--- /dev/null
+From 1af997cad473d505248df6d9577183bb91f69670 Mon Sep 17 00:00:00 2001
+From: Shawn Guo <shawnguo@kernel.org>
+Date: Fri, 27 Feb 2026 15:22:10 +0800
+Subject: arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges
+
+From: Shawn Guo <shawnguo@kernel.org>
+
+commit 1af997cad473d505248df6d9577183bb91f69670 upstream.
+
+Reboot starts failing on Poplar since commit 8424ecdde7df ("arm64: mm:
+Set ZONE_DMA size based on devicetree's dma-ranges"), which effectively
+changes zone_dma_bits from 30 to 32 for arm64 platforms that do not
+properly define dma-ranges in device tree. It's unclear how Poplar reboot
+gets broken by this change exactly, but a dma-ranges limiting zone_dma to
+the first 1 GB fixes the regression.
+
+Fixes: 2f20182ed670 ("arm64: dts: hisilicon: add dts files for hi3798cv200-poplar board")
+Cc: stable@vger.kernel.org
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/hisilicon/hi3798cv200.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/boot/dts/hisilicon/hi3798cv200.dtsi
++++ b/arch/arm64/boot/dts/hisilicon/hi3798cv200.dtsi
+@@ -81,6 +81,7 @@
+ #address-cells = <1>;
+ #size-cells = <1>;
+ ranges = <0x0 0x0 0xf0000000 0x10000000>;
++ dma-ranges = <0x0 0x0 0x0 0x40000000>;
+
+ crg: clock-reset-controller@8a22000 {
+ compatible = "hisilicon,hi3798cv200-crg", "syscon", "simple-mfd";
--- /dev/null
+From c1f2b0f2b5e37b2c27540a175aea2755a3799433 Mon Sep 17 00:00:00 2001
+From: Shawn Guo <shawnguo@kernel.org>
+Date: Fri, 27 Feb 2026 15:19:58 +0800
+Subject: arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity
+
+From: Shawn Guo <shawnguo@kernel.org>
+
+commit c1f2b0f2b5e37b2c27540a175aea2755a3799433 upstream.
+
+The PCIe reset GPIO on Poplar is actually active low. The active high
+worked before because kernel driver didn't respect the setting from DT.
+This is changed since commit 1d26a55fbeb9 ("PCI: histb: Switch to using
+gpiod API"), and thus PCIe on Poplar got brken since then.
+
+Fix the problem by correcting the polarity.
+
+Fixes: 32fa01761bd9 ("arm64: dts: hi3798cv200: enable PCIe support for poplar board")
+Cc: stable@vger.kernel.org
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/hisilicon/hi3798cv200-poplar.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/hisilicon/hi3798cv200-poplar.dts
++++ b/arch/arm64/boot/dts/hisilicon/hi3798cv200-poplar.dts
+@@ -179,7 +179,7 @@
+ };
+
+ &pcie {
+- reset-gpios = <&gpio4 4 GPIO_ACTIVE_HIGH>;
++ reset-gpios = <&gpio4 4 GPIO_ACTIVE_LOW>;
+ vpcie-supply = <®_pcie>;
+ status = "okay";
+ };
--- /dev/null
+From 3a359bf5c61d52e7f09754108309d637532164a6 Mon Sep 17 00:00:00 2001
+From: Ruide Cao <caoruide123@gmail.com>
+Date: Thu, 2 Apr 2026 23:12:31 +0800
+Subject: batman-adv: reject oversized global TT response buffers
+
+From: Ruide Cao <caoruide123@gmail.com>
+
+commit 3a359bf5c61d52e7f09754108309d637532164a6 upstream.
+
+batadv_tt_prepare_tvlv_global_data() builds the allocation length for a
+global TT response in 16-bit temporaries. When a remote originator
+advertises a large enough global TT, the TT payload length plus the VLAN
+header offset can exceed 65535 and wrap before kmalloc().
+
+The full-table response path still uses the original TT payload length when
+it fills tt_change, so the wrapped allocation is too small and
+batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object
+before the later packet-size check runs.
+
+Fix this by rejecting TT responses whose TVLV value length cannot fit in
+the 16-bit TVLV payload length field.
