--- /dev/null
+From 0adc752b4f7d82af7bd14f7cad3091b3b5d702ba Mon Sep 17 00:00:00 2001
+From: Sanman Pradhan <psanman@juniper.net>
+Date: Mon, 23 Mar 2026 00:24:25 +0000
+Subject: hwmon: (peci/cputemp) Fix crit_hyst returning delta instead of absolute temperature
+
+From: Sanman Pradhan <psanman@juniper.net>
+
+commit 0adc752b4f7d82af7bd14f7cad3091b3b5d702ba upstream.
+
+The hwmon sysfs ABI expects tempN_crit_hyst to report the temperature at
+which the critical condition clears, not the hysteresis delta from the
+critical limit.
+
+The peci cputemp driver currently returns tjmax - tcontrol for
+crit_hyst_type, which is the hysteresis margin rather than the
+corresponding absolute temperature.
+
+Return tcontrol directly, and update the documentation accordingly.
+
+Fixes: bf3608f338e9 ("hwmon: peci: Add cputemp driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sanman Pradhan <psanman@juniper.net>
+Link: https://lore.kernel.org/r/20260323002352.93417-2-sanman.pradhan@hpe.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/hwmon/peci-cputemp.rst | 10 ++++++----
+ drivers/hwmon/peci/cputemp.c | 2 +-
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+--- a/Documentation/hwmon/peci-cputemp.rst
++++ b/Documentation/hwmon/peci-cputemp.rst
+@@ -51,8 +51,9 @@ temp1_max Provides thermal control temp
+ temp1_crit Provides shutdown temperature of the CPU package which
+ is also known as the maximum processor junction
+ temperature, Tjmax or Tprochot.
+-temp1_crit_hyst Provides the hysteresis value from Tcontrol to Tjmax of
+- the CPU package.
++temp1_crit_hyst Provides the hysteresis temperature of the CPU
++ package. Returns Tcontrol, the temperature at which
++ the critical condition clears.
+
+ temp2_label "DTS"
+ temp2_input Provides current temperature of the CPU package scaled
+@@ -62,8 +63,9 @@ temp2_max Provides thermal control temp
+ temp2_crit Provides shutdown temperature of the CPU package which
+ is also known as the maximum processor junction
+ temperature, Tjmax or Tprochot.
+-temp2_crit_hyst Provides the hysteresis value from Tcontrol to Tjmax of
+- the CPU package.
++temp2_crit_hyst Provides the hysteresis temperature of the CPU
++ package. Returns Tcontrol, the temperature at which
++ the critical condition clears.
+
+ temp3_label "Tcontrol"
+ temp3_input Provides current Tcontrol temperature of the CPU
+--- a/drivers/hwmon/peci/cputemp.c
++++ b/drivers/hwmon/peci/cputemp.c
+@@ -133,7 +133,7 @@ static int get_temp_target(struct peci_c
+ *val = priv->temp.target.tjmax;
+ break;
+ case crit_hyst_type:
+- *val = priv->temp.target.tjmax - priv->temp.target.tcontrol;
++ *val = priv->temp.target.tcontrol;
+ break;
+ default:
+ ret = -EOPNOTSUPP;
--- /dev/null
+From b0c9d8ae71509f25690d57f2efddebf7f4b12194 Mon Sep 17 00:00:00 2001
+From: Sanman Pradhan <psanman@juniper.net>
+Date: Mon, 23 Mar 2026 00:24:37 +0000
+Subject: hwmon: (peci/cputemp) Fix off-by-one in cputemp_is_visible()
+
+From: Sanman Pradhan <psanman@juniper.net>
+
+commit b0c9d8ae71509f25690d57f2efddebf7f4b12194 upstream.
+
+cputemp_is_visible() validates the channel index against
+CPUTEMP_CHANNEL_NUMS, but currently uses '>' instead of '>='.
+As a result, channel == CPUTEMP_CHANNEL_NUMS is not rejected even though
+valid indices are 0 .. CPUTEMP_CHANNEL_NUMS - 1.
+
+Fix the bounds check by using '>=' so invalid channel indices are
+rejected before indexing the core bitmap.
