--- /dev/null
+From d6854daa67be623860f4e1873fd3d3c275aba4ed Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?= <cassiogabrielcontato@gmail.com>
+Date: Thu, 7 May 2026 00:40:51 -0300
+Subject: ALSA: usb-audio: Bound MIDI endpoint descriptor scans
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+commit d6854daa67be623860f4e1873fd3d3c275aba4ed upstream.
+
+snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint
+descriptor size before using baAssocJackID[], but the descriptor walker can
+still return a class-specific endpoint descriptor whose bLength exceeds the
+remaining bytes in the endpoint-extra scan.
+
+That leaves later flexible-array reads bounded by bLength, but not by the
+remaining bytes in the endpoint-extra scan.
+
+Stop walking when bLength is zero or
+extends past the remaining endpoint-extra scan.
+
+Fixes: 5c6cd7021a05 ("ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor")
+Cc: stable@vger.kernel.org
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Link: https://patch.msgid.link/20260507-usb-midi-endpoint-scan-bounds-v1-1-329d7348160e@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/midi.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -1974,15 +1974,17 @@ static struct usb_ms_endpoint_descriptor
+ while (extralen > 3) {
+ struct usb_ms_endpoint_descriptor *ms_ep =
+ (struct usb_ms_endpoint_descriptor *)extra;
++ int length = ms_ep->bLength;
+
+- if (ms_ep->bLength > 3 &&
++ if (!length || length > extralen)
++ break;
++
++ if (length > 3 &&
+ ms_ep->bDescriptorType == USB_DT_CS_ENDPOINT &&
+ ms_ep->bDescriptorSubtype == UAC_MS_GENERAL)
+ return ms_ep;
+- if (!extra[0])
+- break;
+- extralen -= extra[0];
+- extra += extra[0];
++ extralen -= length;
++ extra += length;
+ }
+ return NULL;
+ }
--- /dev/null
+From 5d3cc36b4e77a27ce7b686b7c59c7072bcb3fa8e Mon Sep 17 00:00:00 2001
+From: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Date: Thu, 9 Apr 2026 12:26:02 -0700
+Subject: ceph: fix a buffer leak in __ceph_setxattr()
+
+From: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+
+commit 5d3cc36b4e77a27ce7b686b7c59c7072bcb3fa8e upstream.
+
+The old_blob in __ceph_setxattr() can store
+ci->i_xattrs.prealloc_blob value during the retry.
+However, it is never called the ceph_buffer_put()
+for the old_blob object. This patch fixes the issue of
+the buffer leak.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Reviewed-by: Alex Markuze <amarkuze@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/xattr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -1246,6 +1246,7 @@ retry:
+
+ do_sync:
+ spin_unlock(&ci->i_ceph_lock);
++ ceph_buffer_put(old_blob);
+ do_sync_unlocked:
+ if (lock_snap_rwsem)
+ up_read(&mdsc->snap_rwsem);
--- /dev/null
+From 1ae15b6c7965d137eef21f2cc7d367b29cb88369 Mon Sep 17 00:00:00 2001
+From: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
+Date: Tue, 5 May 2026 14:39:20 +0530
+Subject: drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
+
+From: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
+
+commit 1ae15b6c7965d137eef21f2cc7d367b29cb88369 upstream.
+
+For RGB, set dynamic_range to CTA or VESA based on
+crtc_state->limited_color_range so sinks apply correct
+quantization. YCbCr remains limited (CTA) range.
