--- /dev/null
+From af0db3c1f898144846d4c172531a199bb3ca375d Mon Sep 17 00:00:00 2001
+From: Sravan Kumar Gundu <sravankumarlpu@gmail.com>
+Date: Thu, 31 Jul 2025 15:36:18 -0500
+Subject: fbdev: Fix vmalloc out-of-bounds write in fast_imageblit
+
+From: Sravan Kumar Gundu <sravankumarlpu@gmail.com>
+
+commit af0db3c1f898144846d4c172531a199bb3ca375d upstream.
+
+This issue triggers when a userspace program does an ioctl
+FBIOPUT_CON2FBMAP by passing console number and frame buffer number.
+Ideally this maps console to frame buffer and updates the screen if
+console is visible.
+
+As part of mapping it has to do resize of console according to frame
+buffer info. if this resize fails and returns from vc_do_resize() and
+continues further. At this point console and new frame buffer are mapped
+and sets display vars. Despite failure still it continue to proceed
+updating the screen at later stages where vc_data is related to previous
+frame buffer and frame buffer info and display vars are mapped to new
+frame buffer and eventully leading to out-of-bounds write in
+fast_imageblit(). This bheviour is excepted only when fg_console is
+equal to requested console which is a visible console and updates screen
+with invalid struct references in fbcon_putcs().
+
+Reported-and-tested-by: syzbot+c4b7aa0513823e2ea880@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c4b7aa0513823e2ea880
+Signed-off-by: Sravan Kumar Gundu <sravankumarlpu@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/fbcon.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/video/fbdev/core/fbcon.c
++++ b/drivers/video/fbdev/core/fbcon.c
+@@ -808,7 +808,8 @@ static void con2fb_init_display(struct v
+ fg_vc->vc_rows);
+ }
+
+- update_screen(vc_cons[fg_console].d);
++ if (fg_console != unit)
++ update_screen(vc_cons[fg_console].d);
+ }
+
+ /**
+@@ -1353,6 +1354,7 @@ static void fbcon_set_disp(struct fb_inf
+ struct vc_data *svc;
+ struct fbcon_ops *ops = info->fbcon_par;
+ int rows, cols;
++ unsigned long ret = 0;
+
+ p = &fb_display[unit];
+
+@@ -1403,11 +1405,10 @@ static void fbcon_set_disp(struct fb_inf
+ rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
+ cols /= vc->vc_font.width;
+ rows /= vc->vc_font.height;
+- vc_resize(vc, cols, rows);
++ ret = vc_resize(vc, cols, rows);
+
+- if (con_is_visible(vc)) {
++ if (con_is_visible(vc) && !ret)
+ update_screen(vc);
+- }
+ }
+
+ static __inline__ void ywrap_up(struct vc_data *vc, int count)
--- /dev/null
+From 33caa208dba6fa639e8a92fd0c8320b652e5550c Mon Sep 17 00:00:00 2001
+From: Haiyang Zhang <haiyangz@microsoft.com>
+Date: Wed, 6 Aug 2025 13:21:51 -0700
+Subject: hv_netvsc: Fix panic during namespace deletion with VF
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+commit 33caa208dba6fa639e8a92fd0c8320b652e5550c upstream.
+
+The existing code move the VF NIC to new namespace when NETDEV_REGISTER is
+received on netvsc NIC. During deletion of the namespace,
+default_device_exit_batch() >> default_device_exit_net() is called. When
+netvsc NIC is moved back and registered to the default namespace, it
+automatically brings VF NIC back to the default namespace. This will cause
+the default_device_exit_net() >> for_each_netdev_safe loop unable to detect
+the list end, and hit NULL ptr:
+
+[ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0
+[ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010
+[ 231.450246] #PF: supervisor read access in kernel mode
+[ 231.450579] #PF: error_code(0x0000) - not-present page
+[ 231.450916] PGD 17b8a8067 P4D 0
+[ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI
+[ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY
+[ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024
+[ 231.452692] Workqueue: netns cleanup_net
+[ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0
+[ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00
+[ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246
+[ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb
+[ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564
+[ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000
+[ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340
+[ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340
+[ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000
+[ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0
+[ 231.458434] Call Trace:
+[ 231.458600] <TASK>
+[ 231.458777] ops_undo_list+0x100/0x220
+[ 231.459015] cleanup_net+0x1b8/0x300
+[ 231.459285] process_one_work+0x184/0x340
+
+To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid
+changing the netdev list when default_device_exit_net() is using it.