+
+Fixes: bf3608f338e9 ("hwmon: peci: Add cputemp driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sanman Pradhan <psanman@juniper.net>
+Link: https://lore.kernel.org/r/20260323002352.93417-3-sanman.pradhan@hpe.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/peci/cputemp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/peci/cputemp.c
++++ b/drivers/hwmon/peci/cputemp.c
+@@ -339,7 +339,7 @@ static umode_t cputemp_is_visible(const
+ {
+ const struct peci_cputemp *priv = data;
+
+- if (channel > CPUTEMP_CHANNEL_NUMS)
++ if (channel >= CPUTEMP_CHANNEL_NUMS)
+ return 0;
+
+ if (channel < channel_core)
--- /dev/null
+From f7e775c4694782844c66da5316fed82881835cf8 Mon Sep 17 00:00:00 2001
+From: Sanman Pradhan <psanman@juniper.net>
+Date: Thu, 19 Mar 2026 17:31:19 +0000
+Subject: hwmon: (pmbus/ina233) Fix error handling and sign extension in shunt voltage read
+
+From: Sanman Pradhan <psanman@juniper.net>
+
+commit f7e775c4694782844c66da5316fed82881835cf8 upstream.
+
+ina233_read_word_data() reads MFR_READ_VSHUNT via pmbus_read_word_data()
+but has two issues:
+
+1. The return value is not checked for errors before being used in
+ arithmetic. A negative error code from a failed I2C transaction is
+ passed directly to DIV_ROUND_CLOSEST(), producing garbage data.
+
+2. MFR_READ_VSHUNT is a 16-bit two's complement value. Negative shunt
+ voltages (values with bit 15 set) are treated as large positive
+ values since pmbus_read_word_data() returns them zero-extended in an
+ int. This leads to incorrect scaling in the VIN coefficient
+ conversion.
+
+Fix both issues by adding an error check, casting to s16 for proper
+sign extension, and clamping the result to a valid non-negative range.
+The clamp is necessary because read_word_data callbacks must return
+non-negative values on success (negative values indicate errors to the
+pmbus core).
+
+Fixes: b64b6cb163f16 ("hwmon: Add driver for TI INA233 Current and Power Monitor")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sanman Pradhan <psanman@juniper.net>
+Link: https://lore.kernel.org/r/20260319173055.125271-2-sanman.pradhan@hpe.com
+[groeck: Fixed clamp to avoid losing the sign bit]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/pmbus/ina233.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/pmbus/ina233.c b/drivers/hwmon/pmbus/ina233.c
+index 2d8b5a5347ed..7aebd854763a 100644
+--- a/drivers/hwmon/pmbus/ina233.c
++++ b/drivers/hwmon/pmbus/ina233.c
+@@ -72,7 +72,8 @@ static int ina233_read_word_data(struct i2c_client *client, int page,
+
+ /* Adjust returned value to match VIN coefficients */
+ /* VIN: 1.25 mV VSHUNT: 2.5 uV LSB */
+- ret = DIV_ROUND_CLOSEST(ret * 25, 12500);
++ ret = clamp_val(DIV_ROUND_CLOSEST((s16)ret * 25, 12500),
++ S16_MIN, S16_MAX) & 0xffff;
+ break;
+ default:
+ ret = -ENODATA;
+--
+2.53.0
+
--- /dev/null
+From 3075a3951f7708da5a8ab47b0b7d068a32f69e58 Mon Sep 17 00:00:00 2001
+From: Sanman Pradhan <psanman@juniper.net>
+Date: Thu, 19 Mar 2026 17:31:29 +0000
+Subject: hwmon: (pmbus/isl68137) Add mutex protection for AVS enable sysfs attributes
+
+From: Sanman Pradhan <psanman@juniper.net>
+
+commit 3075a3951f7708da5a8ab47b0b7d068a32f69e58 upstream.
+
+The custom avs0_enable and avs1_enable sysfs attributes access PMBus
+registers through the exported API helpers (pmbus_read_byte_data,
+pmbus_read_word_data, pmbus_write_word_data, pmbus_update_byte_data)
+without holding the PMBus update_lock mutex. These exported helpers do
+not acquire the mutex internally, unlike the core's internal callers
+which hold the lock before invoking them.
+
+The store callback is especially vulnerable: it performs a multi-step
+read-modify-write sequence (read VOUT_COMMAND, write VOUT_COMMAND, then
+update OPERATION) where concurrent access from another thread could
+interleave and corrupt the register state.
+
+Add pmbus_lock_interruptible()/pmbus_unlock() around both the show and
+store callbacks to serialize PMBus register access with the rest of the
+driver.
