--- /dev/null
+From b32ae47a2b0a1fb4bd4942242847966d9b178222 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 27 Apr 2026 16:56:15 +0200
+Subject: ALSA: caiaq: Don't abort when no input device is available
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit b32ae47a2b0a1fb4bd4942242847966d9b178222 upstream.
+
+The previous fix to handle the error from setup_card() caused a
+regression for the models that have no dedicated input device;
+snd_usb_caiaq_input_init() just returns -EINVAL, and we treat it as a
+fatal error although it should be ignored.
+
+As a regression fix, change the error code to -ENODEV, and ignore this
+error in the callee, to continue probing.
+
+Fixes: 28abd224db4a ("ALSA: caiaq: Handle probe errors properly")
+Cc: <stable@vger.kernel.org>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=221423
+Link: https://patch.msgid.link/20260427145642.6637-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/caiaq/device.c | 2 +-
+ sound/usb/caiaq/input.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/caiaq/device.c
++++ b/sound/usb/caiaq/device.c
+@@ -366,7 +366,7 @@ static int setup_card(struct snd_usb_cai
+
+ #ifdef CONFIG_SND_USB_CAIAQ_INPUT
+ ret = snd_usb_caiaq_input_init(cdev);
+- if (ret < 0) {
++ if (ret < 0 && ret != -ENODEV) {
+ dev_err(dev, "Unable to set up input system (ret=%d)\n", ret);
+ return ret;
+ }
+--- a/sound/usb/caiaq/input.c
++++ b/sound/usb/caiaq/input.c
+@@ -804,7 +804,7 @@ int snd_usb_caiaq_input_init(struct snd_
+
+ default:
+ /* no input methods supported on this device */
+- ret = -EINVAL;
++ ret = -ENODEV;
+ goto exit_free_idev;
+ }
+
--- /dev/null
+From 0a7b5221b5b51cc798fcfc3be00d02eade149d69 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 27 Apr 2026 14:37:53 +0200
+Subject: ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 0a7b5221b5b51cc798fcfc3be00d02eade149d69 upstream.
+
+The previous fix for handling the error from setup_card() missed that
+an internal URB cdev->ep1_in_urb might have been already submitted
+beforehand. In the normal case, this URB gets killed at the
+disconnection, but in the error path, we didn't do it, hence there can
+be a potential leak.
+
+Fix it in the error path for setup_card(), too.
+
+Fixes: 28abd224db4a ("ALSA: caiaq: Handle probe errors properly")
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20260427123819.890185-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/caiaq/device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/caiaq/device.c
++++ b/sound/usb/caiaq/device.c
+@@ -514,7 +514,7 @@ static int init_card(struct snd_usb_caia
+ card->private_free = card_free;
+ err = setup_card(cdev);
+ if (err < 0)
+- return err;
++ goto err_kill_urb;
+
+ return 0;
+
--- /dev/null
+From 7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b Mon Sep 17 00:00:00 2001
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+Date: Sun, 26 Apr 2026 05:49:34 +0530
+Subject: ALSA: caiaq: fix usb_dev refcount leak on probe failure
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+commit 7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b upstream.
+
+create_card() takes a reference on the USB device with usb_get_dev()
+and stores the matching usb_put_dev() in card_free(), which is
+installed as the snd_card's ->private_free destructor.
+
+However, ->private_free is only assigned near the end of init_card(),
+after several failure points (usb_set_interface(), EP type checks,
+usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its
+timeout). When any of those fail, init_card() returns an error to
+snd_probe(), which calls snd_card_free(card). Because ->private_free
+is still NULL, card_free() never runs, the usb_get_dev() reference
+is not dropped, and the struct usb_device leaks along with its
+descriptor allocations and device_private.
+
+syzbot reproduces this with a malformed UAC3 device whose only valid
+altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call
+fails with -EIO and triggers the leak.
+
+Move the ->private_free assignment into create_card(), immediately
+after usb_get_dev(), so that every error path reaching snd_card_free()
+balances the reference. card_free()'s callees (snd_usb_caiaq_input_free,
+free_urbs, kfree) already tolerate the partially-initialized state
+because the chip private area is zero-initialized by snd_card_new().
