--- /dev/null
+From 5a658f6a8ad165a8ede2394d2b263e5d41359b7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 14:01:41 +0300
+Subject: Bluetooth: btrtl: Prevent potential NULL dereference
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 324dddea321078a6eeb535c2bff5257be74c9799 ]
+
+The btrtl_initialize() function checks that rtl_load_file() either
+had an error or it loaded a zero length file. However, if it loaded
+a zero length file then the error code is not set correctly. It
+results in an error pointer vs NULL bug, followed by a NULL pointer
+dereference. This was detected by Smatch:
+
+drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR'
+
+Fixes: 26503ad25de8 ("Bluetooth: btrtl: split the device initialization into smaller parts")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btrtl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
+index 3a9afc905f243..77de43d8d7962 100644
+--- a/drivers/bluetooth/btrtl.c
++++ b/drivers/bluetooth/btrtl.c
+@@ -625,6 +625,8 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
+ rtl_dev_err(hdev, "mandatory config file %s not found",
+ btrtl_dev->ic_info->cfg_name);
+ ret = btrtl_dev->cfg_len;
++ if (!ret)
++ ret = -EINVAL;
+ goto err_free;
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From 7468f197fc0c6b91e7fe93c55bd927019f92f5df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 13:02:08 -0400
+Subject: Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid
+ address
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit eb73b5a9157221f405b4fe32751da84ee46b7a25 ]
+
+This fixes sending MGMT_EV_DEVICE_FOUND for invalid address
+(00:00:00:00:00:00) which is a regression introduced by
+a2ec905d1e16 ("Bluetooth: fix kernel oops in store_pending_adv_report")
+since in the attempt to skip storing data for extended advertisement it
+actually made the code to skip the entire if statement supposed to send
+MGMT_EV_DEVICE_FOUND without attempting to use the last_addr_adv which
+is garanteed to be invalid for extended advertisement since we never
+store anything on it.
+
+Link: https://github.com/bluez/bluez/issues/1157
+Link: https://github.com/bluez/bluez/issues/1149#issuecomment-2767215658
+Fixes: a2ec905d1e16 ("Bluetooth: fix kernel oops in store_pending_adv_report")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 546795425119b..7f26c1aab9a06 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5644,11 +5644,12 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
+ * event or send an immediate device found event if the data
+ * should not be stored for later.
+ */
+- if (!ext_adv && !has_pending_adv_report(hdev)) {
++ if (!has_pending_adv_report(hdev)) {
+ /* If the report will trigger a SCAN_REQ store it for
+ * later merging.
+ */
+- if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
++ if (!ext_adv && (type == LE_ADV_IND ||
++ type == LE_ADV_SCAN_IND)) {
+ store_pending_adv_report(hdev, bdaddr, bdaddr_type,
+ rssi, flags, data, len);
+ return;
+--
+2.39.5
+
--- /dev/null
+From d9f38dae7583db571d48b0f9cf1526f0ff12c5ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 11:58:08 +0200
+Subject: cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit cfde542df7dd51d26cf667f4af497878ddffd85a ]
+
+Commit 8e461a1cb43d ("cpufreq: schedutil: Fix superfluous updates caused
+by need_freq_update") modified sugov_should_update_freq() to set the
+need_freq_update flag only for drivers with CPUFREQ_NEED_UPDATE_LIMITS
+set, but that flag generally needs to be set when the policy limits
+change because the driver callback may need to be invoked for the new
+limits to take effect.
+
+However, if the return value of cpufreq_driver_resolve_freq() after
+applying the new limits is still equal to the previously selected
+frequency, the driver callback needs to be invoked only in the case
+when CPUFREQ_NEED_UPDATE_LIMITS is set (which means that the driver
+specifically wants its callback to be invoked every time the policy
+limits change).
+
+Update the code accordingly to avoid missing policy limits changes for
+drivers without CPUFREQ_NEED_UPDATE_LIMITS.
+
+Fixes: 8e461a1cb43d ("cpufreq: schedutil: Fix superfluous updates caused by need_freq_update")
+Closes: https://lore.kernel.org/lkml/Z_Tlc6Qs-tYpxWYb@linaro.org/
+Reported-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Christian Loehle <christian.loehle@arm.com>
+Link: https://patch.msgid.link/3010358.e9J7NaK4W3@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/cpufreq_schedutil.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c
+index d8b9e1d25200f..c1307bbdc291b 100644
+--- a/kernel/sched/cpufreq_schedutil.c
++++ b/kernel/sched/cpufreq_schedutil.c
+@@ -90,7 +90,7 @@ static bool sugov_should_update_freq(struct sugov_policy *sg_policy, u64 time)
+
+ if (unlikely(sg_policy->limits_changed)) {
+ sg_policy->limits_changed = false;
+- sg_policy->need_freq_update = cpufreq_driver_test_flags(CPUFREQ_NEED_UPDATE_LIMITS);
++ sg_policy->need_freq_update = true;
+ return true;
+ }
+
+@@ -102,10 +102,22 @@ static bool sugov_should_update_freq(struct sugov_policy *sg_policy, u64 time)
+ static bool sugov_update_next_freq(struct sugov_policy *sg_policy, u64 time,
+ unsigned int next_freq)
+ {
+- if (sg_policy->need_freq_update)
++ if (sg_policy->need_freq_update) {
+ sg_policy->need_freq_update = false;
+- else if (sg_policy->next_freq == next_freq)
++ /*
++ * The policy limits have changed, but if the return value of
++ * cpufreq_driver_resolve_freq() after applying the new limits
++ * is still equal to the previously selected frequency, the
++ * driver callback need not be invoked unless the driver
++ * specifically wants that to happen on every update of the
++ * policy limits.
