 56e69e59751d ("udf: prevent integer overflow in udf_bitmap_free_blocks()")
    Cc: [email protected]
    Assisted-by: Claude:claude-opus-4-7
    Signed-off-by: Michael Bommarito <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jan Kara <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

udf: validate sparing table length as an entry count, not a byte count [+ + +]
Author: Bryam Vargas <[email protected]>
Date:   Fri Jun 12 01:40:01 2026 -0500

    udf: validate sparing table length as an entry count, not a byte count
    
    commit 3ec997bd5508e9b25210b5bbec89031629cdb093 upstream.
    
    udf_load_sparable_map() accepts a sparing table when
    
            sizeof(*st) + le16_to_cpu(st->reallocationTableLen) > sb->s_blocksize
    
    is false, i.e. it treats reallocationTableLen as a number of BYTES that
    must fit in the block.  But the table is walked as an array of 8-byte
    sparingEntry elements:
    
            for (i = 0; i < le16_to_cpu(st->reallocationTableLen); i++) {
                    struct sparingEntry *entry = &st->mapEntry[i];
                    ... entry->origLocation ...
            }
    
    in udf_get_pblock_spar15() and udf_relocate_blocks().  A
    reallocationTableLen of N therefore passes the check whenever
    sizeof(*st) + N <= blocksize, yet the consumers index
    sizeof(*st) + N * sizeof(struct sparingEntry) bytes -- up to ~8x the
    block.  On a crafted UDF image this is an out-of-bounds read in
    udf_get_pblock_spar15(); udf_relocate_blocks() additionally feeds the
    same length to udf_update_tag(), whose crc_itu_t() reads far past the
    block, and its memmove() through st->mapEntry[] is an out-of-bounds
    write.
    
    Validate reallocationTableLen as the entry count it is, with
    struct_size().
    
    Fixes: 1df2ae31c724 ("udf: Fortify loading of sparing table")
    Cc: [email protected]
    Signed-off-by: Bryam Vargas <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jan Kara <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

udf: validate VAT header length against the VAT inode size [+ + +]
Author: Bryam Vargas <[email protected]>
Date:   Fri Jun 12 02:53:31 2026 -0500

    udf: validate VAT header length against the VAT inode size
    
    commit d8202786b3d75125c84ebc4de6d946f92fde0ee8 upstream.
    
    udf_load_vat() takes the virtual partition's start offset straight from
    the on-disk VAT 2.0 header without checking it against the VAT inode
    size:
    
            map->s_type_specific.s_virtual.s_start_offset =
                    le16_to_cpu(vat20->lengthHeader);
            map->s_type_specific.s_virtual.s_num_entries =
                    (sbi->s_vat_inode->i_size -
                            map->s_type_specific.s_virtual.s_start_offset) >> 2;
    
    lengthHeader is a fully attacker-controlled 16-bit value.  If it exceeds
    the VAT inode size, the s_num_entries subtraction underflows to a huge
    count, which defeats the "block > s_num_entries" bound in
    udf_get_pblock_virt15(); and on the ICB-inline path that function reads
    
            ((__le32 *)(iinfo->i_data + s_start_offset))[block]
    
    so a large s_start_offset indexes past the inode's in-ICB data.  Mounting
    a crafted UDF image with a virtual (VAT) partition then triggers an
    out-of-bounds read.
    
    Reject a VAT whose header length does not leave room for at least one
    entry within the VAT inode.
    
    Fixes: fa5e08156335 ("udf: Handle VAT packed inside inode properly")
    Cc: [email protected]
    Signed-off-by: Bryam Vargas <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jan Kara <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
udmabuf: fix DMA direction mismatch in release_udmabuf() [+ + +]
Author: Mikhail Gavrilov <[email protected]>
Date:   Sun Mar 15 04:27:22 2026 +0500

    udmabuf: fix DMA direction mismatch in release_udmabuf()
    
    commit fb7b1a0ab25a6077d26cb3829e31743972d4f31d upstream.
    
    begin_cpu_udmabuf() maps the sg_table with the caller-provided direction
    (e.g., DMA_TO_DEVICE for a write-only sync), and caches it in ubuf->sg
    for reuse.  However, release_udmabuf() always unmaps this sg_table with
    a hardcoded DMA_BIDIRECTIONAL, regardless of the direction that was
    originally used for the mapping.
    
    With CONFIG_DMA_API_DEBUG=y this produces:
    
      DMA-API: misc udmabuf: device driver frees DMA memory with different
      direction [device address=0x000000044a123000] [size=4096 bytes]
      [mapped with DMA_TO_DEVICE] [unmapped with DMA_BIDIRECTIONAL]
    
    The issue was found during video playback when GStreamer performed a
    write-only DMA_BUF_IOCTL_SYNC on a udmabuf.  It can be reproduced
    with CONFIG_DMA_API_DEBUG=y by creating a udmabuf from a memfd,
    performing a write-only sync (DMA_BUF_SYNC_WRITE without
    DMA_BUF_SYNC_READ), and closing the file descriptor.
    
    Fix this by storing the DMA direction used when the sg_table is first
    created in begin_cpu_udmabuf(), and passing that same direction to
    put_sg_table() in release_udmabuf().
    
    Fixes: 284562e1f348 ("udmabuf: implement begin_cpu_access/end_cpu_access hooks")
    Cc: [email protected]
    Signed-off-by: Mikhail Gavrilov <[email protected]>
    Reviewed-by: Vivek Kasireddy <[email protected]>
    Signed-off-by: Vivek Kasireddy <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
usb: cdc_acm: Add quirk for Uniden BC125AT scanner [+ + +]
Author: Jared Baldridge <[email protected]>
Date:   Sat May 30 18:19:48 2026 -0400

    usb: cdc_acm: Add quirk for Uniden BC125AT scanner
    
    commit 6eba58568f6cc3ff8515a00b05e258d8cfb72b72 upstream.
    
    Uniden BC125AT radio scanner has a USB interface which fails to work
    with the cdc_acm driver:
     usb 1-1: new full-speed USB device number 2 using uhci_hcd
     cdc_acm 1-1:1.0: Zero length descriptor references
     cdc_acm 1-1:1.0: probe with driver cdc_acm failed with error -22
     usbcore: registered new interface driver cdc_acm
    
    Adding the NO_UNION_NORMAL quirk for the device fixes the issue:
    
     usb 1-1: new full-speed USB device number 2 using uhci_hcd
     cdc_acm 1-1:1.0: ttyACM0: USB ACM device
     usbcore: registered new interface driver cdc_acm
    
    `lsusb -v` of the device:
    
     Bus 001 Device 002: ID 1965:0017 Uniden Corporation BC125AT
     Negotiated speed: Full Speed (12Mbps)
     Device Descriptor:
       bLength                18
       bDescriptorType         1
       bcdUSB               2.00
       bDeviceClass            2 Communications
       bDeviceSubClass         0 [unknown]
       bDeviceProtocol         0
       bMaxPacketSize0        64
       idVendor           0x1965 Uniden Corporation
       idProduct          0x0017 BC125AT
       bcdDevice            0.01
       iManufacturer           1 Uniden America Corp.
       iProduct                2 BC125AT
       iSerial                 3 0001
       bNumConfigurations      1
       Configuration Descriptor:
         bLength                 9
         bDescriptorType         2
         wTotalLength       0x0030
         bNumInterfaces          2
         bConfigurationValue     1
         iConfiguration          0
         bmAttributes         0x80
           (Bus Powered)
         MaxPower              500mA
         Interface Descriptor:
           bLength                 9
           bDescriptorType         4
           bInterfaceNumber        0
           bAlternateSetting       0
           bNumEndpoints           1
           bInterfaceClass         2 Communications
           bInterfaceSubClass      2 Abstract (modem)
           bInterfaceProtocol      0
           iInterface              0
           Endpoint Descriptor:
             bLength                 7
             bDescriptorType         5
             bEndpointAddress     0x87  EP 7 IN
             bmAttributes            3
               Transfer Type            Interrupt
               Synch Type               None
               Usage Type               Data
             wMaxPacketSize     0x0008  1x 8 bytes
             bInterval              10
         Interface Descriptor:
           bLength                 9
           bDescriptorType         4
           bInterfaceNumber        1
           bAlternateSetting       0
           bNumEndpoints           2
           bInterfaceClass        10 CDC Data
           bInterfaceSubClass      0 [unknown]
           bInterfaceProtocol      0
           iInterface              0
           Endpoint Descriptor:
             bLength                 7
             bDescriptorType         5
             bEndpointAddress     0x81  EP 1 IN
             bmAttributes            2
               Transfer Type            Bulk
               Synch Type               None
               Usage Type               Data
             wMaxPacketSize     0x0040  1x 64 bytes
             bInterval               0
           Endpoint Descriptor:
             bLength                 7
             bDescriptorType         5
             bEndpointAddress     0x02  EP 2 OUT
             bmAttributes            2
               Transfer Type            Bulk
               Synch Type               None
               Usage Type               Data
             wMaxPacketSize     0x0040  1x 64 bytes
             bInterval               0
     Device Status:     0x0000
       (Bus Powered)
    
    Signed-off-by: Jared Baldridge <[email protected]>
    Cc: stable <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: cdnsp: fix stream context array leak in cdnsp_alloc_stream_info() [+ + +]
Author: Haoxiang Li <[email protected]>
Date:   Mon Jun 22 13:26:27 2026 +0800

    usb: cdnsp: fix stream context array leak in cdnsp_alloc_stream_info()
    
    commit 3348f444a4ce43dd5c2d1aa41634cb6eff33aa64 upstream.
    
    cdnsp_alloc_stream_info() allocates stream_info->stream_ctx_array with
    cdnsp_alloc_stream_ctx(). If a later stream ring allocation or stream
    mapping update fails, the error path frees the allocated stream rings
    and stream_rings array, but leaves stream_ctx_array allocated.
    
    Free the stream context array before falling through to the stream_rings
    cleanup path.
    
    Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
    Cc: stable <[email protected]>
    Signed-off-by: Haoxiang Li <[email protected]>
    Acked-by: Peter Chen <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
USB: chaoskey: Fix slab-use-after-free in chaoskey_release() [+ + +]
Author: Alan Stern <[email protected]>
Date:   Tue Jun 9 13:37:36 2026 -0400

    USB: chaoskey: Fix slab-use-after-free in chaoskey_release()
    
    commit abf76d3239dee97b66e7241ad04811f1ce562e28 upstream.
    
    The chaoskey driver has a use-after-free bug in its release routine.
    If the user closes the device file after the USB device has been
    unplugged, a debugging log statement will try to access the
    usb_interface structure after it has been deallocated:
    
            BUG: KASAN: slab-use-after-free in dev_driver_string (drivers/base/core.c:2406)
            Read of size 8 at addr ffff888168e8a0b8 by task chaoskey_raw_re/10106
    
            Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
            Call Trace:
             <TASK>
             dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
             print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
             kasan_report (mm/kasan/report.c:595)
             dev_driver_string (drivers/base/core.c:2406)
             __dynamic_dev_dbg (lib/dynamic_debug.c:906)
             chaoskey_release (drivers/usb/misc/chaoskey.c:323)
             __fput (fs/file_table.c:510)
             fput_close_sync (fs/file_table.c:615)
             __x64_sys_close (fs/open.c:1507 fs/open.c:1492 fs/open.c:1492)
             do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
             entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
    
    The driver's last reference to the interface structure is dropped in
    the chaoskey_free() routine, so the code must not use the interface --
    even in a debugging statement -- after that routine returns.
    (Exception: If we know that another reference is held by someone else,
    such as the device core while the disconnect routine runs, there's no
    problem.  Thanks to Johan Hovold for pointing this out.)
    
    Since the bad access is part of an unimportant debugging statement,
    we can fix the problem simply by removing the whole statement.
    
    Reported-by: Shuangpeng Bai <[email protected]>
    Closes: https://lore.kernel.org/linux-usb/[email protected]/
    Tested-by: Shuangpeng Bai <[email protected]>
    Signed-off-by: Alan Stern <[email protected]>
    Fixes: 66e3e591891d ("usb: Add driver for Altus Metrum ChaosKey device (v2)")
    Cc: stable <[email protected]>
    Reviewed-by: Johan Hovold <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

USB: core: add USB_QUIRK_NO_LPM for VIA Labs USB 2.0 hub [+ + +]
Author: Rodrigo Lugathe da Conceição Alves <[email protected]>
Date:   Wed Jun 3 08:36:26 2026 -0300

    USB: core: add USB_QUIRK_NO_LPM for VIA Labs USB 2.0 hub
    
    commit bd728c3d9b1cc0bb0fda6a7055c5c8b55d7477b2 upstream.
    
    The VIA Labs, Inc. USB 2.0 hub controller (2109:2817),
    found in a KVM switch, fails to enumerate high-power devices during
    cold boot and system restart.
    
    Applying the kernel parameter
      usbcore.quirks=2109:2817:k
    resolves the issue.
    
    Enumeration failure log:
      usb 1-1.2.3: device descriptor read/64, error -32
      usb 1-1.2.3: Device not responding to setup address.
      usb 1-1.2.3: device not accepting address 11, error -71
      usb 1-1.2-port3: unable to enumerate USB device
    
    Add USB_QUIRK_NO_LPM for this device.
    
    Signed-off-by: Rodrigo Lugathe da Conceição Alves <[email protected]>
    Cc: stable <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
usb: dwc3: meson-g12a: fix refcount leak in dwc3_meson_g12a_resume() [+ + +]
Author: WenTao Liang <[email protected]>
Date:   Thu Jun 11 21:11:21 2026 +0800

    usb: dwc3: meson-g12a: fix refcount leak in dwc3_meson_g12a_resume()
    
    commit 692c354bef03b77b30e57e61934da502c8a12d45 upstream.
    