+
+Fixes: 038a9c3d1e424 ("hwmon: (pmbus/isl68137) Add driver for Intersil ISL68137 PWM Controller")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sanman Pradhan <psanman@juniper.net>
+Link: https://lore.kernel.org/r/20260319173055.125271-3-sanman.pradhan@hpe.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/pmbus/isl68137.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwmon/pmbus/isl68137.c
++++ b/drivers/hwmon/pmbus/isl68137.c
+@@ -94,7 +94,15 @@ static ssize_t isl68137_avs_enable_show_
+ int page,
+ char *buf)
+ {
+- int val = pmbus_read_byte_data(client, page, PMBUS_OPERATION);
++ int val;
++
++ val = pmbus_lock_interruptible(client);
++ if (val)
++ return val;
++
++ val = pmbus_read_byte_data(client, page, PMBUS_OPERATION);
++
++ pmbus_unlock(client);
+
+ if (val < 0)
+ return val;
+@@ -116,6 +124,10 @@ static ssize_t isl68137_avs_enable_store
+
+ op_val = result ? ISL68137_VOUT_AVS : 0;
+
++ rc = pmbus_lock_interruptible(client);
++ if (rc)
++ return rc;
++
+ /*
+ * Writes to VOUT setpoint over AVSBus will persist after the VRM is
+ * switched to PMBus control. Switching back to AVSBus control
+@@ -127,17 +139,20 @@ static ssize_t isl68137_avs_enable_store
+ rc = pmbus_read_word_data(client, page, 0xff,
+ PMBUS_VOUT_COMMAND);
+ if (rc < 0)
+- return rc;
++ goto unlock;
+
+ rc = pmbus_write_word_data(client, page, PMBUS_VOUT_COMMAND,
+ rc);
+ if (rc < 0)
+- return rc;
++ goto unlock;
+ }
+
+ rc = pmbus_update_byte_data(client, page, PMBUS_OPERATION,
+ ISL68137_VOUT_AVS, op_val);
+
++unlock:
++ pmbus_unlock(client);
++
+ return (rc < 0) ? rc : count;
+ }
+
--- /dev/null
+From 1744a6ef48b9a48f017e3e1a0d05de0a6978396e Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Thu, 12 Mar 2026 14:08:50 +0000
+Subject: KVM: arm64: Discard PC update state on vcpu reset
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 1744a6ef48b9a48f017e3e1a0d05de0a6978396e upstream.
+
+Our vcpu reset suffers from a particularly interesting flaw, as it
+does not correctly deal with state that will have an effect on the
+execution flow out of reset.
+
+Take the following completely random example, never seen in the wild
+and that never resulted in a couple of sleepless nights: /s
+
+- vcpu-A issues a PSCI_CPU_OFF using the SMC conduit
+
+- SMC being a trapped instruction (as opposed to HVC which is always
+ normally executed), we annotate the vcpu as needing to skip the
+ next instruction, which is the SMC itself
+
+- vcpu-A is now safely off
+
+- vcpu-B issues a PSCI_CPU_ON for vcpu-A, providing a starting PC
+
+- vcpu-A gets reset, get the new PC, and is sent on its merry way
+
+- right at the point of entering the guest, we notice that a PC
+ increment is pending (remember the earlier SMC?)
+
+- vcpu-A skips its first instruction...
+
+What could possibly go wrong?
+
+Well, I'm glad you asked. For pKVM as a NV guest, that first instruction
+is extremely significant, as it indicates whether the CPU is booting
+or resuming. Having skipped that instruction, nothing makes any sense
+anymore, and CPU hotplugging fails.
+
+This is all caused by the decoupling of PC update from the handling
+of an exception that triggers such update, making it non-obvious
+what affects what when.
+
+Fix this train wreck by discarding all the PC-affecting state on
+vcpu reset.
+
+Fixes: f5e30680616ab ("KVM: arm64: Move __adjust_pc out of line")
+Cc: stable@vger.kernel.org
+Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Joey Gouly <joey.gouly@arm.com>
+Link: https://patch.msgid.link/20260312140850.822968-1-maz@kernel.org
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/reset.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/arch/arm64/kvm/reset.c
++++ b/arch/arm64/kvm/reset.c
+@@ -247,6 +247,20 @@ void kvm_reset_vcpu(struct kvm_vcpu *vcp
+ kvm_vcpu_set_be(vcpu);
+
+ *vcpu_pc(vcpu) = target_pc;
++
++ /*
++ * We may come from a state where either a PC update was
++ * pending (SMC call resulting in PC being increpented to
++ * skip the SMC) or a pending exception. Make sure we get
++ * rid of all that, as this cannot be valid out of reset.
++ *
++ * Note that clearing the exception mask also clears PC
++ * updates, but that's an implementation detail, and we
++ * really want to make it explicit.
