--- /dev/null
+From 053a401b592be424fea9d57c789f66cd5d8cec11 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sat, 6 Jun 2026 18:11:41 +0200
+Subject: ALSA: timer: Fix UAF at snd_timer_user_params()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 053a401b592be424fea9d57c789f66cd5d8cec11 upstream.
+
+At releasing a timer object, e.g. when a userspace timer
+(CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it
+tries to detach the timer instances and release the resources.
+However, it's still possible that other in-flight tasks are holding
+the timer instance where the to-be-deleted timer object is associated,
+and this may lead to racy accesses.
+
+Fortunately, most of ioctls dealing with the timer instance list
+already have the protection with register_mutex, and this also avoids
+such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the
+concurrent ioctl may lead to use-after-free.
+
+This patch just adds the guard with register_mutex to protect
+snd_timer_user_params() for covering the code path as a quick
+workaround. It's no hot-path but rather a rarely issued ioctl, so the
+performance penalty doesn't matter.
+
+Reported-by: Kyle Zeng <kylebot@openai.com>
+Tested-by: Kyle Zeng <kylebot@openai.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20260606161145.1933447-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1791,6 +1791,7 @@ static int snd_timer_user_params(struct
+ struct snd_timer *t;
+ int err;
+
++ guard(mutex)(®ister_mutex);
+ tu = file->private_data;
+ if (!tu->timeri)
+ return -EBADFD;
--- /dev/null
+From da3039e91d1f835874ed6e9a33ea19ee80c2cb92 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sat, 6 Jun 2026 18:11:40 +0200
+Subject: ALSA: timer: Forcibly close timer instances at closing
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit da3039e91d1f835874ed6e9a33ea19ee80c2cb92 upstream.
+
+When snd_timer object is freed via snd_timer_free() and still pending
+snd_timer_instance objects are assigned to the timer object, it tries
+to unlink all instances and just set NULL to each ti->timer, then
+releases the resources immediately. The problem is, however, when
+there are slave timer instances that are associated with a master
+instance linked to this timer: namely, those slave instances still
+point to the freed timer object although the master instance is
+unlinked, which may lead to user-after-free. The bug can be easily
+triggered particularly when a new userspace-driven timers
+(CONFIG_SND_UTIMER) is involved, since it can create and delete the
+timer object via a simple file open/close, while the other
+applications may keep accessing to that timer.
+
+This patch is an attempt to paper over the problem above: now instead
+of just unlinking, call snd_timer_close[_locked]() forcibly for each
+pending timer instance, so that all assigned slave timer instances are
+properly detached, too. Since snd_timer_close() might be called later
+by the driver that created that instance, the check of
+SNDRV_TIMER_IFLG_DEAD is added at the beginning, too.
+
+Reported-by: Kyle Zeng <kylebot@openai.com>
+Tested-by: Kyle Zeng <kylebot@openai.com>
+Fixes: 37745918e0e7 ("ALSA: timer: Introduce virtual userspace-driven timers")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260606161145.1933447-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/timer.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -422,6 +422,8 @@ static void snd_timer_close_locked(struc
+
+ if (timer) {
+ guard(spinlock_irq)(&timer->lock);
++ if (timeri->flags & SNDRV_TIMER_IFLG_DEAD)
++ return; /* already closed */
+ timeri->flags |= SNDRV_TIMER_IFLG_DEAD;
+ }
+
+@@ -964,18 +966,18 @@ EXPORT_SYMBOL(snd_timer_new);
+
+ static int snd_timer_free(struct snd_timer *timer)
+ {
++ struct snd_timer_instance *ti, *n;
++
+ if (!timer)
+ return 0;
+
+ guard(mutex)(®ister_mutex);
+ if (! list_empty(&timer->open_list_head)) {
+- struct list_head *p, *n;
+- struct snd_timer_instance *ti;
+- pr_warn("ALSA: timer %p is busy?\n", timer);
+- list_for_each_safe(p, n, &timer->open_list_head) {
+- list_del_init(p);
+- ti = list_entry(p, struct snd_timer_instance, open_list);
+- ti->timer = NULL;
++ list_for_each_entry_safe(ti, n, &timer->open_list_head, open_list) {
++ struct device *card_dev_to_put = NULL;
++
++ snd_timer_close_locked(ti, &card_dev_to_put);
++ put_device(card_dev_to_put);
+ }
+ }
+ list_del(&timer->device_list);
--- /dev/null
+From d59ed803715a71fb9582e139d648ece8d66dc743 Mon Sep 17 00:00:00 2001
+From: Karl Mehltretter <kmehltretter@gmail.com>
+Date: Sun, 24 May 2026 06:52:36 +0100
+Subject: ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O
+
+From: Karl Mehltretter <kmehltretter@gmail.com>
+
+commit d59ed803715a71fb9582e139d648ece8d66dc743 upstream.
+
+For CPUs before ARMv6, __raw_readw() and __raw_writew() are implemented
+as C volatile halfword accesses so the compiler can generate an access
+sequence that is safe for those machines. With KASAN enabled, those C
+accesses are instrumented as normal memory accesses.
+
+That is not valid for MMIO. On ARM926/VersatilePB with KASAN enabled,
+PL011 probing traps in __asan_store2() while registering the UART, because
+the instrumented writew() tries to check KASAN shadow for an MMIO address.
+
+Keep the existing volatile halfword access, but move the ARMv5 definitions
+into __no_kasan_or_inline functions so raw MMIO halfword accesses are not
+instrumented by KASAN. The ARMv6-and-newer inline assembly path is
+unchanged.
+
+Fixes: 421015713b30 ("ARM: 9017/2: Enable KASan for ARM")
+Cc: stable@vger.kernel.org # v5.11+
+Signed-off-by: Karl Mehltretter <kmehltretter@gmail.com>
+Reviewed-by: Linus Walleij <linusw@kernel.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/include/asm/io.h | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/include/asm/io.h
++++ b/arch/arm/include/asm/io.h
+@@ -56,8 +56,19 @@ void __raw_readsl(const volatile void __
+ * the bus. Rather than special-case the machine, just let the compiler
+ * generate the access for CPUs prior to ARMv6.
+ */
+-#define __raw_readw(a) (__chk_io_ptr(a), *(volatile unsigned short __force *)(a))
+-#define __raw_writew(v,a) ((void)(__chk_io_ptr(a), *(volatile unsigned short __force *)(a) = (v)))
++#define __raw_writew __raw_writew
++static __no_kasan_or_inline void __raw_writew(u16 val, volatile void __iomem *addr)
++{
++ __chk_io_ptr(addr);
++ *(volatile unsigned short __force *)addr = val;
++}
++
++#define __raw_readw __raw_readw
++static __no_kasan_or_inline u16 __raw_readw(const volatile void __iomem *addr)
++{
++ __chk_io_ptr(addr);
++ return *(const volatile unsigned short __force *)addr;
++}
+ #else
+ /*
+ * When running under a hypervisor, we want to avoid I/O accesses with
--- /dev/null
+From 77a1f6883dc6e837bb2cb30b9b02e2f94338e2c6 Mon Sep 17 00:00:00 2001
+From: Karl Mehltretter <kmehltretter@gmail.com>
+Date: Sun, 24 May 2026 06:52:35 +0100
+Subject: ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow
+
+From: Karl Mehltretter <kmehltretter@gmail.com>
+
+commit 77a1f6883dc6e837bb2cb30b9b02e2f94338e2c6 upstream.
+
+Commit 44e9a3bb76e5 ("ARM: 9430/1: entry: Do a dummy read from
+VMAP shadow") added a dummy read from the KASAN VMAP stack shadow in
+__switch_to(). The read uses ldr, but the KASAN shadow address is
+byte-granular and is not guaranteed to be word aligned.
+
+ARMv5 faults unaligned word loads. With CONFIG_KASAN_VMALLOC and
+CONFIG_VMAP_STACK enabled, ARM926/VersatilePB crashes in __switch_to()
+with an alignment exception before reaching init.
+
+Use ldrb for the dummy shadow access. The code only needs to fault in the
+shadow mapping if the stack shadow is missing, so a byte load is sufficient
+and matches the granularity of KASAN shadow memory.
+
+Fixes: 44e9a3bb76e5 ("ARM: 9430/1: entry: Do a dummy read from VMAP shadow")
+Cc: stable@vger.kernel.org # v6.13+
+Signed-off-by: Karl Mehltretter <kmehltretter@gmail.com>
+Reviewed-by: Linus Walleij <linusw@kernel.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/kernel/entry-armv.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/entry-armv.S
++++ b/arch/arm/kernel/entry-armv.S
+@@ -567,7 +567,7 @@ ENTRY(__switch_to)
+ @ are using KASAN
+ mov_l r2, KASAN_SHADOW_OFFSET
+ add r2, r2, ip, lsr #KASAN_SHADOW_SCALE_SHIFT
+- ldr r2, [r2]
++ ldrb r2, [r2]
+ #endif
+ #endif
+
--- /dev/null
+From 63838c323924fe4a78b2323bd45aa1030f72ca60 Mon Sep 17 00:00:00 2001
+From: Yuho Choi <dbgh9129@gmail.com>
+Date: Sun, 24 May 2026 22:47:09 -0400
+Subject: ARM: socfpga: Fix OF node refcount leak in SMP setup
+
+From: Yuho Choi <dbgh9129@gmail.com>
+
+commit 63838c323924fe4a78b2323bd45aa1030f72ca60 upstream.
+
+socfpga_smp_prepare_cpus() looks up the Cortex-A9 SCU node with
+of_find_compatible_node(), which returns a node reference that must be
+released with of_node_put().
+
+The function maps the SCU registers and then returns without dropping
+that reference, leaking the node on both the success path and the
+of_iomap() failure path.
+
+Drop the reference once the mapping attempt is complete. The returned
+MMIO mapping does not depend on keeping the device node reference held.
+
+Fixes: 122694a0c712 ("ARM: socfpga: use of_iomap to map the SCU")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-socfpga/platsmp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/mach-socfpga/platsmp.c
++++ b/arch/arm/mach-socfpga/platsmp.c
+@@ -78,6 +78,7 @@ static void __init socfpga_smp_prepare_c
+ }
+
+ socfpga_scu_base_addr = of_iomap(np, 0);
++ of_node_put(np);
+ if (!socfpga_scu_base_addr)
+ return;
+ scu_enable(socfpga_scu_base_addr);
--- /dev/null
+From c594b83457ccdee76d458416fb3bc9348a37592f Mon Sep 17 00:00:00 2001
+From: Alistair Popple <apopple@nvidia.com>
+Date: Thu, 21 May 2026 13:27:30 +1000
+Subject: arm64: mm: call pagetable dtor when freeing hot-removed page tables
+
+From: Alistair Popple <apopple@nvidia.com>
+
+commit c594b83457ccdee76d458416fb3bc9348a37592f upstream.
+
+Since 5e8eb9aeeda3 ("arm64: mm: always call PTE/PMD ctor in
+__create_pgd_mapping()") page-table allocation on ARM64 always calls
+pagetable_{pte,pmd,pud,p4d}_ctor(). This sets the page_type to
+PGTY_table, increments NR_PAGETABLE and possible allocates a PTL. However
+the matching pagetable_dtor() calls were never added.
+
+With DEBUG_VM enabled on kernel versions prior to v6.17 without
+2dfcd1608f3a9 ("mm/page_alloc: let page freeing clear any set page type")
+this leads to the following warning when freeing these pages due to
+page->page_type sharing page->_mapcount:
+
+ BUG: Bad page state in process ... pfn:284fbb
+ page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x284fbb
+ flags: 0x17fffc000000000(node=0|zone=2|lastcpupid=0x1ffff)
+ page_type: f2(table)
+ page dumped because: nonzero mapcount
+ Call trace:
+ bad_page+0x13c/0x160
+ __free_frozen_pages+0x6cc/0x860
+ ___free_pages+0xf4/0x180
+ free_pages+0x54/0x80
+ free_hotplug_page_range.part.0+0x58/0x90
+ free_empty_tables+0x438/0x500
+ __remove_pgd_mapping.constprop.0+0x60/0xa8
+ arch_remove_memory+0x48/0x80
+ try_remove_memory+0x158/0x1d8
+ offline_and_remove_memory+0x138/0x180
+
+It can also lead to leaking the ptl allocation if ALLOC_SPLIT_PTLOCKS is
+defined and incorrect NR_PAGETABLE stats. Fix this by calling
+pagetable_dtor() in free_hotplug_pgtable_page() prior to freeing the page
+to undo the effects of calling pagetable_*_ctor().
+
+Link: https://lore.kernel.org/20260521032730.2104017-1-apopple@nvidia.com
+Fixes: 5e8eb9aeeda3 ("arm64: mm: always call PTE/PMD ctor in __create_pgd_mapping()")
+Signed-off-by: Alistair Popple <apopple@nvidia.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: David Hildenbrand <david@kernel.org>
+Cc: Will Deacon <will@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/mmu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/mm/mmu.c
++++ b/arch/arm64/mm/mmu.c
+@@ -1447,6 +1447,7 @@ static void free_hotplug_page_range(stru
+
+ static void free_hotplug_pgtable_page(struct page *page)
+ {
++ pagetable_dtor(page_ptdesc(page));
+ free_hotplug_page_range(page, PAGE_SIZE, NULL);
+ }
+
--- /dev/null
+From 4790af1cc2e8871fb31f28c66e42b9a949a23992 Mon Sep 17 00:00:00 2001
+From: Chancel Liu <chancel.liu@nxp.com>
+Date: Mon, 1 Jun 2026 17:33:27 +0900
+Subject: ASoC: fsl_sai: Fix 32 slots TDM broken by integer shift UB in xMR write
+
+From: Chancel Liu <chancel.liu@nxp.com>
+
+commit 4790af1cc2e8871fb31f28c66e42b9a949a23992 upstream.
+
+When configuring 32 slots TDM (channels == slots == 32), the xMR
+(Mask Register) write used:
+~0UL - ((1 << min(channels, slots)) - 1)
+
+The literal "1" is a signed 32-bit int. Shifting it by 32 positions is
+undefined behaviour which may set this register to 0xFFFFFFFF, masking
+all 32 slots.
+
+Use GENMASK_U32() macro instead. For 32 slots this produces a zero mask:
+~GENMASK_U32(31, 0) = ~0xFFFFFFFF = 0x00000000
+Behaviour for fewer than 32 slots is unchanged.
