--- /dev/null
+From e0da8a8cac74f4b9f577979d131f0d2b88a84487 Mon Sep 17 00:00:00 2001
+From: Ziqing Chen <chenziqing@xiaomi.com>
+Date: Tue, 14 Apr 2026 21:24:37 +0800
+Subject: ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()
+
+From: Ziqing Chen <chenziqing@xiaomi.com>
+
+commit e0da8a8cac74f4b9f577979d131f0d2b88a84487 upstream.
+
+snd_ctl_elem_init_enum_names() advances pointer p through the names
+buffer while decrementing buf_len. If buf_len reaches zero but items
+remain, the next iteration calls strnlen(p, 0).
+
+While strnlen(p, 0) returns 0 and would hit the existing name_len == 0
+error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks
+maxlen against __builtin_dynamic_object_size(). When Clang loses track
+of p's object size inside the loop, this triggers a BRK exception panic
+before the return value is examined.
+
+Add a buf_len == 0 guard at the loop entry to prevent calling fortified
+strnlen() on an exhausted buffer.
+
+Found by kernel fuzz testing through Xiaomi Smartphone.
+
+Fixes: 8d448162bda5 ("ALSA: control: add support for ENUMERATED user space controls")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ziqing Chen <chenziqing@xiaomi.com>
+Link: https://patch.msgid.link/20260414132437.261304-1-chenziqing@xiaomi.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/control.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -1672,6 +1672,10 @@ static int snd_ctl_elem_init_enum_names(
+ /* check that there are enough valid names */
+ p = names;
+ for (i = 0; i < ue->info.value.enumerated.items; ++i) {
++ if (buf_len == 0) {
++ kvfree(names);
++ return -EINVAL;
++ }
+ name_len = strnlen(p, buf_len);
+ if (name_len == 0 || name_len >= 64 || name_len == buf_len) {
+ kvfree(names);
--- /dev/null
+From 25947cc5b2374cd5bf627fe3141496444260d04f Mon Sep 17 00:00:00 2001
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+Date: Sat, 4 Apr 2026 18:20:11 +0300
+Subject: ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
+
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+
+commit 25947cc5b2374cd5bf627fe3141496444260d04f upstream.
+
+ext2_iget() already rejects inodes with i_nlink == 0 when i_mode is
+zero or i_dtime is set, treating them as deleted. However, the case of
+i_nlink == 0 with a non-zero mode and zero dtime slips through. Since
+ext2 has no orphan list, such a combination can only result from
+filesystem corruption - a legitimate inode deletion always sets either
+i_dtime or clears i_mode before freeing the inode.
+
+A crafted image can exploit this gap to present such an inode to the
+VFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via
+ext2_unlink(), ext2_rename() and ext2_rmdir():
+
+WARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
+CPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1
+Call Trace:
+ <TASK>
+ inode_dec_link_count include/linux/fs.h:2518 [inline]
+ ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295
+ vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477
+ do_unlinkat+0x53e/0x730 fs/namei.c:4541
+ __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587
+ do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+WARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
+CPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1
+Call Trace:
+ <TASK>
+ inode_dec_link_count include/linux/fs.h:2518 [inline]
+ ext2_rename+0x35e/0x850 fs/ext2/namei.c:374
+ vfs_rename+0xf2f/0x2060 fs/namei.c:5021
+ do_renameat2+0xbe2/0xd50 fs/namei.c:5178
+ __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223
+ do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+WARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
+CPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1
+Call Trace:
+ <TASK>
+ inode_dec_link_count include/linux/fs.h:2518 [inline]
+ ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311
+ vfs_rmdir+0x204/0x690 fs/namei.c:4348
+ do_rmdir+0x372/0x3e0 fs/namei.c:4407
+ __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577
+ do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+Extend the existing i_nlink == 0 check to also catch this case,
+reporting the corruption via ext2_error() and returning -EFSCORRUPTED.