++ */
++ if (sg_policy->next_freq == next_freq &&
++ !cpufreq_driver_test_flags(CPUFREQ_NEED_UPDATE_LIMITS))
++ return false;
++ } else if (sg_policy->next_freq == next_freq) {
+ return false;
++ }
+
+ sg_policy->next_freq = next_freq;
+ sg_policy->last_freq_update_time = time;
+--
+2.39.5
+
--- /dev/null
+From add3b0be10faaf57ce702f1693f5f77726ee8dca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 22:36:46 +0530
+Subject: cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path
+
+From: Abdun Nihaal <abdun.nihaal@gmail.com>
+
+[ Upstream commit 00ffb3724ce743578163f5ade2884374554ca021 ]
+
+In the for loop used to allocate the loc_array and bmap for each port, a
+memory leak is possible when the allocation for loc_array succeeds,
+but the allocation for bmap fails. This is because when the control flow
+goes to the label free_eth_finfo, only the allocations starting from
+(i-1)th iteration are freed.
+
+Fix that by freeing the loc_array in the bmap allocation error path.
+
+Fixes: d915c299f1da ("cxgb4: add skeleton for ethtool n-tuple filters")
+Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20250414170649.89156-1-abdun.nihaal@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c
+index 7080cb6c83e4a..0f36319eb3115 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c
+@@ -2258,6 +2258,7 @@ int cxgb4_init_ethtool_filters(struct adapter *adap)
+ GFP_KERNEL);
+ if (!eth_filter->port[i].bmap) {
+ ret = -ENOMEM;
++ kvfree(eth_filter->port[i].loc_array);
+ goto free_eth_finfo;
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From 4458b93e72fdc322e160ae3c5ecf36114d284195 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 16:35:33 -0700
+Subject: igc: cleanup PTP module if probe fails
+
+From: Christopher S M Hall <christopher.s.hall@intel.com>
+
+[ Upstream commit 1f025759ba394dd53e434d2668cb0597886d9b69 ]
+
+Make sure that the PTP module is cleaned up if the igc_probe() fails by
+calling igc_ptp_stop() on exit.
+
+Fixes: d89f88419f99 ("igc: Add skeletal frame for Intel(R) 2.5G Ethernet Controller support")
+Signed-off-by: Christopher S M Hall <christopher.s.hall@intel.com>
+Reviewed-by: Corinna Vinschen <vinschen@redhat.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 65cf7035b02d5..7593e8b7469c5 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -5405,6 +5405,7 @@ static int igc_probe(struct pci_dev *pdev,
+
+ err_register:
+ igc_release_hw_control(adapter);
++ igc_ptp_stop(adapter);
+ err_eeprom:
+ if (!igc_check_reset_block(hw))
+ igc_reset_phy(hw);
+--
+2.39.5
+
--- /dev/null
+From 9e71a936a887786a719d718bdb3fee09e6df47c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 16:35:32 -0700
+Subject: igc: handle the IGC_PTP_ENABLED flag correctly
+
+From: Christopher S M Hall <christopher.s.hall@intel.com>
+
+[ Upstream commit 26a3910afd111f7c1a96dace6dc02f3225063896 ]
+
+All functions in igc_ptp.c called from igc_main.c should check the
+IGC_PTP_ENABLED flag. Adding check for this flag to stop and reset
+functions.
+
+Fixes: 5f2958052c58 ("igc: Add basic skeleton for PTP")
+Signed-off-by: Christopher S M Hall <christopher.s.hall@intel.com>
+Reviewed-by: Corinna Vinschen <vinschen@redhat.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_ptp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
+index 25b238c6a675c..d99f597a83be5 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
+@@ -578,8 +578,12 @@ void igc_ptp_suspend(struct igc_adapter *adapter)
+ **/
+ void igc_ptp_stop(struct igc_adapter *adapter)
+ {
++ if (!(adapter->ptp_flags & IGC_PTP_ENABLED))
++ return;
++
+ igc_ptp_suspend(adapter);
+
++ adapter->ptp_flags &= ~IGC_PTP_ENABLED;
+ if (adapter->ptp_clock) {
+ ptp_clock_unregister(adapter->ptp_clock);
+ netdev_info(adapter->netdev, "PHC removed\n");
+@@ -598,6 +602,9 @@ void igc_ptp_reset(struct igc_adapter *adapter)
+ struct igc_hw *hw = &adapter->hw;
+ unsigned long flags;
+
++ if (!(adapter->ptp_flags & IGC_PTP_ENABLED))
++ return;
++
+ /* reset the tstamp_config */
+ igc_ptp_set_timestamp_mode(adapter, &adapter->tstamp_config);
+
+--
+2.39.5
+
--- /dev/null
+From efa0cef2eb524f69f32ca359973b0b5a73d46d93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 22:04:34 +0200
+Subject: net: b53: enable BPDU reception for management port
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit 36355ddfe8955f226a88a543ed354b9f6b84cd70 ]
+
+For STP to work, receiving BPDUs is essential, but the appropriate bit
+was never set. Without GC_RX_BPDU_EN, the switch chip will filter all
+BPDUs, even if an appropriate PVID VLAN was setup.
