--- /dev/null
+From stable+bounces-235776-greg=kroah.com@vger.kernel.org Sun Apr 12 03:02:44 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Apr 2026 21:02:30 -0400
+Subject: ACPI: EC: Evaluate _REG outside the EC scope more carefully
+To: stable@vger.kernel.org
+Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>, Hans de Goede <hdegoede@redhat.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260412010230.1904734-3-sashal@kernel.org>
+
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 71bf41b8e913ec9fc91f0d39ab8fb320229ec604 ]
+
+Commit 60fa6ae6e6d0 ("ACPI: EC: Install address space handler at the
+namespace root") caused _REG methods for EC operation regions outside
+the EC device scope to be evaluated which on some systems leads to the
+evaluation of _REG methods in the scopes of device objects representing
+devices that are not present and not functional according to the _STA
+return values. Some of those device objects represent EC "alternatives"
+and if _REG is evaluated for their operation regions, the platform
+firmware may be confused and the platform may start to behave
+incorrectly.
+
+To avoid this problem, only evaluate _REG for EC operation regions
+located in the scopes of device objects representing known-to-be-present
+devices.
+
+For this purpose, partially revert commit 60fa6ae6e6d0 and trigger the
+evaluation of _REG for EC operation regions from acpi_bus_attach() for
+the known-valid devices.
+
+Fixes: 60fa6ae6e6d0 ("ACPI: EC: Install address space handler at the namespace root")
+Link: https://lore.kernel.org/linux-acpi/1f76b7e2-1928-4598-8037-28a1785c2d13@redhat.com
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2298938
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2302253
+Reported-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Cc: All applicable <stable@vger.kernel.org>
+Link: https://patch.msgid.link/23612351.6Emhk5qWAg@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/ec.c | 11 +++++++++--
+ drivers/acpi/internal.h | 1 +
+ drivers/acpi/scan.c | 2 ++
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -1512,12 +1512,13 @@ static bool install_gpio_irq_event_handl
+ static int ec_install_handlers(struct acpi_ec *ec, struct acpi_device *device,
+ bool call_reg)
+ {
+- acpi_handle scope_handle = ec == first_ec ? ACPI_ROOT_OBJECT : ec->handle;
+ acpi_status status;
+
+ acpi_ec_start(ec, false);
+
+ if (!test_bit(EC_FLAGS_EC_HANDLER_INSTALLED, &ec->flags)) {
++ acpi_handle scope_handle = ec == first_ec ? ACPI_ROOT_OBJECT : ec->handle;
++
+ acpi_ec_enter_noirq(ec);
+ status = acpi_install_address_space_handler_no_reg(scope_handle,
+ ACPI_ADR_SPACE_EC,
+@@ -1531,7 +1532,7 @@ static int ec_install_handlers(struct ac
+ }
+
+ if (call_reg && !test_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags)) {
+- acpi_execute_reg_methods(scope_handle, ACPI_UINT32_MAX, ACPI_ADR_SPACE_EC);
++ acpi_execute_reg_methods(ec->handle, ACPI_UINT32_MAX, ACPI_ADR_SPACE_EC);
+ set_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags);
+ }
+
+@@ -1749,6 +1750,12 @@ static int acpi_ec_remove(struct acpi_de
+ return 0;
+ }
+
++void acpi_ec_register_opregions(struct acpi_device *adev)
++{
++ if (first_ec && first_ec->handle != adev->handle)
++ acpi_execute_reg_methods(adev->handle, 1, ACPI_ADR_SPACE_EC);
++}
++
+ static acpi_status
+ ec_parse_io_ports(struct acpi_resource *resource, void *context)
+ {
+--- a/drivers/acpi/internal.h
++++ b/drivers/acpi/internal.h
+@@ -210,6 +210,7 @@ int acpi_ec_add_query_handler(struct acp
+ acpi_handle handle, acpi_ec_query_func func,
+ void *data);
+ void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit);
++void acpi_ec_register_opregions(struct acpi_device *adev);
+
+ #ifdef CONFIG_PM_SLEEP
+ void acpi_ec_flush_work(void);
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -2198,6 +2198,8 @@ static int acpi_bus_attach(struct acpi_d
+ if (device->handler)
+ goto ok;
+
++ acpi_ec_register_opregions(device);
++
+ if (!device->flags.initialized) {
+ device->flags.power_manageable =
+ device->power.states[ACPI_STATE_D0].flags.valid;
--- /dev/null
+From stable+bounces-235775-greg=kroah.com@vger.kernel.org Sun Apr 12 03:02:38 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Apr 2026 21:02:29 -0400
+Subject: ACPICA: Add a depth argument to acpi_execute_reg_methods()
+To: stable@vger.kernel.org
+Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>, Hans de Goede <hdegoede@redhat.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260412010230.1904734-2-sashal@kernel.org>
+
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+
+[ Upstream commit cdf65d73e001fde600b18d7e45afadf559425ce5 ]
+
+A subsequent change will need to pass a depth argument to
+acpi_execute_reg_methods(), so prepare that function for it.