+
+Cc: stable@vger.kernel.org
+Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event")
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Link: https://patch.msgid.link/1754511711-11188-1-git-send-email-haiyangz@linux.microsoft.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/hyperv_net.h | 3 +++
+ drivers/net/hyperv/netvsc_drv.c | 29 ++++++++++++++++++++++++++++-
+ 2 files changed, 31 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/hyperv/hyperv_net.h
++++ b/drivers/net/hyperv/hyperv_net.h
+@@ -1057,6 +1057,7 @@ struct net_device_context {
+ struct net_device __rcu *vf_netdev;
+ struct netvsc_vf_pcpu_stats __percpu *vf_stats;
+ struct delayed_work vf_takeover;
++ struct delayed_work vfns_work;
+
+ /* 1: allocated, serial number is valid. 0: not allocated */
+ u32 vf_alloc;
+@@ -1071,6 +1072,8 @@ struct net_device_context {
+ struct netvsc_device_info *saved_netvsc_dev_info;
+ };
+
++void netvsc_vfns_work(struct work_struct *w);
++
+ /* Azure hosts don't support non-TCP port numbers in hashing for fragmented
+ * packets. We can use ethtool to change UDP hash level when necessary.
+ */
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -2508,6 +2508,7 @@ static int netvsc_probe(struct hv_device
+ spin_lock_init(&net_device_ctx->lock);
+ INIT_LIST_HEAD(&net_device_ctx->reconfig_events);
+ INIT_DELAYED_WORK(&net_device_ctx->vf_takeover, netvsc_vf_setup);
++ INIT_DELAYED_WORK(&net_device_ctx->vfns_work, netvsc_vfns_work);
+
+ net_device_ctx->vf_stats
+ = netdev_alloc_pcpu_stats(struct netvsc_vf_pcpu_stats);
+@@ -2647,6 +2648,8 @@ static int netvsc_remove(struct hv_devic
+ cancel_delayed_work_sync(&ndev_ctx->dwork);
+
+ rtnl_lock();
++ cancel_delayed_work_sync(&ndev_ctx->vfns_work);
++
+ nvdev = rtnl_dereference(ndev_ctx->nvdev);
+ if (nvdev) {
+ cancel_work_sync(&nvdev->subchan_work);
+@@ -2689,6 +2692,7 @@ static int netvsc_suspend(struct hv_devi
+ cancel_delayed_work_sync(&ndev_ctx->dwork);
+
+ rtnl_lock();
++ cancel_delayed_work_sync(&ndev_ctx->vfns_work);
+
+ nvdev = rtnl_dereference(ndev_ctx->nvdev);
+ if (nvdev == NULL) {
+@@ -2782,6 +2786,27 @@ static void netvsc_event_set_vf_ns(struc
+ }
+ }
+
++void netvsc_vfns_work(struct work_struct *w)
++{
++ struct net_device_context *ndev_ctx =
++ container_of(w, struct net_device_context, vfns_work.work);
++ struct net_device *ndev;
++
++ if (!rtnl_trylock()) {
++ schedule_delayed_work(&ndev_ctx->vfns_work, 1);
++ return;
++ }
++
++ ndev = hv_get_drvdata(ndev_ctx->device_ctx);
++ if (!ndev)
++ goto out;
++
++ netvsc_event_set_vf_ns(ndev);
++
++out:
++ rtnl_unlock();
++}
++
+ /*
+ * On Hyper-V, every VF interface is matched with a corresponding
+ * synthetic interface. The synthetic interface is presented first
+@@ -2792,10 +2817,12 @@ static int netvsc_netdev_event(struct no
+ unsigned long event, void *ptr)
+ {
+ struct net_device *event_dev = netdev_notifier_info_to_dev(ptr);
++ struct net_device_context *ndev_ctx;
+ int ret = 0;
+
+ if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) {
+- netvsc_event_set_vf_ns(event_dev);
++ ndev_ctx = netdev_priv(event_dev);
++ schedule_delayed_work(&ndev_ctx->vfns_work, 0);
+ return NOTIFY_DONE;
+ }
+
--- /dev/null
+From bda2859bff0b9596a19648f3740c697ce4c71496 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Mon, 7 Jul 2025 18:34:01 +0000
+Subject: media: uvcvideo: Do not mark valid metadata as invalid
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit bda2859bff0b9596a19648f3740c697ce4c71496 upstream.