    If dwc3_meson_g12a_resume() succeeds in calling
    reset_control_reset(), an internal triggered_count reference is
    acquired. If any later step fails (usb_init, phy_init,
    phy_power_on, regulator_enable, or usb_post_init), the function
    returns the error without rearming the reset control. This leaks
    the reference and leaves the reset control in a triggered state,
    causing future reset_control_reset() calls to incorrectly return
    early as if already reset.
    
    Add an error path that calls reset_control_rearm() to balance
    the reference before returning the error.
    
    Cc: stable <[email protected]>
    Fixes: 5b0ba0caaf3a ("usb: dwc3: meson-g12a: refactor usb init")
    Signed-off-by: WenTao Liang <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: dwc3: run gadget disconnect from sleepable suspend context [+ + +]
Author: Runyu Xiao <[email protected]>
Date:   Fri Jun 12 13:20:05 2026 +0800

    usb: dwc3: run gadget disconnect from sleepable suspend context
    
    commit 010382937fb69892b3469ac4d30af072262f59e8 upstream.
    
    dwc3_gadget_suspend() takes dwc->lock with IRQs disabled and then calls
    dwc3_disconnect_gadget().  For async callbacks that helper only uses
    plain spin_unlock()/spin_lock(), so the gadget ->disconnect() callback
    still runs with IRQs disabled and any sleepable callback trips Lockdep.
    
    This issue was found by our static analysis tool and then manually
    reviewed against the current tree.
    
    The grounded PoC kept the dwc3_gadget_suspend() ->
    dwc3_disconnect_gadget() -> gadget_driver->disconnect() chain, and
    Lockdep reported:
    
      BUG: sleeping function called from invalid context
      gadget_disconnect+0x21/0x39 [vuln_msv]
      dwc3_gadget_suspend.constprop.0+0x2b/0x42 [vuln_msv]
    
    Keep the disconnect callback selection in one common helper, but add a
    sleepable suspend-side wrapper which snapshots the callback under
    dwc->lock and then runs it after spin_unlock_irqrestore().  The regular
    event path still uses the existing spin_unlock()/spin_lock() window.
    
    Fixes: c8540870af4c ("usb: dwc3: gadget: Improve dwc3_gadget_suspend() and dwc3_gadget_resume()")
    Cc: stable <[email protected]>
    Signed-off-by: Runyu Xiao <[email protected]>
    Acked-by: Thinh Nguyen <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: free iso schedules on failed submit [+ + +]
Author: Dawei Feng <[email protected]>
Date:   Tue Jun 30 15:14:19 2026 +0800

    usb: free iso schedules on failed submit
    
    commit b9399d25fbb34a05bbe76eeedd730f62ff2670e9 upstream.
    
    EHCI and FOTG210 isochronous submits build an ehci_iso_sched before
    linking the URB to the endpoint queue, and keep the staged schedule in
    urb->hcpriv until iso_stream_schedule() and the link helpers consume it.
    If the controller is no longer accessible, or usb_hcd_link_urb_to_ep()
    fails, submit jumps to done_not_linked before that handoff happens and
    leaks the staged schedule still attached to urb->hcpriv.
    
    Free the staged schedule from done_not_linked when submit fails before
    the URB is linked and clear urb->hcpriv after the free.
    
    The bug was first flagged by an experimental analysis tool we are
    developing for kernel memory-management bugs while analyzing
    v6.13-rc1. The tool is still under development and is not yet publicly
    available. Manual inspection confirms that the bug is still
    present in v7.1.1.
    
    An x86_64 allyesconfig build showed no new warnings. As we do not have an
    EHCI host controller with a USB isochronous device to test with, no
    runtime testing was able to be performed.
    
    Fixes: 8de98402652c ("[PATCH] USB: Fix USB suspend/resume crasher (#2)")
    Fixes: e9df41c5c589 ("USB: make HCDs responsible for managing endpoint queues")
    Fixes: 7d50195f6c50 ("usb: host: Faraday fotg210-hcd driver")
    Cc: stable <[email protected]>
    Signed-off-by: Dawei Feng <[email protected]>
    Reviewed-by: Alan Stern <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: gadget: composite: fix dead empty check in the USB_DT_OTG handler [+ + +]
Author: Maoyi Xie <[email protected]>
Date:   Wed May 27 23:08:32 2026 +0800

    usb: gadget: composite: fix dead empty check in the USB_DT_OTG handler
    
    commit f8f680609c2b3ab795ffcd6f21585b6dfc46d395 upstream.
    
    The OTG branch of composite_setup() falls back to the first
    configuration when none is selected:
    
            if (cdev->config)
                    config = cdev->config;
            else
                    config = list_first_entry(&cdev->configs,
                                              struct usb_configuration, list);
            if (!config)
                    goto done;
            ...
            memcpy(req->buf, config->descriptors[0], value);
    
    list_first_entry() never returns NULL. On an empty list it returns
    container_of() of the list head. So the "if (!config)" check is dead.
    
    When cdev->configs is empty, config points at the head inside struct
    usb_composite_dev. config->descriptors[0] reads whatever sits at that
    offset. The memcpy copies up to w_length bytes of it into the response
    buffer.
    
    cdev->configs can be empty in two cases. One is a teardown race on
    gadget unbind with a control transfer in flight. The other is a driver
    that sets is_otg before it adds a config. A reproducer that holds
    cdev->configs empty triggers a KASAN fault in this branch.
    
    Use list_first_entry_or_null() so the existing check does its job.
    
    Fixes: 53e6242db8d6 ("usb: gadget: composite: add USB_DT_OTG request handling")
    Cc: stable <[email protected]>
    Signed-off-by: Maoyi Xie <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: gadget: f_fs: Fix DMA fence leak [+ + +]
Author: Paul Cercueil <[email protected]>
Date:   Tue Jun 9 17:29:05 2026 +0200

    usb: gadget: f_fs: Fix DMA fence leak
    
    commit baa6b6068a3f2bf2ed525a1cb37975905dadc658 upstream.
    
    In ffs_dmabuf_transfer(), a ffs_dma_fence object is kmalloc'd, with the
    underlying dma_fence later initialized by dma_fence_init(), which sets
    its kref counter to 1. Then, dma_resv_add_fence() gets a second
    reference, and a pointer to the ffs_dma_fence is passed as the
    usb_request's "context" field.
    
    The dma-resv mechanism will manage the second reference, but the first
    reference is never properly released; the ffs_dmabuf_cleanup() function
    decreases the reference count, but only to balance with the reference
    grab in ffs_dmabuf_signal_done().
    
    The code will then slowly leak memory as more ffs_dma_fence objects are
    created without being ever freed.
    
    Address this issue by transferring ownership of the fence to the DMA
    reservation object, by calling dma_fence_put() right after
    dma_resv_add_fence(). The ffs_dma_fence then gets properly discarded
    after being signalled.
    
    Fixes: 7b07a2a7ca02 ("usb: gadget: functionfs: Add DMABUF import interface")
    Cc: stable <[email protected]>
    Signed-off-by: Paul Cercueil <[email protected]>
    Tested-by: Nuno Sá <[email protected]>
    Reviewed-by: Nuno Sá <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: gadget: f_fs: Initialize epfile->in early to fix endpoint direction checks [+ + +]
Author: Neill Kapron <[email protected]>
Date:   Fri Jun 19 04:06:03 2026 +0000

    usb: gadget: f_fs: Initialize epfile->in early to fix endpoint direction checks
    
    commit 82cfd4739011bdc7e87b5d585703427e89ddfaa5 upstream.
    
    When parsing endpoint descriptors, ffs_data_got_descs() generates the
    eps_addrmap which contains the endpoint direction. However, epfile->in
    was previously only populated in ffs_func_eps_enable() which executes
    upon USB host connection. As a result, early userspace ioctls like
    FUNCTIONFS_DMABUF_ATTACH that run before the host connects would see
    epfile->in as 0, leading to incorrect DMA directions.
    
    By moving the initialization to ffs_epfiles_create(), epfile->in is
    accurate before userspace opens the endpoint files.
    
    Fixes: 7b07a2a7ca02 ("usb: gadget: functionfs: Add DMABUF import interface")
    Cc: stable <[email protected]>
    Assisted-by: Antigravity:gemini-3.1-pro
    Signed-off-by: Neill Kapron <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: gadget: f_printer: take kref only for successful open [+ + +]
Author: Xu Rao <[email protected]>
Date:   Fri Jun 26 14:46:17 2026 +0800

    usb: gadget: f_printer: take kref only for successful open
    
    commit 30adce93d5c4a5a1ec29d9249e3fdfcc391d406b upstream.
    
    printer_open() returns -EBUSY when the character device is already
    open, but it increments dev->kref regardless of the return value. VFS
    does not call ->release() for a failed open, so every rejected second
    open permanently leaks one reference.
    
    Move kref_get() into the successful-open branch.
    
    Fixes: e8d5f92b8d30 ("usb: gadget: function: printer: fix use-after-free in __lock_acquire")
    Cc: stable <[email protected]>
    Signed-off-by: Xu Rao <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: gadget: function: rndis: add length check for header [+ + +]
Author: Griffin Kroah-Hartman <[email protected]>
Date:   Wed Jul 8 13:08:59 2026 +0200

    usb: gadget: function: rndis: add length check for header
    
    commit 21b5bf155435008e0fb0736795289788e63d426f upstream.
    
    Add a length check for the rndis header in rndis_rm_hdr, to ensure that
    MessageType, MessageLength, DataOffset, and DataLength fields are
    present before they are accessed.
    
    Assisted-by: gkh_clanker_2000
    Cc: stable <[email protected]>
    Signed-off-by: Griffin Kroah-Hartman <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: gadget: function: rndis: add length check to response query [+ + +]
Author: Griffin Kroah-Hartman <[email protected]>
Date:   Wed Jul 8 13:08:58 2026 +0200

    usb: gadget: function: rndis: add length check to response query
    
    commit 95f90eea070837f7c72207d5520f805bdefc3bc5 upstream.
    
    Add variable representations for BufLength and BufOffset in
    rndis_query_response(), and perform a length check on them.
    
    This is identical to how rndis_set_response() handles these parameters.
    
    Assisted-by: gkh_clanker_2000
    Cc: stable <[email protected]>
    Signed-off-by: Griffin Kroah-Hartman <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: gadget: udc: Fix use-after-free in gadget_match_driver [+ + +]
Author: Jimmy Hu <[email protected]>
Date:   Thu Jun 25 15:37:04 2026 +0800

    usb: gadget: udc: Fix use-after-free in gadget_match_driver
    
    commit 67e511d2989eb1c8c588b599ce2fcc6bb8e6f7ea upstream.
    
    The udc structure acts as the management structure for the gadget,
    but their lifecycles are decoupled. A race condition exists where
    usb_del_gadget() frees the udc memory (e.g., via mode-switch work)
    while gadget_match_driver() concurrently accesses the freed udc memory
    (e.g., via configfs), causing a Use-After-Free (UAF) that triggers a
    NULL pointer dereference when the freed memory is zeroed:
    
    [39430.908615][ T1171] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
    [39430.911397][ T1171] pc : __pi_strcmp+0x20/0x140
    [39430.911441][ T1171] lr : gadget_match_driver+0x34/0x60
    ...
    [39430.911890][ T1171]  usb_gadget_register_driver_owner+0x50/0xf8
    [39430.911910][ T1171]  gadget_dev_desc_UDC_store+0xf4/0x140
    [39430.931308][ T1171]  configfs_write_iter+0xec/0x134
    
    [39430.957058][ T1171] Workqueue: events_freezable __dwc3_set_mode
    [39430.957287][ T1171]  dwc3_gadget_exit+0x34/0x8c
    [39430.957304][ T1171]  __dwc3_set_mode+0xc0/0x664
    
    Fix this by ensuring the udc structure remains allocated until the
    gadget is released. To achieve this, introduce a new
    usb_gadget_release() routine to the core. When the gadget is added,
    usb_add_gadget() stores the gadget's release routine in the udc
    structure and takes a reference to the udc. When the gadget is
    released, usb_gadget_release() drops the reference to the udc and
    then calls the gadget's release routine.
    
    Suggested-by: Alan Stern <[email protected]>
    Cc: stable <[email protected]>
    Signed-off-by: Jimmy Hu <[email protected]>
    Reviewed-by: Alan Stern <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
USB: idmouse: fix use-after-free on disconnect race [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Mon Jun 22 17:26:10 2026 +0200

    USB: idmouse: fix use-after-free on disconnect race
    
    commit ff002c153f9722caece3983cc23dc4d9d4652cb4 upstream.
    
    mutex_unlock() may access the mutex structure after releasing the lock
    and therefore cannot be used to manage lifetime of objects directly
    (unlike spinlocks and refcounts). [1][2]
    
    Use a kref to release the driver data to avoid use-after-free in
    mutex_unlock() when release() races with disconnect().
    
    [1] a51749ab34d9 ("locking/mutex: Document that mutex_unlock() is
                       non-atomic")
    [2] 2b9d9e0a9ba0 ("locking/mutex: Clarify that mutex_unlock(), and most
                       other sleeping locks, can still use the lock object
                       after it's unlocked")
    
    Fixes: 54d2bc068fd2 ("USB: fix locking in idmouse")
    Cc: [email protected]      # 2.6.24
    Cc: Oliver Neukum <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

USB: iowarrior: fix use-after-free on disconnect [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Sat May 23 19:05:23 2026 +0200

    USB: iowarrior: fix use-after-free on disconnect
    
    commit bc0e4f16c44e50daa0b1ea729934baa3b4815dee upstream.
    