+
+Fixes: 770f58d7d2c5 ("ASoC: fsl_sai: Support multiple data channel enable bits")
+Cc: stable@vger.kernel.org
+Signed-off-by: Chancel Liu <chancel.liu@nxp.com>
+Reviewed-by: Shengjiu Wang <shengjiu.wang@gmail.com>
+Link: https://patch.msgid.link/20260601083327.1535185-1-chancel.liu@oss.nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/fsl/fsl_sai.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -746,7 +746,7 @@ static int fsl_sai_hw_params(struct snd_
+ FSL_SAI_CR4_FSD_MSTR, FSL_SAI_CR4_FSD_MSTR);
+
+ regmap_write(sai->regmap, FSL_SAI_xMR(tx),
+- ~0UL - ((1 << min(channels, slots)) - 1));
++ ~GENMASK_U32(min(channels, slots) - 1, 0));
+
+ return 0;
+ }
--- /dev/null
+From d930276f2cddd0b7294cac7a8fe7b877f6d9e08d Mon Sep 17 00:00:00 2001
+From: Kyle Meyer <kyle.meyer@hpe.com>
+Date: Fri, 5 Jun 2026 17:25:24 -0500
+Subject: bnxt_en: Fix NULL pointer dereference
+
+From: Kyle Meyer <kyle.meyer@hpe.com>
+
+commit d930276f2cddd0b7294cac7a8fe7b877f6d9e08d upstream.
+
+PCIe errors detected by a Root Port or Downstream Port cause error
+recovery services to run on all subordinate devices regardless of
+administrative state.
+
+The .error_detected() callback, bnxt_io_error_detected(), disables
+and synchronizes IRQs via bnxt_disable_int_sync(), which calls
+bnxt_cp_num_to_irq_num() to map completion rings to IRQs using
+bp->bnapi.
+
+Since bp->bnapi is allocated on NIC open and freed on NIC close, PCIe
+error recovery on a closed NIC can dereference a NULL pointer.
+
+Check if bp->bnapi is NULL before disabling and synchronizing IRQs.
+
+Fixes: e5811b8c09df ("bnxt_en: Add IRQ remapping logic.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kyle Meyer <kyle.meyer@hpe.com>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Link: https://patch.msgid.link/aiNM1CY2-StPilxW@hpe.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -5629,7 +5629,7 @@ static void bnxt_disable_int_sync(struct
+ {
+ int i;
+
+- if (!bp->irq_tbl)
++ if (!bp->irq_tbl || !bp->bnapi)
+ return;
+
+ atomic_inc(&bp->intr_sem);
--- /dev/null
+From 49c3da65961fe9857c831d47fa1989084e87514a Mon Sep 17 00:00:00 2001
+From: Harry Wentland <harry.wentland@amd.com>
+Date: Tue, 5 May 2026 11:50:07 -0400
+Subject: drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info()
+
+From: Harry Wentland <harry.wentland@amd.com>
+
+commit 49c3da65961fe9857c831d47fa1989084e87514a upstream.
+
+[Why & How]
+gpio_bitshift is a uint8_t read directly from the VBIOS GPIO pin table.
+If the value is >= 32, the expression "1 << gpio_bitshift" triggers
+undefined behaviour in C (shift count exceeds type width). On x86 the
+shift is silently masked to 5 bits, producing an incorrect GPIO mask
+that may cause wrong MMIO register bits to be toggled.
+
+Validate gpio_bitshift before use and return BP_RESULT_BADBIOSTABLE for
+out-of-range values.
+
+Fixes: ae79c310b1a6 ("drm/amd/display: Add DCE12 bios parser support")
+Assisted-by: Copilot:claude-opus-4.6
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Ray Wu <ray.wu@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit eadf438ab8d370b9d19acee9359918c85afeb80d)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
++++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+@@ -700,8 +700,10 @@ static enum bp_result bios_parser_get_gp
+ info->offset_en = info->offset + 1;
+ info->offset_mask = info->offset - 1;
+
+- info->mask = (uint32_t) (1 <<
+- header->gpio_pin[i].gpio_bitshift);
++ if (header->gpio_pin[i].gpio_bitshift >= 32)
++ return BP_RESULT_BADBIOSTABLE;
++
++ info->mask = 1u << header->gpio_pin[i].gpio_bitshift;
+ info->mask_y = info->mask + 2;
+ info->mask_en = info->mask + 1;
+ info->mask_mask = info->mask - 1;
--- /dev/null
+From 3f26bb732cc136ab20176697c92f32c9c84cb125 Mon Sep 17 00:00:00 2001
+From: Wentao Liang <vulab@iscas.ac.cn>
+Date: Sun, 7 Jun 2026 09:03:03 +0000
+Subject: drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+commit 3f26bb732cc136ab20176697c92f32c9c84cb125 upstream.
+
+dma_fence_unwrap_for_each() internally calls dma_fence_unwrap_first()
+which does cursor->chain = dma_fence_get(head), taking an extra
+reference. On normal loop completion, dma_fence_unwrap_next()
+releases this via dma_fence_chain_walk() -> dma_fence_put().
+
+When virtio_gpu_do_fence_wait() fails and the function returns early
+from inside the loop, the cursor->chain reference is never released.
+This is the only caller in the entire kernel that does an early return
+inside dma_fence_unwrap_for_each.
+
+Add dma_fence_put(itr.chain) before the early return.
+
+Cc: stable@vger.kernel.org
+Fixes: eba57fb5498f ("drm/virtio: Wait for each dma-fence of in-fence array individually")
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Link: https://patch.msgid.link/20260607090303.92423-1-vulab@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_submit.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/virtio/virtgpu_submit.c
++++ b/drivers/gpu/drm/virtio/virtgpu_submit.c
+@@ -65,8 +65,10 @@ static int virtio_gpu_dma_fence_wait(str
+
+ dma_fence_unwrap_for_each(f, &itr, fence) {
+ err = virtio_gpu_do_fence_wait(submit, f);
+- if (err)
++ if (err) {
++ dma_fence_put(itr.chain);
+ return err;
++ }
+ }
+
+ return 0;
--- /dev/null
+From 40ab6644b99685755f740b872c00ef40d9aa870e Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 3 Jun 2026 21:31:57 +0200
+Subject: fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()
+
+From: Jann Horn <jannh@google.com>
+
+commit 40ab6644b99685755f740b872c00ef40d9aa870e upstream.
+
+may_decode_fh() accesses mount::mnt_ns without holding any locks; that
+means the mount can concurrently be unmounted, and the mnt_namespace can
+concurrently be freed after an RCU grace period.
+
+This race can happens as follows, assuming that the mount point was
+created by open_tree(..., OPEN_TREE_CLONE):
+
+thread 1 thread 2 RCU
+ __do_sys_open_by_handle_at
+ do_handle_open
+ handle_to_path
+ may_decode_fh
+ is_mounted
+ [mount::mnt_ns access]
+ [mount::mnt_ns access]
+__do_sys_close
+ fput_close_sync
+ __fput
+ dissolve_on_fput
+ umount_tree
+ class_namespace_excl_destructor
+ namespace_unlock
+ free_mnt_ns
+ mnt_ns_tree_remove
+ call_rcu(mnt_ns_release_rcu)
+ mnt_ns_release_rcu
+ mnt_ns_release
+ kfree
+ [mnt_namespace::user_ns access] **UAF**
+
+Fix it by taking rcu_read_lock() around the mount::mnt_ns access, like
+in __prepend_path().
+Additionally, document the semantics of mount::mnt_ns, and use WRITE_ONCE()
+for writers that can race with lockless readers.
+
+This bug is unreachable unless one of the following is set:
+
+ - CONFIG_PREEMPTION
+ - CONFIG_RCU_STRICT_GRACE_PERIOD
+
+because it requires an RCU grace period to happen during a syscall without
+an explicit preemption.
+
+This doesn't seem to have interesting security impact; worst-case, it could
+leak the result of an integer comparison to userspace (from the level
+check in cap_capable()), cause an endless loop, or crash the kernel by
+dereferencing an invalid address.
+
+Fixes: 620c266f3949 ("fhandle: relax open_by_handle_at() permission checks")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Link: https://patch.msgid.link/20260603-vfs-fhandle-uaf-fix-v2-1-d05db76a5084@google.com
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fhandle.c | 16 ++++++++++++++--
+ fs/mount.h | 10 +++++++++-
+ fs/namespace.c | 6 +++---
+ 3 files changed, 26 insertions(+), 6 deletions(-)
+
+--- a/fs/fhandle.c
++++ b/fs/fhandle.c
+@@ -287,6 +287,19 @@ static int do_handle_to_path(struct file
+ return 0;
+ }
+
++static bool capable_wrt_mount(struct mount *mount)
++{
++ struct mnt_namespace *mnt_ns;
++
++ /*
++ * For ->mnt_ns access.
++ * The following READ_ONCE() is semantically rcu_dereference().
++ */
++ guard(rcu)();
++ mnt_ns = READ_ONCE(mount->mnt_ns);
++ return ns_capable(mnt_ns->user_ns, CAP_SYS_ADMIN);
++}
++
+ static inline int may_decode_fh(struct handle_to_path_ctx *ctx,
+ unsigned int o_flags)
+ {
+@@ -322,8 +335,7 @@ static inline int may_decode_fh(struct h
+ if (ns_capable(root->mnt->mnt_sb->s_user_ns, CAP_SYS_ADMIN))
+ ctx->flags = HANDLE_CHECK_PERMS;
+ else if (is_mounted(root->mnt) &&
+- ns_capable(real_mount(root->mnt)->mnt_ns->user_ns,
+- CAP_SYS_ADMIN) &&
++ capable_wrt_mount(real_mount(root->mnt)) &&
+ !has_locked_children(real_mount(root->mnt), root->dentry))
+ ctx->flags = HANDLE_CHECK_PERMS | HANDLE_CHECK_SUBTREE;
+ else
+--- a/fs/mount.h
++++ b/fs/mount.h
+@@ -69,7 +69,15 @@ struct mount {
+ struct hlist_head mnt_slave_list;/* list of slave mounts */
+ struct hlist_node mnt_slave; /* slave list entry */
+ struct mount *mnt_master; /* slave is on master->mnt_slave_list */
+- struct mnt_namespace *mnt_ns; /* containing namespace */
++ /*
++ * Containing namespace (active or deactivating, non-refcounted).
++ * Normally protected by namespace_sem.
++ * Can also be accessed locklessly under RCU. RCU readers can't rely on
++ * the namespace still being active, but implicitly hold a passive
++ * reference (because an RCU delay happens between a namespace being
++ * deactivated and the corresponding passive refcount drop).
++ */
++ struct mnt_namespace *mnt_ns;
+ struct mountpoint *mnt_mp; /* where is it mounted */
+ union {
+ struct hlist_node mnt_mp_list; /* list mounts with the same mountpoint */
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1085,7 +1085,7 @@ static void mnt_add_to_ns(struct mnt_nam
+ bool mnt_first_node = true, mnt_last_node = true;
+
+ WARN_ON(mnt_ns_attached(mnt));
+- mnt->mnt_ns = ns;
++ WRITE_ONCE(mnt->mnt_ns, ns);
+ while (*link) {
+ parent = *link;
+ if (mnt->mnt_id_unique < node_to_mount(parent)->mnt_id_unique) {
+@@ -1434,7 +1434,7 @@ EXPORT_SYMBOL(mntget);
+ void mnt_make_shortterm(struct vfsmount *mnt)
+ {
+ if (mnt)
+- real_mount(mnt)->mnt_ns = NULL;
++ WRITE_ONCE(real_mount(mnt)->mnt_ns, NULL);
+ }
+
+ /**
+@@ -1806,7 +1806,7 @@ static void umount_tree(struct mount *mn
+ ns->nr_mounts--;
+ __touch_mnt_namespace(ns);
+ }
+- p->mnt_ns = NULL;
++ WRITE_ONCE(p->mnt_ns, NULL);
+ if (how & UMOUNT_SYNC)
+ p->mnt.mnt_flags |= MNT_SYNC_UMOUNT;
+
--- /dev/null
+From 29e7b925ae6df64894e82ab6419994dc25580a8a Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Tue, 2 Jun 2026 15:46:42 -0400
+Subject: IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 29e7b925ae6df64894e82ab6419994dc25580a8a upstream.
+
+In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done()
+computes the login request payload length as wc->byte_len minus
+ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int.
+A remote iSER initiator can post a login Send work request carrying
+fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows
+and login_req_len becomes negative.
+
+isert_rx_login_req() then reads that negative length back into a signed
+int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the
+min() is signed it keeps the negative value; the value is then passed as
+the memcpy() length and sign-extended to a multi-gigabyte size_t. The
+copy into the 8192-byte login->req_buf runs far out of bounds and
+faults, crashing the target node. The login phase precedes iSCSI
+authentication, so no credentials are required to reach this path.
+
+Reject any login PDU shorter than ISER_HEADERS_LEN before the
+subtraction, mirroring the existing early return on a failed work
+completion, so login_req_len can never go negative. The upper bound was
+already safe: a posted login buffer cannot deliver more than
+ISER_RX_PAYLOAD_SIZE, so the difference stays at or below
+MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing
+lower bound needs to be added.
+
+Fixes: b8d26b3be8b3 ("iser-target: Add iSCSI Extensions for RDMA (iSER) target driver")
+Link: https://patch.msgid.link/r/20260602194642.2273217-1-michael.bommarito@gmail.com
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-8
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -1385,6 +1385,12 @@ isert_login_recv_done(struct ib_cq *cq,
+ ib_dma_sync_single_for_cpu(ib_dev, isert_conn->login_desc->dma_addr,
+ ISER_RX_SIZE, DMA_FROM_DEVICE);
+
++ if (unlikely(wc->byte_len < ISER_HEADERS_LEN)) {
++ isert_dbg("login request length %u is too short\n",
++ wc->byte_len);
++ return;
++ }
++
+ isert_conn->login_req_len = wc->byte_len - ISER_HEADERS_LEN;
+
+ if (isert_conn->conn) {
--- /dev/null
+From 32594b09854970d7ba83eb2dc8c69a2edd158c8e Mon Sep 17 00:00:00 2001
+From: Hyunwoo Kim <imv4bel@gmail.com>
+Date: Tue, 2 Jun 2026 19:21:05 +0900
+Subject: inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+commit 32594b09854970d7ba83eb2dc8c69a2edd158c8e upstream.
