--- /dev/null
+From 55f0bfc0370539213202f4ce1a07615327ac4713 Mon Sep 17 00:00:00 2001
+From: Yun Lu <luyun@kylinos.cn>
+Date: Fri, 11 Jul 2025 17:33:00 +0800
+Subject: af_packet: fix soft lockup issue caused by tpacket_snd()
+
+From: Yun Lu <luyun@kylinos.cn>
+
+commit 55f0bfc0370539213202f4ce1a07615327ac4713 upstream.
+
+When MSG_DONTWAIT is not set, the tpacket_snd operation will wait for
+pending_refcnt to decrement to zero before returning. The pending_refcnt
+is decremented by 1 when the skb->destructor function is called,
+indicating that the skb has been successfully sent and needs to be
+destroyed.
+
+If an error occurs during this process, the tpacket_snd() function will
+exit and return error, but pending_refcnt may not yet have decremented to
+zero. Assuming the next send operation is executed immediately, but there
+are no available frames to be sent in tx_ring (i.e., packet_current_frame
+returns NULL), and skb is also NULL, the function will not execute
+wait_for_completion_interruptible_timeout() to yield the CPU. Instead, it
+will enter a do-while loop, waiting for pending_refcnt to be zero. Even
+if the previous skb has completed transmission, the skb->destructor
+function can only be invoked in the ksoftirqd thread (assuming NAPI
+threading is enabled). When both the ksoftirqd thread and the tpacket_snd
+operation happen to run on the same CPU, and the CPU trapped in the
+do-while loop without yielding, the ksoftirqd thread will not get
+scheduled to run. As a result, pending_refcnt will never be reduced to
+zero, and the do-while loop cannot exit, eventually leading to a CPU soft
+lockup issue.
+
+In fact, skb is true for all but the first iterations of that loop, and
+as long as pending_refcnt is not zero, even if incremented by a previous
+call, wait_for_completion_interruptible_timeout() should be executed to
+yield the CPU, allowing the ksoftirqd thread to be scheduled. Therefore,
+the execution condition of this function should be modified to check if
+pending_refcnt is not zero, instead of check skb.
+
+- if (need_wait && skb) {
++ if (need_wait && packet_read_pending(&po->tx_ring)) {
+
+As a result, the judgment conditions are duplicated with the end code of
+the while loop, and packet_read_pending() is a very expensive function.
+Actually, this loop can only exit when ph is NULL, so the loop condition
+can be changed to while (1), and in the "ph = NULL" branch, if the
+subsequent condition of if is not met, the loop can break directly. Now,
+the loop logic remains the same as origin but is clearer and more obvious.
+
+Fixes: 89ed5b519004 ("af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET")
+Cc: stable@kernel.org
+Suggested-by: LongJun Tang <tanglongjun@kylinos.cn>
+Signed-off-by: Yun Lu <luyun@kylinos.cn>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2800,15 +2800,21 @@ static int tpacket_snd(struct packet_soc
+ ph = packet_current_frame(po, &po->tx_ring,
+ TP_STATUS_SEND_REQUEST);
+ if (unlikely(ph == NULL)) {
+- if (need_wait && skb) {
++ /* Note: packet_read_pending() might be slow if we
++ * have to call it as it's per_cpu variable, but in
++ * fast-path we don't have to call it, only when ph
++ * is NULL, we need to check the pending_refcnt.
++ */
++ if (need_wait && packet_read_pending(&po->tx_ring)) {
+ timeo = wait_for_completion_interruptible_timeout(&po->skb_completion, timeo);
+ if (timeo <= 0) {
+ err = !timeo ? -ETIMEDOUT : -ERESTARTSYS;
+ goto out_put;
+ }
+- }
+- /* check for additional frames */
+- continue;
++ /* check for additional frames */
++ continue;
++ } else
++ break;
+ }
+
+ skb = NULL;
+@@ -2898,14 +2904,7 @@ tpacket_error:
+ }
+ packet_increment_head(&po->tx_ring);
+ len_sum += tp_len;
+- } while (likely((ph != NULL) ||
+- /* Note: packet_read_pending() might be slow if we have
+- * to call it as it's per_cpu variable, but in fast-path
+- * we already short-circuit the loop with the first
+- * condition, and luckily don't have to go that path
+- * anyway.
