5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Jun 2026 15:59:14 +0000 (17:59 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Jun 2026 15:59:14 +0000 (17:59 +0200)
added patches:
mmc-core-fix-host-controller-programming-for-fixed-driver-type.patch
mmc-renesas_sdhi-add-of-entry-for-rz-g2h-soc.patch
mmc-sdhci-add-signal-voltage-switch-in-sdhci_resume_host.patch
sctp-diag-reject-stale-associations-in-dump_one-path.patch
sctp-stream-fully-roll-back-denied-add-stream-state.patch
slimbus-qcom-ngd-ctrl-avoid-abba-on-tx_lock-ctrl-lock.patch
thunderbolt-bound-root-directory-content-to-block-size.patch
thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch
thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch
thunderbolt-reject-zero-length-property-entries-in-validator.patch

queue-5.15/mmc-core-fix-host-controller-programming-for-fixed-driver-type.patch [new file with mode: 0644]
queue-5.15/mmc-renesas_sdhi-add-of-entry-for-rz-g2h-soc.patch [new file with mode: 0644]
queue-5.15/mmc-sdhci-add-signal-voltage-switch-in-sdhci_resume_host.patch [new file with mode: 0644]
queue-5.15/sctp-diag-reject-stale-associations-in-dump_one-path.patch [new file with mode: 0644]
queue-5.15/sctp-stream-fully-roll-back-denied-add-stream-state.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/slimbus-qcom-ngd-ctrl-avoid-abba-on-tx_lock-ctrl-lock.patch [new file with mode: 0644]
queue-5.15/thunderbolt-bound-root-directory-content-to-block-size.patch [new file with mode: 0644]
queue-5.15/thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch [new file with mode: 0644]
queue-5.15/thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch [new file with mode: 0644]
queue-5.15/thunderbolt-reject-zero-length-property-entries-in-validator.patch [new file with mode: 0644]

diff --git a/queue-5.15/mmc-core-fix-host-controller-programming-for-fixed-driver-type.patch b/queue-5.15/mmc-core-fix-host-controller-programming-for-fixed-driver-type.patch
new file mode 100644 (file)
index 0000000..e212783
--- /dev/null
@@ -0,0 +1,46 @@
+From 5a52c5701a67d5176eb1afbf1bdaf7d6dfeec597 Mon Sep 17 00:00:00 2001
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+Date: Thu, 23 Apr 2026 15:18:55 -0400
+Subject: mmc: core: Fix host controller programming for fixed driver type
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+commit 5a52c5701a67d5176eb1afbf1bdaf7d6dfeec597 upstream.
+
+When using the fixed-emmc-driver-type device tree property, the MMC core
+correctly selects the driver strength for the card but fails to program
+the host controller accordingly. This causes a mismatch where the card
+uses the specified driver type while the host controller defaults to
+Type B (since ios->drv_type remains zero).
+
+Split the driver type programming logic to handle both fixed and dynamic
+driver type selection paths. For fixed driver types, program the host
+controller with the selected drive_strength value. For dynamic selection,
+use the existing drv_type as before.
+
+This ensures both the eMMC device and host controller use matching driver
+strengths, preventing potential signal integrity issues.
+
+Fixes: 6186d06c519e ("mmc: parse new binding for eMMC fixed driver type")
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: Shawn Lin <shawn.lin@rock-chips.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/mmc.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -1339,7 +1339,9 @@ static void mmc_select_driver_type(struc
+       card->drive_strength = drive_strength;
+-      if (drv_type)
++      if (fixed_drv_type >= 0 && drive_strength)
++              mmc_set_driver_type(card->host, drive_strength);
++      else if (drv_type)
+               mmc_set_driver_type(card->host, drv_type);
+ }
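Review bot: The new guard `fixed_drv_type >= 0 && drive_strength` means an explicitly fixed driver type 0 (Type B) never programs the host, and nothing in the hunk says that this is intended; a comment above the `if` would stop the next reader from treating it as a missed case, e.g. `/* Fixed type: program the host with the card's value; 0 (Type B) is the host default and needs no write. */`. Whether `drv_type` is guaranteed to be zero on the fixed path is decided earlier in mmc_select_driver_type, outside this hunk, so the `else if` fallback cannot be judged from here. The enclosing function starts before the hunk.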
diff --git a/queue-5.15/mmc-renesas_sdhi-add-of-entry-for-rz-g2h-soc.patch b/queue-5.15/mmc-renesas_sdhi-add-of-entry-for-rz-g2h-soc.patch
new file mode 100644 (file)
index 0000000..444001b
--- /dev/null
@@ -0,0 +1,40 @@
+From f48ee49726ee4ab545fd2dc644f169c0809b19b3 Mon Sep 17 00:00:00 2001
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Date: Tue, 19 May 2026 14:53:40 +0100
+Subject: mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+commit f48ee49726ee4ab545fd2dc644f169c0809b19b3 upstream.
+
+The RZ/G2H (R8A774E1) SoC was previously handled via the generic
+"renesas,rcar-gen3-sdhi" fallback compatible string. However, because
+the SDHI IP on RZ/G2H is identical with the R-Car H3-N (R8A77951), it
+requires the specific quirks and configuration defined in
+`of_r8a7795_compatible` rather than the generic Gen3 data.
+
+Add the explicit "renesas,sdhi-r8a774e1" match entry to map it correctly.
+Note that the DT binding file renesas,sdhi.yaml does not need an update
+as the entry for this SoC is already present.
+
+Fixes: 31941342888d ("arm64: dts: renesas: r8a774e1: Add SDHI nodes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Ulf Hansson <ulfh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/renesas_sdhi_internal_dmac.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c
++++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c
+@@ -231,6 +231,7 @@ static const struct renesas_sdhi_of_data
+ static const struct of_device_id renesas_sdhi_internal_dmac_of_match[] = {
+       { .compatible = "renesas,sdhi-r7s9210", .data = &of_rza2_compatible, },
+       { .compatible = "renesas,sdhi-mmc-r8a77470", .data = &of_rcar_gen3_compatible, },
++      { .compatible = "renesas,sdhi-r8a774e1", .data = &of_r8a7795_compatible, },
+       { .compatible = "renesas,sdhi-r8a7795", .data = &of_r8a7795_compatible, },
+       { .compatible = "renesas,sdhi-r8a7796", .data = &of_rcar_gen3_compatible, },
+       { .compatible = "renesas,sdhi-r8a77961", .data = &of_r8a77961_compatible, },
diff --git a/queue-5.15/mmc-sdhci-add-signal-voltage-switch-in-sdhci_resume_host.patch b/queue-5.15/mmc-sdhci-add-signal-voltage-switch-in-sdhci_resume_host.patch
new file mode 100644 (file)
index 0000000..799431c
--- /dev/null
@@ -0,0 +1,47 @@
+From f595e8e77a51eee35e331f69321766593a845ef2 Mon Sep 17 00:00:00 2001
+From: Jisheng Zhang <jszhang@kernel.org>
+Date: Sun, 24 May 2026 10:34:55 +0800
+Subject: mmc: sdhci: add signal voltage switch in sdhci_resume_host
+
+From: Jisheng Zhang <jszhang@kernel.org>
+
+commit f595e8e77a51eee35e331f69321766593a845ef2 upstream.
+
+I met one suspend/resume issue with sdr104 capable sdio wifi card (with
+"keep-power-in-suspend" set in DT property):
+After resuming from suspend to ram, the sdio wifi card stops working.
+Further debug shows that although ios shows the sdio card is at sdr104
+mode, the voltage is still at 3V3. This is due to missing the calling
+of ->start_signal_voltage_switch() in sdhci_resume_host().
+
+Fix this issue by adding ->start_signal_voltage_switch() in
+sdhci_resume_host(). This also matches what we do for
+sdhci_runtime_resume_host().
+
+Then the question is: why this issue hasn't reported and fixed for so
+long time. IMHO, several reasons: Some host controllers just kick off
+the runtime resume for system resume, so they benefit from the well
+supported runtime pm code; Some platforms just use the old sdio wifi
+card which doesn't need signal voltage switch at all, the default
+voltage is 3v3 after resuming.
+
+Fixes: 6308d2905bd3 ("mmc: sdhci: add quirk for keeping card power during suspend")
+Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulfh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -3760,6 +3760,7 @@ int sdhci_resume_host(struct sdhci_host
+               host->pwr = 0;
+               host->clock = 0;
+               host->reinit_uhs = true;
++              mmc->ops->start_signal_voltage_switch(mmc, &mmc->ios);
+               mmc->ops->set_ios(mmc, &mmc->ios);
+       } else {
+               sdhci_init(host, (mmc->pm_flags & MMC_PM_KEEP_POWER));
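Review bot: The return value of the added `mmc->ops->start_signal_voltage_switch(mmc, &mmc->ios)` call is discarded, so a failed switch on resume is silent and `set_ios` then brings the host up at the old voltage, which is the state the commit message describes. The runtime-resume path the commit cites appears to ignore the result the same way, so matching it is defensible, but a warning on a non-zero return, or at least a comment stating that the failure is deliberately ignored, would make the choice visible. The enclosing `sdhci_resume_host` starts before the hunk.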
diff --git a/queue-5.15/sctp-diag-reject-stale-associations-in-dump_one-path.patch b/queue-5.15/sctp-diag-reject-stale-associations-in-dump_one-path.patch
new file mode 100644 (file)
index 0000000..8b05822
--- /dev/null
@@ -0,0 +1,78 @@
+From 5eba3e48d78edd7551b992cb7ba687019b3a78da Mon Sep 17 00:00:00 2001
+From: Zhao Zhang <zzhan461@ucr.edu>
+Date: Sat, 30 May 2026 23:57:14 +0800
+Subject: sctp: diag: reject stale associations in dump_one path
+
+From: Zhao Zhang <zzhan461@ucr.edu>
+
+commit 5eba3e48d78edd7551b992cb7ba687019b3a78da upstream.
+
+The SCTP exact sock_diag lookup can hold a transport reference, block on
+lock_sock(sk), and then resume after sctp_association_free() has marked
+the association dead and freed its bind address list.
+
+When that happens, inet_assoc_attr_size() and
+inet_diag_msg_sctpasoc_fill() can still dereference association state
+that is no longer valid for reporting. In particular,
+inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a
+real sctp_sockaddr_entry and trigger an out-of-bounds read from
+unrelated association memory.
+
+Reject the association after taking the socket lock if it has been
+reaped or detached from the endpoint, and report the lookup as stale.
+This keeps the exact dump-one path from formatting torn association
+state.
+
+Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Zhao Zhang <zzhan461@ucr.edu>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Acked-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/fac6043fa20a2ff68e12958c431836f692c51268.1780113823.git.zzhan461@ucr.edu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/diag.c |   17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/net/sctp/diag.c
++++ b/net/sctp/diag.c
+@@ -266,15 +266,15 @@ static int sctp_sock_dump_one(struct sct
+       lock_sock(sk);
+-      rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL);
+-      if (!rep) {
+-              release_sock(sk);
+-              return -ENOMEM;
++      if (ep != assoc->ep || assoc->base.dead) {
++              err = -ESTALE;
++              goto out_unlock;
+       }
+-      if (ep != assoc->ep) {
+-              err = -EAGAIN;
+-              goto out;
++      rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL);
++      if (!rep) {
++              err = -ENOMEM;
++              goto out_unlock;
+       }
+       err = inet_sctp_diag_fill(sk, assoc, rep, req, sk_user_ns(NETLINK_CB(skb).sk),
+@@ -289,8 +289,9 @@ static int sctp_sock_dump_one(struct sct
+       return nlmsg_unicast(sock_net(skb->sk)->diag_nlsk, rep, NETLINK_CB(skb).portid);
+ out:
+-      release_sock(sk);
+       kfree_skb(rep);
++out_unlock:
++      release_sock(sk);
+       return err;
+ }
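Review bot: The new `ep != assoc->ep || assoc->base.dead` test is only meaningful because it sits after `lock_sock(sk)`, and nothing in the hunk says so; a comment would keep a later cleanup from hoisting it above the lock, e.g. `/* We may have slept in lock_sock() while the association was freed; refuse to report torn state. */`. The error-path reordering (`kfree_skb(rep)` before `out_unlock`) is consistent, since `rep` is only allocated once the check has passed. The enclosing `sctp_sock_dump_one` starts before the hunk.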
diff --git a/queue-5.15/sctp-stream-fully-roll-back-denied-add-stream-state.patch b/queue-5.15/sctp-stream-fully-roll-back-denied-add-stream-state.patch
new file mode 100644 (file)
index 0000000..3da2d88
--- /dev/null
@@ -0,0 +1,61 @@
+From a5f8a90ac9f77c678a9781c0a464b635e0d63e49 Mon Sep 17 00:00:00 2001
+From: Wyatt Feng <bronzed_45_vested@icloud.com>
+Date: Fri, 5 Jun 2026 13:53:42 +0800
+Subject: sctp: stream: fully roll back denied add-stream state
+
+From: Wyatt Feng <bronzed_45_vested@icloud.com>
+
+commit a5f8a90ac9f77c678a9781c0a464b635e0d63e49 upstream.
+
+When ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and
+then lowers outcnt. That leaves removed stream metadata behind, so a
+later re-add can reuse a stale ext and hit a null-pointer dereference in
+the scheduler get path.
+
+Fix the rollback by tearing down the removed stream state the same way
+other stream resizes do. Unschedule the current scheduler state, drop
+the removed stream ext state with sctp_stream_outq_migrate(), and then
+reschedule the remaining streams.
+
+This keeps scheduler-private RR/FC/PRIO lists consistent while fully
+rolling back denied outgoing stream additions.
+
+Fixes: 637784ade221 ("sctp: introduce priority based stream scheduler")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Acked-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/d78954ecd94954653ee299400e98d74a03a6f7d3.1780603399.git.bronzed_45_vested@icloud.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/stream.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/stream.c
++++ b/net/sctp/stream.c
+@@ -1038,6 +1038,7 @@ struct sctp_chunk *sctp_process_strreset
+                       stsn, rtsn, GFP_ATOMIC);
+       } else if (req->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS) {
+               struct sctp_strreset_addstrm *addstrm;
++              const struct sctp_sched_ops *sched;
+               __u16 number;
+               addstrm = (struct sctp_strreset_addstrm *)req;
+@@ -1048,7 +1049,10 @@ struct sctp_chunk *sctp_process_strreset
+                       for (i = number; i < stream->outcnt; i++)
+                               SCTP_SO(stream, i)->state = SCTP_STREAM_OPEN;
+               } else {
+-                      sctp_stream_shrink_out(stream, number);
++                      sched = sctp_sched_ops_from_stream(stream);
++                      sched->unsched_all(stream);
++                      sctp_stream_outq_migrate(stream, NULL, number);
++                      sched->sched_all(stream);
+                       stream->outcnt = number;
+               }
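Review bot: The `unsched_all` / `sctp_stream_outq_migrate(stream, NULL, number)` / `sched_all` sequence carries no comment explaining why the previous `sctp_stream_shrink_out` call was not enough, and the reason (the removed streams' `ext` must go so a later re-add cannot reuse it) lives only in the changelog; add it above the first line, e.g. `/* Drop the removed streams' ext and scheduler state, not just their queued chunks, so a later re-add starts clean. */`. The commit message says other stream resizes already do this teardown, which suggests the three calls could become a small shared helper rather than a second copy. The enclosing function (header shows `sctp_process_strreset`) starts before the hunk.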
index 5e157801247522d2d05487ca89c1917a06a35d11..7536871655cfe838cd07ddb8490fde4c06b30be5 100644 (file)
@@ -229,3 +229,13 @@ misc-fastrpc-fix-dma-address-corruption-due-to-find_vma-misuse.patch
 net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch
 net-mv643xx-fix-of-node-refcount.patch
 net-rds-clear-i_sends-on-setup-unwind.patch
+mmc-core-fix-host-controller-programming-for-fixed-driver-type.patch
+mmc-renesas_sdhi-add-of-entry-for-rz-g2h-soc.patch
+mmc-sdhci-add-signal-voltage-switch-in-sdhci_resume_host.patch
+sctp-diag-reject-stale-associations-in-dump_one-path.patch
+sctp-stream-fully-roll-back-denied-add-stream-state.patch
+thunderbolt-reject-zero-length-property-entries-in-validator.patch
+thunderbolt-bound-root-directory-content-to-block-size.patch
+thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch
+thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch
+slimbus-qcom-ngd-ctrl-avoid-abba-on-tx_lock-ctrl-lock.patch
diff --git a/queue-5.15/slimbus-qcom-ngd-ctrl-avoid-abba-on-tx_lock-ctrl-lock.patch b/queue-5.15/slimbus-qcom-ngd-ctrl-avoid-abba-on-tx_lock-ctrl-lock.patch
new file mode 100644 (file)
index 0000000..91552e4
--- /dev/null
@@ -0,0 +1,76 @@
+From 55f2ea9ff83cc27a85526b14bc9b32f96a08d6ec Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Date: Sat, 30 May 2026 21:44:21 +0100
+Subject: slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+commit 55f2ea9ff83cc27a85526b14bc9b32f96a08d6ec upstream.
+
+During the SSR/PDR down notification the tx_lock is taken with the
+intent to provide synchronization with active DMA transfers.
+
+But during this period qcom_slim_ngd_down() is invoked, which ends up in
+slim_report_absent(), which takes the slim_controller lock. In multiple
+other codepaths these two locks are taken in the opposite order (i.e.
+slim_controller then tx_lock).
+
+The result is a lockdep splat, and a possible deadlock:
+
+  rprocctl/449 is trying to acquire lock:
+  ffff00009793e620 (&ctrl->lock){+.+.}-{4:4}, at: slim_report_absent (drivers/slimbus/core.c:322) slimbus
+
+  but task is already holding lock:
+  ffff00009793fb50 (&ctrl->tx_lock){+.+.}-{4:4}, at: qcom_slim_ngd_ssr_pdr_notify (drivers/slimbus/qcom-ngd-ctrl.c:1475) slim_qcom_ngd_ctrl
+
+  which lock already depends on the new lock.
+
+  Possible unsafe locking scenario:
+
+        CPU0                    CPU1
+        ----                    ----
+   lock(&ctrl->tx_lock);
+                                lock(&ctrl->lock);
+                                lock(&ctrl->tx_lock);
+   lock(&ctrl->lock);
+
+The assumption is that the comment refers to the desire to not call
+qcom_slim_ngd_exit_dma() while we have an ongoing DMA TX transaction.
+But any such transaction is initiated and completed within a single
+qcom_slim_ngd_xfer_msg().
+
+Prior to calling qcom_slim_ngd_exit_dma() the slim_controller is torn
+down, all child devices are notified that the slimbus is gone and the
+child devices are removed.
+
+Stop taking the tx_lock in qcom_slim_ngd_ssr_pdr_notify() to avoid the
+deadlock.
+
+Fixes: a899d324863a ("slimbus: qcom-ngd-ctrl: add Sub System Restart support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204421.116824-9-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/slimbus/qcom-ngd-ctrl.c |    3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1394,15 +1394,12 @@ static int qcom_slim_ngd_ssr_pdr_notify(
+       switch (action) {
+       case QCOM_SSR_BEFORE_SHUTDOWN:
+       case SERVREG_SERVICE_STATE_DOWN:
+-              /* Make sure the last dma xfer is finished */
+-              mutex_lock(&ctrl->tx_lock);
+               if (ctrl->state != QCOM_SLIM_NGD_CTRL_DOWN) {
+                       pm_runtime_get_noresume(ctrl->ctrl.dev);
+                       ctrl->state = QCOM_SLIM_NGD_CTRL_DOWN;
+                       qcom_slim_ngd_down(ctrl);
+                       qcom_slim_ngd_exit_dma(ctrl);
+               }
+-              mutex_unlock(&ctrl->tx_lock);
+               break;
+       case QCOM_SSR_AFTER_POWERUP:
+       case SERVREG_SERVICE_STATE_UP:
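Review bot: With `mutex_lock(&ctrl->tx_lock)` gone, the read-then-write of `ctrl->state` around `qcom_slim_ngd_down()` runs with no lock visible in the hunk, so it now relies on the notifier chain serializing the DOWN and UP callbacks and on the xfer path checking `ctrl->state` under its own locking; the hunk shows neither. If that is the intended contract, replacing the dropped comment with one that states it, e.g. `/* No tx_lock here: it nests inside ctrl->lock elsewhere (ABBA), and any DMA xfer completes within qcom_slim_ngd_xfer_msg() */`, would stop someone re-adding the lock. The enclosing function starts before the hunk and the UP case continues after it.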
diff --git a/queue-5.15/thunderbolt-bound-root-directory-content-to-block-size.patch b/queue-5.15/thunderbolt-bound-root-directory-content-to-block-size.patch
new file mode 100644 (file)
index 0000000..88323be
--- /dev/null
@@ -0,0 +1,40 @@
+From 65423079c7420e3dbf9a7aa345c243a3f5752e5d Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Mon, 25 May 2026 05:28:26 -0400
+Subject: thunderbolt: Bound root directory content to block size
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 65423079c7420e3dbf9a7aa345c243a3f5752e5d upstream.
+
+__tb_property_parse_dir() does not check that content_offset +
+content_len fits within block_len for the root directory case.
+When rootdir->length equals or exceeds block_len - 2, the entry
+loop reads past the allocated property block.
+
+Add a bounds check after computing content_offset and content_len
+to reject directories whose content extends past the block.
+
+Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thunderbolt/property.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/thunderbolt/property.c
++++ b/drivers/thunderbolt/property.c
+@@ -181,6 +181,10 @@ static struct tb_property_dir *__tb_prop
+       if (is_root) {
+               content_offset = dir_offset + 2;
+               content_len = dir_len;
++              if (content_offset + content_len > block_len) {
++                      tb_property_free_dir(dir);
++                      return NULL;
++              }
+       } else {
+               if (dir_len < 4) {
+                       tb_property_free_dir(dir);
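Review bot: The new `content_offset + content_len > block_len` check is, per the commit message, the only bound ever applied to the root directory's length, because for the root `dir_len` comes from the header rather than from an entry that passed `tb_property_entry_valid()`; a comment saying so would explain why only the `is_root` branch needed it, e.g. `/* Root length comes straight from the header and never passes tb_property_entry_valid(). */`. Whether the sum can wrap depends on the operand types, which are declared above the hunk; with both values bounded by `block_len` it should not, but that is worth confirming. The enclosing function starts before the hunk.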
diff --git a/queue-5.15/thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch b/queue-5.15/thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch
new file mode 100644 (file)
index 0000000..e138ac4
--- /dev/null
@@ -0,0 +1,39 @@
+From 322e93448d908434ae5545660fcbe8f5a7a8e141 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Mon, 25 May 2026 05:28:27 -0400
+Subject: thunderbolt: Clamp XDomain response data copy to allocation size
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 322e93448d908434ae5545660fcbe8f5a7a8e141 upstream.
+
+tb_xdp_properties_request() derives the per-packet copy length from
+the response header without checking that it fits in the previously
+allocated data buffer.  A malicious peer can set its length field
+larger than the declared data_length, causing memcpy to write past
+the kcalloc allocation.
+
+Clamp the per-packet copy length so that the cumulative offset
+never exceeds data_len.
+
+Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thunderbolt/xdomain.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/thunderbolt/xdomain.c
++++ b/drivers/thunderbolt/xdomain.c
+@@ -370,6 +370,8 @@ static int tb_xdp_properties_request(str
+                       }
+               }
++              if (req.offset + len > data_len)
++                      len = data_len - req.offset;
+               memcpy(data + req.offset, res->data, len * 4);
+               req.offset += len;
+       } while (!data_len || req.offset < data_len);
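Review bot: The clamp `len = data_len - req.offset` silently truncates an oversized frame instead of treating it as the protocol violation it is, and if `data_len` is still 0 when this line runs it yields `len == 0`, after which `req.offset` never advances and the `!data_len` loop condition keeps the request looping; whether `data_len` can be 0 here depends on the allocation code above the hunk, so please confirm. Rejecting the frame is the more defensive choice and is a one-line change, `if (req.offset + len > data_len) { ret = -EIO; goto err; }`, assuming the function's usual `ret`/`goto err` exit, which is not visible in the hunk. The enclosing `tb_xdp_properties_request` starts before the hunk.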
diff --git a/queue-5.15/thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch b/queue-5.15/thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch
new file mode 100644 (file)
index 0000000..e00c01d
--- /dev/null
@@ -0,0 +1,40 @@
+From 4db2bd2ed4785dbadaeeab9f4e346b21ac5fb8eb Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Mon, 25 May 2026 05:28:29 -0400
+Subject: thunderbolt: Limit XDomain response copy to actual frame size
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 4db2bd2ed4785dbadaeeab9f4e346b21ac5fb8eb upstream.
+
+tb_xdomain_copy() copies req->response_size bytes from the received
+packet buffer regardless of the actual frame size.  When a short
+response arrives, this reads past the valid frame data in the DMA
+pool buffer into stale contents from previous transactions.
+
+Use the minimum of frame size and expected response size for the
+copy length.
+
+Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thunderbolt/xdomain.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/thunderbolt/xdomain.c
++++ b/drivers/thunderbolt/xdomain.c
+@@ -96,7 +96,9 @@ static bool tb_xdomain_match(const struc
+ static bool tb_xdomain_copy(struct tb_cfg_request *req,
+                           const struct ctl_pkg *pkg)
+ {
+-      memcpy(req->response, pkg->buffer, req->response_size);
++      size_t len = min_t(size_t, pkg->frame.size, req->response_size);
++
++      memcpy(req->response, pkg->buffer, len);
+       req->result.err = 0;
+       return true;
+ }
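Review bot: After the `min_t` clamp a short frame leaves the tail of `req->response` untouched while `req->result.err = 0` and `return true` still report a complete response, so the caller parses whatever was in that buffer before, stack or stale heap contents, as the reply. Either clear the tail, `if (len < req->response_size) memset((u8 *)req->response + len, 0, req->response_size - len);`, or, more strictly, record the short frame in `req->result.err` so the request fails rather than delivering partial data. The commit fixes the over-read but stops one step short of telling the caller the data is partial.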
diff --git a/queue-5.15/thunderbolt-reject-zero-length-property-entries-in-validator.patch b/queue-5.15/thunderbolt-reject-zero-length-property-entries-in-validator.patch
new file mode 100644 (file)
index 0000000..4259805
--- /dev/null
@@ -0,0 +1,42 @@
+From cff8eb65d1eafe7793e54b4d0cf6bf831644630b Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Mon, 25 May 2026 05:28:25 -0400
+Subject: thunderbolt: Reject zero-length property entries in validator
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit cff8eb65d1eafe7793e54b4d0cf6bf831644630b upstream.
+
+tb_property_entry_valid() accepts entries with length == 0 for
+DIRECTORY, DATA, and TEXT types.  A zero-length TEXT entry passes
+validation but causes an underflow in the null-termination logic:
+
+  property->value.text[property->length * 4 - 1] = '\0';
+
+When property->length is 0 this writes to offset -1 relative to
+the allocation.
+
+Reject zero-length entries early in the validator since they have no
+valid representation in the XDomain property protocol.
+
+Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thunderbolt/property.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/thunderbolt/property.c
++++ b/drivers/thunderbolt/property.c
+@@ -59,6 +59,8 @@ static bool tb_property_entry_valid(cons
+       case TB_PROPERTY_TYPE_DIRECTORY:
+       case TB_PROPERTY_TYPE_DATA:
+       case TB_PROPERTY_TYPE_TEXT:
++              if (!entry->length)
++                      return false;
+               if (entry->length > block_len)
+                       return false;
+               if (check_add_overflow(entry->value, entry->length, &end) ||
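Review bot: The new `if (!entry->length) return false;` and the existing `if (entry->length > block_len) return false;` directly beneath it are the same kind of range test and read better as one condition, `if (!entry->length || entry->length > block_len) return false;`. A one-line comment on why zero is rejected, `/* zero-length DIRECTORY/DATA/TEXT has no encoding; TEXT would underflow length * 4 - 1 */`, would keep the reason with the code rather than only in the changelog. The `switch` and `tb_property_entry_valid()` continue outside the hunk.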