+
+On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and
+flushes every fragment queue that is not yet complete using
+inet_frag_queue_flush(). That helper frees all the skbs queued on the
+fragment queue but does not set INET_FRAG_COMPLETE, and leaves
+q->fragments_tail and q->last_run_head pointing at the freed skbs.
+The queue itself stays in the rhashtable.
+
+fqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups,
+but it cannot stop a fragment that already obtained the queue through
+inet_frag_find() earlier and stalled just before taking the queue lock.
+Once that fragment resumes after the flush and takes the queue lock,
+it passes the INET_FRAG_COMPLETE check and then dereferences the freed
+fragments_tail. inet_frag_queue_insert() reads FRAG_CB() and ->len of
+that pointer and, on the append path, writes ->next_frag, causing a
+slab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly
+share the same flush path and are affected as well.
+
+Reset rb_fragments, fragments_tail and last_run_head in
+inet_frag_queue_flush() so a flushed queue no longer points at the
+freed skbs. A fragment that resumes after the flush and takes the
+queue lock then finds an empty queue and starts a new run instead of
+dereferencing the freed fragments_tail. ip_frag_reinit() already
+performed this reset after its own flush, so drop the now duplicate
+code there.
+
+Cc: stable@vger.kernel.org
+Fixes: 006a5035b495 ("inet: frags: flush pending skbs in fqdir_pre_exit()")
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Link: https://patch.msgid.link/ah6ukYq5G98LshdA@v4bel
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/inet_fragment.c | 3 +++
+ net/ipv4/ip_fragment.c | 3 ---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/inet_fragment.c
++++ b/net/ipv4/inet_fragment.c
+@@ -328,6 +328,9 @@ void inet_frag_queue_flush(struct inet_f
+ reason = reason ?: SKB_DROP_REASON_FRAG_REASM_TIMEOUT;
+ sum = inet_frag_rbtree_purge(&q->rb_fragments, reason);
+ sub_frag_mem_limit(q->fqdir, sum);
++ q->rb_fragments = RB_ROOT;
++ q->fragments_tail = NULL;
++ q->last_run_head = NULL;
+ }
+ EXPORT_SYMBOL(inet_frag_queue_flush);
+
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -250,9 +250,6 @@ static int ip_frag_reinit(struct ipq *qp
+ qp->q.flags = 0;
+ qp->q.len = 0;
+ qp->q.meat = 0;
+- qp->q.rb_fragments = RB_ROOT;
+- qp->q.fragments_tail = NULL;
+- qp->q.last_run_head = NULL;
+ qp->iif = 0;
+ qp->ecn = 0;
+
--- /dev/null
+From ed46f39c47eb5530a9c161481a2080d3a869cfaf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Cl=C3=A9ment=20L=C3=A9ger?= <cleger@meta.com>
+Date: Thu, 4 Jun 2026 09:07:13 -0700
+Subject: io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Léger <cleger@meta.com>
+
+commit ed46f39c47eb5530a9c161481a2080d3a869cfaf upstream.
+
+When a bundle recv retries inside io_recv_finish(), the merge logic OR
+the saved cflags from the previous iteration with the cflags returned by
+the new iteration:
+ cflags = req->cqe.flags | (cflags & CQE_F_MASK);
+
+Bits listed in CQE_F_MASK are inherited from the new iteration, and all
+other bits (notably IORING_CQE_F_BUFFER and the buffer ID) come from the
+saved cflags. Before this change CQE_F_MASK covered only
+IORING_CQE_F_SOCK_NONEMPTY and IORING_CQE_F_MORE.
+
+When using provided buffer rings (IOU_PBUF_RING_INC) with incremental
+mode, and bundle recv, io_kbuf_inc_commit() can leave the head ring
+entry partially consumed, __io_put_kbufs() then sets
+IORING_CQE_F_BUF_MORE on the returned cflags so userspace knows the
+buffer ID will be reused for subsequent completions.
+
+Because IORING_CQE_F_BUF_MORE was not in CQE_F_MASK, the merge above
+silently dropped it whenever the final retry iteration partially
+consumed the buffer, and the subsequent req->cqe.flags = cflags &
+~CQE_F_MASK save would have left a stale IORING_CQE_F_BUF_MORE in the
+carried-over cflags had one been present. Userspace would then
+wrongfully advance it ring head past an entry the kernel still uses.
+
+Add IORING_CQE_F_BUF_MORE to CQE_F_MASK so it is both inherited from the
+new iteration into the user-visible CQE and stripped from the saved
+cflags between iterations.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Clément Léger <cleger@meta.com>
+Assisted-by: Claude:claude-opus-4.6
+Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental buffer consumption")
+Link: https://patch.msgid.link/20260604160715.2482972-1-cleger@meta.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -839,7 +839,8 @@ int io_recvmsg_prep(struct io_kiocb *req
+ }
+
+ /* bits to clear in old and inherit in new cflags on bundle retry */
+-#define CQE_F_MASK (IORING_CQE_F_SOCK_NONEMPTY|IORING_CQE_F_MORE)
++#define CQE_F_MASK (IORING_CQE_F_SOCK_NONEMPTY|IORING_CQE_F_MORE|\
++ IORING_CQE_F_BUF_MORE)
+
+ /*
+ * Finishes io_recv and io_recvmsg.
--- /dev/null
+From f580d27e8928828693df44ba2db0fffdbe11dfea Mon Sep 17 00:00:00 2001
+From: Gil Portnoy <dddhkts1@gmail.com>
+Date: Mon, 1 Jun 2026 08:27:56 +0900
+Subject: ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
+
+From: Gil Portnoy <dddhkts1@gmail.com>
+
+commit f580d27e8928828693df44ba2db0fffdbe11dfea upstream.
+
+A deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on
+conn->async_requests via setup_async_work(), with cancel_fn =
+smb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock.
+
+When the request is cancelled, the worker frees the file_lock with
+locks_free_lock() and takes the cancelled early-exit, which "goto out"s and never
+reaches release_async_work() -- the only site that unlinks the work from
+conn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays
+matchable on async_requests with a live cancel_fn pointing at the freed file_lock,
+until connection teardown finally runs release_async_work().
+
+smb2_cancel() fires cancel_fn unconditionally with no state guard, so a second
+SMB2_CANCEL for the same AsyncId, arriving in that window, re-runs
+smb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free:
+
+ BUG: KASAN: slab-use-after-free in __locks_delete_block
+ __locks_delete_block
+ locks_delete_block
+ ksmbd_vfs_posix_lock_unblock
+ smb2_remove_blocked_lock
+ smb2_cancel <- 2nd SMB2_CANCEL fires cancel_fn
+ handle_ksmbd_work
+ Allocated by ...: locks_alloc_lock <- smb2_lock
+ Freed by ...: locks_free_lock <- smb2_lock (cancelled branch)
+ ... cache file_lock_cache of size 192
+
+Reproduced on mainline with KASAN by an authenticated SMB client.
+
+Skip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback
+cannot be fired a second time.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -7328,6 +7328,17 @@ int smb2_cancel(struct ksmbd_work *work)
+ le64_to_cpu(hdr->Id.AsyncId))
+ continue;
+
++ /*
++ * A cancelled deferred byte-range lock frees its
++ * file_lock and takes the smb2_lock() early-exit that
++ * skips release_async_work(), so the work stays on
++ * conn->async_requests with a live cancel_fn pointing
++ * at the freed file_lock. Re-firing it on a second
++ * SMB2_CANCEL is a use-after-free.
++ */
++ if (iter->state == KSMBD_WORK_CANCELLED)
++ break;
++
+ ksmbd_debug(SMB,
+ "smb2 with AsyncId %llu cancelled command = 0x%x\n",
+ le64_to_cpu(hdr->Id.AsyncId),
--- /dev/null
+From d6b8b02a27b3dd09ec12144322b3dac46d9bc9ef Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sj@kernel.org>
+Date: Mon, 25 May 2026 09:22:55 -0700
+Subject: mm/damon/ops-common: call folio_test_lru() after folio_get()
+
+From: SeongJae Park <sj@kernel.org>
+
+commit d6b8b02a27b3dd09ec12144322b3dac46d9bc9ef upstream.
+
+damon_get_folio() speculatively calls folio_test_lru() before
+folio_try_get(). The folio can get freed and reallocated to a tail page.
+In the case, VM_BUG_ON_PGFLAGS() in const_folio_flags() can be triggered.
+Remove the speculative call.
+
+Also mark folio_test_lru() check right after folio_try_get() success as no
+more unlikely.
+
+The race should be rare. Also the problem can happen only if the kernel
+has enabled CONFIG_DEBUG_VM_PGFLAGS. No real world report of this issue
+has been made so far. This fix is based on only theoretical analysis.
+That said, a bug is a bug. A similar issue was also fixed via commit
+3203b3ab0fcf ("mm/filemap: don't call folio_test_locked() without a
+reference in next_uptodate_folio()"). I don't expect this change will
+make a meaningful impact to DAMON performance in the real world, though I
+will be happy to be corrected from the real world reports.
+
+The issue was discovered [1] by Sashiko.
+
+
+Link: https://lore.kernel.org/20260525162256.8317-1-sj@kernel.org
+Link: https://lore.kernel.org/20260517234112.89245-1-sj@kernel.org [1]
+Fixes: 3f49584b262c ("mm/damon: implement primitives for the virtual memory address spaces")
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Cc: Fernand Sieber <sieberf@amazon.com>
+Cc: Leonard Foerster <foersleo@amazon.de>
+Cc: Shakeel Butt <shakeel.butt@linux.dev>
+Cc: <stable@vger.kernel.org> # 5.15.x
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/damon/ops-common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/mm/damon/ops-common.c
++++ b/mm/damon/ops-common.c
+@@ -32,9 +32,9 @@ struct folio *damon_get_folio(unsigned l
+ return NULL;
+
+ folio = page_folio(page);
+- if (!folio_test_lru(folio) || !folio_try_get(folio))
++ if (!folio_try_get(folio))
+ return NULL;
+- if (unlikely(page_folio(page) != folio || !folio_test_lru(folio))) {
++ if (unlikely(page_folio(page) != folio) || !folio_test_lru(folio)) {
+ folio_put(folio);
+ folio = NULL;
+ }
--- /dev/null
+From 8d878059924f12c1bc24556a92ec56add74de3c8 Mon Sep 17 00:00:00 2001
+From: Yin Tirui <yintirui@huawei.com>
+Date: Tue, 26 May 2026 18:13:37 +0800
+Subject: mm/huge_memory: update file PMD counter before folio_put()
+
+From: Yin Tirui <yintirui@huawei.com>
+
+commit 8d878059924f12c1bc24556a92ec56add74de3c8 upstream.
+
+__split_huge_pmd_locked() updates the file/shmem RSS counter after
+dropping the PMD mapping's folio reference. If folio_put() drops the last
+reference, mm_counter_file() can later read freed folio state via
+folio_test_swapbacked().
+
+Move the counter update before folio_put().
+
+Link: https://lore.kernel.org/20260526101337.1984081-1-yintirui@huawei.com
+Fixes: fadae2953072 ("thp: use mm_file_counter to determine update which rss counter")
+Signed-off-by: Yin Tirui <yintirui@huawei.com>
+Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
+Acked-by: David Hildenbrand (arm) <david@kernel.org>
+Reviewed-by: Lance Yang <lance.yang@linux.dev>
+Reviewed-by: Dev Jain <dev.jain@arm.com>
+Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
+Cc: Barry Song <baohua@kernel.org>
+Cc: Chen Jun <chenjun102@huawei.com>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Liam R. Howlett <liam@infradead.org>
+Cc: Nico Pache <npache@redhat.com>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: Vlastimil Babka <vbabka@kernel.org>
+Cc: Yang Shi <yang.shi@linux.alibaba.com>
+Cc: Zi Yan <ziy@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/huge_memory.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -2877,7 +2877,9 @@ static void __split_huge_pmd_locked(stru
+ if (!folio_test_referenced(folio) && pmd_young(old_pmd))
+ folio_set_referenced(folio);
+ folio_remove_rmap_pmd(folio, page, vma);
++ add_mm_counter(mm, mm_counter_file(folio), -HPAGE_PMD_NR);
+ folio_put(folio);
++ return;
+ }
+ add_mm_counter(mm, mm_counter_file(folio), -HPAGE_PMD_NR);
+ return;
--- /dev/null
+From 40990c87a26e371594475acdc560c93cfae308a1 Mon Sep 17 00:00:00 2001
+From: Yin Tirui <yintirui@huawei.com>
+Date: Tue, 26 May 2026 18:13:55 +0800
+Subject: mm/huge_memory: update file PUD counter before folio_put()
+
+From: Yin Tirui <yintirui@huawei.com>
+
+commit 40990c87a26e371594475acdc560c93cfae308a1 upstream.
+
+__split_huge_pud_locked() updates the file/shmem RSS counter after
+dropping the PUD mapping's folio reference. If folio_put() drops the last
+reference, mm_counter_file() can later read freed folio state via
+folio_test_swapbacked().
+
+Move the counter update before folio_put().
+
+Link: https://lore.kernel.org/20260526101355.1984244-1-yintirui@huawei.com
+Fixes: dbe54153296d ("mm/huge_memory: add vmf_insert_folio_pud()")
+Signed-off-by: Yin Tirui <yintirui@huawei.com>
+Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
+Acked-by: David Hildenbrand (arm) <david@kernel.org>
+Reviewed-by: Lance Yang <lance.yang@linux.dev>
+Reviewed-by: Dev Jain <dev.jain@arm.com>
+Cc: Alistair Popple <apopple@nvidia.com>
+Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
+Cc: Barry Song <baohua@kernel.org>
+Cc: Chen Jun <chenjun102@huawei.com>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Liam R. Howlett <liam@infradead.org>
+Cc: Nico Pache <npache@redhat.com>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: Zi Yan <ziy@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/huge_memory.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -2759,9 +2759,9 @@ static void __split_huge_pud_locked(stru
+ if (!folio_test_referenced(folio) && pud_young(old_pud))
+ folio_set_referenced(folio);
+ folio_remove_rmap_pud(folio, page, vma);
+- folio_put(folio);
+ add_mm_counter(vma->vm_mm, mm_counter_file(folio),
+ -HPAGE_PUD_NR);
++ folio_put(folio);
+ }
+
+ void __split_huge_pud(struct vm_area_struct *vma, pud_t *pud,
--- /dev/null
+From bd34fa0257261b76964df1c98f44b3cb4ee14620 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Tue, 2 Jun 2026 22:14:18 +1000
+Subject: mptcp: add-addr: always drop other suboptions
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit bd34fa0257261b76964df1c98f44b3cb4ee14620 upstream.
