--- /dev/null
+From cb481e59ea6cae3b7796ac1d7a22b6b24c3f3c0b Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko@kernel.org>
+Date: Mon, 1 Jun 2026 23:11:54 +0300
+Subject: KEYS: fix overflow in keyctl_pkey_params_get_2()
+
+From: Jarkko Sakkinen <jarkko@kernel.org>
+
+commit cb481e59ea6cae3b7796ac1d7a22b6b24c3f3c0b upstream.
+
+The length for the internal output buffer is calculated incorrectly, which
+can result overflow when a too small buffer is provided.
+
+Fix the bug by allocating internal output with the size of the maximum
+length of the cryptographic primitive instead of caller provided size.
+
+Link: https://lore.kernel.org/keyrings/20260531024914.3712130-1-jarkko@kernel.org/
+Cc: stable@vger.kernel.org # v4.20+
+Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
+Reported-by: Alessandro Groppo <ale.grpp@gmail.com>
+Tested-by: Alessandro Groppo <ale.grpp@gmail.com>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/keys/keyctl_pkey.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/security/keys/keyctl_pkey.c
++++ b/security/keys/keyctl_pkey.c
+@@ -138,28 +138,35 @@ static int keyctl_pkey_params_get_2(cons
+ if (uparams.in_len > info.max_dec_size ||
+ uparams.out_len > info.max_enc_size)
+ return -EINVAL;
++
++ params->out_len = info.max_enc_size;
+ break;
+ case KEYCTL_PKEY_DECRYPT:
+ if (uparams.in_len > info.max_enc_size ||
+ uparams.out_len > info.max_dec_size)
+ return -EINVAL;
++
++ params->out_len = info.max_dec_size;
+ break;
+ case KEYCTL_PKEY_SIGN:
+ if (uparams.in_len > info.max_data_size ||
+ uparams.out_len > info.max_sig_size)
+ return -EINVAL;
++
++ params->out_len = info.max_sig_size;
+ break;
+ case KEYCTL_PKEY_VERIFY:
+ if (uparams.in_len > info.max_data_size ||
+ uparams.in2_len > info.max_sig_size)
+ return -EINVAL;
++
++ params->out_len = info.max_sig_size;
+ break;
+ default:
+ BUG();
+ }
+
+ params->in_len = uparams.in_len;
+- params->out_len = uparams.out_len; /* Note: same as in2_len */
+ return 0;
+ }
+
--- /dev/null
+From fd15b457a86939c38aa12116adabd8ff686c5e51 Mon Sep 17 00:00:00 2001
+From: Shaomin Chen <eeesssooo020@gmail.com>
+Date: Wed, 10 Jun 2026 13:10:05 +0300
+Subject: keys: Pin request_key_auth payload in instantiate paths
+
+From: Shaomin Chen <eeesssooo020@gmail.com>
+
+commit fd15b457a86939c38aa12116adabd8ff686c5e51 upstream.
+
+A: request_key() B: KEYCTL_INSTANTIATE_IOV
+================ =========================
+
+create auth key
+store rka in auth key
+wait for helper
+ get auth key
+ load rka from auth key
+ copy user payload
+ sleep on #PF
+
+helper completed
+detach and free rka
+destroy auth key
+ wake up
+ use rka->target_key
+ **USE-AFTER-FREE**
+
+Give request_key_auth payloads a refcount. Take a payload reference while
+authkey->sem stabilizes the payload and revocation state. Hold that
+reference across the instantiate and reject paths. Drop the auth key
+owning reference from revoke and destroy.
+
+[jarkko: Replaced the first two paragraphs of text with an actual
+ concurrency scenario.]
+Cc: stable@vger.kernel.org # v5.10+
+Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys")
+Reported-by: Shaomin Chen <eeesssooo020@gmail.com>
+Closes: https://lore.kernel.org/r/20260519144403.436694-1-eeesssooo020@gmail.com
+Signed-off-by: Shaomin Chen <eeesssooo020@gmail.com>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/keys/request_key_auth-type.h | 2 ++
+ security/keys/internal.h | 2 ++
+ security/keys/keyctl.c | 24 ++++++++++++++++++------
+ security/keys/request_key_auth.c | 33 +++++++++++++++++++++++++++++++--
+ 4 files changed, 53 insertions(+), 8 deletions(-)
+
+--- a/include/keys/request_key_auth-type.h
++++ b/include/keys/request_key_auth-type.h
+@@ -9,12 +9,14 @@
+ #define _KEYS_REQUEST_KEY_AUTH_TYPE_H
+
+ #include <linux/key.h>
++#include <linux/refcount.h>
+
+ /*
+ * Authorisation record for request_key().