+
+Currently, the driver performs a length check of the metadata buffer
+before the actual metadata size is known and before the metadata is
+decided to be copied. This results in valid metadata buffers being
+incorrectly marked as invalid.
+
+Move the length check to occur after the metadata size is determined and
+is decided to be copied.
+
+Cc: stable@vger.kernel.org
+Fixes: 088ead255245 ("media: uvcvideo: Add a metadata device node")
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Hans de Goede <hansg@kernel.org>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Link: https://lore.kernel.org/r/20250707-uvc-meta-v8-1-ed17f8b1218b@chromium.org
+Signed-off-by: Hans de Goede <hansg@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_video.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -1353,12 +1353,6 @@ static void uvc_video_decode_meta(struct
+ if (!meta_buf || length == 2)
+ return;
+
+- if (meta_buf->length - meta_buf->bytesused <
+- length + sizeof(meta->ns) + sizeof(meta->sof)) {
+- meta_buf->error = 1;
+- return;
+- }
+-
+ has_pts = mem[1] & UVC_STREAM_PTS;
+ has_scr = mem[1] & UVC_STREAM_SCR;
+
+@@ -1379,6 +1373,12 @@ static void uvc_video_decode_meta(struct
+ !memcmp(scr, stream->clock.last_scr, 6)))
+ return;
+
++ if (meta_buf->length - meta_buf->bytesused <
++ length + sizeof(meta->ns) + sizeof(meta->sof)) {
++ meta_buf->error = 1;
++ return;
++ }
++
+ meta = (struct uvc_meta_buf *)((u8 *)meta_buf->mem + meta_buf->bytesused);
+ local_irq_save(flags);
+ time = uvc_video_get_time();
--- /dev/null
+From 782b6a718651eda3478b1824b37a8b3185d2740c Mon Sep 17 00:00:00 2001
+From: Youngjun Lee <yjjuny.lee@samsung.com>
+Date: Tue, 10 Jun 2025 21:41:07 +0900
+Subject: media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
+
+From: Youngjun Lee <yjjuny.lee@samsung.com>
+
+commit 782b6a718651eda3478b1824b37a8b3185d2740c upstream.
+
+The buffer length check before calling uvc_parse_format() only ensured
+that the buffer has at least 3 bytes (buflen > 2), buf the function
+accesses buffer[3], requiring at least 4 bytes.
+
+This can lead to an out-of-bounds read if the buffer has exactly 3 bytes.
+
+Fix it by checking that the buffer has at least 4 bytes in
+uvc_parse_format().
