--- /dev/null
+From 54f9d645a5453d0bfece0c465d34aaf072ea99fa Mon Sep 17 00:00:00 2001
+From: Jun Seo <jun.seo.93@proton.me>
+Date: Thu, 26 Feb 2026 10:08:20 +0900
+Subject: ALSA: usb-audio: Use correct version for UAC3 header validation
+
+From: Jun Seo <jun.seo.93@proton.me>
+
+commit 54f9d645a5453d0bfece0c465d34aaf072ea99fa upstream.
+
+The entry of the validators table for UAC3 AC header descriptor is
+defined with the wrong protocol version UAC_VERSION_2, while it should
+have been UAC_VERSION_3. This results in the validator never matching
+for actual UAC3 devices (protocol == UAC_VERSION_3), causing their
+header descriptors to bypass validation entirely. A malicious USB
+device presenting a truncated UAC3 header could exploit this to cause
+out-of-bounds reads when the driver later accesses unvalidated
+descriptor fields.
+
+The bug was introduced in the same commit as the recently fixed UAC3
+feature unit sub-type typo, and appears to be from the same copy-paste
+error when the UAC3 section was created from the UAC2 section.
+
+Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jun Seo <jun.seo.93@proton.me>
+Link: https://patch.msgid.link/20260226010820.36529-1-jun.seo.93@proton.me
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/validate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/validate.c
++++ b/sound/usb/validate.c
+@@ -281,7 +281,7 @@ static const struct usb_desc_validator a
+ /* UAC_VERSION_2, UAC2_SAMPLE_RATE_CONVERTER: not implemented yet */
+
+ /* UAC3 */
+- FIXED(UAC_VERSION_2, UAC_HEADER, struct uac3_ac_header_descriptor),
++ FIXED(UAC_VERSION_3, UAC_HEADER, struct uac3_ac_header_descriptor),
+ FIXED(UAC_VERSION_3, UAC_INPUT_TERMINAL,
+ struct uac3_input_terminal_descriptor),
+ FIXED(UAC_VERSION_3, UAC_OUTPUT_TERMINAL,
--- /dev/null
+From ab140365fb62c0bdab22b2f516aff563b2559e3b Mon Sep 17 00:00:00 2001
+From: Lars Ellenberg <lars.ellenberg@linbit.com>
+Date: Thu, 19 Feb 2026 15:20:12 +0100
+Subject: drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lars Ellenberg <lars.ellenberg@linbit.com>
+
+commit ab140365fb62c0bdab22b2f516aff563b2559e3b upstream.
+
+Even though we check that we "should" be able to do lc_get_cumulative()
+while holding the device->al_lock spinlock, it may still fail,
+if some other code path decided to do lc_try_lock() with bad timing.
+
+If that happened, we logged "LOGIC BUG for enr=...",
+but still did not return an error.
+
+The rest of the code now assumed that this request has references
+for the relevant activity log extents.
+
+The implcations are that during an active resync, mutual exclusivity of
+resync versus application IO is not guaranteed. And a potential crash
+at this point may not realizs that these extents could have been target
+of in-flight IO and would need to be resynced just in case.
+
+Also, once the request completes, it will give up activity log references it
+does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().
+
+Fix:
+
+Do not crash the kernel for a condition that is harmless during normal
+operation: also catch "e->refcnt == 0", not only "e == NULL"
+when being noisy about "al_complete_io() called on inactive extent %u\n".
+
+And do not try to be smart and "guess" whether something will work, then
+be surprised when it does not.
+Deal with the fact that it may or may not work. If it does not, remember a
+possible "partially in activity log" state (only possible for requests that
+cross extent boundaries), and return an error code from
+drbd_al_begin_io_nonblock().
