7.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 25 Jun 2026 12:51:58 +0000 (13:51 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 25 Jun 2026 12:51:58 +0000 (13:51 +0100)
added patches:
crypto-qat-remove-unused-character-device-and-ioctls.patch
drivers-base-memory-set-mem-altmap-after-successful-device-registration.patch
iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch
iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch
input-rmi4-fix-bit-count-in-bitmap_copy.patch
input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
input-rmi4-fix-register-descriptor-address-calculation.patch
input-rmi4-fix-type-overflow-in-register-counts.patch
input-rmi4-iterative-irq-handler.patch
input-rmi4-refactor-register-descriptor-parsing.patch
ksmbd-reject-non-valid-session-in-compound-request-branch.patch
media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
serial-8250_dw-unregister-8250-port-if-clk_notifier_register-fails.patch
serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch
vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
virtiofs-fix-uaf-on-submount-umount.patch

18 files changed:
queue-7.1/crypto-qat-remove-unused-character-device-and-ioctls.patch [new file with mode: 0644]
queue-7.1/drivers-base-memory-set-mem-altmap-after-successful-device-registration.patch [new file with mode: 0644]
queue-7.1/iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch [new file with mode: 0644]
queue-7.1/iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch [new file with mode: 0644]
queue-7.1/input-rmi4-fix-bit-count-in-bitmap_copy.patch [new file with mode: 0644]
queue-7.1/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch [new file with mode: 0644]
queue-7.1/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch [new file with mode: 0644]
queue-7.1/input-rmi4-fix-register-descriptor-address-calculation.patch [new file with mode: 0644]
queue-7.1/input-rmi4-fix-type-overflow-in-register-counts.patch [new file with mode: 0644]
queue-7.1/input-rmi4-iterative-irq-handler.patch [new file with mode: 0644]
queue-7.1/input-rmi4-refactor-register-descriptor-parsing.patch [new file with mode: 0644]
queue-7.1/ksmbd-reject-non-valid-session-in-compound-request-branch.patch [new file with mode: 0644]
queue-7.1/media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch [new file with mode: 0644]
queue-7.1/serial-8250_dw-unregister-8250-port-if-clk_notifier_register-fails.patch [new file with mode: 0644]
queue-7.1/serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch [new file with mode: 0644]
queue-7.1/series
queue-7.1/vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch [new file with mode: 0644]
queue-7.1/virtiofs-fix-uaf-on-submount-umount.patch [new file with mode: 0644]

diff --git a/queue-7.1/crypto-qat-remove-unused-character-device-and-ioctls.patch b/queue-7.1/crypto-qat-remove-unused-character-device-and-ioctls.patch
new file mode 100644 (file)
index 0000000..f40a692
--- /dev/null
@@ -0,0 +1,726 @@
+From d237230728c567297f2f98b425d63156ab2ed17f Mon Sep 17 00:00:00 2001
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Date: Mon, 11 May 2026 11:04:08 +0100
+Subject: crypto: qat - remove unused character device and IOCTLs
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+commit d237230728c567297f2f98b425d63156ab2ed17f upstream.
+
+The QAT driver exposes a character device (qat_adf_ctl) with IOCTLs
+for device configuration, start, stop, status query and enumeration.
+These IOCTLs are not part of any public uAPI header and have no known
+in-tree or out-of-tree users. Device lifecycle is already managed via
+sysfs.
+
+The ioctl interface also increases the attack surface and is the
+subject of a number of bug reports.
+
+Remove the character device, the IOCTL definitions, and the related
+data structures (adf_dev_status_info, adf_user_cfg_key_val,
+adf_user_cfg_section, adf_user_cfg_ctl_data). Drop the now-unused
+adf_cfg_user.h header and strip adf_ctl_drv.c down to the minimal
+module_init/module_exit hooks for workqueue, AER, and crypto/compression
+algorithm registration.
+
+Clean up leftover dead code that was only reachable from the removed
+IOCTL paths: adf_cfg_del_all(), adf_devmgr_verify_id(),
+adf_devmgr_get_num_dev(), adf_devmgr_get_dev_by_id(),
+adf_get_vf_real_id() and the unused ADF_CFG macros.
+
+Additionally, drop the entry associated to QAT IOCTLs in
+ioctl-number.rst.
+
+Cc: stable@vger.kernel.org
+Fixes: d8cba25d2c68 ("crypto: qat - Intel(R) QAT driver framework")
+Reported-by: Zhi Wang <wangzhi@stu.xidian.edu.cn>
+Reported-by: Bin Yu <byu@xidian.edu.cn>
+Reported-by: MingYu Wang <w15303746062@163.com>
+Closes: https://lore.kernel.org/all/61d6d499.ab89.19b9b7f3186.Coremail.wangzhi_xd@stu.xidian.edu.cn/
+Link: https://lore.kernel.org/all/20260508034841.256794-1-w15303746062@163.com/
+Link: https://lore.kernel.org/all/20260508023542.256299-1-w15303746062@163.com/
+Link: https://lore.kernel.org/all/20260504025120.98242-1-w15303746062@163.com/
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/userspace-api/ioctl/ioctl-number.rst   |    1 
+ drivers/crypto/intel/qat/qat_common/adf_cfg.c        |   10 
+ drivers/crypto/intel/qat/qat_common/adf_cfg.h        |    1 
+ drivers/crypto/intel/qat/qat_common/adf_cfg_common.h |   32 -
+ drivers/crypto/intel/qat/qat_common/adf_cfg_user.h   |   38 -
+ drivers/crypto/intel/qat/qat_common/adf_common_drv.h |    3 
+ drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c    |  404 -------------------
+ drivers/crypto/intel/qat/qat_common/adf_dev_mgr.c    |   70 ---
+ 8 files changed, 1 insertion(+), 558 deletions(-)
+ delete mode 100644 drivers/crypto/intel/qat/qat_common/adf_cfg_user.h
+
+--- a/Documentation/userspace-api/ioctl/ioctl-number.rst
++++ b/Documentation/userspace-api/ioctl/ioctl-number.rst
+@@ -229,7 +229,6 @@ Code  Seq#    Include File
+                                                                        <mailto:gregkh@linuxfoundation.org>
+ 'a'   all    linux/atm*.h, linux/sonet.h                               ATM on linux
+                                                                        <http://lrcwww.epfl.ch/>
+-'a'   00-0F  drivers/crypto/qat/qat_common/adf_cfg_common.h            conflict! qat driver
+ 'b'   00-FF                                                            conflict! bit3 vme host bridge
+                                                                        <mailto:natalia@nikhefk.nikhef.nl>
+ 'b'   00-0F  linux/dma-buf.h                                           conflict!
+--- a/drivers/crypto/intel/qat/qat_common/adf_cfg.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_cfg.c
+@@ -103,16 +103,6 @@ static void adf_cfg_section_del_all(stru
+ static void adf_cfg_section_del_all_except(struct list_head *head,
+                                          const char *section_name);
+-void adf_cfg_del_all(struct adf_accel_dev *accel_dev)
+-{
+-      struct adf_cfg_device_data *dev_cfg_data = accel_dev->cfg;
+-
+-      down_write(&dev_cfg_data->lock);
+-      adf_cfg_section_del_all(&dev_cfg_data->sec_list);
+-      up_write(&dev_cfg_data->lock);
+-      clear_bit(ADF_STATUS_CONFIGURED, &accel_dev->status);
+-}
+-
+ void adf_cfg_del_all_except(struct adf_accel_dev *accel_dev,
+                           const char *section_name)
+ {
+--- a/drivers/crypto/intel/qat/qat_common/adf_cfg.h
++++ b/drivers/crypto/intel/qat/qat_common/adf_cfg.h
+@@ -34,7 +34,6 @@ void adf_cfg_dev_remove(struct adf_accel
+ void adf_cfg_dev_dbgfs_add(struct adf_accel_dev *accel_dev);
+ void adf_cfg_dev_dbgfs_rm(struct adf_accel_dev *accel_dev);
+ int adf_cfg_section_add(struct adf_accel_dev *accel_dev, const char *name);
+-void adf_cfg_del_all(struct adf_accel_dev *accel_dev);
+ void adf_cfg_del_all_except(struct adf_accel_dev *accel_dev,
+                           const char *section_name);
+ int adf_cfg_add_key_value_param(struct adf_accel_dev *accel_dev,
+--- a/drivers/crypto/intel/qat/qat_common/adf_cfg_common.h
++++ b/drivers/crypto/intel/qat/qat_common/adf_cfg_common.h
+@@ -4,18 +4,11 @@
+ #define ADF_CFG_COMMON_H_
+ #include <linux/types.h>
+-#include <linux/ioctl.h>
+ #define ADF_CFG_MAX_STR_LEN 64
+ #define ADF_CFG_MAX_KEY_LEN_IN_BYTES ADF_CFG_MAX_STR_LEN
+ #define ADF_CFG_MAX_VAL_LEN_IN_BYTES ADF_CFG_MAX_STR_LEN
+ #define ADF_CFG_MAX_SECTION_LEN_IN_BYTES ADF_CFG_MAX_STR_LEN
+-#define ADF_CFG_BASE_DEC 10
+-#define ADF_CFG_BASE_HEX 16
+-#define ADF_CFG_ALL_DEVICES 0xFE
+-#define ADF_CFG_NO_DEVICE 0xFF
+-#define ADF_CFG_AFFINITY_WHATEVER 0xFF
+-#define MAX_DEVICE_NAME_SIZE 32
+ #define ADF_MAX_DEVICES (32 * 32)
+ #define ADF_DEVS_ARRAY_SIZE BITS_TO_LONGS(ADF_MAX_DEVICES)
+@@ -51,29 +44,4 @@ enum adf_device_type {
+       DEV_420XX,
+       DEV_6XXX,
+ };
+-
+-struct adf_dev_status_info {
+-      enum adf_device_type type;
+-      __u32 accel_id;
+-      __u32 instance_id;
+-      __u8 num_ae;
+-      __u8 num_accel;
+-      __u8 num_logical_accel;
+-      __u8 banks_per_accel;
+-      __u8 state;
+-      __u8 bus;
+-      __u8 dev;
+-      __u8 fun;
+-      char name[MAX_DEVICE_NAME_SIZE];
+-};
+-
+-#define ADF_CTL_IOC_MAGIC 'a'
+-#define IOCTL_CONFIG_SYS_RESOURCE_PARAMETERS _IOW(ADF_CTL_IOC_MAGIC, 0, \
+-              struct adf_user_cfg_ctl_data)
+-#define IOCTL_STOP_ACCEL_DEV _IOW(ADF_CTL_IOC_MAGIC, 1, \
+-              struct adf_user_cfg_ctl_data)
+-#define IOCTL_START_ACCEL_DEV _IOW(ADF_CTL_IOC_MAGIC, 2, \
+-              struct adf_user_cfg_ctl_data)
+-#define IOCTL_STATUS_ACCEL_DEV _IOW(ADF_CTL_IOC_MAGIC, 3, __u32)
+-#define IOCTL_GET_NUM_DEVICES _IOW(ADF_CTL_IOC_MAGIC, 4, __s32)
+ #endif
+--- a/drivers/crypto/intel/qat/qat_common/adf_cfg_user.h
++++ /dev/null
+@@ -1,38 +0,0 @@
+-/* SPDX-License-Identifier: (BSD-3-Clause OR GPL-2.0-only) */
+-/* Copyright(c) 2014 - 2020 Intel Corporation */
+-#ifndef ADF_CFG_USER_H_
+-#define ADF_CFG_USER_H_
+-
+-#include "adf_cfg_common.h"
+-#include "adf_cfg_strings.h"
+-
+-struct adf_user_cfg_key_val {
+-      char key[ADF_CFG_MAX_KEY_LEN_IN_BYTES];
+-      char val[ADF_CFG_MAX_VAL_LEN_IN_BYTES];
+-      union {
+-              struct adf_user_cfg_key_val *next;
+-              __u64 padding3;
+-      };
+-      enum adf_cfg_val_type type;
+-} __packed;
+-
+-struct adf_user_cfg_section {
+-      char name[ADF_CFG_MAX_SECTION_LEN_IN_BYTES];
+-      union {
+-              struct adf_user_cfg_key_val *params;
+-              __u64 padding1;
+-      };
+-      union {
+-              struct adf_user_cfg_section *next;
+-              __u64 padding3;
+-      };
+-} __packed;
+-
+-struct adf_user_cfg_ctl_data {
+-      union {
+-              struct adf_user_cfg_section *config_section;
+-              __u64 padding;
+-      };
+-      __u8 device_id;
+-} __packed;
+-#endif
+--- a/drivers/crypto/intel/qat/qat_common/adf_common_drv.h
++++ b/drivers/crypto/intel/qat/qat_common/adf_common_drv.h
+@@ -68,10 +68,7 @@ int adf_devmgr_add_dev(struct adf_accel_
+ void adf_devmgr_rm_dev(struct adf_accel_dev *accel_dev,
+                      struct adf_accel_dev *pf);
+ struct list_head *adf_devmgr_get_head(void);
+-struct adf_accel_dev *adf_devmgr_get_dev_by_id(u32 id);
+ struct adf_accel_dev *adf_devmgr_pci_to_accel_dev(struct pci_dev *pci_dev);
+-int adf_devmgr_verify_id(u32 id);
+-void adf_devmgr_get_num_dev(u32 *num);
+ int adf_devmgr_in_reset(struct adf_accel_dev *accel_dev);
+ int adf_dev_started(struct adf_accel_dev *accel_dev);
+ int adf_dev_restarting_notify(struct adf_accel_dev *accel_dev);
+--- a/drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c
+@@ -2,410 +2,13 @@
+ /* Copyright(c) 2014 - 2020 Intel Corporation */
+ #include <crypto/algapi.h>
++#include <linux/errno.h>
+ #include <linux/module.h>
+-#include <linux/mutex.h>
+-#include <linux/slab.h>
+-#include <linux/fs.h>
+-#include <linux/bitops.h>
+-#include <linux/pci.h>
+-#include <linux/cdev.h>
+-#include <linux/uaccess.h>
+-#include "adf_accel_devices.h"
+ #include "adf_common_drv.h"
+-#include "adf_cfg.h"
+-#include "adf_cfg_common.h"
+-#include "adf_cfg_user.h"
+-
+-#define ADF_CFG_MAX_SECTION 512
+-#define ADF_CFG_MAX_KEY_VAL 256
+-
+-#define DEVICE_NAME "qat_adf_ctl"
+-
+-static DEFINE_MUTEX(adf_ctl_lock);
+-static long adf_ctl_ioctl(struct file *fp, unsigned int cmd, unsigned long arg);
+-
+-static const struct file_operations adf_ctl_ops = {
+-      .owner = THIS_MODULE,
+-      .unlocked_ioctl = adf_ctl_ioctl,
+-      .compat_ioctl = compat_ptr_ioctl,
+-};
+-
+-static const struct class adf_ctl_class = {
+-      .name = DEVICE_NAME,
+-};
+-
+-struct adf_ctl_drv_info {
+-      unsigned int major;
+-      struct cdev drv_cdev;
+-};
+-
+-static struct adf_ctl_drv_info adf_ctl_drv;
+-
+-static void adf_chr_drv_destroy(void)
+-{
+-      device_destroy(&adf_ctl_class, MKDEV(adf_ctl_drv.major, 0));
+-      cdev_del(&adf_ctl_drv.drv_cdev);
+-      class_unregister(&adf_ctl_class);
+-      unregister_chrdev_region(MKDEV(adf_ctl_drv.major, 0), 1);
+-}
+-
+-static int adf_chr_drv_create(void)
+-{
+-      dev_t dev_id;
+-      struct device *drv_device;
+-      int ret;
+-
+-      if (alloc_chrdev_region(&dev_id, 0, 1, DEVICE_NAME)) {
+-              pr_err("QAT: unable to allocate chrdev region\n");
+-              return -EFAULT;
+-      }
+-
+-      ret = class_register(&adf_ctl_class);
+-      if (ret)
+-              goto err_chrdev_unreg;
+-
+-      adf_ctl_drv.major = MAJOR(dev_id);
+-      cdev_init(&adf_ctl_drv.drv_cdev, &adf_ctl_ops);
+-      if (cdev_add(&adf_ctl_drv.drv_cdev, dev_id, 1)) {
+-              pr_err("QAT: cdev add failed\n");
+-              goto err_class_destr;
+-      }
+-
+-      drv_device = device_create(&adf_ctl_class, NULL,
+-                                 MKDEV(adf_ctl_drv.major, 0),
+-                                 NULL, DEVICE_NAME);
+-      if (IS_ERR(drv_device)) {
+-              pr_err("QAT: failed to create device\n");
+-              goto err_cdev_del;
+-      }
+-      return 0;
+-err_cdev_del:
+-      cdev_del(&adf_ctl_drv.drv_cdev);
+-err_class_destr:
+-      class_unregister(&adf_ctl_class);
+-err_chrdev_unreg:
+-      unregister_chrdev_region(dev_id, 1);
+-      return -EFAULT;
+-}
+-
+-static struct adf_user_cfg_ctl_data *adf_ctl_alloc_resources(unsigned long arg)
+-{
+-      struct adf_user_cfg_ctl_data *cfg_data;
+-
+-      cfg_data = memdup_user((void __user *)arg, sizeof(*cfg_data));
+-      if (IS_ERR(cfg_data))
+-              pr_err("QAT: failed to copy from user cfg_data.\n");
+-      return cfg_data;
+-}
+-
+-static int adf_add_key_value_data(struct adf_accel_dev *accel_dev,
+-                                const char *section,
+-                                const struct adf_user_cfg_key_val *key_val)
+-{
+-      if (key_val->type == ADF_HEX) {
+-              long *ptr = (long *)key_val->val;
+-              long val = *ptr;
+-
+-              if (adf_cfg_add_key_value_param(accel_dev, section,
+-                                              key_val->key, (void *)val,
+-                                              key_val->type)) {
+-                      dev_err(&GET_DEV(accel_dev),
+-                              "failed to add hex keyvalue.\n");
+-                      return -EFAULT;
+-              }
+-      } else {
+-              if (adf_cfg_add_key_value_param(accel_dev, section,
+-                                              key_val->key, key_val->val,
+-                                              key_val->type)) {
+-                      dev_err(&GET_DEV(accel_dev),
+-                              "failed to add keyvalue.\n");
+-                      return -EFAULT;
+-              }
+-      }
+-      return 0;
+-}
+-
+-static int adf_copy_key_value_data(struct adf_accel_dev *accel_dev,
+-                                 struct adf_user_cfg_ctl_data *ctl_data)
+-{
+-      struct adf_user_cfg_key_val key_val;
+-      struct adf_user_cfg_key_val *params_head;
+-      struct adf_user_cfg_section section, *section_head;
+-      int i, j;
+-
+-      section_head = ctl_data->config_section;
+-
+-      for (i = 0; section_head && i < ADF_CFG_MAX_SECTION; i++) {
+-              if (copy_from_user(&section, (void __user *)section_head,
+-                                 sizeof(*section_head))) {
+-                      dev_err(&GET_DEV(accel_dev),
+-                              "failed to copy section info\n");
+-                      goto out_err;
+-              }
+-
+-              if (adf_cfg_section_add(accel_dev, section.name)) {
+-                      dev_err(&GET_DEV(accel_dev),
+-                              "failed to add section.\n");
+-                      goto out_err;
+-              }
+-
+-              params_head = section.params;
+-
+-              for (j = 0; params_head && j < ADF_CFG_MAX_KEY_VAL; j++) {
+-                      if (copy_from_user(&key_val, (void __user *)params_head,
+-                                         sizeof(key_val))) {
+-                              dev_err(&GET_DEV(accel_dev),
+-                                      "Failed to copy keyvalue.\n");
+-                              goto out_err;
+-                      }
+-                      if (adf_add_key_value_data(accel_dev, section.name,
+-                                                 &key_val)) {
+-                              goto out_err;
+-                      }
+-                      params_head = key_val.next;
+-              }
+-              section_head = section.next;
+-      }
+-      return 0;
+-out_err:
+-      adf_cfg_del_all(accel_dev);
+-      return -EFAULT;
+-}
+-
+-static int adf_ctl_ioctl_dev_config(struct file *fp, unsigned int cmd,
+-                                  unsigned long arg)
+-{
+-      struct adf_user_cfg_ctl_data *ctl_data;
+-      struct adf_accel_dev *accel_dev;
+-      int ret = 0;
+-
+-      ctl_data = adf_ctl_alloc_resources(arg);
+-      if (IS_ERR(ctl_data))
+-              return PTR_ERR(ctl_data);
+-
+-      accel_dev = adf_devmgr_get_dev_by_id(ctl_data->device_id);
+-      if (!accel_dev) {
+-              ret = -EFAULT;
+-              goto out;
+-      }
+-
+-      if (adf_dev_started(accel_dev)) {
+-              ret = -EFAULT;
+-              goto out;
+-      }
+-
+-      if (adf_copy_key_value_data(accel_dev, ctl_data)) {
+-              ret = -EFAULT;
+-              goto out;
+-      }
+-      set_bit(ADF_STATUS_CONFIGURED, &accel_dev->status);
+-out:
+-      kfree(ctl_data);
+-      return ret;
+-}
+-
+-static int adf_ctl_is_device_in_use(int id)
+-{
+-      struct adf_accel_dev *dev;
+-
+-      list_for_each_entry(dev, adf_devmgr_get_head(), list) {
+-              if (id == dev->accel_id || id == ADF_CFG_ALL_DEVICES) {
+-                      if (adf_devmgr_in_reset(dev) || adf_dev_in_use(dev)) {
+-                              dev_info(&GET_DEV(dev),
+-                                       "device qat_dev%d is busy\n",
+-                                       dev->accel_id);
+-                              return -EBUSY;
+-                      }
+-              }
+-      }
+-      return 0;
+-}
+-
+-static void adf_ctl_stop_devices(u32 id)
+-{
+-      struct adf_accel_dev *accel_dev;
+-
+-      list_for_each_entry(accel_dev, adf_devmgr_get_head(), list) {
+-              if (id == accel_dev->accel_id || id == ADF_CFG_ALL_DEVICES) {
+-                      if (!adf_dev_started(accel_dev))
+-                              continue;
+-
+-                      /* First stop all VFs */
+-                      if (!accel_dev->is_vf)
+-                              continue;
+-
+-                      adf_dev_down(accel_dev);
+-              }
+-      }
+-
+-      list_for_each_entry(accel_dev, adf_devmgr_get_head(), list) {
+-              if (id == accel_dev->accel_id || id == ADF_CFG_ALL_DEVICES) {
+-                      if (!adf_dev_started(accel_dev))
+-                              continue;
+-
+-                      adf_dev_down(accel_dev);
+-              }
+-      }
+-}
+-
+-static int adf_ctl_ioctl_dev_stop(struct file *fp, unsigned int cmd,
+-                                unsigned long arg)
+-{
+-      int ret;
+-      struct adf_user_cfg_ctl_data *ctl_data;
+-
+-      ctl_data = adf_ctl_alloc_resources(arg);
+-      if (IS_ERR(ctl_data))
+-              return PTR_ERR(ctl_data);
+-
+-      if (adf_devmgr_verify_id(ctl_data->device_id)) {
+-              pr_err("QAT: Device %d not found\n", ctl_data->device_id);
+-              ret = -ENODEV;
+-              goto out;
+-      }
+-
+-      ret = adf_ctl_is_device_in_use(ctl_data->device_id);
+-      if (ret)
+-              goto out;
+-
+-      if (ctl_data->device_id == ADF_CFG_ALL_DEVICES)
+-              pr_info("QAT: Stopping all acceleration devices.\n");
+-      else
+-              pr_info("QAT: Stopping acceleration device qat_dev%d.\n",
+-                      ctl_data->device_id);
+-
+-      adf_ctl_stop_devices(ctl_data->device_id);
+-
+-out:
+-      kfree(ctl_data);
+-      return ret;
+-}
+-
+-static int adf_ctl_ioctl_dev_start(struct file *fp, unsigned int cmd,
+-                                 unsigned long arg)
+-{
+-      int ret;
+-      struct adf_user_cfg_ctl_data *ctl_data;
+-      struct adf_accel_dev *accel_dev;
+-
+-      ctl_data = adf_ctl_alloc_resources(arg);
+-      if (IS_ERR(ctl_data))
+-              return PTR_ERR(ctl_data);
+-
+-      ret = -ENODEV;
+-      accel_dev = adf_devmgr_get_dev_by_id(ctl_data->device_id);
+-      if (!accel_dev)
+-              goto out;
+-
+-      dev_info(&GET_DEV(accel_dev),
+-               "Starting acceleration device qat_dev%d.\n",
+-               ctl_data->device_id);
+-
+-      ret = adf_dev_up(accel_dev, false);
+-
+-      if (ret) {
+-              dev_err(&GET_DEV(accel_dev), "Failed to start qat_dev%d\n",
+-                      ctl_data->device_id);
+-              adf_dev_down(accel_dev);
+-      }
+-out:
+-      kfree(ctl_data);
+-      return ret;
+-}
+-
+-static int adf_ctl_ioctl_get_num_devices(struct file *fp, unsigned int cmd,
+-                                       unsigned long arg)
+-{
+-      u32 num_devices = 0;
+-
+-      adf_devmgr_get_num_dev(&num_devices);
+-      if (copy_to_user((void __user *)arg, &num_devices, sizeof(num_devices)))
+-              return -EFAULT;
+-
+-      return 0;
+-}
+-
+-static int adf_ctl_ioctl_get_status(struct file *fp, unsigned int cmd,
+-                                  unsigned long arg)
+-{
+-      struct adf_hw_device_data *hw_data;
+-      struct adf_dev_status_info dev_info;
+-      struct adf_accel_dev *accel_dev;
+-
+-      if (copy_from_user(&dev_info, (void __user *)arg,
+-                         sizeof(struct adf_dev_status_info))) {
+-              pr_err("QAT: failed to copy from user.\n");
+-              return -EFAULT;
+-      }
+-
+-      accel_dev = adf_devmgr_get_dev_by_id(dev_info.accel_id);
+-      if (!accel_dev)
+-              return -ENODEV;
+-
+-      hw_data = accel_dev->hw_device;
+-      dev_info.state = adf_dev_started(accel_dev) ? DEV_UP : DEV_DOWN;
+-      dev_info.num_ae = hw_data->get_num_aes(hw_data);
+-      dev_info.num_accel = hw_data->get_num_accels(hw_data);
+-      dev_info.num_logical_accel = hw_data->num_logical_accel;
+-      dev_info.banks_per_accel = hw_data->num_banks
+-                                      / hw_data->num_logical_accel;
+-      strscpy(dev_info.name, hw_data->dev_class->name, sizeof(dev_info.name));
+-      dev_info.instance_id = hw_data->instance_id;
+-      dev_info.type = hw_data->dev_class->type;
+-      dev_info.bus = accel_to_pci_dev(accel_dev)->bus->number;
+-      dev_info.dev = PCI_SLOT(accel_to_pci_dev(accel_dev)->devfn);
+-      dev_info.fun = PCI_FUNC(accel_to_pci_dev(accel_dev)->devfn);
+-
+-      if (copy_to_user((void __user *)arg, &dev_info,
+-                       sizeof(struct adf_dev_status_info))) {
+-              dev_err(&GET_DEV(accel_dev), "failed to copy status.\n");
+-              return -EFAULT;
+-      }
+-      return 0;
+-}
+-
+-static long adf_ctl_ioctl(struct file *fp, unsigned int cmd, unsigned long arg)
+-{
+-      int ret;
+-
+-      if (mutex_lock_interruptible(&adf_ctl_lock))
+-              return -EFAULT;
+-
+-      switch (cmd) {
+-      case IOCTL_CONFIG_SYS_RESOURCE_PARAMETERS:
+-              ret = adf_ctl_ioctl_dev_config(fp, cmd, arg);
+-              break;
+-
+-      case IOCTL_STOP_ACCEL_DEV:
+-              ret = adf_ctl_ioctl_dev_stop(fp, cmd, arg);
+-              break;
+-
+-      case IOCTL_START_ACCEL_DEV:
+-              ret = adf_ctl_ioctl_dev_start(fp, cmd, arg);
+-              break;
+-
+-      case IOCTL_GET_NUM_DEVICES:
+-              ret = adf_ctl_ioctl_get_num_devices(fp, cmd, arg);
+-              break;
+-
+-      case IOCTL_STATUS_ACCEL_DEV:
+-              ret = adf_ctl_ioctl_get_status(fp, cmd, arg);
+-              break;
+-      default:
+-              pr_err_ratelimited("QAT: Invalid ioctl %d\n", cmd);
+-              ret = -EFAULT;
+-              break;
+-      }
+-      mutex_unlock(&adf_ctl_lock);
+-      return ret;
+-}
+ static int __init adf_register_ctl_device_driver(void)
+ {
+-      if (adf_chr_drv_create())
+-              goto err_chr_dev;
+-
+       if (adf_init_misc_wq())
+               goto err_misc_wq;
+@@ -437,15 +40,11 @@ err_pf_wq:
+ err_aer:
+       adf_exit_misc_wq();
+ err_misc_wq:
+-      adf_chr_drv_destroy();
+-err_chr_dev:
+-      mutex_destroy(&adf_ctl_lock);
+       return -EFAULT;
+ }
+ static void __exit adf_unregister_ctl_device_driver(void)
+ {
+-      adf_chr_drv_destroy();
+       adf_exit_misc_wq();
+       adf_exit_aer();
+       adf_exit_vf_wq();
+@@ -453,7 +52,6 @@ static void __exit adf_unregister_ctl_de
+       qat_crypto_unregister();
+       qat_compression_unregister();
+       adf_clean_vf_map(false);
+-      mutex_destroy(&adf_ctl_lock);
+ }
+ module_init(adf_register_ctl_device_driver);
+--- a/drivers/crypto/intel/qat/qat_common/adf_dev_mgr.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_dev_mgr.c
+@@ -45,19 +45,6 @@ static struct vf_id_map *adf_find_vf(u32
+       return NULL;
+ }
+-static int adf_get_vf_real_id(u32 fake)
+-{
+-      struct list_head *itr;
+-
+-      list_for_each(itr, &vfs_table) {
+-              struct vf_id_map *ptr =
+-                      list_entry(itr, struct vf_id_map, list);
+-              if (ptr->fake_id == fake)
+-                      return ptr->id;
+-      }
+-      return -1;
+-}
+-
+ /**
+  * adf_clean_vf_map() - Cleans VF id mappings
+  * @vf: flag indicating whether mappings is cleaned
+@@ -304,63 +291,6 @@ struct adf_accel_dev *adf_devmgr_pci_to_
+ }
+ EXPORT_SYMBOL_GPL(adf_devmgr_pci_to_accel_dev);
+-struct adf_accel_dev *adf_devmgr_get_dev_by_id(u32 id)
+-{
+-      struct list_head *itr;
+-      int real_id;
+-
+-      mutex_lock(&table_lock);
+-      real_id = adf_get_vf_real_id(id);
+-      if (real_id < 0)
+-              goto unlock;
+-
+-      id = real_id;
+-
+-      list_for_each(itr, &accel_table) {
+-              struct adf_accel_dev *ptr =
+-                              list_entry(itr, struct adf_accel_dev, list);
+-              if (ptr->accel_id == id) {
+-                      mutex_unlock(&table_lock);
+-                      return ptr;
+-              }
+-      }
+-unlock:
+-      mutex_unlock(&table_lock);
+-      return NULL;
+-}
+-
+-int adf_devmgr_verify_id(u32 id)
+-{
+-      if (id == ADF_CFG_ALL_DEVICES)
+-              return 0;
+-
+-      if (adf_devmgr_get_dev_by_id(id))
+-              return 0;
+-
+-      return -ENODEV;
+-}
+-
+-static int adf_get_num_dettached_vfs(void)
+-{
+-      struct list_head *itr;
+-      int vfs = 0;
+-
+-      mutex_lock(&table_lock);
+-      list_for_each(itr, &vfs_table) {
+-              struct vf_id_map *ptr =
+-                      list_entry(itr, struct vf_id_map, list);
+-              if (ptr->bdf != ~0 && !ptr->attached)
+-                      vfs++;
+-      }
+-      mutex_unlock(&table_lock);
+-      return vfs;
+-}
+-
+-void adf_devmgr_get_num_dev(u32 *num)
+-{
+-      *num = num_devices - adf_get_num_dettached_vfs();
+-}
+-
+ /**
+  * adf_dev_in_use() - Check whether accel_dev is currently in use
+  * @accel_dev: Pointer to acceleration device.
diff --git a/queue-7.1/drivers-base-memory-set-mem-altmap-after-successful-device-registration.patch b/queue-7.1/drivers-base-memory-set-mem-altmap-after-successful-device-registration.patch
new file mode 100644 (file)
index 0000000..3b68229
--- /dev/null
@@ -0,0 +1,54 @@
+From a2b8d7827f48ee54a686cb80e4a1d0ff954ec42a Mon Sep 17 00:00:00 2001
+From: Georgi Djakov <georgi.djakov@oss.qualcomm.com>
+Date: Thu, 14 May 2026 02:26:57 -0700
+Subject: drivers/base/memory: set mem->altmap after successful device registration
+
+From: Georgi Djakov <georgi.djakov@oss.qualcomm.com>
+
+commit a2b8d7827f48ee54a686cb80e4a1d0ff954ec42a upstream.
+
+If __add_memory_block() fails at xa_store() (under memory pressure for
+example), device_unregister() is called, which eventually triggers
+memory_block_release() with mem->altmap still set, causing a
+WARN_ON(mem->altmap).  This was triggered by modifying virtio-mem driver.
+
+Fix this by delaying the assignment of mem->altmap until after
+__add_memory_block() has succeeded.
+
+Link: https://lore.kernel.org/20260514092657.3057141-1-georgi.djakov@oss.qualcomm.com
+Fixes: 1a8c64e11043 ("mm/memory_hotplug: embed vmem_altmap details in memory block")
+Signed-off-by: Georgi Djakov <georgi.djakov@oss.qualcomm.com>
+Acked-by: Oscar Salvador (SUSE) <osalvador@kernel.org>
+Cc: Vishal Verma <vishal.l.verma@intel.com>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: Richard Cheng <icheng@nvidia.com>
+Cc: David Hildenbrand <david@kernel.org>
+Cc: Georgi Djakov <djakov@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: "Rafael J. Wysocki" <rafael@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/memory.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/base/memory.c
++++ b/drivers/base/memory.c
+@@ -807,7 +807,6 @@ static int add_memory_block(unsigned lon
+       mem->start_section_nr = block_id * sections_per_block;
+       mem->state = state;
+       mem->nid = nid;
+-      mem->altmap = altmap;
+       INIT_LIST_HEAD(&mem->group_next);
+ #ifndef CONFIG_NUMA
+@@ -825,6 +824,8 @@ static int add_memory_block(unsigned lon
+       if (ret)
+               return ret;
++      mem->altmap = altmap;
++
+       if (group) {
+               mem->group = group;
+               list_add(&mem->group_next, &group->memory_blocks);
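Review bot: Moving `mem->altmap = altmap;` below the `if (ret) return ret;` check means the memory block device is already registered, and visible through the driver core, for a short window in which mem->altmap is still NULL. If any reader of mem->altmap can run during or right after registration (a sysfs attribute, a memory notifier), it would now observe NULL where it previously saw the altmap; nothing in the visible lines shows such a reader, but it is worth confirming against the consumers of mem->altmap before this lands in stable. A one-line comment above the assignment would record the constraint so the ordering is not "fixed" back later: `/* Set only after registration succeeds: memory_block_release() WARNs on a non-NULL altmap if __add_memory_block() fails. */`. add_memory_block() starts before and continues after this hunk.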
diff --git a/queue-7.1/iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch b/queue-7.1/iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch
new file mode 100644 (file)
index 0000000..d72d5c7
--- /dev/null
@@ -0,0 +1,57 @@
+From 95e8a48d7a85d4226934020e57815a3316d3a14b Mon Sep 17 00:00:00 2001
+From: Sam Daly <sam@samdaly.ie>
+Date: Thu, 14 May 2026 18:23:20 +0200
+Subject: iio: adc: ti-ads1298: add bounds check to pga_settings index
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sam Daly <sam@samdaly.ie>
+
+commit 95e8a48d7a85d4226934020e57815a3316d3a14b upstream.
+
+ads1298_pga_settings has 7 elements but ADS1298_MASK_CH_PGA can yield
+values 0-7. If it yields a value >= 7, this causes an out-of-bounds
+array access. Add a bounds check and return -EINVAL if the index
+is out of range.
+
+Note that the remaining value b111 is reserved so should not be seen
+in a correctly functioning system.
+
+Assisted-by: gkh_clanker_2000
+Cc: stable <stable@kernel.org>
+Cc: Jonathan Cameron <jic23@kernel.org>
+Cc: David Lechner <dlechner@baylibre.com>
+Cc: "Nuno SĂ¡" <nuno.sa@analog.com>
+Cc: Andy Shevchenko <andy@kernel.org>
+Signed-off-by: Sam Daly <sam@samdaly.ie>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-ads1298.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ti-ads1298.c
++++ b/drivers/iio/adc/ti-ads1298.c
+@@ -279,6 +279,7 @@ static const u8 ads1298_pga_settings[] =
+ static int ads1298_get_scale(struct ads1298_private *priv,
+                            int channel, int *val, int *val2)
+ {
++      unsigned int pga_idx;
+       int ret;
+       unsigned int regval;
+       u8 gain;
+@@ -302,7 +303,11 @@ static int ads1298_get_scale(struct ads1
+       if (ret)
+               return ret;
+-      gain = ads1298_pga_settings[FIELD_GET(ADS1298_MASK_CH_PGA, regval)];
++      pga_idx = FIELD_GET(ADS1298_MASK_CH_PGA, regval);
++      if (pga_idx >= ARRAY_SIZE(ads1298_pga_settings))
++              return -EINVAL;
++
++      gain = ads1298_pga_settings[pga_idx];
+       *val /= gain; /* Full scale is VREF / gain */
+       *val2 = ADS1298_BITS_PER_SAMPLE - 1; /* Signed, hence the -1 */
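Review bot: The new `if (pga_idx >= ARRAY_SIZE(ads1298_pga_settings))` branch returns -EINVAL with no trace, so a device or bus fault that produces the reserved b111 encoding is indistinguishable at the caller from any other invalid-argument error. Since the commit message states this value should never be seen on a correctly functioning device, a short comment on the check would tell the next reader why it exists, e.g. `/* b111 is reserved by the datasheet; refuse rather than index past the table */`. A ratelimited dev_err on the driver's device would also aid diagnosis, but the device pointer is not visible in this hunk. ads1298_get_scale() continues past the end of the hunk.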
diff --git a/queue-7.1/iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch b/queue-7.1/iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch
new file mode 100644 (file)
index 0000000..c113a2e
--- /dev/null
@@ -0,0 +1,52 @@
+From 307dc4240bd41852d9e0912921e298160db1c109 Mon Sep 17 00:00:00 2001
+From: Sam Daly <sam@samdaly.ie>
+Date: Thu, 14 May 2026 18:23:21 +0200
+Subject: iio: light: veml6075: add bounds check to veml6075_it_ms index
+
+From: Sam Daly <sam@samdaly.ie>
+
+commit 307dc4240bd41852d9e0912921e298160db1c109 upstream.
+
+veml6075_it_ms has 5 elements but VEML6075_CONF_IT can yield values 0-7.
+If it returns a value >= 5, this causes an out-of-bounds array access.
+Add a bounds check and return -EINVAL if the index is out of range.
+
+The problem values are reserved so should never be read from the
+register. Hence this is hardening against fault device, missprogramming
+or bus corruption.
+
+Assisted-by: gkh_clanker_2000
+Cc: stable <stable@kernel.org>
+Signed-off-by: Sam Daly <sam@samdaly.ie>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/veml6075.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/light/veml6075.c
++++ b/drivers/iio/light/veml6075.c
+@@ -100,7 +100,7 @@ static const struct iio_chan_spec veml60
+ static int veml6075_request_measurement(struct veml6075_data *data)
+ {
+-      int ret, conf, int_time;
++      int ret, conf, int_time, int_index;
+       ret = regmap_read(data->regmap, VEML6075_CMD_CONF, &conf);
+       if (ret < 0)
+@@ -117,7 +117,11 @@ static int veml6075_request_measurement(
+        * time for all possible configurations. Using a 1.50 factor simplifies
+        * operations and ensures reliability under all circumstances.
+        */
+-      int_time = veml6075_it_ms[FIELD_GET(VEML6075_CONF_IT, conf)];
++      int_index = FIELD_GET(VEML6075_CONF_IT, conf);
++      if (int_index >= ARRAY_SIZE(veml6075_it_ms))
++              return -EINVAL;
++
++      int_time = veml6075_it_ms[int_index];
+       msleep(int_time + (int_time / 2));
+       /* shutdown again, data registers are still accessible */
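Review bot: `int_index` is declared `int` on the new `int ret, conf, int_time, int_index;` line but compared against `ARRAY_SIZE(veml6075_it_ms)`, which is size_t, so the check is a signed/unsigned comparison. FIELD_GET() on the 3-bit VEML6075_CONF_IT field can only yield 0–7, so it is benign today, but an unsigned index is the natural type and matches the companion ads1298 patch in this series (`unsigned int pga_idx;`); declare it separately as `unsigned int int_index;`. veml6075_request_measurement() continues past the end of the hunk.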
diff --git a/queue-7.1/input-rmi4-fix-bit-count-in-bitmap_copy.patch b/queue-7.1/input-rmi4-fix-bit-count-in-bitmap_copy.patch
new file mode 100644 (file)
index 0000000..beca842
--- /dev/null
@@ -0,0 +1,47 @@
+From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:37 -0700
+Subject: Input: rmi4 - fix bit count in bitmap_copy()
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
+
+bitmap_copy() takes number of bits, not bytes (or longs). Correct
+the bit count in rmi_driver_set_irq_bits() and
+rmi_driver_clear_irq_bits().
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -388,9 +388,8 @@ static int rmi_driver_set_irq_bits(struc
+                                                       __func__);
+               goto error_unlock;
+       }
+-      bitmap_copy(data->current_irq_mask, data->new_irq_mask,
+-                  data->num_of_irq_regs);
++      bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
+       bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
+ error_unlock:
+@@ -419,8 +418,8 @@ static int rmi_driver_clear_irq_bits(str
+                                                       __func__);
+               goto error_unlock;
+       }
+-      bitmap_copy(data->current_irq_mask, data->new_irq_mask,
+-                  data->num_of_irq_regs);
++
++      bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
+ error_unlock:
+       mutex_unlock(&data->irq_mutex);
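Review bot: The second hunk inserts a blank line (the lone `+` before the new `bitmap_copy()` call in rmi_driver_clear_irq_bits()) that the matching change in rmi_driver_set_irq_bits() does not, leaving the two otherwise parallel functions formatted differently. Drop the blank line so the closing brace is followed directly by `bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);` in both. Both functions start before their hunks.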
diff --git a/queue-7.1/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch b/queue-7.1/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
new file mode 100644 (file)
index 0000000..006668e
--- /dev/null
@@ -0,0 +1,37 @@
+From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:35 -0700
+Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
+
+kfifo_put() returns 0 if the FIFO is full. In this case, we must
+free the memory allocated for the attention data to avoid a leak.
+
+Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -183,7 +183,11 @@ void rmi_set_attn_data(struct rmi_device
+       attn_data.size = size;
+       attn_data.data = fifo_data;
+-      kfifo_put(&drvdata->attn_fifo, attn_data);
++      if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
++              dev_warn_ratelimited(&rmi_dev->dev,
++                                   "Failed to enqueue attention data, FIFO full\n");
++              kfree(fifo_data);
++      }
+ }
+ EXPORT_SYMBOL_GPL(rmi_set_attn_data);
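Review bot: rmi_set_attn_data() returns void and is exported, so after the new `if (!kfifo_put(...))` branch frees `fifo_data` the calling transport has no way to learn that the attention event was dropped; the ratelimited warning is the only signal. That contract should be stated in the function's kernel-doc, which starts before this hunk, e.g. `If the attention FIFO is full the event is dropped and its data freed; callers are not notified.` The fix itself is correct: `attn_data.data` is a local copy that goes out of scope, so nothing retains the freed pointer.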
diff --git a/queue-7.1/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch b/queue-7.1/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
new file mode 100644 (file)
index 0000000..2b07bcd
--- /dev/null
@@ -0,0 +1,53 @@
+From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:34 -0700
+Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
+
+RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
+may overflow num_subpackets in struct rmi_register_desc_item which is
+defined as a u8.
+
+Fix this by changing the type of num_subpackets to u16.
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.h |    2 +-
+ drivers/input/rmi4/rmi_f12.c    |    7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.h
++++ b/drivers/input/rmi4/rmi_driver.h
+@@ -53,7 +53,7 @@ struct pdt_entry {
+ struct rmi_register_desc_item {
+       u16 reg;
+       unsigned long reg_size;
+-      u8 num_subpackets;
++      u16 num_subpackets;
+       unsigned long subpacket_map[BITS_TO_LONGS(
+                               RMI_REG_DESC_SUBPACKET_BITS)];
+ };
+--- a/drivers/input/rmi4/rmi_f12.c
++++ b/drivers/input/rmi4/rmi_f12.c
+@@ -467,6 +467,13 @@ static int rmi_f12_probe(struct rmi_func
+               f12->data1 = item;
+               f12->data1_offset = data_offset;
+               data_offset += item->reg_size;
++
++              if (item->num_subpackets > 255) {
++                      dev_err(&fn->dev, "Too many fingers declared: %d\n",
++                              item->num_subpackets);
++                      return -EINVAL;
++              }
++
+               sensor->nbr_fingers = item->num_subpackets;
+               sensor->report_abs = 1;
+               sensor->attn_size += item->reg_size;
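Review bot: The new guard `if (item->num_subpackets > 255)` uses a bare magic number; the limit is presumably the width of `sensor->nbr_fingers`, whose declaration is not in this hunk, so the intent is invisible at the check. Spelling it as `if (item->num_subpackets > U8_MAX) {` ties the bound to the type it protects and survives a later change of that field. rmi_f12_probe() starts before and continues after the hunk, so whether the early `return -EINVAL` releases anything allocated earlier in the function cannot be confirmed from here.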
diff --git a/queue-7.1/input-rmi4-fix-register-descriptor-address-calculation.patch b/queue-7.1/input-rmi4-fix-register-descriptor-address-calculation.patch
new file mode 100644 (file)
index 0000000..b32bd20
--- /dev/null
@@ -0,0 +1,40 @@
+From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:31 -0700
+Subject: Input: rmi4 - fix register descriptor address calculation
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
+
+When reading the register descriptor, the base address is incremented by
+1 to read the presence register block. However, after reading the
+presence register block, the address is incorrectly incremented by only
+1 byte (++addr) instead of the actual size of the presence block
+(size_presence_reg). This causes the subsequent structure block read to
+read from the wrong memory location if the presence block is larger than
+1 byte.
+
+Fix this by advancing the address by size_presence_reg.
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -594,7 +594,7 @@ int rmi_read_register_desc(struct rmi_de
+       ret = rmi_read_block(d, addr, buf, size_presence_reg);
+       if (ret)
+               return ret;
+-      ++addr;
++      addr += size_presence_reg;
+       if (buf[0] == 0) {
+               presense_offset = 3;
diff --git a/queue-7.1/input-rmi4-fix-type-overflow-in-register-counts.patch b/queue-7.1/input-rmi4-fix-type-overflow-in-register-counts.patch
new file mode 100644 (file)
index 0000000..0c40092
--- /dev/null
@@ -0,0 +1,39 @@
+From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:33 -0700
+Subject: Input: rmi4 - fix type overflow in register counts
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
+
+The number of registers in the RMI4 register descriptor is populated
+by counting the bits in the presence map using bitmap_weight(). Since
+the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
+storing this count in a u8 can overflow to 0 if all 256 bits are set.
+
+Change the num_registers field in struct rmi_register_descriptor
+from u8 to u16 to prevent potential integer overflow and ensure safe
+processing of devices reporting large descriptors.
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.h
++++ b/drivers/input/rmi4/rmi_driver.h
+@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
+ struct rmi_register_descriptor {
+       unsigned long struct_size;
+       unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
+-      u8 num_registers;
++      u16 num_registers;
+       struct rmi_register_desc_item *registers;
+ };
diff --git a/queue-7.1/input-rmi4-iterative-irq-handler.patch b/queue-7.1/input-rmi4-iterative-irq-handler.patch
new file mode 100644 (file)
index 0000000..6852b86
--- /dev/null
@@ -0,0 +1,66 @@
+From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:36 -0700
+Subject: Input: rmi4 - iterative IRQ handler
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
+
+The current IRQ handler uses recursion to drain the attention FIFO,
+which can lead to stack overflow on deep queues. Convert it to a
+loop.
+
+Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.c |   32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -198,24 +198,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
+       struct rmi4_attn_data attn_data = {0};
+       int ret, count;
+-      count = kfifo_get(&drvdata->attn_fifo, &attn_data);
+-      if (count) {
+-              *(drvdata->irq_status) = attn_data.irq_status;
+-              drvdata->attn_data = attn_data;
+-      }
++      do {
++              count = kfifo_get(&drvdata->attn_fifo, &attn_data);
++              if (count) {
++                      *drvdata->irq_status = attn_data.irq_status;
++                      drvdata->attn_data = attn_data;
++              }
+-      ret = rmi_process_interrupt_requests(rmi_dev);
+-      if (ret)
+-              rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
+-                      "Failed to process interrupt request: %d\n", ret);
++              ret = rmi_process_interrupt_requests(rmi_dev);
++              if (ret)
++                      rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
++                              "Failed to process interrupt request: %d\n",
++                              ret);
+-      if (count) {
+-              kfree(attn_data.data);
+-              drvdata->attn_data.data = NULL;
+-      }
+-
+-      if (!kfifo_is_empty(&drvdata->attn_fifo))
+-              return rmi_irq_fn(irq, dev_id);
++              if (count) {
++                      kfree(attn_data.data);
++                      drvdata->attn_data.data = NULL;
++              }
++      } while (!kfifo_is_empty(&drvdata->attn_fifo));
+       return IRQ_HANDLED;
+ }
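Review bot: The new `do { ... } while (!kfifo_is_empty(&drvdata->attn_fifo))` loop has no iteration bound, so a transport that keeps calling rmi_set_attn_data() faster than rmi_process_interrupt_requests() drains entries keeps this handler running; the recursion it replaces had the same property plus unbounded stack growth, so this is not a regression, but it deserves a comment. Suggested, above the `do`: `/* Drain every queued attention packet before returning; the first pass also handles a plain hardware IRQ when the FIFO is empty. */`. The first iteration deliberately calls rmi_process_interrupt_requests() even when kfifo_get() returned 0, which preserves the pre-existing non-FIFO path. rmi_irq_fn() starts before the hunk.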
diff --git a/queue-7.1/input-rmi4-refactor-register-descriptor-parsing.patch b/queue-7.1/input-rmi4-refactor-register-descriptor-parsing.patch
new file mode 100644 (file)
index 0000000..27017a9
--- /dev/null
@@ -0,0 +1,224 @@
+From 0adb483fbf2dc43c875cd7550a58b41e92efc52d Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:32 -0700
+Subject: Input: rmi4 - refactor register descriptor parsing
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 0adb483fbf2dc43c875cd7550a58b41e92efc52d upstream.
+
+Factor out parsing a register descriptor item from
+rmi_read_register_desc() and ensure there are no out-of-bounds accesses.
+
+Use get_unaligned_le16() and get_unaligned_le32() for reading multi-byte
+values.
+
+Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-2-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.c |  124 ++++++++++++++++++++++++----------------
+ 1 file changed, 76 insertions(+), 48 deletions(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -22,6 +22,7 @@
+ #include <uapi/linux/input.h>
+ #include <linux/rmi.h>
+ #include <linux/export.h>
++#include <linux/unaligned.h>
+ #include "rmi_bus.h"
+ #include "rmi_driver.h"
+@@ -558,30 +559,74 @@ int rmi_scan_pdt(struct rmi_device *rmi_
+       return retval < 0 ? retval : 0;
+ }
++static int rmi_parse_register_desc_item(struct rmi_register_desc_item *item,
++                                      const u8 *buf, size_t size)
++{
++      unsigned int offset = 0;
++      unsigned int map_offset = 0;
++      int b;
++
++      if (offset >= size)
++              return -EIO;
++
++      item->reg_size = buf[offset++];
++      if (item->reg_size == 0) {
++              if (size - offset < 2)
++                      return -EIO;
++              item->reg_size = get_unaligned_le16(&buf[offset]);
++              offset += 2;
++      }
++
++      if (item->reg_size == 0) {
++              if (size - offset < 4)
++                      return -EIO;
++              item->reg_size = get_unaligned_le32(&buf[offset]);
++              offset += 4;
++      }
++
++      do {
++              if (offset >= size)
++                      return -EIO;
++
++              for (b = 0; b < 7; b++) {
++                      if (buf[offset] & BIT(b)) {
++                              if (map_offset >= RMI_REG_DESC_SUBPACKET_BITS)
++                                      return -EIO;
++                              __set_bit(map_offset, item->subpacket_map);
++                      }
++                      ++map_offset;
++              }
++      } while (buf[offset++] & BIT(7));
++
++      item->num_subpackets = bitmap_weight(item->subpacket_map,
++                                           RMI_REG_DESC_SUBPACKET_BITS);
++
++      return offset;
++}
++
+ int rmi_read_register_desc(struct rmi_device *d, u16 addr,
+-                              struct rmi_register_descriptor *rdesc)
++                         struct rmi_register_descriptor *rdesc)
+ {
+       int ret;
+       u8 size_presence_reg;
+       u8 buf[35];
+-      int presense_offset = 1;
+-      u8 *struct_buf;
+-      int reg;
+-      int offset = 0;
+-      int map_offset = 0;
++      unsigned int presence_offset;
++      unsigned int map_offset;
++      unsigned int offset;
++      unsigned int reg;
+       int i;
+       int b;
+       /*
+        * The first register of the register descriptor is the size of
+-       * the register descriptor's presense register.
++       * the register descriptor's presence register.
+        */
+       ret = rmi_read(d, addr, &size_presence_reg);
+       if (ret)
+               return ret;
+       ++addr;
+-      if (size_presence_reg < 0 || size_presence_reg > 35)
++      if (size_presence_reg < 1 || size_presence_reg > 35)
+               return -EIO;
+       memset(buf, 0, sizeof(buf));
+@@ -597,16 +642,23 @@ int rmi_read_register_desc(struct rmi_de
+       addr += size_presence_reg;
+       if (buf[0] == 0) {
+-              presense_offset = 3;
+-              rdesc->struct_size = buf[1] | (buf[2] << 8);
++              if (size_presence_reg < 3)
++                      return -EIO;
++              presence_offset = 3;
++              rdesc->struct_size = get_unaligned_le16(&buf[1]);
+       } else {
++              presence_offset = 1;
+               rdesc->struct_size = buf[0];
+       }
+-      for (i = presense_offset; i < size_presence_reg; i++) {
++      map_offset = 0;
++      for (i = presence_offset; i < size_presence_reg; i++) {
+               for (b = 0; b < 8; b++) {
+-                      if (buf[i] & (0x1 << b))
++                      if (buf[i] & BIT(b)) {
++                              if (map_offset >= RMI_REG_DESC_PRESENSE_BITS)
++                                      return -EIO;
+                               bitmap_set(rdesc->presense_map, map_offset, 1);
++                      }
+                       ++map_offset;
+               }
+       }
+@@ -626,7 +678,7 @@ int rmi_read_register_desc(struct rmi_de
+        * I'm not using devm_kzalloc here since it will not be retained
+        * after exiting this function
+        */
+-      struct_buf = kzalloc(rdesc->struct_size, GFP_KERNEL);
++      u8 *struct_buf __free(kfree) = kzalloc(rdesc->struct_size, GFP_KERNEL);
+       if (!struct_buf)
+               return -ENOMEM;
+@@ -638,56 +690,32 @@ int rmi_read_register_desc(struct rmi_de
+        */
+       ret = rmi_read_block(d, addr, struct_buf, rdesc->struct_size);
+       if (ret)
+-              goto free_struct_buff;
++              return ret;
+       reg = find_first_bit(rdesc->presense_map, RMI_REG_DESC_PRESENSE_BITS);
++      offset = 0;
+       for (i = 0; i < rdesc->num_registers; i++) {
+               struct rmi_register_desc_item *item = &rdesc->registers[i];
+-              int reg_size = struct_buf[offset];
++              int item_size;
+-              ++offset;
+-              if (reg_size == 0) {
+-                      reg_size = struct_buf[offset] |
+-                                      (struct_buf[offset + 1] << 8);
+-                      offset += 2;
+-              }
+-
+-              if (reg_size == 0) {
+-                      reg_size = struct_buf[offset] |
+-                                      (struct_buf[offset + 1] << 8) |
+-                                      (struct_buf[offset + 2] << 16) |
+-                                      (struct_buf[offset + 3] << 24);
+-                      offset += 4;
+-              }
++              item_size = rmi_parse_register_desc_item(item,
++                                                       &struct_buf[offset],
++                                                       rdesc->struct_size - offset);
++              if (item_size < 0)
++                      return item_size;
+               item->reg = reg;
+-              item->reg_size = reg_size;
+-
+-              map_offset = 0;
+-
+-              do {
+-                      for (b = 0; b < 7; b++) {
+-                              if (struct_buf[offset] & (0x1 << b))
+-                                      bitmap_set(item->subpacket_map,
+-                                              map_offset, 1);
+-                              ++map_offset;
+-                      }
+-              } while (struct_buf[offset++] & 0x80);
+-
+-              item->num_subpackets = bitmap_weight(item->subpacket_map,
+-                                              RMI_REG_DESC_SUBPACKET_BITS);
++              offset += item_size;
+               rmi_dbg(RMI_DEBUG_CORE, &d->dev,
+                       "%s: reg: %d reg size: %ld subpackets: %d\n", __func__,
+                       item->reg, item->reg_size, item->num_subpackets);
+               reg = find_next_bit(rdesc->presense_map,
+-                              RMI_REG_DESC_PRESENSE_BITS, reg + 1);
++                                  RMI_REG_DESC_PRESENSE_BITS, reg + 1);
+       }
+-free_struct_buff:
+-      kfree(struct_buf);
+-      return ret;
++      return 0;
+ }
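Review bot: rmi_parse_register_desc_item() only ever sets bits in `item->subpacket_map` (via `__set_bit`) and never clears it, so it is correct only if the caller hands it zeroed items; the allocation of `rdesc->registers` is outside this hunk, so that precondition cannot be verified here and should be stated in a kernel-doc block on the new function, e.g. `@item must be zero-initialised; subpacket_map is only ever set, never cleared.` Minor: the opening `if (offset >= size)` is evaluated with `offset` just initialised to 0 and reads more clearly as `if (!size)`. The `return offset;` converts an `unsigned int` to `int`, which is safe because `size` is bounded by `rdesc->struct_size`, itself at most a u16 value from `get_unaligned_le16(&buf[1])` or `buf[0]`.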
+ const struct rmi_register_desc_item *rmi_get_register_desc_item(
diff --git a/queue-7.1/ksmbd-reject-non-valid-session-in-compound-request-branch.patch b/queue-7.1/ksmbd-reject-non-valid-session-in-compound-request-branch.patch
new file mode 100644 (file)
index 0000000..8468a5b
--- /dev/null
@@ -0,0 +1,58 @@
+From 609ca17d869d04ba249e32cdcbf13c0b1c66f43c Mon Sep 17 00:00:00 2001
+From: Gil Portnoy <dddhkts1@gmail.com>
+Date: Thu, 11 Jun 2026 22:59:19 +0900
+Subject: ksmbd: reject non-VALID session in compound request branch
+
+From: Gil Portnoy <dddhkts1@gmail.com>
+
+commit 609ca17d869d04ba249e32cdcbf13c0b1c66f43c upstream.
+
+smb2_check_user_session() takes a shortcut for any operation that is not
+the first in a COMPOUND request: it reuses work->sess (the session bound by
+the first operation) and validates only the SessionId, then returns
+"valid". It never re-checks work->sess->state == SMB2_SESSION_VALID, and a
+SessionId of 0xFFFFFFFFFFFFFFFF (ULLONG_MAX, the MS-SMB2 related-operation
+value) skips even the id comparison. The standalone path
+(ksmbd_session_lookup_all() plus the SESSION_SETUP state machine) does
+enforce the VALID state; the compound branch bypasses all of it.
+
+A SESSION_SETUP carrying only an NTLM Type-1 (NtLmNegotiate) blob publishes
+a fresh SMB2_SESSION_IN_PROGRESS session whose sess->user is still NULL
+(->user is assigned later, by ntlm_authenticate()). Used as operation 1 of
+a COMPOUND with operation 2 = TREE_CONNECT (related, SessionId=ULLONG_MAX,
+\\host\IPC$), the tree-connect then runs on that IN_PROGRESS session and
+reaches ksmbd_ipc_tree_connect_request(), which dereferences
+user_name(sess->user) with sess->user == NULL (transport_ipc.c:687/701/704)
+-> remote NULL-pointer dereference and a kernel Oops that wedges the ksmbd
+worker for all clients.
+
+Reject any non-first compound operation that lands on a session which is
+not SMB2_SESSION_VALID, mirroring the validity the standalone lookup path
+enforces. SESSION_SETUP itself legitimately runs on an IN_PROGRESS session,
+but it is never carried as a non-first compound operation, so multi-leg
+authentication is unaffected by this check.
+
+Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -613,6 +613,11 @@ int smb2_check_user_session(struct ksmbd
+                                       sess_id, work->sess->id);
+                       return -EINVAL;
+               }
++              if (work->sess->state != SMB2_SESSION_VALID) {
++                      pr_err("compound request on a non-valid session (state %d)\n",
++                                      work->sess->state);
++                      return -EINVAL;
++              }
+               return 1;
+       }
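Review bot: The new `pr_err("compound request on a non-valid session ...")` sits on a path an unauthenticated remote peer can reach at will (the commit message describes reaching it with a bare NTLM negotiate followed by a related TREE_CONNECT), so a single client can flood the kernel log; use `pr_err_ratelimited(...)` or the subsystem's ksmbd_debug() instead. The id-mismatch branch just above appears to log the same way, so if one is ratelimited both should be. The check itself is correctly placed after the id comparison, so it also covers the ULLONG_MAX related-operation case that skips that comparison. smb2_check_user_session() starts before and continues after the hunk.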
diff --git a/queue-7.1/media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch b/queue-7.1/media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
new file mode 100644 (file)
index 0000000..d508767
--- /dev/null
@@ -0,0 +1,81 @@
+From 7d8bf3d8f91073f4db347ed3aa6302b56107499c Mon Sep 17 00:00:00 2001
+From: Ruslan Valiyev <linuxoid@gmail.com>
+Date: Tue, 17 Mar 2026 17:05:44 +0000
+Subject: media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si
+
+From: Ruslan Valiyev <linuxoid@gmail.com>
+
+commit 7d8bf3d8f91073f4db347ed3aa6302b56107499c upstream.
+
+syzbot reported a general protection fault in
+vidtv_psi_ts_psi_write_into [1].
+
+vidtv_mux_get_pid_ctx() can return NULL, but vidtv_mux_push_si() does
+not check for this before dereferencing the returned pointer to access
+the continuity counter. This leads to a general protection fault when
+accessing a near-NULL address.
+
+The root cause is that vidtv_mux_pid_ctx_init() does not check the
+return value of vidtv_mux_create_pid_ctx_once() for PMT section PIDs.
+If the allocation fails, the PID context is never created, but init
+returns success. The subsequent vidtv_mux_push_si() call then gets
+NULL from vidtv_mux_get_pid_ctx() and crashes.
+
+Fix both the root cause (add error check in vidtv_mux_pid_ctx_init
+for PMT PIDs) and add defensive NULL checks in vidtv_mux_push_si for
+all vidtv_mux_get_pid_ctx() calls.
+
+[1]
+Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+Workqueue: events vidtv_mux_tick
+RIP: 0010:vidtv_psi_ts_psi_write_into+0x54a/0xbc0 drivers/media/test-drivers/vidtv/vidtv_psi.c:197
+Call Trace:
+ <TASK>
+ vidtv_psi_table_header_write_into drivers/media/test-drivers/vidtv/vidtv_psi.c:799 [inline]
+ vidtv_psi_pmt_write_into+0x3b2/0xa70 drivers/media/test-drivers/vidtv/vidtv_psi.c:1231
+ vidtv_mux_push_si+0x932/0xe80 drivers/media/test-drivers/vidtv/vidtv_mux.c:196
+ vidtv_mux_tick+0xe9b/0x1480 drivers/media/test-drivers/vidtv/vidtv_mux.c:408
+
+Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+814c351d094f4f1a1b86@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=814c351d094f4f1a1b86
+Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/test-drivers/vidtv/vidtv_mux.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/test-drivers/vidtv/vidtv_mux.c
++++ b/drivers/media/test-drivers/vidtv/vidtv_mux.c
+@@ -101,7 +101,8 @@ static int vidtv_mux_pid_ctx_init(struct
+       /* add a ctx for all PMT sections */
+       while (p) {
+               pid = vidtv_psi_get_pat_program_pid(p);
+-              vidtv_mux_create_pid_ctx_once(m, pid);
++              if (!vidtv_mux_create_pid_ctx_once(m, pid))
++                      goto free;
+               p = p->next;
+       }
+@@ -170,6 +171,9 @@ static u32 vidtv_mux_push_si(struct vidt
+       nit_ctx = vidtv_mux_get_pid_ctx(m, VIDTV_NIT_PID);
+       eit_ctx = vidtv_mux_get_pid_ctx(m, VIDTV_EIT_PID);
++      if (!pat_ctx || !sdt_ctx || !nit_ctx || !eit_ctx)
++              return 0;
++
+       pat_args.offset             = m->mux_buf_offset;
+       pat_args.continuity_counter = &pat_ctx->cc;
+@@ -186,6 +190,8 @@ static u32 vidtv_mux_push_si(struct vidt
+               }
+               pmt_ctx = vidtv_mux_get_pid_ctx(m, pmt_pid);
++              if (!pmt_ctx)
++                      continue;
+               pmt_args.offset             = m->mux_buf_offset;
+               pmt_args.pmt                = m->si.pmt_secs[i];
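Review bot: The new `if (!pat_ctx || !sdt_ctx || !nit_ctx || !eit_ctx) return 0;` and the `if (!pmt_ctx) continue;` in vidtv_mux_push_si() bail out silently, so if any future path leaves a PID without a context the mux simply stops emitting that table with nothing in the log. Since the root cause is now handled in vidtv_mux_pid_ctx_init(), a `pr_warn_once()` before each early exit, or at least a comment marking them as defensive and expected to be unreachable, would make a recurrence visible. In the first hunk, `goto free` jumps to a label outside the hunk, so whether that path releases the contexts already created and returns an error cannot be confirmed from here. Both functions start before and continue after their hunks.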
diff --git a/queue-7.1/serial-8250_dw-unregister-8250-port-if-clk_notifier_register-fails.patch b/queue-7.1/serial-8250_dw-unregister-8250-port-if-clk_notifier_register-fails.patch
new file mode 100644 (file)
index 0000000..662a8a2
--- /dev/null
@@ -0,0 +1,46 @@
+From 10fc708b4de7f86002d2d735a2dbf3b5b7f65692 Mon Sep 17 00:00:00 2001
+From: Stepan Ionichev <sozdayvek@gmail.com>
+Date: Thu, 14 May 2026 19:37:45 +0500
+Subject: serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails
+
+From: Stepan Ionichev <sozdayvek@gmail.com>
+
+commit 10fc708b4de7f86002d2d735a2dbf3b5b7f65692 upstream.
+
+dw8250_probe() registers the 8250 port via serial8250_register_8250_port()
+and then, if the device has a clock, registers a clock notifier. If
+clk_notifier_register() fails, probe returns the error but leaves the
+8250 port registered. The matching serial8250_unregister_port() lives
+in dw8250_remove(), which is not called when probe fails, so the port
+slot stays occupied until the device is rebound or the system is
+rebooted. The devm-allocated driver data is freed while the port still
+references it (via the saved private_data and serial_in/serial_out
+callbacks), so any access to that port slot before a rebind is a
+use-after-free hazard.
+
+Unregister the port on the clk_notifier_register() error path.
+
+Fixes: cc816969d7b5 ("serial: 8250_dw: Fix common clocks usage race condition")
+Cc: stable@vger.kernel.org
+Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://patch.msgid.link/20260514143746.23671-2-sozdayvek@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_dw.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_dw.c
++++ b/drivers/tty/serial/8250/8250_dw.c
+@@ -850,8 +850,10 @@ static int dw8250_probe(struct platform_
+        */
+       if (data->clk) {
+               err = clk_notifier_register(data->clk, &data->clk_notifier);
+-              if (err)
++              if (err) {
++                      serial8250_unregister_port(data->data.line);
+                       return dev_err_probe(dev, err, "Failed to set the clock notifier\n");
++              }
+               queue_work(system_dfl_wq, &data->clk_work);
+       }
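Review bot: The new `serial8250_unregister_port(data->data.line)` call inside the `if (err) {` block carries no comment on why the unwind belongs here, and the reason (dw8250_remove() is not run when probe fails, so the port slot would otherwise keep a stale private_data) lives only in the commit message. Suggest `/* dw8250_remove() is not called on probe failure: drop the port here so the slot does not keep a dangling private_data. */` above the call. If further fallible steps follow the port registration later in dw8250_probe(), a shared `err_unregister:` label reached by goto would spare them the same inline call; the remainder of the function is outside this hunk.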
diff --git a/queue-7.1/serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch b/queue-7.1/serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch
new file mode 100644 (file)
index 0000000..d71b315
--- /dev/null
@@ -0,0 +1,50 @@
+From b93062b6d8a1b2d9bad235cac25558a909819026 Mon Sep 17 00:00:00 2001
+From: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
+Date: Thu, 28 May 2026 22:48:07 +0530
+Subject: serial: qcom_geni: Fix RX DMA stall when SE_DMA_RX_LEN_IN is zero
+
+From: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
+
+commit b93062b6d8a1b2d9bad235cac25558a909819026 upstream.
+
+In qcom_geni_serial_handle_rx_dma(), geni_se_rx_dma_unprep() clears
+port->rx_dma_addr before SE_DMA_RX_LEN_IN is read. If the register is zero,
+for example when the RX stale counter fires on an idle line, the handler
+returns without calling geni_se_rx_dma_prep().
+
+The next RX DMA interrupt then hits the !port->rx_dma_addr guard and
+returns immediately, so the RX DMA buffer is never rearmed and later input
+is lost.
+
+Keep the handler on the rearm path when rx_in is zero. Warn about the
+unexpected zero-length DMA completion, skip received-data handling, and
+always call geni_se_rx_dma_prep().
+
+Fixes: 2aaa43c70778 ("tty: serial: qcom-geni-serial: add support for serial engine DMA")
+Cc: stable@vger.kernel.org
+Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260528-serial-rx-0-byte-fix-v2-1-b4195cfe342f@oss.qualcomm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/qcom_geni_serial.c |    9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/serial/qcom_geni_serial.c
++++ b/drivers/tty/serial/qcom_geni_serial.c
+@@ -905,12 +905,9 @@ static void qcom_geni_serial_handle_rx_d
+       port->rx_dma_addr = 0;
+       rx_in = readl(uport->membase + SE_DMA_RX_LEN_IN);
+-      if (!rx_in) {
+-              dev_warn(uport->dev, "serial engine reports 0 RX bytes in!\n");
+-              return;
+-      }
+-
+-      if (!drop)
++      if (!rx_in)
++              dev_warn_ratelimited(uport->dev, "serial engine reports 0 RX bytes in!\n");
++      else if (!drop)
+               handle_rx_uart(uport, rx_in);
+       ret = geni_se_rx_dma_prep(&port->se, port->rx_buf,
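Review bot: The `dev_warn_ratelimited()` in the new `if (!rx_in)` branch warns on a condition the commit message describes as occurring in normal operation (the RX stale counter firing on an idle line), so if that is indeed expected, `dev_dbg()` may be the better level, or the code should say why a warning is still wanted. Either way the fall-through deserves a short comment, e.g. `/* A zero-length completion must still reach geni_se_rx_dma_prep() below, otherwise RX DMA is never rearmed. */` above the `if (!rx_in)`. qcom_geni_serial_handle_rx_dma() begins and ends outside this hunk.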
index 51ef577c1004cff03cfc25a7847256b71071cdb0..cacf2f2248de25830c1289991aaf4a5ec5d187fd 100644 (file)
@@ -2,3 +2,20 @@ io_uring-net-avoid-msghdr-on-op_connect-op_bind-asyn.patch
 fuse-re-lock-request-before-replacing-page-cache-folio.patch
 revert-nfsd-defer-sub-object-cleanup-in-export-put-callbacks.patch
 agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch
+iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch
+iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch
+input-rmi4-fix-register-descriptor-address-calculation.patch
+input-rmi4-refactor-register-descriptor-parsing.patch
+input-rmi4-fix-type-overflow-in-register-counts.patch
+input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
+input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
+input-rmi4-iterative-irq-handler.patch
+input-rmi4-fix-bit-count-in-bitmap_copy.patch
+crypto-qat-remove-unused-character-device-and-ioctls.patch
+vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
+serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch
+serial-8250_dw-unregister-8250-port-if-clk_notifier_register-fails.patch
+drivers-base-memory-set-mem-altmap-after-successful-device-registration.patch
+ksmbd-reject-non-valid-session-in-compound-request-branch.patch
+media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
+virtiofs-fix-uaf-on-submount-umount.patch
diff --git a/queue-7.1/vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch b/queue-7.1/vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
new file mode 100644 (file)
index 0000000..d3fd27a
--- /dev/null
@@ -0,0 +1,46 @@
+From a287620312dc6dcb9a093417a0e589bf30fcf38a Mon Sep 17 00:00:00 2001
+From: Yi Yang <yiyang13@huawei.com>
+Date: Thu, 4 Jun 2026 06:07:34 +0000
+Subject: vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write
+
+From: Yi Yang <yiyang13@huawei.com>
+
+commit a287620312dc6dcb9a093417a0e589bf30fcf38a upstream.
+
+A KASAN null-ptr-deref was observed in vcs_notifier():
+
+BUG: KASAN: null-ptr-deref in vcs_notifier+0x98/0x130
+Read of size 2 at addr qmp_cmd_name: qmp_capabilities, arguments: {}
+
+The issue is a race condition in vcs_write(). When the console_lock is
+temporarily dropped (to copy data from userspace), the vc_data pointer
+obtained from vcs_vc() may become stale. After re-acquiring the lock,
+vcs_vc() is called again to re-validate the pointer. If the vc has been
+deallocated in the meantime, vcs_vc() returns NULL, and the while loop
+breaks (with written > 0). However, after the loop, vcs_scr_updated(vc)
+is still called with the now-NULL vc pointer, leading to a null pointer
+dereference in the notifier chain (vcs_notifier dereferences param->vc).
+
+Fix this by adding a NULL check for vc before calling vcs_scr_updated().
+
+Fixes: 8fb9ea65c9d1 ("vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yi Yang <yiyang13@huawei.com>
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Link: https://patch.msgid.link/20260604060734.2914976-1-yiyang13@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/vt/vc_screen.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/vc_screen.c
++++ b/drivers/tty/vt/vc_screen.c
+@@ -686,7 +686,7 @@ vcs_write(struct file *file, const char
+       }
+       *ppos += written;
+       ret = written;
+-      if (written)
++      if (written && vc)
+               vcs_scr_updated(vc);
+       return ret;
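Review bot: The added `vc` test in `if (written && vc)` does not say why vc can be NULL at this point, so a later reader is likely to take it for a redundant check and remove it. Suggest a comment above it: `/* vc is NULL if the console was deallocated while console_lock was dropped in the copy loop; the bytes already written are still reported, but no update is signalled. */`. The copy loop that reloads vc via vcs_vc() is outside this hunk, so that explanation is taken from the commit message and should be confirmed against it.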
diff --git a/queue-7.1/virtiofs-fix-uaf-on-submount-umount.patch b/queue-7.1/virtiofs-fix-uaf-on-submount-umount.patch
new file mode 100644 (file)
index 0000000..5aed9db
--- /dev/null
@@ -0,0 +1,53 @@
+From 06b41351779e9289e8785694ade9042ae85e41ea Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu, 28 May 2026 10:58:24 +0200
+Subject: virtiofs: fix UAF on submount umount
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 06b41351779e9289e8785694ade9042ae85e41ea upstream.
+
+iput() called from fuse_release_end() can Oops if the super block has
+already been destroyed.  Normally this is prevented by waiting for
+num_waiting to go down to zero before commencing with super block shutdown.
+
+This only works, however, for the last submount instance, as the wait
+counter is per connection, not per superblock.
+
+Revert to using synchronous release requests for the auto_submounts case,
+which is virtiofs only at this time.
+
+Reported-by: AurĂ©lien Bombo <abombo@microsoft.com>
+Reported-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Cc: Greg Kurz <gkurz@redhat.com>
+Closes: https://github.com/kata-containers/kata-containers/issues/12589
+Fixes: 26e5c67deb2e ("fuse: fix livelock in synchronous file put from fuseblk workers")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kurz <gkurz@redhat.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/file.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -380,8 +380,14 @@ void fuse_file_release(struct inode *ino
+        * aio and closes the fd before the aio completes.  Since aio takes its
+        * own ref to the file, the IO completion has to drop the ref, which is
+        * how the fuse server can end up closing its clients' files.
++       *
++       * Exception is virtio-fs, which is not affected by the above (server is
++       * on host, cannot close open files in guest).  Virtio-fs needs sync
++       * release, because the num_waiting mechanism to wait for all requests
++       * before commencing with fs shutdown doesn't work if submounts are
++       * used.
+        */
+-      fuse_file_put(ff, false);
++      fuse_file_put(ff, ff->fm->fc->auto_submounts);
+ }
+ void fuse_release_common(struct file *file, bool isdir)
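Review bot: `fuse_file_put(ff, ff->fm->fc->auto_submounts)` passes a connection flag as a positional bool, so a reader without the fuse_file_put() signature at hand cannot tell that it selects a synchronous release; a named local makes the intent explicit, e.g. `bool sync = ff->fm->fc->auto_submounts;` followed by `fuse_file_put(ff, sync);`. The extended comment above speaks only of virtio-fs while the code keys on auto_submounts, so adding `* auto_submounts is currently only set by virtio-fs, hence the check.` to that comment would tie the two together. fuse_file_release() starts outside this hunk.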