    Submitted write URBs are not stopped on close() and therefore need to be
    stopped unconditionally on disconnect() to avoid use-after-free in the
    completion handler.
    
    Fixes: b5f8d46867ca ("USB: iowarrior: fix use-after-free after driver unbind")
    Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
    Reported-by: [email protected]
    Link: https://lore.kernel.org/all/[email protected]/
    Cc: stable <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

USB: ldusb: fix use-after-free on disconnect race [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Mon Jun 22 17:26:11 2026 +0200

    USB: ldusb: fix use-after-free on disconnect race
    
    commit 19bdfc7b3c179331eafa423d87e1336f43bbfeb8 upstream.
    
    mutex_unlock() may access the mutex structure after releasing the lock
    and therefore cannot be used to manage lifetime of objects directly
    (unlike spinlocks and refcounts). [1][2]
    
    Use a kref to release the driver data to avoid use-after-free in
    mutex_unlock() when release() races with disconnect().
    
    [1] a51749ab34d9 ("locking/mutex: Document that mutex_unlock() is
                       non-atomic")
    [2] 2b9d9e0a9ba0 ("locking/mutex: Clarify that mutex_unlock(), and most
                       other sleeping locks, can still use the lock object
                       after it's unlocked")
    
    Fixes: ce0d7d3f575f ("usb: ldusb: ld_usb semaphore to mutex")
    Cc: stable <[email protected]>
    Cc: Daniel Walker <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

USB: legousbtower: fix use-after-free on disconnect race [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Mon Jun 22 17:26:12 2026 +0200

    USB: legousbtower: fix use-after-free on disconnect race
    
    commit 62fc8eb1b1481051f7bab4aa93d79809053dd09f upstream.
    
    mutex_unlock() may access the mutex structure after releasing the lock
    and therefore cannot be used to manage lifetime of objects directly
    (unlike spinlocks and refcounts). [1][2]
    
    Use a kref to release the driver data to avoid use-after-free in
    mutex_unlock() when release() races with disconnect().
    
    [1] a51749ab34d9 ("locking/mutex: Document that mutex_unlock() is
                       non-atomic")
    [2] 2b9d9e0a9ba0 ("locking/mutex: Clarify that mutex_unlock(), and most
                       other sleeping locks, can still use the lock object
                       after it's unlocked")
    
    Fixes: 18bcbcfe9ca2 ("USB: misc: legousbtower: semaphore to mutex")
    Cc: stable <[email protected]>
    Cc: Daniel Walker <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

USB: misc: uss720: unregister parport on probe failure [+ + +]
Author: Myeonghun Pak <[email protected]>
Date:   Tue Jul 7 00:10:49 2026 +0900

    USB: misc: uss720: unregister parport on probe failure
    
    commit b4ecbdc4f8830f5586c4a5cfc384c00f20f8f8b3 upstream.
    
    uss720_probe() registers a parport before reading the 1284 register used
    to detect unsupported Belkin F5U002 adapters. If get_1284_register()
    fails, the error path drops the driver private data and the USB device
    reference, but leaves the parport device registered.
    
    Leaving the port registered is more than a private allocation leak:
    parport_register_port() has already reserved a parport number and
    registered the parport bus device, while pp->private_data still points at
    the private data that the common error path is about to release.
    
    Undo the pre-announce registration in the get_1284_register() failure
    branch before jumping to the common private-data cleanup path. Clear
    priv->pp first, matching the disconnect path and avoiding a stale pointer
    in the private data.
    
    This issue was identified during our ongoing static-analysis research while
    reviewing kernel code.
    
    Fixes: 3295f1b866bf ("usb: misc: uss720: check for incompatible versions of the Belkin F5U002")
    Cc: stable <[email protected]>
    Co-developed-by: Ijae Kim <[email protected]>
    Signed-off-by: Ijae Kim <[email protected]>
    Signed-off-by: Myeonghun Pak <[email protected]>
    Reviewed-by: Alex Henrie <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
usb: mtu3: unmap request DMA on queue failure [+ + +]
Author: Haoxiang Li <[email protected]>
Date:   Tue Jun 23 17:33:25 2026 +0800

    usb: mtu3: unmap request DMA on queue failure
    
    commit 0bddda5a11665c210339de76d27ebbd1a2e0b43c upstream.
    
    mtu3_gadget_queue() maps the request before checking whether
    the QMU GPD ring can accept another transfer. the request is
    returned with -EAGAIN before it is linked on the endpoint
    request list if mtu3_prepare_transfer() fails.
    
    Normal completion and dequeue paths unmap requests from
    mtu3_req_complete(), but this error path never reaches that
    helper, so the DMA mapping is left active. Unmap the request
    before returning from the failed queue path.
    
    Fixes: df2069acb005 ("usb: Add MediaTek USB3 DRD driver")
    Cc: stable <[email protected]>
    Signed-off-by: Haoxiang Li <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
USB: quirks: add NO_LPM for the Samsung T5 EVO Portable SSD [+ + +]
Author: Erich E. Hoover <[email protected]>
Date:   Tue Jun 2 14:45:08 2026 -0600

    USB: quirks: add NO_LPM for the Samsung T5 EVO Portable SSD
    
    commit fc591787785b9709a0bb65a7df3ba2537d611c47 upstream.
    
    The Samsung T5 EVO Portable SSD (04e8:6200) exhibit two forms of
    link instability when USB Link Power Management is enabled:
    
      1. The units fail to initialize properly on first detection,
      resulting in a lockup in the drive where it must be power cycled
      or the kernel will not recognize the presence of the device.
    
      2. If used for sustained operations (small amounts of continuous
      data are transferred to the unit) then the unit will "hiccup"
      after roughly 8 hours of use and will disconnect and reconnect.
      This has a certain probability of triggering the first issue,
      but also causes mount points to become invalid since the device
      gets issued a new letter.
    
    Signed-off-by: Erich E. Hoover <[email protected]>
    Cc: stable <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

USB: serial: digi_acceleport: fix broken rx after throttle [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Tue Jun 23 17:08:15 2026 +0200

    USB: serial: digi_acceleport: fix broken rx after throttle
    
    commit 83a3dfc018943b05b6daf3a6f891833e1aabfa1f upstream.
    
    If the port is closed while throttled, the read urb is never resubmitted
    and the port will not receive any further data until the device is
    reconnected (or the driver is rebound).
    
    Clear the throttle flags and submit the urb if needed when opening the
    port.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: [email protected]
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

USB: serial: digi_acceleport: fix hard lockup on disconnect [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Tue Jun 23 17:11:10 2026 +0200

    USB: serial: digi_acceleport: fix hard lockup on disconnect
    
    commit 5c1ea24b53bf3bfb859f0a05573997487975da23 upstream.
    
    If submitting the OOB write urb fails persistently (e.g if the device is
    being disconnected) the driver would loop indefinitely with interrupts
    disabled.
    
    Check for urb submission errors when sending OOB commands to avoid
    hanging if, for example, open(), set_termios() or close() races with a
    physical disconnect.
    
    This is issue was flagged by Sashiko when reviewing an unrelated change
    to the driver.
    
    Link: https://sashiko.dev/#/patchset/20260610132232.356139-1-johan%40kernel.org?part=1
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: [email protected]
    Reviewed-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

USB: serial: digi_acceleport: fix write buffer corruption [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Tue Jun 23 17:12:29 2026 +0200

    USB: serial: digi_acceleport: fix write buffer corruption
    
    commit 24ca1fea8f2753bf33e1d458ec1ae5d9b7796a65 upstream.
    
    The digi_write_inb_command() is supposed to wait for the write urb to
    become available or return an error, but instead it updates the transfer
    buffer and tries to resubmit the urb on timeout.
    
    To make things worse, for commands like break control where no timeout
    is used, the driver would corrupt the urb immediately due to a broken
    jiffies comparison (on 32-bit machines this takes five minutes of uptime
    to trigger due to INITIAL_JIFFIES).
    
    Fix this by adding the missing return on timeout and waiting
    indefinitely when no timeout has been specified as intended.
    
    This issue was (sort of) flagged by Sashiko when reviewing an unrelated
    change to the driver.
    
    Link: https://sashiko.dev/#/patchset/20260610132232.356139-1-johan%40kernel.org?part=11
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: [email protected]
    Reviewed-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

USB: serial: keyspan_pda: fix information leak [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Mon Jun 29 14:45:26 2026 +0200

    USB: serial: keyspan_pda: fix information leak
    
    commit 6bfc8d01ac4068eced509f8fc74d0cd205e4dcec upstream.
    
    The write() callback is supposed to return the number of characters
    accepted or a negative errno. Since the addition of write fifo support
    the keyspan_pda implementation will however return the number characters
    submitted to the device if the write urb is not already in use. If this
    number is larger than the number of characters passed to write(), the
    line discipline continues writing data from beyond the tty write buffer.
    
    Fix the information leak by making sure that keyspan_pda_write_start()
    returns zero on success as intended.
    
    Fixes: 034e38e8f687 ("USB: serial: keyspan_pda: add write-fifo support")
    Cc: [email protected]      # 5.11
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

USB: serial: option: add Telit Cinterion FE990D50 compositions [+ + +]
Author: Fabio Porcedda <[email protected]>
Date:   Fri Jun 12 13:39:16 2026 +0200

    USB: serial: option: add Telit Cinterion FE990D50 compositions
    
    commit b33ab1dd80f5c1742f49eb6ec7b337c5ffcf3d32 upstream.
    
    Add support for Telit Cinterion FE990D50 compositions:
    
    0x990: RNDIS + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
           tty (diag) + ADPL + adb
    T:  Bus=01 Lev=01 Prnt=01 Port=06 Cnt=03 Dev#=  3 Spd=480  MxCh= 0
    D:  Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=1bc7 ProdID=0990 Rev=06.06
    S:  Manufacturer=Telit Cinterion
    S:  Product=FE990
    S:  SerialNumber=90b6a3ed
    C:  #Ifs=10 Cfg#= 1 Atr=e0 MxPwr=500mA
    I:  If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
    E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
    I:  If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=88(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=8a(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
    E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
    E:  Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 8 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
    E:  Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
    E:  Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    0x991: rmnet + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
           tty (diag) + ADPL + adb
    T:  Bus=01 Lev=01 Prnt=01 Port=06 Cnt=03 Dev#=  9 Spd=480  MxCh= 0
    D:  Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=1bc7 ProdID=0991 Rev=06.06
    S:  Manufacturer=Telit Cinterion
    S:  Product=FE990
    S:  SerialNumber=90b6a3ed
    C:  #Ifs= 9 Cfg#= 1 Atr=e0 MxPwr=500mA
    I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=(none)
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
    I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=88(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=8a(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
    E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
    E:  Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
    E:  Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
    E:  Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    0x992: MBIM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
           tty (diag) + ADPL + adb
    T:  Bus=01 Lev=01 Prnt=01 Port=06 Cnt=03 Dev#= 12 Spd=480  MxCh= 0
    D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=1bc7 ProdID=0992 Rev=06.06
    S:  Manufacturer=Telit Cinterion
    S:  Product=FE990
    S:  SerialNumber=90b6a3ed
    C:  #Ifs=10 Cfg#= 1 Atr=e0 MxPwr=500mA
    I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
    E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=88(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=8a(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
    E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
    E:  Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 8 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
    E:  Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
    E:  Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    0x993: ECM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (AT) +
           tty (diag) + ADPL + adb
    T:  Bus=01 Lev=01 Prnt=01 Port=06 Cnt=03 Dev#= 15 Spd=480  MxCh= 0
    D:  Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=1bc7 ProdID=0993 Rev=06.06
    S:  Manufacturer=Telit Cinterion
    S:  Product=FE990
    S:  SerialNumber=90b6a3ed
    C:  #Ifs=10 Cfg#= 1 Atr=e0 MxPwr=500mA
    I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
    E:  Ad=82(I) Atr=03(Int.) MxPS=  16 Ivl=32ms
    I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=88(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=8a(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
    E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
    E:  Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 8 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
    E:  Ad=8d(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
    E:  Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Cc: [email protected]
    Signed-off-by: Fabio Porcedda <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
usb: sl811-hcd: disable controller wakeup on remove [+ + +]
Author: Myeonghun Pak <[email protected]>
Date:   Wed Jul 1 21:16:25 2026 +0900

    usb: sl811-hcd: disable controller wakeup on remove
    
    commit 4e8ba83ac4d311992e6a4c21de5dd705010df06e upstream.
    
    sl811h_probe() enables the HCD controller device as a wakeup source after
    usb_add_hcd() succeeds, but sl811h_remove() removes the HCD and releases
    the driver resources without disabling that wakeup source.
    
    Disable controller wakeup after usb_remove_hcd() and before usb_put_hcd()
    so the wakeup source object is detached while the controller device pointer
    is still available.
    
    This issue was identified during our ongoing static-analysis research while
    reviewing kernel code.
    
    Fixes: 3c9740a117d4 ("usb: hcd: move controller wakeup setting initialization to individual driver")
    Cc: stable <[email protected]>
    Co-developed-by: Ijae Kim <[email protected]>
    Signed-off-by: Ijae Kim <[email protected]>
    Signed-off-by: Myeonghun Pak <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
USB: storage: include US_FL_NO_SAME in quirks mask [+ + +]
Author: Xu Rao <[email protected]>
Date:   Tue Jun 2 13:38:42 2026 +0800

    USB: storage: include US_FL_NO_SAME in quirks mask
    
    commit 2c00e09e3f9f06f8434f5ea2ee6179ce46692ee6 upstream.
    
    usb_stor_adjust_quirks() parses the usb-storage.quirks module
    parameter into a new flag set and then applies it with the quirk
    mask to override built-in flags.
    