+
+A latter call for the same request will then resume from where we left off.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
+Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/drbd/drbd_actlog.c | 53 ++++++++++++++++---------------------
+ drivers/block/drbd/drbd_interval.h | 5 ++-
+ 2 files changed, 27 insertions(+), 31 deletions(-)
+
+--- a/drivers/block/drbd/drbd_actlog.c
++++ b/drivers/block/drbd/drbd_actlog.c
+@@ -483,38 +483,20 @@ void drbd_al_begin_io(struct drbd_device
+
+ int drbd_al_begin_io_nonblock(struct drbd_device *device, struct drbd_interval *i)
+ {
+- struct lru_cache *al = device->act_log;
+ /* for bios crossing activity log extent boundaries,
+ * we may need to activate two extents in one go */
+ unsigned first = i->sector >> (AL_EXTENT_SHIFT-9);
+ unsigned last = i->size == 0 ? first : (i->sector + (i->size >> 9) - 1) >> (AL_EXTENT_SHIFT-9);
+- unsigned nr_al_extents;
+- unsigned available_update_slots;
+ unsigned enr;
+
+- D_ASSERT(device, first <= last);
+-
+- nr_al_extents = 1 + last - first; /* worst case: all touched extends are cold. */
+- available_update_slots = min(al->nr_elements - al->used,
+- al->max_pending_changes - al->pending_changes);
+-
+- /* We want all necessary updates for a given request within the same transaction
+- * We could first check how many updates are *actually* needed,
+- * and use that instead of the worst-case nr_al_extents */
+- if (available_update_slots < nr_al_extents) {
+- /* Too many activity log extents are currently "hot".
+- *
+- * If we have accumulated pending changes already,
+- * we made progress.
+- *
+- * If we cannot get even a single pending change through,
+- * stop the fast path until we made some progress,
+- * or requests to "cold" extents could be starved. */
+- if (!al->pending_changes)
+- __set_bit(__LC_STARVING, &device->act_log->flags);
+- return -ENOBUFS;
++ if (i->partially_in_al_next_enr) {
++ D_ASSERT(device, first < i->partially_in_al_next_enr);
++ D_ASSERT(device, last >= i->partially_in_al_next_enr);
++ first = i->partially_in_al_next_enr;
+ }
+
++ D_ASSERT(device, first <= last);
++
+ /* Is resync active in this area? */
+ for (enr = first; enr <= last; enr++) {
+ struct lc_element *tmp;
+@@ -529,14 +511,21 @@ int drbd_al_begin_io_nonblock(struct drb
+ }
+ }
+
+- /* Checkout the refcounts.
+- * Given that we checked for available elements and update slots above,
+- * this has to be successful. */
++ /* Try to checkout the refcounts. */
+ for (enr = first; enr <= last; enr++) {
+ struct lc_element *al_ext;
+ al_ext = lc_get_cumulative(device->act_log, enr);
+- if (!al_ext)
+- drbd_info(device, "LOGIC BUG for enr=%u\n", enr);
++
++ if (!al_ext) {
++ /* Did not work. We may have exhausted the possible
++ * changes per transaction. Or raced with someone
++ * "locking" it against changes.
++ * Remember where to continue from.
++ */
++ if (enr > first)
++ i->partially_in_al_next_enr = enr;
++ return -ENOBUFS;
++ }
+ }
+ return 0;
+ }
+@@ -556,7 +545,11 @@ void drbd_al_complete_io(struct drbd_dev
+
+ for (enr = first; enr <= last; enr++) {
+ extent = lc_find(device->act_log, enr);
+- if (!extent) {
++ /* Yes, this masks a bug elsewhere. However, during normal
++ * operation this is harmless, so no need to crash the kernel
++ * by the BUG_ON(refcount == 0) in lc_put().
