5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Jun 2026 14:41:37 +0000 (16:41 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Jun 2026 14:41:37 +0000 (16:41 +0200)
added patches:
alsa-timer-fix-uaf-at-snd_timer_user_params.patch
arm-9474-1-io-avoid-kasan-instrumentation-of-raw-halfword-i-o.patch
arm-socfpga-fix-of-node-refcount-leak-in-smp-setup.patch
bnxt_en-fix-null-pointer-dereference.patch
drm-amd-display-reject-gpio_bitshift-32-in-bios_parser_get_gpio_pin_info.patch
ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch
mptcp-fix-retransmission-loop-when-csum-is-enabled.patch
mptcp-sockopt-check-timestamping-ret-value.patch
pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch
rdma-srp-bound-srp_rsp-sense-copy-by-the-received-length.patch
usb-serial-io_ti-fix-heap-overflow-in-build_i2c_fw_hdr.patch
usb-serial-io_ti-fix-heap-overflow-in-get_manuf_info.patch
usb-serial-kl5kusb105-fix-bulk-out-buffer-overflow.patch
usb-serial-option-add-usb-id-for-dell-wireless-dw5826e-m.patch
vsock-vmci-fix-sk_ack_backlog-leak-on-failed-handshake.patch
xfrm-espintcp-do-not-reuse-an-in-progress-partial-send.patch

17 files changed:
queue-5.15/alsa-timer-fix-uaf-at-snd_timer_user_params.patch [new file with mode: 0644]
queue-5.15/arm-9474-1-io-avoid-kasan-instrumentation-of-raw-halfword-i-o.patch [new file with mode: 0644]
queue-5.15/arm-socfpga-fix-of-node-refcount-leak-in-smp-setup.patch [new file with mode: 0644]
queue-5.15/bnxt_en-fix-null-pointer-dereference.patch [new file with mode: 0644]
queue-5.15/drm-amd-display-reject-gpio_bitshift-32-in-bios_parser_get_gpio_pin_info.patch [new file with mode: 0644]
queue-5.15/ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch [new file with mode: 0644]
queue-5.15/mptcp-fix-retransmission-loop-when-csum-is-enabled.patch [new file with mode: 0644]
queue-5.15/mptcp-sockopt-check-timestamping-ret-value.patch [new file with mode: 0644]
queue-5.15/pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch [new file with mode: 0644]
queue-5.15/rdma-srp-bound-srp_rsp-sense-copy-by-the-received-length.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/usb-serial-io_ti-fix-heap-overflow-in-build_i2c_fw_hdr.patch [new file with mode: 0644]
queue-5.15/usb-serial-io_ti-fix-heap-overflow-in-get_manuf_info.patch [new file with mode: 0644]
queue-5.15/usb-serial-kl5kusb105-fix-bulk-out-buffer-overflow.patch [new file with mode: 0644]
queue-5.15/usb-serial-option-add-usb-id-for-dell-wireless-dw5826e-m.patch [new file with mode: 0644]
queue-5.15/vsock-vmci-fix-sk_ack_backlog-leak-on-failed-handshake.patch [new file with mode: 0644]
queue-5.15/xfrm-espintcp-do-not-reuse-an-in-progress-partial-send.patch [new file with mode: 0644]

diff --git a/queue-5.15/alsa-timer-fix-uaf-at-snd_timer_user_params.patch b/queue-5.15/alsa-timer-fix-uaf-at-snd_timer_user_params.patch
new file mode 100644 (file)
index 0000000..6de3a37
--- /dev/null
@@ -0,0 +1,46 @@
+From 053a401b592be424fea9d57c789f66cd5d8cec11 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sat, 6 Jun 2026 18:11:41 +0200
+Subject: ALSA: timer: Fix UAF at snd_timer_user_params()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 053a401b592be424fea9d57c789f66cd5d8cec11 upstream.
+
+At releasing a timer object, e.g. when a userspace timer
+(CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it
+tries to detach the timer instances and release the resources.
+However, it's still possible that other in-flight tasks are holding
+the timer instance where the to-be-deleted timer object is associated,
+and this may lead to racy accesses.
+
+Fortunately, most of ioctls dealing with the timer instance list
+already have the protection with register_mutex, and this also avoids
+such races.  But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the
+concurrent ioctl may lead to use-after-free.
+
+This patch just adds the guard with register_mutex to protect
+snd_timer_user_params() for covering the code path as a quick
+workaround.  It's no hot-path but rather a rarely issued ioctl, so the
+performance penalty doesn't matter.
+
+Reported-by: Kyle Zeng <kylebot@openai.com>
+Tested-by: Kyle Zeng <kylebot@openai.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20260606161145.1933447-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/timer.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1842,6 +1842,7 @@ static int snd_timer_user_params(struct
+       struct snd_timer *t;
+       int err;
++      guard(mutex)(&register_mutex);
+       tu = file->private_data;
+       if (!tu->timeri)
+               return -EBADFD;
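Review bot: The new `guard(mutex)(&register_mutex);` line depends on `guard()`/`DEFINE_GUARD(mutex, ...)` from linux/cleanup.h, which did not exist when 5.15 was released; unless the cleanup.h infrastructure has already been backported to this 5.15 tree, the patch will not build and should instead be written as an explicit `mutex_lock(&register_mutex);` with a matching `mutex_unlock()` on every return path. The scope-based guard also holds register_mutex for the whole of snd_timer_user_params(), including any helpers it calls that may themselves take register_mutex, which is not visible from the hunk; since the commit message calls this a quick workaround, a comment stating that, e.g. `/* Serialize against snd_timer_free(): keeps tu->timeri alive for the whole ioctl. */`, would help the next maintainer. The function's body continues past the end of the hunk.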
diff --git a/queue-5.15/arm-9474-1-io-avoid-kasan-instrumentation-of-raw-halfword-i-o.patch b/queue-5.15/arm-9474-1-io-avoid-kasan-instrumentation-of-raw-halfword-i-o.patch
new file mode 100644 (file)
index 0000000..f437211
--- /dev/null
@@ -0,0 +1,57 @@
+From d59ed803715a71fb9582e139d648ece8d66dc743 Mon Sep 17 00:00:00 2001
+From: Karl Mehltretter <kmehltretter@gmail.com>
+Date: Sun, 24 May 2026 06:52:36 +0100
+Subject: ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O
+
+From: Karl Mehltretter <kmehltretter@gmail.com>
+
+commit d59ed803715a71fb9582e139d648ece8d66dc743 upstream.
+
+For CPUs before ARMv6, __raw_readw() and __raw_writew() are implemented
+as C volatile halfword accesses so the compiler can generate an access
+sequence that is safe for those machines. With KASAN enabled, those C
+accesses are instrumented as normal memory accesses.
+
+That is not valid for MMIO. On ARM926/VersatilePB with KASAN enabled,
+PL011 probing traps in __asan_store2() while registering the UART, because
+the instrumented writew() tries to check KASAN shadow for an MMIO address.
+
+Keep the existing volatile halfword access, but move the ARMv5 definitions
+into __no_kasan_or_inline functions so raw MMIO halfword accesses are not
+instrumented by KASAN. The ARMv6-and-newer inline assembly path is
+unchanged.
+
+Fixes: 421015713b30 ("ARM: 9017/2: Enable KASan for ARM")
+Cc: stable@vger.kernel.org # v5.11+
+Signed-off-by: Karl Mehltretter <kmehltretter@gmail.com>
+Reviewed-by: Linus Walleij <linusw@kernel.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/include/asm/io.h |   15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/include/asm/io.h
++++ b/arch/arm/include/asm/io.h
+@@ -56,8 +56,19 @@ void __raw_readsl(const volatile void __
+  * the bus. Rather than special-case the machine, just let the compiler
+  * generate the access for CPUs prior to ARMv6.
+  */
+-#define __raw_readw(a)         (__chk_io_ptr(a), *(volatile unsigned short __force *)(a))
+-#define __raw_writew(v,a)      ((void)(__chk_io_ptr(a), *(volatile unsigned short __force *)(a) = (v)))
++#define __raw_writew __raw_writew
++static __no_kasan_or_inline void __raw_writew(u16 val, volatile void __iomem *addr)
++{
++      __chk_io_ptr(addr);
++      *(volatile unsigned short __force *)addr = val;
++}
++
++#define __raw_readw __raw_readw
++static __no_kasan_or_inline u16 __raw_readw(const volatile void __iomem *addr)
++{
++      __chk_io_ptr(addr);
++      return *(const volatile unsigned short __force *)addr;
++}
+ #else
+ /*
+  * When running under a hypervisor, we want to avoid I/O accesses with
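Review bot: The two new accessors carry no comment saying why they are `__no_kasan_or_inline` rather than plain `static inline`, and the reason (an MMIO address has no KASAN shadow, so an instrumented access traps, per the commit message) is not obvious from the code; a one-line comment above `__raw_writew()`, `/* MMIO has no KASAN shadow: keep these halfword accesses uninstrumented. */`, keeps that rationale next to the code. The `#define __raw_writew __raw_writew` idiom follows the asm-generic/io.h convention and reads fine here. The macro-to-function change narrows the stored value to `u16` at the call boundary, which matches the previous `volatile unsigned short` store on the removed line, so it is not a behaviour change.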
diff --git a/queue-5.15/arm-socfpga-fix-of-node-refcount-leak-in-smp-setup.patch b/queue-5.15/arm-socfpga-fix-of-node-refcount-leak-in-smp-setup.patch
new file mode 100644 (file)
index 0000000..a961ded
--- /dev/null
@@ -0,0 +1,39 @@
+From 63838c323924fe4a78b2323bd45aa1030f72ca60 Mon Sep 17 00:00:00 2001
+From: Yuho Choi <dbgh9129@gmail.com>
+Date: Sun, 24 May 2026 22:47:09 -0400
+Subject: ARM: socfpga: Fix OF node refcount leak in SMP setup
+
+From: Yuho Choi <dbgh9129@gmail.com>
+
+commit 63838c323924fe4a78b2323bd45aa1030f72ca60 upstream.
+
+socfpga_smp_prepare_cpus() looks up the Cortex-A9 SCU node with
+of_find_compatible_node(), which returns a node reference that must be
+released with of_node_put().
+
+The function maps the SCU registers and then returns without dropping
+that reference, leaking the node on both the success path and the
+of_iomap() failure path.
+
+Drop the reference once the mapping attempt is complete. The returned
+MMIO mapping does not depend on keeping the device node reference held.
+
+Fixes: 122694a0c712 ("ARM: socfpga: use of_iomap to map the SCU")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-socfpga/platsmp.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/mach-socfpga/platsmp.c
++++ b/arch/arm/mach-socfpga/platsmp.c
+@@ -78,6 +78,7 @@ static void __init socfpga_smp_prepare_c
+       }
+       socfpga_scu_base_addr = of_iomap(np, 0);
++      of_node_put(np);
+       if (!socfpga_scu_base_addr)
+               return;
+       scu_enable(socfpga_scu_base_addr);
diff --git a/queue-5.15/bnxt_en-fix-null-pointer-dereference.patch b/queue-5.15/bnxt_en-fix-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..eda43cd
--- /dev/null
@@ -0,0 +1,45 @@
+From d930276f2cddd0b7294cac7a8fe7b877f6d9e08d Mon Sep 17 00:00:00 2001
+From: Kyle Meyer <kyle.meyer@hpe.com>
+Date: Fri, 5 Jun 2026 17:25:24 -0500
+Subject: bnxt_en: Fix NULL pointer dereference
+
+From: Kyle Meyer <kyle.meyer@hpe.com>
+
+commit d930276f2cddd0b7294cac7a8fe7b877f6d9e08d upstream.
+
+PCIe errors detected by a Root Port or Downstream Port cause error
+recovery services to run on all subordinate devices regardless of
+administrative state.
+
+The .error_detected() callback, bnxt_io_error_detected(), disables
+and synchronizes IRQs via bnxt_disable_int_sync(), which calls
+bnxt_cp_num_to_irq_num() to map completion rings to IRQs using
+bp->bnapi.
+
+Since bp->bnapi is allocated on NIC open and freed on NIC close, PCIe
+error recovery on a closed NIC can dereference a NULL pointer.
+
+Check if bp->bnapi is NULL before disabling and synchronizing IRQs.
+
+Fixes: e5811b8c09df ("bnxt_en: Add IRQ remapping logic.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kyle Meyer <kyle.meyer@hpe.com>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Link: https://patch.msgid.link/aiNM1CY2-StPilxW@hpe.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -4552,7 +4552,7 @@ static void bnxt_disable_int_sync(struct
+ {
+       int i;
+-      if (!bp->irq_tbl)
++      if (!bp->irq_tbl || !bp->bnapi)
+               return;
+       atomic_inc(&bp->intr_sem);
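Review bot: The added `!bp->bnapi` test is a plain read of a pointer that the commit message says is freed on NIC close, and nothing in the hunk shows what serialises it against a concurrent close; if bnxt_io_error_detected() runs under rtnl_lock() as the open/close paths do, the test is sound, but that should be confirmed for this tree, because the check alone does not stop bnapi being freed between the test and its later use in bnxt_cp_num_to_irq_num(). A comment on the condition would also make the intent visible to readers who have not seen the commit message, e.g. `/* bnapi only exists while the NIC is open; PCIe error recovery may run on a closed NIC. */`. bnxt_disable_int_sync() continues past the end of the hunk.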
diff --git a/queue-5.15/drm-amd-display-reject-gpio_bitshift-32-in-bios_parser_get_gpio_pin_info.patch b/queue-5.15/drm-amd-display-reject-gpio_bitshift-32-in-bios_parser_get_gpio_pin_info.patch
new file mode 100644 (file)
index 0000000..8b650ec
--- /dev/null
@@ -0,0 +1,48 @@
+From 49c3da65961fe9857c831d47fa1989084e87514a Mon Sep 17 00:00:00 2001
+From: Harry Wentland <harry.wentland@amd.com>
+Date: Tue, 5 May 2026 11:50:07 -0400
+Subject: drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info()
+
+From: Harry Wentland <harry.wentland@amd.com>
+
+commit 49c3da65961fe9857c831d47fa1989084e87514a upstream.
+
+[Why & How]
+gpio_bitshift is a uint8_t read directly from the VBIOS GPIO pin table.
+If the value is >= 32, the expression "1 << gpio_bitshift" triggers
+undefined behaviour in C (shift count exceeds type width). On x86 the
+shift is silently masked to 5 bits, producing an incorrect GPIO mask
+that may cause wrong MMIO register bits to be toggled.
+
+Validate gpio_bitshift before use and return BP_RESULT_BADBIOSTABLE for
+out-of-range values.
+
+Fixes: ae79c310b1a6 ("drm/amd/display: Add DCE12 bios parser support")
+Assisted-by: Copilot:claude-opus-4.6
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Ray Wu <ray.wu@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit eadf438ab8d370b9d19acee9359918c85afeb80d)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
++++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+@@ -547,8 +547,10 @@ static enum bp_result bios_parser_get_gp
+               info->offset_en = info->offset + 1;
+               info->offset_mask = info->offset - 1;
+-              info->mask = (uint32_t) (1 <<
+-                      header->gpio_pin[i].gpio_bitshift);
++              if (header->gpio_pin[i].gpio_bitshift >= 32)
++                      return BP_RESULT_BADBIOSTABLE;
++
++              info->mask = 1u << header->gpio_pin[i].gpio_bitshift;
+               info->mask_y = info->mask + 2;
+               info->mask_en = info->mask + 1;
+               info->mask_mask = info->mask - 1;
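Review bot: The new bounds check sits after `info->offset`, `info->offset_en` and `info->offset_mask` have already been written, so a bad VBIOS table returns BP_RESULT_BADBIOSTABLE with `info` partially populated; moving the `gpio_bitshift >= 32` test above those assignments (ideally to the top of the matching-pin branch) would leave the caller's struct untouched on the error path. The switch from `(uint32_t)(1 << …)` to `1u << …` is correct and removes the signed shift; `mask_mask = mask - 1` still yields 0 for a bitshift of 0, which is pre-existing behaviour and not changed here. The enclosing loop and function start and end outside the hunk.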
diff --git a/queue-5.15/ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch b/queue-5.15/ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch
new file mode 100644 (file)
index 0000000..5ae3bdf
--- /dev/null
@@ -0,0 +1,58 @@
+From 29e7b925ae6df64894e82ab6419994dc25580a8a Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Tue, 2 Jun 2026 15:46:42 -0400
+Subject: IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 29e7b925ae6df64894e82ab6419994dc25580a8a upstream.
+
+In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done()
+computes the login request payload length as wc->byte_len minus
+ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int.
+A remote iSER initiator can post a login Send work request carrying
+fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows
+and login_req_len becomes negative.
+
+isert_rx_login_req() then reads that negative length back into a signed
+int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the
+min() is signed it keeps the negative value; the value is then passed as
+the memcpy() length and sign-extended to a multi-gigabyte size_t. The
+copy into the 8192-byte login->req_buf runs far out of bounds and
+faults, crashing the target node. The login phase precedes iSCSI
+authentication, so no credentials are required to reach this path.
+
+Reject any login PDU shorter than ISER_HEADERS_LEN before the
+subtraction, mirroring the existing early return on a failed work
+completion, so login_req_len can never go negative. The upper bound was
+already safe: a posted login buffer cannot deliver more than
+ISER_RX_PAYLOAD_SIZE, so the difference stays at or below
+MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing
+lower bound needs to be added.
+
+Fixes: b8d26b3be8b3 ("iser-target: Add iSCSI Extensions for RDMA (iSER) target driver")
+Link: https://patch.msgid.link/r/20260602194642.2273217-1-michael.bommarito@gmail.com
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-8
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/isert/ib_isert.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -1388,6 +1388,12 @@ isert_login_recv_done(struct ib_cq *cq,
+       ib_dma_sync_single_for_cpu(ib_dev, isert_conn->login_desc->dma_addr,
+                       ISER_RX_SIZE, DMA_FROM_DEVICE);
++      if (unlikely(wc->byte_len < ISER_HEADERS_LEN)) {
++              isert_dbg("login request length %u is too short\n",
++                        wc->byte_len);
++              return;
++      }
++
+       isert_conn->login_req_len = wc->byte_len - ISER_HEADERS_LEN;
+       if (isert_conn->conn) {
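Review bot: The early return on a short login PDU logs at `isert_dbg` level only, so a peer sending malformed login PDUs (which the commit message notes needs no credentials) leaves no trace on a production target; a rate-limited `isert_warn`, e.g. `isert_warn("login request length %u too short, dropping\n", wc->byte_len);`, would be more appropriate for an unauthenticated-path rejection. The return also leaves the login receive buffer unreposted and the connection in place, so the initiator will stall until its own timeout; if that matches the existing failed-completion path it is acceptable, but a comment should say so. `login_req_len` stays a signed `int`, so this lower bound is the only thing preventing a negative length; changing it to `u32` would be cheap defence in depth. The enclosing function continues outside the hunk.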
diff --git a/queue-5.15/mptcp-fix-retransmission-loop-when-csum-is-enabled.patch b/queue-5.15/mptcp-fix-retransmission-loop-when-csum-is-enabled.patch
new file mode 100644 (file)
index 0000000..5f0168c
--- /dev/null
@@ -0,0 +1,42 @@
+From d1918b36edcaed0ec4ef6888b2358c6b1ddcff47 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 2 Jun 2026 22:14:09 +1000
+Subject: mptcp: fix retransmission loop when csum is enabled
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit d1918b36edcaed0ec4ef6888b2358c6b1ddcff47 upstream.
+
+Sashiko noted that retransmission with csum enabled can actually
+transmit new data, but currently the relevant code does not update
+accordingly snd_nxt.
+
+The may cause incoming ack drop and an endless retransmission loop.
+
+Address the issue incrementing snd_nxt as needed.
+
+Fixes: 4e14867d5e91 ("mptcp: tune re-injections for csum enabled mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-2-856831229976@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -2539,6 +2539,10 @@ static void __mptcp_retrans(struct sock
+       release_sock(ssk);
++      /* With csum enabled retransmission can send new data. */
++      if (after64(dfrag->already_sent + dfrag->data_seq, msk->snd_nxt))
++              WRITE_ONCE(msk->snd_nxt, dfrag->already_sent + dfrag->data_seq);
++
+ reset_timer:
+       if (!mptcp_rtx_timer_pending(sk))
+               mptcp_reset_rtx_timer(sk);
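Review bot: The end-of-fragment sequence `dfrag->already_sent + dfrag->data_seq` is computed twice in the new block; hoisting it into a local, `u64 snd_end = dfrag->data_seq + dfrag->already_sent;`, and using it in both the `after64()` test and the `WRITE_ONCE()` reads more clearly and keeps the two expressions from drifting apart in a later change. The block runs after `release_sock(ssk)` and dereferences `dfrag` without a NULL test, which is fine only if the earlier part of __mptcp_retrans() (outside the hunk) has already bailed out when no fragment is pending, as the surrounding code suggests but the hunk does not show.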
diff --git a/queue-5.15/mptcp-sockopt-check-timestamping-ret-value.patch b/queue-5.15/mptcp-sockopt-check-timestamping-ret-value.patch
new file mode 100644 (file)
index 0000000..618ce08
--- /dev/null
@@ -0,0 +1,53 @@
+From 57132affbc89c02e1bf73fdf5724311bdc9a29da Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Tue, 2 Jun 2026 22:14:14 +1000
+Subject: mptcp: sockopt: check timestamping ret value
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 57132affbc89c02e1bf73fdf5724311bdc9a29da upstream.
+
+sock_set_timestamping() can fail for different reasons. The returned
+value should then be checked.
+
+If sock_set_timestamping() fails for at least one subflow, the first
+error is now reported to the userspace, similar to what is done with
+other socket options.
+
+Fixes: 9061f24bf82e ("mptcp: sockopt: propagate timestamp request to subflows")
+Cc: stable@vger.kernel.org
+Reported-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+Closes: https://lore.kernel.org/willemdebruijn.kernel.178a41a53d041@gmail.com
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-7-856831229976@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/sockopt.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/mptcp/sockopt.c
++++ b/net/mptcp/sockopt.c
+@@ -231,15 +231,19 @@ static int mptcp_setsockopt_sol_socket_t
+       mptcp_for_each_subflow(msk, subflow) {
+               struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
++              int err;
+               lock_sock(ssk);
+-              sock_set_timestamping(ssk, optname, timestamping);
++              err = sock_set_timestamping(ssk, optname, timestamping);
+               release_sock(ssk);
++
++              if (err < 0 && ret == 0)
++                      ret = err;
+       }
+       release_sock(sk);
+-      return 0;
++      return ret;
+ }
+ static int mptcp_setsockopt_sol_socket_linger(struct mptcp_sock *msk, sockptr_t optval,
diff --git a/queue-5.15/pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch b/queue-5.15/pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch
new file mode 100644 (file)
index 0000000..13f8113
--- /dev/null
@@ -0,0 +1,46 @@
+From 62c4d31d78294bd61cf3403626b789e854357177 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <brauner@kernel.org>
+Date: Mon, 18 May 2026 10:32:11 +0200
+Subject: pidfd: refuse access to tasks that have started exiting harder
+
+From: Christian Brauner <brauner@kernel.org>
+
+commit 62c4d31d78294bd61cf3403626b789e854357177 upstream.
+
+The recent ptrace fix closed a hole where someone could rely on task->mm
+becoming NULL during do_exit() to bypass dumpability checks. This api
+here leans on on the very same check and so inherits the fix.
+
+But there is no good reason to let it succeed at all once the target has
+entered do_exit(). PF_EXITING is set by exit_signals() at the very top
+of do_exit(), before exit_mm() and exit_files() run. Once we observe it,
+the task is committed to dying and exit_files() will release the fdtable
+shortly.
+
+Fixes: 8649c322f75c ("pid: Implement pidfd_getfd syscall")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260518-obgleich-petersilie-2d77ccccf9b9@brauner
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/pid.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/kernel/pid.c
++++ b/kernel/pid.c
+@@ -637,10 +637,12 @@ static struct file *__pidfd_fget(struct
+       if (ret)
+               return ERR_PTR(ret);
+-      if (ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS))
+-              file = fget_task(task, fd);
+-      else
++      if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS))
+               file = ERR_PTR(-EPERM);
++      else if (task->flags & PF_EXITING)
++              file = ERR_PTR(-ESRCH);
++      else
++              file = fget_task(task, fd);
+       up_read(&task->signal->exec_update_lock);
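Review bot: The `task->flags & PF_EXITING` test is a plain snapshot: PF_EXITING is set by exit_signals() at the top of do_exit() per the commit message, and nothing in the hunk shows that `exec_update_lock` orders that write against this read, so a task can start exiting immediately after the check and the lookup still proceeds into fget_task() racing with exit_files(); since the commit presents this as hardening, a comment should say it is best-effort, e.g. `/* Best effort: the task may start exiting right after this check; the fget_task() path must still tolerate that. */`. Putting the ptrace check before the PF_EXITING check is the right order, because it stops callers without ptrace access from learning whether an unrelated task is exiting via the -ESRCH/-EPERM distinction; that reasoning deserves a comment as well. The enclosing function starts outside the hunk.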
diff --git a/queue-5.15/rdma-srp-bound-srp_rsp-sense-copy-by-the-received-length.patch b/queue-5.15/rdma-srp-bound-srp_rsp-sense-copy-by-the-received-length.patch
new file mode 100644 (file)
index 0000000..7971573
--- /dev/null
@@ -0,0 +1,93 @@
+From 13e91fd076306f5d0cdfa14f53d69e37274723c4 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Tue, 2 Jun 2026 18:04:57 -0400
+Subject: RDMA/srp: bound SRP_RSP sense copy by the received length
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 13e91fd076306f5d0cdfa14f53d69e37274723c4 upstream.
+
+srp_process_rsp() copies sense data from rsp->data + resp_data_len,
+where resp_data_len is the full 32-bit value supplied by the SRP target
+and is never checked against the number of bytes actually received
+(wc->byte_len). The copy length is bounded to SCSI_SENSE_BUFFERSIZE, so
+at most 96 bytes are copied, but the source offset is not bounded.
+
+A malicious or compromised SRP target on the InfiniBand/RoCE fabric that
+the initiator has logged into can return an SRP_RSP with
+SRP_RSP_FLAG_SNSVALID set and a large resp_data_len. The receive buffer
+is allocated at the target-chosen max_ti_iu_len, so the source of the
+sense copy lands past the bytes actually received; with resp_data_len
+near 0xFFFFFFFF it is gigabytes past the buffer and the read faults.
+
+Copy the sense data only if it has not been truncated, that is, only if
+the response header, the response data, and the sense region fit within
+the bytes actually received; otherwise drop the sense and log. The
+in-tree iSER and NVMe-RDMA receive paths already bound their parse by
+wc->byte_len; this brings ib_srp into line with them.
+
+Fixes: aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator")
+Link: https://patch.msgid.link/r/20260602220457.2542840-1-michael.bommarito@gmail.com
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-8
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/srp/ib_srp.c |   30 ++++++++++++++++++++++++------
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -1929,7 +1929,8 @@ static int srp_post_recv(struct srp_rdma
+       return ib_post_recv(ch->qp, &wr, NULL);
+ }
+-static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp)
++static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp,
++                          u32 byte_len)
+ {
+       struct srp_target_port *target = ch->target;
+       struct srp_request *req;
+@@ -1970,10 +1971,27 @@ static void srp_process_rsp(struct srp_r
+               scmnd->result = rsp->status;
+               if (rsp->flags & SRP_RSP_FLAG_SNSVALID) {
+-                      memcpy(scmnd->sense_buffer, rsp->data +
+-                             be32_to_cpu(rsp->resp_data_len),
+-                             min_t(int, be32_to_cpu(rsp->sense_data_len),
+-                                   SCSI_SENSE_BUFFERSIZE));
++                      u32 resp_len = be32_to_cpu(rsp->resp_data_len);
++                      u32 sense_len = be32_to_cpu(rsp->sense_data_len);
++
++                      /*
++                       * The sense data starts resp_data_len bytes past the
++                       * response data area; both lengths come from the
++                       * target-controlled response.  Copy the sense data
++                       * only if it has not been truncated, that is, only if
++                       * the full sense region fits within the bytes actually
++                       * received.  Otherwise the copy source would run past
++                       * the receive buffer (sized to the target-chosen
++                       * max_ti_iu_len), reading out of bounds.
++                       */
++                      if (sizeof(*rsp) + (u64)resp_len + sense_len <= byte_len)
++                              memcpy(scmnd->sense_buffer,
++                                     rsp->data + resp_len,
++                                     min(sense_len, SCSI_SENSE_BUFFERSIZE));
++                      else
++                              shost_printk(KERN_ERR, target->scsi_host,
++                                           "dropping truncated sense data (resp_data_len %u sense_data_len %u, %u bytes received)\n",
++                                           resp_len, sense_len, byte_len);
+               }
+               if (unlikely(rsp->flags & SRP_RSP_FLAG_DIUNDER))
+@@ -2083,7 +2101,7 @@ static void srp_recv_done(struct ib_cq *
+       switch (opcode) {
+       case SRP_RSP:
+-              srp_process_rsp(ch, iu->buf);
++              srp_process_rsp(ch, iu->buf, wc->byte_len);
+               break;
+       case SRP_CRED_REQ:
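Review bot: `min(sense_len, SCSI_SENSE_BUFFERSIZE)` mixes a `u32` with an `int` constant; upstream's minmax.h accepts that since the non-negative-constant relaxation, but the 5.15 `min()` still uses the strict `__typecheck` and will emit a "comparison of distinct pointer types lacks a cast" warning (the removed line used `min_t(int, …)` for exactly that reason), so this backport should use `min_t(u32, sense_len, SCSI_SENSE_BUFFERSIZE)` unless this tree's minmax.h has been updated too. The bound `sizeof(*rsp) + (u64)resp_len + sense_len <= byte_len` is evaluated in 64 bits, so two target-controlled 32-bit lengths cannot wrap it, which is the important property here. The `shost_printk(KERN_ERR, …)` on the reject path is not rate limited and is reachable from the fabric on every response, so a hostile target can flood the log; guarding it with `printk_ratelimit()` or a rate-limited dev printk on the host device would be safer. srp_recv_done() starts outside the hunk.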
index a5e85324a330c6458266d3c10293180de6f9e900..d44a597275d0d9721faae52461f612450d9ba7f8 100644 (file)
@@ -201,3 +201,19 @@ drm-vc4-fix-krealloc-memory-leak.patch
 netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
 bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
 drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
+xfrm-espintcp-do-not-reuse-an-in-progress-partial-send.patch
+usb-serial-io_ti-fix-heap-overflow-in-get_manuf_info.patch
+usb-serial-io_ti-fix-heap-overflow-in-build_i2c_fw_hdr.patch
+usb-serial-option-add-usb-id-for-dell-wireless-dw5826e-m.patch
+usb-serial-kl5kusb105-fix-bulk-out-buffer-overflow.patch
+alsa-timer-fix-uaf-at-snd_timer_user_params.patch
+drm-amd-display-reject-gpio_bitshift-32-in-bios_parser_get_gpio_pin_info.patch
+rdma-srp-bound-srp_rsp-sense-copy-by-the-received-length.patch
+arm-socfpga-fix-of-node-refcount-leak-in-smp-setup.patch
+arm-9474-1-io-avoid-kasan-instrumentation-of-raw-halfword-i-o.patch
+mptcp-fix-retransmission-loop-when-csum-is-enabled.patch
+mptcp-sockopt-check-timestamping-ret-value.patch
+vsock-vmci-fix-sk_ack_backlog-leak-on-failed-handshake.patch
+bnxt_en-fix-null-pointer-dereference.patch
+ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch
+pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch
diff --git a/queue-5.15/usb-serial-io_ti-fix-heap-overflow-in-build_i2c_fw_hdr.patch b/queue-5.15/usb-serial-io_ti-fix-heap-overflow-in-build_i2c_fw_hdr.patch
new file mode 100644 (file)
index 0000000..caed31e
--- /dev/null
@@ -0,0 +1,45 @@
+From 0fd2b00b2d3d05e3eaa13342b3dfb0fa85c226ae Mon Sep 17 00:00:00 2001
+From: Adrian Korwel <adriank20047@gmail.com>
+Date: Mon, 25 May 2026 09:58:32 -0500
+Subject: USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
+
+From: Adrian Korwel <adriank20047@gmail.com>
+
+commit 0fd2b00b2d3d05e3eaa13342b3dfb0fa85c226ae upstream.
+
+build_i2c_fw_hdr() allocates a fixed-size buffer of
+(16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then
+copies le16_to_cpu(img_header->Length) bytes into it without
+validating that Length fits within the available space after the
+firmware record header.
+
+img_header->Length is a __le16 from the firmware file and can be
+up to 65535. check_fw_sanity() validates the total firmware size
+but not img_header->Length specifically.
+
+Fix by rejecting images where img_header->Length exceeds the
+available destination space.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Adrian Korwel <adriank20047@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/io_ti.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -843,6 +843,11 @@ static int build_i2c_fw_hdr(u8 *header,
+       /* Pointer to fw_down memory image */
+       img_header = (struct ti_i2c_image_header *)&fw->data[4];
++      if (le16_to_cpu(img_header->Length) >
++                      buffer_size - sizeof(struct ti_i2c_firmware_rec)) {
++              kfree(buffer);
++              return -EINVAL;
++      }
+       memcpy(buffer + sizeof(struct ti_i2c_firmware_rec),
+               &fw->data[4 + sizeof(struct ti_i2c_image_header)],
+               le16_to_cpu(img_header->Length));
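Review bot: The rejection path returns -EINVAL silently, while the sibling get_manuf_info() fix in this same batch logs a `dev_err()` with the offending length; an oversized firmware image is a user-diagnosable condition, so logging it here too, e.g. `dev_err(dev, "firmware image too large: %u bytes\n", le16_to_cpu(img_header->Length));` with whatever device pointer build_i2c_fw_hdr() has in scope, would keep the two fixes consistent. The check bounds only the destination; the source read of the same length from `fw->data` is safe only if check_fw_sanity() (outside the hunk) still ties `Length` to `fw->size` in this tree, which is worth re-confirming for the backport. A comment explaining the bound, `/* Length comes from the firmware file; it must fit after the firmware_rec header in the fixed-size buffer. */`, would make the intent clear. build_i2c_fw_hdr() starts and ends outside the hunk.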
diff --git a/queue-5.15/usb-serial-io_ti-fix-heap-overflow-in-get_manuf_info.patch b/queue-5.15/usb-serial-io_ti-fix-heap-overflow-in-get_manuf_info.patch
new file mode 100644 (file)
index 0000000..3bf3c6c
--- /dev/null
@@ -0,0 +1,51 @@
+From 183c1076eca43bbb3e7bdf597456f91d81c73e74 Mon Sep 17 00:00:00 2001
+From: Adrian Korwel <adriank20047@gmail.com>
+Date: Mon, 25 May 2026 09:58:31 -0500
+Subject: USB: serial: io_ti: fix heap overflow in get_manuf_info()
+
+From: Adrian Korwel <adriank20047@gmail.com>
+
+commit 183c1076eca43bbb3e7bdf597456f91d81c73e74 upstream.
+
+get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
+device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
+is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.
+
+The Size field comes from the device and is only validated (in
+check_i2c_image()) to make sure the descriptor fits within
+TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size.
+A malicious USB device can therefore set Size to any value up to 16377,
+causing a heap overflow of up to 16367 bytes when plugged into a host
+running this driver.
+
+valid_csum() is called after read_rom() and also iterates
+buffer[0..Size-1], compounding the out-of-bounds access.
+
+Fix by rejecting descriptors with unexpected length before calling
+read_rom().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Adrian Korwel <adriank20047@gmail.com>
+[ johan: amend commit message; also check for short descriptors ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/io_ti.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -772,6 +772,12 @@ static int get_manuf_info(struct edgepor
+       }
+       /* Read the descriptor data */
++      if (le16_to_cpu(rom_desc->Size) != sizeof(struct edge_ti_manuf_descriptor)) {
++              dev_err(dev, "unexpected Edge descriptor length: %u\n",
++                      le16_to_cpu(rom_desc->Size));
++              status = -EINVAL;
++              goto exit;
++      }
+       status = read_rom(serial, start_address+sizeof(struct ti_i2c_desc),
+                                       le16_to_cpu(rom_desc->Size), buffer);
+       if (status)
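Review bot: The new guard converts rom_desc->Size twice (once in the comparison, once in the dev_err argument) and the read_rom() call right below converts it a third time; hoisting it into a local such as `u16 size = le16_to_cpu(rom_desc->Size);` and then `if (size != sizeof(struct edge_ti_manuf_descriptor))` keeps the check and the read visibly bound to the same value. The exact-equality test is the right shape because `buffer` holds exactly one edge_ti_manuf_descriptor, so a longer, device-supplied descriptor must be refused as well as a short one; a comment stating that (`/* buffer is sized for exactly one manuf descriptor; reject any other Size */`) would spare the next reader from loosening it to `>` for forward compatibility. get_manuf_info() starts and ends outside the hunk, so I am assuming the `exit` label releases the buffer allocated before this point.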
diff --git a/queue-5.15/usb-serial-kl5kusb105-fix-bulk-out-buffer-overflow.patch b/queue-5.15/usb-serial-kl5kusb105-fix-bulk-out-buffer-overflow.patch
new file mode 100644 (file)
index 0000000..20ce788
--- /dev/null
@@ -0,0 +1,61 @@
+From 96d47e40bf9db4a9efd5c8fb53287a508d165f14 Mon Sep 17 00:00:00 2001
+From: HyeongJun An <sammiee5311@gmail.com>
+Date: Mon, 8 Jun 2026 18:09:26 +0900
+Subject: USB: serial: kl5kusb105: fix bulk-out buffer overflow
+
+From: HyeongJun An <sammiee5311@gmail.com>
+
+commit 96d47e40bf9db4a9efd5c8fb53287a508d165f14 upstream.
+
+klsi_105_prepare_write_buffer() is called by the generic write path
+with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It
+stores a two-byte length header at the start of the buffer and copies
+the payload from the write fifo starting at buf + KLSI_HDR_LEN, but
+passes the full buffer size as the number of bytes to copy:
+
+  count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
+                           size, &port->lock);
+
+When the fifo holds at least size bytes, size bytes are copied starting
+two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
+end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for
+the header as safe_serial already does.
+
+Writing bulk_out_size or more bytes to the tty triggers a slab
+out-of-bounds write, observed with KASAN by emulating the device with
+dummy_hcd and raw-gadget:
+
+  BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0
+  Write of size 64 at addr ffff888112c62202 by task python3
+   kfifo_copy_out
+   klsi_105_prepare_write_buffer [kl5kusb105]
+   usb_serial_generic_write_start [usbserial]
+  Allocated by task 139:
+   usb_serial_probe [usbserial]
+  The buggy address is located 2 bytes inside of allocated 64-byte region
+
+The out-of-bounds write no longer occurs with this change applied.
+
+Fixes: 60b3013cdaf3 ("USB: kl5usb105: reimplement using generic framework")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-8
+Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/kl5kusb105.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/kl5kusb105.c
++++ b/drivers/usb/serial/kl5kusb105.c
+@@ -357,8 +357,8 @@ static int klsi_105_prepare_write_buffer
+       unsigned char *buf = dest;
+       int count;
+-      count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size,
+-                                                              &port->lock);
++      count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
++                               size - KLSI_HDR_LEN, &port->lock);
+       put_unaligned_le16(count, buf);
+       return count + KLSI_HDR_LEN;
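Review bot: `size - KLSI_HDR_LEN` wraps if `size` is ever smaller than the two-byte header, and nothing in the hunk establishes a lower bound; the function signature and the type of `size` are outside the hunk. If the bulk-out buffer size can come from a device-reported wMaxPacketSize rather than a driver constant, a guard such as `if (size < KLSI_HDR_LEN) return 0;` ahead of the kfifo_out_locked() call keeps a hostile descriptor from turning a fixed 2-byte overrun into an unbounded one; if the driver pins bulk_out_size to 64 as the commit message implies, a one-line comment next to the subtraction recording that assumption is enough. Either guard or comment also explains why `count + KLSI_HDR_LEN` in the return cannot exceed `size`.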
diff --git a/queue-5.15/usb-serial-option-add-usb-id-for-dell-wireless-dw5826e-m.patch b/queue-5.15/usb-serial-option-add-usb-id-for-dell-wireless-dw5826e-m.patch
new file mode 100644 (file)
index 0000000..ad79a2c
--- /dev/null
@@ -0,0 +1,71 @@
+From 1938fb9fe38c4f04a3f30bea44f8071c80a63be4 Mon Sep 17 00:00:00 2001
+From: Jack Wu <jackbb_wu@compal.com>
+Date: Thu, 4 Jun 2026 10:04:40 +0800
+Subject: USB: serial: option: add usb-id for Dell Wireless DW5826e-m
+
+From: Jack Wu <jackbb_wu@compal.com>
+
+commit 1938fb9fe38c4f04a3f30bea44f8071c80a63be4 upstream.
+
+Add support for Dell DW5826e-m with USB-id 0x413c:0x81ea
+
+T:  Bus=03 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#=  8 Spd=480  MxCh= 0
+D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
+P:  Vendor=413c ProdID=81ea Rev= 5.04
+S:  Manufacturer=DELL
+S:  Product=DW5826e-m Qualcomm Snapdragon X12 Global LTE-A
+S:  SerialNumber=358988870177734
+C:* #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
+A:  FirstIf#=12 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
+E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
+E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+E:  Ad=87(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
+I:* If#=12 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
+E:  Ad=88(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
+I:  If#=13 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+I:* If#=13 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+E:  Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Signed-off-by: Jack Wu <jackbb_wu@compal.com>
+Reviewed-by: Lars Melin <larsm17@gmail>
+Cc: stable@vger.kernel.org
+[ johan: reserve also interface 4 ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -202,6 +202,7 @@ static void option_instat_callback(struc
+ #define DELL_PRODUCT_5821E_ESIM                       0x81e0
+ #define DELL_PRODUCT_5829E_ESIM                       0x81e4
+ #define DELL_PRODUCT_5829E                    0x81e6
++#define DELL_PRODUCT_5826E_ESIM                       0x81ea
+ #define DELL_PRODUCT_FM101R_ESIM              0x8213
+ #define DELL_PRODUCT_FM101R                   0x8215
+@@ -1123,6 +1124,8 @@ static const struct usb_device_id option
+         .driver_info = RSVD(0) | RSVD(6) },
+       { USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5829E_ESIM),
+         .driver_info = RSVD(0) | RSVD(6) },
++      { USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_5826E_ESIM, 0xff),
++        .driver_info = RSVD(1) | RSVD(4) },
+       { USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_FM101R, 0xff) },
+       { USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_FM101R_ESIM, 0xff) },
+       { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_E100A) },   /* ADU-E100, ADU-310 */
diff --git a/queue-5.15/vsock-vmci-fix-sk_ack_backlog-leak-on-failed-handshake.patch b/queue-5.15/vsock-vmci-fix-sk_ack_backlog-leak-on-failed-handshake.patch
new file mode 100644 (file)
index 0000000..fd0be61
--- /dev/null
@@ -0,0 +1,53 @@
+From c05fa14db43ebef3bd862ca9d073981c0358b3f0 Mon Sep 17 00:00:00 2001
+From: Raf Dickson <rafdog35@gmail.com>
+Date: Tue, 26 May 2026 10:43:56 +0000
+Subject: vsock/vmci: fix sk_ack_backlog leak on failed handshake
+
+From: Raf Dickson <rafdog35@gmail.com>
+
+commit c05fa14db43ebef3bd862ca9d073981c0358b3f0 upstream.
+
+When vmci_transport_recv_connecting_server() returns an error,
+vmci_transport_recv_listen() calls vsock_remove_pending() but never
+calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented
+permanently.
+
+Repeated handshake failures (malformed packets, queue pair alloc
+failure, event subscribe failure) cause sk_ack_backlog to climb
+toward sk_max_ack_backlog. Once it reaches the limit the listener
+permanently refuses all new connections with -ECONNREFUSED, a
+silent denial of service requiring a process restart to recover.
+
+The two existing sk_acceptq_removed() calls in af_vsock.c do not
+cover this path: line 764 checks vsock_is_pending() which returns
+false after vsock_remove_pending(), and line 1889 is only reached
+on successful accept().
+
+Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on
+the error path.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Cc: stable@vger.kernel.org
+Signed-off-by: Raf Dickson <rafdog35@gmail.com>
+Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20260526104356.469928-1-rafdog35@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/vmci_transport.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -972,8 +972,10 @@ static int vmci_transport_recv_listen(st
+                       err = -EINVAL;
+               }
+-              if (err < 0)
++              if (err < 0) {
+                       vsock_remove_pending(sk, pending);
++                      sk_acceptq_removed(sk);
++              }
+               release_sock(pending);
+               vmci_transport_release_pending(pending);
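Review bot: The added sk_acceptq_removed() has no comment tying it to the sk_acceptq_added() performed when `pending` was queued earlier in vmci_transport_recv_listen(), above the hunk, and that unpaired accounting is exactly what went unnoticed since the original VSOCK commit; a one-line note such as `/* Undo the sk_acceptq_added() done when pending was queued on sk. */` would make the pairing visible to the next person touching either site. The `err = -EINVAL` at the top of the hunk belongs to an else branch whose opening is outside the hunk, so I am assuming both the connecting-server failure and the unexpected-packet case now reach the new decrement while the listener is still locked by the caller.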
diff --git a/queue-5.15/xfrm-espintcp-do-not-reuse-an-in-progress-partial-send.patch b/queue-5.15/xfrm-espintcp-do-not-reuse-an-in-progress-partial-send.patch
new file mode 100644 (file)
index 0000000..123da66
--- /dev/null
@@ -0,0 +1,59 @@
+From c381039ade2e161ab08c0eda73c4f8b9a7115928 Mon Sep 17 00:00:00 2001
+From: Wyatt Feng <bronzed_45_vested@icloud.com>
+Date: Wed, 3 Jun 2026 00:46:27 +0800
+Subject: xfrm: espintcp: do not reuse an in-progress partial send
+
+From: Wyatt Feng <bronzed_45_vested@icloud.com>
+
+commit c381039ade2e161ab08c0eda73c4f8b9a7115928 upstream.
+
+espintcp keeps a single in-flight transmit in ctx->partial.
+Before building a new sk_msg, espintcp_sendmsg() first tries to flush
+that state through espintcp_push_msgs().
+
+For blocking callers, espintcp_push_msgs() may return success even when
+the previous partial send is still pending. espintcp_sendmsg() would
+then reinitialize emsg->skmsg and reuse ctx->partial while the old
+transfer still owns that state.
+
+Do not rebuild the send message when ctx->partial is still in progress.
+If espintcp_push_msgs() returns with emsg->len still set, fail the new
+send instead of overwriting the live partial state.
+
+This is a memory-safety fix: reusing the live partial-send state can
+leave a stale offset attached to a new sk_msg and lead to an out-of-
+bounds read in the send path.
+
+tcp_sendmsg_locked() already handles waiting for send buffer memory, so
+the fix here is just to preserve espintcp's one-message-at-a-time
+transmit state.
+
+Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Assisted-by: Codex:GPT-5.4
+Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/espintcp.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/xfrm/espintcp.c
++++ b/net/xfrm/espintcp.c
+@@ -342,6 +342,10 @@ static int espintcp_sendmsg(struct sock
+                       err = -ENOBUFS;
+               goto unlock;
+       }
++      if (emsg->len) {
++              err = -ENOBUFS;
++              goto unlock;
++      }
+       sk_msg_init(&emsg->skmsg);
+       while (1) {