--- /dev/null
+From e19e48d6663d064c2ef53e206b125981164876db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2026 10:57:45 +0800
+Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
+
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+
+[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
+
+While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
+timeout value` warning was observed, accompanied by SMBus controller
+state machine corruption.
+
+The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
+10 ms. The user argument is checked against INT_MAX, but it is
+subsequently multiplied by 10 before being passed to msecs_to_jiffies().
+
+A malicious user can pass a large value (e.g., 429496729) that passes
+the `arg > INT_MAX` check but overflows when multiplied by 10. This
+results in a truncated 32-bit unsigned value that bypasses the
+internal `(int)m < 0` check in `msecs_to_jiffies()`.
+
+The truncated value is then assigned to `client->adapter->timeout`
+(a signed 32-bit int), which is reinterpreted as a negative number.
+When passed to wait_for_completion_timeout(), this negative value
+undergoes sign extension to a 64-bit unsigned long, triggering the
+`schedule_timeout` warning and causing premature returns. This leaves
+the SMBus state machine in an unrecoverable state, constituting a
+local Denial of Service (DoS).
+
+Fix this by bounding the user argument to `INT_MAX / 10`.
+
+Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+[wsa: move the comment as well]
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-dev.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
+index f0bd4ae19df67f..25438ba6bdfb72 100644
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -477,12 +477,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ client->adapter->retries = arg;
+ break;
+ case I2C_TIMEOUT:
+- if (arg > INT_MAX)
++ /*
++ * For historical reasons, user-space sets the timeout value in
++ * units of 10 ms.
++ */
++ if (arg > INT_MAX / 10)
+ return -EINVAL;
+
+- /* For historical reasons, user-space sets the timeout
+- * value in units of 10 ms.
+- */
+ client->adapter->timeout = msecs_to_jiffies(arg * 10);
+ break;
+ default:
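Review bot: The new bound `arg > INT_MAX / 10` keeps `arg * 10` inside int range, but the value stored in `client->adapter->timeout` is the return of msecs_to_jiffies(), which is an unsigned long counted in jiffies rather than milliseconds. On a configuration where HZ is above 1000 the jiffies count is larger than the millisecond count, so an argument near the new limit could presumably still exceed INT_MAX and turn negative on assignment; whether such an HZ is selectable depends on the target tree and is not visible here. Checking the converted value as well, e.g. `if (msecs_to_jiffies(arg * 10) > INT_MAX) return -EINVAL;`, would close this independently of HZ. The same hunk is repeated in the other copies of this patch further down the page, and i2cdev_ioctl's body starts and ends outside the hunk.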
+--
+2.53.0
+
ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
+i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
--- /dev/null
+From f14b9824b6fb9b3f6e2a94de10b36ea7fe1a64a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2026 10:57:45 +0800
+Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
+
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+
+[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
+
+While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
+timeout value` warning was observed, accompanied by SMBus controller
+state machine corruption.
+
+The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
+10 ms. The user argument is checked against INT_MAX, but it is
+subsequently multiplied by 10 before being passed to msecs_to_jiffies().
+
+A malicious user can pass a large value (e.g., 429496729) that passes
+the `arg > INT_MAX` check but overflows when multiplied by 10. This
+results in a truncated 32-bit unsigned value that bypasses the
+internal `(int)m < 0` check in `msecs_to_jiffies()`.
+
+The truncated value is then assigned to `client->adapter->timeout`
+(a signed 32-bit int), which is reinterpreted as a negative number.
+When passed to wait_for_completion_timeout(), this negative value
+undergoes sign extension to a 64-bit unsigned long, triggering the
+`schedule_timeout` warning and causing premature returns. This leaves
+the SMBus state machine in an unrecoverable state, constituting a
+local Denial of Service (DoS).
+
+Fix this by bounding the user argument to `INT_MAX / 10`.
+
+Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+[wsa: move the comment as well]
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-dev.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
+index 9fefceb3a95d46..e18d14bf94a9be 100644
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ client->adapter->retries = arg;
+ break;
+ case I2C_TIMEOUT:
+- if (arg > INT_MAX)
++ /*
++ * For historical reasons, user-space sets the timeout value in
++ * units of 10 ms.
++ */
++ if (arg > INT_MAX / 10)
+ return -EINVAL;
+
+- /* For historical reasons, user-space sets the timeout
+- * value in units of 10 ms.
+- */
+ client->adapter->timeout = msecs_to_jiffies(arg * 10);
+ break;
+ default:
+--
+2.53.0
+
ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
+i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
--- /dev/null
+From 2af63b4f342848bc4201b9020bbea401c09cd2da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2026 10:57:45 +0800
+Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
+
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+
+[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
+
+While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
+timeout value` warning was observed, accompanied by SMBus controller
+state machine corruption.
+
+The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
+10 ms. The user argument is checked against INT_MAX, but it is
+subsequently multiplied by 10 before being passed to msecs_to_jiffies().
+
+A malicious user can pass a large value (e.g., 429496729) that passes
+the `arg > INT_MAX` check but overflows when multiplied by 10. This
+results in a truncated 32-bit unsigned value that bypasses the
+internal `(int)m < 0` check in `msecs_to_jiffies()`.
+
+The truncated value is then assigned to `client->adapter->timeout`
+(a signed 32-bit int), which is reinterpreted as a negative number.
+When passed to wait_for_completion_timeout(), this negative value
+undergoes sign extension to a 64-bit unsigned long, triggering the
+`schedule_timeout` warning and causing premature returns. This leaves
+the SMBus state machine in an unrecoverable state, constituting a
+local Denial of Service (DoS).
+
+Fix this by bounding the user argument to `INT_MAX / 10`.
+
+Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+[wsa: move the comment as well]
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-dev.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
+index dd35f341b16fd3..d10d8fe29a73b9 100644
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ client->adapter->retries = arg;
+ break;
+ case I2C_TIMEOUT:
+- if (arg > INT_MAX)
++ /*
++ * For historical reasons, user-space sets the timeout value in
++ * units of 10 ms.
++ */
++ if (arg > INT_MAX / 10)
+ return -EINVAL;
+
+- /* For historical reasons, user-space sets the timeout
+- * value in units of 10 ms.
+- */
+ client->adapter->timeout = msecs_to_jiffies(arg * 10);
+ break;
+ default:
+--
+2.53.0
+
--- /dev/null
+From 6f27b2a72be10e26a186c566bbfd42a574517088 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 May 2026 14:32:35 +0800
+Subject: ipmi: Fix rcu_read_unlock to srcu_read_unlock in
+ handle_read_event_rsp
+
+From: Rui Qi <qirui.001@bytedance.com>
+
+Fix a bug where rcu_read_unlock() was used instead of srcu_read_unlock()
+in handle_read_event_rsp() when ipmi_alloc_recv_msg() fails.
+
+This mismatch leads to an SRCU read-side critical section imbalance: the
+entry uses srcu_read_lock(&intf->users_srcu) but the error path
+incorrectly calls rcu_read_unlock(), which is a no-op for SRCU and
+leaves the SRCU lock held.
+
+The offending code was restructured in mainline by commit 3be997d5a64a
+("ipmi:msghandler: Remove srcu from the ipmi user structure"), which
+replaced the SRCU locking with a mutex in this function, effectively
+eliminating the mismatch. However, that commit is part of a larger
+SRCU removal series that is not suitable for stable backport. This
+minimal fix addresses the SRCU imbalance for 6.12 and earlier stable
+branches that still carry the original locking scheme.
+
+Fixes: e86ee2d44b44 ("ipmi: Rework locking and shutdown for hot remove")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rui Qi <qirui.001@bytedance.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/ipmi_msghandler.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
+index 8bc8da7f70bb8e..62d39ea9f00836 100644
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -4396,7 +4396,7 @@ static int handle_read_event_rsp(struct ipmi_smi *intf,
+
+ recv_msg = ipmi_alloc_recv_msg(user);
+ if (IS_ERR(recv_msg)) {
+- rcu_read_unlock();
++ srcu_read_unlock(&intf->users_srcu, index);
+ list_for_each_entry_safe(recv_msg, recv_msg2, &msgs,
+ link) {
+ list_del(&recv_msg->link);
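Review bot: The corrected call `srcu_read_unlock(&intf->users_srcu, index);` is only right if `index` holds the cookie returned by the matching srcu_read_lock(), and neither that call nor the declaration of `index` is inside this hunk. Because the description says this fix has no direct mainline equivalent, the pairing is worth confirming in each target tree rather than assuming from upstream. A one-line comment on the error path, for example `/* Leave the users_srcu read section before draining msgs. */`, would make the pairing explicit next to the hand-written unlock. The same hunk appears in the other copies of this patch on the page, and handle_read_event_rsp's body starts and ends outside the hunk.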
+--
+2.53.0
+
ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
+i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
+ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch
--- /dev/null
+From ba552ad18875cc90f6b8a704c8b3539f7634ab30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2026 10:57:45 +0800
+Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
+
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+
+[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
+
+While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
+timeout value` warning was observed, accompanied by SMBus controller
+state machine corruption.
+
+The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
+10 ms. The user argument is checked against INT_MAX, but it is
+subsequently multiplied by 10 before being passed to msecs_to_jiffies().
+
+A malicious user can pass a large value (e.g., 429496729) that passes
+the `arg > INT_MAX` check but overflows when multiplied by 10. This
+results in a truncated 32-bit unsigned value that bypasses the
+internal `(int)m < 0` check in `msecs_to_jiffies()`.
+
+The truncated value is then assigned to `client->adapter->timeout`
+(a signed 32-bit int), which is reinterpreted as a negative number.
+When passed to wait_for_completion_timeout(), this negative value
+undergoes sign extension to a 64-bit unsigned long, triggering the
+`schedule_timeout` warning and causing premature returns. This leaves
+the SMBus state machine in an unrecoverable state, constituting a
+local Denial of Service (DoS).
+
+Fix this by bounding the user argument to `INT_MAX / 10`.
+
+Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+[wsa: move the comment as well]
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-dev.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
+index e9577f920286d0..c8715df8b08b1d 100644
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ client->adapter->retries = arg;
+ break;
+ case I2C_TIMEOUT:
+- if (arg > INT_MAX)
++ /*
++ * For historical reasons, user-space sets the timeout value in
++ * units of 10 ms.
++ */
++ if (arg > INT_MAX / 10)
+ return -EINVAL;
+
+- /* For historical reasons, user-space sets the timeout
+- * value in units of 10 ms.
+- */
+ client->adapter->timeout = msecs_to_jiffies(arg * 10);
+ break;
+ default:
+--
+2.53.0
+
--- /dev/null
+From 259e352599f2a4dfb0f04bc6d1021ffd8d019260 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 May 2026 14:32:35 +0800
+Subject: ipmi: Fix rcu_read_unlock to srcu_read_unlock in
+ handle_read_event_rsp
+
+From: Rui Qi <qirui.001@bytedance.com>
+
+Fix a bug where rcu_read_unlock() was used instead of srcu_read_unlock()
+in handle_read_event_rsp() when ipmi_alloc_recv_msg() fails.
+
+This mismatch leads to an SRCU read-side critical section imbalance: the
+entry uses srcu_read_lock(&intf->users_srcu) but the error path
+incorrectly calls rcu_read_unlock(), which is a no-op for SRCU and
+leaves the SRCU lock held.
+
+The offending code was restructured in mainline by commit 3be997d5a64a
+("ipmi:msghandler: Remove srcu from the ipmi user structure"), which
+replaced the SRCU locking with a mutex in this function, effectively
+eliminating the mismatch. However, that commit is part of a larger
+SRCU removal series that is not suitable for stable backport. This
+minimal fix addresses the SRCU imbalance for 6.12 and earlier stable
+branches that still carry the original locking scheme.
+
+Fixes: e86ee2d44b44 ("ipmi: Rework locking and shutdown for hot remove")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rui Qi <qirui.001@bytedance.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/ipmi_msghandler.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
+index 188722ec0337b3..41ae4dac4eebad 100644
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -4395,7 +4395,7 @@ static int handle_read_event_rsp(struct ipmi_smi *intf,
+
+ recv_msg = ipmi_alloc_recv_msg(user);
+ if (IS_ERR(recv_msg)) {
+- rcu_read_unlock();
++ srcu_read_unlock(&intf->users_srcu, index);
+ list_for_each_entry_safe(recv_msg, recv_msg2, &msgs,
+ link) {
+ list_del(&recv_msg->link);
+--
+2.53.0
+
ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
+i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
+ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch
--- /dev/null
+From ce65f2949f6432822977613ca7101d6a86254f9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2026 10:57:45 +0800
+Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
+
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+
+[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
+
+While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
+timeout value` warning was observed, accompanied by SMBus controller
+state machine corruption.
+
+The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
+10 ms. The user argument is checked against INT_MAX, but it is
+subsequently multiplied by 10 before being passed to msecs_to_jiffies().
+
+A malicious user can pass a large value (e.g., 429496729) that passes
+the `arg > INT_MAX` check but overflows when multiplied by 10. This
+results in a truncated 32-bit unsigned value that bypasses the
+internal `(int)m < 0` check in `msecs_to_jiffies()`.
+
+The truncated value is then assigned to `client->adapter->timeout`
+(a signed 32-bit int), which is reinterpreted as a negative number.
+When passed to wait_for_completion_timeout(), this negative value
+undergoes sign extension to a 64-bit unsigned long, triggering the
+`schedule_timeout` warning and causing premature returns. This leaves
+the SMBus state machine in an unrecoverable state, constituting a
+local Denial of Service (DoS).
+
+Fix this by bounding the user argument to `INT_MAX / 10`.
+
+Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+[wsa: move the comment as well]
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-dev.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
+index e9577f920286d0..c8715df8b08b1d 100644
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ client->adapter->retries = arg;
+ break;
+ case I2C_TIMEOUT:
+- if (arg > INT_MAX)
++ /*
++ * For historical reasons, user-space sets the timeout value in
++ * units of 10 ms.
++ */
++ if (arg > INT_MAX / 10)
+ return -EINVAL;
+
+- /* For historical reasons, user-space sets the timeout
+- * value in units of 10 ms.
+- */
+ client->adapter->timeout = msecs_to_jiffies(arg * 10);
+ break;
+ default:
+--
+2.53.0
+
--- /dev/null
+From cac4acb1b336b27232ae740be39eaa1034ecb0dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jun 2026 18:48:08 +0900
+Subject: KVM: arm64: Take the SRCU lock for page table walks in fault
+ injection and AT emulation
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit f2ca45b50d4216c9cc7ffabf50d9ad1932209251 ]
+
+walk_s1() and kvm_walk_nested_s2() expect to be called while holding
+kvm->srcu to guard against memslot changes. While this is generally
+the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the
+respective walkers without taking kvm->srcu.
+
+Fix by acquiring kvm->srcu prior to the table walk in both instances.
+
+Cc: stable@vger.kernel.org
+Fixes: 50f77dc87f13 ("KVM: arm64: Populate level on S1PTW SEA injection")
+Fixes: be04cebf3e78 ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}")
+Suggested-by: Oliver Upton <oupton@kernel.org>
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Reviewed-by: Oliver Upton <oupton@kernel.org>
+Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+[ Hyunwoo Kim: __kvm_at_s12() still returns void in 6.18.y, so the
+ surrounding context differs from upstream (return; instead of
+ return ret;); the added scoped_guard() is unchanged. ]
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kvm/at.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/kvm/at.c b/arch/arm64/kvm/at.c
+index be26d5aa668c39..e6de6aac6ede20 100644
+--- a/arch/arm64/kvm/at.c
++++ b/arch/arm64/kvm/at.c
+@@ -1528,7 +1528,8 @@ void __kvm_at_s12(struct kvm_vcpu *vcpu, u32 op, u64 vaddr)
+ /* Do the stage-2 translation */
+ ipa = (par & GENMASK_ULL(47, 12)) | (vaddr & GENMASK_ULL(11, 0));
+ out.esr = 0;
+- ret = kvm_walk_nested_s2(vcpu, ipa, &out);
++ scoped_guard(srcu, &vcpu->kvm->srcu)
++ ret = kvm_walk_nested_s2(vcpu, ipa, &out);
+ if (ret < 0)
+ return;
+
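Review bot: Neither added `scoped_guard(srcu, &vcpu->kvm->srcu)` line carries a comment saying what the lock protects, and the guard is dropped before `ret` and the walk result are examined. A short comment above the guard in __kvm_at_s12(), such as `/* kvm->srcu protects the memslots the walker reads through */`, would record the requirement stated in the commit message and show that the narrow scope is deliberate. The same applies to the walk_s1() call in the second hunk (__kvm_find_s1_desc_level) and to the other copy of this patch on the page. If `out` or `wr` ever carry pointers into memslot-backed data rather than plain values, the guard would have to cover their use as well; that cannot be judged from these hunks. Both function bodies start and end outside the hunks.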
+@@ -1623,7 +1624,8 @@ int __kvm_find_s1_desc_level(struct kvm_vcpu *vcpu, u64 va, u64 ipa, int *level)
+ }
+
+ /* Walk the guest's PT, looking for a match along the way */
+- ret = walk_s1(vcpu, &wi, &wr, va);
++ scoped_guard(srcu, &vcpu->kvm->srcu)
++ ret = walk_s1(vcpu, &wi, &wr, va);
+ switch (ret) {
+ case -EINTR:
+ /* We interrupted the walk on a match, return the level */
+--
+2.53.0
+
ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
+i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
+kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
--- /dev/null
+From a0c0fa10ee209567b685a35881676d4e0fadfa14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2026 10:57:45 +0800
+Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
+
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+
+[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
+
+While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
+timeout value` warning was observed, accompanied by SMBus controller
+state machine corruption.
+
+The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
+10 ms. The user argument is checked against INT_MAX, but it is
+subsequently multiplied by 10 before being passed to msecs_to_jiffies().
+
+A malicious user can pass a large value (e.g., 429496729) that passes
+the `arg > INT_MAX` check but overflows when multiplied by 10. This
+results in a truncated 32-bit unsigned value that bypasses the
+internal `(int)m < 0` check in `msecs_to_jiffies()`.
+
+The truncated value is then assigned to `client->adapter->timeout`
+(a signed 32-bit int), which is reinterpreted as a negative number.
+When passed to wait_for_completion_timeout(), this negative value
+undergoes sign extension to a 64-bit unsigned long, triggering the
+`schedule_timeout` warning and causing premature returns. This leaves
+the SMBus state machine in an unrecoverable state, constituting a
+local Denial of Service (DoS).
+
+Fix this by bounding the user argument to `INT_MAX / 10`.
+
+Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+[wsa: move the comment as well]
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-dev.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
+index 7d337380a05d99..2ee07fc675d63a 100644
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ client->adapter->retries = arg;
+ break;
+ case I2C_TIMEOUT:
+- if (arg > INT_MAX)
++ /*
++ * For historical reasons, user-space sets the timeout value in
++ * units of 10 ms.
++ */
++ if (arg > INT_MAX / 10)
+ return -EINVAL;
+
+- /* For historical reasons, user-space sets the timeout
+- * value in units of 10 ms.
+- */
+ client->adapter->timeout = msecs_to_jiffies(arg * 10);
+ break;
+ default:
+--
+2.53.0
+
--- /dev/null
+From d826d5fc282b691d72dc388d49d024f642c01495 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 May 2026 14:32:35 +0800
+Subject: ipmi: Fix rcu_read_unlock to srcu_read_unlock in
+ handle_read_event_rsp
+
+From: Rui Qi <qirui.001@bytedance.com>
+
+Fix a bug where rcu_read_unlock() was used instead of srcu_read_unlock()
+in handle_read_event_rsp() when ipmi_alloc_recv_msg() fails.
+
+This mismatch leads to an SRCU read-side critical section imbalance: the
+entry uses srcu_read_lock(&intf->users_srcu) but the error path
+incorrectly calls rcu_read_unlock(), which is a no-op for SRCU and
+leaves the SRCU lock held.
+
+The offending code was restructured in mainline by commit 3be997d5a64a
+("ipmi:msghandler: Remove srcu from the ipmi user structure"), which
+replaced the SRCU locking with a mutex in this function, effectively
+eliminating the mismatch. However, that commit is part of a larger
+SRCU removal series that is not suitable for stable backport. This
+minimal fix addresses the SRCU imbalance for 6.12 and earlier stable
+branches that still carry the original locking scheme.
+
+Fixes: e86ee2d44b44 ("ipmi: Rework locking and shutdown for hot remove")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rui Qi <qirui.001@bytedance.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/ipmi_msghandler.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
+index fc5f9d757b948c..37b84bfa623e99 100644
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -4396,7 +4396,7 @@ static int handle_read_event_rsp(struct ipmi_smi *intf,
+
+ recv_msg = ipmi_alloc_recv_msg(user);
+ if (IS_ERR(recv_msg)) {
+- rcu_read_unlock();
++ srcu_read_unlock(&intf->users_srcu, index);
+ list_for_each_entry_safe(recv_msg, recv_msg2, &msgs,
+ link) {
+ list_del(&recv_msg->link);
+--
+2.53.0
+
ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
+i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
+ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch
--- /dev/null
+From d4d49d7d68259828c44eb97566b49cfcc45b2d80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2026 10:57:45 +0800
+Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
+
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+
+[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
+
+While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
+timeout value` warning was observed, accompanied by SMBus controller
+state machine corruption.
+
+The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
+10 ms. The user argument is checked against INT_MAX, but it is
+subsequently multiplied by 10 before being passed to msecs_to_jiffies().
+
+A malicious user can pass a large value (e.g., 429496729) that passes
+the `arg > INT_MAX` check but overflows when multiplied by 10. This
+results in a truncated 32-bit unsigned value that bypasses the
+internal `(int)m < 0` check in `msecs_to_jiffies()`.
+
+The truncated value is then assigned to `client->adapter->timeout`
+(a signed 32-bit int), which is reinterpreted as a negative number.
+When passed to wait_for_completion_timeout(), this negative value
+undergoes sign extension to a 64-bit unsigned long, triggering the
+`schedule_timeout` warning and causing premature returns. This leaves
+the SMBus state machine in an unrecoverable state, constituting a
+local Denial of Service (DoS).
+
+Fix this by bounding the user argument to `INT_MAX / 10`.
+
+Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+[wsa: move the comment as well]
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-dev.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
+index 7bbe0263411eb7..ccaac5e29f906b 100644
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ client->adapter->retries = arg;
+ break;
+ case I2C_TIMEOUT:
+- if (arg > INT_MAX)
++ /*
++ * For historical reasons, user-space sets the timeout value in
++ * units of 10 ms.
++ */
++ if (arg > INT_MAX / 10)
+ return -EINVAL;
+
+- /* For historical reasons, user-space sets the timeout
+- * value in units of 10 ms.
+- */
+ client->adapter->timeout = msecs_to_jiffies(arg * 10);
+ break;
+ default:
+--
+2.53.0
+
--- /dev/null
+From 971c15264302a47c87e42cb68fba5033109d2522 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jun 2026 21:09:33 +0900
+Subject: KVM: arm64: Take the SRCU lock for page table walks in fault
+ injection and AT emulation
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit f2ca45b50d4216c9cc7ffabf50d9ad1932209251 ]
+
+walk_s1() and kvm_walk_nested_s2() expect to be called while holding
+kvm->srcu to guard against memslot changes. While this is generally
+the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the
+respective walkers without taking kvm->srcu.
+
+Fix by acquiring kvm->srcu prior to the table walk in both instances.
+
+Cc: stable@vger.kernel.org
+Fixes: 50f77dc87f13 ("KVM: arm64: Populate level on S1PTW SEA injection")
+Fixes: be04cebf3e78 ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}")
+Suggested-by: Oliver Upton <oupton@kernel.org>
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Reviewed-by: Oliver Upton <oupton@kernel.org>
+Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kvm/at.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/kvm/at.c b/arch/arm64/kvm/at.c
+index a024d9a770dc74..1d563070526c4d 100644
+--- a/arch/arm64/kvm/at.c
++++ b/arch/arm64/kvm/at.c
+@@ -1568,7 +1568,8 @@ int __kvm_at_s12(struct kvm_vcpu *vcpu, u32 op, u64 vaddr)
+ /* Do the stage-2 translation */
+ ipa = (par & GENMASK_ULL(47, 12)) | (vaddr & GENMASK_ULL(11, 0));
+ out.esr = 0;
+- ret = kvm_walk_nested_s2(vcpu, ipa, &out);
++ scoped_guard(srcu, &vcpu->kvm->srcu)
++ ret = kvm_walk_nested_s2(vcpu, ipa, &out);
+ if (ret < 0)
+ return ret;
+
+@@ -1664,7 +1665,8 @@ int __kvm_find_s1_desc_level(struct kvm_vcpu *vcpu, u64 va, u64 ipa, int *level)
+ }
+
+ /* Walk the guest's PT, looking for a match along the way */
+- ret = walk_s1(vcpu, &wi, &wr, va);
++ scoped_guard(srcu, &vcpu->kvm->srcu)
++ ret = walk_s1(vcpu, &wi, &wr, va);
+ switch (ret) {
+ case -EINTR:
+ /* We interrupted the walk on a match, return the level */
+--
+2.53.0
+
fwctl-bnxt_en-move-common-definitions-to-include-lin.patch
fwctl-bnxt_en-refactor-aux-bus-functions-to-be-more-.patch
reapply-bnxt_en-bring-back-rtnl_lock-in-the-bnxt_ope.patch
+i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
+kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch