--- /dev/null
+From 8175fa7af4104238631b64b5c73101e557f1dbee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jun 2026 19:48:35 +0300
+Subject: bonding: limit BOND_MODE_8023AD to Ethernet devices
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 upstream.
+
+BOND_MODE_8023AD makes sense for ARPHRD_ETHER only.
+
+syzbot reported:
+
+ BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
+ BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
+Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497
+
+CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full)
+Tainted: [L]=SOFTLOCKUP
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ check_region_inline mm/kasan/generic.c:-1 [inline]
+ kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200
+ __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
+ __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
+ __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
+ __dev_mc_add net/core/dev_addr_lists.c:868 [inline]
+ dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886
+ bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180
+ do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963
+ do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165
+ rtnl_changelink net/core/rtnetlink.c:3776 [inline]
+ __rtnl_newlink net/core/rtnetlink.c:3935 [inline]
+ rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072
+ rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958
+ netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
+ netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
+ netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
+ netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg+0x21c/0x270 net/socket.c:742
+ ____sys_sendmsg+0x505/0x820 net/socket.c:2592
+ ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646
+ __sys_sendmsg+0x164/0x220 net/socket.c:2678
+ do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
+ __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307
+ do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332
+ entry_SYSENTER_compat_after_hwframe+0x84/0x8e
+ </TASK>
+
+The buggy address belongs to the variable:
+ lacpdu_mcast_addr+0x0/0x40
+
+Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
+Reported-by: syzbot+9c081b17773615f24672@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6966946b.a70a0220.245e30.0002.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Andrew Lunn <andrew+netdev@lunn.ch>
+Acked-by: Jay Vosburgh <jv@jvosburgh.net>
+Link: https://patch.msgid.link/20260113191201.3970737-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Alexey: Replace SLAVE_NL_ERR() with NL_SET_ERR_MSG() and slave_err()
+ because SLAVE_NL_ERR() is not present in linux-5.10.y. ]
+Signed-off-by: Alexey Panov <apanov@astralinux.ru>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 812e1792c232e1..86f0f155e9862c 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1763,6 +1763,13 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+ */
+ if (!bond_has_slaves(bond)) {
+ if (bond_dev->type != slave_dev->type) {
++ if (slave_dev->type != ARPHRD_ETHER &&
++ BOND_MODE(bond) == BOND_MODE_8023AD) {
++ NL_SET_ERR_MSG(extack, "8023AD mode requires Ethernet devices");
++ slave_err(bond_dev, slave_dev,
++ "Error: 8023AD mode requires Ethernet devices\n");
++ return -EINVAL;
++ }
+ slave_dbg(bond_dev, slave_dev, "change device type from %d to %d\n",
+ bond_dev->type, slave_dev->type);
+
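Review bot: The new 802.3ad rejection sits inside `if (bond_dev->type != slave_dev->type)`, so it is evaluated only when the first slave's type differs from the bond's current type. If the bond device can already carry a non-Ethernet type while it has no slaves, a device of that same type would skip the check; whether that state is reachable is not visible in this hunk. Moving the test up one level, directly under `if (!bond_has_slaves(bond))`, would make it independent of the type comparison. bond_enslave() starts and ends outside the hunk.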
+--
+2.53.0
+
--- /dev/null
+From ec4978746d021110566cee95bfb7ae759b96c746 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jun 2026 19:44:30 +0300
+Subject: ext4: validate p_idx bounds in ext4_ext_correct_indexes
+
+From: Tejas Bharambe <tejas.bharambe@outlook.com>
+
+commit 2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8 upstream.
+
+ext4_ext_correct_indexes() walks up the extent tree correcting
+index entries when the first extent in a leaf is modified. Before
+accessing path[k].p_idx->ei_block, there is no validation that
+p_idx falls within the valid range of index entries for that
+level.
+
+If the on-disk extent header contains a corrupted or crafted
+eh_entries value, p_idx can point past the end of the allocated
+buffer, causing a slab-out-of-bounds read.
+
+Fix this by validating path[k].p_idx against EXT_LAST_INDEX() at
+both access sites: before the while loop and inside it. Return
+-EFSCORRUPTED if the index pointer is out of range, consistent
+with how other bounds violations are handled in the ext4 extent
+tree code.
+
+Reported-by: syzbot+04c4e65cab786a2e5b7e@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=04c4e65cab786a2e5b7e
+Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
+Link: https://patch.msgid.link/JH0PR06MB66326016F9B6AD24097D232B897CA@JH0PR06MB6632.apcprd06.prod.outlook.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+[ Alexey: Adapt goto clean to break because the clean error path is not
+ present in linux-5.10.y and linux-5.15.y. ]
+Signed-off-by: Alexey Panov <apanov@astralinux.ru>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/extents.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 6d37805d315507..388e47dfb7aa18 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -1731,6 +1731,13 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode,
+ err = ext4_ext_get_access(handle, inode, path + k);
+ if (err)
+ return err;
++ if (unlikely(path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr))) {
++ EXT4_ERROR_INODE(inode,
++ "path[%d].p_idx %p > EXT_LAST_INDEX %p",
++ k, path[k].p_idx,
++ EXT_LAST_INDEX(path[k].p_hdr));
++ return -EFSCORRUPTED;
++ }
+ path[k].p_idx->ei_block = border;
+ err = ext4_ext_dirty(handle, inode, path + k);
+ if (err)
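Review bot: Both added guards (here and in the loop hunk that follows) bound `path[k].p_idx` by `EXT_LAST_INDEX(path[k].p_hdr)`, a limit derived from the same header's `eh_entries`. They therefore catch a `p_idx` left beyond the current entry count, but not an entry count that itself exceeds the block; that case depends on header validation elsewhere, which these hunks do not show. The message also prints both pointers with `%p`, which the kernel hashes by default, so the log cannot show how far out of range the index was. Printing the offset and the count, e.g. `(int)(path[k].p_idx - EXT_FIRST_INDEX(path[k].p_hdr))` and `le16_to_cpu(path[k].p_hdr->eh_entries)`, would be more useful. The same two hunks appear again in the second copy of this patch further down the page, and the function body starts and ends outside them.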
+@@ -1743,6 +1750,14 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode,
+ err = ext4_ext_get_access(handle, inode, path + k);
+ if (err)
+ break;
++ if (unlikely(path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr))) {
++ EXT4_ERROR_INODE(inode,
++ "path[%d].p_idx %p > EXT_LAST_INDEX %p",
++ k, path[k].p_idx,
++ EXT_LAST_INDEX(path[k].p_hdr));
++ err = -EFSCORRUPTED;
++ break;
++ }
+ path[k].p_idx->ei_block = border;
+ err = ext4_ext_dirty(handle, inode, path + k);
+ if (err)
+--
+2.53.0
+
--- /dev/null
+From 832f045982ddf99a925fd86d481f63ec73e5d468 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jun 2026 20:23:54 +0300
+Subject: nfsd: don't ignore the return code of svc_proc_register()
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit 930b64ca0c511521f0abdd1d57ce52b2a6e3476b upstream.
+
+Currently, nfsd_proc_stat_init() ignores the return value of
+svc_proc_register(). If the procfile creation fails, then the kernel
+will WARN when it tries to remove the entry later.
+
+Fix nfsd_proc_stat_init() to return the same type of pointer as
+svc_proc_register(), and fix up nfsd_net_init() to check that and fail
+the nfsd_net construction if it occurs.
+
+svc_proc_register() can fail if the dentry can't be allocated, or if an
+identical dentry already exists. The second case is pretty unlikely in
+the nfsd_net construction codepath, so if this happens, return -ENOMEM.
+
+Reported-by: syzbot+e34ad04f27991521104c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-nfs/67a47501.050a0220.19061f.05f9.GAE@google.com/
+Cc: stable@vger.kernel.org # v6.9
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Vladislav Nikolaev <vlad102nikolaev@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfsctl.c | 9 ++++++++-
+ fs/nfsd/stats.c | 4 ++--
+ fs/nfsd/stats.h | 2 +-
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
+index 8178d7d016487a..5cd264171daeee 100644
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1471,17 +1471,24 @@ static __net_init int nfsd_init_net(struct net *net)
+ retval = nfsd_stat_counters_init(nn);
+ if (retval)
+ goto out_repcache_error;
++
+ memset(&nn->nfsd_svcstats, 0, sizeof(nn->nfsd_svcstats));
+ nn->nfsd_svcstats.program = &nfsd_program;
++ if (!nfsd_proc_stat_init(net)) {
++ retval = -ENOMEM;
++ goto out_proc_error;
++ }
++
+ nn->nfsd_versions = NULL;
+ nn->nfsd4_minorversions = NULL;
+ nfsd4_init_leases_net(nn);
+ get_random_bytes(&nn->siphash_key, sizeof(nn->siphash_key));
+ seqlock_init(&nn->writeverf_lock);
+- nfsd_proc_stat_init(net);
+
+ return 0;
+
++out_proc_error:
++ nfsd_stat_counters_destroy(nn);
+ out_repcache_error:
+ nfsd_idmap_shutdown(net);
+ out_idmap_error:
+diff --git a/fs/nfsd/stats.c b/fs/nfsd/stats.c
+index 7a58dba0045c3b..6d1c6067c80e3b 100644
+--- a/fs/nfsd/stats.c
++++ b/fs/nfsd/stats.c
+@@ -113,11 +113,11 @@ void nfsd_stat_counters_destroy(struct nfsd_net *nn)
+ nfsd_percpu_counters_destroy(nn->counter, NFSD_STATS_COUNTERS_NUM);
+ }
+
+-void nfsd_proc_stat_init(struct net *net)
++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net)
+ {
+ struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+
+- svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
++ return svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
+ }
+
+ void nfsd_proc_stat_shutdown(struct net *net)
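Review bot: `nfsd_proc_stat_init()` now reports failure by returning NULL, but neither the definition here nor the prototype in the stats.h hunk says so. Nothing stops a future caller from ignoring the result again, which is the bug this commit fixes. A kernel-doc line such as `Return: the new proc entry, or NULL if registration failed`, plus `struct proc_dir_entry * __must_check nfsd_proc_stat_init(struct net *net);` in the header, would make the contract explicit. The same hunks appear again in the second copy of this patch further down the page.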
+diff --git a/fs/nfsd/stats.h b/fs/nfsd/stats.h
+index 14525e854cbac3..b9329285bc1d79 100644
+--- a/fs/nfsd/stats.h
++++ b/fs/nfsd/stats.h
+@@ -15,7 +15,7 @@ void nfsd_percpu_counters_reset(struct percpu_counter *counters, int num);
+ void nfsd_percpu_counters_destroy(struct percpu_counter *counters, int num);
+ int nfsd_stat_counters_init(struct nfsd_net *nn);
+ void nfsd_stat_counters_destroy(struct nfsd_net *nn);
+-void nfsd_proc_stat_init(struct net *net);
++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net);
+ void nfsd_proc_stat_shutdown(struct net *net);
+
+ static inline void nfsd_stats_rc_hits_inc(struct nfsd_net *nn)
+--
+2.53.0
+
signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
time-fix-off-by-one-in-settimeofday-usec-validation.patch
alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch
+ext4-validate-p_idx-bounds-in-ext4_ext_correct_index.patch
+bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch
+usbnet-fix-using-smp_processor_id-in-preemptible-cod.patch
+nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch
+wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch
+spi-meson-spicc-fix-double-put-in-remove-path.patch
--- /dev/null
+From 2b73cb8983b7e0f9a86e47087182ec91c663799d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Jun 2026 19:11:29 +0300
+Subject: spi: meson-spicc: Fix double-put in remove path
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+commit 63542bb402b7013171c9f621c28b609eda4dbf1f upstream.
+
+meson_spicc_probe() registers the controller with
+devm_spi_register_controller(), so teardown already drops the
+controller reference via devm cleanup.
+
+Calling spi_controller_put() again in meson_spicc_remove()
+causes a double-put.
+
+Fixes: 8311ee2164c5 ("spi: meson-spicc: fix memory leak in meson_spicc_remove")
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260322-rockchip-v1-1-fac3f0c6dad8@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+[ Alexey: Remove the equivalent legacy spi_master_put() call used in
+ linux-5.10.y. ]
+Signed-off-by: Alexey Panov <apanov@astralinux.ru>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-meson-spicc.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/spi/spi-meson-spicc.c b/drivers/spi/spi-meson-spicc.c
+index 6974a1c947aad6..ae818e7df79198 100644
+--- a/drivers/spi/spi-meson-spicc.c
++++ b/drivers/spi/spi-meson-spicc.c
+@@ -863,8 +863,6 @@ static int meson_spicc_remove(struct platform_device *pdev)
+ clk_disable_unprepare(spicc->core);
+ clk_disable_unprepare(spicc->pclk);
+
+- spi_master_put(spicc->master);
+-
+ return 0;
+ }
+
+--
+2.53.0
+
--- /dev/null
+From 73b4cc7a7d68a2c8d5df6ea3897da01f48b9c370 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jun 2026 19:46:44 +0300
+Subject: usbnet: Fix using smp_processor_id() in preemptible code warnings
+
+From: Zqiang <qiang.zhang@linux.dev>
+
+commit 327cd4b68b4398b6c24f10eb2b2533ffbfc10185 upstream.
+
+Syzbot reported the following warning:
+
+BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879
+caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
+CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
+ check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49
+ usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
+ usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708
+ usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417
+ __dev_set_mtu net/core/dev.c:9443 [inline]
+ netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496
+ netif_set_mtu+0xb0/0x160 net/core/dev.c:9520
+ dev_set_mtu+0xae/0x170 net/core/dev_api.c:247
+ dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572
+ dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821
+ sock_do_ioctl+0x19d/0x280 net/socket.c:1204
+ sock_ioctl+0x42f/0x6a0 net/socket.c:1311
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:906 [inline]
+ __se_sys_ioctl fs/ioctl.c:892 [inline]
+ __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+For historical and portability reasons, the netif_rx() is usually
+run in the softirq or interrupt context, this commit therefore add
+local_bh_disable/enable() protection in the usbnet_resume_rx().
+
+Fixes: 43daa96b166c ("usbnet: Stop RX Q on MTU change")
+Link: https://syzkaller.appspot.com/bug?id=81f55dfa587ee544baaaa5a359a060512228c1e1
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Zqiang <qiang.zhang@linux.dev>
+Link: https://patch.msgid.link/20251011070518.7095-1-qiang.zhang@linux.dev
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+[ Alexey: Keep tasklet_schedule() because commit 2c04d279e857 ("net: usb:
+ Convert tasklet API to new bottom half workqueue mechanism") is not present
+ in linux-5.10.y. ]
+Signed-off-by: Alexey Panov <apanov@astralinux.ru>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/usbnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 4a83228a2db578..4b34544d88aa86 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -684,6 +684,7 @@ void usbnet_resume_rx(struct usbnet *dev)
+ struct sk_buff *skb;
+ int num = 0;
+
++ local_bh_disable();
+ clear_bit(EVENT_RX_PAUSED, &dev->flags);
+
+ while ((skb = skb_dequeue(&dev->rxq_pause)) != NULL) {
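Review bot: The added `local_bh_disable()` / `local_bh_enable()` pair (this hunk and the next one) has no comment, and nothing in the function says which callee needs bottom halves off. The commit message attributes it to `netif_rx()` reached through `usbnet_skb_return()`, but that call is in the loop body outside both hunks. A one-line comment above the disable, e.g. `/* usbnet_skb_return() -> netif_rx() must not run in preemptible context */`, would keep a later cleanup from removing the pair or narrowing it incorrectly.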
+@@ -692,6 +693,7 @@ void usbnet_resume_rx(struct usbnet *dev)
+ }
+
+ tasklet_schedule(&dev->bh);
++ local_bh_enable();
+
+ netif_dbg(dev, rx_status, dev->net,
+ "paused rx queue disabled, %d skbs requeued\n", num);
+--
+2.53.0
+
--- /dev/null
+From b99bdcc6ed86411c6d34428016f74a8e90c680a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jun 2026 21:11:08 +0300
+Subject: wifi: mac80211: check tdls flag in ieee80211_tdls_oper
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+commit 7d73872d949c488a1d7c308031d6a9d89b5e0a8b upstream.
+
+When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the
+station exists but not whether it is actually a TDLS station. This
+allows the operation to proceed for non-TDLS stations, causing
+unintended side effects like modifying channel context and HT
+protection before failing.
+
+Add a check for sta->sta.tdls early in the ENABLE_LINK case, before
+any side effects occur, to ensure the operation is only allowed for
+actual TDLS peers.
+
+Reported-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=56b6a844a4ea74487b7b
+Tested-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
+Suggested-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Link: https://patch.msgid.link/20260313092417.520807-1-kartikey406@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+[ Alexey: Adapted to the older sta_mtx locking and error-handling flow. ]
+Signed-off-by: Alexey Panov <apanov@astralinux.ru>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tdls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
+index e01e4daeb8cd31..66e32f1d0a989a 100644
+--- a/net/mac80211/tdls.c
++++ b/net/mac80211/tdls.c
+@@ -1380,7 +1380,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev,
+
+ mutex_lock(&local->sta_mtx);
+ sta = sta_info_get(sdata, peer);
+- if (!sta) {
++ if (!sta || !sta->sta.tdls) {
+ mutex_unlock(&local->sta_mtx);
+ ret = -ENOLINK;
+ break;
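Review bot: The extended test `if (!sta || !sta->sta.tdls)` has no comment explaining that it must run before the code below it changes state, and it folds "no such station" and "station is not a TDLS peer" into the same `-ENOLINK`. The commit message names the channel-context and HT-protection updates as the side effects being avoided, and those lie below the hunk. A short comment such as `/* reject non-TDLS stations before any chanctx/HT protection update */` would document the ordering requirement. Whether the other operations handled by ieee80211_tdls_oper() need the same flag check cannot be judged from this hunk.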
+--
+2.53.0
+
--- /dev/null
+From bae3a2fa291d838c800804771fca282d1b94e2d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jun 2026 19:44:30 +0300
+Subject: ext4: validate p_idx bounds in ext4_ext_correct_indexes
+
+From: Tejas Bharambe <tejas.bharambe@outlook.com>
+
+commit 2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8 upstream.
+
+ext4_ext_correct_indexes() walks up the extent tree correcting
+index entries when the first extent in a leaf is modified. Before
+accessing path[k].p_idx->ei_block, there is no validation that
+p_idx falls within the valid range of index entries for that
+level.
+
+If the on-disk extent header contains a corrupted or crafted
+eh_entries value, p_idx can point past the end of the allocated
+buffer, causing a slab-out-of-bounds read.
+
+Fix this by validating path[k].p_idx against EXT_LAST_INDEX() at
+both access sites: before the while loop and inside it. Return
+-EFSCORRUPTED if the index pointer is out of range, consistent
+with how other bounds violations are handled in the ext4 extent
+tree code.
+
+Reported-by: syzbot+04c4e65cab786a2e5b7e@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=04c4e65cab786a2e5b7e
+Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
+Link: https://patch.msgid.link/JH0PR06MB66326016F9B6AD24097D232B897CA@JH0PR06MB6632.apcprd06.prod.outlook.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+[ Alexey: Adapt goto clean to break because the clean error path is not
+ present in linux-5.10.y and linux-5.15.y. ]
+Signed-off-by: Alexey Panov <apanov@astralinux.ru>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/extents.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 80b7783c65b41e..e6dbb2dfb3318f 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -1736,6 +1736,13 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode,
+ err = ext4_ext_get_access(handle, inode, path + k);
+ if (err)
+ return err;
++ if (unlikely(path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr))) {
++ EXT4_ERROR_INODE(inode,
++ "path[%d].p_idx %p > EXT_LAST_INDEX %p",
++ k, path[k].p_idx,
++ EXT_LAST_INDEX(path[k].p_hdr));
++ return -EFSCORRUPTED;
++ }
+ path[k].p_idx->ei_block = border;
+ err = ext4_ext_dirty(handle, inode, path + k);
+ if (err)
+@@ -1748,6 +1755,14 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode,
+ err = ext4_ext_get_access(handle, inode, path + k);
+ if (err)
+ break;
++ if (unlikely(path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr))) {
++ EXT4_ERROR_INODE(inode,
++ "path[%d].p_idx %p > EXT_LAST_INDEX %p",
++ k, path[k].p_idx,
++ EXT_LAST_INDEX(path[k].p_hdr));
++ err = -EFSCORRUPTED;
++ break;
++ }
+ path[k].p_idx->ei_block = border;
+ err = ext4_ext_dirty(handle, inode, path + k);
+ if (err)
+--
+2.53.0
+
--- /dev/null
+From 6b1aec5765e2306339d1ad6ac2246e5e5ba06c32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Mar 2023 18:23:03 +0800
+Subject: fs/ntfs3: Return error for inconsistent extended attributes
+
+From: Edward Lo <loyuantsung@gmail.com>
+
+[ Upstream commit c9db0ff04649aa0b45f497183c957fe260f229f6 ]
+
+ntfs_read_ea is called when we want to read extended attributes. There
+are some sanity checks for the validity of the EAs. However, it fails to
+return a proper error code for the inconsistent attributes, which might
+lead to unpredicted memory accesses after return.
+
+[ 138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0
+[ 138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199
+[ 138.931132]
+[ 138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4
+[ 138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+[ 138.947327] Call Trace:
+[ 138.949557] <TASK>
+[ 138.951539] dump_stack_lvl+0x4d/0x67
+[ 138.956834] print_report+0x16f/0x4a6
+[ 138.960798] ? ntfs_set_ea+0x453/0xbf0
+[ 138.964437] ? kasan_complete_mode_report_info+0x7d/0x200
+[ 138.969793] ? ntfs_set_ea+0x453/0xbf0
+[ 138.973523] kasan_report+0xb8/0x140
+[ 138.976740] ? ntfs_set_ea+0x453/0xbf0
+[ 138.980578] __asan_store4+0x76/0xa0
+[ 138.984669] ntfs_set_ea+0x453/0xbf0
+[ 138.988115] ? __pfx_ntfs_set_ea+0x10/0x10
+[ 138.993390] ? kernel_text_address+0xd3/0xe0
+[ 138.998270] ? __kernel_text_address+0x16/0x50
+[ 139.002121] ? unwind_get_return_address+0x3e/0x60
+[ 139.005659] ? __pfx_stack_trace_consume_entry+0x10/0x10
+[ 139.010177] ? arch_stack_walk+0xa2/0x100
+[ 139.013657] ? filter_irq_stacks+0x27/0x80
+[ 139.017018] ntfs_setxattr+0x405/0x440
+[ 139.022151] ? __pfx_ntfs_setxattr+0x10/0x10
+[ 139.026569] ? kvmalloc_node+0x2d/0x120
+[ 139.030329] ? kasan_save_stack+0x41/0x60
+[ 139.033883] ? kasan_save_stack+0x2a/0x60
+[ 139.037338] ? kasan_set_track+0x29/0x40
+[ 139.040163] ? kasan_save_alloc_info+0x1f/0x30
+[ 139.043588] ? __kasan_kmalloc+0x8b/0xa0
+[ 139.047255] ? __kmalloc_node+0x68/0x150
+[ 139.051264] ? kvmalloc_node+0x2d/0x120
+[ 139.055301] ? vmemdup_user+0x2b/0xa0
+[ 139.058584] __vfs_setxattr+0x121/0x170
+[ 139.062617] ? __pfx___vfs_setxattr+0x10/0x10
+[ 139.066282] __vfs_setxattr_noperm+0x97/0x300
+[ 139.070061] __vfs_setxattr_locked+0x145/0x170
+[ 139.073580] vfs_setxattr+0x137/0x2a0
+[ 139.076641] ? __pfx_vfs_setxattr+0x10/0x10
+[ 139.080223] ? __kasan_check_write+0x18/0x20
+[ 139.084234] do_setxattr+0xce/0x150
+[ 139.087768] setxattr+0x126/0x140
+[ 139.091250] ? __pfx_setxattr+0x10/0x10
+[ 139.094948] ? __virt_addr_valid+0xcb/0x140
+[ 139.097838] ? __call_rcu_common.constprop.0+0x1c7/0x330
+[ 139.102688] ? debug_smp_processor_id+0x1b/0x30
+[ 139.105985] ? kasan_quarantine_put+0x5b/0x190
+[ 139.109980] ? putname+0x84/0xa0
+[ 139.113886] ? __kasan_slab_free+0x11e/0x1b0
+[ 139.117961] ? putname+0x84/0xa0
+[ 139.121316] ? preempt_count_sub+0x1c/0xd0
+[ 139.124427] ? __mnt_want_write+0xae/0x100
+[ 139.127836] ? mnt_want_write+0x8f/0x150
+[ 139.130954] path_setxattr+0x164/0x180
+[ 139.133998] ? __pfx_path_setxattr+0x10/0x10
+[ 139.137853] ? __pfx_ksys_pwrite64+0x10/0x10
+[ 139.141299] ? debug_smp_processor_id+0x1b/0x30
+[ 139.145714] ? fpregs_assert_state_consistent+0x6b/0x80
+[ 139.150796] __x64_sys_setxattr+0x71/0x90
+[ 139.155407] do_syscall_64+0x3f/0x90
+[ 139.159035] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[ 139.163843] RIP: 0033:0x7f108cae4469
+[ 139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088
+[ 139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc
+[ 139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469
+[ 139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6
+[ 139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618
+[ 139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0
+[ 139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15: 0000000000000000
+
+Signed-off-by: Edward Lo <loyuantsung@gmail.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/xattr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
+index 4a7753384b0e93..5016f0ef75d529 100644
+--- a/fs/ntfs3/xattr.c
++++ b/fs/ntfs3/xattr.c
+@@ -140,6 +140,7 @@ static int ntfs_read_ea(struct ntfs_inode *ni, struct EA_FULL **ea,
+
+ memset(Add2Ptr(ea_p, size), 0, add_bytes);
+
++ err = -EINVAL;
+ /* Check all attributes for consistency. */
+ for (off = 0; off < size; off += ea_size) {
+ const struct EA_FULL *ef = Add2Ptr(ea_p, off);
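Review bot: `err = -EINVAL;` is preset once before the consistency loop, so the fix depends on every bail-out inside the loop leaving `err` untouched and on the success path after the loop not returning this value. Both lie outside the hunk and should be confirmed. Assigning the error at each failing check, next to its `goto`, would be less fragile if more checks are added later. The assignment is also placed above the `/* Check all attributes for consistency. */` comment, where it reads as if it belonged to the preceding `memset()`; moving it below the comment, or adding `/* any inconsistency below is reported as -EINVAL */`, would make the intent clear.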
+--
+2.53.0
+
--- /dev/null
+From 63c6338d6606ac2541aa575a86726846fc25fb92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jun 2026 20:23:54 +0300
+Subject: nfsd: don't ignore the return code of svc_proc_register()
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit 930b64ca0c511521f0abdd1d57ce52b2a6e3476b upstream.
+
+Currently, nfsd_proc_stat_init() ignores the return value of
+svc_proc_register(). If the procfile creation fails, then the kernel
+will WARN when it tries to remove the entry later.
+
+Fix nfsd_proc_stat_init() to return the same type of pointer as
+svc_proc_register(), and fix up nfsd_net_init() to check that and fail
+the nfsd_net construction if it occurs.
+
+svc_proc_register() can fail if the dentry can't be allocated, or if an
+identical dentry already exists. The second case is pretty unlikely in
+the nfsd_net construction codepath, so if this happens, return -ENOMEM.
+
+Reported-by: syzbot+e34ad04f27991521104c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-nfs/67a47501.050a0220.19061f.05f9.GAE@google.com/
+Cc: stable@vger.kernel.org # v6.9
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Vladislav Nikolaev <vlad102nikolaev@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfsctl.c | 9 ++++++++-
+ fs/nfsd/stats.c | 4 ++--
+ fs/nfsd/stats.h | 2 +-
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
+index ba2eaf3744efa4..cc0dea883fbdb2 100644
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1460,17 +1460,24 @@ static __net_init int nfsd_init_net(struct net *net)
+ retval = nfsd_stat_counters_init(nn);
+ if (retval)
+ goto out_repcache_error;
++
+ memset(&nn->nfsd_svcstats, 0, sizeof(nn->nfsd_svcstats));
+ nn->nfsd_svcstats.program = &nfsd_program;
++ if (!nfsd_proc_stat_init(net)) {
++ retval = -ENOMEM;
++ goto out_proc_error;
++ }
++
+ nn->nfsd_versions = NULL;
+ nn->nfsd4_minorversions = NULL;
+ nfsd4_init_leases_net(nn);
+ get_random_bytes(&nn->siphash_key, sizeof(nn->siphash_key));
+ seqlock_init(&nn->writeverf_lock);
+- nfsd_proc_stat_init(net);
+
+ return 0;
+
++out_proc_error:
++ nfsd_stat_counters_destroy(nn);
+ out_repcache_error:
+ nfsd_idmap_shutdown(net);
+ out_idmap_error:
+diff --git a/fs/nfsd/stats.c b/fs/nfsd/stats.c
+index 7a58dba0045c3b..6d1c6067c80e3b 100644
+--- a/fs/nfsd/stats.c
++++ b/fs/nfsd/stats.c
+@@ -113,11 +113,11 @@ void nfsd_stat_counters_destroy(struct nfsd_net *nn)
+ nfsd_percpu_counters_destroy(nn->counter, NFSD_STATS_COUNTERS_NUM);
+ }
+
+-void nfsd_proc_stat_init(struct net *net)
++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net)
+ {
+ struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+
+- svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
++ return svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
+ }
+
+ void nfsd_proc_stat_shutdown(struct net *net)
+diff --git a/fs/nfsd/stats.h b/fs/nfsd/stats.h
+index 14525e854cbac3..b9329285bc1d79 100644
+--- a/fs/nfsd/stats.h
++++ b/fs/nfsd/stats.h
+@@ -15,7 +15,7 @@ void nfsd_percpu_counters_reset(struct percpu_counter *counters, int num);
+ void nfsd_percpu_counters_destroy(struct percpu_counter *counters, int num);
+ int nfsd_stat_counters_init(struct nfsd_net *nn);
+ void nfsd_stat_counters_destroy(struct nfsd_net *nn);
+-void nfsd_proc_stat_init(struct net *net);
++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net);
+ void nfsd_proc_stat_shutdown(struct net *net);
+
+ static inline void nfsd_stats_rc_hits_inc(struct nfsd_net *nn)
+--
+2.53.0
+
i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
time-fix-off-by-one-in-settimeofday-usec-validation.patch
+ext4-validate-p_idx-bounds-in-ext4_ext_correct_index.patch
+fs-ntfs3-return-error-for-inconsistent-extended-attr.patch
+nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch
--- /dev/null
+From 687b9b40eb75da397c90c7a83c3f70e6552a7e17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Mar 2023 18:23:03 +0800
+Subject: fs/ntfs3: Return error for inconsistent extended attributes
+
+From: Edward Lo <loyuantsung@gmail.com>
+
+[ Upstream commit c9db0ff04649aa0b45f497183c957fe260f229f6 ]
+
+ntfs_read_ea is called when we want to read extended attributes. There
+are some sanity checks for the validity of the EAs. However, it fails to
+return a proper error code for the inconsistent attributes, which might
+lead to unpredicted memory accesses after return.
+
+[ 138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0
+[ 138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199
+[ 138.931132]
+[ 138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4
+[ 138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+[ 138.947327] Call Trace:
+[ 138.949557] <TASK>
+[ 138.951539] dump_stack_lvl+0x4d/0x67
+[ 138.956834] print_report+0x16f/0x4a6
+[ 138.960798] ? ntfs_set_ea+0x453/0xbf0
+[ 138.964437] ? kasan_complete_mode_report_info+0x7d/0x200
+[ 138.969793] ? ntfs_set_ea+0x453/0xbf0
+[ 138.973523] kasan_report+0xb8/0x140
+[ 138.976740] ? ntfs_set_ea+0x453/0xbf0
+[ 138.980578] __asan_store4+0x76/0xa0
+[ 138.984669] ntfs_set_ea+0x453/0xbf0
+[ 138.988115] ? __pfx_ntfs_set_ea+0x10/0x10
+[ 138.993390] ? kernel_text_address+0xd3/0xe0
+[ 138.998270] ? __kernel_text_address+0x16/0x50
+[ 139.002121] ? unwind_get_return_address+0x3e/0x60
+[ 139.005659] ? __pfx_stack_trace_consume_entry+0x10/0x10
+[ 139.010177] ? arch_stack_walk+0xa2/0x100
+[ 139.013657] ? filter_irq_stacks+0x27/0x80
+[ 139.017018] ntfs_setxattr+0x405/0x440
+[ 139.022151] ? __pfx_ntfs_setxattr+0x10/0x10
+[ 139.026569] ? kvmalloc_node+0x2d/0x120
+[ 139.030329] ? kasan_save_stack+0x41/0x60
+[ 139.033883] ? kasan_save_stack+0x2a/0x60
+[ 139.037338] ? kasan_set_track+0x29/0x40
+[ 139.040163] ? kasan_save_alloc_info+0x1f/0x30
+[ 139.043588] ? __kasan_kmalloc+0x8b/0xa0
+[ 139.047255] ? __kmalloc_node+0x68/0x150
+[ 139.051264] ? kvmalloc_node+0x2d/0x120
+[ 139.055301] ? vmemdup_user+0x2b/0xa0
+[ 139.058584] __vfs_setxattr+0x121/0x170
+[ 139.062617] ? __pfx___vfs_setxattr+0x10/0x10
+[ 139.066282] __vfs_setxattr_noperm+0x97/0x300
+[ 139.070061] __vfs_setxattr_locked+0x145/0x170
+[ 139.073580] vfs_setxattr+0x137/0x2a0
+[ 139.076641] ? __pfx_vfs_setxattr+0x10/0x10
+[ 139.080223] ? __kasan_check_write+0x18/0x20
+[ 139.084234] do_setxattr+0xce/0x150
+[ 139.087768] setxattr+0x126/0x140
+[ 139.091250] ? __pfx_setxattr+0x10/0x10
+[ 139.094948] ? __virt_addr_valid+0xcb/0x140
+[ 139.097838] ? __call_rcu_common.constprop.0+0x1c7/0x330
+[ 139.102688] ? debug_smp_processor_id+0x1b/0x30
+[ 139.105985] ? kasan_quarantine_put+0x5b/0x190
+[ 139.109980] ? putname+0x84/0xa0
+[ 139.113886] ? __kasan_slab_free+0x11e/0x1b0
+[ 139.117961] ? putname+0x84/0xa0
+[ 139.121316] ? preempt_count_sub+0x1c/0xd0
+[ 139.124427] ? __mnt_want_write+0xae/0x100
+[ 139.127836] ? mnt_want_write+0x8f/0x150
+[ 139.130954] path_setxattr+0x164/0x180
+[ 139.133998] ? __pfx_path_setxattr+0x10/0x10
+[ 139.137853] ? __pfx_ksys_pwrite64+0x10/0x10
+[ 139.141299] ? debug_smp_processor_id+0x1b/0x30
+[ 139.145714] ? fpregs_assert_state_consistent+0x6b/0x80
+[ 139.150796] __x64_sys_setxattr+0x71/0x90
+[ 139.155407] do_syscall_64+0x3f/0x90
+[ 139.159035] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[ 139.163843] RIP: 0033:0x7f108cae4469
+[ 139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088
+[ 139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc
+[ 139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469
+[ 139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6
+[ 139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618
+[ 139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0
+[ 139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15: 0000000000000000
+
+Signed-off-by: Edward Lo <loyuantsung@gmail.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/xattr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
+index 2e4eea854bda59..7dc650b0b832c2 100644
+--- a/fs/ntfs3/xattr.c
++++ b/fs/ntfs3/xattr.c
+@@ -140,6 +140,7 @@ static int ntfs_read_ea(struct ntfs_inode *ni, struct EA_FULL **ea,
+
+ memset(Add2Ptr(ea_p, size), 0, add_bytes);
+
++ err = -EINVAL;
+ /* Check all attributes for consistency. */
+ for (off = 0; off < size; off += ea_size) {
+ const struct EA_FULL *ef = Add2Ptr(ea_p, off);
+--
+2.53.0
+
signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
time-fix-off-by-one-in-settimeofday-usec-validation.patch
alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch
+fs-ntfs3-return-error-for-inconsistent-extended-attr.patch
--- /dev/null
+From 5cc0896a673f5e7b1d9fe587be5ba6edae2d45bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jun 2026 14:58:44 -0700
+Subject: ima: kexec: move IMA log copy from kexec load to execute
+
+From: Steven Chen <chenste@linux.microsoft.com>
+
+[ Upstream commit 9f0ec4b16f2b41d663f688a8012e9e52b2657eba ]
+
+The IMA log is currently copied to the new kernel during kexec 'load' using
+ima_dump_measurement_list(). However, the IMA measurement list copied at
+kexec 'load' may result in loss of IMA measurements records that only
+occurred after the kexec 'load'. Move the IMA measurement list log copy
+from kexec 'load' to 'execute'
+
+Make the kexec_segment_size variable a local static variable within the
+file, so it can be accessed during both kexec 'load' and 'execute'.
+
+Define kexec_post_load() as a wrapper for calling ima_kexec_post_load() and
+machine_kexec_post_load(). Replace the existing direct call to
+machine_kexec_post_load() with kexec_post_load().
+
+When there is insufficient memory to copy all the measurement logs, copy as
+much of the measurement list as possible.
+
+Co-developed-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
+Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
+Cc: Eric Biederman <ebiederm@xmission.com>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Vivek Goyal <vgoyal@redhat.com>
+Cc: Dave Young <dyoung@redhat.com>
+Signed-off-by: Steven Chen <chenste@linux.microsoft.com>
+Tested-by: Stefan Berger <stefanb@linux.ibm.com> # ppc64/kvm
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+(cherry picked from commit 9f0ec4b16f2b41d663f688a8012e9e52b2657eba)
+Signed-off-by: Sherry Yang <sherry.yang@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kexec_file.c | 11 +++++++-
+ security/integrity/ima/ima_kexec.c | 43 ++++++++++++++++++++----------
+ 2 files changed, 39 insertions(+), 15 deletions(-)
+
+diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
+index a20ceb4d27ccce..909432e804be16 100644
+--- a/kernel/kexec_file.c
++++ b/kernel/kexec_file.c
+@@ -201,6 +201,15 @@ kimage_validate_signature(struct kimage *image)
+ }
+ #endif
+
++static int kexec_post_load(struct kimage *image, unsigned long flags)
++{
++#ifdef CONFIG_IMA_KEXEC
++ if (!(flags & KEXEC_FILE_ON_CRASH))
++ ima_kexec_post_load(image);
++#endif
++ return machine_kexec_post_load(image);
++}
++
+ /*
+ * In file mode list of segments is prepared by kernel. Copy relevant
+ * data from user space, do error checking, prepare segment list
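Review bot: In `kexec_post_load()` the IMA hook runs before `machine_kexec_post_load()`, so when the arch hook fails and the caller takes `goto out` (next hunk of this file), whatever `ima_kexec_post_load()` set up for this image stays in place. Its body is not shown here, so this needs confirming. Calling the arch hook first and bailing out on error (`ret = machine_kexec_post_load(image);` / `if (ret) return ret;`) before the IMA hook would avoid leaving IMA state that refers to an image the caller is about to discard. A one-line comment on why `KEXEC_FILE_ON_CRASH` loads skip the IMA hook would also help.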
+@@ -428,7 +437,7 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
+
+ kimage_terminate(image);
+
+- ret = machine_kexec_post_load(image);
++ ret = kexec_post_load(image, flags);
+ if (ret)
+ goto out;
+
+diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
+index 4de9834c3e1335..48fe9a7e1f456e 100644
+--- a/security/integrity/ima/ima_kexec.c
++++ b/security/integrity/ima/ima_kexec.c
+@@ -21,6 +21,7 @@
+ #ifdef CONFIG_IMA_KEXEC
+ static bool ima_kexec_update_registered;
+ static struct seq_file ima_kexec_file;
++static size_t kexec_segment_size;
+ static void *ima_kexec_buffer;
+
+ static void ima_free_kexec_file_buf(struct seq_file *sf)
+@@ -84,9 +85,6 @@ static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer,
+ }
+ }
+
+- if (ret < 0)
+- goto out;
+-
+ /*
+ * fill in reserved space with some buffer details
+ * (eg. version, buffer size, number of measurements)
+@@ -106,7 +104,7 @@ static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer,
+
+ *buffer_size = ima_kexec_file.count;
+ *buffer = ima_kexec_file.buf;
+-out:
++
+ return ret;
+ }
+
+@@ -124,9 +122,8 @@ void ima_add_kexec_buffer(struct kimage *image)
+ unsigned long binary_runtime_size;
+
+ /* use more understandable variable names than defined in kbuf */
++ size_t kexec_buffer_size = 0;
+ void *kexec_buffer = NULL;
+- size_t kexec_buffer_size;
+- size_t kexec_segment_size;
+ int ret;
+
+ if (image->type == KEXEC_TYPE_CRASH)
+@@ -154,13 +151,6 @@ void ima_add_kexec_buffer(struct kimage *image)
+ return;
+ }
+
+- ima_dump_measurement_list(&kexec_buffer_size, &kexec_buffer,
+- kexec_segment_size);
+- if (!kexec_buffer) {
+- pr_err("Not enough memory for the kexec measurement buffer.\n");
+- return;
+- }
+-
+ kbuf.buffer = kexec_buffer;
+ kbuf.bufsz = kexec_buffer_size;
+ kbuf.memsz = kexec_segment_size;
+@@ -188,7 +178,32 @@ void ima_add_kexec_buffer(struct kimage *image)
+ static int ima_update_kexec_buffer(struct notifier_block *self,
+ unsigned long action, void *data)
+ {
+- return NOTIFY_OK;
++ size_t buf_size = 0;
++ int ret = NOTIFY_OK;
++ void *buf = NULL;
++
++ if (!kexec_in_progress) {
++ pr_info("No kexec in progress.\n");
++ return ret;
++ }
++
++ if (!ima_kexec_buffer) {
++ pr_err("Kexec buffer not set.\n");
++ return ret;
++ }
++
++ ret = ima_dump_measurement_list(&buf_size, &buf, kexec_segment_size);
++
++ if (ret)
++ pr_err("Dump measurements failed. Error:%d\n", ret);
++
++ if (buf_size != 0)
++ memcpy(ima_kexec_buffer, buf, buf_size);
++
++ kimage_unmap_segment(ima_kexec_buffer);
++ ima_kexec_buffer = NULL;
++
++ return ret;
+ }
+
+ static struct notifier_block update_buffer_nb = {
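Review bot: `ima_update_kexec_buffer()` is a notifier callback, yet it now ends with `return ret;`, where `ret` holds the result of `ima_dump_measurement_list()` rather than a `NOTIFY_*` code. If that helper fails with a negative errno (the `if (ret < 0)` check removed earlier in this patch suggests it does), the value has the `NOTIFY_STOP_MASK` bit set and would stop the remaining callbacks on the chain. The failure is already logged and a partial copy is intended, so the function should end with `return NOTIFY_OK;`. Separately, the `memcpy()` into `ima_kexec_buffer` trusts `buf_size` to fit the mapped segment, which holds only if the helper never reports more than `kexec_segment_size`. That is not visible in this hunk, so an explicit bound check before the copy is worth adding.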
+--
+2.53.0
+
--- /dev/null
+From 820a804a08847459af2c7f9e6b90c8080f9b7197 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jun 2026 14:58:43 -0700
+Subject: ima: kexec: skip IMA segment validation after kexec soft reboot
+
+From: Steven Chen <chenste@linux.microsoft.com>
+
+[ Upstream commit 9ee8888a80fe2bd20ce929ffbc1dedd57607a778 ]
+
+Currently, the function kexec_calculate_store_digests() calculates and
+stores the digest of the segment during the kexec_file_load syscall,
+where the IMA segment is also allocated.
+
+Later, the IMA segment will be updated with the measurement log at the
+kexec execute stage when a kexec reboot is initiated. Therefore, the
+digests should be updated for the IMA segment in the normal case. The
+problem is that the content of memory segments carried over to the new
+kernel during the kexec systemcall can be changed at kexec 'execute'
+stage, but the size and the location of the memory segments cannot be
+changed at kexec 'execute' stage.
+
+To address this, skip the calculation and storage of the digest for the
+IMA segment in kexec_calculate_store_digests() so that it is not added
+to the purgatory_sha_regions.
+
+With this change, the IMA segment is not included in the digest
+calculation, storage, and verification.
+
+Cc: Eric Biederman <ebiederm@xmission.com>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Vivek Goyal <vgoyal@redhat.com>
+Cc: Dave Young <dyoung@redhat.com>
+Co-developed-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
+Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
+Signed-off-by: Steven Chen <chenste@linux.microsoft.com>
+Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
+Acked-by: Baoquan He <bhe@redhat.com>
+Tested-by: Stefan Berger <stefanb@linux.ibm.com> # ppc64/kvm
+[zohar@linux.ibm.com: Fixed Signed-off-by tag to match author's email ]
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+(cherry picked from commit 9ee8888a80fe2bd20ce929ffbc1dedd57607a778)
+Signed-off-by: Sherry Yang <sherry.yang@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/kexec.h | 3 +++
+ kernel/kexec_file.c | 22 ++++++++++++++++++++++
+ security/integrity/ima/ima_kexec.c | 3 +++
+ 3 files changed, 28 insertions(+)
+
+diff --git a/include/linux/kexec.h b/include/linux/kexec.h
+index 7d6b12f8b8d058..107e726f2ef3f1 100644
+--- a/include/linux/kexec.h
++++ b/include/linux/kexec.h
+@@ -362,6 +362,9 @@ struct kimage {
+
+ phys_addr_t ima_buffer_addr;
+ size_t ima_buffer_size;
++
++ unsigned long ima_segment_index;
++ bool is_ima_segment_index_set;
+ #endif
+
+ /* Core ELF header buffer */
+diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
+index f852528bdc246a..a20ceb4d27ccce 100644
+--- a/kernel/kexec_file.c
++++ b/kernel/kexec_file.c
+@@ -38,6 +38,21 @@ void set_kexec_sig_enforced(void)
+ }
+ #endif
+
++#ifdef CONFIG_IMA_KEXEC
++static bool check_ima_segment_index(struct kimage *image, int i)
++{
++ if (image->is_ima_segment_index_set && i == image->ima_segment_index)
++ return true;
++ else
++ return false;
++}
++#else
++static bool check_ima_segment_index(struct kimage *image, int i)
++{
++ return false;
++}
++#endif
++
+ static int kexec_calculate_store_digests(struct kimage *image);
+
+ /* Maximum size in bytes for kernel/initrd files. */
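Review bot: `check_ima_segment_index()` takes `int i` but compares it with `image->ima_segment_index`, which the kexec.h hunk declares as `unsigned long`, so `i` is converted to unsigned for the comparison. An unsigned parameter would match the field. The `if … return true; else return false;` form can be the expression itself: `return image->is_ima_segment_index_set && i == image->ima_segment_index;`. Because this predicate decides which segment is left out of the digest, a short comment above it naming the IMA buffer as the only segment expected to match would help later readers.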
+@@ -764,6 +779,13 @@ static int kexec_calculate_store_digests(struct kimage *image)
+ if (ksegment->kbuf == pi->purgatory_buf)
+ continue;
+
++ /*
++ * Skip the segment if ima_segment_index is set and matches
++ * the current index
++ */
++ if (check_ima_segment_index(image, i))
++ continue;
++
+ ret = crypto_shash_update(desc, ksegment->kbuf,
+ ksegment->bufsz);
+ if (ret)
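Review bot: The added comment says what the `continue` does but not why, and this is the one place where a loaded segment is deliberately left out of the stored digest. I would put the reason and the consequence in the comment, e.g. `/* The IMA segment is rewritten at kexec execute, so the load-time digest cannot cover it; its content is not verified by purgatory. */`. The loop header and the rest of `kexec_calculate_store_digests()` lie outside the hunk, so whether the region bookkeeping stays in step after the skip cannot be checked from here.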
+diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
+index 501b952b36981f..4de9834c3e1335 100644
+--- a/security/integrity/ima/ima_kexec.c
++++ b/security/integrity/ima/ima_kexec.c
+@@ -164,6 +164,7 @@ void ima_add_kexec_buffer(struct kimage *image)
+ kbuf.buffer = kexec_buffer;
+ kbuf.bufsz = kexec_buffer_size;
+ kbuf.memsz = kexec_segment_size;
++ image->is_ima_segment_index_set = false;
+ ret = kexec_add_buffer(&kbuf);
+ if (ret) {
+ pr_err("Error passing over kexec measurement buffer.\n");
+@@ -174,6 +175,8 @@ void ima_add_kexec_buffer(struct kimage *image)
+ image->ima_buffer_addr = kbuf.mem;
+ image->ima_buffer_size = kexec_segment_size;
+ image->ima_buffer = kexec_buffer;
++ image->ima_segment_index = image->nr_segments - 1;
++ image->is_ima_segment_index_set = true;
+
+ kexec_dprintk("kexec measurement buffer for the loaded kernel at 0x%lx.\n",
+ kbuf.mem);
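Review bot: `image->ima_segment_index = image->nr_segments - 1;` assumes that the preceding `kexec_add_buffer(&kbuf)` call appended the IMA buffer as the last segment. That holds only as long as the helper always appends, and nothing in this hunk states it. A comment on the assignment would make the dependency explicit, e.g. `/* kexec_add_buffer() appended the IMA buffer as the last segment */`. The start of `ima_add_kexec_buffer()` is outside the hunk, so the early-return paths that leave `is_ima_segment_index_set` untouched are assumed to rely on a zero-initialised image.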
+--
+2.53.0
+
time-fix-off-by-one-in-settimeofday-usec-validation.patch
alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch
alsa-seq-dummy-fix-ump-event-stack-overread.patch
+ima-kexec-skip-ima-segment-validation-after-kexec-so.patch
+ima-kexec-move-ima-log-copy-from-kexec-load-to-execu.patch