++ */
++ vcpu_clear_flag(vcpu, PENDING_EXCEPTION);
++ vcpu_clear_flag(vcpu, EXCEPT_MASK);
++ vcpu_clear_flag(vcpu, INCREMENT_PC);
+ vcpu_set_reg(vcpu, 0, reset_state.r0);
+ }
+
--- /dev/null
+From bef4f4a88b73e4cc550d25f665b8a9952af22773 Mon Sep 17 00:00:00 2001
+From: Yuchan Nam <entropy1110@gmail.com>
+Date: Fri, 6 Mar 2026 21:52:23 +0900
+Subject: media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
+
+From: Yuchan Nam <entropy1110@gmail.com>
+
+commit bef4f4a88b73e4cc550d25f665b8a9952af22773 upstream.
+
+MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0)
+queue teardown paths. This can race request object cleanup against vb2
+queue cancellation and lead to use-after-free reports.
+
+We already serialize request queueing against STREAMON/OFF with
+req_queue_mutex. Extend that serialization to REQBUFS, and also take
+the same mutex in media_request_ioctl_reinit() so REINIT is in the
+same exclusion domain.
+
+This keeps request cleanup and queue cancellation from running in
+parallel for request-capable devices.
+
+Fixes: 6093d3002eab ("media: vb2: keep a reference to the request until dqbuf")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yuchan Nam <entropy1110@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/mc/mc-request.c | 5 +++++
+ drivers/media/v4l2-core/v4l2-ioctl.c | 5 +++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/mc/mc-request.c
++++ b/drivers/media/mc/mc-request.c
+@@ -190,6 +190,8 @@ static long media_request_ioctl_reinit(s
+ struct media_device *mdev = req->mdev;
+ unsigned long flags;
+
++ mutex_lock(&mdev->req_queue_mutex);
++
+ spin_lock_irqsave(&req->lock, flags);
+ if (req->state != MEDIA_REQUEST_STATE_IDLE &&
+ req->state != MEDIA_REQUEST_STATE_COMPLETE) {
+@@ -197,6 +199,7 @@ static long media_request_ioctl_reinit(s
+ "request: %s not in idle or complete state, cannot reinit\n",
+ req->debug_str);
+ spin_unlock_irqrestore(&req->lock, flags);
++ mutex_unlock(&mdev->req_queue_mutex);
+ return -EBUSY;
+ }
+ if (req->access_count) {
+@@ -204,6 +207,7 @@ static long media_request_ioctl_reinit(s
+ "request: %s is being accessed, cannot reinit\n",
+ req->debug_str);
+ spin_unlock_irqrestore(&req->lock, flags);
++ mutex_unlock(&mdev->req_queue_mutex);
+ return -EBUSY;
+ }
+ req->state = MEDIA_REQUEST_STATE_CLEANING;
+@@ -214,6 +218,7 @@ static long media_request_ioctl_reinit(s
+ spin_lock_irqsave(&req->lock, flags);
+ req->state = MEDIA_REQUEST_STATE_IDLE;
+ spin_unlock_irqrestore(&req->lock, flags);
++ mutex_unlock(&mdev->req_queue_mutex);
+
+ return 0;
+ }
+--- a/drivers/media/v4l2-core/v4l2-ioctl.c
++++ b/drivers/media/v4l2-core/v4l2-ioctl.c
+@@ -3079,13 +3079,14 @@ static long __video_do_ioctl(struct file
+ }
+
+ /*
+- * We need to serialize streamon/off with queueing new requests.
++ * We need to serialize streamon/off/reqbufs with queueing new requests.
+ * These ioctls may trigger the cancellation of a streaming
+ * operation, and that should not be mixed with queueing a new
+ * request at the same time.
+ */
+ if (v4l2_device_supports_requests(vfd->v4l2_dev) &&
+- (cmd == VIDIOC_STREAMON || cmd == VIDIOC_STREAMOFF)) {
++ (cmd == VIDIOC_STREAMON || cmd == VIDIOC_STREAMOFF ||
++ cmd == VIDIOC_REQBUFS)) {
+ req_queue_lock = &vfd->v4l2_dev->mdev->req_queue_mutex;
+
+ if (mutex_lock_interruptible(req_queue_lock))
--- /dev/null
+From fbddf68d7b4e1e6da7a78dd7fbd8ec376536584a Mon Sep 17 00:00:00 2001
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Date: Mon, 23 Mar 2026 08:36:35 -0700
+Subject: platform/x86: ISST: Correct locked bit width
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+
+commit fbddf68d7b4e1e6da7a78dd7fbd8ec376536584a upstream.
+
+SST-PP locked bit width is set to three bits. It should be only one bit.
+Use SST_PP_LOCK_WIDTH define instead of SST_PP_LEVEL_WIDTH.