+
+Fixes: 80bb50e2d459 ("ALSA: caiaq: take a reference on the USB device in create_card()")
+Reported-by: syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2afd7e71155c7e241560
+Tested-by: syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Link: https://patch.msgid.link/20260426001934.70813-1-kartikey406@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/caiaq/device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/caiaq/device.c
++++ b/sound/usb/caiaq/device.c
+@@ -423,6 +423,7 @@ static int create_card(struct usb_device
+
+ cdev = caiaqdev(card);
+ cdev->chip.dev = usb_get_dev(usb_dev);
++ card->private_free = card_free;
+ cdev->chip.card = card;
+ cdev->chip.usb_id = USB_ID(le16_to_cpu(usb_dev->descriptor.idVendor),
+ le16_to_cpu(usb_dev->descriptor.idProduct));
+@@ -511,7 +512,6 @@ static int init_card(struct snd_usb_caia
+ scnprintf(card->longname, sizeof(card->longname), "%s %s (%s)",
+ cdev->vendor_name, cdev->product_name, usbpath);
+
+- card->private_free = card_free;
+ err = setup_card(cdev);
+ if (err < 0)
+ goto err_kill_urb;
--- /dev/null
+From 5b484311507b5d403c1f7a45f6aa3778549e268b Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Mon, 13 Apr 2026 19:59:11 -0700
+Subject: driver core: Add kernel-doc for DEV_FLAG_COUNT enum value
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit 5b484311507b5d403c1f7a45f6aa3778549e268b upstream.
+
+Even though nobody should use this value (except when declaring the
+"flags" bitmap), kernel-doc still gets upset that it's not documented.
+It reports:
+
+ WARNING: ../include/linux/device.h:519
+ Enum value 'DEV_FLAG_COUNT' not described in enum 'struct_device_flags'
+
+Add the description of DEV_FLAG_COUNT.
+
+Fixes: a2225b6e834a ("driver core: Don't let a device probe until it's ready")
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Closes: https://lore.kernel.org/f318cd43-81fd-48b9-abf7-92af85f12f91@infradead.org
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://patch.msgid.link/20260413195910.1.I23aca74fe2d3636a47df196a80920fecb2643220@changeid
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/device.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/linux/device.h
++++ b/include/linux/device.h
+@@ -507,6 +507,7 @@ struct device_physical_location {
+ *
+ * @DEV_FLAG_READY_TO_PROBE: If set then device_add() has finished enough
+ * initialization that probe could be called.
++ * @DEV_FLAG_COUNT: Number of defined struct_device_flags.
+ */
+ enum struct_device_flags {
+ DEV_FLAG_READY_TO_PROBE = 0,
--- /dev/null
+From 095a8b0ad3c3b5cdc3850d961adb8a8f735220bb Mon Sep 17 00:00:00 2001
+From: Arjan van de Ven <arjan@linux.intel.com>
+Date: Mon, 20 Apr 2026 14:57:15 -0700
+Subject: drm/amdgpu: fix zero-size GDS range init on RDNA4
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arjan van de Ven <arjan@linux.intel.com>
+
+commit 095a8b0ad3c3b5cdc3850d961adb8a8f735220bb upstream.
+
+RDNA4 (GFX 12) hardware removes the GDS, GWS, and OA on-chip memory
+resources. The gfx_v12_0 initialisation code correctly leaves
+adev->gds.gds_size, adev->gds.gws_size, and adev->gds.oa_size at
+zero to reflect this.
+
+amdgpu_ttm_init() unconditionally calls amdgpu_ttm_init_on_chip() for
+each of these resources regardless of size. When the size is zero,
+amdgpu_ttm_init_on_chip() forwards the call to ttm_range_man_init(),
+which calls drm_mm_init(mm, 0, 0). drm_mm_init() immediately fires
+DRM_MM_BUG_ON(start + size <= start) -- trivially true when size is
+zero -- crashing the kernel during modprobe of amdgpu on an RX 9070 XT.
+
+Guard against this by returning 0 early from
+amdgpu_ttm_init_on_chip() when size_in_page is zero. This skips TTM
+resource manager registration for hardware resources that are absent,
+without affecting any other GPU type.
+
+DRM_MM_BUG_ON() only asserts if CONFIG_DRM_DEBUG_MM is enabled in
+the kernel config. This is apparently rarely enabled as these chips
+have been in the market for over a year and this issue was only reported
+now.
