--- /dev/null
+From 7da57a1cadd7e6da6a7dfa30506a9a36c378ded2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 21:13:57 -0700
+Subject: af_unix: Don't set -ECONNRESET for consumed OOB skb.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 2a5a4841846b079b5fca5752fe94e59346fbda40 ]
+
+Christian Brauner reported that even after MSG_OOB data is consumed,
+calling close() on the receiver socket causes the peer's recv() to
+return -ECONNRESET:
+
+ 1. send() and recv() an OOB data.
+
+ >>> from socket import *
+ >>> s1, s2 = socketpair(AF_UNIX, SOCK_STREAM)
+ >>> s1.send(b'x', MSG_OOB)
+ 1
+ >>> s2.recv(1, MSG_OOB)
+ b'x'
+
+ 2. close() for s2 sets ECONNRESET to s1->sk_err even though
+ s2 consumed the OOB data
+
+ >>> s2.close()
+ >>> s1.recv(10, MSG_DONTWAIT)
+ ...
+ ConnectionResetError: [Errno 104] Connection reset by peer
+
+Even after being consumed, the skb holding the OOB 1-byte data stays in
+the recv queue to mark the OOB boundary and break recv() at that point.
+
+This must be considered while close()ing a socket.
+
+Let's skip the leading consumed OOB skb while checking the -ECONNRESET
+condition in unix_release_sock().
+
+Fixes: 314001f0bf92 ("af_unix: Add OOB support")
+Reported-by: Christian Brauner <brauner@kernel.org>
+Closes: https://lore.kernel.org/netdev/20250529-sinkt-abfeuern-e7b08200c6b0@brauner/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Acked-by: Christian Brauner <brauner@kernel.org>
+Link: https://patch.msgid.link/20250619041457.1132791-4-kuni1840@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index eb916b2eb6739..12c4a27e1655c 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -516,6 +516,11 @@ static void unix_sock_destructor(struct sock *sk)
+ #endif
+ }
+
++static unsigned int unix_skb_len(const struct sk_buff *skb)
++{
++ return skb->len - UNIXCB(skb).consumed;
++}
++
+ static void unix_release_sock(struct sock *sk, int embrion)
+ {
+ struct unix_sock *u = unix_sk(sk);
+@@ -552,10 +557,16 @@ static void unix_release_sock(struct sock *sk, int embrion)
+
+ if (skpair != NULL) {
+ if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) {
++ struct sk_buff *skb = skb_peek(&sk->sk_receive_queue);
++
++#if IS_ENABLED(CONFIG_AF_UNIX_OOB)
++ if (skb && !unix_skb_len(skb))
++ skb = skb_peek_next(skb, &sk->sk_receive_queue);
++#endif
+ unix_state_lock(skpair);
+ /* No more writes */
+ WRITE_ONCE(skpair->sk_shutdown, SHUTDOWN_MASK);
+- if (!skb_queue_empty_lockless(&sk->sk_receive_queue) || embrion)
++ if (skb || embrion)
+ WRITE_ONCE(skpair->sk_err, ECONNRESET);
+ unix_state_unlock(skpair);
+ skpair->sk_state_change(skpair);
+@@ -2479,11 +2490,6 @@ static long unix_stream_data_wait(struct sock *sk, long timeo,
+ return timeo;
+ }
+
+-static unsigned int unix_skb_len(const struct sk_buff *skb)
+-{
+- return skb->len - UNIXCB(skb).consumed;
+-}
+-
+ struct unix_stream_read_state {
+ int (*recv_actor)(struct sk_buff *, int, int,
+ struct unix_stream_read_state *);
+--
+2.39.5
+
--- /dev/null
+From d33bd5d603c640964251f0dfceeba01c9dc2bc63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 20:05:25 +0900
+Subject: ALSA: usb-audio: Fix out-of-bounds read in
+ snd_usb_get_audioformat_uac3()
+
+From: Youngjun Lee <yjjuny.lee@samsung.com>
+
+[ Upstream commit fb4e2a6e8f28a3c0ad382e363aeb9cd822007b8a ]
+
+In snd_usb_get_audioformat_uac3(), the length value returned from
+snd_usb_ctl_msg() is used directly for memory allocation without
+validation. This length is controlled by the USB device.
