--- /dev/null
+From dba101d1996094f95b55756577c12d387d51f62a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Apr 2026 01:26:43 +0000
+Subject: bpf: Free reuseport cBPF prog after RCU grace period.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 18fc650ccd7fe3376eca89203668cfb8268f60df ]
+
+Eulgyu Kim reported the splat below with a repro. [0]
+
+The repro sets up a UDP reuseport group with a cBPF prog and
+replaces it with a new one while another thread is sending
+a UDP packet to the group.
+
+The reuseport prog is freed by sk_reuseport_prog_free().
+bpf_prog_put() is called for "e"BPF prog to destruct through
+multiple stages while cBPF prog is freed immediately by
+bpf_release_orig_filter() and bpf_prog_free().
+
+If a reuseport prog is detached from the setsockopt() path
+(reuseport_attach_prog() or reuseport_detach_prog()),
+sk_reuseport_prog_free() is called without waiting for RCU
+readers to complete, resulting in various bugs.
+
+Let's defer freeing the reuseport cBPF prog after one RCU
+grace period.
+
+Note "e"BPF prog is safe as is unless the fast path starts
+to touch fields destroyed in bpf_prog_put_deferred() and
+__bpf_prog_put_noref().
+
+[0]:
+BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
+Read of size 4 at addr ffffc9000051e004 by task slowme/10208
+CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)
+Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+Call Trace:
+ <IRQ>
+ dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
+ udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495
+ __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723
+ __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752
+ __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752
+ ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
+ ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ __netif_receive_skb_one_core net/core/dev.c:6181 [inline]
+ __netif_receive_skb net/core/dev.c:6294 [inline]
+ process_backlog+0xaa4/0x1960 net/core/dev.c:6645
+ __napi_poll+0xae/0x340 net/core/dev.c:7709
+ napi_poll net/core/dev.c:7772 [inline]
+ net_rx_action+0x5d7/0xf50 net/core/dev.c:7929
+ handle_softirqs+0x22b/0x870 kernel/softirq.c:622
+ do_softirq+0x76/0xd0 kernel/softirq.c:523
+ </IRQ>
+ <TASK>
+ __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
+ local_bh_enable include/linux/bottom_half.h:33 [inline]
+ rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
+ __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890
+ neigh_output include/net/neighbour.h:556 [inline]
+ ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip_output+0x29f/0x450 net/ipv4/ip_output.c:438
+ ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508
+ udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195
+ udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ __sys_sendto+0x554/0x680 net/socket.c:2206
+ __do_sys_sendto net/socket.c:2213 [inline]
+ __se_sys_sendto net/socket.c:2209 [inline]
+ __x64_sys_sendto+0xde/0x100 net/socket.c:2209
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x415a2d
+Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d
+RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003
+RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010
+R10: 0000000000000000 R11: 0000000000000212 R12: 00007f6bc31e46c0
+R13: ffffffffffffffb8 R14: 0000000000000000 R15: 00007ffc9b0d70b0
+ </TASK>
+
+Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
+Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
+Reported-by: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20260426012647.3233119-1-kuniyu@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 5fbce37db28323..27550e8b05a655 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -1640,15 +1640,24 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk)
+ return err;
+ }
+
++static void sk_reuseport_prog_free_rcu(struct rcu_head *rcu)
++{
++ struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
++ struct bpf_prog *prog = aux->prog;
++
++ bpf_release_orig_filter(prog);
++ bpf_prog_free(prog);
++}
++
+ void sk_reuseport_prog_free(struct bpf_prog *prog)
+ {
+ if (!prog)
+ return;
+
+- if (prog->type == BPF_PROG_TYPE_SK_REUSEPORT)
+- bpf_prog_put(prog);
++ if (bpf_prog_was_classic(prog))
++ call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu);
+ else
+- bpf_prog_destroy(prog);
++ bpf_prog_put(prog);
+ }
+
+ struct bpf_scratchpad {
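Review bot: The new `bpf_prog_was_classic()` branch and sk_reuseport_prog_free_rcu() carry no comment saying why only classic programs go through `call_rcu()`, so the reasoning lives only in the commit message. A short comment above the branch, e.g. `/* cBPF progs are freed directly, so wait one RCU grace period: readers in reuseport_select_sock() may still hold the prog. */`, would stop a later cleanup from folding the two paths back together. The callback also relies on `aux->prog` pointing back at the program and on `aux->rcu` being otherwise unused for classic programs. Neither is visible in this hunk, so both are worth confirming in the tree this backport targets.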
+--
+2.53.0
+
--- /dev/null
+From ed74ef50ca68bf8f00d4a284a48400cfd376ec85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Mar 2022 04:16:42 +0530
+Subject: compiler-clang.h: Add __diag infrastructure for clang
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit f014a00bbeb09cea16017b82448d32a468a6b96f upstream.
+
+Add __diag macros similar to those in compiler-gcc.h, so that warnings
+that need to be adjusted for specific cases but not globally can be
+ignored when building with clang.
+
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20220304224645.3677453-6-memxor@gmail.com
+
+[ Kartikeya: wrote commit message ]
+
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/compiler-clang.h | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
+index d9376e327d665f..fae3775d02b516 100644
+--- a/include/linux/compiler-clang.h
++++ b/include/linux/compiler-clang.h
+@@ -126,3 +126,25 @@
+ #if __has_feature(shadow_call_stack)
+ # define __noscs __attribute__((__no_sanitize__("shadow-call-stack")))
+ #endif
++
++/*
++ * Turn individual warnings and errors on and off locally, depending
++ * on version.
++ */
++#define __diag_clang(version, severity, s) \
++ __diag_clang_ ## version(__diag_clang_ ## severity s)
++
++/* Severity used in pragma directives */
++#define __diag_clang_ignore ignored
++#define __diag_clang_warn warning
++#define __diag_clang_error error
++
++#define __diag_str1(s) #s
++#define __diag_str(s) __diag_str1(s)
++#define __diag(s) _Pragma(__diag_str(clang diagnostic s))
++
++#if CONFIG_CLANG_VERSION >= 110000
++#define __diag_clang_11(s) __diag(s)
++#else
++#define __diag_clang_11(s)
++#endif
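Review bot: The comment above `__diag_clang()` does not mention that the `version` argument is token-pasted into `__diag_clang_ ## version`, so every version passed to `__diag_clang()` needs a matching `__diag_clang_<version>` macro in this header. Only `__diag_clang_11` is defined here. A line such as `/* Each version used with __diag_clang() needs a __diag_clang_<version> definition below. */` would make that requirement visible to whoever adds the next suppression. `CONFIG_CLANG_VERSION` is defined outside this hunk.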
+--
+2.53.0
+
--- /dev/null
+From e63d213f19a7f0c5ad532a66da7a82c625c3867f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 May 2026 04:34:14 +0900
+Subject: Disable -Wattribute-alias for clang-23 and newer
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 175db11786bde9061db526bf1ac5107d915f5163 upstream.
+
+Clang recently added support for -Wattribute-alias [1], which results in
+the same warnings that necessitated commit bee20031772a ("disable
+-Wattribute-alias warning for SYSCALL_DEFINEx()") for GCC.
+
+ kernel/time/itimer.c:325:1: error: alias and aliasee have different types 'long (unsigned int)' and 'long (typeof (__builtin_choose_expr((__builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0LL)) || __builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0ULL))), 0LL, 0L)))' (aka 'long (long)') [-Werror,-Wattribute-alias]
+ 325 | SYSCALL_DEFINE1(alarm, unsigned int, seconds)
+ | ^
+ include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
+ 225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
+ | ^
+ include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
+ 236 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
+ | ^
+ include/linux/syscalls.h:251:18: note: expanded from macro '__SYSCALL_DEFINEx'
+ 251 | __attribute__((alias(__stringify(__se_sys##name)))); \
+ | ^
+ kernel/time/itimer.c:325:1: note: aliasee is declared here
+ include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
+ 225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
+ | ^
+ include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
+ 236 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
+ | ^
+ include/linux/syscalls.h:255:18: note: expanded from macro '__SYSCALL_DEFINEx'
+ 255 | asmlinkage long __se_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)) \
+ | ^
+ <scratch space>:16:1: note: expanded from here
+ 16 | __se_sys_alarm
+ | ^
+
+Disable the warnings in the same way for clang-23 and newer. Disable the
+warning about unknown warning options to avoid breaking the build for
+versions of clang-23 that do not have -Wattribute-alias, such as ones
+deployed by vendors like Android or CI systems or when bisecting LLVM
+between llvmorg-23-init and release/23.x.
+
+Cc: stable@vger.kernel.org
+Closes: https://github.com/ClangBuiltLinux/linux/issues/2163
+Link: https://github.com/llvm/llvm-project/commit/40da6920a0d71d49dfa2392b09153600b0759f5e [1]
+Link: https://patch.msgid.link/20260515-syscall-disable-attribute-alias-for-clang-v1-1-9a9d95d41df6@kernel.org
+[nathan: Drop arch/riscv hunk in older trees and address conflicts]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/compat.h | 4 ++++
+ include/linux/compiler-clang.h | 6 ++++++
+ include/linux/compiler_types.h | 4 ++++
+ include/linux/syscalls.h | 4 ++++
+ 4 files changed, 18 insertions(+)
+
+diff --git a/include/linux/compat.h b/include/linux/compat.h
+index 8dffffe846ce54..93c9bbec96acba 100644
+--- a/include/linux/compat.h
++++ b/include/linux/compat.h
+@@ -75,6 +75,10 @@
+ __diag_push(); \
+ __diag_ignore(GCC, 8, "-Wattribute-alias", \
+ "Type aliasing is used to sanitize syscall arguments");\
++ __diag_ignore(clang, 23, "-Wunknown-warning-option", \
++ "Avoid breaking versions without -Wattribute-alias"); \
++ __diag_ignore(clang, 23, "-Wattribute-alias", \
++ "Type aliasing is used to sanitize syscall arguments"); \
+ asmlinkage long compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)); \
+ asmlinkage long compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \
+ __attribute__((alias(__stringify(__se_compat_sys##name)))); \
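Review bot: The two clang suppressions depend on their order, and nothing in the macro says so. The `-Wunknown-warning-option` ignore has to come before the `-Wattribute-alias` ignore, otherwise a clang-23 build that lacks the new warning would presumably diagnose the second pragma itself. The same pair appears in the include/linux/syscalls.h hunk. Because the lines sit inside a continued macro, the practical place is a comment just above the macro definition, for example `/* Keep -Wunknown-warning-option first: early clang-23 builds do not know -Wattribute-alias. */`. The matching `__diag_pop()` lies outside both hunks, so the extent of the suppression cannot be checked from here.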
+diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
+index fae3775d02b516..a8953f9c766bcf 100644
+--- a/include/linux/compiler-clang.h
++++ b/include/linux/compiler-clang.h
+@@ -148,3 +148,9 @@
+ #else
+ #define __diag_clang_11(s)
+ #endif
++
++#if CONFIG_CLANG_VERSION >= 230000
++#define __diag_clang_23(s) __diag(s)
++#else
++#define __diag_clang_23(s)
++#endif
+diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
+index 9cecd02c1280a9..88cc4457297d22 100644
+--- a/include/linux/compiler_types.h
++++ b/include/linux/compiler_types.h
+@@ -320,6 +320,10 @@ struct ftrace_likely_data {
+ #define __diag_GCC(version, severity, string)
+ #endif
+
++#ifndef __diag_clang
++#define __diag_clang(version, severity, string)
++#endif
++
+ #define __diag_push() __diag(push)
+ #define __diag_pop() __diag(pop)
+
+diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
+index a96e924c7b45ed..339a35aad83935 100644
+--- a/include/linux/syscalls.h
++++ b/include/linux/syscalls.h
+@@ -236,6 +236,10 @@ static inline int is_syscall_trace_event(struct trace_event_call *tp_event)
+ __diag_push(); \
+ __diag_ignore(GCC, 8, "-Wattribute-alias", \
+ "Type aliasing is used to sanitize syscall arguments");\
++ __diag_ignore(clang, 23, "-Wunknown-warning-option", \
++ "Avoid breaking versions without -Wattribute-alias");\
++ __diag_ignore(clang, 23, "-Wattribute-alias", \
++ "Type aliasing is used to sanitize syscall arguments");\
+ asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \
+ __attribute__((alias(__stringify(__se_sys##name)))); \
+ ALLOW_ERROR_INJECTION(sys##name, ERRNO); \
+--
+2.53.0
+
--- /dev/null
+From 5caad7b86a7a1651a92e28c7d5df8b6d6114e265 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jun 2026 11:02:23 +0100
+Subject: HID: core: Add printk_ratelimited variants to hid_warn() etc
+
+From: Vicki Pfau <vi@endrift.com>
+
+[ Upstream commit 1d64624243af8329b4b219d8c39e28ea448f9929 ]
+
+hid_warn_ratelimited() is needed. Add the others as part of the block.
+
+Signed-off-by: Vicki Pfau <vi@endrift.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/hid.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index 03627c96d81457..ab56fffb74a200 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -1217,4 +1217,15 @@ do { \
+ #define hid_dbg_once(hid, fmt, ...) \
+ dev_dbg_once(&(hid)->dev, fmt, ##__VA_ARGS__)
+
++#define hid_err_ratelimited(hid, fmt, ...) \
++ dev_err_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
++#define hid_notice_ratelimited(hid, fmt, ...) \
++ dev_notice_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
++#define hid_warn_ratelimited(hid, fmt, ...) \
++ dev_warn_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
++#define hid_info_ratelimited(hid, fmt, ...) \
++ dev_info_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
++#define hid_dbg_ratelimited(hid, fmt, ...) \
++ dev_dbg_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
++
+ #endif
+--
+2.53.0
+
--- /dev/null
+From 651ac05ebcdab9ea3a41e1d85220ad9129d7c490 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jun 2026 11:02:25 +0100
+Subject: HID: core: Fix size_t specifier in hid_report_raw_event()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 4d3a2a466b8d68d852a1f3bbf11204b718428dc4 ]
+
+When building for 32-bit platforms, for which 'size_t' is
+'unsigned int', there are warnings around using the incorrect format
+specifier to print bsize in hid_report_raw_event():
+
+ drivers/hid/hid-core.c:2054:29: error: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Werror,-Wformat]
+ 2053 | hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
+ | ~~~
+ | %zu
+ 2054 | report->id, csize, bsize);
+ | ^~~~~
+ drivers/hid/hid-core.c:2076:29: error: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Werror,-Wformat]
+ 2075 | hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
+ | ~~~
+ | %zu
+ 2076 | report->id, rsize, bsize);
+ | ^~~~~
+
+Use the proper 'size_t' format specifier, '%zu', to clear up the
+warnings.
+
+Cc: stable@vger.kernel.org
+Fixes: 2c85c61d1332 ("HID: pass the buffer size to hid_report_raw_event")
+Reported-by: Miguel Ojeda <ojeda@kernel.org>
+Closes: https://lore.kernel.org/20260516020430.110135-1-ojeda@kernel.org/
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+(cherry picked from commit 3ab135238832446399614e7a4bb796d620717806)
+Signed-off-by: Lee Jones <lee@kernel.org>
+(cherry picked from commit 0f77a993b5426cca1b046c9ab4b2f8355a4d45dc)
+Signed-off-by: Lee Jones <lee@kernel.org>
+(cherry picked from commit 70333a8f866aad8cbd6956e2ec4ace159fa4243b)
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index c73f4ac16fdf24..918c66d5bc93f6 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1793,7 +1793,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data,
+ return 0;
+
+ if (unlikely(bsize < csize)) {
+- hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
++ hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %zu)\n",
+ report->id, csize, bsize);
+ return -EINVAL;
+ }
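Review bot: The format string is still not fully matched to its arguments after the `%zu` change. `csize` here, and `rsize` in the second hunk of this patch, are declared `u32` by the companion patch that introduced these messages, yet both are printed with `%d`. Using `%u` for them, e.g. `"Event data for report %d is incorrect (%u vs %zu)\n"`, keeps a large device-supplied length from showing up as a negative number in the log. The type of `report->id` is not visible in either hunk, so its specifier should be checked against the struct definition.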
+@@ -1815,7 +1815,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data,
+ rsize = max_buffer_size;
+
+ if (bsize < rsize) {
+- hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
++ hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %zu)\n",
+ report->id, rsize, bsize);
+ return -EINVAL;
+ }
+--
+2.53.0
+
--- /dev/null
+From 05c162178d5f6ec2e6f12bc4599977f0fd9b0573 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jun 2026 11:02:24 +0100
+Subject: HID: pass the buffer size to hid_report_raw_event
+
+From: Benjamin Tissoires <bentiss@kernel.org>
+
+[ Upstream commit 2c85c61d1332e1e16f020d76951baf167dcb6f7a ]
+
+commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing
+bogus memset()") enforced the provided data to be at least the size of
+the declared buffer in the report descriptor to prevent a buffer
+overflow. However, we can try to be smarter by providing both the buffer
+size and the data size, meaning that hid_report_raw_event() can make
+better decision whether we should plaining reject the buffer (buffer
+overflow attempt) or if we can safely memset it to 0 and pass it to the
+rest of the stack.
+
+Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
+Acked-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Stable-dep-of: 206342541fc8 ("HID: core: introduce hid_safe_input_report()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+(cherry picked from commit 509c2605065004fc4cd86ee50a9350d402785307)
+[Lee: Backported to linux-6.12.y and beyond]
+Signed-off-by: Lee Jones <lee@kernel.org>
+(cherry picked from commit f9393998660f146970047bda31526aeb96190f28)
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-core.c | 29 ++++++++++++++++++++++-------
+ drivers/hid/hid-gfrm.c | 4 ++--
+ drivers/hid/hid-logitech-hidpp.c | 2 +-
+ drivers/hid/hid-multitouch.c | 2 +-
+ drivers/hid/hid-primax.c | 2 +-
+ drivers/hid/hid-vivaldi.c | 2 +-
+ drivers/hid/wacom_sys.c | 6 +++---
+ drivers/staging/greybus/hid.c | 2 +-
+ include/linux/hid.h | 4 ++--
+ 9 files changed, 34 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index aa9ae6ccb28a8f..c73f4ac16fdf24 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1775,8 +1775,8 @@ int __hid_request(struct hid_device *hid, struct hid_report *report,
+ }
+ EXPORT_SYMBOL_GPL(__hid_request);
+
+-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
+- int interrupt)
++int hid_report_raw_event(struct hid_device *hid, int type, u8 *data,
++ size_t bufsize, u32 size, int interrupt)
+ {
+ struct hid_report_enum *report_enum = hid->report_enum + type;
+ struct hid_report *report;
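Review bot: The new `bufsize` parameter sits directly before `size` and both are integer types, so a caller that swaps them compiles cleanly, and the function has no comment stating which is which. A kernel-doc block above hid_report_raw_event() should say that `bufsize` is the number of bytes allocated behind `data`, that `size` is the number of bytes actually received, and that the call returns -EINVAL when `bufsize < size`. The same wording belongs next to the prototype in include/linux/hid.h. The function body continues outside this hunk.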
+@@ -1784,16 +1784,24 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
+ int max_buffer_size = HID_MAX_BUFFER_SIZE;
+ unsigned int a;
+ u32 rsize, csize = size;
++ size_t bsize = bufsize;
+ u8 *cdata = data;
+ int ret = 0;
+
+ report = hid_get_report(report_enum, data);
+ if (!report)
+- goto out;
++ return 0;
++
++ if (unlikely(bsize < csize)) {
++ hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
++ report->id, csize, bsize);
++ return -EINVAL;
++ }
+
+ if (report_enum->numbered) {
+ cdata++;
+ csize--;
++ bsize--;
+ }
+
+ rsize = hid_compute_report_size(report);
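Review bot: For numbered reports, `csize--` and `bsize--` run without checking that either is non-zero. A call with `size == 0` and `bufsize == 0` passes the `bsize < csize` test and then wraps both counters. The wrapped `bsize` can never be smaller than `rsize`, so the bounds check added in the next hunk is skipped. Whether a zero-length call can reach this point depends on the callers, which are outside the hunk. The guard is one line at the top of the `if (report_enum->numbered)` block: `if (unlikely(!csize)) return -EINVAL;`.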
+@@ -1806,9 +1814,15 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
+ else if (rsize > max_buffer_size)
+ rsize = max_buffer_size;
+
++ if (bsize < rsize) {
++ hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
++ report->id, rsize, bsize);
++ return -EINVAL;
++ }
++
+ if (csize < rsize) {
+ dbg_hid("report %d is too short, (%d < %d)\n", report->id,
+- csize, rsize);
++ csize, rsize);
+ memset(cdata + csize, 0, rsize - csize);
+ }
+
+@@ -1817,7 +1831,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
+ if (hid->claimed & HID_CLAIMED_HIDRAW) {
+ ret = hidraw_report_event(hid, data, size);
+ if (ret)
+- goto out;
++ return ret;
+ }
+
+ if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) {
+@@ -1830,7 +1844,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
+
+ if (hid->claimed & HID_CLAIMED_INPUT)
+ hidinput_report_event(hid, report);
+-out:
++
+ return ret;
+ }
+ EXPORT_SYMBOL_GPL(hid_report_raw_event);
+@@ -1851,6 +1865,7 @@ int hid_input_report(struct hid_device *hid, int type, u8 *data, u32 size, int i
+ struct hid_report_enum *report_enum;
+ struct hid_driver *hdrv;
+ struct hid_report *report;
++ size_t bufsize = size;
+ int ret = 0;
+
+ if (!hid)
+@@ -1889,7 +1904,7 @@ int hid_input_report(struct hid_device *hid, int type, u8 *data, u32 size, int i
+ goto unlock;
+ }
+
+- ret = hid_report_raw_event(hid, type, data, size, interrupt);
++ ret = hid_report_raw_event(hid, type, data, bufsize, size, interrupt);
+
+ unlock:
+ up(&hid->driver_input_lock);
+diff --git a/drivers/hid/hid-gfrm.c b/drivers/hid/hid-gfrm.c
+index 699186ff2349e9..d2a56bf92b416e 100644
+--- a/drivers/hid/hid-gfrm.c
++++ b/drivers/hid/hid-gfrm.c
+@@ -66,7 +66,7 @@ static int gfrm_raw_event(struct hid_device *hdev, struct hid_report *report,
+ switch (data[1]) {
+ case GFRM100_SEARCH_KEY_DOWN:
+ ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_dn,
+- sizeof(search_key_dn), 1);
++ sizeof(search_key_dn), sizeof(search_key_dn), 1);
+ break;
+
+ case GFRM100_SEARCH_KEY_AUDIO_DATA:
+@@ -74,7 +74,7 @@ static int gfrm_raw_event(struct hid_device *hdev, struct hid_report *report,
+
+ case GFRM100_SEARCH_KEY_UP:
+ ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_up,
+- sizeof(search_key_up), 1);
++ sizeof(search_key_up), sizeof(search_key_up), 1);
+ break;
+
+ default:
+diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
+index 98562a0ed0c338..d31f2737b13dca 100644
+--- a/drivers/hid/hid-logitech-hidpp.c
++++ b/drivers/hid/hid-logitech-hidpp.c
+@@ -3176,7 +3176,7 @@ static int hidpp10_consumer_keys_raw_event(struct hidpp_device *hidpp,
+ memcpy(&consumer_report[1], &data[3], 4);
+ /* We are called from atomic context */
+ hid_report_raw_event(hidpp->hid_dev, HID_INPUT_REPORT,
+- consumer_report, 5, 1);
++ consumer_report, sizeof(consumer_report), 5, 1);
+
+ return 1;
+ }
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index 948bd59ab5d21f..c3bcc23d7c7ca1 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -449,7 +449,7 @@ static void mt_get_feature(struct hid_device *hdev, struct hid_report *report)
+ }
+
+ ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf,
+- size, 0);
++ size, size, 0);
+ if (ret)
+ dev_warn(&hdev->dev, "failed to report feature\n");
+ }
+diff --git a/drivers/hid/hid-primax.c b/drivers/hid/hid-primax.c
+index 1e6413d07cae21..16e2a811eda9f0 100644
+--- a/drivers/hid/hid-primax.c
++++ b/drivers/hid/hid-primax.c
+@@ -44,7 +44,7 @@ static int px_raw_event(struct hid_device *hid, struct hid_report *report,
+ data[0] |= (1 << (data[idx] - 0xE0));
+ data[idx] = 0;
+ }
+- hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, 0);
++ hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, size, 0);
+ return 1;
+
+ default: /* unknown report */
+diff --git a/drivers/hid/hid-vivaldi.c b/drivers/hid/hid-vivaldi.c
+index d57ec17670379c..fdfea1355ee782 100644
+--- a/drivers/hid/hid-vivaldi.c
++++ b/drivers/hid/hid-vivaldi.c
+@@ -126,7 +126,7 @@ static void vivaldi_feature_mapping(struct hid_device *hdev,
+ }
+
+ ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, report_data,
+- report_len, 0);
++ report_len, report_len, 0);
+ if (ret) {
+ dev_warn(&hdev->dev, "failed to report feature %d\n",
+ field->report->id);
+diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
+index 641898bde9c730..5043bc809aaeb5 100644
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -79,7 +79,7 @@ static void wacom_wac_queue_flush(struct hid_device *hdev,
+ int err;
+
+ size = kfifo_out(fifo, buf, sizeof(buf));
+- err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, false);
++ err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, size, false);
+ if (err) {
+ hid_warn(hdev, "%s: unable to flush event due to error %d\n",
+ __func__, err);
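Review bot: Passing `size, size` throws away information this call site has. The line above fills `buf` with `kfifo_out(fifo, buf, sizeof(buf))`, so the real capacity is `sizeof(buf)`, not the number of bytes dequeued. Calling `hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, sizeof(buf), size, false)` would let the core zero-pad a short report within the buffer instead of rejecting it, which is the distinction the new parameter was added for. This assumes `buf` is an array rather than a pointer; its declaration is outside the hunk.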
+@@ -324,7 +324,7 @@ static void wacom_feature_mapping(struct hid_device *hdev,
+ data, n, WAC_CMD_RETRIES);
+ if (ret == n && features->type == HID_GENERIC) {
+ ret = hid_report_raw_event(hdev,
+- HID_FEATURE_REPORT, data, n, 0);
++ HID_FEATURE_REPORT, data, n, n, 0);
+ } else if (ret == 2 && features->type != HID_GENERIC) {
+ features->touch_max = data[1];
+ } else {
+@@ -386,7 +386,7 @@ static void wacom_feature_mapping(struct hid_device *hdev,
+ data, n, WAC_CMD_RETRIES);
+ if (ret == n) {
+ ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT,
+- data, n, 0);
++ data, n, n, 0);
+ } else {
+ hid_warn(hdev, "%s: could not retrieve sensor offsets\n",
+ __func__);
+diff --git a/drivers/staging/greybus/hid.c b/drivers/staging/greybus/hid.c
+index ed706f39e87a19..d68f60da0dd169 100644
+--- a/drivers/staging/greybus/hid.c
++++ b/drivers/staging/greybus/hid.c
+@@ -201,7 +201,7 @@ static void gb_hid_init_report(struct gb_hid *ghid, struct hid_report *report)
+ * we just need to setup the input fields, so using
+ * hid_report_raw_event is safe.
+ */
+- hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, size, 1);
++ hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, ghid->bufsize, size, 1);
+ }
+
+ static void gb_hid_init_reports(struct gb_hid *ghid)
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index ab56fffb74a200..aaae2fecd4ae6e 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -1175,8 +1175,8 @@ static inline u32 hid_report_len(struct hid_report *report)
+ return DIV_ROUND_UP(report->size, 8) + (report->id > 0);
+ }
+
+-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
+- int interrupt);
++int hid_report_raw_event(struct hid_device *hid, int type, u8 *data,
++ size_t bufsize, u32 size, int interrupt);
+
+ /* HID quirks API */
+ unsigned long hid_lookup_quirk(const struct hid_device *hdev);
+--
+2.53.0
+
--- /dev/null
+bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch
+hid-core-add-printk_ratelimited-variants-to-hid_warn.patch
+hid-pass-the-buffer-size-to-hid_report_raw_event.patch
+hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch
+usb-serial-mct_u232-fix-memory-corruption-with-small.patch
+compiler-clang.h-add-__diag-infrastructure-for-clang.patch
+disable-wattribute-alias-for-clang-23-and-newer.patch
--- /dev/null
+From 88ac9d3ecb476d111f8b9bda679669bc065ef860 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2026 14:11:33 +0200
+Subject: USB: serial: mct_u232: fix memory corruption with small endpoint
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 915b36d701950503c4ea0f6e314b10868e59fce3 upstream.
+
+The driver overrides the maximum transfer size for a specific device
+which only accepts 16 byte packets for its 32 byte bulk-out endpoint.
+
+Make sure to never increase the maximum transfer size to prevent slab
+corruption should a malicious device report a smaller endpoint max
+packet size than expected.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/serial/mct_u232.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
+index 04f16d4a0a68ad..8842a1db72b396 100644
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -378,6 +378,7 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
+ {
+ struct usb_serial *serial = port->serial;
+ struct mct_u232_private *priv;
++ u16 pid;
+
+ /* check first to simplify error handling */
+ if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
+@@ -385,6 +386,16 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
+ return -ENODEV;
+ }
+
++ /*
++ * Compensate for a hardware bug: although the Sitecom U232-P25
++ * device reports a maximum output packet size of 32 bytes,
++ * it seems to be able to accept only 16 bytes (and that's what
++ * SniffUSB says too...)
++ */
++ pid = le16_to_cpu(serial->dev->descriptor.idProduct);
++ if (pid == MCT_U232_SITECOM_PID)
++ port->bulk_out_size = min(16, port->bulk_out_size);
++
+ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+ return -ENOMEM;
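Review bot: The relocated comment still only describes the hardware quirk and does not say why the assignment became `min(16, port->bulk_out_size)`. A sentence such as `Never raise the size above what the endpoint reported; the write buffers are sized from that value.` would record the reason. The buffer allocation is outside this hunk, so that wording should be checked against the usb-serial core. Without it, a later cleanup could turn the clamp back into a plain `= 16` and reintroduce the slab corruption the commit message describes for a device that reports a smaller max packet size. mct_u232_port_probe() continues outside the hunk.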
+@@ -412,7 +423,6 @@ static int mct_u232_port_remove(struct usb_serial_port *port)
+
+ static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
+ {
+- struct usb_serial *serial = port->serial;
+ struct mct_u232_private *priv = usb_get_serial_port_data(port);
+ int retval = 0;
+ unsigned int control_state;
+@@ -420,15 +430,6 @@ static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
+ unsigned char last_lcr;
+ unsigned char last_msr;
+
+- /* Compensate for a hardware bug: although the Sitecom U232-P25
+- * device reports a maximum output packet size of 32 bytes,
+- * it seems to be able to accept only 16 bytes (and that's what
+- * SniffUSB says too...)
+- */
+- if (le16_to_cpu(serial->dev->descriptor.idProduct)
+- == MCT_U232_SITECOM_PID)
+- port->bulk_out_size = 16;
+-
+ /* Do a defined restart: the normal serial device seems to
+ * always turn on DTR and RTS here, so do the same. I'm not
+ * sure if this is really necessary. But it should not harm
+--
+2.53.0
+
--- /dev/null
+From 8ea8029037e453cff485c030fbbcc2cb8585f35f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Apr 2026 01:26:43 +0000
+Subject: bpf: Free reuseport cBPF prog after RCU grace period.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 18fc650ccd7fe3376eca89203668cfb8268f60df ]
+
+Eulgyu Kim reported the splat below with a repro. [0]
+
+The repro sets up a UDP reuseport group with a cBPF prog and
+replaces it with a new one while another thread is sending
+a UDP packet to the group.
+
+The reuseport prog is freed by sk_reuseport_prog_free().
+bpf_prog_put() is called for "e"BPF prog to destruct through
+multiple stages while cBPF prog is freed immediately by
+bpf_release_orig_filter() and bpf_prog_free().
+
+If a reuseport prog is detached from the setsockopt() path
+(reuseport_attach_prog() or reuseport_detach_prog()),
+sk_reuseport_prog_free() is called without waiting for RCU
+readers to complete, resulting in various bugs.
+
+Let's defer freeing the reuseport cBPF prog after one RCU
+grace period.
+
+Note "e"BPF prog is safe as is unless the fast path starts
+to touch fields destroyed in bpf_prog_put_deferred() and
+__bpf_prog_put_noref().
+
+[0]:
+BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
+Read of size 4 at addr ffffc9000051e004 by task slowme/10208
+CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)
+Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+Call Trace:
+ <IRQ>
+ dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
+ udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495
+ __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723
+ __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752
+ __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752
+ ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
+ ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ __netif_receive_skb_one_core net/core/dev.c:6181 [inline]
+ __netif_receive_skb net/core/dev.c:6294 [inline]
+ process_backlog+0xaa4/0x1960 net/core/dev.c:6645
+ __napi_poll+0xae/0x340 net/core/dev.c:7709
+ napi_poll net/core/dev.c:7772 [inline]
+ net_rx_action+0x5d7/0xf50 net/core/dev.c:7929
+ handle_softirqs+0x22b/0x870 kernel/softirq.c:622
+ do_softirq+0x76/0xd0 kernel/softirq.c:523
+ </IRQ>
+ <TASK>
+ __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
+ local_bh_enable include/linux/bottom_half.h:33 [inline]
+ rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
+ __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890
+ neigh_output include/net/neighbour.h:556 [inline]
+ ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip_output+0x29f/0x450 net/ipv4/ip_output.c:438
+ ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508
+ udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195
+ udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ __sys_sendto+0x554/0x680 net/socket.c:2206
+ __do_sys_sendto net/socket.c:2213 [inline]
+ __se_sys_sendto net/socket.c:2209 [inline]
+ __x64_sys_sendto+0xde/0x100 net/socket.c:2209
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x415a2d
+Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d
+RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003
+RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010
+R10: 0000000000000000 R11: 0000000000000212 R12: 00007f6bc31e46c0
+R13: ffffffffffffffb8 R14: 0000000000000000 R15: 00007ffc9b0d70b0
+ </TASK>
+
+Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
+Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
+Reported-by: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20260426012647.3233119-1-kuniyu@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 04d1cf57cfe257..6a1210abe4625e 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -1641,15 +1641,24 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk)
+ return err;
+ }
+
++static void sk_reuseport_prog_free_rcu(struct rcu_head *rcu)
++{
++ struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
++ struct bpf_prog *prog = aux->prog;
++
++ bpf_release_orig_filter(prog);
++ bpf_prog_free(prog);
++}
++
+ void sk_reuseport_prog_free(struct bpf_prog *prog)
+ {
+ if (!prog)
+ return;
+
+- if (prog->type == BPF_PROG_TYPE_SK_REUSEPORT)
+- bpf_prog_put(prog);
++ if (bpf_prog_was_classic(prog))
++ call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu);
+ else
+- bpf_prog_destroy(prog);
++ bpf_prog_put(prog);
+ }
+
+ struct bpf_scratchpad {
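Review bot: Nothing in sk_reuseport_prog_free_rcu() or the new `bpf_prog_was_classic()` branch says why the free is deferred, so a later cleanup could fold it back into a direct free and reintroduce the race with RCU readers described in the commit message. A comment above the callback such as `/* cBPF progs have no refcounted teardown: free only after RCU readers in reuseport_select_sock() are done */` would record that. The callback also borrows `prog->aux->rcu`; presumably that is the same rcu_head the eBPF put path uses, which is safe only while a classic prog never reaches bpf_prog_put(), and that is worth stating next to the call_rcu() line. The identical hunk in the second copy of this patch further down the page has the same gap.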
+--
+2.53.0
+
--- /dev/null
+From 3db0b1c95e1f02ea465e8d4a19e2fc61b5930b40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Mar 2022 04:16:42 +0530
+Subject: compiler-clang.h: Add __diag infrastructure for clang
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit f014a00bbeb09cea16017b82448d32a468a6b96f upstream.
+
+Add __diag macros similar to those in compiler-gcc.h, so that warnings
+that need to be adjusted for specific cases but not globally can be
+ignored when building with clang.
+
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20220304224645.3677453-6-memxor@gmail.com
+
+[ Kartikeya: wrote commit message ]
+
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/compiler-clang.h | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
+index 3397f6809c8694..7ae9fc072302d4 100644
+--- a/include/linux/compiler-clang.h
++++ b/include/linux/compiler-clang.h
+@@ -119,3 +119,25 @@
+
+ #define __nocfi __attribute__((__no_sanitize__("cfi")))
+ #define __cficanonical __attribute__((__cfi_canonical_jump_table__))
++
++/*
++ * Turn individual warnings and errors on and off locally, depending
++ * on version.
++ */
++#define __diag_clang(version, severity, s) \
++ __diag_clang_ ## version(__diag_clang_ ## severity s)
++
++/* Severity used in pragma directives */
++#define __diag_clang_ignore ignored
++#define __diag_clang_warn warning
++#define __diag_clang_error error
++
++#define __diag_str1(s) #s
++#define __diag_str(s) __diag_str1(s)
++#define __diag(s) _Pragma(__diag_str(clang diagnostic s))
++
++#if CONFIG_CLANG_VERSION >= 110000
++#define __diag_clang_11(s) __diag(s)
++#else
++#define __diag_clang_11(s)
++#endif
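Review bot: `__diag_clang(version, severity, s)` pastes its first argument into `__diag_clang_<version>`, and only `__diag_clang_11` is defined in this hunk, so a caller naming any other version expands to an undefined identifier instead of a no-op. That constraint is not documented. The block comment could gain a line such as `* Each version passed to __diag_clang() needs a matching __diag_clang_<version> definition below.`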
+--
+2.53.0
+
--- /dev/null
+From ea9b29762d13e7b412d17b3f3fc451d5152aea11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 May 2026 04:34:14 +0900
+Subject: Disable -Wattribute-alias for clang-23 and newer
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 175db11786bde9061db526bf1ac5107d915f5163 upstream.
+
+Clang recently added support for -Wattribute-alias [1], which results in
+the same warnings that necessitated commit bee20031772a ("disable
+-Wattribute-alias warning for SYSCALL_DEFINEx()") for GCC.
+
+ kernel/time/itimer.c:325:1: error: alias and aliasee have different types 'long (unsigned int)' and 'long (typeof (__builtin_choose_expr((__builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0LL)) || __builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0ULL))), 0LL, 0L)))' (aka 'long (long)') [-Werror,-Wattribute-alias]
+ 325 | SYSCALL_DEFINE1(alarm, unsigned int, seconds)
+ | ^
+ include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
+ 225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
+ | ^
+ include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
+ 236 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
+ | ^
+ include/linux/syscalls.h:251:18: note: expanded from macro '__SYSCALL_DEFINEx'
+ 251 | __attribute__((alias(__stringify(__se_sys##name)))); \
+ | ^
+ kernel/time/itimer.c:325:1: note: aliasee is declared here
+ include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
+ 225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
+ | ^
+ include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
+ 236 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
+ | ^
+ include/linux/syscalls.h:255:18: note: expanded from macro '__SYSCALL_DEFINEx'
+ 255 | asmlinkage long __se_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)) \
+ | ^
+ <scratch space>:16:1: note: expanded from here
+ 16 | __se_sys_alarm
+ | ^
+
+Disable the warnings in the same way for clang-23 and newer. Disable the
+warning about unknown warning options to avoid breaking the build for
+versions of clang-23 that do not have -Wattribute-alias, such as ones
+deployed by vendors like Android or CI systems or when bisecting LLVM
+between llvmorg-23-init and release/23.x.
+
+Cc: stable@vger.kernel.org
+Closes: https://github.com/ClangBuiltLinux/linux/issues/2163
+Link: https://github.com/llvm/llvm-project/commit/40da6920a0d71d49dfa2392b09153600b0759f5e [1]
+Link: https://patch.msgid.link/20260515-syscall-disable-attribute-alias-for-clang-v1-1-9a9d95d41df6@kernel.org
+[nathan: Drop arch/riscv hunk in older trees and address conflicts]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/compat.h | 4 ++++
+ include/linux/compiler-clang.h | 6 ++++++
+ include/linux/compiler_types.h | 4 ++++
+ include/linux/syscalls.h | 4 ++++
+ 4 files changed, 18 insertions(+)
+
+diff --git a/include/linux/compat.h b/include/linux/compat.h
+index d91fb5225dbf48..c5441ac9050f4f 100644
+--- a/include/linux/compat.h
++++ b/include/linux/compat.h
+@@ -72,6 +72,10 @@
+ __diag_push(); \
+ __diag_ignore(GCC, 8, "-Wattribute-alias", \
+ "Type aliasing is used to sanitize syscall arguments");\
++ __diag_ignore(clang, 23, "-Wunknown-warning-option", \
++ "Avoid breaking versions without -Wattribute-alias"); \
++ __diag_ignore(clang, 23, "-Wattribute-alias", \
++ "Type aliasing is used to sanitize syscall arguments"); \
+ asmlinkage long compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \
+ __attribute__((alias(__stringify(__se_compat_sys##name)))); \
+ ALLOW_ERROR_INJECTION(compat_sys##name, ERRNO); \
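Review bot: The order of the two added clang ignores is load-bearing and nothing in the code says so: `-Wunknown-warning-option` has to be ignored before the `-Wattribute-alias` pragma is seen, otherwise a clang-23 build that lacks the latter warns on the pragma itself. The suppression also stays in effect until the matching `__diag_pop()`, which is outside this hunk, so any other unrecognised warning name in that span would go unreported. A comment above the macro (its `#define` line is also outside the hunk), e.g. `/* ignore -Wunknown-warning-option first: early clang-23 builds lack -Wattribute-alias */`, would keep a later reorder from breaking those builds. The same applies to the include/linux/syscalls.h hunk of this patch and to both hunks in the second copy further down the page.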
+diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
+index 7ae9fc072302d4..f0b218c914f1fb 100644
+--- a/include/linux/compiler-clang.h
++++ b/include/linux/compiler-clang.h
+@@ -141,3 +141,9 @@
+ #else
+ #define __diag_clang_11(s)
+ #endif
++
++#if CONFIG_CLANG_VERSION >= 230000
++#define __diag_clang_23(s) __diag(s)
++#else
++#define __diag_clang_23(s)
++#endif
+diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
+index ca9345e2934d38..2eda6f70169630 100644
+--- a/include/linux/compiler_types.h
++++ b/include/linux/compiler_types.h
+@@ -345,6 +345,10 @@ struct ftrace_likely_data {
+ #define __diag_GCC(version, severity, string)
+ #endif
+
++#ifndef __diag_clang
++#define __diag_clang(version, severity, string)
++#endif
++
+ #define __diag_push() __diag(push)
+ #define __diag_pop() __diag(pop)
+
+diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
+index b8037a46ff41d7..ce63109333a585 100644
+--- a/include/linux/syscalls.h
++++ b/include/linux/syscalls.h
+@@ -239,6 +239,10 @@ static inline int is_syscall_trace_event(struct trace_event_call *tp_event)
+ __diag_push(); \
+ __diag_ignore(GCC, 8, "-Wattribute-alias", \
+ "Type aliasing is used to sanitize syscall arguments");\
++ __diag_ignore(clang, 23, "-Wunknown-warning-option", \
++ "Avoid breaking versions without -Wattribute-alias");\
++ __diag_ignore(clang, 23, "-Wattribute-alias", \
++ "Type aliasing is used to sanitize syscall arguments");\
+ asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \
+ __attribute__((alias(__stringify(__se_sys##name)))); \
+ ALLOW_ERROR_INJECTION(sys##name, ERRNO); \
+--
+2.53.0
+
--- /dev/null
+bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch
+usb-serial-mct_u232-fix-memory-corruption-with-small.patch
+compiler-clang.h-add-__diag-infrastructure-for-clang.patch
+disable-wattribute-alias-for-clang-23-and-newer.patch
--- /dev/null
+From d73a6145c43489a066b42029bb286f7c6fdf65dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2026 14:11:33 +0200
+Subject: USB: serial: mct_u232: fix memory corruption with small endpoint
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 915b36d701950503c4ea0f6e314b10868e59fce3 upstream.
+
+The driver overrides the maximum transfer size for a specific device
+which only accepts 16 byte packets for its 32 byte bulk-out endpoint.
+
+Make sure to never increase the maximum transfer size to prevent slab
+corruption should a malicious device report a smaller endpoint max
+packet size than expected.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/serial/mct_u232.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
+index 5070e6d5cfd9eb..a359669df3dfff 100644
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -378,6 +378,7 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
+ {
+ struct usb_serial *serial = port->serial;
+ struct mct_u232_private *priv;
++ u16 pid;
+
+ /* check first to simplify error handling */
+ if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
+@@ -385,6 +386,16 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
+ return -ENODEV;
+ }
+
++ /*
++ * Compensate for a hardware bug: although the Sitecom U232-P25
++ * device reports a maximum output packet size of 32 bytes,
++ * it seems to be able to accept only 16 bytes (and that's what
++ * SniffUSB says too...)
++ */
++ pid = le16_to_cpu(serial->dev->descriptor.idProduct);
++ if (pid == MCT_U232_SITECOM_PID)
++ port->bulk_out_size = min(16, port->bulk_out_size);
++
+ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+ return -ENOMEM;
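Review bot: The relocated comment still describes only the 16-byte hardware quirk and not why the plain assignment became `min(16, port->bulk_out_size)`, which is the security-relevant half of the change. Per the commit message the clamp exists so that a device reporting a smaller endpoint can never have its transfer size raised; without that stated in the code, a later tidy-up could turn it back into `= 16`. Adding a line to the comment such as `* Only ever lower bulk_out_size: a device may report an endpoint smaller than 16 bytes.` would pin this down. mct_u232_port_probe() continues past the end of the hunk, and the same hunk appears again in the later copy of this patch on the page.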
+@@ -410,7 +421,6 @@ static void mct_u232_port_remove(struct usb_serial_port *port)
+
+ static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
+ {
+- struct usb_serial *serial = port->serial;
+ struct mct_u232_private *priv = usb_get_serial_port_data(port);
+ int retval = 0;
+ unsigned int control_state;
+@@ -418,15 +428,6 @@ static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
+ unsigned char last_lcr;
+ unsigned char last_msr;
+
+- /* Compensate for a hardware bug: although the Sitecom U232-P25
+- * device reports a maximum output packet size of 32 bytes,
+- * it seems to be able to accept only 16 bytes (and that's what
+- * SniffUSB says too...)
+- */
+- if (le16_to_cpu(serial->dev->descriptor.idProduct)
+- == MCT_U232_SITECOM_PID)
+- port->bulk_out_size = 16;
+-
+ /* Do a defined restart: the normal serial device seems to
+ * always turn on DTR and RTS here, so do the same. I'm not
+ * sure if this is really necessary. But it should not harm
+--
+2.53.0
+
--- /dev/null
+From 7eee604a6c31c32601d7a331dfdab430d9a8616c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Apr 2026 01:26:43 +0000
+Subject: bpf: Free reuseport cBPF prog after RCU grace period.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 18fc650ccd7fe3376eca89203668cfb8268f60df ]
+
+Eulgyu Kim reported the splat below with a repro. [0]
+
+The repro sets up a UDP reuseport group with a cBPF prog and
+replaces it with a new one while another thread is sending
+a UDP packet to the group.
+
+The reuseport prog is freed by sk_reuseport_prog_free().
+bpf_prog_put() is called for "e"BPF prog to destruct through
+multiple stages while cBPF prog is freed immediately by
+bpf_release_orig_filter() and bpf_prog_free().
+
+If a reuseport prog is detached from the setsockopt() path
+(reuseport_attach_prog() or reuseport_detach_prog()),
+sk_reuseport_prog_free() is called without waiting for RCU
+readers to complete, resulting in various bugs.
+
+Let's defer freeing the reuseport cBPF prog after one RCU
+grace period.
+
+Note "e"BPF prog is safe as is unless the fast path starts
+to touch fields destroyed in bpf_prog_put_deferred() and
+__bpf_prog_put_noref().
+
+[0]:
+BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
+Read of size 4 at addr ffffc9000051e004 by task slowme/10208
+CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)
+Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+Call Trace:
+ <IRQ>
+ dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
+ udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495
+ __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723
+ __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752
+ __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752
+ ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
+ ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ __netif_receive_skb_one_core net/core/dev.c:6181 [inline]
+ __netif_receive_skb net/core/dev.c:6294 [inline]
+ process_backlog+0xaa4/0x1960 net/core/dev.c:6645
+ __napi_poll+0xae/0x340 net/core/dev.c:7709
+ napi_poll net/core/dev.c:7772 [inline]
+ net_rx_action+0x5d7/0xf50 net/core/dev.c:7929
+ handle_softirqs+0x22b/0x870 kernel/softirq.c:622
+ do_softirq+0x76/0xd0 kernel/softirq.c:523
+ </IRQ>
+ <TASK>
+ __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
+ local_bh_enable include/linux/bottom_half.h:33 [inline]
+ rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
+ __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890
+ neigh_output include/net/neighbour.h:556 [inline]
+ ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip_output+0x29f/0x450 net/ipv4/ip_output.c:438
+ ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508
+ udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195
+ udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ __sys_sendto+0x554/0x680 net/socket.c:2206
+ __do_sys_sendto net/socket.c:2213 [inline]
+ __se_sys_sendto net/socket.c:2209 [inline]
+ __x64_sys_sendto+0xde/0x100 net/socket.c:2209
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x415a2d
+Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d
+RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003
+RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010
+R10: 0000000000000000 R11: 0000000000000212 R12: 00007f6bc31e46c0
+R13: ffffffffffffffb8 R14: 0000000000000000 R15: 00007ffc9b0d70b0
+ </TASK>
+
+Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
+Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
+Reported-by: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20260426012647.3233119-1-kuniyu@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 0ea9ede2c44724..3628ea596050f0 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -1643,15 +1643,24 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk)
+ return err;
+ }
+
++static void sk_reuseport_prog_free_rcu(struct rcu_head *rcu)
++{
++ struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
++ struct bpf_prog *prog = aux->prog;
++
++ bpf_release_orig_filter(prog);
++ bpf_prog_free(prog);
++}
++
+ void sk_reuseport_prog_free(struct bpf_prog *prog)
+ {
+ if (!prog)
+ return;
+
+- if (prog->type == BPF_PROG_TYPE_SK_REUSEPORT)
+- bpf_prog_put(prog);
++ if (bpf_prog_was_classic(prog))
++ call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu);
+ else
+- bpf_prog_destroy(prog);
++ bpf_prog_put(prog);
+ }
+
+ struct bpf_scratchpad {
+--
+2.53.0
+
--- /dev/null
+From c794e16ac93109312d78729d0008649e5148b103 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 May 2026 04:34:14 +0900
+Subject: Disable -Wattribute-alias for clang-23 and newer
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 175db11786bde9061db526bf1ac5107d915f5163 upstream.
+
+Clang recently added support for -Wattribute-alias [1], which results in
+the same warnings that necessitated commit bee20031772a ("disable
+-Wattribute-alias warning for SYSCALL_DEFINEx()") for GCC.
+
+ kernel/time/itimer.c:325:1: error: alias and aliasee have different types 'long (unsigned int)' and 'long (typeof (__builtin_choose_expr((__builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0LL)) || __builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0ULL))), 0LL, 0L)))' (aka 'long (long)') [-Werror,-Wattribute-alias]
+ 325 | SYSCALL_DEFINE1(alarm, unsigned int, seconds)
+ | ^
+ include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
+ 225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
+ | ^
+ include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
+ 236 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
+ | ^
+ include/linux/syscalls.h:251:18: note: expanded from macro '__SYSCALL_DEFINEx'
+ 251 | __attribute__((alias(__stringify(__se_sys##name)))); \
+ | ^
+ kernel/time/itimer.c:325:1: note: aliasee is declared here
+ include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
+ 225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
+ | ^
+ include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
+ 236 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
+ | ^
+ include/linux/syscalls.h:255:18: note: expanded from macro '__SYSCALL_DEFINEx'
+ 255 | asmlinkage long __se_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)) \
+ | ^
+ <scratch space>:16:1: note: expanded from here
+ 16 | __se_sys_alarm
+ | ^
+
+Disable the warnings in the same way for clang-23 and newer. Disable the
+warning about unknown warning options to avoid breaking the build for
+versions of clang-23 that do not have -Wattribute-alias, such as ones
+deployed by vendors like Android or CI systems or when bisecting LLVM
+between llvmorg-23-init and release/23.x.
+
+Cc: stable@vger.kernel.org
+Closes: https://github.com/ClangBuiltLinux/linux/issues/2163
+Link: https://github.com/llvm/llvm-project/commit/40da6920a0d71d49dfa2392b09153600b0759f5e [1]
+Link: https://patch.msgid.link/20260515-syscall-disable-attribute-alias-for-clang-v1-1-9a9d95d41df6@kernel.org
+[nathan: Drop arch/riscv hunk in older trees and address conflicts]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/compat.h | 4 ++++
+ include/linux/compiler-clang.h | 6 ++++++
+ include/linux/compiler_types.h | 4 ++++
+ include/linux/syscalls.h | 4 ++++
+ 4 files changed, 18 insertions(+)
+
+diff --git a/include/linux/compat.h b/include/linux/compat.h
+index 77e84d17521eb8..38f22c9ac9109b 100644
+--- a/include/linux/compat.h
++++ b/include/linux/compat.h
+@@ -72,6 +72,10 @@
+ __diag_push(); \
+ __diag_ignore(GCC, 8, "-Wattribute-alias", \
+ "Type aliasing is used to sanitize syscall arguments");\
++ __diag_ignore(clang, 23, "-Wunknown-warning-option", \
++ "Avoid breaking versions without -Wattribute-alias"); \
++ __diag_ignore(clang, 23, "-Wattribute-alias", \
++ "Type aliasing is used to sanitize syscall arguments"); \
+ asmlinkage long compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \
+ __attribute__((alias(__stringify(__se_compat_sys##name)))); \
+ ALLOW_ERROR_INJECTION(compat_sys##name, ERRNO); \
+diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
+index f9de53fff3acc4..2fd5b596b36b5c 100644
+--- a/include/linux/compiler-clang.h
++++ b/include/linux/compiler-clang.h
+@@ -144,5 +144,11 @@
+ #define __diag_clang_11(s)
+ #endif
+
++#if CONFIG_CLANG_VERSION >= 230000
++#define __diag_clang_23(s) __diag(s)
++#else
++#define __diag_clang_23(s)
++#endif
++
+ #define __diag_ignore_all(option, comment) \
+ __diag_clang(11, ignore, option)
+diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
+index ef359a76b11f89..7c9883c499cfe1 100644
+--- a/include/linux/compiler_types.h
++++ b/include/linux/compiler_types.h
+@@ -399,6 +399,10 @@ struct ftrace_likely_data {
+ #define __diag_GCC(version, severity, string)
+ #endif
+
++#ifndef __diag_clang
++#define __diag_clang(version, severity, string)
++#endif
++
+ #define __diag_push() __diag(push)
+ #define __diag_pop() __diag(pop)
+
+diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
+index dcce762b48facb..7ff6bc7da1f655 100644
+--- a/include/linux/syscalls.h
++++ b/include/linux/syscalls.h
+@@ -240,6 +240,10 @@ static inline int is_syscall_trace_event(struct trace_event_call *tp_event)
+ __diag_push(); \
+ __diag_ignore(GCC, 8, "-Wattribute-alias", \
+ "Type aliasing is used to sanitize syscall arguments");\
++ __diag_ignore(clang, 23, "-Wunknown-warning-option", \
++ "Avoid breaking versions without -Wattribute-alias");\
++ __diag_ignore(clang, 23, "-Wattribute-alias", \
++ "Type aliasing is used to sanitize syscall arguments");\
+ asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \
+ __attribute__((alias(__stringify(__se_sys##name)))); \
+ ALLOW_ERROR_INJECTION(sys##name, ERRNO); \
+--
+2.53.0
+
--- /dev/null
+From 7c9193103c51ab28e99bdfa51b1d59514cb6d247 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jun 2026 17:55:10 +0800
+Subject: dmaengine: idxd: Fix not releasing workqueue on .release()
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit 3d33de353b1ff9023d5ec73b9becf80ea87af695 ]
+
+The workqueue associated with an DSA/IAA device is not released when
+the object is freed.
+
+Fixes: 47c16ac27d4c ("dmaengine: idxd: fix idxd conf_dev 'struct device' lifetime")
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-7-7ed70658a9d1@intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+[ Remove destroy_workqueue(idxd->wq) from the function idxd_remove() to
+avoid the workqueue is released twice. ]
+Signed-off-by: Wenshan Lan <jetlan9@163.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/idxd/init.c | 1 -
+ drivers/dma/idxd/sysfs.c | 1 +
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c
+index 6059ffc08eace1..2880a0b0f5e67e 100644
+--- a/drivers/dma/idxd/init.c
++++ b/drivers/dma/idxd/init.c
+@@ -813,7 +813,6 @@ static void idxd_remove(struct pci_dev *pdev)
+ if (device_user_pasid_enabled(idxd))
+ iommu_dev_disable_feature(&pdev->dev, IOMMU_DEV_FEAT_SVA);
+ pci_disable_device(pdev);
+- destroy_workqueue(idxd->wq);
+ perfmon_pmu_remove(idxd);
+ put_device(idxd_confdev(idxd));
+ }
+diff --git a/drivers/dma/idxd/sysfs.c b/drivers/dma/idxd/sysfs.c
+index 0689464c4816ab..ea222e1654ab94 100644
+--- a/drivers/dma/idxd/sysfs.c
++++ b/drivers/dma/idxd/sysfs.c
+@@ -1663,6 +1663,7 @@ static void idxd_conf_device_release(struct device *dev)
+ {
+ struct idxd_device *idxd = confdev_to_idxd(dev);
+
++ destroy_workqueue(idxd->wq);
+ kfree(idxd->groups);
+ bitmap_free(idxd->wq_enable_map);
+ kfree(idxd->wqs);
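Review bot: `destroy_workqueue(idxd->wq)` now runs in the release callback with no check that the workqueue exists. If any path drops the last reference before `idxd->wq` is created, or after an error path has already destroyed it, the callback would act on a NULL or stale pointer. Neither case is visible in this hunk, so this needs confirming against the probe code of this tree. A guard such as `if (idxd->wq) destroy_workqueue(idxd->wq);`, with the pointer cleared wherever else it is destroyed, would make the release safe on those paths. idxd_conf_device_release() continues past the end of the hunk.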
+--
+2.53.0
+
--- /dev/null
+bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch
+usb-serial-mct_u232-fix-memory-corruption-with-small.patch
+dmaengine-idxd-fix-not-releasing-workqueue-on-.relea.patch
+disable-wattribute-alias-for-clang-23-and-newer.patch
--- /dev/null
+From e3e3be4a49abcf9949bd8a97775c9c9eddfb76f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2026 14:11:33 +0200
+Subject: USB: serial: mct_u232: fix memory corruption with small endpoint
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 915b36d701950503c4ea0f6e314b10868e59fce3 upstream.
+
+The driver overrides the maximum transfer size for a specific device
+which only accepts 16 byte packets for its 32 byte bulk-out endpoint.
+
+Make sure to never increase the maximum transfer size to prevent slab
+corruption should a malicious device report a smaller endpoint max
+packet size than expected.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/serial/mct_u232.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
+index 389bbab8182a41..3c1351bb7ca3d8 100644
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -379,6 +379,7 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
+ {
+ struct usb_serial *serial = port->serial;
+ struct mct_u232_private *priv;
++ u16 pid;
+
+ /* check first to simplify error handling */
+ if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
+@@ -386,6 +387,16 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
+ return -ENODEV;
+ }
+
++ /*
++ * Compensate for a hardware bug: although the Sitecom U232-P25
++ * device reports a maximum output packet size of 32 bytes,
++ * it seems to be able to accept only 16 bytes (and that's what
++ * SniffUSB says too...)
++ */
++ pid = le16_to_cpu(serial->dev->descriptor.idProduct);
++ if (pid == MCT_U232_SITECOM_PID)
++ port->bulk_out_size = min(16, port->bulk_out_size);
++
+ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+ return -ENOMEM;
+@@ -411,7 +422,6 @@ static void mct_u232_port_remove(struct usb_serial_port *port)
+
+ static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
+ {
+- struct usb_serial *serial = port->serial;
+ struct mct_u232_private *priv = usb_get_serial_port_data(port);
+ int retval = 0;
+ unsigned int control_state;
+@@ -419,15 +429,6 @@ static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
+ unsigned char last_lcr;
+ unsigned char last_msr;
+
+- /* Compensate for a hardware bug: although the Sitecom U232-P25
+- * device reports a maximum output packet size of 32 bytes,
+- * it seems to be able to accept only 16 bytes (and that's what
+- * SniffUSB says too...)
+- */
+- if (le16_to_cpu(serial->dev->descriptor.idProduct)
+- == MCT_U232_SITECOM_PID)
+- port->bulk_out_size = 16;
+-
+ /* Do a defined restart: the normal serial device seems to
+ * always turn on DTR and RTS here, so do the same. I'm not
+ * sure if this is really necessary. But it should not harm
+--
+2.53.0
+
--- /dev/null
+From 118999c3ea67ee7a625d7b705a84a2c5d4544d45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2026 15:53:55 +0200
+Subject: ARM: allow __do_kernel_fault() to report execution of memory faults
+
+From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+
+commit 40b466db1dffb41f0529035c59c5739636d0e5b8 upstream.
+
+Allow __do_kernel_fault() to detect the execution of memory, so we can
+provide the same fault message as do_page_fault() would do. This is
+required when we split the kernel address fault handling from the
+main do_page_fault() code path.
+
+Reviewed-by: Xie Yuanbin <xieyuanbin1@huawei.com>
+Tested-by: Xie Yuanbin <xieyuanbin1@huawei.com>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/fault.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
+index 4dca7b75ae5e43..1d052d3c767d96 100644
+--- a/arch/arm/mm/fault.c
++++ b/arch/arm/mm/fault.c
+@@ -176,6 +176,8 @@ __do_kernel_fault(struct mm_struct *mm, unsigned long addr, unsigned int fsr,
+ */
+ if (addr < PAGE_SIZE) {
+ msg = "NULL pointer dereference";
++ } else if (is_permission_fault(fsr) && fsr & FSR_LNX_PF) {
++ msg = "execution of memory";
+ } else {
+ if (is_translation_fault(fsr) &&
+ kfence_handle_page_fault(addr, is_write_fault(fsr), regs))
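Review bot: The new condition `is_permission_fault(fsr) && fsr & FSR_LNX_PF` mixes `&&` and `&` without parentheses; it evaluates as intended because `&` binds tighter, but the reader has to work that out. I would write it as `} else if (is_permission_fault(fsr) && (fsr & FSR_LNX_PF)) {`. __do_kernel_fault() starts and ends outside this hunk, and the same line appears in the second copy of this patch (index f87f353e5a8b0a..192c8ab196dbab).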
+--
+2.53.0
+
--- /dev/null
+From 3d00acaa8e5ba357b1706dd0002cc5aa941b2be0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2026 15:53:57 +0200
+Subject: ARM: fix branch predictor hardening
+
+From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+
+commit fd2dee1c6e2256f726ba33fd3083a7be0efc80d3 upstream.
+
+__do_user_fault() may be called with indeterminent interrupt enable
+state, which means we may be preemptive at this point. This causes
+problems when calling harden_branch_predictor(). For example, when
+called from a data abort, do_alignment_fault()->do_bad_area().
+
+Move harden_branch_predictor() out of __do_user_fault() and into the
+calling contexts.
+
+Moving it into do_kernel_address_page_fault(), we can be sure that
+interrupts will be disabled here.
+
+Converting do_translation_fault() to use do_kernel_address_page_fault()
+rather than do_bad_area() means that we keep branch predictor handling
+for translation faults. Interrupts will also be disabled at this call
+site.
+
+do_sect_fault() needs special handling, so detect user mode accesses
+to kernel-addresses, and add an explicit call to branch predictor
+hardening.
+
+Finally, add branch predictor hardening to do_alignment() for the
+faulting case (user mode accessing kernel addresses) before interrupts
+are enabled.
+
+This should cover all cases where harden_branch_predictor() is called,
+ensuring that it is always has interrupts disabled, also ensuring that
+it is called early in each call path.
+
+Reviewed-by: Xie Yuanbin <xieyuanbin1@huawei.com>
+Tested-by: Xie Yuanbin <xieyuanbin1@huawei.com>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/alignment.c | 6 +++++-
+ arch/arm/mm/fault.c | 39 ++++++++++++++++++++++++++-------------
+ 2 files changed, 31 insertions(+), 14 deletions(-)
+
+diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c
+index 3c6ddb1afdc463..812380f30ae36a 100644
+--- a/arch/arm/mm/alignment.c
++++ b/arch/arm/mm/alignment.c
+@@ -19,10 +19,11 @@
+ #include <linux/init.h>
+ #include <linux/sched/signal.h>
+ #include <linux/uaccess.h>
++#include <linux/unaligned.h>
+
+ #include <asm/cp15.h>
+ #include <asm/system_info.h>
+-#include <linux/unaligned.h>
++#include <asm/system_misc.h>
+ #include <asm/opcodes.h>
+
+ #include "fault.h"
+@@ -809,6 +810,9 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+ int thumb2_32b = 0;
+ int fault;
+
++ if (addr >= TASK_SIZE && user_mode(regs))
++ harden_branch_predictor();
++
+ if (interrupts_enabled(regs))
+ local_irq_enable();
+
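Review bot: The added check in do_alignment() carries no comment, although its position before `local_irq_enable()` is the whole point of the change and the identical check in do_sect_fault() is commented. A later edit could move it below the interrupt enable without anyone noticing. I would add `/* User-mode access to a kernel address: harden the branch predictor while interrupts are still disabled. */` above the `if`. do_alignment() starts and ends outside this hunk; the same hunk appears in the second copy of this patch further down.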
+diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
+index 8768c70fd885bc..16b5a7d214808f 100644
+--- a/arch/arm/mm/fault.c
++++ b/arch/arm/mm/fault.c
+@@ -199,9 +199,6 @@ __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig,
+ {
+ struct task_struct *tsk = current;
+
+- if (addr > TASK_SIZE)
+- harden_branch_predictor();
+-
+ #ifdef CONFIG_DEBUG_USER
+ if (((user_debug & UDBG_SEGV) && (sig == SIGSEGV)) ||
+ ((user_debug & UDBG_BUS) && (sig == SIGBUS))) {
+@@ -270,8 +267,10 @@ do_kernel_address_page_fault(struct mm_struct *mm, unsigned long addr,
+ /*
+ * Fault from user mode for a kernel space address. User mode
+ * should not be faulting in kernel space, which includes the
+- * vector/khelper page. Send a SIGSEGV.
++ * vector/khelper page. Handle the branch predictor hardening
++ * while interrupts are still disabled, then send a SIGSEGV.
+ */
++ harden_branch_predictor();
+ __do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs);
+ } else {
+ /*
+@@ -486,16 +485,20 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+ * We enter here because the first level page table doesn't contain
+ * a valid entry for the address.
+ *
+- * If the address is in kernel space (>= TASK_SIZE), then we are
+- * probably faulting in the vmalloc() area.
++ * If this is a user address (addr < TASK_SIZE), we handle this as a
++ * normal page fault. This leaves the remainder of the function to handle
++ * kernel address translation faults.
+ *
+- * If the init_task's first level page tables contains the relevant
+- * entry, we copy the it to this task. If not, we send the process
+- * a signal, fixup the exception, or oops the kernel.
++ * Since user mode is not permitted to access kernel addresses, pass these
++ * directly to do_kernel_address_page_fault() to handle.
+ *
+- * NOTE! We MUST NOT take any locks for this case. We may be in an
+- * interrupt or a critical region, and should only copy the information
+- * from the master page table, nothing more.
++ * Otherwise, we're probably faulting in the vmalloc() area, so try to fix
++ * that up. Note that we must not take any locks or enable interrupts in
++ * this case.
++ *
++ * If vmalloc() fixup fails, that means the non-leaf page tables did not
++ * contain an entry for this address, so handle this via
++ * do_kernel_address_page_fault().
+ */
+ #ifdef CONFIG_MMU
+ static int __kprobes
+@@ -561,7 +564,8 @@ do_translation_fault(unsigned long addr, unsigned int fsr,
+ return 0;
+
+ bad_area:
+- do_bad_area(addr, fsr, regs);
++ do_kernel_address_page_fault(current->mm, addr, fsr, regs);
++
+ return 0;
+ }
+ #else /* CONFIG_MMU */
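Review bot: The bad_area path of do_translation_fault() now goes through do_kernel_address_page_fault(), which, as added by the hash_name() patch in this queue, calls `local_irq_enable()` for kernel-mode faults when the parent context had interrupts enabled, while the rewritten function comment says interrupts must not be enabled "in this case". I read that restriction as applying only to the vmalloc() fixup, but the comment does not say so; a sentence such as `Once the fixup has failed, do_kernel_address_page_fault() may re-enable interrupts.` would settle it. The result of the call is also dropped; `return do_kernel_address_page_fault(current->mm, addr, fsr, regs);` would match the call in do_page_fault(). The function body starts outside this hunk.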
+@@ -581,7 +585,16 @@ do_translation_fault(unsigned long addr, unsigned int fsr,
+ static int
+ do_sect_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+ {
++ /*
++ * If this is a kernel address, but from user mode, then userspace
++ * is trying bad stuff. Invoke the branch predictor handling.
++ * Interrupts are disabled here.
++ */
++ if (addr >= TASK_SIZE && user_mode(regs))
++ harden_branch_predictor();
++
+ do_bad_area(addr, fsr, regs);
++
+ return 0;
+ }
+ #endif /* CONFIG_ARM_LPAE */
+--
+2.53.0
+
--- /dev/null
+From 926b0d9847aa8d9515741af254b988ed3722f936 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2026 15:53:56 +0200
+Subject: ARM: fix hash_name() fault
+
+From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+
+commit 7733bc7d299d682f2723dc38fc7f370b9bf973e9 upstream.
+
+Zizhi Wo reports:
+
+"During the execution of hash_name()->load_unaligned_zeropad(), a
+ potential memory access beyond the PAGE boundary may occur. For
+ example, when the filename length is near the PAGE_SIZE boundary.
+ This triggers a page fault, which leads to a call to
+ do_page_fault()->mmap_read_trylock(). If we can't acquire the lock,
+ we have to fall back to the mmap_read_lock() path, which calls
+ might_sleep(). This breaks RCU semantics because path lookup occurs
+ under an RCU read-side critical section."
+
+This is seen with CONFIG_DEBUG_ATOMIC_SLEEP=y and CONFIG_KFENCE=y.
+
+Kernel addresses (with the exception of the vectors/kuser helper
+page) do not have VMAs associated with them. If the vectors/kuser
+helper page faults, then there are two possibilities:
+
+1. if the fault happened while in kernel mode, then we're basically
+ dead, because the CPU won't be able to vector through this page
+ to handle the fault.
+2. if the fault happened while in user mode, that means the page was
+ protected from user access, and we want to fault anyway.
+
+Thus, we can handle kernel addresses from any context entirely
+separately without going anywhere near the mmap lock. This gives us
+an entirely non-sleeping path for all kernel mode kernel address
+faults.
+
+As we handle the kernel address faults before interrupts are enabled,
+this change has the side effect of improving the branch predictor
+hardening, but does not completely solve the issue.
+
+Reported-by: Zizhi Wo <wozizhi@huaweicloud.com>
+Reported-by: Xie Yuanbin <xieyuanbin1@huawei.com>
+Link: https://lore.kernel.org/r/20251126090505.3057219-1-wozizhi@huaweicloud.com
+Reviewed-by: Xie Yuanbin <xieyuanbin1@huawei.com>
+Tested-by: Xie Yuanbin <xieyuanbin1@huawei.com>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/fault.c | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
+index 1d052d3c767d96..8768c70fd885bc 100644
+--- a/arch/arm/mm/fault.c
++++ b/arch/arm/mm/fault.c
+@@ -262,6 +262,35 @@ static inline bool ttbr0_usermode_access_allowed(struct pt_regs *regs)
+ }
+ #endif
+
++static int __kprobes
++do_kernel_address_page_fault(struct mm_struct *mm, unsigned long addr,
++ unsigned int fsr, struct pt_regs *regs)
++{
++ if (user_mode(regs)) {
++ /*
++ * Fault from user mode for a kernel space address. User mode
++ * should not be faulting in kernel space, which includes the
++ * vector/khelper page. Send a SIGSEGV.
++ */
++ __do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs);
++ } else {
++ /*
++ * Fault from kernel mode. Enable interrupts if they were
++ * enabled in the parent context. Section (upper page table)
++ * translation faults are handled via do_translation_fault(),
++ * so we will only get here for a non-present kernel space
++ * PTE or PTE permission fault. This may happen in exceptional
++ * circumstances and need the fixup tables to be walked.
++ */
++ if (interrupts_enabled(regs))
++ local_irq_enable();
++
++ __do_kernel_fault(mm, addr, fsr, regs);
++ }
++
++ return 0;
++}
++
+ static int __kprobes
+ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+ {
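Review bot: do_kernel_address_page_fault() is added without a header comment, so its calling contract has to be pieced together from the commit message and the call site. I would put a short block comment above it stating that it handles faults on addresses at or above TASK_SIZE, that it is entered before interrupts are re-enabled, and that it must stay free of the mmap lock and anything else that can sleep, since that is the reason the path exists. The two in-body comments explain each branch well and can stay as they are.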
+@@ -275,6 +304,12 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+ if (kprobe_page_fault(regs, fsr))
+ return 0;
+
++ /*
++ * Handle kernel addresses faults separately, which avoids touching
++ * the mmap lock from contexts that are not able to sleep.
++ */
++ if (addr >= TASK_SIZE)
++ return do_kernel_address_page_fault(mm, addr, fsr, regs);
+
+ /* Enable interrupts if they were enabled in the parent context. */
+ if (interrupts_enabled(regs))
+--
+2.53.0
+
--- /dev/null
+From d99ba41af61fbe7af8709d9ccc26f1c0c31a4ab4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2026 15:53:54 +0200
+Subject: ARM: group is_permission_fault() with is_translation_fault()
+
+From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+
+commit dea20281ac88226615761c570c8ff7adc18e6ac2 upstream.
+
+Group is_permission_fault() with is_translation_fault(), which is
+needed to use is_permission_fault() in __do_kernel_fault(). As
+this is static inline, there is no need for this to be under
+CONFIG_MMU.
+
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/fault.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
+index ab01b51de5590b..4dca7b75ae5e43 100644
+--- a/arch/arm/mm/fault.c
++++ b/arch/arm/mm/fault.c
+@@ -128,6 +128,19 @@ static inline bool is_translation_fault(unsigned int fsr)
+ return false;
+ }
+
++static inline bool is_permission_fault(unsigned int fsr)
++{
++ int fs = fsr_fs(fsr);
++#ifdef CONFIG_ARM_LPAE
++ if ((fs & FS_MMU_NOLL_MASK) == FS_PERM_NOLL)
++ return true;
++#else
++ if (fs == FS_L1_PERM || fs == FS_L2_PERM)
++ return true;
++#endif
++ return false;
++}
++
+ static void die_kernel_fault(const char *msg, struct mm_struct *mm,
+ unsigned long addr, unsigned int fsr,
+ struct pt_regs *regs)
+@@ -226,19 +239,6 @@ void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+ }
+
+ #ifdef CONFIG_MMU
+-static inline bool is_permission_fault(unsigned int fsr)
+-{
+- int fs = fsr_fs(fsr);
+-#ifdef CONFIG_ARM_LPAE
+- if ((fs & FS_MMU_NOLL_MASK) == FS_PERM_NOLL)
+- return true;
+-#else
+- if (fs == FS_L1_PERM || fs == FS_L2_PERM)
+- return true;
+-#endif
+- return false;
+-}
+-
+ #ifdef CONFIG_CPU_TTBR0_PAN
+ static inline bool ttbr0_usermode_access_allowed(struct pt_regs *regs)
+ {
+--
+2.53.0
+
--- /dev/null
+From 8d4ccdc3a532a9a74ef0eba9c36c455b3417e6b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Apr 2026 01:26:43 +0000
+Subject: bpf: Free reuseport cBPF prog after RCU grace period.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 18fc650ccd7fe3376eca89203668cfb8268f60df ]
+
+Eulgyu Kim reported the splat below with a repro. [0]
+
+The repro sets up a UDP reuseport group with a cBPF prog and
+replaces it with a new one while another thread is sending
+a UDP packet to the group.
+
+The reuseport prog is freed by sk_reuseport_prog_free().
+bpf_prog_put() is called for "e"BPF prog to destruct through
+multiple stages while cBPF prog is freed immediately by
+bpf_release_orig_filter() and bpf_prog_free().
+
+If a reuseport prog is detached from the setsockopt() path
+(reuseport_attach_prog() or reuseport_detach_prog()),
+sk_reuseport_prog_free() is called without waiting for RCU
+readers to complete, resulting in various bugs.
+
+Let's defer freeing the reuseport cBPF prog after one RCU
+grace period.
+
+Note "e"BPF prog is safe as is unless the fast path starts
+to touch fields destroyed in bpf_prog_put_deferred() and
+__bpf_prog_put_noref().
+
+[0]:
+BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
+Read of size 4 at addr ffffc9000051e004 by task slowme/10208
+CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)
+Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+Call Trace:
+ <IRQ>
+ dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
+ udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495
+ __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723
+ __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752
+ __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752
+ ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
+ ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ __netif_receive_skb_one_core net/core/dev.c:6181 [inline]
+ __netif_receive_skb net/core/dev.c:6294 [inline]
+ process_backlog+0xaa4/0x1960 net/core/dev.c:6645
+ __napi_poll+0xae/0x340 net/core/dev.c:7709
+ napi_poll net/core/dev.c:7772 [inline]
+ net_rx_action+0x5d7/0xf50 net/core/dev.c:7929
+ handle_softirqs+0x22b/0x870 kernel/softirq.c:622
+ do_softirq+0x76/0xd0 kernel/softirq.c:523
+ </IRQ>
+ <TASK>
+ __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
+ local_bh_enable include/linux/bottom_half.h:33 [inline]
+ rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
+ __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890
+ neigh_output include/net/neighbour.h:556 [inline]
+ ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip_output+0x29f/0x450 net/ipv4/ip_output.c:438
+ ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508
+ udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195
+ udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ __sys_sendto+0x554/0x680 net/socket.c:2206
+ __do_sys_sendto net/socket.c:2213 [inline]
+ __se_sys_sendto net/socket.c:2209 [inline]
+ __x64_sys_sendto+0xde/0x100 net/socket.c:2209
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x415a2d
+Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d
+RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003
+RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010
+R10: 0000000000000000 R11: 0000000000000212 R12: 00007f6bc31e46c0
+R13: ffffffffffffffb8 R14: 0000000000000000 R15: 00007ffc9b0d70b0
+ </TASK>
+
+Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
+Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
+Reported-by: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20260426012647.3233119-1-kuniyu@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 193ecaa7425ea2..3d71a59072533d 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -1651,15 +1651,24 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk)
+ return err;
+ }
+
++static void sk_reuseport_prog_free_rcu(struct rcu_head *rcu)
++{
++ struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
++ struct bpf_prog *prog = aux->prog;
++
++ bpf_release_orig_filter(prog);
++ bpf_prog_free(prog);
++}
++
+ void sk_reuseport_prog_free(struct bpf_prog *prog)
+ {
+ if (!prog)
+ return;
+
+- if (prog->type == BPF_PROG_TYPE_SK_REUSEPORT)
+- bpf_prog_put(prog);
++ if (bpf_prog_was_classic(prog))
++ call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu);
+ else
+- bpf_prog_destroy(prog);
++ bpf_prog_put(prog);
+ }
+
+ struct bpf_scratchpad {
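Review bot: sk_reuseport_prog_free() now treats the two program kinds differently, but nothing in the code says why only the classic one goes through `call_rcu()`. The reasoning lives in the commit message only: a cBPF prog is otherwise freed immediately while readers on the receive path may still hold the pointer. I would add above the `if`: `/* cBPF progs are freed directly, so wait for RCU readers first; eBPF is torn down in stages by bpf_prog_put(). */`. A one-line comment on sk_reuseport_prog_free_rcu() noting that it runs after the grace period would also help.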
+--
+2.53.0
+
--- /dev/null
+From 5b4e8d854b6d27bd7353caf435de8c0972ef82a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Apr 2026 15:41:01 +0200
+Subject: net: phy: micrel: fix LAN8814 QSGMII soft reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Robert Marko <robert.marko@sartura.hr>
+
+[ Upstream commit e027c218c482c6a0ae1948129ccda3b0a2033368 ]
+
+LAN8814 QSGMII soft reset was moved into the probe function to avoid
+triggering it for each of 4 PHY-s in the package.
+
+However, that broke QSGMII link between the MAC and PHY on most LAN8814
+PHY-s, specificaly for us on the Microchip LAN969x switch.
+Reading the QSGMII status registers it was visible that lanes were only
+partially synced.
+
+It looks like the reset timing is crucial, so lets move the reset back
+into the .config_init function but guard it with phy_package_init_once()
+to avoid it being triggered on each of 4 PHY-s in the package.
+Change the probe function to use phy_package_probe_once() for coma and PtP
+setup.
+
+Fixes: 347bf638d39f ("net: phy: micrel: lan8814 fix reset of the QSGMII interface")
+Signed-off-by: Robert Marko <robert.marko@sartura.hr>
+Link: https://patch.msgid.link/20260428134138.1741253-1-robert.marko@sartura.hr
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Joël Esponde <joel.esponde@leroy-agon.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/micrel.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
+index f0c068075322f9..2dca6e8a5fce5c 100644
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -4093,6 +4093,13 @@ static int lan8814_config_init(struct phy_device *phydev)
+ {
+ struct kszphy_priv *lan8814 = phydev->priv;
+
++ if (phy_package_init_once(phydev))
++ /* Reset the PHY */
++ lanphy_modify_page_reg(phydev, LAN8814_PAGE_COMMON_REGS,
++ LAN8814_QSGMII_SOFT_RESET,
++ LAN8814_QSGMII_SOFT_RESET_BIT,
++ LAN8814_QSGMII_SOFT_RESET_BIT);
++
+ /* Disable ANEG with QSGMII PCS Host side */
+ lanphy_modify_page_reg(phydev, LAN8814_PAGE_PORT_REGS,
+ LAN8814_QSGMII_PCS1G_ANEG_CONFIG,
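Review bot: The reset block moved into lan8814_config_init() lost its braces: the body of `if (phy_package_init_once(phydev))` is now a comment plus a call spanning five lines, which kernel reviewers usually ask to have braced and which is easy to break when a second statement is added. I would restore them, `if (phy_package_init_once(phydev)) {` … `}`, as the removed probe code had. The return value of lanphy_modify_page_reg() is also ignored here, as it was before the move, so a failed reset goes unnoticed; whether that matters depends on code outside this hunk. The function continues past the hunk.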
+@@ -4177,13 +4184,7 @@ static int lan8814_probe(struct phy_device *phydev)
+ devm_phy_package_join(&phydev->mdio.dev, phydev,
+ addr, sizeof(struct lan8814_shared_priv));
+
+- if (phy_package_init_once(phydev)) {
+- /* Reset the PHY */
+- lanphy_modify_page_reg(phydev, LAN8814_PAGE_COMMON_REGS,
+- LAN8814_QSGMII_SOFT_RESET,
+- LAN8814_QSGMII_SOFT_RESET_BIT,
+- LAN8814_QSGMII_SOFT_RESET_BIT);
+-
++ if (phy_package_probe_once(phydev)) {
+ err = lan8814_release_coma_mode(phydev);
+ if (err)
+ return err;
+--
+2.53.0
+
--- /dev/null
+bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch
+usb-serial-mct_u232-fix-memory-corruption-with-small.patch
+arm-group-is_permission_fault-with-is_translation_fa.patch
+arm-allow-__do_kernel_fault-to-report-execution-of-m.patch
+arm-fix-hash_name-fault.patch
+arm-fix-branch-predictor-hardening.patch
+net-phy-micrel-fix-lan8814-qsgmii-soft-reset.patch
+wifi-remove-zero-length-arrays.patch
--- /dev/null
+From 8d0fd8b9a42dd7c07484915459a5efe6e3f1ab2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2026 14:11:33 +0200
+Subject: USB: serial: mct_u232: fix memory corruption with small endpoint
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 915b36d701950503c4ea0f6e314b10868e59fce3 upstream.
+
+The driver overrides the maximum transfer size for a specific device
+which only accepts 16 byte packets for its 32 byte bulk-out endpoint.
+
+Make sure to never increase the maximum transfer size to prevent slab
+corruption should a malicious device report a smaller endpoint max
+packet size than expected.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/serial/mct_u232.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
+index d225d7c1455f4f..33d4bbc461be6a 100644
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -378,6 +378,7 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
+ {
+ struct usb_serial *serial = port->serial;
+ struct mct_u232_private *priv;
++ u16 pid;
+
+ /* check first to simplify error handling */
+ if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
+@@ -385,6 +386,16 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
+ return -ENODEV;
+ }
+
++ /*
++ * Compensate for a hardware bug: although the Sitecom U232-P25
++ * device reports a maximum output packet size of 32 bytes,
++ * it seems to be able to accept only 16 bytes (and that's what
++ * SniffUSB says too...)
++ */
++ pid = le16_to_cpu(serial->dev->descriptor.idProduct);
++ if (pid == MCT_U232_SITECOM_PID)
++ port->bulk_out_size = min(16, port->bulk_out_size);
++
+ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+ return -ENOMEM;
+@@ -410,7 +421,6 @@ static void mct_u232_port_remove(struct usb_serial_port *port)
+
+ static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
+ {
+- struct usb_serial *serial = port->serial;
+ struct mct_u232_private *priv = usb_get_serial_port_data(port);
+ int retval = 0;
+ unsigned int control_state;
+@@ -418,15 +428,6 @@ static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
+ unsigned char last_lcr;
+ unsigned char last_msr;
+
+- /* Compensate for a hardware bug: although the Sitecom U232-P25
+- * device reports a maximum output packet size of 32 bytes,
+- * it seems to be able to accept only 16 bytes (and that's what
+- * SniffUSB says too...)
+- */
+- if (le16_to_cpu(serial->dev->descriptor.idProduct)
+- == MCT_U232_SITECOM_PID)
+- port->bulk_out_size = 16;
+-
+ /* Do a defined restart: the normal serial device seems to
+ * always turn on DTR and RTS here, so do the same. I'm not
+ * sure if this is really necessary. But it should not harm
+--
+2.53.0
+
--- /dev/null
+From 9624cc1827c137d1d56189e8662b15d37d4a710d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jun 2026 13:32:16 +0000
+Subject: wifi: remove zero-length arrays
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit a85b8544d46390469b6ca72d6bfd3ecb7be985ff upstream.
+
+All of these are really meant to be variable-length, and
+in the case of s1g_beacon it's actually accessed. Make that
+one in particular, and a couple of others (that aren't used
+as arrays now), actually variable.
+
+Reported-by: syzbot+fd222bb38e916df26fa4@syzkaller.appspotmail.com
+Fixes: 1e1f706fc2ce ("wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements")
+Link: https://patch.msgid.link/20250614003037.a3e82e882251.I2e8b58e56ff2a9f8b06c66f036578b7c1d4e4685@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ieee80211.h | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
+index abb069aa5fa54f..85bf3ac6db570b 100644
+--- a/include/linux/ieee80211.h
++++ b/include/linux/ieee80211.h
+@@ -1266,7 +1266,7 @@ struct ieee80211_ext {
+ u8 sa[ETH_ALEN];
+ __le32 timestamp;
+ u8 change_seq;
+- u8 variable[0];
++ u8 variable[];
+ } __packed s1g_beacon;
+ } u;
+ } __packed __aligned(2);
+@@ -1522,7 +1522,7 @@ struct ieee80211_mgmt {
+ u8 action_code;
+ u8 dialog_token;
+ __le16 capability;
+- u8 variable[0];
++ u8 variable[];
+ } __packed tdls_discover_resp;
+ struct {
+ u8 action_code;
+@@ -1690,35 +1690,35 @@ struct ieee80211_tdls_data {
+ struct {
+ u8 dialog_token;
+ __le16 capability;
+- u8 variable[0];
++ u8 variable[];
+ } __packed setup_req;
+ struct {
+ __le16 status_code;
+ u8 dialog_token;
+ __le16 capability;
+- u8 variable[0];
++ u8 variable[];
+ } __packed setup_resp;
+ struct {
+ __le16 status_code;
+ u8 dialog_token;
+- u8 variable[0];
++ u8 variable[];
+ } __packed setup_cfm;
+ struct {
+ __le16 reason_code;
+- u8 variable[0];
++ u8 variable[];
+ } __packed teardown;
+ struct {
+ u8 dialog_token;
+- u8 variable[0];
++ u8 variable[];
+ } __packed discover_req;
+ struct {
+ u8 target_channel;
+ u8 oper_class;
+- u8 variable[0];
++ u8 variable[];
+ } __packed chan_switch_req;
+ struct {
+ __le16 status_code;
+- u8 variable[0];
++ u8 variable[];
+ } __packed chan_switch_resp;
+ } u;
+ } __packed;
+--
+2.53.0
+
--- /dev/null
+From 1d3670d5fb7e50e0c289ef8ac9e72752078bb747 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2026 15:53:55 +0200
+Subject: ARM: allow __do_kernel_fault() to report execution of memory faults
+
+From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+
+commit 40b466db1dffb41f0529035c59c5739636d0e5b8 upstream.
+
+Allow __do_kernel_fault() to detect the execution of memory, so we can
+provide the same fault message as do_page_fault() would do. This is
+required when we split the kernel address fault handling from the
+main do_page_fault() code path.
+
+Reviewed-by: Xie Yuanbin <xieyuanbin1@huawei.com>
+Tested-by: Xie Yuanbin <xieyuanbin1@huawei.com>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/fault.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
+index f87f353e5a8b0a..192c8ab196dbab 100644
+--- a/arch/arm/mm/fault.c
++++ b/arch/arm/mm/fault.c
+@@ -175,6 +175,8 @@ __do_kernel_fault(struct mm_struct *mm, unsigned long addr, unsigned int fsr,
+ */
+ if (addr < PAGE_SIZE) {
+ msg = "NULL pointer dereference";
++ } else if (is_permission_fault(fsr) && fsr & FSR_LNX_PF) {
++ msg = "execution of memory";
+ } else {
+ if (is_translation_fault(fsr) &&
+ kfence_handle_page_fault(addr, is_write_fault(fsr), regs))
+--
+2.53.0
+
--- /dev/null
+From a979e27807915908120a61c03cdd7bc7dbe51be1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2026 15:53:57 +0200
+Subject: ARM: fix branch predictor hardening
+
+From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+
+commit fd2dee1c6e2256f726ba33fd3083a7be0efc80d3 upstream.
+
+__do_user_fault() may be called with indeterminent interrupt enable
+state, which means we may be preemptive at this point. This causes
+problems when calling harden_branch_predictor(). For example, when
+called from a data abort, do_alignment_fault()->do_bad_area().
+
+Move harden_branch_predictor() out of __do_user_fault() and into the
+calling contexts.
+
+Moving it into do_kernel_address_page_fault(), we can be sure that
+interrupts will be disabled here.
+
+Converting do_translation_fault() to use do_kernel_address_page_fault()
+rather than do_bad_area() means that we keep branch predictor handling
+for translation faults. Interrupts will also be disabled at this call
+site.
+
+do_sect_fault() needs special handling, so detect user mode accesses
+to kernel-addresses, and add an explicit call to branch predictor
+hardening.
+
+Finally, add branch predictor hardening to do_alignment() for the
+faulting case (user mode accessing kernel addresses) before interrupts
+are enabled.
+
+This should cover all cases where harden_branch_predictor() is called,
+ensuring that it is always has interrupts disabled, also ensuring that
+it is called early in each call path.
+
+Reviewed-by: Xie Yuanbin <xieyuanbin1@huawei.com>
+Tested-by: Xie Yuanbin <xieyuanbin1@huawei.com>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/alignment.c | 6 +++++-
+ arch/arm/mm/fault.c | 39 ++++++++++++++++++++++++++-------------
+ 2 files changed, 31 insertions(+), 14 deletions(-)
+
+diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c
+index 3c6ddb1afdc463..812380f30ae36a 100644
+--- a/arch/arm/mm/alignment.c
++++ b/arch/arm/mm/alignment.c
+@@ -19,10 +19,11 @@
+ #include <linux/init.h>
+ #include <linux/sched/signal.h>
+ #include <linux/uaccess.h>
++#include <linux/unaligned.h>
+
+ #include <asm/cp15.h>
+ #include <asm/system_info.h>
+-#include <linux/unaligned.h>
++#include <asm/system_misc.h>
+ #include <asm/opcodes.h>
+
+ #include "fault.h"
+@@ -809,6 +810,9 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+ int thumb2_32b = 0;
+ int fault;
+
++ if (addr >= TASK_SIZE && user_mode(regs))
++ harden_branch_predictor();
++
+ if (interrupts_enabled(regs))
+ local_irq_enable();
+
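Review bot: The new check in do_alignment() carries no comment saying why it must sit ahead of `local_irq_enable()`, and the same `addr >= TASK_SIZE && user_mode(regs)` test is repeated in the do_sect_fault() hunk of fault.c. The commit message explains that harden_branch_predictor() has to run with interrupts disabled, so a later reordering of these two statements would quietly bring the preemptible call back. I would add `/* Kernel address from user mode: harden the branch predictor while interrupts are still disabled. */` above the `if`. A small `static inline` predicate in fault.h, which alignment.c already includes, would keep both call sites in step. do_alignment()'s body continues outside the hunk.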
+diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
+index 0e5b4bc7b21760..ed4330cc3f4e6f 100644
+--- a/arch/arm/mm/fault.c
++++ b/arch/arm/mm/fault.c
+@@ -198,9 +198,6 @@ __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig,
+ {
+ struct task_struct *tsk = current;
+
+- if (addr > TASK_SIZE)
+- harden_branch_predictor();
+-
+ #ifdef CONFIG_DEBUG_USER
+ if (((user_debug & UDBG_SEGV) && (sig == SIGSEGV)) ||
+ ((user_debug & UDBG_BUS) && (sig == SIGBUS))) {
+@@ -269,8 +266,10 @@ do_kernel_address_page_fault(struct mm_struct *mm, unsigned long addr,
+ /*
+ * Fault from user mode for a kernel space address. User mode
+ * should not be faulting in kernel space, which includes the
+- * vector/khelper page. Send a SIGSEGV.
++ * vector/khelper page. Handle the branch predictor hardening
++ * while interrupts are still disabled, then send a SIGSEGV.
+ */
++ harden_branch_predictor();
+ __do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs);
+ } else {
+ /*
+@@ -485,16 +484,20 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+ * We enter here because the first level page table doesn't contain
+ * a valid entry for the address.
+ *
+- * If the address is in kernel space (>= TASK_SIZE), then we are
+- * probably faulting in the vmalloc() area.
++ * If this is a user address (addr < TASK_SIZE), we handle this as a
++ * normal page fault. This leaves the remainder of the function to handle
++ * kernel address translation faults.
+ *
+- * If the init_task's first level page tables contains the relevant
+- * entry, we copy the it to this task. If not, we send the process
+- * a signal, fixup the exception, or oops the kernel.
++ * Since user mode is not permitted to access kernel addresses, pass these
++ * directly to do_kernel_address_page_fault() to handle.
+ *
+- * NOTE! We MUST NOT take any locks for this case. We may be in an
+- * interrupt or a critical region, and should only copy the information
+- * from the master page table, nothing more.
++ * Otherwise, we're probably faulting in the vmalloc() area, so try to fix
++ * that up. Note that we must not take any locks or enable interrupts in
++ * this case.
++ *
++ * If vmalloc() fixup fails, that means the non-leaf page tables did not
++ * contain an entry for this address, so handle this via
++ * do_kernel_address_page_fault().
+ */
+ #ifdef CONFIG_MMU
+ static int __kprobes
+@@ -560,7 +563,8 @@ do_translation_fault(unsigned long addr, unsigned int fsr,
+ return 0;
+
+ bad_area:
+- do_bad_area(addr, fsr, regs);
++ do_kernel_address_page_fault(current->mm, addr, fsr, regs);
++
+ return 0;
+ }
+ #else /* CONFIG_MMU */
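Review bot: At `bad_area`, `current->mm` is now passed to do_kernel_address_page_fault(), whereas do_bad_area() chose the mm itself; its body is not in this hunk, so whether both paths report against the same mm cannot be checked from here. If do_bad_area() used the task's active mm, a kernel thread reaching this label would now pass a NULL mm down to __do_kernel_fault(), so it is worth confirming that the oops reporting path tolerates that. A one-line comment at the call, e.g. `/* current->mm may be NULL for kernel threads; the kernel-fault path must accept that */`, would record the assumption. do_translation_fault() begins outside the hunk.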
+@@ -580,7 +584,16 @@ do_translation_fault(unsigned long addr, unsigned int fsr,
+ static int
+ do_sect_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+ {
++ /*
++ * If this is a kernel address, but from user mode, then userspace
++ * is trying bad stuff. Invoke the branch predictor handling.
++ * Interrupts are disabled here.
++ */
++ if (addr >= TASK_SIZE && user_mode(regs))
++ harden_branch_predictor();
++
+ do_bad_area(addr, fsr, regs);
++
+ return 0;
+ }
+ #endif /* CONFIG_ARM_LPAE */
+--
+2.53.0
+
--- /dev/null
+From 29185952ab2aa9f4b7296e97b5b1146bcaed0b50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2026 15:53:56 +0200
+Subject: ARM: fix hash_name() fault
+
+From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+
+commit 7733bc7d299d682f2723dc38fc7f370b9bf973e9 upstream.
+
+Zizhi Wo reports:
+
+"During the execution of hash_name()->load_unaligned_zeropad(), a
+ potential memory access beyond the PAGE boundary may occur. For
+ example, when the filename length is near the PAGE_SIZE boundary.
+ This triggers a page fault, which leads to a call to
+ do_page_fault()->mmap_read_trylock(). If we can't acquire the lock,
+ we have to fall back to the mmap_read_lock() path, which calls
+ might_sleep(). This breaks RCU semantics because path lookup occurs
+ under an RCU read-side critical section."
+
+This is seen with CONFIG_DEBUG_ATOMIC_SLEEP=y and CONFIG_KFENCE=y.
+
+Kernel addresses (with the exception of the vectors/kuser helper
+page) do not have VMAs associated with them. If the vectors/kuser
+helper page faults, then there are two possibilities:
+
+1. if the fault happened while in kernel mode, then we're basically
+ dead, because the CPU won't be able to vector through this page
+ to handle the fault.
+2. if the fault happened while in user mode, that means the page was
+ protected from user access, and we want to fault anyway.
+
+Thus, we can handle kernel addresses from any context entirely
+separately without going anywhere near the mmap lock. This gives us
+an entirely non-sleeping path for all kernel mode kernel address
+faults.
+
+As we handle the kernel address faults before interrupts are enabled,
+this change has the side effect of improving the branch predictor
+hardening, but does not completely solve the issue.
+
+Reported-by: Zizhi Wo <wozizhi@huaweicloud.com>
+Reported-by: Xie Yuanbin <xieyuanbin1@huawei.com>
+Link: https://lore.kernel.org/r/20251126090505.3057219-1-wozizhi@huaweicloud.com
+Reviewed-by: Xie Yuanbin <xieyuanbin1@huawei.com>
+Tested-by: Xie Yuanbin <xieyuanbin1@huawei.com>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/fault.c | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
+index 192c8ab196dbab..0e5b4bc7b21760 100644
+--- a/arch/arm/mm/fault.c
++++ b/arch/arm/mm/fault.c
+@@ -261,6 +261,35 @@ static inline bool ttbr0_usermode_access_allowed(struct pt_regs *regs)
+ }
+ #endif
+
++static int __kprobes
++do_kernel_address_page_fault(struct mm_struct *mm, unsigned long addr,
++ unsigned int fsr, struct pt_regs *regs)
++{
++ if (user_mode(regs)) {
++ /*
++ * Fault from user mode for a kernel space address. User mode
++ * should not be faulting in kernel space, which includes the
++ * vector/khelper page. Send a SIGSEGV.
++ */
++ __do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs);
++ } else {
++ /*
++ * Fault from kernel mode. Enable interrupts if they were
++ * enabled in the parent context. Section (upper page table)
++ * translation faults are handled via do_translation_fault(),
++ * so we will only get here for a non-present kernel space
++ * PTE or PTE permission fault. This may happen in exceptional
++ * circumstances and need the fixup tables to be walked.
++ */
++ if (interrupts_enabled(regs))
++ local_irq_enable();
++
++ __do_kernel_fault(mm, addr, fsr, regs);
++ }
++
++ return 0;
++}
++
+ static int __kprobes
+ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+ {
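Review bot: do_kernel_address_page_fault() is added without a header comment stating its contract: callers pass a kernel address (`addr >= TASK_SIZE`) and enter with interrupts still disabled, since the kernel-mode branch is the one that re-enables them. Nothing in the function checks either condition, and the user-mode branch sends SIGSEGV for whatever address it is given. I would add a block comment above the definition that names both preconditions and notes that the return value is always 0, so that do_page_fault() can return it directly.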
+@@ -274,6 +303,12 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+ if (kprobe_page_fault(regs, fsr))
+ return 0;
+
++ /*
++ * Handle kernel addresses faults separately, which avoids touching
++ * the mmap lock from contexts that are not able to sleep.
++ */
++ if (addr >= TASK_SIZE)
++ return do_kernel_address_page_fault(mm, addr, fsr, regs);
+
+ /* Enable interrupts if they were enabled in the parent context. */
+ if (interrupts_enabled(regs))
+--
+2.53.0
+
--- /dev/null
+From 4665ea6b6d801a544c92798b9aa7abc35ed28d31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2026 15:53:54 +0200
+Subject: ARM: group is_permission_fault() with is_translation_fault()
+
+From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+
+commit dea20281ac88226615761c570c8ff7adc18e6ac2 upstream.
+
+Group is_permission_fault() with is_translation_fault(), which is
+needed to use is_permission_fault() in __do_kernel_fault(). As
+this is static inline, there is no need for this to be under
+CONFIG_MMU.
+
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/fault.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
+index 2bc828a1940c05..f87f353e5a8b0a 100644
+--- a/arch/arm/mm/fault.c
++++ b/arch/arm/mm/fault.c
+@@ -128,6 +128,19 @@ static inline bool is_translation_fault(unsigned int fsr)
+ return false;
+ }
+
++static inline bool is_permission_fault(unsigned int fsr)
++{
++ int fs = fsr_fs(fsr);
++#ifdef CONFIG_ARM_LPAE
++ if ((fs & FS_MMU_NOLL_MASK) == FS_PERM_NOLL)
++ return true;
++#else
++ if (fs == FS_L1_PERM || fs == FS_L2_PERM)
++ return true;
++#endif
++ return false;
++}
++
+ static void die_kernel_fault(const char *msg, struct mm_struct *mm,
+ unsigned long addr, unsigned int fsr,
+ struct pt_regs *regs)
+@@ -225,19 +238,6 @@ void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+ }
+
+ #ifdef CONFIG_MMU
+-static inline bool is_permission_fault(unsigned int fsr)
+-{
+- int fs = fsr_fs(fsr);
+-#ifdef CONFIG_ARM_LPAE
+- if ((fs & FS_MMU_NOLL_MASK) == FS_PERM_NOLL)
+- return true;
+-#else
+- if (fs == FS_L1_PERM || fs == FS_L2_PERM)
+- return true;
+-#endif
+- return false;
+-}
+-
+ #ifdef CONFIG_CPU_TTBR0_PAN
+ static inline bool ttbr0_usermode_access_allowed(struct pt_regs *regs)
+ {
+--
+2.53.0
+
--- /dev/null
+From 04bce6bd62cc6b3f6b6e3580501113b2cad3db0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Apr 2026 01:26:43 +0000
+Subject: bpf: Free reuseport cBPF prog after RCU grace period.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 18fc650ccd7fe3376eca89203668cfb8268f60df ]
+
+Eulgyu Kim reported the splat below with a repro. [0]
+
+The repro sets up a UDP reuseport group with a cBPF prog and
+replaces it with a new one while another thread is sending
+a UDP packet to the group.
+
+The reuseport prog is freed by sk_reuseport_prog_free().
+bpf_prog_put() is called for "e"BPF prog to destruct through
+multiple stages while cBPF prog is freed immediately by
+bpf_release_orig_filter() and bpf_prog_free().
+
+If a reuseport prog is detached from the setsockopt() path
+(reuseport_attach_prog() or reuseport_detach_prog()),
+sk_reuseport_prog_free() is called without waiting for RCU
+readers to complete, resulting in various bugs.
+
+Let's defer freeing the reuseport cBPF prog after one RCU
+grace period.
+
+Note "e"BPF prog is safe as is unless the fast path starts
+to touch fields destroyed in bpf_prog_put_deferred() and
+__bpf_prog_put_noref().
+
+[0]:
+BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
+Read of size 4 at addr ffffc9000051e004 by task slowme/10208
+CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)
+Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+Call Trace:
+ <IRQ>
+ dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
+ udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495
+ __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723
+ __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752
+ __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752
+ ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
+ ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ __netif_receive_skb_one_core net/core/dev.c:6181 [inline]
+ __netif_receive_skb net/core/dev.c:6294 [inline]
+ process_backlog+0xaa4/0x1960 net/core/dev.c:6645
+ __napi_poll+0xae/0x340 net/core/dev.c:7709
+ napi_poll net/core/dev.c:7772 [inline]
+ net_rx_action+0x5d7/0xf50 net/core/dev.c:7929
+ handle_softirqs+0x22b/0x870 kernel/softirq.c:622
+ do_softirq+0x76/0xd0 kernel/softirq.c:523
+ </IRQ>
+ <TASK>
+ __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
+ local_bh_enable include/linux/bottom_half.h:33 [inline]
+ rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
+ __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890
+ neigh_output include/net/neighbour.h:556 [inline]
+ ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip_output+0x29f/0x450 net/ipv4/ip_output.c:438
+ ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508
+ udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195
+ udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ __sys_sendto+0x554/0x680 net/socket.c:2206
+ __do_sys_sendto net/socket.c:2213 [inline]
+ __se_sys_sendto net/socket.c:2209 [inline]
+ __x64_sys_sendto+0xde/0x100 net/socket.c:2209
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x415a2d
+Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d
+RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003
+RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010
+R10: 0000000000000000 R11: 0000000000000212 R12: 00007f6bc31e46c0
+R13: ffffffffffffffb8 R14: 0000000000000000 R15: 00007ffc9b0d70b0
+ </TASK>
+
+Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
+Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
+Reported-by: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20260426012647.3233119-1-kuniyu@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index e6dd40e0276ed1..0b61945491054b 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -1660,15 +1660,24 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk)
+ return err;
+ }
+
++static void sk_reuseport_prog_free_rcu(struct rcu_head *rcu)
++{
++ struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
++ struct bpf_prog *prog = aux->prog;
++
++ bpf_release_orig_filter(prog);
++ bpf_prog_free(prog);
++}
++
+ void sk_reuseport_prog_free(struct bpf_prog *prog)
+ {
+ if (!prog)
+ return;
+
+- if (prog->type == BPF_PROG_TYPE_SK_REUSEPORT)
+- bpf_prog_put(prog);
++ if (bpf_prog_was_classic(prog))
++ call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu);
+ else
+- bpf_prog_destroy(prog);
++ bpf_prog_put(prog);
+ }
+
+ static inline int __bpf_try_make_writable(struct sk_buff *skb,
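Review bot: sk_reuseport_prog_free() now gives the program two different lifetimes but has no comment saying why only the classic branch waits for a grace period. The commit message states that the eBPF branch is safe only while the fast path does not touch fields destroyed in bpf_prog_put_deferred() and __bpf_prog_put_noref(); that condition is easy to break later and is recorded only in the changelog. I would put it above the `if`: `/* cBPF: RCU readers in reuseport_select_sock() may still be running the prog, so free it after a grace period. eBPF: bpf_prog_put() suffices while the fast path avoids fields torn down in bpf_prog_put_deferred(). */`. A line on sk_reuseport_prog_free_rcu() noting that it reuses `aux->rcu`, which presumably no other path queues for a classic prog, would also help. The same hunk appears again further down this page in the copy of the patch for another tree.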
+--
+2.53.0
+
--- /dev/null
+bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch
+arm-group-is_permission_fault-with-is_translation_fa.patch
+arm-allow-__do_kernel_fault-to-report-execution-of-m.patch
+arm-fix-hash_name-fault.patch
+arm-fix-branch-predictor-hardening.patch
--- /dev/null
+From ea47648b6dfe7d9b309378d27e5e5605c365c91d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jun 2026 17:56:55 +0800
+Subject: Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync
+
+From: Pauli Virtanen <pav@iki.fi>
+
+[ Upstream commit a2639a7f0f5bf7d73f337f8f077c19415c62ed2c ]
+
+hci_conn lookup and field access must be covered by hdev lock in
+set_cig_params_sync, otherwise it's possible it is freed concurrently.
+
+Take hdev lock to prevent hci_conn from being deleted or modified
+concurrently. Just RCU lock is not suitable here, as we also want to
+avoid "tearing" in the configuration.
+
+Fixes: a091289218202 ("Bluetooth: hci_conn: Fix hci_le_set_cig_params")
+Signed-off-by: Pauli Virtanen <pav@iki.fi>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+[ Minor context conflict resolved. ]
+Signed-off-by: Alva Lan <alvalan9@foxmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_conn.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index f51c530a3c4583..ab86cc4a5e3fc8 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1734,9 +1734,13 @@ static int set_cig_params_sync(struct hci_dev *hdev, void *data)
+ struct iso_cig_params pdu;
+ u8 cis_id;
+
++ hci_dev_lock(hdev);
++
+ conn = hci_conn_hash_lookup_cig(hdev, cig_id);
+- if (!conn)
++ if (!conn) {
++ hci_dev_unlock(hdev);
+ return 0;
++ }
+
+ memset(&pdu, 0, sizeof(pdu));
+
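Review bot: hci_dev_lock() is taken at the top of set_cig_params_sync() and released in two places, here on the `!conn` path and in the next hunk after the loop, while the code between the two hunks is not shown. Any `return` in that hidden stretch would leave hdev locked, so the full function should be checked for one. After the second `hci_dev_unlock(hdev)` the looked-up `conn` is no longer protected, so a comment there such as `/* conn may be freed from here on; only the copied pdu is used below */` would keep later edits from dereferencing it again. The function starts and ends outside both hunks.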
+@@ -1776,6 +1780,8 @@ static int set_cig_params_sync(struct hci_dev *hdev, void *data)
+ cis->p_rtn = qos->ucast.in.rtn;
+ }
+
++ hci_dev_unlock(hdev);
++
+ if (!pdu.cp.num_cis)
+ return 0;
+
+--
+2.53.0
+
--- /dev/null
+From 6098ee0b62b3c0aa85bf2f823b6e140c36da0368 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Apr 2026 01:26:43 +0000
+Subject: bpf: Free reuseport cBPF prog after RCU grace period.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 18fc650ccd7fe3376eca89203668cfb8268f60df ]
+
+Eulgyu Kim reported the splat below with a repro. [0]
+
+The repro sets up a UDP reuseport group with a cBPF prog and
+replaces it with a new one while another thread is sending
+a UDP packet to the group.
+
+The reuseport prog is freed by sk_reuseport_prog_free().
+bpf_prog_put() is called for "e"BPF prog to destruct through
+multiple stages while cBPF prog is freed immediately by
+bpf_release_orig_filter() and bpf_prog_free().
+
+If a reuseport prog is detached from the setsockopt() path
+(reuseport_attach_prog() or reuseport_detach_prog()),
+sk_reuseport_prog_free() is called without waiting for RCU
+readers to complete, resulting in various bugs.
+
+Let's defer freeing the reuseport cBPF prog after one RCU
+grace period.
+
+Note "e"BPF prog is safe as is unless the fast path starts
+to touch fields destroyed in bpf_prog_put_deferred() and
+__bpf_prog_put_noref().
+
+[0]:
+BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
+Read of size 4 at addr ffffc9000051e004 by task slowme/10208
+CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)
+Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+Call Trace:
+ <IRQ>
+ dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
+ udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495
+ __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723
+ __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752
+ __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752
+ ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
+ ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ __netif_receive_skb_one_core net/core/dev.c:6181 [inline]
+ __netif_receive_skb net/core/dev.c:6294 [inline]
+ process_backlog+0xaa4/0x1960 net/core/dev.c:6645
+ __napi_poll+0xae/0x340 net/core/dev.c:7709
+ napi_poll net/core/dev.c:7772 [inline]
+ net_rx_action+0x5d7/0xf50 net/core/dev.c:7929
+ handle_softirqs+0x22b/0x870 kernel/softirq.c:622
+ do_softirq+0x76/0xd0 kernel/softirq.c:523
+ </IRQ>
+ <TASK>
+ __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
+ local_bh_enable include/linux/bottom_half.h:33 [inline]
+ rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
+ __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890
+ neigh_output include/net/neighbour.h:556 [inline]
+ ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip_output+0x29f/0x450 net/ipv4/ip_output.c:438
+ ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508
+ udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195
+ udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ __sys_sendto+0x554/0x680 net/socket.c:2206
+ __do_sys_sendto net/socket.c:2213 [inline]
+ __se_sys_sendto net/socket.c:2209 [inline]
+ __x64_sys_sendto+0xde/0x100 net/socket.c:2209
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x415a2d
+Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d
+RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003
+RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010
+R10: 0000000000000000 R11: 0000000000000212 R12: 00007f6bc31e46c0
+R13: ffffffffffffffb8 R14: 0000000000000000 R15: 00007ffc9b0d70b0
+ </TASK>
+
+Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
+Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
+Reported-by: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20260426012647.3233119-1-kuniyu@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index c33d896c7a6eef..2922f88311ca66 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -1642,15 +1642,24 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk)
+ return err;
+ }
+
++static void sk_reuseport_prog_free_rcu(struct rcu_head *rcu)
++{
++ struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
++ struct bpf_prog *prog = aux->prog;
++
++ bpf_release_orig_filter(prog);
++ bpf_prog_free(prog);
++}
++
+ void sk_reuseport_prog_free(struct bpf_prog *prog)
+ {
+ if (!prog)
+ return;
+
+- if (prog->type == BPF_PROG_TYPE_SK_REUSEPORT)
+- bpf_prog_put(prog);
++ if (bpf_prog_was_classic(prog))
++ call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu);
+ else
+- bpf_prog_destroy(prog);
++ bpf_prog_put(prog);
+ }
+
+ struct bpf_scratchpad {
+--
+2.53.0
+
--- /dev/null
+From 3cf57aaba7fcf82208970ff86318850daa0eeb84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 May 2026 04:34:14 +0900
+Subject: Disable -Wattribute-alias for clang-23 and newer
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 175db11786bde9061db526bf1ac5107d915f5163 upstream.
+
+Clang recently added support for -Wattribute-alias [1], which results in
+the same warnings that necessitated commit bee20031772a ("disable
+-Wattribute-alias warning for SYSCALL_DEFINEx()") for GCC.
+
+ kernel/time/itimer.c:325:1: error: alias and aliasee have different types 'long (unsigned int)' and 'long (typeof (__builtin_choose_expr((__builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0LL)) || __builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0ULL))), 0LL, 0L)))' (aka 'long (long)') [-Werror,-Wattribute-alias]
+ 325 | SYSCALL_DEFINE1(alarm, unsigned int, seconds)
+ | ^
+ include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
+ 225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
+ | ^
+ include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
+ 236 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
+ | ^
+ include/linux/syscalls.h:251:18: note: expanded from macro '__SYSCALL_DEFINEx'
+ 251 | __attribute__((alias(__stringify(__se_sys##name)))); \
+ | ^
+ kernel/time/itimer.c:325:1: note: aliasee is declared here
+ include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
+ 225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
+ | ^
+ include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
+ 236 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
+ | ^
+ include/linux/syscalls.h:255:18: note: expanded from macro '__SYSCALL_DEFINEx'
+ 255 | asmlinkage long __se_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)) \
+ | ^
+ <scratch space>:16:1: note: expanded from here
+ 16 | __se_sys_alarm
+ | ^
+
+Disable the warnings in the same way for clang-23 and newer. Disable the
+warning about unknown warning options to avoid breaking the build for
+versions of clang-23 that do not have -Wattribute-alias, such as ones
+deployed by vendors like Android or CI systems or when bisecting LLVM
+between llvmorg-23-init and release/23.x.
+
+Cc: stable@vger.kernel.org
+Closes: https://github.com/ClangBuiltLinux/linux/issues/2163
+Link: https://github.com/llvm/llvm-project/commit/40da6920a0d71d49dfa2392b09153600b0759f5e [1]
+Link: https://patch.msgid.link/20260515-syscall-disable-attribute-alias-for-clang-v1-1-9a9d95d41df6@kernel.org
+[nathan: Drop arch/riscv hunk in older trees and address conflicts]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/compat.h | 4 ++++
+ include/linux/compiler-clang.h | 6 ++++++
+ include/linux/compiler_types.h | 4 ++++
+ include/linux/syscalls.h | 4 ++++
+ 4 files changed, 18 insertions(+)
+
+diff --git a/include/linux/compat.h b/include/linux/compat.h
+index 5981d3eadaee1e..7a55636cc98454 100644
+--- a/include/linux/compat.h
++++ b/include/linux/compat.h
+@@ -72,6 +72,10 @@
+ __diag_push(); \
+ __diag_ignore(GCC, 8, "-Wattribute-alias", \
+ "Type aliasing is used to sanitize syscall arguments");\
++ __diag_ignore(clang, 23, "-Wunknown-warning-option", \
++ "Avoid breaking versions without -Wattribute-alias"); \
++ __diag_ignore(clang, 23, "-Wattribute-alias", \
++ "Type aliasing is used to sanitize syscall arguments"); \
+ asmlinkage long compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \
+ __attribute__((alias(__stringify(__se_compat_sys##name)))); \
+ ALLOW_ERROR_INJECTION(compat_sys##name, ERRNO); \
+diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
+index f9de53fff3acc4..2fd5b596b36b5c 100644
+--- a/include/linux/compiler-clang.h
++++ b/include/linux/compiler-clang.h
+@@ -144,5 +144,11 @@
+ #define __diag_clang_11(s)
+ #endif
+
++#if CONFIG_CLANG_VERSION >= 230000
++#define __diag_clang_23(s) __diag(s)
++#else
++#define __diag_clang_23(s)
++#endif
++
+ #define __diag_ignore_all(option, comment) \
+ __diag_clang(11, ignore, option)
+diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
+index b63da6b03d3382..ed1c107124e4e1 100644
+--- a/include/linux/compiler_types.h
++++ b/include/linux/compiler_types.h
+@@ -486,6 +486,10 @@ struct ftrace_likely_data {
+ #define __diag_GCC(version, severity, string)
+ #endif
+
++#ifndef __diag_clang
++#define __diag_clang(version, severity, string)
++#endif
++
+ #define __diag_push() __diag(push)
+ #define __diag_pop() __diag(pop)
+
+diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
+index 36c592e43d6520..8109d9f0ede62d 100644
+--- a/include/linux/syscalls.h
++++ b/include/linux/syscalls.h
+@@ -242,6 +242,10 @@ static inline int is_syscall_trace_event(struct trace_event_call *tp_event)
+ __diag_push(); \
+ __diag_ignore(GCC, 8, "-Wattribute-alias", \
+ "Type aliasing is used to sanitize syscall arguments");\
++ __diag_ignore(clang, 23, "-Wunknown-warning-option", \
++ "Avoid breaking versions without -Wattribute-alias");\
++ __diag_ignore(clang, 23, "-Wattribute-alias", \
++ "Type aliasing is used to sanitize syscall arguments");\
+ asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \
+ __attribute__((alias(__stringify(__se_sys##name)))); \
+ ALLOW_ERROR_INJECTION(sys##name, ERRNO); \
+--
+2.53.0
+
--- /dev/null
+From 13674af8b61df5b87c70af55b9d837a65443b351 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jun 2026 14:20:22 +0800
+Subject: hwmon: (pmbus/core) Protect regulator operations with mutex
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 754bd2b4a084b90b5e7b630e1f423061a9b9b761 ]
+
+The regulator operations pmbus_regulator_get_voltage(),
+pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage()
+access PMBus registers and shared data but were not protected by
+the update_lock mutex. This could lead to race conditions.
+
+However, adding mutex protection directly to these functions causes
+a deadlock because pmbus_regulator_notify() (which calls
+regulator_notifier_call_chain()) is often called with the mutex
+already held (e.g., from pmbus_fault_handler()). If a regulator
+callback then calls one of the now-protected voltage functions,
+it will attempt to acquire the same mutex.
+
+Rework pmbus_regulator_notify() to utilize a worker function to
+send notifications outside of the mutex protection. Events are
+stored as atomics in a per-page bitmask and processed by the worker.
+
+Initialize the worker and its associated data during regulator
+registration, and ensure it is cancelled on device removal using
+devm_add_action_or_reset().
+
+While at it, remove the unnecessary include of linux/of.h.
+
+Cc: Sanman Pradhan <psanman@juniper.net>
+Fixes: ddbb4db4ced1b ("hwmon: (pmbus) Add regulator support")
+Reviewed-by: Sanman Pradhan <psanman@juniper.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Fang Wang <32840572@qq.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/pmbus/pmbus_core.c | 117 ++++++++++++++++++++++++-------
+ 1 file changed, 91 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
+index 019c5982ba564b..a61e2fb176da78 100644
+--- a/drivers/hwmon/pmbus/pmbus_core.c
++++ b/drivers/hwmon/pmbus/pmbus_core.c
+@@ -6,6 +6,7 @@
+ * Copyright (c) 2012 Guenter Roeck
+ */
+
++#include <linux/atomic.h>
+ #include <linux/debugfs.h>
+ #include <linux/kernel.h>
+ #include <linux/math64.h>
+@@ -19,8 +20,8 @@
+ #include <linux/pmbus.h>
+ #include <linux/regulator/driver.h>
+ #include <linux/regulator/machine.h>
+-#include <linux/of.h>
+ #include <linux/thermal.h>
++#include <linux/workqueue.h>
+ #include "pmbus.h"
+
+ /*
+@@ -102,6 +103,11 @@ struct pmbus_data {
+
+ struct mutex update_lock;
+
++#if IS_ENABLED(CONFIG_REGULATOR)
++ atomic_t regulator_events[PMBUS_PAGES];
++ struct work_struct regulator_notify_work;
++#endif
++
+ bool has_status_word; /* device uses STATUS_WORD register */
+ int (*read_status)(struct i2c_client *client, int page);
+
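Review bot: The two fields added to struct pmbus_data are undocumented, although their neighbours carry trailing comments and the locking rule for them differs from the rest of the struct. Going by the commit message, `regulator_events[]` is a per-page bitmask of pending events that is written atomically and read by the worker, which is what lets notifications be sent outside update_lock. I would add `/* pending regulator events per page, set atomically and drained by regulator_notify_work */` above the array, and a note that the work item runs without update_lock held.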
+@@ -3056,12 +3062,19 @@ static int pmbus_regulator_get_voltage(struct regulator_dev *rdev)
+ .class = PSC_VOLTAGE_OUT,
+ .convert = true,
+ };
++ int ret;
+
++ mutex_lock(&data->update_lock);
+ s.data = _pmbus_read_word_data(client, s.page, 0xff, PMBUS_READ_VOUT);
+- if (s.data < 0)
+- return s.data;
++ if (s.data < 0) {
++ ret = s.data;
++ goto unlock;
++ }
+
+- return (int)pmbus_reg2data(data, &s) * 1000; /* unit is uV */
++ ret = (int)pmbus_reg2data(data, &s) * 1000; /* unit is uV */
++unlock:
++ mutex_unlock(&data->update_lock);
++ return ret;
+ }
+
+ static int pmbus_regulator_set_voltage(struct regulator_dev *rdev, int min_uv,
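Review bot: pmbus_regulator_get_voltage() now takes `data->update_lock`, but nothing in the function records that locking contract. The commit description names re-entry from a notifier callback as the deadlock being avoided, so the rule is worth keeping visible. A one-line comment above the function would do it, for example `/* Takes data->update_lock; must not be called with the lock held. */`. The same applies to the locked sections added to pmbus_regulator_set_voltage() and pmbus_regulator_list_voltage() in the following hunks. The function starts above this hunk, so check the placement against the full file.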
+@@ -3078,16 +3091,22 @@ static int pmbus_regulator_set_voltage(struct regulator_dev *rdev, int min_uv,
+ };
+ int val = DIV_ROUND_CLOSEST(min_uv, 1000); /* convert to mV */
+ int low, high;
++ int ret;
+
+ *selector = 0;
+
++ mutex_lock(&data->update_lock);
+ low = pmbus_regulator_get_low_margin(client, s.page);
+- if (low < 0)
+- return low;
++ if (low < 0) {
++ ret = low;
++ goto unlock;
++ }
+
+ high = pmbus_regulator_get_high_margin(client, s.page);
+- if (high < 0)
+- return high;
++ if (high < 0) {
++ ret = high;
++ goto unlock;
++ }
+
+ /* Make sure we are within margins */
+ if (low > val)
+@@ -3097,7 +3116,10 @@ static int pmbus_regulator_set_voltage(struct regulator_dev *rdev, int min_uv,
+
+ val = pmbus_data2reg(data, &s, val);
+
+- return _pmbus_write_word_data(client, s.page, PMBUS_VOUT_COMMAND, (u16)val);
++ ret = _pmbus_write_word_data(client, s.page, PMBUS_VOUT_COMMAND, (u16)val);
++unlock:
++ mutex_unlock(&data->update_lock);
++ return ret;
+ }
+
+ static int pmbus_regulator_list_voltage(struct regulator_dev *rdev,
+@@ -3105,7 +3127,9 @@ static int pmbus_regulator_list_voltage(struct regulator_dev *rdev,
+ {
+ struct device *dev = rdev_get_dev(rdev);
+ struct i2c_client *client = to_i2c_client(dev->parent);
++ struct pmbus_data *data = i2c_get_clientdata(client);
+ int val, low, high;
++ int ret;
+
+ if (selector >= rdev->desc->n_voltages ||
+ selector < rdev->desc->linear_min_sel)
+@@ -3115,18 +3139,29 @@ static int pmbus_regulator_list_voltage(struct regulator_dev *rdev,
+ val = DIV_ROUND_CLOSEST(rdev->desc->min_uV +
+ (rdev->desc->uV_step * selector), 1000); /* convert to mV */
+
++ mutex_lock(&data->update_lock);
++
+ low = pmbus_regulator_get_low_margin(client, rdev_get_id(rdev));
+- if (low < 0)
+- return low;
++ if (low < 0) {
++ ret = low;
++ goto unlock;
++ }
+
+ high = pmbus_regulator_get_high_margin(client, rdev_get_id(rdev));
+- if (high < 0)
+- return high;
++ if (high < 0) {
++ ret = high;
++ goto unlock;
++ }
+
+- if (val >= low && val <= high)
+- return val * 1000; /* unit is uV */
++ if (val >= low && val <= high) {
++ ret = val * 1000; /* unit is uV */
++ goto unlock;
++ }
+
+- return 0;
++ ret = 0;
++unlock:
++ mutex_unlock(&data->update_lock);
++ return ret;
+ }
+
+ const struct regulator_ops pmbus_regulator_ops = {
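Review bot: The in-range case at `if (val >= low && val <= high)` jumps to `unlock` only to skip the `ret = 0` that follows, which makes the success path read like one of the error exits. Writing it as `ret = (val >= low && val <= high) ? val * 1000 : 0; /* unit is uV */` gives the same result without the extra goto. The label is then used only by the two failure paths. The function begins in the previous hunk.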
+@@ -3141,12 +3176,42 @@ const struct regulator_ops pmbus_regulator_ops = {
+ };
+ EXPORT_SYMBOL_NS_GPL(pmbus_regulator_ops, PMBUS);
+
++static void pmbus_regulator_notify_work_cancel(void *data)
++{
++ struct pmbus_data *pdata = data;
++
++ cancel_work_sync(&pdata->regulator_notify_work);
++}
++
++static void pmbus_regulator_notify_worker(struct work_struct *work)
++{
++ struct pmbus_data *data =
++ container_of(work, struct pmbus_data, regulator_notify_work);
++ int i, j;
++
++ for (i = 0; i < data->info->pages; i++) {
++ int event;
++
++ event = atomic_xchg(&data->regulator_events[i], 0);
++ if (!event)
++ continue;
++
++ for (j = 0; j < data->info->num_regulators; j++) {
++ if (i == rdev_get_id(data->rdevs[j])) {
++ regulator_notifier_call_chain(data->rdevs[j],
++ event, NULL);
++ break;
++ }
++ }
++ }
++}
++
+ static int pmbus_regulator_register(struct pmbus_data *data)
+ {
+ struct device *dev = data->dev;
+ const struct pmbus_driver_info *info = data->info;
+ const struct pmbus_platform_data *pdata = dev_get_platdata(dev);
+- int i;
++ int i, ret;
+
+ data->rdevs = devm_kzalloc(dev, sizeof(struct regulator_dev *) * info->num_regulators,
+ GFP_KERNEL);
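Review bot: pmbus_regulator_notify_worker() carries no comment explaining why notification is deferred to a work item, and that reason is the whole point of the change. Something like `/* Runs without update_lock so notifier callbacks may call the locked regulator ops. */` above the function would stop a later cleanup from folding the call chain back under the mutex. The worker also dereferences `data->rdevs[j]` for every j below `num_regulators`. Whether every slot is populated before the work can first run depends on the registration loop, which lies mostly outside this hunk and should be confirmed there.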
+@@ -3170,20 +3235,20 @@ static int pmbus_regulator_register(struct pmbus_data *data)
+ info->reg_desc[i].name);
+ }
+
++ INIT_WORK(&data->regulator_notify_work, pmbus_regulator_notify_worker);
++
++ ret = devm_add_action_or_reset(dev, pmbus_regulator_notify_work_cancel, data);
++ if (ret)
++ return ret;
++
+ return 0;
+ }
+
+ static int pmbus_regulator_notify(struct pmbus_data *data, int page, int event)
+ {
+- int j;
+-
+- for (j = 0; j < data->info->num_regulators; j++) {
+- if (page == rdev_get_id(data->rdevs[j])) {
+- regulator_notifier_call_chain(data->rdevs[j], event, NULL);
+- break;
+- }
+- }
+- return 0;
++ atomic_or(event, &data->regulator_events[page]);
++ schedule_work(&data->regulator_notify_work);
++ return 0;
+ }
+ #else
+ static int pmbus_regulator_register(struct pmbus_data *data)
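Review bot: pmbus_regulator_notify() uses `page` directly as an index into `regulator_events[]`, which the struct hunk sizes at PMBUS_PAGES, and `atomic_or()` writes through it with no range check. The callers are outside this hunk, so either confirm that they only pass pages below `info->pages` or add a guard such as `if (page < 0 || page >= PMBUS_PAGES) return -EINVAL;`. Separately, `schedule_work()` can queue the work again after the devm action has run `cancel_work_sync()`. Teardown is therefore only safe if the path that calls this function is released before that action runs, and that ordering is not visible here.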
+--
+2.53.0
+
--- /dev/null
+From 6b08f4115ae7c2456349ae4e4b1ac19bdcdd3169 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jun 2026 19:55:44 +0300
+Subject: RDMA/rxe: Fix "trying to register non-static key in
+ rxe_qp_do_cleanup" bug
+
+From: Zhu Yanjun <yanjun.zhu@linux.dev>
+
+commit 1c7eec4d5f3b39cdea2153abaebf1b7229a47072 upstream.
+
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ assign_lock_key kernel/locking/lockdep.c:986 [inline]
+ register_lock_class+0x4a3/0x4c0 kernel/locking/lockdep.c:1300
+ __lock_acquire+0x99/0x1ba0 kernel/locking/lockdep.c:5110
+ lock_acquire kernel/locking/lockdep.c:5866 [inline]
+ lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5823
+ __timer_delete_sync+0x152/0x1b0 kernel/time/timer.c:1644
+ rxe_qp_do_cleanup+0x5c3/0x7e0 drivers/infiniband/sw/rxe/rxe_qp.c:815
+ execute_in_process_context+0x3a/0x160 kernel/workqueue.c:4596
+ __rxe_cleanup+0x267/0x3c0 drivers/infiniband/sw/rxe/rxe_pool.c:232
+ rxe_create_qp+0x3f7/0x5f0 drivers/infiniband/sw/rxe/rxe_verbs.c:604
+ create_qp+0x62d/0xa80 drivers/infiniband/core/verbs.c:1250
+ ib_create_qp_kernel+0x9f/0x310 drivers/infiniband/core/verbs.c:1361
+ ib_create_qp include/rdma/ib_verbs.h:3803 [inline]
+ rdma_create_qp+0x10c/0x340 drivers/infiniband/core/cma.c:1144
+ rds_ib_setup_qp+0xc86/0x19a0 net/rds/ib_cm.c:600
+ rds_ib_cm_initiate_connect+0x1e8/0x3d0 net/rds/ib_cm.c:944
+ rds_rdma_cm_event_handler_cmn+0x61f/0x8c0 net/rds/rdma_transport.c:109
+ cma_cm_event_handler+0x94/0x300 drivers/infiniband/core/cma.c:2184
+ cma_work_handler+0x15b/0x230 drivers/infiniband/core/cma.c:3042
+ process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
+ process_scheduled_works kernel/workqueue.c:3319 [inline]
+ worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
+ kthread+0x3c2/0x780 kernel/kthread.c:464
+ ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+ </TASK>
+
+The root cause is as below:
+
+In the function rxe_create_qp, the function rxe_qp_from_init is called
+to create qp, if this function rxe_qp_from_init fails, rxe_cleanup will
+be called to handle all the allocated resources, including the timers:
+retrans_timer and rnr_nak_timer.
+
+The function rxe_qp_from_init calls the function rxe_qp_init_req to
+initialize the timers: retrans_timer and rnr_nak_timer.
+
+But these timers are initialized in the end of rxe_qp_init_req.
+If some errors occur before the initialization of these timers, this
+problem will occur.
+
+The solution is to check whether these timers are initialized or not.
+If these timers are not initialized, ignore these timers.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Reported-by: syzbot+4edb496c3cad6e953a31@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=4edb496c3cad6e953a31
+Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Link: https://patch.msgid.link/20250419080741.1515231-1-yanjun.zhu@linux.dev
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+[ Vladislav: keep del_timer_sync() because linux-6.6.y has not renamed it
+ to timer_delete_sync() yet. The actual fix is unchanged: check the timer
+ .function fields before deleting the timers. ]
+Signed-off-by: Vladislav Nikolaev <vlad102nikolaev@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_qp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
+index 287fc8b8f5bafe..8426c261c263a9 100644
+--- a/drivers/infiniband/sw/rxe/rxe_qp.c
++++ b/drivers/infiniband/sw/rxe/rxe_qp.c
+@@ -817,7 +817,12 @@ static void rxe_qp_do_cleanup(struct work_struct *work)
+ spin_unlock_irqrestore(&qp->state_lock, flags);
+ qp->qp_timeout_jiffies = 0;
+
+- if (qp_type(qp) == IB_QPT_RC) {
++ /* In the function timer_setup, .function is initialized. If .function
++ * is NULL, it indicates the function timer_setup is not called, the
++ * timer is not initialized. Or else, the timer is initialized.
++ */
++ if (qp_type(qp) == IB_QPT_RC && qp->retrans_timer.function &&
++ qp->rnr_nak_timer.function) {
+ del_timer_sync(&qp->retrans_timer);
+ del_timer_sync(&qp->rnr_nak_timer);
+ }
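Review bot: The new condition skips both `del_timer_sync()` calls unless both `.function` pointers are set, so a QP with only one timer initialised would leave that timer undeleted. The commit description says the two timers are set up together at the end of rxe_qp_init_req(), so this holds today, but it couples the cleanup to that ordering. Checking each timer on its own inside the `IB_QPT_RC` test removes the coupling: `if (qp->retrans_timer.function) del_timer_sync(&qp->retrans_timer);` and likewise for `rnr_nak_timer`. The test also assumes the qp memory is zeroed at allocation so that an untouched `.function` reads as NULL; that allocation is not shown here. rxe_qp_do_cleanup() starts before this hunk and continues after it.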
+--
+2.53.0
+
--- /dev/null
+bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch
+usb-serial-mct_u232-fix-memory-corruption-with-small.patch
+bluetooth-hci_conn-fix-potential-uaf-in-set_cig_para.patch
+rdma-rxe-fix-trying-to-register-non-static-key-in-rx.patch
+hwmon-pmbus-core-protect-regulator-operations-with-m.patch
+disable-wattribute-alias-for-clang-23-and-newer.patch
--- /dev/null
+From 4f6f6cc2be22a3a24e9b60c92032e362bf085ef1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2026 14:11:33 +0200
+Subject: USB: serial: mct_u232: fix memory corruption with small endpoint
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 915b36d701950503c4ea0f6e314b10868e59fce3 upstream.
+
+The driver overrides the maximum transfer size for a specific device
+which only accepts 16 byte packets for its 32 byte bulk-out endpoint.
+
+Make sure to never increase the maximum transfer size to prevent slab
+corruption should a malicious device report a smaller endpoint max
+packet size than expected.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/serial/mct_u232.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
+index 6c2c4a597fb146..be63f5f3740477 100644
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -379,6 +379,7 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
+ {
+ struct usb_serial *serial = port->serial;
+ struct mct_u232_private *priv;
++ u16 pid;
+
+ /* check first to simplify error handling */
+ if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
+@@ -386,6 +387,16 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
+ return -ENODEV;
+ }
+
++ /*
++ * Compensate for a hardware bug: although the Sitecom U232-P25
++ * device reports a maximum output packet size of 32 bytes,
++ * it seems to be able to accept only 16 bytes (and that's what
++ * SniffUSB says too...)
++ */
++ pid = le16_to_cpu(serial->dev->descriptor.idProduct);
++ if (pid == MCT_U232_SITECOM_PID)
++ port->bulk_out_size = min(16, port->bulk_out_size);
++
+ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+ return -ENOMEM;
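Review bot: The relocated comment still describes only the hardware quirk and does not say why the assignment became `min(16, port->bulk_out_size)`, so the bound could be simplified back to a plain `= 16` later. Per the commit description, the size must never be raised above what the device reported, because a device advertising a smaller endpoint would otherwise cause slab corruption. One extra line in the comment would record that, for example `* Never increase the size: a device may report a smaller endpoint.` The kernel `min()` macro also expects both operands to have compatible types, and the declaration of `bulk_out_size` is outside this hunk, so confirm that it is an `int`. mct_u232_port_probe() continues past the end of the hunk.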
+@@ -411,7 +422,6 @@ static void mct_u232_port_remove(struct usb_serial_port *port)
+
+ static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
+ {
+- struct usb_serial *serial = port->serial;
+ struct mct_u232_private *priv = usb_get_serial_port_data(port);
+ int retval = 0;
+ unsigned int control_state;
+@@ -419,15 +429,6 @@ static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
+ unsigned char last_lcr;
+ unsigned char last_msr;
+
+- /* Compensate for a hardware bug: although the Sitecom U232-P25
+- * device reports a maximum output packet size of 32 bytes,
+- * it seems to be able to accept only 16 bytes (and that's what
+- * SniffUSB says too...)
+- */
+- if (le16_to_cpu(serial->dev->descriptor.idProduct)
+- == MCT_U232_SITECOM_PID)
+- port->bulk_out_size = 16;
+-
+ /* Do a defined restart: the normal serial device seems to
+ * always turn on DTR and RTS here, so do the same. I'm not
+ * sure if this is really necessary. But it should not harm
+--
+2.53.0
+
--- /dev/null
+From 42eb58be9d4cb4378d5735fcebc86f4e5b045715 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Apr 2026 01:26:43 +0000
+Subject: bpf: Free reuseport cBPF prog after RCU grace period.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 18fc650ccd7fe3376eca89203668cfb8268f60df ]
+
+Eulgyu Kim reported the splat below with a repro. [0]
+
+The repro sets up a UDP reuseport group with a cBPF prog and
+replaces it with a new one while another thread is sending
+a UDP packet to the group.
+
+The reuseport prog is freed by sk_reuseport_prog_free().
+bpf_prog_put() is called for "e"BPF prog to destruct through
+multiple stages while cBPF prog is freed immediately by
+bpf_release_orig_filter() and bpf_prog_free().
+
+If a reuseport prog is detached from the setsockopt() path
+(reuseport_attach_prog() or reuseport_detach_prog()),
+sk_reuseport_prog_free() is called without waiting for RCU
+readers to complete, resulting in various bugs.
+
+Let's defer freeing the reuseport cBPF prog after one RCU
+grace period.
+
+Note "e"BPF prog is safe as is unless the fast path starts
+to touch fields destroyed in bpf_prog_put_deferred() and
+__bpf_prog_put_noref().
+
+[0]:
+BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
+Read of size 4 at addr ffffc9000051e004 by task slowme/10208
+CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)
+Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+Call Trace:
+ <IRQ>
+ dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
+ udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495
+ __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723
+ __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752
+ __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752
+ ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
+ ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ __netif_receive_skb_one_core net/core/dev.c:6181 [inline]
+ __netif_receive_skb net/core/dev.c:6294 [inline]
+ process_backlog+0xaa4/0x1960 net/core/dev.c:6645
+ __napi_poll+0xae/0x340 net/core/dev.c:7709
+ napi_poll net/core/dev.c:7772 [inline]
+ net_rx_action+0x5d7/0xf50 net/core/dev.c:7929
+ handle_softirqs+0x22b/0x870 kernel/softirq.c:622
+ do_softirq+0x76/0xd0 kernel/softirq.c:523
+ </IRQ>
+ <TASK>
+ __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
+ local_bh_enable include/linux/bottom_half.h:33 [inline]
+ rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
+ __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890
+ neigh_output include/net/neighbour.h:556 [inline]
+ ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip_output+0x29f/0x450 net/ipv4/ip_output.c:438
+ ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508
+ udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195
+ udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ __sys_sendto+0x554/0x680 net/socket.c:2206
+ __do_sys_sendto net/socket.c:2213 [inline]
+ __se_sys_sendto net/socket.c:2209 [inline]
+ __x64_sys_sendto+0xde/0x100 net/socket.c:2209
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x415a2d
+Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d
+RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003
+RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010
+R10: 0000000000000000 R11: 0000000000000212 R12: 00007f6bc31e46c0
+R13: ffffffffffffffb8 R14: 0000000000000000 R15: 00007ffc9b0d70b0
+ </TASK>
+
+Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
+Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
+Reported-by: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20260426012647.3233119-1-kuniyu@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index e4ed3b343ed9f4..959e84f4b81384 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -1659,15 +1659,24 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk)
+ return err;
+ }
+
++static void sk_reuseport_prog_free_rcu(struct rcu_head *rcu)
++{
++ struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
++ struct bpf_prog *prog = aux->prog;
++
++ bpf_release_orig_filter(prog);
++ bpf_prog_free(prog);
++}
++
+ void sk_reuseport_prog_free(struct bpf_prog *prog)
+ {
+ if (!prog)
+ return;
+
+- if (prog->type == BPF_PROG_TYPE_SK_REUSEPORT)
+- bpf_prog_put(prog);
++ if (bpf_prog_was_classic(prog))
++ call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu);
+ else
+- bpf_prog_destroy(prog);
++ bpf_prog_put(prog);
+ }
+
+ static inline int __bpf_try_make_writable(struct sk_buff *skb,
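Review bot: sk_reuseport_prog_free_rcu() has no comment saying why only classic programs are freed through `call_rcu()`, and the `bpf_prog_was_classic()` branch in sk_reuseport_prog_free() reads as arbitrary without the commit message. A short comment above the callback would carry the reasoning into the source, for example `/* cBPF progs are freed directly; wait one RCU grace period so reuseport_select_sock() readers are done. */`. The callback also reuses `prog->aux->rcu` as its rcu head. Whether any other teardown path can queue that same head for a classic program is not visible in this hunk and is worth confirming.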
+--
+2.53.0
+
--- /dev/null
+bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch