--- /dev/null
+From 80bb50e2d459213cccff3111d5ef98ed4238c0d5 Mon Sep 17 00:00:00 2001
+From: Berk Cem Goksel <berkcgoksel@gmail.com>
+Date: Mon, 13 Apr 2026 06:49:41 +0300
+Subject: ALSA: caiaq: take a reference on the USB device in create_card()
+
+From: Berk Cem Goksel <berkcgoksel@gmail.com>
+
+commit 80bb50e2d459213cccff3111d5ef98ed4238c0d5 upstream.
+
+The caiaq driver stores a pointer to the parent USB device in
+cdev->chip.dev but never takes a reference on it. The card's
+private_free callback, snd_usb_caiaq_card_free(), can run
+asynchronously via snd_card_free_when_closed() after the USB
+device has already been disconnected and freed, so any access to
+cdev->chip.dev in that path dereferences a freed usb_device.
+
+On top of the refcounting issue, the current card_free implementation
+calls usb_reset_device(cdev->chip.dev). A reset in a free callback
+is inappropriate: the device is going away, the call takes the
+device lock in a teardown context, and the reset races with the
+disconnect path that the callback is already cleaning up after.
+
+Take a reference on the USB device in create_card() with
+usb_get_dev(), drop it with usb_put_dev() in the free callback,
+and remove the usb_reset_device() call.
+
+Fixes: b04dcbb7f7b1 ("ALSA: caiaq: Use snd_card_free_when_closed() at disconnection")
+Cc: stable@vger.kernel.org
+Cc: Andrey Konovalov <andreyknvl@gmail.com>
+Signed-off-by: Berk Cem Goksel <berkcgoksel@gmail.com>
+Link: https://patch.msgid.link/20260413034941.1131465-3-berkcgoksel@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/caiaq/device.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/caiaq/device.c
++++ b/sound/usb/caiaq/device.c
+@@ -398,7 +398,7 @@ static void card_free(struct snd_card *c
+ snd_usb_caiaq_input_free(cdev);
+ #endif
+ snd_usb_caiaq_audio_free(cdev);
+- usb_reset_device(cdev->chip.dev);
++ usb_put_dev(cdev->chip.dev);
+ }
+
+ static int create_card(struct usb_device *usb_dev,
+@@ -424,7 +424,7 @@ static int create_card(struct usb_device
+ return err;
+
+ cdev = caiaqdev(card);
+- cdev->chip.dev = usb_dev;
++ cdev->chip.dev = usb_get_dev(usb_dev);
+ cdev->chip.card = card;
+ cdev->chip.usb_id = USB_ID(le16_to_cpu(usb_dev->descriptor.idVendor),
+ le16_to_cpu(usb_dev->descriptor.idProduct));
--- /dev/null
+From 4513d3e0bbc0585b86ccf2631902593ff97e88f5 Mon Sep 17 00:00:00 2001
+From: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
+Date: Thu, 2 Apr 2026 13:36:57 +0800
+Subject: ALSA: usb-audio: apply quirk for MOONDROP JU Jiu
+
+From: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
+
+commit 4513d3e0bbc0585b86ccf2631902593ff97e88f5 upstream.
+
+It(ID 31b2:0111 JU Jiu) reports a MIN value -12800 for volume control, but
+will mute when setting it less than -10880.
+
+Thanks to my girlfriend Kagura for reporting this issue.
+
+Cc: Kagura <me@mail.kagurach.uk>
+Cc: stable@vger.kernel.org
+Signed-off-by: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
+Link: https://patch.msgid.link/20260402-syy-v1-1-068d3bc30ddc@linux.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1199,6 +1199,13 @@ static void volume_control_quirks(struct
+ cval->min = -14208; /* Mute under it */
+ }
+ break;
++ case USB_ID(0x31b2, 0x0111): /* MOONDROP JU Jiu */
++ if (!strcmp(kctl->id.name, "PCM Playback Volume")) {
++ usb_audio_info(chip,
++ "set volume quirk for MOONDROP JU Jiu\n");
++ cval->min = -10880; /* Mute under it */
++ }
++ break;
+ }
+ }
+
--- /dev/null
+From abe4a6d6f606113251868c2c4a06ba904bb41eed Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 13 Mar 2026 10:43:16 -0700
+Subject: crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit abe4a6d6f606113251868c2c4a06ba904bb41eed upstream.
+
+When retrieving the PEK CSR, don't attempt to copy the blob to userspace
+if the firmware command failed. If the failure was due to an invalid
+length, i.e. the userspace buffer+length was too small, copying the number
+of bytes _firmware_ requires will overflow the kernel-allocated buffer and
+leak data to userspace.