+- */
+- (need_wait && packet_read_pending(&po->tx_ring))));
++ } while (1);
+
+ err = len_sum;
+ goto out_put;
--- /dev/null
+From c1ba3c0cbdb5e53a8ec5d708e99cd4c497028a13 Mon Sep 17 00:00:00 2001
+From: Yun Lu <luyun@kylinos.cn>
+Date: Fri, 11 Jul 2025 17:32:59 +0800
+Subject: af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd()
+
+From: Yun Lu <luyun@kylinos.cn>
+
+commit c1ba3c0cbdb5e53a8ec5d708e99cd4c497028a13 upstream.
+
+Due to the changes in commit 581073f626e3 ("af_packet: do not call
+packet_read_pending() from tpacket_destruct_skb()"), every time
+tpacket_destruct_skb() is executed, the skb_completion is marked as
+completed. When wait_for_completion_interruptible_timeout() returns
+completed, the pending_refcnt has not yet been reduced to zero.
+Therefore, when ph is NULL, the wait function may need to be called
+multiple times until packet_read_pending() finally returns zero.
+
+We should call sock_sndtimeo() only once, otherwise the SO_SNDTIMEO
+constraint could be way off.
+
+Fixes: 581073f626e3 ("af_packet: do not call packet_read_pending() from tpacket_destruct_skb()")
+Cc: stable@kernel.org
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Yun Lu <luyun@kylinos.cn>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2739,7 +2739,7 @@ static int tpacket_snd(struct packet_soc
+ int len_sum = 0;
+ int status = TP_STATUS_AVAILABLE;
+ int hlen, tlen, copylen = 0;
+- long timeo = 0;
++ long timeo;
+
+ mutex_lock(&po->pg_vec_lock);
+
+@@ -2793,6 +2793,7 @@ static int tpacket_snd(struct packet_soc
+ if ((size_max > dev->mtu + reserve + VLAN_HLEN) && !po->has_vnet_hdr)
+ size_max = dev->mtu + reserve + VLAN_HLEN;
+
++ timeo = sock_sndtimeo(&po->sk, msg->msg_flags & MSG_DONTWAIT);
+ reinit_completion(&po->skb_completion);
+
+ do {
+@@ -2800,7 +2801,6 @@ static int tpacket_snd(struct packet_soc
+ TP_STATUS_SEND_REQUEST);
+ if (unlikely(ph == NULL)) {
+ if (need_wait && skb) {
+- timeo = sock_sndtimeo(&po->sk, msg->msg_flags & MSG_DONTWAIT);
+ timeo = wait_for_completion_interruptible_timeout(&po->skb_completion, timeo);
+ if (timeo <= 0) {
+ err = !timeo ? -ETIMEDOUT : -ERESTARTSYS;
--- /dev/null
+From 188c6ba1dd925849c5d94885c8bbdeb0b3dcf510 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Tue, 1 Jul 2025 17:31:40 -0500
+Subject: dmaengine: nbpfaxi: Fix memory corruption in probe()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 188c6ba1dd925849c5d94885c8bbdeb0b3dcf510 upstream.
+
+The nbpf->chan[] array is allocated earlier in the nbpf_probe() function
+and it has "num_channels" elements. These three loops iterate one
+element farther than they should and corrupt memory.
+
+The changes to the second loop are more involved. In this case, we're
+copying data from the irqbuf[] array into the nbpf->chan[] array. If
+the data in irqbuf[i] is the error IRQ then we skip it, so the iterators
+are not in sync. I added a check to ensure that we don't go beyond the
+end of the irqbuf[] array. I'm pretty sure this can't happen, but it
+seemed harmless to add a check.
+
+On the other hand, after the loop has ended there is a check to ensure
+that the "chan" iterator is where we expect it to be. In the original
+code we went one element beyond the end of the array so the iterator
+wasn't in the correct place and it would always return -EINVAL. However,
+now it will always be in the correct place. I deleted the check since
+we know the result.
