--- /dev/null
+From d119775f2bad827edc28071c061fdd4a91f889a5 Mon Sep 17 00:00:00 2001
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+Date: Wed, 6 May 2026 22:08:23 +0800
+Subject: af_unix: Reject SIOCATMARK on non-stream sockets
+
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+
+commit d119775f2bad827edc28071c061fdd4a91f889a5 upstream.
+
+SIOCATMARK reports whether the receive queue is at the urgent mark for
+MSG_OOB.
+
+In AF_UNIX, MSG_OOB is supported only for SOCK_STREAM sockets.
+SOCK_DGRAM and SOCK_SEQPACKET reject MSG_OOB in sendmsg() and recvmsg(),
+so they should not support SIOCATMARK either.
+
+Return -EOPNOTSUPP for non-stream sockets before checking the receive
+queue.
+
+Fixes: 314001f0bf92 ("af_unix: Add OOB support")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260506140825.2987635-1-n05ec@lzu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/unix/af_unix.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2807,6 +2807,9 @@ again:
+ goto out;
+ }
+
++ if (sk->sk_type != SOCK_STREAM)
++ return -EOPNOTSUPP;
++
+ mutex_lock(&u->iolock);
+ goto redo;
+ unlock:
--- /dev/null
+From 13920e4b7b784b40cf4519ff1f0f3e513476a499 Mon Sep 17 00:00:00 2001
+From: Naman Jain <namjain@linux.microsoft.com>
+Date: Fri, 10 Apr 2026 15:34:13 +0000
+Subject: block: add pgmap check to biovec_phys_mergeable
+
+From: Naman Jain <namjain@linux.microsoft.com>
+
+commit 13920e4b7b784b40cf4519ff1f0f3e513476a499 upstream.
+
+biovec_phys_mergeable() is used by the request merge, DMA mapping,
+and integrity merge paths to decide if two physically contiguous
+bvec segments can be coalesced into one. It currently has no check
+for whether the segments belong to different dev_pagemaps.
+
+When zone device memory is registered in multiple chunks, each chunk
+gets its own dev_pagemap. A single bio can legitimately contain
+bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at
+pgmap boundaries but the outer loop in bio_iov_iter_get_pages()
+continues filling the same bio. If such bvecs are physically
+contiguous, biovec_phys_mergeable() will coalesce them, making it
+impossible to recover the correct pgmap for the merged segment
+via page_pgmap().
+
+Add a zone_device_pages_have_same_pgmap() check to prevent merging
+bvec segments that span different pgmaps.
+
+Fixes: 49580e690755 ("block: add check when merging zone device pages")
+Cc: stable@vger.kernel.org
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
+Link: https://patch.msgid.link/20260410153414.4159050-2-namjain@linux.microsoft.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/block/blk.h
++++ b/block/blk.h
+@@ -95,6 +95,8 @@ static inline bool biovec_phys_mergeable
+
+ if (addr1 + vec1->bv_len != addr2)
+ return false;
++ if (!zone_device_pages_have_same_pgmap(vec1->bv_page, vec2->bv_page))
++ return false;
+ if (xen_domain() && !xen_biovec_phys_mergeable(vec1, vec2->bv_page))
+ return false;
+ if ((addr1 | mask) != ((addr2 + vec2->bv_len - 1) | mask))
--- /dev/null
+From d68ce834f8cf6cb2e77f3331df65166b35466b53 Mon Sep 17 00:00:00 2001
+From: Shyam Prasad N <sprasad@microsoft.com>
+Date: Tue, 28 Apr 2026 21:37:47 +0530
+Subject: cifs: abort open_cached_dir if we don't request leases
+
+From: Shyam Prasad N <sprasad@microsoft.com>
+
+commit d68ce834f8cf6cb2e77f3331df65166b35466b53 upstream.
+
+It is possible that SMB2_open_init may not set lease context based
+on the requested oplock level. This can happen when leases have been
+temporarily or permanently disabled. When this happens, we will have
+open_cached_dir making an open without lease context and the response
+will anyway be rejected by open_cached_dir (thereby forcing a close to
+discard this open). That's unnecessary two round-trips to the server.
+
+This change adds a check before making the open request to the server
+to make sure that SMB2_open_init did add the expected lease context
+to the open in open_cached_dir.
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Bharath SM <bharathsm@microsoft.com>
+Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cached_dir.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/smb/client/cached_dir.c
++++ b/fs/smb/client/cached_dir.c
+@@ -261,6 +261,14 @@ replay_again:
+ &rqst[0], &oplock, &oparms, utf16_path);
+ if (rc)
+ goto oshr_free;
++
++ if (oplock != SMB2_OPLOCK_LEVEL_II) {
++ rc = -EINVAL;
++ cifs_dbg(FYI, "%s: Oplock level %d not suitable for cached directory\n",
++ __func__, oplock);
++ goto oshr_free;
++ }
++
+ smb2_set_next_command(tcon, &rqst[0]);
+
+ memset(&qi_iov, 0, sizeof(qi_iov));
--- /dev/null
+From c208a2b95811d6e1ebae65d0d2fc13f73707f8e7 Mon Sep 17 00:00:00 2001
+From: Shyam Prasad N <sprasad@microsoft.com>
+Date: Mon, 30 Mar 2026 16:19:59 +0530
+Subject: cifs: change_conf needs to be called for session setup
+
+From: Shyam Prasad N <sprasad@microsoft.com>
+
+commit c208a2b95811d6e1ebae65d0d2fc13f73707f8e7 upstream.
+
+Today we skip calling change_conf for negotiates and session setup
+requests. This can be a problem for mchan as the immediate next call
+after session setup could be due to an I/O that is made on the
+mount point. For single channel, this is not a problem as
+there will be several calls after setting up session.
+
+This change enforces calling change_conf when the total credits contain
+enough for reservations for echoes and oplocks. We expect this to happen
+during the last session setup response. This way, echoes and oplocks are
+not disabled before the first request to the server. So if that first
+request is an open, it does not need to disable requesting leases.
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Bharath SM <bharathsm@microsoft.com>
+Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2ops.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/fs/smb/client/smb2ops.c
++++ b/fs/smb/client/smb2ops.c
+@@ -96,10 +96,21 @@ smb2_add_credits(struct TCP_Server_Info
+ }
+ WARN_ON_ONCE(server->in_flight == 0);
+ server->in_flight--;
++
++ /*
++ * Rebalance credits when an op drains in_flight. For session setup,
++ * do this only when the total accumulated credits are high enough (>2)
++ * so that a newly established secondary channel can reserve credits for
++ * echoes and oplocks. We expect this to happen at the end of the final
++ * session setup response.
++ */
+ if (server->in_flight == 0 &&
+ ((optype & CIFS_OP_MASK) != CIFS_NEG_OP) &&
+ ((optype & CIFS_OP_MASK) != CIFS_SESS_OP))
+ rc = change_conf(server);
++ else if (server->in_flight == 0 &&
++ ((optype & CIFS_OP_MASK) == CIFS_SESS_OP) && *val > 2)
++ rc = change_conf(server);
+ /*
+ * Sometimes server returns 0 credits on oplock break ack - we need to
+ * rebalance credits in this case.
--- /dev/null
+From f2c2fc93b4a3efdfcf3805ab74741826d343ff2c Mon Sep 17 00:00:00 2001
+From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+Date: Thu, 12 Feb 2026 16:57:50 +0800
+Subject: clk: imx: imx8-acm: fix flags for acm clocks
+
+From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+
+commit f2c2fc93b4a3efdfcf3805ab74741826d343ff2c upstream.