+(DP v1.4, Table 5-1)
+
+v2:
+- Added Reported-by and Tested-by tags
+
+v3:
+- Add back YCbCr comment(Suraj)
+
+Cc: stable@vger.kernel.org #v5.8+
+Reported-by: DeepChirp <DeepChirp@outlook.com>
+Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/15874
+Tested-by: DeepChirp <DeepChirp@outlook.com>
+Fixes: 9799c4c3b76e ("drm/i915/dp: Add compute routine for DP VSC SDP")
+Assisted-by: GitHub-Copilot:GPT-5.4
+Signed-off-by: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
+Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
+Link: https://patch.msgid.link/20260505090920.2479112-1-chaitanya.kumar.borah@intel.com
+(cherry picked from commit 38e10ddae6f8d42a2e8437fcd25a1cac51106c64)
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_dp.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/intel_dp.c
++++ b/drivers/gpu/drm/i915/display/intel_dp.c
+@@ -1810,8 +1810,13 @@ static void intel_dp_compute_vsc_colorim
+ drm_WARN_ON(&dev_priv->drm,
+ vsc->bpc == 6 && vsc->pixelformat != DP_PIXELFORMAT_RGB);
+
+- /* all YCbCr are always limited range */
+- vsc->dynamic_range = DP_DYNAMIC_RANGE_CTA;
++ /* All YCbCr formats are always limited range. */
++ if (vsc->pixelformat == DP_PIXELFORMAT_RGB)
++ vsc->dynamic_range = crtc_state->limited_color_range ?
++ DP_DYNAMIC_RANGE_CTA : DP_DYNAMIC_RANGE_VESA;
++ else
++ vsc->dynamic_range = DP_DYNAMIC_RANGE_CTA;
++
+ vsc->content_type = DP_CONTENT_TYPE_NOT_DEFINED;
+ }
+
--- /dev/null
+From 4cfe4c0efbdcde742a47813180cc69b132d7598e Mon Sep 17 00:00:00 2001
+From: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
+Date: Thu, 16 Apr 2026 13:31:18 +0200
+Subject: drm/i915: skip __i915_request_skip() for already signaled requests
+
+From: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
+
+commit 4cfe4c0efbdcde742a47813180cc69b132d7598e upstream.
+
+After a GPU reset the HWSP is zeroed, so previously completed
+requests appear incomplete. If such a request is picked up during
+reset_rewind() and marked guilty, i915_request_set_error_once()
+returns early (fence already signaled), leaving fence.error without
+a fatal error code. The subsequent __i915_request_skip() then hits:
+```
+GEM_BUG_ON(!fatal_error(rq->fence.error))
+```
+
+Fixes a kernel BUG observed on Sandy Bridge (Gen6) during
+heartbeat-triggered engine resets.
+```
+kernel BUG at drivers/gpu/drm/i915/i915_request.c:556!
+RIP: __i915_request_skip+0x15e/0x1d0 [i915]
+...
+__i915_request_reset+0x212/0xa70 [i915]
+reset_rewind+0xe4/0x280 [i915]
+intel_gt_reset+0x30d/0x5b0 [i915]
+heartbeat+0x516/0x530 [i915]
+```
+
+Guard __i915_request_skip() with i915_request_signaled(), if the
+fence is already signaled, the ring content is committed and there
+is nothing left to skip.
+
+Fixes: 36e191f0644b ("drm/i915: Apply i915_request_skip() on submission")
+Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/13729
+Signed-off-by: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
+Cc: stable@vger.kernel.org # v5.7+
+Reviewed-by: Krzysztof Karas <krzysztof.karas@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://lore.kernel.org/r/fe76921d35b6ae85aa651822726d0d9815aa5362.1776339012.git.sebastian.brzezinka@intel.com
+(cherry picked from commit 5ba54393dcd7adf75a9f39f5a933b1538349cad5)
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gt/intel_reset.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/gt/intel_reset.c
++++ b/drivers/gpu/drm/i915/gt/intel_reset.c
+@@ -144,7 +144,8 @@ void __i915_request_reset(struct i915_re
+ rcu_read_lock(); /* protect the GEM context */
+ if (guilty) {
+ i915_request_set_error_once(rq, -EIO);
+- __i915_request_skip(rq);
++ if (!i915_request_signaled(rq))
++ __i915_request_skip(rq);
+ banned = mark_guilty(rq);
+ } else {
+ i915_request_set_error_once(rq, -EAGAIN);
--- /dev/null
+From 459d75523b71c0ec254d153d8850d0b7008af396 Mon Sep 17 00:00:00 2001
+From: Gyeyoung Baek <gye976@gmail.com>
+Date: Sun, 19 Apr 2026 16:17:16 +0900
+Subject: drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gyeyoung Baek <gye976@gmail.com>
+
+commit 459d75523b71c0ec254d153d8850d0b7008af396 upstream.