+
+Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
+Cc: stable@vger.kernel.org
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Ruide Cao <caoruide123@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/translation-table.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -844,8 +844,8 @@ batadv_tt_prepare_tvlv_global_data(struc
+ {
+ u16 num_vlan = 0;
+ u16 num_entries = 0;
+- u16 change_offset;
+- u16 tvlv_len;
++ u16 tvlv_len = 0;
++ unsigned int change_offset;
+ struct batadv_tvlv_tt_vlan_data *tt_vlan;
+ struct batadv_orig_node_vlan *vlan;
+ u8 *tt_change_ptr;
+@@ -863,6 +863,11 @@ batadv_tt_prepare_tvlv_global_data(struc
+ if (*tt_len < 0)
+ *tt_len = batadv_tt_len(num_entries);
+
++ if (change_offset > U16_MAX || *tt_len > U16_MAX - change_offset) {
++ *tt_len = 0;
++ goto out;
++ }
++
+ tvlv_len = *tt_len;
+ tvlv_len += change_offset;
+
--- /dev/null
+From 4c71fd099513bfa8acab529b626e1f0097b76061 Mon Sep 17 00:00:00 2001
+From: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
+Date: Wed, 1 Apr 2026 12:10:07 +0200
+Subject: drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
+
+From: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
+
+commit 4c71fd099513bfa8acab529b626e1f0097b76061 upstream.
+
+A use-after-free / refcount underflow is possible when the heartbeat
+worker and intel_engine_park_heartbeat() race to release the same
+engine->heartbeat.systole request.
+
+The heartbeat worker reads engine->heartbeat.systole and calls
+i915_request_put() on it when the request is complete, but clears
+the pointer in a separate, non-atomic step. Concurrently, a request
+retirement on another CPU can drop the engine wakeref to zero, triggering
+__engine_park() -> intel_engine_park_heartbeat(). If the heartbeat
+timer is pending at that point, cancel_delayed_work() returns true and
+intel_engine_park_heartbeat() reads the stale non-NULL systole pointer
+and calls i915_request_put() on it again, causing a refcount underflow:
+
+```
+<4> [487.221889] Workqueue: i915-unordered engine_retire [i915]
+<4> [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0
+...
+<4> [487.222707] Call Trace:
+<4> [487.222711] <TASK>
+<4> [487.222716] intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915]
+<4> [487.223115] intel_engine_park_heartbeat+0x25/0x40 [i915]
+<4> [487.223566] __engine_park+0xb9/0x650 [i915]
+<4> [487.223973] ____intel_wakeref_put_last+0x2e/0xb0 [i915]
+<4> [487.224408] __intel_wakeref_put_last+0x72/0x90 [i915]
+<4> [487.224797] intel_context_exit_engine+0x7c/0x80 [i915]
+<4> [487.225238] intel_context_exit+0xf1/0x1b0 [i915]
+<4> [487.225695] i915_request_retire.part.0+0x1b9/0x530 [i915]
+<4> [487.226178] i915_request_retire+0x1c/0x40 [i915]
+<4> [487.226625] engine_retire+0x122/0x180 [i915]
+<4> [487.227037] process_one_work+0x239/0x760
+<4> [487.227060] worker_thread+0x200/0x3f0
+<4> [487.227068] ? __pfx_worker_thread+0x10/0x10
+<4> [487.227075] kthread+0x10d/0x150
+<4> [487.227083] ? __pfx_kthread+0x10/0x10
+<4> [487.227092] ret_from_fork+0x3d4/0x480
+<4> [487.227099] ? __pfx_kthread+0x10/0x10
+<4> [487.227107] ret_from_fork_asm+0x1a/0x30
+<4> [487.227141] </TASK>
+```
+
+Fix this by replacing the non-atomic pointer read + separate clear with
+xchg() in both racing paths. xchg() is a single indivisible hardware
+instruction that atomically reads the old pointer and writes NULL. This
+guarantees only one of the two concurrent callers obtains the non-NULL
+pointer and performs the put, the other gets NULL and skips it.
