--- /dev/null
+From f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Tue, 12 May 2026 14:28:59 +0100
+Subject: audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
+
+From: Sergio Correia <scorreia@redhat.com>
+
+commit f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2 upstream.
+
+AUDIT_ADD_RULE and AUDIT_DEL_RULE correctly check for AUDIT_LOCKED
+and return -EPERM, but AUDIT_TRIM and AUDIT_MAKE_EQUIV do not. This
+allows a process with CAP_AUDIT_CONTROL to modify directory tree
+watches and equivalence mappings even when the audit configuration
+has been locked, undermining the purpose of the lock.
+
+Add AUDIT_LOCKED checks to both commands.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
+Assisted-by: Claude:claude-opus-4-6
+Signed-off-by: Sergio Correia <scorreia@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/audit.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1427,6 +1427,8 @@ static int audit_receive_msg(struct sk_b
+ err = audit_list_rules_send(skb, seq);
+ break;
+ case AUDIT_TRIM:
++ if (audit_enabled == AUDIT_LOCKED)
++ return -EPERM;
+ audit_trim_trees();
+ audit_log_common_recv_msg(audit_context(), &ab,
+ AUDIT_CONFIG_CHANGE);
+@@ -1439,6 +1441,8 @@ static int audit_receive_msg(struct sk_b
+ size_t msglen = data_len;
+ char *old, *new;
+
++ if (audit_enabled == AUDIT_LOCKED)
++ return -EPERM;
+ err = -EINVAL;
+ if (msglen < 2 * sizeof(u32))
+ break;
--- /dev/null
+From e4a640475e43f406fdfd56d370b1f34b0cbbc18d Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Tue, 12 May 2026 14:28:33 +0100
+Subject: audit: fix incorrect inheritable capability in CAPSET records
+
+From: Sergio Correia <scorreia@redhat.com>
+
+commit e4a640475e43f406fdfd56d370b1f34b0cbbc18d upstream.
+
+__audit_log_capset() records the effective capability set into the
+inheritable field due to a copy-paste error. Every CAPSET audit
+record therefore reports cap_pi (process inheritable) with the value
+of cap_effective instead of cap_inheritable.
+
+This silently corrupts audit data used for compliance and forensic
+analysis: an attacker who modifies inheritable capabilities to
+prepare for a privilege-escalating exec would have the change masked
+in the audit trail.
+
+The bug has been present since the original introduction of CAPSET
+audit records in 2008.
+
+Cc: stable@vger.kernel.org
+Fixes: e68b75a027bb ("When the capset syscall is used it is not possible for audit to record the actual capbilities being added/removed. This patch adds a new record type which emits the target pid and the eff, inh, and perm cap sets.")
+Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
+Assisted-by: Claude:claude-opus-4-6
+Signed-off-by: Sergio Correia <scorreia@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/auditsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -2845,7 +2845,7 @@ void __audit_log_capset(const struct cre
+
+ context->capset.pid = task_tgid_nr(current);
+ context->capset.cap.effective = new->cap_effective;
+- context->capset.cap.inheritable = new->cap_effective;
++ context->capset.cap.inheritable = new->cap_inheritable;
+ context->capset.cap.permitted = new->cap_permitted;
+ context->capset.cap.ambient = new->cap_ambient;
+ context->type = AUDIT_CAPSET;
--- /dev/null
+From e4c06479d7059888adf2f22bc1ebcf053bf691a2 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 5 May 2026 17:02:45 +0800
+Subject: crypto: af_alg - Cap AEAD AD length to 0x80000000
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit e4c06479d7059888adf2f22bc1ebcf053bf691a2 upstream.
+
+In order to prevent arithmetic overflows when checking the TX
+buffer size, cap the associated data length to 0x80000000.
+
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Fixes: 400c40cf78da ("crypto: algif - add AEAD support")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/af_alg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -585,6 +585,8 @@ static int af_alg_cmsg_send(struct msghd
+ if (cmsg->cmsg_len < CMSG_LEN(sizeof(u32)))
+ return -EINVAL;
+ con->aead_assoclen = *(u32 *)CMSG_DATA(cmsg);
++ if (con->aead_assoclen >= 0x80000000u)
++ return -EINVAL;
+ break;
+
+ default:
--- /dev/null
+From 678b713ece1e853f11e670a84cb887c35e1381b7 Mon Sep 17 00:00:00 2001
+From: Matt Vollrath <tactii@gmail.com>
+Date: Wed, 6 May 2026 14:48:11 -0700
+Subject: i40e: Cleanup PTP pins on probe failure
+
+From: Matt Vollrath <tactii@gmail.com>
+
+commit 678b713ece1e853f11e670a84cb887c35e1381b7 upstream.