+
+No intentional functional changes.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Cc: All applicable <stable@vger.kernel.org>
+Link: https://patch.msgid.link/8451567.NyiUUSuA9g@rjwysocki.net
+Stable-dep-of: 71bf41b8e913 ("ACPI: EC: Evaluate _REG outside the EC scope more carefully")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpica/acevents.h | 2 +-
+ drivers/acpi/acpica/evregion.c | 6 ++++--
+ drivers/acpi/acpica/evxfregn.c | 10 +++++++---
+ drivers/acpi/ec.c | 2 +-
+ include/acpi/acpixf.h | 1 +
+ 5 files changed, 14 insertions(+), 7 deletions(-)
+
+--- a/drivers/acpi/acpica/acevents.h
++++ b/drivers/acpi/acpica/acevents.h
+@@ -188,7 +188,7 @@ acpi_ev_detach_region(union acpi_operand
+ u8 acpi_ns_is_locked);
+
+ void
+-acpi_ev_execute_reg_methods(struct acpi_namespace_node *node,
++acpi_ev_execute_reg_methods(struct acpi_namespace_node *node, u32 max_depth,
+ acpi_adr_space_type space_id, u32 function);
+
+ acpi_status
+--- a/drivers/acpi/acpica/evregion.c
++++ b/drivers/acpi/acpica/evregion.c
+@@ -65,6 +65,7 @@ acpi_status acpi_ev_initialize_op_region
+ acpi_gbl_default_address_spaces
+ [i])) {
+ acpi_ev_execute_reg_methods(acpi_gbl_root_node,
++ ACPI_UINT32_MAX,
+ acpi_gbl_default_address_spaces
+ [i], ACPI_REG_CONNECT);
+ }
+@@ -665,6 +666,7 @@ cleanup1:
+ * FUNCTION: acpi_ev_execute_reg_methods
+ *
+ * PARAMETERS: node - Namespace node for the device
++ * max_depth - Depth to which search for _REG
+ * space_id - The address space ID
+ * function - Passed to _REG: On (1) or Off (0)
+ *
+@@ -676,7 +678,7 @@ cleanup1:
+ ******************************************************************************/
+
+ void
+-acpi_ev_execute_reg_methods(struct acpi_namespace_node *node,
++acpi_ev_execute_reg_methods(struct acpi_namespace_node *node, u32 max_depth,
+ acpi_adr_space_type space_id, u32 function)
+ {
+ struct acpi_reg_walk_info info;
+@@ -710,7 +712,7 @@ acpi_ev_execute_reg_methods(struct acpi_
+ * regions and _REG methods. (i.e. handlers must be installed for all
+ * regions of this Space ID before we can run any _REG methods)
+ */
+- (void)acpi_ns_walk_namespace(ACPI_TYPE_ANY, node, ACPI_UINT32_MAX,
++ (void)acpi_ns_walk_namespace(ACPI_TYPE_ANY, node, max_depth,
+ ACPI_NS_WALK_UNLOCK, acpi_ev_reg_run, NULL,
+ &info, NULL);
+
+--- a/drivers/acpi/acpica/evxfregn.c
++++ b/drivers/acpi/acpica/evxfregn.c
+@@ -85,7 +85,8 @@ acpi_install_address_space_handler_inter
+ /* Run all _REG methods for this address space */
+
+ if (run_reg) {
+- acpi_ev_execute_reg_methods(node, space_id, ACPI_REG_CONNECT);
++ acpi_ev_execute_reg_methods(node, ACPI_UINT32_MAX, space_id,
++ ACPI_REG_CONNECT);
+ }
+
+ unlock_and_exit:
+@@ -261,6 +262,7 @@ ACPI_EXPORT_SYMBOL(acpi_remove_address_s
+ * FUNCTION: acpi_execute_reg_methods
+ *
+ * PARAMETERS: device - Handle for the device
++ * max_depth - Depth to which search for _REG
+ * space_id - The address space ID
+ *
+ * RETURN: Status
+@@ -269,7 +271,8 @@ ACPI_EXPORT_SYMBOL(acpi_remove_address_s
+ *
+ ******************************************************************************/
+ acpi_status
+-acpi_execute_reg_methods(acpi_handle device, acpi_adr_space_type space_id)
++acpi_execute_reg_methods(acpi_handle device, u32 max_depth,
++ acpi_adr_space_type space_id)
+ {
+ struct acpi_namespace_node *node;
+ acpi_status status;
+@@ -294,7 +297,8 @@ acpi_execute_reg_methods(acpi_handle dev
+
+ /* Run all _REG methods for this address space */
+
+- acpi_ev_execute_reg_methods(node, space_id, ACPI_REG_CONNECT);
++ acpi_ev_execute_reg_methods(node, max_depth, space_id,
++ ACPI_REG_CONNECT);
+ } else {
+ status = AE_BAD_PARAMETER;
+ }
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -1531,7 +1531,7 @@ static int ec_install_handlers(struct ac
+ }
+
+ if (call_reg && !test_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags)) {
+- acpi_execute_reg_methods(scope_handle, ACPI_ADR_SPACE_EC);
++ acpi_execute_reg_methods(scope_handle, ACPI_UINT32_MAX, ACPI_ADR_SPACE_EC);
+ set_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags);
+ }
+
+--- a/include/acpi/acpixf.h
++++ b/include/acpi/acpixf.h
+@@ -666,6 +666,7 @@ ACPI_EXTERNAL_RETURN_STATUS(acpi_status
+ void *context))
+ ACPI_EXTERNAL_RETURN_STATUS(acpi_status
+ acpi_execute_reg_methods(acpi_handle device,
++ u32 nax_depth,
+ acpi_adr_space_type
+ space_id))
+ ACPI_EXTERNAL_RETURN_STATUS(acpi_status
--- /dev/null
+From 471db2c2d4f80ee94225a1ef246e4f5011733e50 Mon Sep 17 00:00:00 2001
+From: "Lin.Cao" <lincao12@amd.com>
+Date: Thu, 15 May 2025 10:07:13 +0800
+Subject: drm/scheduler: signal scheduled fence when kill job
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lin.Cao <lincao12@amd.com>
+
+commit 471db2c2d4f80ee94225a1ef246e4f5011733e50 upstream.
+
+When an entity from application B is killed, drm_sched_entity_kill()
+removes all jobs belonging to that entity through
+drm_sched_entity_kill_jobs_work(). If application A's job depends on a
+scheduled fence from application B's job, and that fence is not properly
+signaled during the killing process, application A's dependency cannot be
+cleared.
+
+This leads to application A hanging indefinitely while waiting for a
+dependency that will never be resolved. Fix this issue by ensuring that
+scheduled fences are properly signaled when an entity is killed, allowing
+dependent applications to continue execution.
+
+Signed-off-by: Lin.Cao <lincao12@amd.com>
+Reviewed-by: Philipp Stanner <phasta@kernel.org>
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Link: https://lore.kernel.org/r/20250515020713.1110476-1-lincao12@amd.com
+[ Modified drm_sched_fence_scheduled(job->s_fence, NULL) to
+ drm_sched_fence_scheduled(job->s_fence) for kernel 6.1.y ]
+Signed-off-by: Leon Chen <leonchen.oss@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/scheduler/sched_entity.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/scheduler/sched_entity.c
++++ b/drivers/gpu/drm/scheduler/sched_entity.c
+@@ -196,6 +196,7 @@ static void drm_sched_entity_kill_jobs_w
+ {
+ struct drm_sched_job *job = container_of(wrk, typeof(*job), work);
+
++ drm_sched_fence_scheduled(job->s_fence);
+ drm_sched_fence_finished(job->s_fence);
+ WARN_ON(job->s_fence->parent);
+ job->sched->ops->free_job(job);
--- /dev/null
+From stable+bounces-235818-greg=kroah.com@vger.kernel.org Sun Apr 12 14:55:48 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Apr 2026 08:55:17 -0400
+Subject: net: rfkill: prevent unlimited numbers of rfkill events from being created
+To: stable@vger.kernel.org
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Johannes Berg <johannes@sipsolutions.net>, Yuan Tan <yuantan098@gmail.com>, Yifan Wu <yifanwucs@gmail.com>, Juefei Pu <tomapufckgml@gmail.com>, Xin Liu <bird@lzu.edu.cn>, stable <stable@kernel.org>, Johannes Berg <johannes.berg@intel.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260412125517.2219007-4-sashal@kernel.org>
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit ea245d78dec594372e27d8c79616baf49e98a4a1 ]
+
+Userspace can create an unlimited number of rfkill events if the system
+is so configured, while not consuming them from the rfkill file
+descriptor, causing a potential out of memory situation. Prevent this
+from bounding the number of pending rfkill events at a "large" number
+(i.e. 1000) to prevent abuses like this.