+
+Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/15880
+Fixes: 058179e72e09 ("drm/i915/gt: Replace hangcheck by heartbeats")
+Cc: <stable@vger.kernel.org> # v5.5+
+Signed-off-by: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
+Reviewed-by: Krzysztof Karas <krzysztof.karas@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://lore.kernel.org/r/d4c1c14255688dd07cc8044973c4f032a8d1559e.1775038106.git.sebastian.brzezinka@intel.com
+(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gt/intel_engine_heartbeat.c | 26 +++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gt/intel_engine_heartbeat.c
++++ b/drivers/gpu/drm/i915/gt/intel_engine_heartbeat.c
+@@ -116,10 +116,12 @@ static void heartbeat(struct work_struct
+ /* Just in case everything has gone horribly wrong, give it a kick */
+ intel_engine_flush_submission(engine);
+
+- rq = engine->heartbeat.systole;
+- if (rq && i915_request_completed(rq)) {
+- i915_request_put(rq);
+- engine->heartbeat.systole = NULL;
++ rq = xchg(&engine->heartbeat.systole, NULL);
++ if (rq) {
++ if (i915_request_completed(rq))
++ i915_request_put(rq);
++ else
++ engine->heartbeat.systole = rq;
+ }
+
+ if (!intel_engine_pm_get_if_awake(engine))
+@@ -200,8 +202,11 @@ static void heartbeat(struct work_struct
+ unlock:
+ mutex_unlock(&ce->timeline->mutex);
+ out:
+- if (!engine->i915->params.enable_hangcheck || !next_heartbeat(engine))
+- i915_request_put(fetch_and_zero(&engine->heartbeat.systole));
++ if (!engine->i915->params.enable_hangcheck || !next_heartbeat(engine)) {
++ rq = xchg(&engine->heartbeat.systole, NULL);
++ if (rq)
++ i915_request_put(rq);
++ }
+ intel_engine_pm_put(engine);
+ }
+
+@@ -215,8 +220,13 @@ void intel_engine_unpark_heartbeat(struc
+
+ void intel_engine_park_heartbeat(struct intel_engine_cs *engine)
+ {
+- if (cancel_delayed_work(&engine->heartbeat.work))
+- i915_request_put(fetch_and_zero(&engine->heartbeat.systole));
++ if (cancel_delayed_work(&engine->heartbeat.work)) {
++ struct i915_request *rq;
++
++ rq = xchg(&engine->heartbeat.systole, NULL);
++ if (rq)
++ i915_request_put(rq);
++ }
+ }
+
+ void intel_gt_unpark_heartbeats(struct intel_gt *gt)
--- /dev/null
+From dff34ef879c5e73298443956a8b391311ba78d57 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 27 Mar 2026 11:52:05 +0100
+Subject: mmc: vub300: fix NULL-deref on disconnect
+
+From: Johan Hovold <johan@kernel.org>
+
+commit dff34ef879c5e73298443956a8b391311ba78d57 upstream.
+
+Make sure to deregister the controller before dropping the reference to
+the driver data on disconnect to avoid NULL-pointer dereferences or
+use-after-free.
+
+Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
+Cc: stable@vger.kernel.org # 3.0+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/vub300.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/vub300.c
++++ b/drivers/mmc/host/vub300.c
+@@ -2371,8 +2371,8 @@ static void vub300_disconnect(struct usb
+ usb_set_intfdata(interface, NULL);
+ /* prevent more I/O from starting */
+ vub300->interface = NULL;
+- kref_put(&vub300->kref, vub300_delete);
+ mmc_remove_host(mmc);
++ kref_put(&vub300->kref, vub300_delete);
+ pr_info("USB vub300 remote SDIO host controller[%d]"
+ " now disconnected", ifnum);
+ return;
--- /dev/null
+From 6dede3967619b5944003227a5d09fdc21ed57d10 Mon Sep 17 00:00:00 2001
+From: David Carlier <devnexen@gmail.com>
+Date: Wed, 1 Apr 2026 22:12:18 +0100
+Subject: net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
+
+From: David Carlier <devnexen@gmail.com>
+
+commit 6dede3967619b5944003227a5d09fdc21ed57d10 upstream.
+
+When dma_map_single() fails in tse_start_xmit(), the function returns
+NETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the
+stack the packet was consumed, the skb is never freed, leaking memory
+on every DMA mapping failure.
+
+Add dev_kfree_skb_any() before returning to properly free the skb.
