--- /dev/null
+From bb120ad57def62e3f23e3d999c5fbed11f610993 Mon Sep 17 00:00:00 2001
+From: Alexey Nepomnyashih <sdl@nppct.ru>
+Date: Mon, 16 Mar 2026 19:18:22 +0000
+Subject: ALSA: firewire-lib: fix uninitialized local variable
+
+From: Alexey Nepomnyashih <sdl@nppct.ru>
+
+commit bb120ad57def62e3f23e3d999c5fbed11f610993 upstream.
+
+Similar to commit d8dc8720468a ("ALSA: firewire-lib: fix uninitialized
+local variable"), the local variable `curr_cycle_time` in
+process_rx_packets() is declared without initialization.
+
+When the tracepoint event is not probed, the variable may appear to be
+used without being initialized. In practice the value is only relevant
+when the tracepoint is enabled, however initializing it avoids potential
+use of an uninitialized value and improves code safety.
+
+Initialize `curr_cycle_time` to zero.
+
+Fixes: fef4e61b0b76 ("ALSA: firewire-lib: extend tracepoints event including CYCLE_TIME of 1394 OHCI")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexey Nepomnyashih <sdl@nppct.ru>
+Link: https://patch.msgid.link/20260316191824.83249-1-sdl@nppct.ru
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/firewire/amdtp-stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/amdtp-stream.c
++++ b/sound/firewire/amdtp-stream.c
+@@ -1179,7 +1179,7 @@ static void process_rx_packets(struct fw
+ struct pkt_desc *desc = s->packet_descs_cursor;
+ unsigned int pkt_header_length;
+ unsigned int packets;
+- u32 curr_cycle_time;
++ u32 curr_cycle_time = 0;
+ bool need_hw_irq;
+ int i;
+
--- /dev/null
+From d40a198e2b7821197c5c77b89d0130cc90f400f5 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Date: Thu, 26 Mar 2026 09:56:18 +0200
+Subject: ASoC: SOF: ipc4-topology: Allow bytes controls without initial payload
+
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+
+commit d40a198e2b7821197c5c77b89d0130cc90f400f5 upstream.
+
+It is unexpected, but allowed to have no initial payload for a bytes
+control and the code is prepared to handle this case, but the size check
+missed this corner case.
+
+Update the check for minimal size to allow the initial size to be 0.
+
+Cc: stable@vger.kernel.org
+Fixes: a653820700b8 ("ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls")
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
+Reviewed-by: Seppo Ingalsuo <seppo.ingalsuo@linux.intel.com>
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Link: https://patch.msgid.link/20260326075618.1603-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/sof/ipc4-topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/sof/ipc4-topology.c
++++ b/sound/soc/sof/ipc4-topology.c
+@@ -2527,7 +2527,7 @@ static int sof_ipc4_control_load_bytes(s
+ return -EINVAL;
+ }
+
+- if (scontrol->priv_size < sizeof(struct sof_abi_hdr)) {
++ if (scontrol->priv_size && scontrol->priv_size < sizeof(struct sof_abi_hdr)) {
+ dev_err(sdev->dev,
+ "bytes control %s initial data size %zu is insufficient.\n",
+ scontrol->name, scontrol->priv_size);
--- /dev/null
+From b9c310d72783cc2f30d103eed83920a5a29c671a Mon Sep 17 00:00:00 2001
+From: Ali Norouzi <ali.norouzi@keysight.com>
+Date: Thu, 19 Mar 2026 16:47:44 +0100
+Subject: can: gw: fix OOB heap access in cgw_csum_crc8_rel()
+
+From: Ali Norouzi <ali.norouzi@keysight.com>
+
+commit b9c310d72783cc2f30d103eed83920a5a29c671a upstream.
+
+cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():
+
+ int from = calc_idx(crc8->from_idx, cf->len);
+ int to = calc_idx(crc8->to_idx, cf->len);
+ int res = calc_idx(crc8->result_idx, cf->len);
+
+ if (from < 0 || to < 0 || res < 0)
+ return;
+
+However, the loop and the result write then use the raw s8 fields directly
+instead of the computed variables:
+
+ for (i = crc8->from_idx; ...) /* BUG: raw negative index */
+ cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */
+
+With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,
+calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with
+i = -64, reading cf->data[-64], and the write goes to cf->data[-64].
+This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the
+start of the canfd_frame on the heap.
