--- /dev/null
+From d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 Mon Sep 17 00:00:00 2001
+From: Stanislav Fort <stanislav.fort@aisle.com>
+Date: Sun, 31 Aug 2025 16:56:23 +0200
+Subject: batman-adv: fix OOB read/write in network-coding decode
+
+From: Stanislav Fort <stanislav.fort@aisle.com>
+
+commit d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 upstream.
+
+batadv_nc_skb_decode_packet() trusts coded_len and checks only against
+skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing
+payload headroom, and the source skb length is not verified, allowing an
+out-of-bounds read and a small out-of-bounds write.
+
+Validate that coded_len fits within the payload area of both destination
+and source sk_buffs before XORing.
+
+Fixes: 2df5278b0267 ("batman-adv: network coding - receive coded packets and decode them")
+Cc: stable@vger.kernel.org
+Reported-by: Stanislav Fort <disclosure@aisle.com>
+Signed-off-by: Stanislav Fort <stanislav.fort@aisle.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/network-coding.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/network-coding.c
++++ b/net/batman-adv/network-coding.c
+@@ -1687,7 +1687,12 @@ batadv_nc_skb_decode_packet(struct batad
+
+ coding_len = ntohs(coded_packet_tmp.coded_len);
+
+- if (coding_len > skb->len)
++ /* ensure dst buffer is large enough (payload only) */
++ if (coding_len + h_size > skb->len)
++ return NULL;
++
++ /* ensure src buffer is large enough (payload only) */
++ if (coding_len + h_size > nc_packet->skb->len)
+ return NULL;
+
+ /* Here the magic is reversed:
--- /dev/null
+From 70bccd9855dae56942f2b18a08ba137bb54093a0 Mon Sep 17 00:00:00 2001
+From: Makar Semyonov <m.semenov@tssltd.ru>
+Date: Thu, 4 Sep 2025 15:28:41 +0300
+Subject: cifs: prevent NULL pointer dereference in UTF16 conversion
+
+From: Makar Semyonov <m.semenov@tssltd.ru>
+
+commit 70bccd9855dae56942f2b18a08ba137bb54093a0 upstream.
+
+There can be a NULL pointer dereference bug here. NULL is passed to
+__cifs_sfu_make_node without checks, which passes it unchecked to
+cifs_strndup_to_utf16, which in turn passes it to
+cifs_local_to_utf16_bytes where '*from' is dereferenced, causing a crash.
+
+This patch adds a check for NULL 'src' in cifs_strndup_to_utf16 and
+returns NULL early to prevent dereferencing NULL pointer.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE
+
+Signed-off-by: Makar Semyonov <m.semenov@tssltd.ru>
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifs_unicode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/smb/client/cifs_unicode.c
++++ b/fs/smb/client/cifs_unicode.c
+@@ -619,6 +619,9 @@ cifs_strndup_to_utf16(const char *src, c
+ int len;
+ __le16 *dst;
+
++ if (!src)
++ return NULL;
++
+ len = cifs_local_to_utf16_bytes(src, maxlen, cp);
+ len += 2; /* NULL */
+ dst = kmalloc(len, GFP_KERNEL);
--- /dev/null
+From 71403f58b4bb6c13b71c05505593a355f697fd94 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 6 Aug 2025 10:47:50 -0400
+Subject: drm/amdgpu: drop hw access in non-DC audio fini
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 71403f58b4bb6c13b71c05505593a355f697fd94 upstream.
+
+We already disable the audio pins in hw_fini so
+there is no need to do it again in sw_fini.