+
+Fixes: ff39c2d68679 ("net: dsa: b53: Add bridge support")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Link: https://patch.msgid.link/20250414200434.194422-1-jonas.gorski@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 2fc33019e814a..d3428e62bef24 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -686,6 +686,15 @@ static void b53_enable_mib(struct b53_device *dev)
+ b53_write8(dev, B53_MGMT_PAGE, B53_GLOBAL_CONFIG, gc);
+ }
+
++static void b53_enable_stp(struct b53_device *dev)
++{
++ u8 gc;
++
++ b53_read8(dev, B53_MGMT_PAGE, B53_GLOBAL_CONFIG, &gc);
++ gc |= GC_RX_BPDU_EN;
++ b53_write8(dev, B53_MGMT_PAGE, B53_GLOBAL_CONFIG, gc);
++}
++
+ static u16 b53_default_pvid(struct b53_device *dev)
+ {
+ if (is5325(dev) || is5365(dev))
+@@ -807,6 +816,7 @@ static int b53_switch_reset(struct b53_device *dev)
+ }
+
+ b53_enable_mib(dev);
++ b53_enable_stp(dev);
+
+ return b53_flush_arl(dev, FAST_AGE_STATIC);
+ }
+--
+2.39.5
+
--- /dev/null
+From f051a81b5ec452539e1f5c8637dc90618d46cfba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Apr 2025 12:40:18 +0200
+Subject: net: openvswitch: fix nested key length validation in the set()
+ action
+
+From: Ilya Maximets <i.maximets@ovn.org>
+
+[ Upstream commit 65d91192aa66f05710cfddf6a14b5a25ee554dba ]
+
+It's not safe to access nla_len(ovs_key) if the data is smaller than
+the netlink header. Check that the attribute is OK first.
+
+Fixes: ccb1352e76cf ("net: Add Open vSwitch kernel components.")
+Reported-by: syzbot+b07a9da40df1576b8048@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b07a9da40df1576b8048
+Tested-by: syzbot+b07a9da40df1576b8048@syzkaller.appspotmail.com
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+Reviewed-by: Eelco Chaudron <echaudro@redhat.com>
+Acked-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/20250412104052.2073688-1-i.maximets@ovn.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/flow_netlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
+index cff18a5bbf386..3f8f43dbf44fc 100644
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -2834,7 +2834,8 @@ static int validate_set(const struct nlattr *a,
+ size_t key_len;
+
+ /* There can be only one key in a action */
+- if (nla_total_size(nla_len(ovs_key)) != nla_len(a))
++ if (!nla_ok(ovs_key, nla_len(a)) ||
++ nla_total_size(nla_len(ovs_key)) != nla_len(a))
+ return -EINVAL;
+
+ key_len = nla_len(ovs_key);
+--
+2.39.5
+
--- /dev/null
+From 75ebba55bb4dd15b1eb7f300e3d5c7e003fd9132 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Mar 2025 14:42:21 +0200
+Subject: RDMA/core: Silence oversized kvmalloc() warning
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit 9a0e6f15029e1a8a21e40f06fd05aa52b7f063de ]
+
+syzkaller triggered an oversized kvmalloc() warning.
+Silence it by adding __GFP_NOWARN.
+
+syzkaller log:
+ WARNING: CPU: 7 PID: 518 at mm/util.c:665 __kvmalloc_node_noprof+0x175/0x180
+ CPU: 7 UID: 0 PID: 518 Comm: c_repro Not tainted 6.11.0-rc6+ #6
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:__kvmalloc_node_noprof+0x175/0x180
+ RSP: 0018:ffffc90001e67c10 EFLAGS: 00010246
+ RAX: 0000000000000100 RBX: 0000000000000400 RCX: ffffffff8149d46b
+ RDX: 0000000000000000 RSI: ffff8881030fae80 RDI: 0000000000000002
+ RBP: 000000712c800000 R08: 0000000000000100 R09: 0000000000000000
+ R10: ffffc90001e67c10 R11: 0030ae0601000000 R12: 0000000000000000
+ R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000
+ FS: 00007fde79159740(0000) GS:ffff88813bdc0000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000020000180 CR3: 0000000105eb4005 CR4: 00000000003706b0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ <TASK>
+ ib_umem_odp_get+0x1f6/0x390
+ mlx5_ib_reg_user_mr+0x1e8/0x450
+ ib_uverbs_reg_mr+0x28b/0x440
+ ib_uverbs_write+0x7d3/0xa30
+ vfs_write+0x1ac/0x6c0
+ ksys_write+0x134/0x170
+ ? __sanitizer_cov_trace_pc+0x1c/0x50
+ do_syscall_64+0x50/0x110
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Fixes: 37824952dc8f ("RDMA/odp: Use kvcalloc for the dma_list and page_list")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Link: https://patch.msgid.link/c6cb92379de668be94894f49c2cfa40e73f94d56.1742388096.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/umem_odp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/core/umem_odp.c b/drivers/infiniband/core/umem_odp.c
+index af4af4789ef27..dd69b20ed286d 100644
+--- a/drivers/infiniband/core/umem_odp.c
++++ b/drivers/infiniband/core/umem_odp.c
+@@ -78,12 +78,14 @@ static inline int ib_init_umem_odp(struct ib_umem_odp *umem_odp,
+
+ npfns = (end - start) >> PAGE_SHIFT;
+ umem_odp->pfn_list = kvcalloc(
+- npfns, sizeof(*umem_odp->pfn_list), GFP_KERNEL);
++ npfns, sizeof(*umem_odp->pfn_list),
++ GFP_KERNEL | __GFP_NOWARN);
+ if (!umem_odp->pfn_list)
+ return -ENOMEM;
+
+ umem_odp->dma_list = kvcalloc(
+- ndmas, sizeof(*umem_odp->dma_list), GFP_KERNEL);
++ ndmas, sizeof(*umem_odp->dma_list),
++ GFP_KERNEL | __GFP_NOWARN);
+ if (!umem_odp->dma_list) {
+ ret = -ENOMEM;
+ goto out_pfn_list;
+--
+2.39.5
+
--- /dev/null
+From 601017c91f487442cd6c1cf86257fdb4826951b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Mar 2025 19:47:24 +0800
+Subject: RDMA/hns: Fix wrong maximum DMA segment size
+
+From: Chengchang Tang <tangchengchang@huawei.com>
+
+[ Upstream commit 9beb2c91fb86e0be70a5833c6730441fa3c9efa8 ]
+
+Set maximum DMA segment size to 2G instead of UINT_MAX due to HW limit.