+
+The companion function cgw_csum_xor_rel() uses `from`/`to`/`res`
+correctly throughout; fix cgw_csum_crc8_rel() to match.
+
+Confirmed with KASAN on linux-7.0-rc2:
+ BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0
+ Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62
+
+To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.
+
+Fixes: 456a8a646b25 ("can: gw: add support for CAN FD frames")
+Cc: stable@vger.kernel.org
+Reported-by: Ali Norouzi <ali.norouzi@keysight.com>
+Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Ali Norouzi <ali.norouzi@keysight.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-1-c45d52c6d2d8@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/gw.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/can/gw.c
++++ b/net/can/gw.c
+@@ -374,10 +374,10 @@ static void cgw_csum_crc8_rel(struct can
+ return;
+
+ if (from <= to) {
+- for (i = crc8->from_idx; i <= crc8->to_idx; i++)
++ for (i = from; i <= to; i++)
+ crc = crc8->crctab[crc ^ cf->data[i]];
+ } else {
+- for (i = crc8->from_idx; i >= crc8->to_idx; i--)
++ for (i = from; i >= to; i--)
+ crc = crc8->crctab[crc ^ cf->data[i]];
+ }
+
+@@ -396,7 +396,7 @@ static void cgw_csum_crc8_rel(struct can
+ break;
+ }
+
+- cf->data[crc8->result_idx] = crc ^ crc8->final_xor_val;
++ cf->data[res] = crc ^ crc8->final_xor_val;
+ }
+
+ static void cgw_csum_crc8_pos(struct canfd_frame *cf,
--- /dev/null
+From 424e95d62110cdbc8fd12b40918f37e408e35a92 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Thu, 19 Mar 2026 16:47:45 +0100
+Subject: can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 424e95d62110cdbc8fd12b40918f37e408e35a92 upstream.
+
+isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access
+to so->tx.buf. isotp_release() waits for ISOTP_IDLE via
+wait_event_interruptible() and then calls kfree(so->tx.buf).
+
+If a signal interrupts the wait_event_interruptible() inside close()
+while tx.state is ISOTP_SENDING, the loop exits early and release
+proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf)
+while sendmsg may still be reading so->tx.buf for the final CAN frame
+in isotp_fill_dataframe().
+
+The so->tx.buf can be allocated once when the standard tx.buf length needs
+to be extended. Move the kfree() of this potentially extended tx.buf to
+sk_destruct time when either isotp_sendmsg() and isotp_release() are done.
+
+Fixes: 96d1c81e6a04 ("can: isotp: add module parameter for maximum pdu size")
+Cc: stable@vger.kernel.org
+Reported-by: Ali Norouzi <ali.norouzi@keysight.com>
+Co-developed-by: Ali Norouzi <ali.norouzi@keysight.com>
+Signed-off-by: Ali Norouzi <ali.norouzi@keysight.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-2-c45d52c6d2d8@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/isotp.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -1229,12 +1229,6 @@ static int isotp_release(struct socket *
+ so->ifindex = 0;
+ so->bound = 0;
+
+- if (so->rx.buf != so->rx.sbuf)
+- kfree(so->rx.buf);
+-
+- if (so->tx.buf != so->tx.sbuf)
+- kfree(so->tx.buf);
+-
+ sock_orphan(sk);
+ sock->sk = NULL;
+
+@@ -1602,6 +1596,21 @@ static int isotp_notifier(struct notifie
+ return NOTIFY_DONE;
+ }
+
++static void isotp_sock_destruct(struct sock *sk)
++{
++ struct isotp_sock *so = isotp_sk(sk);
++
++ /* do the standard CAN sock destruct work */
++ can_sock_destruct(sk);
++
++ /* free potential extended PDU buffers */
++ if (so->rx.buf != so->rx.sbuf)
++ kfree(so->rx.buf);
++
++ if (so->tx.buf != so->tx.sbuf)
++ kfree(so->tx.buf);
++}
++
+ static int isotp_init(struct sock *sk)
+ {
+ struct isotp_sock *so = isotp_sk(sk);
+@@ -1648,6 +1657,9 @@ static int isotp_init(struct sock *sk)
+ list_add_tail(&so->notifier, &isotp_notifier_list);
+ spin_unlock(&isotp_notifier_lock);
+
++ /* re-assign default can_sock_destruct() reference */
++ sk->sk_destruct = isotp_sock_destruct;
++
+ return 0;
+ }
+
--- /dev/null
+From 6a28fb8cb28b9eb39a392e531d938a889eacafc5 Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Fri, 20 Mar 2026 15:08:14 +0530
+Subject: cpufreq: conservative: Reset requested_freq on limits change
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+commit 6a28fb8cb28b9eb39a392e531d938a889eacafc5 upstream.