+
+When an ADD_ADDR needs to be sent, it could be prepared if there is
+enough remaining space and even if the packet is not a pure ACK. But it
+would be dropped soon after.
+
+Indeed, in mptcp_pm_add_addr_signal(), there is enough space to fit a
+DSS of 20 octets and an ADD_ADDR echo containing an IPv4 address on 8
+octets for example. In this case, the packet would be prepared, the
+MPTCP_ADD_ADDR_ECHO bit would be removed from pm->addr_signal, but the
+option would be silently dropped in mptcp_established_options_add_addr()
+not to override DSS info in the union from 'struct mptcp_out_options',
+and also because mptcp_write_options() will enforce mutually exclusion
+with DSS.
+
+Instead, don't even try to send an ADD_ADDR if it is not a pure ACK.
+Retry for each new packet until a pure-ACK is emitted. That's fine to do
+that, because each time an ADD_ADDR (echo) is scheduled, a pure ACK is
+queued.
+
+This also simplifies the code, and the skb checks can be done earlier,
+before the lock.
+
+Note: also, since commit 6d0060f600ad ("mptcp: Write MPTCP DSS headers
+to outgoing data packets"), opts->ahmac would not have been set to 0
+when other suboptions were not dropped, and when sending an ADD_ADDR
+echo. That would have resulted in sending an ADD_ADDR using garbage
+info, where there was not enough space, instead of an echo one without
+the ADD_ADDR HMAC.
+
+Fixes: 1bff1e43a30e ("mptcp: optimize out option generation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-11-856831229976@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/options.c | 30 +++++++-----------------------
+ net/mptcp/pm.c | 15 ++++-----------
+ net/mptcp/protocol.h | 7 +++----
+ 3 files changed, 14 insertions(+), 38 deletions(-)
+
+--- a/net/mptcp/options.c
++++ b/net/mptcp/options.c
+@@ -661,7 +661,6 @@ static bool mptcp_established_options_ad
+ {
+ struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
+ struct mptcp_sock *msk = mptcp_sk(subflow->conn);
+- bool drop_other_suboptions = false;
+ unsigned int opt_size = *size;
+ struct mptcp_addr_info addr;
+ bool echo;
+@@ -672,36 +671,20 @@ static bool mptcp_established_options_ad
+ */
+ if (!mptcp_pm_should_add_signal(msk) ||
+ (opts->suboptions & (OPTION_MPTCP_MPJ_ACK | OPTION_MPTCP_MPC_ACK)) ||
+- !mptcp_pm_add_addr_signal(msk, skb, opt_size, remaining, &addr,
+- &echo, &drop_other_suboptions))
++ !skb || !skb_is_tcp_pure_ack(skb) ||
++ !mptcp_pm_add_addr_signal(msk, opt_size, remaining, &addr, &echo))
+ return false;
+
+- /*
+- * Later on, mptcp_write_options() will enforce mutually exclusion with
+- * DSS, bail out if such option is set and we can't drop it.
+- */
+- if (drop_other_suboptions)
+- remaining += opt_size;
+- else if (opts->suboptions & OPTION_MPTCP_DSS)
+- return false;
++ remaining += opt_size;
+
+ len = mptcp_add_addr_len(addr.family, echo, !!addr.port);
+ if (remaining < len)
+ return false;
+
+ *size = len;
+- if (drop_other_suboptions) {
+- pr_debug("drop other suboptions\n");
+- opts->suboptions = 0;
+-
+- /* note that e.g. DSS could have written into the memory
+- * aliased by ahmac, we must reset the field here
+- * to avoid appending the hmac even for ADD_ADDR echo
+- * options
+- */
+- opts->ahmac = 0;
+- *size -= opt_size;
+- }
++ pr_debug("drop other suboptions\n");
++ opts->suboptions = 0;
++ *size -= opt_size;
+ opts->addr = addr;
+ opts->suboptions |= OPTION_MPTCP_ADD_ADDR;
+ if (!echo) {
+@@ -711,6 +694,7 @@ static bool mptcp_established_options_ad
+ &opts->addr);
+ } else {
+ MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_ECHOADDTX);
++ opts->ahmac = 0;
+ }
+ pr_debug("addr_id=%d, ahmac=%llu, echo=%d, port=%d\n",
+ opts->addr.id, opts->ahmac, echo, ntohs(opts->addr.port));
+--- a/net/mptcp/pm.c
++++ b/net/mptcp/pm.c
+@@ -885,10 +885,9 @@ void mptcp_pm_mp_fail_received(struct so
+ }
+ }
+
+-bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, const struct sk_buff *skb,
+- unsigned int opt_size, unsigned int remaining,
+- struct mptcp_addr_info *addr, bool *echo,
+- bool *drop_other_suboptions)
++bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, unsigned int opt_size,
++ unsigned int remaining,
++ struct mptcp_addr_info *addr, bool *echo)
+ {
+ bool skip_add_addr = false;
+ int ret = false;
+@@ -906,10 +905,7 @@ bool mptcp_pm_add_addr_signal(struct mpt
+ * plain dup-ack from TCP perspective. The other MPTCP-relevant info,
+ * if any, will be carried by the 'original' TCP ack
+ */
+- if (skb && skb_is_tcp_pure_ack(skb)) {
+- remaining += opt_size;
+- *drop_other_suboptions = true;
+- }
++ remaining += opt_size;
+
+ *echo = mptcp_pm_should_add_signal_echo(msk);
+ if (*echo) {
+@@ -927,9 +923,6 @@ bool mptcp_pm_add_addr_signal(struct mpt
+ if (remaining < mptcp_add_addr_len(family, *echo, port)) {
+ struct net *net = sock_net((struct sock *)msk);
+
+- if (!*drop_other_suboptions)
+- goto out_unlock;
+-
+ if (*echo) {
+ MPTCP_INC_STATS(net, MPTCP_MIB_ECHOADDTXDROP);
+ } else {
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -1180,10 +1180,9 @@ static inline int mptcp_rm_addr_len(cons
+ return TCPOLEN_MPTCP_RM_ADDR_BASE + roundup(rm_list->nr - 1, 4) + 1;
+ }
+
+-bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, const struct sk_buff *skb,
+- unsigned int opt_size, unsigned int remaining,
+- struct mptcp_addr_info *addr, bool *echo,
+- bool *drop_other_suboptions);
++bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, unsigned int opt_size,
++ unsigned int remaining,
++ struct mptcp_addr_info *addr, bool *echo);
+ bool mptcp_pm_rm_addr_signal(struct mptcp_sock *msk, unsigned int remaining,
+ struct mptcp_rm_list *rm_list);
+ int mptcp_pm_get_local_id(struct mptcp_sock *msk, struct sock_common *skc);
--- /dev/null
+From da23be77e1292cd611e736c3aa17da633d7ddce7 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 2 Jun 2026 22:14:11 +1000
+Subject: mptcp: allow subflow rcv wnd to shrink
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit da23be77e1292cd611e736c3aa17da633d7ddce7 upstream.
+
+In MPTCP connection, the `window` field in the TCP header refers to the
+MPTCP-level rcv_nxt and it's right edge should not move backward. Such
+constraint is enforced at DSS option generation time.
+
+At the same time, the TCP stack ensures independently that the TCP-level
+rcv wnd right's edge does not move backward. That in turn causes artificial
+inflating of the MPTCP rcv window when the incoming data is acked at the
+TCP level and is OoO in the MPTCP sequence space (or lands in the backlog).
+
+As a consequence, the incoming traffic can exceed the receiver rcvbuf size
+even when the sender is not misbehaving.
+
+Prevent such scenario forcibly allowing the TCP subflow to shrink the
+TCP-level rcv wnd regardless of the current netns setting.
+
+Fixes: f3589be0c420 ("mptcp: never shrink offered window")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-4-856831229976@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/options.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/mptcp/options.c
++++ b/net/mptcp/options.c
+@@ -566,6 +566,7 @@ static bool mptcp_established_options_ds
+ {
+ struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
+ struct mptcp_sock *msk = mptcp_sk(subflow->conn);
++ struct tcp_sock *tp = tcp_sk(sk);
+ unsigned int dss_size = 0;
+ struct mptcp_ext *mpext;
+ unsigned int ack_size;
+@@ -614,6 +615,12 @@ static bool mptcp_established_options_ds
+ if (dss_size == 0)
+ ack_size += TCPOLEN_MPTCP_DSS_BASE;
+
++ /* The caller is __tcp_transmit_skb(), and will compute the new rcv
++ * wnd soon: ensure that the window can shrink.
++ */
++ if (skb)
++ tp->rcv_wnd = tp->rcv_nxt - tp->rcv_wup;
++
+ dss_size += ack_size;
+
+ *size = ALIGN(dss_size, 4);
--- /dev/null
+From 8ab24fdebc369c0dfb90f82c1650b1e66662bb45 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 2 Jun 2026 22:14:10 +1000
+Subject: mptcp: close TOCTOU race while computing rcv_wnd
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 8ab24fdebc369c0dfb90f82c1650b1e66662bb45 upstream.
+
+The MPTCP output path access locklessly the MPTCP-level ack_seq
+in multiple times, using possibly different values for the data_ack
+in the DSS option and to compute the announced rcv wnd for the same
+packet.
+
+Refactor the cote to avoid inconsistencies which may confuse the
+peer. Also ensure that the MPTCP level rcv wnd is updated only when
+the egress packet actually contains a DSS ack.
+
+Fixes: fa3fe2b15031 ("mptcp: track window announced to peer")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-3-856831229976@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/options.c | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+--- a/net/mptcp/options.c
++++ b/net/mptcp/options.c
+@@ -570,7 +570,6 @@ static bool mptcp_established_options_ds
+ struct mptcp_ext *mpext;
+ unsigned int ack_size;
+ bool ret = false;
+- u64 ack_seq;
+
+ opts->csum_reqd = READ_ONCE(msk->csum_enabled);
+ mpext = skb ? mptcp_get_ext(skb) : NULL;
+@@ -601,14 +600,11 @@ static bool mptcp_established_options_ds
+ return ret;
+ }
+
+- ack_seq = READ_ONCE(msk->ack_seq);
+ if (READ_ONCE(msk->use_64bit_ack)) {
+ ack_size = TCPOLEN_MPTCP_DSS_ACK64;
+- opts->ext_copy.data_ack = ack_seq;
+ opts->ext_copy.ack64 = 1;
+ } else {
+ ack_size = TCPOLEN_MPTCP_DSS_ACK32;
+- opts->ext_copy.data_ack32 = (uint32_t)ack_seq;
+ opts->ext_copy.ack64 = 0;
+ }
+ opts->ext_copy.use_ack = 1;
+@@ -1296,19 +1292,14 @@ bool mptcp_incoming_options(struct sock
+ return true;
+ }
+
+-static void mptcp_set_rwin(struct tcp_sock *tp, struct tcphdr *th)
++static u64 mptcp_set_rwin(struct mptcp_sock *msk, struct tcp_sock *tp,
++ struct tcphdr *th, u64 ack_seq)
+ {
+ const struct sock *ssk = (const struct sock *)tp;
+- struct mptcp_subflow_context *subflow;
+- u64 ack_seq, rcv_wnd_old, rcv_wnd_new;
+- struct mptcp_sock *msk;
++ u64 rcv_wnd_old, rcv_wnd_new;
+ u32 new_win;
+ u64 win;
+
+- subflow = mptcp_subflow_ctx(ssk);
+- msk = mptcp_sk(subflow->conn);
+-
+- ack_seq = READ_ONCE(msk->ack_seq);
+ rcv_wnd_new = ack_seq + tp->rcv_wnd;
+
+ rcv_wnd_old = atomic64_read(&msk->rcv_wnd_sent);
+@@ -1360,7 +1351,7 @@ raise_win:
+
+ update_wspace:
+ WRITE_ONCE(msk->old_wspace, tp->rcv_wnd);
+- subflow->rcv_wnd_sent = rcv_wnd_new;
++ return rcv_wnd_new;
+ }
+
+ static void mptcp_track_rwin(struct tcp_sock *tp)
+@@ -1472,13 +1463,25 @@ void mptcp_write_options(struct tcphdr *
+ *ptr++ = mptcp_option(MPTCPOPT_DSS, len, 0, flags);
+
+ if (mpext->use_ack) {
++ struct mptcp_sock *msk;
++ u64 ack_seq;
++
++ /* DSS option is set only by mptcp_established_options,
++ * the caller is __tcp_transmit_skb() and ssk is always
++ * not NULL.
++ */
++ subflow = mptcp_subflow_ctx(ssk);
++ msk = mptcp_sk(subflow->conn);
++ ack_seq = READ_ONCE(msk->ack_seq);
+ if (mpext->ack64) {
+- put_unaligned_be64(mpext->data_ack, ptr);
++ put_unaligned_be64(ack_seq, ptr);
+ ptr += 2;
+ } else {
+- put_unaligned_be32(mpext->data_ack32, ptr);
++ put_unaligned_be32(ack_seq, ptr);
+ ptr += 1;
+ }
++ subflow->rcv_wnd_sent = mptcp_set_rwin(msk, tp, th,
++ ack_seq);
+ }
+
+ if (mpext->use_map) {
+@@ -1706,9 +1709,6 @@ mp_capable_done:
+ i += 4;
+ }
+ }
+-
+- if (tp)
+- mptcp_set_rwin(tp, th);
+ }
+
+ __be32 mptcp_get_reset_option(const struct sk_buff *skb)
--- /dev/null
+From d1918b36edcaed0ec4ef6888b2358c6b1ddcff47 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 2 Jun 2026 22:14:09 +1000
+Subject: mptcp: fix retransmission loop when csum is enabled
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit d1918b36edcaed0ec4ef6888b2358c6b1ddcff47 upstream.
+
+Sashiko noted that retransmission with csum enabled can actually
+transmit new data, but currently the relevant code does not update
+accordingly snd_nxt.
+
+The may cause incoming ack drop and an endless retransmission loop.
+
+Address the issue incrementing snd_nxt as needed.