+
+Fixes: e0477b34d9d1 ("RDMA: Explicitly pass in the dma_device to ib_register_device")
+Link: https://patch.msgid.link/r/20250327114724.3454268-3-huangjunxian6@hisilicon.com
+Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
+index f520e43e4e146..3c79668c6b3b5 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_main.c
++++ b/drivers/infiniband/hw/hns/hns_roce_main.c
+@@ -552,7 +552,7 @@ static int hns_roce_register_device(struct hns_roce_dev *hr_dev)
+ if (ret)
+ return ret;
+ }
+- dma_set_max_seg_size(dev, UINT_MAX);
++ dma_set_max_seg_size(dev, SZ_2G);
+ ret = ib_register_device(ib_dev, "hns_%d", dev);
+ if (ret) {
+ dev_err(dev, "ib_register_device failed!\n");
+--
+2.39.5
+
--- /dev/null
+From b8bc32251b825686395b98fbb73766934e20ae75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 20:31:32 +0800
+Subject: RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe()
+
+From: Yue Haibing <yuehaibing@huawei.com>
+
+[ Upstream commit 95ba3850fed03e01b422ab5d7943aeba130c9723 ]
+
+drivers/infiniband/hw/usnic/usnic_ib_main.c:590
+ usnic_ib_pci_probe() warn: passing zero to 'PTR_ERR'
+
+Make usnic_ib_device_add() return NULL on fail path, also remove
+useless NULL check for usnic_ib_discover_pf()
+
+Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver")
+Link: https://patch.msgid.link/r/20250324123132.2392077-1-yuehaibing@huawei.com
+Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/hw/usnic/usnic_ib_main.c b/drivers/infiniband/hw/usnic/usnic_ib_main.c
+index aa2e65fc5cd65..ea3e28e3e0b29 100644
+--- a/drivers/infiniband/hw/usnic/usnic_ib_main.c
++++ b/drivers/infiniband/hw/usnic/usnic_ib_main.c
+@@ -378,7 +378,7 @@ static void *usnic_ib_device_add(struct pci_dev *dev)
+ if (!us_ibdev) {
+ usnic_err("Device %s context alloc failed\n",
+ netdev_name(pci_get_drvdata(dev)));
+- return ERR_PTR(-EFAULT);
++ return NULL;
+ }
+
+ us_ibdev->ufdev = usnic_fwd_dev_alloc(dev);
+@@ -519,8 +519,8 @@ static struct usnic_ib_dev *usnic_ib_discover_pf(struct usnic_vnic *vnic)
+ }
+
+ us_ibdev = usnic_ib_device_add(parent_pci);
+- if (IS_ERR_OR_NULL(us_ibdev)) {
+- us_ibdev = us_ibdev ? us_ibdev : ERR_PTR(-EFAULT);
++ if (!us_ibdev) {
++ us_ibdev = ERR_PTR(-EFAULT);
+ goto out;
+ }
+
+@@ -583,10 +583,10 @@ static int usnic_ib_pci_probe(struct pci_dev *pdev,
+ }
+
+ pf = usnic_ib_discover_pf(vf->vnic);
+- if (IS_ERR_OR_NULL(pf)) {
+- usnic_err("Failed to discover pf of vnic %s with err%ld\n",
+- pci_name(pdev), PTR_ERR(pf));
+- err = pf ? PTR_ERR(pf) : -EFAULT;
++ if (IS_ERR(pf)) {
++ err = PTR_ERR(pf);
++ usnic_err("Failed to discover pf of vnic %s with err%d\n",
++ pci_name(pdev), err);
+ goto out_clean_vnic;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 0e135dcd3441149d7626d39b05310fd47c69ca8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Apr 2025 16:13:34 +0200
+Subject: Revert "wifi: mac80211: Update skb's control block key in
+ ieee80211_tx_dequeue()"
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 0937cb5f345c79d702b4d0d744e2a2529b551cb2 ]
+
+This reverts commit a104042e2bf6528199adb6ca901efe7b60c2c27f.
+
+Since the original bug seems to have been around for years,
+but a new issue was report with the fix, revert the fix for
+now. We have a couple of weeks to figure it out for this
+release, if needed.
+
+Reported-by: Bert Karwatzki <spasswolf@web.de>
+Closes: https://lore.kernel.org/linux-wireless/20250410215527.3001-1-spasswolf@web.de
+Fixes: a104042e2bf6 ("wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 5615575595efb..0d6d12fc3c07e 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3691,7 +3691,6 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
+ * The key can be removed while the packet was queued, so need to call
+ * this here to get the current key.