+This rejects the inode at load time and prevents it from reaching any
+of the namei.c paths.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Link: https://patch.msgid.link/20260404152011.2590197-1-kovalev@altlinux.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext2/inode.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/fs/ext2/inode.c
++++ b/fs/ext2/inode.c
+@@ -1432,9 +1432,17 @@ struct inode *ext2_iget (struct super_bl
+ * the test is that same one that e2fsck uses
+ * NeilBrown 1999oct15
+ */
+- if (inode->i_nlink == 0 && (inode->i_mode == 0 || ei->i_dtime)) {
+- /* this inode is deleted */
+- ret = -ESTALE;
++ if (inode->i_nlink == 0) {
++ if (inode->i_mode == 0 || ei->i_dtime) {
++ /* this inode is deleted */
++ ret = -ESTALE;
++ } else {
++ ext2_error(sb, __func__,
++ "inode %lu has zero i_nlink with mode 0%o and no dtime, "
++ "filesystem may be corrupt",
++ ino, inode->i_mode);
++ ret = -EFSCORRUPTED;
++ }
+ goto bad_inode;
+ }
+ inode->i_blocks = le32_to_cpu(raw_inode->i_blocks);
--- /dev/null
+From 8cdf30813ea8ce881cecc08664144416dbdb3e16 Mon Sep 17 00:00:00 2001
+From: Josh Law <objecting@objecting.org>
+Date: Sun, 8 Mar 2026 20:20:28 +0000
+Subject: lib/ts_kmp: fix integer overflow in pattern length calculation
+
+From: Josh Law <objecting@objecting.org>
+
+commit 8cdf30813ea8ce881cecc08664144416dbdb3e16 upstream.
+
+The ts_kmp algorithm stores its prefix_tbl[] table and pattern in a single
+allocation sized from the pattern length. If the prefix_tbl[] size
+calculation wraps, the resulting allocation can be too small and
+subsequent pattern copies can overflow it.
+
+Fix this by rejecting zero-length patterns and by using overflow helpers
+before calculating the combined allocation size.
+
+
+This fixes a potential heap overflow. The pattern length calculation can
+wrap during a size_t addition, leading to an undersized allocation.
+Because the textsearch library is reachable from userspace via Netfilter's
+xt_string module, this is a security risk that should be backported to LTS
+kernels.
+
+Link: https://lkml.kernel.org/r/20260308202028.2889285-2-objecting@objecting.org
+Signed-off-by: Josh Law <objecting@objecting.org>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/ts_kmp.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/lib/ts_kmp.c
++++ b/lib/ts_kmp.c
+@@ -94,8 +94,22 @@ static struct ts_config *kmp_init(const
+ struct ts_config *conf;
+ struct ts_kmp *kmp;
+ int i;
+- unsigned int prefix_tbl_len = len * sizeof(unsigned int);
+- size_t priv_size = sizeof(*kmp) + len + prefix_tbl_len;
++ unsigned int prefix_tbl_len;
++ size_t priv_size;
++
++ /* Zero-length patterns would make kmp_find() read beyond kmp->pattern. */
++ if (unlikely(!len))
++ return ERR_PTR(-EINVAL);
++
++ /*
++ * kmp->pattern is stored immediately after the prefix_tbl[] table.
++ * Reject lengths that would wrap while sizing either region.
++ */
++ if (unlikely(check_mul_overflow(len, sizeof(*kmp->prefix_tbl),
++ &prefix_tbl_len) ||
++ check_add_overflow(sizeof(*kmp), (size_t)len, &priv_size) ||
++ check_add_overflow(priv_size, prefix_tbl_len, &priv_size)))
++ return ERR_PTR(-EINVAL);
+
+ conf = alloc_ts_config(priv_size, gfp_mask);
+ if (IS_ERR(conf))
--- /dev/null
+From 8cd35ceadcfc8c5da2eb7f7ce24525ce9d4ee62e Mon Sep 17 00:00:00 2001
+From: Ming Qian <ming.qian@oss.nxp.com>
+Date: Fri, 6 Mar 2026 14:59:50 +0800
+Subject: media: amphion: Fix race between m2m job_abort and device_run
+
+From: Ming Qian <ming.qian@oss.nxp.com>
+
+commit 8cd35ceadcfc8c5da2eb7f7ce24525ce9d4ee62e upstream.
+
+Fix kernel panic caused by race condition where v4l2_m2m_ctx_release()
+frees m2m_ctx while v4l2_m2m_try_run() is about to call device_run
+with the same context.
