6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 23 Dec 2025 16:53:52 +0000 (17:53 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 23 Dec 2025 16:53:52 +0000 (17:53 +0100)
added patches:
acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch
hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
input-lkkbd-disable-pending-work-before-freeing-device.patch
input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch
ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch
ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch
mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch
net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch
spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch

12 files changed:
queue-6.1/acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch [new file with mode: 0644]
queue-6.1/hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch [new file with mode: 0644]
queue-6.1/input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch [new file with mode: 0644]
queue-6.1/input-lkkbd-disable-pending-work-before-freeing-device.patch [new file with mode: 0644]
queue-6.1/input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch [new file with mode: 0644]
queue-6.1/ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch [new file with mode: 0644]
queue-6.1/ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch [new file with mode: 0644]
queue-6.1/ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch [new file with mode: 0644]
queue-6.1/mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch [new file with mode: 0644]
queue-6.1/net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch [new file with mode: 0644]

diff --git a/queue-6.1/acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch b/queue-6.1/acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch
new file mode 100644 (file)
index 0000000..54c0ffe
--- /dev/null
@@ -0,0 +1,40 @@
+From 6ea3a44cef28add2d93b1ef119d84886cb1e3c9b Mon Sep 17 00:00:00 2001
+From: Pengjie Zhang <zhangpengjie2@huawei.com>
+Date: Wed, 10 Dec 2025 21:22:27 +0800
+Subject: ACPI: CPPC: Fix missing PCC check for guaranteed_perf
+
+From: Pengjie Zhang <zhangpengjie2@huawei.com>
+
+commit 6ea3a44cef28add2d93b1ef119d84886cb1e3c9b upstream.
+
+The current implementation overlooks the 'guaranteed_perf'
+register in this check.
+
+If the Guaranteed Performance register is located in the PCC
+subspace, the function currently attempts to read it without
+acquiring the lock and without sending the CMD_READ doorbell
+to the firmware. This can result in reading stale data.
+
+Fixes: 29523f095397 ("ACPI / CPPC: Add support for guaranteed performance")
+Signed-off-by: Pengjie Zhang <zhangpengjie2@huawei.com>
+Cc: 4.20+ <stable@vger.kernel.org> # 4.20+
+[ rjw: Subject and changelog edits ]
+Link: https://patch.msgid.link/20251210132227.1988380-1-zhangpengjie2@huawei.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/cppc_acpi.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/cppc_acpi.c
++++ b/drivers/acpi/cppc_acpi.c
+@@ -1267,7 +1267,8 @@ int cppc_get_perf_caps(int cpunum, struc
+       /* Are any of the regs PCC ?*/
+       if (CPC_IN_PCC(highest_reg) || CPC_IN_PCC(lowest_reg) ||
+               CPC_IN_PCC(lowest_non_linear_reg) || CPC_IN_PCC(nominal_reg) ||
+-              CPC_IN_PCC(low_freq_reg) || CPC_IN_PCC(nom_freq_reg)) {
++              CPC_IN_PCC(low_freq_reg) || CPC_IN_PCC(nom_freq_reg) ||
++              CPC_IN_PCC(guaranteed_reg)) {
+               if (pcc_ss_id < 0) {
+                       pr_debug("Invalid pcc_ss_id\n");
+                       return -ENODEV;
diff --git a/queue-6.1/hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch b/queue-6.1/hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
new file mode 100644 (file)
index 0000000..6b285f9
--- /dev/null
@@ -0,0 +1,70 @@
+From 7953794f741e94d30df9dafaaa4c031c85b891d6 Mon Sep 17 00:00:00 2001
+From: Ping Cheng <pinglinux@gmail.com>
+Date: Mon, 27 Oct 2025 13:37:42 -0700
+Subject: HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen
+
+From: Ping Cheng <pinglinux@gmail.com>
+
+commit 7953794f741e94d30df9dafaaa4c031c85b891d6 upstream.
+
+HID_GD_Z is mapped to ABS_Z for stylus and pen in hid-input.c. But HID_GD_Z
+should be used to report ABS_DISTANCE for stylus and pen as described at:
+Documentation/input/event-codes.rst#n226
+
+* ABS_DISTANCE:
+
+  - Used to describe the distance of a tool from an interaction surface. This
+    event should only be emitted while the tool is hovering, meaning in close
+    proximity of the device and while the value of the BTN_TOUCH code is 0. If
+    the input device may be used freely in three dimensions, consider ABS_Z
+    instead.
+  - BTN_TOOL_<name> should be set to 1 when the tool comes into detectable
+    proximity and set to 0 when the tool leaves detectable proximity.
+    BTN_TOOL_<name> signals the type of tool that is currently detected by the
+    hardware and is otherwise independent of ABS_DISTANCE and/or BTN_TOUCH.
+
+This patch makes the correct mapping. The ABS_DISTANCE is currently not mapped
+by any HID usage in hid-generic driver.
+
+Signed-off-by: Ping Cheng <ping.cheng@wacom.com>
+Cc: stable@kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-input.c |   18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -871,7 +871,7 @@ static void hidinput_configure_usage(str
+               switch (usage->hid) {
+               /* These usage IDs map directly to the usage codes. */
+-              case HID_GD_X: case HID_GD_Y: case HID_GD_Z:
++              case HID_GD_X: case HID_GD_Y:
+               case HID_GD_RX: case HID_GD_RY: case HID_GD_RZ:
+                       if (field->flags & HID_MAIN_ITEM_RELATIVE)
+                               map_rel(usage->hid & 0xf);
+@@ -879,6 +879,22 @@ static void hidinput_configure_usage(str
+                               map_abs_clear(usage->hid & 0xf);
+                       break;
++              case HID_GD_Z:
++                      /* HID_GD_Z is mapped to ABS_DISTANCE for stylus/pen */
++                      if (field->flags & HID_MAIN_ITEM_RELATIVE) {
++                              map_rel(usage->hid & 0xf);
++                      } else {
++                              if (field->application == HID_DG_PEN ||
++                                  field->physical == HID_DG_PEN ||
++                                  field->logical == HID_DG_STYLUS ||
++                                  field->physical == HID_DG_STYLUS ||
++                                  field->application == HID_DG_DIGITIZER)
++                                      map_abs_clear(ABS_DISTANCE);
++                              else
++                                      map_abs_clear(usage->hid & 0xf);
++                      }
++                      break;
++
+               case HID_GD_WHEEL:
+                       if (field->flags & HID_MAIN_ITEM_RELATIVE) {
+                               set_bit(REL_WHEEL, input->relbit);
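Review bot: The comment on the new `case HID_GD_Z:` says stylus/pen, but the condition below it also matches `field->application == HID_DG_DIGITIZER`, so any absolute Z axis under a digitizer application collection moves from ABS_Z to ABS_DISTANCE, not only pens. Because this changes the event code userspace receives, the comment should state the full condition, for example `/* Absolute HID_GD_Z reports hover distance for pen, stylus and digitizer collections; other devices keep ABS_Z */`. The relative branch and the fallback repeat what the shared X/Y/RX/RY/RZ case already does. hidinput_configure_usage starts and ends outside the hunks.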
diff --git a/queue-6.1/input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch b/queue-6.1/input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
new file mode 100644 (file)
index 0000000..4f1b4a4
--- /dev/null
@@ -0,0 +1,39 @@
+From aed3716db7fff74919cc5775ca3a80c8bb246489 Mon Sep 17 00:00:00 2001
+From: Christoffer Sandberg <cs@tuxedo.de>
+Date: Mon, 24 Nov 2025 21:31:34 +0100
+Subject: Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table
+
+From: Christoffer Sandberg <cs@tuxedo.de>
+
+commit aed3716db7fff74919cc5775ca3a80c8bb246489 upstream.
+
+The device occasionally wakes up from suspend with missing input on the
+internal keyboard and the following suspend attempt results in an instant
+wake-up. The quirks fix both issues for this device.
+
+Signed-off-by: Christoffer Sandberg <cs@tuxedo.de>
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251124203336.64072-1-wse@tuxedocomputers.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/serio/i8042-acpipnpio.h |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-acpipnpio.h
++++ b/drivers/input/serio/i8042-acpipnpio.h
+@@ -1169,6 +1169,13 @@ static const struct dmi_system_id i8042_
+               .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS |
+                                       SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
+       },
++      {
++              .matches = {
++                      DMI_MATCH(DMI_BOARD_NAME, "X5KK45xS_X5SP45xS"),
++              },
++              .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS |
++                                      SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
++      },
+       /*
+        * A lot of modern Clevo barebones have touchpad and/or keyboard issues
+        * after suspend fixable with the forcenorestore quirk.
diff --git a/queue-6.1/input-lkkbd-disable-pending-work-before-freeing-device.patch b/queue-6.1/input-lkkbd-disable-pending-work-before-freeing-device.patch
new file mode 100644 (file)
index 0000000..4237777
--- /dev/null
@@ -0,0 +1,52 @@
+From e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c Mon Sep 17 00:00:00 2001
+From: Minseong Kim <ii4gsp@gmail.com>
+Date: Fri, 12 Dec 2025 00:29:23 -0800
+Subject: Input: lkkbd - disable pending work before freeing device
+
+From: Minseong Kim <ii4gsp@gmail.com>
+
+commit e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c upstream.
+
+lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work
+handler lkkbd_reinit() dereferences the lkkbd structure and its
+serio/input_dev fields.
+
+lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd
+structure without preventing the reinit work from being queued again
+until serio_close() returns. This can allow the work handler to run
+after the structure has been freed, leading to a potential use-after-free.
+
+Use disable_work_sync() instead of cancel_work_sync() to ensure the
+reinit work cannot be re-queued, and call it both in lkkbd_disconnect()
+and in lkkbd_connect() error paths after serio_open().
+
+Signed-off-by: Minseong Kim <ii4gsp@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251212052314.16139-1-ii4gsp@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/lkkbd.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/keyboard/lkkbd.c
++++ b/drivers/input/keyboard/lkkbd.c
+@@ -670,7 +670,8 @@ static int lkkbd_connect(struct serio *s
+       return 0;
+- fail3:       serio_close(serio);
++ fail3:       disable_work_sync(&lk->tq);
++      serio_close(serio);
+  fail2:       serio_set_drvdata(serio, NULL);
+  fail1:       input_free_device(input_dev);
+       kfree(lk);
+@@ -684,6 +685,8 @@ static void lkkbd_disconnect(struct seri
+ {
+       struct lkkbd *lk = serio_get_drvdata(serio);
++      disable_work_sync(&lk->tq);
++
+       input_get_device(lk->dev);
+       input_unregister_device(lk->dev);
+       serio_close(serio);
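Review bot: Both added `disable_work_sync(&lk->tq);` calls depend on a helper that, as far as I know, only entered mainline in v6.10, while this patch is queued for 6.1. Confirm the 6.1 tree carries it or an equivalent backport, otherwise lkkbd.c will not build. If it is absent, `cancel_work_sync(&lk->tq);` placed after `serio_close(serio);` in both paths would give the same guarantee, since the interrupt handler cannot queue the work once the port is closed. lkkbd_connect and lkkbd_disconnect both extend outside the hunks.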
diff --git a/queue-6.1/input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch b/queue-6.1/input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
new file mode 100644 (file)
index 0000000..a368a9b
--- /dev/null
@@ -0,0 +1,38 @@
+From 248d3a73a0167dce15ba100477c3e778c4787178 Mon Sep 17 00:00:00 2001
+From: Junjie Cao <junjie.cao@intel.com>
+Date: Thu, 18 Dec 2025 21:56:59 -0800
+Subject: Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
+
+From: Junjie Cao <junjie.cao@intel.com>
+
+commit 248d3a73a0167dce15ba100477c3e778c4787178 upstream.
+
+The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows
+wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds
+access when used as index in 'config_pins[wire_order[i]]'.
+
+Since config_pins has 4 elements (indices 0-3), the valid range for
+wire_order should be 0-3. Fix the off-by-one error by using >= instead
+of > in the validation check.
+
+Signed-off-by: Junjie Cao <junjie.cao@intel.com>
+Link: https://patch.msgid.link/20251114062817.852698-1-junjie.cao@intel.com
+Fixes: bb76dc09ddfc ("input: ti_am33x_tsc: Order of TSC wires, made configurable")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/ti_am335x_tsc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/ti_am335x_tsc.c
++++ b/drivers/input/touchscreen/ti_am335x_tsc.c
+@@ -86,7 +86,7 @@ static int titsc_config_wires(struct tit
+               wire_order[i] = ts_dev->config_inp[i] & 0x0F;
+               if (WARN_ON(analog_line[i] > 7))
+                       return -EINVAL;
+-              if (WARN_ON(wire_order[i] > ARRAY_SIZE(config_pins)))
++              if (WARN_ON(wire_order[i] >= ARRAY_SIZE(config_pins)))
+                       return -EINVAL;
+       }
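Review bot: The check directly above the fixed line, `analog_line[i] > 7`, has the same shape as the comparison corrected here and uses a bare constant, so the hunk does not show whether 7 is really the last valid value for whatever analog_line[i] selects. It is worth verifying that bound against the array or register field it guards and expressing it with `ARRAY_SIZE()` or a named constant. wire_order[i] is masked with 0x0F, so values 4 to 15 can reach the corrected check, and it is the only guard in view before the value is used as an index. titsc_config_wires continues outside the hunk.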
diff --git a/queue-6.1/ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch b/queue-6.1/ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch
new file mode 100644 (file)
index 0000000..5af7431
--- /dev/null
@@ -0,0 +1,46 @@
+From 95d7a890e4b03e198836d49d699408fd1867cb55 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sun, 14 Dec 2025 15:06:34 +0900
+Subject: ksmbd: fix buffer validation by including null terminator size in EA length
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 95d7a890e4b03e198836d49d699408fd1867cb55 upstream.
+
+The smb2_set_ea function, which handles Extended Attributes (EA),
+was performing buffer validation checks that incorrectly omitted the size
+of the null terminating character (+1 byte) for EA Name.
+This patch fixes the issue by explicitly adding '+ 1' to EaNameLength where
+the null terminator is expected to be present in the buffer, ensuring
+the validation accurately reflects the total required buffer size.
+
+Cc: stable@vger.kernel.org
+Reported-by: Roger <roger.andersen@protonmail.com>
+Reported-by: Stanislas Polu <spolu@dust.tt>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -2354,7 +2354,7 @@ static int smb2_set_ea(struct smb2_ea_in
+       int rc = 0;
+       unsigned int next = 0;
+-      if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength +
++      if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + 1 +
+                       le16_to_cpu(eabuf->EaValueLength))
+               return -EINVAL;
+@@ -2430,7 +2430,7 @@ next:
+                       break;
+               }
+-              if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength +
++              if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + 1 +
+                               le16_to_cpu(eabuf->EaValueLength)) {
+                       rc = -EINVAL;
+                       break;
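Review bot: The length expression `sizeof(struct smb2_ea_info) + eabuf->EaNameLength + 1 + le16_to_cpu(eabuf->EaValueLength)` now appears twice with an unexplained `+ 1`, and both copies had to be corrected together. A comment on each, such as `/* + 1: NUL terminator after the EA name, not counted in EaNameLength */`, or one small static helper returning the required size, would keep the entry check and the loop check from drifting apart. Both checks read fields of eabuf, so they rely on buf_len already covering the fixed header. That precondition is not visible in these hunks and should be confirmed for the first entry. smb2_set_ea extends outside both hunks.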
diff --git a/queue-6.1/ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch b/queue-6.1/ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch
new file mode 100644 (file)
index 0000000..fcd550a
--- /dev/null
@@ -0,0 +1,39 @@
+From cafb57f7bdd57abba87725eb4e82bbdca4959644 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sun, 14 Dec 2025 15:05:56 +0900
+Subject: ksmbd: Fix refcount leak when invalid session is found on session lookup
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit cafb57f7bdd57abba87725eb4e82bbdca4959644 upstream.
+
+When a session is found but its state is not SMB2_SESSION_VALID, It
+indicates that no valid session was found, but it is missing to decrement
+the reference count acquired by the session lookup, which results in
+a reference count leak. This patch fixes the issue by explicitly calling
+ksmbd_user_session_put to release the reference to the session.
+
+Cc: stable@vger.kernel.org
+Reported-by: Alexandre <roger.andersen@protonmail.com>
+Reported-by: Stanislas Polu <spolu@dust.tt>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/mgmt/user_session.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -312,8 +312,10 @@ struct ksmbd_session *ksmbd_session_look
+       sess = ksmbd_session_lookup(conn, id);
+       if (!sess && conn->binding)
+               sess = ksmbd_session_lookup_slowpath(id);
+-      if (sess && sess->state != SMB2_SESSION_VALID)
++      if (sess && sess->state != SMB2_SESSION_VALID) {
++              ksmbd_user_session_put(sess);
+               sess = NULL;
++      }
+       return sess;
+ }
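Review bot: The added `ksmbd_user_session_put(sess);` is balanced only if both `ksmbd_session_lookup()` and `ksmbd_session_lookup_slowpath()` return with a reference held in the 6.1 tree, and neither is visible in the hunk. If either lookup returns a borrowed pointer in this branch, the put drops a reference the caller never owned and the session could be freed while still in use. Confirm that the reference-taking lookup changes are already present in 6.1.y before this is applied. A short comment on the branch, `/* drop the reference taken by the lookup */`, would document the pairing.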
diff --git a/queue-6.1/ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch b/queue-6.1/ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch
new file mode 100644 (file)
index 0000000..81bdb73
--- /dev/null
@@ -0,0 +1,45 @@
+From 5d510ac31626ed157d2182149559430350cf2104 Mon Sep 17 00:00:00 2001
+From: Qianchang Zhao <pioooooooooip@gmail.com>
+Date: Sun, 9 Nov 2025 10:00:55 +0900
+Subject: ksmbd: skip lock-range check on equal size to avoid size==0 underflow
+
+From: Qianchang Zhao <pioooooooooip@gmail.com>
+
+commit 5d510ac31626ed157d2182149559430350cf2104 upstream.
+
+When size equals the current i_size (including 0), the code used to call
+check_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1`
+and can underflow for size==0. Skip the equal case.
+
+Cc: stable@vger.kernel.org
+Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
+Reported-by: Zhitong Liu <liuzhitong1993@gmail.com>
+Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/vfs.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -330,6 +330,9 @@ static int check_lock_range(struct file
+       struct file_lock_context *ctx = file_inode(filp)->i_flctx;
+       int error = 0;
++      if (start == end)
++              return 0;
++
+       if (!ctx || list_empty_careful(&ctx->flc_posix))
+               return 0;
+@@ -830,7 +833,7 @@ int ksmbd_vfs_truncate(struct ksmbd_work
+               if (size < inode->i_size) {
+                       err = check_lock_range(filp, size,
+                                              inode->i_size - 1, WRITE);
+-              } else {
++              } else if (size > inode->i_size) {
+                       err = check_lock_range(filp, inode->i_size,
+                                              size - 1, WRITE);
+               }
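Review bot: The new `if (start == end) return 0;` in check_lock_range() skips the conflict scan for every one-byte range, not only for the size==0 case named in the description. The truncate call sites pass an inclusive end (`inode->i_size - 1`, `size - 1`), so shrinking a file by exactly one byte gives start == end and now bypasses any lock on that byte. Other callers of check_lock_range, not visible here, would be affected the same way for one-byte requests. The `else if (size > inode->i_size)` change already keeps the equal-size case from reaching the function, so the early return could be dropped or narrowed to the inverted range, `if (start > end) return 0;`, assuming the offsets are signed. check_lock_range and ksmbd_vfs_truncate both extend outside the hunks.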
diff --git a/queue-6.1/mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch b/queue-6.1/mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch
new file mode 100644 (file)
index 0000000..fc80567
--- /dev/null
@@ -0,0 +1,43 @@
+From d3ecb12e2e04ce53c95f933c462f2d8b150b965b Mon Sep 17 00:00:00 2001
+From: Jared Kangas <jkangas@redhat.com>
+Date: Fri, 12 Dec 2025 07:03:17 -0800
+Subject: mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig
+
+From: Jared Kangas <jkangas@redhat.com>
+
+commit d3ecb12e2e04ce53c95f933c462f2d8b150b965b upstream.
+
+MMC_SDHCI_ESDHC_IMX requires ARCH_MXC despite also being used on
+ARCH_S32, which results in unmet dependencies when compiling strictly
+for ARCH_S32. Resolve this by adding ARCH_S32 as an alternative to
+ARCH_MXC in the driver's dependencies.
+
+Fixes: 5c4f00627c9a ("mmc: sdhci-esdhc-imx: add NXP S32G2 support")
+Cc: stable@bvger.kernel.org
+Signed-off-by: Jared Kangas <jkangas@redhat.com>
+Reviewed-by: Haibo Chen <haibo.chen@nxp.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/Kconfig |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/Kconfig
++++ b/drivers/mmc/host/Kconfig
+@@ -279,14 +279,14 @@ config MMC_SDHCI_ESDHC_MCF
+ config MMC_SDHCI_ESDHC_IMX
+       tristate "SDHCI support for the Freescale eSDHC/uSDHC i.MX controller"
+-      depends on ARCH_MXC || COMPILE_TEST
++      depends on ARCH_MXC || ARCH_S32 || COMPILE_TEST
+       depends on MMC_SDHCI_PLTFM
+       depends on OF
+       select MMC_SDHCI_IO_ACCESSORS
+       select MMC_CQHCI
+       help
+         This selects the Freescale eSDHC/uSDHC controller support
+-        found on i.MX25, i.MX35 i.MX5x and i.MX6x.
++        found on i.MX25, i.MX35, i.MX5x, i.MX6x, and S32G.
+         If you have a controller with this interface, say Y or M here.
diff --git a/queue-6.1/net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch b/queue-6.1/net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch
new file mode 100644 (file)
index 0000000..e8d85f9
--- /dev/null
@@ -0,0 +1,85 @@
+From 188e0fa5a679570ea35474575e724d8211423d17 Mon Sep 17 00:00:00 2001
+From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+Date: Sat, 29 Nov 2025 15:07:18 +0530
+Subject: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
+
+From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+
+commit 188e0fa5a679570ea35474575e724d8211423d17 upstream.
+
+prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std
+but doesn't check if the allocation failed. If __pskb_copy() returns
+NULL, skb_clone() is called with a NULL pointer, causing a crash:
+
+Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI
+KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
+CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041
+Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c
+RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207
+RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480
+RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000
+RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee
+R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000
+R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00
+FS:  0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0
+Call Trace:
+ <TASK>
+ hsr_forward_do net/hsr/hsr_forward.c:-1 [inline]
+ hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741
+ hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84
+ __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966
+ __netif_receive_skb_one_core net/core/dev.c:6077 [inline]
+ __netif_receive_skb+0x72/0x380 net/core/dev.c:6192
+ netif_receive_skb_internal net/core/dev.c:6278 [inline]
+ netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337
+ tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485
+ tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953
+ tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x5c9/0xb30 fs/read_write.c:686
+ ksys_write+0x145/0x250 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f0449f8e1ff
+Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
+RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff
+RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8
+RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000
+R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001
+R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003
+ </TASK>
+
+Add a NULL check immediately after __pskb_copy() to handle allocation
+failures gracefully.
+
+Reported-by: syzbot+2fa344348a579b779e05@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2fa344348a579b779e05
+Fixes: f266a683a480 ("net/hsr: Better frame dispatch")
+Cc: stable@vger.kernel.org
+Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+Reviewed-by: Felix Maurer <fmaurer@redhat.com>
+Tested-by: Felix Maurer <fmaurer@redhat.com>
+Link: https://patch.msgid.link/20251129093718.25320-1-ssrane_b23@ee.vjti.ac.in
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/hsr/hsr_forward.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/hsr/hsr_forward.c
++++ b/net/hsr/hsr_forward.c
+@@ -176,6 +176,8 @@ struct sk_buff *prp_get_untagged_frame(s
+                               __pskb_copy(frame->skb_prp,
+                                           skb_headroom(frame->skb_prp),
+                                           GFP_ATOMIC);
++                      if (!frame->skb_std)
++                              return NULL;
+               } else {
+                       /* Unexpected */
+                       WARN_ONCE(1, "%s:%d: Unexpected frame received (port_src %s)\n",
index d55c39f4883833574ec65e4d8f9538bf02c29276..2b25a8e3a3a4aa005ed768dc204e7151b7fce3eb 100644 (file)
@@ -280,3 +280,14 @@ spi-cadence-quadspi-add-clock-configuration-for-star.patch
 spi-cadence-quadspi-add-missing-clk_disable_unprepar.patch
 spi-cadence-quadspi-fix-clock-disable-on-probe-failu.patch
 block-rnbd-clt-fix-leaked-id-in-init_dev.patch
+ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch
+ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch
+ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch
+hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
+input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
+input-lkkbd-disable-pending-work-before-freeing-device.patch
+input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
+acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch
+spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch
+mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch
+net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch
diff --git a/queue-6.1/spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch b/queue-6.1/spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch
new file mode 100644 (file)
index 0000000..b9995ae
--- /dev/null
@@ -0,0 +1,46 @@
+From 1417927df8049a0194933861e9b098669a95c762 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+Date: Thu, 20 Nov 2025 09:34:49 +0100
+Subject: spi: fsl-cpm: Check length parity before switching to 16 bit mode
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+commit 1417927df8049a0194933861e9b098669a95c762 upstream.
+
+Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers
+with even size") failed to make sure that the size is really even
+before switching to 16 bit mode. Until recently the problem went
+unnoticed because kernfs uses a pre-allocated bounce buffer of size
+PAGE_SIZE for reading EEPROM.
+
+But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API")
+introduced an additional dynamically allocated bounce buffer whose size
+is exactly the size of the transfer, leading to a buffer overrun in
+the fsl-cpm driver when that size is odd.
+
+Add the missing length parity verification and remain in 8 bit mode
+when the length is not even.
+
+Fixes: fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size")
+Cc: stable@vger.kernel.org
+Closes: https://lore.kernel.org/all/638496dd-ec60-4e53-bad7-eb657f67d580@csgroup.eu/
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Reviewed-by: Sverdlin Alexander <alexander.sverdlin@siemens.com>
+Link: https://patch.msgid.link/3c4d81c3923c93f95ec56702a454744a4bad3cfc.1763627618.git.christophe.leroy@csgroup.eu
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-fsl-spi.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-fsl-spi.c
++++ b/drivers/spi/spi-fsl-spi.c
+@@ -352,7 +352,7 @@ static int fsl_spi_prepare_message(struc
+                       if (t->bits_per_word == 16 || t->bits_per_word == 32)
+                               t->bits_per_word = 8; /* pretend its 8 bits */
+                       if (t->bits_per_word == 8 && t->len >= 256 &&
+-                          (mpc8xxx_spi->flags & SPI_CPM1))
++                          !(t->len & 1) && (mpc8xxx_spi->flags & SPI_CPM1))
+                               t->bits_per_word = 16;
+               }
+       }
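Review bot: The added `!(t->len & 1)` test has no comment, and the reason it exists is only in the commit message: 16-bit mode moves two bytes per word, so an odd length runs past a buffer sized exactly to the transfer. I would add `/* 16-bit mode needs an even length; odd transfers stay in 8-bit mode */` above the condition. The line before it rewrites 16- and 32-bit transfers to 8 bits, so those transfers also pass through this parity check. fsl_spi_prepare_message starts and ends outside the hunk.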