+
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://patch.msgid.link/2026033013-disfigure-scroll-e25e@gregkh
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rfkill/core.c | 35 ++++++++++++++++++++++++-----------
+ 1 file changed, 24 insertions(+), 11 deletions(-)
+
+--- a/net/rfkill/core.c
++++ b/net/rfkill/core.c
+@@ -73,11 +73,14 @@ struct rfkill_int_event {
+ struct rfkill_event_ext ev;
+ };
+
++/* Max rfkill events that can be "in-flight" for one data source */
++#define MAX_RFKILL_EVENT 1000
+ struct rfkill_data {
+ struct list_head list;
+ struct list_head events;
+ struct mutex mtx;
+ wait_queue_head_t read_wait;
++ u32 event_count;
+ bool input_handler;
+ u8 max_size;
+ };
+@@ -255,10 +258,12 @@ static void rfkill_global_led_trigger_un
+ }
+ #endif /* CONFIG_RFKILL_LEDS */
+
+-static void rfkill_fill_event(struct rfkill_event_ext *ev,
+- struct rfkill *rfkill,
+- enum rfkill_operation op)
++static int rfkill_fill_event(struct rfkill_int_event *int_ev,
++ struct rfkill *rfkill,
++ struct rfkill_data *data,
++ enum rfkill_operation op)
+ {
++ struct rfkill_event_ext *ev = &int_ev->ev;
+ unsigned long flags;
+
+ ev->idx = rfkill->idx;
+@@ -271,6 +276,15 @@ static void rfkill_fill_event(struct rfk
+ RFKILL_BLOCK_SW_PREV));
+ ev->hard_block_reasons = rfkill->hard_block_reasons;
+ spin_unlock_irqrestore(&rfkill->lock, flags);
++
++ scoped_guard(mutex, &data->mtx) {
++ if (data->event_count++ > MAX_RFKILL_EVENT) {
++ data->event_count--;
++ return -ENOSPC;
++ }
++ list_add_tail(&int_ev->list, &data->events);
++ }
++ return 0;
+ }
+
+ static void rfkill_send_events(struct rfkill *rfkill, enum rfkill_operation op)
+@@ -282,10 +296,10 @@ static void rfkill_send_events(struct rf
+ ev = kzalloc(sizeof(*ev), GFP_KERNEL);
+ if (!ev)
+ continue;
+- rfkill_fill_event(&ev->ev, rfkill, op);
+- mutex_lock(&data->mtx);
+- list_add_tail(&ev->list, &data->events);
+- mutex_unlock(&data->mtx);
++ if (rfkill_fill_event(ev, rfkill, data, op)) {
++ kfree(ev);
++ continue;
++ }
+ wake_up_interruptible(&data->read_wait);
+ }
+ }
+@@ -1190,10 +1204,8 @@ static int rfkill_fop_open(struct inode
+ if (!ev)
+ goto free;
+ rfkill_sync(rfkill);
+- rfkill_fill_event(&ev->ev, rfkill, RFKILL_OP_ADD);
+- mutex_lock(&data->mtx);
+- list_add_tail(&ev->list, &data->events);
+- mutex_unlock(&data->mtx);
++ if (rfkill_fill_event(ev, rfkill, data, RFKILL_OP_ADD))
++ kfree(ev);
+ }
+ list_add(&data->list, &rfkill_fds);
+ mutex_unlock(&rfkill_global_mutex);
+@@ -1263,6 +1275,7 @@ static ssize_t rfkill_fop_read(struct fi
+ ret = -EFAULT;
+
+ list_del(&ev->list);
++ data->event_count--;
+ kfree(ev);
+ out:
+ mutex_unlock(&data->mtx);
--- /dev/null
+From stable+bounces-235817-greg=kroah.com@vger.kernel.org Sun Apr 12 14:55:40 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Apr 2026 08:55:16 -0400
+Subject: net: rfkill: reduce data->mtx scope in rfkill_fop_open
+To: stable@vger.kernel.org
+Cc: Johannes Berg <johannes.berg@intel.com>, syzbot+509238e523e032442b80@syzkaller.appspotmail.com, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260412125517.2219007-3-sashal@kernel.org>
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit f2ac54ebf85615a6d78f5eb213a8bbeeb17ebe5d ]
+
+In syzbot runs, lockdep reports that there's a (potential)
+deadlock here of data->mtx being locked recursively. This
+isn't really a deadlock since they are different instances,
+but lockdep cannot know, and teaching it would be far more
+difficult than other fixes.
+
+At the same time we don't even really _need_ the mutex to
+be locked in rfkill_fop_open(), since we're modifying only
+a completely fresh instance of 'data' (struct rfkill_data)
+that's not yet added to the global list.
+
+However, to avoid any reordering etc. within the globally
+locked section, and to make the code look more symmetric,
+we should still lock the data->events list manipulation,
+but also need to lock _only_ that. So do that.
+
+Reported-by: syzbot+509238e523e032442b80@syzkaller.appspotmail.com
+Fixes: 2c3dfba4cf84 ("rfkill: sync before userspace visibility/changes")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: ea245d78dec5 ("net: rfkill: prevent unlimited numbers of rfkill events from being created")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rfkill/core.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/rfkill/core.c
++++ b/net/rfkill/core.c
+@@ -1180,7 +1180,6 @@ static int rfkill_fop_open(struct inode
+ init_waitqueue_head(&data->read_wait);
+
+ mutex_lock(&rfkill_global_mutex);
+- mutex_lock(&data->mtx);
+ /*
+ * start getting events from elsewhere but hold mtx to get
+ * startup events added first
+@@ -1192,10 +1191,11 @@ static int rfkill_fop_open(struct inode
+ goto free;
+ rfkill_sync(rfkill);
+ rfkill_fill_event(&ev->ev, rfkill, RFKILL_OP_ADD);
++ mutex_lock(&data->mtx);
+ list_add_tail(&ev->list, &data->events);
++ mutex_unlock(&data->mtx);
+ }
+ list_add(&data->list, &rfkill_fds);
+- mutex_unlock(&data->mtx);
+ mutex_unlock(&rfkill_global_mutex);
+
+ file->private_data = data;
+@@ -1203,7 +1203,6 @@ static int rfkill_fop_open(struct inode
+ return stream_open(inode, file);
+
+ free:
+- mutex_unlock(&data->mtx);
+ mutex_unlock(&rfkill_global_mutex);
+ mutex_destroy(&data->mtx);
+ list_for_each_entry_safe(ev, tmp, &data->events, list)
--- /dev/null
+From keerthana.kalyanasundaram@broadcom.com Mon Apr 13 06:40:15 2026
+From: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
+Date: Mon, 13 Apr 2026 04:32:47 +0000
+Subject: netfilter: nft_set_pipapo: do not rely on ZERO_SIZE_PTR
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Stefano Brivio <sbrivio@redhat.com>, Mukul Sikka <mukul.sikka@broadcom.com>, Brennan Lamoreaux <brennan.lamoreaux@broadcom.com>, Keerthana K <keerthana.kalyanasundaram@broadcom.com>
+Message-ID: <20260413043247.3327855-1-keerthana.kalyanasundaram@broadcom.com>
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 07ace0bbe03b3d8e85869af1dec5e4087b1d57b8 upstream
+
+pipapo relies on kmalloc(0) returning ZERO_SIZE_PTR (i.e., not NULL
+but pointer is invalid).