+
+Race sequence:
+ v4l2_m2m_try_run(): v4l2_m2m_ctx_release():
+ lock/unlock v4l2_m2m_cancel_job()
+ job_abort()
+ v4l2_m2m_job_finish()
+ kfree(m2m_ctx) <- frees ctx
+ device_run() <- use-after-free crash at 0x538
+
+Crash trace:
+ Unable to handle kernel read from unreadable memory at virtual address
+ 0000000000000538
+ v4l2_m2m_try_run+0x78/0x138
+ v4l2_m2m_device_run_work+0x14/0x20
+
+The amphion vpu driver does not rely on the m2m framework's device_run
+callback to perform encode/decode operations.
+
+Fix the race by preventing m2m framework job scheduling entirely:
+- Add job_ready callback returning 0 (no jobs ready for m2m framework)
+- Remove job_abort callback to avoid the race condition
+
+Fixes: 3cd084519c6f ("media: amphion: add vpu v4l2 m2m support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/amphion/vpu_v4l2.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/platform/amphion/vpu_v4l2.c
++++ b/drivers/media/platform/amphion/vpu_v4l2.c
+@@ -441,17 +441,14 @@ static void vpu_m2m_device_run(void *pri
+ {
+ }
+
+-static void vpu_m2m_job_abort(void *priv)
++static int vpu_m2m_job_ready(void *priv)
+ {
+- struct vpu_inst *inst = priv;
+- struct v4l2_m2m_ctx *m2m_ctx = inst->fh.m2m_ctx;
+-
+- v4l2_m2m_job_finish(m2m_ctx->m2m_dev, m2m_ctx);
++ return 0;
+ }
+
+ static const struct v4l2_m2m_ops vpu_m2m_ops = {
+ .device_run = vpu_m2m_device_run,
+- .job_abort = vpu_m2m_job_abort
++ .job_ready = vpu_m2m_job_ready,
+ };
+
+ static int vpu_vb2_queue_setup(struct vb2_queue *vq,
--- /dev/null
+From 943b1f27a3eead21b22e2531a5432ea5910b60eb Mon Sep 17 00:00:00 2001
+From: Chen Ni <nichen@iscas.ac.cn>
+Date: Wed, 4 Feb 2026 10:48:59 +0800
+Subject: media: i2c: imx219: Check return value of devm_gpiod_get_optional() in imx219_probe()
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+commit 943b1f27a3eead21b22e2531a5432ea5910b60eb upstream.
+
+The devm_gpiod_get_optional() function may return an error pointer
+(ERR_PTR) in case of a genuine failure during GPIO acquisition,
+not just NULL which indicates the legitimate absence of an optional
+GPIO.
+
+Add an IS_ERR() check after the function call to catch such errors and
+propagate them to the probe function, ensuring the driver fails to load
+safely rather than proceeding with an invalid pointer.
+
+Fixes: 1283b3b8f82b ("media: i2c: Add driver for Sony IMX219 sensor")
+Cc: stable@vger.kernel.org
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Reviewed-by: Jai Luthra <jai.luthra@ideasonboard.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/imx219.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/i2c/imx219.c
++++ b/drivers/media/i2c/imx219.c
+@@ -1274,6 +1274,9 @@ static int imx219_probe(struct i2c_clien
+ /* Request optional enable pin */
+ imx219->reset_gpio = devm_gpiod_get_optional(dev, "reset",
+ GPIOD_OUT_HIGH);
++ if (IS_ERR(imx219->reset_gpio))
++ return dev_err_probe(dev, PTR_ERR(imx219->reset_gpio),
++ "failed to get reset gpio\n");
+
+ /*
+ * The sensor must be powered for imx219_identify_module()
--- /dev/null
+From 34c519feef3e4fcff1078dc8bdb25fbbbd10303f Mon Sep 17 00:00:00 2001
+From: Fan Wu <fanwu01@zju.edu.cn>
+Date: Wed, 4 Mar 2026 03:19:34 +0000
+Subject: media: mtk-jpeg: fix use-after-free in release path due to uncancelled work
+
+From: Fan Wu <fanwu01@zju.edu.cn>
+
+commit 34c519feef3e4fcff1078dc8bdb25fbbbd10303f upstream.
+
+The mtk_jpeg_release() function frees the context structure (ctx) without
+first cancelling any pending or running work in ctx->jpeg_work. This
+creates a race window where the workqueue callback may still be accessing
+the context memory after it has been freed.
+
+Race condition:
+
+ CPU 0 (release) CPU 1 (workqueue)
+ ---------------- ------------------
+ close()
+ mtk_jpeg_release()
+ mtk_jpegenc_worker()
+ ctx = work->data
+ // accessing ctx
+
+ kfree(ctx) // freed!
