--- /dev/null
+From 634a4408c0615c523cf7531790f4f14a422b9206 Mon Sep 17 00:00:00 2001
+From: Tristan Madani <tristan@talencesecurity.com>
+Date: Tue, 21 Apr 2026 11:14:54 +0000
+Subject: Bluetooth: btmtk: validate WMT event SKB length before struct access
+
+From: Tristan Madani <tristan@talencesecurity.com>
+
+commit 634a4408c0615c523cf7531790f4f14a422b9206 upstream.
+
+btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to
+struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc
+(9 bytes) without first checking that the SKB contains enough data.
+A short firmware response causes out-of-bounds reads from SKB tailroom.
+
+Use skb_pull_data() to validate and advance past the base WMT event
+header. For the FUNC_CTRL case, pull the additional status field bytes
+before accessing them.
+
+Fixes: d019930b0049 ("Bluetooth: btmtk: move btusb_mtk_hci_wmt_sync to btmtk.c")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btmtk.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/bluetooth/btmtk.c
++++ b/drivers/bluetooth/btmtk.c
+@@ -654,8 +654,13 @@ static int btmtk_usb_hci_wmt_sync(struct
+ if (data->evt_skb == NULL)
+ goto err_free_wc;
+
+- /* Parse and handle the return WMT event */
+- wmt_evt = (struct btmtk_hci_wmt_evt *)data->evt_skb->data;
++ wmt_evt = skb_pull_data(data->evt_skb, sizeof(*wmt_evt));
++ if (!wmt_evt) {
++ bt_dev_err(hdev, "WMT event too short (%u bytes)",
++ data->evt_skb->len);
++ err = -EINVAL;
++ goto err_free_skb;
++ }
+ if (wmt_evt->whdr.op != hdr->op) {
+ bt_dev_err(hdev, "Wrong op received %d expected %d",
+ wmt_evt->whdr.op, hdr->op);
+@@ -671,6 +676,12 @@ static int btmtk_usb_hci_wmt_sync(struct
+ status = BTMTK_WMT_PATCH_DONE;
+ break;
+ case BTMTK_WMT_FUNC_CTRL:
++ if (!skb_pull_data(data->evt_skb,
++ sizeof(wmt_evt_funcc->status))) {
++ err = -EINVAL;
++ goto err_free_skb;
++ }
++
+ wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
+ if (be16_to_cpu(wmt_evt_funcc->status) == 0x404)
+ status = BTMTK_WMT_ON_DONE;
--- /dev/null
+From 5ddb8014261137cadaf83ab5617a588d80a22586 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Fri, 10 Apr 2026 15:29:52 -0400
+Subject: Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 5ddb8014261137cadaf83ab5617a588d80a22586 upstream.
+
+hci_le_create_big_complete_evt() iterates over BT_BOUND connections for
+a BIG handle using a while loop, accessing ev->bis_handle[i++] on each
+iteration. However, there is no check that i stays within ev->num_bis
+before the array access.
+
+When a controller sends a LE_Create_BIG_Complete event with fewer
+bis_handle entries than there are BT_BOUND connections for that BIG,
+or with num_bis=0, the loop reads beyond the valid bis_handle[] flex
+array into adjacent heap memory. Since the out-of-bounds values
+typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle()
+rejects them and the connection remains in BT_BOUND state. The same
+connection is then found again by hci_conn_hash_lookup_big_state(),
+creating an infinite loop with hci_dev_lock held.
+
+Fix this by terminating the BIG if in case not all BIS could be setup
+properly.
+
+Fixes: a0bfde167b50 ("Bluetooth: ISO: Add support for connecting multiple BISes")
+Cc: stable@vger.kernel.org
+Signed-off-by: ZhiTao Ou <hkbinbinbin@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_event.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -6973,9 +6973,29 @@ static void hci_le_create_big_complete_e
+ continue;
+ }
+
++ if (ev->num_bis <= i) {
++ bt_dev_err(hdev,
++ "Not enough BIS handles for BIG 0x%2.2x",
++ ev->handle);
++ ev->status = HCI_ERROR_UNSPECIFIED;
++ hci_connect_cfm(conn, ev->status);
++ hci_conn_del(conn);
++ continue;
++ }
++
+ if (hci_conn_set_handle(conn,
+- __le16_to_cpu(ev->bis_handle[i++])))
++ __le16_to_cpu(ev->bis_handle[i++]))) {
++ bt_dev_err(hdev,
++ "Failed to set BIS handle for BIG 0x%2.2x",
++ ev->handle);
++ /* Force error so BIG gets terminated as not all BIS
++ * could be connected.
++ */
++ ev->status = HCI_ERROR_UNSPECIFIED;
++ hci_connect_cfm(conn, ev->status);
++ hci_conn_del(conn);
+ continue;
++ }
+
+ conn->state = BT_CONNECTED;
+ set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
+@@ -6984,7 +7004,10 @@ static void hci_le_create_big_complete_e
+ hci_iso_setup_path(conn);
+ }
+
+- if (!ev->status && !i)
++ /* If there is an unexpected error or if no BISes have been connected
++ * for the BIG, terminate it.
++ */
++ if (ev->status == HCI_ERROR_UNSPECIFIED || (!ev->status && !i))
+ /* If no BISes have been connected for the BIG,
+ * terminate. This is in case all bound connections
+ * have been closed before the BIG creation
--- /dev/null
+From 78a88d43dab8d23aeef934ed8ce34d40e6b3d613 Mon Sep 17 00:00:00 2001
+From: Siwei Zhang <oss@fourdim.xyz>
+Date: Wed, 15 Apr 2026 16:53:36 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
+
+From: Siwei Zhang <oss@fourdim.xyz>
+
+commit 78a88d43dab8d23aeef934ed8ce34d40e6b3d613 upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 8d836d71e222 ("Bluetooth: Access sk_sndtimeo indirectly in l2cap_core.c")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1747,6 +1747,9 @@ static long l2cap_sock_get_sndtimeo_cb(s
+ {
+ struct sock *sk = chan->data;
+
++ if (!sk)
++ return 0;
++
+ return READ_ONCE(sk->sk_sndtimeo);
+ }
+
--- /dev/null
+From 0a120d96166301d7a95be75b52f843837dbd1219 Mon Sep 17 00:00:00 2001
+From: Siwei Zhang <oss@fourdim.xyz>
+Date: Wed, 15 Apr 2026 16:49:59 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
+
+From: Siwei Zhang <oss@fourdim.xyz>
+
+commit 0a120d96166301d7a95be75b52f843837dbd1219 upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 80808e431e1e ("Bluetooth: Add l2cap_chan_ops abstraction")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1480,6 +1480,9 @@ static struct l2cap_chan *l2cap_sock_new
+ {
+ struct sock *sk, *parent = chan->data;
+
++ if (!parent)
++ return NULL;
++
+ lock_sock(parent);
+
+ /* Check for backlog size */
--- /dev/null
+From 2ff1a41a912de8517b4482e946dd951b7d80edbf Mon Sep 17 00:00:00 2001
+From: Siwei Zhang <oss@fourdim.xyz>
+Date: Wed, 15 Apr 2026 16:51:36 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
+
+From: Siwei Zhang <oss@fourdim.xyz>
+
+commit 2ff1a41a912de8517b4482e946dd951b7d80edbf upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 89bc500e41fc ("Bluetooth: Add state tracking to struct l2cap_chan")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1643,6 +1643,9 @@ static void l2cap_sock_state_change_cb(s
+ {
+ struct sock *sk = chan->data;
+
++ if (!sk)
++ return;
++
+ sk->sk_state = state;
+
+ if (err)
--- /dev/null
+From 21bd244b6de5d2fe1063c23acc93fbdd2b20d112 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Tue, 21 Apr 2026 13:08:44 -0400
+Subject: Bluetooth: virtio_bt: clamp rx length before skb_put
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 21bd244b6de5d2fe1063c23acc93fbdd2b20d112 upstream.
+
+virtbt_rx_work() calls skb_put(skb, len) where len comes directly
+from virtqueue_get_buf() with no validation against the buffer we
+posted to the device. The RX skb is allocated in virtbt_add_inbuf()
+and exposed to virtio as exactly 1000 bytes via sg_init_one().
+
+Checking len against skb_tailroom(skb) is not sufficient because
+alloc_skb() can leave more tailroom than the 1000 bytes actually
+handed to the device. A malicious or buggy backend can therefore
+report used.len between 1001 and skb_tailroom(skb), causing skb_put()
+to include uninitialized kernel heap bytes that were never written by
+the device.
+
+The same path also accepts len == 0, in which case skb_put(skb, 0)
+leaves the skb empty but virtbt_rx_handle() still reads the pkt_type
+byte from skb->data, consuming uninitialized memory.
+
+Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and
+sg_init_one(), and gate virtbt_rx_work() on that same constant so
+the bound checked matches the buffer actually exposed to the device.
+Reject used.len == 0 in the same gate so an empty completion can
+no longer reach virtbt_rx_handle().