+
+Currently, the flags for the ACM clocks are set to 0. This configuration
+causes the fsl-sai audio driver to fail when attempting to set the
+sysclk, returning an EINVAL error. The following error messages
+highlight the issue:
+fsl-sai 59090000.sai: ASoC: error at snd_soc_dai_set_sysclk on 59090000.sai: -22
+imx-hdmi sound-hdmi: failed to set cpu sysclk: -22
+
+By setting the flag CLK_SET_RATE_NO_REPARENT, we signal that the ACM
+driver does not support reparenting and instead relies on the clock tree
+as defined in the device tree. This change resolves the issue with the
+fsl-sai audio driver.
+
+CC: stable@vger.kernel.org
+Fixes: d3a0946d7ac9 ("clk: imx: imx8: add audio clock mux driver")
+Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Link: https://patch.msgid.link/20260212085750.3253187-1-shengjiu.wang@nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/imx/clk-imx8-acm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/imx/clk-imx8-acm.c
++++ b/drivers/clk/imx/clk-imx8-acm.c
+@@ -368,7 +368,8 @@ static int imx8_acm_clk_probe(struct pla
+ for (i = 0; i < priv->soc_data->num_sels; i++) {
+ hws[sels[i].clkid] = devm_clk_hw_register_mux_parent_data_table(dev,
+ sels[i].name, sels[i].parents,
+- sels[i].num_parents, 0,
++ sels[i].num_parents,
++ CLK_SET_RATE_NO_REPARENT,
+ base + sels[i].reg,
+ sels[i].shift, sels[i].width,
+ 0, NULL, NULL);
--- /dev/null
+From 2f7ae8ab6aa73daaf080d5332110357c29df9c36 Mon Sep 17 00:00:00 2001
+From: Conor Dooley <conor.dooley@microchip.com>
+Date: Tue, 24 Feb 2026 09:35:25 +0000
+Subject: clk: microchip: mpfs-ccc: fix out of bounds access during output registration
+
+From: Conor Dooley <conor.dooley@microchip.com>
+
+commit 2f7ae8ab6aa73daaf080d5332110357c29df9c36 upstream.
+
+UBSAN reported an out of bounds access during registration of the last
+two outputs. This out of bounds access occurs because space is only
+allocated in the hws array for two PLLs and the four output dividers
+that each has, but the defined IDs contain two DLLS and their two
+outputs each, which are not supported by the driver. The ID order is
+PLLs -> DLLs -> PLL outputs -> DLL outputs. Decrement the PLL output IDs
+by two while adding them to the array to avoid the problem.
+
+Fixes: d39fb172760e ("clk: microchip: add PolarFire SoC fabric clock support")
+CC: stable@vger.kernel.org
+Reviewed-by: Brian Masney <bmasney@redhat.com>
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/microchip/clk-mpfs-ccc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/microchip/clk-mpfs-ccc.c
++++ b/drivers/clk/microchip/clk-mpfs-ccc.c
+@@ -178,7 +178,7 @@ static int mpfs_ccc_register_outputs(str
+ return dev_err_probe(dev, ret, "failed to register clock id: %d\n",
+ out_hw->id);
+
+- data->hw_data.hws[out_hw->id] = &out_hw->divider.hw;
++ data->hw_data.hws[out_hw->id - 2] = &out_hw->divider.hw;
+ }
+
+ return 0;
+@@ -234,6 +234,10 @@ static int mpfs_ccc_probe(struct platfor
+ unsigned int num_clks;
+ int ret;
+
++ /*
++ * If DLLs get added here, mpfs_ccc_register_outputs() currently packs
++ * sparse clock IDs in the hws array
++ */
+ num_clks = ARRAY_SIZE(mpfs_ccc_pll_clks) + ARRAY_SIZE(mpfs_ccc_pll0out_clks) +
+ ARRAY_SIZE(mpfs_ccc_pll1out_clks);
+
--- /dev/null
+From de019f203b0d472c98ead4081ad4f05d92c9b826 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 7 Apr 2026 11:50:27 +0200
+Subject: clk: rk808: fix OF node reference imbalance
+
+From: Johan Hovold <johan@kernel.org>
+
+commit de019f203b0d472c98ead4081ad4f05d92c9b826 upstream.
+
+The driver reuses the OF node of the parent multi-function device but
+fails to take another reference to balance the one dropped by the
+platform bus code when unbinding the MFD and deregistering the child
+devices.
+
+Fix this by using the intended helper for reusing OF nodes.
+
+Fixes: 2dc51ca822e4 ("clk: RK808: Reduce 'struct rk808' usage")
+Cc: stable@vger.kernel.org # 6.5
+Cc: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Reviewed-by: Brian Masney <bmasney@redhat.com>
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/clk-rk808.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/clk-rk808.c
++++ b/drivers/clk/clk-rk808.c
+@@ -153,7 +153,7 @@ static int rk808_clkout_probe(struct pla
+ struct rk808_clkout *rk808_clkout;
+ int ret;
+
+- dev->of_node = pdev->dev.parent->of_node;
++ device_set_of_node_from_dev(dev, dev->parent);
+
+ rk808_clkout = devm_kzalloc(dev,
+ sizeof(*rk808_clkout), GFP_KERNEL);
--- /dev/null
+From 64ed1e3e728afb57ba9acb59e69de930ead847d9 Mon Sep 17 00:00:00 2001
+From: Shrikanth Hegde <sshegde@linux.ibm.com>
+Date: Wed, 11 Mar 2026 11:47:09 +0530
+Subject: cpuidle: powerpc: avoid double clear when breaking snooze
+
+From: Shrikanth Hegde <sshegde@linux.ibm.com>
+
+commit 64ed1e3e728afb57ba9acb59e69de930ead847d9 upstream.
+
+snooze_loop is done often in any system which has fair bit of
+idle time. So it qualifies for even micro-optimizations.
+
+When breaking the snooze due to timeout, TIF_POLLING_NRFLAG is cleared
+twice. Clearing the bit invokes atomics. Avoid double clear and thereby
+avoid one atomic write.
+
+dev->poll_time_limit indicates whether the loop was broken due to
+timeout. Use that instead of defining a new variable.
+
+Fixes: 7ded429152e8 ("cpuidle: powerpc: no memory barrier after break from idle")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mukesh Kumar Chaurasiya (IBM) <mkchauras@gmail.com>
+Signed-off-by: Shrikanth Hegde <sshegde@linux.ibm.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20260311061709.1230440-1-sshegde@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpuidle/cpuidle-powernv.c | 5 ++++-
+ drivers/cpuidle/cpuidle-pseries.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpuidle/cpuidle-powernv.c
++++ b/drivers/cpuidle/cpuidle-powernv.c
+@@ -95,7 +95,10 @@ static int snooze_loop(struct cpuidle_de
+
+ HMT_medium();
+ ppc64_runlatch_on();
+- clear_thread_flag(TIF_POLLING_NRFLAG);
++
++ /* Avoid double clear when breaking */
++ if (!dev->poll_time_limit)
++ clear_thread_flag(TIF_POLLING_NRFLAG);
+
+ local_irq_disable();
+
+--- a/drivers/cpuidle/cpuidle-pseries.c
++++ b/drivers/cpuidle/cpuidle-pseries.c
+@@ -63,7 +63,10 @@ int snooze_loop(struct cpuidle_device *d
+ }
+
+ HMT_medium();
+- clear_thread_flag(TIF_POLLING_NRFLAG);
++
++ /* Avoid double clear when breaking */
++ if (!dev->poll_time_limit)
++ clear_thread_flag(TIF_POLLING_NRFLAG);
+
+ raw_local_irq_disable();
+
--- /dev/null
+From 4652fefcda3c604c83d1ae28ede94544e2142f06 Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Sat, 15 Nov 2025 10:59:05 +0800
+Subject: extcon: ptn5150: handle pending IRQ events during system resume
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit 4652fefcda3c604c83d1ae28ede94544e2142f06 upstream.