+
+Rework this to not call slab allocator when we'd request a 0-byte
+allocation.
+
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Mukul Sikka <mukul.sikka@broadcom.com>
+Signed-off-by: Brennan Lamoreaux <brennan.lamoreaux@broadcom.com>
+[Keerthana: In older stable branches (v6.6 and earlier), the allocation logic in
+pipapo_clone() still relies on `src->rules` rather than `src->rules_alloc`
+(introduced in v6.9 via 9f439bd6ef4f). Consequently, the previously
+backported INT_MAX clamping check uses `src->rules`. This patch correctly
+moves that `src->rules > (INT_MAX / ...)` check inside the new
+`if (src->rules > 0)` block]
+Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_set_pipapo.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -525,6 +525,8 @@ static struct nft_pipapo_elem *pipapo_ge
+ int i;
+
+ m = priv->clone;
++ if (m->bsize_max == 0)
++ return ret;
+
+ res_map = kmalloc_array(m->bsize_max, sizeof(*res_map), GFP_ATOMIC);
+ if (!res_map) {
+@@ -1395,14 +1397,20 @@ static struct nft_pipapo_match *pipapo_c
+ src->bsize * sizeof(*dst->lt) *
+ src->groups * NFT_PIPAPO_BUCKETS(src->bb));
+
+- if (src->rules > (INT_MAX / sizeof(*src->mt)))
+- goto out_mt;
++ if (src->rules > 0) {
++ if (src->rules > (INT_MAX / sizeof(*src->mt)))
++ goto out_mt;
++
++ dst->mt = kvmalloc_array(src->rules, sizeof(*src->mt),
++ GFP_KERNEL);
++ if (!dst->mt)
++ goto out_mt;
+
+- dst->mt = kvmalloc(src->rules * sizeof(*src->mt), GFP_KERNEL_ACCOUNT);
+- if (!dst->mt)
+- goto out_mt;
++ memcpy(dst->mt, src->mt, src->rules * sizeof(*src->mt));
++ } else {
++ dst->mt = NULL;
++ }
+
+- memcpy(dst->mt, src->mt, src->rules * sizeof(*src->mt));
+ src++;
+ dst++;
+ }
--- /dev/null
+From stable+bounces-235774-greg=kroah.com@vger.kernel.org Sun Apr 12 03:02:36 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Apr 2026 21:02:28 -0400
+Subject: Revert "ACPI: EC: Evaluate orphan _REG under EC device"
+To: stable@vger.kernel.org
+Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>, Hans de Goede <hdegoede@redhat.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260412010230.1904734-1-sashal@kernel.org>
+
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 779bac9994452f6a894524f70c00cfb0cd4b6364 ]
+
+This reverts commit 0e6b6dedf168 ("Revert "ACPI: EC: Evaluate orphan
+_REG under EC device") because the problem addressed by it will be
+addressed differently in what follows.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Cc: All applicable <stable@vger.kernel.org>
+Link: https://patch.msgid.link/3236716.5fSG56mABF@rjwysocki.net
+Stable-dep-of: 71bf41b8e913 ("ACPI: EC: Evaluate _REG outside the EC scope more carefully")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpica/acevents.h | 4 ---
+ drivers/acpi/acpica/evregion.c | 6 +++-
+ drivers/acpi/acpica/evxfregn.c | 54 -----------------------------------------
+ drivers/acpi/ec.c | 3 --
+ include/acpi/acpixf.h | 4 ---
+ 5 files changed, 5 insertions(+), 66 deletions(-)
+
+--- a/drivers/acpi/acpica/acevents.h
++++ b/drivers/acpi/acpica/acevents.h
+@@ -191,10 +191,6 @@ void
+ acpi_ev_execute_reg_methods(struct acpi_namespace_node *node,
+ acpi_adr_space_type space_id, u32 function);
+
+-void
+-acpi_ev_execute_orphan_reg_method(struct acpi_namespace_node *node,
+- acpi_adr_space_type space_id);
+-
+ acpi_status
+ acpi_ev_execute_reg_method(union acpi_operand_object *region_obj, u32 function);
+
+--- a/drivers/acpi/acpica/evregion.c
++++ b/drivers/acpi/acpica/evregion.c
+@@ -20,6 +20,10 @@ extern u8 acpi_gbl_default_address_space
+
+ /* Local prototypes */
+
++static void
++acpi_ev_execute_orphan_reg_method(struct acpi_namespace_node *device_node,
++ acpi_adr_space_type space_id);
++
+ static acpi_status
+ acpi_ev_reg_run(acpi_handle obj_handle,
+ u32 level, void *context, void **return_value);
+@@ -807,7 +811,7 @@ acpi_ev_reg_run(acpi_handle obj_handle,
+ *
+ ******************************************************************************/
+
+-void
++static void
+ acpi_ev_execute_orphan_reg_method(struct acpi_namespace_node *device_node,
+ acpi_adr_space_type space_id)
+ {
+--- a/drivers/acpi/acpica/evxfregn.c
++++ b/drivers/acpi/acpica/evxfregn.c
+@@ -304,57 +304,3 @@ acpi_execute_reg_methods(acpi_handle dev
+ }
+
+ ACPI_EXPORT_SYMBOL(acpi_execute_reg_methods)
+-
+-/*******************************************************************************
+- *
+- * FUNCTION: acpi_execute_orphan_reg_method
+- *
+- * PARAMETERS: device - Handle for the device
+- * space_id - The address space ID
+- *
+- * RETURN: Status
+- *
+- * DESCRIPTION: Execute an "orphan" _REG method that appears under an ACPI
+- * device. This is a _REG method that has no corresponding region
+- * within the device's scope.
+- *
+- ******************************************************************************/
+-acpi_status
+-acpi_execute_orphan_reg_method(acpi_handle device, acpi_adr_space_type space_id)
+-{
+- struct acpi_namespace_node *node;
+- acpi_status status;
+-
+- ACPI_FUNCTION_TRACE(acpi_execute_orphan_reg_method);
+-
+- /* Parameter validation */
+-
+- if (!device) {
+- return_ACPI_STATUS(AE_BAD_PARAMETER);
+- }
+-
+- status = acpi_ut_acquire_mutex(ACPI_MTX_NAMESPACE);
+- if (ACPI_FAILURE(status)) {
+- return_ACPI_STATUS(status);
+- }
+-
+- /* Convert and validate the device handle */
+-
+- node = acpi_ns_validate_handle(device);
+- if (node) {
+-
+- /*
+- * If an "orphan" _REG method is present in the device's scope
+- * for the given address space ID, run it.