+ */
+ struct request_key_auth {
+ struct rcu_head rcu;
++ refcount_t usage;
+ struct key *target_key;
+ struct key *dest_keyring;
+ const struct cred *cred;
+--- a/security/keys/internal.h
++++ b/security/keys/internal.h
+@@ -215,6 +215,8 @@ extern struct key *request_key_auth_new(
+ const void *callout_info,
+ size_t callout_len,
+ struct key *dest_keyring);
++struct request_key_auth *request_key_auth_get(struct key *authkey);
++void request_key_auth_put(struct request_key_auth *rka);
+
+ extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -1196,9 +1196,13 @@ static long keyctl_instantiate_key_commo
+ if (!instkey)
+ goto error;
+
+- rka = instkey->payload.data[0];
+- if (rka->target_key->serial != id)
++ rka = request_key_auth_get(instkey);
++ if (!rka) {
++ ret = -EKEYREVOKED;
+ goto error;
++ }
++ if (rka->target_key->serial != id)
++ goto error_put_rka;
+
+ /* pull the payload in if one was supplied */
+ payload = NULL;
+@@ -1207,7 +1211,7 @@ static long keyctl_instantiate_key_commo
+ ret = -ENOMEM;
+ payload = kvmalloc(plen, GFP_KERNEL);
+ if (!payload)
+- goto error;
++ goto error_put_rka;
+
+ ret = -EFAULT;
+ if (!copy_from_iter_full(payload, plen, from))
+@@ -1233,6 +1237,8 @@ static long keyctl_instantiate_key_commo
+
+ error2:
+ kvfree_sensitive(payload, plen);
++error_put_rka:
++ request_key_auth_put(rka);
+ error:
+ return ret;
+ }
+@@ -1358,15 +1364,19 @@ long keyctl_reject_key(key_serial_t id,
+ if (!instkey)
+ goto error;
+
+- rka = instkey->payload.data[0];
+- if (rka->target_key->serial != id)
++ rka = request_key_auth_get(instkey);
++ if (!rka) {
++ ret = -EKEYREVOKED;
+ goto error;
++ }
++ if (rka->target_key->serial != id)
++ goto error_put_rka;
+
+ /* find the destination keyring if present (which must also be
+ * writable) */
+ ret = get_instantiation_keyring(ringid, rka, &dest_keyring);
+ if (ret < 0)
+- goto error;
++ goto error_put_rka;
+
+ /* instantiate the key and link it into a keyring */
+ ret = key_reject_and_link(rka->target_key, timeout, error,
+@@ -1379,6 +1389,8 @@ long keyctl_reject_key(key_serial_t id,
+ if (ret == 0)
+ keyctl_change_reqkey_auth(NULL);
+
++error_put_rka:
++ request_key_auth_put(rka);
+ error:
+ return ret;
+ }
+--- a/security/keys/request_key_auth.c
++++ b/security/keys/request_key_auth.c
+@@ -23,6 +23,7 @@ static void request_key_auth_describe(co
+ static void request_key_auth_revoke(struct key *);
+ static void request_key_auth_destroy(struct key *);
+ static long request_key_auth_read(const struct key *, char *, size_t);
++static void request_key_auth_rcu_disposal(struct rcu_head *);
+
+ /*
+ * The request-key authorisation key type definition.
+@@ -116,6 +117,31 @@ static void free_request_key_auth(struct
+ }
+
+ /*
++ * Take a reference to the request-key authorisation payload so callers can
++ * drop authkey->sem before doing operations that may sleep.
