--- /dev/null
+From 5ddb8014261137cadaf83ab5617a588d80a22586 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Fri, 10 Apr 2026 15:29:52 -0400
+Subject: Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 5ddb8014261137cadaf83ab5617a588d80a22586 upstream.
+
+hci_le_create_big_complete_evt() iterates over BT_BOUND connections for
+a BIG handle using a while loop, accessing ev->bis_handle[i++] on each
+iteration. However, there is no check that i stays within ev->num_bis
+before the array access.
+
+When a controller sends a LE_Create_BIG_Complete event with fewer
+bis_handle entries than there are BT_BOUND connections for that BIG,
+or with num_bis=0, the loop reads beyond the valid bis_handle[] flex
+array into adjacent heap memory. Since the out-of-bounds values
+typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle()
+rejects them and the connection remains in BT_BOUND state. The same
+connection is then found again by hci_conn_hash_lookup_big_state(),
+creating an infinite loop with hci_dev_lock held.
+
+Fix this by terminating the BIG if in case not all BIS could be setup
+properly.
+
+Fixes: a0bfde167b50 ("Bluetooth: ISO: Add support for connecting multiple BISes")
+Cc: stable@vger.kernel.org
+Signed-off-by: ZhiTao Ou <hkbinbinbin@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_event.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -6874,9 +6874,29 @@ static void hci_le_create_big_complete_e
+ continue;
+ }
+
++ if (ev->num_bis <= i) {
++ bt_dev_err(hdev,
++ "Not enough BIS handles for BIG 0x%2.2x",
++ ev->handle);
++ ev->status = HCI_ERROR_UNSPECIFIED;
++ hci_connect_cfm(conn, ev->status);
++ hci_conn_del(conn);
++ continue;
++ }
++
+ if (hci_conn_set_handle(conn,
+- __le16_to_cpu(ev->bis_handle[i++])))
++ __le16_to_cpu(ev->bis_handle[i++]))) {
++ bt_dev_err(hdev,
++ "Failed to set BIS handle for BIG 0x%2.2x",
++ ev->handle);
++ /* Force error so BIG gets terminated as not all BIS
++ * could be connected.
++ */
++ ev->status = HCI_ERROR_UNSPECIFIED;
++ hci_connect_cfm(conn, ev->status);
++ hci_conn_del(conn);
+ continue;
++ }
+
+ conn->state = BT_CONNECTED;
+ set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
+@@ -6885,7 +6905,10 @@ static void hci_le_create_big_complete_e
+ hci_iso_setup_path(conn);
+ }
+
+- if (!ev->status && !i)
++ /* If there is an unexpected error or if no BISes have been connected
++ * for the BIG, terminate it.
++ */
++ if (ev->status == HCI_ERROR_UNSPECIFIED || (!ev->status && !i))
+ /* If no BISes have been connected for the BIG,
+ * terminate. This is in case all bound connections
+ * have been closed before the BIG creation
--- /dev/null
+From 0a120d96166301d7a95be75b52f843837dbd1219 Mon Sep 17 00:00:00 2001
+From: Siwei Zhang <oss@fourdim.xyz>
+Date: Wed, 15 Apr 2026 16:49:59 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
+
+From: Siwei Zhang <oss@fourdim.xyz>
+
+commit 0a120d96166301d7a95be75b52f843837dbd1219 upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 80808e431e1e ("Bluetooth: Add l2cap_chan_ops abstraction")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1464,6 +1464,9 @@ static struct l2cap_chan *l2cap_sock_new
+ {
+ struct sock *sk, *parent = chan->data;
+
++ if (!parent)
++ return NULL;
++
+ lock_sock(parent);
+
+ /* Check for backlog size */
--- /dev/null
+From 2ff1a41a912de8517b4482e946dd951b7d80edbf Mon Sep 17 00:00:00 2001
+From: Siwei Zhang <oss@fourdim.xyz>
+Date: Wed, 15 Apr 2026 16:51:36 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
+
+From: Siwei Zhang <oss@fourdim.xyz>
+
+commit 2ff1a41a912de8517b4482e946dd951b7d80edbf upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 89bc500e41fc ("Bluetooth: Add state tracking to struct l2cap_chan")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1627,6 +1627,9 @@ static void l2cap_sock_state_change_cb(s
+ {
+ struct sock *sk = chan->data;
+
++ if (!sk)
++ return;
++
+ sk->sk_state = state;
+
+ if (err)
--- /dev/null
+From 21bd244b6de5d2fe1063c23acc93fbdd2b20d112 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Tue, 21 Apr 2026 13:08:44 -0400
+Subject: Bluetooth: virtio_bt: clamp rx length before skb_put
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 21bd244b6de5d2fe1063c23acc93fbdd2b20d112 upstream.