+
+Fixes: ea009e4769fa ("platform/x86: ISST: Add SST-PP support via TPMI")
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260323153635.3263828-1-srinivas.pandruvada@linux.intel.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
++++ b/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
+@@ -871,7 +871,7 @@ static int isst_if_get_perf_level(void _
+ _read_pp_info("current_level", perf_level.current_level, SST_PP_STATUS_OFFSET,
+ SST_PP_LEVEL_START, SST_PP_LEVEL_WIDTH, SST_MUL_FACTOR_NONE)
+ _read_pp_info("locked", perf_level.locked, SST_PP_STATUS_OFFSET,
+- SST_PP_LOCK_START, SST_PP_LEVEL_WIDTH, SST_MUL_FACTOR_NONE)
++ SST_PP_LOCK_START, SST_PP_LOCK_WIDTH, SST_MUL_FACTOR_NONE)
+ _read_pp_info("feature_state", perf_level.feature_state, SST_PP_STATUS_OFFSET,
+ SST_PP_FEATURE_STATE_START, SST_PP_FEATURE_STATE_WIDTH, SST_MUL_FACTOR_NONE)
+ perf_level.enabled = !!(power_domain_info->sst_header.cap_mask & BIT(1));
--- /dev/null
+From a08aaf3968aec5d05cd32c801b8cc0c61da69c41 Mon Sep 17 00:00:00 2001
+From: Abhijit Gangurde <abhijit.gangurde@amd.com>
+Date: Fri, 27 Feb 2026 11:48:09 +0530
+Subject: RDMA/ionic: Preserve and set Ethernet source MAC after ib_ud_header_init()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Abhijit Gangurde <abhijit.gangurde@amd.com>
+
+commit a08aaf3968aec5d05cd32c801b8cc0c61da69c41 upstream.
+
+ionic_build_hdr() populated the Ethernet source MAC (hdr->eth.smac_h) by
+passing the header’s storage directly to rdma_read_gid_l2_fields().
+However, ib_ud_header_init() is called after that and re-initializes the
+UD header, which wipes the previously written smac_h. As a result, packets
+are emitted with an zero source MAC address on the wire.
+
+Correct the source MAC by reading the GID-derived smac into a temporary
+buffer and copy it after ib_ud_header_init() completes.
+
+Fixes: e8521822c733 ("RDMA/ionic: Register device ops for control path")
+Cc: stable@vger.kernel.org # 6.18
+Signed-off-by: Abhijit Gangurde <abhijit.gangurde@amd.com>
+Link: https://patch.msgid.link/20260227061809.2979990-1-abhijit.gangurde@amd.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/ionic/ionic_controlpath.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/ionic/ionic_controlpath.c b/drivers/infiniband/hw/ionic/ionic_controlpath.c
+index 4842931f5316..a5671da3db64 100644
+--- a/drivers/infiniband/hw/ionic/ionic_controlpath.c
++++ b/drivers/infiniband/hw/ionic/ionic_controlpath.c
+@@ -508,6 +508,7 @@ static int ionic_build_hdr(struct ionic_ibdev *dev,
+ {
+ const struct ib_global_route *grh;
+ enum rdma_network_type net;
++ u8 smac[ETH_ALEN];
+ u16 vlan;
+ int rc;
+
+@@ -518,7 +519,7 @@ static int ionic_build_hdr(struct ionic_ibdev *dev,
+
+ grh = rdma_ah_read_grh(attr);
+
+- rc = rdma_read_gid_l2_fields(grh->sgid_attr, &vlan, &hdr->eth.smac_h[0]);
++ rc = rdma_read_gid_l2_fields(grh->sgid_attr, &vlan, smac);
+ if (rc)
+ return rc;
+
+@@ -536,6 +537,7 @@ static int ionic_build_hdr(struct ionic_ibdev *dev,
+ if (rc)
+ return rc;
+
++ ether_addr_copy(hdr->eth.smac_h, smac);
+ ether_addr_copy(hdr->eth.dmac_h, attr->roce.dmac);
+
+ if (net == RDMA_NETWORK_IPV4) {
+--
+2.53.0
+
can-netlink-can_changelink-add-missing-error-handling-to-call-can_ctrlmode_changelink.patch
cpufreq-conservative-reset-requested_freq-on-limits-change.patch
kbuild-delete-.builtin-dtbs.s-when-running-make-clean.patch
+thermal-intel-int340x-soc_slider-set-offset-only-for-balanced-mode.patch
+rdma-ionic-preserve-and-set-ethernet-source-mac-after-ib_ud_header_init.patch
+platform-x86-isst-correct-locked-bit-width.patch
+kvm-arm64-discard-pc-update-state-on-vcpu-reset.patch
+hwmon-pmbus-ina233-fix-error-handling-and-sign-extension-in-shunt-voltage-read.patch
+hwmon-pmbus-isl68137-add-mutex-protection-for-avs-enable-sysfs-attributes.patch