+
+A recently reported issue highlighted that the cached requested_freq
+is not guaranteed to stay in sync with policy->cur. If the platform
+changes the actual CPU frequency after the governor sets one (e.g.
+due to platform-specific frequency scaling) and a re-sync occurs
+later, policy->cur may diverge from requested_freq.
+
+This can lead to incorrect behavior in the conservative governor.
+For example, the governor may assume the CPU is already running at
+the maximum frequency and skip further increases even though there
+is still headroom.
+
+Avoid this by resetting the cached requested_freq to policy->cur on
+detecting a change in policy limits.
+
+Reported-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Tested-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Link: https://lore.kernel.org/all/20260210115458.3493646-1-zhenglifeng1@huawei.com/
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com>
+Cc: All applicable <stable@vger.kernel.org>
+Link: https://patch.msgid.link/d846a141a98ac0482f20560fcd7525c0f0ec2f30.1773999467.git.viresh.kumar@linaro.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cpufreq_conservative.c | 12 ++++++++++++
+ drivers/cpufreq/cpufreq_governor.c | 3 +++
+ drivers/cpufreq/cpufreq_governor.h | 1 +
+ 3 files changed, 16 insertions(+)
+
+--- a/drivers/cpufreq/cpufreq_conservative.c
++++ b/drivers/cpufreq/cpufreq_conservative.c
+@@ -313,6 +313,17 @@ static void cs_start(struct cpufreq_poli
+ dbs_info->requested_freq = policy->cur;
+ }
+
++static void cs_limits(struct cpufreq_policy *policy)
++{
++ struct cs_policy_dbs_info *dbs_info = to_dbs_info(policy->governor_data);
++
++ /*
++ * The limits have changed, so may have the current frequency. Reset
++ * requested_freq to avoid any unintended outcomes due to the mismatch.
++ */
++ dbs_info->requested_freq = policy->cur;
++}
++
+ static struct dbs_governor cs_governor = {
+ .gov = CPUFREQ_DBS_GOVERNOR_INITIALIZER("conservative"),
+ .kobj_type = { .default_groups = cs_groups },
+@@ -322,6 +333,7 @@ static struct dbs_governor cs_governor =
+ .init = cs_init,
+ .exit = cs_exit,
+ .start = cs_start,
++ .limits = cs_limits,
+ };
+
+ #define CPU_FREQ_GOV_CONSERVATIVE (cs_governor.gov)
+--- a/drivers/cpufreq/cpufreq_governor.c
++++ b/drivers/cpufreq/cpufreq_governor.c
+@@ -563,6 +563,7 @@ EXPORT_SYMBOL_GPL(cpufreq_dbs_governor_s
+
+ void cpufreq_dbs_governor_limits(struct cpufreq_policy *policy)
+ {
++ struct dbs_governor *gov = dbs_governor_of(policy);
+ struct policy_dbs_info *policy_dbs;
+
+ /* Protect gov->gdbs_data against cpufreq_dbs_governor_exit() */
+@@ -574,6 +575,8 @@ void cpufreq_dbs_governor_limits(struct
+ mutex_lock(&policy_dbs->update_mutex);
+ cpufreq_policy_apply_limits(policy);
+ gov_update_sample_delay(policy_dbs, 0);
++ if (gov->limits)
++ gov->limits(policy);
+ mutex_unlock(&policy_dbs->update_mutex);
+
+ out:
+--- a/drivers/cpufreq/cpufreq_governor.h
++++ b/drivers/cpufreq/cpufreq_governor.h
+@@ -138,6 +138,7 @@ struct dbs_governor {
+ int (*init)(struct dbs_data *dbs_data);
+ void (*exit)(struct dbs_data *dbs_data);
+ void (*start)(struct cpufreq_policy *policy);
++ void (*limits)(struct cpufreq_policy *policy);
+ };
+
+ static inline struct dbs_governor *dbs_governor_of(struct cpufreq_policy *policy)
--- /dev/null
+From 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 Mon Sep 17 00:00:00 2001
+From: Hyunwoo Kim <imv4bel@gmail.com>
+Date: Tue, 17 Mar 2026 08:52:01 +0900
+Subject: ksmbd: do not expire session on binding failure
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+commit 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 upstream.