+
+ BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
+ BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
+ BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
+ Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405
+
+ CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
+ Tainted: [U]=USER, [O]=OOT_MODULE
+ Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
+ print_address_description ../mm/kasan/report.c:378 [inline]
+ print_report+0xbc/0x260 ../mm/kasan/report.c:482
+ kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
+ check_region_inline ../mm/kasan/generic.c:-1 [inline]
+ kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
+ instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
+ _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
+ _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
+ copy_to_user ../include/linux/uaccess.h:236 [inline]
+ sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872
+ sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562
+ vfs_ioctl ../fs/ioctl.c:51 [inline]
+ __do_sys_ioctl ../fs/ioctl.c:597 [inline]
+ __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
+ do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ </TASK>
+
+WARN if the driver says the command succeeded, but the firmware error code
+says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
+firwmware error.
+
+Reported-by: Alexander Potapenko <glider@google.com>
+Reported-by: Sebastian Alba Vives <sebasjosue84@gmail.com>
+Fixes: e799035609e1 ("crypto: ccp: Implement SEV_PEK_CSR ioctl command")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/ccp/sev-dev.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/crypto/ccp/sev-dev.c
++++ b/drivers/crypto/ccp/sev-dev.c
+@@ -458,7 +458,10 @@ cmd:
+
+ ret = __sev_do_cmd_locked(SEV_CMD_PEK_CSR, &data, &argp->error);
+
+- /* If we query the CSR length, FW responded with expected data. */
++ /*
++ * Firmware will returns the length of the CSR blob (either the minimum
++ * required length or the actual length written), return it to the user.
++ */
+ input.length = data.len;
+
+ if (copy_to_user((void __user *)argp->data, &input, sizeof(input))) {
+@@ -466,6 +469,9 @@ cmd:
+ goto e_free_blob;
+ }
+
++ if (ret || WARN_ON_ONCE(argp->error))
++ goto e_free_blob;
++
+ if (blob) {
+ if (copy_to_user(input_address, blob, input.length))
+ ret = -EFAULT;
--- /dev/null
+From 4f685dbfa87c546e51d9dc6cab379d20f275e114 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 13 Mar 2026 10:57:31 -0700
+Subject: crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 4f685dbfa87c546e51d9dc6cab379d20f275e114 upstream.
+
+When retrieving the ID for the CPU, don't attempt to copy the ID blob to
+userspace if the firmware command failed. If the failure was due to an
+invalid length, i.e. the userspace buffer+length was too small, copying
+the number of bytes _firmware_ requires will overflow the kernel-allocated
+buffer and leak data to userspace.
+
+ BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
+ BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
+ BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
+ Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388
+
+ CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
+ Tainted: [U]=USER, [O]=OOT_MODULE
+ Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
+ print_address_description ../mm/kasan/report.c:378 [inline]
+ print_report+0xbc/0x260 ../mm/kasan/report.c:482
+ kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
+ check_region_inline ../mm/kasan/generic.c:-1 [inline]
+ kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
+ instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
+ _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
+ _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
+ copy_to_user ../include/linux/uaccess.h:236 [inline]
+ sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222
+ sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575
+ vfs_ioctl ../fs/ioctl.c:51 [inline]
+ __do_sys_ioctl ../fs/ioctl.c:597 [inline]
+ __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
+ do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ </TASK>
+
+WARN if the driver says the command succeeded, but the firmware error code
+says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
+firwmware error.
+
+Reported-by: Alexander Potapenko <glider@google.com>
+Reported-by: Sebastian Alba Vives <sebasjosue84@gmail.com>
+Fixes: d6112ea0cb34 ("crypto: ccp - introduce SEV_GET_ID2 command")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/ccp/sev-dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/crypto/ccp/sev-dev.c
++++ b/drivers/crypto/ccp/sev-dev.c
+@@ -703,6 +703,9 @@ static int sev_ioctl_do_get_id2(struct s
+ goto e_free;
+ }
+
++ if (ret || WARN_ON_ONCE(argp->error))
++ goto e_free;
++
+ if (id_blob) {
+ if (copy_to_user(input_address, id_blob, data.len)) {
+ ret = -EFAULT;
--- /dev/null
+From e76239fed3cffd6d304d8ca3ce23984fd24f57d3 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 13 Mar 2026 10:48:53 -0700
+Subject: crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit e76239fed3cffd6d304d8ca3ce23984fd24f57d3 upstream.
+
+When retrieving the PDH cert, don't attempt to copy the blobs to userspace
+if the firmware command failed. If the failure was due to an invalid
+length, i.e. the userspace buffer+length was too small, copying the number
+of bytes _firmware_ requires will overflow the kernel-allocated buffer and
+leak data to userspace.
