6.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 9 Mar 2026 10:39:40 +0000 (11:39 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 9 Mar 2026 10:39:40 +0000 (11:39 +0100)
added patches:
alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch
drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch
drbd-fix-null-pointer-dereference-on-local-read-error.patch
ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch
net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch
nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch
platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch
platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch
rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch
scsi-core-fix-refcount-leak-for-tagset_refcnt.patch
scsi-target-fix-recursive-locking-in-__configfs_open_file.patch
selftests-mptcp-join-check-removing-signal-subflow-endp.patch
selftests-mptcp-more-stable-simult_flows-tests.patch
smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch
smb-client-fix-broken-multichannel-with-krb5-signing.patch
smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch
squashfs-check-metadata-block-offset-is-within-range.patch
tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch
wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch
wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch
wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch
wifi-radiotap-reject-radiotap-with-unknown-bits.patch

23 files changed:
queue-6.12/alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch [new file with mode: 0644]
queue-6.12/drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch [new file with mode: 0644]
queue-6.12/drbd-fix-null-pointer-dereference-on-local-read-error.patch [new file with mode: 0644]
queue-6.12/ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch [new file with mode: 0644]
queue-6.12/net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch [new file with mode: 0644]
queue-6.12/nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch [new file with mode: 0644]
queue-6.12/platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch [new file with mode: 0644]
queue-6.12/platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch [new file with mode: 0644]
queue-6.12/rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch [new file with mode: 0644]
queue-6.12/scsi-core-fix-refcount-leak-for-tagset_refcnt.patch [new file with mode: 0644]
queue-6.12/scsi-target-fix-recursive-locking-in-__configfs_open_file.patch [new file with mode: 0644]
queue-6.12/selftests-mptcp-join-check-removing-signal-subflow-endp.patch [new file with mode: 0644]
queue-6.12/selftests-mptcp-more-stable-simult_flows-tests.patch [new file with mode: 0644]
queue-6.12/series
queue-6.12/smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch [new file with mode: 0644]
queue-6.12/smb-client-fix-broken-multichannel-with-krb5-signing.patch [new file with mode: 0644]
queue-6.12/smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch [new file with mode: 0644]
queue-6.12/squashfs-check-metadata-block-offset-is-within-range.patch [new file with mode: 0644]
queue-6.12/tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch [new file with mode: 0644]
queue-6.12/wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch [new file with mode: 0644]
queue-6.12/wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch [new file with mode: 0644]
queue-6.12/wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch [new file with mode: 0644]
queue-6.12/wifi-radiotap-reject-radiotap-with-unknown-bits.patch [new file with mode: 0644]

diff --git a/queue-6.12/alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch b/queue-6.12/alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch
new file mode 100644 (file)
index 0000000..5e2e168
--- /dev/null
@@ -0,0 +1,43 @@
+From 54f9d645a5453d0bfece0c465d34aaf072ea99fa Mon Sep 17 00:00:00 2001
+From: Jun Seo <jun.seo.93@proton.me>
+Date: Thu, 26 Feb 2026 10:08:20 +0900
+Subject: ALSA: usb-audio: Use correct version for UAC3 header validation
+
+From: Jun Seo <jun.seo.93@proton.me>
+
+commit 54f9d645a5453d0bfece0c465d34aaf072ea99fa upstream.
+
+The entry of the validators table for UAC3 AC header descriptor is
+defined with the wrong protocol version UAC_VERSION_2, while it should
+have been UAC_VERSION_3.  This results in the validator never matching
+for actual UAC3 devices (protocol == UAC_VERSION_3), causing their
+header descriptors to bypass validation entirely.  A malicious USB
+device presenting a truncated UAC3 header could exploit this to cause
+out-of-bounds reads when the driver later accesses unvalidated
+descriptor fields.
+
+The bug was introduced in the same commit as the recently fixed UAC3
+feature unit sub-type typo, and appears to be from the same copy-paste
+error when the UAC3 section was created from the UAC2 section.
+
+Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jun Seo <jun.seo.93@proton.me>
+Link: https://patch.msgid.link/20260226010820.36529-1-jun.seo.93@proton.me
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/validate.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/validate.c
++++ b/sound/usb/validate.c
+@@ -281,7 +281,7 @@ static const struct usb_desc_validator a
+       /* UAC_VERSION_2, UAC2_SAMPLE_RATE_CONVERTER: not implemented yet */
+       /* UAC3 */
+-      FIXED(UAC_VERSION_2, UAC_HEADER, struct uac3_ac_header_descriptor),
++      FIXED(UAC_VERSION_3, UAC_HEADER, struct uac3_ac_header_descriptor),
+       FIXED(UAC_VERSION_3, UAC_INPUT_TERMINAL,
+             struct uac3_input_terminal_descriptor),
+       FIXED(UAC_VERSION_3, UAC_OUTPUT_TERMINAL,
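Review bot: The protocol version is the silent match key of this table, so a comment above the `/* UAC3 */` line would make the next copy-paste error visible instead of letting validation be skipped: `/* version must be UAC_VERSION_3 here: a mismatched version never matches and the descriptor is never validated */`. The corrected `FIXED(UAC_VERSION_3, UAC_HEADER, ...)` entry itself is right; the comment only guards the pattern the commit message says produced this typo and the earlier feature-unit one. The validators table continues outside the hunk, so the remaining UAC3 entries should be checked for the same mistake.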
diff --git a/queue-6.12/drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch b/queue-6.12/drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch
new file mode 100644 (file)
index 0000000..07bb3ae
--- /dev/null
@@ -0,0 +1,161 @@
+From ab140365fb62c0bdab22b2f516aff563b2559e3b Mon Sep 17 00:00:00 2001
+From: Lars Ellenberg <lars.ellenberg@linbit.com>
+Date: Thu, 19 Feb 2026 15:20:12 +0100
+Subject: drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lars Ellenberg <lars.ellenberg@linbit.com>
+
+commit ab140365fb62c0bdab22b2f516aff563b2559e3b upstream.
+
+Even though we check that we "should" be able to do lc_get_cumulative()
+while holding the device->al_lock spinlock, it may still fail,
+if some other code path decided to do lc_try_lock() with bad timing.
+
+If that happened, we logged "LOGIC BUG for enr=...",
+but still did not return an error.
+
+The rest of the code now assumed that this request has references
+for the relevant activity log extents.
+
+The implcations are that during an active resync, mutual exclusivity of
+resync versus application IO is not guaranteed. And a potential crash
+at this point may not realizs that these extents could have been target
+of in-flight IO and would need to be resynced just in case.
+
+Also, once the request completes, it will give up activity log references it
+does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().
+
+Fix:
+
+Do not crash the kernel for a condition that is harmless during normal
+operation: also catch "e->refcnt == 0", not only "e == NULL"
+when being noisy about "al_complete_io() called on inactive extent %u\n".
+
+And do not try to be smart and "guess" whether something will work, then
+be surprised when it does not.
+Deal with the fact that it may or may not work.  If it does not, remember a
+possible "partially in activity log" state (only possible for requests that
+cross extent boundaries), and return an error code from
+drbd_al_begin_io_nonblock().
+
+A latter call for the same request will then resume from where we left off.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
+Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/drbd/drbd_actlog.c   |   53 ++++++++++++++++---------------------
+ drivers/block/drbd/drbd_interval.h |    5 ++-
+ 2 files changed, 27 insertions(+), 31 deletions(-)
+
+--- a/drivers/block/drbd/drbd_actlog.c
++++ b/drivers/block/drbd/drbd_actlog.c
+@@ -483,38 +483,20 @@ void drbd_al_begin_io(struct drbd_device
+ int drbd_al_begin_io_nonblock(struct drbd_device *device, struct drbd_interval *i)
+ {
+-      struct lru_cache *al = device->act_log;
+       /* for bios crossing activity log extent boundaries,
+        * we may need to activate two extents in one go */
+       unsigned first = i->sector >> (AL_EXTENT_SHIFT-9);
+       unsigned last = i->size == 0 ? first : (i->sector + (i->size >> 9) - 1) >> (AL_EXTENT_SHIFT-9);
+-      unsigned nr_al_extents;
+-      unsigned available_update_slots;
+       unsigned enr;
+-      D_ASSERT(device, first <= last);
+-
+-      nr_al_extents = 1 + last - first; /* worst case: all touched extends are cold. */
+-      available_update_slots = min(al->nr_elements - al->used,
+-                              al->max_pending_changes - al->pending_changes);
+-
+-      /* We want all necessary updates for a given request within the same transaction
+-       * We could first check how many updates are *actually* needed,
+-       * and use that instead of the worst-case nr_al_extents */
+-      if (available_update_slots < nr_al_extents) {
+-              /* Too many activity log extents are currently "hot".
+-               *
+-               * If we have accumulated pending changes already,
+-               * we made progress.
+-               *
+-               * If we cannot get even a single pending change through,
+-               * stop the fast path until we made some progress,
+-               * or requests to "cold" extents could be starved. */
+-              if (!al->pending_changes)
+-                      __set_bit(__LC_STARVING, &device->act_log->flags);
+-              return -ENOBUFS;
++      if (i->partially_in_al_next_enr) {
++              D_ASSERT(device, first < i->partially_in_al_next_enr);
++              D_ASSERT(device, last >= i->partially_in_al_next_enr);
++              first = i->partially_in_al_next_enr;
+       }
++      D_ASSERT(device, first <= last);
++
+       /* Is resync active in this area? */
+       for (enr = first; enr <= last; enr++) {
+               struct lc_element *tmp;
+@@ -529,14 +511,21 @@ int drbd_al_begin_io_nonblock(struct drb
+               }
+       }
+-      /* Checkout the refcounts.
+-       * Given that we checked for available elements and update slots above,
+-       * this has to be successful. */
++      /* Try to checkout the refcounts. */
+       for (enr = first; enr <= last; enr++) {
+               struct lc_element *al_ext;
+               al_ext = lc_get_cumulative(device->act_log, enr);
+-              if (!al_ext)
+-                      drbd_info(device, "LOGIC BUG for enr=%u\n", enr);
++
++              if (!al_ext) {
++                      /* Did not work. We may have exhausted the possible
++                       * changes per transaction. Or raced with someone
++                       * "locking" it against changes.
++                       * Remember where to continue from.
++                       */
++                      if (enr > first)
++                              i->partially_in_al_next_enr = enr;
++                      return -ENOBUFS;
++              }
+       }
+       return 0;
+ }
+@@ -556,7 +545,11 @@ void drbd_al_complete_io(struct drbd_dev
+       for (enr = first; enr <= last; enr++) {
+               extent = lc_find(device->act_log, enr);
+-              if (!extent) {
++              /* Yes, this masks a bug elsewhere.  However, during normal
++               * operation this is harmless, so no need to crash the kernel
++               * by the BUG_ON(refcount == 0) in lc_put().
++               */
++              if (!extent || extent->refcnt == 0) {
+                       drbd_err(device, "al_complete_io() called on inactive extent %u\n", enr);
+                       continue;
+               }
+--- a/drivers/block/drbd/drbd_interval.h
++++ b/drivers/block/drbd/drbd_interval.h
+@@ -8,12 +8,15 @@
+ struct drbd_interval {
+       struct rb_node rb;
+       sector_t sector;                /* start sector of the interval */
+-      unsigned int size;              /* size in bytes */
+       sector_t end;                   /* highest interval end in subtree */
++      unsigned int size;              /* size in bytes */
+       unsigned int local:1            /* local or remote request? */;
+       unsigned int waiting:1;         /* someone is waiting for completion */
+       unsigned int completed:1;       /* this has been completed already;
+                                        * ignore for conflict detection */
++
++      /* to resume a partially successful drbd_al_begin_io_nonblock(); */
++      unsigned int partially_in_al_next_enr;
+ };
+ static inline void drbd_clear_interval(struct drbd_interval *i)
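Review bot: The new resume field `partially_in_al_next_enr` treats 0 as "not set", and nothing in the hunk shows where it is reset: the success path `return 0;` after the checkout loop leaves the value behind if the same struct drbd_interval is reused, and drbd_clear_interval() in drbd_interval.h is cut off at the hunk edge. If intervals are not zeroed per request, a later drbd_al_begin_io_nonblock() call would start from the stale enr and skip the leading extents; confirm the initialisation, or clear it explicitly with `i->partially_in_al_next_enr = 0;` before `return 0;`. The old starvation guard `__set_bit(__LC_STARVING, ...)` is dropped with no replacement visible here; as far as I recall lc_get_cumulative() sets that flag itself when it fails, which would justify the removal, but that should be confirmed in lru_cache.c. drbd_al_begin_io_nonblock() is split across two hunks and the resync-active loop between them is partly outside the hunk.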
diff --git a/queue-6.12/drbd-fix-null-pointer-dereference-on-local-read-error.patch b/queue-6.12/drbd-fix-null-pointer-dereference-on-local-read-error.patch
new file mode 100644 (file)
index 0000000..ff7ca31
--- /dev/null
@@ -0,0 +1,47 @@
+From 0d195d3b205ca90db30d70d09d7bb6909aac178f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christoph=20B=C3=B6hmwalder?=
+ <christoph.boehmwalder@linbit.com>
+Date: Fri, 20 Feb 2026 12:39:37 +0100
+Subject: drbd: fix null-pointer dereference on local read error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
+
+commit 0d195d3b205ca90db30d70d09d7bb6909aac178f upstream.
+
+In drbd_request_endio(), READ_COMPLETED_WITH_ERROR is passed to
+__req_mod() with a NULL peer_device:
+
+  __req_mod(req, what, NULL, &m);
+
+The READ_COMPLETED_WITH_ERROR handler then unconditionally passes this
+NULL peer_device to drbd_set_out_of_sync(), which dereferences it,
+causing a null-pointer dereference.
+
+Fix this by obtaining the peer_device via first_peer_device(device),
+matching how drbd_req_destroy() handles the same situation.
+
+Cc: stable@vger.kernel.org
+Reported-by: Tuo Li <islituo@gmail.com>
+Link: https://lore.kernel.org/linux-block/20260104165355.151864-1-islituo@gmail.com
+Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/drbd/drbd_req.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/drbd/drbd_req.c
++++ b/drivers/block/drbd/drbd_req.c
+@@ -621,7 +621,8 @@ int __req_mod(struct drbd_request *req,
+               break;
+       case READ_COMPLETED_WITH_ERROR:
+-              drbd_set_out_of_sync(peer_device, req->i.sector, req->i.size);
++              drbd_set_out_of_sync(first_peer_device(device),
++                              req->i.sector, req->i.size);
+               drbd_report_io_error(device, req);
+               __drbd_chk_io_error(device, DRBD_READ_ERROR);
+               fallthrough;
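Review bot: `first_peer_device(device)` is, as far as I recall, a list_first_entry_or_null() lookup and can itself return NULL for a device without a peer, so the fix relies either on drbd_set_out_of_sync() tolerating NULL or on the single-peer invariant holding at read completion; neither is visible in the hunk. A short comment would make that assumption explicit for the next reader: `/* local read error: no peer_device on this path, charge the (only) configured peer */`. __req_mod() starts and continues outside the hunk.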
diff --git a/queue-6.12/ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch b/queue-6.12/ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch
new file mode 100644 (file)
index 0000000..1060565
--- /dev/null
@@ -0,0 +1,49 @@
+From 117942ca43e2e3c3d121faae530989931b7f67e1 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Mon, 16 Feb 2026 11:02:48 -0400
+Subject: IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit 117942ca43e2e3c3d121faae530989931b7f67e1 upstream.
+
+Fix a user triggerable leak on the system call failure path.
+
+Cc: stable@vger.kernel.org
+Fixes: ec34a922d243 ("[PATCH] IB/mthca: Add SRQ implementation")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://patch.msgid.link/2-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mthca/mthca_provider.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/mthca/mthca_provider.c
++++ b/drivers/infiniband/hw/mthca/mthca_provider.c
+@@ -428,6 +428,8 @@ static int mthca_create_srq(struct ib_sr
+       if (context && ib_copy_to_udata(udata, &srq->srqn, sizeof(__u32))) {
+               mthca_free_srq(to_mdev(ibsrq->device), srq);
++              mthca_unmap_user_db(to_mdev(ibsrq->device), &context->uar,
++                                  context->db_tab, ucmd.db_index);
+               return -EFAULT;
+       }
+@@ -436,6 +438,7 @@ static int mthca_create_srq(struct ib_sr
+ static int mthca_destroy_srq(struct ib_srq *srq, struct ib_udata *udata)
+ {
++      mthca_free_srq(to_mdev(srq->device), to_msrq(srq));
+       if (udata) {
+               struct mthca_ucontext *context =
+                       rdma_udata_to_drv_context(
+@@ -446,8 +449,6 @@ static int mthca_destroy_srq(struct ib_s
+               mthca_unmap_user_db(to_mdev(srq->device), &context->uar,
+                                   context->db_tab, to_msrq(srq)->db_index);
+       }
+-
+-      mthca_free_srq(to_mdev(srq->device), to_msrq(srq));
+       return 0;
+ }
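Review bot: The error path added after `ib_copy_to_udata()` frees the SRQ and then unmaps the user doorbell, matching the reordered mthca_destroy_srq() below, but the hunk only covers the copy-to-user failure; any earlier failure after the user doorbell is mapped in mthca_create_srq() (the SRQ allocation failure, for instance) is outside the hunk and should be checked for the same unmap. The create path unmaps with `ucmd.db_index` while destroy uses `to_msrq(srq)->db_index`; a one-line comment that these are the same index would help: `/* same db_index that mthca_destroy_srq() unmaps via to_msrq(srq) */`. Both functions extend outside the hunk.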
diff --git a/queue-6.12/net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch b/queue-6.12/net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch
new file mode 100644 (file)
index 0000000..68a99b8
--- /dev/null
@@ -0,0 +1,115 @@
+From e35626f610f3d2b7953ccddf6a77453da22b3a9e Mon Sep 17 00:00:00 2001
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Tue, 24 Feb 2026 21:28:32 +0100
+Subject: net/sched: ets: fix divide by zero in the offload path
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+commit e35626f610f3d2b7953ccddf6a77453da22b3a9e upstream.
+
+Offloading ETS requires computing each class' WRR weight: this is done by
+averaging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsigned
+int, the same integer size as the individual DRR quanta, can overflow and
+even cause division by zero, like it happened in the following splat:
+
+ Oops: divide error: 0000 [#1] SMP PTI
+ CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G            E       6.19.0-virtme #45 PREEMPT(full)
+ Tainted: [E]=UNSIGNED_MODULE
+ Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+ RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]
+ Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44
+ RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246
+ RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660
+ RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe
+ R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe
+ R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000
+ FS:  00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0
+ Call Trace:
+  <TASK>
+  ets_qdisc_change+0x870/0xf40 [sch_ets]
+  qdisc_create+0x12b/0x540
+  tc_modify_qdisc+0x6d7/0xbd0
+  rtnetlink_rcv_msg+0x168/0x6b0
+  netlink_rcv_skb+0x5c/0x110
+  netlink_unicast+0x1d6/0x2b0
+  netlink_sendmsg+0x22e/0x470
+  ____sys_sendmsg+0x38a/0x3c0
+  ___sys_sendmsg+0x99/0xe0
+  __sys_sendmsg+0x8a/0xf0
+  do_syscall_64+0x111/0xf80
+  entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ RIP: 0033:0x7f440b81c77e
+ Code: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa
+ RSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e
+ RDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003
+ RBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8
+ R13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980
+  </TASK>
+ Modules linked in: sch_ets(E) netdevsim(E)
+ ---[ end trace 0000000000000000 ]---
+ RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]
+ Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44
+ RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246
+ RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660
+ RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe
+ R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe
+ R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000
+ FS:  00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0
+ Kernel panic - not syncing: Fatal exception
+ Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+ ---[ end Kernel panic - not syncing: Fatal exception ]---
+
+Fix this using 64-bit integers for 'q_sum' and 'q_psum'.
+
+Cc: stable@vger.kernel.org
+Fixes: d35eb52bd2ac ("net: sch_ets: Make the ETS qdisc offloadable")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Link: https://patch.msgid.link/28504887df314588c7255e9911769c36f751edee.1771964872.git.dcaratti@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_ets.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/sched/sch_ets.c
++++ b/net/sched/sch_ets.c
+@@ -115,12 +115,12 @@ static void ets_offload_change(struct Qd
+       struct ets_sched *q = qdisc_priv(sch);
+       struct tc_ets_qopt_offload qopt;
+       unsigned int w_psum_prev = 0;
+-      unsigned int q_psum = 0;
+-      unsigned int q_sum = 0;
+       unsigned int quantum;
+       unsigned int w_psum;
+       unsigned int weight;
+       unsigned int i;
++      u64 q_psum = 0;
++      u64 q_sum = 0;
+       if (!tc_can_offload(dev) || !dev->netdev_ops->ndo_setup_tc)
+               return;
+@@ -138,8 +138,12 @@ static void ets_offload_change(struct Qd
+       for (i = 0; i < q->nbands; i++) {
+               quantum = q->classes[i].quantum;
+-              q_psum += quantum;
+-              w_psum = quantum ? q_psum * 100 / q_sum : 0;
++              if (quantum) {
++                      q_psum += quantum;
++                      w_psum = div64_u64(q_psum * 100, q_sum);
++              } else {
++                      w_psum = 0;
++              }
+               weight = w_psum - w_psum_prev;
+               w_psum_prev = w_psum;
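Review bot: `w_psum = div64_u64(q_psum * 100, q_sum);` narrows a u64 quotient into the `unsigned int w_psum` without comment; this is safe only because q_psum never exceeds q_sum (both accumulate the same quanta), so the quotient is at most 100. A comment stating that invariant would keep a later change from reintroducing a truncation: `/* q_psum <= q_sum, so the quotient is <= 100 and fits w_psum */`. The loop that accumulates q_sum is outside the hunk; it must use the u64 declared at the top, otherwise the overflow merely moves there. ets_offload_change() continues outside the hunk.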
diff --git a/queue-6.12/nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch b/queue-6.12/nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch
new file mode 100644 (file)
index 0000000..27ddd3a
--- /dev/null
@@ -0,0 +1,73 @@
+From 1cb968a2013ffa8112d52ebe605009ea1c6a582c Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@google.com>
+Date: Sat, 24 Jan 2026 04:18:40 +0000
+Subject: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+commit 1cb968a2013ffa8112d52ebe605009ea1c6a582c upstream.
+
+syzbot reported memory leak of struct cred. [0]
+
+nfsd_nl_threads_set_doit() passes get_current_cred() to
+nfsd_svc(), but put_cred() is not called after that.
+
+The cred is finally passed down to _svc_xprt_create(),
+which calls get_cred() with the cred for struct svc_xprt.
+
+The ownership of the refcount by get_current_cred() is not
+transferred to anywhere and is just leaked.
+
+nfsd_svc() is also called from write_threads(), but it does
+not bump file->f_cred there.
+
+nfsd_nl_threads_set_doit() is called from sendmsg() and
+current->cred does not go away.
+
+Let's use current_cred() in nfsd_nl_threads_set_doit().
+
+[0]:
+BUG: memory leak
+unreferenced object 0xffff888108b89480 (size 184):
+  comm "syz-executor", pid 5994, jiffies 4294943386
+  hex dump (first 32 bytes):
+    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace (crc 369454a7):
+    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+    slab_post_alloc_hook mm/slub.c:4958 [inline]
+    slab_alloc_node mm/slub.c:5263 [inline]
+    kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270
+    prepare_creds+0x22/0x600 kernel/cred.c:185
+    copy_creds+0x44/0x290 kernel/cred.c:286
+    copy_process+0x7a7/0x2870 kernel/fork.c:2086
+    kernel_clone+0xac/0x6e0 kernel/fork.c:2651
+    __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
+    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 924f4fb003ba ("NFSD: convert write_threads to netlink command")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+dd3b43aa0204089217ee@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69744674.a00a0220.33ccc7.0000.GAE@google.com/
+Tested-by: syzbot+dd3b43aa0204089217ee@syzkaller.appspotmail.com
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfsctl.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1724,7 +1724,7 @@ int nfsd_nl_threads_set_doit(struct sk_b
+                       scope = nla_data(attr);
+       }
+-      ret = nfsd_svc(nrpools, nthreads, net, get_current_cred(), scope);
++      ret = nfsd_svc(nrpools, nthreads, net, current_cred(), scope);
+       if (ret > 0)
+               ret = 0;
+ out_unlock:
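Review bot: The switch to `current_cred()` hands nfsd_svc() a borrowed reference with nothing in the code saying who pins it; the commit message explains that _svc_xprt_create() takes its own get_cred(), but that is several layers down and invisible here. A one-line comment on the call would preserve that reasoning: `/* borrowed ref: the transport takes its own reference to the cred */`. nfsd_nl_threads_set_doit() starts outside the hunk.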
diff --git a/queue-6.12/platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch b/queue-6.12/platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch
new file mode 100644 (file)
index 0000000..c79bf63
--- /dev/null
@@ -0,0 +1,42 @@
+From 26a7601471f62b95d56a81c3a8ccb551b5a6630f Mon Sep 17 00:00:00 2001
+From: Kurt Borja <kuurtb@gmail.com>
+Date: Sat, 7 Feb 2026 12:16:34 -0500
+Subject: platform/x86: dell-wmi: Add audio/mic mute key codes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+commit 26a7601471f62b95d56a81c3a8ccb551b5a6630f upstream.
+
+Add audio/mic mute key codes found in Alienware m18 r1 AMD.
+
+Cc: stable@vger.kernel.org
+Tested-by: Olexa Bilaniuk <obilaniu@gmail.com>
+Suggested-by: Olexa Bilaniuk <obilaniu@gmail.com>
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Acked-by: Pali Rohár <pali@kernel.org>
+Link: https://patch.msgid.link/20260207-mute-keys-v2-1-c55e5471c9c1@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/dell/dell-wmi-base.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/platform/x86/dell/dell-wmi-base.c
++++ b/drivers/platform/x86/dell/dell-wmi-base.c
+@@ -80,6 +80,12 @@ static const struct dmi_system_id dell_w
+ static const struct key_entry dell_wmi_keymap_type_0000[] = {
+       { KE_IGNORE, 0x003a, { KEY_CAPSLOCK } },
++      /* Audio mute toggle */
++      { KE_KEY,    0x0109, { KEY_MUTE } },
++
++      /* Mic mute toggle */
++      { KE_KEY,    0x0150, { KEY_MICMUTE } },
++
+       /* Meta key lock */
+       { KE_IGNORE, 0xe000, { KEY_RIGHTMETA } },
diff --git a/queue-6.12/platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch b/queue-6.12/platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch
new file mode 100644 (file)
index 0000000..6defa6a
--- /dev/null
@@ -0,0 +1,37 @@
+From d1a196e0a6dcddd03748468a0e9e3100790fc85c Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Tue, 3 Mar 2026 12:30:51 +0100
+Subject: platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit d1a196e0a6dcddd03748468a0e9e3100790fc85c upstream.
+
+set_new_password() hex dumps the entire buffer, which contains plaintext
+password data, including current and new passwords. Remove the hex dump
+to avoid leaking credentials.
+
+Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Link: https://patch.msgid.link/20260303113050.58127-2-thorsten.blum@linux.dev
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c
+@@ -93,7 +93,6 @@ int set_new_password(const char *passwor
+       if (ret < 0)
+               goto out;
+-      print_hex_dump_bytes("set new password data: ", DUMP_PREFIX_NONE, buffer, buffer_size);
+       ret = call_password_interface(wmi_priv.password_attr_wdev, buffer, buffer_size);
+       /* on success copy the new password to current password */
+       if (!ret)
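Review bot: Removing the hex dump stops the passwords from reaching the kernel log, but `buffer` still holds the current and new passwords in plaintext after `call_password_interface()`, and the hunk does not show it being scrubbed before it is released at `out:`. Unless the cleanup path already does so, consider `memzero_explicit(buffer, buffer_size);` before the buffer is freed, since a plain memset before free may be optimised away. set_new_password() continues outside the hunk, including the copy into the current-password storage.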
diff --git a/queue-6.12/rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch b/queue-6.12/rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch
new file mode 100644 (file)
index 0000000..9454156
--- /dev/null
@@ -0,0 +1,39 @@
+From 74586c6da9ea222a61c98394f2fc0a604748438c Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Mon, 16 Feb 2026 11:02:49 -0400
+Subject: RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit 74586c6da9ea222a61c98394f2fc0a604748438c upstream.
+
+struct irdma_create_ah_resp {  // 8 bytes, no padding
+    __u32 ah_id;               // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx)
+    __u8  rsvd[4];             // offset 4 - NEVER SET <- LEAK
+};
+
+rsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().
+
+The reserved members of the structure were not zeroed.
+
+Cc: stable@vger.kernel.org
+Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://patch.msgid.link/3-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/irdma/verbs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -4589,7 +4589,7 @@ static int irdma_create_user_ah(struct i
+ #define IRDMA_CREATE_AH_MIN_RESP_LEN offsetofend(struct irdma_create_ah_resp, rsvd)
+       struct irdma_ah *ah = container_of(ibah, struct irdma_ah, ibah);
+       struct irdma_device *iwdev = to_iwdev(ibah->pd->device);
+-      struct irdma_create_ah_resp uresp;
++      struct irdma_create_ah_resp uresp = {};
+       struct irdma_ah *parent_ah;
+       int err;
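Review bot: `struct irdma_create_ah_resp uresp = {};` zeroes the named members but, strictly by the C standard, not necessarily padding bytes; the commit message states the struct has no padding, so it suffices here. A short comment would record that dependency so a future member addition does not reopen the leak: `/* zero-init: rsvd[] is copied to user space; the struct has no padding */`. A memset() would be the safer choice if the layout ever gains padding. irdma_create_user_ah() continues outside the hunk.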
diff --git a/queue-6.12/scsi-core-fix-refcount-leak-for-tagset_refcnt.patch b/queue-6.12/scsi-core-fix-refcount-leak-for-tagset_refcnt.patch
new file mode 100644 (file)
index 0000000..5cceaeb
--- /dev/null
@@ -0,0 +1,48 @@
+From 1ac22c8eae81366101597d48360718dff9b9d980 Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Mon, 23 Feb 2026 15:27:28 -0800
+Subject: scsi: core: Fix refcount leak for tagset_refcnt
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit 1ac22c8eae81366101597d48360718dff9b9d980 upstream.
+
+This leak will cause a hang when tearing down the SCSI host. For example,
+iscsid hangs with the following call trace:
+
+[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured
+
+PID: 2528     TASK: ffff9d0408974e00  CPU: 3    COMMAND: "iscsid"
+ #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4
+ #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f
+ #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0
+ #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f
+ #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b
+ #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]
+ #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]
+ #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]
+ #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6
+ #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef
+
+Fixes: 8fe4ce5836e9 ("scsi: core: Fix a use-after-free")
+Cc: stable@vger.kernel.org
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20260223232728.93350-1-junxiao.bi@oracle.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_scan.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/scsi_scan.c
++++ b/drivers/scsi/scsi_scan.c
+@@ -354,6 +354,7 @@ static struct scsi_device *scsi_alloc_sd
+        * since we use this queue depth most of times.
+        */
+       if (scsi_realloc_sdev_budget_map(sdev, depth)) {
++              kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags);
+               put_device(&starget->dev);
+               kfree(sdev);
+               goto out;
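Review bot: The new `kref_put()` balances a `kref_get()` on `tagset_refcnt` that is not visible in the hunk, and only the `scsi_realloc_sdev_budget_map()` failure is covered here; if `scsi_alloc_sdev()` has other exits between the get and the successful return (outside the hunk), they need the same drop or the hang described in the commit message remains reachable. A short comment on the new line would make the pairing auditable: `/* drop the tagset_refcnt reference taken for this sdev above */`. The enclosing function starts and ends outside the hunk.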
diff --git a/queue-6.12/scsi-target-fix-recursive-locking-in-__configfs_open_file.patch b/queue-6.12/scsi-target-fix-recursive-locking-in-__configfs_open_file.patch
new file mode 100644 (file)
index 0000000..91c1d9b
--- /dev/null
@@ -0,0 +1,92 @@
+From 14d4ac19d1895397532eec407433c5d74d9da53b Mon Sep 17 00:00:00 2001
+From: Prithvi Tambewagh <activprithvi@gmail.com>
+Date: Mon, 16 Feb 2026 11:50:02 +0530
+Subject: scsi: target: Fix recursive locking in __configfs_open_file()
+
+From: Prithvi Tambewagh <activprithvi@gmail.com>
+
+commit 14d4ac19d1895397532eec407433c5d74d9da53b upstream.
+
+In flush_write_buffer, &p->frag_sem is acquired and then the loaded store
+function is called, which, here, is target_core_item_dbroot_store().  This
+function called filp_open(), following which these functions were called
+(in reverse order), according to the call trace:
+
+  down_read
+  __configfs_open_file
+  do_dentry_open
+  vfs_open
+  do_open
+  path_openat
+  do_filp_open
+  file_open_name
+  filp_open
+  target_core_item_dbroot_store
+  flush_write_buffer
+  configfs_write_iter
+
+target_core_item_dbroot_store() tries to validate the new file path by
+trying to open the file path provided to it; however, in this case, the bug
+report shows:
+
+db_root: not a directory: /sys/kernel/config/target/dbroot
+
+indicating that the same configfs file was tried to be opened, on which it
+is currently working on. Thus, it is trying to acquire frag_sem semaphore
+of the same file of which it already holds the semaphore obtained in
+flush_write_buffer(), leading to acquiring the semaphore in a nested manner
+and a possibility of recursive locking.
+
+Fix this by modifying target_core_item_dbroot_store() to use kern_path()
+instead of filp_open() to avoid opening the file using filesystem-specific
+function __configfs_open_file(), and further modifying it to make this fix
+compatible.
+
+Reported-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=f6e8174215573a84b797
+Tested-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Prithvi Tambewagh <activprithvi@gmail.com>
+Reviewed-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
+Link: https://patch.msgid.link/20260216062002.61937-1-activprithvi@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_configfs.c |   15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+--- a/drivers/target/target_core_configfs.c
++++ b/drivers/target/target_core_configfs.c
+@@ -108,8 +108,8 @@ static ssize_t target_core_item_dbroot_s
+                                       const char *page, size_t count)
+ {
+       ssize_t read_bytes;
+-      struct file *fp;
+       ssize_t r = -EINVAL;
++      struct path path = {};
+       mutex_lock(&target_devices_lock);
+       if (target_devices) {
+@@ -131,17 +131,14 @@ static ssize_t target_core_item_dbroot_s
+               db_root_stage[read_bytes - 1] = '\0';
+       /* validate new db root before accepting it */
+-      fp = filp_open(db_root_stage, O_RDONLY, 0);
+-      if (IS_ERR(fp)) {
++      r = kern_path(db_root_stage, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path);
++      if (r) {
+               pr_err("db_root: cannot open: %s\n", db_root_stage);
++              if (r == -ENOTDIR)
++                      pr_err("db_root: not a directory: %s\n", db_root_stage);
+               goto unlock;
+       }
+-      if (!S_ISDIR(file_inode(fp)->i_mode)) {
+-              filp_close(fp, NULL);
+-              pr_err("db_root: not a directory: %s\n", db_root_stage);
+-              goto unlock;
+-      }
+-      filp_close(fp, NULL);
++      path_put(&path);
+       strncpy(db_root, db_root_stage, read_bytes);
+       pr_debug("Target_Core_ConfigFS: db_root set to %s\n", db_root);
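Review bot: `r` now carries the `kern_path()` return code, so on the success path it is 0 rather than the previous `-EINVAL` placeholder; the remainder of `target_core_item_dbroot_store()` is outside the hunk, so confirm that `r` is assigned the consumed byte count before `unlock`, otherwise a successful store would report 0 bytes written to the caller. On `-ENOTDIR` both messages are now printed, `db_root: cannot open` followed by `db_root: not a directory`, because the second `pr_err` is not in an `else`; if one message per failure is intended, `if (r == -ENOTDIR) pr_err("db_root: not a directory: %s\n", db_root_stage); else pr_err("db_root: cannot open: %s\n", db_root_stage);` keeps the old one-message behaviour.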
diff --git a/queue-6.12/selftests-mptcp-join-check-removing-signal-subflow-endp.patch b/queue-6.12/selftests-mptcp-join-check-removing-signal-subflow-endp.patch
new file mode 100644 (file)
index 0000000..c94ab4d
--- /dev/null
@@ -0,0 +1,57 @@
+From 1777f349ff41b62dfe27454b69c27b0bc99ffca5 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Tue, 3 Mar 2026 11:56:06 +0100
+Subject: selftests: mptcp: join: check removing signal+subflow endp
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 1777f349ff41b62dfe27454b69c27b0bc99ffca5 upstream.
+
+This validates the previous commit: endpoints with both the signal and
+subflow flags should always be marked as used even if it was not
+possible to create new subflows due to the MPTCP PM limits.
+
+For this test, an extra endpoint is created with both the signal and the
+subflow flags, and limits are set not to create extra subflows. In this
+case, an ADD_ADDR is sent, but no subflows are created. Still, the local
+endpoint is marked as used, and no warning is fired when removing the
+endpoint, after having sent a RM_ADDR.
+
+The 'Fixes' tag here below is the same as the one from the previous
+commit: this patch here is not fixing anything wrong in the selftests,
+but it validates the previous fix for an issue introduced by this commit
+ID.
+
+Fixes: 85df533a787b ("mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-5-4b5462b6f016@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -2384,6 +2384,19 @@ remove_tests()
+               chk_rst_nr 0 0
+       fi
++      # signal+subflow with limits, remove
++      if reset "remove signal+subflow with limits"; then
++              pm_nl_set_limits $ns1 0 0
++              pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,subflow
++              pm_nl_set_limits $ns2 0 0
++              addr_nr_ns1=-1 speed=slow \
++                      run_tests $ns1 $ns2 10.0.1.1
++              chk_join_nr 0 0 0
++              chk_add_nr 1 1
++              chk_rm_nr 1 0 invert
++              chk_rst_nr 0 0
++      fi
++
+       # addresses remove
+       if reset "remove addresses"; then
+               pm_nl_set_limits $ns1 3 3
diff --git a/queue-6.12/selftests-mptcp-more-stable-simult_flows-tests.patch b/queue-6.12/selftests-mptcp-more-stable-simult_flows-tests.patch
new file mode 100644 (file)
index 0000000..8e781c3
--- /dev/null
@@ -0,0 +1,60 @@
+From 8c09412e584d9bcc0e71d758ec1008d1c8d1a326 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 3 Mar 2026 11:56:02 +0100
+Subject: selftests: mptcp: more stable simult_flows tests
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 8c09412e584d9bcc0e71d758ec1008d1c8d1a326 upstream.
+
+By default, the netem qdisc can keep up to 1000 packets under its belly
+to deal with the configured rate and delay. The simult flows test-case
+simulates very low speed links, to avoid problems due to slow CPUs and
+the TCP stack tend to transmit at a slightly higher rate than the
+(virtual) link constraints.
+
+All the above causes a relatively large amount of packets being enqueued
+in the netem qdiscs - the longer the transfer, the longer the queue -
+producing increasingly high TCP RTT samples and consequently increasingly
+larger receive buffer size due to DRS.
+
+When the receive buffer size becomes considerably larger than the needed
+size, the tests results can flake, i.e. because minimal inaccuracy in the
+pacing rate can lead to a single subflow usage towards the end of the
+connection for a considerable amount of data.
+
+Address the issue explicitly setting netem limits suitable for the
+configured link speeds and unflake all the affected tests.
+
+Fixes: 1a418cb8e888 ("mptcp: simult flow self-tests")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-1-4b5462b6f016@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/simult_flows.sh |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/simult_flows.sh
++++ b/tools/testing/selftests/net/mptcp/simult_flows.sh
+@@ -226,10 +226,13 @@ run_test()
+       for dev in ns2eth1 ns2eth2; do
+               tc -n $ns2 qdisc del dev $dev root >/dev/null 2>&1
+       done
+-      tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1
+-      tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2
+-      tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1
+-      tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2
++
++      # keep the queued pkts number low, or the RTT estimator will see
++      # increasing latency over time.
++      tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1 limit 50
++      tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2 limit 50
++      tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1 limit 50
++      tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2 limit 50
+       # time is measured in ms, account for transfer size, aggregated link speed
+       # and header overhead (10%)
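Review bot: The netem queue length `50` is repeated on all four `tc ... netem` lines, and the new comment explains why a small queue is needed but not how 50 relates to `rate1`/`rate2` and the delays. Naming it once near the rate variables, e.g. `netem_limit=50` and `... $delay1 limit $netem_limit`, keeps the four qdiscs in step if the value is retuned later and gives the comment a single place to state the derivation. `run_test()` continues outside the hunk.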
index 2683bb322a6483234560037ead2c70e390ec388f..c28bf3f3cdfaf0bd3d6c857e824c91dded2c4158 100644 (file)
@@ -145,3 +145,25 @@ can-usb-f81604-handle-short-interrupt-urb-messages-properly.patch
 can-usb-f81604-handle-bulk-write-errors-properly.patch
 hid-add-hid_claimed_input-guards-in-raw_event-callbacks-missing-them.patch
 x86-efi-defer-freeing-of-boot-services-memory.patch
+platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch
+platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch
+alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch
+wifi-radiotap-reject-radiotap-with-unknown-bits.patch
+wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch
+wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch
+wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch
+ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch
+rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch
+net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch
+nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch
+tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch
+scsi-target-fix-recursive-locking-in-__configfs_open_file.patch
+squashfs-check-metadata-block-offset-is-within-range.patch
+drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch
+drbd-fix-null-pointer-dereference-on-local-read-error.patch
+smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch
+smb-client-fix-broken-multichannel-with-krb5-signing.patch
+smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch
+scsi-core-fix-refcount-leak-for-tagset_refcnt.patch
+selftests-mptcp-more-stable-simult_flows-tests.patch
+selftests-mptcp-join-check-removing-signal-subflow-endp.patch
diff --git a/queue-6.12/smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch b/queue-6.12/smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch
new file mode 100644 (file)
index 0000000..acc20ca
--- /dev/null
@@ -0,0 +1,33 @@
+From 2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Thu, 26 Feb 2026 22:28:45 +0100
+Subject: smb: client: Don't log plaintext credentials in cifs_set_cifscreds
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit 2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d upstream.
+
+When debug logging is enabled, cifs_set_cifscreds() logs the key
+payload and exposes the plaintext username and password. Remove the
+debug log to avoid exposing credentials.
+
+Fixes: 8a8798a5ff90 ("cifs: fetch credentials out of keyring for non-krb5 auth multiuser mounts")
+Cc: stable@vger.kernel.org
+Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/connect.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -2197,7 +2197,6 @@ cifs_set_cifscreds(struct smb3_fs_contex
+       /* find first : in payload */
+       payload = upayload->data;
+       delim = strnchr(payload, upayload->datalen, ':');
+-      cifs_dbg(FYI, "payload=%s\n", payload);
+       if (!delim) {
+               cifs_dbg(FYI, "Unable to find ':' in payload (datalen=%d)\n",
+                        upayload->datalen);
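Review bot: The deleted `cifs_dbg(FYI, "payload=%s\n", payload)` was the only line in the hunk touching the secret, and nothing now marks `payload` as sensitive, so a future debugging change could reintroduce a dump of the plaintext `user:password` key payload described in the commit message. A comment where `payload` is taken from the key would record the constraint: `/* payload holds plaintext credentials; never log it */`. The remaining `cifs_dbg(FYI, "Unable to find ':' in payload (datalen=%d)\n", ...)` logs only the length, which is fine. `cifs_set_cifscreds()` starts and ends outside the hunk.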
diff --git a/queue-6.12/smb-client-fix-broken-multichannel-with-krb5-signing.patch b/queue-6.12/smb-client-fix-broken-multichannel-with-krb5-signing.patch
new file mode 100644 (file)
index 0000000..6b8af32
--- /dev/null
@@ -0,0 +1,76 @@
+From d9d1e319b39ea685ede59319002d567c159d23c3 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@manguebit.org>
+Date: Wed, 25 Feb 2026 21:34:55 -0300
+Subject: smb: client: fix broken multichannel with krb5+signing
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+commit d9d1e319b39ea685ede59319002d567c159d23c3 upstream.
+
+When mounting a share with 'multichannel,max_channels=n,sec=krb5i',
+the client was duplicating signing key for all secondary channels,
+thus making the server fail all commands sent from secondary channels
+due to bad signatures.
+
+Every channel has its own signing key, so when establishing a new
+channel with krb5 auth, make sure to use the new session key as the
+derived key to generate channel's signing key in SMB2_auth_kerberos().
+
+Repro:
+
+$ mount.cifs //srv/share /mnt -o multichannel,max_channels=4,sec=krb5i
+$ sleep 5
+$ umount /mnt
+$ dmesg
+  ...
+  CIFS: VFS: sign fail cmd 0x5 message id 0x2
+  CIFS: VFS: \\srv SMB signature verification returned error = -13
+  CIFS: VFS: sign fail cmd 0x5 message id 0x2
+  CIFS: VFS: \\srv SMB signature verification returned error = -13
+  CIFS: VFS: sign fail cmd 0x4 message id 0x2
+  CIFS: VFS: \\srv SMB signature verification returned error = -13
+
+Reported-by: Xiaoli Feng <xifeng@redhat.com>
+Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Cc: David Howells <dhowells@redhat.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2pdu.c |   22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -1666,19 +1666,17 @@ SMB2_auth_kerberos(struct SMB2_sess_data
+       is_binding = (ses->ses_status == SES_GOOD);
+       spin_unlock(&ses->ses_lock);
+-      /* keep session key if binding */
+-      if (!is_binding) {
+-              kfree_sensitive(ses->auth_key.response);
+-              ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len,
+-                                               GFP_KERNEL);
+-              if (!ses->auth_key.response) {
+-                      cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n",
+-                               msg->sesskey_len);
+-                      rc = -ENOMEM;
+-                      goto out_put_spnego_key;
+-              }
+-              ses->auth_key.len = msg->sesskey_len;
++      kfree_sensitive(ses->auth_key.response);
++      ses->auth_key.response = kmemdup(msg->data,
++                                       msg->sesskey_len,
++                                       GFP_KERNEL);
++      if (!ses->auth_key.response) {
++              cifs_dbg(VFS, "%s: can't allocate (%u bytes) memory\n",
++                       __func__, msg->sesskey_len);
++              rc = -ENOMEM;
++              goto out_put_spnego_key;
+       }
++      ses->auth_key.len = msg->sesskey_len;
+       sess_data->iov[1].iov_base = msg->data + msg->sesskey_len;
+       sess_data->iov[1].iov_len = msg->secblob_len;
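Review bot: The `kfree_sensitive(ses->auth_key.response)` / `kmemdup()` replacement now also runs in the binding case, i.e. on a session that is already `SES_GOOD`, and it runs after `spin_unlock(&ses->ses_lock)`; if any other path reads `ses->auth_key` for an established session, confirm how that access is serialised against this free, since the old code avoided the question by leaving the key alone while binding. `is_binding` is still computed in the hunk but no longer used by it; if its remaining uses are also gone (the rest of `SMB2_auth_kerberos()` is outside the hunk) it becomes an unused-variable warning. A comment such as `/* each channel derives its own signing key from a fresh session key, so replace it even when binding */` would carry the commit message's rationale into the code.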
diff --git a/queue-6.12/smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch b/queue-6.12/smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch
new file mode 100644 (file)
index 0000000..e8ff22e
--- /dev/null
@@ -0,0 +1,71 @@
+From 663c28469d3274d6456f206a6671c91493d85ff1 Mon Sep 17 00:00:00 2001
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+Date: Sat, 21 Feb 2026 01:59:44 -0300
+Subject: smb: client: fix cifs_pick_channel when channels are equally loaded
+
+From: Henrique Carvalho <henrique.carvalho@suse.com>
+
+commit 663c28469d3274d6456f206a6671c91493d85ff1 upstream.
+
+cifs_pick_channel uses (start % chan_count) when channels are equally
+loaded, but that can return a channel that failed the eligibility
+checks.
+
+Drop the fallback and return the scan-selected channel instead. If none
+is eligible, keep the existing behavior of using the primary channel.
+
+Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
+Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Acked-by: Meetakshi Setiya <msetiya@microsoft.com>
+Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/transport.c |   21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+--- a/fs/smb/client/transport.c
++++ b/fs/smb/client/transport.c
+@@ -1026,16 +1026,21 @@ cifs_cancelled_callback(struct mid_q_ent
+ }
+ /*
+- * Return a channel (master if none) of @ses that can be used to send
+- * regular requests.
++ * cifs_pick_channel - pick an eligible channel for network operations
+  *
+- * If we are currently binding a new channel (negprot/sess.setup),
+- * return the new incomplete channel.
++ * @ses: session reference
++ *
++ * Select an eligible channel (not terminating and not marked as needing
++ * reconnect), preferring the least loaded one. If no eligible channel is
++ * found, fall back to the primary channel (index 0).
++ *
++ * Return: TCP_Server_Info pointer for the chosen channel, or NULL if @ses is
++ * NULL.
+  */
+ struct TCP_Server_Info *cifs_pick_channel(struct cifs_ses *ses)
+ {
+       uint index = 0;
+-      unsigned int min_in_flight = UINT_MAX, max_in_flight = 0;
++      unsigned int min_in_flight = UINT_MAX;
+       struct TCP_Server_Info *server = NULL;
+       int i, start, cur;
+@@ -1065,14 +1070,8 @@ struct TCP_Server_Info *cifs_pick_channe
+                       min_in_flight = server->in_flight;
+                       index = cur;
+               }
+-              if (server->in_flight > max_in_flight)
+-                      max_in_flight = server->in_flight;
+       }
+-      /* if all channels are equally loaded, fall back to round-robin */
+-      if (min_in_flight == max_in_flight)
+-              index = (uint)start % ses->chan_count;
+-
+       server = ses->chans[index].server;
+       spin_unlock(&ses->chan_lock);
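Review bot: With the round-robin fallback removed, equally loaded channels presumably resolve to the first eligible channel the scan reaches (if the comparison that sets `index` is strict, which is outside the hunk), and the new kernel-doc above `cifs_pick_channel()` describes the least-loaded preference but not this tie-break; a sentence such as `Ties between equally loaded channels go to the first eligible channel scanned.` would document what callers now see. `start` is still declared on the `int i, start, cur;` line; whether it still seeds the scan is outside the hunk, so check it does not become an unused variable. The `NULL if @ses is NULL` return stated in the new comment is likewise established by code outside the hunk.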
diff --git a/queue-6.12/squashfs-check-metadata-block-offset-is-within-range.patch b/queue-6.12/squashfs-check-metadata-block-offset-is-within-range.patch
new file mode 100644 (file)
index 0000000..a2baa70
--- /dev/null
@@ -0,0 +1,46 @@
+From fdb24a820a5832ec4532273282cbd4f22c291a0d Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Tue, 17 Feb 2026 05:09:55 +0000
+Subject: Squashfs: check metadata block offset is within range
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+commit fdb24a820a5832ec4532273282cbd4f22c291a0d upstream.
+
+Syzkaller reports a "general protection fault in squashfs_copy_data"
+
+This is ultimately caused by a corrupted index look-up table, which
+produces a negative metadata block offset.
+
+This is subsequently passed to squashfs_copy_data (via
+squashfs_read_metadata) where the negative offset causes an out of bounds
+access.
+
+The fix is to check that the offset is within range in
+squashfs_read_metadata.  This will trap this and other cases.
+
+Link: https://lkml.kernel.org/r/20260217050955.138351-1-phillip@squashfs.org.uk
+Fixes: f400e12656ab ("Squashfs: cache operations")
+Reported-by: syzbot+a9747fe1c35a5b115d3f@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/699234e2.a70a0220.2c38d7.00e2.GAE@google.com/
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/squashfs/cache.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/squashfs/cache.c
++++ b/fs/squashfs/cache.c
+@@ -340,6 +340,9 @@ int squashfs_read_metadata(struct super_
+       if (unlikely(length < 0))
+               return -EIO;
++      if (unlikely(*offset < 0 || *offset >= SQUASHFS_METADATA_SIZE))
++              return -EIO;
++
+       while (length) {
+               entry = squashfs_cache_get(sb, msblk->block_cache, *block, 0);
+               if (entry->error) {
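Review bot: The new range check rejects a bad entry `*offset`, but nothing at the check says where the value comes from; since the commit message traces it to an on-disk index look-up table, a comment would make the trust boundary explicit: `/* *offset comes from on-disk metadata; it must lie within one metadata block */`. The loop below appears to walk across blocks, so if it resets `*offset` per block (outside the hunk) that is the only other place the value needs to stay in range. `squashfs_read_metadata()` starts and ends outside the hunk.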
diff --git a/queue-6.12/tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch b/queue-6.12/tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch
new file mode 100644 (file)
index 0000000..8f78452
--- /dev/null
@@ -0,0 +1,111 @@
+From e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e Mon Sep 17 00:00:00 2001
+From: Qing Wang <wangqing7171@gmail.com>
+Date: Fri, 27 Feb 2026 10:58:42 +0800
+Subject: tracing: Fix WARN_ON in tracing_buffers_mmap_close
+
+From: Qing Wang <wangqing7171@gmail.com>
+
+commit e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e upstream.
+
+When a process forks, the child process copies the parent's VMAs but the
+user_mapped reference count is not incremented. As a result, when both the
+parent and child processes exit, tracing_buffers_mmap_close() is called
+twice. On the second call, user_mapped is already 0, causing the function to
+return -ENODEV and triggering a WARN_ON.
+
+Normally, this isn't an issue as the memory is mapped with VM_DONTCOPY set.
+But this is only a hint, and the application can call
+madvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the
+application does that, it can trigger this issue on fork.
+
+Fix it by incrementing the user_mapped reference count without re-mapping
+the pages in the VMA's open callback.
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Vincent Donnefort <vdonnefort@google.com>
+Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Link: https://patch.msgid.link/20260227025842.1085206-1-wangqing7171@gmail.com
+Fixes: cf9f0f7c4c5bb ("tracing: Allow user-space mapping of the ring-buffer")
+Reported-by: syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=3b5dd2030fe08afdf65d
+Tested-by: syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com
+Signed-off-by: Qing Wang <wangqing7171@gmail.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/ring_buffer.h |    1 +
+ kernel/trace/ring_buffer.c  |   21 +++++++++++++++++++++
+ kernel/trace/trace.c        |   13 +++++++++++++
+ 3 files changed, 35 insertions(+)
+
+--- a/include/linux/ring_buffer.h
++++ b/include/linux/ring_buffer.h
+@@ -244,6 +244,7 @@ int trace_rb_cpu_prepare(unsigned int cp
+ int ring_buffer_map(struct trace_buffer *buffer, int cpu,
+                   struct vm_area_struct *vma);
++void ring_buffer_map_dup(struct trace_buffer *buffer, int cpu);
+ int ring_buffer_unmap(struct trace_buffer *buffer, int cpu);
+ int ring_buffer_map_get_reader(struct trace_buffer *buffer, int cpu);
+ #endif /* _LINUX_RING_BUFFER_H */
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -7154,6 +7154,27 @@ unlock:
+       return err;
+ }
++/*
++ * This is called when a VMA is duplicated (e.g., on fork()) to increment
++ * the user_mapped counter without remapping pages.
++ */
++void ring_buffer_map_dup(struct trace_buffer *buffer, int cpu)
++{
++      struct ring_buffer_per_cpu *cpu_buffer;
++
++      if (WARN_ON(!cpumask_test_cpu(cpu, buffer->cpumask)))
++              return;
++
++      cpu_buffer = buffer->buffers[cpu];
++
++      guard(mutex)(&cpu_buffer->mapping_lock);
++
++      if (cpu_buffer->user_mapped)
++              __rb_inc_dec_mapped(cpu_buffer, true);
++      else
++              WARN(1, "Unexpected buffer stat, it should be mapped");
++}
++
+ int ring_buffer_unmap(struct trace_buffer *buffer, int cpu)
+ {
+       struct ring_buffer_per_cpu *cpu_buffer;
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -8274,6 +8274,18 @@ static inline int get_snapshot_map(struc
+ static inline void put_snapshot_map(struct trace_array *tr) { }
+ #endif
++/*
++ * This is called when a VMA is duplicated (e.g., on fork()) to increment
++ * the user_mapped counter without remapping pages.
++ */
++static void tracing_buffers_mmap_open(struct vm_area_struct *vma)
++{
++      struct ftrace_buffer_info *info = vma->vm_file->private_data;
++      struct trace_iterator *iter = &info->iter;
++
++      ring_buffer_map_dup(iter->array_buffer->buffer, iter->cpu_file);
++}
++
+ static void tracing_buffers_mmap_close(struct vm_area_struct *vma)
+ {
+       struct ftrace_buffer_info *info = vma->vm_file->private_data;
+@@ -8293,6 +8305,7 @@ static int tracing_buffers_may_split(str
+ }
+ static const struct vm_operations_struct tracing_buffers_vmops = {
++      .open           = tracing_buffers_mmap_open,
+       .close          = tracing_buffers_mmap_close,
+       .may_split      = tracing_buffers_may_split,
+ };
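Review bot: `ring_buffer_map_dup()` fires `WARN(1, "Unexpected buffer stat, it should be mapped")` when `user_mapped` is zero, and because the new `.open` callback is reached through VMA duplication that user space drives (the commit message names `fork()` after `madvise`), any path that reaches `open` on an unmapped buffer would make this WARN user-triggerable, the same class of problem the patch fixes in `mmap_close`; it is worth confirming no such path exists, or using `WARN_ON_ONCE` so a reachable case cannot flood the log. The message also reads `stat` where `state` seems intended. The rest of `tracing_buffers_mmap_close()` and the mmap setup that pairs with `.open` are outside the hunk.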
diff --git a/queue-6.12/wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch b/queue-6.12/wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch
new file mode 100644 (file)
index 0000000..132487a
--- /dev/null
@@ -0,0 +1,57 @@
+From 767d23ade706d5fa51c36168e92a9c5533c351a1 Mon Sep 17 00:00:00 2001
+From: Daniil Dulov <d.dulov@aladdin.ru>
+Date: Wed, 11 Feb 2026 11:20:24 +0300
+Subject: wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
+
+From: Daniil Dulov <d.dulov@aladdin.ru>
+
+commit 767d23ade706d5fa51c36168e92a9c5533c351a1 upstream.
+
+There is a use-after-free error in cfg80211_shutdown_all_interfaces found
+by syzkaller:
+
+BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220
+Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326
+CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+Workqueue: events cfg80211_rfkill_block_work
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x116/0x1f0
+ print_report+0xcd/0x630
+ kasan_report+0xe0/0x110
+ cfg80211_shutdown_all_interfaces+0x213/0x220
+ cfg80211_rfkill_block_work+0x1e/0x30
+ process_one_work+0x9cf/0x1b70
+ worker_thread+0x6c8/0xf10
+ kthread+0x3c5/0x780
+ ret_from_fork+0x56d/0x700
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+The problem arises due to the rfkill_block work is not cancelled when wiphy
+is being unregistered. In order to fix the issue cancel the corresponding
+work in wiphy_unregister().
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 1f87f7d3a3b4 ("cfg80211: add rfkill support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
+Link: https://patch.msgid.link/20260211082024.1967588-1-d.dulov@aladdin.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/core.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -1174,6 +1174,7 @@ void wiphy_unregister(struct wiphy *wiph
+       /* this has nothing to do now but make sure it's gone */
+       cancel_work_sync(&rdev->wiphy_work);
++      cancel_work_sync(&rdev->rfkill_block);
+       cancel_work_sync(&rdev->conn_work);
+       flush_work(&rdev->event_work);
+       cancel_delayed_work_sync(&rdev->dfs_update_channels_wk);
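Review bot: `cancel_work_sync(&rdev->rfkill_block)` only closes the use-after-free if nothing can requeue the work afterwards; the KASAN report shows the work is `cfg80211_rfkill_block_work`, which is presumably queued from the rfkill block callback, so `rfkill_unregister()` for this wiphy must already have completed at this point, and that call is outside the hunk. If it happens later in `wiphy_unregister()`, the cancel should move after it; if earlier, a one-line comment here would record the dependency: `/* rfkill is already unregistered, so rfkill_block cannot be requeued */`. `wiphy_unregister()` starts and ends outside the hunk.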
diff --git a/queue-6.12/wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch b/queue-6.12/wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch
new file mode 100644 (file)
index 0000000..e612be4
--- /dev/null
@@ -0,0 +1,38 @@
+From 162d331d833dc73a3e905a24c44dd33732af1fc5 Mon Sep 17 00:00:00 2001
+From: Ariel Silver <arielsilver77@gmail.com>
+Date: Fri, 20 Feb 2026 10:11:29 +0000
+Subject: wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration
+
+From: Ariel Silver <arielsilver77@gmail.com>
+
+commit 162d331d833dc73a3e905a24c44dd33732af1fc5 upstream.
+
+link_id is taken from the ML Reconfiguration element (control & 0x000f),
+so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS
+(15) elements, so index 15 is out-of-bounds. Skip subelements with
+link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds
+write.
+
+Fixes: 8eb8dd2ffbbb ("wifi: mac80211: Support link removal using Reconfiguration ML element")
+Reported-by: Ariel Silver <arielsilver77@gmail.com>
+Signed-off-by: Ariel Silver <arielsilver77@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260220101129.1202657-1-Ariel.Silver@cybereason.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mlme.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -6256,6 +6256,9 @@ static void ieee80211_ml_reconfiguration
+               control = le16_to_cpu(prof->control);
+               link_id = control & IEEE80211_MLE_STA_RECONF_CONTROL_LINK_ID;
++              if (link_id >= IEEE80211_MLD_MAX_NUM_LINKS)
++                      continue;
++
+               removed_links |= BIT(link_id);
+               /* the MAC address should not be included, but handle it */
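Review bot: The new `continue` at the bounds check silently discards a subelement whose link_id is out of range, but nothing records that a malformed ML Reconfiguration element arrived, so a peer repeatedly sending such elements leaves no trace. Since the commit message establishes that the 4-bit field can hold 0..15 while link_removal_timeout[] has only IEEE80211_MLD_MAX_NUM_LINKS entries, that reasoning belongs next to the check, e.g. `/* link_id is 4 bits (0..15) but link_removal_timeout[] holds IEEE80211_MLD_MAX_NUM_LINKS entries */`. It is also worth considering whether an out-of-range link_id should mark the whole element invalid and stop processing it, rather than applying the remaining subelements partially. The subelement loop and the later link_removal_timeout[] write are outside the hunk, as is the rest of ieee80211_ml_reconfiguration().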
diff --git a/queue-6.12/wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch b/queue-6.12/wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch
new file mode 100644 (file)
index 0000000..13bcc40
--- /dev/null
@@ -0,0 +1,63 @@
+From 017c1792525064a723971f0216e6ef86a8c7af11 Mon Sep 17 00:00:00 2001
+From: Vahagn Vardanian <vahagn@redrays.io>
+Date: Mon, 23 Feb 2026 00:00:00 +0000
+Subject: wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
+
+From: Vahagn Vardanian <vahagn@redrays.io>
+
+commit 017c1792525064a723971f0216e6ef86a8c7af11 upstream.
+
+In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced
+at lines 1638 and 1642 without a prior NULL check:
+
+    ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
+    ...
+    pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);
+
+The mesh_matches_local() check above only validates the Mesh ID,
+Mesh Configuration, and Supported Rates IEs.  It does not verify the
+presence of the Mesh Channel Switch Parameters IE (element ID 118).
+When a received CSA action frame omits that IE, ieee802_11_parse_elems()
+leaves elems->mesh_chansw_params_ie as NULL, and the unconditional
+dereference causes a kernel NULL pointer dereference.
+
+A remote mesh peer with an established peer link (PLINK_ESTAB) can
+trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame
+that includes a matching Mesh ID and Mesh Configuration IE but omits the
+Mesh Channel Switch Parameters IE.  No authentication beyond the default
+open mesh peering is required.
+
+Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:
+
+  BUG: kernel NULL pointer dereference, address: 0000000000000000
+  Oops: Oops: 0000 [#1] SMP NOPTI
+  RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]
+  CR2: 0000000000000000
+
+Fix by adding a NULL check for mesh_chansw_params_ie after
+mesh_matches_local() returns, consistent with how other optional IEs
+are guarded throughout the mesh code.
+
+The bug has been present since v3.13 (released 2014-01-19).
+
+Fixes: 8f2535b92d68 ("mac80211: process the CSA frame for mesh accordingly")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vahagn Vardanian <vahagn@redrays.io>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mesh.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -1631,6 +1631,9 @@ static void mesh_rx_csa_frame(struct iee
+       if (!mesh_matches_local(sdata, elems))
+               goto free;
++      if (!elems->mesh_chansw_params_ie)
++              goto free;
++
+       ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
+       if (!--ifmsh->chsw_ttl)
+               fwd_csa = false;
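Review bot: The added `goto free` at the mesh_chansw_params_ie check drops the frame without saying why the element is required, although the commit message spells out that mesh_matches_local() validates only the Mesh ID, Mesh Configuration and Supported Rates elements. A one-line comment would keep a later reader from folding the check into mesh_matches_local() or removing it as redundant, e.g. `/* mesh_matches_local() does not cover the Mesh Channel Switch Parameters element, which is dereferenced unconditionally below */`. A debug message on this path would also make dropped CSA frames observable when diagnosing a mesh peer that sends malformed action frames. mesh_rx_csa_frame() begins and ends outside the hunk.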
diff --git a/queue-6.12/wifi-radiotap-reject-radiotap-with-unknown-bits.patch b/queue-6.12/wifi-radiotap-reject-radiotap-with-unknown-bits.patch
new file mode 100644 (file)
index 0000000..8416e5f
--- /dev/null
@@ -0,0 +1,51 @@
+From c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 17 Feb 2026 13:05:26 +0100
+Subject: wifi: radiotap: reject radiotap with unknown bits
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 upstream.
+
+The radiotap parser is currently only used with the radiotap
+namespace (not with vendor namespaces), but if the undefined
+field 18 is used, the alignment/size is unknown as well. In
+this case, iterator->_next_ns_data isn't initialized (it's
+only set for skipping vendor namespaces), and syzbot points
+out that we later compare against this uninitialized value.
+
+Fix this by moving the rejection of unknown radiotap fields
+down to after the in-namespace lookup, so it will really use
+iterator->_next_ns_data only for vendor namespaces, even in
+case undefined fields are present.
+
+Cc: stable@vger.kernel.org
+Fixes: 33e5a2f776e3 ("wireless: update radiotap parser")
+Reported-by: syzbot+b09c1af8764c0097bb19@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/69944a91.a70a0220.2c38d7.00fc.GAE@google.com
+Link: https://patch.msgid.link/20260217120526.162647-2-johannes@sipsolutions.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/radiotap.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/radiotap.c
++++ b/net/wireless/radiotap.c
+@@ -239,14 +239,14 @@ int ieee80211_radiotap_iterator_next(
+               default:
+                       if (!iterator->current_namespace ||
+                           iterator->_arg_index >= iterator->current_namespace->n_bits) {
+-                              if (iterator->current_namespace == &radiotap_ns)
+-                                      return -ENOENT;
+                               align = 0;
+                       } else {
+                               align = iterator->current_namespace->align_size[iterator->_arg_index].align;
+                               size = iterator->current_namespace->align_size[iterator->_arg_index].size;
+                       }
+                       if (!align) {
++                              if (iterator->current_namespace == &radiotap_ns)
++                                      return -ENOENT;
+                               /* skip all subsequent data */
+                               iterator->_arg = iterator->_next_ns_data;
+                               /* give up on this namespace */
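Review bot: The relocated `return -ENOENT` inside `if (!align)` carries no comment, yet the whole fix depends on that ordering: per the commit message iterator->_next_ns_data is only set when skipping vendor namespaces, so for the radiotap namespace the iterator must bail out before the `iterator->_arg = iterator->_next_ns_data` assignment two lines below. Without a note, a later cleanup could hoist the check back above the namespace lookup and reintroduce the uninitialized read, so I would add `/* radiotap_ns has no _next_ns_data to skip to; an unknown or undefined field ends parsing here */` above the check. Separately, initializing _next_ns_data in the iterator init path would turn any similar ordering mistake into a deterministic failure instead of an uninitialized compare, though that code is not visible here to confirm. ieee80211_radiotap_iterator_next() begins and ends outside the hunk.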