+
+virtbt_rx_work() calls skb_put(skb, len) where len comes directly
+from virtqueue_get_buf() with no validation against the buffer we
+posted to the device. The RX skb is allocated in virtbt_add_inbuf()
+and exposed to virtio as exactly 1000 bytes via sg_init_one().
+
+Checking len against skb_tailroom(skb) is not sufficient because
+alloc_skb() can leave more tailroom than the 1000 bytes actually
+handed to the device. A malicious or buggy backend can therefore
+report used.len between 1001 and skb_tailroom(skb), causing skb_put()
+to include uninitialized kernel heap bytes that were never written by
+the device.
+
+The same path also accepts len == 0, in which case skb_put(skb, 0)
+leaves the skb empty but virtbt_rx_handle() still reads the pkt_type
+byte from skb->data, consuming uninitialized memory.
+
+Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and
+sg_init_one(), and gate virtbt_rx_work() on that same constant so
+the bound checked matches the buffer actually exposed to the device.
+Reject used.len == 0 in the same gate so an empty completion can
+no longer reach virtbt_rx_handle().
+
+Use bt_dev_err_ratelimited() because the length value comes from an
+untrusted backend that can otherwise flood the kernel log.
+
+Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
+overflow in USB transport layer"), which hardened the USB 9p
+transport against unchecked device-reported length.
+
+Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length")
+Cc: stable@vger.kernel.org
+Cc: Soenke Huster <soenke.huster@eknoes.de>
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/virtio_bt.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/bluetooth/virtio_bt.c
++++ b/drivers/bluetooth/virtio_bt.c
+@@ -12,6 +12,7 @@
+ #include <net/bluetooth/hci_core.h>
+
+ #define VERSION "0.1"
++#define VIRTBT_RX_BUF_SIZE 1000
+
+ enum {
+ VIRTBT_VQ_TX,
+@@ -33,11 +34,11 @@ static int virtbt_add_inbuf(struct virti
+ struct sk_buff *skb;
+ int err;
+
+- skb = alloc_skb(1000, GFP_KERNEL);
++ skb = alloc_skb(VIRTBT_RX_BUF_SIZE, GFP_KERNEL);
+ if (!skb)
+ return -ENOMEM;
+
+- sg_init_one(sg, skb->data, 1000);
++ sg_init_one(sg, skb->data, VIRTBT_RX_BUF_SIZE);
+
+ err = virtqueue_add_inbuf(vq, sg, 1, skb, GFP_KERNEL);
+ if (err < 0) {
+@@ -227,8 +228,15 @@ static void virtbt_rx_work(struct work_s
+ if (!skb)
+ return;
+
+- skb_put(skb, len);
+- virtbt_rx_handle(vbt, skb);
++ if (!len || len > VIRTBT_RX_BUF_SIZE) {
++ bt_dev_err_ratelimited(vbt->hdev,
++ "rx reply len %u outside [1, %u]\n",
++ len, VIRTBT_RX_BUF_SIZE);
++ kfree_skb(skb);
++ } else {
++ skb_put(skb, len);
++ virtbt_rx_handle(vbt, skb);
++ }
+
+ if (virtbt_add_inbuf(vbt) < 0)
+ return;
--- /dev/null
+From daf23014e5d975e72ea9c02b5160d3fcf070ea47 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Tue, 21 Apr 2026 13:08:45 -0400
+Subject: Bluetooth: virtio_bt: validate rx pkt_type header length
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit daf23014e5d975e72ea9c02b5160d3fcf070ea47 upstream.