+
+When the system is suspended and ptn5150 wakeup interrupt is disabled,
+any changes on ptn5150 will only be record in interrupt status
+registers and won't fire an IRQ since its trigger type is falling
+edge. So the HW interrupt line will keep at low state and any further
+changes won't trigger IRQ anymore. To fix it, this will schedule a
+work to check whether any IRQ are pending and handle it accordingly.
+
+Fixes: 4ed754de2d66 ("extcon: Add support for ptn5150 extcon driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Acked-by: MyungJoo Ham <myungjoo.ham@samsung.com>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Link: https://lore.kernel.org/lkml/20251115025905.1395347-1-xu.yang_2@nxp.com/
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/extcon/extcon-ptn5150.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/extcon/extcon-ptn5150.c
++++ b/drivers/extcon/extcon-ptn5150.c
+@@ -331,6 +331,19 @@ static int ptn5150_i2c_probe(struct i2c_
+ return 0;
+ }
+
++static int ptn5150_resume(struct device *dev)
++{
++ struct i2c_client *i2c = to_i2c_client(dev);
++ struct ptn5150_info *info = i2c_get_clientdata(i2c);
++
++ /* Need to check possible pending interrupt events */
++ schedule_work(&info->irq_work);
++
++ return 0;
++}
++
++static DEFINE_SIMPLE_DEV_PM_OPS(ptn5150_pm_ops, NULL, ptn5150_resume);
++
+ static const struct of_device_id ptn5150_dt_match[] = {
+ { .compatible = "nxp,ptn5150" },
+ { },
+@@ -346,6 +359,7 @@ MODULE_DEVICE_TABLE(i2c, ptn5150_i2c_id)
+ static struct i2c_driver ptn5150_i2c_driver = {
+ .driver = {
+ .name = "ptn5150",
++ .pm = pm_sleep_ptr(&ptn5150_pm_ops),
+ .of_match_table = ptn5150_dt_match,
+ },
+ .probe = ptn5150_i2c_probe,
--- /dev/null
+From bbee90e750262bfb406d66dc65c46d616d2b6673 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Date: Mon, 9 Mar 2026 13:42:37 +0100
+Subject: gpio: of: clear OF_POPULATED on hog nodes in remove path
+
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+
+commit bbee90e750262bfb406d66dc65c46d616d2b6673 upstream.
+
+The previously set OF_POPULATED flag should be cleared on the hog nodes
+when removing the chip.
+
+Cc: stable@vger.kernel.org
+Fixes: 63636d956c455 ("gpio: of: Add DT overlay support for GPIO hogs")
+Acked-by: Linus Walleij <linusw@kernel.org>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://patch.msgid.link/20260309-gpio-hog-fwnode-v2-1-4e61f3dbf06a@oss.qualcomm.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib-of.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib-of.c
++++ b/drivers/gpio/gpiolib-of.c
+@@ -1136,5 +1136,12 @@ int of_gpiochip_add(struct gpio_chip *ch
+
+ void of_gpiochip_remove(struct gpio_chip *chip)
+ {
+- of_node_put(dev_of_node(&chip->gpiodev->dev));
++ struct device_node *np = dev_of_node(&chip->gpiodev->dev);
++
++ for_each_child_of_node_scoped(np, child) {
++ if (of_property_present(child, "gpio-hog"))
++ of_node_clear_flag(child, OF_POPULATED);
++ }
++
++ of_node_put(np);
+ }
--- /dev/null
+From b31681206e3f527970a7c7ed807fbf6a028fc25b Mon Sep 17 00:00:00 2001
+From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+Date: Tue, 28 Apr 2026 08:53:39 -0400
+Subject: hv_sock: fix ARM64 support
+
+From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+
+commit b31681206e3f527970a7c7ed807fbf6a028fc25b upstream.
+
+VMBUS ring buffers must be page aligned. Therefore, the current value of
+24K presents a challenge on ARM64 kernels (with 64K pages). So, use
+VMBUS_RING_SIZE() to ensure they are always aligned and large enough to
+hold all of the relevant data.
+
+Cc: stable@vger.kernel.org
+Fixes: 77ffe33363c0 ("hv_sock: use HV_HYP_PAGE_SIZE for Hyper-V communication")
+Tested-by: Dexuan Cui <decui@microsoft.com>
+Reviewed-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20260428125339.13963-1-hamzamahfooz@linux.microsoft.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/hyperv_transport.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/vmw_vsock/hyperv_transport.c
++++ b/net/vmw_vsock/hyperv_transport.c
+@@ -375,10 +375,10 @@ static void hvs_open_connection(struct v
+ } else {
+ sndbuf = max_t(int, sk->sk_sndbuf, RINGBUFFER_HVS_SND_SIZE);
+ sndbuf = min_t(int, sndbuf, RINGBUFFER_HVS_MAX_SIZE);
+- sndbuf = ALIGN(sndbuf, HV_HYP_PAGE_SIZE);
++ sndbuf = VMBUS_RING_SIZE(sndbuf);
+ rcvbuf = max_t(int, sk->sk_rcvbuf, RINGBUFFER_HVS_RCV_SIZE);
+ rcvbuf = min_t(int, rcvbuf, RINGBUFFER_HVS_MAX_SIZE);
+- rcvbuf = ALIGN(rcvbuf, HV_HYP_PAGE_SIZE);
++ rcvbuf = VMBUS_RING_SIZE(rcvbuf);
+ }
+
+ chan->max_pkt_size = HVS_MAX_PKT_SIZE;
--- /dev/null
+From 174606451fbb17db506ebaacdd5e203e57773d5f Mon Sep 17 00:00:00 2001
+From: Myeonghun Pak <mhun512@gmail.com>
+Date: Fri, 24 Apr 2026 22:50:51 +0900
+Subject: hwmon: (corsair-psu) Close HID device on probe errors
+
+From: Myeonghun Pak <mhun512@gmail.com>
+
+commit 174606451fbb17db506ebaacdd5e203e57773d5f upstream.
+
+corsairpsu_probe() opens the HID device before sending the device init
+and firmware-info commands. If either command fails, the error path jumps
+directly to fail_and_stop and skips hid_hw_close().
+
+Use the existing fail_and_close label for those post-open failures so the
+open count and low-level close callback are balanced before hid_hw_stop().
+
+Fixes: d115b51e0e56 ("hwmon: add Corsair PSU HID controller driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
+Reviewed-by: Wilken Gottwalt <wilken.gottwalt@posteo.net>
+Link: https://lore.kernel.org/r/20260424135107.13720-1-mhun512@gmail.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/corsair-psu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwmon/corsair-psu.c
++++ b/drivers/hwmon/corsair-psu.c
+@@ -805,13 +805,13 @@ static int corsairpsu_probe(struct hid_d
+ ret = corsairpsu_init(priv);
+ if (ret < 0) {
+ dev_err(&hdev->dev, "unable to initialize device (%d)\n", ret);
+- goto fail_and_stop;
++ goto fail_and_close;
+ }
+
+ ret = corsairpsu_fwinfo(priv);
+ if (ret < 0) {
+ dev_err(&hdev->dev, "unable to query firmware (%d)\n", ret);
+- goto fail_and_stop;
++ goto fail_and_close;
+ }
+
+ corsairpsu_get_criticals(priv);
--- /dev/null
+From d6cc7c99bf1f73eda7d565d224d791d16239bb41 Mon Sep 17 00:00:00 2001
+From: Sanman Pradhan <psanman@juniper.net>
+Date: Thu, 16 Apr 2026 21:59:30 +0000
+Subject: hwmon: (ltc2992) Clamp threshold writes to hardware range
+
+From: Sanman Pradhan <psanman@juniper.net>
+
+commit d6cc7c99bf1f73eda7d565d224d791d16239bb41 upstream.
+
+ltc2992_set_voltage(), ltc2992_set_current(), and ltc2992_set_power()
+do not validate the user-supplied value before converting it to a
+register value. This can result in:
+
+1. Negative input values wrapping to large positive register values.