+
+Fixes: 4e14867d5e91 ("mptcp: tune re-injections for csum enabled mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-2-856831229976@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -2759,6 +2759,10 @@ static void __mptcp_retrans(struct sock
+ msk->bytes_retrans += len;
+ dfrag->already_sent = max(dfrag->already_sent, len);
+
++ /* With csum enabled retransmission can send new data. */
++ if (after64(dfrag->already_sent + dfrag->data_seq, msk->snd_nxt))
++ WRITE_ONCE(msk->snd_nxt, dfrag->already_sent + dfrag->data_seq);
++
+ reset_timer:
+ mptcp_check_and_set_pending(sk);
+
--- /dev/null
+From 14e9fea30b68fc75b2b3d97396a7e6adb544bd2a Mon Sep 17 00:00:00 2001
+From: Tao Cui <cuitao@kylinos.cn>
+Date: Tue, 2 Jun 2026 22:14:12 +1000
+Subject: mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation
+
+From: Tao Cui <cuitao@kylinos.cn>
+
+commit 14e9fea30b68fc75b2b3d97396a7e6adb544bd2a upstream.
+
+The userspace PM increments extra_subflows after __mptcp_subflow_connect()
+succeeds, but __mptcp_subflow_connect() calls mptcp_pm_close_subflow()
+on failure to roll back the pre-increment done by the kernel PM's fill_*()
+helpers. Because the userspace PM hasn't incremented yet at that point,
+this decrement is spurious and causes extra_subflows to underflow.
+
+Fix it by aligning the userspace PM with the kernel PM: increment
+extra_subflows before calling __mptcp_subflow_connect(), so the existing
+error path in subflow.c correctly rolls it back on failure. Also simplify
+the error handling by taking pm.lock only when needed for cleanup.
+
+Fixes: 77e4b94a3de6 ("mptcp: update userspace pm infos")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tao Cui <cuitao@kylinos.cn>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-5-856831229976@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_userspace.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/net/mptcp/pm_userspace.c
++++ b/net/mptcp/pm_userspace.c
+@@ -408,19 +408,21 @@ int mptcp_pm_nl_subflow_create_doit(stru
+ local.flags = entry.flags;
+ local.ifindex = entry.ifindex;
+
++ spin_lock_bh(&msk->pm.lock);
++ msk->pm.extra_subflows++;
++ spin_unlock_bh(&msk->pm.lock);
++
+ lock_sock(sk);
+ err = __mptcp_subflow_connect(sk, &local, &addr_r);
+ release_sock(sk);
+
+- if (err)
++ if (err) {
+ GENL_SET_ERR_MSG_FMT(info, "connect error: %d", err);
+
+- spin_lock_bh(&msk->pm.lock);
+- if (err)
++ spin_lock_bh(&msk->pm.lock);
+ mptcp_userspace_pm_delete_local_addr(msk, &entry);
+- else
+- msk->pm.extra_subflows++;
+- spin_unlock_bh(&msk->pm.lock);
++ spin_unlock_bh(&msk->pm.lock);
++ }
+
+ create_err:
+ sock_put(sk);
--- /dev/null
+From 57132affbc89c02e1bf73fdf5724311bdc9a29da Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Tue, 2 Jun 2026 22:14:14 +1000
+Subject: mptcp: sockopt: check timestamping ret value
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 57132affbc89c02e1bf73fdf5724311bdc9a29da upstream.
+
+sock_set_timestamping() can fail for different reasons. The returned
+value should then be checked.
+
+If sock_set_timestamping() fails for at least one subflow, the first
+error is now reported to the userspace, similar to what is done with
+other socket options.
+
+Fixes: 9061f24bf82e ("mptcp: sockopt: propagate timestamp request to subflows")
+Cc: stable@vger.kernel.org
+Reported-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+Closes: https://lore.kernel.org/willemdebruijn.kernel.178a41a53d041@gmail.com
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-7-856831229976@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/sockopt.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/mptcp/sockopt.c
++++ b/net/mptcp/sockopt.c
+@@ -235,15 +235,19 @@ static int mptcp_setsockopt_sol_socket_t
+
+ mptcp_for_each_subflow(msk, subflow) {
+ struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
++ int err;
+
+ lock_sock(ssk);
+- sock_set_timestamping(ssk, optname, timestamping);
++ err = sock_set_timestamping(ssk, optname, timestamping);
+ release_sock(ssk);
++
++ if (err < 0 && ret == 0)
++ ret = err;
+ }
+
+ release_sock(sk);
+
+- return 0;
++ return ret;
+ }
+
+ static int mptcp_setsockopt_sol_socket_linger(struct mptcp_sock *msk, sockptr_t optval,
--- /dev/null
+From 7690137e70ab0fb1f8b5a30e6f087f8ee908b680 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Tue, 2 Jun 2026 22:14:15 +1000
+Subject: mptcp: sockopt: set sockopt on all subflows
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 7690137e70ab0fb1f8b5a30e6f087f8ee908b680 upstream.
+
+The mptcp_setsockopt_all_sf(), currently used only with TCP_MAXSEG,
+stopped when one subflow returned an error.
+
+Even if it is not wrong, this is different from the other helpers trying
+to set the option on all subflows, and then returning an error if at
+least one of them had an issue.
+
+Follow this behaviour, for a question of uniformity.
+
+Fixes: 51c5fd09e1b4 ("mptcp: add TCP_MAXSEG sockopt support")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-8-856831229976@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/sockopt.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/mptcp/sockopt.c
++++ b/net/mptcp/sockopt.c
+@@ -811,10 +811,11 @@ static int mptcp_setsockopt_all_sf(struc
+
+ mptcp_for_each_subflow(msk, subflow) {
+ struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
++ int err;
+
+- ret = tcp_setsockopt(ssk, level, optname, optval, optlen);
+- if (ret)
+- break;
++ err = tcp_setsockopt(ssk, level, optname, optval, optlen);
++ if (err < 0 && ret == 0)
++ ret = err;
+ }
+
+ if (!ret)
--- /dev/null
+From 62c4d31d78294bd61cf3403626b789e854357177 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <brauner@kernel.org>
+Date: Mon, 18 May 2026 10:32:11 +0200
+Subject: pidfd: refuse access to tasks that have started exiting harder
+
+From: Christian Brauner <brauner@kernel.org>
+
+commit 62c4d31d78294bd61cf3403626b789e854357177 upstream.
+
+The recent ptrace fix closed a hole where someone could rely on task->mm
+becoming NULL during do_exit() to bypass dumpability checks. This api
+here leans on on the very same check and so inherits the fix.
+
+But there is no good reason to let it succeed at all once the target has
+entered do_exit(). PF_EXITING is set by exit_signals() at the very top
+of do_exit(), before exit_mm() and exit_files() run. Once we observe it,
+the task is committed to dying and exit_files() will release the fdtable
+shortly.
+
+Fixes: 8649c322f75c ("pid: Implement pidfd_getfd syscall")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260518-obgleich-petersilie-2d77ccccf9b9@brauner
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/pid.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/kernel/pid.c
++++ b/kernel/pid.c
+@@ -836,10 +836,12 @@ static struct file *__pidfd_fget(struct
+ if (ret)
+ return ERR_PTR(ret);
+
+- if (ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS))
+- file = fget_task(task, fd);
+- else
++ if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS))
+ file = ERR_PTR(-EPERM);
++ else if (task->flags & PF_EXITING)
++ file = ERR_PTR(-ESRCH);
++ else
++ file = fget_task(task, fd);
+
+ up_read(&task->signal->exec_update_lock);
+
--- /dev/null
+From 323c98a4ff06aa28114f2bf658fb43eb3b536bbc Mon Sep 17 00:00:00 2001
+From: Yishai Hadas <yishaih@nvidia.com>
+Date: Mon, 25 May 2026 17:21:36 +0300
+Subject: RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc
+
+From: Yishai Hadas <yishaih@nvidia.com>
+
+commit 323c98a4ff06aa28114f2bf658fb43eb3b536bbc upstream.
+
+The cpu_id attribute supplied by user space through
+UVERBS_ATTR_ALLOC_DMAH_CPU_ID is passed directly to cpumask_test_cpu()
+without first verifying that the value is within the valid CPU range.
+
+Passing such untrusted data to cpumask_test_cpu() may lead to an
+out-of-bounds read of the underlying cpumask bitmap: the helper expands
+to a test_bit() that indexes the bitmap by cpu_id / BITS_PER_LONG with
+no bound check.
+
+In addition, on kernels built with CONFIG_DEBUG_PER_CPU_MAPS it trips
+the WARN_ON_ONCE() in cpumask_check(); combined with panic_on_warn this
+turns a bad user input into a machine reboot.
+
+Reject any cpu_id that is not smaller than nr_cpu_ids with -EINVAL
+before it is used.
+
+Reported by Smatch.
+
+Fixes: d83edab562a4 ("RDMA/core: Introduce a DMAH object and its alloc/free APIs")
+Link: https://patch.msgid.link/r/20260525142136.28165-1-yishaih@nvidia.com
+Cc: stable@vger.kernel.org
+Reported-by: Dan Carpenter <error27@gmail.com>
+Closes: https://lore.kernel.org/r/ag68qoAW3P04J7pT@stanley.mountain/
+Signed-off-by: Yishai Hadas <yishaih@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/uverbs_std_types_dmah.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/infiniband/core/uverbs_std_types_dmah.c b/drivers/infiniband/core/uverbs_std_types_dmah.c
+index 453ce656c6f2..97101e093826 100644
+--- a/drivers/infiniband/core/uverbs_std_types_dmah.c
++++ b/drivers/infiniband/core/uverbs_std_types_dmah.c
+@@ -47,6 +47,11 @@ static int UVERBS_HANDLER(UVERBS_METHOD_DMAH_ALLOC)(
+ if (ret)
+ goto err;
+
++ if (dmah->cpu_id >= nr_cpu_ids) {
++ ret = -EINVAL;
++ goto err;
++ }
++
+ if (!cpumask_test_cpu(dmah->cpu_id, current->cpus_ptr)) {
+ ret = -EPERM;
+ goto err;
+--
+2.54.0
+
--- /dev/null
+From 4a1b1ac2744694a2ecd66a84bdb1445f4ef24bee Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Tue, 26 May 2026 12:40:25 -0300
+Subject: RDMA/core: Validate the passed in fops for ib_get_ucaps()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit 4a1b1ac2744694a2ecd66a84bdb1445f4ef24bee upstream.
+
+Sashiko pointed out it is not safe to rely only on the devt because
+char/block alias so if the user finds a block device with the same dev_t
+it can masquerade as a ucap cdev fd.
+
+Test the f_ops to only accept authentic cdevs.
+
+Link: https://patch.msgid.link/r/0-v1-fd9482545e37+1e25-ib_ucaps_fd_ops_jgg@nvidia.com
+Cc: stable@vger.kernel.org
+Fixes: 61e51682816d ("RDMA/uverbs: Introduce UCAP (User CAPabilities) API")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/ucaps.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/core/ucaps.c b/drivers/infiniband/core/ucaps.c
+index 948093260dbd..5155ff0e538e 100644
+--- a/drivers/infiniband/core/ucaps.c
++++ b/drivers/infiniband/core/ucaps.c
+@@ -82,14 +82,12 @@ static int get_ucap_from_devt(dev_t devt, u64 *idx_mask)
+
+ static int get_devt_from_fd(unsigned int fd, dev_t *ret_dev)
+ {
+- struct file *file;
++ CLASS(fd, f)(fd);
+
+- file = fget(fd);
+- if (!file)
++ if (fd_empty(f) || fd_file(f)->f_op != &ucaps_cdev_fops)
+ return -EBADF;
+
+- *ret_dev = file_inode(file)->i_rdev;
+- fput(file);
++ *ret_dev = file_inode(fd_file(f))->i_rdev;
+ return 0;
+ }
+
+--
+2.54.0
+
--- /dev/null
+From 13e91fd076306f5d0cdfa14f53d69e37274723c4 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Tue, 2 Jun 2026 18:04:57 -0400
+Subject: RDMA/srp: bound SRP_RSP sense copy by the received length
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 13e91fd076306f5d0cdfa14f53d69e37274723c4 upstream.
+
+srp_process_rsp() copies sense data from rsp->data + resp_data_len,
+where resp_data_len is the full 32-bit value supplied by the SRP target
+and is never checked against the number of bytes actually received
+(wc->byte_len). The copy length is bounded to SCSI_SENSE_BUFFERSIZE, so
+at most 96 bytes are copied, but the source offset is not bounded.
+
+A malicious or compromised SRP target on the InfiniBand/RoCE fabric that
+the initiator has logged into can return an SRP_RSP with
+SRP_RSP_FLAG_SNSVALID set and a large resp_data_len. The receive buffer
+is allocated at the target-chosen max_ti_iu_len, so the source of the
+sense copy lands past the bytes actually received; with resp_data_len
+near 0xFFFFFFFF it is gigabytes past the buffer and the read faults.
+
+Copy the sense data only if it has not been truncated, that is, only if
+the response header, the response data, and the sense region fit within
+the bytes actually received; otherwise drop the sense and log. The
+in-tree iSER and NVMe-RDMA receive paths already bound their parse by
+wc->byte_len; this brings ib_srp into line with them.
+
+Fixes: aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator")
+Link: https://patch.msgid.link/r/20260602220457.2542840-1-michael.bommarito@gmail.com
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-8
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 30 ++++++++++++++++++++++++------
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -1930,7 +1930,8 @@ static int srp_post_recv(struct srp_rdma
+ return ib_post_recv(ch->qp, &wr, NULL);
+ }
+
+-static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp)
++static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp,
++ u32 byte_len)
+ {
+ struct srp_target_port *target = ch->target;
+ struct srp_request *req;
+@@ -1971,10 +1972,27 @@ static void srp_process_rsp(struct srp_r
+ scmnd->result = rsp->status;
+
+ if (rsp->flags & SRP_RSP_FLAG_SNSVALID) {
+- memcpy(scmnd->sense_buffer, rsp->data +
+- be32_to_cpu(rsp->resp_data_len),
+- min_t(int, be32_to_cpu(rsp->sense_data_len),
+- SCSI_SENSE_BUFFERSIZE));
++ u32 resp_len = be32_to_cpu(rsp->resp_data_len);
++ u32 sense_len = be32_to_cpu(rsp->sense_data_len);
++
++ /*
++ * The sense data starts resp_data_len bytes past the
++ * response data area; both lengths come from the
++ * target-controlled response. Copy the sense data
++ * only if it has not been truncated, that is, only if
++ * the full sense region fits within the bytes actually
++ * received. Otherwise the copy source would run past
++ * the receive buffer (sized to the target-chosen
++ * max_ti_iu_len), reading out of bounds.