+
+When a multichannel session binding request fails (e.g. wrong password),
+the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED.
+However, during binding, sess points to the target session looked up via
+ksmbd_session_lookup_slowpath() -- which belongs to another connection's
+user. This allows a remote attacker to invalidate any active session by
+simply sending a binding request with a wrong password (DoS).
+
+Fix this by skipping session expiration when the failed request was
+a binding attempt, since the session does not belong to the current
+connection. The reference taken by ksmbd_session_lookup_slowpath() is
+still correctly released via ksmbd_user_session_put().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1945,8 +1945,14 @@ out_err:
+ if (sess->user && sess->user->flags & KSMBD_USER_FLAG_DELAY_SESSION)
+ try_delay = true;
+
+- sess->last_active = jiffies;
+- sess->state = SMB2_SESSION_EXPIRED;
++ /*
++ * For binding requests, session belongs to another
++ * connection. Do not expire it.
++ */
++ if (!(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
++ sess->last_active = jiffies;
++ sess->state = SMB2_SESSION_EXPIRED;
++ }
+ ksmbd_user_session_put(sess);
+ work->sess = NULL;
+ if (try_delay) {
--- /dev/null
+From 309b44ed684496ed3f9c5715d10b899338623512 Mon Sep 17 00:00:00 2001
+From: Werner Kasselman <werner@verivus.com>
+Date: Tue, 17 Mar 2026 07:55:37 +0000
+Subject: ksmbd: fix memory leaks and NULL deref in smb2_lock()
+
+From: Werner Kasselman <werner@verivus.com>
+
+commit 309b44ed684496ed3f9c5715d10b899338623512 upstream.
+
+smb2_lock() has three error handling issues after list_del() detaches
+smb_lock from lock_list at no_check_cl:
+
+1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK
+ path, goto out leaks smb_lock and its flock because the out:
+ handler only iterates lock_list and rollback_list, neither of
+ which contains the detached smb_lock.
+
+2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out
+ leaks smb_lock and flock for the same reason. The error code
+ returned to the dispatcher is also stale.
+
+3) In the rollback path, smb_flock_init() can return NULL on
+ allocation failure. The result is dereferenced unconditionally,
+ causing a kernel NULL pointer dereference. Add a NULL check to
+ prevent the crash and clean up the bookkeeping; the VFS lock
+ itself cannot be rolled back without the allocation and will be
+ released at file or connection teardown.
+
+Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before
+the if(!rc) check in the UNLOCK branch so all exit paths share one
+free site, and by freeing smb_lock and flock before goto out in the
+non-UNLOCK branch. Propagate the correct error code in both cases.
+Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding
+a NULL check for locks_free_lock(rlock) in the shared cleanup.
+
+Found via call-graph analysis using sqry.
+
+Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
+Cc: stable@vger.kernel.org
+Suggested-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
+Signed-off-by: Werner Kasselman <werner@verivus.com>
+Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 29 +++++++++++++++++++----------
+ 1 file changed, 19 insertions(+), 10 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -7552,14 +7552,15 @@ retry:
+ rc = vfs_lock_file(filp, smb_lock->cmd, flock, NULL);
+ skip:
+ if (smb_lock->flags & SMB2_LOCKFLAG_UNLOCK) {
++ locks_free_lock(flock);
++ kfree(smb_lock);
+ if (!rc) {
+ ksmbd_debug(SMB, "File unlocked\n");
+ } else if (rc == -ENOENT) {
+ rsp->hdr.Status = STATUS_NOT_LOCKED;
++ err = rc;
+ goto out;
+ }
+- locks_free_lock(flock);
+- kfree(smb_lock);
+ } else {
+ if (rc == FILE_LOCK_DEFERRED) {
+ void **argv;
+@@ -7628,6 +7629,9 @@ skip:
+ spin_unlock(&work->conn->llist_lock);
+ ksmbd_debug(SMB, "successful in taking lock\n");
+ } else {
++ locks_free_lock(flock);