+
+The allocated buffer is cast to a uac3_cluster_header_descriptor
+and its fields are accessed without verifying that the buffer
+is large enough. If the device returns a smaller than expected
+length, this leads to an out-of-bounds read.
+
+Add a length check to ensure the buffer is large enough for
+uac3_cluster_header_descriptor.
+
+Signed-off-by: Youngjun Lee <yjjuny.lee@samsung.com>
+Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
+Link: https://patch.msgid.link/20250623-uac3-oob-fix-v1-1-527303eaf40a@samsung.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/stream.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/usb/stream.c b/sound/usb/stream.c
+index e14c725acebf2..0f1558ef85553 100644
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -982,6 +982,8 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
+ * and request Cluster Descriptor
+ */
+ wLength = le16_to_cpu(hc_header.wLength);
++ if (wLength < sizeof(cluster))
++ return NULL;
+ cluster = kzalloc(wLength, GFP_KERNEL);
+ if (!cluster)
+ return ERR_PTR(-ENOMEM);
+--
+2.39.5
+
--- /dev/null
+From 67b0034a9a773c9880756920fee4bb2f5aa1661f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 14:28:44 +0000
+Subject: atm: clip: prevent NULL deref in clip_push()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b993ea46b3b601915ceaaf3c802adf11e7d6bac6 ]
+
+Blamed commit missed that vcc_destroy_socket() calls
+clip_push() with a NULL skb.
+
+If clip_devs is NULL, clip_push() then crashes when reading
+skb->truesize.
+
+Fixes: 93a2014afbac ("atm: fix a UAF in lec_arp_clear_vccs()")
+Reported-by: syzbot+1316233c4c6803382a8b@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/68556f59.a00a0220.137b3.004e.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Gengming Liu <l.dmxcsnsbh@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/clip.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/net/atm/clip.c b/net/atm/clip.c
+index 294cb9efe3d38..511467bb7fe40 100644
+--- a/net/atm/clip.c
++++ b/net/atm/clip.c
+@@ -193,12 +193,6 @@ static void clip_push(struct atm_vcc *vcc, struct sk_buff *skb)
+
+ pr_debug("\n");
+
+- if (!clip_devs) {
+- atm_return(vcc, skb->truesize);
+- kfree_skb(skb);
+- return;
+- }
+-
+ if (!skb) {
+ pr_debug("removing VCC %p\n", clip_vcc);
+ if (clip_vcc->entry)
+@@ -208,6 +202,11 @@ static void clip_push(struct atm_vcc *vcc, struct sk_buff *skb)
+ return;
+ }
+ atm_return(vcc, skb->truesize);
++ if (!clip_devs) {
++ kfree_skb(skb);
++ return;
++ }
++
+ skb->dev = clip_vcc->entry ? clip_vcc->entry->neigh->dev : clip_devs;
+ /* clip_vcc->entry == NULL if we don't have an IP address yet */
+ if (!skb->dev) {
+--
+2.39.5
+
--- /dev/null
+From 4f79a5a454ee554a80ed2b4a09ceed7a997167db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 14:45:00 -0700
+Subject: atm: Release atm_dev_mutex after removing procfs in
+ atm_dev_deregister().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit a433791aeaea6e84df709e0b9584b9bbe040cd1c ]
+
+syzbot reported a warning below during atm_dev_register(). [0]
+
+Before creating a new device and procfs/sysfs for it, atm_dev_register()
+looks up a duplicated device by __atm_dev_lookup(). These operations are
+done under atm_dev_mutex.