+
+PTP pin structs are allocated early in probe, but never cleaned up.
+
+Fix this by calling i40e_ptp_free_pins in the error path.
+
+To support this, i40e_ptp_free_pins is added to the header and
+pin_config is correctly nullified after being freed.
+
+This has been an issue since i40e_ptp_alloc_pins was introduced.
+
+Fixes: 1050713026a08 ("i40e: add support for PTP external synchronization clock")
+Reported-by: Kohei Enju <kohei@enjuk.jp>
+Cc: stable@vger.kernel.org
+Signed-off-by: Matt Vollrath <tactii@gmail.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Kohei Enju <kohei@enjuk.jp>
+Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20260506-jk-iwl-net-2026-05-04-v2-2-a5ea4dc837a9@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e.h | 1 +
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
+ drivers/net/ethernet/intel/i40e/i40e_ptp.c | 3 ++-
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e.h
++++ b/drivers/net/ethernet/intel/i40e/i40e.h
+@@ -1262,6 +1262,7 @@ void i40e_ptp_restore_hw_time(struct i40
+ void i40e_ptp_init(struct i40e_pf *pf);
+ void i40e_ptp_stop(struct i40e_pf *pf);
+ int i40e_ptp_alloc_pins(struct i40e_pf *pf);
++void i40e_ptp_free_pins(struct i40e_pf *pf);
+ int i40e_update_adq_vsi_queues(struct i40e_vsi *vsi, int vsi_offset);
+ int i40e_is_vsi_uplink_mode_veb(struct i40e_vsi *vsi);
+ int i40e_get_partition_bw_setting(struct i40e_pf *pf);
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -16300,6 +16300,7 @@ err_vsis:
+ i40e_clear_interrupt_scheme(pf);
+ kfree(pf->vsi);
+ err_switch_setup:
++ i40e_ptp_free_pins(pf);
+ i40e_reset_interrupt_capability(pf);
+ timer_shutdown_sync(&pf->service_timer);
+ err_mac_addr:
+--- a/drivers/net/ethernet/intel/i40e/i40e_ptp.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ptp.c
+@@ -937,12 +937,13 @@ int i40e_ptp_get_ts_config(struct i40e_p
+ *
+ * Release memory allocated for PTP pins.
+ **/
+-static void i40e_ptp_free_pins(struct i40e_pf *pf)
++void i40e_ptp_free_pins(struct i40e_pf *pf)
+ {
+ if (i40e_is_ptp_pin_dev(&pf->hw)) {
+ kfree(pf->ptp_pins);
+ kfree(pf->ptp_caps.pin_config);
+ pf->ptp_pins = NULL;
++ pf->ptp_caps.pin_config = NULL;
+ }
+ }
+
--- /dev/null
+From 577a8d3bae0531f0e5ccfac919cd8192f920a804 Mon Sep 17 00:00:00 2001
+From: Aaron Sacks <contact@xchglabs.com>
+Date: Tue, 12 May 2026 02:07:42 -0400
+Subject: KVM: Reject wrapped offset in kvm_reset_dirty_gfn()
+
+From: Aaron Sacks <contact@xchglabs.com>
+
+commit 577a8d3bae0531f0e5ccfac919cd8192f920a804 upstream.
+
+kvm_reset_dirty_gfn() guards the gfn range with
+
+ if (!memslot || (offset + __fls(mask)) >= memslot->npages)
+ return;
+
+but offset is u64 and the addition is unchecked. The check can be
+silently bypassed by a u64 wrap.
+
+The dirty ring backing those entries is MAP_SHARED at
+KVM_DIRTY_LOG_PAGE_OFFSET of the vcpu fd, so the VMM can rewrite the
+slot and offset fields of any entry between when the kernel pushes
+them and when KVM_RESET_DIRTY_RINGS consumes them. On reset,
+kvm_dirty_ring_reset() re-reads the values via READ_ONCE() and feeds
+them straight back into this check; only the flags handshake is
+treated as the handover, the slot/offset payload is taken on trust.
+
+Crafting two entries
+
+ entry[i].offset = 0xffffffffffffffc1
+ entry[i+1].offset = 0
+
+makes the coalescing loop in kvm_dirty_ring_reset() compute
+
+ delta = (s64)(0 - 0xffffffffffffffc1) = 63
+
+which falls in [0, BITS_PER_LONG), so it folds entry[i+1] into the
+existing mask by setting bit 63. The trailing kvm_reset_dirty_gfn()
+call then sees offset = 0xffffffffffffffc1 and __fls(mask) = 63;
+the sum is 0 in u64 and the bounds check passes.
