--- /dev/null
+From 9c954499d43aefac01c5dfb57a82b13d2dcf4b94 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 19 May 2026 16:29:38 +0200
+Subject: fuse: reject fuse_notify() pagecache ops on directories
+
+From: Jann Horn <jannh@google.com>
+
+commit 9c954499d43aefac01c5dfb57a82b13d2dcf4b94 upstream.
+
+The operations FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE allow the
+FUSE daemon to actively write/read pagecache contents.
+
+For directories with FOPEN_CACHE_DIR, the pagecache is used as
+kernel-internal cache storage, and userspace is not supposed to have
+direct access to this cache - in particular, fuse_parse_cache() will hit
+WARN_ON() if the cache contains bogus data.
+
+Reject FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE on anything other than
+regular files with -EINVAL.
+
+Fixes: 5d7bc7e8680c ("fuse: allow using readdir cache")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Link: https://patch.msgid.link/20260519-fuse-dir-pagecache-v2-1-5428fa48e175@google.com
+Acked-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/dev.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1597,6 +1597,10 @@ static int fuse_notify_store(struct fuse
+ inode = fuse_ilookup(fc, nodeid, NULL);
+ if (!inode)
+ goto out_up_killsb;
++ if (!S_ISREG(inode->i_mode)) {
++ err = -EINVAL;
++ goto out_iput;
++ }
+
+ mapping = inode->i_mapping;
+ index = outarg.offset >> PAGE_SHIFT;
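Review bot: The new `S_ISREG()` rejection in fuse_notify_store() has no comment saying why non-regular inodes are refused, and neither does the matching check in the fuse_notify_retrieve() hunk. Without one the test reads like an arbitrary restriction and is easy to relax later. A comment above each check, such as `/* pagecache of non-regular inodes (e.g. the FOPEN_CACHE_DIR readdir cache) is kernel-internal; the daemon must not read or write it */`, would record the trust boundary the commit message describes. Both function bodies continue outside the hunks, so `out_iput` is only assumed to drop the reference taken by fuse_ilookup().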
+@@ -1768,7 +1772,10 @@ static int fuse_notify_retrieve(struct f
+
+ inode = fuse_ilookup(fc, nodeid, &fm);
+ if (inode) {
+- err = fuse_retrieve(fm, inode, &outarg);
++ if (!S_ISREG(inode->i_mode))
++ err = -EINVAL;
++ else
++ err = fuse_retrieve(fm, inode, &outarg);
+ iput(inode);
+ }
+ up_read(&fc->killsb);
--- /dev/null
+From 729ac5a4b966aac42e08a94dea966f4429008548 Mon Sep 17 00:00:00 2001
+From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Date: Sat, 16 May 2026 02:41:18 +0300
+Subject: i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
+
+From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+
+commit 729ac5a4b966aac42e08a94dea966f4429008548 upstream.
+
+On all modern platforms Qualcomm CCI controller provides two I2C masters,
+and on particular boards only one I2C master may be initialized, and in
+such cases the device unbinding or driver removal causes a NULL pointer
+dereference, because cci_halt() is called for all two I2C masters, but
+a completion is initialized only for the single enabled master:
+
+ % rmmod i2c-qcom-cci
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+ <snip>
+ Call trace:
+ __wait_for_common+0x194/0x1a8 (P)
+ wait_for_completion_timeout+0x20/0x2c
+ cci_remove+0xc4/0x138 [i2c_qcom_cci]
+ platform_remove+0x20/0x30
+ device_remove+0x4c/0x80
+ device_release_driver_internal+0x1c8/0x224
+ driver_detach+0x50/0x98
+ bus_remove_driver+0x6c/0xbc
+ driver_unregister+0x30/0x60
+ platform_driver_unregister+0x14/0x20
+ qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci]
+ ....
+
+Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver")
+Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Cc: <stable@vger.kernel.org> # v5.8+
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20260515234121.1607425-2-vladimir.zapolskiy@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-qcom-cci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-qcom-cci.c
++++ b/drivers/i2c/busses/i2c-qcom-cci.c
+@@ -683,8 +683,8 @@ static void cci_remove(struct platform_d
+ if (cci->master[i].cci) {
+ i2c_del_adapter(&cci->master[i].adap);
+ of_node_put(cci->master[i].adap.dev.of_node);
++ cci_halt(cci, i);
+ }
+- cci_halt(cci, i);
+ }
+
+ disable_irq(cci->irq);
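Review bot: The guard that now covers `cci_halt(cci, i)` relies on `cci->master[i].cci` being set only for masters whose completion was initialised, which is neither visible in this hunk nor stated in the code. A short comment on the condition, for example `/* only probed masters have a completion for cci_halt() to wait on */`, would keep a later cleanup from moving the call back out of the block. The loop and cci_remove() itself start outside the hunk.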
--- /dev/null
+From a124579c0763da7bc408f4cd7e8f606cadc94855 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guillermo=20Rodr=C3=ADguez?= <guille.rodriguez@gmail.com>
+Date: Tue, 26 May 2026 11:12:09 +0200
+Subject: i2c: stm32f7: fix timing computation ignoring i2c-analog-filter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Guillermo RodrÃguez <guille.rodriguez@gmail.com>
+
+commit a124579c0763da7bc408f4cd7e8f606cadc94855 upstream.
+
+stm32f7_i2c_compute_timing() uses i2c_dev->analog_filter to pick
+the analog filter delay, but i2c_dev->analog_filter is parsed from
+the "i2c-analog-filter" DT property only after the compute_timing
+loop in stm32f7_i2c_setup_timing(), so in practice the timing
+calculations always ignore the analog filter. On an STM32MP1 board
+with clock-frequency = <400000> and i2c-analog-filter set, measured
+SCL frequency was ~382 kHz.
+
+This also affects (widens) the computed SDADEL range. At high bus
+clock speeds, this can select an SDADEL value that violates tVD;DAT
+(data valid time).
+
+Fix by parsing "i2c-analog-filter" before the compute_timing loop.
+
+Fixes: 83c3408f7b9c ("i2c: stm32f7: support DT binding i2c-analog-filter")
+Signed-off-by: Guillermo RodrÃguez <guille.rodriguez@gmail.com>
+Cc: <stable@vger.kernel.org> # v5.13+
+Acked-by: Alain Volmat <alain.volmat@foss.st.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20260526091210.20383-1-guille.rodriguez@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-stm32f7.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-stm32f7.c
++++ b/drivers/i2c/busses/i2c-stm32f7.c
+@@ -680,6 +680,9 @@ static int stm32f7_i2c_setup_timing(stru
+ if (!of_property_read_bool(i2c_dev->dev->of_node, "i2c-digital-filter"))
+ i2c_dev->dnf_dt = STM32F7_I2C_DNF_DEFAULT;
+
++ i2c_dev->analog_filter = of_property_read_bool(i2c_dev->dev->of_node,
++ "i2c-analog-filter");
++
+ do {
+ ret = stm32f7_i2c_compute_timing(i2c_dev, setup,
+ &i2c_dev->timing);
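Review bot: The relocated `i2c_dev->analog_filter` assignment carries an ordering requirement that the code does not state. According to the commit message, stm32f7_i2c_compute_timing() reads this field, so it must be set before the `do { ... }` loop. A comment above the assignment, e.g. `/* must be parsed before stm32f7_i2c_compute_timing(), which reads analog_filter */`, would stop the next reshuffle of the DT parsing from silently reintroducing the wrong SDADEL range. stm32f7_i2c_setup_timing() starts outside the hunk.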
+@@ -701,9 +704,6 @@ static int stm32f7_i2c_setup_timing(stru
+ return ret;
+ }
+
+- i2c_dev->analog_filter = of_property_read_bool(i2c_dev->dev->of_node,
+- "i2c-analog-filter");
+-
+ dev_dbg(i2c_dev->dev, "I2C Speed(%i), Clk Source(%i)\n",
+ setup->speed_freq, setup->clock_src);
+ dev_dbg(i2c_dev->dev, "I2C Rise(%i) and Fall(%i) Time\n",
--- /dev/null
+From 656646b3847ac6a21b074a813223feef2aadd6e2 Mon Sep 17 00:00:00 2001
+From: Akhil R <akhilrajeev@nvidia.com>
+Date: Mon, 18 May 2026 17:10:13 +0530
+Subject: i2c: tegra: Fix NOIRQ suspend/resume
+
+From: Akhil R <akhilrajeev@nvidia.com>
+
+commit 656646b3847ac6a21b074a813223feef2aadd6e2 upstream.
+
+The Tegra I2C driver relies on runtime PM to wake up the controller before
+each transfer. However, runtime PM is disabled between the system suspend
+and NOIRQ suspend. If an I2C device initiates a transfer during this
+window, the I2C controller fails to wake up and the transfer fails. To
+handle this, the controller must be kept available for this period to
+allow transfers.
+
+Rework the I2C controller's system PM callbacks such that the controller
+is resumed from runtime suspend during system suspend and it stays
+RPM_ACTIVE throughout the suspend-resume cycle until it is runtime
+suspended back in the system resume. The clocks are disabled in NOIRQ
+suspend and enabled back in NOIRQ resume by calling the controller's
+runtime PM functions directly.
+
+Fixes: 8ebf15e9c869 ("i2c: tegra: Move suspend handling to NOIRQ phase")
+Assisted-by: Cursor:claude-4.6-opus
+Signed-off-by: Akhil R <akhilrajeev@nvidia.com>
+Cc: <stable@vger.kernel.org> # v5.4+
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20260518114013.62065-5-akhilrajeev@nvidia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-tegra.c | 53 +++++++++++++++++++++++------------------
+ 1 file changed, 30 insertions(+), 23 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-tegra.c
++++ b/drivers/i2c/busses/i2c-tegra.c
+@@ -1889,28 +1889,37 @@ static int __maybe_unused tegra_i2c_runt
+
+ static int __maybe_unused tegra_i2c_suspend(struct device *dev)
+ {
++ /*
++ * Bring the controller up and hold a usage count so it stays
++ * available until the noirq phase.
++ */
++ return pm_runtime_resume_and_get(dev);
++}
++
++static int __maybe_unused tegra_i2c_suspend_noirq(struct device *dev)
++{
+ struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev);
+- int err;
+
+ i2c_mark_adapter_suspended(&i2c_dev->adapter);
+
+- if (!pm_runtime_status_suspended(dev)) {
+- err = tegra_i2c_runtime_suspend(dev);
+- if (err)
+- return err;
+- }
+-
+- return 0;
++ /*
++ * Runtime PM is already disabled at this point, so invoke the
++ * runtime_suspend callback directly to put the controller down.
++ */
++ return tegra_i2c_runtime_suspend(dev);
+ }
+
+-static int __maybe_unused tegra_i2c_resume(struct device *dev)
++static int __maybe_unused tegra_i2c_resume_noirq(struct device *dev)
+ {
+ struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev);
+ int err;
+
+ /*
+- * We need to ensure that clocks are enabled so that registers can be
+- * restored in tegra_i2c_init().
++ * Runtime PM is still disabled at this point, so invoke the
++ * runtime_resume callback directly to bring the controller back up
++ * before re-initializing the hardware. The adapter is then marked
++ * resumed so that consumers can issue transfers from their own
++ * resume_noirq() handlers and onwards.
+ */
+ err = tegra_i2c_runtime_resume(dev);
+ if (err)
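Review bot: tegra_i2c_suspend_noirq() marks the adapter suspended before it knows whether `tegra_i2c_runtime_suspend(dev)` succeeded, so a failure there returns an error with the adapter still flagged as suspended. Whether tegra_i2c_resume_noirq() later runs for a device whose noirq suspend failed depends on the PM core and is not visible here; if it does not, transfers would stay rejected after the aborted suspend. Keeping the result in `err` and calling `i2c_mark_adapter_resumed(&i2c_dev->adapter);` when it is non-zero, before `return err;`, would close that gap. The body of tegra_i2c_resume_noirq() continues past the end of this hunk.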
+@@ -1920,24 +1929,22 @@ static int __maybe_unused tegra_i2c_resu
+ if (err)
+ return err;
+
+- /*
+- * In case we are runtime suspended, disable clocks again so that we
+- * don't unbalance the clock reference counts during the next runtime
+- * resume transition.
+- */
+- if (pm_runtime_status_suspended(dev)) {
+- err = tegra_i2c_runtime_suspend(dev);
+- if (err)
+- return err;
+- }
+-
+ i2c_mark_adapter_resumed(&i2c_dev->adapter);
+
+ return 0;
+ }
+
++static int __maybe_unused tegra_i2c_resume(struct device *dev)
++{
++ pm_runtime_put(dev);
++
++ return 0;
++}
++
+ static const struct dev_pm_ops tegra_i2c_pm = {
+- SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume)
++ SET_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume)
++ SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend_noirq,
++ tegra_i2c_resume_noirq)
+ SET_RUNTIME_PM_OPS(tegra_i2c_runtime_suspend, tegra_i2c_runtime_resume,
+ NULL)
+ };
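Review bot: tegra_i2c_resume() drops a usage count with `pm_runtime_put(dev)` but nothing in the function says where that count was taken; add a comment such as `/* Drop the usage count taken in tegra_i2c_suspend() */`. The pairing matters because the get and the put now live in different PM phases from the clock handling. It is also worth confirming the case where tegra_i2c_resume_noirq() returns an error: this put would presumably still run and could reach the runtime-suspend callback with clocks that were never re-enabled.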
--- /dev/null
+From ad0979fe053e9f2db82da82188256ef6eb41095a Mon Sep 17 00:00:00 2001
+From: Zeyu WANG <zeyu.thomas.wang@gmail.com>
+Date: Wed, 3 Jun 2026 01:09:09 +0800
+Subject: Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)
+
+From: Zeyu WANG <zeyu.thomas.wang@gmail.com>
+
+commit ad0979fe053e9f2db82da82188256ef6eb41095a upstream.
+
+The Lenovo Yoga Air 14 (83QK) laptop keyboard becomes unresponsive
+after the standard atkbd init sequence. Controlled testing on the
+actual hardware shows the F5 (ATKBD_CMD_RESET_DIS / deactivate)
+command specifically corrupts the EC state, causing zero IRQ1
+interrupts after init.
+
+Skipping only the deactivate command (while keeping F4 ENABLE)
+resolves the issue completely: both keystroke input and CapsLock
+LED toggle work correctly. The reverse test - skipping only F4
+while keeping F5 - makes the problem worse (zero keystroke
+interrupts), confirming F5 is the sole culprit.
+
+Add a DMI quirk entry for LENOVO/83QK using the existing
+atkbd_deactivate_fixup callback, consistent with the existing
+entries for LG Electronics and HONOR FMB-P that address the
+same EC F5 deactivate issue.
+
+Signed-off-by: Zeyu WANG <zeyu.thomas.wang@gmail.com>
+Link: https://patch.msgid.link/20260602170909.14725-1-zeyu.thomas.wang@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/atkbd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/input/keyboard/atkbd.c
++++ b/drivers/input/keyboard/atkbd.c
+@@ -1944,6 +1944,14 @@ static const struct dmi_system_id atkbd_
+ },
+ .callback = atkbd_deactivate_fixup,
+ },
++ {
++ /* Lenovo Yoga Air 14 (83QK) */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83QK"),
++ },
++ .callback = atkbd_deactivate_fixup,
++ },
+ { }
+ };
+
--- /dev/null
+From fb402386af4cdce108ff991a796386de55439735 Mon Sep 17 00:00:00 2001
+From: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
+Date: Fri, 5 Jun 2026 15:27:21 +0800
+Subject: Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard
+
+From: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
+
+commit fb402386af4cdce108ff991a796386de55439735 upstream.
+
+After commit 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd -
+do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID"), HONOR
+BCC-N, aka HONOR MagicBook 14 2026's internal keyboard stops
+working. Adding the atkbd_deactivate_fixup quirk fixes it.
+
+DMI: HONOR BCC-N/BCC-N-PCB, BIOS 1.04 04/07/2026
+
+Fixes: 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID")
+Reported-by: Hongfei Ren <lcrhf@outlook.com>
+Link: https://github.com/colorcube/Linux-on-Honor-Magicbook-14-Pro/issues/1#issuecomment-4562679891
+Tested-by: Hongfei Ren <lcrhf@outlook.com>
+Cc: stable@kernel.org
+Signed-off-by: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
+Link: https://patch.msgid.link/20260605-honor-v1-1-78e05e491193@linux.dev
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/atkbd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/keyboard/atkbd.c
++++ b/drivers/input/keyboard/atkbd.c
+@@ -1952,6 +1952,13 @@ static const struct dmi_system_id atkbd_
+ },
+ .callback = atkbd_deactivate_fixup,
+ },
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "HONOR"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "BCC-N"),
++ },
++ .callback = atkbd_deactivate_fixup,
++ },
+ { }
+ };
+
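Review bot: The new HONOR entry has no comment naming the machine, although the commit message identifies it as the HONOR BCC-N (MagicBook 14 2026); add `/* HONOR BCC-N (MagicBook 14 2026) */` as the first line inside the braces so the table stays self-describing. Note also that `DMI_MATCH` is a substring match, so `"BCC-N"` will also apply the quirk to any other HONOR product name containing that string. If only this model is meant, `DMI_EXACT_MATCH` would narrow it. The table starts outside the hunk.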
--- /dev/null
+From 2e5c6f4fd4001562781e99bbfc7f1f0127187542 Mon Sep 17 00:00:00 2001
+From: Yilin Zhu <zylzyl2333@gmail.com>
+Date: Thu, 30 Apr 2026 13:21:34 +0800
+Subject: ipc/shm: serialize orphan cleanup with shm_nattch updates
+
+From: Yilin Zhu <zylzyl2333@gmail.com>
+
+commit 2e5c6f4fd4001562781e99bbfc7f1f0127187542 upstream.
+
+shm_destroy_orphaned() walks the shm idr under shm_ids(ns).rwsem, but that
+does not serialize all fields tested by shm_may_destroy(). In particular,
+shm_nattch is updated while holding shm_perm.lock, and attach paths can do
+that without holding the rwsem.
+
+Do not decide that an orphaned segment is unused before taking the object
+lock. Move the shm_may_destroy() check under shm_perm.lock, matching the
+other destroy paths, and unlock the segment when it no longer qualifies
+for removal.
+
+Link: https://lore.kernel.org/9d97cc1031de2d0bace0edf3a668818aa2f4eca6.1777410234.git.zylzyl2333@gmail.com
+Fixes: 4c677e2eefdb ("shm: optimize locking and ipc_namespace getting")
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Yilin Zhu <zylzyl2333@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Jeongjun Park <aha310510@gmail.com>
+Cc: Kees Cook <kees@kernel.org>
+Cc: Liam Howlett <liam@infradead.org>
+Cc: Lorenzo Stoakes <ljs@kernel.org>
+Cc: Serge Hallyn <sergeh@kernel.org>
+Cc: Vasiliy Kulikov <segoon@openwall.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ ipc/shm.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -415,15 +415,17 @@ static int shm_try_destroy_orphaned(int
+ * We want to destroy segments without users and with already
+ * exit'ed originating process.
+ *
+- * As shp->* are changed under rwsem, it's safe to skip shp locking.
++ * shm_nattch can be changed under shm_perm.lock without holding the
++ * rwsem, so take the object lock before checking shm_may_destroy().
+ */
+ if (!list_empty(&shp->shm_clist))
+ return 0;
+
+- if (shm_may_destroy(shp)) {
+- shm_lock_by_ptr(shp);
++ shm_lock_by_ptr(shp);
++ if (shm_may_destroy(shp))
+ shm_destroy(ns, shp);
+- }
++ else
++ shm_unlock(shp);
+ return 0;
+ }
+
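Review bot: The `list_empty(&shp->shm_clist)` test still runs before `shm_lock_by_ptr(shp)`, while the rewritten comment only justifies moving the shm_nattch-dependent check under the object lock. Which lock protects shm_clist is not visible in this hunk. If that field can also change without the rwsem, the early return has the same stale-read problem the commit fixes. Either extend the comment to say why the unlocked list test is safe, or perform it after taking the lock and call `shm_unlock(shp)` on the early-return path. The function starts outside the hunk.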
--- /dev/null
+From 464c6ad2aa16e1e1df9d559289199356493d1e00 Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Sat, 30 May 2026 21:45:26 +0100
+Subject: misc: fastrpc: fix DMA address corruption due to find_vma misuse
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit 464c6ad2aa16e1e1df9d559289199356493d1e00 upstream.
+
+fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided
+pointer and compute a DMA address offset. When the address falls in a gap
+before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows,
+corrupting the DMA address sent to the DSP.
+
+Replace find_vma() with vma_lookup(), which returns NULL when the address
+is not contained within any VMA.
+
+Cc: stable@vger.kernel.org
+Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204528.116920-3-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -1057,7 +1057,7 @@ static int fastrpc_get_args(u32 kernel,
+ pages[i].addr = ctx->maps[i]->phys;
+
+ mmap_read_lock(current->mm);
+- vma = find_vma(current->mm, ctx->args[i].ptr);
++ vma = vma_lookup(current->mm, ctx->args[i].ptr);
+ if (vma)
+ pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) -
+ vma->vm_start;
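Review bot: With vma_lookup(), a pointer that lies in no VMA now takes the false side of `if (vma)`, and the hunk shows no else branch, so `pages[i].addr` is passed on unadjusted instead of the call failing. The commit message describes `ctx->args[i].ptr` as user-provided, so an unmapped value is input that has not been validated rather than a normal case. If such a pointer is never legitimate here, drop the mmap lock and fail the invocation (for example with -EFAULT). If it is deliberate, a comment should say which callers rely on it. The rest of fastrpc_get_args(), including the unlock, is outside the hunk.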
--- /dev/null
+From 5401fb4fe10fac6134c308495df18ed74aebb9c4 Mon Sep 17 00:00:00 2001
+From: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Date: Sat, 30 May 2026 21:45:27 +0100
+Subject: misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
+
+From: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+
+commit 5401fb4fe10fac6134c308495df18ed74aebb9c4 upstream.
+
+A NULL pointer dereference was observed on Hawi at boot when the DSP
+sends a glink message before fastrpc_rpmsg_probe() has completed
+initialization:
+
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178
+ pc : _raw_spin_lock_irqsave+0x34/0x8c
+ lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
+ ...
+ Call trace:
+ _raw_spin_lock_irqsave+0x34/0x8c (P)
+ fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
+ qcom_glink_native_rx+0x538/0x6a4
+ qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem]
+
+The faulting address 0x178 corresponds to the lock variable inside
+struct fastrpc_channel_ctx, confirming that cctx is NULL when
+fastrpc_rpmsg_callback() attempts to take the spinlock.
+
+There are two issues here. First, dev_set_drvdata() is called before
+spin_lock_init() and idr_init(), leaving a window where the callback
+can retrieve a valid cctx pointer but operate on an uninitialized
+spinlock. Second, the rpmsg channel becomes live as soon as the driver
+is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata()
+is called at all, resulting in dev_get_drvdata() returning NULL.
+
+Fix both issues by moving all cctx initialization ahead of
+dev_set_drvdata() so the structure is fully initialized before it
+becomes visible to the callback, and add a NULL check in
+fastrpc_rpmsg_callback() as a guard against any remaining window.
+
+Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204528.116920-4-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -2392,7 +2392,6 @@ static int fastrpc_rpmsg_probe(struct rp
+
+ kref_init(&data->refcount);
+
+- dev_set_drvdata(&rpdev->dev, data);
+ rdev->dma_mask = &data->dma_mask;
+ dma_set_mask_and_coherent(rdev, DMA_BIT_MASK(32));
+ INIT_LIST_HEAD(&data->users);
+@@ -2401,6 +2400,7 @@ static int fastrpc_rpmsg_probe(struct rp
+ idr_init(&data->ctx_idr);
+ data->domain_id = domain_id;
+ data->rpdev = rpdev;
++ dev_set_drvdata(&rpdev->dev, data);
+
+ err = of_platform_populate(rdev->of_node, NULL, NULL, rdev);
+ if (err)
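Review bot: Moving `dev_set_drvdata(&rpdev->dev, data)` after the initialisation fixes program order, but it is a plain store, so nothing visible here orders it after the spin_lock_init()/idr_init() writes as seen from the CPU running fastrpc_rpmsg_callback(). If the callback really can run concurrently with probe, as the commit message says, the publication wants release/acquire semantics, or a comment explaining what already provides the ordering. The `if (err)` path after of_platform_populate() is cut off by the hunk. Check that it clears drvdata before `data` is released, otherwise the `!cctx` test added in the last hunk does not help on that path.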
+@@ -2474,6 +2474,9 @@ static int fastrpc_rpmsg_callback(struct
+ if (len < sizeof(*rsp))
+ return -EINVAL;
+
++ if (!cctx)
++ return -ENODEV;
++
+ ctxid = ((rsp->ctx & FASTRPC_CTXID_MASK) >> 4);
+
+ spin_lock_irqsave(&cctx->lock, flags);
--- /dev/null
+From e85eb5feca8e254905ffa6c57a3c99c89a674a0f Mon Sep 17 00:00:00 2001
+From: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
+Date: Sat, 30 May 2026 21:45:25 +0100
+Subject: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
+
+commit e85eb5feca8e254905ffa6c57a3c99c89a674a0f upstream.
+
+There is a race between fastrpc_device_release() and the workqueue
+that processes DSP responses. When the user closes the file descriptor,
+fastrpc_device_release() frees the fastrpc_user structure. Concurrently,
+an in-flight DSP invocation can complete and fastrpc_rpmsg_callback()
+schedules context cleanup via schedule_work(&ctx->put_work). If the
+workqueue runs fastrpc_context_free() in parallel with or after
+fastrpc_device_release() has freed the user structure, it dereferences
+the freed fastrpc_user. Depending on the state of the context at the
+time of the race, any one of the following accesses can be hit:
+
+ 1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...)
+ to strip the SID bits from the stored IOVA before passing the
+ physical address to dma_free_coherent().
+
+ 2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to
+ reconstruct the source permission bitmask needed for the
+ qcom_scm_assign_mem() call that returns memory from the DSP VM
+ back to HLOS.
+
+ 3. fastrpc_free_map() acquires map->fl->lock to safely remove the
+ map node from the fl->maps list.
+
+The resulting use-after-free manifests as:
+
+ pc : fastrpc_buf_free+0x38/0x80 [fastrpc]
+ lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]
+ fastrpc_context_free+0xa8/0x1b0 [fastrpc]
+ fastrpc_context_put_wq+0x78/0xa0 [fastrpc]
+ process_one_work+0x180/0x450
+ worker_thread+0x26c/0x388
+
+Add kref-based reference counting to fastrpc_user. Have each invoke
+context take a reference on the user at allocation time and release it
+when the context is freed. Release the initial reference in
+fastrpc_device_release() at file close. Move the teardown of the user
+structure — freeing pending contexts, maps, mmaps, and the channel
+context reference — into the kref release callback fastrpc_user_free(),
+so that it runs only when the last reference is dropped, regardless of
+whether that happens at device close or after the final in-flight
+context completes.
+
+Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter")
+Cc: stable@kernel.org
+Signed-off-by: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204528.116920-2-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 75 +++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 52 insertions(+), 23 deletions(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -305,6 +305,8 @@ struct fastrpc_user {
+ spinlock_t lock;
+ /* lock for allocations */
+ struct mutex mutex;
++ /* Reference count */
++ struct kref refcount;
+ };
+
+ static void fastrpc_free_map(struct kref *ref)
+@@ -473,15 +475,57 @@ static void fastrpc_channel_ctx_put(stru
+ kref_put(&cctx->refcount, fastrpc_channel_ctx_free);
+ }
+
++static void fastrpc_context_put(struct fastrpc_invoke_ctx *ctx);
++
++static void fastrpc_user_free(struct kref *ref)
++{
++ struct fastrpc_user *fl = container_of(ref, struct fastrpc_user, refcount);
++ struct fastrpc_invoke_ctx *ctx, *n;
++ struct fastrpc_map *map, *m;
++ struct fastrpc_buf *buf, *b;
++
++ if (fl->init_mem)
++ fastrpc_buf_free(fl->init_mem);
++
++ list_for_each_entry_safe(ctx, n, &fl->pending, node) {
++ list_del(&ctx->node);
++ fastrpc_context_put(ctx);
++ }
++
++ list_for_each_entry_safe(map, m, &fl->maps, node)
++ fastrpc_map_put(map);
++
++ list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
++ list_del(&buf->node);
++ fastrpc_buf_free(buf);
++ }
++
++ fastrpc_channel_ctx_put(fl->cctx);
++ mutex_destroy(&fl->mutex);
++ kfree(fl);
++}
++
++static void fastrpc_user_get(struct fastrpc_user *fl)
++{
++ kref_get(&fl->refcount);
++}
++
++static void fastrpc_user_put(struct fastrpc_user *fl)
++{
++ kref_put(&fl->refcount, fastrpc_user_free);
++}
++
+ static void fastrpc_context_free(struct kref *ref)
+ {
+ struct fastrpc_invoke_ctx *ctx;
+ struct fastrpc_channel_ctx *cctx;
++ struct fastrpc_user *fl;
+ unsigned long flags;
+ int i;
+
+ ctx = container_of(ref, struct fastrpc_invoke_ctx, refcount);
+ cctx = ctx->cctx;
++ fl = ctx->fl;
+
+ for (i = 0; i < ctx->nbufs; i++)
+ fastrpc_map_put(ctx->maps[i]);
+@@ -497,6 +541,8 @@ static void fastrpc_context_free(struct
+ kfree(ctx->olaps);
+ kfree(ctx);
+
++ /* Release the reference taken in fastrpc_context_alloc() */
++ fastrpc_user_put(fl);
+ fastrpc_channel_ctx_put(cctx);
+ }
+
+@@ -606,6 +652,8 @@ static struct fastrpc_invoke_ctx *fastrp
+
+ /* Released in fastrpc_context_put() */
+ fastrpc_channel_ctx_get(cctx);
++ /* Take a reference to user, released in fastrpc_context_free() */
++ fastrpc_user_get(user);
+
+ ctx->sc = sc;
+ ctx->retval = -1;
+@@ -636,6 +684,7 @@ err_idr:
+ spin_lock(&user->lock);
+ list_del(&ctx->node);
+ spin_unlock(&user->lock);
++ fastrpc_user_put(user);
+ fastrpc_channel_ctx_put(cctx);
+ kfree(ctx->maps);
+ kfree(ctx->olaps);
+@@ -1549,9 +1598,6 @@ static int fastrpc_device_release(struct
+ {
+ struct fastrpc_user *fl = (struct fastrpc_user *)file->private_data;
+ struct fastrpc_channel_ctx *cctx = fl->cctx;
+- struct fastrpc_invoke_ctx *ctx, *n;
+- struct fastrpc_map *map, *m;
+- struct fastrpc_buf *buf, *b;
+ unsigned long flags;
+
+ fastrpc_release_current_dsp_process(fl);
+@@ -1560,28 +1606,10 @@ static int fastrpc_device_release(struct
+ list_del(&fl->user);
+ spin_unlock_irqrestore(&cctx->lock, flags);
+
+- if (fl->init_mem)
+- fastrpc_buf_free(fl->init_mem);
+-
+- list_for_each_entry_safe(ctx, n, &fl->pending, node) {
+- list_del(&ctx->node);
+- fastrpc_context_put(ctx);
+- }
+-
+- list_for_each_entry_safe(map, m, &fl->maps, node)
+- fastrpc_map_put(map);
+-
+- list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
+- list_del(&buf->node);
+- fastrpc_buf_free(buf);
+- }
+-
+ fastrpc_session_free(cctx, fl->sctx);
+- fastrpc_channel_ctx_put(cctx);
+-
+- mutex_destroy(&fl->mutex);
+- kfree(fl);
+ file->private_data = NULL;
++ /* Release the reference taken in fastrpc_device_open */
++ fastrpc_user_put(fl);
+
+ return 0;
+ }
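Review bot: Draining `fl->pending` was moved from fastrpc_device_release() into fastrpc_user_free(), but every context now holds a reference on `fl` (taken in fastrpc_context_alloc(), dropped in fastrpc_context_free()), so the release callback cannot run while any context is still alive. If a context can remain on `fl->pending` at close holding only its allocation reference, the user, its maps and its channel reference would never be freed, and the pending loop in fastrpc_user_free() would only ever see an empty list. The invoke path that decides this is outside these hunks. Keeping the drain in fastrpc_device_release() ahead of `fastrpc_user_put(fl)` avoids the cycle. It needs the `ctx`/`n` locals that the previous hunk removes, and the list walk is unlocked as in the removed code, which should be re-checked.

```c
	struct fastrpc_invoke_ctx *ctx, *n;
	/* … unchanged: DSP process release, removal from cctx->users … */

	/*
	 * Contexts still on fl->pending each hold a reference on fl, so
	 * fastrpc_user_free() cannot run until they are dropped here.
	 */
	list_for_each_entry_safe(ctx, n, &fl->pending, node) {
		list_del(&ctx->node);
		fastrpc_context_put(ctx);
	}

	fastrpc_session_free(cctx, fl->sctx);
	/* … unchanged: clear private_data, fastrpc_user_put(fl) … */
```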
+@@ -1626,6 +1654,7 @@ static int fastrpc_device_open(struct in
+ spin_lock_irqsave(&cctx->lock, flags);
+ list_add_tail(&fl->user, &cctx->users);
+ spin_unlock_irqrestore(&cctx->lock, flags);
++ kref_init(&fl->refcount);
+
+ return 0;
+ }
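Review bot: `kref_init(&fl->refcount)` runs after `fl` has been added to `cctx->users` and the lock dropped, so the object is reachable through the channel's user list before its reference count is valid. Nothing in these hunks takes a reference through that list, but initialising first is cheaper than auditing every walker: move `kref_init(&fl->refcount);` above `spin_lock_irqsave(&cctx->lock, flags);`. fastrpc_device_open() starts outside the hunk.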
--- /dev/null
+From 07ebe87915d8accdaba20c4f88c5ae430fe62fbb Mon Sep 17 00:00:00 2001
+From: Zhenghang Xiao <kipreyyy@gmail.com>
+Date: Sat, 30 May 2026 21:45:28 +0100
+Subject: misc: fastrpc: fix use-after-free race in fastrpc_map_create
+
+From: Zhenghang Xiao <kipreyyy@gmail.com>
+
+commit 07ebe87915d8accdaba20c4f88c5ae430fe62fbb upstream.
+
+fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The
+caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero)
+on this unprotected pointer. A concurrent MEM_UNMAP can free the map
+between the lock release and the kref operation, resulting in a
+use-after-free on the freed slab object.
+
+Restore the take_ref parameter to fastrpc_map_lookup so the reference
+is acquired atomically under fl->lock before the pointer is exposed to
+the caller.
+
+Fixes: 10df039834f8 ("misc: fastrpc: Skip reference for DMA handles")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204528.116920-5-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 25 +++++++++++--------------
+ 1 file changed, 11 insertions(+), 14 deletions(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -364,7 +364,7 @@ static int fastrpc_map_get(struct fastrp
+
+
+ static int fastrpc_map_lookup(struct fastrpc_user *fl, int fd,
+- struct fastrpc_map **ppmap)
++ struct fastrpc_map **ppmap, bool take_ref)
+ {
+ struct fastrpc_map *map = NULL;
+ struct dma_buf *buf;
+@@ -379,6 +379,12 @@ static int fastrpc_map_lookup(struct fas
+ if (map->fd != fd || map->buf != buf)
+ continue;
+
++ if (take_ref) {
++ ret = fastrpc_map_get(map);
++ if (ret)
++ break;
++ }
++
+ *ppmap = map;
+ ret = 0;
+ break;
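Review bot: The new `take_ref` parameter changes what a successful fastrpc_map_lookup() hands back, and nothing documents it. With `true` the caller owns a reference it must drop with fastrpc_map_put(). With `false` it gets a bare pointer that is only safe while something else keeps the map alive. A comment above the function stating that contract, and that the reference is taken while fl->lock is held, would make the two call sites reviewable on their own. The locking itself is outside the hunk.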
+@@ -893,19 +899,10 @@ get_err:
+ static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
+ u64 len, u32 attr, struct fastrpc_map **ppmap)
+ {
+- struct fastrpc_session_ctx *sess = fl->sctx;
+- int err = 0;
++ if (!fastrpc_map_lookup(fl, fd, ppmap, true))
++ return 0;
+
+- if (!fastrpc_map_lookup(fl, fd, ppmap)) {
+- if (!fastrpc_map_get(*ppmap))
+- return 0;
+- dev_dbg(sess->dev, "%s: Failed to get map fd=%d\n",
+- __func__, fd);
+- }
+-
+- err = fastrpc_map_attach(fl, fd, len, attr, ppmap);
+-
+- return err;
++ return fastrpc_map_attach(fl, fd, len, attr, ppmap);
+ }
+
+ /*
+@@ -1172,7 +1169,7 @@ cleanup_fdlist:
+ for (i = 0; i < FASTRPC_MAX_FDLIST; i++) {
+ if (!fdlist[i])
+ break;
+- if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap))
++ if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap, false))
+ fastrpc_map_put(mmap);
+ }
+
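Review bot: The cleanup_fdlist loop passes `false` and then calls `fastrpc_map_put(mmap)` on the result, which is the same shape the commit message describes as unsafe: a pointer returned after fl->lock is released and then used for a kref operation. Unless something outside this hunk keeps those maps alive, a concurrent unmap could free the map between the lookup and the put. Either add a comment here saying what pins the map, or call the lookup with `true` and drop the extra reference as well. The surrounding function is outside the hunk.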
--- /dev/null
+From a764b0e8317a863006e05732e1aefe821b9d8c2d Mon Sep 17 00:00:00 2001
+From: ZhaoJinming <zhaojinming@uniontech.com>
+Date: Mon, 1 Jun 2026 16:56:49 +0800
+Subject: net: bonding: fix NULL pointer dereference in bond_do_ioctl()
+
+From: ZhaoJinming <zhaojinming@uniontech.com>
+
+commit a764b0e8317a863006e05732e1aefe821b9d8c2d upstream.
+
+In bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which
+can return NULL if the requested interface name does not exist. However,
+the subsequent slave_dbg() call is placed before the NULL check:
+
+ slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
+ slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); //here
+ if (!slave_dev)
+ return -ENODEV;
+
+The slave_dbg() macro expands to netdev_dbg(bond_dev, "(slave %s): " fmt,
+(slave_dev)->name, ...) which unconditionally dereferences slave_dev->name
+before the NULL check is performed. This results in a NULL pointer
+dereference kernel oops when a user calls bonding ioctl (e.g.
+SIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave
+interface name.
+
+This is reachable from userspace via the bonding ioctl interface with
+CAP_NET_ADMIN capability, making it a potential local denial-of-service
+vector.
+
+Fix by moving the slave_dbg() call after the NULL check.
+
+Fixes: e2a7420df2e0 ("bonding/main: convert to using slave printk macros")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: ZhaoJinming <zhaojinming@uniontech.com>
+Link: https://patch.msgid.link/20260601085649.4029067-1-zhaojinming@uniontech.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4640,11 +4640,11 @@ static int bond_do_ioctl(struct net_devi
+
+ slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
+
+- slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
+-
+ if (!slave_dev)
+ return -ENODEV;
+
++ slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
++
+ switch (cmd) {
+ case SIOCBONDENSLAVE:
+ res = bond_enslave(bond_dev, slave_dev, NULL);
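Review bot: The ordering constraint that this fix restores is not recorded next to the moved `slave_dbg()` call, so a later cleanup could move the debug print back above the lookup check. Per the commit message the macro expands to an unconditional `(slave_dev)->name` access, which makes every call site dependent on a prior NULL check. A short comment such as `/* slave_dbg() dereferences slave_dev->name; keep after the NULL check */` would make that explicit. The rest of bond_do_ioctl is outside the hunk, so other `slave_dbg()` uses there should be checked for the same ordering.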
--- /dev/null
+From 02896a7fa4cd3ec61d60ba30136841e4f04bdeac Mon Sep 17 00:00:00 2001
+From: Nikolay Kuratov <kniv@yandex-team.ru>
+Date: Tue, 26 May 2026 19:29:32 +0300
+Subject: net/mlx5: Reorder completion before putting command entry in cmd_work_handler
+
+From: Nikolay Kuratov <kniv@yandex-team.ru>
+
+commit 02896a7fa4cd3ec61d60ba30136841e4f04bdeac upstream.
+
+Assuming callback != NULL && !page_queue, cmd_work_handler takes
+command entry with refcnt == 1 from mlx5_cmd_invoke.
+If either semaphore timeout or index allocation error happens,
+it does final cmd_ent_put(ent). To avoid access to freed memory,
+notify slotted completion before cmd_ent_put.
+
+This is a theoretical issue found by the Svace static analyser.
+
+Cc: stable@vger.kernel.org
+Fixes: 485d65e135712 ("net/mlx5: Add a timeout to acquire the command queue semaphore")
+Fixes: 0e2909c6bec90 ("net/mlx5: Fix variable not being completed when function returns")
+Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru>
+Reviewed-by: Md Haris Iqbal <haris.iqbal@linux.dev>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Acked-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260526162932.501584-1-kniv@yandex-team.ru
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -989,12 +989,13 @@ static void cmd_work_handler(struct work
+ ent->callback(-EBUSY, ent->context);
+ mlx5_free_cmd_msg(dev, ent->out);
+ free_msg(dev, ent->in);
++ complete(&ent->slotted);
+ cmd_ent_put(ent);
+ } else {
+ ent->ret = -EBUSY;
+ complete(&ent->done);
++ complete(&ent->slotted);
+ }
+- complete(&ent->slotted);
+ return;
+ }
+ alloc_ret = cmd_alloc_index(cmd, ent);
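Review bot: The callback branch now relies on `complete(&ent->slotted)` running before `cmd_ent_put(ent)`, but nothing at the site says why. A later tidy-up could hoist the completion back out of the `if`/`else`, which is where it was before this change. A one-line comment above the put, for example `/* may be the final reference: signal slotted before cmd_ent_put() */`, would record the constraint. The same statement sequence is repeated in the -EAGAIN hunk that follows, so a small static helper taking the error code would keep the ordering in one place. cmd_work_handler starts before and continues after both hunks.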
+@@ -1004,13 +1005,14 @@ static void cmd_work_handler(struct work
+ ent->callback(-EAGAIN, ent->context);
+ mlx5_free_cmd_msg(dev, ent->out);
+ free_msg(dev, ent->in);
++ complete(&ent->slotted);
+ cmd_ent_put(ent);
+ } else {
+ ent->ret = -EAGAIN;
+ complete(&ent->done);
++ complete(&ent->slotted);
+ }
+ up(&cmd->vars.sem);
+- complete(&ent->slotted);
+ return;
+ }
+ } else {
--- /dev/null
+From 4aacf509e537a711fa71bca9f234e5eb6968850e Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Date: Tue, 2 Jun 2026 09:34:14 +0200
+Subject: net: mv643xx: fix OF node refcount
+
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+
+commit 4aacf509e537a711fa71bca9f234e5eb6968850e upstream.
+
+Platform devices created with platform_device_alloc() call
+platform_device_release() when the last reference to the device's
+kobject is dropped. This function calls of_node_put() unconditionally.
+This works fine for devices created with platform_device_register_full()
+but users of the split approach (platform_device_alloc() +
+platform_device_add()) must bump the reference of the of_node they
+assign manually. Add the missing call to of_node_get().
+
+Cc: stable@vger.kernel.org
+Fixes: 76723bca2802 ("net: mv643xx_eth: add DT parsing support")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260602073414.22500-1-bartosz.golaszewski@oss.qualcomm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mv643xx_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
+@@ -2784,7 +2784,7 @@ static int mv643xx_eth_shared_of_add_por
+ goto put_err;
+ }
+ ppdev->dev.coherent_dma_mask = DMA_BIT_MASK(32);
+- ppdev->dev.of_node = pnp;
++ ppdev->dev.of_node = of_node_get(pnp);
+
+ ret = platform_device_add_resources(ppdev, &res, 1);
+ if (ret)
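Review bot: The reference taken by `of_node_get(pnp)` has no matching put visible in this function, and the reason for that is given only in the commit message. A comment on the assignment such as `/* dropped by platform_device_release() */` would stop a later reader from adding an explicit `of_node_put()` on the error paths. That would presumably double-drop the node if those paths end in `platform_device_put(ppdev)`. The labels reached from the `if (ret)` below are outside the hunk, so this should be confirmed there.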
--- /dev/null
+From 20cf0fb715c41111469577e85e35d15f099473e0 Mon Sep 17 00:00:00 2001
+From: Yuqi Xu <xuyq21@lenovo.com>
+Date: Fri, 29 May 2026 21:01:44 +0800
+Subject: net: rds: clear i_sends on setup unwind
+
+From: Yuqi Xu <xuyq21@lenovo.com>
+
+commit 20cf0fb715c41111469577e85e35d15f099473e0 upstream.
+
+The RDS IB connection teardown path is written so it can run during
+partial startup and on repeated shutdown attempts. It uses NULL
+pointers to distinguish resources that are still owned from resources
+that have already been released.
+
+When rds_ib_setup_qp() fails after allocating i_sends but before
+allocating i_recvs, the sends_out path frees i_sends without clearing
+the pointer. A later shutdown pass can still treat that stale pointer
+as a live send ring allocation.
+
+Clear i_sends after vfree() in the error unwind path so the existing
+shutdown logic continues to use the correct ownership state.
+
+Fixes: 3b12f73a5c29 ("rds: ib: add error handle")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Allison Henderson <achender@kernel.org>
+Link: https://patch.msgid.link/5a0f7624bb9845a7b67d26166a150b59e7f394ce.1779632468.git.xuyq21@lenovo.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/ib_cm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rds/ib_cm.c
++++ b/net/rds/ib_cm.c
+@@ -656,6 +656,7 @@ static int rds_ib_setup_qp(struct rds_co
+
+ sends_out:
+ vfree(ic->i_sends);
++ ic->i_sends = NULL;
+
+ ack_dma_out:
+ rds_dma_hdr_free(rds_ibdev->dev, ic->i_ack, ic->i_ack_dma,
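Review bot: Only `i_sends` is reset in this unwind chain. The `ack_dma_out` step that follows releases `ic->i_ack` through `rds_dma_hdr_free()`, and the hunk ends before showing whether that pointer is cleared as well. The commit message says the shutdown path uses NULL pointers to decide what is still owned, so each label in the chain should leave its pointer NULL after freeing. If `i_ack` is not already reset past the end of the hunk, add `ic->i_ack = NULL;` after the free. rds_ib_setup_qp starts before the hunk and continues after it.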
--- /dev/null
+From ea41020b9018e31c2ea7e9d89021e3e6d7470883 Mon Sep 17 00:00:00 2001
+From: Andre Heider <a.heider@gmail.com>
+Date: Sat, 30 May 2026 21:43:39 +0100
+Subject: nvmem: layouts: onie-tlv: fix hang on unknown types
+
+From: Andre Heider <a.heider@gmail.com>
+
+commit ea41020b9018e31c2ea7e9d89021e3e6d7470883 upstream.
+
+The EEPROM on my board has a vendor specific entry of type 0x41. When
+stumbling upon that, this driver hangs in an endless loop.
+
+Fix it by continuing to increment the offset on unknown entries, so the
+loop will eventually stop.
+
+Fixes: d3c0d12f6474 ("nvmem: layouts: onie-tlv: Add new layout driver")
+Cc: Stable@vger.kernel.org
+Signed-off-by: Andre Heider <a.heider@gmail.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204340.116743-2-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/layouts/onie-tlv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvmem/layouts/onie-tlv.c
++++ b/drivers/nvmem/layouts/onie-tlv.c
+@@ -119,7 +119,7 @@ static int onie_tlv_add_cells(struct dev
+
+ cell.name = onie_tlv_cell_name(tlv.type);
+ if (!cell.name)
+- continue;
++ goto next;
+
+ cell.offset = hdr_len + offset + sizeof(tlv.type) + sizeof(tlv.len);
+ cell.bytes = tlv.len;
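Review bot: `cell.bytes = tlv.len` and the `cell.offset` computation use a length read from the EEPROM, and nothing in this hunk checks it against the size of the TLV area before the cell is registered. The loop condition is outside the hunk, so this may already be bounded there. If it is not, an entry should be rejected when `offset + sizeof(tlv) + tlv.len` exceeds the total TLV length, with the check placed before the name lookup so it also covers entries skipped via `goto next`. Separately, `cell.offset` adds `sizeof(tlv.type) + sizeof(tlv.len)` while the increment in the next hunk adds `sizeof(tlv)`. The two agree only if the struct has no padding, so using one form in both places would be safer.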
+@@ -132,6 +132,7 @@ static int onie_tlv_add_cells(struct dev
+ return ret;
+ }
+
++next:
+ offset += sizeof(tlv) + tlv.len;
+ }
+
--- /dev/null
+From 09a5bf856aa759513afc4afd233d15bcc711b84e Mon Sep 17 00:00:00 2001
+From: Dawei Feng <dawei.feng@seu.edu.cn>
+Date: Thu, 4 Jun 2026 22:37:56 +0800
+Subject: octeontx2-af: fix memory leak in rvu_setup_hw_resources()
+
+From: Dawei Feng <dawei.feng@seu.edu.cn>
+
+commit 09a5bf856aa759513afc4afd233d15bcc711b84e upstream.
+
+If rvu_npc_exact_init() fails in rvu_setup_hw_resources(), the function
+returns directly instead of jumping to the error handling path. This
+causes a resource leak for the previously initialized CGX, NPC, fwdata,
+and MSI-X states.
+
+Fix this by replacing the direct return with goto cgx_err to ensure
+proper cleanup.
+
+The bug was first flagged by an experimental analysis tool we are
+developing for kernel memory-management bugs while analyzing
+v6.13-rc1. The tool is still under development and is not yet publicly
+available. Manual inspection confirms that the bug is still present in
+v7.1-rc6.
+
+An x86_64 allyesconfig build showed no new warnings. As we do not have
+access to Marvell OcteonTX2 RVU AF hardware to test with, no runtime
+testing was able to be performed.
+
+Fixes: 3571fe07a090 ("octeontx2-af: Drop rules for NPC MCAM")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Link: https://patch.msgid.link/20260604143756.1524482-1-dawei.feng@seu.edu.cn
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
+@@ -1130,7 +1130,7 @@ cpt:
+ err = rvu_npc_exact_init(rvu);
+ if (err) {
+ dev_err(rvu->dev, "failed to initialize exact match table\n");
+- return err;
++ goto cgx_err;
+ }
+
+ /* Assign MACs for CGX mapped functions */
ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch
inet-frags-fix-use-after-free-caused-by-the-fqdir_pre_exit-flush.patch
pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch
+fuse-reject-fuse_notify-pagecache-ops-on-directories.patch
+i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch
+i2c-stm32f7-fix-timing-computation-ignoring-i2c-analog-filter.patch
+i2c-tegra-fix-noirq-suspend-resume.patch
+input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch
+input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch
+ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch
+misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch
+misc-fastrpc-fix-use-after-free-race-in-fastrpc_map_create.patch
+misc-fastrpc-fix-dma-address-corruption-due-to-find_vma-misuse.patch
+misc-fastrpc-fix-null-pointer-dereference-in-rpmsg-callback.patch
+net-mlx5-reorder-completion-before-putting-command-entry-in-cmd_work_handler.patch
+net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch
+net-mv643xx-fix-of-node-refcount.patch
+net-rds-clear-i_sends-on-setup-unwind.patch
+nvmem-layouts-onie-tlv-fix-hang-on-unknown-types.patch
+octeontx2-af-fix-memory-leak-in-rvu_setup_hw_resources.patch