+hwmon-peci-cputemp-fix-crit_hyst-returning-delta-instead-of-absolute-temperature.patch
+hwmon-peci-cputemp-fix-off-by-one-in-cputemp_is_visible.patch
+media-mc-v4l2-serialize-reinit-and-reqbufs-with-req_queue_mutex.patch
+xfrm-iptfs-validate-inner-ipv4-header-length-in-iptfs-payload.patch
+xfrm-iptfs-only-publish-mode_data-after-clone-setup.patch
+virt-tdx-guest-fix-handling-of-host-controlled-quote-buffer-length.patch
+virtio_net-fix-uaf-on-dst_ops-when-iff_xmit_dst_release-is-cleared-and-napi_tx-is-false.patch
--- /dev/null
+From 7dfe9846016b15816e287a4650be1ff1b48c5ab4 Mon Sep 17 00:00:00 2001
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Date: Tue, 24 Mar 2026 10:23:46 -0700
+Subject: thermal: intel: int340x: soc_slider: Set offset only for balanced mode
+
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+
+commit 7dfe9846016b15816e287a4650be1ff1b48c5ab4 upstream.
+
+The slider offset can be set via debugfs for balanced mode. The offset
+should be only applicable in balanced mode. For other modes, it should
+be 0 when writing to MMIO offset,
+
+Fixes: 8306bcaba06d ("thermal: intel: int340x: Add module parameter to change slider offset")
+Tested-by: Erin Park <erin.park@intel.com>
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Cc: 6.18+ <stable@vger.kernel.org> # 6.18+
+[ rjw: Subject and changelog tweaks ]
+Link: https://patch.msgid.link/20260324172346.3317145-1-srinivas.pandruvada@linux.intel.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ .../intel/int340x_thermal/processor_thermal_soc_slider.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/intel/int340x_thermal/processor_thermal_soc_slider.c b/drivers/thermal/intel/int340x_thermal/processor_thermal_soc_slider.c
+index 49ff3bae7271..91f291627132 100644
+--- a/drivers/thermal/intel/int340x_thermal/processor_thermal_soc_slider.c
++++ b/drivers/thermal/intel/int340x_thermal/processor_thermal_soc_slider.c
+@@ -176,15 +176,21 @@ static inline void write_soc_slider(struct proc_thermal_device *proc_priv, u64 v
+
+ static void set_soc_power_profile(struct proc_thermal_device *proc_priv, int slider)
+ {
++ u8 offset;
+ u64 val;
+
+ val = read_soc_slider(proc_priv);
+ val &= ~SLIDER_MASK;
+ val |= FIELD_PREP(SLIDER_MASK, slider) | BIT(SLIDER_ENABLE_BIT);
+
++ if (slider == SOC_SLIDER_VALUE_MINIMUM || slider == SOC_SLIDER_VALUE_MAXIMUM)
++ offset = 0;
++ else
++ offset = slider_offset;
++
+ /* Set the slider offset from module params */
+ val &= ~SLIDER_OFFSET_MASK;
+- val |= FIELD_PREP(SLIDER_OFFSET_MASK, slider_offset);
++ val |= FIELD_PREP(SLIDER_OFFSET_MASK, offset);
+
+ write_soc_slider(proc_priv, val);
+ }
+--
+2.53.0
+
--- /dev/null
+From c3fd16c3b98ed726294feab2f94f876290bf7b61 Mon Sep 17 00:00:00 2001
+From: Zubin Mithra <zsm@google.com>
+Date: Wed, 18 Mar 2026 13:40:13 +0000
+Subject: virt: tdx-guest: Fix handling of host controlled 'quote' buffer length
+
+From: Zubin Mithra <zsm@google.com>
+
+commit c3fd16c3b98ed726294feab2f94f876290bf7b61 upstream.
+
+Validate host controlled value `quote_buf->out_len` that determines how
+many bytes of the quote are copied out to guest userspace. In TDX
+environments with remote attestation, quotes are not considered private,
+and can be forwarded to an attestation server.
+
+Catch scenarios where the host specifies a response length larger than
+the guest's allocation, or otherwise races modifying the response while
+the guest consumes it.
+
+This prevents contents beyond the pages allocated for `quote_buf`
+(up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace,
+and possibly forwarded in attestation requests.
+
+Recall that some deployments want per-container configs-tsm-report
+interfaces, so the leak may cross container protection boundaries, not
+just local root.