++ kfree(smb_lock);
++ err = rc;
+ goto out;
+ }
+ }
+@@ -7658,13 +7662,17 @@ out:
+ struct file_lock *rlock = NULL;
+
+ rlock = smb_flock_init(filp);
+- rlock->c.flc_type = F_UNLCK;
+- rlock->fl_start = smb_lock->start;
+- rlock->fl_end = smb_lock->end;
+-
+- rc = vfs_lock_file(filp, F_SETLK, rlock, NULL);
+- if (rc)
+- pr_err("rollback unlock fail : %d\n", rc);
++ if (rlock) {
++ rlock->c.flc_type = F_UNLCK;
++ rlock->fl_start = smb_lock->start;
++ rlock->fl_end = smb_lock->end;
++
++ rc = vfs_lock_file(filp, F_SETLK, rlock, NULL);
++ if (rc)
++ pr_err("rollback unlock fail : %d\n", rc);
++ } else {
++ pr_err("rollback unlock alloc failed\n");
++ }
+
+ list_del(&smb_lock->llist);
+ spin_lock(&work->conn->llist_lock);
+@@ -7674,7 +7682,8 @@ out:
+ spin_unlock(&work->conn->llist_lock);
+
+ locks_free_lock(smb_lock->fl);
+- locks_free_lock(rlock);
++ if (rlock)
++ locks_free_lock(rlock);
+ kfree(smb_lock);
+ }
+ out2:
--- /dev/null
+From beef2634f81f1c086208191f7228bce1d366493d Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Thu, 19 Mar 2026 21:00:02 +0900
+Subject: ksmbd: fix potencial OOB in get_file_all_info() for compound requests
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit beef2634f81f1c086208191f7228bce1d366493d upstream.
+
+When a compound request consists of QUERY_DIRECTORY + QUERY_INFO
+(FILE_ALL_INFORMATION) and the first command consumes nearly the entire
+max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16()
+with PATH_MAX, causing out-of-bounds write beyond the response buffer.
+In get_file_all_info(), there was a missing validation check for
+the client-provided OutputBufferLength before copying the filename into
+FileName field of the smb2_file_all_info structure.
+If the filename length exceeds the available buffer space, it could lead to
+potential buffer overflows or memory corruption during smbConvertToUTF16
+conversion. This calculating the actual free buffer size using
+smb2_calc_max_out_buf_len() and returning -EINVAL if the buffer is
+insufficient and updating smbConvertToUTF16 to use the actual filename
+length (clamped by PATH_MAX) to ensure a safe copy operation.
+
+Cc: stable@vger.kernel.org
+Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
+Reported-by: Asim Viladi Oglu Manizada <manizada@pm.me>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -4941,7 +4941,8 @@ static int get_file_all_info(struct ksmb
+ int conv_len;
+ char *filename;
+ u64 time;
+- int ret;
++ int ret, buf_free_len, filename_len;
++ struct smb2_query_info_req *req = ksmbd_req_buf_next(work);
+
+ if (!(fp->daccess & FILE_READ_ATTRIBUTES_LE)) {
+ ksmbd_debug(SMB, "no right to read the attributes : 0x%x\n",
+@@ -4953,6 +4954,16 @@ static int get_file_all_info(struct ksmb
+ if (IS_ERR(filename))
+ return PTR_ERR(filename);
+
++ filename_len = strlen(filename);
++ buf_free_len = smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_info_rsp, Buffer) +
++ offsetof(struct smb2_file_all_info, FileName),
++ le32_to_cpu(req->OutputBufferLength));
++ if (buf_free_len < (filename_len + 1) * 2) {
++ kfree(filename);
++ return -EINVAL;
++ }
++
+ ret = vfs_getattr(&fp->filp->f_path, &stat, STATX_BASIC_STATS,
+ AT_STATX_SYNC_AS_STAT);
+ if (ret) {
+@@ -4988,7 +4999,8 @@ static int get_file_all_info(struct ksmb
+ file_info->Mode = fp->coption;
+ file_info->AlignmentRequirement = 0;
+ conv_len = smbConvertToUTF16((__le16 *)file_info->FileName, filename,
+- PATH_MAX, conn->local_nls, 0);
++ min(filename_len, PATH_MAX),
++ conn->local_nls, 0);
+ conv_len *= 2;
+ file_info->FileNameLength = cpu_to_le32(conv_len);
+ rsp->OutputBufferLength =
--- /dev/null
+From 0e55f63dd08f09651d39e1b709a91705a8a0ddcb Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 13 Mar 2026 14:45:58 +0900
+Subject: ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 0e55f63dd08f09651d39e1b709a91705a8a0ddcb upstream.