+
+However, when removing a device in atm_dev_deregister(), it releases the
+mutex just after removing the device from the list that __atm_dev_lookup()
+iterates over.
+
+So, there will be a small race window where the device does not exist on
+the device list but procfs/sysfs are still not removed, triggering the
+splat.
+
+Let's hold the mutex until procfs/sysfs are removed in
+atm_dev_deregister().
+
+[0]:
+proc_dir_entry 'atm/atmtcp:0' already registered
+WARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377
+Modules linked in:
+CPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
+RIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377
+Code: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 <0f> 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48
+RSP: 0018:ffffc9000466fa30 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248
+RDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001
+RBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140
+R13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444
+FS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ proc_create_data+0xbe/0x110 fs/proc/generic.c:585
+ atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361
+ atm_dev_register+0x46d/0x890 net/atm/resources.c:113
+ atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369
+ atmtcp_attach drivers/atm/atmtcp.c:403 [inline]
+ atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464
+ do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159
+ sock_do_ioctl+0x115/0x280 net/socket.c:1190
+ sock_ioctl+0x227/0x6b0 net/socket.c:1311
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:907 [inline]
+ __se_sys_ioctl fs/ioctl.c:893 [inline]
+ __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f38b3b74459
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459
+RDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005
+RBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f
+R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac
+R13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b
+ </TASK>
+
+Fixes: 64bf69ddff76 ("[ATM]: deregistration removes device from atm_devs list immediately")
+Reported-by: syzbot+8bd335d2ad3b93e80715@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/685316de.050a0220.216029.0087.GAE@google.com/
+Tested-by: syzbot+8bd335d2ad3b93e80715@syzkaller.appspotmail.com
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250624214505.570679-1-kuni1840@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/resources.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/atm/resources.c b/net/atm/resources.c
+index 995d29e7fb138..b19d851e1f443 100644
+--- a/net/atm/resources.c
++++ b/net/atm/resources.c
+@@ -146,11 +146,10 @@ void atm_dev_deregister(struct atm_dev *dev)
+ */
+ mutex_lock(&atm_dev_mutex);
+ list_del(&dev->dev_list);
+- mutex_unlock(&atm_dev_mutex);
+-
+ atm_dev_release_vccs(dev);
+ atm_unregister_sysfs(dev);
+ atm_proc_dev_deregister(dev);
++ mutex_unlock(&atm_dev_mutex);
+
+ atm_dev_put(dev);
+ }
+--
+2.39.5
+
--- /dev/null
+From 20dc6c62cb90cfcacca8ab83fd7a64630498da6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Jun 2025 18:03:29 -0400
+Subject: attach_recursive_mnt(): do not lock the covering tree when sliding
+ something under it
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit ce7df19686530920f2f6b636e71ce5eb1d9303ef ]
+
+If we are propagating across the userns boundary, we need to lock the
+mounts added there. However, in case when something has already
+been mounted there and we end up sliding a new tree under that,
+the stuff that had been there before should not get locked.
+
+IOW, lock_mnt_tree() should be called before we reparent the
+preexisting tree on top of what we are adding.