+
+Cc: stable@vger.kernel.org
+Fixes: b45b262cefd5 ("dmaengine: add a driver for AMBA AXI NBPF DMAC IP cores")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/b13c5225-7eff-448c-badc-a2c98e9bcaca@sabinyo.mountain
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/nbpfaxi.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/dma/nbpfaxi.c
++++ b/drivers/dma/nbpfaxi.c
+@@ -1356,7 +1356,7 @@ static int nbpf_probe(struct platform_de
+ if (irqs == 1) {
+ eirq = irqbuf[0];
+
+- for (i = 0; i <= num_channels; i++)
++ for (i = 0; i < num_channels; i++)
+ nbpf->chan[i].irq = irqbuf[0];
+ } else {
+ eirq = platform_get_irq_byname(pdev, "error");
+@@ -1366,16 +1366,15 @@ static int nbpf_probe(struct platform_de
+ if (irqs == num_channels + 1) {
+ struct nbpf_channel *chan;
+
+- for (i = 0, chan = nbpf->chan; i <= num_channels;
++ for (i = 0, chan = nbpf->chan; i < num_channels;
+ i++, chan++) {
+ /* Skip the error IRQ */
+ if (irqbuf[i] == eirq)
+ i++;
++ if (i >= ARRAY_SIZE(irqbuf))
++ return -EINVAL;
+ chan->irq = irqbuf[i];
+ }
+-
+- if (chan != nbpf->chan + num_channels)
+- return -EINVAL;
+ } else {
+ /* 2 IRQs and more than one channel */
+ if (irqbuf[0] == eirq)
+@@ -1383,7 +1382,7 @@ static int nbpf_probe(struct platform_de
+ else
+ irq = irqbuf[0];
+
+- for (i = 0; i <= num_channels; i++)
++ for (i = 0; i < num_channels; i++)
+ nbpf->chan[i].irq = irq;
+ }
+ }
--- /dev/null
+From 0a9e7405131380b57e155f10242b2e25d2e51852 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 9 Jul 2025 11:55:46 +0200
+Subject: isofs: Verify inode mode when loading from disk
+
+From: Jan Kara <jack@suse.cz>
+
+commit 0a9e7405131380b57e155f10242b2e25d2e51852 upstream.
+
+Verify that the inode mode is sane when loading it from the disk to
+avoid complaints from VFS about setting up invalid inodes.
+
+Reported-by: syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/20250709095545.31062-2-jack@suse.cz
+Acked-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/isofs/inode.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/isofs/inode.c
++++ b/fs/isofs/inode.c
+@@ -1492,9 +1492,16 @@ static int isofs_read_inode(struct inode
+ inode->i_op = &page_symlink_inode_operations;
+ inode_nohighmem(inode);
+ inode->i_data.a_ops = &isofs_symlink_aops;
+- } else
++ } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) ||
++ S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
+ /* XXX - parse_rock_ridge_inode() had already set i_rdev. */
+ init_special_inode(inode, inode->i_mode, inode->i_rdev);
++ } else {
++ printk(KERN_DEBUG "ISOFS: Invalid file type 0%04o for inode %lu.\n",
++ inode->i_mode, inode->i_ino);
++ ret = -EIO;
++ goto fail;
++ }
+
+ ret = 0;
+ out:
--- /dev/null
+From 21b34a3a204ed616373a12ec17dc127ebe51eab3 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Tue, 15 Jul 2025 15:56:05 -0700
+Subject: memstick: core: Zero initialize id_reg in h_memstick_read_dev_id()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 21b34a3a204ed616373a12ec17dc127ebe51eab3 upstream.
+
+A new warning in clang [1] points out that id_reg is uninitialized then
+passed to memstick_init_req() as a const pointer:
+
+ drivers/memstick/core/memstick.c:330:59: error: variable 'id_reg' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer]
+ 330 | memstick_init_req(&card->current_mrq, MS_TPC_READ_REG, &id_reg,
+ | ^~~~~~
+
+Commit de182cc8e882 ("drivers/memstick/core/memstick.c: avoid -Wnonnull
+warning") intentionally passed this variable uninitialized to avoid an
+-Wnonnull warning from a NULL value that was previously there because
+id_reg is never read from the call to memstick_init_req() in
+h_memstick_read_dev_id(). Just zero initialize id_reg to avoid the
+warning, which is likely happening in the majority of builds using
+modern compilers that support '-ftrivial-auto-var-init=zero'.
+
+Cc: stable@vger.kernel.org
+Fixes: de182cc8e882 ("drivers/memstick/core/memstick.c: avoid -Wnonnull warning")
+Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d441f19b319e [1]
+Closes: https://github.com/ClangBuiltLinux/linux/issues/2105
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/r/20250715-memstick-fix-uninit-const-pointer-v1-1-f6753829c27a@kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/memstick/core/memstick.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/memstick/core/memstick.c
++++ b/drivers/memstick/core/memstick.c
+@@ -324,7 +324,7 @@ EXPORT_SYMBOL(memstick_init_req);
+ static int h_memstick_read_dev_id(struct memstick_dev *card,
+ struct memstick_request **mrq)
+ {
+- struct ms_id_register id_reg;
++ struct ms_id_register id_reg = {};
+
+ if (!(*mrq)) {
+ memstick_init_req(&card->current_mrq, MS_TPC_READ_REG, &id_reg,
--- /dev/null
+From ff09b71bf9daeca4f21d6e5e449641c9fad75b53 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Mon, 30 Jun 2025 11:35:07 +0200
+Subject: mmc: bcm2835: Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit ff09b71bf9daeca4f21d6e5e449641c9fad75b53 upstream.