++ */
++ if (!extent || extent->refcnt == 0) {
+ drbd_err(device, "al_complete_io() called on inactive extent %u\n", enr);
+ continue;
+ }
+--- a/drivers/block/drbd/drbd_interval.h
++++ b/drivers/block/drbd/drbd_interval.h
+@@ -8,12 +8,15 @@
+ struct drbd_interval {
+ struct rb_node rb;
+ sector_t sector; /* start sector of the interval */
+- unsigned int size; /* size in bytes */
+ sector_t end; /* highest interval end in subtree */
++ unsigned int size; /* size in bytes */
+ unsigned int local:1 /* local or remote request? */;
+ unsigned int waiting:1; /* someone is waiting for completion */
+ unsigned int completed:1; /* this has been completed already;
+ * ignore for conflict detection */
++
++ /* to resume a partially successful drbd_al_begin_io_nonblock(); */
++ unsigned int partially_in_al_next_enr;
+ };
+
+ static inline void drbd_clear_interval(struct drbd_interval *i)
--- /dev/null
+From 117942ca43e2e3c3d121faae530989931b7f67e1 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Mon, 16 Feb 2026 11:02:48 -0400
+Subject: IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit 117942ca43e2e3c3d121faae530989931b7f67e1 upstream.
+
+Fix a user triggerable leak on the system call failure path.
+
+Cc: stable@vger.kernel.org
+Fixes: ec34a922d243 ("[PATCH] IB/mthca: Add SRQ implementation")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://patch.msgid.link/2-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mthca/mthca_provider.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/mthca/mthca_provider.c
++++ b/drivers/infiniband/hw/mthca/mthca_provider.c
+@@ -436,6 +436,8 @@ static int mthca_create_srq(struct ib_sr
+
+ if (context && ib_copy_to_udata(udata, &srq->srqn, sizeof(__u32))) {
+ mthca_free_srq(to_mdev(ibsrq->device), srq);
++ mthca_unmap_user_db(to_mdev(ibsrq->device), &context->uar,
++ context->db_tab, ucmd.db_index);
+ return -EFAULT;
+ }
+
+@@ -444,6 +446,7 @@ static int mthca_create_srq(struct ib_sr
+
+ static int mthca_destroy_srq(struct ib_srq *srq, struct ib_udata *udata)
+ {
++ mthca_free_srq(to_mdev(srq->device), to_msrq(srq));
+ if (udata) {
+ struct mthca_ucontext *context =
+ rdma_udata_to_drv_context(
+@@ -454,8 +457,6 @@ static int mthca_destroy_srq(struct ib_s
+ mthca_unmap_user_db(to_mdev(srq->device), &context->uar,
+ context->db_tab, to_msrq(srq)->db_index);
+ }
+-
+- mthca_free_srq(to_mdev(srq->device), to_msrq(srq));
+ return 0;
+ }
+
--- /dev/null
+From e35626f610f3d2b7953ccddf6a77453da22b3a9e Mon Sep 17 00:00:00 2001
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Tue, 24 Feb 2026 21:28:32 +0100
+Subject: net/sched: ets: fix divide by zero in the offload path
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+commit e35626f610f3d2b7953ccddf6a77453da22b3a9e upstream.
+
+Offloading ETS requires computing each class' WRR weight: this is done by
+averaging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsigned
+int, the same integer size as the individual DRR quanta, can overflow and
+even cause division by zero, like it happened in the following splat:
+
+ Oops: divide error: 0000 [#1] SMP PTI
+ CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G E 6.19.0-virtme #45 PREEMPT(full)
+ Tainted: [E]=UNSIGNED_MODULE
+ Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+ RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]
+ Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44
+ RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246
+ RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660
+ RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe
+ R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe
+ R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000
+ FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0
+ Call Trace:
+ <TASK>
+ ets_qdisc_change+0x870/0xf40 [sch_ets]
+ qdisc_create+0x12b/0x540
+ tc_modify_qdisc+0x6d7/0xbd0
+ rtnetlink_rcv_msg+0x168/0x6b0
+ netlink_rcv_skb+0x5c/0x110
+ netlink_unicast+0x1d6/0x2b0
+ netlink_sendmsg+0x22e/0x470
+ ____sys_sendmsg+0x38a/0x3c0
+ ___sys_sendmsg+0x99/0xe0
+ __sys_sendmsg+0x8a/0xf0
+ do_syscall_64+0x111/0xf80
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ RIP: 0033:0x7f440b81c77e
+ Code: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa
+ RSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e
+ RDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003
+ RBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8
+ R13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980
+ </TASK>
+ Modules linked in: sch_ets(E) netdevsim(E)
+ ---[ end trace 0000000000000000 ]---
+ RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]
+ Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44
+ RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246
+ RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660
+ RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe
+ R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe
+ R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000
+ FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0
+ Kernel panic - not syncing: Fatal exception
+ Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+ ---[ end Kernel panic - not syncing: Fatal exception ]---
+
+Fix this using 64-bit integers for 'q_sum' and 'q_psum'.
