--- /dev/null
+From 0a120d96166301d7a95be75b52f843837dbd1219 Mon Sep 17 00:00:00 2001
+From: Siwei Zhang <oss@fourdim.xyz>
+Date: Wed, 15 Apr 2026 16:49:59 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
+
+From: Siwei Zhang <oss@fourdim.xyz>
+
+commit 0a120d96166301d7a95be75b52f843837dbd1219 upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 80808e431e1e ("Bluetooth: Add l2cap_chan_ops abstraction")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1455,6 +1455,9 @@ static struct l2cap_chan *l2cap_sock_new
+ {
+ struct sock *sk, *parent = chan->data;
+
++ if (!parent)
++ return NULL;
++
+ lock_sock(parent);
+
+ /* Check for backlog size */
--- /dev/null
+From 2ff1a41a912de8517b4482e946dd951b7d80edbf Mon Sep 17 00:00:00 2001
+From: Siwei Zhang <oss@fourdim.xyz>
+Date: Wed, 15 Apr 2026 16:51:36 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
+
+From: Siwei Zhang <oss@fourdim.xyz>
+
+commit 2ff1a41a912de8517b4482e946dd951b7d80edbf upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 89bc500e41fc ("Bluetooth: Add state tracking to struct l2cap_chan")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1599,6 +1599,9 @@ static void l2cap_sock_state_change_cb(s
+ {
+ struct sock *sk = chan->data;
+
++ if (!sk)
++ return;
++
+ sk->sk_state = state;
+
+ if (err)
--- /dev/null
+From bc0fcb9823cd0894934cf968b525c575833d7078 Mon Sep 17 00:00:00 2001
+From: Yilin Zhu <zylzyl2333@gmail.com>
+Date: Sun, 12 Apr 2026 13:07:54 +0800
+Subject: ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
+
+From: Yilin Zhu <zylzyl2333@gmail.com>
+
+commit bc0fcb9823cd0894934cf968b525c575833d7078 upstream.
+
+xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not
+already have a dst attached. ip6_route_input_lookup() returns a
+referenced dst entry even when the lookup resolves to an error route.
+
+If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching
+the dst to the skb and without releasing the reference returned by the
+lookup. Repeated packets hitting this path therefore leak dst entries.
+
+Release the dst before jumping to the drop path.
+
+Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
+Cc: stable@kernel.org
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ruide Cao <caoruide123@gmail.com>
+Signed-off-by: Yilin Zhu <zylzyl2333@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/xfrm6_protocol.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/xfrm6_protocol.c
++++ b/net/ipv6/xfrm6_protocol.c
+@@ -88,8 +88,10 @@ int xfrm6_rcv_encap(struct sk_buff *skb,
+
+ dst = ip6_route_input_lookup(dev_net(skb->dev), skb->dev, &fl6,
+ skb, flags);
+- if (dst->error)
++ if (dst->error) {
++ dst_release(dst);
+ goto drop;
++ }
+ skb_dst_set(skb, dst);
+ }
+
usb-serial-option-add-telit-cinterion-le910cx-compositions.patch
usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch
alsa-firewire-tascam-do-not-drop-unread-control-events.patch
+xfrm-provide-message-size-for-xfrm_msg_mapping.patch
+ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch
+spi-zynqmp-gqspi-fix-controller-deregistration.patch
--- /dev/null
+From 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:55 +0200
+Subject: spi: zynqmp-gqspi: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks during driver unbind.
+
+Fixes: dfe11a11d523 ("spi: Add support for Zynq Ultrascale+ MPSoC GQSPI controller")
+Cc: stable@vger.kernel.org # 4.2: 64640f6c972e
+Cc: stable@vger.kernel.org # 4.2
+Cc: Ranjit Waghmode <ranjit.waghmode@xilinx.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-26-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-zynqmp-gqspi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-zynqmp-gqspi.c
++++ b/drivers/spi/spi-zynqmp-gqspi.c
+@@ -1175,7 +1175,7 @@ static int zynqmp_qspi_probe(struct plat
+ SPI_TX_DUAL | SPI_TX_QUAD;
+ ctlr->dev.of_node = np;
+
+- ret = devm_spi_register_controller(&pdev->dev, ctlr);
++ ret = spi_register_controller(ctlr);
+ if (ret) {
+ dev_err(&pdev->dev, "spi_register_controller failed\n");
+ goto clk_dis_all;
+@@ -1209,6 +1209,8 @@ static int zynqmp_qspi_remove(struct pla
+ {
+ struct zynqmp_qspi *xqspi = platform_get_drvdata(pdev);
+
++ spi_unregister_controller(xqspi->ctlr);
++
+ zynqmp_gqspi_write(xqspi, GQSPI_EN_OFST, 0x0);
+ clk_disable_unprepare(xqspi->refclk);
+ clk_disable_unprepare(xqspi->pclk);
--- /dev/null
+From 28465227c80fe417b4013c432be1f3737cb9f9a3 Mon Sep 17 00:00:00 2001
+From: Ruijie Li <ruijieli51@gmail.com>
+Date: Wed, 29 Apr 2026 00:41:43 +0800
+Subject: xfrm: provide message size for XFRM_MSG_MAPPING
+
+From: Ruijie Li <ruijieli51@gmail.com>
+
+commit 28465227c80fe417b4013c432be1f3737cb9f9a3 upstream.
+
+The compat 64=>32 translation path handles XFRM_MSG_MAPPING, but
+xfrm_msg_min[] does not provide the native payload size for this
+message type.
+
+Add the missing XFRM_MSG_MAPPING entry so compat translation can size
+and translate mapping notifications correctly.
+
+Fixes: 5461fc0c8d9f ("xfrm/compat: Add 64=>32-bit messages translator")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Ruijie Li <ruijieli51@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -2727,6 +2727,7 @@ const int xfrm_msg_min[XFRM_NR_MSGTYPES]
+ [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = sizeof(u32),
+ [XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
+ [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
++ [XFRM_MSG_MAPPING - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_mapping),
+ [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
+ [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
+ };
projects / thirdparty / kernel / stable-queue.git / commitdiff