+
+Fixes: f4738f56d1dc ("virt: tdx-guest: Add Quote generation support using TSM_REPORTS")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zubin Mithra <zsm@google.com>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: Kiryl Shutsemau (Meta) <kas@kernel.org>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/virt/coco/tdx-guest/tdx-guest.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/virt/coco/tdx-guest/tdx-guest.c
++++ b/drivers/virt/coco/tdx-guest/tdx-guest.c
+@@ -169,6 +169,8 @@ static void tdx_mr_deinit(const struct a
+ #define GET_QUOTE_SUCCESS 0
+ #define GET_QUOTE_IN_FLIGHT 0xffffffffffffffff
+
++#define TDX_QUOTE_MAX_LEN (GET_QUOTE_BUF_SIZE - sizeof(struct tdx_quote_buf))
++
+ /* struct tdx_quote_buf: Format of Quote request buffer.
+ * @version: Quote format version, filled by TD.
+ * @status: Status code of Quote request, filled by VMM.
+@@ -267,6 +269,7 @@ static int tdx_report_new_locked(struct
+ u8 *buf;
+ struct tdx_quote_buf *quote_buf = quote_data;
+ struct tsm_report_desc *desc = &report->desc;
++ u32 out_len;
+ int ret;
+ u64 err;
+
+@@ -304,12 +307,17 @@ static int tdx_report_new_locked(struct
+ return ret;
+ }
+
+- buf = kvmemdup(quote_buf->data, quote_buf->out_len, GFP_KERNEL);
++ out_len = READ_ONCE(quote_buf->out_len);
++
++ if (out_len > TDX_QUOTE_MAX_LEN)
++ return -EFBIG;
++
++ buf = kvmemdup(quote_buf->data, out_len, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ report->outblob = buf;
+- report->outblob_len = quote_buf->out_len;
++ report->outblob_len = out_len;
+
+ /*
+ * TODO: parse the PEM-formatted cert chain out of the quote buffer when
--- /dev/null
+From ba8bda9a0896746053aa97ac6c3e08168729172c Mon Sep 17 00:00:00 2001
+From: xietangxin <xietangxin@yeah.net>
+Date: Thu, 12 Mar 2026 10:54:06 +0800
+Subject: virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false
+
+From: xietangxin <xietangxin@yeah.net>
+
+commit ba8bda9a0896746053aa97ac6c3e08168729172c upstream.
+
+A UAF issue occurs when the virtio_net driver is configured with napi_tx=N
+and the device's IFF_XMIT_DST_RELEASE flag is cleared
+(e.g., during the configuration of tc route filter rules).
+
+When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack
+expects the driver to hold the reference to skb->dst until the packet
+is fully transmitted and freed. In virtio_net with napi_tx=N,
+skbs may remain in the virtio transmit ring for an extended period.
+
+If the network namespace is destroyed while these skbs are still pending,
+the corresponding dst_ops structure has freed. When a subsequent packet
+is transmitted, free_old_xmit() is triggered to clean up old skbs.
+It then calls dst_release() on the skb associated with the stale dst_entry.
+Since the dst_ops (referenced by the dst_entry) has already been freed,
+a UAF kernel paging request occurs.
+
+fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release
+the dst reference before the skb is queued in virtio_net.
+
+Call Trace:
+ Unable to handle kernel paging request at virtual address ffff80007e150000
+ CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT
+ ...
+ percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)
+ dst_release+0xe0/0x110 net/core/dst.c:177
+ skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177
+ sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255
+ dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469
+ napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527
+ __free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net]
+ free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]
+ start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]
+ ...
