--- /dev/null
+From 4d984b0574ff708e66152763fbfdef24ea40933f Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Wed, 7 Jan 2026 10:01:36 +0100
+Subject: atm: Fix dma_free_coherent() size
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit 4d984b0574ff708e66152763fbfdef24ea40933f upstream.
+
+The size of the buffer is not the same when alloc'd with
+dma_alloc_coherent() in he_init_tpdrq() and freed.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20260107090141.80900-2-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/atm/he.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/atm/he.c
++++ b/drivers/atm/he.c
+@@ -1590,7 +1590,8 @@ he_stop(struct he_dev *he_dev)
+ he_dev->tbrq_base, he_dev->tbrq_phys);
+
+ if (he_dev->tpdrq_base)
+- dma_free_coherent(&he_dev->pci_dev->dev, CONFIG_TBRQ_SIZE * sizeof(struct he_tbrq),
++ dma_free_coherent(&he_dev->pci_dev->dev,
++ CONFIG_TPDRQ_SIZE * sizeof(struct he_tpdrq),
+ he_dev->tpdrq_base, he_dev->tpdrq_phys);
+
+ dma_pool_destroy(he_dev->tpd_pool);
--- /dev/null
+From 0ddd3bb4b14c9102c0267b3fd916c81fe5ab89c1 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Thu, 11 Dec 2025 16:33:44 +0400
+Subject: drm/pl111: Fix error handling in pl111_amba_probe
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 0ddd3bb4b14c9102c0267b3fd916c81fe5ab89c1 upstream.
+
+Jump to the existing dev_put label when devm_request_irq() fails
+so drm_dev_put() and of_reserved_mem_device_release() run
+instead of returning early and leaking resources.
+
+Found via static analysis and code review.
+
+Fixes: bed41005e617 ("drm/pl111: Initial drm/kms driver for pl111")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Linus Walleij <linusw@kernel.org>
+Link: https://patch.msgid.link/20251211123345.2392065-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/pl111/pl111_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/pl111/pl111_drv.c
++++ b/drivers/gpu/drm/pl111/pl111_drv.c
+@@ -297,7 +297,7 @@ static int pl111_amba_probe(struct amba_
+ variant->name, priv);
+ if (ret != 0) {
+ dev_err(dev, "%s failed irq %d\n", __func__, ret);
+- return ret;
++ goto dev_put;
+ }
+
+ ret = pl111_modeset_init(drm);
--- /dev/null
+From 74d74bb78aeccc9edc10db216d6be121cf7ec176 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Tue, 6 Jan 2026 21:20:23 -0800
+Subject: lib/crypto: aes: Fix missing MMU protection for AES S-box
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit 74d74bb78aeccc9edc10db216d6be121cf7ec176 upstream.
+
+__cacheline_aligned puts the data in the ".data..cacheline_aligned"
+section, which isn't marked read-only i.e. it doesn't receive MMU
+protection. Replace it with ____cacheline_aligned which does the right
+thing and just aligns the data while keeping it in ".rodata".
+
+Fixes: b5e0b032b6c3 ("crypto: aes - add generic time invariant AES cipher")
+Cc: stable@vger.kernel.org
+Reported-by: Qingfang Deng <dqfext@gmail.com>
+Closes: https://lore.kernel.org/r/20260105074712.498-1-dqfext@gmail.com/
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Link: https://lore.kernel.org/r/20260107052023.174620-1-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/crypto/aes.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/crypto/aes.c
++++ b/lib/crypto/aes.c
+@@ -12,7 +12,7 @@
+ * Emit the sbox as volatile const to prevent the compiler from doing
+ * constant folding on sbox references involving fixed indexes.
+ */
+-static volatile const u8 __cacheline_aligned aes_sbox[] = {
++static volatile const u8 ____cacheline_aligned aes_sbox[] = {
+ 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
+ 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
+ 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
+@@ -47,7 +47,7 @@ static volatile const u8 __cacheline_ali
+ 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16,
+ };
+
+-static volatile const u8 __cacheline_aligned aes_inv_sbox[] = {
++static volatile const u8 ____cacheline_aligned aes_inv_sbox[] = {
+ 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
+ 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
+ 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
--- /dev/null
+From c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Mon, 5 Jan 2026 19:23:19 +0100
+Subject: libceph: make calc_target() set t->paused, not just clear it
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 upstream.
+
+Currently calc_target() clears t->paused if the request shouldn't be
+paused anymore, but doesn't ever set t->paused even though it's able to
+determine when the request should be paused. Setting t->paused is left
+to __submit_request() which is fine for regular requests but doesn't
+work for linger requests -- since __submit_request() doesn't operate
+on linger requests, there is nowhere for lreq->t.paused to be set.