+
+Fixes: bbd2190ce96d ("Altera TSE: Add main and header file for Altera Ethernet Driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: David Carlier <devnexen@gmail.com>
+Link: https://patch.msgid.link/20260401211218.279185-1-devnexen@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/altera/altera_tse_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/altera/altera_tse_main.c
++++ b/drivers/net/ethernet/altera/altera_tse_main.c
+@@ -591,6 +591,7 @@ static netdev_tx_t tse_start_xmit(struct
+ DMA_TO_DEVICE);
+ if (dma_mapping_error(priv->device, dma_addr)) {
+ netdev_err(priv->dev, "%s: DMA mapping error\n", __func__);
++ dev_kfree_skb_any(skb);
+ ret = NETDEV_TX_OK;
+ goto out;
+ }
--- /dev/null
+From b76254c55dc8f23edc089027dd3f8792554c69fb Mon Sep 17 00:00:00 2001
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Date: Thu, 2 Apr 2026 15:12:07 +0800
+Subject: net: qualcomm: qca_uart: report the consumed byte on RX skb allocation failure
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+commit b76254c55dc8f23edc089027dd3f8792554c69fb upstream.
+
+qca_tty_receive() consumes each input byte before checking whether a
+completed frame needs a fresh receive skb. When the current byte completes
+a frame, the driver delivers that frame and then allocates a new skb for
+the next one.
+
+If that allocation fails, the current code returns i even though data[i]
+has already been consumed and may already have completed the delivered
+frame. Since serdev interprets the return value as the number of accepted
+bytes, this under-reports progress by one byte and can replay the final
+byte of the completed frame into a fresh parser state on the next call.
+
+Return i + 1 in that failure path so the accepted-byte count matches the
+actual receive-state progress.
+
+Fixes: dfc768fbe618 ("net: qualcomm: add QCA7000 UART driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260402071207.4036-1-pengpeng@iscas.ac.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qualcomm/qca_uart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qualcomm/qca_uart.c
++++ b/drivers/net/ethernet/qualcomm/qca_uart.c
+@@ -115,7 +115,7 @@ qca_tty_receive(struct serdev_device *se
+ if (!qca->rx_skb) {
+ netdev_dbg(netdev, "recv: out of RX resources\n");
+ n_stats->rx_errors++;
+- return i;
++ return i + 1;
+ }
+ }
+ }
--- /dev/null
+From 51f4e090b9f87b40c21b6daadb5c06e6c0a07b67 Mon Sep 17 00:00:00 2001
+From: Tyllis Xu <livelycarpet87@gmail.com>
+Date: Tue, 31 Mar 2026 23:47:07 -0500
+Subject: net: stmmac: fix integer underflow in chain mode
+
+From: Tyllis Xu <livelycarpet87@gmail.com>
+
+commit 51f4e090b9f87b40c21b6daadb5c06e6c0a07b67 upstream.
+
+The jumbo_frm() chain-mode implementation unconditionally computes
+
+ len = nopaged_len - bmax;
+
+where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is
+BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit()
+decides to invoke jumbo_frm() based on skb->len (total length including
+page fragments):
+
+ is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);
+
+When a packet has a small linear portion (nopaged_len <= bmax) but a
+large total length due to page fragments (skb->len > bmax), the
+subtraction wraps as an unsigned integer, producing a huge len value
+(~0xFFFFxxxx). This causes the while (len != 0) loop to execute
+hundreds of thousands of iterations, passing skb->data + bmax * i
+pointers far beyond the skb buffer to dma_map_single(). On IOMMU-less
+SoCs (the typical deployment for stmmac), this maps arbitrary kernel
+memory to the DMA engine, constituting a kernel memory disclosure and
+potential memory corruption from hardware.
+
+Fix this by introducing a buf_len local variable clamped to
+min(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then
+always safe: it is zero when the linear portion fits within a single
+descriptor, causing the while (len != 0) loop to be skipped naturally,
+and the fragment loop in stmmac_xmit() handles page fragments afterward.
