--- /dev/null
+From 048c540ee76ded666bda74f9dae1ca3254e0633c Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Date: Mon, 18 May 2026 09:23:44 +0000
+Subject: ASoC: qcom: q6asm-dai: close stream only when running
+
+From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+
+commit 048c540ee76ded666bda74f9dae1ca3254e0633c upstream.
+
+q6asm_dai_close() and q6asm_dai_compr_free() currently issue CMD_CLOSE
+whenever prtd->state is non-zero.
+
+After prepare() closes an existing stream, the state is updated to
+Q6ASM_STREAM_STOPPED. Since this state is also non-zero, the close and
+free paths can send CMD_CLOSE again for a stream that has already been
+closed.
+
+Restrict CMD_CLOSE to the Q6ASM_STREAM_RUNNING state so the command is
+sent only when the ASM stream is still active.
+
+Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver")
+Cc: Stable@vger.kernel.org
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260518092347.3446946-3-srinivas.kandagatla@oss.qualcomm.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6asm-dai.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
++++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
+@@ -456,12 +456,12 @@ static int q6asm_dai_close(struct snd_so
+ struct q6asm_dai_rtd *prtd = runtime->private_data;
+
+ if (prtd->audio_client) {
+- if (prtd->state)
++ if (prtd->state == Q6ASM_STREAM_RUNNING) {
+ q6asm_cmd(prtd->audio_client, prtd->stream_id,
+ CMD_CLOSE);
+-
+- q6asm_unmap_memory_regions(substream->stream,
++ q6asm_unmap_memory_regions(substream->stream,
+ prtd->audio_client);
++ }
+ q6asm_audio_client_free(prtd->audio_client);
+ prtd->audio_client = NULL;
+ }
+@@ -678,7 +678,7 @@ static int q6asm_dai_compr_free(struct s
+ struct snd_soc_pcm_runtime *rtd = stream->private_data;
+
+ if (prtd->audio_client) {
+- if (prtd->state) {
++ if (prtd->state == Q6ASM_STREAM_RUNNING) {
+ q6asm_cmd(prtd->audio_client, prtd->stream_id,
+ CMD_CLOSE);
+ if (prtd->next_track_stream_id) {
+@@ -686,11 +686,11 @@ static int q6asm_dai_compr_free(struct s
+ prtd->next_track_stream_id,
+ CMD_CLOSE);
+ }
+- }
+
+- snd_dma_free_pages(&prtd->dma_buffer);
+- q6asm_unmap_memory_regions(stream->direction,
++ q6asm_unmap_memory_regions(stream->direction,
+ prtd->audio_client);
++ }
++ snd_dma_free_pages(&prtd->dma_buffer);
+ q6asm_audio_client_free(prtd->audio_client);
+ prtd->audio_client = NULL;
+ }
--- /dev/null
+From cee3e63e7106c3c81b2053371fdf14240bfba2fc Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Date: Mon, 18 May 2026 09:23:43 +0000
+Subject: ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks
+
+From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+
+commit cee3e63e7106c3c81b2053371fdf14240bfba2fc upstream.
+
+The q6asm-dai stream state is used by prepare() to decide whether an
+existing stream setup needs to be closed before opening/configuring a new
+one. Updating the state from trigger or asynchronous DSP callbacks can make
+that state stale or incorrect relative to the actual setup lifetime.
+
+In particular, setting Q6ASM_STREAM_STOPPED on STOP or EOS completion can
+make prepare() believe there is no active setup to close, which can result
+in opening/configuring the same stream more than once.
+
+Keep stream state updates tied to prepare(), where the stream is actually
+closed and reopened, and stop changing it from trigger and EOS callbacks.