+
+virtbt_rx_handle() reads the leading pkt_type byte from the RX skb
+and forwards the remainder to hci_recv_frame() for every
+event/ACL/SCO/ISO type, without checking that the remaining payload
+is at least the fixed HCI header for that type.
+
+After the preceding patch bounds the backend-supplied used.len to
+[1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches
+hci_recv_frame() with skb->len already pulled to 0. If the byte
+happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification
+fast-path in hci_dev_classify_pkt_type() dereferences
+hci_acl_hdr(skb)->handle whenever the HCI device has an active
+CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of
+uninitialized RX-buffer data. The same hazard exists for every
+packet type the driver accepts because none of the switch cases in
+virtbt_rx_handle() check skb->len against the per-type minimum HCI
+header size before handing the frame to the core.
+
+After stripping pkt_type, require skb->len to cover the fixed
+header size for the selected type (event 2, ACL 4, SCO 3, ISO 4)
+before calling hci_recv_frame(); drop ratelimited otherwise.
+Unknown pkt_type values still take the original kfree_skb() default
+path.
+
+Use bt_dev_err_ratelimited() because both the length and pkt_type
+values come from an untrusted backend that can otherwise flood the
+kernel log.
+
+Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length")
+Cc: stable@vger.kernel.org
+Cc: Soenke Huster <soenke.huster@eknoes.de>
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/virtio_bt.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+--- a/drivers/bluetooth/virtio_bt.c
++++ b/drivers/bluetooth/virtio_bt.c
+@@ -198,6 +198,7 @@ static int virtbt_shutdown_generic(struc
+
+ static void virtbt_rx_handle(struct virtio_bluetooth *vbt, struct sk_buff *skb)
+ {
++ size_t min_hdr;
+ __u8 pkt_type;
+
+ pkt_type = *((__u8 *) skb->data);
+@@ -205,16 +206,32 @@ static void virtbt_rx_handle(struct virt
+
+ switch (pkt_type) {
+ case HCI_EVENT_PKT:
++ min_hdr = sizeof(struct hci_event_hdr);
++ break;
+ case HCI_ACLDATA_PKT:
++ min_hdr = sizeof(struct hci_acl_hdr);
++ break;
+ case HCI_SCODATA_PKT:
++ min_hdr = sizeof(struct hci_sco_hdr);
++ break;
+ case HCI_ISODATA_PKT:
+- hci_skb_pkt_type(skb) = pkt_type;
+- hci_recv_frame(vbt->hdev, skb);
++ min_hdr = sizeof(struct hci_iso_hdr);
+ break;
+ default:
+ kfree_skb(skb);
+- break;
++ return;
+ }
++
++ if (skb->len < min_hdr) {
++ bt_dev_err_ratelimited(vbt->hdev,
++ "rx pkt_type 0x%02x payload %u < hdr %zu\n",
++ pkt_type, skb->len, min_hdr);
++ kfree_skb(skb);
++ return;
++ }
++
++ hci_skb_pkt_type(skb) = pkt_type;
++ hci_recv_frame(vbt->hdev, skb);
+ }
+
+ static void virtbt_rx_work(struct work_struct *work)
--- /dev/null
+From bc0fcb9823cd0894934cf968b525c575833d7078 Mon Sep 17 00:00:00 2001
+From: Yilin Zhu <zylzyl2333@gmail.com>
+Date: Sun, 12 Apr 2026 13:07:54 +0800
+Subject: ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
+
+From: Yilin Zhu <zylzyl2333@gmail.com>
+
+commit bc0fcb9823cd0894934cf968b525c575833d7078 upstream.
+
+xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not
+already have a dst attached. ip6_route_input_lookup() returns a
+referenced dst entry even when the lookup resolves to an error route.
+
+If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching
+the dst to the skb and without releasing the reference returned by the
+lookup. Repeated packets hitting this path therefore leak dst entries.
+
+Release the dst before jumping to the drop path.