+
+Use bt_dev_err_ratelimited() because the length value comes from an
+untrusted backend that can otherwise flood the kernel log.
+
+Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
+overflow in USB transport layer"), which hardened the USB 9p
+transport against unchecked device-reported length.
+
+Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length")
+Cc: stable@vger.kernel.org
+Cc: Soenke Huster <soenke.huster@eknoes.de>
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/virtio_bt.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/bluetooth/virtio_bt.c
++++ b/drivers/bluetooth/virtio_bt.c
+@@ -12,6 +12,7 @@
+ #include <net/bluetooth/hci_core.h>
+
+ #define VERSION "0.1"
++#define VIRTBT_RX_BUF_SIZE 1000
+
+ enum {
+ VIRTBT_VQ_TX,
+@@ -33,11 +34,11 @@ static int virtbt_add_inbuf(struct virti
+ struct sk_buff *skb;
+ int err;
+
+- skb = alloc_skb(1000, GFP_KERNEL);
++ skb = alloc_skb(VIRTBT_RX_BUF_SIZE, GFP_KERNEL);
+ if (!skb)
+ return -ENOMEM;
+
+- sg_init_one(sg, skb->data, 1000);
++ sg_init_one(sg, skb->data, VIRTBT_RX_BUF_SIZE);
+
+ err = virtqueue_add_inbuf(vq, sg, 1, skb, GFP_KERNEL);
+ if (err < 0) {
+@@ -227,8 +228,15 @@ static void virtbt_rx_work(struct work_s
+ if (!skb)
+ return;
+
+- skb_put(skb, len);
+- virtbt_rx_handle(vbt, skb);
++ if (!len || len > VIRTBT_RX_BUF_SIZE) {
++ bt_dev_err_ratelimited(vbt->hdev,
++ "rx reply len %u outside [1, %u]\n",
++ len, VIRTBT_RX_BUF_SIZE);
++ kfree_skb(skb);
++ } else {
++ skb_put(skb, len);
++ virtbt_rx_handle(vbt, skb);
++ }
+
+ if (virtbt_add_inbuf(vbt) < 0)
+ return;
--- /dev/null
+From daf23014e5d975e72ea9c02b5160d3fcf070ea47 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Tue, 21 Apr 2026 13:08:45 -0400
+Subject: Bluetooth: virtio_bt: validate rx pkt_type header length
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit daf23014e5d975e72ea9c02b5160d3fcf070ea47 upstream.
+
+virtbt_rx_handle() reads the leading pkt_type byte from the RX skb
+and forwards the remainder to hci_recv_frame() for every
+event/ACL/SCO/ISO type, without checking that the remaining payload
+is at least the fixed HCI header for that type.
+
+After the preceding patch bounds the backend-supplied used.len to
+[1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches
+hci_recv_frame() with skb->len already pulled to 0. If the byte
+happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification
+fast-path in hci_dev_classify_pkt_type() dereferences
+hci_acl_hdr(skb)->handle whenever the HCI device has an active
+CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of
+uninitialized RX-buffer data. The same hazard exists for every
+packet type the driver accepts because none of the switch cases in
+virtbt_rx_handle() check skb->len against the per-type minimum HCI
+header size before handing the frame to the core.
+
+After stripping pkt_type, require skb->len to cover the fixed
+header size for the selected type (event 2, ACL 4, SCO 3, ISO 4)
+before calling hci_recv_frame(); drop ratelimited otherwise.
+Unknown pkt_type values still take the original kfree_skb() default
+path.
+
+Use bt_dev_err_ratelimited() because both the length and pkt_type
+values come from an untrusted backend that can otherwise flood the
+kernel log.
+
+Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length")
+Cc: stable@vger.kernel.org
+Cc: Soenke Huster <soenke.huster@eknoes.de>
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/virtio_bt.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+--- a/drivers/bluetooth/virtio_bt.c
++++ b/drivers/bluetooth/virtio_bt.c
+@@ -198,6 +198,7 @@ static int virtbt_shutdown_generic(struc
+
+ static void virtbt_rx_handle(struct virtio_bluetooth *vbt, struct sk_buff *skb)
+ {
++ size_t min_hdr;
+ __u8 pkt_type;
+
+ pkt_type = *((__u8 *) skb->data);
+@@ -205,16 +206,32 @@ static void virtbt_rx_handle(struct virt
+
+ switch (pkt_type) {
+ case HCI_EVENT_PKT:
++ min_hdr = sizeof(struct hci_event_hdr);
++ break;
+ case HCI_ACLDATA_PKT:
++ min_hdr = sizeof(struct hci_acl_hdr);
++ break;
+ case HCI_SCODATA_PKT:
++ min_hdr = sizeof(struct hci_sco_hdr);
++ break;
+ case HCI_ISODATA_PKT:
+- hci_skb_pkt_type(skb) = pkt_type;
+- hci_recv_frame(vbt->hdev, skb);
++ min_hdr = sizeof(struct hci_iso_hdr);
+ break;
+ default:
+ kfree_skb(skb);
+- break;
++ return;
+ }
++
++ if (skb->len < min_hdr) {
++ bt_dev_err_ratelimited(vbt->hdev,
++ "rx pkt_type 0x%02x payload %u < hdr %zu\n",
++ pkt_type, skb->len, min_hdr);
++ kfree_skb(skb);
++ return;
++ }
++
++ hci_skb_pkt_type(skb) = pkt_type;
++ hci_recv_frame(vbt->hdev, skb);
+ }
+
+ static void virtbt_rx_work(struct work_struct *work)
--- /dev/null
+From bc0fcb9823cd0894934cf968b525c575833d7078 Mon Sep 17 00:00:00 2001
+From: Yilin Zhu <zylzyl2333@gmail.com>
+Date: Sun, 12 Apr 2026 13:07:54 +0800
+Subject: ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
+
+From: Yilin Zhu <zylzyl2333@gmail.com>
+
+commit bc0fcb9823cd0894934cf968b525c575833d7078 upstream.
+
+xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not
+already have a dst attached. ip6_route_input_lookup() returns a
+referenced dst entry even when the lookup resolves to an error route.
+
+If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching
+the dst to the skb and without releasing the reference returned by the
+lookup. Repeated packets hitting this path therefore leak dst entries.
+
+Release the dst before jumping to the drop path.
+
+Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
+Cc: stable@kernel.org
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ruide Cao <caoruide123@gmail.com>
+Signed-off-by: Yilin Zhu <zylzyl2333@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/xfrm6_protocol.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/xfrm6_protocol.c
++++ b/net/ipv6/xfrm6_protocol.c
+@@ -88,8 +88,10 @@ int xfrm6_rcv_encap(struct sk_buff *skb,
+
+ dst = ip6_route_input_lookup(dev_net(skb->dev), skb->dev, &fl6,
+ skb, flags);
+- if (dst->error)
++ if (dst->error) {
++ dst_release(dst);
+ goto drop;
++ }
+ skb_dst_set(skb, dst);
+ }
+
--- /dev/null
+From f26faae96c411a70641e4d21b759475caa6122d5 Mon Sep 17 00:00:00 2001
+From: Tao Cui <cuitao@kylinos.cn>
+Date: Mon, 4 May 2026 09:00:38 +0800
+Subject: LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()
+
+From: Tao Cui <cuitao@kylinos.cn>
+
+commit f26faae96c411a70641e4d21b759475caa6122d5 upstream.
+
+In the ldptr (0x24...0x27) opcode decoding path, the default case only
+breaks out but without setting "ret" value to EMULATE_FAIL. This leaves
+run->mmio.len uninitialized (stale from a previous MMIO operation) while
+"ret" value remains EMULATE_DO_MMIO, causing the code to proceed with an
+incorrect MMIO length.
+
+Add "ret = EMULATE_FAIL" to match the other default branches in the same
+function (e.g. the 0x28...0x2e and 0x38 cases).
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Bibo Mao <maobibo@loongson.cn>
+Signed-off-by: Tao Cui <cuitao@kylinos.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kvm/exit.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/loongarch/kvm/exit.c
++++ b/arch/loongarch/kvm/exit.c
+@@ -390,6 +390,7 @@ int kvm_emu_mmio_read(struct kvm_vcpu *v
+ run->mmio.len = 8;
+ break;
+ default:
++ ret = EMULATE_FAIL;
+ break;
+ }
+ break;
--- /dev/null
+From 2adc8664018c1cc595c7c0c98474a33c7fe32a85 Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda <ojeda@kernel.org>
+Date: Sun, 26 Apr 2026 16:42:01 +0200
+Subject: rust: allow `clippy::collapsible_if` globally
+
+From: Miguel Ojeda <ojeda@kernel.org>
+
+commit 2adc8664018c1cc595c7c0c98474a33c7fe32a85 upstream.
+
+Similar to `clippy::collapsible_match` (globally allowed in the previous
+commit), the `clippy::collapsible_if` lint [1] can make code harder to
+read in certain cases.
+
+Thus just let developers decide on their own.
+
+In addition, remove the existing `expect` we had.
+
+Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs).