+
+Fixes: bfbb12dfa144 ("ASoC: qcom: q6asm-dai: perform correct state check before closing")
+Cc: Stable@vger.kernel.org
+Closes: https://lore.kernel.org/all/afS7rTHdc9TyIeLx@rdacayan/
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260518092347.3446946-2-srinivas.kandagatla@oss.qualcomm.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6asm-dai.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
++++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
+@@ -191,7 +191,6 @@ static void event_handler(uint32_t opcod
+ prtd->pcm_count, 0, 0, 0);
+ break;
+ case ASM_CLIENT_EVENT_CMD_EOS_DONE:
+- prtd->state = Q6ASM_STREAM_STOPPED;
+ break;
+ case ASM_CLIENT_EVENT_DATA_WRITE_DONE: {
+ prtd->pcm_irq_pos += prtd->pcm_count;
+@@ -338,7 +337,6 @@ static int q6asm_dai_trigger(struct snd_
+ 0, 0, 0);
+ break;
+ case SNDRV_PCM_TRIGGER_STOP:
+- prtd->state = Q6ASM_STREAM_STOPPED;
+ ret = q6asm_cmd_nowait(prtd->audio_client, prtd->stream_id,
+ CMD_EOS);
+ break;
+@@ -554,8 +552,6 @@ static void compress_event_handler(uint3
+ snd_compr_drain_notify(prtd->cstream);
+ prtd->notify_on_drain = false;
+
+- } else {
+- prtd->state = Q6ASM_STREAM_STOPPED;
+ }
+ spin_unlock_irqrestore(&prtd->lock, flags);
+ break;
+@@ -1018,7 +1014,6 @@ static int q6asm_dai_compr_trigger(struc
+ 0, 0, 0);
+ break;
+ case SNDRV_PCM_TRIGGER_STOP:
+- prtd->state = Q6ASM_STREAM_STOPPED;
+ ret = q6asm_cmd_nowait(prtd->audio_client, prtd->stream_id,
+ CMD_EOS);
+ break;
--- /dev/null
+From 4b4db09f283df65d780bc7cee66cb4a7e9bf4770 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Date: Mon, 18 May 2026 09:23:45 +0000
+Subject: ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params
+
+From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+
+commit 4b4db09f283df65d780bc7cee66cb4a7e9bf4770 upstream.
+
+Fix error handling in q6asm_dai_compr_set_params() and q6asm_dai_prepare()
+for both CMD_CLOSE and q6asm_unmap_memory_regions().
+
+In both the functions, we are doing q6asm_audio_client_free in failure
+cases, which means if prepare or set_params fail, we can never recover.
+Now open and close are done in respective dai_open/close functions.
+
+Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver")
+Cc: Stable@vger.kernel.org
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260518092347.3446946-4-srinivas.kandagatla@oss.qualcomm.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6asm-dai.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
++++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
+@@ -239,9 +239,19 @@ static int q6asm_dai_prepare(struct snd_
+ /* rate and channels are sent to audio driver */
+ if (prtd->state == Q6ASM_STREAM_RUNNING) {
+ /* clear the previous setup if any */
+- q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
+- q6asm_unmap_memory_regions(substream->stream,
+- prtd->audio_client);
++ ret = q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
++ if (ret < 0) {
++ dev_err(dev, "Failed to close q6asm stream %d\n", prtd->stream_id);
++ return ret;
++ }
++
++ ret = q6asm_unmap_memory_regions(substream->stream, prtd->audio_client);
++ if (ret < 0) {
++ dev_err(dev, "Failed to unmap memory regions for q6asm stream %d\n",
++ prtd->stream_id);
++ return ret;
++ }
++
+ q6routing_stream_close(soc_prtd->dai_link->id,
+ substream->stream);
+ prtd->state = Q6ASM_STREAM_STOPPED;
+@@ -309,8 +319,6 @@ routing_err:
+ q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
+ open_err:
+ q6asm_unmap_memory_regions(substream->stream, prtd->audio_client);
+- q6asm_audio_client_free(prtd->audio_client);
+- prtd->audio_client = NULL;
+
+ return ret;
+ }
+@@ -912,7 +920,7 @@ static int q6asm_dai_compr_set_params(st
+ prtd->session_id, dir);
+ if (ret) {
+ dev_err(dev, "Stream reg failed ret:%d\n", ret);
+- goto q6_err;
++ goto routing_err;
+ }
+
+ ret = __q6asm_dai_compr_set_codec_params(component, stream,
+@@ -938,11 +946,11 @@ static int q6asm_dai_compr_set_params(st
+ return 0;
+
+ q6_err:
++ q6routing_stream_close(rtd->dai_link->id, dir);
++routing_err:
+ q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
+
+ open_err:
+- q6asm_audio_client_free(prtd->audio_client);
+- prtd->audio_client = NULL;
+ return ret;
+ }
+
--- /dev/null
+From f72eed9b84fb771019a955908132410a9ba9ea3f Mon Sep 17 00:00:00 2001
+From: Yuqi Xu <xuyq21@lenovo.com>
+Date: Wed, 27 May 2026 11:48:15 +0800
+Subject: bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
+
+From: Yuqi Xu <xuyq21@lenovo.com>
+
+commit f72eed9b84fb771019a955908132410a9ba9ea3f upstream.