+- */
+-
+- acpi_ev_execute_orphan_reg_method(node, space_id);
+- } else {
+- status = AE_BAD_PARAMETER;
+- }
+-
+- (void)acpi_ut_release_mutex(ACPI_MTX_NAMESPACE);
+- return_ACPI_STATUS(status);
+-}
+-
+-ACPI_EXPORT_SYMBOL(acpi_execute_orphan_reg_method)
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -1532,9 +1532,6 @@ static int ec_install_handlers(struct ac
+
+ if (call_reg && !test_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags)) {
+ acpi_execute_reg_methods(scope_handle, ACPI_ADR_SPACE_EC);
+- if (scope_handle != ec->handle)
+- acpi_execute_orphan_reg_method(ec->handle, ACPI_ADR_SPACE_EC);
+-
+ set_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags);
+ }
+
+--- a/include/acpi/acpixf.h
++++ b/include/acpi/acpixf.h
+@@ -669,10 +669,6 @@ ACPI_EXTERNAL_RETURN_STATUS(acpi_status
+ acpi_adr_space_type
+ space_id))
+ ACPI_EXTERNAL_RETURN_STATUS(acpi_status
+- acpi_execute_orphan_reg_method(acpi_handle device,
+- acpi_adr_space_type
+- space_id))
+-ACPI_EXTERNAL_RETURN_STATUS(acpi_status
+ acpi_remove_address_space_handler(acpi_handle
+ device,
+ acpi_adr_space_type
--- /dev/null
+From stable+bounces-235849-greg=kroah.com@vger.kernel.org Sun Apr 12 22:03:00 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Apr 2026 16:02:51 -0400
+Subject: Revert "mptcp: add needs_id for netlink appending addr"
+To: stable@vger.kernel.org
+Cc: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Geliang Tang <geliang@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260412200251.2405108-1-sashal@kernel.org>
+
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+
+[ Upstream commit 8e2760eaab778494fc1fa257031e0e1799647f46 ]
+
+This commit was originally adding the ability to add MPTCP endpoints
+with ID 0 by accident. The in-kernel PM, handling MPTCP endpoints at the
+net namespace level, is not supposed to handle endpoints with such ID,
+because this ID 0 is reserved to the initial subflow, as mentioned in
+the MPTCPv1 protocol [1], a per-connection setting.
+
+Note that 'ip mptcp endpoint add id 0' stops early with an error, but
+other tools might still request the in-kernel PM to create MPTCP
+endpoints with this restricted ID 0.
+
+In other words, it was wrong to call the mptcp_pm_has_addr_attr_id
+helper to check whether the address ID attribute is set: if it was set
+to 0, a new MPTCP endpoint would be created with ID 0, which is not
+expected, and might cause various issues later.
+
+Fixes: 584f38942626 ("mptcp: add needs_id for netlink appending addr")
+Cc: stable@vger.kernel.org
+Link: https://datatracker.ietf.org/doc/html/rfc8684#section-3.2-9 [1]
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260407-net-mptcp-revert-pm-needs-id-v2-1-7a25cbc324f8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ applied changes to net/mptcp/pm_netlink.c instead of renamed net/mptcp/pm_kernel.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_netlink.c | 24 +++++-------------------
+ 1 file changed, 5 insertions(+), 19 deletions(-)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -1080,7 +1080,7 @@ static void __mptcp_pm_release_addr_entr
+
+ static int mptcp_pm_nl_append_new_local_addr(struct pm_nl_pernet *pernet,
+ struct mptcp_pm_addr_entry *entry,
+- bool needs_id, bool replace)
++ bool replace)
+ {
+ struct mptcp_pm_addr_entry *cur, *del_entry = NULL;
+ unsigned int addr_max;
+@@ -1133,7 +1133,7 @@ static int mptcp_pm_nl_append_new_local_
+ }
+ }
+
+- if (!entry->addr.id && needs_id) {
++ if (!entry->addr.id) {
+ find_next:
+ entry->addr.id = find_next_zero_bit(pernet->id_bitmap,
+ MPTCP_PM_MAX_ADDR_ID + 1,
+@@ -1144,7 +1144,7 @@ find_next:
+ }
+ }
+
+- if (!entry->addr.id && needs_id)
++ if (!entry->addr.id)
+ goto out;
+
+ __set_bit(entry->addr.id, pernet->id_bitmap);
+@@ -1271,7 +1271,7 @@ int mptcp_pm_nl_get_local_id(struct mptc
+ entry->ifindex = 0;
+ entry->flags = MPTCP_PM_ADDR_FLAG_IMPLICIT;
+ entry->lsk = NULL;
+- ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, true, false);
++ ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, false);
+ if (ret < 0)
+ kfree(entry);
+
+@@ -1513,18 +1513,6 @@ next:
+ return 0;
+ }
+
+-static bool mptcp_pm_has_addr_attr_id(const struct nlattr *attr,
+- struct genl_info *info)
+-{
+- struct nlattr *tb[MPTCP_PM_ADDR_ATTR_MAX + 1];
+-
+- if (!nla_parse_nested_deprecated(tb, MPTCP_PM_ADDR_ATTR_MAX, attr,
+- mptcp_pm_addr_policy, info->extack) &&
+- tb[MPTCP_PM_ADDR_ATTR_ID])
+- return true;
+- return false;
+-}
+-
+ static int mptcp_nl_cmd_add_addr(struct sk_buff *skb, struct genl_info *info)
+ {
+ struct nlattr *attr = info->attrs[MPTCP_PM_ATTR_ADDR];
+@@ -1566,9 +1554,7 @@ static int mptcp_nl_cmd_add_addr(struct
+ goto out_free;
+ }
+ }
+- ret = mptcp_pm_nl_append_new_local_addr(pernet, entry,
+- !mptcp_pm_has_addr_attr_id(attr, info),
+- true);
++ ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, true);
+ if (ret < 0) {
+ GENL_SET_ERR_MSG(info, "too many addresses or duplicate one");
+ goto out_free;
--- /dev/null
+From stable+bounces-235816-greg=kroah.com@vger.kernel.org Sun Apr 12 14:55:30 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Apr 2026 08:55:15 -0400
+Subject: rfkill: sync before userspace visibility/changes
+To: stable@vger.kernel.org
+Cc: Johannes Berg <johannes.berg@intel.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260412125517.2219007-2-sashal@kernel.org>
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 2c3dfba4cf84ac4f306cc6653b37b6dd6859ae9d ]
+
+If userspace quickly opens /dev/rfkill after a new
+instance was created, it might see the old state of
+the instance from before the sync work runs and may
+even _change_ the state, only to have the sync work
+change it again.