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4481
+Cc: oushixiong <oushixiong1025@163.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 5eeb16ca727f11278b2917fd4311a7d7efb0bbd6)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 -----
+ drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 -----
+ drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 -----
+ drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 -----
+ 4 files changed, 20 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c
+@@ -1464,17 +1464,12 @@ static int dce_v10_0_audio_init(struct a
+
+ static void dce_v10_0_audio_fini(struct amdgpu_device *adev)
+ {
+- int i;
+-
+ if (!amdgpu_audio)
+ return;
+
+ if (!adev->mode_info.audio.enabled)
+ return;
+
+- for (i = 0; i < adev->mode_info.audio.num_pins; i++)
+- dce_v10_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false);
+-
+ adev->mode_info.audio.enabled = false;
+ }
+
+--- a/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c
+@@ -1506,17 +1506,12 @@ static int dce_v11_0_audio_init(struct a
+
+ static void dce_v11_0_audio_fini(struct amdgpu_device *adev)
+ {
+- int i;
+-
+ if (!amdgpu_audio)
+ return;
+
+ if (!adev->mode_info.audio.enabled)
+ return;
+
+- for (i = 0; i < adev->mode_info.audio.num_pins; i++)
+- dce_v11_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false);
+-
+ adev->mode_info.audio.enabled = false;
+ }
+
+--- a/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c
+@@ -1375,17 +1375,12 @@ static int dce_v6_0_audio_init(struct am
+
+ static void dce_v6_0_audio_fini(struct amdgpu_device *adev)
+ {
+- int i;
+-
+ if (!amdgpu_audio)
+ return;
+
+ if (!adev->mode_info.audio.enabled)
+ return;
+
+- for (i = 0; i < adev->mode_info.audio.num_pins; i++)
+- dce_v6_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false);
+-
+ adev->mode_info.audio.enabled = false;
+ }
+
+--- a/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c
+@@ -1427,17 +1427,12 @@ static int dce_v8_0_audio_init(struct am
+
+ static void dce_v8_0_audio_fini(struct amdgpu_device *adev)
+ {
+- int i;
+-
+ if (!amdgpu_audio)
+ return;
+
+ if (!adev->mode_info.audio.enabled)
+ return;
+
+- for (i = 0; i < adev->mode_info.audio.num_pins; i++)
+- dce_v8_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false);
+-
+ adev->mode_info.audio.enabled = false;
+ }
+
--- /dev/null
+From 90fb7db49c6dbac961c6b8ebfd741141ffbc8545 Mon Sep 17 00:00:00 2001
+From: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Date: Sun, 17 Aug 2025 12:25:47 +0300
+Subject: e1000e: fix heap overflow in e1000_set_eeprom
+
+From: Vitaly Lifshits <vitaly.lifshits@intel.com>
+
+commit 90fb7db49c6dbac961c6b8ebfd741141ffbc8545 upstream.
+
+Fix a possible heap overflow in e1000_set_eeprom function by adding
+input validation for the requested length of the change in the EEPROM.
+In addition, change the variable type from int to size_t for better
+code practices and rearrange declarations to RCT.
+
+Cc: stable@vger.kernel.org
+Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
+Co-developed-by: Mikael Wessel <post@mikaelkw.online>
+Signed-off-by: Mikael Wessel <post@mikaelkw.online>
+Signed-off-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/e1000e/ethtool.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/ethtool.c
++++ b/drivers/net/ethernet/intel/e1000e/ethtool.c
+@@ -559,12 +559,12 @@ static int e1000_set_eeprom(struct net_d
+ {
+ struct e1000_adapter *adapter = netdev_priv(netdev);
+ struct e1000_hw *hw = &adapter->hw;
++ size_t total_len, max_len;
+ u16 *eeprom_buff;
+- void *ptr;
+- int max_len;
++ int ret_val = 0;
+ int first_word;
+ int last_word;
+- int ret_val = 0;
++ void *ptr;
+ u16 i;
+
+ if (eeprom->len == 0)
+@@ -579,6 +579,10 @@ static int e1000_set_eeprom(struct net_d
+
+ max_len = hw->nvm.word_size * 2;
+
++ if (check_add_overflow(eeprom->offset, eeprom->len, &total_len) ||
++ total_len > max_len)
++ return -EFBIG;
++
+ first_word = eeprom->offset >> 1;
+ last_word = (eeprom->offset + eeprom->len - 1) >> 1;
+ eeprom_buff = kmalloc(max_len, GFP_KERNEL);
--- /dev/null
+From a7195a3d67dace056af7ca65144a11874df79562 Mon Sep 17 00:00:00 2001
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Date: Mon, 1 Sep 2025 12:20:19 +0100
+Subject: net: pcs: rzn1-miic: Correct MODCTRL register offset
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+commit a7195a3d67dace056af7ca65144a11874df79562 upstream.
