From 52ff4e6339230eb7ed43c7c659568843cfe5ee8e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 19 May 2026 12:22:08 +0200
Subject: [PATCH] 5.10-stable patches
added patches:
audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch
audit-fix-incorrect-inheritable-capability-in-capset-records.patch
crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch
net-atlantic-preserve-pci-wake-from-d3-on-shutdown-when-wol-enabled.patch
netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch
---
...-for-audit_trim-and-audit_make_equiv.patch | 47 +++++++++++++++++
...ritable-capability-in-capset-records.patch | 44 ++++++++++++++++
...alg-cap-aead-ad-length-to-0x80000000.patch | 31 ++++++++++++
...from-d3-on-shutdown-when-wol-enabled.patch | 50 +++++++++++++++++++
...t-fix-missing-expect-put-in-obj-eval.patch | 34 +++++++++++++
queue-5.10/series | 5 ++
6 files changed, 211 insertions(+)
create mode 100644 queue-5.10/audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch
create mode 100644 queue-5.10/audit-fix-incorrect-inheritable-capability-in-capset-records.patch
create mode 100644 queue-5.10/crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch
create mode 100644 queue-5.10/net-atlantic-preserve-pci-wake-from-d3-on-shutdown-when-wol-enabled.patch
create mode 100644 queue-5.10/netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch
diff --git a/queue-5.10/audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch b/queue-5.10/audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch
new file mode 100644
index 0000000000..6a9ca1d6be
--- /dev/null
+++ b/queue-5.10/audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch
@@ -0,0 +1,47 @@
+From f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2 Mon Sep 17 00:00:00 2001
+From: Sergio Correia
+Date: Tue, 12 May 2026 14:28:59 +0100
+Subject: audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
+
+From: Sergio Correia
+
+commit f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2 upstream.
+
+AUDIT_ADD_RULE and AUDIT_DEL_RULE correctly check for AUDIT_LOCKED
+and return -EPERM, but AUDIT_TRIM and AUDIT_MAKE_EQUIV do not. This
+allows a process with CAP_AUDIT_CONTROL to modify directory tree
+watches and equivalence mappings even when the audit configuration
+has been locked, undermining the purpose of the lock.
+
+Add AUDIT_LOCKED checks to both commands.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Ricardo Robaina
+Assisted-by: Claude:claude-opus-4-6
+Signed-off-by: Sergio Correia
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/audit.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1430,6 +1430,8 @@ static int audit_receive_msg(struct sk_b
+ err = audit_list_rules_send(skb, seq);
+ break;
+ case AUDIT_TRIM:
++ if (audit_enabled == AUDIT_LOCKED)
++ return -EPERM;
+ audit_trim_trees();
+ audit_log_common_recv_msg(audit_context(), &ab,
+ AUDIT_CONFIG_CHANGE);
+@@ -1442,6 +1444,8 @@ static int audit_receive_msg(struct sk_b
+ size_t msglen = data_len;
+ char *old, *new;
+
++ if (audit_enabled == AUDIT_LOCKED)
++ return -EPERM;
+ err = -EINVAL;
+ if (msglen < 2 * sizeof(u32))
+ break;
diff --git a/queue-5.10/audit-fix-incorrect-inheritable-capability-in-capset-records.patch b/queue-5.10/audit-fix-incorrect-inheritable-capability-in-capset-records.patch
new file mode 100644
index 0000000000..7a5548d602
--- /dev/null
+++ b/queue-5.10/audit-fix-incorrect-inheritable-capability-in-capset-records.patch
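Review bot: Both checks added to audit_receive_msg() by audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch return -EPERM before any record is written, so a refused AUDIT_TRIM or AUDIT_MAKE_EQUIV on a locked configuration leaves nothing in the audit trail. The AUDIT_TRIM success path visible in the first hunk emits an AUDIT_CONFIG_CHANGE record through audit_log_common_recv_msg(); emitting the same record type with a failed result on the denial path would let monitoring see attempts to alter a locked configuration. The sketch below covers AUDIT_TRIM and the same shape applies to AUDIT_MAKE_EQUIV; the field text is illustrative and should follow the format the existing CONFIG_CHANGE records use, which is outside these hunks. audit_receive_msg() begins and ends outside both hunks.

```c
	case AUDIT_TRIM:
		if (audit_enabled == AUDIT_LOCKED) {
			/* Record the refused attempt before rejecting it. */
			audit_log_common_recv_msg(audit_context(), &ab,
						  AUDIT_CONFIG_CHANGE);
			audit_log_format(ab, " op=trim res=0");
			audit_log_end(ab);
			return -EPERM;
		}
		/* … unchanged: audit_trim_trees() and the success record … */
```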
@@ -0,0 +1,44 @@
+From e4a640475e43f406fdfd56d370b1f34b0cbbc18d Mon Sep 17 00:00:00 2001
+From: Sergio Correia
+Date: Tue, 12 May 2026 14:28:33 +0100
+Subject: audit: fix incorrect inheritable capability in CAPSET records
+
+From: Sergio Correia
+
+commit e4a640475e43f406fdfd56d370b1f34b0cbbc18d upstream.
+
+__audit_log_capset() records the effective capability set into the
+inheritable field due to a copy-paste error. Every CAPSET audit
+record therefore reports cap_pi (process inheritable) with the value
+of cap_effective instead of cap_inheritable.
+
+This silently corrupts audit data used for compliance and forensic
+analysis: an attacker who modifies inheritable capabilities to
+prepare for a privilege-escalating exec would have the change masked
+in the audit trail.
+
+The bug has been present since the original introduction of CAPSET
+audit records in 2008.
+
+Cc: stable@vger.kernel.org
+Fixes: e68b75a027bb ("When the capset syscall is used it is not possible for audit to record the actual capbilities being added/removed. This patch adds a new record type which emits the target pid and the eff, inh, and perm cap sets.")
+Reviewed-by: Ricardo Robaina
+Assisted-by: Claude:claude-opus-4-6
+Signed-off-by: Sergio Correia
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/auditsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -2582,7 +2582,7 @@ void __audit_log_capset(const struct cre
+ struct audit_context *context = audit_context();
+ context->capset.pid = task_tgid_nr(current);
+ context->capset.cap.effective = new->cap_effective;
+- context->capset.cap.inheritable = new->cap_effective;
++ context->capset.cap.inheritable = new->cap_inheritable;
+ context->capset.cap.permitted = new->cap_permitted;
+ context->capset.cap.ambient = new->cap_ambient;
+ context->type = AUDIT_CAPSET;
diff --git a/queue-5.10/crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch b/queue-5.10/crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch
new file mode 100644
index 0000000000..24e2d85b35
--- /dev/null
+++ b/queue-5.10/crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch
@@ -0,0 +1,31 @@
+From e4c06479d7059888adf2f22bc1ebcf053bf691a2 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Tue, 5 May 2026 17:02:45 +0800
+Subject: crypto: af_alg - Cap AEAD AD length to 0x80000000
+
+From: Herbert Xu
+
+commit e4c06479d7059888adf2f22bc1ebcf053bf691a2 upstream.
+
+In order to prevent arithmetic overflows when checking the TX
+buffer size, cap the associated data length to 0x80000000.
+
+Reported-by: Yiming Qian
+Fixes: 400c40cf78da ("crypto: algif - add AEAD support")
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/af_alg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -478,6 +478,8 @@ static int af_alg_cmsg_send(struct msghd
+ if (cmsg->cmsg_len < CMSG_LEN(sizeof(u32)))
+ return -EINVAL;
+ con->aead_assoclen = *(u32 *)CMSG_DATA(cmsg);
++ if (con->aead_assoclen >= 0x80000000u)
++ return -EINVAL;
+ break;
+
+ default:
diff --git a/queue-5.10/net-atlantic-preserve-pci-wake-from-d3-on-shutdown-when-wol-enabled.patch b/queue-5.10/net-atlantic-preserve-pci-wake-from-d3-on-shutdown-when-wol-enabled.patch
new file mode 100644
index 0000000000..fdd1d0b5fe
--- /dev/null
+++ b/queue-5.10/net-atlantic-preserve-pci-wake-from-d3-on-shutdown-when-wol-enabled.patch
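Review bot: The bound added to af_alg_cmsg_send() by crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch is a bare `0x80000000u` with no comment, so the reason for it lives only in the commit message. A comment above the check, for example `/* Reject AD lengths of 2^31 and above so later TX buffer size checks cannot overflow. */`, would keep the invariant next to the code that enforces it. The untrusted value is also stored in `con->aead_assoclen` before it is validated; that is harmless only if callers discard `con` when this function fails, which is not visible in the hunk. af_alg_cmsg_send() begins and ends outside the hunk.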
@@ -0,0 +1,50 @@
+From 2c308cf34284420963607d677d576a2b4124d8bd Mon Sep 17 00:00:00 2001
+From: Zoran Ilievski
+Date: Mon, 11 May 2026 08:40:02 +0200
+Subject: net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
+
+From: Zoran Ilievski
+
+commit 2c308cf34284420963607d677d576a2b4124d8bd upstream.
+
+The shutdown handler aq_pci_shutdown() unconditionally calls
+pci_wake_from_d3(pdev, false), clearing the PCI PME_En bit even when
+wake-on-LAN has been configured. While aq_nic_shutdown() correctly
+programs the NIC firmware via aq_nic_set_power() to listen for magic
+packets, the PCI subsystem will not propagate the resulting PME wake
+event from D3, so the system never wakes after poweroff.
+
+WOL from suspend (S3) is unaffected because aq_suspend_common() does
+not touch pci_wake_from_d3() and relies on the PM core's wake
+configuration via device_may_wakeup().
+
+This affects all atlantic-supported NICs (AQC107/108/111/112/113);
+users have reported that WOL works if the atlantic driver is never
+loaded, but breaks once it has run its shutdown path.
+
+Pass the configured WOL state to pci_wake_from_d3() instead of a
+literal false, so the PCI PME_En bit is preserved when the user has
+armed WOL via ethtool.
+
+Fixes: 90869ddfefeb ("net: aquantia: Implement pci shutdown callback")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zoran Ilievski
+Reviewed-by: Sukhdeep Singh
+Link: https://patch.msgid.link/20260511064002.1857-1-goodboy@rexbytes.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
+@@ -380,7 +380,7 @@ static void aq_pci_shutdown(struct pci_d
+ pci_disable_device(pdev);
+
+ if (system_state == SYSTEM_POWER_OFF) {
+- pci_wake_from_d3(pdev, false);
++ pci_wake_from_d3(pdev, self->aq_hw->aq_nic_cfg->wol);
+ pci_set_power_state(pdev, PCI_D3hot);
+ }
+ }
diff --git a/queue-5.10/netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch b/queue-5.10/netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch
new file mode 100644
index 0000000000..9c4d998b64
--- /dev/null
+++ b/queue-5.10/netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch
@@ -0,0 +1,34 @@
+From 19f94b6fee75b3ef7fbc06f3745b9a771a8a19a4 Mon Sep 17 00:00:00 2001
+From: Li Xiasong
+Date: Thu, 7 May 2026 22:04:23 +0800
+Subject: netfilter: nft_ct: fix missing expect put in obj eval
+
+From: Li Xiasong
+
+commit 19f94b6fee75b3ef7fbc06f3745b9a771a8a19a4 upstream.
+
+nft_ct_expect_obj_eval() allocates an expectation and may call
+nf_ct_expect_related(), but never drops its local reference.
+
+Add nf_ct_expect_put(exp) before return to balance allocation.
+
+Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Li Xiasong
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_ct.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -1296,6 +1296,8 @@ static void nft_ct_expect_obj_eval(struc
+
+ if (nf_ct_expect_related(exp, 0) != 0)
+ regs->verdict.code = NF_DROP;
++
++ nf_ct_expect_put(exp);
+ }
+
+static const struct nla_policy nft_ct_expect_policy[NFTA_CT_EXPECT_MAX + 1] = {
diff --git a/queue-5.10/series b/queue-5.10/series
index 8eef2d7c29..fb0c7c47cb 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -510,3 +510,8 @@ flow_dissector-do-not-count-vlan-tags-inside-tunnel-.patch
 net-sched-sch_pie-annotate-more-data-races-in-pie_du.patch
 rtc-allow-rtc_read_alarm-without-read_alarm-callback.patch
 alarmtimer-check-rtc-features-instead-of-ops.patch
+crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch
+audit-fix-incorrect-inheritable-capability-in-capset-records.patch
+netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch
+net-atlantic-preserve-pci-wake-from-d3-on-shutdown-when-wol-enabled.patch
+audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch
--
2.47.3
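Review bot: The `nf_ct_expect_put(exp);` added to nft_ct_expect_obj_eval() by netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch runs after both the success and the failure result of `nf_ct_expect_related()`, and nothing next to it says why an unconditional put is correct. A comment such as `/* Drop the local reference from allocation; needed whether or not nf_ct_expect_related() succeeded. */` would stop a later change from making the put conditional and reintroducing the leak. The allocation and any earlier return paths are outside the hunk, so it is worth confirming that no path between the allocation and this line returns without reaching the put.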