+
+Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
+Cc: stable@kernel.org
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ruide Cao <caoruide123@gmail.com>
+Signed-off-by: Yilin Zhu <zylzyl2333@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/xfrm6_protocol.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/xfrm6_protocol.c
++++ b/net/ipv6/xfrm6_protocol.c
+@@ -88,8 +88,10 @@ int xfrm6_rcv_encap(struct sk_buff *skb,
+
+ dst = ip6_route_input_lookup(dev_net(skb->dev), skb->dev, &fl6,
+ skb, flags);
+- if (dst->error)
++ if (dst->error) {
++ dst_release(dst);
+ goto drop;
++ }
+ skb_dst_set(skb, dst);
+ }
+
--- /dev/null
+From 1e5a8eed7821e7a43a31b4c1b3675a91be6bc6f6 Mon Sep 17 00:00:00 2001
+From: David Windsor <dwindsor@gmail.com>
+Date: Sun, 26 Apr 2026 19:23:49 -0400
+Subject: selinux: don't reserve xattr slot when we won't fill it
+
+From: David Windsor <dwindsor@gmail.com>
+
+commit 1e5a8eed7821e7a43a31b4c1b3675a91be6bc6f6 upstream.
+
+Move lsm_get_xattr_slot() below the SBLABEL_MNT check so we don't leave
+a NULL-named slot in the array when returning -EOPNOTSUPP; filesystem
+initxattrs() callbacks stop iterating at the first NULL ->name, silently
+dropping xattrs installed by later LSMs.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: David Windsor <dwindsor@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/hooks.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -2903,7 +2903,7 @@ static int selinux_inode_init_security(s
+ {
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
+ struct superblock_security_struct *sbsec;
+- struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
++ struct xattr *xattr;
+ u32 newsid, clen;
+ int rc;
+ char *context;
+@@ -2930,6 +2930,7 @@ static int selinux_inode_init_security(s
+ !(sbsec->flags & SBLABEL_MNT))
+ return -EOPNOTSUPP;
+
++ xattr = lsm_get_xattr_slot(xattrs, xattr_count);
+ if (xattr) {
+ rc = security_sid_to_context_force(newsid,
+ &context, &clen);
--- /dev/null
+From 19cfa0099024bb9cd40f6d950caa7f47ff8e77f6 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+Date: Tue, 5 May 2026 08:49:49 -0400
+Subject: selinux: prune /sys/fs/selinux/disable
+
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+
+commit 19cfa0099024bb9cd40f6d950caa7f47ff8e77f6 upstream.
+
+Commit f22f9aaf6c3d ("selinux: remove the runtime disable
+functionality") removed the underlying SELinux runtime disable
+functionality but left everything else intact and started logging an
+error message to warn any residual users.
+
+Prune it to just log an error message once and to return count
+(i.e. all bytes written successfully) to avoid breaking
+userspace. This also fixes a local DoS from logspam.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/selinuxfs.c | 36 +++++++-----------------------------
+ 1 file changed, 7 insertions(+), 29 deletions(-)
+
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -272,35 +272,13 @@ static ssize_t sel_write_disable(struct
+ size_t count, loff_t *ppos)
+
+ {
+- char *page;
+- ssize_t length;
+- int new_value;
+-
+- if (count >= PAGE_SIZE)
+- return -ENOMEM;
+-
+- /* No partial writes. */
+- if (*ppos != 0)
+- return -EINVAL;
+-
+- page = memdup_user_nul(buf, count);
+- if (IS_ERR(page))
+- return PTR_ERR(page);
+-
+- if (sscanf(page, "%d", &new_value) != 1) {
+- length = -EINVAL;
+- goto out;
+- }
+- length = count;
+-
+- if (new_value) {
+- pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n");
+- pr_err("SELinux: Runtime disable is not supported, use selinux=0 on the kernel cmdline.\n");
+- }
+-
+-out:
+- kfree(page);
+- return length;
++ /*
++ * Setting disable is no longer supported, see
++ * https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable
++ */
++ pr_err_once("SELinux: %s (%d) wrote to disable. This is no longer supported.\n",
++ current->comm, current->pid);
++ return count;
+ }
+
+ static const struct file_operations sel_disable_ops = {
--- /dev/null
+From 868f31e4061eca8c3cd607d79d954d5e54f204aa Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+Date: Thu, 30 Apr 2026 14:36:52 -0400
+Subject: selinux: shrink critical section in sel_write_load()
+
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+
+commit 868f31e4061eca8c3cd607d79d954d5e54f204aa upstream.