+ For power, the negative long is implicitly cast to u64 in
+ mul_u64_u32_div(), producing an incorrect value. For voltage and
+ current, the negative converted value wraps when passed to
+ ltc2992_write_reg() as a u32.
+
+2. Intermediate arithmetic exceeding the range representable in u64 on
+ 64-bit platforms. In ltc2992_set_voltage(), (u64)val * 1000 can
+ exceed U64_MAX when val is a large positive long. In
+ ltc2992_set_current(), (u64)val * r_sense_uohm can overflow
+ similarly. In ltc2992_set_power(), the computed value may not fit
+ in u64.
+
+3. Register values exceeding the hardware field width. Voltage and
+ current threshold registers are 12-bit (stored left-justified in
+ 16 bits), and power threshold registers are 24-bit. Without
+ clamping, bits above the field width are truncated in
+ ltc2992_write_reg().
+
+Fix by clamping negative values to zero, clamping positive values to
+the rounded hardware-representable maximum (the value returned by the
+read path for a full-scale register) to prevent intermediate overflow,
+and clamping the converted register value to the hardware field width
+before writing. The existing conversion formula and rounding behavior
+are preserved.
+
+In the power write path, cancel the factor of 1000 from both the
+numerator (r_sense_uohm * 1000) and the denominator
+(VADC_UV_LSB * IADC_NANOV_LSB) to also eliminate a u32 overflow of
+r_sense_uohm * 1000 when r_sense_uohm exceeds about 4.29 ohms.
+
+Fixes: b0bd407e94b03 ("hwmon: (ltc2992) Add support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sanman Pradhan <psanman@juniper.net>
+Link: https://lore.kernel.org/r/20260416215904.101969-2-sanman.pradhan@hpe.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/ltc2992.c | 35 ++++++++++++++++++++++++++++-------
+ 1 file changed, 28 insertions(+), 7 deletions(-)
+
+--- a/drivers/hwmon/ltc2992.c
++++ b/drivers/hwmon/ltc2992.c
+@@ -421,10 +421,16 @@ static int ltc2992_get_voltage(struct lt
+
+ static int ltc2992_set_voltage(struct ltc2992_state *st, u32 reg, u32 scale, long val)
+ {
+- val = DIV_ROUND_CLOSEST(val * 1000, scale);
+- val = val << 4;
++ u32 reg_val;
++ long vmax;
++
++ vmax = DIV_ROUND_CLOSEST_ULL(0xFFFULL * scale, 1000);
++ val = max(val, 0L);
++ val = min(val, vmax);
++ reg_val = min(DIV_ROUND_CLOSEST_ULL((u64)val * 1000, scale),
++ 0xFFFULL) << 4;
+
+- return ltc2992_write_reg(st, reg, 2, val);
++ return ltc2992_write_reg(st, reg, 2, reg_val);
+ }
+
+ static int ltc2992_read_gpio_alarm(struct ltc2992_state *st, int nr_gpio, u32 attr, long *val)
+@@ -549,9 +555,15 @@ static int ltc2992_get_current(struct lt
+ static int ltc2992_set_current(struct ltc2992_state *st, u32 reg, u32 channel, long val)
+ {
+ u32 reg_val;
++ long cmax;
+
+- reg_val = DIV_ROUND_CLOSEST(val * st->r_sense_uohm[channel], LTC2992_IADC_NANOV_LSB);
+- reg_val = reg_val << 4;
++ cmax = DIV_ROUND_CLOSEST_ULL(0xFFFULL * LTC2992_IADC_NANOV_LSB,
++ st->r_sense_uohm[channel]);
++ val = max(val, 0L);
++ val = min(val, cmax);
++ reg_val = min(DIV_ROUND_CLOSEST_ULL((u64)val * st->r_sense_uohm[channel],
++ LTC2992_IADC_NANOV_LSB),
++ 0xFFFULL) << 4;
+
+ return ltc2992_write_reg(st, reg, 2, reg_val);
+ }
+@@ -624,9 +636,18 @@ static int ltc2992_get_power(struct ltc2
+ static int ltc2992_set_power(struct ltc2992_state *st, u32 reg, u32 channel, long val)
+ {
+ u32 reg_val;
++ u64 pmax, uval;
+
+- reg_val = mul_u64_u32_div(val, st->r_sense_uohm[channel] * 1000,
+- LTC2992_VADC_UV_LSB * LTC2992_IADC_NANOV_LSB);
++ uval = max(val, 0L);
++ pmax = mul_u64_u32_div(0xFFFFFFULL,
++ LTC2992_VADC_UV_LSB / 1000 *
++ LTC2992_IADC_NANOV_LSB,
++ st->r_sense_uohm[channel]);
++ uval = min(uval, pmax);
++ reg_val = min(mul_u64_u32_div(uval, st->r_sense_uohm[channel],
++ LTC2992_VADC_UV_LSB / 1000 *
++ LTC2992_IADC_NANOV_LSB),
++ 0xFFFFFFULL);
+
+ return ltc2992_write_reg(st, reg, 3, reg_val);
+ }
--- /dev/null
+From 2da0c1fd01dbd6b22844e8676585153dfc660cbe Mon Sep 17 00:00:00 2001
+From: Sanman Pradhan <psanman@juniper.net>
+Date: Thu, 16 Apr 2026 21:59:40 +0000
+Subject: hwmon: (ltc2992) Fix u32 overflow in power read path
+
+From: Sanman Pradhan <psanman@juniper.net>
+
+commit 2da0c1fd01dbd6b22844e8676585153dfc660cbe upstream.
+
+ltc2992_get_power() computes the divisor for mul_u64_u32_div() as
+r_sense_uohm * 1000. This multiplication overflows u32 when
+r_sense_uohm exceeds about 4.29 ohms (4294967 micro-ohms), producing
+a truncated divisor and an incorrect power reading.
+
+Cancel the factor of 1000 from both the numerator
+(VADC_UV_LSB * IADC_NANOV_LSB = 312500000) and the divisor
+(r_sense_uohm * 1000), giving (VADC_UV_LSB / 1000) * IADC_NANOV_LSB
+= 312500 as the numerator and plain r_sense_uohm as the divisor.
+The cancellation is exact because LTC2992_VADC_UV_LSB (25000) is
+divisible by 1000.
+
+This is the read-path counterpart of the write-path fix applied in
+the preceding patch.
+
+Fixes: b0bd407e94b03 ("hwmon: (ltc2992) Add support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sanman Pradhan <psanman@juniper.net>
+Link: https://lore.kernel.org/r/20260416215904.101969-3-sanman.pradhan@hpe.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/ltc2992.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwmon/ltc2992.c
++++ b/drivers/hwmon/ltc2992.c
+@@ -627,8 +627,10 @@ static int ltc2992_get_power(struct ltc2
+ if (reg_val < 0)
+ return reg_val;
+
+- *val = mul_u64_u32_div(reg_val, LTC2992_VADC_UV_LSB * LTC2992_IADC_NANOV_LSB,
+- st->r_sense_uohm[channel] * 1000);
++ *val = mul_u64_u32_div(reg_val,
++ LTC2992_VADC_UV_LSB / 1000 *
++ LTC2992_IADC_NANOV_LSB,
++ st->r_sense_uohm[channel]);
+
+ return 0;
+ }
--- /dev/null
+From cc427d24ac6442ffdeafd157a63c7c5b73ed4de4 Mon Sep 17 00:00:00 2001
+From: Mingming Cao <mmc@linux.ibm.com>
+Date: Fri, 24 Apr 2026 09:29:17 -0700
+Subject: ibmveth: Disable GSO for packets with small MSS
+
+From: Mingming Cao <mmc@linux.ibm.com>
+
+commit cc427d24ac6442ffdeafd157a63c7c5b73ed4de4 upstream.
