Fixes for all trees
authorSasha Levin <sashal@kernel.org>
Sun, 22 Mar 2026 01:10:47 +0000 (21:10 -0400)
committerSasha Levin <sashal@kernel.org>
Sun, 22 Mar 2026 01:10:47 +0000 (21:10 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
407 files changed:
queue-5.10/bluetooth-hidp-fix-possible-uaf.patch [new file with mode: 0644]
queue-5.10/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch [new file with mode: 0644]
queue-5.10/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch [new file with mode: 0644]
queue-5.10/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch [new file with mode: 0644]
queue-5.10/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch [new file with mode: 0644]
queue-5.10/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch [new file with mode: 0644]
queue-5.10/net-bcmgenet-increase-wol-poll-timeout.patch [new file with mode: 0644]
queue-5.10/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch [new file with mode: 0644]
queue-5.10/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch [new file with mode: 0644]
queue-5.10/net-macb-fix-uninitialized-rx_fs_lock.patch [new file with mode: 0644]
queue-5.10/net-rose-fix-null-pointer-dereference-in-rose_transm.patch [new file with mode: 0644]
queue-5.10/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch [new file with mode: 0644]
queue-5.10/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch [new file with mode: 0644]
queue-5.10/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch [new file with mode: 0644]
queue-5.10/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch [new file with mode: 0644]
queue-5.10/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch [new file with mode: 0644]
queue-5.10/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch [new file with mode: 0644]
queue-5.10/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch [new file with mode: 0644]
queue-5.10/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch [new file with mode: 0644]
queue-5.10/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch [new file with mode: 0644]
queue-5.10/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch [new file with mode: 0644]
queue-5.10/nfnetlink_osf-validate-individual-option-lengths-in-.patch [new file with mode: 0644]
queue-5.10/pm-runtime-fix-a-race-condition-related-to-device-re.patch [new file with mode: 0644]
queue-5.10/sched-idle-consolidate-the-handling-of-two-special-c.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch [new file with mode: 0644]
queue-5.10/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch [new file with mode: 0644]
queue-5.10/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch [new file with mode: 0644]
queue-5.10/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch [new file with mode: 0644]
queue-5.10/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch [new file with mode: 0644]
queue-5.15/acpi-processor-fix-previous-acpi_processor_errata_pi.patch [new file with mode: 0644]
queue-5.15/bluetooth-hidp-fix-possible-uaf.patch [new file with mode: 0644]
queue-5.15/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch [new file with mode: 0644]
queue-5.15/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch [new file with mode: 0644]
queue-5.15/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch [new file with mode: 0644]
queue-5.15/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch [new file with mode: 0644]
queue-5.15/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch [new file with mode: 0644]
queue-5.15/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch [new file with mode: 0644]
queue-5.15/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch [new file with mode: 0644]
queue-5.15/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch [new file with mode: 0644]
queue-5.15/net-bcmgenet-increase-wol-poll-timeout.patch [new file with mode: 0644]
queue-5.15/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch [new file with mode: 0644]
queue-5.15/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch [new file with mode: 0644]
queue-5.15/net-macb-fix-uninitialized-rx_fs_lock.patch [new file with mode: 0644]
queue-5.15/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch [new file with mode: 0644]
queue-5.15/net-mana-improve-the-hwc-error-handling.patch [new file with mode: 0644]
queue-5.15/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch [new file with mode: 0644]
queue-5.15/net-rose-fix-null-pointer-dereference-in-rose_transm.patch [new file with mode: 0644]
queue-5.15/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch [new file with mode: 0644]
queue-5.15/net-smc-fix-slab-out-of-bounds-issue-in-fallback.patch [new file with mode: 0644]
queue-5.15/net-smc-only-save-the-original-clcsock-callback-func.patch [new file with mode: 0644]
queue-5.15/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch [new file with mode: 0644]
queue-5.15/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch [new file with mode: 0644]
queue-5.15/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch [new file with mode: 0644]
queue-5.15/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch [new file with mode: 0644]
queue-5.15/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch [new file with mode: 0644]
queue-5.15/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch [new file with mode: 0644]
queue-5.15/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch [new file with mode: 0644]
queue-5.15/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch [new file with mode: 0644]
queue-5.15/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch [new file with mode: 0644]
queue-5.15/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch [new file with mode: 0644]
queue-5.15/nfnetlink_osf-validate-individual-option-lengths-in-.patch [new file with mode: 0644]
queue-5.15/of-add-cleanup.h-based-auto-release-via-__free-devic.patch [new file with mode: 0644]
queue-5.15/pm-runtime-fix-a-race-condition-related-to-device-re.patch [new file with mode: 0644]
queue-5.15/sched-idle-consolidate-the-handling-of-two-special-c.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch [new file with mode: 0644]
queue-5.15/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch [new file with mode: 0644]
queue-5.15/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch [new file with mode: 0644]
queue-5.15/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch [new file with mode: 0644]
queue-5.15/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch [new file with mode: 0644]
queue-5.15/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch [new file with mode: 0644]
queue-6.1/acpi-processor-fix-previous-acpi_processor_errata_pi.patch [new file with mode: 0644]
queue-6.1/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch [new file with mode: 0644]
queue-6.1/bluetooth-hidp-fix-possible-uaf.patch [new file with mode: 0644]
queue-6.1/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch [new file with mode: 0644]
queue-6.1/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch [new file with mode: 0644]
queue-6.1/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch [new file with mode: 0644]
queue-6.1/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch [new file with mode: 0644]
queue-6.1/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch [new file with mode: 0644]
queue-6.1/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch [new file with mode: 0644]
queue-6.1/iavf-fix-vlan-filter-lost-on-add-delete-race.patch [new file with mode: 0644]
queue-6.1/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch [new file with mode: 0644]
queue-6.1/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch [new file with mode: 0644]
queue-6.1/net-bcmgenet-increase-wol-poll-timeout.patch [new file with mode: 0644]
queue-6.1/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch [new file with mode: 0644]
queue-6.1/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch [new file with mode: 0644]
queue-6.1/net-macb-fix-uninitialized-rx_fs_lock.patch [new file with mode: 0644]
queue-6.1/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch [new file with mode: 0644]
queue-6.1/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch [new file with mode: 0644]
queue-6.1/net-rose-fix-null-pointer-dereference-in-rose_transm.patch [new file with mode: 0644]
queue-6.1/net-sched-teql-fix-double-free-in-teql_master_xmit.patch [new file with mode: 0644]
queue-6.1/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch [new file with mode: 0644]
queue-6.1/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch [new file with mode: 0644]
queue-6.1/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch [new file with mode: 0644]
queue-6.1/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch [new file with mode: 0644]
queue-6.1/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch [new file with mode: 0644]
queue-6.1/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch [new file with mode: 0644]
queue-6.1/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch [new file with mode: 0644]
queue-6.1/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch [new file with mode: 0644]
queue-6.1/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch [new file with mode: 0644]
queue-6.1/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch [new file with mode: 0644]
queue-6.1/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch [new file with mode: 0644]
queue-6.1/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch [new file with mode: 0644]
queue-6.1/nfnetlink_osf-validate-individual-option-lengths-in-.patch [new file with mode: 0644]
queue-6.1/pm-runtime-fix-a-race-condition-related-to-device-re.patch [new file with mode: 0644]
queue-6.1/sched-idle-consolidate-the-handling-of-two-special-c.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch [new file with mode: 0644]
queue-6.1/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch [new file with mode: 0644]
queue-6.1/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch [new file with mode: 0644]
queue-6.1/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch [new file with mode: 0644]
queue-6.1/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch [new file with mode: 0644]
queue-6.1/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch [new file with mode: 0644]
queue-6.12/acpi-processor-fix-previous-acpi_processor_errata_pi.patch [new file with mode: 0644]
queue-6.12/arm64-dts-renesas-r9a09g057-add-rtc-node.patch [new file with mode: 0644]
queue-6.12/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch [new file with mode: 0644]
queue-6.12/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch [new file with mode: 0644]
queue-6.12/bluetooth-hidp-fix-possible-uaf.patch [new file with mode: 0644]
queue-6.12/bluetooth-iso-fix-defer-tests-being-unstable.patch [new file with mode: 0644]
queue-6.12/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch [new file with mode: 0644]
queue-6.12/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch [new file with mode: 0644]
queue-6.12/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch [new file with mode: 0644]
queue-6.12/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch [new file with mode: 0644]
queue-6.12/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch [new file with mode: 0644]
queue-6.12/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch [new file with mode: 0644]
queue-6.12/bonding-prevent-potential-infinite-loop-in-bond_head.patch [new file with mode: 0644]
queue-6.12/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch [new file with mode: 0644]
queue-6.12/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch [new file with mode: 0644]
queue-6.12/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch [new file with mode: 0644]
queue-6.12/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch [new file with mode: 0644]
queue-6.12/cache-starfive-fix-device-node-leak-in-starlink_cach.patch [new file with mode: 0644]
queue-6.12/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch [new file with mode: 0644]
queue-6.12/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch [new file with mode: 0644]
queue-6.12/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch [new file with mode: 0644]
queue-6.12/iavf-fix-vlan-filter-lost-on-add-delete-race.patch [new file with mode: 0644]
queue-6.12/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch [new file with mode: 0644]
queue-6.12/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch [new file with mode: 0644]
queue-6.12/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch [new file with mode: 0644]
queue-6.12/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch [new file with mode: 0644]
queue-6.12/net-airoha-fix-pse-memory-configuration-in-airoha_fe.patch [new file with mode: 0644]
queue-6.12/net-airoha-read-completion-queue-data-in-airoha_qdma.patch [new file with mode: 0644]
queue-6.12/net-airoha-read-default-pse-reserved-pages-value-bef.patch [new file with mode: 0644]
queue-6.12/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch [new file with mode: 0644]
queue-6.12/net-bcmgenet-increase-wol-poll-timeout.patch [new file with mode: 0644]
queue-6.12/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch [new file with mode: 0644]
queue-6.12/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch [new file with mode: 0644]
queue-6.12/net-macb-fix-uninitialized-rx_fs_lock.patch [new file with mode: 0644]
queue-6.12/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch [new file with mode: 0644]
queue-6.12/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch [new file with mode: 0644]
queue-6.12/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch [new file with mode: 0644]
queue-6.12/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch [new file with mode: 0644]
queue-6.12/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch [new file with mode: 0644]
queue-6.12/net-rose-fix-null-pointer-dereference-in-rose_transm.patch [new file with mode: 0644]
queue-6.12/net-sched-teql-fix-double-free-in-teql_master_xmit.patch [new file with mode: 0644]
queue-6.12/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch [new file with mode: 0644]
queue-6.12/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch [new file with mode: 0644]
queue-6.12/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch [new file with mode: 0644]
queue-6.12/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch [new file with mode: 0644]
queue-6.12/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch [new file with mode: 0644]
queue-6.12/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch [new file with mode: 0644]
queue-6.12/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch [new file with mode: 0644]
queue-6.12/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch [new file with mode: 0644]
queue-6.12/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch [new file with mode: 0644]
queue-6.12/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch [new file with mode: 0644]
queue-6.12/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch [new file with mode: 0644]
queue-6.12/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch [new file with mode: 0644]
queue-6.12/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch [new file with mode: 0644]
queue-6.12/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch [new file with mode: 0644]
queue-6.12/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch [new file with mode: 0644]
queue-6.12/nfnetlink_osf-validate-individual-option-lengths-in-.patch [new file with mode: 0644]
queue-6.12/pm-runtime-fix-a-race-condition-related-to-device-re.patch [new file with mode: 0644]
queue-6.12/sched-idle-consolidate-the-handling-of-two-special-c.patch [new file with mode: 0644]
queue-6.12/series
queue-6.12/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch [new file with mode: 0644]
queue-6.12/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch [new file with mode: 0644]
queue-6.12/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch [new file with mode: 0644]
queue-6.12/soc-rockchip-grf-add-missing-of_node_put-when-return.patch [new file with mode: 0644]
queue-6.12/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch [new file with mode: 0644]
queue-6.12/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch [new file with mode: 0644]
queue-6.12/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch [new file with mode: 0644]
queue-6.12/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch [new file with mode: 0644]
queue-6.12/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch [new file with mode: 0644]
queue-6.18/acpi-processor-fix-previous-acpi_processor_errata_pi.patch [new file with mode: 0644]
queue-6.18/acpica-update-the-format-of-arg3-of-_dsm.patch [new file with mode: 0644]
queue-6.18/arm64-dts-renesas-r9a09g057-add-rtc-node.patch [new file with mode: 0644]
queue-6.18/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch [new file with mode: 0644]
queue-6.18/arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch [new file with mode: 0644]
queue-6.18/arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch [new file with mode: 0644]
queue-6.18/arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch [new file with mode: 0644]
queue-6.18/arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch [new file with mode: 0644]
queue-6.18/arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch [new file with mode: 0644]
queue-6.18/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch [new file with mode: 0644]
queue-6.18/bluetooth-hidp-fix-possible-uaf.patch [new file with mode: 0644]
queue-6.18/bluetooth-iso-fix-defer-tests-being-unstable.patch [new file with mode: 0644]
queue-6.18/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch [new file with mode: 0644]
queue-6.18/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch [new file with mode: 0644]
queue-6.18/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch [new file with mode: 0644]
queue-6.18/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch [new file with mode: 0644]
queue-6.18/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch [new file with mode: 0644]
queue-6.18/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch [new file with mode: 0644]
queue-6.18/bonding-prevent-potential-infinite-loop-in-bond_head.patch [new file with mode: 0644]
queue-6.18/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch [new file with mode: 0644]
queue-6.18/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch [new file with mode: 0644]
queue-6.18/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch [new file with mode: 0644]
queue-6.18/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch [new file with mode: 0644]
queue-6.18/cache-starfive-fix-device-node-leak-in-starlink_cach.patch [new file with mode: 0644]
queue-6.18/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch [new file with mode: 0644]
queue-6.18/crypto-ccp-fix-leaking-the-same-page-twice.patch [new file with mode: 0644]
queue-6.18/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch [new file with mode: 0644]
queue-6.18/firmware-arm_scmi-fix-null-dereference-on-notify-err.patch [new file with mode: 0644]
queue-6.18/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch [new file with mode: 0644]
queue-6.18/iavf-fix-vlan-filter-lost-on-add-delete-race.patch [new file with mode: 0644]
queue-6.18/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch [new file with mode: 0644]
queue-6.18/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch [new file with mode: 0644]
queue-6.18/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch [new file with mode: 0644]
queue-6.18/libie-prevent-memleak-in-fwlog-code.patch [new file with mode: 0644]
queue-6.18/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch [new file with mode: 0644]
queue-6.18/mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch [new file with mode: 0644]
queue-6.18/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch [new file with mode: 0644]
queue-6.18/net-bcmgenet-increase-wol-poll-timeout.patch [new file with mode: 0644]
queue-6.18/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch [new file with mode: 0644]
queue-6.18/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch [new file with mode: 0644]
queue-6.18/net-macb-fix-uninitialized-rx_fs_lock.patch [new file with mode: 0644]
queue-6.18/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch [new file with mode: 0644]
queue-6.18/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch [new file with mode: 0644]
queue-6.18/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch [new file with mode: 0644]
queue-6.18/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch [new file with mode: 0644]
queue-6.18/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch [new file with mode: 0644]
queue-6.18/net-rose-fix-null-pointer-dereference-in-rose_transm.patch [new file with mode: 0644]
queue-6.18/net-sched-teql-fix-double-free-in-teql_master_xmit.patch [new file with mode: 0644]
queue-6.18/net-shaper-protect-from-late-creation-of-hierarchy.patch [new file with mode: 0644]
queue-6.18/net-shaper-protect-late-read-accesses-to-the-hierarc.patch [new file with mode: 0644]
queue-6.18/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch [new file with mode: 0644]
queue-6.18/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch [new file with mode: 0644]
queue-6.18/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch [new file with mode: 0644]
queue-6.18/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch [new file with mode: 0644]
queue-6.18/netdevsim-drop-psp-ext-ref-on-forward-failure.patch [new file with mode: 0644]
queue-6.18/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch [new file with mode: 0644]
queue-6.18/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch [new file with mode: 0644]
queue-6.18/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch [new file with mode: 0644]
queue-6.18/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch [new file with mode: 0644]
queue-6.18/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch [new file with mode: 0644]
queue-6.18/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch [new file with mode: 0644]
queue-6.18/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch [new file with mode: 0644]
queue-6.18/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch [new file with mode: 0644]
queue-6.18/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch [new file with mode: 0644]
queue-6.18/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch [new file with mode: 0644]
queue-6.18/nfnetlink_osf-validate-individual-option-lengths-in-.patch [new file with mode: 0644]
queue-6.18/pm-runtime-fix-a-race-condition-related-to-device-re.patch [new file with mode: 0644]
queue-6.18/sched-idle-consolidate-the-handling-of-two-special-c.patch [new file with mode: 0644]
queue-6.18/series
queue-6.18/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch [new file with mode: 0644]
queue-6.18/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch [new file with mode: 0644]
queue-6.18/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch [new file with mode: 0644]
queue-6.18/soc-rockchip-grf-add-missing-of_node_put-when-return.patch [new file with mode: 0644]
queue-6.18/tee-shm-remove-refcounting-of-kernel-pages.patch [new file with mode: 0644]
queue-6.18/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch [new file with mode: 0644]
queue-6.18/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch [new file with mode: 0644]
queue-6.18/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch [new file with mode: 0644]
queue-6.18/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch [new file with mode: 0644]
queue-6.18/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch [new file with mode: 0644]
queue-6.18/wifi-mac80211-remove-keys-after-disabling-beaconing.patch [new file with mode: 0644]
queue-6.18/wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch [new file with mode: 0644]
queue-6.18/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch [new file with mode: 0644]
queue-6.19/acpi-processor-fix-previous-acpi_processor_errata_pi.patch [new file with mode: 0644]
queue-6.19/acpica-update-the-format-of-arg3-of-_dsm.patch [new file with mode: 0644]
queue-6.19/af_unix-give-up-gc-if-msg_peek-intervened.patch [new file with mode: 0644]
queue-6.19/arm64-dts-renesas-r8a78000-fix-out-of-range-spi-inte.patch [new file with mode: 0644]
queue-6.19/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch [new file with mode: 0644]
queue-6.19/arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch [new file with mode: 0644]
queue-6.19/arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch [new file with mode: 0644]
queue-6.19/arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch [new file with mode: 0644]
queue-6.19/arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch [new file with mode: 0644]
queue-6.19/arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch [new file with mode: 0644]
queue-6.19/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch [new file with mode: 0644]
queue-6.19/bluetooth-hidp-fix-possible-uaf.patch [new file with mode: 0644]
queue-6.19/bluetooth-iso-fix-defer-tests-being-unstable.patch [new file with mode: 0644]
queue-6.19/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch [new file with mode: 0644]
queue-6.19/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch [new file with mode: 0644]
queue-6.19/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch [new file with mode: 0644]
queue-6.19/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch [new file with mode: 0644]
queue-6.19/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch [new file with mode: 0644]
queue-6.19/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch [new file with mode: 0644]
queue-6.19/bonding-prevent-potential-infinite-loop-in-bond_head.patch [new file with mode: 0644]
queue-6.19/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch [new file with mode: 0644]
queue-6.19/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch [new file with mode: 0644]
queue-6.19/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch [new file with mode: 0644]
queue-6.19/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch [new file with mode: 0644]
queue-6.19/cache-starfive-fix-device-node-leak-in-starlink_cach.patch [new file with mode: 0644]
queue-6.19/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch [new file with mode: 0644]
queue-6.19/crypto-ccp-fix-leaking-the-same-page-twice.patch [new file with mode: 0644]
queue-6.19/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch [new file with mode: 0644]
queue-6.19/firmware-arm_scmi-fix-null-dereference-on-notify-err.patch [new file with mode: 0644]
queue-6.19/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch [new file with mode: 0644]
queue-6.19/iavf-fix-vlan-filter-lost-on-add-delete-race.patch [new file with mode: 0644]
queue-6.19/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch [new file with mode: 0644]
queue-6.19/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch [new file with mode: 0644]
queue-6.19/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch [new file with mode: 0644]
queue-6.19/ip_tunnel-adapt-iptunnel_xmit_stats-to-netdev_pcpu_s.patch [new file with mode: 0644]
queue-6.19/ipv6-add-null-checks-for-idev-in-srv6-paths.patch [new file with mode: 0644]
queue-6.19/libie-prevent-memleak-in-fwlog-code.patch [new file with mode: 0644]
queue-6.19/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch [new file with mode: 0644]
queue-6.19/mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch [new file with mode: 0644]
queue-6.19/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch [new file with mode: 0644]
queue-6.19/net-bcmgenet-increase-wol-poll-timeout.patch [new file with mode: 0644]
queue-6.19/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch [new file with mode: 0644]
queue-6.19/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch [new file with mode: 0644]
queue-6.19/net-macb-fix-uninitialized-rx_fs_lock.patch [new file with mode: 0644]
queue-6.19/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch [new file with mode: 0644]
queue-6.19/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch [new file with mode: 0644]
queue-6.19/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch [new file with mode: 0644]
queue-6.19/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch [new file with mode: 0644]
queue-6.19/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch [new file with mode: 0644]
queue-6.19/net-rose-fix-null-pointer-dereference-in-rose_transm.patch [new file with mode: 0644]
queue-6.19/net-sched-teql-fix-double-free-in-teql_master_xmit.patch [new file with mode: 0644]
queue-6.19/net-shaper-protect-from-late-creation-of-hierarchy.patch [new file with mode: 0644]
queue-6.19/net-shaper-protect-late-read-accesses-to-the-hierarc.patch [new file with mode: 0644]
queue-6.19/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch [new file with mode: 0644]
queue-6.19/net-ti-icssg-prueth-fix-memory-leak-in-xdp_drop-for-.patch [new file with mode: 0644]
queue-6.19/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch [new file with mode: 0644]
queue-6.19/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch [new file with mode: 0644]
queue-6.19/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch [new file with mode: 0644]
queue-6.19/netdevsim-drop-psp-ext-ref-on-forward-failure.patch [new file with mode: 0644]
queue-6.19/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch [new file with mode: 0644]
queue-6.19/netfilter-conntrack-add-missing-netlink-policy-valid.patch [new file with mode: 0644]
queue-6.19/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch [new file with mode: 0644]
queue-6.19/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch [new file with mode: 0644]
queue-6.19/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch [new file with mode: 0644]
queue-6.19/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch [new file with mode: 0644]
queue-6.19/netfilter-nf_flow_table_ip-reset-mac-header-before-v.patch [new file with mode: 0644]
queue-6.19/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch [new file with mode: 0644]
queue-6.19/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch [new file with mode: 0644]
queue-6.19/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch [new file with mode: 0644]
queue-6.19/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch [new file with mode: 0644]
queue-6.19/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch [new file with mode: 0644]
queue-6.19/nfnetlink_osf-validate-individual-option-lengths-in-.patch [new file with mode: 0644]
queue-6.19/pm-runtime-fix-a-race-condition-related-to-device-re.patch [new file with mode: 0644]
queue-6.19/sched-idle-consolidate-the-handling-of-two-special-c.patch [new file with mode: 0644]
queue-6.19/series
queue-6.19/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch [new file with mode: 0644]
queue-6.19/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch [new file with mode: 0644]
queue-6.19/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch [new file with mode: 0644]
queue-6.19/soc-rockchip-grf-add-missing-of_node_put-when-return.patch [new file with mode: 0644]
queue-6.19/tee-shm-remove-refcounting-of-kernel-pages.patch [new file with mode: 0644]
queue-6.19/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch [new file with mode: 0644]
queue-6.19/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch [new file with mode: 0644]
queue-6.19/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch [new file with mode: 0644]
queue-6.19/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch [new file with mode: 0644]
queue-6.19/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch [new file with mode: 0644]
queue-6.19/wifi-mac80211-remove-keys-after-disabling-beaconing.patch [new file with mode: 0644]
queue-6.19/wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch [new file with mode: 0644]
queue-6.19/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch [new file with mode: 0644]
queue-6.6/acpi-processor-fix-previous-acpi_processor_errata_pi.patch [new file with mode: 0644]
queue-6.6/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch [new file with mode: 0644]
queue-6.6/bluetooth-hidp-fix-possible-uaf.patch [new file with mode: 0644]
queue-6.6/bluetooth-iso-fix-defer-tests-being-unstable.patch [new file with mode: 0644]
queue-6.6/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch [new file with mode: 0644]
queue-6.6/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch [new file with mode: 0644]
queue-6.6/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch [new file with mode: 0644]
queue-6.6/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch [new file with mode: 0644]
queue-6.6/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch [new file with mode: 0644]
queue-6.6/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch [new file with mode: 0644]
queue-6.6/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch [new file with mode: 0644]
queue-6.6/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch [new file with mode: 0644]
queue-6.6/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch [new file with mode: 0644]
queue-6.6/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch [new file with mode: 0644]
queue-6.6/iavf-fix-vlan-filter-lost-on-add-delete-race.patch [new file with mode: 0644]
queue-6.6/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch [new file with mode: 0644]
queue-6.6/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch [new file with mode: 0644]
queue-6.6/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch [new file with mode: 0644]
queue-6.6/net-bcmgenet-increase-wol-poll-timeout.patch [new file with mode: 0644]
queue-6.6/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch [new file with mode: 0644]
queue-6.6/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch [new file with mode: 0644]
queue-6.6/net-macb-fix-uninitialized-rx_fs_lock.patch [new file with mode: 0644]
queue-6.6/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch [new file with mode: 0644]
queue-6.6/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch [new file with mode: 0644]
queue-6.6/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch [new file with mode: 0644]
queue-6.6/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch [new file with mode: 0644]
queue-6.6/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch [new file with mode: 0644]
queue-6.6/net-rose-fix-null-pointer-dereference-in-rose_transm.patch [new file with mode: 0644]
queue-6.6/net-sched-teql-fix-double-free-in-teql_master_xmit.patch [new file with mode: 0644]
queue-6.6/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch [new file with mode: 0644]
queue-6.6/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch [new file with mode: 0644]
queue-6.6/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch [new file with mode: 0644]
queue-6.6/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch [new file with mode: 0644]
queue-6.6/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch [new file with mode: 0644]
queue-6.6/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch [new file with mode: 0644]
queue-6.6/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch [new file with mode: 0644]
queue-6.6/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch [new file with mode: 0644]
queue-6.6/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch [new file with mode: 0644]
queue-6.6/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch [new file with mode: 0644]
queue-6.6/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch [new file with mode: 0644]
queue-6.6/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch [new file with mode: 0644]
queue-6.6/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch [new file with mode: 0644]
queue-6.6/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch [new file with mode: 0644]
queue-6.6/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch [new file with mode: 0644]
queue-6.6/nfnetlink_osf-validate-individual-option-lengths-in-.patch [new file with mode: 0644]
queue-6.6/pm-runtime-fix-a-race-condition-related-to-device-re.patch [new file with mode: 0644]
queue-6.6/sched-idle-consolidate-the-handling-of-two-special-c.patch [new file with mode: 0644]
queue-6.6/series
queue-6.6/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch [new file with mode: 0644]
queue-6.6/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch [new file with mode: 0644]
queue-6.6/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch [new file with mode: 0644]
queue-6.6/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch [new file with mode: 0644]
queue-6.6/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch [new file with mode: 0644]
queue-6.6/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch [new file with mode: 0644]

diff --git a/queue-5.10/bluetooth-hidp-fix-possible-uaf.patch b/queue-5.10/bluetooth-hidp-fix-possible-uaf.patch
new file mode 100644 (file)
index 0000000..c539b21
--- /dev/null
@@ -0,0 +1,237 @@
+From 985d3d6ad7d26a45e14a9e2418f9d5981769e23b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 10:17:47 -0500
+Subject: Bluetooth: HIDP: Fix possible UAF
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit dbf666e4fc9bdd975a61bf682b3f75cb0145eedd ]
+
+This fixes the following trace caused by not dropping l2cap_conn
+reference when user->remove callback is called:
+
+[   97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
+[   97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   97.809947] Call Trace:
+[   97.809954]  <TASK>
+[   97.809961]  dump_stack_lvl (lib/dump_stack.c:122)
+[   97.809990]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
+[   97.810017]  l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
+[   97.810055]  l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
+[   97.810086]  ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
+[   97.810117]  hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
+[   97.810148]  hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
+[   97.810180]  ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
+[   97.810212]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810242]  ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
+[   97.810267]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810290]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
+[   97.810320]  hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
+[   97.810346]  vhci_release (drivers/bluetooth/hci_vhci.c:691)
+[   97.810375]  ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
+[   97.810404]  __fput (fs/file_table.c:470)
+[   97.810430]  task_work_run (kernel/task_work.c:235)
+[   97.810451]  ? __pfx_task_work_run (kernel/task_work.c:201)
+[   97.810472]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810495]  ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
+[   97.810527]  do_exit (kernel/exit.c:972)
+[   97.810547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810574]  ? __pfx_do_exit (kernel/exit.c:897)
+[   97.810594]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
+[   97.810616]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810639]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
+[   97.810664]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810688]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   97.810721]  do_group_exit (kernel/exit.c:1093)
+[   97.810745]  get_signal (kernel/signal.c:3007 (discriminator 1))
+[   97.810772]  ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
+[   97.810803]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810826]  ? vfs_read (fs/read_write.c:555)
+[   97.810854]  ? __pfx_get_signal (kernel/signal.c:2800)
+[   97.810880]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810905]  ? __pfx_vfs_read (fs/read_write.c:555)
+[   97.810932]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810960]  arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
+[   97.810990]  ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
+[   97.811021]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811055]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811078]  ? ksys_read (fs/read_write.c:707)
+[   97.811106]  ? __pfx_ksys_read (fs/read_write.c:707)
+[   97.811137]  exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
+[   97.811169]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
+[   97.811192]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811215]  ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
+[   97.811240]  do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
+[   97.811268]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811292]  ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
+[   97.811318]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+[   97.811338] RIP: 0033:0x445cfe
+[   97.811352] Code: Unable to access opcode bytes at 0x445cd4.
+
+Code starting with the faulting instruction
+===========================================
+[   97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
+[   97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe
+[   97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004
+[   97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000
+[   97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8
+[   97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0
+[   97.811453]  </TASK>
+[   98.402453] ==================================================================
+[   98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430
+[   98.405361]
+[   98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   98.405600] Call Trace:
+[   98.405607]  <TASK>
+[   98.405614]  dump_stack_lvl (lib/dump_stack.c:122)
+[   98.405641]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
+[   98.405667]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.405691]  ? __virt_addr_valid (arch/x86/mm/physaddr.c:55)
+[   98.405724]  ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405748]  kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
+[   98.405778]  ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405807]  __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405832]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
+[   98.405859]  ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.405888]  ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
+[   98.405915]  ? __pfx___mutex_lock (kernel/locking/mutex.c:775)
+[   98.405939]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.405963]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
+[   98.405984]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.406015]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406038]  ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875)
+[   98.406061]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406085]  ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194)
+[   98.406107]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406130]  ? __timer_delete_sync (kernel/time/timer.c:1592)
+[   98.406158]  ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.406186]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406210]  l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.406263]  hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305)
+[   98.406293]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.406323]  ? kthread (kernel/kthread.c:433)
+[   98.406340]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.406370]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406393]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.406424]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.406453]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406476]  ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
+[   98.406499]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406523]  ? kthread (kernel/kthread.c:433)
+[   98.406539]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406565]  ? kthread (kernel/kthread.c:433)
+[   98.406581]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.406610]  kthread (kernel/kthread.c:467)
+[   98.406627]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.406645]  ret_from_fork (arch/x86/kernel/process.c:164)
+[   98.406674]  ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
+[   98.406704]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406728]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.406747]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
+[   98.406774]  </TASK>
+[   98.406780]
+[   98.433693] The buggy address belongs to the physical page:
+[   98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4
+[   98.435557] flags: 0x200000000000000(node=0|zone=2)
+[   98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000
+[   98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000
+[   98.438115] page dumped because: kasan: bad access detected
+[   98.438951]
+[   98.439211] Memory state around the buggy address:
+[   98.439871]  ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   98.440714]  ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.442458]                                   ^
+[   98.443011]  ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.443889]  ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.444768] ==================================================================
+[   98.445719] Disabling lock debugging due to kernel taint
+[   98.448074] l2cap_conn_free: freeing conn ffff88810c22b400
+[   98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G    B               7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   98.450040] Tainted: [B]=BAD_PAGE
+[   98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   98.450059] Call Trace:
+[   98.450065]  <TASK>
+[   98.450071]  dump_stack_lvl (lib/dump_stack.c:122)
+[   98.450099]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
+[   98.450125]  l2cap_conn_put (net/bluetooth/l2cap_core.c:1822)
+[   98.450154]  session_free (net/bluetooth/hidp/core.c:990)
+[   98.450181]  hidp_session_thread (net/bluetooth/hidp/core.c:1307)
+[   98.450213]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.450271]  ? kthread (kernel/kthread.c:433)
+[   98.450293]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.450339]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450368]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.450406]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.450442]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450471]  ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
+[   98.450499]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450528]  ? kthread (kernel/kthread.c:433)
+[   98.450547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450578]  ? kthread (kernel/kthread.c:433)
+[   98.450598]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.450637]  kthread (kernel/kthread.c:467)
+[   98.450657]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.450680]  ret_from_fork (arch/x86/kernel/process.c:164)
+[   98.450715]  ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
+[   98.450752]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450782]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.450804]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
+[   98.450836]  </TASK>
+
+Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers")
+Reported-by: soufiane el hachmi <kilwa10@gmail.com>
+Tested-by: soufiane el hachmi <kilwa10@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hidp/core.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index 3ff870599eb77..068c3c2505170 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -987,7 +987,8 @@ static void session_free(struct kref *ref)
+       skb_queue_purge(&session->intr_transmit);
+       fput(session->intr_sock->file);
+       fput(session->ctrl_sock->file);
+-      l2cap_conn_put(session->conn);
++      if (session->conn)
++              l2cap_conn_put(session->conn);
+       kfree(session);
+ }
+@@ -1165,6 +1166,15 @@ static void hidp_session_remove(struct l2cap_conn *conn,
+       down_write(&hidp_session_sem);
++      /* Drop L2CAP reference immediately to indicate that
++       * l2cap_unregister_user() shall not be called as it is already
++       * considered removed.
++       */
++      if (session->conn) {
++              l2cap_conn_put(session->conn);
++              session->conn = NULL;
++      }
++
+       hidp_session_terminate(session);
+       cancel_work_sync(&session->dev_init);
+@@ -1302,7 +1312,9 @@ static int hidp_session_thread(void *arg)
+        * Instead, this call has the same semantics as if user-space tried to
+        * delete the session.
+        */
+-      l2cap_unregister_user(session->conn, &session->user);
++      if (session->conn)
++              l2cap_unregister_user(session->conn, &session->user);
++
+       hidp_session_put(session);
+       module_put_and_kthread_exit(0);
+-- 
+2.51.0
+
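Review bot: The `if (session->conn)` guard added at the tail of hidp_session_thread() reads a field that hidp_session_remove() now clears under `hidp_session_sem`, but the thread's read does not visibly hold that lock, so correctness rests on ordering established elsewhere (presumably the terminate issued right after the clear, which is what wakes the thread). That assumption is the whole point of the fix and deserves a comment at the thread's exit path, e.g. `/* conn is cleared only by hidp_session_remove(), before it terminates the session; a non-NULL conn here still owns the l2cap_conn reference */`. The session_free() guard is safe on its own since it runs from the final kref put. The enclosing functions of all three hunks start outside the visible context.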
diff --git a/queue-5.10/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch b/queue-5.10/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
new file mode 100644 (file)
index 0000000..9b1ba2d
--- /dev/null
@@ -0,0 +1,55 @@
+From 9d6961e59b0ca5eedd1521afe3af8d99c0bdbf83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:25 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit e1d9a66889867c232657a9b6f25d451d7c3ab96f ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"If the SDU length field value exceeds the receiver's MTU, the receiver
+shall disconnect the channel..."
+
+This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P
+0x0027 -V le_public -I 100').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index bac2abce4bd78..9c1d68b1e83b5 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -7639,8 +7639,10 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+               return -ENOBUFS;
+       }
+-      if (chan->imtu < skb->len) {
+-              BT_ERR("Too big LE L2CAP PDU");
++      if (skb->len > chan->imtu) {
++              BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len,
++                     chan->imtu);
++              l2cap_send_disconn_req(chan, ECONNRESET);
+               return -ENOBUFS;
+       }
+@@ -7665,7 +7667,9 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+                      sdu_len, skb->len, chan->imtu);
+               if (sdu_len > chan->imtu) {
+-                      BT_ERR("Too big LE L2CAP SDU length received");
++                      BT_ERR("Too big LE L2CAP SDU length: len %u > %u",
++                             skb->len, sdu_len);
++                      l2cap_send_disconn_req(chan, ECONNRESET);
+                       err = -EMSGSIZE;
+                       goto failed;
+               }
+-- 
+2.51.0
+
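Review bot: The second BT_ERR in this hunk prints values that do not match the condition it reports: the test is `sdu_len > chan->imtu`, but the message `"Too big LE L2CAP SDU length: len %u > %u"` is given `skb->len, sdu_len`, so the log will show the PDU length "greater than" the SDU length, which is neither what was checked nor necessarily true. It should be `BT_ERR("Too big LE L2CAP SDU length: len %u > %u", sdu_len, chan->imtu);`, mirroring the corrected first message. l2cap_ecred_data_rcv() continues outside both hunks.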
diff --git a/queue-5.10/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch b/queue-5.10/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
new file mode 100644 (file)
index 0000000..1d8398a
--- /dev/null
@@ -0,0 +1,39 @@
+From ba9d984b5a209e74d4866fdb087ec5342efe413a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:27 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit b6a2bf43aa37670432843bc73ae2a6288ba4d6f8 ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"... If the sum of the payload sizes for the K-frames exceeds the
+specified SDU length, the receiver shall disconnect the channel."
+
+This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
+0x0027 -V le_public').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 9c1d68b1e83b5..ed113cfdce23b 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -7705,6 +7705,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+       if (chan->sdu->len + skb->len > chan->sdu_len) {
+               BT_ERR("Too much LE L2CAP data received");
++              l2cap_send_disconn_req(chan, ECONNRESET);
+               err = -EINVAL;
+               goto failed;
+       }
+-- 
+2.51.0
+
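Review bot: The added `l2cap_send_disconn_req(chan, ECONNRESET);` leaves the neighbouring `BT_ERR("Too much LE L2CAP data received");` without the lengths that the sibling patch in this series added to the other two oversize checks in the same function, so an operator diagnosing a disconnect gets less information from this path than from the others. Since all three operands are in the condition one line above, `BT_ERR("Too much LE L2CAP data received: %u + %u > %u", chan->sdu->len, skb->len, chan->sdu_len);` would keep the messages consistent. l2cap_ecred_data_rcv() continues outside the hunk.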
diff --git a/queue-5.10/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch b/queue-5.10/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
new file mode 100644 (file)
index 0000000..b4c4be8
--- /dev/null
@@ -0,0 +1,36 @@
+From afd083b9f006351f638e913ba1220afb166a48a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:28 +0100
+Subject: Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit 0e4d4dcc1a6e82cc6f9abf32193558efa7e1613d ]
+
+The last test step ("Test with Invalid public key X and Y, all set to
+0") expects to get an "DHKEY check failed" instead of "unspecified".
+
+Fixes: 6d19628f539f ("Bluetooth: SMP: Fail if remote and local public keys are identical")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index 79550d115364e..0871dca1ceac9 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2738,7 +2738,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
+       if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
+           !crypto_memneq(key, smp->local_pk, 64)) {
+               bt_dev_err(hdev, "Remote and local public keys are identical");
+-              return SMP_UNSPECIFIED;
++              return SMP_DHKEY_CHECK_FAILED;
+       }
+       memcpy(smp->remote_pk, key, 64);
+-- 
+2.51.0
+
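Review bot: The rationale for `return SMP_DHKEY_CHECK_FAILED;` lives only in the commit message; inside smp_cmd_public_key() this branch now returns a different failure code from the surrounding checks with no in-code explanation, and a future cleanup could easily "normalise" it back to SMP_UNSPECIFIED. A one-line comment above the `if` would carry the reason into the source, e.g. `/* Identical remote/local keys (including the all-zero key) must be reported as a DHKey check failure; see SM/PER/KDU/BI-04-C */`. smp_cmd_public_key() starts and ends outside the hunk.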
diff --git a/queue-5.10/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch b/queue-5.10/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
new file mode 100644 (file)
index 0000000..70767c5
--- /dev/null
@@ -0,0 +1,68 @@
+From 4919f88c3e20b81c47e47018ca960685fca4f93b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 21:06:01 +0800
+Subject: icmp: fix NULL pointer dereference in icmp_tag_validation()
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit 614aefe56af8e13331e50220c936fc0689cf5675 ]
+
+icmp_tag_validation() unconditionally dereferences the result of
+rcu_dereference(inet_protos[proto]) without checking for NULL.
+The inet_protos[] array is sparse -- only about 15 of 256 protocol
+numbers have registered handlers. When ip_no_pmtu_disc is set to 3
+(hardened PMTU mode) and the kernel receives an ICMP Fragmentation
+Needed error with a quoted inner IP header containing an unregistered
+protocol number, the NULL dereference causes a kernel panic in
+softirq context.
+
+ Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
+ KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+ RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
+ Call Trace:
+  <IRQ>
+  icmp_rcv (net/ipv4/icmp.c:1527)
+  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
+  ip_local_deliver_finish (net/ipv4/ip_input.c:242)
+  ip_local_deliver (net/ipv4/ip_input.c:262)
+  ip_rcv (net/ipv4/ip_input.c:573)
+  __netif_receive_skb_one_core (net/core/dev.c:6164)
+  process_backlog (net/core/dev.c:6628)
+  handle_softirqs (kernel/softirq.c:561)
+  </IRQ>
+
+Add a NULL check before accessing icmp_strict_tag_validation. If the
+protocol has no registered handler, return false since it cannot
+perform strict tag validation.
+
+Fixes: 8ed1dc44d3e9 ("ipv4: introduce hardened ip_no_pmtu_disc mode")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Link: https://patch.msgid.link/20260318130558.1050247-4-bestswngs@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index efeeed4f0517e..3c74fecce2382 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -844,10 +844,12 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info)
+ static bool icmp_tag_validation(int proto)
+ {
++      const struct net_protocol *ipprot;
+       bool ok;
+       rcu_read_lock();
+-      ok = rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation;
++      ipprot = rcu_dereference(inet_protos[proto]);
++      ok = ipprot ? ipprot->icmp_strict_tag_validation : false;
+       rcu_read_unlock();
+       return ok;
+ }
+-- 
+2.51.0
+
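Review bot: The new `ok = ipprot ? ipprot->icmp_strict_tag_validation : false;` gives icmp_tag_validation() a defined result for protocol numbers with no registered handler, but that contract is documented only in the commit message and the function has no header comment. Add one above `static bool icmp_tag_validation(int proto)`, e.g. `/* Return the registered handler's icmp_strict_tag_validation flag for @proto, or false when no handler is registered: without a handler strict validation cannot be performed. */`. The hunk also relies on @proto being a valid index into inet_protos[]; if, as the commit message suggests, it always comes from the quoted header's 8-bit protocol field, the comment could state that rather than leave the reader to infer it.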
diff --git a/queue-5.10/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch b/queue-5.10/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch
new file mode 100644 (file)
index 0000000..37d9b7e
--- /dev/null
@@ -0,0 +1,45 @@
+From 23e8f902632e83131fc5803c08ba6cb7b2d48a8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Feb 2026 19:46:32 +0000
+Subject: igc: fix missing update of skb->tail in igc_xmit_frame()
+
+From: Kohei Enju <kohei@enjuk.jp>
+
+[ Upstream commit 0ffba246652faf4a36aedc66059c2f94e4c83ea5 ]
+
+igc_xmit_frame() misses updating skb->tail when the packet size is
+shorter than the minimum one.
+Use skb_put_padto() in alignment with other Intel Ethernet drivers.
+
+Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers")
+Signed-off-by: Kohei Enju <kohei@enjuk.jp>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 7593e8b7469c5..e59de43704b51 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -1522,11 +1522,8 @@ static netdev_tx_t igc_xmit_frame(struct sk_buff *skb,
+       /* The minimum packet size with TCTL.PSP set is 17 so pad the skb
+        * in order to meet this minimum size requirement.
+        */
+-      if (skb->len < 17) {
+-              if (skb_padto(skb, 17))
+-                      return NETDEV_TX_OK;
+-              skb->len = 17;
+-      }
++      if (skb_put_padto(skb, 17))
++              return NETDEV_TX_OK;
+       return igc_xmit_frame_ring(skb, igc_tx_queue_mapping(adapter, skb));
+ }
+-- 
+2.51.0
+
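Review bot: The new call at `+      if (skb_put_padto(skb, 17))` deserves a comment that the helper frees the skb on failure, because returning NETDEV_TX_OK on an error path only makes sense once the skb has been consumed, and a reader may otherwise take it for a leak. I would extend the existing block comment with `* skb_put_padto() also advances skb->tail and frees the skb on failure, so NETDEV_TX_OK is the right return there.` igc_xmit_frame begins before the hunk.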
diff --git a/queue-5.10/net-bcmgenet-increase-wol-poll-timeout.patch b/queue-5.10/net-bcmgenet-increase-wol-poll-timeout.patch
new file mode 100644 (file)
index 0000000..dc287e8
--- /dev/null
@@ -0,0 +1,38 @@
+From 5c34656e58af08f4d83b4b2bd0297a7aa506ad64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 12:18:52 -0700
+Subject: net: bcmgenet: increase WoL poll timeout
+
+From: Justin Chen <justin.chen@broadcom.com>
+
+[ Upstream commit 6cfc3bc02b977f2fba5f7268e6504d1931a774f7 ]
+
+Some systems require more than 5ms to get into WoL mode. Increase the
+timeout value to 50ms.
+
+Fixes: c51de7f3976b ("net: bcmgenet: add Wake-on-LAN support code")
+Signed-off-by: Justin Chen <justin.chen@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20260312191852.3904571-1-justin.chen@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+index 35c12938cb348..ac402631576cc 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+@@ -102,7 +102,7 @@ static int bcmgenet_poll_wol_status(struct bcmgenet_priv *priv)
+       while (!(bcmgenet_rbuf_readl(priv, RBUF_STATUS)
+               & RBUF_STATUS_WOL)) {
+               retries++;
+-              if (retries > 5) {
++              if (retries > 50) {
+                       netdev_crit(dev, "polling wol mode timeout\n");
+                       return -ETIMEDOUT;
+               }
+-- 
+2.51.0
+
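Review bot: The bumped bound at `+              if (retries > 50) {` is a bare magic number whose rationale lives only in the commit message, which is how such values get tuned back down later. A one-line comment would anchor it: `/* some platforms need well over 5ms to enter WoL mode; allow up to 50 polls */`. The delay between polls is outside the hunk, so the effective timeout in milliseconds cannot be confirmed from here.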
diff --git a/queue-5.10/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch b/queue-5.10/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
new file mode 100644 (file)
index 0000000..7468a92
--- /dev/null
@@ -0,0 +1,87 @@
+From 6eac891aefd3c61ee7e29a942c8d2cfa9255f0db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 17:50:34 -0700
+Subject: net: bonding: fix NULL deref in bond_debug_rlb_hash_show
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit 605b52497bf89b3b154674deb135da98f916e390 ]
+
+rlb_clear_slave intentionally keeps RLB hash-table entries on
+the rx_hashtbl_used_head list with slave set to NULL when no
+replacement slave is available. However, bond_debug_rlb_hash_show
+visites client_info->slave without checking if it's NULL.
+
+Other used-list iterators in bond_alb.c already handle this NULL-slave
+state safely:
+
+- rlb_update_client returns early on !client_info->slave
+- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance
+compare slave values before visiting
+- lb_req_update_subnet_clients continues if slave is NULL
+
+The following NULL deref crash can be trigger in
+bond_debug_rlb_hash_show:
+
+[    1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[    1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)
+[    1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286
+[    1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204
+[    1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078
+[    1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000
+[    1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0
+[    1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8
+[    1.294864] FS:  0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000
+[    1.295239] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[    1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0
+[    1.295897] Call Trace:
+[    1.296134]  seq_read_iter (fs/seq_file.c:231)
+[    1.296341]  seq_read (fs/seq_file.c:164)
+[    1.296493]  full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))
+[    1.296658]  vfs_read (fs/read_write.c:572)
+[    1.296981]  ksys_read (fs/read_write.c:717)
+[    1.297132]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+[    1.297325]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+Add a NULL check and print "(none)" for entries with no assigned slave.
+
+Fixes: caafa84251b88 ("bonding: add the debugfs interface to see RLB hash table")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260317005034.1888794-1-xmei5@asu.edu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_debugfs.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_debugfs.c b/drivers/net/bonding/bond_debugfs.c
+index 8b6cf2bf9025a..bb31f986ae592 100644
+--- a/drivers/net/bonding/bond_debugfs.c
++++ b/drivers/net/bonding/bond_debugfs.c
+@@ -34,11 +34,17 @@ static int bond_debug_rlb_hash_show(struct seq_file *m, void *v)
+       for (; hash_index != RLB_NULL_INDEX;
+            hash_index = client_info->used_next) {
+               client_info = &(bond_info->rx_hashtbl[hash_index]);
+-              seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n",
+-                      &client_info->ip_src,
+-                      &client_info->ip_dst,
+-                      &client_info->mac_dst,
+-                      client_info->slave->dev->name);
++              if (client_info->slave)
++                      seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n",
++                                 &client_info->ip_src,
++                                 &client_info->ip_dst,
++                                 &client_info->mac_dst,
++                                 client_info->slave->dev->name);
++              else
++                      seq_printf(m, "%-15pI4 %-15pI4 %-17pM (none)\n",
++                                 &client_info->ip_src,
++                                 &client_info->ip_dst,
++                                 &client_info->mac_dst);
+       }
+       spin_unlock_bh(&bond->mode_lock);
+-- 
+2.51.0
+
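Review bot: The else branch introduced at `+              else` duplicates the format string and the three address arguments only to swap the trailing `%s` for a literal, so the two seq_printf calls will drift apart on the next format change. A conditional last argument keeps a single call: `client_info->slave ? client_info->slave->dev->name : "(none)"` in place of `client_info->slave->dev->name`. The walk runs under bond->mode_lock (released at the `spin_unlock_bh` below), so evaluating `client_info->slave` in the conditional is as safe as the two-branch form. bond_debug_rlb_hash_show begins before the hunk.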
diff --git a/queue-5.10/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch b/queue-5.10/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
new file mode 100644 (file)
index 0000000..86df045
--- /dev/null
@@ -0,0 +1,57 @@
+From af9f82aaee3bfbfaea7ed08e510ea4339a2ab707 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 08:42:12 +0000
+Subject: net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths
+
+From: Anas Iqbal <mohd.abd.6602@gmail.com>
+
+[ Upstream commit b48731849609cbd8c53785a48976850b443153fd ]
+
+Smatch reports:
+drivers/net/dsa/bcm_sf2.c:997 bcm_sf2_sw_resume() warn:
+'priv->clk' from clk_prepare_enable() not released on lines: 983,990.
+
+The clock enabled by clk_prepare_enable() in bcm_sf2_sw_resume()
+is not released if bcm_sf2_sw_rst() or bcm_sf2_cfp_resume() fails.
+
+Add the missing clk_disable_unprepare() calls in the error paths
+to properly release the clock resource.
+
+Fixes: e9ec5c3bd238 ("net: dsa: bcm_sf2: request and handle clocks")
+Reviewed-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Anas Iqbal <mohd.abd.6602@gmail.com>
+Link: https://patch.msgid.link/20260318084212.1287-1-mohd.abd.6602@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/bcm_sf2.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
+index d0f94a5fae5ae..7c64317e0f191 100644
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -871,13 +871,17 @@ static int bcm_sf2_sw_resume(struct dsa_switch *ds)
+       ret = bcm_sf2_sw_rst(priv);
+       if (ret) {
+               pr_err("%s: failed to software reset switch\n", __func__);
++              if (!priv->wol_ports_mask)
++                      clk_disable_unprepare(priv->clk);
+               return ret;
+       }
+       ret = bcm_sf2_cfp_resume(ds);
+-      if (ret)
++      if (ret) {
++              if (!priv->wol_ports_mask)
++                      clk_disable_unprepare(priv->clk);
+               return ret;
+-
++      }
+       if (priv->hw_params.num_gphy == 1)
+               bcm_sf2_gphy_enable_set(ds, true);
+-- 
+2.51.0
+
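Review bot: The pair `if (!priv->wol_ports_mask) clk_disable_unprepare(priv->clk);` is now repeated verbatim in both error paths (first at `+              if (!priv->wol_ports_mask)` after the sw_rst failure, again after cfp_resume), which is exactly the shape a third early return will forget; the usual kernel idiom is one goto cleanup label. The guard presumably mirrors the condition under which clk_prepare_enable() was called earlier in bcm_sf2_sw_resume, but that call is outside the hunk so I cannot confirm the two conditions stay in step. The function's tail, where the label would live, is also outside the hunk.
```c
	ret = bcm_sf2_sw_rst(priv);
	if (ret) {
		pr_err("%s: failed to software reset switch\n", __func__);
		goto out_clk_disable;
	}

	ret = bcm_sf2_cfp_resume(ds);
	if (ret)
		goto out_clk_disable;

	/* … unchanged: gphy enable and the rest of the resume path (must return before the label) … */

out_clk_disable:
	/* undo the clk_prepare_enable() done earlier under the same condition */
	if (!priv->wol_ports_mask)
		clk_disable_unprepare(priv->clk);
	return ret;
```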
diff --git a/queue-5.10/net-macb-fix-uninitialized-rx_fs_lock.patch b/queue-5.10/net-macb-fix-uninitialized-rx_fs_lock.patch
new file mode 100644 (file)
index 0000000..c983ca7
--- /dev/null
@@ -0,0 +1,78 @@
+From cbe51c17dae4fae0fcf715b9d0a84b750886954a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 13:38:25 +0300
+Subject: net: macb: fix uninitialized rx_fs_lock
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 34b11cc56e4369bc08b1f4c4a04222d75ed596ce ]
+
+If hardware doesn't support RX Flow Filters, rx_fs_lock spinlock is not
+initialized leading to the following assertion splat triggerable via
+set_rxnfc callback.
+
+INFO: trying to register non-static key.
+The code is fine but needs lockdep annotation, or maybe
+you didn't initialize this object before use?
+turning off the locking correctness validator.
+CPU: 1 PID: 949 Comm: syz.0.6 Not tainted 6.1.164+ #113
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106
+ assign_lock_key kernel/locking/lockdep.c:974 [inline]
+ register_lock_class+0x141b/0x17f0 kernel/locking/lockdep.c:1287
+ __lock_acquire+0x74f/0x6c40 kernel/locking/lockdep.c:4928
+ lock_acquire kernel/locking/lockdep.c:5662 [inline]
+ lock_acquire+0x190/0x4b0 kernel/locking/lockdep.c:5627
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+ _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:162
+ gem_del_flow_filter drivers/net/ethernet/cadence/macb_main.c:3562 [inline]
+ gem_set_rxnfc+0x533/0xac0 drivers/net/ethernet/cadence/macb_main.c:3667
+ ethtool_set_rxnfc+0x18c/0x280 net/ethtool/ioctl.c:961
+ __dev_ethtool net/ethtool/ioctl.c:2956 [inline]
+ dev_ethtool+0x229c/0x6290 net/ethtool/ioctl.c:3095
+ dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510
+ sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215
+ sock_ioctl+0x577/0x6d0 net/socket.c:1320
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856
+ do_syscall_x64 arch/x86/entry/common.c:46 [inline]
+ do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+A more straightforward solution would be to always initialize rx_fs_lock,
+just like rx_fs_list.  However, in this case the driver set_rxnfc callback
+would return with a rather confusing error code, e.g. -EINVAL.  So deny
+set_rxnfc attempts directly if the RX filtering feature is not supported
+by hardware.
+
+Fixes: ae8223de3df5 ("net: macb: Added support for RX filtering")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Link: https://patch.msgid.link/20260316103826.74506-2-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index c407e8d0eb618..f49e4e0494db3 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -3381,6 +3381,9 @@ static int gem_set_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd)
+       struct macb *bp = netdev_priv(netdev);
+       int ret;
++      if (!(netdev->hw_features & NETIF_F_NTUPLE))
++              return -EOPNOTSUPP;
++
+       switch (cmd->cmd) {
+       case ETHTOOL_SRXCLSRLINS:
+               if ((cmd->fs.location >= bp->max_tuples)
+-- 
+2.51.0
+
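Review bot: The new guard at `+      if (!(netdev->hw_features & NETIF_F_NTUPLE))` carries no hint of why it exists; the lockdep splat in the description is the only link between NTUPLE support and rx_fs_lock, and nothing at the site records it. A comment such as `/* rx_fs_lock and the flow-filter state are only initialised when RX filtering is supported */` would stop someone from "simplifying" the check away. The splat path reaches the lock through gem_del_flow_filter from gem_set_rxnfc; if the ethtool get side takes the same lock it would presumably need an equivalent guard, but that code is outside the hunk. gem_set_rxnfc continues past the hunk.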
diff --git a/queue-5.10/net-rose-fix-null-pointer-dereference-in-rose_transm.patch b/queue-5.10/net-rose-fix-null-pointer-dereference-in-rose_transm.patch
new file mode 100644 (file)
index 0000000..541f6b1
--- /dev/null
@@ -0,0 +1,64 @@
+From f1dc84919586550161ee190d98a8b54b62f92022 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 15:06:02 +0800
+Subject: net/rose: fix NULL pointer dereference in rose_transmit_link on
+ reconnect
+
+From: Jiayuan Chen <jiayuan.chen@shopee.com>
+
+[ Upstream commit e1f0a18c9564cdb16523c802e2c6fe5874e3d944 ]
+
+syzkaller reported a bug [1], and the reproducer is available at [2].
+
+ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN,
+TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects
+calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING
+(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT.
+
+When rose_connect() is called a second time while the first connection
+attempt is still in progress (TCP_SYN_SENT), it overwrites
+rose->neighbour via rose_get_neigh(). If that returns NULL, the socket
+is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL.
+When the socket is subsequently closed, rose_release() sees
+ROSE_STATE_1 and calls rose_write_internal() ->
+rose_transmit_link(skb, NULL), causing a NULL pointer dereference.
+
+Per connect(2), a second connect() while a connection is already in
+progress should return -EALREADY. Add this missing check for
+TCP_SYN_SENT to complete the state validation in rose_connect().
+
+[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271
+[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+d00f90e0af54102fb271@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0027.GAE@google.com/T/
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260311070611.76913-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 04173c85d92b5..0130c13f73552 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -808,6 +808,11 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
+               goto out_release;
+       }
++      if (sk->sk_state == TCP_SYN_SENT) {
++              err = -EALREADY;
++              goto out_release;
++      }
++
+       sk->sk_state   = TCP_CLOSE;
+       sock->state = SS_UNCONNECTED;
+-- 
+2.51.0
+
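Review bot: The added state check at `+      if (sk->sk_state == TCP_SYN_SENT) {` is the one that keeps rose->neighbour from being overwritten mid-handshake, yet nothing at the site says so; with the ECONNREFUSED check just above and the reset to TCP_CLOSE just below, a reader cannot tell why this particular state needs rejecting. I would add `/* connect() already in progress: per connect(2) report -EALREADY instead of re-running the neighbour lookup */` above the check. rose_connect begins before the hunk.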
diff --git a/queue-5.10/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch b/queue-5.10/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
new file mode 100644 (file)
index 0000000..fac0518
--- /dev/null
@@ -0,0 +1,69 @@
+From 52b2cbb9a715927eaf04e474db8cce33e6d4db4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 16:16:43 +0200
+Subject: net: usb: aqc111: Do not perform PM inside suspend callback
+
+From: Nikola Z. Ivanov <zlatistiv@gmail.com>
+
+[ Upstream commit 069c8f5aebe4d5224cf62acc7d4b3486091c658a ]
+
+syzbot reports "task hung in rpm_resume"
+
+This is caused by aqc111_suspend calling
+the PM variant of its write_cmd routine.
+
+The simplified call trace looks like this:
+
+rpm_suspend()
+  usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING
+    aqc111_suspend() - called for the usb device interface
+      aqc111_write32_cmd()
+        usb_autopm_get_interface()
+          pm_runtime_resume_and_get()
+            rpm_resume() - here we call rpm_resume() on our parent
+              rpm_resume() - Here we wait for a status change that will never happen.
+
+At this point we block another task which holds
+rtnl_lock and locks up the whole networking stack.
+
+Fix this by replacing the write_cmd calls with their _nopm variants
+
+Reported-by: syzbot+48dc1e8dfc92faf1124c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=48dc1e8dfc92faf1124c
+Fixes: e58ba4544c77 ("net: usb: aqc111: Add support for wake on LAN by MAGIC packet")
+Signed-off-by: Nikola Z. Ivanov <zlatistiv@gmail.com>
+Link: https://patch.msgid.link/20260313141643.1181386-1-zlatistiv@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/aqc111.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c
+index ab9431ea295ad..7d38ce2e77017 100644
+--- a/drivers/net/usb/aqc111.c
++++ b/drivers/net/usb/aqc111.c
+@@ -1400,14 +1400,14 @@ static int aqc111_suspend(struct usb_interface *intf, pm_message_t message)
+               aqc111_write16_cmd_nopm(dev, AQ_ACCESS_MAC,
+                                       SFR_MEDIUM_STATUS_MODE, 2, &reg16);
+-              aqc111_write_cmd(dev, AQ_WOL_CFG, 0, 0,
+-                               WOL_CFG_SIZE, &wol_cfg);
+-              aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0,
+-                                 &aqc111_data->phy_cfg);
++              aqc111_write_cmd_nopm(dev, AQ_WOL_CFG, 0, 0,
++                                    WOL_CFG_SIZE, &wol_cfg);
++              aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0,
++                                      &aqc111_data->phy_cfg);
+       } else {
+               aqc111_data->phy_cfg |= AQ_LOW_POWER;
+-              aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0,
+-                                 &aqc111_data->phy_cfg);
++              aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0,
++                                      &aqc111_data->phy_cfg);
+               /* Disable RX path */
+               aqc111_read16_cmd_nopm(dev, AQ_ACCESS_MAC,
+-- 
+2.51.0
+
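Review bot: The three conversions at `+              aqc111_write_cmd_nopm(dev, AQ_WOL_CFG, 0, 0,` and the two `aqc111_write32_cmd_nopm` lines cover only the part of aqc111_suspend visible here; the function begins before the hunk and continues after it, so any PM-taking accessor left in the unseen parts would reproduce the same rpm_resume hang, and the whole function is worth re-checking rather than trusting these three sites. A comment at the top of the WoL block, `/* inside the runtime-PM suspend path: only the _nopm accessors may be used here */`, would make the constraint visible to the next edit. The return values of these writes are not checked, which predates this change.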
diff --git a/queue-5.10/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch b/queue-5.10/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
new file mode 100644 (file)
index 0000000..311de7a
--- /dev/null
@@ -0,0 +1,123 @@
+From c7ccddc64f7a7462617e9547e7688e1a8a7314c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Mar 2026 02:21:37 +0900
+Subject: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit 5cb81eeda909dbb2def209dd10636b51549a3f8a ]
+
+ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the
+netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the
+conntrack reference immediately after netlink_dump_start().  When the
+dump spans multiple rounds, the second recvmsg() triggers the dump
+callback which dereferences the now-freed conntrack via nfct_help(ct),
+leading to a use-after-free on ct->ext.
+
+The bug is that the netlink_dump_control has no .start or .done
+callbacks to manage the conntrack reference across dump rounds.  Other
+dump functions in the same file (e.g. ctnetlink_get_conntrack) properly
+use .start/.done callbacks for this purpose.
+
+Fix this by adding .start and .done callbacks that hold and release the
+conntrack reference for the duration of the dump, and move the
+nfct_help() call after the cb->args[0] early-return check in the dump
+callback to avoid dereferencing ct->ext unnecessarily.
+
+ BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0
+ Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133
+
+ CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY
+ Call Trace:
+  <TASK>
+  ctnetlink_exp_ct_dump_table+0x4f/0x2e0
+  netlink_dump+0x333/0x880
+  netlink_recvmsg+0x3e2/0x4b0
+  ? aa_sk_perm+0x184/0x450
+  sock_recvmsg+0xde/0xf0
+
+ Allocated by task 133:
+  kmem_cache_alloc_noprof+0x134/0x440
+  __nf_conntrack_alloc+0xa8/0x2b0
+  ctnetlink_create_conntrack+0xa1/0x900
+  ctnetlink_new_conntrack+0x3cf/0x7d0
+  nfnetlink_rcv_msg+0x48e/0x510
+  netlink_rcv_skb+0xc9/0x1f0
+  nfnetlink_rcv+0xdb/0x220
+  netlink_unicast+0x3ec/0x590
+  netlink_sendmsg+0x397/0x690
+  __sys_sendmsg+0xf4/0x180
+
+ Freed by task 0:
+  slab_free_after_rcu_debug+0xad/0x1e0
+  rcu_core+0x5c3/0x9c0
+
+Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 98a4c41f6df19..9fe2c5b3523c5 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3197,7 +3197,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+       struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+       struct nf_conn *ct = cb->data;
+-      struct nf_conn_help *help = nfct_help(ct);
++      struct nf_conn_help *help;
+       u_int8_t l3proto = nfmsg->nfgen_family;
+       unsigned long last_id = cb->args[1];
+       struct nf_conntrack_expect *exp;
+@@ -3205,6 +3205,10 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       if (cb->args[0])
+               return 0;
++      help = nfct_help(ct);
++      if (!help)
++              return 0;
++
+       rcu_read_lock();
+ restart:
+@@ -3234,6 +3238,24 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       return skb->len;
+ }
++static int ctnetlink_dump_exp_ct_start(struct netlink_callback *cb)
++{
++      struct nf_conn *ct = cb->data;
++
++      if (!refcount_inc_not_zero(&ct->ct_general.use))
++              return -ENOENT;
++      return 0;
++}
++
++static int ctnetlink_dump_exp_ct_done(struct netlink_callback *cb)
++{
++      struct nf_conn *ct = cb->data;
++
++      if (ct)
++              nf_ct_put(ct);
++      return 0;
++}
++
+ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+                                struct sk_buff *skb,
+                                const struct nlmsghdr *nlh,
+@@ -3249,6 +3271,8 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+       struct nf_conntrack_zone zone;
+       struct netlink_dump_control c = {
+               .dump = ctnetlink_exp_ct_dump_table,
++              .start = ctnetlink_dump_exp_ct_start,
++              .done = ctnetlink_dump_exp_ct_done,
+       };
+       err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
+-- 
+2.51.0
+
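Review bot: `+      if (!refcount_inc_not_zero(&ct->ct_general.use))` in ctnetlink_dump_exp_ct_start is the upstream form; in the 5.10 tree I believe ct_general.use was still an atomic_t (the refcount_t conversion landed later), so this backport may need `atomic_inc_not_zero()` there — please confirm against the definition of struct nf_conntrack in that tree. The `if (ct)` test in ctnetlink_dump_exp_ct_done looks defensive: cb->data is set by the caller before netlink_dump_start(), and a failing .start presumably means .done is never invoked, so either drop the test or comment why it is kept. A short comment on the start callback, `/* hold ct across dump rounds; the caller drops its own reference right after netlink_dump_start() */`, would record the ownership change the description explains.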
diff --git a/queue-5.10/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch b/queue-5.10/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch
new file mode 100644 (file)
index 0000000..cefc39e
--- /dev/null
@@ -0,0 +1,165 @@
+From d0150530d0f87112ab6118be3c85c0974a99c88f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Aug 2025 17:25:09 +0200
+Subject: netfilter: ctnetlink: remove refcounting in expectation dumpers
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 1492e3dcb2be3aa46d1963da96aa9593e4e4db5a ]
+
+Same pattern as previous patch: do not keep the expectation object
+alive via refcount, only store a cookie value and then use that
+as the skip hint for dump resumption.
+
+AFAICS this has the same issue as the one resolved in the conntrack
+dumper, when we do
+  if (!refcount_inc_not_zero(&exp->use))
+
+to increment the refcount, there is a chance that exp == last, which
+causes a double-increment of the refcount and subsequent memory leak.
+
+Fixes: cf6994c2b981 ("[NETFILTER]: nf_conntrack_netlink: sync expectation dumping with conntrack table dumping")
+Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Stable-dep-of: 5cb81eeda909 ("netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 41 ++++++++++++----------------
+ 1 file changed, 17 insertions(+), 24 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index f622fcad3f503..98a4c41f6df19 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3137,23 +3137,27 @@ ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item)
+       return 0;
+ }
+ #endif
+-static int ctnetlink_exp_done(struct netlink_callback *cb)
++
++static unsigned long ctnetlink_exp_id(const struct nf_conntrack_expect *exp)
+ {
+-      if (cb->args[1])
+-              nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
+-      return 0;
++      unsigned long id = (unsigned long)exp;
++
++      id += nf_ct_get_id(exp->master);
++      id += exp->class;
++
++      return id ? id : 1;
+ }
+ static int
+ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+       struct net *net = sock_net(skb->sk);
+-      struct nf_conntrack_expect *exp, *last;
+       struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+       u_int8_t l3proto = nfmsg->nfgen_family;
++      unsigned long last_id = cb->args[1];
++      struct nf_conntrack_expect *exp;
+       rcu_read_lock();
+-      last = (struct nf_conntrack_expect *)cb->args[1];
+       for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
+ restart:
+               hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]],
+@@ -3165,7 +3169,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+                               continue;
+                       if (cb->args[1]) {
+-                              if (exp != last)
++                              if (ctnetlink_exp_id(exp) != last_id)
+                                       continue;
+                               cb->args[1] = 0;
+                       }
+@@ -3174,9 +3178,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+                                                   cb->nlh->nlmsg_seq,
+                                                   IPCTNL_MSG_EXP_NEW,
+                                                   exp) < 0) {
+-                              if (!refcount_inc_not_zero(&exp->use))
+-                                      continue;
+-                              cb->args[1] = (unsigned long)exp;
++                              cb->args[1] = ctnetlink_exp_id(exp);
+                               goto out;
+                       }
+               }
+@@ -3187,32 +3189,30 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       }
+ out:
+       rcu_read_unlock();
+-      if (last)
+-              nf_ct_expect_put(last);
+-
+       return skb->len;
+ }
+ static int
+ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+-      struct nf_conntrack_expect *exp, *last;
+       struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+       struct nf_conn *ct = cb->data;
+       struct nf_conn_help *help = nfct_help(ct);
+       u_int8_t l3proto = nfmsg->nfgen_family;
++      unsigned long last_id = cb->args[1];
++      struct nf_conntrack_expect *exp;
+       if (cb->args[0])
+               return 0;
+       rcu_read_lock();
+-      last = (struct nf_conntrack_expect *)cb->args[1];
++
+ restart:
+       hlist_for_each_entry_rcu(exp, &help->expectations, lnode) {
+               if (l3proto && exp->tuple.src.l3num != l3proto)
+                       continue;
+               if (cb->args[1]) {
+-                      if (exp != last)
++                      if (ctnetlink_exp_id(exp) != last_id)
+                               continue;
+                       cb->args[1] = 0;
+               }
+@@ -3220,9 +3220,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+                                           cb->nlh->nlmsg_seq,
+                                           IPCTNL_MSG_EXP_NEW,
+                                           exp) < 0) {
+-                      if (!refcount_inc_not_zero(&exp->use))
+-                              continue;
+-                      cb->args[1] = (unsigned long)exp;
++                      cb->args[1] = ctnetlink_exp_id(exp);
+                       goto out;
+               }
+       }
+@@ -3233,9 +3231,6 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       cb->args[0] = 1;
+ out:
+       rcu_read_unlock();
+-      if (last)
+-              nf_ct_expect_put(last);
+-
+       return skb->len;
+ }
+@@ -3254,7 +3249,6 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+       struct nf_conntrack_zone zone;
+       struct netlink_dump_control c = {
+               .dump = ctnetlink_exp_ct_dump_table,
+-              .done = ctnetlink_exp_done,
+       };
+       err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
+@@ -3305,7 +3299,6 @@ static int ctnetlink_get_expect(struct net *net, struct sock *ctnl,
+               else {
+                       struct netlink_dump_control c = {
+                               .dump = ctnetlink_exp_dump_table,
+-                              .done = ctnetlink_exp_done,
+                       };
+                       return netlink_dump_start(ctnl, skb, nlh, &c);
+               }
+-- 
+2.51.0
+
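Review bot: ctnetlink_exp_id() at `+static unsigned long ctnetlink_exp_id(const struct nf_conntrack_expect *exp)` replaces a held reference with a cookie, which changes the resume semantics: if the expectation is freed between dump rounds, the cookie no longer matches and, judging by the `restart:` labels, the bucket is re-walked from its head, so entries can be repeated (or, less likely, a reused slot could collide). That trade-off deserves a comment so nobody later "fixes" it by re-adding a reference; above the function I'd put `/* Stateless resume cookie for multi-round dumps: no reference is held across rounds, so a freed exp simply fails to match. Never 0, because cb->args[1] == 0 means "no resume point". */`. The `id += nf_ct_get_id(exp->master)` term presumably exists to make a reused address unlikely to collide, but that rationale is stated nowhere in the hunk.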
diff --git a/queue-5.10/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch b/queue-5.10/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
new file mode 100644 (file)
index 0000000..1a7a1aa
--- /dev/null
@@ -0,0 +1,47 @@
+From 37c7b46af8afb2127e45327dc3a7befdb3b87388 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 14:49:50 +0000
+Subject: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit f173d0f4c0f689173f8cdac79991043a4a89bf66 ]
+
+In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
+the packet, then decrements it by 1 to skip the protocol discriminator
+byte before passing it to DecodeH323_UserInformation(). If the encoded
+length is 0, the decrement wraps to -1, which is then passed as a
+large value to the decoder, leading to an out-of-bounds read.
+
+Add a check to ensure len is positive after the decrement.
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index c972e9488e16f..7b1497ed97d26 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
+                               break;
+                       p++;
+                       len--;
++                      if (len <= 0)
++                              break;
+                       return DecodeH323_UserInformation(buf, p, len,
+                                                         &q931->UUIE);
+               }
+-- 
+2.51.0
+
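Review bot: The new `if (len <= 0) break;` guard is only meaningful if `len` is a signed type; with an unsigned `len` the decrement from 0 would wrap to a large value and the comparison could never be true. The declaration is outside this hunk (DecodeQ931 begins and ends outside it), so the hunk alone does not confirm it; if it is `int`, a one-line comment would stop a future type change from silently reintroducing the overread: `/* len is signed: a zero-length IE would otherwise wrap to -1 here and become SIZE_MAX in the callee */`.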
diff --git a/queue-5.10/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch b/queue-5.10/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
new file mode 100644 (file)
index 0000000..346a404
--- /dev/null
@@ -0,0 +1,48 @@
+From 02bc845304b0f05e3a0a7123fe9ffa2292597bc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 02:29:32 +0000
+Subject: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a ]
+
+In decode_int(), the CONS case calls get_bits(bs, 2) to read a length
+value, then calls get_uint(bs, len) without checking that len bytes
+remain in the buffer. The existing boundary check only validates the
+2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()
+reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte
+slab-out-of-bounds read.
+
+Add a boundary check for len bytes after get_bits() and before
+get_uint().
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index 62aa22a078769..c972e9488e16f 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -331,6 +331,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f,
+               if (nf_h323_error_boundary(bs, 0, 2))
+                       return H323_ERROR_BOUND;
+               len = get_bits(bs, 2) + 1;
++              if (nf_h323_error_boundary(bs, len, 0))
++                      return H323_ERROR_BOUND;
+               BYTE_ALIGN(bs);
+               if (base && (f->attr & DECODE)) {       /* timeToLive */
+                       unsigned int v = get_uint(bs, len) + f->lb;
+-- 
+2.51.0
+
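Review bot: The added `nf_h323_error_boundary(bs, len, 0)` runs before `BYTE_ALIGN(bs)`, so it is only sufficient if the helper rounds the pending bit offset in `bs->bit` up to a whole byte; otherwise the alignment step could move `bs->cur` one byte past what was checked before `get_uint(bs, len)` reads. The helper's body is not in this hunk, so that cannot be confirmed here. Either move the check after `BYTE_ALIGN(bs)` or record the dependency: `/* boundary check precedes BYTE_ALIGN(): the helper rounds the partial byte up, so the aligned read of len bytes is covered */`. decode_int starts and ends outside this hunk.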
diff --git a/queue-5.10/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch b/queue-5.10/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
new file mode 100644 (file)
index 0000000..812955b
--- /dev/null
@@ -0,0 +1,66 @@
+From 5c4095e82eca0c3bd69733e86e7b2f3fcbc046c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Mar 2026 21:49:01 +0000
+Subject: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in
+ sip_help_tcp()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lukas Johannes Möller <research@johannes-moeller.dev>
+
+[ Upstream commit fbce58e719a17aa215c724473fd5baaa4a8dc57c ]
+
+sip_help_tcp() parses the SIP Content-Length header with
+simple_strtoul(), which returns unsigned long, but stores the result in
+unsigned int clen.  On 64-bit systems, values exceeding UINT_MAX are
+silently truncated before computing the SIP message boundary.
+
+For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,
+causing the parser to miscalculate where the current message ends.  The
+loop then treats trailing data in the TCP segment as a second SIP
+message and processes it through the SDP parser.
+
+Fix this by changing clen to unsigned long to match the return type of
+simple_strtoul(), and reject Content-Length values that exceed the
+remaining TCP payload length.
+
+Fixes: f5b321bd37fb ("netfilter: nf_conntrack_sip: add TCP support")
+Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_sip.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
+index 751df19fe0f8a..5db17768ec2ad 100644
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -1529,11 +1529,12 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
+ {
+       struct tcphdr *th, _tcph;
+       unsigned int dataoff, datalen;
+-      unsigned int matchoff, matchlen, clen;
++      unsigned int matchoff, matchlen;
+       unsigned int msglen, origlen;
+       const char *dptr, *end;
+       s16 diff, tdiff = 0;
+       int ret = NF_ACCEPT;
++      unsigned long clen;
+       bool term;
+       if (ctinfo != IP_CT_ESTABLISHED &&
+@@ -1568,6 +1569,9 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
+               if (dptr + matchoff == end)
+                       break;
++              if (clen > datalen)
++                      break;
++
+               term = false;
+               for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
+                       if (end[0] == '\r' && end[1] == '\n' &&
+-- 
+2.51.0
+
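Review bot: `if (clen > datalen) break;` bounds the parsed Content-Length against the whole TCP payload rather than against the bytes remaining after the header block, so it is a coarse guard and the exact message-boundary check later in the loop (outside this hunk) still has to hold. That is acceptable, but the reason for the guard — `simple_strtoul()` returns a wrapped value rather than an error on overflow, and `clen` is later added to a pointer — lives only in the commit message; I would put it next to the check: `/* simple_strtoul() wraps silently; never let clen exceed what this segment can hold before it is added to end */`. sip_help_tcp continues outside the hunk.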
diff --git a/queue-5.10/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch b/queue-5.10/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch
new file mode 100644 (file)
index 0000000..8fe517c
--- /dev/null
@@ -0,0 +1,114 @@
+From b333ff4b01117fa09f18292d5e82ee4cb6b9374a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Oct 2025 18:22:16 +0200
+Subject: netfilter: nft_ct: add seqadj extension for natted connections
+
+From: Andrii Melnychenko <a.melnychenko@vyos.io>
+
+[ Upstream commit 90918e3b6404c2a37837b8f11692471b4c512de2 ]
+
+Sequence adjustment may be required for FTP traffic with PASV/EPSV modes.
+due to need to re-write packet payload (IP, port) on the ftp control
+connection. This can require changes to the TCP length and expected
+seq / ack_seq.
+
+The easiest way to reproduce this issue is with PASV mode.
+Example ruleset:
+table inet ftp_nat {
+        ct helper ftp_helper {
+                type "ftp" protocol tcp
+                l3proto inet
+        }
+
+        chain prerouting {
+                type filter hook prerouting priority 0; policy accept;
+                tcp dport 21 ct state new ct helper set "ftp_helper"
+        }
+}
+table ip nat {
+        chain prerouting {
+                type nat hook prerouting priority -100; policy accept;
+                tcp dport 21 dnat ip prefix to ip daddr map {
+                       192.168.100.1 : 192.168.13.2/32 }
+        }
+
+        chain postrouting {
+                type nat hook postrouting priority 100 ; policy accept;
+                tcp sport 21 snat ip prefix to ip saddr map {
+                       192.168.13.2 : 192.168.100.1/32 }
+        }
+}
+
+Note that the ftp helper gets assigned *after* the dnat setup.
+
+The inverse (nat after helper assign) is handled by an existing
+check in nf_nat_setup_info() and will not show the problem.
+
+Topoloy:
+
+ +-------------------+     +----------------------------------+
+ | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |
+ +-------------------+     +----------------------------------+
+                                      |
+                         +-----------------------+
+                         | Client: 192.168.100.2 |
+                         +-----------------------+
+
+ftp nat changes do not work as expected in this case:
+Connected to 192.168.100.1.
+[..]
+ftp> epsv
+EPSV/EPRT on IPv4 off.
+ftp> ls
+227 Entering passive mode (192,168,100,1,209,129).
+421 Service not available, remote server has closed connection.
+
+Kernel logs:
+Missing nfct_seqadj_ext_add() setup call
+WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41
+[..]
+ __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]
+ nf_nat_ftp+0x142/0x280 [nf_nat_ftp]
+ help+0x4d1/0x880 [nf_conntrack_ftp]
+ nf_confirm+0x122/0x2e0 [nf_conntrack]
+ nf_hook_slow+0x3c/0xb0
+ ..
+
+Fix this by adding the required extension when a conntrack helper is assigned
+to a connection that has a nat binding.
+
+Fixes: 1a64edf54f55 ("netfilter: nft_ct: add helper set support")
+Signed-off-by: Andrii Melnychenko <a.melnychenko@vyos.io>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Stable-dep-of: 36eae0956f65 ("netfilter: nft_ct: drop pending enqueued packets on removal")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_ct.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index f95f1dbc48dea..0b194628818a5 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -22,6 +22,7 @@
+ #include <net/netfilter/nf_conntrack_timeout.h>
+ #include <net/netfilter/nf_conntrack_l4proto.h>
+ #include <net/netfilter/nf_conntrack_expect.h>
++#include <net/netfilter/nf_conntrack_seqadj.h>
+ struct nft_ct {
+       enum nft_ct_keys        key:8;
+@@ -1106,6 +1107,10 @@ static void nft_ct_helper_obj_eval(struct nft_object *obj,
+       if (help) {
+               rcu_assign_pointer(help->helper, to_assign);
+               set_bit(IPS_HELPER_BIT, &ct->status);
++
++              if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct))
++                      if (!nfct_seqadj_ext_add(ct))
++                              regs->verdict.code = NF_DROP;
+       }
+ }
+-- 
+2.51.0
+
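Review bot: The two nested single-statement `if`s under `set_bit(IPS_HELPER_BIT, ...)` express one condition and read more clearly as `if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct) && !nfct_seqadj_ext_add(ct)) regs->verdict.code = NF_DROP;`. The drop also deserves a comment: the helper is already assigned when the extension add fails, so the outcome presumably relies on this ct being unconfirmed (the early-return checks are outside this hunk) and being discarded with the dropped skb rather than lingering with a helper but no seqadj extension, e.g. `/* ct is unconfirmed here; dropping the packet discards it too, so a helper without seqadj never reaches the table */`. nft_ct_helper_obj_eval starts outside the hunk.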
diff --git a/queue-5.10/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch b/queue-5.10/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch
new file mode 100644 (file)
index 0000000..d3e8669
--- /dev/null
@@ -0,0 +1,70 @@
+From c96c65c5c94db90d4af9a65b7507c9bd32cd99e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 13:48:47 +0100
+Subject: netfilter: nft_ct: drop pending enqueued packets on removal
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 36eae0956f659e48d5366d9b083d9417f3263ddc ]
+
+Packets sitting in nfqueue might hold a reference to:
+
+- templates that specify the conntrack zone, because a percpu area is
+  used and module removal is possible.
+- conntrack timeout policies and helper, where object removal leave
+  a stale reference.
+
+Since these objects can just go away, drop enqueued packets to avoid
+stale reference to them.
+
+If there is a need for finer grain removal, this logic can be revisited
+to make selective packet drop upon dependencies.
+
+Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_ct.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index 0b194628818a5..e788d5d9e7aeb 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -23,6 +23,7 @@
+ #include <net/netfilter/nf_conntrack_l4proto.h>
+ #include <net/netfilter/nf_conntrack_expect.h>
+ #include <net/netfilter/nf_conntrack_seqadj.h>
++#include "nf_internals.h"
+ struct nft_ct {
+       enum nft_ct_keys        key:8;
+@@ -533,6 +534,7 @@ static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv)
+ #endif
+ #ifdef CONFIG_NF_CONNTRACK_ZONES
+       case NFT_CT_ZONE:
++              nf_queue_nf_hook_drop(ctx->net);
+               mutex_lock(&nft_ct_pcpu_mutex);
+               if (--nft_ct_pcpu_template_refcnt == 0)
+                       nft_ct_tmpl_put_pcpu();
+@@ -930,6 +932,7 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx,
+       struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
+       struct nf_ct_timeout *timeout = priv->timeout;
++      nf_queue_nf_hook_drop(ctx->net);
+       nf_ct_untimeout(ctx->net, timeout);
+       nf_ct_netns_put(ctx->net, ctx->family);
+       kfree(priv->timeout);
+@@ -1062,6 +1065,7 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx,
+ {
+       struct nft_ct_helper_obj *priv = nft_obj_data(obj);
++      nf_queue_nf_hook_drop(ctx->net);
+       if (priv->helper4)
+               nf_conntrack_helper_put(priv->helper4);
+       if (priv->helper6)
+-- 
+2.51.0
+
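Review bot: `nf_queue_nf_hook_drop(ctx->net)` flushes every packet queued to userspace in the whole netns, not just those referencing the zone template, timeout policy or helper being destroyed, and none of the three call sites say so; the commit message acknowledges the coarseness but a reader of the destroy paths will not see it. I would add a comment at each site, e.g. `/* Packets parked in nfqueue may still reference this object; flush the whole netns queue (coarse but safe) before it is released. */`. The ordering looks right in that the flush precedes `nf_ct_untimeout()` and `nf_conntrack_helper_put()`; `__nft_ct_set_destroy` starts outside this hunk.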
diff --git a/queue-5.10/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch b/queue-5.10/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
new file mode 100644 (file)
index 0000000..51c8dd7
--- /dev/null
@@ -0,0 +1,54 @@
+From 537ac20949e411b1f821ebd5b9a451bae8d50a77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 13:48:48 +0100
+Subject: netfilter: xt_CT: drop pending enqueued packets on template removal
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit f62a218a946b19bb59abdd5361da85fa4606b96b ]
+
+Templates refer to objects that can go away while packets are sitting in
+nfqueue refer to:
+
+- helper, this can be an issue on module removal.
+- timeout policy, nfnetlink_cttimeout might remove it.
+
+The use of templates with zone and event cache filter are safe, since
+this just copies values.
+
+Flush these enqueued packets in case the template rule gets removed.
+
+Fixes: 24de58f46516 ("netfilter: xt_CT: allow to attach timeout policy + glue code")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_CT.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
+index ffff1e1f79b91..6ad76f3a956cc 100644
+--- a/net/netfilter/xt_CT.c
++++ b/net/netfilter/xt_CT.c
+@@ -16,6 +16,7 @@
+ #include <net/netfilter/nf_conntrack_ecache.h>
+ #include <net/netfilter/nf_conntrack_timeout.h>
+ #include <net/netfilter/nf_conntrack_zones.h>
++#include "nf_internals.h"
+ static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct)
+ {
+@@ -270,6 +271,9 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par,
+       struct nf_conn_help *help;
+       if (ct) {
++              if (info->helper[0] || info->timeout[0])
++                      nf_queue_nf_hook_drop(par->net);
++
+               help = nfct_help(ct);
+               if (help)
+                       nf_conntrack_helper_put(help->helper);
+-- 
+2.51.0
+
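Review bot: The flush is gated on `info->helper[0] || info->timeout[0]`, i.e. on whether the configured name strings are non-empty, while the helper actually attached is looked up two lines later via `nfct_help(ct)`; the two should agree for a template built by this target, but the rationale (zone and event masks are copied by value, helper and timeout policy are references that can vanish) exists only in the commit message. A comment would keep the gate from looking arbitrary: `/* helper and timeout policy are references that can go away under enqueued packets; zone and event masks are plain values and need no flush */`. xt_ct_tg_destroy begins and ends outside this hunk.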
diff --git a/queue-5.10/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch b/queue-5.10/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
new file mode 100644 (file)
index 0000000..0128da5
--- /dev/null
@@ -0,0 +1,53 @@
+From 4fd94be20cfff57368223c2ddf0655811890bc11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 14:59:49 +0000
+Subject: netfilter: xt_time: use unsigned int for monthday bit shift
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit 00050ec08cecfda447e1209b388086d76addda3a ]
+
+The monthday field can be up to 31, and shifting a signed integer 1
+by 31 positions (1 << 31) is undefined behavior in C, as the result
+overflows a 32-bit signed int. Use 1U to ensure well-defined behavior
+for all valid monthday values.
+
+Change the weekday shift to 1U as well for consistency.
+
+Fixes: ee4411a1b1e0 ("[NETFILTER]: x_tables: add xt_time match")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_time.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
+index 6aa12d0f54e23..61de85e02a40f 100644
+--- a/net/netfilter/xt_time.c
++++ b/net/netfilter/xt_time.c
+@@ -227,13 +227,13 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par)
+       localtime_2(&current_time, stamp);
+-      if (!(info->weekdays_match & (1 << current_time.weekday)))
++      if (!(info->weekdays_match & (1U << current_time.weekday)))
+               return false;
+       /* Do not spend time computing monthday if all days match anyway */
+       if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) {
+               localtime_3(&current_time, stamp);
+-              if (!(info->monthdays_match & (1 << current_time.monthday)))
++              if (!(info->monthdays_match & (1U << current_time.monthday)))
+                       return false;
+       }
+-- 
+2.51.0
+
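Review bot: `1U << current_time.monthday` is well defined only while `monthday` stays at most 31 and `weekday` at most 7 — a shift by 32 or more is undefined even with the unsigned constant — and those ranges are established by `localtime_2()`/`localtime_3()` outside this hunk. The change is correct as far as the hunk shows; I would pin the assumption at the shift: `/* monthday is 1..31 from localtime_3(), so the unsigned shift cannot reach the width of monthdays_match */`.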
diff --git a/queue-5.10/nfnetlink_osf-validate-individual-option-lengths-in-.patch b/queue-5.10/nfnetlink_osf-validate-individual-option-lengths-in-.patch
new file mode 100644 (file)
index 0000000..3901424
--- /dev/null
@@ -0,0 +1,83 @@
+From df17caf52a3a1f37901215eee58e6ae37fad0655 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 15:32:44 +0800
+Subject: nfnetlink_osf: validate individual option lengths in fingerprints
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit dbdfaae9609629a9569362e3b8f33d0a20fd783c ]
+
+nfnl_osf_add_callback() validates opt_num bounds and string
+NUL-termination but does not check individual option length fields.
+A zero-length option causes nf_osf_match_one() to enter the option
+matching loop even when foptsize sums to zero, which matches packets
+with no TCP options where ctx->optp is NULL:
+
+ Oops: general protection fault
+ KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
+ Call Trace:
+  nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
+  xt_osf_match_packet (net/netfilter/xt_osf.c:32)
+  ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
+  nf_hook_slow (net/netfilter/core.c:623)
+  ip_local_deliver (net/ipv4/ip_input.c:262)
+  ip_rcv (net/ipv4/ip_input.c:573)
+
+Additionally, an MSS option (kind=2) with length < 4 causes
+out-of-bounds reads when nf_osf_match_one() unconditionally accesses
+optp[2] and optp[3] for MSS value extraction.  While RFC 9293
+section 3.2 specifies that the MSS option is always exactly 4
+bytes (Kind=2, Length=4), the check uses "< 4" rather than
+"!= 4" because lengths greater than 4 do not cause memory
+safety issues -- the buffer is guaranteed to be at least
+foptsize bytes by the ctx->optsize == foptsize check.
+
+Reject fingerprints where any option has zero length, or where an MSS
+option has length less than 4, at add time rather than trusting these
+values in the packet matching hot path.
+
+Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_osf.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
+index 573a372e760f4..a2d7bfb4c1a69 100644
+--- a/net/netfilter/nfnetlink_osf.c
++++ b/net/netfilter/nfnetlink_osf.c
+@@ -303,7 +303,9 @@ static int nfnl_osf_add_callback(struct net *net, struct sock *ctnl,
+ {
+       struct nf_osf_user_finger *f;
+       struct nf_osf_finger *kf = NULL, *sf;
++      unsigned int tot_opt_len = 0;
+       int err = 0;
++      int i;
+       if (!capable(CAP_NET_ADMIN))
+               return -EPERM;
+@@ -319,6 +321,17 @@ static int nfnl_osf_add_callback(struct net *net, struct sock *ctnl,
+       if (f->opt_num > ARRAY_SIZE(f->opt))
+               return -EINVAL;
++      for (i = 0; i < f->opt_num; i++) {
++              if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
++                      return -EINVAL;
++              if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)
++                      return -EINVAL;
++
++              tot_opt_len += f->opt[i].length;
++              if (tot_opt_len > MAX_IPOPTLEN)
++                      return -EINVAL;
++      }
++
+       if (!memchr(f->genre, 0, MAXGENRELEN) ||
+           !memchr(f->subtype, 0, MAXGENRELEN) ||
+           !memchr(f->version, 0, MAXGENRELEN))
+-- 
+2.51.0
+
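Review bot: The loop index `int i` is compared against `f->opt_num`, whose declared type is not visible here but is checked against `ARRAY_SIZE(f->opt)` just above and whose lengths are accumulated into an `unsigned int`; declaring it `unsigned int i;` avoids a signed/unsigned comparison and matches `tot_opt_len`. The `< 4` rule for `OSFOPT_MSS` is justified in the message but opaque at the call site; tie it to the reader there: `/* nf_osf_match_one() reads optp[2] and optp[3] for MSS unconditionally */`. nfnl_osf_add_callback continues outside this hunk.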
diff --git a/queue-5.10/pm-runtime-fix-a-race-condition-related-to-device-re.patch b/queue-5.10/pm-runtime-fix-a-race-condition-related-to-device-re.patch
new file mode 100644 (file)
index 0000000..611d2e1
--- /dev/null
@@ -0,0 +1,126 @@
+From 42f882f65a6a454331dddf548027c6f25a04da2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 11:27:20 -0700
+Subject: PM: runtime: Fix a race condition related to device removal
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 29ab768277617452d88c0607c9299cdc63b6e9ff ]
+
+The following code in pm_runtime_work() may dereference the dev->parent
+pointer after the parent device has been freed:
+
+       /* Maybe the parent is now able to suspend. */
+       if (parent && !parent->power.ignore_children) {
+               spin_unlock(&dev->power.lock);
+
+               spin_lock(&parent->power.lock);
+               rpm_idle(parent, RPM_ASYNC);
+               spin_unlock(&parent->power.lock);
+
+               spin_lock(&dev->power.lock);
+       }
+
+Fix this by inserting a flush_work() call in pm_runtime_remove().
+
+Without this patch blktest block/001 triggers the following complaint
+sporadically:
+
+BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160
+Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081
+Workqueue: pm pm_runtime_work
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x61/0x80
+ print_address_description.constprop.0+0x8b/0x310
+ print_report+0xfd/0x1d7
+ kasan_report+0xd8/0x1d0
+ __kasan_check_byte+0x42/0x60
+ lock_acquire.part.0+0x38/0x230
+ lock_acquire+0x70/0x160
+ _raw_spin_lock+0x36/0x50
+ rpm_suspend+0xc6a/0xfe0
+ rpm_idle+0x578/0x770
+ pm_runtime_work+0xee/0x120
+ process_one_work+0xde3/0x1410
+ worker_thread+0x5eb/0xfe0
+ kthread+0x37b/0x480
+ ret_from_fork+0x6cb/0x920
+ ret_from_fork_asm+0x11/0x20
+ </TASK>
+
+Allocated by task 4314:
+ kasan_save_stack+0x2a/0x50
+ kasan_save_track+0x18/0x40
+ kasan_save_alloc_info+0x3d/0x50
+ __kasan_kmalloc+0xa0/0xb0
+ __kmalloc_noprof+0x311/0x990
+ scsi_alloc_target+0x122/0xb60 [scsi_mod]
+ __scsi_scan_target+0x101/0x460 [scsi_mod]
+ scsi_scan_channel+0x179/0x1c0 [scsi_mod]
+ scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]
+ store_scan+0x2d2/0x390 [scsi_mod]
+ dev_attr_store+0x43/0x80
+ sysfs_kf_write+0xde/0x140
+ kernfs_fop_write_iter+0x3ef/0x670
+ vfs_write+0x506/0x1470
+ ksys_write+0xfd/0x230
+ __x64_sys_write+0x76/0xc0
+ x64_sys_call+0x213/0x1810
+ do_syscall_64+0xee/0xfc0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Freed by task 4314:
+ kasan_save_stack+0x2a/0x50
+ kasan_save_track+0x18/0x40
+ kasan_save_free_info+0x3f/0x50
+ __kasan_slab_free+0x67/0x80
+ kfree+0x225/0x6c0
+ scsi_target_dev_release+0x3d/0x60 [scsi_mod]
+ device_release+0xa3/0x220
+ kobject_cleanup+0x105/0x3a0
+ kobject_put+0x72/0xd0
+ put_device+0x17/0x20
+ scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]
+ device_release+0xa3/0x220
+ kobject_cleanup+0x105/0x3a0
+ kobject_put+0x72/0xd0
+ put_device+0x17/0x20
+ scsi_device_put+0x7f/0xc0 [scsi_mod]
+ sdev_store_delete+0xa5/0x120 [scsi_mod]
+ dev_attr_store+0x43/0x80
+ sysfs_kf_write+0xde/0x140
+ kernfs_fop_write_iter+0x3ef/0x670
+ vfs_write+0x506/0x1470
+ ksys_write+0xfd/0x230
+ __x64_sys_write+0x76/0xc0
+ x64_sys_call+0x213/0x1810
+
+Reported-by: Ming Lei <ming.lei@redhat.com>
+Closes: https://lore.kernel.org/all/ZxdNvLNI8QaOfD2d@fedora/
+Reported-by: syzbot+6c905ab800f20cf4086c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68c13942.050a0220.2ff435.000b.GAE@google.com/
+Fixes: 5e928f77a09a ("PM: Introduce core framework for run-time PM of I/O devices (rev. 17)")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20260312182720.2776083-1-bvanassche@acm.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/runtime.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
+index d15d033be2c97..ec14c3089e329 100644
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -1776,6 +1776,7 @@ void pm_runtime_reinit(struct device *dev)
+ void pm_runtime_remove(struct device *dev)
+ {
+       __pm_runtime_disable(dev, false);
++      flush_work(&dev->power.work);
+       pm_runtime_reinit(dev);
+ }
+-- 
+2.51.0
+
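Review bot: The unconditional `flush_work(&dev->power.work)` is needed even though `__pm_runtime_disable()` has its own barrier, presumably because that barrier only cancels a still-pending request and is skipped when `disable_depth` was already non-zero — neither covers a pm_runtime_work() instance that has already started and is about to touch `dev->parent`; none of that is visible in this one-line hunk, so state it at the call: `/* __pm_runtime_disable() only cancels a pending request; a running pm_runtime_work() may still dereference dev->parent, so wait for it before the device goes away. */`. The fix also relies on no new work being queued after the disable, which `disable_depth` should guarantee but which is worth confirming against the queueing paths outside this hunk.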
diff --git a/queue-5.10/sched-idle-consolidate-the-handling-of-two-special-c.patch b/queue-5.10/sched-idle-consolidate-the-handling-of-two-special-c.patch
new file mode 100644 (file)
index 0000000..ef36074
--- /dev/null
@@ -0,0 +1,133 @@
+From 620927257ecacd1199ea97c69e111508c112404c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 13:25:41 +0100
+Subject: sched: idle: Consolidate the handling of two special cases
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit f4c31b07b136839e0fb3026f8a5b6543e3b14d2f ]
+
+There are two special cases in the idle loop that are handled
+inconsistently even though they are analogous.
+
+The first one is when a cpuidle driver is absent and the default CPU
+idle time power management implemented by the architecture code is used.
+In that case, the scheduler tick is stopped every time before invoking
+default_idle_call().
+
+The second one is when a cpuidle driver is present, but there is only
+one idle state in its table.  In that case, the scheduler tick is never
+stopped at all.
+
+Since each of these approaches has its drawbacks, reconcile them with
+the help of one simple heuristic.  Namely, stop the tick if the CPU has
+been woken up by it in the previous iteration of the idle loop, or let
+it tick otherwise.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Christian Loehle <christian.loehle@arm.com>
+Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
+Reviewed-by: Qais Yousef <qyousef@layalina.io>
+Reviewed-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
+Fixes: ed98c3491998 ("sched: idle: Do not stop the tick before cpuidle_idle_call()")
+[ rjw: Added Fixes tag, changelog edits ]
+Link: https://patch.msgid.link/4741364.LvFx2qVVIh@rafael.j.wysocki
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/idle.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c
+index 8c38b4fe9ee72..50b18ba9ca9cd 100644
+--- a/kernel/sched/idle.c
++++ b/kernel/sched/idle.c
+@@ -158,6 +158,14 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev,
+       return cpuidle_enter(drv, dev, next_state);
+ }
++static void idle_call_stop_or_retain_tick(bool stop_tick)
++{
++      if (stop_tick || tick_nohz_tick_stopped())
++              tick_nohz_idle_stop_tick();
++      else
++              tick_nohz_idle_retain_tick();
++}
++
+ /**
+  * cpuidle_idle_call - the main idle function
+  *
+@@ -167,7 +175,7 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev,
+  * set, and it returns with polling set.  If it ever stops polling, it
+  * must clear the polling bit.
+  */
+-static void cpuidle_idle_call(void)
++static void cpuidle_idle_call(bool stop_tick)
+ {
+       struct cpuidle_device *dev = cpuidle_get_device();
+       struct cpuidle_driver *drv = cpuidle_get_cpu_driver(dev);
+@@ -189,7 +197,7 @@ static void cpuidle_idle_call(void)
+        */
+       if (cpuidle_not_available(drv, dev)) {
+-              tick_nohz_idle_stop_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               default_idle_call();
+               goto exit_idle;
+@@ -224,17 +232,19 @@ static void cpuidle_idle_call(void)
+               next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns);
+               call_cpuidle(drv, dev, next_state);
+       } else if (drv->state_count > 1) {
+-              bool stop_tick = true;
++              /*
++               * stop_tick is expected to be true by default by cpuidle
++               * governors, which allows them to select idle states with
++               * target residency above the tick period length.
++               */
++              stop_tick = true;
+               /*
+                * Ask the cpuidle framework to choose a convenient idle state.
+                */
+               next_state = cpuidle_select(drv, dev, &stop_tick);
+-              if (stop_tick || tick_nohz_tick_stopped())
+-                      tick_nohz_idle_stop_tick();
+-              else
+-                      tick_nohz_idle_retain_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               entered_state = call_cpuidle(drv, dev, next_state);
+               /*
+@@ -242,7 +252,7 @@ static void cpuidle_idle_call(void)
+                */
+               cpuidle_reflect(dev, entered_state);
+       } else {
+-              tick_nohz_idle_retain_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               /*
+                * If there is only a single idle state (or none), there is
+@@ -270,6 +280,7 @@ static void cpuidle_idle_call(void)
+ static void do_idle(void)
+ {
+       int cpu = smp_processor_id();
++      bool got_tick = false;
+       /*
+        * Check if we need to update blocked load
+@@ -312,8 +323,9 @@ static void do_idle(void)
+                       tick_nohz_idle_restart_tick();
+                       cpu_idle_poll();
+               } else {
+-                      cpuidle_idle_call();
++                      cpuidle_idle_call(got_tick);
+               }
++              got_tick = tick_nohz_idle_got_tick();
+               arch_cpu_idle_exit();
+       }
+-- 
+2.51.0
+
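Review bot: `cpuidle_idle_call()` gains a `stop_tick` parameter but the kernel-doc block above its signature still describes only the polling contract, so the new hint is undocumented; add `* @stop_tick: %true if the previous idle period was ended by the tick, in which case stopping it now is worthwhile` to that comment. The same variable is then reassigned to `true` in the `state_count > 1` branch before being handed to `cpuidle_select()`, so the caller's hint and the governor's answer share one name; a short comment there noting that the hint is deliberately overridden when a governor decides would prevent a reader from thinking it leaks through. do_idle's loop body and the tick helpers are outside this hunk.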
index 5bf27a97d31ba1025d6fee8ca3d6d27142851f9e..d6dad3d1845f2292350f6ee96554d935a85cc789 100644 (file)
@@ -198,3 +198,32 @@ alsa-pcm-fix-use-after-free-on-linked-stream-runtime-in-snd_pcm_drain.patch
 smb-client-compare-macs-in-constant-time.patch
 net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch
 staging-rtl8723bs-fix-null-dereference-in-find_network.patch
+soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
+wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
+bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
+bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
+bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
+bluetooth-hidp-fix-possible-uaf.patch
+net-rose-fix-null-pointer-dereference-in-rose_transm.patch
+netfilter-ctnetlink-remove-refcounting-in-expectatio.patch
+netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
+netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
+netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
+netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch
+netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch
+netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
+netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
+netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
+net-bcmgenet-increase-wol-poll-timeout.patch
+sched-idle-consolidate-the-handling-of-two-special-c.patch
+pm-runtime-fix-a-race-condition-related-to-device-re.patch
+net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
+igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch
+wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
+wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
+net-macb-fix-uninitialized-rx_fs_lock.patch
+udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
+net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
+nfnetlink_osf-validate-individual-option-lengths-in-.patch
+net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
+icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
diff --git a/queue-5.10/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch b/queue-5.10/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
new file mode 100644 (file)
index 0000000..48b058c
--- /dev/null
@@ -0,0 +1,92 @@
+From bebc9cba264ce30bcaf9b3ba17ba311978ca203d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 08:25:49 +0100
+Subject: soc: fsl: qbman: fix race condition in qman_destroy_fq
+
+From: Richard Genoud <richard.genoud@bootlin.com>
+
+[ Upstream commit 014077044e874e270ec480515edbc1cadb976cf2 ]
+
+When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between
+fq_table[fq->idx] state and freeing/allocating from the pool and
+WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.
+
+Indeed, we can have:
+         Thread A                             Thread B
+    qman_destroy_fq()                    qman_create_fq()
+      qman_release_fqid()
+        qman_shutdown_fq()
+        gen_pool_free()
+           -- At this point, the fqid is available again --
+                                           qman_alloc_fqid()
+           -- so, we can get the just-freed fqid in thread B --
+                                           fq->fqid = fqid;
+                                           fq->idx = fqid * 2;
+                                           WARN_ON(fq_table[fq->idx]);
+                                           fq_table[fq->idx] = fq;
+     fq_table[fq->idx] = NULL;
+
+And adding some logs between qman_release_fqid() and
+fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.
+
+To prevent that, ensure that fq_table[fq->idx] is set to NULL before
+gen_pool_free() is called by using smp_wmb().
+
+Fixes: c535e923bb97 ("soc/fsl: Introduce DPAA 1.x QMan device driver")
+Signed-off-by: Richard Genoud <richard.genoud@bootlin.com>
+Tested-by: CHAMPSEIX Thomas <thomas.champseix@alstomgroup.com>
+Link: https://lore.kernel.org/r/20251223072549.397625-1-richard.genoud@bootlin.com
+Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qbman/qman.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
+index 7abc9b6a04ab6..0309ed2df0d71 100644
+--- a/drivers/soc/fsl/qbman/qman.c
++++ b/drivers/soc/fsl/qbman/qman.c
+@@ -1827,6 +1827,8 @@ EXPORT_SYMBOL(qman_create_fq);
+ void qman_destroy_fq(struct qman_fq *fq)
+ {
++      int leaked;
++
+       /*
+        * We don't need to lock the FQ as it is a pre-condition that the FQ be
+        * quiesced. Instead, run some checks.
+@@ -1834,11 +1836,29 @@ void qman_destroy_fq(struct qman_fq *fq)
+       switch (fq->state) {
+       case qman_fq_state_parked:
+       case qman_fq_state_oos:
+-              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))
+-                      qman_release_fqid(fq->fqid);
++              /*
++               * There's a race condition here on releasing the fqid,
++               * setting the fq_table to NULL, and freeing the fqid.
++               * To prevent it, this order should be respected:
++               */
++              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) {
++                      leaked = qman_shutdown_fq(fq->fqid);
++                      if (leaked)
++                              pr_debug("FQID %d leaked\n", fq->fqid);
++              }
+               DPAA_ASSERT(fq_table[fq->idx]);
+               fq_table[fq->idx] = NULL;
++
++              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) && !leaked) {
++                      /*
++                       * fq_table[fq->idx] should be set to null before
++                       * freeing fq->fqid otherwise it could by allocated by
++                       * qman_alloc_fqid() while still being !NULL
++                       */
++                      smp_wmb();
++                      gen_pool_free(qm_fqalloc, fq->fqid | DPAA_GENALLOC_OFF, 1);
++              }
+               return;
+       default:
+               break;
+-- 
+2.51.0
+
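Review bot: `leaked` is declared uninitialized at the top of qman_destroy_fq() and only assigned inside the first `if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))` branch; the later `&& !leaked` is only evaluated when the same flag is set, so the read is safe today, but that relies on short-circuit evaluation that a reader (or a compiler warning) has to re-derive. Initialising it, `int leaked = 0;`, makes the invariant explicit at no cost. Separately, the smp_wmb() before gen_pool_free() orders the `fq_table[fq->idx] = NULL` store ahead of the pool bitmap update, but a write barrier only works if the allocating side (qman_alloc_fqid() followed by the WARN_ON(fq_table[fq->idx]) in qman_create_fq(), per the description) has a matching read barrier or acquire; that side is outside this hunk, so it is worth confirming the pairing or naming in the comment which primitive in gen_pool_alloc() is relied upon. The rest of the switch body is outside the hunk.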
diff --git a/queue-5.10/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch b/queue-5.10/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
new file mode 100644 (file)
index 0000000..11534c4
--- /dev/null
@@ -0,0 +1,64 @@
+From 717c37540b63c68b95fc2b18eb5391a94ed0cf50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 18:02:41 -0700
+Subject: udp_tunnel: fix NULL deref caused by udp_sock_create6 when
+ CONFIG_IPV6=n
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit b3a6df291fecf5f8a308953b65ca72b7fc9e015d ]
+
+When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0
+(success) without actually creating a socket. Callers such as
+fou_create() then proceed to dereference the uninitialized socket
+pointer, resulting in a NULL pointer dereference.
+
+The captured NULL deref crash:
+  BUG: kernel NULL pointer dereference, address: 0000000000000018
+  RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)
+  [...]
+  Call Trace:
+    <TASK>
+    genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)
+    genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)
+    [...]
+    netlink_rcv_skb (net/netlink/af_netlink.c:2550)
+    genl_rcv (net/netlink/genetlink.c:1219)
+    netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
+    netlink_sendmsg (net/netlink/af_netlink.c:1894)
+    __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))
+    __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))
+    __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))
+    do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+    entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)
+
+This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so
+callers correctly take their error paths. There is only one caller of
+the vulnerable function and only privileged users can trigger it.
+
+Fixes: fd384412e199b ("udp_tunnel: Seperate ipv6 functions into its own file.")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260317010241.1893893-1-xmei5@asu.edu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/udp_tunnel.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
+index 24ece06bad9ef..97a739c21f1f8 100644
+--- a/include/net/udp_tunnel.h
++++ b/include/net/udp_tunnel.h
+@@ -47,7 +47,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+ static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+                                  struct socket **sockp)
+ {
+-      return 0;
++      return -EPFNOSUPPORT;
+ }
+ #endif
+-- 
+2.51.0
+
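Review bot: The CONFIG_IPV6=n stub of udp_sock_create6() now fails with -EPFNOSUPPORT but carries no comment saying why a stub returns an error, which is exactly the kind of line a later cleanup could "simplify" back to `return 0;`. Suggest adding above the return: `/* No IPv6: fail so callers take their error path instead of dereferencing an unset *sockp. */`. If I recall correctly the udp_sock_create() wrapper in this same header dispatches AF_INET6 configs to this stub, so more than the one caller named in the description may reach it; that wrapper is outside the hunk, so confirm before relying on the one-caller statement.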
diff --git a/queue-5.10/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch b/queue-5.10/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
new file mode 100644 (file)
index 0000000..f116c56
--- /dev/null
@@ -0,0 +1,51 @@
+From 977d9797a52ca13070255a1410548206c5872985 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 21:36:59 +0530
+Subject: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
+
+From: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
+
+[ Upstream commit 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 ]
+
+When the nl80211 socket that originated a PMSR request is
+closed, cfg80211_release_pmsr() sets the request's nl_portid
+to zero and schedules pmsr_free_wk to process the abort
+asynchronously. If the interface is concurrently torn down
+before that work runs, cfg80211_pmsr_wdev_down() calls
+cfg80211_pmsr_process_abort() directly. However, the already-
+scheduled pmsr_free_wk work item remains pending and may run
+after the interface has been removed from the driver. This
+could cause the driver's abort_pmsr callback to operate on a
+torn-down interface, leading to undefined behavior and
+potential crashes.
+
+Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()
+before calling cfg80211_pmsr_process_abort(). This ensures any
+pending or in-progress work is drained before interface teardown
+proceeds, preventing the work from invoking the driver abort
+callback after the interface is gone.
+
+Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API")
+Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260305160712.1263829-3-peddolla.reddy@oss.qualcomm.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/pmsr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c
+index 7503c7dd71ab5..32cea07b98fd1 100644
+--- a/net/wireless/pmsr.c
++++ b/net/wireless/pmsr.c
+@@ -620,6 +620,7 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev)
+       }
+       spin_unlock_bh(&wdev->pmsr_lock);
++      cancel_work_sync(&wdev->pmsr_free_wk);
+       if (found)
+               cfg80211_pmsr_process_abort(wdev);
+-- 
+2.51.0
+
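Review bot: cancel_work_sync() is placed after spin_unlock_bh(&wdev->pmsr_lock), which is necessary because it can sleep and the work it waits for presumably takes the same lock, but nothing at the call site records that constraint; a one-line comment such as `/* must run unlocked: the work item takes pmsr_lock and we wait for it */` would keep a later edit from hoisting it into the locked region. The cancel also only drains work queued before this point: if cfg80211_release_pmsr() can still run for this wdev after cancel_work_sync() returns (a socket close racing with interface removal), the work could be queued again against a torn-down interface; whether that window exists depends on teardown ordering outside this hunk, so it is worth confirming. cfg80211_pmsr_wdev_down() begins before the hunk.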
diff --git a/queue-5.10/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch b/queue-5.10/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
new file mode 100644 (file)
index 0000000..4d35c66
--- /dev/null
@@ -0,0 +1,81 @@
+From 3eda2e0b1b17c07a70d12351c2dda1592130c701 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 20:42:44 -0700
+Subject: wifi: mac80211: fix NULL deref in mesh_matches_local()
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd ]
+
+mesh_matches_local() unconditionally dereferences ie->mesh_config to
+compare mesh configuration parameters. When called from
+mesh_rx_csa_frame(), the parsed action-frame elements may not contain a
+Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a
+kernel NULL pointer dereference.
+
+The other two callers are already safe:
+  - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before
+    calling mesh_matches_local()
+  - mesh_plink_get_event() is only reached through
+    mesh_process_plink_frame(), which checks !elems->mesh_config, too
+
+mesh_rx_csa_frame() is the only caller that passes raw parsed elements
+to mesh_matches_local() without guarding mesh_config. An adjacent
+attacker can exploit this by sending a crafted CSA action frame that
+includes a valid Mesh ID IE but omits the Mesh Configuration IE,
+crashing the kernel.
+
+The captured crash log:
+
+Oops: general protection fault, probably for non-canonical address ...
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+Workqueue: events_unbound cfg80211_wiphy_work
+[...]
+Call Trace:
+ <TASK>
+ ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
+ ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
+ [...]
+ ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
+ [...]
+ cfg80211_wiphy_work (net/wireless/core.c:426)
+ process_one_work (net/kernel/workqueue.c:3280)
+ ? assign_work (net/kernel/workqueue.c:1219)
+ worker_thread (net/kernel/workqueue.c:3352)
+ ? __pfx_worker_thread (net/kernel/workqueue.c:3385)
+ kthread (net/kernel/kthread.c:436)
+ [...]
+ ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
+ </TASK>
+
+This patch adds a NULL check for ie->mesh_config at the top of
+mesh_matches_local() to return false early when the Mesh Configuration
+IE is absent.
+
+Fixes: 2e3c8736820b ("mac80211: support functions for mesh")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260318034244.2595020-1-xmei5@asu.edu
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index 20b8ff83e3dbd..4b09cd19c4e04 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -75,6 +75,9 @@ bool mesh_matches_local(struct ieee80211_sub_if_data *sdata,
+        *   - MDA enabled
+        * - Power management control on fc
+        */
++      if (!ie->mesh_config)
++              return false;
++
+       if (!(ifmsh->mesh_id_len == ie->mesh_id_len &&
+            memcmp(ifmsh->mesh_id, ie->mesh_id, ie->mesh_id_len) == 0 &&
+            (ifmsh->mesh_pp_id == ie->mesh_config->meshconf_psel) &&
+-- 
+2.51.0
+
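Review bot: The new early return in mesh_matches_local() has no comment explaining which caller can pass elements without a Mesh Configuration element, so next to the callers that already check `elems->mesh_config` it reads as redundant and is at risk of being removed. Suggest above the check: `/* mesh_rx_csa_frame() passes raw parsed elements; a CSA action frame may carry a Mesh ID but no Mesh Configuration element, so treat that as a mismatch rather than dereferencing NULL. */`. Since the check sits after the parameter-list comment but before any dereference, its placement is correct; the function's signature and the remainder of its body are outside the hunk.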
diff --git a/queue-5.10/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch b/queue-5.10/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
new file mode 100644 (file)
index 0000000..a427381
--- /dev/null
@@ -0,0 +1,54 @@
+From 0004147312f909cd1b0002bd36f5aef58a368d26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 23:46:36 -0700
+Subject: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not
+ enough headroom
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit deb353d9bb009638b7762cae2d0b6e8fdbb41a69 ]
+
+Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom
+before skb_push"), wl1271_tx_allocate() and with it
+wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails.
+However, in wlcore_tx_work_locked(), a return value of -EAGAIN from
+wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being
+full. This causes the code to flush the buffer, put the skb back at the
+head of the queue, and immediately retry the same skb in a tight while
+loop.
+
+Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens
+immediately with GFP_ATOMIC, this will result in an infinite loop and a
+CPU soft lockup. Return -ENOMEM instead so the packet is dropped and
+the loop terminates.
+
+The problem was found by an experimental code review agent based on
+gemini-3.1-pro while reviewing backports into v6.18.y.
+
+Assisted-by: Gemini:gemini-3.1-pro
+Fixes: e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push")
+Cc: Peter Astrand <astrand@lysator.liu.se>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://patch.msgid.link/20260318064636.3065925-1-linux@roeck-us.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wlcore/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c
+index e86cc3425e997..ac1411db8e5a8 100644
+--- a/drivers/net/wireless/ti/wlcore/tx.c
++++ b/drivers/net/wireless/ti/wlcore/tx.c
+@@ -213,7 +213,7 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif,
+               if (skb_headroom(skb) < (total_len - skb->len) &&
+                   pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) {
+                       wl1271_free_tx_id(wl, id);
+-                      return -EAGAIN;
++                      return -ENOMEM;
+               }
+               desc = skb_push(skb, total_len - skb->len);
+-- 
+2.51.0
+
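Review bot: The changed return depends on an unwritten contract — per the description, wlcore_tx_work_locked() treats -EAGAIN as "aggregation buffer full, requeue and retry the same skb" and any other error as "drop" — and nothing at this site says so, so the next person touching this allocation failure could reintroduce the soft lockup. Suggest a comment above the return: `/* Not -EAGAIN: the caller would requeue and retry this skb forever on a persistent allocation failure. */`. The tx id is released by the `wl1271_free_tx_id(wl, id)` on the preceding line; whether the skb itself is freed on the -ENOMEM path is up to the caller, which is outside the hunk.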
diff --git a/queue-5.15/acpi-processor-fix-previous-acpi_processor_errata_pi.patch b/queue-5.15/acpi-processor-fix-previous-acpi_processor_errata_pi.patch
new file mode 100644 (file)
index 0000000..5d46059
--- /dev/null
@@ -0,0 +1,74 @@
+From f325ba94494d32ab9b4082de067ae32076245fb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 21:39:05 +0100
+Subject: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit bf504b229cb8d534eccbaeaa23eba34c05131e25 ]
+
+After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference
+in acpi_processor_errata_piix4()"), device pointers may be dereferenced
+after dropping references to the device objects pointed to by them,
+which may cause a use-after-free to occur.
+
+Moreover, debug messages about enabling the errata may be printed
+if the errata flags corresponding to them are unset.
+
+Address all of these issues by moving message printing to the points
+in the code where the errata flags are set.
+
+Fixes: f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()")
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Closes: https://lore.kernel.org/linux-acpi/938e2206-def5-4b7a-9b2c-d1fd37681d8a@roeck-us.net/
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Link: https://patch.msgid.link/5975693.DvuYhMxLoT@rafael.j.wysocki
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_processor.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c
+index 669398045c0fd..07acdaee6ce5c 100644
+--- a/drivers/acpi/acpi_processor.c
++++ b/drivers/acpi/acpi_processor.c
+@@ -96,6 +96,10 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev)
+                                    PCI_ANY_ID, PCI_ANY_ID, NULL);
+               if (ide_dev) {
+                       errata.piix4.bmisx = pci_resource_start(ide_dev, 4);
++                      if (errata.piix4.bmisx)
++                              dev_dbg(&ide_dev->dev,
++                                      "Bus master activity detection (BM-IDE) erratum enabled\n");
++
+                       pci_dev_put(ide_dev);
+               }
+@@ -114,20 +118,17 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev)
+               if (isa_dev) {
+                       pci_read_config_byte(isa_dev, 0x76, &value1);
+                       pci_read_config_byte(isa_dev, 0x77, &value2);
+-                      if ((value1 & 0x80) || (value2 & 0x80))
++                      if ((value1 & 0x80) || (value2 & 0x80)) {
+                               errata.piix4.fdma = 1;
++                              dev_dbg(&isa_dev->dev,
++                                      "Type-F DMA livelock erratum (C3 disabled)\n");
++                      }
+                       pci_dev_put(isa_dev);
+               }
+               break;
+       }
+-      if (ide_dev)
+-              dev_dbg(&ide_dev->dev, "Bus master activity detection (BM-IDE) erratum enabled\n");
+-
+-      if (isa_dev)
+-              dev_dbg(&isa_dev->dev, "Type-F DMA livelock erratum (C3 disabled)\n");
+-
+       return 0;
+ }
+-- 
+2.51.0
+
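Review bot: The two pci_read_config_byte() calls feeding `value1`/`value2` in the second hunk are unchecked; as far as I recall the PCI config accessors fill the value with all-ones when the read fails, so a failed read would set bit 7, enable the Type-F DMA erratum and now also print the new dev_dbg() on hardware that does not have it. This is pre-existing rather than introduced by the patch, but since the condition is being rewritten anyway it is a cheap fix: `if (!pci_read_config_byte(isa_dev, 0x76, &value1) && !pci_read_config_byte(isa_dev, 0x77, &value2) && ((value1 & 0x80) || (value2 & 0x80)))`. The moved dev_dbg() calls now sit before the pci_dev_put() that drops the last reference the function holds, which is the correct side of the put. The declarations of value1/value2 and the enclosing switch are outside the hunk.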
diff --git a/queue-5.15/bluetooth-hidp-fix-possible-uaf.patch b/queue-5.15/bluetooth-hidp-fix-possible-uaf.patch
new file mode 100644 (file)
index 0000000..52d3e87
--- /dev/null
@@ -0,0 +1,237 @@
+From 876f741c9b42a51437c961bd87442fb82243f439 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 10:17:47 -0500
+Subject: Bluetooth: HIDP: Fix possible UAF
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit dbf666e4fc9bdd975a61bf682b3f75cb0145eedd ]
+
+This fixes the following trace caused by not dropping l2cap_conn
+reference when user->remove callback is called:
+
+[   97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
+[   97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   97.809947] Call Trace:
+[   97.809954]  <TASK>
+[   97.809961]  dump_stack_lvl (lib/dump_stack.c:122)
+[   97.809990]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
+[   97.810017]  l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
+[   97.810055]  l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
+[   97.810086]  ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
+[   97.810117]  hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
+[   97.810148]  hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
+[   97.810180]  ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
+[   97.810212]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810242]  ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
+[   97.810267]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810290]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
+[   97.810320]  hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
+[   97.810346]  vhci_release (drivers/bluetooth/hci_vhci.c:691)
+[   97.810375]  ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
+[   97.810404]  __fput (fs/file_table.c:470)
+[   97.810430]  task_work_run (kernel/task_work.c:235)
+[   97.810451]  ? __pfx_task_work_run (kernel/task_work.c:201)
+[   97.810472]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810495]  ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
+[   97.810527]  do_exit (kernel/exit.c:972)
+[   97.810547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810574]  ? __pfx_do_exit (kernel/exit.c:897)
+[   97.810594]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
+[   97.810616]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810639]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
+[   97.810664]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810688]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   97.810721]  do_group_exit (kernel/exit.c:1093)
+[   97.810745]  get_signal (kernel/signal.c:3007 (discriminator 1))
+[   97.810772]  ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
+[   97.810803]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810826]  ? vfs_read (fs/read_write.c:555)
+[   97.810854]  ? __pfx_get_signal (kernel/signal.c:2800)
+[   97.810880]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810905]  ? __pfx_vfs_read (fs/read_write.c:555)
+[   97.810932]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810960]  arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
+[   97.810990]  ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
+[   97.811021]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811055]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811078]  ? ksys_read (fs/read_write.c:707)
+[   97.811106]  ? __pfx_ksys_read (fs/read_write.c:707)
+[   97.811137]  exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
+[   97.811169]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
+[   97.811192]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811215]  ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
+[   97.811240]  do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
+[   97.811268]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811292]  ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
+[   97.811318]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+[   97.811338] RIP: 0033:0x445cfe
+[   97.811352] Code: Unable to access opcode bytes at 0x445cd4.
+
+Code starting with the faulting instruction
+===========================================
+[   97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
+[   97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe
+[   97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004
+[   97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000
+[   97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8
+[   97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0
+[   97.811453]  </TASK>
+[   98.402453] ==================================================================
+[   98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430
+[   98.405361]
+[   98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   98.405600] Call Trace:
+[   98.405607]  <TASK>
+[   98.405614]  dump_stack_lvl (lib/dump_stack.c:122)
+[   98.405641]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
+[   98.405667]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.405691]  ? __virt_addr_valid (arch/x86/mm/physaddr.c:55)
+[   98.405724]  ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405748]  kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
+[   98.405778]  ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405807]  __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405832]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
+[   98.405859]  ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.405888]  ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
+[   98.405915]  ? __pfx___mutex_lock (kernel/locking/mutex.c:775)
+[   98.405939]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.405963]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
+[   98.405984]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.406015]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406038]  ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875)
+[   98.406061]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406085]  ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194)
+[   98.406107]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406130]  ? __timer_delete_sync (kernel/time/timer.c:1592)
+[   98.406158]  ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.406186]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406210]  l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.406263]  hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305)
+[   98.406293]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.406323]  ? kthread (kernel/kthread.c:433)
+[   98.406340]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.406370]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406393]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.406424]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.406453]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406476]  ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
+[   98.406499]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406523]  ? kthread (kernel/kthread.c:433)
+[   98.406539]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406565]  ? kthread (kernel/kthread.c:433)
+[   98.406581]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.406610]  kthread (kernel/kthread.c:467)
+[   98.406627]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.406645]  ret_from_fork (arch/x86/kernel/process.c:164)
+[   98.406674]  ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
+[   98.406704]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406728]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.406747]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
+[   98.406774]  </TASK>
+[   98.406780]
+[   98.433693] The buggy address belongs to the physical page:
+[   98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4
+[   98.435557] flags: 0x200000000000000(node=0|zone=2)
+[   98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000
+[   98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000
+[   98.438115] page dumped because: kasan: bad access detected
+[   98.438951]
+[   98.439211] Memory state around the buggy address:
+[   98.439871]  ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   98.440714]  ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.442458]                                   ^
+[   98.443011]  ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.443889]  ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.444768] ==================================================================
+[   98.445719] Disabling lock debugging due to kernel taint
+[   98.448074] l2cap_conn_free: freeing conn ffff88810c22b400
+[   98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G    B               7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   98.450040] Tainted: [B]=BAD_PAGE
+[   98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   98.450059] Call Trace:
+[   98.450065]  <TASK>
+[   98.450071]  dump_stack_lvl (lib/dump_stack.c:122)
+[   98.450099]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
+[   98.450125]  l2cap_conn_put (net/bluetooth/l2cap_core.c:1822)
+[   98.450154]  session_free (net/bluetooth/hidp/core.c:990)
+[   98.450181]  hidp_session_thread (net/bluetooth/hidp/core.c:1307)
+[   98.450213]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.450271]  ? kthread (kernel/kthread.c:433)
+[   98.450293]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.450339]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450368]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.450406]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.450442]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450471]  ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
+[   98.450499]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450528]  ? kthread (kernel/kthread.c:433)
+[   98.450547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450578]  ? kthread (kernel/kthread.c:433)
+[   98.450598]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.450637]  kthread (kernel/kthread.c:467)
+[   98.450657]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.450680]  ret_from_fork (arch/x86/kernel/process.c:164)
+[   98.450715]  ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
+[   98.450752]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450782]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.450804]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
+[   98.450836]  </TASK>
+
+Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers")
+Reported-by: soufiane el hachmi <kilwa10@gmail.com>
+Tested-by: soufiane el hachmi <kilwa10@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hidp/core.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index 8ff45fb6f7007..968c02903ab49 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -987,7 +987,8 @@ static void session_free(struct kref *ref)
+       skb_queue_purge(&session->intr_transmit);
+       fput(session->intr_sock->file);
+       fput(session->ctrl_sock->file);
+-      l2cap_conn_put(session->conn);
++      if (session->conn)
++              l2cap_conn_put(session->conn);
+       kfree(session);
+ }
+@@ -1165,6 +1166,15 @@ static void hidp_session_remove(struct l2cap_conn *conn,
+       down_write(&hidp_session_sem);
++      /* Drop L2CAP reference immediately to indicate that
++       * l2cap_unregister_user() shall not be called as it is already
++       * considered removed.
++       */
++      if (session->conn) {
++              l2cap_conn_put(session->conn);
++              session->conn = NULL;
++      }
++
+       hidp_session_terminate(session);
+       cancel_work_sync(&session->dev_init);
+@@ -1302,7 +1312,9 @@ static int hidp_session_thread(void *arg)
+        * Instead, this call has the same semantics as if user-space tried to
+        * delete the session.
+        */
+-      l2cap_unregister_user(session->conn, &session->user);
++      if (session->conn)
++              l2cap_unregister_user(session->conn, &session->user);
++
+       hidp_session_put(session);
+       module_put_and_kthread_exit(0);
+-- 
+2.51.0
+
diff --git a/queue-5.15/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch b/queue-5.15/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
new file mode 100644 (file)
index 0000000..fcdef09
--- /dev/null
@@ -0,0 +1,55 @@
+From 5564dd59f533d3f73bbe3df99733f734f70441c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:25 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit e1d9a66889867c232657a9b6f25d451d7c3ab96f ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"If the SDU length field value exceeds the receiver's MTU, the receiver
+shall disconnect the channel..."
+
+This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P
+0x0027 -V le_public -I 100').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 740b5468f6dc8..601a4d9e4cdde 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -7629,8 +7629,10 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+               return -ENOBUFS;
+       }
+-      if (chan->imtu < skb->len) {
+-              BT_ERR("Too big LE L2CAP PDU");
++      if (skb->len > chan->imtu) {
++              BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len,
++                     chan->imtu);
++              l2cap_send_disconn_req(chan, ECONNRESET);
+               return -ENOBUFS;
+       }
+@@ -7655,7 +7657,9 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+                      sdu_len, skb->len, chan->imtu);
+               if (sdu_len > chan->imtu) {
+-                      BT_ERR("Too big LE L2CAP SDU length received");
++                      BT_ERR("Too big LE L2CAP SDU length: len %u > %u",
++                             skb->len, sdu_len);
++                      l2cap_send_disconn_req(chan, ECONNRESET);
+                       err = -EMSGSIZE;
+                       goto failed;
+               }
+-- 
+2.51.0
+
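Review bot: The second BT_ERR's arguments do not match the condition it reports on: the check is `sdu_len > chan->imtu`, yet the message prints `skb->len, sdu_len`, so the logged "len %u > %u" pair will look contradictory when the path is hit. The line should read `BT_ERR("Too big LE L2CAP SDU length: len %u > %u", sdu_len, chan->imtu);` to mirror the first hunk's `skb->len, chan->imtu` pattern. Sending a disconnect request on an oversized PDU/SDU is the spec-mandated reaction quoted in the commit message, so the new `l2cap_send_disconn_req(chan, ECONNRESET)` calls themselves look right. l2cap_ecred_data_rcv begins and ends outside these hunks.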
diff --git a/queue-5.15/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch b/queue-5.15/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
new file mode 100644 (file)
index 0000000..5c10fcb
--- /dev/null
@@ -0,0 +1,39 @@
+From d440c8d7d5eba69e87419acd7b91e0557de8fd0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:27 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit b6a2bf43aa37670432843bc73ae2a6288ba4d6f8 ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"... If the sum of the payload sizes for the K-frames exceeds the
+specified SDU length, the receiver shall disconnect the channel."
+
+This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
+0x0027 -V le_public').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 601a4d9e4cdde..5010c200b2c41 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -7695,6 +7695,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+       if (chan->sdu->len + skb->len > chan->sdu_len) {
+               BT_ERR("Too much LE L2CAP data received");
++              l2cap_send_disconn_req(chan, ECONNRESET);
+               err = -EINVAL;
+               goto failed;
+       }
+-- 
+2.51.0
+
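Review bot: The error message on the line above the new disconnect call carries no lengths, unlike the sibling patch in this series which now logs the offending sizes, so a reassembly overflow from a peer is harder to diagnose from the log than the other two disconnect cases. Suggest `BT_ERR("Too much LE L2CAP data received: %u + %u > %u", chan->sdu->len, skb->len, chan->sdu_len);` for consistency. The rest of l2cap_ecred_data_rcv, including the `failed:` label, is outside the hunk.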
diff --git a/queue-5.15/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch b/queue-5.15/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch
new file mode 100644 (file)
index 0000000..14235c5
--- /dev/null
@@ -0,0 +1,46 @@
+From 3004bb7ec05c78062ae6188917b76d2e4ab9af18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 01:02:57 +0200
+Subject: Bluetooth: qca: fix ROM version reading on WCN3998 chips
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit 99b2c531e0e797119ae1b9195a8764ee98b00e65 ]
+
+WCN3998 uses a bit different format for rom version:
+
+[    5.479978] Bluetooth: hci0: setting up wcn399x
+[    5.633763] Bluetooth: hci0: QCA Product ID   :0x0000000a
+[    5.645350] Bluetooth: hci0: QCA SOC Version  :0x40010224
+[    5.650906] Bluetooth: hci0: QCA ROM Version  :0x00001001
+[    5.665173] Bluetooth: hci0: QCA Patch Version:0x00006699
+[    5.679356] Bluetooth: hci0: QCA controller version 0x02241001
+[    5.691109] Bluetooth: hci0: QCA Downloading qca/crbtfw21.tlv
+[    6.680102] Bluetooth: hci0: QCA Downloading qca/crnv21.bin
+[    6.842948] Bluetooth: hci0: QCA setup on UART is completed
+
+Fixes: 523760b7ff88 ("Bluetooth: hci_qca: Added support for WCN3998")
+Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btqca.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index 78244d53dbe0f..25e98ce4a5af9 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -677,6 +677,8 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+        */
+       if (soc_type == QCA_WCN3988)
+               rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f);
++      else if (soc_type == QCA_WCN3998)
++              rom_ver = ((soc_ver & 0x0000f000) >> 0x07) | (soc_ver & 0x0000000f);
+       else
+               rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f);
+-- 
+2.51.0
+
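Review bot: The new WCN3998 branch uses a shift of `0x07`, which is not nibble-aligned and so the field from bits 15:12 lands at bits 8:5 of rom_ver; nothing in the code says why, and the explanatory comment above the hunk (whose start is outside it) appears to cover the WCN3988 case only. The commit message does let a reader check the arithmetic: with controller version 0x02241001 the expression yields 0x21, matching the crbtfw21.tlv download logged afterwards. A one-line comment on the new branch would save the next reader that derivation, e.g. `/* WCN3998: ROM version field is bits 15:12 of soc_ver; 0x02241001 -> rom_ver 0x21 (crbtfw21.tlv) */`. The existing hex-literal shift style (`0x05`, `0x04`) is kept, which is consistent with the surrounding code.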
diff --git a/queue-5.15/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch b/queue-5.15/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
new file mode 100644 (file)
index 0000000..e89b23b
--- /dev/null
@@ -0,0 +1,36 @@
+From 9656bce0b7a9a22393ff745ab4cd0deb3ea9e050 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:28 +0100
+Subject: Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit 0e4d4dcc1a6e82cc6f9abf32193558efa7e1613d ]
+
+The last test step ("Test with Invalid public key X and Y, all set to
+0") expects to get an "DHKEY check failed" instead of "unspecified".
+
+Fixes: 6d19628f539f ("Bluetooth: SMP: Fail if remote and local public keys are identical")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index d1ba41153b66a..1621c24aebf88 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2737,7 +2737,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
+       if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
+           !crypto_memneq(key, smp->local_pk, 64)) {
+               bt_dev_err(hdev, "Remote and local public keys are identical");
+-              return SMP_UNSPECIFIED;
++              return SMP_DHKEY_CHECK_FAILED;
+       }
+       memcpy(smp->remote_pk, key, 64);
+-- 
+2.51.0
+
diff --git a/queue-5.15/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch b/queue-5.15/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch
new file mode 100644 (file)
index 0000000..256f409
--- /dev/null
@@ -0,0 +1,38 @@
+From b4df6b88cad204631b07b77d5ea64d5c672265f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 08:33:21 +0800
+Subject: btrfs: tree-checker: fix misleading root drop_level error message
+
+From: ZhengYuan Huang <gality369@gmail.com>
+
+[ Upstream commit fc1cd1f18c34f91e78362f9629ab9fd43b9dcab9 ]
+
+Fix tree-checker error message to report "invalid root drop_level"
+instead of the misleading "invalid root level".
+
+Fixes: 259ee7754b67 ("btrfs: tree-checker: Add ROOT_ITEM check")
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-checker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
+index 86042c1f89f0b..b0afa47032104 100644
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -1183,7 +1183,7 @@ static int check_root_item(struct extent_buffer *leaf, struct btrfs_key *key,
+       }
+       if (unlikely(btrfs_root_drop_level(&ri) >= BTRFS_MAX_LEVEL)) {
+               generic_err(leaf, slot,
+-                          "invalid root level, have %u expect [0, %u]",
++                          "invalid root drop_level, have %u expect [0, %u]",
+                           btrfs_root_drop_level(&ri), BTRFS_MAX_LEVEL - 1);
+               return -EUCLEAN;
+       }
+-- 
+2.51.0
+
diff --git a/queue-5.15/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch b/queue-5.15/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch
new file mode 100644 (file)
index 0000000..a6e39d9
--- /dev/null
@@ -0,0 +1,58 @@
+From 6710d1ce574000293941adf93e42ca1c6993ef77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 21:08:19 +0800
+Subject: firmware: arm_scpi: Fix device_node reference leak in probe path
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit 879c001afbac3df94160334fe5117c0c83b2cf48 ]
+
+A device_node reference obtained from the device tree is not released
+on all error paths in the arm_scpi probe path. Specifically, a node
+returned by of_parse_phandle() could be leaked when the probe failed
+after the node was acquired. The probe function returns early and
+the shmem reference is not released.
+
+Use __free(device_node) scope-based cleanup to automatically release
+the reference when the variable goes out of scope.
+
+Fixes: ed7ecb883901 ("firmware: arm_scpi: Add compatibility checks for shmem node")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Message-Id: <20260121-arm_scpi_2-v2-1-702d7fa84acb@gmail.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scpi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c
+index 3de25e9d18ef8..2d85e783ae267 100644
+--- a/drivers/firmware/arm_scpi.c
++++ b/drivers/firmware/arm_scpi.c
+@@ -18,6 +18,7 @@
+ #include <linux/bitmap.h>
+ #include <linux/bitfield.h>
++#include <linux/cleanup.h>
+ #include <linux/device.h>
+ #include <linux/err.h>
+ #include <linux/export.h>
+@@ -945,13 +946,13 @@ static int scpi_probe(struct platform_device *pdev)
+               int idx = scpi_drvinfo->num_chans;
+               struct scpi_chan *pchan = scpi_drvinfo->channels + idx;
+               struct mbox_client *cl = &pchan->cl;
+-              struct device_node *shmem = of_parse_phandle(np, "shmem", idx);
++              struct device_node *shmem __free(device_node) =
++                      of_parse_phandle(np, "shmem", idx);
+               if (!of_match_node(shmem_of_match, shmem))
+                       return -ENXIO;
+               ret = of_address_to_resource(shmem, 0, &res);
+-              of_node_put(shmem);
+               if (ret) {
+                       dev_err(dev, "failed to get SCPI payload mem resource\n");
+                       return ret;
+-- 
+2.51.0
+
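Review bot: This is queued for 5.15, but the new code depends on `<linux/cleanup.h>` and a `device_node` cleanup class for `__free()`, both of which were added to the kernel well after 5.15; unless that tree has received backports of the cleanup infrastructure and the `DEFINE_FREE(device_node, ...)` definition, this will not build. If it has not, the conventional stable-friendly form of the same fix is to keep `of_node_put(shmem);` and add it before the early `return -ENXIO;` rather than switching to scope-based cleanup. Behaviourally the scoped variant also extends the reference's lifetime from the `of_address_to_resource()` call to the end of the enclosing loop body, which is harmless but worth being aware of. scpi_probe's loop header and the remainder of its body are outside the hunk.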
diff --git a/queue-5.15/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch b/queue-5.15/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
new file mode 100644 (file)
index 0000000..e3c343e
--- /dev/null
@@ -0,0 +1,68 @@
+From c6c4165954193e4ecd3e7daf6cc23d3b90cb10c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 21:06:01 +0800
+Subject: icmp: fix NULL pointer dereference in icmp_tag_validation()
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit 614aefe56af8e13331e50220c936fc0689cf5675 ]
+
+icmp_tag_validation() unconditionally dereferences the result of
+rcu_dereference(inet_protos[proto]) without checking for NULL.
+The inet_protos[] array is sparse -- only about 15 of 256 protocol
+numbers have registered handlers. When ip_no_pmtu_disc is set to 3
+(hardened PMTU mode) and the kernel receives an ICMP Fragmentation
+Needed error with a quoted inner IP header containing an unregistered
+protocol number, the NULL dereference causes a kernel panic in
+softirq context.
+
+ Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
+ KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+ RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
+ Call Trace:
+  <IRQ>
+  icmp_rcv (net/ipv4/icmp.c:1527)
+  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
+  ip_local_deliver_finish (net/ipv4/ip_input.c:242)
+  ip_local_deliver (net/ipv4/ip_input.c:262)
+  ip_rcv (net/ipv4/ip_input.c:573)
+  __netif_receive_skb_one_core (net/core/dev.c:6164)
+  process_backlog (net/core/dev.c:6628)
+  handle_softirqs (kernel/softirq.c:561)
+  </IRQ>
+
+Add a NULL check before accessing icmp_strict_tag_validation. If the
+protocol has no registered handler, return false since it cannot
+perform strict tag validation.
+
+Fixes: 8ed1dc44d3e9 ("ipv4: introduce hardened ip_no_pmtu_disc mode")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Link: https://patch.msgid.link/20260318130558.1050247-4-bestswngs@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 8a70e51654264..0215e2510670a 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -845,10 +845,12 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info)
+ static bool icmp_tag_validation(int proto)
+ {
++      const struct net_protocol *ipprot;
+       bool ok;
+       rcu_read_lock();
+-      ok = rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation;
++      ipprot = rcu_dereference(inet_protos[proto]);
++      ok = ipprot ? ipprot->icmp_strict_tag_validation : false;
+       rcu_read_unlock();
+       return ok;
+ }
+-- 
+2.51.0
+
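Review bot: The reason a NULL entry is possible is explained only in the commit message; the code itself gives no hint that `inet_protos[]` is sparse, so a future reader may be tempted to drop the check. Suggest a comment on the new dereference, `/* inet_protos[] is sparse: proto comes from a quoted inner header and may have no handler */`. As a matter of style, `ok = ipprot && ipprot->icmp_strict_tag_validation;` reads the same as the ternary and avoids spelling out `false`. The change correctly keeps the lookup and the field read inside the rcu_read_lock/unlock pair.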
diff --git a/queue-5.15/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch b/queue-5.15/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch
new file mode 100644 (file)
index 0000000..dc34f61
--- /dev/null
@@ -0,0 +1,45 @@
+From 2655eb95645c5e359b538b5346c4d2fba30b0c69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Feb 2026 19:46:32 +0000
+Subject: igc: fix missing update of skb->tail in igc_xmit_frame()
+
+From: Kohei Enju <kohei@enjuk.jp>
+
+[ Upstream commit 0ffba246652faf4a36aedc66059c2f94e4c83ea5 ]
+
+igc_xmit_frame() misses updating skb->tail when the packet size is
+shorter than the minimum one.
+Use skb_put_padto() in alignment with other Intel Ethernet drivers.
+
+Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers")
+Signed-off-by: Kohei Enju <kohei@enjuk.jp>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 6a9ad4231b0c2..d2825170c1e1d 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -1666,11 +1666,8 @@ static netdev_tx_t igc_xmit_frame(struct sk_buff *skb,
+       /* The minimum packet size with TCTL.PSP set is 17 so pad the skb
+        * in order to meet this minimum size requirement.
+        */
+-      if (skb->len < 17) {
+-              if (skb_padto(skb, 17))
+-                      return NETDEV_TX_OK;
+-              skb->len = 17;
+-      }
++      if (skb_put_padto(skb, 17))
++              return NETDEV_TX_OK;
+       return igc_xmit_frame_ring(skb, igc_tx_queue_mapping(adapter, skb));
+ }
+-- 
+2.51.0
+
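Review bot: Returning `NETDEV_TX_OK` after a failed `skb_put_padto()` is correct only because that helper consumes the skb on failure, and that ownership rule is not stated anywhere near the call now that the explicit `skb->len` handling is gone. A why-comment would help the next reader who sees an error path that neither frees nor returns busy, e.g. `/* skb_put_padto() frees the skb on failure, so there is nothing left to drop */`. The comment above still states the 17-byte minimum, so the literal in the call is at least documented. igc_xmit_frame's start is outside the hunk.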
diff --git a/queue-5.15/net-bcmgenet-increase-wol-poll-timeout.patch b/queue-5.15/net-bcmgenet-increase-wol-poll-timeout.patch
new file mode 100644 (file)
index 0000000..8436f4b
--- /dev/null
@@ -0,0 +1,38 @@
+From 8a7e5de7d06275778907ba6588c7ac708fc10425 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 12:18:52 -0700
+Subject: net: bcmgenet: increase WoL poll timeout
+
+From: Justin Chen <justin.chen@broadcom.com>
+
+[ Upstream commit 6cfc3bc02b977f2fba5f7268e6504d1931a774f7 ]
+
+Some systems require more than 5ms to get into WoL mode. Increase the
+timeout value to 50ms.
+
+Fixes: c51de7f3976b ("net: bcmgenet: add Wake-on-LAN support code")
+Signed-off-by: Justin Chen <justin.chen@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20260312191852.3904571-1-justin.chen@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+index 38d41028e98a0..a1126368f9ed7 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+@@ -101,7 +101,7 @@ static int bcmgenet_poll_wol_status(struct bcmgenet_priv *priv)
+       while (!(bcmgenet_rbuf_readl(priv, RBUF_STATUS)
+               & RBUF_STATUS_WOL)) {
+               retries++;
+-              if (retries > 5) {
++              if (retries > 50) {
+                       netdev_crit(dev, "polling wol mode timeout\n");
+                       return -ETIMEDOUT;
+               }
+-- 
+2.51.0
+
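Review bot: The retry bound goes from 5 to 50 with no unit in the code; the commit message equates the old bound with 5 ms, which implies a 1 ms wait per iteration, but that delay sits outside the hunk and the literal alone does not convey it. Suggest documenting the intent at the compare, `/* up to ~50 ms: some systems need more than 5 ms to enter WoL mode */`, or lifting the bound into a named constant next to the loop's delay so the two stay in step. The loop body that follows the timeout check is outside the hunk.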
diff --git a/queue-5.15/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch b/queue-5.15/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
new file mode 100644 (file)
index 0000000..19c22cd
--- /dev/null
@@ -0,0 +1,87 @@
+From 8f7939aa583660bc7fe3a65b758f3be35fb0d5b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 17:50:34 -0700
+Subject: net: bonding: fix NULL deref in bond_debug_rlb_hash_show
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit 605b52497bf89b3b154674deb135da98f916e390 ]
+
+rlb_clear_slave intentionally keeps RLB hash-table entries on
+the rx_hashtbl_used_head list with slave set to NULL when no
+replacement slave is available. However, bond_debug_rlb_hash_show
+visites client_info->slave without checking if it's NULL.
+
+Other used-list iterators in bond_alb.c already handle this NULL-slave
+state safely:
+
+- rlb_update_client returns early on !client_info->slave
+- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance
+compare slave values before visiting
+- lb_req_update_subnet_clients continues if slave is NULL
+
+The following NULL deref crash can be trigger in
+bond_debug_rlb_hash_show:
+
+[    1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[    1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)
+[    1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286
+[    1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204
+[    1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078
+[    1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000
+[    1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0
+[    1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8
+[    1.294864] FS:  0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000
+[    1.295239] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[    1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0
+[    1.295897] Call Trace:
+[    1.296134]  seq_read_iter (fs/seq_file.c:231)
+[    1.296341]  seq_read (fs/seq_file.c:164)
+[    1.296493]  full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))
+[    1.296658]  vfs_read (fs/read_write.c:572)
+[    1.296981]  ksys_read (fs/read_write.c:717)
+[    1.297132]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+[    1.297325]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+Add a NULL check and print "(none)" for entries with no assigned slave.
+
+Fixes: caafa84251b88 ("bonding: add the debugfs interface to see RLB hash table")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260317005034.1888794-1-xmei5@asu.edu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_debugfs.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_debugfs.c b/drivers/net/bonding/bond_debugfs.c
+index 5940945266489..624bf1f745266 100644
+--- a/drivers/net/bonding/bond_debugfs.c
++++ b/drivers/net/bonding/bond_debugfs.c
+@@ -34,11 +34,17 @@ static int bond_debug_rlb_hash_show(struct seq_file *m, void *v)
+       for (; hash_index != RLB_NULL_INDEX;
+            hash_index = client_info->used_next) {
+               client_info = &(bond_info->rx_hashtbl[hash_index]);
+-              seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n",
+-                      &client_info->ip_src,
+-                      &client_info->ip_dst,
+-                      &client_info->mac_dst,
+-                      client_info->slave->dev->name);
++              if (client_info->slave)
++                      seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n",
++                                 &client_info->ip_src,
++                                 &client_info->ip_dst,
++                                 &client_info->mac_dst,
++                                 client_info->slave->dev->name);
++              else
++                      seq_printf(m, "%-15pI4 %-15pI4 %-17pM (none)\n",
++                                 &client_info->ip_src,
++                                 &client_info->ip_dst,
++                                 &client_info->mac_dst);
+       }
+       spin_unlock_bh(&bond->mode_lock);
+-- 
+2.51.0
+
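Review bot: The two seq_printf() branches repeat the same format and three address arguments, differing only in the last column; that duplication invites the two lines to drift apart. Computing the name once keeps a single call: `const char *name = client_info->slave ? client_info->slave->dev->name : "(none)";` followed by the original `seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", ..., name);`. The read of `client_info->slave` happens under `bond->mode_lock` (released by the `spin_unlock_bh` below), which is consistent with the other used-list iterators cited in the commit message. bond_debug_rlb_hash_show's beginning is outside the hunk.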
diff --git a/queue-5.15/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch b/queue-5.15/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
new file mode 100644 (file)
index 0000000..8423d60
--- /dev/null
@@ -0,0 +1,59 @@
+From af8a902676266dfd069809fe24dc394f07e78a32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 08:42:12 +0000
+Subject: net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths
+
+From: Anas Iqbal <mohd.abd.6602@gmail.com>
+
+[ Upstream commit b48731849609cbd8c53785a48976850b443153fd ]
+
+Smatch reports:
+drivers/net/dsa/bcm_sf2.c:997 bcm_sf2_sw_resume() warn:
+'priv->clk' from clk_prepare_enable() not released on lines: 983,990.
+
+The clock enabled by clk_prepare_enable() in bcm_sf2_sw_resume()
+is not released if bcm_sf2_sw_rst() or bcm_sf2_cfp_resume() fails.
+
+Add the missing clk_disable_unprepare() calls in the error paths
+to properly release the clock resource.
+
+Fixes: e9ec5c3bd238 ("net: dsa: bcm_sf2: request and handle clocks")
+Reviewed-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Anas Iqbal <mohd.abd.6602@gmail.com>
+Link: https://patch.msgid.link/20260318084212.1287-1-mohd.abd.6602@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/bcm_sf2.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
+index f259b0add5b2e..6105f4d8faf06 100644
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -962,15 +962,19 @@ static int bcm_sf2_sw_resume(struct dsa_switch *ds)
+       ret = bcm_sf2_sw_rst(priv);
+       if (ret) {
+               pr_err("%s: failed to software reset switch\n", __func__);
++              if (!priv->wol_ports_mask)
++                      clk_disable_unprepare(priv->clk);
+               return ret;
+       }
+       bcm_sf2_crossbar_setup(priv);
+       ret = bcm_sf2_cfp_resume(ds);
+-      if (ret)
++      if (ret) {
++              if (!priv->wol_ports_mask)
++                      clk_disable_unprepare(priv->clk);
+               return ret;
+-
++      }
+       if (priv->hw_params.num_gphy == 1)
+               bcm_sf2_gphy_enable_set(ds, true);
+-- 
+2.51.0
+
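Review bot: The same two-line clock release is now pasted into both error paths, and a third failing call later in the function would need a third copy; a single cleanup label is the idiomatic kernel shape for this. Both sites would become `goto err_clk;`, with the conditional `clk_disable_unprepare()` and `return ret;` living once under the label after the function's existing success return (outside the hunk). The `!priv->wol_ports_mask` guard presumably mirrors the condition under which the clock was enabled earlier in bcm_sf2_sw_resume; that enable is outside the hunk, so I could not confirm the two agree.

```c
	ret = bcm_sf2_sw_rst(priv);
	if (ret) {
		pr_err("%s: failed to software reset switch\n", __func__);
		goto err_clk;
	}

	bcm_sf2_crossbar_setup(priv);

	ret = bcm_sf2_cfp_resume(ds);
	if (ret)
		goto err_clk;

	/* … unchanged: rest of bcm_sf2_sw_resume up to and including its success return … */

err_clk:
	if (!priv->wol_ports_mask)
		clk_disable_unprepare(priv->clk);
	return ret;
```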
diff --git a/queue-5.15/net-macb-fix-uninitialized-rx_fs_lock.patch b/queue-5.15/net-macb-fix-uninitialized-rx_fs_lock.patch
new file mode 100644 (file)
index 0000000..dfe12a9
--- /dev/null
@@ -0,0 +1,78 @@
+From fe80ca35a81f25571b5beb49004894dc230e6b90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 13:38:25 +0300
+Subject: net: macb: fix uninitialized rx_fs_lock
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 34b11cc56e4369bc08b1f4c4a04222d75ed596ce ]
+
+If hardware doesn't support RX Flow Filters, rx_fs_lock spinlock is not
+initialized leading to the following assertion splat triggerable via
+set_rxnfc callback.
+
+INFO: trying to register non-static key.
+The code is fine but needs lockdep annotation, or maybe
+you didn't initialize this object before use?
+turning off the locking correctness validator.
+CPU: 1 PID: 949 Comm: syz.0.6 Not tainted 6.1.164+ #113
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106
+ assign_lock_key kernel/locking/lockdep.c:974 [inline]
+ register_lock_class+0x141b/0x17f0 kernel/locking/lockdep.c:1287
+ __lock_acquire+0x74f/0x6c40 kernel/locking/lockdep.c:4928
+ lock_acquire kernel/locking/lockdep.c:5662 [inline]
+ lock_acquire+0x190/0x4b0 kernel/locking/lockdep.c:5627
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+ _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:162
+ gem_del_flow_filter drivers/net/ethernet/cadence/macb_main.c:3562 [inline]
+ gem_set_rxnfc+0x533/0xac0 drivers/net/ethernet/cadence/macb_main.c:3667
+ ethtool_set_rxnfc+0x18c/0x280 net/ethtool/ioctl.c:961
+ __dev_ethtool net/ethtool/ioctl.c:2956 [inline]
+ dev_ethtool+0x229c/0x6290 net/ethtool/ioctl.c:3095
+ dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510
+ sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215
+ sock_ioctl+0x577/0x6d0 net/socket.c:1320
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856
+ do_syscall_x64 arch/x86/entry/common.c:46 [inline]
+ do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+A more straightforward solution would be to always initialize rx_fs_lock,
+just like rx_fs_list.  However, in this case the driver set_rxnfc callback
+would return with a rather confusing error code, e.g. -EINVAL.  So deny
+set_rxnfc attempts directly if the RX filtering feature is not supported
+by hardware.
+
+Fixes: ae8223de3df5 ("net: macb: Added support for RX filtering")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Link: https://patch.msgid.link/20260316103826.74506-2-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index d4a4d72460a42..6a3e9082bda8c 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -3572,6 +3572,9 @@ static int gem_set_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd)
+       struct macb *bp = netdev_priv(netdev);
+       int ret;
++      if (!(netdev->hw_features & NETIF_F_NTUPLE))
++              return -EOPNOTSUPP;
++
+       switch (cmd->cmd) {
+       case ETHTOOL_SRXCLSRLINS:
+               if ((cmd->fs.location >= bp->max_tuples)
+-- 
+2.51.0
+
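Review bot: The guard added before the switch in gem_set_rxnfc() rejects the set path, but rx_fs_lock itself is still left uninitialized on hardware without RX flow filters, so any other path that takes the lock — the commit message names gem_del_flow_filter() as the splat site, and get-side or teardown code would hit the same lockdep splat if it ever locks — remains exposed. A cheap belt-and-braces complement is to initialize the lock unconditionally next to rx_fs_list at probe, `spin_lock_init(&bp->rx_fs_lock);`, while keeping -EOPNOTSUPP as the user-visible behaviour; hedged, since the probe-side setup is outside this hunk. A one-line comment on the new check would also record why hw_features is tested rather than bp->max_tuples, e.g. `/* No RX flow filtering (and no rx_fs_lock) unless NETIF_F_NTUPLE was advertised at probe. */`. gem_set_rxnfc() continues past the end of the hunk.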
diff --git a/queue-5.15/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch b/queue-5.15/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch
new file mode 100644 (file)
index 0000000..c7d644d
--- /dev/null
@@ -0,0 +1,67 @@
+From 4fb4b68c1342009e5842511dcef70778473bad48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 12:22:04 -0700
+Subject: net: mana: fix use-after-free in mana_hwc_destroy_channel() by
+ reordering teardown
+
+From: Dipayaan Roy <dipayanroy@linux.microsoft.com>
+
+[ Upstream commit fa103fc8f56954a60699a29215cb713448a39e87 ]
+
+A potential race condition exists in mana_hwc_destroy_channel() where
+hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and
+Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt
+handler to dereference freed memory, leading to a use-after-free or
+NULL pointer dereference in mana_hwc_handle_resp().
+
+mana_smc_teardown_hwc() signals the hardware to stop but does not
+synchronize against IRQ handlers already executing on other CPUs. The
+IRQ synchronization only happens in mana_hwc_destroy_cq() via
+mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs
+after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler()
+can dereference freed caller_ctx (and rxq->msg_buf) in
+mana_hwc_handle_resp().
+
+Fix this by reordering teardown to reverse-of-creation order: destroy
+the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This
+ensures all in-flight interrupt handlers complete before the memory they
+access is freed.
+
+Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/abHA3AjNtqa1nx9k@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+index 8b027bf6ede90..efd7ae1bab43c 100644
+--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
++++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+@@ -749,9 +749,6 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
+               gc->max_num_cqs = 0;
+       }
+-      kfree(hwc->caller_ctx);
+-      hwc->caller_ctx = NULL;
+-
+       if (hwc->txq)
+               mana_hwc_destroy_wq(hwc, hwc->txq);
+@@ -761,6 +758,9 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
+       if (hwc->cq)
+               mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq);
++      kfree(hwc->caller_ctx);
++      hwc->caller_ctx = NULL;
++
+       mana_gd_free_res_map(&hwc->inflight_msg_res);
+       hwc->num_inflight_msg = 0;
+-- 
+2.51.0
+
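Review bot: The reorder still frees rxq->msg_buf before the IRQ synchronization, because `mana_hwc_destroy_wq(hwc, hwc->rxq)` runs ahead of `mana_hwc_destroy_cq()` while the commit message names rxq->msg_buf as a second object an in-flight mana_hwc_rx_event_handler() can touch. If that handler can still be executing at this point, the window the patch closes for caller_ctx stays open for msg_buf; destroying the CQ/EQ (where mana_gd_deregister_irq() runs) before the work queues, or an explicit synchronize_irq() ahead of the WQ teardown, would close it as well — hedged, since the handler's use of msg_buf is not visible here. A comment at the moved kfree, `/* CQ/EQ are gone and the IRQ is synchronized; no handler can reach caller_ctx now. */`, would document the ordering invariant the fix depends on. mana_hwc_destroy_channel() begins before the first inner hunk.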
diff --git a/queue-5.15/net-mana-improve-the-hwc-error-handling.patch b/queue-5.15/net-mana-improve-the-hwc-error-handling.patch
new file mode 100644 (file)
index 0000000..fe36c4f
--- /dev/null
@@ -0,0 +1,218 @@
+From 4bb8359550a5b871365e9f5c134df087baba07b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Oct 2021 17:54:07 -0700
+Subject: net: mana: Improve the HWC error handling
+
+From: Dexuan Cui <decui@microsoft.com>
+
+[ Upstream commit 62ea8b77ed3b7086561765df0226ebc7bb442020 ]
+
+Currently when the HWC creation fails, the error handling is flawed,
+e.g. if mana_hwc_create_channel() -> mana_hwc_establish_channel() fails,
+the resources acquired in mana_hwc_init_queues() is not released.
+
+Enhance mana_hwc_destroy_channel() to do the proper cleanup work and
+call it accordingly.
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: fa103fc8f569 ("net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/microsoft/mana/gdma_main.c   |  4 --
+ .../net/ethernet/microsoft/mana/hw_channel.c  | 71 ++++++++-----------
+ 2 files changed, 31 insertions(+), 44 deletions(-)
+
+diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c
+index 7864611f55a77..f3e90313a4487 100644
+--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c
++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c
+@@ -1336,8 +1336,6 @@ static int mana_gd_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ clean_up_gdma:
+       mana_hwc_destroy_channel(gc);
+-      vfree(gc->cq_table);
+-      gc->cq_table = NULL;
+ remove_irq:
+       mana_gd_remove_irqs(pdev);
+ unmap_bar:
+@@ -1360,8 +1358,6 @@ static void mana_gd_remove(struct pci_dev *pdev)
+       mana_remove(&gc->mana);
+       mana_hwc_destroy_channel(gc);
+-      vfree(gc->cq_table);
+-      gc->cq_table = NULL;
+       mana_gd_remove_irqs(pdev);
+diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+index 508f83c29f325..8b027bf6ede90 100644
+--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
++++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+@@ -315,9 +315,6 @@ static void mana_hwc_comp_event(void *ctx, struct gdma_queue *q_self)
+ static void mana_hwc_destroy_cq(struct gdma_context *gc, struct hwc_cq *hwc_cq)
+ {
+-      if (!hwc_cq)
+-              return;
+-
+       kfree(hwc_cq->comp_buf);
+       if (hwc_cq->gdma_cq)
+@@ -452,9 +449,6 @@ static void mana_hwc_dealloc_dma_buf(struct hw_channel_context *hwc,
+ static void mana_hwc_destroy_wq(struct hw_channel_context *hwc,
+                               struct hwc_wq *hwc_wq)
+ {
+-      if (!hwc_wq)
+-              return;
+-
+       mana_hwc_dealloc_dma_buf(hwc, hwc_wq->msg_buf);
+       if (hwc_wq->gdma_wq)
+@@ -627,6 +621,7 @@ static int mana_hwc_establish_channel(struct gdma_context *gc, u16 *q_depth,
+       *max_req_msg_size = hwc->hwc_init_max_req_msg_size;
+       *max_resp_msg_size = hwc->hwc_init_max_resp_msg_size;
++      /* Both were set in mana_hwc_init_event_handler(). */
+       if (WARN_ON(cq->id >= gc->max_num_cqs))
+               return -EPROTO;
+@@ -642,9 +637,6 @@ static int mana_hwc_establish_channel(struct gdma_context *gc, u16 *q_depth,
+ static int mana_hwc_init_queues(struct hw_channel_context *hwc, u16 q_depth,
+                               u32 max_req_msg_size, u32 max_resp_msg_size)
+ {
+-      struct hwc_wq *hwc_rxq = NULL;
+-      struct hwc_wq *hwc_txq = NULL;
+-      struct hwc_cq *hwc_cq = NULL;
+       int err;
+       err = mana_hwc_init_inflight_msg(hwc, q_depth);
+@@ -657,44 +649,32 @@ static int mana_hwc_init_queues(struct hw_channel_context *hwc, u16 q_depth,
+       err = mana_hwc_create_cq(hwc, q_depth * 2,
+                                mana_hwc_init_event_handler, hwc,
+                                mana_hwc_rx_event_handler, hwc,
+-                               mana_hwc_tx_event_handler, hwc, &hwc_cq);
++                               mana_hwc_tx_event_handler, hwc, &hwc->cq);
+       if (err) {
+               dev_err(hwc->dev, "Failed to create HWC CQ: %d\n", err);
+               goto out;
+       }
+-      hwc->cq = hwc_cq;
+       err = mana_hwc_create_wq(hwc, GDMA_RQ, q_depth, max_req_msg_size,
+-                               hwc_cq, &hwc_rxq);
++                               hwc->cq, &hwc->rxq);
+       if (err) {
+               dev_err(hwc->dev, "Failed to create HWC RQ: %d\n", err);
+               goto out;
+       }
+-      hwc->rxq = hwc_rxq;
+       err = mana_hwc_create_wq(hwc, GDMA_SQ, q_depth, max_resp_msg_size,
+-                               hwc_cq, &hwc_txq);
++                               hwc->cq, &hwc->txq);
+       if (err) {
+               dev_err(hwc->dev, "Failed to create HWC SQ: %d\n", err);
+               goto out;
+       }
+-      hwc->txq = hwc_txq;
+       hwc->num_inflight_msg = q_depth;
+       hwc->max_req_msg_size = max_req_msg_size;
+       return 0;
+ out:
+-      if (hwc_txq)
+-              mana_hwc_destroy_wq(hwc, hwc_txq);
+-
+-      if (hwc_rxq)
+-              mana_hwc_destroy_wq(hwc, hwc_rxq);
+-
+-      if (hwc_cq)
+-              mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc_cq);
+-
+-      mana_gd_free_res_map(&hwc->inflight_msg_res);
++      /* mana_hwc_create_channel() will do the cleanup.*/
+       return err;
+ }
+@@ -722,6 +702,9 @@ int mana_hwc_create_channel(struct gdma_context *gc)
+       gd->pdid = INVALID_PDID;
+       gd->doorbell = INVALID_DOORBELL;
++      /* mana_hwc_init_queues() only creates the required data structures,
++       * and doesn't touch the HWC device.
++       */
+       err = mana_hwc_init_queues(hwc, HW_CHANNEL_VF_BOOTSTRAP_QUEUE_DEPTH,
+                                  HW_CHANNEL_MAX_REQUEST_SIZE,
+                                  HW_CHANNEL_MAX_RESPONSE_SIZE);
+@@ -747,42 +730,50 @@ int mana_hwc_create_channel(struct gdma_context *gc)
+       return 0;
+ out:
+-      kfree(hwc);
++      mana_hwc_destroy_channel(gc);
+       return err;
+ }
+ void mana_hwc_destroy_channel(struct gdma_context *gc)
+ {
+       struct hw_channel_context *hwc = gc->hwc.driver_data;
+-      struct hwc_caller_ctx *ctx;
+-      mana_smc_teardown_hwc(&gc->shm_channel, false);
++      if (!hwc)
++              return;
++
++      /* gc->max_num_cqs is set in mana_hwc_init_event_handler(). If it's
++       * non-zero, the HWC worked and we should tear down the HWC here.
++       */
++      if (gc->max_num_cqs > 0) {
++              mana_smc_teardown_hwc(&gc->shm_channel, false);
++              gc->max_num_cqs = 0;
++      }
+-      ctx = hwc->caller_ctx;
+-      kfree(ctx);
++      kfree(hwc->caller_ctx);
+       hwc->caller_ctx = NULL;
+-      mana_hwc_destroy_wq(hwc, hwc->txq);
+-      hwc->txq = NULL;
++      if (hwc->txq)
++              mana_hwc_destroy_wq(hwc, hwc->txq);
+-      mana_hwc_destroy_wq(hwc, hwc->rxq);
+-      hwc->rxq = NULL;
++      if (hwc->rxq)
++              mana_hwc_destroy_wq(hwc, hwc->rxq);
+-      mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq);
+-      hwc->cq = NULL;
++      if (hwc->cq)
++              mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq);
+       mana_gd_free_res_map(&hwc->inflight_msg_res);
+       hwc->num_inflight_msg = 0;
+-      if (hwc->gdma_dev->pdid != INVALID_PDID) {
+-              hwc->gdma_dev->doorbell = INVALID_DOORBELL;
+-              hwc->gdma_dev->pdid = INVALID_PDID;
+-      }
++      hwc->gdma_dev->doorbell = INVALID_DOORBELL;
++      hwc->gdma_dev->pdid = INVALID_PDID;
+       kfree(hwc);
+       gc->hwc.driver_data = NULL;
+       gc->hwc.gdma_context = NULL;
++
++      vfree(gc->cq_table);
++      gc->cq_table = NULL;
+ }
+ int mana_hwc_send_request(struct hw_channel_context *hwc, u32 req_len,
+-- 
+2.51.0
+
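Review bot: Dropping the NULL guards from mana_hwc_destroy_cq() and mana_hwc_destroy_wq() while mana_hwc_init_queues() now writes straight into hwc->cq/rxq/txq makes teardown depend on an invariant the hunk does not state: mana_hwc_create_cq()/mana_hwc_create_wq() must leave their out-pointer NULL on failure, otherwise `if (hwc->cq)` in mana_hwc_destroy_channel() would tear down a half-built queue. If those helpers can assign the pointer before their last failure point, clearing it in their error path is required; either way the `out:` comment should spell this out, e.g. `/* Partially created queues stay in hwc->cq/rxq/txq; mana_hwc_create_channel() tears them down via mana_hwc_destroy_channel(), which tolerates NULL entries. */` — hedged, as create_cq/create_wq are outside the hunk. The same reliance on hwc being zero-allocated (cq/rxq/txq NULL before init_queues) deserves a note where hwc is allocated, which is also outside the visible hunks.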
diff --git a/queue-5.15/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch b/queue-5.15/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch
new file mode 100644 (file)
index 0000000..c269bd5
--- /dev/null
@@ -0,0 +1,86 @@
+From 205bbb646b912174e892fb0d67d864fdc03e4d50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 12:31:01 -0700
+Subject: net: mvpp2: guard flow control update with global_tx_fc in buffer
+ switching
+
+From: Muhammad Hammad Ijaz <mhijaz@amazon.com>
+
+[ Upstream commit 8a63baadf08453f66eb582fdb6dd234f72024723 ]
+
+mvpp2_bm_switch_buffers() unconditionally calls
+mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and
+shared buffer pool modes. This function programs CM3 flow control
+registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference
+priv->cm3_base without any NULL check.
+
+When the CM3 SRAM resource is not present in the device tree (the
+third reg entry added by commit 60523583b07c ("dts: marvell: add CM3
+SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains
+NULL and priv->global_tx_fc is false. Any operation that triggers
+mvpp2_bm_switch_buffers(), for example an MTU change that crosses
+the jumbo frame threshold, will crash:
+
+  Unable to handle kernel NULL pointer dereference at
+  virtual address 0000000000000000
+  Mem abort info:
+    ESR = 0x0000000096000006
+    EC = 0x25: DABT (current EL), IL = 32 bits
+  pc : readl+0x0/0x18
+  lr : mvpp2_cm3_read.isra.0+0x14/0x20
+  Call trace:
+   readl+0x0/0x18
+   mvpp2_bm_pool_update_fc+0x40/0x12c
+   mvpp2_bm_pool_update_priv_fc+0x94/0xd8
+   mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0
+   mvpp2_change_mtu+0x140/0x380
+   __dev_set_mtu+0x1c/0x38
+   dev_set_mtu_ext+0x78/0x118
+   dev_set_mtu+0x48/0xa8
+   dev_ifsioc+0x21c/0x43c
+   dev_ioctl+0x2d8/0x42c
+   sock_ioctl+0x314/0x378
+
+Every other flow control call site in the driver already guards
+hardware access with either priv->global_tx_fc or port->tx_fc.
+mvpp2_bm_switch_buffers() is the only place that omits this check.
+
+Add the missing priv->global_tx_fc guard to both the disable and
+re-enable calls in mvpp2_bm_switch_buffers(), consistent with the
+rest of the driver.
+
+Fixes: 3a616b92a9d1 ("net: mvpp2: Add TX flow control support for jumbo frames")
+Signed-off-by: Muhammad Hammad Ijaz <mhijaz@amazon.com>
+Reviewed-by: Gunnar Kudrjavets <gunnarku@amazon.com>
+Link: https://patch.msgid.link/20260316193157.65748-1-mhijaz@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index 7fa880e62d096..fdfdd55fdb1dc 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -5006,7 +5006,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+       if (priv->percpu_pools)
+               numbufs = port->nrxqs * 2;
+-      if (change_percpu)
++      if (change_percpu && priv->global_tx_fc)
+               mvpp2_bm_pool_update_priv_fc(priv, false);
+       for (i = 0; i < numbufs; i++)
+@@ -5023,7 +5023,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+                       mvpp2_open(port->dev);
+       }
+-      if (change_percpu)
++      if (change_percpu && priv->global_tx_fc)
+               mvpp2_bm_pool_update_priv_fc(priv, true);
+       return 0;
+-- 
+2.51.0
+
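Review bot: The guard is added at the two call sites in mvpp2_bm_switch_buffers(), but mvpp2_bm_pool_update_priv_fc() itself still reaches mvpp2_cm3_read()/mvpp2_cm3_write() with no check of priv->cm3_base, so the next caller repeats this crash. Moving the check into the callee — `if (!priv->global_tx_fc) return;` at the top of mvpp2_bm_pool_update_priv_fc(), or a `WARN_ON_ONCE(!priv->cm3_base)` in the cm3 accessors — enforces the invariant once rather than at every call site; since the commit message says the other call sites already guard, those guards could then go too. A short comment on the guarded calls, `/* CM3 flow-control registers exist only when the CM3 SRAM was mapped (global_tx_fc). */`, records why the condition is needed. mvpp2_bm_switch_buffers() starts before the first inner hunk and continues past the second.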
diff --git a/queue-5.15/net-rose-fix-null-pointer-dereference-in-rose_transm.patch b/queue-5.15/net-rose-fix-null-pointer-dereference-in-rose_transm.patch
new file mode 100644 (file)
index 0000000..0cfb878
--- /dev/null
@@ -0,0 +1,64 @@
+From 8ae3768eb82b9dd205873dfef648ad8a03d7dad5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 15:06:02 +0800
+Subject: net/rose: fix NULL pointer dereference in rose_transmit_link on
+ reconnect
+
+From: Jiayuan Chen <jiayuan.chen@shopee.com>
+
+[ Upstream commit e1f0a18c9564cdb16523c802e2c6fe5874e3d944 ]
+
+syzkaller reported a bug [1], and the reproducer is available at [2].
+
+ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN,
+TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects
+calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING
+(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT.
+
+When rose_connect() is called a second time while the first connection
+attempt is still in progress (TCP_SYN_SENT), it overwrites
+rose->neighbour via rose_get_neigh(). If that returns NULL, the socket
+is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL.
+When the socket is subsequently closed, rose_release() sees
+ROSE_STATE_1 and calls rose_write_internal() ->
+rose_transmit_link(skb, NULL), causing a NULL pointer dereference.
+
+Per connect(2), a second connect() while a connection is already in
+progress should return -EALREADY. Add this missing check for
+TCP_SYN_SENT to complete the state validation in rose_connect().
+
+[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271
+[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+d00f90e0af54102fb271@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0027.GAE@google.com/T/
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260311070611.76913-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 04173c85d92b5..0130c13f73552 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -808,6 +808,11 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
+               goto out_release;
+       }
++      if (sk->sk_state == TCP_SYN_SENT) {
++              err = -EALREADY;
++              goto out_release;
++      }
++
+       sk->sk_state   = TCP_CLOSE;
+       sock->state = SS_UNCONNECTED;
+-- 
+2.51.0
+
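Review bot: The -EALREADY check closes the re-entrant connect() path, but the state that actually crashes — rose->state == ROSE_STATE_1 with rose->neighbour == NULL — would be reachable again if any other path resets rose->neighbour via a rose_get_neigh() that returns NULL, and rose_release() would then once more call rose_transmit_link(skb, NULL). A defensive NULL check where the neighbour is consumed (rose_transmit_link() or the ROSE_STATE_1 branch of rose_release()) costs nothing and would turn a future variant into a dropped frame instead of an oops; hedged, as those functions are outside this hunk. A comment above the new check, `/* connect() already in progress: connect(2) mandates -EALREADY, and re-running rose_get_neigh() would clobber rose->neighbour. */`, ties the check to the crash it prevents. rose_connect() begins before the hunk and continues after it.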
diff --git a/queue-5.15/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch b/queue-5.15/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch
new file mode 100644 (file)
index 0000000..5767752
--- /dev/null
@@ -0,0 +1,208 @@
+From 4fd19b8be0a7428168905bbcbbee0773b27229b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 17:29:07 +0800
+Subject: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
+
+From: Jiayuan Chen <jiayuan.chen@shopee.com>
+
+[ Upstream commit 6d5e4538364b9ceb1ac2941a4deb86650afb3538 ]
+
+Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].
+
+smc_tcp_syn_recv_sock() is called in the TCP receive path
+(softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP
+listening socket). It reads sk_user_data to get the smc_sock
+pointer. However, when the SMC listen socket is being closed
+concurrently, smc_close_active() sets clcsock->sk_user_data
+to NULL under sk_callback_lock, and then the smc_sock itself
+can be freed via sock_put() in smc_release().
+
+This leads to two issues:
+
+1) NULL pointer dereference: sk_user_data is NULL when
+   accessed.
+2) Use-after-free: sk_user_data is read as non-NULL, but the
+   smc_sock is freed before its fields (e.g., queued_smc_hs,
+   ori_af_ops) are accessed.
+
+The race window looks like this (the syzkaller crash [1]
+triggers via the SYN cookie path: tcp_get_cookie_sock() ->
+smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path
+has the same race):
+
+  CPU A (softirq)              CPU B (process ctx)
+
+  tcp_v4_rcv()
+    TCP_NEW_SYN_RECV:
+    sk = req->rsk_listener
+    sock_hold(sk)
+    /* No lock on listener */
+                               smc_close_active():
+                                 write_lock_bh(cb_lock)
+                                 sk_user_data = NULL
+                                 write_unlock_bh(cb_lock)
+                                 ...
+                                 smc_clcsock_release()
+                                 sock_put(smc->sk) x2
+                                   -> smc_sock freed!
+    tcp_check_req()
+      smc_tcp_syn_recv_sock():
+        smc = user_data(sk)
+          -> NULL or dangling
+        smc->queued_smc_hs
+          -> crash!
+
+Note that the clcsock and smc_sock are two independent objects
+with separate refcounts. TCP stack holds a reference on the
+clcsock, which keeps it alive, but this does NOT prevent the
+smc_sock from being freed.
+
+Fix this by using RCU and refcount_inc_not_zero() to safely
+access smc_sock. Since smc_tcp_syn_recv_sock() is called in
+the TCP three-way handshake path, taking read_lock_bh on
+sk_callback_lock is too heavy and would not survive a SYN
+flood attack. Using rcu_read_lock() is much more lightweight.
+
+- Set SOCK_RCU_FREE on the SMC listen socket so that
+  smc_sock freeing is deferred until after the RCU grace
+  period. This guarantees the memory is still valid when
+  accessed inside rcu_read_lock().
+- Use rcu_read_lock() to protect reading sk_user_data.
+- Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the
+  smc_sock. If the refcount has already reached zero (close
+  path completed), it returns false and we bail out safely.
+
+Note: smc_hs_congested() has a similar lockless read of
+sk_user_data without rcu_read_lock(), but it only checks for
+NULL and accesses the global smc_hs_wq, never dereferencing
+any smc_sock field, so it is not affected.
+
+Reproducer was verified with mdelay injection and smc_run,
+the issue no longer occurs with this patch applied.
+
+[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9
+
+Fixes: 8270d9c21041 ("net/smc: Limit backlog connections")
+Reported-by: syzbot+827ae2bfb3a3529333e9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67eaf9b8.050a0220.3c3d88.004a.GAE@google.com/T/
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Link: https://patch.msgid.link/20260312092909.48325-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c    | 23 +++++++++++++++++------
+ net/smc/smc.h       |  5 +++++
+ net/smc/smc_close.c |  2 +-
+ 3 files changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index ea1a185327629..5425c46a2e7c7 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -81,7 +81,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
+       struct smc_sock *smc;
+       struct sock *child;
+-      smc = smc_clcsock_user_data(sk);
++      rcu_read_lock();
++      smc = smc_clcsock_user_data_rcu(sk);
++      if (!smc || !refcount_inc_not_zero(&smc->sk.sk_refcnt)) {
++              rcu_read_unlock();
++              smc = NULL;
++              goto drop;
++      }
++      rcu_read_unlock();
+       if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
+                               sk->sk_max_ack_backlog)
+@@ -103,11 +110,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
+               if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
+                       inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
+       }
++      sock_put(&smc->sk);
+       return child;
+ drop:
+       dst_release(dst);
+       tcp_listendrop(sk);
++      if (smc)
++              sock_put(&smc->sk);
+       return NULL;
+ }
+@@ -175,7 +185,7 @@ static void smc_fback_restore_callbacks(struct smc_sock *smc)
+       struct sock *clcsk = smc->clcsock->sk;
+       write_lock_bh(&clcsk->sk_callback_lock);
+-      clcsk->sk_user_data = NULL;
++      rcu_assign_sk_user_data(clcsk, NULL);
+       smc_clcsock_restore_cb(&clcsk->sk_state_change, &smc->clcsk_state_change);
+       smc_clcsock_restore_cb(&clcsk->sk_data_ready, &smc->clcsk_data_ready);
+@@ -726,7 +736,7 @@ static void smc_fback_replace_callbacks(struct smc_sock *smc)
+       struct sock *clcsk = smc->clcsock->sk;
+       write_lock_bh(&clcsk->sk_callback_lock);
+-      clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
++      __rcu_assign_sk_user_data_with_flags(clcsk, smc, SK_USER_DATA_NOCOPY);
+       smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change,
+                              &smc->clcsk_state_change);
+@@ -2168,8 +2178,8 @@ static int smc_listen(struct socket *sock, int backlog)
+        * smc-specific sk_data_ready function
+        */
+       write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+-      smc->clcsock->sk->sk_user_data =
+-              (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
++      __rcu_assign_sk_user_data_with_flags(smc->clcsock->sk, smc,
++                                           SK_USER_DATA_NOCOPY);
+       smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready,
+                              smc_clcsock_data_ready, &smc->clcsk_data_ready);
+       write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+@@ -2187,10 +2197,11 @@ static int smc_listen(struct socket *sock, int backlog)
+               write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+               smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+                                      &smc->clcsk_data_ready);
+-              smc->clcsock->sk->sk_user_data = NULL;
++              rcu_assign_sk_user_data(smc->clcsock->sk, NULL);
+               write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+               goto out;
+       }
++      sock_set_flag(sk, SOCK_RCU_FREE);
+       sk->sk_max_ack_backlog = backlog;
+       sk->sk_ack_backlog = 0;
+       sk->sk_state = SMC_LISTEN;
+diff --git a/net/smc/smc.h b/net/smc/smc.h
+index 268dc975249f8..6455371430a3c 100644
+--- a/net/smc/smc.h
++++ b/net/smc/smc.h
+@@ -283,6 +283,11 @@ static inline struct smc_sock *smc_clcsock_user_data(const struct sock *clcsk)
+              ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY);
+ }
++static inline struct smc_sock *smc_clcsock_user_data_rcu(const struct sock *clcsk)
++{
++      return (struct smc_sock *)rcu_dereference_sk_user_data(clcsk);
++}
++
+ /* save target_cb in saved_cb, and replace target_cb with new_cb */
+ static inline void smc_clcsock_replace_cb(void (**target_cb)(struct sock *),
+                                         void (*new_cb)(struct sock *),
+diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
+index 313ef522dfab4..e156039ff1e50 100644
+--- a/net/smc/smc_close.c
++++ b/net/smc/smc_close.c
+@@ -215,7 +215,7 @@ int smc_close_active(struct smc_sock *smc)
+                       write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+                       smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+                                              &smc->clcsk_data_ready);
+-                      smc->clcsock->sk->sk_user_data = NULL;
++                      rcu_assign_sk_user_data(smc->clcsock->sk, NULL);
+                       write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+                       rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
+               }
+-- 
+2.51.0
+
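Review bot: The backport relies on `__rcu_assign_sk_user_data_with_flags()` (af_smc.c hunks in smc_fback_replace_callbacks() and smc_listen()) and on rcu_dereference_sk_user_data() stripping the SK_USER_DATA_NOCOPY bit inside the new smc_clcsock_user_data_rcu(); both are newer sock.h helpers than the `rcu_assign_sk_user_data_nocopy()` era, so the 5.15.y tree should be checked for them — hedged, since the header is not part of this diff. If the flags variant is absent there, `rcu_assign_sk_user_data_nocopy(clcsk, smc)` is the equivalent call at those two sites. The new helper would also benefit from a contract comment, e.g. `/* Caller holds rcu_read_lock(); the returned smc_sock is only pinned once refcount_inc_not_zero(&smc->sk.sk_refcnt) succeeds (see smc_tcp_syn_recv_sock()). */`. smc_tcp_syn_recv_sock() begins before the first hunk.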
diff --git a/queue-5.15/net-smc-fix-slab-out-of-bounds-issue-in-fallback.patch b/queue-5.15/net-smc-fix-slab-out-of-bounds-issue-in-fallback.patch
new file mode 100644 (file)
index 0000000..7a6187f
--- /dev/null
@@ -0,0 +1,220 @@
+From 75c0a11c2e1221cd473307f007a5be31e55dd490 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Apr 2022 15:56:19 +0800
+Subject: net/smc: Fix slab-out-of-bounds issue in fallback
+
+From: Wen Gu <guwen@linux.alibaba.com>
+
+[ Upstream commit 0558226cebee256aa3f8ec0cc5a800a10bf120a6 ]
+
+syzbot reported a slab-out-of-bounds/use-after-free issue,
+which was caused by accessing an already freed smc sock in
+fallback-specific callback functions of clcsock.
+
+This patch fixes the issue by restoring fallback-specific
+callback functions to original ones and resetting clcsock
+sk_user_data to NULL before freeing smc sock.
+
+Meanwhile, this patch introduces sk_callback_lock to make
+the access and assignment to sk_user_data mutually exclusive.
+
+Reported-by: syzbot+b425899ed22c6943e00b@syzkaller.appspotmail.com
+Fixes: 341adeec9ada ("net/smc: Forward wakeup to smc socket waitqueue after fallback")
+Link: https://lore.kernel.org/r/00000000000013ca8105d7ae3ada@google.com/
+Signed-off-by: Wen Gu <guwen@linux.alibaba.com>
+Acked-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 6d5e4538364b ("net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c    | 80 ++++++++++++++++++++++++++++++++-------------
+ net/smc/smc_close.c |  2 ++
+ 2 files changed, 59 insertions(+), 23 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 5c6759d2e271d..ea1a185327629 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -170,11 +170,27 @@ struct proto smc_proto6 = {
+ };
+ EXPORT_SYMBOL_GPL(smc_proto6);
++static void smc_fback_restore_callbacks(struct smc_sock *smc)
++{
++      struct sock *clcsk = smc->clcsock->sk;
++
++      write_lock_bh(&clcsk->sk_callback_lock);
++      clcsk->sk_user_data = NULL;
++
++      smc_clcsock_restore_cb(&clcsk->sk_state_change, &smc->clcsk_state_change);
++      smc_clcsock_restore_cb(&clcsk->sk_data_ready, &smc->clcsk_data_ready);
++      smc_clcsock_restore_cb(&clcsk->sk_write_space, &smc->clcsk_write_space);
++      smc_clcsock_restore_cb(&clcsk->sk_error_report, &smc->clcsk_error_report);
++
++      write_unlock_bh(&clcsk->sk_callback_lock);
++}
++
+ static void smc_restore_fallback_changes(struct smc_sock *smc)
+ {
+       if (smc->clcsock->file) { /* non-accepted sockets have no file yet */
+               smc->clcsock->file->private_data = smc->sk.sk_socket;
+               smc->clcsock->file = NULL;
++              smc_fback_restore_callbacks(smc);
+       }
+ }
+@@ -659,48 +675,57 @@ static void smc_fback_forward_wakeup(struct smc_sock *smc, struct sock *clcsk,
+ static void smc_fback_state_change(struct sock *clcsk)
+ {
+-      struct smc_sock *smc =
+-              smc_clcsock_user_data(clcsk);
++      struct smc_sock *smc;
+-      if (!smc)
+-              return;
+-      smc_fback_forward_wakeup(smc, clcsk, smc->clcsk_state_change);
++      read_lock_bh(&clcsk->sk_callback_lock);
++      smc = smc_clcsock_user_data(clcsk);
++      if (smc)
++              smc_fback_forward_wakeup(smc, clcsk,
++                                       smc->clcsk_state_change);
++      read_unlock_bh(&clcsk->sk_callback_lock);
+ }
+ static void smc_fback_data_ready(struct sock *clcsk)
+ {
+-      struct smc_sock *smc =
+-              smc_clcsock_user_data(clcsk);
++      struct smc_sock *smc;
+-      if (!smc)
+-              return;
+-      smc_fback_forward_wakeup(smc, clcsk, smc->clcsk_data_ready);
++      read_lock_bh(&clcsk->sk_callback_lock);
++      smc = smc_clcsock_user_data(clcsk);
++      if (smc)
++              smc_fback_forward_wakeup(smc, clcsk,
++                                       smc->clcsk_data_ready);
++      read_unlock_bh(&clcsk->sk_callback_lock);
+ }
+ static void smc_fback_write_space(struct sock *clcsk)
+ {
+-      struct smc_sock *smc =
+-              smc_clcsock_user_data(clcsk);
++      struct smc_sock *smc;
+-      if (!smc)
+-              return;
+-      smc_fback_forward_wakeup(smc, clcsk, smc->clcsk_write_space);
++      read_lock_bh(&clcsk->sk_callback_lock);
++      smc = smc_clcsock_user_data(clcsk);
++      if (smc)
++              smc_fback_forward_wakeup(smc, clcsk,
++                                       smc->clcsk_write_space);
++      read_unlock_bh(&clcsk->sk_callback_lock);
+ }
+ static void smc_fback_error_report(struct sock *clcsk)
+ {
+-      struct smc_sock *smc =
+-              smc_clcsock_user_data(clcsk);
++      struct smc_sock *smc;
+-      if (!smc)
+-              return;
+-      smc_fback_forward_wakeup(smc, clcsk, smc->clcsk_error_report);
++      read_lock_bh(&clcsk->sk_callback_lock);
++      smc = smc_clcsock_user_data(clcsk);
++      if (smc)
++              smc_fback_forward_wakeup(smc, clcsk,
++                                       smc->clcsk_error_report);
++      read_unlock_bh(&clcsk->sk_callback_lock);
+ }
+ static void smc_fback_replace_callbacks(struct smc_sock *smc)
+ {
+       struct sock *clcsk = smc->clcsock->sk;
++      write_lock_bh(&clcsk->sk_callback_lock);
+       clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
+       smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change,
+@@ -711,6 +736,8 @@ static void smc_fback_replace_callbacks(struct smc_sock *smc)
+                              &smc->clcsk_write_space);
+       smc_clcsock_replace_cb(&clcsk->sk_error_report, smc_fback_error_report,
+                              &smc->clcsk_error_report);
++
++      write_unlock_bh(&clcsk->sk_callback_lock);
+ }
+ static int smc_switch_to_fallback(struct smc_sock *smc, int reason_code)
+@@ -2095,17 +2122,20 @@ static void smc_tcp_listen_work(struct work_struct *work)
+ static void smc_clcsock_data_ready(struct sock *listen_clcsock)
+ {
+-      struct smc_sock *lsmc =
+-              smc_clcsock_user_data(listen_clcsock);
++      struct smc_sock *lsmc;
++      read_lock_bh(&listen_clcsock->sk_callback_lock);
++      lsmc = smc_clcsock_user_data(listen_clcsock);
+       if (!lsmc)
+-              return;
++              goto out;
+       lsmc->clcsk_data_ready(listen_clcsock);
+       if (lsmc->sk.sk_state == SMC_LISTEN) {
+               sock_hold(&lsmc->sk); /* sock_put in smc_tcp_listen_work() */
+               if (!queue_work(smc_hs_wq, &lsmc->tcp_listen_work))
+                       sock_put(&lsmc->sk);
+       }
++out:
++      read_unlock_bh(&listen_clcsock->sk_callback_lock);
+ }
+ static int smc_listen(struct socket *sock, int backlog)
+@@ -2137,10 +2167,12 @@ static int smc_listen(struct socket *sock, int backlog)
+       /* save original sk_data_ready function and establish
+        * smc-specific sk_data_ready function
+        */
++      write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+       smc->clcsock->sk->sk_user_data =
+               (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
+       smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready,
+                              smc_clcsock_data_ready, &smc->clcsk_data_ready);
++      write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+       /* save original ops */
+       smc->ori_af_ops = inet_csk(smc->clcsock->sk)->icsk_af_ops;
+@@ -2152,9 +2184,11 @@ static int smc_listen(struct socket *sock, int backlog)
+       rc = kernel_listen(smc->clcsock, backlog);
+       if (rc) {
++              write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+               smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+                                      &smc->clcsk_data_ready);
+               smc->clcsock->sk->sk_user_data = NULL;
++              write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+               goto out;
+       }
+       sk->sk_max_ack_backlog = backlog;
+diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
+index 42f9a7cf9e671..313ef522dfab4 100644
+--- a/net/smc/smc_close.c
++++ b/net/smc/smc_close.c
+@@ -212,9 +212,11 @@ int smc_close_active(struct smc_sock *smc)
+               sk->sk_state = SMC_CLOSED;
+               sk->sk_state_change(sk); /* wake up accept */
+               if (smc->clcsock && smc->clcsock->sk) {
++                      write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+                       smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+                                              &smc->clcsk_data_ready);
+                       smc->clcsock->sk->sk_user_data = NULL;
++                      write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+                       rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
+               }
+               smc_close_cleanup_listen(sk);
+-- 
+2.51.0
+
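Review bot: smc_listen() and smc_close_active() now each open-code the same sequence — take sk_callback_lock, replace or restore sk_data_ready, set sk_user_data, drop the lock — that smc_fback_replace_callbacks() and smc_fback_restore_callbacks() encapsulate for the fallback path, so the locking rule for sk_user_data lives in five places. A helper pair for the listen path, mirroring the fallback ones, would keep that rule in one place and make the next change to it a one-liner. smc_fback_restore_callbacks() also has no header comment; I would add `/* Undo smc_fback_replace_callbacks(): detach smc from the clcsock and restore its original callbacks, under sk_callback_lock. */` above it so the pairing is explicit.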
diff --git a/queue-5.15/net-smc-only-save-the-original-clcsock-callback-func.patch b/queue-5.15/net-smc-only-save-the-original-clcsock-callback-func.patch
new file mode 100644 (file)
index 0000000..e52a3ad
--- /dev/null
@@ -0,0 +1,204 @@
+From 92ab40790670bfea6f2a706127b4bb697beb4275 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Apr 2022 15:56:18 +0800
+Subject: net/smc: Only save the original clcsock callback functions
+
+From: Wen Gu <guwen@linux.alibaba.com>
+
+[ Upstream commit 97b9af7a70936e331170c79040cc9bf20071b566 ]
+
+Both listen and fallback process will save the current clcsock
+callback functions and establish new ones. But if both of them
+happen, the saved callback functions will be overwritten.
+
+So this patch introduces some helpers to ensure that only save
+the original callback functions of clcsock.
+
+Fixes: 341adeec9ada ("net/smc: Forward wakeup to smc socket waitqueue after fallback")
+Signed-off-by: Wen Gu <guwen@linux.alibaba.com>
+Acked-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 6d5e4538364b ("net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c    | 55 +++++++++++++++++++++++++++++----------------
+ net/smc/smc.h       | 29 ++++++++++++++++++++++++
+ net/smc/smc_close.c |  3 ++-
+ 3 files changed, 67 insertions(+), 20 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 2a642dfbc94a1..5c6759d2e271d 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -300,6 +300,7 @@ static struct sock *smc_sock_alloc(struct net *net, struct socket *sock,
+       sk->sk_prot->hash(sk);
+       sk_refcnt_debug_inc(sk);
+       mutex_init(&smc->clcsock_release_lock);
++      smc_init_saved_callbacks(smc);
+       return sk;
+ }
+@@ -696,9 +697,24 @@ static void smc_fback_error_report(struct sock *clcsk)
+       smc_fback_forward_wakeup(smc, clcsk, smc->clcsk_error_report);
+ }
++static void smc_fback_replace_callbacks(struct smc_sock *smc)
++{
++      struct sock *clcsk = smc->clcsock->sk;
++
++      clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
++
++      smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change,
++                             &smc->clcsk_state_change);
++      smc_clcsock_replace_cb(&clcsk->sk_data_ready, smc_fback_data_ready,
++                             &smc->clcsk_data_ready);
++      smc_clcsock_replace_cb(&clcsk->sk_write_space, smc_fback_write_space,
++                             &smc->clcsk_write_space);
++      smc_clcsock_replace_cb(&clcsk->sk_error_report, smc_fback_error_report,
++                             &smc->clcsk_error_report);
++}
++
+ static int smc_switch_to_fallback(struct smc_sock *smc, int reason_code)
+ {
+-      struct sock *clcsk;
+       int rc = 0;
+       mutex_lock(&smc->clcsock_release_lock);
+@@ -706,10 +722,7 @@ static int smc_switch_to_fallback(struct smc_sock *smc, int reason_code)
+               rc = -EBADF;
+               goto out;
+       }
+-      clcsk = smc->clcsock->sk;
+-      if (smc->use_fallback)
+-              goto out;
+       smc->use_fallback = true;
+       smc->fallback_rsn = reason_code;
+       smc_stat_fallback(smc);
+@@ -723,18 +736,7 @@ static int smc_switch_to_fallback(struct smc_sock *smc, int reason_code)
+                * in smc sk->sk_wq and they should be woken up
+                * as clcsock's wait queue is woken up.
+                */
+-              smc->clcsk_state_change = clcsk->sk_state_change;
+-              smc->clcsk_data_ready = clcsk->sk_data_ready;
+-              smc->clcsk_write_space = clcsk->sk_write_space;
+-              smc->clcsk_error_report = clcsk->sk_error_report;
+-
+-              clcsk->sk_state_change = smc_fback_state_change;
+-              clcsk->sk_data_ready = smc_fback_data_ready;
+-              clcsk->sk_write_space = smc_fback_write_space;
+-              clcsk->sk_error_report = smc_fback_error_report;
+-
+-              smc->clcsock->sk->sk_user_data =
+-                      (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
++              smc_fback_replace_callbacks(smc);
+       }
+ out:
+       mutex_unlock(&smc->clcsock_release_lock);
+@@ -1388,6 +1390,19 @@ static int smc_clcsock_accept(struct smc_sock *lsmc, struct smc_sock **new_smc)
+        * function; switch it back to the original sk_data_ready function
+        */
+       new_clcsock->sk->sk_data_ready = lsmc->clcsk_data_ready;
++
++      /* if new clcsock has also inherited the fallback-specific callback
++       * functions, switch them back to the original ones.
++       */
++      if (lsmc->use_fallback) {
++              if (lsmc->clcsk_state_change)
++                      new_clcsock->sk->sk_state_change = lsmc->clcsk_state_change;
++              if (lsmc->clcsk_write_space)
++                      new_clcsock->sk->sk_write_space = lsmc->clcsk_write_space;
++              if (lsmc->clcsk_error_report)
++                      new_clcsock->sk->sk_error_report = lsmc->clcsk_error_report;
++      }
++
+       (*new_smc)->clcsock = new_clcsock;
+ out:
+       return rc;
+@@ -2122,10 +2137,10 @@ static int smc_listen(struct socket *sock, int backlog)
+       /* save original sk_data_ready function and establish
+        * smc-specific sk_data_ready function
+        */
+-      smc->clcsk_data_ready = smc->clcsock->sk->sk_data_ready;
+-      smc->clcsock->sk->sk_data_ready = smc_clcsock_data_ready;
+       smc->clcsock->sk->sk_user_data =
+               (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
++      smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready,
++                             smc_clcsock_data_ready, &smc->clcsk_data_ready);
+       /* save original ops */
+       smc->ori_af_ops = inet_csk(smc->clcsock->sk)->icsk_af_ops;
+@@ -2137,7 +2152,9 @@ static int smc_listen(struct socket *sock, int backlog)
+       rc = kernel_listen(smc->clcsock, backlog);
+       if (rc) {
+-              smc->clcsock->sk->sk_data_ready = smc->clcsk_data_ready;
++              smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
++                                     &smc->clcsk_data_ready);
++              smc->clcsock->sk->sk_user_data = NULL;
+               goto out;
+       }
+       sk->sk_max_ack_backlog = backlog;
+diff --git a/net/smc/smc.h b/net/smc/smc.h
+index 1c00f1bba2cdb..268dc975249f8 100644
+--- a/net/smc/smc.h
++++ b/net/smc/smc.h
+@@ -269,12 +269,41 @@ static inline struct smc_sock *smc_sk(const struct sock *sk)
+       return (struct smc_sock *)sk;
+ }
++static inline void smc_init_saved_callbacks(struct smc_sock *smc)
++{
++      smc->clcsk_state_change = NULL;
++      smc->clcsk_data_ready   = NULL;
++      smc->clcsk_write_space  = NULL;
++      smc->clcsk_error_report = NULL;
++}
++
+ static inline struct smc_sock *smc_clcsock_user_data(const struct sock *clcsk)
+ {
+       return (struct smc_sock *)
+              ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY);
+ }
++/* save target_cb in saved_cb, and replace target_cb with new_cb */
++static inline void smc_clcsock_replace_cb(void (**target_cb)(struct sock *),
++                                        void (*new_cb)(struct sock *),
++                                        void (**saved_cb)(struct sock *))
++{
++      /* only save once */
++      if (!*saved_cb)
++              *saved_cb = *target_cb;
++      *target_cb = new_cb;
++}
++
++/* restore target_cb to saved_cb, and reset saved_cb to NULL */
++static inline void smc_clcsock_restore_cb(void (**target_cb)(struct sock *),
++                                        void (**saved_cb)(struct sock *))
++{
++      if (!*saved_cb)
++              return;
++      *target_cb = *saved_cb;
++      *saved_cb = NULL;
++}
++
+ extern struct workqueue_struct        *smc_hs_wq;     /* wq for handshake work */
+ extern struct workqueue_struct        *smc_close_wq;  /* wq for close work */
+diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
+index bcd3ea894555d..42f9a7cf9e671 100644
+--- a/net/smc/smc_close.c
++++ b/net/smc/smc_close.c
+@@ -212,7 +212,8 @@ int smc_close_active(struct smc_sock *smc)
+               sk->sk_state = SMC_CLOSED;
+               sk->sk_state_change(sk); /* wake up accept */
+               if (smc->clcsock && smc->clcsock->sk) {
+-                      smc->clcsock->sk->sk_data_ready = smc->clcsk_data_ready;
++                      smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
++                                             &smc->clcsk_data_ready);
+                       smc->clcsock->sk->sk_user_data = NULL;
+                       rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
+               }
+-- 
+2.51.0
+
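Review bot: In smc_clcsock_accept(), the pre-existing `new_clcsock->sk->sk_data_ready = lsmc->clcsk_data_ready;` stays unconditional while the three new assignments directly below it are each guarded with `if (lsmc->clcsk_*)`. Since smc_clcsock_restore_cb() now resets the saved pointer to NULL and smc_close_active() calls it on the listening socket, an accept that overlaps a close could copy a NULL sk_data_ready into the new clcsock; whether that window is actually reachable is not visible from this hunk. Guarding it the same way, `if (lsmc->clcsk_data_ready) new_clcsock->sk->sk_data_ready = lsmc->clcsk_data_ready;`, makes the block consistent and safe either way.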
diff --git a/queue-5.15/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch b/queue-5.15/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
new file mode 100644 (file)
index 0000000..baf5e9c
--- /dev/null
@@ -0,0 +1,69 @@
+From 297e2131710ae158d20fd34a9c623f60241d9b1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 16:16:43 +0200
+Subject: net: usb: aqc111: Do not perform PM inside suspend callback
+
+From: Nikola Z. Ivanov <zlatistiv@gmail.com>
+
+[ Upstream commit 069c8f5aebe4d5224cf62acc7d4b3486091c658a ]
+
+syzbot reports "task hung in rpm_resume"
+
+This is caused by aqc111_suspend calling
+the PM variant of its write_cmd routine.
+
+The simplified call trace looks like this:
+
+rpm_suspend()
+  usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING
+    aqc111_suspend() - called for the usb device interface
+      aqc111_write32_cmd()
+        usb_autopm_get_interface()
+          pm_runtime_resume_and_get()
+            rpm_resume() - here we call rpm_resume() on our parent
+              rpm_resume() - Here we wait for a status change that will never happen.
+
+At this point we block another task which holds
+rtnl_lock and locks up the whole networking stack.
+
+Fix this by replacing the write_cmd calls with their _nopm variants
+
+Reported-by: syzbot+48dc1e8dfc92faf1124c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=48dc1e8dfc92faf1124c
+Fixes: e58ba4544c77 ("net: usb: aqc111: Add support for wake on LAN by MAGIC packet")
+Signed-off-by: Nikola Z. Ivanov <zlatistiv@gmail.com>
+Link: https://patch.msgid.link/20260313141643.1181386-1-zlatistiv@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/aqc111.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c
+index 00aba7e1d0b95..81093c4fb8194 100644
+--- a/drivers/net/usb/aqc111.c
++++ b/drivers/net/usb/aqc111.c
+@@ -1400,14 +1400,14 @@ static int aqc111_suspend(struct usb_interface *intf, pm_message_t message)
+               aqc111_write16_cmd_nopm(dev, AQ_ACCESS_MAC,
+                                       SFR_MEDIUM_STATUS_MODE, 2, &reg16);
+-              aqc111_write_cmd(dev, AQ_WOL_CFG, 0, 0,
+-                               WOL_CFG_SIZE, &wol_cfg);
+-              aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0,
+-                                 &aqc111_data->phy_cfg);
++              aqc111_write_cmd_nopm(dev, AQ_WOL_CFG, 0, 0,
++                                    WOL_CFG_SIZE, &wol_cfg);
++              aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0,
++                                      &aqc111_data->phy_cfg);
+       } else {
+               aqc111_data->phy_cfg |= AQ_LOW_POWER;
+-              aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0,
+-                                 &aqc111_data->phy_cfg);
++              aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0,
++                                      &aqc111_data->phy_cfg);
+               /* Disable RX path */
+               aqc111_read16_cmd_nopm(dev, AQ_ACCESS_MAC,
+-- 
+2.51.0
+
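Review bot: The hunk shows only the middle of aqc111_suspend(); the diffstat (6 insertions, 6 deletions) indicates these three call sites are the whole change, but the rest of the function above and below the hunk is outside view, so it is worth confirming that no other PM-taking accessor remains on the suspend path. The return values of the `*_cmd_nopm()` writes are ignored here as they were before. A one-line comment at the top of this block, `/* suspend callback: only the _nopm accessors may be used here, the PM variants would try to resume our own parent */`, would record the constraint this commit fixes so it is not reintroduced by a later edit.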
diff --git a/queue-5.15/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch b/queue-5.15/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
new file mode 100644 (file)
index 0000000..85dfa63
--- /dev/null
@@ -0,0 +1,123 @@
+From ef5e9ae81ff0dc5ca24b396f7410374d0d91024a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Mar 2026 02:21:37 +0900
+Subject: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit 5cb81eeda909dbb2def209dd10636b51549a3f8a ]
+
+ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the
+netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the
+conntrack reference immediately after netlink_dump_start().  When the
+dump spans multiple rounds, the second recvmsg() triggers the dump
+callback which dereferences the now-freed conntrack via nfct_help(ct),
+leading to a use-after-free on ct->ext.
+
+The bug is that the netlink_dump_control has no .start or .done
+callbacks to manage the conntrack reference across dump rounds.  Other
+dump functions in the same file (e.g. ctnetlink_get_conntrack) properly
+use .start/.done callbacks for this purpose.
+
+Fix this by adding .start and .done callbacks that hold and release the
+conntrack reference for the duration of the dump, and move the
+nfct_help() call after the cb->args[0] early-return check in the dump
+callback to avoid dereferencing ct->ext unnecessarily.
+
+ BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0
+ Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133
+
+ CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY
+ Call Trace:
+  <TASK>
+  ctnetlink_exp_ct_dump_table+0x4f/0x2e0
+  netlink_dump+0x333/0x880
+  netlink_recvmsg+0x3e2/0x4b0
+  ? aa_sk_perm+0x184/0x450
+  sock_recvmsg+0xde/0xf0
+
+ Allocated by task 133:
+  kmem_cache_alloc_noprof+0x134/0x440
+  __nf_conntrack_alloc+0xa8/0x2b0
+  ctnetlink_create_conntrack+0xa1/0x900
+  ctnetlink_new_conntrack+0x3cf/0x7d0
+  nfnetlink_rcv_msg+0x48e/0x510
+  netlink_rcv_skb+0xc9/0x1f0
+  nfnetlink_rcv+0xdb/0x220
+  netlink_unicast+0x3ec/0x590
+  netlink_sendmsg+0x397/0x690
+  __sys_sendmsg+0xf4/0x180
+
+ Freed by task 0:
+  slab_free_after_rcu_debug+0xad/0x1e0
+  rcu_core+0x5c3/0x9c0
+
+Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index ba8d2c854fa89..055bff0a04da9 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3220,7 +3220,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+       struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+       struct nf_conn *ct = cb->data;
+-      struct nf_conn_help *help = nfct_help(ct);
++      struct nf_conn_help *help;
+       u_int8_t l3proto = nfmsg->nfgen_family;
+       unsigned long last_id = cb->args[1];
+       struct nf_conntrack_expect *exp;
+@@ -3228,6 +3228,10 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       if (cb->args[0])
+               return 0;
++      help = nfct_help(ct);
++      if (!help)
++              return 0;
++
+       rcu_read_lock();
+ restart:
+@@ -3257,6 +3261,24 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       return skb->len;
+ }
++static int ctnetlink_dump_exp_ct_start(struct netlink_callback *cb)
++{
++      struct nf_conn *ct = cb->data;
++
++      if (!refcount_inc_not_zero(&ct->ct_general.use))
++              return -ENOENT;
++      return 0;
++}
++
++static int ctnetlink_dump_exp_ct_done(struct netlink_callback *cb)
++{
++      struct nf_conn *ct = cb->data;
++
++      if (ct)
++              nf_ct_put(ct);
++      return 0;
++}
++
+ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+                                struct sk_buff *skb,
+                                const struct nlmsghdr *nlh,
+@@ -3272,6 +3294,8 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+       struct nf_conntrack_zone zone;
+       struct netlink_dump_control c = {
+               .dump = ctnetlink_exp_ct_dump_table,
++              .start = ctnetlink_dump_exp_ct_start,
++              .done = ctnetlink_dump_exp_ct_done,
+       };
+       err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
+-- 
+2.51.0
+
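Review bot: ctnetlink_dump_exp_ct_start() and ctnetlink_dump_exp_ct_done() carry no comment on why the reference is taken, although the contract is subtle: the caller drops its own ct reference right after netlink_dump_start(), so the .start reference is the only thing keeping cb->data valid across dump rounds. I would add `/* ctnetlink_dump_exp_ct() drops its ct reference after netlink_dump_start(); hold our own for the lifetime of the dump. */` above the start helper. The `if (ct)` in the done helper looks defensive — cb->data is set unconditionally by the caller and, as far as I recall, netlink_dump_start() does not invoke .done when .start fails — so a short comment stating that, or dropping the check, would save the reader from looking for a NULL path that does not exist.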
diff --git a/queue-5.15/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch b/queue-5.15/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch
new file mode 100644 (file)
index 0000000..1bb378a
--- /dev/null
@@ -0,0 +1,165 @@
+From 918e25cb1306166ff66f58a081b2075cffe97a60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Aug 2025 17:25:09 +0200
+Subject: netfilter: ctnetlink: remove refcounting in expectation dumpers
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 1492e3dcb2be3aa46d1963da96aa9593e4e4db5a ]
+
+Same pattern as previous patch: do not keep the expectation object
+alive via refcount, only store a cookie value and then use that
+as the skip hint for dump resumption.
+
+AFAICS this has the same issue as the one resolved in the conntrack
+dumper, when we do
+  if (!refcount_inc_not_zero(&exp->use))
+
+to increment the refcount, there is a chance that exp == last, which
+causes a double-increment of the refcount and subsequent memory leak.
+
+Fixes: cf6994c2b981 ("[NETFILTER]: nf_conntrack_netlink: sync expectation dumping with conntrack table dumping")
+Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Stable-dep-of: 5cb81eeda909 ("netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 41 ++++++++++++----------------
+ 1 file changed, 17 insertions(+), 24 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 50f7531221c38..ba8d2c854fa89 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3160,23 +3160,27 @@ ctnetlink_expect_event(unsigned int events, const struct nf_exp_event *item)
+       return 0;
+ }
+ #endif
+-static int ctnetlink_exp_done(struct netlink_callback *cb)
++
++static unsigned long ctnetlink_exp_id(const struct nf_conntrack_expect *exp)
+ {
+-      if (cb->args[1])
+-              nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
+-      return 0;
++      unsigned long id = (unsigned long)exp;
++
++      id += nf_ct_get_id(exp->master);
++      id += exp->class;
++
++      return id ? id : 1;
+ }
+ static int
+ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+       struct net *net = sock_net(skb->sk);
+-      struct nf_conntrack_expect *exp, *last;
+       struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+       u_int8_t l3proto = nfmsg->nfgen_family;
++      unsigned long last_id = cb->args[1];
++      struct nf_conntrack_expect *exp;
+       rcu_read_lock();
+-      last = (struct nf_conntrack_expect *)cb->args[1];
+       for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
+ restart:
+               hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]],
+@@ -3188,7 +3192,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+                               continue;
+                       if (cb->args[1]) {
+-                              if (exp != last)
++                              if (ctnetlink_exp_id(exp) != last_id)
+                                       continue;
+                               cb->args[1] = 0;
+                       }
+@@ -3197,9 +3201,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+                                                   cb->nlh->nlmsg_seq,
+                                                   IPCTNL_MSG_EXP_NEW,
+                                                   exp) < 0) {
+-                              if (!refcount_inc_not_zero(&exp->use))
+-                                      continue;
+-                              cb->args[1] = (unsigned long)exp;
++                              cb->args[1] = ctnetlink_exp_id(exp);
+                               goto out;
+                       }
+               }
+@@ -3210,32 +3212,30 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       }
+ out:
+       rcu_read_unlock();
+-      if (last)
+-              nf_ct_expect_put(last);
+-
+       return skb->len;
+ }
+ static int
+ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+-      struct nf_conntrack_expect *exp, *last;
+       struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+       struct nf_conn *ct = cb->data;
+       struct nf_conn_help *help = nfct_help(ct);
+       u_int8_t l3proto = nfmsg->nfgen_family;
++      unsigned long last_id = cb->args[1];
++      struct nf_conntrack_expect *exp;
+       if (cb->args[0])
+               return 0;
+       rcu_read_lock();
+-      last = (struct nf_conntrack_expect *)cb->args[1];
++
+ restart:
+       hlist_for_each_entry_rcu(exp, &help->expectations, lnode) {
+               if (l3proto && exp->tuple.src.l3num != l3proto)
+                       continue;
+               if (cb->args[1]) {
+-                      if (exp != last)
++                      if (ctnetlink_exp_id(exp) != last_id)
+                               continue;
+                       cb->args[1] = 0;
+               }
+@@ -3243,9 +3243,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+                                           cb->nlh->nlmsg_seq,
+                                           IPCTNL_MSG_EXP_NEW,
+                                           exp) < 0) {
+-                      if (!refcount_inc_not_zero(&exp->use))
+-                              continue;
+-                      cb->args[1] = (unsigned long)exp;
++                      cb->args[1] = ctnetlink_exp_id(exp);
+                       goto out;
+               }
+       }
+@@ -3256,9 +3254,6 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       cb->args[0] = 1;
+ out:
+       rcu_read_unlock();
+-      if (last)
+-              nf_ct_expect_put(last);
+-
+       return skb->len;
+ }
+@@ -3277,7 +3272,6 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+       struct nf_conntrack_zone zone;
+       struct netlink_dump_control c = {
+               .dump = ctnetlink_exp_ct_dump_table,
+-              .done = ctnetlink_exp_done,
+       };
+       err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
+@@ -3327,7 +3321,6 @@ static int ctnetlink_get_expect(struct sk_buff *skb,
+               else {
+                       struct netlink_dump_control c = {
+                               .dump = ctnetlink_exp_dump_table,
+-                              .done = ctnetlink_exp_done,
+                       };
+                       return netlink_dump_start(info->sk, skb, info->nlh, &c);
+               }
+-- 
+2.51.0
+
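Review bot: ctnetlink_exp_id() is undocumented and its result is easy to misread as a stable identifier: it is a resume cookie built from the expectation pointer, the master's conntrack id and the class, and `return id ? id : 1;` exists only because both dumpers use `cb->args[1] == 0` to mean "no resume point". I would put `/* Resume cookie for dump continuation, not a stable id; must be non-zero because cb->args[1] == 0 means "start from the beginning". */` above it. The comment should also state that if the remembered expectation is gone by the next round, the `if (ctnetlink_exp_id(exp) != last_id) continue;` test skips every remaining entry and the dump ends early rather than resuming — presumably the same behaviour the refcounted version had once last was unhashed, but now a deliberate trade-off. Minor style point: both dumpers copy cb->args[1] into last_id yet still test `cb->args[1]` for the non-zero case; testing `last_id` there reads more clearly and leaves the `cb->args[1] = 0;` reset as is.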
diff --git a/queue-5.15/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch b/queue-5.15/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
new file mode 100644 (file)
index 0000000..b77616a
--- /dev/null
@@ -0,0 +1,47 @@
+From 9d5c23b70e75480af831c2505041ffd187db5118 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 14:49:50 +0000
+Subject: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit f173d0f4c0f689173f8cdac79991043a4a89bf66 ]
+
+In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
+the packet, then decrements it by 1 to skip the protocol discriminator
+byte before passing it to DecodeH323_UserInformation(). If the encoded
+length is 0, the decrement wraps to -1, which is then passed as a
+large value to the decoder, leading to an out-of-bounds read.
+
+Add a check to ensure len is positive after the decrement.
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index c972e9488e16f..7b1497ed97d26 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
+                               break;
+                       p++;
+                       len--;
++                      if (len <= 0)
++                              break;
+                       return DecodeH323_UserInformation(buf, p, len,
+                                                         &q931->UUIE);
+               }
+-- 
+2.51.0
+
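Review bot: The new `if (len <= 0) break;` only catches the wrap if `len` is a signed type; the commit message says the decrement wraps to -1, but the declaration of `len` is outside the hunk, so the guard's correctness rests on that signedness, and if `len` were ever widened to an unsigned size type the comparison would silently stop rejecting the zero-length case. A one-line comment at the check would make that dependence visible, e.g. `/* len == 0 wrapped to -1 on the decrement above; nothing left for the UUIE decoder */`. An equivalent form that does not depend on the sign is to test before decrementing: `if (len < 2) break; p++; len--;`. DecodeQ931() starts and ends outside the hunk.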
diff --git a/queue-5.15/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch b/queue-5.15/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
new file mode 100644 (file)
index 0000000..207a350
--- /dev/null
@@ -0,0 +1,48 @@
+From 493951c3fbd82d7b7c4e492183a87ad583f0a488 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 02:29:32 +0000
+Subject: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a ]
+
+In decode_int(), the CONS case calls get_bits(bs, 2) to read a length
+value, then calls get_uint(bs, len) without checking that len bytes
+remain in the buffer. The existing boundary check only validates the
+2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()
+reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte
+slab-out-of-bounds read.
+
+Add a boundary check for len bytes after get_bits() and before
+get_uint().
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index 62aa22a078769..c972e9488e16f 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -331,6 +331,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f,
+               if (nf_h323_error_boundary(bs, 0, 2))
+                       return H323_ERROR_BOUND;
+               len = get_bits(bs, 2) + 1;
++              if (nf_h323_error_boundary(bs, len, 0))
++                      return H323_ERROR_BOUND;
+               BYTE_ALIGN(bs);
+               if (base && (f->attr & DECODE)) {       /* timeToLive */
+                       unsigned int v = get_uint(bs, len) + f->lb;
+-- 
+2.51.0
+
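Review bot: The new boundary check for `len` bytes is placed before `BYTE_ALIGN(bs)`, so whether it also covers the partial byte the alignment skips depends on how nf_h323_error_boundary() rounds a non-zero bit offset; that helper is not in the hunk, so this is worth confirming rather than assuming (if it rounds the current bit position up to the next byte, the check is exact). A short comment would record the intent, e.g. `/* get_uint() below consumes len bytes from the aligned position */`. decode_int() starts and ends outside the hunk.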
diff --git a/queue-5.15/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch b/queue-5.15/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
new file mode 100644 (file)
index 0000000..39e8b8d
--- /dev/null
@@ -0,0 +1,66 @@
+From b6cbb542b4dc425bbb551add51a480fbb031d7c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Mar 2026 21:49:01 +0000
+Subject: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in
+ sip_help_tcp()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lukas Johannes Möller <research@johannes-moeller.dev>
+
+[ Upstream commit fbce58e719a17aa215c724473fd5baaa4a8dc57c ]
+
+sip_help_tcp() parses the SIP Content-Length header with
+simple_strtoul(), which returns unsigned long, but stores the result in
+unsigned int clen.  On 64-bit systems, values exceeding UINT_MAX are
+silently truncated before computing the SIP message boundary.
+
+For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,
+causing the parser to miscalculate where the current message ends.  The
+loop then treats trailing data in the TCP segment as a second SIP
+message and processes it through the SDP parser.
+
+Fix this by changing clen to unsigned long to match the return type of
+simple_strtoul(), and reject Content-Length values that exceed the
+remaining TCP payload length.
+
+Fixes: f5b321bd37fb ("netfilter: nf_conntrack_sip: add TCP support")
+Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_sip.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
+index 751df19fe0f8a..5db17768ec2ad 100644
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -1529,11 +1529,12 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
+ {
+       struct tcphdr *th, _tcph;
+       unsigned int dataoff, datalen;
+-      unsigned int matchoff, matchlen, clen;
++      unsigned int matchoff, matchlen;
+       unsigned int msglen, origlen;
+       const char *dptr, *end;
+       s16 diff, tdiff = 0;
+       int ret = NF_ACCEPT;
++      unsigned long clen;
+       bool term;
+       if (ctinfo != IP_CT_ESTABLISHED &&
+@@ -1568,6 +1569,9 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
+               if (dptr + matchoff == end)
+                       break;
++              if (clen > datalen)
++                      break;
++
+               term = false;
+               for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
+                       if (end[0] == '\r' && end[1] == '\n' &&
+-- 
+2.51.0
+
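Review bot: The added `if (clen > datalen) break;` compares Content-Length against the whole TCP payload rather than the bytes remaining after the header block that ends at `end`, so a value between the remaining length and `datalen` still passes this check; whether that is harmless depends on the existing message-length handling later in sip_help_tcp(), which is outside the hunk. A one-line comment would state what this early check is meant to catch, e.g. `/* a Content-Length larger than the whole segment can never be valid */`. The type change to `unsigned long clen` is what actually fixes the truncation, and the comparison against the `unsigned int` `datalen` promotes cleanly. sip_help_tcp() continues outside the hunk.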
diff --git a/queue-5.15/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch b/queue-5.15/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch
new file mode 100644 (file)
index 0000000..4fbda84
--- /dev/null
@@ -0,0 +1,114 @@
+From 38c53a42fcdf1c2fcf70e31a69a8d9d25b067095 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Oct 2025 18:22:16 +0200
+Subject: netfilter: nft_ct: add seqadj extension for natted connections
+
+From: Andrii Melnychenko <a.melnychenko@vyos.io>
+
+[ Upstream commit 90918e3b6404c2a37837b8f11692471b4c512de2 ]
+
+Sequence adjustment may be required for FTP traffic with PASV/EPSV modes.
+due to need to re-write packet payload (IP, port) on the ftp control
+connection. This can require changes to the TCP length and expected
+seq / ack_seq.
+
+The easiest way to reproduce this issue is with PASV mode.
+Example ruleset:
+table inet ftp_nat {
+        ct helper ftp_helper {
+                type "ftp" protocol tcp
+                l3proto inet
+        }
+
+        chain prerouting {
+                type filter hook prerouting priority 0; policy accept;
+                tcp dport 21 ct state new ct helper set "ftp_helper"
+        }
+}
+table ip nat {
+        chain prerouting {
+                type nat hook prerouting priority -100; policy accept;
+                tcp dport 21 dnat ip prefix to ip daddr map {
+                       192.168.100.1 : 192.168.13.2/32 }
+        }
+
+        chain postrouting {
+                type nat hook postrouting priority 100 ; policy accept;
+                tcp sport 21 snat ip prefix to ip saddr map {
+                       192.168.13.2 : 192.168.100.1/32 }
+        }
+}
+
+Note that the ftp helper gets assigned *after* the dnat setup.
+
+The inverse (nat after helper assign) is handled by an existing
+check in nf_nat_setup_info() and will not show the problem.
+
+Topoloy:
+
+ +-------------------+     +----------------------------------+
+ | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |
+ +-------------------+     +----------------------------------+
+                                      |
+                         +-----------------------+
+                         | Client: 192.168.100.2 |
+                         +-----------------------+
+
+ftp nat changes do not work as expected in this case:
+Connected to 192.168.100.1.
+[..]
+ftp> epsv
+EPSV/EPRT on IPv4 off.
+ftp> ls
+227 Entering passive mode (192,168,100,1,209,129).
+421 Service not available, remote server has closed connection.
+
+Kernel logs:
+Missing nfct_seqadj_ext_add() setup call
+WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41
+[..]
+ __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]
+ nf_nat_ftp+0x142/0x280 [nf_nat_ftp]
+ help+0x4d1/0x880 [nf_conntrack_ftp]
+ nf_confirm+0x122/0x2e0 [nf_conntrack]
+ nf_hook_slow+0x3c/0xb0
+ ..
+
+Fix this by adding the required extension when a conntrack helper is assigned
+to a connection that has a nat binding.
+
+Fixes: 1a64edf54f55 ("netfilter: nft_ct: add helper set support")
+Signed-off-by: Andrii Melnychenko <a.melnychenko@vyos.io>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Stable-dep-of: 36eae0956f65 ("netfilter: nft_ct: drop pending enqueued packets on removal")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_ct.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index 83bb3f110ea84..3edfdf06bea6a 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -22,6 +22,7 @@
+ #include <net/netfilter/nf_conntrack_timeout.h>
+ #include <net/netfilter/nf_conntrack_l4proto.h>
+ #include <net/netfilter/nf_conntrack_expect.h>
++#include <net/netfilter/nf_conntrack_seqadj.h>
+ struct nft_ct {
+       enum nft_ct_keys        key:8;
+@@ -1109,6 +1110,10 @@ static void nft_ct_helper_obj_eval(struct nft_object *obj,
+       if (help) {
+               rcu_assign_pointer(help->helper, to_assign);
+               set_bit(IPS_HELPER_BIT, &ct->status);
++
++              if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct))
++                      if (!nfct_seqadj_ext_add(ct))
++                              regs->verdict.code = NF_DROP;
+       }
+ }
+-- 
+2.51.0
+
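Review bot: The two nested brace-less `if` statements added in nft_ct_helper_obj_eval() are a style hazard (a later `else` would bind to the inner one) and can be folded into a single condition: `if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct) && !nfct_seqadj_ext_add(ct))` followed by `regs->verdict.code = NF_DROP;`. A why-comment would also help, since dropping on allocation failure is not obvious from the code, e.g. `/* NAT was set up before the helper: seqadj ext is required for payload mangling */`. Note that the helper pointer is already published via rcu_assign_pointer() on the lines above before the extension is added; whether a dropped first packet can leave an entry with a helper but no seqadj extension depends on how the entry is confirmed, which is outside the hunk. The start of nft_ct_helper_obj_eval() is outside the hunk.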
diff --git a/queue-5.15/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch b/queue-5.15/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch
new file mode 100644 (file)
index 0000000..7875fa1
--- /dev/null
@@ -0,0 +1,70 @@
+From 1253c72732896a7f888630adb2006a3439730f83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 13:48:47 +0100
+Subject: netfilter: nft_ct: drop pending enqueued packets on removal
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 36eae0956f659e48d5366d9b083d9417f3263ddc ]
+
+Packets sitting in nfqueue might hold a reference to:
+
+- templates that specify the conntrack zone, because a percpu area is
+  used and module removal is possible.
+- conntrack timeout policies and helper, where object removal leave
+  a stale reference.
+
+Since these objects can just go away, drop enqueued packets to avoid
+stale reference to them.
+
+If there is a need for finer grain removal, this logic can be revisited
+to make selective packet drop upon dependencies.
+
+Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_ct.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index 3edfdf06bea6a..9aa66a54e086b 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -23,6 +23,7 @@
+ #include <net/netfilter/nf_conntrack_l4proto.h>
+ #include <net/netfilter/nf_conntrack_expect.h>
+ #include <net/netfilter/nf_conntrack_seqadj.h>
++#include "nf_internals.h"
+ struct nft_ct {
+       enum nft_ct_keys        key:8;
+@@ -533,6 +534,7 @@ static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv)
+ #endif
+ #ifdef CONFIG_NF_CONNTRACK_ZONES
+       case NFT_CT_ZONE:
++              nf_queue_nf_hook_drop(ctx->net);
+               mutex_lock(&nft_ct_pcpu_mutex);
+               if (--nft_ct_pcpu_template_refcnt == 0)
+                       nft_ct_tmpl_put_pcpu();
+@@ -930,6 +932,7 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx,
+       struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
+       struct nf_ct_timeout *timeout = priv->timeout;
++      nf_queue_nf_hook_drop(ctx->net);
+       nf_ct_untimeout(ctx->net, timeout);
+       nf_ct_netns_put(ctx->net, ctx->family);
+       kfree(priv->timeout);
+@@ -1065,6 +1068,7 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx,
+ {
+       struct nft_ct_helper_obj *priv = nft_obj_data(obj);
++      nf_queue_nf_hook_drop(ctx->net);
+       if (priv->helper4)
+               nf_conntrack_helper_put(priv->helper4);
+       if (priv->helper6)
+-- 
+2.51.0
+
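Review bot: The three new `nf_queue_nf_hook_drop(ctx->net)` calls (in __nft_ct_set_destroy(), nft_ct_timeout_obj_destroy() and nft_ct_helper_obj_destroy()) appear, judging by the netns-wide argument, to flush every queued packet rather than only those referencing the object being destroyed, and nothing at the call sites says why; a one-line comment at each would keep the rationale from the commit message next to the code, e.g. `/* queued packets may still reference this object; flush them before it goes away */`. Each call is placed before the corresponding reference is released, which is the right order. All three enclosing functions start outside the hunk.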
diff --git a/queue-5.15/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch b/queue-5.15/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
new file mode 100644 (file)
index 0000000..76a0693
--- /dev/null
@@ -0,0 +1,54 @@
+From 20a6326f7e5692d6e9d4865462d2c4ad298e4c72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 13:48:48 +0100
+Subject: netfilter: xt_CT: drop pending enqueued packets on template removal
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit f62a218a946b19bb59abdd5361da85fa4606b96b ]
+
+Templates refer to objects that can go away while packets are sitting in
+nfqueue refer to:
+
+- helper, this can be an issue on module removal.
+- timeout policy, nfnetlink_cttimeout might remove it.
+
+The use of templates with zone and event cache filter are safe, since
+this just copies values.
+
+Flush these enqueued packets in case the template rule gets removed.
+
+Fixes: 24de58f46516 ("netfilter: xt_CT: allow to attach timeout policy + glue code")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_CT.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
+index 5d19cb059b197..3dd02482b437b 100644
+--- a/net/netfilter/xt_CT.c
++++ b/net/netfilter/xt_CT.c
+@@ -16,6 +16,7 @@
+ #include <net/netfilter/nf_conntrack_ecache.h>
+ #include <net/netfilter/nf_conntrack_timeout.h>
+ #include <net/netfilter/nf_conntrack_zones.h>
++#include "nf_internals.h"
+ static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct)
+ {
+@@ -269,6 +270,9 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par,
+       struct nf_conn_help *help;
+       if (ct) {
++              if (info->helper[0] || info->timeout[0])
++                      nf_queue_nf_hook_drop(par->net);
++
+               help = nfct_help(ct);
+               if (help)
+                       nf_conntrack_helper_put(help->helper);
+-- 
+2.51.0
+
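Review bot: The new flush in xt_ct_tg_destroy() is gated on `info->helper[0] || info->timeout[0]`, matching the commit message, but the reason is not recorded at the call site; suggest `/* helper/timeout may go away while packets sit in nfqueue; flush them first */` above the condition. The flush runs before `nf_conntrack_helper_put()` on the lines below, which is the right order. xt_ct_tg_destroy() starts outside the hunk.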
diff --git a/queue-5.15/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch b/queue-5.15/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
new file mode 100644 (file)
index 0000000..9ccd82e
--- /dev/null
@@ -0,0 +1,53 @@
+From 3d9f6fc6bbc3716633d03a3a1b9086ebf6dede29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 14:59:49 +0000
+Subject: netfilter: xt_time: use unsigned int for monthday bit shift
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit 00050ec08cecfda447e1209b388086d76addda3a ]
+
+The monthday field can be up to 31, and shifting a signed integer 1
+by 31 positions (1 << 31) is undefined behavior in C, as the result
+overflows a 32-bit signed int. Use 1U to ensure well-defined behavior
+for all valid monthday values.
+
+Change the weekday shift to 1U as well for consistency.
+
+Fixes: ee4411a1b1e0 ("[NETFILTER]: x_tables: add xt_time match")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_time.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
+index 6aa12d0f54e23..61de85e02a40f 100644
+--- a/net/netfilter/xt_time.c
++++ b/net/netfilter/xt_time.c
+@@ -227,13 +227,13 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par)
+       localtime_2(&current_time, stamp);
+-      if (!(info->weekdays_match & (1 << current_time.weekday)))
++      if (!(info->weekdays_match & (1U << current_time.weekday)))
+               return false;
+       /* Do not spend time computing monthday if all days match anyway */
+       if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) {
+               localtime_3(&current_time, stamp);
+-              if (!(info->monthdays_match & (1 << current_time.monthday)))
++              if (!(info->monthdays_match & (1U << current_time.monthday)))
+                       return false;
+       }
+-- 
+2.51.0
+
diff --git a/queue-5.15/nfnetlink_osf-validate-individual-option-lengths-in-.patch b/queue-5.15/nfnetlink_osf-validate-individual-option-lengths-in-.patch
new file mode 100644 (file)
index 0000000..bb11a15
--- /dev/null
@@ -0,0 +1,83 @@
+From bd298356cf15ac648a46af60ad822e3b5829a473 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 15:32:44 +0800
+Subject: nfnetlink_osf: validate individual option lengths in fingerprints
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit dbdfaae9609629a9569362e3b8f33d0a20fd783c ]
+
+nfnl_osf_add_callback() validates opt_num bounds and string
+NUL-termination but does not check individual option length fields.
+A zero-length option causes nf_osf_match_one() to enter the option
+matching loop even when foptsize sums to zero, which matches packets
+with no TCP options where ctx->optp is NULL:
+
+ Oops: general protection fault
+ KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
+ Call Trace:
+  nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
+  xt_osf_match_packet (net/netfilter/xt_osf.c:32)
+  ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
+  nf_hook_slow (net/netfilter/core.c:623)
+  ip_local_deliver (net/ipv4/ip_input.c:262)
+  ip_rcv (net/ipv4/ip_input.c:573)
+
+Additionally, an MSS option (kind=2) with length < 4 causes
+out-of-bounds reads when nf_osf_match_one() unconditionally accesses
+optp[2] and optp[3] for MSS value extraction.  While RFC 9293
+section 3.2 specifies that the MSS option is always exactly 4
+bytes (Kind=2, Length=4), the check uses "< 4" rather than
+"!= 4" because lengths greater than 4 do not cause memory
+safety issues -- the buffer is guaranteed to be at least
+foptsize bytes by the ctx->optsize == foptsize check.
+
+Reject fingerprints where any option has zero length, or where an MSS
+option has length less than 4, at add time rather than trusting these
+values in the packet matching hot path.
+
+Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_osf.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
+index 50723ba082890..da9d5d6de98f4 100644
+--- a/net/netfilter/nfnetlink_osf.c
++++ b/net/netfilter/nfnetlink_osf.c
+@@ -302,7 +302,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
+ {
+       struct nf_osf_user_finger *f;
+       struct nf_osf_finger *kf = NULL, *sf;
++      unsigned int tot_opt_len = 0;
+       int err = 0;
++      int i;
+       if (!capable(CAP_NET_ADMIN))
+               return -EPERM;
+@@ -318,6 +320,17 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
+       if (f->opt_num > ARRAY_SIZE(f->opt))
+               return -EINVAL;
++      for (i = 0; i < f->opt_num; i++) {
++              if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
++                      return -EINVAL;
++              if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)
++                      return -EINVAL;
++
++              tot_opt_len += f->opt[i].length;
++              if (tot_opt_len > MAX_IPOPTLEN)
++                      return -EINVAL;
++      }
++
+       if (!memchr(f->genre, 0, MAXGENRELEN) ||
+           !memchr(f->subtype, 0, MAXGENRELEN) ||
+           !memchr(f->version, 0, MAXGENRELEN))
+-- 
+2.51.0
+
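Review bot: The new validation loop in nfnl_osf_add_callback() rejects several shapes of option without saying which matcher read each rejection protects; a three-line comment above the loop stating that zero-length options would make nf_osf_match_one() walk options on packets that carry none, that an MSS option shorter than 4 bytes would be read past its end, and that the running total is bounded by MAX_IPOPTLEN would keep that knowledge next to the check. The loop index `i` is declared `int` and compared against `f->opt_num`; if that field is unsigned the comparison is mixed-sign (harmless after the `opt_num > ARRAY_SIZE` check above, but `unsigned int i` would avoid the warning). The function continues outside the hunk.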
diff --git a/queue-5.15/of-add-cleanup.h-based-auto-release-via-__free-devic.patch b/queue-5.15/of-add-cleanup.h-based-auto-release-via-__free-devic.patch
new file mode 100644 (file)
index 0000000..b6357d0
--- /dev/null
@@ -0,0 +1,72 @@
+From d212f427919ffe5c67b92071de3eb653f1f83312 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Feb 2024 14:27:11 +0000
+Subject: of: Add cleanup.h based auto release via __free(device_node) markings
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 9448e55d032d99af8e23487f51a542d51b2f1a48 ]
+
+The recent addition of scope based cleanup support to the kernel
+provides a convenient tool to reduce the chances of leaking reference
+counts where of_node_put() should have been called in an error path.
+
+This enables
+       struct device_node *child __free(device_node) = NULL;
+
+       for_each_child_of_node(np, child) {
+               if (test)
+                       return test;
+       }
+
+with no need for a manual call of of_node_put().
+A following patch will reduce the scope of the child variable to the
+for loop, to avoid an issues with ordering of autocleanup, and make it
+obvious when this assigned a non NULL value.
+
+In this simple example the gains are small but there are some very
+complex error handling cases buried in these loops that will be
+greatly simplified by enabling early returns with out the need
+for this manual of_node_put() call.
+
+Note that there are coccinelle checks in
+scripts/coccinelle/iterators/for_each_child.cocci to detect a failure
+to call of_node_put(). This new approach does not cause false positives.
+Longer term we may want to add scripting to check this new approach is
+done correctly with no double of_node_put() calls being introduced due
+to the auto cleanup. It may also be useful to script finding places
+this new approach is useful.
+
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Link: https://lore.kernel.org/r/20240225142714.286440-2-jic23@kernel.org
+Signed-off-by: Rob Herring <robh@kernel.org>
+Stable-dep-of: 879c001afbac ("firmware: arm_scpi: Fix device_node reference leak in probe path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/of.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/of.h b/include/linux/of.h
+index 29f657101f4f8..3c840c4879956 100644
+--- a/include/linux/of.h
++++ b/include/linux/of.h
+@@ -13,6 +13,7 @@
+  */
+ #include <linux/types.h>
+ #include <linux/bitops.h>
++#include <linux/cleanup.h>
+ #include <linux/errno.h>
+ #include <linux/kobject.h>
+ #include <linux/mod_devicetable.h>
+@@ -128,6 +129,7 @@ static inline struct device_node *of_node_get(struct device_node *node)
+ }
+ static inline void of_node_put(struct device_node *node) { }
+ #endif /* !CONFIG_OF_DYNAMIC */
++DEFINE_FREE(device_node, struct device_node *, if (_T) of_node_put(_T))
+ /* Pointer for first entry in chain of all nodes. */
+ extern struct device_node *of_root;
+-- 
+2.51.0
+
diff --git a/queue-5.15/pm-runtime-fix-a-race-condition-related-to-device-re.patch b/queue-5.15/pm-runtime-fix-a-race-condition-related-to-device-re.patch
new file mode 100644 (file)
index 0000000..0c1542b
--- /dev/null
@@ -0,0 +1,126 @@
+From b95d03f667fe6fd5d5ba076394d3d329f2cce2da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 11:27:20 -0700
+Subject: PM: runtime: Fix a race condition related to device removal
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 29ab768277617452d88c0607c9299cdc63b6e9ff ]
+
+The following code in pm_runtime_work() may dereference the dev->parent
+pointer after the parent device has been freed:
+
+       /* Maybe the parent is now able to suspend. */
+       if (parent && !parent->power.ignore_children) {
+               spin_unlock(&dev->power.lock);
+
+               spin_lock(&parent->power.lock);
+               rpm_idle(parent, RPM_ASYNC);
+               spin_unlock(&parent->power.lock);
+
+               spin_lock(&dev->power.lock);
+       }
+
+Fix this by inserting a flush_work() call in pm_runtime_remove().
+
+Without this patch blktest block/001 triggers the following complaint
+sporadically:
+
+BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160
+Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081
+Workqueue: pm pm_runtime_work
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x61/0x80
+ print_address_description.constprop.0+0x8b/0x310
+ print_report+0xfd/0x1d7
+ kasan_report+0xd8/0x1d0
+ __kasan_check_byte+0x42/0x60
+ lock_acquire.part.0+0x38/0x230
+ lock_acquire+0x70/0x160
+ _raw_spin_lock+0x36/0x50
+ rpm_suspend+0xc6a/0xfe0
+ rpm_idle+0x578/0x770
+ pm_runtime_work+0xee/0x120
+ process_one_work+0xde3/0x1410
+ worker_thread+0x5eb/0xfe0
+ kthread+0x37b/0x480
+ ret_from_fork+0x6cb/0x920
+ ret_from_fork_asm+0x11/0x20
+ </TASK>
+
+Allocated by task 4314:
+ kasan_save_stack+0x2a/0x50
+ kasan_save_track+0x18/0x40
+ kasan_save_alloc_info+0x3d/0x50
+ __kasan_kmalloc+0xa0/0xb0
+ __kmalloc_noprof+0x311/0x990
+ scsi_alloc_target+0x122/0xb60 [scsi_mod]
+ __scsi_scan_target+0x101/0x460 [scsi_mod]
+ scsi_scan_channel+0x179/0x1c0 [scsi_mod]
+ scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]
+ store_scan+0x2d2/0x390 [scsi_mod]
+ dev_attr_store+0x43/0x80
+ sysfs_kf_write+0xde/0x140
+ kernfs_fop_write_iter+0x3ef/0x670
+ vfs_write+0x506/0x1470
+ ksys_write+0xfd/0x230
+ __x64_sys_write+0x76/0xc0
+ x64_sys_call+0x213/0x1810
+ do_syscall_64+0xee/0xfc0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Freed by task 4314:
+ kasan_save_stack+0x2a/0x50
+ kasan_save_track+0x18/0x40
+ kasan_save_free_info+0x3f/0x50
+ __kasan_slab_free+0x67/0x80
+ kfree+0x225/0x6c0
+ scsi_target_dev_release+0x3d/0x60 [scsi_mod]
+ device_release+0xa3/0x220
+ kobject_cleanup+0x105/0x3a0
+ kobject_put+0x72/0xd0
+ put_device+0x17/0x20
+ scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]
+ device_release+0xa3/0x220
+ kobject_cleanup+0x105/0x3a0
+ kobject_put+0x72/0xd0
+ put_device+0x17/0x20
+ scsi_device_put+0x7f/0xc0 [scsi_mod]
+ sdev_store_delete+0xa5/0x120 [scsi_mod]
+ dev_attr_store+0x43/0x80
+ sysfs_kf_write+0xde/0x140
+ kernfs_fop_write_iter+0x3ef/0x670
+ vfs_write+0x506/0x1470
+ ksys_write+0xfd/0x230
+ __x64_sys_write+0x76/0xc0
+ x64_sys_call+0x213/0x1810
+
+Reported-by: Ming Lei <ming.lei@redhat.com>
+Closes: https://lore.kernel.org/all/ZxdNvLNI8QaOfD2d@fedora/
+Reported-by: syzbot+6c905ab800f20cf4086c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68c13942.050a0220.2ff435.000b.GAE@google.com/
+Fixes: 5e928f77a09a ("PM: Introduce core framework for run-time PM of I/O devices (rev. 17)")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20260312182720.2776083-1-bvanassche@acm.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/runtime.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
+index 7dcf2498965a3..f94d9223ab151 100644
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -1774,6 +1774,7 @@ void pm_runtime_reinit(struct device *dev)
+ void pm_runtime_remove(struct device *dev)
+ {
+       __pm_runtime_disable(dev, false);
++      flush_work(&dev->power.work);
+       pm_runtime_reinit(dev);
+ }
+-- 
+2.51.0
+
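Review bot: The new `flush_work(&dev->power.work)` in pm_runtime_remove() carries no comment, and its placement matters: it must stay after `__pm_runtime_disable()` so that nothing can requeue the work once it has been flushed, and before `pm_runtime_reinit()`. Suggest `/* pm_runtime_work() may still be running and about to touch dev->parent; wait for it */`. Whether __pm_runtime_disable() already cancels a not-yet-started request is outside the hunk; as the commit message describes, a work item that has already started is what the flush is for.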
diff --git a/queue-5.15/sched-idle-consolidate-the-handling-of-two-special-c.patch b/queue-5.15/sched-idle-consolidate-the-handling-of-two-special-c.patch
new file mode 100644 (file)
index 0000000..fd8cc6a
--- /dev/null
@@ -0,0 +1,133 @@
+From 97972eaf1a4dac5dc97d09195c6a48283af2121d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 13:25:41 +0100
+Subject: sched: idle: Consolidate the handling of two special cases
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit f4c31b07b136839e0fb3026f8a5b6543e3b14d2f ]
+
+There are two special cases in the idle loop that are handled
+inconsistently even though they are analogous.
+
+The first one is when a cpuidle driver is absent and the default CPU
+idle time power management implemented by the architecture code is used.
+In that case, the scheduler tick is stopped every time before invoking
+default_idle_call().
+
+The second one is when a cpuidle driver is present, but there is only
+one idle state in its table.  In that case, the scheduler tick is never
+stopped at all.
+
+Since each of these approaches has its drawbacks, reconcile them with
+the help of one simple heuristic.  Namely, stop the tick if the CPU has
+been woken up by it in the previous iteration of the idle loop, or let
+it tick otherwise.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Christian Loehle <christian.loehle@arm.com>
+Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
+Reviewed-by: Qais Yousef <qyousef@layalina.io>
+Reviewed-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
+Fixes: ed98c3491998 ("sched: idle: Do not stop the tick before cpuidle_idle_call()")
+[ rjw: Added Fixes tag, changelog edits ]
+Link: https://patch.msgid.link/4741364.LvFx2qVVIh@rafael.j.wysocki
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/idle.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c
+index 407835d23eacf..f1c58e2fc3b5c 100644
+--- a/kernel/sched/idle.c
++++ b/kernel/sched/idle.c
+@@ -158,6 +158,14 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev,
+       return cpuidle_enter(drv, dev, next_state);
+ }
++static void idle_call_stop_or_retain_tick(bool stop_tick)
++{
++      if (stop_tick || tick_nohz_tick_stopped())
++              tick_nohz_idle_stop_tick();
++      else
++              tick_nohz_idle_retain_tick();
++}
++
+ /**
+  * cpuidle_idle_call - the main idle function
+  *
+@@ -167,7 +175,7 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev,
+  * set, and it returns with polling set.  If it ever stops polling, it
+  * must clear the polling bit.
+  */
+-static void cpuidle_idle_call(void)
++static void cpuidle_idle_call(bool stop_tick)
+ {
+       struct cpuidle_device *dev = cpuidle_get_device();
+       struct cpuidle_driver *drv = cpuidle_get_cpu_driver(dev);
+@@ -189,7 +197,7 @@ static void cpuidle_idle_call(void)
+        */
+       if (cpuidle_not_available(drv, dev)) {
+-              tick_nohz_idle_stop_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               default_idle_call();
+               goto exit_idle;
+@@ -224,17 +232,19 @@ static void cpuidle_idle_call(void)
+               next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns);
+               call_cpuidle(drv, dev, next_state);
+       } else if (drv->state_count > 1) {
+-              bool stop_tick = true;
++              /*
++               * stop_tick is expected to be true by default by cpuidle
++               * governors, which allows them to select idle states with
++               * target residency above the tick period length.
++               */
++              stop_tick = true;
+               /*
+                * Ask the cpuidle framework to choose a convenient idle state.
+                */
+               next_state = cpuidle_select(drv, dev, &stop_tick);
+-              if (stop_tick || tick_nohz_tick_stopped())
+-                      tick_nohz_idle_stop_tick();
+-              else
+-                      tick_nohz_idle_retain_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               entered_state = call_cpuidle(drv, dev, next_state);
+               /*
+@@ -242,7 +252,7 @@ static void cpuidle_idle_call(void)
+                */
+               cpuidle_reflect(dev, entered_state);
+       } else {
+-              tick_nohz_idle_retain_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               /*
+                * If there is only a single idle state (or none), there is
+@@ -270,6 +280,7 @@ static void cpuidle_idle_call(void)
+ static void do_idle(void)
+ {
+       int cpu = smp_processor_id();
++      bool got_tick = false;
+       /*
+        * Check if we need to update blocked load
+@@ -312,8 +323,9 @@ static void do_idle(void)
+                       tick_nohz_idle_restart_tick();
+                       cpu_idle_poll();
+               } else {
+-                      cpuidle_idle_call();
++                      cpuidle_idle_call(got_tick);
+               }
++              got_tick = tick_nohz_idle_got_tick();
+               arch_cpu_idle_exit();
+       }
+-- 
+2.51.0
+
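Review bot: The kernel-doc block above cpuidle_idle_call() documents no parameters, so the new `stop_tick` argument added at the signature lacks a `@stop_tick:` entry and kernel-doc will flag it; add ` * @stop_tick: stop the scheduler tick before the no-driver and single-state idle paths (do_idle() passes whether the tick ended the previous idle period)`. In the `drv->state_count > 1` branch the parameter is then overwritten with `stop_tick = true;` so it can serve as the governor's out-parameter, which silently discards the caller's value; keeping a separate local there (`bool gov_stop_tick = true;` passed to cpuidle_select() and idle_call_stop_or_retain_tick()) would make that intent explicit. The backport assumes tick_nohz_idle_got_tick() exists in this tree, which cannot be confirmed from the hunk. Both cpuidle_idle_call() and do_idle() extend beyond the shown context.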
index fa25b176454fa6556d6149010341390833b8e8c5..0e1733ad08996c5463805eb924f3832fd7995eed 100644 (file)
@@ -240,3 +240,44 @@ drm-amd-display-use-gfp_atomic-in-dc_create_stream_for_sink.patch
 mptcp-pm-avoid-sending-rm_addr-over-same-subflow.patch
 pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch
 batman-adv-avoid-ogm-aggregation-when-skb-tailroom-is-insufficient.patch
+btrfs-tree-checker-fix-misleading-root-drop_level-er.patch
+soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
+wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch
+wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
+of-add-cleanup.h-based-auto-release-via-__free-devic.patch
+firmware-arm_scpi-fix-device_node-reference-leak-in-.patch
+bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
+bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
+bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
+bluetooth-hidp-fix-possible-uaf.patch
+bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch
+net-rose-fix-null-pointer-dereference-in-rose_transm.patch
+netfilter-ctnetlink-remove-refcounting-in-expectatio.patch
+netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
+netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
+netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
+netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch
+netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch
+netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
+netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
+netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
+net-bcmgenet-increase-wol-poll-timeout.patch
+net-mana-improve-the-hwc-error-handling.patch
+net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch
+sched-idle-consolidate-the-handling-of-two-special-c.patch
+pm-runtime-fix-a-race-condition-related-to-device-re.patch
+net-smc-only-save-the-original-clcsock-callback-func.patch
+net-smc-fix-slab-out-of-bounds-issue-in-fallback.patch
+net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch
+net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
+igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch
+wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
+wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
+acpi-processor-fix-previous-acpi_processor_errata_pi.patch
+net-macb-fix-uninitialized-rx_fs_lock.patch
+udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
+net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
+nfnetlink_osf-validate-individual-option-lengths-in-.patch
+net-mvpp2-guard-flow-control-update-with-global_tx_f.patch
+net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
+icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
diff --git a/queue-5.15/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch b/queue-5.15/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
new file mode 100644 (file)
index 0000000..87d5d5b
--- /dev/null
@@ -0,0 +1,92 @@
+From b221e472433e513b54b5011d01d74d87bb3dec30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 08:25:49 +0100
+Subject: soc: fsl: qbman: fix race condition in qman_destroy_fq
+
+From: Richard Genoud <richard.genoud@bootlin.com>
+
+[ Upstream commit 014077044e874e270ec480515edbc1cadb976cf2 ]
+
+When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between
+fq_table[fq->idx] state and freeing/allocating from the pool and
+WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.
+
+Indeed, we can have:
+         Thread A                             Thread B
+    qman_destroy_fq()                    qman_create_fq()
+      qman_release_fqid()
+        qman_shutdown_fq()
+        gen_pool_free()
+           -- At this point, the fqid is available again --
+                                           qman_alloc_fqid()
+           -- so, we can get the just-freed fqid in thread B --
+                                           fq->fqid = fqid;
+                                           fq->idx = fqid * 2;
+                                           WARN_ON(fq_table[fq->idx]);
+                                           fq_table[fq->idx] = fq;
+     fq_table[fq->idx] = NULL;
+
+And adding some logs between qman_release_fqid() and
+fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.
+
+To prevent that, ensure that fq_table[fq->idx] is set to NULL before
+gen_pool_free() is called by using smp_wmb().
+
+Fixes: c535e923bb97 ("soc/fsl: Introduce DPAA 1.x QMan device driver")
+Signed-off-by: Richard Genoud <richard.genoud@bootlin.com>
+Tested-by: CHAMPSEIX Thomas <thomas.champseix@alstomgroup.com>
+Link: https://lore.kernel.org/r/20251223072549.397625-1-richard.genoud@bootlin.com
+Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qbman/qman.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
+index 7e9074519ad22..bcbf6bf2e8f45 100644
+--- a/drivers/soc/fsl/qbman/qman.c
++++ b/drivers/soc/fsl/qbman/qman.c
+@@ -1827,6 +1827,8 @@ EXPORT_SYMBOL(qman_create_fq);
+ void qman_destroy_fq(struct qman_fq *fq)
+ {
++      int leaked;
++
+       /*
+        * We don't need to lock the FQ as it is a pre-condition that the FQ be
+        * quiesced. Instead, run some checks.
+@@ -1834,11 +1836,29 @@ void qman_destroy_fq(struct qman_fq *fq)
+       switch (fq->state) {
+       case qman_fq_state_parked:
+       case qman_fq_state_oos:
+-              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))
+-                      qman_release_fqid(fq->fqid);
++              /*
++               * There's a race condition here on releasing the fqid,
++               * setting the fq_table to NULL, and freeing the fqid.
++               * To prevent it, this order should be respected:
++               */
++              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) {
++                      leaked = qman_shutdown_fq(fq->fqid);
++                      if (leaked)
++                              pr_debug("FQID %d leaked\n", fq->fqid);
++              }
+               DPAA_ASSERT(fq_table[fq->idx]);
+               fq_table[fq->idx] = NULL;
++
++              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) && !leaked) {
++                      /*
++                       * fq_table[fq->idx] should be set to null before
++                       * freeing fq->fqid otherwise it could by allocated by
++                       * qman_alloc_fqid() while still being !NULL
++                       */
++                      smp_wmb();
++                      gen_pool_free(qm_fqalloc, fq->fqid | DPAA_GENALLOC_OFF, 1);
++              }
+               return;
+       default:
+               break;
+-- 
+2.51.0
+
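Review bot: `leaked` is declared without an initializer and assigned only inside the first `if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))` block, while the later `fq_isset(...) && !leaked` test reads it under the same condition; that is not undefined behaviour today, but it relies on the two flag tests staying identical and compilers may warn about a maybe-uninitialized read, so `int leaked = 0;` is the safer declaration. A FQID that qman_shutdown_fq() reports as leaked is deliberately never returned to the pool and only a pr_debug() records it, which is easy to miss when a pool later runs dry. The smp_wmb() orders the `fq_table[fq->idx] = NULL` store before gen_pool_free() only if the allocation side has matching read-side ordering, which is outside this hunk. The switch and the rest of qman_destroy_fq() continue past the hunk.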
diff --git a/queue-5.15/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch b/queue-5.15/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
new file mode 100644 (file)
index 0000000..2de44b2
--- /dev/null
@@ -0,0 +1,64 @@
+From 78583ec5f47fd7a267cea6f399eb6d9f14532911 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 18:02:41 -0700
+Subject: udp_tunnel: fix NULL deref caused by udp_sock_create6 when
+ CONFIG_IPV6=n
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit b3a6df291fecf5f8a308953b65ca72b7fc9e015d ]
+
+When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0
+(success) without actually creating a socket. Callers such as
+fou_create() then proceed to dereference the uninitialized socket
+pointer, resulting in a NULL pointer dereference.
+
+The captured NULL deref crash:
+  BUG: kernel NULL pointer dereference, address: 0000000000000018
+  RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)
+  [...]
+  Call Trace:
+    <TASK>
+    genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)
+    genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)
+    [...]
+    netlink_rcv_skb (net/netlink/af_netlink.c:2550)
+    genl_rcv (net/netlink/genetlink.c:1219)
+    netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
+    netlink_sendmsg (net/netlink/af_netlink.c:1894)
+    __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))
+    __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))
+    __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))
+    do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+    entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)
+
+This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so
+callers correctly take their error paths. There is only one caller of
+the vulnerable function and only privileged users can trigger it.
+
+Fixes: fd384412e199b ("udp_tunnel: Seperate ipv6 functions into its own file.")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260317010241.1893893-1-xmei5@asu.edu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/udp_tunnel.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
+index 72394f441dad8..b6af537abdc5a 100644
+--- a/include/net/udp_tunnel.h
++++ b/include/net/udp_tunnel.h
+@@ -47,7 +47,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+ static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+                                  struct socket **sockp)
+ {
+-      return 0;
++      return -EPFNOSUPPORT;
+ }
+ #endif
+-- 
+2.51.0
+
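Review bot: The stub now returns -EPFNOSUPPORT but still leaves `*sockp` unwritten, and nothing in the code records that the CONFIG_IPV6=n case must be handled through the return value; add `/* no IPv6 support built in: callers must take the error path, *sockp is not set */` above the return. A more defensive stub would also do `*sockp = NULL;`, turning any caller that tests the pointer rather than the return code into a clean failure; whether such callers exist cannot be seen here. The errno constant needs the errno header in scope, which the header presumably already pulls in through its other includes.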
diff --git a/queue-5.15/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch b/queue-5.15/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
new file mode 100644 (file)
index 0000000..3aeb67d
--- /dev/null
@@ -0,0 +1,51 @@
+From 207026b86ae5c8a0e40ea5a7bcce8527742803c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 21:36:59 +0530
+Subject: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
+
+From: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
+
+[ Upstream commit 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 ]
+
+When the nl80211 socket that originated a PMSR request is
+closed, cfg80211_release_pmsr() sets the request's nl_portid
+to zero and schedules pmsr_free_wk to process the abort
+asynchronously. If the interface is concurrently torn down
+before that work runs, cfg80211_pmsr_wdev_down() calls
+cfg80211_pmsr_process_abort() directly. However, the already-
+scheduled pmsr_free_wk work item remains pending and may run
+after the interface has been removed from the driver. This
+could cause the driver's abort_pmsr callback to operate on a
+torn-down interface, leading to undefined behavior and
+potential crashes.
+
+Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()
+before calling cfg80211_pmsr_process_abort(). This ensures any
+pending or in-progress work is drained before interface teardown
+proceeds, preventing the work from invoking the driver abort
+callback after the interface is gone.
+
+Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API")
+Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260305160712.1263829-3-peddolla.reddy@oss.qualcomm.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/pmsr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c
+index 65fa39275f73f..92c62d36e9525 100644
+--- a/net/wireless/pmsr.c
++++ b/net/wireless/pmsr.c
+@@ -642,6 +642,7 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev)
+       }
+       spin_unlock_bh(&wdev->pmsr_lock);
++      cancel_work_sync(&wdev->pmsr_free_wk);
+       if (found)
+               cfg80211_pmsr_process_abort(wdev);
+-- 
+2.51.0
+
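Review bot: The added cancel_work_sync() sits between spin_unlock_bh() and the conditional cfg80211_pmsr_process_abort() with no explanation, so a reader cannot tell why a free-work item must be drained before the abort; add `/* cfg80211_release_pmsr() may have queued pmsr_free_wk; drain it so it cannot call the driver after the interface is gone */`. It is correctly placed after the lock is dropped, since cancel_work_sync() can sleep. If the work item runs to completion while being waited for and already aborts the request, cfg80211_pmsr_process_abort() is still called afterwards when `found` is set; whether that second call is idempotent is not visible in this hunk. cfg80211_pmsr_wdev_down() starts before the hunk.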
diff --git a/queue-5.15/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch b/queue-5.15/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
new file mode 100644 (file)
index 0000000..a85a52a
--- /dev/null
@@ -0,0 +1,81 @@
+From 3c6931945e1139e36c71f6c938a21c060833557b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 20:42:44 -0700
+Subject: wifi: mac80211: fix NULL deref in mesh_matches_local()
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd ]
+
+mesh_matches_local() unconditionally dereferences ie->mesh_config to
+compare mesh configuration parameters. When called from
+mesh_rx_csa_frame(), the parsed action-frame elements may not contain a
+Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a
+kernel NULL pointer dereference.
+
+The other two callers are already safe:
+  - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before
+    calling mesh_matches_local()
+  - mesh_plink_get_event() is only reached through
+    mesh_process_plink_frame(), which checks !elems->mesh_config, too
+
+mesh_rx_csa_frame() is the only caller that passes raw parsed elements
+to mesh_matches_local() without guarding mesh_config. An adjacent
+attacker can exploit this by sending a crafted CSA action frame that
+includes a valid Mesh ID IE but omits the Mesh Configuration IE,
+crashing the kernel.
+
+The captured crash log:
+
+Oops: general protection fault, probably for non-canonical address ...
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+Workqueue: events_unbound cfg80211_wiphy_work
+[...]
+Call Trace:
+ <TASK>
+ ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
+ ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
+ [...]
+ ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
+ [...]
+ cfg80211_wiphy_work (net/wireless/core.c:426)
+ process_one_work (net/kernel/workqueue.c:3280)
+ ? assign_work (net/kernel/workqueue.c:1219)
+ worker_thread (net/kernel/workqueue.c:3352)
+ ? __pfx_worker_thread (net/kernel/workqueue.c:3385)
+ kthread (net/kernel/kthread.c:436)
+ [...]
+ ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
+ </TASK>
+
+This patch adds a NULL check for ie->mesh_config at the top of
+mesh_matches_local() to return false early when the Mesh Configuration
+IE is absent.
+
+Fixes: 2e3c8736820b ("mac80211: support functions for mesh")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260318034244.2595020-1-xmei5@asu.edu
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index e75f53f08b611..167b0625b1a17 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -75,6 +75,9 @@ bool mesh_matches_local(struct ieee80211_sub_if_data *sdata,
+        *   - MDA enabled
+        * - Power management control on fc
+        */
++      if (!ie->mesh_config)
++              return false;
++
+       if (!(ifmsh->mesh_id_len == ie->mesh_id_len &&
+            memcmp(ifmsh->mesh_id, ie->mesh_id, ie->mesh_id_len) == 0 &&
+            (ifmsh->mesh_pp_id == ie->mesh_config->meshconf_psel) &&
+-- 
+2.51.0
+
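Review bot: The new `if (!ie->mesh_config) return false;` is placed after the comment block that enumerates the comparison criteria, so the reason for the early return lives only in the commit message; add `/* mesh_rx_csa_frame() passes raw parsed elements; a CSA frame may carry a Mesh ID IE without a Mesh Configuration IE */` directly above it. The comparison that follows also dereferences `ie->mesh_id` via memcmp(); with a zero `ie->mesh_id_len` that is harmless, and whether every caller guarantees a non-NULL `ie->mesh_id` for a non-zero length cannot be checked from this hunk. mesh_matches_local() starts before and continues after the shown lines.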
diff --git a/queue-5.15/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch b/queue-5.15/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch
new file mode 100644 (file)
index 0000000..162e579
--- /dev/null
@@ -0,0 +1,112 @@
+From 1413c7f1b54b6332f1620b61a4697cd249d4fdb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Mar 2026 07:24:02 +0000
+Subject: wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit b94ae8e0d5fe1bdbbfdc3854ff6ce98f6876a828 ]
+
+syzbot reported static_branch_dec() underflow in aql_enable_write(). [0]
+
+The problem is that aql_enable_write() does not serialise concurrent
+write()s to the debugfs.
+
+aql_enable_write() checks static_key_false(&aql_disable.key) and
+later calls static_branch_inc() or static_branch_dec(), but the
+state may change between the two calls.
+
+aql_disable does not need to track inc/dec.
+
+Let's use static_branch_enable() and static_branch_disable().
+
+[0]:
+val == 0
+WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288
+Modules linked in:
+CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G     U       L      syzkaller #0 PREEMPT(full)
+Tainted: [U]=USER, [L]=SOFTLOCKUP
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
+RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311
+Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00
+RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4
+RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000
+RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a
+R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98
+FS:  00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000200000001140 CR3: 000000007cc4a000 CR4: 00000000003526f0
+Call Trace:
+ <TASK>
+ __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline]
+ __static_key_slow_dec kernel/jump_label.c:321 [inline]
+ static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336
+ aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343
+ short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383
+ vfs_write+0x2aa/0x1070 fs/read_write.c:684
+ ksys_pwrite64 fs/read_write.c:793 [inline]
+ __do_sys_pwrite64 fs/read_write.c:801 [inline]
+ __se_sys_pwrite64 fs/read_write.c:798 [inline]
+ __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f530cf9aeb9
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
+RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9
+RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010
+RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000
+R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978
+ </TASK>
+
+Fixes: e908435e402a ("mac80211: introduce aql_enable node in debugfs")
+Reported-by: syzbot+feb9ce36a95341bb47a4@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69a8979e.a70a0220.b118c.0025.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260306072405.3649474-1-kuniyu@google.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/debugfs.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c
+index 8dbfe325ee66f..4bf59033c516b 100644
+--- a/net/mac80211/debugfs.c
++++ b/net/mac80211/debugfs.c
+@@ -296,7 +296,6 @@ static ssize_t aql_enable_read(struct file *file, char __user *user_buf,
+ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf,
+                               size_t count, loff_t *ppos)
+ {
+-      bool aql_disabled = static_key_false(&aql_disable.key);
+       char buf[3];
+       size_t len;
+@@ -311,15 +310,12 @@ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf,
+       if (len > 0 && buf[len - 1] == '\n')
+               buf[len - 1] = 0;
+-      if (buf[0] == '0' && buf[1] == '\0') {
+-              if (!aql_disabled)
+-                      static_branch_inc(&aql_disable);
+-      } else if (buf[0] == '1' && buf[1] == '\0') {
+-              if (aql_disabled)
+-                      static_branch_dec(&aql_disable);
+-      } else {
++      if (buf[0] == '0' && buf[1] == '\0')
++              static_branch_enable(&aql_disable);
++      else if (buf[0] == '1' && buf[1] == '\0')
++              static_branch_disable(&aql_disable);
++      else
+               return -EINVAL;
+-      }
+       return count;
+ }
+-- 
+2.51.0
+
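Review bot: Replacing the inc/dec pair with static_branch_enable()/static_branch_disable() is what closes the underflow, but nothing in the code says why, so the counted form could be reintroduced later; add above the if-chain `/* enable/disable set an absolute state, so racing debugfs writers cannot unbalance the key count */`. Concurrent writers are still not serialised, which is acceptable only because the key is now set rather than counted. Both calls may sleep, which is fine in this debugfs write handler. The buffer copy and the `len` computation of aql_enable_write() lie between the two hunks.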
diff --git a/queue-5.15/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch b/queue-5.15/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
new file mode 100644 (file)
index 0000000..5426fce
--- /dev/null
@@ -0,0 +1,54 @@
+From 2cd3b9658f5de69b86478762bb9cf689eb68b5a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 23:46:36 -0700
+Subject: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not
+ enough headroom
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit deb353d9bb009638b7762cae2d0b6e8fdbb41a69 ]
+
+Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom
+before skb_push"), wl1271_tx_allocate() and with it
+wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails.
+However, in wlcore_tx_work_locked(), a return value of -EAGAIN from
+wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being
+full. This causes the code to flush the buffer, put the skb back at the
+head of the queue, and immediately retry the same skb in a tight while
+loop.
+
+Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens
+immediately with GFP_ATOMIC, this will result in an infinite loop and a
+CPU soft lockup. Return -ENOMEM instead so the packet is dropped and
+the loop terminates.
+
+The problem was found by an experimental code review agent based on
+gemini-3.1-pro while reviewing backports into v6.18.y.
+
+Assisted-by: Gemini:gemini-3.1-pro
+Fixes: e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push")
+Cc: Peter Astrand <astrand@lysator.liu.se>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://patch.msgid.link/20260318064636.3065925-1-linux@roeck-us.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wlcore/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c
+index e86cc3425e997..ac1411db8e5a8 100644
+--- a/drivers/net/wireless/ti/wlcore/tx.c
++++ b/drivers/net/wireless/ti/wlcore/tx.c
+@@ -213,7 +213,7 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif,
+               if (skb_headroom(skb) < (total_len - skb->len) &&
+                   pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) {
+                       wl1271_free_tx_id(wl, id);
+-                      return -EAGAIN;
++                      return -ENOMEM;
+               }
+               desc = skb_push(skb, total_len - skb->len);
+-- 
+2.51.0
+
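Review bot: `-ENOMEM` at the headroom-expansion failure is chosen because the caller interprets -EAGAIN as "aggregation buffer full, requeue and retry", and that contract is recorded only in the commit message; add on the return `/* not -EAGAIN: wlcore_tx_work_locked() would requeue this skb and spin */`. wl1271_free_tx_id() is called before the return, so the tx id is not leaked on this path. wl1271_tx_allocate() starts before the hunk.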
diff --git a/queue-6.1/acpi-processor-fix-previous-acpi_processor_errata_pi.patch b/queue-6.1/acpi-processor-fix-previous-acpi_processor_errata_pi.patch
new file mode 100644 (file)
index 0000000..e07deb7
--- /dev/null
@@ -0,0 +1,74 @@
+From 2e068fc7bd5175d0d13d98efc8cd30944ed4b496 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 21:39:05 +0100
+Subject: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit bf504b229cb8d534eccbaeaa23eba34c05131e25 ]
+
+After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference
+in acpi_processor_errata_piix4()"), device pointers may be dereferenced
+after dropping references to the device objects pointed to by them,
+which may cause a use-after-free to occur.
+
+Moreover, debug messages about enabling the errata may be printed
+if the errata flags corresponding to them are unset.
+
+Address all of these issues by moving message printing to the points
+in the code where the errata flags are set.
+
+Fixes: f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()")
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Closes: https://lore.kernel.org/linux-acpi/938e2206-def5-4b7a-9b2c-d1fd37681d8a@roeck-us.net/
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Link: https://patch.msgid.link/5975693.DvuYhMxLoT@rafael.j.wysocki
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_processor.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c
+index 669398045c0fd..07acdaee6ce5c 100644
+--- a/drivers/acpi/acpi_processor.c
++++ b/drivers/acpi/acpi_processor.c
+@@ -96,6 +96,10 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev)
+                                    PCI_ANY_ID, PCI_ANY_ID, NULL);
+               if (ide_dev) {
+                       errata.piix4.bmisx = pci_resource_start(ide_dev, 4);
++                      if (errata.piix4.bmisx)
++                              dev_dbg(&ide_dev->dev,
++                                      "Bus master activity detection (BM-IDE) erratum enabled\n");
++
+                       pci_dev_put(ide_dev);
+               }
+@@ -114,20 +118,17 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev)
+               if (isa_dev) {
+                       pci_read_config_byte(isa_dev, 0x76, &value1);
+                       pci_read_config_byte(isa_dev, 0x77, &value2);
+-                      if ((value1 & 0x80) || (value2 & 0x80))
++                      if ((value1 & 0x80) || (value2 & 0x80)) {
+                               errata.piix4.fdma = 1;
++                              dev_dbg(&isa_dev->dev,
++                                      "Type-F DMA livelock erratum (C3 disabled)\n");
++                      }
+                       pci_dev_put(isa_dev);
+               }
+               break;
+       }
+-      if (ide_dev)
+-              dev_dbg(&ide_dev->dev, "Bus master activity detection (BM-IDE) erratum enabled\n");
+-
+-      if (isa_dev)
+-              dev_dbg(&isa_dev->dev, "Type-F DMA livelock erratum (C3 disabled)\n");
+-
+       return 0;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.1/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch b/queue-6.1/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch
new file mode 100644 (file)
index 0000000..da2651a
--- /dev/null
@@ -0,0 +1,52 @@
+From dbad7439dbad473304447307ddc67c8dfc4f2d04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 14:50:52 +0100
+Subject: Bluetooth: hci_sync: Fix hci_le_create_conn_sync
+
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+
+[ Upstream commit 2cabe7ff1001b7a197009cf50ba71701f9cbd354 ]
+
+While introducing hci_le_create_conn_sync the functionality
+of hci_connect_le was ported to hci_le_create_conn_sync including
+the disable of the scan before starting the connection.
+
+When this code was run non synchronously the immediate call that was
+setting the flag HCI_LE_SCAN_INTERRUPTED had an impact. Since the
+completion handler for the LE_SCAN_DISABLE was not immediately called.
+In the completion handler of the LE_SCAN_DISABLE event, this flag is
+checked to set the state of the hdev to DISCOVERY_STOPPED.
+
+With the synchronised approach the later setting of the
+HCI_LE_SCAN_INTERRUPTED flag has not the same effect. The completion
+handler would immediately fire in the LE_SCAN_DISABLE call, check for
+the flag, which is then not yet set and do nothing.
+
+To fix this issue and make the function call work as before, we move the
+setting of the flag HCI_LE_SCAN_INTERRUPTED before disabling the scan.
+
+Fixes: 8e8b92ee60de ("Bluetooth: hci_sync: Add hci_le_create_conn_sync")
+Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 5ad09900f8ff1..01b23fc71e610 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -6436,8 +6436,8 @@ int hci_le_create_conn_sync(struct hci_dev *hdev, struct hci_conn *conn)
+        * state.
+        */
+       if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {
+-              hci_scan_disable_sync(hdev);
+               hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
++              hci_scan_disable_sync(hdev);
+       }
+       /* Update random address, but set require_privacy to false so
+-- 
+2.51.0
+
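Review bot: The ordering introduced at L6756–L6757 — set HCI_LE_SCAN_INTERRUPTED first, then call hci_scan_disable_sync() — is a correctness invariant that the code itself does not record, so a later tidy-up could swap the two lines back; only the tail (`state.`) of the comment above the block is visible, and it should state the reason. Suggest adding directly above the flag set: `/* Must precede hci_scan_disable_sync(): per the synchronous path its completion handler checks this flag immediately to move discovery to DISCOVERY_STOPPED. */`. hci_le_create_conn_sync starts and ends outside the hunk.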
diff --git a/queue-6.1/bluetooth-hidp-fix-possible-uaf.patch b/queue-6.1/bluetooth-hidp-fix-possible-uaf.patch
new file mode 100644 (file)
index 0000000..0e3dde1
--- /dev/null
@@ -0,0 +1,237 @@
+From b71ee56228c813f6fc121a3c845b0670edb4660e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 10:17:47 -0500
+Subject: Bluetooth: HIDP: Fix possible UAF
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit dbf666e4fc9bdd975a61bf682b3f75cb0145eedd ]
+
+This fixes the following trace caused by not dropping l2cap_conn
+reference when user->remove callback is called:
+
+[   97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
+[   97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   97.809947] Call Trace:
+[   97.809954]  <TASK>
+[   97.809961]  dump_stack_lvl (lib/dump_stack.c:122)
+[   97.809990]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
+[   97.810017]  l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
+[   97.810055]  l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
+[   97.810086]  ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
+[   97.810117]  hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
+[   97.810148]  hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
+[   97.810180]  ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
+[   97.810212]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810242]  ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
+[   97.810267]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810290]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
+[   97.810320]  hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
+[   97.810346]  vhci_release (drivers/bluetooth/hci_vhci.c:691)
+[   97.810375]  ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
+[   97.810404]  __fput (fs/file_table.c:470)
+[   97.810430]  task_work_run (kernel/task_work.c:235)
+[   97.810451]  ? __pfx_task_work_run (kernel/task_work.c:201)
+[   97.810472]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810495]  ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
+[   97.810527]  do_exit (kernel/exit.c:972)
+[   97.810547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810574]  ? __pfx_do_exit (kernel/exit.c:897)
+[   97.810594]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
+[   97.810616]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810639]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
+[   97.810664]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810688]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   97.810721]  do_group_exit (kernel/exit.c:1093)
+[   97.810745]  get_signal (kernel/signal.c:3007 (discriminator 1))
+[   97.810772]  ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
+[   97.810803]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810826]  ? vfs_read (fs/read_write.c:555)
+[   97.810854]  ? __pfx_get_signal (kernel/signal.c:2800)
+[   97.810880]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810905]  ? __pfx_vfs_read (fs/read_write.c:555)
+[   97.810932]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810960]  arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
+[   97.810990]  ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
+[   97.811021]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811055]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811078]  ? ksys_read (fs/read_write.c:707)
+[   97.811106]  ? __pfx_ksys_read (fs/read_write.c:707)
+[   97.811137]  exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
+[   97.811169]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
+[   97.811192]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811215]  ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
+[   97.811240]  do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
+[   97.811268]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811292]  ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
+[   97.811318]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+[   97.811338] RIP: 0033:0x445cfe
+[   97.811352] Code: Unable to access opcode bytes at 0x445cd4.
+
+Code starting with the faulting instruction
+===========================================
+[   97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
+[   97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe
+[   97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004
+[   97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000
+[   97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8
+[   97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0
+[   97.811453]  </TASK>
+[   98.402453] ==================================================================
+[   98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430
+[   98.405361]
+[   98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   98.405600] Call Trace:
+[   98.405607]  <TASK>
+[   98.405614]  dump_stack_lvl (lib/dump_stack.c:122)
+[   98.405641]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
+[   98.405667]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.405691]  ? __virt_addr_valid (arch/x86/mm/physaddr.c:55)
+[   98.405724]  ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405748]  kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
+[   98.405778]  ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405807]  __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405832]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
+[   98.405859]  ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.405888]  ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
+[   98.405915]  ? __pfx___mutex_lock (kernel/locking/mutex.c:775)
+[   98.405939]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.405963]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
+[   98.405984]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.406015]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406038]  ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875)
+[   98.406061]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406085]  ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194)
+[   98.406107]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406130]  ? __timer_delete_sync (kernel/time/timer.c:1592)
+[   98.406158]  ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.406186]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406210]  l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.406263]  hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305)
+[   98.406293]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.406323]  ? kthread (kernel/kthread.c:433)
+[   98.406340]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.406370]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406393]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.406424]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.406453]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406476]  ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
+[   98.406499]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406523]  ? kthread (kernel/kthread.c:433)
+[   98.406539]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406565]  ? kthread (kernel/kthread.c:433)
+[   98.406581]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.406610]  kthread (kernel/kthread.c:467)
+[   98.406627]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.406645]  ret_from_fork (arch/x86/kernel/process.c:164)
+[   98.406674]  ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
+[   98.406704]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406728]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.406747]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
+[   98.406774]  </TASK>
+[   98.406780]
+[   98.433693] The buggy address belongs to the physical page:
+[   98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4
+[   98.435557] flags: 0x200000000000000(node=0|zone=2)
+[   98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000
+[   98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000
+[   98.438115] page dumped because: kasan: bad access detected
+[   98.438951]
+[   98.439211] Memory state around the buggy address:
+[   98.439871]  ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   98.440714]  ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.442458]                                   ^
+[   98.443011]  ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.443889]  ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.444768] ==================================================================
+[   98.445719] Disabling lock debugging due to kernel taint
+[   98.448074] l2cap_conn_free: freeing conn ffff88810c22b400
+[   98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G    B               7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   98.450040] Tainted: [B]=BAD_PAGE
+[   98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   98.450059] Call Trace:
+[   98.450065]  <TASK>
+[   98.450071]  dump_stack_lvl (lib/dump_stack.c:122)
+[   98.450099]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
+[   98.450125]  l2cap_conn_put (net/bluetooth/l2cap_core.c:1822)
+[   98.450154]  session_free (net/bluetooth/hidp/core.c:990)
+[   98.450181]  hidp_session_thread (net/bluetooth/hidp/core.c:1307)
+[   98.450213]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.450271]  ? kthread (kernel/kthread.c:433)
+[   98.450293]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.450339]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450368]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.450406]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.450442]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450471]  ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
+[   98.450499]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450528]  ? kthread (kernel/kthread.c:433)
+[   98.450547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450578]  ? kthread (kernel/kthread.c:433)
+[   98.450598]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.450637]  kthread (kernel/kthread.c:467)
+[   98.450657]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.450680]  ret_from_fork (arch/x86/kernel/process.c:164)
+[   98.450715]  ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
+[   98.450752]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450782]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.450804]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
+[   98.450836]  </TASK>
+
+Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers")
+Reported-by: soufiane el hachmi <kilwa10@gmail.com>
+Tested-by: soufiane el hachmi <kilwa10@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hidp/core.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index 82cc15ad963d8..b4e998e743f7a 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -987,7 +987,8 @@ static void session_free(struct kref *ref)
+       skb_queue_purge(&session->intr_transmit);
+       fput(session->intr_sock->file);
+       fput(session->ctrl_sock->file);
+-      l2cap_conn_put(session->conn);
++      if (session->conn)
++              l2cap_conn_put(session->conn);
+       kfree(session);
+ }
+@@ -1165,6 +1166,15 @@ static void hidp_session_remove(struct l2cap_conn *conn,
+       down_write(&hidp_session_sem);
++      /* Drop L2CAP reference immediately to indicate that
++       * l2cap_unregister_user() shall not be called as it is already
++       * considered removed.
++       */
++      if (session->conn) {
++              l2cap_conn_put(session->conn);
++              session->conn = NULL;
++      }
++
+       hidp_session_terminate(session);
+       cancel_work_sync(&session->dev_init);
+@@ -1302,7 +1312,9 @@ static int hidp_session_thread(void *arg)
+        * Instead, this call has the same semantics as if user-space tried to
+        * delete the session.
+        */
+-      l2cap_unregister_user(session->conn, &session->user);
++      if (session->conn)
++              l2cap_unregister_user(session->conn, &session->user);
++
+       hidp_session_put(session);
+       module_put_and_kthread_exit(0);
+-- 
+2.51.0
+
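Review bot: The `if (session->conn)` test added in hidp_session_thread (third hunk, L6992) reads session->conn without hidp_session_sem, whereas hidp_session_remove clears it under down_write() (second hunk, L6975–L6983); if the thread can reach this point while the remove path is between its l2cap_conn_put() and the store of NULL, the check passes and l2cap_unregister_user() runs on a connection whose reference was already dropped — the same use-after-free class this patch addresses. Whether hidp_session_terminate() or the L2CAP user-list locking already serialises the two paths is not visible here, so either take the semaphore around the test-and-call or document the ordering guarantee in the comment above L6992. The equivalent test in session_free (first hunk) is safe by construction since session_free is the kref release callback (signature at L6965) and runs after the last put. All three functions extend outside their hunks.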
diff --git a/queue-6.1/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch b/queue-6.1/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
new file mode 100644 (file)
index 0000000..fd4da9b
--- /dev/null
@@ -0,0 +1,55 @@
+From 5bba9e5d01b7c653d7ecd6c6269eb9bc58c270c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:25 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit e1d9a66889867c232657a9b6f25d451d7c3ab96f ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"If the SDU length field value exceeds the receiver's MTU, the receiver
+shall disconnect the channel..."
+
+This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P
+0x0027 -V le_public -I 100').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 7899600cd3724..db62b4f2c5210 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -7678,8 +7678,10 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+               return -ENOBUFS;
+       }
+-      if (chan->imtu < skb->len) {
+-              BT_ERR("Too big LE L2CAP PDU");
++      if (skb->len > chan->imtu) {
++              BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len,
++                     chan->imtu);
++              l2cap_send_disconn_req(chan, ECONNRESET);
+               return -ENOBUFS;
+       }
+@@ -7705,7 +7707,9 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+                      sdu_len, skb->len, chan->imtu);
+               if (sdu_len > chan->imtu) {
+-                      BT_ERR("Too big LE L2CAP SDU length received");
++                      BT_ERR("Too big LE L2CAP SDU length: len %u > %u",
++                             skb->len, sdu_len);
++                      l2cap_send_disconn_req(chan, ECONNRESET);
+                       err = -EMSGSIZE;
+                       goto failed;
+               }
+-- 
+2.51.0
+
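Review bot: The new log line at L7048–L7049 prints `skb->len, sdu_len` under the format `len %u > %u`, but the condition it reports is `sdu_len > chan->imtu`, so the message shows the wrong pair of values (the PDU length is already covered by the first hunk's message). It should read `BT_ERR("Too big LE L2CAP SDU length: len %u > %u", sdu_len, chan->imtu);`. A misleading number in a log that fires on peer-controlled input sends whoever triages it down the wrong path. l2cap_ecred_data_rcv continues outside both hunks.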
diff --git a/queue-6.1/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch b/queue-6.1/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
new file mode 100644 (file)
index 0000000..bd2eaba
--- /dev/null
@@ -0,0 +1,39 @@
+From ba0049d72eff1781d0ea4ffd7eb2ceb200cf9067 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:27 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit b6a2bf43aa37670432843bc73ae2a6288ba4d6f8 ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"... If the sum of the payload sizes for the K-frames exceeds the
+specified SDU length, the receiver shall disconnect the channel."
+
+This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
+0x0027 -V le_public').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index db62b4f2c5210..e2ca5d95c96be 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -7745,6 +7745,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+       if (chan->sdu->len + skb->len > chan->sdu_len) {
+               BT_ERR("Too much LE L2CAP data received");
++              l2cap_send_disconn_req(chan, ECONNRESET);
+               err = -EINVAL;
+               goto failed;
+       }
+-- 
+2.51.0
+
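Review bot: The disconnect added at L7093 implements a spec requirement that is only stated in the commit message; a one-line comment at the check would keep that rationale with the code, e.g. `/* Core 6.0, Vol 3, Part A, 3.4.3: sum of K-frame payloads exceeds SDU length -> disconnect */`. Note also that this path returns -EINVAL while the sibling oversize-SDU check in the same function now has the same disconnect side effect but returns -EMSGSIZE; if callers do not distinguish the two, aligning on one code would make the checks consistent. The function starts and ends outside the hunk.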
diff --git a/queue-6.1/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch b/queue-6.1/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch
new file mode 100644 (file)
index 0000000..051caa7
--- /dev/null
@@ -0,0 +1,46 @@
+From 9131170ca8126cce724a415c9e380f667fffaf18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 01:02:57 +0200
+Subject: Bluetooth: qca: fix ROM version reading on WCN3998 chips
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit 99b2c531e0e797119ae1b9195a8764ee98b00e65 ]
+
+WCN3998 uses a bit different format for rom version:
+
+[    5.479978] Bluetooth: hci0: setting up wcn399x
+[    5.633763] Bluetooth: hci0: QCA Product ID   :0x0000000a
+[    5.645350] Bluetooth: hci0: QCA SOC Version  :0x40010224
+[    5.650906] Bluetooth: hci0: QCA ROM Version  :0x00001001
+[    5.665173] Bluetooth: hci0: QCA Patch Version:0x00006699
+[    5.679356] Bluetooth: hci0: QCA controller version 0x02241001
+[    5.691109] Bluetooth: hci0: QCA Downloading qca/crbtfw21.tlv
+[    6.680102] Bluetooth: hci0: QCA Downloading qca/crnv21.bin
+[    6.842948] Bluetooth: hci0: QCA setup on UART is completed
+
+Fixes: 523760b7ff88 ("Bluetooth: hci_qca: Added support for WCN3998")
+Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btqca.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index 5651f40db1736..5b34da23adce7 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -826,6 +826,8 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+        */
+       if (soc_type == QCA_WCN3988)
+               rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f);
++      else if (soc_type == QCA_WCN3998)
++              rom_ver = ((soc_ver & 0x0000f000) >> 0x07) | (soc_ver & 0x0000000f);
+       else
+               rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f);
+-- 
+2.51.0
+
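Review bot: The new WCN3998 formula at L7144, `((soc_ver & 0x0000f000) >> 0x07)`, yields a rom_ver whose bit 4 is always clear, unlike the two neighbouring formulas that produce contiguous nibbles, and nothing in the code says which soc_ver fields the three variants decode — the commit message only says the format is "a bit different". If the gap is intentional, a comment naming the layout, e.g. `/* WCN3998: ROM version taken from soc_ver bits [15:12] and [3:0] — confirm against chip docs */`, would stop a future cleanup from "fixing" the shift. Writing shift counts in hex (`0x05`, `0x07`) also obscures the bit positions, though the new line matches the existing style. qca_uart_setup extends outside the hunk.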
diff --git a/queue-6.1/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch b/queue-6.1/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
new file mode 100644 (file)
index 0000000..cbe4f39
--- /dev/null
@@ -0,0 +1,36 @@
+From c1340322c947ee5b47dc0525b3bcb55b51f8f671 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:28 +0100
+Subject: Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit 0e4d4dcc1a6e82cc6f9abf32193558efa7e1613d ]
+
+The last test step ("Test with Invalid public key X and Y, all set to
+0") expects to get an "DHKEY check failed" instead of "unspecified".
+
+Fixes: 6d19628f539f ("Bluetooth: SMP: Fail if remote and local public keys are identical")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index d8a77bfe65a62..4241d39393f3e 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2737,7 +2737,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
+       if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
+           !crypto_memneq(key, smp->local_pk, 64)) {
+               bt_dev_err(hdev, "Remote and local public keys are identical");
+-              return SMP_UNSPECIFIED;
++              return SMP_DHKEY_CHECK_FAILED;
+       }
+       memcpy(smp->remote_pk, key, 64);
+-- 
+2.51.0
+
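Review bot: Returning SMP_DHKEY_CHECK_FAILED at L7184 from the public-key handler, before any DHKey check has taken place, reads as a mistake without context; the reason given in the commit message (the SM/PER/KDU/BI-04-C expectation) belongs in a comment beside it, e.g. `/* SM/PER/KDU/BI-04-C expects DHKey Check Failed here, not Unspecified */`. The bt_dev_err text on the preceding line still describes the condition accurately, so no other change is needed. smp_cmd_public_key extends outside the hunk.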
diff --git a/queue-6.1/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch b/queue-6.1/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch
new file mode 100644 (file)
index 0000000..46a6264
--- /dev/null
@@ -0,0 +1,38 @@
+From 7b9f9a461c7c544372d47eb9cb9e57454372db97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 08:33:21 +0800
+Subject: btrfs: tree-checker: fix misleading root drop_level error message
+
+From: ZhengYuan Huang <gality369@gmail.com>
+
+[ Upstream commit fc1cd1f18c34f91e78362f9629ab9fd43b9dcab9 ]
+
+Fix tree-checker error message to report "invalid root drop_level"
+instead of the misleading "invalid root level".
+
+Fixes: 259ee7754b67 ("btrfs: tree-checker: Add ROOT_ITEM check")
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-checker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
+index d1b6bb8f08dd1..cafd7055ab090 100644
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -1200,7 +1200,7 @@ static int check_root_item(struct extent_buffer *leaf, struct btrfs_key *key,
+       }
+       if (unlikely(btrfs_root_drop_level(&ri) >= BTRFS_MAX_LEVEL)) {
+               generic_err(leaf, slot,
+-                          "invalid root level, have %u expect [0, %u]",
++                          "invalid root drop_level, have %u expect [0, %u]",
+                           btrfs_root_drop_level(&ri), BTRFS_MAX_LEVEL - 1);
+               return -EUCLEAN;
+       }
+-- 
+2.51.0
+
diff --git a/queue-6.1/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch b/queue-6.1/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch
new file mode 100644 (file)
index 0000000..1f56355
--- /dev/null
@@ -0,0 +1,58 @@
+From 5b1aa5d8e909ffb7b4ff91e22256dbc00f982206 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 21:08:19 +0800
+Subject: firmware: arm_scpi: Fix device_node reference leak in probe path
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit 879c001afbac3df94160334fe5117c0c83b2cf48 ]
+
+A device_node reference obtained from the device tree is not released
+on all error paths in the arm_scpi probe path. Specifically, a node
+returned by of_parse_phandle() could be leaked when the probe failed
+after the node was acquired. The probe function returns early and
+the shmem reference is not released.
+
+Use __free(device_node) scope-based cleanup to automatically release
+the reference when the variable goes out of scope.
+
+Fixes: ed7ecb883901 ("firmware: arm_scpi: Add compatibility checks for shmem node")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Message-Id: <20260121-arm_scpi_2-v2-1-702d7fa84acb@gmail.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scpi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c
+index 3de25e9d18ef8..2d85e783ae267 100644
+--- a/drivers/firmware/arm_scpi.c
++++ b/drivers/firmware/arm_scpi.c
+@@ -18,6 +18,7 @@
+ #include <linux/bitmap.h>
+ #include <linux/bitfield.h>
++#include <linux/cleanup.h>
+ #include <linux/device.h>
+ #include <linux/err.h>
+ #include <linux/export.h>
+@@ -945,13 +946,13 @@ static int scpi_probe(struct platform_device *pdev)
+               int idx = scpi_drvinfo->num_chans;
+               struct scpi_chan *pchan = scpi_drvinfo->channels + idx;
+               struct mbox_client *cl = &pchan->cl;
+-              struct device_node *shmem = of_parse_phandle(np, "shmem", idx);
++              struct device_node *shmem __free(device_node) =
++                      of_parse_phandle(np, "shmem", idx);
+               if (!of_match_node(shmem_of_match, shmem))
+                       return -ENXIO;
+               ret = of_address_to_resource(shmem, 0, &res);
+-              of_node_put(shmem);
+               if (ret) {
+                       dev_err(dev, "failed to get SCPI payload mem resource\n");
+                       return ret;
+-- 
+2.51.0
+
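Review bot: The backport relies on `<linux/cleanup.h>` and a `DEFINE_FREE(device_node, ...)` definition being present in the 6.1 tree; the hunk adds the include at L7272 but cannot show that either exists there, and to my knowledge both arrived upstream after 6.1, so if they are missing scpi_probe fails to build rather than leaking. Confirm against the queue-6.1 tree before applying, or carry the fix as an explicit of_node_put() on the early-return path at L7283–L7284 instead. Kernel guidance also discourages mixing `__free()` locals with goto-based cleanup in one function, and scpi_probe's remaining body is outside the hunk, so check it has no goto labels reachable after the declaration. scpi_probe starts and ends outside the hunk.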
diff --git a/queue-6.1/iavf-fix-vlan-filter-lost-on-add-delete-race.patch b/queue-6.1/iavf-fix-vlan-filter-lost-on-add-delete-race.patch
new file mode 100644 (file)
index 0000000..81882df
--- /dev/null
@@ -0,0 +1,70 @@
+From a543a3f9cba3856e6b38aecde65c9efd4650d83f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 11:01:37 +0100
+Subject: iavf: fix VLAN filter lost on add/delete race
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit fc9c69be594756b81b54c6bc40803fa6052f35ae ]
+
+When iavf_add_vlan() finds an existing filter in IAVF_VLAN_REMOVE
+state, it transitions the filter to IAVF_VLAN_ACTIVE assuming the
+pending delete can simply be cancelled. However, there is no guarantee
+that iavf_del_vlans() has not already processed the delete AQ request
+and removed the filter from the PF. In that case the filter remains in
+the driver's list as IAVF_VLAN_ACTIVE but is no longer programmed on
+the NIC. Since iavf_add_vlans() only picks up filters in
+IAVF_VLAN_ADD state, the filter is never re-added, and spoof checking
+drops all traffic for that VLAN.
+
+  CPU0                       CPU1                     Workqueue
+  ----                       ----                     ---------
+  iavf_del_vlan(vlan 100)
+    f->state = REMOVE
+    schedule AQ_DEL_VLAN
+                             iavf_add_vlan(vlan 100)
+                               f->state = ACTIVE
+                                                      iavf_del_vlans()
+                                                        f is ACTIVE, skip
+                                                      iavf_add_vlans()
+                                                        f is ACTIVE, skip
+
+  Filter is ACTIVE in driver but absent from NIC.
+
+Transition to IAVF_VLAN_ADD instead and schedule
+IAVF_FLAG_AQ_ADD_VLAN_FILTER so iavf_add_vlans() re-programs the
+filter.  A duplicate add is idempotent on the PF.
+
+Fixes: 0c0da0e95105 ("iavf: refactor VLAN filter states")
+Signed-off-by: Petr Oros <poros@redhat.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 467ad433a47b9..667949e8833bf 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -831,10 +831,13 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter,
+               adapter->num_vlan_filters++;
+               iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER);
+       } else if (f->state == IAVF_VLAN_REMOVE) {
+-              /* IAVF_VLAN_REMOVE means that VLAN wasn't yet removed.
+-               * We can safely only change the state here.
++              /* Re-add the filter since we cannot tell whether the
++               * pending delete has already been processed by the PF.
++               * A duplicate add is harmless.
+                */
+-              f->state = IAVF_VLAN_ACTIVE;
++              f->state = IAVF_VLAN_ADD;
++              iavf_schedule_aq_request(adapter,
++                                       IAVF_FLAG_AQ_ADD_VLAN_FILTER);
+       }
+ clearout:
+-- 
+2.51.0
+
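Review bot: The re-add path at `f->state = IAVF_VLAN_ADD;` leaves `adapter->num_vlan_filters` untouched, which is only correct if the delete side never decrements it when it actually removes the entry from the PF; that accounting lives in iavf_del_vlans() outside this hunk and is worth confirming, otherwise the count drifts by one for every raced filter. As a style point, the new `iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER);` is wrapped over two lines while the identical call a few lines above in the same `if` chain fits on one, so the two should be formatted alike. The enclosing iavf_add_vlan() starts and ends outside the hunk.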
diff --git a/queue-6.1/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch b/queue-6.1/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
new file mode 100644 (file)
index 0000000..107813e
--- /dev/null
@@ -0,0 +1,68 @@
+From a4a32f8b08857dd701a06e8bf467c75924acbffb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 21:06:01 +0800
+Subject: icmp: fix NULL pointer dereference in icmp_tag_validation()
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit 614aefe56af8e13331e50220c936fc0689cf5675 ]
+
+icmp_tag_validation() unconditionally dereferences the result of
+rcu_dereference(inet_protos[proto]) without checking for NULL.
+The inet_protos[] array is sparse -- only about 15 of 256 protocol
+numbers have registered handlers. When ip_no_pmtu_disc is set to 3
+(hardened PMTU mode) and the kernel receives an ICMP Fragmentation
+Needed error with a quoted inner IP header containing an unregistered
+protocol number, the NULL dereference causes a kernel panic in
+softirq context.
+
+ Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
+ KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+ RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
+ Call Trace:
+  <IRQ>
+  icmp_rcv (net/ipv4/icmp.c:1527)
+  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
+  ip_local_deliver_finish (net/ipv4/ip_input.c:242)
+  ip_local_deliver (net/ipv4/ip_input.c:262)
+  ip_rcv (net/ipv4/ip_input.c:573)
+  __netif_receive_skb_one_core (net/core/dev.c:6164)
+  process_backlog (net/core/dev.c:6628)
+  handle_softirqs (kernel/softirq.c:561)
+  </IRQ>
+
+Add a NULL check before accessing icmp_strict_tag_validation. If the
+protocol has no registered handler, return false since it cannot
+perform strict tag validation.
+
+Fixes: 8ed1dc44d3e9 ("ipv4: introduce hardened ip_no_pmtu_disc mode")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Link: https://patch.msgid.link/20260318130558.1050247-4-bestswngs@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 374ec3aba66e3..309d22f2858cc 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -864,10 +864,12 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info)
+ static bool icmp_tag_validation(int proto)
+ {
++      const struct net_protocol *ipprot;
+       bool ok;
+       rcu_read_lock();
+-      ok = rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation;
++      ipprot = rcu_dereference(inet_protos[proto]);
++      ok = ipprot ? ipprot->icmp_strict_tag_validation : false;
+       rcu_read_unlock();
+       return ok;
+ }
+-- 
+2.51.0
+
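Review bot: The `ok = ipprot ? ipprot->icmp_strict_tag_validation : false;` line carries no comment saying why a NULL entry is expected, so the next reader may "simplify" the check away; add `/* inet_protos[] is sparse: a protocol with no registered handler cannot opt in to strict tag validation, so answer false. */` above the `rcu_dereference()` assignment. Returning false is the conservative answer for an unregistered protocol, and stating that rationale in the comment keeps the default from being flipped later. `proto` is also used as an array index with no range check, which presumably holds because callers pass an 8-bit header field; declaring the parameter as `u8 proto` would make that contract explicit at the signature.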
diff --git a/queue-6.1/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch b/queue-6.1/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch
new file mode 100644 (file)
index 0000000..eb2e261
--- /dev/null
@@ -0,0 +1,45 @@
+From ba8bb54044a7f3fa0c3f8a6df64a1bab3322131b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Feb 2026 19:46:32 +0000
+Subject: igc: fix missing update of skb->tail in igc_xmit_frame()
+
+From: Kohei Enju <kohei@enjuk.jp>
+
+[ Upstream commit 0ffba246652faf4a36aedc66059c2f94e4c83ea5 ]
+
+igc_xmit_frame() misses updating skb->tail when the packet size is
+shorter than the minimum one.
+Use skb_put_padto() in alignment with other Intel Ethernet drivers.
+
+Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers")
+Signed-off-by: Kohei Enju <kohei@enjuk.jp>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 5bcdb1b7da29a..8f8312a250c83 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -1667,11 +1667,8 @@ static netdev_tx_t igc_xmit_frame(struct sk_buff *skb,
+       /* The minimum packet size with TCTL.PSP set is 17 so pad the skb
+        * in order to meet this minimum size requirement.
+        */
+-      if (skb->len < 17) {
+-              if (skb_padto(skb, 17))
+-                      return NETDEV_TX_OK;
+-              skb->len = 17;
+-      }
++      if (skb_put_padto(skb, 17))
++              return NETDEV_TX_OK;
+       return igc_xmit_frame_ring(skb, igc_tx_queue_mapping(adapter, skb));
+ }
+-- 
+2.51.0
+
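Review bot: The `if (skb_put_padto(skb, 17)) return NETDEV_TX_OK;` relies on skb_put_padto() having freed the skb on failure, which is why no kfree_skb() follows and NETDEV_TX_OK rather than an error is returned; that ownership rule is not stated and is exactly what a later "fix" turns into a leak or double free, so extend the existing comment with `* skb_put_padto() frees the skb on failure, so returning NETDEV_TX_OK without touching it again is correct.`. The minimum length 17 now appears in both the comment and the call; a named constant beside the driver's other limits would keep the two from drifting. igc_xmit_frame() begins outside the hunk.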
diff --git a/queue-6.1/net-bcmgenet-increase-wol-poll-timeout.patch b/queue-6.1/net-bcmgenet-increase-wol-poll-timeout.patch
new file mode 100644 (file)
index 0000000..b58006a
--- /dev/null
@@ -0,0 +1,38 @@
+From 1157a749abaf5f9b50a936b93f7ee505203702cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 12:18:52 -0700
+Subject: net: bcmgenet: increase WoL poll timeout
+
+From: Justin Chen <justin.chen@broadcom.com>
+
+[ Upstream commit 6cfc3bc02b977f2fba5f7268e6504d1931a774f7 ]
+
+Some systems require more than 5ms to get into WoL mode. Increase the
+timeout value to 50ms.
+
+Fixes: c51de7f3976b ("net: bcmgenet: add Wake-on-LAN support code")
+Signed-off-by: Justin Chen <justin.chen@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20260312191852.3904571-1-justin.chen@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+index 56781e7214978..3ab506ed94252 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+@@ -101,7 +101,7 @@ static int bcmgenet_poll_wol_status(struct bcmgenet_priv *priv)
+       while (!(bcmgenet_rbuf_readl(priv, RBUF_STATUS)
+               & RBUF_STATUS_WOL)) {
+               retries++;
+-              if (retries > 5) {
++              if (retries > 50) {
+                       netdev_crit(dev, "polling wol mode timeout\n");
+                       return -ETIMEDOUT;
+               }
+-- 
+2.51.0
+
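Review bot: `if (retries > 50)` is a bare count whose relation to the 50 ms quoted in the commit message depends on the per-iteration delay, which lies outside the hunk; a named constant or a comment such as `/* ~50 ms: some systems need well over 5 ms to enter WoL mode */` would keep that intent visible at the check. If the loop body sleeps for a fixed interval, the kernel's read_poll_timeout() helper expresses the same wait with the timeout given directly in microseconds. bcmgenet_poll_wol_status() begins and ends outside the hunk.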
diff --git a/queue-6.1/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch b/queue-6.1/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
new file mode 100644 (file)
index 0000000..935efed
--- /dev/null
@@ -0,0 +1,87 @@
+From 77c64cc649fd1523857ed6941933ca004cfd6918 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 17:50:34 -0700
+Subject: net: bonding: fix NULL deref in bond_debug_rlb_hash_show
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit 605b52497bf89b3b154674deb135da98f916e390 ]
+
+rlb_clear_slave intentionally keeps RLB hash-table entries on
+the rx_hashtbl_used_head list with slave set to NULL when no
+replacement slave is available. However, bond_debug_rlb_hash_show
+visites client_info->slave without checking if it's NULL.
+
+Other used-list iterators in bond_alb.c already handle this NULL-slave
+state safely:
+
+- rlb_update_client returns early on !client_info->slave
+- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance
+compare slave values before visiting
+- lb_req_update_subnet_clients continues if slave is NULL
+
+The following NULL deref crash can be trigger in
+bond_debug_rlb_hash_show:
+
+[    1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[    1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)
+[    1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286
+[    1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204
+[    1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078
+[    1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000
+[    1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0
+[    1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8
+[    1.294864] FS:  0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000
+[    1.295239] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[    1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0
+[    1.295897] Call Trace:
+[    1.296134]  seq_read_iter (fs/seq_file.c:231)
+[    1.296341]  seq_read (fs/seq_file.c:164)
+[    1.296493]  full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))
+[    1.296658]  vfs_read (fs/read_write.c:572)
+[    1.296981]  ksys_read (fs/read_write.c:717)
+[    1.297132]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+[    1.297325]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+Add a NULL check and print "(none)" for entries with no assigned slave.
+
+Fixes: caafa84251b88 ("bonding: add the debugfs interface to see RLB hash table")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260317005034.1888794-1-xmei5@asu.edu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_debugfs.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_debugfs.c b/drivers/net/bonding/bond_debugfs.c
+index 5940945266489..624bf1f745266 100644
+--- a/drivers/net/bonding/bond_debugfs.c
++++ b/drivers/net/bonding/bond_debugfs.c
+@@ -34,11 +34,17 @@ static int bond_debug_rlb_hash_show(struct seq_file *m, void *v)
+       for (; hash_index != RLB_NULL_INDEX;
+            hash_index = client_info->used_next) {
+               client_info = &(bond_info->rx_hashtbl[hash_index]);
+-              seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n",
+-                      &client_info->ip_src,
+-                      &client_info->ip_dst,
+-                      &client_info->mac_dst,
+-                      client_info->slave->dev->name);
++              if (client_info->slave)
++                      seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n",
++                                 &client_info->ip_src,
++                                 &client_info->ip_dst,
++                                 &client_info->mac_dst,
++                                 client_info->slave->dev->name);
++              else
++                      seq_printf(m, "%-15pI4 %-15pI4 %-17pM (none)\n",
++                                 &client_info->ip_src,
++                                 &client_info->ip_dst,
++                                 &client_info->mac_dst);
+       }
+       spin_unlock_bh(&bond->mode_lock);
+-- 
+2.51.0
+
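Review bot: The NULL-slave branch duplicates the seq_printf() format string and its three address arguments, so the two formats can drift apart; a single call with the name chosen up front avoids that: `const char *name = client_info->slave ? client_info->slave->dev->name : "(none)";` followed by the original `seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", ..., name);`. The read of `client_info->slave` happens under `bond->mode_lock` (released on the last hunk line), which is presumably what keeps the check stable against rlb_clear_slave(); a one-line comment on the `if` would make that dependency explicit. bond_debug_rlb_hash_show() begins outside the hunk.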
diff --git a/queue-6.1/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch b/queue-6.1/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
new file mode 100644 (file)
index 0000000..56b55d3
--- /dev/null
@@ -0,0 +1,59 @@
+From 85bdbf7bb9d4551bb179a33319b335eacb3d4ee4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 08:42:12 +0000
+Subject: net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths
+
+From: Anas Iqbal <mohd.abd.6602@gmail.com>
+
+[ Upstream commit b48731849609cbd8c53785a48976850b443153fd ]
+
+Smatch reports:
+drivers/net/dsa/bcm_sf2.c:997 bcm_sf2_sw_resume() warn:
+'priv->clk' from clk_prepare_enable() not released on lines: 983,990.
+
+The clock enabled by clk_prepare_enable() in bcm_sf2_sw_resume()
+is not released if bcm_sf2_sw_rst() or bcm_sf2_cfp_resume() fails.
+
+Add the missing clk_disable_unprepare() calls in the error paths
+to properly release the clock resource.
+
+Fixes: e9ec5c3bd238 ("net: dsa: bcm_sf2: request and handle clocks")
+Reviewed-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Anas Iqbal <mohd.abd.6602@gmail.com>
+Link: https://patch.msgid.link/20260318084212.1287-1-mohd.abd.6602@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/bcm_sf2.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
+index 257df16768750..7defcfd1c213f 100644
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -971,15 +971,19 @@ static int bcm_sf2_sw_resume(struct dsa_switch *ds)
+       ret = bcm_sf2_sw_rst(priv);
+       if (ret) {
+               pr_err("%s: failed to software reset switch\n", __func__);
++              if (!priv->wol_ports_mask)
++                      clk_disable_unprepare(priv->clk);
+               return ret;
+       }
+       bcm_sf2_crossbar_setup(priv);
+       ret = bcm_sf2_cfp_resume(ds);
+-      if (ret)
++      if (ret) {
++              if (!priv->wol_ports_mask)
++                      clk_disable_unprepare(priv->clk);
+               return ret;
+-
++      }
+       if (priv->hw_params.num_gphy == 1)
+               bcm_sf2_gphy_enable_set(ds, true);
+-- 
+2.51.0
+
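Review bot: The clock release `if (!priv->wol_ports_mask) clk_disable_unprepare(priv->clk);` is now copied into two error paths, and any further early return added to bcm_sf2_sw_resume() will need a third copy; a goto-based cleanup label at the function's tail (outside the hunk) keeps the release in one place. The guard on `wol_ports_mask` presumably mirrors the condition under which the clock was enabled earlier in the function, and a short comment at the release saying so would explain why it is conditional. The fence shows the two call sites rewritten; the label itself belongs just before the final return, which this hunk does not reach, with the success path returning before it.
```c
	ret = bcm_sf2_sw_rst(priv);
	if (ret) {
		pr_err("%s: failed to software reset switch\n", __func__);
		goto out_clk_disable;
	}
	bcm_sf2_crossbar_setup(priv);
	ret = bcm_sf2_cfp_resume(ds);
	if (ret)
		goto out_clk_disable;
	/* … unchanged: gphy enable and the rest of resume, ending in the success return … */
out_clk_disable:
	/* The clock was only enabled when no WoL ports were active. */
	if (!priv->wol_ports_mask)
		clk_disable_unprepare(priv->clk);
	return ret;
```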
diff --git a/queue-6.1/net-macb-fix-uninitialized-rx_fs_lock.patch b/queue-6.1/net-macb-fix-uninitialized-rx_fs_lock.patch
new file mode 100644 (file)
index 0000000..e15c51d
--- /dev/null
@@ -0,0 +1,78 @@
+From a898679d6de9604edb58ecadd7b213f2fcfeedea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 13:38:25 +0300
+Subject: net: macb: fix uninitialized rx_fs_lock
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 34b11cc56e4369bc08b1f4c4a04222d75ed596ce ]
+
+If hardware doesn't support RX Flow Filters, rx_fs_lock spinlock is not
+initialized leading to the following assertion splat triggerable via
+set_rxnfc callback.
+
+INFO: trying to register non-static key.
+The code is fine but needs lockdep annotation, or maybe
+you didn't initialize this object before use?
+turning off the locking correctness validator.
+CPU: 1 PID: 949 Comm: syz.0.6 Not tainted 6.1.164+ #113
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106
+ assign_lock_key kernel/locking/lockdep.c:974 [inline]
+ register_lock_class+0x141b/0x17f0 kernel/locking/lockdep.c:1287
+ __lock_acquire+0x74f/0x6c40 kernel/locking/lockdep.c:4928
+ lock_acquire kernel/locking/lockdep.c:5662 [inline]
+ lock_acquire+0x190/0x4b0 kernel/locking/lockdep.c:5627
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+ _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:162
+ gem_del_flow_filter drivers/net/ethernet/cadence/macb_main.c:3562 [inline]
+ gem_set_rxnfc+0x533/0xac0 drivers/net/ethernet/cadence/macb_main.c:3667
+ ethtool_set_rxnfc+0x18c/0x280 net/ethtool/ioctl.c:961
+ __dev_ethtool net/ethtool/ioctl.c:2956 [inline]
+ dev_ethtool+0x229c/0x6290 net/ethtool/ioctl.c:3095
+ dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510
+ sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215
+ sock_ioctl+0x577/0x6d0 net/socket.c:1320
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856
+ do_syscall_x64 arch/x86/entry/common.c:46 [inline]
+ do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+A more straightforward solution would be to always initialize rx_fs_lock,
+just like rx_fs_list.  However, in this case the driver set_rxnfc callback
+would return with a rather confusing error code, e.g. -EINVAL.  So deny
+set_rxnfc attempts directly if the RX filtering feature is not supported
+by hardware.
+
+Fixes: ae8223de3df5 ("net: macb: Added support for RX filtering")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Link: https://patch.msgid.link/20260316103826.74506-2-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 471e3ebd7c5de..412a821148d7b 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -3770,6 +3770,9 @@ static int gem_set_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd)
+       struct macb *bp = netdev_priv(netdev);
+       int ret;
++      if (!(netdev->hw_features & NETIF_F_NTUPLE))
++              return -EOPNOTSUPP;
++
+       switch (cmd->cmd) {
+       case ETHTOOL_SRXCLSRLINS:
+               if ((cmd->fs.location >= bp->max_tuples)
+-- 
+2.51.0
+
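Review bot: The new `if (!(netdev->hw_features & NETIF_F_NTUPLE)) return -EOPNOTSUPP;` carries no comment tying it to the uninitialised `rx_fs_lock`, so a reader cannot see why `hw_features` (hardware capability) rather than `netdev->features` (the current toggle state) is the right test; add `/* rx_fs_lock/rx_fs_list are only set up when the hardware supports RX flow filtering; refuse early rather than take an uninitialised lock. */` above it. Whether the get_rxnfc counterpart reaches the same lock on a path open without the feature is not visible here and is worth checking for an equivalent guard. gem_set_rxnfc() continues past the hunk.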
diff --git a/queue-6.1/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch b/queue-6.1/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch
new file mode 100644 (file)
index 0000000..7ae4b43
--- /dev/null
@@ -0,0 +1,67 @@
+From df370264b81f17541353e35641c3044fc387c793 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 12:22:04 -0700
+Subject: net: mana: fix use-after-free in mana_hwc_destroy_channel() by
+ reordering teardown
+
+From: Dipayaan Roy <dipayanroy@linux.microsoft.com>
+
+[ Upstream commit fa103fc8f56954a60699a29215cb713448a39e87 ]
+
+A potential race condition exists in mana_hwc_destroy_channel() where
+hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and
+Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt
+handler to dereference freed memory, leading to a use-after-free or
+NULL pointer dereference in mana_hwc_handle_resp().
+
+mana_smc_teardown_hwc() signals the hardware to stop but does not
+synchronize against IRQ handlers already executing on other CPUs. The
+IRQ synchronization only happens in mana_hwc_destroy_cq() via
+mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs
+after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler()
+can dereference freed caller_ctx (and rxq->msg_buf) in
+mana_hwc_handle_resp().
+
+Fix this by reordering teardown to reverse-of-creation order: destroy
+the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This
+ensures all in-flight interrupt handlers complete before the memory they
+access is freed.
+
+Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/abHA3AjNtqa1nx9k@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+index 66a0552fc8b3a..8111f181f9572 100644
+--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
++++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+@@ -757,9 +757,6 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
+               gc->max_num_cqs = 0;
+       }
+-      kfree(hwc->caller_ctx);
+-      hwc->caller_ctx = NULL;
+-
+       if (hwc->txq)
+               mana_hwc_destroy_wq(hwc, hwc->txq);
+@@ -769,6 +766,9 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
+       if (hwc->cq)
+               mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq);
++      kfree(hwc->caller_ctx);
++      hwc->caller_ctx = NULL;
++
+       mana_gd_free_res_map(&hwc->inflight_msg_res);
+       hwc->num_inflight_msg = 0;
+-- 
+2.51.0
+
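Review bot: The relocated `kfree(hwc->caller_ctx);` now sits after `mana_hwc_destroy_cq()`, but nothing at either site records that the ordering is load-bearing, so a later cleanup can move it back; add `/* Must come after mana_hwc_destroy_cq(): that is where the EQ IRQ is deregistered and in-flight handlers that read caller_ctx are quiesced. */` above the kfree. The IRQ synchronisation only runs inside the `if (hwc->cq)` branch, so the safety argument presumes no handler can reach caller_ctx when `hwc->cq` is NULL — worth confirming against how the two are created. Both hunks belong to mana_hwc_destroy_channel(), whose start and end lie outside this patch.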
diff --git a/queue-6.1/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch b/queue-6.1/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch
new file mode 100644 (file)
index 0000000..34c27a7
--- /dev/null
@@ -0,0 +1,86 @@
+From d2baa94572f1f8a7044f6c8202d327a7fc49dbdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 12:31:01 -0700
+Subject: net: mvpp2: guard flow control update with global_tx_fc in buffer
+ switching
+
+From: Muhammad Hammad Ijaz <mhijaz@amazon.com>
+
+[ Upstream commit 8a63baadf08453f66eb582fdb6dd234f72024723 ]
+
+mvpp2_bm_switch_buffers() unconditionally calls
+mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and
+shared buffer pool modes. This function programs CM3 flow control
+registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference
+priv->cm3_base without any NULL check.
+
+When the CM3 SRAM resource is not present in the device tree (the
+third reg entry added by commit 60523583b07c ("dts: marvell: add CM3
+SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains
+NULL and priv->global_tx_fc is false. Any operation that triggers
+mvpp2_bm_switch_buffers(), for example an MTU change that crosses
+the jumbo frame threshold, will crash:
+
+  Unable to handle kernel NULL pointer dereference at
+  virtual address 0000000000000000
+  Mem abort info:
+    ESR = 0x0000000096000006
+    EC = 0x25: DABT (current EL), IL = 32 bits
+  pc : readl+0x0/0x18
+  lr : mvpp2_cm3_read.isra.0+0x14/0x20
+  Call trace:
+   readl+0x0/0x18
+   mvpp2_bm_pool_update_fc+0x40/0x12c
+   mvpp2_bm_pool_update_priv_fc+0x94/0xd8
+   mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0
+   mvpp2_change_mtu+0x140/0x380
+   __dev_set_mtu+0x1c/0x38
+   dev_set_mtu_ext+0x78/0x118
+   dev_set_mtu+0x48/0xa8
+   dev_ifsioc+0x21c/0x43c
+   dev_ioctl+0x2d8/0x42c
+   sock_ioctl+0x314/0x378
+
+Every other flow control call site in the driver already guards
+hardware access with either priv->global_tx_fc or port->tx_fc.
+mvpp2_bm_switch_buffers() is the only place that omits this check.
+
+Add the missing priv->global_tx_fc guard to both the disable and
+re-enable calls in mvpp2_bm_switch_buffers(), consistent with the
+rest of the driver.
+
+Fixes: 3a616b92a9d1 ("net: mvpp2: Add TX flow control support for jumbo frames")
+Signed-off-by: Muhammad Hammad Ijaz <mhijaz@amazon.com>
+Reviewed-by: Gunnar Kudrjavets <gunnarku@amazon.com>
+Link: https://patch.msgid.link/20260316193157.65748-1-mhijaz@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index ec69bb90f5740..b42c2c498faa2 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -5009,7 +5009,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+       if (priv->percpu_pools)
+               numbufs = port->nrxqs * 2;
+-      if (change_percpu)
++      if (change_percpu && priv->global_tx_fc)
+               mvpp2_bm_pool_update_priv_fc(priv, false);
+       for (i = 0; i < numbufs; i++)
+@@ -5026,7 +5026,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+                       mvpp2_open(port->dev);
+       }
+-      if (change_percpu)
++      if (change_percpu && priv->global_tx_fc)
+               mvpp2_bm_pool_update_priv_fc(priv, true);
+       return 0;
+-- 
+2.51.0
+
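Review bot: Both hunks add the same `change_percpu && priv->global_tx_fc` guard at the caller, which leaves mvpp2_bm_pool_update_priv_fc() itself callable with `cm3_base == NULL`; an early return on `!priv->global_tx_fc` at the top of that helper would protect any future caller too, with the caller-side guards kept for consistency with the rest of the driver. A comment at the first guard such as `/* CM3 flow control registers are only mapped when global_tx_fc is set */` would tell the reader why the condition is compound. mvpp2_bm_switch_buffers() starts before the first hunk and the two hunks are separated by code not shown.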
diff --git a/queue-6.1/net-rose-fix-null-pointer-dereference-in-rose_transm.patch b/queue-6.1/net-rose-fix-null-pointer-dereference-in-rose_transm.patch
new file mode 100644 (file)
index 0000000..d34b28e
--- /dev/null
@@ -0,0 +1,64 @@
+From 582c62bb6a53027103ca667f16106d565bd739ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 15:06:02 +0800
+Subject: net/rose: fix NULL pointer dereference in rose_transmit_link on
+ reconnect
+
+From: Jiayuan Chen <jiayuan.chen@shopee.com>
+
+[ Upstream commit e1f0a18c9564cdb16523c802e2c6fe5874e3d944 ]
+
+syzkaller reported a bug [1], and the reproducer is available at [2].
+
+ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN,
+TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects
+calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING
+(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT.
+
+When rose_connect() is called a second time while the first connection
+attempt is still in progress (TCP_SYN_SENT), it overwrites
+rose->neighbour via rose_get_neigh(). If that returns NULL, the socket
+is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL.
+When the socket is subsequently closed, rose_release() sees
+ROSE_STATE_1 and calls rose_write_internal() ->
+rose_transmit_link(skb, NULL), causing a NULL pointer dereference.
+
+Per connect(2), a second connect() while a connection is already in
+progress should return -EALREADY. Add this missing check for
+TCP_SYN_SENT to complete the state validation in rose_connect().
+
+[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271
+[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+d00f90e0af54102fb271@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0027.GAE@google.com/T/
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260311070611.76913-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index d13ec76a1fec3..066e2d91ce3d6 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -810,6 +810,11 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
+               goto out_release;
+       }
++      if (sk->sk_state == TCP_SYN_SENT) {
++              err = -EALREADY;
++              goto out_release;
++      }
++
+       sk->sk_state   = TCP_CLOSE;
+       sock->state = SS_UNCONNECTED;
+-- 
+2.51.0
+
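Review bot: The new `if (sk->sk_state == TCP_SYN_SENT)` block explains neither the -EALREADY choice nor what goes wrong without it, and the state-machine reasoning in the commit message will not survive into the file; add `/* A connect() is already in progress (possibly non-blocking): re-running the neighbour lookup would clobber rose->neighbour. */` above it. The check is placed immediately before `sk->sk_state = TCP_CLOSE;`, so it only works while it stays ahead of that reset — worth noting so a reorder does not defeat it. rose_connect() begins and ends outside the hunk.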
diff --git a/queue-6.1/net-sched-teql-fix-double-free-in-teql_master_xmit.patch b/queue-6.1/net-sched-teql-fix-double-free-in-teql_master_xmit.patch
new file mode 100644 (file)
index 0000000..7996f70
--- /dev/null
@@ -0,0 +1,202 @@
+From 91f77b95bf15763fb1fad47cfbd70007c305b6f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 11:54:22 -0400
+Subject: net/sched: teql: Fix double-free in teql_master_xmit
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit 66360460cab63c248ca5b1070a01c0c29133b960 ]
+
+Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should
+be called using the seq_lock to avoid racing with the datapath. Failure
+to do so may cause crashes like the following:
+
+[  238.028993][  T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)
+[  238.029328][  T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318
+[  238.029749][  T318]
+[  238.029900][  T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)
+[  238.029906][  T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+[  238.029910][  T318] Call Trace:
+[  238.029913][  T318]  <TASK>
+[  238.029916][  T318]  dump_stack_lvl (lib/dump_stack.c:122)
+[  238.029928][  T318]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
+[  238.029940][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
+[  238.029944][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+...
+[  238.029957][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
+[  238.029969][  T318]  kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)
+[  238.029979][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
+[  238.029989][  T318]  check_slab_allocation (mm/kasan/common.c:231)
+[  238.029995][  T318]  kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))
+[  238.030004][  T318]  skb_release_data (net/core/skbuff.c:1139)
+...
+[  238.030025][  T318]  sk_skb_reason_drop (net/core/skbuff.c:1256)
+[  238.030032][  T318]  pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)
+[  238.030039][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+...
+[  238.030054][  T318]  qdisc_reset (net/sched/sch_generic.c:1034)
+[  238.030062][  T318]  teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)
+[  238.030071][  T318]  __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)
+[  238.030077][  T318]  qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)
+[  238.030089][  T318]  ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)
+[  238.030095][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[  238.030102][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[  238.030106][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[  238.030114][  T318]  tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)
+...
+[  238.072958][  T318] Allocated by task 303 on cpu 5 at 238.026275s:
+[  238.073392][  T318]  kasan_save_stack (mm/kasan/common.c:58)
+[  238.073884][  T318]  kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
+[  238.074230][  T318]  __kasan_slab_alloc (mm/kasan/common.c:369)
+[  238.074578][  T318]  kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)
+[  238.076091][  T318]  kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))
+[  238.076450][  T318]  __alloc_skb (net/core/skbuff.c:713)
+[  238.076834][  T318]  alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)
+[  238.077178][  T318]  sock_alloc_send_pskb (net/core/sock.c:2997)
+[  238.077520][  T318]  packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)
+[  238.081469][  T318]
+[  238.081870][  T318] Freed by task 299 on cpu 1 at 238.028496s:
+[  238.082761][  T318]  kasan_save_stack (mm/kasan/common.c:58)
+[  238.083481][  T318]  kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
+[  238.085348][  T318]  kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))
+[  238.085900][  T318]  __kasan_slab_free (mm/kasan/common.c:287)
+[  238.086439][  T318]  kmem_cache_free (mm/slub.c:6168 (discriminator 3) mm/slub.c:6298 (discriminator 3))
+[  238.087007][  T318]  skb_release_data (net/core/skbuff.c:1139)
+[  238.087491][  T318]  consume_skb (net/core/skbuff.c:1451)
+[  238.087757][  T318]  teql_master_xmit (net/sched/sch_teql.c:358)
+[  238.088116][  T318]  dev_hard_start_xmit (./include/linux/netdevice.h:5324 ./include/linux/netdevice.h:5333 net/core/dev.c:3871 net/core/dev.c:3887)
+[  238.088468][  T318]  sch_direct_xmit (net/sched/sch_generic.c:347)
+[  238.088820][  T318]  __qdisc_run (net/sched/sch_generic.c:420 (discriminator 1))
+[  238.089166][  T318]  __dev_queue_xmit (./include/net/sch_generic.h:229 ./include/net/pkt_sched.h:121 ./include/net/pkt_sched.h:117 net/core/dev.c:4196 net/core/dev.c:4802)
+
+Workflow to reproduce:
+1. Initialize a TEQL topology (dummy0 and ifb0 as slaves, teql0 up).
+2. Start multiple sender workers continuously transmitting packets
+   through teql0 to drive teql_master_xmit().
+3. In parallel, repeatedly delete and re-add the root qdisc on
+   dummy0 and ifb0 via RTNETLINK, forcing frequent teardown and reset activity
+   (teql_destroy() / qdisc_reset()).
+4. After running both workloads concurrently for several iterations,
+   KASAN reports slab-use-after-free or double-free in the skb free path.
+
+Fix this by moving dev_reset_queue to sch_generic.h and calling it, instead
+of qdisc_reset, in teql_destroy since it handles both the lock and lockless
+cases correctly for root qdiscs.
+
+Fixes: 96009c7d500e ("sched: replace __QDISC_STATE_RUNNING bit with a spin lock")
+Reported-by: Xianrui Dong <keenanat2000@gmail.com>
+Tested-by: Xianrui Dong <keenanat2000@gmail.com>
+Co-developed-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260315155422.147256-1-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sch_generic.h | 28 ++++++++++++++++++++++++++++
+ net/sched/sch_generic.c   | 27 ---------------------------
+ net/sched/sch_teql.c      |  7 ++-----
+ 3 files changed, 30 insertions(+), 32 deletions(-)
+
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index 7bb73448de0d3..c5df4b7fe820c 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -662,6 +662,34 @@ void qdisc_destroy(struct Qdisc *qdisc);
+ void qdisc_put(struct Qdisc *qdisc);
+ void qdisc_put_unlocked(struct Qdisc *qdisc);
+ void qdisc_tree_reduce_backlog(struct Qdisc *qdisc, int n, int len);
++
++static inline void dev_reset_queue(struct net_device *dev,
++                                 struct netdev_queue *dev_queue,
++                                 void *_unused)
++{
++      struct Qdisc *qdisc;
++      bool nolock;
++
++      qdisc = rtnl_dereference(dev_queue->qdisc_sleeping);
++      if (!qdisc)
++              return;
++
++      nolock = qdisc->flags & TCQ_F_NOLOCK;
++
++      if (nolock)
++              spin_lock_bh(&qdisc->seqlock);
++      spin_lock_bh(qdisc_lock(qdisc));
++
++      qdisc_reset(qdisc);
++
++      spin_unlock_bh(qdisc_lock(qdisc));
++      if (nolock) {
++              clear_bit(__QDISC_STATE_MISSED, &qdisc->state);
++              clear_bit(__QDISC_STATE_DRAINING, &qdisc->state);
++              spin_unlock_bh(&qdisc->seqlock);
++      }
++}
++
+ #ifdef CONFIG_NET_SCHED
+ int qdisc_offload_dump_helper(struct Qdisc *q, enum tc_setup_type type,
+                             void *type_data);
+diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
+index 1b51b3038b4bd..c7727e9d0ea28 100644
+--- a/net/sched/sch_generic.c
++++ b/net/sched/sch_generic.c
+@@ -1290,33 +1290,6 @@ static void dev_deactivate_queue(struct net_device *dev,
+       }
+ }
+-static void dev_reset_queue(struct net_device *dev,
+-                          struct netdev_queue *dev_queue,
+-                          void *_unused)
+-{
+-      struct Qdisc *qdisc;
+-      bool nolock;
+-
+-      qdisc = rtnl_dereference(dev_queue->qdisc_sleeping);
+-      if (!qdisc)
+-              return;
+-
+-      nolock = qdisc->flags & TCQ_F_NOLOCK;
+-
+-      if (nolock)
+-              spin_lock_bh(&qdisc->seqlock);
+-      spin_lock_bh(qdisc_lock(qdisc));
+-
+-      qdisc_reset(qdisc);
+-
+-      spin_unlock_bh(qdisc_lock(qdisc));
+-      if (nolock) {
+-              clear_bit(__QDISC_STATE_MISSED, &qdisc->state);
+-              clear_bit(__QDISC_STATE_DRAINING, &qdisc->state);
+-              spin_unlock_bh(&qdisc->seqlock);
+-      }
+-}
+-
+ static bool some_qdisc_is_busy(struct net_device *dev)
+ {
+       unsigned int i;
+diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
+index c89cb6eba27da..efcca26966213 100644
+--- a/net/sched/sch_teql.c
++++ b/net/sched/sch_teql.c
+@@ -146,15 +146,12 @@ teql_destroy(struct Qdisc *sch)
+                                       master->slaves = NEXT_SLAVE(q);
+                                       if (q == master->slaves) {
+                                               struct netdev_queue *txq;
+-                                              spinlock_t *root_lock;
+                                               txq = netdev_get_tx_queue(master->dev, 0);
+                                               master->slaves = NULL;
+-                                              root_lock = qdisc_root_sleeping_lock(rtnl_dereference(txq->qdisc));
+-                                              spin_lock_bh(root_lock);
+-                                              qdisc_reset(rtnl_dereference(txq->qdisc));
+-                                              spin_unlock_bh(root_lock);
++                                              dev_reset_queue(master->dev,
++                                                              txq, NULL);
+                                       }
+                               }
+                               skb_queue_purge(&dat->q);
+-- 
+2.51.0
+
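Review bot: dev_reset_queue() now lives in include/net/sch_generic.h as a static inline with no comment, so a reader of the header cannot tell why the seqlock is taken before qdisc_lock() for TCQ_F_NOLOCK qdiscs or why __QDISC_STATE_MISSED/__QDISC_STATE_DRAINING are cleared afterwards; the commit message explains it but the header does not. I would add a block above it along the lines of `/* Reset the sleeping root qdisc of @dev_queue. Lockless (TCQ_F_NOLOCK) qdiscs are reset under their seqlock so the datapath cannot run concurrently, and MISSED/DRAINING are cleared afterwards so the qdisc can be rescheduled cleanly. */`, plus a note that @dev and @_unused presumably exist only to fit the netdev_for_each_tx_queue() callback signature (confirm). Note also that teql_destroy() now resets dev_queue->qdisc_sleeping instead of rtnl_dereference(txq->qdisc) as before; that looks intended, since the sleeping qdisc is the one that survives dev_deactivate(), but it is a behaviour change worth one sentence at the call site.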
diff --git a/queue-6.1/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch b/queue-6.1/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch
new file mode 100644 (file)
index 0000000..43312d0
--- /dev/null
@@ -0,0 +1,208 @@
+From 0c5bcf1655b3cd6f4a306e51227c529a2d969416 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 17:29:07 +0800
+Subject: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
+
+From: Jiayuan Chen <jiayuan.chen@shopee.com>
+
+[ Upstream commit 6d5e4538364b9ceb1ac2941a4deb86650afb3538 ]
+
+Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].
+
+smc_tcp_syn_recv_sock() is called in the TCP receive path
+(softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP
+listening socket). It reads sk_user_data to get the smc_sock
+pointer. However, when the SMC listen socket is being closed
+concurrently, smc_close_active() sets clcsock->sk_user_data
+to NULL under sk_callback_lock, and then the smc_sock itself
+can be freed via sock_put() in smc_release().
+
+This leads to two issues:
+
+1) NULL pointer dereference: sk_user_data is NULL when
+   accessed.
+2) Use-after-free: sk_user_data is read as non-NULL, but the
+   smc_sock is freed before its fields (e.g., queued_smc_hs,
+   ori_af_ops) are accessed.
+
+The race window looks like this (the syzkaller crash [1]
+triggers via the SYN cookie path: tcp_get_cookie_sock() ->
+smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path
+has the same race):
+
+  CPU A (softirq)              CPU B (process ctx)
+
+  tcp_v4_rcv()
+    TCP_NEW_SYN_RECV:
+    sk = req->rsk_listener
+    sock_hold(sk)
+    /* No lock on listener */
+                               smc_close_active():
+                                 write_lock_bh(cb_lock)
+                                 sk_user_data = NULL
+                                 write_unlock_bh(cb_lock)
+                                 ...
+                                 smc_clcsock_release()
+                                 sock_put(smc->sk) x2
+                                   -> smc_sock freed!
+    tcp_check_req()
+      smc_tcp_syn_recv_sock():
+        smc = user_data(sk)
+          -> NULL or dangling
+        smc->queued_smc_hs
+          -> crash!
+
+Note that the clcsock and smc_sock are two independent objects
+with separate refcounts. TCP stack holds a reference on the
+clcsock, which keeps it alive, but this does NOT prevent the
+smc_sock from being freed.
+
+Fix this by using RCU and refcount_inc_not_zero() to safely
+access smc_sock. Since smc_tcp_syn_recv_sock() is called in
+the TCP three-way handshake path, taking read_lock_bh on
+sk_callback_lock is too heavy and would not survive a SYN
+flood attack. Using rcu_read_lock() is much more lightweight.
+
+- Set SOCK_RCU_FREE on the SMC listen socket so that
+  smc_sock freeing is deferred until after the RCU grace
+  period. This guarantees the memory is still valid when
+  accessed inside rcu_read_lock().
+- Use rcu_read_lock() to protect reading sk_user_data.
+- Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the
+  smc_sock. If the refcount has already reached zero (close
+  path completed), it returns false and we bail out safely.
+
+Note: smc_hs_congested() has a similar lockless read of
+sk_user_data without rcu_read_lock(), but it only checks for
+NULL and accesses the global smc_hs_wq, never dereferencing
+any smc_sock field, so it is not affected.
+
+Reproducer was verified with mdelay injection and smc_run,
+the issue no longer occurs with this patch applied.
+
+[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9
+
+Fixes: 8270d9c21041 ("net/smc: Limit backlog connections")
+Reported-by: syzbot+827ae2bfb3a3529333e9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67eaf9b8.050a0220.3c3d88.004a.GAE@google.com/T/
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Link: https://patch.msgid.link/20260312092909.48325-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c    | 23 +++++++++++++++++------
+ net/smc/smc.h       |  5 +++++
+ net/smc/smc_close.c |  2 +-
+ 3 files changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index c951e5c483b51..a609b220b215d 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -123,7 +123,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
+       struct smc_sock *smc;
+       struct sock *child;
+-      smc = smc_clcsock_user_data(sk);
++      rcu_read_lock();
++      smc = smc_clcsock_user_data_rcu(sk);
++      if (!smc || !refcount_inc_not_zero(&smc->sk.sk_refcnt)) {
++              rcu_read_unlock();
++              smc = NULL;
++              goto drop;
++      }
++      rcu_read_unlock();
+       if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
+                               sk->sk_max_ack_backlog)
+@@ -145,11 +152,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
+               if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
+                       inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
+       }
++      sock_put(&smc->sk);
+       return child;
+ drop:
+       dst_release(dst);
+       tcp_listendrop(sk);
++      if (smc)
++              sock_put(&smc->sk);
+       return NULL;
+ }
+@@ -248,7 +258,7 @@ static void smc_fback_restore_callbacks(struct smc_sock *smc)
+       struct sock *clcsk = smc->clcsock->sk;
+       write_lock_bh(&clcsk->sk_callback_lock);
+-      clcsk->sk_user_data = NULL;
++      rcu_assign_sk_user_data(clcsk, NULL);
+       smc_clcsock_restore_cb(&clcsk->sk_state_change, &smc->clcsk_state_change);
+       smc_clcsock_restore_cb(&clcsk->sk_data_ready, &smc->clcsk_data_ready);
+@@ -862,7 +872,7 @@ static void smc_fback_replace_callbacks(struct smc_sock *smc)
+       struct sock *clcsk = smc->clcsock->sk;
+       write_lock_bh(&clcsk->sk_callback_lock);
+-      clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
++      __rcu_assign_sk_user_data_with_flags(clcsk, smc, SK_USER_DATA_NOCOPY);
+       smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change,
+                              &smc->clcsk_state_change);
+@@ -2550,8 +2560,8 @@ static int smc_listen(struct socket *sock, int backlog)
+        * smc-specific sk_data_ready function
+        */
+       write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+-      smc->clcsock->sk->sk_user_data =
+-              (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
++      __rcu_assign_sk_user_data_with_flags(smc->clcsock->sk, smc,
++                                           SK_USER_DATA_NOCOPY);
+       smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready,
+                              smc_clcsock_data_ready, &smc->clcsk_data_ready);
+       write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+@@ -2572,10 +2582,11 @@ static int smc_listen(struct socket *sock, int backlog)
+               write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+               smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+                                      &smc->clcsk_data_ready);
+-              smc->clcsock->sk->sk_user_data = NULL;
++              rcu_assign_sk_user_data(smc->clcsock->sk, NULL);
+               write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+               goto out;
+       }
++      sock_set_flag(sk, SOCK_RCU_FREE);
+       sk->sk_max_ack_backlog = backlog;
+       sk->sk_ack_backlog = 0;
+       sk->sk_state = SMC_LISTEN;
+diff --git a/net/smc/smc.h b/net/smc/smc.h
+index bcb57e60b2155..f480b956c45ef 100644
+--- a/net/smc/smc.h
++++ b/net/smc/smc.h
+@@ -302,6 +302,11 @@ static inline struct smc_sock *smc_clcsock_user_data(const struct sock *clcsk)
+              ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY);
+ }
++static inline struct smc_sock *smc_clcsock_user_data_rcu(const struct sock *clcsk)
++{
++      return (struct smc_sock *)rcu_dereference_sk_user_data(clcsk);
++}
++
+ /* save target_cb in saved_cb, and replace target_cb with new_cb */
+ static inline void smc_clcsock_replace_cb(void (**target_cb)(struct sock *),
+                                         void (*new_cb)(struct sock *),
+diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
+index 10219f55aad14..bb0313ef5f7c1 100644
+--- a/net/smc/smc_close.c
++++ b/net/smc/smc_close.c
+@@ -218,7 +218,7 @@ int smc_close_active(struct smc_sock *smc)
+                       write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+                       smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+                                              &smc->clcsk_data_ready);
+-                      smc->clcsock->sk->sk_user_data = NULL;
++                      rcu_assign_sk_user_data(smc->clcsock->sk, NULL);
+                       write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+                       rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
+               }
+-- 
+2.51.0
+
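Review bot: smc_clcsock_user_data_rcu() in net/smc/smc.h returns the raw rcu_dereference_sk_user_data() result, while the non-RCU helper directly above it masks off SK_USER_DATA_NOCOPY, and the pointer is stored with that flag set in smc_listen() and smc_fback_replace_callbacks(). This is only correct if rcu_dereference_sk_user_data() strips the flag bits itself, which the mainline sock.h helper does as far as I recall; confirm that the 6.1 tree's version behaves the same. A one-line comment would stop the next reader from "fixing" the asymmetry: `/* rcu_dereference_sk_user_data() already masks the SK_USER_DATA_* flag bits */`. Separately, the pin/unpin of the smc_sock in smc_tcp_syn_recv_sock() is split across two hunks, so a short comment at the refcount_inc_not_zero() site saying the reference is dropped before `return child` and on the `drop:` path would help.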
diff --git a/queue-6.1/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch b/queue-6.1/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
new file mode 100644 (file)
index 0000000..424766a
--- /dev/null
@@ -0,0 +1,69 @@
+From 840156303a6a221a0b6215bc4f16f15812bd1790 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 16:16:43 +0200
+Subject: net: usb: aqc111: Do not perform PM inside suspend callback
+
+From: Nikola Z. Ivanov <zlatistiv@gmail.com>
+
+[ Upstream commit 069c8f5aebe4d5224cf62acc7d4b3486091c658a ]
+
+syzbot reports "task hung in rpm_resume"
+
+This is caused by aqc111_suspend calling
+the PM variant of its write_cmd routine.
+
+The simplified call trace looks like this:
+
+rpm_suspend()
+  usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING
+    aqc111_suspend() - called for the usb device interface
+      aqc111_write32_cmd()
+        usb_autopm_get_interface()
+          pm_runtime_resume_and_get()
+            rpm_resume() - here we call rpm_resume() on our parent
+              rpm_resume() - Here we wait for a status change that will never happen.
+
+At this point we block another task which holds
+rtnl_lock and locks up the whole networking stack.
+
+Fix this by replacing the write_cmd calls with their _nopm variants
+
+Reported-by: syzbot+48dc1e8dfc92faf1124c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=48dc1e8dfc92faf1124c
+Fixes: e58ba4544c77 ("net: usb: aqc111: Add support for wake on LAN by MAGIC packet")
+Signed-off-by: Nikola Z. Ivanov <zlatistiv@gmail.com>
+Link: https://patch.msgid.link/20260313141643.1181386-1-zlatistiv@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/aqc111.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c
+index 3ebb1f84d3025..f1820c0d4830f 100644
+--- a/drivers/net/usb/aqc111.c
++++ b/drivers/net/usb/aqc111.c
+@@ -1400,14 +1400,14 @@ static int aqc111_suspend(struct usb_interface *intf, pm_message_t message)
+               aqc111_write16_cmd_nopm(dev, AQ_ACCESS_MAC,
+                                       SFR_MEDIUM_STATUS_MODE, 2, &reg16);
+-              aqc111_write_cmd(dev, AQ_WOL_CFG, 0, 0,
+-                               WOL_CFG_SIZE, &wol_cfg);
+-              aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0,
+-                                 &aqc111_data->phy_cfg);
++              aqc111_write_cmd_nopm(dev, AQ_WOL_CFG, 0, 0,
++                                    WOL_CFG_SIZE, &wol_cfg);
++              aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0,
++                                      &aqc111_data->phy_cfg);
+       } else {
+               aqc111_data->phy_cfg |= AQ_LOW_POWER;
+-              aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0,
+-                                 &aqc111_data->phy_cfg);
++              aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0,
++                                      &aqc111_data->phy_cfg);
+               /* Disable RX path */
+               aqc111_read16_cmd_nopm(dev, AQ_ACCESS_MAC,
+-- 
+2.51.0
+
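Review bot: aqc111_suspend() still carries no comment explaining why only the _nopm accessors may be used in it, so the same hang is easy to reintroduce; the hunk covers only part of the function (it starts and ends outside the hunk), so the remainder should be checked for any other non-_nopm call as well. I would add at the top of the function `/* Runtime PM is already in progress here: the plain aqc111_*_cmd() helpers call usb_autopm_get_interface() and block in rpm_resume(), so only the _nopm variants are safe. */`.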
diff --git a/queue-6.1/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch b/queue-6.1/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
new file mode 100644 (file)
index 0000000..d408d9e
--- /dev/null
@@ -0,0 +1,123 @@
+From a3e0ae3aef193ce25e737123767aeb89047cd590 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Mar 2026 02:21:37 +0900
+Subject: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit 5cb81eeda909dbb2def209dd10636b51549a3f8a ]
+
+ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the
+netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the
+conntrack reference immediately after netlink_dump_start().  When the
+dump spans multiple rounds, the second recvmsg() triggers the dump
+callback which dereferences the now-freed conntrack via nfct_help(ct),
+leading to a use-after-free on ct->ext.
+
+The bug is that the netlink_dump_control has no .start or .done
+callbacks to manage the conntrack reference across dump rounds.  Other
+dump functions in the same file (e.g. ctnetlink_get_conntrack) properly
+use .start/.done callbacks for this purpose.
+
+Fix this by adding .start and .done callbacks that hold and release the
+conntrack reference for the duration of the dump, and move the
+nfct_help() call after the cb->args[0] early-return check in the dump
+callback to avoid dereferencing ct->ext unnecessarily.
+
+ BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0
+ Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133
+
+ CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY
+ Call Trace:
+  <TASK>
+  ctnetlink_exp_ct_dump_table+0x4f/0x2e0
+  netlink_dump+0x333/0x880
+  netlink_recvmsg+0x3e2/0x4b0
+  ? aa_sk_perm+0x184/0x450
+  sock_recvmsg+0xde/0xf0
+
+ Allocated by task 133:
+  kmem_cache_alloc_noprof+0x134/0x440
+  __nf_conntrack_alloc+0xa8/0x2b0
+  ctnetlink_create_conntrack+0xa1/0x900
+  ctnetlink_new_conntrack+0x3cf/0x7d0
+  nfnetlink_rcv_msg+0x48e/0x510
+  netlink_rcv_skb+0xc9/0x1f0
+  nfnetlink_rcv+0xdb/0x220
+  netlink_unicast+0x3ec/0x590
+  netlink_sendmsg+0x397/0x690
+  __sys_sendmsg+0xf4/0x180
+
+ Freed by task 0:
+  slab_free_after_rcu_debug+0xad/0x1e0
+  rcu_core+0x5c3/0x9c0
+
+Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 5bf72773c69f7..30f332bcdc39d 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3204,7 +3204,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+       struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+       struct nf_conn *ct = cb->data;
+-      struct nf_conn_help *help = nfct_help(ct);
++      struct nf_conn_help *help;
+       u_int8_t l3proto = nfmsg->nfgen_family;
+       unsigned long last_id = cb->args[1];
+       struct nf_conntrack_expect *exp;
+@@ -3212,6 +3212,10 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       if (cb->args[0])
+               return 0;
++      help = nfct_help(ct);
++      if (!help)
++              return 0;
++
+       rcu_read_lock();
+ restart:
+@@ -3241,6 +3245,24 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       return skb->len;
+ }
++static int ctnetlink_dump_exp_ct_start(struct netlink_callback *cb)
++{
++      struct nf_conn *ct = cb->data;
++
++      if (!refcount_inc_not_zero(&ct->ct_general.use))
++              return -ENOENT;
++      return 0;
++}
++
++static int ctnetlink_dump_exp_ct_done(struct netlink_callback *cb)
++{
++      struct nf_conn *ct = cb->data;
++
++      if (ct)
++              nf_ct_put(ct);
++      return 0;
++}
++
+ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+                                struct sk_buff *skb,
+                                const struct nlmsghdr *nlh,
+@@ -3256,6 +3278,8 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+       struct nf_conntrack_zone zone;
+       struct netlink_dump_control c = {
+               .dump = ctnetlink_exp_ct_dump_table,
++              .start = ctnetlink_dump_exp_ct_start,
++              .done = ctnetlink_dump_exp_ct_done,
+       };
+       err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
+-- 
+2.51.0
+
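Review bot: the new .start/.done pair in ctnetlink_dump_exp_ct() relies on netlink not invoking .done when .start fails, otherwise the -ENOENT path would nf_ct_put() a reference it never took; that is how __netlink_dump_start() behaves as far as I know, but nothing here records it. A comment on ctnetlink_dump_exp_ct_done() such as `/* only reached if _start succeeded, so the reference taken there is ours to drop */` would capture the assumption, and the `if (ct)` guard could then go, since cb->data is always set by the caller. The `if (!help) return 0;` added to ctnetlink_exp_ct_dump_table() is a separate, worthwhile hardening: before, help->expectations was walked without checking that the conntrack has a helper extension at all.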
diff --git a/queue-6.1/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch b/queue-6.1/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch
new file mode 100644 (file)
index 0000000..2c3380f
--- /dev/null
@@ -0,0 +1,165 @@
+From c83a797210aa0cc5e0784152ac62bf3fa8ea95ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Aug 2025 17:25:09 +0200
+Subject: netfilter: ctnetlink: remove refcounting in expectation dumpers
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 1492e3dcb2be3aa46d1963da96aa9593e4e4db5a ]
+
+Same pattern as previous patch: do not keep the expectation object
+alive via refcount, only store a cookie value and then use that
+as the skip hint for dump resumption.
+
+AFAICS this has the same issue as the one resolved in the conntrack
+dumper, when we do
+  if (!refcount_inc_not_zero(&exp->use))
+
+to increment the refcount, there is a chance that exp == last, which
+causes a double-increment of the refcount and subsequent memory leak.
+
+Fixes: cf6994c2b981 ("[NETFILTER]: nf_conntrack_netlink: sync expectation dumping with conntrack table dumping")
+Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Stable-dep-of: 5cb81eeda909 ("netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 41 ++++++++++++----------------
+ 1 file changed, 17 insertions(+), 24 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index d3e28574ceb94..5bf72773c69f7 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3144,23 +3144,27 @@ ctnetlink_expect_event(unsigned int events, const struct nf_exp_event *item)
+       return 0;
+ }
+ #endif
+-static int ctnetlink_exp_done(struct netlink_callback *cb)
++
++static unsigned long ctnetlink_exp_id(const struct nf_conntrack_expect *exp)
+ {
+-      if (cb->args[1])
+-              nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
+-      return 0;
++      unsigned long id = (unsigned long)exp;
++
++      id += nf_ct_get_id(exp->master);
++      id += exp->class;
++
++      return id ? id : 1;
+ }
+ static int
+ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+       struct net *net = sock_net(skb->sk);
+-      struct nf_conntrack_expect *exp, *last;
+       struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+       u_int8_t l3proto = nfmsg->nfgen_family;
++      unsigned long last_id = cb->args[1];
++      struct nf_conntrack_expect *exp;
+       rcu_read_lock();
+-      last = (struct nf_conntrack_expect *)cb->args[1];
+       for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
+ restart:
+               hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]],
+@@ -3172,7 +3176,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+                               continue;
+                       if (cb->args[1]) {
+-                              if (exp != last)
++                              if (ctnetlink_exp_id(exp) != last_id)
+                                       continue;
+                               cb->args[1] = 0;
+                       }
+@@ -3181,9 +3185,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+                                                   cb->nlh->nlmsg_seq,
+                                                   IPCTNL_MSG_EXP_NEW,
+                                                   exp) < 0) {
+-                              if (!refcount_inc_not_zero(&exp->use))
+-                                      continue;
+-                              cb->args[1] = (unsigned long)exp;
++                              cb->args[1] = ctnetlink_exp_id(exp);
+                               goto out;
+                       }
+               }
+@@ -3194,32 +3196,30 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       }
+ out:
+       rcu_read_unlock();
+-      if (last)
+-              nf_ct_expect_put(last);
+-
+       return skb->len;
+ }
+ static int
+ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+-      struct nf_conntrack_expect *exp, *last;
+       struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+       struct nf_conn *ct = cb->data;
+       struct nf_conn_help *help = nfct_help(ct);
+       u_int8_t l3proto = nfmsg->nfgen_family;
++      unsigned long last_id = cb->args[1];
++      struct nf_conntrack_expect *exp;
+       if (cb->args[0])
+               return 0;
+       rcu_read_lock();
+-      last = (struct nf_conntrack_expect *)cb->args[1];
++
+ restart:
+       hlist_for_each_entry_rcu(exp, &help->expectations, lnode) {
+               if (l3proto && exp->tuple.src.l3num != l3proto)
+                       continue;
+               if (cb->args[1]) {
+-                      if (exp != last)
++                      if (ctnetlink_exp_id(exp) != last_id)
+                               continue;
+                       cb->args[1] = 0;
+               }
+@@ -3227,9 +3227,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+                                           cb->nlh->nlmsg_seq,
+                                           IPCTNL_MSG_EXP_NEW,
+                                           exp) < 0) {
+-                      if (!refcount_inc_not_zero(&exp->use))
+-                              continue;
+-                      cb->args[1] = (unsigned long)exp;
++                      cb->args[1] = ctnetlink_exp_id(exp);
+                       goto out;
+               }
+       }
+@@ -3240,9 +3238,6 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       cb->args[0] = 1;
+ out:
+       rcu_read_unlock();
+-      if (last)
+-              nf_ct_expect_put(last);
+-
+       return skb->len;
+ }
+@@ -3261,7 +3256,6 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+       struct nf_conntrack_zone zone;
+       struct netlink_dump_control c = {
+               .dump = ctnetlink_exp_ct_dump_table,
+-              .done = ctnetlink_exp_done,
+       };
+       err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
+@@ -3311,7 +3305,6 @@ static int ctnetlink_get_expect(struct sk_buff *skb,
+               else {
+                       struct netlink_dump_control c = {
+                               .dump = ctnetlink_exp_dump_table,
+-                              .done = ctnetlink_exp_done,
+                       };
+                       return netlink_dump_start(info->sk, skb, info->nlh, &c);
+               }
+-- 
+2.51.0
+
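Review bot: ctnetlink_exp_id() builds the resume cookie from the expectation's kernel address plus the master's id and class, and nothing documents that this value must stay inside cb->args[] — it embeds a kernel pointer, so it must never be copied into a netlink attribute. The resume loop also has a failure mode worth stating: if the expectation named by last_id has gone away between dump rounds, `if (ctnetlink_exp_id(exp) != last_id) continue;` skips every remaining entry and the dump ends silently; the same pattern appears in ctnetlink_exp_ct_dump_table() later in the hunk. Both are acceptable for a skip hint but deserve a comment above ctnetlink_exp_id(), e.g. `/* Dump-resume cookie kept in cb->args[1] only (contains a kernel address, never exported); a stale cookie ends the dump rather than restarting it */`.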
diff --git a/queue-6.1/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch b/queue-6.1/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
new file mode 100644 (file)
index 0000000..085c963
--- /dev/null
@@ -0,0 +1,47 @@
+From 071a57c17b7b9ea548be69c726a7d5aae10561a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 14:49:50 +0000
+Subject: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit f173d0f4c0f689173f8cdac79991043a4a89bf66 ]
+
+In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
+the packet, then decrements it by 1 to skip the protocol discriminator
+byte before passing it to DecodeH323_UserInformation(). If the encoded
+length is 0, the decrement wraps to -1, which is then passed as a
+large value to the decoder, leading to an out-of-bounds read.
+
+Add a check to ensure len is positive after the decrement.
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index c972e9488e16f..7b1497ed97d26 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
+                               break;
+                       p++;
+                       len--;
++                      if (len <= 0)
++                              break;
+                       return DecodeH323_UserInformation(buf, p, len,
+                                                         &q931->UUIE);
+               }
+-- 
+2.51.0
+
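Review bot: The new `if (len <= 0) break;` only catches the wrapped value because `len` is signed, and nothing on that line says so; the declaration and the 16-bit read that feeds `len` are above the hunk. A one-line comment would keep the intent from being lost in a later type change, e.g. `/* len == 0 wrapped to -1 when the protocol-discriminator byte was skipped */`. Note also that `break` leaves the IE loop and lets DecodeQ931() complete as if no UUIE were present instead of reporting an error; that appears to be deliberate, matching the existing `break;` on the hunk's first context line, but a word on it would help. The enclosing loop and DecodeQ931() itself start and end outside the hunk.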
diff --git a/queue-6.1/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch b/queue-6.1/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
new file mode 100644 (file)
index 0000000..3080194
--- /dev/null
@@ -0,0 +1,48 @@
+From dcc0d9cc7cb99de26b77e95cadfb71f27ce61f5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 02:29:32 +0000
+Subject: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a ]
+
+In decode_int(), the CONS case calls get_bits(bs, 2) to read a length
+value, then calls get_uint(bs, len) without checking that len bytes
+remain in the buffer. The existing boundary check only validates the
+2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()
+reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte
+slab-out-of-bounds read.
+
+Add a boundary check for len bytes after get_bits() and before
+get_uint().
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index 62aa22a078769..c972e9488e16f 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -331,6 +331,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f,
+               if (nf_h323_error_boundary(bs, 0, 2))
+                       return H323_ERROR_BOUND;
+               len = get_bits(bs, 2) + 1;
++              if (nf_h323_error_boundary(bs, len, 0))
++                      return H323_ERROR_BOUND;
+               BYTE_ALIGN(bs);
+               if (base && (f->attr & DECODE)) {       /* timeToLive */
+                       unsigned int v = get_uint(bs, len) + f->lb;
+-- 
+2.51.0
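Review bot: The added `nf_h323_error_boundary(bs, len, 0)` is evaluated before `BYTE_ALIGN(bs)`, so it only protects the later `get_uint(bs, len)` if the boundary helper rounds a non-zero bit offset up to the next whole byte that the alignment will skip; the helper's body is not in the hunk, so I am inferring that it does. A short comment would pin the dependency down: `/* get_uint() reads len whole bytes after alignment; the boundary check must count the pending partial byte */`. The check is also right to run unconditionally rather than inside the `base && (f->attr & DECODE)` branch if the cursor is advanced by `len` afterwards regardless, which the hunk does not show. decode_int() continues beyond the hunk.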
+
diff --git a/queue-6.1/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch b/queue-6.1/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
new file mode 100644 (file)
index 0000000..5e1a0d1
--- /dev/null
@@ -0,0 +1,66 @@
+From 316eb5dc6c9cb5880266b08e203c43567832e305 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Mar 2026 21:49:01 +0000
+Subject: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in
+ sip_help_tcp()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lukas Johannes Möller <research@johannes-moeller.dev>
+
+[ Upstream commit fbce58e719a17aa215c724473fd5baaa4a8dc57c ]
+
+sip_help_tcp() parses the SIP Content-Length header with
+simple_strtoul(), which returns unsigned long, but stores the result in
+unsigned int clen.  On 64-bit systems, values exceeding UINT_MAX are
+silently truncated before computing the SIP message boundary.
+
+For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,
+causing the parser to miscalculate where the current message ends.  The
+loop then treats trailing data in the TCP segment as a second SIP
+message and processes it through the SDP parser.
+
+Fix this by changing clen to unsigned long to match the return type of
+simple_strtoul(), and reject Content-Length values that exceed the
+remaining TCP payload length.
+
+Fixes: f5b321bd37fb ("netfilter: nf_conntrack_sip: add TCP support")
+Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_sip.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
+index d0eac27f6ba03..657839a58782a 100644
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -1534,11 +1534,12 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
+ {
+       struct tcphdr *th, _tcph;
+       unsigned int dataoff, datalen;
+-      unsigned int matchoff, matchlen, clen;
++      unsigned int matchoff, matchlen;
+       unsigned int msglen, origlen;
+       const char *dptr, *end;
+       s16 diff, tdiff = 0;
+       int ret = NF_ACCEPT;
++      unsigned long clen;
+       bool term;
+       if (ctinfo != IP_CT_ESTABLISHED &&
+@@ -1573,6 +1574,9 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
+               if (dptr + matchoff == end)
+                       break;
++              if (clen > datalen)
++                      break;
++
+               term = false;
+               for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
+                       if (end[0] == '\r' && end[1] == '\n' &&
+-- 
+2.51.0
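Review bot: The new `if (clen > datalen) break;` bounds the parsed Content-Length, but if `simple_strtoul()` wraps modulo 2^64 on overflow rather than saturating (its behaviour is not visible here, and the parse itself sits above the hunk), a header value of 2^64 + 32 would still arrive as 32 and pass this check, i.e. the same truncation one level up. If so, rejecting a Content-Length token with more digits than the payload length could ever need, or parsing with an overflow-reporting helper, would close that gap; at minimum a comment like `/* clen keeps simple_strtoul()'s full unsigned long width; compare before any narrowing */` records why the type changed. Note that `break` leaves `ret` at its `NF_ACCEPT` initialiser, so an oversized Content-Length accepts the segment without further helper processing rather than dropping it, consistent with the existing `dptr + matchoff == end` break just above. sip_help_tcp() continues outside the hunk.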
+
diff --git a/queue-6.1/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch b/queue-6.1/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch
new file mode 100644 (file)
index 0000000..17ba232
--- /dev/null
@@ -0,0 +1,51 @@
+From f78b574210ee9fe3d4910ff5578d4edf08f911fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 20:00:26 +0100
+Subject: netfilter: nf_tables: release flowtable after rcu grace period on
+ error
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit d73f4b53aaaea4c95f245e491aa5eeb8a21874ce ]
+
+Call synchronize_rcu() after unregistering the hooks from error path,
+since a hook that already refers to this flowtable can be already
+registered, exposing this flowtable to packet path and nfnetlink_hook
+control plane.
+
+This error path is rare, it should only happen by reaching the maximum
+number hooks or by failing to set up to hardware offload, just call
+synchronize_rcu().
+
+There is a check for already used device hooks by different flowtable
+that could result in EEXIST at this late stage. The hook parser can be
+updated to perform this check earlier to this error path really becomes
+rarely exercised.
+
+Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
+when dumping hooks.
+
+Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index ac36183956515..11a5d5d715d56 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -8279,6 +8279,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
+       return 0;
+ err_flowtable_hooks:
++      synchronize_rcu();
+       nft_trans_destroy(trans);
+ err_flowtable_trans:
+       nft_hooks_destroy(&flowtable->hook_list);
+-- 
+2.51.0
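Review bot: The new `synchronize_rcu()` under `err_flowtable_hooks:` carries no comment, so the reason for a grace period on an error path (hooks already registered may be visible to the packet path and to nfnetlink_hook dumps before the frees below) lives only in the commit message. Suggest `/* registered hooks may already be published to the packet path and nfnetlink_hook; wait for readers before freeing */` above the call. Since `synchronize_rcu()` sleeps, this relies on the error path running in process context, which looks true for a netlink request handler but is not visible here; where the hooks are actually unregistered is also outside the hunk. nf_tables_newflowtable() starts before the hunk.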
+
diff --git a/queue-6.1/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch b/queue-6.1/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch
new file mode 100644 (file)
index 0000000..dec961a
--- /dev/null
@@ -0,0 +1,114 @@
+From 04028d03c0275832a59a645b1d4c5bb64c932766 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Oct 2025 18:22:16 +0200
+Subject: netfilter: nft_ct: add seqadj extension for natted connections
+
+From: Andrii Melnychenko <a.melnychenko@vyos.io>
+
+[ Upstream commit 90918e3b6404c2a37837b8f11692471b4c512de2 ]
+
+Sequence adjustment may be required for FTP traffic with PASV/EPSV modes.
+due to need to re-write packet payload (IP, port) on the ftp control
+connection. This can require changes to the TCP length and expected
+seq / ack_seq.
+
+The easiest way to reproduce this issue is with PASV mode.
+Example ruleset:
+table inet ftp_nat {
+        ct helper ftp_helper {
+                type "ftp" protocol tcp
+                l3proto inet
+        }
+
+        chain prerouting {
+                type filter hook prerouting priority 0; policy accept;
+                tcp dport 21 ct state new ct helper set "ftp_helper"
+        }
+}
+table ip nat {
+        chain prerouting {
+                type nat hook prerouting priority -100; policy accept;
+                tcp dport 21 dnat ip prefix to ip daddr map {
+                       192.168.100.1 : 192.168.13.2/32 }
+        }
+
+        chain postrouting {
+                type nat hook postrouting priority 100 ; policy accept;
+                tcp sport 21 snat ip prefix to ip saddr map {
+                       192.168.13.2 : 192.168.100.1/32 }
+        }
+}
+
+Note that the ftp helper gets assigned *after* the dnat setup.
+
+The inverse (nat after helper assign) is handled by an existing
+check in nf_nat_setup_info() and will not show the problem.
+
+Topoloy:
+
+ +-------------------+     +----------------------------------+
+ | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |
+ +-------------------+     +----------------------------------+
+                                      |
+                         +-----------------------+
+                         | Client: 192.168.100.2 |
+                         +-----------------------+
+
+ftp nat changes do not work as expected in this case:
+Connected to 192.168.100.1.
+[..]
+ftp> epsv
+EPSV/EPRT on IPv4 off.
+ftp> ls
+227 Entering passive mode (192,168,100,1,209,129).
+421 Service not available, remote server has closed connection.
+
+Kernel logs:
+Missing nfct_seqadj_ext_add() setup call
+WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41
+[..]
+ __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]
+ nf_nat_ftp+0x142/0x280 [nf_nat_ftp]
+ help+0x4d1/0x880 [nf_conntrack_ftp]
+ nf_confirm+0x122/0x2e0 [nf_conntrack]
+ nf_hook_slow+0x3c/0xb0
+ ..
+
+Fix this by adding the required extension when a conntrack helper is assigned
+to a connection that has a nat binding.
+
+Fixes: 1a64edf54f55 ("netfilter: nft_ct: add helper set support")
+Signed-off-by: Andrii Melnychenko <a.melnychenko@vyos.io>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Stable-dep-of: 36eae0956f65 ("netfilter: nft_ct: drop pending enqueued packets on removal")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_ct.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index 3641043ca8cc5..70783671a2b01 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -22,6 +22,7 @@
+ #include <net/netfilter/nf_conntrack_timeout.h>
+ #include <net/netfilter/nf_conntrack_l4proto.h>
+ #include <net/netfilter/nf_conntrack_expect.h>
++#include <net/netfilter/nf_conntrack_seqadj.h>
+ struct nft_ct {
+       enum nft_ct_keys        key:8;
+@@ -1156,6 +1157,10 @@ static void nft_ct_helper_obj_eval(struct nft_object *obj,
+       if (help) {
+               rcu_assign_pointer(help->helper, to_assign);
+               set_bit(IPS_HELPER_BIT, &ct->status);
++
++              if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct))
++                      if (!nfct_seqadj_ext_add(ct))
++                              regs->verdict.code = NF_DROP;
+       }
+ }
+-- 
+2.51.0
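Review bot: The nested, brace-less `if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct))` / `if (!nfct_seqadj_ext_add(ct))` is the construct kernel review usually asks to fold into one condition: `if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct) && !nfct_seqadj_ext_add(ct))` followed by `regs->verdict.code = NF_DROP;`. Note also that `rcu_assign_pointer(help->helper, to_assign)` and `set_bit(IPS_HELPER_BIT, ...)` on the two lines above run before the extension add can fail, so on failure the entry is left with a helper but no seqadj; that is presumably harmless if this eval only runs on unconfirmed entries that are discarded with the dropped packet, but the hunk does not show that check, so a comment stating the assumption would help. nft_ct_helper_obj_eval() begins above the hunk.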
+
diff --git a/queue-6.1/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch b/queue-6.1/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch
new file mode 100644 (file)
index 0000000..b5cd8bd
--- /dev/null
@@ -0,0 +1,70 @@
+From f5371d510163da0e4de50c2320b908fc381d26bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 13:48:47 +0100
+Subject: netfilter: nft_ct: drop pending enqueued packets on removal
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 36eae0956f659e48d5366d9b083d9417f3263ddc ]
+
+Packets sitting in nfqueue might hold a reference to:
+
+- templates that specify the conntrack zone, because a percpu area is
+  used and module removal is possible.
+- conntrack timeout policies and helper, where object removal leave
+  a stale reference.
+
+Since these objects can just go away, drop enqueued packets to avoid
+stale reference to them.
+
+If there is a need for finer grain removal, this logic can be revisited
+to make selective packet drop upon dependencies.
+
+Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_ct.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index 70783671a2b01..c5d78f2525226 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -23,6 +23,7 @@
+ #include <net/netfilter/nf_conntrack_l4proto.h>
+ #include <net/netfilter/nf_conntrack_expect.h>
+ #include <net/netfilter/nf_conntrack_seqadj.h>
++#include "nf_internals.h"
+ struct nft_ct {
+       enum nft_ct_keys        key:8;
+@@ -537,6 +538,7 @@ static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv)
+ #endif
+ #ifdef CONFIG_NF_CONNTRACK_ZONES
+       case NFT_CT_ZONE:
++              nf_queue_nf_hook_drop(ctx->net);
+               mutex_lock(&nft_ct_pcpu_mutex);
+               if (--nft_ct_pcpu_template_refcnt == 0)
+                       nft_ct_tmpl_put_pcpu();
+@@ -980,6 +982,7 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx,
+       struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
+       struct nf_ct_timeout *timeout = priv->timeout;
++      nf_queue_nf_hook_drop(ctx->net);
+       nf_ct_untimeout(ctx->net, timeout);
+       nf_ct_netns_put(ctx->net, ctx->family);
+       kfree(priv->timeout);
+@@ -1112,6 +1115,7 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx,
+ {
+       struct nft_ct_helper_obj *priv = nft_obj_data(obj);
++      nf_queue_nf_hook_drop(ctx->net);
+       if (priv->helper4)
+               nf_conntrack_helper_put(priv->helper4);
+       if (priv->helper6)
+-- 
+2.51.0
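Review bot: Each new `nf_queue_nf_hook_drop(ctx->net)` call is unexplained at its call site, and it flushes every packet queued to userspace in the netns, not only those holding a reference to the object being destroyed, so the visible side effect (a burst of drops in nfqueue consumers on rule or object removal) deserves a comment such as `/* queued skbs may still reference this object; flush them before it goes away */`. The same applies to all three sites here (zone template, timeout object, helper object) and to the `info->helper[0] || info->timeout[0]` site in the xt_CT patch that follows. The `NFT_CT_ZONE` call sits inside the existing `#ifdef CONFIG_NF_CONNTRACK_ZONES` block, which matches the commit message's rationale for templates. All three destroy functions start or end outside their hunks.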
+
diff --git a/queue-6.1/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch b/queue-6.1/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
new file mode 100644 (file)
index 0000000..b2c9da5
--- /dev/null
@@ -0,0 +1,54 @@
+From 20af8c4f99aa12afd3efacc3fbd25b805a05ec8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 13:48:48 +0100
+Subject: netfilter: xt_CT: drop pending enqueued packets on template removal
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit f62a218a946b19bb59abdd5361da85fa4606b96b ]
+
+Templates refer to objects that can go away while packets are sitting in
+nfqueue refer to:
+
+- helper, this can be an issue on module removal.
+- timeout policy, nfnetlink_cttimeout might remove it.
+
+The use of templates with zone and event cache filter are safe, since
+this just copies values.
+
+Flush these enqueued packets in case the template rule gets removed.
+
+Fixes: 24de58f46516 ("netfilter: xt_CT: allow to attach timeout policy + glue code")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_CT.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
+index 3ba94c34297cf..498f5871c84a0 100644
+--- a/net/netfilter/xt_CT.c
++++ b/net/netfilter/xt_CT.c
+@@ -16,6 +16,7 @@
+ #include <net/netfilter/nf_conntrack_ecache.h>
+ #include <net/netfilter/nf_conntrack_timeout.h>
+ #include <net/netfilter/nf_conntrack_zones.h>
++#include "nf_internals.h"
+ static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct)
+ {
+@@ -283,6 +284,9 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par,
+       struct nf_conn_help *help;
+       if (ct) {
++              if (info->helper[0] || info->timeout[0])
++                      nf_queue_nf_hook_drop(par->net);
++
+               help = nfct_help(ct);
+               xt_ct_put_helper(help);
+-- 
+2.51.0
+
diff --git a/queue-6.1/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch b/queue-6.1/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
new file mode 100644 (file)
index 0000000..0565542
--- /dev/null
@@ -0,0 +1,53 @@
+From 61fcfa34ae1acc0b77ba04117e07d641cd62c921 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 14:59:49 +0000
+Subject: netfilter: xt_time: use unsigned int for monthday bit shift
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit 00050ec08cecfda447e1209b388086d76addda3a ]
+
+The monthday field can be up to 31, and shifting a signed integer 1
+by 31 positions (1 << 31) is undefined behavior in C, as the result
+overflows a 32-bit signed int. Use 1U to ensure well-defined behavior
+for all valid monthday values.
+
+Change the weekday shift to 1U as well for consistency.
+
+Fixes: ee4411a1b1e0 ("[NETFILTER]: x_tables: add xt_time match")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_time.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
+index 6aa12d0f54e23..61de85e02a40f 100644
+--- a/net/netfilter/xt_time.c
++++ b/net/netfilter/xt_time.c
+@@ -227,13 +227,13 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par)
+       localtime_2(&current_time, stamp);
+-      if (!(info->weekdays_match & (1 << current_time.weekday)))
++      if (!(info->weekdays_match & (1U << current_time.weekday)))
+               return false;
+       /* Do not spend time computing monthday if all days match anyway */
+       if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) {
+               localtime_3(&current_time, stamp);
+-              if (!(info->monthdays_match & (1 << current_time.monthday)))
++              if (!(info->monthdays_match & (1U << current_time.monthday)))
+                       return false;
+       }
+-- 
+2.51.0
+
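Review bot: Style: `1U << current_time.weekday` and `1U << current_time.monthday` spell the bit mask out by hand; the kernel's `BIT()` macro states the intent and removes the signedness question entirely: `if (!(info->weekdays_match & BIT(current_time.weekday)))` and likewise for monthday. `1U` is the minimal correct fix for the 0..31 range given in the commit message, so if it stays, a comment noting that `monthday` can reach 31 would keep the `U` from being dropped in a later cleanup. time_mt() continues outside the hunk.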
diff --git a/queue-6.1/nfnetlink_osf-validate-individual-option-lengths-in-.patch b/queue-6.1/nfnetlink_osf-validate-individual-option-lengths-in-.patch
new file mode 100644 (file)
index 0000000..9e3d175
--- /dev/null
@@ -0,0 +1,83 @@
+From 42fee72384b0e7eb5ac6b329ad9731677761744c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 15:32:44 +0800
+Subject: nfnetlink_osf: validate individual option lengths in fingerprints
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit dbdfaae9609629a9569362e3b8f33d0a20fd783c ]
+
+nfnl_osf_add_callback() validates opt_num bounds and string
+NUL-termination but does not check individual option length fields.
+A zero-length option causes nf_osf_match_one() to enter the option
+matching loop even when foptsize sums to zero, which matches packets
+with no TCP options where ctx->optp is NULL:
+
+ Oops: general protection fault
+ KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
+ Call Trace:
+  nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
+  xt_osf_match_packet (net/netfilter/xt_osf.c:32)
+  ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
+  nf_hook_slow (net/netfilter/core.c:623)
+  ip_local_deliver (net/ipv4/ip_input.c:262)
+  ip_rcv (net/ipv4/ip_input.c:573)
+
+Additionally, an MSS option (kind=2) with length < 4 causes
+out-of-bounds reads when nf_osf_match_one() unconditionally accesses
+optp[2] and optp[3] for MSS value extraction.  While RFC 9293
+section 3.2 specifies that the MSS option is always exactly 4
+bytes (Kind=2, Length=4), the check uses "< 4" rather than
+"!= 4" because lengths greater than 4 do not cause memory
+safety issues -- the buffer is guaranteed to be at least
+foptsize bytes by the ctx->optsize == foptsize check.
+
+Reject fingerprints where any option has zero length, or where an MSS
+option has length less than 4, at add time rather than trusting these
+values in the packet matching hot path.
+
+Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_osf.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
+index 50723ba082890..da9d5d6de98f4 100644
+--- a/net/netfilter/nfnetlink_osf.c
++++ b/net/netfilter/nfnetlink_osf.c
+@@ -302,7 +302,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
+ {
+       struct nf_osf_user_finger *f;
+       struct nf_osf_finger *kf = NULL, *sf;
++      unsigned int tot_opt_len = 0;
+       int err = 0;
++      int i;
+       if (!capable(CAP_NET_ADMIN))
+               return -EPERM;
+@@ -318,6 +320,17 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
+       if (f->opt_num > ARRAY_SIZE(f->opt))
+               return -EINVAL;
++      for (i = 0; i < f->opt_num; i++) {
++              if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
++                      return -EINVAL;
++              if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)
++                      return -EINVAL;
++
++              tot_opt_len += f->opt[i].length;
++              if (tot_opt_len > MAX_IPOPTLEN)
++                      return -EINVAL;
++      }
++
+       if (!memchr(f->genre, 0, MAXGENRELEN) ||
+           !memchr(f->subtype, 0, MAXGENRELEN) ||
+           !memchr(f->version, 0, MAXGENRELEN))
+-- 
+2.51.0
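Review bot: The literal `4` in `f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4` and the choice of `<` over `!=` are justified only in the commit message; in the code a reader will wonder why an over-long MSS option is accepted. Suggest `TCPOLEN_MSS` in place of `4` and a comment such as `/* nf_osf_match_one() reads optp[2..3] for MSS; longer options stay within foptsize */`, plus a one-liner on the `!f->opt[i].length` test recording that a zero-length option makes the match loop run on packets with no TCP options, where the option pointer is NULL. The per-option `length > MAX_IPOPTLEN` test is subsumed by the running `tot_opt_len > MAX_IPOPTLEN` check, which is harmless. `int i` against `f->opt_num` is fine for a bounded count, though `unsigned int i` would match the field. nfnl_osf_add_callback() continues past the hunk.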
+
diff --git a/queue-6.1/pm-runtime-fix-a-race-condition-related-to-device-re.patch b/queue-6.1/pm-runtime-fix-a-race-condition-related-to-device-re.patch
new file mode 100644 (file)
index 0000000..8fb6b70
--- /dev/null
@@ -0,0 +1,126 @@
+From a70a6417f93dde7e6f9c8bf97019975ae8a13f71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 11:27:20 -0700
+Subject: PM: runtime: Fix a race condition related to device removal
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 29ab768277617452d88c0607c9299cdc63b6e9ff ]
+
+The following code in pm_runtime_work() may dereference the dev->parent
+pointer after the parent device has been freed:
+
+       /* Maybe the parent is now able to suspend. */
+       if (parent && !parent->power.ignore_children) {
+               spin_unlock(&dev->power.lock);
+
+               spin_lock(&parent->power.lock);
+               rpm_idle(parent, RPM_ASYNC);
+               spin_unlock(&parent->power.lock);
+
+               spin_lock(&dev->power.lock);
+       }
+
+Fix this by inserting a flush_work() call in pm_runtime_remove().
+
+Without this patch blktest block/001 triggers the following complaint
+sporadically:
+
+BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160
+Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081
+Workqueue: pm pm_runtime_work
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x61/0x80
+ print_address_description.constprop.0+0x8b/0x310
+ print_report+0xfd/0x1d7
+ kasan_report+0xd8/0x1d0
+ __kasan_check_byte+0x42/0x60
+ lock_acquire.part.0+0x38/0x230
+ lock_acquire+0x70/0x160
+ _raw_spin_lock+0x36/0x50
+ rpm_suspend+0xc6a/0xfe0
+ rpm_idle+0x578/0x770
+ pm_runtime_work+0xee/0x120
+ process_one_work+0xde3/0x1410
+ worker_thread+0x5eb/0xfe0
+ kthread+0x37b/0x480
+ ret_from_fork+0x6cb/0x920
+ ret_from_fork_asm+0x11/0x20
+ </TASK>
+
+Allocated by task 4314:
+ kasan_save_stack+0x2a/0x50
+ kasan_save_track+0x18/0x40
+ kasan_save_alloc_info+0x3d/0x50
+ __kasan_kmalloc+0xa0/0xb0
+ __kmalloc_noprof+0x311/0x990
+ scsi_alloc_target+0x122/0xb60 [scsi_mod]
+ __scsi_scan_target+0x101/0x460 [scsi_mod]
+ scsi_scan_channel+0x179/0x1c0 [scsi_mod]
+ scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]
+ store_scan+0x2d2/0x390 [scsi_mod]
+ dev_attr_store+0x43/0x80
+ sysfs_kf_write+0xde/0x140
+ kernfs_fop_write_iter+0x3ef/0x670
+ vfs_write+0x506/0x1470
+ ksys_write+0xfd/0x230
+ __x64_sys_write+0x76/0xc0
+ x64_sys_call+0x213/0x1810
+ do_syscall_64+0xee/0xfc0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Freed by task 4314:
+ kasan_save_stack+0x2a/0x50
+ kasan_save_track+0x18/0x40
+ kasan_save_free_info+0x3f/0x50
+ __kasan_slab_free+0x67/0x80
+ kfree+0x225/0x6c0
+ scsi_target_dev_release+0x3d/0x60 [scsi_mod]
+ device_release+0xa3/0x220
+ kobject_cleanup+0x105/0x3a0
+ kobject_put+0x72/0xd0
+ put_device+0x17/0x20
+ scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]
+ device_release+0xa3/0x220
+ kobject_cleanup+0x105/0x3a0
+ kobject_put+0x72/0xd0
+ put_device+0x17/0x20
+ scsi_device_put+0x7f/0xc0 [scsi_mod]
+ sdev_store_delete+0xa5/0x120 [scsi_mod]
+ dev_attr_store+0x43/0x80
+ sysfs_kf_write+0xde/0x140
+ kernfs_fop_write_iter+0x3ef/0x670
+ vfs_write+0x506/0x1470
+ ksys_write+0xfd/0x230
+ __x64_sys_write+0x76/0xc0
+ x64_sys_call+0x213/0x1810
+
+Reported-by: Ming Lei <ming.lei@redhat.com>
+Closes: https://lore.kernel.org/all/ZxdNvLNI8QaOfD2d@fedora/
+Reported-by: syzbot+6c905ab800f20cf4086c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68c13942.050a0220.2ff435.000b.GAE@google.com/
+Fixes: 5e928f77a09a ("PM: Introduce core framework for run-time PM of I/O devices (rev. 17)")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20260312182720.2776083-1-bvanassche@acm.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/runtime.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
+index ad043709d7f3f..ca86d7bf804ca 100644
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -1813,6 +1813,7 @@ void pm_runtime_reinit(struct device *dev)
+ void pm_runtime_remove(struct device *dev)
+ {
+       __pm_runtime_disable(dev, false);
++      flush_work(&dev->power.work);
+       pm_runtime_reinit(dev);
+ }
+-- 
+2.51.0
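Review bot: The new `flush_work(&dev->power.work)` needs a comment: nothing at the call site says it exists to keep a still-running pm_runtime_work() from dereferencing `dev->parent` after the parent is released, which is the whole point of the change. Suggest `/* pm_runtime_work() may still be touching dev->parent; wait for it before the device can go away */`. flush_work() sleeps, so this relies on pm_runtime_remove() being called from process context, and it waits for the work item only; whether the suspend timer that can requeue it is already stopped by `__pm_runtime_disable(dev, false)` is not visible in the hunk.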
+
diff --git a/queue-6.1/sched-idle-consolidate-the-handling-of-two-special-c.patch b/queue-6.1/sched-idle-consolidate-the-handling-of-two-special-c.patch
new file mode 100644 (file)
index 0000000..0758bb0
--- /dev/null
@@ -0,0 +1,133 @@
+From 10d0a59a3cfc0ea62fd2ce0ce6425c133caa58bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 13:25:41 +0100
+Subject: sched: idle: Consolidate the handling of two special cases
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit f4c31b07b136839e0fb3026f8a5b6543e3b14d2f ]
+
+There are two special cases in the idle loop that are handled
+inconsistently even though they are analogous.
+
+The first one is when a cpuidle driver is absent and the default CPU
+idle time power management implemented by the architecture code is used.
+In that case, the scheduler tick is stopped every time before invoking
+default_idle_call().
+
+The second one is when a cpuidle driver is present, but there is only
+one idle state in its table.  In that case, the scheduler tick is never
+stopped at all.
+
+Since each of these approaches has its drawbacks, reconcile them with
+the help of one simple heuristic.  Namely, stop the tick if the CPU has
+been woken up by it in the previous iteration of the idle loop, or let
+it tick otherwise.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Christian Loehle <christian.loehle@arm.com>
+Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
+Reviewed-by: Qais Yousef <qyousef@layalina.io>
+Reviewed-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
+Fixes: ed98c3491998 ("sched: idle: Do not stop the tick before cpuidle_idle_call()")
+[ rjw: Added Fixes tag, changelog edits ]
+Link: https://patch.msgid.link/4741364.LvFx2qVVIh@rafael.j.wysocki
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/idle.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c
+index 6ff593a8eeb17..c5c09e0fbbe12 100644
+--- a/kernel/sched/idle.c
++++ b/kernel/sched/idle.c
+@@ -155,6 +155,14 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev,
+       return cpuidle_enter(drv, dev, next_state);
+ }
++static void idle_call_stop_or_retain_tick(bool stop_tick)
++{
++      if (stop_tick || tick_nohz_tick_stopped())
++              tick_nohz_idle_stop_tick();
++      else
++              tick_nohz_idle_retain_tick();
++}
++
+ /**
+  * cpuidle_idle_call - the main idle function
+  *
+@@ -164,7 +172,7 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev,
+  * set, and it returns with polling set.  If it ever stops polling, it
+  * must clear the polling bit.
+  */
+-static void cpuidle_idle_call(void)
++static void cpuidle_idle_call(bool stop_tick)
+ {
+       struct cpuidle_device *dev = cpuidle_get_device();
+       struct cpuidle_driver *drv = cpuidle_get_cpu_driver(dev);
+@@ -186,7 +194,7 @@ static void cpuidle_idle_call(void)
+        */
+       if (cpuidle_not_available(drv, dev)) {
+-              tick_nohz_idle_stop_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               default_idle_call();
+               goto exit_idle;
+@@ -221,17 +229,19 @@ static void cpuidle_idle_call(void)
+               next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns);
+               call_cpuidle(drv, dev, next_state);
+       } else if (drv->state_count > 1) {
+-              bool stop_tick = true;
++              /*
++               * stop_tick is expected to be true by default by cpuidle
++               * governors, which allows them to select idle states with
++               * target residency above the tick period length.
++               */
++              stop_tick = true;
+               /*
+                * Ask the cpuidle framework to choose a convenient idle state.
+                */
+               next_state = cpuidle_select(drv, dev, &stop_tick);
+-              if (stop_tick || tick_nohz_tick_stopped())
+-                      tick_nohz_idle_stop_tick();
+-              else
+-                      tick_nohz_idle_retain_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               entered_state = call_cpuidle(drv, dev, next_state);
+               /*
+@@ -239,7 +249,7 @@ static void cpuidle_idle_call(void)
+                */
+               cpuidle_reflect(dev, entered_state);
+       } else {
+-              tick_nohz_idle_retain_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               /*
+                * If there is only a single idle state (or none), there is
+@@ -267,6 +277,7 @@ static void cpuidle_idle_call(void)
+ static void do_idle(void)
+ {
+       int cpu = smp_processor_id();
++      bool got_tick = false;
+       /*
+        * Check if we need to update blocked load
+@@ -309,8 +320,9 @@ static void do_idle(void)
+                       tick_nohz_idle_restart_tick();
+                       cpu_idle_poll();
+               } else {
+-                      cpuidle_idle_call();
++                      cpuidle_idle_call(got_tick);
+               }
++              got_tick = tick_nohz_idle_got_tick();
+               arch_cpu_idle_exit();
+       }
+-- 
+2.51.0
+
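Review bot: The kernel-doc block for cpuidle_idle_call() (the `/** cpuidle_idle_call - the main idle function` header in the patch's `@@ -164,7 +172,7 @@` hunk) is not updated for the new `stop_tick` parameter, so it will now trigger a missing-parameter warning and leaves the heuristic undocumented in the code. Suggest adding `@stop_tick: whether to stop the tick on the paths where no governor decides (no cpuidle driver, or a single-state driver); per the commit message, true when the tick woke the CPU last time` to that header, and `/* Stop the tick next time if it is what woke us up, let it run otherwise */` above `got_tick = tick_nohz_idle_got_tick();`. The new `idle_call_stop_or_retain_tick()` helper also carries no comment. do_idle() continues beyond the hunk.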
index ae3a2b0d05c28ec61390521e30003c01ec2406ab..9f8220b3a0aa07ccd9e184bfc3ecfa0a6fb16c57 100644 (file)
@@ -396,3 +396,44 @@ drm-amdgpu-drop-redundant-sched-job-cleanup-when-cs-is-aborted.patch
 net-stmmac-remove-support-for-lpi_intr_o.patch
 pci-acpi-restrict-program_hpx_type2-to-aer-bits.patch
 binfmt_misc-restore-write-access-before-closing-files-opened-by-open_exec.patch
+btrfs-tree-checker-fix-misleading-root-drop_level-er.patch
+soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
+wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch
+wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
+firmware-arm_scpi-fix-device_node-reference-leak-in-.patch
+bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
+bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
+bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
+bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch
+bluetooth-hidp-fix-possible-uaf.patch
+bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch
+net-rose-fix-null-pointer-dereference-in-rose_transm.patch
+netfilter-ctnetlink-remove-refcounting-in-expectatio.patch
+netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
+netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
+netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
+netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch
+netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch
+netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
+netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
+netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
+net-bcmgenet-increase-wol-poll-timeout.patch
+net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch
+sched-idle-consolidate-the-handling-of-two-special-c.patch
+pm-runtime-fix-a-race-condition-related-to-device-re.patch
+net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch
+net-sched-teql-fix-double-free-in-teql_master_xmit.patch
+net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
+igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch
+iavf-fix-vlan-filter-lost-on-add-delete-race.patch
+wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
+wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
+acpi-processor-fix-previous-acpi_processor_errata_pi.patch
+net-macb-fix-uninitialized-rx_fs_lock.patch
+udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
+net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
+netfilter-nf_tables-release-flowtable-after-rcu-grac.patch
+nfnetlink_osf-validate-individual-option-lengths-in-.patch
+net-mvpp2-guard-flow-control-update-with-global_tx_f.patch
+net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
+icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
diff --git a/queue-6.1/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch b/queue-6.1/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
new file mode 100644 (file)
index 0000000..dc54603
--- /dev/null
@@ -0,0 +1,92 @@
+From 4ccc837e120af6ba02083179ebe035301f41b005 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 08:25:49 +0100
+Subject: soc: fsl: qbman: fix race condition in qman_destroy_fq
+
+From: Richard Genoud <richard.genoud@bootlin.com>
+
+[ Upstream commit 014077044e874e270ec480515edbc1cadb976cf2 ]
+
+When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between
+fq_table[fq->idx] state and freeing/allocating from the pool and
+WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.
+
+Indeed, we can have:
+         Thread A                             Thread B
+    qman_destroy_fq()                    qman_create_fq()
+      qman_release_fqid()
+        qman_shutdown_fq()
+        gen_pool_free()
+           -- At this point, the fqid is available again --
+                                           qman_alloc_fqid()
+           -- so, we can get the just-freed fqid in thread B --
+                                           fq->fqid = fqid;
+                                           fq->idx = fqid * 2;
+                                           WARN_ON(fq_table[fq->idx]);
+                                           fq_table[fq->idx] = fq;
+     fq_table[fq->idx] = NULL;
+
+And adding some logs between qman_release_fqid() and
+fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.
+
+To prevent that, ensure that fq_table[fq->idx] is set to NULL before
+gen_pool_free() is called by using smp_wmb().
+
+Fixes: c535e923bb97 ("soc/fsl: Introduce DPAA 1.x QMan device driver")
+Signed-off-by: Richard Genoud <richard.genoud@bootlin.com>
+Tested-by: CHAMPSEIX Thomas <thomas.champseix@alstomgroup.com>
+Link: https://lore.kernel.org/r/20251223072549.397625-1-richard.genoud@bootlin.com
+Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qbman/qman.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
+index 7e9074519ad22..bcbf6bf2e8f45 100644
+--- a/drivers/soc/fsl/qbman/qman.c
++++ b/drivers/soc/fsl/qbman/qman.c
+@@ -1827,6 +1827,8 @@ EXPORT_SYMBOL(qman_create_fq);
+ void qman_destroy_fq(struct qman_fq *fq)
+ {
++      int leaked;
++
+       /*
+        * We don't need to lock the FQ as it is a pre-condition that the FQ be
+        * quiesced. Instead, run some checks.
+@@ -1834,11 +1836,29 @@ void qman_destroy_fq(struct qman_fq *fq)
+       switch (fq->state) {
+       case qman_fq_state_parked:
+       case qman_fq_state_oos:
+-              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))
+-                      qman_release_fqid(fq->fqid);
++              /*
++               * There's a race condition here on releasing the fqid,
++               * setting the fq_table to NULL, and freeing the fqid.
++               * To prevent it, this order should be respected:
++               */
++              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) {
++                      leaked = qman_shutdown_fq(fq->fqid);
++                      if (leaked)
++                              pr_debug("FQID %d leaked\n", fq->fqid);
++              }
+               DPAA_ASSERT(fq_table[fq->idx]);
+               fq_table[fq->idx] = NULL;
++
++              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) && !leaked) {
++                      /*
++                       * fq_table[fq->idx] should be set to null before
++                       * freeing fq->fqid otherwise it could by allocated by
++                       * qman_alloc_fqid() while still being !NULL
++                       */
++                      smp_wmb();
++                      gen_pool_free(qm_fqalloc, fq->fqid | DPAA_GENALLOC_OFF, 1);
++              }
+               return;
+       default:
+               break;
+-- 
+2.51.0
+
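Review bot: `leaked` is declared without an initializer at the top of qman_destroy_fq() and is only assigned inside the first `if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))` block; the later `&& !leaked` is guarded by the same flag test, so it is not read uninitialized at runtime, but the compiler cannot prove that (expect -Wmaybe-uninitialized noise) and any future edit to either condition turns it into a real bug, so declare it as `int leaked = 0;`. The `smp_wmb()` orders this CPU's store to `fq_table[fq->idx]` before `gen_pool_free()`, but a write barrier only works if the reader side (the `WARN_ON(fq_table[fq->idx])` after `qman_alloc_fqid()` in qman_create_fq(), per the commit message) has a matching `smp_rmb()`/acquire or the gen_pool lock provides that ordering; that side is not visible here and the comment should name the pairing, e.g. `/* pairs with the fq_table[] read after qman_alloc_fqid() in qman_create_fq() */`. Minor: the new comment's "could by allocated" should read "could be allocated".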
diff --git a/queue-6.1/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch b/queue-6.1/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
new file mode 100644 (file)
index 0000000..c8c3e53
--- /dev/null
@@ -0,0 +1,64 @@
+From 6b049762bae6a73055a9f52bd28201f587564606 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 18:02:41 -0700
+Subject: udp_tunnel: fix NULL deref caused by udp_sock_create6 when
+ CONFIG_IPV6=n
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit b3a6df291fecf5f8a308953b65ca72b7fc9e015d ]
+
+When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0
+(success) without actually creating a socket. Callers such as
+fou_create() then proceed to dereference the uninitialized socket
+pointer, resulting in a NULL pointer dereference.
+
+The captured NULL deref crash:
+  BUG: kernel NULL pointer dereference, address: 0000000000000018
+  RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)
+  [...]
+  Call Trace:
+    <TASK>
+    genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)
+    genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)
+    [...]
+    netlink_rcv_skb (net/netlink/af_netlink.c:2550)
+    genl_rcv (net/netlink/genetlink.c:1219)
+    netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
+    netlink_sendmsg (net/netlink/af_netlink.c:1894)
+    __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))
+    __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))
+    __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))
+    do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+    entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)
+
+This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so
+callers correctly take their error paths. There is only one caller of
+the vulnerable function and only privileged users can trigger it.
+
+Fixes: fd384412e199b ("udp_tunnel: Seperate ipv6 functions into its own file.")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260317010241.1893893-1-xmei5@asu.edu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/udp_tunnel.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
+index e5f81710b18f4..cd2bd3826d168 100644
+--- a/include/net/udp_tunnel.h
++++ b/include/net/udp_tunnel.h
+@@ -47,7 +47,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+ static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+                                  struct socket **sockp)
+ {
+-      return 0;
++      return -EPFNOSUPPORT;
+ }
+ #endif
+-- 
+2.51.0
+
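Review bot: The CONFIG_IPV6=n stub now fails correctly, but it still leaves `*sockp` untouched on the error path, so a caller that does not pre-initialize its socket pointer and touches it during error cleanup would read an indeterminate value. Whether any current caller does that is not visible here, but the stub is trivially made safe regardless of caller discipline by adding `*sockp = NULL;` before the `return -EPFNOSUPPORT;`. Note also that the real udp_sock_create6() presumably writes `*sockp` only on success, so the stub's contract would then be strictly safer than the real one, which is fine.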
diff --git a/queue-6.1/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch b/queue-6.1/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
new file mode 100644 (file)
index 0000000..28a1ff5
--- /dev/null
@@ -0,0 +1,51 @@
+From 1a765511a6441894a6431064d144c8504bd35cd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 21:36:59 +0530
+Subject: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
+
+From: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
+
+[ Upstream commit 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 ]
+
+When the nl80211 socket that originated a PMSR request is
+closed, cfg80211_release_pmsr() sets the request's nl_portid
+to zero and schedules pmsr_free_wk to process the abort
+asynchronously. If the interface is concurrently torn down
+before that work runs, cfg80211_pmsr_wdev_down() calls
+cfg80211_pmsr_process_abort() directly. However, the already-
+scheduled pmsr_free_wk work item remains pending and may run
+after the interface has been removed from the driver. This
+could cause the driver's abort_pmsr callback to operate on a
+torn-down interface, leading to undefined behavior and
+potential crashes.
+
+Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()
+before calling cfg80211_pmsr_process_abort(). This ensures any
+pending or in-progress work is drained before interface teardown
+proceeds, preventing the work from invoking the driver abort
+callback after the interface is gone.
+
+Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API")
+Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260305160712.1263829-3-peddolla.reddy@oss.qualcomm.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/pmsr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c
+index d26daa0370e71..656464f2de516 100644
+--- a/net/wireless/pmsr.c
++++ b/net/wireless/pmsr.c
+@@ -640,6 +640,7 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev)
+       }
+       spin_unlock_bh(&wdev->pmsr_lock);
++      cancel_work_sync(&wdev->pmsr_free_wk);
+       if (found)
+               cfg80211_pmsr_process_abort(wdev);
+-- 
+2.51.0
+
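Review bot: `cancel_work_sync(&wdev->pmsr_free_wk)` is added in cfg80211_pmsr_wdev_down(), and if this function runs with the wiphy lock held while cfg80211_pmsr_free_wk() itself takes the wiphy lock (as it does in recent trees), a work item that is already running and blocked on `wiphy_lock()` can never finish, and `cancel_work_sync()` will deadlock waiting for it. This cannot be confirmed from the hunk alone, so the locking context of both the caller and the work function should be checked before this is backported; if the lock is indeed held, the work needs to be a `wiphy_work` cancelled with `wiphy_work_cancel()`, or the cancel must be moved outside the locked region. The body of cfg80211_pmsr_wdev_down() starts before the hunk, so the lock assertions (if any) at its top are not visible here.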
diff --git a/queue-6.1/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch b/queue-6.1/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
new file mode 100644 (file)
index 0000000..2497110
--- /dev/null
@@ -0,0 +1,81 @@
+From 56a0491d0018404db6a433af1e9b6454778ac3d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 20:42:44 -0700
+Subject: wifi: mac80211: fix NULL deref in mesh_matches_local()
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd ]
+
+mesh_matches_local() unconditionally dereferences ie->mesh_config to
+compare mesh configuration parameters. When called from
+mesh_rx_csa_frame(), the parsed action-frame elements may not contain a
+Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a
+kernel NULL pointer dereference.
+
+The other two callers are already safe:
+  - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before
+    calling mesh_matches_local()
+  - mesh_plink_get_event() is only reached through
+    mesh_process_plink_frame(), which checks !elems->mesh_config, too
+
+mesh_rx_csa_frame() is the only caller that passes raw parsed elements
+to mesh_matches_local() without guarding mesh_config. An adjacent
+attacker can exploit this by sending a crafted CSA action frame that
+includes a valid Mesh ID IE but omits the Mesh Configuration IE,
+crashing the kernel.
+
+The captured crash log:
+
+Oops: general protection fault, probably for non-canonical address ...
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+Workqueue: events_unbound cfg80211_wiphy_work
+[...]
+Call Trace:
+ <TASK>
+ ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
+ ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
+ [...]
+ ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
+ [...]
+ cfg80211_wiphy_work (net/wireless/core.c:426)
+ process_one_work (net/kernel/workqueue.c:3280)
+ ? assign_work (net/kernel/workqueue.c:1219)
+ worker_thread (net/kernel/workqueue.c:3352)
+ ? __pfx_worker_thread (net/kernel/workqueue.c:3385)
+ kthread (net/kernel/kthread.c:436)
+ [...]
+ ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
+ </TASK>
+
+This patch adds a NULL check for ie->mesh_config at the top of
+mesh_matches_local() to return false early when the Mesh Configuration
+IE is absent.
+
+Fixes: 2e3c8736820b ("mac80211: support functions for mesh")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260318034244.2595020-1-xmei5@asu.edu
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index 3811486f243a7..1b928cd4545aa 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -75,6 +75,9 @@ bool mesh_matches_local(struct ieee80211_sub_if_data *sdata,
+        *   - MDA enabled
+        * - Power management control on fc
+        */
++      if (!ie->mesh_config)
++              return false;
++
+       if (!(ifmsh->mesh_id_len == ie->mesh_id_len &&
+            memcmp(ifmsh->mesh_id, ie->mesh_id, ie->mesh_id_len) == 0 &&
+            (ifmsh->mesh_pp_id == ie->mesh_config->meshconf_psel) &&
+-- 
+2.51.0
+
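Review bot: The new `if (!ie->mesh_config) return false;` guard in mesh_matches_local() carries no explanation, and since the two other callers already reject elements without a Mesh Configuration IE (per the commit message), a future reader may assume the guard is redundant and remove it. Add a short why-comment above it, e.g. `/* mesh_rx_csa_frame() passes raw parsed elements; a crafted CSA action frame can omit the Mesh Configuration IE */`. The guard sits after the block comment that describes the comparison rules, which is fine, but it would be slightly clearer at the very top of the function body so the precondition is visible before the comparison description.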
diff --git a/queue-6.1/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch b/queue-6.1/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch
new file mode 100644 (file)
index 0000000..22a24f4
--- /dev/null
@@ -0,0 +1,112 @@
+From cc4cc4f02fd5028b3b579cb2efa3d038c168a1f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Mar 2026 07:24:02 +0000
+Subject: wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit b94ae8e0d5fe1bdbbfdc3854ff6ce98f6876a828 ]
+
+syzbot reported static_branch_dec() underflow in aql_enable_write(). [0]
+
+The problem is that aql_enable_write() does not serialise concurrent
+write()s to the debugfs.
+
+aql_enable_write() checks static_key_false(&aql_disable.key) and
+later calls static_branch_inc() or static_branch_dec(), but the
+state may change between the two calls.
+
+aql_disable does not need to track inc/dec.
+
+Let's use static_branch_enable() and static_branch_disable().
+
+[0]:
+val == 0
+WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288
+Modules linked in:
+CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G     U       L      syzkaller #0 PREEMPT(full)
+Tainted: [U]=USER, [L]=SOFTLOCKUP
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
+RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311
+Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00
+RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4
+RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000
+RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a
+R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98
+FS:  00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000200000001140 CR3: 000000007cc4a000 CR4: 00000000003526f0
+Call Trace:
+ <TASK>
+ __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline]
+ __static_key_slow_dec kernel/jump_label.c:321 [inline]
+ static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336
+ aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343
+ short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383
+ vfs_write+0x2aa/0x1070 fs/read_write.c:684
+ ksys_pwrite64 fs/read_write.c:793 [inline]
+ __do_sys_pwrite64 fs/read_write.c:801 [inline]
+ __se_sys_pwrite64 fs/read_write.c:798 [inline]
+ __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f530cf9aeb9
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
+RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9
+RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010
+RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000
+R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978
+ </TASK>
+
+Fixes: e908435e402a ("mac80211: introduce aql_enable node in debugfs")
+Reported-by: syzbot+feb9ce36a95341bb47a4@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69a8979e.a70a0220.b118c.0025.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260306072405.3649474-1-kuniyu@google.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/debugfs.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c
+index 78c7d60e8667c..175669aa8e744 100644
+--- a/net/mac80211/debugfs.c
++++ b/net/mac80211/debugfs.c
+@@ -326,7 +326,6 @@ static ssize_t aql_enable_read(struct file *file, char __user *user_buf,
+ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf,
+                               size_t count, loff_t *ppos)
+ {
+-      bool aql_disabled = static_key_false(&aql_disable.key);
+       char buf[3];
+       size_t len;
+@@ -341,15 +340,12 @@ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf,
+       if (len > 0 && buf[len - 1] == '\n')
+               buf[len - 1] = 0;
+-      if (buf[0] == '0' && buf[1] == '\0') {
+-              if (!aql_disabled)
+-                      static_branch_inc(&aql_disable);
+-      } else if (buf[0] == '1' && buf[1] == '\0') {
+-              if (aql_disabled)
+-                      static_branch_dec(&aql_disable);
+-      } else {
++      if (buf[0] == '0' && buf[1] == '\0')
++              static_branch_enable(&aql_disable);
++      else if (buf[0] == '1' && buf[1] == '\0')
++              static_branch_disable(&aql_disable);
++      else
+               return -EINVAL;
+-      }
+       return count;
+ }
+-- 
+2.51.0
+
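Review bot: The switch from `static_branch_inc()`/`static_branch_dec()` to `static_branch_enable()`/`static_branch_disable()` in aql_enable_write() is correct, but nothing in the code records why, so a later "cleanup" back to the inc/dec pair (which looked like the natural reference-counted form) would silently reintroduce the syzbot-reported underflow. Add a one-line comment above the `if (buf[0] == '0' ...)` chain, e.g. `/* enable/disable, not inc/dec: concurrent writes are not serialised and the key is a plain on/off switch */`. The `buf[1] == '\0'` comparisons rely on `buf` being NUL-terminated by code above the hunk, which is unchanged and not visible here.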
diff --git a/queue-6.1/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch b/queue-6.1/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
new file mode 100644 (file)
index 0000000..dec5b0b
--- /dev/null
@@ -0,0 +1,54 @@
+From faacf0ac917bd00b3c2f58795938b97900604f3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 23:46:36 -0700
+Subject: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not
+ enough headroom
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit deb353d9bb009638b7762cae2d0b6e8fdbb41a69 ]
+
+Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom
+before skb_push"), wl1271_tx_allocate() and with it
+wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails.
+However, in wlcore_tx_work_locked(), a return value of -EAGAIN from
+wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being
+full. This causes the code to flush the buffer, put the skb back at the
+head of the queue, and immediately retry the same skb in a tight while
+loop.
+
+Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens
+immediately with GFP_ATOMIC, this will result in an infinite loop and a
+CPU soft lockup. Return -ENOMEM instead so the packet is dropped and
+the loop terminates.
+
+The problem was found by an experimental code review agent based on
+gemini-3.1-pro while reviewing backports into v6.18.y.
+
+Assisted-by: Gemini:gemini-3.1-pro
+Fixes: e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push")
+Cc: Peter Astrand <astrand@lysator.liu.se>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://patch.msgid.link/20260318064636.3065925-1-linux@roeck-us.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wlcore/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c
+index 75ad096676561..1c6373013f66a 100644
+--- a/drivers/net/wireless/ti/wlcore/tx.c
++++ b/drivers/net/wireless/ti/wlcore/tx.c
+@@ -213,7 +213,7 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif,
+               if (skb_headroom(skb) < (total_len - skb->len) &&
+                   pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) {
+                       wl1271_free_tx_id(wl, id);
+-                      return -EAGAIN;
++                      return -ENOMEM;
+               }
+               desc = skb_push(skb, total_len - skb->len);
+-- 
+2.51.0
+
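Review bot: The `-EAGAIN` → `-ENOMEM` change in wl1271_tx_allocate() is a one-word fix whose reason lives only in the commit message; the caller's special handling of `-EAGAIN` is a trap for anyone touching this path again, so add a comment at the return, e.g. `/* not -EAGAIN: wlcore_tx_work_locked() treats that as "aggregation buffer full" and would retry this skb forever */`. Separately, the commit message says this runs under `wl->mutex`, which is a sleeping context; if that is the only caller, `pskb_expand_head()` could use `GFP_KERNEL` and fail far less often, but the call context is not visible in the hunk, so that should be confirmed before changing it.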
diff --git a/queue-6.12/acpi-processor-fix-previous-acpi_processor_errata_pi.patch b/queue-6.12/acpi-processor-fix-previous-acpi_processor_errata_pi.patch
new file mode 100644 (file)
index 0000000..b057f3f
--- /dev/null
@@ -0,0 +1,74 @@
+From 345ed02682b130c7dba8d3025baca6c57f35dc76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 21:39:05 +0100
+Subject: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit bf504b229cb8d534eccbaeaa23eba34c05131e25 ]
+
+After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference
+in acpi_processor_errata_piix4()"), device pointers may be dereferenced
+after dropping references to the device objects pointed to by them,
+which may cause a use-after-free to occur.
+
+Moreover, debug messages about enabling the errata may be printed
+if the errata flags corresponding to them are unset.
+
+Address all of these issues by moving message printing to the points
+in the code where the errata flags are set.
+
+Fixes: f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()")
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Closes: https://lore.kernel.org/linux-acpi/938e2206-def5-4b7a-9b2c-d1fd37681d8a@roeck-us.net/
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Link: https://patch.msgid.link/5975693.DvuYhMxLoT@rafael.j.wysocki
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_processor.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c
+index d8674aee28c2e..848a012cd19fb 100644
+--- a/drivers/acpi/acpi_processor.c
++++ b/drivers/acpi/acpi_processor.c
+@@ -113,6 +113,10 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev)
+                                    PCI_ANY_ID, PCI_ANY_ID, NULL);
+               if (ide_dev) {
+                       errata.piix4.bmisx = pci_resource_start(ide_dev, 4);
++                      if (errata.piix4.bmisx)
++                              dev_dbg(&ide_dev->dev,
++                                      "Bus master activity detection (BM-IDE) erratum enabled\n");
++
+                       pci_dev_put(ide_dev);
+               }
+@@ -131,20 +135,17 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev)
+               if (isa_dev) {
+                       pci_read_config_byte(isa_dev, 0x76, &value1);
+                       pci_read_config_byte(isa_dev, 0x77, &value2);
+-                      if ((value1 & 0x80) || (value2 & 0x80))
++                      if ((value1 & 0x80) || (value2 & 0x80)) {
+                               errata.piix4.fdma = 1;
++                              dev_dbg(&isa_dev->dev,
++                                      "Type-F DMA livelock erratum (C3 disabled)\n");
++                      }
+                       pci_dev_put(isa_dev);
+               }
+               break;
+       }
+-      if (ide_dev)
+-              dev_dbg(&ide_dev->dev, "Bus master activity detection (BM-IDE) erratum enabled\n");
+-
+-      if (isa_dev)
+-              dev_dbg(&isa_dev->dev, "Type-F DMA livelock erratum (C3 disabled)\n");
+-
+       return 0;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.12/arm64-dts-renesas-r9a09g057-add-rtc-node.patch b/queue-6.12/arm64-dts-renesas-r9a09g057-add-rtc-node.patch
new file mode 100644 (file)
index 0000000..8718a8c
--- /dev/null
@@ -0,0 +1,50 @@
+From 9ae8032d1f7b8a346371128cd30810e47d94b897 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Nov 2025 21:07:05 +0000
+Subject: arm64: dts: renesas: r9a09g057: Add RTC node
+
+From: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
+
+[ Upstream commit cfc733da4e79018f88d8ac5f3a5306abbba8ef89 ]
+
+Add RTC node to Renesas RZ/V2H ("R9A09G057") SoC DTSI.
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20251107210706.45044-4-ovidiu.panait.rb@renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Stable-dep-of: a3f34651de42 ("arm64: dts: renesas: r9a09g057: Remove wdt{0,2,3} nodes")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a09g057.dtsi | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi
+index 1ad5a1b6917fe..4676ee7561395 100644
+--- a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi
+@@ -241,6 +241,21 @@ wdt3: watchdog@13000400 {
+                       status = "disabled";
+               };
++              rtc: rtc@11c00800 {
++                      compatible = "renesas,r9a09g057-rtca3", "renesas,rz-rtca3";
++                      reg = <0 0x11c00800 0 0x400>;
++                      interrupts = <GIC_SPI 524 IRQ_TYPE_EDGE_RISING>,
++                                   <GIC_SPI 525 IRQ_TYPE_EDGE_RISING>,
++                                   <GIC_SPI 526 IRQ_TYPE_EDGE_RISING>;
++                      interrupt-names = "alarm", "period", "carry";
++                      clocks = <&cpg CPG_MOD 0x53>, <&rtxin_clk>;
++                      clock-names = "bus", "counter";
++                      power-domains = <&cpg>;
++                      resets = <&cpg 0x79>, <&cpg 0x7a>;
++                      reset-names = "rtc", "rtest";
++                      status = "disabled";
++              };
++
+               scif: serial@11c01400 {
+                       compatible = "renesas,scif-r9a09g057";
+                       reg = <0 0x11c01400 0 0x400>;
+-- 
+2.51.0
+
diff --git a/queue-6.12/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch b/queue-6.12/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch
new file mode 100644 (file)
index 0000000..41ee62f
--- /dev/null
@@ -0,0 +1,82 @@
+From a745faef23aa13c2b94ae7ed8089da46c7bb20c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Feb 2026 12:42:46 +0000
+Subject: arm64: dts: renesas: r9a09g057: Remove wdt{0,2,3} nodes
+
+From: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+
+[ Upstream commit a3f34651de4287138c0da19ba321ad72622b4af3 ]
+
+The HW user manual for the Renesas RZ/V2H(P) SoC (a.k.a r9a09g057)
+states that only WDT1 is supposed to be accessed by the CA55 cores.
+WDT0 is supposed to be used by the CM33 core, WDT2 is supposed
+to be used by the CR8 core 0, and WDT3 is supposed to be used
+by the CR8 core 1.
+
+Remove wdt{0,2,3} from the SoC specific device tree to make it
+compliant with the specification from the HW manual.
+
+This change is harmless as there are currently no users of the
+wdt{0,2,3} device tree nodes, only the wdt1 node is actually used.
+
+Fixes: 095105496e7d ("arm64: dts: renesas: r9a09g057: Add WDT0-WDT3 nodes")
+Signed-off-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20260203124247.7320-3-fabrizio.castro.jz@renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a09g057.dtsi | 30 ----------------------
+ 1 file changed, 30 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi
+index 4676ee7561395..5c7b9e296f439 100644
+--- a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi
+@@ -201,16 +201,6 @@ ostm7: timer@12c03000 {
+                       status = "disabled";
+               };
+-              wdt0: watchdog@11c00400 {
+-                      compatible = "renesas,r9a09g057-wdt";
+-                      reg = <0 0x11c00400 0 0x400>;
+-                      clocks = <&cpg CPG_MOD 0x4b>, <&cpg CPG_MOD 0x4c>;
+-                      clock-names = "pclk", "oscclk";
+-                      resets = <&cpg 0x75>;
+-                      power-domains = <&cpg>;
+-                      status = "disabled";
+-              };
+-
+               wdt1: watchdog@14400000 {
+                       compatible = "renesas,r9a09g057-wdt";
+                       reg = <0 0x14400000 0 0x400>;
+@@ -221,26 +211,6 @@ wdt1: watchdog@14400000 {
+                       status = "disabled";
+               };
+-              wdt2: watchdog@13000000 {
+-                      compatible = "renesas,r9a09g057-wdt";
+-                      reg = <0 0x13000000 0 0x400>;
+-                      clocks = <&cpg CPG_MOD 0x4f>, <&cpg CPG_MOD 0x50>;
+-                      clock-names = "pclk", "oscclk";
+-                      resets = <&cpg 0x77>;
+-                      power-domains = <&cpg>;
+-                      status = "disabled";
+-              };
+-
+-              wdt3: watchdog@13000400 {
+-                      compatible = "renesas,r9a09g057-wdt";
+-                      reg = <0 0x13000400 0 0x400>;
+-                      clocks = <&cpg CPG_MOD 0x51>, <&cpg CPG_MOD 0x52>;
+-                      clock-names = "pclk", "oscclk";
+-                      resets = <&cpg 0x78>;
+-                      power-domains = <&cpg>;
+-                      status = "disabled";
+-              };
+-
+               rtc: rtc@11c00800 {
+                       compatible = "renesas,r9a09g057-rtca3", "renesas,rz-rtca3";
+                       reg = <0 0x11c00800 0 0x400>;
+-- 
+2.51.0
+
diff --git a/queue-6.12/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch b/queue-6.12/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch
new file mode 100644 (file)
index 0000000..438c104
--- /dev/null
@@ -0,0 +1,52 @@
+From 7fbbf64ad9d780fbc55d8bb2ab03f5fb617d92e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 14:50:52 +0100
+Subject: Bluetooth: hci_sync: Fix hci_le_create_conn_sync
+
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+
+[ Upstream commit 2cabe7ff1001b7a197009cf50ba71701f9cbd354 ]
+
+While introducing hci_le_create_conn_sync the functionality
+of hci_connect_le was ported to hci_le_create_conn_sync including
+the disable of the scan before starting the connection.
+
+When this code was run non synchronously the immediate call that was
+setting the flag HCI_LE_SCAN_INTERRUPTED had an impact. Since the
+completion handler for the LE_SCAN_DISABLE was not immediately called.
+In the completion handler of the LE_SCAN_DISABLE event, this flag is
+checked to set the state of the hdev to DISCOVERY_STOPPED.
+
+With the synchronised approach the later setting of the
+HCI_LE_SCAN_INTERRUPTED flag has not the same effect. The completion
+handler would immediately fire in the LE_SCAN_DISABLE call, check for
+the flag, which is then not yet set and do nothing.
+
+To fix this issue and make the function call work as before, we move the
+setting of the flag HCI_LE_SCAN_INTERRUPTED before disabling the scan.
+
+Fixes: 8e8b92ee60de ("Bluetooth: hci_sync: Add hci_le_create_conn_sync")
+Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 00de90fee44a7..1656448649b9f 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -6552,8 +6552,8 @@ static int hci_le_create_conn_sync(struct hci_dev *hdev, void *data)
+        * state.
+        */
+       if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {
+-              hci_scan_disable_sync(hdev);
+               hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
++              hci_scan_disable_sync(hdev);
+       }
+       /* Update random address, but set require_privacy to false so
+-- 
+2.51.0
+
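Review bot: The ordering of `hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED)` before `hci_scan_disable_sync(hdev)` is now load-bearing, but nothing in the code says so; the reason lives only in the commit message, and the comment block that ends at `* state.` just above the `if` is cut off here so I cannot tell whether it covers it. A one-line comment on the flag set, `/* Must be set before the disable: in the sync path the LE_SCAN_DISABLE completion runs immediately and checks this flag. */`, would stop a later cleanup from swapping the two calls back. hci_le_create_conn_sync's body starts and continues outside the hunk.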
diff --git a/queue-6.12/bluetooth-hidp-fix-possible-uaf.patch b/queue-6.12/bluetooth-hidp-fix-possible-uaf.patch
new file mode 100644 (file)
index 0000000..9c9ce10
--- /dev/null
@@ -0,0 +1,237 @@
+From 81b02ac45d82ed3bd64d09ef5a5bc6aace75afde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 10:17:47 -0500
+Subject: Bluetooth: HIDP: Fix possible UAF
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit dbf666e4fc9bdd975a61bf682b3f75cb0145eedd ]
+
+This fixes the following trace caused by not dropping l2cap_conn
+reference when user->remove callback is called:
+
+[   97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
+[   97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   97.809947] Call Trace:
+[   97.809954]  <TASK>
+[   97.809961]  dump_stack_lvl (lib/dump_stack.c:122)
+[   97.809990]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
+[   97.810017]  l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
+[   97.810055]  l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
+[   97.810086]  ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
+[   97.810117]  hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
+[   97.810148]  hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
+[   97.810180]  ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
+[   97.810212]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810242]  ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
+[   97.810267]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810290]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
+[   97.810320]  hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
+[   97.810346]  vhci_release (drivers/bluetooth/hci_vhci.c:691)
+[   97.810375]  ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
+[   97.810404]  __fput (fs/file_table.c:470)
+[   97.810430]  task_work_run (kernel/task_work.c:235)
+[   97.810451]  ? __pfx_task_work_run (kernel/task_work.c:201)
+[   97.810472]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810495]  ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
+[   97.810527]  do_exit (kernel/exit.c:972)
+[   97.810547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810574]  ? __pfx_do_exit (kernel/exit.c:897)
+[   97.810594]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
+[   97.810616]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810639]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
+[   97.810664]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810688]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   97.810721]  do_group_exit (kernel/exit.c:1093)
+[   97.810745]  get_signal (kernel/signal.c:3007 (discriminator 1))
+[   97.810772]  ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
+[   97.810803]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810826]  ? vfs_read (fs/read_write.c:555)
+[   97.810854]  ? __pfx_get_signal (kernel/signal.c:2800)
+[   97.810880]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810905]  ? __pfx_vfs_read (fs/read_write.c:555)
+[   97.810932]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810960]  arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
+[   97.810990]  ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
+[   97.811021]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811055]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811078]  ? ksys_read (fs/read_write.c:707)
+[   97.811106]  ? __pfx_ksys_read (fs/read_write.c:707)
+[   97.811137]  exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
+[   97.811169]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
+[   97.811192]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811215]  ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
+[   97.811240]  do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
+[   97.811268]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811292]  ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
+[   97.811318]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+[   97.811338] RIP: 0033:0x445cfe
+[   97.811352] Code: Unable to access opcode bytes at 0x445cd4.
+
+Code starting with the faulting instruction
+===========================================
+[   97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
+[   97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe
+[   97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004
+[   97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000
+[   97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8
+[   97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0
+[   97.811453]  </TASK>
+[   98.402453] ==================================================================
+[   98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430
+[   98.405361]
+[   98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   98.405600] Call Trace:
+[   98.405607]  <TASK>
+[   98.405614]  dump_stack_lvl (lib/dump_stack.c:122)
+[   98.405641]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
+[   98.405667]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.405691]  ? __virt_addr_valid (arch/x86/mm/physaddr.c:55)
+[   98.405724]  ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405748]  kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
+[   98.405778]  ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405807]  __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405832]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
+[   98.405859]  ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.405888]  ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
+[   98.405915]  ? __pfx___mutex_lock (kernel/locking/mutex.c:775)
+[   98.405939]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.405963]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
+[   98.405984]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.406015]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406038]  ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875)
+[   98.406061]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406085]  ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194)
+[   98.406107]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406130]  ? __timer_delete_sync (kernel/time/timer.c:1592)
+[   98.406158]  ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.406186]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406210]  l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.406263]  hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305)
+[   98.406293]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.406323]  ? kthread (kernel/kthread.c:433)
+[   98.406340]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.406370]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406393]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.406424]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.406453]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406476]  ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
+[   98.406499]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406523]  ? kthread (kernel/kthread.c:433)
+[   98.406539]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406565]  ? kthread (kernel/kthread.c:433)
+[   98.406581]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.406610]  kthread (kernel/kthread.c:467)
+[   98.406627]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.406645]  ret_from_fork (arch/x86/kernel/process.c:164)
+[   98.406674]  ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
+[   98.406704]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406728]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.406747]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
+[   98.406774]  </TASK>
+[   98.406780]
+[   98.433693] The buggy address belongs to the physical page:
+[   98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4
+[   98.435557] flags: 0x200000000000000(node=0|zone=2)
+[   98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000
+[   98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000
+[   98.438115] page dumped because: kasan: bad access detected
+[   98.438951]
+[   98.439211] Memory state around the buggy address:
+[   98.439871]  ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   98.440714]  ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.442458]                                   ^
+[   98.443011]  ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.443889]  ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.444768] ==================================================================
+[   98.445719] Disabling lock debugging due to kernel taint
+[   98.448074] l2cap_conn_free: freeing conn ffff88810c22b400
+[   98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G    B               7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   98.450040] Tainted: [B]=BAD_PAGE
+[   98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   98.450059] Call Trace:
+[   98.450065]  <TASK>
+[   98.450071]  dump_stack_lvl (lib/dump_stack.c:122)
+[   98.450099]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
+[   98.450125]  l2cap_conn_put (net/bluetooth/l2cap_core.c:1822)
+[   98.450154]  session_free (net/bluetooth/hidp/core.c:990)
+[   98.450181]  hidp_session_thread (net/bluetooth/hidp/core.c:1307)
+[   98.450213]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.450271]  ? kthread (kernel/kthread.c:433)
+[   98.450293]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.450339]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450368]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.450406]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.450442]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450471]  ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
+[   98.450499]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450528]  ? kthread (kernel/kthread.c:433)
+[   98.450547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450578]  ? kthread (kernel/kthread.c:433)
+[   98.450598]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.450637]  kthread (kernel/kthread.c:467)
+[   98.450657]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.450680]  ret_from_fork (arch/x86/kernel/process.c:164)
+[   98.450715]  ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
+[   98.450752]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450782]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.450804]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
+[   98.450836]  </TASK>
+
+Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers")
+Reported-by: soufiane el hachmi <kilwa10@gmail.com>
+Tested-by: soufiane el hachmi <kilwa10@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hidp/core.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index 707f229f896a1..40a6f1e20babc 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -986,7 +986,8 @@ static void session_free(struct kref *ref)
+       skb_queue_purge(&session->intr_transmit);
+       fput(session->intr_sock->file);
+       fput(session->ctrl_sock->file);
+-      l2cap_conn_put(session->conn);
++      if (session->conn)
++              l2cap_conn_put(session->conn);
+       kfree(session);
+ }
+@@ -1164,6 +1165,15 @@ static void hidp_session_remove(struct l2cap_conn *conn,
+       down_write(&hidp_session_sem);
++      /* Drop L2CAP reference immediately to indicate that
++       * l2cap_unregister_user() shall not be called as it is already
++       * considered removed.
++       */
++      if (session->conn) {
++              l2cap_conn_put(session->conn);
++              session->conn = NULL;
++      }
++
+       hidp_session_terminate(session);
+       cancel_work_sync(&session->dev_init);
+@@ -1301,7 +1311,9 @@ static int hidp_session_thread(void *arg)
+        * Instead, this call has the same semantics as if user-space tried to
+        * delete the session.
+        */
+-      l2cap_unregister_user(session->conn, &session->user);
++      if (session->conn)
++              l2cap_unregister_user(session->conn, &session->user);
++
+       hidp_session_put(session);
+       module_put_and_kthread_exit(0);
+-- 
+2.51.0
+
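Review bot: After hidp_session_remove() puts and NULLs `session->conn` under `hidp_session_sem`, the new `if (session->conn)` checks in session_free() and at the hidp_session_thread() exit read the same field, and the hunk does not show what serializes those reads against that write; if the thread-exit read runs outside the semaphore, a remove racing with thread exit can still hand over a pointer that is put and cleared between the check and `l2cap_unregister_user()`. Worth stating in the new comment which lock covers every reader of `session->conn`, or taking `hidp_session_sem` around the thread-exit check as well. If anything later in hidp_session_remove() still dereferences `session->conn` (hidp_session_terminate() and the rest of the function are outside the hunk), it would now see NULL, so that path should be checked too. All three enclosing functions start outside the hunk.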
diff --git a/queue-6.12/bluetooth-iso-fix-defer-tests-being-unstable.patch b/queue-6.12/bluetooth-iso-fix-defer-tests-being-unstable.patch
new file mode 100644 (file)
index 0000000..130c7fd
--- /dev/null
@@ -0,0 +1,49 @@
+From 4bb988db5f7b002a06dbb9535d34f17cc01f09c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Feb 2026 15:23:01 -0500
+Subject: Bluetooth: ISO: Fix defer tests being unstable
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 62bcaa6b351b6dc400f6c6b83762001fd9f5c12d ]
+
+iso-tester defer tests seem to fail with hci_conn_hash_lookup_cig
+being unable to resolve a cig in set_cig_params_sync due a race
+where it is run immediatelly before hci_bind_cis is able to set
+the QoS settings into the hci_conn object.
+
+So this moves the assigning of the QoS settings to be done directly
+by hci_le_set_cig_params to prevent that from happening again.
+
+Fixes: 26afbd826ee3 ("Bluetooth: Add initial implementation of CIS connections")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_conn.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index fa74fac5af778..447d29c67e7c1 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1868,6 +1868,8 @@ static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
+               return false;
+ done:
++      conn->iso_qos = *qos;
++
+       if (hci_cmd_sync_queue(hdev, set_cig_params_sync,
+                              UINT_PTR(qos->ucast.cig), NULL) < 0)
+               return false;
+@@ -1934,8 +1936,6 @@ struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
+       }
+       hci_conn_hold(cis);
+-
+-      cis->iso_qos = *qos;
+       cis->state = BT_BOUND;
+       return cis;
+-- 
+2.51.0
+
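Review bot: `conn->iso_qos = *qos;` at the `done:` label now runs before `hci_cmd_sync_queue()` and is not undone when that call fails and the function returns false, whereas the removed assignment in hci_bind_cis() only happened after a successful hci_le_set_cig_params(). A caller that inspects or retries on `cis->iso_qos` after a false return therefore sees the rejected settings; if that is intended, a comment at `done:` saying the QoS is deliberately published before queuing so set_cig_params_sync can resolve the CIG would make it explicit, otherwise restore the previous value on the failure path. I cannot see from the hunk whether earlier paths reaching `done:` carry a qos that should not be stored. hci_le_set_cig_params starts outside the hunk.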
diff --git a/queue-6.12/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch b/queue-6.12/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch
new file mode 100644 (file)
index 0000000..7262f07
--- /dev/null
@@ -0,0 +1,90 @@
+From bdf20a83b68b2a66721c7b341e871774b2cbd790 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Nov 2025 23:50:16 +0530
+Subject: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
+
+From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+
+[ Upstream commit 752a6c9596dd25efd6978a73ff21f3b592668f4a ]
+
+After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in
+hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to
+conn->users. However, l2cap_register_user() and l2cap_unregister_user()
+don't use conn->lock, creating a race condition where these functions can
+access conn->users and conn->hchan concurrently with l2cap_conn_del().
+
+This can lead to use-after-free and list corruption bugs, as reported
+by syzbot.
+
+Fix this by changing l2cap_register_user() and l2cap_unregister_user()
+to use conn->lock instead of hci_dev_lock(), ensuring consistent locking
+for the l2cap_conn structure.
+
+Reported-by: syzbot+14b6d57fb728e27ce23c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=14b6d57fb728e27ce23c
+Fixes: ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del")
+Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 560a17d36f7fa..7c131e4640b75 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -1686,17 +1686,15 @@ static void l2cap_info_timeout(struct work_struct *work)
+ int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
+ {
+-      struct hci_dev *hdev = conn->hcon->hdev;
+       int ret;
+       /* We need to check whether l2cap_conn is registered. If it is not, we
+-       * must not register the l2cap_user. l2cap_conn_del() is unregisters
+-       * l2cap_conn objects, but doesn't provide its own locking. Instead, it
+-       * relies on the parent hci_conn object to be locked. This itself relies
+-       * on the hci_dev object to be locked. So we must lock the hci device
+-       * here, too. */
++       * must not register the l2cap_user. l2cap_conn_del() unregisters
++       * l2cap_conn objects under conn->lock, and we use the same lock here
++       * to protect access to conn->users and conn->hchan.
++       */
+-      hci_dev_lock(hdev);
++      mutex_lock(&conn->lock);
+       if (!list_empty(&user->list)) {
+               ret = -EINVAL;
+@@ -1717,16 +1715,14 @@ int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
+       ret = 0;
+ out_unlock:
+-      hci_dev_unlock(hdev);
++      mutex_unlock(&conn->lock);
+       return ret;
+ }
+ EXPORT_SYMBOL(l2cap_register_user);
+ void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
+ {
+-      struct hci_dev *hdev = conn->hcon->hdev;
+-
+-      hci_dev_lock(hdev);
++      mutex_lock(&conn->lock);
+       if (list_empty(&user->list))
+               goto out_unlock;
+@@ -1735,7 +1731,7 @@ void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
+       user->remove(conn, user);
+ out_unlock:
+-      hci_dev_unlock(hdev);
++      mutex_unlock(&conn->lock);
+ }
+ EXPORT_SYMBOL(l2cap_unregister_user);
+-- 
+2.51.0
+
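Review bot: `user->remove(conn, user)` at the end of l2cap_unregister_user() is now invoked with `conn->lock` held instead of the hci_dev lock, which changes the lock context every l2cap_user callback runs in; a remove callback that re-enters L2CAP and takes `conn->lock`, or that nests a lock which elsewhere is acquired after `conn->lock`, would now deadlock or invert the lock order, and the hunk shows no audit of the callbacks. l2cap_register_user() got its comment updated but l2cap_unregister_user() did not; a comment such as `/* Runs user->remove() under conn->lock; callbacks must not re-acquire it. */` above the `mutex_lock(&conn->lock)` would document the new contract for callback implementers.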
diff --git a/queue-6.12/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch b/queue-6.12/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
new file mode 100644 (file)
index 0000000..3e91d87
--- /dev/null
@@ -0,0 +1,55 @@
+From 68e8dcccd275423198d53545a363c14a1e04e5d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:25 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit e1d9a66889867c232657a9b6f25d451d7c3ab96f ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"If the SDU length field value exceeds the receiver's MTU, the receiver
+shall disconnect the channel..."
+
+This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P
+0x0027 -V le_public -I 100').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index a95949bc36b2a..de8e18fe50557 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -6619,8 +6619,10 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+               return -ENOBUFS;
+       }
+-      if (chan->imtu < skb->len) {
+-              BT_ERR("Too big LE L2CAP PDU");
++      if (skb->len > chan->imtu) {
++              BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len,
++                     chan->imtu);
++              l2cap_send_disconn_req(chan, ECONNRESET);
+               return -ENOBUFS;
+       }
+@@ -6646,7 +6648,9 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+                      sdu_len, skb->len, chan->imtu);
+               if (sdu_len > chan->imtu) {
+-                      BT_ERR("Too big LE L2CAP SDU length received");
++                      BT_ERR("Too big LE L2CAP SDU length: len %u > %u",
++                             skb->len, sdu_len);
++                      l2cap_send_disconn_req(chan, ECONNRESET);
+                       err = -EMSGSIZE;
+                       goto failed;
+               }
+-- 
+2.51.0
+
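Review bot: The second BT_ERR in l2cap_ecred_data_rcv logs the wrong pair: the condition is `sdu_len > chan->imtu`, but the message prints `skb->len` and `sdu_len`, so the log line shows a frame length that is not part of the comparison and will often read as `len N > M` with N smaller than M. It should be `BT_ERR("Too big LE L2CAP SDU length: len %u > %u", sdu_len, chan->imtu);`, matching the first hunk, which correctly prints `skb->len, chan->imtu` for `skb->len > chan->imtu`. Both values come from a peer-supplied PDU, so a correct log line is the main evidence for why the channel was reset.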
diff --git a/queue-6.12/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch b/queue-6.12/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
new file mode 100644 (file)
index 0000000..ee4cd7f
--- /dev/null
@@ -0,0 +1,39 @@
+From 018e3aa37e5cbc90c2964335a3bf1e2f9c7d4122 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:27 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit b6a2bf43aa37670432843bc73ae2a6288ba4d6f8 ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"... If the sum of the payload sizes for the K-frames exceeds the
+specified SDU length, the receiver shall disconnect the channel."
+
+This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
+0x0027 -V le_public').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index de8e18fe50557..560a17d36f7fa 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -6686,6 +6686,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+       if (chan->sdu->len + skb->len > chan->sdu_len) {
+               BT_ERR("Too much LE L2CAP data received");
++              l2cap_send_disconn_req(chan, ECONNRESET);
+               err = -EINVAL;
+               goto failed;
+       }
+-- 
+2.51.0
+
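Review bot: The BT_ERR next to the new `l2cap_send_disconn_req()` still carries no lengths, unlike the sibling over-size checks in the same function (as updated by the neighbouring IMTU patch in this queue), which report the offending values; a reset triggered by a peer-supplied SDU length is easier to triage when the log shows the numbers. Consider `BT_ERR("Too much LE L2CAP data received: %u + %u > %u", chan->sdu->len, skb->len, chan->sdu_len);`. The sibling check returns `-EMSGSIZE` where this one keeps `-EINVAL`; that is pre-existing, but worth aligning while the line is being touched.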
diff --git a/queue-6.12/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch b/queue-6.12/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch
new file mode 100644 (file)
index 0000000..37952b0
--- /dev/null
@@ -0,0 +1,67 @@
+From f67a9851c159acc0f25250522408290ad88aed94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Feb 2026 11:03:39 +0000
+Subject: Bluetooth: MGMT: Fix list corruption and UAF in command complete
+ handlers
+
+From: Wang Tao <wangtao554@huawei.com>
+
+[ Upstream commit 17f89341cb4281d1da0e2fb0de5406ab7c4e25ef ]
+
+Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced
+mgmt_pending_valid(), which not only validates the pending command but
+also unlinks it from the pending list if it is valid. This change in
+semantics requires updates to several completion handlers to avoid list
+corruption and memory safety issues.
+
+This patch addresses two left-over issues from the aforementioned rework:
+
+1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()
+is replaced with mgmt_pending_free() in the success path. Since
+mgmt_pending_valid() already unlinks the command at the beginning of
+the function, calling mgmt_pending_remove() leads to a double list_del()
+and subsequent list corruption/kernel panic.
+
+2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error
+path is removed. Since the current command is already unlinked by
+mgmt_pending_valid(), this foreach loop would incorrectly target other
+pending mesh commands, potentially freeing them while they are still being
+processed concurrently (leading to UAFs). The redundant mgmt_cmd_status()
+is also simplified to use cmd->opcode directly.
+
+Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs")
+Signed-off-by: Wang Tao <wangtao554@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 4894e6444900a..b1df591a53805 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -2172,10 +2172,7 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
+       sk = cmd->sk;
+       if (status) {
+-              mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
+-                              status);
+-              mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true,
+-                                   cmd_status_rsp, &status);
++              mgmt_cmd_status(cmd->sk, hdev->id, cmd->opcode, status);
+               goto done;
+       }
+@@ -5354,7 +5351,7 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
+       mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
+                         mgmt_status(status), &rp, sizeof(rp));
+-      mgmt_pending_remove(cmd);
++      mgmt_pending_free(cmd);
+       hci_dev_unlock(hdev);
+       bt_dev_dbg(hdev, "add monitor %d complete, status %d",
+-- 
+2.51.0
+
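Review bot: Both handlers now depend on an invariant stated only in the commit message: mgmt_pending_valid() has already unlinked `cmd`, so the pending list must not be walked or modified again and `cmd` must be released with mgmt_pending_free(), not mgmt_pending_remove(). Nothing at either site records that, so the foreach or the remove can be reintroduced by the next cleanup; a comment at the status path in set_mesh_complete() and at the `mgmt_pending_free(cmd)` call, `/* cmd was unlinked by mgmt_pending_valid(); free only, never list_del again */`, would pin it. Also `sk = cmd->sk;` is assigned one line above and then `cmd->sk` is passed to mgmt_cmd_status(); using `sk` there is consistent with the local. Both functions start outside the hunk, so I cannot see whether the `done:` path in set_mesh_complete() frees cmd.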
diff --git a/queue-6.12/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch b/queue-6.12/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch
new file mode 100644 (file)
index 0000000..ddfdfad
--- /dev/null
@@ -0,0 +1,46 @@
+From de1733b51d4eea02448d428a89989e0447c8f343 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 01:02:57 +0200
+Subject: Bluetooth: qca: fix ROM version reading on WCN3998 chips
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit 99b2c531e0e797119ae1b9195a8764ee98b00e65 ]
+
+WCN3998 uses a bit different format for rom version:
+
+[    5.479978] Bluetooth: hci0: setting up wcn399x
+[    5.633763] Bluetooth: hci0: QCA Product ID   :0x0000000a
+[    5.645350] Bluetooth: hci0: QCA SOC Version  :0x40010224
+[    5.650906] Bluetooth: hci0: QCA ROM Version  :0x00001001
+[    5.665173] Bluetooth: hci0: QCA Patch Version:0x00006699
+[    5.679356] Bluetooth: hci0: QCA controller version 0x02241001
+[    5.691109] Bluetooth: hci0: QCA Downloading qca/crbtfw21.tlv
+[    6.680102] Bluetooth: hci0: QCA Downloading qca/crnv21.bin
+[    6.842948] Bluetooth: hci0: QCA setup on UART is completed
+
+Fixes: 523760b7ff88 ("Bluetooth: hci_qca: Added support for WCN3998")
+Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btqca.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index dd2c0485b9848..372427747cd64 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -804,6 +804,8 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+        */
+       if (soc_type == QCA_WCN3988)
+               rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f);
++      else if (soc_type == QCA_WCN3998)
++              rom_ver = ((soc_ver & 0x0000f000) >> 0x07) | (soc_ver & 0x0000000f);
+       else
+               rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f);
+-- 
+2.51.0
+
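Review bot: The new QCA_WCN3998 branch in qca_uart_setup() adds a third bare mask/shift pair (`0x0000f000 >> 0x07`) next to the WCN3988 and default ones, and nothing at the site says which soc_ver bits feed rom_ver for each variant. A comment on the new branch stating the layout the code implements, `/* WCN3998: rom_ver = soc_ver[15:12] << 5 | soc_ver[3:0] */`, would spare the next reader from reconstructing it from boot logs. Writing the shift count in decimal (`>> 7`) would also make it read as a shift amount rather than a mask, though the hex form matches the surrounding lines. qca_uart_setup() starts and ends outside the hunk.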
diff --git a/queue-6.12/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch b/queue-6.12/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
new file mode 100644 (file)
index 0000000..feb8bc7
--- /dev/null
@@ -0,0 +1,36 @@
+From 48f0ab25920c845873a6c1054f3da9954c030f5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:28 +0100
+Subject: Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit 0e4d4dcc1a6e82cc6f9abf32193558efa7e1613d ]
+
+The last test step ("Test with Invalid public key X and Y, all set to
+0") expects to get an "DHKEY check failed" instead of "unspecified".
+
+Fixes: 6d19628f539f ("Bluetooth: SMP: Fail if remote and local public keys are identical")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index 3a33fd06e6a4c..204c5fe3a8d08 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2743,7 +2743,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
+       if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
+           !crypto_memneq(key, smp->local_pk, 64)) {
+               bt_dev_err(hdev, "Remote and local public keys are identical");
+-              return SMP_UNSPECIFIED;
++              return SMP_DHKEY_CHECK_FAILED;
+       }
+       memcpy(smp->remote_pk, key, 64);
+-- 
+2.51.0
+
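Review bot: The changed return in smp_cmd_public_key() now reports SMP_DHKEY_CHECK_FAILED for an identical-public-key rejection, which looks like a mismatched error code to anyone unaware of the qualification test behind it, since no DHKey check has run at this point in the exchange. A one-line comment above the return would preserve the rationale: `/* SM/PER/KDU/BI-04-C expects "DHKey check failed" here, not "unspecified" */`. The rejection itself is unchanged (the bt_dev_err and early return remain), so the only behavioral difference is the failure reason, presumably the one reported to the peer. The enclosing function starts and ends outside the hunk.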
diff --git a/queue-6.12/bonding-prevent-potential-infinite-loop-in-bond_head.patch b/queue-6.12/bonding-prevent-potential-infinite-loop-in-bond_head.patch
new file mode 100644 (file)
index 0000000..1620587
--- /dev/null
@@ -0,0 +1,205 @@
+From 9fd2ab95ca779086eecb6554c53cc191992372fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 10:41:52 +0000
+Subject: bonding: prevent potential infinite loop in bond_header_parse()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b7405dcf7385445e10821777143f18c3ce20fa04 ]
+
+bond_header_parse() can loop if a stack of two bonding devices is setup,
+because skb->dev always points to the hierarchy top.
+
+Add new "const struct net_device *dev" parameter to
+(struct header_ops)->parse() method to make sure the recursion
+is bounded, and that the final leaf parse method is called.
+
+Fixes: 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Tested-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Cc: Jay Vosburgh <jv@jvosburgh.net>
+Cc: Andrew Lunn <andrew+netdev@lunn.ch>
+Link: https://patch.msgid.link/20260315104152.1436867-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firewire/net.c          | 5 +++--
+ drivers/net/bonding/bond_main.c | 8 +++++---
+ include/linux/etherdevice.h     | 3 ++-
+ include/linux/if_ether.h        | 3 ++-
+ include/linux/netdevice.h       | 6 ++++--
+ net/ethernet/eth.c              | 9 +++------
+ net/ipv4/ip_gre.c               | 3 ++-
+ net/mac802154/iface.c           | 4 +++-
+ net/phonet/af_phonet.c          | 5 ++++-
+ 9 files changed, 28 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c
+index 1bf0e15c15408..423ead5fa9c13 100644
+--- a/drivers/firewire/net.c
++++ b/drivers/firewire/net.c
+@@ -257,9 +257,10 @@ static void fwnet_header_cache_update(struct hh_cache *hh,
+       memcpy((u8 *)hh->hh_data + HH_DATA_OFF(FWNET_HLEN), haddr, net->addr_len);
+ }
+-static int fwnet_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++static int fwnet_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++                            unsigned char *haddr)
+ {
+-      memcpy(haddr, skb->dev->dev_addr, FWNET_ALEN);
++      memcpy(haddr, dev->dev_addr, FWNET_ALEN);
+       return FWNET_ALEN;
+ }
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index d11ca46a5b1f7..5035cfa74f1ac 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1563,9 +1563,11 @@ static int bond_header_create(struct sk_buff *skb, struct net_device *bond_dev,
+       return ret;
+ }
+-static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++static int bond_header_parse(const struct sk_buff *skb,
++                           const struct net_device *dev,
++                           unsigned char *haddr)
+ {
+-      struct bonding *bond = netdev_priv(skb->dev);
++      struct bonding *bond = netdev_priv(dev);
+       const struct header_ops *slave_ops;
+       struct slave *slave;
+       int ret = 0;
+@@ -1575,7 +1577,7 @@ static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr)
+       if (slave) {
+               slave_ops = READ_ONCE(slave->dev->header_ops);
+               if (slave_ops && slave_ops->parse)
+-                      ret = slave_ops->parse(skb, haddr);
++                      ret = slave_ops->parse(skb, slave->dev, haddr);
+       }
+       rcu_read_unlock();
+       return ret;
+diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h
+index ecf203f010343..a3ae683affa58 100644
+--- a/include/linux/etherdevice.h
++++ b/include/linux/etherdevice.h
+@@ -42,7 +42,8 @@ extern const struct header_ops eth_header_ops;
+ int eth_header(struct sk_buff *skb, struct net_device *dev, unsigned short type,
+              const void *daddr, const void *saddr, unsigned len);
+-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr);
++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++                   unsigned char *haddr);
+ int eth_header_cache(const struct neighbour *neigh, struct hh_cache *hh,
+                    __be16 type);
+ void eth_header_cache_update(struct hh_cache *hh, const struct net_device *dev,
+diff --git a/include/linux/if_ether.h b/include/linux/if_ether.h
+index 8a9792a6427ad..47a0feffc1215 100644
+--- a/include/linux/if_ether.h
++++ b/include/linux/if_ether.h
+@@ -37,7 +37,8 @@ static inline struct ethhdr *inner_eth_hdr(const struct sk_buff *skb)
+       return (struct ethhdr *)skb_inner_mac_header(skb);
+ }
+-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr);
++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++                   unsigned char *haddr);
+ extern ssize_t sysfs_format_mac(char *buf, const unsigned char *addr, int len);
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 12edeeb172c4e..fcc1509ca7cb8 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -308,7 +308,9 @@ struct header_ops {
+       int     (*create) (struct sk_buff *skb, struct net_device *dev,
+                          unsigned short type, const void *daddr,
+                          const void *saddr, unsigned int len);
+-      int     (*parse)(const struct sk_buff *skb, unsigned char *haddr);
++      int     (*parse)(const struct sk_buff *skb,
++                       const struct net_device *dev,
++                       unsigned char *haddr);
+       int     (*cache)(const struct neighbour *neigh, struct hh_cache *hh, __be16 type);
+       void    (*cache_update)(struct hh_cache *hh,
+                               const struct net_device *dev,
+@@ -3163,7 +3165,7 @@ static inline int dev_parse_header(const struct sk_buff *skb,
+       if (!dev->header_ops || !dev->header_ops->parse)
+               return 0;
+-      return dev->header_ops->parse(skb, haddr);
++      return dev->header_ops->parse(skb, dev, haddr);
+ }
+ static inline __be16 dev_parse_header_protocol(const struct sk_buff *skb)
+diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c
+index 43e211e611b16..ca4e3a01237d0 100644
+--- a/net/ethernet/eth.c
++++ b/net/ethernet/eth.c
+@@ -193,14 +193,11 @@ __be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev)
+ }
+ EXPORT_SYMBOL(eth_type_trans);
+-/**
+- * eth_header_parse - extract hardware address from packet
+- * @skb: packet to extract header from
+- * @haddr: destination buffer
+- */
+-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++                   unsigned char *haddr)
+ {
+       const struct ethhdr *eth = eth_hdr(skb);
++
+       memcpy(haddr, eth->h_source, ETH_ALEN);
+       return ETH_ALEN;
+ }
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index be85dbe74ac8c..084556b03a2e2 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -917,7 +917,8 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
+       return -(t->hlen + sizeof(*iph));
+ }
+-static int ipgre_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++static int ipgre_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++                            unsigned char *haddr)
+ {
+       const struct iphdr *iph = (const struct iphdr *) skb_mac_header(skb);
+       memcpy(haddr, &iph->saddr, 4);
+diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
+index 9e4631fade90c..000be60d95803 100644
+--- a/net/mac802154/iface.c
++++ b/net/mac802154/iface.c
+@@ -469,7 +469,9 @@ static int mac802154_header_create(struct sk_buff *skb,
+ }
+ static int
+-mac802154_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++mac802154_header_parse(const struct sk_buff *skb,
++                     const struct net_device *dev,
++                     unsigned char *haddr)
+ {
+       struct ieee802154_hdr hdr;
+diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c
+index a27efa4faa4ef..532ee4e10ba94 100644
+--- a/net/phonet/af_phonet.c
++++ b/net/phonet/af_phonet.c
+@@ -129,9 +129,12 @@ static int pn_header_create(struct sk_buff *skb, struct net_device *dev,
+       return 1;
+ }
+-static int pn_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++static int pn_header_parse(const struct sk_buff *skb,
++                         const struct net_device *dev,
++                         unsigned char *haddr)
+ {
+       const u8 *media = skb_mac_header(skb);
++
+       *haddr = *media;
+       return 1;
+ }
+-- 
+2.51.0
+
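Review bot: In net/ethernet/eth.c the kernel-doc block for eth_header_parse() is deleted together with the old signature instead of being updated for the new parameter, so an exported symbol loses its documentation. Restoring it with the existing @skb and @haddr lines plus `@dev: device to parse for; the leaf device, not necessarily skb->dev` would keep the API documented, and the same remark belongs on the header_ops.parse member in netdevice.h, since the whole point of the change is that bond_header_parse() now passes slave->dev rather than the hierarchy top that skb->dev points to. The unused dev parameter in the eth, ipgre, mac802154 and phonet parsers is expected given the uniform callback type. Any header_ops implementer missing from the diffstat should surface as an incompatible function pointer diagnostic at its ops table, so missed conversions would be caught at build time rather than at runtime.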
diff --git a/queue-6.12/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch b/queue-6.12/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch
new file mode 100644 (file)
index 0000000..aab6e0a
--- /dev/null
@@ -0,0 +1,75 @@
+From 533c5d5cd9d9387b5531603e0c417ea9d91fff63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 03:18:09 +0900
+Subject: bridge: cfm: Fix race condition in peer_mep deletion
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit 3715a00855316066cdda69d43648336367422127 ]
+
+When a peer MEP is being deleted, cancel_delayed_work_sync() is called
+on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in
+softirq context under rcu_read_lock (without RTNL) and can re-schedule
+ccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync()
+returning and kfree_rcu() being called.
+
+The following is a simple race scenario:
+
+           cpu0                                     cpu1
+
+mep_delete_implementation()
+  cancel_delayed_work_sync(ccm_rx_dwork);
+                                           br_cfm_frame_rx()
+                                             // peer_mep still in hlist
+                                             if (peer_mep->ccm_defect)
+                                               ccm_rx_timer_start()
+                                                 queue_delayed_work(ccm_rx_dwork)
+  hlist_del_rcu(&peer_mep->head);
+  kfree_rcu(peer_mep, rcu);
+                                           ccm_rx_work_expired()
+                                             // on freed peer_mep
+
+To prevent this, cancel_delayed_work_sync() is replaced with
+disable_delayed_work_sync() in both peer MEP deletion paths, so
+that subsequent queue_delayed_work() calls from br_cfm_frame_rx()
+are silently rejected.
+
+The cc_peer_disable() helper retains cancel_delayed_work_sync()
+because it is also used for the CC enable/disable toggle path where
+the work must remain re-schedulable.
+
+Fixes: dc32cbb3dbd7 ("bridge: cfm: Kernel space implementation of CFM. CCM frame RX added.")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/abBgYT5K_FI9rD1a@v4bel
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_cfm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bridge/br_cfm.c b/net/bridge/br_cfm.c
+index a3c755d0a09de..ffa571e38c540 100644
+--- a/net/bridge/br_cfm.c
++++ b/net/bridge/br_cfm.c
+@@ -576,7 +576,7 @@ static void mep_delete_implementation(struct net_bridge *br,
+       /* Empty and free peer MEP list */
+       hlist_for_each_entry_safe(peer_mep, n_store, &mep->peer_mep_list, head) {
+-              cancel_delayed_work_sync(&peer_mep->ccm_rx_dwork);
++              disable_delayed_work_sync(&peer_mep->ccm_rx_dwork);
+               hlist_del_rcu(&peer_mep->head);
+               kfree_rcu(peer_mep, rcu);
+       }
+@@ -732,7 +732,7 @@ int br_cfm_cc_peer_mep_remove(struct net_bridge *br, const u32 instance,
+               return -ENOENT;
+       }
+-      cc_peer_disable(peer_mep);
++      disable_delayed_work_sync(&peer_mep->ccm_rx_dwork);
+       hlist_del_rcu(&peer_mep->head);
+       kfree_rcu(peer_mep, rcu);
+-- 
+2.51.0
+
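Review bot: Both replaced calls in br_cfm.c read as a plain rename from cancel to disable, with nothing at the call sites explaining why cancel_delayed_work_sync() was insufficient, which invites a later "simplification" back to the racy form. A comment at the first site in mep_delete_implementation(), mirrored in br_cfm_cc_peer_mep_remove(), would capture the race: `/* disable, not cancel: br_cfm_frame_rx() may still re-arm this work under RCU until kfree_rcu() completes */`. In br_cfm_cc_peer_mep_remove() the cc_peer_disable() call is dropped entirely rather than wrapped; if that helper does anything beyond cancelling the work (its body is outside the hunk), that behaviour is lost on the remove path, so it is worth confirming it was only the cancel. Both enclosing functions start and end outside the hunks.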
diff --git a/queue-6.12/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch b/queue-6.12/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch
new file mode 100644 (file)
index 0000000..5beb113
--- /dev/null
@@ -0,0 +1,99 @@
+From 30e3decefb73f64b206301d2a97d1914021dd82b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Mar 2026 16:57:43 +0000
+Subject: btrfs: log new dentries when logging parent dir of a conflicting
+ inode
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 9573a365ff9ff45da9222d3fe63695ce562beb24 ]
+
+If we log the parent directory of a conflicting inode, we are not logging
+the new dentries of the directory, so when we finish we have the parent
+directory's inode marked as logged but we did not log its new dentries.
+As a consequence if the parent directory is explicitly fsynced later and
+it does not have any new changes since we logged it, the fsync is a no-op
+and after a power failure the new dentries are missing.
+
+Example scenario:
+
+  $ mkdir foo
+
+  $ sync
+
+  $rmdir foo
+
+  $ mkdir dir1
+  $ mkdir dir2
+
+  # A file with the same name and parent as the directory we just deleted
+  # and was persisted in a past transaction. So the deleted directory's
+  # inode is a conflicting inode of this new file's inode.
+  $ touch foo
+
+  $ ln foo dir2/link
+
+  # The fsync on dir2 will log the parent directory (".") because the
+  # conflicting inode (deleted directory) does not exists anymore, but it
+  # it does not log its new dentries (dir1).
+  $ xfs_io -c "fsync" dir2
+
+  # This fsync on the parent directory is no-op, since the previous fsync
+  # logged it (but without logging its new dentries).
+  $ xfs_io -c "fsync" .
+
+  <power failure>
+
+  # After log replay dir1 is missing.
+
+Fix this by ensuring we log new dir dentries whenever we log the parent
+directory of a no longer existing conflicting inode.
+
+A test case for fstests will follow soon.
+
+Reported-by: Vyacheslav Kovalevsky <slava.kovalevskiy.2014@gmail.com>
+Link: https://lore.kernel.org/linux-btrfs/182055fa-e9ce-4089-9f5f-4b8a23e8dd91@gmail.com/
+Fixes: a3baaf0d786e ("Btrfs: fix fsync after succession of renames and unlink/rmdir")
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index fa1199fb6b3dd..28dcf8a8997b5 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -5886,6 +5886,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans,
+                                 struct btrfs_root *root,
+                                 struct btrfs_log_ctx *ctx)
+ {
++      const bool orig_log_new_dentries = ctx->log_new_dentries;
+       int ret = 0;
+       /*
+@@ -5947,7 +5948,11 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans,
+                        * dir index key range logged for the directory. So we
+                        * must make sure the deletion is recorded.
+                        */
++                      ctx->log_new_dentries = false;
+                       ret = btrfs_log_inode(trans, inode, LOG_INODE_ALL, ctx);
++                      if (!ret && ctx->log_new_dentries)
++                              ret = log_new_dir_dentries(trans, inode, ctx);
++
+                       btrfs_add_delayed_iput(inode);
+                       if (ret)
+                               break;
+@@ -5982,6 +5987,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans,
+                       break;
+       }
++      ctx->log_new_dentries = orig_log_new_dentries;
+       ctx->logging_conflict_inodes = false;
+       if (ret)
+               free_conflicting_inodes(ctx);
+-- 
+2.51.0
+
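Review bot: The save/restore of ctx->log_new_dentries brackets the whole loop in log_conflicting_inodes(), but the loop body between the hunks is not visible here; if any path inside it leaves the function with `return` rather than `break`, the caller's flag would stay cleared. The restore at the end relies on every exit funnelling through it, so the unseen part of the loop should be checked for early returns. A short comment on the clear would also make the handshake explicit: `/* cleared before btrfs_log_inode() so the check below reflects only this inode's new dentries */`. The function's body continues outside the hunks.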
diff --git a/queue-6.12/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch b/queue-6.12/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch
new file mode 100644 (file)
index 0000000..a3c0e53
--- /dev/null
@@ -0,0 +1,38 @@
+From ed254ebdc643d4380e0ace97024527e2cb31a923 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 08:33:21 +0800
+Subject: btrfs: tree-checker: fix misleading root drop_level error message
+
+From: ZhengYuan Huang <gality369@gmail.com>
+
+[ Upstream commit fc1cd1f18c34f91e78362f9629ab9fd43b9dcab9 ]
+
+Fix tree-checker error message to report "invalid root drop_level"
+instead of the misleading "invalid root level".
+
+Fixes: 259ee7754b67 ("btrfs: tree-checker: Add ROOT_ITEM check")
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-checker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
+index 60bba7fbeb351..7e9475e2a047b 100644
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -1244,7 +1244,7 @@ static int check_root_item(struct extent_buffer *leaf, struct btrfs_key *key,
+       }
+       if (unlikely(btrfs_root_drop_level(&ri) >= BTRFS_MAX_LEVEL)) {
+               generic_err(leaf, slot,
+-                          "invalid root level, have %u expect [0, %u]",
++                          "invalid root drop_level, have %u expect [0, %u]",
+                           btrfs_root_drop_level(&ri), BTRFS_MAX_LEVEL - 1);
+               return -EUCLEAN;
+       }
+-- 
+2.51.0
+
diff --git a/queue-6.12/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch b/queue-6.12/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch
new file mode 100644 (file)
index 0000000..0a6343c
--- /dev/null
@@ -0,0 +1,46 @@
+From 4952e8ca24d5a04fde74ebd548acca93ec6ab3f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Jan 2026 01:49:09 +0800
+Subject: cache: ax45mp: Fix device node reference leak in ax45mp_cache_init()
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit 0528a348b04b327a4611e29589beb4c9ae81304a ]
+
+In ax45mp_cache_init(), of_find_matching_node() returns a device node
+with an incremented reference count that must be released with
+of_node_put(). The current code fails to call of_node_put() which
+causes a reference leak.
+
+Use the __free(device_node) attribute to ensure automatic cleanup when
+the variable goes out of scope.
+
+Fixes: d34599bcd2e4 ("cache: Add L2 cache management for Andes AX45MP RISC-V core")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cache/ax45mp_cache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cache/ax45mp_cache.c b/drivers/cache/ax45mp_cache.c
+index 1d7dd3d2c101c..934c5087ec2bd 100644
+--- a/drivers/cache/ax45mp_cache.c
++++ b/drivers/cache/ax45mp_cache.c
+@@ -178,11 +178,11 @@ static const struct of_device_id ax45mp_cache_ids[] = {
+ static int __init ax45mp_cache_init(void)
+ {
+-      struct device_node *np;
+       struct resource res;
+       int ret;
+-      np = of_find_matching_node(NULL, ax45mp_cache_ids);
++      struct device_node *np __free(device_node) =
++              of_find_matching_node(NULL, ax45mp_cache_ids);
+       if (!of_device_is_available(np))
+               return -ENODEV;
+-- 
+2.51.0
+
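Review bot: Converting np to `__free(device_node)` in ax45mp_cache_init() makes of_node_put() run on every return, including the paths in the rest of the function that are outside this hunk; that is only correct if nothing there stores np beyond the function's lifetime or calls of_node_put(np) itself, which would now drop the reference twice. The same check applies to the identical change in starlink_cache_init() in the following patch. Both function bodies end outside their hunks.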
diff --git a/queue-6.12/cache-starfive-fix-device-node-leak-in-starlink_cach.patch b/queue-6.12/cache-starfive-fix-device-node-leak-in-starlink_cach.patch
new file mode 100644 (file)
index 0000000..9a813d9
--- /dev/null
@@ -0,0 +1,44 @@
+From 52d2e36872ed75a2ac5c7d63cb401099c98f0e99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Jan 2026 01:13:45 +0800
+Subject: cache: starfive: fix device node leak in starlink_cache_init()
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit 3c85234b979af71cb9db5eb976ea08a468415767 ]
+
+of_find_matching_node() returns a device_node with refcount incremented.
+
+Use __free(device_node) attribute to automatically call of_node_put()
+when the variable goes out of scope, preventing the refcount leak.
+
+Fixes: cabff60ca77d ("cache: Add StarFive StarLink cache management")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cache/starfive_starlink_cache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cache/starfive_starlink_cache.c b/drivers/cache/starfive_starlink_cache.c
+index 24c7d078ca227..3a25d2d7c70ca 100644
+--- a/drivers/cache/starfive_starlink_cache.c
++++ b/drivers/cache/starfive_starlink_cache.c
+@@ -102,11 +102,11 @@ static const struct of_device_id starlink_cache_ids[] = {
+ static int __init starlink_cache_init(void)
+ {
+-      struct device_node *np;
+       u32 block_size;
+       int ret;
+-      np = of_find_matching_node(NULL, starlink_cache_ids);
++      struct device_node *np __free(device_node) =
++              of_find_matching_node(NULL, starlink_cache_ids);
+       if (!of_device_is_available(np))
+               return -ENODEV;
+-- 
+2.51.0
+
diff --git a/queue-6.12/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch b/queue-6.12/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch
new file mode 100644 (file)
index 0000000..8ad6773
--- /dev/null
@@ -0,0 +1,116 @@
+From 4b4895ebac042d6ae5eeb8dceec184415b1faae8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 07:55:31 +0100
+Subject: clsact: Fix use-after-free in init/destroy rollback asymmetry
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit a0671125d4f55e1e98d9bde8a0b671941987e208 ]
+
+Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry.
+The latter is achieved by first fully initializing a clsact instance, and
+then in a second step having a replacement failure for the new clsact qdisc
+instance. clsact_init() initializes ingress first and then takes care of the
+egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon
+failure, the kernel will trigger the clsact_destroy() callback.
+
+Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the
+way how the transition is happening. If tcf_block_get_ext on the q->ingress_block
+ends up failing, we took the tcx_miniq_inc reference count on the ingress
+side, but not yet on the egress side. clsact_destroy() tests whether the
+{ingress,egress}_entry was non-NULL. However, even in midway failure on the
+replacement, both are in fact non-NULL with a valid egress_entry from the
+previous clsact instance.
+
+What we really need to test for is whether the qdisc instance-specific ingress
+or egress side previously got initialized. This adds a small helper for checking
+the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon
+clsact_destroy() in order to fix the use-after-free scenario. Convert the
+ingress_destroy() side as well so both are consistent to each other.
+
+Fixes: 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry")
+Reported-by: Keenan Dong <keenanat2000@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Martin KaFai Lau <martin.lau@kernel.org>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://patch.msgid.link/20260313065531.98639-1-daniel@iogearbox.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sch_generic.h |  5 +++++
+ net/sched/sch_ingress.c   | 14 ++++++++------
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index 28a7aaa4c0cdf..d3e1f91f81cde 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -1406,6 +1406,11 @@ void mini_qdisc_pair_init(struct mini_Qdisc_pair *miniqp, struct Qdisc *qdisc,
+ void mini_qdisc_pair_block_init(struct mini_Qdisc_pair *miniqp,
+                               struct tcf_block *block);
++static inline bool mini_qdisc_pair_inited(struct mini_Qdisc_pair *miniqp)
++{
++      return !!miniqp->p_miniq;
++}
++
+ void mq_change_real_num_tx(struct Qdisc *sch, unsigned int new_real_tx);
+ int sch_frag_xmit_hook(struct sk_buff *skb, int (*xmit)(struct sk_buff *skb));
+diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c
+index cc6051d4f2ef8..c3e18bae8fbfc 100644
+--- a/net/sched/sch_ingress.c
++++ b/net/sched/sch_ingress.c
+@@ -113,14 +113,15 @@ static void ingress_destroy(struct Qdisc *sch)
+ {
+       struct ingress_sched_data *q = qdisc_priv(sch);
+       struct net_device *dev = qdisc_dev(sch);
+-      struct bpf_mprog_entry *entry = rtnl_dereference(dev->tcx_ingress);
++      struct bpf_mprog_entry *entry;
+       if (sch->parent != TC_H_INGRESS)
+               return;
+       tcf_block_put_ext(q->block, sch, &q->block_info);
+-      if (entry) {
++      if (mini_qdisc_pair_inited(&q->miniqp)) {
++              entry = rtnl_dereference(dev->tcx_ingress);
+               tcx_miniq_dec(entry);
+               if (!tcx_entry_is_active(entry)) {
+                       tcx_entry_update(dev, NULL, true);
+@@ -290,10 +291,9 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt,
+ static void clsact_destroy(struct Qdisc *sch)
+ {
++      struct bpf_mprog_entry *ingress_entry, *egress_entry;
+       struct clsact_sched_data *q = qdisc_priv(sch);
+       struct net_device *dev = qdisc_dev(sch);
+-      struct bpf_mprog_entry *ingress_entry = rtnl_dereference(dev->tcx_ingress);
+-      struct bpf_mprog_entry *egress_entry = rtnl_dereference(dev->tcx_egress);
+       if (sch->parent != TC_H_CLSACT)
+               return;
+@@ -301,7 +301,8 @@ static void clsact_destroy(struct Qdisc *sch)
+       tcf_block_put_ext(q->ingress_block, sch, &q->ingress_block_info);
+       tcf_block_put_ext(q->egress_block, sch, &q->egress_block_info);
+-      if (ingress_entry) {
++      if (mini_qdisc_pair_inited(&q->miniqp_ingress)) {
++              ingress_entry = rtnl_dereference(dev->tcx_ingress);
+               tcx_miniq_dec(ingress_entry);
+               if (!tcx_entry_is_active(ingress_entry)) {
+                       tcx_entry_update(dev, NULL, true);
+@@ -309,7 +310,8 @@ static void clsact_destroy(struct Qdisc *sch)
+               }
+       }
+-      if (egress_entry) {
++      if (mini_qdisc_pair_inited(&q->miniqp_egress)) {
++              egress_entry = rtnl_dereference(dev->tcx_egress);
+               tcx_miniq_dec(egress_entry);
+               if (!tcx_entry_is_active(egress_entry)) {
+                       tcx_entry_update(dev, NULL, false);
+-- 
+2.51.0
+
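Review bot: The new mini_qdisc_pair_inited() helper in sch_generic.h takes a non-const pointer and uses `!!` to coerce to bool, neither of which a read-only predicate needs; `static inline bool mini_qdisc_pair_inited(const struct mini_Qdisc_pair *miniqp)` with `return miniqp->p_miniq != NULL;` reads more directly and lets const callers use it. A comment stating what makes p_miniq the initialization marker would also help, e.g. `/* p_miniq is set only by mini_qdisc_pair_init(), so it doubles as an "initialized" flag */`, assuming that is indeed the only assignment (mini_qdisc_pair_init() is not in the hunk). In ingress_destroy() and clsact_destroy() the rtnl_dereference() results are now passed to tcx_miniq_dec() without a NULL check, relying on "pair inited" implying a tcx entry exists; that seems to hold if tcx_miniq_inc was what created the entry, but a one-line comment at the first site would make the invariant explicit. Both destroy functions end outside the hunks.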
diff --git a/queue-6.12/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch b/queue-6.12/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch
new file mode 100644 (file)
index 0000000..f1e7c8e
--- /dev/null
@@ -0,0 +1,77 @@
+From a537951e04626deda029ef0756af8947c7ef6522 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 12:09:53 +0000
+Subject: firmware: arm_ffa: Remove vm_id argument in ffa_rxtx_unmap()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yeoreum Yun <yeoreum.yun@arm.com>
+
+[ Upstream commit a4e8473b775160f3ce978f621cf8dea2c7250433 ]
+
+According to the FF-A specification (DEN0077, v1.1, Â§13.7), when
+FFA_RXTX_UNMAP is invoked from any instance other than non-secure
+physical, the w1 register must be zero (MBZ). If a non-zero value is
+supplied in this context, the SPMC must return FFA_INVALID_PARAMETER.
+
+The Arm FF-A driver operates exclusively as a guest or non-secure
+physical instance where the partition ID is always zero and is not
+invoked from a hypervisor context where w1 carries a VM ID. In this
+execution model, the partition ID observed by the driver is always zero,
+and passing a VM ID is unnecessary and potentially invalid.
+
+Remove the vm_id parameter from ffa_rxtx_unmap() and ensure that the
+SMC call is issued with w1 implicitly zeroed, as required by the
+specification. This prevents invalid parameter errors and aligns the
+implementation with the defined FF-A ABI behavior.
+
+Fixes: 3bbfe9871005 ("firmware: arm_ffa: Add initial Arm FFA driver support")
+Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
+Message-Id: <20260304120953.847671-1-yeoreum.yun@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_ffa/driver.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
+index 9516ee870cd25..bec1fbaff7f34 100644
+--- a/drivers/firmware/arm_ffa/driver.c
++++ b/drivers/firmware/arm_ffa/driver.c
+@@ -206,12 +206,12 @@ static int ffa_rxtx_map(phys_addr_t tx_buf, phys_addr_t rx_buf, u32 pg_cnt)
+       return 0;
+ }
+-static int ffa_rxtx_unmap(u16 vm_id)
++static int ffa_rxtx_unmap(void)
+ {
+       ffa_value_t ret;
+       invoke_ffa_fn((ffa_value_t){
+-                    .a0 = FFA_RXTX_UNMAP, .a1 = PACK_TARGET_INFO(vm_id, 0),
++                    .a0 = FFA_RXTX_UNMAP,
+                     }, &ret);
+       if (ret.a0 == FFA_ERROR)
+@@ -1832,7 +1832,7 @@ static int __init ffa_init(void)
+ cleanup_notifs:
+       ffa_notifications_cleanup();
+-      ffa_rxtx_unmap(drv_info->vm_id);
++      ffa_rxtx_unmap();
+ free_pages:
+       if (drv_info->tx_buffer)
+               free_pages_exact(drv_info->tx_buffer, rxtx_bufsz);
+@@ -1847,7 +1847,7 @@ static void __exit ffa_exit(void)
+ {
+       ffa_notifications_cleanup();
+       ffa_partitions_cleanup();
+-      ffa_rxtx_unmap(drv_info->vm_id);
++      ffa_rxtx_unmap();
+       free_pages_exact(drv_info->tx_buffer, drv_info->rxtx_bufsz);
+       free_pages_exact(drv_info->rx_buffer, drv_info->rxtx_bufsz);
+       kfree(drv_info);
+-- 
+2.51.0
+
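Review bot: The reason a1 is now left at zero in ffa_rxtx_unmap() lives only in the commit message; a one-line comment on the invoke_ffa_fn() call would stop a later change from re-adding a partition ID to w1, e.g. `/* w1 must be zero (MBZ) for guest / non-secure physical instances, DEN0077 v1.1 §13.7 */`. The compound literal zero-initialises every member that is not named, so `.a1` is zero without being spelled out, and the comment is what makes that intent rather than accident. The FFA_ERROR check that follows the call continues outside the hunk.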
diff --git a/queue-6.12/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch b/queue-6.12/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch
new file mode 100644 (file)
index 0000000..af3b96d
--- /dev/null
@@ -0,0 +1,58 @@
+From b2aff40282ecdc3f3d158d2f6754b1173799f892 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 21:08:19 +0800
+Subject: firmware: arm_scpi: Fix device_node reference leak in probe path
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit 879c001afbac3df94160334fe5117c0c83b2cf48 ]
+
+A device_node reference obtained from the device tree is not released
+on all error paths in the arm_scpi probe path. Specifically, a node
+returned by of_parse_phandle() could be leaked when the probe failed
+after the node was acquired. The probe function returns early and
+the shmem reference is not released.
+
+Use __free(device_node) scope-based cleanup to automatically release
+the reference when the variable goes out of scope.
+
+Fixes: ed7ecb883901 ("firmware: arm_scpi: Add compatibility checks for shmem node")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Message-Id: <20260121-arm_scpi_2-v2-1-702d7fa84acb@gmail.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scpi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c
+index f4d47577f83ee..2d33771917bb4 100644
+--- a/drivers/firmware/arm_scpi.c
++++ b/drivers/firmware/arm_scpi.c
+@@ -18,6 +18,7 @@
+ #include <linux/bitmap.h>
+ #include <linux/bitfield.h>
++#include <linux/cleanup.h>
+ #include <linux/device.h>
+ #include <linux/err.h>
+ #include <linux/export.h>
+@@ -940,13 +941,13 @@ static int scpi_probe(struct platform_device *pdev)
+               int idx = scpi_drvinfo->num_chans;
+               struct scpi_chan *pchan = scpi_drvinfo->channels + idx;
+               struct mbox_client *cl = &pchan->cl;
+-              struct device_node *shmem = of_parse_phandle(np, "shmem", idx);
++              struct device_node *shmem __free(device_node) =
++                      of_parse_phandle(np, "shmem", idx);
+               if (!of_match_node(shmem_of_match, shmem))
+                       return -ENXIO;
+               ret = of_address_to_resource(shmem, 0, &res);
+-              of_node_put(shmem);
+               if (ret) {
+                       dev_err(dev, "failed to get SCPI payload mem resource\n");
+                       return ret;
+-- 
+2.51.0
+
diff --git a/queue-6.12/iavf-fix-vlan-filter-lost-on-add-delete-race.patch b/queue-6.12/iavf-fix-vlan-filter-lost-on-add-delete-race.patch
new file mode 100644 (file)
index 0000000..a9d8e11
--- /dev/null
@@ -0,0 +1,70 @@
+From 376335457549fca5774f326032a7c05878f3800d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 11:01:37 +0100
+Subject: iavf: fix VLAN filter lost on add/delete race
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit fc9c69be594756b81b54c6bc40803fa6052f35ae ]
+
+When iavf_add_vlan() finds an existing filter in IAVF_VLAN_REMOVE
+state, it transitions the filter to IAVF_VLAN_ACTIVE assuming the
+pending delete can simply be cancelled. However, there is no guarantee
+that iavf_del_vlans() has not already processed the delete AQ request
+and removed the filter from the PF. In that case the filter remains in
+the driver's list as IAVF_VLAN_ACTIVE but is no longer programmed on
+the NIC. Since iavf_add_vlans() only picks up filters in
+IAVF_VLAN_ADD state, the filter is never re-added, and spoof checking
+drops all traffic for that VLAN.
+
+  CPU0                       CPU1                     Workqueue
+  ----                       ----                     ---------
+  iavf_del_vlan(vlan 100)
+    f->state = REMOVE
+    schedule AQ_DEL_VLAN
+                             iavf_add_vlan(vlan 100)
+                               f->state = ACTIVE
+                                                      iavf_del_vlans()
+                                                        f is ACTIVE, skip
+                                                      iavf_add_vlans()
+                                                        f is ACTIVE, skip
+
+  Filter is ACTIVE in driver but absent from NIC.
+
+Transition to IAVF_VLAN_ADD instead and schedule
+IAVF_FLAG_AQ_ADD_VLAN_FILTER so iavf_add_vlans() re-programs the
+filter.  A duplicate add is idempotent on the PF.
+
+Fixes: 0c0da0e95105 ("iavf: refactor VLAN filter states")
+Signed-off-by: Petr Oros <poros@redhat.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index dcd4f172ddc8a..5f07f37933a04 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -774,10 +774,13 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter,
+               adapter->num_vlan_filters++;
+               iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER);
+       } else if (f->state == IAVF_VLAN_REMOVE) {
+-              /* IAVF_VLAN_REMOVE means that VLAN wasn't yet removed.
+-               * We can safely only change the state here.
++              /* Re-add the filter since we cannot tell whether the
++               * pending delete has already been processed by the PF.
++               * A duplicate add is harmless.
+                */
+-              f->state = IAVF_VLAN_ACTIVE;
++              f->state = IAVF_VLAN_ADD;
++              iavf_schedule_aq_request(adapter,
++                                       IAVF_FLAG_AQ_ADD_VLAN_FILTER);
+       }
+ clearout:
+-- 
+2.51.0
+
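Review bot: The new `iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER);` call is wrapped across two lines, while the identical call at the same indentation a few lines above in this hunk sits on one line; keeping both on one line is the consistent choice. The new comment explains why a re-add is needed but not how the pending delete is cancelled; adding `iavf_del_vlans() only acts on IAVF_VLAN_REMOVE filters, so the state change alone drops the pending delete` ties the code to the race described in the commit message. iavf_add_vlan() begins and ends outside the hunk.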
diff --git a/queue-6.12/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch b/queue-6.12/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
new file mode 100644 (file)
index 0000000..815136d
--- /dev/null
@@ -0,0 +1,68 @@
+From 6c23571e20241c2d1841dce977903a31b05cff34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 21:06:01 +0800
+Subject: icmp: fix NULL pointer dereference in icmp_tag_validation()
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit 614aefe56af8e13331e50220c936fc0689cf5675 ]
+
+icmp_tag_validation() unconditionally dereferences the result of
+rcu_dereference(inet_protos[proto]) without checking for NULL.
+The inet_protos[] array is sparse -- only about 15 of 256 protocol
+numbers have registered handlers. When ip_no_pmtu_disc is set to 3
+(hardened PMTU mode) and the kernel receives an ICMP Fragmentation
+Needed error with a quoted inner IP header containing an unregistered
+protocol number, the NULL dereference causes a kernel panic in
+softirq context.
+
+ Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
+ KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+ RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
+ Call Trace:
+  <IRQ>
+  icmp_rcv (net/ipv4/icmp.c:1527)
+  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
+  ip_local_deliver_finish (net/ipv4/ip_input.c:242)
+  ip_local_deliver (net/ipv4/ip_input.c:262)
+  ip_rcv (net/ipv4/ip_input.c:573)
+  __netif_receive_skb_one_core (net/core/dev.c:6164)
+  process_backlog (net/core/dev.c:6628)
+  handle_softirqs (kernel/softirq.c:561)
+  </IRQ>
+
+Add a NULL check before accessing icmp_strict_tag_validation. If the
+protocol has no registered handler, return false since it cannot
+perform strict tag validation.
+
+Fixes: 8ed1dc44d3e9 ("ipv4: introduce hardened ip_no_pmtu_disc mode")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Link: https://patch.msgid.link/20260318130558.1050247-4-bestswngs@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 8ab51b51cc9b2..58feb21ff967d 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -877,10 +877,12 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info)
+ static bool icmp_tag_validation(int proto)
+ {
++      const struct net_protocol *ipprot;
+       bool ok;
+       rcu_read_lock();
+-      ok = rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation;
++      ipprot = rcu_dereference(inet_protos[proto]);
++      ok = ipprot ? ipprot->icmp_strict_tag_validation : false;
+       rcu_read_unlock();
+       return ok;
+ }
+-- 
+2.51.0
+
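Review bot: The NULL-tolerant lookup in icmp_tag_validation() is correct but carries no comment, and returning `false` for an unregistered protocol is a policy choice worth recording beside the ternary, e.g. `/* inet_protos[] is sparse; a protocol with no handler cannot request strict tag validation */`. The index `proto` is an int supplied by the caller from the quoted inner header (outside the hunk); the hunk relies on it staying within the array bounds, which is presumably guaranteed by a one-byte protocol field but is not visible here.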
diff --git a/queue-6.12/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch b/queue-6.12/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch
new file mode 100644 (file)
index 0000000..6c933b8
--- /dev/null
@@ -0,0 +1,45 @@
+From 96f0ffdd33449931c669635dce7f9985b87caaa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Feb 2026 19:46:32 +0000
+Subject: igc: fix missing update of skb->tail in igc_xmit_frame()
+
+From: Kohei Enju <kohei@enjuk.jp>
+
+[ Upstream commit 0ffba246652faf4a36aedc66059c2f94e4c83ea5 ]
+
+igc_xmit_frame() misses updating skb->tail when the packet size is
+shorter than the minimum one.
+Use skb_put_padto() in alignment with other Intel Ethernet drivers.
+
+Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers")
+Signed-off-by: Kohei Enju <kohei@enjuk.jp>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 18dad521aefcc..65134be59754f 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -1704,11 +1704,8 @@ static netdev_tx_t igc_xmit_frame(struct sk_buff *skb,
+       /* The minimum packet size with TCTL.PSP set is 17 so pad the skb
+        * in order to meet this minimum size requirement.
+        */
+-      if (skb->len < 17) {
+-              if (skb_padto(skb, 17))
+-                      return NETDEV_TX_OK;
+-              skb->len = 17;
+-      }
++      if (skb_put_padto(skb, 17))
++              return NETDEV_TX_OK;
+       return igc_xmit_frame_ring(skb, igc_tx_queue_mapping(adapter, skb));
+ }
+-- 
+2.51.0
+
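Review bot: `return NETDEV_TX_OK` after a failed skb_put_padto() in igc_xmit_frame() reads like an skb dropped on the floor, and the comment above the check says nothing about ownership; skb_put_padto() frees the skb itself on failure, so a short note keeps the next reader from adding a kfree_skb(), e.g. `/* skb_put_padto() frees the skb on failure, so it is consumed either way. */`. The existing comment could also say that the helper advances skb->tail along with skb->len, which is the defect the commit fixes. igc_xmit_frame() begins outside the hunk.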
diff --git a/queue-6.12/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch b/queue-6.12/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch
new file mode 100644 (file)
index 0000000..16387a7
--- /dev/null
@@ -0,0 +1,118 @@
+From 50fa98874afadbfc27e91730677f4794fcb0eb51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 10:58:29 +0100
+Subject: igc: fix page fault in XDP TX timestamps handling
+
+From: Zdenek Bouska <zdenek.bouska@siemens.com>
+
+[ Upstream commit 45b33e805bd39f615d9353a7194b2da5281332df ]
+
+If an XDP application that requested TX timestamping is shutting down
+while the link of the interface in use is still up the following kernel
+splat is reported:
+
+[  883.803618] [   T1554] BUG: unable to handle page fault for address: ffffcfb6200fd008
+...
+[  883.803650] [   T1554] Call Trace:
+[  883.803652] [   T1554]  <TASK>
+[  883.803654] [   T1554]  igc_ptp_tx_tstamp_event+0xdf/0x160 [igc]
+[  883.803660] [   T1554]  igc_tsync_interrupt+0x2d5/0x300 [igc]
+...
+
+During shutdown of the TX ring the xsk_meta pointers are left behind, so
+that the IRQ handler is trying to touch them.
+
+This issue is now being fixed by cleaning up the stale xsk meta data on
+TX shutdown. TX timestamps on other queues remain unaffected.
+
+Fixes: 15fd021bc427 ("igc: Add Tx hardware timestamp request for AF_XDP zero-copy packet")
+Signed-off-by: Zdenek Bouska <zdenek.bouska@siemens.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Florian Bezdeka <florian.bezdeka@siemens.com>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc.h      |  2 ++
+ drivers/net/ethernet/intel/igc/igc_main.c |  7 +++++
+ drivers/net/ethernet/intel/igc/igc_ptp.c  | 33 +++++++++++++++++++++++
+ 3 files changed, 42 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h
+index 79d5fc5ac4fce..24949a50037ef 100644
+--- a/drivers/net/ethernet/intel/igc/igc.h
++++ b/drivers/net/ethernet/intel/igc/igc.h
+@@ -745,6 +745,8 @@ ktime_t igc_ptp_rx_pktstamp(struct igc_adapter *adapter, __le32 *buf);
+ int igc_ptp_set_ts_config(struct net_device *netdev, struct ifreq *ifr);
+ int igc_ptp_get_ts_config(struct net_device *netdev, struct ifreq *ifr);
+ void igc_ptp_tx_hang(struct igc_adapter *adapter);
++void igc_ptp_clear_xsk_tx_tstamp_queue(struct igc_adapter *adapter,
++                                     u16 queue_id);
+ void igc_ptp_read(struct igc_adapter *adapter, struct timespec64 *ts);
+ void igc_ptp_tx_tstamp_event(struct igc_adapter *adapter);
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 65134be59754f..6fcf4fd7ee194 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -264,6 +264,13 @@ static void igc_clean_tx_ring(struct igc_ring *tx_ring)
+       /* reset next_to_use and next_to_clean */
+       tx_ring->next_to_use = 0;
+       tx_ring->next_to_clean = 0;
++
++      /* Clear any lingering XSK TX timestamp requests */
++      if (test_bit(IGC_RING_FLAG_TX_HWTSTAMP, &tx_ring->flags)) {
++              struct igc_adapter *adapter = netdev_priv(tx_ring->netdev);
++
++              igc_ptp_clear_xsk_tx_tstamp_queue(adapter, tx_ring->queue_index);
++      }
+ }
+ /**
+diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
+index a272d1a29eadb..9ff73e7532e5e 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
+@@ -587,6 +587,39 @@ static void igc_ptp_clear_tx_tstamp(struct igc_adapter *adapter)
+       spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags);
+ }
++/**
++ * igc_ptp_clear_xsk_tx_tstamp_queue - Clear pending XSK TX timestamps for a queue
++ * @adapter: Board private structure
++ * @queue_id: TX queue index to clear timestamps for
++ *
++ * Iterates over all TX timestamp registers and releases any pending
++ * timestamp requests associated with the given TX queue. This is
++ * called when an XDP pool is being disabled to ensure no stale
++ * timestamp references remain.
++ */
++void igc_ptp_clear_xsk_tx_tstamp_queue(struct igc_adapter *adapter, u16 queue_id)
++{
++      unsigned long flags;
++      int i;
++
++      spin_lock_irqsave(&adapter->ptp_tx_lock, flags);
++
++      for (i = 0; i < IGC_MAX_TX_TSTAMP_REGS; i++) {
++              struct igc_tx_timestamp_request *tstamp = &adapter->tx_tstamp[i];
++
++              if (tstamp->buffer_type != IGC_TX_BUFFER_TYPE_XSK)
++                      continue;
++              if (tstamp->xsk_queue_index != queue_id)
++                      continue;
++              if (!tstamp->xsk_tx_buffer)
++                      continue;
++
++              igc_ptp_free_tx_buffer(adapter, tstamp);
++      }
++
++      spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags);
++}
++
+ static void igc_ptp_disable_tx_timestamp(struct igc_adapter *adapter)
+ {
+       struct igc_hw *hw = &adapter->hw;
+-- 
+2.51.0
+
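Review bot: The kernel-doc for igc_ptp_clear_xsk_tx_tstamp_queue() says it is called when an XDP pool is being disabled, but the only caller this patch adds is igc_clean_tx_ring(), which runs on every TX ring clean; the comment should describe the actual call site, e.g. `This is called from igc_clean_tx_ring() so that no timestamp request keeps a pointer into a ring that is being torn down.` The call in igc_main.c is gated on IGC_RING_FLAG_TX_HWTSTAMP while the helper filters on IGC_TX_BUFFER_TYPE_XSK, the queue index and a non-NULL xsk_tx_buffer; a sentence on why the ring flag is the cheap pre-check would tie the two halves together. The rest of igc_clean_tx_ring() and igc_ptp_free_tx_buffer() are outside the hunk.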
diff --git a/queue-6.12/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch b/queue-6.12/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch
new file mode 100644 (file)
index 0000000..a5198e2
--- /dev/null
@@ -0,0 +1,37 @@
+From 7c831f5192324eadb5fe050ab6da308f73535517 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 23:35:09 +0100
+Subject: mpls: add missing unregister_netdevice_notifier to mpls_init
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 99600f79b28c83c68bae199a3d8e95049a758308 ]
+
+If mpls_init() fails after registering mpls_dev_notifier, it never
+gets removed. Add the missing unregister_netdevice_notifier() call to
+the error handling path.
+
+Fixes: 5be2062e3080 ("mpls: Handle error of rtnl_register_module().")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://patch.msgid.link/7c55363c4f743d19e2306204a134407c90a69bbb.1773228081.git.sd@queasysnail.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mpls/af_mpls.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
+index 3373b6b34dc7d..719dabb76ea21 100644
+--- a/net/mpls/af_mpls.c
++++ b/net/mpls/af_mpls.c
+@@ -2774,6 +2774,7 @@ static int __init mpls_init(void)
+ out_unregister_rtnl_af:
+       rtnl_af_unregister(&mpls_af_ops);
+       dev_remove_pack(&mpls_packet_type);
++      unregister_netdevice_notifier(&mpls_dev_notifier);
+ out_unregister_pernet:
+       unregister_pernet_subsys(&mpls_net_ops);
+       goto out;
+-- 
+2.51.0
+
diff --git a/queue-6.12/net-airoha-fix-pse-memory-configuration-in-airoha_fe.patch b/queue-6.12/net-airoha-fix-pse-memory-configuration-in-airoha_fe.patch
new file mode 100644 (file)
index 0000000..6885519
--- /dev/null
@@ -0,0 +1,51 @@
+From b614a63ee76d5a6157aa7a87cf2f889eb6f0681d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 12:10:25 +0200
+Subject: net: airoha: fix PSE memory configuration in
+ airoha_fe_pse_ports_init()
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 8e38e08f2c560328a873c35aff1a0dbea6a7d084 ]
+
+Align PSE memory configuration to vendor SDK. In particular, increase
+initial value of PSE reserved memory in airoha_fe_pse_ports_init()
+routine by the value used for the second Packet Processor Engine (PPE2)
+and do not overwrite the default value.
+
+Introduced by commit 23020f049327 ("net: airoha: Introduce ethernet support
+for EN7581 SoC")
+
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241001-airoha-eth-pse-fix-v2-2-9a56cdffd074@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: d4a533ad249e ("net: airoha: Remove airoha_dev_stop() in airoha_remove()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/airoha_eth.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mediatek/airoha_eth.c b/drivers/net/ethernet/mediatek/airoha_eth.c
+index 6aa764b542eb5..cd2e888a8c52e 100644
+--- a/drivers/net/ethernet/mediatek/airoha_eth.c
++++ b/drivers/net/ethernet/mediatek/airoha_eth.c
+@@ -1172,11 +1172,13 @@ static void airoha_fe_pse_ports_init(struct airoha_eth *eth)
+               [FE_PSE_PORT_GDM4] = 2,
+               [FE_PSE_PORT_CDM5] = 2,
+       };
++      u32 all_rsv;
+       int q;
++      all_rsv = airoha_fe_get_pse_all_rsv(eth);
+       /* hw misses PPE2 oq rsv */
+-      airoha_fe_set(eth, REG_FE_PSE_BUF_SET,
+-                    PSE_RSV_PAGES * pse_port_num_queues[FE_PSE_PORT_PPE2]);
++      all_rsv += PSE_RSV_PAGES * pse_port_num_queues[FE_PSE_PORT_PPE2];
++      airoha_fe_set(eth, REG_FE_PSE_BUF_SET, all_rsv);
+       /* CMD1 */
+       for (q = 0; q < pse_port_num_queues[FE_PSE_PORT_CDM1]; q++)
+-- 
+2.51.0
+
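Review bot: In airoha_fe_pse_ports_init() the summed `all_rsv` is written back with airoha_fe_set(), which by its name, and by contrast with the airoha_fe_rmw() used on the same register in the companion patch net-airoha-read-default-pse-reserved-pages-value-bef.patch in this commit, looks like a set-bits helper; OR-ing a new total into a register that still holds the old total only yields the new value when the old bits are a subset of the new ones, and the raw value is not placed with FIELD_PREP(PSE_ALLRSV_MASK, ...). If that reading of airoha_fe_set() is right, the write should be `airoha_fe_rmw(eth, REG_FE_PSE_BUF_SET, PSE_ALLRSV_MASK, FIELD_PREP(PSE_ALLRSV_MASK, all_rsv));`; if airoha_fe_set() is in fact a plain write, a comment saying so would remove the doubt. The remainder of airoha_fe_pse_ports_init() is outside the hunk.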
diff --git a/queue-6.12/net-airoha-read-completion-queue-data-in-airoha_qdma.patch b/queue-6.12/net-airoha-read-completion-queue-data-in-airoha_qdma.patch
new file mode 100644 (file)
index 0000000..4289234
--- /dev/null
@@ -0,0 +1,102 @@
+From 116d17b786de0bb22260b305666ad71db532d8e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 13:17:09 +0100
+Subject: net: airoha: Read completion queue data in airoha_qdma_tx_napi_poll()
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 3affa310de523d63e52ea8e2efb3c476df29e414 ]
+
+In order to avoid any possible race, read completion queue head and
+pending entry in airoha_qdma_tx_napi_poll routine instead of doing it in
+airoha_irq_handler. Remove unused airoha_tx_irq_queue unused fields.
+This is a preliminary patch to add Qdisc offload for airoha_eth driver.
+
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://patch.msgid.link/20241029-airoha-en7581-tx-napi-work-v1-1-96ad1686b946@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: d4a533ad249e ("net: airoha: Remove airoha_dev_stop() in airoha_remove()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/airoha_eth.c | 31 +++++++++-------------
+ 1 file changed, 13 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/ethernet/mediatek/airoha_eth.c b/drivers/net/ethernet/mediatek/airoha_eth.c
+index cd2e888a8c52e..1dc051749603e 100644
+--- a/drivers/net/ethernet/mediatek/airoha_eth.c
++++ b/drivers/net/ethernet/mediatek/airoha_eth.c
+@@ -752,11 +752,9 @@ struct airoha_tx_irq_queue {
+       struct airoha_qdma *qdma;
+       struct napi_struct napi;
+-      u32 *q;
+       int size;
+-      int queued;
+-      u16 head;
++      u32 *q;
+ };
+ struct airoha_hw_stats {
+@@ -1655,25 +1653,31 @@ static int airoha_qdma_init_rx(struct airoha_qdma *qdma)
+ static int airoha_qdma_tx_napi_poll(struct napi_struct *napi, int budget)
+ {
+       struct airoha_tx_irq_queue *irq_q;
++      int id, done = 0, irq_queued;
+       struct airoha_qdma *qdma;
+       struct airoha_eth *eth;
+-      int id, done = 0;
++      u32 status, head;
+       irq_q = container_of(napi, struct airoha_tx_irq_queue, napi);
+       qdma = irq_q->qdma;
+       id = irq_q - &qdma->q_tx_irq[0];
+       eth = qdma->eth;
+-      while (irq_q->queued > 0 && done < budget) {
+-              u32 qid, last, val = irq_q->q[irq_q->head];
++      status = airoha_qdma_rr(qdma, REG_IRQ_STATUS(id));
++      head = FIELD_GET(IRQ_HEAD_IDX_MASK, status);
++      head = head % irq_q->size;
++      irq_queued = FIELD_GET(IRQ_ENTRY_LEN_MASK, status);
++
++      while (irq_queued > 0 && done < budget) {
++              u32 qid, last, val = irq_q->q[head];
+               struct airoha_queue *q;
+               if (val == 0xff)
+                       break;
+-              irq_q->q[irq_q->head] = 0xff; /* mark as done */
+-              irq_q->head = (irq_q->head + 1) % irq_q->size;
+-              irq_q->queued--;
++              irq_q->q[head] = 0xff; /* mark as done */
++              head = (head + 1) % irq_q->size;
++              irq_queued--;
+               done++;
+               last = FIELD_GET(IRQ_DESC_IDX_MASK, val);
+@@ -2023,20 +2027,11 @@ static irqreturn_t airoha_irq_handler(int irq, void *dev_instance)
+       if (intr[0] & INT_TX_MASK) {
+               for (i = 0; i < ARRAY_SIZE(qdma->q_tx_irq); i++) {
+-                      struct airoha_tx_irq_queue *irq_q = &qdma->q_tx_irq[i];
+-                      u32 status, head;
+-
+                       if (!(intr[0] & TX_DONE_INT_MASK(i)))
+                               continue;
+                       airoha_qdma_irq_disable(qdma, QDMA_INT_REG_IDX0,
+                                               TX_DONE_INT_MASK(i));
+-
+-                      status = airoha_qdma_rr(qdma, REG_IRQ_STATUS(i));
+-                      head = FIELD_GET(IRQ_HEAD_IDX_MASK, status);
+-                      irq_q->head = head % irq_q->size;
+-                      irq_q->queued = FIELD_GET(IRQ_ENTRY_LEN_MASK, status);
+-
+                       napi_schedule(&qdma->q_tx_irq[i].napi);
+               }
+       }
+-- 
+2.51.0
+
diff --git a/queue-6.12/net-airoha-read-default-pse-reserved-pages-value-bef.patch b/queue-6.12/net-airoha-read-default-pse-reserved-pages-value-bef.patch
new file mode 100644 (file)
index 0000000..c455a5e
--- /dev/null
@@ -0,0 +1,62 @@
+From 703ce5c0380843452b4a2024be85a56fd985f45d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 12:10:24 +0200
+Subject: net: airoha: read default PSE reserved pages value before updating
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 1f3e7ff4f296af1f4350f457d5bd82bc825e645a ]
+
+Store the default value for the number of PSE reserved pages in orig_val
+at the beginning of airoha_fe_set_pse_oq_rsv routine, before updating it
+with airoha_fe_set_pse_queue_rsv_pages().
+Introduce airoha_fe_get_pse_all_rsv utility routine.
+
+Introduced by commit 23020f049327 ("net: airoha: Introduce ethernet support
+for EN7581 SoC")
+
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241001-airoha-eth-pse-fix-v2-1-9a56cdffd074@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: d4a533ad249e ("net: airoha: Remove airoha_dev_stop() in airoha_remove()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/airoha_eth.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mediatek/airoha_eth.c b/drivers/net/ethernet/mediatek/airoha_eth.c
+index 20cf7ba9d7508..6aa764b542eb5 100644
+--- a/drivers/net/ethernet/mediatek/airoha_eth.c
++++ b/drivers/net/ethernet/mediatek/airoha_eth.c
+@@ -1116,17 +1116,23 @@ static void airoha_fe_set_pse_queue_rsv_pages(struct airoha_eth *eth,
+                     PSE_CFG_WR_EN_MASK | PSE_CFG_OQRSV_SEL_MASK);
+ }
++static u32 airoha_fe_get_pse_all_rsv(struct airoha_eth *eth)
++{
++      u32 val = airoha_fe_rr(eth, REG_FE_PSE_BUF_SET);
++
++      return FIELD_GET(PSE_ALLRSV_MASK, val);
++}
++
+ static int airoha_fe_set_pse_oq_rsv(struct airoha_eth *eth,
+                                   u32 port, u32 queue, u32 val)
+ {
+-      u32 orig_val, tmp, all_rsv, fq_limit;
++      u32 orig_val = airoha_fe_get_pse_queue_rsv_pages(eth, port, queue);
++      u32 tmp, all_rsv, fq_limit;
+       airoha_fe_set_pse_queue_rsv_pages(eth, port, queue, val);
+       /* modify all rsv */
+-      orig_val = airoha_fe_get_pse_queue_rsv_pages(eth, port, queue);
+-      tmp = airoha_fe_rr(eth, REG_FE_PSE_BUF_SET);
+-      all_rsv = FIELD_GET(PSE_ALLRSV_MASK, tmp);
++      all_rsv = airoha_fe_get_pse_all_rsv(eth);
+       all_rsv += (val - orig_val);
+       airoha_fe_rmw(eth, REG_FE_PSE_BUF_SET, PSE_ALLRSV_MASK,
+                     FIELD_PREP(PSE_ALLRSV_MASK, all_rsv));
+-- 
+2.51.0
+
diff --git a/queue-6.12/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch b/queue-6.12/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch
new file mode 100644 (file)
index 0000000..09c0191
--- /dev/null
@@ -0,0 +1,40 @@
+From 4bca766c287bcce10708e54d4a9e15d8fef5f2f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 12:27:00 +0100
+Subject: net: airoha: Remove airoha_dev_stop() in airoha_remove()
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit d4a533ad249e9fbdc2d0633f2ddd60a5b3a9a4ca ]
+
+Do not run airoha_dev_stop routine explicitly in airoha_remove()
+since ndo_stop() callback is already executed by unregister_netdev() in
+__dev_close_many routine if necessary and, doing so, we will end up causing
+an underflow in the qdma users atomic counters. Rely on networking subsystem
+to stop the device removing the airoha_eth module.
+
+Fixes: 23020f0493270 ("net: airoha: Introduce ethernet support for EN7581 SoC")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260313-airoha-remove-ndo_stop-remove-net-v2-1-67542c3ceeca@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/airoha_eth.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/airoha_eth.c b/drivers/net/ethernet/mediatek/airoha_eth.c
+index 1dc051749603e..da259c4b03fbf 100644
+--- a/drivers/net/ethernet/mediatek/airoha_eth.c
++++ b/drivers/net/ethernet/mediatek/airoha_eth.c
+@@ -2784,7 +2784,6 @@ static void airoha_remove(struct platform_device *pdev)
+               if (!port)
+                       continue;
+-              airoha_dev_stop(port->dev);
+               unregister_netdev(port->dev);
+       }
+       free_netdev(eth->napi_dev);
+-- 
+2.51.0
+
diff --git a/queue-6.12/net-bcmgenet-increase-wol-poll-timeout.patch b/queue-6.12/net-bcmgenet-increase-wol-poll-timeout.patch
new file mode 100644 (file)
index 0000000..5597905
--- /dev/null
@@ -0,0 +1,38 @@
+From 3405ce68d783ff6797279fca7232342a57ba0bc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 12:18:52 -0700
+Subject: net: bcmgenet: increase WoL poll timeout
+
+From: Justin Chen <justin.chen@broadcom.com>
+
+[ Upstream commit 6cfc3bc02b977f2fba5f7268e6504d1931a774f7 ]
+
+Some systems require more than 5ms to get into WoL mode. Increase the
+timeout value to 50ms.
+
+Fixes: c51de7f3976b ("net: bcmgenet: add Wake-on-LAN support code")
+Signed-off-by: Justin Chen <justin.chen@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20260312191852.3904571-1-justin.chen@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+index 3b082114f2e53..2033fb9d893e0 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+@@ -123,7 +123,7 @@ static int bcmgenet_poll_wol_status(struct bcmgenet_priv *priv)
+       while (!(bcmgenet_rbuf_readl(priv, RBUF_STATUS)
+               & RBUF_STATUS_WOL)) {
+               retries++;
+-              if (retries > 5) {
++              if (retries > 50) {
+                       netdev_crit(dev, "polling wol mode timeout\n");
+                       return -ETIMEDOUT;
+               }
+-- 
+2.51.0
+
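Review bot: The new bound `if (retries > 50) {` in bcmgenet_poll_wol_status() is still a bare literal, and the per-iteration delay that gives it meaning lies outside the hunk, so a reader cannot see from this line that the commit message's 50ms is what is intended. A named constant defined next to the delay (a constructed name such as `BCMGENET_WOL_POLL_RETRIES`, used as `if (retries > BCMGENET_WOL_POLL_RETRIES) {`) with a comment tying the count to the delay would make the timeout self-describing. The 1ms-per-retry relationship is only inferred from the message (5 retries → 5ms, 50 → 50ms) and should be confirmed against the delay call in the loop body.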
diff --git a/queue-6.12/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch b/queue-6.12/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
new file mode 100644 (file)
index 0000000..abfa0a7
--- /dev/null
@@ -0,0 +1,87 @@
+From a807199e89dbc3eff0c1c4694b1dc30e61a0e4ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 17:50:34 -0700
+Subject: net: bonding: fix NULL deref in bond_debug_rlb_hash_show
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit 605b52497bf89b3b154674deb135da98f916e390 ]
+
+rlb_clear_slave intentionally keeps RLB hash-table entries on
+the rx_hashtbl_used_head list with slave set to NULL when no
+replacement slave is available. However, bond_debug_rlb_hash_show
+visites client_info->slave without checking if it's NULL.
+
+Other used-list iterators in bond_alb.c already handle this NULL-slave
+state safely:
+
+- rlb_update_client returns early on !client_info->slave
+- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance
+compare slave values before visiting
+- lb_req_update_subnet_clients continues if slave is NULL
+
+The following NULL deref crash can be trigger in
+bond_debug_rlb_hash_show:
+
+[    1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[    1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)
+[    1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286
+[    1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204
+[    1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078
+[    1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000
+[    1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0
+[    1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8
+[    1.294864] FS:  0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000
+[    1.295239] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[    1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0
+[    1.295897] Call Trace:
+[    1.296134]  seq_read_iter (fs/seq_file.c:231)
+[    1.296341]  seq_read (fs/seq_file.c:164)
+[    1.296493]  full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))
+[    1.296658]  vfs_read (fs/read_write.c:572)
+[    1.296981]  ksys_read (fs/read_write.c:717)
+[    1.297132]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+[    1.297325]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+Add a NULL check and print "(none)" for entries with no assigned slave.
+
+Fixes: caafa84251b88 ("bonding: add the debugfs interface to see RLB hash table")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260317005034.1888794-1-xmei5@asu.edu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_debugfs.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_debugfs.c b/drivers/net/bonding/bond_debugfs.c
+index b19492a7f6ad1..3c1945c3e850a 100644
+--- a/drivers/net/bonding/bond_debugfs.c
++++ b/drivers/net/bonding/bond_debugfs.c
+@@ -34,11 +34,17 @@ static int bond_debug_rlb_hash_show(struct seq_file *m, void *v)
+       for (; hash_index != RLB_NULL_INDEX;
+            hash_index = client_info->used_next) {
+               client_info = &(bond_info->rx_hashtbl[hash_index]);
+-              seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n",
+-                      &client_info->ip_src,
+-                      &client_info->ip_dst,
+-                      &client_info->mac_dst,
+-                      client_info->slave->dev->name);
++              if (client_info->slave)
++                      seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n",
++                                 &client_info->ip_src,
++                                 &client_info->ip_dst,
++                                 &client_info->mac_dst,
++                                 client_info->slave->dev->name);
++              else
++                      seq_printf(m, "%-15pI4 %-15pI4 %-17pM (none)\n",
++                                 &client_info->ip_src,
++                                 &client_info->ip_dst,
++                                 &client_info->mac_dst);
+       }
+       spin_unlock_bh(&bond->mode_lock);
+-- 
+2.51.0
+
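Review bot: The if/else added in bond_debug_rlb_hash_show() duplicates the whole seq_printf() call, differing only in the last argument, so the two format strings can drift apart in a later edit. A single call with a conditional name, `seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", &client_info->ip_src, &client_info->ip_dst, &client_info->mac_dst, client_info->slave ? client_info->slave->dev->name : "(none)");`, keeps one format string and reads as the same row layout. Since the commit message says the NULL slave is an intentional state left by rlb_clear_slave(), a short comment on the check, e.g. `/* slave is NULL when rlb_clear_slave() found no replacement */`, would spare the next reader the archaeology. The function's header is outside the hunk.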
diff --git a/queue-6.12/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch b/queue-6.12/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
new file mode 100644 (file)
index 0000000..ff5486d
--- /dev/null
@@ -0,0 +1,59 @@
+From e573fe9dbf8d5b2f346b8ccd3a4b0d46a3ed5f40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 08:42:12 +0000
+Subject: net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths
+
+From: Anas Iqbal <mohd.abd.6602@gmail.com>
+
+[ Upstream commit b48731849609cbd8c53785a48976850b443153fd ]
+
+Smatch reports:
+drivers/net/dsa/bcm_sf2.c:997 bcm_sf2_sw_resume() warn:
+'priv->clk' from clk_prepare_enable() not released on lines: 983,990.
+
+The clock enabled by clk_prepare_enable() in bcm_sf2_sw_resume()
+is not released if bcm_sf2_sw_rst() or bcm_sf2_cfp_resume() fails.
+
+Add the missing clk_disable_unprepare() calls in the error paths
+to properly release the clock resource.
+
+Fixes: e9ec5c3bd238 ("net: dsa: bcm_sf2: request and handle clocks")
+Reviewed-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Anas Iqbal <mohd.abd.6602@gmail.com>
+Link: https://patch.msgid.link/20260318084212.1287-1-mohd.abd.6602@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/bcm_sf2.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
+index f1372830d5fa2..e680fff7d23fb 100644
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -980,15 +980,19 @@ static int bcm_sf2_sw_resume(struct dsa_switch *ds)
+       ret = bcm_sf2_sw_rst(priv);
+       if (ret) {
+               pr_err("%s: failed to software reset switch\n", __func__);
++              if (!priv->wol_ports_mask)
++                      clk_disable_unprepare(priv->clk);
+               return ret;
+       }
+       bcm_sf2_crossbar_setup(priv);
+       ret = bcm_sf2_cfp_resume(ds);
+-      if (ret)
++      if (ret) {
++              if (!priv->wol_ports_mask)
++                      clk_disable_unprepare(priv->clk);
+               return ret;
+-
++      }
+       if (priv->hw_params.num_gphy == 1)
+               bcm_sf2_gphy_enable_set(ds, true);
+-- 
+2.51.0
+
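Review bot: The conditional release `if (!priv->wol_ports_mask) clk_disable_unprepare(priv->clk);` is now duplicated in the two error paths of bcm_sf2_sw_resume(), so any further error return added between them, or in the tail of the function beyond the hunk, would have to copy it again. A goto-based cleanup label centralises the release; the enabling call and the function tail are outside the hunk, so the label placement below assumes the function currently ends with its existing success return. The `!priv->wol_ports_mask` condition is presumably the one that guards clk_prepare_enable() earlier in the function; that should be confirmed, since the release must mirror it exactly.
```c
	ret = bcm_sf2_sw_rst(priv);
	if (ret) {
		pr_err("%s: failed to software reset switch\n", __func__);
		goto out_clk;
	}
	bcm_sf2_crossbar_setup(priv);
	ret = bcm_sf2_cfp_resume(ds);
	if (ret)
		goto out_clk;
	/* … unchanged: gphy enable and the rest of resume, ending in the existing success return … */

out_clk:
	/* mirror the conditional clk_prepare_enable() earlier in the function */
	if (!priv->wol_ports_mask)
		clk_disable_unprepare(priv->clk);
	return ret;
```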
diff --git a/queue-6.12/net-macb-fix-uninitialized-rx_fs_lock.patch b/queue-6.12/net-macb-fix-uninitialized-rx_fs_lock.patch
new file mode 100644 (file)
index 0000000..4620e3d
--- /dev/null
@@ -0,0 +1,78 @@
+From 5f7786762e6f8360af75da4de8d4c1605b4de857 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 13:38:25 +0300
+Subject: net: macb: fix uninitialized rx_fs_lock
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 34b11cc56e4369bc08b1f4c4a04222d75ed596ce ]
+
+If hardware doesn't support RX Flow Filters, rx_fs_lock spinlock is not
+initialized leading to the following assertion splat triggerable via
+set_rxnfc callback.
+
+INFO: trying to register non-static key.
+The code is fine but needs lockdep annotation, or maybe
+you didn't initialize this object before use?
+turning off the locking correctness validator.
+CPU: 1 PID: 949 Comm: syz.0.6 Not tainted 6.1.164+ #113
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106
+ assign_lock_key kernel/locking/lockdep.c:974 [inline]
+ register_lock_class+0x141b/0x17f0 kernel/locking/lockdep.c:1287
+ __lock_acquire+0x74f/0x6c40 kernel/locking/lockdep.c:4928
+ lock_acquire kernel/locking/lockdep.c:5662 [inline]
+ lock_acquire+0x190/0x4b0 kernel/locking/lockdep.c:5627
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+ _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:162
+ gem_del_flow_filter drivers/net/ethernet/cadence/macb_main.c:3562 [inline]
+ gem_set_rxnfc+0x533/0xac0 drivers/net/ethernet/cadence/macb_main.c:3667
+ ethtool_set_rxnfc+0x18c/0x280 net/ethtool/ioctl.c:961
+ __dev_ethtool net/ethtool/ioctl.c:2956 [inline]
+ dev_ethtool+0x229c/0x6290 net/ethtool/ioctl.c:3095
+ dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510
+ sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215
+ sock_ioctl+0x577/0x6d0 net/socket.c:1320
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856
+ do_syscall_x64 arch/x86/entry/common.c:46 [inline]
+ do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+A more straightforward solution would be to always initialize rx_fs_lock,
+just like rx_fs_list.  However, in this case the driver set_rxnfc callback
+would return with a rather confusing error code, e.g. -EINVAL.  So deny
+set_rxnfc attempts directly if the RX filtering feature is not supported
+by hardware.
+
+Fixes: ae8223de3df5 ("net: macb: Added support for RX filtering")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Link: https://patch.msgid.link/20260316103826.74506-2-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 533bd66fb485c..89aa50893d360 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -3845,6 +3845,9 @@ static int gem_set_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd)
+       struct macb *bp = netdev_priv(netdev);
+       int ret;
++      if (!(netdev->hw_features & NETIF_F_NTUPLE))
++              return -EOPNOTSUPP;
++
+       switch (cmd->cmd) {
+       case ETHTOOL_SRXCLSRLINS:
+               if ((cmd->fs.location >= bp->max_tuples)
+-- 
+2.51.0
+
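Review bot: The early `return -EOPNOTSUPP;` added to gem_set_rxnfc() carries no comment, and the reason it exists — that rx_fs_lock is only initialised when the hardware supports RX flow filtering — lives only in the commit message. A comment above the check such as `/* rx_fs_lock is only initialised when RX flow filtering is supported; refuse here rather than take an uninitialised lock */` would keep that coupling visible to whoever next touches the lock init. Testing hw_features rather than the runtime-toggled features looks like the right key given the message ties the lock to hardware support; if a get_rxnfc counterpart takes the same lock it may need the same guard, which cannot be seen from this hunk. gem_set_rxnfc() continues outside the hunk.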
diff --git a/queue-6.12/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch b/queue-6.12/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch
new file mode 100644 (file)
index 0000000..2672721
--- /dev/null
@@ -0,0 +1,67 @@
+From 0352881291f9237975e64b00d5ea6a122a8e59fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 12:22:04 -0700
+Subject: net: mana: fix use-after-free in mana_hwc_destroy_channel() by
+ reordering teardown
+
+From: Dipayaan Roy <dipayanroy@linux.microsoft.com>
+
+[ Upstream commit fa103fc8f56954a60699a29215cb713448a39e87 ]
+
+A potential race condition exists in mana_hwc_destroy_channel() where
+hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and
+Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt
+handler to dereference freed memory, leading to a use-after-free or
+NULL pointer dereference in mana_hwc_handle_resp().
+
+mana_smc_teardown_hwc() signals the hardware to stop but does not
+synchronize against IRQ handlers already executing on other CPUs. The
+IRQ synchronization only happens in mana_hwc_destroy_cq() via
+mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs
+after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler()
+can dereference freed caller_ctx (and rxq->msg_buf) in
+mana_hwc_handle_resp().
+
+Fix this by reordering teardown to reverse-of-creation order: destroy
+the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This
+ensures all in-flight interrupt handlers complete before the memory they
+access is freed.
+
+Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/abHA3AjNtqa1nx9k@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+index a00f915c51881..e07d0a9529782 100644
+--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
++++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+@@ -778,9 +778,6 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
+               gc->max_num_cqs = 0;
+       }
+-      kfree(hwc->caller_ctx);
+-      hwc->caller_ctx = NULL;
+-
+       if (hwc->txq)
+               mana_hwc_destroy_wq(hwc, hwc->txq);
+@@ -790,6 +787,9 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
+       if (hwc->cq)
+               mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq);
++      kfree(hwc->caller_ctx);
++      hwc->caller_ctx = NULL;
++
+       mana_gd_free_res_map(&hwc->inflight_msg_res);
+       hwc->num_inflight_msg = 0;
+-- 
+2.51.0
+
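Review bot: The freeing of hwc->caller_ctx in mana_hwc_destroy_channel() is now order-dependent on the preceding mana_hwc_destroy_cq() call, but nothing in the code says so, and the original position looked equally reasonable to whoever wrote it. A comment above the moved `kfree(hwc->caller_ctx);`, along the lines of `/* Must follow mana_hwc_destroy_cq(): tearing down the EQ deregisters the IRQ and so waits for in-flight rx event handlers that still read caller_ctx */`, would keep the ordering from being undone in a later tidy-up. The claim that IRQ synchronisation happens inside mana_hwc_destroy_cq() comes from the commit message, not from code visible here. The function's beginning is outside the hunk.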
diff --git a/queue-6.12/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch b/queue-6.12/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch
new file mode 100644 (file)
index 0000000..89f7a81
--- /dev/null
@@ -0,0 +1,112 @@
+From 647fbee777c8c7a379c6ff6619adb226f497aefe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 11:46:01 +0200
+Subject: net/mlx5: qos: Restrict RTNL area to avoid a lock cycle
+
+From: Cosmin Ratiu <cratiu@nvidia.com>
+
+[ Upstream commit b7e3a5d9c0d66b7fb44f63aef3bd734821afa0c8 ]
+
+A lock dependency cycle exists where:
+1. mlx5_ib_roce_init -> mlx5_core_uplink_netdev_event_replay ->
+mlx5_blocking_notifier_call_chain (takes notifier_rwsem) ->
+mlx5e_mdev_notifier_event -> mlx5_netdev_notifier_register ->
+register_netdevice_notifier_dev_net (takes rtnl)
+=> notifier_rwsem -> rtnl
+
+2. mlx5e_probe -> _mlx5e_probe ->
+mlx5_core_uplink_netdev_set (takes uplink_netdev_lock) ->
+mlx5_blocking_notifier_call_chain (takes notifier_rwsem)
+=> uplink_netdev_lock -> notifier_rwsem
+
+3: devlink_nl_rate_set_doit -> devlink_nl_rate_set ->
+mlx5_esw_devlink_rate_leaf_tx_max_set -> esw_qos_devlink_rate_to_mbps ->
+mlx5_esw_qos_max_link_speed_get (takes rtnl) ->
+mlx5_esw_qos_lag_link_speed_get_locked ->
+mlx5_uplink_netdev_get (takes uplink_netdev_lock)
+=> rtnl -> uplink_netdev_lock
+=> BOOM! (lock cycle)
+
+Fix that by restricting the rtnl-protected section to just the necessary
+part, the call to netdev_master_upper_dev_get and speed querying, so
+that the last lock dependency is avoided and the cycle doesn't close.
+This is safe because mlx5_uplink_netdev_get uses netdev_hold to keep the
+uplink netdev alive while its master device is queried.
+
+Use this opportunity to rename the ambiguously-named "hold_rtnl_lock"
+argument to "take_rtnl" and remove the "_locked" suffix from
+mlx5_esw_qos_lag_link_speed_get_locked.
+
+Fixes: 6b4be64fd9fe ("net/mlx5e: Harden uplink netdev access against device unbind")
+Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260316094603.6999-2-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/esw/qos.c | 23 ++++++++-----------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
+index d8c304427e2ab..8c2e1d881a1a2 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
+@@ -713,24 +713,24 @@ int mlx5_esw_qos_set_vport_rate(struct mlx5_eswitch *esw, struct mlx5_vport *vpo
+       return err;
+ }
+-static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev)
++static u32 mlx5_esw_qos_lag_link_speed_get(struct mlx5_core_dev *mdev,
++                                         bool take_rtnl)
+ {
+       struct ethtool_link_ksettings lksettings;
+       struct net_device *slave, *master;
+       u32 speed = SPEED_UNKNOWN;
+-      /* Lock ensures a stable reference to master and slave netdevice
+-       * while port speed of master is queried.
+-       */
+-      ASSERT_RTNL();
+-
+       slave = mlx5_uplink_netdev_get(mdev);
+       if (!slave)
+               goto out;
++      if (take_rtnl)
++              rtnl_lock();
+       master = netdev_master_upper_dev_get(slave);
+       if (master && !__ethtool_get_link_ksettings(master, &lksettings))
+               speed = lksettings.base.speed;
++      if (take_rtnl)
++              rtnl_unlock();
+ out:
+       mlx5_uplink_netdev_put(mdev, slave);
+@@ -738,20 +738,15 @@ static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev)
+ }
+ static int mlx5_esw_qos_max_link_speed_get(struct mlx5_core_dev *mdev, u32 *link_speed_max,
+-                                         bool hold_rtnl_lock, struct netlink_ext_ack *extack)
++                                         bool take_rtnl,
++                                         struct netlink_ext_ack *extack)
+ {
+       int err;
+       if (!mlx5_lag_is_active(mdev))
+               goto skip_lag;
+-      if (hold_rtnl_lock)
+-              rtnl_lock();
+-
+-      *link_speed_max = mlx5_esw_qos_lag_link_speed_get_locked(mdev);
+-
+-      if (hold_rtnl_lock)
+-              rtnl_unlock();
++      *link_speed_max = mlx5_esw_qos_lag_link_speed_get(mdev, take_rtnl);
+       if (*link_speed_max != (u32)SPEED_UNKNOWN)
+               return 0;
+-- 
+2.51.0
+
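Review bot: With ASSERT_RTNL() removed from mlx5_esw_qos_lag_link_speed_get(), the `take_rtnl == false` path no longer verifies that the caller holds rtnl before netdev_master_upper_dev_get() and __ethtool_get_link_ksettings(). Adding `else ASSERT_RTNL();` to the new `if (take_rtnl) rtnl_lock();` keeps that check for callers that pass false while preserving the narrowed locking region the commit intends. A short comment at `slave = mlx5_uplink_netdev_get(mdev);` noting that the held reference, not rtnl, keeps slave alive while the master is queried (as the commit message states) would also help, since the deleted comment was the only locking documentation in the function. The second hunk in the same file only forwards the renamed flag and needs nothing further.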
diff --git a/queue-6.12/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch b/queue-6.12/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch
new file mode 100644 (file)
index 0000000..6da6c6a
--- /dev/null
@@ -0,0 +1,128 @@
+From e2c81813c58ef277ff63c83bf0a2a3c23a628a9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 11:46:03 +0200
+Subject: net/mlx5e: Fix race condition during IPSec ESN update
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit beb6e2e5976a128b0cccf10d158124422210c5ef ]
+
+In IPSec full offload mode, the device reports an ESN (Extended
+Sequence Number) wrap event to the driver. The driver validates this
+event by querying the IPSec ASO and checking that the esn_event_arm
+field is 0x0, which indicates an event has occurred. After handling
+the event, the driver must re-arm the context by setting esn_event_arm
+back to 0x1.
+
+A race condition exists in this handling path. After validating the
+event, the driver calls mlx5_accel_esp_modify_xfrm() to update the
+kernel's xfrm state. This function temporarily releases and
+re-acquires the xfrm state lock.
+
+So, need to acknowledge the event first by setting esn_event_arm to
+0x1. This prevents the driver from reprocessing the same ESN update if
+the hardware sends events for other reason. Since the next ESN update
+only occurs after nearly 2^31 packets are received, there's no risk of
+missing an update, as it will happen long after this handling has
+finished.
+
+Processing the event twice causes the ESN high-order bits (esn_msb) to
+be incremented incorrectly. The driver then programs the hardware with
+this invalid ESN state, which leads to anti-replay failures and a
+complete halt of IPSec traffic.
+
+Fix this by re-arming the ESN event immediately after it is validated,
+before calling mlx5_accel_esp_modify_xfrm(). This ensures that any
+spurious, duplicate events are correctly ignored, closing the race
+window.
+
+Fixes: fef06678931f ("net/mlx5e: Fix ESN update kernel panic")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260316094603.6999-4-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mlx5/core/en_accel/ipsec_offload.c        | 33 ++++++++-----------
+ 1 file changed, 14 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+index bb2555706d082..40fe3d1e2342c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+@@ -311,10 +311,11 @@ static void mlx5e_ipsec_aso_update(struct mlx5e_ipsec_sa_entry *sa_entry,
+       mlx5e_ipsec_aso_query(sa_entry, data);
+ }
+-static void mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry,
+-                                       u32 mode_param)
++static void
++mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry,
++                           u32 mode_param,
++                           struct mlx5_accel_esp_xfrm_attrs *attrs)
+ {
+-      struct mlx5_accel_esp_xfrm_attrs attrs = {};
+       struct mlx5_wqe_aso_ctrl_seg data = {};
+       if (mode_param < MLX5E_IPSEC_ESN_SCOPE_MID) {
+@@ -324,18 +325,7 @@ static void mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry,
+               sa_entry->esn_state.overlap = 1;
+       }
+-      mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, &attrs);
+-
+-      /* It is safe to execute the modify below unlocked since the only flows
+-       * that could affect this HW object, are create, destroy and this work.
+-       *
+-       * Creation flow can't co-exist with this modify work, the destruction
+-       * flow would cancel this work, and this work is a single entity that
+-       * can't conflict with it self.
+-       */
+-      spin_unlock_bh(&sa_entry->x->lock);
+-      mlx5_accel_esp_modify_xfrm(sa_entry, &attrs);
+-      spin_lock_bh(&sa_entry->x->lock);
++      mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, attrs);
+       data.data_offset_condition_operand =
+               MLX5_IPSEC_ASO_REMOVE_FLOW_PKT_CNT_OFFSET;
+@@ -452,7 +442,9 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+       struct mlx5e_ipsec_work *work =
+               container_of(_work, struct mlx5e_ipsec_work, work);
+       struct mlx5e_ipsec_sa_entry *sa_entry = work->data;
++      struct mlx5_accel_esp_xfrm_attrs tmp = {};
+       struct mlx5_accel_esp_xfrm_attrs *attrs;
++      bool need_modify = false;
+       int ret;
+       attrs = &sa_entry->attrs;
+@@ -462,19 +454,22 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+       if (ret)
+               goto unlock;
++      if (attrs->lft.soft_packet_limit != XFRM_INF)
++              mlx5e_ipsec_handle_limits(sa_entry);
++
+       if (attrs->replay_esn.trigger &&
+           !MLX5_GET(ipsec_aso, sa_entry->ctx, esn_event_arm)) {
+               u32 mode_param = MLX5_GET(ipsec_aso, sa_entry->ctx,
+                                         mode_parameter);
+-              mlx5e_ipsec_update_esn_state(sa_entry, mode_param);
++              mlx5e_ipsec_update_esn_state(sa_entry, mode_param, &tmp);
++              need_modify = true;
+       }
+-      if (attrs->lft.soft_packet_limit != XFRM_INF)
+-              mlx5e_ipsec_handle_limits(sa_entry);
+-
+ unlock:
+       spin_unlock_bh(&sa_entry->x->lock);
++      if (need_modify)
++              mlx5_accel_esp_modify_xfrm(sa_entry, &tmp);
+       kfree(work);
+ }
+-- 
+2.51.0
+
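Review bot: The hunk in mlx5e_ipsec_handle_event() also moves mlx5e_ipsec_handle_limits() ahead of the ESN check, which the commit message does not mention, so the reason for that ordering should be stated in a comment — presumably so the lifetime counters are read from the queried context before mlx5e_ipsec_update_esn_state() issues a new ASO update, but that is inferred and should be confirmed. The rationale for calling mlx5_accel_esp_modify_xfrm() without sa_entry->x->lock was carried in the comment this patch deletes from mlx5e_ipsec_update_esn_state(); it should move to the new call site after `spin_unlock_bh(&sa_entry->x->lock);`, e.g. `/* modify_xfrm runs unlocked: only create, destroy (which cancels this work) and this work touch the HW object */`. `tmp` is a full struct mlx5_accel_esp_xfrm_attrs on the work handler's stack; its size is not visible here, so whether that is acceptable should be checked. The tail of mlx5e_ipsec_update_esn_state() and the head of handle_event() are outside the hunks.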
diff --git a/queue-6.12/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch b/queue-6.12/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch
new file mode 100644 (file)
index 0000000..e687c1d
--- /dev/null
@@ -0,0 +1,115 @@
+From 3ba49bdbc10fc82f7bcb2a652bd45eede1588999 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 11:46:02 +0200
+Subject: net/mlx5e: Prevent concurrent access to IPSec ASO context
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 99b36850d881e2d65912b2520a1c80d0fcc9429a ]
+
+The query or updating IPSec offload object is through Access ASO WQE.
+The driver uses a single mlx5e_ipsec_aso struct for each PF, which
+contains a shared DMA-mapped context for all ASO operations.
+
+A race condition exists because the ASO spinlock is released before
+the hardware has finished processing WQE. If a second operation is
+initiated immediately after, it overwrites the shared context in the
+DMA area.
+
+When the first operation's completion is processed later, it reads
+this corrupted context, leading to unexpected behavior and incorrect
+results.
+
+This commit fixes the race by introducing a private context within
+each IPSec offload object. The shared ASO context is now copied to
+this private context while the ASO spinlock is held. Subsequent
+processing uses this saved, per-object context, ensuring its integrity
+is maintained.
+
+Fixes: 1ed78fc03307 ("net/mlx5e: Update IPsec soft and hard limits")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260316094603.6999-3-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/en_accel/ipsec.h         |  1 +
+ .../mellanox/mlx5/core/en_accel/ipsec_offload.c | 17 ++++++++---------
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
+index a37c8a117d80f..2e5ca1cc29bb3 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
+@@ -274,6 +274,7 @@ struct mlx5e_ipsec_sa_entry {
+       struct mlx5e_ipsec_dwork *dwork;
+       struct mlx5e_ipsec_limits limits;
+       u32 rx_mapped_id;
++      u8 ctx[MLX5_ST_SZ_BYTES(ipsec_aso)];
+ };
+ struct mlx5_accel_pol_xfrm_attrs {
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+index 820debf3fbbf2..bb2555706d082 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+@@ -371,20 +371,18 @@ static void mlx5e_ipsec_aso_update_soft(struct mlx5e_ipsec_sa_entry *sa_entry,
+ static void mlx5e_ipsec_handle_limits(struct mlx5e_ipsec_sa_entry *sa_entry)
+ {
+       struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs;
+-      struct mlx5e_ipsec *ipsec = sa_entry->ipsec;
+-      struct mlx5e_ipsec_aso *aso = ipsec->aso;
+       bool soft_arm, hard_arm;
+       u64 hard_cnt;
+       lockdep_assert_held(&sa_entry->x->lock);
+-      soft_arm = !MLX5_GET(ipsec_aso, aso->ctx, soft_lft_arm);
+-      hard_arm = !MLX5_GET(ipsec_aso, aso->ctx, hard_lft_arm);
++      soft_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, soft_lft_arm);
++      hard_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, hard_lft_arm);
+       if (!soft_arm && !hard_arm)
+               /* It is not lifetime event */
+               return;
+-      hard_cnt = MLX5_GET(ipsec_aso, aso->ctx, remove_flow_pkt_cnt);
++      hard_cnt = MLX5_GET(ipsec_aso, sa_entry->ctx, remove_flow_pkt_cnt);
+       if (!hard_cnt || hard_arm) {
+               /* It is possible to see packet counter equal to zero without
+                * hard limit event armed. Such situation can be if packet
+@@ -455,10 +453,8 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+               container_of(_work, struct mlx5e_ipsec_work, work);
+       struct mlx5e_ipsec_sa_entry *sa_entry = work->data;
+       struct mlx5_accel_esp_xfrm_attrs *attrs;
+-      struct mlx5e_ipsec_aso *aso;
+       int ret;
+-      aso = sa_entry->ipsec->aso;
+       attrs = &sa_entry->attrs;
+       spin_lock_bh(&sa_entry->x->lock);
+@@ -467,8 +463,9 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+               goto unlock;
+       if (attrs->replay_esn.trigger &&
+-          !MLX5_GET(ipsec_aso, aso->ctx, esn_event_arm)) {
+-              u32 mode_param = MLX5_GET(ipsec_aso, aso->ctx, mode_parameter);
++          !MLX5_GET(ipsec_aso, sa_entry->ctx, esn_event_arm)) {
++              u32 mode_param = MLX5_GET(ipsec_aso, sa_entry->ctx,
++                                        mode_parameter);
+               mlx5e_ipsec_update_esn_state(sa_entry, mode_param);
+       }
+@@ -630,6 +627,8 @@ int mlx5e_ipsec_aso_query(struct mlx5e_ipsec_sa_entry *sa_entry,
+                       /* We are in atomic context */
+                       udelay(10);
+       } while (ret && time_is_after_jiffies(expires));
++      if (!ret)
++              memcpy(sa_entry->ctx, aso->ctx, MLX5_ST_SZ_BYTES(ipsec_aso));
+       spin_unlock_bh(&aso->lock);
+       return ret;
+ }
+-- 
+2.51.0
+
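Review bot: The new `sa_entry->ctx` is written under aso->lock in mlx5e_ipsec_aso_query() only when `ret == 0`, and read under sa_entry->x->lock in mlx5e_ipsec_handle_limits() and mlx5e_ipsec_handle_event(), but neither the struct field nor the query function documents that contract, so a caller that ignores the query's return value would silently read the previous snapshot. A comment on the field in ipsec.h, e.g. `/* copy of the last successful ASO query, taken under aso->lock; read under x->lock */`, and a note at the memcpy stating that the copy is skipped on failure, would make it explicit. handle_event() appears to `goto unlock` when the query fails, so that caller is covered; other callers of mlx5e_ipsec_aso_query() are not visible in this hunk.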
diff --git a/queue-6.12/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch b/queue-6.12/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch
new file mode 100644 (file)
index 0000000..3ffda4f
--- /dev/null
@@ -0,0 +1,86 @@
+From b46c0754e03f307d4da2b360ec14f6376b44433e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 12:31:01 -0700
+Subject: net: mvpp2: guard flow control update with global_tx_fc in buffer
+ switching
+
+From: Muhammad Hammad Ijaz <mhijaz@amazon.com>
+
+[ Upstream commit 8a63baadf08453f66eb582fdb6dd234f72024723 ]
+
+mvpp2_bm_switch_buffers() unconditionally calls
+mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and
+shared buffer pool modes. This function programs CM3 flow control
+registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference
+priv->cm3_base without any NULL check.
+
+When the CM3 SRAM resource is not present in the device tree (the
+third reg entry added by commit 60523583b07c ("dts: marvell: add CM3
+SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains
+NULL and priv->global_tx_fc is false. Any operation that triggers
+mvpp2_bm_switch_buffers(), for example an MTU change that crosses
+the jumbo frame threshold, will crash:
+
+  Unable to handle kernel NULL pointer dereference at
+  virtual address 0000000000000000
+  Mem abort info:
+    ESR = 0x0000000096000006
+    EC = 0x25: DABT (current EL), IL = 32 bits
+  pc : readl+0x0/0x18
+  lr : mvpp2_cm3_read.isra.0+0x14/0x20
+  Call trace:
+   readl+0x0/0x18
+   mvpp2_bm_pool_update_fc+0x40/0x12c
+   mvpp2_bm_pool_update_priv_fc+0x94/0xd8
+   mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0
+   mvpp2_change_mtu+0x140/0x380
+   __dev_set_mtu+0x1c/0x38
+   dev_set_mtu_ext+0x78/0x118
+   dev_set_mtu+0x48/0xa8
+   dev_ifsioc+0x21c/0x43c
+   dev_ioctl+0x2d8/0x42c
+   sock_ioctl+0x314/0x378
+
+Every other flow control call site in the driver already guards
+hardware access with either priv->global_tx_fc or port->tx_fc.
+mvpp2_bm_switch_buffers() is the only place that omits this check.
+
+Add the missing priv->global_tx_fc guard to both the disable and
+re-enable calls in mvpp2_bm_switch_buffers(), consistent with the
+rest of the driver.
+
+Fixes: 3a616b92a9d1 ("net: mvpp2: Add TX flow control support for jumbo frames")
+Signed-off-by: Muhammad Hammad Ijaz <mhijaz@amazon.com>
+Reviewed-by: Gunnar Kudrjavets <gunnarku@amazon.com>
+Link: https://patch.msgid.link/20260316193157.65748-1-mhijaz@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index 66b5a80c9c28a..51e35c4d9ea97 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -5025,7 +5025,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+       if (priv->percpu_pools)
+               numbufs = port->nrxqs * 2;
+-      if (change_percpu)
++      if (change_percpu && priv->global_tx_fc)
+               mvpp2_bm_pool_update_priv_fc(priv, false);
+       for (i = 0; i < numbufs; i++)
+@@ -5050,7 +5050,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+                       mvpp2_open(port->dev);
+       }
+-      if (change_percpu)
++      if (change_percpu && priv->global_tx_fc)
+               mvpp2_bm_pool_update_priv_fc(priv, true);
+       return 0;
+-- 
+2.51.0
+
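Review bot: The NULL-cm3_base hazard is still caught only at the two call sites; mvpp2_bm_pool_update_priv_fc() itself (not in the diff, its behaviour inferred from the description) keeps reaching mvpp2_cm3_read()/mvpp2_cm3_write() unconditionally, so any future caller repeats this crash. A guard inside the helper, `if (!priv->global_tx_fc) return;` at its top, would make the invariant local while the call-site checks stay for consistency with the rest of the driver. It is also worth a one-line comment at the first guarded call, `/* CM3 flow-control registers exist only when global_tx_fc is set */`, since the `change_percpu && priv->global_tx_fc` condition otherwise reads as a policy choice rather than a NULL-deref guard. mvpp2_bm_switch_buffers() starts and ends outside both hunks.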
diff --git a/queue-6.12/net-rose-fix-null-pointer-dereference-in-rose_transm.patch b/queue-6.12/net-rose-fix-null-pointer-dereference-in-rose_transm.patch
new file mode 100644 (file)
index 0000000..533bad3
--- /dev/null
@@ -0,0 +1,64 @@
+From d02f536ed05036f518fa5ae2e668015000c6d808 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 15:06:02 +0800
+Subject: net/rose: fix NULL pointer dereference in rose_transmit_link on
+ reconnect
+
+From: Jiayuan Chen <jiayuan.chen@shopee.com>
+
+[ Upstream commit e1f0a18c9564cdb16523c802e2c6fe5874e3d944 ]
+
+syzkaller reported a bug [1], and the reproducer is available at [2].
+
+ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN,
+TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects
+calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING
+(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT.
+
+When rose_connect() is called a second time while the first connection
+attempt is still in progress (TCP_SYN_SENT), it overwrites
+rose->neighbour via rose_get_neigh(). If that returns NULL, the socket
+is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL.
+When the socket is subsequently closed, rose_release() sees
+ROSE_STATE_1 and calls rose_write_internal() ->
+rose_transmit_link(skb, NULL), causing a NULL pointer dereference.
+
+Per connect(2), a second connect() while a connection is already in
+progress should return -EALREADY. Add this missing check for
+TCP_SYN_SENT to complete the state validation in rose_connect().
+
+[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271
+[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+d00f90e0af54102fb271@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0027.GAE@google.com/T/
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260311070611.76913-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 1676c9f4ab848..0223d6c34f0be 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -810,6 +810,11 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
+               goto out_release;
+       }
++      if (sk->sk_state == TCP_SYN_SENT) {
++              err = -EALREADY;
++              goto out_release;
++      }
++
+       sk->sk_state   = TCP_CLOSE;
+       sock->state = SS_UNCONNECTED;
+-- 
+2.51.0
+
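Review bot: The -EALREADY check closes the path described in the commit, but the crash site itself is unchanged: rose_release() still calls into rose_transmit_link() with whatever rose->neighbour holds, so any other sequence that leaves ROSE_STATE_1 with a NULL neighbour would hit the same dereference. A cheap NULL guard on the neighbour argument at the top of rose_transmit_link() (drop the skb and return) would be defence in depth; whether such another sequence exists cannot be determined from this hunk. The placement is correct, after the existing TCP_ESTABLISHED and TCP_CLOSE/SS_CONNECTING rejections and before `sk->sk_state = TCP_CLOSE;`, but a short comment would help, e.g. `/* connect() already in progress: do not re-run rose_get_neigh() and clobber rose->neighbour */`. rose_connect() continues outside the hunk.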
diff --git a/queue-6.12/net-sched-teql-fix-double-free-in-teql_master_xmit.patch b/queue-6.12/net-sched-teql-fix-double-free-in-teql_master_xmit.patch
new file mode 100644 (file)
index 0000000..8a67050
--- /dev/null
@@ -0,0 +1,202 @@
+From 2223077502871ade1de760952ef7b3002c8f9479 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 11:54:22 -0400
+Subject: net/sched: teql: Fix double-free in teql_master_xmit
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit 66360460cab63c248ca5b1070a01c0c29133b960 ]
+
+Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should
+be called using the seq_lock to avoid racing with the datapath. Failure
+to do so may cause crashes like the following:
+
+[  238.028993][  T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)
+[  238.029328][  T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318
+[  238.029749][  T318]
+[  238.029900][  T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)
+[  238.029906][  T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+[  238.029910][  T318] Call Trace:
+[  238.029913][  T318]  <TASK>
+[  238.029916][  T318]  dump_stack_lvl (lib/dump_stack.c:122)
+[  238.029928][  T318]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
+[  238.029940][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
+[  238.029944][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+...
+[  238.029957][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
+[  238.029969][  T318]  kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)
+[  238.029979][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
+[  238.029989][  T318]  check_slab_allocation (mm/kasan/common.c:231)
+[  238.029995][  T318]  kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))
+[  238.030004][  T318]  skb_release_data (net/core/skbuff.c:1139)
+...
+[  238.030025][  T318]  sk_skb_reason_drop (net/core/skbuff.c:1256)
+[  238.030032][  T318]  pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)
+[  238.030039][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+...
+[  238.030054][  T318]  qdisc_reset (net/sched/sch_generic.c:1034)
+[  238.030062][  T318]  teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)
+[  238.030071][  T318]  __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)
+[  238.030077][  T318]  qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)
+[  238.030089][  T318]  ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)
+[  238.030095][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[  238.030102][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[  238.030106][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[  238.030114][  T318]  tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)
+...
+[  238.072958][  T318] Allocated by task 303 on cpu 5 at 238.026275s:
+[  238.073392][  T318]  kasan_save_stack (mm/kasan/common.c:58)
+[  238.073884][  T318]  kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
+[  238.074230][  T318]  __kasan_slab_alloc (mm/kasan/common.c:369)
+[  238.074578][  T318]  kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)
+[  238.076091][  T318]  kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))
+[  238.076450][  T318]  __alloc_skb (net/core/skbuff.c:713)
+[  238.076834][  T318]  alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)
+[  238.077178][  T318]  sock_alloc_send_pskb (net/core/sock.c:2997)
+[  238.077520][  T318]  packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)
+[  238.081469][  T318]
+[  238.081870][  T318] Freed by task 299 on cpu 1 at 238.028496s:
+[  238.082761][  T318]  kasan_save_stack (mm/kasan/common.c:58)
+[  238.083481][  T318]  kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
+[  238.085348][  T318]  kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))
+[  238.085900][  T318]  __kasan_slab_free (mm/kasan/common.c:287)
+[  238.086439][  T318]  kmem_cache_free (mm/slub.c:6168 (discriminator 3) mm/slub.c:6298 (discriminator 3))
+[  238.087007][  T318]  skb_release_data (net/core/skbuff.c:1139)
+[  238.087491][  T318]  consume_skb (net/core/skbuff.c:1451)
+[  238.087757][  T318]  teql_master_xmit (net/sched/sch_teql.c:358)
+[  238.088116][  T318]  dev_hard_start_xmit (./include/linux/netdevice.h:5324 ./include/linux/netdevice.h:5333 net/core/dev.c:3871 net/core/dev.c:3887)
+[  238.088468][  T318]  sch_direct_xmit (net/sched/sch_generic.c:347)
+[  238.088820][  T318]  __qdisc_run (net/sched/sch_generic.c:420 (discriminator 1))
+[  238.089166][  T318]  __dev_queue_xmit (./include/net/sch_generic.h:229 ./include/net/pkt_sched.h:121 ./include/net/pkt_sched.h:117 net/core/dev.c:4196 net/core/dev.c:4802)
+
+Workflow to reproduce:
+1. Initialize a TEQL topology (dummy0 and ifb0 as slaves, teql0 up).
+2. Start multiple sender workers continuously transmitting packets
+   through teql0 to drive teql_master_xmit().
+3. In parallel, repeatedly delete and re-add the root qdisc on
+   dummy0 and ifb0 via RTNETLINK, forcing frequent teardown and reset activity
+   (teql_destroy() / qdisc_reset()).
+4. After running both workloads concurrently for several iterations,
+   KASAN reports slab-use-after-free or double-free in the skb free path.
+
+Fix this by moving dev_reset_queue to sch_generic.h and calling it, instead
+of qdisc_reset, in teql_destroy since it handles both the lock and lockless
+cases correctly for root qdiscs.
+
+Fixes: 96009c7d500e ("sched: replace __QDISC_STATE_RUNNING bit with a spin lock")
+Reported-by: Xianrui Dong <keenanat2000@gmail.com>
+Tested-by: Xianrui Dong <keenanat2000@gmail.com>
+Co-developed-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260315155422.147256-1-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sch_generic.h | 28 ++++++++++++++++++++++++++++
+ net/sched/sch_generic.c   | 27 ---------------------------
+ net/sched/sch_teql.c      |  7 ++-----
+ 3 files changed, 30 insertions(+), 32 deletions(-)
+
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index 75a0d6095d2eb..28a7aaa4c0cdf 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -696,6 +696,34 @@ void qdisc_destroy(struct Qdisc *qdisc);
+ void qdisc_put(struct Qdisc *qdisc);
+ void qdisc_put_unlocked(struct Qdisc *qdisc);
+ void qdisc_tree_reduce_backlog(struct Qdisc *qdisc, int n, int len);
++
++static inline void dev_reset_queue(struct net_device *dev,
++                                 struct netdev_queue *dev_queue,
++                                 void *_unused)
++{
++      struct Qdisc *qdisc;
++      bool nolock;
++
++      qdisc = rtnl_dereference(dev_queue->qdisc_sleeping);
++      if (!qdisc)
++              return;
++
++      nolock = qdisc->flags & TCQ_F_NOLOCK;
++
++      if (nolock)
++              spin_lock_bh(&qdisc->seqlock);
++      spin_lock_bh(qdisc_lock(qdisc));
++
++      qdisc_reset(qdisc);
++
++      spin_unlock_bh(qdisc_lock(qdisc));
++      if (nolock) {
++              clear_bit(__QDISC_STATE_MISSED, &qdisc->state);
++              clear_bit(__QDISC_STATE_DRAINING, &qdisc->state);
++              spin_unlock_bh(&qdisc->seqlock);
++      }
++}
++
+ #ifdef CONFIG_NET_SCHED
+ int qdisc_offload_dump_helper(struct Qdisc *q, enum tc_setup_type type,
+                             void *type_data);
+diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
+index d27383c54b70b..3e1dbb84bb837 100644
+--- a/net/sched/sch_generic.c
++++ b/net/sched/sch_generic.c
+@@ -1297,33 +1297,6 @@ static void dev_deactivate_queue(struct net_device *dev,
+       }
+ }
+-static void dev_reset_queue(struct net_device *dev,
+-                          struct netdev_queue *dev_queue,
+-                          void *_unused)
+-{
+-      struct Qdisc *qdisc;
+-      bool nolock;
+-
+-      qdisc = rtnl_dereference(dev_queue->qdisc_sleeping);
+-      if (!qdisc)
+-              return;
+-
+-      nolock = qdisc->flags & TCQ_F_NOLOCK;
+-
+-      if (nolock)
+-              spin_lock_bh(&qdisc->seqlock);
+-      spin_lock_bh(qdisc_lock(qdisc));
+-
+-      qdisc_reset(qdisc);
+-
+-      spin_unlock_bh(qdisc_lock(qdisc));
+-      if (nolock) {
+-              clear_bit(__QDISC_STATE_MISSED, &qdisc->state);
+-              clear_bit(__QDISC_STATE_DRAINING, &qdisc->state);
+-              spin_unlock_bh(&qdisc->seqlock);
+-      }
+-}
+-
+ static bool some_qdisc_is_busy(struct net_device *dev)
+ {
+       unsigned int i;
+diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
+index 783300d8b0197..ec4039a201a2c 100644
+--- a/net/sched/sch_teql.c
++++ b/net/sched/sch_teql.c
+@@ -146,15 +146,12 @@ teql_destroy(struct Qdisc *sch)
+                                       master->slaves = NEXT_SLAVE(q);
+                                       if (q == master->slaves) {
+                                               struct netdev_queue *txq;
+-                                              spinlock_t *root_lock;
+                                               txq = netdev_get_tx_queue(master->dev, 0);
+                                               master->slaves = NULL;
+-                                              root_lock = qdisc_root_sleeping_lock(rtnl_dereference(txq->qdisc));
+-                                              spin_lock_bh(root_lock);
+-                                              qdisc_reset(rtnl_dereference(txq->qdisc));
+-                                              spin_unlock_bh(root_lock);
++                                              dev_reset_queue(master->dev,
++                                                              txq, NULL);
+                                       }
+                               }
+                               skb_queue_purge(&dat->q);
+-- 
+2.51.0
+
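Review bot: dev_reset_queue() moves into include/net/sch_generic.h as a static inline with no comment, and its contract is non-obvious from the code: rtnl_dereference() on `dev_queue->qdisc_sleeping` means the caller must hold RTNL, the seqlock is taken only for TCQ_F_NOLOCK qdiscs, and the `dev`/`_unused` parameters exist solely for the netdev_for_each_tx_queue() callback signature. A kernel-doc block above it stating those three facts would stop the next caller from using it without RTNL or from "cleaning up" the unused parameters. Note also that teql_destroy() previously reset `rtnl_dereference(txq->qdisc)` and now resets the sleeping qdisc; these differ when the master device is down, which looks intended (the sleeping qdisc is the one that outlives a deactivate) but deserves a sentence in the description. teql_destroy() starts and ends outside the hunk.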
diff --git a/queue-6.12/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch b/queue-6.12/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch
new file mode 100644 (file)
index 0000000..df80036
--- /dev/null
@@ -0,0 +1,208 @@
+From 9a224a1f62648519410091a3bb00edcdd754f040 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 17:29:07 +0800
+Subject: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
+
+From: Jiayuan Chen <jiayuan.chen@shopee.com>
+
+[ Upstream commit 6d5e4538364b9ceb1ac2941a4deb86650afb3538 ]
+
+Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].
+
+smc_tcp_syn_recv_sock() is called in the TCP receive path
+(softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP
+listening socket). It reads sk_user_data to get the smc_sock
+pointer. However, when the SMC listen socket is being closed
+concurrently, smc_close_active() sets clcsock->sk_user_data
+to NULL under sk_callback_lock, and then the smc_sock itself
+can be freed via sock_put() in smc_release().
+
+This leads to two issues:
+
+1) NULL pointer dereference: sk_user_data is NULL when
+   accessed.
+2) Use-after-free: sk_user_data is read as non-NULL, but the
+   smc_sock is freed before its fields (e.g., queued_smc_hs,
+   ori_af_ops) are accessed.
+
+The race window looks like this (the syzkaller crash [1]
+triggers via the SYN cookie path: tcp_get_cookie_sock() ->
+smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path
+has the same race):
+
+  CPU A (softirq)              CPU B (process ctx)
+
+  tcp_v4_rcv()
+    TCP_NEW_SYN_RECV:
+    sk = req->rsk_listener
+    sock_hold(sk)
+    /* No lock on listener */
+                               smc_close_active():
+                                 write_lock_bh(cb_lock)
+                                 sk_user_data = NULL
+                                 write_unlock_bh(cb_lock)
+                                 ...
+                                 smc_clcsock_release()
+                                 sock_put(smc->sk) x2
+                                   -> smc_sock freed!
+    tcp_check_req()
+      smc_tcp_syn_recv_sock():
+        smc = user_data(sk)
+          -> NULL or dangling
+        smc->queued_smc_hs
+          -> crash!
+
+Note that the clcsock and smc_sock are two independent objects
+with separate refcounts. TCP stack holds a reference on the
+clcsock, which keeps it alive, but this does NOT prevent the
+smc_sock from being freed.
+
+Fix this by using RCU and refcount_inc_not_zero() to safely
+access smc_sock. Since smc_tcp_syn_recv_sock() is called in
+the TCP three-way handshake path, taking read_lock_bh on
+sk_callback_lock is too heavy and would not survive a SYN
+flood attack. Using rcu_read_lock() is much more lightweight.
+
+- Set SOCK_RCU_FREE on the SMC listen socket so that
+  smc_sock freeing is deferred until after the RCU grace
+  period. This guarantees the memory is still valid when
+  accessed inside rcu_read_lock().
+- Use rcu_read_lock() to protect reading sk_user_data.
+- Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the
+  smc_sock. If the refcount has already reached zero (close
+  path completed), it returns false and we bail out safely.
+
+Note: smc_hs_congested() has a similar lockless read of
+sk_user_data without rcu_read_lock(), but it only checks for
+NULL and accesses the global smc_hs_wq, never dereferencing
+any smc_sock field, so it is not affected.
+
+Reproducer was verified with mdelay injection and smc_run,
+the issue no longer occurs with this patch applied.
+
+[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9
+
+Fixes: 8270d9c21041 ("net/smc: Limit backlog connections")
+Reported-by: syzbot+827ae2bfb3a3529333e9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67eaf9b8.050a0220.3c3d88.004a.GAE@google.com/T/
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Link: https://patch.msgid.link/20260312092909.48325-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c    | 23 +++++++++++++++++------
+ net/smc/smc.h       |  5 +++++
+ net/smc/smc_close.c |  2 +-
+ 3 files changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 02e08ac1da3aa..23bb360ebd07b 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -130,7 +130,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
+       struct smc_sock *smc;
+       struct sock *child;
+-      smc = smc_clcsock_user_data(sk);
++      rcu_read_lock();
++      smc = smc_clcsock_user_data_rcu(sk);
++      if (!smc || !refcount_inc_not_zero(&smc->sk.sk_refcnt)) {
++              rcu_read_unlock();
++              smc = NULL;
++              goto drop;
++      }
++      rcu_read_unlock();
+       if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
+                               sk->sk_max_ack_backlog)
+@@ -152,11 +159,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
+               if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
+                       inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
+       }
++      sock_put(&smc->sk);
+       return child;
+ drop:
+       dst_release(dst);
+       tcp_listendrop(sk);
++      if (smc)
++              sock_put(&smc->sk);
+       return NULL;
+ }
+@@ -253,7 +263,7 @@ static void smc_fback_restore_callbacks(struct smc_sock *smc)
+       struct sock *clcsk = smc->clcsock->sk;
+       write_lock_bh(&clcsk->sk_callback_lock);
+-      clcsk->sk_user_data = NULL;
++      rcu_assign_sk_user_data(clcsk, NULL);
+       smc_clcsock_restore_cb(&clcsk->sk_state_change, &smc->clcsk_state_change);
+       smc_clcsock_restore_cb(&clcsk->sk_data_ready, &smc->clcsk_data_ready);
+@@ -901,7 +911,7 @@ static void smc_fback_replace_callbacks(struct smc_sock *smc)
+       struct sock *clcsk = smc->clcsock->sk;
+       write_lock_bh(&clcsk->sk_callback_lock);
+-      clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
++      __rcu_assign_sk_user_data_with_flags(clcsk, smc, SK_USER_DATA_NOCOPY);
+       smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change,
+                              &smc->clcsk_state_change);
+@@ -2663,8 +2673,8 @@ int smc_listen(struct socket *sock, int backlog)
+        * smc-specific sk_data_ready function
+        */
+       write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+-      smc->clcsock->sk->sk_user_data =
+-              (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
++      __rcu_assign_sk_user_data_with_flags(smc->clcsock->sk, smc,
++                                           SK_USER_DATA_NOCOPY);
+       smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready,
+                              smc_clcsock_data_ready, &smc->clcsk_data_ready);
+       write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+@@ -2685,10 +2695,11 @@ int smc_listen(struct socket *sock, int backlog)
+               write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+               smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+                                      &smc->clcsk_data_ready);
+-              smc->clcsock->sk->sk_user_data = NULL;
++              rcu_assign_sk_user_data(smc->clcsock->sk, NULL);
+               write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+               goto out;
+       }
++      sock_set_flag(sk, SOCK_RCU_FREE);
+       sk->sk_max_ack_backlog = backlog;
+       sk->sk_ack_backlog = 0;
+       sk->sk_state = SMC_LISTEN;
+diff --git a/net/smc/smc.h b/net/smc/smc.h
+index 7579f9622e010..f9d364a2167a7 100644
+--- a/net/smc/smc.h
++++ b/net/smc/smc.h
+@@ -346,6 +346,11 @@ static inline struct smc_sock *smc_clcsock_user_data(const struct sock *clcsk)
+              ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY);
+ }
++static inline struct smc_sock *smc_clcsock_user_data_rcu(const struct sock *clcsk)
++{
++      return (struct smc_sock *)rcu_dereference_sk_user_data(clcsk);
++}
++
+ /* save target_cb in saved_cb, and replace target_cb with new_cb */
+ static inline void smc_clcsock_replace_cb(void (**target_cb)(struct sock *),
+                                         void (*new_cb)(struct sock *),
+diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
+index 10219f55aad14..bb0313ef5f7c1 100644
+--- a/net/smc/smc_close.c
++++ b/net/smc/smc_close.c
+@@ -218,7 +218,7 @@ int smc_close_active(struct smc_sock *smc)
+                       write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+                       smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+                                              &smc->clcsk_data_ready);
+-                      smc->clcsock->sk->sk_user_data = NULL;
++                      rcu_assign_sk_user_data(smc->clcsock->sk, NULL);
+                       write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+                       rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
+               }
+-- 
+2.51.0
+
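Review bot: In smc_listen(), `sock_set_flag(sk, SOCK_RCU_FREE)` is set only after sk_user_data has been published with `__rcu_assign_sk_user_data_with_flags()` and kernel_listen() has returned, so there is a window in which the clcsock is listening and points at an smc_sock that is not yet RCU-freed. This is presumably safe today because smc_listen() and the release path are serialized by lock_sock(), but the invariant the RCU reader in smc_tcp_syn_recv_sock() relies on would be easier to audit if the `sock_set_flag(sk, SOCK_RCU_FREE);` line moved ahead of the write_lock_bh() block that publishes sk_user_data. The reader side also deserves a comment at the new rcu_read_lock(), e.g. `/* listen smc_sock is SOCK_RCU_FREE; pin it with a refcount before leaving the RCU section */`, since the `smc = NULL; goto drop;` on the failure path is what keeps the `if (smc) sock_put()` under drop: correct and that coupling is easy to miss.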
diff --git a/queue-6.12/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch b/queue-6.12/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
new file mode 100644 (file)
index 0000000..eb0efa1
--- /dev/null
@@ -0,0 +1,69 @@
+From 7ec34d6c2d697391c2eeb391ccd62df34a62ee28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 16:16:43 +0200
+Subject: net: usb: aqc111: Do not perform PM inside suspend callback
+
+From: Nikola Z. Ivanov <zlatistiv@gmail.com>
+
+[ Upstream commit 069c8f5aebe4d5224cf62acc7d4b3486091c658a ]
+
+syzbot reports "task hung in rpm_resume"
+
+This is caused by aqc111_suspend calling
+the PM variant of its write_cmd routine.
+
+The simplified call trace looks like this:
+
+rpm_suspend()
+  usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING
+    aqc111_suspend() - called for the usb device interface
+      aqc111_write32_cmd()
+        usb_autopm_get_interface()
+          pm_runtime_resume_and_get()
+            rpm_resume() - here we call rpm_resume() on our parent
+              rpm_resume() - Here we wait for a status change that will never happen.
+
+At this point we block another task which holds
+rtnl_lock and locks up the whole networking stack.
+
+Fix this by replacing the write_cmd calls with their _nopm variants
+
+Reported-by: syzbot+48dc1e8dfc92faf1124c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=48dc1e8dfc92faf1124c
+Fixes: e58ba4544c77 ("net: usb: aqc111: Add support for wake on LAN by MAGIC packet")
+Signed-off-by: Nikola Z. Ivanov <zlatistiv@gmail.com>
+Link: https://patch.msgid.link/20260313141643.1181386-1-zlatistiv@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/aqc111.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c
+index 9201ee10a13f7..d316aa66dbc23 100644
+--- a/drivers/net/usb/aqc111.c
++++ b/drivers/net/usb/aqc111.c
+@@ -1400,14 +1400,14 @@ static int aqc111_suspend(struct usb_interface *intf, pm_message_t message)
+               aqc111_write16_cmd_nopm(dev, AQ_ACCESS_MAC,
+                                       SFR_MEDIUM_STATUS_MODE, 2, &reg16);
+-              aqc111_write_cmd(dev, AQ_WOL_CFG, 0, 0,
+-                               WOL_CFG_SIZE, &wol_cfg);
+-              aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0,
+-                                 &aqc111_data->phy_cfg);
++              aqc111_write_cmd_nopm(dev, AQ_WOL_CFG, 0, 0,
++                                    WOL_CFG_SIZE, &wol_cfg);
++              aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0,
++                                      &aqc111_data->phy_cfg);
+       } else {
+               aqc111_data->phy_cfg |= AQ_LOW_POWER;
+-              aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0,
+-                                 &aqc111_data->phy_cfg);
++              aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0,
++                                      &aqc111_data->phy_cfg);
+               /* Disable RX path */
+               aqc111_read16_cmd_nopm(dev, AQ_ACCESS_MAC,
+-- 
+2.51.0
+
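Review bot: Only three calls in aqc111_suspend() are switched to the `_nopm` variants, and the function starts and ends outside the hunk, so any remaining non-`_nopm` aqc111_*_cmd() call elsewhere in aqc111_suspend() (or in the resume callback, which runs with the parent in a transitional RPM state and likely has the same constraint) would re-create the same rpm_resume() hang. Worth a grep of the file for `_cmd(` calls reachable from suspend/resume. A comment at the top of aqc111_suspend() would prevent regressions: `/* Only the _nopm helpers may be used here: usb_autopm_get_interface() from inside suspend blocks forever in rpm_resume() */`.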
diff --git a/queue-6.12/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch b/queue-6.12/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch
new file mode 100644 (file)
index 0000000..1477570
--- /dev/null
@@ -0,0 +1,65 @@
+From 59d4de4b0bd458c6e1717fc4ad476eccafacaa49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 22:46:39 -0700
+Subject: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check
+
+From: Tobi Gaertner <tob.gaertner@me.com>
+
+[ Upstream commit 2aa8a4fa8d5b7d0e1ebcec100e1a4d80a1f4b21a ]
+
+cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE
+entries fit within the skb. The first check correctly accounts for
+ndpoffset:
+
+  if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len)
+
+but the second check omits it:
+
+  if ((sizeof(struct usb_cdc_ncm_ndp16) +
+       ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len)
+
+This validates the DPE array size against the total skb length as if
+the NDP were at offset 0, rather than at ndpoffset. When the NDP is
+placed near the end of the NTB (large wNdpIndex), the DPE entries can
+extend past the skb data buffer even though the check passes.
+cdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating
+the DPE array.
+
+Add ndpoffset to the nframes bounds check and use struct_size_t() to
+express the NDP-plus-DPE-array size more clearly.
+
+Fixes: ff06ab13a4cc ("net: cdc_ncm: splitting rx_fixup for code reuse")
+Signed-off-by: Tobi Gaertner <tob.gaertner@me.com>
+Link: https://patch.msgid.link/20260314054640.2895026-2-tob.gaertner@me.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_ncm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index 5c89e03f93d61..a006583e8e085 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1657,6 +1657,7 @@ int cdc_ncm_rx_verify_ndp16(struct sk_buff *skb_in, int ndpoffset)
+       struct usbnet *dev = netdev_priv(skb_in->dev);
+       struct usb_cdc_ncm_ndp16 *ndp16;
+       int ret = -EINVAL;
++      size_t ndp_len;
+       if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) {
+               netif_dbg(dev, rx_err, dev->net, "invalid NDP offset  <%u>\n",
+@@ -1676,8 +1677,8 @@ int cdc_ncm_rx_verify_ndp16(struct sk_buff *skb_in, int ndpoffset)
+                                       sizeof(struct usb_cdc_ncm_dpe16));
+       ret--; /* we process NDP entries except for the last one */
+-      if ((sizeof(struct usb_cdc_ncm_ndp16) +
+-           ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) {
++      ndp_len = struct_size_t(struct usb_cdc_ncm_ndp16, dpe16, ret);
++      if (ndpoffset + ndp_len > skb_in->len) {
+               netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret);
+               ret = -EINVAL;
+       }
+-- 
+2.51.0
+
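Review bot: The corrected bound `ndpoffset + ndp_len > skb_in->len` is only sound if `ret` is non-negative after the `ret--` on the preceding line: struct_size_t() takes a size_t count, so a negative int saturates it to SIZE_MAX, and adding `ndpoffset` to SIZE_MAX wraps to a small value that passes the check. Upstream this is presumably guaranteed by the minimum-wLength check earlier in the function, which is outside the hunk; an explicit `if (ret < 0) goto error;` or at least a comment, `/* the wLength minimum check above guarantees ret >= 1 here */`, would keep a later refactor of that check from silently reopening the OOB read. cdc_ncm_rx_verify_ndp16() ends outside the hunk.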
diff --git a/queue-6.12/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch b/queue-6.12/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch
new file mode 100644 (file)
index 0000000..3aeec50
--- /dev/null
@@ -0,0 +1,54 @@
+From be60e298711fd984bbaec5fe69940cb131311e27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 22:46:40 -0700
+Subject: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
+
+From: Tobi Gaertner <tob.gaertner@me.com>
+
+[ Upstream commit 77914255155e68a20aa41175edeecf8121dac391 ]
+
+The same bounds-check bug fixed for NDP16 in the previous patch also
+exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated
+against the total skb length without accounting for ndpoffset, allowing
+out-of-bounds reads when the NDP32 is placed near the end of the NTB.
+
+Add ndpoffset to the nframes bounds check and use struct_size_t() to
+express the NDP-plus-DPE-array size more clearly.
+
+Compile-tested only.
+
+Fixes: 0fa81b304a79 ("cdc_ncm: Implement the 32-bit version of NCM Transfer Block")
+Signed-off-by: Tobi Gaertner <tob.gaertner@me.com>
+Link: https://patch.msgid.link/20260314054640.2895026-3-tob.gaertner@me.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_ncm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index a006583e8e085..c00699cd3e350 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1694,6 +1694,7 @@ int cdc_ncm_rx_verify_ndp32(struct sk_buff *skb_in, int ndpoffset)
+       struct usbnet *dev = netdev_priv(skb_in->dev);
+       struct usb_cdc_ncm_ndp32 *ndp32;
+       int ret = -EINVAL;
++      size_t ndp_len;
+       if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp32)) > skb_in->len) {
+               netif_dbg(dev, rx_err, dev->net, "invalid NDP offset  <%u>\n",
+@@ -1713,8 +1714,8 @@ int cdc_ncm_rx_verify_ndp32(struct sk_buff *skb_in, int ndpoffset)
+                                       sizeof(struct usb_cdc_ncm_dpe32));
+       ret--; /* we process NDP entries except for the last one */
+-      if ((sizeof(struct usb_cdc_ncm_ndp32) +
+-           ret * (sizeof(struct usb_cdc_ncm_dpe32))) > skb_in->len) {
++      ndp_len = struct_size_t(struct usb_cdc_ncm_ndp32, dpe32, ret);
++      if (ndpoffset + ndp_len > skb_in->len) {
+               netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret);
+               ret = -EINVAL;
+       }
+-- 
+2.51.0
+
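Review bot: The new bound `if (ndpoffset + ndp_len > skb_in->len)` adds an `int` offset to a `size_t` length, which is only safe because the earlier check in this function already rejected any ndpoffset that does not leave room for the NDP header; that dependency deserves a comment such as `/* ndpoffset was validated against the NTB above; ndp_len covers the NDP header plus ret DPEs */`. As far as I recall struct_size_t() saturates rather than wraps on an oversized count, so a huge nframes still fails the comparison instead of slipping past it. The same comment applies to the NDP16 counterpart in the preceding patch file. cdc_ncm_rx_verify_ndp32's body continues outside the hunk.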
diff --git a/queue-6.12/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch b/queue-6.12/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch
new file mode 100644 (file)
index 0000000..3c62e47
--- /dev/null
@@ -0,0 +1,47 @@
+From f9030b657e91ad2bc2c970de57c067f6a53da9f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 12:23:08 +0100
+Subject: netfilter: bpf: defer hook memory release until rcu readers are done
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 24f90fa3994b992d1a09003a3db2599330a5232a ]
+
+Yiming Qian reports UaF when concurrent process is dumping hooks via
+nfnetlink_hooks:
+
+BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
+Read of size 8 at addr ffff888003edbf88 by task poc/79
+Call Trace:
+ <TASK>
+ nfnl_hook_dump_one.isra.0+0xe71/0x10f0
+ netlink_dump+0x554/0x12b0
+ nfnl_hook_get+0x176/0x230
+ [..]
+
+Defer release until after concurrent readers have completed.
+
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_bpf_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
+index b5e4ca9026a8e..be5e8bd90a3eb 100644
+--- a/net/netfilter/nf_bpf_link.c
++++ b/net/netfilter/nf_bpf_link.c
+@@ -170,7 +170,7 @@ static int bpf_nf_link_update(struct bpf_link *link, struct bpf_prog *new_prog,
+ static const struct bpf_link_ops bpf_nf_link_lops = {
+       .release = bpf_nf_link_release,
+-      .dealloc = bpf_nf_link_dealloc,
++      .dealloc_deferred = bpf_nf_link_dealloc,
+       .detach = bpf_nf_link_detach,
+       .show_fdinfo = bpf_nf_link_show_info,
+       .fill_link_info = bpf_nf_link_fill_link_info,
+-- 
+2.51.0
+
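Review bot: Switching the ops table to `.dealloc_deferred` changes when bpf_nf_link_dealloc runs — after an RCU grace period rather than immediately — and nothing at the initializer records why, so a later cleanup could move it back to `.dealloc` without noticing. Suggest a comment above the table: `/* nfnetlink_hook dumps walk the hook under RCU; defer the free until readers are done */`. As I recall the deferred callback is invoked from an RCU callback, so bpf_nf_link_dealloc must not sleep; its body is outside this hunk and should be checked for that.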
diff --git a/queue-6.12/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch b/queue-6.12/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
new file mode 100644 (file)
index 0000000..b704dc9
--- /dev/null
@@ -0,0 +1,123 @@
+From 29bd7f460f16056cbe437e92300d526de95e2b34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Mar 2026 02:21:37 +0900
+Subject: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit 5cb81eeda909dbb2def209dd10636b51549a3f8a ]
+
+ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the
+netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the
+conntrack reference immediately after netlink_dump_start().  When the
+dump spans multiple rounds, the second recvmsg() triggers the dump
+callback which dereferences the now-freed conntrack via nfct_help(ct),
+leading to a use-after-free on ct->ext.
+
+The bug is that the netlink_dump_control has no .start or .done
+callbacks to manage the conntrack reference across dump rounds.  Other
+dump functions in the same file (e.g. ctnetlink_get_conntrack) properly
+use .start/.done callbacks for this purpose.
+
+Fix this by adding .start and .done callbacks that hold and release the
+conntrack reference for the duration of the dump, and move the
+nfct_help() call after the cb->args[0] early-return check in the dump
+callback to avoid dereferencing ct->ext unnecessarily.
+
+ BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0
+ Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133
+
+ CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY
+ Call Trace:
+  <TASK>
+  ctnetlink_exp_ct_dump_table+0x4f/0x2e0
+  netlink_dump+0x333/0x880
+  netlink_recvmsg+0x3e2/0x4b0
+  ? aa_sk_perm+0x184/0x450
+  sock_recvmsg+0xde/0xf0
+
+ Allocated by task 133:
+  kmem_cache_alloc_noprof+0x134/0x440
+  __nf_conntrack_alloc+0xa8/0x2b0
+  ctnetlink_create_conntrack+0xa1/0x900
+  ctnetlink_new_conntrack+0x3cf/0x7d0
+  nfnetlink_rcv_msg+0x48e/0x510
+  netlink_rcv_skb+0xc9/0x1f0
+  nfnetlink_rcv+0xdb/0x220
+  netlink_unicast+0x3ec/0x590
+  netlink_sendmsg+0x397/0x690
+  __sys_sendmsg+0xf4/0x180
+
+ Freed by task 0:
+  slab_free_after_rcu_debug+0xad/0x1e0
+  rcu_core+0x5c3/0x9c0
+
+Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 13836723223e0..627790fcb6bb0 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3206,7 +3206,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+       struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+       struct nf_conn *ct = cb->data;
+-      struct nf_conn_help *help = nfct_help(ct);
++      struct nf_conn_help *help;
+       u_int8_t l3proto = nfmsg->nfgen_family;
+       unsigned long last_id = cb->args[1];
+       struct nf_conntrack_expect *exp;
+@@ -3214,6 +3214,10 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       if (cb->args[0])
+               return 0;
++      help = nfct_help(ct);
++      if (!help)
++              return 0;
++
+       rcu_read_lock();
+ restart:
+@@ -3243,6 +3247,24 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       return skb->len;
+ }
++static int ctnetlink_dump_exp_ct_start(struct netlink_callback *cb)
++{
++      struct nf_conn *ct = cb->data;
++
++      if (!refcount_inc_not_zero(&ct->ct_general.use))
++              return -ENOENT;
++      return 0;
++}
++
++static int ctnetlink_dump_exp_ct_done(struct netlink_callback *cb)
++{
++      struct nf_conn *ct = cb->data;
++
++      if (ct)
++              nf_ct_put(ct);
++      return 0;
++}
++
+ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+                                struct sk_buff *skb,
+                                const struct nlmsghdr *nlh,
+@@ -3258,6 +3280,8 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+       struct nf_conntrack_zone zone;
+       struct netlink_dump_control c = {
+               .dump = ctnetlink_exp_ct_dump_table,
++              .start = ctnetlink_dump_exp_ct_start,
++              .done = ctnetlink_dump_exp_ct_done,
+       };
+       err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
+-- 
+2.51.0
+
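Review bot: ctnetlink_dump_exp_ct_start() dereferences `cb->data` unconditionally while ctnetlink_dump_exp_ct_done() guards with `if (ct)`; the two should agree, and the reason the pair exists is not stated in the code. A short comment above the start callback would help: `/* the caller drops its ct reference right after netlink_dump_start(); hold one for the lifetime of the dump */`. The added `if (!help) return 0;` in ctnetlink_exp_ct_dump_table is a behaviour change the commit message does not mention (a conntrack without a helper extension now yields an empty dump rather than touching a NULL help), so a one-line comment would keep it from being read as redundant. ctnetlink_dump_exp_ct, where `.start`/`.done` are wired up, continues outside the hunk.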
diff --git a/queue-6.12/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch b/queue-6.12/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch
new file mode 100644 (file)
index 0000000..caccc96
--- /dev/null
@@ -0,0 +1,165 @@
+From e1bc9463859af7625f2e1342587d1a4d8a969d1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Aug 2025 17:25:09 +0200
+Subject: netfilter: ctnetlink: remove refcounting in expectation dumpers
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 1492e3dcb2be3aa46d1963da96aa9593e4e4db5a ]
+
+Same pattern as previous patch: do not keep the expectation object
+alive via refcount, only store a cookie value and then use that
+as the skip hint for dump resumption.
+
+AFAICS this has the same issue as the one resolved in the conntrack
+dumper, when we do
+  if (!refcount_inc_not_zero(&exp->use))
+
+to increment the refcount, there is a chance that exp == last, which
+causes a double-increment of the refcount and subsequent memory leak.
+
+Fixes: cf6994c2b981 ("[NETFILTER]: nf_conntrack_netlink: sync expectation dumping with conntrack table dumping")
+Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Stable-dep-of: 5cb81eeda909 ("netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 41 ++++++++++++----------------
+ 1 file changed, 17 insertions(+), 24 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 18a91c031554c..13836723223e0 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3146,23 +3146,27 @@ ctnetlink_expect_event(unsigned int events, const struct nf_exp_event *item)
+       return 0;
+ }
+ #endif
+-static int ctnetlink_exp_done(struct netlink_callback *cb)
++
++static unsigned long ctnetlink_exp_id(const struct nf_conntrack_expect *exp)
+ {
+-      if (cb->args[1])
+-              nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
+-      return 0;
++      unsigned long id = (unsigned long)exp;
++
++      id += nf_ct_get_id(exp->master);
++      id += exp->class;
++
++      return id ? id : 1;
+ }
+ static int
+ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+       struct net *net = sock_net(skb->sk);
+-      struct nf_conntrack_expect *exp, *last;
+       struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+       u_int8_t l3proto = nfmsg->nfgen_family;
++      unsigned long last_id = cb->args[1];
++      struct nf_conntrack_expect *exp;
+       rcu_read_lock();
+-      last = (struct nf_conntrack_expect *)cb->args[1];
+       for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
+ restart:
+               hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]],
+@@ -3174,7 +3178,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+                               continue;
+                       if (cb->args[1]) {
+-                              if (exp != last)
++                              if (ctnetlink_exp_id(exp) != last_id)
+                                       continue;
+                               cb->args[1] = 0;
+                       }
+@@ -3183,9 +3187,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+                                                   cb->nlh->nlmsg_seq,
+                                                   IPCTNL_MSG_EXP_NEW,
+                                                   exp) < 0) {
+-                              if (!refcount_inc_not_zero(&exp->use))
+-                                      continue;
+-                              cb->args[1] = (unsigned long)exp;
++                              cb->args[1] = ctnetlink_exp_id(exp);
+                               goto out;
+                       }
+               }
+@@ -3196,32 +3198,30 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       }
+ out:
+       rcu_read_unlock();
+-      if (last)
+-              nf_ct_expect_put(last);
+-
+       return skb->len;
+ }
+ static int
+ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+-      struct nf_conntrack_expect *exp, *last;
+       struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+       struct nf_conn *ct = cb->data;
+       struct nf_conn_help *help = nfct_help(ct);
+       u_int8_t l3proto = nfmsg->nfgen_family;
++      unsigned long last_id = cb->args[1];
++      struct nf_conntrack_expect *exp;
+       if (cb->args[0])
+               return 0;
+       rcu_read_lock();
+-      last = (struct nf_conntrack_expect *)cb->args[1];
++
+ restart:
+       hlist_for_each_entry_rcu(exp, &help->expectations, lnode) {
+               if (l3proto && exp->tuple.src.l3num != l3proto)
+                       continue;
+               if (cb->args[1]) {
+-                      if (exp != last)
++                      if (ctnetlink_exp_id(exp) != last_id)
+                               continue;
+                       cb->args[1] = 0;
+               }
+@@ -3229,9 +3229,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+                                           cb->nlh->nlmsg_seq,
+                                           IPCTNL_MSG_EXP_NEW,
+                                           exp) < 0) {
+-                      if (!refcount_inc_not_zero(&exp->use))
+-                              continue;
+-                      cb->args[1] = (unsigned long)exp;
++                      cb->args[1] = ctnetlink_exp_id(exp);
+                       goto out;
+               }
+       }
+@@ -3242,9 +3240,6 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       cb->args[0] = 1;
+ out:
+       rcu_read_unlock();
+-      if (last)
+-              nf_ct_expect_put(last);
+-
+       return skb->len;
+ }
+@@ -3263,7 +3258,6 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+       struct nf_conntrack_zone zone;
+       struct netlink_dump_control c = {
+               .dump = ctnetlink_exp_ct_dump_table,
+-              .done = ctnetlink_exp_done,
+       };
+       err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
+@@ -3313,7 +3307,6 @@ static int ctnetlink_get_expect(struct sk_buff *skb,
+               else {
+                       struct netlink_dump_control c = {
+                               .dump = ctnetlink_exp_dump_table,
+-                              .done = ctnetlink_exp_done,
+                       };
+                       return netlink_dump_start(info->sk, skb, info->nlh, &c);
+               }
+-- 
+2.51.0
+
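Review bot: ctnetlink_exp_id() turns the resume cookie into a best-effort hint — the id is the object address plus the master's id and class, so an expectation freed and reallocated between rounds could yield the same id, and one that vanished is never matched — but nothing documents that this is intended and that the consequence is limited to dump completeness (re-emitted entries, judging by the `restart:` labels), not memory safety. Suggest a comment above the helper: `/* best-effort resume cookie: a collision or a vanished entry only affects which entries are re-emitted, never memory safety */`. The `id ? id : 1` guard keeps the cookie from colliding with the "no resume point" value 0 in cb->args[1]; a few words on that line would save the next reader a look. Both dump tables extend beyond the visible hunks.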
diff --git a/queue-6.12/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch b/queue-6.12/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
new file mode 100644 (file)
index 0000000..c793103
--- /dev/null
@@ -0,0 +1,47 @@
+From 8c4a29c35d560d898568474cbbb0f791bacd7f64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 14:49:50 +0000
+Subject: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit f173d0f4c0f689173f8cdac79991043a4a89bf66 ]
+
+In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
+the packet, then decrements it by 1 to skip the protocol discriminator
+byte before passing it to DecodeH323_UserInformation(). If the encoded
+length is 0, the decrement wraps to -1, which is then passed as a
+large value to the decoder, leading to an out-of-bounds read.
+
+Add a check to ensure len is positive after the decrement.
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index c972e9488e16f..7b1497ed97d26 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
+                               break;
+                       p++;
+                       len--;
++                      if (len <= 0)
++                              break;
+                       return DecodeH323_UserInformation(buf, p, len,
+                                                         &q931->UUIE);
+               }
+-- 
+2.51.0
+
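Review bot: The new `if (len <= 0) break;` relies on `len` being a signed type, which the hunk does not show and the commit message only implies (the decrement "wraps to -1"), so a reader of this site alone cannot tell whether `len` can go negative. A comment would make the intent survive a future type change: `/* len counted only the protocol discriminator byte just skipped; nothing left to decode */`. If `len` is ever made unsigned the check degrades gracefully to `len == 0`, which is still correct. DecodeQ931's loop and the earlier length check are outside the hunk.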
diff --git a/queue-6.12/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch b/queue-6.12/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
new file mode 100644 (file)
index 0000000..110c2d5
--- /dev/null
@@ -0,0 +1,48 @@
+From 63e2261dbf5931f1b0436797ee0049b5cb7cd306 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 02:29:32 +0000
+Subject: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a ]
+
+In decode_int(), the CONS case calls get_bits(bs, 2) to read a length
+value, then calls get_uint(bs, len) without checking that len bytes
+remain in the buffer. The existing boundary check only validates the
+2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()
+reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte
+slab-out-of-bounds read.
+
+Add a boundary check for len bytes after get_bits() and before
+get_uint().
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index 62aa22a078769..c972e9488e16f 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -331,6 +331,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f,
+               if (nf_h323_error_boundary(bs, 0, 2))
+                       return H323_ERROR_BOUND;
+               len = get_bits(bs, 2) + 1;
++              if (nf_h323_error_boundary(bs, len, 0))
++                      return H323_ERROR_BOUND;
+               BYTE_ALIGN(bs);
+               if (base && (f->attr & DECODE)) {       /* timeToLive */
+                       unsigned int v = get_uint(bs, len) + f->lb;
+-- 
+2.51.0
+
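Review bot: The added `nf_h323_error_boundary(bs, len, 0)` runs before `BYTE_ALIGN(bs)`, so it is only correct if the helper rounds the pending bit offset up to a whole byte when computing the end pointer; as far as I recall it does, but that is exactly the detail the next reader will have to re-derive. A comment would pin it: `/* covers the partial byte consumed by get_bits() above, so the post-BYTE_ALIGN read of len bytes is in bounds */`. The same get_bits()-then-get_uint() shape may exist at other decoder call sites in this file and is worth a sweep. decode_int's body continues outside the hunk.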
diff --git a/queue-6.12/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch b/queue-6.12/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
new file mode 100644 (file)
index 0000000..6514eb8
--- /dev/null
@@ -0,0 +1,66 @@
+From 0b8fd6bcab1a2bd498adf465e6c3a7a0d077e8d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Mar 2026 21:49:01 +0000
+Subject: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in
+ sip_help_tcp()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lukas Johannes Möller <research@johannes-moeller.dev>
+
+[ Upstream commit fbce58e719a17aa215c724473fd5baaa4a8dc57c ]
+
+sip_help_tcp() parses the SIP Content-Length header with
+simple_strtoul(), which returns unsigned long, but stores the result in
+unsigned int clen.  On 64-bit systems, values exceeding UINT_MAX are
+silently truncated before computing the SIP message boundary.
+
+For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,
+causing the parser to miscalculate where the current message ends.  The
+loop then treats trailing data in the TCP segment as a second SIP
+message and processes it through the SDP parser.
+
+Fix this by changing clen to unsigned long to match the return type of
+simple_strtoul(), and reject Content-Length values that exceed the
+remaining TCP payload length.
+
+Fixes: f5b321bd37fb ("netfilter: nf_conntrack_sip: add TCP support")
+Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_sip.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
+index d0eac27f6ba03..657839a58782a 100644
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -1534,11 +1534,12 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
+ {
+       struct tcphdr *th, _tcph;
+       unsigned int dataoff, datalen;
+-      unsigned int matchoff, matchlen, clen;
++      unsigned int matchoff, matchlen;
+       unsigned int msglen, origlen;
+       const char *dptr, *end;
+       s16 diff, tdiff = 0;
+       int ret = NF_ACCEPT;
++      unsigned long clen;
+       bool term;
+       if (ctinfo != IP_CT_ESTABLISHED &&
+@@ -1573,6 +1574,9 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
+               if (dptr + matchoff == end)
+                       break;
++              if (clen > datalen)
++                      break;
++
+               term = false;
+               for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
+                       if (end[0] == '\r' && end[1] == '\n' &&
+-- 
+2.51.0
+
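Review bot: The new `if (clen > datalen) break;` compares the parsed Content-Length against the whole remaining payload rather than what is left after the header block ending at `end`, so a value larger than the body but not the segment still passes here; whether the msglen/origlen arithmetic outside the hunk catches that should be confirmed. Separately, simple_strtoul() does not report overflow as far as I recall, so a digit string that overflows unsigned long still wraps before this comparison; a comment recording that limitation, or an overflow-rejecting parse, would make the guard's coverage explicit. Suggest: `/* coarse bound: Content-Length must fit the remaining TCP payload; simple_strtoul() wraps on overflow */`. sip_help_tcp's loop and the header parse are outside the hunk.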
diff --git a/queue-6.12/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch b/queue-6.12/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch
new file mode 100644 (file)
index 0000000..9daa451
--- /dev/null
@@ -0,0 +1,51 @@
+From a026fbd705b933a99c272ce8b08cd022c5bbcc97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 20:00:26 +0100
+Subject: netfilter: nf_tables: release flowtable after rcu grace period on
+ error
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit d73f4b53aaaea4c95f245e491aa5eeb8a21874ce ]
+
+Call synchronize_rcu() after unregistering the hooks from error path,
+since a hook that already refers to this flowtable can be already
+registered, exposing this flowtable to packet path and nfnetlink_hook
+control plane.
+
+This error path is rare, it should only happen by reaching the maximum
+number hooks or by failing to set up to hardware offload, just call
+synchronize_rcu().
+
+There is a check for already used device hooks by different flowtable
+that could result in EEXIST at this late stage. The hook parser can be
+updated to perform this check earlier to this error path really becomes
+rarely exercised.
+
+Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
+when dumping hooks.
+
+Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 0c12560e94f3b..663c064135181 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -8966,6 +8966,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
+       return 0;
+ err_flowtable_hooks:
++      synchronize_rcu();
+       nft_trans_destroy(trans);
+ err_flowtable_trans:
+       nft_hooks_destroy(&flowtable->hook_list);
+-- 
+2.51.0
+
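Review bot: The `synchronize_rcu()` at `err_flowtable_hooks:` has no comment explaining why a failure path waits for a grace period, and the label structure is what makes it correct: every path on which hooks were already registered must reach `err_flowtable_hooks` rather than jumping straight to `err_flowtable_trans`, since the hook memory is released in the `nft_hooks_destroy()` below. The rest of nf_tables_newflowtable is outside the hunk, so that label discipline should be checked there. Suggest: `/* hooks may already be visible to the packet path and nfnetlink_hook dumpers; wait for readers before freeing them */`. This is sleepable netlink context, so a full grace-period wait on a rare error path is acceptable, as the commit notes.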
diff --git a/queue-6.12/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch b/queue-6.12/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch
new file mode 100644 (file)
index 0000000..de4231f
--- /dev/null
@@ -0,0 +1,70 @@
+From 9607162b6a8af47fa8c363cbbf8473dbb1b08acb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 13:48:47 +0100
+Subject: netfilter: nft_ct: drop pending enqueued packets on removal
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 36eae0956f659e48d5366d9b083d9417f3263ddc ]
+
+Packets sitting in nfqueue might hold a reference to:
+
+- templates that specify the conntrack zone, because a percpu area is
+  used and module removal is possible.
+- conntrack timeout policies and helper, where object removal leave
+  a stale reference.
+
+Since these objects can just go away, drop enqueued packets to avoid
+stale reference to them.
+
+If there is a need for finer grain removal, this logic can be revisited
+to make selective packet drop upon dependencies.
+
+Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_ct.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index 58a6ad7ed7a46..e361de439b773 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -23,6 +23,7 @@
+ #include <net/netfilter/nf_conntrack_l4proto.h>
+ #include <net/netfilter/nf_conntrack_expect.h>
+ #include <net/netfilter/nf_conntrack_seqadj.h>
++#include "nf_internals.h"
+ struct nft_ct_helper_obj  {
+       struct nf_conntrack_helper *helper4;
+@@ -527,6 +528,7 @@ static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv)
+ #endif
+ #ifdef CONFIG_NF_CONNTRACK_ZONES
+       case NFT_CT_ZONE:
++              nf_queue_nf_hook_drop(ctx->net);
+               mutex_lock(&nft_ct_pcpu_mutex);
+               if (--nft_ct_pcpu_template_refcnt == 0)
+                       nft_ct_tmpl_put_pcpu();
+@@ -997,6 +999,7 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx,
+       struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
+       struct nf_ct_timeout *timeout = priv->timeout;
++      nf_queue_nf_hook_drop(ctx->net);
+       nf_ct_untimeout(ctx->net, timeout);
+       nf_ct_netns_put(ctx->net, ctx->family);
+       kfree(priv->timeout);
+@@ -1129,6 +1132,7 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx,
+ {
+       struct nft_ct_helper_obj *priv = nft_obj_data(obj);
++      nf_queue_nf_hook_drop(ctx->net);
+       if (priv->helper4)
+               nf_conntrack_helper_put(priv->helper4);
+       if (priv->helper6)
+-- 
+2.51.0
+
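Review bot: The three new `nf_queue_nf_hook_drop(ctx->net)` calls flush every packet queued in the namespace, not only those referencing the object being destroyed, and the NFT_CT_ZONE case does so on every zone rule removal even when the per-cpu template refcount does not reach zero; the commit message accepts the coarse behaviour, but the code should say so. Suggest the same comment at each site, e.g. in nft_ct_timeout_obj_destroy: `/* queued packets may still reference this timeout; flush them before it goes away */`. Conditioning the zone-case drop on the refcount reaching zero would require moving the drop under nft_ct_pcpu_mutex, which may be why it was kept simple. The destroy functions are only partly visible here.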
diff --git a/queue-6.12/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch b/queue-6.12/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
new file mode 100644 (file)
index 0000000..3d79973
--- /dev/null
@@ -0,0 +1,54 @@
+From afa7928aa65f5ad6645af46715301ac7be5add87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 13:48:48 +0100
+Subject: netfilter: xt_CT: drop pending enqueued packets on template removal
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit f62a218a946b19bb59abdd5361da85fa4606b96b ]
+
+Templates refer to objects that can go away while packets are sitting in
+nfqueue refer to:
+
+- helper, this can be an issue on module removal.
+- timeout policy, nfnetlink_cttimeout might remove it.
+
+The use of templates with zone and event cache filter are safe, since
+this just copies values.
+
+Flush these enqueued packets in case the template rule gets removed.
+
+Fixes: 24de58f46516 ("netfilter: xt_CT: allow to attach timeout policy + glue code")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_CT.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
+index 3ba94c34297cf..498f5871c84a0 100644
+--- a/net/netfilter/xt_CT.c
++++ b/net/netfilter/xt_CT.c
+@@ -16,6 +16,7 @@
+ #include <net/netfilter/nf_conntrack_ecache.h>
+ #include <net/netfilter/nf_conntrack_timeout.h>
+ #include <net/netfilter/nf_conntrack_zones.h>
++#include "nf_internals.h"
+ static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct)
+ {
+@@ -283,6 +284,9 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par,
+       struct nf_conn_help *help;
+       if (ct) {
++              if (info->helper[0] || info->timeout[0])
++                      nf_queue_nf_hook_drop(par->net);
++
+               help = nfct_help(ct);
+               xt_ct_put_helper(help);
+-- 
+2.51.0
+
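Review bot: The condition `if (info->helper[0] || info->timeout[0])` encodes the reasoning from the commit message — only helper and timeout templates reference objects that can disappear, while zone and event-cache templates copy values — but that reasoning is absent from the code. Suggest: `/* helper/timeout templates reference objects that may go away; zone/ecache only copy values */`. xt_ct_tg_destroy continues outside the hunk.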
diff --git a/queue-6.12/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch b/queue-6.12/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
new file mode 100644 (file)
index 0000000..1cae896
--- /dev/null
@@ -0,0 +1,53 @@
+From 26d31a318057476163e2a020829996920b54a463 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 14:59:49 +0000
+Subject: netfilter: xt_time: use unsigned int for monthday bit shift
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit 00050ec08cecfda447e1209b388086d76addda3a ]
+
+The monthday field can be up to 31, and shifting a signed integer 1
+by 31 positions (1 << 31) is undefined behavior in C, as the result
+overflows a 32-bit signed int. Use 1U to ensure well-defined behavior
+for all valid monthday values.
+
+Change the weekday shift to 1U as well for consistency.
+
+Fixes: ee4411a1b1e0 ("[NETFILTER]: x_tables: add xt_time match")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_time.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
+index 6aa12d0f54e23..61de85e02a40f 100644
+--- a/net/netfilter/xt_time.c
++++ b/net/netfilter/xt_time.c
+@@ -227,13 +227,13 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par)
+       localtime_2(&current_time, stamp);
+-      if (!(info->weekdays_match & (1 << current_time.weekday)))
++      if (!(info->weekdays_match & (1U << current_time.weekday)))
+               return false;
+       /* Do not spend time computing monthday if all days match anyway */
+       if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) {
+               localtime_3(&current_time, stamp);
+-              if (!(info->monthdays_match & (1 << current_time.monthday)))
++              if (!(info->monthdays_match & (1U << current_time.monthday)))
+                       return false;
+       }
+-- 
+2.51.0
+
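Review bot: The `1U` shifts are well-defined only while weekday and monthday stay below 32, and nothing at this site records their ranges; if XT_TIME_ALL_MONTHDAYS leaves bit 0 clear, as I recall, monthday is 1-based and bit 31 is reachable. A one-line comment would pin the invariant: `/* monthday is 1..31, so bit 31 is reachable and needs an unsigned shift */`. time_mt continues outside the hunk.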
diff --git a/queue-6.12/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch b/queue-6.12/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch
new file mode 100644 (file)
index 0000000..4fc7edc
--- /dev/null
@@ -0,0 +1,107 @@
+From 731c558e6025e5888d485c7b4c987b936ca4095a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 12:38:59 +0100
+Subject: nf_tables: nft_dynset: fix possible stateful expression memleak in
+ error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 0548a13b5a145b16e4da0628b5936baf35f51b43 ]
+
+If cloning the second stateful expression in the element via GFP_ATOMIC
+fails, then the first stateful expression remains in place without being
+released.
+
+   unreferenced object (percpu) 0x607b97e9cab8 (size 16):
+     comm "softirq", pid 0, jiffies 4294931867
+     hex dump (first 16 bytes on cpu 3):
+       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+     backtrace (crc 0):
+       pcpu_alloc_noprof+0x453/0xd80
+       nft_counter_clone+0x9c/0x190 [nf_tables]
+       nft_expr_clone+0x8f/0x1b0 [nf_tables]
+       nft_dynset_new+0x2cb/0x5f0 [nf_tables]
+       nft_rhash_update+0x236/0x11c0 [nf_tables]
+       nft_dynset_eval+0x11f/0x670 [nf_tables]
+       nft_do_chain+0x253/0x1700 [nf_tables]
+       nft_do_chain_ipv4+0x18d/0x270 [nf_tables]
+       nf_hook_slow+0xaa/0x1e0
+       ip_local_deliver+0x209/0x330
+
+Fixes: 563125a73ac3 ("netfilter: nftables: generalize set extension to support for several expressions")
+Reported-by: Gurpreet Shergill <giki.shergill@proton.me>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_tables.h |  2 ++
+ net/netfilter/nf_tables_api.c     |  4 ++--
+ net/netfilter/nft_dynset.c        | 10 +++++++++-
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index 79296ed87b9b3..36964b86d336d 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -873,6 +873,8 @@ struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
+                                       u64 timeout, u64 expiration, gfp_t gfp);
+ int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
+                           struct nft_expr *expr_array[]);
++void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
++                             struct nft_set_elem_expr *elem_expr);
+ void nft_set_elem_destroy(const struct nft_set *set,
+                         const struct nft_elem_priv *elem_priv,
+                         bool destroy_expr);
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 268d00ffee0cb..0c12560e94f3b 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6637,8 +6637,8 @@ static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+       }
+ }
+-static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+-                                    struct nft_set_elem_expr *elem_expr)
++void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
++                             struct nft_set_elem_expr *elem_expr)
+ {
+       struct nft_expr *expr;
+       u32 size;
+diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
+index e24493d9e7761..0b3c4f6a8decd 100644
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -30,18 +30,26 @@ static int nft_dynset_expr_setup(const struct nft_dynset *priv,
+                                const struct nft_set_ext *ext)
+ {
+       struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
++      struct nft_ctx ctx = {
++              .net    = read_pnet(&priv->set->net),
++              .family = priv->set->table->family,
++      };
+       struct nft_expr *expr;
+       int i;
+       for (i = 0; i < priv->num_exprs; i++) {
+               expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
+               if (nft_expr_clone(expr, priv->expr_array[i], GFP_ATOMIC) < 0)
+-                      return -1;
++                      goto err_out;
+               elem_expr->size += priv->expr_array[i]->ops->size;
+       }
+       return 0;
++err_out:
++      nft_set_elem_expr_destroy(&ctx, elem_expr);
++
++      return -1;
+ }
+ static struct nft_elem_priv *nft_dynset_new(struct nft_set *set,
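Review bot: The `ctx` handed to nft_set_elem_expr_destroy() on the error path is initialized with only `.net` and `.family`; every other field (table, chain, and so on) is zero, so this relies on the destroy/destroy_clone callback of every stateful expression never dereferencing them, and on those callbacks being safe in the atomic packet-path context this setup runs in (the clone itself uses GFP_ATOMIC). Neither property is visible in the hunk, so a comment at the initializer would make the contract explicit: `/* Minimal ctx: expression destroy callbacks must only use net/family and must not sleep (we are in the packet path). */`. It is also worth a one-line comment at `err_out` that only the expressions cloned so far are released, because `elem_expr->size` is advanced only after each successful clone. nft_dynset_expr_setup()'s signature starts outside the hunk.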
+-- 
+2.51.0
+
diff --git a/queue-6.12/nfnetlink_osf-validate-individual-option-lengths-in-.patch b/queue-6.12/nfnetlink_osf-validate-individual-option-lengths-in-.patch
new file mode 100644 (file)
index 0000000..719ff39
--- /dev/null
@@ -0,0 +1,83 @@
+From 9bd3c66765e7003ae49bc8c1b4abc6b1086b6468 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 15:32:44 +0800
+Subject: nfnetlink_osf: validate individual option lengths in fingerprints
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit dbdfaae9609629a9569362e3b8f33d0a20fd783c ]
+
+nfnl_osf_add_callback() validates opt_num bounds and string
+NUL-termination but does not check individual option length fields.
+A zero-length option causes nf_osf_match_one() to enter the option
+matching loop even when foptsize sums to zero, which matches packets
+with no TCP options where ctx->optp is NULL:
+
+ Oops: general protection fault
+ KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
+ Call Trace:
+  nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
+  xt_osf_match_packet (net/netfilter/xt_osf.c:32)
+  ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
+  nf_hook_slow (net/netfilter/core.c:623)
+  ip_local_deliver (net/ipv4/ip_input.c:262)
+  ip_rcv (net/ipv4/ip_input.c:573)
+
+Additionally, an MSS option (kind=2) with length < 4 causes
+out-of-bounds reads when nf_osf_match_one() unconditionally accesses
+optp[2] and optp[3] for MSS value extraction.  While RFC 9293
+section 3.2 specifies that the MSS option is always exactly 4
+bytes (Kind=2, Length=4), the check uses "< 4" rather than
+"!= 4" because lengths greater than 4 do not cause memory
+safety issues -- the buffer is guaranteed to be at least
+foptsize bytes by the ctx->optsize == foptsize check.
+
+Reject fingerprints where any option has zero length, or where an MSS
+option has length less than 4, at add time rather than trusting these
+values in the packet matching hot path.
+
+Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_osf.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
+index c0fc431991e88..9fc9544d4bc53 100644
+--- a/net/netfilter/nfnetlink_osf.c
++++ b/net/netfilter/nfnetlink_osf.c
+@@ -302,7 +302,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
+ {
+       struct nf_osf_user_finger *f;
+       struct nf_osf_finger *kf = NULL, *sf;
++      unsigned int tot_opt_len = 0;
+       int err = 0;
++      int i;
+       if (!capable(CAP_NET_ADMIN))
+               return -EPERM;
+@@ -318,6 +320,17 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
+       if (f->opt_num > ARRAY_SIZE(f->opt))
+               return -EINVAL;
++      for (i = 0; i < f->opt_num; i++) {
++              if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
++                      return -EINVAL;
++              if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)
++                      return -EINVAL;
++
++              tot_opt_len += f->opt[i].length;
++              if (tot_opt_len > MAX_IPOPTLEN)
++                      return -EINVAL;
++      }
++
+       if (!memchr(f->genre, 0, MAXGENRELEN) ||
+           !memchr(f->subtype, 0, MAXGENRELEN) ||
+           !memchr(f->version, 0, MAXGENRELEN))
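Review bot: The bounds at `f->opt[i].length > MAX_IPOPTLEN` and `tot_opt_len > MAX_IPOPTLEN` limit TCP option space but are spelled with the IP-options constant; MAX_TCPOPTLEN (also 40) names the intent and would not silently diverge if either definition changed, assuming <net/tcp.h> is already included by this file. Keep the per-option check even though the running total looks like it covers it: capping each length first is what stops `tot_opt_len` from wrapping before the total check sees it, whatever the width of the `length` field (not visible in the hunk). A one-line comment such as `/* TCP option space is at most 40 bytes; per-option cap also keeps tot_opt_len from wrapping */` would record that. nfnl_osf_add_callback() continues outside the hunk.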
+-- 
+2.51.0
+
diff --git a/queue-6.12/pm-runtime-fix-a-race-condition-related-to-device-re.patch b/queue-6.12/pm-runtime-fix-a-race-condition-related-to-device-re.patch
new file mode 100644 (file)
index 0000000..60a40c1
--- /dev/null
@@ -0,0 +1,126 @@
+From a75bd5b4dce083f09369c8319e903be57a0ff68f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 11:27:20 -0700
+Subject: PM: runtime: Fix a race condition related to device removal
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 29ab768277617452d88c0607c9299cdc63b6e9ff ]
+
+The following code in pm_runtime_work() may dereference the dev->parent
+pointer after the parent device has been freed:
+
+       /* Maybe the parent is now able to suspend. */
+       if (parent && !parent->power.ignore_children) {
+               spin_unlock(&dev->power.lock);
+
+               spin_lock(&parent->power.lock);
+               rpm_idle(parent, RPM_ASYNC);
+               spin_unlock(&parent->power.lock);
+
+               spin_lock(&dev->power.lock);
+       }
+
+Fix this by inserting a flush_work() call in pm_runtime_remove().
+
+Without this patch blktest block/001 triggers the following complaint
+sporadically:
+
+BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160
+Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081
+Workqueue: pm pm_runtime_work
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x61/0x80
+ print_address_description.constprop.0+0x8b/0x310
+ print_report+0xfd/0x1d7
+ kasan_report+0xd8/0x1d0
+ __kasan_check_byte+0x42/0x60
+ lock_acquire.part.0+0x38/0x230
+ lock_acquire+0x70/0x160
+ _raw_spin_lock+0x36/0x50
+ rpm_suspend+0xc6a/0xfe0
+ rpm_idle+0x578/0x770
+ pm_runtime_work+0xee/0x120
+ process_one_work+0xde3/0x1410
+ worker_thread+0x5eb/0xfe0
+ kthread+0x37b/0x480
+ ret_from_fork+0x6cb/0x920
+ ret_from_fork_asm+0x11/0x20
+ </TASK>
+
+Allocated by task 4314:
+ kasan_save_stack+0x2a/0x50
+ kasan_save_track+0x18/0x40
+ kasan_save_alloc_info+0x3d/0x50
+ __kasan_kmalloc+0xa0/0xb0
+ __kmalloc_noprof+0x311/0x990
+ scsi_alloc_target+0x122/0xb60 [scsi_mod]
+ __scsi_scan_target+0x101/0x460 [scsi_mod]
+ scsi_scan_channel+0x179/0x1c0 [scsi_mod]
+ scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]
+ store_scan+0x2d2/0x390 [scsi_mod]
+ dev_attr_store+0x43/0x80
+ sysfs_kf_write+0xde/0x140
+ kernfs_fop_write_iter+0x3ef/0x670
+ vfs_write+0x506/0x1470
+ ksys_write+0xfd/0x230
+ __x64_sys_write+0x76/0xc0
+ x64_sys_call+0x213/0x1810
+ do_syscall_64+0xee/0xfc0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Freed by task 4314:
+ kasan_save_stack+0x2a/0x50
+ kasan_save_track+0x18/0x40
+ kasan_save_free_info+0x3f/0x50
+ __kasan_slab_free+0x67/0x80
+ kfree+0x225/0x6c0
+ scsi_target_dev_release+0x3d/0x60 [scsi_mod]
+ device_release+0xa3/0x220
+ kobject_cleanup+0x105/0x3a0
+ kobject_put+0x72/0xd0
+ put_device+0x17/0x20
+ scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]
+ device_release+0xa3/0x220
+ kobject_cleanup+0x105/0x3a0
+ kobject_put+0x72/0xd0
+ put_device+0x17/0x20
+ scsi_device_put+0x7f/0xc0 [scsi_mod]
+ sdev_store_delete+0xa5/0x120 [scsi_mod]
+ dev_attr_store+0x43/0x80
+ sysfs_kf_write+0xde/0x140
+ kernfs_fop_write_iter+0x3ef/0x670
+ vfs_write+0x506/0x1470
+ ksys_write+0xfd/0x230
+ __x64_sys_write+0x76/0xc0
+ x64_sys_call+0x213/0x1810
+
+Reported-by: Ming Lei <ming.lei@redhat.com>
+Closes: https://lore.kernel.org/all/ZxdNvLNI8QaOfD2d@fedora/
+Reported-by: syzbot+6c905ab800f20cf4086c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68c13942.050a0220.2ff435.000b.GAE@google.com/
+Fixes: 5e928f77a09a ("PM: Introduce core framework for run-time PM of I/O devices (rev. 17)")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20260312182720.2776083-1-bvanassche@acm.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/runtime.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
+index 425c44f1e4d31..167ff6f7a3fec 100644
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -1856,6 +1856,7 @@ void pm_runtime_reinit(struct device *dev)
+ void pm_runtime_remove(struct device *dev)
+ {
+       __pm_runtime_disable(dev, false);
++      flush_work(&dev->power.work);
+       pm_runtime_reinit(dev);
+ }
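Review bot: `flush_work(&dev->power.work)` is added without a comment, and the reason is not obvious next to `__pm_runtime_disable()`, which presumably already acts as a barrier for pending requests; the distinction, as far as the commit message shows, is that a pm_runtime_work() instance already executing — and about to touch `dev->parent` — is not covered by cancelling a still-pending request, so an explicit wait is needed before the device goes away. Suggest `/* Wait for an in-flight pm_runtime_work(), which may still dereference dev->parent, before the device is torn down. */` above the call. flush_work() must not be called with dev->power.lock held or from the work itself; that is presumably true for pm_runtime_remove()'s callers (device removal, process context), but it is worth confirming. pm_runtime_remove() is fully visible in this hunk.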
+-- 
+2.51.0
+
diff --git a/queue-6.12/sched-idle-consolidate-the-handling-of-two-special-c.patch b/queue-6.12/sched-idle-consolidate-the-handling-of-two-special-c.patch
new file mode 100644 (file)
index 0000000..36fbb33
--- /dev/null
@@ -0,0 +1,133 @@
+From 07b25d52b75d321b66c7dde40d431b4ab65a503a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 13:25:41 +0100
+Subject: sched: idle: Consolidate the handling of two special cases
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit f4c31b07b136839e0fb3026f8a5b6543e3b14d2f ]
+
+There are two special cases in the idle loop that are handled
+inconsistently even though they are analogous.
+
+The first one is when a cpuidle driver is absent and the default CPU
+idle time power management implemented by the architecture code is used.
+In that case, the scheduler tick is stopped every time before invoking
+default_idle_call().
+
+The second one is when a cpuidle driver is present, but there is only
+one idle state in its table.  In that case, the scheduler tick is never
+stopped at all.
+
+Since each of these approaches has its drawbacks, reconcile them with
+the help of one simple heuristic.  Namely, stop the tick if the CPU has
+been woken up by it in the previous iteration of the idle loop, or let
+it tick otherwise.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Christian Loehle <christian.loehle@arm.com>
+Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
+Reviewed-by: Qais Yousef <qyousef@layalina.io>
+Reviewed-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
+Fixes: ed98c3491998 ("sched: idle: Do not stop the tick before cpuidle_idle_call()")
+[ rjw: Added Fixes tag, changelog edits ]
+Link: https://patch.msgid.link/4741364.LvFx2qVVIh@rafael.j.wysocki
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/idle.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c
+index b6a072a323a44..1f0f0d9a5a5cf 100644
+--- a/kernel/sched/idle.c
++++ b/kernel/sched/idle.c
+@@ -155,6 +155,14 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev,
+       return cpuidle_enter(drv, dev, next_state);
+ }
++static void idle_call_stop_or_retain_tick(bool stop_tick)
++{
++      if (stop_tick || tick_nohz_tick_stopped())
++              tick_nohz_idle_stop_tick();
++      else
++              tick_nohz_idle_retain_tick();
++}
++
+ /**
+  * cpuidle_idle_call - the main idle function
+  *
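Review bot: idle_call_stop_or_retain_tick() is a new helper with no comment, while its sibling `call_cpuidle()` above and `cpuidle_idle_call()` below both carry kernel-doc; since the helper now decides tick behavior at three call sites, it deserves a short header: `/* Stop the tick if the caller asks for it or it is already stopped; otherwise keep it running. */`. The meaning of the argument at the two non-governor call sites — whether the previous idle period was ended by the tick — is only visible in do_idle(), so naming that in the comment would help readers of this function. The helper is fully visible here; the remaining hunks change its callers.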
+@@ -164,7 +172,7 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev,
+  * set, and it returns with polling set.  If it ever stops polling, it
+  * must clear the polling bit.
+  */
+-static void cpuidle_idle_call(void)
++static void cpuidle_idle_call(bool stop_tick)
+ {
+       struct cpuidle_device *dev = cpuidle_get_device();
+       struct cpuidle_driver *drv = cpuidle_get_cpu_driver(dev);
+@@ -180,7 +188,7 @@ static void cpuidle_idle_call(void)
+       }
+       if (cpuidle_not_available(drv, dev)) {
+-              tick_nohz_idle_stop_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               default_idle_call();
+               goto exit_idle;
+@@ -215,17 +223,19 @@ static void cpuidle_idle_call(void)
+               next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns);
+               call_cpuidle(drv, dev, next_state);
+       } else if (drv->state_count > 1) {
+-              bool stop_tick = true;
++              /*
++               * stop_tick is expected to be true by default by cpuidle
++               * governors, which allows them to select idle states with
++               * target residency above the tick period length.
++               */
++              stop_tick = true;
+               /*
+                * Ask the cpuidle framework to choose a convenient idle state.
+                */
+               next_state = cpuidle_select(drv, dev, &stop_tick);
+-              if (stop_tick || tick_nohz_tick_stopped())
+-                      tick_nohz_idle_stop_tick();
+-              else
+-                      tick_nohz_idle_retain_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               entered_state = call_cpuidle(drv, dev, next_state);
+               /*
+@@ -233,7 +243,7 @@ static void cpuidle_idle_call(void)
+                */
+               cpuidle_reflect(dev, entered_state);
+       } else {
+-              tick_nohz_idle_retain_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               /*
+                * If there is only a single idle state (or none), there is
+@@ -261,6 +271,7 @@ static void cpuidle_idle_call(void)
+ static void do_idle(void)
+ {
+       int cpu = smp_processor_id();
++      bool got_tick = false;
+       /*
+        * Check if we need to update blocked load
+@@ -332,8 +343,9 @@ static void do_idle(void)
+                       tick_nohz_idle_restart_tick();
+                       cpu_idle_poll();
+               } else {
+-                      cpuidle_idle_call();
++                      cpuidle_idle_call(got_tick);
+               }
++              got_tick = tick_nohz_idle_got_tick();
+               arch_cpu_idle_exit();
+       }
+-- 
+2.51.0
+
index 8ef05305c0250bdf2971f093b345ad049a643fc0..62bb07a345a057723e157fb8d5ad7a7480ccec4e 100644 (file)
@@ -363,3 +363,71 @@ drm-xe-open-code-ggtt-mmio-access-protection.patch
 bluetooth-l2cap-fix-accepting-multiple-l2cap_ecred_conn_req.patch
 ata-libata-scsi-return-residual-for-emulated-scsi-commands.patch
 ata-libata-scsi-report-correct-sense-field-pointer-in-ata_scsiop_maint_in.patch
+btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch
+btrfs-tree-checker-fix-misleading-root-drop_level-er.patch
+soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch
+cache-starfive-fix-device-node-leak-in-starlink_cach.patch
+cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch
+soc-rockchip-grf-add-missing-of_node_put-when-return.patch
+soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
+soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch
+wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch
+wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
+arm64-dts-renesas-r9a09g057-add-rtc-node.patch
+arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch
+firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch
+firmware-arm_scpi-fix-device_node-reference-leak-in-.patch
+bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
+bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
+bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
+bluetooth-iso-fix-defer-tests-being-unstable.patch
+bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch
+bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch
+bluetooth-hidp-fix-possible-uaf.patch
+bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch
+bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch
+bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch
+net-rose-fix-null-pointer-dereference-in-rose_transm.patch
+mpls-add-missing-unregister_netdevice_notifier-to-mp.patch
+netfilter-ctnetlink-remove-refcounting-in-expectatio.patch
+netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
+netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
+netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
+nf_tables-nft_dynset-fix-possible-stateful-expressio.patch
+netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch
+netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
+netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
+netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
+net-bcmgenet-increase-wol-poll-timeout.patch
+net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch
+sched-idle-consolidate-the-handling-of-two-special-c.patch
+pm-runtime-fix-a-race-condition-related-to-device-re.patch
+bonding-prevent-potential-infinite-loop-in-bond_head.patch
+net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch
+net-sched-teql-fix-double-free-in-teql_master_xmit.patch
+net-airoha-read-default-pse-reserved-pages-value-bef.patch
+net-airoha-fix-pse-memory-configuration-in-airoha_fe.patch
+net-airoha-read-completion-queue-data-in-airoha_qdma.patch
+net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch
+net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch
+net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch
+clsact-fix-use-after-free-in-init-destroy-rollback-a.patch
+net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
+igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch
+igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch
+iavf-fix-vlan-filter-lost-on-add-delete-race.patch
+wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
+wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
+acpi-processor-fix-previous-acpi_processor_errata_pi.patch
+net-macb-fix-uninitialized-rx_fs_lock.patch
+net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch
+net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch
+net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch
+udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
+net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
+netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch
+netfilter-nf_tables-release-flowtable-after-rcu-grac.patch
+nfnetlink_osf-validate-individual-option-lengths-in-.patch
+net-mvpp2-guard-flow-control-update-with-global_tx_f.patch
+net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
+icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
diff --git a/queue-6.12/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch b/queue-6.12/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch
new file mode 100644 (file)
index 0000000..5421230
--- /dev/null
@@ -0,0 +1,42 @@
+From 2be19b8c4b8d98196b5b36f96f1a98547c9ec7b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Feb 2026 09:59:04 +0800
+Subject: soc: fsl: cpm1: qmc: Fix error check for devm_ioremap_resource() in
+ qmc_qe_init_resources()
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+[ Upstream commit 3f4e403304186d79fddace860360540fc3af97f9 ]
+
+Fix wrong variable used for error checking after devm_ioremap_resource()
+call. The function checks qmc->scc_pram instead of qmc->dpram, which
+could lead to incorrect error handling.
+
+Fixes: eb680d563089 ("soc: fsl: cpm1: qmc: Add support for QUICC Engine (QE) implementation")
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Acked-by: Herve Codina <herve.codina@bootlin.com>
+Link: https://lore.kernel.org/r/20260209015904.871269-1-nichen@iscas.ac.cn
+Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qe/qmc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/fsl/qe/qmc.c b/drivers/soc/fsl/qe/qmc.c
+index 36c0ccc06151f..cc7032a0ad8c3 100644
+--- a/drivers/soc/fsl/qe/qmc.c
++++ b/drivers/soc/fsl/qe/qmc.c
+@@ -1777,8 +1777,8 @@ static int qmc_qe_init_resources(struct qmc *qmc, struct platform_device *pdev)
+               return -EINVAL;
+       qmc->dpram_offset = res->start - qe_muram_dma(qe_muram_addr(0));
+       qmc->dpram = devm_ioremap_resource(qmc->dev, res);
+-      if (IS_ERR(qmc->scc_pram))
+-              return PTR_ERR(qmc->scc_pram);
++      if (IS_ERR(qmc->dpram))
++              return PTR_ERR(qmc->dpram);
+       return 0;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.12/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch b/queue-6.12/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
new file mode 100644 (file)
index 0000000..15af9aa
--- /dev/null
@@ -0,0 +1,92 @@
+From 4a004ad3f18e76733b0e19d1d3323a4860188b96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 08:25:49 +0100
+Subject: soc: fsl: qbman: fix race condition in qman_destroy_fq
+
+From: Richard Genoud <richard.genoud@bootlin.com>
+
+[ Upstream commit 014077044e874e270ec480515edbc1cadb976cf2 ]
+
+When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between
+fq_table[fq->idx] state and freeing/allocating from the pool and
+WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.
+
+Indeed, we can have:
+         Thread A                             Thread B
+    qman_destroy_fq()                    qman_create_fq()
+      qman_release_fqid()
+        qman_shutdown_fq()
+        gen_pool_free()
+           -- At this point, the fqid is available again --
+                                           qman_alloc_fqid()
+           -- so, we can get the just-freed fqid in thread B --
+                                           fq->fqid = fqid;
+                                           fq->idx = fqid * 2;
+                                           WARN_ON(fq_table[fq->idx]);
+                                           fq_table[fq->idx] = fq;
+     fq_table[fq->idx] = NULL;
+
+And adding some logs between qman_release_fqid() and
+fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.
+
+To prevent that, ensure that fq_table[fq->idx] is set to NULL before
+gen_pool_free() is called by using smp_wmb().
+
+Fixes: c535e923bb97 ("soc/fsl: Introduce DPAA 1.x QMan device driver")
+Signed-off-by: Richard Genoud <richard.genoud@bootlin.com>
+Tested-by: CHAMPSEIX Thomas <thomas.champseix@alstomgroup.com>
+Link: https://lore.kernel.org/r/20251223072549.397625-1-richard.genoud@bootlin.com
+Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qbman/qman.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
+index 4dc8aba33d9b7..0791b41913383 100644
+--- a/drivers/soc/fsl/qbman/qman.c
++++ b/drivers/soc/fsl/qbman/qman.c
+@@ -1827,6 +1827,8 @@ EXPORT_SYMBOL(qman_create_fq);
+ void qman_destroy_fq(struct qman_fq *fq)
+ {
++      int leaked;
++
+       /*
+        * We don't need to lock the FQ as it is a pre-condition that the FQ be
+        * quiesced. Instead, run some checks.
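Review bot: `int leaked;` is declared without an initializer, and on the non-dynamic-FQID path it is never assigned; the later `fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) && !leaked` reads it only behind the same flag test, so it is not a real uninitialized read, but the compiler cannot see that the two fq_isset() calls agree and may warn, and a reader has to reconstruct the invariant. Initialize it at the declaration, `int leaked = 0;`, so the later test is obviously safe. qman_destroy_fq() continues past this hunk.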
+@@ -1834,11 +1836,29 @@ void qman_destroy_fq(struct qman_fq *fq)
+       switch (fq->state) {
+       case qman_fq_state_parked:
+       case qman_fq_state_oos:
+-              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))
+-                      qman_release_fqid(fq->fqid);
++              /*
++               * There's a race condition here on releasing the fqid,
++               * setting the fq_table to NULL, and freeing the fqid.
++               * To prevent it, this order should be respected:
++               */
++              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) {
++                      leaked = qman_shutdown_fq(fq->fqid);
++                      if (leaked)
++                              pr_debug("FQID %d leaked\n", fq->fqid);
++              }
+               DPAA_ASSERT(fq_table[fq->idx]);
+               fq_table[fq->idx] = NULL;
++
++              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) && !leaked) {
++                      /*
++                       * fq_table[fq->idx] should be set to null before
++                       * freeing fq->fqid otherwise it could by allocated by
++                       * qman_alloc_fqid() while still being !NULL
++                       */
++                      smp_wmb();
++                      gen_pool_free(qm_fqalloc, fq->fqid | DPAA_GENALLOC_OFF, 1);
++              }
+               return;
+       default:
+               break;
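Review bot: The `smp_wmb()` orders the `fq_table[fq->idx] = NULL` store before the gen_pool_free() store, but the comment does not say what it pairs with on the reader side; in qman_create_fq() the fqid comes from gen_pool_alloc() and the WARN_ON() read of fq_table follows it, and a write barrier alone only helps if that path provides the matching read/acquire ordering (presumably via the atomic bitmap update inside gen_pool_alloc(), which is not visible here). Name the pairing in the comment, e.g. `/* Pairs with the fqid allocation in qman_create_fq(): the NULL store must be visible before the fqid can be handed out again. */`, and fix the typo on the existing comment line, "could by allocated" → "could be allocated". The `!leaked` read in the second condition is safe only because it sits behind the same fq_isset() test as the assignment; keeping that ordering is part of the invariant. qman_destroy_fq() starts before this hunk.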
+-- 
+2.51.0
+
diff --git a/queue-6.12/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch b/queue-6.12/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch
new file mode 100644 (file)
index 0000000..75e7880
--- /dev/null
@@ -0,0 +1,70 @@
+From 97b7353e19f312177103ffad92e206b5b3de7ab9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Dec 2025 12:48:36 +0000
+Subject: soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 5a741f8cc6fe62542f955cd8d24933a1b6589cbd ]
+
+In mpfs_sys_controller_probe(), if of_get_mtd_device_by_node() fails,
+the function returns immediately without freeing the allocated memory
+for sys_controller, leading to a memory leak.
+
+Fix this by jumping to the out_free label to ensure the memory is
+properly freed.
+
+Also, consolidate the error handling for the mbox_request_channel()
+failure case to use the same label.
+
+Fixes: 742aa6c563d2 ("soc: microchip: mpfs: enable access to the system controller's flash")
+Co-developed-by: Jianhao Xu <jianhao.xu@seu.edu.cn>
+Signed-off-by: Jianhao Xu <jianhao.xu@seu.edu.cn>
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/microchip/mpfs-sys-controller.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/soc/microchip/mpfs-sys-controller.c b/drivers/soc/microchip/mpfs-sys-controller.c
+index 30bc45d17d343..81636cfecd37e 100644
+--- a/drivers/soc/microchip/mpfs-sys-controller.c
++++ b/drivers/soc/microchip/mpfs-sys-controller.c
+@@ -142,8 +142,10 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev)
+       sys_controller->flash = of_get_mtd_device_by_node(np);
+       of_node_put(np);
+-      if (IS_ERR(sys_controller->flash))
+-              return dev_err_probe(dev, PTR_ERR(sys_controller->flash), "Failed to get flash\n");
++      if (IS_ERR(sys_controller->flash)) {
++              ret = dev_err_probe(dev, PTR_ERR(sys_controller->flash), "Failed to get flash\n");
++              goto out_free;
++      }
+ no_flash:
+       sys_controller->client.dev = dev;
+@@ -155,8 +157,7 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev)
+       if (IS_ERR(sys_controller->chan)) {
+               ret = dev_err_probe(dev, PTR_ERR(sys_controller->chan),
+                                   "Failed to get mbox channel\n");
+-              kfree(sys_controller);
+-              return ret;
++              goto out_free;
+       }
+       init_completion(&sys_controller->c);
+@@ -174,6 +175,10 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev)
+       dev_info(&pdev->dev, "Registered MPFS system controller\n");
+       return 0;
++
++out_free:
++      kfree(sys_controller);
++      return ret;
+ }
+ static void mpfs_sys_controller_remove(struct platform_device *pdev)
+-- 
+2.51.0
+
diff --git a/queue-6.12/soc-rockchip-grf-add-missing-of_node_put-when-return.patch b/queue-6.12/soc-rockchip-grf-add-missing-of_node_put-when-return.patch
new file mode 100644 (file)
index 0000000..f5e49e6
--- /dev/null
@@ -0,0 +1,39 @@
+From 892c451632fb09279171cc8961b57fddf07afca4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Feb 2026 21:02:37 +0800
+Subject: soc: rockchip: grf: Add missing of_node_put() when returning
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+[ Upstream commit 24ed11ee5bacf9a9aca18fc6b47667c7f38d578b ]
+
+Fix the smatch checking:
+drivers/soc/rockchip/grf.c:249 rockchip_grf_init()
+warn: inconsistent refcounting 'np->kobj.kref.refcount.refs.counter':
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Fixes: 75fb63ae0312 ("soc: rockchip: grf: Support multiple grf to be handled")
+Closes: https://lore.kernel.org/all/aYXvgTcUJWQL2can@stanley.mountain/
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Link: https://patch.msgid.link/1770814957-17762-1-git-send-email-shawn.lin@rock-chips.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/rockchip/grf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/rockchip/grf.c b/drivers/soc/rockchip/grf.c
+index dddfe349b3da3..6fd02220abf1d 100644
+--- a/drivers/soc/rockchip/grf.c
++++ b/drivers/soc/rockchip/grf.c
+@@ -217,6 +217,7 @@ static int __init rockchip_grf_init(void)
+               grf = syscon_node_to_regmap(np);
+               if (IS_ERR(grf)) {
+                       pr_err("%s: could not get grf syscon\n", __func__);
++                      of_node_put(np);
+                       return PTR_ERR(grf);
+               }
+-- 
+2.51.0
+
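Review bot: The added `of_node_put(np)` covers only the `IS_ERR(grf)` return, and rockchip_grf_init() starts and ends outside this hunk, so it is not visible here whether the enclosing iteration has other early exits that would also leave the iterator's reference held; if it does, they need the same release, or a single `goto` to one put. A short comment on the new line would help the next reader see why the put is needed on this path, e.g. `/* drop the iterator's reference before leaving the loop early */`.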
diff --git a/queue-6.12/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch b/queue-6.12/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
new file mode 100644 (file)
index 0000000..bf31992
--- /dev/null
@@ -0,0 +1,64 @@
+From 6db3c182ace290adfe770e64749dc44e69a8df6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 18:02:41 -0700
+Subject: udp_tunnel: fix NULL deref caused by udp_sock_create6 when
+ CONFIG_IPV6=n
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit b3a6df291fecf5f8a308953b65ca72b7fc9e015d ]
+
+When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0
+(success) without actually creating a socket. Callers such as
+fou_create() then proceed to dereference the uninitialized socket
+pointer, resulting in a NULL pointer dereference.
+
+The captured NULL deref crash:
+  BUG: kernel NULL pointer dereference, address: 0000000000000018
+  RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)
+  [...]
+  Call Trace:
+    <TASK>
+    genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)
+    genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)
+    [...]
+    netlink_rcv_skb (net/netlink/af_netlink.c:2550)
+    genl_rcv (net/netlink/genetlink.c:1219)
+    netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
+    netlink_sendmsg (net/netlink/af_netlink.c:1894)
+    __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))
+    __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))
+    __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))
+    do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+    entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)
+
+This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so
+callers correctly take their error paths. There is only one caller of
+the vulnerable function and only privileged users can trigger it.
+
+Fixes: fd384412e199b ("udp_tunnel: Seperate ipv6 functions into its own file.")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260317010241.1893893-1-xmei5@asu.edu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/udp_tunnel.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
+index a93dc51f6323e..6e2c5c77031f0 100644
+--- a/include/net/udp_tunnel.h
++++ b/include/net/udp_tunnel.h
+@@ -47,7 +47,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+ static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+                                  struct socket **sockp)
+ {
+-      return 0;
++      return -EPFNOSUPPORT;
+ }
+ #endif
+-- 
+2.51.0
+
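Review bot: The `CONFIG_IPV6=n` stub now fails, but it leaves `*sockp` untouched, so a caller that inspects the socket pointer instead of the return code would still see whatever it held before; the description says callers are expected to act on the non-zero return, which the stub itself does not document. A comment on the return would record the intent, e.g. `/* IPv6 compiled out: fail so callers take their error path instead of using an unset *sockp */`. It may also be worth stating in that comment why `-EPFNOSUPPORT` was chosen over `-EAFNOSUPPORT`, since both exist and the distinction will otherwise be re-litigated.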
diff --git a/queue-6.12/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch b/queue-6.12/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
new file mode 100644 (file)
index 0000000..5d765e4
--- /dev/null
@@ -0,0 +1,51 @@
+From 81bcecfece0af83f8a5326f8bbd4dd7a8531c057 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 21:36:59 +0530
+Subject: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
+
+From: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
+
+[ Upstream commit 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 ]
+
+When the nl80211 socket that originated a PMSR request is
+closed, cfg80211_release_pmsr() sets the request's nl_portid
+to zero and schedules pmsr_free_wk to process the abort
+asynchronously. If the interface is concurrently torn down
+before that work runs, cfg80211_pmsr_wdev_down() calls
+cfg80211_pmsr_process_abort() directly. However, the already-
+scheduled pmsr_free_wk work item remains pending and may run
+after the interface has been removed from the driver. This
+could cause the driver's abort_pmsr callback to operate on a
+torn-down interface, leading to undefined behavior and
+potential crashes.
+
+Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()
+before calling cfg80211_pmsr_process_abort(). This ensures any
+pending or in-progress work is drained before interface teardown
+proceeds, preventing the work from invoking the driver abort
+callback after the interface is gone.
+
+Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API")
+Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260305160712.1263829-3-peddolla.reddy@oss.qualcomm.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/pmsr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c
+index 0396fa19bdf19..d2b61b6ba58db 100644
+--- a/net/wireless/pmsr.c
++++ b/net/wireless/pmsr.c
+@@ -647,6 +647,7 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev)
+       }
+       spin_unlock_bh(&wdev->pmsr_lock);
++      cancel_work_sync(&wdev->pmsr_free_wk);
+       if (found)
+               cfg80211_pmsr_process_abort(wdev);
+-- 
+2.51.0
+
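Review bot: `cancel_work_sync()` can sleep, so placing it after `spin_unlock_bh(&wdev->pmsr_lock)` is a requirement rather than an incidental ordering, and a comment would keep a later edit from moving it back under the lock. Suggested: `/* cfg80211_release_pmsr() may have queued pmsr_free_wk; drain it here (may sleep, so outside pmsr_lock) so it cannot call the driver's abort_pmsr after the wdev is torn down */`. Whether pmsr_free_wk itself takes pmsr_lock is not visible in the hunk; if it does, this ordering also avoids a self-deadlock. cfg80211_pmsr_wdev_down() starts outside the hunk.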
diff --git a/queue-6.12/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch b/queue-6.12/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
new file mode 100644 (file)
index 0000000..a345d83
--- /dev/null
@@ -0,0 +1,81 @@
+From b907e6dc6112526633836dcb180a9bf02a49ede5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 20:42:44 -0700
+Subject: wifi: mac80211: fix NULL deref in mesh_matches_local()
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd ]
+
+mesh_matches_local() unconditionally dereferences ie->mesh_config to
+compare mesh configuration parameters. When called from
+mesh_rx_csa_frame(), the parsed action-frame elements may not contain a
+Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a
+kernel NULL pointer dereference.
+
+The other two callers are already safe:
+  - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before
+    calling mesh_matches_local()
+  - mesh_plink_get_event() is only reached through
+    mesh_process_plink_frame(), which checks !elems->mesh_config, too
+
+mesh_rx_csa_frame() is the only caller that passes raw parsed elements
+to mesh_matches_local() without guarding mesh_config. An adjacent
+attacker can exploit this by sending a crafted CSA action frame that
+includes a valid Mesh ID IE but omits the Mesh Configuration IE,
+crashing the kernel.
+
+The captured crash log:
+
+Oops: general protection fault, probably for non-canonical address ...
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+Workqueue: events_unbound cfg80211_wiphy_work
+[...]
+Call Trace:
+ <TASK>
+ ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
+ ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
+ [...]
+ ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
+ [...]
+ cfg80211_wiphy_work (net/wireless/core.c:426)
+ process_one_work (net/kernel/workqueue.c:3280)
+ ? assign_work (net/kernel/workqueue.c:1219)
+ worker_thread (net/kernel/workqueue.c:3352)
+ ? __pfx_worker_thread (net/kernel/workqueue.c:3385)
+ kthread (net/kernel/kthread.c:436)
+ [...]
+ ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
+ </TASK>
+
+This patch adds a NULL check for ie->mesh_config at the top of
+mesh_matches_local() to return false early when the Mesh Configuration
+IE is absent.
+
+Fixes: 2e3c8736820b ("mac80211: support functions for mesh")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260318034244.2595020-1-xmei5@asu.edu
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index 00bdf36e333e2..253f4b0642842 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -78,6 +78,9 @@ bool mesh_matches_local(struct ieee80211_sub_if_data *sdata,
+        *   - MDA enabled
+        * - Power management control on fc
+        */
++      if (!ie->mesh_config)
++              return false;
++
+       if (!(ifmsh->mesh_id_len == ie->mesh_id_len &&
+            memcmp(ifmsh->mesh_id, ie->mesh_id, ie->mesh_id_len) == 0 &&
+            (ifmsh->mesh_pp_id == ie->mesh_config->meshconf_psel) &&
+-- 
+2.51.0
+
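Review bot: The new guard sits directly after the comment block that lists the match criteria, so a reader sees the criteria and then an unexplained early return; a one-line comment on the guard would tie it to the CSA path, e.g. `/* mesh_rx_csa_frame() passes raw parsed elems; a CSA action frame may carry a Mesh ID but no Mesh Configuration IE */`. The guard protects `ie->mesh_config` only, while `ie->mesh_id` is still dereferenced by the `memcmp()` below when the lengths match; that is presumably safe because the caller already required a Mesh ID IE, but that assumption is not visible here. mesh_matches_local() starts and ends outside the hunk.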
diff --git a/queue-6.12/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch b/queue-6.12/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch
new file mode 100644 (file)
index 0000000..7f50365
--- /dev/null
@@ -0,0 +1,112 @@
+From 574490de9b78c0211a5c5636bfa907d18c33bc32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Mar 2026 07:24:02 +0000
+Subject: wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit b94ae8e0d5fe1bdbbfdc3854ff6ce98f6876a828 ]
+
+syzbot reported static_branch_dec() underflow in aql_enable_write(). [0]
+
+The problem is that aql_enable_write() does not serialise concurrent
+write()s to the debugfs.
+
+aql_enable_write() checks static_key_false(&aql_disable.key) and
+later calls static_branch_inc() or static_branch_dec(), but the
+state may change between the two calls.
+
+aql_disable does not need to track inc/dec.
+
+Let's use static_branch_enable() and static_branch_disable().
+
+[0]:
+val == 0
+WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288
+Modules linked in:
+CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G     U       L      syzkaller #0 PREEMPT(full)
+Tainted: [U]=USER, [L]=SOFTLOCKUP
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
+RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311
+Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00
+RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4
+RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000
+RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a
+R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98
+FS:  00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000200000001140 CR3: 000000007cc4a000 CR4: 00000000003526f0
+Call Trace:
+ <TASK>
+ __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline]
+ __static_key_slow_dec kernel/jump_label.c:321 [inline]
+ static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336
+ aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343
+ short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383
+ vfs_write+0x2aa/0x1070 fs/read_write.c:684
+ ksys_pwrite64 fs/read_write.c:793 [inline]
+ __do_sys_pwrite64 fs/read_write.c:801 [inline]
+ __se_sys_pwrite64 fs/read_write.c:798 [inline]
+ __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f530cf9aeb9
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
+RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9
+RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010
+RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000
+R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978
+ </TASK>
+
+Fixes: e908435e402a ("mac80211: introduce aql_enable node in debugfs")
+Reported-by: syzbot+feb9ce36a95341bb47a4@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69a8979e.a70a0220.b118c.0025.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260306072405.3649474-1-kuniyu@google.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/debugfs.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c
+index a0710ae0e7a49..e9b3b2c7b6faa 100644
+--- a/net/mac80211/debugfs.c
++++ b/net/mac80211/debugfs.c
+@@ -327,7 +327,6 @@ static ssize_t aql_enable_read(struct file *file, char __user *user_buf,
+ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf,
+                               size_t count, loff_t *ppos)
+ {
+-      bool aql_disabled = static_key_false(&aql_disable.key);
+       char buf[3];
+       size_t len;
+@@ -342,15 +341,12 @@ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf,
+       if (len > 0 && buf[len - 1] == '\n')
+               buf[len - 1] = 0;
+-      if (buf[0] == '0' && buf[1] == '\0') {
+-              if (!aql_disabled)
+-                      static_branch_inc(&aql_disable);
+-      } else if (buf[0] == '1' && buf[1] == '\0') {
+-              if (aql_disabled)
+-                      static_branch_dec(&aql_disable);
+-      } else {
++      if (buf[0] == '0' && buf[1] == '\0')
++              static_branch_enable(&aql_disable);
++      else if (buf[0] == '1' && buf[1] == '\0')
++              static_branch_disable(&aql_disable);
++      else
+               return -EINVAL;
+-      }
+       return count;
+ }
+-- 
+2.51.0
+
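Review bot: The rewritten branches depend on `static_branch_enable()`/`static_branch_disable()` being idempotent, which is exactly why the removed read-then-inc/dec pattern could underflow, yet that reasoning lives only in the commit message. A comment above the `if (buf[0] == '0' && buf[1] == '\0')` line would preserve it, e.g. `/* enable/disable are idempotent, so concurrent writers cannot unbalance the key the way inc/dec did */`. The copy of the user buffer into `buf` and the handling of a zero-length write fall between the two hunks, so whether `buf[0]` and `buf[1]` are always initialized before the comparison cannot be confirmed from what is shown. aql_enable_write() spans both hunks of this file.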
diff --git a/queue-6.12/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch b/queue-6.12/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
new file mode 100644 (file)
index 0000000..c3cc26b
--- /dev/null
@@ -0,0 +1,54 @@
+From 97720bc9a80124b8777265df37d6324cde2c5434 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 23:46:36 -0700
+Subject: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not
+ enough headroom
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit deb353d9bb009638b7762cae2d0b6e8fdbb41a69 ]
+
+Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom
+before skb_push"), wl1271_tx_allocate() and with it
+wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails.
+However, in wlcore_tx_work_locked(), a return value of -EAGAIN from
+wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being
+full. This causes the code to flush the buffer, put the skb back at the
+head of the queue, and immediately retry the same skb in a tight while
+loop.
+
+Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens
+immediately with GFP_ATOMIC, this will result in an infinite loop and a
+CPU soft lockup. Return -ENOMEM instead so the packet is dropped and
+the loop terminates.
+
+The problem was found by an experimental code review agent based on
+gemini-3.1-pro while reviewing backports into v6.18.y.
+
+Assisted-by: Gemini:gemini-3.1-pro
+Fixes: e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push")
+Cc: Peter Astrand <astrand@lysator.liu.se>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://patch.msgid.link/20260318064636.3065925-1-linux@roeck-us.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wlcore/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c
+index f251627c24c6e..3c0f8f3ba2668 100644
+--- a/drivers/net/wireless/ti/wlcore/tx.c
++++ b/drivers/net/wireless/ti/wlcore/tx.c
+@@ -210,7 +210,7 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif,
+               if (skb_headroom(skb) < (total_len - skb->len) &&
+                   pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) {
+                       wl1271_free_tx_id(wl, id);
+-                      return -EAGAIN;
++                      return -ENOMEM;
+               }
+               desc = skb_push(skb, total_len - skb->len);
+-- 
+2.51.0
+
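Review bot: The return value change fixes the loop, but nothing in the hunk records that `-EAGAIN` carries a special "aggregation buffer full, retry" meaning for wlcore_tx_work_locked(), so a later cleanup could reintroduce it. A comment on the new line would guard against that, e.g. `/* not -EAGAIN: the tx work loop treats that as "aggregation buffer full" and would retry this skb forever under wl->mutex */`. wl1271_tx_allocate() starts and ends outside the hunk.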
diff --git a/queue-6.18/acpi-processor-fix-previous-acpi_processor_errata_pi.patch b/queue-6.18/acpi-processor-fix-previous-acpi_processor_errata_pi.patch
new file mode 100644 (file)
index 0000000..2276cd3
--- /dev/null
@@ -0,0 +1,74 @@
+From 1f76543ea57b822bb65cfc084eb183a3ab3ef1fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 21:39:05 +0100
+Subject: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit bf504b229cb8d534eccbaeaa23eba34c05131e25 ]
+
+After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference
+in acpi_processor_errata_piix4()"), device pointers may be dereferenced
+after dropping references to the device objects pointed to by them,
+which may cause a use-after-free to occur.
+
+Moreover, debug messages about enabling the errata may be printed
+if the errata flags corresponding to them are unset.
+
+Address all of these issues by moving message printing to the points
+in the code where the errata flags are set.
+
+Fixes: f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()")
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Closes: https://lore.kernel.org/linux-acpi/938e2206-def5-4b7a-9b2c-d1fd37681d8a@roeck-us.net/
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Link: https://patch.msgid.link/5975693.DvuYhMxLoT@rafael.j.wysocki
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_processor.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c
+index 85096ce7b658b..5a562e27d3a80 100644
+--- a/drivers/acpi/acpi_processor.c
++++ b/drivers/acpi/acpi_processor.c
+@@ -113,6 +113,10 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev)
+                                    PCI_ANY_ID, PCI_ANY_ID, NULL);
+               if (ide_dev) {
+                       errata.piix4.bmisx = pci_resource_start(ide_dev, 4);
++                      if (errata.piix4.bmisx)
++                              dev_dbg(&ide_dev->dev,
++                                      "Bus master activity detection (BM-IDE) erratum enabled\n");
++
+                       pci_dev_put(ide_dev);
+               }
+@@ -131,20 +135,17 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev)
+               if (isa_dev) {
+                       pci_read_config_byte(isa_dev, 0x76, &value1);
+                       pci_read_config_byte(isa_dev, 0x77, &value2);
+-                      if ((value1 & 0x80) || (value2 & 0x80))
++                      if ((value1 & 0x80) || (value2 & 0x80)) {
+                               errata.piix4.fdma = 1;
++                              dev_dbg(&isa_dev->dev,
++                                      "Type-F DMA livelock erratum (C3 disabled)\n");
++                      }
+                       pci_dev_put(isa_dev);
+               }
+               break;
+       }
+-      if (ide_dev)
+-              dev_dbg(&ide_dev->dev, "Bus master activity detection (BM-IDE) erratum enabled\n");
+-
+-      if (isa_dev)
+-              dev_dbg(&isa_dev->dev, "Type-F DMA livelock erratum (C3 disabled)\n");
+-
+       return 0;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.18/acpica-update-the-format-of-arg3-of-_dsm.patch b/queue-6.18/acpica-update-the-format-of-arg3-of-_dsm.patch
new file mode 100644 (file)
index 0000000..f6113f6
--- /dev/null
@@ -0,0 +1,37 @@
+From 6a18c7ba3f38826b8c8079e862a90af533b8968d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 20:34:49 +0100
+Subject: ACPICA: Update the format of Arg3 of _DSM
+
+From: Saket Dumbre <saket.dumbre@intel.com>
+
+[ Upstream commit ab93d7eee94205430fc3b0532557cb0494bf2faf ]
+
+To get rid of type incompatibility warnings in Linux.
+
+Fixes: 81f92cff6d42 ("ACPICA: ACPI_TYPE_ANY does not include the package type")
+Link: https://github.com/acpica/acpica/commit/4fb74872dcec
+Signed-off-by: Saket Dumbre <saket.dumbre@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Link: https://patch.msgid.link/12856643.O9o76ZdvQC@rafael.j.wysocki
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/acpredef.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/acpica/acpredef.h b/drivers/acpi/acpica/acpredef.h
+index da2c45880cc7e..c9e65c6a20690 100644
+--- a/drivers/acpi/acpica/acpredef.h
++++ b/drivers/acpi/acpica/acpredef.h
+@@ -450,7 +450,7 @@ const union acpi_predefined_info acpi_gbl_predefined_methods[] = {
+       {{"_DSM",
+         METHOD_4ARGS(ACPI_TYPE_BUFFER, ACPI_TYPE_INTEGER, ACPI_TYPE_INTEGER,
+-                     ACPI_TYPE_ANY | ACPI_TYPE_PACKAGE) |
++                     ACPI_TYPE_PACKAGE | ACPI_TYPE_ANY) |
+                      ARG_COUNT_IS_MINIMUM,
+         METHOD_RETURNS(ACPI_RTYPE_ALL)}},     /* Must return a value, but it can be of any type */
+-- 
+2.51.0
+
diff --git a/queue-6.18/arm64-dts-renesas-r9a09g057-add-rtc-node.patch b/queue-6.18/arm64-dts-renesas-r9a09g057-add-rtc-node.patch
new file mode 100644 (file)
index 0000000..556b00b
--- /dev/null
@@ -0,0 +1,50 @@
+From d7ac5205375edfefa4ae842b6e4c16ee1f45050a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Nov 2025 21:07:05 +0000
+Subject: arm64: dts: renesas: r9a09g057: Add RTC node
+
+From: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
+
+[ Upstream commit cfc733da4e79018f88d8ac5f3a5306abbba8ef89 ]
+
+Add RTC node to Renesas RZ/V2H ("R9A09G057") SoC DTSI.
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20251107210706.45044-4-ovidiu.panait.rb@renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Stable-dep-of: a3f34651de42 ("arm64: dts: renesas: r9a09g057: Remove wdt{0,2,3} nodes")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a09g057.dtsi | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi
+index 630f7a98df386..f59c3040f536a 100644
+--- a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi
+@@ -586,6 +586,21 @@ wdt3: watchdog@13000400 {
+                       status = "disabled";
+               };
++              rtc: rtc@11c00800 {
++                      compatible = "renesas,r9a09g057-rtca3", "renesas,rz-rtca3";
++                      reg = <0 0x11c00800 0 0x400>;
++                      interrupts = <GIC_SPI 524 IRQ_TYPE_EDGE_RISING>,
++                                   <GIC_SPI 525 IRQ_TYPE_EDGE_RISING>,
++                                   <GIC_SPI 526 IRQ_TYPE_EDGE_RISING>;
++                      interrupt-names = "alarm", "period", "carry";
++                      clocks = <&cpg CPG_MOD 0x53>, <&rtxin_clk>;
++                      clock-names = "bus", "counter";
++                      power-domains = <&cpg>;
++                      resets = <&cpg 0x79>, <&cpg 0x7a>;
++                      reset-names = "rtc", "rtest";
++                      status = "disabled";
++              };
++
+               scif: serial@11c01400 {
+                       compatible = "renesas,scif-r9a09g057";
+                       reg = <0 0x11c01400 0 0x400>;
+-- 
+2.51.0
+
diff --git a/queue-6.18/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch b/queue-6.18/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch
new file mode 100644 (file)
index 0000000..2d069e1
--- /dev/null
@@ -0,0 +1,82 @@
+From 00ac1d07b536323be34132d39237adb39d91a285 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Feb 2026 12:42:46 +0000
+Subject: arm64: dts: renesas: r9a09g057: Remove wdt{0,2,3} nodes
+
+From: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+
+[ Upstream commit a3f34651de4287138c0da19ba321ad72622b4af3 ]
+
+The HW user manual for the Renesas RZ/V2H(P) SoC (a.k.a r9a09g057)
+states that only WDT1 is supposed to be accessed by the CA55 cores.
+WDT0 is supposed to be used by the CM33 core, WDT2 is supposed
+to be used by the CR8 core 0, and WDT3 is supposed to be used
+by the CR8 core 1.
+
+Remove wdt{0,2,3} from the SoC specific device tree to make it
+compliant with the specification from the HW manual.
+
+This change is harmless as there are currently no users of the
+wdt{0,2,3} device tree nodes, only the wdt1 node is actually used.
+
+Fixes: 095105496e7d ("arm64: dts: renesas: r9a09g057: Add WDT0-WDT3 nodes")
+Signed-off-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20260203124247.7320-3-fabrizio.castro.jz@renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a09g057.dtsi | 30 ----------------------
+ 1 file changed, 30 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi
+index f59c3040f536a..100d5cab9b12f 100644
+--- a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi
+@@ -546,16 +546,6 @@ ostm7: timer@12c03000 {
+                       status = "disabled";
+               };
+-              wdt0: watchdog@11c00400 {
+-                      compatible = "renesas,r9a09g057-wdt";
+-                      reg = <0 0x11c00400 0 0x400>;
+-                      clocks = <&cpg CPG_MOD 0x4b>, <&cpg CPG_MOD 0x4c>;
+-                      clock-names = "pclk", "oscclk";
+-                      resets = <&cpg 0x75>;
+-                      power-domains = <&cpg>;
+-                      status = "disabled";
+-              };
+-
+               wdt1: watchdog@14400000 {
+                       compatible = "renesas,r9a09g057-wdt";
+                       reg = <0 0x14400000 0 0x400>;
+@@ -566,26 +556,6 @@ wdt1: watchdog@14400000 {
+                       status = "disabled";
+               };
+-              wdt2: watchdog@13000000 {
+-                      compatible = "renesas,r9a09g057-wdt";
+-                      reg = <0 0x13000000 0 0x400>;
+-                      clocks = <&cpg CPG_MOD 0x4f>, <&cpg CPG_MOD 0x50>;
+-                      clock-names = "pclk", "oscclk";
+-                      resets = <&cpg 0x77>;
+-                      power-domains = <&cpg>;
+-                      status = "disabled";
+-              };
+-
+-              wdt3: watchdog@13000400 {
+-                      compatible = "renesas,r9a09g057-wdt";
+-                      reg = <0 0x13000400 0 0x400>;
+-                      clocks = <&cpg CPG_MOD 0x51>, <&cpg CPG_MOD 0x52>;
+-                      clock-names = "pclk", "oscclk";
+-                      resets = <&cpg 0x78>;
+-                      power-domains = <&cpg>;
+-                      status = "disabled";
+-              };
+-
+               rtc: rtc@11c00800 {
+                       compatible = "renesas,r9a09g057-rtca3", "renesas,rz-rtca3";
+                       reg = <0 0x11c00800 0 0x400>;
+-- 
+2.51.0
+
diff --git a/queue-6.18/arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch b/queue-6.18/arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch
new file mode 100644 (file)
index 0000000..9b57acd
--- /dev/null
@@ -0,0 +1,42 @@
+From 30b7c09897af635090aacff2a7b8ef762790389f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Feb 2026 13:17:41 +0000
+Subject: arm64: dts: renesas: r9a09g077: Fix CPG register region sizes
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit b12985ceca18bcf67f176883175d544daad5e00e ]
+
+The CPG register regions were incorrectly sized.  Update them to match
+the actual hardware specification:
+  - First region (0x80280000): 0x1000 -> 0x10000 (64kiB)
+  - Second region (0x81280000): 0x9000 -> 0x10000 (64kiB)
+
+Fixes: d17b34744f5e4 ("arm64: dts: renesas: Add initial support for the Renesas RZ/T2H SoC")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20260213131742.3606334-2-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a09g077.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a09g077.dtsi b/arch/arm64/boot/dts/renesas/r9a09g077.dtsi
+index 7f1aca218c9fb..06aae2c635676 100644
+--- a/arch/arm64/boot/dts/renesas/r9a09g077.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a09g077.dtsi
+@@ -267,8 +267,8 @@ i2c2: i2c@81008000 {
+               cpg: clock-controller@80280000 {
+                       compatible = "renesas,r9a09g077-cpg-mssr";
+-                      reg = <0 0x80280000 0 0x1000>,
+-                            <0 0x81280000 0 0x9000>;
++                      reg = <0 0x80280000 0 0x10000>,
++                            <0 0x81280000 0 0x10000>;
+                       clocks = <&extal_clk>;
+                       clock-names = "extal";
+                       #clock-cells = <2>;
+-- 
+2.51.0
+
diff --git a/queue-6.18/arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch b/queue-6.18/arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch
new file mode 100644 (file)
index 0000000..456df74
--- /dev/null
@@ -0,0 +1,42 @@
+From 83e6fd0b7a6d6b50431733144e43c663702742e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Feb 2026 13:17:42 +0000
+Subject: arm64: dts: renesas: r9a09g087: Fix CPG register region sizes
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit f459672cf3ffd3c062973838951418271aa2ceef ]
+
+The CPG register regions were incorrectly sized.  Update them to match
+the actual hardware specification:
+  - First region (0x80280000): 0x1000 -> 0x10000 (64kiB)
+  - Second region (0x81280000): 0x9000 -> 0x10000 (64kiB)
+
+Fixes: 4b3d31f0b81fe ("arm64: dts: renesas: Add initial SoC DTSI for the RZ/N2H SoC")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20260213131742.3606334-3-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a09g087.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a09g087.dtsi b/arch/arm64/boot/dts/renesas/r9a09g087.dtsi
+index f06c19c73adb8..6dd80fa2755e8 100644
+--- a/arch/arm64/boot/dts/renesas/r9a09g087.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a09g087.dtsi
+@@ -267,8 +267,8 @@ i2c2: i2c@81008000 {
+               cpg: clock-controller@80280000 {
+                       compatible = "renesas,r9a09g087-cpg-mssr";
+-                      reg = <0 0x80280000 0 0x1000>,
+-                            <0 0x81280000 0 0x9000>;
++                      reg = <0 0x80280000 0 0x10000>,
++                            <0 0x81280000 0 0x10000>;
+                       clocks = <&extal_clk>;
+                       clock-names = "extal";
+                       #clock-cells = <2>;
+-- 
+2.51.0
+
diff --git a/queue-6.18/arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch b/queue-6.18/arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch
new file mode 100644 (file)
index 0000000..96ac112
--- /dev/null
@@ -0,0 +1,73 @@
+From 94102eea0426d7d043071e9a8d2ca9afaaa95786 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Mar 2026 15:57:03 +0200
+Subject: arm64: dts: renesas: rzg3s-smarc-som: Set bypass for Versa3 PLL2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+[ Upstream commit 6dcbb6f070cccabc6a13d640a5a84de581fdd761 ]
+
+The default settings for the Versa3 device on the Renesas RZ/G3S SMARC
+SoM board have PLL2 disabled. PLL2 was later enabled together with audio
+support, as it is required to support both 44.1 kHz and 48 kHz audio.
+
+With PLL2 enabled, it was observed that Linux occasionally either hangs
+during boot (the last log message being related to the I2C probe) or
+randomly crashes. This was mainly reproducible on cold boots. During
+debugging, it was also noticed that the Unicode replacement character (�)
+sometimes appears on the serial console. Further investigation traced this
+to the configuration applied through the Versa3 register at offset 0x1c,
+which controls PLL enablement.
+
+The appearance of the Unicode replacement character suggested an issue
+with the SoC reference clock. The RZ/G3S reference clock is provided by
+the Versa3 clock generator (REF output).
+
+After checking with the Renesas Versa3 hardware team, it was found that
+this is related to the PLL2 lock bit being set through the
+renesas,settings DT property.
+
+The PLL lock bit must be set to avoid unstable clock output from the PLL.
+However, due to the Versa3 hardware design, when a PLL lock bit is set,
+all outputs (including the REF clock) are temporarily disabled until the
+configured PLLs become stable.
+
+As an alternative, the bypass bit can be used. This does not interrupt the
+PLL2 output or any other Versa3 outputs, but it may result in temporary
+instability on PLL2 output while the configuration is applied. Since PLL2
+feeds only the audio path and audio is not used during early boot, this is
+acceptable and does not affect system boot.
+
+Drop the PLL2 lock bit and set the bypass bit instead.
+
+This has been tested with more than 1000 cold boots.
+
+Fixes: a94253232b04 ("arm64: dts: renesas: rzg3s-smarc-som: Add versa3 clock generator node")
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20260302135703.162601-1-claudiu.beznea.uj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi b/arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi
+index 39845faec8943..a5d4d70e83c90 100644
+--- a/arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi
++++ b/arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi
+@@ -166,7 +166,7 @@ versa3: clock-generator@68 {
+                                      <100000000>;
+               renesas,settings = [
+                 80 00 11 19 4c 42 dc 2f 06 7d 20 1a 5f 1e f2 27
+-                00 40 00 00 00 00 00 00 06 0c 19 02 3f f0 90 86
++                00 40 00 00 00 00 00 00 06 0c 19 02 3b f0 90 86
+                 a0 80 30 30 9c
+               ];
+       };
+-- 
+2.51.0
+
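Review bot: The byte changed at index 28 of `renesas,settings` (0x3f -> 0x3b) is the only trace of the lock-bit/bypass-bit decision in the dtsi; the reasoning lives solely in the commit message, so the next person tuning the audio clocks can easily set the lock bit back and reintroduce the cold-boot hang. Index 28 appears to map to the Versa3 register 0x1c the message refers to, so a comment above the array such as `/* Versa3 reg 0x1c: PLL2 uses the bypass bit, not the lock bit; the lock bit gates all outputs (incl. REF) until PLL lock and hangs boot */` would keep the constraint with the value. The enclosing `versa3` node starts outside the hunk.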
diff --git a/queue-6.18/arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch b/queue-6.18/arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch
new file mode 100644 (file)
index 0000000..04a1ce5
--- /dev/null
@@ -0,0 +1,53 @@
+From 45a80b0047e09fac2f5c633d7e36abf82403a418 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 22:59:54 +0000
+Subject: arm64: dts: renesas: rzt2h-n2h-evk: Add ramp delay for SD0 card
+ regulator
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit bb70589b67039e491dd60cf71272884e926a0f95 ]
+
+Add a ramp delay of 60 uV/us to the vqmmc_sdhi0 voltage regulator to
+fix UHS-I SD card detection failures.
+
+Measurements on CN78 pin 4 showed the actual voltage ramp time to be
+21.86ms when switching between 3.3V and 1.8V. A 25ms ramp delay has
+been configured to provide adequate margin. The calculation is based
+on the voltage delta of 1.5V (3.3V - 1.8V):
+  1500000 uV / 60 uV/us = 25000 us (25ms)
+
+Prior to this patch, UHS-I cards failed to initialize with:
+
+    mmc0: error -110 whilst initialising SD card
+
+After this patch, UHS-I cards are properly detected on SD0:
+
+    mmc0: new UHS-I speed SDR104 SDXC card at address aaaa
+    mmcblk0: mmc0:aaaa SR64G 59.5 GiB
+
+Fixes: d065453e5ee09 ("arm64: dts: renesas: rzt2h-rzn2h-evk: Enable SD card slot")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20260123225957.1007089-2-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi b/arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi
+index 5384a43837c1d..9c6f712a62eff 100644
+--- a/arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi
++++ b/arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi
+@@ -49,6 +49,7 @@ vqmmc_sdhi0: regulator-vqmmc-sdhi0 {
+               regulator-max-microvolt = <3300000>;
+               gpios-states = <0>;
+               states = <3300000 0>, <1800000 1>;
++              regulator-ramp-delay = <60>;
+       };
+ #endif
+-- 
+2.51.0
+
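Review bot: `regulator-ramp-delay = <60>;` lands in the dtsi as a bare number; the derivation (1.5 V delta / 60 uV/us = 25 ms against a measured 21.86 ms on CN78 pin 4) exists only in the commit message, and the rzv2-evk-cn15-sd.dtso hunk that follows copies the same value without a measurement of its own. A one-line comment above the property, `/* 60 uV/us -> ~25 ms for the 3.3 V <-> 1.8 V switch (measured ramp 21.86 ms) */`, keeps the rationale next to the value and makes it obvious whether a board with a different regulator needs re-measuring. The same note applies to the rzv2-evk-cn15-sd.dtso hunk.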
diff --git a/queue-6.18/arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch b/queue-6.18/arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch
new file mode 100644 (file)
index 0000000..85e9f0e
--- /dev/null
@@ -0,0 +1,53 @@
+From b0359a7ff4679addf64e49ed26a8f8deaae5f10c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 22:59:57 +0000
+Subject: arm64: dts: renesas: rzv2-evk-cn15-sd: Add ramp delay for SD0
+ regulator
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit 5c03465ecf6a56b7b261df9594f0e10612f53a50 ]
+
+Set an appropriate ramp delay for the SD0 I/O voltage regulator in the
+CN15 SD overlay to make UHS-I voltage switching reliable during card
+initialization.
+
+This issue was observed on the RZ/V2H EVK, while the same UHS-I cards
+worked on the RZ/V2N EVK without problems. Adding the ramp delay makes
+the behavior consistent and avoids SD init timeouts.
+
+Before this change SD0 could fail with:
+
+    mmc0: error -110 whilst initialising SD card
+
+With the delay in place UHS-I cards enumerate correctly:
+
+    mmc0: new UHS-I speed SDR104 SDXC card at address aaaa
+    mmcblk0: mmc0:aaaa SR64G 59.5 GiB
+     mmcblk0: p1
+
+Fixes: 3d6c2bc7629c8 ("arm64: dts: renesas: Add CN15 eMMC and SD overlays for RZ/V2H and RZ/V2N EVKs")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20260123225957.1007089-5-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso b/arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso
+index 0af1e0a6c7f48..fc53c1aae3b52 100644
+--- a/arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso
++++ b/arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso
+@@ -25,6 +25,7 @@
+               regulator-max-microvolt = <3300000>;
+               gpios-states = <0>;
+               states = <3300000 0>, <1800000 1>;
++              regulator-ramp-delay = <60>;
+       };
+ };
+-- 
+2.51.0
+
diff --git a/queue-6.18/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch b/queue-6.18/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch
new file mode 100644 (file)
index 0000000..1bb4f05
--- /dev/null
@@ -0,0 +1,52 @@
+From c7a0623f85282d5d7c57c3da9cf5c78bc2c44d3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 14:50:52 +0100
+Subject: Bluetooth: hci_sync: Fix hci_le_create_conn_sync
+
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+
+[ Upstream commit 2cabe7ff1001b7a197009cf50ba71701f9cbd354 ]
+
+While introducing hci_le_create_conn_sync the functionality
+of hci_connect_le was ported to hci_le_create_conn_sync including
+the disable of the scan before starting the connection.
+
+When this code was run non synchronously the immediate call that was
+setting the flag HCI_LE_SCAN_INTERRUPTED had an impact. Since the
+completion handler for the LE_SCAN_DISABLE was not immediately called.
+In the completion handler of the LE_SCAN_DISABLE event, this flag is
+checked to set the state of the hdev to DISCOVERY_STOPPED.
+
+With the synchronised approach the later setting of the
+HCI_LE_SCAN_INTERRUPTED flag has not the same effect. The completion
+handler would immediately fire in the LE_SCAN_DISABLE call, check for
+the flag, which is then not yet set and do nothing.
+
+To fix this issue and make the function call work as before, we move the
+setting of the flag HCI_LE_SCAN_INTERRUPTED before disabling the scan.
+
+Fixes: 8e8b92ee60de ("Bluetooth: hci_sync: Add hci_le_create_conn_sync")
+Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 9f01837250a5e..e94b62844e1ef 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -6578,8 +6578,8 @@ static int hci_le_create_conn_sync(struct hci_dev *hdev, void *data)
+        * state.
+        */
+       if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {
+-              hci_scan_disable_sync(hdev);
+               hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
++              hci_scan_disable_sync(hdev);
+       }
+       /* Update random address, but set require_privacy to false so
+-- 
+2.51.0
+
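Review bot: With `hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED)` now issued before `hci_scan_disable_sync(hdev)`, a failing disable leaves the flag set while scanning is still active, and nothing in the hunk clears it; the return value was already ignored before the reorder, but the stale flag is new. If that state is not acceptable, `if (hci_scan_disable_sync(hdev)) hci_dev_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED);` keeps the two consistent, assuming the downstream discovery-state handling does not rely on the flag surviving a failed disable. The ordering is now load-bearing for the synchronous path, so the comment above the block (cut by the hunk) should say so, e.g. `/* Set HCI_LE_SCAN_INTERRUPTED first: the disable completes synchronously and its completion handler checks the flag. */`. hci_le_create_conn_sync begins and ends outside the hunk.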
diff --git a/queue-6.18/bluetooth-hidp-fix-possible-uaf.patch b/queue-6.18/bluetooth-hidp-fix-possible-uaf.patch
new file mode 100644 (file)
index 0000000..9f3b2b0
--- /dev/null
@@ -0,0 +1,237 @@
+From 2ef9bdb491152283baf4f099110c78148b6cc953 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 10:17:47 -0500
+Subject: Bluetooth: HIDP: Fix possible UAF
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit dbf666e4fc9bdd975a61bf682b3f75cb0145eedd ]
+
+This fixes the following trace caused by not dropping l2cap_conn
+reference when user->remove callback is called:
+
+[   97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
+[   97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   97.809947] Call Trace:
+[   97.809954]  <TASK>
+[   97.809961]  dump_stack_lvl (lib/dump_stack.c:122)
+[   97.809990]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
+[   97.810017]  l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
+[   97.810055]  l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
+[   97.810086]  ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
+[   97.810117]  hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
+[   97.810148]  hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
+[   97.810180]  ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
+[   97.810212]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810242]  ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
+[   97.810267]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810290]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
+[   97.810320]  hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
+[   97.810346]  vhci_release (drivers/bluetooth/hci_vhci.c:691)
+[   97.810375]  ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
+[   97.810404]  __fput (fs/file_table.c:470)
+[   97.810430]  task_work_run (kernel/task_work.c:235)
+[   97.810451]  ? __pfx_task_work_run (kernel/task_work.c:201)
+[   97.810472]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810495]  ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
+[   97.810527]  do_exit (kernel/exit.c:972)
+[   97.810547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810574]  ? __pfx_do_exit (kernel/exit.c:897)
+[   97.810594]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
+[   97.810616]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810639]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
+[   97.810664]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810688]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   97.810721]  do_group_exit (kernel/exit.c:1093)
+[   97.810745]  get_signal (kernel/signal.c:3007 (discriminator 1))
+[   97.810772]  ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
+[   97.810803]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810826]  ? vfs_read (fs/read_write.c:555)
+[   97.810854]  ? __pfx_get_signal (kernel/signal.c:2800)
+[   97.810880]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810905]  ? __pfx_vfs_read (fs/read_write.c:555)
+[   97.810932]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810960]  arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
+[   97.810990]  ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
+[   97.811021]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811055]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811078]  ? ksys_read (fs/read_write.c:707)
+[   97.811106]  ? __pfx_ksys_read (fs/read_write.c:707)
+[   97.811137]  exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
+[   97.811169]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
+[   97.811192]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811215]  ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
+[   97.811240]  do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
+[   97.811268]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811292]  ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
+[   97.811318]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+[   97.811338] RIP: 0033:0x445cfe
+[   97.811352] Code: Unable to access opcode bytes at 0x445cd4.
+
+Code starting with the faulting instruction
+===========================================
+[   97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
+[   97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe
+[   97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004
+[   97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000
+[   97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8
+[   97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0
+[   97.811453]  </TASK>
+[   98.402453] ==================================================================
+[   98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430
+[   98.405361]
+[   98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   98.405600] Call Trace:
+[   98.405607]  <TASK>
+[   98.405614]  dump_stack_lvl (lib/dump_stack.c:122)
+[   98.405641]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
+[   98.405667]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.405691]  ? __virt_addr_valid (arch/x86/mm/physaddr.c:55)
+[   98.405724]  ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405748]  kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
+[   98.405778]  ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405807]  __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405832]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
+[   98.405859]  ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.405888]  ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
+[   98.405915]  ? __pfx___mutex_lock (kernel/locking/mutex.c:775)
+[   98.405939]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.405963]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
+[   98.405984]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.406015]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406038]  ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875)
+[   98.406061]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406085]  ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194)
+[   98.406107]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406130]  ? __timer_delete_sync (kernel/time/timer.c:1592)
+[   98.406158]  ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.406186]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406210]  l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.406263]  hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305)
+[   98.406293]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.406323]  ? kthread (kernel/kthread.c:433)
+[   98.406340]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.406370]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406393]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.406424]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.406453]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406476]  ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
+[   98.406499]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406523]  ? kthread (kernel/kthread.c:433)
+[   98.406539]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406565]  ? kthread (kernel/kthread.c:433)
+[   98.406581]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.406610]  kthread (kernel/kthread.c:467)
+[   98.406627]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.406645]  ret_from_fork (arch/x86/kernel/process.c:164)
+[   98.406674]  ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
+[   98.406704]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406728]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.406747]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
+[   98.406774]  </TASK>
+[   98.406780]
+[   98.433693] The buggy address belongs to the physical page:
+[   98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4
+[   98.435557] flags: 0x200000000000000(node=0|zone=2)
+[   98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000
+[   98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000
+[   98.438115] page dumped because: kasan: bad access detected
+[   98.438951]
+[   98.439211] Memory state around the buggy address:
+[   98.439871]  ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   98.440714]  ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.442458]                                   ^
+[   98.443011]  ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.443889]  ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.444768] ==================================================================
+[   98.445719] Disabling lock debugging due to kernel taint
+[   98.448074] l2cap_conn_free: freeing conn ffff88810c22b400
+[   98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G    B               7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   98.450040] Tainted: [B]=BAD_PAGE
+[   98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   98.450059] Call Trace:
+[   98.450065]  <TASK>
+[   98.450071]  dump_stack_lvl (lib/dump_stack.c:122)
+[   98.450099]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
+[   98.450125]  l2cap_conn_put (net/bluetooth/l2cap_core.c:1822)
+[   98.450154]  session_free (net/bluetooth/hidp/core.c:990)
+[   98.450181]  hidp_session_thread (net/bluetooth/hidp/core.c:1307)
+[   98.450213]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.450271]  ? kthread (kernel/kthread.c:433)
+[   98.450293]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.450339]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450368]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.450406]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.450442]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450471]  ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
+[   98.450499]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450528]  ? kthread (kernel/kthread.c:433)
+[   98.450547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450578]  ? kthread (kernel/kthread.c:433)
+[   98.450598]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.450637]  kthread (kernel/kthread.c:467)
+[   98.450657]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.450680]  ret_from_fork (arch/x86/kernel/process.c:164)
+[   98.450715]  ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
+[   98.450752]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450782]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.450804]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
+[   98.450836]  </TASK>
+
+Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers")
+Reported-by: soufiane el hachmi <kilwa10@gmail.com>
+Tested-by: soufiane el hachmi <kilwa10@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hidp/core.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index 6724adce615b6..e0e4003815500 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -986,7 +986,8 @@ static void session_free(struct kref *ref)
+       skb_queue_purge(&session->intr_transmit);
+       fput(session->intr_sock->file);
+       fput(session->ctrl_sock->file);
+-      l2cap_conn_put(session->conn);
++      if (session->conn)
++              l2cap_conn_put(session->conn);
+       kfree(session);
+ }
+@@ -1164,6 +1165,15 @@ static void hidp_session_remove(struct l2cap_conn *conn,
+       down_write(&hidp_session_sem);
++      /* Drop L2CAP reference immediately to indicate that
++       * l2cap_unregister_user() shall not be called as it is already
++       * considered removed.
++       */
++      if (session->conn) {
++              l2cap_conn_put(session->conn);
++              session->conn = NULL;
++      }
++
+       hidp_session_terminate(session);
+       cancel_work_sync(&session->dev_init);
+@@ -1301,7 +1311,9 @@ static int hidp_session_thread(void *arg)
+        * Instead, this call has the same semantics as if user-space tried to
+        * delete the session.
+        */
+-      l2cap_unregister_user(session->conn, &session->user);
++      if (session->conn)
++              l2cap_unregister_user(session->conn, &session->user);
++
+       hidp_session_put(session);
+       module_put_and_kthread_exit(0);
+-- 
+2.51.0
+
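Review bot: `hidp_session_thread` tests `session->conn` in the third hunk without holding `hidp_session_sem`, while `hidp_session_remove` drops the reference and NULLs the pointer under `down_write(&hidp_session_sem)`; unless the thread is otherwise serialized against removal at this point (not visible here), a check-then-use window remains in which the thread sees a non-NULL conn that is put and cleared before `l2cap_unregister_user()` runs, which is the same class of use-after-free the patch targets. Either take the semaphore around the check-and-call in the thread, or add a comment explaining why the remove path cannot race with this exit path. The new comment in `hidp_session_remove` describes the intent; a matching one at the thread-side check, e.g. `/* conn is NULL when hidp_session_remove() already dropped it and unregistered us. */`, would make the protocol explicit at both ends. All three touched functions begin and end outside their hunks.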
diff --git a/queue-6.18/bluetooth-iso-fix-defer-tests-being-unstable.patch b/queue-6.18/bluetooth-iso-fix-defer-tests-being-unstable.patch
new file mode 100644 (file)
index 0000000..7ca5306
--- /dev/null
@@ -0,0 +1,49 @@
+From 624f1e5274df5f56747ac0600d1f793fe2b7c50c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Feb 2026 15:23:01 -0500
+Subject: Bluetooth: ISO: Fix defer tests being unstable
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 62bcaa6b351b6dc400f6c6b83762001fd9f5c12d ]
+
+iso-tester defer tests seem to fail with hci_conn_hash_lookup_cig
+being unable to resolve a cig in set_cig_params_sync due a race
+where it is run immediatelly before hci_bind_cis is able to set
+the QoS settings into the hci_conn object.
+
+So this moves the assigning of the QoS settings to be done directly
+by hci_le_set_cig_params to prevent that from happening again.
+
+Fixes: 26afbd826ee3 ("Bluetooth: Add initial implementation of CIS connections")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_conn.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 6a27ac5a751ca..8906526ff32c5 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1927,6 +1927,8 @@ static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
+               return false;
+ done:
++      conn->iso_qos = *qos;
++
+       if (hci_cmd_sync_queue(hdev, set_cig_params_sync,
+                              UINT_PTR(qos->ucast.cig), NULL) < 0)
+               return false;
+@@ -1996,8 +1998,6 @@ struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
+       }
+       hci_conn_hold(cis);
+-
+-      cis->iso_qos = *qos;
+       cis->state = BT_BOUND;
+       return cis;
+-- 
+2.51.0
+
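Review bot: At the `done:` label `conn->iso_qos = *qos;` now runs before `hci_cmd_sync_queue()`, so a queue failure returns false with the new QoS already stored on the connection, while the `return false;` just above `done:` leaves iso_qos untouched; callers now observe different connection state depending on which failure path was taken. If `hci_bind_cis` discards the cis on failure (its error handling is cut from the hunk, so this cannot be confirmed here) the difference is harmless, otherwise the failure branch after the queue call should restore the previous value. A short comment at the label would also help future readers, e.g. `/* Publish the QoS before queuing: set_cig_params_sync resolves the CIG via hci_conn_hash_lookup_cig and must see it. */`. hci_le_set_cig_params and hci_bind_cis both begin and end outside their hunks.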
diff --git a/queue-6.18/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch b/queue-6.18/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch
new file mode 100644 (file)
index 0000000..1f69031
--- /dev/null
@@ -0,0 +1,90 @@
+From 41954a6dc3673898ea021d494c390ab64509eb50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Nov 2025 23:50:16 +0530
+Subject: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
+
+From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+
+[ Upstream commit 752a6c9596dd25efd6978a73ff21f3b592668f4a ]
+
+After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in
+hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to
+conn->users. However, l2cap_register_user() and l2cap_unregister_user()
+don't use conn->lock, creating a race condition where these functions can
+access conn->users and conn->hchan concurrently with l2cap_conn_del().
+
+This can lead to use-after-free and list corruption bugs, as reported
+by syzbot.
+
+Fix this by changing l2cap_register_user() and l2cap_unregister_user()
+to use conn->lock instead of hci_dev_lock(), ensuring consistent locking
+for the l2cap_conn structure.
+
+Reported-by: syzbot+14b6d57fb728e27ce23c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=14b6d57fb728e27ce23c
+Fixes: ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del")
+Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 05acc2e98f58f..9ea030fc9a9cc 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -1686,17 +1686,15 @@ static void l2cap_info_timeout(struct work_struct *work)
+ int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
+ {
+-      struct hci_dev *hdev = conn->hcon->hdev;
+       int ret;
+       /* We need to check whether l2cap_conn is registered. If it is not, we
+-       * must not register the l2cap_user. l2cap_conn_del() is unregisters
+-       * l2cap_conn objects, but doesn't provide its own locking. Instead, it
+-       * relies on the parent hci_conn object to be locked. This itself relies
+-       * on the hci_dev object to be locked. So we must lock the hci device
+-       * here, too. */
++       * must not register the l2cap_user. l2cap_conn_del() unregisters
++       * l2cap_conn objects under conn->lock, and we use the same lock here
++       * to protect access to conn->users and conn->hchan.
++       */
+-      hci_dev_lock(hdev);
++      mutex_lock(&conn->lock);
+       if (!list_empty(&user->list)) {
+               ret = -EINVAL;
+@@ -1717,16 +1715,14 @@ int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
+       ret = 0;
+ out_unlock:
+-      hci_dev_unlock(hdev);
++      mutex_unlock(&conn->lock);
+       return ret;
+ }
+ EXPORT_SYMBOL(l2cap_register_user);
+ void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
+ {
+-      struct hci_dev *hdev = conn->hcon->hdev;
+-
+-      hci_dev_lock(hdev);
++      mutex_lock(&conn->lock);
+       if (list_empty(&user->list))
+               goto out_unlock;
+@@ -1735,7 +1731,7 @@ void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
+       user->remove(conn, user);
+ out_unlock:
+-      hci_dev_unlock(hdev);
++      mutex_unlock(&conn->lock);
+ }
+ EXPORT_SYMBOL(l2cap_unregister_user);
+-- 
+2.51.0
+
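Review bot: Switching from hci_dev_lock() to `mutex_lock(&conn->lock)` changes the lock ordering for any caller that enters l2cap_register_user() or l2cap_unregister_user() while already holding hci_dev_lock, so that order should be checked against l2cap_conn_del(), which the new comment says takes conn->lock; the callers are outside the hunk. The `user->remove(conn, user)` callback in l2cap_unregister_user now runs under conn->lock, so a remove callback that re-enters an l2cap API taking the same mutex would deadlock — worth a one-line note above the call such as `/* called with conn->lock held; must not re-enter l2cap_{register,unregister}_user() */`.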
diff --git a/queue-6.18/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch b/queue-6.18/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
new file mode 100644 (file)
index 0000000..6b25980
--- /dev/null
@@ -0,0 +1,55 @@
+From 758b13d8aee8ac360d82d6efa58df92e10d86aa8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:25 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit e1d9a66889867c232657a9b6f25d451d7c3ab96f ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"If the SDU length field value exceeds the receiver's MTU, the receiver
+shall disconnect the channel..."
+
+This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P
+0x0027 -V le_public -I 100').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 319c87bd795d5..1618fe98dce71 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -6654,8 +6654,10 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+               return -ENOBUFS;
+       }
+-      if (chan->imtu < skb->len) {
+-              BT_ERR("Too big LE L2CAP PDU");
++      if (skb->len > chan->imtu) {
++              BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len,
++                     chan->imtu);
++              l2cap_send_disconn_req(chan, ECONNRESET);
+               return -ENOBUFS;
+       }
+@@ -6681,7 +6683,9 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+                      sdu_len, skb->len, chan->imtu);
+               if (sdu_len > chan->imtu) {
+-                      BT_ERR("Too big LE L2CAP SDU length received");
++                      BT_ERR("Too big LE L2CAP SDU length: len %u > %u",
++                             skb->len, sdu_len);
++                      l2cap_send_disconn_req(chan, ECONNRESET);
+                       err = -EMSGSIZE;
+                       goto failed;
+               }
+-- 
+2.51.0
+
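Review bot: The new BT_ERR in the second hunk prints `skb->len, sdu_len` while the condition it reports is `sdu_len > chan->imtu`, so the logged `len %u > %u` pair does not correspond to the check; the arguments should mirror the first hunk: `BT_ERR("Too big LE L2CAP SDU length: len %u > %u", sdu_len, chan->imtu);`. The BT_DBG two lines above the check already prints skb->len, so no information is lost. l2cap_ecred_data_rcv starts and ends outside the hunk.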
diff --git a/queue-6.18/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch b/queue-6.18/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
new file mode 100644 (file)
index 0000000..c775901
--- /dev/null
@@ -0,0 +1,39 @@
+From f74fefa1af48f9410a9bedfded7158c3e442aa49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:27 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit b6a2bf43aa37670432843bc73ae2a6288ba4d6f8 ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"... If the sum of the payload sizes for the K-frames exceeds the
+specified SDU length, the receiver shall disconnect the channel."
+
+This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
+0x0027 -V le_public').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 1618fe98dce71..05acc2e98f58f 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -6721,6 +6721,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+       if (chan->sdu->len + skb->len > chan->sdu_len) {
+               BT_ERR("Too much LE L2CAP data received");
++              l2cap_send_disconn_req(chan, ECONNRESET);
+               err = -EINVAL;
+               goto failed;
+       }
+-- 
+2.51.0
+
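Review bot: The existing BT_ERR above the new `l2cap_send_disconn_req()` call reports no sizes, unlike the sibling disconnect paths in this function that now log `len %u > %u`; since this path now tears down the channel, consistent diagnostics would help: `BT_ERR("Too much LE L2CAP data received: %u + %u > %u", chan->sdu->len, skb->len, chan->sdu_len);`. The `failed:` label the `goto` reaches is outside the hunk, so whether the partial SDU is released after the disconnect request cannot be confirmed from here.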
diff --git a/queue-6.18/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch b/queue-6.18/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch
new file mode 100644 (file)
index 0000000..3632912
--- /dev/null
@@ -0,0 +1,67 @@
+From 609ae8c9a22d8c300ba76dac9f27f890be94f660 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Feb 2026 11:03:39 +0000
+Subject: Bluetooth: MGMT: Fix list corruption and UAF in command complete
+ handlers
+
+From: Wang Tao <wangtao554@huawei.com>
+
+[ Upstream commit 17f89341cb4281d1da0e2fb0de5406ab7c4e25ef ]
+
+Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced
+mgmt_pending_valid(), which not only validates the pending command but
+also unlinks it from the pending list if it is valid. This change in
+semantics requires updates to several completion handlers to avoid list
+corruption and memory safety issues.
+
+This patch addresses two left-over issues from the aforementioned rework:
+
+1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()
+is replaced with mgmt_pending_free() in the success path. Since
+mgmt_pending_valid() already unlinks the command at the beginning of
+the function, calling mgmt_pending_remove() leads to a double list_del()
+and subsequent list corruption/kernel panic.
+
+2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error
+path is removed. Since the current command is already unlinked by
+mgmt_pending_valid(), this foreach loop would incorrectly target other
+pending mesh commands, potentially freeing them while they are still being
+processed concurrently (leading to UAFs). The redundant mgmt_cmd_status()
+is also simplified to use cmd->opcode directly.
+
+Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs")
+Signed-off-by: Wang Tao <wangtao554@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index ee2dd26b1b82b..1a270f0b17d9e 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -2183,10 +2183,7 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
+       sk = cmd->sk;
+       if (status) {
+-              mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
+-                              status);
+-              mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true,
+-                                   cmd_status_rsp, &status);
++              mgmt_cmd_status(cmd->sk, hdev->id, cmd->opcode, status);
+               goto done;
+       }
+@@ -5295,7 +5292,7 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
+       mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
+                         mgmt_status(status), &rp, sizeof(rp));
+-      mgmt_pending_remove(cmd);
++      mgmt_pending_free(cmd);
+       hci_dev_unlock(hdev);
+       bt_dev_dbg(hdev, "add monitor %d complete, status %d",
+-- 
+2.51.0
+
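Review bot: `mgmt_pending_free(cmd)` in mgmt_add_adv_patterns_monitor_complete is correct only because mgmt_pending_valid() already unlinked cmd at function entry (per the description), but that entry and the function's other exit paths are outside the hunk, so any remaining `mgmt_pending_remove(cmd)` there would still double-unlink. A comment at the call site ties the two together: `/* cmd was unlinked by mgmt_pending_valid(); free without list_del() */`. The same consideration applies to the `goto done` in set_mesh_complete, whose `done:` label is not visible in the hunk.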
diff --git a/queue-6.18/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch b/queue-6.18/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch
new file mode 100644 (file)
index 0000000..60e93e0
--- /dev/null
@@ -0,0 +1,46 @@
+From 9d0812cb096c971bc484c934eb255b2a4871866f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 01:02:57 +0200
+Subject: Bluetooth: qca: fix ROM version reading on WCN3998 chips
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit 99b2c531e0e797119ae1b9195a8764ee98b00e65 ]
+
+WCN3998 uses a bit different format for rom version:
+
+[    5.479978] Bluetooth: hci0: setting up wcn399x
+[    5.633763] Bluetooth: hci0: QCA Product ID   :0x0000000a
+[    5.645350] Bluetooth: hci0: QCA SOC Version  :0x40010224
+[    5.650906] Bluetooth: hci0: QCA ROM Version  :0x00001001
+[    5.665173] Bluetooth: hci0: QCA Patch Version:0x00006699
+[    5.679356] Bluetooth: hci0: QCA controller version 0x02241001
+[    5.691109] Bluetooth: hci0: QCA Downloading qca/crbtfw21.tlv
+[    6.680102] Bluetooth: hci0: QCA Downloading qca/crnv21.bin
+[    6.842948] Bluetooth: hci0: QCA setup on UART is completed
+
+Fixes: 523760b7ff88 ("Bluetooth: hci_qca: Added support for WCN3998")
+Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btqca.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index 7c958d6065bec..86a48d009d1ba 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -804,6 +804,8 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+        */
+       if (soc_type == QCA_WCN3988)
+               rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f);
++      else if (soc_type == QCA_WCN3998)
++              rom_ver = ((soc_ver & 0x0000f000) >> 0x07) | (soc_ver & 0x0000000f);
+       else
+               rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f);
+-- 
+2.51.0
+
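Review bot: The new WCN3998 branch adds a third mask/shift pair (`0x0000f000`, `>> 0x07`) beside the `0x05` and `0x04` variants with no explanation of the field layout, and with the shift counts written as hex literals the reader must reconstruct which soc_ver bits are being relocated and where they land in rom_ver. A comment on the branch stating the layout it decodes would make this maintainable, e.g. `/* WCN3998: take soc_ver bits 12-15 (presumably the ROM major) and place them above the low nibble */` — hedged, since the meaning of the bits is not derivable from the hunk. The common `| (soc_ver & 0x0000000f)` could also be hoisted out of all three branches. qca_uart_setup starts and ends outside the hunk.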
diff --git a/queue-6.18/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch b/queue-6.18/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
new file mode 100644 (file)
index 0000000..a9f78cd
--- /dev/null
@@ -0,0 +1,36 @@
+From 751cfe2fa827575fa7e3eaac7db6900a39d304d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:28 +0100
+Subject: Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit 0e4d4dcc1a6e82cc6f9abf32193558efa7e1613d ]
+
+The last test step ("Test with Invalid public key X and Y, all set to
+0") expects to get an "DHKEY check failed" instead of "unspecified".
+
+Fixes: 6d19628f539f ("Bluetooth: SMP: Fail if remote and local public keys are identical")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index 3a1ce04a7a536..9d96040745897 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2743,7 +2743,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
+       if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
+           !crypto_memneq(key, smp->local_pk, 64)) {
+               bt_dev_err(hdev, "Remote and local public keys are identical");
+-              return SMP_UNSPECIFIED;
++              return SMP_DHKEY_CHECK_FAILED;
+       }
+       memcpy(smp->remote_pk, key, 64);
+-- 
+2.51.0
+
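Review bot: The return-code change is driven by the conformance test, but the adjacent `bt_dev_err` still only describes the identical-key case, so a reader will not see why a DHKey-check failure is the expected status; a comment such as `/* SM/PER/KDU/BI-04-C expects "DHKey check failed", not "unspecified", here */` would document the choice. smp_cmd_public_key starts and ends outside the hunk.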
diff --git a/queue-6.18/bonding-prevent-potential-infinite-loop-in-bond_head.patch b/queue-6.18/bonding-prevent-potential-infinite-loop-in-bond_head.patch
new file mode 100644 (file)
index 0000000..a464632
--- /dev/null
@@ -0,0 +1,205 @@
+From 566ed90b31cdcc3043c4346c629da8629ea371cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 10:41:52 +0000
+Subject: bonding: prevent potential infinite loop in bond_header_parse()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b7405dcf7385445e10821777143f18c3ce20fa04 ]
+
+bond_header_parse() can loop if a stack of two bonding devices is setup,
+because skb->dev always points to the hierarchy top.
+
+Add new "const struct net_device *dev" parameter to
+(struct header_ops)->parse() method to make sure the recursion
+is bounded, and that the final leaf parse method is called.
+
+Fixes: 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Tested-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Cc: Jay Vosburgh <jv@jvosburgh.net>
+Cc: Andrew Lunn <andrew+netdev@lunn.ch>
+Link: https://patch.msgid.link/20260315104152.1436867-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firewire/net.c          | 5 +++--
+ drivers/net/bonding/bond_main.c | 8 +++++---
+ include/linux/etherdevice.h     | 3 ++-
+ include/linux/if_ether.h        | 3 ++-
+ include/linux/netdevice.h       | 6 ++++--
+ net/ethernet/eth.c              | 9 +++------
+ net/ipv4/ip_gre.c               | 3 ++-
+ net/mac802154/iface.c           | 4 +++-
+ net/phonet/af_phonet.c          | 5 ++++-
+ 9 files changed, 28 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c
+index 6d64467135395..e829454089550 100644
+--- a/drivers/firewire/net.c
++++ b/drivers/firewire/net.c
+@@ -257,9 +257,10 @@ static void fwnet_header_cache_update(struct hh_cache *hh,
+       memcpy((u8 *)hh->hh_data + HH_DATA_OFF(FWNET_HLEN), haddr, net->addr_len);
+ }
+-static int fwnet_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++static int fwnet_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++                            unsigned char *haddr)
+ {
+-      memcpy(haddr, skb->dev->dev_addr, FWNET_ALEN);
++      memcpy(haddr, dev->dev_addr, FWNET_ALEN);
+       return FWNET_ALEN;
+ }
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index e8e261e0cb4e1..106cfe732a15e 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1497,9 +1497,11 @@ static int bond_header_create(struct sk_buff *skb, struct net_device *bond_dev,
+       return ret;
+ }
+-static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++static int bond_header_parse(const struct sk_buff *skb,
++                           const struct net_device *dev,
++                           unsigned char *haddr)
+ {
+-      struct bonding *bond = netdev_priv(skb->dev);
++      struct bonding *bond = netdev_priv(dev);
+       const struct header_ops *slave_ops;
+       struct slave *slave;
+       int ret = 0;
+@@ -1509,7 +1511,7 @@ static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr)
+       if (slave) {
+               slave_ops = READ_ONCE(slave->dev->header_ops);
+               if (slave_ops && slave_ops->parse)
+-                      ret = slave_ops->parse(skb, haddr);
++                      ret = slave_ops->parse(skb, slave->dev, haddr);
+       }
+       rcu_read_unlock();
+       return ret;
+diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h
+index 9a1eacf35d370..df8f88f63a706 100644
+--- a/include/linux/etherdevice.h
++++ b/include/linux/etherdevice.h
+@@ -42,7 +42,8 @@ extern const struct header_ops eth_header_ops;
+ int eth_header(struct sk_buff *skb, struct net_device *dev, unsigned short type,
+              const void *daddr, const void *saddr, unsigned len);
+-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr);
++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++                   unsigned char *haddr);
+ int eth_header_cache(const struct neighbour *neigh, struct hh_cache *hh,
+                    __be16 type);
+ void eth_header_cache_update(struct hh_cache *hh, const struct net_device *dev,
+diff --git a/include/linux/if_ether.h b/include/linux/if_ether.h
+index 61b7335aa037c..ca9afa824aa4f 100644
+--- a/include/linux/if_ether.h
++++ b/include/linux/if_ether.h
+@@ -40,7 +40,8 @@ static inline struct ethhdr *inner_eth_hdr(const struct sk_buff *skb)
+       return (struct ethhdr *)skb_inner_mac_header(skb);
+ }
+-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr);
++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++                   unsigned char *haddr);
+ extern ssize_t sysfs_format_mac(char *buf, const unsigned char *addr, int len);
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 0f425a1f80409..20bd42fa160c9 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -311,7 +311,9 @@ struct header_ops {
+       int     (*create) (struct sk_buff *skb, struct net_device *dev,
+                          unsigned short type, const void *daddr,
+                          const void *saddr, unsigned int len);
+-      int     (*parse)(const struct sk_buff *skb, unsigned char *haddr);
++      int     (*parse)(const struct sk_buff *skb,
++                       const struct net_device *dev,
++                       unsigned char *haddr);
+       int     (*cache)(const struct neighbour *neigh, struct hh_cache *hh, __be16 type);
+       void    (*cache_update)(struct hh_cache *hh,
+                               const struct net_device *dev,
+@@ -3427,7 +3429,7 @@ static inline int dev_parse_header(const struct sk_buff *skb,
+       if (!dev->header_ops || !dev->header_ops->parse)
+               return 0;
+-      return dev->header_ops->parse(skb, haddr);
++      return dev->header_ops->parse(skb, dev, haddr);
+ }
+ static inline __be16 dev_parse_header_protocol(const struct sk_buff *skb)
+diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c
+index 43e211e611b16..ca4e3a01237d0 100644
+--- a/net/ethernet/eth.c
++++ b/net/ethernet/eth.c
+@@ -193,14 +193,11 @@ __be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev)
+ }
+ EXPORT_SYMBOL(eth_type_trans);
+-/**
+- * eth_header_parse - extract hardware address from packet
+- * @skb: packet to extract header from
+- * @haddr: destination buffer
+- */
+-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++                   unsigned char *haddr)
+ {
+       const struct ethhdr *eth = eth_hdr(skb);
++
+       memcpy(haddr, eth->h_source, ETH_ALEN);
+       return ETH_ALEN;
+ }
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index e13244729ad8d..35f0baa99d409 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -919,7 +919,8 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
+       return -(t->hlen + sizeof(*iph));
+ }
+-static int ipgre_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++static int ipgre_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++                            unsigned char *haddr)
+ {
+       const struct iphdr *iph = (const struct iphdr *) skb_mac_header(skb);
+       memcpy(haddr, &iph->saddr, 4);
+diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
+index 9e4631fade90c..000be60d95803 100644
+--- a/net/mac802154/iface.c
++++ b/net/mac802154/iface.c
+@@ -469,7 +469,9 @@ static int mac802154_header_create(struct sk_buff *skb,
+ }
+ static int
+-mac802154_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++mac802154_header_parse(const struct sk_buff *skb,
++                     const struct net_device *dev,
++                     unsigned char *haddr)
+ {
+       struct ieee802154_hdr hdr;
+diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c
+index 238a9638d2b0f..d89225d6bfd3b 100644
+--- a/net/phonet/af_phonet.c
++++ b/net/phonet/af_phonet.c
+@@ -129,9 +129,12 @@ static int pn_header_create(struct sk_buff *skb, struct net_device *dev,
+       return 1;
+ }
+-static int pn_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++static int pn_header_parse(const struct sk_buff *skb,
++                         const struct net_device *dev,
++                         unsigned char *haddr)
+ {
+       const u8 *media = skb_mac_header(skb);
++
+       *haddr = *media;
+       return 1;
+ }
+-- 
+2.51.0
+
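Review bot: The net/ethernet/eth.c hunk deletes the kernel-doc block for eth_header_parse instead of extending it for the new parameter, which is a documentation regression for an exported symbol; the block should be restored with its existing `@skb`/`@haddr` lines plus a `@dev: device the packet was received on` line. In bond_header_parse, the recursion through `slave_ops->parse(skb, slave->dev, haddr)` is bounded only because `slave->dev` is strictly below `dev` in the stacking hierarchy, which holds for a slave relation but is worth stating in a comment next to that call, since skb->dev no longer plays a role. The other leaf parsers (ipgre, mac802154, phonet, eth) ignore `dev`, which is fine for a callback interface but could be marked to pre-empt unused-parameter questions.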
diff --git a/queue-6.18/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch b/queue-6.18/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch
new file mode 100644 (file)
index 0000000..08e8847
--- /dev/null
@@ -0,0 +1,75 @@
+From 4f236346a04c7bd36332356d97dd65b3432b0c0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 03:18:09 +0900
+Subject: bridge: cfm: Fix race condition in peer_mep deletion
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit 3715a00855316066cdda69d43648336367422127 ]
+
+When a peer MEP is being deleted, cancel_delayed_work_sync() is called
+on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in
+softirq context under rcu_read_lock (without RTNL) and can re-schedule
+ccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync()
+returning and kfree_rcu() being called.
+
+The following is a simple race scenario:
+
+           cpu0                                     cpu1
+
+mep_delete_implementation()
+  cancel_delayed_work_sync(ccm_rx_dwork);
+                                           br_cfm_frame_rx()
+                                             // peer_mep still in hlist
+                                             if (peer_mep->ccm_defect)
+                                               ccm_rx_timer_start()
+                                                 queue_delayed_work(ccm_rx_dwork)
+  hlist_del_rcu(&peer_mep->head);
+  kfree_rcu(peer_mep, rcu);
+                                           ccm_rx_work_expired()
+                                             // on freed peer_mep
+
+To prevent this, cancel_delayed_work_sync() is replaced with
+disable_delayed_work_sync() in both peer MEP deletion paths, so
+that subsequent queue_delayed_work() calls from br_cfm_frame_rx()
+are silently rejected.
+
+The cc_peer_disable() helper retains cancel_delayed_work_sync()
+because it is also used for the CC enable/disable toggle path where
+the work must remain re-schedulable.
+
+Fixes: dc32cbb3dbd7 ("bridge: cfm: Kernel space implementation of CFM. CCM frame RX added.")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/abBgYT5K_FI9rD1a@v4bel
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_cfm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bridge/br_cfm.c b/net/bridge/br_cfm.c
+index c2c1c7d44c615..f4ca77d9b0e96 100644
+--- a/net/bridge/br_cfm.c
++++ b/net/bridge/br_cfm.c
+@@ -576,7 +576,7 @@ static void mep_delete_implementation(struct net_bridge *br,
+       /* Empty and free peer MEP list */
+       hlist_for_each_entry_safe(peer_mep, n_store, &mep->peer_mep_list, head) {
+-              cancel_delayed_work_sync(&peer_mep->ccm_rx_dwork);
++              disable_delayed_work_sync(&peer_mep->ccm_rx_dwork);
+               hlist_del_rcu(&peer_mep->head);
+               kfree_rcu(peer_mep, rcu);
+       }
+@@ -732,7 +732,7 @@ int br_cfm_cc_peer_mep_remove(struct net_bridge *br, const u32 instance,
+               return -ENOENT;
+       }
+-      cc_peer_disable(peer_mep);
++      disable_delayed_work_sync(&peer_mep->ccm_rx_dwork);
+       hlist_del_rcu(&peer_mep->head);
+       kfree_rcu(peer_mep, rcu);
+-- 
+2.51.0
+
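Review bot: Both replacements with `disable_delayed_work_sync()` are silent about why the stronger primitive is needed here but not in cc_peer_disable(), so the next reader could "simplify" them back to the cancel variant; a comment at the first site (the second hunk in br_cfm_cc_peer_mep_remove is the same case) such as `/* disable, not cancel: br_cfm_frame_rx() can re-arm ccm_rx_dwork until the RCU removal below takes effect */` would protect the fix. Replacing `cc_peer_disable(peer_mep)` in the second hunk also drops whatever else that helper did besides cancelling the work; the description says it only cancels, but the helper body is outside the hunk.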
diff --git a/queue-6.18/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch b/queue-6.18/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch
new file mode 100644 (file)
index 0000000..ce5efc1
--- /dev/null
@@ -0,0 +1,99 @@
+From 065ae1f4324ec33eef0aa08f9c7f85f1300af0da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Mar 2026 16:57:43 +0000
+Subject: btrfs: log new dentries when logging parent dir of a conflicting
+ inode
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 9573a365ff9ff45da9222d3fe63695ce562beb24 ]
+
+If we log the parent directory of a conflicting inode, we are not logging
+the new dentries of the directory, so when we finish we have the parent
+directory's inode marked as logged but we did not log its new dentries.
+As a consequence if the parent directory is explicitly fsynced later and
+it does not have any new changes since we logged it, the fsync is a no-op
+and after a power failure the new dentries are missing.
+
+Example scenario:
+
+  $ mkdir foo
+
+  $ sync
+
+  $rmdir foo
+
+  $ mkdir dir1
+  $ mkdir dir2
+
+  # A file with the same name and parent as the directory we just deleted
+  # and was persisted in a past transaction. So the deleted directory's
+  # inode is a conflicting inode of this new file's inode.
+  $ touch foo
+
+  $ ln foo dir2/link
+
+  # The fsync on dir2 will log the parent directory (".") because the
+  # conflicting inode (deleted directory) does not exists anymore, but it
+  # it does not log its new dentries (dir1).
+  $ xfs_io -c "fsync" dir2
+
+  # This fsync on the parent directory is no-op, since the previous fsync
+  # logged it (but without logging its new dentries).
+  $ xfs_io -c "fsync" .
+
+  <power failure>
+
+  # After log replay dir1 is missing.
+
+Fix this by ensuring we log new dir dentries whenever we log the parent
+directory of a no longer existing conflicting inode.
+
+A test case for fstests will follow soon.
+
+Reported-by: Vyacheslav Kovalevsky <slava.kovalevskiy.2014@gmail.com>
+Link: https://lore.kernel.org/linux-btrfs/182055fa-e9ce-4089-9f5f-4b8a23e8dd91@gmail.com/
+Fixes: a3baaf0d786e ("Btrfs: fix fsync after succession of renames and unlink/rmdir")
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 6c5db73c3e85f..7505a87522fd7 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -6203,6 +6203,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans,
+                                 struct btrfs_root *root,
+                                 struct btrfs_log_ctx *ctx)
+ {
++      const bool orig_log_new_dentries = ctx->log_new_dentries;
+       int ret = 0;
+       /*
+@@ -6264,7 +6265,11 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans,
+                        * dir index key range logged for the directory. So we
+                        * must make sure the deletion is recorded.
+                        */
++                      ctx->log_new_dentries = false;
+                       ret = btrfs_log_inode(trans, inode, LOG_INODE_ALL, ctx);
++                      if (!ret && ctx->log_new_dentries)
++                              ret = log_new_dir_dentries(trans, inode, ctx);
++
+                       btrfs_add_delayed_iput(inode);
+                       if (ret)
+                               break;
+@@ -6299,6 +6304,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans,
+                       break;
+       }
++      ctx->log_new_dentries = orig_log_new_dentries;
+       ctx->logging_conflict_inodes = false;
+       if (ret)
+               free_conflicting_inodes(ctx);
+-- 
+2.51.0
+
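Review bot: `ctx->log_new_dentries` is restored only at the single point after the loop (third hunk), so any return or exit between the save at function entry and that restore (the function body between the hunks is not visible) would leave the caller's flag cleared or spuriously set. If such exits exist, the restore belongs on every path, or the save/restore should wrap only the btrfs_log_inode() call. A comment on `ctx->log_new_dentries = false;` would also help: `/* clear so the flag after btrfs_log_inode() presumably reflects only this directory's new dentries */`. log_conflicting_inodes ends outside the hunk.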
diff --git a/queue-6.18/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch b/queue-6.18/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch
new file mode 100644 (file)
index 0000000..2c752a0
--- /dev/null
@@ -0,0 +1,38 @@
+From 878b412aaa0298ba181559fd29b245c826d4eeb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 08:33:21 +0800
+Subject: btrfs: tree-checker: fix misleading root drop_level error message
+
+From: ZhengYuan Huang <gality369@gmail.com>
+
+[ Upstream commit fc1cd1f18c34f91e78362f9629ab9fd43b9dcab9 ]
+
+Fix tree-checker error message to report "invalid root drop_level"
+instead of the misleading "invalid root level".
+
+Fixes: 259ee7754b67 ("btrfs: tree-checker: Add ROOT_ITEM check")
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-checker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
+index 420c0f0e17c85..9b11b0a529dba 100644
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -1256,7 +1256,7 @@ static int check_root_item(struct extent_buffer *leaf, struct btrfs_key *key,
+       }
+       if (unlikely(btrfs_root_drop_level(&ri) >= BTRFS_MAX_LEVEL)) {
+               generic_err(leaf, slot,
+-                          "invalid root level, have %u expect [0, %u]",
++                          "invalid root drop_level, have %u expect [0, %u]",
+                           btrfs_root_drop_level(&ri), BTRFS_MAX_LEVEL - 1);
+               return -EUCLEAN;
+       }
+-- 
+2.51.0
+
diff --git a/queue-6.18/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch b/queue-6.18/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch
new file mode 100644 (file)
index 0000000..83f2ece
--- /dev/null
@@ -0,0 +1,46 @@
+From 9d6a4bc8ac90354a6bdcbf6d10dc5c5038708be5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Jan 2026 01:49:09 +0800
+Subject: cache: ax45mp: Fix device node reference leak in ax45mp_cache_init()
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit 0528a348b04b327a4611e29589beb4c9ae81304a ]
+
+In ax45mp_cache_init(), of_find_matching_node() returns a device node
+with an incremented reference count that must be released with
+of_node_put(). The current code fails to call of_node_put() which
+causes a reference leak.
+
+Use the __free(device_node) attribute to ensure automatic cleanup when
+the variable goes out of scope.
+
+Fixes: d34599bcd2e4 ("cache: Add L2 cache management for Andes AX45MP RISC-V core")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cache/ax45mp_cache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cache/ax45mp_cache.c b/drivers/cache/ax45mp_cache.c
+index 1d7dd3d2c101c..934c5087ec2bd 100644
+--- a/drivers/cache/ax45mp_cache.c
++++ b/drivers/cache/ax45mp_cache.c
+@@ -178,11 +178,11 @@ static const struct of_device_id ax45mp_cache_ids[] = {
+ static int __init ax45mp_cache_init(void)
+ {
+-      struct device_node *np;
+       struct resource res;
+       int ret;
+-      np = of_find_matching_node(NULL, ax45mp_cache_ids);
++      struct device_node *np __free(device_node) =
++              of_find_matching_node(NULL, ax45mp_cache_ids);
+       if (!of_device_is_available(np))
+               return -ENODEV;
+-- 
+2.51.0
+
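Review bot: The `__free(device_node)` declaration that now opens ax45mp_cache_init() needs `<linux/cleanup.h>` and the `device_node` cleanup class to be in scope, but unlike the arm_scpi patch later in this series this hunk adds no `#include <linux/cleanup.h>`; whether it arrives through another header is outside the hunk and worth confirming on the 6.18 branch. The same applies to the starfive_starlink_cache.c hunk that follows. Because the put now runs on every exit, any explicit `of_node_put(np)` left in the rest of ax45mp_cache_init() would become a double put; the diffstat (2 insertions, 2 deletions) suggests there is none, but the remainder of the function is not visible here.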
diff --git a/queue-6.18/cache-starfive-fix-device-node-leak-in-starlink_cach.patch b/queue-6.18/cache-starfive-fix-device-node-leak-in-starlink_cach.patch
new file mode 100644 (file)
index 0000000..06da85a
--- /dev/null
@@ -0,0 +1,44 @@
+From f8acecc18a6ed86c70e807d36bfcc2f6e38aeda0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Jan 2026 01:13:45 +0800
+Subject: cache: starfive: fix device node leak in starlink_cache_init()
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit 3c85234b979af71cb9db5eb976ea08a468415767 ]
+
+of_find_matching_node() returns a device_node with refcount incremented.
+
+Use __free(device_node) attribute to automatically call of_node_put()
+when the variable goes out of scope, preventing the refcount leak.
+
+Fixes: cabff60ca77d ("cache: Add StarFive StarLink cache management")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cache/starfive_starlink_cache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cache/starfive_starlink_cache.c b/drivers/cache/starfive_starlink_cache.c
+index 24c7d078ca227..3a25d2d7c70ca 100644
+--- a/drivers/cache/starfive_starlink_cache.c
++++ b/drivers/cache/starfive_starlink_cache.c
+@@ -102,11 +102,11 @@ static const struct of_device_id starlink_cache_ids[] = {
+ static int __init starlink_cache_init(void)
+ {
+-      struct device_node *np;
+       u32 block_size;
+       int ret;
+-      np = of_find_matching_node(NULL, starlink_cache_ids);
++      struct device_node *np __free(device_node) =
++              of_find_matching_node(NULL, starlink_cache_ids);
+       if (!of_device_is_available(np))
+               return -ENODEV;
+-- 
+2.51.0
+
diff --git a/queue-6.18/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch b/queue-6.18/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch
new file mode 100644 (file)
index 0000000..ff96f1d
--- /dev/null
@@ -0,0 +1,116 @@
+From 696867eb8c7ee008db40f6fc4d2fb06c91e0f289 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 07:55:31 +0100
+Subject: clsact: Fix use-after-free in init/destroy rollback asymmetry
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit a0671125d4f55e1e98d9bde8a0b671941987e208 ]
+
+Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry.
+The latter is achieved by first fully initializing a clsact instance, and
+then in a second step having a replacement failure for the new clsact qdisc
+instance. clsact_init() initializes ingress first and then takes care of the
+egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon
+failure, the kernel will trigger the clsact_destroy() callback.
+
+Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the
+way how the transition is happening. If tcf_block_get_ext on the q->ingress_block
+ends up failing, we took the tcx_miniq_inc reference count on the ingress
+side, but not yet on the egress side. clsact_destroy() tests whether the
+{ingress,egress}_entry was non-NULL. However, even in midway failure on the
+replacement, both are in fact non-NULL with a valid egress_entry from the
+previous clsact instance.
+
+What we really need to test for is whether the qdisc instance-specific ingress
+or egress side previously got initialized. This adds a small helper for checking
+the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon
+clsact_destroy() in order to fix the use-after-free scenario. Convert the
+ingress_destroy() side as well so both are consistent to each other.
+
+Fixes: 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry")
+Reported-by: Keenan Dong <keenanat2000@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Martin KaFai Lau <martin.lau@kernel.org>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://patch.msgid.link/20260313065531.98639-1-daniel@iogearbox.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sch_generic.h |  5 +++++
+ net/sched/sch_ingress.c   | 14 ++++++++------
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index 84c86decebdfa..059eb6cb54f13 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -1411,6 +1411,11 @@ void mini_qdisc_pair_init(struct mini_Qdisc_pair *miniqp, struct Qdisc *qdisc,
+ void mini_qdisc_pair_block_init(struct mini_Qdisc_pair *miniqp,
+                               struct tcf_block *block);
++static inline bool mini_qdisc_pair_inited(struct mini_Qdisc_pair *miniqp)
++{
++      return !!miniqp->p_miniq;
++}
++
+ void mq_change_real_num_tx(struct Qdisc *sch, unsigned int new_real_tx);
+ int sch_frag_xmit_hook(struct sk_buff *skb, int (*xmit)(struct sk_buff *skb));
+diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c
+index cc6051d4f2ef8..c3e18bae8fbfc 100644
+--- a/net/sched/sch_ingress.c
++++ b/net/sched/sch_ingress.c
+@@ -113,14 +113,15 @@ static void ingress_destroy(struct Qdisc *sch)
+ {
+       struct ingress_sched_data *q = qdisc_priv(sch);
+       struct net_device *dev = qdisc_dev(sch);
+-      struct bpf_mprog_entry *entry = rtnl_dereference(dev->tcx_ingress);
++      struct bpf_mprog_entry *entry;
+       if (sch->parent != TC_H_INGRESS)
+               return;
+       tcf_block_put_ext(q->block, sch, &q->block_info);
+-      if (entry) {
++      if (mini_qdisc_pair_inited(&q->miniqp)) {
++              entry = rtnl_dereference(dev->tcx_ingress);
+               tcx_miniq_dec(entry);
+               if (!tcx_entry_is_active(entry)) {
+                       tcx_entry_update(dev, NULL, true);
+@@ -290,10 +291,9 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt,
+ static void clsact_destroy(struct Qdisc *sch)
+ {
++      struct bpf_mprog_entry *ingress_entry, *egress_entry;
+       struct clsact_sched_data *q = qdisc_priv(sch);
+       struct net_device *dev = qdisc_dev(sch);
+-      struct bpf_mprog_entry *ingress_entry = rtnl_dereference(dev->tcx_ingress);
+-      struct bpf_mprog_entry *egress_entry = rtnl_dereference(dev->tcx_egress);
+       if (sch->parent != TC_H_CLSACT)
+               return;
+@@ -301,7 +301,8 @@ static void clsact_destroy(struct Qdisc *sch)
+       tcf_block_put_ext(q->ingress_block, sch, &q->ingress_block_info);
+       tcf_block_put_ext(q->egress_block, sch, &q->egress_block_info);
+-      if (ingress_entry) {
++      if (mini_qdisc_pair_inited(&q->miniqp_ingress)) {
++              ingress_entry = rtnl_dereference(dev->tcx_ingress);
+               tcx_miniq_dec(ingress_entry);
+               if (!tcx_entry_is_active(ingress_entry)) {
+                       tcx_entry_update(dev, NULL, true);
+@@ -309,7 +310,8 @@ static void clsact_destroy(struct Qdisc *sch)
+               }
+       }
+-      if (egress_entry) {
++      if (mini_qdisc_pair_inited(&q->miniqp_egress)) {
++              egress_entry = rtnl_dereference(dev->tcx_egress);
+               tcx_miniq_dec(egress_entry);
+               if (!tcx_entry_is_active(egress_entry)) {
+                       tcx_entry_update(dev, NULL, false);
+-- 
+2.51.0
+
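Review bot: `mini_qdisc_pair_inited()` only reads `miniqp->p_miniq` yet takes a non-const pointer, and it carries no comment recording the invariant the destroy paths now rely on; `static inline bool mini_qdisc_pair_inited(const struct mini_Qdisc_pair *miniqp)` with a one-line comment such as `/* true once mini_qdisc_pair_init() has run for this qdisc instance */` would document it (that p_miniq is set by mini_qdisc_pair_init() is presumed from the surrounding declarations, not shown). In ingress_destroy() and clsact_destroy() the former `if (entry)` guards are replaced by this check, so `tcx_miniq_dec()` now receives the `rtnl_dereference()` result without a NULL test; that is sound only if an initialised pair implies a live tcx entry, which is the premise of the description but not visible in the hunk. Both destroy functions continue past the hunk boundaries.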
diff --git a/queue-6.18/crypto-ccp-fix-leaking-the-same-page-twice.patch b/queue-6.18/crypto-ccp-fix-leaking-the-same-page-twice.patch
new file mode 100644 (file)
index 0000000..9d411b8
--- /dev/null
@@ -0,0 +1,56 @@
+From fd5d6791a37909029749b82b7ca796e3a975411c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 12:39:34 -0800
+Subject: crypto: ccp - Fix leaking the same page twice
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 5c52607c43c397b79a9852ce33fc61de58c3645c ]
+
+Commit 551120148b67 ("crypto: ccp - Fix a case where SNP_SHUTDOWN is
+missed") fixed a case where SNP is left in INIT state if page reclaim
+fails. It removes the transition to the INIT state for this command and
+adjusts the page state management.
+
+While doing this, it added a call to snp_leak_pages() after a call to
+snp_reclaim_pages() failed. Since snp_reclaim_pages() already calls
+snp_leak_pages() internally on the pages it fails to reclaim, calling
+it again leaks the exact same page twice.
+
+Fix by removing the extra call to snp_leak_pages().
+
+The problem was found by an experimental code review agent based on
+gemini-3.1-pro while reviewing backports into v6.18.y.
+
+Assisted-by: Gemini:gemini-3.1-pro
+Fixes: 551120148b67 ("crypto: ccp - Fix a case where SNP_SHUTDOWN is missed")
+Cc: Tycho Andersen (AMD) <tycho@kernel.org>
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Reviewed-by: Tycho Andersen (AMD) <tycho@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/sev-dev.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
+index b8da99bcb2432..86f5ed798d3c7 100644
+--- a/drivers/crypto/ccp/sev-dev.c
++++ b/drivers/crypto/ccp/sev-dev.c
+@@ -2381,10 +2381,8 @@ static int sev_ioctl_do_snp_platform_status(struct sev_issue_cmd *argp)
+                * in Firmware state on failure. Use snp_reclaim_pages() to
+                * transition either case back to Hypervisor-owned state.
+                */
+-              if (snp_reclaim_pages(__pa(data), 1, true)) {
+-                      snp_leak_pages(__page_to_pfn(status_page), 1);
++              if (snp_reclaim_pages(__pa(data), 1, true))
+                       return -EFAULT;
+-              }
+       }
+       if (ret)
+-- 
+2.51.0
+
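Review bot: The comment block ending at `transition either case back to Hypervisor-owned state.` does not say why no leak call follows a failed `snp_reclaim_pages()`, which is exactly what this fix depends on, so a later reader may reintroduce the `snp_leak_pages()` call. Suggest extending that comment with `snp_reclaim_pages() already leaks any page it fails to reclaim, so no snp_leak_pages() call is needed on the error path.` The enclosing sev_ioctl_do_snp_platform_status() starts and ends outside the hunk.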
diff --git a/queue-6.18/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch b/queue-6.18/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch
new file mode 100644 (file)
index 0000000..a73067a
--- /dev/null
@@ -0,0 +1,77 @@
+From e00f30bd63bd6ffa58b8f7e54b243a0297851152 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 12:09:53 +0000
+Subject: firmware: arm_ffa: Remove vm_id argument in ffa_rxtx_unmap()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yeoreum Yun <yeoreum.yun@arm.com>
+
+[ Upstream commit a4e8473b775160f3ce978f621cf8dea2c7250433 ]
+
+According to the FF-A specification (DEN0077, v1.1, Â§13.7), when
+FFA_RXTX_UNMAP is invoked from any instance other than non-secure
+physical, the w1 register must be zero (MBZ). If a non-zero value is
+supplied in this context, the SPMC must return FFA_INVALID_PARAMETER.
+
+The Arm FF-A driver operates exclusively as a guest or non-secure
+physical instance where the partition ID is always zero and is not
+invoked from a hypervisor context where w1 carries a VM ID. In this
+execution model, the partition ID observed by the driver is always zero,
+and passing a VM ID is unnecessary and potentially invalid.
+
+Remove the vm_id parameter from ffa_rxtx_unmap() and ensure that the
+SMC call is issued with w1 implicitly zeroed, as required by the
+specification. This prevents invalid parameter errors and aligns the
+implementation with the defined FF-A ABI behavior.
+
+Fixes: 3bbfe9871005 ("firmware: arm_ffa: Add initial Arm FFA driver support")
+Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
+Message-Id: <20260304120953.847671-1-yeoreum.yun@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_ffa/driver.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
+index 11a702e7f641c..f6ceae987acbc 100644
+--- a/drivers/firmware/arm_ffa/driver.c
++++ b/drivers/firmware/arm_ffa/driver.c
+@@ -205,12 +205,12 @@ static int ffa_rxtx_map(phys_addr_t tx_buf, phys_addr_t rx_buf, u32 pg_cnt)
+       return 0;
+ }
+-static int ffa_rxtx_unmap(u16 vm_id)
++static int ffa_rxtx_unmap(void)
+ {
+       ffa_value_t ret;
+       invoke_ffa_fn((ffa_value_t){
+-                    .a0 = FFA_RXTX_UNMAP, .a1 = PACK_TARGET_INFO(vm_id, 0),
++                    .a0 = FFA_RXTX_UNMAP,
+                     }, &ret);
+       if (ret.a0 == FFA_ERROR)
+@@ -2093,7 +2093,7 @@ static int __init ffa_init(void)
+       pr_err("failed to setup partitions\n");
+       ffa_notifications_cleanup();
+-      ffa_rxtx_unmap(drv_info->vm_id);
++      ffa_rxtx_unmap();
+ free_pages:
+       if (drv_info->tx_buffer)
+               free_pages_exact(drv_info->tx_buffer, rxtx_bufsz);
+@@ -2108,7 +2108,7 @@ static void __exit ffa_exit(void)
+ {
+       ffa_notifications_cleanup();
+       ffa_partitions_cleanup();
+-      ffa_rxtx_unmap(drv_info->vm_id);
++      ffa_rxtx_unmap();
+       free_pages_exact(drv_info->tx_buffer, drv_info->rxtx_bufsz);
+       free_pages_exact(drv_info->rx_buffer, drv_info->rxtx_bufsz);
+       kfree(drv_info);
+-- 
+2.51.0
+
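Review bot: The compound literal in ffa_rxtx_unmap() now sets only `.a0`, relying on zero-initialisation of the remaining members to satisfy the MBZ requirement on w1 that the description cites, but nothing in the code records that this is deliberate rather than an omission. A trailing comment on that line, `.a0 = FFA_RXTX_UNMAP, /* a1 (w1) MBZ: a VM ID is only valid from a hypervisor instance */`, would protect it against a well-meaning re-addition. Separately, both call sites in ffa_init() and ffa_exit() still discard the int result of `ffa_rxtx_unmap()`, which the patch leaves as it was.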
diff --git a/queue-6.18/firmware-arm_scmi-fix-null-dereference-on-notify-err.patch b/queue-6.18/firmware-arm_scmi-fix-null-dereference-on-notify-err.patch
new file mode 100644 (file)
index 0000000..c4028c8
--- /dev/null
@@ -0,0 +1,52 @@
+From 1882f45bfc546a0c72744db88b79e4a00c147f6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 13:10:11 +0000
+Subject: firmware: arm_scmi: Fix NULL dereference on notify error path
+
+From: Cristian Marussi <cristian.marussi@arm.com>
+
+[ Upstream commit 555317d6100164748f7d09f80142739bd29f0cda ]
+
+Since commit b5daf93b809d1 ("firmware: arm_scmi: Avoid notifier
+registration for unsupported events") the call chains leading to the helper
+__scmi_event_handler_get_ops expect an ERR_PTR to be returned on failure to
+get an handler for the requested event key, while the current helper can
+still return a NULL when no handler could be found or created.
+
+Fix by forcing an ERR_PTR return value when the handler reference is NULL.
+
+Fixes: b5daf93b809d1 ("firmware: arm_scmi: Avoid notifier registration for unsupported events")
+Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Message-Id: <20260305131011.541444-1-cristian.marussi@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scmi/notify.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/arm_scmi/notify.c b/drivers/firmware/arm_scmi/notify.c
+index dee9f238f6fdd..2047edbdc5f6b 100644
+--- a/drivers/firmware/arm_scmi/notify.c
++++ b/drivers/firmware/arm_scmi/notify.c
+@@ -1066,7 +1066,7 @@ static int scmi_register_event_handler(struct scmi_notify_instance *ni,
+  * since at creation time we usually want to have all setup and ready before
+  * events really start flowing.
+  *
+- * Return: A properly refcounted handler on Success, NULL on Failure
++ * Return: A properly refcounted handler on Success, ERR_PTR on Failure
+  */
+ static inline struct scmi_event_handler *
+ __scmi_event_handler_get_ops(struct scmi_notify_instance *ni,
+@@ -1113,7 +1113,7 @@ __scmi_event_handler_get_ops(struct scmi_notify_instance *ni,
+       }
+       mutex_unlock(&ni->pending_mtx);
+-      return hndl;
++      return hndl ?: ERR_PTR(-ENODEV);
+ }
+ static struct scmi_event_handler *
+-- 
+2.51.0
+
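Review bot: The updated kernel-doc says `ERR_PTR on Failure` without naming the code, while the converted return is `hndl ?: ERR_PTR(-ENODEV)`; if that is the sole failure path, `Return: A properly refcounted handler on Success, ERR_PTR(-ENODEV) on Failure` is more precise. The body of __scmi_event_handler_get_ops() between the two hunks is not visible; any other return there that still yields NULL would need the same conversion, since the description states callers expect an ERR_PTR.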
diff --git a/queue-6.18/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch b/queue-6.18/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch
new file mode 100644 (file)
index 0000000..ee2274e
--- /dev/null
@@ -0,0 +1,58 @@
+From 4e703d4867b01c4242a787bd5966fc9c0c4d0e5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 21:08:19 +0800
+Subject: firmware: arm_scpi: Fix device_node reference leak in probe path
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit 879c001afbac3df94160334fe5117c0c83b2cf48 ]
+
+A device_node reference obtained from the device tree is not released
+on all error paths in the arm_scpi probe path. Specifically, a node
+returned by of_parse_phandle() could be leaked when the probe failed
+after the node was acquired. The probe function returns early and
+the shmem reference is not released.
+
+Use __free(device_node) scope-based cleanup to automatically release
+the reference when the variable goes out of scope.
+
+Fixes: ed7ecb883901 ("firmware: arm_scpi: Add compatibility checks for shmem node")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Message-Id: <20260121-arm_scpi_2-v2-1-702d7fa84acb@gmail.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scpi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c
+index 87c323de17b90..398642cc25d90 100644
+--- a/drivers/firmware/arm_scpi.c
++++ b/drivers/firmware/arm_scpi.c
+@@ -18,6 +18,7 @@
+ #include <linux/bitmap.h>
+ #include <linux/bitfield.h>
++#include <linux/cleanup.h>
+ #include <linux/device.h>
+ #include <linux/err.h>
+ #include <linux/export.h>
+@@ -940,13 +941,13 @@ static int scpi_probe(struct platform_device *pdev)
+               int idx = scpi_drvinfo->num_chans;
+               struct scpi_chan *pchan = scpi_drvinfo->channels + idx;
+               struct mbox_client *cl = &pchan->cl;
+-              struct device_node *shmem = of_parse_phandle(np, "shmem", idx);
++              struct device_node *shmem __free(device_node) =
++                      of_parse_phandle(np, "shmem", idx);
+               if (!of_match_node(shmem_of_match, shmem))
+                       return -ENXIO;
+               ret = of_address_to_resource(shmem, 0, &res);
+-              of_node_put(shmem);
+               if (ret) {
+                       dev_err(dev, "failed to get SCPI payload mem resource\n");
+                       return ret;
+-- 
+2.51.0
+
diff --git a/queue-6.18/iavf-fix-vlan-filter-lost-on-add-delete-race.patch b/queue-6.18/iavf-fix-vlan-filter-lost-on-add-delete-race.patch
new file mode 100644 (file)
index 0000000..bf82c73
--- /dev/null
@@ -0,0 +1,70 @@
+From 33ce1071f6123f32595e973bb77cd6d22d307b42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 11:01:37 +0100
+Subject: iavf: fix VLAN filter lost on add/delete race
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit fc9c69be594756b81b54c6bc40803fa6052f35ae ]
+
+When iavf_add_vlan() finds an existing filter in IAVF_VLAN_REMOVE
+state, it transitions the filter to IAVF_VLAN_ACTIVE assuming the
+pending delete can simply be cancelled. However, there is no guarantee
+that iavf_del_vlans() has not already processed the delete AQ request
+and removed the filter from the PF. In that case the filter remains in
+the driver's list as IAVF_VLAN_ACTIVE but is no longer programmed on
+the NIC. Since iavf_add_vlans() only picks up filters in
+IAVF_VLAN_ADD state, the filter is never re-added, and spoof checking
+drops all traffic for that VLAN.
+
+  CPU0                       CPU1                     Workqueue
+  ----                       ----                     ---------
+  iavf_del_vlan(vlan 100)
+    f->state = REMOVE
+    schedule AQ_DEL_VLAN
+                             iavf_add_vlan(vlan 100)
+                               f->state = ACTIVE
+                                                      iavf_del_vlans()
+                                                        f is ACTIVE, skip
+                                                      iavf_add_vlans()
+                                                        f is ACTIVE, skip
+
+  Filter is ACTIVE in driver but absent from NIC.
+
+Transition to IAVF_VLAN_ADD instead and schedule
+IAVF_FLAG_AQ_ADD_VLAN_FILTER so iavf_add_vlans() re-programs the
+filter.  A duplicate add is idempotent on the PF.
+
+Fixes: 0c0da0e95105 ("iavf: refactor VLAN filter states")
+Signed-off-by: Petr Oros <poros@redhat.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 03ab2a4276bbf..0a72d419782e5 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -757,10 +757,13 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter,
+               adapter->num_vlan_filters++;
+               iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER);
+       } else if (f->state == IAVF_VLAN_REMOVE) {
+-              /* IAVF_VLAN_REMOVE means that VLAN wasn't yet removed.
+-               * We can safely only change the state here.
++              /* Re-add the filter since we cannot tell whether the
++               * pending delete has already been processed by the PF.
++               * A duplicate add is harmless.
+                */
+-              f->state = IAVF_VLAN_ACTIVE;
++              f->state = IAVF_VLAN_ADD;
++              iavf_schedule_aq_request(adapter,
++                                       IAVF_FLAG_AQ_ADD_VLAN_FILTER);
+       }
+ clearout:
+-- 
+2.51.0
+
diff --git a/queue-6.18/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch b/queue-6.18/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
new file mode 100644 (file)
index 0000000..d01c643
--- /dev/null
@@ -0,0 +1,68 @@
+From aa8f8c892c42494f6694565cce774a2de93c5ffc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 21:06:01 +0800
+Subject: icmp: fix NULL pointer dereference in icmp_tag_validation()
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit 614aefe56af8e13331e50220c936fc0689cf5675 ]
+
+icmp_tag_validation() unconditionally dereferences the result of
+rcu_dereference(inet_protos[proto]) without checking for NULL.
+The inet_protos[] array is sparse -- only about 15 of 256 protocol
+numbers have registered handlers. When ip_no_pmtu_disc is set to 3
+(hardened PMTU mode) and the kernel receives an ICMP Fragmentation
+Needed error with a quoted inner IP header containing an unregistered
+protocol number, the NULL dereference causes a kernel panic in
+softirq context.
+
+ Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
+ KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+ RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
+ Call Trace:
+  <IRQ>
+  icmp_rcv (net/ipv4/icmp.c:1527)
+  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
+  ip_local_deliver_finish (net/ipv4/ip_input.c:242)
+  ip_local_deliver (net/ipv4/ip_input.c:262)
+  ip_rcv (net/ipv4/ip_input.c:573)
+  __netif_receive_skb_one_core (net/core/dev.c:6164)
+  process_backlog (net/core/dev.c:6628)
+  handle_softirqs (kernel/softirq.c:561)
+  </IRQ>
+
+Add a NULL check before accessing icmp_strict_tag_validation. If the
+protocol has no registered handler, return false since it cannot
+perform strict tag validation.
+
+Fixes: 8ed1dc44d3e9 ("ipv4: introduce hardened ip_no_pmtu_disc mode")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Link: https://patch.msgid.link/20260318130558.1050247-4-bestswngs@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 3e19a5d465b83..b39176b620785 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -879,10 +879,12 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info)
+ static bool icmp_tag_validation(int proto)
+ {
++      const struct net_protocol *ipprot;
+       bool ok;
+       rcu_read_lock();
+-      ok = rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation;
++      ipprot = rcu_dereference(inet_protos[proto]);
++      ok = ipprot ? ipprot->icmp_strict_tag_validation : false;
+       rcu_read_unlock();
+       return ok;
+ }
+-- 
+2.51.0
+
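Review bot: The NULL check closes the sparse-table dereference, but `proto` is still an unchecked `int` index into `inet_protos[]`, which the description says has 256 entries; the caller is outside the hunk, so if it passes a u8 taken from the quoted IP header the index is bounded, otherwise a range check belongs here, and changing the signature to `static bool icmp_tag_validation(u8 proto)` would make the bound explicit. As a point of style, `ok = ipprot ? ipprot->icmp_strict_tag_validation : false;` reads more naturally as `ok = ipprot && ipprot->icmp_strict_tag_validation;`.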
diff --git a/queue-6.18/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch b/queue-6.18/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch
new file mode 100644 (file)
index 0000000..c8ca714
--- /dev/null
@@ -0,0 +1,45 @@
+From 6616fca4919d615bab401a2b68d463f533d299bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Feb 2026 19:46:32 +0000
+Subject: igc: fix missing update of skb->tail in igc_xmit_frame()
+
+From: Kohei Enju <kohei@enjuk.jp>
+
+[ Upstream commit 0ffba246652faf4a36aedc66059c2f94e4c83ea5 ]
+
+igc_xmit_frame() misses updating skb->tail when the packet size is
+shorter than the minimum one.
+Use skb_put_padto() in alignment with other Intel Ethernet drivers.
+
+Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers")
+Signed-off-by: Kohei Enju <kohei@enjuk.jp>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 89a321a344d26..55d6feccc7745 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -1730,11 +1730,8 @@ static netdev_tx_t igc_xmit_frame(struct sk_buff *skb,
+       /* The minimum packet size with TCTL.PSP set is 17 so pad the skb
+        * in order to meet this minimum size requirement.
+        */
+-      if (skb->len < 17) {
+-              if (skb_padto(skb, 17))
+-                      return NETDEV_TX_OK;
+-              skb->len = 17;
+-      }
++      if (skb_put_padto(skb, 17))
++              return NETDEV_TX_OK;
+       return igc_xmit_frame_ring(skb, igc_tx_queue_mapping(adapter, skb));
+ }
+-- 
+2.51.0
+
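Review bot: The minimum length 17 now appears as a bare literal in both the comment and the `skb_put_padto(skb, 17)` call; a named constant (name to taste, e.g. a constructed `IGC_MIN_TX_LEN`) would keep the two tied together. The bare `return NETDEV_TX_OK;` on failure is correct only because skb_put_padto() frees the skb when it cannot pad it, so a short comment such as `/* skb_put_padto() freed the skb on failure */` would save the next reader a lookup. igc_xmit_frame() begins outside the hunk.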
diff --git a/queue-6.18/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch b/queue-6.18/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch
new file mode 100644 (file)
index 0000000..f4bdcf0
--- /dev/null
@@ -0,0 +1,118 @@
+From c4e5ba49dc845c8323736d8aa8c1f6356de71c1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 10:58:29 +0100
+Subject: igc: fix page fault in XDP TX timestamps handling
+
+From: Zdenek Bouska <zdenek.bouska@siemens.com>
+
+[ Upstream commit 45b33e805bd39f615d9353a7194b2da5281332df ]
+
+If an XDP application that requested TX timestamping is shutting down
+while the link of the interface in use is still up the following kernel
+splat is reported:
+
+[  883.803618] [   T1554] BUG: unable to handle page fault for address: ffffcfb6200fd008
+...
+[  883.803650] [   T1554] Call Trace:
+[  883.803652] [   T1554]  <TASK>
+[  883.803654] [   T1554]  igc_ptp_tx_tstamp_event+0xdf/0x160 [igc]
+[  883.803660] [   T1554]  igc_tsync_interrupt+0x2d5/0x300 [igc]
+...
+
+During shutdown of the TX ring the xsk_meta pointers are left behind, so
+that the IRQ handler is trying to touch them.
+
+This issue is now being fixed by cleaning up the stale xsk meta data on
+TX shutdown. TX timestamps on other queues remain unaffected.
+
+Fixes: 15fd021bc427 ("igc: Add Tx hardware timestamp request for AF_XDP zero-copy packet")
+Signed-off-by: Zdenek Bouska <zdenek.bouska@siemens.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Florian Bezdeka <florian.bezdeka@siemens.com>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc.h      |  2 ++
+ drivers/net/ethernet/intel/igc/igc_main.c |  7 +++++
+ drivers/net/ethernet/intel/igc/igc_ptp.c  | 33 +++++++++++++++++++++++
+ 3 files changed, 42 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h
+index a427f05814c1a..17236813965d3 100644
+--- a/drivers/net/ethernet/intel/igc/igc.h
++++ b/drivers/net/ethernet/intel/igc/igc.h
+@@ -781,6 +781,8 @@ int igc_ptp_hwtstamp_set(struct net_device *netdev,
+                        struct kernel_hwtstamp_config *config,
+                        struct netlink_ext_ack *extack);
+ void igc_ptp_tx_hang(struct igc_adapter *adapter);
++void igc_ptp_clear_xsk_tx_tstamp_queue(struct igc_adapter *adapter,
++                                     u16 queue_id);
+ void igc_ptp_read(struct igc_adapter *adapter, struct timespec64 *ts);
+ void igc_ptp_tx_tstamp_event(struct igc_adapter *adapter);
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 55d6feccc7745..104d6ab2ce5fa 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -264,6 +264,13 @@ static void igc_clean_tx_ring(struct igc_ring *tx_ring)
+       /* reset next_to_use and next_to_clean */
+       tx_ring->next_to_use = 0;
+       tx_ring->next_to_clean = 0;
++
++      /* Clear any lingering XSK TX timestamp requests */
++      if (test_bit(IGC_RING_FLAG_TX_HWTSTAMP, &tx_ring->flags)) {
++              struct igc_adapter *adapter = netdev_priv(tx_ring->netdev);
++
++              igc_ptp_clear_xsk_tx_tstamp_queue(adapter, tx_ring->queue_index);
++      }
+ }
+ /**
+diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
+index 7aae83c108fd7..98491346d21b8 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
+@@ -576,6 +576,39 @@ static void igc_ptp_clear_tx_tstamp(struct igc_adapter *adapter)
+       spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags);
+ }
++/**
++ * igc_ptp_clear_xsk_tx_tstamp_queue - Clear pending XSK TX timestamps for a queue
++ * @adapter: Board private structure
++ * @queue_id: TX queue index to clear timestamps for
++ *
++ * Iterates over all TX timestamp registers and releases any pending
++ * timestamp requests associated with the given TX queue. This is
++ * called when an XDP pool is being disabled to ensure no stale
++ * timestamp references remain.
++ */
++void igc_ptp_clear_xsk_tx_tstamp_queue(struct igc_adapter *adapter, u16 queue_id)
++{
++      unsigned long flags;
++      int i;
++
++      spin_lock_irqsave(&adapter->ptp_tx_lock, flags);
++
++      for (i = 0; i < IGC_MAX_TX_TSTAMP_REGS; i++) {
++              struct igc_tx_timestamp_request *tstamp = &adapter->tx_tstamp[i];
++
++              if (tstamp->buffer_type != IGC_TX_BUFFER_TYPE_XSK)
++                      continue;
++              if (tstamp->xsk_queue_index != queue_id)
++                      continue;
++              if (!tstamp->xsk_tx_buffer)
++                      continue;
++
++              igc_ptp_free_tx_buffer(adapter, tstamp);
++      }
++
++      spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags);
++}
++
+ static void igc_ptp_disable_tx_timestamp(struct igc_adapter *adapter)
+ {
+       struct igc_hw *hw = &adapter->hw;
+-- 
+2.51.0
+
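Review bot: The kernel-doc on igc_ptp_clear_xsk_tx_tstamp_queue() says it is `called when an XDP pool is being disabled`, but the only caller the patch adds is igc_clean_tx_ring(), gated on IGC_RING_FLAG_TX_HWTSTAMP; suggest `This is called from igc_clean_tx_ring() when a TX ring is torn down, so that no stale xsk buffer references remain for the interrupt handler.` The loop skips entries whose `xsk_tx_buffer` is NULL and hands the rest to igc_ptp_free_tx_buffer(); whether that helper also resets `buffer_type` and `xsk_tx_buffer` so a repeated clean-up finds nothing is outside the hunk and worth confirming. igc_clean_tx_ring() starts outside the hunk.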
diff --git a/queue-6.18/libie-prevent-memleak-in-fwlog-code.patch b/queue-6.18/libie-prevent-memleak-in-fwlog-code.patch
new file mode 100644 (file)
index 0000000..eaaf563
--- /dev/null
@@ -0,0 +1,152 @@
+From fe7300f8c0868b9c4fcf6053fed3e3f5f4f37182 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Feb 2026 10:10:08 +0100
+Subject: libie: prevent memleak in fwlog code
+
+From: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+
+[ Upstream commit 6850deb61118345996f03b87817b4ae0f2f25c38 ]
+
+All cmd_buf buffers are allocated and need to be freed after usage.
+Add an error unwinding path that properly frees these buffers.
+
+The memory leak happens whenever fwlog configuration is changed. For
+example:
+
+$echo 256K > /sys/kernel/debug/ixgbe/0000\:32\:00.0/fwlog/log_size
+
+Fixes: 96a9a9341cda ("ice: configure FW logging")
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/libie/fwlog.c | 49 +++++++++++++++++-------
+ 1 file changed, 36 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/libie/fwlog.c b/drivers/net/ethernet/intel/libie/fwlog.c
+index 5d890d9d3c4d5..3b32986c2978a 100644
+--- a/drivers/net/ethernet/intel/libie/fwlog.c
++++ b/drivers/net/ethernet/intel/libie/fwlog.c
+@@ -433,17 +433,21 @@ libie_debugfs_module_write(struct file *filp, const char __user *buf,
+       module = libie_find_module_by_dentry(fwlog->debugfs_modules, dentry);
+       if (module < 0) {
+               dev_info(dev, "unknown module\n");
+-              return -EINVAL;
++              count = -EINVAL;
++              goto free_cmd_buf;
+       }
+       cnt = sscanf(cmd_buf, "%s", user_val);
+-      if (cnt != 1)
+-              return -EINVAL;
++      if (cnt != 1) {
++              count = -EINVAL;
++              goto free_cmd_buf;
++      }
+       log_level = sysfs_match_string(libie_fwlog_level_string, user_val);
+       if (log_level < 0) {
+               dev_info(dev, "unknown log level '%s'\n", user_val);
+-              return -EINVAL;
++              count = -EINVAL;
++              goto free_cmd_buf;
+       }
+       if (module != LIBIE_AQC_FW_LOG_ID_MAX) {
+@@ -458,6 +462,9 @@ libie_debugfs_module_write(struct file *filp, const char __user *buf,
+                       fwlog->cfg.module_entries[i].log_level = log_level;
+       }
++free_cmd_buf:
++      kfree(cmd_buf);
++
+       return count;
+ }
+@@ -515,23 +522,31 @@ libie_debugfs_nr_messages_write(struct file *filp, const char __user *buf,
+               return PTR_ERR(cmd_buf);
+       ret = sscanf(cmd_buf, "%s", user_val);
+-      if (ret != 1)
+-              return -EINVAL;
++      if (ret != 1) {
++              count = -EINVAL;
++              goto free_cmd_buf;
++      }
+       ret = kstrtos16(user_val, 0, &nr_messages);
+-      if (ret)
+-              return ret;
++      if (ret) {
++              count = ret;
++              goto free_cmd_buf;
++      }
+       if (nr_messages < LIBIE_AQC_FW_LOG_MIN_RESOLUTION ||
+           nr_messages > LIBIE_AQC_FW_LOG_MAX_RESOLUTION) {
+               dev_err(dev, "Invalid FW log number of messages %d, value must be between %d - %d\n",
+                       nr_messages, LIBIE_AQC_FW_LOG_MIN_RESOLUTION,
+                       LIBIE_AQC_FW_LOG_MAX_RESOLUTION);
+-              return -EINVAL;
++              count = -EINVAL;
++              goto free_cmd_buf;
+       }
+       fwlog->cfg.log_resolution = nr_messages;
++free_cmd_buf:
++      kfree(cmd_buf);
++
+       return count;
+ }
+@@ -588,8 +603,10 @@ libie_debugfs_enable_write(struct file *filp, const char __user *buf,
+               return PTR_ERR(cmd_buf);
+       ret = sscanf(cmd_buf, "%s", user_val);
+-      if (ret != 1)
+-              return -EINVAL;
++      if (ret != 1) {
++              ret = -EINVAL;
++              goto free_cmd_buf;
++      }
+       ret = kstrtobool(user_val, &enable);
+       if (ret)
+@@ -624,6 +641,8 @@ libie_debugfs_enable_write(struct file *filp, const char __user *buf,
+        */
+       if (WARN_ON(ret != (ssize_t)count && ret >= 0))
+               ret = -EIO;
++free_cmd_buf:
++      kfree(cmd_buf);
+       return ret;
+ }
+@@ -682,8 +701,10 @@ libie_debugfs_log_size_write(struct file *filp, const char __user *buf,
+               return PTR_ERR(cmd_buf);
+       ret = sscanf(cmd_buf, "%s", user_val);
+-      if (ret != 1)
+-              return -EINVAL;
++      if (ret != 1) {
++              ret = -EINVAL;
++              goto free_cmd_buf;
++      }
+       index = sysfs_match_string(libie_fwlog_log_size, user_val);
+       if (index < 0) {
+@@ -712,6 +733,8 @@ libie_debugfs_log_size_write(struct file *filp, const char __user *buf,
+        */
+       if (WARN_ON(ret != (ssize_t)count && ret >= 0))
+               ret = -EIO;
++free_cmd_buf:
++      kfree(cmd_buf);
+       return ret;
+ }
+-- 
+2.51.0
+
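Review bot: In libie_debugfs_module_write() and libie_debugfs_nr_messages_write() the error code is carried in `count` (`count = -EINVAL; goto free_cmd_buf;`), which in a debugfs write callback is presumably `size_t`, so a negative value round-trips through an unsigned parameter before `return count;` converts it back to ssize_t; the two later functions carry the error in a signed `ret`, and the first two would be clearer doing the same (`ssize_t ret = -EINVAL; goto free_cmd_buf;` with `return ret;` at the label and `ret = count;` on the success path). The `if (ret)` after `kstrtobool()` and the `if (index < 0) {` branch are cut off by the hunk boundaries, so it cannot be confirmed here that those paths reach `free_cmd_buf` rather than returning directly; worth checking, since the new label sits after the WARN_ON block. The remaining `return PTR_ERR(cmd_buf);` early exits precede a successful allocation and are fine.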
diff --git a/queue-6.18/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch b/queue-6.18/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch
new file mode 100644 (file)
index 0000000..85b82f0
--- /dev/null
@@ -0,0 +1,37 @@
+From f7a5d2f4b2787ec5065e30a5c8786a327588e653 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 23:35:09 +0100
+Subject: mpls: add missing unregister_netdevice_notifier to mpls_init
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 99600f79b28c83c68bae199a3d8e95049a758308 ]
+
+If mpls_init() fails after registering mpls_dev_notifier, it never
+gets removed. Add the missing unregister_netdevice_notifier() call to
+the error handling path.
+
+Fixes: 5be2062e3080 ("mpls: Handle error of rtnl_register_module().")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://patch.msgid.link/7c55363c4f743d19e2306204a134407c90a69bbb.1773228081.git.sd@queasysnail.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mpls/af_mpls.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
+index 25c88cba5c48b..1c70cb26e7ba1 100644
+--- a/net/mpls/af_mpls.c
++++ b/net/mpls/af_mpls.c
+@@ -2777,6 +2777,7 @@ static int __init mpls_init(void)
+       rtnl_af_unregister(&mpls_af_ops);
+ out_unregister_dev_type:
+       dev_remove_pack(&mpls_packet_type);
++      unregister_netdevice_notifier(&mpls_dev_notifier);
+ out_unregister_pernet:
+       unregister_pernet_subsys(&mpls_net_ops);
+       goto out;
+-- 
+2.51.0
+
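Review bot: The new `unregister_netdevice_notifier(&mpls_dev_notifier);` under `out_unregister_dev_type:` runs after `dev_remove_pack()` and before `unregister_pernet_subsys()`, which is the correct reverse order only if mpls_init() registers the notifier after `register_pernet_subsys()` and before `dev_add_pack()`; the registration sequence is outside the hunk, so that should be checked against the function head. Kernel unwind style normally gives each acquired resource its own label, so a dedicated `out_unregister_notifier:` label placed directly above the new call would make the pairing explicit and give any future failure point between the two registrations a correct jump target.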
diff --git a/queue-6.18/mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch b/queue-6.18/mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch
new file mode 100644 (file)
index 0000000..f00f243
--- /dev/null
@@ -0,0 +1,39 @@
+From 76a92e8854898e7ea5fc13281752698024b76690 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 19:21:59 +0800
+Subject: MPTCP: fix lock class name family in pm_nl_create_listen_socket
+
+From: Li Xiasong <lixiasong1@huawei.com>
+
+[ Upstream commit 7ab4a7c5d969642782b8a5b608da0dd02aa9f229 ]
+
+In mptcp_pm_nl_create_listen_socket(), use entry->addr.family
+instead of sk->sk_family for lock class setup. The 'sk' parameter
+is a netlink socket, not the MPTCP subflow socket being created.
+
+Fixes: cee4034a3db1 ("mptcp: fix lockdep false positive in mptcp_pm_nl_create_listen_socket()")
+Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260319112159.3118874-1-lixiasong1@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/pm_kernel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mptcp/pm_kernel.c b/net/mptcp/pm_kernel.c
+index 6fd393f451bf4..52d15df12f588 100644
+--- a/net/mptcp/pm_kernel.c
++++ b/net/mptcp/pm_kernel.c
+@@ -824,7 +824,7 @@ static struct lock_class_key mptcp_keys[2];
+ static int mptcp_pm_nl_create_listen_socket(struct sock *sk,
+                                           struct mptcp_pm_addr_entry *entry)
+ {
+-      bool is_ipv6 = sk->sk_family == AF_INET6;
++      bool is_ipv6 = entry->addr.family == AF_INET6;
+       int addrlen = sizeof(struct sockaddr_in);
+       struct sockaddr_storage addr;
+       struct sock *newsk, *ssk;
+-- 
+2.51.0
+
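Review bot: The line `bool is_ipv6 = entry->addr.family == AF_INET6;` would benefit from a comment recording why `sk` is not consulted, since the original bug came from its name: `/* sk is the caller's netlink socket; the listener's family comes from the entry */`. After this change `sk` is no longer read in the visible part of mptcp_pm_nl_create_listen_socket(); if the removed line was its only use the parameter is dead, but the function body continues outside the hunk so that cannot be confirmed here.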
diff --git a/queue-6.18/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch b/queue-6.18/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch
new file mode 100644 (file)
index 0000000..75fed35
--- /dev/null
@@ -0,0 +1,40 @@
+From fd823402f1afed3ffc5a59ea00c9406b4ef6f546 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 12:27:00 +0100
+Subject: net: airoha: Remove airoha_dev_stop() in airoha_remove()
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit d4a533ad249e9fbdc2d0633f2ddd60a5b3a9a4ca ]
+
+Do not run airoha_dev_stop routine explicitly in airoha_remove()
+since ndo_stop() callback is already executed by unregister_netdev() in
+__dev_close_many routine if necessary and, doing so, we will end up causing
+an underflow in the qdma users atomic counters. Rely on networking subsystem
+to stop the device removing the airoha_eth module.
+
+Fixes: 23020f0493270 ("net: airoha: Introduce ethernet support for EN7581 SoC")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260313-airoha-remove-ndo_stop-remove-net-v2-1-67542c3ceeca@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/airoha/airoha_eth.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
+index 0394ba6a90a9b..b16b9ae7d3311 100644
+--- a/drivers/net/ethernet/airoha/airoha_eth.c
++++ b/drivers/net/ethernet/airoha/airoha_eth.c
+@@ -3046,7 +3046,6 @@ static void airoha_remove(struct platform_device *pdev)
+               if (!port)
+                       continue;
+-              airoha_dev_stop(port->dev);
+               unregister_netdev(port->dev);
+               airoha_metadata_dst_free(port);
+       }
+-- 
+2.51.0
+
diff --git a/queue-6.18/net-bcmgenet-increase-wol-poll-timeout.patch b/queue-6.18/net-bcmgenet-increase-wol-poll-timeout.patch
new file mode 100644 (file)
index 0000000..bdfbaac
--- /dev/null
@@ -0,0 +1,38 @@
+From 31333cca8ad9a83d1fb47ca50c99a046798328fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 12:18:52 -0700
+Subject: net: bcmgenet: increase WoL poll timeout
+
+From: Justin Chen <justin.chen@broadcom.com>
+
+[ Upstream commit 6cfc3bc02b977f2fba5f7268e6504d1931a774f7 ]
+
+Some systems require more than 5ms to get into WoL mode. Increase the
+timeout value to 50ms.
+
+Fixes: c51de7f3976b ("net: bcmgenet: add Wake-on-LAN support code")
+Signed-off-by: Justin Chen <justin.chen@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20260312191852.3904571-1-justin.chen@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+index 8fb5512882980..96d5d4f7f51fe 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+@@ -123,7 +123,7 @@ static int bcmgenet_poll_wol_status(struct bcmgenet_priv *priv)
+       while (!(bcmgenet_rbuf_readl(priv, RBUF_STATUS)
+               & RBUF_STATUS_WOL)) {
+               retries++;
+-              if (retries > 5) {
++              if (retries > 50) {
+                       netdev_crit(dev, "polling wol mode timeout\n");
+                       return -ETIMEDOUT;
+               }
+-- 
+2.51.0
+
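Review bot: The new bound in `if (retries > 50) {` is a bare magic number, and the timeout it represents also depends on the per-iteration delay in the loop body, which is outside the hunk; a named constant such as `#define BCMGENET_WOL_POLL_RETRIES 50` (proposed name) defined next to the delay, or a comment stating the resulting wall-clock budget, would keep the two in step the next time either is tuned. A one-line note that some systems need more than the previous 5 iterations, as the commit message says, belongs at the same place so the value is not lowered again.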
diff --git a/queue-6.18/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch b/queue-6.18/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
new file mode 100644 (file)
index 0000000..3d543f8
--- /dev/null
@@ -0,0 +1,87 @@
+From 982de054bffcaafdb9d5c004ffa22bacc9e508de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 17:50:34 -0700
+Subject: net: bonding: fix NULL deref in bond_debug_rlb_hash_show
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit 605b52497bf89b3b154674deb135da98f916e390 ]
+
+rlb_clear_slave intentionally keeps RLB hash-table entries on
+the rx_hashtbl_used_head list with slave set to NULL when no
+replacement slave is available. However, bond_debug_rlb_hash_show
+visites client_info->slave without checking if it's NULL.
+
+Other used-list iterators in bond_alb.c already handle this NULL-slave
+state safely:
+
+- rlb_update_client returns early on !client_info->slave
+- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance
+compare slave values before visiting
+- lb_req_update_subnet_clients continues if slave is NULL
+
+The following NULL deref crash can be trigger in
+bond_debug_rlb_hash_show:
+
+[    1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[    1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)
+[    1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286
+[    1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204
+[    1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078
+[    1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000
+[    1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0
+[    1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8
+[    1.294864] FS:  0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000
+[    1.295239] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[    1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0
+[    1.295897] Call Trace:
+[    1.296134]  seq_read_iter (fs/seq_file.c:231)
+[    1.296341]  seq_read (fs/seq_file.c:164)
+[    1.296493]  full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))
+[    1.296658]  vfs_read (fs/read_write.c:572)
+[    1.296981]  ksys_read (fs/read_write.c:717)
+[    1.297132]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+[    1.297325]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+Add a NULL check and print "(none)" for entries with no assigned slave.
+
+Fixes: caafa84251b88 ("bonding: add the debugfs interface to see RLB hash table")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260317005034.1888794-1-xmei5@asu.edu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_debugfs.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_debugfs.c b/drivers/net/bonding/bond_debugfs.c
+index 8adbec7c5084a..8967b65f6d840 100644
+--- a/drivers/net/bonding/bond_debugfs.c
++++ b/drivers/net/bonding/bond_debugfs.c
+@@ -34,11 +34,17 @@ static int bond_debug_rlb_hash_show(struct seq_file *m, void *v)
+       for (; hash_index != RLB_NULL_INDEX;
+            hash_index = client_info->used_next) {
+               client_info = &(bond_info->rx_hashtbl[hash_index]);
+-              seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n",
+-                      &client_info->ip_src,
+-                      &client_info->ip_dst,
+-                      &client_info->mac_dst,
+-                      client_info->slave->dev->name);
++              if (client_info->slave)
++                      seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n",
++                                 &client_info->ip_src,
++                                 &client_info->ip_dst,
++                                 &client_info->mac_dst,
++                                 client_info->slave->dev->name);
++              else
++                      seq_printf(m, "%-15pI4 %-15pI4 %-17pM (none)\n",
++                                 &client_info->ip_src,
++                                 &client_info->ip_dst,
++                                 &client_info->mac_dst);
+       }
+       spin_unlock_bh(&bond->mode_lock);
+-- 
+2.51.0
+
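Review bot: The two seq_printf() branches added in bond_debug_rlb_hash_show() differ only in the last argument, so they can be folded into one call: `seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", &client_info->ip_src, &client_info->ip_dst, &client_info->mac_dst, client_info->slave ? client_info->slave->dev->name : "(none)");`. The NULL test is only meaningful if `client_info->slave` is cleared under the same `bond->mode_lock` this function holds (the `spin_unlock_bh()` at the end of the hunk shows it is held); the commit message says rlb_clear_slave() does that, but it is not visible here, so a comment `/* slave may be NULL after rlb_clear_slave(); the entry stays on the used list */` would document the invariant for the next reader.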
diff --git a/queue-6.18/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch b/queue-6.18/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
new file mode 100644 (file)
index 0000000..0d90bed
--- /dev/null
@@ -0,0 +1,59 @@
+From ed71fde162ffd081052024f54cc1dbf2951b96de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 08:42:12 +0000
+Subject: net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths
+
+From: Anas Iqbal <mohd.abd.6602@gmail.com>
+
+[ Upstream commit b48731849609cbd8c53785a48976850b443153fd ]
+
+Smatch reports:
+drivers/net/dsa/bcm_sf2.c:997 bcm_sf2_sw_resume() warn:
+'priv->clk' from clk_prepare_enable() not released on lines: 983,990.
+
+The clock enabled by clk_prepare_enable() in bcm_sf2_sw_resume()
+is not released if bcm_sf2_sw_rst() or bcm_sf2_cfp_resume() fails.
+
+Add the missing clk_disable_unprepare() calls in the error paths
+to properly release the clock resource.
+
+Fixes: e9ec5c3bd238 ("net: dsa: bcm_sf2: request and handle clocks")
+Reviewed-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Anas Iqbal <mohd.abd.6602@gmail.com>
+Link: https://patch.msgid.link/20260318084212.1287-1-mohd.abd.6602@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/bcm_sf2.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
+index 960685596093b..de3efa3ce9a75 100644
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -980,15 +980,19 @@ static int bcm_sf2_sw_resume(struct dsa_switch *ds)
+       ret = bcm_sf2_sw_rst(priv);
+       if (ret) {
+               pr_err("%s: failed to software reset switch\n", __func__);
++              if (!priv->wol_ports_mask)
++                      clk_disable_unprepare(priv->clk);
+               return ret;
+       }
+       bcm_sf2_crossbar_setup(priv);
+       ret = bcm_sf2_cfp_resume(ds);
+-      if (ret)
++      if (ret) {
++              if (!priv->wol_ports_mask)
++                      clk_disable_unprepare(priv->clk);
+               return ret;
+-
++      }
+       if (priv->hw_params.num_gphy == 1)
+               bcm_sf2_gphy_enable_set(ds, true);
+-- 
+2.51.0
+
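Review bot: Both new error paths in bcm_sf2_sw_resume() release the clock only when `!priv->wol_ports_mask`, a condition that has to mirror the one guarding `clk_prepare_enable()` earlier in the function, which is outside the hunk; nothing in the code ties the two together, so a comment at the first release, `/* clock was only enabled above when no WoL ports are active */`, would make the pairing explicit. The hunk also drops the blank line between `return ret;` and the new closing brace, which is a minor whitespace change unrelated to the fix.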
diff --git a/queue-6.18/net-macb-fix-uninitialized-rx_fs_lock.patch b/queue-6.18/net-macb-fix-uninitialized-rx_fs_lock.patch
new file mode 100644 (file)
index 0000000..741c195
--- /dev/null
@@ -0,0 +1,78 @@
+From 87b12b0f857ee24fa2be3181df699d8d5574255f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 13:38:25 +0300
+Subject: net: macb: fix uninitialized rx_fs_lock
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 34b11cc56e4369bc08b1f4c4a04222d75ed596ce ]
+
+If hardware doesn't support RX Flow Filters, rx_fs_lock spinlock is not
+initialized leading to the following assertion splat triggerable via
+set_rxnfc callback.
+
+INFO: trying to register non-static key.
+The code is fine but needs lockdep annotation, or maybe
+you didn't initialize this object before use?
+turning off the locking correctness validator.
+CPU: 1 PID: 949 Comm: syz.0.6 Not tainted 6.1.164+ #113
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106
+ assign_lock_key kernel/locking/lockdep.c:974 [inline]
+ register_lock_class+0x141b/0x17f0 kernel/locking/lockdep.c:1287
+ __lock_acquire+0x74f/0x6c40 kernel/locking/lockdep.c:4928
+ lock_acquire kernel/locking/lockdep.c:5662 [inline]
+ lock_acquire+0x190/0x4b0 kernel/locking/lockdep.c:5627
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+ _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:162
+ gem_del_flow_filter drivers/net/ethernet/cadence/macb_main.c:3562 [inline]
+ gem_set_rxnfc+0x533/0xac0 drivers/net/ethernet/cadence/macb_main.c:3667
+ ethtool_set_rxnfc+0x18c/0x280 net/ethtool/ioctl.c:961
+ __dev_ethtool net/ethtool/ioctl.c:2956 [inline]
+ dev_ethtool+0x229c/0x6290 net/ethtool/ioctl.c:3095
+ dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510
+ sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215
+ sock_ioctl+0x577/0x6d0 net/socket.c:1320
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856
+ do_syscall_x64 arch/x86/entry/common.c:46 [inline]
+ do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+A more straightforward solution would be to always initialize rx_fs_lock,
+just like rx_fs_list.  However, in this case the driver set_rxnfc callback
+would return with a rather confusing error code, e.g. -EINVAL.  So deny
+set_rxnfc attempts directly if the RX filtering feature is not supported
+by hardware.
+
+Fixes: ae8223de3df5 ("net: macb: Added support for RX filtering")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Link: https://patch.msgid.link/20260316103826.74506-2-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 1db90df395fc7..4624db166a27b 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -4013,6 +4013,9 @@ static int gem_set_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd)
+       struct macb *bp = netdev_priv(netdev);
+       int ret;
++      if (!(netdev->hw_features & NETIF_F_NTUPLE))
++              return -EOPNOTSUPP;
++
+       switch (cmd->cmd) {
+       case ETHTOOL_SRXCLSRLINS:
+               if ((cmd->fs.location >= bp->max_tuples)
+-- 
+2.51.0
+
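Review bot: The new guard `if (!(netdev->hw_features & NETIF_F_NTUPLE)) return -EOPNOTSUPP;` in gem_set_rxnfc() only protects `bp->rx_fs_lock` if every path that takes that lock is reached through this function; the commit message names gem_del_flow_filter(), but any get-side caller that also takes the lock is outside the hunk and would still hit the uninitialised spinlock. A comment explaining the coupling would help, since the check reads as a feature test rather than a lock guard: `/* rx_fs_lock is only initialised when RX flow filtering is supported */`. Keying on `hw_features` rather than `features` looks deliberate, as it reflects hardware capability rather than the user-toggled state, and that too is worth a word in the comment.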
diff --git a/queue-6.18/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch b/queue-6.18/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch
new file mode 100644 (file)
index 0000000..3dbaae9
--- /dev/null
@@ -0,0 +1,67 @@
+From 80f02bbbc276f4e80d60baeb8a92add9f092e15d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 12:22:04 -0700
+Subject: net: mana: fix use-after-free in mana_hwc_destroy_channel() by
+ reordering teardown
+
+From: Dipayaan Roy <dipayanroy@linux.microsoft.com>
+
+[ Upstream commit fa103fc8f56954a60699a29215cb713448a39e87 ]
+
+A potential race condition exists in mana_hwc_destroy_channel() where
+hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and
+Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt
+handler to dereference freed memory, leading to a use-after-free or
+NULL pointer dereference in mana_hwc_handle_resp().
+
+mana_smc_teardown_hwc() signals the hardware to stop but does not
+synchronize against IRQ handlers already executing on other CPUs. The
+IRQ synchronization only happens in mana_hwc_destroy_cq() via
+mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs
+after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler()
+can dereference freed caller_ctx (and rxq->msg_buf) in
+mana_hwc_handle_resp().
+
+Fix this by reordering teardown to reverse-of-creation order: destroy
+the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This
+ensures all in-flight interrupt handlers complete before the memory they
+access is freed.
+
+Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/abHA3AjNtqa1nx9k@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+index ada6c78a2bef4..21cddafba5061 100644
+--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
++++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+@@ -802,9 +802,6 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
+               gc->max_num_cqs = 0;
+       }
+-      kfree(hwc->caller_ctx);
+-      hwc->caller_ctx = NULL;
+-
+       if (hwc->txq)
+               mana_hwc_destroy_wq(hwc, hwc->txq);
+@@ -814,6 +811,9 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
+       if (hwc->cq)
+               mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq);
++      kfree(hwc->caller_ctx);
++      hwc->caller_ctx = NULL;
++
+       mana_gd_free_res_map(&hwc->inflight_msg_res);
+       hwc->num_inflight_msg = 0;
+-- 
+2.51.0
+
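Review bot: The moved `kfree(hwc->caller_ctx);` now depends on `mana_hwc_destroy_cq()` having synchronised the IRQ handler first, but nothing in the code records that ordering constraint, so a later cleanup could reorder it back; a comment above the kfree, `/* must follow mana_hwc_destroy_cq(): EQ teardown deregisters the IRQ, after which no handler can reach caller_ctx */`, would pin it. The `if (hwc->cq)` guard means the free also runs when no CQ was created, which is the case where no handler can be in flight, so that path is fine.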
diff --git a/queue-6.18/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch b/queue-6.18/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch
new file mode 100644 (file)
index 0000000..b227466
--- /dev/null
@@ -0,0 +1,112 @@
+From a9cd1849e78c003b5ea419e35c18362dd45271fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 11:46:01 +0200
+Subject: net/mlx5: qos: Restrict RTNL area to avoid a lock cycle
+
+From: Cosmin Ratiu <cratiu@nvidia.com>
+
+[ Upstream commit b7e3a5d9c0d66b7fb44f63aef3bd734821afa0c8 ]
+
+A lock dependency cycle exists where:
+1. mlx5_ib_roce_init -> mlx5_core_uplink_netdev_event_replay ->
+mlx5_blocking_notifier_call_chain (takes notifier_rwsem) ->
+mlx5e_mdev_notifier_event -> mlx5_netdev_notifier_register ->
+register_netdevice_notifier_dev_net (takes rtnl)
+=> notifier_rwsem -> rtnl
+
+2. mlx5e_probe -> _mlx5e_probe ->
+mlx5_core_uplink_netdev_set (takes uplink_netdev_lock) ->
+mlx5_blocking_notifier_call_chain (takes notifier_rwsem)
+=> uplink_netdev_lock -> notifier_rwsem
+
+3: devlink_nl_rate_set_doit -> devlink_nl_rate_set ->
+mlx5_esw_devlink_rate_leaf_tx_max_set -> esw_qos_devlink_rate_to_mbps ->
+mlx5_esw_qos_max_link_speed_get (takes rtnl) ->
+mlx5_esw_qos_lag_link_speed_get_locked ->
+mlx5_uplink_netdev_get (takes uplink_netdev_lock)
+=> rtnl -> uplink_netdev_lock
+=> BOOM! (lock cycle)
+
+Fix that by restricting the rtnl-protected section to just the necessary
+part, the call to netdev_master_upper_dev_get and speed querying, so
+that the last lock dependency is avoided and the cycle doesn't close.
+This is safe because mlx5_uplink_netdev_get uses netdev_hold to keep the
+uplink netdev alive while its master device is queried.
+
+Use this opportunity to rename the ambiguously-named "hold_rtnl_lock"
+argument to "take_rtnl" and remove the "_locked" suffix from
+mlx5_esw_qos_lag_link_speed_get_locked.
+
+Fixes: 6b4be64fd9fe ("net/mlx5e: Harden uplink netdev access against device unbind")
+Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260316094603.6999-2-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/esw/qos.c | 23 ++++++++-----------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
+index 56e6f54b1e2ed..af58ad72906ff 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
+@@ -1497,24 +1497,24 @@ static int esw_qos_node_enable_tc_arbitration(struct mlx5_esw_sched_node *node,
+       return err;
+ }
+-static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev)
++static u32 mlx5_esw_qos_lag_link_speed_get(struct mlx5_core_dev *mdev,
++                                         bool take_rtnl)
+ {
+       struct ethtool_link_ksettings lksettings;
+       struct net_device *slave, *master;
+       u32 speed = SPEED_UNKNOWN;
+-      /* Lock ensures a stable reference to master and slave netdevice
+-       * while port speed of master is queried.
+-       */
+-      ASSERT_RTNL();
+-
+       slave = mlx5_uplink_netdev_get(mdev);
+       if (!slave)
+               goto out;
++      if (take_rtnl)
++              rtnl_lock();
+       master = netdev_master_upper_dev_get(slave);
+       if (master && !__ethtool_get_link_ksettings(master, &lksettings))
+               speed = lksettings.base.speed;
++      if (take_rtnl)
++              rtnl_unlock();
+ out:
+       mlx5_uplink_netdev_put(mdev, slave);
+@@ -1522,20 +1522,15 @@ static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev)
+ }
+ static int mlx5_esw_qos_max_link_speed_get(struct mlx5_core_dev *mdev, u32 *link_speed_max,
+-                                         bool hold_rtnl_lock, struct netlink_ext_ack *extack)
++                                         bool take_rtnl,
++                                         struct netlink_ext_ack *extack)
+ {
+       int err;
+       if (!mlx5_lag_is_active(mdev))
+               goto skip_lag;
+-      if (hold_rtnl_lock)
+-              rtnl_lock();
+-
+-      *link_speed_max = mlx5_esw_qos_lag_link_speed_get_locked(mdev);
+-
+-      if (hold_rtnl_lock)
+-              rtnl_unlock();
++      *link_speed_max = mlx5_esw_qos_lag_link_speed_get(mdev, take_rtnl);
+       if (*link_speed_max != (u32)SPEED_UNKNOWN)
+               return 0;
+-- 
+2.51.0
+
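Review bot: Dropping `ASSERT_RTNL();` from mlx5_esw_qos_lag_link_speed_get() removes the only check that, when `take_rtnl` is false, the caller already holds RTNL before `netdev_master_upper_dev_get()` is called; the conditional locking should keep that contract visible with `if (!take_rtnl) ASSERT_RTNL();` placed just before the master lookup. The `take_rtnl` parameter also deserves a one-line comment on the function, such as `/* take_rtnl: take RTNL here; otherwise the caller must already hold it */`, since the locked/unlocked distinction previously lived in the `_locked` suffix. mlx5_esw_qos_max_link_speed_get() just forwards the flag, so nothing further is needed there.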
diff --git a/queue-6.18/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch b/queue-6.18/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch
new file mode 100644 (file)
index 0000000..d496a26
--- /dev/null
@@ -0,0 +1,128 @@
+From 9c48f8f5ea3073ba668b76b31f97ace761c925a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 11:46:03 +0200
+Subject: net/mlx5e: Fix race condition during IPSec ESN update
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit beb6e2e5976a128b0cccf10d158124422210c5ef ]
+
+In IPSec full offload mode, the device reports an ESN (Extended
+Sequence Number) wrap event to the driver. The driver validates this
+event by querying the IPSec ASO and checking that the esn_event_arm
+field is 0x0, which indicates an event has occurred. After handling
+the event, the driver must re-arm the context by setting esn_event_arm
+back to 0x1.
+
+A race condition exists in this handling path. After validating the
+event, the driver calls mlx5_accel_esp_modify_xfrm() to update the
+kernel's xfrm state. This function temporarily releases and
+re-acquires the xfrm state lock.
+
+So, need to acknowledge the event first by setting esn_event_arm to
+0x1. This prevents the driver from reprocessing the same ESN update if
+the hardware sends events for other reason. Since the next ESN update
+only occurs after nearly 2^31 packets are received, there's no risk of
+missing an update, as it will happen long after this handling has
+finished.
+
+Processing the event twice causes the ESN high-order bits (esn_msb) to
+be incremented incorrectly. The driver then programs the hardware with
+this invalid ESN state, which leads to anti-replay failures and a
+complete halt of IPSec traffic.
+
+Fix this by re-arming the ESN event immediately after it is validated,
+before calling mlx5_accel_esp_modify_xfrm(). This ensures that any
+spurious, duplicate events are correctly ignored, closing the race
+window.
+
+Fixes: fef06678931f ("net/mlx5e: Fix ESN update kernel panic")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260316094603.6999-4-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mlx5/core/en_accel/ipsec_offload.c        | 33 ++++++++-----------
+ 1 file changed, 14 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+index 2739ff490239d..e0611fa827971 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+@@ -310,10 +310,11 @@ static void mlx5e_ipsec_aso_update(struct mlx5e_ipsec_sa_entry *sa_entry,
+       mlx5e_ipsec_aso_query(sa_entry, data);
+ }
+-static void mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry,
+-                                       u32 mode_param)
++static void
++mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry,
++                           u32 mode_param,
++                           struct mlx5_accel_esp_xfrm_attrs *attrs)
+ {
+-      struct mlx5_accel_esp_xfrm_attrs attrs = {};
+       struct mlx5_wqe_aso_ctrl_seg data = {};
+       if (mode_param < MLX5E_IPSEC_ESN_SCOPE_MID) {
+@@ -323,18 +324,7 @@ static void mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry,
+               sa_entry->esn_state.overlap = 1;
+       }
+-      mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, &attrs);
+-
+-      /* It is safe to execute the modify below unlocked since the only flows
+-       * that could affect this HW object, are create, destroy and this work.
+-       *
+-       * Creation flow can't co-exist with this modify work, the destruction
+-       * flow would cancel this work, and this work is a single entity that
+-       * can't conflict with it self.
+-       */
+-      spin_unlock_bh(&sa_entry->x->lock);
+-      mlx5_accel_esp_modify_xfrm(sa_entry, &attrs);
+-      spin_lock_bh(&sa_entry->x->lock);
++      mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, attrs);
+       data.data_offset_condition_operand =
+               MLX5_IPSEC_ASO_REMOVE_FLOW_PKT_CNT_OFFSET;
+@@ -451,7 +441,9 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+       struct mlx5e_ipsec_work *work =
+               container_of(_work, struct mlx5e_ipsec_work, work);
+       struct mlx5e_ipsec_sa_entry *sa_entry = work->data;
++      struct mlx5_accel_esp_xfrm_attrs tmp = {};
+       struct mlx5_accel_esp_xfrm_attrs *attrs;
++      bool need_modify = false;
+       int ret;
+       attrs = &sa_entry->attrs;
+@@ -461,19 +453,22 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+       if (ret)
+               goto unlock;
++      if (attrs->lft.soft_packet_limit != XFRM_INF)
++              mlx5e_ipsec_handle_limits(sa_entry);
++
+       if (attrs->replay_esn.trigger &&
+           !MLX5_GET(ipsec_aso, sa_entry->ctx, esn_event_arm)) {
+               u32 mode_param = MLX5_GET(ipsec_aso, sa_entry->ctx,
+                                         mode_parameter);
+-              mlx5e_ipsec_update_esn_state(sa_entry, mode_param);
++              mlx5e_ipsec_update_esn_state(sa_entry, mode_param, &tmp);
++              need_modify = true;
+       }
+-      if (attrs->lft.soft_packet_limit != XFRM_INF)
+-              mlx5e_ipsec_handle_limits(sa_entry);
+-
+ unlock:
+       spin_unlock_bh(&sa_entry->x->lock);
++      if (need_modify)
++              mlx5_accel_esp_modify_xfrm(sa_entry, &tmp);
+       kfree(work);
+ }
+-- 
+2.51.0
+
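Review bot: The rationale for calling mlx5_accel_esp_modify_xfrm() without sa_entry->x->lock held is no longer documented anywhere: the comment explaining why the unlocked modify is safe (only create, destroy and this work touch the HW object) was deleted from mlx5e_ipsec_update_esn_state(), but the call now placed after the `unlock:` label in mlx5e_ipsec_handle_event() got no replacement. Suggest restoring it above `if (need_modify)`, e.g. `/* Safe without x->lock: create cannot overlap this work, destroy cancels it, and the work cannot race itself */`. The move of the `mlx5e_ipsec_handle_limits()` call ahead of the ESN check is also not explained by the commit message; if the ordering matters relative to the re-arming ASO update a one-line comment would help, otherwise it reads as an unrelated reshuffle. Both enclosing functions start and end outside the hunk.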
diff --git a/queue-6.18/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch b/queue-6.18/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch
new file mode 100644 (file)
index 0000000..4c1988d
--- /dev/null
@@ -0,0 +1,115 @@
+From 33d203f921c5d580c41523ae8cdc751349d4da72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 11:46:02 +0200
+Subject: net/mlx5e: Prevent concurrent access to IPSec ASO context
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 99b36850d881e2d65912b2520a1c80d0fcc9429a ]
+
+The query or updating IPSec offload object is through Access ASO WQE.
+The driver uses a single mlx5e_ipsec_aso struct for each PF, which
+contains a shared DMA-mapped context for all ASO operations.
+
+A race condition exists because the ASO spinlock is released before
+the hardware has finished processing WQE. If a second operation is
+initiated immediately after, it overwrites the shared context in the
+DMA area.
+
+When the first operation's completion is processed later, it reads
+this corrupted context, leading to unexpected behavior and incorrect
+results.
+
+This commit fixes the race by introducing a private context within
+each IPSec offload object. The shared ASO context is now copied to
+this private context while the ASO spinlock is held. Subsequent
+processing uses this saved, per-object context, ensuring its integrity
+is maintained.
+
+Fixes: 1ed78fc03307 ("net/mlx5e: Update IPsec soft and hard limits")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260316094603.6999-3-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/en_accel/ipsec.h         |  1 +
+ .../mellanox/mlx5/core/en_accel/ipsec_offload.c | 17 ++++++++---------
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
+index f8eaaf37963b1..abcbd38db9dbb 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
+@@ -287,6 +287,7 @@ struct mlx5e_ipsec_sa_entry {
+       struct mlx5e_ipsec_dwork *dwork;
+       struct mlx5e_ipsec_limits limits;
+       u32 rx_mapped_id;
++      u8 ctx[MLX5_ST_SZ_BYTES(ipsec_aso)];
+ };
+ struct mlx5_accel_pol_xfrm_attrs {
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+index ef7322d381af6..2739ff490239d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+@@ -370,20 +370,18 @@ static void mlx5e_ipsec_aso_update_soft(struct mlx5e_ipsec_sa_entry *sa_entry,
+ static void mlx5e_ipsec_handle_limits(struct mlx5e_ipsec_sa_entry *sa_entry)
+ {
+       struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs;
+-      struct mlx5e_ipsec *ipsec = sa_entry->ipsec;
+-      struct mlx5e_ipsec_aso *aso = ipsec->aso;
+       bool soft_arm, hard_arm;
+       u64 hard_cnt;
+       lockdep_assert_held(&sa_entry->x->lock);
+-      soft_arm = !MLX5_GET(ipsec_aso, aso->ctx, soft_lft_arm);
+-      hard_arm = !MLX5_GET(ipsec_aso, aso->ctx, hard_lft_arm);
++      soft_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, soft_lft_arm);
++      hard_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, hard_lft_arm);
+       if (!soft_arm && !hard_arm)
+               /* It is not lifetime event */
+               return;
+-      hard_cnt = MLX5_GET(ipsec_aso, aso->ctx, remove_flow_pkt_cnt);
++      hard_cnt = MLX5_GET(ipsec_aso, sa_entry->ctx, remove_flow_pkt_cnt);
+       if (!hard_cnt || hard_arm) {
+               /* It is possible to see packet counter equal to zero without
+                * hard limit event armed. Such situation can be if packet
+@@ -454,10 +452,8 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+               container_of(_work, struct mlx5e_ipsec_work, work);
+       struct mlx5e_ipsec_sa_entry *sa_entry = work->data;
+       struct mlx5_accel_esp_xfrm_attrs *attrs;
+-      struct mlx5e_ipsec_aso *aso;
+       int ret;
+-      aso = sa_entry->ipsec->aso;
+       attrs = &sa_entry->attrs;
+       spin_lock_bh(&sa_entry->x->lock);
+@@ -466,8 +462,9 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+               goto unlock;
+       if (attrs->replay_esn.trigger &&
+-          !MLX5_GET(ipsec_aso, aso->ctx, esn_event_arm)) {
+-              u32 mode_param = MLX5_GET(ipsec_aso, aso->ctx, mode_parameter);
++          !MLX5_GET(ipsec_aso, sa_entry->ctx, esn_event_arm)) {
++              u32 mode_param = MLX5_GET(ipsec_aso, sa_entry->ctx,
++                                        mode_parameter);
+               mlx5e_ipsec_update_esn_state(sa_entry, mode_param);
+       }
+@@ -629,6 +626,8 @@ int mlx5e_ipsec_aso_query(struct mlx5e_ipsec_sa_entry *sa_entry,
+                       /* We are in atomic context */
+                       udelay(10);
+       } while (ret && time_is_after_jiffies(expires));
++      if (!ret)
++              memcpy(sa_entry->ctx, aso->ctx, MLX5_ST_SZ_BYTES(ipsec_aso));
+       spin_unlock_bh(&aso->lock);
+       return ret;
+ }
+-- 
+2.51.0
+
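Review bot: The new `ctx` array added to struct mlx5e_ipsec_sa_entry in ipsec.h has no comment, and its contract is non-obvious: it is written only by mlx5e_ipsec_aso_query() when the query succeeded, under aso->lock, and the readers in mlx5e_ipsec_handle_limits() and mlx5e_ipsec_handle_event() assume a prior successful query. Suggest `/* Private snapshot of the shared ASO context, copied by mlx5e_ipsec_aso_query() on success (under aso->lock) */` on the field. Because a failed query leaves the previous snapshot in place, that precondition is worth stating in the kerneldoc of mlx5e_ipsec_aso_query(), whose start is outside the hunk; the callers visible here do bail out on `ret` before reading it. Presumably readers also rely on sa_entry->x->lock to serialize against the copy, as the lockdep assertion in mlx5e_ipsec_handle_limits() suggests — worth confirming.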
diff --git a/queue-6.18/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch b/queue-6.18/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch
new file mode 100644 (file)
index 0000000..2e5babd
--- /dev/null
@@ -0,0 +1,86 @@
+From 08f3302f49d6e76eccf4fbd13a37e9a3a0a793b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 12:31:01 -0700
+Subject: net: mvpp2: guard flow control update with global_tx_fc in buffer
+ switching
+
+From: Muhammad Hammad Ijaz <mhijaz@amazon.com>
+
+[ Upstream commit 8a63baadf08453f66eb582fdb6dd234f72024723 ]
+
+mvpp2_bm_switch_buffers() unconditionally calls
+mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and
+shared buffer pool modes. This function programs CM3 flow control
+registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference
+priv->cm3_base without any NULL check.
+
+When the CM3 SRAM resource is not present in the device tree (the
+third reg entry added by commit 60523583b07c ("dts: marvell: add CM3
+SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains
+NULL and priv->global_tx_fc is false. Any operation that triggers
+mvpp2_bm_switch_buffers(), for example an MTU change that crosses
+the jumbo frame threshold, will crash:
+
+  Unable to handle kernel NULL pointer dereference at
+  virtual address 0000000000000000
+  Mem abort info:
+    ESR = 0x0000000096000006
+    EC = 0x25: DABT (current EL), IL = 32 bits
+  pc : readl+0x0/0x18
+  lr : mvpp2_cm3_read.isra.0+0x14/0x20
+  Call trace:
+   readl+0x0/0x18
+   mvpp2_bm_pool_update_fc+0x40/0x12c
+   mvpp2_bm_pool_update_priv_fc+0x94/0xd8
+   mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0
+   mvpp2_change_mtu+0x140/0x380
+   __dev_set_mtu+0x1c/0x38
+   dev_set_mtu_ext+0x78/0x118
+   dev_set_mtu+0x48/0xa8
+   dev_ifsioc+0x21c/0x43c
+   dev_ioctl+0x2d8/0x42c
+   sock_ioctl+0x314/0x378
+
+Every other flow control call site in the driver already guards
+hardware access with either priv->global_tx_fc or port->tx_fc.
+mvpp2_bm_switch_buffers() is the only place that omits this check.
+
+Add the missing priv->global_tx_fc guard to both the disable and
+re-enable calls in mvpp2_bm_switch_buffers(), consistent with the
+rest of the driver.
+
+Fixes: 3a616b92a9d1 ("net: mvpp2: Add TX flow control support for jumbo frames")
+Signed-off-by: Muhammad Hammad Ijaz <mhijaz@amazon.com>
+Reviewed-by: Gunnar Kudrjavets <gunnarku@amazon.com>
+Link: https://patch.msgid.link/20260316193157.65748-1-mhijaz@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index ab0c99aa9f9a5..74d44510684bf 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -5018,7 +5018,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+       if (priv->percpu_pools)
+               numbufs = port->nrxqs * 2;
+-      if (change_percpu)
++      if (change_percpu && priv->global_tx_fc)
+               mvpp2_bm_pool_update_priv_fc(priv, false);
+       for (i = 0; i < numbufs; i++)
+@@ -5043,7 +5043,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+                       mvpp2_open(port->dev);
+       }
+-      if (change_percpu)
++      if (change_percpu && priv->global_tx_fc)
+               mvpp2_bm_pool_update_priv_fc(priv, true);
+       return 0;
+-- 
+2.51.0
+
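Review bot: The `priv->global_tx_fc` guard is now repeated at both mvpp2_bm_pool_update_priv_fc() call sites, while the description says the underlying mvpp2_cm3_read()/mvpp2_cm3_write() still dereference priv->cm3_base unconditionally, so the next caller added without the guard would hit the same NULL dereference. A more defensive placement is an early `if (!priv->global_tx_fc) return;` inside mvpp2_bm_pool_update_priv_fc() itself, keeping the check in one place; the callee is not visible in this hunk, so I cannot tell whether any caller relies on it running unguarded. At minimum a comment at the first site would tell the reader why the flag doubles as a "CM3 present" check, e.g. `/* global_tx_fc is only set when the CM3 SRAM resource was mapped */`. mvpp2_bm_switch_buffers() starts and ends outside the hunk.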
diff --git a/queue-6.18/net-rose-fix-null-pointer-dereference-in-rose_transm.patch b/queue-6.18/net-rose-fix-null-pointer-dereference-in-rose_transm.patch
new file mode 100644 (file)
index 0000000..ca70a57
--- /dev/null
@@ -0,0 +1,64 @@
+From c5d60846da57d1a62089a1b5827f1f96a35cf2ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 15:06:02 +0800
+Subject: net/rose: fix NULL pointer dereference in rose_transmit_link on
+ reconnect
+
+From: Jiayuan Chen <jiayuan.chen@shopee.com>
+
+[ Upstream commit e1f0a18c9564cdb16523c802e2c6fe5874e3d944 ]
+
+syzkaller reported a bug [1], and the reproducer is available at [2].
+
+ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN,
+TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects
+calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING
+(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT.
+
+When rose_connect() is called a second time while the first connection
+attempt is still in progress (TCP_SYN_SENT), it overwrites
+rose->neighbour via rose_get_neigh(). If that returns NULL, the socket
+is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL.
+When the socket is subsequently closed, rose_release() sees
+ROSE_STATE_1 and calls rose_write_internal() ->
+rose_transmit_link(skb, NULL), causing a NULL pointer dereference.
+
+Per connect(2), a second connect() while a connection is already in
+progress should return -EALREADY. Add this missing check for
+TCP_SYN_SENT to complete the state validation in rose_connect().
+
+[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271
+[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+d00f90e0af54102fb271@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0027.GAE@google.com/T/
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260311070611.76913-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index fad6518e6e39b..53c9bc71f813d 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -810,6 +810,11 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
+               goto out_release;
+       }
++      if (sk->sk_state == TCP_SYN_SENT) {
++              err = -EALREADY;
++              goto out_release;
++      }
++
+       sk->sk_state   = TCP_CLOSE;
+       sock->state = SS_UNCONNECTED;
+-- 
+2.51.0
+
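Review bot: The new TCP_SYN_SENT branch in rose_connect() has no comment, and the reason it is needed (a second connect would re-run rose_get_neigh() and could leave the socket in ROSE_STATE_1 with a NULL rose->neighbour, which rose_release() later dereferences) lives only in the commit message. Suggest `/* A connect is already in progress; rerunning rose_get_neigh() could leave ROSE_STATE_1 with a NULL neighbour */` above the check. The function body starts and ends outside the hunk, so the preceding TCP_ESTABLISHED and TCP_CLOSE checks the message says this completes are not visible here.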
diff --git a/queue-6.18/net-sched-teql-fix-double-free-in-teql_master_xmit.patch b/queue-6.18/net-sched-teql-fix-double-free-in-teql_master_xmit.patch
new file mode 100644 (file)
index 0000000..0973d88
--- /dev/null
@@ -0,0 +1,202 @@
+From 12e7491b04d2474c74f1f2345ce23daf784bb705 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 11:54:22 -0400
+Subject: net/sched: teql: Fix double-free in teql_master_xmit
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit 66360460cab63c248ca5b1070a01c0c29133b960 ]
+
+Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should
+be called using the seq_lock to avoid racing with the datapath. Failure
+to do so may cause crashes like the following:
+
+[  238.028993][  T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)
+[  238.029328][  T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318
+[  238.029749][  T318]
+[  238.029900][  T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)
+[  238.029906][  T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+[  238.029910][  T318] Call Trace:
+[  238.029913][  T318]  <TASK>
+[  238.029916][  T318]  dump_stack_lvl (lib/dump_stack.c:122)
+[  238.029928][  T318]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
+[  238.029940][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
+[  238.029944][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+...
+[  238.029957][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
+[  238.029969][  T318]  kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)
+[  238.029979][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
+[  238.029989][  T318]  check_slab_allocation (mm/kasan/common.c:231)
+[  238.029995][  T318]  kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))
+[  238.030004][  T318]  skb_release_data (net/core/skbuff.c:1139)
+...
+[  238.030025][  T318]  sk_skb_reason_drop (net/core/skbuff.c:1256)
+[  238.030032][  T318]  pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)
+[  238.030039][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+...
+[  238.030054][  T318]  qdisc_reset (net/sched/sch_generic.c:1034)
+[  238.030062][  T318]  teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)
+[  238.030071][  T318]  __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)
+[  238.030077][  T318]  qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)
+[  238.030089][  T318]  ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)
+[  238.030095][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[  238.030102][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[  238.030106][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[  238.030114][  T318]  tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)
+...
+[  238.072958][  T318] Allocated by task 303 on cpu 5 at 238.026275s:
+[  238.073392][  T318]  kasan_save_stack (mm/kasan/common.c:58)
+[  238.073884][  T318]  kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
+[  238.074230][  T318]  __kasan_slab_alloc (mm/kasan/common.c:369)
+[  238.074578][  T318]  kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)
+[  238.076091][  T318]  kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))
+[  238.076450][  T318]  __alloc_skb (net/core/skbuff.c:713)
+[  238.076834][  T318]  alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)
+[  238.077178][  T318]  sock_alloc_send_pskb (net/core/sock.c:2997)
+[  238.077520][  T318]  packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)
+[  238.081469][  T318]
+[  238.081870][  T318] Freed by task 299 on cpu 1 at 238.028496s:
+[  238.082761][  T318]  kasan_save_stack (mm/kasan/common.c:58)
+[  238.083481][  T318]  kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
+[  238.085348][  T318]  kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))
+[  238.085900][  T318]  __kasan_slab_free (mm/kasan/common.c:287)
+[  238.086439][  T318]  kmem_cache_free (mm/slub.c:6168 (discriminator 3) mm/slub.c:6298 (discriminator 3))
+[  238.087007][  T318]  skb_release_data (net/core/skbuff.c:1139)
+[  238.087491][  T318]  consume_skb (net/core/skbuff.c:1451)
+[  238.087757][  T318]  teql_master_xmit (net/sched/sch_teql.c:358)
+[  238.088116][  T318]  dev_hard_start_xmit (./include/linux/netdevice.h:5324 ./include/linux/netdevice.h:5333 net/core/dev.c:3871 net/core/dev.c:3887)
+[  238.088468][  T318]  sch_direct_xmit (net/sched/sch_generic.c:347)
+[  238.088820][  T318]  __qdisc_run (net/sched/sch_generic.c:420 (discriminator 1))
+[  238.089166][  T318]  __dev_queue_xmit (./include/net/sch_generic.h:229 ./include/net/pkt_sched.h:121 ./include/net/pkt_sched.h:117 net/core/dev.c:4196 net/core/dev.c:4802)
+
+Workflow to reproduce:
+1. Initialize a TEQL topology (dummy0 and ifb0 as slaves, teql0 up).
+2. Start multiple sender workers continuously transmitting packets
+   through teql0 to drive teql_master_xmit().
+3. In parallel, repeatedly delete and re-add the root qdisc on
+   dummy0 and ifb0 via RTNETLINK, forcing frequent teardown and reset activity
+   (teql_destroy() / qdisc_reset()).
+4. After running both workloads concurrently for several iterations,
+   KASAN reports slab-use-after-free or double-free in the skb free path.
+
+Fix this by moving dev_reset_queue to sch_generic.h and calling it, instead
+of qdisc_reset, in teql_destroy since it handles both the lock and lockless
+cases correctly for root qdiscs.
+
+Fixes: 96009c7d500e ("sched: replace __QDISC_STATE_RUNNING bit with a spin lock")
+Reported-by: Xianrui Dong <keenanat2000@gmail.com>
+Tested-by: Xianrui Dong <keenanat2000@gmail.com>
+Co-developed-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260315155422.147256-1-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sch_generic.h | 28 ++++++++++++++++++++++++++++
+ net/sched/sch_generic.c   | 27 ---------------------------
+ net/sched/sch_teql.c      |  7 ++-----
+ 3 files changed, 30 insertions(+), 32 deletions(-)
+
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index 1518454c906e1..84c86decebdfa 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -696,6 +696,34 @@ void qdisc_destroy(struct Qdisc *qdisc);
+ void qdisc_put(struct Qdisc *qdisc);
+ void qdisc_put_unlocked(struct Qdisc *qdisc);
+ void qdisc_tree_reduce_backlog(struct Qdisc *qdisc, int n, int len);
++
++static inline void dev_reset_queue(struct net_device *dev,
++                                 struct netdev_queue *dev_queue,
++                                 void *_unused)
++{
++      struct Qdisc *qdisc;
++      bool nolock;
++
++      qdisc = rtnl_dereference(dev_queue->qdisc_sleeping);
++      if (!qdisc)
++              return;
++
++      nolock = qdisc->flags & TCQ_F_NOLOCK;
++
++      if (nolock)
++              spin_lock_bh(&qdisc->seqlock);
++      spin_lock_bh(qdisc_lock(qdisc));
++
++      qdisc_reset(qdisc);
++
++      spin_unlock_bh(qdisc_lock(qdisc));
++      if (nolock) {
++              clear_bit(__QDISC_STATE_MISSED, &qdisc->state);
++              clear_bit(__QDISC_STATE_DRAINING, &qdisc->state);
++              spin_unlock_bh(&qdisc->seqlock);
++      }
++}
++
+ #ifdef CONFIG_NET_SCHED
+ int qdisc_offload_dump_helper(struct Qdisc *q, enum tc_setup_type type,
+                             void *type_data);
+diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
+index 7dee9748a56be..30d77ad7b81d2 100644
+--- a/net/sched/sch_generic.c
++++ b/net/sched/sch_generic.c
+@@ -1297,33 +1297,6 @@ static void dev_deactivate_queue(struct net_device *dev,
+       }
+ }
+-static void dev_reset_queue(struct net_device *dev,
+-                          struct netdev_queue *dev_queue,
+-                          void *_unused)
+-{
+-      struct Qdisc *qdisc;
+-      bool nolock;
+-
+-      qdisc = rtnl_dereference(dev_queue->qdisc_sleeping);
+-      if (!qdisc)
+-              return;
+-
+-      nolock = qdisc->flags & TCQ_F_NOLOCK;
+-
+-      if (nolock)
+-              spin_lock_bh(&qdisc->seqlock);
+-      spin_lock_bh(qdisc_lock(qdisc));
+-
+-      qdisc_reset(qdisc);
+-
+-      spin_unlock_bh(qdisc_lock(qdisc));
+-      if (nolock) {
+-              clear_bit(__QDISC_STATE_MISSED, &qdisc->state);
+-              clear_bit(__QDISC_STATE_DRAINING, &qdisc->state);
+-              spin_unlock_bh(&qdisc->seqlock);
+-      }
+-}
+-
+ static bool some_qdisc_is_busy(struct net_device *dev)
+ {
+       unsigned int i;
+diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
+index 783300d8b0197..ec4039a201a2c 100644
+--- a/net/sched/sch_teql.c
++++ b/net/sched/sch_teql.c
+@@ -146,15 +146,12 @@ teql_destroy(struct Qdisc *sch)
+                                       master->slaves = NEXT_SLAVE(q);
+                                       if (q == master->slaves) {
+                                               struct netdev_queue *txq;
+-                                              spinlock_t *root_lock;
+                                               txq = netdev_get_tx_queue(master->dev, 0);
+                                               master->slaves = NULL;
+-                                              root_lock = qdisc_root_sleeping_lock(rtnl_dereference(txq->qdisc));
+-                                              spin_lock_bh(root_lock);
+-                                              qdisc_reset(rtnl_dereference(txq->qdisc));
+-                                              spin_unlock_bh(root_lock);
++                                              dev_reset_queue(master->dev,
++                                                              txq, NULL);
+                                       }
+                               }
+                               skb_queue_purge(&dat->q);
+-- 
+2.51.0
+
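Review bot: dev_reset_queue() becomes a static inline in the public header include/net/sch_generic.h but carries no kerneldoc, and it keeps the `struct net_device *dev` and `void *_unused` parameters that only existed to fit the netdev_for_each_tx_queue() callback signature, so the new teql caller has to pass `master->dev, txq, NULL` for no effect. A kerneldoc block stating that the caller must hold RTNL (it uses rtnl_dereference()), that it resets dev_queue->qdisc_sleeping under the right lock for both locked and TCQ_F_NOLOCK qdiscs, and that the first and last parameters are ignored would make the contract clear at the new call site. Note also that teql_destroy() previously reset rtnl_dereference(txq->qdisc) and now resets qdisc_sleeping; I believe these coincide for an active device, but the difference deserves a sentence in the commit message. The inline now references __QDISC_STATE_MISSED, __QDISC_STATE_DRAINING and qdisc_lock() from the header — presumably all declared earlier in the same file, but worth confirming the declaration order.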
diff --git a/queue-6.18/net-shaper-protect-from-late-creation-of-hierarchy.patch b/queue-6.18/net-shaper-protect-from-late-creation-of-hierarchy.patch
new file mode 100644 (file)
index 0000000..88685ab
--- /dev/null
@@ -0,0 +1,397 @@
+From fee8a5a7ef83c2f8b5371c32e5e8fb0dbc355ebe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 09:10:14 -0700
+Subject: net: shaper: protect from late creation of hierarchy
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit d75ec7e8ba1979a1eb0b9211d94d749cdce849c8 ]
+
+We look up a netdev during prep of Netlink ops (pre- callbacks)
+and take a ref to it. Then later in the body of the callback
+we take its lock or RCU which are the actual protections.
+
+The netdev may get unregistered in between the time we take
+the ref and the time we lock it. We may allocate the hierarchy
+after flush has already run, which would lead to a leak.
+
+Take the instance lock in pre- already, this saves us from the race
+and removes the need for dedicated lock/unlock callbacks completely.
+After all, if there's any chance of write happening concurrently
+with the flush - we're back to leaking the hierarchy.
+
+We may take the lock for devices which don't support shapers but
+we're only dealing with SET operations here, not taking the lock
+would be optimizing for an error case.
+
+Fixes: 93954b40f6a4 ("net-shapers: implement NL set and delete operations")
+Link: https://lore.kernel.org/20260309173450.538026-1-p@1g4.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://patch.msgid.link/20260317161014.779569-2-kuba@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/netlink/specs/net_shaper.yaml |  12 +-
+ net/shaper/shaper.c                         | 134 +++++++++++---------
+ net/shaper/shaper_nl_gen.c                  |  12 +-
+ net/shaper/shaper_nl_gen.h                  |   5 +
+ 4 files changed, 89 insertions(+), 74 deletions(-)
+
+diff --git a/Documentation/netlink/specs/net_shaper.yaml b/Documentation/netlink/specs/net_shaper.yaml
+index 0b1b54be48f92..3f2ad772b64b1 100644
+--- a/Documentation/netlink/specs/net_shaper.yaml
++++ b/Documentation/netlink/specs/net_shaper.yaml
+@@ -247,8 +247,8 @@ operations:
+       flags: [admin-perm]
+       do:
+-        pre: net-shaper-nl-pre-doit
+-        post: net-shaper-nl-post-doit
++        pre: net-shaper-nl-pre-doit-write
++        post: net-shaper-nl-post-doit-write
+         request:
+           attributes:
+             - ifindex
+@@ -278,8 +278,8 @@ operations:
+       flags: [admin-perm]
+       do:
+-        pre: net-shaper-nl-pre-doit
+-        post: net-shaper-nl-post-doit
++        pre: net-shaper-nl-pre-doit-write
++        post: net-shaper-nl-post-doit-write
+         request:
+           attributes: *ns-binding
+@@ -309,8 +309,8 @@ operations:
+       flags: [admin-perm]
+       do:
+-        pre: net-shaper-nl-pre-doit
+-        post: net-shaper-nl-post-doit
++        pre: net-shaper-nl-pre-doit-write
++        post: net-shaper-nl-post-doit-write
+         request:
+           attributes:
+             - ifindex
+diff --git a/net/shaper/shaper.c b/net/shaper/shaper.c
+index 081dac917dc2d..be9999ab62e39 100644
+--- a/net/shaper/shaper.c
++++ b/net/shaper/shaper.c
+@@ -36,24 +36,6 @@ static struct net_shaper_binding *net_shaper_binding_from_ctx(void *ctx)
+       return &((struct net_shaper_nl_ctx *)ctx)->binding;
+ }
+-static void net_shaper_lock(struct net_shaper_binding *binding)
+-{
+-      switch (binding->type) {
+-      case NET_SHAPER_BINDING_TYPE_NETDEV:
+-              netdev_lock(binding->netdev);
+-              break;
+-      }
+-}
+-
+-static void net_shaper_unlock(struct net_shaper_binding *binding)
+-{
+-      switch (binding->type) {
+-      case NET_SHAPER_BINDING_TYPE_NETDEV:
+-              netdev_unlock(binding->netdev);
+-              break;
+-      }
+-}
+-
+ static struct net_shaper_hierarchy *
+ net_shaper_hierarchy(struct net_shaper_binding *binding)
+ {
+@@ -219,12 +201,49 @@ static int net_shaper_ctx_setup(const struct genl_info *info, int type,
+       return 0;
+ }
++/* Like net_shaper_ctx_setup(), but for "write" handlers (never for dumps!)
++ * Acquires the lock protecting the hierarchy (instance lock for netdev).
++ */
++static int net_shaper_ctx_setup_lock(const struct genl_info *info, int type,
++                                   struct net_shaper_nl_ctx *ctx)
++{
++      struct net *ns = genl_info_net(info);
++      struct net_device *dev;
++      int ifindex;
++
++      if (GENL_REQ_ATTR_CHECK(info, type))
++              return -EINVAL;
++
++      ifindex = nla_get_u32(info->attrs[type]);
++      dev = netdev_get_by_index_lock(ns, ifindex);
++      if (!dev) {
++              NL_SET_BAD_ATTR(info->extack, info->attrs[type]);
++              return -ENOENT;
++      }
++
++      if (!dev->netdev_ops->net_shaper_ops) {
++              NL_SET_BAD_ATTR(info->extack, info->attrs[type]);
++              netdev_unlock(dev);
++              return -EOPNOTSUPP;
++      }
++
++      ctx->binding.type = NET_SHAPER_BINDING_TYPE_NETDEV;
++      ctx->binding.netdev = dev;
++      return 0;
++}
++
+ static void net_shaper_ctx_cleanup(struct net_shaper_nl_ctx *ctx)
+ {
+       if (ctx->binding.type == NET_SHAPER_BINDING_TYPE_NETDEV)
+               netdev_put(ctx->binding.netdev, &ctx->dev_tracker);
+ }
++static void net_shaper_ctx_cleanup_unlock(struct net_shaper_nl_ctx *ctx)
++{
++      if (ctx->binding.type == NET_SHAPER_BINDING_TYPE_NETDEV)
++              netdev_unlock(ctx->binding.netdev);
++}
++
+ static u32 net_shaper_handle_to_index(const struct net_shaper_handle *handle)
+ {
+       return FIELD_PREP(NET_SHAPER_SCOPE_MASK, handle->scope) |
+@@ -278,7 +297,7 @@ net_shaper_lookup(struct net_shaper_binding *binding,
+ }
+ /* Allocate on demand the per device shaper's hierarchy container.
+- * Called under the net shaper lock
++ * Called under the lock protecting the hierarchy (instance lock for netdev)
+  */
+ static struct net_shaper_hierarchy *
+ net_shaper_hierarchy_setup(struct net_shaper_binding *binding)
+@@ -697,6 +716,22 @@ void net_shaper_nl_post_doit(const struct genl_split_ops *ops,
+       net_shaper_generic_post(info);
+ }
++int net_shaper_nl_pre_doit_write(const struct genl_split_ops *ops,
++                              struct sk_buff *skb, struct genl_info *info)
++{
++      struct net_shaper_nl_ctx *ctx = (struct net_shaper_nl_ctx *)info->ctx;
++
++      BUILD_BUG_ON(sizeof(*ctx) > sizeof(info->ctx));
++
++      return net_shaper_ctx_setup_lock(info, NET_SHAPER_A_IFINDEX, ctx);
++}
++
++void net_shaper_nl_post_doit_write(const struct genl_split_ops *ops,
++                                 struct sk_buff *skb, struct genl_info *info)
++{
++      net_shaper_ctx_cleanup_unlock((struct net_shaper_nl_ctx *)info->ctx);
++}
++
+ int net_shaper_nl_pre_dumpit(struct netlink_callback *cb)
+ {
+       struct net_shaper_nl_ctx *ctx = (struct net_shaper_nl_ctx *)cb->ctx;
+@@ -824,45 +859,38 @@ int net_shaper_nl_set_doit(struct sk_buff *skb, struct genl_info *info)
+       binding = net_shaper_binding_from_ctx(info->ctx);
+-      net_shaper_lock(binding);
+       ret = net_shaper_parse_info(binding, info->attrs, info, &shaper,
+                                   &exists);
+       if (ret)
+-              goto unlock;
++              return ret;
+       if (!exists)
+               net_shaper_default_parent(&shaper.handle, &shaper.parent);
+       hierarchy = net_shaper_hierarchy_setup(binding);
+-      if (!hierarchy) {
+-              ret = -ENOMEM;
+-              goto unlock;
+-      }
++      if (!hierarchy)
++              return -ENOMEM;
+       /* The 'set' operation can't create node-scope shapers. */
+       handle = shaper.handle;
+       if (handle.scope == NET_SHAPER_SCOPE_NODE &&
+-          !net_shaper_lookup(binding, &handle)) {
+-              ret = -ENOENT;
+-              goto unlock;
+-      }
++          !net_shaper_lookup(binding, &handle))
++              return -ENOENT;
+       ret = net_shaper_pre_insert(binding, &handle, info->extack);
+       if (ret)
+-              goto unlock;
++              return ret;
+       ops = net_shaper_ops(binding);
+       ret = ops->set(binding, &shaper, info->extack);
+       if (ret) {
+               net_shaper_rollback(binding);
+-              goto unlock;
++              return ret;
+       }
+       net_shaper_commit(binding, 1, &shaper);
+-unlock:
+-      net_shaper_unlock(binding);
+-      return ret;
++      return 0;
+ }
+ static int __net_shaper_delete(struct net_shaper_binding *binding,
+@@ -1091,35 +1119,26 @@ int net_shaper_nl_delete_doit(struct sk_buff *skb, struct genl_info *info)
+       binding = net_shaper_binding_from_ctx(info->ctx);
+-      net_shaper_lock(binding);
+       ret = net_shaper_parse_handle(info->attrs[NET_SHAPER_A_HANDLE], info,
+                                     &handle);
+       if (ret)
+-              goto unlock;
++              return ret;
+       hierarchy = net_shaper_hierarchy(binding);
+-      if (!hierarchy) {
+-              ret = -ENOENT;
+-              goto unlock;
+-      }
++      if (!hierarchy)
++              return -ENOENT;
+       shaper = net_shaper_lookup(binding, &handle);
+-      if (!shaper) {
+-              ret = -ENOENT;
+-              goto unlock;
+-      }
++      if (!shaper)
++              return -ENOENT;
+       if (handle.scope == NET_SHAPER_SCOPE_NODE) {
+               ret = net_shaper_pre_del_node(binding, shaper, info->extack);
+               if (ret)
+-                      goto unlock;
++                      return ret;
+       }
+-      ret = __net_shaper_delete(binding, shaper, info->extack);
+-
+-unlock:
+-      net_shaper_unlock(binding);
+-      return ret;
++      return __net_shaper_delete(binding, shaper, info->extack);
+ }
+ static int net_shaper_group_send_reply(struct net_shaper_binding *binding,
+@@ -1168,21 +1187,17 @@ int net_shaper_nl_group_doit(struct sk_buff *skb, struct genl_info *info)
+       if (!net_shaper_ops(binding)->group)
+               return -EOPNOTSUPP;
+-      net_shaper_lock(binding);
+       leaves_count = net_shaper_list_len(info, NET_SHAPER_A_LEAVES);
+       if (!leaves_count) {
+               NL_SET_BAD_ATTR(info->extack,
+                               info->attrs[NET_SHAPER_A_LEAVES]);
+-              ret = -EINVAL;
+-              goto unlock;
++              return -EINVAL;
+       }
+       leaves = kcalloc(leaves_count, sizeof(struct net_shaper) +
+                        sizeof(struct net_shaper *), GFP_KERNEL);
+-      if (!leaves) {
+-              ret = -ENOMEM;
+-              goto unlock;
+-      }
++      if (!leaves)
++              return -ENOMEM;
+       old_nodes = (void *)&leaves[leaves_count];
+       ret = net_shaper_parse_node(binding, info->attrs, info, &node);
+@@ -1259,9 +1274,6 @@ int net_shaper_nl_group_doit(struct sk_buff *skb, struct genl_info *info)
+ free_leaves:
+       kfree(leaves);
+-
+-unlock:
+-      net_shaper_unlock(binding);
+       return ret;
+ free_msg:
+@@ -1371,14 +1383,12 @@ static void net_shaper_flush(struct net_shaper_binding *binding)
+       if (!hierarchy)
+               return;
+-      net_shaper_lock(binding);
+       xa_lock(&hierarchy->shapers);
+       xa_for_each(&hierarchy->shapers, index, cur) {
+               __xa_erase(&hierarchy->shapers, index);
+               kfree(cur);
+       }
+       xa_unlock(&hierarchy->shapers);
+-      net_shaper_unlock(binding);
+       kfree(hierarchy);
+ }
+diff --git a/net/shaper/shaper_nl_gen.c b/net/shaper/shaper_nl_gen.c
+index 204c8ae8c7b14..c52abf13ff0c9 100644
+--- a/net/shaper/shaper_nl_gen.c
++++ b/net/shaper/shaper_nl_gen.c
+@@ -98,27 +98,27 @@ static const struct genl_split_ops net_shaper_nl_ops[] = {
+       },
+       {
+               .cmd            = NET_SHAPER_CMD_SET,
+-              .pre_doit       = net_shaper_nl_pre_doit,
++              .pre_doit       = net_shaper_nl_pre_doit_write,
+               .doit           = net_shaper_nl_set_doit,
+-              .post_doit      = net_shaper_nl_post_doit,
++              .post_doit      = net_shaper_nl_post_doit_write,
+               .policy         = net_shaper_set_nl_policy,
+               .maxattr        = NET_SHAPER_A_IFINDEX,
+               .flags          = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+       },
+       {
+               .cmd            = NET_SHAPER_CMD_DELETE,
+-              .pre_doit       = net_shaper_nl_pre_doit,
++              .pre_doit       = net_shaper_nl_pre_doit_write,
+               .doit           = net_shaper_nl_delete_doit,
+-              .post_doit      = net_shaper_nl_post_doit,
++              .post_doit      = net_shaper_nl_post_doit_write,
+               .policy         = net_shaper_delete_nl_policy,
+               .maxattr        = NET_SHAPER_A_IFINDEX,
+               .flags          = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+       },
+       {
+               .cmd            = NET_SHAPER_CMD_GROUP,
+-              .pre_doit       = net_shaper_nl_pre_doit,
++              .pre_doit       = net_shaper_nl_pre_doit_write,
+               .doit           = net_shaper_nl_group_doit,
+-              .post_doit      = net_shaper_nl_post_doit,
++              .post_doit      = net_shaper_nl_post_doit_write,
+               .policy         = net_shaper_group_nl_policy,
+               .maxattr        = NET_SHAPER_A_LEAVES,
+               .flags          = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+diff --git a/net/shaper/shaper_nl_gen.h b/net/shaper/shaper_nl_gen.h
+index cb7f9026fc239..1e20eebdedd71 100644
+--- a/net/shaper/shaper_nl_gen.h
++++ b/net/shaper/shaper_nl_gen.h
+@@ -17,12 +17,17 @@ extern const struct nla_policy net_shaper_leaf_info_nl_policy[NET_SHAPER_A_WEIGH
+ int net_shaper_nl_pre_doit(const struct genl_split_ops *ops,
+                          struct sk_buff *skb, struct genl_info *info);
++int net_shaper_nl_pre_doit_write(const struct genl_split_ops *ops,
++                               struct sk_buff *skb, struct genl_info *info);
+ int net_shaper_nl_cap_pre_doit(const struct genl_split_ops *ops,
+                              struct sk_buff *skb, struct genl_info *info);
+ void
+ net_shaper_nl_post_doit(const struct genl_split_ops *ops, struct sk_buff *skb,
+                       struct genl_info *info);
+ void
++net_shaper_nl_post_doit_write(const struct genl_split_ops *ops,
++                            struct sk_buff *skb, struct genl_info *info);
++void
+ net_shaper_nl_cap_post_doit(const struct genl_split_ops *ops,
+                           struct sk_buff *skb, struct genl_info *info);
+ int net_shaper_nl_pre_dumpit(struct netlink_callback *cb);
+-- 
+2.51.0
+
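Review bot: net_shaper_flush() (its signature sits outside the hunk) loses its own locking in the last shaper.c hunk, so from this commit on it is only correct if every caller already holds the netdev instance lock, yet nothing in the function asserts or documents that. Suggest `netdev_assert_locked(binding->netdev);` right after the `if (!hierarchy) return;` guard, or at least a header comment `/* Caller must hold the lock protecting the hierarchy (instance lock for netdev). */` if a non-netdev binding type is anticipated, and the same assertion in net_shaper_hierarchy_setup(), whose updated comment now promises the lock but does not enforce it. The new net_shaper_ctx_setup_lock() pairs netdev_get_by_index_lock() with a bare netdev_unlock() both in its error path and in net_shaper_ctx_cleanup_unlock(), so the device appears to be pinned by the lock rather than by a reference and ctx->dev_tracker goes unused for write handlers; a one-line comment saying so, e.g. `/* dev is kept alive by the instance lock, no reference is taken */`, would save the next reader from hunting for a missing netdev_put().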
diff --git a/queue-6.18/net-shaper-protect-late-read-accesses-to-the-hierarc.patch b/queue-6.18/net-shaper-protect-late-read-accesses-to-the-hierarc.patch
new file mode 100644 (file)
index 0000000..9b5c65e
--- /dev/null
@@ -0,0 +1,94 @@
+From 398e25075be45d55a2dcf72a23d09179e24f7366 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 09:10:13 -0700
+Subject: net: shaper: protect late read accesses to the hierarchy
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 0f9ea7141f365b4f27226898e62220fb98ef8dc6 ]
+
+We look up a netdev during prep of Netlink ops (pre- callbacks)
+and take a ref to it. Then later in the body of the callback
+we take its lock or RCU which are the actual protections.
+
+This is not proper, a conversion from a ref to a locked netdev
+must include a liveness check (a check if the netdev hasn't been
+unregistered already). Fix the read cases (those under RCU).
+Writes needs a separate change to protect from creating the
+hierarchy after flush has already run.
+
+Fixes: 4b623f9f0f59 ("net-shapers: implement NL get operation")
+Reported-by: Paul Moses <p@1g4.org>
+Link: https://lore.kernel.org/20260309173450.538026-1-p@1g4.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://patch.msgid.link/20260317161014.779569-1-kuba@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/shaper/shaper.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/net/shaper/shaper.c b/net/shaper/shaper.c
+index 318a0567a6981..081dac917dc2d 100644
+--- a/net/shaper/shaper.c
++++ b/net/shaper/shaper.c
+@@ -65,6 +65,21 @@ net_shaper_hierarchy(struct net_shaper_binding *binding)
+       return NULL;
+ }
++static struct net_shaper_hierarchy *
++net_shaper_hierarchy_rcu(struct net_shaper_binding *binding)
++{
++      /* Readers look up the device and take a ref, then take RCU lock
++       * later at which point netdev may have been unregistered and flushed.
++       * READ_ONCE() pairs with WRITE_ONCE() in net_shaper_hierarchy_setup.
++       */
++      if (binding->type == NET_SHAPER_BINDING_TYPE_NETDEV &&
++          READ_ONCE(binding->netdev->reg_state) <= NETREG_REGISTERED)
++              return READ_ONCE(binding->netdev->net_shaper_hierarchy);
++
++      /* No other type supported yet. */
++      return NULL;
++}
++
+ static const struct net_shaper_ops *
+ net_shaper_ops(struct net_shaper_binding *binding)
+ {
+@@ -251,9 +266,10 @@ static struct net_shaper *
+ net_shaper_lookup(struct net_shaper_binding *binding,
+                 const struct net_shaper_handle *handle)
+ {
+-      struct net_shaper_hierarchy *hierarchy = net_shaper_hierarchy(binding);
+       u32 index = net_shaper_handle_to_index(handle);
++      struct net_shaper_hierarchy *hierarchy;
++      hierarchy = net_shaper_hierarchy_rcu(binding);
+       if (!hierarchy || xa_get_mark(&hierarchy->shapers, index,
+                                     NET_SHAPER_NOT_VALID))
+               return NULL;
+@@ -778,17 +794,19 @@ int net_shaper_nl_get_dumpit(struct sk_buff *skb,
+       /* Don't error out dumps performed before any set operation. */
+       binding = net_shaper_binding_from_ctx(ctx);
+-      hierarchy = net_shaper_hierarchy(binding);
+-      if (!hierarchy)
+-              return 0;
+       rcu_read_lock();
++      hierarchy = net_shaper_hierarchy_rcu(binding);
++      if (!hierarchy)
++              goto out_unlock;
++
+       for (; (shaper = xa_find(&hierarchy->shapers, &ctx->start_index,
+                                U32_MAX, XA_PRESENT)); ctx->start_index++) {
+               ret = net_shaper_fill_one(skb, binding, shaper, info);
+               if (ret)
+                       break;
+       }
++out_unlock:
+       rcu_read_unlock();
+       return ret;
+-- 
+2.51.0
+
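Review bot: The comment `/* Don't error out dumps performed before any set operation. */` above the rcu_read_lock() in net_shaper_nl_get_dumpit() no longer describes the only case that reaches `goto out_unlock`: net_shaper_hierarchy_rcu() also returns NULL once `reg_state` has moved past NETREG_REGISTERED, i.e. after the device has been unregistered and its hierarchy flushed. Suggest widening it to `/* Don't error out dumps performed before any set operation, or racing with device unregistration (hierarchy already flushed). */`. The function's `ret` is declared outside the hunk and the new early exit returns it, so the change relies on `ret` starting at 0 as the old `return 0` did; worth confirming on the 6.18 tree when backporting.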
diff --git a/queue-6.18/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch b/queue-6.18/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch
new file mode 100644 (file)
index 0000000..8147e54
--- /dev/null
@@ -0,0 +1,208 @@
+From 5eb7a708d74e15f5b0d31e7d19ce2a9c9ce061e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 17:29:07 +0800
+Subject: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
+
+From: Jiayuan Chen <jiayuan.chen@shopee.com>
+
+[ Upstream commit 6d5e4538364b9ceb1ac2941a4deb86650afb3538 ]
+
+Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].
+
+smc_tcp_syn_recv_sock() is called in the TCP receive path
+(softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP
+listening socket). It reads sk_user_data to get the smc_sock
+pointer. However, when the SMC listen socket is being closed
+concurrently, smc_close_active() sets clcsock->sk_user_data
+to NULL under sk_callback_lock, and then the smc_sock itself
+can be freed via sock_put() in smc_release().
+
+This leads to two issues:
+
+1) NULL pointer dereference: sk_user_data is NULL when
+   accessed.
+2) Use-after-free: sk_user_data is read as non-NULL, but the
+   smc_sock is freed before its fields (e.g., queued_smc_hs,
+   ori_af_ops) are accessed.
+
+The race window looks like this (the syzkaller crash [1]
+triggers via the SYN cookie path: tcp_get_cookie_sock() ->
+smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path
+has the same race):
+
+  CPU A (softirq)              CPU B (process ctx)
+
+  tcp_v4_rcv()
+    TCP_NEW_SYN_RECV:
+    sk = req->rsk_listener
+    sock_hold(sk)
+    /* No lock on listener */
+                               smc_close_active():
+                                 write_lock_bh(cb_lock)
+                                 sk_user_data = NULL
+                                 write_unlock_bh(cb_lock)
+                                 ...
+                                 smc_clcsock_release()
+                                 sock_put(smc->sk) x2
+                                   -> smc_sock freed!
+    tcp_check_req()
+      smc_tcp_syn_recv_sock():
+        smc = user_data(sk)
+          -> NULL or dangling
+        smc->queued_smc_hs
+          -> crash!
+
+Note that the clcsock and smc_sock are two independent objects
+with separate refcounts. TCP stack holds a reference on the
+clcsock, which keeps it alive, but this does NOT prevent the
+smc_sock from being freed.
+
+Fix this by using RCU and refcount_inc_not_zero() to safely
+access smc_sock. Since smc_tcp_syn_recv_sock() is called in
+the TCP three-way handshake path, taking read_lock_bh on
+sk_callback_lock is too heavy and would not survive a SYN
+flood attack. Using rcu_read_lock() is much more lightweight.
+
+- Set SOCK_RCU_FREE on the SMC listen socket so that
+  smc_sock freeing is deferred until after the RCU grace
+  period. This guarantees the memory is still valid when
+  accessed inside rcu_read_lock().
+- Use rcu_read_lock() to protect reading sk_user_data.
+- Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the
+  smc_sock. If the refcount has already reached zero (close
+  path completed), it returns false and we bail out safely.
+
+Note: smc_hs_congested() has a similar lockless read of
+sk_user_data without rcu_read_lock(), but it only checks for
+NULL and accesses the global smc_hs_wq, never dereferencing
+any smc_sock field, so it is not affected.
+
+Reproducer was verified with mdelay injection and smc_run,
+the issue no longer occurs with this patch applied.
+
+[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9
+
+Fixes: 8270d9c21041 ("net/smc: Limit backlog connections")
+Reported-by: syzbot+827ae2bfb3a3529333e9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67eaf9b8.050a0220.3c3d88.004a.GAE@google.com/T/
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Link: https://patch.msgid.link/20260312092909.48325-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c    | 23 +++++++++++++++++------
+ net/smc/smc.h       |  5 +++++
+ net/smc/smc_close.c |  2 +-
+ 3 files changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index efdadb2d8d390..6421c2e1c84de 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -131,7 +131,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
+       struct smc_sock *smc;
+       struct sock *child;
+-      smc = smc_clcsock_user_data(sk);
++      rcu_read_lock();
++      smc = smc_clcsock_user_data_rcu(sk);
++      if (!smc || !refcount_inc_not_zero(&smc->sk.sk_refcnt)) {
++              rcu_read_unlock();
++              smc = NULL;
++              goto drop;
++      }
++      rcu_read_unlock();
+       if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
+                               sk->sk_max_ack_backlog)
+@@ -153,11 +160,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
+               if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
+                       inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
+       }
++      sock_put(&smc->sk);
+       return child;
+ drop:
+       dst_release(dst);
+       tcp_listendrop(sk);
++      if (smc)
++              sock_put(&smc->sk);
+       return NULL;
+ }
+@@ -254,7 +264,7 @@ static void smc_fback_restore_callbacks(struct smc_sock *smc)
+       struct sock *clcsk = smc->clcsock->sk;
+       write_lock_bh(&clcsk->sk_callback_lock);
+-      clcsk->sk_user_data = NULL;
++      rcu_assign_sk_user_data(clcsk, NULL);
+       smc_clcsock_restore_cb(&clcsk->sk_state_change, &smc->clcsk_state_change);
+       smc_clcsock_restore_cb(&clcsk->sk_data_ready, &smc->clcsk_data_ready);
+@@ -902,7 +912,7 @@ static void smc_fback_replace_callbacks(struct smc_sock *smc)
+       struct sock *clcsk = smc->clcsock->sk;
+       write_lock_bh(&clcsk->sk_callback_lock);
+-      clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
++      __rcu_assign_sk_user_data_with_flags(clcsk, smc, SK_USER_DATA_NOCOPY);
+       smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change,
+                              &smc->clcsk_state_change);
+@@ -2665,8 +2675,8 @@ int smc_listen(struct socket *sock, int backlog)
+        * smc-specific sk_data_ready function
+        */
+       write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+-      smc->clcsock->sk->sk_user_data =
+-              (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
++      __rcu_assign_sk_user_data_with_flags(smc->clcsock->sk, smc,
++                                           SK_USER_DATA_NOCOPY);
+       smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready,
+                              smc_clcsock_data_ready, &smc->clcsk_data_ready);
+       write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+@@ -2687,10 +2697,11 @@ int smc_listen(struct socket *sock, int backlog)
+               write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+               smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+                                      &smc->clcsk_data_ready);
+-              smc->clcsock->sk->sk_user_data = NULL;
++              rcu_assign_sk_user_data(smc->clcsock->sk, NULL);
+               write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+               goto out;
+       }
++      sock_set_flag(sk, SOCK_RCU_FREE);
+       sk->sk_max_ack_backlog = backlog;
+       sk->sk_ack_backlog = 0;
+       sk->sk_state = SMC_LISTEN;
+diff --git a/net/smc/smc.h b/net/smc/smc.h
+index 2c90849637398..ea45467c11409 100644
+--- a/net/smc/smc.h
++++ b/net/smc/smc.h
+@@ -346,6 +346,11 @@ static inline struct smc_sock *smc_clcsock_user_data(const struct sock *clcsk)
+              ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY);
+ }
++static inline struct smc_sock *smc_clcsock_user_data_rcu(const struct sock *clcsk)
++{
++      return (struct smc_sock *)rcu_dereference_sk_user_data(clcsk);
++}
++
+ /* save target_cb in saved_cb, and replace target_cb with new_cb */
+ static inline void smc_clcsock_replace_cb(void (**target_cb)(struct sock *),
+                                         void (*new_cb)(struct sock *),
+diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
+index 10219f55aad14..bb0313ef5f7c1 100644
+--- a/net/smc/smc_close.c
++++ b/net/smc/smc_close.c
+@@ -218,7 +218,7 @@ int smc_close_active(struct smc_sock *smc)
+                       write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+                       smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+                                              &smc->clcsk_data_ready);
+-                      smc->clcsock->sk->sk_user_data = NULL;
++                      rcu_assign_sk_user_data(smc->clcsock->sk, NULL);
+                       write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+                       rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
+               }
+-- 
+2.51.0
+
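Review bot: The `sock_set_flag(sk, SOCK_RCU_FREE)` added in smc_listen() and the `smc = NULL; goto drop;` bail-out in smc_tcp_syn_recv_sock() carry no comment, although each is only meaningful given the other: the flag is what keeps `smc` readable inside the rcu_read_lock() section, and `smc = NULL` is what tells the `drop:` label whether a failed refcount_inc_not_zero() or a held reference got there. Suggest `/* smc_tcp_syn_recv_sock() reads sk_user_data under RCU only; defer freeing the smc_sock past the grace period */` above the sock_set_flag() call, and `/* listener is being closed: smc_sock already gone or dying */` above the bail-out. The smc_hs_congested() caveat from the commit message (its lockless sk_user_data read is safe only because no smc_sock field is dereferenced) would be worth recording as a comment at that function, which lies outside this hunk.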
diff --git a/queue-6.18/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch b/queue-6.18/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
new file mode 100644 (file)
index 0000000..a1df3cd
--- /dev/null
@@ -0,0 +1,69 @@
+From 74f41f7316f9a4506a48b59a4e1b73293cc06a77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 16:16:43 +0200
+Subject: net: usb: aqc111: Do not perform PM inside suspend callback
+
+From: Nikola Z. Ivanov <zlatistiv@gmail.com>
+
+[ Upstream commit 069c8f5aebe4d5224cf62acc7d4b3486091c658a ]
+
+syzbot reports "task hung in rpm_resume"
+
+This is caused by aqc111_suspend calling
+the PM variant of its write_cmd routine.
+
+The simplified call trace looks like this:
+
+rpm_suspend()
+  usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING
+    aqc111_suspend() - called for the usb device interface
+      aqc111_write32_cmd()
+        usb_autopm_get_interface()
+          pm_runtime_resume_and_get()
+            rpm_resume() - here we call rpm_resume() on our parent
+              rpm_resume() - Here we wait for a status change that will never happen.
+
+At this point we block another task which holds
+rtnl_lock and locks up the whole networking stack.
+
+Fix this by replacing the write_cmd calls with their _nopm variants
+
+Reported-by: syzbot+48dc1e8dfc92faf1124c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=48dc1e8dfc92faf1124c
+Fixes: e58ba4544c77 ("net: usb: aqc111: Add support for wake on LAN by MAGIC packet")
+Signed-off-by: Nikola Z. Ivanov <zlatistiv@gmail.com>
+Link: https://patch.msgid.link/20260313141643.1181386-1-zlatistiv@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/aqc111.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c
+index 9201ee10a13f7..d316aa66dbc23 100644
+--- a/drivers/net/usb/aqc111.c
++++ b/drivers/net/usb/aqc111.c
+@@ -1400,14 +1400,14 @@ static int aqc111_suspend(struct usb_interface *intf, pm_message_t message)
+               aqc111_write16_cmd_nopm(dev, AQ_ACCESS_MAC,
+                                       SFR_MEDIUM_STATUS_MODE, 2, &reg16);
+-              aqc111_write_cmd(dev, AQ_WOL_CFG, 0, 0,
+-                               WOL_CFG_SIZE, &wol_cfg);
+-              aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0,
+-                                 &aqc111_data->phy_cfg);
++              aqc111_write_cmd_nopm(dev, AQ_WOL_CFG, 0, 0,
++                                    WOL_CFG_SIZE, &wol_cfg);
++              aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0,
++                                      &aqc111_data->phy_cfg);
+       } else {
+               aqc111_data->phy_cfg |= AQ_LOW_POWER;
+-              aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0,
+-                                 &aqc111_data->phy_cfg);
++              aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0,
++                                      &aqc111_data->phy_cfg);
+               /* Disable RX path */
+               aqc111_read16_cmd_nopm(dev, AQ_ACCESS_MAC,
+-- 
+2.51.0
+
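Review bot: The hunk converts the three `aqc111_write*_cmd()` calls visible here to their `_nopm` variants, but aqc111_suspend() begins well before line 1400 and continues after the hunk; any remaining non-`_nopm` register access in that function would re-enter usb_autopm_get_interface() while the parent is in RPM_SUSPENDING and hit the same rpm_resume() hang described in the commit message. Worth confirming that the whole suspend path now uses only the `_nopm` helpers. Return values of the converted calls are still ignored, which matches the surrounding `aqc111_write16_cmd_nopm()` usage, so no change is proposed there.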
diff --git a/queue-6.18/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch b/queue-6.18/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch
new file mode 100644 (file)
index 0000000..bc64652
--- /dev/null
@@ -0,0 +1,65 @@
+From f3ded2204311bc1326a538ad2412107fcff00fac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 22:46:39 -0700
+Subject: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check
+
+From: Tobi Gaertner <tob.gaertner@me.com>
+
+[ Upstream commit 2aa8a4fa8d5b7d0e1ebcec100e1a4d80a1f4b21a ]
+
+cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE
+entries fit within the skb. The first check correctly accounts for
+ndpoffset:
+
+  if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len)
+
+but the second check omits it:
+
+  if ((sizeof(struct usb_cdc_ncm_ndp16) +
+       ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len)
+
+This validates the DPE array size against the total skb length as if
+the NDP were at offset 0, rather than at ndpoffset. When the NDP is
+placed near the end of the NTB (large wNdpIndex), the DPE entries can
+extend past the skb data buffer even though the check passes.
+cdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating
+the DPE array.
+
+Add ndpoffset to the nframes bounds check and use struct_size_t() to
+express the NDP-plus-DPE-array size more clearly.
+
+Fixes: ff06ab13a4cc ("net: cdc_ncm: splitting rx_fixup for code reuse")
+Signed-off-by: Tobi Gaertner <tob.gaertner@me.com>
+Link: https://patch.msgid.link/20260314054640.2895026-2-tob.gaertner@me.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_ncm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index 5d123df0a866b..a9d0162b5ee01 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1656,6 +1656,7 @@ int cdc_ncm_rx_verify_ndp16(struct sk_buff *skb_in, int ndpoffset)
+       struct usbnet *dev = netdev_priv(skb_in->dev);
+       struct usb_cdc_ncm_ndp16 *ndp16;
+       int ret = -EINVAL;
++      size_t ndp_len;
+       if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) {
+               netif_dbg(dev, rx_err, dev->net, "invalid NDP offset  <%u>\n",
+@@ -1675,8 +1676,8 @@ int cdc_ncm_rx_verify_ndp16(struct sk_buff *skb_in, int ndpoffset)
+                                       sizeof(struct usb_cdc_ncm_dpe16));
+       ret--; /* we process NDP entries except for the last one */
+-      if ((sizeof(struct usb_cdc_ncm_ndp16) +
+-           ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) {
++      ndp_len = struct_size_t(struct usb_cdc_ncm_ndp16, dpe16, ret);
++      if (ndpoffset + ndp_len > skb_in->len) {
+               netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret);
+               ret = -EINVAL;
+       }
+-- 
+2.51.0
+
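Review bot: The lower bound on `ret` is not visible in this hunk: after `ret--` a value of 0 or less would reach struct_size_t() as a size_t count, and the new `ndpoffset + ndp_len > skb_in->len` test would then reject the NDP only because size_mul()/size_add() saturate, so the check's soundness rests on the wLength validation that presumably sits before the hunk. A one-line comment would make that reliance explicit, e.g. `/* ret >= 1 here (wLength checked above); the DPE array starts at ndpoffset, not at 0 */`. The same point applies to the NDP32 hunk in the next patch file. cdc_ncm_rx_verify_ndp16() begins and ends outside the hunk.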
diff --git a/queue-6.18/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch b/queue-6.18/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch
new file mode 100644 (file)
index 0000000..6c134a2
--- /dev/null
@@ -0,0 +1,54 @@
+From 75a0b9c0fe2c85df60d8ee4189b507bac6c2ae0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 22:46:40 -0700
+Subject: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
+
+From: Tobi Gaertner <tob.gaertner@me.com>
+
+[ Upstream commit 77914255155e68a20aa41175edeecf8121dac391 ]
+
+The same bounds-check bug fixed for NDP16 in the previous patch also
+exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated
+against the total skb length without accounting for ndpoffset, allowing
+out-of-bounds reads when the NDP32 is placed near the end of the NTB.
+
+Add ndpoffset to the nframes bounds check and use struct_size_t() to
+express the NDP-plus-DPE-array size more clearly.
+
+Compile-tested only.
+
+Fixes: 0fa81b304a79 ("cdc_ncm: Implement the 32-bit version of NCM Transfer Block")
+Signed-off-by: Tobi Gaertner <tob.gaertner@me.com>
+Link: https://patch.msgid.link/20260314054640.2895026-3-tob.gaertner@me.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_ncm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index a9d0162b5ee01..81d7e99fc0f09 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1693,6 +1693,7 @@ int cdc_ncm_rx_verify_ndp32(struct sk_buff *skb_in, int ndpoffset)
+       struct usbnet *dev = netdev_priv(skb_in->dev);
+       struct usb_cdc_ncm_ndp32 *ndp32;
+       int ret = -EINVAL;
++      size_t ndp_len;
+       if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp32)) > skb_in->len) {
+               netif_dbg(dev, rx_err, dev->net, "invalid NDP offset  <%u>\n",
+@@ -1712,8 +1713,8 @@ int cdc_ncm_rx_verify_ndp32(struct sk_buff *skb_in, int ndpoffset)
+                                       sizeof(struct usb_cdc_ncm_dpe32));
+       ret--; /* we process NDP entries except for the last one */
+-      if ((sizeof(struct usb_cdc_ncm_ndp32) +
+-           ret * (sizeof(struct usb_cdc_ncm_dpe32))) > skb_in->len) {
++      ndp_len = struct_size_t(struct usb_cdc_ncm_ndp32, dpe32, ret);
++      if (ndpoffset + ndp_len > skb_in->len) {
+               netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret);
+               ret = -EINVAL;
+       }
+-- 
+2.51.0
+
diff --git a/queue-6.18/netdevsim-drop-psp-ext-ref-on-forward-failure.patch b/queue-6.18/netdevsim-drop-psp-ext-ref-on-forward-failure.patch
new file mode 100644 (file)
index 0000000..c9c80ab
--- /dev/null
@@ -0,0 +1,53 @@
+From 45a4a70fa9f4e2b1972950c610fa79e2f4f5817f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 00:14:31 -0600
+Subject: netdevsim: drop PSP ext ref on forward failure
+
+From: Wesley Atwell <atwellwea@gmail.com>
+
+[ Upstream commit 7d9351435ebba08bbb60f42793175c9dc714d2fb ]
+
+nsim_do_psp() takes an extra reference to the PSP skb extension so the
+extension survives __dev_forward_skb(). That forward path scrubs the skb
+and drops attached skb extensions before nsim_psp_handle_ext() can
+reattach the PSP metadata.
+
+If __dev_forward_skb() fails in nsim_forward_skb(), the function returns
+before nsim_psp_handle_ext() can attach that extension to the skb, leaving
+the extra reference leaked.
+
+Drop the saved PSP extension reference before returning from the
+forward-failure path. Guard the put because plain or non-decapsulated
+traffic can also fail forwarding without ever taking the extra PSP
+reference.
+
+Fixes: f857478d6206 ("netdevsim: a basic test PSP implementation")
+Signed-off-by: Wesley Atwell <atwellwea@gmail.com>
+Reviewed-by: Daniel Zahka <daniel.zahka@gmail.com>
+Link: https://patch.msgid.link/20260317061431.1482716-1-atwellwea@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/netdevsim/netdev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/netdevsim/netdev.c b/drivers/net/netdevsim/netdev.c
+index fa1d97885caaf..06446b03cd9bc 100644
+--- a/drivers/net/netdevsim/netdev.c
++++ b/drivers/net/netdevsim/netdev.c
+@@ -109,8 +109,11 @@ static int nsim_forward_skb(struct net_device *tx_dev,
+       int ret;
+       ret = __dev_forward_skb(rx_dev, skb);
+-      if (ret)
++      if (ret) {
++              if (psp_ext)
++                      __skb_ext_put(psp_ext);
+               return ret;
++      }
+       nsim_psp_handle_ext(skb, psp_ext);
+-- 
+2.51.0
+
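Review bot: The new `__skb_ext_put(psp_ext)` on the failure path has no why-comment, and the matching extra reference is taken elsewhere (nsim_do_psp(), per the commit log), so a reader of this function alone cannot tell the put is balanced; e.g. `/* __dev_forward_skb() failed: drop the extra PSP ext ref taken in nsim_do_psp() that nsim_psp_handle_ext() would otherwise consume */`. The `if (psp_ext)` guard is required only if __skb_ext_put() does not tolerate NULL (upstream's does not check), and the success path presumably relies on nsim_psp_handle_ext() accepting a NULL extension, which is outside the hunk and worth confirming. nsim_forward_skb() starts before the hunk.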
diff --git a/queue-6.18/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch b/queue-6.18/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch
new file mode 100644 (file)
index 0000000..b8d22a9
--- /dev/null
@@ -0,0 +1,47 @@
+From afda3eaf89f937b482605fd8ec32063c4fe48077 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 12:23:08 +0100
+Subject: netfilter: bpf: defer hook memory release until rcu readers are done
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 24f90fa3994b992d1a09003a3db2599330a5232a ]
+
+Yiming Qian reports UaF when concurrent process is dumping hooks via
+nfnetlink_hooks:
+
+BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
+Read of size 8 at addr ffff888003edbf88 by task poc/79
+Call Trace:
+ <TASK>
+ nfnl_hook_dump_one.isra.0+0xe71/0x10f0
+ netlink_dump+0x554/0x12b0
+ nfnl_hook_get+0x176/0x230
+ [..]
+
+Defer release until after concurrent readers have completed.
+
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_bpf_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
+index 46e667a50d988..248840dbca1b2 100644
+--- a/net/netfilter/nf_bpf_link.c
++++ b/net/netfilter/nf_bpf_link.c
+@@ -170,7 +170,7 @@ static int bpf_nf_link_update(struct bpf_link *link, struct bpf_prog *new_prog,
+ static const struct bpf_link_ops bpf_nf_link_lops = {
+       .release = bpf_nf_link_release,
+-      .dealloc = bpf_nf_link_dealloc,
++      .dealloc_deferred = bpf_nf_link_dealloc,
+       .detach = bpf_nf_link_detach,
+       .show_fdinfo = bpf_nf_link_show_info,
+       .fill_link_info = bpf_nf_link_fill_link_info,
+-- 
+2.51.0
+
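Review bot: The switch to `.dealloc_deferred` carries no in-code explanation, so a later cleanup of the ops table could revert it without noticing the lifetime requirement; a comment on the field would preserve the reason, e.g. `/* nfnetlink_hook dumps walk the hook under RCU; free only after a grace period */`. If the bpf core invokes the deferred callback from an RCU callback, bpf_nf_link_dealloc() must stay non-sleeping, which holds if it is only a kfree() but cannot be checked from this hunk.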
diff --git a/queue-6.18/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch b/queue-6.18/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
new file mode 100644 (file)
index 0000000..c5d38a6
--- /dev/null
@@ -0,0 +1,123 @@
+From c9078f4c873e19ccc8aecc9e61d72add85e54e48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Mar 2026 02:21:37 +0900
+Subject: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit 5cb81eeda909dbb2def209dd10636b51549a3f8a ]
+
+ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the
+netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the
+conntrack reference immediately after netlink_dump_start().  When the
+dump spans multiple rounds, the second recvmsg() triggers the dump
+callback which dereferences the now-freed conntrack via nfct_help(ct),
+leading to a use-after-free on ct->ext.
+
+The bug is that the netlink_dump_control has no .start or .done
+callbacks to manage the conntrack reference across dump rounds.  Other
+dump functions in the same file (e.g. ctnetlink_get_conntrack) properly
+use .start/.done callbacks for this purpose.
+
+Fix this by adding .start and .done callbacks that hold and release the
+conntrack reference for the duration of the dump, and move the
+nfct_help() call after the cb->args[0] early-return check in the dump
+callback to avoid dereferencing ct->ext unnecessarily.
+
+ BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0
+ Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133
+
+ CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY
+ Call Trace:
+  <TASK>
+  ctnetlink_exp_ct_dump_table+0x4f/0x2e0
+  netlink_dump+0x333/0x880
+  netlink_recvmsg+0x3e2/0x4b0
+  ? aa_sk_perm+0x184/0x450
+  sock_recvmsg+0xde/0xf0
+
+ Allocated by task 133:
+  kmem_cache_alloc_noprof+0x134/0x440
+  __nf_conntrack_alloc+0xa8/0x2b0
+  ctnetlink_create_conntrack+0xa1/0x900
+  ctnetlink_new_conntrack+0x3cf/0x7d0
+  nfnetlink_rcv_msg+0x48e/0x510
+  netlink_rcv_skb+0xc9/0x1f0
+  nfnetlink_rcv+0xdb/0x220
+  netlink_unicast+0x3ec/0x590
+  netlink_sendmsg+0x397/0x690
+  __sys_sendmsg+0xf4/0x180
+
+ Freed by task 0:
+  slab_free_after_rcu_debug+0xad/0x1e0
+  rcu_core+0x5c3/0x9c0
+
+Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 3a04665adf992..f261dd48973fe 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3211,7 +3211,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+       struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+       struct nf_conn *ct = cb->data;
+-      struct nf_conn_help *help = nfct_help(ct);
++      struct nf_conn_help *help;
+       u_int8_t l3proto = nfmsg->nfgen_family;
+       unsigned long last_id = cb->args[1];
+       struct nf_conntrack_expect *exp;
+@@ -3219,6 +3219,10 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       if (cb->args[0])
+               return 0;
++      help = nfct_help(ct);
++      if (!help)
++              return 0;
++
+       rcu_read_lock();
+ restart:
+@@ -3248,6 +3252,24 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       return skb->len;
+ }
++static int ctnetlink_dump_exp_ct_start(struct netlink_callback *cb)
++{
++      struct nf_conn *ct = cb->data;
++
++      if (!refcount_inc_not_zero(&ct->ct_general.use))
++              return -ENOENT;
++      return 0;
++}
++
++static int ctnetlink_dump_exp_ct_done(struct netlink_callback *cb)
++{
++      struct nf_conn *ct = cb->data;
++
++      if (ct)
++              nf_ct_put(ct);
++      return 0;
++}
++
+ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+                                struct sk_buff *skb,
+                                const struct nlmsghdr *nlh,
+@@ -3263,6 +3285,8 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+       struct nf_conntrack_zone zone;
+       struct netlink_dump_control c = {
+               .dump = ctnetlink_exp_ct_dump_table,
++              .start = ctnetlink_dump_exp_ct_start,
++              .done = ctnetlink_dump_exp_ct_done,
+       };
+       err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
+-- 
+2.51.0
+
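Review bot: The NULL guards in the two new callbacks are asymmetric: ctnetlink_dump_exp_ct_start() dereferences `ct->ct_general.use` unconditionally while ctnetlink_dump_exp_ct_done() checks `if (ct)` before nf_ct_put(). Since cb->data is set by ctnetlink_dump_exp_ct() (mostly outside the hunk) and, as far as I recall, __netlink_dump_start() skips .done when .start fails, either both guards are needed or neither is; make them match and state the invariant on the start callback, e.g. `/* cb->data is the master conntrack set by ctnetlink_dump_exp_ct(); pin it across all dump rounds */`. The start/done pair also lacks a comment tying it to the reference that ctnetlink_dump_exp_ct() drops right after netlink_dump_start(), which is what makes that early put safe now.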
diff --git a/queue-6.18/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch b/queue-6.18/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
new file mode 100644 (file)
index 0000000..efa1379
--- /dev/null
@@ -0,0 +1,47 @@
+From 31cf0bb5ac9647e08268143c44987be2391c25c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 14:49:50 +0000
+Subject: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit f173d0f4c0f689173f8cdac79991043a4a89bf66 ]
+
+In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
+the packet, then decrements it by 1 to skip the protocol discriminator
+byte before passing it to DecodeH323_UserInformation(). If the encoded
+length is 0, the decrement wraps to -1, which is then passed as a
+large value to the decoder, leading to an out-of-bounds read.
+
+Add a check to ensure len is positive after the decrement.
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index c972e9488e16f..7b1497ed97d26 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
+                               break;
+                       p++;
+                       len--;
++                      if (len <= 0)
++                              break;
+                       return DecodeH323_UserInformation(buf, p, len,
+                                                         &q931->UUIE);
+               }
+-- 
+2.51.0
+
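Review bot: The new `if (len <= 0) break;` only closes the zero-length case; whether `len` has already been bounded by the bytes remaining in the buffer is decided by the check ending in the `break` at the top of the hunk (presumably `sz < len`), which is outside view, so that relationship belongs at the new guard, e.g. `/* len was bounded by sz above; after skipping the discriminator byte an empty UUIE has nothing to decode */`. The `break` silently skips the UUIE rather than failing the decode, which matches the existing malformed-length path but is not obvious from the two lines. DecodeQ931() starts and ends outside the hunk.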
diff --git a/queue-6.18/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch b/queue-6.18/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
new file mode 100644 (file)
index 0000000..2cabcfd
--- /dev/null
@@ -0,0 +1,48 @@
+From 1fa546c078c617310b491eca5b9b575aa72d645b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 02:29:32 +0000
+Subject: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a ]
+
+In decode_int(), the CONS case calls get_bits(bs, 2) to read a length
+value, then calls get_uint(bs, len) without checking that len bytes
+remain in the buffer. The existing boundary check only validates the
+2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()
+reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte
+slab-out-of-bounds read.
+
+Add a boundary check for len bytes after get_bits() and before
+get_uint().
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index 62aa22a078769..c972e9488e16f 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -331,6 +331,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f,
+               if (nf_h323_error_boundary(bs, 0, 2))
+                       return H323_ERROR_BOUND;
+               len = get_bits(bs, 2) + 1;
++              if (nf_h323_error_boundary(bs, len, 0))
++                      return H323_ERROR_BOUND;
+               BYTE_ALIGN(bs);
+               if (base && (f->attr & DECODE)) {       /* timeToLive */
+                       unsigned int v = get_uint(bs, len) + f->lb;
+-- 
+2.51.0
+
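Review bot: The added `nf_h323_error_boundary(bs, len, 0)` sits before `BYTE_ALIGN(bs)`, so it is sufficient only if the helper folds the pending `bs->bit` into its byte count and rounds up (upstream's helper does), because the alignment can advance `bs->cur` by one byte before get_uint() reads `len` bytes. That reliance should be stated, e.g. `/* covers the partial byte BYTE_ALIGN() skips plus the len bytes get_uint() reads */`, so a later change to the helper or a move of the check does not silently reopen the read. decode_int() begins and ends outside the hunk.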
diff --git a/queue-6.18/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch b/queue-6.18/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
new file mode 100644 (file)
index 0000000..19471a8
--- /dev/null
@@ -0,0 +1,66 @@
+From b6dbf78dfb6a70f6827e7824aedb1fdcbe8f0b5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Mar 2026 21:49:01 +0000
+Subject: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in
+ sip_help_tcp()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lukas Johannes Möller <research@johannes-moeller.dev>
+
+[ Upstream commit fbce58e719a17aa215c724473fd5baaa4a8dc57c ]
+
+sip_help_tcp() parses the SIP Content-Length header with
+simple_strtoul(), which returns unsigned long, but stores the result in
+unsigned int clen.  On 64-bit systems, values exceeding UINT_MAX are
+silently truncated before computing the SIP message boundary.
+
+For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,
+causing the parser to miscalculate where the current message ends.  The
+loop then treats trailing data in the TCP segment as a second SIP
+message and processes it through the SDP parser.
+
+Fix this by changing clen to unsigned long to match the return type of
+simple_strtoul(), and reject Content-Length values that exceed the
+remaining TCP payload length.
+
+Fixes: f5b321bd37fb ("netfilter: nf_conntrack_sip: add TCP support")
+Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_sip.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
+index ca748f8dbff13..4ab5ef71d96db 100644
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -1534,11 +1534,12 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
+ {
+       struct tcphdr *th, _tcph;
+       unsigned int dataoff, datalen;
+-      unsigned int matchoff, matchlen, clen;
++      unsigned int matchoff, matchlen;
+       unsigned int msglen, origlen;
+       const char *dptr, *end;
+       s16 diff, tdiff = 0;
+       int ret = NF_ACCEPT;
++      unsigned long clen;
+       bool term;
+       if (ctinfo != IP_CT_ESTABLISHED &&
+@@ -1573,6 +1574,9 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
+               if (dptr + matchoff == end)
+                       break;
++              if (clen > datalen)
++                      break;
++
+               term = false;
+               for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
+                       if (end[0] == '\r' && end[1] == '\n' &&
+-- 
+2.51.0
+
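Review bot: The new `if (clen > datalen) break;` is a bare early exit with no explanation, and it overlaps in intent with the loop's later `msglen > datalen` check outside the hunk, so a comment should say what this one adds: if the body still does `end += strlen("\r\n\r\n") + clen` as upstream, it keeps an attacker-chosen unsigned long from moving the pointer before that later check runs, e.g. `/* Content-Length must not exceed the remaining payload, or end is advanced out of bounds before msglen is checked */`. Placing `unsigned long clen;` after `int ret` rather than next to the other length variables is a small readability cost. sip_help_tcp() continues outside the hunk.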
diff --git a/queue-6.18/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch b/queue-6.18/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch
new file mode 100644 (file)
index 0000000..153e35c
--- /dev/null
@@ -0,0 +1,51 @@
+From 83525458e33aafd6a0c9dc856f4ea790c29af213 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 20:00:26 +0100
+Subject: netfilter: nf_tables: release flowtable after rcu grace period on
+ error
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit d73f4b53aaaea4c95f245e491aa5eeb8a21874ce ]
+
+Call synchronize_rcu() after unregistering the hooks from error path,
+since a hook that already refers to this flowtable can be already
+registered, exposing this flowtable to packet path and nfnetlink_hook
+control plane.
+
+This error path is rare, it should only happen by reaching the maximum
+number hooks or by failing to set up to hardware offload, just call
+synchronize_rcu().
+
+There is a check for already used device hooks by different flowtable
+that could result in EEXIST at this late stage. The hook parser can be
+updated to perform this check earlier to this error path really becomes
+rarely exercised.
+
+Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
+when dumping hooks.
+
+Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 0992869b33b35..a6a7fe216396d 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -9369,6 +9369,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
+       return 0;
+ err_flowtable_hooks:
++      synchronize_rcu();
+       nft_trans_destroy(trans);
+ err_flowtable_trans:
+       nft_hooks_destroy(&flowtable->hook_list);
+-- 
+2.51.0
+
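Review bot: The bare `synchronize_rcu()` at `err_flowtable_hooks` gives a future reader no reason and looks like a removable no-op; a comment should tie it to the hooks that were already registered, e.g. `/* hooks registered before the failure may still be visible to the packet path and nfnetlink_hook readers; wait them out before destroying */`. It also assumes the label is only reached from sleepable context, which holds for the nfnetlink commit path but should be kept in mind if another error path is ever routed here. nf_tables_newflowtable() begins outside the hunk.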
diff --git a/queue-6.18/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch b/queue-6.18/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch
new file mode 100644 (file)
index 0000000..68c1095
--- /dev/null
@@ -0,0 +1,70 @@
+From 277cd18348c5a3eade2f8a7f3530ccbfaf9ef42e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 13:48:47 +0100
+Subject: netfilter: nft_ct: drop pending enqueued packets on removal
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 36eae0956f659e48d5366d9b083d9417f3263ddc ]
+
+Packets sitting in nfqueue might hold a reference to:
+
+- templates that specify the conntrack zone, because a percpu area is
+  used and module removal is possible.
+- conntrack timeout policies and helper, where object removal leave
+  a stale reference.
+
+Since these objects can just go away, drop enqueued packets to avoid
+stale reference to them.
+
+If there is a need for finer grain removal, this logic can be revisited
+to make selective packet drop upon dependencies.
+
+Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_ct.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index 6f2ae7cad7310..db1bf69f87750 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -23,6 +23,7 @@
+ #include <net/netfilter/nf_conntrack_l4proto.h>
+ #include <net/netfilter/nf_conntrack_expect.h>
+ #include <net/netfilter/nf_conntrack_seqadj.h>
++#include "nf_internals.h"
+ struct nft_ct_helper_obj  {
+       struct nf_conntrack_helper *helper4;
+@@ -543,6 +544,7 @@ static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv)
+ #endif
+ #ifdef CONFIG_NF_CONNTRACK_ZONES
+       case NFT_CT_ZONE:
++              nf_queue_nf_hook_drop(ctx->net);
+               mutex_lock(&nft_ct_pcpu_mutex);
+               if (--nft_ct_pcpu_template_refcnt == 0)
+                       nft_ct_tmpl_put_pcpu();
+@@ -1016,6 +1018,7 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx,
+       struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
+       struct nf_ct_timeout *timeout = priv->timeout;
++      nf_queue_nf_hook_drop(ctx->net);
+       nf_ct_untimeout(ctx->net, timeout);
+       nf_ct_netns_put(ctx->net, ctx->family);
+       kfree(priv->timeout);
+@@ -1148,6 +1151,7 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx,
+ {
+       struct nft_ct_helper_obj *priv = nft_obj_data(obj);
++      nf_queue_nf_hook_drop(ctx->net);
+       if (priv->helper4)
+               nf_conntrack_helper_put(priv->helper4);
+       if (priv->helper6)
+-- 
+2.51.0
+
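Review bot: The three `nf_queue_nf_hook_drop(ctx->net)` calls flush every packet queued in the netns, not only those referencing the object being destroyed, and nothing at the call sites says this coarseness is intentional; a comment at each would help, e.g. `/* queued packets may still reference this object; flush the whole netns queue (coarse by design, see commit log) */`. In __nft_ct_set_destroy() the drop sits outside the `--nft_ct_pcpu_template_refcnt == 0` branch, which is the right place if that counter is global while the flush is per-net (upstream's counter is a static): moving it under the refcount check would leave packets queued in a netns that dropped its last zone expression earlier holding a reference when another netns frees the template, so that rationale is worth stating too. The same flush appears in the xt_CT hunk in the next patch file, where a matching comment would also help.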
diff --git a/queue-6.18/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch b/queue-6.18/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
new file mode 100644 (file)
index 0000000..7ed1616
--- /dev/null
@@ -0,0 +1,54 @@
+From 63fd4c6bbe511a88fccb70957af8094b69136a9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 13:48:48 +0100
+Subject: netfilter: xt_CT: drop pending enqueued packets on template removal
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit f62a218a946b19bb59abdd5361da85fa4606b96b ]
+
+Templates refer to objects that can go away while packets are sitting in
+nfqueue refer to:
+
+- helper, this can be an issue on module removal.
+- timeout policy, nfnetlink_cttimeout might remove it.
+
+The use of templates with zone and event cache filter are safe, since
+this just copies values.
+
+Flush these enqueued packets in case the template rule gets removed.
+
+Fixes: 24de58f46516 ("netfilter: xt_CT: allow to attach timeout policy + glue code")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_CT.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
+index 3ba94c34297cf..498f5871c84a0 100644
+--- a/net/netfilter/xt_CT.c
++++ b/net/netfilter/xt_CT.c
+@@ -16,6 +16,7 @@
+ #include <net/netfilter/nf_conntrack_ecache.h>
+ #include <net/netfilter/nf_conntrack_timeout.h>
+ #include <net/netfilter/nf_conntrack_zones.h>
++#include "nf_internals.h"
+ static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct)
+ {
+@@ -283,6 +284,9 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par,
+       struct nf_conn_help *help;
+       if (ct) {
++              if (info->helper[0] || info->timeout[0])
++                      nf_queue_nf_hook_drop(par->net);
++
+               help = nfct_help(ct);
+               xt_ct_put_helper(help);
+-- 
+2.51.0
+
diff --git a/queue-6.18/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch b/queue-6.18/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
new file mode 100644 (file)
index 0000000..f533347
--- /dev/null
@@ -0,0 +1,53 @@
+From bddaf6758c6f6953d3595275368f65988be8e857 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 14:59:49 +0000
+Subject: netfilter: xt_time: use unsigned int for monthday bit shift
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit 00050ec08cecfda447e1209b388086d76addda3a ]
+
+The monthday field can be up to 31, and shifting a signed integer 1
+by 31 positions (1 << 31) is undefined behavior in C, as the result
+overflows a 32-bit signed int. Use 1U to ensure well-defined behavior
+for all valid monthday values.
+
+Change the weekday shift to 1U as well for consistency.
+
+Fixes: ee4411a1b1e0 ("[NETFILTER]: x_tables: add xt_time match")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_time.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
+index 6aa12d0f54e23..61de85e02a40f 100644
+--- a/net/netfilter/xt_time.c
++++ b/net/netfilter/xt_time.c
+@@ -227,13 +227,13 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par)
+       localtime_2(&current_time, stamp);
+-      if (!(info->weekdays_match & (1 << current_time.weekday)))
++      if (!(info->weekdays_match & (1U << current_time.weekday)))
+               return false;
+       /* Do not spend time computing monthday if all days match anyway */
+       if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) {
+               localtime_3(&current_time, stamp);
+-              if (!(info->monthdays_match & (1 << current_time.monthday)))
++              if (!(info->monthdays_match & (1U << current_time.monthday)))
+                       return false;
+       }
+-- 
+2.51.0
+
diff --git a/queue-6.18/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch b/queue-6.18/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch
new file mode 100644 (file)
index 0000000..74195e1
--- /dev/null
@@ -0,0 +1,107 @@
+From 43d258f2b94dc1d08b4bdbe8663601e613a3c00b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 12:38:59 +0100
+Subject: nf_tables: nft_dynset: fix possible stateful expression memleak in
+ error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 0548a13b5a145b16e4da0628b5936baf35f51b43 ]
+
+If cloning the second stateful expression in the element via GFP_ATOMIC
+fails, then the first stateful expression remains in place without being
+released.
+
+ Â  unreferenced object (percpu) 0x607b97e9cab8 (size 16):
+ Â  Â  comm "softirq", pid 0, jiffies 4294931867
+ Â  Â  hex dump (first 16 bytes on cpu 3):
+ Â  Â  Â  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ Â  Â  backtrace (crc 0):
+ Â  Â  Â  pcpu_alloc_noprof+0x453/0xd80
+ Â  Â  Â  nft_counter_clone+0x9c/0x190 [nf_tables]
+ Â  Â  Â  nft_expr_clone+0x8f/0x1b0 [nf_tables]
+ Â  Â  Â  nft_dynset_new+0x2cb/0x5f0 [nf_tables]
+ Â  Â  Â  nft_rhash_update+0x236/0x11c0 [nf_tables]
+ Â  Â  Â  nft_dynset_eval+0x11f/0x670 [nf_tables]
+ Â  Â  Â  nft_do_chain+0x253/0x1700 [nf_tables]
+ Â  Â  Â  nft_do_chain_ipv4+0x18d/0x270 [nf_tables]
+ Â  Â  Â  nf_hook_slow+0xaa/0x1e0
+ Â  Â  Â  ip_local_deliver+0x209/0x330
+
+Fixes: 563125a73ac3 ("netfilter: nftables: generalize set extension to support for several expressions")
+Reported-by: Gurpreet Shergill <giki.shergill@proton.me>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_tables.h |  2 ++
+ net/netfilter/nf_tables_api.c     |  4 ++--
+ net/netfilter/nft_dynset.c        | 10 +++++++++-
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index c18cffafc9696..4dc080f7f27c6 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -875,6 +875,8 @@ struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
+                                       u64 timeout, u64 expiration, gfp_t gfp);
+ int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
+                           struct nft_expr *expr_array[]);
++void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
++                             struct nft_set_elem_expr *elem_expr);
+ void nft_set_elem_destroy(const struct nft_set *set,
+                         const struct nft_elem_priv *elem_priv,
+                         bool destroy_expr);
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index b6a575ec33159..0992869b33b35 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6863,8 +6863,8 @@ static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+       }
+ }
+-static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+-                                    struct nft_set_elem_expr *elem_expr)
++void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
++                             struct nft_set_elem_expr *elem_expr)
+ {
+       struct nft_expr *expr;
+       u32 size;
+diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
+index 7807d81296646..9123277be03ce 100644
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -30,18 +30,26 @@ static int nft_dynset_expr_setup(const struct nft_dynset *priv,
+                                const struct nft_set_ext *ext)
+ {
+       struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
++      struct nft_ctx ctx = {
++              .net    = read_pnet(&priv->set->net),
++              .family = priv->set->table->family,
++      };
+       struct nft_expr *expr;
+       int i;
+       for (i = 0; i < priv->num_exprs; i++) {
+               expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
+               if (nft_expr_clone(expr, priv->expr_array[i], GFP_ATOMIC) < 0)
+-                      return -1;
++                      goto err_out;
+               elem_expr->size += priv->expr_array[i]->ops->size;
+       }
+       return 0;
++err_out:
++      nft_set_elem_expr_destroy(&ctx, elem_expr);
++
++      return -1;
+ }
+ struct nft_elem_priv *nft_dynset_new(struct nft_set *set,
+-- 
+2.51.0
+
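Review bot: The new err_out path that calls nft_set_elem_expr_destroy(&ctx, elem_expr) relies on elem_expr->size being advanced only after a successful nft_expr_clone(), so the expression whose clone just failed is excluded from the destroy walk; that invariant is not stated anywhere in the code, and a comment at the label would make it explicit, e.g. `/* size covers only the expressions cloned so far; the one that failed is not destroyed */`. The ctx handed to the destroy hooks is built with only .net and .family populated, so a destroy implementation that reads any other nft_ctx field would see zeroes — worth confirming across the stateful expression types that can be attached here. nft_dynset_expr_setup()'s first signature line sits in the hunk header, outside the hunk body.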
diff --git a/queue-6.18/nfnetlink_osf-validate-individual-option-lengths-in-.patch b/queue-6.18/nfnetlink_osf-validate-individual-option-lengths-in-.patch
new file mode 100644 (file)
index 0000000..42e2767
--- /dev/null
@@ -0,0 +1,83 @@
+From c07d011d688c03db2b8f944c110649fcd5fbc706 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 15:32:44 +0800
+Subject: nfnetlink_osf: validate individual option lengths in fingerprints
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit dbdfaae9609629a9569362e3b8f33d0a20fd783c ]
+
+nfnl_osf_add_callback() validates opt_num bounds and string
+NUL-termination but does not check individual option length fields.
+A zero-length option causes nf_osf_match_one() to enter the option
+matching loop even when foptsize sums to zero, which matches packets
+with no TCP options where ctx->optp is NULL:
+
+ Oops: general protection fault
+ KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
+ Call Trace:
+  nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
+  xt_osf_match_packet (net/netfilter/xt_osf.c:32)
+  ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
+  nf_hook_slow (net/netfilter/core.c:623)
+  ip_local_deliver (net/ipv4/ip_input.c:262)
+  ip_rcv (net/ipv4/ip_input.c:573)
+
+Additionally, an MSS option (kind=2) with length < 4 causes
+out-of-bounds reads when nf_osf_match_one() unconditionally accesses
+optp[2] and optp[3] for MSS value extraction.  While RFC 9293
+section 3.2 specifies that the MSS option is always exactly 4
+bytes (Kind=2, Length=4), the check uses "< 4" rather than
+"!= 4" because lengths greater than 4 do not cause memory
+safety issues -- the buffer is guaranteed to be at least
+foptsize bytes by the ctx->optsize == foptsize check.
+
+Reject fingerprints where any option has zero length, or where an MSS
+option has length less than 4, at add time rather than trusting these
+values in the packet matching hot path.
+
+Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_osf.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
+index c0fc431991e88..9fc9544d4bc53 100644
+--- a/net/netfilter/nfnetlink_osf.c
++++ b/net/netfilter/nfnetlink_osf.c
+@@ -302,7 +302,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
+ {
+       struct nf_osf_user_finger *f;
+       struct nf_osf_finger *kf = NULL, *sf;
++      unsigned int tot_opt_len = 0;
+       int err = 0;
++      int i;
+       if (!capable(CAP_NET_ADMIN))
+               return -EPERM;
+@@ -318,6 +320,17 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
+       if (f->opt_num > ARRAY_SIZE(f->opt))
+               return -EINVAL;
++      for (i = 0; i < f->opt_num; i++) {
++              if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
++                      return -EINVAL;
++              if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)
++                      return -EINVAL;
++
++              tot_opt_len += f->opt[i].length;
++              if (tot_opt_len > MAX_IPOPTLEN)
++                      return -EINVAL;
++      }
++
+       if (!memchr(f->genre, 0, MAXGENRELEN) ||
+           !memchr(f->subtype, 0, MAXGENRELEN) ||
+           !memchr(f->version, 0, MAXGENRELEN))
+-- 
+2.51.0
+
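Review bot: The reason the MSS check accepts lengths greater than 4 is explained only in the commit message; the code at `if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)` would benefit from a comment such as `/* matching reads optp[2..3] for MSS; longer options still fit within foptsize */`. The loop index `i` is a plain int compared against f->opt_num and used to index f->opt; if opt_num is an unsigned field that comparison is mixed-sign, so `unsigned int i` would match `tot_opt_len` and avoid a -Wsign-compare warning — the field's type is not visible from here. The running total cannot overflow because each term is already capped at MAX_IPOPTLEN and opt_num at ARRAY_SIZE(f->opt), which is worth a one-line comment above `tot_opt_len += f->opt[i].length;`. nfnl_osf_add_callback() continues outside both hunks.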
diff --git a/queue-6.18/pm-runtime-fix-a-race-condition-related-to-device-re.patch b/queue-6.18/pm-runtime-fix-a-race-condition-related-to-device-re.patch
new file mode 100644 (file)
index 0000000..5bdffcc
--- /dev/null
@@ -0,0 +1,126 @@
+From 5e4c58e0729665198d2c676a31b623504ca7beb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 11:27:20 -0700
+Subject: PM: runtime: Fix a race condition related to device removal
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 29ab768277617452d88c0607c9299cdc63b6e9ff ]
+
+The following code in pm_runtime_work() may dereference the dev->parent
+pointer after the parent device has been freed:
+
+       /* Maybe the parent is now able to suspend. */
+       if (parent && !parent->power.ignore_children) {
+               spin_unlock(&dev->power.lock);
+
+               spin_lock(&parent->power.lock);
+               rpm_idle(parent, RPM_ASYNC);
+               spin_unlock(&parent->power.lock);
+
+               spin_lock(&dev->power.lock);
+       }
+
+Fix this by inserting a flush_work() call in pm_runtime_remove().
+
+Without this patch blktest block/001 triggers the following complaint
+sporadically:
+
+BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160
+Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081
+Workqueue: pm pm_runtime_work
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x61/0x80
+ print_address_description.constprop.0+0x8b/0x310
+ print_report+0xfd/0x1d7
+ kasan_report+0xd8/0x1d0
+ __kasan_check_byte+0x42/0x60
+ lock_acquire.part.0+0x38/0x230
+ lock_acquire+0x70/0x160
+ _raw_spin_lock+0x36/0x50
+ rpm_suspend+0xc6a/0xfe0
+ rpm_idle+0x578/0x770
+ pm_runtime_work+0xee/0x120
+ process_one_work+0xde3/0x1410
+ worker_thread+0x5eb/0xfe0
+ kthread+0x37b/0x480
+ ret_from_fork+0x6cb/0x920
+ ret_from_fork_asm+0x11/0x20
+ </TASK>
+
+Allocated by task 4314:
+ kasan_save_stack+0x2a/0x50
+ kasan_save_track+0x18/0x40
+ kasan_save_alloc_info+0x3d/0x50
+ __kasan_kmalloc+0xa0/0xb0
+ __kmalloc_noprof+0x311/0x990
+ scsi_alloc_target+0x122/0xb60 [scsi_mod]
+ __scsi_scan_target+0x101/0x460 [scsi_mod]
+ scsi_scan_channel+0x179/0x1c0 [scsi_mod]
+ scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]
+ store_scan+0x2d2/0x390 [scsi_mod]
+ dev_attr_store+0x43/0x80
+ sysfs_kf_write+0xde/0x140
+ kernfs_fop_write_iter+0x3ef/0x670
+ vfs_write+0x506/0x1470
+ ksys_write+0xfd/0x230
+ __x64_sys_write+0x76/0xc0
+ x64_sys_call+0x213/0x1810
+ do_syscall_64+0xee/0xfc0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Freed by task 4314:
+ kasan_save_stack+0x2a/0x50
+ kasan_save_track+0x18/0x40
+ kasan_save_free_info+0x3f/0x50
+ __kasan_slab_free+0x67/0x80
+ kfree+0x225/0x6c0
+ scsi_target_dev_release+0x3d/0x60 [scsi_mod]
+ device_release+0xa3/0x220
+ kobject_cleanup+0x105/0x3a0
+ kobject_put+0x72/0xd0
+ put_device+0x17/0x20
+ scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]
+ device_release+0xa3/0x220
+ kobject_cleanup+0x105/0x3a0
+ kobject_put+0x72/0xd0
+ put_device+0x17/0x20
+ scsi_device_put+0x7f/0xc0 [scsi_mod]
+ sdev_store_delete+0xa5/0x120 [scsi_mod]
+ dev_attr_store+0x43/0x80
+ sysfs_kf_write+0xde/0x140
+ kernfs_fop_write_iter+0x3ef/0x670
+ vfs_write+0x506/0x1470
+ ksys_write+0xfd/0x230
+ __x64_sys_write+0x76/0xc0
+ x64_sys_call+0x213/0x1810
+
+Reported-by: Ming Lei <ming.lei@redhat.com>
+Closes: https://lore.kernel.org/all/ZxdNvLNI8QaOfD2d@fedora/
+Reported-by: syzbot+6c905ab800f20cf4086c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68c13942.050a0220.2ff435.000b.GAE@google.com/
+Fixes: 5e928f77a09a ("PM: Introduce core framework for run-time PM of I/O devices (rev. 17)")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20260312182720.2776083-1-bvanassche@acm.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/runtime.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
+index e882b5269ebec..6980a8dfced2c 100644
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -1896,6 +1896,7 @@ void pm_runtime_reinit(struct device *dev)
+ void pm_runtime_remove(struct device *dev)
+ {
+       __pm_runtime_disable(dev, false);
++      flush_work(&dev->power.work);
+       pm_runtime_reinit(dev);
+ }
+-- 
+2.51.0
+
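Review bot: The added flush_work(&dev->power.work) carries no comment explaining what it waits for, and its placement after __pm_runtime_disable() is load-bearing: a flush only closes the race if the preceding disable prevents the work item from being queued again. Suggest `/* pm_runtime_work() may still be running and touching dev->parent; wait for it before the parent can be released */` above the call. Whether __pm_runtime_disable() guarantees no requeue is not visible in this hunk and should be confirmed before relying on the flush alone.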
diff --git a/queue-6.18/sched-idle-consolidate-the-handling-of-two-special-c.patch b/queue-6.18/sched-idle-consolidate-the-handling-of-two-special-c.patch
new file mode 100644 (file)
index 0000000..1f3cac1
--- /dev/null
@@ -0,0 +1,133 @@
+From 45b8ab24967d51540da53aebd54ca03a7268c0c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 13:25:41 +0100
+Subject: sched: idle: Consolidate the handling of two special cases
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit f4c31b07b136839e0fb3026f8a5b6543e3b14d2f ]
+
+There are two special cases in the idle loop that are handled
+inconsistently even though they are analogous.
+
+The first one is when a cpuidle driver is absent and the default CPU
+idle time power management implemented by the architecture code is used.
+In that case, the scheduler tick is stopped every time before invoking
+default_idle_call().
+
+The second one is when a cpuidle driver is present, but there is only
+one idle state in its table.  In that case, the scheduler tick is never
+stopped at all.
+
+Since each of these approaches has its drawbacks, reconcile them with
+the help of one simple heuristic.  Namely, stop the tick if the CPU has
+been woken up by it in the previous iteration of the idle loop, or let
+it tick otherwise.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Christian Loehle <christian.loehle@arm.com>
+Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
+Reviewed-by: Qais Yousef <qyousef@layalina.io>
+Reviewed-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
+Fixes: ed98c3491998 ("sched: idle: Do not stop the tick before cpuidle_idle_call()")
+[ rjw: Added Fixes tag, changelog edits ]
+Link: https://patch.msgid.link/4741364.LvFx2qVVIh@rafael.j.wysocki
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/idle.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c
+index d9c515da328e5..bf92ae29361ed 100644
+--- a/kernel/sched/idle.c
++++ b/kernel/sched/idle.c
+@@ -160,6 +160,14 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev,
+       return cpuidle_enter(drv, dev, next_state);
+ }
++static void idle_call_stop_or_retain_tick(bool stop_tick)
++{
++      if (stop_tick || tick_nohz_tick_stopped())
++              tick_nohz_idle_stop_tick();
++      else
++              tick_nohz_idle_retain_tick();
++}
++
+ /**
+  * cpuidle_idle_call - the main idle function
+  *
+@@ -169,7 +177,7 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev,
+  * set, and it returns with polling set.  If it ever stops polling, it
+  * must clear the polling bit.
+  */
+-static void cpuidle_idle_call(void)
++static void cpuidle_idle_call(bool stop_tick)
+ {
+       struct cpuidle_device *dev = cpuidle_get_device();
+       struct cpuidle_driver *drv = cpuidle_get_cpu_driver(dev);
+@@ -185,7 +193,7 @@ static void cpuidle_idle_call(void)
+       }
+       if (cpuidle_not_available(drv, dev)) {
+-              tick_nohz_idle_stop_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               default_idle_call();
+               goto exit_idle;
+@@ -220,17 +228,19 @@ static void cpuidle_idle_call(void)
+               next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns);
+               call_cpuidle(drv, dev, next_state);
+       } else if (drv->state_count > 1) {
+-              bool stop_tick = true;
++              /*
++               * stop_tick is expected to be true by default by cpuidle
++               * governors, which allows them to select idle states with
++               * target residency above the tick period length.
++               */
++              stop_tick = true;
+               /*
+                * Ask the cpuidle framework to choose a convenient idle state.
+                */
+               next_state = cpuidle_select(drv, dev, &stop_tick);
+-              if (stop_tick || tick_nohz_tick_stopped())
+-                      tick_nohz_idle_stop_tick();
+-              else
+-                      tick_nohz_idle_retain_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               entered_state = call_cpuidle(drv, dev, next_state);
+               /*
+@@ -238,7 +248,7 @@ static void cpuidle_idle_call(void)
+                */
+               cpuidle_reflect(dev, entered_state);
+       } else {
+-              tick_nohz_idle_retain_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               /*
+                * If there is only a single idle state (or none), there is
+@@ -266,6 +276,7 @@ static void cpuidle_idle_call(void)
+ static void do_idle(void)
+ {
+       int cpu = smp_processor_id();
++      bool got_tick = false;
+       /*
+        * Check if we need to update blocked load
+@@ -336,8 +347,9 @@ static void do_idle(void)
+                       tick_nohz_idle_restart_tick();
+                       cpu_idle_poll();
+               } else {
+-                      cpuidle_idle_call();
++                      cpuidle_idle_call(got_tick);
+               }
++              got_tick = tick_nohz_idle_got_tick();
+               arch_cpu_idle_exit();
+       }
+-- 
+2.51.0
+
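Review bot: The new helper idle_call_stop_or_retain_tick() lands without a comment, and its contract is subtle: it stops the tick when either the caller asks for it or the tick is already stopped, so this path never restarts a stopped tick; a short comment above it, e.g. `/* Stop the tick if requested or already stopped, otherwise keep it running for this idle period */`, would help. The kernel-doc block for cpuidle_idle_call() gains the new parameter but, in the visible lines, no `@stop_tick:` entry describing it. In the drv->state_count > 1 branch the parameter is overwritten with true before cpuidle_select(), so the got_tick heuristic from do_idle() only influences the no-driver and single-state paths — consistent with the description, but worth stating in that kernel-doc so the next reader does not expect the argument to reach governors. do_idle() continues outside the hunk.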
index d21ebe4715b6d7ea50adb1972433f50f0bebcb6a..ca27111b56e2dde8b5ac54f391516ae4c40f9c12 100644 (file)
@@ -96,3 +96,84 @@ drm-xe-oa-allow-reading-after-disabling-oa-stream.patch
 drm-xe-open-code-ggtt-mmio-access-protection.patch
 bluetooth-l2cap-fix-accepting-multiple-l2cap_ecred_conn_req.patch
 drm-i915-psr-compute-psr-entry_setup_frames-into-intel_crtc_state.patch
+btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch
+btrfs-tree-checker-fix-misleading-root-drop_level-er.patch
+soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch
+cache-starfive-fix-device-node-leak-in-starlink_cach.patch
+cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch
+soc-rockchip-grf-add-missing-of_node_put-when-return.patch
+soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
+soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch
+tee-shm-remove-refcounting-of-kernel-pages.patch
+wifi-mac80211-remove-keys-after-disabling-beaconing.patch
+wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch
+wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch
+wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
+arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch
+arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch
+arm64-dts-renesas-r9a09g057-add-rtc-node.patch
+arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch
+arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch
+arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch
+arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch
+firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch
+firmware-arm_scpi-fix-device_node-reference-leak-in-.patch
+firmware-arm_scmi-fix-null-dereference-on-notify-err.patch
+bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
+bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
+bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
+bluetooth-iso-fix-defer-tests-being-unstable.patch
+bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch
+bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch
+bluetooth-hidp-fix-possible-uaf.patch
+bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch
+bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch
+bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch
+net-rose-fix-null-pointer-dereference-in-rose_transm.patch
+mpls-add-missing-unregister_netdevice_notifier-to-mp.patch
+netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
+netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
+netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
+nf_tables-nft_dynset-fix-possible-stateful-expressio.patch
+netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch
+netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
+netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
+netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
+crypto-ccp-fix-leaking-the-same-page-twice.patch
+net-bcmgenet-increase-wol-poll-timeout.patch
+net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch
+sched-idle-consolidate-the-handling-of-two-special-c.patch
+pm-runtime-fix-a-race-condition-related-to-device-re.patch
+bonding-prevent-potential-infinite-loop-in-bond_head.patch
+net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch
+net-sched-teql-fix-double-free-in-teql_master_xmit.patch
+net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch
+net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch
+net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch
+clsact-fix-use-after-free-in-init-destroy-rollback-a.patch
+net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
+acpica-update-the-format-of-arg3-of-_dsm.patch
+igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch
+igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch
+iavf-fix-vlan-filter-lost-on-add-delete-race.patch
+libie-prevent-memleak-in-fwlog-code.patch
+wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
+wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
+wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch
+acpi-processor-fix-previous-acpi_processor_errata_pi.patch
+netdevsim-drop-psp-ext-ref-on-forward-failure.patch
+net-macb-fix-uninitialized-rx_fs_lock.patch
+net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch
+net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch
+net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch
+udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
+net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
+netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch
+netfilter-nf_tables-release-flowtable-after-rcu-grac.patch
+nfnetlink_osf-validate-individual-option-lengths-in-.patch
+net-mvpp2-guard-flow-control-update-with-global_tx_f.patch
+net-shaper-protect-late-read-accesses-to-the-hierarc.patch
+net-shaper-protect-from-late-creation-of-hierarchy.patch
+net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
+icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
+mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch
diff --git a/queue-6.18/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch b/queue-6.18/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch
new file mode 100644 (file)
index 0000000..a80dedd
--- /dev/null
@@ -0,0 +1,42 @@
+From eacd000a033f6201d592e3b1b0398611f4aa8145 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Feb 2026 09:59:04 +0800
+Subject: soc: fsl: cpm1: qmc: Fix error check for devm_ioremap_resource() in
+ qmc_qe_init_resources()
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+[ Upstream commit 3f4e403304186d79fddace860360540fc3af97f9 ]
+
+Fix wrong variable used for error checking after devm_ioremap_resource()
+call. The function checks qmc->scc_pram instead of qmc->dpram, which
+could lead to incorrect error handling.
+
+Fixes: eb680d563089 ("soc: fsl: cpm1: qmc: Add support for QUICC Engine (QE) implementation")
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Acked-by: Herve Codina <herve.codina@bootlin.com>
+Link: https://lore.kernel.org/r/20260209015904.871269-1-nichen@iscas.ac.cn
+Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qe/qmc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/fsl/qe/qmc.c b/drivers/soc/fsl/qe/qmc.c
+index da5ea6d356184..6db5ab05c2c1c 100644
+--- a/drivers/soc/fsl/qe/qmc.c
++++ b/drivers/soc/fsl/qe/qmc.c
+@@ -1799,8 +1799,8 @@ static int qmc_qe_init_resources(struct qmc *qmc, struct platform_device *pdev)
+               return -EINVAL;
+       qmc->dpram_offset = res->start - qe_muram_dma(qe_muram_addr(0));
+       qmc->dpram = devm_ioremap_resource(qmc->dev, res);
+-      if (IS_ERR(qmc->scc_pram))
+-              return PTR_ERR(qmc->scc_pram);
++      if (IS_ERR(qmc->dpram))
++              return PTR_ERR(qmc->dpram);
+       return 0;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.18/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch b/queue-6.18/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
new file mode 100644 (file)
index 0000000..5d3bcee
--- /dev/null
@@ -0,0 +1,92 @@
+From 26e9d3bd358c1a9205b2adaa2fe7cbaea830261f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 08:25:49 +0100
+Subject: soc: fsl: qbman: fix race condition in qman_destroy_fq
+
+From: Richard Genoud <richard.genoud@bootlin.com>
+
+[ Upstream commit 014077044e874e270ec480515edbc1cadb976cf2 ]
+
+When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between
+fq_table[fq->idx] state and freeing/allocating from the pool and
+WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.
+
+Indeed, we can have:
+         Thread A                             Thread B
+    qman_destroy_fq()                    qman_create_fq()
+      qman_release_fqid()
+        qman_shutdown_fq()
+        gen_pool_free()
+           -- At this point, the fqid is available again --
+                                           qman_alloc_fqid()
+           -- so, we can get the just-freed fqid in thread B --
+                                           fq->fqid = fqid;
+                                           fq->idx = fqid * 2;
+                                           WARN_ON(fq_table[fq->idx]);
+                                           fq_table[fq->idx] = fq;
+     fq_table[fq->idx] = NULL;
+
+And adding some logs between qman_release_fqid() and
+fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.
+
+To prevent that, ensure that fq_table[fq->idx] is set to NULL before
+gen_pool_free() is called by using smp_wmb().
+
+Fixes: c535e923bb97 ("soc/fsl: Introduce DPAA 1.x QMan device driver")
+Signed-off-by: Richard Genoud <richard.genoud@bootlin.com>
+Tested-by: CHAMPSEIX Thomas <thomas.champseix@alstomgroup.com>
+Link: https://lore.kernel.org/r/20251223072549.397625-1-richard.genoud@bootlin.com
+Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qbman/qman.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
+index 9be240999f877..43a4e8d58b9bc 100644
+--- a/drivers/soc/fsl/qbman/qman.c
++++ b/drivers/soc/fsl/qbman/qman.c
+@@ -1827,6 +1827,8 @@ EXPORT_SYMBOL(qman_create_fq);
+ void qman_destroy_fq(struct qman_fq *fq)
+ {
++      int leaked;
++
+       /*
+        * We don't need to lock the FQ as it is a pre-condition that the FQ be
+        * quiesced. Instead, run some checks.
+@@ -1834,11 +1836,29 @@ void qman_destroy_fq(struct qman_fq *fq)
+       switch (fq->state) {
+       case qman_fq_state_parked:
+       case qman_fq_state_oos:
+-              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))
+-                      qman_release_fqid(fq->fqid);
++              /*
++               * There's a race condition here on releasing the fqid,
++               * setting the fq_table to NULL, and freeing the fqid.
++               * To prevent it, this order should be respected:
++               */
++              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) {
++                      leaked = qman_shutdown_fq(fq->fqid);
++                      if (leaked)
++                              pr_debug("FQID %d leaked\n", fq->fqid);
++              }
+               DPAA_ASSERT(fq_table[fq->idx]);
+               fq_table[fq->idx] = NULL;
++
++              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) && !leaked) {
++                      /*
++                       * fq_table[fq->idx] should be set to null before
++                       * freeing fq->fqid otherwise it could by allocated by
++                       * qman_alloc_fqid() while still being !NULL
++                       */
++                      smp_wmb();
++                      gen_pool_free(qm_fqalloc, fq->fqid | DPAA_GENALLOC_OFF, 1);
++              }
+               return;
+       default:
+               break;
+-- 
+2.51.0
+
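Review bot: `leaked` is declared without an initializer and assigned only inside the first fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) block, so the later `&& !leaked` read is sequenced after the write only by short-circuit evaluation of the same predicate; `int leaked = 0;` removes that fragility and a -Wmaybe-uninitialized warning. The smp_wmb() orders the fq_table[fq->idx] = NULL store ahead of gen_pool_free(), but a write barrier only helps if the reader that checks fq_table after qman_alloc_fqid() has a matching read barrier or acquire, so the comment should name its pairing, e.g. `/* pairs with the fq_table read in qman_create_fq() after qman_alloc_fqid() */`, and that pairing should be verified. The inner comment also has a typo, "could by allocated" for "could be allocated". qman_destroy_fq()'s switch continues beyond the hunk.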
diff --git a/queue-6.18/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch b/queue-6.18/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch
new file mode 100644 (file)
index 0000000..8d42a4d
--- /dev/null
@@ -0,0 +1,70 @@
+From 3a51bf23f52786e756ad0434c88b6ba3978ac0fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Dec 2025 12:48:36 +0000
+Subject: soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 5a741f8cc6fe62542f955cd8d24933a1b6589cbd ]
+
+In mpfs_sys_controller_probe(), if of_get_mtd_device_by_node() fails,
+the function returns immediately without freeing the allocated memory
+for sys_controller, leading to a memory leak.
+
+Fix this by jumping to the out_free label to ensure the memory is
+properly freed.
+
+Also, consolidate the error handling for the mbox_request_channel()
+failure case to use the same label.
+
+Fixes: 742aa6c563d2 ("soc: microchip: mpfs: enable access to the system controller's flash")
+Co-developed-by: Jianhao Xu <jianhao.xu@seu.edu.cn>
+Signed-off-by: Jianhao Xu <jianhao.xu@seu.edu.cn>
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/microchip/mpfs-sys-controller.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/soc/microchip/mpfs-sys-controller.c b/drivers/soc/microchip/mpfs-sys-controller.c
+index 30bc45d17d343..81636cfecd37e 100644
+--- a/drivers/soc/microchip/mpfs-sys-controller.c
++++ b/drivers/soc/microchip/mpfs-sys-controller.c
+@@ -142,8 +142,10 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev)
+       sys_controller->flash = of_get_mtd_device_by_node(np);
+       of_node_put(np);
+-      if (IS_ERR(sys_controller->flash))
+-              return dev_err_probe(dev, PTR_ERR(sys_controller->flash), "Failed to get flash\n");
++      if (IS_ERR(sys_controller->flash)) {
++              ret = dev_err_probe(dev, PTR_ERR(sys_controller->flash), "Failed to get flash\n");
++              goto out_free;
++      }
+ no_flash:
+       sys_controller->client.dev = dev;
+@@ -155,8 +157,7 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev)
+       if (IS_ERR(sys_controller->chan)) {
+               ret = dev_err_probe(dev, PTR_ERR(sys_controller->chan),
+                                   "Failed to get mbox channel\n");
+-              kfree(sys_controller);
+-              return ret;
++              goto out_free;
+       }
+       init_completion(&sys_controller->c);
+@@ -174,6 +175,10 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev)
+       dev_info(&pdev->dev, "Registered MPFS system controller\n");
+       return 0;
++
++out_free:
++      kfree(sys_controller);
++      return ret;
+ }
+ static void mpfs_sys_controller_remove(struct platform_device *pdev)
+-- 
+2.51.0
+
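Review bot: With both failure paths now sharing out_free, the label's contract is that only sys_controller has been acquired when it is reached; any later step between mbox_request_channel() and dev_info() that is routed to the same label would leak the mailbox channel, since out_free only kfree()s. Those lines are outside the hunk so I cannot tell whether such a step exists today, but a comment at the label, e.g. `/* only sys_controller is allocated here; a failure after mbox_request_channel() must also free the channel */`, would keep future additions honest. A blank line before the `no_flash:` label, which now directly follows the new braced block, would match the surrounding style. mpfs_sys_controller_probe() starts outside the hunk.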
diff --git a/queue-6.18/soc-rockchip-grf-add-missing-of_node_put-when-return.patch b/queue-6.18/soc-rockchip-grf-add-missing-of_node_put-when-return.patch
new file mode 100644 (file)
index 0000000..f384e53
--- /dev/null
@@ -0,0 +1,39 @@
+From 0a7162e81d3dd1ff59e444da69537efc98b78a92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Feb 2026 21:02:37 +0800
+Subject: soc: rockchip: grf: Add missing of_node_put() when returning
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+[ Upstream commit 24ed11ee5bacf9a9aca18fc6b47667c7f38d578b ]
+
+Fix the smatch checking:
+drivers/soc/rockchip/grf.c:249 rockchip_grf_init()
+warn: inconsistent refcounting 'np->kobj.kref.refcount.refs.counter':
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Fixes: 75fb63ae0312 ("soc: rockchip: grf: Support multiple grf to be handled")
+Closes: https://lore.kernel.org/all/aYXvgTcUJWQL2can@stanley.mountain/
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Link: https://patch.msgid.link/1770814957-17762-1-git-send-email-shawn.lin@rock-chips.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/rockchip/grf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/rockchip/grf.c b/drivers/soc/rockchip/grf.c
+index db407fa279850..1f070e0becb52 100644
+--- a/drivers/soc/rockchip/grf.c
++++ b/drivers/soc/rockchip/grf.c
+@@ -216,6 +216,7 @@ static int __init rockchip_grf_init(void)
+               grf = syscon_node_to_regmap(np);
+               if (IS_ERR(grf)) {
+                       pr_err("%s: could not get grf syscon\n", __func__);
++                      of_node_put(np);
+                       return PTR_ERR(grf);
+               }
+-- 
+2.51.0
+
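Review bot: The added `of_node_put(np)` covers only the syscon-lookup failure path; if `rockchip_grf_init()` walks nodes with a for_each_*_node()-style iterator (the loop header is outside the hunk), every other early `return` or `break` inside that loop needs the same release, while the normal path is presumably put by the iterator's next step. Recording the ownership at the loop head, e.g. `/* the iterator holds a reference on np; every early exit from the loop must of_node_put() it */`, would keep the next error path added here from reintroducing the smatch warning.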
diff --git a/queue-6.18/tee-shm-remove-refcounting-of-kernel-pages.patch b/queue-6.18/tee-shm-remove-refcounting-of-kernel-pages.patch
new file mode 100644 (file)
index 0000000..6c56e74
--- /dev/null
@@ -0,0 +1,93 @@
+From ccf6f7ed34a656d9d99557794e7cffea537e7dcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Feb 2026 14:19:59 +0530
+Subject: tee: shm: Remove refcounting of kernel pages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Wilcox <willy@infradead.org>
+
+[ Upstream commit 08d9a4580f71120be3c5b221af32dca00a48ceb0 ]
+
+Earlier TEE subsystem assumed to refcount all the memory pages to be
+shared with TEE implementation to be refcounted. However, the slab
+allocations within the kernel don't allow refcounting kernel pages.
+
+It is rather better to trust the kernel clients to not free pages while
+being shared with TEE implementation. Hence, remove refcounting of kernel
+pages from register_shm_helper() API.
+
+Fixes: b9c0e49abfca ("mm: decline to manipulate the refcount on a slab page")
+Reported-by: Marco Felsch <m.felsch@pengutronix.de>
+Reported-by: Sven Püschel <s.pueschel@pengutronix.de>
+Signed-off-by: Matthew Wilcox <willy@infradead.org>
+Co-developed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
+Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
+Tested-by: Sven Püschel <s.pueschel@pengutronix.de>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tee/tee_shm.c | 27 ---------------------------
+ 1 file changed, 27 deletions(-)
+
+diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c
+index 4a47de4bb2e5c..898707ca21a8e 100644
+--- a/drivers/tee/tee_shm.c
++++ b/drivers/tee/tee_shm.c
+@@ -23,29 +23,11 @@ struct tee_shm_dma_mem {
+       struct page *page;
+ };
+-static void shm_put_kernel_pages(struct page **pages, size_t page_count)
+-{
+-      size_t n;
+-
+-      for (n = 0; n < page_count; n++)
+-              put_page(pages[n]);
+-}
+-
+-static void shm_get_kernel_pages(struct page **pages, size_t page_count)
+-{
+-      size_t n;
+-
+-      for (n = 0; n < page_count; n++)
+-              get_page(pages[n]);
+-}
+-
+ static void release_registered_pages(struct tee_shm *shm)
+ {
+       if (shm->pages) {
+               if (shm->flags & TEE_SHM_USER_MAPPED)
+                       unpin_user_pages(shm->pages, shm->num_pages);
+-              else
+-                      shm_put_kernel_pages(shm->pages, shm->num_pages);
+               kfree(shm->pages);
+       }
+@@ -477,13 +459,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
+               goto err_put_shm_pages;
+       }
+-      /*
+-       * iov_iter_extract_kvec_pages does not get reference on the pages,
+-       * get a reference on them.
+-       */
+-      if (iov_iter_is_kvec(iter))
+-              shm_get_kernel_pages(shm->pages, num_pages);
+-
+       shm->offset = off;
+       shm->size = len;
+       shm->num_pages = num_pages;
+@@ -499,8 +474,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
+ err_put_shm_pages:
+       if (!iov_iter_is_kvec(iter))
+               unpin_user_pages(shm->pages, shm->num_pages);
+-      else
+-              shm_put_kernel_pages(shm->pages, shm->num_pages);
+ err_free_shm_pages:
+       kfree(shm->pages);
+ err_free_shm:
+-- 
+2.51.0
+
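Review bot: With the kvec reference acquisition gone, nothing in `register_shm_helper()` states that kernel-client pages must outlive the registration; the removed comment at the `iov_iter_is_kvec()` site was the only place that documented page ownership, and the new code now relies on the caller silently. I would add, where `shm->pages` is filled in, `/* kvec pages are owned by the kernel caller and are not referenced here; they must stay valid until the shm is unregistered */`, and state the same contract in the kdoc of the registration entry points (outside the hunk). The `err_put_shm_pages` label now only unpins user pages, so `err_unpin_shm_pages` would match what it does. register_shm_helper() begins and ends outside the hunks.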
diff --git a/queue-6.18/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch b/queue-6.18/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
new file mode 100644 (file)
index 0000000..99c16b9
--- /dev/null
@@ -0,0 +1,64 @@
+From 9af39cecf3c481916cb952f2b4490b9fde19e1a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 18:02:41 -0700
+Subject: udp_tunnel: fix NULL deref caused by udp_sock_create6 when
+ CONFIG_IPV6=n
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit b3a6df291fecf5f8a308953b65ca72b7fc9e015d ]
+
+When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0
+(success) without actually creating a socket. Callers such as
+fou_create() then proceed to dereference the uninitialized socket
+pointer, resulting in a NULL pointer dereference.
+
+The captured NULL deref crash:
+  BUG: kernel NULL pointer dereference, address: 0000000000000018
+  RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)
+  [...]
+  Call Trace:
+    <TASK>
+    genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)
+    genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)
+    [...]
+    netlink_rcv_skb (net/netlink/af_netlink.c:2550)
+    genl_rcv (net/netlink/genetlink.c:1219)
+    netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
+    netlink_sendmsg (net/netlink/af_netlink.c:1894)
+    __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))
+    __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))
+    __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))
+    do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+    entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)
+
+This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so
+callers correctly take their error paths. There is only one caller of
+the vulnerable function and only privileged users can trigger it.
+
+Fixes: fd384412e199b ("udp_tunnel: Seperate ipv6 functions into its own file.")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260317010241.1893893-1-xmei5@asu.edu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/udp_tunnel.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
+index 9acef2fbd2fdc..d97ee26ba4f66 100644
+--- a/include/net/udp_tunnel.h
++++ b/include/net/udp_tunnel.h
+@@ -47,7 +47,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+ static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+                                  struct socket **sockp)
+ {
+-      return 0;
++      return -EPFNOSUPPORT;
+ }
+ #endif
+-- 
+2.51.0
+
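Review bot: The stub `udp_sock_create6()` now fails correctly but leaves `*sockp` untouched, so a caller that inspects the socket pointer before checking the return value would still see whatever happened to be in that variable. Setting `*sockp = NULL;` before `return -EPFNOSUPPORT;` is cheap and removes that dependency on caller discipline; a one-line comment `/* no IPv6 support built in: fail so callers take their error path */` would also explain why the stub does not simply return 0.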
diff --git a/queue-6.18/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch b/queue-6.18/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
new file mode 100644 (file)
index 0000000..0977d38
--- /dev/null
@@ -0,0 +1,51 @@
+From b4d299d035a00277470708dd71b0d3b18c3665b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 21:36:59 +0530
+Subject: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
+
+From: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
+
+[ Upstream commit 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 ]
+
+When the nl80211 socket that originated a PMSR request is
+closed, cfg80211_release_pmsr() sets the request's nl_portid
+to zero and schedules pmsr_free_wk to process the abort
+asynchronously. If the interface is concurrently torn down
+before that work runs, cfg80211_pmsr_wdev_down() calls
+cfg80211_pmsr_process_abort() directly. However, the already-
+scheduled pmsr_free_wk work item remains pending and may run
+after the interface has been removed from the driver. This
+could cause the driver's abort_pmsr callback to operate on a
+torn-down interface, leading to undefined behavior and
+potential crashes.
+
+Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()
+before calling cfg80211_pmsr_process_abort(). This ensures any
+pending or in-progress work is drained before interface teardown
+proceeds, preventing the work from invoking the driver abort
+callback after the interface is gone.
+
+Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API")
+Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260305160712.1263829-3-peddolla.reddy@oss.qualcomm.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/pmsr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c
+index a117f5093ca29..13801cf35e9fc 100644
+--- a/net/wireless/pmsr.c
++++ b/net/wireless/pmsr.c
+@@ -647,6 +647,7 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev)
+       }
+       spin_unlock_bh(&wdev->pmsr_lock);
++      cancel_work_sync(&wdev->pmsr_free_wk);
+       if (found)
+               cfg80211_pmsr_process_abort(wdev);
+-- 
+2.51.0
+
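Review bot: `cancel_work_sync(&wdev->pmsr_free_wk)` is placed right after `spin_unlock_bh(&wdev->pmsr_lock)` with no comment on why the ordering matters; a reader moving it into the locked region would be calling a sleeping function under a spinlock, and if the work handler takes `pmsr_lock` itself (likely, but not visible here) it would also deadlock. I would annotate it: `/* must run outside pmsr_lock: cancel_work_sync() may sleep; drains a pending free_wk so it cannot call abort_pmsr on a torn-down wdev */`. cfg80211_pmsr_wdev_down() begins outside the hunk.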
diff --git a/queue-6.18/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch b/queue-6.18/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch
new file mode 100644 (file)
index 0000000..4995667
--- /dev/null
@@ -0,0 +1,120 @@
+From 38d9215943d4712c07a103e46580c924067a6b33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Mar 2026 06:54:55 +0000
+Subject: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit d5ad6ab61cbd89afdb60881f6274f74328af3ee9 ]
+
+ieee80211_tx_prepare_skb() has three error paths, but only two of them
+free the skb. The first error path (ieee80211_tx_prepare() returning
+TX_DROP) does not free it, while invoke_tx_handlers() failure and the
+fragmentation check both do.
+
+Add kfree_skb() to the first error path so all three are consistent,
+and remove the now-redundant frees in callers (ath9k, mt76,
+mac80211_hwsim) to avoid double-free.
+
+Document the skb ownership guarantee in the function's kdoc.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://patch.msgid.link/20260314065455.2462900-1-nbd@nbd.name
+Fixes: 06be6b149f7e ("mac80211: add ieee80211_tx_prepare_skb() helper function")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/channel.c      | 6 ++----
+ drivers/net/wireless/mediatek/mt76/scan.c     | 4 +---
+ drivers/net/wireless/virtual/mac80211_hwsim.c | 1 -
+ include/net/mac80211.h                        | 4 +++-
+ net/mac80211/tx.c                             | 4 +++-
+ 5 files changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/channel.c b/drivers/net/wireless/ath/ath9k/channel.c
+index 121e51ce1bc0e..8b27d8cc086ab 100644
+--- a/drivers/net/wireless/ath/ath9k/channel.c
++++ b/drivers/net/wireless/ath/ath9k/channel.c
+@@ -1006,7 +1006,7 @@ static void ath_scan_send_probe(struct ath_softc *sc,
+       skb_set_queue_mapping(skb, IEEE80211_AC_VO);
+       if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, NULL))
+-              goto error;
++              return;
+       txctl.txq = sc->tx.txq_map[IEEE80211_AC_VO];
+       if (ath_tx_start(sc->hw, skb, &txctl))
+@@ -1119,10 +1119,8 @@ ath_chanctx_send_vif_ps_frame(struct ath_softc *sc, struct ath_vif *avp,
+               skb->priority = 7;
+               skb_set_queue_mapping(skb, IEEE80211_AC_VO);
+-              if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, &sta)) {
+-                      dev_kfree_skb_any(skb);
++              if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, &sta))
+                       return false;
+-              }
+               break;
+       default:
+               return false;
+diff --git a/drivers/net/wireless/mediatek/mt76/scan.c b/drivers/net/wireless/mediatek/mt76/scan.c
+index 5a875aac410fc..3d9cf6f5e137f 100644
+--- a/drivers/net/wireless/mediatek/mt76/scan.c
++++ b/drivers/net/wireless/mediatek/mt76/scan.c
+@@ -63,10 +63,8 @@ mt76_scan_send_probe(struct mt76_dev *dev, struct cfg80211_ssid *ssid)
+       rcu_read_lock();
+-      if (!ieee80211_tx_prepare_skb(phy->hw, vif, skb, band, NULL)) {
+-              ieee80211_free_txskb(phy->hw, skb);
++      if (!ieee80211_tx_prepare_skb(phy->hw, vif, skb, band, NULL))
+               goto out;
+-      }
+       info = IEEE80211_SKB_CB(skb);
+       if (req->no_cck)
+diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c
+index 2f263d89d2d69..20815fdc9d376 100644
+--- a/drivers/net/wireless/virtual/mac80211_hwsim.c
++++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
+@@ -3021,7 +3021,6 @@ static void hw_scan_work(struct work_struct *work)
+                                                     hwsim->tmp_chan->band,
+                                                     NULL)) {
+                               rcu_read_unlock();
+-                              kfree_skb(probe);
+                               continue;
+                       }
+diff --git a/include/net/mac80211.h b/include/net/mac80211.h
+index a55085cf4ec49..ac2546b121385 100644
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -7289,7 +7289,9 @@ void ieee80211_report_wowlan_wakeup(struct ieee80211_vif *vif,
+  * @band: the band to transmit on
+  * @sta: optional pointer to get the station to send the frame to
+  *
+- * Return: %true if the skb was prepared, %false otherwise
++ * Return: %true if the skb was prepared, %false otherwise.
++ * On failure, the skb is freed by this function; callers must not
++ * free it again.
+  *
+  * Note: must be called under RCU lock
+  */
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 160667be3f4d2..2f830001b0cd6 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1896,8 +1896,10 @@ bool ieee80211_tx_prepare_skb(struct ieee80211_hw *hw,
+       struct ieee80211_tx_data tx;
+       struct sk_buff *skb2;
+-      if (ieee80211_tx_prepare(sdata, &tx, NULL, skb) == TX_DROP)
++      if (ieee80211_tx_prepare(sdata, &tx, NULL, skb) == TX_DROP) {
++              kfree_skb(skb);
+               return false;
++      }
+       info->band = band;
+       info->control.vif = vif;
+-- 
+2.51.0
+
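Review bot: In the ath9k hunk at `ath_scan_send_probe()`, `goto error` becomes `return`, which skips everything at the `error:` label, not only the skb free; the label and the rest of the function are outside the hunk, so please confirm `error:` did nothing but free the skb (if it also reset scan state, that state is now left behind on this path). Separately, mt76 previously released the skb with `ieee80211_free_txskb()` while tx.c now uses `kfree_skb()`; if the `ieee80211_tx_prepare()` failure path is expected to report tx status to the stack, the central free may want the same helper, otherwise a short comment in tx.c explaining the choice would help. All modified functions begin and end outside their hunks.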
diff --git a/queue-6.18/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch b/queue-6.18/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
new file mode 100644 (file)
index 0000000..9399d37
--- /dev/null
@@ -0,0 +1,81 @@
+From 43c6a2174d8ad01117d0b835e5729489ec658b95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 20:42:44 -0700
+Subject: wifi: mac80211: fix NULL deref in mesh_matches_local()
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd ]
+
+mesh_matches_local() unconditionally dereferences ie->mesh_config to
+compare mesh configuration parameters. When called from
+mesh_rx_csa_frame(), the parsed action-frame elements may not contain a
+Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a
+kernel NULL pointer dereference.
+
+The other two callers are already safe:
+  - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before
+    calling mesh_matches_local()
+  - mesh_plink_get_event() is only reached through
+    mesh_process_plink_frame(), which checks !elems->mesh_config, too
+
+mesh_rx_csa_frame() is the only caller that passes raw parsed elements
+to mesh_matches_local() without guarding mesh_config. An adjacent
+attacker can exploit this by sending a crafted CSA action frame that
+includes a valid Mesh ID IE but omits the Mesh Configuration IE,
+crashing the kernel.
+
+The captured crash log:
+
+Oops: general protection fault, probably for non-canonical address ...
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+Workqueue: events_unbound cfg80211_wiphy_work
+[...]
+Call Trace:
+ <TASK>
+ ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
+ ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
+ [...]
+ ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
+ [...]
+ cfg80211_wiphy_work (net/wireless/core.c:426)
+ process_one_work (net/kernel/workqueue.c:3280)
+ ? assign_work (net/kernel/workqueue.c:1219)
+ worker_thread (net/kernel/workqueue.c:3352)
+ ? __pfx_worker_thread (net/kernel/workqueue.c:3385)
+ kthread (net/kernel/kthread.c:436)
+ [...]
+ ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
+ </TASK>
+
+This patch adds a NULL check for ie->mesh_config at the top of
+mesh_matches_local() to return false early when the Mesh Configuration
+IE is absent.
+
+Fixes: 2e3c8736820b ("mac80211: support functions for mesh")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260318034244.2595020-1-xmei5@asu.edu
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index e235ab7a5651c..4b0eebd5c7cf8 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -79,6 +79,9 @@ bool mesh_matches_local(struct ieee80211_sub_if_data *sdata,
+        *   - MDA enabled
+        * - Power management control on fc
+        */
++      if (!ie->mesh_config)
++              return false;
++
+       if (!(ifmsh->mesh_id_len == ie->mesh_id_len &&
+            memcmp(ifmsh->mesh_id, ie->mesh_id, ie->mesh_id_len) == 0 &&
+            (ifmsh->mesh_pp_id == ie->mesh_config->meshconf_psel) &&
+-- 
+2.51.0
+
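Review bot: The new `if (!ie->mesh_config) return false;` guard sits between the comment block describing the comparison and the `ifmsh->mesh_id_len == ie->mesh_id_len` test, but nothing at the site says why an element set without a Mesh Configuration IE can reach this function. A one-line comment would keep the reasoning from the commit message with the code: `/* CSA action frames need not carry a Mesh Configuration IE; the other callers check elems->mesh_config themselves */`. mesh_matches_local() begins and ends outside the hunk.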
diff --git a/queue-6.18/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch b/queue-6.18/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch
new file mode 100644 (file)
index 0000000..8776d07
--- /dev/null
@@ -0,0 +1,112 @@
+From e0f55465b6250a94eef8ccd470d16290d92e4225 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Mar 2026 07:24:02 +0000
+Subject: wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit b94ae8e0d5fe1bdbbfdc3854ff6ce98f6876a828 ]
+
+syzbot reported static_branch_dec() underflow in aql_enable_write(). [0]
+
+The problem is that aql_enable_write() does not serialise concurrent
+write()s to the debugfs.
+
+aql_enable_write() checks static_key_false(&aql_disable.key) and
+later calls static_branch_inc() or static_branch_dec(), but the
+state may change between the two calls.
+
+aql_disable does not need to track inc/dec.
+
+Let's use static_branch_enable() and static_branch_disable().
+
+[0]:
+val == 0
+WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288
+Modules linked in:
+CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G     U       L      syzkaller #0 PREEMPT(full)
+Tainted: [U]=USER, [L]=SOFTLOCKUP
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
+RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311
+Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00
+RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4
+RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000
+RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a
+R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98
+FS:  00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000200000001140 CR3: 000000007cc4a000 CR4: 00000000003526f0
+Call Trace:
+ <TASK>
+ __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline]
+ __static_key_slow_dec kernel/jump_label.c:321 [inline]
+ static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336
+ aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343
+ short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383
+ vfs_write+0x2aa/0x1070 fs/read_write.c:684
+ ksys_pwrite64 fs/read_write.c:793 [inline]
+ __do_sys_pwrite64 fs/read_write.c:801 [inline]
+ __se_sys_pwrite64 fs/read_write.c:798 [inline]
+ __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f530cf9aeb9
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
+RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9
+RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010
+RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000
+R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978
+ </TASK>
+
+Fixes: e908435e402a ("mac80211: introduce aql_enable node in debugfs")
+Reported-by: syzbot+feb9ce36a95341bb47a4@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69a8979e.a70a0220.b118c.0025.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260306072405.3649474-1-kuniyu@google.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/debugfs.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c
+index d02f07368c511..687a66cd49433 100644
+--- a/net/mac80211/debugfs.c
++++ b/net/mac80211/debugfs.c
+@@ -320,7 +320,6 @@ static ssize_t aql_enable_read(struct file *file, char __user *user_buf,
+ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf,
+                               size_t count, loff_t *ppos)
+ {
+-      bool aql_disabled = static_key_false(&aql_disable.key);
+       char buf[3];
+       size_t len;
+@@ -335,15 +334,12 @@ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf,
+       if (len > 0 && buf[len - 1] == '\n')
+               buf[len - 1] = 0;
+-      if (buf[0] == '0' && buf[1] == '\0') {
+-              if (!aql_disabled)
+-                      static_branch_inc(&aql_disable);
+-      } else if (buf[0] == '1' && buf[1] == '\0') {
+-              if (aql_disabled)
+-                      static_branch_dec(&aql_disable);
+-      } else {
++      if (buf[0] == '0' && buf[1] == '\0')
++              static_branch_enable(&aql_disable);
++      else if (buf[0] == '1' && buf[1] == '\0')
++              static_branch_disable(&aql_disable);
++      else
+               return -EINVAL;
+-      }
+       return count;
+ }
+-- 
+2.51.0
+
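Review bot: The new `static_branch_enable()`/`static_branch_disable()` pair in `aql_enable_write()` is correct, but the reason the earlier read-then-inc/dec was unsafe lives only in the commit message; a short comment keeps the next reader from "optimising" it back: `/* enable/disable are idempotent; a read-then-inc/dec here races with concurrent writers and underflows the key */`. The remaining `buf[1] == '\0'` tests still depend on the copy-and-terminate code above the second hunk leaving `buf` NUL-terminated, which this change does not touch.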
diff --git a/queue-6.18/wifi-mac80211-remove-keys-after-disabling-beaconing.patch b/queue-6.18/wifi-mac80211-remove-keys-after-disabling-beaconing.patch
new file mode 100644 (file)
index 0000000..13447b8
--- /dev/null
@@ -0,0 +1,56 @@
+From 0cc1ad6c442deb817db4e8ba2e3e192cdbdc132f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Mar 2026 15:03:39 +0100
+Subject: wifi: mac80211: remove keys after disabling beaconing
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 708bbb45537780a8d3721ca1e0cf1932c1d1bf5f ]
+
+We shouldn't remove keys before disable beaconing, at least when
+beacon protection is used, since that would remove keys that are
+still used for beacon transmission at the same time. Stop before
+removing keys so there's no race.
+
+Fixes: af2d14b01c32 ("mac80211: Beacon protection using the new BIGTK (STA)")
+Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20260303150339.574e7887b3ab.I50d708f5aa22584506a91d0da7f8a73ba39fceac@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index e18df59951a82..d32eacbb7517d 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1872,12 +1872,6 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev,
+       __sta_info_flush(sdata, true, link_id, NULL);
+-      ieee80211_remove_link_keys(link, &keys);
+-      if (!list_empty(&keys)) {
+-              synchronize_net();
+-              ieee80211_free_key_list(local, &keys);
+-      }
+-
+       ieee80211_stop_mbssid(sdata);
+       RCU_INIT_POINTER(link_conf->tx_bss_conf, NULL);
+@@ -1889,6 +1883,12 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev,
+       ieee80211_link_info_change_notify(sdata, link,
+                                         BSS_CHANGED_BEACON_ENABLED);
++      ieee80211_remove_link_keys(link, &keys);
++      if (!list_empty(&keys)) {
++              synchronize_net();
++              ieee80211_free_key_list(local, &keys);
++      }
++
+       if (sdata->wdev.links[link_id].cac_started) {
+               chandef = link_conf->chanreq.oper;
+               wiphy_delayed_work_cancel(wiphy, &link->dfs_cac_timer_work);
+-- 
+2.51.0
+
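Review bot: The key removal is moved below `ieee80211_link_info_change_notify(..., BSS_CHANGED_BEACON_ENABLED)` without a comment, so the ordering looks arbitrary and is easy to undo in a future refactor. I would annotate the moved block: `/* keys (including the BIGTK) may still protect beacons until the driver has processed BEACON_ENABLED=0; remove them only afterwards */`. The `keys` list is declared and initialised outside the hunk, so please confirm nothing between the old and the new position frees or reuses `link` or `local`. ieee80211_stop_ap() begins and ends outside the hunks.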
diff --git a/queue-6.18/wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch b/queue-6.18/wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch
new file mode 100644 (file)
index 0000000..415bb66
--- /dev/null
@@ -0,0 +1,54 @@
+From aed56b2e99326a35a2d3e2854d6fe4473ab84ff6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Mar 2026 17:06:39 +0100
+Subject: wifi: mac80211: use jiffies_delta_to_msecs() for sta_info inactive
+ times
+
+From: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
+
+[ Upstream commit ac6f24cc9c0a9aefa55ec9696dcafa971d4d760b ]
+
+Inactive times of around 0xffffffff milliseconds have been observed on
+an ath9k device on ARM.  This is likely due to a memory ordering race in
+the jiffies_to_msecs(jiffies - last_active()) calculation causing an
+overflow when the observed jiffies is below ieee80211_sta_last_active().
+
+Use jiffies_delta_to_msecs() instead to avoid this problem.
+
+Fixes: 7bbdd2d98797 ("mac80211: implement station stats retrieval")
+Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
+Link: https://patch.msgid.link/20260303161701.31808-1-nicolas.cavallari@green-communications.fr
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/sta_info.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
+index 1a995bc301b19..b0d9bb830f293 100644
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -2759,7 +2759,9 @@ static void sta_set_link_sinfo(struct sta_info *sta,
+       }
+       link_sinfo->inactive_time =
+-              jiffies_to_msecs(jiffies - ieee80211_sta_last_active(sta, link_id));
++              jiffies_delta_to_msecs(jiffies -
++                                     ieee80211_sta_last_active(sta,
++                                                               link_id));
+       if (!(link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES64) |
+                                   BIT_ULL(NL80211_STA_INFO_TX_BYTES)))) {
+@@ -2992,7 +2994,8 @@ void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo,
+       sinfo->connected_time = ktime_get_seconds() - sta->last_connected;
+       sinfo->assoc_at = sta->assoc_at;
+       sinfo->inactive_time =
+-              jiffies_to_msecs(jiffies - ieee80211_sta_last_active(sta, -1));
++              jiffies_delta_to_msecs(jiffies -
++                                     ieee80211_sta_last_active(sta, -1));
+       if (!(sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES64) |
+                              BIT_ULL(NL80211_STA_INFO_TX_BYTES)))) {
+-- 
+2.51.0
+
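Review bot: The wrapped `jiffies_delta_to_msecs(jiffies - ieee80211_sta_last_active(...))` expression in both `sta_set_link_sinfo()` and `sta_set_sinfo()` now spans three lines; a local reads better and leaves room for a why-comment, e.g. `unsigned long last = ieee80211_sta_last_active(sta, link_id);` followed by `link_sinfo->inactive_time = jiffies_delta_to_msecs(jiffies - last);`. Note that `jiffies_delta_to_msecs()` clamps a negative delta to zero, so under the race described in the message the station will briefly report 0 ms inactive instead of ~0xffffffff, which is the intended outcome and worth stating in that comment. Both functions begin and end outside the hunks.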
diff --git a/queue-6.18/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch b/queue-6.18/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
new file mode 100644 (file)
index 0000000..2bb09c5
--- /dev/null
@@ -0,0 +1,54 @@
+From 3f13ece2adc940b9b7a2a3f5c0cc722bbc65e0bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 23:46:36 -0700
+Subject: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not
+ enough headroom
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit deb353d9bb009638b7762cae2d0b6e8fdbb41a69 ]
+
+Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom
+before skb_push"), wl1271_tx_allocate() and with it
+wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails.
+However, in wlcore_tx_work_locked(), a return value of -EAGAIN from
+wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being
+full. This causes the code to flush the buffer, put the skb back at the
+head of the queue, and immediately retry the same skb in a tight while
+loop.
+
+Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens
+immediately with GFP_ATOMIC, this will result in an infinite loop and a
+CPU soft lockup. Return -ENOMEM instead so the packet is dropped and
+the loop terminates.
+
+The problem was found by an experimental code review agent based on
+gemini-3.1-pro while reviewing backports into v6.18.y.
+
+Assisted-by: Gemini:gemini-3.1-pro
+Fixes: e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push")
+Cc: Peter Astrand <astrand@lysator.liu.se>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://patch.msgid.link/20260318064636.3065925-1-linux@roeck-us.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wlcore/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c
+index f251627c24c6e..3c0f8f3ba2668 100644
+--- a/drivers/net/wireless/ti/wlcore/tx.c
++++ b/drivers/net/wireless/ti/wlcore/tx.c
+@@ -210,7 +210,7 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif,
+               if (skb_headroom(skb) < (total_len - skb->len) &&
+                   pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) {
+                       wl1271_free_tx_id(wl, id);
+-                      return -EAGAIN;
++                      return -ENOMEM;
+               }
+               desc = skb_push(skb, total_len - skb->len);
+-- 
+2.51.0
+
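Review bot: The changed return at the `pskb_expand_head()` failure in `wl1271_tx_allocate()` picks `-ENOMEM` purely because of how `wlcore_tx_work_locked()` interprets `-EAGAIN`, and nothing at the site records that constraint. I would add `/* not -EAGAIN: the tx work loop treats that as "aggregation buffer full" and retries the same skb forever */` above the return so the next reader does not switch it back. The function continues outside the hunk.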
diff --git a/queue-6.19/acpi-processor-fix-previous-acpi_processor_errata_pi.patch b/queue-6.19/acpi-processor-fix-previous-acpi_processor_errata_pi.patch
new file mode 100644 (file)
index 0000000..248cb69
--- /dev/null
@@ -0,0 +1,74 @@
+From 14e3c7a73b3ec057e94bb3e82ac33cd33e4e4843 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 21:39:05 +0100
+Subject: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit bf504b229cb8d534eccbaeaa23eba34c05131e25 ]
+
+After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference
+in acpi_processor_errata_piix4()"), device pointers may be dereferenced
+after dropping references to the device objects pointed to by them,
+which may cause a use-after-free to occur.
+
+Moreover, debug messages about enabling the errata may be printed
+if the errata flags corresponding to them are unset.
+
+Address all of these issues by moving message printing to the points
+in the code where the errata flags are set.
+
+Fixes: f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()")
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Closes: https://lore.kernel.org/linux-acpi/938e2206-def5-4b7a-9b2c-d1fd37681d8a@roeck-us.net/
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Link: https://patch.msgid.link/5975693.DvuYhMxLoT@rafael.j.wysocki
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_processor.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c
+index 85096ce7b658b..5a562e27d3a80 100644
+--- a/drivers/acpi/acpi_processor.c
++++ b/drivers/acpi/acpi_processor.c
+@@ -113,6 +113,10 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev)
+                                    PCI_ANY_ID, PCI_ANY_ID, NULL);
+               if (ide_dev) {
+                       errata.piix4.bmisx = pci_resource_start(ide_dev, 4);
++                      if (errata.piix4.bmisx)
++                              dev_dbg(&ide_dev->dev,
++                                      "Bus master activity detection (BM-IDE) erratum enabled\n");
++
+                       pci_dev_put(ide_dev);
+               }
+@@ -131,20 +135,17 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev)
+               if (isa_dev) {
+                       pci_read_config_byte(isa_dev, 0x76, &value1);
+                       pci_read_config_byte(isa_dev, 0x77, &value2);
+-                      if ((value1 & 0x80) || (value2 & 0x80))
++                      if ((value1 & 0x80) || (value2 & 0x80)) {
+                               errata.piix4.fdma = 1;
++                              dev_dbg(&isa_dev->dev,
++                                      "Type-F DMA livelock erratum (C3 disabled)\n");
++                      }
+                       pci_dev_put(isa_dev);
+               }
+               break;
+       }
+-      if (ide_dev)
+-              dev_dbg(&ide_dev->dev, "Bus master activity detection (BM-IDE) erratum enabled\n");
+-
+-      if (isa_dev)
+-              dev_dbg(&isa_dev->dev, "Type-F DMA livelock erratum (C3 disabled)\n");
+-
+       return 0;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.19/acpica-update-the-format-of-arg3-of-_dsm.patch b/queue-6.19/acpica-update-the-format-of-arg3-of-_dsm.patch
new file mode 100644 (file)
index 0000000..22a7277
--- /dev/null
@@ -0,0 +1,37 @@
+From 5902fbdb71f7106a64d470d65c936549aae35345 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 20:34:49 +0100
+Subject: ACPICA: Update the format of Arg3 of _DSM
+
+From: Saket Dumbre <saket.dumbre@intel.com>
+
+[ Upstream commit ab93d7eee94205430fc3b0532557cb0494bf2faf ]
+
+To get rid of type incompatibility warnings in Linux.
+
+Fixes: 81f92cff6d42 ("ACPICA: ACPI_TYPE_ANY does not include the package type")
+Link: https://github.com/acpica/acpica/commit/4fb74872dcec
+Signed-off-by: Saket Dumbre <saket.dumbre@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Link: https://patch.msgid.link/12856643.O9o76ZdvQC@rafael.j.wysocki
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/acpredef.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/acpica/acpredef.h b/drivers/acpi/acpica/acpredef.h
+index da2c45880cc7e..c9e65c6a20690 100644
+--- a/drivers/acpi/acpica/acpredef.h
++++ b/drivers/acpi/acpica/acpredef.h
+@@ -450,7 +450,7 @@ const union acpi_predefined_info acpi_gbl_predefined_methods[] = {
+       {{"_DSM",
+         METHOD_4ARGS(ACPI_TYPE_BUFFER, ACPI_TYPE_INTEGER, ACPI_TYPE_INTEGER,
+-                     ACPI_TYPE_ANY | ACPI_TYPE_PACKAGE) |
++                     ACPI_TYPE_PACKAGE | ACPI_TYPE_ANY) |
+                      ARG_COUNT_IS_MINIMUM,
+         METHOD_RETURNS(ACPI_RTYPE_ALL)}},     /* Must return a value, but it can be of any type */
+-- 
+2.51.0
+
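Review bot: Swapping the operands of `ACPI_TYPE_ANY | ACPI_TYPE_PACKAGE` leaves no trace at the use site of why it matters; `|` is commutative, so the next reader will take it for a no-op and may tidy it back, and the commit message only says it silences type-incompatibility warnings. A short comment would preserve the intent, e.g. `/* ACPI_TYPE_PACKAGE first: operand order presumably affects the expression's type (see acpica 4fb74872dcec) */`, hedged because the METHOD_4ARGS and ACPI_TYPE_* definitions are not in this hunk. The enclosing acpi_gbl_predefined_methods[] table starts and ends outside the hunk.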
diff --git a/queue-6.19/af_unix-give-up-gc-if-msg_peek-intervened.patch b/queue-6.19/af_unix-give-up-gc-if-msg_peek-intervened.patch
new file mode 100644 (file)
index 0000000..d4be92b
--- /dev/null
@@ -0,0 +1,256 @@
+From 88f9c738cf4e62b41d6d7b0833d616aca9439f35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 05:40:40 +0000
+Subject: af_unix: Give up GC if MSG_PEEK intervened.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit e5b31d988a41549037b8d8721a3c3cae893d8670 ]
+
+Igor Ushakov reported that GC purged the receive queue of
+an alive socket due to a race with MSG_PEEK with a nice repro.
+
+This is the exact same issue previously fixed by commit
+cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK").
+
+After GC was replaced with the current algorithm, the cited
+commit removed the locking dance in unix_peek_fds() and
+reintroduced the same issue.
+
+The problem is that MSG_PEEK bumps a file refcount without
+interacting with GC.
+
+Consider an SCC containing sk-A and sk-B, where sk-A is
+close()d but can be recv()ed via sk-B.
+
+The bad thing happens if sk-A is recv()ed with MSG_PEEK from
+sk-B and sk-B is close()d while GC is checking unix_vertex_dead()
+for sk-A and sk-B.
+
+  GC thread                    User thread
+  ---------                    -----------
+  unix_vertex_dead(sk-A)
+  -> true   <------.
+                    \
+                     `------   recv(sk-B, MSG_PEEK)
+              invalidate !!    -> sk-A's file refcount : 1 -> 2
+
+                               close(sk-B)
+                               -> sk-B's file refcount : 2 -> 1
+  unix_vertex_dead(sk-B)
+  -> true
+
+Initially, sk-A's file refcount is 1 by the inflight fd in sk-B
+recvq.  GC thinks sk-A is dead because the file refcount is the
+same as the number of its inflight fds.
+
+However, sk-A's file refcount is bumped silently by MSG_PEEK,
+which invalidates the previous evaluation.
+
+At this moment, sk-B's file refcount is 2; one by the open fd,
+and one by the inflight fd in sk-A.  The subsequent close()
+releases one refcount by the former.
+
+Finally, GC incorrectly concludes that both sk-A and sk-B are dead.
+
+One option is to restore the locking dance in unix_peek_fds(),
+but we can resolve this more elegantly thanks to the new algorithm.
+
+The point is that the issue does not occur without the subsequent
+close() and we actually do not need to synchronise MSG_PEEK with
+the dead SCC detection.
+
+When the issue occurs, close() and GC touch the same file refcount.
+If GC sees the refcount being decremented by close(), it can just
+give up garbage-collecting the SCC.
+
+Therefore, we only need to signal the race during MSG_PEEK with
+a proper memory barrier to make it visible to the GC.
+
+Let's use seqcount_t to notify GC when MSG_PEEK occurs and let
+it defer the SCC to the next run.
+
+This way no locking is needed on the MSG_PEEK side, and we can
+avoid imposing a penalty on every MSG_PEEK unnecessarily.
+
+Note that we can retry within unix_scc_dead() if MSG_PEEK is
+detected, but we do not do so to avoid hung task splat from
+abusive MSG_PEEK calls.
+
+Fixes: 118f457da9ed ("af_unix: Remove lock dance in unix_peek_fds().")
+Reported-by: Igor Ushakov <sysroot314@gmail.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260311054043.1231316-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c |  2 ++
+ net/unix/af_unix.h |  1 +
+ net/unix/garbage.c | 79 ++++++++++++++++++++++++++++++----------------
+ 3 files changed, 54 insertions(+), 28 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 6965b9a49d68a..3db79e83d2114 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1958,6 +1958,8 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb)
+ static void unix_peek_fds(struct scm_cookie *scm, struct sk_buff *skb)
+ {
+       scm->fp = scm_fp_dup(UNIXCB(skb).fp);
++
++      unix_peek_fpl(scm->fp);
+ }
+ static void unix_destruct_scm(struct sk_buff *skb)
+diff --git a/net/unix/af_unix.h b/net/unix/af_unix.h
+index c4f1b2da363de..8119dbeef3a3c 100644
+--- a/net/unix/af_unix.h
++++ b/net/unix/af_unix.h
+@@ -29,6 +29,7 @@ void unix_del_edges(struct scm_fp_list *fpl);
+ void unix_update_edges(struct unix_sock *receiver);
+ int unix_prepare_fpl(struct scm_fp_list *fpl);
+ void unix_destroy_fpl(struct scm_fp_list *fpl);
++void unix_peek_fpl(struct scm_fp_list *fpl);
+ void unix_schedule_gc(struct user_struct *user);
+ /* SOCK_DIAG */
+diff --git a/net/unix/garbage.c b/net/unix/garbage.c
+index 25f65817faab9..aaa5f5bf51cad 100644
+--- a/net/unix/garbage.c
++++ b/net/unix/garbage.c
+@@ -318,6 +318,25 @@ void unix_destroy_fpl(struct scm_fp_list *fpl)
+       unix_free_vertices(fpl);
+ }
++static bool gc_in_progress;
++static seqcount_t unix_peek_seq = SEQCNT_ZERO(unix_peek_seq);
++
++void unix_peek_fpl(struct scm_fp_list *fpl)
++{
++      static DEFINE_SPINLOCK(unix_peek_lock);
++
++      if (!fpl || !fpl->count_unix)
++              return;
++
++      if (!READ_ONCE(gc_in_progress))
++              return;
++
++      /* Invalidate the final refcnt check in unix_vertex_dead(). */
++      spin_lock(&unix_peek_lock);
++      raw_write_seqcount_barrier(&unix_peek_seq);
++      spin_unlock(&unix_peek_lock);
++}
++
+ static bool unix_vertex_dead(struct unix_vertex *vertex)
+ {
+       struct unix_edge *edge;
+@@ -351,6 +370,36 @@ static bool unix_vertex_dead(struct unix_vertex *vertex)
+       return true;
+ }
++static LIST_HEAD(unix_visited_vertices);
++static unsigned long unix_vertex_grouped_index = UNIX_VERTEX_INDEX_MARK2;
++
++static bool unix_scc_dead(struct list_head *scc, bool fast)
++{
++      struct unix_vertex *vertex;
++      bool scc_dead = true;
++      unsigned int seq;
++
++      seq = read_seqcount_begin(&unix_peek_seq);
++
++      list_for_each_entry_reverse(vertex, scc, scc_entry) {
++              /* Don't restart DFS from this vertex. */
++              list_move_tail(&vertex->entry, &unix_visited_vertices);
++
++              /* Mark vertex as off-stack for __unix_walk_scc(). */
++              if (!fast)
++                      vertex->index = unix_vertex_grouped_index;
++
++              if (scc_dead)
++                      scc_dead = unix_vertex_dead(vertex);
++      }
++
++      /* If MSG_PEEK intervened, defer this SCC to the next round. */
++      if (read_seqcount_retry(&unix_peek_seq, seq))
++              return false;
++
++      return scc_dead;
++}
++
+ static void unix_collect_skb(struct list_head *scc, struct sk_buff_head *hitlist)
+ {
+       struct unix_vertex *vertex;
+@@ -404,9 +453,6 @@ static bool unix_scc_cyclic(struct list_head *scc)
+       return false;
+ }
+-static LIST_HEAD(unix_visited_vertices);
+-static unsigned long unix_vertex_grouped_index = UNIX_VERTEX_INDEX_MARK2;
+-
+ static unsigned long __unix_walk_scc(struct unix_vertex *vertex,
+                                    unsigned long *last_index,
+                                    struct sk_buff_head *hitlist)
+@@ -474,9 +520,7 @@ static unsigned long __unix_walk_scc(struct unix_vertex *vertex,
+       }
+       if (vertex->index == vertex->scc_index) {
+-              struct unix_vertex *v;
+               struct list_head scc;
+-              bool scc_dead = true;
+               /* SCC finalised.
+                *
+@@ -485,18 +529,7 @@ static unsigned long __unix_walk_scc(struct unix_vertex *vertex,
+                */
+               __list_cut_position(&scc, &vertex_stack, &vertex->scc_entry);
+-              list_for_each_entry_reverse(v, &scc, scc_entry) {
+-                      /* Don't restart DFS from this vertex in unix_walk_scc(). */
+-                      list_move_tail(&v->entry, &unix_visited_vertices);
+-
+-                      /* Mark vertex as off-stack. */
+-                      v->index = unix_vertex_grouped_index;
+-
+-                      if (scc_dead)
+-                              scc_dead = unix_vertex_dead(v);
+-              }
+-
+-              if (scc_dead) {
++              if (unix_scc_dead(&scc, false)) {
+                       unix_collect_skb(&scc, hitlist);
+               } else {
+                       if (unix_vertex_max_scc_index < vertex->scc_index)
+@@ -550,19 +583,11 @@ static void unix_walk_scc_fast(struct sk_buff_head *hitlist)
+       while (!list_empty(&unix_unvisited_vertices)) {
+               struct unix_vertex *vertex;
+               struct list_head scc;
+-              bool scc_dead = true;
+               vertex = list_first_entry(&unix_unvisited_vertices, typeof(*vertex), entry);
+               list_add(&scc, &vertex->scc_entry);
+-              list_for_each_entry_reverse(vertex, &scc, scc_entry) {
+-                      list_move_tail(&vertex->entry, &unix_visited_vertices);
+-
+-                      if (scc_dead)
+-                              scc_dead = unix_vertex_dead(vertex);
+-              }
+-
+-              if (scc_dead) {
++              if (unix_scc_dead(&scc, true)) {
+                       cyclic_sccs--;
+                       unix_collect_skb(&scc, hitlist);
+               }
+@@ -577,8 +602,6 @@ static void unix_walk_scc_fast(struct sk_buff_head *hitlist)
+                  cyclic_sccs ? UNIX_GRAPH_CYCLIC : UNIX_GRAPH_NOT_CYCLIC);
+ }
+-static bool gc_in_progress;
+-
+ static void unix_gc(struct work_struct *work)
+ {
+       struct sk_buff_head hitlist;
+-- 
+2.51.0
+
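Review bot: unix_peek_fpl() reads gc_in_progress with READ_ONCE() and returns early when it is clear, so the scheme rests on the store to gc_in_progress in unix_gc() (whose body is outside this hunk) being ordered before the GC's file-refcount reads in unix_vertex_dead(); if that store has no full barrier between it and the walk, the refcount bump done by scm_fp_dup() in unix_peek_fds() and the flag read here form a store-buffer pattern in which both sides can observe the stale value and the peek goes unnoticed. Whether the write side provides that ordering cannot be verified from the hunk, so the early return should state the contract it relies on, e.g. `/* Pairs with the store in unix_gc(): the GC must not read file refcounts before gc_in_progress is visible. */`. The spinlock around raw_write_seqcount_barrier() is there because seqcount writers must be serialised, which the comment above it does not say; suggest `/* Serialise writers: raw_write_seqcount_barrier() requires writer exclusion. */`. Note also that unix_scc_dead() moves vertices to unix_visited_vertices and marks them grouped before the retry check, so a deferred SCC is consumed by this run and reconsidered only on the next GC, which matches the commit message but is worth a one-line comment above the retry.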
diff --git a/queue-6.19/arm64-dts-renesas-r8a78000-fix-out-of-range-spi-inte.patch b/queue-6.19/arm64-dts-renesas-r8a78000-fix-out-of-range-spi-inte.patch
new file mode 100644 (file)
index 0000000..e8e4c2e
--- /dev/null
@@ -0,0 +1,99 @@
+From 78984a253d44f958e8a3283e39ddaab87dc2ff0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 17:29:01 +0100
+Subject: arm64: dts: renesas: r8a78000: Fix out-of-range SPI interrupt numbers
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 85c2601e2c2feb60980c7ca23de28c49472f61f1 ]
+
+SPI interrupts are in the range 0-987.  Extended SPI interrupts should
+use GIC_ESPI, instead of abusing GIC_SPI with a manual offset of 4064.
+
+Fixes: 63500d12cf76d003 ("arm64: dts: renesas: Add R8A78000 SoC support")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/1f9dd274720ea1b66617a5dd84f76c3efc829dc8.1772641415.git.geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r8a78000.dtsi | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r8a78000.dtsi b/arch/arm64/boot/dts/renesas/r8a78000.dtsi
+index 4c97298fa7634..3e1c98903cea0 100644
+--- a/arch/arm64/boot/dts/renesas/r8a78000.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a78000.dtsi
+@@ -698,7 +698,7 @@ scif0: serial@c0700000 {
+                       compatible = "renesas,scif-r8a78000",
+                                    "renesas,rcar-gen5-scif", "renesas,scif";
+                       reg = <0 0xc0700000 0 0x40>;
+-                      interrupts = <GIC_SPI 4074 IRQ_TYPE_LEVEL_HIGH>;
++                      interrupts = <GIC_ESPI 10 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&dummy_clk_sgasyncd16>, <&dummy_clk_sgasyncd16>, <&scif_clk>;
+                       clock-names = "fck", "brg_int", "scif_clk";
+                       status = "disabled";
+@@ -708,7 +708,7 @@ scif1: serial@c0704000 {
+                       compatible = "renesas,scif-r8a78000",
+                                    "renesas,rcar-gen5-scif", "renesas,scif";
+                       reg = <0 0xc0704000 0 0x40>;
+-                      interrupts = <GIC_SPI 4075 IRQ_TYPE_LEVEL_HIGH>;
++                      interrupts = <GIC_ESPI 11 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&dummy_clk_sgasyncd16>, <&dummy_clk_sgasyncd16>, <&scif_clk>;
+                       clock-names = "fck", "brg_int", "scif_clk";
+                       status = "disabled";
+@@ -718,7 +718,7 @@ scif3: serial@c0708000 {
+                       compatible = "renesas,scif-r8a78000",
+                                    "renesas,rcar-gen5-scif", "renesas,scif";
+                       reg = <0 0xc0708000 0 0x40>;
+-                      interrupts = <GIC_SPI 4076 IRQ_TYPE_LEVEL_HIGH>;
++                      interrupts = <GIC_ESPI 12 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&dummy_clk_sgasyncd16>, <&dummy_clk_sgasyncd16>, <&scif_clk>;
+                       clock-names = "fck", "brg_int", "scif_clk";
+                       status = "disabled";
+@@ -728,7 +728,7 @@ scif4: serial@c070c000 {
+                       compatible = "renesas,scif-r8a78000",
+                                    "renesas,rcar-gen5-scif", "renesas,scif";
+                       reg = <0 0xc070c000 0 0x40>;
+-                      interrupts = <GIC_SPI 4077 IRQ_TYPE_LEVEL_HIGH>;
++                      interrupts = <GIC_ESPI 13 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&dummy_clk_sgasyncd16>, <&dummy_clk_sgasyncd16>, <&scif_clk>;
+                       clock-names = "fck", "brg_int", "scif_clk";
+                       status = "disabled";
+@@ -738,7 +738,7 @@ hscif0: serial@c0710000 {
+                       compatible = "renesas,hscif-r8a78000",
+                                    "renesas,rcar-gen5-hscif", "renesas,hscif";
+                       reg = <0 0xc0710000 0 0x60>;
+-                      interrupts = <GIC_SPI 4078 IRQ_TYPE_LEVEL_HIGH>;
++                      interrupts = <GIC_ESPI 14 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&dummy_clk_sgasyncd4>, <&dummy_clk_sgasyncd4>, <&scif_clk>;
+                       clock-names = "fck", "brg_int", "scif_clk";
+                       status = "disabled";
+@@ -748,7 +748,7 @@ hscif1: serial@c0714000 {
+                       compatible = "renesas,hscif-r8a78000",
+                                    "renesas,rcar-gen5-hscif", "renesas,hscif";
+                       reg = <0 0xc0714000 0 0x60>;
+-                      interrupts = <GIC_SPI 4079 IRQ_TYPE_LEVEL_HIGH>;
++                      interrupts = <GIC_ESPI 15 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&dummy_clk_sgasyncd4>, <&dummy_clk_sgasyncd4>, <&scif_clk>;
+                       clock-names = "fck", "brg_int", "scif_clk";
+                       status = "disabled";
+@@ -758,7 +758,7 @@ hscif2: serial@c0718000 {
+                       compatible = "renesas,hscif-r8a78000",
+                                    "renesas,rcar-gen5-hscif", "renesas,hscif";
+                       reg = <0 0xc0718000 0 0x60>;
+-                      interrupts = <GIC_SPI 4080 IRQ_TYPE_LEVEL_HIGH>;
++                      interrupts = <GIC_ESPI 16 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&dummy_clk_sgasyncd4>, <&dummy_clk_sgasyncd4>, <&scif_clk>;
+                       clock-names = "fck", "brg_int", "scif_clk";
+                       status = "disabled";
+@@ -768,7 +768,7 @@ hscif3: serial@c071c000 {
+                       compatible = "renesas,hscif-r8a78000",
+                                    "renesas,rcar-gen5-hscif", "renesas,hscif";
+                       reg = <0 0xc071c000 0 0x60>;
+-                      interrupts = <GIC_SPI 4081 IRQ_TYPE_LEVEL_HIGH>;
++                      interrupts = <GIC_ESPI 17 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&dummy_clk_sgasyncd4>, <&dummy_clk_sgasyncd4>, <&scif_clk>;
+                       clock-names = "fck", "brg_int", "scif_clk";
+                       status = "disabled";
+-- 
+2.51.0
+
diff --git a/queue-6.19/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch b/queue-6.19/arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch
new file mode 100644 (file)
index 0000000..5849191
--- /dev/null
@@ -0,0 +1,82 @@
+From d90ae1397c70ffb4835bad335b0ed9a24ecde9e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Feb 2026 12:42:46 +0000
+Subject: arm64: dts: renesas: r9a09g057: Remove wdt{0,2,3} nodes
+
+From: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+
+[ Upstream commit a3f34651de4287138c0da19ba321ad72622b4af3 ]
+
+The HW user manual for the Renesas RZ/V2H(P) SoC (a.k.a r9a09g057)
+states that only WDT1 is supposed to be accessed by the CA55 cores.
+WDT0 is supposed to be used by the CM33 core, WDT2 is supposed
+to be used by the CR8 core 0, and WDT3 is supposed to be used
+by the CR8 core 1.
+
+Remove wdt{0,2,3} from the SoC specific device tree to make it
+compliant with the specification from the HW manual.
+
+This change is harmless as there are currently no users of the
+wdt{0,2,3} device tree nodes, only the wdt1 node is actually used.
+
+Fixes: 095105496e7d ("arm64: dts: renesas: r9a09g057: Add WDT0-WDT3 nodes")
+Signed-off-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20260203124247.7320-3-fabrizio.castro.jz@renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a09g057.dtsi | 30 ----------------------
+ 1 file changed, 30 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi
+index 4df32d7e99981..3d7f4dae5c195 100644
+--- a/arch/arm64/boot/dts/renesas/r9a09g057.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a09g057.dtsi
+@@ -581,16 +581,6 @@ ostm7: timer@12c03000 {
+                       status = "disabled";
+               };
+-              wdt0: watchdog@11c00400 {
+-                      compatible = "renesas,r9a09g057-wdt";
+-                      reg = <0 0x11c00400 0 0x400>;
+-                      clocks = <&cpg CPG_MOD 0x4b>, <&cpg CPG_MOD 0x4c>;
+-                      clock-names = "pclk", "oscclk";
+-                      resets = <&cpg 0x75>;
+-                      power-domains = <&cpg>;
+-                      status = "disabled";
+-              };
+-
+               wdt1: watchdog@14400000 {
+                       compatible = "renesas,r9a09g057-wdt";
+                       reg = <0 0x14400000 0 0x400>;
+@@ -601,26 +591,6 @@ wdt1: watchdog@14400000 {
+                       status = "disabled";
+               };
+-              wdt2: watchdog@13000000 {
+-                      compatible = "renesas,r9a09g057-wdt";
+-                      reg = <0 0x13000000 0 0x400>;
+-                      clocks = <&cpg CPG_MOD 0x4f>, <&cpg CPG_MOD 0x50>;
+-                      clock-names = "pclk", "oscclk";
+-                      resets = <&cpg 0x77>;
+-                      power-domains = <&cpg>;
+-                      status = "disabled";
+-              };
+-
+-              wdt3: watchdog@13000400 {
+-                      compatible = "renesas,r9a09g057-wdt";
+-                      reg = <0 0x13000400 0 0x400>;
+-                      clocks = <&cpg CPG_MOD 0x51>, <&cpg CPG_MOD 0x52>;
+-                      clock-names = "pclk", "oscclk";
+-                      resets = <&cpg 0x78>;
+-                      power-domains = <&cpg>;
+-                      status = "disabled";
+-              };
+-
+               rtc: rtc@11c00800 {
+                       compatible = "renesas,r9a09g057-rtca3", "renesas,rz-rtca3";
+                       reg = <0 0x11c00800 0 0x400>;
+-- 
+2.51.0
+
diff --git a/queue-6.19/arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch b/queue-6.19/arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch
new file mode 100644 (file)
index 0000000..32ee122
--- /dev/null
@@ -0,0 +1,42 @@
+From 52e4adc79d8ac1cf2fae692753af38bddfd41beb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Feb 2026 13:17:41 +0000
+Subject: arm64: dts: renesas: r9a09g077: Fix CPG register region sizes
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit b12985ceca18bcf67f176883175d544daad5e00e ]
+
+The CPG register regions were incorrectly sized.  Update them to match
+the actual hardware specification:
+  - First region (0x80280000): 0x1000 -> 0x10000 (64kiB)
+  - Second region (0x81280000): 0x9000 -> 0x10000 (64kiB)
+
+Fixes: d17b34744f5e4 ("arm64: dts: renesas: Add initial support for the Renesas RZ/T2H SoC")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20260213131742.3606334-2-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a09g077.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a09g077.dtsi b/arch/arm64/boot/dts/renesas/r9a09g077.dtsi
+index f5fa6ca064097..5f4d30f75cbde 100644
+--- a/arch/arm64/boot/dts/renesas/r9a09g077.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a09g077.dtsi
+@@ -747,8 +747,8 @@ mii_conv3: mii-conv@3 {
+               cpg: clock-controller@80280000 {
+                       compatible = "renesas,r9a09g077-cpg-mssr";
+-                      reg = <0 0x80280000 0 0x1000>,
+-                            <0 0x81280000 0 0x9000>;
++                      reg = <0 0x80280000 0 0x10000>,
++                            <0 0x81280000 0 0x10000>;
+                       clocks = <&extal_clk>;
+                       clock-names = "extal";
+                       #clock-cells = <2>;
+-- 
+2.51.0
+
diff --git a/queue-6.19/arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch b/queue-6.19/arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch
new file mode 100644 (file)
index 0000000..b265153
--- /dev/null
@@ -0,0 +1,42 @@
+From 1d0eb78ce2754d16cb681157bd71808a9e927ae1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Feb 2026 13:17:42 +0000
+Subject: arm64: dts: renesas: r9a09g087: Fix CPG register region sizes
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit f459672cf3ffd3c062973838951418271aa2ceef ]
+
+The CPG register regions were incorrectly sized.  Update them to match
+the actual hardware specification:
+  - First region (0x80280000): 0x1000 -> 0x10000 (64kiB)
+  - Second region (0x81280000): 0x9000 -> 0x10000 (64kiB)
+
+Fixes: 4b3d31f0b81fe ("arm64: dts: renesas: Add initial SoC DTSI for the RZ/N2H SoC")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20260213131742.3606334-3-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a09g087.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a09g087.dtsi b/arch/arm64/boot/dts/renesas/r9a09g087.dtsi
+index 361a9235f00d9..46f2b1fd98dc3 100644
+--- a/arch/arm64/boot/dts/renesas/r9a09g087.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a09g087.dtsi
+@@ -750,8 +750,8 @@ mii_conv3: mii-conv@3 {
+               cpg: clock-controller@80280000 {
+                       compatible = "renesas,r9a09g087-cpg-mssr";
+-                      reg = <0 0x80280000 0 0x1000>,
+-                            <0 0x81280000 0 0x9000>;
++                      reg = <0 0x80280000 0 0x10000>,
++                            <0 0x81280000 0 0x10000>;
+                       clocks = <&extal_clk>;
+                       clock-names = "extal";
+                       #clock-cells = <2>;
+-- 
+2.51.0
+
diff --git a/queue-6.19/arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch b/queue-6.19/arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch
new file mode 100644 (file)
index 0000000..904bf2a
--- /dev/null
@@ -0,0 +1,73 @@
+From fc7a7524cae76e202f52607c467f166a8c4b79c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Mar 2026 15:57:03 +0200
+Subject: arm64: dts: renesas: rzg3s-smarc-som: Set bypass for Versa3 PLL2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+[ Upstream commit 6dcbb6f070cccabc6a13d640a5a84de581fdd761 ]
+
+The default settings for the Versa3 device on the Renesas RZ/G3S SMARC
+SoM board have PLL2 disabled. PLL2 was later enabled together with audio
+support, as it is required to support both 44.1 kHz and 48 kHz audio.
+
+With PLL2 enabled, it was observed that Linux occasionally either hangs
+during boot (the last log message being related to the I2C probe) or
+randomly crashes. This was mainly reproducible on cold boots. During
+debugging, it was also noticed that the Unicode replacement character (�)
+sometimes appears on the serial console. Further investigation traced this
+to the configuration applied through the Versa3 register at offset 0x1c,
+which controls PLL enablement.
+
+The appearance of the Unicode replacement character suggested an issue
+with the SoC reference clock. The RZ/G3S reference clock is provided by
+the Versa3 clock generator (REF output).
+
+After checking with the Renesas Versa3 hardware team, it was found that
+this is related to the PLL2 lock bit being set through the
+renesas,settings DT property.
+
+The PLL lock bit must be set to avoid unstable clock output from the PLL.
+However, due to the Versa3 hardware design, when a PLL lock bit is set,
+all outputs (including the REF clock) are temporarily disabled until the
+configured PLLs become stable.
+
+As an alternative, the bypass bit can be used. This does not interrupt the
+PLL2 output or any other Versa3 outputs, but it may result in temporary
+instability on PLL2 output while the configuration is applied. Since PLL2
+feeds only the audio path and audio is not used during early boot, this is
+acceptable and does not affect system boot.
+
+Drop the PLL2 lock bit and set the bypass bit instead.
+
+This has been tested with more than 1000 cold boots.
+
+Fixes: a94253232b04 ("arm64: dts: renesas: rzg3s-smarc-som: Add versa3 clock generator node")
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20260302135703.162601-1-claudiu.beznea.uj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi b/arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi
+index 6f25ab6179829..fbfa6cfb19297 100644
+--- a/arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi
++++ b/arch/arm64/boot/dts/renesas/rzg3s-smarc-som.dtsi
+@@ -162,7 +162,7 @@ versa3: clock-generator@68 {
+                                      <100000000>;
+               renesas,settings = [
+                 80 00 11 19 4c 42 dc 2f 06 7d 20 1a 5f 1e f2 27
+-                00 40 00 00 00 00 00 00 06 0c 19 02 3f f0 90 86
++                00 40 00 00 00 00 00 00 06 0c 19 02 3b f0 90 86
+                 a0 80 30 30 9c
+               ];
+       };
+-- 
+2.51.0
+
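Review bot: The change flips byte 0x1c of the opaque `renesas,settings` blob from 3f to 3b (clearing bit 2) with nothing at the use site tying it to the PLL2 lock/bypass behaviour described in the commit message, so a later reader of the dtsi cannot tell which byte is load-bearing. A comment above the property, e.g. `/* byte 0x1c: PLL2 configured via bypass, not lock; the lock bit stalls all outputs incl. REF until the PLLs settle */`, would carry that reasoning into the file. The hex shows only one bit cleared while the message says the lock bit is dropped and the bypass bit set; presumably the bypass bit was already set or that register encodes both in one bit, which the comment should state explicitly.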
diff --git a/queue-6.19/arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch b/queue-6.19/arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch
new file mode 100644 (file)
index 0000000..4c13899
--- /dev/null
@@ -0,0 +1,53 @@
+From 09049e72f1597f142d43f400267571711d8598ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 22:59:54 +0000
+Subject: arm64: dts: renesas: rzt2h-n2h-evk: Add ramp delay for SD0 card
+ regulator
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit bb70589b67039e491dd60cf71272884e926a0f95 ]
+
+Add a ramp delay of 60 uV/us to the vqmmc_sdhi0 voltage regulator to
+fix UHS-I SD card detection failures.
+
+Measurements on CN78 pin 4 showed the actual voltage ramp time to be
+21.86ms when switching between 3.3V and 1.8V. A 25ms ramp delay has
+been configured to provide adequate margin. The calculation is based
+on the voltage delta of 1.5V (3.3V - 1.8V):
+  1500000 uV / 60 uV/us = 25000 us (25ms)
+
+Prior to this patch, UHS-I cards failed to initialize with:
+
+    mmc0: error -110 whilst initialising SD card
+
+After this patch, UHS-I cards are properly detected on SD0:
+
+    mmc0: new UHS-I speed SDR104 SDXC card at address aaaa
+    mmcblk0: mmc0:aaaa SR64G 59.5 GiB
+
+Fixes: d065453e5ee09 ("arm64: dts: renesas: rzt2h-rzn2h-evk: Enable SD card slot")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20260123225957.1007089-2-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi b/arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi
+index 63bd91690b540..890e4ddc1e78b 100644
+--- a/arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi
++++ b/arch/arm64/boot/dts/renesas/rzt2h-n2h-evk-common.dtsi
+@@ -53,6 +53,7 @@ vqmmc_sdhi0: regulator-vqmmc-sdhi0 {
+               regulator-max-microvolt = <3300000>;
+               gpios-states = <0>;
+               states = <3300000 0>, <1800000 1>;
++              regulator-ramp-delay = <60>;
+       };
+ #endif
+-- 
+2.51.0
+
diff --git a/queue-6.19/arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch b/queue-6.19/arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch
new file mode 100644 (file)
index 0000000..e608faf
--- /dev/null
@@ -0,0 +1,53 @@
+From aeb470d307da2538f8a31e30241de67d8644971d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 22:59:57 +0000
+Subject: arm64: dts: renesas: rzv2-evk-cn15-sd: Add ramp delay for SD0
+ regulator
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit 5c03465ecf6a56b7b261df9594f0e10612f53a50 ]
+
+Set an appropriate ramp delay for the SD0 I/O voltage regulator in the
+CN15 SD overlay to make UHS-I voltage switching reliable during card
+initialization.
+
+This issue was observed on the RZ/V2H EVK, while the same UHS-I cards
+worked on the RZ/V2N EVK without problems. Adding the ramp delay makes
+the behavior consistent and avoids SD init timeouts.
+
+Before this change SD0 could fail with:
+
+    mmc0: error -110 whilst initialising SD card
+
+With the delay in place UHS-I cards enumerate correctly:
+
+    mmc0: new UHS-I speed SDR104 SDXC card at address aaaa
+    mmcblk0: mmc0:aaaa SR64G 59.5 GiB
+     mmcblk0: p1
+
+Fixes: 3d6c2bc7629c8 ("arm64: dts: renesas: Add CN15 eMMC and SD overlays for RZ/V2H and RZ/V2N EVKs")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20260123225957.1007089-5-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso b/arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso
+index 0af1e0a6c7f48..fc53c1aae3b52 100644
+--- a/arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso
++++ b/arch/arm64/boot/dts/renesas/rzv2-evk-cn15-sd.dtso
+@@ -25,6 +25,7 @@
+               regulator-max-microvolt = <3300000>;
+               gpios-states = <0>;
+               states = <3300000 0>, <1800000 1>;
++              regulator-ramp-delay = <60>;
+       };
+ };
+-- 
+2.51.0
+
diff --git a/queue-6.19/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch b/queue-6.19/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch
new file mode 100644 (file)
index 0000000..7445df4
--- /dev/null
@@ -0,0 +1,52 @@
+From 33462ef03c88eca85ac2d8e025625f04297b1e8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 14:50:52 +0100
+Subject: Bluetooth: hci_sync: Fix hci_le_create_conn_sync
+
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+
+[ Upstream commit 2cabe7ff1001b7a197009cf50ba71701f9cbd354 ]
+
+While introducing hci_le_create_conn_sync the functionality
+of hci_connect_le was ported to hci_le_create_conn_sync including
+the disable of the scan before starting the connection.
+
+When this code was run non synchronously the immediate call that was
+setting the flag HCI_LE_SCAN_INTERRUPTED had an impact. Since the
+completion handler for the LE_SCAN_DISABLE was not immediately called.
+In the completion handler of the LE_SCAN_DISABLE event, this flag is
+checked to set the state of the hdev to DISCOVERY_STOPPED.
+
+With the synchronised approach the later setting of the
+HCI_LE_SCAN_INTERRUPTED flag has not the same effect. The completion
+handler would immediately fire in the LE_SCAN_DISABLE call, check for
+the flag, which is then not yet set and do nothing.
+
+To fix this issue and make the function call work as before, we move the
+setting of the flag HCI_LE_SCAN_INTERRUPTED before disabling the scan.
+
+Fixes: 8e8b92ee60de ("Bluetooth: hci_sync: Add hci_le_create_conn_sync")
+Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 80b601e344ae3..43b36581e336d 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -6596,8 +6596,8 @@ static int hci_le_create_conn_sync(struct hci_dev *hdev, void *data)
+        * state.
+        */
+       if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {
+-              hci_scan_disable_sync(hdev);
+               hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
++              hci_scan_disable_sync(hdev);
+       }
+       /* Update random address, but set require_privacy to false so
+-- 
+2.51.0
+
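Review bot: The return value of `hci_scan_disable_sync(hdev)` is still discarded on the new line, so if disabling the scan fails the flag HCI_LE_SCAN_INTERRUPTED now remains set while scanning is in fact still running, which is a new inconsistency the reorder introduces (before, the flag was only set after the disable call). Since the flag is consumed by the LE_SCAN_DISABLE completion path, a failed disable never clears it; consider `if (hci_scan_disable_sync(hdev))` followed by `hci_dev_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED);`, if that matches how the completion handler treats the error case. A one-line comment above the flag set stating why it must precede the disable (the completion handler runs synchronously inside hci_scan_disable_sync) would also keep the next refactor from swapping the lines back. hci_le_create_conn_sync starts and ends outside the hunk.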
diff --git a/queue-6.19/bluetooth-hidp-fix-possible-uaf.patch b/queue-6.19/bluetooth-hidp-fix-possible-uaf.patch
new file mode 100644 (file)
index 0000000..fb92207
--- /dev/null
@@ -0,0 +1,237 @@
+From daa60f39fe3952819691f9a1f278572a83cb4a8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 10:17:47 -0500
+Subject: Bluetooth: HIDP: Fix possible UAF
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit dbf666e4fc9bdd975a61bf682b3f75cb0145eedd ]
+
+This fixes the following trace caused by not dropping l2cap_conn
+reference when user->remove callback is called:
+
+[   97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
+[   97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   97.809947] Call Trace:
+[   97.809954]  <TASK>
+[   97.809961]  dump_stack_lvl (lib/dump_stack.c:122)
+[   97.809990]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
+[   97.810017]  l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
+[   97.810055]  l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
+[   97.810086]  ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
+[   97.810117]  hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
+[   97.810148]  hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
+[   97.810180]  ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
+[   97.810212]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810242]  ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
+[   97.810267]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810290]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
+[   97.810320]  hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
+[   97.810346]  vhci_release (drivers/bluetooth/hci_vhci.c:691)
+[   97.810375]  ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
+[   97.810404]  __fput (fs/file_table.c:470)
+[   97.810430]  task_work_run (kernel/task_work.c:235)
+[   97.810451]  ? __pfx_task_work_run (kernel/task_work.c:201)
+[   97.810472]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810495]  ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
+[   97.810527]  do_exit (kernel/exit.c:972)
+[   97.810547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810574]  ? __pfx_do_exit (kernel/exit.c:897)
+[   97.810594]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
+[   97.810616]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810639]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
+[   97.810664]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810688]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   97.810721]  do_group_exit (kernel/exit.c:1093)
+[   97.810745]  get_signal (kernel/signal.c:3007 (discriminator 1))
+[   97.810772]  ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
+[   97.810803]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810826]  ? vfs_read (fs/read_write.c:555)
+[   97.810854]  ? __pfx_get_signal (kernel/signal.c:2800)
+[   97.810880]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810905]  ? __pfx_vfs_read (fs/read_write.c:555)
+[   97.810932]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810960]  arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
+[   97.810990]  ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
+[   97.811021]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811055]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811078]  ? ksys_read (fs/read_write.c:707)
+[   97.811106]  ? __pfx_ksys_read (fs/read_write.c:707)
+[   97.811137]  exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
+[   97.811169]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
+[   97.811192]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811215]  ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
+[   97.811240]  do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
+[   97.811268]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811292]  ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
+[   97.811318]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+[   97.811338] RIP: 0033:0x445cfe
+[   97.811352] Code: Unable to access opcode bytes at 0x445cd4.
+
+Code starting with the faulting instruction
+===========================================
+[   97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
+[   97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe
+[   97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004
+[   97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000
+[   97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8
+[   97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0
+[   97.811453]  </TASK>
+[   98.402453] ==================================================================
+[   98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430
+[   98.405361]
+[   98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   98.405600] Call Trace:
+[   98.405607]  <TASK>
+[   98.405614]  dump_stack_lvl (lib/dump_stack.c:122)
+[   98.405641]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
+[   98.405667]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.405691]  ? __virt_addr_valid (arch/x86/mm/physaddr.c:55)
+[   98.405724]  ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405748]  kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
+[   98.405778]  ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405807]  __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405832]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
+[   98.405859]  ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.405888]  ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
+[   98.405915]  ? __pfx___mutex_lock (kernel/locking/mutex.c:775)
+[   98.405939]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.405963]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
+[   98.405984]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.406015]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406038]  ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875)
+[   98.406061]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406085]  ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194)
+[   98.406107]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406130]  ? __timer_delete_sync (kernel/time/timer.c:1592)
+[   98.406158]  ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.406186]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406210]  l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.406263]  hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305)
+[   98.406293]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.406323]  ? kthread (kernel/kthread.c:433)
+[   98.406340]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.406370]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406393]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.406424]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.406453]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406476]  ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
+[   98.406499]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406523]  ? kthread (kernel/kthread.c:433)
+[   98.406539]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406565]  ? kthread (kernel/kthread.c:433)
+[   98.406581]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.406610]  kthread (kernel/kthread.c:467)
+[   98.406627]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.406645]  ret_from_fork (arch/x86/kernel/process.c:164)
+[   98.406674]  ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
+[   98.406704]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406728]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.406747]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
+[   98.406774]  </TASK>
+[   98.406780]
+[   98.433693] The buggy address belongs to the physical page:
+[   98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4
+[   98.435557] flags: 0x200000000000000(node=0|zone=2)
+[   98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000
+[   98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000
+[   98.438115] page dumped because: kasan: bad access detected
+[   98.438951]
+[   98.439211] Memory state around the buggy address:
+[   98.439871]  ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   98.440714]  ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.442458]                                   ^
+[   98.443011]  ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.443889]  ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.444768] ==================================================================
+[   98.445719] Disabling lock debugging due to kernel taint
+[   98.448074] l2cap_conn_free: freeing conn ffff88810c22b400
+[   98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G    B               7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   98.450040] Tainted: [B]=BAD_PAGE
+[   98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   98.450059] Call Trace:
+[   98.450065]  <TASK>
+[   98.450071]  dump_stack_lvl (lib/dump_stack.c:122)
+[   98.450099]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
+[   98.450125]  l2cap_conn_put (net/bluetooth/l2cap_core.c:1822)
+[   98.450154]  session_free (net/bluetooth/hidp/core.c:990)
+[   98.450181]  hidp_session_thread (net/bluetooth/hidp/core.c:1307)
+[   98.450213]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.450271]  ? kthread (kernel/kthread.c:433)
+[   98.450293]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.450339]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450368]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.450406]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.450442]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450471]  ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
+[   98.450499]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450528]  ? kthread (kernel/kthread.c:433)
+[   98.450547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450578]  ? kthread (kernel/kthread.c:433)
+[   98.450598]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.450637]  kthread (kernel/kthread.c:467)
+[   98.450657]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.450680]  ret_from_fork (arch/x86/kernel/process.c:164)
+[   98.450715]  ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
+[   98.450752]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450782]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.450804]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
+[   98.450836]  </TASK>
+
+Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers")
+Reported-by: soufiane el hachmi <kilwa10@gmail.com>
+Tested-by: soufiane el hachmi <kilwa10@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hidp/core.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index 6724adce615b6..e0e4003815500 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -986,7 +986,8 @@ static void session_free(struct kref *ref)
+       skb_queue_purge(&session->intr_transmit);
+       fput(session->intr_sock->file);
+       fput(session->ctrl_sock->file);
+-      l2cap_conn_put(session->conn);
++      if (session->conn)
++              l2cap_conn_put(session->conn);
+       kfree(session);
+ }
+@@ -1164,6 +1165,15 @@ static void hidp_session_remove(struct l2cap_conn *conn,
+       down_write(&hidp_session_sem);
++      /* Drop L2CAP reference immediately to indicate that
++       * l2cap_unregister_user() shall not be called as it is already
++       * considered removed.
++       */
++      if (session->conn) {
++              l2cap_conn_put(session->conn);
++              session->conn = NULL;
++      }
++
+       hidp_session_terminate(session);
+       cancel_work_sync(&session->dev_init);
+@@ -1301,7 +1311,9 @@ static int hidp_session_thread(void *arg)
+        * Instead, this call has the same semantics as if user-space tried to
+        * delete the session.
+        */
+-      l2cap_unregister_user(session->conn, &session->user);
++      if (session->conn)
++              l2cap_unregister_user(session->conn, &session->user);
++
+       hidp_session_put(session);
+       module_put_and_kthread_exit(0);
+-- 
+2.51.0
+
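Review bot: The new `if (session->conn)` checks in session_free and hidp_session_thread read session->conn without visibly holding hidp_session_sem, while hidp_session_remove clears it under down_write(&hidp_session_sem); hidp_session_thread reads the field twice (the test and the l2cap_unregister_user argument), so a concurrent remove between the two reads can still hand l2cap_unregister_user a pointer whose reference was just dropped. Whether this window is reachable depends on how the remove callback is serialised against the session thread, which is outside the hunk, so this is hedged, but the pattern is fragile. Reading the pointer once into a local under the semaphore, e.g. `down_read(&hidp_session_sem); conn = session->conn; up_read(&hidp_session_sem);` before the unregister call, or documenting in a comment which lock protects session->conn, would make the lifetime rule explicit. Both session_free and hidp_session_thread continue outside the hunk.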
diff --git a/queue-6.19/bluetooth-iso-fix-defer-tests-being-unstable.patch b/queue-6.19/bluetooth-iso-fix-defer-tests-being-unstable.patch
new file mode 100644 (file)
index 0000000..0bbc1e5
--- /dev/null
@@ -0,0 +1,49 @@
+From 03833a16b30e6de304738488b43055ed05634f6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Feb 2026 15:23:01 -0500
+Subject: Bluetooth: ISO: Fix defer tests being unstable
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 62bcaa6b351b6dc400f6c6b83762001fd9f5c12d ]
+
+iso-tester defer tests seem to fail with hci_conn_hash_lookup_cig
+being unable to resolve a cig in set_cig_params_sync due a race
+where it is run immediatelly before hci_bind_cis is able to set
+the QoS settings into the hci_conn object.
+
+So this moves the assigning of the QoS settings to be done directly
+by hci_le_set_cig_params to prevent that from happening again.
+
+Fixes: 26afbd826ee3 ("Bluetooth: Add initial implementation of CIS connections")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_conn.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index dc085856f5e91..0f512c2c2fd3c 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1944,6 +1944,8 @@ static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
+               return false;
+ done:
++      conn->iso_qos = *qos;
++
+       if (hci_cmd_sync_queue(hdev, set_cig_params_sync,
+                              UINT_PTR(qos->ucast.cig), NULL) < 0)
+               return false;
+@@ -2013,8 +2015,6 @@ struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
+       }
+       hci_conn_hold(cis);
+-
+-      cis->iso_qos = *qos;
+       cis->state = BT_BOUND;
+       return cis;
+-- 
+2.51.0
+
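Review bot: The moved assignment at `done:` carries no comment explaining why conn->iso_qos must be populated before hci_cmd_sync_queue is called, so a later reader may move it back after the queue call (where the removed hci_bind_cis assignment used to be) and silently reintroduce the race with set_cig_params_sync described in the commit message. Also note the copy now happens even when hci_cmd_sync_queue fails and the function returns false, whereas previously the QoS was only stored on the success path; this looks harmless but is a behaviour change worth stating. Suggested comment above the new line: `/* Must be set before queuing: set_cig_params_sync looks up the CIG via conn->iso_qos */`. hci_le_set_cig_params starts outside the hunk.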
diff --git a/queue-6.19/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch b/queue-6.19/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch
new file mode 100644 (file)
index 0000000..e2d7bf0
--- /dev/null
@@ -0,0 +1,90 @@
+From aa58570ea6976a29fc50e38b0b6014617ed46c5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Nov 2025 23:50:16 +0530
+Subject: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
+
+From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+
+[ Upstream commit 752a6c9596dd25efd6978a73ff21f3b592668f4a ]
+
+After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in
+hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to
+conn->users. However, l2cap_register_user() and l2cap_unregister_user()
+don't use conn->lock, creating a race condition where these functions can
+access conn->users and conn->hchan concurrently with l2cap_conn_del().
+
+This can lead to use-after-free and list corruption bugs, as reported
+by syzbot.
+
+Fix this by changing l2cap_register_user() and l2cap_unregister_user()
+to use conn->lock instead of hci_dev_lock(), ensuring consistent locking
+for the l2cap_conn structure.
+
+Reported-by: syzbot+14b6d57fb728e27ce23c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=14b6d57fb728e27ce23c
+Fixes: ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del")
+Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 05acc2e98f58f..9ea030fc9a9cc 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -1686,17 +1686,15 @@ static void l2cap_info_timeout(struct work_struct *work)
+ int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
+ {
+-      struct hci_dev *hdev = conn->hcon->hdev;
+       int ret;
+       /* We need to check whether l2cap_conn is registered. If it is not, we
+-       * must not register the l2cap_user. l2cap_conn_del() is unregisters
+-       * l2cap_conn objects, but doesn't provide its own locking. Instead, it
+-       * relies on the parent hci_conn object to be locked. This itself relies
+-       * on the hci_dev object to be locked. So we must lock the hci device
+-       * here, too. */
++       * must not register the l2cap_user. l2cap_conn_del() unregisters
++       * l2cap_conn objects under conn->lock, and we use the same lock here
++       * to protect access to conn->users and conn->hchan.
++       */
+-      hci_dev_lock(hdev);
++      mutex_lock(&conn->lock);
+       if (!list_empty(&user->list)) {
+               ret = -EINVAL;
+@@ -1717,16 +1715,14 @@ int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
+       ret = 0;
+ out_unlock:
+-      hci_dev_unlock(hdev);
++      mutex_unlock(&conn->lock);
+       return ret;
+ }
+ EXPORT_SYMBOL(l2cap_register_user);
+ void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
+ {
+-      struct hci_dev *hdev = conn->hcon->hdev;
+-
+-      hci_dev_lock(hdev);
++      mutex_lock(&conn->lock);
+       if (list_empty(&user->list))
+               goto out_unlock;
+@@ -1735,7 +1731,7 @@ void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
+       user->remove(conn, user);
+ out_unlock:
+-      hci_dev_unlock(hdev);
++      mutex_unlock(&conn->lock);
+ }
+ EXPORT_SYMBOL(l2cap_unregister_user);
+-- 
+2.51.0
+
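Review bot: The second function, l2cap_unregister_user, now invokes `user->remove(conn, user)` with conn->lock held (the call sits between mutex_lock and mutex_unlock), but neither the function nor the removed/added comments state this new lock-ordering constraint for callers implementing the remove callback. Any remove implementation that itself takes conn->lock, or that takes a lock which elsewhere is held while conn->lock is acquired, would deadlock, and the register path's comment only documents the users/hchan protection. Suggested comment before the remove call: `/* Called with conn->lock held; remove callbacks must not re-acquire it */`, and the same constraint belongs in the l2cap_user documentation where the callback is declared. l2cap_unregister_user's body is fully in the hunk; l2cap_register_user's middle part is outside it.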
diff --git a/queue-6.19/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch b/queue-6.19/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
new file mode 100644 (file)
index 0000000..ca9c9e5
--- /dev/null
@@ -0,0 +1,55 @@
+From 2081cdc2602cb443160c1b04fd20e24148f9a2b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:25 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit e1d9a66889867c232657a9b6f25d451d7c3ab96f ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"If the SDU length field value exceeds the receiver's MTU, the receiver
+shall disconnect the channel..."
+
+This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P
+0x0027 -V le_public -I 100').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 319c87bd795d5..1618fe98dce71 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -6654,8 +6654,10 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+               return -ENOBUFS;
+       }
+-      if (chan->imtu < skb->len) {
+-              BT_ERR("Too big LE L2CAP PDU");
++      if (skb->len > chan->imtu) {
++              BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len,
++                     chan->imtu);
++              l2cap_send_disconn_req(chan, ECONNRESET);
+               return -ENOBUFS;
+       }
+@@ -6681,7 +6683,9 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+                      sdu_len, skb->len, chan->imtu);
+               if (sdu_len > chan->imtu) {
+-                      BT_ERR("Too big LE L2CAP SDU length received");
++                      BT_ERR("Too big LE L2CAP SDU length: len %u > %u",
++                             skb->len, sdu_len);
++                      l2cap_send_disconn_req(chan, ECONNRESET);
+                       err = -EMSGSIZE;
+                       goto failed;
+               }
+-- 
+2.51.0
+
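Review bot: The second BT_ERR in the hunk prints the wrong values: the condition is `sdu_len > chan->imtu`, but the message "Too big LE L2CAP SDU length: len %u > %u" is passed `skb->len, sdu_len`, so the logged comparison neither matches the check nor the first hunk's "len %u > %u" which correctly prints length against imtu. Change it to `BT_ERR("Too big LE L2CAP SDU length: len %u > %u", sdu_len, chan->imtu);` so the log is useful when diagnosing a peer sending oversized SDUs. l2cap_ecred_data_rcv starts before and continues after both hunks.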
diff --git a/queue-6.19/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch b/queue-6.19/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
new file mode 100644 (file)
index 0000000..d561eb5
--- /dev/null
@@ -0,0 +1,39 @@
+From 312abdc9676f3da68d114e86044e2cc6048bdad3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:27 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit b6a2bf43aa37670432843bc73ae2a6288ba4d6f8 ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"... If the sum of the payload sizes for the K-frames exceeds the
+specified SDU length, the receiver shall disconnect the channel."
+
+This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
+0x0027 -V le_public').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 1618fe98dce71..05acc2e98f58f 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -6721,6 +6721,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+       if (chan->sdu->len + skb->len > chan->sdu_len) {
+               BT_ERR("Too much LE L2CAP data received");
++              l2cap_send_disconn_req(chan, ECONNRESET);
+               err = -EINVAL;
+               goto failed;
+       }
+-- 
+2.51.0
+
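Review bot: The `BT_ERR("Too much LE L2CAP data received")` immediately above the new `l2cap_send_disconn_req(chan, ECONNRESET);` reports no sizes, so the log line that now accompanies a forced disconnect cannot show which of `chan->sdu->len`, `skb->len` or `chan->sdu_len` violated the check, whereas the checks patched in the preceding patch of this series already print the offending lengths. I would make this one consistent: `BT_ERR("Too much LE L2CAP data received: %u + %u > %u", chan->sdu->len, skb->len, chan->sdu_len);`. A one-line comment above the new call, `/* Core 6.0 Vol 3 Part A 3.4.3: K-frame payload sum exceeds SDU length, disconnect */`, would tie the disconnect to the spec clause quoted in the description. The `failed:` label and the rest of l2cap_ecred_data_rcv() lie outside the hunk.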
diff --git a/queue-6.19/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch b/queue-6.19/bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch
new file mode 100644 (file)
index 0000000..a1e242b
--- /dev/null
@@ -0,0 +1,67 @@
+From b17e08daca0be65de40f5f5803e0227c8dbf00e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Feb 2026 11:03:39 +0000
+Subject: Bluetooth: MGMT: Fix list corruption and UAF in command complete
+ handlers
+
+From: Wang Tao <wangtao554@huawei.com>
+
+[ Upstream commit 17f89341cb4281d1da0e2fb0de5406ab7c4e25ef ]
+
+Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced
+mgmt_pending_valid(), which not only validates the pending command but
+also unlinks it from the pending list if it is valid. This change in
+semantics requires updates to several completion handlers to avoid list
+corruption and memory safety issues.
+
+This patch addresses two left-over issues from the aforementioned rework:
+
+1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()
+is replaced with mgmt_pending_free() in the success path. Since
+mgmt_pending_valid() already unlinks the command at the beginning of
+the function, calling mgmt_pending_remove() leads to a double list_del()
+and subsequent list corruption/kernel panic.
+
+2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error
+path is removed. Since the current command is already unlinked by
+mgmt_pending_valid(), this foreach loop would incorrectly target other
+pending mesh commands, potentially freeing them while they are still being
+processed concurrently (leading to UAFs). The redundant mgmt_cmd_status()
+is also simplified to use cmd->opcode directly.
+
+Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs")
+Signed-off-by: Wang Tao <wangtao554@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 0e46f9e08b106..2c63f49c33018 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -2195,10 +2195,7 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
+       sk = cmd->sk;
+       if (status) {
+-              mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
+-                              status);
+-              mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true,
+-                                   cmd_status_rsp, &status);
++              mgmt_cmd_status(cmd->sk, hdev->id, cmd->opcode, status);
+               goto done;
+       }
+@@ -5377,7 +5374,7 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
+       mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
+                         mgmt_status(status), &rp, sizeof(rp));
+-      mgmt_pending_remove(cmd);
++      mgmt_pending_free(cmd);
+       hci_dev_unlock(hdev);
+       bt_dev_dbg(hdev, "add monitor %d complete, status %d",
+-- 
+2.51.0
+
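Review bot: The `mgmt_pending_free(cmd);` replacement in mgmt_add_adv_patterns_monitor_complete() encodes a non-obvious invariant — that the command was already unlinked by mgmt_pending_valid() earlier in the function, outside the hunk — and nothing at the call site says so, so a later cleanup could "fix" it back to mgmt_pending_remove() and reintroduce the double list_del() described in the commit message. I would add `/* cmd was already unlinked by mgmt_pending_valid(); only free it here */` above that line. In set_mesh_complete() the new `mgmt_cmd_status(cmd->sk, hdev->id, cmd->opcode, status);` re-reads `cmd->sk` although `sk = cmd->sk;` was captured just above; using `sk` there is the smaller and more consistent change. Both enclosing functions start and end outside the hunk.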
diff --git a/queue-6.19/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch b/queue-6.19/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch
new file mode 100644 (file)
index 0000000..98a2bf6
--- /dev/null
@@ -0,0 +1,46 @@
+From c7005aa0bfe6fc4b5a8eb80db8694e474607f734 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 01:02:57 +0200
+Subject: Bluetooth: qca: fix ROM version reading on WCN3998 chips
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit 99b2c531e0e797119ae1b9195a8764ee98b00e65 ]
+
+WCN3998 uses a bit different format for rom version:
+
+[    5.479978] Bluetooth: hci0: setting up wcn399x
+[    5.633763] Bluetooth: hci0: QCA Product ID   :0x0000000a
+[    5.645350] Bluetooth: hci0: QCA SOC Version  :0x40010224
+[    5.650906] Bluetooth: hci0: QCA ROM Version  :0x00001001
+[    5.665173] Bluetooth: hci0: QCA Patch Version:0x00006699
+[    5.679356] Bluetooth: hci0: QCA controller version 0x02241001
+[    5.691109] Bluetooth: hci0: QCA Downloading qca/crbtfw21.tlv
+[    6.680102] Bluetooth: hci0: QCA Downloading qca/crnv21.bin
+[    6.842948] Bluetooth: hci0: QCA setup on UART is completed
+
+Fixes: 523760b7ff88 ("Bluetooth: hci_qca: Added support for WCN3998")
+Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btqca.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index 7c958d6065bec..86a48d009d1ba 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -804,6 +804,8 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+        */
+       if (soc_type == QCA_WCN3988)
+               rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f);
++      else if (soc_type == QCA_WCN3998)
++              rom_ver = ((soc_ver & 0x0000f000) >> 0x07) | (soc_ver & 0x0000000f);
+       else
+               rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f);
+-- 
+2.51.0
+
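Review bot: The new branch `rom_ver = ((soc_ver & 0x0000f000) >> 0x07) | (soc_ver & 0x0000000f);` introduces a third undocumented mask/shift layout, and the explanatory comment that ends just above the chain (its closing `*/` is the first hunk line) presumably only describes the WCN3988 case, so it should gain a line stating where WCN3998 keeps its ROM-version nibble and why the shift is 7 rather than 4 or 5. With three layouts, a `switch (soc_type)` with a `default:` case reads better than the growing if/else-if chain and makes later additions less error-prone. The surrounding qca_uart_setup() body lies outside the hunk.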
diff --git a/queue-6.19/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch b/queue-6.19/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
new file mode 100644 (file)
index 0000000..fd83f3d
--- /dev/null
@@ -0,0 +1,36 @@
+From 1de26d65d4c5b1c6eaebdf3694b14f74c9bf553a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:28 +0100
+Subject: Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit 0e4d4dcc1a6e82cc6f9abf32193558efa7e1613d ]
+
+The last test step ("Test with Invalid public key X and Y, all set to
+0") expects to get an "DHKEY check failed" instead of "unspecified".
+
+Fixes: 6d19628f539f ("Bluetooth: SMP: Fail if remote and local public keys are identical")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index 3a1ce04a7a536..9d96040745897 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2743,7 +2743,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
+       if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
+           !crypto_memneq(key, smp->local_pk, 64)) {
+               bt_dev_err(hdev, "Remote and local public keys are identical");
+-              return SMP_UNSPECIFIED;
++              return SMP_DHKEY_CHECK_FAILED;
+       }
+       memcpy(smp->remote_pk, key, 64);
+-- 
+2.51.0
+
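Review bot: The identical-public-key path now returns `SMP_DHKEY_CHECK_FAILED`, but the only explanation of why is the qualification test name in the commit title; the `bt_dev_err` text still just says the keys are identical and nothing at the call site records the choice, so a later cleanup could revert it. I would add above the check `/* SM/PER/KDU/BI-04-C expects "DHKey check failed", not "unspecified", for an invalid remote public key */`. The guard itself — constant-time `crypto_memneq` against `smp->local_pk`, bypassed only with `SMP_FLAG_DEBUG_KEY` — is unchanged. smp_cmd_public_key() starts and ends outside the hunk.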
diff --git a/queue-6.19/bonding-prevent-potential-infinite-loop-in-bond_head.patch b/queue-6.19/bonding-prevent-potential-infinite-loop-in-bond_head.patch
new file mode 100644 (file)
index 0000000..588ec69
--- /dev/null
@@ -0,0 +1,205 @@
+From 81c56a2756bddeba2590057ca8fc17039a6db726 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 10:41:52 +0000
+Subject: bonding: prevent potential infinite loop in bond_header_parse()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b7405dcf7385445e10821777143f18c3ce20fa04 ]
+
+bond_header_parse() can loop if a stack of two bonding devices is setup,
+because skb->dev always points to the hierarchy top.
+
+Add new "const struct net_device *dev" parameter to
+(struct header_ops)->parse() method to make sure the recursion
+is bounded, and that the final leaf parse method is called.
+
+Fixes: 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Tested-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Cc: Jay Vosburgh <jv@jvosburgh.net>
+Cc: Andrew Lunn <andrew+netdev@lunn.ch>
+Link: https://patch.msgid.link/20260315104152.1436867-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firewire/net.c          | 5 +++--
+ drivers/net/bonding/bond_main.c | 8 +++++---
+ include/linux/etherdevice.h     | 3 ++-
+ include/linux/if_ether.h        | 3 ++-
+ include/linux/netdevice.h       | 6 ++++--
+ net/ethernet/eth.c              | 9 +++------
+ net/ipv4/ip_gre.c               | 3 ++-
+ net/mac802154/iface.c           | 4 +++-
+ net/phonet/af_phonet.c          | 5 ++++-
+ 9 files changed, 28 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c
+index 6d64467135395..e829454089550 100644
+--- a/drivers/firewire/net.c
++++ b/drivers/firewire/net.c
+@@ -257,9 +257,10 @@ static void fwnet_header_cache_update(struct hh_cache *hh,
+       memcpy((u8 *)hh->hh_data + HH_DATA_OFF(FWNET_HLEN), haddr, net->addr_len);
+ }
+-static int fwnet_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++static int fwnet_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++                            unsigned char *haddr)
+ {
+-      memcpy(haddr, skb->dev->dev_addr, FWNET_ALEN);
++      memcpy(haddr, dev->dev_addr, FWNET_ALEN);
+       return FWNET_ALEN;
+ }
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index e8e261e0cb4e1..106cfe732a15e 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1497,9 +1497,11 @@ static int bond_header_create(struct sk_buff *skb, struct net_device *bond_dev,
+       return ret;
+ }
+-static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++static int bond_header_parse(const struct sk_buff *skb,
++                           const struct net_device *dev,
++                           unsigned char *haddr)
+ {
+-      struct bonding *bond = netdev_priv(skb->dev);
++      struct bonding *bond = netdev_priv(dev);
+       const struct header_ops *slave_ops;
+       struct slave *slave;
+       int ret = 0;
+@@ -1509,7 +1511,7 @@ static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr)
+       if (slave) {
+               slave_ops = READ_ONCE(slave->dev->header_ops);
+               if (slave_ops && slave_ops->parse)
+-                      ret = slave_ops->parse(skb, haddr);
++                      ret = slave_ops->parse(skb, slave->dev, haddr);
+       }
+       rcu_read_unlock();
+       return ret;
+diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h
+index 9a1eacf35d370..df8f88f63a706 100644
+--- a/include/linux/etherdevice.h
++++ b/include/linux/etherdevice.h
+@@ -42,7 +42,8 @@ extern const struct header_ops eth_header_ops;
+ int eth_header(struct sk_buff *skb, struct net_device *dev, unsigned short type,
+              const void *daddr, const void *saddr, unsigned len);
+-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr);
++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++                   unsigned char *haddr);
+ int eth_header_cache(const struct neighbour *neigh, struct hh_cache *hh,
+                    __be16 type);
+ void eth_header_cache_update(struct hh_cache *hh, const struct net_device *dev,
+diff --git a/include/linux/if_ether.h b/include/linux/if_ether.h
+index 61b7335aa037c..ca9afa824aa4f 100644
+--- a/include/linux/if_ether.h
++++ b/include/linux/if_ether.h
+@@ -40,7 +40,8 @@ static inline struct ethhdr *inner_eth_hdr(const struct sk_buff *skb)
+       return (struct ethhdr *)skb_inner_mac_header(skb);
+ }
+-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr);
++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++                   unsigned char *haddr);
+ extern ssize_t sysfs_format_mac(char *buf, const unsigned char *addr, int len);
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 444e52eb8ed99..1216f050f0699 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -311,7 +311,9 @@ struct header_ops {
+       int     (*create) (struct sk_buff *skb, struct net_device *dev,
+                          unsigned short type, const void *daddr,
+                          const void *saddr, unsigned int len);
+-      int     (*parse)(const struct sk_buff *skb, unsigned char *haddr);
++      int     (*parse)(const struct sk_buff *skb,
++                       const struct net_device *dev,
++                       unsigned char *haddr);
+       int     (*cache)(const struct neighbour *neigh, struct hh_cache *hh, __be16 type);
+       void    (*cache_update)(struct hh_cache *hh,
+                               const struct net_device *dev,
+@@ -3442,7 +3444,7 @@ static inline int dev_parse_header(const struct sk_buff *skb,
+       if (!dev->header_ops || !dev->header_ops->parse)
+               return 0;
+-      return dev->header_ops->parse(skb, haddr);
++      return dev->header_ops->parse(skb, dev, haddr);
+ }
+ static inline __be16 dev_parse_header_protocol(const struct sk_buff *skb)
+diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c
+index 13a63b48b7eeb..d9faadbe9b6c8 100644
+--- a/net/ethernet/eth.c
++++ b/net/ethernet/eth.c
+@@ -193,14 +193,11 @@ __be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev)
+ }
+ EXPORT_SYMBOL(eth_type_trans);
+-/**
+- * eth_header_parse - extract hardware address from packet
+- * @skb: packet to extract header from
+- * @haddr: destination buffer
+- */
+-int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++int eth_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++                   unsigned char *haddr)
+ {
+       const struct ethhdr *eth = eth_hdr(skb);
++
+       memcpy(haddr, eth->h_source, ETH_ALEN);
+       return ETH_ALEN;
+ }
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index e13244729ad8d..35f0baa99d409 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -919,7 +919,8 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
+       return -(t->hlen + sizeof(*iph));
+ }
+-static int ipgre_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++static int ipgre_header_parse(const struct sk_buff *skb, const struct net_device *dev,
++                            unsigned char *haddr)
+ {
+       const struct iphdr *iph = (const struct iphdr *) skb_mac_header(skb);
+       memcpy(haddr, &iph->saddr, 4);
+diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
+index 9e4631fade90c..000be60d95803 100644
+--- a/net/mac802154/iface.c
++++ b/net/mac802154/iface.c
+@@ -469,7 +469,9 @@ static int mac802154_header_create(struct sk_buff *skb,
+ }
+ static int
+-mac802154_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++mac802154_header_parse(const struct sk_buff *skb,
++                     const struct net_device *dev,
++                     unsigned char *haddr)
+ {
+       struct ieee802154_hdr hdr;
+diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c
+index 238a9638d2b0f..d89225d6bfd3b 100644
+--- a/net/phonet/af_phonet.c
++++ b/net/phonet/af_phonet.c
+@@ -129,9 +129,12 @@ static int pn_header_create(struct sk_buff *skb, struct net_device *dev,
+       return 1;
+ }
+-static int pn_header_parse(const struct sk_buff *skb, unsigned char *haddr)
++static int pn_header_parse(const struct sk_buff *skb,
++                         const struct net_device *dev,
++                         unsigned char *haddr)
+ {
+       const u8 *media = skb_mac_header(skb);
++
+       *haddr = *media;
+       return 1;
+ }
+-- 
+2.51.0
+
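Review bot: The kernel-doc block for eth_header_parse() in net/ethernet/eth.c is deleted rather than updated for the new parameter, a documentation regression on an exported symbol; it should be restored with `@skb`, `@haddr` and a new `@dev: device whose header_ops is being invoked (not necessarily skb->dev)`. The `parse` member of `struct header_ops` in netdevice.h would likewise benefit from a one-line comment stating that `dev` is the device owning these header_ops, since the whole fix relies on callers passing the leaf device rather than skb->dev (bond_header_parse() now passes `slave->dev`). The added `dev` parameter is unused in ipgre_header_parse() and pn_header_parse(), which is acceptable for a callback signature but worth noting if `-Wunused-parameter` is ever enabled for those files. Several of the modified functions start or end outside their hunks.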
diff --git a/queue-6.19/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch b/queue-6.19/bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch
new file mode 100644 (file)
index 0000000..a5b27b8
--- /dev/null
@@ -0,0 +1,75 @@
+From 7d466b727ccce42b4fdc27448b1fde40b147c80c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 03:18:09 +0900
+Subject: bridge: cfm: Fix race condition in peer_mep deletion
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit 3715a00855316066cdda69d43648336367422127 ]
+
+When a peer MEP is being deleted, cancel_delayed_work_sync() is called
+on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in
+softirq context under rcu_read_lock (without RTNL) and can re-schedule
+ccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync()
+returning and kfree_rcu() being called.
+
+The following is a simple race scenario:
+
+           cpu0                                     cpu1
+
+mep_delete_implementation()
+  cancel_delayed_work_sync(ccm_rx_dwork);
+                                           br_cfm_frame_rx()
+                                             // peer_mep still in hlist
+                                             if (peer_mep->ccm_defect)
+                                               ccm_rx_timer_start()
+                                                 queue_delayed_work(ccm_rx_dwork)
+  hlist_del_rcu(&peer_mep->head);
+  kfree_rcu(peer_mep, rcu);
+                                           ccm_rx_work_expired()
+                                             // on freed peer_mep
+
+To prevent this, cancel_delayed_work_sync() is replaced with
+disable_delayed_work_sync() in both peer MEP deletion paths, so
+that subsequent queue_delayed_work() calls from br_cfm_frame_rx()
+are silently rejected.
+
+The cc_peer_disable() helper retains cancel_delayed_work_sync()
+because it is also used for the CC enable/disable toggle path where
+the work must remain re-schedulable.
+
+Fixes: dc32cbb3dbd7 ("bridge: cfm: Kernel space implementation of CFM. CCM frame RX added.")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/abBgYT5K_FI9rD1a@v4bel
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_cfm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bridge/br_cfm.c b/net/bridge/br_cfm.c
+index c2c1c7d44c615..f4ca77d9b0e96 100644
+--- a/net/bridge/br_cfm.c
++++ b/net/bridge/br_cfm.c
+@@ -576,7 +576,7 @@ static void mep_delete_implementation(struct net_bridge *br,
+       /* Empty and free peer MEP list */
+       hlist_for_each_entry_safe(peer_mep, n_store, &mep->peer_mep_list, head) {
+-              cancel_delayed_work_sync(&peer_mep->ccm_rx_dwork);
++              disable_delayed_work_sync(&peer_mep->ccm_rx_dwork);
+               hlist_del_rcu(&peer_mep->head);
+               kfree_rcu(peer_mep, rcu);
+       }
+@@ -732,7 +732,7 @@ int br_cfm_cc_peer_mep_remove(struct net_bridge *br, const u32 instance,
+               return -ENOENT;
+       }
+-      cc_peer_disable(peer_mep);
++      disable_delayed_work_sync(&peer_mep->ccm_rx_dwork);
+       hlist_del_rcu(&peer_mep->head);
+       kfree_rcu(peer_mep, rcu);
+-- 
+2.51.0
+
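Review bot: The two new `disable_delayed_work_sync(&peer_mep->ccm_rx_dwork);` calls depend on a subtlety — that br_cfm_frame_rx() may still re-arm the work under RCU after the hlist_del_rcu() — that is explained only in the commit message, so I would put `/* disable, not cancel: br_cfm_frame_rx() can still re-arm this work under RCU until peer_mep is freed */` above the first one. In br_cfm_cc_peer_mep_remove() the call to cc_peer_disable() is replaced outright; if that helper did anything beyond cancelling the work (its body is outside the hunk), that behaviour is now skipped on this path and is worth confirming. Both enclosing functions continue outside the hunk.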
diff --git a/queue-6.19/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch b/queue-6.19/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch
new file mode 100644 (file)
index 0000000..555615c
--- /dev/null
@@ -0,0 +1,99 @@
+From f92d7adc9538a2d41246c310d858fbbbdfcd1d9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Mar 2026 16:57:43 +0000
+Subject: btrfs: log new dentries when logging parent dir of a conflicting
+ inode
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 9573a365ff9ff45da9222d3fe63695ce562beb24 ]
+
+If we log the parent directory of a conflicting inode, we are not logging
+the new dentries of the directory, so when we finish we have the parent
+directory's inode marked as logged but we did not log its new dentries.
+As a consequence if the parent directory is explicitly fsynced later and
+it does not have any new changes since we logged it, the fsync is a no-op
+and after a power failure the new dentries are missing.
+
+Example scenario:
+
+  $ mkdir foo
+
+  $ sync
+
+  $rmdir foo
+
+  $ mkdir dir1
+  $ mkdir dir2
+
+  # A file with the same name and parent as the directory we just deleted
+  # and was persisted in a past transaction. So the deleted directory's
+  # inode is a conflicting inode of this new file's inode.
+  $ touch foo
+
+  $ ln foo dir2/link
+
+  # The fsync on dir2 will log the parent directory (".") because the
+  # conflicting inode (deleted directory) does not exists anymore, but it
+  # it does not log its new dentries (dir1).
+  $ xfs_io -c "fsync" dir2
+
+  # This fsync on the parent directory is no-op, since the previous fsync
+  # logged it (but without logging its new dentries).
+  $ xfs_io -c "fsync" .
+
+  <power failure>
+
+  # After log replay dir1 is missing.
+
+Fix this by ensuring we log new dir dentries whenever we log the parent
+directory of a no longer existing conflicting inode.
+
+A test case for fstests will follow soon.
+
+Reported-by: Vyacheslav Kovalevsky <slava.kovalevskiy.2014@gmail.com>
+Link: https://lore.kernel.org/linux-btrfs/182055fa-e9ce-4089-9f5f-4b8a23e8dd91@gmail.com/
+Fixes: a3baaf0d786e ("Btrfs: fix fsync after succession of renames and unlink/rmdir")
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 6cffcf0c3e7af..6c40f48cc194d 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -6195,6 +6195,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans,
+                                 struct btrfs_root *root,
+                                 struct btrfs_log_ctx *ctx)
+ {
++      const bool orig_log_new_dentries = ctx->log_new_dentries;
+       int ret = 0;
+       /*
+@@ -6256,7 +6257,11 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans,
+                        * dir index key range logged for the directory. So we
+                        * must make sure the deletion is recorded.
+                        */
++                      ctx->log_new_dentries = false;
+                       ret = btrfs_log_inode(trans, inode, LOG_INODE_ALL, ctx);
++                      if (!ret && ctx->log_new_dentries)
++                              ret = log_new_dir_dentries(trans, inode, ctx);
++
+                       btrfs_add_delayed_iput(inode);
+                       if (ret)
+                               break;
+@@ -6291,6 +6296,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans,
+                       break;
+       }
++      ctx->log_new_dentries = orig_log_new_dentries;
+       ctx->logging_conflict_inodes = false;
+       if (ret)
+               free_conflicting_inodes(ctx);
+-- 
+2.51.0
+
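Review bot: The save/restore of `ctx->log_new_dentries` around btrfs_log_inode() is only correct if every exit from log_conflicting_inodes() passes through the restore at the bottom; the hunk shows the loop leaving via `break`, but any direct `return` between the save and the restore (the middle of the function is outside the hunk) would leave the caller's flag cleared. A comment above `ctx->log_new_dentries = false;` such as `/* clear so the check below reflects only this inode's logging; the caller's value is restored after the loop */` would make that contract explicit, and a matching `/* restore caller's value */` at the restore line would mark the pairing. log_conflicting_inodes() starts and ends outside the hunk.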
diff --git a/queue-6.19/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch b/queue-6.19/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch
new file mode 100644 (file)
index 0000000..d358887
--- /dev/null
@@ -0,0 +1,38 @@
+From 37f99088e1f524c820251ad92d932999a2cb06a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 08:33:21 +0800
+Subject: btrfs: tree-checker: fix misleading root drop_level error message
+
+From: ZhengYuan Huang <gality369@gmail.com>
+
+[ Upstream commit fc1cd1f18c34f91e78362f9629ab9fd43b9dcab9 ]
+
+Fix tree-checker error message to report "invalid root drop_level"
+instead of the misleading "invalid root level".
+
+Fixes: 259ee7754b67 ("btrfs: tree-checker: Add ROOT_ITEM check")
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-checker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
+index 12d6ae49bc078..59794d726fd27 100644
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -1256,7 +1256,7 @@ static int check_root_item(struct extent_buffer *leaf, struct btrfs_key *key,
+       }
+       if (unlikely(btrfs_root_drop_level(&ri) >= BTRFS_MAX_LEVEL)) {
+               generic_err(leaf, slot,
+-                          "invalid root level, have %u expect [0, %u]",
++                          "invalid root drop_level, have %u expect [0, %u]",
+                           btrfs_root_drop_level(&ri), BTRFS_MAX_LEVEL - 1);
+               return -EUCLEAN;
+       }
+-- 
+2.51.0
+
diff --git a/queue-6.19/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch b/queue-6.19/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch
new file mode 100644 (file)
index 0000000..0fdc3e1
--- /dev/null
@@ -0,0 +1,46 @@
+From ebe7f179c84be9e948051d57624ae588445de18b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Jan 2026 01:49:09 +0800
+Subject: cache: ax45mp: Fix device node reference leak in ax45mp_cache_init()
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit 0528a348b04b327a4611e29589beb4c9ae81304a ]
+
+In ax45mp_cache_init(), of_find_matching_node() returns a device node
+with an incremented reference count that must be released with
+of_node_put(). The current code fails to call of_node_put() which
+causes a reference leak.
+
+Use the __free(device_node) attribute to ensure automatic cleanup when
+the variable goes out of scope.
+
+Fixes: d34599bcd2e4 ("cache: Add L2 cache management for Andes AX45MP RISC-V core")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cache/ax45mp_cache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cache/ax45mp_cache.c b/drivers/cache/ax45mp_cache.c
+index 1d7dd3d2c101c..934c5087ec2bd 100644
+--- a/drivers/cache/ax45mp_cache.c
++++ b/drivers/cache/ax45mp_cache.c
+@@ -178,11 +178,11 @@ static const struct of_device_id ax45mp_cache_ids[] = {
+ static int __init ax45mp_cache_init(void)
+ {
+-      struct device_node *np;
+       struct resource res;
+       int ret;
+-      np = of_find_matching_node(NULL, ax45mp_cache_ids);
++      struct device_node *np __free(device_node) =
++              of_find_matching_node(NULL, ax45mp_cache_ids);
+       if (!of_device_is_available(np))
+               return -ENODEV;
+-- 
+2.51.0
+
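Review bot: The scoped-cleanup declaration `struct device_node *np __free(device_node) = of_find_matching_node(NULL, ax45mp_cache_ids);` releases `np` automatically on every exit, so the rest of ax45mp_cache_init() (outside the hunk) must contain no remaining explicit `of_node_put(np)` and must not reassign `np` without a put, otherwise the fix becomes a double-put or a new leak; worth confirming in the part of the function not shown. The same applies to the identical change in starlink_cache_init() in the following starfive patch. A short comment at the declaration, `/* of_node_put() on every return path via __free */`, would make the intent visible to readers unfamiliar with the cleanup helpers.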
diff --git a/queue-6.19/cache-starfive-fix-device-node-leak-in-starlink_cach.patch b/queue-6.19/cache-starfive-fix-device-node-leak-in-starlink_cach.patch
new file mode 100644 (file)
index 0000000..e98452b
--- /dev/null
@@ -0,0 +1,44 @@
+From da4bf827d1eea0cefe467fb749d3791570f592e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Jan 2026 01:13:45 +0800
+Subject: cache: starfive: fix device node leak in starlink_cache_init()
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit 3c85234b979af71cb9db5eb976ea08a468415767 ]
+
+of_find_matching_node() returns a device_node with refcount incremented.
+
+Use __free(device_node) attribute to automatically call of_node_put()
+when the variable goes out of scope, preventing the refcount leak.
+
+Fixes: cabff60ca77d ("cache: Add StarFive StarLink cache management")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cache/starfive_starlink_cache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cache/starfive_starlink_cache.c b/drivers/cache/starfive_starlink_cache.c
+index 24c7d078ca227..3a25d2d7c70ca 100644
+--- a/drivers/cache/starfive_starlink_cache.c
++++ b/drivers/cache/starfive_starlink_cache.c
+@@ -102,11 +102,11 @@ static const struct of_device_id starlink_cache_ids[] = {
+ static int __init starlink_cache_init(void)
+ {
+-      struct device_node *np;
+       u32 block_size;
+       int ret;
+-      np = of_find_matching_node(NULL, starlink_cache_ids);
++      struct device_node *np __free(device_node) =
++              of_find_matching_node(NULL, starlink_cache_ids);
+       if (!of_device_is_available(np))
+               return -ENODEV;
+-- 
+2.51.0
+
diff --git a/queue-6.19/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch b/queue-6.19/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch
new file mode 100644 (file)
index 0000000..b689bc4
--- /dev/null
@@ -0,0 +1,116 @@
+From 634fc35df2fd75d28a7328b5a1f6eec4147ad807 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 07:55:31 +0100
+Subject: clsact: Fix use-after-free in init/destroy rollback asymmetry
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit a0671125d4f55e1e98d9bde8a0b671941987e208 ]
+
+Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry.
+The latter is achieved by first fully initializing a clsact instance, and
+then in a second step having a replacement failure for the new clsact qdisc
+instance. clsact_init() initializes ingress first and then takes care of the
+egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon
+failure, the kernel will trigger the clsact_destroy() callback.
+
+Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the
+way how the transition is happening. If tcf_block_get_ext on the q->ingress_block
+ends up failing, we took the tcx_miniq_inc reference count on the ingress
+side, but not yet on the egress side. clsact_destroy() tests whether the
+{ingress,egress}_entry was non-NULL. However, even in midway failure on the
+replacement, both are in fact non-NULL with a valid egress_entry from the
+previous clsact instance.
+
+What we really need to test for is whether the qdisc instance-specific ingress
+or egress side previously got initialized. This adds a small helper for checking
+the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon
+clsact_destroy() in order to fix the use-after-free scenario. Convert the
+ingress_destroy() side as well so both are consistent to each other.
+
+Fixes: 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry")
+Reported-by: Keenan Dong <keenanat2000@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Martin KaFai Lau <martin.lau@kernel.org>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://patch.msgid.link/20260313065531.98639-1-daniel@iogearbox.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sch_generic.h |  5 +++++
+ net/sched/sch_ingress.c   | 14 ++++++++------
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index cafb266a0b80d..c3d657359a3d2 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -1457,6 +1457,11 @@ void mini_qdisc_pair_init(struct mini_Qdisc_pair *miniqp, struct Qdisc *qdisc,
+ void mini_qdisc_pair_block_init(struct mini_Qdisc_pair *miniqp,
+                               struct tcf_block *block);
++static inline bool mini_qdisc_pair_inited(struct mini_Qdisc_pair *miniqp)
++{
++      return !!miniqp->p_miniq;
++}
++
+ void mq_change_real_num_tx(struct Qdisc *sch, unsigned int new_real_tx);
+ int sch_frag_xmit_hook(struct sk_buff *skb, int (*xmit)(struct sk_buff *skb));
+diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c
+index cc6051d4f2ef8..c3e18bae8fbfc 100644
+--- a/net/sched/sch_ingress.c
++++ b/net/sched/sch_ingress.c
+@@ -113,14 +113,15 @@ static void ingress_destroy(struct Qdisc *sch)
+ {
+       struct ingress_sched_data *q = qdisc_priv(sch);
+       struct net_device *dev = qdisc_dev(sch);
+-      struct bpf_mprog_entry *entry = rtnl_dereference(dev->tcx_ingress);
++      struct bpf_mprog_entry *entry;
+       if (sch->parent != TC_H_INGRESS)
+               return;
+       tcf_block_put_ext(q->block, sch, &q->block_info);
+-      if (entry) {
++      if (mini_qdisc_pair_inited(&q->miniqp)) {
++              entry = rtnl_dereference(dev->tcx_ingress);
+               tcx_miniq_dec(entry);
+               if (!tcx_entry_is_active(entry)) {
+                       tcx_entry_update(dev, NULL, true);
+@@ -290,10 +291,9 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt,
+ static void clsact_destroy(struct Qdisc *sch)
+ {
++      struct bpf_mprog_entry *ingress_entry, *egress_entry;
+       struct clsact_sched_data *q = qdisc_priv(sch);
+       struct net_device *dev = qdisc_dev(sch);
+-      struct bpf_mprog_entry *ingress_entry = rtnl_dereference(dev->tcx_ingress);
+-      struct bpf_mprog_entry *egress_entry = rtnl_dereference(dev->tcx_egress);
+       if (sch->parent != TC_H_CLSACT)
+               return;
+@@ -301,7 +301,8 @@ static void clsact_destroy(struct Qdisc *sch)
+       tcf_block_put_ext(q->ingress_block, sch, &q->ingress_block_info);
+       tcf_block_put_ext(q->egress_block, sch, &q->egress_block_info);
+-      if (ingress_entry) {
++      if (mini_qdisc_pair_inited(&q->miniqp_ingress)) {
++              ingress_entry = rtnl_dereference(dev->tcx_ingress);
+               tcx_miniq_dec(ingress_entry);
+               if (!tcx_entry_is_active(ingress_entry)) {
+                       tcx_entry_update(dev, NULL, true);
+@@ -309,7 +310,8 @@ static void clsact_destroy(struct Qdisc *sch)
+               }
+       }
+-      if (egress_entry) {
++      if (mini_qdisc_pair_inited(&q->miniqp_egress)) {
++              egress_entry = rtnl_dereference(dev->tcx_egress);
+               tcx_miniq_dec(egress_entry);
+               if (!tcx_entry_is_active(egress_entry)) {
+                       tcx_entry_update(dev, NULL, false);
+-- 
+2.51.0
+
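Review bot: Replacing `if (entry)` with `mini_qdisc_pair_inited(&q->miniqp)` means `tcx_miniq_dec(entry)` now dereferences the result of `rtnl_dereference(dev->tcx_ingress)` with no NULL check, in ingress_destroy() and in both clsact_destroy() branches. That is only safe if `p_miniq` is set strictly after the tcx entry has been fetched and its miniq count incremented in the init paths, which are outside the hunk; the new helper should state that invariant, e.g. `/* True once mini_qdisc_pair_init() has run for this qdisc; callers rely on the matching tcx entry existing from then on. */`. The helper does not write through its argument, so `const struct mini_Qdisc_pair *miniqp` would also be the more accurate signature.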
diff --git a/queue-6.19/crypto-ccp-fix-leaking-the-same-page-twice.patch b/queue-6.19/crypto-ccp-fix-leaking-the-same-page-twice.patch
new file mode 100644 (file)
index 0000000..8135bff
--- /dev/null
@@ -0,0 +1,56 @@
+From e71909831d17dcd9ba0a18ddc7b2b9a167de220f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 12:39:34 -0800
+Subject: crypto: ccp - Fix leaking the same page twice
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 5c52607c43c397b79a9852ce33fc61de58c3645c ]
+
+Commit 551120148b67 ("crypto: ccp - Fix a case where SNP_SHUTDOWN is
+missed") fixed a case where SNP is left in INIT state if page reclaim
+fails. It removes the transition to the INIT state for this command and
+adjusts the page state management.
+
+While doing this, it added a call to snp_leak_pages() after a call to
+snp_reclaim_pages() failed. Since snp_reclaim_pages() already calls
+snp_leak_pages() internally on the pages it fails to reclaim, calling
+it again leaks the exact same page twice.
+
+Fix by removing the extra call to snp_leak_pages().
+
+The problem was found by an experimental code review agent based on
+gemini-3.1-pro while reviewing backports into v6.18.y.
+
+Assisted-by: Gemini:gemini-3.1-pro
+Fixes: 551120148b67 ("crypto: ccp - Fix a case where SNP_SHUTDOWN is missed")
+Cc: Tycho Andersen (AMD) <tycho@kernel.org>
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Reviewed-by: Tycho Andersen (AMD) <tycho@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/sev-dev.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
+index 0d90b5f6a4548..a554fe3de3fd2 100644
+--- a/drivers/crypto/ccp/sev-dev.c
++++ b/drivers/crypto/ccp/sev-dev.c
+@@ -2408,10 +2408,8 @@ static int sev_ioctl_do_snp_platform_status(struct sev_issue_cmd *argp)
+                * in Firmware state on failure. Use snp_reclaim_pages() to
+                * transition either case back to Hypervisor-owned state.
+                */
+-              if (snp_reclaim_pages(__pa(data), 1, true)) {
+-                      snp_leak_pages(__page_to_pfn(status_page), 1);
++              if (snp_reclaim_pages(__pa(data), 1, true))
+                       return -EFAULT;
+-              }
+       }
+       if (ret)
+-- 
+2.51.0
+
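Review bot: The comment block above the surviving `if (snp_reclaim_pages(__pa(data), 1, true))` still ends at "transition either case back to Hypervisor-owned state" and says nothing about who owns the page when reclaim fails, which is exactly the gap that produced the double leak. Add a sentence there, e.g. `* snp_reclaim_pages() leaks any page it cannot reclaim itself, so do not call snp_leak_pages() here.`, so the call is not reintroduced. With the removed line gone, also confirm that `status_page` still has other uses in sev_ioctl_do_snp_platform_status() (outside the hunk); otherwise it becomes an unused variable.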
diff --git a/queue-6.19/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch b/queue-6.19/firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch
new file mode 100644 (file)
index 0000000..f5c23ef
--- /dev/null
@@ -0,0 +1,77 @@
+From 7ea0507d33b2d86877400fd28a5a8a5388805ae9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2026 12:09:53 +0000
+Subject: firmware: arm_ffa: Remove vm_id argument in ffa_rxtx_unmap()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yeoreum Yun <yeoreum.yun@arm.com>
+
+[ Upstream commit a4e8473b775160f3ce978f621cf8dea2c7250433 ]
+
+According to the FF-A specification (DEN0077, v1.1, Â§13.7), when
+FFA_RXTX_UNMAP is invoked from any instance other than non-secure
+physical, the w1 register must be zero (MBZ). If a non-zero value is
+supplied in this context, the SPMC must return FFA_INVALID_PARAMETER.
+
+The Arm FF-A driver operates exclusively as a guest or non-secure
+physical instance where the partition ID is always zero and is not
+invoked from a hypervisor context where w1 carries a VM ID. In this
+execution model, the partition ID observed by the driver is always zero,
+and passing a VM ID is unnecessary and potentially invalid.
+
+Remove the vm_id parameter from ffa_rxtx_unmap() and ensure that the
+SMC call is issued with w1 implicitly zeroed, as required by the
+specification. This prevents invalid parameter errors and aligns the
+implementation with the defined FF-A ABI behavior.
+
+Fixes: 3bbfe9871005 ("firmware: arm_ffa: Add initial Arm FFA driver support")
+Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
+Message-Id: <20260304120953.847671-1-yeoreum.yun@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_ffa/driver.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
+index 11a702e7f641c..f6ceae987acbc 100644
+--- a/drivers/firmware/arm_ffa/driver.c
++++ b/drivers/firmware/arm_ffa/driver.c
+@@ -205,12 +205,12 @@ static int ffa_rxtx_map(phys_addr_t tx_buf, phys_addr_t rx_buf, u32 pg_cnt)
+       return 0;
+ }
+-static int ffa_rxtx_unmap(u16 vm_id)
++static int ffa_rxtx_unmap(void)
+ {
+       ffa_value_t ret;
+       invoke_ffa_fn((ffa_value_t){
+-                    .a0 = FFA_RXTX_UNMAP, .a1 = PACK_TARGET_INFO(vm_id, 0),
++                    .a0 = FFA_RXTX_UNMAP,
+                     }, &ret);
+       if (ret.a0 == FFA_ERROR)
+@@ -2093,7 +2093,7 @@ static int __init ffa_init(void)
+       pr_err("failed to setup partitions\n");
+       ffa_notifications_cleanup();
+-      ffa_rxtx_unmap(drv_info->vm_id);
++      ffa_rxtx_unmap();
+ free_pages:
+       if (drv_info->tx_buffer)
+               free_pages_exact(drv_info->tx_buffer, rxtx_bufsz);
+@@ -2108,7 +2108,7 @@ static void __exit ffa_exit(void)
+ {
+       ffa_notifications_cleanup();
+       ffa_partitions_cleanup();
+-      ffa_rxtx_unmap(drv_info->vm_id);
++      ffa_rxtx_unmap();
+       free_pages_exact(drv_info->tx_buffer, drv_info->rxtx_bufsz);
+       free_pages_exact(drv_info->rx_buffer, drv_info->rxtx_bufsz);
+       kfree(drv_info);
+-- 
+2.51.0
+
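Review bot: After dropping `.a1 = PACK_TARGET_INFO(vm_id, 0)`, w1 is zero only by virtue of compound-literal zero-initialisation, and nothing at the call site says this is a specification requirement rather than an omission. Make it explicit: `.a0 = FFA_RXTX_UNMAP, .a1 = 0, /* MBZ except at the NS physical instance, DEN0077 v1.1 §13.7 */`. Both callers in ffa_init() and ffa_exit() continue to ignore the return value of ffa_rxtx_unmap(), as before this change.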
diff --git a/queue-6.19/firmware-arm_scmi-fix-null-dereference-on-notify-err.patch b/queue-6.19/firmware-arm_scmi-fix-null-dereference-on-notify-err.patch
new file mode 100644 (file)
index 0000000..499a784
--- /dev/null
@@ -0,0 +1,52 @@
+From 69675acc191070674fada7bc7c894ef1c624b922 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 13:10:11 +0000
+Subject: firmware: arm_scmi: Fix NULL dereference on notify error path
+
+From: Cristian Marussi <cristian.marussi@arm.com>
+
+[ Upstream commit 555317d6100164748f7d09f80142739bd29f0cda ]
+
+Since commit b5daf93b809d1 ("firmware: arm_scmi: Avoid notifier
+registration for unsupported events") the call chains leading to the helper
+__scmi_event_handler_get_ops expect an ERR_PTR to be returned on failure to
+get an handler for the requested event key, while the current helper can
+still return a NULL when no handler could be found or created.
+
+Fix by forcing an ERR_PTR return value when the handler reference is NULL.
+
+Fixes: b5daf93b809d1 ("firmware: arm_scmi: Avoid notifier registration for unsupported events")
+Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Message-Id: <20260305131011.541444-1-cristian.marussi@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scmi/notify.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/arm_scmi/notify.c b/drivers/firmware/arm_scmi/notify.c
+index dee9f238f6fdd..2047edbdc5f6b 100644
+--- a/drivers/firmware/arm_scmi/notify.c
++++ b/drivers/firmware/arm_scmi/notify.c
+@@ -1066,7 +1066,7 @@ static int scmi_register_event_handler(struct scmi_notify_instance *ni,
+  * since at creation time we usually want to have all setup and ready before
+  * events really start flowing.
+  *
+- * Return: A properly refcounted handler on Success, NULL on Failure
++ * Return: A properly refcounted handler on Success, ERR_PTR on Failure
+  */
+ static inline struct scmi_event_handler *
+ __scmi_event_handler_get_ops(struct scmi_notify_instance *ni,
+@@ -1113,7 +1113,7 @@ __scmi_event_handler_get_ops(struct scmi_notify_instance *ni,
+       }
+       mutex_unlock(&ni->pending_mtx);
+-      return hndl;
++      return hndl ?: ERR_PTR(-ENODEV);
+ }
+ static struct scmi_event_handler *
+-- 
+2.51.0
+
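Review bot: `return hndl ?: ERR_PTR(-ENODEV);` changes the failure contract of __scmi_event_handler_get_ops() from NULL to an error pointer, so any caller that still tests `if (!hndl)` will now accept the ERR_PTR as valid and dereference it. All callers are outside the hunk; the commit message says the chains after b5daf93b809d1 expect an ERR_PTR, but that is worth confirming on the backport target with a grep for remaining NULL checks. The kernel-doc update to `ERR_PTR on Failure` is correct; naming the code, `ERR_PTR(-ENODEV) on Failure`, would spare callers reading the body.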
diff --git a/queue-6.19/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch b/queue-6.19/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch
new file mode 100644 (file)
index 0000000..6465dfa
--- /dev/null
@@ -0,0 +1,58 @@
+From f977d83802cfd813ce06aaa5373fca3b16a1ad59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 21:08:19 +0800
+Subject: firmware: arm_scpi: Fix device_node reference leak in probe path
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit 879c001afbac3df94160334fe5117c0c83b2cf48 ]
+
+A device_node reference obtained from the device tree is not released
+on all error paths in the arm_scpi probe path. Specifically, a node
+returned by of_parse_phandle() could be leaked when the probe failed
+after the node was acquired. The probe function returns early and
+the shmem reference is not released.
+
+Use __free(device_node) scope-based cleanup to automatically release
+the reference when the variable goes out of scope.
+
+Fixes: ed7ecb883901 ("firmware: arm_scpi: Add compatibility checks for shmem node")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Message-Id: <20260121-arm_scpi_2-v2-1-702d7fa84acb@gmail.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scpi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c
+index 87c323de17b90..398642cc25d90 100644
+--- a/drivers/firmware/arm_scpi.c
++++ b/drivers/firmware/arm_scpi.c
+@@ -18,6 +18,7 @@
+ #include <linux/bitmap.h>
+ #include <linux/bitfield.h>
++#include <linux/cleanup.h>
+ #include <linux/device.h>
+ #include <linux/err.h>
+ #include <linux/export.h>
+@@ -940,13 +941,13 @@ static int scpi_probe(struct platform_device *pdev)
+               int idx = scpi_drvinfo->num_chans;
+               struct scpi_chan *pchan = scpi_drvinfo->channels + idx;
+               struct mbox_client *cl = &pchan->cl;
+-              struct device_node *shmem = of_parse_phandle(np, "shmem", idx);
++              struct device_node *shmem __free(device_node) =
++                      of_parse_phandle(np, "shmem", idx);
+               if (!of_match_node(shmem_of_match, shmem))
+                       return -ENXIO;
+               ret = of_address_to_resource(shmem, 0, &res);
+-              of_node_put(shmem);
+               if (ret) {
+                       dev_err(dev, "failed to get SCPI payload mem resource\n");
+                       return ret;
+-- 
+2.51.0
+
diff --git a/queue-6.19/iavf-fix-vlan-filter-lost-on-add-delete-race.patch b/queue-6.19/iavf-fix-vlan-filter-lost-on-add-delete-race.patch
new file mode 100644 (file)
index 0000000..3dae40d
--- /dev/null
@@ -0,0 +1,70 @@
+From a47a3a94bf5c2fa12bc9bca96bb2c94ba9257b59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 11:01:37 +0100
+Subject: iavf: fix VLAN filter lost on add/delete race
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit fc9c69be594756b81b54c6bc40803fa6052f35ae ]
+
+When iavf_add_vlan() finds an existing filter in IAVF_VLAN_REMOVE
+state, it transitions the filter to IAVF_VLAN_ACTIVE assuming the
+pending delete can simply be cancelled. However, there is no guarantee
+that iavf_del_vlans() has not already processed the delete AQ request
+and removed the filter from the PF. In that case the filter remains in
+the driver's list as IAVF_VLAN_ACTIVE but is no longer programmed on
+the NIC. Since iavf_add_vlans() only picks up filters in
+IAVF_VLAN_ADD state, the filter is never re-added, and spoof checking
+drops all traffic for that VLAN.
+
+  CPU0                       CPU1                     Workqueue
+  ----                       ----                     ---------
+  iavf_del_vlan(vlan 100)
+    f->state = REMOVE
+    schedule AQ_DEL_VLAN
+                             iavf_add_vlan(vlan 100)
+                               f->state = ACTIVE
+                                                      iavf_del_vlans()
+                                                        f is ACTIVE, skip
+                                                      iavf_add_vlans()
+                                                        f is ACTIVE, skip
+
+  Filter is ACTIVE in driver but absent from NIC.
+
+Transition to IAVF_VLAN_ADD instead and schedule
+IAVF_FLAG_AQ_ADD_VLAN_FILTER so iavf_add_vlans() re-programs the
+filter.  A duplicate add is idempotent on the PF.
+
+Fixes: 0c0da0e95105 ("iavf: refactor VLAN filter states")
+Signed-off-by: Petr Oros <poros@redhat.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 03ab2a4276bbf..0a72d419782e5 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -757,10 +757,13 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter,
+               adapter->num_vlan_filters++;
+               iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER);
+       } else if (f->state == IAVF_VLAN_REMOVE) {
+-              /* IAVF_VLAN_REMOVE means that VLAN wasn't yet removed.
+-               * We can safely only change the state here.
++              /* Re-add the filter since we cannot tell whether the
++               * pending delete has already been processed by the PF.
++               * A duplicate add is harmless.
+                */
+-              f->state = IAVF_VLAN_ACTIVE;
++              f->state = IAVF_VLAN_ADD;
++              iavf_schedule_aq_request(adapter,
++                                       IAVF_FLAG_AQ_ADD_VLAN_FILTER);
+       }
+ clearout:
+-- 
+2.51.0
+
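Review bot: The REMOVE→ADD branch does not touch `adapter->num_vlan_filters`, while the new-filter branch just above it (`adapter->num_vlan_filters++`) does. Whether that is right depends on where the counter is decremented: if iavf_del_vlan() decrements it when it marks the filter IAVF_VLAN_REMOVE (outside the hunk), this path needs a matching increment; if the decrement happens only when iavf_del_vlans() actually drops the filter, the count is already correct. Either way the new comment could say so, e.g. `* num_vlan_filters is unchanged: the filter never left the list.`. The rest of iavf_add_vlan() is outside the hunk.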
diff --git a/queue-6.19/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch b/queue-6.19/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
new file mode 100644 (file)
index 0000000..98e88fd
--- /dev/null
@@ -0,0 +1,68 @@
+From cff388b65b93af0550fa012b9a7ab310f9998cd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 21:06:01 +0800
+Subject: icmp: fix NULL pointer dereference in icmp_tag_validation()
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit 614aefe56af8e13331e50220c936fc0689cf5675 ]
+
+icmp_tag_validation() unconditionally dereferences the result of
+rcu_dereference(inet_protos[proto]) without checking for NULL.
+The inet_protos[] array is sparse -- only about 15 of 256 protocol
+numbers have registered handlers. When ip_no_pmtu_disc is set to 3
+(hardened PMTU mode) and the kernel receives an ICMP Fragmentation
+Needed error with a quoted inner IP header containing an unregistered
+protocol number, the NULL dereference causes a kernel panic in
+softirq context.
+
+ Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
+ KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+ RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
+ Call Trace:
+  <IRQ>
+  icmp_rcv (net/ipv4/icmp.c:1527)
+  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
+  ip_local_deliver_finish (net/ipv4/ip_input.c:242)
+  ip_local_deliver (net/ipv4/ip_input.c:262)
+  ip_rcv (net/ipv4/ip_input.c:573)
+  __netif_receive_skb_one_core (net/core/dev.c:6164)
+  process_backlog (net/core/dev.c:6628)
+  handle_softirqs (kernel/softirq.c:561)
+  </IRQ>
+
+Add a NULL check before accessing icmp_strict_tag_validation. If the
+protocol has no registered handler, return false since it cannot
+perform strict tag validation.
+
+Fixes: 8ed1dc44d3e9 ("ipv4: introduce hardened ip_no_pmtu_disc mode")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Link: https://patch.msgid.link/20260318130558.1050247-4-bestswngs@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 471dd862f6639..e619b73f5063e 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -1067,10 +1067,12 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info)
+ static bool icmp_tag_validation(int proto)
+ {
++      const struct net_protocol *ipprot;
+       bool ok;
+       rcu_read_lock();
+-      ok = rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation;
++      ipprot = rcu_dereference(inet_protos[proto]);
++      ok = ipprot ? ipprot->icmp_strict_tag_validation : false;
+       rcu_read_unlock();
+       return ok;
+ }
+-- 
+2.51.0
+
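Review bot: The NULL check on `ipprot` closes the reported crash, but `inet_protos[proto]` is still indexed with an `int` whose range is not checked here; it is safe only if every caller passes a protocol byte (0..255), and the callers are outside the hunk. A short comment documenting that precondition, e.g. `/* @proto is the 8-bit protocol from the quoted inner header; inet_protos[] is sparse, so ipprot may be NULL. */`, would keep the remaining assumption visible. `ok` could also be initialised to `false` at declaration so the RCU section holds a single assignment.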
diff --git a/queue-6.19/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch b/queue-6.19/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch
new file mode 100644 (file)
index 0000000..208dd80
--- /dev/null
@@ -0,0 +1,45 @@
+From f7221e8072cab9f48fe1588a53aa6d3cb7da5e37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Feb 2026 19:46:32 +0000
+Subject: igc: fix missing update of skb->tail in igc_xmit_frame()
+
+From: Kohei Enju <kohei@enjuk.jp>
+
+[ Upstream commit 0ffba246652faf4a36aedc66059c2f94e4c83ea5 ]
+
+igc_xmit_frame() misses updating skb->tail when the packet size is
+shorter than the minimum one.
+Use skb_put_padto() in alignment with other Intel Ethernet drivers.
+
+Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers")
+Signed-off-by: Kohei Enju <kohei@enjuk.jp>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 4439eeb378c1f..6a174d46929e2 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -1730,11 +1730,8 @@ static netdev_tx_t igc_xmit_frame(struct sk_buff *skb,
+       /* The minimum packet size with TCTL.PSP set is 17 so pad the skb
+        * in order to meet this minimum size requirement.
+        */
+-      if (skb->len < 17) {
+-              if (skb_padto(skb, 17))
+-                      return NETDEV_TX_OK;
+-              skb->len = 17;
+-      }
++      if (skb_put_padto(skb, 17))
++              return NETDEV_TX_OK;
+       return igc_xmit_frame_ring(skb, igc_tx_queue_mapping(adapter, skb));
+ }
+-- 
+2.51.0
+
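Review bot: `skb_put_padto()` frees the skb on failure, so returning NETDEV_TX_OK without releasing anything is correct, but that ownership transfer is invisible at the call site and the old code relied on the same property of skb_padto() silently. A one-line comment, `/* skb_put_padto() frees the skb on failure, so TX_OK is the right return */`, would spare the next reader a lookup. The literal 17 stays a magic number; the comment above explains it, so leave it unless igc.h already has a named constant for the minimum frame size.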
diff --git a/queue-6.19/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch b/queue-6.19/igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch
new file mode 100644 (file)
index 0000000..5f4f6e5
--- /dev/null
@@ -0,0 +1,118 @@
+From fab85634b691cdb6dc0be87f783d65081c38f270 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 10:58:29 +0100
+Subject: igc: fix page fault in XDP TX timestamps handling
+
+From: Zdenek Bouska <zdenek.bouska@siemens.com>
+
+[ Upstream commit 45b33e805bd39f615d9353a7194b2da5281332df ]
+
+If an XDP application that requested TX timestamping is shutting down
+while the link of the interface in use is still up the following kernel
+splat is reported:
+
+[  883.803618] [   T1554] BUG: unable to handle page fault for address: ffffcfb6200fd008
+...
+[  883.803650] [   T1554] Call Trace:
+[  883.803652] [   T1554]  <TASK>
+[  883.803654] [   T1554]  igc_ptp_tx_tstamp_event+0xdf/0x160 [igc]
+[  883.803660] [   T1554]  igc_tsync_interrupt+0x2d5/0x300 [igc]
+...
+
+During shutdown of the TX ring the xsk_meta pointers are left behind, so
+that the IRQ handler is trying to touch them.
+
+This issue is now being fixed by cleaning up the stale xsk meta data on
+TX shutdown. TX timestamps on other queues remain unaffected.
+
+Fixes: 15fd021bc427 ("igc: Add Tx hardware timestamp request for AF_XDP zero-copy packet")
+Signed-off-by: Zdenek Bouska <zdenek.bouska@siemens.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Florian Bezdeka <florian.bezdeka@siemens.com>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc.h      |  2 ++
+ drivers/net/ethernet/intel/igc/igc_main.c |  7 +++++
+ drivers/net/ethernet/intel/igc/igc_ptp.c  | 33 +++++++++++++++++++++++
+ 3 files changed, 42 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h
+index a427f05814c1a..17236813965d3 100644
+--- a/drivers/net/ethernet/intel/igc/igc.h
++++ b/drivers/net/ethernet/intel/igc/igc.h
+@@ -781,6 +781,8 @@ int igc_ptp_hwtstamp_set(struct net_device *netdev,
+                        struct kernel_hwtstamp_config *config,
+                        struct netlink_ext_ack *extack);
+ void igc_ptp_tx_hang(struct igc_adapter *adapter);
++void igc_ptp_clear_xsk_tx_tstamp_queue(struct igc_adapter *adapter,
++                                     u16 queue_id);
+ void igc_ptp_read(struct igc_adapter *adapter, struct timespec64 *ts);
+ void igc_ptp_tx_tstamp_event(struct igc_adapter *adapter);
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 6a174d46929e2..b1ca2079e5cf3 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -264,6 +264,13 @@ static void igc_clean_tx_ring(struct igc_ring *tx_ring)
+       /* reset next_to_use and next_to_clean */
+       tx_ring->next_to_use = 0;
+       tx_ring->next_to_clean = 0;
++
++      /* Clear any lingering XSK TX timestamp requests */
++      if (test_bit(IGC_RING_FLAG_TX_HWTSTAMP, &tx_ring->flags)) {
++              struct igc_adapter *adapter = netdev_priv(tx_ring->netdev);
++
++              igc_ptp_clear_xsk_tx_tstamp_queue(adapter, tx_ring->queue_index);
++      }
+ }
+ /**
+diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
+index 44ee193867661..3d6b2264164af 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
+@@ -577,6 +577,39 @@ static void igc_ptp_clear_tx_tstamp(struct igc_adapter *adapter)
+       spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags);
+ }
++/**
++ * igc_ptp_clear_xsk_tx_tstamp_queue - Clear pending XSK TX timestamps for a queue
++ * @adapter: Board private structure
++ * @queue_id: TX queue index to clear timestamps for
++ *
++ * Iterates over all TX timestamp registers and releases any pending
++ * timestamp requests associated with the given TX queue. This is
++ * called when an XDP pool is being disabled to ensure no stale
++ * timestamp references remain.
++ */
++void igc_ptp_clear_xsk_tx_tstamp_queue(struct igc_adapter *adapter, u16 queue_id)
++{
++      unsigned long flags;
++      int i;
++
++      spin_lock_irqsave(&adapter->ptp_tx_lock, flags);
++
++      for (i = 0; i < IGC_MAX_TX_TSTAMP_REGS; i++) {
++              struct igc_tx_timestamp_request *tstamp = &adapter->tx_tstamp[i];
++
++              if (tstamp->buffer_type != IGC_TX_BUFFER_TYPE_XSK)
++                      continue;
++              if (tstamp->xsk_queue_index != queue_id)
++                      continue;
++              if (!tstamp->xsk_tx_buffer)
++                      continue;
++
++              igc_ptp_free_tx_buffer(adapter, tstamp);
++      }
++
++      spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags);
++}
++
+ static void igc_ptp_disable_tx_timestamp(struct igc_adapter *adapter)
+ {
+       struct igc_hw *hw = &adapter->hw;
+-- 
+2.51.0
+
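Review bot: The kernel-doc on igc_ptp_clear_xsk_tx_tstamp_queue() says it is `called when an XDP pool is being disabled`, but the only call site added here is in igc_clean_tx_ring(), gated on IGC_RING_FLAG_TX_HWTSTAMP rather than on an XSK pool, so it runs on every TX ring teardown with timestamping enabled. Reword to `* Called on TX ring cleanup (which includes XDP pool disable) so that no stale xsk_tx_buffer references remain for the IRQ handler to follow.`. The loop already filters on `buffer_type == IGC_TX_BUFFER_TYPE_XSK`, so the wider call site is harmless for non-XSK rings. Whether igc_ptp_free_tx_buffer() also clears `xsk_tx_buffer` and `buffer_type` so the slot cannot be freed twice on the next cleanup is not visible in this hunk and is worth confirming.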
diff --git a/queue-6.19/ip_tunnel-adapt-iptunnel_xmit_stats-to-netdev_pcpu_s.patch b/queue-6.19/ip_tunnel-adapt-iptunnel_xmit_stats-to-netdev_pcpu_s.patch
new file mode 100644 (file)
index 0000000..cb40c51
--- /dev/null
@@ -0,0 +1,100 @@
+From 4721b78418df52583a27d10456b3596824f60a0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 12:31:10 +0000
+Subject: ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8431c602f551549f082bbfa67f3003f2d8e3e132 ]
+
+Blamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which
+call iptunnel_xmit_stats().
+
+iptunnel_xmit_stats() was assuming tunnels were only using
+NETDEV_PCPU_STAT_TSTATS.
+
+@syncp offset in pcpu_sw_netstats and pcpu_dstats is different.
+
+32bit kernels would either have corruptions or freezes if the syncp
+sequence was overwritten.
+
+This patch also moves pcpu_stat_type closer to dev->{t,d}stats to avoid
+a potential cache line miss since iptunnel_xmit_stats() needs to read it.
+
+Fixes: 6fa6de302246 ("geneve: Handle stats using NETDEV_PCPU_STAT_DSTATS.")
+Fixes: be226352e8dc ("vxlan: Handle stats using NETDEV_PCPU_STAT_DSTATS.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Link: https://patch.msgid.link/20260311123110.1471930-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netdevice.h |  3 +--
+ include/net/ip_tunnels.h  | 30 +++++++++++++++++++++++-------
+ 2 files changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 65d85dc9c8f05..444e52eb8ed99 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -2153,6 +2153,7 @@ struct net_device {
+       unsigned long           state;
+       unsigned int            flags;
+       unsigned short          hard_header_len;
++      enum netdev_stat_type   pcpu_stat_type:8;
+       netdev_features_t       features;
+       struct inet6_dev __rcu  *ip6_ptr;
+       __cacheline_group_end(net_device_read_txrx);
+@@ -2401,8 +2402,6 @@ struct net_device {
+       void                            *ml_priv;
+       enum netdev_ml_priv_type        ml_priv_type;
+-      enum netdev_stat_type           pcpu_stat_type:8;
+-
+ #if IS_ENABLED(CONFIG_GARP)
+       struct garp_port __rcu  *garp_port;
+ #endif
+diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
+index 80662f8120803..1f577a4f8ce9b 100644
+--- a/include/net/ip_tunnels.h
++++ b/include/net/ip_tunnels.h
+@@ -665,13 +665,29 @@ static inline int iptunnel_pull_offloads(struct sk_buff *skb)
+ static inline void iptunnel_xmit_stats(struct net_device *dev, int pkt_len)
+ {
+       if (pkt_len > 0) {
+-              struct pcpu_sw_netstats *tstats = get_cpu_ptr(dev->tstats);
+-
+-              u64_stats_update_begin(&tstats->syncp);
+-              u64_stats_add(&tstats->tx_bytes, pkt_len);
+-              u64_stats_inc(&tstats->tx_packets);
+-              u64_stats_update_end(&tstats->syncp);
+-              put_cpu_ptr(tstats);
++              if (dev->pcpu_stat_type == NETDEV_PCPU_STAT_DSTATS) {
++                      struct pcpu_dstats *dstats = get_cpu_ptr(dev->dstats);
++
++                      u64_stats_update_begin(&dstats->syncp);
++                      u64_stats_add(&dstats->tx_bytes, pkt_len);
++                      u64_stats_inc(&dstats->tx_packets);
++                      u64_stats_update_end(&dstats->syncp);
++                      put_cpu_ptr(dstats);
++                      return;
++              }
++              if (dev->pcpu_stat_type == NETDEV_PCPU_STAT_TSTATS) {
++                      struct pcpu_sw_netstats *tstats = get_cpu_ptr(dev->tstats);
++
++                      u64_stats_update_begin(&tstats->syncp);
++                      u64_stats_add(&tstats->tx_bytes, pkt_len);
++                      u64_stats_inc(&tstats->tx_packets);
++                      u64_stats_update_end(&tstats->syncp);
++                      put_cpu_ptr(tstats);
++                      return;
++              }
++              pr_err_once("iptunnel_xmit_stats pcpu_stat_type=%d\n",
++                          dev->pcpu_stat_type);
++              WARN_ON_ONCE(1);
+               return;
+       }
+-- 
+2.51.0
+
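Review bot: The fallback at the end of the new `pkt_len > 0` branch prints with `pr_err_once()` and then fires `WARN_ON_ONCE(1)` separately, giving two once-latches and a stack dump that does not carry the offending value; `WARN_ONCE(1, "iptunnel_xmit_stats pcpu_stat_type=%d\n", dev->pcpu_stat_type);` does both in one statement. Placing `pcpu_stat_type:8` directly after `hard_header_len` in netdevice.h appears to land in the alignment padding before `features`, so the net_device_read_txrx group size should be unchanged; the CACHELINE_ASSERT_GROUP_SIZE check in net/core/dev.c, if present on this tree, is not in the diffstat, so a build of the backport is what confirms it. The `pkt_len <= 0` path is outside the hunk and unaffected.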
diff --git a/queue-6.19/ipv6-add-null-checks-for-idev-in-srv6-paths.patch b/queue-6.19/ipv6-add-null-checks-for-idev-in-srv6-paths.patch
new file mode 100644 (file)
index 0000000..1e4d89e
--- /dev/null
@@ -0,0 +1,59 @@
+From 18de305c1203751972d54c879b1360501332e90d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 15:33:01 +0800
+Subject: ipv6: add NULL checks for idev in SRv6 paths
+
+From: Minhong He <heminhong@kylinos.cn>
+
+[ Upstream commit 06413793526251870e20402c39930804f14d59c0 ]
+
+__in6_dev_get() can return NULL when the device has no IPv6 configuration
+(e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER).
+
+Add NULL checks for idev returned by __in6_dev_get() in both
+seg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL
+pointer dereferences.
+
+Fixes: 1ababeba4a21 ("ipv6: implement dataplane support for rthdr type 4 (Segment Routing Header)")
+Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support")
+Signed-off-by: Minhong He <heminhong@kylinos.cn>
+Reviewed-by: Andrea Mayer <andrea.mayer@uniroma2.it>
+Link: https://patch.msgid.link/20260316073301.106643-1-heminhong@kylinos.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/exthdrs.c   | 4 ++++
+ net/ipv6/seg6_hmac.c | 2 ++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
+index 310836a0cf17b..1d509b6d16bbd 100644
+--- a/net/ipv6/exthdrs.c
++++ b/net/ipv6/exthdrs.c
+@@ -379,6 +379,10 @@ static int ipv6_srh_rcv(struct sk_buff *skb)
+       hdr = (struct ipv6_sr_hdr *)skb_transport_header(skb);
+       idev = __in6_dev_get(skb->dev);
++      if (!idev) {
++              kfree_skb(skb);
++              return -1;
++      }
+       accept_seg6 = min(READ_ONCE(net->ipv6.devconf_all->seg6_enabled),
+                         READ_ONCE(idev->cnf.seg6_enabled));
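Review bot: The new early exit drops the packet without saying why idev can be NULL, so the next reader has to find the commit message to learn that the check is not defensive noise; a comment such as `/* no IPv6 state on this dev (see __in6_dev_get()); drop rather than deref idev->cnf below */` above `if (!idev)` would carry that into the code. The `kfree_skb(skb); return -1;` pair matches the existing failure paths of ipv6_srh_rcv as far as visible. The rest of the function is outside the hunk.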
+diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c
+index ee6bac0160ace..e6964c6b0d381 100644
+--- a/net/ipv6/seg6_hmac.c
++++ b/net/ipv6/seg6_hmac.c
+@@ -184,6 +184,8 @@ bool seg6_hmac_validate_skb(struct sk_buff *skb)
+       int require_hmac;
+       idev = __in6_dev_get(skb->dev);
++      if (!idev)
++              return false;
+       srh = (struct ipv6_sr_hdr *)skb_transport_header(skb);
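Review bot: Returning false here is fail-closed, a packet on a device with no IPv6 state counts as failing HMAC validation rather than as exempt from it, which is the right default but nothing marks it as deliberate. A comment such as `/* no idev: treat as HMAC failure (fail closed), never as "no HMAC required" */` above the check would stop a later cleanup from turning it into `return true`. How require_hmac is derived from idev further down is outside the hunk.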
+-- 
+2.51.0
+
diff --git a/queue-6.19/libie-prevent-memleak-in-fwlog-code.patch b/queue-6.19/libie-prevent-memleak-in-fwlog-code.patch
new file mode 100644 (file)
index 0000000..a11099e
--- /dev/null
@@ -0,0 +1,152 @@
+From d1ea593cd42518208dcdeb375ab188f0380f845b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Feb 2026 10:10:08 +0100
+Subject: libie: prevent memleak in fwlog code
+
+From: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+
+[ Upstream commit 6850deb61118345996f03b87817b4ae0f2f25c38 ]
+
+All cmd_buf buffers are allocated and need to be freed after usage.
+Add an error unwinding path that properly frees these buffers.
+
+The memory leak happens whenever fwlog configuration is changed. For
+example:
+
+$echo 256K > /sys/kernel/debug/ixgbe/0000\:32\:00.0/fwlog/log_size
+
+Fixes: 96a9a9341cda ("ice: configure FW logging")
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/libie/fwlog.c | 49 +++++++++++++++++-------
+ 1 file changed, 36 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/libie/fwlog.c b/drivers/net/ethernet/intel/libie/fwlog.c
+index 5d890d9d3c4d5..3b32986c2978a 100644
+--- a/drivers/net/ethernet/intel/libie/fwlog.c
++++ b/drivers/net/ethernet/intel/libie/fwlog.c
+@@ -433,17 +433,21 @@ libie_debugfs_module_write(struct file *filp, const char __user *buf,
+       module = libie_find_module_by_dentry(fwlog->debugfs_modules, dentry);
+       if (module < 0) {
+               dev_info(dev, "unknown module\n");
+-              return -EINVAL;
++              count = -EINVAL;
++              goto free_cmd_buf;
+       }
+       cnt = sscanf(cmd_buf, "%s", user_val);
+-      if (cnt != 1)
+-              return -EINVAL;
++      if (cnt != 1) {
++              count = -EINVAL;
++              goto free_cmd_buf;
++      }
+       log_level = sysfs_match_string(libie_fwlog_level_string, user_val);
+       if (log_level < 0) {
+               dev_info(dev, "unknown log level '%s'\n", user_val);
+-              return -EINVAL;
++              count = -EINVAL;
++              goto free_cmd_buf;
+       }
+       if (module != LIBIE_AQC_FW_LOG_ID_MAX) {
+@@ -458,6 +462,9 @@ libie_debugfs_module_write(struct file *filp, const char __user *buf,
+                       fwlog->cfg.module_entries[i].log_level = log_level;
+       }
++free_cmd_buf:
++      kfree(cmd_buf);
++
+       return count;
+ }
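Review bot: `sscanf(cmd_buf, "%s", user_val)` at L25440 has no field width, so the copy into `user_val` is bounded only by whatever limit on `count` precedes memdup_user_nul() outside this hunk; the leak fix leaves that as is, but a width matching the array (e.g. `"%15s"` for a 16-byte user_val) would make the bound local and survive a later change to the count check. Separately, storing `-EINVAL` into the unsigned `size_t count` parameter and returning it through `ssize_t` relies on the integer round trip; a dedicated `ssize_t ret` assigned `count` on success would make the error path visible. The declaration of user_val and the count check are outside the hunk.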
+@@ -515,23 +522,31 @@ libie_debugfs_nr_messages_write(struct file *filp, const char __user *buf,
+               return PTR_ERR(cmd_buf);
+       ret = sscanf(cmd_buf, "%s", user_val);
+-      if (ret != 1)
+-              return -EINVAL;
++      if (ret != 1) {
++              count = -EINVAL;
++              goto free_cmd_buf;
++      }
+       ret = kstrtos16(user_val, 0, &nr_messages);
+-      if (ret)
+-              return ret;
++      if (ret) {
++              count = ret;
++              goto free_cmd_buf;
++      }
+       if (nr_messages < LIBIE_AQC_FW_LOG_MIN_RESOLUTION ||
+           nr_messages > LIBIE_AQC_FW_LOG_MAX_RESOLUTION) {
+               dev_err(dev, "Invalid FW log number of messages %d, value must be between %d - %d\n",
+                       nr_messages, LIBIE_AQC_FW_LOG_MIN_RESOLUTION,
+                       LIBIE_AQC_FW_LOG_MAX_RESOLUTION);
+-              return -EINVAL;
++              count = -EINVAL;
++              goto free_cmd_buf;
+       }
+       fwlog->cfg.log_resolution = nr_messages;
++free_cmd_buf:
++      kfree(cmd_buf);
++
+       return count;
+ }
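Review bot: `count = ret;` at L25476 stores a negative int into the unsigned `size_t count` parameter and then returns it as `ssize_t`; it works because the conversion round-trips, but it hides the error path inside the success variable. The function already has an int `ret`, so widening it to `ssize_t`, setting `ret = count;` before the label and returning `ret` after it would keep the errno visible and match the `ret`-based unwinding used by libie_debugfs_enable_write below. The declaration of `ret` is outside the hunk.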
+@@ -588,8 +603,10 @@ libie_debugfs_enable_write(struct file *filp, const char __user *buf,
+               return PTR_ERR(cmd_buf);
+       ret = sscanf(cmd_buf, "%s", user_val);
+-      if (ret != 1)
+-              return -EINVAL;
++      if (ret != 1) {
++              ret = -EINVAL;
++              goto free_cmd_buf;
++      }
+       ret = kstrtobool(user_val, &enable);
+       if (ret)
+@@ -624,6 +641,8 @@ libie_debugfs_enable_write(struct file *filp, const char __user *buf,
+        */
+       if (WARN_ON(ret != (ssize_t)count && ret >= 0))
+               ret = -EIO;
++free_cmd_buf:
++      kfree(cmd_buf);
+       return ret;
+ }
+@@ -682,8 +701,10 @@ libie_debugfs_log_size_write(struct file *filp, const char __user *buf,
+               return PTR_ERR(cmd_buf);
+       ret = sscanf(cmd_buf, "%s", user_val);
+-      if (ret != 1)
+-              return -EINVAL;
++      if (ret != 1) {
++              ret = -EINVAL;
++              goto free_cmd_buf;
++      }
+       index = sysfs_match_string(libie_fwlog_log_size, user_val);
+       if (index < 0) {
+@@ -712,6 +733,8 @@ libie_debugfs_log_size_write(struct file *filp, const char __user *buf,
+        */
+       if (WARN_ON(ret != (ssize_t)count && ret >= 0))
+               ret = -EIO;
++free_cmd_buf:
++      kfree(cmd_buf);
+       return ret;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.19/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch b/queue-6.19/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch
new file mode 100644 (file)
index 0000000..38b3740
--- /dev/null
@@ -0,0 +1,37 @@
+From a0035e2d5323dfc87bd46daf1a55b0bfabaeb6dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 23:35:09 +0100
+Subject: mpls: add missing unregister_netdevice_notifier to mpls_init
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 99600f79b28c83c68bae199a3d8e95049a758308 ]
+
+If mpls_init() fails after registering mpls_dev_notifier, it never
+gets removed. Add the missing unregister_netdevice_notifier() call to
+the error handling path.
+
+Fixes: 5be2062e3080 ("mpls: Handle error of rtnl_register_module().")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://patch.msgid.link/7c55363c4f743d19e2306204a134407c90a69bbb.1773228081.git.sd@queasysnail.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mpls/af_mpls.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
+index 580aac112dd21..c57f10e2ef269 100644
+--- a/net/mpls/af_mpls.c
++++ b/net/mpls/af_mpls.c
+@@ -2854,6 +2854,7 @@ static int __init mpls_init(void)
+       rtnl_af_unregister(&mpls_af_ops);
+ out_unregister_dev_type:
+       dev_remove_pack(&mpls_packet_type);
++      unregister_netdevice_notifier(&mpls_dev_notifier);
+ out_unregister_pernet:
+       unregister_pernet_subsys(&mpls_net_ops);
+       goto out;
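Review bot: The added `unregister_netdevice_notifier()` shares the `out_unregister_dev_type:` label, so the unwind no longer mirrors registration one step per label; that is only correct because dev_add_pack() cannot fail, which nothing states. Either a one-line comment, `/* dev_add_pack() cannot fail, so the notifier unwinds under this label too */`, or a dedicated `out_unregister_notifier:` label between the dev_type and pernet steps would make the pairing explicit. The registration sequence at the top of mpls_init is outside the hunk, so its order is inferred from the labels.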
+-- 
+2.51.0
+
diff --git a/queue-6.19/mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch b/queue-6.19/mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch
new file mode 100644 (file)
index 0000000..6686baa
--- /dev/null
@@ -0,0 +1,39 @@
+From 5f56655a909d66207f84d95fc514e4bafe620e76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 19:21:59 +0800
+Subject: MPTCP: fix lock class name family in pm_nl_create_listen_socket
+
+From: Li Xiasong <lixiasong1@huawei.com>
+
+[ Upstream commit 7ab4a7c5d969642782b8a5b608da0dd02aa9f229 ]
+
+In mptcp_pm_nl_create_listen_socket(), use entry->addr.family
+instead of sk->sk_family for lock class setup. The 'sk' parameter
+is a netlink socket, not the MPTCP subflow socket being created.
+
+Fixes: cee4034a3db1 ("mptcp: fix lockdep false positive in mptcp_pm_nl_create_listen_socket()")
+Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260319112159.3118874-1-lixiasong1@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/pm_kernel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mptcp/pm_kernel.c b/net/mptcp/pm_kernel.c
+index 0ef43993e15ad..17eb50276e778 100644
+--- a/net/mptcp/pm_kernel.c
++++ b/net/mptcp/pm_kernel.c
+@@ -838,7 +838,7 @@ static struct lock_class_key mptcp_keys[2];
+ static int mptcp_pm_nl_create_listen_socket(struct sock *sk,
+                                           struct mptcp_pm_addr_entry *entry)
+ {
+-      bool is_ipv6 = sk->sk_family == AF_INET6;
++      bool is_ipv6 = entry->addr.family == AF_INET6;
+       int addrlen = sizeof(struct sockaddr_in);
+       struct sockaddr_storage addr;
+       struct sock *newsk, *ssk;
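Review bot: Nothing in the code now explains why `sk` must not be consulted for the family, so the original mistake is easy to reintroduce; a comment on the `is_ipv6` line, `/* sk is the netlink request socket, not the listener being created: key the lockdep class on the entry's family */`, would record the reason the commit message gives. Whether `addrlen` is later switched to sockaddr_in6 for the IPv6 case is outside the hunk.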
+-- 
+2.51.0
+
diff --git a/queue-6.19/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch b/queue-6.19/net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch
new file mode 100644 (file)
index 0000000..2973e7a
--- /dev/null
@@ -0,0 +1,40 @@
+From ece3d421a4e2c8e5199b7ad3772b715489adc4f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 12:27:00 +0100
+Subject: net: airoha: Remove airoha_dev_stop() in airoha_remove()
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit d4a533ad249e9fbdc2d0633f2ddd60a5b3a9a4ca ]
+
+Do not run airoha_dev_stop routine explicitly in airoha_remove()
+since ndo_stop() callback is already executed by unregister_netdev() in
+__dev_close_many routine if necessary and, doing so, we will end up causing
+an underflow in the qdma users atomic counters. Rely on networking subsystem
+to stop the device removing the airoha_eth module.
+
+Fixes: 23020f0493270 ("net: airoha: Introduce ethernet support for EN7581 SoC")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260313-airoha-remove-ndo_stop-remove-net-v2-1-67542c3ceeca@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/airoha/airoha_eth.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
+index 315d97036ac1d..c37a1b86180f3 100644
+--- a/drivers/net/ethernet/airoha/airoha_eth.c
++++ b/drivers/net/ethernet/airoha/airoha_eth.c
+@@ -3080,7 +3080,6 @@ static void airoha_remove(struct platform_device *pdev)
+               if (!port)
+                       continue;
+-              airoha_dev_stop(port->dev);
+               unregister_netdev(port->dev);
+               airoha_metadata_dst_free(port);
+       }
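Review bot: The removal leaves airoha_remove() depending on unregister_netdev() to close a running port through ndo_stop, and that dependency is now invisible at the call site; a comment before the call, `/* unregister_netdev() runs ndo_stop() if the port is still up; do not stop it here */`, would keep someone from re-adding the explicit stop and the counter underflow with it. The qdma user counter the commit describes is outside the hunk.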
+-- 
+2.51.0
+
diff --git a/queue-6.19/net-bcmgenet-increase-wol-poll-timeout.patch b/queue-6.19/net-bcmgenet-increase-wol-poll-timeout.patch
new file mode 100644 (file)
index 0000000..6f01392
--- /dev/null
@@ -0,0 +1,38 @@
+From 8d1436df1b5f0871acac498f83e1c2ff765a2e68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 12:18:52 -0700
+Subject: net: bcmgenet: increase WoL poll timeout
+
+From: Justin Chen <justin.chen@broadcom.com>
+
+[ Upstream commit 6cfc3bc02b977f2fba5f7268e6504d1931a774f7 ]
+
+Some systems require more than 5ms to get into WoL mode. Increase the
+timeout value to 50ms.
+
+Fixes: c51de7f3976b ("net: bcmgenet: add Wake-on-LAN support code")
+Signed-off-by: Justin Chen <justin.chen@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20260312191852.3904571-1-justin.chen@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+index 8fb5512882980..96d5d4f7f51fe 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+@@ -123,7 +123,7 @@ static int bcmgenet_poll_wol_status(struct bcmgenet_priv *priv)
+       while (!(bcmgenet_rbuf_readl(priv, RBUF_STATUS)
+               & RBUF_STATUS_WOL)) {
+               retries++;
+-              if (retries > 5) {
++              if (retries > 50) {
+                       netdev_crit(dev, "polling wol mode timeout\n");
+                       return -ETIMEDOUT;
+               }
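Review bot: `retries > 50` replaces one magic number with another; the commit says 50 ms, which holds only if each iteration sleeps 1 ms, and the delay call is outside the hunk. A named constant next to that delay, e.g. `#define BCMGENET_WOL_POLL_RETRIES 50 /* x 1 ms */`, would keep the timeout readable and make the two numbers move together.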
+-- 
+2.51.0
+
diff --git a/queue-6.19/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch b/queue-6.19/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
new file mode 100644 (file)
index 0000000..d3d4e28
--- /dev/null
@@ -0,0 +1,87 @@
+From 7d9d509736cf5c3d8141c8fde88a595309789472 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 17:50:34 -0700
+Subject: net: bonding: fix NULL deref in bond_debug_rlb_hash_show
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit 605b52497bf89b3b154674deb135da98f916e390 ]
+
+rlb_clear_slave intentionally keeps RLB hash-table entries on
+the rx_hashtbl_used_head list with slave set to NULL when no
+replacement slave is available. However, bond_debug_rlb_hash_show visits client_info->slave without checking whether it is NULL.
+visites client_info->slave without checking if it's NULL.
+
+Other used-list iterators in bond_alb.c already handle this NULL-slave
+state safely:
+
+- rlb_update_client returns early on !client_info->slave
+- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance
+compare slave values before visiting
+- lb_req_update_subnet_clients continues if slave is NULL
+
+The following NULL deref crash can be trigger in
+bond_debug_rlb_hash_show:
+
+[    1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[    1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)
+[    1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286
+[    1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204
+[    1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078
+[    1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000
+[    1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0
+[    1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8
+[    1.294864] FS:  0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000
+[    1.295239] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[    1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0
+[    1.295897] Call Trace:
+[    1.296134]  seq_read_iter (fs/seq_file.c:231)
+[    1.296341]  seq_read (fs/seq_file.c:164)
+[    1.296493]  full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))
+[    1.296658]  vfs_read (fs/read_write.c:572)
+[    1.296981]  ksys_read (fs/read_write.c:717)
+[    1.297132]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+[    1.297325]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+Add a NULL check and print "(none)" for entries with no assigned slave.
+
+Fixes: caafa84251b88 ("bonding: add the debugfs interface to see RLB hash table")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260317005034.1888794-1-xmei5@asu.edu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_debugfs.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_debugfs.c b/drivers/net/bonding/bond_debugfs.c
+index 8adbec7c5084a..8967b65f6d840 100644
+--- a/drivers/net/bonding/bond_debugfs.c
++++ b/drivers/net/bonding/bond_debugfs.c
+@@ -34,11 +34,17 @@ static int bond_debug_rlb_hash_show(struct seq_file *m, void *v)
+       for (; hash_index != RLB_NULL_INDEX;
+            hash_index = client_info->used_next) {
+               client_info = &(bond_info->rx_hashtbl[hash_index]);
+-              seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n",
+-                      &client_info->ip_src,
+-                      &client_info->ip_dst,
+-                      &client_info->mac_dst,
+-                      client_info->slave->dev->name);
++              if (client_info->slave)
++                      seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n",
++                                 &client_info->ip_src,
++                                 &client_info->ip_dst,
++                                 &client_info->mac_dst,
++                                 client_info->slave->dev->name);
++              else
++                      seq_printf(m, "%-15pI4 %-15pI4 %-17pM (none)\n",
++                                 &client_info->ip_src,
++                                 &client_info->ip_dst,
++                                 &client_info->mac_dst);
+       }
+       spin_unlock_bh(&bond->mode_lock);
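Review bot: The two `seq_printf()` calls differ only in the last argument, so the format string and the three address arguments are now duplicated; a single call with `client_info->slave ? client_info->slave->dev->name : "(none)"` as the final argument leaves one format to maintain. The NULL check itself looks sound as far as visible: the walk runs under `bond->mode_lock` (released at L25795), presumably the same lock rlb_clear_slave holds when it leaves `slave` NULL.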
+-- 
+2.51.0
+
diff --git a/queue-6.19/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch b/queue-6.19/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
new file mode 100644 (file)
index 0000000..504a9ac
--- /dev/null
@@ -0,0 +1,59 @@
+From b48a4d4e2bc5d04f92837c71d56f249853ee1d3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 08:42:12 +0000
+Subject: net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths
+
+From: Anas Iqbal <mohd.abd.6602@gmail.com>
+
+[ Upstream commit b48731849609cbd8c53785a48976850b443153fd ]
+
+Smatch reports:
+drivers/net/dsa/bcm_sf2.c:997 bcm_sf2_sw_resume() warn:
+'priv->clk' from clk_prepare_enable() not released on lines: 983,990.
+
+The clock enabled by clk_prepare_enable() in bcm_sf2_sw_resume()
+is not released if bcm_sf2_sw_rst() or bcm_sf2_cfp_resume() fails.
+
+Add the missing clk_disable_unprepare() calls in the error paths
+to properly release the clock resource.
+
+Fixes: e9ec5c3bd238 ("net: dsa: bcm_sf2: request and handle clocks")
+Reviewed-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Anas Iqbal <mohd.abd.6602@gmail.com>
+Link: https://patch.msgid.link/20260318084212.1287-1-mohd.abd.6602@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/bcm_sf2.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
+index 960685596093b..de3efa3ce9a75 100644
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -980,15 +980,19 @@ static int bcm_sf2_sw_resume(struct dsa_switch *ds)
+       ret = bcm_sf2_sw_rst(priv);
+       if (ret) {
+               pr_err("%s: failed to software reset switch\n", __func__);
++              if (!priv->wol_ports_mask)
++                      clk_disable_unprepare(priv->clk);
+               return ret;
+       }
+       bcm_sf2_crossbar_setup(priv);
+       ret = bcm_sf2_cfp_resume(ds);
+-      if (ret)
++      if (ret) {
++              if (!priv->wol_ports_mask)
++                      clk_disable_unprepare(priv->clk);
+               return ret;
+-
++      }
+       if (priv->hw_params.num_gphy == 1)
+               bcm_sf2_gphy_enable_set(ds, true);
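Review bot: The conditional clock release is now copied into two error paths, each repeating the `!priv->wol_ports_mask` test that presumably mirrors the clk_prepare_enable() guard earlier in the function, so a third failure point would need a third copy. A single `out_clk_disable:` label at the end of bcm_sf2_sw_resume that does the conditional clk_disable_unprepare() and returns `ret`, with both failure sites reduced to `goto out_clk_disable;`, keeps the enable/disable pairing in one place. The start of the function, where the clock is enabled, and its end are both outside the hunk.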
+-- 
+2.51.0
+
diff --git a/queue-6.19/net-macb-fix-uninitialized-rx_fs_lock.patch b/queue-6.19/net-macb-fix-uninitialized-rx_fs_lock.patch
new file mode 100644 (file)
index 0000000..c9f5347
--- /dev/null
@@ -0,0 +1,78 @@
+From c5152e540b4f86e5edba48d41138a96c8d6bac6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 13:38:25 +0300
+Subject: net: macb: fix uninitialized rx_fs_lock
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 34b11cc56e4369bc08b1f4c4a04222d75ed596ce ]
+
+If hardware doesn't support RX Flow Filters, rx_fs_lock spinlock is not
+initialized leading to the following assertion splat triggerable via
+set_rxnfc callback.
+
+INFO: trying to register non-static key.
+The code is fine but needs lockdep annotation, or maybe
+you didn't initialize this object before use?
+turning off the locking correctness validator.
+CPU: 1 PID: 949 Comm: syz.0.6 Not tainted 6.1.164+ #113
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106
+ assign_lock_key kernel/locking/lockdep.c:974 [inline]
+ register_lock_class+0x141b/0x17f0 kernel/locking/lockdep.c:1287
+ __lock_acquire+0x74f/0x6c40 kernel/locking/lockdep.c:4928
+ lock_acquire kernel/locking/lockdep.c:5662 [inline]
+ lock_acquire+0x190/0x4b0 kernel/locking/lockdep.c:5627
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+ _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:162
+ gem_del_flow_filter drivers/net/ethernet/cadence/macb_main.c:3562 [inline]
+ gem_set_rxnfc+0x533/0xac0 drivers/net/ethernet/cadence/macb_main.c:3667
+ ethtool_set_rxnfc+0x18c/0x280 net/ethtool/ioctl.c:961
+ __dev_ethtool net/ethtool/ioctl.c:2956 [inline]
+ dev_ethtool+0x229c/0x6290 net/ethtool/ioctl.c:3095
+ dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510
+ sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215
+ sock_ioctl+0x577/0x6d0 net/socket.c:1320
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856
+ do_syscall_x64 arch/x86/entry/common.c:46 [inline]
+ do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+A more straightforward solution would be to always initialize rx_fs_lock,
+just like rx_fs_list.  However, in this case the driver set_rxnfc callback
+would return with a rather confusing error code, e.g. -EINVAL.  So deny
+set_rxnfc attempts directly if the RX filtering feature is not supported
+by hardware.
+
+Fixes: ae8223de3df5 ("net: macb: Added support for RX filtering")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Link: https://patch.msgid.link/20260316103826.74506-2-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index a0802177a7a24..1a46e27bfbb4a 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -3979,6 +3979,9 @@ static int gem_set_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd)
+       struct macb *bp = netdev_priv(netdev);
+       int ret;
++      if (!(netdev->hw_features & NETIF_F_NTUPLE))
++              return -EOPNOTSUPP;
++
+       switch (cmd->cmd) {
+       case ETHTOOL_SRXCLSRLINS:
+               if ((cmd->fs.location >= bp->max_tuples)
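Review bot: The guard keys on `netdev->hw_features & NETIF_F_NTUPLE`, which is correct only if the driver sets that flag exactly when the RX flow-filter hardware (and with it the `rx_fs_lock` initialisation) is present; that setup is outside the hunk, so a comment, `/* rx_fs_lock/rx_fs_list are only initialised when HW supports flow filters (NETIF_F_NTUPLE) */`, would tie the check to its reason. If gem_get_rxnfc walks `rx_fs_list` or takes `rx_fs_lock`, it needs the same guard; it is not part of this change.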
+-- 
+2.51.0
+
diff --git a/queue-6.19/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch b/queue-6.19/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch
new file mode 100644 (file)
index 0000000..fefc541
--- /dev/null
@@ -0,0 +1,67 @@
+From 70e56ed1644aaf4e7da71a2e477f21191a91ce15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 12:22:04 -0700
+Subject: net: mana: fix use-after-free in mana_hwc_destroy_channel() by
+ reordering teardown
+
+From: Dipayaan Roy <dipayanroy@linux.microsoft.com>
+
+[ Upstream commit fa103fc8f56954a60699a29215cb713448a39e87 ]
+
+A potential race condition exists in mana_hwc_destroy_channel() where
+hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and
+Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt
+handler to dereference freed memory, leading to a use-after-free or
+NULL pointer dereference in mana_hwc_handle_resp().
+
+mana_smc_teardown_hwc() signals the hardware to stop but does not
+synchronize against IRQ handlers already executing on other CPUs. The
+IRQ synchronization only happens in mana_hwc_destroy_cq() via
+mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs
+after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler()
+can dereference freed caller_ctx (and rxq->msg_buf) in
+mana_hwc_handle_resp().
+
+Fix this by reordering teardown to reverse-of-creation order: destroy
+the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This
+ensures all in-flight interrupt handlers complete before the memory they
+access is freed.
+
+Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/abHA3AjNtqa1nx9k@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+index aa4e2731e2ba7..840c6b8957c90 100644
+--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
++++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+@@ -814,9 +814,6 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
+               gc->max_num_cqs = 0;
+       }
+-      kfree(hwc->caller_ctx);
+-      hwc->caller_ctx = NULL;
+-
+       if (hwc->txq)
+               mana_hwc_destroy_wq(hwc, hwc->txq);
+@@ -826,6 +823,9 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
+       if (hwc->cq)
+               mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq);
++      kfree(hwc->caller_ctx);
++      hwc->caller_ctx = NULL;
++
+       mana_gd_free_res_map(&hwc->inflight_msg_res);
+       hwc->num_inflight_msg = 0;
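Review bot: The new position of `kfree(hwc->caller_ctx)` is the entire fix, yet nothing in the code prevents a later cleanup from moving it back above the queue teardown; a comment at the free, `/* only after CQ/EQ teardown has synchronized the IRQ handlers that read caller_ctx */`, would preserve the ordering constraint. The mana_hwc_destroy_cq() path that performs that synchronization is outside the hunk.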
+-- 
+2.51.0
+
diff --git a/queue-6.19/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch b/queue-6.19/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch
new file mode 100644 (file)
index 0000000..9e2a751
--- /dev/null
@@ -0,0 +1,112 @@
+From ffcacb1755e8eb4288673bb41fbce78baa771165 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 11:46:01 +0200
+Subject: net/mlx5: qos: Restrict RTNL area to avoid a lock cycle
+
+From: Cosmin Ratiu <cratiu@nvidia.com>
+
+[ Upstream commit b7e3a5d9c0d66b7fb44f63aef3bd734821afa0c8 ]
+
+A lock dependency cycle exists where:
+1. mlx5_ib_roce_init -> mlx5_core_uplink_netdev_event_replay ->
+mlx5_blocking_notifier_call_chain (takes notifier_rwsem) ->
+mlx5e_mdev_notifier_event -> mlx5_netdev_notifier_register ->
+register_netdevice_notifier_dev_net (takes rtnl)
+=> notifier_rwsem -> rtnl
+
+2. mlx5e_probe -> _mlx5e_probe ->
+mlx5_core_uplink_netdev_set (takes uplink_netdev_lock) ->
+mlx5_blocking_notifier_call_chain (takes notifier_rwsem)
+=> uplink_netdev_lock -> notifier_rwsem
+
+3: devlink_nl_rate_set_doit -> devlink_nl_rate_set ->
+mlx5_esw_devlink_rate_leaf_tx_max_set -> esw_qos_devlink_rate_to_mbps ->
+mlx5_esw_qos_max_link_speed_get (takes rtnl) ->
+mlx5_esw_qos_lag_link_speed_get_locked ->
+mlx5_uplink_netdev_get (takes uplink_netdev_lock)
+=> rtnl -> uplink_netdev_lock
+=> BOOM! (lock cycle)
+
+Fix that by restricting the rtnl-protected section to just the necessary
+part, the call to netdev_master_upper_dev_get and speed querying, so
+that the last lock dependency is avoided and the cycle doesn't close.
+This is safe because mlx5_uplink_netdev_get uses netdev_hold to keep the
+uplink netdev alive while its master device is queried.
+
+Use this opportunity to rename the ambiguously-named "hold_rtnl_lock"
+argument to "take_rtnl" and remove the "_locked" suffix from
+mlx5_esw_qos_lag_link_speed_get_locked.
+
+Fixes: 6b4be64fd9fe ("net/mlx5e: Harden uplink netdev access against device unbind")
+Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260316094603.6999-2-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/esw/qos.c | 23 ++++++++-----------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
+index 4278bcb04c72e..2e11574b3a81f 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
+@@ -1490,24 +1490,24 @@ static int esw_qos_node_enable_tc_arbitration(struct mlx5_esw_sched_node *node,
+       return err;
+ }
+-static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev)
++static u32 mlx5_esw_qos_lag_link_speed_get(struct mlx5_core_dev *mdev,
++                                         bool take_rtnl)
+ {
+       struct ethtool_link_ksettings lksettings;
+       struct net_device *slave, *master;
+       u32 speed = SPEED_UNKNOWN;
+-      /* Lock ensures a stable reference to master and slave netdevice
+-       * while port speed of master is queried.
+-       */
+-      ASSERT_RTNL();
+-
+       slave = mlx5_uplink_netdev_get(mdev);
+       if (!slave)
+               goto out;
++      if (take_rtnl)
++              rtnl_lock();
+       master = netdev_master_upper_dev_get(slave);
+       if (master && !__ethtool_get_link_ksettings(master, &lksettings))
+               speed = lksettings.base.speed;
++      if (take_rtnl)
++              rtnl_unlock();
+ out:
+       mlx5_uplink_netdev_put(mdev, slave);
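Review bot: The removed `ASSERT_RTNL()` is not replaced for the `!take_rtnl` case, so a caller that passes `take_rtnl = false` without holding RTNL now calls netdev_master_upper_dev_get() unlocked with no lockdep complaint; keep the assertion on that path, `if (take_rtnl) rtnl_lock(); else ASSERT_RTNL();`. Also `mlx5_uplink_netdev_put(mdev, slave)` at L26095 is reached with `slave == NULL` via the `goto out`, which is pre-existing and fine only if that helper tolerates NULL.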
+@@ -1515,20 +1515,15 @@ static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev)
+ }
+ static int mlx5_esw_qos_max_link_speed_get(struct mlx5_core_dev *mdev, u32 *link_speed_max,
+-                                         bool hold_rtnl_lock, struct netlink_ext_ack *extack)
++                                         bool take_rtnl,
++                                         struct netlink_ext_ack *extack)
+ {
+       int err;
+       if (!mlx5_lag_is_active(mdev))
+               goto skip_lag;
+-      if (hold_rtnl_lock)
+-              rtnl_lock();
+-
+-      *link_speed_max = mlx5_esw_qos_lag_link_speed_get_locked(mdev);
+-
+-      if (hold_rtnl_lock)
+-              rtnl_unlock();
++      *link_speed_max = mlx5_esw_qos_lag_link_speed_get(mdev, take_rtnl);
+       if (*link_speed_max != (u32)SPEED_UNKNOWN)
+               return 0;
+-- 
+2.51.0
+
diff --git a/queue-6.19/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch b/queue-6.19/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch
new file mode 100644 (file)
index 0000000..c4e6117
--- /dev/null
@@ -0,0 +1,128 @@
+From 711f10b59669106d0e3d2ca01791b0c2fc0b80d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 11:46:03 +0200
+Subject: net/mlx5e: Fix race condition during IPSec ESN update
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit beb6e2e5976a128b0cccf10d158124422210c5ef ]
+
+In IPSec full offload mode, the device reports an ESN (Extended
+Sequence Number) wrap event to the driver. The driver validates this
+event by querying the IPSec ASO and checking that the esn_event_arm
+field is 0x0, which indicates an event has occurred. After handling
+the event, the driver must re-arm the context by setting esn_event_arm
+back to 0x1.
+
+A race condition exists in this handling path. After validating the
+event, the driver calls mlx5_accel_esp_modify_xfrm() to update the
+kernel's xfrm state. This function temporarily releases and
+re-acquires the xfrm state lock.
+
+So, need to acknowledge the event first by setting esn_event_arm to
+0x1. This prevents the driver from reprocessing the same ESN update if
+the hardware sends events for other reason. Since the next ESN update
+only occurs after nearly 2^31 packets are received, there's no risk of
+missing an update, as it will happen long after this handling has
+finished.
+
+Processing the event twice causes the ESN high-order bits (esn_msb) to
+be incremented incorrectly. The driver then programs the hardware with
+this invalid ESN state, which leads to anti-replay failures and a
+complete halt of IPSec traffic.
+
+Fix this by re-arming the ESN event immediately after it is validated,
+before calling mlx5_accel_esp_modify_xfrm(). This ensures that any
+spurious, duplicate events are correctly ignored, closing the race
+window.
+
+Fixes: fef06678931f ("net/mlx5e: Fix ESN update kernel panic")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260316094603.6999-4-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mlx5/core/en_accel/ipsec_offload.c        | 33 ++++++++-----------
+ 1 file changed, 14 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+index 2739ff490239d..e0611fa827971 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+@@ -310,10 +310,11 @@ static void mlx5e_ipsec_aso_update(struct mlx5e_ipsec_sa_entry *sa_entry,
+       mlx5e_ipsec_aso_query(sa_entry, data);
+ }
+-static void mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry,
+-                                       u32 mode_param)
++static void
++mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry,
++                           u32 mode_param,
++                           struct mlx5_accel_esp_xfrm_attrs *attrs)
+ {
+-      struct mlx5_accel_esp_xfrm_attrs attrs = {};
+       struct mlx5_wqe_aso_ctrl_seg data = {};
+       if (mode_param < MLX5E_IPSEC_ESN_SCOPE_MID) {
+@@ -323,18 +324,7 @@ static void mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry,
+               sa_entry->esn_state.overlap = 1;
+       }
+-      mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, &attrs);
+-
+-      /* It is safe to execute the modify below unlocked since the only flows
+-       * that could affect this HW object, are create, destroy and this work.
+-       *
+-       * Creation flow can't co-exist with this modify work, the destruction
+-       * flow would cancel this work, and this work is a single entity that
+-       * can't conflict with it self.
+-       */
+-      spin_unlock_bh(&sa_entry->x->lock);
+-      mlx5_accel_esp_modify_xfrm(sa_entry, &attrs);
+-      spin_lock_bh(&sa_entry->x->lock);
++      mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, attrs);
+       data.data_offset_condition_operand =
+               MLX5_IPSEC_ASO_REMOVE_FLOW_PKT_CNT_OFFSET;
+@@ -451,7 +441,9 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+       struct mlx5e_ipsec_work *work =
+               container_of(_work, struct mlx5e_ipsec_work, work);
+       struct mlx5e_ipsec_sa_entry *sa_entry = work->data;
++      struct mlx5_accel_esp_xfrm_attrs tmp = {};
+       struct mlx5_accel_esp_xfrm_attrs *attrs;
++      bool need_modify = false;
+       int ret;
+       attrs = &sa_entry->attrs;
+@@ -461,19 +453,22 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+       if (ret)
+               goto unlock;
++      if (attrs->lft.soft_packet_limit != XFRM_INF)
++              mlx5e_ipsec_handle_limits(sa_entry);
++
+       if (attrs->replay_esn.trigger &&
+           !MLX5_GET(ipsec_aso, sa_entry->ctx, esn_event_arm)) {
+               u32 mode_param = MLX5_GET(ipsec_aso, sa_entry->ctx,
+                                         mode_parameter);
+-              mlx5e_ipsec_update_esn_state(sa_entry, mode_param);
++              mlx5e_ipsec_update_esn_state(sa_entry, mode_param, &tmp);
++              need_modify = true;
+       }
+-      if (attrs->lft.soft_packet_limit != XFRM_INF)
+-              mlx5e_ipsec_handle_limits(sa_entry);
+-
+ unlock:
+       spin_unlock_bh(&sa_entry->x->lock);
++      if (need_modify)
++              mlx5_accel_esp_modify_xfrm(sa_entry, &tmp);
+       kfree(work);
+ }
+-- 
+2.51.0
+
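Review bot: The justification for calling mlx5_accel_esp_modify_xfrm() without sa_entry->x->lock held was deleted together with the old call site in mlx5e_ipsec_update_esn_state() and is not restated at the new call after `unlock:` in mlx5e_ipsec_handle_event(), so the next reader has to rediscover why the deferred call is safe; carry it over, e.g. `/* Safe to run unlocked: only create, destroy and this work touch this HW object, and destroy cancels this work. */` above the `if (need_modify)` line. Moving the mlx5e_ipsec_handle_limits() call ahead of the ESN check also deserves a one-line reason, since mlx5e_ipsec_update_esn_state() appears to end by issuing an ASO update that re-queries the context (its body continues outside the hunk) and that would refresh what the limits check reads; a comment such as `/* Handle limits before the ESN update below re-queries the ASO context. */` would pin that ordering. Note that `tmp` is a stack object handed to mlx5_accel_esp_modify_xfrm() after the lock is dropped, which is fine only if the callee does not retain the pointer — presumably it copies what it needs, but worth confirming.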
diff --git a/queue-6.19/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch b/queue-6.19/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch
new file mode 100644 (file)
index 0000000..484aab6
--- /dev/null
@@ -0,0 +1,115 @@
+From 1aa76291ebe229adb7d8b4733a46cc806d1626e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 11:46:02 +0200
+Subject: net/mlx5e: Prevent concurrent access to IPSec ASO context
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 99b36850d881e2d65912b2520a1c80d0fcc9429a ]
+
+The query or updating IPSec offload object is through Access ASO WQE.
+The driver uses a single mlx5e_ipsec_aso struct for each PF, which
+contains a shared DMA-mapped context for all ASO operations.
+
+A race condition exists because the ASO spinlock is released before
+the hardware has finished processing WQE. If a second operation is
+initiated immediately after, it overwrites the shared context in the
+DMA area.
+
+When the first operation's completion is processed later, it reads
+this corrupted context, leading to unexpected behavior and incorrect
+results.
+
+This commit fixes the race by introducing a private context within
+each IPSec offload object. The shared ASO context is now copied to
+this private context while the ASO spinlock is held. Subsequent
+processing uses this saved, per-object context, ensuring its integrity
+is maintained.
+
+Fixes: 1ed78fc03307 ("net/mlx5e: Update IPsec soft and hard limits")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260316094603.6999-3-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/en_accel/ipsec.h         |  1 +
+ .../mellanox/mlx5/core/en_accel/ipsec_offload.c | 17 ++++++++---------
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
+index f8eaaf37963b1..abcbd38db9dbb 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
+@@ -287,6 +287,7 @@ struct mlx5e_ipsec_sa_entry {
+       struct mlx5e_ipsec_dwork *dwork;
+       struct mlx5e_ipsec_limits limits;
+       u32 rx_mapped_id;
++      u8 ctx[MLX5_ST_SZ_BYTES(ipsec_aso)];
+ };
+ struct mlx5_accel_pol_xfrm_attrs {
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+index ef7322d381af6..2739ff490239d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+@@ -370,20 +370,18 @@ static void mlx5e_ipsec_aso_update_soft(struct mlx5e_ipsec_sa_entry *sa_entry,
+ static void mlx5e_ipsec_handle_limits(struct mlx5e_ipsec_sa_entry *sa_entry)
+ {
+       struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs;
+-      struct mlx5e_ipsec *ipsec = sa_entry->ipsec;
+-      struct mlx5e_ipsec_aso *aso = ipsec->aso;
+       bool soft_arm, hard_arm;
+       u64 hard_cnt;
+       lockdep_assert_held(&sa_entry->x->lock);
+-      soft_arm = !MLX5_GET(ipsec_aso, aso->ctx, soft_lft_arm);
+-      hard_arm = !MLX5_GET(ipsec_aso, aso->ctx, hard_lft_arm);
++      soft_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, soft_lft_arm);
++      hard_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, hard_lft_arm);
+       if (!soft_arm && !hard_arm)
+               /* It is not lifetime event */
+               return;
+-      hard_cnt = MLX5_GET(ipsec_aso, aso->ctx, remove_flow_pkt_cnt);
++      hard_cnt = MLX5_GET(ipsec_aso, sa_entry->ctx, remove_flow_pkt_cnt);
+       if (!hard_cnt || hard_arm) {
+               /* It is possible to see packet counter equal to zero without
+                * hard limit event armed. Such situation can be if packet
+@@ -454,10 +452,8 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+               container_of(_work, struct mlx5e_ipsec_work, work);
+       struct mlx5e_ipsec_sa_entry *sa_entry = work->data;
+       struct mlx5_accel_esp_xfrm_attrs *attrs;
+-      struct mlx5e_ipsec_aso *aso;
+       int ret;
+-      aso = sa_entry->ipsec->aso;
+       attrs = &sa_entry->attrs;
+       spin_lock_bh(&sa_entry->x->lock);
+@@ -466,8 +462,9 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+               goto unlock;
+       if (attrs->replay_esn.trigger &&
+-          !MLX5_GET(ipsec_aso, aso->ctx, esn_event_arm)) {
+-              u32 mode_param = MLX5_GET(ipsec_aso, aso->ctx, mode_parameter);
++          !MLX5_GET(ipsec_aso, sa_entry->ctx, esn_event_arm)) {
++              u32 mode_param = MLX5_GET(ipsec_aso, sa_entry->ctx,
++                                        mode_parameter);
+               mlx5e_ipsec_update_esn_state(sa_entry, mode_param);
+       }
+@@ -629,6 +626,8 @@ int mlx5e_ipsec_aso_query(struct mlx5e_ipsec_sa_entry *sa_entry,
+                       /* We are in atomic context */
+                       udelay(10);
+       } while (ret && time_is_after_jiffies(expires));
++      if (!ret)
++              memcpy(sa_entry->ctx, aso->ctx, MLX5_ST_SZ_BYTES(ipsec_aso));
+       spin_unlock_bh(&aso->lock);
+       return ret;
+ }
+-- 
+2.51.0
+
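Review bot: The new per-SA `ctx` buffer in struct mlx5e_ipsec_sa_entry is written in mlx5e_ipsec_aso_query() under aso->lock but read in mlx5e_ipsec_handle_limits() and mlx5e_ipsec_handle_event() under sa_entry->x->lock, and nothing in the hunk documents that the copy is only meaningful for the caller that just ran a successful query while holding x->lock across both steps. A comment on the field, e.g. `/* Private copy of the ASO context, filled by mlx5e_ipsec_aso_query() on success; read only by the caller that issued the query, under x->lock */`, would make that contract explicit. Because the memcpy is skipped when the query fails, `ctx` keeps the previous query's contents; the callers shown here check `ret` before reading it, but any caller that ignores the return value would see stale data, so the comment should say so. Using `sizeof(sa_entry->ctx)` in the memcpy instead of repeating MLX5_ST_SZ_BYTES(ipsec_aso) would tie the copy length to the declaration.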
diff --git a/queue-6.19/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch b/queue-6.19/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch
new file mode 100644 (file)
index 0000000..799feff
--- /dev/null
@@ -0,0 +1,86 @@
+From 03d251be6b4dd77cd4775314d456a5c044ad625d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 12:31:01 -0700
+Subject: net: mvpp2: guard flow control update with global_tx_fc in buffer
+ switching
+
+From: Muhammad Hammad Ijaz <mhijaz@amazon.com>
+
+[ Upstream commit 8a63baadf08453f66eb582fdb6dd234f72024723 ]
+
+mvpp2_bm_switch_buffers() unconditionally calls
+mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and
+shared buffer pool modes. This function programs CM3 flow control
+registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference
+priv->cm3_base without any NULL check.
+
+When the CM3 SRAM resource is not present in the device tree (the
+third reg entry added by commit 60523583b07c ("dts: marvell: add CM3
+SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains
+NULL and priv->global_tx_fc is false. Any operation that triggers
+mvpp2_bm_switch_buffers(), for example an MTU change that crosses
+the jumbo frame threshold, will crash:
+
+  Unable to handle kernel NULL pointer dereference at
+  virtual address 0000000000000000
+  Mem abort info:
+    ESR = 0x0000000096000006
+    EC = 0x25: DABT (current EL), IL = 32 bits
+  pc : readl+0x0/0x18
+  lr : mvpp2_cm3_read.isra.0+0x14/0x20
+  Call trace:
+   readl+0x0/0x18
+   mvpp2_bm_pool_update_fc+0x40/0x12c
+   mvpp2_bm_pool_update_priv_fc+0x94/0xd8
+   mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0
+   mvpp2_change_mtu+0x140/0x380
+   __dev_set_mtu+0x1c/0x38
+   dev_set_mtu_ext+0x78/0x118
+   dev_set_mtu+0x48/0xa8
+   dev_ifsioc+0x21c/0x43c
+   dev_ioctl+0x2d8/0x42c
+   sock_ioctl+0x314/0x378
+
+Every other flow control call site in the driver already guards
+hardware access with either priv->global_tx_fc or port->tx_fc.
+mvpp2_bm_switch_buffers() is the only place that omits this check.
+
+Add the missing priv->global_tx_fc guard to both the disable and
+re-enable calls in mvpp2_bm_switch_buffers(), consistent with the
+rest of the driver.
+
+Fixes: 3a616b92a9d1 ("net: mvpp2: Add TX flow control support for jumbo frames")
+Signed-off-by: Muhammad Hammad Ijaz <mhijaz@amazon.com>
+Reviewed-by: Gunnar Kudrjavets <gunnarku@amazon.com>
+Link: https://patch.msgid.link/20260316193157.65748-1-mhijaz@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index 33426fded919a..789e14bb1377a 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -5018,7 +5018,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+       if (priv->percpu_pools)
+               numbufs = port->nrxqs * 2;
+-      if (change_percpu)
++      if (change_percpu && priv->global_tx_fc)
+               mvpp2_bm_pool_update_priv_fc(priv, false);
+       for (i = 0; i < numbufs; i++)
+@@ -5043,7 +5043,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+                       mvpp2_open(port->dev);
+       }
+-      if (change_percpu)
++      if (change_percpu && priv->global_tx_fc)
+               mvpp2_bm_pool_update_priv_fc(priv, true);
+       return 0;
+-- 
+2.51.0
+
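Review bot: The `priv->global_tx_fc` guard is now duplicated at the two call sites in mvpp2_bm_switch_buffers(), while the NULL cm3_base dereference described in the commit message lives inside mvpp2_bm_pool_update_priv_fc() via mvpp2_cm3_read()/mvpp2_cm3_write(); a check at the top of that helper (or a `cm3_base` check in the accessors themselves, since the commit message says other call sites gate on port->tx_fc rather than global_tx_fc) would protect any future caller as well, unless some caller deliberately bypasses the flag, which the hunk does not show. At minimum a short comment on the first guard, `/* CM3 flow control registers are only mapped when global_tx_fc is set */`, records why the flag gates this call. The function body continues outside the hunk.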
diff --git a/queue-6.19/net-rose-fix-null-pointer-dereference-in-rose_transm.patch b/queue-6.19/net-rose-fix-null-pointer-dereference-in-rose_transm.patch
new file mode 100644 (file)
index 0000000..9bb7d2e
--- /dev/null
@@ -0,0 +1,64 @@
+From 8de52074ce0e1f85dc52bfdf2d9794b69d23c9eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 15:06:02 +0800
+Subject: net/rose: fix NULL pointer dereference in rose_transmit_link on
+ reconnect
+
+From: Jiayuan Chen <jiayuan.chen@shopee.com>
+
+[ Upstream commit e1f0a18c9564cdb16523c802e2c6fe5874e3d944 ]
+
+syzkaller reported a bug [1], and the reproducer is available at [2].
+
+ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN,
+TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects
+calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING
+(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT.
+
+When rose_connect() is called a second time while the first connection
+attempt is still in progress (TCP_SYN_SENT), it overwrites
+rose->neighbour via rose_get_neigh(). If that returns NULL, the socket
+is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL.
+When the socket is subsequently closed, rose_release() sees
+ROSE_STATE_1 and calls rose_write_internal() ->
+rose_transmit_link(skb, NULL), causing a NULL pointer dereference.
+
+Per connect(2), a second connect() while a connection is already in
+progress should return -EALREADY. Add this missing check for
+TCP_SYN_SENT to complete the state validation in rose_connect().
+
+[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271
+[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+d00f90e0af54102fb271@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0027.GAE@google.com/T/
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260311070611.76913-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index c0f5a515a8ce5..de18af4e40660 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -811,6 +811,11 @@ static int rose_connect(struct socket *sock, struct sockaddr_unsized *uaddr, int
+               goto out_release;
+       }
++      if (sk->sk_state == TCP_SYN_SENT) {
++              err = -EALREADY;
++              goto out_release;
++      }
++
+       sk->sk_state   = TCP_CLOSE;
+       sock->state = SS_UNCONNECTED;
+-- 
+2.51.0
+
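Review bot: The new TCP_SYN_SENT check in rose_connect() reads correctly, but the commit message enumerates four socket states and this hunk visibly handles only the in-progress one, while the lines right after it reset sk_state to TCP_CLOSE unconditionally; if nothing earlier in rose_connect() (the function starts outside the hunk) rejects TCP_LISTEN, a connect() on a listening socket would still fall through and silently convert it, which is worth confirming. A one-line comment on the new block, `/* A connection attempt is already in progress, see connect(2) */`, would also explain the choice of -EALREADY to a reader who has not seen the syzbot report.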
diff --git a/queue-6.19/net-sched-teql-fix-double-free-in-teql_master_xmit.patch b/queue-6.19/net-sched-teql-fix-double-free-in-teql_master_xmit.patch
new file mode 100644 (file)
index 0000000..3e99b35
--- /dev/null
@@ -0,0 +1,202 @@
+From 8a32dad3133f4ce6c21aa70e265ef5ea19bcd468 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 11:54:22 -0400
+Subject: net/sched: teql: Fix double-free in teql_master_xmit
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit 66360460cab63c248ca5b1070a01c0c29133b960 ]
+
+Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should
+be called using the seq_lock to avoid racing with the datapath. Failure
+to do so may cause crashes like the following:
+
+[  238.028993][  T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)
+[  238.029328][  T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318
+[  238.029749][  T318]
+[  238.029900][  T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)
+[  238.029906][  T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+[  238.029910][  T318] Call Trace:
+[  238.029913][  T318]  <TASK>
+[  238.029916][  T318]  dump_stack_lvl (lib/dump_stack.c:122)
+[  238.029928][  T318]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
+[  238.029940][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
+[  238.029944][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+...
+[  238.029957][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
+[  238.029969][  T318]  kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)
+[  238.029979][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
+[  238.029989][  T318]  check_slab_allocation (mm/kasan/common.c:231)
+[  238.029995][  T318]  kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))
+[  238.030004][  T318]  skb_release_data (net/core/skbuff.c:1139)
+...
+[  238.030025][  T318]  sk_skb_reason_drop (net/core/skbuff.c:1256)
+[  238.030032][  T318]  pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)
+[  238.030039][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+...
+[  238.030054][  T318]  qdisc_reset (net/sched/sch_generic.c:1034)
+[  238.030062][  T318]  teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)
+[  238.030071][  T318]  __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)
+[  238.030077][  T318]  qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)
+[  238.030089][  T318]  ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)
+[  238.030095][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[  238.030102][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[  238.030106][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[  238.030114][  T318]  tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)
+...
+[  238.072958][  T318] Allocated by task 303 on cpu 5 at 238.026275s:
+[  238.073392][  T318]  kasan_save_stack (mm/kasan/common.c:58)
+[  238.073884][  T318]  kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
+[  238.074230][  T318]  __kasan_slab_alloc (mm/kasan/common.c:369)
+[  238.074578][  T318]  kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)
+[  238.076091][  T318]  kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))
+[  238.076450][  T318]  __alloc_skb (net/core/skbuff.c:713)
+[  238.076834][  T318]  alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)
+[  238.077178][  T318]  sock_alloc_send_pskb (net/core/sock.c:2997)
+[  238.077520][  T318]  packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)
+[  238.081469][  T318]
+[  238.081870][  T318] Freed by task 299 on cpu 1 at 238.028496s:
+[  238.082761][  T318]  kasan_save_stack (mm/kasan/common.c:58)
+[  238.083481][  T318]  kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
+[  238.085348][  T318]  kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))
+[  238.085900][  T318]  __kasan_slab_free (mm/kasan/common.c:287)
+[  238.086439][  T318]  kmem_cache_free (mm/slub.c:6168 (discriminator 3) mm/slub.c:6298 (discriminator 3))
+[  238.087007][  T318]  skb_release_data (net/core/skbuff.c:1139)
+[  238.087491][  T318]  consume_skb (net/core/skbuff.c:1451)
+[  238.087757][  T318]  teql_master_xmit (net/sched/sch_teql.c:358)
+[  238.088116][  T318]  dev_hard_start_xmit (./include/linux/netdevice.h:5324 ./include/linux/netdevice.h:5333 net/core/dev.c:3871 net/core/dev.c:3887)
+[  238.088468][  T318]  sch_direct_xmit (net/sched/sch_generic.c:347)
+[  238.088820][  T318]  __qdisc_run (net/sched/sch_generic.c:420 (discriminator 1))
+[  238.089166][  T318]  __dev_queue_xmit (./include/net/sch_generic.h:229 ./include/net/pkt_sched.h:121 ./include/net/pkt_sched.h:117 net/core/dev.c:4196 net/core/dev.c:4802)
+
+Workflow to reproduce:
+1. Initialize a TEQL topology (dummy0 and ifb0 as slaves, teql0 up).
+2. Start multiple sender workers continuously transmitting packets
+   through teql0 to drive teql_master_xmit().
+3. In parallel, repeatedly delete and re-add the root qdisc on
+   dummy0 and ifb0 via RTNETLINK, forcing frequent teardown and reset activity
+   (teql_destroy() / qdisc_reset()).
+4. After running both workloads concurrently for several iterations,
+   KASAN reports slab-use-after-free or double-free in the skb free path.
+
+Fix this by moving dev_reset_queue to sch_generic.h and calling it, instead
+of qdisc_reset, in teql_destroy since it handles both the lock and lockless
+cases correctly for root qdiscs.
+
+Fixes: 96009c7d500e ("sched: replace __QDISC_STATE_RUNNING bit with a spin lock")
+Reported-by: Xianrui Dong <keenanat2000@gmail.com>
+Tested-by: Xianrui Dong <keenanat2000@gmail.com>
+Co-developed-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260315155422.147256-1-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sch_generic.h | 28 ++++++++++++++++++++++++++++
+ net/sched/sch_generic.c   | 27 ---------------------------
+ net/sched/sch_teql.c      |  7 ++-----
+ 3 files changed, 30 insertions(+), 32 deletions(-)
+
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index d5d55cb21686d..cafb266a0b80d 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -716,6 +716,34 @@ void qdisc_destroy(struct Qdisc *qdisc);
+ void qdisc_put(struct Qdisc *qdisc);
+ void qdisc_put_unlocked(struct Qdisc *qdisc);
+ void qdisc_tree_reduce_backlog(struct Qdisc *qdisc, int n, int len);
++
++static inline void dev_reset_queue(struct net_device *dev,
++                                 struct netdev_queue *dev_queue,
++                                 void *_unused)
++{
++      struct Qdisc *qdisc;
++      bool nolock;
++
++      qdisc = rtnl_dereference(dev_queue->qdisc_sleeping);
++      if (!qdisc)
++              return;
++
++      nolock = qdisc->flags & TCQ_F_NOLOCK;
++
++      if (nolock)
++              spin_lock_bh(&qdisc->seqlock);
++      spin_lock_bh(qdisc_lock(qdisc));
++
++      qdisc_reset(qdisc);
++
++      spin_unlock_bh(qdisc_lock(qdisc));
++      if (nolock) {
++              clear_bit(__QDISC_STATE_MISSED, &qdisc->state);
++              clear_bit(__QDISC_STATE_DRAINING, &qdisc->state);
++              spin_unlock_bh(&qdisc->seqlock);
++      }
++}
++
+ #ifdef CONFIG_NET_SCHED
+ int qdisc_offload_dump_helper(struct Qdisc *q, enum tc_setup_type type,
+                             void *type_data);
+diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
+index 852e603c17551..8b07d194c4c35 100644
+--- a/net/sched/sch_generic.c
++++ b/net/sched/sch_generic.c
+@@ -1290,33 +1290,6 @@ static void dev_deactivate_queue(struct net_device *dev,
+       }
+ }
+-static void dev_reset_queue(struct net_device *dev,
+-                          struct netdev_queue *dev_queue,
+-                          void *_unused)
+-{
+-      struct Qdisc *qdisc;
+-      bool nolock;
+-
+-      qdisc = rtnl_dereference(dev_queue->qdisc_sleeping);
+-      if (!qdisc)
+-              return;
+-
+-      nolock = qdisc->flags & TCQ_F_NOLOCK;
+-
+-      if (nolock)
+-              spin_lock_bh(&qdisc->seqlock);
+-      spin_lock_bh(qdisc_lock(qdisc));
+-
+-      qdisc_reset(qdisc);
+-
+-      spin_unlock_bh(qdisc_lock(qdisc));
+-      if (nolock) {
+-              clear_bit(__QDISC_STATE_MISSED, &qdisc->state);
+-              clear_bit(__QDISC_STATE_DRAINING, &qdisc->state);
+-              spin_unlock_bh(&qdisc->seqlock);
+-      }
+-}
+-
+ static bool some_qdisc_is_busy(struct net_device *dev)
+ {
+       unsigned int i;
+diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
+index 783300d8b0197..ec4039a201a2c 100644
+--- a/net/sched/sch_teql.c
++++ b/net/sched/sch_teql.c
+@@ -146,15 +146,12 @@ teql_destroy(struct Qdisc *sch)
+                                       master->slaves = NEXT_SLAVE(q);
+                                       if (q == master->slaves) {
+                                               struct netdev_queue *txq;
+-                                              spinlock_t *root_lock;
+                                               txq = netdev_get_tx_queue(master->dev, 0);
+                                               master->slaves = NULL;
+-                                              root_lock = qdisc_root_sleeping_lock(rtnl_dereference(txq->qdisc));
+-                                              spin_lock_bh(root_lock);
+-                                              qdisc_reset(rtnl_dereference(txq->qdisc));
+-                                              spin_unlock_bh(root_lock);
++                                              dev_reset_queue(master->dev,
++                                                              txq, NULL);
+                                       }
+                               }
+                               skb_queue_purge(&dat->q);
+-- 
+2.51.0
+
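Review bot: dev_reset_queue() becomes a header-level `static inline` in sch_generic.h without any kernel-doc, although its correctness now depends on the caller holding RTNL (it uses rtnl_dereference() on dev_queue->qdisc_sleeping) and on the qdisc being the root of that queue; a `/** ... */` block above it stating both requirements, the TCQ_F_NOLOCK seqlock handling, and that `dev` and `_unused` exist only to match the netdev_for_each_tx_queue() callback signature would help callers outside sch_generic.c. The teql_destroy() replacement also changes which qdisc is reset: the removed lines reset rtnl_dereference(txq->qdisc), whereas dev_reset_queue() resets dev_queue->qdisc_sleeping, and the two differ while the device is deactivated; presumably intended, since the commit says this path handles root qdiscs correctly, but the commit message does not call it out. teql_destroy() starts and ends outside the hunk.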
diff --git a/queue-6.19/net-shaper-protect-from-late-creation-of-hierarchy.patch b/queue-6.19/net-shaper-protect-from-late-creation-of-hierarchy.patch
new file mode 100644 (file)
index 0000000..7890be6
--- /dev/null
@@ -0,0 +1,397 @@
+From 9dc4c787ab7ac8b6137d4eae1ab5e9871c5cafd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 09:10:14 -0700
+Subject: net: shaper: protect from late creation of hierarchy
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit d75ec7e8ba1979a1eb0b9211d94d749cdce849c8 ]
+
+We look up a netdev during prep of Netlink ops (pre- callbacks)
+and take a ref to it. Then later in the body of the callback
+we take its lock or RCU which are the actual protections.
+
+The netdev may get unregistered in between the time we take
+the ref and the time we lock it. We may allocate the hierarchy
+after flush has already run, which would lead to a leak.
+
+Take the instance lock in pre- already, this saves us from the race
+and removes the need for dedicated lock/unlock callbacks completely.
+After all, if there's any chance of write happening concurrently
+with the flush - we're back to leaking the hierarchy.
+
+We may take the lock for devices which don't support shapers but
+we're only dealing with SET operations here, not taking the lock
+would be optimizing for an error case.
+
+Fixes: 93954b40f6a4 ("net-shapers: implement NL set and delete operations")
+Link: https://lore.kernel.org/20260309173450.538026-1-p@1g4.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://patch.msgid.link/20260317161014.779569-2-kuba@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/netlink/specs/net_shaper.yaml |  12 +-
+ net/shaper/shaper.c                         | 134 +++++++++++---------
+ net/shaper/shaper_nl_gen.c                  |  12 +-
+ net/shaper/shaper_nl_gen.h                  |   5 +
+ 4 files changed, 89 insertions(+), 74 deletions(-)
+
+diff --git a/Documentation/netlink/specs/net_shaper.yaml b/Documentation/netlink/specs/net_shaper.yaml
+index 0b1b54be48f92..3f2ad772b64b1 100644
+--- a/Documentation/netlink/specs/net_shaper.yaml
++++ b/Documentation/netlink/specs/net_shaper.yaml
+@@ -247,8 +247,8 @@ operations:
+       flags: [admin-perm]
+       do:
+-        pre: net-shaper-nl-pre-doit
+-        post: net-shaper-nl-post-doit
++        pre: net-shaper-nl-pre-doit-write
++        post: net-shaper-nl-post-doit-write
+         request:
+           attributes:
+             - ifindex
+@@ -278,8 +278,8 @@ operations:
+       flags: [admin-perm]
+       do:
+-        pre: net-shaper-nl-pre-doit
+-        post: net-shaper-nl-post-doit
++        pre: net-shaper-nl-pre-doit-write
++        post: net-shaper-nl-post-doit-write
+         request:
+           attributes: *ns-binding
+@@ -309,8 +309,8 @@ operations:
+       flags: [admin-perm]
+       do:
+-        pre: net-shaper-nl-pre-doit
+-        post: net-shaper-nl-post-doit
++        pre: net-shaper-nl-pre-doit-write
++        post: net-shaper-nl-post-doit-write
+         request:
+           attributes:
+             - ifindex
+diff --git a/net/shaper/shaper.c b/net/shaper/shaper.c
+index 081dac917dc2d..be9999ab62e39 100644
+--- a/net/shaper/shaper.c
++++ b/net/shaper/shaper.c
+@@ -36,24 +36,6 @@ static struct net_shaper_binding *net_shaper_binding_from_ctx(void *ctx)
+       return &((struct net_shaper_nl_ctx *)ctx)->binding;
+ }
+-static void net_shaper_lock(struct net_shaper_binding *binding)
+-{
+-      switch (binding->type) {
+-      case NET_SHAPER_BINDING_TYPE_NETDEV:
+-              netdev_lock(binding->netdev);
+-              break;
+-      }
+-}
+-
+-static void net_shaper_unlock(struct net_shaper_binding *binding)
+-{
+-      switch (binding->type) {
+-      case NET_SHAPER_BINDING_TYPE_NETDEV:
+-              netdev_unlock(binding->netdev);
+-              break;
+-      }
+-}
+-
+ static struct net_shaper_hierarchy *
+ net_shaper_hierarchy(struct net_shaper_binding *binding)
+ {
+@@ -219,12 +201,49 @@ static int net_shaper_ctx_setup(const struct genl_info *info, int type,
+       return 0;
+ }
++/* Like net_shaper_ctx_setup(), but for "write" handlers (never for dumps!)
++ * Acquires the lock protecting the hierarchy (instance lock for netdev).
++ */
++static int net_shaper_ctx_setup_lock(const struct genl_info *info, int type,
++                                   struct net_shaper_nl_ctx *ctx)
++{
++      struct net *ns = genl_info_net(info);
++      struct net_device *dev;
++      int ifindex;
++
++      if (GENL_REQ_ATTR_CHECK(info, type))
++              return -EINVAL;
++
++      ifindex = nla_get_u32(info->attrs[type]);
++      dev = netdev_get_by_index_lock(ns, ifindex);
++      if (!dev) {
++              NL_SET_BAD_ATTR(info->extack, info->attrs[type]);
++              return -ENOENT;
++      }
++
++      if (!dev->netdev_ops->net_shaper_ops) {
++              NL_SET_BAD_ATTR(info->extack, info->attrs[type]);
++              netdev_unlock(dev);
++              return -EOPNOTSUPP;
++      }
++
++      ctx->binding.type = NET_SHAPER_BINDING_TYPE_NETDEV;
++      ctx->binding.netdev = dev;
++      return 0;
++}
++
+ static void net_shaper_ctx_cleanup(struct net_shaper_nl_ctx *ctx)
+ {
+       if (ctx->binding.type == NET_SHAPER_BINDING_TYPE_NETDEV)
+               netdev_put(ctx->binding.netdev, &ctx->dev_tracker);
+ }
++static void net_shaper_ctx_cleanup_unlock(struct net_shaper_nl_ctx *ctx)
++{
++      if (ctx->binding.type == NET_SHAPER_BINDING_TYPE_NETDEV)
++              netdev_unlock(ctx->binding.netdev);
++}
++
+ static u32 net_shaper_handle_to_index(const struct net_shaper_handle *handle)
+ {
+       return FIELD_PREP(NET_SHAPER_SCOPE_MASK, handle->scope) |
+@@ -278,7 +297,7 @@ net_shaper_lookup(struct net_shaper_binding *binding,
+ }
+ /* Allocate on demand the per device shaper's hierarchy container.
+- * Called under the net shaper lock
++ * Called under the lock protecting the hierarchy (instance lock for netdev)
+  */
+ static struct net_shaper_hierarchy *
+ net_shaper_hierarchy_setup(struct net_shaper_binding *binding)
+@@ -697,6 +716,22 @@ void net_shaper_nl_post_doit(const struct genl_split_ops *ops,
+       net_shaper_generic_post(info);
+ }
++int net_shaper_nl_pre_doit_write(const struct genl_split_ops *ops,
++                              struct sk_buff *skb, struct genl_info *info)
++{
++      struct net_shaper_nl_ctx *ctx = (struct net_shaper_nl_ctx *)info->ctx;
++
++      BUILD_BUG_ON(sizeof(*ctx) > sizeof(info->ctx));
++
++      return net_shaper_ctx_setup_lock(info, NET_SHAPER_A_IFINDEX, ctx);
++}
++
++void net_shaper_nl_post_doit_write(const struct genl_split_ops *ops,
++                                 struct sk_buff *skb, struct genl_info *info)
++{
++      net_shaper_ctx_cleanup_unlock((struct net_shaper_nl_ctx *)info->ctx);
++}
++
+ int net_shaper_nl_pre_dumpit(struct netlink_callback *cb)
+ {
+       struct net_shaper_nl_ctx *ctx = (struct net_shaper_nl_ctx *)cb->ctx;
+@@ -824,45 +859,38 @@ int net_shaper_nl_set_doit(struct sk_buff *skb, struct genl_info *info)
+       binding = net_shaper_binding_from_ctx(info->ctx);
+-      net_shaper_lock(binding);
+       ret = net_shaper_parse_info(binding, info->attrs, info, &shaper,
+                                   &exists);
+       if (ret)
+-              goto unlock;
++              return ret;
+       if (!exists)
+               net_shaper_default_parent(&shaper.handle, &shaper.parent);
+       hierarchy = net_shaper_hierarchy_setup(binding);
+-      if (!hierarchy) {
+-              ret = -ENOMEM;
+-              goto unlock;
+-      }
++      if (!hierarchy)
++              return -ENOMEM;
+       /* The 'set' operation can't create node-scope shapers. */
+       handle = shaper.handle;
+       if (handle.scope == NET_SHAPER_SCOPE_NODE &&
+-          !net_shaper_lookup(binding, &handle)) {
+-              ret = -ENOENT;
+-              goto unlock;
+-      }
++          !net_shaper_lookup(binding, &handle))
++              return -ENOENT;
+       ret = net_shaper_pre_insert(binding, &handle, info->extack);
+       if (ret)
+-              goto unlock;
++              return ret;
+       ops = net_shaper_ops(binding);
+       ret = ops->set(binding, &shaper, info->extack);
+       if (ret) {
+               net_shaper_rollback(binding);
+-              goto unlock;
++              return ret;
+       }
+       net_shaper_commit(binding, 1, &shaper);
+-unlock:
+-      net_shaper_unlock(binding);
+-      return ret;
++      return 0;
+ }
+ static int __net_shaper_delete(struct net_shaper_binding *binding,
+@@ -1091,35 +1119,26 @@ int net_shaper_nl_delete_doit(struct sk_buff *skb, struct genl_info *info)
+       binding = net_shaper_binding_from_ctx(info->ctx);
+-      net_shaper_lock(binding);
+       ret = net_shaper_parse_handle(info->attrs[NET_SHAPER_A_HANDLE], info,
+                                     &handle);
+       if (ret)
+-              goto unlock;
++              return ret;
+       hierarchy = net_shaper_hierarchy(binding);
+-      if (!hierarchy) {
+-              ret = -ENOENT;
+-              goto unlock;
+-      }
++      if (!hierarchy)
++              return -ENOENT;
+       shaper = net_shaper_lookup(binding, &handle);
+-      if (!shaper) {
+-              ret = -ENOENT;
+-              goto unlock;
+-      }
++      if (!shaper)
++              return -ENOENT;
+       if (handle.scope == NET_SHAPER_SCOPE_NODE) {
+               ret = net_shaper_pre_del_node(binding, shaper, info->extack);
+               if (ret)
+-                      goto unlock;
++                      return ret;
+       }
+-      ret = __net_shaper_delete(binding, shaper, info->extack);
+-
+-unlock:
+-      net_shaper_unlock(binding);
+-      return ret;
++      return __net_shaper_delete(binding, shaper, info->extack);
+ }
+ static int net_shaper_group_send_reply(struct net_shaper_binding *binding,
+@@ -1168,21 +1187,17 @@ int net_shaper_nl_group_doit(struct sk_buff *skb, struct genl_info *info)
+       if (!net_shaper_ops(binding)->group)
+               return -EOPNOTSUPP;
+-      net_shaper_lock(binding);
+       leaves_count = net_shaper_list_len(info, NET_SHAPER_A_LEAVES);
+       if (!leaves_count) {
+               NL_SET_BAD_ATTR(info->extack,
+                               info->attrs[NET_SHAPER_A_LEAVES]);
+-              ret = -EINVAL;
+-              goto unlock;
++              return -EINVAL;
+       }
+       leaves = kcalloc(leaves_count, sizeof(struct net_shaper) +
+                        sizeof(struct net_shaper *), GFP_KERNEL);
+-      if (!leaves) {
+-              ret = -ENOMEM;
+-              goto unlock;
+-      }
++      if (!leaves)
++              return -ENOMEM;
+       old_nodes = (void *)&leaves[leaves_count];
+       ret = net_shaper_parse_node(binding, info->attrs, info, &node);
+@@ -1259,9 +1274,6 @@ int net_shaper_nl_group_doit(struct sk_buff *skb, struct genl_info *info)
+ free_leaves:
+       kfree(leaves);
+-
+-unlock:
+-      net_shaper_unlock(binding);
+       return ret;
+ free_msg:
+@@ -1371,14 +1383,12 @@ static void net_shaper_flush(struct net_shaper_binding *binding)
+       if (!hierarchy)
+               return;
+-      net_shaper_lock(binding);
+       xa_lock(&hierarchy->shapers);
+       xa_for_each(&hierarchy->shapers, index, cur) {
+               __xa_erase(&hierarchy->shapers, index);
+               kfree(cur);
+       }
+       xa_unlock(&hierarchy->shapers);
+-      net_shaper_unlock(binding);
+       kfree(hierarchy);
+ }
+diff --git a/net/shaper/shaper_nl_gen.c b/net/shaper/shaper_nl_gen.c
+index e8cccc4c11803..9b29be3ef19a8 100644
+--- a/net/shaper/shaper_nl_gen.c
++++ b/net/shaper/shaper_nl_gen.c
+@@ -99,27 +99,27 @@ static const struct genl_split_ops net_shaper_nl_ops[] = {
+       },
+       {
+               .cmd            = NET_SHAPER_CMD_SET,
+-              .pre_doit       = net_shaper_nl_pre_doit,
++              .pre_doit       = net_shaper_nl_pre_doit_write,
+               .doit           = net_shaper_nl_set_doit,
+-              .post_doit      = net_shaper_nl_post_doit,
++              .post_doit      = net_shaper_nl_post_doit_write,
+               .policy         = net_shaper_set_nl_policy,
+               .maxattr        = NET_SHAPER_A_IFINDEX,
+               .flags          = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+       },
+       {
+               .cmd            = NET_SHAPER_CMD_DELETE,
+-              .pre_doit       = net_shaper_nl_pre_doit,
++              .pre_doit       = net_shaper_nl_pre_doit_write,
+               .doit           = net_shaper_nl_delete_doit,
+-              .post_doit      = net_shaper_nl_post_doit,
++              .post_doit      = net_shaper_nl_post_doit_write,
+               .policy         = net_shaper_delete_nl_policy,
+               .maxattr        = NET_SHAPER_A_IFINDEX,
+               .flags          = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+       },
+       {
+               .cmd            = NET_SHAPER_CMD_GROUP,
+-              .pre_doit       = net_shaper_nl_pre_doit,
++              .pre_doit       = net_shaper_nl_pre_doit_write,
+               .doit           = net_shaper_nl_group_doit,
+-              .post_doit      = net_shaper_nl_post_doit,
++              .post_doit      = net_shaper_nl_post_doit_write,
+               .policy         = net_shaper_group_nl_policy,
+               .maxattr        = NET_SHAPER_A_LEAVES,
+               .flags          = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+diff --git a/net/shaper/shaper_nl_gen.h b/net/shaper/shaper_nl_gen.h
+index ec41c90431a4c..42c46c52c7751 100644
+--- a/net/shaper/shaper_nl_gen.h
++++ b/net/shaper/shaper_nl_gen.h
+@@ -18,12 +18,17 @@ extern const struct nla_policy net_shaper_leaf_info_nl_policy[NET_SHAPER_A_WEIGH
+ int net_shaper_nl_pre_doit(const struct genl_split_ops *ops,
+                          struct sk_buff *skb, struct genl_info *info);
++int net_shaper_nl_pre_doit_write(const struct genl_split_ops *ops,
++                               struct sk_buff *skb, struct genl_info *info);
+ int net_shaper_nl_cap_pre_doit(const struct genl_split_ops *ops,
+                              struct sk_buff *skb, struct genl_info *info);
+ void
+ net_shaper_nl_post_doit(const struct genl_split_ops *ops, struct sk_buff *skb,
+                       struct genl_info *info);
+ void
++net_shaper_nl_post_doit_write(const struct genl_split_ops *ops,
++                            struct sk_buff *skb, struct genl_info *info);
++void
+ net_shaper_nl_cap_post_doit(const struct genl_split_ops *ops,
+                           struct sk_buff *skb, struct genl_info *info);
+ int net_shaper_nl_pre_dumpit(struct netlink_callback *cb);
+-- 
+2.51.0
+
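Review bot: Dropping net_shaper_lock()/net_shaper_unlock() from net_shaper_flush() (hunk at @@ -1371) leaves its locking requirement implicit: it now walks and kfree()s the hierarchy with only xa_lock held, so it is correct only if every caller already holds the netdev instance lock, and an unlocked caller would race the write handlers silently. If the unregister path does hold the instance lock at that point (not visible in this patch), a `netdev_assert_locked(binding->netdev);` after the `if (!hierarchy) return;` check, guarded on NET_SHAPER_BINDING_TYPE_NETDEV, would let lockdep catch a regression. net_shaper_ctx_cleanup_unlock() carries the same implicit contract: it only unlocks, and net_shaper_ctx_setup_lock() never sets ctx->dev_tracker, so a reader comparing it with net_shaper_ctx_cleanup() will wonder where the put went; a one-line comment such as `/* Pairs with net_shaper_ctx_setup_lock(): the locked lookup leaves no tracked reference, so only the lock is released. */` would answer that.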
diff --git a/queue-6.19/net-shaper-protect-late-read-accesses-to-the-hierarc.patch b/queue-6.19/net-shaper-protect-late-read-accesses-to-the-hierarc.patch
new file mode 100644 (file)
index 0000000..32cbf22
--- /dev/null
@@ -0,0 +1,94 @@
+From a099f2c12aa6fd850feff2dd16379e94f9e5131f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 09:10:13 -0700
+Subject: net: shaper: protect late read accesses to the hierarchy
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 0f9ea7141f365b4f27226898e62220fb98ef8dc6 ]
+
+We look up a netdev during prep of Netlink ops (pre- callbacks)
+and take a ref to it. Then later in the body of the callback
+we take its lock or RCU which are the actual protections.
+
+This is not proper, a conversion from a ref to a locked netdev
+must include a liveness check (a check if the netdev hasn't been
+unregistered already). Fix the read cases (those under RCU).
+Writes needs a separate change to protect from creating the
+hierarchy after flush has already run.
+
+Fixes: 4b623f9f0f59 ("net-shapers: implement NL get operation")
+Reported-by: Paul Moses <p@1g4.org>
+Link: https://lore.kernel.org/20260309173450.538026-1-p@1g4.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://patch.msgid.link/20260317161014.779569-1-kuba@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/shaper/shaper.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/net/shaper/shaper.c b/net/shaper/shaper.c
+index 318a0567a6981..081dac917dc2d 100644
+--- a/net/shaper/shaper.c
++++ b/net/shaper/shaper.c
+@@ -65,6 +65,21 @@ net_shaper_hierarchy(struct net_shaper_binding *binding)
+       return NULL;
+ }
++static struct net_shaper_hierarchy *
++net_shaper_hierarchy_rcu(struct net_shaper_binding *binding)
++{
++      /* Readers look up the device and take a ref, then take RCU lock
++       * later at which point netdev may have been unregistered and flushed.
++       * READ_ONCE() pairs with WRITE_ONCE() in net_shaper_hierarchy_setup.
++       */
++      if (binding->type == NET_SHAPER_BINDING_TYPE_NETDEV &&
++          READ_ONCE(binding->netdev->reg_state) <= NETREG_REGISTERED)
++              return READ_ONCE(binding->netdev->net_shaper_hierarchy);
++
++      /* No other type supported yet. */
++      return NULL;
++}
++
+ static const struct net_shaper_ops *
+ net_shaper_ops(struct net_shaper_binding *binding)
+ {
+@@ -251,9 +266,10 @@ static struct net_shaper *
+ net_shaper_lookup(struct net_shaper_binding *binding,
+                 const struct net_shaper_handle *handle)
+ {
+-      struct net_shaper_hierarchy *hierarchy = net_shaper_hierarchy(binding);
+       u32 index = net_shaper_handle_to_index(handle);
++      struct net_shaper_hierarchy *hierarchy;
++      hierarchy = net_shaper_hierarchy_rcu(binding);
+       if (!hierarchy || xa_get_mark(&hierarchy->shapers, index,
+                                     NET_SHAPER_NOT_VALID))
+               return NULL;
+@@ -778,17 +794,19 @@ int net_shaper_nl_get_dumpit(struct sk_buff *skb,
+       /* Don't error out dumps performed before any set operation. */
+       binding = net_shaper_binding_from_ctx(ctx);
+-      hierarchy = net_shaper_hierarchy(binding);
+-      if (!hierarchy)
+-              return 0;
+       rcu_read_lock();
++      hierarchy = net_shaper_hierarchy_rcu(binding);
++      if (!hierarchy)
++              goto out_unlock;
++
+       for (; (shaper = xa_find(&hierarchy->shapers, &ctx->start_index,
+                                U32_MAX, XA_PRESENT)); ctx->start_index++) {
+               ret = net_shaper_fill_one(skb, binding, shaper, info);
+               if (ret)
+                       break;
+       }
++out_unlock:
+       rcu_read_unlock();
+       return ret;
+-- 
+2.51.0
+
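Review bot: The comment in net_shaper_hierarchy_rcu() (hunk at @@ -65) documents the READ_ONCE pairing but not the ordering the liveness check depends on: the reg_state test and the hierarchy pointer load are two separate reads, and the hierarchy is released with a plain kfree() rather than kfree_rcu(), so an RCU reader is only safe if unregistration publishes reg_state past NETREG_REGISTERED and waits out a grace period before the flush runs. That dependency is not visible in this patch and should be spelled out in the comment, e.g. `/* Safe without kfree_rcu() only because unregistration moves reg_state past NETREG_REGISTERED and synchronizes RCU before the hierarchy is flushed; confirm against the caller of net_shaper_flush(). */`. Without it, a later change that reorders the flush relative to the grace period would reintroduce the use-after-free this patch closes.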
diff --git a/queue-6.19/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch b/queue-6.19/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch
new file mode 100644 (file)
index 0000000..921db4f
--- /dev/null
@@ -0,0 +1,208 @@
+From ee92650fb61e6f52ccb134560e82a3c3aedb59bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 17:29:07 +0800
+Subject: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
+
+From: Jiayuan Chen <jiayuan.chen@shopee.com>
+
+[ Upstream commit 6d5e4538364b9ceb1ac2941a4deb86650afb3538 ]
+
+Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].
+
+smc_tcp_syn_recv_sock() is called in the TCP receive path
+(softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP
+listening socket). It reads sk_user_data to get the smc_sock
+pointer. However, when the SMC listen socket is being closed
+concurrently, smc_close_active() sets clcsock->sk_user_data
+to NULL under sk_callback_lock, and then the smc_sock itself
+can be freed via sock_put() in smc_release().
+
+This leads to two issues:
+
+1) NULL pointer dereference: sk_user_data is NULL when
+   accessed.
+2) Use-after-free: sk_user_data is read as non-NULL, but the
+   smc_sock is freed before its fields (e.g., queued_smc_hs,
+   ori_af_ops) are accessed.
+
+The race window looks like this (the syzkaller crash [1]
+triggers via the SYN cookie path: tcp_get_cookie_sock() ->
+smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path
+has the same race):
+
+  CPU A (softirq)              CPU B (process ctx)
+
+  tcp_v4_rcv()
+    TCP_NEW_SYN_RECV:
+    sk = req->rsk_listener
+    sock_hold(sk)
+    /* No lock on listener */
+                               smc_close_active():
+                                 write_lock_bh(cb_lock)
+                                 sk_user_data = NULL
+                                 write_unlock_bh(cb_lock)
+                                 ...
+                                 smc_clcsock_release()
+                                 sock_put(smc->sk) x2
+                                   -> smc_sock freed!
+    tcp_check_req()
+      smc_tcp_syn_recv_sock():
+        smc = user_data(sk)
+          -> NULL or dangling
+        smc->queued_smc_hs
+          -> crash!
+
+Note that the clcsock and smc_sock are two independent objects
+with separate refcounts. TCP stack holds a reference on the
+clcsock, which keeps it alive, but this does NOT prevent the
+smc_sock from being freed.
+
+Fix this by using RCU and refcount_inc_not_zero() to safely
+access smc_sock. Since smc_tcp_syn_recv_sock() is called in
+the TCP three-way handshake path, taking read_lock_bh on
+sk_callback_lock is too heavy and would not survive a SYN
+flood attack. Using rcu_read_lock() is much more lightweight.
+
+- Set SOCK_RCU_FREE on the SMC listen socket so that
+  smc_sock freeing is deferred until after the RCU grace
+  period. This guarantees the memory is still valid when
+  accessed inside rcu_read_lock().
+- Use rcu_read_lock() to protect reading sk_user_data.
+- Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the
+  smc_sock. If the refcount has already reached zero (close
+  path completed), it returns false and we bail out safely.
+
+Note: smc_hs_congested() has a similar lockless read of
+sk_user_data without rcu_read_lock(), but it only checks for
+NULL and accesses the global smc_hs_wq, never dereferencing
+any smc_sock field, so it is not affected.
+
+Reproducer was verified with mdelay injection and smc_run,
+the issue no longer occurs with this patch applied.
+
+[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9
+
+Fixes: 8270d9c21041 ("net/smc: Limit backlog connections")
+Reported-by: syzbot+827ae2bfb3a3529333e9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67eaf9b8.050a0220.3c3d88.004a.GAE@google.com/T/
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Link: https://patch.msgid.link/20260312092909.48325-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c    | 23 +++++++++++++++++------
+ net/smc/smc.h       |  5 +++++
+ net/smc/smc_close.c |  2 +-
+ 3 files changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 18c56b0d7ad53..765f26aaca93d 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -131,7 +131,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
+       struct smc_sock *smc;
+       struct sock *child;
+-      smc = smc_clcsock_user_data(sk);
++      rcu_read_lock();
++      smc = smc_clcsock_user_data_rcu(sk);
++      if (!smc || !refcount_inc_not_zero(&smc->sk.sk_refcnt)) {
++              rcu_read_unlock();
++              smc = NULL;
++              goto drop;
++      }
++      rcu_read_unlock();
+       if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
+                               sk->sk_max_ack_backlog)
+@@ -153,11 +160,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
+               if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
+                       inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
+       }
++      sock_put(&smc->sk);
+       return child;
+ drop:
+       dst_release(dst);
+       tcp_listendrop(sk);
++      if (smc)
++              sock_put(&smc->sk);
+       return NULL;
+ }
+@@ -254,7 +264,7 @@ static void smc_fback_restore_callbacks(struct smc_sock *smc)
+       struct sock *clcsk = smc->clcsock->sk;
+       write_lock_bh(&clcsk->sk_callback_lock);
+-      clcsk->sk_user_data = NULL;
++      rcu_assign_sk_user_data(clcsk, NULL);
+       smc_clcsock_restore_cb(&clcsk->sk_state_change, &smc->clcsk_state_change);
+       smc_clcsock_restore_cb(&clcsk->sk_data_ready, &smc->clcsk_data_ready);
+@@ -902,7 +912,7 @@ static void smc_fback_replace_callbacks(struct smc_sock *smc)
+       struct sock *clcsk = smc->clcsock->sk;
+       write_lock_bh(&clcsk->sk_callback_lock);
+-      clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
++      __rcu_assign_sk_user_data_with_flags(clcsk, smc, SK_USER_DATA_NOCOPY);
+       smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change,
+                              &smc->clcsk_state_change);
+@@ -2665,8 +2675,8 @@ int smc_listen(struct socket *sock, int backlog)
+        * smc-specific sk_data_ready function
+        */
+       write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+-      smc->clcsock->sk->sk_user_data =
+-              (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
++      __rcu_assign_sk_user_data_with_flags(smc->clcsock->sk, smc,
++                                           SK_USER_DATA_NOCOPY);
+       smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready,
+                              smc_clcsock_data_ready, &smc->clcsk_data_ready);
+       write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+@@ -2687,10 +2697,11 @@ int smc_listen(struct socket *sock, int backlog)
+               write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+               smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+                                      &smc->clcsk_data_ready);
+-              smc->clcsock->sk->sk_user_data = NULL;
++              rcu_assign_sk_user_data(smc->clcsock->sk, NULL);
+               write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+               goto out;
+       }
++      sock_set_flag(sk, SOCK_RCU_FREE);
+       sk->sk_max_ack_backlog = backlog;
+       sk->sk_ack_backlog = 0;
+       sk->sk_state = SMC_LISTEN;
+diff --git a/net/smc/smc.h b/net/smc/smc.h
+index 9e6af72784baa..52145df83f6e7 100644
+--- a/net/smc/smc.h
++++ b/net/smc/smc.h
+@@ -346,6 +346,11 @@ static inline struct smc_sock *smc_clcsock_user_data(const struct sock *clcsk)
+              ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY);
+ }
++static inline struct smc_sock *smc_clcsock_user_data_rcu(const struct sock *clcsk)
++{
++      return (struct smc_sock *)rcu_dereference_sk_user_data(clcsk);
++}
++
+ /* save target_cb in saved_cb, and replace target_cb with new_cb */
+ static inline void smc_clcsock_replace_cb(void (**target_cb)(struct sock *),
+                                         void (*new_cb)(struct sock *),
+diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
+index 10219f55aad14..bb0313ef5f7c1 100644
+--- a/net/smc/smc_close.c
++++ b/net/smc/smc_close.c
+@@ -218,7 +218,7 @@ int smc_close_active(struct smc_sock *smc)
+                       write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+                       smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+                                              &smc->clcsk_data_ready);
+-                      smc->clcsock->sk->sk_user_data = NULL;
++                      rcu_assign_sk_user_data(smc->clcsock->sk, NULL);
+                       write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+                       rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
+               }
+-- 
+2.51.0
+
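Review bot: In smc_tcp_syn_recv_sock() (hunk at @@ -131) the `smc = NULL;` before `goto drop` is load-bearing: when refcount_inc_not_zero() fails, smc is non-NULL but unowned, and the `if (smc) sock_put(&smc->sk);` at the drop label would otherwise release a reference this path never took. That deserves a comment on the assignment, e.g. `/* no reference taken: keep drop: from sock_put() a dying smc_sock */`. The two rcu_read_unlock() calls could also be collapsed by recording the refcount result inside the RCU section and unlocking once before the test, which keeps the critical section visibly bounded to the sk_user_data read. The function's opening lines are outside the first hunk and its body spans both hunks.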
diff --git a/queue-6.19/net-ti-icssg-prueth-fix-memory-leak-in-xdp_drop-for-.patch b/queue-6.19/net-ti-icssg-prueth-fix-memory-leak-in-xdp_drop-for-.patch
new file mode 100644 (file)
index 0000000..c810e56
--- /dev/null
@@ -0,0 +1,53 @@
+From 4d9a71cccdbe0e712979af32322ac29e2178d233 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 15:24:41 +0530
+Subject: net: ti: icssg-prueth: Fix memory leak in XDP_DROP for non-zero-copy
+ mode
+
+From: Meghana Malladi <m-malladi@ti.com>
+
+[ Upstream commit 719d3e71691db7c4f1658ba5a6d1472928121594 ]
+
+Page recycling was removed from the XDP_DROP path in emac_run_xdp() to
+avoid conflicts with AF_XDP zero-copy mode, which uses xsk_buff_free()
+instead.
+
+However, this causes a memory leak when running XDP programs that drop
+packets in non-zero-copy mode (standard page pool mode). The pages are
+never returned to the page pool, leading to OOM conditions.
+
+Fix this by handling cleanup in the caller, emac_rx_packet().
+When emac_run_xdp() returns ICSSG_XDP_CONSUMED for XDP_DROP, the
+caller now recycles the page back to the page pool. The zero-copy
+path, emac_rx_packet_zc() already handles cleanup correctly with
+xsk_buff_free().
+
+Fixes: 7a64bb388df3 ("net: ti: icssg-prueth: Add AF_XDP zero copy for RX")
+Signed-off-by: Meghana Malladi <m-malladi@ti.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260311095441.1691636-1-m-malladi@ti.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/icssg/icssg_common.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/ti/icssg/icssg_common.c b/drivers/net/ethernet/ti/icssg/icssg_common.c
+index 090aa74d3ce72..a9b5f86bc71bc 100644
+--- a/drivers/net/ethernet/ti/icssg/icssg_common.c
++++ b/drivers/net/ethernet/ti/icssg/icssg_common.c
+@@ -1075,6 +1075,11 @@ static int emac_rx_packet(struct prueth_emac *emac, u32 flow_id, u32 *xdp_state)
+               xdp_prepare_buff(&xdp, pa, PRUETH_HEADROOM, pkt_len, false);
+               *xdp_state = emac_run_xdp(emac, &xdp, &pkt_len);
++              if (*xdp_state == ICSSG_XDP_CONSUMED) {
++                      page_pool_recycle_direct(pool, page);
++                      goto requeue;
++              }
++
+               if (*xdp_state != ICSSG_XDP_PASS)
+                       goto requeue;
+               headroom = xdp.data - xdp.data_hard_start;
+-- 
+2.51.0
+
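Review bot: The new block in emac_rx_packet() recycles the page whenever emac_run_xdp() returns ICSSG_XDP_CONSUMED, but nothing at the call site states that CONSUMED implies the callee left the page untouched; the commit message covers only XDP_DROP, so whether the aborted XDP_TX/XDP_REDIRECT paths also return CONSUMED and whether they ever release the buffer themselves should be confirmed in emac_run_xdp(), since any such path would now double free. Documenting the ownership rule here, e.g. `/* CONSUMED: emac_run_xdp() never releases the page; recycle it here (page-pool mode only, the ZC path uses xsk_buff_free()) */`, makes the contract explicit and reviewable. The enclosing function starts and ends outside the hunk, so where `pool` and `page` are bound is not visible here.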
diff --git a/queue-6.19/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch b/queue-6.19/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
new file mode 100644 (file)
index 0000000..327ec90
--- /dev/null
@@ -0,0 +1,69 @@
+From 3ba43e9b03a3a37c0ff10e567601fb1698b4c578 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 16:16:43 +0200
+Subject: net: usb: aqc111: Do not perform PM inside suspend callback
+
+From: Nikola Z. Ivanov <zlatistiv@gmail.com>
+
+[ Upstream commit 069c8f5aebe4d5224cf62acc7d4b3486091c658a ]
+
+syzbot reports "task hung in rpm_resume"
+
+This is caused by aqc111_suspend calling
+the PM variant of its write_cmd routine.
+
+The simplified call trace looks like this:
+
+rpm_suspend()
+  usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING
+    aqc111_suspend() - called for the usb device interface
+      aqc111_write32_cmd()
+        usb_autopm_get_interface()
+          pm_runtime_resume_and_get()
+            rpm_resume() - here we call rpm_resume() on our parent
+              rpm_resume() - Here we wait for a status change that will never happen.
+
+At this point we block another task which holds
+rtnl_lock and locks up the whole networking stack.
+
+Fix this by replacing the write_cmd calls with their _nopm variants
+
+Reported-by: syzbot+48dc1e8dfc92faf1124c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=48dc1e8dfc92faf1124c
+Fixes: e58ba4544c77 ("net: usb: aqc111: Add support for wake on LAN by MAGIC packet")
+Signed-off-by: Nikola Z. Ivanov <zlatistiv@gmail.com>
+Link: https://patch.msgid.link/20260313141643.1181386-1-zlatistiv@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/aqc111.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c
+index 9201ee10a13f7..d316aa66dbc23 100644
+--- a/drivers/net/usb/aqc111.c
++++ b/drivers/net/usb/aqc111.c
+@@ -1400,14 +1400,14 @@ static int aqc111_suspend(struct usb_interface *intf, pm_message_t message)
+               aqc111_write16_cmd_nopm(dev, AQ_ACCESS_MAC,
+                                       SFR_MEDIUM_STATUS_MODE, 2, &reg16);
+-              aqc111_write_cmd(dev, AQ_WOL_CFG, 0, 0,
+-                               WOL_CFG_SIZE, &wol_cfg);
+-              aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0,
+-                                 &aqc111_data->phy_cfg);
++              aqc111_write_cmd_nopm(dev, AQ_WOL_CFG, 0, 0,
++                                    WOL_CFG_SIZE, &wol_cfg);
++              aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0,
++                                      &aqc111_data->phy_cfg);
+       } else {
+               aqc111_data->phy_cfg |= AQ_LOW_POWER;
+-              aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0,
+-                                 &aqc111_data->phy_cfg);
++              aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0,
++                                      &aqc111_data->phy_cfg);
+               /* Disable RX path */
+               aqc111_read16_cmd_nopm(dev, AQ_ACCESS_MAC,
+-- 
+2.51.0
+
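Review bot: After this change every register access in aqc111_suspend() visible in the hunk uses a _nopm accessor, but the reason lives only in the commit message; a comment at the top of the function (outside the hunk) such as `/* Runtime PM is already in progress here: the plain *_cmd() helpers call usb_autopm_get_interface() and block in rpm_resume(); only the *_nopm variants may be used. */` would stop the next WoL addition from reintroducing the hang. The function body starts and ends outside the hunk.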
diff --git a/queue-6.19/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch b/queue-6.19/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch
new file mode 100644 (file)
index 0000000..4f66741
--- /dev/null
@@ -0,0 +1,65 @@
+From 59beefa152be2a1af40f46326455048234680d27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 22:46:39 -0700
+Subject: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check
+
+From: Tobi Gaertner <tob.gaertner@me.com>
+
+[ Upstream commit 2aa8a4fa8d5b7d0e1ebcec100e1a4d80a1f4b21a ]
+
+cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE
+entries fit within the skb. The first check correctly accounts for
+ndpoffset:
+
+  if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len)
+
+but the second check omits it:
+
+  if ((sizeof(struct usb_cdc_ncm_ndp16) +
+       ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len)
+
+This validates the DPE array size against the total skb length as if
+the NDP were at offset 0, rather than at ndpoffset. When the NDP is
+placed near the end of the NTB (large wNdpIndex), the DPE entries can
+extend past the skb data buffer even though the check passes.
+cdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating
+the DPE array.
+
+Add ndpoffset to the nframes bounds check and use struct_size_t() to
+express the NDP-plus-DPE-array size more clearly.
+
+Fixes: ff06ab13a4cc ("net: cdc_ncm: splitting rx_fixup for code reuse")
+Signed-off-by: Tobi Gaertner <tob.gaertner@me.com>
+Link: https://patch.msgid.link/20260314054640.2895026-2-tob.gaertner@me.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_ncm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index 5d123df0a866b..a9d0162b5ee01 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1656,6 +1656,7 @@ int cdc_ncm_rx_verify_ndp16(struct sk_buff *skb_in, int ndpoffset)
+       struct usbnet *dev = netdev_priv(skb_in->dev);
+       struct usb_cdc_ncm_ndp16 *ndp16;
+       int ret = -EINVAL;
++      size_t ndp_len;
+       if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) {
+               netif_dbg(dev, rx_err, dev->net, "invalid NDP offset  <%u>\n",
+@@ -1675,8 +1676,8 @@ int cdc_ncm_rx_verify_ndp16(struct sk_buff *skb_in, int ndpoffset)
+                                       sizeof(struct usb_cdc_ncm_dpe16));
+       ret--; /* we process NDP entries except for the last one */
+-      if ((sizeof(struct usb_cdc_ncm_ndp16) +
+-           ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) {
++      ndp_len = struct_size_t(struct usb_cdc_ncm_ndp16, dpe16, ret);
++      if (ndpoffset + ndp_len > skb_in->len) {
+               netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret);
+               ret = -EINVAL;
+       }
+-- 
+2.51.0
+
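Review bot: The new comparison `ndpoffset + ndp_len > skb_in->len` can wrap if `ndp_len` is ever saturated: struct_size_t() returns SIZE_MAX on overflow, and adding a positive ndpoffset to SIZE_MAX yields a small value that passes the check. With `ret` presumably derived from the NDP's 16-bit wLength this is not reachable today, but the earlier check `(ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len` already guarantees `skb_in->len - ndpoffset` is non-negative, so `if (ndp_len > skb_in->len - ndpoffset)` keeps the saturation protective at no cost. The same applies to the NDP32 variant in the following patch (`if (ndpoffset + ndp_len > skb_in->len)` in cdc_ncm_rx_verify_ndp32). cdc_ncm_rx_verify_ndp16's body extends beyond the hunk, where `ret` is computed and where a minimum-wLength check would live.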
diff --git a/queue-6.19/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch b/queue-6.19/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch
new file mode 100644 (file)
index 0000000..0417aad
--- /dev/null
@@ -0,0 +1,54 @@
+From 0317bc75292fca43e57b26db82828e6c0bdf04e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 22:46:40 -0700
+Subject: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
+
+From: Tobi Gaertner <tob.gaertner@me.com>
+
+[ Upstream commit 77914255155e68a20aa41175edeecf8121dac391 ]
+
+The same bounds-check bug fixed for NDP16 in the previous patch also
+exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated
+against the total skb length without accounting for ndpoffset, allowing
+out-of-bounds reads when the NDP32 is placed near the end of the NTB.
+
+Add ndpoffset to the nframes bounds check and use struct_size_t() to
+express the NDP-plus-DPE-array size more clearly.
+
+Compile-tested only.
+
+Fixes: 0fa81b304a79 ("cdc_ncm: Implement the 32-bit version of NCM Transfer Block")
+Signed-off-by: Tobi Gaertner <tob.gaertner@me.com>
+Link: https://patch.msgid.link/20260314054640.2895026-3-tob.gaertner@me.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_ncm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index a9d0162b5ee01..81d7e99fc0f09 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1693,6 +1693,7 @@ int cdc_ncm_rx_verify_ndp32(struct sk_buff *skb_in, int ndpoffset)
+       struct usbnet *dev = netdev_priv(skb_in->dev);
+       struct usb_cdc_ncm_ndp32 *ndp32;
+       int ret = -EINVAL;
++      size_t ndp_len;
+       if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp32)) > skb_in->len) {
+               netif_dbg(dev, rx_err, dev->net, "invalid NDP offset  <%u>\n",
+@@ -1712,8 +1713,8 @@ int cdc_ncm_rx_verify_ndp32(struct sk_buff *skb_in, int ndpoffset)
+                                       sizeof(struct usb_cdc_ncm_dpe32));
+       ret--; /* we process NDP entries except for the last one */
+-      if ((sizeof(struct usb_cdc_ncm_ndp32) +
+-           ret * (sizeof(struct usb_cdc_ncm_dpe32))) > skb_in->len) {
++      ndp_len = struct_size_t(struct usb_cdc_ncm_ndp32, dpe32, ret);
++      if (ndpoffset + ndp_len > skb_in->len) {
+               netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret);
+               ret = -EINVAL;
+       }
+-- 
+2.51.0
+
diff --git a/queue-6.19/netdevsim-drop-psp-ext-ref-on-forward-failure.patch b/queue-6.19/netdevsim-drop-psp-ext-ref-on-forward-failure.patch
new file mode 100644 (file)
index 0000000..6552e4f
--- /dev/null
@@ -0,0 +1,53 @@
+From 0ddbd055a1a654a77a565e04c394d44f4e71edeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 00:14:31 -0600
+Subject: netdevsim: drop PSP ext ref on forward failure
+
+From: Wesley Atwell <atwellwea@gmail.com>
+
+[ Upstream commit 7d9351435ebba08bbb60f42793175c9dc714d2fb ]
+
+nsim_do_psp() takes an extra reference to the PSP skb extension so the
+extension survives __dev_forward_skb(). That forward path scrubs the skb
+and drops attached skb extensions before nsim_psp_handle_ext() can
+reattach the PSP metadata.
+
+If __dev_forward_skb() fails in nsim_forward_skb(), the function returns
+before nsim_psp_handle_ext() can attach that extension to the skb, leaving
+the extra reference leaked.
+
+Drop the saved PSP extension reference before returning from the
+forward-failure path. Guard the put because plain or non-decapsulated
+traffic can also fail forwarding without ever taking the extra PSP
+reference.
+
+Fixes: f857478d6206 ("netdevsim: a basic test PSP implementation")
+Signed-off-by: Wesley Atwell <atwellwea@gmail.com>
+Reviewed-by: Daniel Zahka <daniel.zahka@gmail.com>
+Link: https://patch.msgid.link/20260317061431.1482716-1-atwellwea@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/netdevsim/netdev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/netdevsim/netdev.c b/drivers/net/netdevsim/netdev.c
+index 6927c1962277a..62223ad2d63f9 100644
+--- a/drivers/net/netdevsim/netdev.c
++++ b/drivers/net/netdevsim/netdev.c
+@@ -109,8 +109,11 @@ static int nsim_forward_skb(struct net_device *tx_dev,
+       int ret;
+       ret = __dev_forward_skb(rx_dev, skb);
+-      if (ret)
++      if (ret) {
++              if (psp_ext)
++                      __skb_ext_put(psp_ext);
+               return ret;
++      }
+       nsim_psp_handle_ext(skb, psp_ext);
+-- 
+2.51.0
+
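Review bot: The new `if (psp_ext) __skb_ext_put(psp_ext);` on the forward-failure path encodes a reference-ownership rule that is only explained in the commit message, so a one-line comment would help the next reader: `/* forwarding failed before nsim_psp_handle_ext() could consume the extra PSP ext ref taken in nsim_do_psp(); drop it */`. The guard on psp_ext matches the description that plain traffic never takes the extra reference; I cannot see where psp_ext is assigned, so I am assuming it is NULL in that case. nsim_forward_skb's signature and the rest of its body lie outside the hunk.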
diff --git a/queue-6.19/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch b/queue-6.19/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch
new file mode 100644 (file)
index 0000000..5a9924e
--- /dev/null
@@ -0,0 +1,47 @@
+From 39eb670e9a0be6095d943a2cdcaf8e1035e07024 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 12:23:08 +0100
+Subject: netfilter: bpf: defer hook memory release until rcu readers are done
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 24f90fa3994b992d1a09003a3db2599330a5232a ]
+
+Yiming Qian reports UaF when concurrent process is dumping hooks via
+nfnetlink_hooks:
+
+BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
+Read of size 8 at addr ffff888003edbf88 by task poc/79
+Call Trace:
+ <TASK>
+ nfnl_hook_dump_one.isra.0+0xe71/0x10f0
+ netlink_dump+0x554/0x12b0
+ nfnl_hook_get+0x176/0x230
+ [..]
+
+Defer release until after concurrent readers have completed.
+
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_bpf_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
+index 46e667a50d988..248840dbca1b2 100644
+--- a/net/netfilter/nf_bpf_link.c
++++ b/net/netfilter/nf_bpf_link.c
+@@ -170,7 +170,7 @@ static int bpf_nf_link_update(struct bpf_link *link, struct bpf_prog *new_prog,
+ static const struct bpf_link_ops bpf_nf_link_lops = {
+       .release = bpf_nf_link_release,
+-      .dealloc = bpf_nf_link_dealloc,
++      .dealloc_deferred = bpf_nf_link_dealloc,
+       .detach = bpf_nf_link_detach,
+       .show_fdinfo = bpf_nf_link_show_info,
+       .fill_link_info = bpf_nf_link_fill_link_info,
+-- 
+2.51.0
+
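Review bot: Switching to `.dealloc_deferred` changes the context in which bpf_nf_link_dealloc() runs — to my understanding the bpf_link core invokes the deferred variant from an RCU callback after the grace period (with extra RCU-tasks-trace grace periods for sleepable programs) rather than directly from the release path — and bpf_nf_link_dealloc itself is outside the hunk, so it is worth confirming it does nothing that may sleep (a plain kfree() of the link is fine). A comment at the ops table would record why the deferred variant is required: `/* nfnetlink_hook dumps walk hooks under rcu_read_lock(); free only after the grace period */`. The commit message cites the UaF from nfnl_hook_dump_one(), which is the reader being protected.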
diff --git a/queue-6.19/netfilter-conntrack-add-missing-netlink-policy-valid.patch b/queue-6.19/netfilter-conntrack-add-missing-netlink-policy-valid.patch
new file mode 100644 (file)
index 0000000..008f416
--- /dev/null
@@ -0,0 +1,64 @@
+From e700099eabe66f9a47b39bb489cbd7514b9c5bdb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Mar 2026 00:28:29 +0100
+Subject: netfilter: conntrack: add missing netlink policy validations
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05 ]
+
+Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.
+
+These attributes are used by the kernel without any validation.
+Extend the netlink policies accordingly.
+
+Quoting the reporter:
+  nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE
+  value directly to ct->proto.sctp.state without checking that it is
+  within the valid range. [..]
+
+  and: ... with exp->dir = 100, the access at
+  ct->master->tuplehash[100] reads 5600 bytes past the start of a
+  320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by
+  UBSAN.
+
+Fixes: 076a0ca02644 ("netfilter: ctnetlink: add NAT support for expectations")
+Fixes: a258860e01b8 ("netfilter: ctnetlink: add full support for SCTP to ctnetlink")
+Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c    | 2 +-
+ net/netfilter/nf_conntrack_proto_sctp.c | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index f261dd48973fe..d9f33a6c807c8 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3488,7 +3488,7 @@ ctnetlink_change_expect(struct nf_conntrack_expect *x,
+ #if IS_ENABLED(CONFIG_NF_NAT)
+ static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
+-      [CTA_EXPECT_NAT_DIR]    = { .type = NLA_U32 },
++      [CTA_EXPECT_NAT_DIR]    = NLA_POLICY_MAX(NLA_BE32, IP_CT_DIR_REPLY),
+       [CTA_EXPECT_NAT_TUPLE]  = { .type = NLA_NESTED },
+ };
+ #endif
+diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
+index 7c6f7c9f73320..645d2c43ebf7a 100644
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -582,7 +582,8 @@ static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
+ }
+ static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
+-      [CTA_PROTOINFO_SCTP_STATE]          = { .type = NLA_U8 },
++      [CTA_PROTOINFO_SCTP_STATE]          = NLA_POLICY_MAX(NLA_U8,
++                                                       SCTP_CONNTRACK_HEARTBEAT_SENT),
+       [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]  = { .type = NLA_U32 },
+       [CTA_PROTOINFO_SCTP_VTAG_REPLY]     = { .type = NLA_U32 },
+ };
+-- 
+2.51.0
+
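Review bot: `CTA_EXPECT_NAT_DIR` is re-typed from `NLA_U32` to `NLA_BE32` at the same time its range is bounded, and NLA_POLICY_MAX on an NLA_BE32 validates the host-order value of a big-endian attribute; the code that consumes CTA_EXPECT_NAT_DIR is outside the hunk, so it is worth confirming it reads the attribute with nla_get_be32()/ntohl() rather than nla_get_u32(), otherwise the validated bound and the used value differ. The upper bound `IP_CT_DIR_REPLY` is the highest valid index into tuplehash[], which matches the reporter's tuplehash[100] out-of-bounds case. For the SCTP policy, `SCTP_CONNTRACK_HEARTBEAT_SENT` pins the bound to a specific enumerator; a short comment such as `/* last valid sctp conntrack state; keep in sync with enum sctp_conntrack */` would flag that it must move if the enum grows.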
diff --git a/queue-6.19/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch b/queue-6.19/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
new file mode 100644 (file)
index 0000000..b8f2b6c
--- /dev/null
@@ -0,0 +1,123 @@
+From 970675ee789a0349f5fbe5f56d9f2529f261c2f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Mar 2026 02:21:37 +0900
+Subject: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit 5cb81eeda909dbb2def209dd10636b51549a3f8a ]
+
+ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the
+netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the
+conntrack reference immediately after netlink_dump_start().  When the
+dump spans multiple rounds, the second recvmsg() triggers the dump
+callback which dereferences the now-freed conntrack via nfct_help(ct),
+leading to a use-after-free on ct->ext.
+
+The bug is that the netlink_dump_control has no .start or .done
+callbacks to manage the conntrack reference across dump rounds.  Other
+dump functions in the same file (e.g. ctnetlink_get_conntrack) properly
+use .start/.done callbacks for this purpose.
+
+Fix this by adding .start and .done callbacks that hold and release the
+conntrack reference for the duration of the dump, and move the
+nfct_help() call after the cb->args[0] early-return check in the dump
+callback to avoid dereferencing ct->ext unnecessarily.
+
+ BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0
+ Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133
+
+ CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY
+ Call Trace:
+  <TASK>
+  ctnetlink_exp_ct_dump_table+0x4f/0x2e0
+  netlink_dump+0x333/0x880
+  netlink_recvmsg+0x3e2/0x4b0
+  ? aa_sk_perm+0x184/0x450
+  sock_recvmsg+0xde/0xf0
+
+ Allocated by task 133:
+  kmem_cache_alloc_noprof+0x134/0x440
+  __nf_conntrack_alloc+0xa8/0x2b0
+  ctnetlink_create_conntrack+0xa1/0x900
+  ctnetlink_new_conntrack+0x3cf/0x7d0
+  nfnetlink_rcv_msg+0x48e/0x510
+  netlink_rcv_skb+0xc9/0x1f0
+  nfnetlink_rcv+0xdb/0x220
+  netlink_unicast+0x3ec/0x590
+  netlink_sendmsg+0x397/0x690
+  __sys_sendmsg+0xf4/0x180
+
+ Freed by task 0:
+  slab_free_after_rcu_debug+0xad/0x1e0
+  rcu_core+0x5c3/0x9c0
+
+Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 3a04665adf992..f261dd48973fe 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3211,7 +3211,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+       struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+       struct nf_conn *ct = cb->data;
+-      struct nf_conn_help *help = nfct_help(ct);
++      struct nf_conn_help *help;
+       u_int8_t l3proto = nfmsg->nfgen_family;
+       unsigned long last_id = cb->args[1];
+       struct nf_conntrack_expect *exp;
+@@ -3219,6 +3219,10 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       if (cb->args[0])
+               return 0;
++      help = nfct_help(ct);
++      if (!help)
++              return 0;
++
+       rcu_read_lock();
+ restart:
+@@ -3248,6 +3252,24 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       return skb->len;
+ }
++static int ctnetlink_dump_exp_ct_start(struct netlink_callback *cb)
++{
++      struct nf_conn *ct = cb->data;
++
++      if (!refcount_inc_not_zero(&ct->ct_general.use))
++              return -ENOENT;
++      return 0;
++}
++
++static int ctnetlink_dump_exp_ct_done(struct netlink_callback *cb)
++{
++      struct nf_conn *ct = cb->data;
++
++      if (ct)
++              nf_ct_put(ct);
++      return 0;
++}
++
+ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+                                struct sk_buff *skb,
+                                const struct nlmsghdr *nlh,
+@@ -3263,6 +3285,8 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+       struct nf_conntrack_zone zone;
+       struct netlink_dump_control c = {
+               .dump = ctnetlink_exp_ct_dump_table,
++              .start = ctnetlink_dump_exp_ct_start,
++              .done = ctnetlink_dump_exp_ct_done,
+       };
+       err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
+-- 
+2.51.0
+
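Review bot: The new `ctnetlink_dump_exp_ct_start()` / `_done()` pair carries the conntrack reference across dump rounds, but nothing in the hunk says why cb->data needs its own reference or why `-ENOENT` is the right answer when refcount_inc_not_zero() fails; a short comment on the start callback would help, e.g. `/* cb->data outlives this request: pin the master ct for the dump, refusing if it is already being destroyed */`. The `if (ct)` guard in the done callback looks defensive rather than necessary, since cb->data appears to be set before netlink_dump_start() and, to my understanding, the netlink core does not invoke .done when .start fails; if that reading is right, a comment saying so would stop a reader from looking for a NULL case. The caller ctnetlink_dump_exp_ct() is cut off by the hunk, so I cannot see where the lookup reference obtained before netlink_dump_start() is put; the two references are balanced only if that put stays.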
diff --git a/queue-6.19/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch b/queue-6.19/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
new file mode 100644 (file)
index 0000000..b6ab09a
--- /dev/null
@@ -0,0 +1,47 @@
+From 326653108784977e90fe90305ea556c6c76785cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 14:49:50 +0000
+Subject: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit f173d0f4c0f689173f8cdac79991043a4a89bf66 ]
+
+In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
+the packet, then decrements it by 1 to skip the protocol discriminator
+byte before passing it to DecodeH323_UserInformation(). If the encoded
+length is 0, the decrement wraps to -1, which is then passed as a
+large value to the decoder, leading to an out-of-bounds read.
+
+Add a check to ensure len is positive after the decrement.
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index c972e9488e16f..7b1497ed97d26 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
+                               break;
+                       p++;
+                       len--;
++                      if (len <= 0)
++                              break;
+                       return DecodeH323_UserInformation(buf, p, len,
+                                                         &q931->UUIE);
+               }
+-- 
+2.51.0
+
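Review bot: The added `if (len <= 0) break;` silently stops IE parsing for a UserUserIE whose 16-bit length is 0 or 1, which is consistent with the preceding bounds `break` but is not obvious from the three visible lines; a comment would make the wrap hazard explicit: `/* len includes the protocol discriminator byte just skipped; 0 here would wrap to a huge size_t in the decoder */`. The comparison also assumes `len` is a signed type — the commit message says the decrement wraps to -1 — which the hunk does not show, so worth confirming against its declaration outside the hunk. The rest of DecodeQ931() and the loop this `break` exits lie outside the hunk.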
diff --git a/queue-6.19/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch b/queue-6.19/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
new file mode 100644 (file)
index 0000000..3024d0a
--- /dev/null
@@ -0,0 +1,48 @@
+From 62140a73955a2a60b0534b865de265d47e34cec6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 02:29:32 +0000
+Subject: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a ]
+
+In decode_int(), the CONS case calls get_bits(bs, 2) to read a length
+value, then calls get_uint(bs, len) without checking that len bytes
+remain in the buffer. The existing boundary check only validates the
+2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()
+reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte
+slab-out-of-bounds read.
+
+Add a boundary check for len bytes after get_bits() and before
+get_uint().
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index 62aa22a078769..c972e9488e16f 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -331,6 +331,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f,
+               if (nf_h323_error_boundary(bs, 0, 2))
+                       return H323_ERROR_BOUND;
+               len = get_bits(bs, 2) + 1;
++              if (nf_h323_error_boundary(bs, len, 0))
++                      return H323_ERROR_BOUND;
+               BYTE_ALIGN(bs);
+               if (base && (f->attr & DECODE)) {       /* timeToLive */
+                       unsigned int v = get_uint(bs, len) + f->lb;
+-- 
+2.51.0
+
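Review bot: The new `nf_h323_error_boundary(bs, len, 0)` is checked before `BYTE_ALIGN(bs)` yet guards the `get_uint(bs, len)` that happens after alignment; this is only correct if the helper rounds the pending bit offset up to a whole byte (its `bits` parameter suggests it does, but the helper is outside the hunk), so a comment would keep the ordering from being "fixed" later: `/* covers the len bytes get_uint() reads after BYTE_ALIGN(); the helper accounts for the partial byte */`. If the helper does not round up, the check would need to follow BYTE_ALIGN() instead. The remaining branches of decode_int() are outside the hunk.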
diff --git a/queue-6.19/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch b/queue-6.19/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
new file mode 100644 (file)
index 0000000..2d87f71
--- /dev/null
@@ -0,0 +1,66 @@
+From a43b75e20b8daffe8a2140f6fd8d39ac22e4aa65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Mar 2026 21:49:01 +0000
+Subject: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in
+ sip_help_tcp()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lukas Johannes Möller <research@johannes-moeller.dev>
+
+[ Upstream commit fbce58e719a17aa215c724473fd5baaa4a8dc57c ]
+
+sip_help_tcp() parses the SIP Content-Length header with
+simple_strtoul(), which returns unsigned long, but stores the result in
+unsigned int clen.  On 64-bit systems, values exceeding UINT_MAX are
+silently truncated before computing the SIP message boundary.
+
+For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,
+causing the parser to miscalculate where the current message ends.  The
+loop then treats trailing data in the TCP segment as a second SIP
+message and processes it through the SDP parser.
+
+Fix this by changing clen to unsigned long to match the return type of
+simple_strtoul(), and reject Content-Length values that exceed the
+remaining TCP payload length.
+
+Fixes: f5b321bd37fb ("netfilter: nf_conntrack_sip: add TCP support")
+Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_sip.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
+index ca748f8dbff13..4ab5ef71d96db 100644
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -1534,11 +1534,12 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
+ {
+       struct tcphdr *th, _tcph;
+       unsigned int dataoff, datalen;
+-      unsigned int matchoff, matchlen, clen;
++      unsigned int matchoff, matchlen;
+       unsigned int msglen, origlen;
+       const char *dptr, *end;
+       s16 diff, tdiff = 0;
+       int ret = NF_ACCEPT;
++      unsigned long clen;
+       bool term;
+       if (ctinfo != IP_CT_ESTABLISHED &&
+@@ -1573,6 +1574,9 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
+               if (dptr + matchoff == end)
+                       break;
++              if (clen > datalen)
++                      break;
++
+               term = false;
+               for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
+                       if (end[0] == '\r' && end[1] == '\n' &&
+-- 
+2.51.0
+
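Review bot: The new `if (clen > datalen) break;` stops the message loop and lets the segment through unparsed rather than returning an error, which is the same treatment the `dptr + matchoff == end` case above gets, but the reason deserves a comment: `/* Content-Length larger than the remaining payload cannot describe a message in this segment; treat as non-SIP rather than let the boundary math wrap */`. Moving `clen` to `unsigned long` is the actual fix; the comparison against `unsigned int datalen` promotes cleanly, and the bound is only meaningful if the parse site (outside the hunk) still stores simple_strtoul()'s result into it. A short comment on the `unsigned long clen;` declaration noting it mirrors simple_strtoul()'s return type would explain why it is declared apart from the other lengths.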
diff --git a/queue-6.19/netfilter-nf_flow_table_ip-reset-mac-header-before-v.patch b/queue-6.19/netfilter-nf_flow_table_ip-reset-mac-header-before-v.patch
new file mode 100644 (file)
index 0000000..c9737d0
--- /dev/null
@@ -0,0 +1,39 @@
+From 411ca0397bb7f860ee767fcdfdcdfda5441c1921 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Mar 2026 15:39:33 +0100
+Subject: netfilter: nf_flow_table_ip: reset mac header before vlan push
+
+From: Eric Woudstra <ericwouds@gmail.com>
+
+[ Upstream commit a3aca98aec9a278ee56da4f8013bfa1dd1a1c298 ]
+
+With double vlan tagged packets in the fastpath, getting the error:
+
+skb_vlan_push got skb with skb->data not at mac header (offset 18)
+
+Call skb_reset_mac_header() before calling skb_vlan_push().
+
+Fixes: c653d5a78f34 ("netfilter: flowtable: inline vlan encapsulation in xmit path")
+Signed-off-by: Eric Woudstra <ericwouds@gmail.com>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_flow_table_ip.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
+index 78883343e5d68..458895e9e1f85 100644
+--- a/net/netfilter/nf_flow_table_ip.c
++++ b/net/netfilter/nf_flow_table_ip.c
+@@ -576,6 +576,7 @@ static int nf_flow_encap_push(struct sk_buff *skb,
+               switch (tuple->encap[i].proto) {
+               case htons(ETH_P_8021Q):
+               case htons(ETH_P_8021AD):
++                      skb_reset_mac_header(skb);
+                       if (skb_vlan_push(skb, tuple->encap[i].proto,
+                                         tuple->encap[i].id) < 0)
+                               return -1;
+-- 
+2.51.0
+
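Review bot: `skb_reset_mac_header(skb)` now runs on every iteration of the encap loop, and it is not obvious from the hunk why the second vlan push needs it; a comment would prevent someone hoisting it out of the loop: `/* skb_vlan_push() inserts the previously pending tag relative to the mac header; keep it at skb->data for each stacked tag */`. That reading is inferred from the error text quoted in the commit message ("skb->data not at mac header (offset 18)") rather than from the visible code, so worth confirming. The encap loop and nf_flow_encap_push() continue outside the hunk.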
diff --git a/queue-6.19/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch b/queue-6.19/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch
new file mode 100644 (file)
index 0000000..49b1b3d
--- /dev/null
@@ -0,0 +1,51 @@
+From 703614e5d24989eba0232d209cd9aede20cb6bad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 20:00:26 +0100
+Subject: netfilter: nf_tables: release flowtable after rcu grace period on
+ error
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit d73f4b53aaaea4c95f245e491aa5eeb8a21874ce ]
+
+Call synchronize_rcu() after unregistering the hooks from error path,
+since a hook that already refers to this flowtable can be already
+registered, exposing this flowtable to packet path and nfnetlink_hook
+control plane.
+
+This error path is rare, it should only happen by reaching the maximum
+number hooks or by failing to set up to hardware offload, just call
+synchronize_rcu().
+
+There is a check for already used device hooks by different flowtable
+that could result in EEXIST at this late stage. The hook parser can be
+updated to perform this check earlier to this error path really becomes
+rarely exercised.
+
+Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
+when dumping hooks.
+
+Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 03321b800707c..fdbb1e20499bd 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -9203,6 +9203,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
+       return 0;
+ err_flowtable_hooks:
++      synchronize_rcu();
+       nft_trans_destroy(trans);
+ err_flowtable_trans:
+       nft_hooks_destroy(&flowtable->hook_list);
+-- 
+2.51.0
+
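Review bot: The bare `synchronize_rcu()` at `err_flowtable_hooks` needs a comment explaining what it waits for, since the list destroyed right after it at `nft_hooks_destroy(&flowtable->hook_list)` is what readers may still be traversing: `/* hooks already registered are visible to the packet path and nfnetlink_hook; wait for readers before nft_hooks_destroy() */`. synchronize_rcu() sleeps, which is fine in this request context but stretches the time the nfnetlink subsystem mutex is held on this path (if I recall the batch path correctly); the commit message argues the path is rare, and deferring the hook frees with call_rcu() would avoid the blocking wait if that ever matters. Whether the hooks are unregistered before this label is outside the hunk, so I cannot confirm the ordering the commit message describes.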
diff --git a/queue-6.19/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch b/queue-6.19/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch
new file mode 100644 (file)
index 0000000..62917f9
--- /dev/null
@@ -0,0 +1,70 @@
+From 42c484b0116ae21c1fd6522ee1194db418815f14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 13:48:47 +0100
+Subject: netfilter: nft_ct: drop pending enqueued packets on removal
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 36eae0956f659e48d5366d9b083d9417f3263ddc ]
+
+Packets sitting in nfqueue might hold a reference to:
+
+- templates that specify the conntrack zone, because a percpu area is
+  used and module removal is possible.
+- conntrack timeout policies and helper, where object removal leave
+  a stale reference.
+
+Since these objects can just go away, drop enqueued packets to avoid
+stale reference to them.
+
+If there is a need for finer grain removal, this logic can be revisited
+to make selective packet drop upon dependencies.
+
+Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_ct.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index 6f2ae7cad7310..db1bf69f87750 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -23,6 +23,7 @@
+ #include <net/netfilter/nf_conntrack_l4proto.h>
+ #include <net/netfilter/nf_conntrack_expect.h>
+ #include <net/netfilter/nf_conntrack_seqadj.h>
++#include "nf_internals.h"
+ struct nft_ct_helper_obj  {
+       struct nf_conntrack_helper *helper4;
+@@ -543,6 +544,7 @@ static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv)
+ #endif
+ #ifdef CONFIG_NF_CONNTRACK_ZONES
+       case NFT_CT_ZONE:
++              nf_queue_nf_hook_drop(ctx->net);
+               mutex_lock(&nft_ct_pcpu_mutex);
+               if (--nft_ct_pcpu_template_refcnt == 0)
+                       nft_ct_tmpl_put_pcpu();
+@@ -1016,6 +1018,7 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx,
+       struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
+       struct nf_ct_timeout *timeout = priv->timeout;
++      nf_queue_nf_hook_drop(ctx->net);
+       nf_ct_untimeout(ctx->net, timeout);
+       nf_ct_netns_put(ctx->net, ctx->family);
+       kfree(priv->timeout);
+@@ -1148,6 +1151,7 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx,
+ {
+       struct nft_ct_helper_obj *priv = nft_obj_data(obj);
++      nf_queue_nf_hook_drop(ctx->net);
+       if (priv->helper4)
+               nf_conntrack_helper_put(priv->helper4);
+       if (priv->helper6)
+-- 
+2.51.0
+
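Review bot: `nf_queue_nf_hook_drop(ctx->net)` flushes every packet queued to userspace in the namespace, not only those referencing the zone template, timeout or helper being destroyed, and that side effect is documented only in the commit message; each of the three call sites would benefit from a comment, e.g. `/* queued packets may still reference this object; flush them all (see nf_queue_nf_hook_drop) */`. Operationally this means deleting any of these rule or object kinds now drops packets pending in nfqueue, which is worth a mention for users relying on NFQUEUE verdicts. The new include of `"nf_internals.h"` pulls a private netfilter header into nft_ct.c; that is the normal way to reach nf_queue_nf_hook_drop() within net/netfilter but does tie the module to internals.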
diff --git a/queue-6.19/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch b/queue-6.19/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
new file mode 100644 (file)
index 0000000..0d56cca
--- /dev/null
@@ -0,0 +1,54 @@
+From a2c3106c31c7c98739be1b76e4aa56b0c7040fe4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 13:48:48 +0100
+Subject: netfilter: xt_CT: drop pending enqueued packets on template removal
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit f62a218a946b19bb59abdd5361da85fa4606b96b ]
+
+Templates refer to objects that can go away while packets are sitting in
+nfqueue refer to:
+
+- helper, this can be an issue on module removal.
+- timeout policy, nfnetlink_cttimeout might remove it.
+
+The use of templates with zone and event cache filter are safe, since
+this just copies values.
+
+Flush these enqueued packets in case the template rule gets removed.
+
+Fixes: 24de58f46516 ("netfilter: xt_CT: allow to attach timeout policy + glue code")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_CT.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
+index 3ba94c34297cf..498f5871c84a0 100644
+--- a/net/netfilter/xt_CT.c
++++ b/net/netfilter/xt_CT.c
+@@ -16,6 +16,7 @@
+ #include <net/netfilter/nf_conntrack_ecache.h>
+ #include <net/netfilter/nf_conntrack_timeout.h>
+ #include <net/netfilter/nf_conntrack_zones.h>
++#include "nf_internals.h"
+ static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct)
+ {
+@@ -283,6 +284,9 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par,
+       struct nf_conn_help *help;
+       if (ct) {
++              if (info->helper[0] || info->timeout[0])
++                      nf_queue_nf_hook_drop(par->net);
++
+               help = nfct_help(ct);
+               xt_ct_put_helper(help);
+-- 
+2.51.0
+
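Review bot: The new `nf_queue_nf_hook_drop(par->net)` call in xt_ct_tg_destroy() has no comment, so the reason for flushing queued packets on rule removal lives only in the commit message. A one-line comment above the condition would help, e.g. `/* a helper or timeout policy may go away while packets sit in nfqueue; flush them */`. As the function name suggests, this drops every packet queued in the namespace rather than only those that matched this rule, which is presumably accepted for a destroy path but worth stating. The body of xt_ct_tg_destroy() continues outside the hunk.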
diff --git a/queue-6.19/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch b/queue-6.19/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
new file mode 100644 (file)
index 0000000..9aa9d19
--- /dev/null
@@ -0,0 +1,53 @@
+From 312ba393b75a0c52655a07e08b47427399f2f6bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 14:59:49 +0000
+Subject: netfilter: xt_time: use unsigned int for monthday bit shift
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit 00050ec08cecfda447e1209b388086d76addda3a ]
+
+The monthday field can be up to 31, and shifting a signed integer 1
+by 31 positions (1 << 31) is undefined behavior in C, as the result
+overflows a 32-bit signed int. Use 1U to ensure well-defined behavior
+for all valid monthday values.
+
+Change the weekday shift to 1U as well for consistency.
+
+Fixes: ee4411a1b1e0 ("[NETFILTER]: x_tables: add xt_time match")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_time.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
+index 6aa12d0f54e23..61de85e02a40f 100644
+--- a/net/netfilter/xt_time.c
++++ b/net/netfilter/xt_time.c
+@@ -227,13 +227,13 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par)
+       localtime_2(&current_time, stamp);
+-      if (!(info->weekdays_match & (1 << current_time.weekday)))
++      if (!(info->weekdays_match & (1U << current_time.weekday)))
+               return false;
+       /* Do not spend time computing monthday if all days match anyway */
+       if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) {
+               localtime_3(&current_time, stamp);
+-              if (!(info->monthdays_match & (1 << current_time.monthday)))
++              if (!(info->monthdays_match & (1U << current_time.monthday)))
+                       return false;
+       }
+-- 
+2.51.0
+
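Review bot: The switch to `1U` on the weekday and monthday tests is the right fix, but nothing in the code records why the unsigned literal matters, so a later cleanup could quietly reintroduce `1 <<`. Consider a short comment above the monthday test, e.g. `/* monthday can be 31: 1 << 31 overflows int, so shift an unsigned */`. The types of weekdays_match and monthdays_match are not visible in this hunk, so this is a documentation point only.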
diff --git a/queue-6.19/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch b/queue-6.19/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch
new file mode 100644 (file)
index 0000000..2996d62
--- /dev/null
@@ -0,0 +1,107 @@
+From 2ea4dd366785bc7877d517493775b1229c71fb2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 12:38:59 +0100
+Subject: nf_tables: nft_dynset: fix possible stateful expression memleak in
+ error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 0548a13b5a145b16e4da0628b5936baf35f51b43 ]
+
+If cloning the second stateful expression in the element via GFP_ATOMIC
+fails, then the first stateful expression remains in place without being
+released.
+
+ Â  unreferenced object (percpu) 0x607b97e9cab8 (size 16):
+ Â  Â  comm "softirq", pid 0, jiffies 4294931867
+ Â  Â  hex dump (first 16 bytes on cpu 3):
+ Â  Â  Â  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ Â  Â  backtrace (crc 0):
+ Â  Â  Â  pcpu_alloc_noprof+0x453/0xd80
+ Â  Â  Â  nft_counter_clone+0x9c/0x190 [nf_tables]
+ Â  Â  Â  nft_expr_clone+0x8f/0x1b0 [nf_tables]
+ Â  Â  Â  nft_dynset_new+0x2cb/0x5f0 [nf_tables]
+ Â  Â  Â  nft_rhash_update+0x236/0x11c0 [nf_tables]
+ Â  Â  Â  nft_dynset_eval+0x11f/0x670 [nf_tables]
+ Â  Â  Â  nft_do_chain+0x253/0x1700 [nf_tables]
+ Â  Â  Â  nft_do_chain_ipv4+0x18d/0x270 [nf_tables]
+ Â  Â  Â  nf_hook_slow+0xaa/0x1e0
+ Â  Â  Â  ip_local_deliver+0x209/0x330
+
+Fixes: 563125a73ac3 ("netfilter: nftables: generalize set extension to support for several expressions")
+Reported-by: Gurpreet Shergill <giki.shergill@proton.me>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_tables.h |  2 ++
+ net/netfilter/nf_tables_api.c     |  4 ++--
+ net/netfilter/nft_dynset.c        | 10 +++++++++-
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index c18cffafc9696..4dc080f7f27c6 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -875,6 +875,8 @@ struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
+                                       u64 timeout, u64 expiration, gfp_t gfp);
+ int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
+                           struct nft_expr *expr_array[]);
++void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
++                             struct nft_set_elem_expr *elem_expr);
+ void nft_set_elem_destroy(const struct nft_set *set,
+                         const struct nft_elem_priv *elem_priv,
+                         bool destroy_expr);
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index c9a76c760b17c..03321b800707c 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6744,8 +6744,8 @@ static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+       }
+ }
+-static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+-                                    struct nft_set_elem_expr *elem_expr)
++void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
++                             struct nft_set_elem_expr *elem_expr)
+ {
+       struct nft_expr *expr;
+       u32 size;
+diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
+index 7807d81296646..9123277be03ce 100644
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -30,18 +30,26 @@ static int nft_dynset_expr_setup(const struct nft_dynset *priv,
+                                const struct nft_set_ext *ext)
+ {
+       struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
++      struct nft_ctx ctx = {
++              .net    = read_pnet(&priv->set->net),
++              .family = priv->set->table->family,
++      };
+       struct nft_expr *expr;
+       int i;
+       for (i = 0; i < priv->num_exprs; i++) {
+               expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
+               if (nft_expr_clone(expr, priv->expr_array[i], GFP_ATOMIC) < 0)
+-                      return -1;
++                      goto err_out;
+               elem_expr->size += priv->expr_array[i]->ops->size;
+       }
+       return 0;
++err_out:
++      nft_set_elem_expr_destroy(&ctx, elem_expr);
++
++      return -1;
+ }
+ struct nft_elem_priv *nft_dynset_new(struct nft_set *set,
+-- 
+2.51.0
+
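Review bot: The `err_out` path calls `nft_set_elem_expr_destroy()` but leaves `elem_expr->size` at the count of successfully cloned expressions; if that helper does not reset `size` (its body is outside this hunk), the element carries stale bookkeeping, so it is worth confirming that nft_dynset_new() always frees the element on -1. The stack `ctx` is initialized with only `.net` and `.family`, which is fine if the expression destroy callbacks read nothing else, but a comment stating that would help, e.g. `/* minimal ctx: the expr destroy ops only need net and family here */`. nft_dynset_expr_setup() begins at the hunk header and is otherwise fully shown.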
diff --git a/queue-6.19/nfnetlink_osf-validate-individual-option-lengths-in-.patch b/queue-6.19/nfnetlink_osf-validate-individual-option-lengths-in-.patch
new file mode 100644 (file)
index 0000000..146908b
--- /dev/null
@@ -0,0 +1,83 @@
+From 5b115e03427e9d1750893f6170c4ce9fa2e1d805 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 15:32:44 +0800
+Subject: nfnetlink_osf: validate individual option lengths in fingerprints
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit dbdfaae9609629a9569362e3b8f33d0a20fd783c ]
+
+nfnl_osf_add_callback() validates opt_num bounds and string
+NUL-termination but does not check individual option length fields.
+A zero-length option causes nf_osf_match_one() to enter the option
+matching loop even when foptsize sums to zero, which matches packets
+with no TCP options where ctx->optp is NULL:
+
+ Oops: general protection fault
+ KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
+ Call Trace:
+  nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
+  xt_osf_match_packet (net/netfilter/xt_osf.c:32)
+  ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
+  nf_hook_slow (net/netfilter/core.c:623)
+  ip_local_deliver (net/ipv4/ip_input.c:262)
+  ip_rcv (net/ipv4/ip_input.c:573)
+
+Additionally, an MSS option (kind=2) with length < 4 causes
+out-of-bounds reads when nf_osf_match_one() unconditionally accesses
+optp[2] and optp[3] for MSS value extraction.  While RFC 9293
+section 3.2 specifies that the MSS option is always exactly 4
+bytes (Kind=2, Length=4), the check uses "< 4" rather than
+"!= 4" because lengths greater than 4 do not cause memory
+safety issues -- the buffer is guaranteed to be at least
+foptsize bytes by the ctx->optsize == foptsize check.
+
+Reject fingerprints where any option has zero length, or where an MSS
+option has length less than 4, at add time rather than trusting these
+values in the packet matching hot path.
+
+Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_osf.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
+index c0fc431991e88..9fc9544d4bc53 100644
+--- a/net/netfilter/nfnetlink_osf.c
++++ b/net/netfilter/nfnetlink_osf.c
+@@ -302,7 +302,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
+ {
+       struct nf_osf_user_finger *f;
+       struct nf_osf_finger *kf = NULL, *sf;
++      unsigned int tot_opt_len = 0;
+       int err = 0;
++      int i;
+       if (!capable(CAP_NET_ADMIN))
+               return -EPERM;
+@@ -318,6 +320,17 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
+       if (f->opt_num > ARRAY_SIZE(f->opt))
+               return -EINVAL;
++      for (i = 0; i < f->opt_num; i++) {
++              if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
++                      return -EINVAL;
++              if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)
++                      return -EINVAL;
++
++              tot_opt_len += f->opt[i].length;
++              if (tot_opt_len > MAX_IPOPTLEN)
++                      return -EINVAL;
++      }
++
+       if (!memchr(f->genre, 0, MAXGENRELEN) ||
+           !memchr(f->subtype, 0, MAXGENRELEN) ||
+           !memchr(f->version, 0, MAXGENRELEN))
+-- 
+2.51.0
+
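Review bot: The new loop compares the signed `int i` against `f->opt_num`, whose type is not visible here; if that field is unsigned the comparison mixes signedness, and `unsigned int i;` would match `tot_opt_len` and avoid the warning. The checks are not explained in the code, so a short comment would help whoever next reads nf_osf_match_one(): `/* length 0 or MSS < 4 would make the matcher read optp out of bounds (or through NULL) */`. The loop relies on `f->opt_num` already being bounded by `ARRAY_SIZE(f->opt)` a few lines earlier, which the hunk shows. nfnl_osf_add_callback() continues outside the hunk.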
diff --git a/queue-6.19/pm-runtime-fix-a-race-condition-related-to-device-re.patch b/queue-6.19/pm-runtime-fix-a-race-condition-related-to-device-re.patch
new file mode 100644 (file)
index 0000000..d92c81f
--- /dev/null
@@ -0,0 +1,126 @@
+From e9d764f64a955f018200795452b8e980db4c6fbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 11:27:20 -0700
+Subject: PM: runtime: Fix a race condition related to device removal
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 29ab768277617452d88c0607c9299cdc63b6e9ff ]
+
+The following code in pm_runtime_work() may dereference the dev->parent
+pointer after the parent device has been freed:
+
+       /* Maybe the parent is now able to suspend. */
+       if (parent && !parent->power.ignore_children) {
+               spin_unlock(&dev->power.lock);
+
+               spin_lock(&parent->power.lock);
+               rpm_idle(parent, RPM_ASYNC);
+               spin_unlock(&parent->power.lock);
+
+               spin_lock(&dev->power.lock);
+       }
+
+Fix this by inserting a flush_work() call in pm_runtime_remove().
+
+Without this patch blktest block/001 triggers the following complaint
+sporadically:
+
+BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160
+Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081
+Workqueue: pm pm_runtime_work
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x61/0x80
+ print_address_description.constprop.0+0x8b/0x310
+ print_report+0xfd/0x1d7
+ kasan_report+0xd8/0x1d0
+ __kasan_check_byte+0x42/0x60
+ lock_acquire.part.0+0x38/0x230
+ lock_acquire+0x70/0x160
+ _raw_spin_lock+0x36/0x50
+ rpm_suspend+0xc6a/0xfe0
+ rpm_idle+0x578/0x770
+ pm_runtime_work+0xee/0x120
+ process_one_work+0xde3/0x1410
+ worker_thread+0x5eb/0xfe0
+ kthread+0x37b/0x480
+ ret_from_fork+0x6cb/0x920
+ ret_from_fork_asm+0x11/0x20
+ </TASK>
+
+Allocated by task 4314:
+ kasan_save_stack+0x2a/0x50
+ kasan_save_track+0x18/0x40
+ kasan_save_alloc_info+0x3d/0x50
+ __kasan_kmalloc+0xa0/0xb0
+ __kmalloc_noprof+0x311/0x990
+ scsi_alloc_target+0x122/0xb60 [scsi_mod]
+ __scsi_scan_target+0x101/0x460 [scsi_mod]
+ scsi_scan_channel+0x179/0x1c0 [scsi_mod]
+ scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]
+ store_scan+0x2d2/0x390 [scsi_mod]
+ dev_attr_store+0x43/0x80
+ sysfs_kf_write+0xde/0x140
+ kernfs_fop_write_iter+0x3ef/0x670
+ vfs_write+0x506/0x1470
+ ksys_write+0xfd/0x230
+ __x64_sys_write+0x76/0xc0
+ x64_sys_call+0x213/0x1810
+ do_syscall_64+0xee/0xfc0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Freed by task 4314:
+ kasan_save_stack+0x2a/0x50
+ kasan_save_track+0x18/0x40
+ kasan_save_free_info+0x3f/0x50
+ __kasan_slab_free+0x67/0x80
+ kfree+0x225/0x6c0
+ scsi_target_dev_release+0x3d/0x60 [scsi_mod]
+ device_release+0xa3/0x220
+ kobject_cleanup+0x105/0x3a0
+ kobject_put+0x72/0xd0
+ put_device+0x17/0x20
+ scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]
+ device_release+0xa3/0x220
+ kobject_cleanup+0x105/0x3a0
+ kobject_put+0x72/0xd0
+ put_device+0x17/0x20
+ scsi_device_put+0x7f/0xc0 [scsi_mod]
+ sdev_store_delete+0xa5/0x120 [scsi_mod]
+ dev_attr_store+0x43/0x80
+ sysfs_kf_write+0xde/0x140
+ kernfs_fop_write_iter+0x3ef/0x670
+ vfs_write+0x506/0x1470
+ ksys_write+0xfd/0x230
+ __x64_sys_write+0x76/0xc0
+ x64_sys_call+0x213/0x1810
+
+Reported-by: Ming Lei <ming.lei@redhat.com>
+Closes: https://lore.kernel.org/all/ZxdNvLNI8QaOfD2d@fedora/
+Reported-by: syzbot+6c905ab800f20cf4086c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68c13942.050a0220.2ff435.000b.GAE@google.com/
+Fixes: 5e928f77a09a ("PM: Introduce core framework for run-time PM of I/O devices (rev. 17)")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20260312182720.2776083-1-bvanassche@acm.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/runtime.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
+index 0ee8ea971aa46..335288e8b5b31 100644
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -1895,6 +1895,7 @@ void pm_runtime_reinit(struct device *dev)
+ void pm_runtime_remove(struct device *dev)
+ {
+       __pm_runtime_disable(dev, false);
++      flush_work(&dev->power.work);
+       pm_runtime_reinit(dev);
+ }
+-- 
+2.51.0
+
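Review bot: The added `flush_work(&dev->power.work)` carries no comment even though it is the entire fix: it waits for any pm_runtime_work() instance that may still dereference dev->parent. Suggest `/* pm_runtime_work() may still be running; wait for it before the parent can go away */` above the call. Because `__pm_runtime_disable()` runs first, no new work should be queued after the flush, which is presumably what keeps this from racing with re-queueing; if that does not hold for `check_resume == false`, the ordering would need another look.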
diff --git a/queue-6.19/sched-idle-consolidate-the-handling-of-two-special-c.patch b/queue-6.19/sched-idle-consolidate-the-handling-of-two-special-c.patch
new file mode 100644 (file)
index 0000000..d252456
--- /dev/null
@@ -0,0 +1,133 @@
+From 6eeed4f464e547301c36e990850604f3ff2f4fbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 13:25:41 +0100
+Subject: sched: idle: Consolidate the handling of two special cases
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit f4c31b07b136839e0fb3026f8a5b6543e3b14d2f ]
+
+There are two special cases in the idle loop that are handled
+inconsistently even though they are analogous.
+
+The first one is when a cpuidle driver is absent and the default CPU
+idle time power management implemented by the architecture code is used.
+In that case, the scheduler tick is stopped every time before invoking
+default_idle_call().
+
+The second one is when a cpuidle driver is present, but there is only
+one idle state in its table.  In that case, the scheduler tick is never
+stopped at all.
+
+Since each of these approaches has its drawbacks, reconcile them with
+the help of one simple heuristic.  Namely, stop the tick if the CPU has
+been woken up by it in the previous iteration of the idle loop, or let
+it tick otherwise.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Christian Loehle <christian.loehle@arm.com>
+Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
+Reviewed-by: Qais Yousef <qyousef@layalina.io>
+Reviewed-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
+Fixes: ed98c3491998 ("sched: idle: Do not stop the tick before cpuidle_idle_call()")
+[ rjw: Added Fixes tag, changelog edits ]
+Link: https://patch.msgid.link/4741364.LvFx2qVVIh@rafael.j.wysocki
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/idle.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c
+index 69c70d509e1cf..8e00d95fb3388 100644
+--- a/kernel/sched/idle.c
++++ b/kernel/sched/idle.c
+@@ -161,6 +161,14 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev,
+       return cpuidle_enter(drv, dev, next_state);
+ }
++static void idle_call_stop_or_retain_tick(bool stop_tick)
++{
++      if (stop_tick || tick_nohz_tick_stopped())
++              tick_nohz_idle_stop_tick();
++      else
++              tick_nohz_idle_retain_tick();
++}
++
+ /**
+  * cpuidle_idle_call - the main idle function
+  *
+@@ -170,7 +178,7 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev,
+  * set, and it returns with polling set.  If it ever stops polling, it
+  * must clear the polling bit.
+  */
+-static void cpuidle_idle_call(void)
++static void cpuidle_idle_call(bool stop_tick)
+ {
+       struct cpuidle_device *dev = cpuidle_get_device();
+       struct cpuidle_driver *drv = cpuidle_get_cpu_driver(dev);
+@@ -186,7 +194,7 @@ static void cpuidle_idle_call(void)
+       }
+       if (cpuidle_not_available(drv, dev)) {
+-              tick_nohz_idle_stop_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               default_idle_call();
+               goto exit_idle;
+@@ -222,17 +230,19 @@ static void cpuidle_idle_call(void)
+               next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns);
+               call_cpuidle(drv, dev, next_state);
+       } else if (drv->state_count > 1) {
+-              bool stop_tick = true;
++              /*
++               * stop_tick is expected to be true by default by cpuidle
++               * governors, which allows them to select idle states with
++               * target residency above the tick period length.
++               */
++              stop_tick = true;
+               /*
+                * Ask the cpuidle framework to choose a convenient idle state.
+                */
+               next_state = cpuidle_select(drv, dev, &stop_tick);
+-              if (stop_tick || tick_nohz_tick_stopped())
+-                      tick_nohz_idle_stop_tick();
+-              else
+-                      tick_nohz_idle_retain_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               entered_state = call_cpuidle(drv, dev, next_state);
+               /*
+@@ -240,7 +250,7 @@ static void cpuidle_idle_call(void)
+                */
+               cpuidle_reflect(dev, entered_state);
+       } else {
+-              tick_nohz_idle_retain_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               /*
+                * If there is only a single idle state (or none), there is
+@@ -268,6 +278,7 @@ static void cpuidle_idle_call(void)
+ static void do_idle(void)
+ {
+       int cpu = smp_processor_id();
++      bool got_tick = false;
+       /*
+        * Check if we need to update blocked load
+@@ -338,8 +349,9 @@ static void do_idle(void)
+                       tick_nohz_idle_restart_tick();
+                       cpu_idle_poll();
+               } else {
+-                      cpuidle_idle_call();
++                      cpuidle_idle_call(got_tick);
+               }
++              got_tick = tick_nohz_idle_got_tick();
+               arch_cpu_idle_exit();
+       }
+-- 
+2.51.0
+
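Review bot: The kernel-doc block for cpuidle_idle_call() (the `* cpuidle_idle_call - the main idle function` comment) is not updated for the new `stop_tick` parameter, so kernel-doc would likely warn and readers get no description of what the caller passes. Add `@stop_tick: stop the scheduler tick unless a governor decides otherwise (do_idle() passes whether the tick woke the CPU last time)` to that comment. A one-line comment on idle_call_stop_or_retain_tick() would also help, e.g. `/* Stop the tick if asked to or if it is already stopped; otherwise keep it running */`. The do_idle() loop body continues outside the hunk.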
index 9eaf22f3a2e4b4992480cf1d4d9f73a752c6ae30..b906b36a59bf43c27bdda8a34db4e20360c2ec45 100644 (file)
@@ -92,3 +92,90 @@ drm-xe-always-kill-exec-queues-in-xe_guc_submit_pause_abort.patch
 drm-xe-fix-missing-runtime-pm-reference-in-ccs_mode_store.patch
 drm-xe-open-code-ggtt-mmio-access-protection.patch
 bluetooth-l2cap-fix-accepting-multiple-l2cap_ecred_conn_req.patch
+btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch
+btrfs-tree-checker-fix-misleading-root-drop_level-er.patch
+soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch
+cache-starfive-fix-device-node-leak-in-starlink_cach.patch
+cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch
+soc-rockchip-grf-add-missing-of_node_put-when-return.patch
+soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
+soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch
+tee-shm-remove-refcounting-of-kernel-pages.patch
+wifi-mac80211-remove-keys-after-disabling-beaconing.patch
+wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch
+wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch
+wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
+arm64-dts-renesas-rzt2h-n2h-evk-add-ramp-delay-for-s.patch
+arm64-dts-renesas-rzv2-evk-cn15-sd-add-ramp-delay-fo.patch
+arm64-dts-renesas-r9a09g057-remove-wdt-0-2-3-nodes.patch
+arm64-dts-renesas-r9a09g077-fix-cpg-register-region-.patch
+arm64-dts-renesas-r9a09g087-fix-cpg-register-region-.patch
+arm64-dts-renesas-rzg3s-smarc-som-set-bypass-for-ver.patch
+arm64-dts-renesas-r8a78000-fix-out-of-range-spi-inte.patch
+firmware-arm_ffa-remove-vm_id-argument-in-ffa_rxtx_u.patch
+firmware-arm_scpi-fix-device_node-reference-leak-in-.patch
+firmware-arm_scmi-fix-null-dereference-on-notify-err.patch
+bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
+bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
+bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
+bluetooth-iso-fix-defer-tests-being-unstable.patch
+bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch
+bluetooth-mgmt-fix-list-corruption-and-uaf-in-comman.patch
+bluetooth-hidp-fix-possible-uaf.patch
+bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch
+bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch
+af_unix-give-up-gc-if-msg_peek-intervened.patch
+bridge-cfm-fix-race-condition-in-peer_mep-deletion.patch
+net-rose-fix-null-pointer-dereference-in-rose_transm.patch
+ip_tunnel-adapt-iptunnel_xmit_stats-to-netdev_pcpu_s.patch
+mpls-add-missing-unregister_netdevice_notifier-to-mp.patch
+netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
+netfilter-conntrack-add-missing-netlink-policy-valid.patch
+netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
+netfilter-nf_flow_table_ip-reset-mac-header-before-v.patch
+netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
+nf_tables-nft_dynset-fix-possible-stateful-expressio.patch
+netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch
+netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
+netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
+netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
+crypto-ccp-fix-leaking-the-same-page-twice.patch
+net-bcmgenet-increase-wol-poll-timeout.patch
+net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch
+net-ti-icssg-prueth-fix-memory-leak-in-xdp_drop-for-.patch
+sched-idle-consolidate-the-handling-of-two-special-c.patch
+pm-runtime-fix-a-race-condition-related-to-device-re.patch
+bonding-prevent-potential-infinite-loop-in-bond_head.patch
+net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch
+net-sched-teql-fix-double-free-in-teql_master_xmit.patch
+net-airoha-remove-airoha_dev_stop-in-airoha_remove.patch
+net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch
+net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch
+clsact-fix-use-after-free-in-init-destroy-rollback-a.patch
+net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
+acpica-update-the-format-of-arg3-of-_dsm.patch
+igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch
+igc-fix-page-fault-in-xdp-tx-timestamps-handling.patch
+iavf-fix-vlan-filter-lost-on-add-delete-race.patch
+libie-prevent-memleak-in-fwlog-code.patch
+wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
+wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
+wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch
+acpi-processor-fix-previous-acpi_processor_errata_pi.patch
+netdevsim-drop-psp-ext-ref-on-forward-failure.patch
+net-macb-fix-uninitialized-rx_fs_lock.patch
+ipv6-add-null-checks-for-idev-in-srv6-paths.patch
+net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch
+net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch
+net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch
+udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
+net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
+netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch
+netfilter-nf_tables-release-flowtable-after-rcu-grac.patch
+nfnetlink_osf-validate-individual-option-lengths-in-.patch
+net-mvpp2-guard-flow-control-update-with-global_tx_f.patch
+net-shaper-protect-late-read-accesses-to-the-hierarc.patch
+net-shaper-protect-from-late-creation-of-hierarchy.patch
+net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
+icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
+mptcp-fix-lock-class-name-family-in-pm_nl_create_lis.patch
diff --git a/queue-6.19/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch b/queue-6.19/soc-fsl-cpm1-qmc-fix-error-check-for-devm_ioremap_re.patch
new file mode 100644 (file)
index 0000000..c7c2e67
--- /dev/null
@@ -0,0 +1,42 @@
+From 641f5ca21a793578fad28179ad80e4b6db8bc4ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Feb 2026 09:59:04 +0800
+Subject: soc: fsl: cpm1: qmc: Fix error check for devm_ioremap_resource() in
+ qmc_qe_init_resources()
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+[ Upstream commit 3f4e403304186d79fddace860360540fc3af97f9 ]
+
+Fix wrong variable used for error checking after devm_ioremap_resource()
+call. The function checks qmc->scc_pram instead of qmc->dpram, which
+could lead to incorrect error handling.
+
+Fixes: eb680d563089 ("soc: fsl: cpm1: qmc: Add support for QUICC Engine (QE) implementation")
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Acked-by: Herve Codina <herve.codina@bootlin.com>
+Link: https://lore.kernel.org/r/20260209015904.871269-1-nichen@iscas.ac.cn
+Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qe/qmc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/fsl/qe/qmc.c b/drivers/soc/fsl/qe/qmc.c
+index da5ea6d356184..6db5ab05c2c1c 100644
+--- a/drivers/soc/fsl/qe/qmc.c
++++ b/drivers/soc/fsl/qe/qmc.c
+@@ -1799,8 +1799,8 @@ static int qmc_qe_init_resources(struct qmc *qmc, struct platform_device *pdev)
+               return -EINVAL;
+       qmc->dpram_offset = res->start - qe_muram_dma(qe_muram_addr(0));
+       qmc->dpram = devm_ioremap_resource(qmc->dev, res);
+-      if (IS_ERR(qmc->scc_pram))
+-              return PTR_ERR(qmc->scc_pram);
++      if (IS_ERR(qmc->dpram))
++              return PTR_ERR(qmc->dpram);
+       return 0;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.19/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch b/queue-6.19/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
new file mode 100644 (file)
index 0000000..09028fe
--- /dev/null
@@ -0,0 +1,92 @@
+From a2d364c7b01e0c3b4d6367a6d84350752d1099bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 08:25:49 +0100
+Subject: soc: fsl: qbman: fix race condition in qman_destroy_fq
+
+From: Richard Genoud <richard.genoud@bootlin.com>
+
+[ Upstream commit 014077044e874e270ec480515edbc1cadb976cf2 ]
+
+When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between
+fq_table[fq->idx] state and freeing/allocating from the pool and
+WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.
+
+Indeed, we can have:
+         Thread A                             Thread B
+    qman_destroy_fq()                    qman_create_fq()
+      qman_release_fqid()
+        qman_shutdown_fq()
+        gen_pool_free()
+           -- At this point, the fqid is available again --
+                                           qman_alloc_fqid()
+           -- so, we can get the just-freed fqid in thread B --
+                                           fq->fqid = fqid;
+                                           fq->idx = fqid * 2;
+                                           WARN_ON(fq_table[fq->idx]);
+                                           fq_table[fq->idx] = fq;
+     fq_table[fq->idx] = NULL;
+
+And adding some logs between qman_release_fqid() and
+fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.
+
+To prevent that, ensure that fq_table[fq->idx] is set to NULL before
+gen_pool_free() is called by using smp_wmb().
+
+Fixes: c535e923bb97 ("soc/fsl: Introduce DPAA 1.x QMan device driver")
+Signed-off-by: Richard Genoud <richard.genoud@bootlin.com>
+Tested-by: CHAMPSEIX Thomas <thomas.champseix@alstomgroup.com>
+Link: https://lore.kernel.org/r/20251223072549.397625-1-richard.genoud@bootlin.com
+Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qbman/qman.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
+index 6b392b3ad4b15..39a3e7aab6ff2 100644
+--- a/drivers/soc/fsl/qbman/qman.c
++++ b/drivers/soc/fsl/qbman/qman.c
+@@ -1827,6 +1827,8 @@ EXPORT_SYMBOL(qman_create_fq);
+ void qman_destroy_fq(struct qman_fq *fq)
+ {
++      int leaked;
++
+       /*
+        * We don't need to lock the FQ as it is a pre-condition that the FQ be
+        * quiesced. Instead, run some checks.
+@@ -1834,11 +1836,29 @@ void qman_destroy_fq(struct qman_fq *fq)
+       switch (fq->state) {
+       case qman_fq_state_parked:
+       case qman_fq_state_oos:
+-              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))
+-                      qman_release_fqid(fq->fqid);
++              /*
++               * There's a race condition here on releasing the fqid,
++               * setting the fq_table to NULL, and freeing the fqid.
++               * To prevent it, this order should be respected:
++               */
++              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) {
++                      leaked = qman_shutdown_fq(fq->fqid);
++                      if (leaked)
++                              pr_debug("FQID %d leaked\n", fq->fqid);
++              }
+               DPAA_ASSERT(fq_table[fq->idx]);
+               fq_table[fq->idx] = NULL;
++
++              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) && !leaked) {
++                      /*
++                       * fq_table[fq->idx] should be set to null before
++                       * freeing fq->fqid otherwise it could by allocated by
++                       * qman_alloc_fqid() while still being !NULL
++                       */
++                      smp_wmb();
++                      gen_pool_free(qm_fqalloc, fq->fqid | DPAA_GENALLOC_OFF, 1);
++              }
+               return;
+       default:
+               break;
+-- 
+2.51.0
+
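Review bot: `int leaked` is declared without an initializer and only assigned inside the DYNAMIC_FQID branch; the later `fq_isset(...) && !leaked` read is guarded by the same flag so it is not an actual uninitialized read, but `int leaked = 0;` would make that obvious and keep -Wmaybe-uninitialized quiet. The `smp_wmb()` before `gen_pool_free()` is only half of a pairing: the reader in qman_create_fq() (outside this hunk) needs a matching `smp_rmb()` or acquire between allocating the fqid and `WARN_ON(fq_table[fq->idx])`, unless gen_pool's own atomics already provide that ordering — worth confirming. The new comment also says "could by allocated"; it should read "could be allocated".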
diff --git a/queue-6.19/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch b/queue-6.19/soc-microchip-mpfs-fix-memory-leak-in-mpfs_sys_contr.patch
new file mode 100644 (file)
index 0000000..9b9d6dd
--- /dev/null
@@ -0,0 +1,70 @@
+From 2474c616643e5324cc8855dc73f1f6f410122fda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Dec 2025 12:48:36 +0000
+Subject: soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 5a741f8cc6fe62542f955cd8d24933a1b6589cbd ]
+
+In mpfs_sys_controller_probe(), if of_get_mtd_device_by_node() fails,
+the function returns immediately without freeing the allocated memory
+for sys_controller, leading to a memory leak.
+
+Fix this by jumping to the out_free label to ensure the memory is
+properly freed.
+
+Also, consolidate the error handling for the mbox_request_channel()
+failure case to use the same label.
+
+Fixes: 742aa6c563d2 ("soc: microchip: mpfs: enable access to the system controller's flash")
+Co-developed-by: Jianhao Xu <jianhao.xu@seu.edu.cn>
+Signed-off-by: Jianhao Xu <jianhao.xu@seu.edu.cn>
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/microchip/mpfs-sys-controller.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/soc/microchip/mpfs-sys-controller.c b/drivers/soc/microchip/mpfs-sys-controller.c
+index 30bc45d17d343..81636cfecd37e 100644
+--- a/drivers/soc/microchip/mpfs-sys-controller.c
++++ b/drivers/soc/microchip/mpfs-sys-controller.c
+@@ -142,8 +142,10 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev)
+       sys_controller->flash = of_get_mtd_device_by_node(np);
+       of_node_put(np);
+-      if (IS_ERR(sys_controller->flash))
+-              return dev_err_probe(dev, PTR_ERR(sys_controller->flash), "Failed to get flash\n");
++      if (IS_ERR(sys_controller->flash)) {
++              ret = dev_err_probe(dev, PTR_ERR(sys_controller->flash), "Failed to get flash\n");
++              goto out_free;
++      }
+ no_flash:
+       sys_controller->client.dev = dev;
+@@ -155,8 +157,7 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev)
+       if (IS_ERR(sys_controller->chan)) {
+               ret = dev_err_probe(dev, PTR_ERR(sys_controller->chan),
+                                   "Failed to get mbox channel\n");
+-              kfree(sys_controller);
+-              return ret;
++              goto out_free;
+       }
+       init_completion(&sys_controller->c);
+@@ -174,6 +175,10 @@ static int mpfs_sys_controller_probe(struct platform_device *pdev)
+       dev_info(&pdev->dev, "Registered MPFS system controller\n");
+       return 0;
++
++out_free:
++      kfree(sys_controller);
++      return ret;
+ }
+ static void mpfs_sys_controller_remove(struct platform_device *pdev)
+-- 
+2.51.0
+
diff --git a/queue-6.19/soc-rockchip-grf-add-missing-of_node_put-when-return.patch b/queue-6.19/soc-rockchip-grf-add-missing-of_node_put-when-return.patch
new file mode 100644 (file)
index 0000000..4ffbf22
--- /dev/null
@@ -0,0 +1,39 @@
+From 0c45faaa5547d6934c43f1f583553ae691990363 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Feb 2026 21:02:37 +0800
+Subject: soc: rockchip: grf: Add missing of_node_put() when returning
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+[ Upstream commit 24ed11ee5bacf9a9aca18fc6b47667c7f38d578b ]
+
+Fix the smatch checking:
+drivers/soc/rockchip/grf.c:249 rockchip_grf_init()
+warn: inconsistent refcounting 'np->kobj.kref.refcount.refs.counter':
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Fixes: 75fb63ae0312 ("soc: rockchip: grf: Support multiple grf to be handled")
+Closes: https://lore.kernel.org/all/aYXvgTcUJWQL2can@stanley.mountain/
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Link: https://patch.msgid.link/1770814957-17762-1-git-send-email-shawn.lin@rock-chips.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/rockchip/grf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/rockchip/grf.c b/drivers/soc/rockchip/grf.c
+index 04937c40da471..b459607c118aa 100644
+--- a/drivers/soc/rockchip/grf.c
++++ b/drivers/soc/rockchip/grf.c
+@@ -231,6 +231,7 @@ static int __init rockchip_grf_init(void)
+               grf = syscon_node_to_regmap(np);
+               if (IS_ERR(grf)) {
+                       pr_err("%s: could not get grf syscon\n", __func__);
++                      of_node_put(np);
+                       return PTR_ERR(grf);
+               }
+-- 
+2.51.0
+
diff --git a/queue-6.19/tee-shm-remove-refcounting-of-kernel-pages.patch b/queue-6.19/tee-shm-remove-refcounting-of-kernel-pages.patch
new file mode 100644 (file)
index 0000000..d5954c1
--- /dev/null
@@ -0,0 +1,93 @@
+From b590a0d5e3eabab1b0eb08a63d3632cb6d7b40cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Feb 2026 14:19:59 +0530
+Subject: tee: shm: Remove refcounting of kernel pages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Wilcox <willy@infradead.org>
+
+[ Upstream commit 08d9a4580f71120be3c5b221af32dca00a48ceb0 ]
+
+Earlier TEE subsystem assumed to refcount all the memory pages to be
+shared with TEE implementation to be refcounted. However, the slab
+allocations within the kernel don't allow refcounting kernel pages.
+
+It is rather better to trust the kernel clients to not free pages while
+being shared with TEE implementation. Hence, remove refcounting of kernel
+pages from register_shm_helper() API.
+
+Fixes: b9c0e49abfca ("mm: decline to manipulate the refcount on a slab page")
+Reported-by: Marco Felsch <m.felsch@pengutronix.de>
+Reported-by: Sven Püschel <s.pueschel@pengutronix.de>
+Signed-off-by: Matthew Wilcox <willy@infradead.org>
+Co-developed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
+Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
+Tested-by: Sven Püschel <s.pueschel@pengutronix.de>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tee/tee_shm.c | 27 ---------------------------
+ 1 file changed, 27 deletions(-)
+
+diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c
+index 4a47de4bb2e5c..898707ca21a8e 100644
+--- a/drivers/tee/tee_shm.c
++++ b/drivers/tee/tee_shm.c
+@@ -23,29 +23,11 @@ struct tee_shm_dma_mem {
+       struct page *page;
+ };
+-static void shm_put_kernel_pages(struct page **pages, size_t page_count)
+-{
+-      size_t n;
+-
+-      for (n = 0; n < page_count; n++)
+-              put_page(pages[n]);
+-}
+-
+-static void shm_get_kernel_pages(struct page **pages, size_t page_count)
+-{
+-      size_t n;
+-
+-      for (n = 0; n < page_count; n++)
+-              get_page(pages[n]);
+-}
+-
+ static void release_registered_pages(struct tee_shm *shm)
+ {
+       if (shm->pages) {
+               if (shm->flags & TEE_SHM_USER_MAPPED)
+                       unpin_user_pages(shm->pages, shm->num_pages);
+-              else
+-                      shm_put_kernel_pages(shm->pages, shm->num_pages);
+               kfree(shm->pages);
+       }
+@@ -477,13 +459,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
+               goto err_put_shm_pages;
+       }
+-      /*
+-       * iov_iter_extract_kvec_pages does not get reference on the pages,
+-       * get a reference on them.
+-       */
+-      if (iov_iter_is_kvec(iter))
+-              shm_get_kernel_pages(shm->pages, num_pages);
+-
+       shm->offset = off;
+       shm->size = len;
+       shm->num_pages = num_pages;
+@@ -499,8 +474,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
+ err_put_shm_pages:
+       if (!iov_iter_is_kvec(iter))
+               unpin_user_pages(shm->pages, shm->num_pages);
+-      else
+-              shm_put_kernel_pages(shm->pages, shm->num_pages);
+ err_free_shm_pages:
+       kfree(shm->pages);
+ err_free_shm:
+-- 
+2.51.0
+
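Review bot: The new ownership contract is not written down anywhere in the code: after this change a kvec-backed tee_shm holds no reference on the pages it describes, so whoever calls register_shm_helper() must keep those pages mapped and alive until the shm is released. Suggest a comment above register_shm_helper() (its definition starts outside the hunk), e.g. `/* Kernel (kvec) pages are not refcounted here: the caller owns them and must keep them alive until the tee_shm is freed. */`. The label `err_put_shm_pages:` now only unpins user pages, so its name is slightly misleading; `err_unpin_user_pages` would read better, though that is cosmetic. release_registered_pages() relies on the same contract and could carry a one-line note saying so.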
diff --git a/queue-6.19/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch b/queue-6.19/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
new file mode 100644 (file)
index 0000000..67e94b5
--- /dev/null
@@ -0,0 +1,64 @@
+From 3ff2d9e6a417df29764a7bba03b3889559dae1a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 18:02:41 -0700
+Subject: udp_tunnel: fix NULL deref caused by udp_sock_create6 when
+ CONFIG_IPV6=n
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit b3a6df291fecf5f8a308953b65ca72b7fc9e015d ]
+
+When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0
+(success) without actually creating a socket. Callers such as
+fou_create() then proceed to dereference the uninitialized socket
+pointer, resulting in a NULL pointer dereference.
+
+The captured NULL deref crash:
+  BUG: kernel NULL pointer dereference, address: 0000000000000018
+  RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)
+  [...]
+  Call Trace:
+    <TASK>
+    genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)
+    genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)
+    [...]
+    netlink_rcv_skb (net/netlink/af_netlink.c:2550)
+    genl_rcv (net/netlink/genetlink.c:1219)
+    netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
+    netlink_sendmsg (net/netlink/af_netlink.c:1894)
+    __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))
+    __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))
+    __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))
+    do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+    entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)
+
+This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so
+callers correctly take their error paths. There is only one caller of
+the vulnerable function and only privileged users can trigger it.
+
+Fixes: fd384412e199b ("udp_tunnel: Seperate ipv6 functions into its own file.")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260317010241.1893893-1-xmei5@asu.edu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/udp_tunnel.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
+index 9acef2fbd2fdc..d97ee26ba4f66 100644
+--- a/include/net/udp_tunnel.h
++++ b/include/net/udp_tunnel.h
+@@ -47,7 +47,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+ static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+                                  struct socket **sockp)
+ {
+-      return 0;
++      return -EPFNOSUPPORT;
+ }
+ #endif
+-- 
+2.51.0
+
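Review bot: The stub now fails but gives no hint why, and the errno chosen is specific; a one-line comment would save the next reader a trip to the commit log, e.g. `/* IPv6 is compiled out: fail so callers take their error path instead of using an unset *sockp */`. The stub still does not touch `*sockp`, so callers are only safe if they test the return value rather than the pointer; the commit message says the single caller does, but that cannot be verified from this hunk.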
diff --git a/queue-6.19/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch b/queue-6.19/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
new file mode 100644 (file)
index 0000000..bb8836d
--- /dev/null
@@ -0,0 +1,51 @@
+From c10b06e64cfdb9fc2ecc5a49e7c1f33a7c91bf2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 21:36:59 +0530
+Subject: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
+
+From: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
+
+[ Upstream commit 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 ]
+
+When the nl80211 socket that originated a PMSR request is
+closed, cfg80211_release_pmsr() sets the request's nl_portid
+to zero and schedules pmsr_free_wk to process the abort
+asynchronously. If the interface is concurrently torn down
+before that work runs, cfg80211_pmsr_wdev_down() calls
+cfg80211_pmsr_process_abort() directly. However, the already-
+scheduled pmsr_free_wk work item remains pending and may run
+after the interface has been removed from the driver. This
+could cause the driver's abort_pmsr callback to operate on a
+torn-down interface, leading to undefined behavior and
+potential crashes.
+
+Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()
+before calling cfg80211_pmsr_process_abort(). This ensures any
+pending or in-progress work is drained before interface teardown
+proceeds, preventing the work from invoking the driver abort
+callback after the interface is gone.
+
+Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API")
+Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260305160712.1263829-3-peddolla.reddy@oss.qualcomm.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/pmsr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c
+index a117f5093ca29..13801cf35e9fc 100644
+--- a/net/wireless/pmsr.c
++++ b/net/wireless/pmsr.c
+@@ -647,6 +647,7 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev)
+       }
+       spin_unlock_bh(&wdev->pmsr_lock);
++      cancel_work_sync(&wdev->pmsr_free_wk);
+       if (found)
+               cfg80211_pmsr_process_abort(wdev);
+-- 
+2.51.0
+
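Review bot: cancel_work_sync() on the line added after spin_unlock_bh() blocks until pmsr_free_wk has finished, so if the work function takes a lock that callers of cfg80211_pmsr_wdev_down() already hold this would deadlock; that cannot be checked from the hunk and is worth confirming (the function body starts outside the hunk). A short comment would also explain why the cancel is unconditional and why it must precede the abort, e.g. `/* drain pmsr_free_wk before aborting so it cannot call the driver on a torn-down wdev */`.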
diff --git a/queue-6.19/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch b/queue-6.19/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch
new file mode 100644 (file)
index 0000000..f493bb9
--- /dev/null
@@ -0,0 +1,120 @@
+From a4a302b6ec1437ea09cd8f3111d1064d06bd3354 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Mar 2026 06:54:55 +0000
+Subject: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit d5ad6ab61cbd89afdb60881f6274f74328af3ee9 ]
+
+ieee80211_tx_prepare_skb() has three error paths, but only two of them
+free the skb. The first error path (ieee80211_tx_prepare() returning
+TX_DROP) does not free it, while invoke_tx_handlers() failure and the
+fragmentation check both do.
+
+Add kfree_skb() to the first error path so all three are consistent,
+and remove the now-redundant frees in callers (ath9k, mt76,
+mac80211_hwsim) to avoid double-free.
+
+Document the skb ownership guarantee in the function's kdoc.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://patch.msgid.link/20260314065455.2462900-1-nbd@nbd.name
+Fixes: 06be6b149f7e ("mac80211: add ieee80211_tx_prepare_skb() helper function")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/channel.c      | 6 ++----
+ drivers/net/wireless/mediatek/mt76/scan.c     | 4 +---
+ drivers/net/wireless/virtual/mac80211_hwsim.c | 1 -
+ include/net/mac80211.h                        | 4 +++-
+ net/mac80211/tx.c                             | 4 +++-
+ 5 files changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/channel.c b/drivers/net/wireless/ath/ath9k/channel.c
+index 121e51ce1bc0e..8b27d8cc086ab 100644
+--- a/drivers/net/wireless/ath/ath9k/channel.c
++++ b/drivers/net/wireless/ath/ath9k/channel.c
+@@ -1006,7 +1006,7 @@ static void ath_scan_send_probe(struct ath_softc *sc,
+       skb_set_queue_mapping(skb, IEEE80211_AC_VO);
+       if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, NULL))
+-              goto error;
++              return;
+       txctl.txq = sc->tx.txq_map[IEEE80211_AC_VO];
+       if (ath_tx_start(sc->hw, skb, &txctl))
+@@ -1119,10 +1119,8 @@ ath_chanctx_send_vif_ps_frame(struct ath_softc *sc, struct ath_vif *avp,
+               skb->priority = 7;
+               skb_set_queue_mapping(skb, IEEE80211_AC_VO);
+-              if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, &sta)) {
+-                      dev_kfree_skb_any(skb);
++              if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, &sta))
+                       return false;
+-              }
+               break;
+       default:
+               return false;
+diff --git a/drivers/net/wireless/mediatek/mt76/scan.c b/drivers/net/wireless/mediatek/mt76/scan.c
+index ff9176cdee3de..63b0447e55c15 100644
+--- a/drivers/net/wireless/mediatek/mt76/scan.c
++++ b/drivers/net/wireless/mediatek/mt76/scan.c
+@@ -63,10 +63,8 @@ mt76_scan_send_probe(struct mt76_dev *dev, struct cfg80211_ssid *ssid)
+       rcu_read_lock();
+-      if (!ieee80211_tx_prepare_skb(phy->hw, vif, skb, band, NULL)) {
+-              ieee80211_free_txskb(phy->hw, skb);
++      if (!ieee80211_tx_prepare_skb(phy->hw, vif, skb, band, NULL))
+               goto out;
+-      }
+       info = IEEE80211_SKB_CB(skb);
+       if (req->no_cck)
+diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c
+index 79cc63272134d..cfbd0c50be1c9 100644
+--- a/drivers/net/wireless/virtual/mac80211_hwsim.c
++++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
+@@ -3021,7 +3021,6 @@ static void hw_scan_work(struct work_struct *work)
+                                                     hwsim->tmp_chan->band,
+                                                     NULL)) {
+                               rcu_read_unlock();
+-                              kfree_skb(probe);
+                               continue;
+                       }
+diff --git a/include/net/mac80211.h b/include/net/mac80211.h
+index c2e49542626c8..706f87c6d905a 100644
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -7291,7 +7291,9 @@ void ieee80211_report_wowlan_wakeup(struct ieee80211_vif *vif,
+  * @band: the band to transmit on
+  * @sta: optional pointer to get the station to send the frame to
+  *
+- * Return: %true if the skb was prepared, %false otherwise
++ * Return: %true if the skb was prepared, %false otherwise.
++ * On failure, the skb is freed by this function; callers must not
++ * free it again.
+  *
+  * Note: must be called under RCU lock
+  */
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 1b55e83404135..0692fbb6c489e 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1898,8 +1898,10 @@ bool ieee80211_tx_prepare_skb(struct ieee80211_hw *hw,
+       struct ieee80211_tx_data tx;
+       struct sk_buff *skb2;
+-      if (ieee80211_tx_prepare(sdata, &tx, NULL, skb) == TX_DROP)
++      if (ieee80211_tx_prepare(sdata, &tx, NULL, skb) == TX_DROP) {
++              kfree_skb(skb);
+               return false;
++      }
+       info->band = band;
+       info->control.vif = vif;
+-- 
+2.51.0
+
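Review bot: The new free in net/mac80211/tx.c uses kfree_skb(), whereas the mt76 caller it replaces used ieee80211_free_txskb(), which additionally runs TX status processing for skbs that request it; if any caller relied on that status callback for a dropped probe frame, this changes behaviour silently, although the other two error paths already use kfree_skb() according to the commit message, so consistency argues for the patch as is. In the ath9k hunk `goto error` becomes `return`; if `error:` has no remaining users in ath_scan_send_probe() this leaves an unused label, but the function continues outside the hunk, so that needs confirming. The kdoc addition in include/net/mac80211.h is the right place for the ownership rule; it could also say that this holds for every `false` return, not just the one changed here.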
diff --git a/queue-6.19/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch b/queue-6.19/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
new file mode 100644 (file)
index 0000000..ce0bff7
--- /dev/null
@@ -0,0 +1,81 @@
+From f3da6c3e7bbbf9dc195f57dc3e14b7952c202c33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 20:42:44 -0700
+Subject: wifi: mac80211: fix NULL deref in mesh_matches_local()
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd ]
+
+mesh_matches_local() unconditionally dereferences ie->mesh_config to
+compare mesh configuration parameters. When called from
+mesh_rx_csa_frame(), the parsed action-frame elements may not contain a
+Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a
+kernel NULL pointer dereference.
+
+The other two callers are already safe:
+  - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before
+    calling mesh_matches_local()
+  - mesh_plink_get_event() is only reached through
+    mesh_process_plink_frame(), which checks !elems->mesh_config, too
+
+mesh_rx_csa_frame() is the only caller that passes raw parsed elements
+to mesh_matches_local() without guarding mesh_config. An adjacent
+attacker can exploit this by sending a crafted CSA action frame that
+includes a valid Mesh ID IE but omits the Mesh Configuration IE,
+crashing the kernel.
+
+The captured crash log:
+
+Oops: general protection fault, probably for non-canonical address ...
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+Workqueue: events_unbound cfg80211_wiphy_work
+[...]
+Call Trace:
+ <TASK>
+ ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
+ ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
+ [...]
+ ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
+ [...]
+ cfg80211_wiphy_work (net/wireless/core.c:426)
+ process_one_work (net/kernel/workqueue.c:3280)
+ ? assign_work (net/kernel/workqueue.c:1219)
+ worker_thread (net/kernel/workqueue.c:3352)
+ ? __pfx_worker_thread (net/kernel/workqueue.c:3385)
+ kthread (net/kernel/kthread.c:436)
+ [...]
+ ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
+ </TASK>
+
+This patch adds a NULL check for ie->mesh_config at the top of
+mesh_matches_local() to return false early when the Mesh Configuration
+IE is absent.
+
+Fixes: 2e3c8736820b ("mac80211: support functions for mesh")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260318034244.2595020-1-xmei5@asu.edu
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index 129e814abe764..d7f691325746c 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -79,6 +79,9 @@ bool mesh_matches_local(struct ieee80211_sub_if_data *sdata,
+        *   - MDA enabled
+        * - Power management control on fc
+        */
++      if (!ie->mesh_config)
++              return false;
++
+       if (!(ifmsh->mesh_id_len == ie->mesh_id_len &&
+            memcmp(ifmsh->mesh_id, ie->mesh_id, ie->mesh_id_len) == 0 &&
+            (ifmsh->mesh_pp_id == ie->mesh_config->meshconf_psel) &&
+-- 
+2.51.0
+
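Review bot: The added NULL check is correct but silent about why mesh_config can be absent at this point, which a later cleanup could "simplify" away; a comment would pin the reason, e.g. `/* mesh_rx_csa_frame() passes parsed action-frame elements that need not carry a Mesh Configuration IE */`. Returning false means a CSA frame without that IE is treated as not matching the local mesh and is ignored, which is consistent with the pre-checks the commit message describes in the other two callers. mesh_matches_local() starts outside the hunk.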
diff --git a/queue-6.19/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch b/queue-6.19/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch
new file mode 100644 (file)
index 0000000..a345e77
--- /dev/null
@@ -0,0 +1,112 @@
+From 50868a0718205baa520f63585f387686cfc28245 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Mar 2026 07:24:02 +0000
+Subject: wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit b94ae8e0d5fe1bdbbfdc3854ff6ce98f6876a828 ]
+
+syzbot reported static_branch_dec() underflow in aql_enable_write(). [0]
+
+The problem is that aql_enable_write() does not serialise concurrent
+write()s to the debugfs.
+
+aql_enable_write() checks static_key_false(&aql_disable.key) and
+later calls static_branch_inc() or static_branch_dec(), but the
+state may change between the two calls.
+
+aql_disable does not need to track inc/dec.
+
+Let's use static_branch_enable() and static_branch_disable().
+
+[0]:
+val == 0
+WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288
+Modules linked in:
+CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G     U       L      syzkaller #0 PREEMPT(full)
+Tainted: [U]=USER, [L]=SOFTLOCKUP
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
+RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311
+Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00
+RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4
+RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000
+RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a
+R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98
+FS:  00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000200000001140 CR3: 000000007cc4a000 CR4: 00000000003526f0
+Call Trace:
+ <TASK>
+ __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline]
+ __static_key_slow_dec kernel/jump_label.c:321 [inline]
+ static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336
+ aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343
+ short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383
+ vfs_write+0x2aa/0x1070 fs/read_write.c:684
+ ksys_pwrite64 fs/read_write.c:793 [inline]
+ __do_sys_pwrite64 fs/read_write.c:801 [inline]
+ __se_sys_pwrite64 fs/read_write.c:798 [inline]
+ __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f530cf9aeb9
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
+RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9
+RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010
+RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000
+R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978
+ </TASK>
+
+Fixes: e908435e402a ("mac80211: introduce aql_enable node in debugfs")
+Reported-by: syzbot+feb9ce36a95341bb47a4@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69a8979e.a70a0220.b118c.0025.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260306072405.3649474-1-kuniyu@google.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/debugfs.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c
+index d02f07368c511..687a66cd49433 100644
+--- a/net/mac80211/debugfs.c
++++ b/net/mac80211/debugfs.c
+@@ -320,7 +320,6 @@ static ssize_t aql_enable_read(struct file *file, char __user *user_buf,
+ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf,
+                               size_t count, loff_t *ppos)
+ {
+-      bool aql_disabled = static_key_false(&aql_disable.key);
+       char buf[3];
+       size_t len;
+@@ -335,15 +334,12 @@ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf,
+       if (len > 0 && buf[len - 1] == '\n')
+               buf[len - 1] = 0;
+-      if (buf[0] == '0' && buf[1] == '\0') {
+-              if (!aql_disabled)
+-                      static_branch_inc(&aql_disable);
+-      } else if (buf[0] == '1' && buf[1] == '\0') {
+-              if (aql_disabled)
+-                      static_branch_dec(&aql_disable);
+-      } else {
++      if (buf[0] == '0' && buf[1] == '\0')
++              static_branch_enable(&aql_disable);
++      else if (buf[0] == '1' && buf[1] == '\0')
++              static_branch_disable(&aql_disable);
++      else
+               return -EINVAL;
+-      }
+       return count;
+ }
+-- 
+2.51.0
+
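Review bot: The reason unserialised writers are now safe — static_branch_enable()/static_branch_disable() are idempotent, so the key can no longer be decremented below zero — lives only in the commit message; a one-line comment before the new `if` would keep it with the code, e.g. `/* enable/disable are idempotent, so concurrent writers cannot unbalance the key */`. The comparisons `buf[1] == '\0'` rely on buf being NUL-terminated after a one-character write; the setup of buf and len is outside the hunk, so confirm it is zeroed or terminated before this point.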
diff --git a/queue-6.19/wifi-mac80211-remove-keys-after-disabling-beaconing.patch b/queue-6.19/wifi-mac80211-remove-keys-after-disabling-beaconing.patch
new file mode 100644 (file)
index 0000000..b1fb7b9
--- /dev/null
@@ -0,0 +1,56 @@
+From 3366fe80b2801399f1efa44ebaf5339e8765de64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Mar 2026 15:03:39 +0100
+Subject: wifi: mac80211: remove keys after disabling beaconing
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 708bbb45537780a8d3721ca1e0cf1932c1d1bf5f ]
+
+We shouldn't remove keys before disable beaconing, at least when
+beacon protection is used, since that would remove keys that are
+still used for beacon transmission at the same time. Stop before
+removing keys so there's no race.
+
+Fixes: af2d14b01c32 ("mac80211: Beacon protection using the new BIGTK (STA)")
+Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20260303150339.574e7887b3ab.I50d708f5aa22584506a91d0da7f8a73ba39fceac@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index c81091a5cc3a3..e480b48e8365d 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1889,12 +1889,6 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev,
+       __sta_info_flush(sdata, true, link_id, NULL);
+-      ieee80211_remove_link_keys(link, &keys);
+-      if (!list_empty(&keys)) {
+-              synchronize_net();
+-              ieee80211_free_key_list(local, &keys);
+-      }
+-
+       ieee80211_stop_mbssid(sdata);
+       RCU_INIT_POINTER(link_conf->tx_bss_conf, NULL);
+@@ -1906,6 +1900,12 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev,
+       ieee80211_link_info_change_notify(sdata, link,
+                                         BSS_CHANGED_BEACON_ENABLED);
++      ieee80211_remove_link_keys(link, &keys);
++      if (!list_empty(&keys)) {
++              synchronize_net();
++              ieee80211_free_key_list(local, &keys);
++      }
++
+       if (sdata->wdev.links[link_id].cac_started) {
+               chandef = link_conf->chanreq.oper;
+               wiphy_delayed_work_cancel(wiphy, &link->dfs_cac_timer_work);
+-- 
+2.51.0
+
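Review bot: The ordering requirement the moved block enforces is not stated in the code, so a later refactor could move it back; add a comment on the new side, e.g. `/* Keys (incl. BIGTK) may still be in use for beacon TX: remove them only after beaconing has been disabled. */`. The `keys` list is declared and initialised outside the hunk and nothing here changes that, so the synchronize_net() before ieee80211_free_key_list() still applies unchanged. ieee80211_stop_ap() starts and ends outside the hunk.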
diff --git a/queue-6.19/wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch b/queue-6.19/wifi-mac80211-use-jiffies_delta_to_msecs-for-sta_inf.patch
new file mode 100644 (file)
index 0000000..47678a6
--- /dev/null
@@ -0,0 +1,54 @@
+From edd7d4cff46dd5118795631ddf8b4a4594ea5dc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Mar 2026 17:06:39 +0100
+Subject: wifi: mac80211: use jiffies_delta_to_msecs() for sta_info inactive
+ times
+
+From: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
+
+[ Upstream commit ac6f24cc9c0a9aefa55ec9696dcafa971d4d760b ]
+
+Inactive times of around 0xffffffff milliseconds have been observed on
+an ath9k device on ARM.  This is likely due to a memory ordering race in
+the jiffies_to_msecs(jiffies - last_active()) calculation causing an
+overflow when the observed jiffies is below ieee80211_sta_last_active().
+
+Use jiffies_delta_to_msecs() instead to avoid this problem.
+
+Fixes: 7bbdd2d98797 ("mac80211: implement station stats retrieval")
+Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
+Link: https://patch.msgid.link/20260303161701.31808-1-nicolas.cavallari@green-communications.fr
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/sta_info.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
+index 1a995bc301b19..b0d9bb830f293 100644
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -2759,7 +2759,9 @@ static void sta_set_link_sinfo(struct sta_info *sta,
+       }
+       link_sinfo->inactive_time =
+-              jiffies_to_msecs(jiffies - ieee80211_sta_last_active(sta, link_id));
++              jiffies_delta_to_msecs(jiffies -
++                                     ieee80211_sta_last_active(sta,
++                                                               link_id));
+       if (!(link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES64) |
+                                   BIT_ULL(NL80211_STA_INFO_TX_BYTES)))) {
+@@ -2992,7 +2994,8 @@ void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo,
+       sinfo->connected_time = ktime_get_seconds() - sta->last_connected;
+       sinfo->assoc_at = sta->assoc_at;
+       sinfo->inactive_time =
+-              jiffies_to_msecs(jiffies - ieee80211_sta_last_active(sta, -1));
++              jiffies_delta_to_msecs(jiffies -
++                                     ieee80211_sta_last_active(sta, -1));
+       if (!(sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES64) |
+                              BIT_ULL(NL80211_STA_INFO_TX_BYTES)))) {
+-- 
+2.51.0
+
diff --git a/queue-6.19/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch b/queue-6.19/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
new file mode 100644 (file)
index 0000000..c0b9dba
--- /dev/null
@@ -0,0 +1,54 @@
+From 5bba9b1cb4ed5a7aa48cd0d6afaca82292767d05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 23:46:36 -0700
+Subject: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not
+ enough headroom
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit deb353d9bb009638b7762cae2d0b6e8fdbb41a69 ]
+
+Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom
+before skb_push"), wl1271_tx_allocate() and with it
+wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails.
+However, in wlcore_tx_work_locked(), a return value of -EAGAIN from
+wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being
+full. This causes the code to flush the buffer, put the skb back at the
+head of the queue, and immediately retry the same skb in a tight while
+loop.
+
+Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens
+immediately with GFP_ATOMIC, this will result in an infinite loop and a
+CPU soft lockup. Return -ENOMEM instead so the packet is dropped and
+the loop terminates.
+
+The problem was found by an experimental code review agent based on
+gemini-3.1-pro while reviewing backports into v6.18.y.
+
+Assisted-by: Gemini:gemini-3.1-pro
+Fixes: e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push")
+Cc: Peter Astrand <astrand@lysator.liu.se>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://patch.msgid.link/20260318064636.3065925-1-linux@roeck-us.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wlcore/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c
+index 6241866d39df6..75cfbcfb7626d 100644
+--- a/drivers/net/wireless/ti/wlcore/tx.c
++++ b/drivers/net/wireless/ti/wlcore/tx.c
+@@ -210,7 +210,7 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif,
+               if (skb_headroom(skb) < (total_len - skb->len) &&
+                   pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) {
+                       wl1271_free_tx_id(wl, id);
+-                      return -EAGAIN;
++                      return -ENOMEM;
+               }
+               desc = skb_push(skb, total_len - skb->len);
+-- 
+2.51.0
+
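Review bot: The choice of -ENOMEM at the changed return is load-bearing but nothing in the code says so: per the description, wlcore_tx_work_locked() treats -EAGAIN from wl1271_prepare_tx_frame() as "aggregation buffer full", requeues the skb and retries under wl->mutex, so any future error path in wl1271_tx_allocate() that returns -EAGAIN for a non-retryable condition would reintroduce the soft lockup. A one-line comment above the return would pin that, e.g. `/* Not -EAGAIN: the caller retries that in a tight loop under wl->mutex */`. wl1271_tx_allocate() starts and ends outside the hunk, so I cannot see whether other -EAGAIN returns remain in it.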
diff --git a/queue-6.6/acpi-processor-fix-previous-acpi_processor_errata_pi.patch b/queue-6.6/acpi-processor-fix-previous-acpi_processor_errata_pi.patch
new file mode 100644 (file)
index 0000000..c3873f8
--- /dev/null
@@ -0,0 +1,74 @@
+From 5d3af2ab1c0940a5566628190b2f6e15f8ead2d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 21:39:05 +0100
+Subject: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit bf504b229cb8d534eccbaeaa23eba34c05131e25 ]
+
+After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference
+in acpi_processor_errata_piix4()"), device pointers may be dereferenced
+after dropping references to the device objects pointed to by them,
+which may cause a use-after-free to occur.
+
+Moreover, debug messages about enabling the errata may be printed
+if the errata flags corresponding to them are unset.
+
+Address all of these issues by moving message printing to the points
+in the code where the errata flags are set.
+
+Fixes: f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()")
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Closes: https://lore.kernel.org/linux-acpi/938e2206-def5-4b7a-9b2c-d1fd37681d8a@roeck-us.net/
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Link: https://patch.msgid.link/5975693.DvuYhMxLoT@rafael.j.wysocki
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_processor.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c
+index 5e409f86f0709..55f0ea3535055 100644
+--- a/drivers/acpi/acpi_processor.c
++++ b/drivers/acpi/acpi_processor.c
+@@ -102,6 +102,10 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev)
+                                    PCI_ANY_ID, PCI_ANY_ID, NULL);
+               if (ide_dev) {
+                       errata.piix4.bmisx = pci_resource_start(ide_dev, 4);
++                      if (errata.piix4.bmisx)
++                              dev_dbg(&ide_dev->dev,
++                                      "Bus master activity detection (BM-IDE) erratum enabled\n");
++
+                       pci_dev_put(ide_dev);
+               }
+@@ -120,20 +124,17 @@ static int acpi_processor_errata_piix4(struct pci_dev *dev)
+               if (isa_dev) {
+                       pci_read_config_byte(isa_dev, 0x76, &value1);
+                       pci_read_config_byte(isa_dev, 0x77, &value2);
+-                      if ((value1 & 0x80) || (value2 & 0x80))
++                      if ((value1 & 0x80) || (value2 & 0x80)) {
+                               errata.piix4.fdma = 1;
++                              dev_dbg(&isa_dev->dev,
++                                      "Type-F DMA livelock erratum (C3 disabled)\n");
++                      }
+                       pci_dev_put(isa_dev);
+               }
+               break;
+       }
+-      if (ide_dev)
+-              dev_dbg(&ide_dev->dev, "Bus master activity detection (BM-IDE) erratum enabled\n");
+-
+-      if (isa_dev)
+-              dev_dbg(&isa_dev->dev, "Type-F DMA livelock erratum (C3 disabled)\n");
+-
+       return 0;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.6/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch b/queue-6.6/bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch
new file mode 100644 (file)
index 0000000..09657ae
--- /dev/null
@@ -0,0 +1,52 @@
+From f38b1ee87a1bb0255f84717aa823ef3bdd554941 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 14:50:52 +0100
+Subject: Bluetooth: hci_sync: Fix hci_le_create_conn_sync
+
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+
+[ Upstream commit 2cabe7ff1001b7a197009cf50ba71701f9cbd354 ]
+
+While introducing hci_le_create_conn_sync the functionality
+of hci_connect_le was ported to hci_le_create_conn_sync including
+the disable of the scan before starting the connection.
+
+When this code was run non synchronously the immediate call that was
+setting the flag HCI_LE_SCAN_INTERRUPTED had an impact. Since the
+completion handler for the LE_SCAN_DISABLE was not immediately called.
+In the completion handler of the LE_SCAN_DISABLE event, this flag is
+checked to set the state of the hdev to DISCOVERY_STOPPED.
+
+With the synchronised approach the later setting of the
+HCI_LE_SCAN_INTERRUPTED flag has not the same effect. The completion
+handler would immediately fire in the LE_SCAN_DISABLE call, check for
+the flag, which is then not yet set and do nothing.
+
+To fix this issue and make the function call work as before, we move the
+setting of the flag HCI_LE_SCAN_INTERRUPTED before disabling the scan.
+
+Fixes: 8e8b92ee60de ("Bluetooth: hci_sync: Add hci_le_create_conn_sync")
+Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 6a14f76071077..6192f70e4d393 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -6555,8 +6555,8 @@ static int hci_le_create_conn_sync(struct hci_dev *hdev, void *data)
+        * state.
+        */
+       if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {
+-              hci_scan_disable_sync(hdev);
+               hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
++              hci_scan_disable_sync(hdev);
+       }
+       /* Update random address, but set require_privacy to false so
+-- 
+2.51.0
+
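Review bot: The new ordering of the flag set and hci_scan_disable_sync() is a correctness requirement that the code does not state; per the description, the LE_SCAN_DISABLE completion now runs synchronously inside hci_scan_disable_sync() and checks HCI_LE_SCAN_INTERRUPTED, so a later tidy-up could swap the two lines back. I would extend the comment that ends just above the hunk with `/* Set HCI_LE_SCAN_INTERRUPTED before disabling: hci_scan_disable_sync() runs the completion handler synchronously and it checks this flag. */`. As before the change, the return value of hci_scan_disable_sync() is ignored; if it fails the flag now stays set, which is presumably cleared elsewhere but worth confirming. hci_le_create_conn_sync() starts and ends outside the hunk.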
diff --git a/queue-6.6/bluetooth-hidp-fix-possible-uaf.patch b/queue-6.6/bluetooth-hidp-fix-possible-uaf.patch
new file mode 100644 (file)
index 0000000..587286c
--- /dev/null
@@ -0,0 +1,237 @@
+From 1a6d446fd3da37f176f8dcc0f554cfd3c3549661 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 10:17:47 -0500
+Subject: Bluetooth: HIDP: Fix possible UAF
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit dbf666e4fc9bdd975a61bf682b3f75cb0145eedd ]
+
+This fixes the following trace caused by not dropping l2cap_conn
+reference when user->remove callback is called:
+
+[   97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
+[   97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   97.809947] Call Trace:
+[   97.809954]  <TASK>
+[   97.809961]  dump_stack_lvl (lib/dump_stack.c:122)
+[   97.809990]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
+[   97.810017]  l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
+[   97.810055]  l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
+[   97.810086]  ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
+[   97.810117]  hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
+[   97.810148]  hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
+[   97.810180]  ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
+[   97.810212]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810242]  ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
+[   97.810267]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810290]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
+[   97.810320]  hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
+[   97.810346]  vhci_release (drivers/bluetooth/hci_vhci.c:691)
+[   97.810375]  ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
+[   97.810404]  __fput (fs/file_table.c:470)
+[   97.810430]  task_work_run (kernel/task_work.c:235)
+[   97.810451]  ? __pfx_task_work_run (kernel/task_work.c:201)
+[   97.810472]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810495]  ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
+[   97.810527]  do_exit (kernel/exit.c:972)
+[   97.810547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810574]  ? __pfx_do_exit (kernel/exit.c:897)
+[   97.810594]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
+[   97.810616]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810639]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
+[   97.810664]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810688]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   97.810721]  do_group_exit (kernel/exit.c:1093)
+[   97.810745]  get_signal (kernel/signal.c:3007 (discriminator 1))
+[   97.810772]  ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
+[   97.810803]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810826]  ? vfs_read (fs/read_write.c:555)
+[   97.810854]  ? __pfx_get_signal (kernel/signal.c:2800)
+[   97.810880]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810905]  ? __pfx_vfs_read (fs/read_write.c:555)
+[   97.810932]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.810960]  arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
+[   97.810990]  ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
+[   97.811021]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811055]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811078]  ? ksys_read (fs/read_write.c:707)
+[   97.811106]  ? __pfx_ksys_read (fs/read_write.c:707)
+[   97.811137]  exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
+[   97.811169]  ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
+[   97.811192]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811215]  ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
+[   97.811240]  do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
+[   97.811268]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   97.811292]  ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
+[   97.811318]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+[   97.811338] RIP: 0033:0x445cfe
+[   97.811352] Code: Unable to access opcode bytes at 0x445cd4.
+
+Code starting with the faulting instruction
+===========================================
+[   97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
+[   97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe
+[   97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004
+[   97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000
+[   97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8
+[   97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0
+[   97.811453]  </TASK>
+[   98.402453] ==================================================================
+[   98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430
+[   98.405361]
+[   98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   98.405600] Call Trace:
+[   98.405607]  <TASK>
+[   98.405614]  dump_stack_lvl (lib/dump_stack.c:122)
+[   98.405641]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
+[   98.405667]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.405691]  ? __virt_addr_valid (arch/x86/mm/physaddr.c:55)
+[   98.405724]  ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405748]  kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
+[   98.405778]  ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405807]  __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
+[   98.405832]  ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
+[   98.405859]  ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.405888]  ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
+[   98.405915]  ? __pfx___mutex_lock (kernel/locking/mutex.c:775)
+[   98.405939]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.405963]  ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
+[   98.405984]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.406015]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406038]  ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875)
+[   98.406061]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406085]  ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194)
+[   98.406107]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406130]  ? __timer_delete_sync (kernel/time/timer.c:1592)
+[   98.406158]  ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.406186]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406210]  l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
+[   98.406263]  hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305)
+[   98.406293]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.406323]  ? kthread (kernel/kthread.c:433)
+[   98.406340]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.406370]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406393]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.406424]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.406453]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406476]  ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
+[   98.406499]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406523]  ? kthread (kernel/kthread.c:433)
+[   98.406539]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406565]  ? kthread (kernel/kthread.c:433)
+[   98.406581]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.406610]  kthread (kernel/kthread.c:467)
+[   98.406627]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.406645]  ret_from_fork (arch/x86/kernel/process.c:164)
+[   98.406674]  ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
+[   98.406704]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.406728]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.406747]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
+[   98.406774]  </TASK>
+[   98.406780]
+[   98.433693] The buggy address belongs to the physical page:
+[   98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4
+[   98.435557] flags: 0x200000000000000(node=0|zone=2)
+[   98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000
+[   98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000
+[   98.438115] page dumped because: kasan: bad access detected
+[   98.438951]
+[   98.439211] Memory state around the buggy address:
+[   98.439871]  ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   98.440714]  ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.442458]                                   ^
+[   98.443011]  ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.443889]  ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[   98.444768] ==================================================================
+[   98.445719] Disabling lock debugging due to kernel taint
+[   98.448074] l2cap_conn_free: freeing conn ffff88810c22b400
+[   98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G    B               7.0.0-rc1-dirty #14 PREEMPT(lazy)
+[   98.450040] Tainted: [B]=BAD_PAGE
+[   98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
+[   98.450059] Call Trace:
+[   98.450065]  <TASK>
+[   98.450071]  dump_stack_lvl (lib/dump_stack.c:122)
+[   98.450099]  l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
+[   98.450125]  l2cap_conn_put (net/bluetooth/l2cap_core.c:1822)
+[   98.450154]  session_free (net/bluetooth/hidp/core.c:990)
+[   98.450181]  hidp_session_thread (net/bluetooth/hidp/core.c:1307)
+[   98.450213]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.450271]  ? kthread (kernel/kthread.c:433)
+[   98.450293]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.450339]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450368]  ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
+[   98.450406]  ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
+[   98.450442]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450471]  ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
+[   98.450499]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450528]  ? kthread (kernel/kthread.c:433)
+[   98.450547]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450578]  ? kthread (kernel/kthread.c:433)
+[   98.450598]  ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
+[   98.450637]  kthread (kernel/kthread.c:467)
+[   98.450657]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.450680]  ret_from_fork (arch/x86/kernel/process.c:164)
+[   98.450715]  ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
+[   98.450752]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[   98.450782]  ? __pfx_kthread (kernel/kthread.c:412)
+[   98.450804]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
+[   98.450836]  </TASK>
+
+Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers")
+Reported-by: soufiane el hachmi <kilwa10@gmail.com>
+Tested-by: soufiane el hachmi <kilwa10@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hidp/core.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index 707f229f896a1..40a6f1e20babc 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -986,7 +986,8 @@ static void session_free(struct kref *ref)
+       skb_queue_purge(&session->intr_transmit);
+       fput(session->intr_sock->file);
+       fput(session->ctrl_sock->file);
+-      l2cap_conn_put(session->conn);
++      if (session->conn)
++              l2cap_conn_put(session->conn);
+       kfree(session);
+ }
+@@ -1164,6 +1165,15 @@ static void hidp_session_remove(struct l2cap_conn *conn,
+       down_write(&hidp_session_sem);
++      /* Drop L2CAP reference immediately to indicate that
++       * l2cap_unregister_user() shall not be called as it is already
++       * considered removed.
++       */
++      if (session->conn) {
++              l2cap_conn_put(session->conn);
++              session->conn = NULL;
++      }
++
+       hidp_session_terminate(session);
+       cancel_work_sync(&session->dev_init);
+@@ -1301,7 +1311,9 @@ static int hidp_session_thread(void *arg)
+        * Instead, this call has the same semantics as if user-space tried to
+        * delete the session.
+        */
+-      l2cap_unregister_user(session->conn, &session->user);
++      if (session->conn)
++              l2cap_unregister_user(session->conn, &session->user);
++
+       hidp_session_put(session);
+       module_put_and_kthread_exit(0);
+-- 
+2.51.0
+
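Review bot: The new `if (session->conn)` in hidp_session_thread reads session->conn without holding hidp_session_sem, while hidp_session_remove writes it (put then NULL) under down_write(&hidp_session_sem). Whether the two can overlap depends on hidp_session_remove() only being reachable from this thread's own l2cap_unregister_user() call or from l2cap_conn_del() after the thread has stopped — I cannot confirm that from the hunks, so if that is the invariant it should be stated at the check, e.g. `/* conn is cleared only by hidp_session_remove(), which runs from this unregister call or after the thread exits; no lock needed */`. The same unlocked read occurs in session_free(), which is fine if it runs after the last session reference is dropped. hidp_session_thread() starts outside its hunk.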
diff --git a/queue-6.6/bluetooth-iso-fix-defer-tests-being-unstable.patch b/queue-6.6/bluetooth-iso-fix-defer-tests-being-unstable.patch
new file mode 100644 (file)
index 0000000..b1c0620
--- /dev/null
@@ -0,0 +1,49 @@
+From 66e1e6ac63fed60fbe2975c7c903629e07da63d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Feb 2026 15:23:01 -0500
+Subject: Bluetooth: ISO: Fix defer tests being unstable
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 62bcaa6b351b6dc400f6c6b83762001fd9f5c12d ]
+
+iso-tester defer tests seem to fail with hci_conn_hash_lookup_cig
+being unable to resolve a cig in set_cig_params_sync due a race
+where it is run immediatelly before hci_bind_cis is able to set
+the QoS settings into the hci_conn object.
+
+So this moves the assigning of the QoS settings to be done directly
+by hci_le_set_cig_params to prevent that from happening again.
+
+Fixes: 26afbd826ee3 ("Bluetooth: Add initial implementation of CIS connections")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_conn.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 30feeaf7e6424..97e48c1f69aff 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1837,6 +1837,8 @@ static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
+               return false;
+ done:
++      conn->iso_qos = *qos;
++
+       if (hci_cmd_sync_queue(hdev, set_cig_params_sync,
+                              UINT_PTR(qos->ucast.cig), NULL) < 0)
+               return false;
+@@ -1903,8 +1905,6 @@ struct hci_conn *hci_bind_cis(struct hci_dev *hdev, bdaddr_t *dst,
+       }
+       hci_conn_hold(cis);
+-
+-      cis->iso_qos = *qos;
+       cis->state = BT_BOUND;
+       return cis;
+-- 
+2.51.0
+
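Review bot: With the assignment moved under the done: label, conn->iso_qos is written before hci_cmd_sync_queue() and stays written when that call fails and hci_le_set_cig_params() returns false, whereas hci_bind_cis() previously assigned it only on its success path. If any caller treats a false return as "conn untouched" that assumption no longer holds; the description says set_cig_params_sync() needs the value, so the early write is intended and should be documented, e.g. `/* Assign before queuing: set_cig_params_sync() reads conn->iso_qos; it stays set even if queuing fails */`. Both hunks cut through their enclosing functions.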
diff --git a/queue-6.6/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch b/queue-6.6/bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch
new file mode 100644 (file)
index 0000000..fb454ca
--- /dev/null
@@ -0,0 +1,90 @@
+From 6edbf1c4030bc1c12e81b38e49df0490d48f53af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Nov 2025 23:50:16 +0530
+Subject: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
+
+From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+
+[ Upstream commit 752a6c9596dd25efd6978a73ff21f3b592668f4a ]
+
+After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in
+hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to
+conn->users. However, l2cap_register_user() and l2cap_unregister_user()
+don't use conn->lock, creating a race condition where these functions can
+access conn->users and conn->hchan concurrently with l2cap_conn_del().
+
+This can lead to use-after-free and list corruption bugs, as reported
+by syzbot.
+
+Fix this by changing l2cap_register_user() and l2cap_unregister_user()
+to use conn->lock instead of hci_dev_lock(), ensuring consistent locking
+for the l2cap_conn structure.
+
+Reported-by: syzbot+14b6d57fb728e27ce23c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=14b6d57fb728e27ce23c
+Fixes: ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del")
+Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 4ab738e651837..7f807e0b0992f 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -1686,17 +1686,15 @@ static void l2cap_info_timeout(struct work_struct *work)
+ int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
+ {
+-      struct hci_dev *hdev = conn->hcon->hdev;
+       int ret;
+       /* We need to check whether l2cap_conn is registered. If it is not, we
+-       * must not register the l2cap_user. l2cap_conn_del() is unregisters
+-       * l2cap_conn objects, but doesn't provide its own locking. Instead, it
+-       * relies on the parent hci_conn object to be locked. This itself relies
+-       * on the hci_dev object to be locked. So we must lock the hci device
+-       * here, too. */
++       * must not register the l2cap_user. l2cap_conn_del() unregisters
++       * l2cap_conn objects under conn->lock, and we use the same lock here
++       * to protect access to conn->users and conn->hchan.
++       */
+-      hci_dev_lock(hdev);
++      mutex_lock(&conn->lock);
+       if (!list_empty(&user->list)) {
+               ret = -EINVAL;
+@@ -1717,16 +1715,14 @@ int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
+       ret = 0;
+ out_unlock:
+-      hci_dev_unlock(hdev);
++      mutex_unlock(&conn->lock);
+       return ret;
+ }
+ EXPORT_SYMBOL(l2cap_register_user);
+ void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
+ {
+-      struct hci_dev *hdev = conn->hcon->hdev;
+-
+-      hci_dev_lock(hdev);
++      mutex_lock(&conn->lock);
+       if (list_empty(&user->list))
+               goto out_unlock;
+@@ -1735,7 +1731,7 @@ void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
+       user->remove(conn, user);
+ out_unlock:
+-      hci_dev_unlock(hdev);
++      mutex_unlock(&conn->lock);
+ }
+ EXPORT_SYMBOL(l2cap_unregister_user);
+-- 
+2.51.0
+
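Review bot: l2cap_unregister_user() now invokes user->remove(conn, user) with conn->lock held and releases the lock afterwards at mutex_unlock(&conn->lock); if a remove callback drops the caller's last reference on conn — HIDP's hidp_session_remove() in this same series does call l2cap_conn_put() on it — the unlock would touch freed memory. Presumably every caller holds its own reference across the call, but that is now a locking contract rather than an accident, so I would state it above the function: `/* Callers must hold their own reference on conn: user->remove() runs under conn->lock and the lock is released afterwards. */`. It also means a remove callback must not re-enter l2cap_register_user()/l2cap_unregister_user() on the same conn, which belongs in the struct l2cap_user callback documentation.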
diff --git a/queue-6.6/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch b/queue-6.6/bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
new file mode 100644 (file)
index 0000000..670b7d6
--- /dev/null
@@ -0,0 +1,55 @@
+From 2f59bb6d1cb6c38d12b85250ef2e179cf1676f27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:25 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit e1d9a66889867c232657a9b6f25d451d7c3ab96f ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"If the SDU length field value exceeds the receiver's MTU, the receiver
+shall disconnect the channel..."
+
+This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P
+0x0027 -V le_public -I 100').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 0253bdbbfc593..94dee7c227f74 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -6610,8 +6610,10 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+               return -ENOBUFS;
+       }
+-      if (chan->imtu < skb->len) {
+-              BT_ERR("Too big LE L2CAP PDU");
++      if (skb->len > chan->imtu) {
++              BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len,
++                     chan->imtu);
++              l2cap_send_disconn_req(chan, ECONNRESET);
+               return -ENOBUFS;
+       }
+@@ -6637,7 +6639,9 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+                      sdu_len, skb->len, chan->imtu);
+               if (sdu_len > chan->imtu) {
+-                      BT_ERR("Too big LE L2CAP SDU length received");
++                      BT_ERR("Too big LE L2CAP SDU length: len %u > %u",
++                             skb->len, sdu_len);
++                      l2cap_send_disconn_req(chan, ECONNRESET);
+                       err = -EMSGSIZE;
+                       goto failed;
+               }
+-- 
+2.51.0
+
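Review bot: The second new error message prints the wrong operands: the condition is `sdu_len > chan->imtu`, but the format arguments are `skb->len, sdu_len`, so the log shows the frame length against the SDU length and never shows the IMTU that was exceeded. It should read `BT_ERR("Too big LE L2CAP SDU length: len %u > %u", sdu_len, chan->imtu);`. The first message (skb->len against chan->imtu) is consistent with its condition. l2cap_ecred_data_rcv() starts and ends outside both hunks.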
diff --git a/queue-6.6/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch b/queue-6.6/bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
new file mode 100644 (file)
index 0000000..06436f4
--- /dev/null
@@ -0,0 +1,39 @@
+From 982449d4fbb36ab87859fc8bb34a14f13b217a76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:27 +0100
+Subject: Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit b6a2bf43aa37670432843bc73ae2a6288ba4d6f8 ]
+
+Core 6.0, Vol 3, Part A, 3.4.3:
+"... If the sum of the payload sizes for the K-frames exceeds the
+specified SDU length, the receiver shall disconnect the channel."
+
+This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
+0x0027 -V le_public').
+
+Fixes: aac23bf63659 ("Bluetooth: Implement LE L2CAP reassembly")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 94dee7c227f74..4ab738e651837 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -6677,6 +6677,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
+       if (chan->sdu->len + skb->len > chan->sdu_len) {
+               BT_ERR("Too much LE L2CAP data received");
++              l2cap_send_disconn_req(chan, ECONNRESET);
+               err = -EINVAL;
+               goto failed;
+       }
+-- 
+2.51.0
+
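Review bot: The new `l2cap_send_disconn_req(chan, ECONNRESET)` is the spec-mandated response, but the message it sits next to, `BT_ERR("Too much LE L2CAP data received")`, prints no sizes, unlike the sibling MTU and SDU-length checks in this same function, which report `len %u > %u`. Since this path now tears down a channel on peer-supplied lengths, logging the operands makes a misbehaving or hostile peer diagnosable from the log: `BT_ERR("Too much LE L2CAP data: %u + %u > %u", chan->sdu->len, skb->len, chan->sdu_len);`. A one-line comment above the check citing the clause from the description (`/* Core 6.0, Vol 3, Part A, 3.4.3: K-frame payloads exceed SDU length -> disconnect */`) would also spare the next reader a trip to the spec. l2cap_ecred_data_rcv() continues outside the hunk, including the `failed` label this branch jumps to.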
diff --git a/queue-6.6/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch b/queue-6.6/bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch
new file mode 100644 (file)
index 0000000..167df50
--- /dev/null
@@ -0,0 +1,46 @@
+From be5629c1bf517f18c38154b328f184e673c6674d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 01:02:57 +0200
+Subject: Bluetooth: qca: fix ROM version reading on WCN3998 chips
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit 99b2c531e0e797119ae1b9195a8764ee98b00e65 ]
+
+WCN3998 uses a bit different format for rom version:
+
+[    5.479978] Bluetooth: hci0: setting up wcn399x
+[    5.633763] Bluetooth: hci0: QCA Product ID   :0x0000000a
+[    5.645350] Bluetooth: hci0: QCA SOC Version  :0x40010224
+[    5.650906] Bluetooth: hci0: QCA ROM Version  :0x00001001
+[    5.665173] Bluetooth: hci0: QCA Patch Version:0x00006699
+[    5.679356] Bluetooth: hci0: QCA controller version 0x02241001
+[    5.691109] Bluetooth: hci0: QCA Downloading qca/crbtfw21.tlv
+[    6.680102] Bluetooth: hci0: QCA Downloading qca/crnv21.bin
+[    6.842948] Bluetooth: hci0: QCA setup on UART is completed
+
+Fixes: 523760b7ff88 ("Bluetooth: hci_qca: Added support for WCN3998")
+Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btqca.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index 5651f40db1736..5b34da23adce7 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -826,6 +826,8 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+        */
+       if (soc_type == QCA_WCN3988)
+               rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f);
++      else if (soc_type == QCA_WCN3998)
++              rom_ver = ((soc_ver & 0x0000f000) >> 0x07) | (soc_ver & 0x0000000f);
+       else
+               rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f);
+-- 
+2.51.0
+
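Review bot: The new WCN3998 branch has no explanation of its bit layout, while the comment closed by the `*/` just above the hunk presumably covers only the WCN3988 case. From the mask and shift, the high nibble is taken from bits 12-15 of `soc_ver` and lands at bits 5-8 of `rom_ver`, leaving bit 4 clear, which is unusual enough to state explicitly: `/* WCN3998: high nibble is soc_ver bits 12-15, placed at bits 5-8 of rom_ver */`. The commit message only says the format is "a bit different"; recording the layout in code keeps the three variants from being "harmonised" by a later cleanup. The `0x07` hex shift count follows the surrounding style, so no change there.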
diff --git a/queue-6.6/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch b/queue-6.6/bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
new file mode 100644 (file)
index 0000000..d95b352
--- /dev/null
@@ -0,0 +1,36 @@
+From 32224a11f4c215fa23ddad1e4510c4fd9eac862d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 18:07:28 +0100
+Subject: Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
+
+From: Christian Eggers <ceggers@arri.de>
+
+[ Upstream commit 0e4d4dcc1a6e82cc6f9abf32193558efa7e1613d ]
+
+The last test step ("Test with Invalid public key X and Y, all set to
+0") expects to get an "DHKEY check failed" instead of "unspecified".
+
+Fixes: 6d19628f539f ("Bluetooth: SMP: Fail if remote and local public keys are identical")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index e7ee13fe83a74..62c8eab1b84a5 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2744,7 +2744,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
+       if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
+           !crypto_memneq(key, smp->local_pk, 64)) {
+               bt_dev_err(hdev, "Remote and local public keys are identical");
+-              return SMP_UNSPECIFIED;
++              return SMP_DHKEY_CHECK_FAILED;
+       }
+       memcpy(smp->remote_pk, key, 64);
+-- 
+2.51.0
+
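Review bot: Changing the reason to `SMP_DHKEY_CHECK_FAILED` satisfies the qualification test, but the branch still has no comment saying why the check exists or why this specific code is required, so a later reader seeing a DHKey reason for an identical-key condition may revert it. Suggest: `/* A peer reflecting our own public key must still fail pairing; SM/PER/KDU/BI-04-C expects reason "DHKey Check Failed" here. */`. The returned reason is presumably what goes on the wire in the Pairing Failed PDU; since the condition involves only public material, the more specific code discloses nothing sensitive. The rejection itself, returning before the `memcpy` into `smp->remote_pk`, is unchanged.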
diff --git a/queue-6.6/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch b/queue-6.6/btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch
new file mode 100644 (file)
index 0000000..306339a
--- /dev/null
@@ -0,0 +1,99 @@
+From 8b83e1c9a733adad7495c1802e74f947e024db73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Mar 2026 16:57:43 +0000
+Subject: btrfs: log new dentries when logging parent dir of a conflicting
+ inode
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 9573a365ff9ff45da9222d3fe63695ce562beb24 ]
+
+If we log the parent directory of a conflicting inode, we are not logging
+the new dentries of the directory, so when we finish we have the parent
+directory's inode marked as logged but we did not log its new dentries.
+As a consequence if the parent directory is explicitly fsynced later and
+it does not have any new changes since we logged it, the fsync is a no-op
+and after a power failure the new dentries are missing.
+
+Example scenario:
+
+  $ mkdir foo
+
+  $ sync
+
+  $rmdir foo
+
+  $ mkdir dir1
+  $ mkdir dir2
+
+  # A file with the same name and parent as the directory we just deleted
+  # and was persisted in a past transaction. So the deleted directory's
+  # inode is a conflicting inode of this new file's inode.
+  $ touch foo
+
+  $ ln foo dir2/link
+
+  # The fsync on dir2 will log the parent directory (".") because the
+  # conflicting inode (deleted directory) does not exists anymore, but it
+  # it does not log its new dentries (dir1).
+  $ xfs_io -c "fsync" dir2
+
+  # This fsync on the parent directory is no-op, since the previous fsync
+  # logged it (but without logging its new dentries).
+  $ xfs_io -c "fsync" .
+
+  <power failure>
+
+  # After log replay dir1 is missing.
+
+Fix this by ensuring we log new dir dentries whenever we log the parent
+directory of a no longer existing conflicting inode.
+
+A test case for fstests will follow soon.
+
+Reported-by: Vyacheslav Kovalevsky <slava.kovalevskiy.2014@gmail.com>
+Link: https://lore.kernel.org/linux-btrfs/182055fa-e9ce-4089-9f5f-4b8a23e8dd91@gmail.com/
+Fixes: a3baaf0d786e ("Btrfs: fix fsync after succession of renames and unlink/rmdir")
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 882bb3c04c23f..c77852dc32399 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -5856,6 +5856,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans,
+                                 struct btrfs_root *root,
+                                 struct btrfs_log_ctx *ctx)
+ {
++      const bool orig_log_new_dentries = ctx->log_new_dentries;
+       int ret = 0;
+       /*
+@@ -5917,7 +5918,11 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans,
+                        * dir index key range logged for the directory. So we
+                        * must make sure the deletion is recorded.
+                        */
++                      ctx->log_new_dentries = false;
+                       ret = btrfs_log_inode(trans, inode, LOG_INODE_ALL, ctx);
++                      if (!ret && ctx->log_new_dentries)
++                              ret = log_new_dir_dentries(trans, inode, ctx);
++
+                       btrfs_add_delayed_iput(inode);
+                       if (ret)
+                               break;
+@@ -5952,6 +5957,7 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans,
+                       break;
+       }
++      ctx->log_new_dentries = orig_log_new_dentries;
+       ctx->logging_conflict_inodes = false;
+       if (ret)
+               free_conflicting_inodes(ctx);
+-- 
+2.51.0
+
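Review bot: The save/clear/restore of `ctx->log_new_dentries` in log_conflicting_inodes() is uncommented, and the reason it must be cleared before each `btrfs_log_inode()` call (a stale true inherited from the caller would trigger `log_new_dir_dentries()` for an inode that added nothing) is not obvious from the code. Suggest above the clear: `/* btrfs_log_inode() sets ctx->log_new_dentries when the directory it logged has new entries; reset it per call so a stale value does not leak in, and restore the caller's value at the end. */`. That btrfs_log_inode() is what sets the flag is inferred from the usage pattern and the commit message; confirm against that function. The restore after the loop is reached on both the normal exit and the error `break`, which looks right; the function's other loop branches are outside the hunk.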
diff --git a/queue-6.6/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch b/queue-6.6/btrfs-tree-checker-fix-misleading-root-drop_level-er.patch
new file mode 100644 (file)
index 0000000..1d8fd6a
--- /dev/null
@@ -0,0 +1,38 @@
+From 68cac4d9001aa8cc53036e6b8cb68a49e08f82ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 08:33:21 +0800
+Subject: btrfs: tree-checker: fix misleading root drop_level error message
+
+From: ZhengYuan Huang <gality369@gmail.com>
+
+[ Upstream commit fc1cd1f18c34f91e78362f9629ab9fd43b9dcab9 ]
+
+Fix tree-checker error message to report "invalid root drop_level"
+instead of the misleading "invalid root level".
+
+Fixes: 259ee7754b67 ("btrfs: tree-checker: Add ROOT_ITEM check")
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-checker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
+index e38994ac14848..d2c36b765c83a 100644
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -1220,7 +1220,7 @@ static int check_root_item(struct extent_buffer *leaf, struct btrfs_key *key,
+       }
+       if (unlikely(btrfs_root_drop_level(&ri) >= BTRFS_MAX_LEVEL)) {
+               generic_err(leaf, slot,
+-                          "invalid root level, have %u expect [0, %u]",
++                          "invalid root drop_level, have %u expect [0, %u]",
+                           btrfs_root_drop_level(&ri), BTRFS_MAX_LEVEL - 1);
+               return -EUCLEAN;
+       }
+-- 
+2.51.0
+
diff --git a/queue-6.6/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch b/queue-6.6/cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch
new file mode 100644 (file)
index 0000000..4cd7bb3
--- /dev/null
@@ -0,0 +1,46 @@
+From 6fffdd3f50e69589ecd016373e8e91c1e069edc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Jan 2026 01:49:09 +0800
+Subject: cache: ax45mp: Fix device node reference leak in ax45mp_cache_init()
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit 0528a348b04b327a4611e29589beb4c9ae81304a ]
+
+In ax45mp_cache_init(), of_find_matching_node() returns a device node
+with an incremented reference count that must be released with
+of_node_put(). The current code fails to call of_node_put() which
+causes a reference leak.
+
+Use the __free(device_node) attribute to ensure automatic cleanup when
+the variable goes out of scope.
+
+Fixes: d34599bcd2e4 ("cache: Add L2 cache management for Andes AX45MP RISC-V core")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cache/ax45mp_cache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cache/ax45mp_cache.c b/drivers/cache/ax45mp_cache.c
+index 1d7dd3d2c101c..934c5087ec2bd 100644
+--- a/drivers/cache/ax45mp_cache.c
++++ b/drivers/cache/ax45mp_cache.c
+@@ -178,11 +178,11 @@ static const struct of_device_id ax45mp_cache_ids[] = {
+ static int __init ax45mp_cache_init(void)
+ {
+-      struct device_node *np;
+       struct resource res;
+       int ret;
+-      np = of_find_matching_node(NULL, ax45mp_cache_ids);
++      struct device_node *np __free(device_node) =
++              of_find_matching_node(NULL, ax45mp_cache_ids);
+       if (!of_device_is_available(np))
+               return -ENODEV;
+-- 
+2.51.0
+
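Review bot: The switch to `__free(device_node)` depends on this tree providing a `device_node` cleanup class (`DEFINE_FREE(device_node, ...)`, which upstream lives in linux/of.h), and the backport adds no include; if 6.6 does not carry that definition the file will not compile, so verify the build before queuing, or backport as an explicit `of_node_put(np)` on each return path instead. The scope-based form also keeps the reference alive for the whole function, including the success path, which is harmless here but later than a drop right after the last use. ax45mp_cache_init() continues outside the hunk, so its later return paths were not checked for a pre-existing `of_node_put()` that would now double-drop.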
diff --git a/queue-6.6/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch b/queue-6.6/clsact-fix-use-after-free-in-init-destroy-rollback-a.patch
new file mode 100644 (file)
index 0000000..feef4de
--- /dev/null
@@ -0,0 +1,116 @@
+From dd230bfe813a5e044c15f3231b6f1d3a27db181e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 07:55:31 +0100
+Subject: clsact: Fix use-after-free in init/destroy rollback asymmetry
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit a0671125d4f55e1e98d9bde8a0b671941987e208 ]
+
+Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry.
+The latter is achieved by first fully initializing a clsact instance, and
+then in a second step having a replacement failure for the new clsact qdisc
+instance. clsact_init() initializes ingress first and then takes care of the
+egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon
+failure, the kernel will trigger the clsact_destroy() callback.
+
+Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the
+way how the transition is happening. If tcf_block_get_ext on the q->ingress_block
+ends up failing, we took the tcx_miniq_inc reference count on the ingress
+side, but not yet on the egress side. clsact_destroy() tests whether the
+{ingress,egress}_entry was non-NULL. However, even in midway failure on the
+replacement, both are in fact non-NULL with a valid egress_entry from the
+previous clsact instance.
+
+What we really need to test for is whether the qdisc instance-specific ingress
+or egress side previously got initialized. This adds a small helper for checking
+the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon
+clsact_destroy() in order to fix the use-after-free scenario. Convert the
+ingress_destroy() side as well so both are consistent to each other.
+
+Fixes: 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry")
+Reported-by: Keenan Dong <keenanat2000@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Martin KaFai Lau <martin.lau@kernel.org>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://patch.msgid.link/20260313065531.98639-1-daniel@iogearbox.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sch_generic.h |  5 +++++
+ net/sched/sch_ingress.c   | 14 ++++++++------
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index 15f4a0548d824..385af747b0b4e 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -1365,6 +1365,11 @@ void mini_qdisc_pair_init(struct mini_Qdisc_pair *miniqp, struct Qdisc *qdisc,
+ void mini_qdisc_pair_block_init(struct mini_Qdisc_pair *miniqp,
+                               struct tcf_block *block);
++static inline bool mini_qdisc_pair_inited(struct mini_Qdisc_pair *miniqp)
++{
++      return !!miniqp->p_miniq;
++}
++
+ void mq_change_real_num_tx(struct Qdisc *sch, unsigned int new_real_tx);
+ int sch_frag_xmit_hook(struct sk_buff *skb, int (*xmit)(struct sk_buff *skb));
+diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c
+index 8dde3548dc11c..70d668cb0db81 100644
+--- a/net/sched/sch_ingress.c
++++ b/net/sched/sch_ingress.c
+@@ -113,14 +113,15 @@ static void ingress_destroy(struct Qdisc *sch)
+ {
+       struct ingress_sched_data *q = qdisc_priv(sch);
+       struct net_device *dev = qdisc_dev(sch);
+-      struct bpf_mprog_entry *entry = rtnl_dereference(dev->tcx_ingress);
++      struct bpf_mprog_entry *entry;
+       if (sch->parent != TC_H_INGRESS)
+               return;
+       tcf_block_put_ext(q->block, sch, &q->block_info);
+-      if (entry) {
++      if (mini_qdisc_pair_inited(&q->miniqp)) {
++              entry = rtnl_dereference(dev->tcx_ingress);
+               tcx_miniq_dec(entry);
+               if (!tcx_entry_is_active(entry)) {
+                       tcx_entry_update(dev, NULL, true);
+@@ -289,10 +290,9 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt,
+ static void clsact_destroy(struct Qdisc *sch)
+ {
++      struct bpf_mprog_entry *ingress_entry, *egress_entry;
+       struct clsact_sched_data *q = qdisc_priv(sch);
+       struct net_device *dev = qdisc_dev(sch);
+-      struct bpf_mprog_entry *ingress_entry = rtnl_dereference(dev->tcx_ingress);
+-      struct bpf_mprog_entry *egress_entry = rtnl_dereference(dev->tcx_egress);
+       if (sch->parent != TC_H_CLSACT)
+               return;
+@@ -300,7 +300,8 @@ static void clsact_destroy(struct Qdisc *sch)
+       tcf_block_put_ext(q->ingress_block, sch, &q->ingress_block_info);
+       tcf_block_put_ext(q->egress_block, sch, &q->egress_block_info);
+-      if (ingress_entry) {
++      if (mini_qdisc_pair_inited(&q->miniqp_ingress)) {
++              ingress_entry = rtnl_dereference(dev->tcx_ingress);
+               tcx_miniq_dec(ingress_entry);
+               if (!tcx_entry_is_active(ingress_entry)) {
+                       tcx_entry_update(dev, NULL, true);
+@@ -308,7 +309,8 @@ static void clsact_destroy(struct Qdisc *sch)
+               }
+       }
+-      if (egress_entry) {
++      if (mini_qdisc_pair_inited(&q->miniqp_egress)) {
++              egress_entry = rtnl_dereference(dev->tcx_egress);
+               tcx_miniq_dec(egress_entry);
+               if (!tcx_entry_is_active(egress_entry)) {
+                       tcx_entry_update(dev, NULL, false);
+-- 
+2.51.0
+
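Review bot: With the guard changed to `mini_qdisc_pair_inited()`, both ingress_destroy() and clsact_destroy() now hand the result of `rtnl_dereference(dev->tcx_ingress)` / `tcx_egress` straight to `tcx_miniq_dec()` without the NULL check the old `if (entry)` gave. That is correct as long as "pair initialised implies the tcx entry is still held" holds, but a violation would now be a NULL dereference in destroy rather than a silent skip; a `WARN_ON_ONCE(!entry)` after each dereference, or a comment stating the invariant, would make that explicit. The new helper is also undocumented: `/* True once mini_qdisc_pair_init() has run for this pair; relies on the qdisc private area starting zeroed. */`, the second half to be confirmed against qdisc allocation.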
diff --git a/queue-6.6/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch b/queue-6.6/firmware-arm_scpi-fix-device_node-reference-leak-in-.patch
new file mode 100644 (file)
index 0000000..7e77165
--- /dev/null
@@ -0,0 +1,58 @@
+From cb2be583f0709561f27dd31253b87da3dfbbebea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 21:08:19 +0800
+Subject: firmware: arm_scpi: Fix device_node reference leak in probe path
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+[ Upstream commit 879c001afbac3df94160334fe5117c0c83b2cf48 ]
+
+A device_node reference obtained from the device tree is not released
+on all error paths in the arm_scpi probe path. Specifically, a node
+returned by of_parse_phandle() could be leaked when the probe failed
+after the node was acquired. The probe function returns early and
+the shmem reference is not released.
+
+Use __free(device_node) scope-based cleanup to automatically release
+the reference when the variable goes out of scope.
+
+Fixes: ed7ecb883901 ("firmware: arm_scpi: Add compatibility checks for shmem node")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Message-Id: <20260121-arm_scpi_2-v2-1-702d7fa84acb@gmail.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scpi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c
+index 3de25e9d18ef8..2d85e783ae267 100644
+--- a/drivers/firmware/arm_scpi.c
++++ b/drivers/firmware/arm_scpi.c
+@@ -18,6 +18,7 @@
+ #include <linux/bitmap.h>
+ #include <linux/bitfield.h>
++#include <linux/cleanup.h>
+ #include <linux/device.h>
+ #include <linux/err.h>
+ #include <linux/export.h>
+@@ -945,13 +946,13 @@ static int scpi_probe(struct platform_device *pdev)
+               int idx = scpi_drvinfo->num_chans;
+               struct scpi_chan *pchan = scpi_drvinfo->channels + idx;
+               struct mbox_client *cl = &pchan->cl;
+-              struct device_node *shmem = of_parse_phandle(np, "shmem", idx);
++              struct device_node *shmem __free(device_node) =
++                      of_parse_phandle(np, "shmem", idx);
+               if (!of_match_node(shmem_of_match, shmem))
+                       return -ENXIO;
+               ret = of_address_to_resource(shmem, 0, &res);
+-              of_node_put(shmem);
+               if (ret) {
+                       dev_err(dev, "failed to get SCPI payload mem resource\n");
+                       return ret;
+-- 
+2.51.0
+
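Review bot: The added `#include <linux/cleanup.h>` supplies the `__free()` attribute, but the `device_node` cleanup class itself (`DEFINE_FREE(device_node, ...)`) upstream comes from linux/of.h, so the include alone does not guarantee this 6.6 backport builds; verify the tree has that definition, otherwise keep the explicit `of_node_put(shmem)` and add one to the `return -ENXIO` path that the upstream commit identified as leaking. Behaviourally the move is fine: `shmem` is declared inside the loop body, so the reference is dropped at the end of each iteration, later than the old `of_node_put()` but before the next `of_parse_phandle()`. scpi_probe() continues on both sides of the hunk.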
diff --git a/queue-6.6/iavf-fix-vlan-filter-lost-on-add-delete-race.patch b/queue-6.6/iavf-fix-vlan-filter-lost-on-add-delete-race.patch
new file mode 100644 (file)
index 0000000..886e5b4
--- /dev/null
@@ -0,0 +1,70 @@
+From 6ef452f048a1f98d9c9281386e3515e2ca342c09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Feb 2026 11:01:37 +0100
+Subject: iavf: fix VLAN filter lost on add/delete race
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit fc9c69be594756b81b54c6bc40803fa6052f35ae ]
+
+When iavf_add_vlan() finds an existing filter in IAVF_VLAN_REMOVE
+state, it transitions the filter to IAVF_VLAN_ACTIVE assuming the
+pending delete can simply be cancelled. However, there is no guarantee
+that iavf_del_vlans() has not already processed the delete AQ request
+and removed the filter from the PF. In that case the filter remains in
+the driver's list as IAVF_VLAN_ACTIVE but is no longer programmed on
+the NIC. Since iavf_add_vlans() only picks up filters in
+IAVF_VLAN_ADD state, the filter is never re-added, and spoof checking
+drops all traffic for that VLAN.
+
+  CPU0                       CPU1                     Workqueue
+  ----                       ----                     ---------
+  iavf_del_vlan(vlan 100)
+    f->state = REMOVE
+    schedule AQ_DEL_VLAN
+                             iavf_add_vlan(vlan 100)
+                               f->state = ACTIVE
+                                                      iavf_del_vlans()
+                                                        f is ACTIVE, skip
+                                                      iavf_add_vlans()
+                                                        f is ACTIVE, skip
+
+  Filter is ACTIVE in driver but absent from NIC.
+
+Transition to IAVF_VLAN_ADD instead and schedule
+IAVF_FLAG_AQ_ADD_VLAN_FILTER so iavf_add_vlans() re-programs the
+filter.  A duplicate add is idempotent on the PF.
+
+Fixes: 0c0da0e95105 ("iavf: refactor VLAN filter states")
+Signed-off-by: Petr Oros <poros@redhat.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index f6a748ae1c959..02e07fe6a0528 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -802,10 +802,13 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter,
+               adapter->num_vlan_filters++;
+               iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER);
+       } else if (f->state == IAVF_VLAN_REMOVE) {
+-              /* IAVF_VLAN_REMOVE means that VLAN wasn't yet removed.
+-               * We can safely only change the state here.
++              /* Re-add the filter since we cannot tell whether the
++               * pending delete has already been processed by the PF.
++               * A duplicate add is harmless.
+                */
+-              f->state = IAVF_VLAN_ACTIVE;
++              f->state = IAVF_VLAN_ADD;
++              iavf_schedule_aq_request(adapter,
++                                       IAVF_FLAG_AQ_ADD_VLAN_FILTER);
+       }
+ clearout:
+-- 
+2.51.0
+
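Review bot: The new comment says a duplicate add is harmless but not why both orderings are covered, and the cheaper `IAVF_VLAN_ACTIVE` transition it replaces is exactly what a later reader may be tempted to restore. Spell it out: `/* The pending delete may or may not have reached the PF. Re-adding covers both cases: if it did, the filter is reprogrammed; if not, the PF treats the duplicate add as idempotent. */`. The idempotence claim comes from the commit message, not from anything visible here, and the lock protecting `f->state` is taken outside the hunk.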
diff --git a/queue-6.6/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch b/queue-6.6/icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
new file mode 100644 (file)
index 0000000..b2c3763
--- /dev/null
@@ -0,0 +1,68 @@
+From fcbf73e865e669002f26a424c5aab0335f513c05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 21:06:01 +0800
+Subject: icmp: fix NULL pointer dereference in icmp_tag_validation()
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit 614aefe56af8e13331e50220c936fc0689cf5675 ]
+
+icmp_tag_validation() unconditionally dereferences the result of
+rcu_dereference(inet_protos[proto]) without checking for NULL.
+The inet_protos[] array is sparse -- only about 15 of 256 protocol
+numbers have registered handlers. When ip_no_pmtu_disc is set to 3
+(hardened PMTU mode) and the kernel receives an ICMP Fragmentation
+Needed error with a quoted inner IP header containing an unregistered
+protocol number, the NULL dereference causes a kernel panic in
+softirq context.
+
+ Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
+ KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+ RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
+ Call Trace:
+  <IRQ>
+  icmp_rcv (net/ipv4/icmp.c:1527)
+  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
+  ip_local_deliver_finish (net/ipv4/ip_input.c:242)
+  ip_local_deliver (net/ipv4/ip_input.c:262)
+  ip_rcv (net/ipv4/ip_input.c:573)
+  __netif_receive_skb_one_core (net/core/dev.c:6164)
+  process_backlog (net/core/dev.c:6628)
+  handle_softirqs (kernel/softirq.c:561)
+  </IRQ>
+
+Add a NULL check before accessing icmp_strict_tag_validation. If the
+protocol has no registered handler, return false since it cannot
+perform strict tag validation.
+
+Fixes: 8ed1dc44d3e9 ("ipv4: introduce hardened ip_no_pmtu_disc mode")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Link: https://patch.msgid.link/20260318130558.1050247-4-bestswngs@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 784591ed5bb7c..64a0bc633a3eb 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -870,10 +870,12 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info)
+ static bool icmp_tag_validation(int proto)
+ {
++      const struct net_protocol *ipprot;
+       bool ok;
+       rcu_read_lock();
+-      ok = rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation;
++      ipprot = rcu_dereference(inet_protos[proto]);
++      ok = ipprot ? ipprot->icmp_strict_tag_validation : false;
+       rcu_read_unlock();
+       return ok;
+ }
+-- 
+2.51.0
+
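Review bot: The NULL check closes the remotely triggerable crash, but the `false` result is silent about what it means: for an unregistered protocol the function reports "no strict validation", which in hardened `ip_no_pmtu_disc` mode presumably makes the caller discard the quoted ICMP error, the fail-closed direction. Worth stating: `/* No L4 handler registered for proto: nothing can vouch for the quoted error, so report no strict validation (fail closed). */`. Separately, `proto` is an `int` indexed straight into `inet_protos[]`; the caller described in the commit message passes the 8-bit protocol from the quoted inner header, so it is in range there, but `if (proto < 0 || proto >= ARRAY_SIZE(inet_protos)) return false;` would keep that true if another caller appears. Attacker control of `proto` comes from the packet, per the description.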
diff --git a/queue-6.6/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch b/queue-6.6/igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch
new file mode 100644 (file)
index 0000000..cc6770d
--- /dev/null
@@ -0,0 +1,45 @@
+From 7ffef30b1b37d25b36250e4c562cebd73764dbe6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Feb 2026 19:46:32 +0000
+Subject: igc: fix missing update of skb->tail in igc_xmit_frame()
+
+From: Kohei Enju <kohei@enjuk.jp>
+
+[ Upstream commit 0ffba246652faf4a36aedc66059c2f94e4c83ea5 ]
+
+igc_xmit_frame() misses updating skb->tail when the packet size is
+shorter than the minimum one.
+Use skb_put_padto() in alignment with other Intel Ethernet drivers.
+
+Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers")
+Signed-off-by: Kohei Enju <kohei@enjuk.jp>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 3e1408e1c1fcf..13c41facfc976 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -1700,11 +1700,8 @@ static netdev_tx_t igc_xmit_frame(struct sk_buff *skb,
+       /* The minimum packet size with TCTL.PSP set is 17 so pad the skb
+        * in order to meet this minimum size requirement.
+        */
+-      if (skb->len < 17) {
+-              if (skb_padto(skb, 17))
+-                      return NETDEV_TX_OK;
+-              skb->len = 17;
+-      }
++      if (skb_put_padto(skb, 17))
++              return NETDEV_TX_OK;
+       return igc_xmit_frame_ring(skb, igc_tx_queue_mapping(adapter, skb));
+ }
+-- 
+2.51.0
+
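Review bot: Returning `NETDEV_TX_OK` after a failed `skb_put_padto()` is correct only because, as I read its contract, the helper frees the skb on failure; nothing in the hunk says so, and this is the kind of line a later reader "fixes" to `NETDEV_TX_BUSY`, which would double-free. A short comment would pin it: `/* skb_put_padto() frees the skb on failure, so it is consumed either way */`. The minimum of 17 is explained by the comment above the hunk, so that part is fine.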
diff --git a/queue-6.6/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch b/queue-6.6/mpls-add-missing-unregister_netdevice_notifier-to-mp.patch
new file mode 100644 (file)
index 0000000..a518a4a
--- /dev/null
@@ -0,0 +1,37 @@
+From cacb0a13da84a781de3445525487864f0fa4e5b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 23:35:09 +0100
+Subject: mpls: add missing unregister_netdevice_notifier to mpls_init
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 99600f79b28c83c68bae199a3d8e95049a758308 ]
+
+If mpls_init() fails after registering mpls_dev_notifier, it never
+gets removed. Add the missing unregister_netdevice_notifier() call to
+the error handling path.
+
+Fixes: 5be2062e3080 ("mpls: Handle error of rtnl_register_module().")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://patch.msgid.link/7c55363c4f743d19e2306204a134407c90a69bbb.1773228081.git.sd@queasysnail.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mpls/af_mpls.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
+index 5a4b175b78c8c..0561a530ecf0d 100644
+--- a/net/mpls/af_mpls.c
++++ b/net/mpls/af_mpls.c
+@@ -2775,6 +2775,7 @@ static int __init mpls_init(void)
+ out_unregister_rtnl_af:
+       rtnl_af_unregister(&mpls_af_ops);
+       dev_remove_pack(&mpls_packet_type);
++      unregister_netdevice_notifier(&mpls_dev_notifier);
+ out_unregister_pernet:
+       unregister_pernet_subsys(&mpls_net_ops);
+       goto out;
+-- 
+2.51.0
+
diff --git a/queue-6.6/net-bcmgenet-increase-wol-poll-timeout.patch b/queue-6.6/net-bcmgenet-increase-wol-poll-timeout.patch
new file mode 100644 (file)
index 0000000..a32b7e4
--- /dev/null
@@ -0,0 +1,38 @@
+From 4852e4c0d55d85e11a8eec8cc72f47f4ae0e6e31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 12:18:52 -0700
+Subject: net: bcmgenet: increase WoL poll timeout
+
+From: Justin Chen <justin.chen@broadcom.com>
+
+[ Upstream commit 6cfc3bc02b977f2fba5f7268e6504d1931a774f7 ]
+
+Some systems require more than 5ms to get into WoL mode. Increase the
+timeout value to 50ms.
+
+Fixes: c51de7f3976b ("net: bcmgenet: add Wake-on-LAN support code")
+Signed-off-by: Justin Chen <justin.chen@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20260312191852.3904571-1-justin.chen@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+index 3b082114f2e53..2033fb9d893e0 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+@@ -123,7 +123,7 @@ static int bcmgenet_poll_wol_status(struct bcmgenet_priv *priv)
+       while (!(bcmgenet_rbuf_readl(priv, RBUF_STATUS)
+               & RBUF_STATUS_WOL)) {
+               retries++;
+-              if (retries > 5) {
++              if (retries > 50) {
+                       netdev_crit(dev, "polling wol mode timeout\n");
+                       return -ETIMEDOUT;
+               }
+-- 
+2.51.0
+
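Review bot: The new bound `if (retries > 50)` is a second magic number replacing the first, and the hunk does not show the per-iteration delay, so a reader cannot tell what wall-clock timeout 50 iterations corresponds to; the commit message says 50ms but that is not visible in the code. I would hoist it into a named constant next to the function, e.g. `#define BCMGENET_WOL_POLL_RETRIES 50 /* ~50 ms with the per-iteration delay below */`, and use that in the comparison. If other pollers in bcmgenet_wol.c use the same loop shape, the same constant should be shared rather than duplicated. The enclosing loop and bcmgenet_poll_wol_status continue outside the hunk.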
diff --git a/queue-6.6/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch b/queue-6.6/net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
new file mode 100644 (file)
index 0000000..3752578
--- /dev/null
@@ -0,0 +1,87 @@
+From e8d1785205d6ff296dfaa7983f78344560eeb9a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 17:50:34 -0700
+Subject: net: bonding: fix NULL deref in bond_debug_rlb_hash_show
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit 605b52497bf89b3b154674deb135da98f916e390 ]
+
+rlb_clear_slave intentionally keeps RLB hash-table entries on
+the rx_hashtbl_used_head list with slave set to NULL when no
+replacement slave is available. However, bond_debug_rlb_hash_show
+visites client_info->slave without checking if it's NULL.
+
+Other used-list iterators in bond_alb.c already handle this NULL-slave
+state safely:
+
+- rlb_update_client returns early on !client_info->slave
+- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance
+compare slave values before visiting
+- lb_req_update_subnet_clients continues if slave is NULL
+
+The following NULL deref crash can be trigger in
+bond_debug_rlb_hash_show:
+
+[    1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[    1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)
+[    1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286
+[    1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204
+[    1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078
+[    1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000
+[    1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0
+[    1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8
+[    1.294864] FS:  0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000
+[    1.295239] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[    1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0
+[    1.295897] Call Trace:
+[    1.296134]  seq_read_iter (fs/seq_file.c:231)
+[    1.296341]  seq_read (fs/seq_file.c:164)
+[    1.296493]  full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))
+[    1.296658]  vfs_read (fs/read_write.c:572)
+[    1.296981]  ksys_read (fs/read_write.c:717)
+[    1.297132]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+[    1.297325]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+Add a NULL check and print "(none)" for entries with no assigned slave.
+
+Fixes: caafa84251b88 ("bonding: add the debugfs interface to see RLB hash table")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260317005034.1888794-1-xmei5@asu.edu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_debugfs.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_debugfs.c b/drivers/net/bonding/bond_debugfs.c
+index b19492a7f6ad1..3c1945c3e850a 100644
+--- a/drivers/net/bonding/bond_debugfs.c
++++ b/drivers/net/bonding/bond_debugfs.c
+@@ -34,11 +34,17 @@ static int bond_debug_rlb_hash_show(struct seq_file *m, void *v)
+       for (; hash_index != RLB_NULL_INDEX;
+            hash_index = client_info->used_next) {
+               client_info = &(bond_info->rx_hashtbl[hash_index]);
+-              seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n",
+-                      &client_info->ip_src,
+-                      &client_info->ip_dst,
+-                      &client_info->mac_dst,
+-                      client_info->slave->dev->name);
++              if (client_info->slave)
++                      seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n",
++                                 &client_info->ip_src,
++                                 &client_info->ip_dst,
++                                 &client_info->mac_dst,
++                                 client_info->slave->dev->name);
++              else
++                      seq_printf(m, "%-15pI4 %-15pI4 %-17pM (none)\n",
++                                 &client_info->ip_src,
++                                 &client_info->ip_dst,
++                                 &client_info->mac_dst);
+       }
+       spin_unlock_bh(&bond->mode_lock);
+-- 
+2.51.0
+
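Review bot: The two seq_printf calls in bond_debug_rlb_hash_show duplicate the format string and the three address arguments, differing only in the last column; a single call with a conditional name keeps them from drifting apart. I would write `seq_printf(m, "%-15pI4 %-15pI4 %-17pM %s\n", &client_info->ip_src, &client_info->ip_dst, &client_info->mac_dst, client_info->slave ? client_info->slave->dev->name : "(none)");`. A one-line comment above it, `/* slave is NULL when rlb_clear_slave found no replacement; entry stays on the used list */`, would record why the NULL case is expected rather than a bug. The function header and the spin_lock_bh that pairs with the visible spin_unlock_bh are outside the hunk.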
diff --git a/queue-6.6/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch b/queue-6.6/net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
new file mode 100644 (file)
index 0000000..3341e63
--- /dev/null
@@ -0,0 +1,59 @@
+From 8934258bd466150a945001da5b1a1bbc33a7c08d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Mar 2026 08:42:12 +0000
+Subject: net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths
+
+From: Anas Iqbal <mohd.abd.6602@gmail.com>
+
+[ Upstream commit b48731849609cbd8c53785a48976850b443153fd ]
+
+Smatch reports:
+drivers/net/dsa/bcm_sf2.c:997 bcm_sf2_sw_resume() warn:
+'priv->clk' from clk_prepare_enable() not released on lines: 983,990.
+
+The clock enabled by clk_prepare_enable() in bcm_sf2_sw_resume()
+is not released if bcm_sf2_sw_rst() or bcm_sf2_cfp_resume() fails.
+
+Add the missing clk_disable_unprepare() calls in the error paths
+to properly release the clock resource.
+
+Fixes: e9ec5c3bd238 ("net: dsa: bcm_sf2: request and handle clocks")
+Reviewed-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Anas Iqbal <mohd.abd.6602@gmail.com>
+Link: https://patch.msgid.link/20260318084212.1287-1-mohd.abd.6602@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/bcm_sf2.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
+index 257df16768750..7defcfd1c213f 100644
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -971,15 +971,19 @@ static int bcm_sf2_sw_resume(struct dsa_switch *ds)
+       ret = bcm_sf2_sw_rst(priv);
+       if (ret) {
+               pr_err("%s: failed to software reset switch\n", __func__);
++              if (!priv->wol_ports_mask)
++                      clk_disable_unprepare(priv->clk);
+               return ret;
+       }
+       bcm_sf2_crossbar_setup(priv);
+       ret = bcm_sf2_cfp_resume(ds);
+-      if (ret)
++      if (ret) {
++              if (!priv->wol_ports_mask)
++                      clk_disable_unprepare(priv->clk);
+               return ret;
+-
++      }
+       if (priv->hw_params.num_gphy == 1)
+               bcm_sf2_gphy_enable_set(ds, true);
+-- 
+2.51.0
+
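Review bot: The clock release is now duplicated in both error paths of bcm_sf2_sw_resume, each repeating the `if (!priv->wol_ports_mask)` guard; a goto-based cleanup label keeps the release in one place and makes the next error path added to this function get it for free. The guard presumably mirrors the condition under which clk_prepare_enable() was called earlier in the function, which is outside the hunk, so the label's condition should be checked against that call. The function's success path and final return are also outside the hunk, so the label has to be placed after that return. A sketch of the rewritten lines:

```c
	ret = bcm_sf2_sw_rst(priv);
	if (ret) {
		pr_err("%s: failed to software reset switch\n", __func__);
		goto out_clk;
	}
	bcm_sf2_crossbar_setup(priv);
	ret = bcm_sf2_cfp_resume(ds);
	if (ret)
		goto out_clk;
	/* … unchanged: remainder of bcm_sf2_sw_resume up to its final return … */
out_clk:
	/* clock was only taken when WoL is not keeping the switch powered */
	if (!priv->wol_ports_mask)
		clk_disable_unprepare(priv->clk);
	return ret;
```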
diff --git a/queue-6.6/net-macb-fix-uninitialized-rx_fs_lock.patch b/queue-6.6/net-macb-fix-uninitialized-rx_fs_lock.patch
new file mode 100644 (file)
index 0000000..6561778
--- /dev/null
@@ -0,0 +1,78 @@
+From 2aa220557c0f041b3871e71f60433d21e8f6bbe6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 13:38:25 +0300
+Subject: net: macb: fix uninitialized rx_fs_lock
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 34b11cc56e4369bc08b1f4c4a04222d75ed596ce ]
+
+If hardware doesn't support RX Flow Filters, rx_fs_lock spinlock is not
+initialized leading to the following assertion splat triggerable via
+set_rxnfc callback.
+
+INFO: trying to register non-static key.
+The code is fine but needs lockdep annotation, or maybe
+you didn't initialize this object before use?
+turning off the locking correctness validator.
+CPU: 1 PID: 949 Comm: syz.0.6 Not tainted 6.1.164+ #113
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106
+ assign_lock_key kernel/locking/lockdep.c:974 [inline]
+ register_lock_class+0x141b/0x17f0 kernel/locking/lockdep.c:1287
+ __lock_acquire+0x74f/0x6c40 kernel/locking/lockdep.c:4928
+ lock_acquire kernel/locking/lockdep.c:5662 [inline]
+ lock_acquire+0x190/0x4b0 kernel/locking/lockdep.c:5627
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+ _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:162
+ gem_del_flow_filter drivers/net/ethernet/cadence/macb_main.c:3562 [inline]
+ gem_set_rxnfc+0x533/0xac0 drivers/net/ethernet/cadence/macb_main.c:3667
+ ethtool_set_rxnfc+0x18c/0x280 net/ethtool/ioctl.c:961
+ __dev_ethtool net/ethtool/ioctl.c:2956 [inline]
+ dev_ethtool+0x229c/0x6290 net/ethtool/ioctl.c:3095
+ dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510
+ sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215
+ sock_ioctl+0x577/0x6d0 net/socket.c:1320
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856
+ do_syscall_x64 arch/x86/entry/common.c:46 [inline]
+ do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+A more straightforward solution would be to always initialize rx_fs_lock,
+just like rx_fs_list.  However, in this case the driver set_rxnfc callback
+would return with a rather confusing error code, e.g. -EINVAL.  So deny
+set_rxnfc attempts directly if the RX filtering feature is not supported
+by hardware.
+
+Fixes: ae8223de3df5 ("net: macb: Added support for RX filtering")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Link: https://patch.msgid.link/20260316103826.74506-2-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 1907820a7209e..693688a580022 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -3855,6 +3855,9 @@ static int gem_set_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd)
+       struct macb *bp = netdev_priv(netdev);
+       int ret;
++      if (!(netdev->hw_features & NETIF_F_NTUPLE))
++              return -EOPNOTSUPP;
++
+       switch (cmd->cmd) {
+       case ETHTOOL_SRXCLSRLINS:
+               if ((cmd->fs.location >= bp->max_tuples)
+-- 
+2.51.0
+
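Review bot: The new early return in gem_set_rxnfc has no comment tying `NETIF_F_NTUPLE` to the uninitialised rx_fs_lock, so the next reader will see an ordinary capability check and may not realise that removing it reintroduces a lock-use-before-init; I would add `/* rx_fs_lock/rx_fs_list are only set up when RX flow filtering is supported */` above the `if`. That NETIF_F_NTUPLE is exactly the condition under which the lock is initialised is inferred from the commit message, not visible here, so the comment should state whatever the probe path actually keys on. It is also worth confirming whether the matching get_rxnfc callback touches rx_fs_lock and needs the same guard. The switch body and the rest of gem_set_rxnfc continue outside the hunk.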
diff --git a/queue-6.6/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch b/queue-6.6/net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch
new file mode 100644 (file)
index 0000000..302a11c
--- /dev/null
@@ -0,0 +1,67 @@
+From 6476ab160238350b8e43fa50b6e3bf21586bb820 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 12:22:04 -0700
+Subject: net: mana: fix use-after-free in mana_hwc_destroy_channel() by
+ reordering teardown
+
+From: Dipayaan Roy <dipayanroy@linux.microsoft.com>
+
+[ Upstream commit fa103fc8f56954a60699a29215cb713448a39e87 ]
+
+A potential race condition exists in mana_hwc_destroy_channel() where
+hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and
+Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt
+handler to dereference freed memory, leading to a use-after-free or
+NULL pointer dereference in mana_hwc_handle_resp().
+
+mana_smc_teardown_hwc() signals the hardware to stop but does not
+synchronize against IRQ handlers already executing on other CPUs. The
+IRQ synchronization only happens in mana_hwc_destroy_cq() via
+mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs
+after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler()
+can dereference freed caller_ctx (and rxq->msg_buf) in
+mana_hwc_handle_resp().
+
+Fix this by reordering teardown to reverse-of-creation order: destroy
+the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This
+ensures all in-flight interrupt handlers complete before the memory they
+access is freed.
+
+Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/abHA3AjNtqa1nx9k@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+index 9d6426d4158e3..148dda6570fc5 100644
+--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
++++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+@@ -776,9 +776,6 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
+               gc->max_num_cqs = 0;
+       }
+-      kfree(hwc->caller_ctx);
+-      hwc->caller_ctx = NULL;
+-
+       if (hwc->txq)
+               mana_hwc_destroy_wq(hwc, hwc->txq);
+@@ -788,6 +785,9 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
+       if (hwc->cq)
+               mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq);
++      kfree(hwc->caller_ctx);
++      hwc->caller_ctx = NULL;
++
+       mana_gd_free_res_map(&hwc->inflight_msg_res);
+       hwc->num_inflight_msg = 0;
+-- 
+2.51.0
+
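Review bot: The moved `kfree(hwc->caller_ctx)` carries no comment explaining why it must come after mana_hwc_destroy_cq(), so a later cleanup that "groups the frees together" could silently reintroduce the use-after-free; the ordering constraint lives only in the commit message. I would add above the kfree `/* Must follow CQ/EQ teardown: that is where the IRQ is deregistered, so no handler can still dereference caller_ctx. */`. The claim that mana_hwc_destroy_cq() is what synchronises the IRQ comes from the commit message rather than the visible lines, so the comment should be checked against mana_gd_destroy_eq(). Both hunks sit inside mana_hwc_destroy_channel, whose start and end are outside the patch.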
diff --git a/queue-6.6/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch b/queue-6.6/net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch
new file mode 100644 (file)
index 0000000..a93fe38
--- /dev/null
@@ -0,0 +1,112 @@
+From 51d02bada6833bae8bb8cbb5ac1921f80a000109 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 11:46:01 +0200
+Subject: net/mlx5: qos: Restrict RTNL area to avoid a lock cycle
+
+From: Cosmin Ratiu <cratiu@nvidia.com>
+
+[ Upstream commit b7e3a5d9c0d66b7fb44f63aef3bd734821afa0c8 ]
+
+A lock dependency cycle exists where:
+1. mlx5_ib_roce_init -> mlx5_core_uplink_netdev_event_replay ->
+mlx5_blocking_notifier_call_chain (takes notifier_rwsem) ->
+mlx5e_mdev_notifier_event -> mlx5_netdev_notifier_register ->
+register_netdevice_notifier_dev_net (takes rtnl)
+=> notifier_rwsem -> rtnl
+
+2. mlx5e_probe -> _mlx5e_probe ->
+mlx5_core_uplink_netdev_set (takes uplink_netdev_lock) ->
+mlx5_blocking_notifier_call_chain (takes notifier_rwsem)
+=> uplink_netdev_lock -> notifier_rwsem
+
+3: devlink_nl_rate_set_doit -> devlink_nl_rate_set ->
+mlx5_esw_devlink_rate_leaf_tx_max_set -> esw_qos_devlink_rate_to_mbps ->
+mlx5_esw_qos_max_link_speed_get (takes rtnl) ->
+mlx5_esw_qos_lag_link_speed_get_locked ->
+mlx5_uplink_netdev_get (takes uplink_netdev_lock)
+=> rtnl -> uplink_netdev_lock
+=> BOOM! (lock cycle)
+
+Fix that by restricting the rtnl-protected section to just the necessary
+part, the call to netdev_master_upper_dev_get and speed querying, so
+that the last lock dependency is avoided and the cycle doesn't close.
+This is safe because mlx5_uplink_netdev_get uses netdev_hold to keep the
+uplink netdev alive while its master device is queried.
+
+Use this opportunity to rename the ambiguously-named "hold_rtnl_lock"
+argument to "take_rtnl" and remove the "_locked" suffix from
+mlx5_esw_qos_lag_link_speed_get_locked.
+
+Fixes: 6b4be64fd9fe ("net/mlx5e: Harden uplink netdev access against device unbind")
+Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260316094603.6999-2-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/esw/qos.c | 23 ++++++++-----------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
+index 05fbd2098b268..71df503f40d6d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
+@@ -713,24 +713,24 @@ int mlx5_esw_qos_set_vport_rate(struct mlx5_eswitch *esw, struct mlx5_vport *vpo
+       return err;
+ }
+-static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev)
++static u32 mlx5_esw_qos_lag_link_speed_get(struct mlx5_core_dev *mdev,
++                                         bool take_rtnl)
+ {
+       struct ethtool_link_ksettings lksettings;
+       struct net_device *slave, *master;
+       u32 speed = SPEED_UNKNOWN;
+-      /* Lock ensures a stable reference to master and slave netdevice
+-       * while port speed of master is queried.
+-       */
+-      ASSERT_RTNL();
+-
+       slave = mlx5_uplink_netdev_get(mdev);
+       if (!slave)
+               goto out;
++      if (take_rtnl)
++              rtnl_lock();
+       master = netdev_master_upper_dev_get(slave);
+       if (master && !__ethtool_get_link_ksettings(master, &lksettings))
+               speed = lksettings.base.speed;
++      if (take_rtnl)
++              rtnl_unlock();
+ out:
+       mlx5_uplink_netdev_put(mdev, slave);
+@@ -738,20 +738,15 @@ static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev)
+ }
+ static int mlx5_esw_qos_max_link_speed_get(struct mlx5_core_dev *mdev, u32 *link_speed_max,
+-                                         bool hold_rtnl_lock, struct netlink_ext_ack *extack)
++                                         bool take_rtnl,
++                                         struct netlink_ext_ack *extack)
+ {
+       int err;
+       if (!mlx5_lag_is_active(mdev))
+               goto skip_lag;
+-      if (hold_rtnl_lock)
+-              rtnl_lock();
+-
+-      *link_speed_max = mlx5_esw_qos_lag_link_speed_get_locked(mdev);
+-
+-      if (hold_rtnl_lock)
+-              rtnl_unlock();
++      *link_speed_max = mlx5_esw_qos_lag_link_speed_get(mdev, take_rtnl);
+       if (*link_speed_max != (u32)SPEED_UNKNOWN)
+               return 0;
+-- 
+2.51.0
+
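Review bot: mlx5_esw_qos_lag_link_speed_get drops the `ASSERT_RTNL()` entirely, so when a caller passes `take_rtnl == false` nothing now checks that it really holds rtnl around netdev_master_upper_dev_get() and __ethtool_get_link_ksettings(); the old comment about the lock giving a stable master/slave reference was the only documentation of that requirement. I would keep the check on the non-taking branch, `if (take_rtnl) rtnl_lock(); else ASSERT_RTNL();`, so the lockdep-style guard survives the refactor. Which callers pass false is not visible in the hunk, so this is a safety net rather than a known bug. The tail of mlx5_esw_qos_max_link_speed_get, including the skip_lag path, is outside the hunk.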
diff --git a/queue-6.6/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch b/queue-6.6/net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch
new file mode 100644 (file)
index 0000000..ee18e86
--- /dev/null
@@ -0,0 +1,128 @@
+From 9d79acebefa0fa44ef61dc6014cde59eab767039 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 11:46:03 +0200
+Subject: net/mlx5e: Fix race condition during IPSec ESN update
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit beb6e2e5976a128b0cccf10d158124422210c5ef ]
+
+In IPSec full offload mode, the device reports an ESN (Extended
+Sequence Number) wrap event to the driver. The driver validates this
+event by querying the IPSec ASO and checking that the esn_event_arm
+field is 0x0, which indicates an event has occurred. After handling
+the event, the driver must re-arm the context by setting esn_event_arm
+back to 0x1.
+
+A race condition exists in this handling path. After validating the
+event, the driver calls mlx5_accel_esp_modify_xfrm() to update the
+kernel's xfrm state. This function temporarily releases and
+re-acquires the xfrm state lock.
+
+So, need to acknowledge the event first by setting esn_event_arm to
+0x1. This prevents the driver from reprocessing the same ESN update if
+the hardware sends events for other reason. Since the next ESN update
+only occurs after nearly 2^31 packets are received, there's no risk of
+missing an update, as it will happen long after this handling has
+finished.
+
+Processing the event twice causes the ESN high-order bits (esn_msb) to
+be incremented incorrectly. The driver then programs the hardware with
+this invalid ESN state, which leads to anti-replay failures and a
+complete halt of IPSec traffic.
+
+Fix this by re-arming the ESN event immediately after it is validated,
+before calling mlx5_accel_esp_modify_xfrm(). This ensures that any
+spurious, duplicate events are correctly ignored, closing the race
+window.
+
+Fixes: fef06678931f ("net/mlx5e: Fix ESN update kernel panic")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260316094603.6999-4-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mlx5/core/en_accel/ipsec_offload.c        | 33 ++++++++-----------
+ 1 file changed, 14 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+index eab368dea0e27..fd03aa4f47b5a 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+@@ -309,10 +309,11 @@ static void mlx5e_ipsec_aso_update(struct mlx5e_ipsec_sa_entry *sa_entry,
+       mlx5e_ipsec_aso_query(sa_entry, data);
+ }
+-static void mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry,
+-                                       u32 mode_param)
++static void
++mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry,
++                           u32 mode_param,
++                           struct mlx5_accel_esp_xfrm_attrs *attrs)
+ {
+-      struct mlx5_accel_esp_xfrm_attrs attrs = {};
+       struct mlx5_wqe_aso_ctrl_seg data = {};
+       if (mode_param < MLX5E_IPSEC_ESN_SCOPE_MID) {
+@@ -322,18 +323,7 @@ static void mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry,
+               sa_entry->esn_state.overlap = 1;
+       }
+-      mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, &attrs);
+-
+-      /* It is safe to execute the modify below unlocked since the only flows
+-       * that could affect this HW object, are create, destroy and this work.
+-       *
+-       * Creation flow can't co-exist with this modify work, the destruction
+-       * flow would cancel this work, and this work is a single entity that
+-       * can't conflict with it self.
+-       */
+-      spin_unlock_bh(&sa_entry->x->lock);
+-      mlx5_accel_esp_modify_xfrm(sa_entry, &attrs);
+-      spin_lock_bh(&sa_entry->x->lock);
++      mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, attrs);
+       data.data_offset_condition_operand =
+               MLX5_IPSEC_ASO_REMOVE_FLOW_PKT_CNT_OFFSET;
+@@ -450,7 +440,9 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+       struct mlx5e_ipsec_work *work =
+               container_of(_work, struct mlx5e_ipsec_work, work);
+       struct mlx5e_ipsec_sa_entry *sa_entry = work->data;
++      struct mlx5_accel_esp_xfrm_attrs tmp = {};
+       struct mlx5_accel_esp_xfrm_attrs *attrs;
++      bool need_modify = false;
+       int ret;
+       attrs = &sa_entry->attrs;
+@@ -460,19 +452,22 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+       if (ret)
+               goto unlock;
++      if (attrs->lft.soft_packet_limit != XFRM_INF)
++              mlx5e_ipsec_handle_limits(sa_entry);
++
+       if (attrs->replay_esn.trigger &&
+           !MLX5_GET(ipsec_aso, sa_entry->ctx, esn_event_arm)) {
+               u32 mode_param = MLX5_GET(ipsec_aso, sa_entry->ctx,
+                                         mode_parameter);
+-              mlx5e_ipsec_update_esn_state(sa_entry, mode_param);
++              mlx5e_ipsec_update_esn_state(sa_entry, mode_param, &tmp);
++              need_modify = true;
+       }
+-      if (attrs->lft.soft_packet_limit != XFRM_INF)
+-              mlx5e_ipsec_handle_limits(sa_entry);
+-
+ unlock:
+       spin_unlock_bh(&sa_entry->x->lock);
++      if (need_modify)
++              mlx5_accel_esp_modify_xfrm(sa_entry, &tmp);
+       kfree(work);
+ }
+-- 
+2.51.0
+
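Review bot: The deferred `mlx5_accel_esp_modify_xfrm(sa_entry, &tmp)` after `unlock:` has no comment, while the comment that used to justify running the modify unlocked (creation can't coexist, destruction cancels this work, the work is single-threaded) was deleted along with the old unlock/relock; that reasoning is still what makes the deferred call safe and should move with it, e.g. `/* Done outside x->lock: the ESN event is already re-armed above, and only create/destroy touch this HW object. */`. The hunk also moves mlx5e_ipsec_handle_limits() ahead of the ESN check, which the commit message does not mention; if the order matters, a one-line comment saying why would help, and if it doesn't, the move looks like an unrelated change. mlx5e_ipsec_update_esn_state and mlx5e_ipsec_handle_event both have lines outside the hunk.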
diff --git a/queue-6.6/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch b/queue-6.6/net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch
new file mode 100644 (file)
index 0000000..aea68a9
--- /dev/null
@@ -0,0 +1,115 @@
+From f019586d1626d8563a0a7ee60e5cfce4587f5c4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 11:46:02 +0200
+Subject: net/mlx5e: Prevent concurrent access to IPSec ASO context
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 99b36850d881e2d65912b2520a1c80d0fcc9429a ]
+
+The query or updating IPSec offload object is through Access ASO WQE.
+The driver uses a single mlx5e_ipsec_aso struct for each PF, which
+contains a shared DMA-mapped context for all ASO operations.
+
+A race condition exists because the ASO spinlock is released before
+the hardware has finished processing WQE. If a second operation is
+initiated immediately after, it overwrites the shared context in the
+DMA area.
+
+When the first operation's completion is processed later, it reads
+this corrupted context, leading to unexpected behavior and incorrect
+results.
+
+This commit fixes the race by introducing a private context within
+each IPSec offload object. The shared ASO context is now copied to
+this private context while the ASO spinlock is held. Subsequent
+processing uses this saved, per-object context, ensuring its integrity
+is maintained.
+
+Fixes: 1ed78fc03307 ("net/mlx5e: Update IPsec soft and hard limits")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260316094603.6999-3-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/en_accel/ipsec.h         |  1 +
+ .../mellanox/mlx5/core/en_accel/ipsec_offload.c | 17 ++++++++---------
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
+index 9e7c42c2f77b2..bb8942b1a23d2 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
+@@ -266,6 +266,7 @@ struct mlx5e_ipsec_sa_entry {
+       struct mlx5e_ipsec_dwork *dwork;
+       struct mlx5e_ipsec_limits limits;
+       u32 rx_mapped_id;
++      u8 ctx[MLX5_ST_SZ_BYTES(ipsec_aso)];
+ };
+ struct mlx5_accel_pol_xfrm_attrs {
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+index 940e350058d10..eab368dea0e27 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+@@ -369,20 +369,18 @@ static void mlx5e_ipsec_aso_update_soft(struct mlx5e_ipsec_sa_entry *sa_entry,
+ static void mlx5e_ipsec_handle_limits(struct mlx5e_ipsec_sa_entry *sa_entry)
+ {
+       struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs;
+-      struct mlx5e_ipsec *ipsec = sa_entry->ipsec;
+-      struct mlx5e_ipsec_aso *aso = ipsec->aso;
+       bool soft_arm, hard_arm;
+       u64 hard_cnt;
+       lockdep_assert_held(&sa_entry->x->lock);
+-      soft_arm = !MLX5_GET(ipsec_aso, aso->ctx, soft_lft_arm);
+-      hard_arm = !MLX5_GET(ipsec_aso, aso->ctx, hard_lft_arm);
++      soft_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, soft_lft_arm);
++      hard_arm = !MLX5_GET(ipsec_aso, sa_entry->ctx, hard_lft_arm);
+       if (!soft_arm && !hard_arm)
+               /* It is not lifetime event */
+               return;
+-      hard_cnt = MLX5_GET(ipsec_aso, aso->ctx, remove_flow_pkt_cnt);
++      hard_cnt = MLX5_GET(ipsec_aso, sa_entry->ctx, remove_flow_pkt_cnt);
+       if (!hard_cnt || hard_arm) {
+               /* It is possible to see packet counter equal to zero without
+                * hard limit event armed. Such situation can be if packet
+@@ -453,10 +451,8 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+               container_of(_work, struct mlx5e_ipsec_work, work);
+       struct mlx5e_ipsec_sa_entry *sa_entry = work->data;
+       struct mlx5_accel_esp_xfrm_attrs *attrs;
+-      struct mlx5e_ipsec_aso *aso;
+       int ret;
+-      aso = sa_entry->ipsec->aso;
+       attrs = &sa_entry->attrs;
+       spin_lock_bh(&sa_entry->x->lock);
+@@ -465,8 +461,9 @@ static void mlx5e_ipsec_handle_event(struct work_struct *_work)
+               goto unlock;
+       if (attrs->replay_esn.trigger &&
+-          !MLX5_GET(ipsec_aso, aso->ctx, esn_event_arm)) {
+-              u32 mode_param = MLX5_GET(ipsec_aso, aso->ctx, mode_parameter);
++          !MLX5_GET(ipsec_aso, sa_entry->ctx, esn_event_arm)) {
++              u32 mode_param = MLX5_GET(ipsec_aso, sa_entry->ctx,
++                                        mode_parameter);
+               mlx5e_ipsec_update_esn_state(sa_entry, mode_param);
+       }
+@@ -628,6 +625,8 @@ int mlx5e_ipsec_aso_query(struct mlx5e_ipsec_sa_entry *sa_entry,
+                       /* We are in atomic context */
+                       udelay(10);
+       } while (ret && time_is_after_jiffies(expires));
++      if (!ret)
++              memcpy(sa_entry->ctx, aso->ctx, MLX5_ST_SZ_BYTES(ipsec_aso));
+       spin_unlock_bh(&aso->lock);
+       return ret;
+ }
+-- 
+2.51.0
+
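Review bot: The new `u8 ctx[MLX5_ST_SZ_BYTES(ipsec_aso)]` field in struct mlx5e_ipsec_sa_entry has no comment, and the memcpy in mlx5e_ipsec_aso_query repeats the size macro instead of taking it from the destination; I would document the field as `/* per-SA snapshot of the shared aso->ctx, copied under aso->lock by mlx5e_ipsec_aso_query() */` and write the copy as `memcpy(sa_entry->ctx, aso->ctx, sizeof(sa_entry->ctx));` so the two sizes cannot diverge. The copy is done only on `!ret`, which matches the `goto unlock` on error in mlx5e_ipsec_handle_event, but the readers in mlx5e_ipsec_handle_limits now rely on a successful query having run first under x->lock; that ordering is presumably what the lockdep_assert_held covers and is worth stating in the field comment. All three touched functions extend outside the hunk.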
diff --git a/queue-6.6/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch b/queue-6.6/net-mvpp2-guard-flow-control-update-with-global_tx_f.patch
new file mode 100644 (file)
index 0000000..220452b
--- /dev/null
@@ -0,0 +1,86 @@
+From 9b2061f04e3d82bc8a1f215192f14ed7e41de351 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 12:31:01 -0700
+Subject: net: mvpp2: guard flow control update with global_tx_fc in buffer
+ switching
+
+From: Muhammad Hammad Ijaz <mhijaz@amazon.com>
+
+[ Upstream commit 8a63baadf08453f66eb582fdb6dd234f72024723 ]
+
+mvpp2_bm_switch_buffers() unconditionally calls
+mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and
+shared buffer pool modes. This function programs CM3 flow control
+registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference
+priv->cm3_base without any NULL check.
+
+When the CM3 SRAM resource is not present in the device tree (the
+third reg entry added by commit 60523583b07c ("dts: marvell: add CM3
+SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains
+NULL and priv->global_tx_fc is false. Any operation that triggers
+mvpp2_bm_switch_buffers(), for example an MTU change that crosses
+the jumbo frame threshold, will crash:
+
+  Unable to handle kernel NULL pointer dereference at
+  virtual address 0000000000000000
+  Mem abort info:
+    ESR = 0x0000000096000006
+    EC = 0x25: DABT (current EL), IL = 32 bits
+  pc : readl+0x0/0x18
+  lr : mvpp2_cm3_read.isra.0+0x14/0x20
+  Call trace:
+   readl+0x0/0x18
+   mvpp2_bm_pool_update_fc+0x40/0x12c
+   mvpp2_bm_pool_update_priv_fc+0x94/0xd8
+   mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0
+   mvpp2_change_mtu+0x140/0x380
+   __dev_set_mtu+0x1c/0x38
+   dev_set_mtu_ext+0x78/0x118
+   dev_set_mtu+0x48/0xa8
+   dev_ifsioc+0x21c/0x43c
+   dev_ioctl+0x2d8/0x42c
+   sock_ioctl+0x314/0x378
+
+Every other flow control call site in the driver already guards
+hardware access with either priv->global_tx_fc or port->tx_fc.
+mvpp2_bm_switch_buffers() is the only place that omits this check.
+
+Add the missing priv->global_tx_fc guard to both the disable and
+re-enable calls in mvpp2_bm_switch_buffers(), consistent with the
+rest of the driver.
+
+Fixes: 3a616b92a9d1 ("net: mvpp2: Add TX flow control support for jumbo frames")
+Signed-off-by: Muhammad Hammad Ijaz <mhijaz@amazon.com>
+Reviewed-by: Gunnar Kudrjavets <gunnarku@amazon.com>
+Link: https://patch.msgid.link/20260316193157.65748-1-mhijaz@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index aabc39f7690f8..410c9dea4fa2e 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -5012,7 +5012,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+       if (priv->percpu_pools)
+               numbufs = port->nrxqs * 2;
+-      if (change_percpu)
++      if (change_percpu && priv->global_tx_fc)
+               mvpp2_bm_pool_update_priv_fc(priv, false);
+       for (i = 0; i < numbufs; i++)
+@@ -5037,7 +5037,7 @@ static int mvpp2_bm_switch_buffers(struct mvpp2 *priv, bool percpu)
+                       mvpp2_open(port->dev);
+       }
+-      if (change_percpu)
++      if (change_percpu && priv->global_tx_fc)
+               mvpp2_bm_pool_update_priv_fc(priv, true);
+       return 0;
+-- 
+2.51.0
+
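Review bot: The "cm3_base may be NULL" invariant is now enforced at the two call sites instead of in mvpp2_bm_pool_update_priv_fc() itself, so the next caller added to the driver can reintroduce exactly this NULL dereference; if the callee's prologue does not already bail out, a `if (!priv->global_tx_fc) return;` there (outside this hunk) would make the guard impossible to forget, with the call-site checks kept as cheap early-outs. Both `if (change_percpu && priv->global_tx_fc)` lines would also read better with a why-comment such as `/* CM3 flow-control registers are only mapped when global_tx_fc is set */`, since nothing in the hunk says what the flag stands for. mvpp2_bm_switch_buffers() begins and ends outside the hunk.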
diff --git a/queue-6.6/net-rose-fix-null-pointer-dereference-in-rose_transm.patch b/queue-6.6/net-rose-fix-null-pointer-dereference-in-rose_transm.patch
new file mode 100644 (file)
index 0000000..69e221d
--- /dev/null
@@ -0,0 +1,64 @@
+From 010e1833c15f7117be13bda50dd9284e1d07329e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Mar 2026 15:06:02 +0800
+Subject: net/rose: fix NULL pointer dereference in rose_transmit_link on
+ reconnect
+
+From: Jiayuan Chen <jiayuan.chen@shopee.com>
+
+[ Upstream commit e1f0a18c9564cdb16523c802e2c6fe5874e3d944 ]
+
+syzkaller reported a bug [1], and the reproducer is available at [2].
+
+ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN,
+TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects
+calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING
+(-ECONNREFUSED), but lacks a check for TCP_SYN_SENT.
+
+When rose_connect() is called a second time while the first connection
+attempt is still in progress (TCP_SYN_SENT), it overwrites
+rose->neighbour via rose_get_neigh(). If that returns NULL, the socket
+is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL.
+When the socket is subsequently closed, rose_release() sees
+ROSE_STATE_1 and calls rose_write_internal() ->
+rose_transmit_link(skb, NULL), causing a NULL pointer dereference.
+
+Per connect(2), a second connect() while a connection is already in
+progress should return -EALREADY. Add this missing check for
+TCP_SYN_SENT to complete the state validation in rose_connect().
+
+[1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271
+[2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+d00f90e0af54102fb271@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0027.GAE@google.com/T/
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260311070611.76913-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 1cc5eaeb1c608..e80bc7788bec5 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -810,6 +810,11 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
+               goto out_release;
+       }
++      if (sk->sk_state == TCP_SYN_SENT) {
++              err = -EALREADY;
++              goto out_release;
++      }
++
+       sk->sk_state   = TCP_CLOSE;
+       sock->state = SS_UNCONNECTED;
+-- 
+2.51.0
+
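Review bot: The new `TCP_SYN_SENT` check carries no comment about the invariant it protects, which is that rose->neighbour must stay valid while rose->state is ROSE_STATE_1, because rose_release() will otherwise hand a NULL neighbour to rose_transmit_link(); returning -EALREADY is the connect(2) contract, but the NULL-deref is the reason the order of these state checks matters. A line above the `if` such as `/* A connect is in flight: re-entering would clobber rose->neighbour and leave ROSE_STATE_1 with a NULL neighbour */` would keep a future reorder of the checks, or of the `sk->sk_state = TCP_CLOSE` reset that follows, from quietly reopening the bug. rose_connect() begins and ends outside the hunk.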
diff --git a/queue-6.6/net-sched-teql-fix-double-free-in-teql_master_xmit.patch b/queue-6.6/net-sched-teql-fix-double-free-in-teql_master_xmit.patch
new file mode 100644 (file)
index 0000000..6ab803e
--- /dev/null
@@ -0,0 +1,202 @@
+From 98198770adf9933beb9cfe7bbdd94899860119dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Mar 2026 11:54:22 -0400
+Subject: net/sched: teql: Fix double-free in teql_master_xmit
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit 66360460cab63c248ca5b1070a01c0c29133b960 ]
+
+Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should
+be called using the seq_lock to avoid racing with the datapath. Failure
+to do so may cause crashes like the following:
+
+[  238.028993][  T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)
+[  238.029328][  T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318
+[  238.029749][  T318]
+[  238.029900][  T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)
+[  238.029906][  T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+[  238.029910][  T318] Call Trace:
+[  238.029913][  T318]  <TASK>
+[  238.029916][  T318]  dump_stack_lvl (lib/dump_stack.c:122)
+[  238.029928][  T318]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
+[  238.029940][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
+[  238.029944][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+...
+[  238.029957][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
+[  238.029969][  T318]  kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)
+[  238.029979][  T318]  ? skb_release_data (net/core/skbuff.c:1139)
+[  238.029989][  T318]  check_slab_allocation (mm/kasan/common.c:231)
+[  238.029995][  T318]  kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))
+[  238.030004][  T318]  skb_release_data (net/core/skbuff.c:1139)
+...
+[  238.030025][  T318]  sk_skb_reason_drop (net/core/skbuff.c:1256)
+[  238.030032][  T318]  pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)
+[  238.030039][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+...
+[  238.030054][  T318]  qdisc_reset (net/sched/sch_generic.c:1034)
+[  238.030062][  T318]  teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)
+[  238.030071][  T318]  __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)
+[  238.030077][  T318]  qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)
+[  238.030089][  T318]  ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)
+[  238.030095][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[  238.030102][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[  238.030106][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
+[  238.030114][  T318]  tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)
+...
+[  238.072958][  T318] Allocated by task 303 on cpu 5 at 238.026275s:
+[  238.073392][  T318]  kasan_save_stack (mm/kasan/common.c:58)
+[  238.073884][  T318]  kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
+[  238.074230][  T318]  __kasan_slab_alloc (mm/kasan/common.c:369)
+[  238.074578][  T318]  kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)
+[  238.076091][  T318]  kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))
+[  238.076450][  T318]  __alloc_skb (net/core/skbuff.c:713)
+[  238.076834][  T318]  alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)
+[  238.077178][  T318]  sock_alloc_send_pskb (net/core/sock.c:2997)
+[  238.077520][  T318]  packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)
+[  238.081469][  T318]
+[  238.081870][  T318] Freed by task 299 on cpu 1 at 238.028496s:
+[  238.082761][  T318]  kasan_save_stack (mm/kasan/common.c:58)
+[  238.083481][  T318]  kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))
+[  238.085348][  T318]  kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))
+[  238.085900][  T318]  __kasan_slab_free (mm/kasan/common.c:287)
+[  238.086439][  T318]  kmem_cache_free (mm/slub.c:6168 (discriminator 3) mm/slub.c:6298 (discriminator 3))
+[  238.087007][  T318]  skb_release_data (net/core/skbuff.c:1139)
+[  238.087491][  T318]  consume_skb (net/core/skbuff.c:1451)
+[  238.087757][  T318]  teql_master_xmit (net/sched/sch_teql.c:358)
+[  238.088116][  T318]  dev_hard_start_xmit (./include/linux/netdevice.h:5324 ./include/linux/netdevice.h:5333 net/core/dev.c:3871 net/core/dev.c:3887)
+[  238.088468][  T318]  sch_direct_xmit (net/sched/sch_generic.c:347)
+[  238.088820][  T318]  __qdisc_run (net/sched/sch_generic.c:420 (discriminator 1))
+[  238.089166][  T318]  __dev_queue_xmit (./include/net/sch_generic.h:229 ./include/net/pkt_sched.h:121 ./include/net/pkt_sched.h:117 net/core/dev.c:4196 net/core/dev.c:4802)
+
+Workflow to reproduce:
+1. Initialize a TEQL topology (dummy0 and ifb0 as slaves, teql0 up).
+2. Start multiple sender workers continuously transmitting packets
+   through teql0 to drive teql_master_xmit().
+3. In parallel, repeatedly delete and re-add the root qdisc on
+   dummy0 and ifb0 via RTNETLINK, forcing frequent teardown and reset activity
+   (teql_destroy() / qdisc_reset()).
+4. After running both workloads concurrently for several iterations,
+   KASAN reports slab-use-after-free or double-free in the skb free path.
+
+Fix this by moving dev_reset_queue to sch_generic.h and calling it, instead
+of qdisc_reset, in teql_destroy since it handles both the lock and lockless
+cases correctly for root qdiscs.
+
+Fixes: 96009c7d500e ("sched: replace __QDISC_STATE_RUNNING bit with a spin lock")
+Reported-by: Xianrui Dong <keenanat2000@gmail.com>
+Tested-by: Xianrui Dong <keenanat2000@gmail.com>
+Co-developed-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260315155422.147256-1-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sch_generic.h | 28 ++++++++++++++++++++++++++++
+ net/sched/sch_generic.c   | 27 ---------------------------
+ net/sched/sch_teql.c      |  7 ++-----
+ 3 files changed, 30 insertions(+), 32 deletions(-)
+
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index 232b7b22e993a..15f4a0548d824 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -694,6 +694,34 @@ void qdisc_destroy(struct Qdisc *qdisc);
+ void qdisc_put(struct Qdisc *qdisc);
+ void qdisc_put_unlocked(struct Qdisc *qdisc);
+ void qdisc_tree_reduce_backlog(struct Qdisc *qdisc, int n, int len);
++
++static inline void dev_reset_queue(struct net_device *dev,
++                                 struct netdev_queue *dev_queue,
++                                 void *_unused)
++{
++      struct Qdisc *qdisc;
++      bool nolock;
++
++      qdisc = rtnl_dereference(dev_queue->qdisc_sleeping);
++      if (!qdisc)
++              return;
++
++      nolock = qdisc->flags & TCQ_F_NOLOCK;
++
++      if (nolock)
++              spin_lock_bh(&qdisc->seqlock);
++      spin_lock_bh(qdisc_lock(qdisc));
++
++      qdisc_reset(qdisc);
++
++      spin_unlock_bh(qdisc_lock(qdisc));
++      if (nolock) {
++              clear_bit(__QDISC_STATE_MISSED, &qdisc->state);
++              clear_bit(__QDISC_STATE_DRAINING, &qdisc->state);
++              spin_unlock_bh(&qdisc->seqlock);
++      }
++}
++
+ #ifdef CONFIG_NET_SCHED
+ int qdisc_offload_dump_helper(struct Qdisc *q, enum tc_setup_type type,
+                             void *type_data);
+diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
+index c1c67da2d3fc4..714e51f8d46e9 100644
+--- a/net/sched/sch_generic.c
++++ b/net/sched/sch_generic.c
+@@ -1290,33 +1290,6 @@ static void dev_deactivate_queue(struct net_device *dev,
+       }
+ }
+-static void dev_reset_queue(struct net_device *dev,
+-                          struct netdev_queue *dev_queue,
+-                          void *_unused)
+-{
+-      struct Qdisc *qdisc;
+-      bool nolock;
+-
+-      qdisc = rtnl_dereference(dev_queue->qdisc_sleeping);
+-      if (!qdisc)
+-              return;
+-
+-      nolock = qdisc->flags & TCQ_F_NOLOCK;
+-
+-      if (nolock)
+-              spin_lock_bh(&qdisc->seqlock);
+-      spin_lock_bh(qdisc_lock(qdisc));
+-
+-      qdisc_reset(qdisc);
+-
+-      spin_unlock_bh(qdisc_lock(qdisc));
+-      if (nolock) {
+-              clear_bit(__QDISC_STATE_MISSED, &qdisc->state);
+-              clear_bit(__QDISC_STATE_DRAINING, &qdisc->state);
+-              spin_unlock_bh(&qdisc->seqlock);
+-      }
+-}
+-
+ static bool some_qdisc_is_busy(struct net_device *dev)
+ {
+       unsigned int i;
+diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
+index c89cb6eba27da..efcca26966213 100644
+--- a/net/sched/sch_teql.c
++++ b/net/sched/sch_teql.c
+@@ -146,15 +146,12 @@ teql_destroy(struct Qdisc *sch)
+                                       master->slaves = NEXT_SLAVE(q);
+                                       if (q == master->slaves) {
+                                               struct netdev_queue *txq;
+-                                              spinlock_t *root_lock;
+                                               txq = netdev_get_tx_queue(master->dev, 0);
+                                               master->slaves = NULL;
+-                                              root_lock = qdisc_root_sleeping_lock(rtnl_dereference(txq->qdisc));
+-                                              spin_lock_bh(root_lock);
+-                                              qdisc_reset(rtnl_dereference(txq->qdisc));
+-                                              spin_unlock_bh(root_lock);
++                                              dev_reset_queue(master->dev,
++                                                              txq, NULL);
+                                       }
+                               }
+                               skb_queue_purge(&dat->q);
+-- 
+2.51.0
+
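Review bot: dev_reset_queue() is now a header-exported helper but has no kernel-doc, and its contract is not obvious from the body: it must run under RTNL (it uses rtnl_dereference()), it takes `seqlock` before the qdisc lock for TCQ_F_NOLOCK roots (the actual fix), and it resets `qdisc_sleeping` rather than `txq->qdisc`. That last point is a behaviour change for teql: the removed code reset `rtnl_dereference(txq->qdisc)`, which is noop_qdisc while the master device is deactivated, whereas `qdisc_sleeping` is the real root — presumably intended, as it matches dev_deactivate_many(), but it deserves a sentence in the comment. The `void *_unused` parameter only exists to fit the netdev_for_each_tx_queue() callback signature, which the comment should state so direct callers such as teql_destroy() know to pass NULL. I would add a `/** dev_reset_queue - ... */` kernel-doc block covering those three points; teql_destroy() begins and ends outside its hunk.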
diff --git a/queue-6.6/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch b/queue-6.6/net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch
new file mode 100644 (file)
index 0000000..a9c0424
--- /dev/null
@@ -0,0 +1,208 @@
+From 66aa4249ada8f4a7d0d6ffccafbffc94ef3c6073 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 17:29:07 +0800
+Subject: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
+
+From: Jiayuan Chen <jiayuan.chen@shopee.com>
+
+[ Upstream commit 6d5e4538364b9ceb1ac2941a4deb86650afb3538 ]
+
+Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].
+
+smc_tcp_syn_recv_sock() is called in the TCP receive path
+(softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP
+listening socket). It reads sk_user_data to get the smc_sock
+pointer. However, when the SMC listen socket is being closed
+concurrently, smc_close_active() sets clcsock->sk_user_data
+to NULL under sk_callback_lock, and then the smc_sock itself
+can be freed via sock_put() in smc_release().
+
+This leads to two issues:
+
+1) NULL pointer dereference: sk_user_data is NULL when
+   accessed.
+2) Use-after-free: sk_user_data is read as non-NULL, but the
+   smc_sock is freed before its fields (e.g., queued_smc_hs,
+   ori_af_ops) are accessed.
+
+The race window looks like this (the syzkaller crash [1]
+triggers via the SYN cookie path: tcp_get_cookie_sock() ->
+smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path
+has the same race):
+
+  CPU A (softirq)              CPU B (process ctx)
+
+  tcp_v4_rcv()
+    TCP_NEW_SYN_RECV:
+    sk = req->rsk_listener
+    sock_hold(sk)
+    /* No lock on listener */
+                               smc_close_active():
+                                 write_lock_bh(cb_lock)
+                                 sk_user_data = NULL
+                                 write_unlock_bh(cb_lock)
+                                 ...
+                                 smc_clcsock_release()
+                                 sock_put(smc->sk) x2
+                                   -> smc_sock freed!
+    tcp_check_req()
+      smc_tcp_syn_recv_sock():
+        smc = user_data(sk)
+          -> NULL or dangling
+        smc->queued_smc_hs
+          -> crash!
+
+Note that the clcsock and smc_sock are two independent objects
+with separate refcounts. TCP stack holds a reference on the
+clcsock, which keeps it alive, but this does NOT prevent the
+smc_sock from being freed.
+
+Fix this by using RCU and refcount_inc_not_zero() to safely
+access smc_sock. Since smc_tcp_syn_recv_sock() is called in
+the TCP three-way handshake path, taking read_lock_bh on
+sk_callback_lock is too heavy and would not survive a SYN
+flood attack. Using rcu_read_lock() is much more lightweight.
+
+- Set SOCK_RCU_FREE on the SMC listen socket so that
+  smc_sock freeing is deferred until after the RCU grace
+  period. This guarantees the memory is still valid when
+  accessed inside rcu_read_lock().
+- Use rcu_read_lock() to protect reading sk_user_data.
+- Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the
+  smc_sock. If the refcount has already reached zero (close
+  path completed), it returns false and we bail out safely.
+
+Note: smc_hs_congested() has a similar lockless read of
+sk_user_data without rcu_read_lock(), but it only checks for
+NULL and accesses the global smc_hs_wq, never dereferencing
+any smc_sock field, so it is not affected.
+
+Reproducer was verified with mdelay injection and smc_run,
+the issue no longer occurs with this patch applied.
+
+[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9
+
+Fixes: 8270d9c21041 ("net/smc: Limit backlog connections")
+Reported-by: syzbot+827ae2bfb3a3529333e9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67eaf9b8.050a0220.3c3d88.004a.GAE@google.com/T/
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
+Link: https://patch.msgid.link/20260312092909.48325-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c    | 23 +++++++++++++++++------
+ net/smc/smc.h       |  5 +++++
+ net/smc/smc_close.c |  2 +-
+ 3 files changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index b3bfd0f18d418..0e9a3b8da6a63 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -124,7 +124,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
+       struct smc_sock *smc;
+       struct sock *child;
+-      smc = smc_clcsock_user_data(sk);
++      rcu_read_lock();
++      smc = smc_clcsock_user_data_rcu(sk);
++      if (!smc || !refcount_inc_not_zero(&smc->sk.sk_refcnt)) {
++              rcu_read_unlock();
++              smc = NULL;
++              goto drop;
++      }
++      rcu_read_unlock();
+       if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
+                               sk->sk_max_ack_backlog)
+@@ -146,11 +153,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
+               if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
+                       inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
+       }
++      sock_put(&smc->sk);
+       return child;
+ drop:
+       dst_release(dst);
+       tcp_listendrop(sk);
++      if (smc)
++              sock_put(&smc->sk);
+       return NULL;
+ }
+@@ -249,7 +259,7 @@ static void smc_fback_restore_callbacks(struct smc_sock *smc)
+       struct sock *clcsk = smc->clcsock->sk;
+       write_lock_bh(&clcsk->sk_callback_lock);
+-      clcsk->sk_user_data = NULL;
++      rcu_assign_sk_user_data(clcsk, NULL);
+       smc_clcsock_restore_cb(&clcsk->sk_state_change, &smc->clcsk_state_change);
+       smc_clcsock_restore_cb(&clcsk->sk_data_ready, &smc->clcsk_data_ready);
+@@ -882,7 +892,7 @@ static void smc_fback_replace_callbacks(struct smc_sock *smc)
+       struct sock *clcsk = smc->clcsock->sk;
+       write_lock_bh(&clcsk->sk_callback_lock);
+-      clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
++      __rcu_assign_sk_user_data_with_flags(clcsk, smc, SK_USER_DATA_NOCOPY);
+       smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change,
+                              &smc->clcsk_state_change);
+@@ -2651,8 +2661,8 @@ static int smc_listen(struct socket *sock, int backlog)
+        * smc-specific sk_data_ready function
+        */
+       write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+-      smc->clcsock->sk->sk_user_data =
+-              (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
++      __rcu_assign_sk_user_data_with_flags(smc->clcsock->sk, smc,
++                                           SK_USER_DATA_NOCOPY);
+       smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready,
+                              smc_clcsock_data_ready, &smc->clcsk_data_ready);
+       write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+@@ -2673,10 +2683,11 @@ static int smc_listen(struct socket *sock, int backlog)
+               write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+               smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+                                      &smc->clcsk_data_ready);
+-              smc->clcsock->sk->sk_user_data = NULL;
++              rcu_assign_sk_user_data(smc->clcsock->sk, NULL);
+               write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+               goto out;
+       }
++      sock_set_flag(sk, SOCK_RCU_FREE);
+       sk->sk_max_ack_backlog = backlog;
+       sk->sk_ack_backlog = 0;
+       sk->sk_state = SMC_LISTEN;
+diff --git a/net/smc/smc.h b/net/smc/smc.h
+index 36699ba551887..49bf6971610df 100644
+--- a/net/smc/smc.h
++++ b/net/smc/smc.h
+@@ -304,6 +304,11 @@ static inline struct smc_sock *smc_clcsock_user_data(const struct sock *clcsk)
+              ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY);
+ }
++static inline struct smc_sock *smc_clcsock_user_data_rcu(const struct sock *clcsk)
++{
++      return (struct smc_sock *)rcu_dereference_sk_user_data(clcsk);
++}
++
+ /* save target_cb in saved_cb, and replace target_cb with new_cb */
+ static inline void smc_clcsock_replace_cb(void (**target_cb)(struct sock *),
+                                         void (*new_cb)(struct sock *),
+diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
+index 10219f55aad14..bb0313ef5f7c1 100644
+--- a/net/smc/smc_close.c
++++ b/net/smc/smc_close.c
+@@ -218,7 +218,7 @@ int smc_close_active(struct smc_sock *smc)
+                       write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
+                       smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+                                              &smc->clcsk_data_ready);
+-                      smc->clcsock->sk->sk_user_data = NULL;
++                      rcu_assign_sk_user_data(smc->clcsock->sk, NULL);
+                       write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
+                       rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
+               }
+-- 
+2.51.0
+
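Review bot: In smc_listen() `sock_set_flag(sk, SOCK_RCU_FREE)` is set only after the smc pointer has been published through sk_user_data (and, from the hunk context, after the clcsock has been put into listen), so the RCU-deferred-free guarantee that smc_tcp_syn_recv_sock() relies on is established after SYNs can already be arriving; the window is presumably closed by lock_sock() serialising smc_listen() against smc_release(), but moving the `sock_set_flag()` ahead of the `__rcu_assign_sk_user_data_with_flags()` call would make the ordering self-evidently safe rather than lock-dependent. The new `smc_clcsock_user_data_rcu()` helper in smc.h also has no comment; it should state that the caller must hold rcu_read_lock(), that the returned smc_sock is not pinned until `refcount_inc_not_zero(&smc->sk.sk_refcnt)` succeeds, and that it relies on rcu_dereference_sk_user_data() masking the SK_USER_DATA_NOCOPY flag bit, e.g. `/* Caller holds rcu_read_lock(); the pointer is only valid for the read-side critical section unless the sk refcount is taken */`. smc_tcp_syn_recv_sock() begins outside its hunk.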
diff --git a/queue-6.6/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch b/queue-6.6/net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
new file mode 100644 (file)
index 0000000..f00e2bf
--- /dev/null
@@ -0,0 +1,69 @@
+From 66d153138c5802eb316de1329a8ebc95fcf337a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 16:16:43 +0200
+Subject: net: usb: aqc111: Do not perform PM inside suspend callback
+
+From: Nikola Z. Ivanov <zlatistiv@gmail.com>
+
+[ Upstream commit 069c8f5aebe4d5224cf62acc7d4b3486091c658a ]
+
+syzbot reports "task hung in rpm_resume"
+
+This is caused by aqc111_suspend calling
+the PM variant of its write_cmd routine.
+
+The simplified call trace looks like this:
+
+rpm_suspend()
+  usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING
+    aqc111_suspend() - called for the usb device interface
+      aqc111_write32_cmd()
+        usb_autopm_get_interface()
+          pm_runtime_resume_and_get()
+            rpm_resume() - here we call rpm_resume() on our parent
+              rpm_resume() - Here we wait for a status change that will never happen.
+
+At this point we block another task which holds
+rtnl_lock and locks up the whole networking stack.
+
+Fix this by replacing the write_cmd calls with their _nopm variants
+
+Reported-by: syzbot+48dc1e8dfc92faf1124c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=48dc1e8dfc92faf1124c
+Fixes: e58ba4544c77 ("net: usb: aqc111: Add support for wake on LAN by MAGIC packet")
+Signed-off-by: Nikola Z. Ivanov <zlatistiv@gmail.com>
+Link: https://patch.msgid.link/20260313141643.1181386-1-zlatistiv@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/aqc111.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c
+index 3ebb1f84d3025..f1820c0d4830f 100644
+--- a/drivers/net/usb/aqc111.c
++++ b/drivers/net/usb/aqc111.c
+@@ -1400,14 +1400,14 @@ static int aqc111_suspend(struct usb_interface *intf, pm_message_t message)
+               aqc111_write16_cmd_nopm(dev, AQ_ACCESS_MAC,
+                                       SFR_MEDIUM_STATUS_MODE, 2, &reg16);
+-              aqc111_write_cmd(dev, AQ_WOL_CFG, 0, 0,
+-                               WOL_CFG_SIZE, &wol_cfg);
+-              aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0,
+-                                 &aqc111_data->phy_cfg);
++              aqc111_write_cmd_nopm(dev, AQ_WOL_CFG, 0, 0,
++                                    WOL_CFG_SIZE, &wol_cfg);
++              aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0,
++                                      &aqc111_data->phy_cfg);
+       } else {
+               aqc111_data->phy_cfg |= AQ_LOW_POWER;
+-              aqc111_write32_cmd(dev, AQ_PHY_OPS, 0, 0,
+-                                 &aqc111_data->phy_cfg);
++              aqc111_write32_cmd_nopm(dev, AQ_PHY_OPS, 0, 0,
++                                      &aqc111_data->phy_cfg);
+               /* Disable RX path */
+               aqc111_read16_cmd_nopm(dev, AQ_ACCESS_MAC,
+-- 
+2.51.0
+
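Review bot: The three `_nopm` calls have no comment saying why the autopm variants are forbidden here, and nothing in the hunk stops the next edit from reintroducing `aqc111_write32_cmd()` in this function; the trace in the commit message shows the autopm path re-entering rpm_resume() while the device is already RPM_SUSPENDING. A comment near the top of the `if` (aqc111_suspend() begins outside the hunk) such as `/* Runtime PM is mid-transition in the suspend callback: only the _nopm accessors may be used here, the autopm variants deadlock in rpm_resume() */` would capture that. The return values of the `_nopm` writes are also discarded, as they were before; if a failed WoL or PHY write should abort the suspend, that is a separate follow-up.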
diff --git a/queue-6.6/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch b/queue-6.6/net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch
new file mode 100644 (file)
index 0000000..658cf2c
--- /dev/null
@@ -0,0 +1,65 @@
+From a2d88fa63e021931d526330b6a6250df69e14cdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 22:46:39 -0700
+Subject: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check
+
+From: Tobi Gaertner <tob.gaertner@me.com>
+
+[ Upstream commit 2aa8a4fa8d5b7d0e1ebcec100e1a4d80a1f4b21a ]
+
+cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE
+entries fit within the skb. The first check correctly accounts for
+ndpoffset:
+
+  if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len)
+
+but the second check omits it:
+
+  if ((sizeof(struct usb_cdc_ncm_ndp16) +
+       ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len)
+
+This validates the DPE array size against the total skb length as if
+the NDP were at offset 0, rather than at ndpoffset. When the NDP is
+placed near the end of the NTB (large wNdpIndex), the DPE entries can
+extend past the skb data buffer even though the check passes.
+cdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating
+the DPE array.
+
+Add ndpoffset to the nframes bounds check and use struct_size_t() to
+express the NDP-plus-DPE-array size more clearly.
+
+Fixes: ff06ab13a4cc ("net: cdc_ncm: splitting rx_fixup for code reuse")
+Signed-off-by: Tobi Gaertner <tob.gaertner@me.com>
+Link: https://patch.msgid.link/20260314054640.2895026-2-tob.gaertner@me.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_ncm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index 22554daaf6ff1..ae7a2829fe49d 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1656,6 +1656,7 @@ int cdc_ncm_rx_verify_ndp16(struct sk_buff *skb_in, int ndpoffset)
+       struct usbnet *dev = netdev_priv(skb_in->dev);
+       struct usb_cdc_ncm_ndp16 *ndp16;
+       int ret = -EINVAL;
++      size_t ndp_len;
+       if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) {
+               netif_dbg(dev, rx_err, dev->net, "invalid NDP offset  <%u>\n",
+@@ -1675,8 +1676,8 @@ int cdc_ncm_rx_verify_ndp16(struct sk_buff *skb_in, int ndpoffset)
+                                       sizeof(struct usb_cdc_ncm_dpe16));
+       ret--; /* we process NDP entries except for the last one */
+-      if ((sizeof(struct usb_cdc_ncm_ndp16) +
+-           ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) {
++      ndp_len = struct_size_t(struct usb_cdc_ncm_ndp16, dpe16, ret);
++      if (ndpoffset + ndp_len > skb_in->len) {
+               netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret);
+               ret = -EINVAL;
+       }
+-- 
+2.51.0
+
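Review bot: The new bound `if (ndpoffset + ndp_len > skb_in->len)` mixes an `int` ndpoffset with a `size_t`, as the pre-existing header check does; that is safe in practice (a negative ndpoffset converts to a huge size_t and is rejected), but since ndpoffset originates from the device-supplied wNdpIndex, a comment stating that the whole NDP — header plus DPE array — must be bounded at its real offset would make the intent visible, e.g. `/* ndpoffset comes from the device's wNdpIndex: bound the header and the DPE array at that offset, not at 0 */`. `ret` is passed to struct_size_t() as a count and is non-negative only because of the wLength minimum check outside the hunk, which is worth noting beside the `ret--`. The NDP32 counterpart in the next file has the same shape, and the same comments apply there.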
diff --git a/queue-6.6/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch b/queue-6.6/net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch
new file mode 100644 (file)
index 0000000..5b083ee
--- /dev/null
@@ -0,0 +1,54 @@
+From f92bc34d4f3608eb004fc2d679288a3374db6238 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 22:46:40 -0700
+Subject: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
+
+From: Tobi Gaertner <tob.gaertner@me.com>
+
+[ Upstream commit 77914255155e68a20aa41175edeecf8121dac391 ]
+
+The same bounds-check bug fixed for NDP16 in the previous patch also
+exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated
+against the total skb length without accounting for ndpoffset, allowing
+out-of-bounds reads when the NDP32 is placed near the end of the NTB.
+
+Add ndpoffset to the nframes bounds check and use struct_size_t() to
+express the NDP-plus-DPE-array size more clearly.
+
+Compile-tested only.
+
+Fixes: 0fa81b304a79 ("cdc_ncm: Implement the 32-bit version of NCM Transfer Block")
+Signed-off-by: Tobi Gaertner <tob.gaertner@me.com>
+Link: https://patch.msgid.link/20260314054640.2895026-3-tob.gaertner@me.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_ncm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index ae7a2829fe49d..56dfd4cd2aa4f 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1693,6 +1693,7 @@ int cdc_ncm_rx_verify_ndp32(struct sk_buff *skb_in, int ndpoffset)
+       struct usbnet *dev = netdev_priv(skb_in->dev);
+       struct usb_cdc_ncm_ndp32 *ndp32;
+       int ret = -EINVAL;
++      size_t ndp_len;
+       if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp32)) > skb_in->len) {
+               netif_dbg(dev, rx_err, dev->net, "invalid NDP offset  <%u>\n",
+@@ -1712,8 +1713,8 @@ int cdc_ncm_rx_verify_ndp32(struct sk_buff *skb_in, int ndpoffset)
+                                       sizeof(struct usb_cdc_ncm_dpe32));
+       ret--; /* we process NDP entries except for the last one */
+-      if ((sizeof(struct usb_cdc_ncm_ndp32) +
+-           ret * (sizeof(struct usb_cdc_ncm_dpe32))) > skb_in->len) {
++      ndp_len = struct_size_t(struct usb_cdc_ncm_ndp32, dpe32, ret);
++      if (ndpoffset + ndp_len > skb_in->len) {
+               netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d\n", ret);
+               ret = -EINVAL;
+       }
+-- 
+2.51.0
+
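Review bot: The `netif_dbg()` line following the new `if (ndpoffset + ndp_len > skb_in->len)` check still reports only `ret`, although the condition now also depends on `ndpoffset`, so a logged rejection cannot be told apart from the pre-existing nframes-too-large case. Consider `netif_dbg(dev, rx_err, dev->net, "Invalid nframes = %d at ndpoffset %d\n", ret, ndpoffset);` so the diagnostic carries both operands. Since `struct_size_t()` saturates to SIZE_MAX on overflow, a comment such as `/* struct_size_t() saturates, so an absurd nframes fails this check instead of wrapping */` would record why the multiplication no longer needs its own guard. cdc_ncm_rx_verify_ndp32() begins and ends outside this hunk.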
diff --git a/queue-6.6/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch b/queue-6.6/netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch
new file mode 100644 (file)
index 0000000..aa0bd52
--- /dev/null
@@ -0,0 +1,47 @@
+From 76e0365b2771ffa38b973403138b6ccc73f60737 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 12:23:08 +0100
+Subject: netfilter: bpf: defer hook memory release until rcu readers are done
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 24f90fa3994b992d1a09003a3db2599330a5232a ]
+
+Yiming Qian reports UaF when concurrent process is dumping hooks via
+nfnetlink_hooks:
+
+BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
+Read of size 8 at addr ffff888003edbf88 by task poc/79
+Call Trace:
+ <TASK>
+ nfnl_hook_dump_one.isra.0+0xe71/0x10f0
+ netlink_dump+0x554/0x12b0
+ nfnl_hook_get+0x176/0x230
+ [..]
+
+Defer release until after concurrent readers have completed.
+
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_bpf_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
+index 658e401b7937e..c65502aa12557 100644
+--- a/net/netfilter/nf_bpf_link.c
++++ b/net/netfilter/nf_bpf_link.c
+@@ -170,7 +170,7 @@ static int bpf_nf_link_update(struct bpf_link *link, struct bpf_prog *new_prog,
+ static const struct bpf_link_ops bpf_nf_link_lops = {
+       .release = bpf_nf_link_release,
+-      .dealloc = bpf_nf_link_dealloc,
++      .dealloc_deferred = bpf_nf_link_dealloc,
+       .detach = bpf_nf_link_detach,
+       .show_fdinfo = bpf_nf_link_show_info,
+       .fill_link_info = bpf_nf_link_fill_link_info,
+-- 
+2.51.0
+
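Review bot: The switch to `.dealloc_deferred` in `bpf_nf_link_lops` is unexplained in the code itself, so a reader of nf_bpf_link.c will not see why this link type cannot use the immediate `.dealloc`. A comment such as `/* nfnetlink_hook dumps walk hooks under RCU; free only after a grace period */` above the initializer would preserve the rationale from the commit message. If I read the bpf core correctly, deferred deallocation runs from an RCU callback rather than process context, so it is worth confirming that `bpf_nf_link_dealloc()` (outside this hunk) does nothing that may sleep.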
diff --git a/queue-6.6/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch b/queue-6.6/netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
new file mode 100644 (file)
index 0000000..f4890ca
--- /dev/null
@@ -0,0 +1,123 @@
+From f9c2c1d656aac2e04a77d60bf1a40b9e923fa7e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Mar 2026 02:21:37 +0900
+Subject: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit 5cb81eeda909dbb2def209dd10636b51549a3f8a ]
+
+ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the
+netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the
+conntrack reference immediately after netlink_dump_start().  When the
+dump spans multiple rounds, the second recvmsg() triggers the dump
+callback which dereferences the now-freed conntrack via nfct_help(ct),
+leading to a use-after-free on ct->ext.
+
+The bug is that the netlink_dump_control has no .start or .done
+callbacks to manage the conntrack reference across dump rounds.  Other
+dump functions in the same file (e.g. ctnetlink_get_conntrack) properly
+use .start/.done callbacks for this purpose.
+
+Fix this by adding .start and .done callbacks that hold and release the
+conntrack reference for the duration of the dump, and move the
+nfct_help() call after the cb->args[0] early-return check in the dump
+callback to avoid dereferencing ct->ext unnecessarily.
+
+ BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0
+ Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133
+
+ CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY
+ Call Trace:
+  <TASK>
+  ctnetlink_exp_ct_dump_table+0x4f/0x2e0
+  netlink_dump+0x333/0x880
+  netlink_recvmsg+0x3e2/0x4b0
+  ? aa_sk_perm+0x184/0x450
+  sock_recvmsg+0xde/0xf0
+
+ Allocated by task 133:
+  kmem_cache_alloc_noprof+0x134/0x440
+  __nf_conntrack_alloc+0xa8/0x2b0
+  ctnetlink_create_conntrack+0xa1/0x900
+  ctnetlink_new_conntrack+0x3cf/0x7d0
+  nfnetlink_rcv_msg+0x48e/0x510
+  netlink_rcv_skb+0xc9/0x1f0
+  nfnetlink_rcv+0xdb/0x220
+  netlink_unicast+0x3ec/0x590
+  netlink_sendmsg+0x397/0x690
+  __sys_sendmsg+0xf4/0x180
+
+ Freed by task 0:
+  slab_free_after_rcu_debug+0xad/0x1e0
+  rcu_core+0x5c3/0x9c0
+
+Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 237468202a0be..b4761a060e7a0 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3200,7 +3200,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+       struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+       struct nf_conn *ct = cb->data;
+-      struct nf_conn_help *help = nfct_help(ct);
++      struct nf_conn_help *help;
+       u_int8_t l3proto = nfmsg->nfgen_family;
+       unsigned long last_id = cb->args[1];
+       struct nf_conntrack_expect *exp;
+@@ -3208,6 +3208,10 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       if (cb->args[0])
+               return 0;
++      help = nfct_help(ct);
++      if (!help)
++              return 0;
++
+       rcu_read_lock();
+ restart:
+@@ -3237,6 +3241,24 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       return skb->len;
+ }
++static int ctnetlink_dump_exp_ct_start(struct netlink_callback *cb)
++{
++      struct nf_conn *ct = cb->data;
++
++      if (!refcount_inc_not_zero(&ct->ct_general.use))
++              return -ENOENT;
++      return 0;
++}
++
++static int ctnetlink_dump_exp_ct_done(struct netlink_callback *cb)
++{
++      struct nf_conn *ct = cb->data;
++
++      if (ct)
++              nf_ct_put(ct);
++      return 0;
++}
++
+ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+                                struct sk_buff *skb,
+                                const struct nlmsghdr *nlh,
+@@ -3252,6 +3274,8 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+       struct nf_conntrack_zone zone;
+       struct netlink_dump_control c = {
+               .dump = ctnetlink_exp_ct_dump_table,
++              .start = ctnetlink_dump_exp_ct_start,
++              .done = ctnetlink_dump_exp_ct_done,
+       };
+       err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
+-- 
+2.51.0
+
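Review bot: The new `ctnetlink_dump_exp_ct_start()` and `ctnetlink_dump_exp_ct_done()` carry no comment stating what the reference they take and drop is for, which is exactly the lifetime subtlety this fix addresses. A short comment above `_start`, e.g. `/* cb->data outlives the request handler: pin the master ct for every dump round; released in ctnetlink_dump_exp_ct_done() */`, would stop a later refactor from removing the callbacks again. The `if (ct)` guard in `_done` looks defensive, since `.start` returns -ENOENT before any dump round can run without a reference; if `nf_ct_put()` already tolerates NULL in this tree the guard is redundant, though harmless. The `.data = ct` assignment that feeds both callbacks is outside this hunk, as are the ends of ctnetlink_dump_exp_ct() and ctnetlink_exp_ct_dump_table().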
diff --git a/queue-6.6/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch b/queue-6.6/netfilter-ctnetlink-remove-refcounting-in-expectatio.patch
new file mode 100644 (file)
index 0000000..59728fa
--- /dev/null
@@ -0,0 +1,165 @@
+From 7554aacaae72c842e24b7abb4aee06c403c713c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Aug 2025 17:25:09 +0200
+Subject: netfilter: ctnetlink: remove refcounting in expectation dumpers
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 1492e3dcb2be3aa46d1963da96aa9593e4e4db5a ]
+
+Same pattern as previous patch: do not keep the expectation object
+alive via refcount, only store a cookie value and then use that
+as the skip hint for dump resumption.
+
+AFAICS this has the same issue as the one resolved in the conntrack
+dumper, when we do
+  if (!refcount_inc_not_zero(&exp->use))
+
+to increment the refcount, there is a chance that exp == last, which
+causes a double-increment of the refcount and subsequent memory leak.
+
+Fixes: cf6994c2b981 ("[NETFILTER]: nf_conntrack_netlink: sync expectation dumping with conntrack table dumping")
+Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Stable-dep-of: 5cb81eeda909 ("netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 41 ++++++++++++----------------
+ 1 file changed, 17 insertions(+), 24 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 928bd2013289a..237468202a0be 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3140,23 +3140,27 @@ ctnetlink_expect_event(unsigned int events, const struct nf_exp_event *item)
+       return 0;
+ }
+ #endif
+-static int ctnetlink_exp_done(struct netlink_callback *cb)
++
++static unsigned long ctnetlink_exp_id(const struct nf_conntrack_expect *exp)
+ {
+-      if (cb->args[1])
+-              nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
+-      return 0;
++      unsigned long id = (unsigned long)exp;
++
++      id += nf_ct_get_id(exp->master);
++      id += exp->class;
++
++      return id ? id : 1;
+ }
+ static int
+ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+       struct net *net = sock_net(skb->sk);
+-      struct nf_conntrack_expect *exp, *last;
+       struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+       u_int8_t l3proto = nfmsg->nfgen_family;
++      unsigned long last_id = cb->args[1];
++      struct nf_conntrack_expect *exp;
+       rcu_read_lock();
+-      last = (struct nf_conntrack_expect *)cb->args[1];
+       for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
+ restart:
+               hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]],
+@@ -3168,7 +3172,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+                               continue;
+                       if (cb->args[1]) {
+-                              if (exp != last)
++                              if (ctnetlink_exp_id(exp) != last_id)
+                                       continue;
+                               cb->args[1] = 0;
+                       }
+@@ -3177,9 +3181,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+                                                   cb->nlh->nlmsg_seq,
+                                                   IPCTNL_MSG_EXP_NEW,
+                                                   exp) < 0) {
+-                              if (!refcount_inc_not_zero(&exp->use))
+-                                      continue;
+-                              cb->args[1] = (unsigned long)exp;
++                              cb->args[1] = ctnetlink_exp_id(exp);
+                               goto out;
+                       }
+               }
+@@ -3190,32 +3192,30 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       }
+ out:
+       rcu_read_unlock();
+-      if (last)
+-              nf_ct_expect_put(last);
+-
+       return skb->len;
+ }
+ static int
+ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+-      struct nf_conntrack_expect *exp, *last;
+       struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+       struct nf_conn *ct = cb->data;
+       struct nf_conn_help *help = nfct_help(ct);
+       u_int8_t l3proto = nfmsg->nfgen_family;
++      unsigned long last_id = cb->args[1];
++      struct nf_conntrack_expect *exp;
+       if (cb->args[0])
+               return 0;
+       rcu_read_lock();
+-      last = (struct nf_conntrack_expect *)cb->args[1];
++
+ restart:
+       hlist_for_each_entry_rcu(exp, &help->expectations, lnode) {
+               if (l3proto && exp->tuple.src.l3num != l3proto)
+                       continue;
+               if (cb->args[1]) {
+-                      if (exp != last)
++                      if (ctnetlink_exp_id(exp) != last_id)
+                               continue;
+                       cb->args[1] = 0;
+               }
+@@ -3223,9 +3223,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+                                           cb->nlh->nlmsg_seq,
+                                           IPCTNL_MSG_EXP_NEW,
+                                           exp) < 0) {
+-                      if (!refcount_inc_not_zero(&exp->use))
+-                              continue;
+-                      cb->args[1] = (unsigned long)exp;
++                      cb->args[1] = ctnetlink_exp_id(exp);
+                       goto out;
+               }
+       }
+@@ -3236,9 +3234,6 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+       cb->args[0] = 1;
+ out:
+       rcu_read_unlock();
+-      if (last)
+-              nf_ct_expect_put(last);
+-
+       return skb->len;
+ }
+@@ -3257,7 +3252,6 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
+       struct nf_conntrack_zone zone;
+       struct netlink_dump_control c = {
+               .dump = ctnetlink_exp_ct_dump_table,
+-              .done = ctnetlink_exp_done,
+       };
+       err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
+@@ -3307,7 +3301,6 @@ static int ctnetlink_get_expect(struct sk_buff *skb,
+               else {
+                       struct netlink_dump_control c = {
+                               .dump = ctnetlink_exp_dump_table,
+-                              .done = ctnetlink_exp_done,
+                       };
+                       return netlink_dump_start(info->sk, skb, info->nlh, &c);
+               }
+-- 
+2.51.0
+
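Review bot: `ctnetlink_exp_id()` is introduced without a comment describing its contract, and it is a resume cookie rather than a stable identifier: the expectation's kernel address plus the master's id and class, kept only in `cb->args[1]`, where a collision or a freed-and-reused address only changes where the next dump round resumes. A comment such as `/* Resume cookie for multi-round dumps, kept in cb->args only; equality is the sole operation and a collision merely moves the resume point. 0 is reserved for "no resume point". */` above the function would record that and explain the `return id ? id : 1;`. Because the cookie embeds a raw kernel pointer it must never be copied into a netlink attribute, which is worth stating explicitly. The bucket-restart logic of ctnetlink_exp_dump_table() between its hunks is outside this view.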
diff --git a/queue-6.6/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch b/queue-6.6/netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
new file mode 100644 (file)
index 0000000..c543489
--- /dev/null
@@ -0,0 +1,47 @@
+From 6d5623ad84cb731c4004907055a7c5b74d2a9aab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 14:49:50 +0000
+Subject: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit f173d0f4c0f689173f8cdac79991043a4a89bf66 ]
+
+In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
+the packet, then decrements it by 1 to skip the protocol discriminator
+byte before passing it to DecodeH323_UserInformation(). If the encoded
+length is 0, the decrement wraps to -1, which is then passed as a
+large value to the decoder, leading to an out-of-bounds read.
+
+Add a check to ensure len is positive after the decrement.
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index c972e9488e16f..7b1497ed97d26 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
+                               break;
+                       p++;
+                       len--;
++                      if (len <= 0)
++                              break;
+                       return DecodeH323_UserInformation(buf, p, len,
+                                                         &q931->UUIE);
+               }
+-- 
+2.51.0
+
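Review bot: The new `if (len <= 0) break;` after `len--;` is correct, but nothing in the code says why zero is rejected: the 16-bit length counts the protocol discriminator byte, so after skipping it a zero or negative `len` means there is no UUIE payload, and a negative value would otherwise reach `DecodeH323_UserInformation()` where, per the description, it is interpreted as a huge size. A comment such as `/* len included the discriminator byte; nothing left to decode */` on the check would make that explicit. The upper bound is presumably enforced by the earlier length-versus-`sz` comparison that precedes this hunk; if so, the two checks together confine `len` to 1..sz. DecodeQ931() begins and ends outside this hunk.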
diff --git a/queue-6.6/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch b/queue-6.6/netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
new file mode 100644 (file)
index 0000000..4f16b71
--- /dev/null
@@ -0,0 +1,48 @@
+From f346443a507b638d97b3b1d71fb7b130e00ed9fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 02:29:32 +0000
+Subject: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a ]
+
+In decode_int(), the CONS case calls get_bits(bs, 2) to read a length
+value, then calls get_uint(bs, len) without checking that len bytes
+remain in the buffer. The existing boundary check only validates the
+2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()
+reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte
+slab-out-of-bounds read.
+
+Add a boundary check for len bytes after get_bits() and before
+get_uint().
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index 62aa22a078769..c972e9488e16f 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -331,6 +331,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f,
+               if (nf_h323_error_boundary(bs, 0, 2))
+                       return H323_ERROR_BOUND;
+               len = get_bits(bs, 2) + 1;
++              if (nf_h323_error_boundary(bs, len, 0))
++                      return H323_ERROR_BOUND;
+               BYTE_ALIGN(bs);
+               if (base && (f->attr & DECODE)) {       /* timeToLive */
+                       unsigned int v = get_uint(bs, len) + f->lb;
+-- 
+2.51.0
+
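Review bot: The added `nf_h323_error_boundary(bs, len, 0)` sits before `BYTE_ALIGN(bs)`, so its correctness depends on the helper rounding a partial bit offset up to a whole byte; otherwise the aligned `get_uint()` could still read one byte past the checked range. If the helper does that, as the similar check-then-align sequences elsewhere in this file suggest, the placement is fine but deserves a one-line comment such as `/* covers the pending BYTE_ALIGN: boundary check rounds bs->bit up to a byte */`. The check presumably also protects the non-DECODE branch that skips `len` bytes after the visible `if (base && (f->attr & DECODE))`, which is outside the hunk. decode_int() begins and ends outside this hunk.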
diff --git a/queue-6.6/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch b/queue-6.6/netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
new file mode 100644 (file)
index 0000000..7883aae
--- /dev/null
@@ -0,0 +1,66 @@
+From aa4bab9ed05ca48fd2ec0e617243f90dc802aa0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Mar 2026 21:49:01 +0000
+Subject: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in
+ sip_help_tcp()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lukas Johannes Möller <research@johannes-moeller.dev>
+
+[ Upstream commit fbce58e719a17aa215c724473fd5baaa4a8dc57c ]
+
+sip_help_tcp() parses the SIP Content-Length header with
+simple_strtoul(), which returns unsigned long, but stores the result in
+unsigned int clen.  On 64-bit systems, values exceeding UINT_MAX are
+silently truncated before computing the SIP message boundary.
+
+For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,
+causing the parser to miscalculate where the current message ends.  The
+loop then treats trailing data in the TCP segment as a second SIP
+message and processes it through the SDP parser.
+
+Fix this by changing clen to unsigned long to match the return type of
+simple_strtoul(), and reject Content-Length values that exceed the
+remaining TCP payload length.
+
+Fixes: f5b321bd37fb ("netfilter: nf_conntrack_sip: add TCP support")
+Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_sip.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
+index d0eac27f6ba03..657839a58782a 100644
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -1534,11 +1534,12 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
+ {
+       struct tcphdr *th, _tcph;
+       unsigned int dataoff, datalen;
+-      unsigned int matchoff, matchlen, clen;
++      unsigned int matchoff, matchlen;
+       unsigned int msglen, origlen;
+       const char *dptr, *end;
+       s16 diff, tdiff = 0;
+       int ret = NF_ACCEPT;
++      unsigned long clen;
+       bool term;
+       if (ctinfo != IP_CT_ESTABLISHED &&
+@@ -1573,6 +1574,9 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
+               if (dptr + matchoff == end)
+                       break;
++              if (clen > datalen)
++                      break;
++
+               term = false;
+               for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
+                       if (end[0] == '\r' && end[1] == '\n' &&
+-- 
+2.51.0
+
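Review bot: The new `if (clen > datalen) break;` compares Content-Length against the whole TCP payload rather than the bytes remaining after the header block, so the description's "remaining TCP payload length" overstates what is checked; the check is still sufficient for its real purpose, which I take to be keeping the later `end += ... + clen` pointer arithmetic (outside this hunk) from wrapping, with the exact fit left to the subsequent `msglen > datalen` test. A comment would stop a future reader tightening or loosening it by mistake, e.g. `/* bound clen by the segment so end + clen cannot wrap; exact fit is checked via msglen below */`. sip_help_tcp() begins and ends outside this hunk.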
diff --git a/queue-6.6/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch b/queue-6.6/netfilter-nf_tables-release-flowtable-after-rcu-grac.patch
new file mode 100644 (file)
index 0000000..1a940cf
--- /dev/null
@@ -0,0 +1,51 @@
+From 662be15e4fc47570f1d198144a07e2bd6866ee8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 20:00:26 +0100
+Subject: netfilter: nf_tables: release flowtable after rcu grace period on
+ error
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit d73f4b53aaaea4c95f245e491aa5eeb8a21874ce ]
+
+Call synchronize_rcu() after unregistering the hooks from error path,
+since a hook that already refers to this flowtable can be already
+registered, exposing this flowtable to packet path and nfnetlink_hook
+control plane.
+
+This error path is rare, it should only happen by reaching the maximum
+number hooks or by failing to set up to hardware offload, just call
+synchronize_rcu().
+
+There is a check for already used device hooks by different flowtable
+that could result in EEXIST at this late stage. The hook parser can be
+updated to perform this check earlier to this error path really becomes
+rarely exercised.
+
+Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
+when dumping hooks.
+
+Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 41614e897ec8f..a3f7c7ae55b8c 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -8772,6 +8772,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
+       return 0;
+ err_flowtable_hooks:
++      synchronize_rcu();
+       nft_trans_destroy(trans);
+ err_flowtable_trans:
+       nft_hooks_destroy(&flowtable->hook_list);
+-- 
+2.51.0
+
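Review bot: The `synchronize_rcu()` added at `err_flowtable_hooks:` has no comment, and its position is load-bearing: it must run after the flowtable's hooks have been unregistered (before the jump, outside this hunk) and before `nft_trans_destroy()`/`nft_hooks_destroy()` release memory that the packet path and the nfnetlink_hook dumper may still be reading. Suggest `/* hooks already unregistered; wait for packet-path and nfnetlink_hook readers before freeing */` above the call. Since `synchronize_rcu()` blocks, the commit message's remark that this path is rare is the justification for not using a call_rcu-style release; recording that in the comment would help. nf_tables_newflowtable() begins and ends outside this hunk.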
diff --git a/queue-6.6/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch b/queue-6.6/netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch
new file mode 100644 (file)
index 0000000..4c18000
--- /dev/null
@@ -0,0 +1,114 @@
+From 86ab1be6ac735d2a388345dbee94f5590500e94d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Oct 2025 18:22:16 +0200
+Subject: netfilter: nft_ct: add seqadj extension for natted connections
+
+From: Andrii Melnychenko <a.melnychenko@vyos.io>
+
+[ Upstream commit 90918e3b6404c2a37837b8f11692471b4c512de2 ]
+
+Sequence adjustment may be required for FTP traffic with PASV/EPSV modes.
+due to need to re-write packet payload (IP, port) on the ftp control
+connection. This can require changes to the TCP length and expected
+seq / ack_seq.
+
+The easiest way to reproduce this issue is with PASV mode.
+Example ruleset:
+table inet ftp_nat {
+        ct helper ftp_helper {
+                type "ftp" protocol tcp
+                l3proto inet
+        }
+
+        chain prerouting {
+                type filter hook prerouting priority 0; policy accept;
+                tcp dport 21 ct state new ct helper set "ftp_helper"
+        }
+}
+table ip nat {
+        chain prerouting {
+                type nat hook prerouting priority -100; policy accept;
+                tcp dport 21 dnat ip prefix to ip daddr map {
+                       192.168.100.1 : 192.168.13.2/32 }
+        }
+
+        chain postrouting {
+                type nat hook postrouting priority 100 ; policy accept;
+                tcp sport 21 snat ip prefix to ip saddr map {
+                       192.168.13.2 : 192.168.100.1/32 }
+        }
+}
+
+Note that the ftp helper gets assigned *after* the dnat setup.
+
+The inverse (nat after helper assign) is handled by an existing
+check in nf_nat_setup_info() and will not show the problem.
+
+Topoloy:
+
+ +-------------------+     +----------------------------------+
+ | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |
+ +-------------------+     +----------------------------------+
+                                      |
+                         +-----------------------+
+                         | Client: 192.168.100.2 |
+                         +-----------------------+
+
+ftp nat changes do not work as expected in this case:
+Connected to 192.168.100.1.
+[..]
+ftp> epsv
+EPSV/EPRT on IPv4 off.
+ftp> ls
+227 Entering passive mode (192,168,100,1,209,129).
+421 Service not available, remote server has closed connection.
+
+Kernel logs:
+Missing nfct_seqadj_ext_add() setup call
+WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41
+[..]
+ __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]
+ nf_nat_ftp+0x142/0x280 [nf_nat_ftp]
+ help+0x4d1/0x880 [nf_conntrack_ftp]
+ nf_confirm+0x122/0x2e0 [nf_conntrack]
+ nf_hook_slow+0x3c/0xb0
+ ..
+
+Fix this by adding the required extension when a conntrack helper is assigned
+to a connection that has a nat binding.
+
+Fixes: 1a64edf54f55 ("netfilter: nft_ct: add helper set support")
+Signed-off-by: Andrii Melnychenko <a.melnychenko@vyos.io>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Stable-dep-of: 36eae0956f65 ("netfilter: nft_ct: drop pending enqueued packets on removal")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_ct.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index 3ec63852d058f..1070d68f9e77f 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -22,6 +22,7 @@
+ #include <net/netfilter/nf_conntrack_timeout.h>
+ #include <net/netfilter/nf_conntrack_l4proto.h>
+ #include <net/netfilter/nf_conntrack_expect.h>
++#include <net/netfilter/nf_conntrack_seqadj.h>
+ struct nft_ct_helper_obj  {
+       struct nf_conntrack_helper *helper4;
+@@ -1173,6 +1174,10 @@ static void nft_ct_helper_obj_eval(struct nft_object *obj,
+       if (help) {
+               rcu_assign_pointer(help->helper, to_assign);
+               set_bit(IPS_HELPER_BIT, &ct->status);
++
++              if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct))
++                      if (!nfct_seqadj_ext_add(ct))
++                              regs->verdict.code = NF_DROP;
+       }
+ }
+-- 
+2.51.0
+
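Review bot: The nested single-statement `if` pair added after `set_bit(IPS_HELPER_BIT, &ct->status);` reads awkwardly and is the form the netfilter tree usually avoids; the three conditions fold into one guard: `if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct) && !nfct_seqadj_ext_add(ct)) regs->verdict.code = NF_DROP;`. On the failure path the helper has already been assigned to the ct; this is presumably safe because the eval only proceeds for unconfirmed conntracks (the early return near the top of the function, outside this hunk), so the dropped packet takes the ct with it, but a comment such as `/* NAT was set up before the helper: the seqadj ext must exist before the helper mangles payload */` would explain both the condition and why NF_DROP is the right verdict. nft_ct_helper_obj_eval() begins outside this hunk.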
diff --git a/queue-6.6/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch b/queue-6.6/netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch
new file mode 100644 (file)
index 0000000..2668a40
--- /dev/null
@@ -0,0 +1,70 @@
+From 59f4f20882acae6fb1c025b9a3ce271ec623f5b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 13:48:47 +0100
+Subject: netfilter: nft_ct: drop pending enqueued packets on removal
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 36eae0956f659e48d5366d9b083d9417f3263ddc ]
+
+Packets sitting in nfqueue might hold a reference to:
+
+- templates that specify the conntrack zone, because a percpu area is
+  used and module removal is possible.
+- conntrack timeout policies and helper, where object removal leave
+  a stale reference.
+
+Since these objects can just go away, drop enqueued packets to avoid
+stale reference to them.
+
+If there is a need for finer grain removal, this logic can be revisited
+to make selective packet drop upon dependencies.
+
+Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_ct.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index 1070d68f9e77f..128eb0ac37742 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -23,6 +23,7 @@
+ #include <net/netfilter/nf_conntrack_l4proto.h>
+ #include <net/netfilter/nf_conntrack_expect.h>
+ #include <net/netfilter/nf_conntrack_seqadj.h>
++#include "nf_internals.h"
+ struct nft_ct_helper_obj  {
+       struct nf_conntrack_helper *helper4;
+@@ -527,6 +528,7 @@ static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv)
+ #endif
+ #ifdef CONFIG_NF_CONNTRACK_ZONES
+       case NFT_CT_ZONE:
++              nf_queue_nf_hook_drop(ctx->net);
+               mutex_lock(&nft_ct_pcpu_mutex);
+               if (--nft_ct_pcpu_template_refcnt == 0)
+                       nft_ct_tmpl_put_pcpu();
+@@ -997,6 +999,7 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx,
+       struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
+       struct nf_ct_timeout *timeout = priv->timeout;
++      nf_queue_nf_hook_drop(ctx->net);
+       nf_ct_untimeout(ctx->net, timeout);
+       nf_ct_netns_put(ctx->net, ctx->family);
+       kfree(priv->timeout);
+@@ -1129,6 +1132,7 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx,
+ {
+       struct nft_ct_helper_obj *priv = nft_obj_data(obj);
++      nf_queue_nf_hook_drop(ctx->net);
+       if (priv->helper4)
+               nf_conntrack_helper_put(priv->helper4);
+       if (priv->helper6)
+-- 
+2.51.0
+
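Review bot: `nf_queue_nf_hook_drop(ctx->net)` is called at three destroy sites (the NFT_CT_ZONE case of `__nft_ct_set_destroy`, `nft_ct_timeout_obj_destroy`, `nft_ct_helper_obj_destroy`) with no comment, and it flushes every packet queued in the netns, not just those referencing the removed object; each call deserves a line such as `/* enqueued skbs may still reference this template/timeout/helper: flush nfqueue */`. In the NFT_CT_ZONE case the flush runs before `mutex_lock(&nft_ct_pcpu_mutex)` even when `--nft_ct_pcpu_template_refcnt` does not reach zero and the pcpu template stays alive; if `nf_queue_nf_hook_drop()` may be called under that mutex, confining it to the `== 0` branch would avoid dropping queued traffic on every zone-expression removal. The new `#include "nf_internals.h"` makes nft_ct depend on a netfilter-private header, which is fine in-tree but worth noting. All three functions begin or end outside their hunks.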
diff --git a/queue-6.6/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch b/queue-6.6/netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
new file mode 100644 (file)
index 0000000..5801717
--- /dev/null
@@ -0,0 +1,54 @@
+From 69732f8926e713f43bb3eac059f7f9fbc02e5fa3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 13:48:48 +0100
+Subject: netfilter: xt_CT: drop pending enqueued packets on template removal
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit f62a218a946b19bb59abdd5361da85fa4606b96b ]
+
+Templates refer to objects that can go away while packets are sitting in
+nfqueue refer to:
+
+- helper, this can be an issue on module removal.
+- timeout policy, nfnetlink_cttimeout might remove it.
+
+The use of templates with zone and event cache filter are safe, since
+this just copies values.
+
+Flush these enqueued packets in case the template rule gets removed.
+
+Fixes: 24de58f46516 ("netfilter: xt_CT: allow to attach timeout policy + glue code")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_CT.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
+index 3ba94c34297cf..498f5871c84a0 100644
+--- a/net/netfilter/xt_CT.c
++++ b/net/netfilter/xt_CT.c
+@@ -16,6 +16,7 @@
+ #include <net/netfilter/nf_conntrack_ecache.h>
+ #include <net/netfilter/nf_conntrack_timeout.h>
+ #include <net/netfilter/nf_conntrack_zones.h>
++#include "nf_internals.h"
+ static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct)
+ {
+@@ -283,6 +284,9 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par,
+       struct nf_conn_help *help;
+       if (ct) {
++              if (info->helper[0] || info->timeout[0])
++                      nf_queue_nf_hook_drop(par->net);
++
+               help = nfct_help(ct);
+               xt_ct_put_helper(help);
+-- 
+2.51.0
+
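Review bot: The new `nf_queue_nf_hook_drop(par->net)` call in xt_ct_tg_destroy is guarded only by whether a helper or timeout name is configured, and nothing in the hunk records why that guard is correct, so the next reader has to recover the rationale from the changelog. Judging by its name, the call appears to flush every packet queued to userspace in the namespace rather than only those holding this template, so a comment would also make that cost explicit. Suggest above the guard: `/* Queued packets may still reference this template's helper or timeout policy; flush them before those objects go away. Zone/event-cache templates only copy values and need no flush. */`. The rest of xt_ct_tg_destroy, including where `info` is declared, lies outside the hunk.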
diff --git a/queue-6.6/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch b/queue-6.6/netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
new file mode 100644 (file)
index 0000000..052237b
--- /dev/null
@@ -0,0 +1,53 @@
+From fd1adb968b59b0cd9c7a5ced82748dce126179ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 14:59:49 +0000
+Subject: netfilter: xt_time: use unsigned int for monthday bit shift
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jenny Guanni Qu <qguanni@gmail.com>
+
+[ Upstream commit 00050ec08cecfda447e1209b388086d76addda3a ]
+
+The monthday field can be up to 31, and shifting a signed integer 1
+by 31 positions (1 << 31) is undefined behavior in C, as the result
+overflows a 32-bit signed int. Use 1U to ensure well-defined behavior
+for all valid monthday values.
+
+Change the weekday shift to 1U as well for consistency.
+
+Fixes: ee4411a1b1e0 ("[NETFILTER]: x_tables: add xt_time match")
+Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
+Reported-by: Dawid MoczadÅ‚o <dawid@vidocsecurity.com>
+Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_time.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
+index 6aa12d0f54e23..61de85e02a40f 100644
+--- a/net/netfilter/xt_time.c
++++ b/net/netfilter/xt_time.c
+@@ -227,13 +227,13 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par)
+       localtime_2(&current_time, stamp);
+-      if (!(info->weekdays_match & (1 << current_time.weekday)))
++      if (!(info->weekdays_match & (1U << current_time.weekday)))
+               return false;
+       /* Do not spend time computing monthday if all days match anyway */
+       if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) {
+               localtime_3(&current_time, stamp);
+-              if (!(info->monthdays_match & (1 << current_time.monthday)))
++              if (!(info->monthdays_match & (1U << current_time.monthday)))
+                       return false;
+       }
+-- 
+2.51.0
+
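Review bot: The `1U` shifts at the two changed lines in time_mt only remove the undefined behavior if `current_time.monthday` stays at most 31 and `monthdays_match` is a 32-bit mask; neither invariant is visible in the hunk, so the code should state the one it relies on. A short comment at the monthday test, e.g. `/* monthday is 1..31, so 1U << monthday fits the 32-bit mask */`, would tie the fix to the reasoning given in the changelog. If `monthdays_match` or `weekdays_match` were ever widened beyond 32 bits the shift would need `1ULL`; the struct definition is outside the hunk and should be checked.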
diff --git a/queue-6.6/nfnetlink_osf-validate-individual-option-lengths-in-.patch b/queue-6.6/nfnetlink_osf-validate-individual-option-lengths-in-.patch
new file mode 100644 (file)
index 0000000..b3285a4
--- /dev/null
@@ -0,0 +1,83 @@
+From c6e56b5ca74c091e544b42ab4e0e8005eff94011 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Mar 2026 15:32:44 +0800
+Subject: nfnetlink_osf: validate individual option lengths in fingerprints
+
+From: Weiming Shi <bestswngs@gmail.com>
+
+[ Upstream commit dbdfaae9609629a9569362e3b8f33d0a20fd783c ]
+
+nfnl_osf_add_callback() validates opt_num bounds and string
+NUL-termination but does not check individual option length fields.
+A zero-length option causes nf_osf_match_one() to enter the option
+matching loop even when foptsize sums to zero, which matches packets
+with no TCP options where ctx->optp is NULL:
+
+ Oops: general protection fault
+ KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
+ Call Trace:
+  nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
+  xt_osf_match_packet (net/netfilter/xt_osf.c:32)
+  ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
+  nf_hook_slow (net/netfilter/core.c:623)
+  ip_local_deliver (net/ipv4/ip_input.c:262)
+  ip_rcv (net/ipv4/ip_input.c:573)
+
+Additionally, an MSS option (kind=2) with length < 4 causes
+out-of-bounds reads when nf_osf_match_one() unconditionally accesses
+optp[2] and optp[3] for MSS value extraction.  While RFC 9293
+section 3.2 specifies that the MSS option is always exactly 4
+bytes (Kind=2, Length=4), the check uses "< 4" rather than
+"!= 4" because lengths greater than 4 do not cause memory
+safety issues -- the buffer is guaranteed to be at least
+foptsize bytes by the ctx->optsize == foptsize check.
+
+Reject fingerprints where any option has zero length, or where an MSS
+option has length less than 4, at add time rather than trusting these
+values in the packet matching hot path.
+
+Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
+Reported-by: Xiang Mei <xmei5@asu.edu>
+Signed-off-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_osf.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
+index 50723ba082890..da9d5d6de98f4 100644
+--- a/net/netfilter/nfnetlink_osf.c
++++ b/net/netfilter/nfnetlink_osf.c
+@@ -302,7 +302,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
+ {
+       struct nf_osf_user_finger *f;
+       struct nf_osf_finger *kf = NULL, *sf;
++      unsigned int tot_opt_len = 0;
+       int err = 0;
++      int i;
+       if (!capable(CAP_NET_ADMIN))
+               return -EPERM;
+@@ -318,6 +320,17 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
+       if (f->opt_num > ARRAY_SIZE(f->opt))
+               return -EINVAL;
++      for (i = 0; i < f->opt_num; i++) {
++              if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
++                      return -EINVAL;
++              if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)
++                      return -EINVAL;
++
++              tot_opt_len += f->opt[i].length;
++              if (tot_opt_len > MAX_IPOPTLEN)
++                      return -EINVAL;
++      }
++
+       if (!memchr(f->genre, 0, MAXGENRELEN) ||
+           !memchr(f->subtype, 0, MAXGENRELEN) ||
+           !memchr(f->version, 0, MAXGENRELEN))
+-- 
+2.51.0
+
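Review bot: The `length < 4` test for `OSFOPT_MSS` in the new loop in nfnl_osf_add_callback deliberately accepts oversized MSS options, but that reasoning lives only in the changelog; the code should carry it. Suggest above that check: `/* nf_osf_match_one() reads optp[2..3] for MSS; shorter options would read past the option, longer ones stay inside the foptsize-bounded buffer. */`. The per-option `length > MAX_IPOPTLEN` test appears redundant with the running `tot_opt_len > MAX_IPOPTLEN` check a few lines later, since any single oversized length also pushes the total over the limit; either drop it or comment that it is kept for readability. `i` is declared `int` while `opt_num` is compared against `ARRAY_SIZE(f->opt)` just above, so a signed/unsigned comparison warning is possible depending on `opt_num`'s type, which is declared outside the hunk.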
diff --git a/queue-6.6/pm-runtime-fix-a-race-condition-related-to-device-re.patch b/queue-6.6/pm-runtime-fix-a-race-condition-related-to-device-re.patch
new file mode 100644 (file)
index 0000000..638522a
--- /dev/null
@@ -0,0 +1,126 @@
+From 915ad709996515b5d2b1272b01b506f917c62741 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Mar 2026 11:27:20 -0700
+Subject: PM: runtime: Fix a race condition related to device removal
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 29ab768277617452d88c0607c9299cdc63b6e9ff ]
+
+The following code in pm_runtime_work() may dereference the dev->parent
+pointer after the parent device has been freed:
+
+       /* Maybe the parent is now able to suspend. */
+       if (parent && !parent->power.ignore_children) {
+               spin_unlock(&dev->power.lock);
+
+               spin_lock(&parent->power.lock);
+               rpm_idle(parent, RPM_ASYNC);
+               spin_unlock(&parent->power.lock);
+
+               spin_lock(&dev->power.lock);
+       }
+
+Fix this by inserting a flush_work() call in pm_runtime_remove().
+
+Without this patch blktest block/001 triggers the following complaint
+sporadically:
+
+BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160
+Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081
+Workqueue: pm pm_runtime_work
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x61/0x80
+ print_address_description.constprop.0+0x8b/0x310
+ print_report+0xfd/0x1d7
+ kasan_report+0xd8/0x1d0
+ __kasan_check_byte+0x42/0x60
+ lock_acquire.part.0+0x38/0x230
+ lock_acquire+0x70/0x160
+ _raw_spin_lock+0x36/0x50
+ rpm_suspend+0xc6a/0xfe0
+ rpm_idle+0x578/0x770
+ pm_runtime_work+0xee/0x120
+ process_one_work+0xde3/0x1410
+ worker_thread+0x5eb/0xfe0
+ kthread+0x37b/0x480
+ ret_from_fork+0x6cb/0x920
+ ret_from_fork_asm+0x11/0x20
+ </TASK>
+
+Allocated by task 4314:
+ kasan_save_stack+0x2a/0x50
+ kasan_save_track+0x18/0x40
+ kasan_save_alloc_info+0x3d/0x50
+ __kasan_kmalloc+0xa0/0xb0
+ __kmalloc_noprof+0x311/0x990
+ scsi_alloc_target+0x122/0xb60 [scsi_mod]
+ __scsi_scan_target+0x101/0x460 [scsi_mod]
+ scsi_scan_channel+0x179/0x1c0 [scsi_mod]
+ scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]
+ store_scan+0x2d2/0x390 [scsi_mod]
+ dev_attr_store+0x43/0x80
+ sysfs_kf_write+0xde/0x140
+ kernfs_fop_write_iter+0x3ef/0x670
+ vfs_write+0x506/0x1470
+ ksys_write+0xfd/0x230
+ __x64_sys_write+0x76/0xc0
+ x64_sys_call+0x213/0x1810
+ do_syscall_64+0xee/0xfc0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Freed by task 4314:
+ kasan_save_stack+0x2a/0x50
+ kasan_save_track+0x18/0x40
+ kasan_save_free_info+0x3f/0x50
+ __kasan_slab_free+0x67/0x80
+ kfree+0x225/0x6c0
+ scsi_target_dev_release+0x3d/0x60 [scsi_mod]
+ device_release+0xa3/0x220
+ kobject_cleanup+0x105/0x3a0
+ kobject_put+0x72/0xd0
+ put_device+0x17/0x20
+ scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]
+ device_release+0xa3/0x220
+ kobject_cleanup+0x105/0x3a0
+ kobject_put+0x72/0xd0
+ put_device+0x17/0x20
+ scsi_device_put+0x7f/0xc0 [scsi_mod]
+ sdev_store_delete+0xa5/0x120 [scsi_mod]
+ dev_attr_store+0x43/0x80
+ sysfs_kf_write+0xde/0x140
+ kernfs_fop_write_iter+0x3ef/0x670
+ vfs_write+0x506/0x1470
+ ksys_write+0xfd/0x230
+ __x64_sys_write+0x76/0xc0
+ x64_sys_call+0x213/0x1810
+
+Reported-by: Ming Lei <ming.lei@redhat.com>
+Closes: https://lore.kernel.org/all/ZxdNvLNI8QaOfD2d@fedora/
+Reported-by: syzbot+6c905ab800f20cf4086c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68c13942.050a0220.2ff435.000b.GAE@google.com/
+Fixes: 5e928f77a09a ("PM: Introduce core framework for run-time PM of I/O devices (rev. 17)")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20260312182720.2776083-1-bvanassche@acm.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/runtime.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
+index b28fb11cd6db8..2766bdc9158ab 100644
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -1854,6 +1854,7 @@ void pm_runtime_reinit(struct device *dev)
+ void pm_runtime_remove(struct device *dev)
+ {
+       __pm_runtime_disable(dev, false);
++      flush_work(&dev->power.work);
+       pm_runtime_reinit(dev);
+ }
+-- 
+2.51.0
+
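Review bot: The new `flush_work(&dev->power.work)` in pm_runtime_remove only closes the race if nothing can requeue the work after the flush, which here depends on `__pm_runtime_disable(dev, false)` on the preceding line having already disabled runtime PM for the device; that ordering dependency deserves a comment so a later reordering does not silently reopen the use-after-free. Suggest: `/* Runtime PM is disabled above, so no new work can be queued; drain a pm_runtime_work() that may still touch dev->parent. */`. Whether `__pm_runtime_disable` also waits for in-flight callbacks is not visible here, so the comment's claim should be confirmed against its definition before it is committed.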
diff --git a/queue-6.6/sched-idle-consolidate-the-handling-of-two-special-c.patch b/queue-6.6/sched-idle-consolidate-the-handling-of-two-special-c.patch
new file mode 100644 (file)
index 0000000..fc4e0c6
--- /dev/null
@@ -0,0 +1,133 @@
+From c48e2b31c3891421ebfa088289350286079d9794 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Mar 2026 13:25:41 +0100
+Subject: sched: idle: Consolidate the handling of two special cases
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit f4c31b07b136839e0fb3026f8a5b6543e3b14d2f ]
+
+There are two special cases in the idle loop that are handled
+inconsistently even though they are analogous.
+
+The first one is when a cpuidle driver is absent and the default CPU
+idle time power management implemented by the architecture code is used.
+In that case, the scheduler tick is stopped every time before invoking
+default_idle_call().
+
+The second one is when a cpuidle driver is present, but there is only
+one idle state in its table.  In that case, the scheduler tick is never
+stopped at all.
+
+Since each of these approaches has its drawbacks, reconcile them with
+the help of one simple heuristic.  Namely, stop the tick if the CPU has
+been woken up by it in the previous iteration of the idle loop, or let
+it tick otherwise.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Christian Loehle <christian.loehle@arm.com>
+Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
+Reviewed-by: Qais Yousef <qyousef@layalina.io>
+Reviewed-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
+Fixes: ed98c3491998 ("sched: idle: Do not stop the tick before cpuidle_idle_call()")
+[ rjw: Added Fixes tag, changelog edits ]
+Link: https://patch.msgid.link/4741364.LvFx2qVVIh@rafael.j.wysocki
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/idle.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c
+index ecf555ad158ab..20a8f0f972e63 100644
+--- a/kernel/sched/idle.c
++++ b/kernel/sched/idle.c
+@@ -134,6 +134,14 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev,
+       return cpuidle_enter(drv, dev, next_state);
+ }
++static void idle_call_stop_or_retain_tick(bool stop_tick)
++{
++      if (stop_tick || tick_nohz_tick_stopped())
++              tick_nohz_idle_stop_tick();
++      else
++              tick_nohz_idle_retain_tick();
++}
++
+ /**
+  * cpuidle_idle_call - the main idle function
+  *
+@@ -143,7 +151,7 @@ static int call_cpuidle(struct cpuidle_driver *drv, struct cpuidle_device *dev,
+  * set, and it returns with polling set.  If it ever stops polling, it
+  * must clear the polling bit.
+  */
+-static void cpuidle_idle_call(void)
++static void cpuidle_idle_call(bool stop_tick)
+ {
+       struct cpuidle_device *dev = cpuidle_get_device();
+       struct cpuidle_driver *drv = cpuidle_get_cpu_driver(dev);
+@@ -165,7 +173,7 @@ static void cpuidle_idle_call(void)
+        */
+       if (cpuidle_not_available(drv, dev)) {
+-              tick_nohz_idle_stop_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               default_idle_call();
+               goto exit_idle;
+@@ -200,17 +208,19 @@ static void cpuidle_idle_call(void)
+               next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns);
+               call_cpuidle(drv, dev, next_state);
+       } else if (drv->state_count > 1) {
+-              bool stop_tick = true;
++              /*
++               * stop_tick is expected to be true by default by cpuidle
++               * governors, which allows them to select idle states with
++               * target residency above the tick period length.
++               */
++              stop_tick = true;
+               /*
+                * Ask the cpuidle framework to choose a convenient idle state.
+                */
+               next_state = cpuidle_select(drv, dev, &stop_tick);
+-              if (stop_tick || tick_nohz_tick_stopped())
+-                      tick_nohz_idle_stop_tick();
+-              else
+-                      tick_nohz_idle_retain_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               entered_state = call_cpuidle(drv, dev, next_state);
+               /*
+@@ -218,7 +228,7 @@ static void cpuidle_idle_call(void)
+                */
+               cpuidle_reflect(dev, entered_state);
+       } else {
+-              tick_nohz_idle_retain_tick();
++              idle_call_stop_or_retain_tick(stop_tick);
+               /*
+                * If there is only a single idle state (or none), there is
+@@ -246,6 +256,7 @@ static void cpuidle_idle_call(void)
+ static void do_idle(void)
+ {
+       int cpu = smp_processor_id();
++      bool got_tick = false;
+       /*
+        * Check if we need to update blocked load
+@@ -288,8 +299,9 @@ static void do_idle(void)
+                       tick_nohz_idle_restart_tick();
+                       cpu_idle_poll();
+               } else {
+-                      cpuidle_idle_call();
++                      cpuidle_idle_call(got_tick);
+               }
++              got_tick = tick_nohz_idle_got_tick();
+               arch_cpu_idle_exit();
+       }
+-- 
+2.51.0
+
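Review bot: cpuidle_idle_call gains a `stop_tick` parameter but the kernel-doc block above it (` * cpuidle_idle_call - the main idle function`) is left without a `@stop_tick:` entry, so kernel-doc will warn about the missing description. Suggest adding after the summary line: ` * @stop_tick: stop the scheduler tick before idling when no governor decides it`, and a comment at `bool got_tick = false;` in do_idle noting that it carries `tick_nohz_idle_got_tick()` from the previous iteration into that argument. The new helper idle_call_stop_or_retain_tick also has no comment; a one-liner such as `/* Stop the tick if asked to or if it is already stopped, otherwise keep it running. */` would document the `tick_nohz_tick_stopped()` short-circuit. Note that in the `drv->state_count > 1` branch the parameter is overwritten with `stop_tick = true` before `cpuidle_select()`, so the caller's value only matters in the no-driver and single-state paths, which the `@stop_tick:` text should say.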
index 95f6a24ac3d850c584f44937e675ee6e33b31f02..fe5603f7eb2e86936e11f8075e8d8023680d80fe 100644 (file)
@@ -493,3 +493,56 @@ drm-amdgpu-mmhub3.0-add-bounds-checking-for-cid.patch
 drm-radeon-apply-state-adjust-rules-to-some-additional-hainan-vairants.patch
 drm-amdgpu-apply-state-adjust-rules-to-some-additional-hainan-vairants.patch
 drm-amd-display-wrap-dcn32_override_min_req_memclk-in-dc_fp_-start-end.patch
+btrfs-log-new-dentries-when-logging-parent-dir-of-a-.patch
+btrfs-tree-checker-fix-misleading-root-drop_level-er.patch
+cache-ax45mp-fix-device-node-reference-leak-in-ax45m.patch
+soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
+wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch
+wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
+firmware-arm_scpi-fix-device_node-reference-leak-in-.patch
+bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch
+bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch
+bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch
+bluetooth-iso-fix-defer-tests-being-unstable.patch
+bluetooth-hci_sync-fix-hci_le_create_conn_sync.patch
+bluetooth-hidp-fix-possible-uaf.patch
+bluetooth-l2cap-fix-use-after-free-in-l2cap_unregist.patch
+bluetooth-qca-fix-rom-version-reading-on-wcn3998-chi.patch
+net-rose-fix-null-pointer-dereference-in-rose_transm.patch
+mpls-add-missing-unregister_netdevice_notifier-to-mp.patch
+netfilter-ctnetlink-remove-refcounting-in-expectatio.patch
+netfilter-ctnetlink-fix-use-after-free-in-ctnetlink_.patch
+netfilter-nf_conntrack_sip-fix-content-length-u32-tr.patch
+netfilter-nf_conntrack_h323-fix-oob-read-in-decode_i.patch
+netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch
+netfilter-nft_ct-drop-pending-enqueued-packets-on-re.patch
+netfilter-xt_ct-drop-pending-enqueued-packets-on-tem.patch
+netfilter-xt_time-use-unsigned-int-for-monthday-bit-.patch
+netfilter-nf_conntrack_h323-check-for-zero-length-in.patch
+net-bcmgenet-increase-wol-poll-timeout.patch
+net-mana-fix-use-after-free-in-mana_hwc_destroy_chan.patch
+sched-idle-consolidate-the-handling-of-two-special-c.patch
+pm-runtime-fix-a-race-condition-related-to-device-re.patch
+net-smc-fix-null-dereference-and-uaf-in-smc_tcp_syn_.patch
+net-sched-teql-fix-double-free-in-teql_master_xmit.patch
+net-usb-cdc_ncm-add-ndpoffset-to-ndp16-nframes-bound.patch
+net-usb-cdc_ncm-add-ndpoffset-to-ndp32-nframes-bound.patch
+clsact-fix-use-after-free-in-init-destroy-rollback-a.patch
+net-usb-aqc111-do-not-perform-pm-inside-suspend-call.patch
+igc-fix-missing-update-of-skb-tail-in-igc_xmit_frame.patch
+iavf-fix-vlan-filter-lost-on-add-delete-race.patch
+wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
+wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
+acpi-processor-fix-previous-acpi_processor_errata_pi.patch
+net-macb-fix-uninitialized-rx_fs_lock.patch
+net-mlx5-qos-restrict-rtnl-area-to-avoid-a-lock-cycl.patch
+net-mlx5e-prevent-concurrent-access-to-ipsec-aso-con.patch
+net-mlx5e-fix-race-condition-during-ipsec-esn-update.patch
+udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
+net-bonding-fix-null-deref-in-bond_debug_rlb_hash_sh.patch
+netfilter-bpf-defer-hook-memory-release-until-rcu-re.patch
+netfilter-nf_tables-release-flowtable-after-rcu-grac.patch
+nfnetlink_osf-validate-individual-option-lengths-in-.patch
+net-mvpp2-guard-flow-control-update-with-global_tx_f.patch
+net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch
+icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch
diff --git a/queue-6.6/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch b/queue-6.6/soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch
new file mode 100644 (file)
index 0000000..e9e3930
--- /dev/null
@@ -0,0 +1,92 @@
+From e58d03a913bfd62b698032d3dc8f6471c6ad44d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 08:25:49 +0100
+Subject: soc: fsl: qbman: fix race condition in qman_destroy_fq
+
+From: Richard Genoud <richard.genoud@bootlin.com>
+
+[ Upstream commit 014077044e874e270ec480515edbc1cadb976cf2 ]
+
+When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between
+fq_table[fq->idx] state and freeing/allocating from the pool and
+WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.
+
+Indeed, we can have:
+         Thread A                             Thread B
+    qman_destroy_fq()                    qman_create_fq()
+      qman_release_fqid()
+        qman_shutdown_fq()
+        gen_pool_free()
+           -- At this point, the fqid is available again --
+                                           qman_alloc_fqid()
+           -- so, we can get the just-freed fqid in thread B --
+                                           fq->fqid = fqid;
+                                           fq->idx = fqid * 2;
+                                           WARN_ON(fq_table[fq->idx]);
+                                           fq_table[fq->idx] = fq;
+     fq_table[fq->idx] = NULL;
+
+And adding some logs between qman_release_fqid() and
+fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.
+
+To prevent that, ensure that fq_table[fq->idx] is set to NULL before
+gen_pool_free() is called by using smp_wmb().
+
+Fixes: c535e923bb97 ("soc/fsl: Introduce DPAA 1.x QMan device driver")
+Signed-off-by: Richard Genoud <richard.genoud@bootlin.com>
+Tested-by: CHAMPSEIX Thomas <thomas.champseix@alstomgroup.com>
+Link: https://lore.kernel.org/r/20251223072549.397625-1-richard.genoud@bootlin.com
+Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qbman/qman.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
+index 7e9074519ad22..bcbf6bf2e8f45 100644
+--- a/drivers/soc/fsl/qbman/qman.c
++++ b/drivers/soc/fsl/qbman/qman.c
+@@ -1827,6 +1827,8 @@ EXPORT_SYMBOL(qman_create_fq);
+ void qman_destroy_fq(struct qman_fq *fq)
+ {
++      int leaked;
++
+       /*
+        * We don't need to lock the FQ as it is a pre-condition that the FQ be
+        * quiesced. Instead, run some checks.
+@@ -1834,11 +1836,29 @@ void qman_destroy_fq(struct qman_fq *fq)
+       switch (fq->state) {
+       case qman_fq_state_parked:
+       case qman_fq_state_oos:
+-              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID))
+-                      qman_release_fqid(fq->fqid);
++              /*
++               * There's a race condition here on releasing the fqid,
++               * setting the fq_table to NULL, and freeing the fqid.
++               * To prevent it, this order should be respected:
++               */
++              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID)) {
++                      leaked = qman_shutdown_fq(fq->fqid);
++                      if (leaked)
++                              pr_debug("FQID %d leaked\n", fq->fqid);
++              }
+               DPAA_ASSERT(fq_table[fq->idx]);
+               fq_table[fq->idx] = NULL;
++
++              if (fq_isset(fq, QMAN_FQ_FLAG_DYNAMIC_FQID) && !leaked) {
++                      /*
++                       * fq_table[fq->idx] should be set to null before
++                       * freeing fq->fqid otherwise it could by allocated by
++                       * qman_alloc_fqid() while still being !NULL
++                       */
++                      smp_wmb();
++                      gen_pool_free(qm_fqalloc, fq->fqid | DPAA_GENALLOC_OFF, 1);
++              }
+               return;
+       default:
+               break;
+-- 
+2.51.0
+
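Review bot: `leaked` in qman_destroy_fq is declared without an initializer and assigned only inside the first `QMAN_FQ_FLAG_DYNAMIC_FQID` block, yet it is read in the second one; the read is reachable only when the same flag test passes, so this is safe today but fragile, and compilers may emit a maybe-uninitialized warning — prefer `int leaked = 0;`. The added comment has a typo: `it could by allocated` should read `it could be allocated`. The `smp_wmb()` only orders this CPU's store to `fq_table[fq->idx]` before `gen_pool_free()`; the comment should name the reader-side ordering it pairs with in `qman_alloc_fqid()`/`qman_create_fq()`, which is outside the hunk and cannot be checked here. When `leaked` is non-zero the fqid is intentionally never returned to the pool; a comment at the `pr_debug` saying so would make that explicit.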
diff --git a/queue-6.6/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch b/queue-6.6/udp_tunnel-fix-null-deref-caused-by-udp_sock_create6.patch
new file mode 100644 (file)
index 0000000..a063315
--- /dev/null
@@ -0,0 +1,64 @@
+From 2b3a5278ce4b6f81725d4b10ce0a28bd143fc2ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2026 18:02:41 -0700
+Subject: udp_tunnel: fix NULL deref caused by udp_sock_create6 when
+ CONFIG_IPV6=n
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit b3a6df291fecf5f8a308953b65ca72b7fc9e015d ]
+
+When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0
+(success) without actually creating a socket. Callers such as
+fou_create() then proceed to dereference the uninitialized socket
+pointer, resulting in a NULL pointer dereference.
+
+The captured NULL deref crash:
+  BUG: kernel NULL pointer dereference, address: 0000000000000018
+  RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)
+  [...]
+  Call Trace:
+    <TASK>
+    genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)
+    genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)
+    [...]
+    netlink_rcv_skb (net/netlink/af_netlink.c:2550)
+    genl_rcv (net/netlink/genetlink.c:1219)
+    netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
+    netlink_sendmsg (net/netlink/af_netlink.c:1894)
+    __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))
+    __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))
+    __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))
+    do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+    entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)
+
+This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so
+callers correctly take their error paths. There is only one caller of
+the vulnerable function and only privileged users can trigger it.
+
+Fixes: fd384412e199b ("udp_tunnel: Seperate ipv6 functions into its own file.")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260317010241.1893893-1-xmei5@asu.edu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/udp_tunnel.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
+index 29251c3519cf0..0e6eb40cd7778 100644
+--- a/include/net/udp_tunnel.h
++++ b/include/net/udp_tunnel.h
+@@ -47,7 +47,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+ static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+                                  struct socket **sockp)
+ {
+-      return 0;
++      return -EPFNOSUPPORT;
+ }
+ #endif
+-- 
+2.51.0
+
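Review bot: The `CONFIG_IPV6=n` stub of udp_sock_create6 now fails, but nothing at the changed line says why, and a reader seeing a bare `return -EPFNOSUPPORT;` in an inline helper may not realize `*sockp` is deliberately left untouched; a comment such as `/* No IPv6 support built in: fail so callers never dereference *sockp. */` would make the contract explicit. Other IPv6-absent stubs in the tree commonly return -EAFNOSUPPORT; whether -EPFNOSUPPORT is the better fit for udp_sock_create()'s callers should be confirmed, since userspace will observe the errno through paths such as the fou netlink request named in the changelog.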
diff --git a/queue-6.6/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch b/queue-6.6/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch
new file mode 100644 (file)
index 0000000..90840cd
--- /dev/null
@@ -0,0 +1,51 @@
+From 2715c4645a81af2371c651f0cde77108ccad98f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Mar 2026 21:36:59 +0530
+Subject: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
+
+From: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
+
+[ Upstream commit 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 ]
+
+When the nl80211 socket that originated a PMSR request is
+closed, cfg80211_release_pmsr() sets the request's nl_portid
+to zero and schedules pmsr_free_wk to process the abort
+asynchronously. If the interface is concurrently torn down
+before that work runs, cfg80211_pmsr_wdev_down() calls
+cfg80211_pmsr_process_abort() directly. However, the already-
+scheduled pmsr_free_wk work item remains pending and may run
+after the interface has been removed from the driver. This
+could cause the driver's abort_pmsr callback to operate on a
+torn-down interface, leading to undefined behavior and
+potential crashes.
+
+Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()
+before calling cfg80211_pmsr_process_abort(). This ensures any
+pending or in-progress work is drained before interface teardown
+proceeds, preventing the work from invoking the driver abort
+callback after the interface is gone.
+
+Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API")
+Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260305160712.1263829-3-peddolla.reddy@oss.qualcomm.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/pmsr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c
+index 841a4516793b1..77cb1de9fc13b 100644
+--- a/net/wireless/pmsr.c
++++ b/net/wireless/pmsr.c
+@@ -641,6 +641,7 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev)
+       }
+       spin_unlock_bh(&wdev->pmsr_lock);
++      cancel_work_sync(&wdev->pmsr_free_wk);
+       if (found)
+               cfg80211_pmsr_process_abort(wdev);
+-- 
+2.51.0
+
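Review bot: The `cancel_work_sync(&wdev->pmsr_free_wk)` added to cfg80211_pmsr_wdev_down sits after `spin_unlock_bh(&wdev->pmsr_lock)`, which is required since it can sleep, but nothing in the hunk says the placement is deliberate; a comment would protect the ordering: `/* Drain pmsr_free_wk outside pmsr_lock (it can sleep) so it cannot run after the driver has dropped the interface. */`. It is also worth confirming that cfg80211_release_pmsr() cannot schedule the work again after this cancel, e.g. because both paths run under the same wiphy lock; if not, a late socket close could still queue it after teardown. The function continues outside the hunk, where `found` is computed.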
diff --git a/queue-6.6/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch b/queue-6.6/wifi-mac80211-fix-null-deref-in-mesh_matches_local.patch
new file mode 100644 (file)
index 0000000..7b48e5d
--- /dev/null
@@ -0,0 +1,81 @@
+From bf18c45fcd815ffa54117200aeddb745e29b8eac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 20:42:44 -0700
+Subject: wifi: mac80211: fix NULL deref in mesh_matches_local()
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd ]
+
+mesh_matches_local() unconditionally dereferences ie->mesh_config to
+compare mesh configuration parameters. When called from
+mesh_rx_csa_frame(), the parsed action-frame elements may not contain a
+Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a
+kernel NULL pointer dereference.
+
+The other two callers are already safe:
+  - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before
+    calling mesh_matches_local()
+  - mesh_plink_get_event() is only reached through
+    mesh_process_plink_frame(), which checks !elems->mesh_config, too
+
+mesh_rx_csa_frame() is the only caller that passes raw parsed elements
+to mesh_matches_local() without guarding mesh_config. An adjacent
+attacker can exploit this by sending a crafted CSA action frame that
+includes a valid Mesh ID IE but omits the Mesh Configuration IE,
+crashing the kernel.
+
+The captured crash log:
+
+Oops: general protection fault, probably for non-canonical address ...
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+Workqueue: events_unbound cfg80211_wiphy_work
+[...]
+Call Trace:
+ <TASK>
+ ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
+ ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
+ [...]
+ ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
+ [...]
+ cfg80211_wiphy_work (net/wireless/core.c:426)
+ process_one_work (net/kernel/workqueue.c:3280)
+ ? assign_work (net/kernel/workqueue.c:1219)
+ worker_thread (net/kernel/workqueue.c:3352)
+ ? __pfx_worker_thread (net/kernel/workqueue.c:3385)
+ kthread (net/kernel/kthread.c:436)
+ [...]
+ ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
+ </TASK>
+
+This patch adds a NULL check for ie->mesh_config at the top of
+mesh_matches_local() to return false early when the Mesh Configuration
+IE is absent.
+
+Fixes: 2e3c8736820b ("mac80211: support functions for mesh")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/20260318034244.2595020-1-xmei5@asu.edu
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index 3e6e0497520d6..0899443e83cda 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -76,6 +76,9 @@ bool mesh_matches_local(struct ieee80211_sub_if_data *sdata,
+        *   - MDA enabled
+        * - Power management control on fc
+        */
++      if (!ie->mesh_config)
++              return false;
++
+       if (!(ifmsh->mesh_id_len == ie->mesh_id_len &&
+            memcmp(ifmsh->mesh_id, ie->mesh_id, ie->mesh_id_len) == 0 &&
+            (ifmsh->mesh_pp_id == ie->mesh_config->meshconf_psel) &&
+-- 
+2.51.0
+
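Review bot: The added NULL check in mesh_matches_local() carries no comment saying why a parsed element set can lack mesh_config, so a later reader may take it for dead code given that the other callers already guard it before calling. A one-line comment above the check such as `/* mesh_rx_csa_frame() passes raw parsed elements; the Mesh Configuration IE may be absent */` would pin the reason in the code rather than only in the commit message. The early return also sits between the block comment describing the compared parameters and the condition that comment documents; placing it before that comment would read more naturally. mesh_matches_local() continues outside the hunk on both sides.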
diff --git a/queue-6.6/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch b/queue-6.6/wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch
new file mode 100644 (file)
index 0000000..af4ea34
--- /dev/null
@@ -0,0 +1,112 @@
+From 1a437d7b870552887365e2340a45288b166b3cc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Mar 2026 07:24:02 +0000
+Subject: wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit b94ae8e0d5fe1bdbbfdc3854ff6ce98f6876a828 ]
+
+syzbot reported static_branch_dec() underflow in aql_enable_write(). [0]
+
+The problem is that aql_enable_write() does not serialise concurrent
+write()s to the debugfs.
+
+aql_enable_write() checks static_key_false(&aql_disable.key) and
+later calls static_branch_inc() or static_branch_dec(), but the
+state may change between the two calls.
+
+aql_disable does not need to track inc/dec.
+
+Let's use static_branch_enable() and static_branch_disable().
+
+[0]:
+val == 0
+WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288
+Modules linked in:
+CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G     U       L      syzkaller #0 PREEMPT(full)
+Tainted: [U]=USER, [L]=SOFTLOCKUP
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
+RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311
+Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00
+RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4
+RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000
+RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a
+R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98
+FS:  00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000200000001140 CR3: 000000007cc4a000 CR4: 00000000003526f0
+Call Trace:
+ <TASK>
+ __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline]
+ __static_key_slow_dec kernel/jump_label.c:321 [inline]
+ static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336
+ aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343
+ short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383
+ vfs_write+0x2aa/0x1070 fs/read_write.c:684
+ ksys_pwrite64 fs/read_write.c:793 [inline]
+ __do_sys_pwrite64 fs/read_write.c:801 [inline]
+ __se_sys_pwrite64 fs/read_write.c:798 [inline]
+ __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f530cf9aeb9
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
+RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9
+RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010
+RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000
+R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978
+ </TASK>
+
+Fixes: e908435e402a ("mac80211: introduce aql_enable node in debugfs")
+Reported-by: syzbot+feb9ce36a95341bb47a4@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69a8979e.a70a0220.b118c.0025.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260306072405.3649474-1-kuniyu@google.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/debugfs.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c
+index 207f772bd8ce2..bd7c5dfeaa8c5 100644
+--- a/net/mac80211/debugfs.c
++++ b/net/mac80211/debugfs.c
+@@ -326,7 +326,6 @@ static ssize_t aql_enable_read(struct file *file, char __user *user_buf,
+ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf,
+                               size_t count, loff_t *ppos)
+ {
+-      bool aql_disabled = static_key_false(&aql_disable.key);
+       char buf[3];
+       size_t len;
+@@ -341,15 +340,12 @@ static ssize_t aql_enable_write(struct file *file, const char __user *user_buf,
+       if (len > 0 && buf[len - 1] == '\n')
+               buf[len - 1] = 0;
+-      if (buf[0] == '0' && buf[1] == '\0') {
+-              if (!aql_disabled)
+-                      static_branch_inc(&aql_disable);
+-      } else if (buf[0] == '1' && buf[1] == '\0') {
+-              if (aql_disabled)
+-                      static_branch_dec(&aql_disable);
+-      } else {
++      if (buf[0] == '0' && buf[1] == '\0')
++              static_branch_enable(&aql_disable);
++      else if (buf[0] == '1' && buf[1] == '\0')
++              static_branch_disable(&aql_disable);
++      else
+               return -EINVAL;
+-      }
+       return count;
+ }
+-- 
+2.51.0
+
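Review bot: The switch to static_branch_enable()/static_branch_disable() in aql_enable_write() has no comment explaining why the previous inc/dec pairing was unsafe, so the reason this is now race-free lives only in the commit message. A short comment above the `if`, e.g. `/* enable()/disable() are idempotent, so unserialised concurrent writes cannot unbalance the key's count */`, would discourage reintroducing a refcounted inc/dec later. Dropping the `aql_disabled` snapshot is consistent with that, since the new code no longer needs to read the key's state before writing it. Whether `buf` is NUL-terminated before `buf[1]` is compared depends on the copy-in lines outside the hunk.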
diff --git a/queue-6.6/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch b/queue-6.6/wifi-wlcore-return-enomem-instead-of-eagain-if-there.patch
new file mode 100644 (file)
index 0000000..86d4e76
--- /dev/null
@@ -0,0 +1,54 @@
+From f15b48473131b496d007edf4811292ab3ad9f2ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Mar 2026 23:46:36 -0700
+Subject: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not
+ enough headroom
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit deb353d9bb009638b7762cae2d0b6e8fdbb41a69 ]
+
+Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom
+before skb_push"), wl1271_tx_allocate() and with it
+wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails.
+However, in wlcore_tx_work_locked(), a return value of -EAGAIN from
+wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being
+full. This causes the code to flush the buffer, put the skb back at the
+head of the queue, and immediately retry the same skb in a tight while
+loop.
+
+Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens
+immediately with GFP_ATOMIC, this will result in an infinite loop and a
+CPU soft lockup. Return -ENOMEM instead so the packet is dropped and
+the loop terminates.
+
+The problem was found by an experimental code review agent based on
+gemini-3.1-pro while reviewing backports into v6.18.y.
+
+Assisted-by: Gemini:gemini-3.1-pro
+Fixes: e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push")
+Cc: Peter Astrand <astrand@lysator.liu.se>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://patch.msgid.link/20260318064636.3065925-1-linux@roeck-us.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wlcore/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c
+index 75ad096676561..1c6373013f66a 100644
+--- a/drivers/net/wireless/ti/wlcore/tx.c
++++ b/drivers/net/wireless/ti/wlcore/tx.c
+@@ -213,7 +213,7 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif,
+               if (skb_headroom(skb) < (total_len - skb->len) &&
+                   pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) {
+                       wl1271_free_tx_id(wl, id);
+-                      return -EAGAIN;
++                      return -ENOMEM;
+               }
+               desc = skb_push(skb, total_len - skb->len);
+-- 
+2.51.0
+
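Review bot: The new `return -ENOMEM;` in wl1271_tx_allocate() looks interchangeable with -EAGAIN to a reader who only sees this function, because the distinction is enforced by the caller's handling of the return value. A comment on the line such as `/* not -EAGAIN: wlcore_tx_work_locked() treats that as "aggregation buffer full" and retries the same skb under wl->mutex */` would keep the value from being changed back. wl1271_tx_allocate() starts and ends outside the hunk, and the caller that interprets the error code is not shown here.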