+
+Correct the Mode Control Register (MODCTRL) offset for RZ/N MIIC.
+According to the R-IN Engine and Ethernet Peripherals Manual (Rev.1.30)
+[0], Table 10.1 "Ethernet Accessory Register List", MODCTRL is at offset
+0x8, not 0x20 as previously defined.
+
+Offset 0x20 actually maps to the Port Trigger Control Register (PTCTRL),
+which controls PTP_MODE[3:0] and RGMII_CLKSEL[4]. Using this incorrect
+definition prevented the driver from configuring the SW_MODE[4:0] bits
+in MODCTRL, which control the internal connection of Ethernet ports. As
+a result, the MIIC could not be switched into the correct mode, leading
+to link setup failures and non-functional Ethernet ports on affected
+systems.
+
+[0] https://www.renesas.com/en/document/mah/rzn1d-group-rzn1s-group-rzn1l-group-users-manual-r-engine-and-ethernet-peripherals?r=1054571
+
+Fixes: 7dc54d3b8d91 ("net: pcs: add Renesas MII converter driver")
+Cc: stable@kernel.org
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://patch.msgid.link/20250901112019.16278-1-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/pcs/pcs-rzn1-miic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/pcs/pcs-rzn1-miic.c
++++ b/drivers/net/pcs/pcs-rzn1-miic.c
+@@ -18,7 +18,7 @@
+ #define MIIC_PRCMD 0x0
+ #define MIIC_ESID_CODE 0x4
+
+-#define MIIC_MODCTRL 0x20
++#define MIIC_MODCTRL 0x8
+ #define MIIC_MODCTRL_SW_MODE GENMASK(4, 0)
+
+ #define MIIC_CONVCTRL(port) (0x100 + (port) * 4)
--- /dev/null
+From f46e8ef8bb7b452584f2e75337b619ac51a7cadf Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis <eadavis@qq.com>
+Date: Tue, 19 Aug 2025 21:41:02 +0800
+Subject: ocfs2: prevent release journal inode after journal shutdown
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+commit f46e8ef8bb7b452584f2e75337b619ac51a7cadf upstream.
+
+Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already
+been executed in ocfs2_dismount_volume(), so osb->journal must be NULL.
+Therefore, the following calltrace will inevitably fail when it reaches
+jbd2_journal_release_jbd_inode().
+
+ocfs2_dismount_volume()->
+ ocfs2_delete_osb()->
+ ocfs2_free_slot_info()->
+ __ocfs2_free_slot_info()->
+ evict()->
+ ocfs2_evict_inode()->
+ ocfs2_clear_inode()->
+ jbd2_journal_release_jbd_inode(osb->journal->j_journal,
+
+Adding osb->journal checks will prevent null-ptr-deref during the above
+execution path.
+
+Link: https://lkml.kernel.org/r/tencent_357489BEAEE4AED74CBD67D246DBD2C4C606@qq.com
+Fixes: da5e7c87827e ("ocfs2: cleanup journal init and shutdown")
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Reported-by: syzbot+47d8cb2f2cc1517e515a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=47d8cb2f2cc1517e515a
+Tested-by: syzbot+47d8cb2f2cc1517e515a@syzkaller.appspotmail.com
+Reviewed-by: Mark Tinguely <mark.tinguely@oracle.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/inode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1205,6 +1205,9 @@ static void ocfs2_clear_inode(struct ino
+ * the journal is flushed before journal shutdown. Thus it is safe to
+ * have inodes get cleaned up after journal shutdown.
+ */
++ if (!osb->journal)
++ return;
++
+ jbd2_journal_release_jbd_inode(osb->journal->j_journal,
+ &oi->ip_jinode);
+ }
--- /dev/null
+From 2ce3d282bd5050fca8577defeff08ada0d55d062 Mon Sep 17 00:00:00 2001
+From: wangzijie <wangzijie1@honor.com>
+Date: Mon, 18 Aug 2025 20:31:02 +0800
+Subject: proc: fix missing pde_set_flags() for net proc files
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: wangzijie <wangzijie1@honor.com>
+
+commit 2ce3d282bd5050fca8577defeff08ada0d55d062 upstream.
