6.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Jun 2026 04:17:40 +0000 (06:17 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Jun 2026 04:17:40 +0000 (06:17 +0200)
added patches:
accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch
accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch
accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch
arm-do-not-select-have_rust-when-kasan-is-enabled.patch
bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch
bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch
kvm-arm64-restore-por_el0-access-to-host-el0.patch
kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch
kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch
mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch
mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch
mshv-add-a-missing-padding-field.patch
netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch
netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch
rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch
rust-x86-support-rust-1.98.0-target-spec.patch
soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch
tee-shm-fix-shm-leak-in-register_shm_helper.patch
tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch
tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch

24 files changed:
queue-6.18/accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch [new file with mode: 0644]
queue-6.18/accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch [new file with mode: 0644]
queue-6.18/accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch [new file with mode: 0644]
queue-6.18/arm-do-not-select-have_rust-when-kasan-is-enabled.patch [new file with mode: 0644]
queue-6.18/bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch [new file with mode: 0644]
queue-6.18/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch [new file with mode: 0644]
queue-6.18/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch [new file with mode: 0644]
queue-6.18/hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch [new file with mode: 0644]
queue-6.18/kvm-arm64-restore-por_el0-access-to-host-el0.patch [new file with mode: 0644]
queue-6.18/kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch [new file with mode: 0644]
queue-6.18/kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch [new file with mode: 0644]
queue-6.18/mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch [new file with mode: 0644]
queue-6.18/mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch [new file with mode: 0644]
queue-6.18/mshv-add-a-missing-padding-field.patch [new file with mode: 0644]
queue-6.18/netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch [new file with mode: 0644]
queue-6.18/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch [new file with mode: 0644]
queue-6.18/rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch [new file with mode: 0644]
queue-6.18/rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch [new file with mode: 0644]
queue-6.18/rust-x86-support-rust-1.98.0-target-spec.patch [new file with mode: 0644]
queue-6.18/series
queue-6.18/soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch [new file with mode: 0644]
queue-6.18/tee-shm-fix-shm-leak-in-register_shm_helper.patch [new file with mode: 0644]
queue-6.18/tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch [new file with mode: 0644]
queue-6.18/tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch [new file with mode: 0644]

diff --git a/queue-6.18/accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch b/queue-6.18/accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch
new file mode 100644 (file)
index 0000000..1c17aab
--- /dev/null
@@ -0,0 +1,42 @@
+From dd1311bcf0e62f0c515115f46a3813370f4a4bb1 Mon Sep 17 00:00:00 2001
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Date: Fri, 29 May 2026 13:58:42 +0200
+Subject: accel/ivpu: Add bounds checks for firmware log indices
+
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+
+commit dd1311bcf0e62f0c515115f46a3813370f4a4bb1 upstream.
+
+Add validation that read and write indices in the firmware log buffer
+are within valid bounds (< data_size) before using them. If
+out-of-bounds indices are encountered (from firmware), clamp them to
+safe values instead of proceeding with invalid offsets.
+
+This prevents potential out-of-bounds buffer access when firmware
+supplies invalid log indices.
+
+Fixes: 1fc1251149a7 ("accel/ivpu: Refactor functions in ivpu_fw_log.c")
+Cc: stable@vger.kernel.org # v6.18+
+Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Link: https://patch.msgid.link/20260529115842.135378-1-andrzej.kacprowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_fw_log.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/accel/ivpu/ivpu_fw_log.c
++++ b/drivers/accel/ivpu/ivpu_fw_log.c
+@@ -98,6 +98,11 @@ static void fw_log_print_buffer(struct v
+       u32 log_start = only_new_msgs ? READ_ONCE(log->read_index) : 0;
+       u32 log_end = READ_ONCE(log->write_index);
++      if (log_start >= data_size)
++              log_start = 0;
++      if (log_end > data_size)
++              log_end = data_size;
++
+       if (log->wrap_count == log->read_wrap_count) {
+               if (log_end <= log_start) {
+                       drm_printf(p, "==== %s \"%s\" log empty ====\n", prefix, log->name);
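Review bot: The clamps at `if (log_start >= data_size)` and `if (log_end > data_size)` silently absorb indices the firmware should never produce, so a misbehaving or compromised firmware log header leaves no trace for anyone debugging the device. Since both indices are firmware-controlled, I would report the condition before clamping using the `drm_printer` already in scope, e.g. `drm_printf(p, "==== %s \"%s\" log indices out of range (r=%u w=%u size=%u) ====\n", prefix, log->name, log_start, log_end, data_size);`, so an out-of-bounds value is diagnosable rather than masked. Note that `data_size` is computed outside this hunk; the clamp is only as strong as that value, which presumably also originates from the firmware header and should itself be checked against the real buffer allocation — worth confirming. fw_log_print_buffer starts and continues outside the hunk.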
diff --git a/queue-6.18/accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch b/queue-6.18/accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch
new file mode 100644 (file)
index 0000000..c734c46
--- /dev/null
@@ -0,0 +1,42 @@
+From fb176425837693f50c5c9fc8db6fbb04af22bd0a Mon Sep 17 00:00:00 2001
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Date: Fri, 29 May 2026 14:08:41 +0200
+Subject: accel/ivpu: Add buffer overflow check in MS get_info_ioctl
+
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+
+commit fb176425837693f50c5c9fc8db6fbb04af22bd0a upstream.
+
+Add validation that the info size returned from the metric stream info
+query is not exceeded when checked against the allocated buffer size.
+If the firmware returns a size larger than the buffer, reject the
+operation with -EOVERFLOW instead of proceeding with an incorrect
+buffer copy.
+
+Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support")
+Cc: stable@vger.kernel.org # v6.18+
+Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Link: https://patch.msgid.link/20260529120841.135852-1-andrzej.kacprowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_ms.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/accel/ivpu/ivpu_ms.c
++++ b/drivers/accel/ivpu/ivpu_ms.c
+@@ -282,6 +282,13 @@ int ivpu_ms_get_info_ioctl(struct drm_de
+       if (ret)
+               goto unlock;
++      if (info_size > ivpu_bo_size(bo)) {
++              ivpu_warn_ratelimited(vdev, "MS info overflow: %#llx > %#zx\n",
++                                    info_size, ivpu_bo_size(bo));
++              ret = -EOVERFLOW;
++              goto unlock;
++      }
++
+       if (args->buffer_size < info_size) {
+               ret = -ENOSPC;
+               goto unlock;
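Review bot: The new `info_size > ivpu_bo_size(bo)` guard has no comment saying why a size the driver itself just asked for needs bounding, and it sits directly above a superficially similar `args->buffer_size < info_size` check, so a future cleanup could plausibly merge or drop it. A one-liner such as `/* info_size is reported by firmware; never trust it beyond the BO we allocated */` above the `if` would make clear that the two checks guard different buffers (the kernel-side BO versus the user buffer) and deliberately return different errors (-EOVERFLOW versus -ENOSPC). Stating that distinction also lets userspace tell a firmware fault from an undersized caller buffer. The copy this protects and the rest of ivpu_ms_get_info_ioctl are outside the hunk.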
diff --git a/queue-6.18/accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch b/queue-6.18/accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch
new file mode 100644 (file)
index 0000000..0a9cc55
--- /dev/null
@@ -0,0 +1,39 @@
+From d9faef564438d1e4579c692c046603e7ada7bdf4 Mon Sep 17 00:00:00 2001
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Date: Mon, 1 Jun 2026 18:16:43 +0200
+Subject: accel/ivpu: Fix signed integer truncation in IPC receive
+
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+
+commit d9faef564438d1e4579c692c046603e7ada7bdf4 upstream.
+
+Fix potential buffer overflow where firmware-supplied data_size is cast
+to signed int before being used in min_t(). Large unsigned values
+(>= 0x80000000) become negative, causing unsigned wraparound and
+oversized memcpy operations that can overflow the stack buffer.
+
+Change min_t(int, ...) to min() as both values are unsigned and can be
+handled by min() without explicit cast.
+
+Fixes: 3b434a3445ff ("accel/ivpu: Use threaded IRQ to handle JOB done messages")
+Cc: stable@vger.kernel.org # v6.12+
+Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Link: https://patch.msgid.link/20260601161643.229342-1-andrzej.kacprowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_ipc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/accel/ivpu/ivpu_ipc.c
++++ b/drivers/accel/ivpu/ivpu_ipc.c
+@@ -276,7 +276,7 @@ int ivpu_ipc_receive(struct ivpu_device
+       if (ipc_buf)
+               memcpy(ipc_buf, rx_msg->ipc_hdr, sizeof(*ipc_buf));
+       if (rx_msg->jsm_msg) {
+-              u32 size = min_t(int, rx_msg->ipc_hdr->data_size, sizeof(*jsm_msg));
++              u32 size = min(rx_msg->ipc_hdr->data_size, sizeof(*jsm_msg));
+               if (rx_msg->jsm_msg->result != VPU_JSM_STATUS_SUCCESS) {
+                       ivpu_err(vdev, "IPC resp result error: %d\n", rx_msg->jsm_msg->result);
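Review bot: With `min()`, a `data_size` larger than `sizeof(*jsm_msg)` is now silently truncated and the reply is processed as if well-formed; given the commit message describes this value as firmware-supplied and the old code could be driven into a stack overflow by it, an oversized payload is a protocol violation worth surfacing rather than clamping quietly. A ratelimited warning ahead of the `min()`, e.g. `if (rx_msg->ipc_hdr->data_size > sizeof(*jsm_msg)) ivpu_warn_ratelimited(vdev, "IPC data_size %u exceeds jsm_msg\n", rx_msg->ipc_hdr->data_size);`, keeps the fix while making the condition visible. Kernel `min()` type-checks its arguments and this compiles only because `sizeof()` is a constant expression; `min_t(u32, rx_msg->ipc_hdr->data_size, sizeof(*jsm_msg))` would state the intended width explicitly and not depend on that relaxation on older trees. The memcpy that consumes `size` is outside the hunk, so I could not check for other uses of `data_size` in ivpu_ipc_receive.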
diff --git a/queue-6.18/arm-do-not-select-have_rust-when-kasan-is-enabled.patch b/queue-6.18/arm-do-not-select-have_rust-when-kasan-is-enabled.patch
new file mode 100644 (file)
index 0000000..cc5298e
--- /dev/null
@@ -0,0 +1,44 @@
+From 84a0f7caafc679f763d3868635837e22bb89651a Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Mon, 11 May 2026 17:02:44 +0900
+Subject: ARM: Do not select HAVE_RUST when KASAN is enabled
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 84a0f7caafc679f763d3868635837e22bb89651a upstream.
+
+When KASAN is enabled, such as with allmodconfig, the build fails when
+building the Rust code with:
+
+  error: kernel-address sanitizer is not supported for this target
+
+  error: aborting due to 1 previous error
+
+  make[4]: *** [rust/Makefile:654: rust/core.o] Error 1
+
+The arm-unknown-linux-gnueabi target does not support KASAN, so avoid
+saying Rust is supported when it is enabled.
+
+Cc: stable@vger.kernel.org
+Fixes: ccb8ce526807 ("ARM: 9441/1: rust: Enable Rust support for ARMv7")
+Link: https://github.com/Rust-for-Linux/linux/issues/1234
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Christian Schrefl <chrisi.schrefl@gmail.com>
+Link: https://patch.msgid.link/20260511-arm-avoid-rust-with-kasan-v1-1-24d55f4a900b@kernel.org
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/Kconfig |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -134,7 +134,7 @@ config ARM
+       select MMU_GATHER_RCU_TABLE_FREE if SMP && ARM_LPAE
+       select HAVE_REGS_AND_STACK_ACCESS_API
+       select HAVE_RSEQ
+-      select HAVE_RUST if CPU_LITTLE_ENDIAN && CPU_32v7
++      select HAVE_RUST if CPU_LITTLE_ENDIAN && CPU_32v7 && !KASAN
+       select HAVE_STACKPROTECTOR
+       select HAVE_SYSCALL_TRACEPOINTS
+       select HAVE_UID16
diff --git a/queue-6.18/bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch b/queue-6.18/bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch
new file mode 100644 (file)
index 0000000..5087061
--- /dev/null
@@ -0,0 +1,47 @@
+From 5c65b96b549ea2dcfde497436bf9e048deb87758 Mon Sep 17 00:00:00 2001
+From: Yuqi Xu <xuyq21@lenovo.com>
+Date: Fri, 29 May 2026 16:54:23 +0800
+Subject: Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
+
+From: Yuqi Xu <xuyq21@lenovo.com>
+
+commit 5c65b96b549ea2dcfde497436bf9e048deb87758 upstream.
+
+Existing advertising instances can already hold the maximum extended
+advertising payload. When hci_adv_bcast_annoucement() prepends the
+Broadcast Announcement service data to that payload, the combined data
+may no longer fit in the temporary buffer used to rebuild the
+advertising data.
+
+Reject that case before copying the existing payload and report the
+failure through the device log. This keeps the existing advertising
+data intact and avoids overrunning the temporary buffer.
+
+Fixes: 5725bc608252 ("Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Assisted-by: Codex:GPT-5.4
+Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sync.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -1725,6 +1725,11 @@ static int hci_adv_bcast_annoucement(str
+       /* Generate Broadcast ID */
+       get_random_bytes(bid, sizeof(bid));
+       len = eir_append_service_data(ad, 0, 0x1852, bid, sizeof(bid));
++      if (adv->adv_data_len > sizeof(ad) - len) {
++              bt_dev_err(hdev, "No room for Broadcast Announcement");
++              return -EINVAL;
++      }
++
+       memcpy(ad + len, adv->adv_data, adv->adv_data_len);
+       hci_set_adv_instance_data(hdev, adv->instance, len + adv->adv_data_len,
+                                 ad, 0, NULL);
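Review bot: The new guard returns -EINVAL, but the condition is not an invalid argument, it is advertising data that no longer fits once the announcement is prepended; `return -EMSGSIZE;` would tell the caller precisely what went wrong. The check also relies on `ad` being a fixed-size local array so that `sizeof(ad)` is its capacity; that declaration is outside the hunk, and if `ad` were ever turned into a pointer or heap buffer `sizeof(ad) - len` would silently become pointer-size arithmetic, so a comment like `/* ad is a local array; sizeof() is its full capacity */` or a named length constant would harden it. `len` comes from eir_append_service_data() and is small, so the subtraction cannot wrap today, but that only holds while the service data stays short. hci_adv_bcast_annoucement (sic) starts outside the hunk.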
diff --git a/queue-6.18/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch b/queue-6.18/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
new file mode 100644 (file)
index 0000000..0de1e1e
--- /dev/null
@@ -0,0 +1,128 @@
+From dd214733544427587a95f66dbf3adff072568990 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Thu, 21 May 2026 10:45:17 -0400
+Subject: Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit dd214733544427587a95f66dbf3adff072568990 upstream.
+
+net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR
+signaling packets up to the channel MTU and dispatches each command
+without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer
+within radio range can send a fixed-channel CID 0x0001 packet that is
+larger than MTUsig and contains many L2CAP_ECHO_REQ commands before
+pairing. In a real-radio stock-kernel run, one 681-byte signaling
+packet containing 168 zero-length ECHO_REQ commands made the target
+transmit 168 ECHO_RSP frames over about 220 ms.
+
+Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can
+force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling
+packet containing packed ECHO_REQ commands.
+
+Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and
+reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP
+carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched.
+
+The Bluetooth Core spec wording for MTUExceeded says the reject
+identifier shall match the first request command in the packet, and
+that packets containing only responses shall be silently discarded.
+Linux intentionally deviates from that prescription: silently
+discarding desynchronizes the peer because the remote stack never
+learns its responses were dropped, and locating the first request
+command requires walking command headers past MTUsig, i.e. processing
+bytes from a packet we have already decided is too large to process.
+We therefore always emit one reject and use the identifier from the
+first command header, a single fixed-offset byte read.
+
+The unrestricted BR/EDR signaling parser and ECHO_REQ response path both
+trace to the initial git import; no later introducing commit is
+available for a Fixes tag.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
+Link: https://lore.kernel.org/r/20260518002800.1361430-1-michael.bommarito@gmail.com
+Link: https://lore.kernel.org/r/20260520135034.1060859-1-michael.bommarito@gmail.com
+Link: https://lore.kernel.org/r/20260521000555.3712030-1-michael.bommarito@gmail.com
+Assisted-by: Claude:claude-opus-4-7
+Assisted-by: Codex:gpt-5-5-xhigh
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/bluetooth/l2cap.h |    1 
+ net/bluetooth/l2cap_core.c    |   46 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 47 insertions(+)
+
+--- a/include/net/bluetooth/l2cap.h
++++ b/include/net/bluetooth/l2cap.h
+@@ -33,6 +33,7 @@
+ /* L2CAP defaults */
+ #define L2CAP_DEFAULT_MTU             672
+ #define L2CAP_DEFAULT_MIN_MTU         48
++#define L2CAP_SIG_MTU                 48      /* BR/EDR signaling MTU */
+ #define L2CAP_DEFAULT_FLUSH_TO                0xFFFF
+ #define L2CAP_EFS_DEFAULT_FLUSH_TO    0xFFFFFFFF
+ #define L2CAP_DEFAULT_TX_WINDOW               63
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5651,6 +5651,15 @@ static inline void l2cap_sig_send_rej(st
+       l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
+ }
++static inline void l2cap_sig_send_mtu_rej(struct l2cap_conn *conn, u8 ident)
++{
++      struct l2cap_cmd_rej_mtu rej;
++
++      rej.reason = cpu_to_le16(L2CAP_REJ_MTU_EXCEEDED);
++      rej.max_mtu = cpu_to_le16(L2CAP_SIG_MTU);
++      l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
++}
++
+ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
+                                    struct sk_buff *skb)
+ {
+@@ -5663,6 +5672,43 @@ static inline void l2cap_sig_channel(str
+       if (hcon->type != ACL_LINK)
+               goto drop;
++      /*
++       * Bluetooth Core v5.4, Vol 3, Part A, Section 4: the BR/EDR
++       * signaling channel has a fixed signaling MTU (MTUsig) whose
++       * minimum and default is 48 octets.  Section 4.1 says that on
++       * an MTUExceeded command reject the identifier "shall match
++       * the first request command in the L2CAP packet" and that
++       * packets containing only response commands "shall be
++       * silently discarded".
++       *
++       * Linux intentionally deviates from that prescription:
++       *
++       *   1. Silently discarding desynchronizes the peer.  The
++       *      remote stack never learns its responses were dropped,
++       *      so any state machine waiting on a paired response
++       *      stalls until its own timer fires.
++       *
++       *   2. Locating "the first request command" requires walking
++       *      command headers past MTUsig, i.e. processing bytes
++       *      from a packet we have already decided is too large to
++       *      process.
++       *
++       * Reject every over-MTUsig signaling packet with one
++       * L2CAP_REJ_MTU_EXCEEDED command reject.  The reject's
++       * reason field is what tells the peer that the whole packet
++       * was discarded; the identifier value is informational, so
++       * we use the identifier from the first command header, a
++       * single fixed-offset byte read.
++       */
++      if (skb->len > L2CAP_SIG_MTU) {
++              u8 ident = skb->data[1];
++
++              BT_DBG("signaling packet exceeds MTU: %u > %u",
++                     skb->len, L2CAP_SIG_MTU);
++              l2cap_sig_send_mtu_rej(conn, ident);
++              goto drop;
++      }
++
+       while (skb->len >= L2CAP_CMD_HDR_SIZE) {
+               u16 len;
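Review bot: `u8 ident = skb->data[1];` inside the `skb->len > L2CAP_SIG_MTU` branch reads the second byte of the linear head without a pull, and `skb->len` counts paged data too, so the length test alone does not establish that byte is present. On the HCI ACL reassembly path these skbs are linear as far as I know, and the loop below makes the same assumption, but since this is the first thing done with an unauthenticated peer's packet a cheap `if (!pskb_may_pull(skb, L2CAP_CMD_HDR_SIZE)) goto drop;` before the read would make the guarantee explicit. Second, `L2CAP_SIG_MTU` is fixed at 48 with no negotiation, so Linux's own largest outgoing signaling PDU (a CONF_REQ carrying MTU, RFC, FCS and EFS options, for example) should be checked against the same limit, because a peer enforcing this rule symmetrically will now reject it; I have not verified that size. One reject per oversized packet is a 1:1 response, so the 168:1 amplification is gone, but a peer can still elicit one transmission per packet; that is acceptable and could be stated in the comment. l2cap_sig_channel continues outside the hunk.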
diff --git a/queue-6.18/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch b/queue-6.18/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
new file mode 100644 (file)
index 0000000..01e9149
--- /dev/null
@@ -0,0 +1,89 @@
+From d21ad938398bca695a511307de38a65889e3b354 Mon Sep 17 00:00:00 2001
+From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Date: Wed, 10 Jun 2026 09:03:14 +0300
+Subject: drm/i915/gem: Fix phys BO pread/pwrite with offset
+
+From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+
+commit d21ad938398bca695a511307de38a65889e3b354 upstream.
+
+sg_page() returns struct page pointer not (void *) so the scaling
+of pread/pwrite is wrong for phys BO and wrong parts of BO would be
+accessed if non-zero offset is used.
+
+Last impacted platform with overlay or cursor planes using phys
+mapping was Gen3/945G/Lakeport.
+
+Reported-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Fixes: c6790dc22312 ("drm/i915: Wean off drm_pci_alloc/drm_pci_free")
+Cc: <stable@vger.kernel.org> # v4.5+
+Cc: Tvrtko Ursulin <tursulin@ursulin.net>
+Cc: Simona Vetter <simona@ffwll.ch>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
+Link: https://patch.msgid.link/20260610060314.26111-1-joonas.lahtinen@linux.intel.com
+(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_phys.c |   19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gem/i915_gem_phys.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_phys.c
+@@ -17,6 +17,17 @@
+ #include "i915_gem_tiling.h"
+ #include "i915_scatterlist.h"
++/* Abuse scatterlist to store pointer instead of struct page. */
++static inline void __set_phys_vaddr(struct scatterlist *sg, void *vaddr)
++{
++      sg_assign_page(sg, (struct page *)vaddr);
++}
++
++static inline void *__get_phys_vaddr(struct scatterlist *sg)
++{
++      return (void *)sg_page(sg);
++}
++
+ static int i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj)
+ {
+       struct address_space *mapping = obj->base.filp->f_mapping;
+@@ -57,7 +68,7 @@ static int i915_gem_object_get_pages_phy
+       sg->offset = 0;
+       sg->length = obj->base.size;
+-      sg_assign_page(sg, (struct page *)vaddr);
++      __set_phys_vaddr(sg, vaddr);
+       sg_dma_address(sg) = dma;
+       sg_dma_len(sg) = obj->base.size;
+@@ -98,7 +109,7 @@ i915_gem_object_put_pages_phys(struct dr
+                              struct sg_table *pages)
+ {
+       dma_addr_t dma = sg_dma_address(pages->sgl);
+-      void *vaddr = sg_page(pages->sgl);
++      void *vaddr = __get_phys_vaddr(pages->sgl);
+       __i915_gem_object_release_shmem(obj, pages, false);
+@@ -138,7 +149,7 @@ i915_gem_object_put_pages_phys(struct dr
+ int i915_gem_object_pwrite_phys(struct drm_i915_gem_object *obj,
+                               const struct drm_i915_gem_pwrite *args)
+ {
+-      void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
++      void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
+       char __user *user_data = u64_to_user_ptr(args->data_ptr);
+       struct drm_i915_private *i915 = to_i915(obj->base.dev);
+       int err;
+@@ -169,7 +180,7 @@ int i915_gem_object_pwrite_phys(struct d
+ int i915_gem_object_pread_phys(struct drm_i915_gem_object *obj,
+                              const struct drm_i915_gem_pread *args)
+ {
+-      void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
++      void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
+       char __user *user_data = u64_to_user_ptr(args->data_ptr);
+       int err;
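Review bot: The new comment `/* Abuse scatterlist to store pointer instead of struct page. */` should also say why the accessors exist: in the removed lines `sg_page(obj->mm.pages->sgl) + args->offset` was pointer arithmetic on a `struct page *`, so a user-supplied offset was scaled by `sizeof(struct page)` and pread/pwrite addressed memory far past the BO, an out-of-bounds kernel read and write reachable from an ioctl rather than merely "wrong parts of BO" as the message puts it. I would extend it to `/* Abuse scatterlist to store a vaddr instead of a struct page. Always go through these helpers: arithmetic on the raw sg_page() result is scaled by sizeof(struct page). */` so nobody reintroduces a direct sg_page() use. The helpers still depend on the caller having validated `args->offset + args->size` against `obj->base.size`; that check lives in the ioctl entry points outside this hunk and is worth naming here. The bodies of i915_gem_object_pwrite_phys and pread_phys continue outside the hunk.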
diff --git a/queue-6.18/hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch b/queue-6.18/hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch
new file mode 100644 (file)
index 0000000..3c531c1
--- /dev/null
@@ -0,0 +1,87 @@
+From 004e9ecfe6c5384f9e0b2f6f6389d42ec22789af Mon Sep 17 00:00:00 2001
+From: Anton Leontev <leontyevantony@gmail.com>
+Date: Thu, 4 Jun 2026 19:59:38 +0300
+Subject: hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
+
+From: Anton Leontev <leontyevantony@gmail.com>
+
+commit 004e9ecfe6c5384f9e0b2f6f6389d42ec22789af upstream.
+
+netvsc_copy_to_send_buf() copies page buffer entries into the VMBus
+send buffer using phys_to_virt() on the entry PFN. Entries for the
+RNDIS header and the skb linear data come from kmalloc'd memory and
+are always in the kernel direct map, but entries for skb fragments
+reference page cache or user pages, which on 32-bit x86 with
+CONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page
+phys_to_virt() returns an address outside the direct map and the
+subsequent memcpy() faults on the transmit softirq path, which is
+fatal.
+
+Map the pages with kmap_local_page() instead, handling two properties
+of the page buffer entries:
+
+ - pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity,
+   not a native PFN. Reconstruct the physical address first and derive
+   the native page from it, so the mapping stays correct where
+   PAGE_SIZE > HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages).
+
+ - Since commit 41a6328b2c55 ("hv_netvsc: Preserve contiguous PFN
+   grouping in the page buffer array"), an entry describes a full
+   physically contiguous fragment and pb[i].len can exceed PAGE_SIZE,
+   while kmap_local_page() maps a single page. Copy page by page,
+   splitting at native page boundaries.
+
+The copy path only handles packets smaller than the send section size
+(6144 bytes by default); larger packets take the cp_partial path where
+only the RNDIS header is copied. So entries here are bounded by the
+section size and a copy is split at most once on 4K-page systems. On
+!CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and
+no mapping work is added.
+
+Fixes: c25aaf814a63 ("hyperv: Enable sendbuf mechanism on the send path")
+Cc: stable@vger.kernel.org
+Signed-off-by: Anton Leontev <leontyevantony@gmail.com>
+Link: https://patch.msgid.link/20260604165938.32033-1-leontyevantony@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc.c |   19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/hyperv/netvsc.c
++++ b/drivers/net/hyperv/netvsc.c
+@@ -12,6 +12,7 @@
+ #include <linux/sched.h>
+ #include <linux/wait.h>
+ #include <linux/mm.h>
++#include <linux/highmem.h>
+ #include <linux/delay.h>
+ #include <linux/io.h>
+ #include <linux/slab.h>
+@@ -965,12 +966,22 @@ static void netvsc_copy_to_send_buf(stru
+       }
+       for (i = 0; i < page_count; i++) {
+-              char *src = phys_to_virt(pb[i].pfn << HV_HYP_PAGE_SHIFT);
+-              u32 offset = pb[i].offset;
++              phys_addr_t paddr = (pb[i].pfn << HV_HYP_PAGE_SHIFT) +
++                                  pb[i].offset;
+               u32 len = pb[i].len;
+-              memcpy(dest, (src + offset), len);
+-              dest += len;
++              while (len) {
++                      struct page *page = phys_to_page(paddr);
++                      u32 off = offset_in_page(paddr);
++                      u32 chunk = min_t(u32, len, PAGE_SIZE - off);
++                      char *src = kmap_local_page(page);
++
++                      memcpy(dest, src + off, chunk);
++                      kunmap_local(src);
++                      dest += chunk;
++                      paddr += chunk;
++                      len -= chunk;
++              }
+       }
+       if (padding)
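Review bot: The page-by-page loop bounds each `memcpy` by the native page but never bounds `dest`; the commit message argues pb[].len is limited by the send section size because larger packets take the cp_partial path, yet nothing at this point records that invariant. A comment above the `for` such as `/* Entries are bounded by the send section size (larger packets take the cp_partial path), so dest cannot overrun the section. */` would capture the assumption the loop relies on; I could not confirm it from the hunk itself. The mapping is held only across the single `memcpy` and released before `paddr`/`len` advance, which is the right shape for `kmap_local_page()`, and a short note that `src` is intentionally scoped inside the while loop would prevent someone hoisting it. netvsc_copy_to_send_buf starts and continues outside the hunk.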
diff --git a/queue-6.18/kvm-arm64-restore-por_el0-access-to-host-el0.patch b/queue-6.18/kvm-arm64-restore-por_el0-access-to-host-el0.patch
new file mode 100644 (file)
index 0000000..a357f31
--- /dev/null
@@ -0,0 +1,35 @@
+From cbaffe843a942c0d3102e0f9bce0e72b029b2594 Mon Sep 17 00:00:00 2001
+From: Joey Gouly <joey.gouly@arm.com>
+Date: Thu, 4 Jun 2026 11:54:34 +0100
+Subject: KVM: arm64: Restore POR_EL0 access to host EL0
+
+From: Joey Gouly <joey.gouly@arm.com>
+
+commit cbaffe843a942c0d3102e0f9bce0e72b029b2594 upstream.
+
+CPTR_EL2.E0POE was being cleared in __deactivate_cptr_traps_vhe(), which meant
+that any accesses to POR_EL0 from host EL0 would trap and be reported to
+userspace as an Illegal instruction. This would happen after running any VM,
+regardless if it used POE or not.
+
+Signed-off-by: Joey Gouly <joey.gouly@arm.com>
+Link: https://sashiko.dev/#/patchset/20260602155430.2088142-1-maz@kernel.org?part=1
+Link: https://patch.msgid.link/20260604105434.2297268-1-joey.gouly@arm.com
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger,kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/hyp/include/hyp/switch.h |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/kvm/hyp/include/hyp/switch.h
++++ b/arch/arm64/kvm/hyp/include/hyp/switch.h
+@@ -183,6 +183,8 @@ static inline void __deactivate_cptr_tra
+               val |= CPACR_EL1_ZEN;
+       if (cpus_have_final_cap(ARM64_SME))
+               val |= CPACR_EL1_SMEN;
++      if (cpus_have_final_cap(ARM64_HAS_S1POE))
++              val |= CPACR_EL1_E0POE;
+       write_sysreg(val, cpacr_el1);
+ }
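Review bot: The two added lines restore `CPACR_EL1_E0POE` without a comment, and the symptom they fix (host EL0 POR_EL0 accesses trapping as an illegal instruction after any VM run) is non-obvious enough to deserve one, e.g. `/* Re-enable EL0 POR_EL0 access; E0POE is cleared while guest traps are active */` above the `if`. Gating on `ARM64_HAS_S1POE` looks right since the bit is only meaningful with S1POE present. Separately, the patch carries no Fixes: tag and the stable address reads `stable@vger,kernel.org` (comma for dot), which may affect how stable tooling picks it up; worth correcting on any resend. The enclosing function starts outside the hunk.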
diff --git a/queue-6.18/kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch b/queue-6.18/kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch
new file mode 100644 (file)
index 0000000..3006f68
--- /dev/null
@@ -0,0 +1,63 @@
+From 8618004d3e897c0f1b71d9a9ab860461289bb89a Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 29 May 2026 20:35:39 +0200
+Subject: KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 8618004d3e897c0f1b71d9a9ab860461289bb89a upstream.
+
+When marking a page dirty, complain about not having a running/loaded vCPU
+if and only if the VM is still alive, i.e. its refcount is non-zero.  This
+will allow fixing a memory leak for x86 SEV-ES guests without hitting what
+is effectively a false positive on the WARN.
+
+For some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page
+across an exit to userspace, and typically unmaps the page on the next
+KVM_RUN.  But if userspace never calls KVM_RUN after such an exit, then KVM
+needs to unmap the page when the vCPU is destroyed, which in turn triggers
+the WARN about not having a running vCPU.
+
+Alternatively, SEV-ES could temporarily load the vCPU to suppress the WARN,
+as is done in nested_vmx_free_vcpu() (but for completely unrelated reasons;
+suppressing WARN from nested_put_vmcs12_pages() is pure happenstance).  But
+loading a vCPU during destruction is gross (ideally nVMX code would be
+cleaned up), risks complicating the SEV-ES code (KVM would need to ensure
+the temporarily load()+put() only runs when the vCPU isn't already loaded),
+and is ultimately pointless.
+
+The motivation for the WARN is to guard against KVM dirtying guest memory
+without pushing the corresponding GFN to the active vCPU's dirty ring, e.g.
+to ensure userspace doesn't miss a dirty page.  But for the VM's refcount
+to reach zero, there can't be _any_ userspace mappings to the dirty ring,
+as mapping the dirty ring requires doing mmap() on the vCPU FD.  I.e. if
+userspace had a valid mapping for the dirty ring, then the vCPU file and
+thus the owning VM would still be alive.  And so since userspace can't
+possibly reach the dirty ring, whether or not KVM technically "misses" a
+push to the dirty ring is irrelevant.
+
+Reported-by: Michael Roth <michael.roth@amd.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Michael Roth <michael.roth@amd.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-ID: <20260501202250.2115252-15-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-ID: <20260529183549.1104619-15-pbonzini@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/kvm_main.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -3527,7 +3527,8 @@ void mark_page_dirty_in_slot(struct kvm
+       if (WARN_ON_ONCE(vcpu && vcpu->kvm != kvm))
+               return;
+-      WARN_ON_ONCE(!vcpu && !kvm_arch_allow_write_without_running_vcpu(kvm));
++      WARN_ON_ONCE(!vcpu && refcount_read(&kvm->users_count) &&
++                   !kvm_arch_allow_write_without_running_vcpu(kvm));
+ #endif
+       if (memslot && kvm_slot_dirty_track_enabled(memslot)) {
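Review bot: The added `refcount_read(&kvm->users_count)` clause encodes a non-obvious argument — that a VM whose refcount has reached zero cannot have a userspace mapping of the dirty ring, so a missed push is unobservable — and nothing at the WARN says so; a short comment above it, `/* A dying VM (users_count == 0) can't have the dirty ring mapped, so a write without a running vCPU can't be observed by userspace. */`, would save the next reader a trip to the commit log. Whether users_count can read zero while a teardown path still dirties memory is not visible here; if it can, the WARN merely goes quiet and nothing unsafe follows. mark_page_dirty_in_slot continues outside the hunk.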
diff --git a/queue-6.18/kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch b/queue-6.18/kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch
new file mode 100644 (file)
index 0000000..936c7a9
--- /dev/null
@@ -0,0 +1,79 @@
+From f041dc80de4abbdd0909d871bf64f3f87d2350ff Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 29 May 2026 20:35:41 +0200
+Subject: KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit f041dc80de4abbdd0909d871bf64f3f87d2350ff upstream.
+
+Decouple synchronizing the GHCB SA from freeing/unpinning the SA, so that
+the free/unpin path can be reused when freeing a vCPU.
+
+Opportunistically add a WARN to harden KVM against stomping over (and thus
+leaking) an already-allocated scratch area.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Reviewed-by: Michael Roth <michael.roth@amd.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-ID: <20260501202250.2115252-17-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-ID: <20260529183549.1104619-17-pbonzini@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/sev.c |   27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -3540,20 +3540,17 @@ void sev_es_unmap_ghcb(struct vcpu_svm *
+       if (!svm->sev_es.ghcb)
+               return;
+-      if (svm->sev_es.ghcb_sa_free) {
+-              /*
+-               * The scratch area lives outside the GHCB, so there is a
+-               * buffer that, depending on the operation performed, may
+-               * need to be synced, then freed.
+-               */
+-              if (svm->sev_es.ghcb_sa_sync) {
+-                      kvm_write_guest(svm->vcpu.kvm,
+-                                      svm->sev_es.sw_scratch,
+-                                      svm->sev_es.ghcb_sa,
+-                                      svm->sev_es.ghcb_sa_len);
+-                      svm->sev_es.ghcb_sa_sync = false;
+-              }
++      /*
++       * If the scratch area lives outside the GHCB, there's a buffer that,
++       * depending on the operation performed, may need to be synced.
++       */
++      if (svm->sev_es.ghcb_sa_sync) {
++              kvm_write_guest(svm->vcpu.kvm, svm->sev_es.sw_scratch,
++                              svm->sev_es.ghcb_sa, svm->sev_es.ghcb_sa_len);
++              svm->sev_es.ghcb_sa_sync = false;
++      }
++      if (svm->sev_es.ghcb_sa_free) {
+               kvfree(svm->sev_es.ghcb_sa);
+               svm->sev_es.ghcb_sa = NULL;
+               svm->sev_es.ghcb_sa_free = false;
+@@ -3633,6 +3630,8 @@ static int setup_vmgexit_scratch(struct
+               goto e_scratch;
+       }
++      WARN_ON_ONCE(svm->sev_es.ghcb_sa_sync || svm->sev_es.ghcb_sa_free);
++
+       if ((scratch_gpa_beg & PAGE_MASK) == control->ghcb_gpa) {
+               /* Scratch area begins within GHCB */
+               ghcb_scratch_beg = control->ghcb_gpa +
+@@ -3654,6 +3653,8 @@ static int setup_vmgexit_scratch(struct
+               scratch_va = (void *)svm->sev_es.ghcb;
+               scratch_va += (scratch_gpa_beg - control->ghcb_gpa);
++              svm->sev_es.ghcb_sa_sync = false;
++              svm->sev_es.ghcb_sa_free = false;
+               svm->sev_es.ghcb_sa_len = ghcb_scratch_end - scratch_gpa_beg;
+       } else {
+               /* GHCB v2 requires the scratch area to be within the GHCB. */
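Review bot: The WARN_ON_ONCE added in setup_vmgexit_scratch only reports a scratch area left over from a previous exit; execution continues and, as far as the hunk shows, the stale ghcb_sa fields are presumably overwritten further down, so the leak the commit message describes is detected rather than prevented. If the invariant is meant to hold, the check should say where it is maintained, e.g. `/* Any SA from the previous exit must already have been synced and freed by sev_es_unmap_ghcb(). */`, or bail out instead of continuing. The reflowed kvm_write_guest() call in sev_es_unmap_ghcb() still discards its return value, so a failed sync back to the guest goes unreported — pre-existing, but the rewrite was a chance to at least log it. setup_vmgexit_scratch starts and ends outside the hunk.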
diff --git a/queue-6.18/mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch b/queue-6.18/mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch
new file mode 100644 (file)
index 0000000..673c7eb
--- /dev/null
@@ -0,0 +1,195 @@
+From 3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e Mon Sep 17 00:00:00 2001
+From: Wupeng Ma <mawupeng1@huawei.com>
+Date: Fri, 22 May 2026 09:03:05 +0800
+Subject: mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison
+
+From: Wupeng Ma <mawupeng1@huawei.com>
+
+commit 3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e upstream.
+
+Two concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can
+trigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock
+when racing with a concurrent unmap:
+
+  thread#0                              thread#1
+  --------                              --------
+  madvise(folio, MADV_HWPOISON)
+    -> poisons the folio successfully
+  madvise(folio, MADV_HWPOISON)         unmap(folio)
+    try_memory_failure_hugetlb
+      get_huge_page_for_hwpoison
+        spin_lock_irq(&hugetlb_lock)    <- held
+        __get_huge_page_for_hwpoison
+          hugetlb_update_hwpoison()
+            -> MF_HUGETLB_FOLIO_PRE_POISONED
+          goto out:
+            folio_put()
+              refcount: 1 -> 0
+              free_huge_folio()
+                spin_lock_irqsave(&hugetlb_lock)
+                  -> AA DEADLOCK!
+
+The out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop
+the GUP reference while the hugetlb_lock is still held by the hugetlb.c
+wrapper get_huge_page_for_hwpoison().  If concurrent unmap has released
+the page table mapping reference, folio_put() drops the folio refcount to
+zero, triggering free_huge_folio() which attempts to re-acquire the
+non-recursive hugetlb_lock.
+
+Fix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper
+into get_huge_page_for_hwpoison().  Place spin_unlock_irq() before the
+folio_put() at the out: label so the folio is always released outside the
+lock.
+
+[akpm@linux-foundation.org: fix race, rename label per Miaohe]
+  Link: https://sashiko.dev/#/patchset/20260522010305.4099834-1-mawupeng1@huawei.com
+  Link: https://lore.kernel.org/f39f405e-4b4b-8f79-70fe-a2b5b62114eb@huawei.com
+Link: https://lore.kernel.org/20260522010305.4099834-1-mawupeng1@huawei.com
+Fixes: 405ce051236c ("mm/hwpoison: fix race between hugetlb free/demotion and memory_failure_hugetlb()")
+Signed-off-by: Wupeng Ma <mawupeng1@huawei.com>
+Acked-by: Oscar Salvador (SUSE) <osalvador@kernel.org>
+Acked-by: Muchun Song <muchun.song@linux.dev>
+Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Acked-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: David Hildenbrand <david@kernel.org>
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Cc: Lorenzo Stoakes <ljs@kernel.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: Vlastimil Babka <vbabka@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/hugetlb.h |    8 --------
+ include/linux/mm.h      |    8 --------
+ mm/hugetlb.c            |   11 -----------
+ mm/memory-failure.c     |   19 ++++++++++---------
+ 4 files changed, 10 insertions(+), 36 deletions(-)
+
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -156,8 +156,6 @@ long hugetlb_unreserve_pages(struct inod
+                                               long freed);
+ bool folio_isolate_hugetlb(struct folio *folio, struct list_head *list);
+ int get_hwpoison_hugetlb_folio(struct folio *folio, bool *hugetlb, bool unpoison);
+-int get_huge_page_for_hwpoison(unsigned long pfn, int flags,
+-                              bool *migratable_cleared);
+ void folio_putback_hugetlb(struct folio *folio);
+ void move_hugetlb_state(struct folio *old_folio, struct folio *new_folio, int reason);
+ void hugetlb_fix_reserve_counts(struct inode *inode);
+@@ -423,12 +421,6 @@ static inline int get_hwpoison_hugetlb_f
+ {
+       return 0;
+ }
+-
+-static inline int get_huge_page_for_hwpoison(unsigned long pfn, int flags,
+-                                      bool *migratable_cleared)
+-{
+-      return 0;
+-}
+ static inline void folio_putback_hugetlb(struct folio *folio)
+ {
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -4089,8 +4089,6 @@ extern int soft_offline_page(unsigned lo
+  */
+ extern const struct attribute_group memory_failure_attr_group;
+ extern void memory_failure_queue(unsigned long pfn, int flags);
+-extern int __get_huge_page_for_hwpoison(unsigned long pfn, int flags,
+-                                      bool *migratable_cleared);
+ void num_poisoned_pages_inc(unsigned long pfn);
+ void num_poisoned_pages_sub(unsigned long pfn, long i);
+ #else
+@@ -4098,12 +4096,6 @@ static inline void memory_failure_queue(
+ {
+ }
+-static inline int __get_huge_page_for_hwpoison(unsigned long pfn, int flags,
+-                                      bool *migratable_cleared)
+-{
+-      return 0;
+-}
+-
+ static inline void num_poisoned_pages_inc(unsigned long pfn)
+ {
+ }
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -7838,17 +7838,6 @@ int get_hwpoison_hugetlb_folio(struct fo
+       return ret;
+ }
+-int get_huge_page_for_hwpoison(unsigned long pfn, int flags,
+-                              bool *migratable_cleared)
+-{
+-      int ret;
+-
+-      spin_lock_irq(&hugetlb_lock);
+-      ret = __get_huge_page_for_hwpoison(pfn, flags, migratable_cleared);
+-      spin_unlock_irq(&hugetlb_lock);
+-      return ret;
+-}
+-
+ /**
+  * folio_putback_hugetlb - unisolate a hugetlb folio
+  * @folio: the isolated hugetlb folio
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -1956,20 +1956,19 @@ void folio_clear_hugetlb_hwpoison(struct
+       folio_free_raw_hwp(folio, true);
+ }
+-/*
+- * Called from hugetlb code with hugetlb_lock held.
+- */
+-int __get_huge_page_for_hwpoison(unsigned long pfn, int flags,
++static int get_huge_page_for_hwpoison(unsigned long pfn, int flags,
+                                bool *migratable_cleared)
+ {
+       struct page *page = pfn_to_page(pfn);
+-      struct folio *folio = page_folio(page);
++      struct folio *folio;
+       bool count_increased = false;
+       int ret, rc;
++      spin_lock_irq(&hugetlb_lock);
++      folio = page_folio(page);
+       if (!folio_test_hugetlb(folio)) {
+               ret = MF_HUGETLB_NON_HUGEPAGE;
+-              goto out;
++              goto out_unlock;
+       } else if (flags & MF_COUNT_INCREASED) {
+               ret = MF_HUGETLB_IN_USED;
+               count_increased = true;
+@@ -1985,13 +1984,13 @@ int __get_huge_page_for_hwpoison(unsigne
+       } else {
+               ret = MF_HUGETLB_RETRY;
+               if (!(flags & MF_NO_RETRY))
+-                      goto out;
++                      goto out_unlock;
+       }
+       rc = hugetlb_update_hwpoison(folio, page);
+       if (rc >= MF_HUGETLB_FOLIO_PRE_POISONED) {
+               ret = rc;
+-              goto out;
++              goto out_unlock;
+       }
+       /*
+@@ -2003,8 +2002,10 @@ int __get_huge_page_for_hwpoison(unsigne
+               *migratable_cleared = true;
+       }
++      spin_unlock_irq(&hugetlb_lock);
+       return ret;
+-out:
++out_unlock:
++      spin_unlock_irq(&hugetlb_lock);
+       if (count_increased)
+               folio_put(folio);
+       return ret;
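Review bot: The removed comment "Called from hugetlb code with hugetlb_lock held." is not replaced, so the new get_huge_page_for_hwpoison() has no statement of its locking contract even though that contract is the whole fix: it now takes hugetlb_lock itself, resolves the folio under the lock, and must unlock before the folio_put() at out_unlock because dropping the last reference frees the hugetlb folio and re-acquires the lock. A header comment saying exactly that, e.g. `/* Takes and releases hugetlb_lock; folio_put() must run after the unlock, since freeing a hugetlb folio re-acquires hugetlb_lock. */`, would stop someone from "simplifying" the duplicated spin_unlock_irq() on the success path back into a single exit label. The middle of the function between the two hunks and its closing brace are outside view.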
diff --git a/queue-6.18/mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch b/queue-6.18/mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch
new file mode 100644 (file)
index 0000000..a4ee529
--- /dev/null
@@ -0,0 +1,49 @@
+From b837e38c255dd9f8b53511d52e87f1fda32b3dfe Mon Sep 17 00:00:00 2001
+From: Inochi Amaoto <inochiama@gmail.com>
+Date: Thu, 21 May 2026 15:21:20 +0800
+Subject: mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation
+
+From: Inochi Amaoto <inochiama@gmail.com>
+
+commit b837e38c255dd9f8b53511d52e87f1fda32b3dfe upstream.
+
+The previous clock uses roundup_pow_of_two() to calculate the core
+clock frequency. It does not meet the actual hardware meaning.
+The actual frequency is calculated by "ref_clk / ((div >> 1) << 1)".
+
+Fix the clock divider calculation.
+
+Fixes: 92e099104729 ("mmc: Add driver for LiteX's LiteSDCard interface")
+Signed-off-by: Inochi Amaoto <inochiama@gmail.com>
+Reviewed-by: Gabriel Somlo <gsomlo@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulfh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/litex_mmc.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/host/litex_mmc.c
++++ b/drivers/mmc/host/litex_mmc.c
+@@ -16,6 +16,7 @@
+ #include <linux/interrupt.h>
+ #include <linux/iopoll.h>
+ #include <linux/litex.h>
++#include <linux/math.h>
+ #include <linux/mod_devicetable.h>
+ #include <linux/module.h>
+ #include <linux/platform_device.h>
+@@ -436,11 +437,10 @@ static void litex_mmc_setclk(struct lite
+       struct device *dev = mmc_dev(host->mmc);
+       u32 div;
+-      div = freq ? host->ref_clk / freq : 256U;
+-      div = roundup_pow_of_two(div);
++      div = freq ? DIV_ROUND_UP(host->ref_clk, freq) : 256U;
+       div = clamp(div, 2U, 256U);
+       dev_dbg(dev, "sd_clk_freq=%d: set to %d via div=%d\n",
+-              freq, host->ref_clk / div, div);
++              freq, host->ref_clk / ((div + 1) & ~1U), div);
+       litex_write16(host->sdphy + LITEX_PHY_CLOCKERDIV, div);
+       host->sd_clk = freq;
+ }
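Review bot: The debug message's divisor, `(div + 1) & ~1U`, rounds an odd div up to the next even value, while the commit message describes the hardware as using `(div >> 1) << 1`, which rounds down; the two disagree for every odd div (3 gives 4 versus 2), so the printed frequency is wrong in one of the two cases. If the hardware truncates as the message says, an odd DIV_ROUND_UP result produces a clock faster than the requested freq, which is what the change set out to avoid; rounding the divider up to even before the clamp, `div = clamp(round_up(div, 2), 2U, 256U);`, and printing `host->ref_clk / div` would make the written and reported values agree, with round_up() coming from the linux/math.h this patch already includes. litex_mmc_setclk's signature is outside the hunk.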
diff --git a/queue-6.18/mshv-add-a-missing-padding-field.patch b/queue-6.18/mshv-add-a-missing-padding-field.patch
new file mode 100644 (file)
index 0000000..f8cdab7
--- /dev/null
@@ -0,0 +1,35 @@
+From 48fcc895403cc97aa6c776cb65e6aa11290c0b44 Mon Sep 17 00:00:00 2001
+From: Wei Liu <wei.liu@kernel.org>
+Date: Thu, 23 Apr 2026 17:26:26 +0000
+Subject: mshv: add a missing padding field
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wei Liu <wei.liu@kernel.org>
+
+commit 48fcc895403cc97aa6c776cb65e6aa11290c0b44 upstream.
+
+That was missed when importing the header.
+
+Reported-by: Doru Blânzeanu <dblanzeanu@linux.microsoft.com>
+Reported-by: Magnus Kulke <magnuskulke@linux.microsoft.com>
+Fixes: e68bda71a2384 ("hyperv: Add new Hyper-V headers in include/hyperv")
+Cc: stable@kernel.org
+Reviewed-by: Easwar Hariharan <easwar.hariharan@linux.microsoft.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/hyperv/hvhdk.h |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/hyperv/hvhdk.h
++++ b/include/hyperv/hvhdk.h
+@@ -72,6 +72,7 @@ struct hv_vp_register_page {
+               u64 registers[18];
+       };
++      u8 reserved[8];
+       /* Volatile XMM registers (HV_X64_REGISTER_CLASS_XMM) */
+       union {
+               struct {
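Review bot: The new `u8 reserved[8]` has no comment saying which architected offset it restores, so a future reader cannot tell padding from a real field; a short `/* pad: keeps the XMM register union at the offset the hypervisor expects */`, with the spec offset if known, would record it. If the header has a known total size for hv_vp_register_page, a compile-time offsetof/sizeof check would catch this class of import error next time; whether one exists is not visible from the hunk. The struct's beginning and end are outside the hunk.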
diff --git a/queue-6.18/netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch b/queue-6.18/netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch
new file mode 100644 (file)
index 0000000..3d37dbb
--- /dev/null
@@ -0,0 +1,45 @@
+From c7d573551f9286100a055ef696cde6af54549677 Mon Sep 17 00:00:00 2001
+From: Davide Ornaghi <d.ornaghi97@gmail.com>
+Date: Wed, 10 Jun 2026 12:39:13 +0200
+Subject: netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register
+
+From: Davide Ornaghi <d.ornaghi97@gmail.com>
+
+commit c7d573551f9286100a055ef696cde6af54549677 upstream.
+
+NFT_META_BRI_IIFHWADDR declares its destination register with
+len = ETH_ALEN (6 bytes), which the register-init tracking rounds up to
+two 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does
+memcpy(dest, br_dev->dev_addr, ETH_ALEN), writing only 6 bytes and
+leaving the upper 2 bytes of the second register as uninitialised
+nft_do_chain() stack. A downstream load of that register span leaks
+those stale bytes to userspace.
+
+Zero the second register before the memcpy so the full declared span is
+written.
+
+Fixes: cbd2257dc96e ("netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Davide Ornaghi <d.ornaghi97@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/netfilter/nft_meta_bridge.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bridge/netfilter/nft_meta_bridge.c b/net/bridge/netfilter/nft_meta_bridge.c
+index 7763e78abb00..219c40680260 100644
+--- a/net/bridge/netfilter/nft_meta_bridge.c
++++ b/net/bridge/netfilter/nft_meta_bridge.c
+@@ -64,6 +64,8 @@ static void nft_meta_bridge_get_eval(const struct nft_expr *expr,
+               if (!br_dev)
+                       goto err;
++              /* ETH_ALEN (6) is shorter than the destination register span (8) */
++              dest[1] = 0;
+               memcpy(dest, br_dev->dev_addr, ETH_ALEN);
+               return;
+       default:
+-- 
+2.54.0
+
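Review bot: Zeroing `dest[1]` before the memcpy closes the 2-byte gap for this key, but it silently depends on ETH_ALEN being 6 and the register being 32 bits wide; making that relationship explicit, e.g. `BUILD_BUG_ON(ETH_ALEN > 2 * sizeof(*dest))` next to it (assuming dest is a u32 pointer, which the hunk does not show), or zeroing the whole declared span instead of only the second register, would keep the fix from rotting if either constant changes. The same gap exists for any other key in this switch whose declared len is not a multiple of the register size, so the remaining cases of nft_meta_bridge_get_eval, which lie outside the hunk, deserve the same look. The function starts and ends outside the hunk.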
diff --git a/queue-6.18/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch b/queue-6.18/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
new file mode 100644 (file)
index 0000000..fd21a77
--- /dev/null
@@ -0,0 +1,43 @@
+From c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a Mon Sep 17 00:00:00 2001
+From: Tristan Madani <tristan@talencesecurity.com>
+Date: Wed, 27 May 2026 13:57:50 +0000
+Subject: netfilter: nft_tunnel: fix use-after-free on object destroy
+
+From: Tristan Madani <tristan@talencesecurity.com>
+
+commit c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a upstream.
+
+nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
+kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
+that took a reference via dst_hold() in nft_tunnel_obj_eval() and
+are still queued (e.g. in a netem qdisc) are left with a dangling
+pointer. When these packets are eventually dequeued, dst_release()
+operates on freed memory.
+
+Replace metadata_dst_free() with dst_release() so the metadata_dst
+is freed only after all references are dropped. The dst subsystem
+already handles metadata_dst cleanup in dst_destroy() when
+DST_METADATA is set.
+
+Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
+Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_tunnel.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -702,7 +702,7 @@ static void nft_tunnel_obj_destroy(const
+ {
+       struct nft_tunnel_obj *priv = nft_obj_data(obj);
+-      metadata_dst_free(priv->md);
++      dst_release(&priv->md->dst);
+ }
+ static struct nft_object_type nft_tunnel_obj_type;
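Review bot: The switch from metadata_dst_free() to dst_release() matches the refcounted lifetime the commit describes, but the destroy callback now relies on two facts that live only in the commit log: in-flight packets may hold references taken by dst_hold() in nft_tunnel_obj_eval(), and dst_destroy() frees the metadata_dst once DST_METADATA is set. A one-line comment above the call, `/* Packets may still hold a ref via dst_hold(); let dst_destroy() free the metadata_dst. */`, would stop a future cleanup from reverting to the direct free. Whether priv->md can be NULL for a partially set-up object, in which case `&priv->md->dst` would hand dst_release() a bad pointer, is not visible here.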
diff --git a/queue-6.18/rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch b/queue-6.18/rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch
new file mode 100644 (file)
index 0000000..08c89af
--- /dev/null
@@ -0,0 +1,67 @@
+From ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c Mon Sep 17 00:00:00 2001
+From: Alice Ryhl <aliceryhl@google.com>
+Date: Wed, 27 May 2026 18:18:07 +0000
+Subject: rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES
+
+From: Alice Ryhl <aliceryhl@google.com>
+
+commit ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c upstream.
+
+Due to a rustc bug [1] the -Cforce-unwind-tables=y flag only emits the
+uwtable annotation for functions, but not for the module. This means
+that compiler-generated functions such as 'asan.module_ctor' do not
+receive the uwtable annotation.
+
+When CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, this leads to boot
+failures because the dwarf information emitted for the kasan
+constructors is wrong, which causes the SCS boot patching code to
+patch the constructor in an illegal manner. Specifically, the paciasp
+instruction is patched, but the autiasp instruction is not. This
+mismatch leads to a crash when the constructor is called during boot.
+
+       ==================================================================
+       BUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90
+       Read of size 8 at addr ffffffe3cc7eb488 by task swapper/0/1
+
+Specifically the faulting instruction is the (*fn)() to invoke the
+constructor in do_ctors() of the init/main.c file.
+
+Once the fix lands in rustc, this flag can be made conditional on the
+rustc version. Note that passing the flag on a rustc with the fix
+present has no effect.
+
+[ The fix [1] has landed for Rust 1.98.0 (expected release on
+  2026-08-20).
+
+  Thus add a version check as discussed.
+
+    - Miguel ]
+
+Fixes: d077242d68a3 ("rust: support for shadow call stack sanitizer")
+Cc: stable@kernel.org
+Link: https://github.com/rust-lang/rust/pull/156973 [1]
+Reported-by: Bo Ye <bo.ye@mediatek.com>
+Debugged-by: Isaac Manjarres <isaacmanjarres@google.com>
+Debugged-by: Sami Tolvanen <samitolvanen@google.com>
+Tested-by: Isaac Manjarres <isaacmanjarres@google.com>
+Signed-off-by: Alice Ryhl <aliceryhl@google.com>
+Link: https://patch.msgid.link/20260527-uwtable-module-flag-v1-1-caa41342be4b@google.com
+[ Adjusted link and comment. - Miguel ]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/Makefile |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -63,6 +63,9 @@ else
+ KBUILD_CFLAGS += -fasynchronous-unwind-tables
+ KBUILD_AFLAGS += -fasynchronous-unwind-tables
+ KBUILD_RUSTFLAGS += -Cforce-unwind-tables=y -Zuse-sync-unwind=n
++# Work around rustc bug on compilers without
++# https://github.com/rust-lang/rust/pull/156973.
++KBUILD_RUSTFLAGS += $(if $(call rustc-min-version,109800),,-Zllvm_module_flag=uwtable:u32:2:max)
+ endif
+ ifeq ($(CONFIG_STACKPROTECTOR_PER_TASK),y)
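Review bot: The two-line comment above the new KBUILD_RUSTFLAGS line names the rustc pull request but not the symptom, so a reader of the Makefile cannot tell why the flag matters or when it is safe to drop; extending it with the effect, e.g. `# rustc < 1.98.0 sets uwtable on functions but not the module, so compiler-generated functions (asan.module_ctor) get wrong unwind info and SCS boot patching corrupts them.`, would make the gate self-explanatory. The version gate `rustc-min-version,109800` appears to encode 1.98.0 in the six-digit form the helper expects, consistent with the commit log. The enclosing else branch starts outside the hunk.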
diff --git a/queue-6.18/rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch b/queue-6.18/rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch
new file mode 100644 (file)
index 0000000..7a8a9d8
--- /dev/null
@@ -0,0 +1,121 @@
+From 4a44b17406cb5a93f90af3df9392b3a45eb336fb Mon Sep 17 00:00:00 2001
+From: Alice Ryhl <aliceryhl@google.com>
+Date: Thu, 7 May 2026 11:14:42 +0000
+Subject: rust: kasan/kbuild: fix rustc-option when cross-compiling
+
+From: Alice Ryhl <aliceryhl@google.com>
+
+commit 4a44b17406cb5a93f90af3df9392b3a45eb336fb upstream.
+
+The Makefile version of rustc-option currently checks whether the option
+exists for the host target instead of the target actually being compiled
+for. It was done this way in commit 46e24a545cdb ("rust: kasan/kbuild:
+fix missing flags on first build") to avoid a circular dependency on
+target.json. However, because of this, rustc-option currently does not
+function when cross-compiling from x86_64 to aarch64 if
+CONFIG_SHADOW_CALL_STACK is enabled. This is because KBUILD_RUSTFLAGS
+contains -Zfixed-x18 under this configuration. Since that flag does not
+exist on the host target, rustc-option runs into a compilation failure
+every time, leading to all flags being rejected as unsupported.
+
+To fix this, update rustc-option to pass a --target parameter so that
+the host target is not used. For targets using target.json, use a
+built-in target that is as close as possible to the target created with
+target.json to avoid the circular dependency on target.json.
+
+One scenario where this causes a boot failure:
+* Cross-compiled from x86_64 to aarch64.
+* With CONFIG_SHADOW_CALL_STACK=y
+* With CONFIG_KASAN_SW_TAGS=y
+* With CONFIG_KASAN_INLINE=n
+Then the resulting kernel image will fail to boot when it first calls
+into Rust code with a crash along the lines of "Unable to handle kernel
+paging request at virtual address 0ffffffc08541796". This is because the
+call threshold is not specified, so rustc will inline kasan operations,
+but the kasan shadow offset is not specified, which leads to the inlined
+kasan instructions being incorrect.
+
+Note that the -Zsanitizer=kernel-hwaddress parameter itself does not
+lead to a rustc-option failure despite being aarch64-specific because
+RUSTFLAGS_KASAN has not yet been added to KBUILD_RUSTFLAGS when
+rustc-option is evaluated by the kasan Makefile.
+
+Cc: stable@vger.kernel.org
+Fixes: 46e24a545cdb ("rust: kasan/kbuild: fix missing flags on first build")
+Signed-off-by: Alice Ryhl <aliceryhl@google.com>
+Link: https://patch.msgid.link/20260507-rustc-option-cross-v2-1-2f650a49c2b5@google.com
+[ Edited slightly:
+    - Reset variable to avoid using the environment.
+    - Use a simply expanded variable flavor for simplicity.
+    - Export variable so that behavior in sub-`make`s is consistent.
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+  This matches other variables. - Miguel ]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+---
+ Makefile                  |    3 ++-
+ arch/x86/Makefile         |    4 ++++
+ arch/x86/Makefile.um      |    8 ++++++++
+ scripts/Makefile.compiler |    2 +-
+ 4 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -603,6 +603,7 @@ KBUILD_RUSTFLAGS := $(rust_common_flags)
+                   -Crelocation-model=static \
+                   -Zfunction-sections=n \
+                   -Wclippy::float_arithmetic
++KBUILD_RUSTFLAGS_OPTION_CHKS :=
+ KBUILD_AFLAGS_KERNEL :=
+ KBUILD_CFLAGS_KERNEL :=
+@@ -639,7 +640,7 @@ export KBUILD_USERCFLAGS KBUILD_USERLDFL
+ export KBUILD_CPPFLAGS NOSTDINC_FLAGS LINUXINCLUDE OBJCOPYFLAGS KBUILD_LDFLAGS
+ export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE
+-export KBUILD_RUSTFLAGS RUSTFLAGS_KERNEL RUSTFLAGS_MODULE
++export KBUILD_RUSTFLAGS RUSTFLAGS_KERNEL RUSTFLAGS_MODULE KBUILD_RUSTFLAGS_OPTION_CHKS
+ export KBUILD_AFLAGS AFLAGS_KERNEL AFLAGS_MODULE
+ export KBUILD_AFLAGS_MODULE KBUILD_CFLAGS_MODULE KBUILD_RUSTFLAGS_MODULE KBUILD_LDFLAGS_MODULE
+ export KBUILD_AFLAGS_KERNEL KBUILD_CFLAGS_KERNEL KBUILD_RUSTFLAGS_KERNEL
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -79,6 +79,10 @@ KBUILD_CFLAGS += -mno-sse -mno-mmx -mno-
+ KBUILD_RUSTFLAGS += --target=$(objtree)/scripts/target.json
+ KBUILD_RUSTFLAGS += -Ctarget-feature=-sse,-sse2,-sse3,-ssse3,-sse4.1,-sse4.2,-avx,-avx2
++# The target.json file is not available when invoking rustc-option, so use the
++# built-in target when checking whether flags are supported instead.
++KBUILD_RUSTFLAGS_OPTION_CHKS += --target=x86_64-unknown-none
++
+ #
+ # CFLAGS for compiling floating point code inside the kernel.
+ #
+--- a/arch/x86/Makefile.um
++++ b/arch/x86/Makefile.um
+@@ -14,6 +14,14 @@ endif
+ KBUILD_RUSTFLAGS += --target=$(objtree)/scripts/target.json
++# The target.json file is not available when invoking rustc-option, so use the
++# built-in target when checking whether flags are supported instead.
++ifeq ($(CONFIG_X86_32),y)
++KBUILD_RUSTFLAGS_OPTION_CHKS += --target=i686-unknown-linux-gnu
++else
++KBUILD_RUSTFLAGS_OPTION_CHKS += --target=x86_64-unknown-linux-gnu
++endif
++
+ ifeq ($(CONFIG_X86_32),y)
+ START := 0x8048000
+--- a/scripts/Makefile.compiler
++++ b/scripts/Makefile.compiler
+@@ -80,7 +80,7 @@ ld-option = $(call try-run, $(LD) $(KBUI
+ # TODO: remove RUSTC_BOOTSTRAP=1 when we raise the minimum GNU Make version to 4.4
+ __rustc-option = $(call try-run,\
+       echo '$(pound)![allow(missing_docs)]$(pound)![feature(no_core)]$(pound)![no_core]' | RUSTC_BOOTSTRAP=1\
+-      $(1) --sysroot=/dev/null $(filter-out --sysroot=/dev/null --target=%,$(2)) $(3)\
++      $(1) --sysroot=/dev/null $(KBUILD_RUSTFLAGS_OPTION_CHKS) $(filter-out --sysroot=/dev/null --target=%target.json,$(2)) $(3)\
+       --crate-type=rlib --out-dir=$(TMPOUT) --emit=obj=- - >/dev/null,$(3),$(4))
+ # rustc-option
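Review bot: The trailer block of the queued patch is malformed: Greg's Signed-off-by lands inside Miguel's bracketed edit note, splitting `[ Edited slightly: ... This matches other variables. - Miguel ]` in two, so the recorded sign-off order is wrong and tooling that parses trailers may misread it. On the code side, the new __rustc-option passes `$(KBUILD_RUSTFLAGS_OPTION_CHKS)` ahead of the filtered flags and the filter now drops only `--target=%target.json`; an architecture that puts a built-in `--target=` in KBUILD_RUSTFLAGS and also sets OPTION_CHKS would hand rustc two --target options, with the winner decided by rustc's own argument handling — a comment at the filter stating that built-in targets are deliberately kept would make the intent clear. __rustc-option is fully inside the hunk; the other three hunks of this patch only declare and export the variable.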
diff --git a/queue-6.18/rust-x86-support-rust-1.98.0-target-spec.patch b/queue-6.18/rust-x86-support-rust-1.98.0-target-spec.patch
new file mode 100644 (file)
index 0000000..0c3e394
--- /dev/null
@@ -0,0 +1,59 @@
+From 905b06d32a52afe32fcf5f30cf298c9ea6359f11 Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda <ojeda@kernel.org>
+Date: Sat, 30 May 2026 13:49:25 +0200
+Subject: rust: x86: support Rust >= 1.98.0 target spec
+
+From: Miguel Ojeda <ojeda@kernel.org>
+
+commit 905b06d32a52afe32fcf5f30cf298c9ea6359f11 upstream.
+
+Starting with Rust 1.98.0 (expected 2026-08-20), the target spec will not
+support `x86-softfloat` anymore [1]. Instead, `softfloat` should be used,
+which is an alias. Otherwise, one gets:
+
+    error: error loading target specification: rustc-abi: invalid rustc abi: 'x86-softfloat'. allowed values: 'x86-sse2', 'softfloat' at line 3 column 32
+      |
+      = help: run `rustc --print target-list` for a list of built-in targets
+
+Thus conditionally use one or the other depending on the version.
+
+The alias has existed since Rust 1.95.0 (released 2026-04-16) [2], but
+use the newer version instead to avoid changing how the build works for
+existing compilers, at least until more testing takes place.
+
+Cc: Ralf Jung <post@ralfj.de>
+Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs).
+Link: https://github.com/rust-lang/rust/pull/157151 [1]
+Link: https://github.com/rust-lang/rust/pull/151154 [2]
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Link: https://patch.msgid.link/20260530114925.260754-1-ojeda@kernel.org
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/generate_rust_target.rs |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/scripts/generate_rust_target.rs
++++ b/scripts/generate_rust_target.rs
+@@ -196,7 +196,9 @@ fn main() {
+         }
+     } else if cfg.has("X86_64") {
+         ts.push("arch", "x86_64");
+-        if cfg.rustc_version_atleast(1, 86, 0) {
++        if cfg.rustc_version_atleast(1, 98, 0) {
++            ts.push("rustc-abi", "softfloat");
++        } else if cfg.rustc_version_atleast(1, 86, 0) {
+             ts.push("rustc-abi", "x86-softfloat");
+         }
+         ts.push(
+@@ -236,7 +238,9 @@ fn main() {
+             panic!("32-bit x86 only works under UML");
+         }
+         ts.push("arch", "x86");
+-        if cfg.rustc_version_atleast(1, 86, 0) {
++        if cfg.rustc_version_atleast(1, 98, 0) {
++            ts.push("rustc-abi", "softfloat");
++        } else if cfg.rustc_version_atleast(1, 86, 0) {
+             ts.push("rustc-abi", "x86-softfloat");
+         }
+         ts.push(
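Review bot: The three-way `rustc-abi` selection is now duplicated verbatim in the X86_64 branch and the 32-bit X86 branch (the `if cfg.rustc_version_atleast(1, 98, 0)` chain appears in both inner hunks), and nothing in the code records why the cut-over is 1.98.0 when the alias has been accepted since 1.95.0; that reasoning lives only in the commit message, so the next person to touch one branch is likely to leave the other behind. A small helper taking `ts` and `cfg` that contains the version chain once would keep the two in step, and a one-line comment above the check such as `// Rust >= 1.98.0 rejects "x86-softfloat"; "softfloat" is the alias it has accepted since 1.95.0.` would make the threshold self-explanatory. The enclosing `main()` starts outside the hunk, so I could not check whether a similar helper already exists for other targets.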
index fa432a98688155acf05127f97b9ed3bbb87869cb..d28608b4b23d4ef14dd1869eadbbb474aa0a635c 100644 (file)
@@ -144,3 +144,26 @@ drm-virtio-fix-driver-removal-with-disabled-kms.patch
 drm-vc4-fix-krealloc-memory-leak.patch
 drm-xe-fix-refcount-leak-in-xe_range_fence_insert.patch
 accel-amdxdna-fix-mm_struct-reference-leak-in-aie2_p.patch
+netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
+netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch
+tee-shm-fix-shm-leak-in-register_shm_helper.patch
+bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch
+bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
+soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch
+mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch
+accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch
+accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch
+accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch
+tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch
+tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch
+rust-x86-support-rust-1.98.0-target-spec.patch
+arm-do-not-select-have_rust-when-kasan-is-enabled.patch
+rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch
+rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch
+mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch
+mshv-add-a-missing-padding-field.patch
+kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch
+kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch
+kvm-arm64-restore-por_el0-access-to-host-el0.patch
+drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
+hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch
diff --git a/queue-6.18/soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch b/queue-6.18/soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch
new file mode 100644 (file)
index 0000000..5a4cf3b
--- /dev/null
@@ -0,0 +1,150 @@
+From d922113ef91e6e7e8065e9070f349365341ba32e Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+Date: Mon, 18 May 2026 19:22:17 +0530
+Subject: soc: qcom: ice: Fix race between qcom_ice_probe() and of_qcom_ice_get()
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+
+commit d922113ef91e6e7e8065e9070f349365341ba32e upstream.
+
+The current platform driver design causes probe ordering races with
+consumers (UFS, eMMC) due to ICE's dependency on SCM firmware calls. If ICE
+probe fails (missing ICE SCM or DT registers), devm_of_qcom_ice_get() loops
+with -EPROBE_DEFER, leaving consumers non-functional even when ICE should
+be gracefully disabled. devm_of_qcom_ice_get() doesn't know if the ICE
+driver probe has failed due to above reasons or it is waiting for the SCM
+driver.
+
+Moreover, there is no devlink dependency between ICE and consumer drivers
+as 'qcom,ice' is not considered as a DT 'supplier'. So the consumer drivers
+have no idea of when the ICE driver is going to probe.
+
+To address these issues, store the error pointer in a global xarray with
+ice node phandle as a key during probe in addition to the valid ice pointer
+and synchronize both qcom_ice_probe() and of_qcom_ice_get() using a mutex.
+
+If the xarray entry is NULL, then it implies that the driver is not
+probed yet, so return -EPROBE_DEFER. If it has any error pointer, return
+that error pointer directly. Otherwise, add the devlink as usual and return
+the valid pointer to the consumer.
+
+Xarray is used instead of platform drvdata, since driver core frees the
+drvdata during probe failure. So it cannot be used to pass the error
+pointer to the consumers.
+
+Note that this change only fixes the standalone ICE DT node bindings and
+not the ones with 'ice' range embedded in the consumer nodes, where there
+is no issue.
+
+Fixes: 2afbf43a4aec ("soc: qcom: Make the Qualcomm UFS/SDCC ICE a dedicated driver")
+Reported-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
+Tested-by: Sumit Garg <sumit.garg@oss.qualcomm.com> # OP-TEE as TZ
+Acked-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
+Cc: stable@vger.kernel.org # 6.4
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20260518-qcom-ice-fix-v7-1-2a595382185b@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/ice.c |   38 +++++++++++++++++++++++++++++++-------
+ 1 file changed, 31 insertions(+), 7 deletions(-)
+
+--- a/drivers/soc/qcom/ice.c
++++ b/drivers/soc/qcom/ice.c
+@@ -16,6 +16,7 @@
+ #include <linux/of.h>
+ #include <linux/of_platform.h>
+ #include <linux/platform_device.h>
++#include <linux/xarray.h>
+ #include <linux/firmware/qcom/qcom_scm.h>
+@@ -100,6 +101,9 @@ struct qcom_ice {
+       bool hwkm_init_complete;
+ };
++static DEFINE_XARRAY(ice_handles);
++static DEFINE_MUTEX(ice_mutex);
++
+ static bool qcom_ice_check_supported(struct qcom_ice *ice)
+ {
+       u32 regval = qcom_ice_readl(ice, QCOM_ICE_REG_VERSION);
+@@ -609,6 +613,8 @@ static struct qcom_ice *of_qcom_ice_get(
+               return qcom_ice_create(&pdev->dev, base);
+       }
++      guard(mutex)(&ice_mutex);
++
+       /*
+        * If the consumer node does not provider an 'ice' reg range
+        * (legacy DT binding), then it must at least provide a phandle
+@@ -625,12 +631,13 @@ static struct qcom_ice *of_qcom_ice_get(
+               return ERR_PTR(-ENODEV);
+       }
+-      ice = platform_get_drvdata(pdev);
+-      if (!ice) {
+-              dev_err(dev, "Cannot get ice instance from %s\n",
+-                      dev_name(&pdev->dev));
++      ice = xa_load(&ice_handles, pdev->dev.of_node->phandle);
++      if (IS_ERR_OR_NULL(ice)) {
+               platform_device_put(pdev);
+-              return ERR_PTR(-EPROBE_DEFER);
++              if (!ice)
++                      return ERR_PTR(-EPROBE_DEFER);
++              else
++                      return ice;
+       }
+       link = device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_SUPPLIER);
+@@ -694,24 +701,40 @@ EXPORT_SYMBOL_GPL(devm_of_qcom_ice_get);
+ static int qcom_ice_probe(struct platform_device *pdev)
+ {
++      unsigned long phandle = pdev->dev.of_node->phandle;
+       struct qcom_ice *engine;
+       void __iomem *base;
++      guard(mutex)(&ice_mutex);
++
+       base = devm_platform_ioremap_resource(pdev, 0);
+       if (IS_ERR(base)) {
+               dev_warn(&pdev->dev, "ICE registers not found\n");
++              /* Store the error pointer for devm_of_qcom_ice_get() */
++              xa_store(&ice_handles, phandle, (__force void *)base, GFP_KERNEL);
+               return PTR_ERR(base);
+       }
+       engine = qcom_ice_create(&pdev->dev, base);
+-      if (IS_ERR(engine))
++      if (IS_ERR(engine)) {
++              /* Store the error pointer for devm_of_qcom_ice_get() */
++              xa_store(&ice_handles, phandle, engine, GFP_KERNEL);
+               return PTR_ERR(engine);
++      }
+-      platform_set_drvdata(pdev, engine);
++      xa_store(&ice_handles, phandle, engine, GFP_KERNEL);
+       return 0;
+ }
++static void qcom_ice_remove(struct platform_device *pdev)
++{
++      unsigned long phandle = pdev->dev.of_node->phandle;
++
++      guard(mutex)(&ice_mutex);
++      xa_store(&ice_handles, phandle, NULL, GFP_KERNEL);
++}
++
+ static const struct of_device_id qcom_ice_of_match_table[] = {
+       { .compatible = "qcom,inline-crypto-engine" },
+       { },
+@@ -720,6 +743,7 @@ MODULE_DEVICE_TABLE(of, qcom_ice_of_matc
+ static struct platform_driver qcom_ice_driver = {
+       .probe  = qcom_ice_probe,
++      .remove = qcom_ice_remove,
+       .driver = {
+               .name = "qcom-ice",
+               .of_match_table = qcom_ice_of_match_table,
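Review bot: The return value of the success-path `xa_store(&ice_handles, phandle, engine, GFP_KERNEL);` in qcom_ice_probe() is discarded, yet that store can fail with -ENOMEM; probe would then return 0 with nothing in the xarray, every consumer would get NULL from xa_load() and spin on -EPROBE_DEFER, which is the very symptom this change is meant to cure. Check it, e.g. add `int ret;` and end probe with `ret = xa_err(xa_store(&ice_handles, phandle, engine, GFP_KERNEL)); if (ret) return ret;` (the two error-path stores can stay best-effort, since their failure only degrades to the old deferral behaviour). Separately, the core-api XArray documentation says IS_ERR() pointers must not be stored as entries because some collide with value or internal entries — -EINVAL and -ENXIO, for instance, have low bits 0b10 and satisfy xa_is_internal() — so storing the `base`/`engine` error pointers directly is outside the API contract even if the common errnos happen to round-trip; encoding them as `xa_mk_value(-PTR_ERR(engine))` and decoding in of_qcom_ice_get() with `xa_is_value()`/`xa_to_value()` would stay within it. I have not traced every xas_* path, so the practical impact of the second point may be limited to specific errnos, but the first is a straightforward missing check.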
diff --git a/queue-6.18/tee-shm-fix-shm-leak-in-register_shm_helper.patch b/queue-6.18/tee-shm-fix-shm-leak-in-register_shm_helper.patch
new file mode 100644 (file)
index 0000000..b3fbe7f
--- /dev/null
@@ -0,0 +1,40 @@
+From 26682f5efc276e3ad96d102019472bfbf03833b2 Mon Sep 17 00:00:00 2001
+From: Georgiy Osokin <g.osokin@auroraos.dev>
+Date: Wed, 8 Apr 2026 18:52:03 +0300
+Subject: tee: shm: fix shm leak in register_shm_helper()
+
+From: Georgiy Osokin <g.osokin@auroraos.dev>
+
+commit 26682f5efc276e3ad96d102019472bfbf03833b2 upstream.
+
+register_shm_helper() allocates shm before calling
+iov_iter_npages(). If iov_iter_npages() returns 0, the function
+jumps to err_ctx_put and leaks shm.
+
+This can be triggered by TEE_IOC_SHM_REGISTER with
+struct tee_ioctl_shm_register_data where length is 0.
+
+Jump to err_free_shm instead.
+
+Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration")
+Cc: stable@vger.kernel.org
+Cc: lvc-project@linuxtesting.org
+Signed-off-by: Georgiy Osokin <g.osokin@auroraos.dev>
+Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tee/tee_shm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tee/tee_shm.c
++++ b/drivers/tee/tee_shm.c
+@@ -435,7 +435,7 @@ register_shm_helper(struct tee_context *
+       num_pages = iov_iter_npages(iter, INT_MAX);
+       if (!num_pages) {
+               ret = ERR_PTR(-ENOMEM);
+-              goto err_ctx_put;
++              goto err_free_shm;
+       }
+       shm->pages = kcalloc(num_pages, sizeof(*shm->pages), GFP_KERNEL);
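Review bot: A zero-length TEE_IOC_SHM_REGISTER request still comes back as -ENOMEM (`ret = ERR_PTR(-ENOMEM);` immediately above the corrected goto), which reports a bad argument as an allocation failure to userspace now that the leak is gone; -EINVAL would describe the condition, though changing a uAPI errno in a stable backport is a judgement call and belongs in a separate upstream change if at all. register_shm_helper() and the err_free_shm/err_ctx_put labels are outside the hunk, so I am assuming err_free_shm falls through to the context put that the old label performed.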
diff --git a/queue-6.18/tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch b/queue-6.18/tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch
new file mode 100644 (file)
index 0000000..174549e
--- /dev/null
@@ -0,0 +1,58 @@
+From 0652a3daa78723f955b1ebeb621665ce72bec53e Mon Sep 17 00:00:00 2001
+From: Eva Kurchatova <eva.kurchatova@virtuozzo.com>
+Date: Wed, 3 Jun 2026 18:31:42 +0300
+Subject: tracing: Fix CFI violation in probestub being called by tprobes
+
+From: Eva Kurchatova <eva.kurchatova@virtuozzo.com>
+
+commit 0652a3daa78723f955b1ebeb621665ce72bec53e upstream.
+
+The probestub is a function to allow tprobes to hook to a tracepoint to
+gain access to its parameters. The function itself is only referenced by
+the tracepoint structure which lives in the __tracepoint section. objtool
+explicitly ignores that section and when processing functions in the
+kernel, if it detects one that has no references it will seal it to have
+its ENDBR stripped on boot up.
+
+This means when a tprobe is attached to the sched_wakeup tracepoint, when it
+is triggered it will call __probestub_sched_wakeup and due to the missing
+ENDBR on a CFI-enabled machine it will take a #CP exception.
+
+Fix this by adding CFI_NOSEAL annotation to probestub declaration.
+
+Cc: stable@vger.kernel.org
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Link: https://patch.msgid.link/20260603153147.573589-1-eva.kurchatova@virtuozzo.com
+Fixes: d5173f753750 ("objtool: Exclude __tracepoints data from ENDBR checks")
+Signed-off-by: Eva Kurchatova <eva.kurchatova@virtuozzo.com>
+[ Updated change log ]
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/tracepoint.h |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/include/linux/tracepoint.h
++++ b/include/linux/tracepoint.h
+@@ -20,6 +20,7 @@
+ #include <linux/rcupdate_trace.h>
+ #include <linux/tracepoint-defs.h>
+ #include <linux/static_call.h>
++#include <linux/cfi.h>
+ struct module;
+ struct tracepoint;
+@@ -348,6 +349,13 @@ static inline struct tracepoint *tracepo
+       void __probestub_##_name(void *__data, proto)                   \
+       {                                                               \
+       }                                                               \
++      /*                                                              \
++       * Annotate the probestub 'CFI_NOSEAL' to stop objtool from     \
++       * requesting the kernel remove the ENDBR, because the only     \
++       * references to the function are in the __tracepoint section,  \
++       * that objtool doesn't scan.                                   \
++       */                                                             \
++      CFI_NOSEAL(__probestub_##_name);                                \
+       DEFINE_STATIC_CALL(tp_func_##_name, __traceiter_##_name);       \
+       DEFINE_RUST_DO_TRACE(_name, TP_PROTO(proto), TP_ARGS(args))
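Review bot: The new `#include <linux/cfi.h>` lands in tracepoint.h, a header that reaches nearly every translation unit through the trace-event machinery; if linux/cfi.h still pulls in linux/module.h and linux/bug.h (as I believe it does), this noticeably widens that header's dependency footprint and relies on include guards to avoid a module.h/tracepoint cycle, which is worth a sentence in the commit message or a comment next to the include. It would also be good to state in the patch that a build with CONFIG_CFI_CLANG=n and on a non-x86 architecture was checked, since the fix depends on CFI_NOSEAL() expanding to nothing there. The annotation sits inside a macro whose definition starts outside the hunk, so I could not confirm that no other probestub definition path needs the same treatment.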
diff --git a/queue-6.18/tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch b/queue-6.18/tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch
new file mode 100644 (file)
index 0000000..305b63b
--- /dev/null
@@ -0,0 +1,51 @@
+From 85e0f27dd1396307913ffc5745b0c05137e9beac Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Mon, 25 May 2026 11:21:14 +0900
+Subject: tracing/probes: Point the error offset correctly for eprobe argument error
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit 85e0f27dd1396307913ffc5745b0c05137e9beac upstream.
+
+Fix to point the error offset correctly for eprobe argument error.
+In the cleanup commit 1b8b0cd754cd ("tracing/probes: Move event parameter
+fetching code to common parser"), due to incorrect backward compatibility
+aimed at conforming to the test specifications, the error location was set
+to 0 when a non-existent formal parameter was specified for Eprobe.
+However, this should be corrected in both the test and the implementation
+to point correct error position.
+
+Link: https://lore.kernel.org/all/177967567399.209006.1451571244515632097.stgit@devnote2/
+
+Fixes: 1b8b0cd754cd ("tracing/probes: Move event parameter fetching code to common parser")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_probe.c                                              |    2 --
+ tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc |    2 +-
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -962,8 +962,6 @@ static int parse_probe_vars(char *orig_a
+                       code->op = FETCH_OP_COMM;
+                       return 0;
+               }
+-              /* backward compatibility */
+-              ctx->offset = 0;
+               goto inval;
+       }
+--- a/tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc
++++ b/tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc
+@@ -20,7 +20,7 @@ check_error 'e:foo/^12345678901234567890
+ check_error 'e:foo/^bar.1 syscalls/sys_enter_openat'  # BAD_EVENT_NAME
+ check_error 'e:foo/bar syscalls/sys_enter_openat arg=^dfd'    # BAD_FETCH_ARG
+-check_error 'e:foo/bar syscalls/sys_enter_openat ^arg=$foo'   # BAD_ATTACH_ARG
++check_error 'e:foo/bar syscalls/sys_enter_openat arg=^$foo'   # BAD_ATTACH_ARG
+ if grep -q '<attached-group>\.<attached-event>.*\[if <filter>\]' README; then
+   check_error 'e:foo/bar syscalls/sys_enter_openat if ^'      # NO_EP_FILTER