+
+Signed-off-by: Youngjun Lee <yjjuny.lee@samsung.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Link: https://lore.kernel.org/r/20250610124107.37360-1-yjjuny.lee@samsung.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -233,6 +233,9 @@ static int uvc_parse_format(struct uvc_d
+ unsigned int i, n;
+ u8 ftype;
+
++ if (buflen < 4)
++ return -EINVAL;
++
+ format->type = buffer[2];
+ format->index = buffer[3];
+
--- /dev/null
+From 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 Mon Sep 17 00:00:00 2001
+From: Breno Leitao <leitao@debian.org>
+Date: Thu, 31 Jul 2025 02:57:18 -0700
+Subject: mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock
+
+From: Breno Leitao <leitao@debian.org>
+
+commit 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 upstream.
+
+When netpoll is enabled, calling pr_warn_once() while holding
+kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock
+inversion with the netconsole subsystem. This occurs because
+pr_warn_once() may trigger netpoll, which eventually leads to
+__alloc_skb() and back into kmemleak code, attempting to reacquire
+kmemleak_lock.
+
+This is the path for the deadlock.
+
+mem_pool_alloc()
+ -> raw_spin_lock_irqsave(&kmemleak_lock, flags);
+ -> pr_warn_once()
+ -> netconsole subsystem
+ -> netpoll
+ -> __alloc_skb
+ -> __create_object
+ -> raw_spin_lock_irqsave(&kmemleak_lock, flags);
+
+Fix this by setting a flag and issuing the pr_warn_once() after
+kmemleak_lock is released.
+
+Link: https://lkml.kernel.org/r/20250731-kmemleak_lock-v1-1-728fd470198f@debian.org
+Fixes: c5665868183f ("mm: kmemleak: use the memory pool for early allocations")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kmemleak.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -441,6 +441,7 @@ static struct kmemleak_object *mem_pool_
+ {
+ unsigned long flags;
+ struct kmemleak_object *object;
++ bool warn = false;
+
+ /* try the slab allocator first */
+ if (object_cache) {
+@@ -458,8 +459,10 @@ static struct kmemleak_object *mem_pool_
+ else if (mem_pool_free_count)
+ object = &mem_pool[--mem_pool_free_count];
+ else
+- pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n");
++ warn = true;
+ raw_spin_unlock_irqrestore(&kmemleak_lock, flags);
++ if (warn)
++ pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n");
+
+ return object;
+ }
--- /dev/null
+From d1534ae23c2b6be350c8ab060803fbf6e9682adc Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Mon, 28 Jul 2025 15:02:48 -0400
+Subject: mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()
+
+From: Waiman Long <longman@redhat.com>
+
+commit d1534ae23c2b6be350c8ab060803fbf6e9682adc upstream.
+
+A soft lockup warning was observed on a relative small system x86-64
+system with 16 GB of memory when running a debug kernel with kmemleak
+enabled.
+
+ watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134]
+
+The test system was running a workload with hot unplug happening in
+parallel. Then kemleak decided to disable itself due to its inability to
+allocate more kmemleak objects. The debug kernel has its
+CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000.
+
+The soft lockup happened in kmemleak_do_cleanup() when the existing
+kmemleak objects were being removed and deleted one-by-one in a loop via a
+workqueue. In this particular case, there are at least 40,000 objects
+that need to be processed and given the slowness of a debug kernel and the
+fact that a raw_spinlock has to be acquired and released in
+__delete_object(), it could take a while to properly handle all these
+objects.
+
+As kmemleak has been disabled in this case, the object removal and
+deletion process can be further optimized as locking isn't really needed.
+However, it is probably not worth the effort to optimize for such an edge
+case that should rarely happen. So the simple solution is to call
+cond_resched() at periodic interval in the iteration loop to avoid soft
+lockup.