+
+Fix this by doing the sync inline where needed, not
+just for /dev/rfkill but also for sysfs.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: ea245d78dec5 ("net: rfkill: prevent unlimited numbers of rfkill events from being created")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rfkill/core.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+--- a/net/rfkill/core.c
++++ b/net/rfkill/core.c
+@@ -48,6 +48,7 @@ struct rfkill {
+ bool persistent;
+ bool polling_paused;
+ bool suspended;
++ bool need_sync;
+
+ const struct rfkill_ops *ops;
+ void *data;
+@@ -368,6 +369,17 @@ static void rfkill_set_block(struct rfki
+ rfkill_event(rfkill);
+ }
+
++static void rfkill_sync(struct rfkill *rfkill)
++{
++ lockdep_assert_held(&rfkill_global_mutex);
++
++ if (!rfkill->need_sync)
++ return;
++
++ rfkill_set_block(rfkill, rfkill_global_states[rfkill->type].cur);
++ rfkill->need_sync = false;
++}
++
+ static void rfkill_update_global_state(enum rfkill_type type, bool blocked)
+ {
+ int i;
+@@ -730,6 +742,10 @@ static ssize_t soft_show(struct device *
+ {
+ struct rfkill *rfkill = to_rfkill(dev);
+
++ mutex_lock(&rfkill_global_mutex);
++ rfkill_sync(rfkill);
++ mutex_unlock(&rfkill_global_mutex);
++
+ return sysfs_emit(buf, "%d\n", (rfkill->state & RFKILL_BLOCK_SW) ? 1 : 0);
+ }
+
+@@ -751,6 +767,7 @@ static ssize_t soft_store(struct device
+ return -EINVAL;
+
+ mutex_lock(&rfkill_global_mutex);
++ rfkill_sync(rfkill);
+ rfkill_set_block(rfkill, state);
+ mutex_unlock(&rfkill_global_mutex);
+
+@@ -783,6 +800,10 @@ static ssize_t state_show(struct device
+ {
+ struct rfkill *rfkill = to_rfkill(dev);
+
++ mutex_lock(&rfkill_global_mutex);
++ rfkill_sync(rfkill);
++ mutex_unlock(&rfkill_global_mutex);
++
+ return sysfs_emit(buf, "%d\n", user_state_from_blocked(rfkill->state));
+ }
+
+@@ -805,6 +826,7 @@ static ssize_t state_store(struct device
+ return -EINVAL;
+
+ mutex_lock(&rfkill_global_mutex);
++ rfkill_sync(rfkill);
+ rfkill_set_block(rfkill, state == RFKILL_USER_STATE_SOFT_BLOCKED);
+ mutex_unlock(&rfkill_global_mutex);
+
+@@ -1032,14 +1054,10 @@ static void rfkill_uevent_work(struct wo
+
+ static void rfkill_sync_work(struct work_struct *work)
+ {
+- struct rfkill *rfkill;
+- bool cur;
+-
+- rfkill = container_of(work, struct rfkill, sync_work);
++ struct rfkill *rfkill = container_of(work, struct rfkill, sync_work);
+
+ mutex_lock(&rfkill_global_mutex);
+- cur = rfkill_global_states[rfkill->type].cur;
+- rfkill_set_block(rfkill, cur);
++ rfkill_sync(rfkill);
+ mutex_unlock(&rfkill_global_mutex);
+ }
+
+@@ -1087,6 +1105,7 @@ int __must_check rfkill_register(struct
+ round_jiffies_relative(POLL_INTERVAL));
+
+ if (!rfkill->persistent || rfkill_epo_lock_active) {
++ rfkill->need_sync = true;
+ schedule_work(&rfkill->sync_work);
+ } else {
+ #ifdef CONFIG_RFKILL_INPUT
+@@ -1171,6 +1190,7 @@ static int rfkill_fop_open(struct inode
+ ev = kzalloc(sizeof(*ev), GFP_KERNEL);
+ if (!ev)
+ goto free;
++ rfkill_sync(rfkill);
+ rfkill_fill_event(&ev->ev, rfkill, RFKILL_OP_ADD);
+ list_add_tail(&ev->list, &data->events);
+ }
--- /dev/null
+From stable+bounces-235815-greg=kroah.com@vger.kernel.org Sun Apr 12 14:55:22 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Apr 2026 08:55:14 -0400
+Subject: rfkill: Use sysfs_emit() to instead of sprintf()
+To: stable@vger.kernel.org
+Cc: Bo Liu <liubo03@inspur.com>, Simon Horman <simon.horman@corigine.com>, Johannes Berg <johannes.berg@intel.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260412125517.2219007-1-sashal@kernel.org>
+
+From: Bo Liu <liubo03@inspur.com>
+
+[ Upstream commit 796703baead0c2862f7f2ebb9b177590af533035 ]
+
+Follow the advice of the Documentation/filesystems/sysfs.rst and show()
+should only use sysfs_emit() or sysfs_emit_at() when formatting the
+value to be returned to user space.
+
+Signed-off-by: Bo Liu <liubo03@inspur.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230206081641.3193-1-liubo03@inspur.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: ea245d78dec5 ("net: rfkill: prevent unlimited numbers of rfkill events from being created")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rfkill/core.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/net/rfkill/core.c
++++ b/net/rfkill/core.c
+@@ -685,7 +685,7 @@ static ssize_t name_show(struct device *
+ {
+ struct rfkill *rfkill = to_rfkill(dev);
+
+- return sprintf(buf, "%s\n", rfkill->name);
++ return sysfs_emit(buf, "%s\n", rfkill->name);
+ }
+ static DEVICE_ATTR_RO(name);
+
+@@ -694,7 +694,7 @@ static ssize_t type_show(struct device *
+ {
+ struct rfkill *rfkill = to_rfkill(dev);
+
+- return sprintf(buf, "%s\n", rfkill_types[rfkill->type]);
++ return sysfs_emit(buf, "%s\n", rfkill_types[rfkill->type]);
+ }
+ static DEVICE_ATTR_RO(type);
+
+@@ -703,7 +703,7 @@ static ssize_t index_show(struct device
+ {
+ struct rfkill *rfkill = to_rfkill(dev);
+
+- return sprintf(buf, "%d\n", rfkill->idx);
++ return sysfs_emit(buf, "%d\n", rfkill->idx);
+ }
+ static DEVICE_ATTR_RO(index);
+
+@@ -712,7 +712,7 @@ static ssize_t persistent_show(struct de
+ {
+ struct rfkill *rfkill = to_rfkill(dev);
+
+- return sprintf(buf, "%d\n", rfkill->persistent);
++ return sysfs_emit(buf, "%d\n", rfkill->persistent);
+ }
+ static DEVICE_ATTR_RO(persistent);
+
+@@ -721,7 +721,7 @@ static ssize_t hard_show(struct device *
+ {
+ struct rfkill *rfkill = to_rfkill(dev);
+
+- return sprintf(buf, "%d\n", (rfkill->state & RFKILL_BLOCK_HW) ? 1 : 0 );
++ return sysfs_emit(buf, "%d\n", (rfkill->state & RFKILL_BLOCK_HW) ? 1 : 0);
+ }
+ static DEVICE_ATTR_RO(hard);
+
+@@ -730,7 +730,7 @@ static ssize_t soft_show(struct device *
+ {
+ struct rfkill *rfkill = to_rfkill(dev);