+Suggested-by: Gary Guo <gary@garyguo.net>
+Link: https://lore.kernel.org/rust-for-linux/DGROP5CHU1QZ.1OKJRAUZXE9WC@garyguo.net/
+Link: https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_if [1]
+Reviewed-by: Gary Guo <gary@garyguo.net>
+Link: https://patch.msgid.link/20260426144201.227108-2-ojeda@kernel.org
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Makefile | 1 +
+ drivers/android/binder/range_alloc/array.rs | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -483,6 +483,7 @@ export rust_common_flags := --edition=20
+ -Wclippy::as_ptr_cast_mut \
+ -Wclippy::as_underscore \
+ -Wclippy::cast_lossless \
++ -Aclippy::collapsible_if \
+ -Aclippy::collapsible_match \
+ -Wclippy::ignored_unit_patterns \
+ -Wclippy::mut_mut \
+--- a/drivers/android/binder/range_alloc/array.rs
++++ b/drivers/android/binder/range_alloc/array.rs
+@@ -204,7 +204,6 @@ impl<T> ArrayRangeAllocator<T> {
+ // caller will mark them as unused, which means that they can be freed if the system comes
+ // under memory pressure.
+ let mut freed_range = FreedRange::interior_pages(offset, size);
+- #[expect(clippy::collapsible_if)] // reads better like this
+ if offset % PAGE_SIZE != 0 {
+ if i == 0 || self.ranges[i - 1].endpoint() <= (offset & PAGE_MASK) {
+ freed_range.start_page_idx -= 1;
--- /dev/null
+From 838d852da8503372f3a1779bfbd1ccb93153ab4e Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda <ojeda@kernel.org>
+Date: Sun, 26 Apr 2026 16:42:00 +0200
+Subject: rust: allow `clippy::collapsible_match` globally
+
+From: Miguel Ojeda <ojeda@kernel.org>
+
+commit 838d852da8503372f3a1779bfbd1ccb93153ab4e upstream.
+
+The `clippy::collapsible_match` lint [1] can make code harder to read
+in certain cases [2], e.g.
+
+ CLIPPY P rust/libmacros.so - due to command line change
+ warning: this `if` can be collapsed into the outer `match`
+ --> rust/pin-init/internal/src/helpers.rs:91:17
+ |
+ 91 | / if nesting == 1 {
+ 92 | | impl_generics.push(tt.clone());
+ 93 | | impl_generics.push(tt);
+ 94 | | skip_until_comma = false;
+ 95 | | }
+ | |_________________^
+ |
+ = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_match
+ = note: `-W clippy::collapsible-match` implied by `-W clippy::all`
+ = help: to override `-W clippy::all` add `#[allow(clippy::collapsible_match)]`
+ help: collapse nested if block
+ |
+ 90 ~ TokenTree::Punct(p) if skip_until_comma && p.as_char() == ','
+ 91 ~ && nesting == 1 => {
+ 92 | impl_generics.push(tt.clone());
+ 93 | impl_generics.push(tt);
+ 94 | skip_until_comma = false;
+ 95 ~ }
+ |
+
+The lint does not have much upside -- when the suggestion may be a good
+one, it would still read fine when nested anyway. And it is the kind of
+lint that may easily bias people to just apply the suggestion instead
+of allowing it.
+
+[ In addition, as Gary points out [3], the suggestion is also wrong [4] and
+ in the process of being fixed [5], possibly for Rust 1.97.0:
+
+ Link: https://lore.kernel.org/rust-for-linux/DI3YV94TH9I3.1SOHW51552497@garyguo.net/ [3]
+ Link: https://github.com/rust-lang/rust-clippy/issues/16875 [4]
+ Link: https://github.com/rust-lang/rust-clippy/pull/16878 [5]
+
+ - Miguel ]
+
+Thus just let developers decide on their own.
+
+Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs).
+Link: https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_match [1]
+Link: https://lore.kernel.org/rust-for-linux/CANiq72nWYJna_hdFxjQCQZK6yJBrr1Mb86iKavivV0U0BgufeA@mail.gmail.com/ [2]
+Reviewed-by: Gary Guo <gary@garyguo.net>
+Link: https://patch.msgid.link/20260426144201.227108-1-ojeda@kernel.org
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/Makefile
++++ b/Makefile
+@@ -483,6 +483,7 @@ export rust_common_flags := --edition=20
+ -Wclippy::as_ptr_cast_mut \
+ -Wclippy::as_underscore \
+ -Wclippy::cast_lossless \
++ -Aclippy::collapsible_match \
+ -Wclippy::ignored_unit_patterns \
+ -Wclippy::mut_mut \
+ -Wclippy::needless_bitwise_bool \
--- /dev/null
+From 2e42a17b8f6bc3c0cd69d7556b588011d3ec2394 Mon Sep 17 00:00:00 2001
+From: Eliot Courtney <ecourtney@nvidia.com>
+Date: Thu, 23 Apr 2026 21:36:52 +0900
+Subject: rust: drm: gem: clean up GEM state in init failure case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eliot Courtney <ecourtney@nvidia.com>
+
+commit 2e42a17b8f6bc3c0cd69d7556b588011d3ec2394 upstream.
+
+Currently, if `drm_gem_object_init` fails, the object is freed without
+any cleanup. Perform the cleanup in that case.
+
+Cc: stable@vger.kernel.org
+Fixes: c284d3e42338 ("rust: drm: gem: Add GEM object abstraction")
+Signed-off-by: Eliot Courtney <ecourtney@nvidia.com>
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Reviewed-by: Onur Özkan <work@onurozkan.dev>
+Link: https://patch.msgid.link/20260423-fix-gem-1-v1-1-e12e35f7bba9@nvidia.com
+[ Move safety comment closer to unsafe block to avoid a clippy warning.
+ - Danilo ]
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/kernel/drm/gem/mod.rs | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/rust/kernel/drm/gem/mod.rs
++++ b/rust/kernel/drm/gem/mod.rs
+@@ -232,8 +232,17 @@ impl<T: DriverObject> Object<T> {
+ // SAFETY: `obj.as_raw()` is guaranteed to be valid by the initialization above.
+ unsafe { (*obj.as_raw()).funcs = &Self::OBJECT_FUNCS };
+
+- // SAFETY: The arguments are all valid per the type invariants.
+- to_result(unsafe { bindings::drm_gem_object_init(dev.as_raw(), obj.obj.get(), size) })?;
++ if let Err(err) =
++ // SAFETY: The arguments are all valid per the type invariants.
++ to_result(unsafe {
++ bindings::drm_gem_object_init(dev.as_raw(), obj.obj.get(), size)
++ })
++ {
++ // SAFETY: `drm_gem_object_init()` initializes the private GEM object state before
++ // failing, so `drm_gem_private_object_fini()` is the matching cleanup.
++ unsafe { bindings::drm_gem_private_object_fini(obj.obj.get()) };
++ return Err(err);
++ }
+
+ // SAFETY: We never move out of `Self`.
+ let ptr = KBox::into_raw(unsafe { Pin::into_inner_unchecked(obj) });
--- /dev/null
+From 1e5a8eed7821e7a43a31b4c1b3675a91be6bc6f6 Mon Sep 17 00:00:00 2001
+From: David Windsor <dwindsor@gmail.com>
+Date: Sun, 26 Apr 2026 19:23:49 -0400
+Subject: selinux: don't reserve xattr slot when we won't fill it
+
+From: David Windsor <dwindsor@gmail.com>
+
+commit 1e5a8eed7821e7a43a31b4c1b3675a91be6bc6f6 upstream.
+
+Move lsm_get_xattr_slot() below the SBLABEL_MNT check so we don't leave
+a NULL-named slot in the array when returning -EOPNOTSUPP; filesystem
+initxattrs() callbacks stop iterating at the first NULL ->name, silently
+dropping xattrs installed by later LSMs.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: David Windsor <dwindsor@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/hooks.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -2931,7 +2931,7 @@ static int selinux_inode_init_security(s
+ {
+ const struct cred_security_struct *crsec = selinux_cred(current_cred());
+ struct superblock_security_struct *sbsec;
+- struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
++ struct xattr *xattr;
+ u32 newsid, clen;
+ u16 newsclass;
+ int rc;
+@@ -2957,6 +2957,7 @@ static int selinux_inode_init_security(s
+ !(sbsec->flags & SBLABEL_MNT))
+ return -EOPNOTSUPP;
+
++ xattr = lsm_get_xattr_slot(xattrs, xattr_count);
+ if (xattr) {
+ rc = security_sid_to_context_force(newsid,
+ &context, &clen);
--- /dev/null
+From f92d542577db878acfd21cc18dab23d03023b217 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+Date: Fri, 10 Apr 2026 15:29:50 -0400
+Subject: selinux: fix avdcache auditing
+
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+
+commit f92d542577db878acfd21cc18dab23d03023b217 upstream.
+
+The per-task avdcache was incorrectly saving and reusing the
+audited vector computed by avc_audit_required() rather than
+recomputing based on the currently requested permissions and
+distinguishing the denied versus allowed cases. As a result,
+some permission checks were not being audited, e.g.