    The mask is meant to cover the flags that can be overridden by
    the module parameter. The 'k' quirk character sets US_FL_NO_SAME,
    but US_FL_NO_SAME is not included in the mask.
    
    As a result, the module parameter can set US_FL_NO_SAME, but it
    cannot clear a built-in US_FL_NO_SAME flag by providing an override
    entry that omits 'k'.
    
    Add US_FL_NO_SAME to the mask so that the module parameter can
    override it in the same way as the other supported flags.
    
    Fixes: 8010622c86ca ("USB: UAS: introduce a quirk to set no_write_same")
    Cc: stable <[email protected]>
    Signed-off-by: Xu Rao <[email protected]>
    Reviewed-by: Alan Stern <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
usb: typec: anx7411: use devm_pm_runtime_enable() [+ + +]
Author: Myeonghun Pak <[email protected]>
Date:   Wed Jul 1 20:40:06 2026 +0900

    usb: typec: anx7411: use devm_pm_runtime_enable()
    
    commit 0ef7cc27da8b9e315a4a5a665c68c44206f5e559 upstream.
    
    anx7411_i2c_probe() enables runtime PM before returning successfully, but
    anx7411_i2c_remove() tears down the Type-C partner state, workqueue, dummy
    I2C device, mux, switch and port without disabling runtime PM.
    
    Use devm_pm_runtime_enable() so runtime PM is disabled automatically on
    driver detach. Since devres action registration can fail, route that
    failure through the existing probe unwind path.
    
    This issue was identified during our ongoing static-analysis research while
    reviewing kernel code.
    
    Fixes: fe6d8a9c8e64 ("usb: typec: anx7411: Add Analogix PD ANX7411 support")
    Cc: stable <[email protected]>
    Co-developed-by: Ijae Kim <[email protected]>
    Signed-off-by: Ijae Kim <[email protected]>
    Signed-off-by: Myeonghun Pak <[email protected]>
    Reviewed-by: Heikki Krogerus <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: typec: class: drop PD lookup reference [+ + +]
Author: Shuangpeng Bai <[email protected]>
Date:   Thu Jul 2 15:13:29 2026 -0400

    usb: typec: class: drop PD lookup reference
    
    commit 43ae2f90b70cda374c487c1639a01d0f14e5d583 upstream.
    
    usb_power_delivery_find() wraps class_find_device_by_name(). That helper
    returns a device reference that must be released by the caller.
    
    select_usb_power_delivery_store() only needs this reference while calling
    the pd_set callback. Drop it once the callback returns. Otherwise the sysfs
    write can pin the selected USB Power Delivery object and prevent it from
    being released on unregister.
    
    Fixes: a7cff92f0635 ("usb: typec: USB Power Delivery helpers for ports and partners")
    Cc: stable <[email protected]>
    Signed-off-by: Shuangpeng Bai <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: typec: tcpci_rt1711h: unregister TCPCI port with devres [+ + +]
Author: Myeonghun Pak <[email protected]>
Date:   Mon Jul 6 23:53:12 2026 +0900

    usb: typec: tcpci_rt1711h: unregister TCPCI port with devres
    
    commit e8da46d99d3710106e7c44db14566bf9b57386b5 upstream.
    
    rt1711h_probe() registers the TCPCI port before requesting the interrupt
    and enabling alert interrupts. If either of those later steps fails, the
    probe function returns without unregistering the TCPCI port. The explicit
    unregister currently only happens from the remove callback.
    
    Register a devres action immediately after tcpci_register_port() succeeds,
    so tcpci_unregister_port() runs on later probe failures and on driver
    detach. Drop the remove callback to avoid unregistering the same port
    twice.
    
    This issue was identified during our ongoing static-analysis research while
    reviewing kernel code.
    
    Fixes: 302c570bf36e ("usb: typec: tcpci_rt1711h: avoid screaming irq causing boot hangs")
    Cc: stable <[email protected]>
    Co-developed-by: Ijae Kim <[email protected]>
    Signed-off-by: Ijae Kim <[email protected]>
    Signed-off-by: Myeonghun Pak <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: typec: tcpm: Fix VDM type for Enter Mode commands [+ + +]
Author: Andy Yan <[email protected]>
Date:   Thu Jun 4 18:50:24 2026 +0800

    usb: typec: tcpm: Fix VDM type for Enter Mode commands
    
    commit 9cff680e47632b7723cb19f9c5e63669063c3417 upstream.
    
    VDO() second parameter is VDM type (bit 15): 1 for SVDM, 0 for UVDM.
    Using 'vdo ? 2 : 1' corrupts SVID low bit when vdo is non-NULL
    (2 << 15 = BIT(16)). Enter Mode is always SVDM, hardcode to 1.
    
    Fixes: 8face9aa57c8 ("usb: typec: Add parameter for the VDO to typec_altmode_enter()")
    Cc: stable <[email protected]>
    Signed-off-by: Andy Yan <[email protected]>
    Reviewed-by: Heikki Krogerus <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: typec: tcpm: Validate SVID index in svdm_consume_modes() [+ + +]
Author: Badhri Jagan Sridharan <[email protected]>
Date:   Mon Jun 22 22:08:03 2026 +0000

    usb: typec: tcpm: Validate SVID index in svdm_consume_modes()
    
    commit 7b681dd5fbf60b24a13c14661e5b7735759fb491 upstream.
    
    In svdm_consume_modes(), the SVID value is read from pmdata->svids using
    pmdata->svid_index as an array index without bounds validation:
    
        paltmode->svid = pmdata->svids[pmdata->svid_index];
    
    If pmdata->svid_index is driven beyond SVID_DISCOVERY_MAX (16), it results
    in an out-of-bounds read of the pmdata->svids array. Because pd_mode_data
    is embedded inside struct tcpm_port, indexing past svids reads into
    adjacent fields. In particular:
    - At index 16, it reads the altmodes count.
    - At index 18 and beyond, it reads into altmode_desc[], which contains
      partner-supplied SVDM Discovery Modes VDOs.
    
    By injecting a chosen SVID into altmode_desc[0].vdo and driving svid_index
    to 20, the partner can force paltmode->svid to be loaded with an arbitrary,
    partner- chosen SVID, which is then registered via
    typec_partner_register_altmode().
    
    Fix this by validating that pmdata->svid_index is non-negative and strictly
    less than pmdata->nsvids before accessing the pmdata->svids array inside
    svdm_consume_modes().
    
    Assisted-by: Antigravity:gemini-3.5-flash
    Fixes: 4ab8c18d4d67 ("usb: typec: Register a device for every mode")
    Cc: stable <[email protected]>
    Signed-off-by: Badhri Jagan Sridharan <[email protected]>
    Reviewed-by: RD Babiera <[email protected]>
    Acked-by: Heikki Krogerus <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: typec: ucsi: cancel pending work on system suspend [+ + +]
Author: Paul Menzel <[email protected]>
Date:   Fri Jul 3 13:07:37 2026 +0200

    usb: typec: ucsi: cancel pending work on system suspend
    
    commit 7c4a234bd31a64a8dbd0140dc812da592c5e0787 upstream.
    
    On a Dell XPS 13 9360 (BIOS 2.21.0), entering system suspend (deep/S3)
    races a pending UCSI connector-change worker against the ACPI EC teardown.
    The worker evaluates the UCSI _DSM (GET_CONNECTOR_STATUS), whose AML
    accesses the Embedded Controller. By that point the ACPI EC has already
    been stopped for suspend, so the EC address space handler rejects the
    access with AE_BAD_PARAMETER, aborting the AML and failing the connector
    query:
    
        [22314.689495] ACPI: EC: interrupt blocked
        [22314.711981] ACPI: PM: Preparing to enter system sleep state S3
        [22314.743260] ACPI: EC: event blocked
        [22314.743265] ACPI: EC: EC stopped
        [22314.743267] ACPI: PM: Saving platform NVS memory
        [22314.744241] ACPI Error: AE_BAD_PARAMETER, Returned by Handler for [EmbeddedControl] (20260408/evregion-303)
        [22314.744432] ACPI Error: Aborting method \_SB.PCI0.LPCB.ECDV.ECW1 due to previous error (AE_BAD_PARAMETER) (20260408/psparse-543)
        [22314.744673] ACPI Error: Aborting method \ECWB due to previous error (AE_BAD_PARAMETER) (20260408/psparse-543)
        [22314.745201] ACPI Error: Aborting method \_SB.UBTC._DSM due to previous error (AE_BAD_PARAMETER) (20260408/psparse-543)
        [22314.745394] ACPI: \_SB_.UBTC: failed to evaluate _DSM c298836f-a47c-e411-ad36-631042b5008f rev:1 func:1 (0x1001)
        [22314.745414] ucsi_acpi USBC000:00: ucsi_acpi_dsm: failed to evaluate _DSM 1
        [22314.745424] ucsi_acpi USBC000:00: ucsi_handle_connector_change: GET_CONNECTOR_STATUS failed (-5)
    
    ucsi_acpi implements a resume callback but no suspend callback, so nothing
    cancels the connector-change work before the firmware/EC is torn down.
    
    Add a `ucsi_suspend()` core helper that cancels the pending init and
    connector-change work, and wire it into ucsi_acpi's PM ops. The connector
    state is re-read on resume by `ucsi_resume()`, so cancelling the work loses
    nothing.
    
    Fixes: 4e3a50293c2b ("usb: typec: ucsi: acpi: Implement resume callback")
    Cc: stable <[email protected]>
    Signed-off-by: Paul Menzel <[email protected]>
    Assisted-by: Claude Opus 4.8
    Reviewed-by: Heikki Krogerus <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: typec: ucsi: ccg: Fix use-after-free of ucsi on remove [+ + +]
Author: Fan Wu <[email protected]>
Date:   Tue Jun 16 13:20:11 2026 +0000

    usb: typec: ucsi: ccg: Fix use-after-free of ucsi on remove
    
    commit 1f0bdc2884b67de337215079bba166df0cdf4ac5 upstream.
    
    The threaded IRQ handler ccg_irq_handler() calls ucsi_notify_common(),
    which on a connector-change event calls ucsi_connector_change() and
    schedules connector work.  In ucsi_ccg_remove(), ucsi_destroy() frees
    uc->ucsi (kfree) before free_irq() is called, so a handler invocation
    already in flight may access the freed object after ucsi_destroy().
    
      CPU 0 (remove)            | CPU 1 (threaded IRQ)
        ucsi_destroy(uc->ucsi)  |   ccg_irq_handler()
          kfree(ucsi) // FREE   |     ucsi_notify_common(uc->ucsi) // USE
    
    Move free_irq() before ucsi_destroy() in the remove path.  It is kept
    after ucsi_unregister(): ucsi_unregister() cancels connector work whose
    handler issues GET_CONNECTOR_STATUS through ucsi_send_command_common(),
    which waits for a completion that is signalled from the IRQ handler, so
    the IRQ must stay active until that work has been cancelled.
    
    The probe error path already orders free_irq() before ucsi_destroy().
    
    This bug was found by static analysis.
    
    Fixes: e32fd989ac1c ("usb: typec: ucsi: ccg: Move to the new API")
    Cc: stable <[email protected]>
    Signed-off-by: Fan Wu <[email protected]>
    Reviewed-by: Heikki Krogerus <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: typec: ucsi: Invert DisplayPort role assignment [+ + +]
Author: Andrei Kuchynski <[email protected]>
Date:   Mon Jun 1 14:28:37 2026 +0000

    usb: typec: ucsi: Invert DisplayPort role assignment
    
    commit d092d7edf8faefa3e27b9fc7f0e7904b06c833a2 upstream.
    
    The existing implementation assigned these flags backwards, configuring
    the partner's DisplayPort role to match the port's role instead of
    complementing it.
    This prevents proper configuration during DP altmode activation, often
    causing `pin_assignment` to remain 0 in `dp_altmode_configure()` and
    resulting in VDM negotiation failures:
    
        [  583.328246] typec port1.1: VDM 0xff01a150 failed
    
    Additionally, the fix ensures that the `pin_assignment` sysfs attribute
    displays the correct values.
    
    Cc: stable <[email protected]>
    Fixes: af8622f6a585 ("usb: typec: ucsi: Support for DisplayPort alt mode")
    Signed-off-by: Andrei Kuchynski <[email protected]>
    Reviewed-by: Heikki Krogerus <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: typec: ucsi: Pass full DP config payload in SET_NEW_CAM for DP alt mode [+ + +]
Author: Madhu M <[email protected]>
Date:   Fri Jun 19 21:03:11 2026 +0530

    usb: typec: ucsi: Pass full DP config payload in SET_NEW_CAM for DP alt mode
    
    commit 735a461d060d4eeb2f9732aba1295bc32a3982e2 upstream.
    
    In the UCSI Specification Revision 3.1 RC1, bits 32-63 of the SET_NEW_CAM
    command hold the 32-bit Alternate Mode Specific (AMSpecific) field.
    
    For DisplayPort Alternate Mode, this field must contain the full
    32-bit DisplayPort configuration VDO payload that the OPM wants the
    connector to operate in, rather than just the pin assignment value.
    This AMSpecific value follows the DisplayPort Configurations defined
    in the DisplayPort Alt Mode on USB Type-C Specification v2.1a,
    Table 5-13: SOP DisplayPort Configurations.
    