+
+That offset propagates into kvm_arch_mmu_enable_log_dirty_pt_masked()
+unchanged. On the legacy MMU path -- kvm_memslots_have_rmaps() ==
+true, i.e. shadow paging, any VM that has allocated shadow roots, or
+a write-tracked slot -- it reaches gfn_to_rmap(), which indexes
+slot->arch.rmap[0][] with a near-U64_MAX gfn. That is an
+out-of-bounds load of a kvm_rmap_head, followed by a conditional
+clear of PT_WRITABLE_MASK in whatever the loaded pointer points at.
+The path is reachable from any process holding /dev/kvm.
+
+Range-check offset on its own first, so the addition cannot wrap.
+memslot->npages is bounded well below U64_MAX, so once offset <
+npages holds, offset + __fls(mask) (with __fls(mask) < BITS_PER_LONG)
+stays in range.
+
+Fixes: fb04a1eddb1a ("KVM: X86: Implement ring-based dirty memory tracking")
+Cc: stable@vger.kernel.org
+Signed-off-by: Aaron Sacks <contact@xchglabs.com>
+Link: https://patch.msgid.link/20260512060742.1628959-1-contact@xchglabs.com/
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/dirty_ring.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/dirty_ring.c
++++ b/virt/kvm/dirty_ring.c
+@@ -63,7 +63,8 @@ static void kvm_reset_dirty_gfn(struct k
+
+ memslot = id_to_memslot(__kvm_memslots(kvm, as_id), id);
+
+- if (!memslot || (offset + __fls(mask)) >= memslot->npages)
++ if (!memslot || offset >= memslot->npages ||
++ offset + __fls(mask) >= memslot->npages)
+ return;
+
+ KVM_MMU_LOCK(kvm);
--- /dev/null
+From 16d990a15491cf76cd6eef0846e1b4100e63261a Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Wed, 15 Apr 2026 17:26:55 +0800
+Subject: KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit 16d990a15491cf76cd6eef0846e1b4100e63261a upstream.
+
+kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and
+aen_host_forward() index the GAIT by manually multiplying the index
+with sizeof(struct zpci_gaite).
+
+Since aift->gait is already a struct zpci_gaite pointer, this
+double-scales the offset, accessing element aisb*16 instead of aisb.
+
+This causes out-of-bounds accesses when aisb >= 32 (with
+ZPCI_NR_DEVICES=512)
+
+Fix by removing the erroneous sizeof multiplication.
+
+Fixes: 3c5a1b6f0a18 ("KVM: s390: pci: provide routines for enabling/disabling interrupt forwarding")
+Fixes: 73f91b004321 ("KVM: s390: pci: enable host forwarding of Adapter Event Notifications")
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
+Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
+Tested-by: Matthew Rosato <mjrosato@linux.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kvm/interrupt.c | 3 +--
+ arch/s390/kvm/pci.c | 6 ++----
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -3329,8 +3329,7 @@ static void aen_host_forward(unsigned lo
+ struct zpci_gaite *gaite;
+ struct kvm *kvm;
+
+- gaite = (struct zpci_gaite *)aift->gait +
+- (si * sizeof(struct zpci_gaite));
++ gaite = aift->gait + si;
+ if (gaite->count == 0)
+ return;
+ if (gaite->aisb != 0)
+--- a/arch/s390/kvm/pci.c
++++ b/arch/s390/kvm/pci.c
+@@ -292,8 +292,7 @@ static int kvm_s390_pci_aif_enable(struc
+ phys_to_virt(fib->fmt0.aibv));
+
+ spin_lock_irq(&aift->gait_lock);
+- gaite = (struct zpci_gaite *)aift->gait + (zdev->aisb *
+- sizeof(struct zpci_gaite));
++ gaite = aift->gait + zdev->aisb;
+
+ /* If assist not requested, host will get all alerts */
+ if (assist)
+@@ -359,8 +358,7 @@ static int kvm_s390_pci_aif_disable(stru
+ if (zdev->kzdev->fib.fmt0.aibv == 0)
+ goto out;
+ spin_lock_irq(&aift->gait_lock);
+- gaite = (struct zpci_gaite *)aift->gait + (zdev->aisb *
+- sizeof(struct zpci_gaite));
++ gaite = aift->gait + zdev->aisb;
+ isc = gaite->gisc;
+ gaite->count--;
+ if (gaite->count == 0) {
--- /dev/null
+From 2b72f1674e427c56e3772c5ccf785fdda2138820 Mon Sep 17 00:00:00 2001
+From: Qiang Ma <maqianga@uniontech.com>
+Date: Tue, 12 May 2026 09:53:13 +0800
+Subject: KVM: x86: Fix Xen hypercall tracepoint argument assignment
+
+From: Qiang Ma <maqianga@uniontech.com>
+
+commit 2b72f1674e427c56e3772c5ccf785fdda2138820 upstream.