+ */
+- info->control.hw_key = NULL;
+ r = ieee80211_tx_h_select_key(&tx);
+ if (r != TX_CONTINUE) {
+ ieee80211_free_txskb(&local->hw, skb);
+--
+2.39.5
+
--- /dev/null
+From fe6cc97a1fcaa27a9a23ba4bbf930e540663c031 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Apr 2025 15:32:21 +0800
+Subject: riscv: KGDB: Do not inline arch_kgdb_breakpoint()
+
+From: WangYuli <wangyuli@uniontech.com>
+
+[ Upstream commit 3af4bec9c1db3f003be4d5ae09b6a737e4be1612 ]
+
+The arch_kgdb_breakpoint() function defines the kgdb_compiled_break
+symbol using inline assembly.
+
+There's a potential issue where the compiler might inline
+arch_kgdb_breakpoint(), which would then define the kgdb_compiled_break
+symbol multiple times, leading to fail to link vmlinux.o.
+
+This isn't merely a potential compilation problem. The intent here
+is to determine the global symbol address of kgdb_compiled_break,
+and if this function is inlined multiple times, it would logically
+be a grave error.
+
+Link: https://lore.kernel.org/all/4b4187c1-77e5-44b7-885f-d6826723dd9a@sifive.com/
+Link: https://lore.kernel.org/all/5b0adf9b-2b22-43fe-ab74-68df94115b9a@ghiti.fr/
+Link: https://lore.kernel.org/all/23693e7f-4fff-40f3-a437-e06d827278a5@ghiti.fr/
+Fixes: fe89bd2be866 ("riscv: Add KGDB support")
+Co-developed-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: WangYuli <wangyuli@uniontech.com>
+Link: https://lore.kernel.org/r/F22359AFB6FF9FD8+20250411073222.56820-1-wangyuli@uniontech.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/kgdb.h | 9 +--------
+ arch/riscv/kernel/kgdb.c | 8 ++++++++
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/arch/riscv/include/asm/kgdb.h b/arch/riscv/include/asm/kgdb.h
+index 46677daf708bd..cc11c4544cffd 100644
+--- a/arch/riscv/include/asm/kgdb.h
++++ b/arch/riscv/include/asm/kgdb.h
+@@ -19,16 +19,9 @@
+
+ #ifndef __ASSEMBLY__
+
++void arch_kgdb_breakpoint(void);
+ extern unsigned long kgdb_compiled_break;
+
+-static inline void arch_kgdb_breakpoint(void)
+-{
+- asm(".global kgdb_compiled_break\n"
+- ".option norvc\n"
+- "kgdb_compiled_break: ebreak\n"
+- ".option rvc\n");
+-}
+-
+ #endif /* !__ASSEMBLY__ */
+
+ #define DBG_REG_ZERO "zero"
+diff --git a/arch/riscv/kernel/kgdb.c b/arch/riscv/kernel/kgdb.c
+index 963ed7edcff26..b0db3350d243b 100644
+--- a/arch/riscv/kernel/kgdb.c
++++ b/arch/riscv/kernel/kgdb.c
+@@ -273,6 +273,14 @@ void kgdb_arch_set_pc(struct pt_regs *regs, unsigned long pc)
+ regs->epc = pc;
+ }
+
++noinline void arch_kgdb_breakpoint(void)
++{
++ asm(".global kgdb_compiled_break\n"
++ ".option norvc\n"
++ "kgdb_compiled_break: ebreak\n"
++ ".option rvc\n");
++}
++
+ void kgdb_arch_handle_qxfer_pkt(char *remcom_in_buffer,
+ char *remcom_out_buffer)
+ {
+--
+2.39.5
+
--- /dev/null
+From e9ab6caf73f13ad6130d5bca4acf83aaa7af0af2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Apr 2025 15:32:22 +0800
+Subject: riscv: KGDB: Remove ".option norvc/.option rvc" for
+ kgdb_compiled_break
+
+From: WangYuli <wangyuli@uniontech.com>
+
+[ Upstream commit 550c2aa787d1b06efcb11de1877354502a1237f2 ]
+
+[ Quoting Samuel Holland: ]
+
+ This is a separate issue, but using ".option rvc" here is a bug.
+ It will unconditionally enable the C extension for the rest of
+ the file, even if the kernel is being built with CONFIG_RISCV_ISA_C=n.
+
+[ Quoting Palmer Dabbelt: ]
+
+ We're just looking at the address of kgdb_compiled_break, so it's
+ fine if it ends up as a c.ebreak.
+
+[ Quoting Alexandre Ghiti: ]
+
+ .option norvc is used to prevent the assembler from using compressed
+ instructions, but it's generally used when we need to ensure the
+ size of the instructions that are used, which is not the case here
+ as noted by Palmer since we only care about the address. So yes
+ it will work fine with C enabled :)
+
+So let's just remove them all.