    Fixes: af8622f6a585 ("usb: typec: ucsi: Support for DisplayPort alt mode")
    Cc: stable <[email protected]>
    Signed-off-by: Madhu M <[email protected]>
    Reviewed-by: Jameson Thies <[email protected]>
    Reviewed-by: Andrei Kuchynski <[email protected]>
    Reviewed-by: Heikki Krogerus <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
USB: ulpi: fix memory leak on registration failure [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Mon Jun 8 16:58:03 2026 +0200

    USB: ulpi: fix memory leak on registration failure
    
    commit 8af6812795869a66e9b26044f455b13deecdb69c upstream.
    
    The allocated device name is never freed on early ULPI device
    registration failures.
    
    Fix this by initialising the device structure earlier and releasing the
    initial reference whenever registration fails.
    
    Fixes: 289fcff4bcdb ("usb: add bus type for USB ULPI")
    Cc: stable <[email protected]>
    Cc: Heikki Krogerus <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

USB: usb-storage: ene_ub6250: restore media-ready check [+ + +]
Author: Xu Rao <[email protected]>
Date:   Fri Jun 26 15:06:07 2026 +0800

    USB: usb-storage: ene_ub6250: restore media-ready check
    
    commit 5fc3f333c001f1e308bbcdeecdec0d054d24338b upstream.
    
    Commit 1892bf90677a ("USB: usb-storage: Fix use of bitfields for
    hardware data in ene_ub6250.c") converted the media status fields from
    bitfields to bit masks.
    
    The original ene_transport() test called ene_init() only when neither
    media type was ready:
    
            !(sd_ready || ms_ready)
    
    The converted test became:
    
            !sd_ready || ms_ready
    
    This is not equivalent. Restore the original semantics by testing that
    both ready bits are clear before calling ene_init().
    
    Fixes: 1892bf90677a ("USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c")
    Cc: stable <[email protected]>
    Signed-off-by: Xu Rao <[email protected]>
    Reviewed-by: Alan Stern <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
usb: xhci: Fix sleep in atomic context in xhci_free_streams() [+ + +]
Author: 胡连勤 <[email protected]>
Date:   Fri Jul 3 17:40:33 2026 +0300

    usb: xhci: Fix sleep in atomic context in xhci_free_streams()
    
    commit 42c37c4b75d38b51d84f31a8e29427f5e06a7c2a upstream.
    
    When a USB device with active stream endpoints is disconnected,
    xhci_free_streams() is called from the hub_event workqueue to
    free the stream resources.  It calls xhci_free_stream_info()
    while holding xhci->lock with irqs disabled.
    
    xhci_free_stream_info() invokes xhci_free_stream_ctx(), which
    calls dma_free_coherent() for large stream context arrays.
    
    dma_free_coherent() can sleep (e.g. via vunmap), triggering
    a BUG when called from atomic context.
    
    Call trace:
     dma_free_attrs+0x174/0x220
     xhci_free_stream_info+0xd0/0x11c
     xhci_free_streams+0x278/0x37c
     usb_free_streams+0x98/0xc0
     usb_unbind_interface+0x1b8/0x2f8
     device_release_driver_internal+0x1d4/0x2cc
     device_release_driver+0x18/0x28
     bus_remove_device+0x160/0x1a4
     device_del+0x1ec/0x350
     usb_disable_device+0x98/0x214
     usb_disconnect+0xf0/0x35c
     hub_event+0xab4/0x19ec
     process_one_work+0x278/0x63c
    
    Fix this by saving the stream_info pointers and clearing the
    ep references under the lock, then calling xhci_free_stream_info()
    outside the lock where sleeping is allowed.
    
    Fixes: 8df75f42f8e6 ("USB: xhci: Add memory allocation for USB3 bulk streams.")
    Cc: stable <[email protected]>
    Signed-off-by: Lianqin Hu <[email protected]>
    Signed-off-by: Mathias Nyman <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
usbip: tools: support SuperSpeedPlus devices [+ + +]
Author: Yichong Chen <[email protected]>
Date:   Wed Jun 17 10:06:13 2026 +0800

    usbip: tools: support SuperSpeedPlus devices
    
    commit 195e667c8719480c320cd48ac0fbf1cb81d6ffe0 upstream.
    
    USB devices running at SuperSpeedPlus report "10000" or "20000" in
    their sysfs speed attribute. usbip currently maps only "5000" to
    USB_SPEED_SUPER, so a SuperSpeedPlus device is imported as
    USB_SPEED_UNKNOWN.
    
    The attach request is then rejected by vhci_hcd:
    
      vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
    
    Map the SuperSpeedPlus sysfs speed values to USB_SPEED_SUPER_PLUS, use
    the SuperSpeed VHCI hub for SuperSpeedPlus devices, and recognize the
    gadget current_speed string used by the kernel.
    
    Fixes: b2316645ca5e ("usb: show speed "10000" in sysfs for USB 3.1 SuperSpeedPlus devices")
    Cc: stable <[email protected]>
    Signed-off-by: Yichong Chen <[email protected]>
    Reviewed-by: Shuah Khan <[email protected]>
    Link: https://patch.msgid.link/00C828F338E43447+20260617020613.199086-1-chenyichong@uniontech.com
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usbip: vudc: fix NULL deref in vep_dequeue() [+ + +]
Author: Sam Day <[email protected]>
Date:   Fri Jun 26 14:29:10 2026 +1000

    usbip: vudc: fix NULL deref in vep_dequeue()
    
    commit c5371e0b91b24159a3ebaa61e70b0980bcf03c0a upstream.
    
    vep_alloc_request() wasn't initializing vrequest->udc, so cancellations
    on the FunctionFS AIO path were arriving in vep_dequeue without a valid
    UDC reference.
    
    Since vrequest->udc is never actually properly used anywhere, we opt to
    remove it, and update vep_dequeue to obtain a reference to the udc with
    ep_to_vudc(), consistent with the other vep_ ops.
    
    AFAICT this bug has existed for ~10 years. Seems that nobody has really
    stressed the FunctionFS AIO path on usbip's vudc.
    
    I tested this fix in a QEMU aarch64 guest driving FunctionFS endpoints
    via AIO. Before the fix, running `usbip attach` from the host would
    cause the guest to oops with the following backtrace:
    
    Call trace:
     vep_dequeue+0x1c/0xe4 (P)
     usb_ep_dequeue+0x14/0x20
     ffs_aio_cancel+0x24/0x34
     __arm64_sys_io_cancel+0xb0/0x124
     do_el0_svc+0x68/0x100
     el0_svc+0x18/0x5c
     el0t_64_sync_handler+0x98/0xdc
     el0t_64_sync+0x154/0x158
    
    Assisted-by: opencode:openai/gpt-5.5
    Cc: stable <[email protected]>
    Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
    Reviewed-by: Igor Kotrasinski <[email protected]>
    Signed-off-by: Sam Day <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
userfaultfd: gate must_wait writability check on pte_present() [+ + +]
Author: Kiryl Shutsemau <[email protected]>
Date:   Thu Jul 2 16:49:05 2026 +0100

    userfaultfd: gate must_wait writability check on pte_present()
    
    [ Upstream commit 8e80af52db652fbc41320eee45a4f73bc029faf2 ]
    
    userfaultfd_must_wait() and userfaultfd_huge_must_wait() read the PTE
    without taking the page table lock and then apply pte_write() /
    huge_pte_write() to it.  Those accessors decode bits from the present
    encoding only; on a swap or migration entry they read the offset bits that
    happen to share the same position and return an undefined result.
    
    The intent of the check is "is this fault still WP-blocked?".  A
    non-marker swap entry means the page is in transit -- the userfault
    context the original fault delivered against is no longer the same, and
    the swap-in or migration completion path will re-deliver a fresh fault if
    userspace still needs to handle it.  Worst case under the current code the
    garbage write bit says "wait", and the thread stays asleep until a
    UFFDIO_WAKE that may never arrive.
    
    Gate the writability check on pte_present() so the lockless re-check only
    inspects present-PTE bits when the entry is actually present.  The
    non-present, non-marker case returns "don't wait" and lets the fault path
    retry.
    
    Link: https://lore.kernel.org/[email protected]
    Fixes: 369cd2121be4 ("userfaultfd: hugetlbfs: userfaultfd_huge_must_wait for hugepmd ranges")
    Fixes: 63b2d4174c4a ("userfaultfd: wp: add the writeprotect API to userfaultfd ioctl")
    Signed-off-by: Kiryl Shutsemau <[email protected]>
    Reported-by: Sashiko AI review <[email protected]>
    Reviewed-by: Lorenzo Stoakes <[email protected]>
    Cc: David Hildenbrand <[email protected]>
    Cc: Michal Hocko <[email protected]>
    Cc: Mike Rapoport <[email protected]>
    Cc: Peter Xu <[email protected]>
    Cc: Suren Baghdasaryan <[email protected]>
    Cc: Vlastimil Babka <[email protected]>
    Cc: Balbir Singh <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    
    [ kas: apply to fs/userfaultfd.c and fold the pte_present()/
      huge_pte_present() gate into the existing writability checks; this tree
      predates the marker/return-style refactor of these functions ]
    Signed-off-by: Kiryl Shutsemau <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
vfio/pci: Fix racy bitfields and tighten struct layout [+ + +]
Author: Alex Williamson <[email protected]>
Date:   Mon Jun 15 13:12:31 2026 -0600

    vfio/pci: Fix racy bitfields and tighten struct layout
    
    commit e73638e55f861758d49f14d7bb5dba3035981cd7 upstream.
    
    Bitfield operations are not atomic, they use a read-modify-write
    pattern, therefore we should be careful not to pack bitfields that
    can be concurrently updated into the same storage unit.
    
    This split takes a binary approach: flags that are only modified
    pre/post open/close remain bitfields, flags modified from user
    action, including actions that reach across to another device (ex.
    reset) use dedicated storage units.
    
    Note that the virq_disabled and bardirty flags are relocated to fill
    an existing hole in the structure.
    
    Bitfield justifications:
    
      has_dyn_msix: written only in vfio_pci_core_enable()
      pci_2_3: written only in vfio_pci_core_enable()
      reset_works: written only in vfio_pci_core_enable()
      extended_caps: written only in vfio_cap_len() under vfio_config_init()
      has_vga: written only in vfio_pci_core_enable()
      nointx: written only in vfio_pci_core_enable()
      needs_pm_restore: written only in vfio_pci_probe_power_state()
      disable_idle_d3: written only at .init in vfio_pci_core_init_dev()
    
    Dedicated storage units:
    
      virq_disabled: written by guest INTx command writes in
                     vfio_basic_config_write() while the device is open
      bardirty: written by guest BAR writes in vfio_basic_config_write()
                while the device is open
      pm_intx_masked: written in the runtime-PM suspend path.
      pm_runtime_engaged: written by low-power feature entry/exit paths
      needs_reset: set in vfio_pci_core_disable() and cleared for devices in
                   the set by vfio_pci_dev_set_try_reset()
      sriov_active: written by vfio_pci_core_sriov_configure() via sysfs
                    sriov_numvfs while bound.
    
    Fixes: 9cd0f6d5cbb6 ("vfio/pci: Use bitfield for struct vfio_pci_core_device flags")
    Cc: [email protected]
    Assisted-by: Claude:claude-opus-4-8
    Signed-off-by: Alex Williamson <[email protected]>
    Reviewed-by: Kevin Tian <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Alex Williamson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

vfio/pci: Latch disable_idle_d3 per device [+ + +]
Author: Alex Williamson <[email protected]>
Date:   Mon Jun 15 13:12:29 2026 -0600

    vfio/pci: Latch disable_idle_d3 per device
    
    commit 4575e9aac5336d1365138c0284773bf8da4b1fa3 upstream.
    
    When disable_idle_d3 was introduced in vfio-pci, it directly manipulated
    the device power state with pci_set_power_state().  There were no
    refcounts to maintain or balanced operations, we could unconditionally
    bring the device to D0 and conditionally move it to D3hot.  Therefore
    the module parameter was made writable.
    
    Later, in commit c61302aa48f7 ("vfio/pci: Move module parameters to
    vfio_pci.c"), as part of the vfio-pci-core split, the writable aspect
    of the module parameter was nullified.  The parameter value could still
    be changed through sysfs, but the vfio-pci driver latched the values
    into vfio-pci-core globals at module init.  Loading the vfio-pci module,
    or unloading and reloading, with non-default or different values could
    change the globals relative to existing devices bound to vfio-pci
    variant drivers.
    
    Runtime PM was introduced in commit 7ab5e10eda02 ("vfio/pci: Move the
    unused device into low power state with runtime PM"), which marks the
    point where power states became refcounted.  PM get and put operations
    need to be balanced, but the same module operations noted above can
    change the global variables relative to those devices already bound to
    vfio-pci variant drivers.  This introduces a window where PM operations
    can now become unbalanced.
    
    To resolve this with a narrow footprint for stable backports, the
    disable_idle_d3 flag is latched into the vfio_pci_core_device at the
    time of initialization, such that the device always operates with a
    consistent value.
    
    NB. vfio_pci_dev_set_try_reset() now unconditionally raises the
    runtime PM usage count around bus reset to account for disable_idle_d3
    becoming a per-device rather than global flag.  When this flag is set,
    the additional get/put pair is harmless and allows continued use of the
    shared vfio_pci_dev_set_pm_runtime_get() helper.
    