+
+Fixes: 3bd045cc9c4b ("separate copying and locking mount tree on cross-userns copies")
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/namespace.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 900738eab33ff..adb966833a4b9 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2205,14 +2205,14 @@ static int attach_recursive_mnt(struct mount *source_mnt,
+ hlist_for_each_entry_safe(child, n, &tree_list, mnt_hash) {
+ struct mount *q;
+ hlist_del_init(&child->mnt_hash);
+- q = __lookup_mnt(&child->mnt_parent->mnt,
+- child->mnt_mountpoint);
+- if (q)
+- mnt_change_mountpoint(child, smp, q);
+ /* Notice when we are propagating across user namespaces */
+ if (child->mnt_parent->mnt_ns->user_ns != user_ns)
+ lock_mnt_tree(child);
+ child->mnt.mnt_flags &= ~MNT_LOCKED;
++ q = __lookup_mnt(&child->mnt_parent->mnt,
++ child->mnt_mountpoint);
++ if (q)
++ mnt_change_mountpoint(child, smp, q);
+ commit_tree(child);
+ }
+ put_mountpoint(smp);
+--
+2.39.5
+
--- /dev/null
+From 70c33cfb9063e92fcab2fcb654f541c36861fdc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 09:19:33 +0800
+Subject: libbpf: Fix null pointer dereference in btf_dump__free on allocation
+ failure
+
+From: Yuan Chen <chenyuan@kylinos.cn>
+
+[ Upstream commit aa485e8789d56a4573f7c8d000a182b749eaa64d ]
+
+When btf_dump__new() fails to allocate memory for the internal hashmap
+(btf_dump->type_names), it returns an error code. However, the cleanup
+function btf_dump__free() does not check if btf_dump->type_names is NULL
+before attempting to free it. This leads to a null pointer dereference
+when btf_dump__free() is called on a btf_dump object.
+
+Fixes: 351131b51c7a ("libbpf: add btf_dump API for BTF-to-C conversion")
+Signed-off-by: Yuan Chen <chenyuan@kylinos.cn>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250618011933.11423-1-chenyuan_fl@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf_dump.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c
+index c2bf996fcba82..d62b2d2e8aacb 100644
+--- a/tools/lib/bpf/btf_dump.c
++++ b/tools/lib/bpf/btf_dump.c
+@@ -220,6 +220,9 @@ static void btf_dump_free_names(struct hashmap *map)
+ size_t bkt;
+ struct hashmap_entry *cur;
+
++ if (!map)
++ return;
++
+ hashmap__for_each_entry(map, cur, bkt)
+ free((void *)cur->key);
+
+--
+2.39.5
+
--- /dev/null
+From 4072e3a098fccca4daa4dbdab6f6155b0803a799 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 17:35:12 +0100
+Subject: net: enetc: Correct endianness handling in _enetc_rd_reg64
+
+From: Simon Horman <horms@kernel.org>
+
+[ Upstream commit 7b515f35a911fdc31fbde6531828dcd6ae9803d3 ]
+
+enetc_hw.h provides two versions of _enetc_rd_reg64.
+One which simply calls ioread64() when available.
+And another that composes the 64-bit result from ioread32() calls.
+
+In the second case the code appears to assume that each ioread32() call
+returns a little-endian value. However both the shift and logical or
+used to compose the return value would not work correctly on big endian
+systems if this were the case. Moreover, this is inconsistent with the
+first case where the return value of ioread64() is assumed to be in host
+byte order.
+
+It appears that the correct approach is for both versions to treat the
+return value of ioread*() functions as being in host byte order. And
+this patch corrects the ioread32()-based version to do so.
+
+This is a bug but would only manifest on big endian systems
+that make use of the ioread32-based implementation of _enetc_rd_reg64.
+While all in-tree users of this driver are little endian and
+make use of the ioread64-based implementation of _enetc_rd_reg64.
+Thus, no in-tree user of this driver is affected by this bug.
+
+Flagged by Sparse.
+Compile tested only.