+directory write checks after a previously cached directory
+search check.
+
+Cc: stable@vger.kernel.org
+Fixes: dde3a5d0f4dce ("selinux: move avdcache to per-task security struct")
+Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+[PM: line wrap tweaks]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/hooks.c | 31 +++++++++++++------------------
+ security/selinux/include/objsec.h | 4 +---
+ 2 files changed, 14 insertions(+), 21 deletions(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -3162,15 +3162,13 @@ static inline int task_avdcache_search(s
+ * @tsec: the task's security state
+ * @isec: the inode associated with the cache entry
+ * @avd: the AVD to cache
+- * @audited: the permission audit bitmask to cache
+ *
+- * Update the AVD cache in @tsec with the @avdc and @audited info associated
++ * Update the AVD cache in @tsec with the @avd info associated
+ * with @isec.
+ */
+ static inline void task_avdcache_update(struct task_security_struct *tsec,
+ struct inode_security_struct *isec,
+- struct av_decision *avd,
+- u32 audited)
++ struct av_decision *avd)
+ {
+ int spot;
+
+@@ -3182,9 +3180,7 @@ static inline void task_avdcache_update(
+ spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1);
+ tsec->avdcache.dir_spot = spot;
+ tsec->avdcache.dir[spot].isid = isec->sid;
+- tsec->avdcache.dir[spot].audited = audited;
+- tsec->avdcache.dir[spot].allowed = avd->allowed;
+- tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE;
++ tsec->avdcache.dir[spot].avd = *avd;
+ tsec->avdcache.permissive_neveraudit =
+ (avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT));
+ }
+@@ -3205,6 +3201,7 @@ static int selinux_inode_permission(stru
+ struct task_security_struct *tsec;
+ struct inode_security_struct *isec;
+ struct avdc_entry *avdc;
++ struct av_decision avd, *avdp = &avd;
+ int rc, rc2;
+ u32 audited, denied;
+
+@@ -3226,23 +3223,21 @@ static int selinux_inode_permission(stru
+ rc = task_avdcache_search(tsec, isec, &avdc);
+ if (likely(!rc)) {
+ /* Cache hit. */
+- audited = perms & avdc->audited;
+- denied = perms & ~avdc->allowed;
+- if (unlikely(denied && enforcing_enabled() &&
+- !avdc->permissive))
++ avdp = &avdc->avd;
++ denied = perms & ~avdp->allowed;
++ if (unlikely(denied) && enforcing_enabled() &&
++ !(avdp->flags & AVD_FLAGS_PERMISSIVE))
+ rc = -EACCES;
+ } else {
+- struct av_decision avd;
+-
+ /* Cache miss. */
+ rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass,
+- perms, 0, &avd);
+- audited = avc_audit_required(perms, &avd, rc,
+- (requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0,
+- &denied);
+- task_avdcache_update(tsec, isec, &avd, audited);
++ perms, 0, avdp);
++ task_avdcache_update(tsec, isec, avdp);
+ }
+
++ audited = avc_audit_required(perms, avdp, rc,
++ (requested & MAY_ACCESS) ?
++ FILE__AUDIT_ACCESS : 0, &denied);
+ if (likely(!audited))
+ return rc;
+
+--- a/security/selinux/include/objsec.h
++++ b/security/selinux/include/objsec.h
+@@ -32,9 +32,7 @@
+
+ struct avdc_entry {
+ u32 isid; /* inode SID */
+- u32 allowed; /* allowed permission bitmask */
+- u32 audited; /* audited permission bitmask */
+- bool permissive; /* AVC permissive flag */
++ struct av_decision avd; /* av decision */
+ };
+
+ struct cred_security_struct {
--- /dev/null
+From 644132a48f4e28a1d949d162160869286f3e75de Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+Date: Tue, 5 May 2026 08:49:48 -0400
+Subject: selinux: prune /sys/fs/selinux/checkreqprot
+
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+
+commit 644132a48f4e28a1d949d162160869286f3e75de upstream.
+
+commit a7e4676e8e2cb ("selinux: remove the 'checkreqprot'
+functionality") removed the ability to modify the checkreqprot setting
+but left everything except the updating of the checkreqprot value
+intact. Aside from unnecessary processing, this could produce a local
+DoS from log spam and incorrectly calls selinux_ima_measure_state() on
+each write even though no state has changed. Prune it to just log an
+error message once and return count (i.e. all bytes written
+successfully) so that userspace never breaks.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/selinuxfs.c | 47 ++++++-------------------------------------
+ 1 file changed, 7 insertions(+), 40 deletions(-)
+
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -676,46 +676,13 @@ static ssize_t sel_read_checkreqprot(str
+ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- char *page;
+- ssize_t length;
+- unsigned int new_value;
+-
+- length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
+- SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT,
+- NULL);
+- if (length)
+- return length;
+-
+- if (count >= PAGE_SIZE)
+- return -ENOMEM;
+-
+- /* No partial writes. */
+- if (*ppos != 0)
+- return -EINVAL;
+-
+- page = memdup_user_nul(buf, count);
+- if (IS_ERR(page))
+- return PTR_ERR(page);
+-
+- if (sscanf(page, "%u", &new_value) != 1) {
+- length = -EINVAL;
+- goto out;
+- }
+- length = count;
+-
+- if (new_value) {
+- char comm[sizeof(current->comm)];
+-
+- strscpy(comm, current->comm);
+- pr_err("SELinux: %s (%d) set checkreqprot to 1. This is no longer supported.\n",
+- comm, current->pid);
+- }
+-
+- selinux_ima_measure_state();
+-
+-out:
+- kfree(page);
+- return length;
++ /*
++ * Setting checkreqprot is no longer supported, see
++ * https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-checkreqprot
++ */
++ pr_err_once("SELinux: %s (%d) wrote to checkreqprot. This is no longer supported.\n",
++ current->comm, current->pid);
++ return count;
+ }
+ static const struct file_operations sel_checkreqprot_ops = {
+ .read = sel_read_checkreqprot,
--- /dev/null
+From 19cfa0099024bb9cd40f6d950caa7f47ff8e77f6 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+Date: Tue, 5 May 2026 08:49:49 -0400
+Subject: selinux: prune /sys/fs/selinux/disable
+
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+
+commit 19cfa0099024bb9cd40f6d950caa7f47ff8e77f6 upstream.
+
+Commit f22f9aaf6c3d ("selinux: remove the runtime disable
+functionality") removed the underlying SELinux runtime disable
+functionality but left everything else intact and started logging an
+error message to warn any residual users.
+
+Prune it to just log an error message once and to return count
+(i.e. all bytes written successfully) to avoid breaking
+userspace. This also fixes a local DoS from logspam.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/selinuxfs.c | 36 +++++++-----------------------------
+ 1 file changed, 7 insertions(+), 29 deletions(-)
+
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -272,35 +272,13 @@ static ssize_t sel_write_disable(struct
+ size_t count, loff_t *ppos)
+
+ {
+- char *page;
+- ssize_t length;
+- int new_value;
+-
+- if (count >= PAGE_SIZE)
+- return -ENOMEM;
+-
+- /* No partial writes. */
+- if (*ppos != 0)
+- return -EINVAL;
+-
+- page = memdup_user_nul(buf, count);
+- if (IS_ERR(page))
+- return PTR_ERR(page);
+-
+- if (sscanf(page, "%d", &new_value) != 1) {
+- length = -EINVAL;
+- goto out;
+- }
+- length = count;
+-
+- if (new_value) {
+- pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n");
+- pr_err("SELinux: Runtime disable is not supported, use selinux=0 on the kernel cmdline.\n");
+- }
+-
+-out:
+- kfree(page);
+- return length;
++ /*
++ * Setting disable is no longer supported, see
++ * https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable
++ */
++ pr_err_once("SELinux: %s (%d) wrote to disable. This is no longer supported.\n",
++ current->comm, current->pid);
++ return count;
+ }
+
+ static const struct file_operations sel_disable_ops = {
--- /dev/null
+From ad1ac3d740cc6b858a99ab9c45c8c0574be7d1d3 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+Date: Tue, 5 May 2026 08:49:50 -0400
+Subject: selinux: prune /sys/fs/selinux/user
+
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+
+commit ad1ac3d740cc6b858a99ab9c45c8c0574be7d1d3 upstream.
+
+Remove the previously deprecated /sys/fs/selinux/user interface aside
+from a residual stub for userspace compatibility.
+
+Commit d7b6918e22c7 ("selinux: Deprecate /sys/fs/selinux/user") started
+the deprecation process for /sys/fs/selinux/user:
+
+ The selinuxfs "user" node allows userspace to request a list
+ of security contexts that can be reached for a given SELinux
+ user from a given starting context. This was used by libselinux
+ when various login-style programs requested contexts for
+ users, but libselinux stopped using it in 2020.
+ Kernel support will be removed no sooner than Dec 2025.
+
+A pr_warn() message has been in place since Linux v6.13, and a 5
+second sleep was introduced since Linux v6.17 to help make it more
+noticeable.