+One consequence of this is that watches don't get reestablished on
+paused -> unpaused transitions in cases where requests have been paused
+long enough for the (paused) unwatch request to time out and for the
+subsequent (re)watch request to enter the paused state. On top of the
+watch not getting reestablished, rbd_reregister_watch() gets stuck with
+rbd_dev->watch_mutex held:
+
+ rbd_register_watch
+ __rbd_register_watch
+ ceph_osdc_watch
+ linger_reg_commit_wait
+
+It's waiting for lreq->reg_commit_wait to be completed, but for that to
+happen the respective request needs to end up on need_resend_linger list
+and be kicked when requests are unpaused. There is no chance for that
+if the request in question is never marked paused in the first place.
+
+The fact that rbd_dev->watch_mutex remains taken out forever then
+prevents the image from getting unmapped -- "rbd unmap" would inevitably
+hang in D state on an attempt to grab the mutex.
+
+Cc: stable@vger.kernel.org
+Reported-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/osd_client.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/ceph/osd_client.c
++++ b/net/ceph/osd_client.c
+@@ -1529,6 +1529,7 @@ static enum calc_target_result calc_targ
+ struct ceph_pg_pool_info *pi;
+ struct ceph_pg pgid, last_pgid;
+ struct ceph_osds up, acting;
++ bool should_be_paused;
+ bool is_read = t->flags & CEPH_OSD_FLAG_READ;
+ bool is_write = t->flags & CEPH_OSD_FLAG_WRITE;
+ bool force_resend = false;
+@@ -1597,10 +1598,16 @@ static enum calc_target_result calc_targ
+ &last_pgid))
+ force_resend = true;
+
+- if (t->paused && !target_should_be_paused(osdc, t, pi)) {
+- t->paused = false;
++ should_be_paused = target_should_be_paused(osdc, t, pi);
++ if (t->paused && !should_be_paused) {
+ unpaused = true;
+ }
++ if (t->paused != should_be_paused) {
++ dout("%s t %p paused %d -> %d\n", __func__, t, t->paused,
++ should_be_paused);
++ t->paused = should_be_paused;
++ }
++
+ legacy_change = ceph_pg_compare(&t->pgid, &pgid) ||
+ ceph_osds_changed(&t->acting, &acting,
+ t->used_replica || any_change);
--- /dev/null
+From e3fe30e57649c551757a02e1cad073c47e1e075e Mon Sep 17 00:00:00 2001
+From: Tuo Li <islituo@gmail.com>
+Date: Sun, 21 Dec 2025 02:11:49 +0800
+Subject: libceph: make free_choose_arg_map() resilient to partial allocation
+
+From: Tuo Li <islituo@gmail.com>
+
+commit e3fe30e57649c551757a02e1cad073c47e1e075e upstream.
+
+free_choose_arg_map() may dereference a NULL pointer if its caller fails
+after a partial allocation.
+
+For example, in decode_choose_args(), if allocation of arg_map->args
+fails, execution jumps to the fail label and free_choose_arg_map() is
+called. Since arg_map->size is updated to a non-zero value before memory
+allocation, free_choose_arg_map() will iterate over arg_map->args and
+dereference a NULL pointer.
+
+To prevent this potential NULL pointer dereference and make
+free_choose_arg_map() more resilient, add checks for pointers before
+iterating.
+
+Cc: stable@vger.kernel.org
+Co-authored-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Tuo Li <islituo@gmail.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/osdmap.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -225,22 +225,26 @@ static struct crush_choose_arg_map *allo
+
+ static void free_choose_arg_map(struct crush_choose_arg_map *arg_map)
+ {
+- if (arg_map) {
+- int i, j;
++ int i, j;
+
+- WARN_ON(!RB_EMPTY_NODE(&arg_map->node));
++ if (!arg_map)
++ return;
+
++ WARN_ON(!RB_EMPTY_NODE(&arg_map->node));
++
++ if (arg_map->args) {
+ for (i = 0; i < arg_map->size; i++) {
+ struct crush_choose_arg *arg = &arg_map->args[i];
+-
+- for (j = 0; j < arg->weight_set_size; j++)
+- kfree(arg->weight_set[j].weights);
+- kfree(arg->weight_set);
++ if (arg->weight_set) {
++ for (j = 0; j < arg->weight_set_size; j++)
++ kfree(arg->weight_set[j].weights);
++ kfree(arg->weight_set);
++ }
+ kfree(arg->ids);
+ }
+ kfree(arg_map->args);
+- kfree(arg_map);
+ }
++ kfree(arg_map);
+ }
+
+ DEFINE_RB_FUNCS(choose_arg_map, struct crush_choose_arg_map, choose_args_index,
--- /dev/null
+From 818156caffbf55cb4d368f9c3cac64e458fb49c9 Mon Sep 17 00:00:00 2001
+From: ziming zhang <ezrakiez@gmail.com>
+Date: Thu, 11 Dec 2025 16:52:58 +0800
+Subject: libceph: prevent potential out-of-bounds reads in handle_auth_done()
+
+From: ziming zhang <ezrakiez@gmail.com>
+
+commit 818156caffbf55cb4d368f9c3cac64e458fb49c9 upstream.