    Fixes: 7ab5e10eda02 ("vfio/pci: Move the unused device into low power state with runtime PM")
    Cc: [email protected]
    Assisted-by: Claude:claude-opus-4-8
    Signed-off-by: Alex Williamson <[email protected]>
    Reviewed-by: Kevin Tian <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Alex Williamson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

vfio/pci: Release the VGA arbiter client on register_device() failure [+ + +]
Author: Alex Williamson <[email protected]>
Date:   Mon Jun 15 13:12:30 2026 -0600

    vfio/pci: Release the VGA arbiter client on register_device() failure
    
    commit daedde7f024ecf88bc8e832ed40cf2c795f0796a upstream.
    
    The re-order in the Fixes commit below displaced vfio_pci_vga_init() as
    the last failure point of what is now vfio_pci_core_register_device()
    without introducing an unwind for the VGA arbiter registration.
    
    In current kernels this is mostly benign because vfio_pci_set_decode()
    only uses pci_dev state, but the original failure path could leave a
    callback with a freed vdev cookie.  The stale registration also becomes
    unsafe again once the callback follows drvdata to the vfio device.
    
    Add the required VGA unwind callout.
    
    Fixes: 4aeec3984ddc ("vfio/pci: Re-order vfio_pci_probe()")
    Cc: [email protected]
    Assisted-by: Claude:claude-opus-4-8
    Signed-off-by: Alex Williamson <[email protected]>
    Reviewed-by: Kevin Tian <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Alex Williamson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

vfio/pci: Use a private flag to prevent power state change with VFs [+ + +]
Author: Raghavendra Rao Ananta <[email protected]>
Date:   Thu May 14 17:34:49 2026 +0000

    vfio/pci: Use a private flag to prevent power state change with VFs
    
    commit 40ef3edf151e184d021917a5c4c771cc0870844a upstream.
    
    The current implementation uses pci_num_vf() while holding the
    memory_lock to prevent changing the power state of a PF when
    VFs are enabled. This creates a lockdep circular dependency
    warning because memory_lock is held during device probing.
    
    [  286.997167] ======================================================
    [  287.003363] WARNING: possible circular locking dependency detected
    [  287.009562] 7.0.0-dbg-DEV #3 Tainted: G S
    [  287.015074] ------------------------------------------------------
    [  287.021270] vfio_pci_sriov_/18636 is trying to acquire lock:
    [  287.026942] ff45bea2294d4968 (&vdev->memory_lock){+.+.}-{4:4}, at:
    vfio_pci_core_runtime_resume+0x1f/0xa0
    [  287.036530]
    [  287.036530] but task is already holding lock:
    [  287.042383] ff45bea3a96b8230 (&new_dev_set->lock){+.+.}-{4:4}, at:
    vfio_group_fops_unl_ioctl+0x44d/0x7b0
    [  287.051879]
    [  287.051879] which lock already depends on the new lock.
    [  287.051879]
    [  287.060070]
    [  287.060070] the existing dependency chain (in reverse order) is:
    [  287.067568]
    [  287.067568] -> #2 (&new_dev_set->lock){+.+.}-{4:4}:
    [  287.073941]        __mutex_lock+0x92/0xb80
    [  287.078058]        vfio_assign_device_set+0x66/0x1b0
    [  287.083042]        vfio_pci_core_register_device+0xd1/0x2a0
    [  287.088638]        vfio_pci_probe+0xd2/0x100
    [  287.092933]        local_pci_probe_callback+0x4d/0xa0
    [  287.098001]        process_scheduled_works+0x2ca/0x680
    [  287.103158]        worker_thread+0x1e8/0x2f0
    [  287.107452]        kthread+0x10c/0x140
    [  287.111230]        ret_from_fork+0x18e/0x360
    [  287.115519]        ret_from_fork_asm+0x1a/0x30
    [  287.119983]
    [  287.119983] -> #1 ((work_completion)(&arg.work)){+.+.}-{0:0}:
    [  287.127219]        __flush_work+0x345/0x490
    [  287.131429]        pci_device_probe+0x2e3/0x490
    [  287.135979]        really_probe+0x1f9/0x4e0
    [  287.140180]        __driver_probe_device+0x77/0x100
    [  287.145079]        driver_probe_device+0x1e/0x110
    [  287.149803]        __device_attach_driver+0xe3/0x170
    [  287.154789]        bus_for_each_drv+0x125/0x150
    [  287.159346]        __device_attach+0xca/0x1a0
    [  287.163720]        device_initial_probe+0x34/0x50
    [  287.168445]        pci_bus_add_device+0x6e/0x90
    [  287.172995]        pci_iov_add_virtfn+0x3c9/0x3e0
    [  287.177719]        sriov_add_vfs+0x2c/0x60
    [  287.181838]        sriov_enable+0x306/0x4a0
    [  287.186038]        vfio_pci_core_sriov_configure+0x184/0x220
    [  287.191715]        sriov_numvfs_store+0xd9/0x1c0
    [  287.196351]        kernfs_fop_write_iter+0x13f/0x1d0
    [  287.201338]        vfs_write+0x2be/0x3b0
    [  287.205286]        ksys_write+0x73/0x100
    [  287.209233]        do_syscall_64+0x14d/0x750
    [  287.213529]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
    [  287.219120]
    [  287.219120] -> #0 (&vdev->memory_lock){+.+.}-{4:4}:
    [  287.225491]        __lock_acquire+0x14c6/0x2800
    [  287.230048]        lock_acquire+0xd3/0x2f0
    [  287.234168]        down_write+0x3a/0xc0
    [  287.238019]        vfio_pci_core_runtime_resume+0x1f/0xa0
    [  287.243436]        __rpm_callback+0x8c/0x310
    [  287.247730]        rpm_resume+0x529/0x6f0
    [  287.251765]        __pm_runtime_resume+0x68/0x90
    [  287.256402]        vfio_pci_core_enable+0x44/0x310
    [  287.261216]        vfio_pci_open_device+0x1c/0x80
    [  287.265947]        vfio_df_open+0x10f/0x150
    [  287.270148]        vfio_group_fops_unl_ioctl+0x4a4/0x7b0
    [  287.275476]        __se_sys_ioctl+0x71/0xc0
    [  287.279679]        do_syscall_64+0x14d/0x750
    [  287.283975]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
    [  287.289559]
    [  287.289559] other info that might help us debug this:
    [  287.289559]
    [  287.297582] Chain exists of:
    [  287.297582]   &vdev->memory_lock --> (work_completion)(&arg.work)
    --> &new_dev_set->lock
    [  287.297582]
    [  287.310023]  Possible unsafe locking scenario:
    [  287.310023]
    [  287.315961]        CPU0                    CPU1
    [  287.320510]        ----                    ----
    [  287.325059]   lock(&new_dev_set->lock);
    [  287.328917]
    lock((work_completion)(&arg.work));
    [  287.336153]                                lock(&new_dev_set->lock);
    [  287.342523]   lock(&vdev->memory_lock);
    [  287.346382]
    [  287.346382]  *** DEADLOCK ***
    [  287.346382]
    [  287.352315] 2 locks held by vfio_pci_sriov_/18636:
    [  287.357125]  #0: ff45bea208ed3e18 (&group->group_lock){+.+.}-{4:4},
    at: vfio_group_fops_unl_ioctl+0x3e3/0x7b0
    [  287.367048]  #1: ff45bea3a96b8230 (&new_dev_set->lock){+.+.}-{4:4},
    at: vfio_group_fops_unl_ioctl+0x44d/0x7b0
    [  287.376976]
    [  287.376976] stack backtrace:
    [  287.381353] CPU: 191 UID: 0 PID: 18636 Comm: vfio_pci_sriov_
    Tainted: G S                  7.0.0-dbg-DEV #3 PREEMPTLAZY
    [  287.381355] Tainted: [S]=CPU_OUT_OF_SPEC
    [  287.381356] Call Trace:
    [  287.381357]  <TASK>
    [  287.381358]  dump_stack_lvl+0x54/0x70
    [  287.381361]  print_circular_bug+0x2e1/0x300
    [  287.381363]  check_noncircular+0xf9/0x120
    [  287.381364]  ? __lock_acquire+0x5b4/0x2800
    [  287.381366]  __lock_acquire+0x14c6/0x2800
    [  287.381368]  ? pci_mmcfg_read+0x4f/0x220
    [  287.381370]  ? pci_mmcfg_write+0x57/0x220
    [  287.381371]  ? lock_acquire+0xd3/0x2f0
    [  287.381373]  ? pci_mmcfg_write+0x57/0x220
    [  287.381374]  ? lock_release+0xef/0x360
    [  287.381376]  ? vfio_pci_core_runtime_resume+0x1f/0xa0
    [  287.381377]  lock_acquire+0xd3/0x2f0
    [  287.381378]  ? vfio_pci_core_runtime_resume+0x1f/0xa0
    [  287.381379]  ? lock_is_held_type+0x76/0x100
    [  287.381382]  down_write+0x3a/0xc0
    [  287.381382]  ? vfio_pci_core_runtime_resume+0x1f/0xa0
    [  287.381383]  vfio_pci_core_runtime_resume+0x1f/0xa0
    [  287.381384]  ? __pfx_pci_pm_runtime_resume+0x10/0x10
    [  287.381385]  __rpm_callback+0x8c/0x310
    [  287.381386]  ? ktime_get_mono_fast_ns+0x3d/0xb0
    [  287.381389]  ? __pfx_pci_pm_runtime_resume+0x10/0x10
    [  287.381390]  rpm_resume+0x529/0x6f0
    [  287.381392]  ? lock_is_held_type+0x76/0x100
    [  287.381394]  __pm_runtime_resume+0x68/0x90
    [  287.381396]  vfio_pci_core_enable+0x44/0x310
    [  287.381398]  vfio_pci_open_device+0x1c/0x80
    [  287.381399]  vfio_df_open+0x10f/0x150
    [  287.381401]  vfio_group_fops_unl_ioctl+0x4a4/0x7b0
    [  287.381402]  __se_sys_ioctl+0x71/0xc0
    [  287.381404]  do_syscall_64+0x14d/0x750
    [  287.381405]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
    [  287.381406]  ? trace_irq_disable+0x25/0xd0
    [  287.381409]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Introduce a private flag 'sriov_active' in the vfio_pci_core_device
    struct. This  allows the driver to track the SR-IOV power state requirement
    without  relying on pci_num_vf() while holding the memory_lock. The lock is
    now  only held to set the flag and ensure the device is in D0, after which
    pci_enable_sriov() can be called without the lock.
    
    Fixes: f4162eb1e2fc ("vfio/pci: Change the PF power state to D0 before enabling VFs")
    Cc: [email protected]
    Suggested-by: Jason Gunthorpe <[email protected]>
    Suggested-by: Alex Williamson <[email protected]>
    Signed-off-by: Raghavendra Rao Ananta <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    [promote bitfield to plain bool to avoid storage-unit races]
    Signed-off-by: Alex Williamson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
vfio: prevent infinite loop in vfio_mig_get_next_state() on blocked arc [+ + +]
Author: Junrui Luo <[email protected]>
Date:   Tue Jun 2 16:58:48 2026 +0800

    vfio: prevent infinite loop in vfio_mig_get_next_state() on blocked arc
    
    commit a26b499b757cfc8bbff1088bb1b844639e250893 upstream.
    
    vfio_mig_get_next_state() walks vfio_from_fsm_table[] one step at a time,
    looping to skip optional states the device does not support until
    *next_fsm is supported. A blocked transition is encoded as
    VFIO_DEVICE_STATE_ERROR, which the trailing return reports as -EINVAL.
    
    The skip loop does not account for the ERROR sentinel.
    state_flags_table[ERROR] is ~0U and vfio_from_fsm_table[ERROR][*] is
    ERROR, so once *next_fsm becomes ERROR the loop condition stays true and
    *next_fsm never changes. The blocked arcs STOP_COPY -> PRE_COPY and
    STOP_COPY -> PRE_COPY_P2P map to ERROR yet pass the support check on a
    precopy-capable device, causing the loop to spin forever while holding
    the driver state mutex. This can result in a soft lockup, and a panic
    with softlockup_panic set.
    
    Terminate the skip loop on the ERROR sentinel so a blocked transition
    falls through to the existing return and reports -EINVAL.
    
    Fixes: 4db52602a607 ("vfio: Extend the device migration protocol with PRE_COPY")
    Reported-by: Yuhao Jiang <[email protected]>
    Cc: [email protected]
    Signed-off-by: Junrui Luo <[email protected]>
    Reviewed-by: Kevin Tian <[email protected]>
    Reviewed-by: Jason Gunthorpe <[email protected]>
    Link: https://lore.kernel.org/r/SYBPR01MB7881290BBDE79B61AE6A017FAF122@SYBPR01MB7881.ausprd01.prod.outlook.com
    Signed-off-by: Alex Williamson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

vfio: Remove device debugfs before releasing devres [+ + +]
Author: Alex Williamson <[email protected]>
Date:   Mon Jun 15 14:47:00 2026 -0600

    vfio: Remove device debugfs before releasing devres
    
    commit dc7fe87de492ea7f33a72b78d26650b75bf37f4f upstream.
    
    VFIO device debugfs files created with debugfs_create_devm_seqfile()
    store a devres allocated debugfs_devm_entry as inode private data.
    vfio_unregister_group_dev() currently calls vfio_device_del() before
    vfio_device_debugfs_exit(), but device_del() releases devres.  This can
    leave debugfs entries visible with stale inode private data while
    unregister waits for userspace references to drain.
    
    Remove the per-device debugfs tree before vfio_device_del().  The debugfs
    view is diagnostic only, so losing it at the start of unregister is
    preferable to preserving entries whose backing storage may already have
    been released.
    
