6.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 6 Sep 2025 19:33:51 +0000 (21:33 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 6 Sep 2025 19:33:51 +0000 (21:33 +0200)
added patches:
batman-adv-fix-oob-read-write-in-network-coding-decode.patch
cifs-prevent-null-pointer-dereference-in-utf16-conversion.patch
drm-amd-display-clear-the-cur_enable-register-on-dcn314-w-out-dpp-pg.patch
drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch
e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch
kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch
microchip-lan865x-fix-lan8651-autoloading.patch
microchip-lan865x-fix-module-autoloading.patch
net-ethernet-oa_tc6-handle-failure-of-spi_setup.patch
net-pcs-rzn1-miic-correct-modctrl-register-offset.patch
ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch
of_numa-fix-uninitialized-memory-nodes-causing-kernel-panic.patch
platform-x86-amd-pmc-add-tuxedo-ib-pro-gen10-amd-to-spurious-8042-quirks-list.patch
proc-fix-missing-pde_set_flags-for-net-proc-files.patch
sched-fix-sched_numa_find_nth_cpu-if-mask-offline.patch
scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch
soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch
wifi-mt76-mt7925-fix-the-wrong-bss-cleanup-for-sap.patch
wifi-mt76-mt7925u-use-connac3-tx-aggr-check-in-tx-complete.patch
wifi-mt76-mt7996-initialize-hdr-before-passing-to-skb_put_data.patch
wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch

22 files changed:
queue-6.12/batman-adv-fix-oob-read-write-in-network-coding-decode.patch [new file with mode: 0644]
queue-6.12/cifs-prevent-null-pointer-dereference-in-utf16-conversion.patch [new file with mode: 0644]
queue-6.12/drm-amd-display-clear-the-cur_enable-register-on-dcn314-w-out-dpp-pg.patch [new file with mode: 0644]
queue-6.12/drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch [new file with mode: 0644]
queue-6.12/e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch [new file with mode: 0644]
queue-6.12/kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch [new file with mode: 0644]
queue-6.12/microchip-lan865x-fix-lan8651-autoloading.patch [new file with mode: 0644]
queue-6.12/microchip-lan865x-fix-module-autoloading.patch [new file with mode: 0644]
queue-6.12/net-ethernet-oa_tc6-handle-failure-of-spi_setup.patch [new file with mode: 0644]
queue-6.12/net-pcs-rzn1-miic-correct-modctrl-register-offset.patch [new file with mode: 0644]
queue-6.12/ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch [new file with mode: 0644]
queue-6.12/of_numa-fix-uninitialized-memory-nodes-causing-kernel-panic.patch [new file with mode: 0644]
queue-6.12/platform-x86-amd-pmc-add-tuxedo-ib-pro-gen10-amd-to-spurious-8042-quirks-list.patch [new file with mode: 0644]
queue-6.12/proc-fix-missing-pde_set_flags-for-net-proc-files.patch [new file with mode: 0644]
queue-6.12/sched-fix-sched_numa_find_nth_cpu-if-mask-offline.patch [new file with mode: 0644]
queue-6.12/scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch [new file with mode: 0644]
queue-6.12/series
queue-6.12/soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch [new file with mode: 0644]
queue-6.12/wifi-mt76-mt7925-fix-the-wrong-bss-cleanup-for-sap.patch [new file with mode: 0644]
queue-6.12/wifi-mt76-mt7925u-use-connac3-tx-aggr-check-in-tx-complete.patch [new file with mode: 0644]
queue-6.12/wifi-mt76-mt7996-initialize-hdr-before-passing-to-skb_put_data.patch [new file with mode: 0644]
queue-6.12/wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch [new file with mode: 0644]

diff --git a/queue-6.12/batman-adv-fix-oob-read-write-in-network-coding-decode.patch b/queue-6.12/batman-adv-fix-oob-read-write-in-network-coding-decode.patch
new file mode 100644 (file)
index 0000000..b3ca6e4
--- /dev/null
@@ -0,0 +1,44 @@
+From d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 Mon Sep 17 00:00:00 2001
+From: Stanislav Fort <stanislav.fort@aisle.com>
+Date: Sun, 31 Aug 2025 16:56:23 +0200
+Subject: batman-adv: fix OOB read/write in network-coding decode
+
+From: Stanislav Fort <stanislav.fort@aisle.com>
+
+commit d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 upstream.
+
+batadv_nc_skb_decode_packet() trusts coded_len and checks only against
+skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing
+payload headroom, and the source skb length is not verified, allowing an
+out-of-bounds read and a small out-of-bounds write.
+
+Validate that coded_len fits within the payload area of both destination
+and source sk_buffs before XORing.
+
+Fixes: 2df5278b0267 ("batman-adv: network coding - receive coded packets and decode them")
+Cc: stable@vger.kernel.org
+Reported-by: Stanislav Fort <disclosure@aisle.com>
+Signed-off-by: Stanislav Fort <stanislav.fort@aisle.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/network-coding.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/network-coding.c
++++ b/net/batman-adv/network-coding.c
+@@ -1687,7 +1687,12 @@ batadv_nc_skb_decode_packet(struct batad
+       coding_len = ntohs(coded_packet_tmp.coded_len);
+-      if (coding_len > skb->len)
++      /* ensure dst buffer is large enough (payload only) */
++      if (coding_len + h_size > skb->len)
++              return NULL;
++
++      /* ensure src buffer is large enough (payload only) */
++      if (coding_len + h_size > nc_packet->skb->len)
+               return NULL;
+       /* Here the magic is reversed:
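Review bot: Both new bounds compare against `skb->len`, which counts paged data as well as the linear head, so they only protect the XOR that follows if `skb` and `nc_packet->skb` are linear at this point; nothing in the hunk shows that, and the XOR call itself lies below the hunk. If the caller linearizes both buffers, the comment should say so, e.g. `/* both skbs are linearized by the caller, so skb->len bounds the XOR at data + h_size */`; otherwise the comparison belongs against `skb_headlen()`. The sum `coding_len + h_size` cannot wrap as long as `coding_len` holds the 16-bit `ntohs()` result in a wider type, which depends on declarations outside the hunk.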
diff --git a/queue-6.12/cifs-prevent-null-pointer-dereference-in-utf16-conversion.patch b/queue-6.12/cifs-prevent-null-pointer-dereference-in-utf16-conversion.patch
new file mode 100644 (file)
index 0000000..8866954
--- /dev/null
@@ -0,0 +1,39 @@
+From 70bccd9855dae56942f2b18a08ba137bb54093a0 Mon Sep 17 00:00:00 2001
+From: Makar Semyonov <m.semenov@tssltd.ru>
+Date: Thu, 4 Sep 2025 15:28:41 +0300
+Subject: cifs: prevent NULL pointer dereference in UTF16 conversion
+
+From: Makar Semyonov <m.semenov@tssltd.ru>
+
+commit 70bccd9855dae56942f2b18a08ba137bb54093a0 upstream.
+
+There can be a NULL pointer dereference bug here. NULL is passed to
+__cifs_sfu_make_node without checks, which passes it unchecked to
+cifs_strndup_to_utf16, which in turn passes it to
+cifs_local_to_utf16_bytes where '*from' is dereferenced, causing a crash.
+
+This patch adds a check for NULL 'src' in cifs_strndup_to_utf16 and
+returns NULL early to prevent dereferencing NULL pointer.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE
+
+Signed-off-by: Makar Semyonov <m.semenov@tssltd.ru>
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifs_unicode.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/smb/client/cifs_unicode.c
++++ b/fs/smb/client/cifs_unicode.c
+@@ -629,6 +629,9 @@ cifs_strndup_to_utf16(const char *src, c
+       int len;
+       __le16 *dst;
++      if (!src)
++              return NULL;
++
+       len = cifs_local_to_utf16_bytes(src, maxlen, cp);
+       len += 2; /* NULL */
+       dst = kmalloc(len, GFP_KERNEL);
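Review bot: The new early return hands back NULL without touching the function's length out-parameter, so a caller that reads the length after a NULL result would see whatever the variable held before the call. The signature is cut off in the hunk header and the allocation-failure path is below the hunk, so this is inferred: if that path zeroes the length, the NULL-`src` path should match it, e.g. `if (!src) { *utf16_len = 0; return NULL; }` (parameter name assumed). Callers also cannot tell a NULL `src` from an allocation failure, which deserves a one-line comment such as `/* NULL src is reported the same way as an allocation failure */`.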
diff --git a/queue-6.12/drm-amd-display-clear-the-cur_enable-register-on-dcn314-w-out-dpp-pg.patch b/queue-6.12/drm-amd-display-clear-the-cur_enable-register-on-dcn314-w-out-dpp-pg.patch
new file mode 100644 (file)
index 0000000..f357fbf
--- /dev/null
@@ -0,0 +1,181 @@
+From 3ebf766c35464ebdeefb6068246267147503dc04 Mon Sep 17 00:00:00 2001
+From: Ivan Lipski <ivan.lipski@amd.com>
+Date: Wed, 20 Aug 2025 15:46:52 -0400
+Subject: drm/amd/display: Clear the CUR_ENABLE register on DCN314 w/out DPP PG
+
+From: Ivan Lipski <ivan.lipski@amd.com>
+
+commit 3ebf766c35464ebdeefb6068246267147503dc04 upstream.
+
+[Why&How]
+ON DCN314, clearing DPP SW structure without power gating it can cause a
+double cursor in full screen with non-native scaling.
+
+A W/A that clears CURSOR0_CONTROL cursor_enable flag if
+dcn10_plane_atomic_power_down is called and DPP power gating is disabled.
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4168
+Reviewed-by: Sun peng (Leo) Li <sunpeng.li@amd.com>
+Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 645f74f1dc119dad5a2c7bbc05cc315e76883011)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.c      |    9 +
+ drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.h      |    2 
+ drivers/gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c      |    1 
+ drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.c |   72 ++++++++++++++
+ drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.h |    2 
+ drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_init.c  |    1 
+ drivers/gpu/drm/amd/display/dc/inc/hw/dpp.h               |    3 
+ 7 files changed, 90 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.c
++++ b/drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.c
+@@ -520,6 +520,15 @@ void dpp1_dppclk_control(
+               REG_UPDATE(DPP_CONTROL, DPP_CLOCK_ENABLE, 0);
+ }
++void dpp_force_disable_cursor(struct dpp *dpp_base)
++{
++      struct dcn10_dpp *dpp = TO_DCN10_DPP(dpp_base);
++
++      /* Force disable cursor */
++      REG_UPDATE(CURSOR0_CONTROL, CUR0_ENABLE, 0);
++      dpp_base->pos.cur0_ctl.bits.cur0_enable = 0;
++}
++
+ static const struct dpp_funcs dcn10_dpp_funcs = {
+               .dpp_read_state = dpp_read_state,
+               .dpp_reset = dpp_reset,
+--- a/drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.h
++++ b/drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.h
+@@ -1525,4 +1525,6 @@ void dpp1_construct(struct dcn10_dpp *dp
+ void dpp1_cm_get_gamut_remap(struct dpp *dpp_base,
+                            struct dpp_grph_csc_adjustment *adjust);
++void dpp_force_disable_cursor(struct dpp *dpp_base);
++
+ #endif
+--- a/drivers/gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c
++++ b/drivers/gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c
+@@ -1497,6 +1497,7 @@ static struct dpp_funcs dcn30_dpp_funcs
+       .dpp_dppclk_control             = dpp1_dppclk_control,
+       .dpp_set_hdr_multiplier         = dpp3_set_hdr_multiplier,
+       .dpp_get_gamut_remap            = dpp3_cm_get_gamut_remap,
++      .dpp_force_disable_cursor       = dpp_force_disable_cursor,
+ };
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.c
+@@ -502,3 +502,75 @@ void dcn314_disable_link_output(struct d
+       apply_symclk_on_tx_off_wa(link);
+ }
++
++/**
++ * dcn314_dpp_pg_control - DPP power gate control.
++ *
++ * @hws: dce_hwseq reference.
++ * @dpp_inst: DPP instance reference.
++ * @power_on: true if we want to enable power gate, false otherwise.
++ *
++ * Enable or disable power gate in the specific DPP instance.
++ * If power gating is disabled, will force disable cursor in the DPP instance.
++ */
++void dcn314_dpp_pg_control(
++              struct dce_hwseq *hws,
++              unsigned int dpp_inst,
++              bool power_on)
++{
++      uint32_t power_gate = power_on ? 0 : 1;
++      uint32_t pwr_status = power_on ? 0 : 2;
++
++
++      if (hws->ctx->dc->debug.disable_dpp_power_gate) {
++              /* Workaround for DCN314 with disabled power gating */
++              if (!power_on) {
++
++                      /* Force disable cursor if power gating is disabled */
++                      struct dpp *dpp = hws->ctx->dc->res_pool->dpps[dpp_inst];
++                      if (dpp && dpp->funcs->dpp_force_disable_cursor)
++                              dpp->funcs->dpp_force_disable_cursor(dpp);
++              }
++              return;
++      }
++      if (REG(DOMAIN1_PG_CONFIG) == 0)
++              return;
++
++      switch (dpp_inst) {
++      case 0: /* DPP0 */
++              REG_UPDATE(DOMAIN1_PG_CONFIG,
++                              DOMAIN1_POWER_GATE, power_gate);
++
++              REG_WAIT(DOMAIN1_PG_STATUS,
++                              DOMAIN1_PGFSM_PWR_STATUS, pwr_status,
++                              1, 1000);
++              break;
++      case 1: /* DPP1 */
++              REG_UPDATE(DOMAIN3_PG_CONFIG,
++                              DOMAIN3_POWER_GATE, power_gate);
++
++              REG_WAIT(DOMAIN3_PG_STATUS,
++                              DOMAIN3_PGFSM_PWR_STATUS, pwr_status,
++                              1, 1000);
++              break;
++      case 2: /* DPP2 */
++              REG_UPDATE(DOMAIN5_PG_CONFIG,
++                              DOMAIN5_POWER_GATE, power_gate);
++
++              REG_WAIT(DOMAIN5_PG_STATUS,
++                              DOMAIN5_PGFSM_PWR_STATUS, pwr_status,
++                              1, 1000);
++              break;
++      case 3: /* DPP3 */
++              REG_UPDATE(DOMAIN7_PG_CONFIG,
++                              DOMAIN7_POWER_GATE, power_gate);
++
++              REG_WAIT(DOMAIN7_PG_STATUS,
++                              DOMAIN7_PGFSM_PWR_STATUS, pwr_status,
++                              1, 1000);
++              break;
++      default:
++              BREAK_TO_DEBUGGER();
++              break;
++      }
++}
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.h
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.h
+@@ -47,4 +47,6 @@ void dcn314_dpp_root_clock_control(struc
+ void dcn314_disable_link_output(struct dc_link *link, const struct link_resource *link_res, enum signal_type signal);
++void dcn314_dpp_pg_control(struct dce_hwseq *hws, unsigned int dpp_inst, bool power_on);
++
+ #endif /* __DC_HWSS_DCN314_H__ */
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_init.c
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_init.c
+@@ -141,6 +141,7 @@ static const struct hwseq_private_funcs
+       .enable_power_gating_plane = dcn314_enable_power_gating_plane,
+       .dpp_root_clock_control = dcn314_dpp_root_clock_control,
+       .hubp_pg_control = dcn31_hubp_pg_control,
++      .dpp_pg_control = dcn314_dpp_pg_control,
+       .program_all_writeback_pipes_in_tree = dcn30_program_all_writeback_pipes_in_tree,
+       .update_odm = dcn314_update_odm,
+       .dsc_pg_control = dcn314_dsc_pg_control,
+--- a/drivers/gpu/drm/amd/display/dc/inc/hw/dpp.h
++++ b/drivers/gpu/drm/amd/display/dc/inc/hw/dpp.h
+@@ -349,6 +349,9 @@ struct dpp_funcs {
+               struct dpp *dpp_base,
+               enum dc_color_space color_space,
+               struct dc_csc_transform cursor_csc_color_matrix);
++
++      void (*dpp_force_disable_cursor)(struct dpp *dpp_base);
++
+ };
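Review bot: In `dcn314_dpp_pg_control`, the power-gating-disabled branch reads `hws->ctx->dc->res_pool->dpps[dpp_inst]` before any range check on `dpp_inst`, while the `switch` further down sends anything other than 0-3 to `BREAK_TO_DEBUGGER()`. Callers presumably pass a valid instance, but the early path should bound the index before the lookup, for instance `if (dpp_inst >= hws->ctx->dc->res_pool->pipe_count) return;` (field name to be confirmed against the pool structure, which is not shown here). The kernel-doc for `@power_on` also reads inverted: the code sets `power_gate = power_on ? 0 : 1`, so the line should say `@power_on: true to power the DPP on (gate released), false to power-gate it.`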
diff --git a/queue-6.12/drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch b/queue-6.12/drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch
new file mode 100644 (file)
index 0000000..2d10b95
--- /dev/null
@@ -0,0 +1,105 @@
+From 71403f58b4bb6c13b71c05505593a355f697fd94 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 6 Aug 2025 10:47:50 -0400
+Subject: drm/amdgpu: drop hw access in non-DC audio fini
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 71403f58b4bb6c13b71c05505593a355f697fd94 upstream.
+
+We already disable the audio pins in hw_fini so
+there is no need to do it again in sw_fini.
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4481
+Cc: oushixiong <oushixiong1025@163.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 5eeb16ca727f11278b2917fd4311a7d7efb0bbd6)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/dce_v10_0.c |    5 -----
+ drivers/gpu/drm/amd/amdgpu/dce_v11_0.c |    5 -----
+ drivers/gpu/drm/amd/amdgpu/dce_v6_0.c  |    5 -----
+ drivers/gpu/drm/amd/amdgpu/dce_v8_0.c  |    5 -----
+ 4 files changed, 20 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c
+@@ -1462,17 +1462,12 @@ static int dce_v10_0_audio_init(struct a
+ static void dce_v10_0_audio_fini(struct amdgpu_device *adev)
+ {
+-      int i;
+-
+       if (!amdgpu_audio)
+               return;
+       if (!adev->mode_info.audio.enabled)
+               return;
+-      for (i = 0; i < adev->mode_info.audio.num_pins; i++)
+-              dce_v10_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false);
+-
+       adev->mode_info.audio.enabled = false;
+ }
+--- a/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c
+@@ -1511,17 +1511,12 @@ static int dce_v11_0_audio_init(struct a
+ static void dce_v11_0_audio_fini(struct amdgpu_device *adev)
+ {
+-      int i;
+-
+       if (!amdgpu_audio)
+               return;
+       if (!adev->mode_info.audio.enabled)
+               return;
+-      for (i = 0; i < adev->mode_info.audio.num_pins; i++)
+-              dce_v11_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false);
+-
+       adev->mode_info.audio.enabled = false;
+ }
+--- a/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c
+@@ -1394,17 +1394,12 @@ static int dce_v6_0_audio_init(struct am
+ static void dce_v6_0_audio_fini(struct amdgpu_device *adev)
+ {
+-      int i;
+-
+       if (!amdgpu_audio)
+               return;
+       if (!adev->mode_info.audio.enabled)
+               return;
+-      for (i = 0; i < adev->mode_info.audio.num_pins; i++)
+-              dce_v6_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false);
+-
+       adev->mode_info.audio.enabled = false;
+ }
+--- a/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c
+@@ -1443,17 +1443,12 @@ static int dce_v8_0_audio_init(struct am
+ static void dce_v8_0_audio_fini(struct amdgpu_device *adev)
+ {
+-      int i;
+-
+       if (!amdgpu_audio)
+               return;
+       if (!adev->mode_info.audio.enabled)
+               return;
+-      for (i = 0; i < adev->mode_info.audio.num_pins; i++)
+-              dce_v8_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false);
+-
+       adev->mode_info.audio.enabled = false;
+ }
diff --git a/queue-6.12/e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch b/queue-6.12/e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch
new file mode 100644 (file)
index 0000000..654f41d
--- /dev/null
@@ -0,0 +1,55 @@
+From 90fb7db49c6dbac961c6b8ebfd741141ffbc8545 Mon Sep 17 00:00:00 2001
+From: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Date: Sun, 17 Aug 2025 12:25:47 +0300
+Subject: e1000e: fix heap overflow in e1000_set_eeprom
+
+From: Vitaly Lifshits <vitaly.lifshits@intel.com>
+
+commit 90fb7db49c6dbac961c6b8ebfd741141ffbc8545 upstream.
+
+Fix a possible heap overflow in e1000_set_eeprom function by adding
+input validation for the requested length of the change in the EEPROM.
+In addition, change the variable type from int to size_t for better
+code practices and rearrange declarations to RCT.
+
+Cc: stable@vger.kernel.org
+Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
+Co-developed-by: Mikael Wessel <post@mikaelkw.online>
+Signed-off-by: Mikael Wessel <post@mikaelkw.online>
+Signed-off-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/e1000e/ethtool.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/ethtool.c
++++ b/drivers/net/ethernet/intel/e1000e/ethtool.c
+@@ -549,12 +549,12 @@ static int e1000_set_eeprom(struct net_d
+ {
+       struct e1000_adapter *adapter = netdev_priv(netdev);
+       struct e1000_hw *hw = &adapter->hw;
++      size_t total_len, max_len;
+       u16 *eeprom_buff;
+-      void *ptr;
+-      int max_len;
++      int ret_val = 0;
+       int first_word;
+       int last_word;
+-      int ret_val = 0;
++      void *ptr;
+       u16 i;
+       if (eeprom->len == 0)
+@@ -569,6 +569,10 @@ static int e1000_set_eeprom(struct net_d
+       max_len = hw->nvm.word_size * 2;
++      if (check_add_overflow(eeprom->offset, eeprom->len, &total_len) ||
++          total_len > max_len)
++              return -EFBIG;
++
+       first_word = eeprom->offset >> 1;
+       last_word = (eeprom->offset + eeprom->len - 1) >> 1;
+       eeprom_buff = kmalloc(max_len, GFP_KERNEL);
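Review bot: The added range check carries no comment, yet it is the only visible guard that keeps `eeprom->offset + eeprom->len` inside the `max_len`-byte `eeprom_buff` allocated a few lines later. A comment above it would make that dependency clear to the next editor: `/* offset and len are caller-supplied; reject ranges that wrap or run past the NVM, since eeprom_buff is only max_len bytes */`. `first_word` and `last_word` stay `int` while the lengths moved to `size_t`, which is safe only because the check now caps the range at `max_len`. The copy into `eeprom_buff` is below the hunk, so how those indices are used there is not visible here.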
diff --git a/queue-6.12/kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch b/queue-6.12/kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch
new file mode 100644 (file)
index 0000000..3503418
--- /dev/null
@@ -0,0 +1,74 @@
+From 51337a9a3a404fde0f5337662ffc7699793dfeb5 Mon Sep 17 00:00:00 2001
+From: Ada Couprie Diaz <ada.coupriediaz@arm.com>
+Date: Thu, 21 Aug 2025 13:07:35 +0100
+Subject: kasan: fix GCC mem-intrinsic prefix with sw tags
+
+From: Ada Couprie Diaz <ada.coupriediaz@arm.com>
+
+commit 51337a9a3a404fde0f5337662ffc7699793dfeb5 upstream.
+
+GCC doesn't support "hwasan-kernel-mem-intrinsic-prefix", only
+"asan-kernel-mem-intrinsic-prefix"[0], while LLVM supports both.  This is
+already taken into account when checking
+"CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX", but not in the KASAN Makefile
+adding those parameters when "CONFIG_KASAN_SW_TAGS" is enabled.
+
+Replace the version check with "CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX",
+which already validates that mem-intrinsic prefix parameter can be used,
+and choose the correct name depending on compiler.
+
+GCC 13 and above trigger "CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX" which
+prevents `mem{cpy,move,set}()` being redefined in "mm/kasan/shadow.c"
+since commit 36be5cba99f6 ("kasan: treat meminstrinsic as builtins in
+uninstrumented files"), as we expect the compiler to prefix those calls
+with `__(hw)asan_` instead.  But as the option passed to GCC has been
+incorrect, the compiler has not been emitting those prefixes, effectively
+never calling the instrumented versions of `mem{cpy,move,set}()` with
+"CONFIG_KASAN_SW_TAGS" enabled.
+
+If "CONFIG_FORTIFY_SOURCES" is enabled, this issue would be mitigated as
+it redefines `mem{cpy,move,set}()` and properly aliases the
+`__underlying_mem*()` that will be called to the instrumented versions.
+
+Link: https://lkml.kernel.org/r/20250821120735.156244-1-ada.coupriediaz@arm.com
+Link: https://gcc.gnu.org/onlinedocs/gcc-13.4.0/gcc/Optimize-Options.html [0]
+Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
+Fixes: 36be5cba99f6 ("kasan: treat meminstrinsic as builtins in uninstrumented files")
+Reviewed-by: Yeoreum Yun <yeoreum.yun@arm.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Andrey Konovalov <andreyknvl@gmail.com>
+Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+Cc: Dmitriy Vyukov <dvyukov@google.com>
+Cc: Marco Elver <elver@google.com>
+Cc: Marc Rutland <mark.rutland@arm.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/Makefile.kasan |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/scripts/Makefile.kasan
++++ b/scripts/Makefile.kasan
+@@ -86,10 +86,14 @@ kasan_params += hwasan-instrument-stack=
+               hwasan-use-short-granules=0 \
+               hwasan-inline-all-checks=0
+-# Instrument memcpy/memset/memmove calls by using instrumented __hwasan_mem*().
+-ifeq ($(call clang-min-version, 150000)$(call gcc-min-version, 130000),y)
+-      kasan_params += hwasan-kernel-mem-intrinsic-prefix=1
+-endif
++# Instrument memcpy/memset/memmove calls by using instrumented __(hw)asan_mem*().
++ifdef CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX
++      ifdef CONFIG_CC_IS_GCC
++              kasan_params += asan-kernel-mem-intrinsic-prefix=1
++      else
++              kasan_params += hwasan-kernel-mem-intrinsic-prefix=1
++      endif
++endif # CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX
+ endif # CONFIG_KASAN_SW_TAGS
diff --git a/queue-6.12/microchip-lan865x-fix-lan8651-autoloading.patch b/queue-6.12/microchip-lan865x-fix-lan8651-autoloading.patch
new file mode 100644 (file)
index 0000000..29346f0
--- /dev/null
@@ -0,0 +1,45 @@
+From ca47c44d36a9ad3268d17f89789104a471c07f81 Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <wahrenst@gmx.net>
+Date: Wed, 27 Aug 2025 13:53:41 +0200
+Subject: microchip: lan865x: Fix LAN8651 autoloading
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+commit ca47c44d36a9ad3268d17f89789104a471c07f81 upstream.
+
+Add missing IDs for LAN8651 devices, which are also defined in the
+DT bindings.
+
+Fixes: 5cd2340cb6a3 ("microchip: lan865x: add driver support for Microchip's LAN865X MAC-PHY")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Cc: stable@kernel.org
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20250827115341.34608-4-wahrenst@gmx.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/microchip/lan865x/lan865x.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/microchip/lan865x/lan865x.c b/drivers/net/ethernet/microchip/lan865x/lan865x.c
+index 9d94c8fb8b91..79b800d2b72c 100644
+--- a/drivers/net/ethernet/microchip/lan865x/lan865x.c
++++ b/drivers/net/ethernet/microchip/lan865x/lan865x.c
+@@ -425,12 +425,14 @@ static void lan865x_remove(struct spi_device *spi)
+ static const struct spi_device_id lan865x_ids[] = {
+       { .name = "lan8650" },
++      { .name = "lan8651" },
+       {},
+ };
+ MODULE_DEVICE_TABLE(spi, lan865x_ids);
+ static const struct of_device_id lan865x_dt_ids[] = {
+       { .compatible = "microchip,lan8650" },
++      { .compatible = "microchip,lan8651" },
+       { /* Sentinel */ }
+ };
+ MODULE_DEVICE_TABLE(of, lan865x_dt_ids);
+-- 
+2.51.0
+
diff --git a/queue-6.12/microchip-lan865x-fix-module-autoloading.patch b/queue-6.12/microchip-lan865x-fix-module-autoloading.patch
new file mode 100644 (file)
index 0000000..d811ac0
--- /dev/null
@@ -0,0 +1,54 @@
+From c7217963eb779be0a7627dd2121152fa6786ecf7 Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <wahrenst@gmx.net>
+Date: Wed, 27 Aug 2025 13:53:40 +0200
+Subject: microchip: lan865x: Fix module autoloading
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+commit c7217963eb779be0a7627dd2121152fa6786ecf7 upstream.
+
+Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded
+based on the alias from spi_device_id table. While at this, fix
+the misleading variable name (spidev is unrelated to this driver).
+
+Fixes: 5cd2340cb6a3 ("microchip: lan865x: add driver support for Microchip's LAN865X MAC-PHY")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Cc: stable@kernel.org
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20250827115341.34608-3-wahrenst@gmx.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/microchip/lan865x/lan865x.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/lan865x/lan865x.c b/drivers/net/ethernet/microchip/lan865x/lan865x.c
+index 84c41f193561..9d94c8fb8b91 100644
+--- a/drivers/net/ethernet/microchip/lan865x/lan865x.c
++++ b/drivers/net/ethernet/microchip/lan865x/lan865x.c
+@@ -423,10 +423,11 @@ static void lan865x_remove(struct spi_device *spi)
+       free_netdev(priv->netdev);
+ }
+-static const struct spi_device_id spidev_spi_ids[] = {
++static const struct spi_device_id lan865x_ids[] = {
+       { .name = "lan8650" },
+       {},
+ };
++MODULE_DEVICE_TABLE(spi, lan865x_ids);
+ static const struct of_device_id lan865x_dt_ids[] = {
+       { .compatible = "microchip,lan8650" },
+@@ -441,7 +442,7 @@ static struct spi_driver lan865x_driver = {
+        },
+       .probe = lan865x_probe,
+       .remove = lan865x_remove,
+-      .id_table = spidev_spi_ids,
++      .id_table = lan865x_ids,
+ };
+ module_spi_driver(lan865x_driver);
+-- 
+2.51.0
+
diff --git a/queue-6.12/net-ethernet-oa_tc6-handle-failure-of-spi_setup.patch b/queue-6.12/net-ethernet-oa_tc6-handle-failure-of-spi_setup.patch
new file mode 100644 (file)
index 0000000..2b1e871
--- /dev/null
@@ -0,0 +1,36 @@
+From b3852ae3105ec1048535707545d23c1e519c190f Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <wahrenst@gmx.net>
+Date: Wed, 27 Aug 2025 13:53:39 +0200
+Subject: net: ethernet: oa_tc6: Handle failure of spi_setup
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+commit b3852ae3105ec1048535707545d23c1e519c190f upstream.
+
+There is no guarantee that spi_setup succeed, so properly handle
+the error case.
+
+Fixes: aa58bec064ab ("net: ethernet: oa_tc6: implement register write operation")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Cc: stable@kernel.org
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20250827115341.34608-2-wahrenst@gmx.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/oa_tc6.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/oa_tc6.c
++++ b/drivers/net/ethernet/oa_tc6.c
+@@ -1249,7 +1249,8 @@ struct oa_tc6 *oa_tc6_init(struct spi_de
+       /* Set the SPI controller to pump at realtime priority */
+       tc6->spi->rt = true;
+-      spi_setup(tc6->spi);
++      if (spi_setup(tc6->spi) < 0)
++              return NULL;
+       tc6->spi_ctrl_tx_buf = devm_kzalloc(&tc6->spi->dev,
+                                           OA_TC6_CTRL_SPI_BUF_SIZE,
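Review bot: The new check drops the error code from `spi_setup()` and returns NULL with no message, so a controller rejecting the device settings looks the same to the caller as any other NULL return from `oa_tc6_init()`. Keeping the value and logging it before the return would make probe failures diagnosable, e.g. `dev_err(&tc6->spi->dev, "spi_setup failed: %d\n", ret);` with `ret` holding the result; whether the function already has such a local is not visible in the hunk. The function body continues beyond the hunk.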
diff --git a/queue-6.12/net-pcs-rzn1-miic-correct-modctrl-register-offset.patch b/queue-6.12/net-pcs-rzn1-miic-correct-modctrl-register-offset.patch
new file mode 100644 (file)
index 0000000..da617ce
--- /dev/null
@@ -0,0 +1,49 @@
+From a7195a3d67dace056af7ca65144a11874df79562 Mon Sep 17 00:00:00 2001
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Date: Mon, 1 Sep 2025 12:20:19 +0100
+Subject: net: pcs: rzn1-miic: Correct MODCTRL register offset
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+commit a7195a3d67dace056af7ca65144a11874df79562 upstream.
+
+Correct the Mode Control Register (MODCTRL) offset for RZ/N MIIC.
+According to the R-IN Engine and Ethernet Peripherals Manual (Rev.1.30)
+[0], Table 10.1 "Ethernet Accessory Register List", MODCTRL is at offset
+0x8, not 0x20 as previously defined.
+
+Offset 0x20 actually maps to the Port Trigger Control Register (PTCTRL),
+which controls PTP_MODE[3:0] and RGMII_CLKSEL[4]. Using this incorrect
+definition prevented the driver from configuring the SW_MODE[4:0] bits
+in MODCTRL, which control the internal connection of Ethernet ports. As
+a result, the MIIC could not be switched into the correct mode, leading
+to link setup failures and non-functional Ethernet ports on affected
+systems.
+
+[0] https://www.renesas.com/en/document/mah/rzn1d-group-rzn1s-group-rzn1l-group-users-manual-r-engine-and-ethernet-peripherals?r=1054571
+
+Fixes: 7dc54d3b8d91 ("net: pcs: add Renesas MII converter driver")
+Cc: stable@kernel.org
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://patch.msgid.link/20250901112019.16278-1-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/pcs/pcs-rzn1-miic.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/pcs/pcs-rzn1-miic.c
++++ b/drivers/net/pcs/pcs-rzn1-miic.c
+@@ -19,7 +19,7 @@
+ #define MIIC_PRCMD                    0x0
+ #define MIIC_ESID_CODE                        0x4
+-#define MIIC_MODCTRL                  0x20
++#define MIIC_MODCTRL                  0x8
+ #define MIIC_MODCTRL_SW_MODE          GENMASK(4, 0)
+ #define MIIC_CONVCTRL(port)           (0x100 + (port) * 4)
diff --git a/queue-6.12/ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch b/queue-6.12/ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch
new file mode 100644 (file)
index 0000000..5ad421e
--- /dev/null
@@ -0,0 +1,58 @@
+From f46e8ef8bb7b452584f2e75337b619ac51a7cadf Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis <eadavis@qq.com>
+Date: Tue, 19 Aug 2025 21:41:02 +0800
+Subject: ocfs2: prevent release journal inode after journal shutdown
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+commit f46e8ef8bb7b452584f2e75337b619ac51a7cadf upstream.
+
+Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already
+been executed in ocfs2_dismount_volume(), so osb->journal must be NULL.
+Therefore, the following calltrace will inevitably fail when it reaches
+jbd2_journal_release_jbd_inode().
+
+ocfs2_dismount_volume()->
+  ocfs2_delete_osb()->
+    ocfs2_free_slot_info()->
+      __ocfs2_free_slot_info()->
+        evict()->
+          ocfs2_evict_inode()->
+            ocfs2_clear_inode()->
+             jbd2_journal_release_jbd_inode(osb->journal->j_journal,
+
+Adding osb->journal checks will prevent null-ptr-deref during the above
+execution path.
+
+Link: https://lkml.kernel.org/r/tencent_357489BEAEE4AED74CBD67D246DBD2C4C606@qq.com
+Fixes: da5e7c87827e ("ocfs2: cleanup journal init and shutdown")
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Reported-by: syzbot+47d8cb2f2cc1517e515a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=47d8cb2f2cc1517e515a
+Tested-by: syzbot+47d8cb2f2cc1517e515a@syzkaller.appspotmail.com
+Reviewed-by: Mark Tinguely <mark.tinguely@oracle.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/inode.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1205,6 +1205,9 @@ static void ocfs2_clear_inode(struct ino
+        * the journal is flushed before journal shutdown. Thus it is safe to
+        * have inodes get cleaned up after journal shutdown.
+        */
++      if (!osb->journal)
++              return;
++
+       jbd2_journal_release_jbd_inode(osb->journal->j_journal,
+                                      &oi->ip_jinode);
+ }
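Review bot: The early `return` added before `jbd2_journal_release_jbd_inode()` in ocfs2_clear_inode() has no comment of its own, and the existing comment directly above it still reads as if the release call is always reached. A line such as `/* osb->journal is already NULL once ocfs2_journal_shutdown() has run on the dismount path */` would record why the check exists. Because the release is the last statement of the function, wrapping the call in `if (osb->journal)` rather than returning early would keep any cleanup added below it later from being skipped on that path. The start of ocfs2_clear_inode() is outside the hunk.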
diff --git a/queue-6.12/of_numa-fix-uninitialized-memory-nodes-causing-kernel-panic.patch b/queue-6.12/of_numa-fix-uninitialized-memory-nodes-causing-kernel-panic.patch
new file mode 100644 (file)
index 0000000..2151c85
--- /dev/null
@@ -0,0 +1,133 @@
+From ee4d098cbc9160f573b5c1b5a51d6158efdb2896 Mon Sep 17 00:00:00 2001
+From: Yin Tirui <yintirui@huawei.com>
+Date: Tue, 19 Aug 2025 15:55:10 +0800
+Subject: of_numa: fix uninitialized memory nodes causing kernel panic
+
+From: Yin Tirui <yintirui@huawei.com>
+
+commit ee4d098cbc9160f573b5c1b5a51d6158efdb2896 upstream.
+
+When there are memory-only nodes (nodes without CPUs), these nodes are not
+properly initialized, causing kernel panic during boot.
+
+of_numa_init
+       of_numa_parse_cpu_nodes
+               node_set(nid, numa_nodes_parsed);
+       of_numa_parse_memory_nodes
+
+In of_numa_parse_cpu_nodes, numa_nodes_parsed gets updated only for nodes
+containing CPUs.  Memory-only nodes should have been updated in
+of_numa_parse_memory_nodes, but they weren't.
+
+Subsequently, when free_area_init() attempts to access NODE_DATA() for
+these uninitialized memory nodes, the kernel panics due to NULL pointer
+dereference.
+
+This can be reproduced on ARM64 QEMU with 1 CPU and 2 memory nodes:
+
+qemu-system-aarch64 \
+-cpu host -nographic \
+-m 4G -smp 1 \
+-machine virt,accel=kvm,gic-version=3,iommu=smmuv3 \
+-object memory-backend-ram,size=2G,id=mem0 \
+-object memory-backend-ram,size=2G,id=mem1 \
+-numa node,nodeid=0,memdev=mem0 \
+-numa node,nodeid=1,memdev=mem1 \
+-kernel $IMAGE \
+-hda $DISK \
+-append "console=ttyAMA0 root=/dev/vda rw earlycon"
+
+[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x481fd010]
+[    0.000000] Linux version 6.17.0-rc1-00001-gabb4b3daf18c-dirty (yintirui@local) (gcc (GCC) 12.3.1, GNU ld (GNU Binutils) 2.41) #52 SMP PREEMPT Mon Aug 18 09:49:40 CST 2025
+[    0.000000] KASLR enabled
+[    0.000000] random: crng init done
+[    0.000000] Machine model: linux,dummy-virt
+[    0.000000] efi: UEFI not found.
+[    0.000000] earlycon: pl11 at MMIO 0x0000000009000000 (options '')
+[    0.000000] printk: legacy bootconsole [pl11] enabled
+[    0.000000] OF: reserved mem: Reserved memory: No reserved-memory node in the DT
+[    0.000000] NODE_DATA(0) allocated [mem 0xbfffd9c0-0xbfffffff]
+[    0.000000] node 1 must be removed before remove section 23
+[    0.000000] Zone ranges:
+[    0.000000]   DMA      [mem 0x0000000040000000-0x00000000ffffffff]
+[    0.000000]   DMA32    empty
+[    0.000000]   Normal   [mem 0x0000000100000000-0x000000013fffffff]
+[    0.000000] Movable zone start for each node
+[    0.000000] Early memory node ranges
+[    0.000000]   node   0: [mem 0x0000000040000000-0x00000000bfffffff]
+[    0.000000]   node   1: [mem 0x00000000c0000000-0x000000013fffffff]
+[    0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x00000000bfffffff]
+[    0.000000] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0
+[    0.000000] Mem abort info:
+[    0.000000]   ESR = 0x0000000096000004
+[    0.000000]   EC = 0x25: DABT (current EL), IL = 32 bits
+[    0.000000]   SET = 0, FnV = 0
+[    0.000000]   EA = 0, S1PTW = 0
+[    0.000000]   FSC = 0x04: level 0 translation fault
+[    0.000000] Data abort info:
+[    0.000000]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+[    0.000000]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+[    0.000000]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+[    0.000000] [00000000000000a0] user address but active_mm is swapper
+[    0.000000] Internal error: Oops: 0000000096000004 [#1]  SMP
+[    0.000000] Modules linked in:
+[    0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.17.0-rc1-00001-g760c6dabf762-dirty #54 PREEMPT
+[    0.000000] Hardware name: linux,dummy-virt (DT)
+[    0.000000] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[    0.000000] pc : free_area_init+0x50c/0xf9c
+[    0.000000] lr : free_area_init+0x5c0/0xf9c
+[    0.000000] sp : ffffa02ca0f33c00
+[    0.000000] x29: ffffa02ca0f33cb0 x28: 0000000000000000 x27: 0000000000000000
+[    0.000000] x26: 4ec4ec4ec4ec4ec5 x25: 00000000000c0000 x24: 00000000000c0000
+[    0.000000] x23: 0000000000040000 x22: 0000000000000000 x21: ffffa02ca0f3b368
+[    0.000000] x20: ffffa02ca14c7b98 x19: 0000000000000000 x18: 0000000000000002
+[    0.000000] x17: 000000000000cacc x16: 0000000000000001 x15: 0000000000000001
+[    0.000000] x14: 0000000080000000 x13: 0000000000000018 x12: 0000000000000002
+[    0.000000] x11: ffffa02ca0fd4f00 x10: ffffa02ca14bab20 x9 : ffffa02ca14bab38
+[    0.000000] x8 : 00000000000c0000 x7 : 0000000000000001 x6 : 0000000000000002
+[    0.000000] x5 : 0000000140000000 x4 : ffffa02ca0f33c90 x3 : ffffa02ca0f33ca0
+[    0.000000] x2 : ffffa02ca0f33c98 x1 : 0000000080000000 x0 : 0000000000000001
+[    0.000000] Call trace:
+[    0.000000]  free_area_init+0x50c/0xf9c (P)
+[    0.000000]  bootmem_init+0x110/0x1dc
+[    0.000000]  setup_arch+0x278/0x60c
+[    0.000000]  start_kernel+0x70/0x748
+[    0.000000]  __primary_switched+0x88/0x90
+[    0.000000] Code: d503201f b98093e0 52800016 f8607a93 (f9405260)
+[    0.000000] ---[ end trace 0000000000000000 ]---
+[    0.000000] Kernel panic - not syncing: Attempted to kill the idle task!
+[    0.000000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]---
+
+Link: https://lkml.kernel.org/r/20250819075510.2079961-1-yintirui@huawei.com
+Fixes: 767507654c22 ("arch_numa: switch over to numa_memblks")
+Signed-off-by: Yin Tirui <yintirui@huawei.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
+Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Chen Jun <chenjun102@huawei.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Joanthan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Rob Herring <robh@kernel.org>
+Cc: Saravana Kannan <saravanak@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/of_numa.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/of/of_numa.c
++++ b/drivers/of/of_numa.c
+@@ -62,8 +62,11 @@ static int __init of_numa_parse_memory_n
+                       r = -EINVAL;
+               }
+-              for (i = 0; !r && !of_address_to_resource(np, i, &rsrc); i++)
++              for (i = 0; !r && !of_address_to_resource(np, i, &rsrc); i++) {
+                       r = numa_add_memblk(nid, rsrc.start, rsrc.end + 1);
++                      if (!r)
++                              node_set(nid, numa_nodes_parsed);
++              }
+               if (!i || r) {
+                       of_node_put(np);
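Review bot: `node_set(nid, numa_nodes_parsed)` runs inside the loop after every successful numa_add_memblk(), so a node whose first range is accepted and whose later range fails stays marked as parsed even though the `if (!i || r)` error branch is taken right after. Setting the bit once after the loop, `if (i && !r) node_set(nid, numa_nodes_parsed);`, would mark only nodes whose ranges were all added and avoids repeating the set per range. Whether a partially parsed node can actually be observed depends on how the caller treats the error, which the hunk does not show. of_numa_parse_memory_nodes() begins and ends outside the hunk.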
diff --git a/queue-6.12/platform-x86-amd-pmc-add-tuxedo-ib-pro-gen10-amd-to-spurious-8042-quirks-list.patch b/queue-6.12/platform-x86-amd-pmc-add-tuxedo-ib-pro-gen10-amd-to-spurious-8042-quirks-list.patch
new file mode 100644 (file)
index 0000000..2d8bc29
--- /dev/null
@@ -0,0 +1,52 @@
+From c96f86217bb28e019403bb8f59eacd8ad5a7ad1a Mon Sep 17 00:00:00 2001
+From: Christoffer Sandberg <cs@tuxedo.de>
+Date: Wed, 27 Aug 2025 15:13:51 +0200
+Subject: platform/x86/amd/pmc: Add TUXEDO IB Pro Gen10 AMD to spurious 8042 quirks list
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christoffer Sandberg <cs@tuxedo.de>
+
+commit c96f86217bb28e019403bb8f59eacd8ad5a7ad1a upstream.
+
+Prevents instant wakeup ~1s after suspend.
+
+It seems to be kernel/system dependent if the IRQ actually manages to wake
+the system every time or if it gets ignored (and everything works as
+expected).
+
+Signed-off-by: Christoffer Sandberg <cs@tuxedo.de>
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250827131424.16436-1-wse@tuxedocomputers.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/amd/pmc/pmc-quirks.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c
++++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+@@ -242,6 +242,20 @@ static const struct dmi_system_id fwbug_
+                       DMI_MATCH(DMI_PRODUCT_NAME, "Lafite Pro V 14M"),
+               }
+       },
++      {
++              .ident = "TUXEDO InfinityBook Pro 14/15 AMD Gen10",
++              .driver_data = &quirk_spurious_8042,
++              .matches = {
++                      DMI_MATCH(DMI_BOARD_NAME, "XxHP4NAx"),
++              }
++      },
++      {
++              .ident = "TUXEDO InfinityBook Pro 14/15 AMD Gen10",
++              .driver_data = &quirk_spurious_8042,
++              .matches = {
++                      DMI_MATCH(DMI_BOARD_NAME, "XxKK4NAx_XxSP4NAx"),
++              }
++      },
+       {}
+ };
diff --git a/queue-6.12/proc-fix-missing-pde_set_flags-for-net-proc-files.patch b/queue-6.12/proc-fix-missing-pde_set_flags-for-net-proc-files.patch
new file mode 100644 (file)
index 0000000..5e60019
--- /dev/null
@@ -0,0 +1,132 @@
+From 2ce3d282bd5050fca8577defeff08ada0d55d062 Mon Sep 17 00:00:00 2001
+From: wangzijie <wangzijie1@honor.com>
+Date: Mon, 18 Aug 2025 20:31:02 +0800
+Subject: proc: fix missing pde_set_flags() for net proc files
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: wangzijie <wangzijie1@honor.com>
+
+commit 2ce3d282bd5050fca8577defeff08ada0d55d062 upstream.
+
+To avoid potential UAF issues during module removal races, we use
+pde_set_flags() to save proc_ops flags in PDE itself before
+proc_register(), and then use pde_has_proc_*() helpers instead of directly
+dereferencing pde->proc_ops->*.
+
+However, the pde_set_flags() call was missing when creating net related
+proc files.  This omission caused incorrect behavior which FMODE_LSEEK was
+being cleared inappropriately in proc_reg_open() for net proc files.  Lars
+reported it in this link[1].
+
+Fix this by ensuring pde_set_flags() is called when register proc entry,
+and add NULL check for proc_ops in pde_set_flags().
+
+[wangzijie1@honor.com: stash pde->proc_ops in a local const variable, per Christian]
+  Link: https://lkml.kernel.org/r/20250821105806.1453833-1-wangzijie1@honor.com
+Link: https://lkml.kernel.org/r/20250818123102.959595-1-wangzijie1@honor.com
+Link: https://lore.kernel.org/all/20250815195616.64497967@chagall.paradoxon.rec/ [1]
+Fixes: ff7ec8dc1b64 ("proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al")
+Signed-off-by: wangzijie <wangzijie1@honor.com>
+Reported-by: Lars Wendler <polynomial-c@gmx.de>
+Tested-by: Stefano Brivio <sbrivio@redhat.com>
+Tested-by: Petr VanÄ›k <pv@excello.cz>
+Tested by: Lars Wendler <polynomial-c@gmx.de>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jiri Slaby <jirislaby@kernel.org>
+Cc: Kirill A. Shutemov <k.shutemov@gmail.com>
+Cc: wangzijie <wangzijie1@honor.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/generic.c |   38 +++++++++++++++++++++-----------------
+ 1 file changed, 21 insertions(+), 17 deletions(-)
+
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@ -362,6 +362,25 @@ static const struct inode_operations pro
+       .setattr        = proc_notify_change,
+ };
++static void pde_set_flags(struct proc_dir_entry *pde)
++{
++      const struct proc_ops *proc_ops = pde->proc_ops;
++
++      if (!proc_ops)
++              return;
++
++      if (proc_ops->proc_flags & PROC_ENTRY_PERMANENT)
++              pde->flags |= PROC_ENTRY_PERMANENT;
++      if (proc_ops->proc_read_iter)
++              pde->flags |= PROC_ENTRY_proc_read_iter;
++#ifdef CONFIG_COMPAT
++      if (proc_ops->proc_compat_ioctl)
++              pde->flags |= PROC_ENTRY_proc_compat_ioctl;
++#endif
++      if (proc_ops->proc_lseek)
++              pde->flags |= PROC_ENTRY_proc_lseek;
++}
++
+ /* returns the registered entry, or frees dp and returns NULL on failure */
+ struct proc_dir_entry *proc_register(struct proc_dir_entry *dir,
+               struct proc_dir_entry *dp)
+@@ -369,6 +388,8 @@ struct proc_dir_entry *proc_register(str
+       if (proc_alloc_inum(&dp->low_ino))
+               goto out_free_entry;
++      pde_set_flags(dp);
++
+       write_lock(&proc_subdir_lock);
+       dp->parent = dir;
+       if (pde_subdir_insert(dir, dp) == false) {
+@@ -557,20 +578,6 @@ struct proc_dir_entry *proc_create_reg(c
+       return p;
+ }
+-static void pde_set_flags(struct proc_dir_entry *pde)
+-{
+-      if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT)
+-              pde->flags |= PROC_ENTRY_PERMANENT;
+-      if (pde->proc_ops->proc_read_iter)
+-              pde->flags |= PROC_ENTRY_proc_read_iter;
+-#ifdef CONFIG_COMPAT
+-      if (pde->proc_ops->proc_compat_ioctl)
+-              pde->flags |= PROC_ENTRY_proc_compat_ioctl;
+-#endif
+-      if (pde->proc_ops->proc_lseek)
+-              pde->flags |= PROC_ENTRY_proc_lseek;
+-}
+-
+ struct proc_dir_entry *proc_create_data(const char *name, umode_t mode,
+               struct proc_dir_entry *parent,
+               const struct proc_ops *proc_ops, void *data)
+@@ -581,7 +588,6 @@ struct proc_dir_entry *proc_create_data(
+       if (!p)
+               return NULL;
+       p->proc_ops = proc_ops;
+-      pde_set_flags(p);
+       return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_data);
+@@ -632,7 +638,6 @@ struct proc_dir_entry *proc_create_seq_p
+       p->proc_ops = &proc_seq_ops;
+       p->seq_ops = ops;
+       p->state_size = state_size;
+-      pde_set_flags(p);
+       return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_seq_private);
+@@ -663,7 +668,6 @@ struct proc_dir_entry *proc_create_singl
+               return NULL;
+       p->proc_ops = &proc_single_ops;
+       p->single_show = show;
+-      pde_set_flags(p);
+       return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_single_data);
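Review bot: pde_set_flags() is now called only from proc_register(), yet nothing states the invariant the fix depends on: `->proc_ops` has to be assigned before proc_register() runs, otherwise the cached flags are silently left clear. A header comment on the moved function such as `/* Cache proc_ops flags in the PDE so later checks need not dereference ->proc_ops; ->proc_ops must be set before proc_register(). */` would document that. The same comment could say that the `!proc_ops` return covers entries registered without proc_ops, which the commit message implies but the hunk does not show. proc_register() continues outside the hunk.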
diff --git a/queue-6.12/sched-fix-sched_numa_find_nth_cpu-if-mask-offline.patch b/queue-6.12/sched-fix-sched_numa_find_nth_cpu-if-mask-offline.patch
new file mode 100644 (file)
index 0000000..962211e
--- /dev/null
@@ -0,0 +1,110 @@
+From 5ebf512f335053a42482ebff91e46c6dc156bf8c Mon Sep 17 00:00:00 2001
+From: Christian Loehle <christian.loehle@arm.com>
+Date: Wed, 3 Sep 2025 16:48:32 +0100
+Subject: sched: Fix sched_numa_find_nth_cpu() if mask offline
+
+From: Christian Loehle <christian.loehle@arm.com>
+
+commit 5ebf512f335053a42482ebff91e46c6dc156bf8c upstream.
+
+sched_numa_find_nth_cpu() uses a bsearch to look for the 'closest'
+CPU in sched_domains_numa_masks and given cpus mask. However they
+might not intersect if all CPUs in the cpus mask are offline. bsearch
+will return NULL in that case, bail out instead of dereferencing a
+bogus pointer.
+
+The previous behaviour lead to this bug when using maxcpus=4 on an
+rk3399 (LLLLbb) (i.e. booting with all big CPUs offline):
+
+[    1.422922] Unable to handle kernel paging request at virtual address ffffff8000000000
+[    1.423635] Mem abort info:
+[    1.423889]   ESR = 0x0000000096000006
+[    1.424227]   EC = 0x25: DABT (current EL), IL = 32 bits
+[    1.424715]   SET = 0, FnV = 0
+[    1.424995]   EA = 0, S1PTW = 0
+[    1.425279]   FSC = 0x06: level 2 translation fault
+[    1.425735] Data abort info:
+[    1.425998]   ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
+[    1.426499]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+[    1.426952]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+[    1.427428] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000004a9f000
+[    1.428038] [ffffff8000000000] pgd=18000000f7fff403, p4d=18000000f7fff403, pud=18000000f7fff403, pmd=0000000000000000
+[    1.429014] Internal error: Oops: 0000000096000006 [#1]  SMP
+[    1.429525] Modules linked in:
+[    1.429813] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc4-dirty #343 PREEMPT
+[    1.430559] Hardware name: Pine64 RockPro64 v2.1 (DT)
+[    1.431012] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[    1.431634] pc : sched_numa_find_nth_cpu+0x2a0/0x488
+[    1.432094] lr : sched_numa_find_nth_cpu+0x284/0x488
+[    1.432543] sp : ffffffc084e1b960
+[    1.432843] x29: ffffffc084e1b960 x28: ffffff80078a8800 x27: ffffffc0846eb1d0
+[    1.433495] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
+[    1.434144] x23: 0000000000000000 x22: fffffffffff7f093 x21: ffffffc081de6378
+[    1.434792] x20: 0000000000000000 x19: 0000000ffff7f093 x18: 00000000ffffffff
+[    1.435441] x17: 3030303866666666 x16: 66663d736b73616d x15: ffffffc104e1b5b7
+[    1.436091] x14: 0000000000000000 x13: ffffffc084712860 x12: 0000000000000372
+[    1.436739] x11: 0000000000000126 x10: ffffffc08476a860 x9 : ffffffc084712860
+[    1.437389] x8 : 00000000ffffefff x7 : ffffffc08476a860 x6 : 0000000000000000
+[    1.438036] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000
+[    1.438683] x2 : 0000000000000000 x1 : ffffffc0846eb000 x0 : ffffff8000407b68
+[    1.439332] Call trace:
+[    1.439559]  sched_numa_find_nth_cpu+0x2a0/0x488 (P)
+[    1.440016]  smp_call_function_any+0xc8/0xd0
+[    1.440416]  armv8_pmu_init+0x58/0x27c
+[    1.440770]  armv8_cortex_a72_pmu_init+0x20/0x2c
+[    1.441199]  arm_pmu_device_probe+0x1e4/0x5e8
+[    1.441603]  armv8_pmu_device_probe+0x1c/0x28
+[    1.442007]  platform_probe+0x5c/0xac
+[    1.442347]  really_probe+0xbc/0x298
+[    1.442683]  __driver_probe_device+0x78/0x12c
+[    1.443087]  driver_probe_device+0xdc/0x160
+[    1.443475]  __driver_attach+0x94/0x19c
+[    1.443833]  bus_for_each_dev+0x74/0xd4
+[    1.444190]  driver_attach+0x24/0x30
+[    1.444525]  bus_add_driver+0xe4/0x208
+[    1.444874]  driver_register+0x60/0x128
+[    1.445233]  __platform_driver_register+0x24/0x30
+[    1.445662]  armv8_pmu_driver_init+0x28/0x4c
+[    1.446059]  do_one_initcall+0x44/0x25c
+[    1.446416]  kernel_init_freeable+0x1dc/0x3bc
+[    1.446820]  kernel_init+0x20/0x1d8
+[    1.447151]  ret_from_fork+0x10/0x20
+[    1.447493] Code: 90022e21 f000e5f5 910de2b5 2a1703e2 (f8767803)
+[    1.448040] ---[ end trace 0000000000000000 ]---
+[    1.448483] note: swapper/0[1] exited with preempt_count 1
+[    1.449047] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
+[    1.449741] SMP: stopping secondary CPUs
+[    1.450105] Kernel Offset: disabled
+[    1.450419] CPU features: 0x000000,00080000,20002001,0400421b
+[    1.450935] Memory Limit: none
+[    1.451217] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---
+
+Yury: with the fix, the function returns cpu == nr_cpu_ids, and later in
+
+       smp_call_function_any ->
+         smp_call_function_single ->
+            generic_exec_single
+
+we test the cpu for '>= nr_cpu_ids' and return -ENXIO. So everything is
+handled correctly.
+
+Fixes: cd7f55359c90 ("sched: add sched_numa_find_nth_cpu()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Loehle <christian.loehle@arm.com>
+Signed-off-by: Yury Norov (NVIDIA) <yury.norov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/topology.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/sched/topology.c
++++ b/kernel/sched/topology.c
+@@ -2174,6 +2174,8 @@ int sched_numa_find_nth_cpu(const struct
+               goto unlock;
+       hop_masks = bsearch(&k, k.masks, sched_domains_numa_levels, sizeof(k.masks[0]), hop_cmp);
++      if (!hop_masks)
++              goto unlock;
+       hop = hop_masks - k.masks;
+       ret = hop ?
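Review bot: The new `if (!hop_masks) goto unlock;` relies on `ret` already holding the not-found value when it jumps, and that initialisation is outside the hunk, so the check on its own reads as if it could return an unset result. A comment on the check, for example `/* no hop mask intersects cpus (e.g. all of them offline): leave ret as initialised */`, would tie it to the commit message's statement that the function then returns nr_cpu_ids. sched_numa_find_nth_cpu() begins and ends outside the hunk.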
diff --git a/queue-6.12/scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch b/queue-6.12/scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch
new file mode 100644 (file)
index 0000000..88c5bfb
--- /dev/null
@@ -0,0 +1,70 @@
+From 9dba9a45c348e8460da97c450cddf70b2056deb3 Mon Sep 17 00:00:00 2001
+From: John Evans <evans1210144@gmail.com>
+Date: Thu, 28 Aug 2025 12:40:08 +0800
+Subject: scsi: lpfc: Fix buffer free/clear order in deferred receive path
+
+From: John Evans <evans1210144@gmail.com>
+
+commit 9dba9a45c348e8460da97c450cddf70b2056deb3 upstream.
+
+Fix a use-after-free window by correcting the buffer release sequence in
+the deferred receive path. The code freed the RQ buffer first and only
+then cleared the context pointer under the lock. Concurrent paths (e.g.,
+ABTS and the repost path) also inspect and release the same pointer under
+the lock, so the old order could lead to double-free/UAF.
+
+Note that the repost path already uses the correct pattern: detach the
+pointer under the lock, then free it after dropping the lock. The
+deferred path should do the same.
+
+Fixes: 472e146d1cf3 ("scsi: lpfc: Correct upcalling nvmet_fc transport during io done downcall")
+Cc: stable@vger.kernel.org
+Signed-off-by: John Evans <evans1210144@gmail.com>
+Link: https://lore.kernel.org/r/20250828044008.743-1-evans1210144@gmail.com
+Reviewed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_nvmet.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_nvmet.c
++++ b/drivers/scsi/lpfc/lpfc_nvmet.c
+@@ -1243,7 +1243,7 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_tar
+       struct lpfc_nvmet_tgtport *tgtp;
+       struct lpfc_async_xchg_ctx *ctxp =
+               container_of(rsp, struct lpfc_async_xchg_ctx, hdlrctx.fcp_req);
+-      struct rqb_dmabuf *nvmebuf = ctxp->rqb_buffer;
++      struct rqb_dmabuf *nvmebuf;
+       struct lpfc_hba *phba = ctxp->phba;
+       unsigned long iflag;
+@@ -1251,13 +1251,18 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_tar
+       lpfc_nvmeio_data(phba, "NVMET DEFERRCV: xri x%x sz %d CPU %02x\n",
+                        ctxp->oxid, ctxp->size, raw_smp_processor_id());
++      spin_lock_irqsave(&ctxp->ctxlock, iflag);
++      nvmebuf = ctxp->rqb_buffer;
+       if (!nvmebuf) {
++              spin_unlock_irqrestore(&ctxp->ctxlock, iflag);
+               lpfc_printf_log(phba, KERN_INFO, LOG_NVME_IOERR,
+                               "6425 Defer rcv: no buffer oxid x%x: "
+                               "flg %x ste %x\n",
+                               ctxp->oxid, ctxp->flag, ctxp->state);
+               return;
+       }
++      ctxp->rqb_buffer = NULL;
++      spin_unlock_irqrestore(&ctxp->ctxlock, iflag);
+       tgtp = phba->targetport->private;
+       if (tgtp)
+@@ -1265,9 +1270,6 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_tar
+       /* Free the nvmebuf since a new buffer already replaced it */
+       nvmebuf->hrq->rqbp->rqb_free_buffer(phba, nvmebuf);
+-      spin_lock_irqsave(&ctxp->ctxlock, iflag);
+-      ctxp->rqb_buffer = NULL;
+-      spin_unlock_irqrestore(&ctxp->ctxlock, iflag);
+ }
+ /**
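Review bot: The detach added to lpfc_nvmet_defer_rcv() carries no comment stating the ownership rule it implements, and the existing "Free the nvmebuf" comment does not say that `ctxp->rqb_buffer` has already been cleared by then. Something like `/* take ownership of rqb_buffer under ctxlock; it is freed below, after the lock is dropped */` above `nvmebuf = ctxp->rqb_buffer;` would keep a later edit from moving the free back in front of the clear. In the `!nvmebuf` branch the lock is released before lpfc_printf_log() reads `ctxp->flag` and `ctxp->state`, so the logged values may not match the state that was tested; that affects diagnostics only.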
index 10257152797abb7bdc106d7cc5cda55f88ddb7c8..8e072d8a0d088989c658c27555c73454de69ae2b 100644 (file)
@@ -99,3 +99,24 @@ mm-userfaultfd-fix-kmap_local-lifo-ordering-for-config_highpte.patch
 mm-move-page-table-sync-declarations-to-linux-pgtable.h.patch
 mm-fix-possible-deadlock-in-kmemleak.patch
 mm-slub-avoid-wake-up-kswapd-in-set_track_prepare.patch
+sched-fix-sched_numa_find_nth_cpu-if-mask-offline.patch
+kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch
+ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch
+proc-fix-missing-pde_set_flags-for-net-proc-files.patch
+of_numa-fix-uninitialized-memory-nodes-causing-kernel-panic.patch
+soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch
+wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch
+wifi-mt76-mt7925u-use-connac3-tx-aggr-check-in-tx-complete.patch
+wifi-mt76-mt7996-initialize-hdr-before-passing-to-skb_put_data.patch
+wifi-mt76-mt7925-fix-the-wrong-bss-cleanup-for-sap.patch
+net-ethernet-oa_tc6-handle-failure-of-spi_setup.patch
+drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch
+drm-amd-display-clear-the-cur_enable-register-on-dcn314-w-out-dpp-pg.patch
+platform-x86-amd-pmc-add-tuxedo-ib-pro-gen10-amd-to-spurious-8042-quirks-list.patch
+scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch
+batman-adv-fix-oob-read-write-in-network-coding-decode.patch
+cifs-prevent-null-pointer-dereference-in-utf16-conversion.patch
+e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch
+net-pcs-rzn1-miic-correct-modctrl-register-offset.patch
+microchip-lan865x-fix-module-autoloading.patch
+microchip-lan865x-fix-lan8651-autoloading.patch
diff --git a/queue-6.12/soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch b/queue-6.12/soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch
new file mode 100644 (file)
index 0000000..0d29dde
--- /dev/null
@@ -0,0 +1,55 @@
+From 25daf9af0ac1bf12490b723b5efaf8dcc85980bc Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Date: Wed, 30 Jul 2025 15:51:51 -0500
+Subject: soc: qcom: mdt_loader: Deal with zero e_shentsize
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+commit 25daf9af0ac1bf12490b723b5efaf8dcc85980bc upstream.
+
+Firmware that doesn't provide section headers leave both e_shentsize and
+e_shnum 0, which obvious isn't compatible with the newly introduced
+stricter checks.
+
+Make the section-related checks conditional on either of these values
+being non-zero.
+
+Fixes: 9f9967fed9d0 ("soc: qcom: mdt_loader: Ensure we don't read past the ELF header")
+Reported-by: Val Packett <val@packett.cool>
+Closes: https://lore.kernel.org/all/ece307c3-7d65-440f-babd-88cf9705b908@packett.cool/
+Reported-by: Neil Armstrong <neil.armstrong@linaro.org>
+Closes: https://lore.kernel.org/all/aec9cd03-6fc2-4dc8-b937-8b7cf7bf4128@linaro.org/
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Fixes: 9f35ab0e53cc ("soc: qcom: mdt_loader: Fix error return values in mdt_header_valid()")
+Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-QRD
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250730-mdt-loader-shentsize-zero-v1-1-04f43186229c@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/mdt_loader.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/soc/qcom/mdt_loader.c
++++ b/drivers/soc/qcom/mdt_loader.c
+@@ -39,12 +39,14 @@ static bool mdt_header_valid(const struc
+       if (phend > fw->size)
+               return false;
+-      if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
+-              return false;
++      if (ehdr->e_shentsize || ehdr->e_shnum) {
++              if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
++                      return false;
+-      shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
+-      if (shend > fw->size)
+-              return false;
++              shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
++              if (shend > fw->size)
++                      return false;
++      }
+       return true;
+ }
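Review bot: The new `if (ehdr->e_shentsize || ehdr->e_shnum)` guard in mdt_header_valid() skips both section checks when the two fields are zero, and nothing in the code says that this is deliberate. A comment above it such as `/* firmware without section headers leaves e_shentsize and e_shnum at 0; validate the table only when one is described */` would keep a later reader from tightening or dropping the guard. With the guard, `e_shoff` is no longer range-checked for such images, so any code that walks section headers should treat `e_shnum == 0` as "no table"; whether such code exists is not visible here. The start of mdt_header_valid() is outside the hunk.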
diff --git a/queue-6.12/wifi-mt76-mt7925-fix-the-wrong-bss-cleanup-for-sap.patch b/queue-6.12/wifi-mt76-mt7925-fix-the-wrong-bss-cleanup-for-sap.patch
new file mode 100644 (file)
index 0000000..fa2e086
--- /dev/null
@@ -0,0 +1,34 @@
+From 55424e7b9eeb141d9c8d8a8740ee131c28490425 Mon Sep 17 00:00:00 2001
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Date: Mon, 28 Jul 2025 13:26:12 +0800
+Subject: wifi: mt76: mt7925: fix the wrong bss cleanup for SAP
+
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+
+commit 55424e7b9eeb141d9c8d8a8740ee131c28490425 upstream.
+
+When in SAP mode, if a STA disconnect, the SAP's BSS
+should not be cleared.
+
+Fixes: 0ebb60da8416 ("wifi: mt76: mt7925: adjust rm BSS flow to prevent next connection failure")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Link: https://patch.msgid.link/20250728052612.39751-1-mingyen.hsieh@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/main.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+@@ -1187,6 +1187,9 @@ mt7925_mac_sta_remove_links(struct mt792
+               struct mt792x_bss_conf *mconf;
+               struct mt792x_link_sta *mlink;
++              if (vif->type == NL80211_IFTYPE_AP)
++                      break;
++
+               link_sta = mt792x_sta_to_link_sta(vif, sta, link_id);
+               if (!link_sta)
+                       continue;
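Review bot: The `vif->type == NL80211_IFTYPE_AP` test added inside the loop of mt7925_mac_sta_remove_links() does not depend on any per-link variable, so it is evaluated on the first iteration only to `break`; testing it once before the loop would state the intent more directly. It also lacks a comment, and `/* SAP: a station leaving must not clear the AP's own BSS */` would record the reason given in the commit message. The `break` skips the whole loop body for AP interfaces, including any per-link station cleanup further down that the hunk does not show, so it is worth confirming that only the BSS removal was meant to be skipped. The function begins and ends outside the hunk.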
diff --git a/queue-6.12/wifi-mt76-mt7925u-use-connac3-tx-aggr-check-in-tx-complete.patch b/queue-6.12/wifi-mt76-mt7925u-use-connac3-tx-aggr-check-in-tx-complete.patch
new file mode 100644 (file)
index 0000000..675cbb9
--- /dev/null
@@ -0,0 +1,37 @@
+From c22769de25095c6777e8acb68a1349a3257fc955 Mon Sep 17 00:00:00 2001
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Date: Mon, 18 Aug 2025 10:02:03 +0800
+Subject: wifi: mt76: mt7925u: use connac3 tx aggr check in tx complete
+
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+
+commit c22769de25095c6777e8acb68a1349a3257fc955 upstream.
+
+MT7925 is a connac3 device; using the connac2 helper mis-parses
+TXWI and breaks AMPDU/BA accounting. Use the connac3-specific
+helper mt7925_tx_check_aggr() instead,
+
+Cc: stable@vger.kernel.org
+Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
+Reported-by: Nick Morrow <morrownr@gmail.com>
+Tested-by: Nick Morrow <morrownr@gmail.com>
+Tested-on: Netgear A9000 USB WiFi adapter
+Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Link: https://patch.msgid.link/20250818020203.992338-1-mingyen.hsieh@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/mac.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
+@@ -1459,7 +1459,7 @@ void mt7925_usb_sdio_tx_complete_skb(str
+       sta = wcid_to_sta(wcid);
+       if (sta && likely(e->skb->protocol != cpu_to_be16(ETH_P_PAE)))
+-              mt76_connac2_tx_check_aggr(sta, txwi);
++              mt7925_tx_check_aggr(sta, e->skb, wcid);
+       skb_pull(e->skb, headroom);
+       mt76_tx_complete_skb(mdev, e->wcid, e->skb);
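Review bot: `mt7925_tx_check_aggr(sta, e->skb, wcid)` is called before `skb_pull(e->skb, headroom)`, so `e->skb->data` still includes the `headroom` bytes at the front of the buffer at that point. The helper's body is not part of this hunk. If it reads the frame header through `skb->data`, it would be interpreting those leading bytes instead, so this ordering should be confirmed against the helper. If that is the case, the call belongs after the `skb_pull()` line. Otherwise a short comment such as `/* uses skb metadata only, safe before skb_pull() */` would record why the order is fine. mt7925_usb_sdio_tx_complete_skb() begins above the hunk.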
diff --git a/queue-6.12/wifi-mt76-mt7996-initialize-hdr-before-passing-to-skb_put_data.patch b/queue-6.12/wifi-mt76-mt7996-initialize-hdr-before-passing-to-skb_put_data.patch
new file mode 100644 (file)
index 0000000..111d5a6
--- /dev/null
@@ -0,0 +1,55 @@
+From 87b07a1fbc6b5c23d3b3584ab4288bc9106d3274 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Tue, 15 Jul 2025 15:33:25 -0700
+Subject: wifi: mt76: mt7996: Initialize hdr before passing to skb_put_data()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 87b07a1fbc6b5c23d3b3584ab4288bc9106d3274 upstream.
+
+A new warning in clang [1] points out a couple of places where a hdr
+variable is not initialized then passed along to skb_put_data().
+
+  drivers/net/wireless/mediatek/mt76/mt7996/mcu.c:1894:21: warning: variable 'hdr' is uninitialized when passed as a const pointer argument here [-Wuninitialized-const-pointer]
+   1894 |         skb_put_data(skb, &hdr, sizeof(hdr));
+        |                            ^~~
+  drivers/net/wireless/mediatek/mt76/mt7996/mcu.c:3386:21: warning: variable 'hdr' is uninitialized when passed as a const pointer argument here [-Wuninitialized-const-pointer]
+   3386 |         skb_put_data(skb, &hdr, sizeof(hdr));
+        |                            ^~~
+
+Zero initialize these headers as done in other places in the driver when
+there is nothing stored in the header.
+
+Cc: stable@vger.kernel.org
+Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
+Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d441f19b319e [1]
+Closes: https://github.com/ClangBuiltLinux/linux/issues/2104
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://patch.msgid.link/20250715-mt7996-fix-uninit-const-pointer-v1-1-b5d8d11d7b78@kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/mcu.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+@@ -1834,8 +1834,8 @@ mt7996_mcu_get_mmps_mode(enum ieee80211_
+ int mt7996_mcu_set_fixed_rate_ctrl(struct mt7996_dev *dev,
+                                  void *data, u16 version)
+ {
++      struct uni_header hdr = {};
+       struct ra_fixed_rate *req;
+-      struct uni_header hdr;
+       struct sk_buff *skb;
+       struct tlv *tlv;
+       int len;
+@@ -3115,7 +3115,7 @@ int mt7996_mcu_set_hdr_trans(struct mt79
+ {
+       struct {
+               u8 __rsv[4];
+-      } __packed hdr;
++      } __packed hdr = {};
+       struct hdr_trans_blacklist *req_blacklist;
+       struct hdr_trans_en *req_en;
+       struct sk_buff *skb;
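Review bot: Both `hdr = {}` initialisers exist because all `sizeof(hdr)` bytes are later copied into the skb by skb_put_data(), but nothing at the declarations says so, and a later cleanup could drop the initialiser as redundant. A comment on each, for example `/* copied verbatim into the skb; must be fully zeroed */`, would keep that from regressing. The anonymous struct in mt7996_mcu_set_hdr_trans() is `__packed` with a single `u8 __rsv[4]`, so it has no padding. The layout of `struct uni_header` is not visible here, so confirm it has no padding bytes that an empty initialiser might leave indeterminate. Both function bodies continue outside their hunks.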
diff --git a/queue-6.12/wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch b/queue-6.12/wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch
new file mode 100644 (file)
index 0000000..5a13ff8
--- /dev/null
@@ -0,0 +1,70 @@
+From 0e20450829ca3c1dbc2db536391537c57a40fe0b Mon Sep 17 00:00:00 2001
+From: Qianfeng Rong <rongqianfeng@vivo.com>
+Date: Fri, 15 Aug 2025 10:30:50 +0800
+Subject: wifi: mwifiex: Initialize the chan_stats array to zero
+
+From: Qianfeng Rong <rongqianfeng@vivo.com>
+
+commit 0e20450829ca3c1dbc2db536391537c57a40fe0b upstream.
+
+The adapter->chan_stats[] array is initialized in
+mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out
+memory.  The array is filled in mwifiex_update_chan_statistics()
+and then the user can query the data in mwifiex_cfg80211_dump_survey().
+
+There are two potential issues here.  What if the user calls
+mwifiex_cfg80211_dump_survey() before the data has been filled in.
+Also the mwifiex_update_chan_statistics() function doesn't necessarily
+initialize the whole array.  Since the array was not initialized at
+the start that could result in an information leak.
+
+Also this array is pretty small.  It's a maximum of 900 bytes so it's
+more appropriate to use kcalloc() instead vmalloc().
+
+Cc: stable@vger.kernel.org
+Fixes: bf35443314ac ("mwifiex: channel statistics support for mwifiex")
+Suggested-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/20250815023055.477719-1-rongqianfeng@vivo.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/marvell/mwifiex/cfg80211.c |    5 +++--
+ drivers/net/wireless/marvell/mwifiex/main.c     |    4 ++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+@@ -4680,8 +4680,9 @@ int mwifiex_init_channel_scan_gap(struct
+        * additional active scan request for hidden SSIDs on passive channels.
+        */
+       adapter->num_in_chan_stats = 2 * (n_channels_bg + n_channels_a);
+-      adapter->chan_stats = vmalloc(array_size(sizeof(*adapter->chan_stats),
+-                                               adapter->num_in_chan_stats));
++      adapter->chan_stats = kcalloc(adapter->num_in_chan_stats,
++                                    sizeof(*adapter->chan_stats),
++                                    GFP_KERNEL);
+       if (!adapter->chan_stats)
+               return -ENOMEM;
+--- a/drivers/net/wireless/marvell/mwifiex/main.c
++++ b/drivers/net/wireless/marvell/mwifiex/main.c
+@@ -667,7 +667,7 @@ static int _mwifiex_fw_dpc(const struct
+       goto done;
+ err_add_intf:
+-      vfree(adapter->chan_stats);
++      kfree(adapter->chan_stats);
+ err_init_chan_scan:
+       wiphy_unregister(adapter->wiphy);
+       wiphy_free(adapter->wiphy);
+@@ -1515,7 +1515,7 @@ static void mwifiex_uninit_sw(struct mwi
+       wiphy_free(adapter->wiphy);
+       adapter->wiphy = NULL;
+-      vfree(adapter->chan_stats);
++      kfree(adapter->chan_stats);
+       mwifiex_free_cmd_buffers(adapter);
+ }
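Review bot: In mwifiex_uninit_sw() the lines above clear `adapter->wiphy` after freeing it, but `adapter->chan_stats` keeps its stale value after the new `kfree()`, and the same holds at `err_add_intf` in _mwifiex_fw_dpc(). Adding `adapter->chan_stats = NULL;` after each `kfree(adapter->chan_stats);` would match the wiphy handling and make a second teardown pass harmless. Because the allocation moved from vmalloc() to kcalloc(), any free site still calling `vfree()` on this pointer would now be mismatched. Only two sites are converted in these hunks, so a search of the driver for other frees of `chan_stats` should be part of the backport check. Both functions extend beyond the hunks shown.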