+
+When bpf_msg_push_data() inserts data in the middle of a scatterlist
+entry, it splits the original entry into a left fragment and a right
+fragment.
+
+The right fragment offset is page-local, but the code advances it with
+`start`, which is the message-global insertion point. For inserts into a
+non-first SG entry, this over-advances the offset and leaves the split
+layout inconsistent.
+
+Advance the right fragment offset by the fragment-local delta,
+`start - offset`, which matches the length removed from the front of the
+original entry.
+
+Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Link: https://patch.msgid.link/8b129d10566aa3eb43f61a8f9757bcf51707d324.1779636774.git.xuyq21@lenovo.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/filter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -2848,7 +2848,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_
+
+ psge->length = start - offset;
+ rsge.length -= psge->length;
+- rsge.offset += start;
++ rsge.offset += start - offset;
+
+ sk_msg_iter_var_next(i);
+ sg_unmark_end(psge);
--- /dev/null
+From c0a8899e02ddebd51e2589835182c239c2e224ae Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee@kernel.org>
+Date: Wed, 27 May 2026 17:05:26 +0100
+Subject: HID: wacom: Fix OOB write in wacom_hid_set_device_mode()
+
+From: Lee Jones <lee@kernel.org>
+
+commit c0a8899e02ddebd51e2589835182c239c2e224ae upstream.
+
+wacom_hid_set_device_mode() currently assumes that the HID_DG_INPUTMODE
+usage is always located in the first field (field[0]) of the feature report.
+However, a device can specify HID_DG_INPUTMODE in a different field.
+
+If HID_DG_INPUTMODE is in a field other than the first one and the first
+field has a report_count smaller than the usage_index of HID_DG_INPUTMODE,
+this leads to an out-of-bounds write to r->field[0]->value.
+
+Fix this by storing the field index of HID_DG_INPUTMODE in 'struct
+hid_data' during feature mapping. In wacom_hid_set_device_mode(), use
+this stored field index to access the correct field and add bounds
+checks to ensure both the field index and the value index are within
+valid ranges before writing.
+
+Cc: stable@vger.kernel.org
+Fixes: 5ae6e89f7409 ("HID: wacom: implement the finger part of the HID generic handling")
+Tested-by: Ping Cheng <ping.cheng@wacom.com>
+Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_sys.c | 13 ++++++++++---
+ drivers/hid/wacom_wac.h | 1 +
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -341,6 +341,7 @@ static void wacom_feature_mapping(struct
+
+ hid_data->inputmode = field->report->id;
+ hid_data->inputmode_index = usage->usage_index;
++ hid_data->inputmode_field_index = field->index;
+ break;
+
+ case HID_UP_DIGITIZER:
+@@ -556,9 +557,14 @@ static int wacom_hid_set_device_mode(str
+
+ re = &(hdev->report_enum[HID_FEATURE_REPORT]);
+ r = re->report_id_hash[hid_data->inputmode];
+- if (r) {
+- r->field[0]->value[hid_data->inputmode_index] = 2;
+- hid_hw_request(hdev, r, HID_REQ_SET_REPORT);
++ if (r && hid_data->inputmode_field_index >= 0 &&
++ hid_data->inputmode_field_index < r->maxfield) {
++ struct hid_field *field = r->field[hid_data->inputmode_field_index];
++
++ if (field && hid_data->inputmode_index < field->report_count) {
++ field->value[hid_data->inputmode_index] = 2;
++ hid_hw_request(hdev, r, HID_REQ_SET_REPORT);
++ }
+ }
+ return 0;
+ }
+@@ -2810,6 +2816,7 @@ static int wacom_probe(struct hid_device
+ return error;
+
+ wacom_wac->hid_data.inputmode = -1;
++ wacom_wac->hid_data.inputmode_field_index = -1;
+ wacom_wac->mode_report = -1;
+
+ if (hid_is_usb(hdev)) {
+--- a/drivers/hid/wacom_wac.h
++++ b/drivers/hid/wacom_wac.h
+@@ -297,6 +297,7 @@ struct wacom_shared {
+ struct hid_data {
+ __s16 inputmode; /* InputMode HID feature, -1 if non-existent */
+ __s16 inputmode_index; /* InputMode HID feature index in the report */
++ __s16 inputmode_field_index; /* InputMode HID feature field index in the report */
+ bool sense_state;
+ bool inrange_state;
+ bool invert_state;
--- /dev/null
+From 4c9ad387aa2d6785299722e54224d34764edaeb3 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 13 May 2026 16:53:54 +0200
+Subject: iommu, debugobjects: avoid gcc-16.1 section mismatch warnings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 4c9ad387aa2d6785299722e54224d34764edaeb3 upstream.