+
+We are now past the stated deadline of Dec 2025, so remove the
+underlying functionality and replace it with a stub that returns a
+'0\0' buffer to avoid breaking userspace. This also avoids a local DoS
+from logspam and an uninterruptible sleep delay.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ .../{obsolete => removed}/sysfs-selinux-user | 0
+ Documentation/ABI/obsolete/sysfs-selinux-user | 12 --
+ Documentation/ABI/removed/sysfs-selinux-user | 12 ++
+ security/selinux/include/security.h | 2
+ security/selinux/selinuxfs.c | 68 +-------------
+ security/selinux/ss/services.c | 125 --------------------------
+ 5 files changed, 17 insertions(+), 202 deletions(-)
+ rename Documentation/ABI/{obsolete => removed}/sysfs-selinux-user (100%)
+
+--- a/Documentation/ABI/obsolete/sysfs-selinux-user
++++ /dev/null
+@@ -1,12 +0,0 @@
+-What: /sys/fs/selinux/user
+-Date: April 2005 (predates git)
+-KernelVersion: 2.6.12-rc2 (predates git)
+-Contact: selinux@vger.kernel.org
+-Description:
+-
+- The selinuxfs "user" node allows userspace to request a list
+- of security contexts that can be reached for a given SELinux
+- user from a given starting context. This was used by libselinux
+- when various login-style programs requested contexts for
+- users, but libselinux stopped using it in 2020.
+- Kernel support will be removed no sooner than Dec 2025.
+--- /dev/null
++++ b/Documentation/ABI/removed/sysfs-selinux-user
+@@ -0,0 +1,12 @@
++What: /sys/fs/selinux/user
++Date: April 2005 (predates git)
++KernelVersion: 2.6.12-rc2 (predates git)
++Contact: selinux@vger.kernel.org
++Description:
++
++ The selinuxfs "user" node allows userspace to request a list
++ of security contexts that can be reached for a given SELinux
++ user from a given starting context. This was used by libselinux
++ when various login-style programs requested contexts for
++ users, but libselinux stopped using it in 2020.
++ Kernel support will be removed no sooner than Dec 2025.
+--- a/security/selinux/include/security.h
++++ b/security/selinux/include/security.h
+@@ -301,8 +301,6 @@ int security_context_to_sid_default(cons
+ int security_context_to_sid_force(const char *scontext, u32 scontext_len,
+ u32 *sid);
+
+-int security_get_user_sids(u32 fromsid, const char *username, u32 **sids, u32 *nel);
+-
+ int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
+
+ int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -1005,69 +1005,11 @@ out:
+
+ static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
+ {
+- char *con = NULL, *user = NULL, *ptr;
+- u32 sid, *sids = NULL;
+- ssize_t length;
+- char *newcon;
+- int rc;
+- u32 i, len, nsids;
+-
+- pr_warn_ratelimited("SELinux: %s (%d) wrote to /sys/fs/selinux/user!"
+- " This will not be supported in the future; please update your"
+- " userspace.\n", current->comm, current->pid);
+- ssleep(5);
+-
+- length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
+- SECCLASS_SECURITY, SECURITY__COMPUTE_USER,
+- NULL);
+- if (length)
+- goto out;
+-
+- length = -ENOMEM;
+- con = kzalloc(size + 1, GFP_KERNEL);
+- if (!con)
+- goto out;
+-
+- length = -ENOMEM;
+- user = kzalloc(size + 1, GFP_KERNEL);
+- if (!user)
+- goto out;
+-
+- length = -EINVAL;
+- if (sscanf(buf, "%s %s", con, user) != 2)
+- goto out;
+-
+- length = security_context_str_to_sid(con, &sid, GFP_KERNEL);
+- if (length)
+- goto out;
+-
+- length = security_get_user_sids(sid, user, &sids, &nsids);
+- if (length)
+- goto out;
+-
+- length = sprintf(buf, "%u", nsids) + 1;
+- ptr = buf + length;
+- for (i = 0; i < nsids; i++) {
+- rc = security_sid_to_context(sids[i], &newcon, &len);
+- if (rc) {
+- length = rc;
+- goto out;
+- }
+- if ((length + len) >= SIMPLE_TRANSACTION_LIMIT) {
+- kfree(newcon);
+- length = -ERANGE;
+- goto out;
+- }
+- memcpy(ptr, newcon, len);
+- kfree(newcon);
+- ptr += len;
+- length += len;
+- }
+-out:
+- kfree(sids);
+- kfree(user);
+- kfree(con);
+- return length;
++ pr_err_once("SELinux: %s (%d) wrote to user. This is no longer supported.\n",
++ current->comm, current->pid);
++ buf[0] = '0';
++ buf[1] = 0;
++ return 2;
+ }
+
+ static ssize_t sel_write_member(struct file *file, char *buf, size_t size)
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -2746,131 +2746,6 @@ out:
+ return rc;
+ }
+
+-#define SIDS_NEL 25
+-
+-/**
+- * security_get_user_sids - Obtain reachable SIDs for a user.
+- * @fromsid: starting SID
+- * @username: username
+- * @sids: array of reachable SIDs for user
+- * @nel: number of elements in @sids
+- *
+- * Generate the set of SIDs for legal security contexts
+- * for a given user that can be reached by @fromsid.
+- * Set *@sids to point to a dynamically allocated
+- * array containing the set of SIDs. Set *@nel to the
+- * number of elements in the array.
+- */
+-
+-int security_get_user_sids(u32 fromsid,
+- const char *username,
+- u32 **sids,
+- u32 *nel)
+-{
+- struct selinux_policy *policy;
+- struct policydb *policydb;
+- struct sidtab *sidtab;
+- struct context *fromcon, usercon;
+- u32 *mysids = NULL, *mysids2, sid;
+- u32 i, j, mynel, maxnel = SIDS_NEL;
+- struct user_datum *user;
+- struct role_datum *role;
+- struct ebitmap_node *rnode, *tnode;
+- int rc;
+-
+- *sids = NULL;
+- *nel = 0;
+-
+- if (!selinux_initialized())
+- return 0;
+-
+- mysids = kcalloc(maxnel, sizeof(*mysids), GFP_KERNEL);
+- if (!mysids)
+- return -ENOMEM;
+-
+-retry:
+- mynel = 0;
+- rcu_read_lock();
+- policy = rcu_dereference(selinux_state.policy);
+- policydb = &policy->policydb;
+- sidtab = policy->sidtab;
+-
+- context_init(&usercon);
+-
+- rc = -EINVAL;
+- fromcon = sidtab_search(sidtab, fromsid);
+- if (!fromcon)
+- goto out_unlock;
+-
+- rc = -EINVAL;
+- user = symtab_search(&policydb->p_users, username);
+- if (!user)
+- goto out_unlock;
+-
+- usercon.user = user->value;
+-
+- ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
+- role = policydb->role_val_to_struct[i];
+- usercon.role = i + 1;
+- ebitmap_for_each_positive_bit(&role->types, tnode, j) {
+- usercon.type = j + 1;
+-
+- if (mls_setup_user_range(policydb, fromcon, user,
+- &usercon))
+- continue;
+-
+- rc = sidtab_context_to_sid(sidtab, &usercon, &sid);
+- if (rc == -ESTALE) {
+- rcu_read_unlock();
+- goto retry;
+- }
+- if (rc)
+- goto out_unlock;
+- if (mynel < maxnel) {
+- mysids[mynel++] = sid;
+- } else {
+- rc = -ENOMEM;
+- maxnel += SIDS_NEL;
+- mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
+- if (!mysids2)
+- goto out_unlock;
+- memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
+- kfree(mysids);
+- mysids = mysids2;
+- mysids[mynel++] = sid;
+- }
+- }
+- }
+- rc = 0;
+-out_unlock:
+- rcu_read_unlock();
+- if (rc || !mynel) {
+- kfree(mysids);
+- return rc;
+- }
+-
+- rc = -ENOMEM;
+- mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);
+- if (!mysids2) {
+- kfree(mysids);
+- return rc;
+- }
+- for (i = 0, j = 0; i < mynel; i++) {
+- struct av_decision dummy_avd;
+- rc = avc_has_perm_noaudit(fromsid, mysids[i],
+- SECCLASS_PROCESS, /* kernel value */
+- PROCESS__TRANSITION, AVC_STRICT,
+- &dummy_avd);
+- if (!rc)
+- mysids2[j++] = mysids[i];
+- cond_resched();
+- }
+- kfree(mysids);
+- *sids = mysids2;
+- *nel = j;
+- return 0;
+-}
+-
+ /**
+ * __security_genfs_sid - Helper to obtain a SID for a file in a filesystem
+ * @policy: policy
--- /dev/null
+From 868f31e4061eca8c3cd607d79d954d5e54f204aa Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+Date: Thu, 30 Apr 2026 14:36:52 -0400
+Subject: selinux: shrink critical section in sel_write_load()
+
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+
+commit 868f31e4061eca8c3cd607d79d954d5e54f204aa upstream.