++ */
++struct request_key_auth *request_key_auth_get(struct key *authkey)
++{
++ struct request_key_auth *rka;
++
++ down_read(&authkey->sem);
++ rka = dereference_key_locked(authkey);
++ if (rka && !test_bit(KEY_FLAG_REVOKED, &authkey->flags))
++ refcount_inc(&rka->usage);
++ else
++ rka = NULL;
++ up_read(&authkey->sem);
++
++ return rka;
++}
++
++void request_key_auth_put(struct request_key_auth *rka)
++{
++ if (rka && refcount_dec_and_test(&rka->usage))
++ call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
++}
++
++/*
+ * Dispose of the request_key_auth record under RCU conditions
+ */
+ static void request_key_auth_rcu_disposal(struct rcu_head *rcu)
+@@ -136,8 +162,10 @@ static void request_key_auth_revoke(stru
+ struct request_key_auth *rka = dereference_key_locked(key);
+
+ kenter("{%d}", key->serial);
++ if (!rka)
++ return;
+ rcu_assign_keypointer(key, NULL);
+- call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
++ request_key_auth_put(rka);
+ }
+
+ /*
+@@ -150,7 +178,7 @@ static void request_key_auth_destroy(str
+ kenter("{%d}", key->serial);
+ if (rka) {
+ rcu_assign_keypointer(key, NULL);
+- call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
++ request_key_auth_put(rka);
+ }
+ }
+
+@@ -174,6 +202,7 @@ struct key *request_key_auth_new(struct
+ rka = kzalloc(sizeof(*rka), GFP_KERNEL);
+ if (!rka)
+ goto error;
++ refcount_set(&rka->usage, 1);
+ rka->callout_info = kmemdup(callout_info, callout_len, GFP_KERNEL);
+ if (!rka->callout_info)
+ goto error_free_rka;
--- /dev/null
+From d876153680e3d721d385e554def919bce3d18c74 Mon Sep 17 00:00:00 2001
+From: Koichiro Den <den@valinux.co.jp>
+Date: Wed, 4 Mar 2026 11:05:27 +0900
+Subject: NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR
+
+From: Koichiro Den <den@valinux.co.jp>
+
+commit d876153680e3d721d385e554def919bce3d18c74 upstream.
+
+When BAR_PEER_SPAD and BAR_CONFIG share one PCI BAR, the module teardown
+path ends up calling pci_iounmap() on the same iomem with some offset,
+which is unnecessary and triggers a kernel warning like the following:
+
+ Trying to vunmap() nonexistent vm area (0000000069a5ffe8)
+ WARNING: mm/vmalloc.c:3470 at vunmap+0x58/0x68, CPU#5: modprobe/2937
+ [...]
+ Call trace:
+ vunmap+0x58/0x68 (P)
+ iounmap+0x34/0x48
+ pci_iounmap+0x2c/0x40
+ ntb_epf_pci_remove+0x44/0x80 [ntb_hw_epf]
+ pci_device_remove+0x48/0xf8
+ device_remove+0x50/0x88
+ device_release_driver_internal+0x1c8/0x228
+ driver_detach+0x50/0xb0
+ bus_remove_driver+0x74/0x100
+ driver_unregister+0x34/0x68
+ pci_unregister_driver+0x34/0xa0
+ ntb_epf_pci_driver_exit+0x14/0xfe0 [ntb_hw_epf]
+ [...]
+
+Fix it by unmapping only when PEER_SPAD and CONFIG use difference bars.
+
+Cc: stable@vger.kernel.org
+Fixes: e75d5ae8ab88 ("NTB: epf: Allow more flexibility in the memory BAR map method")
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Koichiro Den <den@valinux.co.jp>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ntb/hw/epf/ntb_hw_epf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/ntb/hw/epf/ntb_hw_epf.c
++++ b/drivers/ntb/hw/epf/ntb_hw_epf.c
+@@ -649,7 +649,8 @@ static void ntb_epf_deinit_pci(struct nt
+ struct pci_dev *pdev = ndev->ntb.pdev;
+
+ pci_iounmap(pdev, ndev->ctrl_reg);
+- pci_iounmap(pdev, ndev->peer_spad_reg);
++ if (ndev->barno_map[BAR_PEER_SPAD] != ndev->barno_map[BAR_CONFIG])
++ pci_iounmap(pdev, ndev->peer_spad_reg);
+ pci_iounmap(pdev, ndev->db_reg);
+
+ pci_clear_master(pdev);
net-skmsg-preserve-sg.copy-across-sg-transforms.patch
apparmor-mediate-the-implicit-connect-of-tcp-fast-open-sendmsg.patch
apparmor-fix-use-after-free-in-rawdata-dedup-loop.patch
+ntb-epf-avoid-pci_iounmap-with-offset-when-peer_spad-and-config-share-bar.patch
+keys-fix-overflow-in-keyctl_pkey_params_get_2.patch
+keys-pin-request_key_auth-payload-in-instantiate-paths.patch
+wifi-mt76-mt76x2u-add-support-for-elecom-wdc-867su3s.patch
+wifi-ath11k-fix-warning-when-unbinding.patch
+wifi-rtlwifi-rtl8821ae-fix-c2h-bit-location-in-rx-descriptor.patch
--- /dev/null
+From 8b7a26b6681922a38cd5a7829ace61f8e54df9b7 Mon Sep 17 00:00:00 2001
+From: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
+Date: Mon, 20 Apr 2026 13:01:29 +0200
+Subject: wifi: ath11k: fix warning when unbinding
+
+From: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
+
+commit 8b7a26b6681922a38cd5a7829ace61f8e54df9b7 upstream.