    Complete the teardown by clearing the per-device debugfs root after
    removal.  This matches the global debugfs root cleanup and prevents
    future users from mistaking a removed dentry for a live debugfs tree
    during the remainder of unregister.
    
    Fixes: 2202844e4468 ("vfio/migration: Add debugfs to live migration driver")
    Reported-by: Sashiko AI Review <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Cc: [email protected]
    Cc: Longfang Liu <[email protected]>
    Assisted-by: OpenAI Codex:gpt-5
    Signed-off-by: Alex Williamson <[email protected]>
    Reviewed-by: Kevin Tian <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Alex Williamson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
virtio-mmio: fix device release warning on module unload [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Mon Apr 27 16:37:10 2026 +0200

    virtio-mmio: fix device release warning on module unload
    
    commit c687bc35694698ec4c7f92bf929c3d659f0cecb8 upstream.
    
    Driver core expects devices to be allocated dynamically and complains
    loudly when a device that lacks a release function is freed.
    
    Use __root_device_register() to allocate and register the root device
    instead of open coding using a static device.
    
    Note that root_device_register(), which also creates a link to the
    module, cannot be used as the device is registered when parsing the
    module parameters which happens before the module kobject has been set
    up.
    
    Fixes: 81a054ce0b46 ("virtio-mmio: Devices parameter parsing")
    Cc: [email protected]      # 3.5
    Cc: Pawel Moll <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
virtio_pci: fix vq info pointer lookup via wrong index [+ + +]
Author: Ammar Faizi <[email protected]>
Date:   Sun Mar 15 21:18:08 2026 +0700

    virtio_pci: fix vq info pointer lookup via wrong index
    
    commit f7d380fb525c13bdd114369a1979c80c346e6abc upstream.
    
    Unbinding a virtio balloon device:
    
        echo virtio0 > /sys/bus/virtio/drivers/virtio_balloon/unbind
    
    triggers a NULL pointer dereference. The dmesg says:
    
        BUG: kernel NULL pointer dereference, address: 0000000000000008
        [...]
        RIP: 0010:__list_del_entry_valid_or_report+0x5/0xf0
        Call Trace:
        <TASK>
        vp_del_vqs+0x121/0x230
        remove_common+0x135/0x150
        virtballoon_remove+0xee/0x100
        virtio_dev_remove+0x3b/0x80
        device_release_driver_internal+0x187/0x2c0
        unbind_store+0xb9/0xe0
        kernfs_fop_write_iter.llvm.11660790530567441834+0xf6/0x180
        vfs_write+0x2a9/0x3b0
        ksys_write+0x5c/0xd0
        do_syscall_64+0x54/0x230
        entry_SYSCALL_64_after_hwframe+0x29/0x31
        [...]
        </TASK>
    
    The virtio_balloon device registers 5 queues (inflate, deflate, stats,
    free_page, reporting) but only the first two are unconditional. The
    stats, free_page and reporting queues are each conditional on their
    respective feature bits. When any of these features are absent, the
    corresponding vqs_info entry has name == NULL, creating holes in the
    array.
    
    The root cause is an indexing mismatch introduced when vq info storage
    was changed to be passed as an argument. vp_find_vqs_msix() and
    vp_find_vqs_intx() store the info pointer at vp_dev->vqs[i], where 'i'
    is the caller's sparse array index. However, the virtqueue itself gets
    vq->index assigned from queue_idx, a dense index that skips NULL
    entries. When holes exist, 'i' and queue_idx diverge. Later,
    vp_del_vqs() looks up info via vp_dev->vqs[vq->index] using the dense
    index into the sparsely-populated array, and hits NULL.
    
    Fix this by storing info at vp_dev->vqs[queue_idx] instead of
    vp_dev->vqs[i], so the store index matches the lookup index
    (vq->index). Apply the fix to both the MSIX and INTX paths.
    
    Cc: Yichun Zhang <[email protected]>
    Cc: Jiri Pirko <[email protected]>
    Cc: [email protected] # v6.11+
    Tested-by: Yuka <[email protected]>
    Fixes: 89a1c435aec2 ("virtio_pci: pass vq info as an argument to vp_setup_vq()")
    Signed-off-by: Ammar Faizi <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
watchdog: apple: Add "apple,t8103-wdt" compatible [+ + +]
Author: Janne Grunau <[email protected]>
Date:   Wed Dec 31 13:07:21 2025 +0100

    watchdog: apple: Add "apple,t8103-wdt" compatible
    
    commit 14ca4868886f2188401fe06cd7bf01a330b3fb99 upstream.
    
    After discussion with the devicetree maintainers we agreed to not extend
    lists with the generic compatible "apple,wdt" anymore [1]. Use
    "apple,t8103-wdt" as base compatible as it is the SoC the driver and
    bindings were written for.
    
    [1]: https://lore.kernel.org/asahi/[email protected]/
    
    Fixes: 4ed224aeaf66 ("watchdog: Add Apple SoC watchdog driver")
    Cc: [email protected]
    Reviewed-by: Neal Gompa <[email protected]>
    Signed-off-by: Janne Grunau <[email protected]>
    Link: https://lore.kernel.org/r/20251231-watchdog-apple-t8103-base-compat-v1-1-1702a02e0c45@jannau.net
    Signed-off-by: Guenter Roeck <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
writeback: fix race between cgroup_writeback_umount() and inode_switch_wbs() [+ + +]
Author: Baokun Li <[email protected]>
Date:   Thu May 21 17:50:14 2026 +0800

    writeback: fix race between cgroup_writeback_umount() and inode_switch_wbs()
    
    commit cba38ec4cbd3a7b8b942a8d52531a05be8a9ff0d upstream.
    
    When a container exits, the following BUG_ON() is occasionally triggered:
    
    ==================================================================
     VFS: Busy inodes after unmount of sdb (ext4)
     ------------[ cut here ]------------
     kernel BUG at fs/super.c:695!
     CPU: 3 PID: 6 Comm: containerd-shim Tainted: G OE K 6.6 #1
     pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
     pc : generic_shutdown_super+0xf0/0x100
     lr : generic_shutdown_super+0xf0/0x100
     Call trace:
      generic_shutdown_super+0xf0/0x100
      kill_block_super+0x20/0x48
      ext4_kill_sb+0x28/0x60
      deactivate_locked_super+0x54/0x130
      deactivate_super+0x84/0xa0
      cleanup_mnt+0xa4/0x140
      __cleanup_mnt+0x18/0x28
      task_work_run+0x78/0xe0
      do_notify_resume+0x204/0x240
    ==================================================================
    
    The root cause is a race between cgroup_writeback_umount() and
    inode_switch_wbs()/cleanup_offline_cgwb(). There is a window between
    inode_prepare_wbs_switch() returning true and the subsequent
    wb_queue_isw() call. Following is the process that triggers the issue:
    
          CPU A (umount)           |          CPU B (writeback)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                     inode_switch_wbs/cleanup_offline_cgwb
                                      atomic_inc(&isw_nr_in_flight)
                                      inode_prepare_wbs_switch
                                       -> passes SB_ACTIVE check
                                       __iget(inode)
     generic_shutdown_super
      sb->s_flags &= ~SB_ACTIVE
      cgroup_writeback_umount(sb)
       smp_mb()
       atomic_read(&isw_nr_in_flight)
       rcu_barrier()
        -> no pending RCU callbacks
       flush_workqueue(isw_wq)
        -> nothing queued, returns
      evict_inodes(sb)
       -> Inode skipped as isw still holds a ref.
      sop->put_super(sb)
       /* destroys percpu counters */
      -> VFS: Busy inodes after unmount!
                                      wb_queue_isw()
                                       queue_work(isw_wq, ...)
                                      /* later in work function */
                                      inode_switch_wbs_work_fn
                                       process_inode_switch_wbs
                                        iput() -> evict
                                         percpu_counter_dec() // UAF!
    
    Fix this by extending the RCU read-side critical section in
    inode_switch_wbs() and cleanup_offline_cgwb() to cover from
    inode_prepare_wbs_switch() through wb_queue_isw().  Since there is
    no sleep in this window, rcu_read_lock() can be used.  Then add a
    synchronize_rcu() in cgroup_writeback_umount() before the existing
    rcu_barrier(), so that all in-flight switchers that have passed the
    SB_ACTIVE check have completed queue_work() before flush_workqueue()
    is called.
    
    The existing rcu_barrier() is intentionally retained so this fix can
    be backported unchanged to stable kernels (5.10.y, 6.6.y, ...) that
    still queue switches via queue_rcu_work(). It is a no-op on current
    mainline (since commit e1b849cfa6b6 ("writeback: Avoid contention on
    wb->list_lock when switching inodes")) and is removed in a follow-up
    patch.
    
    Fixes: a1a0e23e4903 ("writeback: flush inode cgroup wb switches instead of pinning super_block")
    Cc: [email protected]
    Suggested-by: Jan Kara <[email protected]>
    Link: https://lore.kernel.org/all/mxnjq2l6guusfchvauxr3v7c4bwjasybxlleqbbh4efloeqspz@iqylk76ohufz
    Reviewed-by: Jan Kara <[email protected]>
    Signed-off-by: Baokun Li <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Acked-by: Tejun Heo <[email protected]>
    Signed-off-by: Christian Brauner (Amutable) <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
X.509: Fix validation of ASN.1 certificate header [+ + +]
Author: Lukas Wunner <[email protected]>
Date:   Thu May 14 08:55:58 2026 +0200

    X.509: Fix validation of ASN.1 certificate header
    
    commit 3b626ba431c4501512ad07549310685e07fe4706 upstream.
    
    x509_load_certificate_list() seeks to enforce that a certificate starts
    with 0x30 0x82 (ASN.1 SEQUENCE tag followed by a length of more than 256
    and less than 65535 bytes).
    
    But it only enforces that *either* of those two byte values are present,
    instead of checking for the *conjunction* of the two values.  Fix it.
    
    Fixes: 631cc66eb9ea ("MODSIGN: Provide module signing public keys to the kernel")
    Reported-by: Sashiko <[email protected]>
    Closes: https://lore.kernel.org/r/[email protected]/
    Signed-off-by: Lukas Wunner <[email protected]>
    Cc: [email protected] # v3.7+
    Reviewed-by: Ignat Korchagin <[email protected]>
    Reviewed-by: Alistair Francis <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
x86,fs/resctrl: Prevent out-of-bounds access while offlining CPU when SNC enabled [+ + +]
Author: Reinette Chatre <[email protected]>
Date:   Mon Jul 13 21:12:36 2026 -0700

    x86,fs/resctrl: Prevent out-of-bounds access while offlining CPU when SNC enabled
    
    commit fc16126cc11d9f507130bf84ab137ee0938c900e upstream.
    
    The architecture updates the cpu_mask in a domain's header to track which
    online CPUs are associated with the domain. When this mask becomes empty
    the architecture initiates offline of the domain that includes calling
    on resctrl fs to offline the domain. If it is a monitoring domain in
    which LLC occupancy is tracked resctrl fs forces the limbo handler to
    clear all busy RMID state associated with the domain.
    
    The limbo handler always reads the current event value associated with a
    busy RMID irrespective of it being checked as part of regular "is it still
    busy" check or whether it will be forced released anyway. When reading an
    RMID on a system with SNC enabled the "logical RMID" is converted to the
    "physical RMID" and this conversion requires the NUMA node ID of the
    resctrl monitoring domain that is in turn determined by querying the NUMA
    node ID of any CPU belonging to the monitoring domain.
    
    When the monitoring domain is going offline its cpu_mask is empty causing
    the NUMA node ID query via cpu_to_node() to be done with "nr_cpu_ids" as
    argument resulting in an out-of-bounds access.
    
    Refactor the limbo handler to skip reading the RMID when the RMID will
    just be forced to no longer be dirty in the domain anyway. Add a safety
    check to the architecture's RMID reader to protect against this scenario.
    
    Fixes: e13db55b5a0d ("x86/resctrl: Introduce snc_nodes_per_l3_cache")
    Closes: https://sashiko.dev/#/patchset/cover.1780456704.git.reinette.chatre%40intel.com?part=9
    Reported-by: Sashiko <[email protected]>
    Signed-off-by: Reinette Chatre <[email protected]>
    Signed-off-by: Borislav Petkov (AMD) <[email protected]>
    Cc: <[email protected]>
    Link: https://patch.msgid.link/16137433df42f85013b2f7a53626795cbd6637b9.1781029125.git.reinette.chatre@intel.com
    Signed-off-by: Sasha Levin <[email protected]>

 
xfs: clamp timestamp nanoseconds correctly [+ + +]
Author: Darrick J. Wong <[email protected]>
Date:   Mon Jul 13 23:07:15 2026 -0700

    xfs: clamp timestamp nanoseconds correctly
    
    commit 15e38a9366b31d3d61081ead115f1dff59379e24 upstream.
    
    LOLLM noticed an off-by-one error in the nsec clamping; fix that so that
    we never have tv_nsec == 1e9.
    
    Cc: [email protected] # v6.8
    Fixes: 2d295fe65776d1 ("xfs: repair inode records")
    Signed-off-by: "Darrick J. Wong" <[email protected]>
    Assisted-by: LOLLM # finding obvious bugs
    Reviewed-by: Christoph Hellwig <[email protected]>
    Signed-off-by: Carlos Maiolino <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

xfs: don't wrap around quota ids in dqiterate [+ + +]
Author: Darrick J. Wong <[email protected]>
Date:   Mon Jul 13 23:04:55 2026 -0700

    xfs: don't wrap around quota ids in dqiterate
    
    commit d766e4e5e85d829629c3ba503802fe1303d7b591 upstream.
    