+
+Fixes: 16eb4c85c964 ("enetc: Add ethtool statistics")
+Closes: https://lore.kernel.org/all/AM9PR04MB850500D3FC24FE23DEFCEA158879A@AM9PR04MB8505.eurprd04.prod.outlook.com/
+Signed-off-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Wei Fang <wei.fang@nxp.com>
+Link: https://patch.msgid.link/20250624-etnetc-le-v1-1-a73a95d96e4e@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/enetc/enetc_hw.h b/drivers/net/ethernet/freescale/enetc/enetc_hw.h
+index 0f5f081a5bafe..392348e285571 100644
+--- a/drivers/net/ethernet/freescale/enetc/enetc_hw.h
++++ b/drivers/net/ethernet/freescale/enetc/enetc_hw.h
+@@ -459,7 +459,7 @@ static inline u64 _enetc_rd_reg64(void __iomem *reg)
+ tmp = ioread32(reg + 4);
+ } while (high != tmp);
+
+- return le64_to_cpu((__le64)high << 32 | low);
++ return (u64)high << 32 | low;
+ }
+ #endif
+
+--
+2.39.5
+
--- /dev/null
+From 9eb7ba3f53840124c788101fd43311c7c9bb291a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 11:32:58 -0700
+Subject: net: selftests: fix TCP packet checksum
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 8d89661a36dd3bb8c9902cff36dc0c144dce3faf ]
+
+The length in the pseudo header should be the length of the L3 payload
+AKA the L4 header+payload. The selftest code builds the packet from
+the lower layers up, so all the headers are pushed already when it
+constructs L4. We need to subtract the lower layer headers from skb->len.
+
+Fixes: 3e1e58d64c3d ("net: add generic selftest support")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Gerhard Engleder <gerhard@engleder-embedded.com>
+Reported-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Tested-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://patch.msgid.link/20250624183258.3377740-1-kuba@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/selftests.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/selftests.c b/net/core/selftests.c
+index 29ca19ec82bb4..63938efd5b55f 100644
+--- a/net/core/selftests.c
++++ b/net/core/selftests.c
+@@ -160,8 +160,9 @@ static struct sk_buff *net_test_get_skb(struct net_device *ndev,
+ skb->csum = 0;
+ skb->ip_summed = CHECKSUM_PARTIAL;
+ if (attr->tcp) {
+- thdr->check = ~tcp_v4_check(skb->len, ihdr->saddr,
+- ihdr->daddr, 0);
++ int l4len = skb->len - skb_transport_offset(skb);
++
++ thdr->check = ~tcp_v4_check(l4len, ihdr->saddr, ihdr->daddr, 0);
+ skb->csum_start = skb_transport_header(skb) - skb->head;
+ skb->csum_offset = offsetof(struct tcphdr, check);
+ } else {
+--
+2.39.5
+
i2c-tiny-usb-disable-zero-length-read-messages.patch
i2c-robotfuzz-osif-disable-zero-length-read-messages.patch
s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch
+atm-clip-prevent-null-deref-in-clip_push.patch
+alsa-usb-audio-fix-out-of-bounds-read-in-snd_usb_get.patch
+attach_recursive_mnt-do-not-lock-the-covering-tree-w.patch
+libbpf-fix-null-pointer-dereference-in-btf_dump__fre.patch
+wifi-mac80211-fix-beacon-interval-calculation-overfl.patch
+af_unix-don-t-set-econnreset-for-consumed-oob-skb.patch
+vsock-uapi-fix-linux-vm_sockets.h-userspace-compilat.patch
+um-ubd-add-missing-error-check-in-start_io_thread.patch
+net-enetc-correct-endianness-handling-in-_enetc_rd_r.patch
+atm-release-atm_dev_mutex-after-removing-procfs-in-a.patch
+net-selftests-fix-tcp-packet-checksum.patch
--- /dev/null
+From 2eb96b5c290186139b383d3a774ce0af7b2a5477 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 20:44:25 +0800
+Subject: um: ubd: Add missing error check in start_io_thread()
+
+From: Tiwei Bie <tiwei.btw@antgroup.com>
+
+[ Upstream commit c55c7a85e02a7bfee20a3ffebdff7cbeb41613ef ]
+
+The subsequent call to os_set_fd_block() overwrites the previous
+return value. OR the two return values together to fix it.