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: 2f5da678351f ("mmc: bcm2835: Properly handle dmaengine_prep_slave_sg")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250630093510.82871-2-fourier.thomas@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/bcm2835.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/bcm2835.c
++++ b/drivers/mmc/host/bcm2835.c
+@@ -507,7 +507,8 @@ void bcm2835_prepare_dma(struct bcm2835_
+ DMA_PREP_INTERRUPT | DMA_CTRL_ACK);
+
+ if (!desc) {
+- dma_unmap_sg(dma_chan->device->dev, data->sg, sg_len, dir_data);
++ dma_unmap_sg(dma_chan->device->dev, data->sg, data->sg_len,
++ dir_data);
+ return;
+ }
+
--- /dev/null
+From 50c78f398e92fafa1cbba3469c95fe04b2e4206d Mon Sep 17 00:00:00 2001
+From: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+Date: Thu, 26 Jun 2025 08:24:42 -0300
+Subject: mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models
+
+From: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+
+commit 50c78f398e92fafa1cbba3469c95fe04b2e4206d upstream.
+
+Disable command queuing on Intel GLK-based Positivo models.
+
+Without this quirk, CQE (Command Queuing Engine) causes instability
+or I/O errors during operation. Disabling it ensures stable
+operation on affected devices.
+
+Signed-off-by: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+Fixes: bedf9fc01ff1 ("mmc: sdhci: Workaround broken command queuing on Intel GLK")
+Cc: stable@vger.kernel.org
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20250626112442.9791-1-edson.drosdeck@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pci-core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-pci-core.c
++++ b/drivers/mmc/host/sdhci-pci-core.c
+@@ -969,7 +969,8 @@ static bool glk_broken_cqhci(struct sdhc
+ {
+ return slot->chip->pdev->device == PCI_DEVICE_ID_INTEL_GLK_EMMC &&
+ (dmi_match(DMI_BIOS_VENDOR, "LENOVO") ||
+- dmi_match(DMI_SYS_VENDOR, "IRBIS"));
++ dmi_match(DMI_SYS_VENDOR, "IRBIS") ||
++ dmi_match(DMI_SYS_VENDOR, "Positivo Tecnologia SA"));
+ }
+
+ static bool jsl_broken_hs400es(struct sdhci_pci_slot *slot)
--- /dev/null
+From 6d0b1c01847fedd7c85a5cdf59b8cfc7d14512e6 Mon Sep 17 00:00:00 2001
+From: Judith Mendez <jm@ti.com>
+Date: Thu, 26 Jun 2025 18:14:52 -0500
+Subject: mmc: sdhci_am654: Workaround for Errata i2312
+
+From: Judith Mendez <jm@ti.com>
+
+commit 6d0b1c01847fedd7c85a5cdf59b8cfc7d14512e6 upstream.
+
+Errata i2312 [0] for K3 silicon mentions the maximum obtainable
+timeout through MMC host controller is 700ms. And for commands taking
+longer than 700ms, hardware timeout should be disabled and software
+timeout should be used.
+
+The workaround for Errata i2312 can be achieved by adding
+SDHCI_QUIRK2_DISABLE_HW_TIMEOUT quirk in sdhci_am654.