+
+Currently sel_write_load() takes the policy mutex earlier than
+necessary. Move the taking of the mutex later. This avoids
+holding it unnecessarily across the vmalloc() and copy_from_user()
+of the policy data.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/selinuxfs.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -583,34 +583,31 @@ static ssize_t sel_write_load(struct fil
+ if (!count)
+ return -EINVAL;
+
+- mutex_lock(&selinux_state.policy_mutex);
+-
+ length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
+ SECCLASS_SECURITY, SECURITY__LOAD_POLICY, NULL);
+ if (length)
+- goto out;
++ return length;
+
+ data = vmalloc(count);
+- if (!data) {
+- length = -ENOMEM;
+- goto out;
+- }
++ if (!data)
++ return -ENOMEM;
+ if (copy_from_user(data, buf, count) != 0) {
+ length = -EFAULT;
+ goto out;
+ }
+
++ mutex_lock(&selinux_state.policy_mutex);
+ length = security_load_policy(data, count, &load_state);
+ if (length) {
+ pr_warn_ratelimited("SELinux: failed to load policy\n");
+- goto out;
++ goto out_unlock;
+ }
+ fsi = file_inode(file)->i_sb->s_fs_info;
+ length = sel_make_policy_nodes(fsi, load_state.policy);
+ if (length) {
+ pr_warn_ratelimited("SELinux: failed to initialize selinuxfs\n");
+ selinux_policy_cancel(&load_state);
+- goto out;
++ goto out_unlock;
+ }
+
+ selinux_policy_commit(&load_state);
+@@ -620,8 +617,9 @@ static ssize_t sel_write_load(struct fil
+ from_kuid(&init_user_ns, audit_get_loginuid(current)),
+ audit_get_sessionid(current));
+
+-out:
++out_unlock:
+ mutex_unlock(&selinux_state.policy_mutex);
++out:
+ vfree(data);
+ return length;
+ }
--- /dev/null
+From 032e70aff025d7c519af9ab791cd084380619263 Mon Sep 17 00:00:00 2001
+From: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
+Date: Fri, 24 Apr 2026 15:37:53 +0800
+Subject: selinux: use sk blob accessor in socket permission helpers
+
+From: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
+
+commit 032e70aff025d7c519af9ab791cd084380619263 upstream.
+
+SELinux socket state lives in the composite LSM socket blob.
+
+sock_has_perm() and nlmsg_sock_has_extended_perms() currently
+dereference sk->sk_security directly, which assumes the SELinux socket
+blob is at offset zero.
+
+In stacked configurations that assumption does not hold. If another LSM
+allocates socket blob storage before SELinux, these helpers may read the
+wrong blob and feed invalid SID and class values into AVC checks.
+
+Use selinux_sock() instead of accessing sk->sk_security directly.
+
+Fixes: d1d991efaf34 ("selinux: Add netlink xperm support")
+Cc: stable@vger.kernel.org # v6.13+
+Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/hooks.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -4780,7 +4780,7 @@ static bool sock_skip_has_perm(u32 sid)
+
+ static int sock_has_perm(struct sock *sk, u32 perms)
+ {
+- struct sk_security_struct *sksec = sk->sk_security;
++ struct sk_security_struct *sksec = selinux_sock(sk);
+ struct common_audit_data ad;
+ struct lsm_network_audit net;
+
+@@ -6087,7 +6087,7 @@ static unsigned int selinux_ip_postroute
+
+ static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type)
+ {
+- struct sk_security_struct *sksec = sk->sk_security;
++ struct sk_security_struct *sksec = selinux_sock(sk);
+ struct common_audit_data ad;
+ u8 driver;
+ u8 xperm;
alsa-seq-fix-ump-group-16-filtering.patch
powerpc-kdump-fix-kasan-sanitization-flag-for-core_-bits-.o.patch
x86-efi-restore-irq-state-in-efi-page-fault-handler.patch
+xfrm-provide-message-size-for-xfrm_msg_mapping.patch
+xfrm-defensively-unhash-xfrm_state-lists-in-__xfrm_state_delete.patch
+ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch
+xfrm-ah-account-for-esn-high-bits-in-async-callbacks.patch
+selinux-fix-avdcache-auditing.patch
+selinux-use-sk-blob-accessor-in-socket-permission-helpers.patch
+selinux-don-t-reserve-xattr-slot-when-we-won-t-fill-it.patch
+selinux-shrink-critical-section-in-sel_write_load.patch
+selinux-prune-sys-fs-selinux-checkreqprot.patch
+selinux-prune-sys-fs-selinux-disable.patch
+selinux-prune-sys-fs-selinux-user.patch
+loongarch-kvm-fix-missing-emulate_fail-in-kvm_emu_mmio_read.patch
+bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch
+bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch
+bluetooth-btmtk-validate-wmt-event-skb-length-before-struct-access.patch
+bluetooth-hci_event-fix-oob-read-and-infinite-loop-in-hci_le_create_big_complete_evt.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch
+rust-drm-gem-clean-up-gem-state-in-init-failure-case.patch
+rust-allow-clippy-collapsible_match-globally.patch
+rust-allow-clippy-collapsible_if-globally.patch
+spi-syncuacer-fix-controller-deregistration.patch
+spi-sun4i-fix-controller-deregistration.patch
+spi-ti-qspi-fix-controller-deregistration.patch
+spi-sun6i-fix-controller-deregistration.patch
+spi-zynqmp-gqspi-fix-controller-deregistration.patch
+spi-s3c64xx-fix-null-deref-on-driver-unbind.patch
+staging-vme_user-fix-root-device-leak-on-init-failure.patch
--- /dev/null
+From 45daacbead8a009844bd5dba6cfa731332184d17 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 11:49:25 +0200
+Subject: spi: s3c64xx: fix NULL-deref on driver unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 45daacbead8a009844bd5dba6cfa731332184d17 upstream.
+
+A change moving DMA channel allocation from probe() back to
+s3c64xx_spi_prepare_transfer() failed to remove the corresponding
+deallocation from remove().
+
+Drop the bogus DMA channel release from remove() to avoid triggering a
+NULL-pointer dereference on driver unbind.
+
+This issue was flagged by Sashiko when reviewing a controller
+deregistration fix.
+
+Fixes: f52b03c70744 ("spi: s3c64xx: requests spi-dma channel only during data transfer")
+Cc: stable@vger.kernel.org # 6.0
+Cc: Adithya K V <adithya.kv@samsung.com>
+Link: https://sashiko.dev/#/patchset/20260410081757.503099-1-johan%40kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410094925.518343-1-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-s3c64xx.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/spi/spi-s3c64xx.c
++++ b/drivers/spi/spi-s3c64xx.c
+@@ -1402,11 +1402,6 @@ static void s3c64xx_spi_remove(struct pl
+
+ writel(0, sdd->regs + S3C64XX_SPI_INT_EN);
+
+- if (!is_polling(sdd)) {
+- dma_release_channel(sdd->rx_dma.ch);
+- dma_release_channel(sdd->tx_dma.ch);
+- }
+-
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+ pm_runtime_set_suspended(&pdev->dev);
--- /dev/null
+From 42108a2f03e0fdeabe9d02d085bdb058baa1189f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:48 +0200
+Subject: spi: sun4i: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 42108a2f03e0fdeabe9d02d085bdb058baa1189f upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks during driver unbind.
+
+Fixes: b5f6517948cc ("spi: sunxi: Add Allwinner A10 SPI controller driver")
+Cc: stable@vger.kernel.org # 3.15
+Cc: Maxime Ripard <mripard@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-19-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-sun4i.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-sun4i.c
++++ b/drivers/spi/spi-sun4i.c
+@@ -505,7 +505,7 @@ static int sun4i_spi_probe(struct platfo
+ pm_runtime_enable(&pdev->dev);
+ pm_runtime_idle(&pdev->dev);
+
+- ret = devm_spi_register_controller(&pdev->dev, host);
++ ret = spi_register_controller(host);
+ if (ret) {
+ dev_err(&pdev->dev, "cannot register SPI host\n");
+ goto err_pm_disable;
+@@ -523,7 +523,15 @@ err_free_host:
+
+ static void sun4i_spi_remove(struct platform_device *pdev)
+ {
++ struct spi_controller *host = platform_get_drvdata(pdev);
++
++ spi_controller_get(host);
++
++ spi_unregister_controller(host);
++
+ pm_runtime_force_suspend(&pdev->dev);
++
++ spi_controller_put(host);
+ }
+
+ static const struct of_device_id sun4i_spi_match[] = {
--- /dev/null
+From d874a1c33aee0d88fb4ba2f8aeadaa9f1965209a Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:49 +0200
+Subject: spi: sun6i: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit d874a1c33aee0d88fb4ba2f8aeadaa9f1965209a upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks during driver unbind.