+
+Link: https://lore.kernel.org/all/4b4187c1-77e5-44b7-885f-d6826723dd9a@sifive.com/
+Link: https://lore.kernel.org/all/mhng-69513841-5068-441d-be8f-2aeebdc56a08@palmer-ri-x1c9a/
+Link: https://lore.kernel.org/all/23693e7f-4fff-40f3-a437-e06d827278a5@ghiti.fr/
+Fixes: fe89bd2be866 ("riscv: Add KGDB support")
+Cc: Samuel Holland <samuel.holland@sifive.com>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Alexandre Ghiti <alex@ghiti.fr>
+Signed-off-by: WangYuli <wangyuli@uniontech.com>
+Link: https://lore.kernel.org/r/8B431C6A4626225C+20250411073222.56820-2-wangyuli@uniontech.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/kgdb.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/arch/riscv/kernel/kgdb.c b/arch/riscv/kernel/kgdb.c
+index b0db3350d243b..1d83b36967212 100644
+--- a/arch/riscv/kernel/kgdb.c
++++ b/arch/riscv/kernel/kgdb.c
+@@ -276,9 +276,7 @@ void kgdb_arch_set_pc(struct pt_regs *regs, unsigned long pc)
+ noinline void arch_kgdb_breakpoint(void)
+ {
+ asm(".global kgdb_compiled_break\n"
+- ".option norvc\n"
+- "kgdb_compiled_break: ebreak\n"
+- ".option rvc\n");
++ "kgdb_compiled_break: ebreak\n");
+ }
+
+ void kgdb_arch_handle_qxfer_pkt(char *remcom_in_buffer,
+--
+2.39.5
+
--- /dev/null
+From 40ca8777739a9a58a2857ef0e7f4bc26d2771d44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 17:43:43 +0800
+Subject: scsi: iscsi: Fix missing scsi_host_put() in error path
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 72eea84a1092b50a10eeecfeba4b28ac9f1312ab ]
+
+Add goto to ensure scsi_host_put() is called in all error paths of
+iscsi_set_host_param() function. This fixes a potential memory leak when
+strlen() check fails.
+
+Fixes: ce51c8170084 ("scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20250318094344.91776-1-linmq006@gmail.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index c636a6d3bdcc1..548adbe544444 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -3185,11 +3185,14 @@ iscsi_set_host_param(struct iscsi_transport *transport,
+ }
+
+ /* see similar check in iscsi_if_set_param() */
+- if (strlen(data) > ev->u.set_host_param.len)
+- return -EINVAL;
++ if (strlen(data) > ev->u.set_host_param.len) {
++ err = -EINVAL;
++ goto out;
++ }
+
+ err = transport->set_host_param(shost, ev->u.set_host_param.param,
+ data, ev->u.set_host_param.len);
++out:
+ scsi_host_put(shost);
+ return err;
+ }
+--
+2.39.5
+
bluetooth-hci_uart-fix-another-race-during-initialization.patch
pwm-mediatek-always-use-bus-clock-for-pwm-on-mt7622.patch
hsi-ssi_protocol-fix-use-after-free-vulnerability-in-ssi_protocol-driver-due-to-race-condition.patch
+wifi-at76c50x-fix-use-after-free-access-in-at76_disc.patch
+wifi-mac80211-update-skb-s-control-block-key-in-ieee.patch
+wifi-mac80211-purge-vif-txq-in-ieee80211_do_stop.patch
+wifi-wl1251-fix-memory-leak-in-wl1251_tx_work.patch
+scsi-iscsi-fix-missing-scsi_host_put-in-error-path.patch
+rdma-usnic-fix-passing-zero-to-ptr_err-in-usnic_ib_p.patch
+rdma-hns-fix-wrong-maximum-dma-segment-size.patch
+rdma-core-silence-oversized-kvmalloc-warning.patch
+bluetooth-hci_event-fix-sending-mgmt_ev_device_found.patch
+bluetooth-btrtl-prevent-potential-null-dereference.patch
+revert-wifi-mac80211-update-skb-s-control-block-key-.patch
+igc-handle-the-igc_ptp_enabled-flag-correctly.patch
+igc-cleanup-ptp-module-if-probe-fails.patch
+net-openvswitch-fix-nested-key-length-validation-in-.patch
+cxgb4-fix-memory-leak-in-cxgb4_init_ethtool_filters-.patch
+net-b53-enable-bpdu-reception-for-management-port.patch
+riscv-kgdb-do-not-inline-arch_kgdb_breakpoint.patch
+riscv-kgdb-remove-.option-norvc-.option-rvc-for-kgdb.patch
+cpufreq-sched-fix-the-usage-of-cpufreq_need_update_l.patch
--- /dev/null
+From 02833cd088b4935dc0c94ae7a29989a6ed426e82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Mar 2025 16:01:10 +0530
+Subject: wifi: at76c50x: fix use after free access in at76_disconnect
+
+From: Abdun Nihaal <abdun.nihaal@gmail.com>
+
+[ Upstream commit 27c7e63b3cb1a20bb78ed4a36c561ea4579fd7da ]
+
+The memory pointed to by priv is freed at the end of at76_delete_device
+function (using ieee80211_free_hw). But the code then accesses the udev
+field of the freed object to put the USB device. This may also lead to a
+memory leak of the usb device. Fix this by using udev from interface.
+
+Fixes: 29e20aa6c6af ("at76c50x-usb: fix use after free on failure path in at76_probe()")
+Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
+Link: https://patch.msgid.link/20250330103110.44080-1-abdun.nihaal@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/atmel/at76c50x-usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/atmel/at76c50x-usb.c b/drivers/net/wireless/atmel/at76c50x-usb.c
+index 4042578000331..706de33d0ed49 100644
+--- a/drivers/net/wireless/atmel/at76c50x-usb.c
++++ b/drivers/net/wireless/atmel/at76c50x-usb.c
+@@ -2553,7 +2553,7 @@ static void at76_disconnect(struct usb_interface *interface)
+
+ wiphy_info(priv->hw->wiphy, "disconnecting\n");
+ at76_delete_device(priv);
+- usb_put_dev(priv->udev);
++ usb_put_dev(interface_to_usbdev(interface));
+ dev_info(&interface->dev, "disconnected\n");
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 4c3c9cbcbcb4e27a4c17e86b13ac628779213c07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 17:28:21 +0100
+Subject: wifi: mac80211: Purge vif txq in ieee80211_do_stop()
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit 378677eb8f44621ecc9ce659f7af61e5baa94d81 ]
+
+After ieee80211_do_stop() SKB from vif's txq could still be processed.