+ access ctx // UAF!
+
+The work is queued via queue_work() during JPEG encode/decode operations
+(via mtk_jpeg_device_run). If the device is closed while work is pending
+or running, the work handler will access freed memory.
+
+Fix this by calling cancel_work_sync() BEFORE acquiring the mutex. This
+ordering is critical: if cancel_work_sync() is called after mutex_lock(),
+and the work handler also tries to acquire the same mutex, it would cause
+a deadlock.
+
+Note: The open error path does NOT need cancel_work_sync() because
+INIT_WORK() only initializes the work structure - it does not schedule
+it. Work is only scheduled later during ioctl operations.
+
+Fixes: 5fb1c2361e56 ("mtk-jpegenc: add jpeg encode worker interface")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
++++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
+@@ -1214,6 +1214,7 @@ static int mtk_jpeg_release(struct file
+ struct mtk_jpeg_dev *jpeg = video_drvdata(file);
+ struct mtk_jpeg_ctx *ctx = mtk_jpeg_fh_to_ctx(file->private_data);
+
++ cancel_work_sync(&ctx->jpeg_work);
+ mutex_lock(&jpeg->lock);
+ v4l2_m2m_ctx_release(ctx->fh.m2m_ctx);
+ v4l2_ctrl_handler_free(&ctx->ctrl_hdl);
--- /dev/null
+From f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8 Mon Sep 17 00:00:00 2001
+From: Zhengchuan Liang <zcliangcn@gmail.com>
+Date: Sat, 11 Apr 2026 23:10:26 +0800
+Subject: net: caif: clear client service pointer on teardown
+
+From: Zhengchuan Liang <zcliangcn@gmail.com>
+
+commit f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8 upstream.
+
+`caif_connect()` can tear down an existing client after remote shutdown by
+calling `caif_disconnect_client()` followed by `caif_free_client()`.
+`caif_free_client()` releases the service layer referenced by
+`adap_layer->dn`, but leaves that pointer stale.
+
+When the socket is later destroyed, `caif_sock_destructor()` calls
+`caif_free_client()` again and dereferences the freed service pointer.
+
+Clear the client/service links before releasing the service object so
+repeated teardown becomes harmless.
+
+Fixes: 43e369210108 ("caif: Move refcount from service layer to sock and dev.")
+Cc: stable@kernel.org
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Link: https://patch.msgid.link/9f3d37847c0037568aae698ca23cd47c6691acb0.1775897577.git.zcliangcn@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/caif/cfsrvl.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/net/caif/cfsrvl.c
++++ b/net/caif/cfsrvl.c
+@@ -197,10 +197,20 @@ bool cfsrvl_phyid_match(struct cflayer *
+
+ void caif_free_client(struct cflayer *adap_layer)
+ {
++ struct cflayer *serv_layer;
+ struct cfsrvl *servl;
+- if (adap_layer == NULL || adap_layer->dn == NULL)
++
++ if (!adap_layer)
++ return;
++
++ serv_layer = adap_layer->dn;
++ if (!serv_layer)
+ return;
+- servl = container_obj(adap_layer->dn);
++
++ layer_set_dn(adap_layer, NULL);
++ layer_set_up(serv_layer, NULL);
++
++ servl = container_obj(serv_layer);
+ servl->release(&servl->layer);
+ }
+ EXPORT_SYMBOL(caif_free_client);
--- /dev/null
+From 7809fea20c9404bfcfa6112ec08d1fe1d3520beb Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+Date: Thu, 9 Apr 2026 23:04:16 +0530
+Subject: net: qrtr: ns: Fix use-after-free in driver remove()
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+
+commit 7809fea20c9404bfcfa6112ec08d1fe1d3520beb upstream.
+
+In the remove callback, if a packet arrives after destroy_workqueue() is
+called, but before sock_release(), the qrtr_ns_data_ready() callback will
+try to queue the work, causing use-after-free issue.
+
+Fix this issue by saving the default 'sk_data_ready' callback during
+qrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at
+the start of remove(). This ensures that even if a packet arrives after
+destroy_workqueue(), the work struct will not be dereferenced.
+
+Note that it is also required to ensure that the RX threads are completed
+before destroying the workqueue, because the threads could be using the
+qrtr_ns_data_ready() callback.