    LOLLM noticed that q_id is an unsigned 32-bit variable.  If it happens
    to be set to XFS_DQ_ID_MAX due to a filesystem that actually has a dquot
    for ID_MAX, then this addition will truncate to zero and the iteration
    starts over.  Fix this by casting to u64.
    
    Cc: [email protected] # v6.8
    Fixes: 21d7500929c8a0 ("xfs: improve dquot iteration for scrub")
    Signed-off-by: "Darrick J. Wong" <[email protected]>
    Assisted-by: LOLLM # finding obvious bugs
    Reviewed-by: Christoph Hellwig <[email protected]>
    Signed-off-by: Carlos Maiolino <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

xfs: don't zap bmbt forks if they are MAXLEVELS tall [+ + +]
Author: Darrick J. Wong <[email protected]>
Date:   Mon Jul 13 23:07:30 2026 -0700

    xfs: don't zap bmbt forks if they are MAXLEVELS tall
    
    commit 59c462b0f5cfa107794228051724b34ae9334168 upstream.
    
    LOLLM noticed a discrepancy between the bmbt level checks in the libxfs
    bmbt code vs. the inode repair code.  We do actually allow a bmbt root
    that proclaims to have a height of XFS_BM_MAXLEVELS.
    
    Cc: [email protected] # v6.8
    Fixes: e744cef2060559 ("xfs: zap broken inode forks")
    Signed-off-by: "Darrick J. Wong" <[email protected]>
    Assisted-by: LOLLM # finding obvious bugs
    Reviewed-by: Christoph Hellwig <[email protected]>
    Signed-off-by: Carlos Maiolino <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

xfs: fail recovery on a committed log item with no regions [+ + +]
Author: Weiming Shi <[email protected]>
Date:   Thu Jul 2 09:20:00 2026 -0700

    xfs: fail recovery on a committed log item with no regions
    
    commit 2094dab19d45c487285617b7b68913d0cc0c1211 upstream.
    
    If the first op of a transaction is a bare transaction header
    (len == sizeof(struct xfs_trans_header)), xlog_recover_add_to_trans()
    adds an item but no region, leaving it on r_itemq with ri_cnt == 0 and
    ri_buf == NULL.
    
    The header can be split across op records, so later ops may still add
    regions; the item is only invalid if the transaction commits with none.
    The runtime commit path never emits such a transaction, so this only
    happens on a crafted log.  It came from an AI-assisted code audit of the
    recovery parser.
    
    xlog_recover_reorder_trans() calls ITEM_TYPE() on the item, which reads
    *(unsigned short *)item->ri_buf[0].iov_base and faults on the NULL
    ri_buf.  Reject it there, before the commit handlers that also read
    ri_buf[0].
    
     KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
     RIP: 0010:xlog_recover_reorder_trans (fs/xfs/xfs_log_recover.c:1836)
      xlog_recover_commit_trans (fs/xfs/xfs_log_recover.c:2043)
      xlog_recover_process_data (fs/xfs/xfs_log_recover.c:2501)
      xlog_do_recovery_pass (fs/xfs/xfs_log_recover.c:3244)
      xlog_recover (fs/xfs/xfs_log_recover.c:3493)
      xfs_log_mount (fs/xfs/xfs_log.c:618)
      xfs_mountfs (fs/xfs/xfs_mount.c:1034)
      xfs_fs_fill_super (fs/xfs/xfs_super.c:1938)
      vfs_get_tree (fs/super.c:1695)
      path_mount (fs/namespace.c:4161)
      __x64_sys_mount (fs/namespace.c:4367)
    
    Fixes: 89cebc847729 ("xfs: validate transaction header length on log recovery")
    Cc: [email protected] # v4.3
    Reported-by: Xiang Mei <[email protected]>
    Assisted-by: Claude:claude-opus-4-8
    Signed-off-by: Weiming Shi <[email protected]>
    Reviewed-by: Christoph Hellwig <[email protected]>
    Reviewed-by: "Darrick J. Wong" <[email protected]>
    Signed-off-by: Carlos Maiolino <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

xfs: fix exchmaps reservation limit check [+ + +]
Author: Yingjie Gao <[email protected]>
Date:   Thu Jun 4 20:03:17 2026 +0800

    xfs: fix exchmaps reservation limit check
    
    commit 0a5213bbff62b51c7d4999ac8c7e11ea57d00d45 upstream.
    
    xfs_exchmaps_estimate_overhead() adds the bmbt and rmapbt
    overhead to a local resblks variable, but the final UINT_MAX
    check still tests req->resblks.  That is the reservation value
    from before the overhead was added.
    
    The computed value is stored back in req->resblks and later passed
    to xfs_trans_alloc(), whose block reservation argument is unsigned
    int.  Check the computed reservation so the existing limit applies
    to the value that will be used.
    
    Fixes: 966ceafc7a43 ("xfs: create deferred log items for file mapping exchanges")
    Cc: [email protected] # v6.10
    Signed-off-by: Yingjie Gao <[email protected]>
    Reviewed-by: "Darrick J. Wong" <[email protected]>
    Signed-off-by: Carlos Maiolino <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

xfs: fix null pointer dereference in tracepoint [+ + +]
Author: Andrey Albershteyn <[email protected]>
Date:   Thu Jul 9 17:24:07 2026 +0200

    xfs: fix null pointer dereference in tracepoint
    
    commit 9202ee546b0cd71004eed7598546efe4660097da upstream.
    
    If dfp is not NULL we exit early here, when dfp is NULL it's allocated
    in xfs_defer_alloc() but not assigned. The tracepoint tries to
    dereference members of dfp struct.
    
    Signed-off-by: Andrey Albershteyn <[email protected]>
    Cc: [email protected] # v6.8
    Fixes: 3f3cec031099c3 ("xfs: force small EFIs for reaping btree extents")
    Reviewed-by: "Darrick J. Wong" <[email protected]>
    Signed-off-by: Carlos Maiolino <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

xfs: fix pointer arithmetic error on 32-bit systems [+ + +]
Author: Darrick J. Wong <[email protected]>
Date:   Tue Jun 9 21:57:24 2026 -0700

    xfs: fix pointer arithmetic error on 32-bit systems
    
    commit 84eec3f7fc73144d1a230c9e8ad92721e37dcaab upstream.
    
    The translation of the old XFS_BMBT_KEY_ADDR macro into a static
    function is not correct on 32-bit systems because the sizeof() argument
    went from being a xfs_bmbt_key_t (i.e. a struct) to a (struct
    xfs_bmbt_key *) (i.e. a pointer to the same struct).  On 64-bit systems
    this turns out ok because they are the same size, but on 32-bit systems
    this is catastrophic because they are not the same size.  So far there
    have been no complaints, most likely because the xfs developers urge
    against running it on 32-bit systems.  But this needs fixing asap.
    
    Cc: [email protected] # v6.12
    Fixes: 79124b37400635 ("xfs: replace shouty XFS_BM{BT,DR} macros")
    Signed-off-by: "Darrick J. Wong" <[email protected]>
    Reviewed-by: Christoph Hellwig <[email protected]>
    Signed-off-by: Carlos Maiolino <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

xfs: fix unreachable BIGTIME check in dquot flush validation [+ + +]
Author: Alexey Nepomnyashih <[email protected]>
Date:   Wed Jun 3 20:41:47 2026 +0000

    xfs: fix unreachable BIGTIME check in dquot flush validation
    
    commit 03866d130ed33ab68cc7faaf4bf2c4abef96d42e upstream.
    
    The dqp->q_id == 0 check inside the XFS_DQTYPE_BIGTIME block is
    unreachable because root dquots return successfully earlier. Reject root
    dquots with XFS_DQTYPE_BIGTIME before that early return, preserving the
    intended validation and removing the unreachable condition.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: 4ea1ff3b4968 ("xfs: widen ondisk quota expiration timestamps to handle y2038+")
    Cc: [email protected] # v5.10+
    Signed-off-by: Alexey Nepomnyashih <[email protected]>
    Reviewed-by: "Darrick J. Wong" <[email protected]>
    Reviewed-by: Allison Henderson <[email protected]>
    Signed-off-by: Carlos Maiolino <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

xfs: fully check the parent handle when it points to the rootdir [+ + +]
Author: Darrick J. Wong <[email protected]>
Date:   Mon Jul 13 23:06:59 2026 -0700

    xfs: fully check the parent handle when it points to the rootdir
    
    commit ba150ce63453ccd74bae1404c1dfedbd01ecfd55 upstream.
    
    LOLLM noticed that the directory tree path checking declares the path to
    be ok if the inumber in the parent pointer reaches the root directory.
    Unfortunately, it neglects to check that the generation is correct.  Fix
    that by moving the generation check up.
    
    Cc: [email protected] # v6.10
    Fixes: 928b721a11789a ("xfs: teach online scrub to find directory tree structure problems")
    Signed-off-by: "Darrick J. Wong" <[email protected]>
    Assisted-by: LOLLM # finding obvious bugs
    Reviewed-by: Christoph Hellwig <[email protected]>
    Signed-off-by: Carlos Maiolino <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

xfs: release dquot buffer after dqflush failure [+ + +]
Author: Yingjie Gao <[email protected]>
Date:   Thu Jun 25 21:16:23 2026 +0800

    xfs: release dquot buffer after dqflush failure
    
    commit 0c1b3a823a22af623d55f225fe2ac7e8b9052821 upstream.
    
    xfs_qm_dqpurge() gets a locked buffer from xfs_dquot_use_attached_buf().
    If xfs_qm_dqflush() fails, the error path skips xfs_buf_relse() and then
    calls xfs_dquot_detach_buf(), which tries to lock the same buffer again.
    
    Release the buffer after xfs_qm_dqflush() returns so the error path drops
    the caller hold and unlocks the buffer before the dquot is detached,
    matching the other dqflush callers.
    
    Fixes: a40fe30868ba ("xfs: separate dquot buffer reads from xfs_dqflush")
    Cc: [email protected] # v6.13+
    Signed-off-by: Yingjie Gao <[email protected]>
    Reviewed-by: "Darrick J. Wong" <[email protected]>
    Signed-off-by: Carlos Maiolino <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

xfs: resample the data fork mapping after cycling ILOCK [+ + +]
Author: Darrick J. Wong <[email protected]>
Date:   Mon Jul 13 23:03:44 2026 -0700

    xfs: resample the data fork mapping after cycling ILOCK
    
    commit 2f4acd0fcd862e22eab45690ec2c08c80b6ef2e7 upstream.
    
    xfs_reflink_fill_{cow_hole,delalloc} are both presented with an inode,
    a data fork mapping, and a cow fork mapping.  Unfortunately, these two
    helpers cycle the ILOCK to grab a transaction, which means that the
    mappings are stale as soon as we reacquire the ILOCK.  Currently we
    refresh the cow fork mapping by re-calling xfs_find_trim_cow_extent, but
    we don't refresh the data fork mapping beforehand, which means that the
    xfs_bmap_trim_cow in that function queries the refcount btree about the
    wrong physical blocks and returns an inaccurate value in *shared.
    
    If *shared is now false, the directio write proceeds with a stale data
    fork mapping.  Fix this by querying the data fork mapping if the
    sequence counter changes across the ILOCK cycle.
    
    Cc: [email protected]
    Cc: [email protected] # v4.11
    Fixes: 3c68d44a2b49a0 ("xfs: allocate direct I/O COW blocks in iomap_begin")
    Signed-off-by: "Darrick J. Wong" <[email protected]>
    Reviewed-by: Christoph Hellwig <[email protected]>
    Reviewed-by: Carlos Maiolino <[email protected]>
    Signed-off-by: Carlos Maiolino <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

xfs: set xfarray killable sort correctly [+ + +]
Author: Darrick J. Wong <[email protected]>
Date:   Mon Jul 13 23:06:12 2026 -0700

    xfs: set xfarray killable sort correctly
    
    commit 540ddc626245f12f56326ee0c1601f71ebb41d64 upstream.
    
    LOLLM noticed that we *disable* interruptible sorts when the KILLABLE
    flag is set.  This is backwards.  Fix the incorrect logic, and rename
    the variable to make the connection more obvious.
    
    Cc: [email protected] # v6.10
    Fixes: 271557de7cbfde ("xfs: reduce the rate of cond_resched calls inside scrub")
    Signed-off-by: "Darrick J. Wong" <[email protected]>
    Assisted-by: LOLLM # finding obvious bugs
    Reviewed-by: Christoph Hellwig <[email protected]>
    Signed-off-by: Carlos Maiolino <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

xfs: use null daddr for unset first bad log block [+ + +]
Author: Yousef Alhouseen <[email protected]>
Date:   Tue Jun 30 12:06:07 2026 +0200

    xfs: use null daddr for unset first bad log block
    
    commit cc9af5e461ea5f6e37738f3f1e41c45a9b7f45d6 upstream.
    
    xlog_do_recovery_pass() may return before setting first_bad.  The caller
    must distinguish that case from an error at a valid log block, including
    block zero after the log wraps.
    
    Initialize first_bad to XFS_BUF_DADDR_NULL and test it explicitly before
    treating the error as a torn write.
    
    Fixes: 7088c4136fa1 ("xfs: detect and trim torn writes during log recovery")
    Suggested-by: Darrick J. Wong <[email protected]>
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=b7dfbed0c6c2b5e9fd34
    Cc: [email protected] # v4.5
    Signed-off-by: Yousef Alhouseen <[email protected]>
    Reviewed-by: "Darrick J. Wong" <[email protected]>
    Signed-off-by: Carlos Maiolino <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>