--- /dev/null
+From dd1311bcf0e62f0c515115f46a3813370f4a4bb1 Mon Sep 17 00:00:00 2001
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Date: Fri, 29 May 2026 13:58:42 +0200
+Subject: accel/ivpu: Add bounds checks for firmware log indices
+
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+
+commit dd1311bcf0e62f0c515115f46a3813370f4a4bb1 upstream.
+
+Add validation that read and write indices in the firmware log buffer
+are within valid bounds (< data_size) before using them. If
+out-of-bounds indices are encountered (from firmware), clamp them to
+safe values instead of proceeding with invalid offsets.
+
+This prevents potential out-of-bounds buffer access when firmware
+supplies invalid log indices.
+
+Fixes: 1fc1251149a7 ("accel/ivpu: Refactor functions in ivpu_fw_log.c")
+Cc: stable@vger.kernel.org # v6.18+
+Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Link: https://patch.msgid.link/20260529115842.135378-1-andrzej.kacprowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_fw_log.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/accel/ivpu/ivpu_fw_log.c b/drivers/accel/ivpu/ivpu_fw_log.c
+index 337c906b0210..275baf844b56 100644
+--- a/drivers/accel/ivpu/ivpu_fw_log.c
++++ b/drivers/accel/ivpu/ivpu_fw_log.c
+@@ -98,6 +98,11 @@ static void fw_log_print_buffer(struct vpu_tracing_buffer_header *log, const cha
+ u32 log_start = only_new_msgs ? READ_ONCE(log->read_index) : 0;
+ u32 log_end = READ_ONCE(log->write_index);
+
++ if (log_start >= data_size)
++ log_start = 0;
++ if (log_end > data_size)
++ log_end = data_size;
++
+ if (log->wrap_count == log->read_wrap_count) {
+ if (log_end <= log_start) {
+ drm_printf(p, "==== %s \"%s\" log empty ====\n", prefix, log->name);
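Review bot: The two clamps on `log_start` and `log_end` are silent, so firmware that reports out-of-range indices leaves no trace and the output just looks like a shorter or empty log. A rate-limited warning inside each clamp would make the condition detectable; the logging helper and device handle available in `fw_log_print_buffer` are outside this hunk. Separately, `log->wrap_count` and `log->read_wrap_count` in the following `if` are read without `READ_ONCE`, unlike the two indices; if the header is shared with firmware, snapshotting them once would keep the comparison consistent. The function starts and continues outside the hunk.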
+--
+2.54.0
+
--- /dev/null
+From fb176425837693f50c5c9fc8db6fbb04af22bd0a Mon Sep 17 00:00:00 2001
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Date: Fri, 29 May 2026 14:08:41 +0200
+Subject: accel/ivpu: Add buffer overflow check in MS get_info_ioctl
+
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+
+commit fb176425837693f50c5c9fc8db6fbb04af22bd0a upstream.
+
+Add validation that the info size returned from the metric stream info
+query is not exceeded when checked against the allocated buffer size.
+If the firmware returns a size larger than the buffer, reject the
+operation with -EOVERFLOW instead of proceeding with an incorrect
+buffer copy.
+
+Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support")
+Cc: stable@vger.kernel.org # v6.18+
+Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Link: https://patch.msgid.link/20260529120841.135852-1-andrzej.kacprowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_ms.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/accel/ivpu/ivpu_ms.c
++++ b/drivers/accel/ivpu/ivpu_ms.c
+@@ -282,6 +282,13 @@ int ivpu_ms_get_info_ioctl(struct drm_de
+ if (ret)
+ goto unlock;
+
++ if (info_size > ivpu_bo_size(bo)) {
++ ivpu_warn_ratelimited(vdev, "MS info overflow: %#llx > %#zx\n",
++ info_size, ivpu_bo_size(bo));
++ ret = -EOVERFLOW;
++ goto unlock;
++ }
++
+ if (args->buffer_size < info_size) {
+ ret = -ENOSPC;
+ goto unlock;
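Review bot: The new `info_size` check has no comment saying which buffer it protects, and it sits directly above a second size check that is easy to confuse with it. This one guards the kernel buffer object, while the following `args->buffer_size` test guards the user buffer. A line above the `if` such as `/* info_size is reported by firmware; it must fit the BO before it is used as a copy length */` would keep that distinction. `ivpu_bo_size(bo)` is also evaluated twice; a local would make the comparison and the message use the same value by construction. The function starts and continues outside the hunk.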
--- /dev/null
+From d9faef564438d1e4579c692c046603e7ada7bdf4 Mon Sep 17 00:00:00 2001
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Date: Mon, 1 Jun 2026 18:16:43 +0200
+Subject: accel/ivpu: Fix signed integer truncation in IPC receive
+
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+
+commit d9faef564438d1e4579c692c046603e7ada7bdf4 upstream.
+
+Fix potential buffer overflow where firmware-supplied data_size is cast
+to signed int before being used in min_t(). Large unsigned values
+(>= 0x80000000) become negative, causing unsigned wraparound and
+oversized memcpy operations that can overflow the stack buffer.
+
+Change min_t(int, ...) to min() as both values are unsigned and can be
+handled by min() without explicit cast.
+
+Fixes: 3b434a3445ff ("accel/ivpu: Use threaded IRQ to handle JOB done messages")
+Cc: stable@vger.kernel.org # v6.12+
+Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Link: https://patch.msgid.link/20260601161643.229342-1-andrzej.kacprowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_ipc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/accel/ivpu/ivpu_ipc.c
++++ b/drivers/accel/ivpu/ivpu_ipc.c
+@@ -275,7 +275,7 @@ int ivpu_ipc_receive(struct ivpu_device
+ if (ipc_buf)
+ memcpy(ipc_buf, rx_msg->ipc_hdr, sizeof(*ipc_buf));
+ if (rx_msg->jsm_msg) {
+- u32 size = min_t(int, rx_msg->ipc_hdr->data_size, sizeof(*jsm_msg));
++ u32 size = min(rx_msg->ipc_hdr->data_size, sizeof(*jsm_msg));
+
+ if (rx_msg->jsm_msg->result != VPU_JSM_STATUS_SUCCESS) {
+ ivpu_dbg(vdev, IPC, "IPC resp result error: %d\n", rx_msg->jsm_msg->result);
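Review bot: Nothing on the new `min()` line records why the clamp must stay unsigned, so a later cleanup could reintroduce a signed `min_t()`. A comment such as `/* data_size is firmware-supplied: clamp as unsigned, never through a signed type */` would pin that. The clamp bounds only the upper end: a `data_size` smaller than `sizeof(*jsm_msg)` gives a short copy, and whether the rest of the caller's `jsm_msg` is initialised is not visible here and is worth confirming. The function starts and continues outside the hunk.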
--- /dev/null
+From 5c65b96b549ea2dcfde497436bf9e048deb87758 Mon Sep 17 00:00:00 2001
+From: Yuqi Xu <xuyq21@lenovo.com>
+Date: Fri, 29 May 2026 16:54:23 +0800
+Subject: Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
+
+From: Yuqi Xu <xuyq21@lenovo.com>
+
+commit 5c65b96b549ea2dcfde497436bf9e048deb87758 upstream.
+
+Existing advertising instances can already hold the maximum extended
+advertising payload. When hci_adv_bcast_annoucement() prepends the
+Broadcast Announcement service data to that payload, the combined data
+may no longer fit in the temporary buffer used to rebuild the
+advertising data.
+
+Reject that case before copying the existing payload and report the
+failure through the device log. This keeps the existing advertising
+data intact and avoids overrunning the temporary buffer.
+
+Fixes: 5725bc608252 ("Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Assisted-by: Codex:GPT-5.4
+Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sync.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -1725,6 +1725,11 @@ static int hci_adv_bcast_annoucement(str
+ /* Generate Broadcast ID */
+ get_random_bytes(bid, sizeof(bid));
+ len = eir_append_service_data(ad, 0, 0x1852, bid, sizeof(bid));
++ if (adv->adv_data_len > sizeof(ad) - len) {
++ bt_dev_err(hdev, "No room for Broadcast Announcement");
++ return -EINVAL;
++ }
++
+ memcpy(ad + len, adv->adv_data, adv->adv_data_len);
+ hci_set_adv_instance_data(hdev, adv->instance, len + adv->adv_data_len,
+ ad, 0, NULL);
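Review bot: The new guard computes `sizeof(ad) - len`, which cannot wrap only while `len` never exceeds `sizeof(ad)`. That presumably holds because `eir_append_service_data()` writes one small fixed-size element here, but neither its return type nor the size of `ad` is visible in the hunk. A comment would document the invariant, for example `/* len is the service data just written, so sizeof(ad) - len cannot wrap */`. The function starts and continues outside the hunk.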
--- /dev/null
+From dd214733544427587a95f66dbf3adff072568990 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Thu, 21 May 2026 10:45:17 -0400
+Subject: Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit dd214733544427587a95f66dbf3adff072568990 upstream.
+
+net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR
+signaling packets up to the channel MTU and dispatches each command
+without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer
+within radio range can send a fixed-channel CID 0x0001 packet that is
+larger than MTUsig and contains many L2CAP_ECHO_REQ commands before
+pairing. In a real-radio stock-kernel run, one 681-byte signaling
+packet containing 168 zero-length ECHO_REQ commands made the target
+transmit 168 ECHO_RSP frames over about 220 ms.
+
+Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can
+force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling
+packet containing packed ECHO_REQ commands.
+
+Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and
+reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP
+carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched.
+
+The Bluetooth Core spec wording for MTUExceeded says the reject
+identifier shall match the first request command in the packet, and
+that packets containing only responses shall be silently discarded.
+Linux intentionally deviates from that prescription: silently
+discarding desynchronizes the peer because the remote stack never
+learns its responses were dropped, and locating the first request
+command requires walking command headers past MTUsig, i.e. processing
+bytes from a packet we have already decided is too large to process.
+We therefore always emit one reject and use the identifier from the
+first command header, a single fixed-offset byte read.
+
+The unrestricted BR/EDR signaling parser and ECHO_REQ response path both
+trace to the initial git import; no later introducing commit is
+available for a Fixes tag.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
+Link: https://lore.kernel.org/r/20260518002800.1361430-1-michael.bommarito@gmail.com
+Link: https://lore.kernel.org/r/20260520135034.1060859-1-michael.bommarito@gmail.com
+Link: https://lore.kernel.org/r/20260521000555.3712030-1-michael.bommarito@gmail.com
+Assisted-by: Claude:claude-opus-4-7
+Assisted-by: Codex:gpt-5-5-xhigh
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/bluetooth/l2cap.h | 1
+ net/bluetooth/l2cap_core.c | 46 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 47 insertions(+)
+
+--- a/include/net/bluetooth/l2cap.h
++++ b/include/net/bluetooth/l2cap.h
+@@ -33,6 +33,7 @@
+ /* L2CAP defaults */
+ #define L2CAP_DEFAULT_MTU 672
+ #define L2CAP_DEFAULT_MIN_MTU 48
++#define L2CAP_SIG_MTU 48 /* BR/EDR signaling MTU */
+ #define L2CAP_DEFAULT_FLUSH_TO 0xFFFF
+ #define L2CAP_EFS_DEFAULT_FLUSH_TO 0xFFFFFFFF
+ #define L2CAP_DEFAULT_TX_WINDOW 63
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5575,6 +5575,15 @@ static inline void l2cap_sig_send_rej(st
+ l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
+ }
+
++static inline void l2cap_sig_send_mtu_rej(struct l2cap_conn *conn, u8 ident)
++{
++ struct l2cap_cmd_rej_mtu rej;
++
++ rej.reason = cpu_to_le16(L2CAP_REJ_MTU_EXCEEDED);
++ rej.max_mtu = cpu_to_le16(L2CAP_SIG_MTU);
++ l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
++}
++
+ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
+ struct sk_buff *skb)
+ {
+@@ -5587,6 +5596,43 @@ static inline void l2cap_sig_channel(str
+ if (hcon->type != ACL_LINK)
+ goto drop;
+
++ /*
++ * Bluetooth Core v5.4, Vol 3, Part A, Section 4: the BR/EDR
++ * signaling channel has a fixed signaling MTU (MTUsig) whose
++ * minimum and default is 48 octets. Section 4.1 says that on
++ * an MTUExceeded command reject the identifier "shall match
++ * the first request command in the L2CAP packet" and that
++ * packets containing only response commands "shall be
++ * silently discarded".
++ *
++ * Linux intentionally deviates from that prescription:
++ *
++ * 1. Silently discarding desynchronizes the peer. The
++ * remote stack never learns its responses were dropped,
++ * so any state machine waiting on a paired response
++ * stalls until its own timer fires.
++ *
++ * 2. Locating "the first request command" requires walking
++ * command headers past MTUsig, i.e. processing bytes
++ * from a packet we have already decided is too large to
++ * process.
++ *
++ * Reject every over-MTUsig signaling packet with one
++ * L2CAP_REJ_MTU_EXCEEDED command reject. The reject's
++ * reason field is what tells the peer that the whole packet
++ * was discarded; the identifier value is informational, so
++ * we use the identifier from the first command header, a
++ * single fixed-offset byte read.
++ */
++ if (skb->len > L2CAP_SIG_MTU) {
++ u8 ident = skb->data[1];
++
++ BT_DBG("signaling packet exceeds MTU: %u > %u",
++ skb->len, L2CAP_SIG_MTU);
++ l2cap_sig_send_mtu_rej(conn, ident);
++ goto drop;
++ }
++
+ while (skb->len >= L2CAP_CMD_HDR_SIZE) {
+ u16 len;
+
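Review bot: The oversize rejection is reported only through `BT_DBG`, so a production kernel logs neither an interoperability problem with a peer that sends larger signaling packets nor repeated oversized packets from an unpaired peer. A rate-limited message next to the reject, for example `bt_dev_warn_ratelimited(hcon->hdev, "signaling packet exceeds MTUsig: %u > %u", skb->len, L2CAP_SIG_MTU);`, would give operators something to alert on without letting a remote peer flood the log. `skb->data[1]` is read directly; whether the header bytes are guaranteed to be in the linear area at this point is not visible in the hunk. The function continues outside the hunk.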
--- /dev/null
+From d21ad938398bca695a511307de38a65889e3b354 Mon Sep 17 00:00:00 2001
+From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Date: Wed, 10 Jun 2026 09:03:14 +0300
+Subject: drm/i915/gem: Fix phys BO pread/pwrite with offset
+
+From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+
+commit d21ad938398bca695a511307de38a65889e3b354 upstream.
+
+sg_page() returns struct page pointer not (void *) so the scaling
+of pread/pwrite is wrong for phys BO and wrong parts of BO would be
+accessed if non-zero offset is used.
+
+Last impacted platform with overlay or cursor planes using phys
+mapping was Gen3/945G/Lakeport.
+
+Reported-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Fixes: c6790dc22312 ("drm/i915: Wean off drm_pci_alloc/drm_pci_free")
+Cc: <stable@vger.kernel.org> # v4.5+
+Cc: Tvrtko Ursulin <tursulin@ursulin.net>
+Cc: Simona Vetter <simona@ffwll.ch>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
+Link: https://patch.msgid.link/20260610060314.26111-1-joonas.lahtinen@linux.intel.com
+(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_phys.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gem/i915_gem_phys.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_phys.c
+@@ -18,6 +18,17 @@
+ #include "i915_gem_tiling.h"
+ #include "i915_scatterlist.h"
+
++/* Abuse scatterlist to store pointer instead of struct page. */
++static inline void __set_phys_vaddr(struct scatterlist *sg, void *vaddr)
++{
++ sg_assign_page(sg, (struct page *)vaddr);
++}
++
++static inline void *__get_phys_vaddr(struct scatterlist *sg)
++{
++ return (void *)sg_page(sg);
++}
++
+ static int i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj)
+ {
+ struct address_space *mapping = obj->base.filp->f_mapping;
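Review bot: The comment on `__set_phys_vaddr()` says the scatterlist is abused but not what makes the round trip safe. `sg_assign_page()` and `sg_page()` reserve the low bits of the stored value for scatterlist flags, so `__get_phys_vaddr()` returns the same pointer only when those bits are clear in `vaddr`. Extending the comment, e.g. `/* vaddr must have its low bits clear: sg_page()/sg_assign_page() use them as scatterlist flags */`, would state the precondition. It would also help to note on `__get_phys_vaddr()` that the result is a kernel virtual address, not a `struct page *`, which is the confusion this commit fixes.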
+@@ -58,7 +69,7 @@ static int i915_gem_object_get_pages_phy
+ sg->offset = 0;
+ sg->length = obj->base.size;
+
+- sg_assign_page(sg, (struct page *)vaddr);
++ __set_phys_vaddr(sg, vaddr);
+ sg_dma_address(sg) = dma;
+ sg_dma_len(sg) = obj->base.size;
+
+@@ -99,7 +110,7 @@ i915_gem_object_put_pages_phys(struct dr
+ struct sg_table *pages)
+ {
+ dma_addr_t dma = sg_dma_address(pages->sgl);
+- void *vaddr = sg_page(pages->sgl);
++ void *vaddr = __get_phys_vaddr(pages->sgl);
+
+ __i915_gem_object_release_shmem(obj, pages, false);
+
+@@ -139,7 +150,7 @@ i915_gem_object_put_pages_phys(struct dr
+ int i915_gem_object_pwrite_phys(struct drm_i915_gem_object *obj,
+ const struct drm_i915_gem_pwrite *args)
+ {
+- void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
++ void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
+ char __user *user_data = u64_to_user_ptr(args->data_ptr);
+ struct drm_i915_private *i915 = to_i915(obj->base.dev);
+ int err;
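Review bot: `args->offset` is added to the base pointer with no bound visible in this hunk or in the matching `i915_gem_object_pread_phys()` hunk. With the scaling now in bytes, the access lands where userspace asked, so the range check against `obj->base.size` is what keeps it inside the object; presumably the ioctl entry points do that check before calling in. A comment on both functions stating the precondition, e.g. `/* caller has validated offset + size against obj->base.size */`, would make the contract explicit. The function continues outside the hunk.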
+@@ -170,7 +181,7 @@ int i915_gem_object_pwrite_phys(struct d
+ int i915_gem_object_pread_phys(struct drm_i915_gem_object *obj,
+ const struct drm_i915_gem_pread *args)
+ {
+- void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
++ void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
+ char __user *user_data = u64_to_user_ptr(args->data_ptr);
+ int err;
+
--- /dev/null
+From 8618004d3e897c0f1b71d9a9ab860461289bb89a Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 29 May 2026 20:35:39 +0200
+Subject: KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 8618004d3e897c0f1b71d9a9ab860461289bb89a upstream.
+
+When marking a page dirty, complain about not having a running/loaded vCPU
+if and only if the VM is still alive, i.e. its refcount is non-zero. This
+will allow fixing a memory leak for x86 SEV-ES guests without hitting what
+is effectively a false positive on the WARN.
+
+For some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page
+across an exit to userspace, and typically unmaps the page on the next
+KVM_RUN. But if userspace never calls KVM_RUN after such an exit, then KVM
+needs to unmap the page when the vCPU is destroyed, which in turn triggers
+the WARN about not having a running vCPU.
+
+Alternatively, SEV-ES could temporarily load the vCPU to suppress the WARN,
+as is done in nested_vmx_free_vcpu() (but for completely unrelated reasons;
+suppressing WARN from nested_put_vmcs12_pages() is pure happenstance). But
+loading a vCPU during destruction is gross (ideally nVMX code would be
+cleaned up), risks complicating the SEV-ES code (KVM would need to ensure
+the temporarily load()+put() only runs when the vCPU isn't already loaded),
+and is ultimately pointless.
+
+The motivation for the WARN is to guard against KVM dirtying guest memory
+without pushing the corresponding GFN to the active vCPU's dirty ring, e.g.
+to ensure userspace doesn't miss a dirty page. But for the VM's refcount
+to reach zero, there can't be _any_ userspace mappings to the dirty ring,
+as mapping the dirty ring requires doing mmap() on the vCPU FD. I.e. if
+userspace had a valid mapping for the dirty ring, then the vCPU file and
+thus the owning VM would still be alive. And so since userspace can't
+possibly reach the dirty ring, whether or not KVM technically "misses" a
+push to the dirty ring is irrelevant.
+
+Reported-by: Michael Roth <michael.roth@amd.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Michael Roth <michael.roth@amd.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-ID: <20260501202250.2115252-15-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-ID: <20260529183549.1104619-15-pbonzini@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/kvm_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -3611,7 +3611,8 @@ void mark_page_dirty_in_slot(struct kvm
+ if (WARN_ON_ONCE(vcpu && vcpu->kvm != kvm))
+ return;
+
+- WARN_ON_ONCE(!vcpu && !kvm_arch_allow_write_without_running_vcpu(kvm));
++ WARN_ON_ONCE(!vcpu && refcount_read(&kvm->users_count) &&
++ !kvm_arch_allow_write_without_running_vcpu(kvm));
+ #endif
+
+ if (memslot && kvm_slot_dirty_track_enabled(memslot)) {
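Review bot: The extended `WARN_ON_ONCE()` condition has no comment, and it is not obvious from the code why a zero `users_count` makes a missing vCPU acceptable. A short comment above it would carry the reasoning from the commit message, e.g. `/* No WARN once the VM is dying: userspace can no longer have the dirty ring mapped. */`. `refcount_read()` is only a snapshot, which is fine for a diagnostic but worth stating so the test is not reused as a liveness check. The function starts and continues outside the hunk.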
--- /dev/null
+From f041dc80de4abbdd0909d871bf64f3f87d2350ff Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 29 May 2026 20:35:41 +0200
+Subject: KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit f041dc80de4abbdd0909d871bf64f3f87d2350ff upstream.
+
+Decouple synchronizing the GHCB SA from freeing/unpinning the SA, so that
+the free/unpin path can be reused when freeing a vCPU.
+
+Opportunistically add a WARN to harden KVM against stomping over (and thus
+leaking) an already-allocated scratch area.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Reviewed-by: Michael Roth <michael.roth@amd.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-ID: <20260501202250.2115252-17-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-ID: <20260529183549.1104619-17-pbonzini@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/sev.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -3451,20 +3451,17 @@ void sev_es_unmap_ghcb(struct vcpu_svm *
+ if (!svm->sev_es.ghcb)
+ return;
+
+- if (svm->sev_es.ghcb_sa_free) {
+- /*
+- * The scratch area lives outside the GHCB, so there is a
+- * buffer that, depending on the operation performed, may
+- * need to be synced, then freed.
+- */
+- if (svm->sev_es.ghcb_sa_sync) {
+- kvm_write_guest(svm->vcpu.kvm,
+- svm->sev_es.sw_scratch,
+- svm->sev_es.ghcb_sa,
+- svm->sev_es.ghcb_sa_len);
+- svm->sev_es.ghcb_sa_sync = false;
+- }
++ /*
++ * If the scratch area lives outside the GHCB, there's a buffer that,
++ * depending on the operation performed, may need to be synced.
++ */
++ if (svm->sev_es.ghcb_sa_sync) {
++ kvm_write_guest(svm->vcpu.kvm, svm->sev_es.sw_scratch,
++ svm->sev_es.ghcb_sa, svm->sev_es.ghcb_sa_len);
++ svm->sev_es.ghcb_sa_sync = false;
++ }
+
++ if (svm->sev_es.ghcb_sa_free) {
+ kvfree(svm->sev_es.ghcb_sa);
+ svm->sev_es.ghcb_sa = NULL;
+ svm->sev_es.ghcb_sa_free = false;
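Review bot: The return value of `kvm_write_guest()` in the now-unconditional sync block is dropped, so a failed write-back of the scratch area goes unnoticed and `ghcb_sa_sync` is cleared regardless. If ignoring the error is intended, the comment above the block should say so; otherwise a one-time or rate-limited message on a non-zero return would make it visible. Because the sync is no longer nested under `ghcb_sa_free`, it also relies on every path that sets `ghcb_sa_sync` leaving a valid `ghcb_sa`/`ghcb_sa_len` pair; the in-GHCB path in `setup_vmgexit_scratch()` clears both flags, but the other setters are outside the visible hunks. The function continues outside the hunk.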
+@@ -3525,6 +3522,8 @@ static int setup_vmgexit_scratch(struct
+ goto e_scratch;
+ }
+
++ WARN_ON_ONCE(svm->sev_es.ghcb_sa_sync || svm->sev_es.ghcb_sa_free);
++
+ if ((scratch_gpa_beg & PAGE_MASK) == control->ghcb_gpa) {
+ /* Scratch area begins within GHCB */
+ ghcb_scratch_beg = control->ghcb_gpa +
+@@ -3546,6 +3545,8 @@ static int setup_vmgexit_scratch(struct
+ scratch_va = (void *)svm->sev_es.ghcb;
+ scratch_va += (scratch_gpa_beg - control->ghcb_gpa);
+
++ svm->sev_es.ghcb_sa_sync = false;
++ svm->sev_es.ghcb_sa_free = false;
+ svm->sev_es.ghcb_sa_len = ghcb_scratch_end - scratch_gpa_beg;
+ } else {
+ /* GHCB v2 requires the scratch area to be within the GHCB. */
--- /dev/null
+From b837e38c255dd9f8b53511d52e87f1fda32b3dfe Mon Sep 17 00:00:00 2001
+From: Inochi Amaoto <inochiama@gmail.com>
+Date: Thu, 21 May 2026 15:21:20 +0800
+Subject: mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation
+
+From: Inochi Amaoto <inochiama@gmail.com>
+
+commit b837e38c255dd9f8b53511d52e87f1fda32b3dfe upstream.
+
+The previous clock uses roundup_pow_of_two() to calculate the core
+clock frequency. It does not meet the actual hardware meaning.
+The actual frequency is calculated by "ref_clk / ((div >> 1) << 1)".
+
+Fix the clock divider calculation.
+
+Fixes: 92e099104729 ("mmc: Add driver for LiteX's LiteSDCard interface")
+Signed-off-by: Inochi Amaoto <inochiama@gmail.com>
+Reviewed-by: Gabriel Somlo <gsomlo@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulfh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/litex_mmc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/host/litex_mmc.c
++++ b/drivers/mmc/host/litex_mmc.c
+@@ -16,6 +16,7 @@
+ #include <linux/interrupt.h>
+ #include <linux/iopoll.h>
+ #include <linux/litex.h>
++#include <linux/math.h>
+ #include <linux/mod_devicetable.h>
+ #include <linux/module.h>
+ #include <linux/platform_device.h>
+@@ -436,11 +437,10 @@ static void litex_mmc_setclk(struct lite
+ struct device *dev = mmc_dev(host->mmc);
+ u32 div;
+
+- div = freq ? host->ref_clk / freq : 256U;
+- div = roundup_pow_of_two(div);
++ div = freq ? DIV_ROUND_UP(host->ref_clk, freq) : 256U;
+ div = clamp(div, 2U, 256U);
+ dev_dbg(dev, "sd_clk_freq=%d: set to %d via div=%d\n",
+- freq, host->ref_clk / div, div);
++ freq, host->ref_clk / ((div + 1) & ~1U), div);
+ litex_write16(host->sdphy + LITEX_PHY_CLOCKERDIV, div);
+ host->sd_clk = freq;
+ }
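Review bot: The divisor that `dev_dbg()` reports, `(div + 1) & ~1U`, rounds an odd `div` up to the next even value, while the commit message gives the hardware formula as `ref_clk / ((div >> 1) << 1)`, which rounds it down. For `div = 3` the message prints `ref_clk / 4` but the stated formula gives `ref_clk / 2`. If the commit-message formula is the right one, `DIV_ROUND_UP()` followed by `clamp()` can still leave an odd `div` whose effective divisor is smaller, which would put the card clock above the requested `freq`. Rounding `div` itself up to even before the clamp, e.g. `div = (div + 1) & ~1U;`, and printing `host->ref_clk / div` would make the written value and the reported value agree. Which formula matches the hardware is not visible here, and the function starts outside the hunk.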
--- /dev/null
+From c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a Mon Sep 17 00:00:00 2001
+From: Tristan Madani <tristan@talencesecurity.com>
+Date: Wed, 27 May 2026 13:57:50 +0000
+Subject: netfilter: nft_tunnel: fix use-after-free on object destroy
+
+From: Tristan Madani <tristan@talencesecurity.com>
+
+commit c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a upstream.
+
+nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
+kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
+that took a reference via dst_hold() in nft_tunnel_obj_eval() and
+are still queued (e.g. in a netem qdisc) are left with a dangling
+pointer. When these packets are eventually dequeued, dst_release()
+operates on freed memory.
+
+Replace metadata_dst_free() with dst_release() so the metadata_dst
+is freed only after all references are dropped. The dst subsystem
+already handles metadata_dst cleanup in dst_destroy() when
+DST_METADATA is set.
+
+Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
+Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -705,7 +705,7 @@ static void nft_tunnel_obj_destroy(const
+ {
+ struct nft_tunnel_obj *priv = nft_obj_data(obj);
+
+- metadata_dst_free(priv->md);
++ dst_release(&priv->md->dst);
+ }
+
+ static struct nft_object_type nft_tunnel_obj_type;
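Review bot: The switch to `dst_release()` carries no comment, and the reason a direct free is wrong here is recorded only in the commit message. A line above the call such as `/* Queued packets may still hold a reference from nft_tunnel_obj_eval(); drop ours rather than freeing. */` would keep a later cleanup from reverting to `metadata_dst_free()`. `&priv->md->dst` also assumes `priv->md` is non-NULL whenever destroy runs, which depends on the init path outside this hunk.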
--- /dev/null
+From 8473c3a197b57ff01396f7a2ec6ddf65383820d4 Mon Sep 17 00:00:00 2001
+From: Judith Mendez <jm@ti.com>
+Date: Wed, 13 May 2026 18:11:53 -0500
+Subject: pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init
+
+From: Judith Mendez <jm@ti.com>
+
+commit 8473c3a197b57ff01396f7a2ec6ddf65383820d4 upstream.
+
+Regmap initialization triggers regcache_maple_populate() which attempts
+SPI read to populate cache. SPI read requires mcp->dev and mcp->addr to
+be set, without them, NULL pointer dereference occurs during probe.
+
+Move initialization before mcp23s08_spi_regmap_init() call.
+
+Cc: stable@vger.kernel.org
+Fixes: f9f4fda15e72 ("pinctrl: mcp23s08: init reg_defaults from HW at probe and switch cache type")
+Signed-off-by: Judith Mendez <jm@ti.com>
+Signed-off-by: Linus Walleij <linusw@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-mcp23s08_spi.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-mcp23s08_spi.c b/drivers/pinctrl/pinctrl-mcp23s08_spi.c
+index 54f61c8cb1c0..5ed368772adb 100644
+--- a/drivers/pinctrl/pinctrl-mcp23s08_spi.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08_spi.c
+@@ -10,6 +10,7 @@
+ #include "pinctrl-mcp23s08.h"
+
+ #define MCP_MAX_DEV_PER_CS 8
++#define MCP23S08_SPI_BASE 0x40
+
+ /*
+ * A given spi_device can represent up to eight mcp23sxx chips
+@@ -173,6 +174,8 @@ static int mcp23s08_probe(struct spi_device *spi)
+ for_each_set_bit(addr, &spi_present_mask, MCP_MAX_DEV_PER_CS) {
+ data->mcp[addr] = &data->chip[--chips];
+ data->mcp[addr]->irq = spi->irq;
++ data->mcp[addr]->dev = dev;
++ data->mcp[addr]->addr = MCP23S08_SPI_BASE | (addr << 1);
+
+ ret = mcp23s08_spi_regmap_init(data->mcp[addr], dev, addr, info);
+ if (ret)
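Review bot: The chip address `MCP23S08_SPI_BASE | (addr << 1)` is now computed in two places, here and in the `mcp23s08_probe_one()` call in the next hunk. The early assignments also have no comment explaining why they must precede `mcp23s08_spi_regmap_init()`. Computing the address once into a local and adding `/* regmap init reads the chip over SPI and needs dev and addr set */` above the assignments would keep the two values from drifting and stop a later cleanup from moving the lines back. The loop body continues outside the hunk.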
+@@ -184,7 +187,7 @@ static int mcp23s08_probe(struct spi_device *spi)
+ if (!data->mcp[addr]->pinctrl_desc.name)
+ return -ENOMEM;
+
+- ret = mcp23s08_probe_one(data->mcp[addr], dev, 0x40 | (addr << 1),
++ ret = mcp23s08_probe_one(data->mcp[addr], dev, MCP23S08_SPI_BASE | (addr << 1),
+ info->type, -1);
+ if (ret < 0)
+ return ret;
+--
+2.54.0
+
--- /dev/null
+From ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c Mon Sep 17 00:00:00 2001
+From: Alice Ryhl <aliceryhl@google.com>
+Date: Wed, 27 May 2026 18:18:07 +0000
+Subject: rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES
+
+From: Alice Ryhl <aliceryhl@google.com>
+
+commit ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c upstream.
+
+Due to a rustc bug [1] the -Cforce-unwind-tables=y flag only emits the
+uwtable annotation for functions, but not for the module. This means
+that compiler-generated functions such as 'asan.module_ctor' do not
+receive the uwtable annotation.
+
+When CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, this leads to boot
+failures because the dwarf information emitted for the kasan
+constructors is wrong, which causes the SCS boot patching code to
+patch the constructor in an illegal manner. Specifically, the paciasp
+instruction is patched, but the autiasp instruction is not. This
+mismatch leads to a crash when the constructor is called during boot.
+
+ ==================================================================
+ BUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90
+ Read of size 8 at addr ffffffe3cc7eb488 by task swapper/0/1
+
+Specifically the faulting instruction is the (*fn)() to invoke the
+constructor in do_ctors() of the init/main.c file.
+
+Once the fix lands in rustc, this flag can be made conditional on the
+rustc version. Note that passing the flag on a rustc with the fix
+present has no effect.
+
+[ The fix [1] has landed for Rust 1.98.0 (expected release on
+ 2026-08-20).
+
+ Thus add a version check as discussed.
+
+ - Miguel ]
+
+Fixes: d077242d68a3 ("rust: support for shadow call stack sanitizer")
+Cc: stable@kernel.org
+Link: https://github.com/rust-lang/rust/pull/156973 [1]
+Reported-by: Bo Ye <bo.ye@mediatek.com>
+Debugged-by: Isaac Manjarres <isaacmanjarres@google.com>
+Debugged-by: Sami Tolvanen <samitolvanen@google.com>
+Tested-by: Isaac Manjarres <isaacmanjarres@google.com>
+Signed-off-by: Alice Ryhl <aliceryhl@google.com>
+Link: https://patch.msgid.link/20260527-uwtable-module-flag-v1-1-caa41342be4b@google.com
+[ Adjusted link and comment. - Miguel ]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -66,6 +66,9 @@ else
+ KBUILD_CFLAGS += -fasynchronous-unwind-tables
+ KBUILD_AFLAGS += -fasynchronous-unwind-tables
+ KBUILD_RUSTFLAGS += -Cforce-unwind-tables=y -Zuse-sync-unwind=n
++# Work around rustc bug on compilers without
++# https://github.com/rust-lang/rust/pull/156973.
++KBUILD_RUSTFLAGS += $(if $(call rustc-min-version,109800),,-Zllvm_module_flag=uwtable:u32:2:max)
+ endif
+
+ ifeq ($(CONFIG_STACKPROTECTOR_PER_TASK),y)
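Review bot: The added comment does not say which rustc release the `109800` in `rustc-min-version` stands for, so the point at which the workaround becomes dead code is only discoverable from the commit message. Naming the release in the comment, e.g. `# Work around rustc bug fixed in Rust 1.98.0:`, followed by the existing link, would make the condition self-explanatory. The surrounding `ifeq`/`else` block starts outside the hunk.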
--- /dev/null
+From 4a44b17406cb5a93f90af3df9392b3a45eb336fb Mon Sep 17 00:00:00 2001
+From: Alice Ryhl <aliceryhl@google.com>
+Date: Thu, 7 May 2026 11:14:42 +0000
+Subject: rust: kasan/kbuild: fix rustc-option when cross-compiling
+
+From: Alice Ryhl <aliceryhl@google.com>
+
+commit 4a44b17406cb5a93f90af3df9392b3a45eb336fb upstream.
+
+The Makefile version of rustc-option currently checks whether the option
+exists for the host target instead of the target actually being compiled
+for. It was done this way in commit 46e24a545cdb ("rust: kasan/kbuild:
+fix missing flags on first build") to avoid a circular dependency on
+target.json. However, because of this, rustc-option currently does not
+function when cross-compiling from x86_64 to aarch64 if
+CONFIG_SHADOW_CALL_STACK is enabled. This is because KBUILD_RUSTFLAGS
+contains -Zfixed-x18 under this configuration. Since that flag does not
+exist on the host target, rustc-option runs into a compilation failure
+every time, leading to all flags being rejected as unsupported.
+
+To fix this, update rustc-option to pass a --target parameter so that
+the host target is not used. For targets using target.json, use a
+built-in target that is as close as possible to the target created with
+target.json to avoid the circular dependency on target.json.
+
+One scenario where this causes a boot failure:
+* Cross-compiled from x86_64 to aarch64.
+* With CONFIG_SHADOW_CALL_STACK=y
+* With CONFIG_KASAN_SW_TAGS=y
+* With CONFIG_KASAN_INLINE=n
+Then the resulting kernel image will fail to boot when it first calls
+into Rust code with a crash along the lines of "Unable to handle kernel
+paging request at virtual address 0ffffffc08541796". This is because the
+call threshold is not specified, so rustc will inline kasan operations,
+but the kasan shadow offset is not specified, which leads to the inlined
+kasan instructions being incorrect.
+
+Note that the -Zsanitizer=kernel-hwaddress parameter itself does not
+lead to a rustc-option failure despite being aarch64-specific because
+RUSTFLAGS_KASAN has not yet been added to KBUILD_RUSTFLAGS when
+rustc-option is evaluated by the kasan Makefile.
+
+Cc: stable@vger.kernel.org
+Fixes: 46e24a545cdb ("rust: kasan/kbuild: fix missing flags on first build")
+Signed-off-by: Alice Ryhl <aliceryhl@google.com>
+Link: https://patch.msgid.link/20260507-rustc-option-cross-v2-1-2f650a49c2b5@google.com
+[ Edited slightly:
+ - Reset variable to avoid using the environment.
+ - Use a simply expanded variable flavor for simplicity.
+ - Export variable so that behavior in sub-`make`s is consistent.
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+ This matches other variables. - Miguel ]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+---
+ Makefile | 3 ++-
+ arch/x86/Makefile | 4 ++++
+ arch/x86/Makefile.um | 8 ++++++++
+ scripts/Makefile.compiler | 2 +-
+ 4 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -568,6 +568,7 @@ KBUILD_RUSTFLAGS := $(rust_common_flags)
+ -Crelocation-model=static \
+ -Zfunction-sections=n \
+ -Wclippy::float_arithmetic
++KBUILD_RUSTFLAGS_OPTION_CHKS :=
+
+ KBUILD_AFLAGS_KERNEL :=
+ KBUILD_CFLAGS_KERNEL :=
+@@ -604,7 +605,7 @@ export KBUILD_USERCFLAGS KBUILD_USERLDFL
+
+ export KBUILD_CPPFLAGS NOSTDINC_FLAGS LINUXINCLUDE OBJCOPYFLAGS KBUILD_LDFLAGS
+ export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE
+-export KBUILD_RUSTFLAGS RUSTFLAGS_KERNEL RUSTFLAGS_MODULE
++export KBUILD_RUSTFLAGS RUSTFLAGS_KERNEL RUSTFLAGS_MODULE KBUILD_RUSTFLAGS_OPTION_CHKS
+ export KBUILD_AFLAGS AFLAGS_KERNEL AFLAGS_MODULE
+ export KBUILD_AFLAGS_MODULE KBUILD_CFLAGS_MODULE KBUILD_RUSTFLAGS_MODULE KBUILD_LDFLAGS_MODULE
+ export KBUILD_AFLAGS_KERNEL KBUILD_CFLAGS_KERNEL KBUILD_RUSTFLAGS_KERNEL
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -78,6 +78,10 @@ KBUILD_CFLAGS += -mno-sse -mno-mmx -mno-
+ KBUILD_RUSTFLAGS += --target=$(objtree)/scripts/target.json
+ KBUILD_RUSTFLAGS += -Ctarget-feature=-sse,-sse2,-sse3,-ssse3,-sse4.1,-sse4.2,-avx,-avx2
+
++# The target.json file is not available when invoking rustc-option, so use the
++# built-in target when checking whether flags are supported instead.
++KBUILD_RUSTFLAGS_OPTION_CHKS += --target=x86_64-unknown-none
++
+ #
+ # CFLAGS for compiling floating point code inside the kernel.
+ #
+--- a/arch/x86/Makefile.um
++++ b/arch/x86/Makefile.um
+@@ -14,6 +14,14 @@ endif
+
+ KBUILD_RUSTFLAGS += --target=$(objtree)/scripts/target.json
+
++# The target.json file is not available when invoking rustc-option, so use the
++# built-in target when checking whether flags are supported instead.
++ifeq ($(CONFIG_X86_32),y)
++KBUILD_RUSTFLAGS_OPTION_CHKS += --target=i686-unknown-linux-gnu
++else
++KBUILD_RUSTFLAGS_OPTION_CHKS += --target=x86_64-unknown-linux-gnu
++endif
++
+ ifeq ($(CONFIG_X86_32),y)
+ START := 0x8048000
+
+--- a/scripts/Makefile.compiler
++++ b/scripts/Makefile.compiler
+@@ -80,7 +80,7 @@ ld-option = $(call try-run, $(LD) $(KBUI
+ # TODO: remove RUSTC_BOOTSTRAP=1 when we raise the minimum GNU Make version to 4.4
+ __rustc-option = $(call try-run,\
+ echo '$(pound)![allow(missing_docs)]$(pound)![feature(no_core)]$(pound)![no_core]' | RUSTC_BOOTSTRAP=1\
+- $(1) --sysroot=/dev/null $(filter-out --sysroot=/dev/null --target=%,$(2)) $(3)\
++ $(1) --sysroot=/dev/null $(KBUILD_RUSTFLAGS_OPTION_CHKS) $(filter-out --sysroot=/dev/null --target=%target.json,$(2)) $(3)\
+ --crate-type=rlib --out-dir=$(TMPOUT) --emit=obj=- - >/dev/null,$(3),$(4))
+
+ # rustc-option
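Review bot: Narrowing the filter to `--target=%target.json` makes `__rustc-option` depend on every target.json architecture also appending a built-in `--target=` to KBUILD_RUSTFLAGS_OPTION_CHKS, and nothing next to the definition records that requirement. If an architecture omits it, the probe presumably runs for the host target again. As the commit message describes, target-only flags in KBUILD_RUSTFLAGS then make every check fail, so sanitizer and hardening flags gated on rustc-option are dropped without a build error. A comment above `__rustc-option` would make the contract visible, e.g. `# Arches that pass --target=.../target.json must add a built-in --target to KBUILD_RUSTFLAGS_OPTION_CHKS.`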
--- /dev/null
+From 905b06d32a52afe32fcf5f30cf298c9ea6359f11 Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda <ojeda@kernel.org>
+Date: Sat, 30 May 2026 13:49:25 +0200
+Subject: rust: x86: support Rust >= 1.98.0 target spec
+
+From: Miguel Ojeda <ojeda@kernel.org>
+
+commit 905b06d32a52afe32fcf5f30cf298c9ea6359f11 upstream.
+
+Starting with Rust 1.98.0 (expected 2026-08-20), the target spec will not
+support `x86-softfloat` anymore [1]. Instead, `softfloat` should be used,
+which is an alias. Otherwise, one gets:
+
+ error: error loading target specification: rustc-abi: invalid rustc abi: 'x86-softfloat'. allowed values: 'x86-sse2', 'softfloat' at line 3 column 32
+ |
+ = help: run `rustc --print target-list` for a list of built-in targets
+
+Thus conditionally use one or the other depending on the version.
+
+The alias has existed since Rust 1.95.0 (released 2026-04-16) [2], but
+use the newer version instead to avoid changing how the build works for
+existing compilers, at least until more testing takes place.
+
+Cc: Ralf Jung <post@ralfj.de>
+Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs).
+Link: https://github.com/rust-lang/rust/pull/157151 [1]
+Link: https://github.com/rust-lang/rust/pull/151154 [2]
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Link: https://patch.msgid.link/20260530114925.260754-1-ojeda@kernel.org
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/generate_rust_target.rs | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/scripts/generate_rust_target.rs
++++ b/scripts/generate_rust_target.rs
+@@ -194,7 +194,9 @@ fn main() {
+ }
+ } else if cfg.has("X86_64") {
+ ts.push("arch", "x86_64");
+- if cfg.rustc_version_atleast(1, 86, 0) {
++ if cfg.rustc_version_atleast(1, 98, 0) {
++ ts.push("rustc-abi", "softfloat");
++ } else if cfg.rustc_version_atleast(1, 86, 0) {
+ ts.push("rustc-abi", "x86-softfloat");
+ }
+ ts.push(
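Review bot: The new `rustc_version_atleast(1, 98, 0)` branch has no comment explaining why the cut-off is 1.98.0 when the commit message says the `softfloat` alias has existed since 1.95.0. Without that, a later reader may "simplify" the threshold in either direction. A short comment above the `if` would carry the reasoning, e.g. `// "softfloat" alias exists since 1.95.0; "x86-softfloat" is rejected from 1.98.0 on.` The identical three-way check is repeated in the 32-bit x86 hunk below, so a small helper returning the ABI string would keep the two in step. `main` starts and ends outside this hunk.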
+@@ -234,7 +236,9 @@ fn main() {
+ panic!("32-bit x86 only works under UML");
+ }
+ ts.push("arch", "x86");
+- if cfg.rustc_version_atleast(1, 86, 0) {
++ if cfg.rustc_version_atleast(1, 98, 0) {
++ ts.push("rustc-abi", "softfloat");
++ } else if cfg.rustc_version_atleast(1, 86, 0) {
+ ts.push("rustc-abi", "x86-softfloat");
+ }
+ ts.push(
drm-virtio-fix-driver-removal-with-disabled-kms.patch
drm-vc4-fix-krealloc-memory-leak.patch
drm-xe-fix-refcount-leak-in-xe_range_fence_insert.patch
+netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
+tee-shm-fix-shm-leak-in-register_shm_helper.patch
+bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch
+bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
+soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch
+accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch
+accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch
+accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch
+tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch
+rust-x86-support-rust-1.98.0-target-spec.patch
+rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch
+rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch
+mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch
+kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch
+kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch
+drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
+pinctrl-mcp23s08-initialize-mcp-dev-and-mcp-addr-before-regmap-init.patch
--- /dev/null
+From d922113ef91e6e7e8065e9070f349365341ba32e Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+Date: Mon, 18 May 2026 19:22:17 +0530
+Subject: soc: qcom: ice: Fix race between qcom_ice_probe() and of_qcom_ice_get()
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+
+commit d922113ef91e6e7e8065e9070f349365341ba32e upstream.
+
+The current platform driver design causes probe ordering races with
+consumers (UFS, eMMC) due to ICE's dependency on SCM firmware calls. If ICE
+probe fails (missing ICE SCM or DT registers), devm_of_qcom_ice_get() loops
+with -EPROBE_DEFER, leaving consumers non-functional even when ICE should
+be gracefully disabled. devm_of_qcom_ice_get() doesn't know if the ICE
+driver probe has failed due to above reasons or it is waiting for the SCM
+driver.
+
+Moreover, there is no devlink dependency between ICE and consumer drivers
+as 'qcom,ice' is not considered as a DT 'supplier'. So the consumer drivers
+have no idea of when the ICE driver is going to probe.
+
+To address these issues, store the error pointer in a global xarray with
+ice node phandle as a key during probe in addition to the valid ice pointer
+and synchronize both qcom_ice_probe() and of_qcom_ice_get() using a mutex.
+
+If the xarray entry is NULL, then it implies that the driver is not
+probed yet, so return -EPROBE_DEFER. If it has any error pointer, return
+that error pointer directly. Otherwise, add the devlink as usual and return
+the valid pointer to the consumer.
+
+Xarray is used instead of platform drvdata, since driver core frees the
+drvdata during probe failure. So it cannot be used to pass the error
+pointer to the consumers.
+
+Note that this change only fixes the standalone ICE DT node bindings and
+not the ones with 'ice' range embedded in the consumer nodes, where there
+is no issue.
+
+Fixes: 2afbf43a4aec ("soc: qcom: Make the Qualcomm UFS/SDCC ICE a dedicated driver")
+Reported-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
+Tested-by: Sumit Garg <sumit.garg@oss.qualcomm.com> # OP-TEE as TZ
+Acked-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
+Cc: stable@vger.kernel.org # 6.4
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20260518-qcom-ice-fix-v7-1-2a595382185b@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/ice.c | 38 +++++++++++++++++++++++++++++++-------
+ 1 file changed, 31 insertions(+), 7 deletions(-)
+
+--- a/drivers/soc/qcom/ice.c
++++ b/drivers/soc/qcom/ice.c
+@@ -16,6 +16,7 @@
+ #include <linux/of.h>
+ #include <linux/of_platform.h>
+ #include <linux/platform_device.h>
++#include <linux/xarray.h>
+
+ #include <linux/firmware/qcom/qcom_scm.h>
+
+@@ -50,6 +51,9 @@ struct qcom_ice {
+ struct clk *core_clk;
+ };
+
++static DEFINE_XARRAY(ice_handles);
++static DEFINE_MUTEX(ice_mutex);
++
+ static bool qcom_ice_check_supported(struct qcom_ice *ice)
+ {
+ u32 regval = qcom_ice_readl(ice, QCOM_ICE_REG_VERSION);
+@@ -288,6 +292,8 @@ struct qcom_ice *of_qcom_ice_get(struct
+ return qcom_ice_create(&pdev->dev, base);
+ }
+
++ guard(mutex)(&ice_mutex);
++
+ /*
+ * If the consumer node does not provider an 'ice' reg range
+ * (legacy DT binding), then it must at least provide a phandle
+@@ -304,12 +310,13 @@ struct qcom_ice *of_qcom_ice_get(struct
+ return ERR_PTR(-ENODEV);
+ }
+
+- ice = platform_get_drvdata(pdev);
+- if (!ice) {
+- dev_err(dev, "Cannot get ice instance from %s\n",
+- dev_name(&pdev->dev));
++ ice = xa_load(&ice_handles, pdev->dev.of_node->phandle);
++ if (IS_ERR_OR_NULL(ice)) {
+ platform_device_put(pdev);
+- return ERR_PTR(-EPROBE_DEFER);
++ if (!ice)
++ return ERR_PTR(-EPROBE_DEFER);
++ else
++ return ice;
+ }
+
+ ice->link = device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_SUPPLIER);
+@@ -374,24 +381,40 @@ EXPORT_SYMBOL_GPL(devm_of_qcom_ice_get);
+
+ static int qcom_ice_probe(struct platform_device *pdev)
+ {
++ unsigned long phandle = pdev->dev.of_node->phandle;
+ struct qcom_ice *engine;
+ void __iomem *base;
+
++ guard(mutex)(&ice_mutex);
++
+ base = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(base)) {
+ dev_warn(&pdev->dev, "ICE registers not found\n");
++ /* Store the error pointer for devm_of_qcom_ice_get() */
++ xa_store(&ice_handles, phandle, (__force void *)base, GFP_KERNEL);
+ return PTR_ERR(base);
+ }
+
+ engine = qcom_ice_create(&pdev->dev, base);
+- if (IS_ERR(engine))
++ if (IS_ERR(engine)) {
++ /* Store the error pointer for devm_of_qcom_ice_get() */
++ xa_store(&ice_handles, phandle, engine, GFP_KERNEL);
+ return PTR_ERR(engine);
++ }
+
+- platform_set_drvdata(pdev, engine);
++ xa_store(&ice_handles, phandle, engine, GFP_KERNEL);
+
+ return 0;
+ }
+
++static void qcom_ice_remove(struct platform_device *pdev)
++{
++ unsigned long phandle = pdev->dev.of_node->phandle;
++
++ guard(mutex)(&ice_mutex);
++ xa_store(&ice_handles, phandle, NULL, GFP_KERNEL);
++}
++
+ static const struct of_device_id qcom_ice_of_match_table[] = {
+ { .compatible = "qcom,inline-crypto-engine" },
+ { },
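Review bot: qcom_ice_probe() stores ERR_PTR values directly in `ice_handles`, but the XArray documentation (Documentation/core-api/xarray.rst, worth confirming) says IS_ERR() pointers are not supported as entries. Depending on their low two bits, they collide with value or internal entries. Encoding the errno as a value entry avoids relying on that, e.g. `xa_store(&ice_handles, phandle, xa_mk_value(-PTR_ERR(engine)), GFP_KERNEL);` in probe, decoded with `xa_is_value()`/`xa_to_value()` in of_qcom_ice_get(). The result of every xa_store() is also ignored, so if the GFP_KERNEL store of a valid engine fails, probe still returns 0 and consumers keep seeing a NULL entry and defer indefinitely. Checking `xa_err()` on the result and failing the probe would close that. In qcom_ice_remove(), `xa_erase(&ice_handles, phandle);` expresses the same thing as storing NULL.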
+@@ -400,6 +423,7 @@ MODULE_DEVICE_TABLE(of, qcom_ice_of_matc
+
+ static struct platform_driver qcom_ice_driver = {
+ .probe = qcom_ice_probe,
++ .remove = qcom_ice_remove,
+ .driver = {
+ .name = "qcom-ice",
+ .of_match_table = qcom_ice_of_match_table,
--- /dev/null
+From 26682f5efc276e3ad96d102019472bfbf03833b2 Mon Sep 17 00:00:00 2001
+From: Georgiy Osokin <g.osokin@auroraos.dev>
+Date: Wed, 8 Apr 2026 18:52:03 +0300
+Subject: tee: shm: fix shm leak in register_shm_helper()
+
+From: Georgiy Osokin <g.osokin@auroraos.dev>
+
+commit 26682f5efc276e3ad96d102019472bfbf03833b2 upstream.
+
+register_shm_helper() allocates shm before calling
+iov_iter_npages(). If iov_iter_npages() returns 0, the function
+jumps to err_ctx_put and leaks shm.
+
+This can be triggered by TEE_IOC_SHM_REGISTER with
+struct tee_ioctl_shm_register_data where length is 0.
+
+Jump to err_free_shm instead.
+
+Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration")
+Cc: stable@vger.kernel.org
+Cc: lvc-project@linuxtesting.org
+Signed-off-by: Georgiy Osokin <g.osokin@auroraos.dev>
+Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tee/tee_shm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tee/tee_shm.c
++++ b/drivers/tee/tee_shm.c
+@@ -307,7 +307,7 @@ register_shm_helper(struct tee_context *
+ num_pages = iov_iter_npages(iter, INT_MAX);
+ if (!num_pages) {
+ ret = ERR_PTR(-ENOMEM);
+- goto err_ctx_put;
++ goto err_free_shm;
+ }
+
+ shm->pages = kcalloc(num_pages, sizeof(*shm->pages), GFP_KERNEL);
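Review bot: The `if (!num_pages)` branch is reachable from userspace (the commit message names TEE_IOC_SHM_REGISTER with length 0), yet nothing at the site says so or explains why the unwind has to start at `err_free_shm`. A one-line comment above the `goto`, such as `/* length 0 from userspace lands here; shm is already allocated */`, would help keep a later refactor from reintroducing the leak. -ENOMEM is also an odd errno for an empty request, but changing it alters what userspace sees, so that is only worth doing if the ABI allows it. register_shm_helper() starts and ends outside this hunk.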
--- /dev/null
+From 85e0f27dd1396307913ffc5745b0c05137e9beac Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Mon, 25 May 2026 11:21:14 +0900
+Subject: tracing/probes: Point the error offset correctly for eprobe argument error
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit 85e0f27dd1396307913ffc5745b0c05137e9beac upstream.
+
+Fix to point the error offset correctly for eprobe argument error.
+In the cleanup commit 1b8b0cd754cd ("tracing/probes: Move event parameter
+fetching code to common parser"), due to incorrect backward compatibility
+aimed at conforming to the test specifications, the error location was set
+to 0 when a non-existent formal parameter was specified for Eprobe.
+However, this should be corrected in both the test and the implementation
+to point correct error position.
+
+Link: https://lore.kernel.org/all/177967567399.209006.1451571244515632097.stgit@devnote2/
+
+Fixes: 1b8b0cd754cd ("tracing/probes: Move event parameter fetching code to common parser")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_probe.c | 2 --
+ tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc | 2 +-
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -934,8 +934,6 @@ static int parse_probe_vars(char *orig_a
+ code->op = FETCH_OP_COMM;
+ return 0;
+ }
+- /* backward compatibility */
+- ctx->offset = 0;
+ goto inval;
+ }
+
+--- a/tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc
++++ b/tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc
+@@ -20,7 +20,7 @@ check_error 'e:foo/^12345678901234567890
+ check_error 'e:foo/^bar.1 syscalls/sys_enter_openat' # BAD_EVENT_NAME
+
+ check_error 'e:foo/bar syscalls/sys_enter_openat arg=^dfd' # BAD_FETCH_ARG
+-check_error 'e:foo/bar syscalls/sys_enter_openat ^arg=$foo' # BAD_ATTACH_ARG
++check_error 'e:foo/bar syscalls/sys_enter_openat arg=^$foo' # BAD_ATTACH_ARG
+
+ if grep -q '<attached-group>\.<attached-event>.*\[if <filter>\]' README; then
+ check_error 'e:foo/bar syscalls/sys_enter_openat if ^' # NO_EP_FILTER