+
+ BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
+ BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
+ BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
+ Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033
+
+ CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
+ Tainted: [U]=USER, [O]=OOT_MODULE
+ Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.84.12-0 11/17/2025
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
+ print_address_description ../mm/kasan/report.c:378 [inline]
+ print_report+0xbc/0x260 ../mm/kasan/report.c:482
+ kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
+ check_region_inline ../mm/kasan/generic.c:-1 [inline]
+ kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
+ instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
+ _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
+ _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
+ copy_to_user ../include/linux/uaccess.h:236 [inline]
+ sev_ioctl_do_pdh_export+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347
+ sev_ioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568
+ vfs_ioctl ../fs/ioctl.c:51 [inline]
+ __do_sys_ioctl ../fs/ioctl.c:597 [inline]
+ __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
+ do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ </TASK>
+
+WARN if the driver says the command succeeded, but the firmware error code
+says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
+firwmware error.
+
+Reported-by: Alexander Potapenko <glider@google.com>
+Reported-by: Sebastian Alba Vives <sebasjosue84@gmail.com>
+Fixes: 76a2b524a4b1 ("crypto: ccp: Implement SEV_PDH_CERT_EXPORT ioctl command")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/ccp/sev-dev.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/crypto/ccp/sev-dev.c
++++ b/drivers/crypto/ccp/sev-dev.c
+@@ -817,7 +817,10 @@ static int sev_ioctl_do_pdh_export(struc
+ cmd:
+ ret = __sev_do_cmd_locked(SEV_CMD_PDH_CERT_EXPORT, &data, &argp->error);
+
+- /* If we query the length, FW responded with expected data. */
++ /*
++ * Firmware will return the length of the blobs (either the minimum
++ * required length or the actual length written), return 'em to the user.
++ */
+ input.cert_chain_len = data.cert_chain_len;
+ input.pdh_cert_len = data.pdh_cert_len;
+
+@@ -826,6 +829,9 @@ cmd:
+ goto e_free_cert;
+ }
+
++ if (ret || WARN_ON_ONCE(argp->error))
++ goto e_free_cert;
++
+ if (pdh_blob) {
+ if (copy_to_user(input_pdh_cert_address,
+ pdh_blob, input.pdh_cert_len)) {
--- /dev/null
+From 129a45f9755a89f573c6a513a6b9e3d234ce89b0 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <djwong@kernel.org>
+Date: Mon, 23 Feb 2026 15:06:50 -0800
+Subject: fuse: quiet down complaints in fuse_conn_limit_write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Darrick J. Wong <djwong@kernel.org>
+
+commit 129a45f9755a89f573c6a513a6b9e3d234ce89b0 upstream.
+
+gcc 15 complains about an uninitialized variable val that is passed by
+reference into fuse_conn_limit_write:
+
+ control.c: In function ‘fuse_conn_congestion_threshold_write’:
+ include/asm-generic/rwonce.h:55:37: warning: ‘val’ may be used uninitialized [-Wmaybe-uninitialized]
+ 55 | *(volatile typeof(x) *)&(x) = (val); \
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~
+ include/asm-generic/rwonce.h:61:9: note: in expansion of macro ‘__WRITE_ONCE’
+ 61 | __WRITE_ONCE(x, val); \
+ | ^~~~~~~~~~~~
+ control.c:178:9: note: in expansion of macro ‘WRITE_ONCE’
+ 178 | WRITE_ONCE(fc->congestion_threshold, val);
+ | ^~~~~~~~~~
+ control.c:166:18: note: ‘val’ was declared here
+ 166 | unsigned val;
+ | ^~~
+
+Unfortunately there's enough macro spew involved in kstrtoul_from_user
+that I think gcc gives up on its analysis and sprays the above warning.
+AFAICT it's not actually a bug, but we could just zero-initialize the
+variable to enable using -Wmaybe-uninitialized to find real problems.
+
+Previously we would use some weird uninitialized_var annotation to quiet
+down the warnings, so clearly this code has been like this for quite
+some time.
+
+Cc: stable@vger.kernel.org # v5.9
+Fixes: 3f649ab728cda8 ("treewide: Remove uninitialized_var() usage")
+Signed-off-by: Darrick J. Wong <djwong@kernel.org>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/control.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/fuse/control.c
++++ b/fs/fuse/control.c
+@@ -120,7 +120,7 @@ static ssize_t fuse_conn_max_background_
+ const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- unsigned val;
++ unsigned int val = 0;
+ ssize_t ret;
+
+ ret = fuse_conn_limit_write(file, buf, count, ppos, &val,
+@@ -162,7 +162,7 @@ static ssize_t fuse_conn_congestion_thre
+ const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- unsigned val;
++ unsigned int val = 0;
+ struct fuse_conn *fc;
+ struct fuse_mount *fm;
+ ssize_t ret;
--- /dev/null
+From 51a8de6c50bf947c8f534cd73da4c8f0a13e7bed Mon Sep 17 00:00:00 2001
+From: Samuel Page <sam@bynar.io>
+Date: Mon, 20 Apr 2026 11:01:37 +0200
+Subject: fuse: reject oversized dirents in page cache
+
+From: Samuel Page <sam@bynar.io>
+
+commit 51a8de6c50bf947c8f534cd73da4c8f0a13e7bed upstream.