+
+Fixes: 286a83721720 ("stmmac: add CHAINED descriptor mode support (V4)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tyllis Xu <LivelyCarpet87@gmail.com>
+Link: https://patch.msgid.link/20260401044708.1386919-1-LivelyCarpet87@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/chain_mode.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/chain_mode.c
++++ b/drivers/net/ethernet/stmicro/stmmac/chain_mode.c
+@@ -20,7 +20,7 @@ static int jumbo_frm(void *p, struct sk_
+ unsigned int nopaged_len = skb_headlen(skb);
+ struct stmmac_priv *priv = tx_q->priv_data;
+ unsigned int entry = tx_q->cur_tx;
+- unsigned int bmax, des2;
++ unsigned int bmax, buf_len, des2;
+ unsigned int i = 1, len;
+ struct dma_desc *desc;
+
+@@ -31,17 +31,18 @@ static int jumbo_frm(void *p, struct sk_
+ else
+ bmax = BUF_SIZE_2KiB;
+
+- len = nopaged_len - bmax;
++ buf_len = min_t(unsigned int, nopaged_len, bmax);
++ len = nopaged_len - buf_len;
+
+ des2 = dma_map_single(priv->device, skb->data,
+- bmax, DMA_TO_DEVICE);
++ buf_len, DMA_TO_DEVICE);
+ desc->des2 = cpu_to_le32(des2);
+ if (dma_mapping_error(priv->device, des2))
+ return -1;
+ tx_q->tx_skbuff_dma[entry].buf = des2;
+- tx_q->tx_skbuff_dma[entry].len = bmax;
++ tx_q->tx_skbuff_dma[entry].len = buf_len;
+ /* do not close the descriptor and do not set own bit */
+- stmmac_prepare_tx_desc(priv, desc, 1, bmax, csum, STMMAC_CHAIN_MODE,
++ stmmac_prepare_tx_desc(priv, desc, 1, buf_len, csum, STMMAC_CHAIN_MODE,
+ 0, false, skb->len);
+
+ while (len != 0) {
--- /dev/null
+From a9b8b18364fffce4c451e6f6fd218fa4ab646705 Mon Sep 17 00:00:00 2001
+From: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>
+Date: Fri, 3 Apr 2026 09:36:17 +0800
+Subject: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
+
+From: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>
+
+commit a9b8b18364fffce4c451e6f6fd218fa4ab646705 upstream.
+
+The -EBUSY handling in tls_do_encryption(), introduced by commit
+859054147318 ("net: tls: handle backlogging of crypto requests"), has
+a use-after-free due to double cleanup of encrypt_pending and the
+scatterlist entry.
+
+When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to
+the cryptd backlog and the async callback tls_encrypt_done() will be
+invoked upon completion. That callback unconditionally restores the
+scatterlist entry (sge->offset, sge->length) and decrements
+ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an
+error, the synchronous error path in tls_do_encryption() performs the
+same cleanup again, double-decrementing encrypt_pending and
+double-restoring the scatterlist.
+
+The double-decrement corrupts the encrypt_pending sentinel (initialized
+to 1), making tls_encrypt_async_wait() permanently skip the wait for
+pending async callbacks. A subsequent sendmsg can then free the
+tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still
+pending, resulting in a use-after-free when the callback fires on the
+freed record.
+
+Fix this by skipping the synchronous cleanup when the -EBUSY async
+wait returns an error, since the callback has already handled
+encrypt_pending and sge restoration.
+
+Fixes: 859054147318 ("net: tls: handle backlogging of crypto requests")
+Cc: stable@vger.kernel.org
+Signed-off-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://patch.msgid.link/20260403013617.2838875-1-ramdhan@starlabs.sg
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_sw.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -568,6 +568,16 @@ static int tls_do_encryption(struct sock
+ if (rc == -EBUSY) {
+ rc = tls_encrypt_async_wait(ctx);
+ rc = rc ?: -EINPROGRESS;
++ /*
++ * The async callback tls_encrypt_done() has already
++ * decremented encrypt_pending and restored the sge on
++ * both success and error. Skip the synchronous cleanup
++ * below on error, just remove the record and return.
++ */
++ if (rc != -EINPROGRESS) {
++ list_del(&rec->list);
++ return rc;
++ }
+ }
+ if (!rc || rc != -EINPROGRESS) {
+ atomic_dec(&ctx->encrypt_pending);
--- /dev/null
+From f8dca15a1b190787bbd03285304b569631160eda Mon Sep 17 00:00:00 2001
+From: Tuan Do <tuan@calif.io>
+Date: Fri, 3 Apr 2026 00:33:17 -0700
+Subject: netfilter: nft_ct: fix use-after-free in timeout object destroy
+
+From: Tuan Do <tuan@calif.io>
+
+commit f8dca15a1b190787bbd03285304b569631160eda upstream.
+
+nft_ct_timeout_obj_destroy() frees the timeout object with kfree()
+immediately after nf_ct_untimeout(), without waiting for an RCU grace
+period. Concurrent packet processing on other CPUs may still hold
+RCU-protected references to the timeout object obtained via
+rcu_dereference() in nf_ct_timeout_data().
+
+Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer
+freeing until after an RCU grace period, matching the approach already
+used in nfnetlink_cttimeout.c.