+
+Fixes: f88f0bdfc32f ("um: UBD Improvements")
+Signed-off-by: Tiwei Bie <tiwei.btw@antgroup.com>
+Link: https://patch.msgid.link/20250606124428.148164-2-tiwei.btw@antgroup.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/ubd_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/um/drivers/ubd_user.c b/arch/um/drivers/ubd_user.c
+index a1afe414ce481..fb5b1e7c133d8 100644
+--- a/arch/um/drivers/ubd_user.c
++++ b/arch/um/drivers/ubd_user.c
+@@ -41,7 +41,7 @@ int start_io_thread(unsigned long sp, int *fd_out)
+ *fd_out = fds[1];
+
+ err = os_set_fd_block(*fd_out, 0);
+- err = os_set_fd_block(kernel_fd, 0);
++ err |= os_set_fd_block(kernel_fd, 0);
+ if (err) {
+ printk("start_io_thread - failed to set nonblocking I/O.\n");
+ goto out_close;
+--
+2.39.5
+
--- /dev/null
+From cab4f54854dae9915f5b299fbd3fc55481647309 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 12:00:53 +0200
+Subject: vsock/uapi: fix linux/vm_sockets.h userspace compilation errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit 22bbc1dcd0d6785fb390c41f0dd5b5e218d23bdd ]
+
+If a userspace application just include <linux/vm_sockets.h> will fail
+to build with the following errors:
+
+ /usr/include/linux/vm_sockets.h:182:39: error: invalid application of ‘sizeof’ to incomplete type ‘struct sockaddr’
+ 182 | unsigned char svm_zero[sizeof(struct sockaddr) -
+ | ^~~~~~
+ /usr/include/linux/vm_sockets.h:183:39: error: ‘sa_family_t’ undeclared here (not in a function)
+ 183 | sizeof(sa_family_t) -
+ |
+
+Include <sys/socket.h> for userspace (guarded by ifndef __KERNEL__)
+where `struct sockaddr` and `sa_family_t` are defined.
+We already do something similar in <linux/mptcp.h> and <linux/if.h>.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Reported-by: Daan De Meyer <daan.j.demeyer@gmail.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20250623100053.40979-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/vm_sockets.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/include/uapi/linux/vm_sockets.h b/include/uapi/linux/vm_sockets.h
+index 46918a1852d7b..4263c85593fa0 100644
+--- a/include/uapi/linux/vm_sockets.h
++++ b/include/uapi/linux/vm_sockets.h
+@@ -17,6 +17,10 @@
+ #ifndef _UAPI_VM_SOCKETS_H
+ #define _UAPI_VM_SOCKETS_H
+
++#ifndef __KERNEL__
++#include <sys/socket.h> /* for struct sockaddr and sa_family_t */
++#endif
++
+ #include <linux/socket.h>
+ #include <linux/types.h>
+
+--
+2.39.5
+
--- /dev/null
+From fc558ec08143cd6515323d354574fd86765cb762 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Jun 2025 22:32:09 +1000
+Subject: wifi: mac80211: fix beacon interval calculation overflow
+
+From: Lachlan Hodges <lachlan.hodges@morsemicro.com>
+
+[ Upstream commit 7a3750ff0f2e8fee338a9c168f429f6c37f0e820 ]
+
+As we are converting from TU to usecs, a beacon interval of
+100*1024 usecs will lead to integer wrapping. To fix change
+to use a u32.
+
+Fixes: 057d5f4ba1e4 ("mac80211: sync dtim_count to TSF")
+Signed-off-by: Lachlan Hodges <lachlan.hodges@morsemicro.com>
+Link: https://patch.msgid.link/20250621123209.511796-1-lachlan.hodges@morsemicro.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index cc78d3cba45e4..07512f0d5576e 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -4350,7 +4350,7 @@ void ieee80211_recalc_dtim(struct ieee80211_local *local,
+ {
+ u64 tsf = drv_get_tsf(local, sdata);
+ u64 dtim_count = 0;
+- u16 beacon_int = sdata->vif.bss_conf.beacon_int * 1024;
++ u32 beacon_int = sdata->vif.bss_conf.beacon_int * 1024;
+ u8 dtim_period = sdata->vif.bss_conf.dtim_period;
+ struct ps_data *ps;
+ u8 bcns_from_dtim;
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
