6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 9 Mar 2025 19:04:31 +0000 (20:04 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 9 Mar 2025 19:04:31 +0000 (20:04 +0100)
added patches:
block-fix-conversion-of-gpt-partition-name-to-7-bit.patch
bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_device_connected.patch
bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_remote_name.patch
dma-kmsan-export-kmsan_handle_dma-for-modules.patch
mm-don-t-skip-arch_sync_kernel_mappings-in-error-paths.patch
mm-page_alloc-fix-uninitialized-variable.patch
nfs-fix-nfs_release_folio-to-not-deadlock-via-kcompactd-writeback.patch
rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_net.patch
rapidio-fix-an-api-misues-when-rio_add_net-fails.patch
s390-traps-fix-test_monitor_call-inline-assembly.patch
wifi-cfg80211-regulatory-improve-invalid-hints-checking.patch
wifi-nl80211-reject-cooked-mode-if-it-is-set-along-with-other-flags.patch

13 files changed:
queue-6.6/block-fix-conversion-of-gpt-partition-name-to-7-bit.patch [new file with mode: 0644]
queue-6.6/bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_device_connected.patch [new file with mode: 0644]
queue-6.6/bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_remote_name.patch [new file with mode: 0644]
queue-6.6/dma-kmsan-export-kmsan_handle_dma-for-modules.patch [new file with mode: 0644]
queue-6.6/mm-don-t-skip-arch_sync_kernel_mappings-in-error-paths.patch [new file with mode: 0644]
queue-6.6/mm-page_alloc-fix-uninitialized-variable.patch [new file with mode: 0644]
queue-6.6/nfs-fix-nfs_release_folio-to-not-deadlock-via-kcompactd-writeback.patch [new file with mode: 0644]
queue-6.6/rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_net.patch [new file with mode: 0644]
queue-6.6/rapidio-fix-an-api-misues-when-rio_add_net-fails.patch [new file with mode: 0644]
queue-6.6/s390-traps-fix-test_monitor_call-inline-assembly.patch [new file with mode: 0644]
queue-6.6/series
queue-6.6/wifi-cfg80211-regulatory-improve-invalid-hints-checking.patch [new file with mode: 0644]
queue-6.6/wifi-nl80211-reject-cooked-mode-if-it-is-set-along-with-other-flags.patch [new file with mode: 0644]

diff --git a/queue-6.6/block-fix-conversion-of-gpt-partition-name-to-7-bit.patch b/queue-6.6/block-fix-conversion-of-gpt-partition-name-to-7-bit.patch
new file mode 100644 (file)
index 0000000..510d7d2
--- /dev/null
@@ -0,0 +1,74 @@
+From e06472bab2a5393430cc2fbc3211cd3602422c1e Mon Sep 17 00:00:00 2001
+From: Olivier Gayot <olivier.gayot@canonical.com>
+Date: Wed, 5 Mar 2025 10:21:54 +0800
+Subject: block: fix conversion of GPT partition name to 7-bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Olivier Gayot <olivier.gayot@canonical.com>
+
+commit e06472bab2a5393430cc2fbc3211cd3602422c1e upstream.
+
+The utf16_le_to_7bit function claims to, naively, convert a UTF-16
+string to a 7-bit ASCII string. By naively, we mean that it:
+ * drops the first byte of every character in the original UTF-16 string
+ * checks if all characters are printable, and otherwise replaces them
+   by exclamation mark "!".
+
+This means that theoretically, all characters outside the 7-bit ASCII
+range should be replaced by another character. Examples:
+
+ * lower-case alpha (ɒ) 0x0252 becomes 0x52 (R)
+ * ligature OE (œ) 0x0153 becomes 0x53 (S)
+ * hangul letter pieup (ㅂ) 0x3142 becomes 0x42 (B)
+ * upper-case gamma (Ɣ) 0x0194 becomes 0x94 (not printable) so gets
+   replaced by "!"
+
+The result of this conversion for the GPT partition name is passed to
+user-space as PARTNAME via udev, which is confusing and feels questionable.
+
+However, there is a flaw in the conversion function itself. By dropping
+one byte of each character and using isprint() to check if the remaining
+byte corresponds to a printable character, we do not actually guarantee
+that the resulting character is 7-bit ASCII.
+
+This happens because we pass 8-bit characters to isprint(), which
+in the kernel returns 1 for many values > 0x7f - as defined in ctype.c.
+
+This results in many values which should be replaced by "!" to be kept
+as-is, despite not being valid 7-bit ASCII. Examples:
+
+ * e with acute accent (é) 0x00E9 becomes 0xE9 - kept as-is because
+   isprint(0xE9) returns 1.
+ * euro sign (€) 0x20AC becomes 0xAC - kept as-is because isprint(0xAC)
+   returns 1.
+
+This way has broken pyudev utility[1], fixes it by using a mask of 7 bits
+instead of 8 bits before calling isprint.
+
+Link: https://github.com/pyudev/pyudev/issues/490#issuecomment-2685794648 [1]
+Link: https://lore.kernel.org/linux-block/4cac90c2-e414-4ebb-ae62-2a4589d9dc6e@canonical.com/
+Cc: Mulhern <amulhern@redhat.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Olivier Gayot <olivier.gayot@canonical.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20250305022154.3903128-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/partitions/efi.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/partitions/efi.c
++++ b/block/partitions/efi.c
+@@ -682,7 +682,7 @@ static void utf16_le_to_7bit(const __le1
+       out[size] = 0;
+       while (i < size) {
+-              u8 c = le16_to_cpu(in[i]) & 0xff;
++              u8 c = le16_to_cpu(in[i]) & 0x7f;
+               if (c && !isprint(c))
+                       c = '!';
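Review bot: Masking with 0x7f guarantees a 7-bit byte but also aliases every code point with the same low seven bits: U+00E9 (é) becomes 0x69 ('i') and U+0100 (Ā) becomes 0x00, neither of which is the '!' the commit message says non-ASCII input should turn into. Because `c && !isprint(c)` lets a zero through unchanged, a character masked to zero presumably ends up stored as a NUL inside the name and truncates PARTNAME silently; the 0xff mask already had that effect for multiples of 0x100, the 0x7f mask extends it to every multiple of 0x80 (the store and the rest of the loop are outside the hunk, so this is inferred). Testing the unmasked 16-bit value keeps the NUL padding as a terminator while replacing input that collapses to zero: `u16 w = le16_to_cpu(in[i]);`, `u8 c = w & 0x7f;`, `if (w && (!c || !isprint(c))) c = '!';`. A one-line comment that kernel isprint() accepts bytes above 0x7f, so the mask rather than isprint() has to bound the output, would also stop the 0xff form from coming back. utf16_le_to_7bit starts and ends outside the hunk.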
diff --git a/queue-6.6/bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_device_connected.patch b/queue-6.6/bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_device_connected.patch
new file mode 100644 (file)
index 0000000..5b50796
--- /dev/null
@@ -0,0 +1,33 @@
+From d8df010f72b8a32aaea393e36121738bb53ed905 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Fri, 21 Feb 2025 16:58:01 +0800
+Subject: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit d8df010f72b8a32aaea393e36121738bb53ed905 upstream.
+
+Add check for the return value of mgmt_alloc_skb() in
+mgmt_device_connected() to prevent null pointer dereference.
+
+Fixes: e96741437ef0 ("Bluetooth: mgmt: Make use of mgmt_send_event_skb in MGMT_EV_DEVICE_CONNECTED")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/mgmt.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -9679,6 +9679,9 @@ void mgmt_device_connected(struct hci_de
+                                    sizeof(*ev) + (name ? eir_precalc_len(name_len) : 0) +
+                                    eir_precalc_len(sizeof(conn->dev_class)));
++      if (!skb)
++              return;
++
+       ev = skb_put(skb, sizeof(*ev));
+       bacpy(&ev->addr.bdaddr, &conn->dst);
+       ev->addr.type = link_to_bdaddr(conn->type, conn->dst_type);
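Review bot: The new `if (!skb) return;` drops the DEVICE_CONNECTED event silently, with no diagnostic and no unwinding of whatever state the function set up before the allocation; the start of mgmt_device_connected() is outside the hunk, and if it has already flagged the connection as reported to mgmt, that flag now stays set while user space never sees the event. A one-line `bt_dev_err(hdev, "failed to allocate DEVICE_CONNECTED skb");` before the return, or at least a comment stating that dropping the event is the intended failure mode, would make the path visible in logs. The same applies to the mgmt_remote_name() hunk that follows: its `if (!skb) return;` loses the DEVICE_FOUND name update without a trace.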
diff --git a/queue-6.6/bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_remote_name.patch b/queue-6.6/bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_remote_name.patch
new file mode 100644 (file)
index 0000000..3879318
--- /dev/null
@@ -0,0 +1,32 @@
+From f2176a07e7b19f73e05c805cf3d130a2999154cb Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Fri, 21 Feb 2025 16:49:47 +0800
+Subject: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit f2176a07e7b19f73e05c805cf3d130a2999154cb upstream.
+
+Add check for the return value of mgmt_alloc_skb() in
+mgmt_remote_name() to prevent null pointer dereference.
+
+Fixes: ba17bb62ce41 ("Bluetooth: Fix skb allocation in mgmt_remote_name() & mgmt_device_connected()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/mgmt.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -10443,6 +10443,8 @@ void mgmt_remote_name(struct hci_dev *hd
+       skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND,
+                            sizeof(*ev) + (name ? eir_precalc_len(name_len) : 0));
++      if (!skb)
++              return;
+       ev = skb_put(skb, sizeof(*ev));
+       bacpy(&ev->addr.bdaddr, bdaddr);
diff --git a/queue-6.6/dma-kmsan-export-kmsan_handle_dma-for-modules.patch b/queue-6.6/dma-kmsan-export-kmsan_handle_dma-for-modules.patch
new file mode 100644 (file)
index 0000000..26db794
--- /dev/null
@@ -0,0 +1,42 @@
+From 19fac3c93991502a22c5132824c40b6a2e64b136 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Tue, 18 Feb 2025 10:14:11 +0100
+Subject: dma: kmsan: export kmsan_handle_dma() for modules
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+commit 19fac3c93991502a22c5132824c40b6a2e64b136 upstream.
+
+kmsan_handle_dma() is used by virtio_ring() which can be built as a
+module.  kmsan_handle_dma() needs to be exported otherwise building the
+virtio_ring fails.
+
+Export kmsan_handle_dma for modules.
+
+Link: https://lkml.kernel.org/r/20250218091411.MMS3wBN9@linutronix.de
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202502150634.qjxwSeJR-lkp@intel.com/
+Fixes: 7ade4f10779c ("dma: kmsan: unpoison DMA mappings")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Dmitriy Vyukov <dvyukov@google.com>
+Cc: Macro Elver <elver@google.com>
+Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kmsan/hooks.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/kmsan/hooks.c
++++ b/mm/kmsan/hooks.c
+@@ -346,6 +346,7 @@ void kmsan_handle_dma(struct page *page,
+               size -= to_go;
+       }
+ }
++EXPORT_SYMBOL_GPL(kmsan_handle_dma);
+ void kmsan_handle_dma_sg(struct scatterlist *sg, int nents,
+                        enum dma_data_direction dir)
diff --git a/queue-6.6/mm-don-t-skip-arch_sync_kernel_mappings-in-error-paths.patch b/queue-6.6/mm-don-t-skip-arch_sync_kernel_mappings-in-error-paths.patch
new file mode 100644 (file)
index 0000000..8d2b4ae
--- /dev/null
@@ -0,0 +1,65 @@
+From 3685024edd270f7c791f993157d65d3c928f3d6e Mon Sep 17 00:00:00 2001
+From: Ryan Roberts <ryan.roberts@arm.com>
+Date: Wed, 26 Feb 2025 12:16:09 +0000
+Subject: mm: don't skip arch_sync_kernel_mappings() in error paths
+
+From: Ryan Roberts <ryan.roberts@arm.com>
+
+commit 3685024edd270f7c791f993157d65d3c928f3d6e upstream.
+
+Fix callers that previously skipped calling arch_sync_kernel_mappings() if
+an error occurred during a pgtable update.  The call is still required to
+sync any pgtable updates that may have occurred prior to hitting the error
+condition.
+
+These are theoretical bugs discovered during code review.
+
+Link: https://lkml.kernel.org/r/20250226121610.2401743-1-ryan.roberts@arm.com
+Fixes: 2ba3e6947aed ("mm/vmalloc: track which page-table levels were modified")
+Fixes: 0c95cba49255 ("mm: apply_to_pte_range warn and fail if a large pte is encountered")
+Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Christop Hellwig <hch@infradead.org>
+Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory.c  |    6 ++++--
+ mm/vmalloc.c |    4 ++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -2746,8 +2746,10 @@ static int __apply_to_page_range(struct
+               next = pgd_addr_end(addr, end);
+               if (pgd_none(*pgd) && !create)
+                       continue;
+-              if (WARN_ON_ONCE(pgd_leaf(*pgd)))
+-                      return -EINVAL;
++              if (WARN_ON_ONCE(pgd_leaf(*pgd))) {
++                      err = -EINVAL;
++                      break;
++              }
+               if (!pgd_none(*pgd) && WARN_ON_ONCE(pgd_bad(*pgd))) {
+                       if (!create)
+                               continue;
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -558,13 +558,13 @@ static int vmap_small_pages_range_noflus
+                       mask |= PGTBL_PGD_MODIFIED;
+               err = vmap_pages_p4d_range(pgd, addr, next, prot, pages, &nr, &mask);
+               if (err)
+-                      return err;
++                      break;
+       } while (pgd++, addr = next, addr != end);
+       if (mask & ARCH_PAGE_TABLE_SYNC_MASK)
+               arch_sync_kernel_mappings(start, end);
+-      return 0;
++      return err;
+ }
+ /*
diff --git a/queue-6.6/mm-page_alloc-fix-uninitialized-variable.patch b/queue-6.6/mm-page_alloc-fix-uninitialized-variable.patch
new file mode 100644 (file)
index 0000000..76fc837
--- /dev/null
@@ -0,0 +1,78 @@
+From 8fe9ed44dc29fba0786b7e956d2e87179e407582 Mon Sep 17 00:00:00 2001
+From: Hao Zhang <zhanghao1@kylinos.cn>
+Date: Thu, 27 Feb 2025 11:41:29 +0800
+Subject: mm/page_alloc: fix uninitialized variable
+
+From: Hao Zhang <zhanghao1@kylinos.cn>
+
+commit 8fe9ed44dc29fba0786b7e956d2e87179e407582 upstream.
+
+The variable "compact_result" is not initialized in function
+__alloc_pages_slowpath().  It causes should_compact_retry() to use an
+uninitialized value.
+
+Initialize variable "compact_result" with the value COMPACT_SKIPPED.
+
+BUG: KMSAN: uninit-value in __alloc_pages_slowpath+0xee8/0x16c0 mm/page_alloc.c:4416
+ __alloc_pages_slowpath+0xee8/0x16c0 mm/page_alloc.c:4416
+ __alloc_frozen_pages_noprof+0xa4c/0xe00 mm/page_alloc.c:4752
+ alloc_pages_mpol+0x4cd/0x890 mm/mempolicy.c:2270
+ alloc_frozen_pages_noprof mm/mempolicy.c:2341 [inline]
+ alloc_pages_noprof mm/mempolicy.c:2361 [inline]
+ folio_alloc_noprof+0x1dc/0x350 mm/mempolicy.c:2371
+ filemap_alloc_folio_noprof+0xa6/0x440 mm/filemap.c:1019
+ __filemap_get_folio+0xb9a/0x1840 mm/filemap.c:1970
+ grow_dev_folio fs/buffer.c:1039 [inline]
+ grow_buffers fs/buffer.c:1105 [inline]
+ __getblk_slow fs/buffer.c:1131 [inline]
+ bdev_getblk+0x2c9/0xab0 fs/buffer.c:1431
+ getblk_unmovable include/linux/buffer_head.h:369 [inline]
+ ext4_getblk+0x3b7/0xe50 fs/ext4/inode.c:864
+ ext4_bread_batch+0x9f/0x7d0 fs/ext4/inode.c:933
+ __ext4_find_entry+0x1ebb/0x36c0 fs/ext4/namei.c:1627
+ ext4_lookup_entry fs/ext4/namei.c:1729 [inline]
+ ext4_lookup+0x189/0xb40 fs/ext4/namei.c:1797
+ __lookup_slow+0x538/0x710 fs/namei.c:1793
+ lookup_slow+0x6a/0xd0 fs/namei.c:1810
+ walk_component fs/namei.c:2114 [inline]
+ link_path_walk+0xf29/0x1420 fs/namei.c:2479
+ path_openat+0x30f/0x6250 fs/namei.c:3985
+ do_filp_open+0x268/0x600 fs/namei.c:4016
+ do_sys_openat2+0x1bf/0x2f0 fs/open.c:1428
+ do_sys_open fs/open.c:1443 [inline]
+ __do_sys_openat fs/open.c:1459 [inline]
+ __se_sys_openat fs/open.c:1454 [inline]
+ __x64_sys_openat+0x2a1/0x310 fs/open.c:1454
+ x64_sys_call+0x36f5/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:258
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Local variable compact_result created at:
+ __alloc_pages_slowpath+0x66/0x16c0 mm/page_alloc.c:4218
+ __alloc_frozen_pages_noprof+0xa4c/0xe00 mm/page_alloc.c:4752
+
+Link: https://lkml.kernel.org/r/tencent_ED1032321D6510B145CDBA8CBA0093178E09@qq.com
+Reported-by: syzbot+0cfd5e38e96a5596f2b6@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0cfd5e38e96a5596f2b6
+Signed-off-by: Hao Zhang <zhanghao1@kylinos.cn>
+Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/page_alloc.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -3936,6 +3936,7 @@ __alloc_pages_slowpath(gfp_t gfp_mask, u
+ restart:
+       compaction_retries = 0;
+       no_progress_loops = 0;
++      compact_result = COMPACT_SKIPPED;
+       compact_priority = DEF_COMPACT_PRIORITY;
+       cpuset_mems_cookie = read_mems_allowed_begin();
+       zonelist_iter_cookie = zonelist_iter_begin();
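Review bot: The reset to COMPACT_SKIPPED sits under the `restart:` label with no comment, so a reader cannot tell whether "reset on every restart" or "initialise once" was intended, nor why COMPACT_SKIPPED is the neutral value should_compact_retry() expects. Grouping it with the other per-pass resets (compaction_retries, no_progress_loops) suggests the former; a comment such as `/* no compaction attempted yet on this pass; should_compact_retry() reads this */` would pin that down. The declaration of compact_result and should_compact_retry() are outside the hunk, so the meaning of COMPACT_SKIPPED there is taken from the commit message rather than from visible code.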
diff --git a/queue-6.6/nfs-fix-nfs_release_folio-to-not-deadlock-via-kcompactd-writeback.patch b/queue-6.6/nfs-fix-nfs_release_folio-to-not-deadlock-via-kcompactd-writeback.patch
new file mode 100644 (file)
index 0000000..ea27ec5
--- /dev/null
@@ -0,0 +1,116 @@
+From ce6d9c1c2b5cc785016faa11b48b6cd317eb367e Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@kernel.org>
+Date: Mon, 24 Feb 2025 21:20:02 -0500
+Subject: NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback
+
+From: Mike Snitzer <snitzer@kernel.org>
+
+commit ce6d9c1c2b5cc785016faa11b48b6cd317eb367e upstream.
+
+Add PF_KCOMPACTD flag and current_is_kcompactd() helper to check for it so
+nfs_release_folio() can skip calling nfs_wb_folio() from kcompactd.
+
+Otherwise NFS can deadlock waiting for kcompactd enduced writeback which
+recurses back to NFS (which triggers writeback to NFSD via NFS loopback
+mount on the same host, NFSD blocks waiting for XFS's call to
+__filemap_get_folio):
+
+6070.550357] INFO: task kcompactd0:58 blocked for more than 4435 seconds.
+
+{---
+[58] "kcompactd0"
+[<0>] folio_wait_bit+0xe8/0x200
+[<0>] folio_wait_writeback+0x2b/0x80
+[<0>] nfs_wb_folio+0x80/0x1b0 [nfs]
+[<0>] nfs_release_folio+0x68/0x130 [nfs]
+[<0>] split_huge_page_to_list_to_order+0x362/0x840
+[<0>] migrate_pages_batch+0x43d/0xb90
+[<0>] migrate_pages_sync+0x9a/0x240
+[<0>] migrate_pages+0x93c/0x9f0
+[<0>] compact_zone+0x8e2/0x1030
+[<0>] compact_node+0xdb/0x120
+[<0>] kcompactd+0x121/0x2e0
+[<0>] kthread+0xcf/0x100
+[<0>] ret_from_fork+0x31/0x40
+[<0>] ret_from_fork_asm+0x1a/0x30
+---}
+
+[akpm@linux-foundation.org: fix build]
+Link: https://lkml.kernel.org/r/20250225022002.26141-1-snitzer@kernel.org
+Fixes: 96780ca55e3c ("NFS: fix up nfs_release_folio() to try to release the page")
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Cc: Anna Schumaker <anna.schumaker@oracle.com>
+Cc: Trond Myklebust <trond.myklebust@hammerspace.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/file.c              |    3 ++-
+ include/linux/compaction.h |    5 +++++
+ include/linux/sched.h      |    2 +-
+ mm/compaction.c            |    3 +++
+ 4 files changed, 11 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/file.c
++++ b/fs/nfs/file.c
+@@ -29,6 +29,7 @@
+ #include <linux/pagemap.h>
+ #include <linux/gfp.h>
+ #include <linux/swap.h>
++#include <linux/compaction.h>
+ #include <linux/uaccess.h>
+ #include <linux/filelock.h>
+@@ -450,7 +451,7 @@ static bool nfs_release_folio(struct fol
+       /* If the private flag is set, then the folio is not freeable */
+       if (folio_test_private(folio)) {
+               if ((current_gfp_context(gfp) & GFP_KERNEL) != GFP_KERNEL ||
+-                  current_is_kswapd())
++                  current_is_kswapd() || current_is_kcompactd())
+                       return false;
+               if (nfs_wb_folio(folio_file_mapping(folio)->host, folio) < 0)
+                       return false;
+--- a/include/linux/compaction.h
++++ b/include/linux/compaction.h
+@@ -80,6 +80,11 @@ static inline unsigned long compact_gap(
+       return 2UL << order;
+ }
++static inline int current_is_kcompactd(void)
++{
++      return current->flags & PF_KCOMPACTD;
++}
++
+ #ifdef CONFIG_COMPACTION
+ extern unsigned int extfrag_for_order(struct zone *zone, unsigned int order);
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -1746,7 +1746,7 @@ extern struct pid *cad_pid;
+ #define PF_USED_MATH          0x00002000      /* If unset the fpu must be initialized before use */
+ #define PF_USER_WORKER                0x00004000      /* Kernel thread cloned from userspace thread */
+ #define PF_NOFREEZE           0x00008000      /* This thread should not be frozen */
+-#define PF__HOLE__00010000    0x00010000
++#define PF_KCOMPACTD          0x00010000      /* I am kcompactd */
+ #define PF_KSWAPD             0x00020000      /* I am kswapd */
+ #define PF_MEMALLOC_NOFS      0x00040000      /* All allocation requests will inherit GFP_NOFS */
+ #define PF_MEMALLOC_NOIO      0x00080000      /* All allocation requests will inherit GFP_NOIO */
+--- a/mm/compaction.c
++++ b/mm/compaction.c
+@@ -3050,6 +3050,7 @@ static int kcompactd(void *p)
+       if (!cpumask_empty(cpumask))
+               set_cpus_allowed_ptr(tsk, cpumask);
++      current->flags |= PF_KCOMPACTD;
+       set_freezable();
+       pgdat->kcompactd_max_order = 0;
+@@ -3106,6 +3107,8 @@ static int kcompactd(void *p)
+                       pgdat->proactive_compact_trigger = false;
+       }
++      current->flags &= ~PF_KCOMPACTD;
++
+       return 0;
+ }
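Review bot: The new `current_is_kcompactd()` exclusion in nfs_release_folio() carries no explanation in the code; the reason (kcompactd-driven writeback recursing into NFS over a loopback mount and blocking in folio_wait_writeback) lives only in the commit message. A comment above the condition, e.g. `/* kswapd and kcompactd must not wait on NFS writeback: with a loopback NFS mount it recurses into this filesystem and deadlocks */`, would keep a later cleanup from folding the two checks away. In include/linux/compaction.h, current_is_kcompactd() dereferences `current`, but that header's include list is outside the hunk, so whether it already has the sched.h definition in scope cannot be confirmed here; the "[akpm: fix build]" trailer suggests this was already hit once.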
diff --git a/queue-6.6/rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_net.patch b/queue-6.6/rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_net.patch
new file mode 100644 (file)
index 0000000..f5b9bda
--- /dev/null
@@ -0,0 +1,41 @@
+From e842f9a1edf306bf36fe2a4d847a0b0d458770de Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Thu, 27 Feb 2025 12:11:31 +0800
+Subject: rapidio: add check for rio_add_net() in rio_scan_alloc_net()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit e842f9a1edf306bf36fe2a4d847a0b0d458770de upstream.
+
+The return value of rio_add_net() should be checked.  If it fails,
+put_device() should be called to free the memory and give up the reference
+initialized in rio_add_net().
+
+Link: https://lkml.kernel.org/r/20250227041131.3680761-1-haoxiang_li2024@163.com
+Fixes: e6b585ca6e81 ("rapidio: move net allocation into core code")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Dan Carpenter <dan.carpenter@linaro.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rapidio/rio-scan.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/rapidio/rio-scan.c
++++ b/drivers/rapidio/rio-scan.c
+@@ -871,7 +871,10 @@ static struct rio_net *rio_scan_alloc_ne
+               dev_set_name(&net->dev, "rnet_%d", net->id);
+               net->dev.parent = &mport->dev;
+               net->dev.release = rio_scan_release_dev;
+-              rio_add_net(net);
++              if (rio_add_net(net)) {
++                      put_device(&net->dev);
++                      net = NULL;
++              }
+       }
+       return net;
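Review bot: The error value from rio_add_net() is discarded at `if (rio_add_net(net))`, so the caller sees only a NULL net and nothing is logged, whereas the rio_mport_cdev.c fix in this same series prints the error before giving up. Capturing the return value into a local and emitting a debug message before `put_device(&net->dev)` would keep the two call sites consistent and make a failed scan diagnosable. Note that put_device() is the right release only because rio_add_net() initialises the device (as the commit message states) and `net->dev.release` was set on the line above; if rio_add_net() can fail before device initialisation, that path would need kfree() instead, which cannot be checked from this hunk. rio_scan_alloc_net starts outside the hunk.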
diff --git a/queue-6.6/rapidio-fix-an-api-misues-when-rio_add_net-fails.patch b/queue-6.6/rapidio-fix-an-api-misues-when-rio_add_net-fails.patch
new file mode 100644 (file)
index 0000000..2b5d976
--- /dev/null
@@ -0,0 +1,39 @@
+From b2ef51c74b0171fde7eb69b6152d3d2f743ef269 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Thu, 27 Feb 2025 15:34:09 +0800
+Subject: rapidio: fix an API misues when rio_add_net() fails
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit b2ef51c74b0171fde7eb69b6152d3d2f743ef269 upstream.
+
+rio_add_net() calls device_register() and fails when device_register()
+fails.  Thus, put_device() should be used rather than kfree().  Add
+"mport->net = NULL;" to avoid a use after free issue.
+
+Link: https://lkml.kernel.org/r/20250227073409.3696854-1-haoxiang_li2024@163.com
+Fixes: e8de370188d0 ("rapidio: add mport char device driver")
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Yang Yingliang <yangyingliang@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rapidio/devices/rio_mport_cdev.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/rapidio/devices/rio_mport_cdev.c
++++ b/drivers/rapidio/devices/rio_mport_cdev.c
+@@ -1740,7 +1740,8 @@ static int rio_mport_add_riodev(struct m
+               err = rio_add_net(net);
+               if (err) {
+                       rmcd_debug(RDEV, "failed to register net, err=%d", err);
+-                      kfree(net);
++                      put_device(&net->dev);
++                      mport->net = NULL;
+                       goto cleanup;
+               }
+       }
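Review bot: After `put_device(&net->dev)` the release callback may have freed `net`, yet only `mport->net` is cleared; the local `net` still points at the freed object when execution reaches `cleanup`. The cleanup label is outside the hunk, so whether it touches `net` cannot be confirmed here, but adding `net = NULL;` next to `mport->net = NULL;` would make the goto path safe regardless of what cleanup does later. rio_mport_add_riodev starts and ends outside the hunk.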
diff --git a/queue-6.6/s390-traps-fix-test_monitor_call-inline-assembly.patch b/queue-6.6/s390-traps-fix-test_monitor_call-inline-assembly.patch
new file mode 100644 (file)
index 0000000..62ebed8
--- /dev/null
@@ -0,0 +1,44 @@
+From 5623bc23a1cb9f9a9470fa73b3a20321dc4c4870 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Tue, 25 Feb 2025 10:53:10 +0100
+Subject: s390/traps: Fix test_monitor_call() inline assembly
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+commit 5623bc23a1cb9f9a9470fa73b3a20321dc4c4870 upstream.
+
+The test_monitor_call() inline assembly uses the xgr instruction, which
+also modifies the condition code, to clear a register. However the clobber
+list of the inline assembly does not specify that the condition code is
+modified, which may lead to incorrect code generation.
+
+Use the lhi instruction instead to clear the register without that the
+condition code is modified. Furthermore this limits clearing to the lower
+32 bits of val, since its type is int.
+
+Fixes: 17248ea03674 ("s390: fix __EMIT_BUG() macro")
+Cc: stable@vger.kernel.org
+Reviewed-by: Juergen Christ <jchrist@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/traps.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/kernel/traps.c
++++ b/arch/s390/kernel/traps.c
+@@ -276,10 +276,10 @@ static void __init test_monitor_call(voi
+               return;
+       asm volatile(
+               "       mc      0,0\n"
+-              "0:     xgr     %0,%0\n"
++              "0:     lhi     %[val],0\n"
+               "1:\n"
+-              EX_TABLE(0b,1b)
+-              : "+d" (val));
++              EX_TABLE(0b, 1b)
++              : [val] "+d" (val));
+       if (!val)
+               panic("Monitor call doesn't work!\n");
+ }
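Review bot: The reason for switching from xgr to lhi — xgr sets the condition code, which the asm's clobber list does not declare — is recorded only in the commit message; the asm itself gives a reader no hint that the condition code matters. A comment next to the fixup line, e.g. `"0:     lhi     %[val],0\n" /* lhi does not touch the condition code, so no "cc" clobber is needed */`, would keep the next person from "optimising" it back to an xor. Declaring a "cc" clobber would be the alternative, but the lhi form is the tighter one and matches the int width of val. test_monitor_call begins outside the hunk.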
index a504acb66e8403c44c165c88bdbd8bc45897eef8..06e1e63160b6a75fda5c1e2d9a2354b42e76b988 100644 (file)
@@ -44,3 +44,15 @@ x86-cacheinfo-validate-cpuid-leaf-0x2-edx-output.patch
 x86-cpu-validate-cpuid-leaf-0x2-edx-output.patch
 x86-cpu-properly-parse-cpuid-leaf-0x2-tlb-descriptor-0x63.patch
 mptcp-fix-scheduling-while-atomic-in-mptcp_pm_nl_append_new_local_addr.patch
+bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_remote_name.patch
+bluetooth-add-check-for-mgmt_alloc_skb-in-mgmt_device_connected.patch
+wifi-cfg80211-regulatory-improve-invalid-hints-checking.patch
+wifi-nl80211-reject-cooked-mode-if-it-is-set-along-with-other-flags.patch
+rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_net.patch
+rapidio-fix-an-api-misues-when-rio_add_net-fails.patch
+dma-kmsan-export-kmsan_handle_dma-for-modules.patch
+s390-traps-fix-test_monitor_call-inline-assembly.patch
+nfs-fix-nfs_release_folio-to-not-deadlock-via-kcompactd-writeback.patch
+block-fix-conversion-of-gpt-partition-name-to-7-bit.patch
+mm-page_alloc-fix-uninitialized-variable.patch
+mm-don-t-skip-arch_sync_kernel_mappings-in-error-paths.patch
diff --git a/queue-6.6/wifi-cfg80211-regulatory-improve-invalid-hints-checking.patch b/queue-6.6/wifi-cfg80211-regulatory-improve-invalid-hints-checking.patch
new file mode 100644 (file)
index 0000000..02330e7
--- /dev/null
@@ -0,0 +1,90 @@
+From 59b348be7597c4a9903cb003c69e37df20c04a30 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Fri, 28 Feb 2025 16:46:57 +0300
+Subject: wifi: cfg80211: regulatory: improve invalid hints checking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit 59b348be7597c4a9903cb003c69e37df20c04a30 upstream.
+
+Syzbot keeps reporting an issue [1] that occurs when erroneous symbols
+sent from userspace get through into user_alpha2[] via
+regulatory_hint_user() call. Such invalid regulatory hints should be
+rejected.
+
+While a sanity check from commit 47caf685a685 ("cfg80211: regulatory:
+reject invalid hints") looks to be enough to deter these very cases,
+there is a way to get around it due to 2 reasons.
+
+1) The way isalpha() works, symbols other than latin lower and
+upper letters may be used to determine a country/domain.
+For instance, greek letters will also be considered upper/lower
+letters and for such characters isalpha() will return true as well.
+However, ISO-3166-1 alpha2 codes should only hold latin
+characters.
+
+2) While processing a user regulatory request, between
+reg_process_hint_user() and regulatory_hint_user() there happens to
+be a call to queue_regulatory_request() which modifies letters in
+request->alpha2[] with toupper(). This works fine for latin symbols,
+less so for weird letter characters from the second part of _ctype[].
+
+Syzbot triggers a warning in is_user_regdom_saved() by first sending
+over an unexpected non-latin letter that gets malformed by toupper()
+into a character that ends up failing isalpha() check.
+
+Prevent this by enhancing is_an_alpha2() to ensure that incoming
+symbols are latin letters and nothing else.
+
+[1] Syzbot report:
+------------[ cut here ]------------
+Unexpected user alpha2: A�
+WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline]
+WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline]
+WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516
+Modules linked in:
+CPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+Workqueue: events_power_efficient crda_timeout_work
+RIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline]
+RIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline]
+RIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516
+...
+Call Trace:
+ <TASK>
+ crda_timeout_work+0x27/0x50 net/wireless/reg.c:542
+ process_one_work kernel/workqueue.c:3229 [inline]
+ process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
+ worker_thread+0x870/0xd30 kernel/workqueue.c:3391
+ kthread+0x2f2/0x390 kernel/kthread.c:389
+ ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+ </TASK>
+
+Reported-by: syzbot+e10709ac3c44f3d4e800@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e10709ac3c44f3d4e800
+Fixes: 09d989d179d0 ("cfg80211: add regulatory hint disconnect support")
+Cc: stable@kernel.org
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Link: https://patch.msgid.link/20250228134659.1577656-1-n.zhandarovich@fintech.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/reg.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -405,7 +405,8 @@ static bool is_an_alpha2(const char *alp
+ {
+       if (!alpha2)
+               return false;
+-      return isalpha(alpha2[0]) && isalpha(alpha2[1]);
++      return isascii(alpha2[0]) && isalpha(alpha2[0]) &&
++             isascii(alpha2[1]) && isalpha(alpha2[1]);
+ }
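Review bot: The added `isascii()` guards are needed because the kernel's isalpha() classifies Latin-1 bytes above 0x7f as letters, but nothing in the code says so; the pairing reads as redundant and invites removal. A comment on the return, e.g. `/* kernel isalpha() also accepts Latin-1 letters > 0x7f; ISO 3166-1 alpha-2 codes are ASCII only */`, would document the intent; the block/partitions/efi.c patch in this same series fixes the same ctype pitfall with isprint(). The check still does not require upper case, which is consistent with the commit message's note that queue_regulatory_request() normalises with toupper() later, but that reliance is worth stating in the same comment.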
+ static bool alpha2_equal(const char *alpha2_x, const char *alpha2_y)
diff --git a/queue-6.6/wifi-nl80211-reject-cooked-mode-if-it-is-set-along-with-other-flags.patch b/queue-6.6/wifi-nl80211-reject-cooked-mode-if-it-is-set-along-with-other-flags.patch
new file mode 100644 (file)
index 0000000..a2feedc
--- /dev/null
@@ -0,0 +1,48 @@
+From 49f27f29446a5bfe633dd2cc0cfebd48a1a5e77f Mon Sep 17 00:00:00 2001
+From: Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
+Date: Fri, 31 Jan 2025 20:26:55 +0500
+Subject: wifi: nl80211: reject cooked mode if it is set along with other flags
+
+From: Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
+
+commit 49f27f29446a5bfe633dd2cc0cfebd48a1a5e77f upstream.
+
+It is possible to set both MONITOR_FLAG_COOK_FRAMES and MONITOR_FLAG_ACTIVE
+flags simultaneously on the same monitor interface from the userspace. This
+causes a sub-interface to be created with no IEEE80211_SDATA_IN_DRIVER bit
+set because the monitor interface is in the cooked state and it takes
+precedence over all other states. When the interface is then being deleted
+the kernel calls WARN_ONCE() from check_sdata_in_driver() because of missing
+that bit.
+
+Fix this by rejecting MONITOR_FLAG_COOK_FRAMES if it is set along with
+other flags.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 66f7ac50ed7c ("nl80211: Add monitor interface configuration flags")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+2e5c1e55b9e5c28a3da7@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2e5c1e55b9e5c28a3da7
+Signed-off-by: Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
+Link: https://patch.msgid.link/20250131152657.5606-1-v.shevtsov@mt-integration.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/nl80211.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -4102,6 +4102,11 @@ static int parse_monitor_flags(struct nl
+               if (flags[flag])
+                       *mntrflags |= (1<<flag);
++      /* cooked monitor mode is incompatible with other modes */
++      if (*mntrflags & MONITOR_FLAG_COOK_FRAMES &&
++          *mntrflags != MONITOR_FLAG_COOK_FRAMES)
++              return -EOPNOTSUPP;
++
+       *mntrflags |= MONITOR_FLAG_CHANGED;
+       return 0;