+
+Fixes: 3558fe900e8a ("spi: sunxi: Add Allwinner A31 SPI controller driver")
+Cc: stable@vger.kernel.org # 3.15
+Cc: Maxime Ripard <mripard@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-20-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-sun6i.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-sun6i.c
++++ b/drivers/spi/spi-sun6i.c
+@@ -743,7 +743,7 @@ static int sun6i_spi_probe(struct platfo
+ pm_runtime_set_active(&pdev->dev);
+ pm_runtime_enable(&pdev->dev);
+
+- ret = devm_spi_register_controller(&pdev->dev, host);
++ ret = spi_register_controller(host);
+ if (ret) {
+ dev_err(&pdev->dev, "cannot register SPI host\n");
+ goto err_pm_disable;
+@@ -769,12 +769,18 @@ static void sun6i_spi_remove(struct plat
+ {
+ struct spi_controller *host = platform_get_drvdata(pdev);
+
++ spi_controller_get(host);
++
++ spi_unregister_controller(host);
++
+ pm_runtime_force_suspend(&pdev->dev);
+
+ if (host->dma_tx)
+ dma_release_channel(host->dma_tx);
+ if (host->dma_rx)
+ dma_release_channel(host->dma_rx);
++
++ spi_controller_put(host);
+ }
+
+ static const struct sun6i_spi_cfg sun6i_a31_spi_cfg = {
--- /dev/null
+From 75d849c3452e9611de031db45b3149ba9a99035f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:50 +0200
+Subject: spi: syncuacer: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 75d849c3452e9611de031db45b3149ba9a99035f upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks during driver unbind.
+
+Fixes: b0823ee35cf9 ("spi: Add spi driver for Socionext SynQuacer platform")
+Cc: stable@vger.kernel.org # 5.3
+Cc: Masahisa Kojima <masahisa.kojima@linaro.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-21-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-synquacer.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-synquacer.c
++++ b/drivers/spi/spi-synquacer.c
+@@ -719,7 +719,7 @@ static int synquacer_spi_probe(struct pl
+ pm_runtime_set_active(sspi->dev);
+ pm_runtime_enable(sspi->dev);
+
+- ret = devm_spi_register_controller(sspi->dev, host);
++ ret = spi_register_controller(host);
+ if (ret)
+ goto disable_pm;
+
+@@ -740,9 +740,15 @@ static void synquacer_spi_remove(struct
+ struct spi_controller *host = platform_get_drvdata(pdev);
+ struct synquacer_spi *sspi = spi_controller_get_devdata(host);
+
++ spi_controller_get(host);
++
++ spi_unregister_controller(host);
++
+ pm_runtime_disable(sspi->dev);
+
+ clk_disable_unprepare(sspi->clk);
++
++ spi_controller_put(host);
+ }
+
+ static int __maybe_unused synquacer_spi_suspend(struct device *dev)
--- /dev/null
+From 0c18a1bacbb1d8b8aa34d3d004a2cb8226c8b1ea Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:53 +0200
+Subject: spi: ti-qspi: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 0c18a1bacbb1d8b8aa34d3d004a2cb8226c8b1ea upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks during driver unbind.
+
+Note that the controller is suspended before disabling and releasing
+resources since commit 3ac066e2227c ("spi: spi-ti-qspi: Suspend the
+queue before removing the device") which avoids issues like unclocked
+accesses but prevents SPI device drivers from doing I/O during
+deregistration.
+
+Fixes: 3b3a80019ff1 ("spi: ti-qspi: one only one interrupt handler")
+Cc: stable@vger.kernel.org # 3.13
+Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-24-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-ti-qspi.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/drivers/spi/spi-ti-qspi.c
++++ b/drivers/spi/spi-ti-qspi.c
+@@ -889,7 +889,7 @@ no_dma:
+ qspi->mmap_enabled = false;
+ qspi->current_cs = -1;
+
+- ret = devm_spi_register_controller(&pdev->dev, host);
++ ret = spi_register_controller(host);
+ if (!ret)
+ return 0;
+
+@@ -904,19 +904,17 @@ free_host:
+ static void ti_qspi_remove(struct platform_device *pdev)
+ {
+ struct ti_qspi *qspi = platform_get_drvdata(pdev);
+- int rc;
+
+- rc = spi_controller_suspend(qspi->host);
+- if (rc) {
+- dev_alert(&pdev->dev, "spi_controller_suspend() failed (%pe)\n",
+- ERR_PTR(rc));
+- return;
+- }
++ spi_controller_get(qspi->host);
++
++ spi_unregister_controller(qspi->host);
+
+ pm_runtime_put_sync(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+
+ ti_qspi_dma_cleanup(qspi);
++
++ spi_controller_put(qspi->host);
+ }
+
+ static const struct dev_pm_ops ti_qspi_pm_ops = {
--- /dev/null
+From 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:55 +0200
+Subject: spi: zynqmp-gqspi: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks during driver unbind.
+
+Fixes: dfe11a11d523 ("spi: Add support for Zynq Ultrascale+ MPSoC GQSPI controller")
+Cc: stable@vger.kernel.org # 4.2: 64640f6c972e
+Cc: stable@vger.kernel.org # 4.2
+Cc: Ranjit Waghmode <ranjit.waghmode@xilinx.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-26-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-zynqmp-gqspi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-zynqmp-gqspi.c
++++ b/drivers/spi/spi-zynqmp-gqspi.c
+@@ -1324,7 +1324,7 @@ static int zynqmp_qspi_probe(struct plat
+ ctlr->dev.of_node = np;
+ ctlr->auto_runtime_pm = true;
+
+- ret = devm_spi_register_controller(&pdev->dev, ctlr);
++ ret = spi_register_controller(ctlr);
+ if (ret) {
+ dev_err(&pdev->dev, "spi_register_controller failed\n");
+ goto clk_dis_all;
+@@ -1362,6 +1362,8 @@ static void zynqmp_qspi_remove(struct pl
+
+ pm_runtime_get_sync(&pdev->dev);
+
++ spi_unregister_controller(xqspi->ctlr);
++
+ zynqmp_gqspi_write(xqspi, GQSPI_EN_OFST, 0x0);
+
+ pm_runtime_disable(&pdev->dev);
--- /dev/null
+From 32c91e8ee039777d0b95b914633fc6a42607959c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 24 Apr 2026 12:49:10 +0200
+Subject: staging: vme_user: fix root device leak on init failure
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 32c91e8ee039777d0b95b914633fc6a42607959c upstream.
+
+Make sure to deregister and free the root device in case module
+initialisation fails.
+
+Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
+Cc: stable@vger.kernel.org # 4.9
+Cc: Martyn Welch <martyn@welchs.me.uk>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260424104910.2619349-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/vme_user/vme_fake.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/vme_user/vme_fake.c
++++ b/drivers/staging/vme_user/vme_fake.c
+@@ -1230,6 +1230,8 @@ err_master:
+ err_driver:
+ kfree(fake_bridge);
+ err_struct:
++ root_device_unregister(vme_root);
++
+ return retval;
+ }
+
--- /dev/null
+From ec54093e6a8f87e800bb6aa15eb7fc1e33faa524 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Sun, 19 Apr 2026 18:35:42 -0400
+Subject: xfrm: ah: account for ESN high bits in async callbacks
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit ec54093e6a8f87e800bb6aa15eb7fc1e33faa524 upstream.
+
+AH allocates its temporary auth/ICV layout differently when ESN is enabled:
+the async ahash setup appends a 4-byte seqhi slot before the ICV or
+auth_data area, but the async completion callbacks still reconstruct the
+temporary layout as if seqhi were absent.
+
+With an async AH implementation selected, that makes AH copy or compare
+the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH
+with ESN and forced async hmac(sha1), ping fails with 100% packet loss,
+and the callback logs show the pre-fix drift:
+
+ ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24
+ ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36
+
+Reconstruct the callback-side layout the same way the setup path built it
+by skipping the ESN seqhi slot before locating the saved auth_data or ICV.
+Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV
+computation, so the async callbacks must account for the seqhi slot.
+
+Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows
+the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24
+expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o
+build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the
+change has not been tested against a real async hardware AH engine.
