--- /dev/null
+From 54f9d645a5453d0bfece0c465d34aaf072ea99fa Mon Sep 17 00:00:00 2001
+From: Jun Seo <jun.seo.93@proton.me>
+Date: Thu, 26 Feb 2026 10:08:20 +0900
+Subject: ALSA: usb-audio: Use correct version for UAC3 header validation
+
+From: Jun Seo <jun.seo.93@proton.me>
+
+commit 54f9d645a5453d0bfece0c465d34aaf072ea99fa upstream.
+
+The entry of the validators table for UAC3 AC header descriptor is
+defined with the wrong protocol version UAC_VERSION_2, while it should
+have been UAC_VERSION_3. This results in the validator never matching
+for actual UAC3 devices (protocol == UAC_VERSION_3), causing their
+header descriptors to bypass validation entirely. A malicious USB
+device presenting a truncated UAC3 header could exploit this to cause
+out-of-bounds reads when the driver later accesses unvalidated
+descriptor fields.
+
+The bug was introduced in the same commit as the recently fixed UAC3
+feature unit sub-type typo, and appears to be from the same copy-paste
+error when the UAC3 section was created from the UAC2 section.
+
+Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jun Seo <jun.seo.93@proton.me>
+Link: https://patch.msgid.link/20260226010820.36529-1-jun.seo.93@proton.me
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/validate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/validate.c
++++ b/sound/usb/validate.c
+@@ -281,7 +281,7 @@ static const struct usb_desc_validator a
+ /* UAC_VERSION_2, UAC2_SAMPLE_RATE_CONVERTER: not implemented yet */
+
+ /* UAC3 */
+- FIXED(UAC_VERSION_2, UAC_HEADER, struct uac3_ac_header_descriptor),
++ FIXED(UAC_VERSION_3, UAC_HEADER, struct uac3_ac_header_descriptor),
+ FIXED(UAC_VERSION_3, UAC_INPUT_TERMINAL,
+ struct uac3_input_terminal_descriptor),
+ FIXED(UAC_VERSION_3, UAC_OUTPUT_TERMINAL,
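Review bot: The corrected `FIXED(UAC_VERSION_3, UAC_HEADER, ...)` entry sits in a table where, per the commit message, an entry with the wrong protocol version never matches and the descriptor goes unvalidated, so this class of typo fails silently. A short comment at the `/* UAC3 */` marker would make that visible to the next editor, for example `/* UAC3: every entry must use UAC_VERSION_3; a wrong version never matches and the descriptor is left unchecked */`. The table continues past the end of this hunk, so the remaining UAC3 entries are worth a pass for the same copy-paste pattern.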
--- /dev/null
+From ab140365fb62c0bdab22b2f516aff563b2559e3b Mon Sep 17 00:00:00 2001
+From: Lars Ellenberg <lars.ellenberg@linbit.com>
+Date: Thu, 19 Feb 2026 15:20:12 +0100
+Subject: drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lars Ellenberg <lars.ellenberg@linbit.com>
+
+commit ab140365fb62c0bdab22b2f516aff563b2559e3b upstream.
+
+Even though we check that we "should" be able to do lc_get_cumulative()
+while holding the device->al_lock spinlock, it may still fail,
+if some other code path decided to do lc_try_lock() with bad timing.
+
+If that happened, we logged "LOGIC BUG for enr=...",
+but still did not return an error.
+
+The rest of the code now assumed that this request has references
+for the relevant activity log extents.
+
+The implcations are that during an active resync, mutual exclusivity of
+resync versus application IO is not guaranteed. And a potential crash
+at this point may not realizs that these extents could have been target
+of in-flight IO and would need to be resynced just in case.
+
+Also, once the request completes, it will give up activity log references it
+does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().
+
+Fix:
+
+Do not crash the kernel for a condition that is harmless during normal
+operation: also catch "e->refcnt == 0", not only "e == NULL"
+when being noisy about "al_complete_io() called on inactive extent %u\n".
+
+And do not try to be smart and "guess" whether something will work, then
+be surprised when it does not.
+Deal with the fact that it may or may not work. If it does not, remember a
+possible "partially in activity log" state (only possible for requests that
+cross extent boundaries), and return an error code from
+drbd_al_begin_io_nonblock().
+
+A latter call for the same request will then resume from where we left off.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
+Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/drbd/drbd_actlog.c | 53 ++++++++++++++++---------------------
+ drivers/block/drbd/drbd_interval.h | 5 ++-
+ 2 files changed, 27 insertions(+), 31 deletions(-)
+
+--- a/drivers/block/drbd/drbd_actlog.c
++++ b/drivers/block/drbd/drbd_actlog.c
+@@ -483,38 +483,20 @@ void drbd_al_begin_io(struct drbd_device
+
+ int drbd_al_begin_io_nonblock(struct drbd_device *device, struct drbd_interval *i)
+ {
+- struct lru_cache *al = device->act_log;
+ /* for bios crossing activity log extent boundaries,
+ * we may need to activate two extents in one go */
+ unsigned first = i->sector >> (AL_EXTENT_SHIFT-9);
+ unsigned last = i->size == 0 ? first : (i->sector + (i->size >> 9) - 1) >> (AL_EXTENT_SHIFT-9);
+- unsigned nr_al_extents;
+- unsigned available_update_slots;
+ unsigned enr;
+
+- D_ASSERT(device, first <= last);
+-
+- nr_al_extents = 1 + last - first; /* worst case: all touched extends are cold. */
+- available_update_slots = min(al->nr_elements - al->used,
+- al->max_pending_changes - al->pending_changes);
+-
+- /* We want all necessary updates for a given request within the same transaction
+- * We could first check how many updates are *actually* needed,
+- * and use that instead of the worst-case nr_al_extents */
+- if (available_update_slots < nr_al_extents) {
+- /* Too many activity log extents are currently "hot".
+- *
+- * If we have accumulated pending changes already,
+- * we made progress.
+- *
+- * If we cannot get even a single pending change through,
+- * stop the fast path until we made some progress,
+- * or requests to "cold" extents could be starved. */
+- if (!al->pending_changes)
+- __set_bit(__LC_STARVING, &device->act_log->flags);
+- return -ENOBUFS;
++ if (i->partially_in_al_next_enr) {
++ D_ASSERT(device, first < i->partially_in_al_next_enr);
++ D_ASSERT(device, last >= i->partially_in_al_next_enr);
++ first = i->partially_in_al_next_enr;
+ }
+
++ D_ASSERT(device, first <= last);
++
+ /* Is resync active in this area? */
+ for (enr = first; enr <= last; enr++) {
+ struct lc_element *tmp;
+@@ -529,14 +511,21 @@ int drbd_al_begin_io_nonblock(struct drb
+ }
+ }
+
+- /* Checkout the refcounts.
+- * Given that we checked for available elements and update slots above,
+- * this has to be successful. */
++ /* Try to checkout the refcounts. */
+ for (enr = first; enr <= last; enr++) {
+ struct lc_element *al_ext;
+ al_ext = lc_get_cumulative(device->act_log, enr);
+- if (!al_ext)
+- drbd_info(device, "LOGIC BUG for enr=%u\n", enr);
++
++ if (!al_ext) {
++ /* Did not work. We may have exhausted the possible
++ * changes per transaction. Or raced with someone
++ * "locking" it against changes.
++ * Remember where to continue from.
++ */
++ if (enr > first)
++ i->partially_in_al_next_enr = enr;
++ return -ENOBUFS;
++ }
+ }
+ return 0;
+ }
+@@ -556,7 +545,11 @@ void drbd_al_complete_io(struct drbd_dev
+
+ for (enr = first; enr <= last; enr++) {
+ extent = lc_find(device->act_log, enr);
+- if (!extent) {
++ /* Yes, this masks a bug elsewhere. However, during normal
++ * operation this is harmless, so no need to crash the kernel
++ * by the BUG_ON(refcount == 0) in lc_put().
++ */
++ if (!extent || extent->refcnt == 0) {
+ drbd_err(device, "al_complete_io() called on inactive extent %u\n", enr);
+ continue;
+ }
+--- a/drivers/block/drbd/drbd_interval.h
++++ b/drivers/block/drbd/drbd_interval.h
+@@ -8,12 +8,15 @@
+ struct drbd_interval {
+ struct rb_node rb;
+ sector_t sector; /* start sector of the interval */
+- unsigned int size; /* size in bytes */
+ sector_t end; /* highest interval end in subtree */
++ unsigned int size; /* size in bytes */
+ unsigned int local:1 /* local or remote request? */;
+ unsigned int waiting:1; /* someone is waiting for completion */
+ unsigned int completed:1; /* this has been completed already;
+ * ignore for conflict detection */
++
++ /* to resume a partially successful drbd_al_begin_io_nonblock(); */
++ unsigned int partially_in_al_next_enr;
+ };
+
+ static inline void drbd_clear_interval(struct drbd_interval *i)
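Review bot: `partially_in_al_next_enr` is written and read only inside drbd_al_begin_io_nonblock() in these hunks, while the loop in drbd_al_complete_io() still walks `first` to `last` and is guarded only by `!extent || extent->refcnt == 0`. If a request could reach completion while only partially in the activity log, an extent in its range that other requests hold would have a nonzero refcnt and pass that guard, dropping a reference this request never took. Whether that path is reachable depends on callers outside this patch and should be confirmed. The field also relies on 0 meaning no partial state, which holds because it is only set when `enr > first`; the header comment could say so, e.g. `/* 0: not partially in AL; otherwise the next extent number still to be acquired */`. The two `D_ASSERT()` checks on resume are presumably diagnostics rather than enforcement, so a stale value would still be assigned to `first`.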
--- /dev/null
+From 117942ca43e2e3c3d121faae530989931b7f67e1 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Mon, 16 Feb 2026 11:02:48 -0400
+Subject: IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit 117942ca43e2e3c3d121faae530989931b7f67e1 upstream.
+
+Fix a user triggerable leak on the system call failure path.
+
+Cc: stable@vger.kernel.org
+Fixes: ec34a922d243 ("[PATCH] IB/mthca: Add SRQ implementation")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://patch.msgid.link/2-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mthca/mthca_provider.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/mthca/mthca_provider.c
++++ b/drivers/infiniband/hw/mthca/mthca_provider.c
+@@ -436,6 +436,8 @@ static int mthca_create_srq(struct ib_sr
+
+ if (context && ib_copy_to_udata(udata, &srq->srqn, sizeof(__u32))) {
+ mthca_free_srq(to_mdev(ibsrq->device), srq);
++ mthca_unmap_user_db(to_mdev(ibsrq->device), &context->uar,
++ context->db_tab, ucmd.db_index);
+ return -EFAULT;
+ }
+
+@@ -444,6 +446,7 @@ static int mthca_create_srq(struct ib_sr
+
+ static int mthca_destroy_srq(struct ib_srq *srq, struct ib_udata *udata)
+ {
++ mthca_free_srq(to_mdev(srq->device), to_msrq(srq));
+ if (udata) {
+ struct mthca_ucontext *context =
+ rdma_udata_to_drv_context(
+@@ -454,8 +457,6 @@ static int mthca_destroy_srq(struct ib_s
+ mthca_unmap_user_db(to_mdev(srq->device), &context->uar,
+ context->db_tab, to_msrq(srq)->db_index);
+ }
+-
+- mthca_free_srq(to_mdev(srq->device), to_msrq(srq));
+ return 0;
+ }
+
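Review bot: The move of `mthca_free_srq()` ahead of the `mthca_unmap_user_db()` call in mthca_destroy_srq() is not mentioned in the commit message and carries no comment, so the intended ordering is easy to undo later. It now matches the new error path in mthca_create_srq(), which also frees the SRQ before unmapping the doorbell; a comment such as `/* free the SRQ before unmapping the user doorbell page, as in the mthca_create_srq() error path */` would record that. `to_msrq(srq)->db_index` is now read after `mthca_free_srq()`, which assumes that function leaves the mthca_srq structure itself intact; that is not visible in this hunk.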
--- /dev/null
+From e35626f610f3d2b7953ccddf6a77453da22b3a9e Mon Sep 17 00:00:00 2001
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Tue, 24 Feb 2026 21:28:32 +0100
+Subject: net/sched: ets: fix divide by zero in the offload path
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+commit e35626f610f3d2b7953ccddf6a77453da22b3a9e upstream.
+
+Offloading ETS requires computing each class' WRR weight: this is done by
+averaging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsigned
+int, the same integer size as the individual DRR quanta, can overflow and
+even cause division by zero, like it happened in the following splat:
+
+ Oops: divide error: 0000 [#1] SMP PTI
+ CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G E 6.19.0-virtme #45 PREEMPT(full)
+ Tainted: [E]=UNSIGNED_MODULE
+ Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+ RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]
+ Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44
+ RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246
+ RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660
+ RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe
+ R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe
+ R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000
+ FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0
+ Call Trace:
+ <TASK>
+ ets_qdisc_change+0x870/0xf40 [sch_ets]
+ qdisc_create+0x12b/0x540
+ tc_modify_qdisc+0x6d7/0xbd0
+ rtnetlink_rcv_msg+0x168/0x6b0
+ netlink_rcv_skb+0x5c/0x110
+ netlink_unicast+0x1d6/0x2b0
+ netlink_sendmsg+0x22e/0x470
+ ____sys_sendmsg+0x38a/0x3c0
+ ___sys_sendmsg+0x99/0xe0
+ __sys_sendmsg+0x8a/0xf0
+ do_syscall_64+0x111/0xf80
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ RIP: 0033:0x7f440b81c77e
+ Code: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa
+ RSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e
+ RDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003
+ RBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8
+ R13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980
+ </TASK>
+ Modules linked in: sch_ets(E) netdevsim(E)
+ ---[ end trace 0000000000000000 ]---
+ RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]
+ Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44
+ RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246
+ RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660
+ RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe
+ R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe
+ R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000
+ FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0
+ Kernel panic - not syncing: Fatal exception
+ Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+ ---[ end Kernel panic - not syncing: Fatal exception ]---
+
+Fix this using 64-bit integers for 'q_sum' and 'q_psum'.
+
+Cc: stable@vger.kernel.org
+Fixes: d35eb52bd2ac ("net: sch_ets: Make the ETS qdisc offloadable")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Link: https://patch.msgid.link/28504887df314588c7255e9911769c36f751edee.1771964872.git.dcaratti@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_ets.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/sched/sch_ets.c
++++ b/net/sched/sch_ets.c
+@@ -115,12 +115,12 @@ static void ets_offload_change(struct Qd
+ struct ets_sched *q = qdisc_priv(sch);
+ struct tc_ets_qopt_offload qopt;
+ unsigned int w_psum_prev = 0;
+- unsigned int q_psum = 0;
+- unsigned int q_sum = 0;
+ unsigned int quantum;
+ unsigned int w_psum;
+ unsigned int weight;
+ unsigned int i;
++ u64 q_psum = 0;
++ u64 q_sum = 0;
+
+ if (!tc_can_offload(dev) || !dev->netdev_ops->ndo_setup_tc)
+ return;
+@@ -138,8 +138,12 @@ static void ets_offload_change(struct Qd
+
+ for (i = 0; i < q->nbands; i++) {
+ quantum = q->classes[i].quantum;
+- q_psum += quantum;
+- w_psum = quantum ? q_psum * 100 / q_sum : 0;
++ if (quantum) {
++ q_psum += quantum;
++ w_psum = div64_u64(q_psum * 100, q_sum);
++ } else {
++ w_psum = 0;
++ }
+ weight = w_psum - w_psum_prev;
+ w_psum_prev = w_psum;
+
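Review bot: `div64_u64(q_psum * 100, q_sum)` is safe only because `q_sum` is nonzero whenever some class has a nonzero quantum, and the loop that accumulates `q_sum` lies outside the hunk, so that guarantee is implicit here. A comment next to the division, such as `/* quantum != 0 implies q_sum >= quantum; the u64 sums cannot wrap */`, would make the invariant explicit. `w_psum` and `weight` remain `unsigned int`, which is fine as long as the quotient stays at or below 100, i.e. `q_psum <= q_sum`. The function body starts before and continues after the hunk.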
--- /dev/null
+From 26a7601471f62b95d56a81c3a8ccb551b5a6630f Mon Sep 17 00:00:00 2001
+From: Kurt Borja <kuurtb@gmail.com>
+Date: Sat, 7 Feb 2026 12:16:34 -0500
+Subject: platform/x86: dell-wmi: Add audio/mic mute key codes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+commit 26a7601471f62b95d56a81c3a8ccb551b5a6630f upstream.
+
+Add audio/mic mute key codes found in Alienware m18 r1 AMD.
+
+Cc: stable@vger.kernel.org
+Tested-by: Olexa Bilaniuk <obilaniu@gmail.com>
+Suggested-by: Olexa Bilaniuk <obilaniu@gmail.com>
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Acked-by: Pali Rohár <pali@kernel.org>
+Link: https://patch.msgid.link/20260207-mute-keys-v2-1-c55e5471c9c1@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/dell/dell-wmi-base.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/platform/x86/dell/dell-wmi-base.c
++++ b/drivers/platform/x86/dell/dell-wmi-base.c
+@@ -79,6 +79,12 @@ static const struct dmi_system_id dell_w
+ static const struct key_entry dell_wmi_keymap_type_0000[] = {
+ { KE_IGNORE, 0x003a, { KEY_CAPSLOCK } },
+
++ /* Audio mute toggle */
++ { KE_KEY, 0x0109, { KEY_MUTE } },
++
++ /* Mic mute toggle */
++ { KE_KEY, 0x0150, { KEY_MICMUTE } },
++
+ /* Meta key lock */
+ { KE_IGNORE, 0xe000, { KEY_RIGHTMETA } },
+
--- /dev/null
+From d1a196e0a6dcddd03748468a0e9e3100790fc85c Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Tue, 3 Mar 2026 12:30:51 +0100
+Subject: platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit d1a196e0a6dcddd03748468a0e9e3100790fc85c upstream.
+
+set_new_password() hex dumps the entire buffer, which contains plaintext
+password data, including current and new passwords. Remove the hex dump
+to avoid leaking credentials.
+
+Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Link: https://patch.msgid.link/20260303113050.58127-2-thorsten.blum@linux.dev
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c
+@@ -93,7 +93,6 @@ int set_new_password(const char *passwor
+ if (ret < 0)
+ goto out;
+
+- print_hex_dump_bytes("set new password data: ", DUMP_PREFIX_NONE, buffer, buffer_size);
+ ret = call_password_interface(wmi_priv.password_attr_wdev, buffer, buffer_size);
+ /* on success copy the new password to current password */
+ if (!ret)
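Review bot: Removing the hex dump stops the log leak, but `buffer` still holds the current and new passwords in plaintext, and its release after the `out:` label is outside this hunk. If it is released with a plain `kfree(buffer);`, the secrets remain in freed memory until it is reused; `kfree_sensitive(buffer);` would clear them first. The surrounding function starts and ends outside the hunk, so the allocation and free sites should be checked before applying this.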
--- /dev/null
+From 1ac22c8eae81366101597d48360718dff9b9d980 Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Mon, 23 Feb 2026 15:27:28 -0800
+Subject: scsi: core: Fix refcount leak for tagset_refcnt
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit 1ac22c8eae81366101597d48360718dff9b9d980 upstream.
+
+This leak will cause a hang when tearing down the SCSI host. For example,
+iscsid hangs with the following call trace:
+
+[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured
+
+PID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: "iscsid"
+ #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4
+ #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f
+ #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0
+ #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f
+ #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b
+ #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]
+ #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]
+ #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]
+ #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6
+ #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef
+
+Fixes: 8fe4ce5836e9 ("scsi: core: Fix a use-after-free")
+Cc: stable@vger.kernel.org
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20260223232728.93350-1-junxiao.bi@oracle.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_scan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/scsi_scan.c
++++ b/drivers/scsi/scsi_scan.c
+@@ -340,6 +340,7 @@ static struct scsi_device *scsi_alloc_sd
+ * since we use this queue depth most of times.
+ */
+ if (scsi_realloc_sdev_budget_map(sdev, depth)) {
++ kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags);
+ put_device(&starget->dev);
+ kfree(sdev);
+ goto out;
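Review bot: The failure branch after `scsi_realloc_sdev_budget_map()` now unwinds three things by hand (`kref_put`, `put_device`, `kfree`), and the matching get on `tagset_refcnt` is outside the hunk, so it is not clear from here which references this path owns. A comment on the new line, such as `/* drop the tagset reference taken earlier in scsi_alloc_sdev() */`, would tie the put to its get. Any other early exit between that get and this point would need the same put; those paths are not visible in this hunk and are worth checking.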
--- /dev/null
+From 8c09412e584d9bcc0e71d758ec1008d1c8d1a326 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 3 Mar 2026 11:56:02 +0100
+Subject: selftests: mptcp: more stable simult_flows tests
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 8c09412e584d9bcc0e71d758ec1008d1c8d1a326 upstream.
+
+By default, the netem qdisc can keep up to 1000 packets under its belly
+to deal with the configured rate and delay. The simult flows test-case
+simulates very low speed links, to avoid problems due to slow CPUs and
+the TCP stack tend to transmit at a slightly higher rate than the
+(virtual) link constraints.
+
+All the above causes a relatively large amount of packets being enqueued
+in the netem qdiscs - the longer the transfer, the longer the queue -
+producing increasingly high TCP RTT samples and consequently increasingly
+larger receive buffer size due to DRS.
+
+When the receive buffer size becomes considerably larger than the needed
+size, the tests results can flake, i.e. because minimal inaccuracy in the
+pacing rate can lead to a single subflow usage towards the end of the
+connection for a considerable amount of data.
+
+Address the issue explicitly setting netem limits suitable for the
+configured link speeds and unflake all the affected tests.
+
+Fixes: 1a418cb8e888 ("mptcp: simult flow self-tests")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-1-4b5462b6f016@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/simult_flows.sh | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/simult_flows.sh
++++ b/tools/testing/selftests/net/mptcp/simult_flows.sh
+@@ -234,10 +234,13 @@ run_test()
+ for dev in ns2eth1 ns2eth2; do
+ tc -n $ns2 qdisc del dev $dev root >/dev/null 2>&1
+ done
+- tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1
+- tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2
+- tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1
+- tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2
++
++ # keep the queued pkts number low, or the RTT estimator will see
++ # increasing latency over time.
++ tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1 limit 50
++ tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2 limit 50
++ tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1 limit 50
++ tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2 limit 50
+
+ # time is measured in ms, account for transfer size, aggregated link speed
+ # and header overhead (10%)
can-usb-etas_es58x-correctly-anchor-the-urb-in-the-read-bulk-callback.patch
hid-add-hid_claimed_input-guards-in-raw_event-callbacks-missing-them.patch
x86-efi-defer-freeing-of-boot-services-memory.patch
+platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch
+platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch
+alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch
+wifi-radiotap-reject-radiotap-with-unknown-bits.patch
+wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch
+ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch
+net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch
+squashfs-check-metadata-block-offset-is-within-range.patch
+drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch
+scsi-core-fix-refcount-leak-for-tagset_refcnt.patch
+selftests-mptcp-more-stable-simult_flows-tests.patch
--- /dev/null
+From fdb24a820a5832ec4532273282cbd4f22c291a0d Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Tue, 17 Feb 2026 05:09:55 +0000
+Subject: Squashfs: check metadata block offset is within range
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+commit fdb24a820a5832ec4532273282cbd4f22c291a0d upstream.
+
+Syzkaller reports a "general protection fault in squashfs_copy_data"
+
+This is ultimately caused by a corrupted index look-up table, which
+produces a negative metadata block offset.
+
+This is subsequently passed to squashfs_copy_data (via
+squashfs_read_metadata) where the negative offset causes an out of bounds
+access.
+
+The fix is to check that the offset is within range in
+squashfs_read_metadata. This will trap this and other cases.
+
+Link: https://lkml.kernel.org/r/20260217050955.138351-1-phillip@squashfs.org.uk
+Fixes: f400e12656ab ("Squashfs: cache operations")
+Reported-by: syzbot+a9747fe1c35a5b115d3f@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/699234e2.a70a0220.2c38d7.00e2.GAE@google.com/
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/squashfs/cache.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/squashfs/cache.c
++++ b/fs/squashfs/cache.c
+@@ -340,6 +340,9 @@ int squashfs_read_metadata(struct super_
+ if (unlikely(length < 0))
+ return -EIO;
+
++ if (unlikely(*offset < 0 || *offset >= SQUASHFS_METADATA_SIZE))
++ return -EIO;
++
+ while (length) {
+ entry = squashfs_cache_get(sb, msblk->block_cache, *block, 0);
+ if (entry->error) {
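Review bot: The new range check on `*offset` has no comment saying where the value comes from or why `SQUASHFS_METADATA_SIZE` is the bound. Per the commit message the offset is derived from on-disk index tables, so something like `/* *offset comes from on-disk tables; it must lie within one metadata block */` above the check would document the trust boundary. Like the `length < 0` check before it, this path returns `-EIO` without logging, so a corrupted image that trips it leaves no record of the rejected block and offset. The loop that consumes `*offset` continues past the end of the hunk.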
--- /dev/null
+From 017c1792525064a723971f0216e6ef86a8c7af11 Mon Sep 17 00:00:00 2001
+From: Vahagn Vardanian <vahagn@redrays.io>
+Date: Mon, 23 Feb 2026 00:00:00 +0000
+Subject: wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
+
+From: Vahagn Vardanian <vahagn@redrays.io>
+
+commit 017c1792525064a723971f0216e6ef86a8c7af11 upstream.
+
+In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced
+at lines 1638 and 1642 without a prior NULL check:
+
+ ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
+ ...
+ pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);
+
+The mesh_matches_local() check above only validates the Mesh ID,
+Mesh Configuration, and Supported Rates IEs. It does not verify the
+presence of the Mesh Channel Switch Parameters IE (element ID 118).
+When a received CSA action frame omits that IE, ieee802_11_parse_elems()
+leaves elems->mesh_chansw_params_ie as NULL, and the unconditional
+dereference causes a kernel NULL pointer dereference.
+
+A remote mesh peer with an established peer link (PLINK_ESTAB) can
+trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame
+that includes a matching Mesh ID and Mesh Configuration IE but omits the
+Mesh Channel Switch Parameters IE. No authentication beyond the default
+open mesh peering is required.
+
+Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ Oops: Oops: 0000 [#1] SMP NOPTI
+ RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]
+ CR2: 0000000000000000
+
+Fix by adding a NULL check for mesh_chansw_params_ie after
+mesh_matches_local() returns, consistent with how other optional IEs
+are guarded throughout the mesh code.
+
+The bug has been present since v3.13 (released 2014-01-19).
+
+Fixes: 8f2535b92d68 ("mac80211: process the CSA frame for mesh accordingly")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vahagn Vardanian <vahagn@redrays.io>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mesh.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -1477,6 +1477,9 @@ static void mesh_rx_csa_frame(struct iee
+ if (!mesh_matches_local(sdata, elems))
+ goto free;
+
++ if (!elems->mesh_chansw_params_ie)
++ goto free;
++
+ ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
+ if (!--ifmsh->chsw_ttl)
+ fwd_csa = false;
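Review bot: The added `if (!elems->mesh_chansw_params_ie) goto free;` checks presence only, so the `mesh_ttl` and `mesh_pre_value` reads are safe only if the parser sets the pointer solely for a correctly sized element. That is decided in `ieee802_11_parse_elems()`, outside this hunk, and should be confirmed. A short comment such as `/* Mesh Channel Switch Parameters IE is optional to the parser but required here */` would explain why the frame is dropped. The rest of mesh_rx_csa_frame() is outside the hunk; any other `elems` pointers it dereferences deserve the same check.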
--- /dev/null
+From c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 17 Feb 2026 13:05:26 +0100
+Subject: wifi: radiotap: reject radiotap with unknown bits
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 upstream.
+
+The radiotap parser is currently only used with the radiotap
+namespace (not with vendor namespaces), but if the undefined
+field 18 is used, the alignment/size is unknown as well. In
+this case, iterator->_next_ns_data isn't initialized (it's
+only set for skipping vendor namespaces), and syzbot points
+out that we later compare against this uninitialized value.
+
+Fix this by moving the rejection of unknown radiotap fields
+down to after the in-namespace lookup, so it will really use
+iterator->_next_ns_data only for vendor namespaces, even in
+case undefined fields are present.
+
+Cc: stable@vger.kernel.org
+Fixes: 33e5a2f776e3 ("wireless: update radiotap parser")
+Reported-by: syzbot+b09c1af8764c0097bb19@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/69944a91.a70a0220.2c38d7.00fc.GAE@google.com
+Link: https://patch.msgid.link/20260217120526.162647-2-johannes@sipsolutions.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/radiotap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/radiotap.c
++++ b/net/wireless/radiotap.c
+@@ -239,14 +239,14 @@ int ieee80211_radiotap_iterator_next(
+ default:
+ if (!iterator->current_namespace ||
+ iterator->_arg_index >= iterator->current_namespace->n_bits) {
+- if (iterator->current_namespace == &radiotap_ns)
+- return -ENOENT;
+ align = 0;
+ } else {
+ align = iterator->current_namespace->align_size[iterator->_arg_index].align;
+ size = iterator->current_namespace->align_size[iterator->_arg_index].size;
+ }
+ if (!align) {
++ if (iterator->current_namespace == &radiotap_ns)
++ return -ENOENT;
+ /* skip all subsequent data */
+ iterator->_arg = iterator->_next_ns_data;
+ /* give up on this namespace */
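Review bot: With the `-ENOENT` return moved under `if (!align)`, `align == 0` now acts as the unknown-field sentinel for the radiotap namespace, both for out-of-range indexes and for table entries with zero alignment. No comment says so. Something like `/* align == 0: unknown field; in the radiotap namespace its size is unknowable, so reject */` above the moved check would document it. The vendor path just below still reads `iterator->_next_ns_data`, which the commit message says is only set when skipping vendor namespaces. Initializing that member where the iterator is set up (not visible here) would be a cheap defence in depth. The `if (!align)` block continues past the end of the hunk.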