++ */
++ if (sizeof(*rsp) + (u64)resp_len + sense_len <= byte_len)
++ memcpy(scmnd->sense_buffer,
++ rsp->data + resp_len,
++ min(sense_len, SCSI_SENSE_BUFFERSIZE));
++ else
++ shost_printk(KERN_ERR, target->scsi_host,
++ "dropping truncated sense data (resp_data_len %u sense_data_len %u, %u bytes received)\n",
++ resp_len, sense_len, byte_len);
+ }
+
+ if (unlikely(rsp->flags & SRP_RSP_FLAG_DIUNDER))
+@@ -2084,7 +2102,7 @@ static void srp_recv_done(struct ib_cq *
+
+ switch (opcode) {
+ case SRP_RSP:
+- srp_process_rsp(ch, iu->buf);
++ srp_process_rsp(ch, iu->buf, wc->byte_len);
+ break;
+
+ case SRP_CRED_REQ:
--- /dev/null
+From 06fd2bec7aebf393288e4b78924482fe170caabc Mon Sep 17 00:00:00 2001
+From: Tao Cui <cuitao@kylinos.cn>
+Date: Tue, 2 Jun 2026 22:14:13 +1000
+Subject: selftests: mptcp: add test for extra_subflows underflow on userspace PM
+
+From: Tao Cui <cuitao@kylinos.cn>
+
+commit 06fd2bec7aebf393288e4b78924482fe170caabc upstream.
+
+Add a test to verify that when userspace PM fails to create a subflow
+(e.g. using an unreachable address), the extra_subflows counter is not
+decremented below zero.
+
+Fixes: 77e4b94a3de6 ("mptcp: update userspace pm infos")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tao Cui <cuitao@kylinos.cn>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-6-856831229976@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -3924,6 +3924,10 @@ userspace_tests()
+ chk_rm_nr 0 1
+ chk_mptcp_info subflows 0 subflows 0
+ chk_subflows_total 1 1
++ # check counters are not affected by errors at creation time
++ userspace_pm_add_sf $ns2 10.0.12.2 10 2>/dev/null
++ chk_mptcp_info subflows 0 subflows 0
++ chk_subflows_total 1 1
+ kill_events_pids
+ mptcp_lib_kill_group_wait $tests_pid
+ fi
kvm-arm64-restore-por_el0-access-to-host-el0.patch
drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch
+ksmbd-fix-use-after-free-of-a-deferred-file_lock-on-double-smb2_cancel.patch
+xfrm-espintcp-do-not-reuse-an-in-progress-partial-send.patch
+xfrm-iptfs-preserve-shared-frag-marker-in-iptfs_consume_frags.patch
+xfrm-iptfs-fix-abba-deadlock-in-iptfs_destroy_state.patch
+usb-serial-io_ti-fix-heap-overflow-in-get_manuf_info.patch
+usb-serial-io_ti-fix-heap-overflow-in-build_i2c_fw_hdr.patch
+usb-serial-option-add-usb-id-for-dell-wireless-dw5826e-m.patch
+usb-serial-kl5kusb105-fix-bulk-out-buffer-overflow.patch
+alsa-timer-forcibly-close-timer-instances-at-closing.patch
+alsa-timer-fix-uaf-at-snd_timer_user_params.patch
+io_uring-net-inherit-ioring_cqe_f_buf_more-across-bundle-recv-retries.patch
+drm-virtio-fix-dma_fence-refcount-leak-on-error-in-virtio_gpu_dma_fence_wait.patch
+drm-amd-display-reject-gpio_bitshift-32-in-bios_parser_get_gpio_pin_info.patch
+mm-huge_memory-update-file-pmd-counter-before-folio_put.patch
+mm-damon-ops-common-call-folio_test_lru-after-folio_get.patch
+mm-huge_memory-update-file-pud-counter-before-folio_put.patch
+rdma-core-validate-the-passed-in-fops-for-ib_get_ucaps.patch
+rdma-core-validate-cpu_id-against-nr_cpu_ids-in-dmah-alloc.patch
+rdma-srp-bound-srp_rsp-sense-copy-by-the-received-length.patch
+zram-fix-use-after-free-in-zram_bvec_write_partial.patch
+udp-clear-skb-dev-before-running-a-sockmap-verdict.patch
+arm-socfpga-fix-of-node-refcount-leak-in-smp-setup.patch
+arm-9474-1-io-avoid-kasan-instrumentation-of-raw-halfword-i-o.patch
+arm-9475-1-entry-use-byte-load-for-kasan-vmap-stack-shadow.patch
+arm64-mm-call-pagetable-dtor-when-freeing-hot-removed-page-tables.patch
+mptcp-fix-retransmission-loop-when-csum-is-enabled.patch
+mptcp-close-toctou-race-while-computing-rcv_wnd.patch
+mptcp-allow-subflow-rcv-wnd-to-shrink.patch
+mptcp-pm-fix-extra_subflows-underflow-on-userspace-pm-subflow-creation.patch
+mptcp-sockopt-check-timestamping-ret-value.patch
+mptcp-sockopt-set-sockopt-on-all-subflows.patch
+selftests-mptcp-add-test-for-extra_subflows-underflow-on-userspace-pm.patch
+mptcp-add-addr-always-drop-other-suboptions.patch
+xfs-fix-error-returns-in-cow-fork-repair.patch
+xfs-fix-rtgroup-cleanup-in-cow-fork-repair.patch
+wifi-iwlwifi-pcie-simplify-the-resume-flow-if-fast-resume-is-not-used.patch
+wifi-nl80211-reject-oversized-ema-rnr-lists.patch
+vsock-vmci-fix-sk_ack_backlog-leak-on-failed-handshake.patch
+timers-migration-fix-livelock-in-tmigr_handle_remote_up.patch
+staging-rtl8723bs-fix-buffer-over-read-in-rtw_update_protection.patch
+asoc-fsl_sai-fix-32-slots-tdm-broken-by-integer-shift-ub-in-xmr-write.patch
+bnxt_en-fix-null-pointer-dereference.patch
+fhandle-fix-uaf-due-to-unlocked-mnt_ns-read-in-may_decode_fh.patch
+ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch
+inet-frags-fix-use-after-free-caused-by-the-fqdir_pre_exit-flush.patch
+pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch
--- /dev/null
+From 514ab98364595007d4557ecc85d7e5f012c504d3 Mon Sep 17 00:00:00 2001
+From: Salman Alghamdi <me@cipherat.com>
+Date: Sat, 9 May 2026 01:26:14 +0300
+Subject: staging: rtl8723bs: fix buffer over-read in rtw_update_protection
+
+From: Salman Alghamdi <me@cipherat.com>
+
+commit 514ab98364595007d4557ecc85d7e5f012c504d3 upstream.
+
+rtw_update_protection() is called with a pointer offset into the
+ies buffer but the full ie_length is passed, causing a potential
+buffer over-read.
+
+Fixes: e945c43df60b ("Staging: rtl8723bs: Delete dead code from update_current_network()")
+Fixes: d3fcee1b78a5 ("staging: rtl8723bs: fix camel case in struct wlan_bssid_ex")
+Reported-by: Luka Gejak <luka.gejak@linux.dev>
+Closes: https://lore.kernel.org/linux-staging/DI2H39EAAFBZ.3KI5NWN02AQ2S@linux.dev
+Cc: stable@vger.kernel.org
+Signed-off-by: Salman Alghamdi <me@cipherat.com>
+Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
+Link: https://patch.msgid.link/20260508222649.23989-1-me@cipherat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_mlme.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
++++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
+@@ -471,8 +471,11 @@ static void update_current_network(struc
+
+ if ((check_fwstate(pmlmepriv, _FW_LINKED) == true) && (is_same_network(&pmlmepriv->cur_network.network, pnetwork, 0))) {
+ update_network(&pmlmepriv->cur_network.network, pnetwork, adapter, true);
++ if (pmlmepriv->cur_network.network.ie_length < sizeof(struct ndis_802_11_fix_ie))
++ return;
++
+ rtw_update_protection(adapter, (pmlmepriv->cur_network.network.ies) + sizeof(struct ndis_802_11_fix_ie),
+- pmlmepriv->cur_network.network.ie_length);
++ pmlmepriv->cur_network.network.ie_length - sizeof(struct ndis_802_11_fix_ie));
+ }
+ }
+
+@@ -1100,8 +1103,11 @@ static void rtw_joinbss_update_network(s
+ break;
+ }
+
++ if (cur_network->network.ie_length < sizeof(struct ndis_802_11_fix_ie))
++ return;
++
+ rtw_update_protection(padapter, (cur_network->network.ies) + sizeof(struct ndis_802_11_fix_ie),
+- (cur_network->network.ie_length));
++ (cur_network->network.ie_length - sizeof(struct ndis_802_11_fix_ie)));
+
+ rtw_update_ht_cap(padapter, cur_network->network.ies, cur_network->network.ie_length, (u8) cur_network->network.configuration.ds_config);
+ }
--- /dev/null
+From d486b4934a8e504376b85cdb3766f306d57aff5b Mon Sep 17 00:00:00 2001
+From: Amit Matityahu <amitmat@amazon.com>
+Date: Wed, 3 Jun 2026 17:01:39 +0000
+Subject: timers/migration: Fix livelock in tmigr_handle_remote_up()
+
+From: Amit Matityahu <amitmat@amazon.com>
+
+commit d486b4934a8e504376b85cdb3766f306d57aff5b upstream.
+
+tmigr_handle_remote_cpu() skips timer_expire_remote() when cpu ==
+smp_processor_id(), assuming the local softirq path already handled this
+CPU's timers.
+
+This assumption is wrong because jiffies can advance after the handling of
+the CPU's global timers in run_timer_base(BASE_GLOBAL) and before
+tmigr_handle_remote() evaluates the expiry times.
+
+As a consequence a timer which expires after the CPU local timer wheel
+advanced and becomes expired in the remote handling is ignored and the
+callback is never invoked and removed from the timer wheel.
+
+What's worse is that fetch_next_timer_interrupt_remote() keeps reporting it
+as expired, and the event is re-queued with expires == now on each
+iteration. The goto-again loop spins indefinitely.
+
+Fix this by calling timer_expire_remote() unconditionally. That's minimal
+overhead for the common case as __run_timer_base() returns immediately if
+there is nothing to expire in the local wheel.
+
+[ tglx: Amend change log and add a comment ]
+
+Fixes: 7ee988770326 ("timers: Implement the hierarchical pull model")
+Reported-by: Alon Kariv <alonka@amazon.com>
+Signed-off-by: Amit Matityahu <amitmat@amazon.com>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260603170139.33628-1-amitmat@amazon.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/time/timer_migration.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/kernel/time/timer_migration.c
++++ b/kernel/time/timer_migration.c
+@@ -946,8 +946,12 @@ static void tmigr_handle_remote_cpu(unsi
+ /* Drop the lock to allow the remote CPU to exit idle */
+ raw_spin_unlock_irq(&tmc->lock);
+
+- if (cpu != smp_processor_id())
+- timer_expire_remote(cpu);
++ /*
++ * This can't exclude the local CPU because jiffies might have advanced
++ * after the timer softirq invoked run_timer_base(BASE_GLOBAL) and the
++ * point where the jiffies snapshot @jif was taken in tmigr_handle_remote().
++ */
++ timer_expire_remote(cpu);
+
+ /*
+ * Lock ordering needs to be preserved - timer_base locks before tmigr
--- /dev/null
+From 3c94f241f776562c489876ff506f366224565c21 Mon Sep 17 00:00:00 2001
+From: Sechang Lim <rhkrqnwk98@gmail.com>
+Date: Wed, 3 Jun 2026 16:27:33 +0000
+Subject: udp: clear skb->dev before running a sockmap verdict
+
+From: Sechang Lim <rhkrqnwk98@gmail.com>
+
+commit 3c94f241f776562c489876ff506f366224565c21 upstream.
+
+On the UDP receive path skb->dev is repurposed as dev_scratch (the
+truesize/state cache set by udp_set_dev_scratch()), through the
+union { struct net_device *dev; unsigned long dev_scratch; } in sk_buff.
+
+When a UDP socket is in a sockmap, sk_data_ready is
+sk_psock_verdict_data_ready(), which calls udp_read_skb() -> recv_actor()
+(sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq.
+If that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp,
+bpf_skc_lookup_tcp), bpf_skc_lookup() does:
+
+ if (skb->dev)
+ caller_net = dev_net(skb->dev);
+
+skb->dev still holds the dev_scratch value (a non-NULL integer), so dev_net()
+dereferences it as a struct net_device * and the kernel takes a general
+protection fault on a non-canonical address in softirq:
+
+ Oops: general protection fault, probably for non-canonical address 0x1010000800004a0
+ CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full)
+ RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline]
+ RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047
+ Call Trace:
+ <IRQ>
+ bpf_prog_4675cb904b7071f8+0x12e/0x14e
+ bpf_prog_run_pin_on_cpu+0xc6/0x1f0
+ sk_psock_verdict_recv+0x1ba/0x350
+ udp_read_skb+0x31a/0x370
+ sk_psock_verdict_data_ready+0x2e3/0x600
+ __udp_enqueue_schedule_skb+0x4c8/0x650
+ udpv6_queue_rcv_one_skb+0x3ec/0x740
+ udp6_unicast_rcv_skb+0x11d/0x140
+ ip6_protocol_deliver_rcu+0x61e/0x950
+ ip6_input_finish+0xa9/0x150
+ NF_HOOK+0x286/0x2f0
+ ip6_input+0x117/0x220
+ NF_HOOK+0x286/0x2f0
+ __netif_receive_skb+0x85/0x200
+ process_backlog+0x374/0x9a0
+ __napi_poll+0x4f/0x1c0
+ net_rx_action+0x3b0/0x770
+ handle_softirqs+0x15a/0x460
+ do_softirq+0x57/0x80
+ </IRQ>
+
+The rmem charge that dev_scratch accounted for is released by skb_recv_udp() on
+dequeue, just above, so the scratch is dead by the time recv_actor() runs. Clear
+skb->dev so bpf_skc_lookup() falls back to sock_net(skb->sk), which
+skb_set_owner_sk_safe() set just above.