+
+[0] https://www.ti.com/lit/pdf/sprz487
+
+Signed-off-by: Judith Mendez <jm@ti.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Fixes: 41fd4caeb00b ("mmc: sdhci_am654: Add Initial Support for AM654 SDHCI driver")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250626231452.3460987-1-jm@ti.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci_am654.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/host/sdhci_am654.c
++++ b/drivers/mmc/host/sdhci_am654.c
+@@ -558,7 +558,8 @@ static struct sdhci_ops sdhci_am654_ops
+ static const struct sdhci_pltfm_data sdhci_am654_pdata = {
+ .ops = &sdhci_am654_ops,
+ .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12,
+- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN,
++ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN |
++ SDHCI_QUIRK2_DISABLE_HW_TIMEOUT,
+ };
+
+ static const struct sdhci_am654_driver_data sdhci_am654_sr1_drvdata = {
+@@ -588,7 +589,8 @@ static struct sdhci_ops sdhci_j721e_8bit
+ static const struct sdhci_pltfm_data sdhci_j721e_8bit_pdata = {
+ .ops = &sdhci_j721e_8bit_ops,
+ .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12,
+- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN,
++ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN |
++ SDHCI_QUIRK2_DISABLE_HW_TIMEOUT,
+ };
+
+ static const struct sdhci_am654_driver_data sdhci_j721e_8bit_drvdata = {
+@@ -612,7 +614,8 @@ static struct sdhci_ops sdhci_j721e_4bit
+ static const struct sdhci_pltfm_data sdhci_j721e_4bit_pdata = {
+ .ops = &sdhci_j721e_4bit_ops,
+ .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12,
+- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN,
++ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN |
++ SDHCI_QUIRK2_DISABLE_HW_TIMEOUT,
+ };
+
+ static const struct sdhci_am654_driver_data sdhci_j721e_4bit_drvdata = {
--- /dev/null
+From 17ba793f381eb813596d6de1cc6820bcbda5ed8b Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Tue, 15 Jul 2025 16:15:40 -0700
+Subject: phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 17ba793f381eb813596d6de1cc6820bcbda5ed8b upstream.
+
+A new warning in clang [1] points out a place in pep_sock_accept() where
+dst is uninitialized then passed as a const pointer to pep_find_pipe():
+
+ net/phonet/pep.c:829:37: error: variable 'dst' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer]
+ 829 | newsk = pep_find_pipe(&pn->hlist, &dst, pipe_handle);
+ | ^~~:
+
+Move the call to pn_skb_get_dst_sockaddr(), which initializes dst, to
+before the call to pep_find_pipe(), so that dst is consistently used
+initialized throughout the function.
+
+Cc: stable@vger.kernel.org
+Fixes: f7ae8d59f661 ("Phonet: allocate sock from accept syscall rather than soft IRQ")
+Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d441f19b319e [1]
+Closes: https://github.com/ClangBuiltLinux/linux/issues/2101
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://patch.msgid.link/20250715-net-phonet-fix-uninit-const-pointer-v1-1-8efd1bd188b3@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/phonet/pep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/phonet/pep.c
++++ b/net/phonet/pep.c
+@@ -825,6 +825,7 @@ static struct sock *pep_sock_accept(stru
+ }
+
+ /* Check for duplicate pipe handle */
++ pn_skb_get_dst_sockaddr(skb, &dst);
+ newsk = pep_find_pipe(&pn->hlist, &dst, pipe_handle);
+ if (unlikely(newsk)) {
+ __sock_put(newsk);
+@@ -849,7 +850,6 @@ static struct sock *pep_sock_accept(stru
+ newsk->sk_destruct = pipe_destruct;
+
+ newpn = pep_sk(newsk);
+- pn_skb_get_dst_sockaddr(skb, &dst);
+ pn_skb_get_src_sockaddr(skb, &src);
+ newpn->pn_sk.sobject = pn_sockaddr_get_object(&dst);
+ newpn->pn_sk.dobject = pn_sockaddr_get_object(&src);
hid-core-ensure-the-allocated-report-buffer-can-contain-the-reserved-report-id.patch
hid-core-ensure-__hid_request-reserves-the-report-id-as-the-first-byte.patch
hid-core-do-not-bypass-hid_hw_raw_request.patch
+phonet-pep-move-call-to-pn_skb_get_dst_sockaddr-earlier-in-pep_sock_accept.patch
+af_packet-fix-the-so_sndtimeo-constraint-not-effective-on-tpacked_snd.patch
+af_packet-fix-soft-lockup-issue-caused-by-tpacket_snd.patch
+dmaengine-nbpfaxi-fix-memory-corruption-in-probe.patch
+isofs-verify-inode-mode-when-loading-from-disk.patch
+memstick-core-zero-initialize-id_reg-in-h_memstick_read_dev_id.patch
+mmc-bcm2835-fix-dma_unmap_sg-nents-value.patch
+mmc-sdhci-pci-quirk-for-broken-command-queuing-on-intel-glk-based-positivo-models.patch
+mmc-sdhci_am654-workaround-for-errata-i2312.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