+
+KASAN report:
+ BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0
+ Read of size 4 at addr ffff8881035fe19c by task exploit/80
+
+ Call Trace:
+ nf_conntrack_tcp_packet+0x1381/0x29d0
+ nf_conntrack_in+0x612/0x8b0
+ nf_hook_slow+0x70/0x100
+ __ip_local_out+0x1b2/0x210
+ tcp_sendmsg_locked+0x722/0x1580
+ __sys_sendto+0x2d8/0x320
+
+ Allocated by task 75:
+ nft_ct_timeout_obj_init+0xf6/0x290
+ nft_obj_init+0x107/0x1b0
+ nf_tables_newobj+0x680/0x9c0
+ nfnetlink_rcv_batch+0xc29/0xe00
+
+ Freed by task 26:
+ nft_obj_destroy+0x3f/0xa0
+ nf_tables_trans_destroy_work+0x51c/0x5c0
+ process_one_work+0x2c4/0x5a0
+
+Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tuan Do <tuan@calif.io>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/netfilter/nf_conntrack_timeout.h | 1 +
+ net/netfilter/nft_ct.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/net/netfilter/nf_conntrack_timeout.h
++++ b/include/net/netfilter/nf_conntrack_timeout.h
+@@ -14,6 +14,7 @@
+ struct nf_ct_timeout {
+ __u16 l3num;
+ const struct nf_conntrack_l4proto *l4proto;
++ struct rcu_head rcu;
+ char data[];
+ };
+
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -935,7 +935,7 @@ static void nft_ct_timeout_obj_destroy(c
+ nf_queue_nf_hook_drop(ctx->net);
+ nf_ct_untimeout(ctx->net, timeout);
+ nf_ct_netns_put(ctx->net, ctx->family);
+- kfree(priv->timeout);
++ kfree_rcu(priv->timeout, rcu);
+ }
+
+ static int nft_ct_timeout_obj_dump(struct sk_buff *skb,
--- /dev/null
+From c71ba669b570c7b3f86ec875be222ea11dacb352 Mon Sep 17 00:00:00 2001
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Date: Sun, 5 Apr 2026 08:40:00 +0800
+Subject: nfc: pn533: allocate rx skb before consuming bytes
+
+From: Pengpeng Hou <pengpeng@iscas.ac.cn>
+
+commit c71ba669b570c7b3f86ec875be222ea11dacb352 upstream.
+
+pn532_receive_buf() reports the number of accepted bytes to the serdev
+core. The current code consumes bytes into recv_skb and may already hand
+a complete frame to pn533_recv_frame() before allocating a fresh receive
+buffer.
+
+If that alloc_skb() fails, the callback returns 0 even though it has
+already consumed bytes, and it leaves recv_skb as NULL for the next
+receive callback. That breaks the receive_buf() accounting contract and
+can also lead to a NULL dereference on the next skb_put_u8().
+
+Allocate the receive skb lazily before consuming the next byte instead.
+If allocation fails, return the number of bytes already accepted.
+
+Fixes: c656aa4c27b1 ("nfc: pn533: add UART phy driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
+Link: https://patch.msgid.link/20260405094003.3-pn533-v2-pengpeng@iscas.ac.cn
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/pn533/uart.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/nfc/pn533/uart.c
++++ b/drivers/nfc/pn533/uart.c
+@@ -211,6 +211,13 @@ static int pn532_receive_buf(struct serd
+
+ del_timer(&dev->cmd_timeout);
+ for (i = 0; i < count; i++) {
++ if (!dev->recv_skb) {
++ dev->recv_skb = alloc_skb(PN532_UART_SKB_BUFF_LEN,
++ GFP_KERNEL);
++ if (!dev->recv_skb)
++ return i;
++ }
++
+ if (unlikely(!skb_tailroom(dev->recv_skb)))
+ skb_trim(dev->recv_skb, 0);
+
+@@ -219,9 +226,7 @@ static int pn532_receive_buf(struct serd
+ continue;
+
+ pn533_recv_frame(dev->priv, dev->recv_skb, 0);
+- dev->recv_skb = alloc_skb(PN532_UART_SKB_BUFF_LEN, GFP_KERNEL);
+- if (!dev->recv_skb)
+- return 0;
++ dev->recv_skb = NULL;
+ }
+
+ return i;
apparmor-fix-differential-encoding-verification.patch
apparmor-fix-race-on-rawdata-dereference.patch
apparmor-fix-race-between-freeing-data-and-fs-accessing-it.patch
+netfilter-nft_ct-fix-use-after-free-in-timeout-object-destroy.patch
+tipc-fix-bc_ackers-underflow-on-duplicate-grp_ack_msg.patch