+Indeed another concurrent vif schedule_and_wake_txq call could cause
+those packets to be dequeued (see ieee80211_handle_wake_tx_queue())
+without checking the sdata current state.
+
+Because vif.drv_priv is now cleared in this function, this could lead to
+driver crash.
+
+For example in ath12k, ahvif is store in vif.drv_priv. Thus if
+ath12k_mac_op_tx() is called after ieee80211_do_stop(), ahvif->ah can be
+NULL, leading the ath12k_warn(ahvif->ah,...) call in this function to
+trigger the NULL deref below.
+
+ Unable to handle kernel paging request at virtual address dfffffc000000001
+ KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+ batman_adv: bat0: Interface deactivated: brbh1337
+ Mem abort info:
+ ESR = 0x0000000096000004
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x04: level 0 translation fault
+ Data abort info:
+ ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+ CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+ GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+ [dfffffc000000001] address between user and kernel address ranges
+ Internal error: Oops: 0000000096000004 [#1] SMP
+ CPU: 1 UID: 0 PID: 978 Comm: lbd Not tainted 6.13.0-g633f875b8f1e #114
+ Hardware name: HW (DT)
+ pstate: 10000005 (nzcV daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k]
+ lr : ath12k_mac_op_tx+0x174/0x29b8 [ath12k]
+ sp : ffffffc086ace450
+ x29: ffffffc086ace450 x28: 0000000000000000 x27: 1ffffff810d59ca4
+ x26: ffffff801d05f7c0 x25: 0000000000000000 x24: 000000004000001e
+ x23: ffffff8009ce4926 x22: ffffff801f9c0800 x21: ffffff801d05f7f0
+ x20: ffffff8034a19f40 x19: 0000000000000000 x18: ffffff801f9c0958
+ x17: ffffff800bc0a504 x16: dfffffc000000000 x15: ffffffc086ace4f8
+ x14: ffffff801d05f83c x13: 0000000000000000 x12: ffffffb003a0bf03
+ x11: 0000000000000000 x10: ffffffb003a0bf02 x9 : ffffff8034a19f40
+ x8 : ffffff801d05f818 x7 : 1ffffff0069433dc x6 : ffffff8034a19ee0
+ x5 : ffffff801d05f7f0 x4 : 0000000000000000 x3 : 0000000000000001
+ x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000008
+ Call trace:
+ ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k] (P)
+ ieee80211_handle_wake_tx_queue+0x16c/0x260
+ ieee80211_queue_skb+0xeec/0x1d20
+ ieee80211_tx+0x200/0x2c8
+ ieee80211_xmit+0x22c/0x338
+ __ieee80211_subif_start_xmit+0x7e8/0xc60
+ ieee80211_subif_start_xmit+0xc4/0xee0
+ __ieee80211_subif_start_xmit_8023.isra.0+0x854/0x17a0
+ ieee80211_subif_start_xmit_8023+0x124/0x488
+ dev_hard_start_xmit+0x160/0x5a8
+ __dev_queue_xmit+0x6f8/0x3120
+ br_dev_queue_push_xmit+0x120/0x4a8
+ __br_forward+0xe4/0x2b0
+ deliver_clone+0x5c/0xd0
+ br_flood+0x398/0x580
+ br_dev_xmit+0x454/0x9f8
+ dev_hard_start_xmit+0x160/0x5a8
+ __dev_queue_xmit+0x6f8/0x3120
+ ip6_finish_output2+0xc28/0x1b60
+ __ip6_finish_output+0x38c/0x638
+ ip6_output+0x1b4/0x338
+ ip6_local_out+0x7c/0xa8
+ ip6_send_skb+0x7c/0x1b0
+ ip6_push_pending_frames+0x94/0xd0
+ rawv6_sendmsg+0x1a98/0x2898
+ inet_sendmsg+0x94/0xe0
+ __sys_sendto+0x1e4/0x308
+ __arm64_sys_sendto+0xc4/0x140
+ do_el0_svc+0x110/0x280
+ el0_svc+0x20/0x60
+ el0t_64_sync_handler+0x104/0x138
+ el0t_64_sync+0x154/0x158
+
+To avoid that, empty vif's txq at ieee80211_do_stop() so no packet could
+be dequeued after ieee80211_do_stop() (new packets cannot be queued
+because SDATA_STATE_RUNNING is cleared at this point).