+
+Cc: stable@vger.kernel.org
+Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260409-qrtr-fix-v3-5-00a8a5ff2b51@oss.qualcomm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/qrtr/ns.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/net/qrtr/ns.c
++++ b/net/qrtr/ns.c
+@@ -24,6 +24,7 @@ static struct {
+ struct list_head lookups;
+ struct workqueue_struct *workqueue;
+ struct work_struct work;
++ void (*saved_data_ready)(struct sock *sk);
+ int local_node;
+ } qrtr_ns;
+
+@@ -706,6 +707,7 @@ int qrtr_ns_init(void)
+ goto err_sock;
+ }
+
++ qrtr_ns.saved_data_ready = qrtr_ns.sock->sk->sk_data_ready;
+ qrtr_ns.sock->sk->sk_data_ready = qrtr_ns_data_ready;
+
+ sq.sq_port = QRTR_PORT_CTRL;
+@@ -746,6 +748,10 @@ int qrtr_ns_init(void)
+ return 0;
+
+ err_wq:
++ write_lock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
++ qrtr_ns.sock->sk->sk_data_ready = qrtr_ns.saved_data_ready;
++ write_unlock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
++
+ destroy_workqueue(qrtr_ns.workqueue);
+ err_sock:
+ sock_release(qrtr_ns.sock);
+@@ -755,7 +761,12 @@ EXPORT_SYMBOL_GPL(qrtr_ns_init);
+
+ void qrtr_ns_remove(void)
+ {
++ write_lock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
++ qrtr_ns.sock->sk->sk_data_ready = qrtr_ns.saved_data_ready;
++ write_unlock_bh(&qrtr_ns.sock->sk->sk_callback_lock);
++
+ cancel_work_sync(&qrtr_ns.work);
++ synchronize_net();
+ destroy_workqueue(qrtr_ns.workqueue);
+
+ /* sock_release() expects the two references that were put during
--- /dev/null
+From fe72340daaf1af588be88056faf98965f39e6032 Mon Sep 17 00:00:00 2001
+From: Luxiao Xu <rakukuip@gmail.com>
+Date: Sat, 11 Apr 2026 23:10:10 +0800
+Subject: net: strparser: fix skb_head leak in strp_abort_strp()
+
+From: Luxiao Xu <rakukuip@gmail.com>
+
+commit fe72340daaf1af588be88056faf98965f39e6032 upstream.
+
+When the stream parser is aborted, for example after a message assembly timeout,
+it can still hold a reference to a partially assembled message in
+strp->skb_head.
+
+That skb is not released in strp_abort_strp(), which leaks the partially
+assembled message and can be triggered repeatedly to exhaust memory.
+
+Fix this by freeing strp->skb_head and resetting the parser state in the
+abort path. Leave strp_stop() unchanged so final cleanup still happens in
+strp_done() after the work and timer have been synchronized.
+
+Fixes: 43a0c6751a32 ("strparser: Stream parser for messages")
+Cc: stable@kernel.org
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Link: https://patch.msgid.link/ade3857a9404999ce9a1c27ec523efc896072678.1775482694.git.rakukuip@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/strparser/strparser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/strparser/strparser.c
++++ b/net/strparser/strparser.c
+@@ -45,6 +45,14 @@ static void strp_abort_strp(struct strpa
+
+ strp->stopped = 1;
+
++ if (strp->skb_head) {
++ kfree_skb(strp->skb_head);
++ strp->skb_head = NULL;
++ }
++
++ strp->skb_nextp = NULL;
++ strp->need_bytes = 0;
++
+ if (strp->sk) {
+ struct sock *sk = strp->sk;
+
--- /dev/null
+From 07fd339b2c253205794bea5d9b4b7548a4546c56 Mon Sep 17 00:00:00 2001
+From: Wentao Liang <vulab@iscas.ac.cn>
+Date: Thu, 9 Apr 2026 03:48:59 +0000
+Subject: of: unittest: fix use-after-free in testdrv_probe()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+commit 07fd339b2c253205794bea5d9b4b7548a4546c56 upstream.
+
+The function testdrv_probe() retrieves the device_node from the PCI
+device, applies an overlay, and then immediately calls of_node_put(dn).
+This releases the reference held by the PCI core, potentially freeing
+the node if the reference count drops to zero. Later, the same freed
+pointer 'dn' is passed to of_platform_default_populate(), leading to a
+use-after-free.