+
+dma_resv_wait_timeout() returns a positive 'remaining jiffies' value
+on success, 0 on timeout, and -errno on failure.
+
+panfrost_ioctl_wait_bo() returns this 'long' result from an int-typed
+ioctl handler, so positive values reach userspace as bogus errors.
+Explicitly set ret to 0 on the success path.
+
+Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gyeyoung Baek <gye976@gmail.com>
+Reviewed-by: Adrián Larumbe <adrian.larumbe@collabora.com>
+Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Link: https://patch.msgid.link/fe33f82fded7be1c18e2e0eb2db451d5a738cf39.1776581974.git.gye976@gmail.com
+Signed-off-by: Steven Price <steven.price@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/panfrost/panfrost_drv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/panfrost/panfrost_drv.c
++++ b/drivers/gpu/drm/panfrost/panfrost_drv.c
+@@ -330,6 +330,8 @@ panfrost_ioctl_wait_bo(struct drm_device
+ true, timeout);
+ if (!ret)
+ ret = timeout ? -ETIMEDOUT : -EBUSY;
++ else if (ret > 0)
++ ret = 0;
+
+ drm_gem_object_put(gem_obj);
+
--- /dev/null
+From 2cda2e10dc8343ae01eae9e999a876b7e7d37861 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Naval=20Alcal=C3=A1?= <ari@naval.cat>
+Date: Sat, 9 May 2026 10:43:44 +0800
+Subject: iommu/vt-d: Disable DMAR for Intel Q35 IGFX
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Naval Alcalá <ari@naval.cat>
+
+commit 2cda2e10dc8343ae01eae9e999a876b7e7d37861 upstream.
+
+Intel Q35 integrated graphics (8086:29b2) exhibits broken DMAR
+behaviour similar to other G4x/GM45 devices for which DMAR is
+already disabled via quirks.
+
+When DMAR is enabled, the system may hard lock up during boot or
+early device initialization, requiring a reset.
+
+Add the missing PCI ID to the existing quirk list to disable
+DMAR for this device.
+
+Fixes: 1f76249cc3be ("iommu/vt-d: Declare Broadwell igfx dmar support snafu")
+Cc: stable@vger.kernel.org
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=201185
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216064
+Signed-off-by: Naval Alcalá <ari@naval.cat>
+Link: https://lore.kernel.org/r/20260410161622.13549-1-ari@naval.cat
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/intel/iommu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -4832,6 +4832,9 @@ static void quirk_iommu_igfx(struct pci_
+ dmar_map_gfx = 0;
+ }
+
++/* Q35 integrated gfx dmar support is totally busted. */
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x29b2, quirk_iommu_igfx);
++
+ /* G4x/GM45 integrated gfx dmar support is totally busted. */
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2a40, quirk_iommu_igfx);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e00, quirk_iommu_igfx);
--- /dev/null
+From 28b0a2ab8c82d0bbdeb8013029c67c978ce6e4bf Mon Sep 17 00:00:00 2001
+From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Date: Tue, 12 May 2026 18:16:40 +0200
+Subject: libceph: Fix potential null-ptr-deref in decode_choose_args()
+
+From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+
+commit 28b0a2ab8c82d0bbdeb8013029c67c978ce6e4bf upstream.
+
+A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself
+contains a CRUSH map. When decoding this CRUSH map in crush_decode(), an
+array of max_buckets CRUSH buckets is decoded, where some indices may
+not refer to actual buckets and are therefore set to NULL. The received
+CRUSH map may optionally contain choose_args that get decoded in
+decode_choose_args(). When decoding a crush_choose_arg_map, a series of
+choose_args for different buckets is decoded, with the bucket_index
+being read from the incoming message. It is only checked that the bucket
+index does not exceed max_buckets, but not that it doesn't point to an
+index with a NULL bucket. If a (potentially corrupted) message contains
+a crush_choose_arg_map including such a bucket_index, a null pointer
+dereference may occur in the subsequent processing when attempting to
+access the bucket with the given index.
+
+This patch fixes the issue by extending the affected check. Now, it is
+only attempted to access the bucket if it is not NULL.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/osdmap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -390,7 +390,8 @@ static int decode_choose_args(void **p,
+ goto fail;
+
+ if (arg->ids_size &&
+- arg->ids_size != c->buckets[bucket_index]->size)
++ (!c->buckets[bucket_index] ||
++ arg->ids_size != c->buckets[bucket_index]->size))
+ goto e_inval;
+ }
+
--- /dev/null
+From 4c79fc2d598694bda845b46229c9d48b65042970 Mon Sep 17 00:00:00 2001
+From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Date: Wed, 22 Apr 2026 10:47:13 +0200
+Subject: libceph: Fix potential out-of-bounds access in crush_decode()
+
+From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+
+commit 4c79fc2d598694bda845b46229c9d48b65042970 upstream.
+
+A message of type CEPH_MSG_OSD_MAP containing a crush map with at least
+one bucket has two fields holding the bucket algorithm. If the values
+in these two fields differ, an out-of-bounds access can occur. This is
+the case because the first algorithm field (alg) is used to allocate
+the correct amount of memory for a bucket of this type, while the second
+algorithm field inside the bucket (b->alg) is used in the subsequent
+processing.
+
+This patch fixes the issue by adding a check that compares alg and
+b->alg and aborts the processing in case they differ. Furthermore,
+b->alg is set to 0 in this case, because the destruction of the crush
+map also uses this field to determine the bucket type, which can again
+result in an out-of-bounds access when trying to free the memory pointed
+to by the fields of the bucket. To correctly free the memory allocated
+for the bucket in such a case, the corresponding call to kfree is moved
+from the algorithm-specific crush_destroy_bucket functions to the
+generic crush_destroy_bucket().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/crush/crush.c | 6 +-----
+ net/ceph/osdmap.c | 4 ++++
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/ceph/crush/crush.c
++++ b/net/ceph/crush/crush.c
+@@ -47,7 +47,6 @@ int crush_get_bucket_item_weight(const s
+ void crush_destroy_bucket_uniform(struct crush_bucket_uniform *b)
+ {
+ kfree(b->h.items);
+- kfree(b);
+ }
+
+ void crush_destroy_bucket_list(struct crush_bucket_list *b)
+@@ -55,14 +54,12 @@ void crush_destroy_bucket_list(struct cr
+ kfree(b->item_weights);
+ kfree(b->sum_weights);
+ kfree(b->h.items);
+- kfree(b);
+ }
+
+ void crush_destroy_bucket_tree(struct crush_bucket_tree *b)
+ {
+ kfree(b->h.items);
+ kfree(b->node_weights);
+- kfree(b);
+ }
+
