5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Oct 2025 08:38:10 +0000 (10:38 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Oct 2025 08:38:10 +0000 (10:38 +0200)
added patches:
arm64-dts-qcom-sdm845-fix-slimbam-num-channels-ees.patch
asoc-codecs-wcd934x-simplify-with-dev_err_probe.patch
asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch
dm-fix-null-pointer-dereference-in-__dm_suspend.patch
fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch
kvm-x86-don-t-re-check-l1-intercepts-when-completing-userspace-i-o.patch
media-mc-clear-minor-number-before-put-device.patch
mfd-intel_soc_pmic_chtdc_ti-drop-unneeded-assignment-for-cache_type.patch
mfd-intel_soc_pmic_chtdc_ti-fix-invalid-regmap-config-max_register-value.patch
mfd-intel_soc_pmic_chtdc_ti-set-use_single_read-regmap_config-flag.patch
net-9p-fix-double-req-put-in-p9_fd_cancelled.patch
squashfs-add-additional-inode-sanity-checking.patch
squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch
tracing-fix-race-condition-in-kprobe-initialization-causing-null-pointer-dereference.patch
udf-fix-uninit-value-use-in-udf_get_fileshortad.patch

16 files changed:
queue-5.10/arm64-dts-qcom-sdm845-fix-slimbam-num-channels-ees.patch [new file with mode: 0644]
queue-5.10/asoc-codecs-wcd934x-simplify-with-dev_err_probe.patch [new file with mode: 0644]
queue-5.10/asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch [new file with mode: 0644]
queue-5.10/dm-fix-null-pointer-dereference-in-__dm_suspend.patch [new file with mode: 0644]
queue-5.10/fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch [new file with mode: 0644]
queue-5.10/kvm-x86-don-t-re-check-l1-intercepts-when-completing-userspace-i-o.patch [new file with mode: 0644]
queue-5.10/media-mc-clear-minor-number-before-put-device.patch [new file with mode: 0644]
queue-5.10/mfd-intel_soc_pmic_chtdc_ti-drop-unneeded-assignment-for-cache_type.patch [new file with mode: 0644]
queue-5.10/mfd-intel_soc_pmic_chtdc_ti-fix-invalid-regmap-config-max_register-value.patch [new file with mode: 0644]
queue-5.10/mfd-intel_soc_pmic_chtdc_ti-set-use_single_read-regmap_config-flag.patch [new file with mode: 0644]
queue-5.10/net-9p-fix-double-req-put-in-p9_fd_cancelled.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/squashfs-add-additional-inode-sanity-checking.patch [new file with mode: 0644]
queue-5.10/squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch [new file with mode: 0644]
queue-5.10/tracing-fix-race-condition-in-kprobe-initialization-causing-null-pointer-dereference.patch [new file with mode: 0644]
queue-5.10/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch [new file with mode: 0644]

diff --git a/queue-5.10/arm64-dts-qcom-sdm845-fix-slimbam-num-channels-ees.patch b/queue-5.10/arm64-dts-qcom-sdm845-fix-slimbam-num-channels-ees.patch
new file mode 100644 (file)
index 0000000..9201ba2
--- /dev/null
@@ -0,0 +1,49 @@
+From stable+bounces-186221-greg=kroah.com@vger.kernel.org Fri Oct 17 02:11:11 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Oct 2025 20:11:02 -0400
+Subject: arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees
+To: stable@vger.kernel.org
+Cc: Stephan Gerhold <stephan.gerhold@linaro.org>, Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>, Bjorn Andersson <andersson@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251017001102.3477703-1-sashal@kernel.org>
+
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+
+[ Upstream commit 316294bb6695a43a9181973ecd4e6fb3e576a9f7 ]
+
+Reading the hardware registers of the &slimbam on RB3 reveals that the BAM
+supports only 23 pipes (channels) and supports 4 EEs instead of 2. This
+hasn't caused problems so far since nothing is using the extra channels,
+but attempting to use them would lead to crashes.
+
+The bam_dma driver might warn in the future if the num-channels in the DT
+are wrong, so correct the properties in the DT to avoid future regressions.
+
+Cc: stable@vger.kernel.org
+Fixes: 27ca1de07dc3 ("arm64: dts: qcom: sdm845: add slimbus nodes")
+Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250821-sdm845-slimbam-channels-v1-1-498f7d46b9ee@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/qcom/sdm845.dtsi |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi
++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi
+@@ -4492,11 +4492,11 @@
+                       compatible = "qcom,bam-v1.7.0";
+                       qcom,controlled-remotely;
+                       reg = <0 0x17184000 0 0x2a000>;
+-                      num-channels  = <31>;
++                      num-channels = <23>;
+                       interrupts = <GIC_SPI 164 IRQ_TYPE_LEVEL_HIGH>;
+                       #dma-cells = <1>;
+                       qcom,ee = <1>;
+-                      qcom,num-ees = <2>;
++                      qcom,num-ees = <4>;
+                       iommus = <&apps_smmu 0x1806 0x0>;
+               };
diff --git a/queue-5.10/asoc-codecs-wcd934x-simplify-with-dev_err_probe.patch b/queue-5.10/asoc-codecs-wcd934x-simplify-with-dev_err_probe.patch
new file mode 100644 (file)
index 0000000..7396a58
--- /dev/null
@@ -0,0 +1,66 @@
+From stable+bounces-185503-greg=kroah.com@vger.kernel.org Mon Oct 13 21:42:28 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 15:42:17 -0400
+Subject: ASoC: codecs: wcd934x: Simplify with dev_err_probe
+To: stable@vger.kernel.org
+Cc: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>, Mark Brown <broonie@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251013194218.3571206-1-sashal@kernel.org>
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit fa92f4294283cc7d1f29151420be9e9336182518 ]
+
+Replace dev_err() in probe() path with dev_err_probe() to:
+1. Make code a bit simpler and easier to read,
+2. Do not print messages on deferred probe.
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20230418074630.8681-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: 4e65bda8273c ("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/wcd934x.c |   19 +++++++------------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+--- a/sound/soc/codecs/wcd934x.c
++++ b/sound/soc/codecs/wcd934x.c
+@@ -5032,10 +5032,9 @@ static int wcd934x_codec_parse_data(stru
+       slim_get_logical_addr(wcd->sidev);
+       wcd->if_regmap = regmap_init_slimbus(wcd->sidev,
+                                 &wcd934x_ifc_regmap_config);
+-      if (IS_ERR(wcd->if_regmap)) {
+-              dev_err(dev, "Failed to allocate ifc register map\n");
+-              return PTR_ERR(wcd->if_regmap);
+-      }
++      if (IS_ERR(wcd->if_regmap))
++              return dev_err_probe(dev, PTR_ERR(wcd->if_regmap),
++                                   "Failed to allocate ifc register map\n");
+       of_property_read_u32(dev->parent->of_node, "qcom,dmic-sample-rate",
+                            &wcd->dmic_sample_rate);
+@@ -5074,19 +5073,15 @@ static int wcd934x_codec_probe(struct pl
+       memcpy(wcd->tx_chs, wcd934x_tx_chs, sizeof(wcd934x_tx_chs));
+       irq = regmap_irq_get_virq(data->irq_data, WCD934X_IRQ_SLIMBUS);
+-      if (irq < 0) {
+-              dev_err(wcd->dev, "Failed to get SLIM IRQ\n");
+-              return irq;
+-      }
++      if (irq < 0)
++              return dev_err_probe(wcd->dev, irq, "Failed to get SLIM IRQ\n");
+       ret = devm_request_threaded_irq(dev, irq, NULL,
+                                       wcd934x_slim_irq_handler,
+                                       IRQF_TRIGGER_RISING,
+                                       "slim", wcd);
+-      if (ret) {
+-              dev_err(dev, "Failed to request slimbus irq\n");
+-              return ret;
+-      }
++      if (ret)
++              return dev_err_probe(dev, ret, "Failed to request slimbus irq\n");
+       wcd934x_register_mclk_output(wcd);
+       platform_set_drvdata(pdev, wcd);
diff --git a/queue-5.10/asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch b/queue-5.10/asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch
new file mode 100644 (file)
index 0000000..096d1ee
--- /dev/null
@@ -0,0 +1,85 @@
+From stable+bounces-185504-greg=kroah.com@vger.kernel.org Mon Oct 13 21:42:31 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 15:42:18 -0400
+Subject: ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()
+To: stable@vger.kernel.org
+Cc: Ma Ke <make24@iscas.ac.cn>, Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>, Mark Brown <broonie@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251013194218.3571206-2-sashal@kernel.org>
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+[ Upstream commit 4e65bda8273c938039403144730923e77916a3d7 ]
+
+wcd934x_codec_parse_data() contains a device reference count leak in
+of_slim_get_device() where device_find_child() increases the reference
+count of the device but this reference is not properly decreased in
+the success path. Add put_device() in wcd934x_codec_parse_data() and
+add devm_add_action_or_reset() in the probe function, which ensures
+that the reference count of the device is correctly managed.
+
+Memory leak in regmap_init_slimbus() as the allocated regmap is not
+released when the device is removed. Using devm_regmap_init_slimbus()
+instead of regmap_init_slimbus() to ensure automatic regmap cleanup on
+device removal.
+
+Calling path: of_slim_get_device() -> of_find_slim_device() ->
+device_find_child(). As comment of device_find_child() says, 'NOTE:
+you will need to drop the reference with put_device() after use.'.
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250923065212.26660-1-make24@iscas.ac.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/wcd934x.c |   17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/codecs/wcd934x.c
++++ b/sound/soc/codecs/wcd934x.c
+@@ -5011,6 +5011,13 @@ static const struct snd_soc_component_dr
+       .num_dapm_routes = ARRAY_SIZE(wcd934x_audio_map),
+ };
++static void wcd934x_put_device_action(void *data)
++{
++      struct device *dev = data;
++
++      put_device(dev);
++}
++
+ static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd)
+ {
+       struct device *dev = &wcd->sdev->dev;
+@@ -5030,11 +5037,13 @@ static int wcd934x_codec_parse_data(stru
+       }
+       slim_get_logical_addr(wcd->sidev);
+-      wcd->if_regmap = regmap_init_slimbus(wcd->sidev,
++      wcd->if_regmap = devm_regmap_init_slimbus(wcd->sidev,
+                                 &wcd934x_ifc_regmap_config);
+-      if (IS_ERR(wcd->if_regmap))
++      if (IS_ERR(wcd->if_regmap)) {
++              put_device(&wcd->sidev->dev);
+               return dev_err_probe(dev, PTR_ERR(wcd->if_regmap),
+                                    "Failed to allocate ifc register map\n");
++      }
+       of_property_read_u32(dev->parent->of_node, "qcom,dmic-sample-rate",
+                            &wcd->dmic_sample_rate);
+@@ -5065,6 +5074,10 @@ static int wcd934x_codec_probe(struct pl
+               return ret;
+       }
++      ret = devm_add_action_or_reset(dev, wcd934x_put_device_action, &wcd->sidev->dev);
++      if (ret)
++              return ret;
++
+       /* set default rate 9P6MHz */
+       regmap_update_bits(wcd->regmap, WCD934X_CODEC_RPM_CLK_MCLK_CFG,
+                          WCD934X_CODEC_RPM_CLK_MCLK_CFG_MCLK_MASK,
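Review bot: wcd934x_put_device_action() is added without a comment naming which reference it drops, and the pairing between the put_device() on the regmap error path of wcd934x_codec_parse_data() and the devm action registered in wcd934x_codec_probe() is explained only in the commit message. A one-line comment above the helper, `/* Drop the reference of_slim_get_device() took on wcd->sidev in wcd934x_codec_parse_data() */`, would make the ownership hand-off readable in the code itself. Note also that devm_regmap_init_slimbus() attaches the regmap's devres to wcd->sidev rather than to the codec's own device, so its release follows the interface device's lifetime; presumably this is intended, but it is worth stating next to the call. Both enclosing functions start and end outside the hunk.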
diff --git a/queue-5.10/dm-fix-null-pointer-dereference-in-__dm_suspend.patch b/queue-5.10/dm-fix-null-pointer-dereference-in-__dm_suspend.patch
new file mode 100644 (file)
index 0000000..7124b90
--- /dev/null
@@ -0,0 +1,98 @@
+From stable+bounces-185568-greg=kroah.com@vger.kernel.org Tue Oct 14 05:03:44 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 23:03:34 -0400
+Subject: dm: fix NULL pointer dereference in __dm_suspend()
+To: stable@vger.kernel.org
+Cc: Zheng Qixing <zhengqixing@huawei.com>, Mikulas Patocka <mpatocka@redhat.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251014030334.3868139-1-sashal@kernel.org>
+
+From: Zheng Qixing <zhengqixing@huawei.com>
+
+[ Upstream commit 8d33a030c566e1f105cd5bf27f37940b6367f3be ]
+
+There is a race condition between dm device suspend and table load that
+can lead to null pointer dereference. The issue occurs when suspend is
+invoked before table load completes:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000054
+Oops: 0000 [#1] PREEMPT SMP PTI
+CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
+RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50
+Call Trace:
+  <TASK>
+  blk_mq_quiesce_queue+0x2c/0x50
+  dm_stop_queue+0xd/0x20
+  __dm_suspend+0x130/0x330
+  dm_suspend+0x11a/0x180
+  dev_suspend+0x27e/0x560
+  ctl_ioctl+0x4cf/0x850
+  dm_ctl_ioctl+0xd/0x20
+  vfs_ioctl+0x1d/0x50
+  __se_sys_ioctl+0x9b/0xc0
+  __x64_sys_ioctl+0x19/0x30
+  x64_sys_call+0x2c4a/0x4620
+  do_syscall_64+0x9e/0x1b0
+
+The issue can be triggered as below:
+
+T1                                             T2
+dm_suspend                                     table_load
+__dm_suspend                                   dm_setup_md_queue
+                                               dm_mq_init_request_queue
+                                               blk_mq_init_allocated_queue
+                                               => q->mq_ops = set->ops; (1)
+dm_stop_queue / dm_wait_for_completion
+=> q->tag_set NULL pointer!    (2)
+                                               => q->tag_set = set; (3)
+
+Fix this by checking if a valid table (map) exists before performing
+request-based suspend and waiting for target I/O. When map is NULL,
+skip these table-dependent suspend steps.
+
+Even when map is NULL, no I/O can reach any target because there is
+no table loaded; I/O submitted in this state will fail early in the
+DM layer. Skipping the table-dependent suspend logic in this case
+is safe and avoids NULL pointer dereferences.
+
+Fixes: c4576aed8d85 ("dm: fix request-based dm's use of dm_wait_for_completion")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+[ omitted DMF_QUEUE_STOPPED flag setting and braces absent in 5.15 ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2457,7 +2457,7 @@ static int __dm_suspend(struct mapped_de
+ {
+       bool do_lockfs = suspend_flags & DM_SUSPEND_LOCKFS_FLAG;
+       bool noflush = suspend_flags & DM_SUSPEND_NOFLUSH_FLAG;
+-      int r;
++      int r = 0;
+       lockdep_assert_held(&md->suspend_lock);
+@@ -2509,7 +2509,7 @@ static int __dm_suspend(struct mapped_de
+        * Stop md->queue before flushing md->wq in case request-based
+        * dm defers requests to md->wq from md->queue.
+        */
+-      if (dm_request_based(md))
++      if (map && dm_request_based(md))
+               dm_stop_queue(md->queue);
+       flush_workqueue(md->wq);
+@@ -2519,7 +2519,8 @@ static int __dm_suspend(struct mapped_de
+        * We call dm_wait_for_completion to wait for all existing requests
+        * to finish.
+        */
+-      r = dm_wait_for_completion(md, task_state);
++      if (map)
++              r = dm_wait_for_completion(md, task_state);
+       if (!r)
+               set_bit(dmf_suspended_flag, &md->flags);
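Review bot: With the new `if (map)` guard, a suspend that races table load leaves r at its new initial value of 0, so `set_bit(dmf_suspended_flag, &md->flags)` still runs and the device is marked suspended even though the table-dependent steps were skipped; the reason this is safe (no table means no I/O can reach a target) lives only in the commit message. A short comment above the guard, `/* No table loaded: nothing to stop or wait for, but still mark the device suspended */`, would keep that reasoning next to the code. The backport note says the DMF_QUEUE_STOPPED handling was omitted, so whether the 5.10 resume path stays balanced with the now-skipped dm_stop_queue() should be confirmed against __dm_resume(), which is outside the hunk. __dm_suspend() begins and ends outside the hunk.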
diff --git a/queue-5.10/fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch b/queue-5.10/fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch
new file mode 100644 (file)
index 0000000..2b81d86
--- /dev/null
@@ -0,0 +1,81 @@
+From stable+bounces-185514-greg=kroah.com@vger.kernel.org Mon Oct 13 22:45:32 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 16:41:24 -0400
+Subject: fs: udf: fix OOB read in lengthAllocDescs handling
+To: stable@vger.kernel.org
+Cc: Larshin Sergey <Sergey.Larshin@kaspersky.com>, syzbot+8743fca924afed42f93e@syzkaller.appspotmail.com, Jan Kara <jack@suse.cz>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251013204124.3599728-2-sashal@kernel.org>
+
+From: Larshin Sergey <Sergey.Larshin@kaspersky.com>
+
+[ Upstream commit 3bd5e45c2ce30e239d596becd5db720f7eb83c99 ]
+
+When parsing Allocation Extent Descriptor, lengthAllocDescs comes from
+on-disk data and must be validated against the block size. Crafted or
+corrupted images may set lengthAllocDescs so that the total descriptor
+length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,
+leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and
+trigger a KASAN use-after-free read.
+
+BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
+Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309
+
+CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
+ udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261
+ udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179
+ extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46
+ udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106
+ udf_release_file+0xc1/0x120 fs/udf/file.c:185
+ __fput+0x23f/0x880 fs/file_table.c:431
+ task_work_run+0x24f/0x310 kernel/task_work.c:239
+ exit_task_work include/linux/task_work.h:43 [inline]
+ do_exit+0xa2f/0x28e0 kernel/exit.c:939
+ do_group_exit+0x207/0x2c0 kernel/exit.c:1088
+ __do_sys_exit_group kernel/exit.c:1099 [inline]
+ __se_sys_exit_group kernel/exit.c:1097 [inline]
+ __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
+ x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+Validate the computed total length against epos->bh->b_size.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Reported-by: syzbot+8743fca924afed42f93e@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=8743fca924afed42f93e
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+
+Signed-off-by: Larshin Sergey <Sergey.Larshin@kaspersky.com>
+Link: https://patch.msgid.link/20250922131358.745579-1-Sergey.Larshin@kaspersky.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/udf/inode.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -2199,6 +2199,9 @@ int8_t udf_current_aext(struct inode *in
+               if (check_add_overflow(sizeof(struct allocExtDesc),
+                               le32_to_cpu(header->lengthAllocDescs), &alen))
+                       return -1;
++
++              if (alen > epos->bh->b_size)
++                      return -1;
+       }
+       switch (iinfo->i_alloc_type) {
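Review bot: The new bound `alen > epos->bh->b_size` carries no comment, so the next reader has to recover from the commit message why a check on the read side protects the later udf_update_tag()/crc_itu_t() write path. I'd add `/* lengthAllocDescs is untrusted on-disk data; the whole descriptor must fit in the block buffer */` above the check. The check dereferences epos->bh unconditionally, which is presumably fine because it sits in the branch that already read `header` from the buffer, but that branch's opening is outside the hunk and should be confirmed; udf_current_aext() starts and ends outside the hunk as well.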
diff --git a/queue-5.10/kvm-x86-don-t-re-check-l1-intercepts-when-completing-userspace-i-o.patch b/queue-5.10/kvm-x86-don-t-re-check-l1-intercepts-when-completing-userspace-i-o.patch
new file mode 100644 (file)
index 0000000..925c2c9
--- /dev/null
@@ -0,0 +1,145 @@
+From stable+bounces-185491-greg=kroah.com@vger.kernel.org Mon Oct 13 19:52:59 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 13:51:46 -0400
+Subject: KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O
+To: stable@vger.kernel.org
+Cc: Sean Christopherson <seanjc@google.com>, syzbot+cc2032ba16cc2018ca25@syzkaller.appspotmail.com, Jim Mattson <jmattson@google.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251013175146.3408710-1-sashal@kernel.org>
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit e750f85391286a4c8100275516973324b621a269 ]
+
+When completing emulation of instruction that generated a userspace exit
+for I/O, don't recheck L1 intercepts as KVM has already finished that
+phase of instruction execution, i.e. has already committed to allowing L2
+to perform I/O.  If L1 (or host userspace) modifies the I/O permission
+bitmaps during the exit to userspace,  KVM will treat the access as being
+intercepted despite already having emulated the I/O access.
+
+Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation.
+Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the
+intended "recipient") can reach the code in question.  gp_interception()'s
+use is mutually exclusive with is_guest_mode(), and
+complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with
+EMULTYPE_SKIP.
+
+The bad behavior was detected by a syzkaller program that toggles port I/O
+interception during the userspace I/O exit, ultimately resulting in a WARN
+on vcpu->arch.pio.count being non-zero due to KVM no completing emulation
+of the I/O instruction.
+
+  WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]
+  Modules linked in: kvm_intel kvm irqbypass
+  CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE
+  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+  RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]
+  PKRU: 55555554
+  Call Trace:
+   <TASK>
+   kvm_fast_pio+0xd6/0x1d0 [kvm]
+   vmx_handle_exit+0x149/0x610 [kvm_intel]
+   kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]
+   kvm_vcpu_ioctl+0x244/0x8c0 [kvm]
+   __x64_sys_ioctl+0x8a/0xd0
+   do_syscall_64+0x5d/0xc60
+   entry_SYSCALL_64_after_hwframe+0x4b/0x53
+   </TASK>
+
+Reported-by: syzbot+cc2032ba16cc2018ca25@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68790db4.a00a0220.3af5df.0020.GAE@google.com
+Fixes: 8a76d7f25f8f ("KVM: x86: Add x86 callback for intercept check")
+Cc: stable@vger.kernel.org
+Cc: Jim Mattson <jmattson@google.com>
+Link: https://lore.kernel.org/r/20250715190638.1899116-1-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+[ is_guest_mode() was open coded ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/emulate.c     |   11 ++++-------
+ arch/x86/kvm/kvm_emulate.h |    2 +-
+ arch/x86/kvm/x86.c         |    9 ++++++++-
+ 3 files changed, 13 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -5544,12 +5544,11 @@ void init_decode_cache(struct x86_emulat
+       ctxt->mem_read.end = 0;
+ }
+-int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
++int x86_emulate_insn(struct x86_emulate_ctxt *ctxt, bool check_intercepts)
+ {
+       const struct x86_emulate_ops *ops = ctxt->ops;
+       int rc = X86EMUL_CONTINUE;
+       int saved_dst_type = ctxt->dst.type;
+-      unsigned emul_flags;
+       ctxt->mem_read.pos = 0;
+@@ -5563,8 +5562,6 @@ int x86_emulate_insn(struct x86_emulate_
+               rc = emulate_ud(ctxt);
+               goto done;
+       }
+-
+-      emul_flags = ctxt->ops->get_hflags(ctxt);
+       if (unlikely(ctxt->d &
+                    (No64|Undefined|Sse|Mmx|Intercept|CheckPerm|Priv|Prot|String))) {
+               if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) ||
+@@ -5598,7 +5595,7 @@ int x86_emulate_insn(struct x86_emulate_
+                               fetch_possible_mmx_operand(&ctxt->dst);
+               }
+-              if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && ctxt->intercept) {
++              if (unlikely(check_intercepts) && ctxt->intercept) {
+                       rc = emulator_check_intercept(ctxt, ctxt->intercept,
+                                                     X86_ICPT_PRE_EXCEPT);
+                       if (rc != X86EMUL_CONTINUE)
+@@ -5627,7 +5624,7 @@ int x86_emulate_insn(struct x86_emulate_
+                               goto done;
+               }
+-              if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
++              if (unlikely(check_intercepts) && (ctxt->d & Intercept)) {
+                       rc = emulator_check_intercept(ctxt, ctxt->intercept,
+                                                     X86_ICPT_POST_EXCEPT);
+                       if (rc != X86EMUL_CONTINUE)
+@@ -5681,7 +5678,7 @@ int x86_emulate_insn(struct x86_emulate_
+ special_insn:
+-      if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
++      if (unlikely(check_intercepts) && (ctxt->d & Intercept)) {
+               rc = emulator_check_intercept(ctxt, ctxt->intercept,
+                                             X86_ICPT_POST_MEMACCESS);
+               if (rc != X86EMUL_CONTINUE)
+--- a/arch/x86/kvm/kvm_emulate.h
++++ b/arch/x86/kvm/kvm_emulate.h
+@@ -499,7 +499,7 @@ bool x86_page_table_writing_insn(struct
+ #define EMULATION_RESTART 1
+ #define EMULATION_INTERCEPTED 2
+ void init_decode_cache(struct x86_emulate_ctxt *ctxt);
+-int x86_emulate_insn(struct x86_emulate_ctxt *ctxt);
++int x86_emulate_insn(struct x86_emulate_ctxt *ctxt, bool check_intercepts);
+ int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
+                        u16 tss_selector, int idt_index, int reason,
+                        bool has_error_code, u32 error_code);
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -7668,7 +7668,14 @@ restart:
+               ctxt->exception.address = 0;
+       }
+-      r = x86_emulate_insn(ctxt);
++      /*
++       * Check L1's instruction intercepts when emulating instructions for
++       * L2, unless KVM is re-emulating a previously decoded instruction,
++       * e.g. to complete userspace I/O, in which case KVM has already
++       * checked the intercepts.
++       */
++      r = x86_emulate_insn(ctxt, is_guest_mode(vcpu) &&
++                                 !(emulation_type & EMULTYPE_NO_DECODE));
+       if (r == EMULATION_INTERCEPTED)
+               return 1;
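Review bot: The new `check_intercepts` parameter in the kvm_emulate.h prototype is undocumented; its meaning is explained only by the comment at the one call site in x86.c, so a caller added elsewhere would have no guidance. I'd add above the prototype: `/* check_intercepts: run L1's instruction intercept checks (L2 emulation only); pass false when re-emulating an already decoded insn */`. The backport note that is_guest_mode() was open-coded matches the removed `emul_flags & X86EMUL_GUEST_MASK` tests in emulate.c, but whether any other 5.10 caller of x86_emulate_insn() exists cannot be seen from the hunk and should be confirmed, since the signature change would otherwise fail to compile. x86_emulate_insn() begins inside the hunk but ends outside it.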
diff --git a/queue-5.10/media-mc-clear-minor-number-before-put-device.patch b/queue-5.10/media-mc-clear-minor-number-before-put-device.patch
new file mode 100644 (file)
index 0000000..a2d617a
--- /dev/null
@@ -0,0 +1,51 @@
+From stable+bounces-185529-greg=kroah.com@vger.kernel.org Tue Oct 14 00:40:20 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 18:36:18 -0400
+Subject: media: mc: Clear minor number before put device
+To: stable@vger.kernel.org
+Cc: Edward Adam Davis <eadavis@qq.com>, syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com, Sakari Ailus <sakari.ailus@linux.intel.com>, Hans Verkuil <hverkuil+cisco@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251013223618.3673050-1-sashal@kernel.org>
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit 8cfc8cec1b4da88a47c243a11f384baefd092a50 ]
+
+The device minor should not be cleared after the device is released.
+
+Fixes: 9e14868dc952 ("media: mc: Clear minor number reservation at unregistration time")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=031d0cfd7c362817963f
+Tested-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+[ moved clear_bit from media_devnode_release callback to media_devnode_unregister before put_device ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/mc/mc-devnode.c |    6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/media/mc/mc-devnode.c
++++ b/drivers/media/mc/mc-devnode.c
+@@ -50,11 +50,6 @@ static void media_devnode_release(struct
+ {
+       struct media_devnode *devnode = to_media_devnode(cd);
+-      mutex_lock(&media_devnode_lock);
+-      /* Mark device node number as free */
+-      clear_bit(devnode->minor, media_devnode_nums);
+-      mutex_unlock(&media_devnode_lock);
+-
+       /* Release media_devnode and perform other cleanups as needed. */
+       if (devnode->release)
+               devnode->release(devnode);
+@@ -283,6 +278,7 @@ void media_devnode_unregister(struct med
+       /* Delete the cdev on this minor as well */
+       cdev_device_del(&devnode->cdev, &devnode->dev);
+       devnode->media_dev = NULL;
++      clear_bit(devnode->minor, media_devnode_nums);
+       mutex_unlock(&media_devnode_lock);
+       put_device(&devnode->dev);
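Review bot: The clear_bit() moved into media_devnode_unregister() loses the `/* Mark device node number as free */` comment that accompanied it in media_devnode_release(); I'd carry that comment over to the new line so the minor-number bookkeeping stays visible where it now happens. Since media_devnode_release() no longer frees the minor, any path that drops the device reference without going through media_devnode_unregister() — the error path of media_devnode_register(), which is outside the hunk — must clear the bit itself; presumably 5.10 already does, but it should be confirmed for this backport. media_devnode_unregister() starts outside the hunk.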
diff --git a/queue-5.10/mfd-intel_soc_pmic_chtdc_ti-drop-unneeded-assignment-for-cache_type.patch b/queue-5.10/mfd-intel_soc_pmic_chtdc_ti-drop-unneeded-assignment-for-cache_type.patch
new file mode 100644 (file)
index 0000000..5bcfe67
--- /dev/null
@@ -0,0 +1,39 @@
+From stable+bounces-185552-greg=kroah.com@vger.kernel.org Tue Oct 14 01:57:02 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 19:56:22 -0400
+Subject: mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for cache_type
+To: stable@vger.kernel.org
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>, Hans de Goede <hdegoede@redhat.com>, Lee Jones <lee@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251013235623.3733198-2-sashal@kernel.org>
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 9eb99c08508714906db078b5efbe075329a3fb06 ]
+
+REGCACHE_NONE is the default type of the cache when not provided.
+Drop unneeded explicit assignment to it.
+
+Note, it's defined to 0, and if ever be redefined, it will break
+literally a lot of the drivers, so it very unlikely to happen.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20250129152823.1802273-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Stable-dep-of: 64e0d839c589 ("mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mfd/intel_soc_pmic_chtdc_ti.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/mfd/intel_soc_pmic_chtdc_ti.c
++++ b/drivers/mfd/intel_soc_pmic_chtdc_ti.c
+@@ -82,7 +82,6 @@ static const struct regmap_config chtdc_
+       .reg_bits = 8,
+       .val_bits = 8,
+       .max_register = 0xff,
+-      .cache_type = REGCACHE_NONE,
+ };
+ static const struct regmap_irq chtdc_ti_irqs[] = {
diff --git a/queue-5.10/mfd-intel_soc_pmic_chtdc_ti-fix-invalid-regmap-config-max_register-value.patch b/queue-5.10/mfd-intel_soc_pmic_chtdc_ti-fix-invalid-regmap-config-max_register-value.patch
new file mode 100644 (file)
index 0000000..4e8723f
--- /dev/null
@@ -0,0 +1,40 @@
+From stable+bounces-185551-greg=kroah.com@vger.kernel.org Tue Oct 14 01:56:59 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 19:56:21 -0400
+Subject: mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register value
+To: stable@vger.kernel.org
+Cc: Hans de Goede <hdegoede@redhat.com>, Andy Shevchenko <andy@kernel.org>, Lee Jones <lee@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251013235623.3733198-1-sashal@kernel.org>
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 70e997e0107e5ed85c1a3ef2adfccbe351c29d71 ]
+
+The max_register = 128 setting in the regmap config is not valid.
+
+The Intel Dollar Cove TI PMIC has an eeprom unlock register at address 0x88
+and a number of EEPROM registers at 0xF?. Increase max_register to 0xff so
+that these registers can be accessed.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andy@kernel.org>
+Link: https://lore.kernel.org/r/20241208150028.325349-1-hdegoede@redhat.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Stable-dep-of: 64e0d839c589 ("mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mfd/intel_soc_pmic_chtdc_ti.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mfd/intel_soc_pmic_chtdc_ti.c
++++ b/drivers/mfd/intel_soc_pmic_chtdc_ti.c
+@@ -81,7 +81,7 @@ static struct mfd_cell chtdc_ti_dev[] =
+ static const struct regmap_config chtdc_ti_regmap_config = {
+       .reg_bits = 8,
+       .val_bits = 8,
+-      .max_register = 128,
++      .max_register = 0xff,
+       .cache_type = REGCACHE_NONE,
+ };
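Review bot: Widening `max_register` to 0xff at L711 makes the EEPROM unlock register at 0x88 and the 0xF? EEPROM registers named in the commit message reachable through every regmap consumer, including the debugfs register dump, and the config visible at L707–L713 defines no `readable_reg`/`writeable_reg`/`precious_reg` callbacks to fence any of them. Whether that exposure matters depends on who can open the PMIC's debugfs entries and on CONFIG_REGMAP_ALLOW_WRITE_DEBUGFS, neither of which this hunk shows, so I would at least record the intent next to the value: `/* 0x88 is the EEPROM unlock register, 0xF0-0xFF hold EEPROM registers; no access callbacks restrict them */`. Nothing else in the file is touched by this hunk.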
diff --git a/queue-5.10/mfd-intel_soc_pmic_chtdc_ti-set-use_single_read-regmap_config-flag.patch b/queue-5.10/mfd-intel_soc_pmic_chtdc_ti-set-use_single_read-regmap_config-flag.patch
new file mode 100644 (file)
index 0000000..5c3335b
--- /dev/null
@@ -0,0 +1,43 @@
+From stable+bounces-185553-greg=kroah.com@vger.kernel.org Tue Oct 14 01:57:05 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 19:56:23 -0400
+Subject: mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag
+To: stable@vger.kernel.org
+Cc: Hans de Goede <hansg@kernel.org>, Andy Shevchenko <andy@kernel.org>, Lee Jones <lee@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251013235623.3733198-3-sashal@kernel.org>
+
+From: Hans de Goede <hansg@kernel.org>
+
+[ Upstream commit 64e0d839c589f4f2ecd2e3e5bdb5cee6ba6bade9 ]
+
+Testing has shown that reading multiple registers at once (for 10-bit
+ADC values) does not work. Set the use_single_read regmap_config flag
+to make regmap split these for us.
+
+This should fix temperature opregion accesses done by
+drivers/acpi/pmic/intel_pmic_chtdc_ti.c and is also necessary for
+the upcoming drivers for the ADC and battery MFD cells.
+
+Fixes: 6bac0606fdba ("mfd: Add support for Cherry Trail Dollar Cove TI PMIC")
+Cc: stable@vger.kernel.org
+Reviewed-by: Andy Shevchenko <andy@kernel.org>
+Signed-off-by: Hans de Goede <hansg@kernel.org>
+Link: https://lore.kernel.org/r/20250804133240.312383-1-hansg@kernel.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mfd/intel_soc_pmic_chtdc_ti.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mfd/intel_soc_pmic_chtdc_ti.c
++++ b/drivers/mfd/intel_soc_pmic_chtdc_ti.c
+@@ -82,6 +82,8 @@ static const struct regmap_config chtdc_
+       .reg_bits = 8,
+       .val_bits = 8,
+       .max_register = 0xff,
++      /* The hardware does not support reading multiple registers at once */
++      .use_single_read = true,
+ };
+ static const struct regmap_irq chtdc_ti_irqs[] = {
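Review bot: The new comment at L757 documents only that multi-register reads fail, but the commit says nothing about multi-register writes, and regmap has the matching `use_single_write` flag for that case; if bulk writes are equally unsupported on this PMIC it should be set alongside `use_single_read`, and if they are known to work the comment should say so, e.g. `/* The hardware does not support reading multiple registers at once; bulk writes have not been observed to fail. */`. The `Fixes:` tag points at the original driver addition, so every stable branch carrying the driver needs this flag, and the two preceding patches in this queue (max_register and cache_type) exist only so that this one-line change applies cleanly.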
diff --git a/queue-5.10/net-9p-fix-double-req-put-in-p9_fd_cancelled.patch b/queue-5.10/net-9p-fix-double-req-put-in-p9_fd_cancelled.patch
new file mode 100644 (file)
index 0000000..5eed640
--- /dev/null
@@ -0,0 +1,126 @@
+From stable+bounces-184695-greg=kroah.com@vger.kernel.org Mon Oct 13 17:35:28 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 11:09:32 -0400
+Subject: net/9p: fix double req put in p9_fd_cancelled
+To: stable@vger.kernel.org
+Cc: Nalivayko Sergey <Sergey.Nalivayko@kaspersky.com>, Dominique Martinet <asmadeus@codewreck.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251013150932.3383360-1-sashal@kernel.org>
+
+From: Nalivayko Sergey <Sergey.Nalivayko@kaspersky.com>
+
+[ Upstream commit 674b56aa57f9379854cb6798c3bbcef7e7b51ab7 ]
+
+Syzkaller reports a KASAN issue as below:
+
+general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI
+KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]
+CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+RIP: 0010:__list_del include/linux/list.h:114 [inline]
+RIP: 0010:__list_del_entry include/linux/list.h:137 [inline]
+RIP: 0010:list_del include/linux/list.h:148 [inline]
+RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734
+
+Call Trace:
+ <TASK>
+ p9_client_flush+0x351/0x440 net/9p/client.c:614
+ p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734
+ p9_client_version net/9p/client.c:920 [inline]
+ p9_client_create+0xb51/0x1240 net/9p/client.c:1027
+ v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408
+ v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126
+ legacy_get_tree+0x108/0x220 fs/fs_context.c:632
+ vfs_get_tree+0x8e/0x300 fs/super.c:1573
+ do_new_mount fs/namespace.c:3056 [inline]
+ path_mount+0x6a6/0x1e90 fs/namespace.c:3386
+ do_mount fs/namespace.c:3399 [inline]
+ __do_sys_mount fs/namespace.c:3607 [inline]
+ __se_sys_mount fs/namespace.c:3584 [inline]
+ __x64_sys_mount+0x283/0x300 fs/namespace.c:3584
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+This happens because of a race condition between:
+
+- The 9p client sending an invalid flush request and later cleaning it up;
+- The 9p client in p9_read_work() canceled all pending requests.
+
+      Thread 1                              Thread 2
+    ...
+    p9_client_create()
+    ...
+    p9_fd_create()
+    ...
+    p9_conn_create()
+    ...
+    // start Thread 2
+    INIT_WORK(&m->rq, p9_read_work);
+                                        p9_read_work()
+    ...
+    p9_client_rpc()
+    ...
+                                        ...
+                                        p9_conn_cancel()
+                                        ...
+                                        spin_lock(&m->req_lock);
+    ...
+    p9_fd_cancelled()
+    ...
+                                        ...
+                                        spin_unlock(&m->req_lock);
+                                        // status rewrite
+                                        p9_client_cb(m->client, req, REQ_STATUS_ERROR)
+                                        // first remove
+                                        list_del(&req->req_list);
+                                        ...
+
+    spin_lock(&m->req_lock)
+    ...
+    // second remove
+    list_del(&req->req_list);
+    spin_unlock(&m->req_lock)
+  ...
+
+Commit 74d6a5d56629 ("9p/trans_fd: Fix concurrency del of req_list in
+p9_fd_cancelled/p9_read_work") fixes a concurrency issue in the 9p filesystem
+client where the req_list could be deleted simultaneously by both
+p9_read_work and p9_fd_cancelled functions, but for the case where req->status
+equals REQ_STATUS_RCVD.
+
+Update the check for req->status in p9_fd_cancelled to skip processing not
+just received requests, but anything that is not SENT, as whatever
+changed the state from SENT also removed the request from its list.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: afd8d6541155 ("9P: Add cancelled() to the transport functions.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nalivayko Sergey <Sergey.Nalivayko@kaspersky.com>
+Message-ID: <20250715154815.3501030-1-Sergey.Nalivayko@kaspersky.com>
+[updated the check from status == RECV || status == ERROR to status != SENT]
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+[ replaced m->req_lock with client->lock ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/9p/trans_fd.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -711,10 +711,10 @@ static int p9_fd_cancelled(struct p9_cli
+       p9_debug(P9_DEBUG_TRANS, "client %p req %p\n", client, req);
+       spin_lock(&client->lock);
+-      /* Ignore cancelled request if message has been received
+-       * before lock.
+-       */
+-      if (req->status == REQ_STATUS_RCVD) {
++      /* Ignore cancelled request if status changed since the request was
++       * processed in p9_client_flush()
++      */
++      if (req->status != REQ_STATUS_SENT) {
+               spin_unlock(&client->lock);
+               return 0;
+       }
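Review bot: The closing `*/` of the rewritten comment at L886 sits one column left of the ` *` continuation line above it, unlike the original ` */` it replaces at L882; it should be ` */` per kernel comment style. The new `req->status != REQ_STATUS_SENT` test depends on the invariant stated in the commit message — that whatever moves a request away from SENT also unlinks it under the same lock — and since this backport swapped `m->req_lock` for `client->lock`, it is worth confirming that p9_read_work() and p9_conn_cancel() in 5.10 both change status and unlink under client->lock, which cannot be checked from this hunk. Stating the invariant in the comment would make the check self-explanatory: `/* Any status change away from SENT also unlinked req under client->lock, so only a SENT request is still ours to remove. */`. The rest of p9_fd_cancelled(), including the list_del and the req put the title refers to, is outside the hunk.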
index fd7e7fd5e61e9de48de6024c25d8a377efb0b7f4..6baeadbb8092cddad858aef69a421cb6b30ff07f 100644 (file)
@@ -171,3 +171,18 @@ ext4-increase-i_disksize-to-offset-len-in-ext4_update_disksize_before_punch.patc
 ext4-correctly-handle-queries-for-metadata-mappings.patch
 ext4-guard-against-ea-inode-refcount-underflow-in-xattr-update.patch
 lib-crypto-curve25519-hacl64-disable-kasan-with-clang-17-and-older.patch
+arm64-dts-qcom-sdm845-fix-slimbam-num-channels-ees.patch
+tracing-fix-race-condition-in-kprobe-initialization-causing-null-pointer-dereference.patch
+dm-fix-null-pointer-dereference-in-__dm_suspend.patch
+mfd-intel_soc_pmic_chtdc_ti-fix-invalid-regmap-config-max_register-value.patch
+mfd-intel_soc_pmic_chtdc_ti-drop-unneeded-assignment-for-cache_type.patch
+mfd-intel_soc_pmic_chtdc_ti-set-use_single_read-regmap_config-flag.patch
+media-mc-clear-minor-number-before-put-device.patch
+squashfs-add-additional-inode-sanity-checking.patch
+squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch
+udf-fix-uninit-value-use-in-udf_get_fileshortad.patch
+fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch
+asoc-codecs-wcd934x-simplify-with-dev_err_probe.patch
+asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch
+kvm-x86-don-t-re-check-l1-intercepts-when-completing-userspace-i-o.patch
+net-9p-fix-double-req-put-in-p9_fd_cancelled.patch
diff --git a/queue-5.10/squashfs-add-additional-inode-sanity-checking.patch b/queue-5.10/squashfs-add-additional-inode-sanity-checking.patch
new file mode 100644 (file)
index 0000000..1f9a5f0
--- /dev/null
@@ -0,0 +1,90 @@
+From stable+bounces-185523-greg=kroah.com@vger.kernel.org Tue Oct 14 00:05:43 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 17:57:00 -0400
+Subject: Squashfs: add additional inode sanity checking
+To: stable@vger.kernel.org
+Cc: Phillip Lougher <phillip@squashfs.org.uk>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251013215701.3645486-1-sashal@kernel.org>
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+[ Upstream commit 9ee94bfbe930a1b39df53fa2d7b31141b780eb5a ]
+
+Patch series "Squashfs: performance improvement and a sanity check".
+
+This patchset adds an additional sanity check when reading regular file
+inodes, and adds support for SEEK_DATA/SEEK_HOLE lseek() whence values.
+
+This patch (of 2):
+
+Add an additional sanity check when reading regular file inodes.
+
+A regular file if the file size is an exact multiple of the filesystem
+block size cannot have a fragment.  This is because by definition a
+fragment block stores tailends which are not a whole block in size.
+
+Link: https://lkml.kernel.org/r/20250923220652.568416-1-phillip@squashfs.org.uk
+Link: https://lkml.kernel.org/r/20250923220652.568416-2-phillip@squashfs.org.uk
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 9f1c14c1de1b ("Squashfs: reject negative file sizes in squashfs_read_inode()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/squashfs/inode.c |   20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/fs/squashfs/inode.c
++++ b/fs/squashfs/inode.c
+@@ -140,8 +140,17 @@ int squashfs_read_inode(struct inode *in
+               if (err < 0)
+                       goto failed_read;
++              inode->i_size = le32_to_cpu(sqsh_ino->file_size);
+               frag = le32_to_cpu(sqsh_ino->fragment);
+               if (frag != SQUASHFS_INVALID_FRAG) {
++                      /*
++                       * the file cannot have a fragment (tailend) and have a
++                       * file size a multiple of the block size
++                       */
++                      if ((inode->i_size & (msblk->block_size - 1)) == 0) {
++                              err = -EINVAL;
++                              goto failed_read;
++                      }
+                       frag_offset = le32_to_cpu(sqsh_ino->offset);
+                       frag_size = squashfs_frag_lookup(sb, frag, &frag_blk);
+                       if (frag_size < 0) {
+@@ -155,7 +164,6 @@ int squashfs_read_inode(struct inode *in
+               }
+               set_nlink(inode, 1);
+-              inode->i_size = le32_to_cpu(sqsh_ino->file_size);
+               inode->i_fop = &generic_ro_fops;
+               inode->i_mode |= S_IFREG;
+               inode->i_blocks = ((inode->i_size - 1) >> 9) + 1;
+@@ -184,8 +192,17 @@ int squashfs_read_inode(struct inode *in
+               if (err < 0)
+                       goto failed_read;
++              inode->i_size = le64_to_cpu(sqsh_ino->file_size);
+               frag = le32_to_cpu(sqsh_ino->fragment);
+               if (frag != SQUASHFS_INVALID_FRAG) {
++                      /*
++                       * the file cannot have a fragment (tailend) and have a
++                       * file size a multiple of the block size
++                       */
++                      if ((inode->i_size & (msblk->block_size - 1)) == 0) {
++                              err = -EINVAL;
++                              goto failed_read;
++                      }
+                       frag_offset = le32_to_cpu(sqsh_ino->offset);
+                       frag_size = squashfs_frag_lookup(sb, frag, &frag_blk);
+                       if (frag_size < 0) {
+@@ -200,7 +217,6 @@ int squashfs_read_inode(struct inode *in
+               xattr_id = le32_to_cpu(sqsh_ino->xattr);
+               set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+-              inode->i_size = le64_to_cpu(sqsh_ino->file_size);
+               inode->i_op = &squashfs_inode_ops;
+               inode->i_fop = &generic_ro_fops;
+               inode->i_mode |= S_IFREG;
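Review bot: The mask test `(inode->i_size & (msblk->block_size - 1)) == 0` at L964 and L988 is only an exact multiple test if block_size is a power of two; squashfs appears to validate that against block_log at mount time, but nothing here says so, and the comment would be stronger as `/* block_size is a power of two (validated at mount), so the mask is an exact multiple test; a file whose size is a whole number of blocks has no tailend */` with the mount-time claim marked to be confirmed. The same nine-line check is now duplicated verbatim in the reg and lreg branches; a small static helper taking `msblk` and the size would keep the two in step. Note also that a zero-length file carrying a fragment is now rejected, which follows from the stated rule but is stricter than before. Both branches of squashfs_read_inode() extend beyond the hunk.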
diff --git a/queue-5.10/squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch b/queue-5.10/squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch
new file mode 100644 (file)
index 0000000..f70be17
--- /dev/null
@@ -0,0 +1,48 @@
+From stable+bounces-185522-greg=kroah.com@vger.kernel.org Tue Oct 14 00:05:44 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 17:57:01 -0400
+Subject: Squashfs: reject negative file sizes in squashfs_read_inode()
+To: stable@vger.kernel.org
+Cc: Phillip Lougher <phillip@squashfs.org.uk>, syzbot+f754e01116421e9754b9@syzkaller.appspotmail.com, Amir Goldstein <amir73il@gmail.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251013215701.3645486-2-sashal@kernel.org>
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+[ Upstream commit 9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b ]
+
+Syskaller reports a "WARNING in ovl_copy_up_file" in overlayfs.
+
+This warning is ultimately caused because the underlying Squashfs file
+system returns a file with a negative file size.
+
+This commit checks for a negative file size and returns EINVAL.
+
+[phillip@squashfs.org.uk: only need to check 64 bit quantity]
+  Link: https://lkml.kernel.org/r/20250926222305.110103-1-phillip@squashfs.org.uk
+Link: https://lkml.kernel.org/r/20250926215935.107233-1-phillip@squashfs.org.uk
+Fixes: 6545b246a2c8 ("Squashfs: inode operations")
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Reported-by: syzbot+f754e01116421e9754b9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68d580e5.a00a0220.303701.0019.GAE@google.com/
+Cc: Amir Goldstein <amir73il@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/squashfs/inode.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/squashfs/inode.c
++++ b/fs/squashfs/inode.c
+@@ -193,6 +193,10 @@ int squashfs_read_inode(struct inode *in
+                       goto failed_read;
+               inode->i_size = le64_to_cpu(sqsh_ino->file_size);
++              if (inode->i_size < 0) {
++                      err = -EINVAL;
++                      goto failed_read;
++              }
+               frag = le32_to_cpu(sqsh_ino->fragment);
+               if (frag != SQUASHFS_INVALID_FRAG) {
+                       /*
diff --git a/queue-5.10/tracing-fix-race-condition-in-kprobe-initialization-causing-null-pointer-dereference.patch b/queue-5.10/tracing-fix-race-condition-in-kprobe-initialization-causing-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..8b8c687
--- /dev/null
@@ -0,0 +1,235 @@
+From stable+bounces-185652-greg=kroah.com@vger.kernel.org Tue Oct 14 14:47:42 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 08:46:22 -0400
+Subject: tracing: Fix race condition in kprobe initialization causing NULL pointer dereference
+To: stable@vger.kernel.org
+Cc: Yuan Chen <chenyuan@kylinos.cn>, "Masami Hiramatsu (Google)" <mhiramat@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251014124622.3222-1-sashal@kernel.org>
+
+From: Yuan Chen <chenyuan@kylinos.cn>
+
+[ Upstream commit 9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f ]
+
+There is a critical race condition in kprobe initialization that can lead to
+NULL pointer dereference and kernel crash.
+
+[1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000
+...
+[1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO)
+[1135630.269239] pc : kprobe_perf_func+0x30/0x260
+[1135630.277643] lr : kprobe_dispatcher+0x44/0x60
+[1135630.286041] sp : ffffaeff4977fa40
+[1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400
+[1135630.302837] x27: 0000000000000000 x26: 0000000000000000
+[1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528
+[1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50
+[1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50
+[1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000
+[1135630.349985] x17: 0000000000000000 x16: 0000000000000000
+[1135630.359285] x15: 0000000000000000 x14: 0000000000000000
+[1135630.368445] x13: 0000000000000000 x12: 0000000000000000
+[1135630.377473] x11: 0000000000000000 x10: 0000000000000000
+[1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000
+[1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000
+[1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000
+[1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006
+[1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000
+[1135630.429410] Call trace:
+[1135630.434828]  kprobe_perf_func+0x30/0x260
+[1135630.441661]  kprobe_dispatcher+0x44/0x60
+[1135630.448396]  aggr_pre_handler+0x70/0xc8
+[1135630.454959]  kprobe_breakpoint_handler+0x140/0x1e0
+[1135630.462435]  brk_handler+0xbc/0xd8
+[1135630.468437]  do_debug_exception+0x84/0x138
+[1135630.475074]  el1_dbg+0x18/0x8c
+[1135630.480582]  security_file_permission+0x0/0xd0
+[1135630.487426]  vfs_write+0x70/0x1c0
+[1135630.493059]  ksys_write+0x5c/0xc8
+[1135630.498638]  __arm64_sys_write+0x24/0x30
+[1135630.504821]  el0_svc_common+0x78/0x130
+[1135630.510838]  el0_svc_handler+0x38/0x78
+[1135630.516834]  el0_svc+0x8/0x1b0
+
+kernel/trace/trace_kprobe.c: 1308
+0xffff3df8995039ec <kprobe_perf_func+0x2c>:     ldr     x21, [x24,#120]
+include/linux/compiler.h: 294
+0xffff3df8995039f0 <kprobe_perf_func+0x30>:     ldr     x1, [x21,x0]
+
+kernel/trace/trace_kprobe.c
+1308: head = this_cpu_ptr(call->perf_events);
+1309: if (hlist_empty(head))
+1310:  return 0;
+
+crash> struct trace_event_call -o
+struct trace_event_call {
+  ...
+  [120] struct hlist_head *perf_events;  //(call->perf_event)
+  ...
+}
+
+crash> struct trace_event_call ffffaf015340e528
+struct trace_event_call {
+  ...
+  perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0
+  ...
+}
+
+Race Condition Analysis:
+
+The race occurs between kprobe activation and perf_events initialization:
+
+  CPU0                                    CPU1
+  ====                                    ====
+  perf_kprobe_init
+    perf_trace_event_init
+      tp_event->perf_events = list;(1)
+      tp_event->class->reg (2)← KPROBE ACTIVE
+                                          Debug exception triggers
+                                          ...
+                                          kprobe_dispatcher
+                                            kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE)
+                                              head = this_cpu_ptr(call->perf_events)(3)
+                                              (perf_events is still NULL)
+
+Problem:
+1. CPU0 executes (1) assigning tp_event->perf_events = list
+2. CPU0 executes (2) enabling kprobe functionality via class->reg()
+3. CPU1 triggers and reaches kprobe_dispatcher
+4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed)
+5. CPU1 calls kprobe_perf_func() and crashes at (3) because
+   call->perf_events is still NULL
+
+CPU1 sees that kprobe functionality is enabled but does not see that
+perf_events has been assigned.
+
+Add pairing read and write memory barriers to guarantee that if CPU1
+sees that kprobe functionality is enabled, it must also see that
+perf_events has been assigned.
+
+Link: https://lore.kernel.org/all/20251001022025.44626-1-chenyuan_fl@163.com/
+
+Fixes: 50d780560785 ("tracing/kprobes: Add probe handler dispatcher to support perf and ftrace concurrent use")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yuan Chen <chenyuan@kylinos.cn>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+[ Dropped ftrace changes + context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_kprobe.c |   11 +++++++----
+ kernel/trace/trace_probe.h  |    9 +++++++--
+ kernel/trace/trace_uprobe.c |   12 ++++++++----
+ 3 files changed, 22 insertions(+), 10 deletions(-)
+
+--- a/kernel/trace/trace_kprobe.c
++++ b/kernel/trace/trace_kprobe.c
+@@ -1782,14 +1782,15 @@ static int kprobe_register(struct trace_
+ static int kprobe_dispatcher(struct kprobe *kp, struct pt_regs *regs)
+ {
+       struct trace_kprobe *tk = container_of(kp, struct trace_kprobe, rp.kp);
++      unsigned int flags = trace_probe_load_flag(&tk->tp);
+       int ret = 0;
+       raw_cpu_inc(*tk->nhit);
+-      if (trace_probe_test_flag(&tk->tp, TP_FLAG_TRACE))
++      if (flags & TP_FLAG_TRACE)
+               kprobe_trace_func(tk, regs);
+ #ifdef CONFIG_PERF_EVENTS
+-      if (trace_probe_test_flag(&tk->tp, TP_FLAG_PROFILE))
++      if (flags & TP_FLAG_PROFILE)
+               ret = kprobe_perf_func(tk, regs);
+ #endif
+       return ret;
+@@ -1800,13 +1801,15 @@ static int
+ kretprobe_dispatcher(struct kretprobe_instance *ri, struct pt_regs *regs)
+ {
+       struct trace_kprobe *tk = container_of(ri->rp, struct trace_kprobe, rp);
++      unsigned int flags;
+       raw_cpu_inc(*tk->nhit);
+-      if (trace_probe_test_flag(&tk->tp, TP_FLAG_TRACE))
++      flags = trace_probe_load_flag(&tk->tp);
++      if (flags & TP_FLAG_TRACE)
+               kretprobe_trace_func(tk, ri, regs);
+ #ifdef CONFIG_PERF_EVENTS
+-      if (trace_probe_test_flag(&tk->tp, TP_FLAG_PROFILE))
++      if (flags & TP_FLAG_PROFILE)
+               kretprobe_perf_func(tk, ri, regs);
+ #endif
+       return 0;       /* We don't tweek kernel, so just return 0 */
+--- a/kernel/trace/trace_probe.h
++++ b/kernel/trace/trace_probe.h
+@@ -251,16 +251,21 @@ struct event_file_link {
+       struct list_head                list;
+ };
++static inline unsigned int trace_probe_load_flag(struct trace_probe *tp)
++{
++      return smp_load_acquire(&tp->event->flags);
++}
++
+ static inline bool trace_probe_test_flag(struct trace_probe *tp,
+                                        unsigned int flag)
+ {
+-      return !!(tp->event->flags & flag);
++      return !!(trace_probe_load_flag(tp) & flag);
+ }
+ static inline void trace_probe_set_flag(struct trace_probe *tp,
+                                       unsigned int flag)
+ {
+-      tp->event->flags |= flag;
++      smp_store_release(&tp->event->flags, tp->event->flags | flag);
+ }
+ static inline void trace_probe_clear_flag(struct trace_probe *tp,
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -1484,6 +1484,7 @@ static int uprobe_dispatcher(struct upro
+       struct uprobe_dispatch_data udd;
+       struct uprobe_cpu_buffer *ucb;
+       int dsize, esize;
++      unsigned int flags;
+       int ret = 0;
+@@ -1504,11 +1505,12 @@ static int uprobe_dispatcher(struct upro
+       ucb = uprobe_buffer_get();
+       store_trace_args(ucb->buf, &tu->tp, regs, esize, dsize);
+-      if (trace_probe_test_flag(&tu->tp, TP_FLAG_TRACE))
++      flags = trace_probe_load_flag(&tu->tp);
++      if (flags & TP_FLAG_TRACE)
+               ret |= uprobe_trace_func(tu, regs, ucb, dsize);
+ #ifdef CONFIG_PERF_EVENTS
+-      if (trace_probe_test_flag(&tu->tp, TP_FLAG_PROFILE))
++      if (flags & TP_FLAG_PROFILE)
+               ret |= uprobe_perf_func(tu, regs, ucb, dsize);
+ #endif
+       uprobe_buffer_put(ucb);
+@@ -1522,6 +1524,7 @@ static int uretprobe_dispatcher(struct u
+       struct uprobe_dispatch_data udd;
+       struct uprobe_cpu_buffer *ucb;
+       int dsize, esize;
++      unsigned int flags;
+       tu = container_of(con, struct trace_uprobe, consumer);
+@@ -1539,11 +1542,12 @@ static int uretprobe_dispatcher(struct u
+       ucb = uprobe_buffer_get();
+       store_trace_args(ucb->buf, &tu->tp, regs, esize, dsize);
+-      if (trace_probe_test_flag(&tu->tp, TP_FLAG_TRACE))
++      flags = trace_probe_load_flag(&tu->tp);
++      if (flags & TP_FLAG_TRACE)
+               uretprobe_trace_func(tu, func, regs, ucb, dsize);
+ #ifdef CONFIG_PERF_EVENTS
+-      if (trace_probe_test_flag(&tu->tp, TP_FLAG_PROFILE))
++      if (flags & TP_FLAG_PROFILE)
+               uretprobe_perf_func(tu, func, regs, ucb, dsize);
+ #endif
+       uprobe_buffer_put(ucb);
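Review bot: `trace_probe_set_flag()` at L1236 now does a plain read-modify-write (`tp->event->flags | flag`) followed by smp_store_release(), which is only sound if setters and clearers are serialized, and `trace_probe_clear_flag()` (head visible at L1238, body outside the hunk) is left as an ordinary store; the pairing and the locking assumption should be written down on the helpers, e.g. `/* Pairs with the acquire in trace_probe_load_flag(): anything published before the flag (such as tp_event->perf_events) is visible to a dispatcher that observes it. Callers hold the mutex that already serializes enable/disable (presumably event_mutex), so the read-modify-write is not racy. */`. The dispatchers now judge both TP_FLAG_TRACE and TP_FLAG_PROFILE from one snapshot, so a probe enabled between the two tests is simply skipped for that hit; a one-liner such as `/* single acquire-load: both flags judged from one snapshot */` above the `flags = trace_probe_load_flag()` lines would keep that intentional. The "[ Dropped ftrace changes + context ]" note means the upstream fprobe side of this fix is not in 5.10, which this hunk cannot show.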
diff --git a/queue-5.10/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch b/queue-5.10/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch
new file mode 100644 (file)
index 0000000..242abf7
--- /dev/null
@@ -0,0 +1,54 @@
+From stable+bounces-185513-greg=kroah.com@vger.kernel.org Mon Oct 13 22:45:50 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 16:41:23 -0400
+Subject: udf: fix uninit-value use in udf_get_fileshortad
+To: stable@vger.kernel.org
+Cc: Gianfranco Trad <gianf.trad@gmail.com>, syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com, Jan Kara <jack@suse.com>, Jan Kara <jack@suse.cz>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251013204124.3599728-1-sashal@kernel.org>
+
+From: Gianfranco Trad <gianf.trad@gmail.com>
+
+[ Upstream commit 264db9d666ad9a35075cc9ed9ec09d021580fbb1 ]
+
+Check for overflow when computing alen in udf_current_aext to mitigate
+later uninit-value use in udf_get_fileshortad KMSAN bug[1].
+After applying the patch reproducer did not trigger any issue[2].
+
+[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
+[2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000
+
+Reported-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
+Tested-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
+Suggested-by: Jan Kara <jack@suse.com>
+Signed-off-by: Gianfranco Trad <gianf.trad@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20240925074613.8475-3-gianf.trad@gmail.com
+Stable-dep-of: 3bd5e45c2ce3 ("fs: udf: fix OOB read in lengthAllocDescs handling")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/udf/inode.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -2190,12 +2190,15 @@ int8_t udf_current_aext(struct inode *in
+               alen = udf_file_entry_alloc_offset(inode) +
+                                                       iinfo->i_lenAlloc;
+       } else {
++              struct allocExtDesc *header =
++                      (struct allocExtDesc *)epos->bh->b_data;
++
+               if (!epos->offset)
+                       epos->offset = sizeof(struct allocExtDesc);
+               ptr = epos->bh->b_data + epos->offset;
+-              alen = sizeof(struct allocExtDesc) +
+-                      le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)->
+-                                                      lengthAllocDescs);
++              if (check_add_overflow(sizeof(struct allocExtDesc),
++                              le32_to_cpu(header->lengthAllocDescs), &alen))
++                      return -1;
+       }
+       switch (iinfo->i_alloc_type) {