+
+The reference to pdev->dev.of_node is owned by the device model and
+should not be released by the driver. Remove the erroneous of_node_put()
+to prevent premature freeing.
+
+Fixes: 26409dd04589 ("of: unittest: Add pci_dt_testdrv pci driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Link: https://patch.msgid.link/20260409034859.429071-1-vulab@iscas.ac.cn
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/unittest.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -3862,7 +3862,6 @@ static int testdrv_probe(struct pci_dev
+
+ size = info->dtbo_end - info->dtbo_begin;
+ ret = of_overlay_fdt_apply(info->dtbo_begin, size, &ovcs_id, dn);
+- of_node_put(dn);
+ if (ret)
+ return ret;
+
--- /dev/null
+From 3446beddba450c8d6f9aca2f028712ac527fead3 Mon Sep 17 00:00:00 2001
+From: Koichiro Den <den@valinux.co.jp>
+Date: Thu, 26 Feb 2026 17:41:39 +0900
+Subject: PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
+
+From: Koichiro Den <den@valinux.co.jp>
+
+commit 3446beddba450c8d6f9aca2f028712ac527fead3 upstream.
+
+epf_ntb_epc_destroy() duplicates the teardown that the caller is
+supposed to do later. This leads to an oops when .allow_link fails or
+when .drop_link is performed. Remove the helper.
+
+Also drop pci_epc_put(). EPC device refcounting is tied to configfs EPC
+group lifetime, and pci_epc_put() in the .drop_link path is sufficient.
+
+Fixes: 8b821cf76150 ("PCI: endpoint: Add EP function driver to provide NTB functionality")
+Signed-off-by: Koichiro Den <den@valinux.co.jp>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260226084142.2226875-3-den@valinux.co.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/functions/pci-epf-ntb.c | 56 ---------------------------
+ 1 file changed, 2 insertions(+), 54 deletions(-)
+
+--- a/drivers/pci/endpoint/functions/pci-epf-ntb.c
++++ b/drivers/pci/endpoint/functions/pci-epf-ntb.c
+@@ -1495,47 +1495,6 @@ err_alloc_peer_mem:
+ }
+
+ /**
+- * epf_ntb_epc_destroy_interface() - Cleanup NTB EPC interface
+- * @ntb: NTB device that facilitates communication between HOST1 and HOST2
+- * @type: PRIMARY interface or SECONDARY interface
+- *
+- * Unbind NTB function device from EPC and relinquish reference to pci_epc
+- * for each of the interface.
+- */
+-static void epf_ntb_epc_destroy_interface(struct epf_ntb *ntb,
+- enum pci_epc_interface_type type)
+-{
+- struct epf_ntb_epc *ntb_epc;
+- struct pci_epc *epc;
+- struct pci_epf *epf;
+-
+- if (type < 0)
+- return;
+-
+- epf = ntb->epf;
+- ntb_epc = ntb->epc[type];
+- if (!ntb_epc)
+- return;
+- epc = ntb_epc->epc;
+- pci_epc_remove_epf(epc, epf, type);
+- pci_epc_put(epc);
+-}
+-
+-/**
+- * epf_ntb_epc_destroy() - Cleanup NTB EPC interface
+- * @ntb: NTB device that facilitates communication between HOST1 and HOST2
+- *
+- * Wrapper for epf_ntb_epc_destroy_interface() to cleanup all the NTB interfaces
+- */
+-static void epf_ntb_epc_destroy(struct epf_ntb *ntb)
+-{
+- enum pci_epc_interface_type type;
+-
+- for (type = PRIMARY_INTERFACE; type <= SECONDARY_INTERFACE; type++)
+- epf_ntb_epc_destroy_interface(ntb, type);
+-}
+-
+-/**
+ * epf_ntb_epc_create_interface() - Create and initialize NTB EPC interface
+ * @ntb: NTB device that facilitates communication between HOST1 and HOST2
+ * @epc: struct pci_epc to which a particular NTB interface should be associated
+@@ -1614,15 +1573,8 @@ static int epf_ntb_epc_create(struct epf
+
+ ret = epf_ntb_epc_create_interface(ntb, epf->sec_epc,
+ SECONDARY_INTERFACE);
+- if (ret) {
++ if (ret)
+ dev_err(dev, "SECONDARY intf: Fail to create NTB EPC\n");
