--- /dev/null
+From stable+bounces-259549-greg=kroah.com@vger.kernel.org Mon Jun 1 14:49:55 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2026 08:49:48 -0400
+Subject: hwmon: (pmbus) Add support for guarded PMBus lock
+To: stable@vger.kernel.org
+Cc: Guenter Roeck <linux@roeck-us.net>, Sanman Pradhan <psanman@juniper.net>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260601124949.768588-1-sashal@kernel.org>
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 1814f4d3ff358277a5b6957e7f133c2812dc80ec ]
+
+Add support for guard(pmbus_lock)() and scoped_guard(pmbus_lock)()
+to be able to simplify the PMBus code.
+
+Also introduce pmbus_lock() as pre-requisite for supporting
+guard().
+
+Reviewed-by: Sanman Pradhan <psanman@juniper.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Stable-dep-of: 4e4af55aaca7 ("hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/pmbus/pmbus.h | 5 +++++
+ drivers/hwmon/pmbus/pmbus_core.c | 8 ++++++++
+ 2 files changed, 13 insertions(+)
+
+--- a/drivers/hwmon/pmbus/pmbus.h
++++ b/drivers/hwmon/pmbus/pmbus.h
+@@ -10,6 +10,7 @@
+ #define PMBUS_H
+
+ #include <linux/bitops.h>
++#include <linux/cleanup.h>
+ #include <linux/regulator/driver.h>
+
+ /*
+@@ -563,7 +564,11 @@ int pmbus_get_fan_rate_device(struct i2c
+ int pmbus_get_fan_rate_cached(struct i2c_client *client, int page, int id,
+ enum pmbus_fan_mode mode);
+ int pmbus_lock_interruptible(struct i2c_client *client);
++void pmbus_lock(struct i2c_client *client);
+ void pmbus_unlock(struct i2c_client *client);
++
++DEFINE_GUARD(pmbus_lock, struct i2c_client *, pmbus_lock(_T), pmbus_unlock(_T))
++
+ int pmbus_update_fan(struct i2c_client *client, int page, int id,
+ u8 config, u8 mask, u16 command);
+ struct dentry *pmbus_get_debugfs_dir(struct i2c_client *client);
+--- a/drivers/hwmon/pmbus/pmbus_core.c
++++ b/drivers/hwmon/pmbus/pmbus_core.c
+@@ -3871,6 +3871,14 @@ struct dentry *pmbus_get_debugfs_dir(str
+ }
+ EXPORT_SYMBOL_NS_GPL(pmbus_get_debugfs_dir, "PMBUS");
+
++void pmbus_lock(struct i2c_client *client)
++{
++ struct pmbus_data *data = i2c_get_clientdata(client);
++
++ mutex_lock(&data->update_lock);
++}
++EXPORT_SYMBOL_NS_GPL(pmbus_lock, "PMBUS");
++
+ int pmbus_lock_interruptible(struct i2c_client *client)
+ {
+ struct pmbus_data *data = i2c_get_clientdata(client);
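Review bot: The new pmbus_lock() has no kernel-doc, and the two properties a user of guard(pmbus_lock)() most needs are not stated anywhere in the hunk: it sleeps uninterruptibly on `data->update_lock`, and it is not recursive. The adm1266 patches on this page describe pmbus_core holding this lock around its own multi-transaction sequences, so a chip driver that used the guard from a callback already running under the lock would presumably deadlock on itself. I would add a comment above the function along the lines of `/* Take the PMBus update lock (uninterruptible, non-recursive); must not be called from code that already holds it. */`. It also dereferences `i2c_get_clientdata(client)` unchecked, so the comment should say the client data must already point at struct pmbus_data.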
--- /dev/null
+From stable+bounces-259573-greg=kroah.com@vger.kernel.org Mon Jun 1 16:01:37 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2026 09:53:37 -0400
+Subject: hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock
+To: stable@vger.kernel.org
+Cc: Abdurrahman Hussain <abdurrahman@nexthop.ai>, Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>, Guenter Roeck <linux@roeck-us.net>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260601135337.798956-2-sashal@kernel.org>
+
+From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
+
+[ Upstream commit bab8c6fb5af8df7e753d196c1262cb78e92ca872 ]
+
+adm1266_gpio_get(), adm1266_gpio_get_multiple(), and
+adm1266_gpio_dbg_show() all issue PMBus reads against the device but
+none of them take pmbus_lock. The pmbus_core framework holds
+pmbus_lock around its own multi-transaction sequences (notably the
+"set PAGE, then read paged register" pattern used by hwmon
+attributes), so an unlocked GPIO accessor can land between a PAGE
+write and the subsequent paged read in another thread and corrupt
+either side's view of the device state machine.
+
+Take pmbus_lock at the top of each of the three accessors via the
+scope-based guard(). The lock is uncontended in the common case and
+adds only a single mutex round-trip per call.
+
+Fixes: d98dfad35c38 ("hwmon: (pmbus/adm1266) Add support for GPIOs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
+Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-6-e425e4f88139@nexthop.ai
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/pmbus/adm1266.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/hwmon/pmbus/adm1266.c
++++ b/drivers/hwmon/pmbus/adm1266.c
+@@ -173,6 +173,8 @@ static int adm1266_gpio_get(struct gpio_
+ else
+ pmbus_cmd = ADM1266_PDIO_STATUS;
+
++ guard(pmbus_lock)(data->client);
++
+ ret = i2c_smbus_read_block_data(data->client, pmbus_cmd, read_buf);
+ if (ret < 0)
+ return ret;
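Review bot: The guard added in adm1266_gpio_get() ends up in pmbus_lock(), which dereferences `i2c_get_clientdata(client)` with no NULL check, so it is only safe once the PMBus core has set the client data. The probe path is not visible in this patch; if the GPIO chip is registered before pmbus_do_probe() runs, a GPIO read in that window would presumably reach `mutex_lock(&data->update_lock)` with a NULL `data`. This is worth confirming against the target stable tree, because the Link trailers suggest these are patches 6 and 8 of a longer upstream series and only those two are queued here. The same applies to the guards in adm1266_gpio_get_multiple() and adm1266_gpio_dbg_show(); all three function bodies continue outside their hunks.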
+@@ -195,6 +197,8 @@ static int adm1266_gpio_get_multiple(str
+ unsigned int gpio_nr;
+ int ret;
+
++ guard(pmbus_lock)(data->client);
++
+ ret = i2c_smbus_read_block_data(data->client, ADM1266_GPIO_STATUS, read_buf);
+ if (ret < 0)
+ return ret;
+@@ -236,6 +240,8 @@ static void adm1266_gpio_dbg_show(struct
+ int ret;
+ int i;
+
++ guard(pmbus_lock)(data->client);
++
+ for (i = 0; i < ADM1266_GPIO_NR; i++) {
+ write_cmd = adm1266_gpio_mapping[i][1];
+ ret = adm1266_pmbus_block_xfer(data, ADM1266_GPIO_CONFIG, 1, &write_cmd, read_buf);
--- /dev/null
+From stable+bounces-259550-greg=kroah.com@vger.kernel.org Mon Jun 1 14:49:58 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2026 08:49:49 -0400
+Subject: hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock
+To: stable@vger.kernel.org
+Cc: Abdurrahman Hussain <abdurrahman@nexthop.ai>, Guenter Roeck <linux@roeck-us.net>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260601124949.768588-2-sashal@kernel.org>
+
+From: Abdurrahman Hussain <abdurrahman@nexthop.ai>
+
+[ Upstream commit 4e4af55aaca7f6d7673d5f9889ad0529db86a048 ]
+
+adm1266_state_read() backs the sequencer_state debugfs entry and
+issues an i2c_smbus_read_word_data(client, ADM1266_READ_STATE)
+against the device without taking pmbus_lock. pmbus_core holds
+pmbus_lock around its own multi-transaction sequences (notably the
+"set PAGE, then read paged register" pattern used by hwmon
+attributes), so an unlocked debugfs reader can land between a PAGE
+write and the subsequent paged read in another thread. READ_STATE
+itself is not paged, so it cannot corrupt PAGE in flight, but the
+same defensive serialisation that applies to the GPIO accessors
+applies here: any direct device access from outside pmbus_core
+should be ordered with respect to pmbus_core's own.
+
+Take pmbus_lock at the top of adm1266_state_read() via the
+scope-based guard().
+
+Fixes: ed1ff457e187 ("hwmon: (pmbus/adm1266) add debugfs for states")
+Cc: stable@vger.kernel.org
+Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
+Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-8-e425e4f88139@nexthop.ai
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/pmbus/adm1266.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/hwmon/pmbus/adm1266.c
++++ b/drivers/hwmon/pmbus/adm1266.c
+@@ -328,6 +328,7 @@ static int adm1266_state_read(struct seq
+ struct i2c_client *client = to_i2c_client(dev);
+ int ret;
+
++ guard(pmbus_lock)(client);
+ ret = i2c_smbus_read_word_data(client, ADM1266_READ_STATE);
+ if (ret < 0)
+ return ret;
--- /dev/null
+From stable+bounces-259530-greg=kroah.com@vger.kernel.org Mon Jun 1 13:14:17 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2026 07:05:09 -0400
+Subject: mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache()
+To: stable@vger.kernel.org
+Cc: Qing Wang <wangqing7171@gmail.com>, "Vlastimil Babka (SUSE)" <vbabka@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260601110509.447056-1-sashal@kernel.org>
+
+From: Qing Wang <wangqing7171@gmail.com>
+
+[ Upstream commit 67ea9d353d0ba12bdbc9183ff568dead9e949b80 ]
+
+flush_rcu_sheaves_on_cache() calls queue_work_on() in a
+for_each_online_cpu() loop, which requires the cpu to stay online.
+But cpus_read_lock() is not held in kvfree_rcu_barrier_on_cache() and the
+set of "online cpus" is subject to change.
+
+There are two paths that call flush_rcu_sheaves_on_cache():
+
+ // has cpus_read_lock()
+ flush_all_rcu_sheaves()
+ -> flush_rcu_sheaves_on_cache()
+
+ // no cpus_read_lock()
+ kvfree_rcu_barrier_on_cache()
+ -> flush_rcu_sheaves_on_cache()
+
+Fix this by holding cpus_read_lock() in kvfree_rcu_barrier_on_cache().
+
+Why not move cpus_read_lock() from flush_all_rcu_sheaves() into
+flush_rcu_sheaves_on_cache()? The reason is it would introduce a new lock
+order (slab_mutex -> cpu_hotplug_lock). The reverse order
+(cpu_hotplug_lock -> slab_mutex) is established by
+
+- cpuhp_setup_state_nocalls(..., slub_cpu_setup, ...)
+- kmem_cache_destroy()
+
+The two orders together would form an AB-BA deadlock.
+
+Finally, add lockdep_assert_cpus_held() in flush_rcu_sheaves_on_cache()
+to catch the same problem in the future.
+
+Fixes: 0f35040de593 ("mm/slab: introduce kvfree_rcu_barrier_on_cache() for cache destruction")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Qing Wang <wangqing7171@gmail.com>
+Link: https://patch.msgid.link/20260512035035.762317-1-wangqing7171@gmail.com
+Signed-off-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/slab_common.c | 2 ++
+ mm/slub.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -2135,7 +2135,9 @@ EXPORT_SYMBOL_GPL(kvfree_rcu_barrier);
+ void kvfree_rcu_barrier_on_cache(struct kmem_cache *s)
+ {
+ if (s->cpu_sheaves) {
++ cpus_read_lock();
+ flush_rcu_sheaves_on_cache(s);
++ cpus_read_unlock();
+ rcu_barrier();
+ }
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -4203,6 +4203,7 @@ void flush_rcu_sheaves_on_cache(struct k
+ struct slub_flush_work *sfw;
+ unsigned int cpu;
+
++ lockdep_assert_cpus_held();
+ mutex_lock(&flush_lock);
+
+ for_each_online_cpu(cpu) {
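Review bot: flush_rcu_sheaves_on_cache() now has a locking precondition that is expressed only as `lockdep_assert_cpus_held()`, which says nothing to a reader and checks nothing on builds without lockdep. The reasoning in the commit message (taking the lock inside this function would create a slab_mutex -> cpu_hotplug_lock order and an AB-BA deadlock) is exactly what a future caller needs and should live next to the code. I would add a comment above the assertion such as `/* Caller must hold cpus_read_lock(); taking it here would invert the cpu_hotplug_lock -> slab_mutex order. */`. The function body starts and ends outside the hunk.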
cpufreq-intel_pstate-use-correct-scaling-factor-on-raptor-lake-e.patch
xfrm-iptfs-reset-runtime-state-when-cloning-sas.patch
usb-dwc3-xilinx-fix-error-handling-in-zynqmp-init-error-paths.patch
+usb-serial-cypress_m8-fix-memory-corruption-with-small-endpoint.patch
+usb-serial-digi_acceleport-fix-memory-corruption-with-small-endpoints.patch
+usb-serial-mct_u232-fix-memory-corruption-with-small-endpoint.patch
+hwmon-pmbus-add-support-for-guarded-pmbus-lock.patch
+hwmon-pmbus-adm1266-serialize-sequencer_state-debugfs-read-with-pmbus_lock.patch
+hwmon-pmbus-adm1266-serialize-gpio-pmbus-accesses-with-pmbus_lock.patch
+mm-slub-hold-cpus_read_lock-around-flush_rcu_sheaves_on_cache.patch
--- /dev/null
+From johan@kernel.org Thu Jun 4 10:37:20 2026
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 4 Jun 2026 10:36:36 +0200
+Subject: USB: serial: cypress_m8: fix memory corruption with small endpoint
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Message-ID: <20260604083636.2650249-1-johan@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+commit e1a9d791fd66ab2431b9e6f6f835823809869047 upstream.
+
+Make sure that the interrupt-out endpoint max packet size is at least
+eight bytes to avoid user-controlled slab corruption or NULL-pointer
+dereference should a malicious device report a smaller size.
+
+Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
+Cc: stable@vger.kernel.org # 2.6.26
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+[ johan: adjust context for 6.18 ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+
+This one should apply to 6.18 and earlier trees that lack kzalloc_obj().
+
+Johan
+
+
+ drivers/usb/serial/cypress_m8.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/cypress_m8.c
++++ b/drivers/usb/serial/cypress_m8.c
+@@ -445,6 +445,14 @@ static int cypress_generic_port_probe(st
+ return -ENODEV;
+ }
+
++ /*
++ * The buffer must be large enough for the one or two-byte header (and
++ * following data), but assume anything smaller than eight bytes is
++ * broken.
++ */
++ if (port->interrupt_out_size < 8)
++ return -EINVAL;
++
+ priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
+ if (!priv)
+ return -ENOMEM;
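Review bot: The new size check returns -EINVAL silently, so a device rejected for an undersized interrupt-out endpoint leaves no trace in the kernel log. Since the commit message treats this as a possibly malicious device, a message before the return would help whoever triages the failed probe, e.g. `dev_err(&port->dev, "interrupt-out endpoint too small: %d\n", port->interrupt_out_size);`. The bare `8` would also read better as a named constant, given that the comment admits it is a chosen threshold rather than the exact header size. The same silent rejection occurs in the digi_startup() checks of the digi_acceleport patch on this page. cypress_generic_port_probe() starts and ends outside the hunk.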
--- /dev/null
+From johan@kernel.org Thu Jun 4 14:08:16 2026
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 4 Jun 2026 14:07:58 +0200
+Subject: USB: serial: digi_acceleport: fix memory corruption with small endpoints
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Message-ID: <20260604120758.2769085-1-johan@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+commit cb3560e8eab1dfa1cac1ed52631adf8ec6ff2cd5 upstream.
+
+Add the missing bulk-out buffer size sanity checks to avoid
+out-of-bounds memory accesses or slab corruption should a malicious
+device report smaller buffers than expected.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+
+Should apply also to older trees without kzalloc_obj().
+
+Johan
+
+
+ drivers/usb/serial/digi_acceleport.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/digi_acceleport.c
++++ b/drivers/usb/serial/digi_acceleport.c
+@@ -1229,15 +1229,34 @@ static int digi_port_init(struct usb_ser
+ static int digi_startup(struct usb_serial *serial)
+ {
+ struct digi_serial *serial_priv;
++ int oob_port_num;
+ int ret;
++ int i;
++
++ /*
++ * The port bulk-out buffers must be large enough for header and
++ * buffered data.
++ */
++ for (i = 0; i < serial->type->num_ports; i++) {
++ if (serial->port[i]->bulk_out_size < DIGI_OUT_BUF_SIZE + 2)
++ return -EINVAL;
++ }
++
++ /*
++ * The OOB port bulk-out buffer must be large enough for the two
++ * commands in digi_set_modem_signals().
++ */
++ oob_port_num = serial->type->num_ports;
++ if (serial->port[oob_port_num]->bulk_out_size < 8)
++ return -EINVAL;
+
+ serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
+ if (!serial_priv)
+ return -ENOMEM;
+
+ spin_lock_init(&serial_priv->ds_serial_lock);
+- serial_priv->ds_oob_port_num = serial->type->num_ports;
+- serial_priv->ds_oob_port = serial->port[serial_priv->ds_oob_port_num];
++ serial_priv->ds_oob_port_num = oob_port_num;
++ serial_priv->ds_oob_port = serial->port[oob_port_num];
+
+ ret = digi_port_init(serial_priv->ds_oob_port,
+ serial_priv->ds_oob_port_num);
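Review bot: Both new checks index `serial->port[]` up to and including `num_ports` and dereference each entry without a NULL test, so they rely on the core having set up `num_ports + 1` ports before digi_startup() runs. The removed lines made the same assumption for the OOB port, but now that this runs as input validation against a hostile device, a one-line comment saying where that count is guaranteed would help. The literal `8` encodes the size of the two commands in digi_set_modem_signals() and can silently go stale if that function changes; a named constant shared with it would be safer. digi_startup() continues past the end of the hunk.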
--- /dev/null
+From johan@kernel.org Thu Jun 4 14:11:44 2026
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 4 Jun 2026 14:11:33 +0200
+Subject: USB: serial: mct_u232: fix memory corruption with small endpoint
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Message-ID: <20260604121133.2771807-1-johan@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 915b36d701950503c4ea0f6e314b10868e59fce3 upstream.
+
+The driver overrides the maximum transfer size for a specific device
+which only accepts 16 byte packets for its 32 byte bulk-out endpoint.
+
+Make sure to never increase the maximum transfer size to prevent slab
+corruption should a malicious device report a smaller endpoint max
+packet size than expected.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/mct_u232.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -378,6 +378,7 @@ static int mct_u232_port_probe(struct us
+ {
+ struct usb_serial *serial = port->serial;
+ struct mct_u232_private *priv;
++ u16 pid;
+
+ /* check first to simplify error handling */
+ if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
+@@ -385,6 +386,16 @@ static int mct_u232_port_probe(struct us
+ return -ENODEV;
+ }
+
++ /*
++ * Compensate for a hardware bug: although the Sitecom U232-P25
++ * device reports a maximum output packet size of 32 bytes,
++ * it seems to be able to accept only 16 bytes (and that's what
++ * SniffUSB says too...)
++ */
++ pid = le16_to_cpu(serial->dev->descriptor.idProduct);
++ if (pid == MCT_U232_SITECOM_PID)
++ port->bulk_out_size = min(16, port->bulk_out_size);
++
+ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+ return -ENOMEM;
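Review bot: The comment above the clamp still explains only the Sitecom hardware quirk; the reason for using `min()` instead of the old plain assignment is recorded only in the commit message. I would add a sentence to the comment, e.g. `* Never raise the size above what the endpoint reported.`, so that a later cleanup does not turn the line back into `port->bulk_out_size = 16;`. mct_u232_port_probe() continues outside the hunk.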
+@@ -410,7 +421,6 @@ static void mct_u232_port_remove(struct
+
+ static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
+ {
+- struct usb_serial *serial = port->serial;
+ struct mct_u232_private *priv = usb_get_serial_port_data(port);
+ int retval = 0;
+ unsigned int control_state;
+@@ -418,15 +428,6 @@ static int mct_u232_open(struct tty_str
+ unsigned char last_lcr;
+ unsigned char last_msr;
+
+- /* Compensate for a hardware bug: although the Sitecom U232-P25
+- * device reports a maximum output packet size of 32 bytes,
+- * it seems to be able to accept only 16 bytes (and that's what
+- * SniffUSB says too...)
+- */
+- if (le16_to_cpu(serial->dev->descriptor.idProduct)
+- == MCT_U232_SITECOM_PID)
+- port->bulk_out_size = 16;
+-
+ /* Do a defined restart: the normal serial device seems to
+ * always turn on DTR and RTS here, so do the same. I'm not
+ * sure if this is really necessary. But it should not harm