+
+To avoid potential UAF issues during module removal races, we use
+pde_set_flags() to save proc_ops flags in PDE itself before
+proc_register(), and then use pde_has_proc_*() helpers instead of directly
+dereferencing pde->proc_ops->*.
+
+However, the pde_set_flags() call was missing when creating net related
+proc files. This omission caused incorrect behavior which FMODE_LSEEK was
+being cleared inappropriately in proc_reg_open() for net proc files. Lars
+reported it in this link[1].
+
+Fix this by ensuring pde_set_flags() is called when register proc entry,
+and add NULL check for proc_ops in pde_set_flags().
+
+[wangzijie1@honor.com: stash pde->proc_ops in a local const variable, per Christian]
+ Link: https://lkml.kernel.org/r/20250821105806.1453833-1-wangzijie1@honor.com
+Link: https://lkml.kernel.org/r/20250818123102.959595-1-wangzijie1@honor.com
+Link: https://lore.kernel.org/all/20250815195616.64497967@chagall.paradoxon.rec/ [1]
+Fixes: ff7ec8dc1b64 ("proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al")
+Signed-off-by: wangzijie <wangzijie1@honor.com>
+Reported-by: Lars Wendler <polynomial-c@gmx.de>
+Tested-by: Stefano Brivio <sbrivio@redhat.com>
+Tested-by: Petr Vaněk <pv@excello.cz>
+Tested by: Lars Wendler <polynomial-c@gmx.de>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jiri Slaby <jirislaby@kernel.org>
+Cc: Kirill A. Shutemov <k.shutemov@gmail.com>
+Cc: wangzijie <wangzijie1@honor.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/generic.c | 38 +++++++++++++++++++++-----------------
+ 1 file changed, 21 insertions(+), 17 deletions(-)
+
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@ -363,6 +363,25 @@ static const struct inode_operations pro
+ .setattr = proc_notify_change,
+ };
+
++static void pde_set_flags(struct proc_dir_entry *pde)
++{
++ const struct proc_ops *proc_ops = pde->proc_ops;
++
++ if (!proc_ops)
++ return;
++
++ if (proc_ops->proc_flags & PROC_ENTRY_PERMANENT)
++ pde->flags |= PROC_ENTRY_PERMANENT;
++ if (proc_ops->proc_read_iter)
++ pde->flags |= PROC_ENTRY_proc_read_iter;
++#ifdef CONFIG_COMPAT
++ if (proc_ops->proc_compat_ioctl)
++ pde->flags |= PROC_ENTRY_proc_compat_ioctl;
++#endif
++ if (proc_ops->proc_lseek)
++ pde->flags |= PROC_ENTRY_proc_lseek;
++}
++
+ /* returns the registered entry, or frees dp and returns NULL on failure */
+ struct proc_dir_entry *proc_register(struct proc_dir_entry *dir,
+ struct proc_dir_entry *dp)
+@@ -370,6 +389,8 @@ struct proc_dir_entry *proc_register(str
+ if (proc_alloc_inum(&dp->low_ino))
+ goto out_free_entry;
+
++ pde_set_flags(dp);
++
+ write_lock(&proc_subdir_lock);
+ dp->parent = dir;
+ if (pde_subdir_insert(dir, dp) == false) {
+@@ -558,20 +579,6 @@ struct proc_dir_entry *proc_create_reg(c
+ return p;
+ }
+
+-static void pde_set_flags(struct proc_dir_entry *pde)
+-{
+- if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT)
+- pde->flags |= PROC_ENTRY_PERMANENT;
+- if (pde->proc_ops->proc_read_iter)
+- pde->flags |= PROC_ENTRY_proc_read_iter;
+-#ifdef CONFIG_COMPAT
+- if (pde->proc_ops->proc_compat_ioctl)
+- pde->flags |= PROC_ENTRY_proc_compat_ioctl;
+-#endif
+- if (pde->proc_ops->proc_lseek)
+- pde->flags |= PROC_ENTRY_proc_lseek;
+-}
+-
+ struct proc_dir_entry *proc_create_data(const char *name, umode_t mode,
+ struct proc_dir_entry *parent,
+ const struct proc_ops *proc_ops, void *data)
+@@ -582,7 +589,6 @@ struct proc_dir_entry *proc_create_data(
+ if (!p)
+ return NULL;
+ p->proc_ops = proc_ops;
+- pde_set_flags(p);
+ return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_data);
+@@ -633,7 +639,6 @@ struct proc_dir_entry *proc_create_seq_p
+ p->proc_ops = &proc_seq_ops;
+ p->seq_ops = ops;
+ p->state_size = state_size;
+- pde_set_flags(p);
+ return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_seq_private);
+@@ -664,7 +669,6 @@ struct proc_dir_entry *proc_create_singl
+ return NULL;
+ p->proc_ops = &proc_single_ops;
+ p->single_show = show;
+- pde_set_flags(p);
+ return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_single_data);
--- /dev/null
+From 9dba9a45c348e8460da97c450cddf70b2056deb3 Mon Sep 17 00:00:00 2001
+From: John Evans <evans1210144@gmail.com>
+Date: Thu, 28 Aug 2025 12:40:08 +0800
+Subject: scsi: lpfc: Fix buffer free/clear order in deferred receive path
+
+From: John Evans <evans1210144@gmail.com>
+
+commit 9dba9a45c348e8460da97c450cddf70b2056deb3 upstream.
+
+Fix a use-after-free window by correcting the buffer release sequence in
+the deferred receive path. The code freed the RQ buffer first and only
+then cleared the context pointer under the lock. Concurrent paths (e.g.,
+ABTS and the repost path) also inspect and release the same pointer under
+the lock, so the old order could lead to double-free/UAF.
+
+Note that the repost path already uses the correct pattern: detach the
+pointer under the lock, then free it after dropping the lock. The
+deferred path should do the same.
+
+Fixes: 472e146d1cf3 ("scsi: lpfc: Correct upcalling nvmet_fc transport during io done downcall")
+Cc: stable@vger.kernel.org
+Signed-off-by: John Evans <evans1210144@gmail.com>
+Link: https://lore.kernel.org/r/20250828044008.743-1-evans1210144@gmail.com
+Reviewed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_nvmet.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_nvmet.c
++++ b/drivers/scsi/lpfc/lpfc_nvmet.c
+@@ -1243,7 +1243,7 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_tar
+ struct lpfc_nvmet_tgtport *tgtp;
+ struct lpfc_async_xchg_ctx *ctxp =
+ container_of(rsp, struct lpfc_async_xchg_ctx, hdlrctx.fcp_req);
+- struct rqb_dmabuf *nvmebuf = ctxp->rqb_buffer;
++ struct rqb_dmabuf *nvmebuf;
+ struct lpfc_hba *phba = ctxp->phba;
+ unsigned long iflag;
+
+@@ -1251,13 +1251,18 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_tar
+ lpfc_nvmeio_data(phba, "NVMET DEFERRCV: xri x%x sz %d CPU %02x\n",
+ ctxp->oxid, ctxp->size, raw_smp_processor_id());
+
++ spin_lock_irqsave(&ctxp->ctxlock, iflag);
++ nvmebuf = ctxp->rqb_buffer;
+ if (!nvmebuf) {
++ spin_unlock_irqrestore(&ctxp->ctxlock, iflag);
+ lpfc_printf_log(phba, KERN_INFO, LOG_NVME_IOERR,
+ "6425 Defer rcv: no buffer oxid x%x: "
+ "flg %x ste %x\n",
+ ctxp->oxid, ctxp->flag, ctxp->state);
+ return;
+ }
++ ctxp->rqb_buffer = NULL;
++ spin_unlock_irqrestore(&ctxp->ctxlock, iflag);
+
+ tgtp = phba->targetport->private;
+ if (tgtp)
+@@ -1265,9 +1270,6 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_tar
+
+ /* Free the nvmebuf since a new buffer already replaced it */
+ nvmebuf->hrq->rqbp->rqb_free_buffer(phba, nvmebuf);
+- spin_lock_irqsave(&ctxp->ctxlock, iflag);
+- ctxp->rqb_buffer = NULL;