+
+Some physical adapters on Power systems do not support segmentation
+offload when the MSS is less than 224 bytes. Attempting to send such
+packets causes the adapter to freeze, stopping all traffic until
+manually reset.
+
+Implement ndo_features_check to disable GSO for packets with small MSS
+values. The network stack will perform software segmentation instead.
+
+The 224-byte minimum matches ibmvnic
+commit <f10b09ef687f> ("ibmvnic: Enforce stronger sanity checks
+on GSO packets")
+which uses the same physical adapters in SEA configurations.
+
+The issue occurs specifically when the hardware attempts to perform
+segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets
+(gso_segs == 1) do not trigger the problematic LSO code path and are
+transmitted normally without segmentation.
+
+Add an ndo_features_check callback to disable GSO when MSS < 224 bytes.
+Also call vlan_features_check() to ensure proper handling of VLAN packets,
+particularly QinQ (802.1ad) configurations where the hardware parser may
+not support certain offload features.
+
+Validated using iptables to force small MSS values. Without the fix,
+the adapter freezes. With the fix, packets are segmented in software
+and transmission succeeds. Comprehensive regression testing completedd
+(MSS tests, performance, stability).
+
+Fixes: 8641dd85799f ("ibmveth: Add support for TSO")
+Cc: stable@vger.kernel.org
+Reviewed-by: Brian King <bjking1@linux.ibm.com>
+Tested-by: Shaik Abdulla <shaik.abdulla1@ibm.com>
+Tested-by: Naveed Ahmed <naveedaus@in.ibm.com>
+Signed-off-by: Mingming Cao <mmc@linux.ibm.com>
+Link: https://patch.msgid.link/20260424162917.65725-1-mmc@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmveth.c | 22 ++++++++++++++++++++++
+ drivers/net/ethernet/ibm/ibmveth.h | 1 +
+ 2 files changed, 23 insertions(+)
+
+--- a/drivers/net/ethernet/ibm/ibmveth.c
++++ b/drivers/net/ethernet/ibm/ibmveth.c
+@@ -1630,6 +1630,27 @@ static int ibmveth_set_mac_addr(struct n
+ return 0;
+ }
+
++static netdev_features_t ibmveth_features_check(struct sk_buff *skb,
++ struct net_device *dev,
++ netdev_features_t features)
++{
++ /* Some physical adapters do not support segmentation offload with
++ * MSS < 224. Disable GSO for such packets to avoid adapter freeze.
++ * Note: Single-segment packets (gso_segs == 1) don't need this check
++ * as they bypass the LSO path and are transmitted without segmentation.
++ */
++ if (skb_is_gso(skb)) {
++ if (skb_shinfo(skb)->gso_size < IBMVETH_MIN_LSO_MSS) {
++ netdev_warn_once(dev,
++ "MSS %u too small for LSO, disabling GSO\n",
++ skb_shinfo(skb)->gso_size);
++ features &= ~NETIF_F_GSO_MASK;
++ }
++ }
++
++ return vlan_features_check(skb, features);
++}
++
+ static const struct net_device_ops ibmveth_netdev_ops = {
+ .ndo_open = ibmveth_open,
+ .ndo_stop = ibmveth_close,
+@@ -1641,6 +1662,7 @@ static const struct net_device_ops ibmve
+ .ndo_set_features = ibmveth_set_features,
+ .ndo_validate_addr = eth_validate_addr,
+ .ndo_set_mac_address = ibmveth_set_mac_addr,
++ .ndo_features_check = ibmveth_features_check,
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+ .ndo_poll_controller = ibmveth_poll_controller,
+ #endif
+--- a/drivers/net/ethernet/ibm/ibmveth.h
++++ b/drivers/net/ethernet/ibm/ibmveth.h
+@@ -36,6 +36,7 @@
+ #define IBMVETH_ILLAN_IPV4_TCP_CSUM 0x0000000000000002UL
+ #define IBMVETH_ILLAN_ACTIVE_TRUNK 0x0000000000000001UL
+
++#define IBMVETH_MIN_LSO_MSS 224 /* Minimum MSS for LSO */
+ /* hcall macros */
+ #define h_register_logical_lan(ua, buflst, rxq, fltlst, mac) \
+ plpar_hcall_norets(H_REGISTER_LOGICAL_LAN, ua, buflst, rxq, fltlst, mac)
--- /dev/null
+From 1d324c2f43f70c965f25c58cc3611c779adbe47e Mon Sep 17 00:00:00 2001
+From: Maoyi Xie <maoyixie.tju@gmail.com>
+Date: Thu, 30 Apr 2026 18:33:18 +0800
+Subject: ip6_gre: Use cached t->net in ip6erspan_changelink().
+
+From: Maoyi Xie <maoyixie.tju@gmail.com>
+
+commit 1d324c2f43f70c965f25c58cc3611c779adbe47e upstream.
+
+After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of
+rtnl_link_ops"), ip6erspan_newlink() correctly resolves the per-netns
+ip6gre hash via link_net. ip6erspan_changelink() was not converted in
+that series and still uses dev_net(dev), which diverges from the
+device's creation netns after IFLA_NET_NS_FD migration.
+
+This re-inserts the tunnel into the wrong per-netns hash. The
+original netns keeps a stale entry. When that netns is later
+destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a
+slab-use-after-free reported by KASAN, followed by a kernel BUG at
+net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().
+
+Reachable from an unprivileged user namespace (unshare --user
+--map-root-user --net).
+
+ip6gre_changelink() earlier in the same file already uses the cached
+t->net; only ip6erspan_changelink() has the wrong shape.
+
+Fixes: 2d665034f239 ("net: ip6_gre: Fix ip6erspan hlen calculation")
+Cc: stable@vger.kernel.org # v5.15+
+Signed-off-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260430103318.3206018-1-maoyi.xie@ntu.edu.sg
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_gre.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -2299,10 +2299,11 @@ static int ip6erspan_changelink(struct n
+ struct nlattr *data[],
+ struct netlink_ext_ack *extack)
+ {
+- struct ip6gre_net *ign = net_generic(dev_net(dev), ip6gre_net_id);
++ struct ip6_tnl *t = netdev_priv(dev);
+ struct __ip6_tnl_parm p;
+- struct ip6_tnl *t;
++ struct ip6gre_net *ign;
+
++ ign = net_generic(t->net, ip6gre_net_id);
+ t = ip6gre_changelink_common(dev, tb, data, &p, extack);
+ if (IS_ERR(t))
+ return PTR_ERR(t);
--- /dev/null
+From 694de316f607fe2473d52ca0707e3918e72c1562 Mon Sep 17 00:00:00 2001
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+Date: Wed, 29 Apr 2026 16:37:42 +0800
+Subject: net: libwx: fix VF illegal register access
+
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+
+commit 694de316f607fe2473d52ca0707e3918e72c1562 upstream.
+
+Register WX_CFG_PORT_ST is a PF restricted register. When a VF is
+initialized, attempting to read this register triggers an illegal
+register access, which lead to a system hang.
+
+When the device is VF, the bus function ID can be obtained directly from
+the PCI_FUNC(pdev->devfn).