+
+Perform an explicit bounds check on payload_len to avoid a possible
+out-of-bounds access in the callout.
+
+[ idryomov: changelog ]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: ziming zhang <ezrakiez@gmail.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/messenger_v2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ceph/messenger_v2.c
++++ b/net/ceph/messenger_v2.c
+@@ -2068,7 +2068,9 @@ static int process_auth_done(struct ceph
+
+ ceph_decode_64_safe(&p, end, global_id, bad);
+ ceph_decode_32_safe(&p, end, con->v2.con_mode, bad);
++
+ ceph_decode_32_safe(&p, end, payload_len, bad);
++ ceph_decode_need(&p, end, payload_len, bad);
+
+ dout("%s con %p global_id %llu con_mode %d payload_len %d\n",
+ __func__, con, global_id, con->v2.con_mode, payload_len);
--- /dev/null
+From e00c3f71b5cf75681dbd74ee3f982a99cb690c2b Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Mon, 15 Dec 2025 11:53:31 +0100
+Subject: libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit e00c3f71b5cf75681dbd74ee3f982a99cb690c2b upstream.
+
+If the osdmap is (maliciously) corrupted such that the incremental
+osdmap epoch is different from what is expected, there is no need to
+BUG. Instead, just declare the incremental osdmap to be invalid.
+
+Cc: stable@vger.kernel.org
+Reported-by: ziming zhang <ezrakiez@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/osdmap.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -1959,11 +1959,13 @@ struct ceph_osdmap *osdmap_apply_increme
+ sizeof(u64) + sizeof(u32), e_inval);
+ ceph_decode_copy(p, &fsid, sizeof(fsid));
+ epoch = ceph_decode_32(p);
+- BUG_ON(epoch != map->epoch+1);
+ ceph_decode_copy(p, &modified, sizeof(modified));
+ new_pool_max = ceph_decode_64(p);
+ new_flags = ceph_decode_32(p);
+
++ if (epoch != map->epoch + 1)
++ goto e_inval;
++
+ /* full map? */
+ ceph_decode_32_safe(p, end, len, e_inval);
+ if (len > 0) {
--- /dev/null
+From e84b48d31b5008932c0a0902982809fbaa1d3b70 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Mon, 29 Dec 2025 15:14:48 +0100
+Subject: libceph: return the handler error from mon_handle_auth_done()
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit e84b48d31b5008932c0a0902982809fbaa1d3b70 upstream.
+
+Currently any error from ceph_auth_handle_reply_done() is propagated
+via finish_auth() but isn't returned from mon_handle_auth_done(). This
+results in higher layers learning that (despite the monitor considering
+us to be successfully authenticated) something went wrong in the
+authentication phase and reacting accordingly, but msgr2 still trying
+to proceed with establishing the session in the background. In the
+case of secure mode this can trigger a WARN in setup_crypto() and later
+lead to a NULL pointer dereference inside of prepare_auth_signature().
+
+Cc: stable@vger.kernel.org
+Fixes: cd1a677cad99 ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)")
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/mon_client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ceph/mon_client.c
++++ b/net/ceph/mon_client.c
+@@ -1418,7 +1418,7 @@ static int mon_handle_auth_done(struct c
+ if (!ret)
+ finish_hunting(monc);
+ mutex_unlock(&monc->mutex);
+- return 0;
++ return ret;
+ }
+
+ static int mon_handle_auth_bad_method(struct ceph_connection *con,
--- /dev/null
+From 420f423defcf6d0af2263d38da870ca4a20c0990 Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Mon, 15 Dec 2025 12:59:15 +0200
+Subject: mei: me: add nova lake point S DID
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit 420f423defcf6d0af2263d38da870ca4a20c0990 upstream.
+
+Add Nova Lake S device id.