+
+Fixes: d4d573d0334d ("{IPv4,xfrm} Add ESN support for AH egress part")
+Fixes: d8b2a8600b0e ("{IPv4,xfrm} Add ESN support for AH ingress part")
+Fixes: 26dd70c3fad3 ("{IPv6,xfrm} Add ESN support for AH egress part")
+Fixes: 8d6da6f32557 ("{IPv6,xfrm} Add ESN support for AH ingress part")
+Cc: stable@vger.kernel.org
+Assisted-by: Codex:gpt-5-4
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ah4.c | 14 ++++++++++++--
+ net/ipv6/ah6.c | 14 ++++++++++++--
+ 2 files changed, 24 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/ah4.c
++++ b/net/ipv4/ah4.c
+@@ -124,9 +124,14 @@ static void ah_output_done(void *data, i
+ struct iphdr *top_iph = ip_hdr(skb);
+ struct ip_auth_hdr *ah = ip_auth_hdr(skb);
+ int ihl = ip_hdrlen(skb);
++ int seqhi_len = 0;
++ __be32 *seqhi;
+
++ if (x->props.flags & XFRM_STATE_ESN)
++ seqhi_len = sizeof(*seqhi);
+ iph = AH_SKB_CB(skb)->tmp;
+- icv = ah_tmp_icv(iph, ihl);
++ seqhi = (__be32 *)((char *)iph + ihl);
++ icv = ah_tmp_icv(seqhi, seqhi_len);
+ memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
+
+ top_iph->tos = iph->tos;
+@@ -270,12 +275,17 @@ static void ah_input_done(void *data, in
+ struct ip_auth_hdr *ah = ip_auth_hdr(skb);
+ int ihl = ip_hdrlen(skb);
+ int ah_hlen = (ah->hdrlen + 2) << 2;
++ int seqhi_len = 0;
++ __be32 *seqhi;
+
+ if (err)
+ goto out;
+
++ if (x->props.flags & XFRM_STATE_ESN)
++ seqhi_len = sizeof(*seqhi);
+ work_iph = AH_SKB_CB(skb)->tmp;
+- auth_data = ah_tmp_auth(work_iph, ihl);
++ seqhi = (__be32 *)((char *)work_iph + ihl);
++ auth_data = ah_tmp_auth(seqhi, seqhi_len);
+ icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
+
+ err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
+--- a/net/ipv6/ah6.c
++++ b/net/ipv6/ah6.c
+@@ -317,14 +317,19 @@ static void ah6_output_done(void *data,
+ struct ipv6hdr *top_iph = ipv6_hdr(skb);
+ struct ip_auth_hdr *ah = ip_auth_hdr(skb);
+ struct tmp_ext *iph_ext;
++ int seqhi_len = 0;
++ __be32 *seqhi;
+
+ extlen = skb_network_header_len(skb) - sizeof(struct ipv6hdr);
+ if (extlen)
+ extlen += sizeof(*iph_ext);
+
++ if (x->props.flags & XFRM_STATE_ESN)
++ seqhi_len = sizeof(*seqhi);
+ iph_base = AH_SKB_CB(skb)->tmp;
+ iph_ext = ah_tmp_ext(iph_base);
+- icv = ah_tmp_icv(iph_ext, extlen);
++ seqhi = (__be32 *)((char *)iph_ext + extlen);
++ icv = ah_tmp_icv(seqhi, seqhi_len);
+
+ memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
+ memcpy(top_iph, iph_base, IPV6HDR_BASELEN);
+@@ -471,13 +476,18 @@ static void ah6_input_done(void *data, i
+ struct ip_auth_hdr *ah = ip_auth_hdr(skb);
+ int hdr_len = skb_network_header_len(skb);
+ int ah_hlen = ipv6_authlen(ah);
++ int seqhi_len = 0;
++ __be32 *seqhi;
+
+ if (err)
+ goto out;
+
++ if (x->props.flags & XFRM_STATE_ESN)
++ seqhi_len = sizeof(*seqhi);
+ work_iph = AH_SKB_CB(skb)->tmp;
+ auth_data = ah_tmp_auth(work_iph, hdr_len);
+- icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
++ seqhi = (__be32 *)(auth_data + ahp->icv_trunc_len);
++ icv = ah_tmp_icv(seqhi, seqhi_len);
+
+ err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
+ if (err)
--- /dev/null
+From 14acf9652e5690de3c7486c6db5fb8dafd0a32a3 Mon Sep 17 00:00:00 2001
+From: Michal Kosiorek <mkosiorek121@gmail.com>
+Date: Wed, 29 Apr 2026 10:54:51 +0200
+Subject: xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
+
+From: Michal Kosiorek <mkosiorek121@gmail.com>
+
+commit 14acf9652e5690de3c7486c6db5fb8dafd0a32a3 upstream.
+
+KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s
+hlist_del_rcu calls under syzkaller load on linux-6.12.y stable
+(reproduced on 6.12.47, also reachable via the same code path on
+torvalds/master and on the ipsec tree). Nine unique signatures cluster
+in the xfrm_state lifecycle, the load-bearing one being:
+
+ BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]
+ BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]
+ BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c
+ Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435
+
+ Workqueue: netns cleanup_net
+ Call Trace:
+ __hlist_del / hlist_del_rcu
+ __xfrm_state_delete
+ xfrm_state_delete
+ xfrm_state_flush
+ xfrm_state_fini
+ ops_exit_list
+ cleanup_net
+
+The other observed signatures hit the same slab object from
+__xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB
+write variant of __xfrm_state_delete, all on the byseq/byspi
+hash chains.
+
+__xfrm_state_delete() guards its byseq and byspi unhashes with
+value-based predicates:
+
+ if (x->km.seq)
+ hlist_del_rcu(&x->byseq);
+ if (x->id.spi)
+ hlist_del_rcu(&x->byspi);
+
+while everywhere else in the file (e.g. state_cache, state_cache_input)
+the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets
+x->id.spi = newspi inside xfrm_state_lock and then immediately inserts
+into byspi, but a path that observes x->id.spi != 0 outside of
+xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently
+with whether x is actually on the list. The same holds for x->km.seq
+versus byseq, and the bydst/bysrc unhashes have no predicate at all,
+so a second __xfrm_state_delete() on the same object writes through
+LIST_POISON pprev.
+
+The defensive change here:
+
+ - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,
+ bysrc, byseq and byspi so a second deletion is a no-op rather
+ than a write through LIST_POISON pprev. The byseq/byspi nodes
+ are already initialised in xfrm_state_alloc().
+ - Test hlist_unhashed() rather than the value predicate for
+ byseq/byspi, so the unhash decision tracks list state rather than
+ mutable scalar fields.
+
+Empirical verification: applied this patch on top of v6.12.47, rebuilt,
+and re-ran the same syzkaller harness for 1h16m on a previously-crashy
+configuration that produced ~100 hits each of slab-use-after-free
+Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in
+__xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at
+~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo
+confirms the xfrm_state slab is actively allocated and freed during
+the run (~143 KiB resident), so the fuzzer is still exercising those
+code paths -- they just no longer crash.
+
+Reproduction:
+
+ - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV
+ - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db
+ - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal
+ - 9 unique signatures collected in ~9h, all within xfrm_state
+ lifecycle
+
+Fixes: fe9f1d8779cb ("xfrm: add state hashtable keyed by seq")
+Fixes: 7b4dc3600e48 ("[XFRM]: Do not add a state whose SPI is zero to the SPI hash.")
+Reported-by: Michal Kosiorek <mkosiorek121@gmail.com>
+Tested-by: Michal Kosiorek <mkosiorek121@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Michal Kosiorek <mkosiorek121@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_state.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -818,17 +818,17 @@ int __xfrm_state_delete(struct xfrm_stat
+
+ spin_lock(&net->xfrm.xfrm_state_lock);
+ list_del(&x->km.all);
+- hlist_del_rcu(&x->bydst);
+- hlist_del_rcu(&x->bysrc);
+- if (x->km.seq)
+- hlist_del_rcu(&x->byseq);
++ hlist_del_init_rcu(&x->bydst);
++ hlist_del_init_rcu(&x->bysrc);
++ if (!hlist_unhashed(&x->byseq))
++ hlist_del_init_rcu(&x->byseq);
+ if (!hlist_unhashed(&x->state_cache))
+ hlist_del_rcu(&x->state_cache);
+ if (!hlist_unhashed(&x->state_cache_input))
+ hlist_del_rcu(&x->state_cache_input);
+
+- if (x->id.spi)
+- hlist_del_rcu(&x->byspi);
++ if (!hlist_unhashed(&x->byspi))
++ hlist_del_init_rcu(&x->byspi);
+ net->xfrm.state_num--;
+ xfrm_nat_keepalive_state_updated(x);
+ spin_unlock(&net->xfrm.xfrm_state_lock);
--- /dev/null
+From 28465227c80fe417b4013c432be1f3737cb9f9a3 Mon Sep 17 00:00:00 2001
+From: Ruijie Li <ruijieli51@gmail.com>
+Date: Wed, 29 Apr 2026 00:41:43 +0800
+Subject: xfrm: provide message size for XFRM_MSG_MAPPING
+
+From: Ruijie Li <ruijieli51@gmail.com>
+
+commit 28465227c80fe417b4013c432be1f3737cb9f9a3 upstream.
+
+The compat 64=>32 translation path handles XFRM_MSG_MAPPING, but
+xfrm_msg_min[] does not provide the native payload size for this
+message type.
+
+Add the missing XFRM_MSG_MAPPING entry so compat translation can size
+and translate mapping notifications correctly.
+
+Fixes: 5461fc0c8d9f ("xfrm/compat: Add 64=>32-bit messages translator")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Ruijie Li <ruijieli51@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -3314,6 +3314,7 @@ const int xfrm_msg_min[XFRM_NR_MSGTYPES]
+ [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = sizeof(u32),
+ [XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
+ [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
++ [XFRM_MSG_MAPPING - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_mapping),
+ [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
+ [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
+ };
projects / thirdparty / kernel / stable-queue.git / commitdiff