+
+Currently sel_write_load() takes the policy mutex earlier than
+necessary. Move the taking of the mutex later. This avoids
+holding it unnecessarily across the vmalloc() and copy_from_user()
+of the policy data.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/selinuxfs.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -594,34 +594,31 @@ static ssize_t sel_write_load(struct fil
+ if (!count)
+ return -EINVAL;
+
+- mutex_lock(&selinux_state.policy_mutex);
+-
+ length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
+ SECCLASS_SECURITY, SECURITY__LOAD_POLICY, NULL);
+ if (length)
+- goto out;
++ return length;
+
+ data = vmalloc(count);
+- if (!data) {
+- length = -ENOMEM;
+- goto out;
+- }
++ if (!data)
++ return -ENOMEM;
+ if (copy_from_user(data, buf, count) != 0) {
+ length = -EFAULT;
+ goto out;
+ }
+
++ mutex_lock(&selinux_state.policy_mutex);
+ length = security_load_policy(data, count, &load_state);
+ if (length) {
+ pr_warn_ratelimited("SELinux: failed to load policy\n");
+- goto out;
++ goto out_unlock;
+ }
+ fsi = file_inode(file)->i_sb->s_fs_info;
+ length = sel_make_policy_nodes(fsi, load_state.policy);
+ if (length) {
+ pr_warn_ratelimited("SELinux: failed to initialize selinuxfs\n");
+ selinux_policy_cancel(&load_state);
+- goto out;
++ goto out_unlock;
+ }
+
+ selinux_policy_commit(&load_state);
+@@ -631,8 +628,9 @@ static ssize_t sel_write_load(struct fil
+ from_kuid(&init_user_ns, audit_get_loginuid(current)),
+ audit_get_sessionid(current));
+
+-out:
++out_unlock:
+ mutex_unlock(&selinux_state.policy_mutex);
++out:
+ vfree(data);
+ return length;
+ }
usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch
alsa-firewire-tascam-do-not-drop-unread-control-events.patch
powerpc-kdump-fix-kasan-sanitization-flag-for-core_-bits-.o.patch
+xfrm-provide-message-size-for-xfrm_msg_mapping.patch
+ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch
+selinux-don-t-reserve-xattr-slot-when-we-won-t-fill-it.patch
+selinux-shrink-critical-section-in-sel_write_load.patch
+selinux-prune-sys-fs-selinux-disable.patch
+bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch
+bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch
+bluetooth-hci_event-fix-oob-read-and-infinite-loop-in-hci_le_create_big_complete_evt.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch
+spi-zynqmp-gqspi-fix-controller-deregistration.patch
+spi-s3c64xx-fix-null-deref-on-driver-unbind.patch
+staging-vme_user-fix-root-device-leak-on-init-failure.patch
--- /dev/null
+From 45daacbead8a009844bd5dba6cfa731332184d17 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 11:49:25 +0200
+Subject: spi: s3c64xx: fix NULL-deref on driver unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 45daacbead8a009844bd5dba6cfa731332184d17 upstream.
+
+A change moving DMA channel allocation from probe() back to
+s3c64xx_spi_prepare_transfer() failed to remove the corresponding
+deallocation from remove().
+
+Drop the bogus DMA channel release from remove() to avoid triggering a
+NULL-pointer dereference on driver unbind.
+
+This issue was flagged by Sashiko when reviewing a controller
+deregistration fix.