+
+After this commit (e2b76ab8b5c9 "ksmbd: add support for read compound"),
+response buffer management was changed to use dynamic iov array.
+In the new design, smb2_calc_max_out_buf_len() expects the second
+argument (hdr2_len) to be the offset of ->Buffer field in the
+response structure, not a hardcoded magic number.
+Fix the remaining call sites to use the correct offsetof() value.
+
+Cc: stable@vger.kernel.org
+Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -4458,8 +4458,9 @@ int smb2_query_dir(struct ksmbd_work *wo
+ d_info.wptr = (char *)rsp->Buffer;
+ d_info.rptr = (char *)rsp->Buffer;
+ d_info.out_buf_len =
+- smb2_calc_max_out_buf_len(work, 8,
+- le32_to_cpu(req->OutputBufferLength));
++ smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_directory_rsp, Buffer),
++ le32_to_cpu(req->OutputBufferLength));
+ if (d_info.out_buf_len < 0) {
+ rc = -EINVAL;
+ goto err_out;
+@@ -4726,8 +4727,9 @@ static int smb2_get_ea(struct ksmbd_work
+ }
+
+ buf_free_len =
+- smb2_calc_max_out_buf_len(work, 8,
+- le32_to_cpu(req->OutputBufferLength));
++ smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_info_rsp, Buffer),
++ le32_to_cpu(req->OutputBufferLength));
+ if (buf_free_len < 0)
+ return -EINVAL;
+
+@@ -5040,8 +5042,9 @@ static int get_file_stream_info(struct k
+ file_info = (struct smb2_file_stream_info *)rsp->Buffer;
+
+ buf_free_len =
+- smb2_calc_max_out_buf_len(work, 8,
+- le32_to_cpu(req->OutputBufferLength));
++ smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_info_rsp, Buffer),
++ le32_to_cpu(req->OutputBufferLength));
+ if (buf_free_len < 0)
+ goto out;
+
+@@ -8140,8 +8143,9 @@ int smb2_ioctl(struct ksmbd_work *work)
+ buffer = (char *)req + le32_to_cpu(req->InputOffset);
+
+ cnt_code = le32_to_cpu(req->CtlCode);
+- ret = smb2_calc_max_out_buf_len(work, 48,
+- le32_to_cpu(req->MaxOutputResponse));
++ ret = smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_ioctl_rsp, Buffer),
++ le32_to_cpu(req->MaxOutputResponse));
+ if (ret < 0) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ goto out;
--- /dev/null
+From c5c0a268b38adffbb2e70e6957017537ff54c157 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Thu, 26 Mar 2026 14:38:44 +0100
+Subject: s390/barrier: Make array_index_mask_nospec() __always_inline
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit c5c0a268b38adffbb2e70e6957017537ff54c157 upstream.
+
+Mark array_index_mask_nospec() as __always_inline to guarantee the
+mitigation is emitted inline regardless of compiler inlining decisions.
+
+Fixes: e2dd833389cc ("s390: add optimized array_index_mask_nospec")
+Cc: stable@kernel.org
+Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/barrier.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/include/asm/barrier.h
++++ b/arch/s390/include/asm/barrier.h
+@@ -62,8 +62,8 @@ do { \
+ * @size: number of elements in array
+ */
+ #define array_index_mask_nospec array_index_mask_nospec
+-static inline unsigned long array_index_mask_nospec(unsigned long index,
+- unsigned long size)
++static __always_inline unsigned long array_index_mask_nospec(unsigned long index,
++ unsigned long size)
+ {
+ unsigned long mask;
+
--- /dev/null
+From 0738d395aab8fae3b5a3ad3fc640630c91693c27 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Thu, 26 Mar 2026 19:50:14 +0100
+Subject: s390/entry: Scrub r12 register on kernel entry
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit 0738d395aab8fae3b5a3ad3fc640630c91693c27 upstream.
+
+Before commit f33f2d4c7c80 ("s390/bp: remove TIF_ISOLATE_BP"),
+all entry handlers loaded r12 with the current task pointer
+(lg %r12,__LC_CURRENT) for use by the BPENTER/BPEXIT macros. That
+commit removed TIF_ISOLATE_BP, dropping both the branch prediction
+macros and the r12 load, but did not add r12 to the register clearing
+sequence.