+
+Fixes: 965b57b469a5 ("net: Introduce a new proto_ops ->read_skb()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com>
+Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260603162737.697215-1-rhkrqnwk98@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/udp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -2042,6 +2042,14 @@ try_again:
+ }
+
+ WARN_ON_ONCE(!skb_set_owner_sk_safe(skb, sk));
++
++ /*
++ * skb->dev still aliases the UDP rx dev_scratch (its charge was freed
++ * on dequeue above); a sockmap verdict program may deref it via
++ * bpf_sk_lookup_*(), so clear it -> bpf_skc_lookup() uses skb->sk
++ */
++ skb->dev = NULL;
++
+ return recv_actor(sk, skb);
+ }
+ EXPORT_IPV6_MOD(udp_read_skb);
--- /dev/null
+From 0fd2b00b2d3d05e3eaa13342b3dfb0fa85c226ae Mon Sep 17 00:00:00 2001
+From: Adrian Korwel <adriank20047@gmail.com>
+Date: Mon, 25 May 2026 09:58:32 -0500
+Subject: USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
+
+From: Adrian Korwel <adriank20047@gmail.com>
+
+commit 0fd2b00b2d3d05e3eaa13342b3dfb0fa85c226ae upstream.
+
+build_i2c_fw_hdr() allocates a fixed-size buffer of
+(16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then
+copies le16_to_cpu(img_header->Length) bytes into it without
+validating that Length fits within the available space after the
+firmware record header.
+
+img_header->Length is a __le16 from the firmware file and can be
+up to 65535. check_fw_sanity() validates the total firmware size
+but not img_header->Length specifically.
+
+Fix by rejecting images where img_header->Length exceeds the
+available destination space.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Adrian Korwel <adriank20047@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/io_ti.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -844,6 +844,11 @@ static int build_i2c_fw_hdr(u8 *header,
+ /* Pointer to fw_down memory image */
+ img_header = (struct ti_i2c_image_header *)&fw->data[4];
+
++ if (le16_to_cpu(img_header->Length) >
++ buffer_size - sizeof(struct ti_i2c_firmware_rec)) {
++ kfree(buffer);
++ return -EINVAL;
++ }
+ memcpy(buffer + sizeof(struct ti_i2c_firmware_rec),
+ &fw->data[4 + sizeof(struct ti_i2c_image_header)],
+ le16_to_cpu(img_header->Length));
--- /dev/null
+From 183c1076eca43bbb3e7bdf597456f91d81c73e74 Mon Sep 17 00:00:00 2001
+From: Adrian Korwel <adriank20047@gmail.com>
+Date: Mon, 25 May 2026 09:58:31 -0500
+Subject: USB: serial: io_ti: fix heap overflow in get_manuf_info()
+
+From: Adrian Korwel <adriank20047@gmail.com>
+
+commit 183c1076eca43bbb3e7bdf597456f91d81c73e74 upstream.
+
+get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
+device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
+is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.
+
+The Size field comes from the device and is only validated (in
+check_i2c_image()) to make sure the descriptor fits within
+TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size.
+A malicious USB device can therefore set Size to any value up to 16377,
+causing a heap overflow of up to 16367 bytes when plugged into a host
+running this driver.
+
+valid_csum() is called after read_rom() and also iterates
+buffer[0..Size-1], compounding the out-of-bounds access.
+
+Fix by rejecting descriptors with unexpected length before calling
+read_rom().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Adrian Korwel <adriank20047@gmail.com>
+[ johan: amend commit message; also check for short descriptors ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/io_ti.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -773,6 +773,12 @@ static int get_manuf_info(struct edgepor
+ }
+
+ /* Read the descriptor data */
++ if (le16_to_cpu(rom_desc->Size) != sizeof(struct edge_ti_manuf_descriptor)) {
++ dev_err(dev, "unexpected Edge descriptor length: %u\n",
++ le16_to_cpu(rom_desc->Size));
++ status = -EINVAL;
++ goto exit;
++ }
+ status = read_rom(serial, start_address+sizeof(struct ti_i2c_desc),
+ le16_to_cpu(rom_desc->Size), buffer);
+ if (status)
--- /dev/null
+From 96d47e40bf9db4a9efd5c8fb53287a508d165f14 Mon Sep 17 00:00:00 2001
+From: HyeongJun An <sammiee5311@gmail.com>
+Date: Mon, 8 Jun 2026 18:09:26 +0900
+Subject: USB: serial: kl5kusb105: fix bulk-out buffer overflow
+
+From: HyeongJun An <sammiee5311@gmail.com>
+
+commit 96d47e40bf9db4a9efd5c8fb53287a508d165f14 upstream.
+
+klsi_105_prepare_write_buffer() is called by the generic write path
+with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It
+stores a two-byte length header at the start of the buffer and copies
+the payload from the write fifo starting at buf + KLSI_HDR_LEN, but
+passes the full buffer size as the number of bytes to copy:
+
+ count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
+ size, &port->lock);
+
+When the fifo holds at least size bytes, size bytes are copied starting
+two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
+end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for
+the header as safe_serial already does.
+
+Writing bulk_out_size or more bytes to the tty triggers a slab
+out-of-bounds write, observed with KASAN by emulating the device with
+dummy_hcd and raw-gadget:
+
+ BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0
+ Write of size 64 at addr ffff888112c62202 by task python3
+ kfifo_copy_out
+ klsi_105_prepare_write_buffer [kl5kusb105]
+ usb_serial_generic_write_start [usbserial]
+ Allocated by task 139:
+ usb_serial_probe [usbserial]
+ The buggy address is located 2 bytes inside of allocated 64-byte region
+
+The out-of-bounds write no longer occurs with this change applied.
+
+Fixes: 60b3013cdaf3 ("USB: kl5usb105: reimplement using generic framework")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-8
+Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/kl5kusb105.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/kl5kusb105.c
++++ b/drivers/usb/serial/kl5kusb105.c
+@@ -330,8 +330,8 @@ static int klsi_105_prepare_write_buffer
+ unsigned char *buf = dest;
+ int count;
+
+- count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size,
+- &port->lock);
++ count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
++ size - KLSI_HDR_LEN, &port->lock);
+ put_unaligned_le16(count, buf);
+
+ return count + KLSI_HDR_LEN;
--- /dev/null
+From 1938fb9fe38c4f04a3f30bea44f8071c80a63be4 Mon Sep 17 00:00:00 2001
+From: Jack Wu <jackbb_wu@compal.com>
+Date: Thu, 4 Jun 2026 10:04:40 +0800
+Subject: USB: serial: option: add usb-id for Dell Wireless DW5826e-m
+
+From: Jack Wu <jackbb_wu@compal.com>
+
+commit 1938fb9fe38c4f04a3f30bea44f8071c80a63be4 upstream.
+
+Add support for Dell DW5826e-m with USB-id 0x413c:0x81ea
+
+T: Bus=03 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 8 Spd=480 MxCh= 0
+D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=413c ProdID=81ea Rev= 5.04
+S: Manufacturer=DELL
+S: Product=DW5826e-m Qualcomm Snapdragon X12 Global LTE-A
+S: SerialNumber=358988870177734
+C:* #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
+A: FirstIf#=12 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
+E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
+I:* If#=12 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
+E: Ad=88(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
+I: If#=13 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+I:* If#=13 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Signed-off-by: Jack Wu <jackbb_wu@compal.com>
+Reviewed-by: Lars Melin <larsm17@gmail>
+Cc: stable@vger.kernel.org
+[ johan: reserve also interface 4 ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -202,6 +202,7 @@ static void option_instat_callback(struc
+ #define DELL_PRODUCT_5821E_ESIM 0x81e0
+ #define DELL_PRODUCT_5829E_ESIM 0x81e4
+ #define DELL_PRODUCT_5829E 0x81e6
++#define DELL_PRODUCT_5826E_ESIM 0x81ea
+
+ #define DELL_PRODUCT_FM101R_ESIM 0x8213
+ #define DELL_PRODUCT_FM101R 0x8215
+@@ -1123,6 +1124,8 @@ static const struct usb_device_id option
+ .driver_info = RSVD(0) | RSVD(6) },
+ { USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5829E_ESIM),
+ .driver_info = RSVD(0) | RSVD(6) },
++ { USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_5826E_ESIM, 0xff),
++ .driver_info = RSVD(1) | RSVD(4) },
+ { USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_FM101R, 0xff) },
+ { USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_FM101R_ESIM, 0xff) },
+ { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_E100A) }, /* ADU-E100, ADU-310 */
--- /dev/null
+From c05fa14db43ebef3bd862ca9d073981c0358b3f0 Mon Sep 17 00:00:00 2001
+From: Raf Dickson <rafdog35@gmail.com>
+Date: Tue, 26 May 2026 10:43:56 +0000
+Subject: vsock/vmci: fix sk_ack_backlog leak on failed handshake
+
+From: Raf Dickson <rafdog35@gmail.com>
+
+commit c05fa14db43ebef3bd862ca9d073981c0358b3f0 upstream.
+
+When vmci_transport_recv_connecting_server() returns an error,
+vmci_transport_recv_listen() calls vsock_remove_pending() but never
+calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented
+permanently.
+
+Repeated handshake failures (malformed packets, queue pair alloc
+failure, event subscribe failure) cause sk_ack_backlog to climb
+toward sk_max_ack_backlog. Once it reaches the limit the listener
+permanently refuses all new connections with -ECONNREFUSED, a
+silent denial of service requiring a process restart to recover.
+
+The two existing sk_acceptq_removed() calls in af_vsock.c do not
+cover this path: line 764 checks vsock_is_pending() which returns
+false after vsock_remove_pending(), and line 1889 is only reached
+on successful accept().
+
+Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on
+the error path.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Cc: stable@vger.kernel.org
+Signed-off-by: Raf Dickson <rafdog35@gmail.com>
+Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20260526104356.469928-1-rafdog35@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/vmci_transport.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -972,8 +972,10 @@ static int vmci_transport_recv_listen(st
+ err = -EINVAL;
+ }
+
+- if (err < 0)
++ if (err < 0) {
+ vsock_remove_pending(sk, pending);
++ sk_acceptq_removed(sk);
++ }
+
+ release_sock(pending);
+ vmci_transport_release_pending(pending);
--- /dev/null
+From 093305d801fae6ff9b8bb531fd78b579794c4f80 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Sun, 31 May 2026 13:30:19 +0300
+Subject: wifi: iwlwifi: pcie: simplify the resume flow if fast resume is not used
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 093305d801fae6ff9b8bb531fd78b579794c4f80 upstream.
+
+In most distributions, NetworkManager shuts the device down before
+entering system suspend, so fast suspend is typically not used.
+
+On older devices, resume currently tries to grab NIC access to infer
+whether the device was powered off while suspended. That probe is only
+meaningful for the fast-suspend path where the device is expected to
+remain alive.
+
+Unfortunately, for unclear reasons, grabbing NIC access was harmful as
+reported in the bugzilla ticket below.
+
+Workaround this issue by simply not grabbing NIC access if fast suspend
+is not used.
+
+Cc: stable@vger.kernel.org
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221501
+Assisted-by: GitHub Copilot:gpt-5.3-codex
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Link: https://patch.msgid.link/20260531133005.e2ed9e0cd44f.If283625983a843933e0c01561a421daff184e9e9@changeid
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 56 ++++++++++++++------------
+ 1 file changed, 32 insertions(+), 24 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -1224,33 +1224,41 @@ static int _iwl_pci_resume(struct device
+ if (!trans->op_mode)
+ return 0;
+
+- /*
+- * Scratch value was altered, this means the device was powered off, we
+- * need to reset it completely.
+- * Note: MAC (bits 0:7) will be cleared upon suspend even with wowlan,
+- * but not bits [15:8]. So if we have bits set in lower word, assume
+- * the device is alive.
+- * Alternatively, if the scratch value is 0xFFFFFFFF, then we no longer
+- * have access to the device and consider it powered off.
+- * For older devices, just try silently to grab the NIC.
+- */
+- if (trans->mac_cfg->device_family >= IWL_DEVICE_FAMILY_BZ) {
+- u32 scratch = iwl_read32(trans, CSR_FUNC_SCRATCH);
+-
+- if (!(scratch & CSR_FUNC_SCRATCH_POWER_OFF_MASK) ||
+- scratch == ~0U)
+- device_was_powered_off = true;
+- } else {
++ if (test_bit(STATUS_DEVICE_ENABLED, &trans->status)) {
+ /*
+- * bh are re-enabled by iwl_trans_pcie_release_nic_access,
+- * so re-enable them if _iwl_trans_pcie_grab_nic_access fails.
++ * Scratch value was altered, this means the device was powered
++ * off, we need to reset it completely.
++ * Note: MAC (bits 0:7) will be cleared upon suspend even with
++ * wowlan, but not bits [15:8]. So if we have bits set in lower
++ * word, assume the device is alive.
++ * Alternatively, if the scratch value is 0xFFFFFFFF, then we
++ * no longer have access to the device and consider it powered
++ * off.
++ * For older devices, just try silently to grab the NIC.
+ */
+- local_bh_disable();
+- if (_iwl_trans_pcie_grab_nic_access(trans, true)) {
+- iwl_trans_pcie_release_nic_access(trans);
++ if (trans->mac_cfg->device_family >= IWL_DEVICE_FAMILY_BZ) {
++ u32 scratch = iwl_read32(trans, CSR_FUNC_SCRATCH);
++
++ if (!(scratch & CSR_FUNC_SCRATCH_POWER_OFF_MASK) ||
++ scratch == ~0U) {
++ IWL_DEBUG_WOWLAN(trans,
++ "Scratch 0x%08x indicates device was powered off\n",
++ scratch);
++ device_was_powered_off = true;
++ }
+ } else {
+- device_was_powered_off = true;
+- local_bh_enable();
++ /*
++ * bh are re-enabled by iwl_trans_pcie_release_nic_access,
++ * so re-enable them if _iwl_trans_pcie_grab_nic_access
++ * fails.
++ */
++ local_bh_disable();
++ if (_iwl_trans_pcie_grab_nic_access(trans, true)) {
++ iwl_trans_pcie_release_nic_access(trans);
++ } else {
++ device_was_powered_off = true;
++ local_bh_enable();
++ }
+ }
+ }
+
--- /dev/null
+From 4cd92957e8f8cc4ebfe8a5d4203c14c592fde6b1 Mon Sep 17 00:00:00 2001
+From: Yuqi Xu <xuyuqiabc@gmail.com>
+Date: Fri, 29 May 2026 23:25:37 +0800
+Subject: wifi: nl80211: reject oversized EMA RNR lists
+
+From: Yuqi Xu <xuyuqiabc@gmail.com>
+
+commit 4cd92957e8f8cc4ebfe8a5d4203c14c592fde6b1 upstream.