+
+Cc: stable@vger.kernel.org
+Fixes: d35eb52bd2ac ("net: sch_ets: Make the ETS qdisc offloadable")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Link: https://patch.msgid.link/28504887df314588c7255e9911769c36f751edee.1771964872.git.dcaratti@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_ets.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/sched/sch_ets.c
++++ b/net/sched/sch_ets.c
+@@ -115,12 +115,12 @@ static void ets_offload_change(struct Qd
+ struct ets_sched *q = qdisc_priv(sch);
+ struct tc_ets_qopt_offload qopt;
+ unsigned int w_psum_prev = 0;
+- unsigned int q_psum = 0;
+- unsigned int q_sum = 0;
+ unsigned int quantum;
+ unsigned int w_psum;
+ unsigned int weight;
+ unsigned int i;
++ u64 q_psum = 0;
++ u64 q_sum = 0;
+
+ if (!tc_can_offload(dev) || !dev->netdev_ops->ndo_setup_tc)
+ return;
+@@ -138,8 +138,12 @@ static void ets_offload_change(struct Qd
+
+ for (i = 0; i < q->nbands; i++) {
+ quantum = q->classes[i].quantum;
+- q_psum += quantum;
+- w_psum = quantum ? q_psum * 100 / q_sum : 0;
++ if (quantum) {
++ q_psum += quantum;
++ w_psum = div64_u64(q_psum * 100, q_sum);
++ } else {
++ w_psum = 0;
++ }
+ weight = w_psum - w_psum_prev;
+ w_psum_prev = w_psum;
+
--- /dev/null
+From 8c09412e584d9bcc0e71d758ec1008d1c8d1a326 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 3 Mar 2026 11:56:02 +0100
+Subject: selftests: mptcp: more stable simult_flows tests
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 8c09412e584d9bcc0e71d758ec1008d1c8d1a326 upstream.
+
+By default, the netem qdisc can keep up to 1000 packets under its belly
+to deal with the configured rate and delay. The simult flows test-case
+simulates very low speed links, to avoid problems due to slow CPUs and
+the TCP stack tend to transmit at a slightly higher rate than the
+(virtual) link constraints.
+
+All the above causes a relatively large amount of packets being enqueued
+in the netem qdiscs - the longer the transfer, the longer the queue -
+producing increasingly high TCP RTT samples and consequently increasingly
+larger receive buffer size due to DRS.
+
+When the receive buffer size becomes considerably larger than the needed
+size, the tests results can flake, i.e. because minimal inaccuracy in the
+pacing rate can lead to a single subflow usage towards the end of the
+connection for a considerable amount of data.
+
+Address the issue explicitly setting netem limits suitable for the
+configured link speeds and unflake all the affected tests.
+
+Fixes: 1a418cb8e888 ("mptcp: simult flow self-tests")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-1-4b5462b6f016@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/simult_flows.sh | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/simult_flows.sh
++++ b/tools/testing/selftests/net/mptcp/simult_flows.sh
+@@ -235,10 +235,13 @@ run_test()
+ for dev in ns2eth1 ns2eth2; do
+ tc -n $ns2 qdisc del dev $dev root >/dev/null 2>&1
+ done
+- tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1
+- tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2
+- tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1
+- tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2
++
++ # keep the queued pkts number low, or the RTT estimator will see
++ # increasing latency over time.
++ tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1 limit 50
++ tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2 limit 50
++ tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1 limit 50
++ tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2 limit 50
+
+ # time is measure in ms
+ local time=$((size * 8 * 1000 / (( $rate1 + $rate2) * 1024 *1024) ))
can-ucan-fix-infinite-loop-from-zero-length-messages.patch
hid-add-hid_claimed_input-guards-in-raw_event-callbacks-missing-them.patch
x86-efi-defer-freeing-of-boot-services-memory.patch
+alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch
+wifi-radiotap-reject-radiotap-with-unknown-bits.patch
+ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch
+net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch
+squashfs-check-metadata-block-offset-is-within-range.patch
+drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch
+selftests-mptcp-more-stable-simult_flows-tests.patch
--- /dev/null
+From fdb24a820a5832ec4532273282cbd4f22c291a0d Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Tue, 17 Feb 2026 05:09:55 +0000
+Subject: Squashfs: check metadata block offset is within range
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+commit fdb24a820a5832ec4532273282cbd4f22c291a0d upstream.
+
+Syzkaller reports a "general protection fault in squashfs_copy_data"
+
+This is ultimately caused by a corrupted index look-up table, which
+produces a negative metadata block offset.
+
+This is subsequently passed to squashfs_copy_data (via
+squashfs_read_metadata) where the negative offset causes an out of bounds
+access.
+
+The fix is to check that the offset is within range in
+squashfs_read_metadata. This will trap this and other cases.
+
+Link: https://lkml.kernel.org/r/20260217050955.138351-1-phillip@squashfs.org.uk
+Fixes: f400e12656ab ("Squashfs: cache operations")
+Reported-by: syzbot+a9747fe1c35a5b115d3f@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/699234e2.a70a0220.2c38d7.00e2.GAE@google.com/
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/squashfs/cache.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/squashfs/cache.c
++++ b/fs/squashfs/cache.c
+@@ -340,6 +340,9 @@ int squashfs_read_metadata(struct super_
+ if (unlikely(length < 0))
+ return -EIO;
+
++ if (unlikely(*offset < 0 || *offset >= SQUASHFS_METADATA_SIZE))
++ return -EIO;
++
+ while (length) {
+ entry = squashfs_cache_get(sb, msblk->block_cache, *block, 0);
+ if (entry->error) {
--- /dev/null
+From c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 17 Feb 2026 13:05:26 +0100
+Subject: wifi: radiotap: reject radiotap with unknown bits
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 upstream.
+
+The radiotap parser is currently only used with the radiotap
+namespace (not with vendor namespaces), but if the undefined
+field 18 is used, the alignment/size is unknown as well. In
+this case, iterator->_next_ns_data isn't initialized (it's
+only set for skipping vendor namespaces), and syzbot points
+out that we later compare against this uninitialized value.
+
+Fix this by moving the rejection of unknown radiotap fields
+down to after the in-namespace lookup, so it will really use
+iterator->_next_ns_data only for vendor namespaces, even in
+case undefined fields are present.
+
+Cc: stable@vger.kernel.org
+Fixes: 33e5a2f776e3 ("wireless: update radiotap parser")
+Reported-by: syzbot+b09c1af8764c0097bb19@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/69944a91.a70a0220.2c38d7.00fc.GAE@google.com
+Link: https://patch.msgid.link/20260217120526.162647-2-johannes@sipsolutions.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/radiotap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/radiotap.c
++++ b/net/wireless/radiotap.c
+@@ -240,14 +240,14 @@ int ieee80211_radiotap_iterator_next(
+ default:
+ if (!iterator->current_namespace ||
+ iterator->_arg_index >= iterator->current_namespace->n_bits) {
+- if (iterator->current_namespace == &radiotap_ns)
+- return -ENOENT;
+ align = 0;
+ } else {
+ align = iterator->current_namespace->align_size[iterator->_arg_index].align;
+ size = iterator->current_namespace->align_size[iterator->_arg_index].size;
+ }
+ if (!align) {
++ if (iterator->current_namespace == &radiotap_ns)
++ return -ENOENT;
+ /* skip all subsequent data */
+ iterator->_arg = iterator->_next_ns_data;
+ /* give up on this namespace */
projects / thirdparty / kernel / stable-queue.git / commitdiff