+
+Fixes: a04ea57aae37 ("net: libwx: fix device bus LAN ID")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Link: https://patch.msgid.link/4D1F4452D21DE107+20260429083743.88961-1-jiawenwu@trustnetic.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/wangxun/libwx/wx_hw.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c
++++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c
+@@ -1667,8 +1667,11 @@ int wx_sw_init(struct wx *wx)
+ wx->oem_svid = pdev->subsystem_vendor;
+ wx->oem_ssid = pdev->subsystem_device;
+ wx->bus.device = PCI_SLOT(pdev->devfn);
+- wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID,
+- rd32(wx, WX_CFG_PORT_ST));
++ if (pdev->is_virtfn)
++ wx->bus.func = PCI_FUNC(pdev->devfn);
++ else
++ wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID,
++ rd32(wx, WX_CFG_PORT_ST));
+
+ if (wx->oem_svid == PCI_VENDOR_ID_WANGXUN) {
+ wx->subsystem_vendor_id = pdev->subsystem_vendor;
--- /dev/null
+From 44b550d88b267320459d518c0743a241ab2108fa Mon Sep 17 00:00:00 2001
+From: Nan Li <tonanli66@gmail.com>
+Date: Fri, 1 May 2026 09:08:44 +0800
+Subject: net/rds: handle zerocopy send cleanup before the message is queued
+
+From: Nan Li <tonanli66@gmail.com>
+
+commit 44b550d88b267320459d518c0743a241ab2108fa upstream.
+
+A zerocopy send can fail after user pages have been pinned but before
+the message is attached to the sending socket.
+
+The purge path currently infers zerocopy state from rm->m_rs, so an
+unqueued message can be cleaned up as if it owned normal payload pages.
+However, zerocopy ownership is really determined by the presence of
+op_mmp_znotifier, regardless of whether the message has reached the
+socket queue.
+
+Capture op_mmp_znotifier up front in rds_message_purge() and use it as
+the cleanup discriminator. If the message is already associated with a
+socket, keep the existing completion path. Otherwise, drop the pinned
+page accounting directly and release the notifier before putting the
+payload pages.
+
+This keeps early send failure cleanup consistent with the zerocopy
+lifetime rules without changing the normal queued completion path.
+
+Fixes: 0cebaccef3ac ("rds: zerocopy Tx support.")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Co-developed-by: Xiao Liu <lx24@stu.ynu.edu.cn>
+Signed-off-by: Xiao Liu <lx24@stu.ynu.edu.cn>
+Signed-off-by: Nan Li <tonanli66@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Allison Henderson <achender@kernel.org>
+Link: https://patch.msgid.link/d2ea98a6313d5467bac00f7c9fef8c7acddb9258.1777550074.git.tonanli66@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/message.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+--- a/net/rds/message.c
++++ b/net/rds/message.c
+@@ -129,24 +129,34 @@ static void rds_rm_zerocopy_callback(str
+ */
+ static void rds_message_purge(struct rds_message *rm)
+ {
++ struct rds_znotifier *znotifier;
+ unsigned long i, flags;
+- bool zcopy = false;
++ bool zcopy;
+
+ if (unlikely(test_bit(RDS_MSG_PAGEVEC, &rm->m_flags)))
+ return;
+
+ spin_lock_irqsave(&rm->m_rs_lock, flags);
++ znotifier = rm->data.op_mmp_znotifier;
++ rm->data.op_mmp_znotifier = NULL;
++ zcopy = !!znotifier;
++
+ if (rm->m_rs) {
+ struct rds_sock *rs = rm->m_rs;
+
+- if (rm->data.op_mmp_znotifier) {
+- zcopy = true;
+- rds_rm_zerocopy_callback(rs, rm->data.op_mmp_znotifier);
++ if (znotifier) {
++ rds_rm_zerocopy_callback(rs, znotifier);
+ rds_wake_sk_sleep(rs);
+- rm->data.op_mmp_znotifier = NULL;
+ }
+ sock_put(rds_rs_to_sk(rs));
+ rm->m_rs = NULL;
++ } else if (znotifier) {
++ /*
++ * Zerocopy can fail before the message is queued on the
++ * socket, so there is no rs to carry the notification.
++ */
++ mm_unaccount_pinned_pages(&znotifier->z_mmp);
++ kfree(rds_info_from_znotifier(znotifier));
+ }
+ spin_unlock_irqrestore(&rm->m_rs_lock, flags);
+
--- /dev/null
+From 0e7c074cfcd9bd93765505f9eb8b42f03ed2a744 Mon Sep 17 00:00:00 2001
+From: Pavitra Jha <jhapavitra98@gmail.com>
+Date: Fri, 1 May 2026 07:07:12 -0400
+Subject: net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler
+
+From: Pavitra Jha <jhapavitra98@gmail.com>
+
+commit 0e7c074cfcd9bd93765505f9eb8b42f03ed2a744 upstream.
+
+t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as
+a loop bound over port_msg->data[] without checking that the message buffer
+contains sufficient data. A modem sending port_count=65535 in a 12-byte
+buffer triggers a slab-out-of-bounds read of up to 262140 bytes.
+
+Add a sizeof(*port_msg) check before accessing the port message header
+fields to guard against undersized messages.
+
+Add a struct_size() check after extracting port_count and before the loop.
+
+In t7xx_parse_host_rt_data(), guard the rt_feature header read with a
+remaining-buffer check before accessing data_len, validate feat_data_len
+against the actual remaining buffer to prevent OOB reads and signed
+integer overflow on offset.
+
+Pass msg_len from both call sites: skb->len at the DPMAIF path after
+skb_pull(), and the validated feat_data_len at the handshake path.
+
+Fixes: da45d2566a1d ("net: wwan: t7xx: Add control port")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavitra Jha <jhapavitra98@gmail.com>
+Link: https://patch.msgid.link/20260501110713.145563-1-jhapavitra98@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wwan/t7xx/t7xx_modem_ops.c | 20 +++++++++++++++++---
+ drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c | 18 ++++++++++++++++--
+ drivers/net/wwan/t7xx/t7xx_port_proxy.h | 2 +-
+ 3 files changed, 34 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wwan/t7xx/t7xx_modem_ops.c
++++ b/drivers/net/wwan/t7xx/t7xx_modem_ops.c
+@@ -417,8 +417,20 @@ static int t7xx_parse_host_rt_data(struc
+
+ offset = sizeof(struct feature_query);
+ for (i = 0; i < FEATURE_COUNT && offset < data_length; i++) {
++ size_t remaining = data_length - offset;
++ size_t feat_data_len, feat_total;
++
++ if (remaining < sizeof(*rt_feature))
++ break;
++
+ rt_feature = data + offset;
+- offset += sizeof(*rt_feature) + le32_to_cpu(rt_feature->data_len);
++ feat_data_len = le32_to_cpu(rt_feature->data_len);
++
++ if (feat_data_len > remaining - sizeof(*rt_feature))
++ break;
++
++ feat_total = sizeof(*rt_feature) + feat_data_len;
++ offset += feat_total;
+
+ ft_spt_cfg = FIELD_GET(FEATURE_MSK, core->feature_set[i]);
+ if (ft_spt_cfg != MTK_FEATURE_MUST_BE_SUPPORTED)
+@@ -428,8 +440,10 @@ static int t7xx_parse_host_rt_data(struc
+ if (ft_spt_st != MTK_FEATURE_MUST_BE_SUPPORTED)
+ return -EINVAL;
+
+- if (i == RT_ID_MD_PORT_ENUM || i == RT_ID_AP_PORT_ENUM)
+- t7xx_port_enum_msg_handler(ctl->md, rt_feature->data);
++ if (i == RT_ID_MD_PORT_ENUM || i == RT_ID_AP_PORT_ENUM) {
++ t7xx_port_enum_msg_handler(ctl->md, rt_feature->data,
++ feat_data_len);
++ }
+ }
+
+ return 0;
+--- a/drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c
++++ b/drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c
+@@ -117,6 +117,7 @@ static int fsm_ee_message_handler(struct
+ * t7xx_port_enum_msg_handler() - Parse the port enumeration message to create/remove nodes.
+ * @md: Modem context.
+ * @msg: Message.
++ * @msg_len: Length of @msg in bytes.
+ *
+ * Used to control create/remove device node.
+ *
+@@ -124,12 +125,18 @@ static int fsm_ee_message_handler(struct
+ * * 0 - Success.
