6.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 21 Jul 2025 11:26:16 +0000 (13:26 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 21 Jul 2025 11:26:16 +0000 (13:26 +0200)
added patches:
comedi-pcl812-fix-bit-shift-out-of-bounds.patch
iio-accel-fxls8962af-fix-use-after-free-in-fxls8962af_fifo_flush.patch
iio-adc-axp20x_adc-add-missing-sentinel-to-axp717-adc-channel-maps.patch
iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch
iio-adc-max1363-reorder-mode_list-entries.patch
iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch
iio-backend-fix-out-of-bound-write.patch
iio-common-st_sensors-fix-use-of-uninitialize-device-structs.patch
s390-bpf-fix-bpf_arch_text_poke-with-new_addr-null-again.patch
smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch
soc-aspeed-lpc-snoop-cleanup-resources-in-stack-order.patch
soc-aspeed-lpc-snoop-don-t-disable-channels-that-aren-t-enabled.patch

13 files changed:
queue-6.12/comedi-pcl812-fix-bit-shift-out-of-bounds.patch [new file with mode: 0644]
queue-6.12/iio-accel-fxls8962af-fix-use-after-free-in-fxls8962af_fifo_flush.patch [new file with mode: 0644]
queue-6.12/iio-adc-axp20x_adc-add-missing-sentinel-to-axp717-adc-channel-maps.patch [new file with mode: 0644]
queue-6.12/iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch [new file with mode: 0644]
queue-6.12/iio-adc-max1363-reorder-mode_list-entries.patch [new file with mode: 0644]
queue-6.12/iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch [new file with mode: 0644]
queue-6.12/iio-backend-fix-out-of-bound-write.patch [new file with mode: 0644]
queue-6.12/iio-common-st_sensors-fix-use-of-uninitialize-device-structs.patch [new file with mode: 0644]
queue-6.12/s390-bpf-fix-bpf_arch_text_poke-with-new_addr-null-again.patch [new file with mode: 0644]
queue-6.12/series
queue-6.12/smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch [new file with mode: 0644]
queue-6.12/soc-aspeed-lpc-snoop-cleanup-resources-in-stack-order.patch [new file with mode: 0644]
queue-6.12/soc-aspeed-lpc-snoop-don-t-disable-channels-that-aren-t-enabled.patch [new file with mode: 0644]

diff --git a/queue-6.12/comedi-pcl812-fix-bit-shift-out-of-bounds.patch b/queue-6.12/comedi-pcl812-fix-bit-shift-out-of-bounds.patch
new file mode 100644 (file)
index 0000000..85c9bdb
--- /dev/null
@@ -0,0 +1,43 @@
+From b14b076ce593f72585412fc7fd3747e03a5e3632 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 7 Jul 2025 14:34:29 +0100
+Subject: comedi: pcl812: Fix bit shift out of bounds
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit b14b076ce593f72585412fc7fd3747e03a5e3632 upstream.
+
+When checking for a supported IRQ number, the following test is used:
+
+       if ((1 << it->options[1]) & board->irq_bits) {
+
+However, `it->options[i]` is an unchecked `int` value from userspace, so
+the shift amount could be negative or out of bounds.  Fix the test by
+requiring `it->options[1]` to be within bounds before proceeding with
+the original test.  Valid `it->options[1]` values that select the IRQ
+will be in the range [1,15]. The value 0 explicitly disables the use of
+interrupts.
+
+Reported-by: syzbot+32de323b0addb9e114ff@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=32de323b0addb9e114ff
+Fixes: fcdb427bc7cf ("Staging: comedi: add pcl821 driver")
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20250707133429.73202-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/pcl812.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/comedi/drivers/pcl812.c
++++ b/drivers/comedi/drivers/pcl812.c
+@@ -1149,7 +1149,8 @@ static int pcl812_attach(struct comedi_d
+               if (IS_ERR(dev->pacer))
+                       return PTR_ERR(dev->pacer);
+-              if ((1 << it->options[1]) & board->irq_bits) {
++              if (it->options[1] > 0 && it->options[1] < 16 &&
++                  (1 << it->options[1]) & board->irq_bits) {
+                       ret = request_irq(it->options[1], pcl812_interrupt, 0,
+                                         dev->board_name, dev);
+                       if (ret == 0)
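Review bot: The new bound in pcl812_attach() hard-codes `16` without saying where it comes from, and the shift that follows is still done on a signed `1`. A comment such as `/* options[1] comes from userspace: 0 = no IRQ, 1..15 = IRQ line; reject anything else before shifting */` would record the contract the commit message describes. Writing the mask test as `BIT(it->options[1]) & board->irq_bits` would keep it unsigned. The range check itself looks sufficient for the reported out-of-bounds shift. pcl812_attach() starts and continues outside the hunk, so any other use of `it->options[]` as a shift amount or index is not visible here.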
diff --git a/queue-6.12/iio-accel-fxls8962af-fix-use-after-free-in-fxls8962af_fifo_flush.patch b/queue-6.12/iio-accel-fxls8962af-fix-use-after-free-in-fxls8962af_fifo_flush.patch
new file mode 100644 (file)
index 0000000..7d8617e
--- /dev/null
@@ -0,0 +1,48 @@
+From 1fe16dc1a2f5057772e5391ec042ed7442966c9a Mon Sep 17 00:00:00 2001
+From: Sean Nyekjaer <sean@geanix.com>
+Date: Tue, 3 Jun 2025 14:25:44 +0200
+Subject: iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush
+
+From: Sean Nyekjaer <sean@geanix.com>
+
+commit 1fe16dc1a2f5057772e5391ec042ed7442966c9a upstream.
+
+fxls8962af_fifo_flush() uses indio_dev->active_scan_mask (with
+iio_for_each_active_channel()) without making sure the indio_dev
+stays in buffer mode.
+There is a race if indio_dev exits buffer mode in the middle of the
+interrupt that flushes the fifo. Fix this by calling
+synchronize_irq() to ensure that no interrupt is currently running when
+disabling buffer mode.
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read
+[...]
+_find_first_bit_le from fxls8962af_fifo_flush+0x17c/0x290
+fxls8962af_fifo_flush from fxls8962af_interrupt+0x80/0x178
+fxls8962af_interrupt from irq_thread_fn+0x1c/0x7c
+irq_thread_fn from irq_thread+0x110/0x1f4
+irq_thread from kthread+0xe0/0xfc
+kthread from ret_from_fork+0x14/0x2c
+
+Fixes: 79e3a5bdd9ef ("iio: accel: fxls8962af: add hw buffered sampling")
+Cc: stable@vger.kernel.org
+Suggested-by: David Lechner <dlechner@baylibre.com>
+Signed-off-by: Sean Nyekjaer <sean@geanix.com>
+Link: https://patch.msgid.link/20250603-fxlsrace-v2-1-5381b36ba1db@geanix.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/accel/fxls8962af-core.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/accel/fxls8962af-core.c
++++ b/drivers/iio/accel/fxls8962af-core.c
+@@ -865,6 +865,8 @@ static int fxls8962af_buffer_predisable(
+       if (ret)
+               return ret;
++      synchronize_irq(data->irq);
++
+       ret = __fxls8962af_fifo_set_mode(data, false);
+       if (data->enable_event)
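Review bot: The added `synchronize_irq(data->irq);` in fxls8962af_buffer_predisable() only waits for a handler that is already running, so it closes the race only if the sensor can no longer raise a FIFO interrupt once it returns. That presumably depends on the call whose `ret` is checked just above, which is outside the hunk, having quiesced the device. Once that is confirmed, a comment would pin the ordering, e.g. `/* no new FIFO interrupt can fire past this point; wait for a running handler before buffer mode is torn down */`. It is also worth confirming that `data->irq` is always a valid line whenever these buffer ops are registered. The function starts and ends outside the hunk.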
diff --git a/queue-6.12/iio-adc-axp20x_adc-add-missing-sentinel-to-axp717-adc-channel-maps.patch b/queue-6.12/iio-adc-axp20x_adc-add-missing-sentinel-to-axp717-adc-channel-maps.patch
new file mode 100644 (file)
index 0000000..7f44c6b
--- /dev/null
@@ -0,0 +1,34 @@
+From 3281ddcea6429f7bc1fdb39d407752dd1371aba9 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Sat, 7 Jun 2025 21:56:27 +0800
+Subject: iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+commit 3281ddcea6429f7bc1fdb39d407752dd1371aba9 upstream.
+
+The AXP717 ADC channel maps is missing a sentinel entry at the end. This
+causes a KASAN warning.
+
+Add the missing sentinel entry.
+
+Fixes: 5ba0cb92584b ("iio: adc: axp20x_adc: add support for AXP717 ADC")
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Link: https://patch.msgid.link/20250607135627.2086850-1-wens@kernel.org
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/axp20x_adc.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/adc/axp20x_adc.c
++++ b/drivers/iio/adc/axp20x_adc.c
+@@ -217,6 +217,7 @@ static struct iio_map axp717_maps[] = {
+               .consumer_channel = "batt_chrg_i",
+               .adc_channel_label = "batt_chrg_i",
+       },
++      { }
+ };
+ /*
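Review bot: The bare `{ }` terminator added to axp717_maps[] is easy to mistake for a leftover and delete again. Writing it as `{ /* sentinel */ }` would mark it as the end-of-array entry whose absence caused the KASAN report. The other iio_map tables in this file are outside the hunk and worth a quick check for the same terminator.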
diff --git a/queue-6.12/iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch b/queue-6.12/iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch
new file mode 100644 (file)
index 0000000..0733441
--- /dev/null
@@ -0,0 +1,93 @@
+From 6d21f2c2dd843bceefd9455f2919f6bb526797f0 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@denx.de>
+Date: Fri, 16 May 2025 14:38:59 -0300
+Subject: iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[]
+
+From: Fabio Estevam <festevam@denx.de>
+
+commit 6d21f2c2dd843bceefd9455f2919f6bb526797f0 upstream.
+
+Since commit 2718f15403fb ("iio: sanity check available_scan_masks array"),
+booting a board populated with a MAX11601 results in a flood of warnings:
+
+max1363 1-0064: available_scan_mask 8 subset of 0. Never used
+max1363 1-0064: available_scan_mask 9 subset of 0. Never used
+max1363 1-0064: available_scan_mask 10 subset of 0. Never used
+max1363 1-0064: available_scan_mask 11 subset of 0. Never used
+max1363 1-0064: available_scan_mask 12 subset of 0. Never used
+max1363 1-0064: available_scan_mask 13 subset of 0. Never used
+...
+
+These warnings are caused by incorrect offsets used for differential
+channels in the MAX1363_4X_CHANS() and MAX1363_8X_CHANS() macros.
+
+The max1363_mode_table[] defines the differential channel mappings as
+follows:
+
+MAX1363_MODE_DIFF_SINGLE(0, 1, 1 << 12),
+MAX1363_MODE_DIFF_SINGLE(2, 3, 1 << 13),
+MAX1363_MODE_DIFF_SINGLE(4, 5, 1 << 14),
+MAX1363_MODE_DIFF_SINGLE(6, 7, 1 << 15),
+MAX1363_MODE_DIFF_SINGLE(8, 9, 1 << 16),
+MAX1363_MODE_DIFF_SINGLE(10, 11, 1 << 17),
+MAX1363_MODE_DIFF_SINGLE(1, 0, 1 << 18),
+MAX1363_MODE_DIFF_SINGLE(3, 2, 1 << 19),
+MAX1363_MODE_DIFF_SINGLE(5, 4, 1 << 20),
+MAX1363_MODE_DIFF_SINGLE(7, 6, 1 << 21),
+MAX1363_MODE_DIFF_SINGLE(9, 8, 1 << 22),
+MAX1363_MODE_DIFF_SINGLE(11, 10, 1 << 23),
+
+Update the macros to follow this same pattern, ensuring that the scan masks
+are valid and preventing the warnings.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Fabio Estevam <festevam@denx.de>
+Acked-by: Matti Vaittinen <mazziesaccount@gmail.com>
+Link: https://patch.msgid.link/20250516173900.677821-1-festevam@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/max1363.c |   24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/drivers/iio/adc/max1363.c
++++ b/drivers/iio/adc/max1363.c
+@@ -504,10 +504,10 @@ static const struct iio_event_spec max13
+       MAX1363_CHAN_U(1, _s1, 1, bits, ev_spec, num_ev_spec),          \
+       MAX1363_CHAN_U(2, _s2, 2, bits, ev_spec, num_ev_spec),          \
+       MAX1363_CHAN_U(3, _s3, 3, bits, ev_spec, num_ev_spec),          \
+-      MAX1363_CHAN_B(0, 1, d0m1, 4, bits, ev_spec, num_ev_spec),      \
+-      MAX1363_CHAN_B(2, 3, d2m3, 5, bits, ev_spec, num_ev_spec),      \
+-      MAX1363_CHAN_B(1, 0, d1m0, 6, bits, ev_spec, num_ev_spec),      \
+-      MAX1363_CHAN_B(3, 2, d3m2, 7, bits, ev_spec, num_ev_spec),      \
++      MAX1363_CHAN_B(0, 1, d0m1, 12, bits, ev_spec, num_ev_spec),     \
++      MAX1363_CHAN_B(2, 3, d2m3, 13, bits, ev_spec, num_ev_spec),     \
++      MAX1363_CHAN_B(1, 0, d1m0, 18, bits, ev_spec, num_ev_spec),     \
++      MAX1363_CHAN_B(3, 2, d3m2, 19, bits, ev_spec, num_ev_spec),     \
+       IIO_CHAN_SOFT_TIMESTAMP(8)                                      \
+       }
+@@ -602,14 +602,14 @@ static const enum max1363_modes max11608
+       MAX1363_CHAN_U(5, _s5, 5, bits, NULL, 0),       \
+       MAX1363_CHAN_U(6, _s6, 6, bits, NULL, 0),       \
+       MAX1363_CHAN_U(7, _s7, 7, bits, NULL, 0),       \
+-      MAX1363_CHAN_B(0, 1, d0m1, 8, bits, NULL, 0),   \
+-      MAX1363_CHAN_B(2, 3, d2m3, 9, bits, NULL, 0),   \
+-      MAX1363_CHAN_B(4, 5, d4m5, 10, bits, NULL, 0),  \
+-      MAX1363_CHAN_B(6, 7, d6m7, 11, bits, NULL, 0),  \
+-      MAX1363_CHAN_B(1, 0, d1m0, 12, bits, NULL, 0),  \
+-      MAX1363_CHAN_B(3, 2, d3m2, 13, bits, NULL, 0),  \
+-      MAX1363_CHAN_B(5, 4, d5m4, 14, bits, NULL, 0),  \
+-      MAX1363_CHAN_B(7, 6, d7m6, 15, bits, NULL, 0),  \
++      MAX1363_CHAN_B(0, 1, d0m1, 12, bits, NULL, 0),  \
++      MAX1363_CHAN_B(2, 3, d2m3, 13, bits, NULL, 0),  \
++      MAX1363_CHAN_B(4, 5, d4m5, 14, bits, NULL, 0),  \
++      MAX1363_CHAN_B(6, 7, d6m7, 15, bits, NULL, 0),  \
++      MAX1363_CHAN_B(1, 0, d1m0, 18, bits, NULL, 0),  \
++      MAX1363_CHAN_B(3, 2, d3m2, 19, bits, NULL, 0),  \
++      MAX1363_CHAN_B(5, 4, d5m4, 20, bits, NULL, 0),  \
++      MAX1363_CHAN_B(7, 6, d7m6, 21, bits, NULL, 0),  \
+       IIO_CHAN_SOFT_TIMESTAMP(16)                     \
+ }
+ static const struct iio_chan_spec max11602_channels[] = MAX1363_8X_CHANS(8);
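Review bot: `IIO_CHAN_SOFT_TIMESTAMP(8)` in MAX1363_4X_CHANS() and `IIO_CHAN_SOFT_TIMESTAMP(16)` in MAX1363_8X_CHANS() keep their old scan indices while the differential channels move up to 12–19 and 12–21, so the timestamp index is now lower than some data channels. Whether that affects the buffer layout seen by userspace depends on code not visible here, but it should be confirmed or explained in a comment. The new indices are also bare numbers that have to match the bit positions listed for max1363_mode_table[] in the commit message. A comment on both macros such as `/* scan_index of a differential channel == bit position of its mode in max1363_mode_table[] */` would keep them from drifting again. Both macros begin outside the hunks.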
diff --git a/queue-6.12/iio-adc-max1363-reorder-mode_list-entries.patch b/queue-6.12/iio-adc-max1363-reorder-mode_list-entries.patch
new file mode 100644 (file)
index 0000000..22bbfea
--- /dev/null
@@ -0,0 +1,91 @@
+From 8d8d7c1dbc46aa07a76acab7336a42ddd900be10 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@denx.de>
+Date: Fri, 16 May 2025 14:39:00 -0300
+Subject: iio: adc: max1363: Reorder mode_list[] entries
+
+From: Fabio Estevam <festevam@denx.de>
+
+commit 8d8d7c1dbc46aa07a76acab7336a42ddd900be10 upstream.
+
+The IIO core issues warnings when a scan mask is a subset of a previous
+entry in the available_scan_masks array.
+
+On a board using a MAX11601, the following warning is observed:
+
+max1363 1-0064: available_scan_mask 7 subset of 6. Never used
+
+This occurs because the entries in the max11607_mode_list[] array are not
+ordered correctly. To fix this, reorder the entries so that no scan mask is
+a subset of an earlier one.
+
+While at it, reorder the mode_list[] arrays for other supported chips as
+well, to prevent similar warnings on different variants.
+
+Note fixes tag dropped as these were introduced over many commits a long
+time back and the side effect until recently was a reduction in sampling
+rate due to reading too many channels when only a few were desired.
+Now we have a sanity check that reports this error but that is not
+where the issue was introduced.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Fabio Estevam <festevam@denx.de>
+Acked-by: Matti Vaittinen <mazziesaccount@gmail.com>
+Link: https://patch.msgid.link/20250516173900.677821-2-festevam@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/max1363.c |   19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/iio/adc/max1363.c
++++ b/drivers/iio/adc/max1363.c
+@@ -525,23 +525,23 @@ static const struct iio_chan_spec max136
+ /* Applies to max1236, max1237 */
+ static const enum max1363_modes max1236_mode_list[] = {
+       _s0, _s1, _s2, _s3,
+-      s0to1, s0to2, s0to3,
++      s0to1, s0to2, s2to3, s0to3,
+       d0m1, d2m3, d1m0, d3m2,
+       d0m1to2m3, d1m0to3m2,
+-      s2to3,
+ };
+ /* Applies to max1238, max1239 */
+ static const enum max1363_modes max1238_mode_list[] = {
+       _s0, _s1, _s2, _s3, _s4, _s5, _s6, _s7, _s8, _s9, _s10, _s11,
+       s0to1, s0to2, s0to3, s0to4, s0to5, s0to6,
++      s6to7, s6to8, s6to9, s6to10, s6to11,
+       s0to7, s0to8, s0to9, s0to10, s0to11,
+       d0m1, d2m3, d4m5, d6m7, d8m9, d10m11,
+       d1m0, d3m2, d5m4, d7m6, d9m8, d11m10,
+-      d0m1to2m3, d0m1to4m5, d0m1to6m7, d0m1to8m9, d0m1to10m11,
+-      d1m0to3m2, d1m0to5m4, d1m0to7m6, d1m0to9m8, d1m0to11m10,
+-      s6to7, s6to8, s6to9, s6to10, s6to11,
+-      d6m7to8m9, d6m7to10m11, d7m6to9m8, d7m6to11m10,
++      d0m1to2m3, d0m1to4m5, d0m1to6m7, d6m7to8m9,
++      d0m1to8m9, d6m7to10m11, d0m1to10m11, d1m0to3m2,
++      d1m0to5m4, d1m0to7m6, d7m6to9m8, d1m0to9m8,
++      d7m6to11m10, d1m0to11m10,
+ };
+ #define MAX1363_12X_CHANS(bits) {                             \
+@@ -577,16 +577,15 @@ static const struct iio_chan_spec max123
+ static const enum max1363_modes max11607_mode_list[] = {
+       _s0, _s1, _s2, _s3,
+-      s0to1, s0to2, s0to3,
+-      s2to3,
++      s0to1, s0to2, s2to3,
++      s0to3,
+       d0m1, d2m3, d1m0, d3m2,
+       d0m1to2m3, d1m0to3m2,
+ };
+ static const enum max1363_modes max11608_mode_list[] = {
+       _s0, _s1, _s2, _s3, _s4, _s5, _s6, _s7,
+-      s0to1, s0to2, s0to3, s0to4, s0to5, s0to6, s0to7,
+-      s6to7,
++      s0to1, s0to2, s0to3, s0to4, s0to5, s0to6, s6to7, s0to7,
+       d0m1, d2m3, d4m5, d6m7,
+       d1m0, d3m2, d5m4, d7m6,
+       d0m1to2m3, d0m1to4m5, d0m1to6m7,
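Review bot: The ordering rule these mode_list[] arrays now depend on is not written down anywhere in the hunks. Per the commit message, an entry whose scan mask is a subset of an earlier entry is reported as never used. A comment above max1236_mode_list[], repeated or referenced on the other lists, would stop a later addition from reintroducing the warning: `/* Order matters: no entry's scan mask may be a subset of an earlier entry's mask */`. The max11608_mode_list[] initializer continues past the end of the last hunk.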
diff --git a/queue-6.12/iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch b/queue-6.12/iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch
new file mode 100644 (file)
index 0000000..88b4f26
--- /dev/null
@@ -0,0 +1,45 @@
+From e8ad595064f6ebd5d2d1a5d5d7ebe0efce623091 Mon Sep 17 00:00:00 2001
+From: Chen Ni <nichen@iscas.ac.cn>
+Date: Thu, 15 May 2025 16:31:01 +0800
+Subject: iio: adc: stm32-adc: Fix race in installing chained IRQ handler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+commit e8ad595064f6ebd5d2d1a5d5d7ebe0efce623091 upstream.
+
+Fix a race where a pending interrupt could be received and the handler
+called before the handler's data has been setup, by converting to
+irq_set_chained_handler_and_data().
+
+Fixes: 1add69880240 ("iio: adc: Add support for STM32 ADC core")
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Tested-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Reviewed-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Link: https://patch.msgid.link/20250515083101.3811350-1-nichen@iscas.ac.cn
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/stm32-adc-core.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/adc/stm32-adc-core.c
++++ b/drivers/iio/adc/stm32-adc-core.c
+@@ -429,10 +429,9 @@ static int stm32_adc_irq_probe(struct pl
+               return -ENOMEM;
+       }
+-      for (i = 0; i < priv->cfg->num_irqs; i++) {
+-              irq_set_chained_handler(priv->irq[i], stm32_adc_irq_handler);
+-              irq_set_handler_data(priv->irq[i], priv);
+-      }
++      for (i = 0; i < priv->cfg->num_irqs; i++)
++              irq_set_chained_handler_and_data(priv->irq[i],
++                                               stm32_adc_irq_handler, priv);
+       return 0;
+ }
diff --git a/queue-6.12/iio-backend-fix-out-of-bound-write.patch b/queue-6.12/iio-backend-fix-out-of-bound-write.patch
new file mode 100644 (file)
index 0000000..ac6efc5
--- /dev/null
@@ -0,0 +1,48 @@
+From da9374819eb3885636934c1006d450c3cb1a02ed Mon Sep 17 00:00:00 2001
+From: Markus Burri <markus.burri@mt.com>
+Date: Thu, 8 May 2025 15:06:07 +0200
+Subject: iio: backend: fix out-of-bound write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Markus Burri <markus.burri@mt.com>
+
+commit da9374819eb3885636934c1006d450c3cb1a02ed upstream.
+
+The buffer is set to 80 character. If a caller write more characters,
+count is truncated to the max available space in "simple_write_to_buffer".
+But afterwards a string terminator is written to the buffer at offset count
+without boundary check. The zero termination is written OUT-OF-BOUND.
+
+Add a check that the given buffer is smaller then the buffer to prevent.
+
+Fixes: 035b4989211d ("iio: backend: make sure to NULL terminate stack buffer")
+Signed-off-by: Markus Burri <markus.burri@mt.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://patch.msgid.link/20250508130612.82270-2-markus.burri@mt.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/industrialio-backend.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/industrialio-backend.c
++++ b/drivers/iio/industrialio-backend.c
+@@ -155,11 +155,14 @@ static ssize_t iio_backend_debugfs_write
+       ssize_t rc;
+       int ret;
++      if (count >= sizeof(buf))
++              return -ENOSPC;
++
+       rc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count);
+       if (rc < 0)
+               return rc;
+-      buf[count] = '\0';
++      buf[rc] = '\0';
+       ret = sscanf(buf, "%i %i", &back->cached_reg_addr, &val);
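Review bot: The terminator in this debugfs write handler is now written at `buf[rc]`, but simple_write_to_buffer() copies to `buf + *ppos`. A write issued at a non-zero file offset therefore leaves the bytes before that offset untouched and puts the NUL in the wrong place. Unless `buf` is zero-initialised at its declaration, which is outside the hunk, sscanf() would then parse stale stack contents into `back->cached_reg_addr` and `val`. Rejecting offset writes up front keeps the parse well defined: `if (*ppos != 0) return -EINVAL;` placed next to the new `count >= sizeof(buf)` check. The function starts and ends outside the hunk.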
diff --git a/queue-6.12/iio-common-st_sensors-fix-use-of-uninitialize-device-structs.patch b/queue-6.12/iio-common-st_sensors-fix-use-of-uninitialize-device-structs.patch
new file mode 100644 (file)
index 0000000..8ca2e94
--- /dev/null
@@ -0,0 +1,282 @@
+From 9f92e93e257b33e73622640a9205f8642ec16ddd Mon Sep 17 00:00:00 2001
+From: Maud Spierings <maudspierings@gocontroll.com>
+Date: Tue, 27 May 2025 08:36:08 +0200
+Subject: iio: common: st_sensors: Fix use of uninitialize device structs
+
+From: Maud Spierings <maudspierings@gocontroll.com>
+
+commit 9f92e93e257b33e73622640a9205f8642ec16ddd upstream.
+
+Throughout the various probe functions &indio_dev->dev is used before it
+is initialized. This caused a kernel panic in st_sensors_power_enable()
+when the call to devm_regulator_bulk_get_enable() fails and then calls
+dev_err_probe() with the uninitialized device.
+
+This seems to only cause a panic with dev_err_probe(), dev_err(),
+dev_warn() and dev_info() don't seem to cause a panic, but are fixed
+as well.
+
+The issue is reported and traced here: [1]
+
+Link: https://lore.kernel.org/all/AM7P189MB100986A83D2F28AF3FFAF976E39EA@AM7P189MB1009.EURP189.PROD.OUTLOOK.COM/ [1]
+Cc: stable@vger.kernel.org
+Signed-off-by: Maud Spierings <maudspierings@gocontroll.com>
+Reviewed-by: Andy Shevchenko <andy@kernel.org>
+Link: https://... [1]
+Link: https://patch.msgid.link/20250527-st_iio_fix-v4-1-12d89801c761@gocontroll.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/accel/st_accel_core.c                  |   10 ++---
+ drivers/iio/common/st_sensors/st_sensors_core.c    |   36 +++++++++------------
+ drivers/iio/common/st_sensors/st_sensors_trigger.c |   20 +++++------
+ 3 files changed, 31 insertions(+), 35 deletions(-)
+
+--- a/drivers/iio/accel/st_accel_core.c
++++ b/drivers/iio/accel/st_accel_core.c
+@@ -1353,6 +1353,7 @@ static int apply_acpi_orientation(struct
+       union acpi_object *ont;
+       union acpi_object *elements;
+       acpi_status status;
++      struct device *parent = indio_dev->dev.parent;
+       int ret = -EINVAL;
+       unsigned int val;
+       int i, j;
+@@ -1371,7 +1372,7 @@ static int apply_acpi_orientation(struct
+       };
+-      adev = ACPI_COMPANION(indio_dev->dev.parent);
++      adev = ACPI_COMPANION(parent);
+       if (!adev)
+               return -ENXIO;
+@@ -1380,8 +1381,7 @@ static int apply_acpi_orientation(struct
+       if (status == AE_NOT_FOUND) {
+               return -ENXIO;
+       } else if (ACPI_FAILURE(status)) {
+-              dev_warn(&indio_dev->dev, "failed to execute _ONT: %d\n",
+-                       status);
++              dev_warn(parent, "failed to execute _ONT: %d\n", status);
+               return status;
+       }
+@@ -1457,12 +1457,12 @@ static int apply_acpi_orientation(struct
+       }
+       ret = 0;
+-      dev_info(&indio_dev->dev, "computed mount matrix from ACPI\n");
++      dev_info(parent, "computed mount matrix from ACPI\n");
+ out:
+       kfree(buffer.pointer);
+       if (ret)
+-              dev_dbg(&indio_dev->dev,
++              dev_dbg(parent,
+                       "failed to apply ACPI orientation data: %d\n", ret);
+       return ret;
+--- a/drivers/iio/common/st_sensors/st_sensors_core.c
++++ b/drivers/iio/common/st_sensors/st_sensors_core.c
+@@ -154,7 +154,7 @@ static int st_sensors_set_fullscale(stru
+       return err;
+ st_accel_set_fullscale_error:
+-      dev_err(&indio_dev->dev, "failed to set new fullscale.\n");
++      dev_err(indio_dev->dev.parent, "failed to set new fullscale.\n");
+       return err;
+ }
+@@ -231,8 +231,7 @@ int st_sensors_power_enable(struct iio_d
+                                            ARRAY_SIZE(regulator_names),
+                                            regulator_names);
+       if (err)
+-              return dev_err_probe(&indio_dev->dev, err,
+-                                   "unable to enable supplies\n");
++              return dev_err_probe(parent, err, "unable to enable supplies\n");
+       return 0;
+ }
+@@ -241,13 +240,14 @@ EXPORT_SYMBOL_NS(st_sensors_power_enable
+ static int st_sensors_set_drdy_int_pin(struct iio_dev *indio_dev,
+                                       struct st_sensors_platform_data *pdata)
+ {
++      struct device *parent = indio_dev->dev.parent;
+       struct st_sensor_data *sdata = iio_priv(indio_dev);
+       /* Sensor does not support interrupts */
+       if (!sdata->sensor_settings->drdy_irq.int1.addr &&
+           !sdata->sensor_settings->drdy_irq.int2.addr) {
+               if (pdata->drdy_int_pin)
+-                      dev_info(&indio_dev->dev,
++                      dev_info(parent,
+                                "DRDY on pin INT%d specified, but sensor does not support interrupts\n",
+                                pdata->drdy_int_pin);
+               return 0;
+@@ -256,29 +256,27 @@ static int st_sensors_set_drdy_int_pin(s
+       switch (pdata->drdy_int_pin) {
+       case 1:
+               if (!sdata->sensor_settings->drdy_irq.int1.mask) {
+-                      dev_err(&indio_dev->dev,
+-                                      "DRDY on INT1 not available.\n");
++                      dev_err(parent, "DRDY on INT1 not available.\n");
+                       return -EINVAL;
+               }
+               sdata->drdy_int_pin = 1;
+               break;
+       case 2:
+               if (!sdata->sensor_settings->drdy_irq.int2.mask) {
+-                      dev_err(&indio_dev->dev,
+-                                      "DRDY on INT2 not available.\n");
++                      dev_err(parent, "DRDY on INT2 not available.\n");
+                       return -EINVAL;
+               }
+               sdata->drdy_int_pin = 2;
+               break;
+       default:
+-              dev_err(&indio_dev->dev, "DRDY on pdata not valid.\n");
++              dev_err(parent, "DRDY on pdata not valid.\n");
+               return -EINVAL;
+       }
+       if (pdata->open_drain) {
+               if (!sdata->sensor_settings->drdy_irq.int1.addr_od &&
+                   !sdata->sensor_settings->drdy_irq.int2.addr_od)
+-                      dev_err(&indio_dev->dev,
++                      dev_err(parent,
+                               "open drain requested but unsupported.\n");
+               else
+                       sdata->int_pin_open_drain = true;
+@@ -336,6 +334,7 @@ EXPORT_SYMBOL_NS(st_sensors_dev_name_pro
+ int st_sensors_init_sensor(struct iio_dev *indio_dev,
+                                       struct st_sensors_platform_data *pdata)
+ {
++      struct device *parent = indio_dev->dev.parent;
+       struct st_sensor_data *sdata = iio_priv(indio_dev);
+       struct st_sensors_platform_data *of_pdata;
+       int err = 0;
+@@ -343,7 +342,7 @@ int st_sensors_init_sensor(struct iio_de
+       mutex_init(&sdata->odr_lock);
+       /* If OF/DT pdata exists, it will take precedence of anything else */
+-      of_pdata = st_sensors_dev_probe(indio_dev->dev.parent, pdata);
++      of_pdata = st_sensors_dev_probe(parent, pdata);
+       if (IS_ERR(of_pdata))
+               return PTR_ERR(of_pdata);
+       if (of_pdata)
+@@ -370,7 +369,7 @@ int st_sensors_init_sensor(struct iio_de
+               if (err < 0)
+                       return err;
+       } else
+-              dev_info(&indio_dev->dev, "Full-scale not possible\n");
++              dev_info(parent, "Full-scale not possible\n");
+       err = st_sensors_set_odr(indio_dev, sdata->odr);
+       if (err < 0)
+@@ -405,7 +404,7 @@ int st_sensors_init_sensor(struct iio_de
+                       mask = sdata->sensor_settings->drdy_irq.int2.mask_od;
+               }
+-              dev_info(&indio_dev->dev,
++              dev_info(parent,
+                        "set interrupt line to open drain mode on pin %d\n",
+                        sdata->drdy_int_pin);
+               err = st_sensors_write_data_with_mask(indio_dev, addr,
+@@ -594,21 +593,20 @@ EXPORT_SYMBOL_NS(st_sensors_get_settings
+ int st_sensors_verify_id(struct iio_dev *indio_dev)
+ {
+       struct st_sensor_data *sdata = iio_priv(indio_dev);
++      struct device *parent = indio_dev->dev.parent;
+       int wai, err;
+       if (sdata->sensor_settings->wai_addr) {
+               err = regmap_read(sdata->regmap,
+                                 sdata->sensor_settings->wai_addr, &wai);
+               if (err < 0) {
+-                      dev_err(&indio_dev->dev,
+-                              "failed to read Who-Am-I register.\n");
+-                      return err;
++                      return dev_err_probe(parent, err,
++                                           "failed to read Who-Am-I register.\n");
+               }
+               if (sdata->sensor_settings->wai != wai) {
+-                      dev_warn(&indio_dev->dev,
+-                              "%s: WhoAmI mismatch (0x%x).\n",
+-                              indio_dev->name, wai);
++                      dev_warn(parent, "%s: WhoAmI mismatch (0x%x).\n",
++                               indio_dev->name, wai);
+               }
+       }
+--- a/drivers/iio/common/st_sensors/st_sensors_trigger.c
++++ b/drivers/iio/common/st_sensors/st_sensors_trigger.c
+@@ -127,7 +127,7 @@ int st_sensors_allocate_trigger(struct i
+       sdata->trig = devm_iio_trigger_alloc(parent, "%s-trigger",
+                                            indio_dev->name);
+       if (sdata->trig == NULL) {
+-              dev_err(&indio_dev->dev, "failed to allocate iio trigger.\n");
++              dev_err(parent, "failed to allocate iio trigger.\n");
+               return -ENOMEM;
+       }
+@@ -143,7 +143,7 @@ int st_sensors_allocate_trigger(struct i
+       case IRQF_TRIGGER_FALLING:
+       case IRQF_TRIGGER_LOW:
+               if (!sdata->sensor_settings->drdy_irq.addr_ihl) {
+-                      dev_err(&indio_dev->dev,
++                      dev_err(parent,
+                               "falling/low specified for IRQ but hardware supports only rising/high: will request rising/high\n");
+                       if (irq_trig == IRQF_TRIGGER_FALLING)
+                               irq_trig = IRQF_TRIGGER_RISING;
+@@ -156,21 +156,19 @@ int st_sensors_allocate_trigger(struct i
+                               sdata->sensor_settings->drdy_irq.mask_ihl, 1);
+                       if (err < 0)
+                               return err;
+-                      dev_info(&indio_dev->dev,
++                      dev_info(parent,
+                                "interrupts on the falling edge or active low level\n");
+               }
+               break;
+       case IRQF_TRIGGER_RISING:
+-              dev_info(&indio_dev->dev,
+-                       "interrupts on the rising edge\n");
++              dev_info(parent, "interrupts on the rising edge\n");
+               break;
+       case IRQF_TRIGGER_HIGH:
+-              dev_info(&indio_dev->dev,
+-                       "interrupts active high level\n");
++              dev_info(parent, "interrupts active high level\n");
+               break;
+       default:
+               /* This is the most preferred mode, if possible */
+-              dev_err(&indio_dev->dev,
++              dev_err(parent,
+                       "unsupported IRQ trigger specified (%lx), enforce rising edge\n", irq_trig);
+               irq_trig = IRQF_TRIGGER_RISING;
+       }
+@@ -179,7 +177,7 @@ int st_sensors_allocate_trigger(struct i
+       if (irq_trig == IRQF_TRIGGER_FALLING ||
+           irq_trig == IRQF_TRIGGER_RISING) {
+               if (!sdata->sensor_settings->drdy_irq.stat_drdy.addr) {
+-                      dev_err(&indio_dev->dev,
++                      dev_err(parent,
+                               "edge IRQ not supported w/o stat register.\n");
+                       return -EOPNOTSUPP;
+               }
+@@ -214,13 +212,13 @@ int st_sensors_allocate_trigger(struct i
+                                       sdata->trig->name,
+                                       sdata->trig);
+       if (err) {
+-              dev_err(&indio_dev->dev, "failed to request trigger IRQ.\n");
++              dev_err(parent, "failed to request trigger IRQ.\n");
+               return err;
+       }
+       err = devm_iio_trigger_register(parent, sdata->trig);
+       if (err < 0) {
+-              dev_err(&indio_dev->dev, "failed to register iio trigger.\n");
++              dev_err(parent, "failed to register iio trigger.\n");
+               return err;
+       }
+       indio_dev->trig = iio_trigger_get(sdata->trig);
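Review bot: In apply_acpi_orientation() the rewritten `dev_warn(parent, "failed to execute _ONT: %d\n", status);` still prints an acpi_status, which is an unsigned type, with `%d`. The line after it, `return status;`, still returns a positive ACPI code from a function whose other paths return negative errno values. If callers only test for non-zero this is cosmetic, but since the line is being touched anyway it could become `dev_warn(parent, "failed to execute _ONT: %s\n", acpi_format_exception(status));` followed by `return -EIO;`. Separately, st_sensors_set_fullscale() spells out `indio_dev->dev.parent` inline while every other converted function uses a local `parent`; using the same local there would keep the conversion uniform. Most of the touched functions start or end outside their hunks, so the declaration of `parent` used in st_sensors_power_enable() and st_sensors_allocate_trigger() is not visible here.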
diff --git a/queue-6.12/s390-bpf-fix-bpf_arch_text_poke-with-new_addr-null-again.patch b/queue-6.12/s390-bpf-fix-bpf_arch_text_poke-with-new_addr-null-again.patch
new file mode 100644 (file)
index 0000000..c5ba5cd
--- /dev/null
@@ -0,0 +1,45 @@
+From 6a5abf8cf182f577c7ae6c62f14debc9754ec986 Mon Sep 17 00:00:00 2001
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+Date: Wed, 16 Jul 2025 21:35:06 +0200
+Subject: s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again
+
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+
+commit 6a5abf8cf182f577c7ae6c62f14debc9754ec986 upstream.
+
+Commit 7ded842b356d ("s390/bpf: Fix bpf_plt pointer arithmetic") has
+accidentally removed the critical piece of commit c730fce7c70c
+("s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL"), causing
+intermittent kernel panics in e.g. perf's on_switch() prog to reappear.
+
+Restore the fix and add a comment.
+
+Fixes: 7ded842b356d ("s390/bpf: Fix bpf_plt pointer arithmetic")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250716194524.48109-2-iii@linux.ibm.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/net/bpf_jit_comp.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -544,7 +544,15 @@ static void bpf_jit_plt(struct bpf_plt *
+ {
+       memcpy(plt, &bpf_plt, sizeof(*plt));
+       plt->ret = ret;
+-      plt->target = target;
++      /*
++       * (target == NULL) implies that the branch to this PLT entry was
++       * patched and became a no-op. However, some CPU could have jumped
++       * to this PLT entry before patching and may be still executing it.
++       *
++       * Since the intention in this case is to make the PLT entry a no-op,
++       * make the target point to the return label instead of NULL.
++       */
++      plt->target = target ?: ret;
+ }
+ /*
index 35a99e385e4c5a9e87706a98aef6b34d8c1fbabf..9fb8e094b2ebaba15e4f37bb5d44a3597979fda4 100644 (file)
@@ -60,3 +60,15 @@ net-libwx-remove-duplicate-page_pool_put_full_page.patch
 net-libwx-fix-the-using-of-rx-buffer-dma.patch
 net-libwx-properly-reset-rx-ring-descriptor.patch
 pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch
+s390-bpf-fix-bpf_arch_text_poke-with-new_addr-null-again.patch
+smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch
+soc-aspeed-lpc-snoop-cleanup-resources-in-stack-order.patch
+soc-aspeed-lpc-snoop-don-t-disable-channels-that-aren-t-enabled.patch
+iio-accel-fxls8962af-fix-use-after-free-in-fxls8962af_fifo_flush.patch
+iio-adc-axp20x_adc-add-missing-sentinel-to-axp717-adc-channel-maps.patch
+iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch
+iio-adc-max1363-reorder-mode_list-entries.patch
+iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch
+iio-backend-fix-out-of-bound-write.patch
+iio-common-st_sensors-fix-use-of-uninitialize-device-structs.patch
+comedi-pcl812-fix-bit-shift-out-of-bounds.patch
diff --git a/queue-6.12/smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch b/queue-6.12/smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch
new file mode 100644 (file)
index 0000000..82bd042
--- /dev/null
@@ -0,0 +1,81 @@
+From b220bed63330c0e1733dc06ea8e75d5b9962b6b6 Mon Sep 17 00:00:00 2001
+From: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+Date: Sat, 5 Jul 2025 10:51:18 +0800
+Subject: smb: client: fix use-after-free in crypt_message when using async crypto
+
+From: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+
+commit b220bed63330c0e1733dc06ea8e75d5b9962b6b6 upstream.
+
+The CVE-2024-50047 fix removed asynchronous crypto handling from
+crypt_message(), assuming all crypto operations are synchronous.
+However, when hardware crypto accelerators are used, this can cause
+use-after-free crashes:
+
+  crypt_message()
+    // Allocate the creq buffer containing the req
+    creq = smb2_get_aead_req(..., &req);
+
+    // Async encryption returns -EINPROGRESS immediately
+    rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
+
+    // Free creq while async operation is still in progress
+    kvfree_sensitive(creq, ...);
+
+Hardware crypto modules often implement async AEAD operations for
+performance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS,
+the operation completes asynchronously. Without crypto_wait_req(),
+the function immediately frees the request buffer, leading to crashes
+when the driver later accesses the freed memory.
+
+This results in a use-after-free condition when the hardware crypto
+driver later accesses the freed request structure, leading to kernel
+crashes with NULL pointer dereferences.
+
+The issue occurs because crypto_alloc_aead() with mask=0 doesn't
+guarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in
+the mask, async implementations can be selected.
+
+Fix by restoring the async crypto handling:
+- DECLARE_CRYPTO_WAIT(wait) for completion tracking
+- aead_request_set_callback() for async completion notification
+- crypto_wait_req() to wait for operation completion
+
+This ensures the request buffer isn't freed until the crypto operation
+completes, whether synchronous or asynchronous, while preserving the
+CVE-2024-50047 fix.
+
+Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption")
+Link: https://lore.kernel.org/all/8b784a13-87b0-4131-9ff9-7a8993538749@huaweicloud.com/
+Cc: stable@vger.kernel.org
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2ops.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/smb2ops.c
++++ b/fs/smb/client/smb2ops.c
+@@ -4342,6 +4342,7 @@ crypt_message(struct TCP_Server_Info *se
+       u8 key[SMB3_ENC_DEC_KEY_SIZE];
+       struct aead_request *req;
+       u8 *iv;
++      DECLARE_CRYPTO_WAIT(wait);
+       unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
+       void *creq;
+       size_t sensitive_size;
+@@ -4392,7 +4393,11 @@ crypt_message(struct TCP_Server_Info *se
+       aead_request_set_crypt(req, sg, sg, crypt_len, iv);
+       aead_request_set_ad(req, assoc_data_len);
+-      rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
++      aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
++                                crypto_req_done, &wait);
++
++      rc = crypto_wait_req(enc ? crypto_aead_encrypt(req)
++                              : crypto_aead_decrypt(req), &wait);
+       if (!rc && enc)
+               memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);
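Review bot: The restored wait around `crypto_aead_encrypt()`/`crypto_aead_decrypt()` has no comment in the new code, even though the commit message says this same handling was dropped once before by the CVE-2024-50047 fix, on the assumption that every AEAD operation is synchronous. A short comment above the `aead_request_set_callback()` call would make the lifetime dependency explicit, for example `/* AEAD may complete asynchronously (-EINPROGRESS); wait so creq is not freed while the driver still uses req */`. `crypto_wait_req()` sleeps until the request completes, so the comment should also record that crypt_message() needs a context that may sleep; its callers are outside this hunk and should be checked for that. The body of crypt_message() starts and ends outside the hunk.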
diff --git a/queue-6.12/soc-aspeed-lpc-snoop-cleanup-resources-in-stack-order.patch b/queue-6.12/soc-aspeed-lpc-snoop-cleanup-resources-in-stack-order.patch
new file mode 100644 (file)
index 0000000..fbc20cf
--- /dev/null
@@ -0,0 +1,36 @@
+From 8481d59be606d2338dbfe14b04cdbd1a3402c150 Mon Sep 17 00:00:00 2001
+From: Andrew Jeffery <andrew@codeconstruct.com.au>
+Date: Mon, 16 Jun 2025 22:43:38 +0930
+Subject: soc: aspeed: lpc-snoop: Cleanup resources in stack-order
+
+From: Andrew Jeffery <andrew@codeconstruct.com.au>
+
+commit 8481d59be606d2338dbfe14b04cdbd1a3402c150 upstream.
+
+Free the kfifo after unregistering the miscdev in
+aspeed_lpc_disable_snoop() as the kfifo is initialised before the
+miscdev in aspeed_lpc_enable_snoop().
+
+Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev")
+Cc: stable@vger.kernel.org
+Cc: Jean Delvare <jdelvare@suse.de>
+Acked-by: Jean Delvare <jdelvare@suse.de>
+Link: https://patch.msgid.link/20250616-aspeed-lpc-snoop-fixes-v2-1-3cdd59c934d3@codeconstruct.com.au
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/aspeed/aspeed-lpc-snoop.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
+@@ -263,8 +263,8 @@ static void aspeed_lpc_disable_snoop(str
+               return;
+       }
+-      kfifo_free(&lpc_snoop->chan[channel].fifo);
+       misc_deregister(&lpc_snoop->chan[channel].miscdev);
++      kfifo_free(&lpc_snoop->chan[channel].fifo);
+ }
+ static int aspeed_lpc_snoop_probe(struct platform_device *pdev)
diff --git a/queue-6.12/soc-aspeed-lpc-snoop-don-t-disable-channels-that-aren-t-enabled.patch b/queue-6.12/soc-aspeed-lpc-snoop-don-t-disable-channels-that-aren-t-enabled.patch
new file mode 100644 (file)
index 0000000..f8da0d6
--- /dev/null
@@ -0,0 +1,83 @@
+From 56448e78a6bb4e1a8528a0e2efe94eff0400c247 Mon Sep 17 00:00:00 2001
+From: Andrew Jeffery <andrew@codeconstruct.com.au>
+Date: Mon, 16 Jun 2025 22:43:39 +0930
+Subject: soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled
+
+From: Andrew Jeffery <andrew@codeconstruct.com.au>
+
+commit 56448e78a6bb4e1a8528a0e2efe94eff0400c247 upstream.
+
+Mitigate e.g. the following:
+
+    # echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind
+    ...
+    [  120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write
+    [  120.373866] [00000004] *pgd=00000000
+    [  120.377910] Internal error: Oops: 805 [#1] SMP ARM
+    [  120.383306] CPU: 1 UID: 0 PID: 315 Comm: sh Not tainted 6.15.0-rc1-00009-g926217bc7d7d-dirty #20 NONE
+    ...
+    [  120.679543] Call trace:
+    [  120.679559]  misc_deregister from aspeed_lpc_snoop_remove+0x84/0xac
+    [  120.692462]  aspeed_lpc_snoop_remove from platform_remove+0x28/0x38
+    [  120.700996]  platform_remove from device_release_driver_internal+0x188/0x200
+    ...
+
+Fixes: 9f4f9ae81d0a ("drivers/misc: add Aspeed LPC snoop driver")
+Cc: stable@vger.kernel.org
+Cc: Jean Delvare <jdelvare@suse.de>
+Acked-by: Jean Delvare <jdelvare@suse.de>
+Link: https://patch.msgid.link/20250616-aspeed-lpc-snoop-fixes-v2-2-3cdd59c934d3@codeconstruct.com.au
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/aspeed/aspeed-lpc-snoop.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
+@@ -58,6 +58,7 @@ struct aspeed_lpc_snoop_model_data {
+ };
+ struct aspeed_lpc_snoop_channel {
++      bool enabled;
+       struct kfifo            fifo;
+       wait_queue_head_t       wq;
+       struct miscdevice       miscdev;
+@@ -190,6 +191,9 @@ static int aspeed_lpc_enable_snoop(struc
+       const struct aspeed_lpc_snoop_model_data *model_data =
+               of_device_get_match_data(dev);
++      if (WARN_ON(lpc_snoop->chan[channel].enabled))
++              return -EBUSY;
++
+       init_waitqueue_head(&lpc_snoop->chan[channel].wq);
+       /* Create FIFO datastructure */
+       rc = kfifo_alloc(&lpc_snoop->chan[channel].fifo,
+@@ -236,6 +240,8 @@ static int aspeed_lpc_enable_snoop(struc
+               regmap_update_bits(lpc_snoop->regmap, HICRB,
+                               hicrb_en, hicrb_en);
++      lpc_snoop->chan[channel].enabled = true;
++
+       return 0;
+ err_misc_deregister:
+@@ -248,6 +254,9 @@ err_free_fifo:
+ static void aspeed_lpc_disable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
+                                    int channel)
+ {
++      if (!lpc_snoop->chan[channel].enabled)
++              return;
++
+       switch (channel) {
+       case 0:
+               regmap_update_bits(lpc_snoop->regmap, HICR5,
+@@ -263,6 +272,8 @@ static void aspeed_lpc_disable_snoop(str
+               return;
+       }
++      lpc_snoop->chan[channel].enabled = false;
++      /* Consider improving safety wrt concurrent reader(s) */
+       misc_deregister(&lpc_snoop->chan[channel].miscdev);
+       kfifo_free(&lpc_snoop->chan[channel].fifo);
+ }
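Review bot: The comment added before `misc_deregister()` in aspeed_lpc_disable_snoop(), `/* Consider improving safety wrt concurrent reader(s) */`, does not say what is unsafe, so the open lifetime question is easy to overlook. Presumably it means that a process still holding the misc device open could reach `fifo` or `wq` after `kfifo_free()` runs; if so, state that directly, e.g. `/* TODO: an open reader may still use fifo/wq after kfifo_free() below; teardown needs to synchronise with readers */`. The new `enabled` flag is also read and written without any locking visible in these hunks, so it stops a disable of a never-enabled channel but would not order two teardown paths against each other. Whether that can happen depends on callers outside the hunks.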