+
+Link: https://lore.kernel.org/all/bug-221376-2300@https.bugzilla.kernel.org%2F/
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=221376
+Oops-Analysis: http://oops.fenrus.org/reports/bugzilla.korg/221376/report.html
+Assisted-by: GitHub Copilot:Claude Sonnet 4.6 linux-kernel-oops-x86.
+Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: "Christian König" <christian.koenig@amd.com>
+Cc: amd-gfx@lists.freedesktop.org
+Cc: dri-devel@lists.freedesktop.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 5719ce5865279cad4fd5f01011fe037168503f2d)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+@@ -75,6 +75,9 @@ static int amdgpu_ttm_init_on_chip(struc
+ unsigned int type,
+ uint64_t size_in_page)
+ {
++ if (!size_in_page)
++ return 0;
++
+ return ttm_range_man_init(&adev->mman.bdev, type,
+ false, size_in_page);
+ }
--- /dev/null
+From 9e6bf146b55999a095bb14f73a843942456d1adc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 21 Apr 2026 15:16:33 +0200
+Subject: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 9e6bf146b55999a095bb14f73a843942456d1adc upstream.
+
+ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps
+the next segment into ipv6_hdr->daddr, recompresses, then pulls the old
+header and pushes the new one plus the IPv6 header back. The
+recompressed header can be larger than the received one when the swap
+reduces the common-prefix length the segments share with daddr (CmprI=0,
+CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).
+
+pskb_expand_head() was gated on segments_left == 0, so on earlier
+segments the push consumed unchecked headroom. Once skb_push() leaves
+fewer than skb->mac_len bytes in front of data,
+skb_mac_header_rebuild()'s call to:
+
+ skb_set_mac_header(skb, -skb->mac_len);
+
+will store (data - head) - mac_len into the u16 mac_header field, which
+wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB
+past skb->head.
+
+A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two
+segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one
+pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.
+
+Fix this by expanding the head whenever the remaining room is less than
+the push size plus mac_len, and request that much extra so the rebuilt
+MAC header fits afterwards.
+
+Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr")
+Cc: stable <stable@kernel.org>
+Reported-by: Anthropic
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://patch.msgid.link/2026042133-gout-unvented-1bd9@gregkh
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/exthdrs.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/exthdrs.c
++++ b/net/ipv6/exthdrs.c
+@@ -491,6 +491,7 @@ static int ipv6_rpl_srh_rcv(struct sk_bu
+ struct net *net = dev_net(skb->dev);
+ struct inet6_dev *idev;
+ struct ipv6hdr *oldhdr;
++ unsigned int chdr_len;
+ unsigned char *buf;
+ int accept_rpl_seg;
+ int i, err;
+@@ -594,8 +595,10 @@ looped_back:
+ skb_pull(skb, ((hdr->hdrlen + 1) << 3));
+ skb_postpull_rcsum(skb, oldhdr,
+ sizeof(struct ipv6hdr) + ((hdr->hdrlen + 1) << 3));
+- if (unlikely(!hdr->segments_left)) {
+- if (pskb_expand_head(skb, sizeof(struct ipv6hdr) + ((chdr->hdrlen + 1) << 3), 0,
++ chdr_len = sizeof(struct ipv6hdr) + ((chdr->hdrlen + 1) << 3);
++ if (unlikely(!hdr->segments_left ||
++ skb_headroom(skb) < chdr_len + skb->mac_len)) {
++ if (pskb_expand_head(skb, chdr_len + skb->mac_len, 0,
+ GFP_ATOMIC)) {
+ __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_OUTDISCARDS);
+ kfree_skb(skb);
+@@ -605,7 +608,7 @@ looped_back:
+
+ oldhdr = ipv6_hdr(skb);
+ }
+- skb_push(skb, ((chdr->hdrlen + 1) << 3) + sizeof(struct ipv6hdr));
++ skb_push(skb, chdr_len);
+ skb_reset_network_header(skb);
+ skb_mac_header_rebuild(skb);
+ skb_set_transport_header(skb, sizeof(struct ipv6hdr));
--- /dev/null
+From f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e Mon Sep 17 00:00:00 2001
+From: Andrea Mayer <andrea.mayer@uniroma2.it>
+Date: Tue, 21 Apr 2026 11:47:35 +0200
+Subject: net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
+
+From: Andrea Mayer <andrea.mayer@uniroma2.it>
+
+commit f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e upstream.