+ * * -EFAULT - Message check failure.
+ */
+-int t7xx_port_enum_msg_handler(struct t7xx_modem *md, void *msg)
++int t7xx_port_enum_msg_handler(struct t7xx_modem *md, void *msg, size_t msg_len)
+ {
+ struct device *dev = &md->t7xx_dev->pdev->dev;
+ unsigned int version, port_count, i;
+ struct port_msg *port_msg = msg;
+
++ if (msg_len < sizeof(*port_msg)) {
++ dev_err(dev, "Port enum msg too short for header: need %zu, have %zu\n",
++ sizeof(*port_msg), msg_len);
++ return -EINVAL;
++ }
++
+ version = FIELD_GET(PORT_MSG_VERSION, le32_to_cpu(port_msg->info));
+ if (version != PORT_ENUM_VER ||
+ le32_to_cpu(port_msg->head_pattern) != PORT_ENUM_HEAD_PATTERN ||
+@@ -141,6 +148,13 @@ int t7xx_port_enum_msg_handler(struct t7
+ }
+
+ port_count = FIELD_GET(PORT_MSG_PRT_CNT, le32_to_cpu(port_msg->info));
++
++ if (msg_len < struct_size(port_msg, data, port_count)) {
++ dev_err(dev, "Port enum msg too short: need %zu, have %zu\n",
++ struct_size(port_msg, data, port_count), msg_len);
++ return -EINVAL;
++ }
++
+ for (i = 0; i < port_count; i++) {
+ u32 port_info = le32_to_cpu(port_msg->data[i]);
+ unsigned int ch_id;
+@@ -191,7 +205,7 @@ static int control_msg_handler(struct t7
+
+ case CTL_ID_PORT_ENUM:
+ skb_pull(skb, sizeof(*ctrl_msg_h));
+- ret = t7xx_port_enum_msg_handler(ctl->md, (struct port_msg *)skb->data);
++ ret = t7xx_port_enum_msg_handler(ctl->md, (struct port_msg *)skb->data, skb->len);
+ if (!ret)
+ ret = port_ctl_send_msg_to_md(port, CTL_ID_PORT_ENUM, 0);
+ else
+--- a/drivers/net/wwan/t7xx/t7xx_port_proxy.h
++++ b/drivers/net/wwan/t7xx/t7xx_port_proxy.h
+@@ -95,7 +95,7 @@ void t7xx_port_proxy_reset(struct port_p
+ void t7xx_port_proxy_uninit(struct port_proxy *port_prox);
+ int t7xx_port_proxy_init(struct t7xx_modem *md);
+ void t7xx_port_proxy_md_status_notify(struct port_proxy *port_prox, unsigned int state);
+-int t7xx_port_enum_msg_handler(struct t7xx_modem *md, void *msg);
++int t7xx_port_enum_msg_handler(struct t7xx_modem *md, void *msg, size_t msg_len);
+ int t7xx_port_proxy_chl_enable_disable(struct port_proxy *port_prox, unsigned int ch_id,
+ bool en_flag);
+
--- /dev/null
+From 37b0dc5e279f35036fb638d1e187197b6c05a76d Mon Sep 17 00:00:00 2001
+From: Hongling Zeng <zenghongling@kylinos.cn>
+Date: Sun, 3 May 2026 12:17:44 +0800
+Subject: parisc: Fix IRQ leak in LASI driver
+
+From: Hongling Zeng <zenghongling@kylinos.cn>
+
+commit 37b0dc5e279f35036fb638d1e187197b6c05a76d upstream.
+
+When request_irq() succeeds but gsc_common_setup() fails later,
+the IRQ is never released. Fix this by adding proper error handling
+with goto labels to ensure resources are released in LIFO order.
+
+Detected by Smatch:
+ drivers/parisc/lasi.c:216 lasi_init_chip() warn: 'lasi->gsc_irq.irq'
+from request_irq() not released on lines: 207.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <error27@gmail.com>
+Closes: https://lore.kernel.org/r/202604180957.4QdAIxP6-lkp@intel.com/
+Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/parisc/lasi.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/parisc/lasi.c
++++ b/drivers/parisc/lasi.c
+@@ -193,8 +193,7 @@ static int __init lasi_init_chip(struct
+
+ ret = request_irq(lasi->gsc_irq.irq, gsc_asic_intr, 0, "lasi", lasi);
+ if (ret < 0) {
+- kfree(lasi);
+- return ret;
++ goto err_free;
+ }
+
+ /* enable IRQ's for devices below LASI */
+@@ -203,8 +202,7 @@ static int __init lasi_init_chip(struct
+ /* Done init'ing, register this driver */
+ ret = gsc_common_setup(dev, lasi);
+ if (ret) {
+- kfree(lasi);
+- return ret;
++ goto err_irq;
+ }
+
+ gsc_fixup_irqs(dev, lasi, lasi_choose_irq);
+@@ -214,6 +212,12 @@ static int __init lasi_init_chip(struct
+ SYS_OFF_PRIO_DEFAULT, lasi_power_off, lasi);
+
+ return ret;
++
++err_irq:
++ free_irq(lasi->gsc_irq.irq, lasi);
++err_free:
++ kfree(lasi);
++ return ret;
+ }
+
+ static struct parisc_device_id lasi_tbl[] __initdata = {
fanotify-fix-false-positive-on-permission-events.patch
mtd-spi-nor-debugfs-fix-out-of-bounds-read-in-spi_nor_params_show.patch
net-rtnetlink-zero-ifla_vf_broadcast-to-avoid-stack-infoleak-in-rtnl_fill_vfinfo.patch
+sound-ua101-fix-division-by-zero-at-probe.patch
+net-libwx-fix-vf-illegal-register-access.patch
+ip6_gre-use-cached-t-net-in-ip6erspan_changelink.patch
+net-rds-handle-zerocopy-send-cleanup-before-the-message-is-queued.patch
+net-wwan-t7xx-validate-port_count-against-message-length-in-t7xx_port_enum_msg_handler.patch
+parisc-fix-irq-leak-in-lasi-driver.patch
+hwmon-ltc2992-clamp-threshold-writes-to-hardware-range.patch
+hwmon-ltc2992-fix-u32-overflow-in-power-read-path.patch
+clk-rk808-fix-of-node-reference-imbalance.patch
+hwmon-corsair-psu-close-hid-device-on-probe-errors.patch
+af_unix-reject-siocatmark-on-non-stream-sockets.patch
+block-add-pgmap-check-to-biovec_phys_mergeable.patch
+cifs-abort-open_cached_dir-if-we-don-t-request-leases.patch
+cifs-change_conf-needs-to-be-called-for-session-setup.patch
+extcon-ptn5150-handle-pending-irq-events-during-system-resume.patch
+gpio-of-clear-of_populated-on-hog-nodes-in-remove-path.patch
+hv_sock-fix-arm64-support.patch
+ibmveth-disable-gso-for-packets-with-small-mss.patch
+udf-reject-descriptors-with-oversized-crc-length.patch
+thermal-drivers-sprd-fix-temperature-clamping-in-sprd_thm_temp_to_rawdata.patch
+thermal-drivers-sprd-fix-raw-temperature-clamping-in-sprd_thm_rawdata_to_temp.patch
+spi-topcliff-pch-fix-use-after-free-on-unbind.patch
+clk-imx-imx8-acm-fix-flags-for-acm-clocks.patch
+clk-microchip-mpfs-ccc-fix-out-of-bounds-access-during-output-registration.patch
+cpuidle-powerpc-avoid-double-clear-when-breaking-snooze.patch
--- /dev/null
+From d1f73f169c1014463b5060e3f60813e13ddc7b87 Mon Sep 17 00:00:00 2001
+From: SeungJu Cheon <suunj1331@gmail.com>
+Date: Sun, 26 Apr 2026 20:12:39 +0900
+Subject: sound: ua101: fix division by zero at probe
+
+From: SeungJu Cheon <suunj1331@gmail.com>
+
+commit d1f73f169c1014463b5060e3f60813e13ddc7b87 upstream.