+- spin_unlock_irqrestore(&ctxp->ctxlock, iflag);
+ }
+
+ /**
pcmcia-fix-a-null-pointer-dereference-in-__iodyn_find_io_region.patch
x86-mm-64-define-arch_page_table_sync_mask-and-arch_sync_kernel_mappings.patch
mm-move-page-table-sync-declarations-to-linux-pgtable.h.patch
+ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch
+proc-fix-missing-pde_set_flags-for-net-proc-files.patch
+wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch
+drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch
+scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch
+batman-adv-fix-oob-read-write-in-network-coding-decode.patch
+cifs-prevent-null-pointer-dereference-in-utf16-conversion.patch
+e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch
+net-pcs-rzn1-miic-correct-modctrl-register-offset.patch
--- /dev/null
+From 0e20450829ca3c1dbc2db536391537c57a40fe0b Mon Sep 17 00:00:00 2001
+From: Qianfeng Rong <rongqianfeng@vivo.com>
+Date: Fri, 15 Aug 2025 10:30:50 +0800
+Subject: wifi: mwifiex: Initialize the chan_stats array to zero
+
+From: Qianfeng Rong <rongqianfeng@vivo.com>
+
+commit 0e20450829ca3c1dbc2db536391537c57a40fe0b upstream.
+
+The adapter->chan_stats[] array is initialized in
+mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out
+memory. The array is filled in mwifiex_update_chan_statistics()
+and then the user can query the data in mwifiex_cfg80211_dump_survey().
+
+There are two potential issues here. What if the user calls
+mwifiex_cfg80211_dump_survey() before the data has been filled in.
+Also the mwifiex_update_chan_statistics() function doesn't necessarily
+initialize the whole array. Since the array was not initialized at
+the start that could result in an information leak.
+
+Also this array is pretty small. It's a maximum of 900 bytes so it's
+more appropriate to use kcalloc() instead vmalloc().
+
+Cc: stable@vger.kernel.org
+Fixes: bf35443314ac ("mwifiex: channel statistics support for mwifiex")
+Suggested-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/20250815023055.477719-1-rongqianfeng@vivo.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +++--
+ drivers/net/wireless/marvell/mwifiex/main.c | 4 ++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+@@ -4316,8 +4316,9 @@ int mwifiex_init_channel_scan_gap(struct
+ * additional active scan request for hidden SSIDs on passive channels.
+ */
+ adapter->num_in_chan_stats = 2 * (n_channels_bg + n_channels_a);
+- adapter->chan_stats = vmalloc(array_size(sizeof(*adapter->chan_stats),
+- adapter->num_in_chan_stats));
++ adapter->chan_stats = kcalloc(adapter->num_in_chan_stats,
++ sizeof(*adapter->chan_stats),
++ GFP_KERNEL);
+
+ if (!adapter->chan_stats)
+ return -ENOMEM;
+--- a/drivers/net/wireless/marvell/mwifiex/main.c
++++ b/drivers/net/wireless/marvell/mwifiex/main.c
+@@ -664,7 +664,7 @@ static int _mwifiex_fw_dpc(const struct
+ goto done;
+
+ err_add_intf:
+- vfree(adapter->chan_stats);
++ kfree(adapter->chan_stats);
+ err_init_chan_scan:
+ wiphy_unregister(adapter->wiphy);
+ wiphy_free(adapter->wiphy);
+@@ -1486,7 +1486,7 @@ static void mwifiex_uninit_sw(struct mwi
+ wiphy_free(adapter->wiphy);
+ adapter->wiphy = NULL;
+
+- vfree(adapter->chan_stats);
++ kfree(adapter->chan_stats);
+ mwifiex_free_cmd_buffers(adapter);
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
