6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 Aug 2025 11:22:15 +0000 (13:22 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 Aug 2025 11:22:15 +0000 (13:22 +0200)
added patches:
fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch
hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch
media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch
media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch
media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch
mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch
mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch
parisc-makefile-fix-a-typo-in-palo.conf.patch
rdma-siw-fix-the-sendmsg-byte-count-in-siw_tcp_sendpages.patch
tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch

queue-6.6/fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch [new file with mode: 0644]
queue-6.6/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch [new file with mode: 0644]
queue-6.6/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch [new file with mode: 0644]
queue-6.6/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch [new file with mode: 0644]
queue-6.6/media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch [new file with mode: 0644]
queue-6.6/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch [new file with mode: 0644]
queue-6.6/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch [new file with mode: 0644]
queue-6.6/parisc-makefile-fix-a-typo-in-palo.conf.patch [new file with mode: 0644]
queue-6.6/rdma-siw-fix-the-sendmsg-byte-count-in-siw_tcp_sendpages.patch [new file with mode: 0644]
queue-6.6/series
queue-6.6/tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch [new file with mode: 0644]

diff --git a/queue-6.6/fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch b/queue-6.6/fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch
new file mode 100644 (file)
index 0000000..7bf8a9d
--- /dev/null
@@ -0,0 +1,69 @@
+From af0db3c1f898144846d4c172531a199bb3ca375d Mon Sep 17 00:00:00 2001
+From: Sravan Kumar Gundu <sravankumarlpu@gmail.com>
+Date: Thu, 31 Jul 2025 15:36:18 -0500
+Subject: fbdev: Fix vmalloc out-of-bounds write in fast_imageblit
+
+From: Sravan Kumar Gundu <sravankumarlpu@gmail.com>
+
+commit af0db3c1f898144846d4c172531a199bb3ca375d upstream.
+
+This issue triggers when a userspace program does an ioctl
+FBIOPUT_CON2FBMAP by passing console number and frame buffer number.
+Ideally this maps console to frame buffer and updates the screen if
+console is visible.
+
+As part of mapping it has to do resize of console according to frame
+buffer info. if this resize fails and returns from vc_do_resize() and
+continues further. At this point console and new frame buffer are mapped
+and sets display vars. Despite failure still it continue to proceed
+updating the screen at later stages where vc_data is related to previous
+frame buffer and frame buffer info and display vars are mapped to new
+frame buffer and eventully leading to out-of-bounds write in
+fast_imageblit(). This bheviour is excepted only when fg_console is
+equal to requested console which is a visible console and updates screen
+with invalid struct references in fbcon_putcs().
+
+Reported-and-tested-by: syzbot+c4b7aa0513823e2ea880@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c4b7aa0513823e2ea880
+Signed-off-by: Sravan Kumar Gundu <sravankumarlpu@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/fbcon.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/video/fbdev/core/fbcon.c
++++ b/drivers/video/fbdev/core/fbcon.c
+@@ -808,7 +808,8 @@ static void con2fb_init_display(struct v
+                                  fg_vc->vc_rows);
+       }
+-      update_screen(vc_cons[fg_console].d);
++      if (fg_console != unit)
++              update_screen(vc_cons[fg_console].d);
+ }
+ /**
+@@ -1353,6 +1354,7 @@ static void fbcon_set_disp(struct fb_inf
+       struct vc_data *svc;
+       struct fbcon_ops *ops = info->fbcon_par;
+       int rows, cols;
++      unsigned long ret = 0;
+       p = &fb_display[unit];
+@@ -1403,11 +1405,10 @@ static void fbcon_set_disp(struct fb_inf
+       rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
+       cols /= vc->vc_font.width;
+       rows /= vc->vc_font.height;
+-      vc_resize(vc, cols, rows);
++      ret = vc_resize(vc, cols, rows);
+-      if (con_is_visible(vc)) {
++      if (con_is_visible(vc) && !ret)
+               update_screen(vc);
+-      }
+ }
+ static __inline__ void ywrap_up(struct vc_data *vc, int count)
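Review bot: `unsigned long ret = 0;` in fbcon_set_disp holds the result of vc_resize(), which returns an int (negative on failure); the `!ret` test still behaves correctly because any nonzero value is rejected, but the mismatched type hides the sign of the value and should be `int ret = 0;` to match the callee. The failure is otherwise dropped silently — fbcon_set_disp is void, so the caller cannot tell the console kept its old geometry while the display vars were already switched — so the `!ret` branch deserves a comment such as `/* vc_resize() failed: vc keeps its old geometry, do not redraw with the new display vars */`. Both changed functions, con2fb_init_display and fbcon_set_disp, start and end outside the hunks.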
diff --git a/queue-6.6/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch b/queue-6.6/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch
new file mode 100644 (file)
index 0000000..f868ca9
--- /dev/null
@@ -0,0 +1,145 @@
+From 33caa208dba6fa639e8a92fd0c8320b652e5550c Mon Sep 17 00:00:00 2001
+From: Haiyang Zhang <haiyangz@microsoft.com>
+Date: Wed, 6 Aug 2025 13:21:51 -0700
+Subject: hv_netvsc: Fix panic during namespace deletion with VF
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+commit 33caa208dba6fa639e8a92fd0c8320b652e5550c upstream.
+
+The existing code move the VF NIC to new namespace when NETDEV_REGISTER is
+received on netvsc NIC. During deletion of the namespace,
+default_device_exit_batch() >> default_device_exit_net() is called. When
+netvsc NIC is moved back and registered to the default namespace, it
+automatically brings VF NIC back to the default namespace. This will cause
+the default_device_exit_net() >> for_each_netdev_safe loop unable to detect
+the list end, and hit NULL ptr:
+
+[  231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0
+[  231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010
+[  231.450246] #PF: supervisor read access in kernel mode
+[  231.450579] #PF: error_code(0x0000) - not-present page
+[  231.450916] PGD 17b8a8067 P4D 0
+[  231.451163] Oops: Oops: 0000 [#1] SMP NOPTI
+[  231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY
+[  231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024
+[  231.452692] Workqueue: netns cleanup_net
+[  231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0
+[  231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00
+[  231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246
+[  231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb
+[  231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564
+[  231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000
+[  231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340
+[  231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340
+[  231.457161] FS:  0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000
+[  231.457707] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0
+[  231.458434] Call Trace:
+[  231.458600]  <TASK>
+[  231.458777]  ops_undo_list+0x100/0x220
+[  231.459015]  cleanup_net+0x1b8/0x300
+[  231.459285]  process_one_work+0x184/0x340
+
+To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid
+changing the netdev list when default_device_exit_net() is using it.
+
+Cc: stable@vger.kernel.org
+Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event")
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Link: https://patch.msgid.link/1754511711-11188-1-git-send-email-haiyangz@linux.microsoft.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/hyperv_net.h |    3 +++
+ drivers/net/hyperv/netvsc_drv.c |   29 ++++++++++++++++++++++++++++-
+ 2 files changed, 31 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/hyperv/hyperv_net.h
++++ b/drivers/net/hyperv/hyperv_net.h
+@@ -1061,6 +1061,7 @@ struct net_device_context {
+       struct net_device __rcu *vf_netdev;
+       struct netvsc_vf_pcpu_stats __percpu *vf_stats;
+       struct delayed_work vf_takeover;
++      struct delayed_work vfns_work;
+       /* 1: allocated, serial number is valid. 0: not allocated */
+       u32 vf_alloc;
+@@ -1075,6 +1076,8 @@ struct net_device_context {
+       struct netvsc_device_info *saved_netvsc_dev_info;
+ };
++void netvsc_vfns_work(struct work_struct *w);
++
+ /* Azure hosts don't support non-TCP port numbers in hashing for fragmented
+  * packets. We can use ethtool to change UDP hash level when necessary.
+  */
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -2513,6 +2513,7 @@ static int netvsc_probe(struct hv_device
+       spin_lock_init(&net_device_ctx->lock);
+       INIT_LIST_HEAD(&net_device_ctx->reconfig_events);
+       INIT_DELAYED_WORK(&net_device_ctx->vf_takeover, netvsc_vf_setup);
++      INIT_DELAYED_WORK(&net_device_ctx->vfns_work, netvsc_vfns_work);
+       net_device_ctx->vf_stats
+               = netdev_alloc_pcpu_stats(struct netvsc_vf_pcpu_stats);
+@@ -2655,6 +2656,8 @@ static void netvsc_remove(struct hv_devi
+       cancel_delayed_work_sync(&ndev_ctx->dwork);
+       rtnl_lock();
++      cancel_delayed_work_sync(&ndev_ctx->vfns_work);
++
+       nvdev = rtnl_dereference(ndev_ctx->nvdev);
+       if (nvdev) {
+               cancel_work_sync(&nvdev->subchan_work);
+@@ -2696,6 +2699,7 @@ static int netvsc_suspend(struct hv_devi
+       cancel_delayed_work_sync(&ndev_ctx->dwork);
+       rtnl_lock();
++      cancel_delayed_work_sync(&ndev_ctx->vfns_work);
+       nvdev = rtnl_dereference(ndev_ctx->nvdev);
+       if (nvdev == NULL) {
+@@ -2789,6 +2793,27 @@ static void netvsc_event_set_vf_ns(struc
+       }
+ }
++void netvsc_vfns_work(struct work_struct *w)
++{
++      struct net_device_context *ndev_ctx =
++              container_of(w, struct net_device_context, vfns_work.work);
++      struct net_device *ndev;
++
++      if (!rtnl_trylock()) {
++              schedule_delayed_work(&ndev_ctx->vfns_work, 1);
++              return;
++      }
++
++      ndev = hv_get_drvdata(ndev_ctx->device_ctx);
++      if (!ndev)
++              goto out;
++
++      netvsc_event_set_vf_ns(ndev);
++
++out:
++      rtnl_unlock();
++}
++
+ /*
+  * On Hyper-V, every VF interface is matched with a corresponding
+  * synthetic interface. The synthetic interface is presented first
+@@ -2799,10 +2824,12 @@ static int netvsc_netdev_event(struct no
+                              unsigned long event, void *ptr)
+ {
+       struct net_device *event_dev = netdev_notifier_info_to_dev(ptr);
++      struct net_device_context *ndev_ctx;
+       int ret = 0;
+       if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) {
+-              netvsc_event_set_vf_ns(event_dev);
++              ndev_ctx = netdev_priv(event_dev);
++              schedule_delayed_work(&ndev_ctx->vfns_work, 0);
+               return NOTIFY_DONE;
+       }
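Review bot: netvsc_vfns_work() takes rtnl via rtnl_trylock() with an unbounded self-reschedule on failure, and nothing in the function says why a plain rtnl_lock() is not used; the reason is visible elsewhere in the same patch — netvsc_remove() and netvsc_suspend() call cancel_delayed_work_sync(&ndev_ctx->vfns_work) while holding rtnl_lock(), so a work item blocked in rtnl_lock() would deadlock with the cancel. Record that above the trylock, e.g. `/* Must not block on rtnl: remove/suspend cancel this work while holding it */`, so the next cleanup does not replace it with rtnl_lock(). The 1-jiffy retry can re-run frequently while rtnl is contended; if that shows up in practice, a longer back-off would be worth considering. netvsc_netdev_event() continues outside the hunk.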
diff --git a/queue-6.6/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch b/queue-6.6/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch
new file mode 100644 (file)
index 0000000..835b946
--- /dev/null
@@ -0,0 +1,58 @@
+From bda2859bff0b9596a19648f3740c697ce4c71496 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Mon, 7 Jul 2025 18:34:01 +0000
+Subject: media: uvcvideo: Do not mark valid metadata as invalid
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit bda2859bff0b9596a19648f3740c697ce4c71496 upstream.
+
+Currently, the driver performs a length check of the metadata buffer
+before the actual metadata size is known and before the metadata is
+decided to be copied. This results in valid metadata buffers being
+incorrectly marked as invalid.
+
+Move the length check to occur after the metadata size is determined and
+is decided to be copied.
+
+Cc: stable@vger.kernel.org
+Fixes: 088ead255245 ("media: uvcvideo: Add a metadata device node")
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Hans de Goede <hansg@kernel.org>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Link: https://lore.kernel.org/r/20250707-uvc-meta-v8-1-ed17f8b1218b@chromium.org
+Signed-off-by: Hans de Goede <hansg@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_video.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -1414,12 +1414,6 @@ static void uvc_video_decode_meta(struct
+       if (!meta_buf || length == 2)
+               return;
+-      if (meta_buf->length - meta_buf->bytesused <
+-          length + sizeof(meta->ns) + sizeof(meta->sof)) {
+-              meta_buf->error = 1;
+-              return;
+-      }
+-
+       has_pts = mem[1] & UVC_STREAM_PTS;
+       has_scr = mem[1] & UVC_STREAM_SCR;
+@@ -1440,6 +1434,12 @@ static void uvc_video_decode_meta(struct
+                                 !memcmp(scr, stream->clock.last_scr, 6)))
+               return;
++      if (meta_buf->length - meta_buf->bytesused <
++          length + sizeof(meta->ns) + sizeof(meta->sof)) {
++              meta_buf->error = 1;
++              return;
++      }
++
+       meta = (struct uvc_meta_buf *)((u8 *)meta_buf->mem + meta_buf->bytesused);
+       local_irq_save(flags);
+       time = uvc_video_get_time();
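Review bot: the relocated capacity check carries no comment saying why it must sit after the early `return`s that skip copying, and a later reorder would reintroduce the spurious `meta_buf->error = 1` this patch removes; suggest `/* Only check for space once we know a record will actually be written */` above the new `if`. The subtraction `meta_buf->length - meta_buf->bytesused` is unguarded: if those fields are unsigned and bytesused could ever exceed length, the comparison would wrap and pass, so it is worth confirming that invariant is maintained by the caller — the types are not visible from the hunk. uvc_video_decode_meta() starts and ends outside the hunk.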
diff --git a/queue-6.6/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch b/queue-6.6/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch
new file mode 100644 (file)
index 0000000..853f2b5
--- /dev/null
@@ -0,0 +1,43 @@
+From 782b6a718651eda3478b1824b37a8b3185d2740c Mon Sep 17 00:00:00 2001
+From: Youngjun Lee <yjjuny.lee@samsung.com>
+Date: Tue, 10 Jun 2025 21:41:07 +0900
+Subject: media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
+
+From: Youngjun Lee <yjjuny.lee@samsung.com>
+
+commit 782b6a718651eda3478b1824b37a8b3185d2740c upstream.
+
+The buffer length check before calling uvc_parse_format() only ensured
+that the buffer has at least 3 bytes (buflen > 2), buf the function
+accesses buffer[3], requiring at least 4 bytes.
+
+This can lead to an out-of-bounds read if the buffer has exactly 3 bytes.
+
+Fix it by checking that the buffer has at least 4 bytes in
+uvc_parse_format().
+
+Signed-off-by: Youngjun Lee <yjjuny.lee@samsung.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Link: https://lore.kernel.org/r/20250610124107.37360-1-yjjuny.lee@samsung.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -235,6 +235,9 @@ static int uvc_parse_format(struct uvc_d
+       unsigned int i, n;
+       u8 ftype;
++      if (buflen < 4)
++              return -EINVAL;
++
+       format->type = buffer[2];
+       format->index = buffer[3];
+       format->frames = frames;
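Review bot: the new `buflen < 4` guard has no comment tying the constant to the accesses it protects, so it reads as a magic number; suggest `/* buffer[2] (type) and buffer[3] (index) are read unconditionally below */` above the check. This guard only covers the first four bytes; the rest of uvc_parse_format(), which continues outside the hunk, presumably reads further into buffer per format type and needs to keep its own length checks. Returning -EINVAL here matches the function's error convention as far as the hunk shows.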
diff --git a/queue-6.6/media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch b/queue-6.6/media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch
new file mode 100644 (file)
index 0000000..c63f60c
--- /dev/null
@@ -0,0 +1,197 @@
+From 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 Mon Sep 17 00:00:00 2001
+From: Vedang Nagar <quic_vnagar@quicinc.com>
+Date: Mon, 19 May 2025 12:42:22 +0530
+Subject: media: venus: Fix OOB read due to missing payload bound check
+
+From: Vedang Nagar <quic_vnagar@quicinc.com>
+
+commit 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 upstream.
+
+Currently, The event_seq_changed() handler processes a variable number
+of properties sent by the firmware. The number of properties is indicated
+by the firmware and used to iterate over the payload. However, the
+payload size is not being validated against the actual message length.
+
+This can lead to out-of-bounds memory access if the firmware provides a
+property count that exceeds the data available in the payload. Such a
+condition can result in kernel crashes or potential information leaks if
+memory beyond the buffer is accessed.
+
+Fix this by properly validating the remaining size of the payload before
+each property access and updating bounds accordingly as properties are
+parsed.
+
+This ensures that property parsing is safely bounded within the received
+message buffer and protects against malformed or malicious firmware
+behavior.
+
+Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vedang Nagar <quic_vnagar@quicinc.com>
+Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Co-developed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_msgs.c |   83 ++++++++++++++++++---------
+ 1 file changed, 58 insertions(+), 25 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/hfi_msgs.c
++++ b/drivers/media/platform/qcom/venus/hfi_msgs.c
+@@ -33,8 +33,9 @@ static void event_seq_changed(struct ven
+       struct hfi_buffer_requirements *bufreq;
+       struct hfi_extradata_input_crop *crop;
+       struct hfi_dpb_counts *dpb_count;
++      u32 ptype, rem_bytes;
++      u32 size_read = 0;
+       u8 *data_ptr;
+-      u32 ptype;
+       inst->error = HFI_ERR_NONE;
+@@ -44,86 +45,118 @@ static void event_seq_changed(struct ven
+               break;
+       default:
+               inst->error = HFI_ERR_SESSION_INVALID_PARAMETER;
+-              goto done;
++              inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event);
++              return;
+       }
+       event.event_type = pkt->event_data1;
+       num_properties_changed = pkt->event_data2;
+-      if (!num_properties_changed) {
+-              inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES;
+-              goto done;
+-      }
++      if (!num_properties_changed)
++              goto error;
+       data_ptr = (u8 *)&pkt->ext_event_data[0];
++      rem_bytes = pkt->shdr.hdr.size - sizeof(*pkt);
++
+       do {
++              if (rem_bytes < sizeof(u32))
++                      goto error;
+               ptype = *((u32 *)data_ptr);
++
++              data_ptr += sizeof(u32);
++              rem_bytes -= sizeof(u32);
++
+               switch (ptype) {
+               case HFI_PROPERTY_PARAM_FRAME_SIZE:
+-                      data_ptr += sizeof(u32);
++                      if (rem_bytes < sizeof(struct hfi_framesize))
++                              goto error;
++
+                       frame_sz = (struct hfi_framesize *)data_ptr;
+                       event.width = frame_sz->width;
+                       event.height = frame_sz->height;
+-                      data_ptr += sizeof(*frame_sz);
++                      size_read = sizeof(struct hfi_framesize);
+                       break;
+               case HFI_PROPERTY_PARAM_PROFILE_LEVEL_CURRENT:
+-                      data_ptr += sizeof(u32);
++                      if (rem_bytes < sizeof(struct hfi_profile_level))
++                              goto error;
++
+                       profile_level = (struct hfi_profile_level *)data_ptr;
+                       event.profile = profile_level->profile;
+                       event.level = profile_level->level;
+-                      data_ptr += sizeof(*profile_level);
++                      size_read = sizeof(struct hfi_profile_level);
+                       break;
+               case HFI_PROPERTY_PARAM_VDEC_PIXEL_BITDEPTH:
+-                      data_ptr += sizeof(u32);
++                      if (rem_bytes < sizeof(struct hfi_bit_depth))
++                              goto error;
++
+                       pixel_depth = (struct hfi_bit_depth *)data_ptr;
+                       event.bit_depth = pixel_depth->bit_depth;
+-                      data_ptr += sizeof(*pixel_depth);
++                      size_read = sizeof(struct hfi_bit_depth);
+                       break;
+               case HFI_PROPERTY_PARAM_VDEC_PIC_STRUCT:
+-                      data_ptr += sizeof(u32);
++                      if (rem_bytes < sizeof(struct hfi_pic_struct))
++                              goto error;
++
+                       pic_struct = (struct hfi_pic_struct *)data_ptr;
+                       event.pic_struct = pic_struct->progressive_only;
+-                      data_ptr += sizeof(*pic_struct);
++                      size_read = sizeof(struct hfi_pic_struct);
+                       break;
+               case HFI_PROPERTY_PARAM_VDEC_COLOUR_SPACE:
+-                      data_ptr += sizeof(u32);
++                      if (rem_bytes < sizeof(struct hfi_colour_space))
++                              goto error;
++
+                       colour_info = (struct hfi_colour_space *)data_ptr;
+                       event.colour_space = colour_info->colour_space;
+-                      data_ptr += sizeof(*colour_info);
++                      size_read = sizeof(struct hfi_colour_space);
+                       break;
+               case HFI_PROPERTY_CONFIG_VDEC_ENTROPY:
+-                      data_ptr += sizeof(u32);
++                      if (rem_bytes < sizeof(u32))
++                              goto error;
++
+                       event.entropy_mode = *(u32 *)data_ptr;
+-                      data_ptr += sizeof(u32);
++                      size_read = sizeof(u32);
+                       break;
+               case HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS:
+-                      data_ptr += sizeof(u32);
++                      if (rem_bytes < sizeof(struct hfi_buffer_requirements))
++                              goto error;
++
+                       bufreq = (struct hfi_buffer_requirements *)data_ptr;
+                       event.buf_count = hfi_bufreq_get_count_min(bufreq, ver);
+-                      data_ptr += sizeof(*bufreq);
++                      size_read = sizeof(struct hfi_buffer_requirements);
+                       break;
+               case HFI_INDEX_EXTRADATA_INPUT_CROP:
+-                      data_ptr += sizeof(u32);
++                      if (rem_bytes < sizeof(struct hfi_extradata_input_crop))
++                              goto error;
++
+                       crop = (struct hfi_extradata_input_crop *)data_ptr;
+                       event.input_crop.left = crop->left;
+                       event.input_crop.top = crop->top;
+                       event.input_crop.width = crop->width;
+                       event.input_crop.height = crop->height;
+-                      data_ptr += sizeof(*crop);
++                      size_read = sizeof(struct hfi_extradata_input_crop);
+                       break;
+               case HFI_PROPERTY_PARAM_VDEC_DPB_COUNTS:
+-                      data_ptr += sizeof(u32);
++                      if (rem_bytes < sizeof(struct hfi_dpb_counts))
++                              goto error;
++
+                       dpb_count = (struct hfi_dpb_counts *)data_ptr;
+                       event.buf_count = dpb_count->fw_min_cnt;
+-                      data_ptr += sizeof(*dpb_count);
++                      size_read = sizeof(struct hfi_dpb_counts);
+                       break;
+               default:
++                      size_read = 0;
+                       break;
+               }
++              data_ptr += size_read;
++              rem_bytes -= size_read;
+               num_properties_changed--;
+       } while (num_properties_changed > 0);
+-done:
++      inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event);
++      return;
++
++error:
++      inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES;
+       inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event);
+ }
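Review bot: `rem_bytes = pkt->shdr.hdr.size - sizeof(*pkt);` is computed in u32 without first checking that `hdr.size` is at least `sizeof(*pkt)`; unless the dispatcher already guarantees that minimum, a short header size from firmware underflows rem_bytes to a huge value and every `rem_bytes < sizeof(...)` check in the loop passes, reopening the OOB read this patch closes. Add `if (pkt->shdr.hdr.size < sizeof(*pkt)) goto error;` before the subtraction, or confirm the caller validates it and say so in a comment. Two smaller points: the `error` label reports HFI_ERR_SESSION_INSUFFICIENT_RESOURCES for a malformed payload, which is the pre-existing code but reads as the wrong category for a bounds failure, and the `default:` case sets `size_read = 0`, so an unknown ptype leaves data_ptr at that property's payload, which is then interpreted as the next ptype — unchanged behaviour, but worth a comment. event_seq_changed() starts before the first hunk.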
diff --git a/queue-6.6/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch b/queue-6.6/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch
new file mode 100644 (file)
index 0000000..6d0caa2
--- /dev/null
@@ -0,0 +1,64 @@
+From 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 Mon Sep 17 00:00:00 2001
+From: Breno Leitao <leitao@debian.org>
+Date: Thu, 31 Jul 2025 02:57:18 -0700
+Subject: mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock
+
+From: Breno Leitao <leitao@debian.org>
+
+commit 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 upstream.
+
+When netpoll is enabled, calling pr_warn_once() while holding
+kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock
+inversion with the netconsole subsystem.  This occurs because
+pr_warn_once() may trigger netpoll, which eventually leads to
+__alloc_skb() and back into kmemleak code, attempting to reacquire
+kmemleak_lock.
+
+This is the path for the deadlock.
+
+mem_pool_alloc()
+  -> raw_spin_lock_irqsave(&kmemleak_lock, flags);
+      -> pr_warn_once()
+          -> netconsole subsystem
+            -> netpoll
+                -> __alloc_skb
+                  -> __create_object
+                    -> raw_spin_lock_irqsave(&kmemleak_lock, flags);
+
+Fix this by setting a flag and issuing the pr_warn_once() after
+kmemleak_lock is released.
+
+Link: https://lkml.kernel.org/r/20250731-kmemleak_lock-v1-1-728fd470198f@debian.org
+Fixes: c5665868183f ("mm: kmemleak: use the memory pool for early allocations")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kmemleak.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -452,6 +452,7 @@ static struct kmemleak_object *mem_pool_
+ {
+       unsigned long flags;
+       struct kmemleak_object *object;
++      bool warn = false;
+       /* try the slab allocator first */
+       if (object_cache) {
+@@ -469,8 +470,10 @@ static struct kmemleak_object *mem_pool_
+       else if (mem_pool_free_count)
+               object = &mem_pool[--mem_pool_free_count];
+       else
+-              pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n");
++              warn = true;
+       raw_spin_unlock_irqrestore(&kmemleak_lock, flags);
++      if (warn)
++              pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n");
+       return object;
+ }
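Review bot: the deferred `warn` flag carries no comment, and the reason it exists — pr_warn_once() can recurse into the allocator via netconsole and try to retake kmemleak_lock — lives only in the commit message; suggest `/* Print outside kmemleak_lock: printk may recurse into kmemleak via netpoll */` above `if (warn)`. Without it, the next tidy-up is likely to fold the warning back into the else branch and restore the lock inversion. mem_pool_alloc() starts before the hunk and ends at its last line.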
diff --git a/queue-6.6/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch b/queue-6.6/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch
new file mode 100644 (file)
index 0000000..6c38f2f
--- /dev/null
@@ -0,0 +1,66 @@
+From d1534ae23c2b6be350c8ab060803fbf6e9682adc Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Mon, 28 Jul 2025 15:02:48 -0400
+Subject: mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()
+
+From: Waiman Long <longman@redhat.com>
+
+commit d1534ae23c2b6be350c8ab060803fbf6e9682adc upstream.
+
+A soft lockup warning was observed on a relative small system x86-64
+system with 16 GB of memory when running a debug kernel with kmemleak
+enabled.
+
+  watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134]
+
+The test system was running a workload with hot unplug happening in
+parallel.  Then kemleak decided to disable itself due to its inability to
+allocate more kmemleak objects.  The debug kernel has its
+CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000.
+
+The soft lockup happened in kmemleak_do_cleanup() when the existing
+kmemleak objects were being removed and deleted one-by-one in a loop via a
+workqueue.  In this particular case, there are at least 40,000 objects
+that need to be processed and given the slowness of a debug kernel and the
+fact that a raw_spinlock has to be acquired and released in
+__delete_object(), it could take a while to properly handle all these
+objects.
+
+As kmemleak has been disabled in this case, the object removal and
+deletion process can be further optimized as locking isn't really needed.
+However, it is probably not worth the effort to optimize for such an edge
+case that should rarely happen.  So the simple solution is to call
+cond_resched() at periodic interval in the iteration loop to avoid soft
+lockup.
+
+Link: https://lkml.kernel.org/r/20250728190248.605750-1-longman@redhat.com
+Signed-off-by: Waiman Long <longman@redhat.com>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kmemleak.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -2006,6 +2006,7 @@ static const struct file_operations kmem
+ static void __kmemleak_do_cleanup(void)
+ {
+       struct kmemleak_object *object, *tmp;
++      unsigned int cnt = 0;
+       /*
+        * Kmemleak has already been disabled, no need for RCU list traversal
+@@ -2014,6 +2015,10 @@ static void __kmemleak_do_cleanup(void)
+       list_for_each_entry_safe(object, tmp, &object_list, object_list) {
+               __remove_object(object);
+               __delete_object(object);
++
++              /* Call cond_resched() once per 64 iterations to avoid soft lockup */
++              if (!(++cnt & 0x3f))
++                      cond_resched();
+       }
+ }
diff --git a/queue-6.6/parisc-makefile-fix-a-typo-in-palo.conf.patch b/queue-6.6/parisc-makefile-fix-a-typo-in-palo.conf.patch
new file mode 100644 (file)
index 0000000..3e1aad7
--- /dev/null
@@ -0,0 +1,35 @@
+From 963f1b20a8d2a098954606b9725cd54336a2a86c Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Wed, 25 Jun 2025 00:39:33 -0700
+Subject: parisc: Makefile: fix a typo in palo.conf
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 963f1b20a8d2a098954606b9725cd54336a2a86c upstream.
+
+Correct "objree" to "objtree". "objree" is not defined.
+
+Fixes: 75dd47472b92 ("kbuild: remove src and obj from the top Makefile")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>
+Cc: Helge Deller <deller@gmx.de>
+Cc: linux-parisc@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v5.3+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/Makefile |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/Makefile
++++ b/arch/parisc/Makefile
+@@ -139,7 +139,7 @@ palo lifimage: vmlinuz
+       fi
+       @if test ! -f "$(PALOCONF)"; then \
+               cp $(srctree)/arch/parisc/defpalo.conf $(objtree)/palo.conf; \
+-              echo 'A generic palo config file ($(objree)/palo.conf) has been created for you.'; \
++              echo 'A generic palo config file ($(objtree)/palo.conf) has been created for you.'; \
+               echo 'You should check it and re-run "make palo".'; \
+               echo 'WARNING: the "lifimage" file is now placed in this directory by default!'; \
+               false; \
diff --git a/queue-6.6/rdma-siw-fix-the-sendmsg-byte-count-in-siw_tcp_sendpages.patch b/queue-6.6/rdma-siw-fix-the-sendmsg-byte-count-in-siw_tcp_sendpages.patch
new file mode 100644 (file)
index 0000000..2b4d8ce
--- /dev/null
@@ -0,0 +1,95 @@
+From c18646248fed07683d4cee8a8af933fc4fe83c0d Mon Sep 17 00:00:00 2001
+From: Pedro Falcato <pfalcato@suse.de>
+Date: Tue, 29 Jul 2025 13:03:48 +0100
+Subject: RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages
+
+From: Pedro Falcato <pfalcato@suse.de>
+
+commit c18646248fed07683d4cee8a8af933fc4fe83c0d upstream.
+
+Ever since commit c2ff29e99a76 ("siw: Inline do_tcp_sendpages()"),
+we have been doing this:
+
+static int siw_tcp_sendpages(struct socket *s, struct page **page, int offset,
+                             size_t size)
+[...]
+        /* Calculate the number of bytes we need to push, for this page
+         * specifically */
+        size_t bytes = min_t(size_t, PAGE_SIZE - offset, size);
+        /* If we can't splice it, then copy it in, as normal */
+        if (!sendpage_ok(page[i]))
+                msg.msg_flags &= ~MSG_SPLICE_PAGES;
+        /* Set the bvec pointing to the page, with len $bytes */
+        bvec_set_page(&bvec, page[i], bytes, offset);
+        /* Set the iter to $size, aka the size of the whole sendpages (!!!) */
+        iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size);
+try_page_again:
+        lock_sock(sk);
+        /* Sendmsg with $size size (!!!) */
+        rv = tcp_sendmsg_locked(sk, &msg, size);
+
+This means we've been sending oversized iov_iters and tcp_sendmsg calls
+for a while. This has a been a benign bug because sendpage_ok() always
+returned true. With the recent slab allocator changes being slowly
+introduced into next (that disallow sendpage on large kmalloc
+allocations), we have recently hit out-of-bounds crashes, due to slight
+differences in iov_iter behavior between the MSG_SPLICE_PAGES and
+"regular" copy paths:
+
+(MSG_SPLICE_PAGES)
+skb_splice_from_iter
+  iov_iter_extract_pages
+    iov_iter_extract_bvec_pages
+      uses i->nr_segs to correctly stop in its tracks before OoB'ing everywhere
+  skb_splice_from_iter gets a "short" read
+
+(!MSG_SPLICE_PAGES)
+skb_copy_to_page_nocache copy=iov_iter_count
+ [...]
+   copy_from_iter
+        /* this doesn't help */
+        if (unlikely(iter->count < len))
+                len = iter->count;
+          iterate_bvec
+            ... and we run off the bvecs
+
+Fix this by properly setting the iov_iter's byte count, plus sending the
+correct byte count to tcp_sendmsg_locked.
+
+Link: https://patch.msgid.link/r/20250729120348.495568-1-pfalcato@suse.de
+Cc: stable@vger.kernel.org
+Fixes: c2ff29e99a76 ("siw: Inline do_tcp_sendpages()")
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202507220801.50a7210-lkp@intel.com
+Reviewed-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Pedro Falcato <pfalcato@suse.de>
+Acked-by: Bernard Metzler <bernard.metzler@linux.dev>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/sw/siw/siw_qp_tx.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/sw/siw/siw_qp_tx.c
++++ b/drivers/infiniband/sw/siw/siw_qp_tx.c
+@@ -340,18 +340,17 @@ static int siw_tcp_sendpages(struct sock
+               if (!sendpage_ok(page[i]))
+                       msg.msg_flags &= ~MSG_SPLICE_PAGES;
+               bvec_set_page(&bvec, page[i], bytes, offset);
+-              iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size);
++              iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, bytes);
+ try_page_again:
+               lock_sock(sk);
+-              rv = tcp_sendmsg_locked(sk, &msg, size);
++              rv = tcp_sendmsg_locked(sk, &msg, bytes);
+               release_sock(sk);
+               if (rv > 0) {
+                       size -= rv;
+                       sent += rv;
+                       if (rv != bytes) {
+-                              offset += rv;
+                               bytes -= rv;
+                               goto try_page_again;
+                       }
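Review bot: The partial-send retry via `goto try_page_again` now appears to rely on tcp_sendmsg_locked() having advanced msg.msg_iter by exactly rv, because neither bvec_set_page() nor iov_iter_bvec() is re-run before the jump and the `offset += rv` adjustment is removed; that dependency is implicit and should be stated where `bytes -= rv` is done. A comment such as `/* msg_iter was advanced by rv inside tcp_sendmsg_locked(); only the remaining length of this page needs updating before retrying */` would keep a future reader from reintroducing an offset update that would no longer match the iterator state. The comparison `rv != bytes` mixes int and size_t and is only safe because of the `rv > 0` guard just above it; that is pre-existing code rather than part of this change, but worth keeping in mind if the loop is touched again. siw_tcp_sendpages() begins before the hunk and its body continues past it.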
index db9a2285e6cddb7f2cabd84c42e0885a256ca726..36a2d40b15764ac6e5dedd47897f9f27b1ed1e92 100644 (file)
@@ -317,3 +317,13 @@ btrfs-clear-dirty-status-from-extent-buffer-on-error-at-insert_new_root.patch
 btrfs-fix-log-tree-replay-failure-due-to-file-with-0-links-and-extents.patch
 btrfs-zoned-do-not-select-metadata-bg-as-finish-target.patch
 btrfs-do-not-allow-relocation-of-partially-dropped-subvolumes.patch
+fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch
+hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch
+parisc-makefile-fix-a-typo-in-palo.conf.patch
+mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch
+mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch
+media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch
+media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch
+media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch
+tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch
+rdma-siw-fix-the-sendmsg-byte-count-in-siw_tcp_sendpages.patch
diff --git a/queue-6.6/tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch b/queue-6.6/tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch
new file mode 100644 (file)
index 0000000..545f0f6
--- /dev/null
@@ -0,0 +1,46 @@
+From a477629baa2a0e9991f640af418e8c973a1c08e3 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Thu, 19 Jun 2025 11:30:51 +0200
+Subject: tools/nolibc: fix spelling of FD_SETBITMASK in FD_* macros
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Willy Tarreau <w@1wt.eu>
+
+commit a477629baa2a0e9991f640af418e8c973a1c08e3 upstream.
+
+While nolibc-test does test syscalls, it doesn't test as much the rest
+of the macros, and a wrong spelling of FD_SETBITMASK in commit
+feaf75658783a broke programs using either FD_SET() or FD_CLR() without
+being noticed. Let's fix these macros.
+
+Fixes: feaf75658783a ("nolibc: fix fd_set type")
+Cc: stable@vger.kernel.org # v6.2+
+Acked-by: Thomas Weißschuh <linux@weissschuh.net>
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/include/nolibc/types.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/include/nolibc/types.h
++++ b/tools/include/nolibc/types.h
+@@ -128,7 +128,7 @@ typedef struct {
+               int __fd = (fd);                                        \
+               if (__fd >= 0)                                          \
+                       __set->fds[__fd / FD_SETIDXMASK] &=             \
+-                              ~(1U << (__fd & FX_SETBITMASK));        \
++                              ~(1U << (__fd & FD_SETBITMASK));        \
+       } while (0)
+ #define FD_SET(fd, set) do {                                          \
+@@ -145,7 +145,7 @@ typedef struct {
+               int __r = 0;                                            \
+               if (__fd >= 0)                                          \
+                       __r = !!(__set->fds[__fd / FD_SETIDXMASK] &     \
+-1U << (__fd & FD_SET_BITMASK));                                               \
++1U << (__fd & FD_SETBITMASK));                                                \
+               __r;                                                    \
+       })