+
+Fixes: f52b03c70744 ("spi: s3c64xx: requests spi-dma channel only during data transfer")
+Cc: stable@vger.kernel.org # 6.0
+Cc: Adithya K V <adithya.kv@samsung.com>
+Link: https://sashiko.dev/#/patchset/20260410081757.503099-1-johan%40kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410094925.518343-1-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-s3c64xx.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/spi/spi-s3c64xx.c
++++ b/drivers/spi/spi-s3c64xx.c
+@@ -1338,11 +1338,6 @@ static void s3c64xx_spi_remove(struct pl
+
+ writel(0, sdd->regs + S3C64XX_SPI_INT_EN);
+
+- if (!is_polling(sdd)) {
+- dma_release_channel(sdd->rx_dma.ch);
+- dma_release_channel(sdd->tx_dma.ch);
+- }
+-
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+ pm_runtime_set_suspended(&pdev->dev);
--- /dev/null
+From 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:55 +0200
+Subject: spi: zynqmp-gqspi: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks during driver unbind.
+
+Fixes: dfe11a11d523 ("spi: Add support for Zynq Ultrascale+ MPSoC GQSPI controller")
+Cc: stable@vger.kernel.org # 4.2: 64640f6c972e
+Cc: stable@vger.kernel.org # 4.2
+Cc: Ranjit Waghmode <ranjit.waghmode@xilinx.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-26-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-zynqmp-gqspi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-zynqmp-gqspi.c
++++ b/drivers/spi/spi-zynqmp-gqspi.c
+@@ -1324,7 +1324,7 @@ static int zynqmp_qspi_probe(struct plat
+ ctlr->dev.of_node = np;
+ ctlr->auto_runtime_pm = true;
+
+- ret = devm_spi_register_controller(&pdev->dev, ctlr);
++ ret = spi_register_controller(ctlr);
+ if (ret) {
+ dev_err(&pdev->dev, "spi_register_controller failed\n");
+ goto clk_dis_all;
+@@ -1365,6 +1365,8 @@ static void zynqmp_qspi_remove(struct pl
+
+ pm_runtime_get_sync(&pdev->dev);
+
++ spi_unregister_controller(xqspi->ctlr);
++
+ zynqmp_gqspi_write(xqspi, GQSPI_EN_OFST, 0x0);
+
+ pm_runtime_disable(&pdev->dev);
--- /dev/null
+From 32c91e8ee039777d0b95b914633fc6a42607959c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 24 Apr 2026 12:49:10 +0200
+Subject: staging: vme_user: fix root device leak on init failure
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 32c91e8ee039777d0b95b914633fc6a42607959c upstream.
+
+Make sure to deregister and free the root device in case module
+initialisation fails.
+
+Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
+Cc: stable@vger.kernel.org # 4.9
+Cc: Martyn Welch <martyn@welchs.me.uk>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260424104910.2619349-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/vme_user/vme_fake.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/vme_user/vme_fake.c
++++ b/drivers/staging/vme_user/vme_fake.c
+@@ -1235,6 +1235,8 @@ err_master:
+ err_driver:
+ kfree(fake_bridge);
+ err_struct:
++ root_device_unregister(vme_root);
++
+ return retval;
+ }
+
--- /dev/null
+From 28465227c80fe417b4013c432be1f3737cb9f9a3 Mon Sep 17 00:00:00 2001
+From: Ruijie Li <ruijieli51@gmail.com>
+Date: Wed, 29 Apr 2026 00:41:43 +0800
+Subject: xfrm: provide message size for XFRM_MSG_MAPPING
+
+From: Ruijie Li <ruijieli51@gmail.com>
+
+commit 28465227c80fe417b4013c432be1f3737cb9f9a3 upstream.
+
+The compat 64=>32 translation path handles XFRM_MSG_MAPPING, but
+xfrm_msg_min[] does not provide the native payload size for this
+message type.
+
+Add the missing XFRM_MSG_MAPPING entry so compat translation can size
+and translate mapping notifications correctly.
+
+Fixes: 5461fc0c8d9f ("xfrm/compat: Add 64=>32-bit messages translator")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Ruijie Li <ruijieli51@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -3015,6 +3015,7 @@ const int xfrm_msg_min[XFRM_NR_MSGTYPES]
+ [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = sizeof(u32),
+ [XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
+ [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
++ [XFRM_MSG_MAPPING - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_mapping),
+ [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
+ [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
+ };
projects / thirdparty / kernel / stable-queue.git / commitdiff