+
+seg6_input_core() and rpl_input() call ip6_route_input() which sets a
+NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking
+dst_hold() unconditionally.
+On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can
+release the underlying pcpu_rt between the lookup and the caching
+through a concurrent FIB lookup on a shared nexthop.
+Simplified race sequence:
+
+ ksoftirqd/X higher-prio task (same CPU X)
+ ----------- --------------------------------
+ seg6_input_core(,skb)/rpl_input(skb)
+ dst_cache_get()
+ -> miss
+ ip6_route_input(skb)
+ -> ip6_pol_route(,skb,flags)
+ [RT6_LOOKUP_F_DST_NOREF in flags]
+ -> FIB lookup resolves fib6_nh
+ [nhid=N route]
+ -> rt6_make_pcpu_route()
+ [creates pcpu_rt, refcount=1]
+ pcpu_rt->sernum = fib6_sernum
+ [fib6_sernum=W]
+ -> cmpxchg(fib6_nh.rt6i_pcpu,
+ NULL, pcpu_rt)
+ [slot was empty, store succeeds]
+ -> skb_dst_set_noref(skb, dst)
+ [dst is pcpu_rt, refcount still 1]
+
+ rt_genid_bump_ipv6()
+ -> bumps fib6_sernum
+ [fib6_sernum from W to Z]
+ ip6_route_output()
+ -> ip6_pol_route()
+ -> FIB lookup resolves fib6_nh
+ [nhid=N]
+ -> rt6_get_pcpu_route()
+ pcpu_rt->sernum != fib6_sernum
+ [W <> Z, stale]
+ -> prev = xchg(rt6i_pcpu, NULL)
+ -> dst_release(prev)
+ [prev is pcpu_rt,
+ refcount 1->0, dead]
+
+ dst = skb_dst(skb)
+ [dst is the dead pcpu_rt]
+ dst_cache_set_ip6(dst)
+ -> dst_hold() on dead dst
+ -> WARN / use-after-free
+
+For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without
+PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release
+the pcpu_rt. Shared nexthop objects provide such a path, as two routes
+pointing to the same nhid share the same fib6_nh and its rt6i_pcpu
+entry.
+
+Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after
+ip6_route_input() to force the NOREF dst into a refcounted one before
+caching.
+The output path is not affected as ip6_route_output() already returns a
+refcounted dst.
+
+Fixes: af4a2209b134 ("ipv6: sr: use dst_cache in seg6_input")
+Fixes: a7a29f9c361f ("net: ipv6: add rpl sr tunnel")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrea Mayer <andrea.mayer@uniroma2.it>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
+Link: https://patch.msgid.link/20260421094735.20997-1-andrea.mayer@uniroma2.it
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/rpl_iptunnel.c | 9 +++++++++
+ net/ipv6/seg6_iptunnel.c | 9 +++++++++
+ 2 files changed, 18 insertions(+)
+
+--- a/net/ipv6/rpl_iptunnel.c
++++ b/net/ipv6/rpl_iptunnel.c
+@@ -287,7 +287,16 @@ static int rpl_input(struct sk_buff *skb
+
+ if (!dst) {
+ ip6_route_input(skb);
++
++ /* ip6_route_input() sets a NOREF dst; force a refcount on it
++ * before caching or further use.
++ */
++ skb_dst_force(skb);
+ dst = skb_dst(skb);
++ if (unlikely(!dst)) {
++ err = -ENETUNREACH;
++ goto drop;
++ }
+
+ /* cache only if we don't create a dst reference loop */
+ if (!dst->error && lwtst != dst->lwtstate) {
+--- a/net/ipv6/seg6_iptunnel.c
++++ b/net/ipv6/seg6_iptunnel.c
+@@ -500,7 +500,16 @@ static int seg6_input_core(struct net *n
+
+ if (!dst) {
+ ip6_route_input(skb);
++
++ /* ip6_route_input() sets a NOREF dst; force a refcount on it
++ * before caching or further use.