+
+Add a missing sanity check for bNrChannels in detect_usb_format()
+to prevent a division by zero in playback_urb_complete() and
+capture_urb_complete().
+
+USB core does not validate class-specific descriptor fields such
+as bNrChannels, so drivers must verify them before use. If a
+device provides bNrChannels = 0, frame_bytes becomes zero and is
+later used as a divisor in the URB completion handlers, leading
+to a kernel crash.
+
+Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support")
+Cc: stable@vger.kernel.org
+Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
+Link: https://patch.msgid.link/20260426111239.103296-1-suunj1331@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/misc/ua101.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/usb/misc/ua101.c
++++ b/sound/usb/misc/ua101.c
+@@ -994,6 +994,13 @@ static int detect_usb_format(struct ua10
+
+ ua->capture.channels = fmt_capture->bNrChannels;
+ ua->playback.channels = fmt_playback->bNrChannels;
++ if (!ua->capture.channels || !ua->playback.channels) {
++ dev_err(&ua->dev->dev,
++ "invalid channel count: capture %u, playback %u\n",
++ ua->capture.channels, ua->playback.channels);
++ return -EINVAL;
++ }
++
+ ua->capture.frame_bytes =
+ fmt_capture->bSubframeSize * ua->capture.channels;
+ ua->playback.frame_bytes =
--- /dev/null
+From 9d72732fe70c11424bc90ed466c7ccfa58b42a9a Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 14 Apr 2026 15:43:19 +0200
+Subject: spi: topcliff-pch: fix use-after-free on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 9d72732fe70c11424bc90ed466c7ccfa58b42a9a upstream.
+
+Give the driver a chance to flush its queue before releasing the DMA
+buffers on driver unbind
+
+Fixes: c37f3c2749b5 ("spi/topcliff_pch: DMA support")
+Cc: stable@vger.kernel.org # 3.1
+Cc: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260414134319.978196-9-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-topcliff-pch.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/spi/spi-topcliff-pch.c
++++ b/drivers/spi/spi-topcliff-pch.c
+@@ -1406,9 +1406,6 @@ static void pch_spi_pd_remove(struct pla
+ dev_dbg(&plat_dev->dev, "%s:[ch%d] irq=%d\n",
+ __func__, plat_dev->id, board_dat->pdev->irq);
+
+- if (use_dma)
+- pch_free_dma_buf(board_dat, data);
+-
+ /* check for any pending messages; no action is taken if the queue
+ * is still full; but at least we tried. Unload anyway */
+ count = 500;
+@@ -1432,6 +1429,9 @@ static void pch_spi_pd_remove(struct pla
+ free_irq(board_dat->pdev->irq, data);
+ }
+
++ if (use_dma)
++ pch_free_dma_buf(board_dat, data);
++
+ pci_iounmap(board_dat->pdev, data->io_remap_addr);
+ spi_unregister_master(data->master);
+ }
--- /dev/null
+From b3414148bbc1f9cd56217e58a558c6ac4fd1b4a6 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Sat, 7 Mar 2026 11:24:21 +0100
+Subject: thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit b3414148bbc1f9cd56217e58a558c6ac4fd1b4a6 upstream.
+
+The raw temperature data was never clamped to SPRD_THM_RAW_DATA_LOW or
+SPRD_THM_RAW_DATA_HIGH because the return value of clamp() was not used.
+Fix this by assigning the clamped value to 'rawdata'.
+
+Casting SPRD_THM_RAW_DATA_LOW and SPRD_THM_RAW_DATA_HIGH to u32 is also
+redundant and can be removed.
+
+Fixes: 554fdbaf19b1 ("thermal: sprd: Add Spreadtrum thermal driver support")
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@kernel.org>
+Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260307102422.306055-2-thorsten.blum@linux.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/sprd_thermal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/thermal/sprd_thermal.c
++++ b/drivers/thermal/sprd_thermal.c
+@@ -178,7 +178,7 @@ static int sprd_thm_sensor_calibration(s
+ static int sprd_thm_rawdata_to_temp(struct sprd_thermal_sensor *sen,
+ u32 rawdata)
+ {
+- clamp(rawdata, (u32)SPRD_THM_RAW_DATA_LOW, (u32)SPRD_THM_RAW_DATA_HIGH);
++ rawdata = clamp(rawdata, SPRD_THM_RAW_DATA_LOW, SPRD_THM_RAW_DATA_HIGH);
+
+ /*
+ * According to the thermal datasheet, the formula of converting
--- /dev/null
+From 83c0f9a5d679a6f8d84fc49b2f62ea434ccab4b6 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Sat, 7 Mar 2026 11:24:20 +0100
+Subject: thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit 83c0f9a5d679a6f8d84fc49b2f62ea434ccab4b6 upstream.
+
+The temperature was never clamped to SPRD_THM_TEMP_LOW or
+SPRD_THM_TEMP_HIGH because the return value of clamp() was not used. Fix
+this by assigning the clamped value to 'temp'.
+
+Casting SPRD_THM_TEMP_LOW and SPRD_THM_TEMP_HIGH to int is also
+redundant and can be removed.
+
+Fixes: 554fdbaf19b1 ("thermal: sprd: Add Spreadtrum thermal driver support")
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@kernel.org>
+Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260307102422.306055-1-thorsten.blum@linux.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/sprd_thermal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/thermal/sprd_thermal.c
++++ b/drivers/thermal/sprd_thermal.c
+@@ -192,7 +192,7 @@ static int sprd_thm_temp_to_rawdata(int
+ {
+ u32 val;
+
+- clamp(temp, (int)SPRD_THM_TEMP_LOW, (int)SPRD_THM_TEMP_HIGH);
++ temp = clamp(temp, SPRD_THM_TEMP_LOW, SPRD_THM_TEMP_HIGH);
+
+ /*
+ * According to the thermal datasheet, the formula of converting
--- /dev/null
+From 55d41b0a20128e86b9e960dd2e3f0a2d69a18df7 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Mon, 13 Apr 2026 17:12:40 -0400
+Subject: udf: reject descriptors with oversized CRC length
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 55d41b0a20128e86b9e960dd2e3f0a2d69a18df7 upstream.
+
+udf_read_tagged() skips CRC verification when descCRCLength +
+sizeof(struct tag) exceeds the block size. A crafted UDF image can
+set descCRCLength to an oversized value to bypass CRC validation
+entirely; the descriptor is then accepted based solely on the 8-bit
+tag checksum, which is trivially recomputable.
+
+Reject such descriptors instead of silently accepting them. A
+legitimate single-block descriptor should never have a CRC length that
+exceeds the block.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-6
+Assisted-by: Codex:gpt-5-4
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Link: https://patch.msgid.link/20260413211240.853662-1-michael.bommarito@gmail.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/udf/misc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/udf/misc.c
++++ b/fs/udf/misc.c
+@@ -230,8 +230,12 @@ struct buffer_head *udf_read_tagged(stru
+ }
+
+ /* Verify the descriptor CRC */
+- if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocksize ||
+- le16_to_cpu(tag_p->descCRC) == crc_itu_t(0,
++ if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocksize) {
++ udf_err(sb, "block %u: CRC length %u exceeds block size\n",
++ block, le16_to_cpu(tag_p->descCRCLength));
++ goto error_out;
++ }
++ if (le16_to_cpu(tag_p->descCRC) == crc_itu_t(0,
+ bh->b_data + sizeof(struct tag),
+ le16_to_cpu(tag_p->descCRCLength)))
+ return bh;
projects / thirdparty / kernel / stable-queue.git / commitdiff