+
+If there is an error during some initialization related to firmware,
+the buffers dp->tx_ring[i].tx_status are released.
+However this is released again when the device is unbinded (ath11k_pci),
+and we get:
+WARNING: CPU: 0 PID: 6231 at mm/slub.c:4368 free_large_kmalloc+0x57/0x90
+Call Trace:
+free_large_kmalloc
+ath11k_dp_free
+ath11k_core_deinit
+ath11k_pci_remove
+...
+
+The issue is always reproducible from a VM because the MSI addressing
+initialization is failing.
+
+In order to fix the issue, just set the buffers to NULL after releasing in
+order to avoid the double free.
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260420110130.509670-1-jtornosm@redhat.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/dp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/ath/ath11k/dp.c
++++ b/drivers/net/wireless/ath/ath11k/dp.c
+@@ -1039,6 +1039,7 @@ void ath11k_dp_free(struct ath11k_base *
+ idr_destroy(&dp->tx_ring[i].txbuf_idr);
+ spin_unlock_bh(&dp->tx_ring[i].tx_idr_lock);
+ kfree(dp->tx_ring[i].tx_status);
++ dp->tx_ring[i].tx_status = NULL;
+ }
+
+ /* Deinit any SOC level resource */
--- /dev/null
+From f4ce0664e9f0387873b181777891741c33e19465 Mon Sep 17 00:00:00 2001
+From: Zenm Chen <zenmchen@gmail.com>
+Date: Tue, 7 Apr 2026 23:44:30 +0800
+Subject: wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S
+
+From: Zenm Chen <zenmchen@gmail.com>
+
+commit f4ce0664e9f0387873b181777891741c33e19465 upstream.
+
+Add the ID 056e:400a to the table to support an additional MT7612U
+adapter: ELECOM WDC-867SU3S.
+
+Compile tested only.
+
+Cc: stable@vger.kernel.org # 5.10.x
+Signed-off-by: Zenm Chen <zenmchen@gmail.com>
+Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://patch.msgid.link/20260407154430.9184-1-zenmchen@gmail.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
+@@ -16,6 +16,7 @@ static const struct usb_device_id mt76x2
+ { USB_DEVICE(0x0e8d, 0x7612) }, /* Aukey USBAC1200 - Alfa AWUS036ACM */
+ { USB_DEVICE(0x057c, 0x8503) }, /* Avm FRITZ!WLAN AC860 */
+ { USB_DEVICE(0x7392, 0xb711) }, /* Edimax EW 7722 UAC */
++ { USB_DEVICE(0x056e, 0x400a) }, /* ELECOM WDC-867SU3S */
+ { USB_DEVICE(0x0e8d, 0x7632) }, /* HC-M7662BU1 */
+ { USB_DEVICE(0x0471, 0x2126) }, /* LiteOn WN4516R module, nonstandard USB connector */
+ { USB_DEVICE(0x0471, 0x7600) }, /* LiteOn WN4519R module, nonstandard USB connector */
--- /dev/null
+From 83d38df6929118c3f996b9e3351c2d5014073d87 Mon Sep 17 00:00:00 2001
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Date: Sat, 25 Apr 2026 22:32:58 +0300
+Subject: wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+commit 83d38df6929118c3f996b9e3351c2d5014073d87 upstream.
+
+Bit 28 of double word 2 in the RX descriptor indicates if the packet is
+a normal 802.11 frame, or a message from the wifi firmware to the
+driver (Card 2 Host).
+
+Commit f5678bfe1cdc ("rtlwifi: rtl8821ae: Replace local bit manipulation
+macros") mistakenly made the driver look for this bit in double word 1,
+causing packet loss and Bluetooth coexistence problems.
+
+Fixes: f5678bfe1cdc ("rtlwifi: rtl8821ae: Replace local bit manipulation macros")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/04da7398-cedb-425a-a810-5772ab10139d@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8821ae/trx.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/trx.h
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/trx.h
+@@ -291,7 +291,7 @@ static inline int get_rx_desc_paggr(__le
+
+ static inline int get_rx_status_desc_rpt_sel(__le32 *__pdesc)
+ {
+- return le32_get_bits(*(__pdesc + 1), BIT(28));
++ return le32_get_bits(*(__pdesc + 2), BIT(28));
+ }
+
+ static inline int get_rx_desc_rxmcs(__le32 *__pdesc)