+
+Fixes: ba8c3d6f16a1 ("mac80211: add an intermediate software queue implementation")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://patch.msgid.link/ff7849e268562456274213c0476e09481a48f489.1742833382.git.repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/iface.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
+index 55e3dfa7505d4..644eabaf10e31 100644
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -595,6 +595,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
+ if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
+ ieee80211_txq_remove_vlan(local, sdata);
+
++ if (sdata->vif.txq)
++ ieee80211_txq_purge(sdata->local, to_txq_info(sdata->vif.txq));
++
+ sdata->bss = NULL;
+
+ if (local->open_count == 0)
+--
+2.39.5
+
--- /dev/null
+From 44b31678aae2b3820711f6053fa65c44c1a853fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 17:28:20 +0100
+Subject: wifi: mac80211: Update skb's control block key in
+ ieee80211_tx_dequeue()
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit a104042e2bf6528199adb6ca901efe7b60c2c27f ]
+
+The ieee80211 skb control block key (set when skb was queued) could have
+been removed before ieee80211_tx_dequeue() call. ieee80211_tx_dequeue()
+already called ieee80211_tx_h_select_key() to get the current key, but
+the latter do not update the key in skb control block in case it is
+NULL. Because some drivers actually use this key in their TX callbacks
+(e.g. ath1{1,2}k_mac_op_tx()) this could lead to the use after free
+below:
+
+ BUG: KASAN: slab-use-after-free in ath11k_mac_op_tx+0x590/0x61c
+ Read of size 4 at addr ffffff803083c248 by task kworker/u16:4/1440
+
+ CPU: 3 UID: 0 PID: 1440 Comm: kworker/u16:4 Not tainted 6.13.0-ge128f627f404 #2
+ Hardware name: HW (DT)
+ Workqueue: bat_events batadv_send_outstanding_bcast_packet
+ Call trace:
+ show_stack+0x14/0x1c (C)
+ dump_stack_lvl+0x58/0x74
+ print_report+0x164/0x4c0
+ kasan_report+0xac/0xe8
+ __asan_report_load4_noabort+0x1c/0x24
+ ath11k_mac_op_tx+0x590/0x61c
+ ieee80211_handle_wake_tx_queue+0x12c/0x1c8
+ ieee80211_queue_skb+0xdcc/0x1b4c
+ ieee80211_tx+0x1ec/0x2bc
+ ieee80211_xmit+0x224/0x324
+ __ieee80211_subif_start_xmit+0x85c/0xcf8
+ ieee80211_subif_start_xmit+0xc0/0xec4
+ dev_hard_start_xmit+0xf4/0x28c
+ __dev_queue_xmit+0x6ac/0x318c
+ batadv_send_skb_packet+0x38c/0x4b0
+ batadv_send_outstanding_bcast_packet+0x110/0x328
+ process_one_work+0x578/0xc10
+ worker_thread+0x4bc/0xc7c
+ kthread+0x2f8/0x380
+ ret_from_fork+0x10/0x20
+
+ Allocated by task 1906:
+ kasan_save_stack+0x28/0x4c
+ kasan_save_track+0x1c/0x40
+ kasan_save_alloc_info+0x3c/0x4c
+ __kasan_kmalloc+0xac/0xb0
+ __kmalloc_noprof+0x1b4/0x380
+ ieee80211_key_alloc+0x3c/0xb64
+ ieee80211_add_key+0x1b4/0x71c
+ nl80211_new_key+0x2b4/0x5d8
+ genl_family_rcv_msg_doit+0x198/0x240
+ <...>
+
+ Freed by task 1494:
+ kasan_save_stack+0x28/0x4c
+ kasan_save_track+0x1c/0x40
+ kasan_save_free_info+0x48/0x94
+ __kasan_slab_free+0x48/0x60
+ kfree+0xc8/0x31c
+ kfree_sensitive+0x70/0x80
+ ieee80211_key_free_common+0x10c/0x174
+ ieee80211_free_keys+0x188/0x46c
+ ieee80211_stop_mesh+0x70/0x2cc
+ ieee80211_leave_mesh+0x1c/0x60
+ cfg80211_leave_mesh+0xe0/0x280
+ cfg80211_leave+0x1e0/0x244
+ <...>
+
+Reset SKB control block key before calling ieee80211_tx_h_select_key()
+to avoid that.
+
+Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://patch.msgid.link/06aa507b853ca385ceded81c18b0a6dd0f081bc8.1742833382.git.repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 0d6d12fc3c07e..5615575595efb 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3691,6 +3691,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
+ * The key can be removed while the packet was queued, so need to call
+ * this here to get the current key.
+ */
++ info->control.hw_key = NULL;
+ r = ieee80211_tx_h_select_key(&tx);
+ if (r != TX_CONTINUE) {
+ ieee80211_free_txskb(&local->hw, skb);
+--
+2.39.5
+
--- /dev/null
+From 94fdc6f00aa77905717ef67e5ea7b585478786c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Mar 2025 16:15:32 +0530
+Subject: wifi: wl1251: fix memory leak in wl1251_tx_work
+
+From: Abdun Nihaal <abdun.nihaal@gmail.com>
+
+[ Upstream commit a0f0dc96de03ffeefc2a177b7f8acde565cb77f4 ]
+
+The skb dequeued from tx_queue is lost when wl1251_ps_elp_wakeup fails
+with a -ETIMEDOUT error. Fix that by queueing the skb back to tx_queue.
+
+Fixes: c5483b719363 ("wl12xx: check if elp wakeup failed")
+Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
+Reviewed-by: Michael Nemanov <michael.nemanov@ti.com>
+Link: https://patch.msgid.link/20250330104532.44935-1-abdun.nihaal@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl1251/tx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c
+index 98cd39619d579..5771f61392efb 100644
+--- a/drivers/net/wireless/ti/wl1251/tx.c
++++ b/drivers/net/wireless/ti/wl1251/tx.c
+@@ -342,8 +342,10 @@ void wl1251_tx_work(struct work_struct *work)
+ while ((skb = skb_dequeue(&wl->tx_queue))) {
+ if (!woken_up) {
+ ret = wl1251_ps_elp_wakeup(wl);
+- if (ret < 0)
++ if (ret < 0) {
++ skb_queue_head(&wl->tx_queue, skb);
+ goto out;
++ }
+ woken_up = true;
+ }
+
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