+
+fuse_add_dirent_to_cache() computes a serialized dirent size from the
+server-controlled namelen field and copies the dirent into a single
+page-cache page. The existing logic only checks whether the dirent fits
+in the remaining space of the current page and advances to a fresh page
+if not. It never checks whether the dirent itself exceeds PAGE_SIZE.
+
+As a result, a malicious FUSE server can return a dirent with
+namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB
+page systems this causes memcpy() to overflow the cache page by 24 bytes
+into the following kernel page.
+
+Reject dirents that cannot fit in a single page before copying them into
+the readdir cache.
+
+Fixes: 69e34551152a ("fuse: allow caching readdir")
+Cc: stable@vger.kernel.org # v6.16+
+Assisted-by: Bynario AI
+Signed-off-by: Samuel Page <sam@bynar.io>
+Reported-by: Qi Tang <tpluszz77@gmail.com>
+Reported-by: Zijun Hu <nightu@northwestern.edu>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Link: https://patch.msgid.link/20260420090139.662772-1-mszeredi@redhat.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/readdir.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/fuse/readdir.c
++++ b/fs/fuse/readdir.c
+@@ -41,6 +41,10 @@ static void fuse_add_dirent_to_cache(str
+ unsigned int offset;
+ void *addr;
+
++ /* Dirent doesn't fit in readdir cache page? Skip caching. */
++ if (reclen > PAGE_SIZE)
++ return;
++
+ spin_lock(&fi->rdc.lock);
+ /*
+ * Is cache already completed? Or this entry does not go at the end of
--- /dev/null
+From ac33733b10b484d666f97688561670afd5861383 Mon Sep 17 00:00:00 2001
+From: Anderson Nascimento <anderson@allelesecurity.com>
+Date: Wed, 22 Apr 2026 17:14:35 +0100
+Subject: rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
+
+From: Anderson Nascimento <anderson@allelesecurity.com>
+
+commit ac33733b10b484d666f97688561670afd5861383 upstream.
+
+In rxrpc_preparse(), there are two paths for parsing key payloads: the
+XDR path (for large payloads) and the non-XDR path (for payloads <= 28
+bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly
+validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR
+path fails to do so.
+
+This allows an unprivileged user to provide a very large ticket length.
+When this key is later read via rxrpc_read(), the total
+token size (toksize) calculation results in a value that exceeds
+AFSTOKEN_LENGTH_MAX, triggering a WARN_ON().
+
+[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]
+
+Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse()
+to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX,
+bringing it into parity with the XDR parsing logic.
+
+Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing")
+Fixes: 84924aac08a4 ("rxrpc: Fix checker warning")
+Reported-by: Anderson Nascimento <anderson@allelesecurity.com>
+Signed-off-by: Anderson Nascimento <anderson@allelesecurity.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Jeffrey Altman <jaltman@auristor.com>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/20260422161438.2593376-7-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/key.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -755,6 +755,10 @@ static int rxrpc_preparse(struct key_pre
+ if (v1->security_index != RXRPC_SECURITY_RXKAD)
+ goto error;
+
++ ret = -EKEYREJECTED;
++ if (v1->ticket_length > AFSTOKEN_RK_TIX_MAX)
++ goto error;
++
+ plen = sizeof(*token->kad) + v1->ticket_length;
+ prep->quotalen += plen + sizeof(*token);
+
cifs-fix-connections-leak-when-tlink-setup-failed.patch
rxrpc-only-handle-response-during-service-challenge.patch
rxrpc-fix-anonymous-key-handling.patch
+fuse-reject-oversized-dirents-in-page-cache.patch
+fuse-quiet-down-complaints-in-fuse_conn_limit_write.patch
+alsa-usb-audio-apply-quirk-for-moondrop-ju-jiu.patch
+alsa-caiaq-take-a-reference-on-the-usb-device-in-create_card.patch
+crypto-ccp-don-t-attempt-to-copy-csr-to-userspace-if-psp-command-failed.patch
+crypto-ccp-don-t-attempt-to-copy-pdh-cert-to-userspace-if-psp-command-failed.patch
+crypto-ccp-don-t-attempt-to-copy-id-to-userspace-if-psp-command-failed.patch
+rxrpc-fix-missing-validation-of-ticket-length-in-non-xdr-key-preparsing.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