+wifi-brcmsmac-fix-dma_free_coherent-size.patch
+arm64-dts-hisilicon-poplar-correct-pcie-reset-gpio-polarity.patch
+arm64-dts-hisilicon-hi3798cv200-add-missing-dma-ranges.patch
+nfc-pn533-allocate-rx-skb-before-consuming-bytes.patch
+batman-adv-reject-oversized-global-tt-response-buffers.patch
+net-tls-fix-use-after-free-in-ebusy-error-path-of-tls_do_encryption.patch
+net-altera-tse-fix-skb-leak-on-dma-mapping-error-in-tse_start_xmit.patch
+drm-i915-gt-fix-refcount-underflow-in-intel_engine_park_heartbeat.patch
+mmc-vub300-fix-null-deref-on-disconnect.patch
+net-qualcomm-qca_uart-report-the-consumed-byte-on-rx-skb-allocation-failure.patch
+net-stmmac-fix-integer-underflow-in-chain-mode.patch
--- /dev/null
+From 48a5fe38772b6f039522469ee6131a67838221a8 Mon Sep 17 00:00:00 2001
+From: Oleh Konko <security@1seal.org>
+Date: Thu, 2 Apr 2026 09:48:57 +0000
+Subject: tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
+
+From: Oleh Konko <security@1seal.org>
+
+commit 48a5fe38772b6f039522469ee6131a67838221a8 upstream.
+
+The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements
+bc_ackers on every inbound group ACK, even when the same member has
+already acknowledged the current broadcast round.
+
+Because bc_ackers is a u16, a duplicate ACK received after the last
+legitimate ACK wraps the counter to 65535. Once wrapped,
+tipc_group_bc_cong() keeps reporting congestion and later group
+broadcasts on the affected socket stay blocked until the group is
+recreated.
+
+Fix this by ignoring duplicate or stale ACKs before touching bc_acked or
+bc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and
+prevents the underflow path.
+
+Fixes: 2f487712b893 ("tipc: guarantee that group broadcast doesn't bypass group unicast")
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleh Konko <security@1seal.org>
+Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/41a4833f368641218e444fdcff822039.security@1seal.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/group.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/group.c
++++ b/net/tipc/group.c
+@@ -746,6 +746,7 @@ void tipc_group_proto_rcv(struct tipc_gr
+ u32 port = msg_origport(hdr);
+ struct tipc_member *m, *pm;
+ u16 remitted, in_flight;
++ u16 acked;
+
+ if (!grp)
+ return;
+@@ -798,7 +799,10 @@ void tipc_group_proto_rcv(struct tipc_gr
+ case GRP_ACK_MSG:
+ if (!m)
+ return;
+- m->bc_acked = msg_grp_bc_acked(hdr);
++ acked = msg_grp_bc_acked(hdr);
++ if (less_eq(acked, m->bc_acked))
++ return;
++ m->bc_acked = acked;
+ if (--grp->bc_ackers)
+ return;
+ list_del_init(&m->small_win);
--- /dev/null
+From 12cd7632757a54ce586e36040210b1a738a0fc53 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Wed, 18 Feb 2026 14:07:37 +0100
+Subject: wifi: brcmsmac: Fix dma_free_coherent() size
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit 12cd7632757a54ce586e36040210b1a738a0fc53 upstream.
+
+dma_alloc_consistent() may change the size to align it. The new size is
+saved in alloced.
+
+Change the free size to match the allocation size.
+
+Fixes: 5b435de0d786 ("net: wireless: add brcm80211 drivers")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Link: https://patch.msgid.link/20260218130741.46566-3-fourier.thomas@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c
+@@ -483,7 +483,7 @@ static void *dma_ringalloc(struct dma_in
+ if (((desc_strtaddr + size - 1) & boundary) != (desc_strtaddr
+ & boundary)) {
+ *alignbits = dma_align_sizetobits(size);
+- dma_free_coherent(di->dmadev, size, va, *descpa);
++ dma_free_coherent(di->dmadev, *alloced, va, *descpa);
+ va = dma_alloc_consistent(di, size, *alignbits,
+ alloced, descpa);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