+
+- return sprintf(buf, "%d\n", (rfkill->state & RFKILL_BLOCK_SW) ? 1 : 0 );
++ return sysfs_emit(buf, "%d\n", (rfkill->state & RFKILL_BLOCK_SW) ? 1 : 0);
+ }
+
+ static ssize_t soft_store(struct device *dev, struct device_attribute *attr,
+@@ -764,7 +764,7 @@ static ssize_t hard_block_reasons_show(s
+ {
+ struct rfkill *rfkill = to_rfkill(dev);
+
+- return sprintf(buf, "0x%lx\n", rfkill->hard_block_reasons);
++ return sysfs_emit(buf, "0x%lx\n", rfkill->hard_block_reasons);
+ }
+ static DEVICE_ATTR_RO(hard_block_reasons);
+
+@@ -783,7 +783,7 @@ static ssize_t state_show(struct device
+ {
+ struct rfkill *rfkill = to_rfkill(dev);
+
+- return sprintf(buf, "%d\n", user_state_from_blocked(rfkill->state));
++ return sysfs_emit(buf, "%d\n", user_state_from_blocked(rfkill->state));
+ }
+
+ static ssize_t state_store(struct device *dev, struct device_attribute *attr,
--- /dev/null
+From stable+bounces-235848-greg=kroah.com@vger.kernel.org Sun Apr 12 22:02:56 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Apr 2026 16:02:48 -0400
+Subject: seg6: separate dst_cache for input and output paths in seg6 lwtunnel
+To: stable@vger.kernel.org
+Cc: Andrea Mayer <andrea.mayer@uniroma2.it>, Nicolas Dichtel <nicolas.dichtel@6wind.com>, Justin Iurman <justin.iurman@gmail.com>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260412200248.2405054-1-sashal@kernel.org>
+
+From: Andrea Mayer <andrea.mayer@uniroma2.it>
+
+[ Upstream commit c3812651b522fe8437ebb7063b75ddb95b571643 ]
+
+The seg6 lwtunnel uses a single dst_cache per encap route, shared
+between seg6_input_core() and seg6_output_core(). These two paths
+can perform the post-encap SID lookup in different routing contexts
+(e.g., ip rules matching on the ingress interface, or VRF table
+separation). Whichever path runs first populates the cache, and the
+other reuses it blindly, bypassing its own lookup.
+
+Fix this by splitting the cache into cache_input and cache_output,
+so each path maintains its own cached dst independently.
+
+Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrea Mayer <andrea.mayer@uniroma2.it>
+Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
+Link: https://patch.msgid.link/20260404004405.4057-2-andrea.mayer@uniroma2.it
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ added missing dst reference loop guard in seg6_output_core() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/seg6_iptunnel.c | 41 ++++++++++++++++++++++++++++-------------
+ 1 file changed, 28 insertions(+), 13 deletions(-)
+
+--- a/net/ipv6/seg6_iptunnel.c
++++ b/net/ipv6/seg6_iptunnel.c
+@@ -48,7 +48,8 @@ static size_t seg6_lwt_headroom(struct s
+ }
+
+ struct seg6_lwt {
+- struct dst_cache cache;
++ struct dst_cache cache_input;
++ struct dst_cache cache_output;
+ struct seg6_iptunnel_encap tuninfo[];
+ };
+
+@@ -486,7 +487,7 @@ static int seg6_input_core(struct net *n
+ slwt = seg6_lwt_lwtunnel(lwtst);
+
+ local_bh_disable();
+- dst = dst_cache_get(&slwt->cache);
++ dst = dst_cache_get(&slwt->cache_input);
+ local_bh_enable();
+
+ err = seg6_do_srh(skb, dst);
+@@ -502,7 +503,7 @@ static int seg6_input_core(struct net *n
+ /* cache only if we don't create a dst reference loop */
+ if (!dst->error && lwtst != dst->lwtstate) {
+ local_bh_disable();
+- dst_cache_set_ip6(&slwt->cache, dst,
++ dst_cache_set_ip6(&slwt->cache_input, dst,
+ &ipv6_hdr(skb)->saddr);
+ local_bh_enable();
+ }
+@@ -561,7 +562,7 @@ static int seg6_output_core(struct net *
+ slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate);
+
+ local_bh_disable();
+- dst = dst_cache_get(&slwt->cache);
++ dst = dst_cache_get(&slwt->cache_output);
+ local_bh_enable();
+
+ err = seg6_do_srh(skb, dst);
+@@ -586,9 +587,12 @@ static int seg6_output_core(struct net *
+ goto drop;
+ }
+
+- local_bh_disable();
+- dst_cache_set_ip6(&slwt->cache, dst, &fl6.saddr);
+- local_bh_enable();
++ /* cache only if we don't create a dst reference loop */
++ if (orig_dst->lwtstate != dst->lwtstate) {
++ local_bh_disable();
++ dst_cache_set_ip6(&slwt->cache_output, dst, &fl6.saddr);
++ local_bh_enable();
++ }
+
+ err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
+ if (unlikely(err))
+@@ -695,11 +699,13 @@ static int seg6_build_state(struct net *
+
+ slwt = seg6_lwt_lwtunnel(newts);
+
+- err = dst_cache_init(&slwt->cache, GFP_ATOMIC);
+- if (err) {
+- kfree(newts);
+- return err;
+- }
++ err = dst_cache_init(&slwt->cache_input, GFP_ATOMIC);
++ if (err)
++ goto err_free_newts;
++
++ err = dst_cache_init(&slwt->cache_output, GFP_ATOMIC);
++ if (err)
++ goto err_destroy_input;
+
+ memcpy(&slwt->tuninfo, tuninfo, tuninfo_len);
+
+@@ -714,11 +720,20 @@ static int seg6_build_state(struct net *
+ *ts = newts;
+
+ return 0;
++
++err_destroy_input:
++ dst_cache_destroy(&slwt->cache_input);
++err_free_newts:
++ kfree(newts);
++ return err;
+ }
+
+ static void seg6_destroy_state(struct lwtunnel_state *lwt)
+ {
+- dst_cache_destroy(&seg6_lwt_lwtunnel(lwt)->cache);
++ struct seg6_lwt *slwt = seg6_lwt_lwtunnel(lwt);
++
++ dst_cache_destroy(&slwt->cache_input);
++ dst_cache_destroy(&slwt->cache_output);
+ }
+
+ static int seg6_fill_encap_info(struct sk_buff *skb,
apparmor-fix-differential-encoding-verification.patch
apparmor-fix-race-on-rawdata-dereference.patch
apparmor-fix-race-between-freeing-data-and-fs-accessing-it.patch
+usb-gadget-u_ether-fix-race-between-gether_disconnect-and-eth_stop.patch
+revert-acpi-ec-evaluate-orphan-_reg-under-ec-device.patch
+acpica-add-a-depth-argument-to-acpi_execute_reg_methods.patch
+acpi-ec-evaluate-_reg-outside-the-ec-scope-more-carefully.patch
+usb-gadget-f_hid-move-list-and-spinlock-inits-from-bind-to-alloc.patch
+rfkill-use-sysfs_emit-to-instead-of-sprintf.patch