++ */
++ skb_dst_force(skb);
+ dst = skb_dst(skb);
++ if (unlikely(!dst)) {
++ err = -ENETUNREACH;
++ goto drop;
++ }
+
+ /* cache only if we don't create a dst reference loop */
+ if (!dst->error && lwtst != dst->lwtstate) {
--- /dev/null
+From fe11e5c40817b84abaa5d83bfb6586d8412bfd07 Mon Sep 17 00:00:00 2001
+From: Kai Ma <k4729.23098@gmail.com>
+Date: Wed, 22 Apr 2026 22:54:18 +0800
+Subject: netfilter: reject zero shift in nft_bitwise
+
+From: Kai Ma <k4729.23098@gmail.com>
+
+commit fe11e5c40817b84abaa5d83bfb6586d8412bfd07 upstream.
+
+Reject zero shift operands for nft_bitwise left and right shift
+expressions during initialization.
+
+The carry propagation logic computes the carry from the adjacent 32-bit
+word using BITS_PER_TYPE(u32) - shift. A zero shift operand turns this
+into a 32-bit shift, which is undefined behaviour.
+
+Reject zero shift operands in the control plane, alongside the existing
+check for values greater than or equal to 32, so malformed rules never
+reach the packet path.
+
+Fixes: 567d746b55bc ("netfilter: bitwise: add support for shifts.")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Kai Ma <k4729.23098@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_bitwise.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_bitwise.c
++++ b/net/netfilter/nft_bitwise.c
+@@ -149,7 +149,8 @@ static int nft_bitwise_init_shift(struct
+ if (err < 0)
+ return err;
+
+- if (priv->data.data[0] >= BITS_PER_TYPE(u32)) {
++ if (!priv->data.data[0] ||
++ priv->data.data[0] >= BITS_PER_TYPE(u32)) {
+ nft_data_release(&priv->data, desc.type);
+ return -EINVAL;
+ }
--- /dev/null
+From 55b2984c96c37f909bbfe8851f13152693951382 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 23 Apr 2026 21:09:06 +0100
+Subject: rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
+
+From: David Howells <dhowells@redhat.com>
+
+commit 55b2984c96c37f909bbfe8851f13152693951382 upstream.
+
+Fix rxrpc_input_call_event() to only unshare DATA packets and not ACK,
+ABORT, etc..
+
+And with that, rxrpc_input_packet() doesn't need to take a pointer to the
+pointer to the packet, so change that to just a pointer.
+
+Fixes: 1f2740150f90 ("rxrpc: Fix potential UAF after skb_unshare() failure")
+Closes: https://sashiko.dev/#/patchset/20260422161438.2593376-4-dhowells@redhat.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Jeffrey Altman <jaltman@auristor.com>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/20260423200909.3049438-2-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/call_event.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/rxrpc/call_event.c
++++ b/net/rxrpc/call_event.c
+@@ -345,7 +345,8 @@ bool rxrpc_input_call_event(struct rxrpc
+ if (skb) {
+ struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
+
+- if (sp->hdr.securityIndex != 0 &&
++ if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
++ sp->hdr.securityIndex != 0 &&
+ skb_cloned(skb)) {
+ /* Unshare the packet so that it can be modified for
+ * in-place decryption.
mm-prevent-droppable-mappings-from-being-locked.patch
crypto-authencesn-reject-short-ahash-digests-during-instance-creation.patch
net-bonding-fix-use-after-free-in-bond_xmit_broadcast.patch
+driver-core-add-kernel-doc-for-dev_flag_count-enum-value.patch
+alsa-caiaq-fix-potentially-leftover-ep1_in_urb-at-error-path.patch
+alsa-caiaq-don-t-abort-when-no-input-device-is-available.patch
+rxrpc-fix-rxrpc_input_call_event-to-only-unshare-data-packets.patch
+ipv6-rpl-reserve-mac_len-headroom-when-recompressed-srh-grows.patch
+drm-amdgpu-fix-zero-size-gds-range-init-on-rdna4.patch
+alsa-caiaq-fix-usb_dev-refcount-leak-on-probe-failure.patch
+net-ipv6-fix-noref-dst-use-in-seg6-and-rpl-lwtunnels.patch
+netfilter-reject-zero-shift-in-nft_bitwise.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