+
+nl80211_parse_rnr_elems() stores the parsed element count in a
+u8-backed cfg80211_rnr_elems::cnt field and uses that count to size
+the flexible array allocation.
+
+Reject nested NL80211_ATTR_EMA_RNR_ELEMS input once the count reaches
+255, before incrementing it again. This keeps the parser aligned with
+the data structure it fills and matches the existing bound check used
+by nl80211_parse_mbssid_elems().
+
+Fixes: dbbb27e183b1 ("cfg80211: support RNR for EMA AP")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Assisted-by: Codex:gpt-5.4
+Signed-off-by: Yuqi Xu <xuyuqiabc@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Link: https://patch.msgid.link/20260529152542.1412734-1-n05ec@lzu.edu.cn
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/nl80211.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -6079,6 +6079,9 @@ nl80211_parse_rnr_elems(struct wiphy *wi
+ if (ret)
+ return ERR_PTR(ret);
+
++ if (num_elems >= 255)
++ return ERR_PTR(-EINVAL);
++
+ num_elems++;
+ }
+
--- /dev/null
+From c381039ade2e161ab08c0eda73c4f8b9a7115928 Mon Sep 17 00:00:00 2001
+From: Wyatt Feng <bronzed_45_vested@icloud.com>
+Date: Wed, 3 Jun 2026 00:46:27 +0800
+Subject: xfrm: espintcp: do not reuse an in-progress partial send
+
+From: Wyatt Feng <bronzed_45_vested@icloud.com>
+
+commit c381039ade2e161ab08c0eda73c4f8b9a7115928 upstream.
+
+espintcp keeps a single in-flight transmit in ctx->partial.
+Before building a new sk_msg, espintcp_sendmsg() first tries to flush
+that state through espintcp_push_msgs().
+
+For blocking callers, espintcp_push_msgs() may return success even when
+the previous partial send is still pending. espintcp_sendmsg() would
+then reinitialize emsg->skmsg and reuse ctx->partial while the old
+transfer still owns that state.
+
+Do not rebuild the send message when ctx->partial is still in progress.
+If espintcp_push_msgs() returns with emsg->len still set, fail the new
+send instead of overwriting the live partial state.
+
+This is a memory-safety fix: reusing the live partial-send state can
+leave a stale offset attached to a new sk_msg and lead to an out-of-
+bounds read in the send path.
+
+tcp_sendmsg_locked() already handles waiting for send buffer memory, so
+the fix here is just to preserve espintcp's one-message-at-a-time
+transmit state.
+
+Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Assisted-by: Codex:GPT-5.4
+Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/espintcp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/xfrm/espintcp.c
++++ b/net/xfrm/espintcp.c
+@@ -349,6 +349,10 @@ static int espintcp_sendmsg(struct sock
+ err = -ENOBUFS;
+ goto unlock;
+ }
++ if (emsg->len) {
++ err = -ENOBUFS;
++ goto unlock;
++ }
+
+ sk_msg_init(&emsg->skmsg);
+ while (1) {
--- /dev/null
+From c8a8a75b733467b00c08b91a38dbaf207a08ed6e Mon Sep 17 00:00:00 2001
+From: Tristan Madani <tristmd@gmail.com>
+Date: Tue, 2 Jun 2026 17:16:41 +0000
+Subject: xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()
+
+From: Tristan Madani <tristmd@gmail.com>
+
+commit c8a8a75b733467b00c08b91a38dbaf207a08ed6e upstream.
+
+iptfs_destroy_state() calls hrtimer_cancel() while holding a spinlock
+that the timer callback also acquires, leading to an ABBA deadlock on
+SMP systems.
+
+For the output timer (iptfs_timer):
+ - iptfs_destroy_state() holds x->lock, calls hrtimer_cancel()
+ - iptfs_delay_timer() callback takes x->lock
+
+For the drop timer (drop_timer):
+ - iptfs_destroy_state() holds drop_lock, calls hrtimer_cancel()
+ - iptfs_drop_timer() callback takes drop_lock
+
+Both timers use HRTIMER_MODE_REL_SOFT, so their callbacks run in softirq
+context. When hrtimer_cancel() is called for a soft timer that is
+currently executing on another CPU, hrtimer_cancel_wait_running() spins
+on softirq_expiry_lock -- the same lock held by the softirq running the
+callback. If the callback is blocked waiting for the spinlock held by
+the caller of hrtimer_cancel(), a circular dependency forms:
+
+ CPU 0: holds lock_A -> waits for softirq_expiry_lock
+ CPU 1: holds softirq_expiry_lock -> waits for lock_A
+
+Fix by calling hrtimer_cancel() before acquiring the respective locks.
+hrtimer_cancel() is safe to call without holding any lock and will wait
+for any in-progress callback to complete. For the output timer, the
+lock is still acquired afterwards to drain the packet queue. For the
+drop timer, the lock/unlock pair is removed entirely since it only
+existed to serialize with the timer callback, which hrtimer_cancel()
+already guarantees.
+
+Found by source code audit.
+
+Fixes: 4b3faf610cc6 ("xfrm: iptfs: add new iptfs xfrm mode impl")
+Cc: Christian Hopps <chopps@labn.net>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_iptfs.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/xfrm/xfrm_iptfs.c
++++ b/net/xfrm/xfrm_iptfs.c
+@@ -2731,8 +2731,9 @@ static void iptfs_destroy_state(struct x
+ if (!xtfs)
+ return;
+
+- spin_lock_bh(&xtfs->x->lock);
+ hrtimer_cancel(&xtfs->iptfs_timer);
++
++ spin_lock_bh(&xtfs->x->lock);
+ __skb_queue_head_init(&list);
+ skb_queue_splice_init(&xtfs->queue, &list);
+ spin_unlock_bh(&xtfs->x->lock);
+@@ -2740,9 +2741,7 @@ static void iptfs_destroy_state(struct x
+ while ((skb = __skb_dequeue(&list)))
+ kfree_skb(skb);
+
+- spin_lock_bh(&xtfs->drop_lock);
+ hrtimer_cancel(&xtfs->drop_timer);
+- spin_unlock_bh(&xtfs->drop_lock);
+
+ if (xtfs->ra_newskb)
+ kfree_skb(xtfs->ra_newskb);
--- /dev/null
+From e9096a5a170e7ecd6467bc2e08668ec39897cda7 Mon Sep 17 00:00:00 2001
+From: Takao Sato <takaosato1997@gmail.com>
+Date: Tue, 26 May 2026 13:09:57 -0300
+Subject: xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()
+
+From: Takao Sato <takaosato1997@gmail.com>
+
+commit e9096a5a170e7ecd6467bc2e08668ec39897cda7 upstream.
+
+iptfs_consume_frags() transfers paged fragments from one socket buffer
+to another but fails to propagate the SKBFL_SHARED_FRAG flag. This is
+the same class of bug that was fixed in skb_try_coalesce() for
+CVE-2026-46300: when fragments backed by read-only page-cache pages are
+merged, the marker indicating their shared nature must be preserved so
+that ESP can decide correctly whether in-place encryption is safe.
+
+Apply the same two-line fix used in skb_try_coalesce() to
+iptfs_consume_frags().
+
+Fixes: b96ba312e21c ("xfrm: iptfs: share page fragments of inner packets")
+Cc: stable@vger.kernel.org # 6.14+
+Signed-off-by: Takao Sato <takaosato1997@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_iptfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/xfrm/xfrm_iptfs.c
++++ b/net/xfrm/xfrm_iptfs.c
+@@ -2170,6 +2170,8 @@ static void iptfs_consume_frags(struct s
+ memcpy(&toi->frags[toi->nr_frags], fromi->frags,
+ sizeof(fromi->frags[0]) * fromi->nr_frags);
+ toi->nr_frags += fromi->nr_frags;
++ if (fromi->nr_frags)
++ toi->flags |= fromi->flags & SKBFL_SHARED_FRAG;
+ fromi->nr_frags = 0;
+ from->data_len = 0;
+ from->len = 0;
--- /dev/null
+From fcf4faba9f986b3bb528da11913c9ec5d6e8f689 Mon Sep 17 00:00:00 2001
+From: Yingjie Gao <gaoyingjie@uniontech.com>
+Date: Wed, 27 May 2026 12:31:33 +0800
+Subject: xfs: fix error returns in CoW fork repair
+
+From: Yingjie Gao <gaoyingjie@uniontech.com>
+
+commit fcf4faba9f986b3bb528da11913c9ec5d6e8f689 upstream.
+
+xrep_cow_find_bad() returns success after the cleanup labels even if
+AG setup, btree queries, or bitmap updates failed. This can make
+repair continue with an incomplete bad-file-offset bitmap instead of
+stopping at the original error.
+
+The force-rebuild path has a related cleanup problem. If
+xrep_cow_mark_file_range() fails, the function returns directly and
+skips the scrub AG context and perag cleanup.
+
+Let the force-rebuild path fall through to the existing cleanup code
+and return the saved error after cleanup.
+
+Fixes: dbbdbd008632 ("xfs: repair problems in CoW forks")
+Cc: <stable@vger.kernel.org> # v6.8
+Signed-off-by: Yingjie Gao <gaoyingjie@uniontech.com>
+Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
+Signed-off-by: Carlos Maiolino <cem@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/scrub/cow_repair.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/fs/xfs/scrub/cow_repair.c
++++ b/fs/xfs/scrub/cow_repair.c
+@@ -300,18 +300,15 @@ xrep_cow_find_bad(
+ * on the debugging knob, replace everything in the CoW fork.
+ */
+ if ((sc->sm->sm_flags & XFS_SCRUB_IFLAG_FORCE_REBUILD) ||
+- XFS_TEST_ERROR(sc->mp, XFS_ERRTAG_FORCE_SCRUB_REPAIR)) {
++ XFS_TEST_ERROR(sc->mp, XFS_ERRTAG_FORCE_SCRUB_REPAIR))
+ error = xrep_cow_mark_file_range(xc, xc->irec.br_startblock,
+ xc->irec.br_blockcount);
+- if (error)
+- return error;
+- }
+
+ out_sa:
+ xchk_ag_free(sc, &sc->sa);
+ out_pag:
+ xfs_perag_put(pag);
+- return 0;
++ return error;
+ }
+
+ /*
--- /dev/null
+From c3e073894379532c00cca7ba5762e18fafe29da8 Mon Sep 17 00:00:00 2001
+From: Yingjie Gao <gaoyingjie@uniontech.com>
+Date: Wed, 27 May 2026 12:31:34 +0800
+Subject: xfs: fix rtgroup cleanup in CoW fork repair
+
+From: Yingjie Gao <gaoyingjie@uniontech.com>
+
+commit c3e073894379532c00cca7ba5762e18fafe29da8 upstream.
+
+xrep_cow_find_bad_rt() initializes scrub rtgroup state before the
+force-rebuild path calls xrep_cow_mark_file_range(). If that call
+fails, the code jumps directly to out_rtg, which skips the scrub
+rtgroup cleanup and only drops the local rtgroup reference.
+
+Remove the unnecessary jump so the function falls through to out_sr,
+ensuring the realtime cursors, lock state, and sr->rtg reference are
+released before returning.
+
+Fixes: fd97fe111208 ("xfs: fix CoW forks for realtime files")
+Cc: <stable@vger.kernel.org> # v6.14
+Signed-off-by: Yingjie Gao <gaoyingjie@uniontech.com>
+Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
+Signed-off-by: Carlos Maiolino <cem@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/scrub/cow_repair.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/fs/xfs/scrub/cow_repair.c
++++ b/fs/xfs/scrub/cow_repair.c
+@@ -382,12 +382,9 @@ xrep_cow_find_bad_rt(
+ * CoW fork and then scan for staging extents in the refcountbt.
+ */
+ if ((sc->sm->sm_flags & XFS_SCRUB_IFLAG_FORCE_REBUILD) ||
+- XFS_TEST_ERROR(sc->mp, XFS_ERRTAG_FORCE_SCRUB_REPAIR)) {
++ XFS_TEST_ERROR(sc->mp, XFS_ERRTAG_FORCE_SCRUB_REPAIR))
+ error = xrep_cow_mark_file_range(xc, xc->irec.br_startblock,
+ xc->irec.br_blockcount);
+- if (error)
+- goto out_rtg;
+- }
+
+ out_sr:
+ xchk_rtgroup_btcur_free(&sc->sr);
--- /dev/null
+From 732fd9f0b9c1cdc6dfd77162ded60df005182cc0 Mon Sep 17 00:00:00 2001
+From: Cunlong Li <shenxiaogll@gmail.com>
+Date: Thu, 28 May 2026 10:48:44 +0800
+Subject: zram: fix use-after-free in zram_bvec_write_partial()
+
+From: Cunlong Li <shenxiaogll@gmail.com>
+
+commit 732fd9f0b9c1cdc6dfd77162ded60df005182cc0 upstream.
+
+zram_read_page() picks the sync or async backing device read path based on
+whether the parent bio is NULL. zram_bvec_write_partial() passes its
+parent bio down, so for ZRAM_WB slots the read is dispatched
+asynchronously and zram_read_page() returns 0 while the bio is still in
+flight. The caller then runs memcpy_from_bvec(), zram_write_page() and
+__free_page() on the buffer, leaving the async read to write into a freed
+page.
+
+zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d
+("zram: fix synchronous reads") for the same reason; the write_partial
+counterpart was missed.
+
+Link: https://lore.kernel.org/20260528-zram-v3-1-cab86eef8764@gmail.com
+Fixes: 8e654f8fbff5 ("zram: read page from backing device")
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Signed-off-by: Cunlong Li <shenxiaogll@gmail.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Yisheng Xie <xieyisheng1@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/zram/zram_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -1915,7 +1915,7 @@ static int zram_bvec_write_partial(struc
+ if (!page)
+ return -ENOMEM;
+
+- ret = zram_read_page(zram, page, index, bio);
++ ret = zram_read_page(zram, page, index, NULL);
+ if (!ret) {
+ memcpy_from_bvec(page_address(page) + offset, bvec);
+ ret = zram_write_page(zram, page, index);
projects / thirdparty / kernel / stable-queue.git / commitdiff