+rfkill-sync-before-userspace-visibility-changes.patch
+net-rfkill-reduce-data-mtx-scope-in-rfkill_fop_open.patch
+net-rfkill-prevent-unlimited-numbers-of-rfkill-events-from-being-created.patch
+seg6-separate-dst_cache-for-input-and-output-paths-in-seg6-lwtunnel.patch
+revert-mptcp-add-needs_id-for-netlink-appending-addr.patch
+drm-scheduler-signal-scheduled-fence-when-kill-job.patch
+netfilter-nft_set_pipapo-do-not-rely-on-zero_size_ptr.patch
--- /dev/null
+From stable+bounces-235779-greg=kroah.com@vger.kernel.org Sun Apr 12 03:47:26 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Apr 2026 21:47:15 -0400
+Subject: usb: gadget: f_hid: move list and spinlock inits from bind to alloc
+To: stable@vger.kernel.org
+Cc: Michael Zimmermann <sigmaepsilon92@gmail.com>, stable <stable@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260412014715.1926028-1-sashal@kernel.org>
+
+From: Michael Zimmermann <sigmaepsilon92@gmail.com>
+
+[ Upstream commit 4e0a88254ad59f6c53a34bf5fa241884ec09e8b2 ]
+
+There was an issue when you did the following:
+- setup and bind an hid gadget
+- open /dev/hidg0
+- use the resulting fd in EPOLL_CTL_ADD
+- unbind the UDC
+- bind the UDC
+- use the fd in EPOLL_CTL_DEL
+
+When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported
+within remove_wait_queue (via ep_remove_wait_queue). After some
+debugging I found out that the queues, which f_hid registers via
+poll_wait were the problem. These were initialized using
+init_waitqueue_head inside hidg_bind. So effectively, the bind function
+re-initialized the queues while there were still items in them.
+
+The solution is to move the initialization from hidg_bind to hidg_alloc
+to extend their lifetimes to the lifetime of the function instance.
+
+Additionally, I found many other possibly problematic init calls in the
+bind function, which I moved as well.
+
+Signed-off-by: Michael Zimmermann <sigmaepsilon92@gmail.com>
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/20260331184844.2388761-1-sigmaepsilon92@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_hid.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_hid.c
++++ b/drivers/usb/gadget/function/f_hid.c
+@@ -996,13 +996,8 @@ static int hidg_bind(struct usb_configur
+ if (status)
+ goto fail;
+
+- spin_lock_init(&hidg->write_spinlock);
+ hidg->write_pending = 1;
+ hidg->req = NULL;
+- spin_lock_init(&hidg->read_spinlock);
+- init_waitqueue_head(&hidg->write_queue);
+- init_waitqueue_head(&hidg->read_queue);
+- INIT_LIST_HEAD(&hidg->completed_out_req);
+
+ /* create char device */
+ cdev_init(&hidg->cdev, &f_hidg_fops);
+@@ -1272,6 +1267,12 @@ static struct usb_function *hidg_alloc(s
+ mutex_lock(&opts->lock);
+ ++opts->refcnt;
+
++ spin_lock_init(&hidg->write_spinlock);
++ spin_lock_init(&hidg->read_spinlock);
++ init_waitqueue_head(&hidg->write_queue);
++ init_waitqueue_head(&hidg->read_queue);
++ INIT_LIST_HEAD(&hidg->completed_out_req);
++
+ device_initialize(&hidg->dev);
+ hidg->dev.release = hidg_release;
+ hidg->dev.class = hidg_class;
--- /dev/null
+From stable+bounces-235732-greg=kroah.com@vger.kernel.org Sat Apr 11 16:13:58 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Apr 2026 10:11:18 -0400
+Subject: usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop
+To: stable@vger.kernel.org
+Cc: Kuen-Han Tsai <khtsai@google.com>, stable <stable@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260411141118.767712-1-sashal@kernel.org>
+
+From: Kuen-Han Tsai <khtsai@google.com>
+
+[ Upstream commit e1eabb072c75681f78312c484ccfffb7430f206e ]
+
+A race condition between gether_disconnect() and eth_stop() leads to a
+NULL pointer dereference. Specifically, if eth_stop() is triggered
+concurrently while gether_disconnect() is tearing down the endpoints,
+eth_stop() attempts to access the cleared endpoint descriptor, causing
+the following NPE:
+
+ Unable to handle kernel NULL pointer dereference
+ Call trace:
+ __dwc3_gadget_ep_enable+0x60/0x788
+ dwc3_gadget_ep_enable+0x70/0xe4
+ usb_ep_enable+0x60/0x15c
+ eth_stop+0xb8/0x108
+
+Because eth_stop() crashes while holding the dev->lock, the thread
+running gether_disconnect() fails to acquire the same lock and spins
+forever, resulting in a hardlockup:
+
+ Core - Debugging Information for Hardlockup core(7)
+ Call trace:
+ queued_spin_lock_slowpath+0x94/0x488
+ _raw_spin_lock+0x64/0x6c
+ gether_disconnect+0x19c/0x1e8
+ ncm_set_alt+0x68/0x1a0
+ composite_setup+0x6a0/0xc50
+
+The root cause is that the clearing of dev->port_usb in
+gether_disconnect() is delayed until the end of the function.
+
+Move the clearing of dev->port_usb to the very beginning of
+gether_disconnect() while holding dev->lock. This cuts off the link
+immediately, ensuring eth_stop() will see dev->port_usb as NULL and
+safely bail out.
+
+Fixes: 2b3d942c4878 ("usb ethernet gadget: split out network core")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
+Link: https://patch.msgid.link/20260311-gether-disconnect-npe-v1-1-454966adf7c7@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/u_ether.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -1175,6 +1175,10 @@ void gether_disconnect(struct gether *li
+
+ DBG(dev, "%s\n", __func__);
+
++ spin_lock(&dev->lock);
++ dev->port_usb = NULL;
++ spin_unlock(&dev->lock);
++
+ netif_stop_queue(dev->net);
+ netif_carrier_off(dev->net);
+
+@@ -1212,10 +1216,6 @@ void gether_disconnect(struct gether *li
+ dev->header_len = 0;
+ dev->unwrap = NULL;
+ dev->wrap = NULL;
+-
+- spin_lock(&dev->lock);
+- dev->port_usb = NULL;
+- spin_unlock(&dev->lock);
+ }
+ EXPORT_SYMBOL_GPL(gether_disconnect);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