+
+gcc-16 has gained some more advanced inter-procedual optimization
+techniques that enable it to inline the dummy_tlb_add_page() and
+dummy_tlb_flush() function pointers into a specialized version of
+__arm_v7s_unmap:
+
+WARNING: modpost: vmlinux: section mismatch in reference: __arm_v7s_unmap+0x2cc (section: .text) -> dummy_tlb_add_page (section: .init.text)
+ERROR: modpost: Section mismatches detected.
+
+>From what I can tell, the transformation is correct, as this is only
+called when __arm_v7s_unmap() is called from arm_v7s_do_selftests(),
+which is also __init. Since __arm_v7s_unmap() however is not __init,
+gcc cannot inline the inner function calls directly.
+
+In debug_objects_selftest(), the same thing happens. Both the
+caller and the leaf function are __init, but the IPA pulls
+it into a non-init one:
+
+WARNING: modpost: vmlinux: section mismatch in reference: lookup_object_or_alloc+0x7c (section: .text.lookup_object_or_alloc) -> is_static_object (section: .init.text)
+
+Marking the affected functions as not "__init" would reliably avoid this
+issue but is not a good solution because it removes an otherwise correct
+annotation. I tried marking the functions as 'noinline', but that ended
+up not covering all the affected configurations.
+
+With some more experimenting, I found that marking these functions as
+__attribute__((noipa)) is both logical and reliable.
+
+In order to keep the syntax readable, add a custom macro for this in
+include/linux/compiler_attributes.h next to other related macros and
+use it to annotate both files.
+
+Link: https://lore.kernel.org/all/abRB6g-48ZX6Yl2r@willie-the-truck/
+Cc: Will Deacon <will@kernel.org>
+Cc: Thomas Gleixner <tglx@kernel.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Miguel Ojeda <ojeda@kernel.org>
+Cc: linux-kbuild@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Will Deacon <will@kernel.org>
+Acked-by: Thomas Gleixner <tglx@kernel.org>
+Acked-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/io-pgtable-arm-v7s.c | 18 ++++++++++++------
+ include/linux/compiler_attributes.h | 11 +++++++++++
+ lib/debugobjects.c | 2 +-
+ 3 files changed, 24 insertions(+), 7 deletions(-)
+
+--- a/drivers/iommu/io-pgtable-arm-v7s.c
++++ b/drivers/iommu/io-pgtable-arm-v7s.c
+@@ -894,21 +894,27 @@ struct io_pgtable_init_fns io_pgtable_ar
+
+ static struct io_pgtable_cfg *cfg_cookie __initdata;
+
+-static void __init dummy_tlb_flush_all(void *cookie)
++/*
++ * __noipa prevents gcc from turning indirect iommu_flush_ops calls
++ * into direct calls from a specialized __arm_v7s_unmap() that triggers
++ * a build time section mismatch assertion.