+
+Reproduction Steps:
+NETDEV="enp3s0"
+
+config_qdisc_route_filter() {
+ tc qdisc del dev $NETDEV root
+ tc qdisc add dev $NETDEV root handle 1: prio
+ tc filter add dev $NETDEV parent 1:0 \
+ protocol ip prio 100 route to 100 flowid 1:1
+ ip route add 192.168.1.100/32 dev $NETDEV realm 100
+}
+
+test_ns() {
+ ip netns add testns
+ ip link set $NETDEV netns testns
+ ip netns exec testns ifconfig $NETDEV 10.0.32.46/24
+ ip netns exec testns ping -c 1 10.0.32.1
+ ip netns del testns
+}
+
+config_qdisc_route_filter
+
+test_ns
+sleep 2
+test_ns
+
+Fixes: f2fc6a54585a ("[NETNS][IPV6] route6 - move ip6_dst_ops inside the network namespace")
+Cc: stable@vger.kernel.org
+Signed-off-by: xietangxin <xietangxin@yeah.net>
+Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Fixes: 0287587884b1 ("net: better IFF_XMIT_DST_RELEASE support")
+Link: https://patch.msgid.link/20260312025406.15641-1-xietangxin@yeah.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -3414,6 +3414,7 @@ static netdev_tx_t start_xmit(struct sk_
+ /* Don't wait up for transmitted skbs to be freed. */
+ if (!use_napi) {
+ skb_orphan(skb);
++ skb_dst_drop(skb);
+ nf_reset_ct(skb);
+ }
+
--- /dev/null
+From d849a2f7309fc0616e79d13b008b0a47e0458b6e Mon Sep 17 00:00:00 2001
+From: Paul Moses <p@1g4.org>
+Date: Mon, 16 Mar 2026 14:56:51 +0000
+Subject: xfrm: iptfs: only publish mode_data after clone setup
+
+From: Paul Moses <p@1g4.org>
+
+commit d849a2f7309fc0616e79d13b008b0a47e0458b6e upstream.
+
+iptfs_clone_state() stores x->mode_data before allocating the reorder
+window. If that allocation fails, the code frees the cloned state and
+returns -ENOMEM, leaving x->mode_data pointing at freed memory.
+
+The xfrm clone unwind later runs destroy_state() through x->mode_data,
+so the failed clone path tears down IPTFS state that clone_state()
+already freed.
+
+Keep the cloned IPTFS state private until all allocations succeed so
+failed clones leave x->mode_data unset. The destroy path already
+handles a NULL mode_data pointer.
+
+Fixes: 6be02e3e4f37 ("xfrm: iptfs: handle reordering of received packets")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Moses <p@1g4.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_iptfs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/xfrm/xfrm_iptfs.c
++++ b/net/xfrm/xfrm_iptfs.c
+@@ -2664,9 +2664,6 @@ static int iptfs_clone_state(struct xfrm
+ if (!xtfs)
+ return -ENOMEM;
+
+- x->mode_data = xtfs;
+- xtfs->x = x;
+-
+ xtfs->ra_newskb = NULL;
+ if (xtfs->cfg.reorder_win_size) {
+ xtfs->w_saved = kcalloc(xtfs->cfg.reorder_win_size,
+@@ -2677,6 +2674,9 @@ static int iptfs_clone_state(struct xfrm
+ }
+ }
+
++ x->mode_data = xtfs;
++ xtfs->x = x;
++
+ return 0;
+ }
+
--- /dev/null
+From 0d10393d5eac33cbd92f7a41fddca12c41d3cb7e Mon Sep 17 00:00:00 2001
+From: Roshan Kumar <roshaen09@gmail.com>
+Date: Sun, 1 Mar 2026 10:56:38 +0000
+Subject: xfrm: iptfs: validate inner IPv4 header length in IPTFS payload
+
+From: Roshan Kumar <roshaen09@gmail.com>
+
+commit 0d10393d5eac33cbd92f7a41fddca12c41d3cb7e upstream.
+
+Add validation of the inner IPv4 packet tot_len and ihl fields parsed
+from decrypted IPTFS payloads in __input_process_payload(). A crafted
+ESP packet containing an inner IPv4 header with tot_len=0 causes an
+infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the
+data offset never advances and the while(data < tail) loop never
+terminates, spinning forever in softirq context.
+
+Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct
+iphdr), which catches both the tot_len=0 case and malformed ihl values.
+The normal IP stack performs this validation in ip_rcv_core(), but IPTFS
+extracts and processes inner packets before they reach that layer.
+
+Reported-by: Roshan Kumar <roshaen09@gmail.com>
+Fixes: 6c82d2433671 ("xfrm: iptfs: add basic receive packet (tunnel egress) handling")
+Cc: stable@vger.kernel.org
+Signed-off-by: Roshan Kumar <roshaen09@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_iptfs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/xfrm/xfrm_iptfs.c
++++ b/net/xfrm/xfrm_iptfs.c
+@@ -997,6 +997,11 @@ static bool __input_process_payload(stru
+
+ iplen = be16_to_cpu(iph->tot_len);
+ iphlen = iph->ihl << 2;
++ if (iplen < iphlen || iphlen < sizeof(*iph)) {
++ XFRM_INC_STATS(net,
++ LINUX_MIB_XFRMINHDRERROR);
++ goto done;
++ }
+ protocol = cpu_to_be16(ETH_P_IP);
+ XFRM_MODE_SKB_CB(skbseq->root_skb)->tos = iph->tos;
+ } else if (iph->version == 0x6) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
