--- /dev/null
+From 9c954499d43aefac01c5dfb57a82b13d2dcf4b94 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 19 May 2026 16:29:38 +0200
+Subject: fuse: reject fuse_notify() pagecache ops on directories
+
+From: Jann Horn <jannh@google.com>
+
+commit 9c954499d43aefac01c5dfb57a82b13d2dcf4b94 upstream.
+
+The operations FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE allow the
+FUSE daemon to actively write/read pagecache contents.
+
+For directories with FOPEN_CACHE_DIR, the pagecache is used as
+kernel-internal cache storage, and userspace is not supposed to have
+direct access to this cache - in particular, fuse_parse_cache() will hit
+WARN_ON() if the cache contains bogus data.
+
+Reject FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE on anything other than
+regular files with -EINVAL.
+
+Fixes: 5d7bc7e8680c ("fuse: allow using readdir cache")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Link: https://patch.msgid.link/20260519-fuse-dir-pagecache-v2-1-5428fa48e175@google.com
+Acked-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/dev.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1599,6 +1599,10 @@ static int fuse_notify_store(struct fuse
+ inode = fuse_ilookup(fc, nodeid, NULL);
+ if (!inode)
+ goto out_up_killsb;
++ if (!S_ISREG(inode->i_mode)) {
++ err = -EINVAL;
++ goto out_iput;
++ }
+
+ mapping = inode->i_mapping;
+ index = outarg.offset >> PAGE_SHIFT;
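Review bot: The new `if (!S_ISREG(inode->i_mode))` check in fuse_notify_store() has no comment, so the reason for refusing non-regular inodes exists only in the commit message. A one-line comment above it would stop the check being relaxed later, for example `/* Directory pagecache (FOPEN_CACHE_DIR) is a kernel-internal readdir cache; the daemon may only touch regular-file pagecache. */`. The same comment fits the matching check added in the fuse_notify_retrieve() hunk below. Both functions begin and end outside their hunks, so how `err` is used after `out_iput` cannot be checked from here.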
+@@ -1770,7 +1774,10 @@ static int fuse_notify_retrieve(struct f
+
+ inode = fuse_ilookup(fc, nodeid, &fm);
+ if (inode) {
+- err = fuse_retrieve(fm, inode, &outarg);
++ if (!S_ISREG(inode->i_mode))
++ err = -EINVAL;
++ else
++ err = fuse_retrieve(fm, inode, &outarg);
+ iput(inode);
+ }
+ up_read(&fc->killsb);
--- /dev/null
+From 729ac5a4b966aac42e08a94dea966f4429008548 Mon Sep 17 00:00:00 2001
+From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Date: Sat, 16 May 2026 02:41:18 +0300
+Subject: i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
+
+From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+
+commit 729ac5a4b966aac42e08a94dea966f4429008548 upstream.
+
+On all modern platforms Qualcomm CCI controller provides two I2C masters,
+and on particular boards only one I2C master may be initialized, and in
+such cases the device unbinding or driver removal causes a NULL pointer
+dereference, because cci_halt() is called for all two I2C masters, but
+a completion is initialized only for the single enabled master:
+
+ % rmmod i2c-qcom-cci
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+ <snip>
+ Call trace:
+ __wait_for_common+0x194/0x1a8 (P)
+ wait_for_completion_timeout+0x20/0x2c
+ cci_remove+0xc4/0x138 [i2c_qcom_cci]
+ platform_remove+0x20/0x30
+ device_remove+0x4c/0x80
+ device_release_driver_internal+0x1c8/0x224
+ driver_detach+0x50/0x98
+ bus_remove_driver+0x6c/0xbc
+ driver_unregister+0x30/0x60
+ platform_driver_unregister+0x14/0x20
+ qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci]
+ ....
+
+Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver")
+Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Cc: <stable@vger.kernel.org> # v5.8+
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20260515234121.1607425-2-vladimir.zapolskiy@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-qcom-cci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-qcom-cci.c
++++ b/drivers/i2c/busses/i2c-qcom-cci.c
+@@ -683,8 +683,8 @@ static int cci_remove(struct platform_de
+ if (cci->master[i].cci) {
+ i2c_del_adapter(&cci->master[i].adap);
+ of_node_put(cci->master[i].adap.dev.of_node);
++ cci_halt(cci, i);
+ }
+- cci_halt(cci, i);
+ }
+
+ disable_irq(cci->irq);
--- /dev/null
+From a124579c0763da7bc408f4cd7e8f606cadc94855 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guillermo=20Rodr=C3=ADguez?= <guille.rodriguez@gmail.com>
+Date: Tue, 26 May 2026 11:12:09 +0200
+Subject: i2c: stm32f7: fix timing computation ignoring i2c-analog-filter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Guillermo Rodríguez <guille.rodriguez@gmail.com>
+
+commit a124579c0763da7bc408f4cd7e8f606cadc94855 upstream.
+
+stm32f7_i2c_compute_timing() uses i2c_dev->analog_filter to pick
+the analog filter delay, but i2c_dev->analog_filter is parsed from
+the "i2c-analog-filter" DT property only after the compute_timing
+loop in stm32f7_i2c_setup_timing(), so in practice the timing
+calculations always ignore the analog filter. On an STM32MP1 board
+with clock-frequency = <400000> and i2c-analog-filter set, measured
+SCL frequency was ~382 kHz.
+
+This also affects (widens) the computed SDADEL range. At high bus
+clock speeds, this can select an SDADEL value that violates tVD;DAT
+(data valid time).
+
+Fix by parsing "i2c-analog-filter" before the compute_timing loop.
+
+Fixes: 83c3408f7b9c ("i2c: stm32f7: support DT binding i2c-analog-filter")
+Signed-off-by: Guillermo Rodríguez <guille.rodriguez@gmail.com>
+Cc: <stable@vger.kernel.org> # v5.13+
+Acked-by: Alain Volmat <alain.volmat@foss.st.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20260526091210.20383-1-guille.rodriguez@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-stm32f7.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-stm32f7.c
++++ b/drivers/i2c/busses/i2c-stm32f7.c
+@@ -673,6 +673,9 @@ static int stm32f7_i2c_setup_timing(stru
+ if (!of_property_read_bool(i2c_dev->dev->of_node, "i2c-digital-filter"))
+ i2c_dev->dnf_dt = STM32F7_I2C_DNF_DEFAULT;
+
++ i2c_dev->analog_filter = of_property_read_bool(i2c_dev->dev->of_node,
++ "i2c-analog-filter");
++
+ do {
+ ret = stm32f7_i2c_compute_timing(i2c_dev, setup,
+ &i2c_dev->timing);
+@@ -694,9 +697,6 @@ static int stm32f7_i2c_setup_timing(stru
+ return ret;
+ }
+
+- i2c_dev->analog_filter = of_property_read_bool(i2c_dev->dev->of_node,
+- "i2c-analog-filter");
+-
+ dev_dbg(i2c_dev->dev, "I2C Speed(%i), Clk Source(%i)\n",
+ setup->speed_freq, setup->clock_src);
+ dev_dbg(i2c_dev->dev, "I2C Rise(%i) and Fall(%i) Time\n",
--- /dev/null
+From 656646b3847ac6a21b074a813223feef2aadd6e2 Mon Sep 17 00:00:00 2001
+From: Akhil R <akhilrajeev@nvidia.com>
+Date: Mon, 18 May 2026 17:10:13 +0530
+Subject: i2c: tegra: Fix NOIRQ suspend/resume
+
+From: Akhil R <akhilrajeev@nvidia.com>
+
+commit 656646b3847ac6a21b074a813223feef2aadd6e2 upstream.
+
+The Tegra I2C driver relies on runtime PM to wake up the controller before
+each transfer. However, runtime PM is disabled between the system suspend
+and NOIRQ suspend. If an I2C device initiates a transfer during this
+window, the I2C controller fails to wake up and the transfer fails. To
+handle this, the controller must be kept available for this period to
+allow transfers.
+
+Rework the I2C controller's system PM callbacks such that the controller
+is resumed from runtime suspend during system suspend and it stays
+RPM_ACTIVE throughout the suspend-resume cycle until it is runtime
+suspended back in the system resume. The clocks are disabled in NOIRQ
+suspend and enabled back in NOIRQ resume by calling the controller's
+runtime PM functions directly.
+
+Fixes: 8ebf15e9c869 ("i2c: tegra: Move suspend handling to NOIRQ phase")
+Assisted-by: Cursor:claude-4.6-opus
+Signed-off-by: Akhil R <akhilrajeev@nvidia.com>
+Cc: <stable@vger.kernel.org> # v5.4+
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20260518114013.62065-5-akhilrajeev@nvidia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-tegra.c | 53 +++++++++++++++++++++++------------------
+ 1 file changed, 30 insertions(+), 23 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-tegra.c
++++ b/drivers/i2c/busses/i2c-tegra.c
+@@ -1874,28 +1874,37 @@ static int __maybe_unused tegra_i2c_runt
+
+ static int __maybe_unused tegra_i2c_suspend(struct device *dev)
+ {
++ /*
++ * Bring the controller up and hold a usage count so it stays
++ * available until the noirq phase.
++ */
++ return pm_runtime_resume_and_get(dev);
++}
++
++static int __maybe_unused tegra_i2c_suspend_noirq(struct device *dev)
++{
+ struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev);
+- int err;
+
+ i2c_mark_adapter_suspended(&i2c_dev->adapter);
+
+- if (!pm_runtime_status_suspended(dev)) {
+- err = tegra_i2c_runtime_suspend(dev);
+- if (err)
+- return err;
+- }
+-
+- return 0;
++ /*
++ * Runtime PM is already disabled at this point, so invoke the
++ * runtime_suspend callback directly to put the controller down.
++ */
++ return tegra_i2c_runtime_suspend(dev);
+ }
+
+-static int __maybe_unused tegra_i2c_resume(struct device *dev)
++static int __maybe_unused tegra_i2c_resume_noirq(struct device *dev)
+ {
+ struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev);
+ int err;
+
+ /*
+- * We need to ensure that clocks are enabled so that registers can be
+- * restored in tegra_i2c_init().
++ * Runtime PM is still disabled at this point, so invoke the
++ * runtime_resume callback directly to bring the controller back up
++ * before re-initializing the hardware. The adapter is then marked
++ * resumed so that consumers can issue transfers from their own
++ * resume_noirq() handlers and onwards.
+ */
+ err = tegra_i2c_runtime_resume(dev);
+ if (err)
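Review bot: In tegra_i2c_suspend_noirq() the adapter is marked suspended before `tegra_i2c_runtime_suspend(dev)` is called, and the callback's return value is passed straight back. If that callback fails, nothing visible here calls i2c_mark_adapter_resumed() again. The removed code had the same ordering, so this is inherited rather than introduced, and whether the PM core later runs tegra_i2c_resume_noirq() for a device whose noirq suspend failed cannot be told from this page. Either document the state the adapter is left in on that path, or handle the error before returning. tegra_i2c_resume_noirq() continues in the next hunk.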
+@@ -1905,24 +1914,22 @@ static int __maybe_unused tegra_i2c_resu
+ if (err)
+ return err;
+
+- /*
+- * In case we are runtime suspended, disable clocks again so that we
+- * don't unbalance the clock reference counts during the next runtime
+- * resume transition.
+- */
+- if (pm_runtime_status_suspended(dev)) {
+- err = tegra_i2c_runtime_suspend(dev);
+- if (err)
+- return err;
+- }
+-
+ i2c_mark_adapter_resumed(&i2c_dev->adapter);
+
+ return 0;
+ }
+
++static int __maybe_unused tegra_i2c_resume(struct device *dev)
++{
++ pm_runtime_put(dev);
++
++ return 0;
++}
++
+ static const struct dev_pm_ops tegra_i2c_pm = {
+- SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume)
++ SET_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume)
++ SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend_noirq,
++ tegra_i2c_resume_noirq)
+ SET_RUNTIME_PM_OPS(tegra_i2c_runtime_suspend, tegra_i2c_runtime_resume,
+ NULL)
+ };
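Review bot: The new tegra_i2c_resume() drops a usage count with `pm_runtime_put(dev)` but does not say where that count was taken. The pairing with `pm_runtime_resume_and_get(dev)` in tegra_i2c_suspend() (previous hunk) is easy to break in a later edit. Add `/* Drop the usage count taken in tegra_i2c_suspend(). */` above the call. The comment in tegra_i2c_suspend() says the count is held "until the noirq phase", while the code holds it until tegra_i2c_resume(); rewording it to "until tegra_i2c_resume()" would match what the code does.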
--- /dev/null
+From ad0979fe053e9f2db82da82188256ef6eb41095a Mon Sep 17 00:00:00 2001
+From: Zeyu WANG <zeyu.thomas.wang@gmail.com>
+Date: Wed, 3 Jun 2026 01:09:09 +0800
+Subject: Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)
+
+From: Zeyu WANG <zeyu.thomas.wang@gmail.com>
+
+commit ad0979fe053e9f2db82da82188256ef6eb41095a upstream.
+
+The Lenovo Yoga Air 14 (83QK) laptop keyboard becomes unresponsive
+after the standard atkbd init sequence. Controlled testing on the
+actual hardware shows the F5 (ATKBD_CMD_RESET_DIS / deactivate)
+command specifically corrupts the EC state, causing zero IRQ1
+interrupts after init.
+
+Skipping only the deactivate command (while keeping F4 ENABLE)
+resolves the issue completely: both keystroke input and CapsLock
+LED toggle work correctly. The reverse test - skipping only F4
+while keeping F5 - makes the problem worse (zero keystroke
+interrupts), confirming F5 is the sole culprit.
+
+Add a DMI quirk entry for LENOVO/83QK using the existing
+atkbd_deactivate_fixup callback, consistent with the existing
+entries for LG Electronics and HONOR FMB-P that address the
+same EC F5 deactivate issue.
+
+Signed-off-by: Zeyu WANG <zeyu.thomas.wang@gmail.com>
+Link: https://patch.msgid.link/20260602170909.14725-1-zeyu.thomas.wang@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/atkbd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/input/keyboard/atkbd.c
++++ b/drivers/input/keyboard/atkbd.c
+@@ -1939,6 +1939,14 @@ static const struct dmi_system_id atkbd_
+ },
+ .callback = atkbd_deactivate_fixup,
+ },
++ {
++ /* Lenovo Yoga Air 14 (83QK) */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83QK"),
++ },
++ .callback = atkbd_deactivate_fixup,
++ },
+ { }
+ };
+
--- /dev/null
+From fb402386af4cdce108ff991a796386de55439735 Mon Sep 17 00:00:00 2001
+From: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
+Date: Fri, 5 Jun 2026 15:27:21 +0800
+Subject: Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard
+
+From: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
+
+commit fb402386af4cdce108ff991a796386de55439735 upstream.
+
+After commit 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd -
+do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID"), HONOR
+BCC-N, aka HONOR MagicBook 14 2026's internal keyboard stops
+working. Adding the atkbd_deactivate_fixup quirk fixes it.
+
+DMI: HONOR BCC-N/BCC-N-PCB, BIOS 1.04 04/07/2026
+
+Fixes: 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID")
+Reported-by: Hongfei Ren <lcrhf@outlook.com>
+Link: https://github.com/colorcube/Linux-on-Honor-Magicbook-14-Pro/issues/1#issuecomment-4562679891
+Tested-by: Hongfei Ren <lcrhf@outlook.com>
+Cc: stable@kernel.org
+Signed-off-by: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
+Link: https://patch.msgid.link/20260605-honor-v1-1-78e05e491193@linux.dev
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/atkbd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/keyboard/atkbd.c
++++ b/drivers/input/keyboard/atkbd.c
+@@ -1947,6 +1947,13 @@ static const struct dmi_system_id atkbd_
+ },
+ .callback = atkbd_deactivate_fixup,
+ },
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "HONOR"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "BCC-N"),
++ },
++ .callback = atkbd_deactivate_fixup,
++ },
+ { }
+ };
+
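Review bot: The new HONOR entry has no comment naming the machine, unlike the Lenovo entry added just above it in the same table (`/* Lenovo Yoga Air 14 (83QK) */`). The commit message identifies the model, so the entry can carry it: `/* HONOR MagicBook 14 2026 (BCC-N) */` as the first line inside the braces. That keeps the table readable to whoever next has to decide whether a quirk is still needed.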
--- /dev/null
+From 2e5c6f4fd4001562781e99bbfc7f1f0127187542 Mon Sep 17 00:00:00 2001
+From: Yilin Zhu <zylzyl2333@gmail.com>
+Date: Thu, 30 Apr 2026 13:21:34 +0800
+Subject: ipc/shm: serialize orphan cleanup with shm_nattch updates
+
+From: Yilin Zhu <zylzyl2333@gmail.com>
+
+commit 2e5c6f4fd4001562781e99bbfc7f1f0127187542 upstream.
+
+shm_destroy_orphaned() walks the shm idr under shm_ids(ns).rwsem, but that
+does not serialize all fields tested by shm_may_destroy(). In particular,
+shm_nattch is updated while holding shm_perm.lock, and attach paths can do
+that without holding the rwsem.
+
+Do not decide that an orphaned segment is unused before taking the object
+lock. Move the shm_may_destroy() check under shm_perm.lock, matching the
+other destroy paths, and unlock the segment when it no longer qualifies
+for removal.
+
+Link: https://lore.kernel.org/9d97cc1031de2d0bace0edf3a668818aa2f4eca6.1777410234.git.zylzyl2333@gmail.com
+Fixes: 4c677e2eefdb ("shm: optimize locking and ipc_namespace getting")
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Yilin Zhu <zylzyl2333@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Jeongjun Park <aha310510@gmail.com>
+Cc: Kees Cook <kees@kernel.org>
+Cc: Liam Howlett <liam@infradead.org>
+Cc: Lorenzo Stoakes <ljs@kernel.org>
+Cc: Serge Hallyn <sergeh@kernel.org>
+Cc: Vasiliy Kulikov <segoon@openwall.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ ipc/shm.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -402,15 +402,17 @@ static int shm_try_destroy_orphaned(int
+ * We want to destroy segments without users and with already
+ * exit'ed originating process.
+ *
+- * As shp->* are changed under rwsem, it's safe to skip shp locking.
++ * shm_nattch can be changed under shm_perm.lock without holding the
++ * rwsem, so take the object lock before checking shm_may_destroy().
+ */
+ if (!list_empty(&shp->shm_clist))
+ return 0;
+
+- if (shm_may_destroy(shp)) {
+- shm_lock_by_ptr(shp);
++ shm_lock_by_ptr(shp);
++ if (shm_may_destroy(shp))
+ shm_destroy(ns, shp);
+- }
++ else
++ shm_unlock(shp);
+ return 0;
+ }
+
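Review bot: The rewritten comment explains why shm_may_destroy() now runs under the object lock, but the `list_empty(&shp->shm_clist)` test right below it still runs before `shm_lock_by_ptr(shp)`. The sentence that used to justify unlocked reads of shp was removed, so a reader can no longer tell whether that test is intentionally unlocked or was overlooked. Add one sentence to the comment saying what makes the unlocked shm_clist test safe, or move the test under the lock as well if nothing does. The start of shm_try_destroy_orphaned() is outside the hunk.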
--- /dev/null
+From 464c6ad2aa16e1e1df9d559289199356493d1e00 Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Sat, 30 May 2026 21:45:26 +0100
+Subject: misc: fastrpc: fix DMA address corruption due to find_vma misuse
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit 464c6ad2aa16e1e1df9d559289199356493d1e00 upstream.
+
+fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided
+pointer and compute a DMA address offset. When the address falls in a gap
+before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows,
+corrupting the DMA address sent to the DSP.
+
+Replace find_vma() with vma_lookup(), which returns NULL when the address
+is not contained within any VMA.
+
+Cc: stable@vger.kernel.org
+Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204528.116920-3-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -875,7 +875,7 @@ static int fastrpc_get_args(u32 kernel,
+ pages[i].addr = ctx->maps[i]->phys;
+
+ mmap_read_lock(current->mm);
+- vma = find_vma(current->mm, ctx->args[i].ptr);
++ vma = vma_lookup(current->mm, ctx->args[i].ptr);
+ if (vma)
+ pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) -
+ vma->vm_start;
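Review bot: With vma_lookup() a ctx->args[i].ptr that lies in no VMA now yields NULL, and the existing `if (vma)` only skips the offset adjustment. As far as this hunk shows, the call then carries on with pages[i].addr left at `ctx->maps[i]->phys`. That removes the underflow, but a user pointer outside any mapping is still accepted silently. Consider failing the request in that case (after dropping mmap_read_lock), or add a comment saying why continuing without the offset is intended. The rest of fastrpc_get_args() is outside the hunk, so later validation of the pointer may exist and should be confirmed.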
--- /dev/null
+From e85eb5feca8e254905ffa6c57a3c99c89a674a0f Mon Sep 17 00:00:00 2001
+From: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
+Date: Sat, 30 May 2026 21:45:25 +0100
+Subject: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
+
+commit e85eb5feca8e254905ffa6c57a3c99c89a674a0f upstream.
+
+There is a race between fastrpc_device_release() and the workqueue
+that processes DSP responses. When the user closes the file descriptor,
+fastrpc_device_release() frees the fastrpc_user structure. Concurrently,
+an in-flight DSP invocation can complete and fastrpc_rpmsg_callback()
+schedules context cleanup via schedule_work(&ctx->put_work). If the
+workqueue runs fastrpc_context_free() in parallel with or after
+fastrpc_device_release() has freed the user structure, it dereferences
+the freed fastrpc_user. Depending on the state of the context at the
+time of the race, any one of the following accesses can be hit:
+
+ 1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...)
+ to strip the SID bits from the stored IOVA before passing the
+ physical address to dma_free_coherent().
+
+ 2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to
+ reconstruct the source permission bitmask needed for the
+ qcom_scm_assign_mem() call that returns memory from the DSP VM
+ back to HLOS.
+
+ 3. fastrpc_free_map() acquires map->fl->lock to safely remove the
+ map node from the fl->maps list.
+
+The resulting use-after-free manifests as:
+
+ pc : fastrpc_buf_free+0x38/0x80 [fastrpc]
+ lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]
+ fastrpc_context_free+0xa8/0x1b0 [fastrpc]
+ fastrpc_context_put_wq+0x78/0xa0 [fastrpc]
+ process_one_work+0x180/0x450
+ worker_thread+0x26c/0x388
+
+Add kref-based reference counting to fastrpc_user. Have each invoke
+context take a reference on the user at allocation time and release it
+when the context is freed. Release the initial reference in
+fastrpc_device_release() at file close. Move the teardown of the user
+structure — freeing pending contexts, maps, mmaps, and the channel
+context reference — into the kref release callback fastrpc_user_free(),
+so that it runs only when the last reference is dropped, regardless of
+whether that happens at device close or after the final in-flight
+context completes.
+
+Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter")
+Cc: stable@kernel.org
+Signed-off-by: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204528.116920-2-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 75 +++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 52 insertions(+), 23 deletions(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -232,6 +232,8 @@ struct fastrpc_user {
+ spinlock_t lock;
+ /* lock for allocations */
+ struct mutex mutex;
++ /* Reference count */
++ struct kref refcount;
+ };
+
+ static void fastrpc_free_map(struct kref *ref)
+@@ -352,15 +354,57 @@ static void fastrpc_channel_ctx_put(stru
+ kref_put(&cctx->refcount, fastrpc_channel_ctx_free);
+ }
+
++static void fastrpc_context_put(struct fastrpc_invoke_ctx *ctx);
++
++static void fastrpc_user_free(struct kref *ref)
++{
++ struct fastrpc_user *fl = container_of(ref, struct fastrpc_user, refcount);
++ struct fastrpc_invoke_ctx *ctx, *n;
++ struct fastrpc_map *map, *m;
++ struct fastrpc_buf *buf, *b;
++
++ if (fl->init_mem)
++ fastrpc_buf_free(fl->init_mem);
++
++ list_for_each_entry_safe(ctx, n, &fl->pending, node) {
++ list_del(&ctx->node);
++ fastrpc_context_put(ctx);
++ }
++
++ list_for_each_entry_safe(map, m, &fl->maps, node)
++ fastrpc_map_put(map);
++
++ list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
++ list_del(&buf->node);
++ fastrpc_buf_free(buf);
++ }
++
++ fastrpc_channel_ctx_put(fl->cctx);
++ mutex_destroy(&fl->mutex);
++ kfree(fl);
++}
++
++static void fastrpc_user_get(struct fastrpc_user *fl)
++{
++ kref_get(&fl->refcount);
++}
++
++static void fastrpc_user_put(struct fastrpc_user *fl)
++{
++ kref_put(&fl->refcount, fastrpc_user_free);
++}
++
+ static void fastrpc_context_free(struct kref *ref)
+ {
+ struct fastrpc_invoke_ctx *ctx;
+ struct fastrpc_channel_ctx *cctx;
++ struct fastrpc_user *fl;
+ unsigned long flags;
+ int i;
+
+ ctx = container_of(ref, struct fastrpc_invoke_ctx, refcount);
+ cctx = ctx->cctx;
++ fl = ctx->fl;
+
+ for (i = 0; i < ctx->nscalars; i++)
+ fastrpc_map_put(ctx->maps[i]);
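Review bot: Moving the fl->pending drain into fastrpc_user_free() looks circular. Each context takes a user reference in fastrpc_context_alloc() and drops it only in fastrpc_context_free(), so a context still on fl->pending at close time keeps the user refcount above zero. The loop that would put that context now runs only after the refcount has already reached zero. The loop removed from fastrpc_device_release() suggests contexts can remain on the list at close, though the invoke path is outside this diff and should be checked. If they can, the user structure, its maps and buffers, and the channel context reference would never be released. Consider keeping the `list_for_each_entry_safe(ctx, n, &fl->pending, node)` drain in fastrpc_device_release() and leaving only the init_mem, map, mmap and kfree teardown in the kref release callback. fastrpc_context_free() continues past the end of this hunk.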
+@@ -376,6 +420,8 @@ static void fastrpc_context_free(struct
+ kfree(ctx->olaps);
+ kfree(ctx);
+
++ /* Release the reference taken in fastrpc_context_alloc() */
++ fastrpc_user_put(fl);
+ fastrpc_channel_ctx_put(cctx);
+ }
+
+@@ -485,6 +531,8 @@ static struct fastrpc_invoke_ctx *fastrp
+
+ /* Released in fastrpc_context_put() */
+ fastrpc_channel_ctx_get(cctx);
++ /* Take a reference to user, released in fastrpc_context_free() */
++ fastrpc_user_get(user);
+
+ ctx->sc = sc;
+ ctx->retval = -1;
+@@ -515,6 +563,7 @@ err_idr:
+ spin_lock(&user->lock);
+ list_del(&ctx->node);
+ spin_unlock(&user->lock);
++ fastrpc_user_put(user);
+ fastrpc_channel_ctx_put(cctx);
+ kfree(ctx->maps);
+ kfree(ctx->olaps);
+@@ -1181,9 +1230,6 @@ static int fastrpc_device_release(struct
+ {
+ struct fastrpc_user *fl = (struct fastrpc_user *)file->private_data;
+ struct fastrpc_channel_ctx *cctx = fl->cctx;
+- struct fastrpc_invoke_ctx *ctx, *n;
+- struct fastrpc_map *map, *m;
+- struct fastrpc_buf *buf, *b;
+ unsigned long flags;
+
+ fastrpc_release_current_dsp_process(fl);
+@@ -1192,28 +1238,10 @@ static int fastrpc_device_release(struct
+ list_del(&fl->user);
+ spin_unlock_irqrestore(&cctx->lock, flags);
+
+- if (fl->init_mem)
+- fastrpc_buf_free(fl->init_mem);
+-
+- list_for_each_entry_safe(ctx, n, &fl->pending, node) {
+- list_del(&ctx->node);
+- fastrpc_context_put(ctx);
+- }
+-
+- list_for_each_entry_safe(map, m, &fl->maps, node)
+- fastrpc_map_put(map);
+-
+- list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
+- list_del(&buf->node);
+- fastrpc_buf_free(buf);
+- }
+-
+ fastrpc_session_free(cctx, fl->sctx);
+- fastrpc_channel_ctx_put(cctx);
+-
+- mutex_destroy(&fl->mutex);
+- kfree(fl);
+ file->private_data = NULL;
++ /* Release the reference taken in fastrpc_device_open */
++ fastrpc_user_put(fl);
+
+ return 0;
+ }
+@@ -1253,6 +1281,7 @@ static int fastrpc_device_open(struct in
+ spin_lock_irqsave(&cctx->lock, flags);
+ list_add_tail(&fl->user, &cctx->users);
+ spin_unlock_irqrestore(&cctx->lock, flags);
++ kref_init(&fl->refcount);
+
+ return 0;
+ }
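Review bot: `kref_init(&fl->refcount)` runs after `list_add_tail(&fl->user, &cctx->users)` has made fl reachable through the channel context's user list, so the object is briefly published with an uninitialised refcount. Nothing in this diff takes a reference by walking cctx->users, but initialising before publication is the safer order: move `kref_init(&fl->refcount);` above `spin_lock_irqsave(&cctx->lock, flags);`. The start of fastrpc_device_open() is outside the hunk, so any earlier error path that frees fl directly should be checked against the new refcount too.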
--- /dev/null
+From a764b0e8317a863006e05732e1aefe821b9d8c2d Mon Sep 17 00:00:00 2001
+From: ZhaoJinming <zhaojinming@uniontech.com>
+Date: Mon, 1 Jun 2026 16:56:49 +0800
+Subject: net: bonding: fix NULL pointer dereference in bond_do_ioctl()
+
+From: ZhaoJinming <zhaojinming@uniontech.com>
+
+commit a764b0e8317a863006e05732e1aefe821b9d8c2d upstream.
+
+In bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which
+can return NULL if the requested interface name does not exist. However,
+the subsequent slave_dbg() call is placed before the NULL check:
+
+ slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
+ slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); //here
+ if (!slave_dev)
+ return -ENODEV;
+
+The slave_dbg() macro expands to netdev_dbg(bond_dev, "(slave %s): " fmt,
+(slave_dev)->name, ...) which unconditionally dereferences slave_dev->name
+before the NULL check is performed. This results in a NULL pointer
+dereference kernel oops when a user calls bonding ioctl (e.g.
+SIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave
+interface name.
+
+This is reachable from userspace via the bonding ioctl interface with
+CAP_NET_ADMIN capability, making it a potential local denial-of-service
+vector.
+
+Fix by moving the slave_dbg() call after the NULL check.
+
+Fixes: e2a7420df2e0 ("bonding/main: convert to using slave printk macros")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: ZhaoJinming <zhaojinming@uniontech.com>
+Link: https://patch.msgid.link/20260601085649.4029067-1-zhaojinming@uniontech.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4250,11 +4250,11 @@ static int bond_do_ioctl(struct net_devi
+
+ slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
+
+- slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
+-
+ if (!slave_dev)
+ return -ENODEV;
+
++ slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
++
+ switch (cmd) {
+ case SIOCBONDENSLAVE:
+ res = bond_enslave(bond_dev, slave_dev, NULL);
--- /dev/null
+From 4aacf509e537a711fa71bca9f234e5eb6968850e Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Date: Tue, 2 Jun 2026 09:34:14 +0200
+Subject: net: mv643xx: fix OF node refcount
+
+From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+
+commit 4aacf509e537a711fa71bca9f234e5eb6968850e upstream.
+
+Platform devices created with platform_device_alloc() call
+platform_device_release() when the last reference to the device's
+kobject is dropped. This function calls of_node_put() unconditionally.
+This works fine for devices created with platform_device_register_full()
+but users of the split approach (platform_device_alloc() +
+platform_device_add()) must bump the reference of the of_node they
+assign manually. Add the missing call to of_node_get().
+
+Cc: stable@vger.kernel.org
+Fixes: 76723bca2802 ("net: mv643xx_eth: add DT parsing support")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260602073414.22500-1-bartosz.golaszewski@oss.qualcomm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mv643xx_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
+@@ -2777,7 +2777,7 @@ static int mv643xx_eth_shared_of_add_por
+ goto put_err;
+ }
+ ppdev->dev.coherent_dma_mask = DMA_BIT_MASK(32);
+- ppdev->dev.of_node = pnp;
++ ppdev->dev.of_node = of_node_get(pnp);
+
+ ret = platform_device_add_resources(ppdev, &res, 1);
+ if (ret)
--- /dev/null
+From 20cf0fb715c41111469577e85e35d15f099473e0 Mon Sep 17 00:00:00 2001
+From: Yuqi Xu <xuyq21@lenovo.com>
+Date: Fri, 29 May 2026 21:01:44 +0800
+Subject: net: rds: clear i_sends on setup unwind
+
+From: Yuqi Xu <xuyq21@lenovo.com>
+
+commit 20cf0fb715c41111469577e85e35d15f099473e0 upstream.
+
+The RDS IB connection teardown path is written so it can run during
+partial startup and on repeated shutdown attempts. It uses NULL
+pointers to distinguish resources that are still owned from resources
+that have already been released.
+
+When rds_ib_setup_qp() fails after allocating i_sends but before
+allocating i_recvs, the sends_out path frees i_sends without clearing
+the pointer. A later shutdown pass can still treat that stale pointer
+as a live send ring allocation.
+
+Clear i_sends after vfree() in the error unwind path so the existing
+shutdown logic continues to use the correct ownership state.
+
+Fixes: 3b12f73a5c29 ("rds: ib: add error handle")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Allison Henderson <achender@kernel.org>
+Link: https://patch.msgid.link/5a0f7624bb9845a7b67d26166a150b59e7f394ce.1779632468.git.xuyq21@lenovo.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/ib_cm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rds/ib_cm.c
++++ b/net/rds/ib_cm.c
+@@ -656,6 +656,7 @@ static int rds_ib_setup_qp(struct rds_co
+
+ sends_out:
+ vfree(ic->i_sends);
++ ic->i_sends = NULL;
+
+ ack_dma_out:
+ rds_dma_hdr_free(rds_ibdev->dev, ic->i_ack, ic->i_ack_dma,
bnxt_en-fix-null-pointer-dereference.patch
ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch
pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch
+fuse-reject-fuse_notify-pagecache-ops-on-directories.patch
+i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch
+i2c-stm32f7-fix-timing-computation-ignoring-i2c-analog-filter.patch
+i2c-tegra-fix-noirq-suspend-resume.patch
+input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch
+input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch
+ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch
+misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch
+misc-fastrpc-fix-dma-address-corruption-due-to-find_vma-misuse.patch
+net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch
+net-mv643xx-fix-of-node-refcount.patch
+net-rds-clear-i_sends-on-setup-unwind.patch