+
+Add the missing xgr %r12,%r12 to make the register scrub consistent
+across all entry points.
+
+Fixes: f33f2d4c7c80 ("s390/bp: remove TIF_ISOLATE_BP")
+Cc: stable@kernel.org
+Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/entry.S | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/s390/kernel/entry.S
++++ b/arch/s390/kernel/entry.S
+@@ -286,6 +286,7 @@ SYM_CODE_START(system_call)
+ xgr %r9,%r9
+ xgr %r10,%r10
+ xgr %r11,%r11
++ xgr %r12,%r12
+ la %r2,STACK_FRAME_OVERHEAD(%r15) # pointer to pt_regs
+ mvc __PT_R8(64,%r2),__LC_SAVE_AREA(%r13)
+ MBEAR %r2,%r13
+@@ -431,6 +432,7 @@ SYM_CODE_START(\name)
+ xgr %r6,%r6
+ xgr %r7,%r7
+ xgr %r10,%r10
++ xgr %r12,%r12
+ xc __PT_FLAGS(8,%r11),__PT_FLAGS(%r11)
+ mvc __PT_R8(64,%r11),__LC_SAVE_AREA(%r13)
+ MBEAR %r11,%r13
+@@ -523,6 +525,7 @@ SYM_CODE_START(mcck_int_handler)
+ xgr %r6,%r6
+ xgr %r7,%r7
+ xgr %r10,%r10
++ xgr %r12,%r12
+ stmg %r8,%r9,__PT_PSW(%r11)
+ xc __PT_FLAGS(8,%r11),__PT_FLAGS(%r11)
+ xc __SF_BACKCHAIN(8,%r15),__SF_BACKCHAIN(%r15)
--- /dev/null
+From 48b8814e25d073dd84daf990a879a820bad2bcbd Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 24 Mar 2026 17:34:05 +0100
+Subject: s390/syscalls: Add spectre boundary for syscall dispatch table
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 48b8814e25d073dd84daf990a879a820bad2bcbd upstream.
+
+The s390 syscall number is directly controlled by userspace, but does
+not have an array_index_nospec() boundary to prevent access past the
+syscall function pointer tables.
+
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
+Cc: Sven Schnelle <svens@linux.ibm.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Fixes: 56e62a737028 ("s390: convert to generic entry")
+Cc: stable@kernel.org
+Assisted-by: gkh_clanker_2000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Link: https://lore.kernel.org/r/2026032404-sterling-swoosh-43e6@gregkh
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/syscall.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/s390/kernel/syscall.c
++++ b/arch/s390/kernel/syscall.c
+@@ -13,6 +13,7 @@
+ */
+
+ #include <linux/errno.h>
++#include <linux/nospec.h>
+ #include <linux/sched.h>
+ #include <linux/mm.h>
+ #include <linux/fs.h>
+@@ -114,6 +115,7 @@ static void do_syscall(struct pt_regs *r
+ if (likely(nr >= NR_syscalls))
+ goto out;
+ do {
++ nr = array_index_nospec(nr, NR_syscalls);
+ regs->gprs[2] = current->thread.sys_call_table[nr](regs);
+ } while (test_and_clear_pt_regs_flag(regs, PIF_EXECVE_PGSTE_RESTART));
+ out:
asoc-adau1372-fix-unchecked-clk_prepare_enable-retur.patch
asoc-adau1372-fix-clock-leak-on-pll-lock-failure.patch
spi-spi-fsl-lpspi-fix-teardown-order-issue-uaf.patch
+s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch
+s390-barrier-make-array_index_mask_nospec-__always_inline.patch
+s390-entry-scrub-r12-register-on-kernel-entry.patch
+ksmbd-replace-hardcoded-hdr2_len-with-offsetof-in-smb2_calc_max_out_buf_len.patch
+ksmbd-fix-potencial-oob-in-get_file_all_info-for-compound-requests.patch
+ksmbd-fix-memory-leaks-and-null-deref-in-smb2_lock.patch
+ksmbd-do-not-expire-session-on-binding-failure.patch
+alsa-firewire-lib-fix-uninitialized-local-variable.patch
+asoc-sof-ipc4-topology-allow-bytes-controls-without-initial-payload.patch
+can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch
+can-isotp-fix-tx.buf-use-after-free-in-isotp_sendmsg.patch
+cpufreq-conservative-reset-requested_freq-on-limits-change.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
