7.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 19 May 2026 10:23:30 +0000 (12:23 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 19 May 2026 10:23:30 +0000 (12:23 +0200)
added patches:
audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch
audit-fix-incorrect-inheritable-capability-in-capset-records.patch
cgroup-cpuset-reserve-dl-bandwidth-only-for-root-domain-moves.patch
cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch
cgroup-cpuset-return-only-actually-allocated-cpus-during-partition-invalidation.patch
cgroup-dmem-return-enomem-on-failed-pool-preallocation.patch
crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch
i40e-cleanup-ptp-pins-on-probe-failure.patch
idpf-fix-double-free-and-use-after-free-in-aux-device-error-paths.patch
kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch
kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch
kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch
kvm-x86-swap-the-dst-and-src-operand-for-movntdqa.patch
net-atlantic-preserve-pci-wake-from-d3-on-shutdown-when-wol-enabled.patch
net-ena-phc-check-return-code-before-setting-timestamp-output.patch
net-ena-phc-fix-potential-use-after-free-in-get_timestamp.patch
netfilter-nf_conntrack_sip-get-helper-before-allocating-expectation.patch
netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch
revert-acpi-cppc-adjust-debug-messages-in-amd_set_max_freq_ratio-to-warn.patch
workqueue-fix-wq-cpu_pwq-leak-in-alloc_and_link_pwqs-wq_unbound-path.patch

21 files changed:
queue-7.0/audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch [new file with mode: 0644]
queue-7.0/audit-fix-incorrect-inheritable-capability-in-capset-records.patch [new file with mode: 0644]
queue-7.0/cgroup-cpuset-reserve-dl-bandwidth-only-for-root-domain-moves.patch [new file with mode: 0644]
queue-7.0/cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch [new file with mode: 0644]
queue-7.0/cgroup-cpuset-return-only-actually-allocated-cpus-during-partition-invalidation.patch [new file with mode: 0644]
queue-7.0/cgroup-dmem-return-enomem-on-failed-pool-preallocation.patch [new file with mode: 0644]
queue-7.0/crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch [new file with mode: 0644]
queue-7.0/i40e-cleanup-ptp-pins-on-probe-failure.patch [new file with mode: 0644]
queue-7.0/idpf-fix-double-free-and-use-after-free-in-aux-device-error-paths.patch [new file with mode: 0644]
queue-7.0/kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch [new file with mode: 0644]
queue-7.0/kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch [new file with mode: 0644]
queue-7.0/kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch [new file with mode: 0644]
queue-7.0/kvm-x86-swap-the-dst-and-src-operand-for-movntdqa.patch [new file with mode: 0644]
queue-7.0/net-atlantic-preserve-pci-wake-from-d3-on-shutdown-when-wol-enabled.patch [new file with mode: 0644]
queue-7.0/net-ena-phc-check-return-code-before-setting-timestamp-output.patch [new file with mode: 0644]
queue-7.0/net-ena-phc-fix-potential-use-after-free-in-get_timestamp.patch [new file with mode: 0644]
queue-7.0/netfilter-nf_conntrack_sip-get-helper-before-allocating-expectation.patch [new file with mode: 0644]
queue-7.0/netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch [new file with mode: 0644]
queue-7.0/revert-acpi-cppc-adjust-debug-messages-in-amd_set_max_freq_ratio-to-warn.patch [new file with mode: 0644]
queue-7.0/series
queue-7.0/workqueue-fix-wq-cpu_pwq-leak-in-alloc_and_link_pwqs-wq_unbound-path.patch [new file with mode: 0644]

diff --git a/queue-7.0/audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch b/queue-7.0/audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch
new file mode 100644 (file)
index 0000000..cb2abdf
--- /dev/null
@@ -0,0 +1,47 @@
+From f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Tue, 12 May 2026 14:28:59 +0100
+Subject: audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
+
+From: Sergio Correia <scorreia@redhat.com>
+
+commit f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2 upstream.
+
+AUDIT_ADD_RULE and AUDIT_DEL_RULE correctly check for AUDIT_LOCKED
+and return -EPERM, but AUDIT_TRIM and AUDIT_MAKE_EQUIV do not. This
+allows a process with CAP_AUDIT_CONTROL to modify directory tree
+watches and equivalence mappings even when the audit configuration
+has been locked, undermining the purpose of the lock.
+
+Add AUDIT_LOCKED checks to both commands.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
+Assisted-by: Claude:claude-opus-4-6
+Signed-off-by: Sergio Correia <scorreia@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/audit.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1466,6 +1466,8 @@ static int audit_receive_msg(struct sk_b
+               err = audit_list_rules_send(skb, seq);
+               break;
+       case AUDIT_TRIM:
++              if (audit_enabled == AUDIT_LOCKED)
++                      return -EPERM;
+               audit_trim_trees();
+               audit_log_common_recv_msg(audit_context(), &ab,
+                                         AUDIT_CONFIG_CHANGE);
+@@ -1478,6 +1480,8 @@ static int audit_receive_msg(struct sk_b
+               size_t msglen = data_len;
+               char *old, *new;
++              if (audit_enabled == AUDIT_LOCKED)
++                      return -EPERM;
+               err = -EINVAL;
+               if (msglen < 2 * sizeof(u32))
+                       break;
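Review bot: The new AUDIT_LOCKED rejection for AUDIT_TRIM returns -EPERM before the `audit_log_common_recv_msg(audit_context(), &ab, AUDIT_CONFIG_CHANGE)` call that follows it, so a denied attempt to trim the watched trees while the configuration is locked leaves no record in the audit trail, and the AUDIT_MAKE_EQUIV check behaves the same way. The commit message says AUDIT_ADD_RULE and AUDIT_DEL_RULE already handle the locked case; if that path emits a CONFIG_CHANGE record with res=0 for the refused request (as I believe upstream does, using audit_log_format()/audit_log_end() as elsewhere in this file), these two new checks should do likewise so an attempt to subvert a locked configuration is visible to the operator rather than silently refused. A possible shape for the TRIM case is below; the MAKE_EQUIV case would mirror it with `op=make_equiv`. The audit_receive_msg() body starts and ends outside the hunk.
```c
	case AUDIT_TRIM:
		if (audit_enabled == AUDIT_LOCKED) {
			/* refused under lock: still record the attempt */
			audit_log_common_recv_msg(audit_context(), &ab,
						  AUDIT_CONFIG_CHANGE);
			audit_log_format(ab, " op=trim audit_enabled=%d res=0",
					 audit_enabled);
			audit_log_end(ab);
			return -EPERM;
		}
		audit_trim_trees();
		/* … unchanged: CONFIG_CHANGE record for the successful trim … */
```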
diff --git a/queue-7.0/audit-fix-incorrect-inheritable-capability-in-capset-records.patch b/queue-7.0/audit-fix-incorrect-inheritable-capability-in-capset-records.patch
new file mode 100644 (file)
index 0000000..706a278
--- /dev/null
@@ -0,0 +1,44 @@
+From e4a640475e43f406fdfd56d370b1f34b0cbbc18d Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Tue, 12 May 2026 14:28:33 +0100
+Subject: audit: fix incorrect inheritable capability in CAPSET records
+
+From: Sergio Correia <scorreia@redhat.com>
+
+commit e4a640475e43f406fdfd56d370b1f34b0cbbc18d upstream.
+
+__audit_log_capset() records the effective capability set into the
+inheritable field due to a copy-paste error. Every CAPSET audit
+record therefore reports cap_pi (process inheritable) with the value
+of cap_effective instead of cap_inheritable.
+
+This silently corrupts audit data used for compliance and forensic
+analysis: an attacker who modifies inheritable capabilities to
+prepare for a privilege-escalating exec would have the change masked
+in the audit trail.
+
+The bug has been present since the original introduction of CAPSET
+audit records in 2008.
+
+Cc: stable@vger.kernel.org
+Fixes: e68b75a027bb ("When the capset syscall is used it is not possible for audit to record the actual capbilities being added/removed.  This patch adds a new record type which emits the target pid and the eff, inh, and perm cap sets.")
+Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
+Assisted-by: Claude:claude-opus-4-6
+Signed-off-by: Sergio Correia <scorreia@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/auditsc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -2786,7 +2786,7 @@ void __audit_log_capset(const struct cre
+       context->capset.pid = task_tgid_nr(current);
+       context->capset.cap.effective   = new->cap_effective;
+-      context->capset.cap.inheritable = new->cap_effective;
++      context->capset.cap.inheritable = new->cap_inheritable;
+       context->capset.cap.permitted   = new->cap_permitted;
+       context->capset.cap.ambient     = new->cap_ambient;
+       context->type = AUDIT_CAPSET;
diff --git a/queue-7.0/cgroup-cpuset-reserve-dl-bandwidth-only-for-root-domain-moves.patch b/queue-7.0/cgroup-cpuset-reserve-dl-bandwidth-only-for-root-domain-moves.patch
new file mode 100644 (file)
index 0000000..8fd5baa
--- /dev/null
@@ -0,0 +1,167 @@
+From 5dd74441cbf42c22e874450eb6a6bbb19390a216 Mon Sep 17 00:00:00 2001
+From: Guopeng Zhang <zhangguopeng@kylinos.cn>
+Date: Sat, 9 May 2026 18:20:31 +0800
+Subject: cgroup/cpuset: Reserve DL bandwidth only for root-domain moves
+
+From: Guopeng Zhang <zhangguopeng@kylinos.cn>
+
+commit 5dd74441cbf42c22e874450eb6a6bbb19390a216 upstream.
+
+cpuset_can_attach() currently adds the bandwidth of all migrating
+SCHED_DEADLINE tasks to sum_migrate_dl_bw. If the source and destination
+cpuset effective CPU masks do not overlap, the whole sum is then
+reserved in the destination root domain.
+
+set_cpus_allowed_dl(), however, subtracts bandwidth from the source
+root domain only when the affinity change really moves the task between
+root domains. A DL task can move between cpusets that are still in the
+same root domain, so including that task in sum_migrate_dl_bw can reserve
+destination bandwidth without a matching source-side subtraction.
+
+Share the root-domain move test with set_cpus_allowed_dl(). Keep
+nr_migrate_dl_tasks counting all migrating deadline tasks for cpuset DL
+task accounting, but add to sum_migrate_dl_bw only for tasks that need a
+root-domain bandwidth move. Keep using the destination cpuset effective
+CPU mask and leave the broader can_attach()/attach() transaction model
+unchanged.
+
+Fixes: 2ef269ef1ac0 ("cgroup/cpuset: Free DL BW in case can_attach() fails")
+Cc: stable@vger.kernel.org # v6.10+
+Signed-off-by: Guopeng Zhang <zhangguopeng@kylinos.cn>
+Reviewed-by: Waiman Long <longman@redhat.com>
+Acked-by: Juri Lelli <juri.lelli@redhat.com>
+Tested-by: Juri Lelli <juri.lelli@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/sched/deadline.h  |    9 +++++++++
+ kernel/cgroup/cpuset-internal.h |    1 +
+ kernel/cgroup/cpuset.c          |   33 ++++++++++++++++++---------------
+ kernel/sched/deadline.c         |   13 ++++++++++---
+ 4 files changed, 38 insertions(+), 18 deletions(-)
+
+--- a/include/linux/sched/deadline.h
++++ b/include/linux/sched/deadline.h
+@@ -33,6 +33,15 @@ struct root_domain;
+ extern void dl_add_task_root_domain(struct task_struct *p);
+ extern void dl_clear_root_domain(struct root_domain *rd);
+ extern void dl_clear_root_domain_cpu(int cpu);
++/*
++ * Return whether moving DL task @p to @new_mask requires moving DL
++ * bandwidth accounting between root domains. This helper is specific to
++ * DL bandwidth move accounting semantics and is shared by
++ * cpuset_can_attach() and set_cpus_allowed_dl() so both paths use the
++ * same source root-domain test.
++ */
++extern bool dl_task_needs_bw_move(struct task_struct *p,
++                                const struct cpumask *new_mask);
+ extern u64 dl_cookie;
+ extern bool dl_bw_visited(int cpu, u64 cookie);
+--- a/kernel/cgroup/cpuset-internal.h
++++ b/kernel/cgroup/cpuset-internal.h
+@@ -167,6 +167,7 @@ struct cpuset {
+        */
+       int nr_deadline_tasks;
+       int nr_migrate_dl_tasks;
++      /* DL bandwidth that needs destination reservation for this attach. */
+       u64 sum_migrate_dl_bw;
+       /*
+        * CPU used for temporary DL bandwidth allocation during attach;
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -2993,7 +2993,7 @@ static int cpuset_can_attach(struct cgro
+       struct cpuset *cs, *oldcs;
+       struct task_struct *task;
+       bool setsched_check;
+-      int ret;
++      int cpu, ret;
+       /* used later by cpuset_attach() */
+       cpuset_attach_old_cs = task_cs(cgroup_taskset_first(tset, &css));
+@@ -3038,28 +3038,31 @@ static int cpuset_can_attach(struct cgro
+               }
+               if (dl_task(task)) {
++                      /*
++                       * Count all migrating DL tasks for cpuset task accounting.
++                       * Only tasks that need a root-domain bandwidth move
++                       * contribute to sum_migrate_dl_bw.
++                       */
+                       cs->nr_migrate_dl_tasks++;
+-                      cs->sum_migrate_dl_bw += task->dl.dl_bw;
++                      if (dl_task_needs_bw_move(task, cs->effective_cpus))
++                              cs->sum_migrate_dl_bw += task->dl.dl_bw;
+               }
+       }
+-      if (!cs->nr_migrate_dl_tasks)
++      if (!cs->sum_migrate_dl_bw)
+               goto out_success;
+-      if (!cpumask_intersects(oldcs->effective_cpus, cs->effective_cpus)) {
+-              int cpu = cpumask_any_and(cpu_active_mask, cs->effective_cpus);
+-
+-              if (unlikely(cpu >= nr_cpu_ids)) {
+-                      ret = -EINVAL;
+-                      goto out_unlock;
+-              }
++      cpu = cpumask_any_and(cpu_active_mask, cs->effective_cpus);
++      if (unlikely(cpu >= nr_cpu_ids)) {
++              ret = -EINVAL;
++              goto out_unlock;
++      }
+-              ret = dl_bw_alloc(cpu, cs->sum_migrate_dl_bw);
+-              if (ret)
+-                      goto out_unlock;
++      ret = dl_bw_alloc(cpu, cs->sum_migrate_dl_bw);
++      if (ret)
++              goto out_unlock;
+-              cs->dl_bw_cpu = cpu;
+-      }
++      cs->dl_bw_cpu = cpu;
+ out_success:
+       /*
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -3106,20 +3106,18 @@ static void task_woken_dl(struct rq *rq,
+ static void set_cpus_allowed_dl(struct task_struct *p,
+                               struct affinity_context *ctx)
+ {
+-      struct root_domain *src_rd;
+       struct rq *rq;
+       WARN_ON_ONCE(!dl_task(p));
+       rq = task_rq(p);
+-      src_rd = rq->rd;
+       /*
+        * Migrating a SCHED_DEADLINE task between exclusive
+        * cpusets (different root_domains) entails a bandwidth
+        * update. We already made space for us in the destination
+        * domain (see cpuset_can_attach()).
+        */
+-      if (!cpumask_intersects(src_rd->span, ctx->new_mask)) {
++      if (dl_task_needs_bw_move(p, ctx->new_mask)) {
+               struct dl_bw *src_dl_b;
+               src_dl_b = dl_bw_of(cpu_of(rq));
+@@ -3136,6 +3134,15 @@ static void set_cpus_allowed_dl(struct t
+       set_cpus_allowed_common(p, ctx);
+ }
++bool dl_task_needs_bw_move(struct task_struct *p,
++                         const struct cpumask *new_mask)
++{
++      if (!dl_task(p))
++              return false;
++
++      return !cpumask_intersects(task_rq(p)->rd->span, new_mask);
++}
++
+ /* Assumes rq->lock is held */
+ static void rq_online_dl(struct rq *rq)
+ {
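Review bot: dl_task_needs_bw_move() dereferences `task_rq(p)->rd->span` with no stated locking requirement, and its new caller cpuset_can_attach() appears to run under cpuset_mutex only (the `mutex_unlock(&cpuset_mutex)` in the sibling cpuset patch's out_unlock path), whereas set_cpus_allowed_dl() presumably runs with the task's rq lock held; whether a task's current root domain is stable under cpuset_mutex alone is not evident from the hunk and deserves to be stated rather than assumed. The header comment added in deadline.h describes the accounting semantics but not this, so I would extend it with a line such as `* Caller must hold a lock that keeps @p's root domain stable (the rq lock, or cpuset_mutex on the cpuset attach path).`. The `if (!dl_task(p)) return false;` inside the helper duplicates the `if (dl_task(task))` guard at the cpuset call site and the WARN_ON_ONCE in set_cpus_allowed_dl(), which is harmless but worth a one-word comment so nobody removes the outer guard expecting the inner one to count tasks. cpuset_can_attach() and set_cpus_allowed_dl() both extend beyond the hunk.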
diff --git a/queue-7.0/cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch b/queue-7.0/cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch
new file mode 100644 (file)
index 0000000..ae0718f
--- /dev/null
@@ -0,0 +1,65 @@
+From 4a39eda5fdd867fc39f3c039714dd432cee00268 Mon Sep 17 00:00:00 2001
+From: Guopeng Zhang <zhangguopeng@kylinos.cn>
+Date: Sat, 9 May 2026 18:20:30 +0800
+Subject: cgroup/cpuset: Reset DL migration state on can_attach() failure
+
+From: Guopeng Zhang <zhangguopeng@kylinos.cn>
+
+commit 4a39eda5fdd867fc39f3c039714dd432cee00268 upstream.
+
+cpuset_can_attach() accumulates temporary SCHED_DEADLINE migration
+state in the destination cpuset while walking the taskset.
+
+If a later task_can_attach() or security_task_setscheduler() check
+fails, cgroup_migrate_execute() treats cpuset as the failing subsystem
+and does not call cpuset_cancel_attach() for it. The partially
+accumulated state is then left behind and can be consumed by a later
+attach, corrupting cpuset DL task accounting and pending DL bandwidth
+accounting.
+
+Reset the pending DL migration state from the common error exit when
+ret is non-zero. Successful can_attach() keeps the state for
+cpuset_attach() or cpuset_cancel_attach().
+
+Fixes: 2ef269ef1ac0 ("cgroup/cpuset: Free DL BW in case can_attach() fails")
+Cc: stable@vger.kernel.org # v6.10+
+Signed-off-by: Guopeng Zhang <zhangguopeng@kylinos.cn>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reviewed-by: Chen Ridong <chenridong@huaweicloud.com>
+Reviewed-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/cpuset.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -3050,16 +3050,13 @@ static int cpuset_can_attach(struct cgro
+               int cpu = cpumask_any_and(cpu_active_mask, cs->effective_cpus);
+               if (unlikely(cpu >= nr_cpu_ids)) {
+-                      reset_migrate_dl_data(cs);
+                       ret = -EINVAL;
+                       goto out_unlock;
+               }
+               ret = dl_bw_alloc(cpu, cs->sum_migrate_dl_bw);
+-              if (ret) {
+-                      reset_migrate_dl_data(cs);
++              if (ret)
+                       goto out_unlock;
+-              }
+               cs->dl_bw_cpu = cpu;
+       }
+@@ -3070,7 +3067,10 @@ out_success:
+        * changes which zero cpus/mems_allowed.
+        */
+       cs->attach_in_progress++;
++
+ out_unlock:
++      if (ret)
++              reset_migrate_dl_data(cs);
+       mutex_unlock(&cpuset_mutex);
+       return ret;
+ }
diff --git a/queue-7.0/cgroup-cpuset-return-only-actually-allocated-cpus-during-partition-invalidation.patch b/queue-7.0/cgroup-cpuset-return-only-actually-allocated-cpus-during-partition-invalidation.patch
new file mode 100644 (file)
index 0000000..e6f24e6
--- /dev/null
@@ -0,0 +1,73 @@
+From 345f40166694e60db6d5cf02233814bb27ac5dec Mon Sep 17 00:00:00 2001
+From: sunshaojie <sunshaojie@kylinos.cn>
+Date: Wed, 13 May 2026 18:37:38 +0800
+Subject: cgroup/cpuset: Return only actually allocated CPUs during partition invalidation
+
+From: sunshaojie <sunshaojie@kylinos.cn>
+
+commit 345f40166694e60db6d5cf02233814bb27ac5dec upstream.
+
+In update_parent_effective_cpumask() with partcmd_invalidate, the CPUs
+to return to the parent are computed as:
+
+    adding = cpumask_and(tmp->addmask, xcpus, parent->effective_xcpus);
+
+where xcpus = user_xcpus(cs) which returns cs->exclusive_cpus (if set)
+or cs->cpus_allowed. When exclusive_cpus is not set, user_xcpus(cs) can
+contain CPUs that were never actually granted to the partition due to
+sibling exclusion in compute_excpus(). Consequently, the invalidation
+may return CPUs to the parent that remain in use by sibling partitions,
+causing overlapping effective_cpus and triggering the
+WARN_ON_ONCE(1) in generate_sched_domains().
+
+Use cs->effective_xcpus instead, which reflects the CPUs actually
+granted to this partition.
+
+Reproducer (on a 4-CPU machine):
+
+    cd /sys/fs/cgroup
+    mkdir a1 b1
+
+    # a1 becomes partition root with CPUs 0-1
+    echo "0-1" > a1/cpuset.cpus
+    echo "root" > a1/cpuset.cpus.partition
+
+    # b1 becomes partition root with CPUs 1-2, but sibling exclusion
+    # reduces its effective_xcpus to CPU 2 only
+    echo "1-2" > b1/cpuset.cpus
+    echo "root" > b1/cpuset.cpus.partition
+
+    # b1 changes cpus_allowed to 0-1 -> partition invalidation
+    echo "0-1" > b1/cpuset.cpus
+
+    # Expected: CPUs 2-3  (only CPU 2 returned from b1)
+    # Actual:   CPUs 1-3  (CPU 0-1 returned, overlapping with a1)
+    cat cpuset.cpus.effective
+
+dmesg will also show a WARNING from generate_sched_domains() reporting
+overlapping partition root effective_cpus.
+
+Fixes: 2a3602030d80 ("cgroup/cpuset: Don't invalidate sibling partitions on cpuset.cpus conflict")
+Cc: stable@vger.kernel.org # v7.0+
+Signed-off-by: sunshaojie <sunshaojie@kylinos.cn>
+Tested-by: Chen Ridong <chenridong@huaweicloud.com>
+Reviewed-by: Chen Ridong <chenridong@huaweicloud.com>
+Reviewed-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/cpuset.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -1718,7 +1718,8 @@ static int update_parent_effective_cpuma
+                */
+               if (is_partition_valid(parent))
+                       adding = cpumask_and(tmp->addmask,
+-                                           xcpus, parent->effective_xcpus);
++                                           cs->effective_xcpus,
++                                           parent->effective_xcpus);
+               if (old_prs > 0)
+                       new_prs = -old_prs;
diff --git a/queue-7.0/cgroup-dmem-return-enomem-on-failed-pool-preallocation.patch b/queue-7.0/cgroup-dmem-return-enomem-on-failed-pool-preallocation.patch
new file mode 100644 (file)
index 0000000..73bd29b
--- /dev/null
@@ -0,0 +1,41 @@
+From 796ad622040f7f955ccc3973085e953415920496 Mon Sep 17 00:00:00 2001
+From: Guopeng Zhang <zhangguopeng@kylinos.cn>
+Date: Mon, 11 May 2026 09:31:50 +0800
+Subject: cgroup/dmem: Return -ENOMEM on failed pool preallocation
+
+From: Guopeng Zhang <zhangguopeng@kylinos.cn>
+
+commit 796ad622040f7f955ccc3973085e953415920496 upstream.
+
+get_cg_pool_unlocked() handles allocation failures under dmemcg_lock by
+dropping the lock, preallocating a pool with GFP_KERNEL, and retrying the
+locked lookup and creation path.
+
+If the fallback allocation fails too, pool remains NULL. Since the loop
+condition is while (!pool), the function can keep retrying instead of
+propagating the allocation failure to the caller.
+
+Set pool to ERR_PTR(-ENOMEM) when the fallback allocation fails so the
+loop exits through the existing common return path. The callers already
+handle ERR_PTR() from get_cg_pool_unlocked(), so this restores the
+expected error path.
+
+Fixes: b168ed458dde ("kernel/cgroup: Add "dmem" memory accounting cgroup")
+Cc: stable@vger.kernel.org # v6.14+
+Signed-off-by: Guopeng Zhang <zhangguopeng@kylinos.cn>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/dmem.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/cgroup/dmem.c
++++ b/kernel/cgroup/dmem.c
+@@ -602,6 +602,7 @@ get_cg_pool_unlocked(struct dmemcg_state
+                               pool = NULL;
+                               continue;
+                       }
++                      pool = ERR_PTR(-ENOMEM);
+               }
+       }
diff --git a/queue-7.0/crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch b/queue-7.0/crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch
new file mode 100644 (file)
index 0000000..3290cc4
--- /dev/null
@@ -0,0 +1,31 @@
+From e4c06479d7059888adf2f22bc1ebcf053bf691a2 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 5 May 2026 17:02:45 +0800
+Subject: crypto: af_alg - Cap AEAD AD length to 0x80000000
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit e4c06479d7059888adf2f22bc1ebcf053bf691a2 upstream.
+
+In order to prevent arithmetic overflows when checking the TX
+buffer size, cap the associated data length to 0x80000000.
+
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Fixes: 400c40cf78da ("crypto: algif - add AEAD support")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/af_alg.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -586,6 +586,8 @@ static int af_alg_cmsg_send(struct msghd
+                       if (cmsg->cmsg_len < CMSG_LEN(sizeof(u32)))
+                               return -EINVAL;
+                       con->aead_assoclen = *(u32 *)CMSG_DATA(cmsg);
++                      if (con->aead_assoclen >= 0x80000000u)
++                              return -EINVAL;
+                       break;
+               default:
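Review bot: The new bound is an unnamed magic number, and it is checked only after the raw u32 has already been stored into `con->aead_assoclen`; validating first and naming the limit keeps the reason for the cap (the commit message says it prevents arithmetic overflow in the TX buffer size check) visible at the point of use. I would read into a local, compare against a named constant and store only on success: `u32 assoclen = *(u32 *)CMSG_DATA(cmsg);` / `if (assoclen >= ALG_MAX_AEAD_ASSOCLEN) return -EINVAL;` / `con->aead_assoclen = assoclen;`, with the constant defined near the top of af_alg.c as `#define ALG_MAX_AEAD_ASSOCLEN 0x80000000u /* keeps assoclen arithmetic in the TX size check from overflowing */`. af_alg_cmsg_send() starts and ends outside the hunk.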
diff --git a/queue-7.0/i40e-cleanup-ptp-pins-on-probe-failure.patch b/queue-7.0/i40e-cleanup-ptp-pins-on-probe-failure.patch
new file mode 100644 (file)
index 0000000..5b7f1fa
--- /dev/null
@@ -0,0 +1,73 @@
+From 678b713ece1e853f11e670a84cb887c35e1381b7 Mon Sep 17 00:00:00 2001
+From: Matt Vollrath <tactii@gmail.com>
+Date: Wed, 6 May 2026 14:48:11 -0700
+Subject: i40e: Cleanup PTP pins on probe failure
+
+From: Matt Vollrath <tactii@gmail.com>
+
+commit 678b713ece1e853f11e670a84cb887c35e1381b7 upstream.
+
+PTP pin structs are allocated early in probe, but never cleaned up.
+
+Fix this by calling i40e_ptp_free_pins in the error path.
+
+To support this, i40e_ptp_free_pins is added to the header and
+pin_config is correctly nullified after being freed.
+
+This has been an issue since i40e_ptp_alloc_pins was introduced.
+
+Fixes: 1050713026a08 ("i40e: add support for PTP external synchronization clock")
+Reported-by: Kohei Enju <kohei@enjuk.jp>
+Cc: stable@vger.kernel.org
+Signed-off-by: Matt Vollrath <tactii@gmail.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Kohei Enju <kohei@enjuk.jp>
+Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20260506-jk-iwl-net-2026-05-04-v2-2-a5ea4dc837a9@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e.h      |    1 +
+ drivers/net/ethernet/intel/i40e/i40e_main.c |    1 +
+ drivers/net/ethernet/intel/i40e/i40e_ptp.c  |    3 ++-
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e.h
++++ b/drivers/net/ethernet/intel/i40e/i40e.h
+@@ -1318,6 +1318,7 @@ void i40e_ptp_restore_hw_time(struct i40
+ void i40e_ptp_init(struct i40e_pf *pf);
+ void i40e_ptp_stop(struct i40e_pf *pf);
+ int i40e_ptp_alloc_pins(struct i40e_pf *pf);
++void i40e_ptp_free_pins(struct i40e_pf *pf);
+ int i40e_update_adq_vsi_queues(struct i40e_vsi *vsi, int vsi_offset);
+ int i40e_is_vsi_uplink_mode_veb(struct i40e_vsi *vsi);
+ int i40e_get_partition_bw_setting(struct i40e_pf *pf);
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -16111,6 +16111,7 @@ err_vsis:
+       i40e_clear_interrupt_scheme(pf);
+       kfree(pf->vsi);
+ err_switch_setup:
++      i40e_ptp_free_pins(pf);
+       i40e_reset_interrupt_capability(pf);
+       timer_shutdown_sync(&pf->service_timer);
+ err_mac_addr:
+--- a/drivers/net/ethernet/intel/i40e/i40e_ptp.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ptp.c
+@@ -940,12 +940,13 @@ int i40e_ptp_hwtstamp_get(struct net_dev
+  *
+  * Release memory allocated for PTP pins.
+  **/
+-static void i40e_ptp_free_pins(struct i40e_pf *pf)
++void i40e_ptp_free_pins(struct i40e_pf *pf)
+ {
+       if (i40e_is_ptp_pin_dev(&pf->hw)) {
+               kfree(pf->ptp_pins);
+               kfree(pf->ptp_caps.pin_config);
+               pf->ptp_pins = NULL;
++              pf->ptp_caps.pin_config = NULL;
+       }
+ }
diff --git a/queue-7.0/idpf-fix-double-free-and-use-after-free-in-aux-device-error-paths.patch b/queue-7.0/idpf-fix-double-free-and-use-after-free-in-aux-device-error-paths.patch
new file mode 100644 (file)
index 0000000..dafed10
--- /dev/null
@@ -0,0 +1,65 @@
+From 6c77b9510829a424d1b74409b7db9456e3522871 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 6 May 2026 14:48:13 -0700
+Subject: idpf: fix double free and use-after-free in aux device error paths
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 6c77b9510829a424d1b74409b7db9456e3522871 upstream.
+
+When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or
+idpf_plug_core_aux_dev(), the err_aux_dev_add label calls
+auxiliary_device_uninit() and falls through to err_aux_dev_init.  The
+uninit call will trigger put_device(), which invokes the release
+callback (idpf_vport_adev_release / idpf_core_adev_release) that frees
+iadev.  The fall-through then reads adev->id from the freed iadev for
+ida_free() and double-frees iadev with kfree().
+
+Free the IDA slot and clear the back-pointer before uninit, while adev
+is still valid, then return immediately.
+
+Commit 65637c3a1811 ("idpf: fix UAF in RDMA core aux dev deinitialization")
+fixed the same use-after-free in the matching unplug path in this file but
+missed both probe error paths.
+
+Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
+Cc: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Cc: Andrew Lunn <andrew+netdev@lunn.ch>
+Cc: stable@kernel.org
+Fixes: be91128c579c ("idpf: implement RDMA vport auxiliary dev create, init, and destroy")
+Fixes: f4312e6bfa2a ("idpf: implement core RDMA auxiliary dev create, init, and destroy")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20260506-jk-iwl-net-2026-05-04-v2-4-a5ea4dc837a9@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/idpf/idpf_idc.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/intel/idpf/idpf_idc.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_idc.c
+@@ -90,7 +90,10 @@ static int idpf_plug_vport_aux_dev(struc
+       return 0;
+ err_aux_dev_add:
++      ida_free(&idpf_idc_ida, adev->id);
++      vdev_info->adev = NULL;
+       auxiliary_device_uninit(adev);
++      return ret;
+ err_aux_dev_init:
+       ida_free(&idpf_idc_ida, adev->id);
+ err_ida_alloc:
+@@ -228,7 +231,10 @@ static int idpf_plug_core_aux_dev(struct
+       return 0;
+ err_aux_dev_add:
++      ida_free(&idpf_idc_ida, adev->id);
++      cdev_info->adev = NULL;
+       auxiliary_device_uninit(adev);
++      return ret;
+ err_aux_dev_init:
+       ida_free(&idpf_idc_ida, adev->id);
+ err_ida_alloc:
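Review bot: The new early `return ret;` after auxiliary_device_uninit() is correct only because uninit drops the last reference and the release callback frees iadev (per the commit message), but nothing in the code says so, and the err_aux_dev_add block now reads like an accidentally missing fall-through into err_aux_dev_init, which is exactly the shape a later cleanup might "fix" and thereby reintroduce the double free. I would add the same comment above each of the two uninit calls: `/* uninit() drops the last ref and the release callback frees iadev; do not fall through to err_aux_dev_init. */`. It also looks as though `ret` is expected to still hold the auxiliary_device_add() error at that point, which is set outside the hunk, so worth confirming nothing in between overwrites it. Both idpf_plug_vport_aux_dev() and idpf_plug_core_aux_dev() start outside the hunk.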
diff --git a/queue-7.0/kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch b/queue-7.0/kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch
new file mode 100644 (file)
index 0000000..2c03477
--- /dev/null
@@ -0,0 +1,75 @@
+From 577a8d3bae0531f0e5ccfac919cd8192f920a804 Mon Sep 17 00:00:00 2001
+From: Aaron Sacks <contact@xchglabs.com>
+Date: Tue, 12 May 2026 02:07:42 -0400
+Subject: KVM: Reject wrapped offset in kvm_reset_dirty_gfn()
+
+From: Aaron Sacks <contact@xchglabs.com>
+
+commit 577a8d3bae0531f0e5ccfac919cd8192f920a804 upstream.
+
+kvm_reset_dirty_gfn() guards the gfn range with
+
+       if (!memslot || (offset + __fls(mask)) >= memslot->npages)
+               return;
+
+but offset is u64 and the addition is unchecked.  The check can be
+silently bypassed by a u64 wrap.
+
+The dirty ring backing those entries is MAP_SHARED at
+KVM_DIRTY_LOG_PAGE_OFFSET of the vcpu fd, so the VMM can rewrite the
+slot and offset fields of any entry between when the kernel pushes
+them and when KVM_RESET_DIRTY_RINGS consumes them.  On reset,
+kvm_dirty_ring_reset() re-reads the values via READ_ONCE() and feeds
+them straight back into this check; only the flags handshake is
+treated as the handover, the slot/offset payload is taken on trust.
+
+Crafting two entries
+
+       entry[i].offset   = 0xffffffffffffffc1
+       entry[i+1].offset = 0
+
+makes the coalescing loop in kvm_dirty_ring_reset() compute
+
+       delta = (s64)(0 - 0xffffffffffffffc1) = 63
+
+which falls in [0, BITS_PER_LONG), so it folds entry[i+1] into the
+existing mask by setting bit 63.  The trailing kvm_reset_dirty_gfn()
+call then sees offset = 0xffffffffffffffc1 and __fls(mask) = 63;
+the sum is 0 in u64 and the bounds check passes.
+
+That offset propagates into kvm_arch_mmu_enable_log_dirty_pt_masked()
+unchanged.  On the legacy MMU path -- kvm_memslots_have_rmaps() ==
+true, i.e. shadow paging, any VM that has allocated shadow roots, or
+a write-tracked slot -- it reaches gfn_to_rmap(), which indexes
+slot->arch.rmap[0][] with a near-U64_MAX gfn.  That is an
+out-of-bounds load of a kvm_rmap_head, followed by a conditional
+clear of PT_WRITABLE_MASK in whatever the loaded pointer points at.
+The path is reachable from any process holding /dev/kvm.
+
+Range-check offset on its own first, so the addition cannot wrap.
+memslot->npages is bounded well below U64_MAX, so once offset <
+npages holds, offset + __fls(mask) (with __fls(mask) < BITS_PER_LONG)
+stays in range.
+
+Fixes: fb04a1eddb1a ("KVM: X86: Implement ring-based dirty memory tracking")
+Cc: stable@vger.kernel.org
+Signed-off-by: Aaron Sacks <contact@xchglabs.com>
+Link: https://patch.msgid.link/20260512060742.1628959-1-contact@xchglabs.com/
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/dirty_ring.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/dirty_ring.c
++++ b/virt/kvm/dirty_ring.c
+@@ -63,7 +63,8 @@ static void kvm_reset_dirty_gfn(struct k
+       memslot = id_to_memslot(__kvm_memslots(kvm, as_id), id);
+-      if (!memslot || (offset + __fls(mask)) >= memslot->npages)
++      if (!memslot || offset >= memslot->npages ||
++          offset + __fls(mask) >= memslot->npages)
+               return;
+       KVM_MMU_LOCK(kvm);
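Review bot: The reason the new condition keeps two separate comparisons lives only in the commit message; on the line `if (!memslot || offset >= memslot->npages ||` a comment such as `/* Range-check offset alone first: offset + __fls(mask) can wrap u64 and pass the combined check. */` would stop a later cleanup from folding it back into the single sum. The second comparison is only sound because npages stays far below U64_MAX - BITS_PER_LONG, which the message states but the code does not, so the comment should say that too. kvm_reset_dirty_gfn() begins and ends outside the hunk, so whether mask is guaranteed non-zero before __fls() is called is not visible here.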
diff --git a/queue-7.0/kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch b/queue-7.0/kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch
new file mode 100644 (file)
index 0000000..3ec27e2
--- /dev/null
@@ -0,0 +1,70 @@
+From 16d990a15491cf76cd6eef0846e1b4100e63261a Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Wed, 15 Apr 2026 17:26:55 +0800
+Subject: KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit 16d990a15491cf76cd6eef0846e1b4100e63261a upstream.
+
+kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and
+aen_host_forward() index the GAIT by manually multiplying the index
+with sizeof(struct zpci_gaite).
+
+Since aift->gait is already a struct zpci_gaite pointer, this
+double-scales the offset, accessing element aisb*16 instead of aisb.
+
+This causes out-of-bounds accesses when aisb >= 32 (with
+ZPCI_NR_DEVICES=512)
+
+Fix by removing the erroneous sizeof multiplication.
+
+Fixes: 3c5a1b6f0a18 ("KVM: s390: pci: provide routines for enabling/disabling interrupt forwarding")
+Fixes: 73f91b004321 ("KVM: s390: pci: enable host forwarding of Adapter Event Notifications")
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
+Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
+Tested-by: Matthew Rosato <mjrosato@linux.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kvm/interrupt.c |    3 +--
+ arch/s390/kvm/pci.c       |    6 ++----
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -3307,8 +3307,7 @@ static void aen_host_forward(unsigned lo
+       struct zpci_gaite *gaite;
+       struct kvm *kvm;
+-      gaite = (struct zpci_gaite *)aift->gait +
+-              (si * sizeof(struct zpci_gaite));
++      gaite = aift->gait + si;
+       if (gaite->count == 0)
+               return;
+       if (gaite->aisb != 0)
+--- a/arch/s390/kvm/pci.c
++++ b/arch/s390/kvm/pci.c
+@@ -290,8 +290,7 @@ static int kvm_s390_pci_aif_enable(struc
+                                   phys_to_virt(fib->fmt0.aibv));
+       spin_lock_irq(&aift->gait_lock);
+-      gaite = (struct zpci_gaite *)aift->gait + (zdev->aisb *
+-                                                 sizeof(struct zpci_gaite));
++      gaite = aift->gait + zdev->aisb;
+       /* If assist not requested, host will get all alerts */
+       if (assist)
+@@ -357,8 +356,7 @@ static int kvm_s390_pci_aif_disable(stru
+       if (zdev->kzdev->fib.fmt0.aibv == 0)
+               goto out;
+       spin_lock_irq(&aift->gait_lock);
+-      gaite = (struct zpci_gaite *)aift->gait + (zdev->aisb *
+-                                                 sizeof(struct zpci_gaite));
++      gaite = aift->gait + zdev->aisb;
+       isc = gaite->gisc;
+       gaite->count--;
+       if (gaite->count == 0) {
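Review bot: `gaite = aift->gait + si;` in aen_host_forward() and the two `gaite = aift->gait + zdev->aisb;` sites now scale correctly, but none of the three lines bounds the index against the table size, and the hunks do not show where si or zdev->aisb is validated. The commit message gives the table as ZPCI_NR_DEVICES entries, so a guard like `if (WARN_ON_ONCE(si >= ZPCI_NR_DEVICES)) return;` in aen_host_forward() would turn a future out-of-range index into a warning instead of a silent out-of-bounds read; if the callers already validate the index, a comment saying so at the first site would suffice. All three enclosing functions start and end outside their hunks.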
diff --git a/queue-7.0/kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch b/queue-7.0/kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch
new file mode 100644 (file)
index 0000000..8ea1dee
--- /dev/null
@@ -0,0 +1,35 @@
+From 2b72f1674e427c56e3772c5ccf785fdda2138820 Mon Sep 17 00:00:00 2001
+From: Qiang Ma <maqianga@uniontech.com>
+Date: Tue, 12 May 2026 09:53:13 +0800
+Subject: KVM: x86: Fix Xen hypercall tracepoint argument assignment
+
+From: Qiang Ma <maqianga@uniontech.com>
+
+commit 2b72f1674e427c56e3772c5ccf785fdda2138820 upstream.
+
+TRACE_EVENT(kvm_xen_hypercall) stores a5 in __entry->a4 instead of
+__entry->a5.
+
+That overwrites the recorded a4 argument and leaves a5 unset in the
+trace entry. Fix the typo so both arguments are captured correctly.
+
+Signed-off-by: Qiang Ma <maqianga@uniontech.com>
+Link: https://patch.msgid.link/20260512015313.1685784-1-maqianga@uniontech.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/trace.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/trace.h
++++ b/arch/x86/kvm/trace.h
+@@ -154,7 +154,7 @@ TRACE_EVENT(kvm_xen_hypercall,
+               __entry->a2 = a2;
+               __entry->a3 = a3;
+               __entry->a4 = a4;
+-              __entry->a4 = a5;
++              __entry->a5 = a5;
+       ),
+       TP_printk("cpl %d nr 0x%lx a0 0x%lx a1 0x%lx a2 0x%lx a3 0x%lx a4 0x%lx a5 %lx",
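Review bot: The TP_printk format on the line after the fix prints `a5 %lx` while a0 through a4 are printed as `0x%lx`, so the now-correct a5 value is logged without the prefix the rest of the line carries; changing the tail to `a4 0x%lx a5 0x%lx` keeps the output uniform. The TRACE_EVENT definition begins and ends outside the hunk.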
diff --git a/queue-7.0/kvm-x86-swap-the-dst-and-src-operand-for-movntdqa.patch b/queue-7.0/kvm-x86-swap-the-dst-and-src-operand-for-movntdqa.patch
new file mode 100644 (file)
index 0000000..6409ebf
--- /dev/null
@@ -0,0 +1,43 @@
+From 3098c076c83ea2913245cb915cdcba98eb24214c Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Wed, 6 May 2026 14:35:14 -0700
+Subject: KVM: x86: Swap the dst and src operand for MOVNTDQA
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 3098c076c83ea2913245cb915cdcba98eb24214c upstream.
+
+Swap the MOVNTDQA operands, as MOVNTDQA does NOT in fact have "the same
+characteristics as 0F E7 (MOVNTDQ)"; MOVNTDQA loads from memory and stores
+to registers, while MOVNTDQ loads from registers and stores to memory.
+
+Per the SDM:
+
+ MOVNTDQ - Move packed integer values in xmm1 to m128 using non-temporal
+           hint.
+
+ MOVNTDQA - Move double quadword from m128 to xmm1 using non-temporal hint
+            if WC memory type.
+
+Reported-by: Josh Eads <josheads@google.com>
+Fixes: c57d9bafbd0b ("KVM: x86: Add support for emulating MOVNTDQA")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-ID: <20260506213514.2781948-1-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/emulate.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -4469,7 +4469,7 @@ static const struct opcode opcode_map_0f
+       X16(N), X16(N),
+       /* 0x20 - 0x2f */
+       X8(N),
+-      X2(N), GP(SrcReg | DstMem | ModRM | Mov | Aligned, &pfx_0f_e7_0f_38_2a), N, N, N, N, N,
++      X2(N), GP(SrcMem | DstReg | ModRM | Mov | Aligned, &pfx_0f_e7_0f_38_2a), N, N, N, N, N,
+       /* 0x30 - 0x7f */
+       X16(N), X16(N), X16(N), X16(N), X16(N),
+       /* 0x80 - 0xef */
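Review bot: The corrected entry `GP(SrcMem | DstReg | ModRM | Mov | Aligned, &pfx_0f_e7_0f_38_2a)` still shares its prefix group table with the 0F E7 entry, judging by the table's name, so the two opcodes now differ only in operand direction and a reader could take the asymmetry for a typo. A comment on this line, `/* 0F 38 2A MOVNTDQA: m128 -> xmm, the reverse of 0F E7 MOVNTDQ, which shares the prefix table */`, would record that it is deliberate. The opcode table begins and ends outside the hunk.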
diff --git a/queue-7.0/net-atlantic-preserve-pci-wake-from-d3-on-shutdown-when-wol-enabled.patch b/queue-7.0/net-atlantic-preserve-pci-wake-from-d3-on-shutdown-when-wol-enabled.patch
new file mode 100644 (file)
index 0000000..1d02e86
--- /dev/null
@@ -0,0 +1,50 @@
+From 2c308cf34284420963607d677d576a2b4124d8bd Mon Sep 17 00:00:00 2001
+From: Zoran Ilievski <goodboy@rexbytes.com>
+Date: Mon, 11 May 2026 08:40:02 +0200
+Subject: net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
+
+From: Zoran Ilievski <goodboy@rexbytes.com>
+
+commit 2c308cf34284420963607d677d576a2b4124d8bd upstream.
+
+The shutdown handler aq_pci_shutdown() unconditionally calls
+pci_wake_from_d3(pdev, false), clearing the PCI PME_En bit even when
+wake-on-LAN has been configured. While aq_nic_shutdown() correctly
+programs the NIC firmware via aq_nic_set_power() to listen for magic
+packets, the PCI subsystem will not propagate the resulting PME wake
+event from D3, so the system never wakes after poweroff.
+
+WOL from suspend (S3) is unaffected because aq_suspend_common() does
+not touch pci_wake_from_d3() and relies on the PM core's wake
+configuration via device_may_wakeup().
+
+This affects all atlantic-supported NICs (AQC107/108/111/112/113);
+users have reported that WOL works if the atlantic driver is never
+loaded, but breaks once it has run its shutdown path.
+
+Pass the configured WOL state to pci_wake_from_d3() instead of a
+literal false, so the PCI PME_En bit is preserved when the user has
+armed WOL via ethtool.
+
+Fixes: 90869ddfefeb ("net: aquantia: Implement pci shutdown callback")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zoran Ilievski <goodboy@rexbytes.com>
+Reviewed-by: Sukhdeep Singh <sukhdeeps@marvell.com>
+Link: https://patch.msgid.link/20260511064002.1857-1-goodboy@rexbytes.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
+@@ -371,7 +371,7 @@ static void aq_pci_shutdown(struct pci_d
+       pci_disable_device(pdev);
+       if (system_state == SYSTEM_POWER_OFF) {
+-              pci_wake_from_d3(pdev, false);
++              pci_wake_from_d3(pdev, self->aq_hw->aq_nic_cfg->wol);
+               pci_set_power_state(pdev, PCI_D3hot);
+       }
+ }
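Review bot: `pci_wake_from_d3(pdev, self->aq_hw->aq_nic_cfg->wol);` passes the driver's wol field straight into a bool parameter and relies on implicit conversion; if wol is a WAKE_* flag mask rather than a bool, as its ethtool origin in the message suggests, `!!self->aq_hw->aq_nic_cfg->wol` makes the intent explicit and survives a later change of the field's type. A one-line comment that PME_En must stay armed here because the PM core's wake configuration is not consulted on the poweroff path would also save the next reader a trip to the commit log. aq_pci_shutdown() starts before the hunk.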
diff --git a/queue-7.0/net-ena-phc-check-return-code-before-setting-timestamp-output.patch b/queue-7.0/net-ena-phc-check-return-code-before-setting-timestamp-output.patch
new file mode 100644 (file)
index 0000000..2f42b7d
--- /dev/null
@@ -0,0 +1,48 @@
+From 24a08d7d6218d60c033015cf4870b6096446e734 Mon Sep 17 00:00:00 2001
+From: Arthur Kiyanovski <akiyano@amazon.com>
+Date: Thu, 7 May 2026 00:35:15 +0000
+Subject: net: ena: PHC: Check return code before setting timestamp output
+
+From: Arthur Kiyanovski <akiyano@amazon.com>
+
+commit 24a08d7d6218d60c033015cf4870b6096446e734 upstream.
+
+ena_phc_gettimex64() is setting the output parameter regardless
+of whether ena_com_phc_get_timestamp() succeeded or failed.
+
+When ena_com_phc_get_timestamp() returns an error, the timestamp
+parameter may contain uninitialized stack memory (e.g., when PHC is
+disabled or in blocked state) or invalid hardware values. Passing
+these to userspace via the PTP ioctl is both a security issue
+(information leak) and a correctness bug.
+
+Fix by checking the return code after releasing the lock and only
+setting the output timestamp on success.
+
+Fixes: e0ea34158ee8 ("net: ena: Add PHC support in the ENA driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Link: https://patch.msgid.link/20260507003518.22554-1-akiyano@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_phc.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_phc.c
++++ b/drivers/net/ethernet/amazon/ena/ena_phc.c
+@@ -46,9 +46,12 @@ static int ena_phc_gettimex64(struct ptp
+       spin_unlock_irqrestore(&phc_info->lock, flags);
++      if (rc)
++              return rc;
++
+       *ts = ns_to_timespec64(timestamp_nsec);
+-      return rc;
++      return 0;
+ }
+ static int ena_phc_settime64(struct ptp_clock_info *clock_info,
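Review bot: The new early return carries no comment stating why the output is withheld, and the reason (timestamp_nsec may hold uninitialized stack or invalid hardware values on failure and would reach userspace through the PTP ioctl) lives only in the commit message; `if (rc) /* timestamp_nsec is not valid on error; never copy it out */` would keep the ordering from being undone by a later refactor. ena_phc_gettimex64() starts before the hunk, so whether timestamp_nsec is initialized at its declaration is not visible here.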
diff --git a/queue-7.0/net-ena-phc-fix-potential-use-after-free-in-get_timestamp.patch b/queue-7.0/net-ena-phc-fix-potential-use-after-free-in-get_timestamp.patch
new file mode 100644 (file)
index 0000000..48e7cc0
--- /dev/null
@@ -0,0 +1,61 @@
+From e42c755582f0960e684298762f0ab927b3778376 Mon Sep 17 00:00:00 2001
+From: Arthur Kiyanovski <akiyano@amazon.com>
+Date: Fri, 8 May 2026 06:21:21 +0000
+Subject: net: ena: PHC: Fix potential use-after-free in get_timestamp
+
+From: Arthur Kiyanovski <akiyano@amazon.com>
+
+commit e42c755582f0960e684298762f0ab927b3778376 upstream.
+
+Move the phc->active check and resp pointer assignment to after
+acquiring the spinlock. Previously, phc->active was checked without
+holding the lock, and resp was cached from ena_dev->phc.virt_addr
+before the lock was acquired.
+
+If ena_com_phc_destroy() runs between the lockless active check and
+the lock acquisition, it sets active=false, releases the lock, frees
+the DMA memory, and sets virt_addr=NULL. The get_timestamp path would
+then read a NULL virt_addr and dereference it.
+
+With both the active check and the pointer read under the lock,
+destroy cannot free the memory while get_timestamp is using it.
+
+Fixes: e0ea34158ee8 ("net: ena: Add PHC support in the ENA driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Link: https://patch.msgid.link/20260508062126.7273-1-akiyano@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_com.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_com.c
++++ b/drivers/net/ethernet/amazon/ena/ena_com.c
+@@ -1782,20 +1782,23 @@ void ena_com_phc_destroy(struct ena_com_
+ int ena_com_phc_get_timestamp(struct ena_com_dev *ena_dev, u64 *timestamp)
+ {
+-      volatile struct ena_admin_phc_resp *resp = ena_dev->phc.virt_addr;
+       const ktime_t zero_system_time = ktime_set(0, 0);
+       struct ena_com_phc_info *phc = &ena_dev->phc;
++      volatile struct ena_admin_phc_resp *resp;
+       ktime_t expire_time;
+       ktime_t block_time;
+       unsigned long flags = 0;
+       int ret = 0;
++      spin_lock_irqsave(&phc->lock, flags);
++
+       if (!phc->active) {
++              spin_unlock_irqrestore(&phc->lock, flags);
+               netdev_err(ena_dev->net_device, "PHC feature is not active in the device\n");
+               return -EOPNOTSUPP;
+       }
+-      spin_lock_irqsave(&phc->lock, flags);
++      resp = ena_dev->phc.virt_addr;
+       /* Check if PHC is in blocked state */
+       if (unlikely(ktime_compare(phc->system_time, zero_system_time))) {
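Review bot: `resp = ena_dev->phc.virt_addr;` goes back through ena_dev even though the function already holds `phc = &ena_dev->phc`, the object whose lock was just taken; `resp = phc->virt_addr;` reads the same field and makes it visible that the read is under phc->lock. A comment on that line, `/* Read under phc->lock: ena_com_phc_destroy() clears active and frees virt_addr under the same lock. */`, would tie the ordering to the race this commit fixes. The function continues past the hunk, so whether resp is still dereferenced after the lock is released is not visible; if it is, the fix is incomplete.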
diff --git a/queue-7.0/netfilter-nf_conntrack_sip-get-helper-before-allocating-expectation.patch b/queue-7.0/netfilter-nf_conntrack_sip-get-helper-before-allocating-expectation.patch
new file mode 100644 (file)
index 0000000..9bfded5
--- /dev/null
@@ -0,0 +1,50 @@
+From eb6317739b1ea3ab28791e1f91b24781905fa815 Mon Sep 17 00:00:00 2001
+From: Li Xiasong <lixiasong1@huawei.com>
+Date: Thu, 7 May 2026 22:04:22 +0800
+Subject: netfilter: nf_conntrack_sip: get helper before allocating expectation
+
+From: Li Xiasong <lixiasong1@huawei.com>
+
+commit eb6317739b1ea3ab28791e1f91b24781905fa815 upstream.
+
+process_register_request() allocates an expectation and then checks
+whether a conntrack helper is available. If helper lookup fails, the
+function returns early and the allocated expectation is left behind.
+
+Reorder the code to fetch and validate helper before calling
+nf_ct_expect_alloc(). This keeps the logic simpler and removes the leak
+path while preserving existing behavior.
+
+Fixes: e14575fa7529 ("netfilter: nf_conntrack: use rcu accessors where needed")
+Cc: stable@vger.kernel.org
+Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_sip.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -1367,6 +1367,10 @@ static int process_register_request(stru
+               goto store_cseq;
+       }
++      helper = rcu_dereference(nfct_help(ct)->helper);
++      if (!helper)
++              return NF_DROP;
++
+       exp = nf_ct_expect_alloc(ct);
+       if (!exp) {
+               nf_ct_helper_log(skb, ct, "cannot alloc expectation");
+@@ -1377,10 +1381,6 @@ static int process_register_request(stru
+       if (sip_direct_signalling)
+               saddr = &ct->tuplehash[!dir].tuple.src.u3;
+-      helper = rcu_dereference(nfct_help(ct)->helper);
+-      if (!helper)
+-              return NF_DROP;
+-
+       nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct),
+                         saddr, &daddr, proto, NULL, &port);
+       exp->timeout.expires = sip_timeout * HZ;
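Review bot: The moved `return NF_DROP;` on a missing helper drops the packet without a diagnostic, while the neighbouring allocation-failure path reports through `nf_ct_helper_log(skb, ct, "cannot alloc expectation")`; the asymmetry predates this patch, but since the lines are being relocated it is the moment to either add `nf_ct_helper_log(skb, ct, "no helper");` before the return or note why silence is intended. A comment above the lookup, `/* Fetch the helper before allocating so the NF_DROP path has nothing to free. */`, would record why the order now matters. process_register_request() begins and ends outside the hunks.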
diff --git a/queue-7.0/netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch b/queue-7.0/netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch
new file mode 100644 (file)
index 0000000..9bcf6f1
--- /dev/null
@@ -0,0 +1,34 @@
+From 19f94b6fee75b3ef7fbc06f3745b9a771a8a19a4 Mon Sep 17 00:00:00 2001
+From: Li Xiasong <lixiasong1@huawei.com>
+Date: Thu, 7 May 2026 22:04:23 +0800
+Subject: netfilter: nft_ct: fix missing expect put in obj eval
+
+From: Li Xiasong <lixiasong1@huawei.com>
+
+commit 19f94b6fee75b3ef7fbc06f3745b9a771a8a19a4 upstream.
+
+nft_ct_expect_obj_eval() allocates an expectation and may call
+nf_ct_expect_related(), but never drops its local reference.
+
+Add nf_ct_expect_put(exp) before return to balance allocation.
+
+Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_ct.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -1381,6 +1381,8 @@ static void nft_ct_expect_obj_eval(struc
+       if (nf_ct_expect_related(exp, 0) != 0)
+               regs->verdict.code = NF_DROP;
++
++      nf_ct_expect_put(exp);
+ }
+ static const struct nla_policy nft_ct_expect_policy[NFTA_CT_EXPECT_MAX + 1] = {
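Review bot: `nf_ct_expect_put(exp);` is unconditional, which is correct only if nf_ct_expect_related() takes its own reference on success and none on failure; that is how the commit message reads, but nothing on the new line says so, and `/* Drop the allocation reference; nf_ct_expect_related() holds its own on success. */` would make the ownership explicit. nft_ct_expect_obj_eval() starts before the hunk, so any other return between nf_ct_expect_alloc() and this put would still leak and needs the same put.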
diff --git a/queue-7.0/revert-acpi-cppc-adjust-debug-messages-in-amd_set_max_freq_ratio-to-warn.patch b/queue-7.0/revert-acpi-cppc-adjust-debug-messages-in-amd_set_max_freq_ratio-to-warn.patch
new file mode 100644 (file)
index 0000000..dd6d1e6
--- /dev/null
@@ -0,0 +1,51 @@
+From db5dadb562cabb6da49959b473ed0d9645b6f2da Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Mon, 4 May 2026 18:01:37 -0500
+Subject: Revert "ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn"
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit db5dadb562cabb6da49959b473ed0d9645b6f2da upstream.
+
+Some older systems don't support CPPC in the firmware and this just makes
+noise for them when booting.  Drop back to debug.
+
+This reverts commit 21fb59ab4b9767085f4fe1edbdbe3177fbb9ec97.
+
+Fixes: 21fb59ab4b976 ("ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn")
+Suggested-by: Kim Phillips <kim.phillips@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Tested-by: Kim Phillips <kim.phillips@amd.com>
+Cc: All applicable <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20260504230141.484743-2-mario.limonciello@amd.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/acpi/cppc.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/acpi/cppc.c
++++ b/arch/x86/kernel/acpi/cppc.c
+@@ -88,19 +88,19 @@ static void amd_set_max_freq_ratio(void)
+       rc = cppc_get_perf_caps(0, &perf_caps);
+       if (rc) {
+-              pr_warn("Could not retrieve perf counters (%d)\n", rc);
++              pr_debug("Could not retrieve perf counters (%d)\n", rc);
+               return;
+       }
+       rc = amd_get_boost_ratio_numerator(0, &numerator);
+       if (rc) {
+-              pr_warn("Could not retrieve highest performance (%d)\n", rc);
++              pr_debug("Could not retrieve highest performance (%d)\n", rc);
+               return;
+       }
+       nominal_perf = perf_caps.nominal_perf;
+       if (!nominal_perf) {
+-              pr_warn("Could not retrieve nominal performance\n");
++              pr_debug("Could not retrieve nominal performance\n");
+               return;
+       }
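Review bot: Demoting all three messages to pr_debug also hides the case where the firmware does advertise CPPC but cppc_get_perf_caps() or amd_get_boost_ratio_numerator() fails for some other reason, which is precisely when an operator would want the warning. If those calls return a distinguishable code for "not supported" (for example -EOPNOTSUPP or -ENODEV), keeping pr_warn for the other codes and pr_debug for that one preserves both the quiet boot and the diagnostic; if they cannot be told apart, a one-line comment that the downgrade exists because older systems lack CPPC would explain the choice. amd_set_max_freq_ratio() continues past the hunk.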
index a57726fc53a48f858e651ebedc5a87097b2210c5..9a99923051588b7215b3366c7cb14c43f3f7a054 100644 (file)
@@ -1038,3 +1038,23 @@ pci-initialize-temporary-device-in-new_id_store.patch
 workqueue-fix-devm_alloc_workqueue-va_list-misuse.patch
 net-sched-sch_pie-annotate-more-data-races-in-pie_du.patch
 sched-fair-fix-wakeup_preempt_fair-for-not-waking-up.patch
+crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch
+i40e-cleanup-ptp-pins-on-probe-failure.patch
+workqueue-fix-wq-cpu_pwq-leak-in-alloc_and_link_pwqs-wq_unbound-path.patch
+net-ena-phc-fix-potential-use-after-free-in-get_timestamp.patch
+cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch
+netfilter-nf_conntrack_sip-get-helper-before-allocating-expectation.patch
+audit-fix-incorrect-inheritable-capability-in-capset-records.patch
+net-ena-phc-check-return-code-before-setting-timestamp-output.patch
+cgroup-dmem-return-enomem-on-failed-pool-preallocation.patch
+idpf-fix-double-free-and-use-after-free-in-aux-device-error-paths.patch
+cgroup-cpuset-reserve-dl-bandwidth-only-for-root-domain-moves.patch
+revert-acpi-cppc-adjust-debug-messages-in-amd_set_max_freq_ratio-to-warn.patch
+netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch
+net-atlantic-preserve-pci-wake-from-d3-on-shutdown-when-wol-enabled.patch
+audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch
+cgroup-cpuset-return-only-actually-allocated-cpus-during-partition-invalidation.patch
+kvm-x86-swap-the-dst-and-src-operand-for-movntdqa.patch
+kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch
+kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch
+kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch
diff --git a/queue-7.0/workqueue-fix-wq-cpu_pwq-leak-in-alloc_and_link_pwqs-wq_unbound-path.patch b/queue-7.0/workqueue-fix-wq-cpu_pwq-leak-in-alloc_and_link_pwqs-wq_unbound-path.patch
new file mode 100644 (file)
index 0000000..062c9da
--- /dev/null
@@ -0,0 +1,52 @@
+From 0143033dc22cdff912cfc13419f5db92fea3b4cb Mon Sep 17 00:00:00 2001
+From: Breno Leitao <leitao@debian.org>
+Date: Fri, 8 May 2026 09:22:03 -0700
+Subject: workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path
+
+From: Breno Leitao <leitao@debian.org>
+
+commit 0143033dc22cdff912cfc13419f5db92fea3b4cb upstream.
+
+For WQ_UNBOUND workqueues, alloc_and_link_pwqs() allocates wq->cpu_pwq
+via alloc_percpu() and then calls apply_workqueue_attrs_locked(). On
+failure it returns the error directly, bypassing the enomem: label
+which holds the only free_percpu(wq->cpu_pwq) in this function.
+
+The caller's error path kfree()s wq without touching wq->cpu_pwq,
+leaking one percpu pointer table (nr_cpu_ids * sizeof(void *) bytes) per
+failed call.
+
+If kmemleak is enabled, we can see:
+
+  unreferenced object (percpu) 0xc0fffa5b121048 (size 8):
+    comm "insmod", pid 776, jiffies 4294682844
+    backtrace (crc 0):
+      pcpu_alloc_noprof+0x665/0xac0
+      __alloc_workqueue+0x33f/0xa20
+      alloc_workqueue_noprof+0x60/0x100
+
+Route the error through the existing enomem: cleanup and any error
+before this one.
+
+Cc: stable@kernel.org
+Fixes: 636b927eba5b ("workqueue: Make unbound workqueues to use per-cpu pool_workqueues")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/workqueue.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -5629,7 +5629,9 @@ static int alloc_and_link_pwqs(struct wo
+               ret = apply_workqueue_attrs_locked(wq, unbound_std_wq_attrs[highpri]);
+       }
+-      return ret;
++      if (ret)
++              goto enomem;
++      return 0;
+ enomem:
+       if (wq->cpu_pwq) {