+ void crush_destroy_bucket_straw(struct crush_bucket_straw *b)
+@@ -70,14 +67,12 @@ void crush_destroy_bucket_straw(struct c
+ kfree(b->straws);
+ kfree(b->item_weights);
+ kfree(b->h.items);
+- kfree(b);
+ }
+
+ void crush_destroy_bucket_straw2(struct crush_bucket_straw2 *b)
+ {
+ kfree(b->item_weights);
+ kfree(b->h.items);
+- kfree(b);
+ }
+
+ void crush_destroy_bucket(struct crush_bucket *b)
+@@ -99,6 +94,7 @@ void crush_destroy_bucket(struct crush_b
+ crush_destroy_bucket_straw2((struct crush_bucket_straw2 *)b);
+ break;
+ }
++ kfree(b);
+ }
+
+ /**
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -518,6 +518,10 @@ static struct crush_map *crush_decode(vo
+ b->id = ceph_decode_32(p);
+ b->type = ceph_decode_16(p);
+ b->alg = ceph_decode_8(p);
++ if (b->alg != alg) {
++ b->alg = 0;
++ goto bad;
++ }
+ b->hash = ceph_decode_8(p);
+ b->weight = ceph_decode_32(p);
+ b->size = ceph_decode_32(p);
--- /dev/null
+From 35d0ed82d03e5ee77ea4f31f20e29562a7721649 Mon Sep 17 00:00:00 2001
+From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Date: Tue, 5 May 2026 11:08:12 +0200
+Subject: libceph: Fix potential out-of-bounds access in osdmap_decode()
+
+From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+
+commit 35d0ed82d03e5ee77ea4f31f20e29562a7721649 upstream.
+
+When decoding osd_state and osd_weight from an incoming osdmap in
+osdmap_decode(), both are decoded for each osd, i.e., map->max_osd
+times. The ceph_decode_need() check only accounts for
+sizeof(*map->osd_weight) once. This can potentially result in an
+out-of-bounds memory access if the incoming message is corrupted such
+that the max_osd value exceeds the actual content of the osdmap message.
+
+This patch fixes the issue by changing the corresponding part in the
+ceph_decode_need() check to account for
+map->max_osd*sizeof(*map->osd_weight).
+
+Cc: stable@vger.kernel.org
+Fixes: dcbc919a5dc8 ("libceph: switch osdmap decoding to use ceph_decode_entity_addr")
+Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/osdmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -1703,7 +1703,7 @@ static int osdmap_decode(void **p, void
+ ceph_decode_need(p, end, 3*sizeof(u32) +
+ map->max_osd*(struct_v >= 5 ? sizeof(u32) :
+ sizeof(u8)) +
+- sizeof(*map->osd_weight), e_inval);
++ map->max_osd*sizeof(*map->osd_weight), e_inval);
+ if (ceph_decode_32(p) != map->max_osd)
+ goto e_inval;
+
--- /dev/null
+From d289478cfc0bcf81c7914200d6abdcb78bd04ded Mon Sep 17 00:00:00 2001
+From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Date: Tue, 12 May 2026 09:29:30 +0200
+Subject: libceph: handle rbtree insertion error in decode_choose_args()
+
+From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+
+commit d289478cfc0bcf81c7914200d6abdcb78bd04ded upstream.
+
+A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself
+contains a CRUSH map. The received CRUSH map may optionally contain
+choose_args that get decoded in decode_choose_args(). In this function,
+num_choose_arg_maps is read from the message, and a corresponding number
+of crush_choose_arg_maps gets decoded afterwards. Each
+crush_choose_arg_map has a choose_args_index, which serves as the key
+when inserting it into the choose_args rbtree of the decoded crush_map.
+If a (potentially corrupted) message contains two crush_choose_arg_maps
+with the same index, the assertion in insert_choose_arg_map() triggers a
+kernel BUG when trying to insert the second crush_choose_arg_map.
+
+This patch fixes the issue by switching to the non-asserting rbtree
+insertion function and rejecting the message if the insertion fails.
+
+[ idryomov: changelog ]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/osdmap.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -395,7 +395,10 @@ static int decode_choose_args(void **p,
+ goto e_inval;
+ }
+
+- insert_choose_arg_map(&c->choose_args, arg_map);
++ if (!__insert_choose_arg_map(&c->choose_args, arg_map)) {
++ ret = -EEXIST;
++ goto fail;
++ }
+ }
+
+ return 0;
--- /dev/null
+From 108d7f951271cbd36ca36efc5e5d106966f5180c Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Sun, 16 Nov 2025 10:44:11 +0800
+Subject: powerpc/warp: Fix error handling in pika_dtm_thread
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit 108d7f951271cbd36ca36efc5e5d106966f5180c upstream.
+
+pika_dtm_thread() acquires client through of_find_i2c_device_by_node()
+but fails to release it in error handling path. This could result in a
+reference count leak, preventing proper cleanup and potentially
+leading to resource exhaustion. Add put_device() to release the
+reference in the error handling path.
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: 3984114f0562 ("powerpc/warp: Platform fix for i2c change")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20251116024411.21968-1-make24@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/44x/warp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/platforms/44x/warp.c
++++ b/arch/powerpc/platforms/44x/warp.c
+@@ -262,6 +262,8 @@ static int pika_dtm_thread(void __iomem
+ schedule_timeout(HZ);
+ }
+
++ put_device(&client->dev);
++
+ return 0;
+ }
+
kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch
kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch
kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch
+smb-client-fix-possible-infinite-loop-and-oob-read-in-symlink_data.patch
+drm-i915-dp-fix-vsc-dynamic-range-signaling-for-rgb-formats.patch
+alsa-usb-audio-bound-midi-endpoint-descriptor-scans.patch
+ceph-fix-a-buffer-leak-in-__ceph_setxattr.patch
+powerpc-warp-fix-error-handling-in-pika_dtm_thread.patch
+libceph-fix-potential-out-of-bounds-access-in-osdmap_decode.patch
+libceph-fix-potential-null-ptr-deref-in-decode_choose_args.patch
+libceph-fix-potential-out-of-bounds-access-in-crush_decode.patch
+libceph-handle-rbtree-insertion-error-in-decode_choose_args.patch
+iommu-vt-d-disable-dmar-for-intel-q35-igfx.patch
+drm-i915-skip-__i915_request_skip-for-already-signaled-requests.patch
+drm-panfrost-fix-wait_bo-ioctl-leaking-positive-return-from-dma_resv_wait_timeout.patch
--- /dev/null
+From 7d9a7f1f96cd617ee9e75bb22217c709038e26b8 Mon Sep 17 00:00:00 2001
+From: Ye Bin <yebin10@huawei.com>
+Date: Thu, 14 May 2026 21:14:18 +0800
+Subject: smb/client: fix possible infinite loop and oob read in symlink_data()
+
+From: Ye Bin <yebin10@huawei.com>
+
+commit 7d9a7f1f96cd617ee9e75bb22217c709038e26b8 upstream.
+
+On 32-bit architectures, the infinite loop is as follows:
+
+ len = p->ErrorDataLength == 0xfffffff8
+ u8 *next = p->ErrorContextData + len
+ next == p
+
+On 32-bit architectures, the out-of-bounds read is as follows:
+
+ len = p->ErrorDataLength == 0xfffffff0
+ u8 *next = p->ErrorContextData + len
+ next == (u8 *)p - 8
+
+Reported-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
+Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/smb/client/smb2file.c
++++ b/fs/smb/client/smb2file.c
+@@ -48,6 +48,9 @@ static struct smb2_symlink_err_rsp *syml
+ __func__, le32_to_cpu(p->ErrorId));
+
+ len = ALIGN(le32_to_cpu(p->ErrorDataLength), 8);
++ if (len > end - ((u8 *)p + sizeof(*p)))
++ return ERR_PTR(-EINVAL);
++
+ p = (struct smb2_error_context_rsp *)(p->ErrorContextData + len);
+ }
+ } else if (le32_to_cpu(err->ByteCount) >= sizeof(*sym) &&
projects / thirdparty / kernel / stable-queue.git / commitdiff