+
+TRACE_EVENT(kvm_xen_hypercall) stores a5 in __entry->a4 instead of
+__entry->a5.
+
+That overwrites the recorded a4 argument and leaves a5 unset in the
+trace entry. Fix the typo so both arguments are captured correctly.
+
+Signed-off-by: Qiang Ma <maqianga@uniontech.com>
+Link: https://patch.msgid.link/20260512015313.1685784-1-maqianga@uniontech.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/trace.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/trace.h
++++ b/arch/x86/kvm/trace.h
+@@ -140,7 +140,7 @@ TRACE_EVENT(kvm_xen_hypercall,
+ __entry->a2 = a2;
+ __entry->a3 = a3;
+ __entry->a4 = a4;
+- __entry->a4 = a5;
++ __entry->a5 = a5;
+ ),
+
+ TP_printk("cpl %d nr 0x%lx a0 0x%lx a1 0x%lx a2 0x%lx a3 0x%lx a4 0x%lx a5 %lx",
--- /dev/null
+From 2c308cf34284420963607d677d576a2b4124d8bd Mon Sep 17 00:00:00 2001
+From: Zoran Ilievski <goodboy@rexbytes.com>
+Date: Mon, 11 May 2026 08:40:02 +0200
+Subject: net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
+
+From: Zoran Ilievski <goodboy@rexbytes.com>
+
+commit 2c308cf34284420963607d677d576a2b4124d8bd upstream.
+
+The shutdown handler aq_pci_shutdown() unconditionally calls
+pci_wake_from_d3(pdev, false), clearing the PCI PME_En bit even when
+wake-on-LAN has been configured. While aq_nic_shutdown() correctly
+programs the NIC firmware via aq_nic_set_power() to listen for magic
+packets, the PCI subsystem will not propagate the resulting PME wake
+event from D3, so the system never wakes after poweroff.
+
+WOL from suspend (S3) is unaffected because aq_suspend_common() does
+not touch pci_wake_from_d3() and relies on the PM core's wake
+configuration via device_may_wakeup().
+
+This affects all atlantic-supported NICs (AQC107/108/111/112/113);
+users have reported that WOL works if the atlantic driver is never
+loaded, but breaks once it has run its shutdown path.
+
+Pass the configured WOL state to pci_wake_from_d3() instead of a
+literal false, so the PCI PME_En bit is preserved when the user has
+armed WOL via ethtool.
+
+Fixes: 90869ddfefeb ("net: aquantia: Implement pci shutdown callback")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zoran Ilievski <goodboy@rexbytes.com>
+Reviewed-by: Sukhdeep Singh <sukhdeeps@marvell.com>
+Link: https://patch.msgid.link/20260511064002.1857-1-goodboy@rexbytes.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
+@@ -374,7 +374,7 @@ static void aq_pci_shutdown(struct pci_d
+ pci_disable_device(pdev);
+
+ if (system_state == SYSTEM_POWER_OFF) {
+- pci_wake_from_d3(pdev, false);
++ pci_wake_from_d3(pdev, self->aq_hw->aq_nic_cfg->wol);
+ pci_set_power_state(pdev, PCI_D3hot);
+ }
+ }
--- /dev/null
+From eb6317739b1ea3ab28791e1f91b24781905fa815 Mon Sep 17 00:00:00 2001
+From: Li Xiasong <lixiasong1@huawei.com>
+Date: Thu, 7 May 2026 22:04:22 +0800
+Subject: netfilter: nf_conntrack_sip: get helper before allocating expectation
+
+From: Li Xiasong <lixiasong1@huawei.com>
+
+commit eb6317739b1ea3ab28791e1f91b24781905fa815 upstream.
+
+process_register_request() allocates an expectation and then checks
+whether a conntrack helper is available. If helper lookup fails, the
+function returns early and the allocated expectation is left behind.
+
+Reorder the code to fetch and validate helper before calling
+nf_ct_expect_alloc(). This keeps the logic simpler and removes the leak
+path while preserving existing behavior.