++ */
++static __noipa void __init dummy_tlb_flush_all(void *cookie)
+ {
+ WARN_ON(cookie != cfg_cookie);
+ }
+
+-static void __init dummy_tlb_flush(unsigned long iova, size_t size,
+- size_t granule, void *cookie)
++static __noipa void __init dummy_tlb_flush(unsigned long iova, size_t size,
++ size_t granule, void *cookie)
+ {
+ WARN_ON(cookie != cfg_cookie);
+ WARN_ON(!(size & cfg_cookie->pgsize_bitmap));
+ }
+
+-static void __init dummy_tlb_add_page(struct iommu_iotlb_gather *gather,
+- unsigned long iova, size_t granule,
+- void *cookie)
++static __noipa void __init dummy_tlb_add_page(struct iommu_iotlb_gather *gather,
++ unsigned long iova,
++ size_t granule,
++ void *cookie)
+ {
+ dummy_tlb_flush(iova, granule, granule, cookie);
+ }
+--- a/include/linux/compiler_attributes.h
++++ b/include/linux/compiler_attributes.h
+@@ -384,6 +384,17 @@
+ #endif
+
+ /*
++ * Optional: not supported by clang
++ *
++ * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Attributes.html#index-noipa
++ */
++#if __has_attribute(noipa)
++# define __noipa __attribute__((noipa))
++#else
++# define __noipa
++#endif
++
++/*
+ * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-weak-function-attribute
+ * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-weak-variable-attribute
+ */
+--- a/lib/debugobjects.c
++++ b/lib/debugobjects.c
+@@ -1076,7 +1076,7 @@ struct self_test {
+
+ static __initconst const struct debug_obj_descr descr_type_test;
+
+-static bool __init is_static_object(void *addr)
++static __noipa bool __init is_static_object(void *addr)
+ {
+ struct self_test *obj = addr;
+
--- /dev/null
+From 11b326fb0a374f4654f9be22d0f0f7abd9f7d3fe Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@google.com>
+Date: Thu, 21 May 2026 21:05:54 +0800
+Subject: ip6: vti: Use ip6_tnl.net in vti6_changelink().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+commit 11b326fb0a374f4654f9be22d0f0f7abd9f7d3fe upstream.
+
+ip netns add ns1
+ip netns add ns2
+ip -n ns1 link add vti6_test type vti6 remote ::1 local ::2 key 7
+ip -n ns1 link set vti6_test netns ns2
+ip -n ns2 link set vti6_test type vti6 remote ::3 local ::4 key 9
+ip netns del ns2
+ip netns del ns1
+[ 132.495484] ------------[ cut here ]------------
+[ 132.497609] kernel BUG at net/core/dev.c:12376!
+
+Commit 61220ab34948 ("vti6: Enable namespace changing") dropped
+NETIF_F_NETNS_LOCAL from vti6 devices. A vti6 tunnel can then
+move through IFLA_NET_NS_FD. After the move dev_net(dev) points
+at the new netns while t->net stays at the creation netns.
+
+vti6_changelink() and vti6_update() still use dev_net(dev) and
+dev_net(t->dev). They unlink from one per netns hash and relink
+into another. The creation netns is left with a stale entry.
+cleanup_net() of that netns later walks freed memory.
+
+Reachable from an unprivileged user namespace (unshare --user
+--map-root-user --net). Cross tenant scope on container hosts.
+
+Fixes: 61220ab34948 ("vti6: Enable namespace changing")
+Reported-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Cc: stable@vger.kernel.org # v5.15+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20260521130555.3421684-2-maoyixie.tju@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_vti.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -726,10 +726,11 @@ vti6_tnl_change(struct ip6_tnl *t, const
+ static int vti6_update(struct ip6_tnl *t, struct __ip6_tnl_parm *p,
+ bool keep_mtu)
+ {
+- struct net *net = dev_net(t->dev);
+- struct vti6_net *ip6n = net_generic(net, vti6_net_id);
++ struct net *net = t->net;
++ struct vti6_net *ip6n;
+ int err;
+
++ ip6n = net_generic(net, vti6_net_id);
+ vti6_tnl_unlink(ip6n, t);
+ synchronize_net();
+ err = vti6_tnl_change(t, p, keep_mtu);
+@@ -1043,11 +1044,12 @@ static int vti6_changelink(struct net_de
+ struct nlattr *data[],
+ struct netlink_ext_ack *extack)
+ {
+- struct ip6_tnl *t;
++ struct ip6_tnl *t = netdev_priv(dev);
++ struct net *net = t->net;
+ struct __ip6_tnl_parm p;
+- struct net *net = dev_net(dev);
+- struct vti6_net *ip6n = net_generic(net, vti6_net_id);
++ struct vti6_net *ip6n;
+
++ ip6n = net_generic(net, vti6_net_id);
+ if (dev == ip6n->fb_tnl_dev)
+ return -EINVAL;
+
--- /dev/null
+From 8b484efd5cb4eeef9021a661e198edc5349dacf6 Mon Sep 17 00:00:00 2001
+From: Maoyi Xie <maoyixie.tju@gmail.com>
+Date: Thu, 21 May 2026 21:05:55 +0800
+Subject: ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().
+
+From: Maoyi Xie <maoyixie.tju@gmail.com>
+
+commit 8b484efd5cb4eeef9021a661e198edc5349dacf6 upstream.
+
+After patch 1/2 in this series, vti6_update() unlinks and relinks
+the tunnel through t->net. vti6_siocdevprivate() still uses
+dev_net(dev) for the collision lookup. For a tunnel moved through
+IFLA_NET_NS_FD, dev_net(dev) is the new netns, not t->net.
+
+SIOCCHGTUNNEL on a migrated tunnel then runs:
+
+ net = dev_net(dev) /* migrated netns */
+ t = vti6_locate(net, &p1, false) /* misses target in t->net */
+ ...
+ t = netdev_priv(dev)
+ vti6_update(t, &p1, false) /* mutates t->net's hash */
+
+A caller in the migrated netns picks params that match a tunnel
+in the creation netns. The lookup in dev_net(dev) finds nothing.
+vti6_update() prepends the migrated tunnel at the head of the
+creation netns hash bucket for those params. Later lookups in
+the creation netns resolve to the migrated device. xfrm receive
+delivers the matched packets through a device the caller controls.
+
+Reachable from an unprivileged user namespace (unshare --user
+--map-root-user --net). Cross tenant scope on container hosts.
+
+Switch the SIOCCHGTUNNEL path on a non fallback device to use
+t->net for the lookup. The lookup now matches the netns
+vti6_update() operates on.
+
+Also add ns_capable(self->net->user_ns, CAP_NET_ADMIN) before
+the lookup. The check at the top of the case is against
+dev_net(dev)->user_ns, which after migration is the attacker's
+netns. A caller there can pick params absent from self->net,
+the lookup returns NULL, t becomes self, and vti6_update()
+inserts the device into the creation netns hash. The new check
+requires CAP_NET_ADMIN in the creation netns user_ns too.
+
+SIOCADDTUNNEL and SIOCCHGTUNNEL on the fallback device keep
+dev_net(dev), which equals init_net there.
+
+Fixes: 61220ab34948 ("vti6: Enable namespace changing")
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Suggested-by: Xiao Liang <shaw.leon@gmail.com>
+Cc: stable@vger.kernel.org # v5.15+
+Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
+Link: https://patch.msgid.link/20260521130555.3421684-3-maoyixie.tju@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_vti.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -838,17 +838,24 @@ vti6_siocdevprivate(struct net_device *d
+ if (p.proto != IPPROTO_IPV6 && p.proto != 0)
+ break;
+ vti6_parm_from_user(&p1, &p);
+- t = vti6_locate(net, &p1, cmd == SIOCADDTUNNEL);
+ if (dev != ip6n->fb_tnl_dev && cmd == SIOCCHGTUNNEL) {
++ struct ip6_tnl *self = netdev_priv(dev);
++
++ err = -EPERM;
++ if (!ns_capable(self->net->user_ns, CAP_NET_ADMIN))
++ break;
++ t = vti6_locate(self->net, &p1, false);
+ if (t) {
+ if (t->dev != dev) {
+ err = -EEXIST;
+ break;
+ }
+ } else
+- t = netdev_priv(dev);
++ t = self;
+
+ err = vti6_update(t, &p1, false);
++ } else {
++ t = vti6_locate(net, &p1, cmd == SIOCADDTUNNEL);
+ }
+ if (t) {
+ err = 0;
--- /dev/null
+From f7b52afe3592eae66e160586b45a3f2242972c63 Mon Sep 17 00:00:00 2001
+From: Zhengchuan Liang <zcliangcn@gmail.com>
+Date: Fri, 22 May 2026 17:42:26 +0800
+Subject: ipv6: exthdrs: refresh nh after handling HAO option
+
+From: Zhengchuan Liang <zcliangcn@gmail.com>
+
+commit f7b52afe3592eae66e160586b45a3f2242972c63 upstream.