+- goto err_epc_create;
+- }
+-
+- return 0;
+-
+-err_epc_create:
+- epf_ntb_epc_destroy_interface(ntb, PRIMARY_INTERFACE);
+
+ return ret;
+ }
+@@ -1887,7 +1839,7 @@ static int epf_ntb_bind(struct pci_epf *
+ ret = epf_ntb_init_epc_bar(ntb);
+ if (ret) {
+ dev_err(dev, "Failed to create NTB EPC\n");
+- goto err_bar_init;
++ return ret;
+ }
+
+ ret = epf_ntb_config_spad_bar_alloc_interface(ntb);
+@@ -1909,9 +1861,6 @@ static int epf_ntb_bind(struct pci_epf *
+ err_bar_alloc:
+ epf_ntb_config_spad_bar_free(ntb);
+
+-err_bar_init:
+- epf_ntb_epc_destroy(ntb);
+-
+ return ret;
+ }
+
+@@ -1927,7 +1876,6 @@ static void epf_ntb_unbind(struct pci_ep
+
+ epf_ntb_epc_cleanup(ntb);
+ epf_ntb_config_spad_bar_free(ntb);
+- epf_ntb_epc_destroy(ntb);
+ }
+
+ #define EPF_NTB_R(_name) \
--- /dev/null
+From 41d78cb724f4b40b7548af420ccfe524b14023bb Mon Sep 17 00:00:00 2001
+From: Rong Zhang <i@rong.moe>
+Date: Wed, 4 Mar 2026 03:47:56 +0800
+Subject: Revert "ALSA: usb: Increase volume range that triggers a warning"
+
+From: Rong Zhang <i@rong.moe>
+
+commit 41d78cb724f4b40b7548af420ccfe524b14023bb upstream.
+
+UAC uses 2 bytes to store volume values, so the maximum volume range is
+0xFFFF (65535, val = -32768/32767/1).
+
+The reverted commit bumpped the range of triggering the warning to >
+65535, effectively making the range check a no-op. It didn't fix
+anything but covered any potential problems and deviated from the
+original intention of the range check.
+
+This reverts commit 6b971191fcfc9e3c2c0143eea22534f1f48dbb62.
+
+Fixes: 6b971191fcfc ("ALSA: usb: Increase volume range that triggers a warning")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rong Zhang <i@rong.moe>
+Acked-by: Arun Raghavan <arunr@valvesoftware.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20260303194805.266158-2-i@rong.moe
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1814,10 +1814,11 @@ static void __build_feature_ctl(struct u
+
+ range = (cval->max - cval->min) / cval->res;
+ /*
+- * There are definitely devices with a range of ~20,000, so let's be
+- * conservative and allow for a bit more.
++ * Are there devices with volume range more than 255? I use a bit more
++ * to be sure. 384 is a resolution magic number found on Logitech
++ * devices. It will definitively catch all buggy Logitech devices.
+ */
+- if (range > 65535) {
++ if (range > 384) {
+ usb_audio_warn(mixer->chip,
+ "Warning! Unlikely big volume range (=%u), cval->res is probably wrong.",
+ range);
spi-imx-fix-use-after-free-on-unbind.patch
f2fs-fix-to-detect-potential-corrupted-nid-in-free_n.patch
crypto-pcrypt-fix-handling-of-may_backlog-requests.patch
+of-unittest-fix-use-after-free-in-testdrv_probe.patch
+media-amphion-fix-race-between-m2m-job_abort-and-device_run.patch
+alsa-control-validate-buf_len-before-strnlen-in-snd_ctl_elem_init_enum_names.patch
+net-caif-clear-client-service-pointer-on-teardown.patch
+net-strparser-fix-skb_head-leak-in-strp_abort_strp.patch
+media-mtk-jpeg-fix-use-after-free-in-release-path-due-to-uncancelled-work.patch
+pci-endpoint-pci-epf-ntb-remove-duplicate-resource-teardown.patch
+revert-alsa-usb-increase-volume-range-that-triggers-a-warning.patch
+lib-ts_kmp-fix-integer-overflow-in-pattern-length-calculation.patch
+media-i2c-imx219-check-return-value-of-devm_gpiod_get_optional-in-imx219_probe.patch
+net-qrtr-ns-fix-use-after-free-in-driver-remove.patch
+ext2-reject-inodes-with-zero-i_nlink-and-valid-mode-in-ext2_iget.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