+
+Link: https://lkml.kernel.org/r/20250728190248.605750-1-longman@redhat.com
+Signed-off-by: Waiman Long <longman@redhat.com>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kmemleak.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -1992,6 +1992,7 @@ static const struct file_operations kmem
+ static void __kmemleak_do_cleanup(void)
+ {
+ struct kmemleak_object *object, *tmp;
++ unsigned int cnt = 0;
+
+ /*
+ * Kmemleak has already been disabled, no need for RCU list traversal
+@@ -2000,6 +2001,10 @@ static void __kmemleak_do_cleanup(void)
+ list_for_each_entry_safe(object, tmp, &object_list, object_list) {
+ __remove_object(object);
+ __delete_object(object);
++
++ /* Call cond_resched() once per 64 iterations to avoid soft lockup */
++ if (!(++cnt & 0x3f))
++ cond_resched();
+ }
+ }
+
--- /dev/null
+From 963f1b20a8d2a098954606b9725cd54336a2a86c Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Wed, 25 Jun 2025 00:39:33 -0700
+Subject: parisc: Makefile: fix a typo in palo.conf
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 963f1b20a8d2a098954606b9725cd54336a2a86c upstream.
+
+Correct "objree" to "objtree". "objree" is not defined.
+
+Fixes: 75dd47472b92 ("kbuild: remove src and obj from the top Makefile")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>
+Cc: Helge Deller <deller@gmx.de>
+Cc: linux-parisc@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v5.3+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/Makefile
++++ b/arch/parisc/Makefile
+@@ -137,7 +137,7 @@ palo lifimage: vmlinuz
+ fi
+ @if test ! -f "$(PALOCONF)"; then \
+ cp $(srctree)/arch/parisc/defpalo.conf $(objtree)/palo.conf; \
+- echo 'A generic palo config file ($(objree)/palo.conf) has been created for you.'; \
++ echo 'A generic palo config file ($(objtree)/palo.conf) has been created for you.'; \
+ echo 'You should check it and re-run "make palo".'; \
+ echo 'WARNING: the "lifimage" file is now placed in this directory by default!'; \
+ false; \
btrfs-zoned-do-not-remove-unwritten-non-data-block-group.patch
btrfs-fix-log-tree-replay-failure-due-to-file-with-0-links-and-extents.patch
btrfs-do-not-allow-relocation-of-partially-dropped-subvolumes.patch
+fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch
+hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch
+parisc-makefile-fix-a-typo-in-palo.conf.patch
+mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch
+mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch
+media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch
+media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch
+tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch
--- /dev/null
+From a477629baa2a0e9991f640af418e8c973a1c08e3 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Thu, 19 Jun 2025 11:30:51 +0200
+Subject: tools/nolibc: fix spelling of FD_SETBITMASK in FD_* macros
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Willy Tarreau <w@1wt.eu>
+
+commit a477629baa2a0e9991f640af418e8c973a1c08e3 upstream.
+
+While nolibc-test does test syscalls, it doesn't test as much the rest
+of the macros, and a wrong spelling of FD_SETBITMASK in commit
+feaf75658783a broke programs using either FD_SET() or FD_CLR() without
+being noticed. Let's fix these macros.
+
+Fixes: feaf75658783a ("nolibc: fix fd_set type")
+Cc: stable@vger.kernel.org # v6.2+
+Acked-by: Thomas Weißschuh <linux@weissschuh.net>
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/include/nolibc/types.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/include/nolibc/types.h
++++ b/tools/include/nolibc/types.h
+@@ -102,7 +102,7 @@ typedef struct {
+ int __fd = (fd); \
+ if (__fd >= 0) \
+ __set->fds[__fd / FD_SETIDXMASK] &= \
+- ~(1U << (__fd & FX_SETBITMASK)); \
++ ~(1U << (__fd & FD_SETBITMASK)); \
+ } while (0)
+
+ #define FD_SET(fd, set) do { \
+@@ -119,7 +119,7 @@ typedef struct {
+ int __r = 0; \
+ if (__fd >= 0) \
+ __r = !!(__set->fds[__fd / FD_SETIDXMASK] & \
+-1U << (__fd & FD_SET_BITMASK)); \
++1U << (__fd & FD_SETBITMASK)); \
+ __r; \
+ })
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