+
+Fixes: e14575fa7529 ("netfilter: nf_conntrack: use rcu accessors where needed")
+Cc: stable@vger.kernel.org
+Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_sip.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -1367,6 +1367,10 @@ static int process_register_request(stru
+ goto store_cseq;
+ }
+
++ helper = rcu_dereference(nfct_help(ct)->helper);
++ if (!helper)
++ return NF_DROP;
++
+ exp = nf_ct_expect_alloc(ct);
+ if (!exp) {
+ nf_ct_helper_log(skb, ct, "cannot alloc expectation");
+@@ -1377,10 +1381,6 @@ static int process_register_request(stru
+ if (sip_direct_signalling)
+ saddr = &ct->tuplehash[!dir].tuple.src.u3;
+
+- helper = rcu_dereference(nfct_help(ct)->helper);
+- if (!helper)
+- return NF_DROP;
+-
+ nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct),
+ saddr, &daddr, proto, NULL, &port);
+ exp->timeout.expires = sip_timeout * HZ;
--- /dev/null
+From 19f94b6fee75b3ef7fbc06f3745b9a771a8a19a4 Mon Sep 17 00:00:00 2001
+From: Li Xiasong <lixiasong1@huawei.com>
+Date: Thu, 7 May 2026 22:04:23 +0800
+Subject: netfilter: nft_ct: fix missing expect put in obj eval
+
+From: Li Xiasong <lixiasong1@huawei.com>
+
+commit 19f94b6fee75b3ef7fbc06f3745b9a771a8a19a4 upstream.
+
+nft_ct_expect_obj_eval() allocates an expectation and may call
+nf_ct_expect_related(), but never drops its local reference.
+
+Add nf_ct_expect_put(exp) before return to balance allocation.
+
+Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_ct.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -1363,6 +1363,8 @@ static void nft_ct_expect_obj_eval(struc
+
+ if (nf_ct_expect_related(exp, 0) != 0)
+ regs->verdict.code = NF_DROP;
++
++ nf_ct_expect_put(exp);
+ }
+
+ static const struct nla_policy nft_ct_expect_policy[NFTA_CT_EXPECT_MAX + 1] = {
net-sched-sch_pie-annotate-more-data-races-in-pie_du.patch
netconsole-avoid-out-of-bounds-access-on-empty-strin.patch
bonding-fix-null-pointer-dereference-in-actor_port_p.patch
+crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch
+i40e-cleanup-ptp-pins-on-probe-failure.patch
+workqueue-fix-wq-cpu_pwq-leak-in-alloc_and_link_pwqs-wq_unbound-path.patch
+netfilter-nf_conntrack_sip-get-helper-before-allocating-expectation.patch
+audit-fix-incorrect-inheritable-capability-in-capset-records.patch
+netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch
+net-atlantic-preserve-pci-wake-from-d3-on-shutdown-when-wol-enabled.patch
+audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch
+kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch
+kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch
+kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch
--- /dev/null
+From 0143033dc22cdff912cfc13419f5db92fea3b4cb Mon Sep 17 00:00:00 2001
+From: Breno Leitao <leitao@debian.org>
+Date: Fri, 8 May 2026 09:22:03 -0700
+Subject: workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path
+
+From: Breno Leitao <leitao@debian.org>
+
+commit 0143033dc22cdff912cfc13419f5db92fea3b4cb upstream.
+
+For WQ_UNBOUND workqueues, alloc_and_link_pwqs() allocates wq->cpu_pwq
+via alloc_percpu() and then calls apply_workqueue_attrs_locked(). On
+failure it returns the error directly, bypassing the enomem: label
+which holds the only free_percpu(wq->cpu_pwq) in this function.
+
+The caller's error path kfree()s wq without touching wq->cpu_pwq,
+leaking one percpu pointer table (nr_cpu_ids * sizeof(void *) bytes) per
+failed call.
+
+If kmemleak is enabled, we can see:
+
+ unreferenced object (percpu) 0xc0fffa5b121048 (size 8):
+ comm "insmod", pid 776, jiffies 4294682844
+ backtrace (crc 0):
+ pcpu_alloc_noprof+0x665/0xac0
+ __alloc_workqueue+0x33f/0xa20
+ alloc_workqueue_noprof+0x60/0x100
+
+Route the error through the existing enomem: cleanup and any error
+before this one.
+
+Cc: stable@kernel.org
+Fixes: 636b927eba5b ("workqueue: Make unbound workqueues to use per-cpu pool_workqueues")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/workqueue.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -4683,7 +4683,9 @@ static int alloc_and_link_pwqs(struct wo
+ if (ret)
+ kthread_flush_worker(pwq_release_worker);
+
+- return ret;
++ if (ret)
++ goto enomem;
++ return 0;
+
+ enomem:
+ if (wq->cpu_pwq) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