+
+Cc: stable <stable@kernel.org>
+Co-developed-by: Tomas Winkler <tomasw@gmail.com>
+Signed-off-by: Tomas Winkler <tomasw@gmail.com>
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Link: https://patch.msgid.link/20251215105915.1672659-1-alexander.usyskin@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/hw-me-regs.h | 2 ++
+ drivers/misc/mei/pci-me.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -122,6 +122,8 @@
+
+ #define MEI_DEV_ID_WCL_P 0x4D70 /* Wildcat Lake P */
+
++#define MEI_DEV_ID_NVL_S 0x6E68 /* Nova Lake Point S */
++
+ /*
+ * MEI HW Section
+ */
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -128,6 +128,8 @@ static const struct pci_device_id mei_me
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_WCL_P, MEI_ME_PCH15_CFG)},
+
++ {MEI_PCI_DEVICE(MEI_DEV_ID_NVL_S, MEI_ME_PCH15_CFG)},
++
+ /* required last entry */
+ {0, }
+ };
--- /dev/null
+From a4e305ed60f7c41bbf9aabc16dd75267194e0de3 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Tue, 6 Jan 2026 10:47:21 +0100
+Subject: net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit a4e305ed60f7c41bbf9aabc16dd75267194e0de3 upstream.
+
+pdev can be null and free_ring: can be called in 1297 with a null
+pdev.
+
+Fixes: 55c82617c3e8 ("3c59x: convert to generic DMA API")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20260106094731.25819-2-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/3com/3c59x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/3com/3c59x.c
++++ b/drivers/net/ethernet/3com/3c59x.c
+@@ -1471,7 +1471,7 @@ static int vortex_probe1(struct device *
+ return 0;
+
+ free_ring:
+- dma_free_coherent(&pdev->dev,
++ dma_free_coherent(gendev,
+ sizeof(struct boom_rx_desc) * RX_RING_SIZE +
+ sizeof(struct boom_tx_desc) * TX_RING_SIZE,
+ vp->rx_ring, vp->rx_ring_dma);
revert-iommu-amd-skip-enabling-command-event-buffers-for-kdump.patch
net-ethtool-fix-the-error-condition-in-ethtool_get_phy_stats_ethtool.patch
usb-gadget-lpc32xx_udc-fix-clock-imbalance-in-error-path.patch
+atm-fix-dma_free_coherent-size.patch
+net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch
+mei-me-add-nova-lake-point-s-did.patch
+lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch
+drm-pl111-fix-error-handling-in-pl111_amba_probe.patch
+wifi-avoid-kernel-infoleak-from-struct-iw_point.patch
+libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch
+libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch
+libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch
+libceph-return-the-handler-error-from-mon_handle_auth_done.patch
+libceph-make-calc_target-set-t-paused-not-just-clear-it.patch
--- /dev/null
+From 21cbf883d073abbfe09e3924466aa5e0449e7261 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 8 Jan 2026 10:19:27 +0000
+Subject: wifi: avoid kernel-infoleak from struct iw_point
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 21cbf883d073abbfe09e3924466aa5e0449e7261 upstream.
+
+struct iw_point has a 32bit hole on 64bit arches.
+
+struct iw_point {
+ void __user *pointer; /* Pointer to the data (in user space) */
+ __u16 length; /* number of fields or size in bytes */
+ __u16 flags; /* Optional params */
+};
+
+Make sure to zero the structure to avoid disclosing 32bits of kernel data
+to user space.
+
+Fixes: 87de87d5e47f ("wext: Dispatch and handle compat ioctls entirely in net/wireless/wext.c")
+Reported-by: syzbot+bfc7323743ca6dbcc3d3@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695f83f3.050a0220.1c677c.0392.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260108101927.857582-1-edumazet@google.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/wext-core.c | 4 ++++
+ net/wireless/wext-priv.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -1084,6 +1084,10 @@ static int compat_standard_call(struct n
+ return ioctl_standard_call(dev, iwr, cmd, info, handler);
+
+ iwp_compat = (struct compat_iw_point *) &iwr->u.data;
++
++ /* struct iw_point has a 32bit hole on 64bit arches. */
++ memset(&iwp, 0, sizeof(iwp));
++
+ iwp.pointer = compat_ptr(iwp_compat->pointer);
+ iwp.length = iwp_compat->length;
+ iwp.flags = iwp_compat->flags;
+--- a/net/wireless/wext-priv.c
++++ b/net/wireless/wext-priv.c
+@@ -228,6 +228,10 @@ int compat_private_call(struct net_devic
+ struct iw_point iwp;
+
+ iwp_compat = (struct compat_iw_point *) &iwr->u.data;
++
++ /* struct iw_point has a 32bit hole on 64bit arches. */
++ memset(&iwp, 0, sizeof(iwp));
++
+ iwp.pointer = compat_ptr(iwp_compat->pointer);
+ iwp.length = iwp_compat->length;
+ iwp.flags = iwp_compat->flags;
projects / thirdparty / kernel / stable-queue.git / commitdiff
