--- /dev/null
+From 5591ce0069ddda97cdbbea596bed53e698f399c2 Mon Sep 17 00:00:00 2001
+From: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
+Date: Thu, 24 Apr 2025 11:59:14 +0200
+Subject: arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2
+
+From: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
+
+commit 5591ce0069ddda97cdbbea596bed53e698f399c2 upstream.
+
+Define vqmmc regulator-gpio for usdhc2 with vin-supply
+coming from LDO5.
+
+Without this definition LDO5 will be powered down, disabling
+SD card after bootup. This has been introduced in commit
+f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5").
+
+Fixes: 6a57f224f734 ("arm64: dts: freescale: add initial support for verdin imx8m mini")
+Fixes: f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5")
+Tested-by: Manuel Traut <manuel.traut@mt.com>
+Reviewed-by: Philippe Schenker <philippe.schenker@impulsing.ch>
+Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 ++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi
+@@ -148,6 +148,19 @@
+ startup-delay-us = <20000>;
+ };
+
++ reg_usdhc2_vqmmc: regulator-usdhc2-vqmmc {
++ compatible = "regulator-gpio";
++ pinctrl-names = "default";
++ pinctrl-0 = <&pinctrl_usdhc2_vsel>;
++ gpios = <&gpio1 4 GPIO_ACTIVE_HIGH>;
++ regulator-max-microvolt = <3300000>;
++ regulator-min-microvolt = <1800000>;
++ states = <1800000 0x1>,
++ <3300000 0x0>;
++ regulator-name = "PMIC_USDHC_VSELECT";
++ vin-supply = <®_nvcc_sd>;
++ };
++
+ reserved-memory {
+ #address-cells = <2>;
+ #size-cells = <2>;
+@@ -266,7 +279,7 @@
+ "SODIMM_19",
+ "",
+ "",
+- "",
++ "PMIC_USDHC_VSELECT",
+ "",
+ "",
+ "",
+@@ -787,6 +800,7 @@
+ pinctrl-2 = <&pinctrl_usdhc2_200mhz>, <&pinctrl_usdhc2_cd>;
+ pinctrl-3 = <&pinctrl_usdhc2_sleep>, <&pinctrl_usdhc2_cd_sleep>;
+ vmmc-supply = <®_usdhc2_vmmc>;
++ vqmmc-supply = <®_usdhc2_vqmmc>;
+ };
+
+ &wdog1 {
+@@ -1209,13 +1223,17 @@
+ <MX8MM_IOMUXC_NAND_CLE_GPIO3_IO5 0x6>; /* SODIMM 76 */
+ };
+
++ pinctrl_usdhc2_vsel: usdhc2vselgrp {
++ fsl,pins =
++ <MX8MM_IOMUXC_GPIO1_IO04_GPIO1_IO4 0x10>; /* PMIC_USDHC_VSELECT */
++ };
++
+ /*
+ * Note: Due to ERR050080 we use discrete external on-module resistors pulling-up to the
+ * on-module +V3.3_1.8_SD (LDO5) rail and explicitly disable the internal pull-ups here.
+ */
+ pinctrl_usdhc2: usdhc2grp {
+ fsl,pins =
+- <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>,
+ <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x90>, /* SODIMM 78 */
+ <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x90>, /* SODIMM 74 */
+ <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x90>, /* SODIMM 80 */
+@@ -1226,7 +1244,6 @@
+
+ pinctrl_usdhc2_100mhz: usdhc2-100mhzgrp {
+ fsl,pins =
+- <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>,
+ <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x94>,
+ <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x94>,
+ <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x94>,
+@@ -1237,7 +1254,6 @@
+
+ pinctrl_usdhc2_200mhz: usdhc2-200mhzgrp {
+ fsl,pins =
+- <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>,
+ <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x96>,
+ <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x96>,
+ <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x96>,
+@@ -1249,7 +1265,6 @@
+ /* Avoid backfeeding with removed card power */
+ pinctrl_usdhc2_sleep: usdhc2slpgrp {
+ fsl,pins =
+- <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x0>,
+ <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x0>,
+ <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x0>,
+ <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x0>,
--- /dev/null
+From 0713a1b3276b98c7dafbeefef00d7bc3a9119a84 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Fri, 2 May 2025 16:13:46 +0200
+Subject: can: mcan: m_can_class_unregister(): fix order of unregistration calls
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 0713a1b3276b98c7dafbeefef00d7bc3a9119a84 upstream.
+
+If a driver is removed, the driver framework invokes the driver's
+remove callback. A CAN driver's remove function calls
+unregister_candev(), which calls net_device_ops::ndo_stop further down
+in the call stack for interfaces which are in the "up" state.
+
+The removal of the module causes a warning, as can_rx_offload_del()
+deletes the NAPI, while it is still active, because the interface is
+still up.
+
+To fix the warning, first unregister the network interface, which
+calls net_device_ops::ndo_stop, which disables the NAPI, and then call
+can_rx_offload_del().
+
+Fixes: 1be37d3b0414 ("can: m_can: fix periph RX path: use rx-offload to ensure skbs are sent from softirq context")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250502-can-rx-offload-del-v1-3-59a9b131589d@pengutronix.de
+Reviewed-by: Markus Schneider-Pargmann <msp@baylibre.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/m_can/m_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -2125,9 +2125,9 @@ EXPORT_SYMBOL_GPL(m_can_class_register);
+
+ void m_can_class_unregister(struct m_can_classdev *cdev)
+ {
++ unregister_candev(cdev->net);
+ if (cdev->is_peripheral)
+ can_rx_offload_del(&cdev->offload);
+- unregister_candev(cdev->net);
+ }
+ EXPORT_SYMBOL_GPL(m_can_class_unregister);
+
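Review bot: Nothing in m_can_class_unregister() records that the new call order is load-bearing, so a later cleanup could move can_rx_offload_del() back above unregister_candev() and reintroduce the NAPI warning. Add a comment above the first call, for example `/* unregister first: ndo_stop disables the NAPI that can_rx_offload_del() deletes */`. The same comment fits mcp251xfd_remove() in mcp251xfd-core.c, where mcp251xfd_unregister() now has to precede can_rx_offload_del() for the same reason; that function starts outside its hunk.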
--- /dev/null
+From 84f5eb833f53ae192baed4cfb8d9eaab43481fc9 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Fri, 2 May 2025 16:13:44 +0200
+Subject: can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 84f5eb833f53ae192baed4cfb8d9eaab43481fc9 upstream.
+
+If a driver is removed, the driver framework invokes the driver's
+remove callback. A CAN driver's remove function calls
+unregister_candev(), which calls net_device_ops::ndo_stop further down
+in the call stack for interfaces which are in the "up" state.
+
+With the mcp251xfd driver the removal of the module causes the
+following warning:
+
+| WARNING: CPU: 0 PID: 352 at net/core/dev.c:7342 __netif_napi_del_locked+0xc8/0xd8
+
+as can_rx_offload_del() deletes the NAPI, while it is still active,
+because the interface is still up.
+
+To fix the warning, first unregister the network interface, which
+calls net_device_ops::ndo_stop, which disables the NAPI, and then call
+can_rx_offload_del().
+
+Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250502-can-rx-offload-del-v1-1-59a9b131589d@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
+@@ -2179,8 +2179,8 @@ static void mcp251xfd_remove(struct spi_
+ struct mcp251xfd_priv *priv = spi_get_drvdata(spi);
+ struct net_device *ndev = priv->ndev;
+
+- can_rx_offload_del(&priv->offload);
+ mcp251xfd_unregister(priv);
++ can_rx_offload_del(&priv->offload);
+ spi->max_speed_hz = priv->spi_max_speed_hz_orig;
+ free_candev(ndev);
+ }
--- /dev/null
+From 650266ac4c7230c89bcd1307acf5c9c92cfa85e2 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Wed, 30 Apr 2025 11:05:54 +0300
+Subject: dm: add missing unlock on in dm_keyslot_evict()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 650266ac4c7230c89bcd1307acf5c9c92cfa85e2 upstream.
+
+We need to call dm_put_live_table() even if dm_get_live_table() returns
+NULL.
+
+Fixes: 9355a9eb21a5 ("dm: support key eviction from keyslot managers of underlying devices")
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-table.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -1242,7 +1242,7 @@ static int dm_keyslot_evict(struct blk_c
+
+ t = dm_get_live_table(md, &srcu_idx);
+ if (!t)
+- return 0;
++ goto put_live_table;
+
+ for (unsigned int i = 0; i < t->num_targets; i++) {
+ struct dm_target *ti = dm_table_get_target(t, i);
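Review bot: The reason the NULL branch must still reach dm_put_live_table() is not visible at the `if (!t)` test, and a bare `goto` there invites a later simplification back to `return 0;`. A one-line comment would pin it: `/* dm_get_live_table() holds the SRCU read lock even when it returns NULL */`. A read-side section that is never released can stall later table updates that wait on it, so the pairing is worth stating. The label is added in the next hunk, and dm_keyslot_evict() starts above this one.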
+@@ -1253,6 +1253,7 @@ static int dm_keyslot_evict(struct blk_c
+ (void *)key);
+ }
+
++put_live_table:
+ dm_put_live_table(md, srcu_idx);
+ return 0;
+ }
--- /dev/null
+From c23c03bf1faa1e76be1eba35bad6da6a2a7c95ee Mon Sep 17 00:00:00 2001
+From: Cristian Marussi <cristian.marussi@arm.com>
+Date: Mon, 10 Mar 2025 17:58:00 +0000
+Subject: firmware: arm_scmi: Fix timeout checks on polling path
+
+From: Cristian Marussi <cristian.marussi@arm.com>
+
+commit c23c03bf1faa1e76be1eba35bad6da6a2a7c95ee upstream.
+
+Polling mode transactions wait for a reply busy-looping without holding a
+spinlock, but currently the timeout checks are based only on elapsed time:
+as a result we could hit a false positive whenever our busy-looping thread
+is pre-empted and scheduled out for a time greater than the polling
+timeout.
+
+Change the checks at the end of the busy-loop to make sure that the polling
+wasn't indeed successful or an out-of-order reply caused the polling to be
+forcibly terminated.
+
+Fixes: 31d2f803c19c ("firmware: arm_scmi: Add sync_cmds_completed_on_ret transport flag")
+Reported-by: Huangjie <huangjie1663@phytium.com.cn>
+Closes: https://lore.kernel.org/arm-scmi/20250123083323.2363749-1-jackhuang021@gmail.com/
+Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
+Cc: stable@vger.kernel.org # 5.18.x
+Message-Id: <20250310175800.1444293-1-cristian.marussi@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/arm_scmi/driver.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/firmware/arm_scmi/driver.c
++++ b/drivers/firmware/arm_scmi/driver.c
+@@ -1017,7 +1017,8 @@ static void xfer_put(const struct scmi_p
+ }
+
+ static bool scmi_xfer_done_no_timeout(struct scmi_chan_info *cinfo,
+- struct scmi_xfer *xfer, ktime_t stop)
++ struct scmi_xfer *xfer, ktime_t stop,
++ bool *ooo)
+ {
+ struct scmi_info *info = handle_to_scmi_info(cinfo->handle);
+
+@@ -1026,7 +1027,7 @@ static bool scmi_xfer_done_no_timeout(st
+ * in case of out-of-order receptions of delayed responses
+ */
+ return info->desc->ops->poll_done(cinfo, xfer) ||
+- try_wait_for_completion(&xfer->done) ||
++ (*ooo = try_wait_for_completion(&xfer->done)) ||
+ ktime_after(ktime_get(), stop);
+ }
+
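Review bot: `(*ooo = try_wait_for_completion(&xfer->done))` hides a write to the caller's flag inside the predicate that spin_until_cond() re-evaluates, and because of the short-circuit `||` the flag is only written on iterations where poll_done() returned false. Neither the new parameter nor that ordering is documented. Extend the existing comment with something like `*ooo is set when the completion fired, i.e. an out-of-order reply ended the poll; it is left untouched when poll_done() succeeds first`, and consider a more descriptive name than `ooo`. The function's signature is in the previous hunk.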
+@@ -1042,15 +1043,17 @@ static int scmi_wait_for_reply(struct de
+ * itself to support synchronous commands replies.
+ */
+ if (!desc->sync_cmds_completed_on_ret) {
++ bool ooo = false;
++
+ /*
+ * Poll on xfer using transport provided .poll_done();
+ * assumes no completion interrupt was available.
+ */
+ ktime_t stop = ktime_add_ms(ktime_get(), timeout_ms);
+
+- spin_until_cond(scmi_xfer_done_no_timeout(cinfo,
+- xfer, stop));
+- if (ktime_after(ktime_get(), stop)) {
++ spin_until_cond(scmi_xfer_done_no_timeout(cinfo, xfer,
++ stop, &ooo));
++ if (!ooo && !info->desc->ops->poll_done(cinfo, xfer)) {
+ dev_err(dev,
+ "timed out in resp(caller: %pS) - polling\n",
+ (void *)_RET_IP_);
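Review bot: The new timeout test calls `info->desc->ops->poll_done()` although `desc` is already used a few lines up (`desc->sync_cmds_completed_on_ret`); assuming both name the same descriptor, `if (!ooo && !desc->ops->poll_done(cinfo, xfer)) {` is shorter and consistent. The extra poll_done() call after the loop also deserves a comment saying why elapsed time is no longer consulted, e.g. `/* re-check the result, not the clock: the poller may have been preempted past 'stop' */`. scmi_wait_for_reply() begins and ends outside this hunk.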
--- /dev/null
+From 36991c1ccde2d5a521577c448ffe07fcccfe104d Mon Sep 17 00:00:00 2001
+From: Sean Heelan <seanheelan@gmail.com>
+Date: Tue, 6 May 2025 22:04:52 +0900
+Subject: ksmbd: Fix UAF in __close_file_table_ids
+
+From: Sean Heelan <seanheelan@gmail.com>
+
+commit 36991c1ccde2d5a521577c448ffe07fcccfe104d upstream.
+
+A use-after-free is possible if one thread destroys the file
+via __ksmbd_close_fd while another thread holds a reference to
+it. The existing checks on fp->refcount are not sufficient to
+prevent this.
+
+The fix takes ft->lock around the section which removes the
+file from the file table. This prevents two threads acquiring the
+same file pointer via __close_file_table_ids, as well as the other
+functions which retrieve a file from the IDR and which already use
+this same lock.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Heelan <seanheelan@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/vfs_cache.c | 33 ++++++++++++++++++++++++++-------
+ 1 file changed, 26 insertions(+), 7 deletions(-)
+
+--- a/fs/smb/server/vfs_cache.c
++++ b/fs/smb/server/vfs_cache.c
+@@ -644,21 +644,40 @@ __close_file_table_ids(struct ksmbd_file
+ bool (*skip)(struct ksmbd_tree_connect *tcon,
+ struct ksmbd_file *fp))
+ {
+- unsigned int id;
+- struct ksmbd_file *fp;
+- int num = 0;
++ struct ksmbd_file *fp;
++ unsigned int id = 0;
++ int num = 0;
+
+- idr_for_each_entry(ft->idr, fp, id) {
+- if (skip(tcon, fp))
++ while (1) {
++ write_lock(&ft->lock);
++ fp = idr_get_next(ft->idr, &id);
++ if (!fp) {
++ write_unlock(&ft->lock);
++ break;
++ }
++
++ if (skip(tcon, fp) ||
++ !atomic_dec_and_test(&fp->refcount)) {
++ id++;
++ write_unlock(&ft->lock);
+ continue;
++ }
+
+ set_close_state_blocked_works(fp);
++ idr_remove(ft->idr, fp->volatile_id);
++ fp->volatile_id = KSMBD_NO_FID;
++ write_unlock(&ft->lock);
++
++ down_write(&fp->f_ci->m_lock);
++ list_del_init(&fp->node);
++ up_write(&fp->f_ci->m_lock);
+
+- if (!atomic_dec_and_test(&fp->refcount))
+- continue;
+ __ksmbd_close_fd(ft, fp);
++
+ num++;
++ id++;
+ }
++
+ return num;
+ }
+
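Review bot: Folding the refcount test into the skip test changes when set_close_state_blocked_works() runs: the removed lines called it for every file that was not skipped, while the new loop only reaches it after `atomic_dec_and_test(&fp->refcount)` has returned true. A file that another thread still references therefore has its count dropped here, but its blocked works are no longer marked. If that is intended, say so in a comment next to the combined condition; if not, test `skip()` first, call set_close_state_blocked_works(), and only then do the decrement, all still under ft->lock. Separately, `skip()` is now called with `ft->lock` write-held, which the callback contract should state, for example `/* @skip runs under ft->lock and must not sleep */`.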
--- /dev/null
+From 0ca6df4f40cf4c32487944aaf48319cb6c25accc Mon Sep 17 00:00:00 2001
+From: Norbert Szetei <norbert@doyensec.com>
+Date: Fri, 2 May 2025 08:21:58 +0900
+Subject: ksmbd: prevent out-of-bounds stream writes by validating *pos
+
+From: Norbert Szetei <norbert@doyensec.com>
+
+commit 0ca6df4f40cf4c32487944aaf48319cb6c25accc upstream.
+
+ksmbd_vfs_stream_write() did not validate whether the write offset
+(*pos) was within the bounds of the existing stream data length (v_len).
+If *pos was greater than or equal to v_len, this could lead to an
+out-of-bounds memory write.
+
+This patch adds a check to ensure *pos is less than v_len before
+proceeding. If the condition fails, -EINVAL is returned.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Norbert Szetei <norbert@doyensec.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/vfs.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -443,6 +443,13 @@ static int ksmbd_vfs_stream_write(struct
+ goto out;
+ }
+
++ if (v_len <= *pos) {
++ pr_err("stream write position %lld is out of bounds (stream length: %zd)\n",
++ *pos, v_len);
++ err = -EINVAL;
++ goto out;
++ }
++
+ if (v_len < size) {
+ wbuf = kvzalloc(size, GFP_KERNEL);
+ if (!wbuf) {
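Review bot: The comparison `v_len <= *pos` also rejects `*pos == v_len`, a write that starts exactly at the end of the existing stream data, and with it any write at offset 0 into a stream whose stored length is 0. The `if (v_len < size)` branch just below allocates a larger buffer, which suggests that growing the stream is a supported case; if so, the bound belongs on the buffer that is finally written to rather than on the old length. Please confirm against the part of ksmbd_vfs_stream_write() outside this hunk. The new pr_err() is reachable from a client-supplied offset, so a rate-limited form such as `pr_err_ratelimited(...)` would keep a misbehaving client from flooding the log.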
--- /dev/null
+From 53e3e5babc0963a92d856a5ec0ce92c59f54bc12 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Wed, 30 Apr 2025 11:18:28 +0900
+Subject: ksmbd: prevent rename with empty string
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 53e3e5babc0963a92d856a5ec0ce92c59f54bc12 upstream.
+
+Client can send empty newname string to ksmbd server.
+It will cause a kernel oops from d_alloc.
+This patch returns an error when attempting to rename
+a file or directory with an empty new name string.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -632,6 +632,11 @@ smb2_get_name(const char *src, const int
+ return name;
+ }
+
++ if (*name == '\0') {
++ kfree(name);
++ return ERR_PTR(-EINVAL);
++ }
++
+ if (*name == '\\') {
+ pr_err("not allow directory name included leading slash\n");
+ kfree(name);
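Review bot: The empty-name check sits in smb2_get_name(), which by its name and signature looks like a general name-conversion helper, while the commit message only talks about rename; every other caller now gets -EINVAL for an empty name as well. Confirm that no caller relies on an empty result, and record the reason at the check, e.g. `/* an empty name would oops in d_alloc() */`. If the function trims or rewrites the name further down (outside this hunk), repeating the emptiness test after that step would be the safer place.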
--- /dev/null
+dm-add-missing-unlock-on-in-dm_keyslot_evict.patch
+arm64-dts-imx8mm-verdin-link-reg_usdhc2_vqmmc-to-usdhc2.patch
+firmware-arm_scmi-fix-timeout-checks-on-polling-path.patch
+can-mcan-m_can_class_unregister-fix-order-of-unregistration-calls.patch
+wifi-cfg80211-fix-out-of-bounds-access-during-multi-link-element-defragmentation.patch
+can-mcp251xfd-mcp251xfd_remove-fix-order-of-unregistration-calls.patch
+ksmbd-prevent-rename-with-empty-string.patch
+ksmbd-prevent-out-of-bounds-stream-writes-by-validating-pos.patch
+ksmbd-fix-uaf-in-__close_file_table_ids.patch
--- /dev/null
+From 023c1f2f0609218103cbcb48e0104b144d4a16dc Mon Sep 17 00:00:00 2001
+From: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
+Date: Thu, 24 Apr 2025 18:01:42 +0530
+Subject: wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation
+
+From: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
+
+commit 023c1f2f0609218103cbcb48e0104b144d4a16dc upstream.
+
+Currently during the multi-link element defragmentation process, the
+multi-link element length is added to the total IEs length when calculating
+the length of remaining IEs after the multi-link element in
+cfg80211_defrag_mle(). This could lead to out-of-bounds access if the
+multi-link element or its corresponding fragment elements are the last
+elements in the IEs buffer.
+
+To address this issue, correctly calculate the remaining IEs length by
+deducting the multi-link element end offset from total IEs end offset.
+
+Cc: stable@vger.kernel.org
+Fixes: 2481b5da9c6b ("wifi: cfg80211: handle BSS data contained in ML probe responses")
+Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
+Link: https://patch.msgid.link/20250424-fix_mle_defragmentation_oob_access-v1-1-84412a1743fa@quicinc.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -2511,7 +2511,7 @@ cfg80211_defrag_mle(const struct element
+ /* Required length for first defragmentation */
+ buf_len = mle->datalen - 1;
+ for_each_element(elem, mle->data + mle->datalen,
+- ielen - sizeof(*mle) + mle->datalen) {
++ ie + ielen - mle->data - mle->datalen) {
+ if (elem->id != WLAN_EID_FRAGMENT)
+ break;
+
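Review bot: The end of the multi-link element is now computed twice in the `for_each_element()` call, once as the start pointer and once inside the length expression, and the length is a pointer difference that is only non-negative if `mle` lies inside `[ie, ie + ielen)`. A named local makes both the arithmetic and the assumption readable: `const u8 *mle_end = mle->data + mle->datalen;` followed by `for_each_element(elem, mle_end, ie + ielen - mle_end) {`. A short comment that `mle` was taken from the `ie` buffer would document why the subtraction cannot go negative; that lookup is outside this hunk.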