+
+ip6_parse_tlv() caches skb_network_header(skb) in nh while walking
+IPv6 TLVs.
+
+ipv6_dest_hao() may call pskb_expand_head() for a cloned skb, which can
+move the skb head and invalidate the cached network header pointer.
+Refresh nh after ipv6_dest_hao() returns so any trailing padding or TLVs
+are parsed from the current skb head.
+
+This matches the existing pattern used in ip6_parse_tlv() after helpers
+that can modify skb header storage.
+
+Fixes: a831f5bbc89a ("[IPV6] MIP6: Add inbound interface of home address option.")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
+Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
+Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/7aba1debc2196189172499e5769802b026f8caf8.1779247873.git.zcliangcn@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/exthdrs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/exthdrs.c
++++ b/net/ipv6/exthdrs.c
+@@ -202,6 +202,8 @@ static bool ip6_parse_tlv(bool hopbyhop,
+ case IPV6_TLV_HAO:
+ if (!ipv6_dest_hao(skb, off))
+ return false;
++
++ nh = skb_network_header(skb);
+ break;
+ #endif
+ default:
--- /dev/null
+From d47548a36639095939f4747d4c43f2271366f565 Mon Sep 17 00:00:00 2001
+From: Justin Iurman <justin.iurman@gmail.com>
+Date: Fri, 22 May 2026 13:20:13 +0200
+Subject: ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()
+
+From: Justin Iurman <justin.iurman@gmail.com>
+
+commit d47548a36639095939f4747d4c43f2271366f565 upstream.
+
+ipv6_hop_jumbo() calls pskb_trim_rcsum(), which can change skb pointers.
+Let's recompute nh pointer to make sure any change won't mess things up.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Justin Iurman <justin.iurman@gmail.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20260522112013.12342-1-justin.iurman@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/exthdrs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/exthdrs.c
++++ b/net/ipv6/exthdrs.c
+@@ -183,6 +183,8 @@ static bool ip6_parse_tlv(bool hopbyhop,
+ case IPV6_TLV_JUMBO:
+ if (!ipv6_hop_jumbo(skb, off))
+ return false;
++
++ nh = skb_network_header(skb);
+ break;
+ case IPV6_TLV_CALIPSO:
+ if (!ipv6_hop_calipso(skb, off))
--- /dev/null
+From dd433671fef381fdaf7b530c631e6b782d66e224 Mon Sep 17 00:00:00 2001
+From: Qi Tang <tpluszz77@gmail.com>
+Date: Sat, 23 May 2026 22:32:45 +0800
+Subject: ipv6: validate extension header length before copying to cmsg
+
+From: Qi Tang <tpluszz77@gmail.com>
+
+commit dd433671fef381fdaf7b530c631e6b782d66e224 upstream.
+
+ip6_datagram_recv_specific_ctl() builds IPV6_{HOPOPTS,DSTOPTS,RTHDR}
+cmsgs (and their IPV6_2292* legacy counterparts) by trusting the
+on-wire hdrlen byte (ptr[1]) when computing the put_cmsg() length.
+The length was validated only at parse time (ipv6_parse_hopopts(),
+etc.). An nftables payload-write expression can rewrite hdrlen after
+parsing and before the skb reaches recvmsg; the write itself is
+in-bounds but put_cmsg() then reads up to ((hdrlen+1) << 3) = 2040
+bytes from an 8-byte header. nftables is reachable from an
+unprivileged user namespace, so this is an unprivileged
+slab-out-of-bounds read:
+
+ BUG: KASAN: slab-out-of-bounds in put_cmsg+0x3ac/0x540
+ put_cmsg+0x3ac/0x540
+ udpv6_recvmsg+0xca0/0x1250
+ sock_recvmsg+0xdf/0x190
+ ____sys_recvmsg+0x1b1/0x620
+
+Add ipv6_get_exthdr_len() which validates that at least two bytes
+are accessible before reading the hdrlen field, then checks the
+computed length against skb_tail_pointer(skb), returning 0 on
+failure. Extension headers are kept in the linear skb area by
+pskb_may_pull() during input, so skb_tail_pointer() is the correct
+bound.
+
+Use ipv6_get_exthdr_len() at all non-AH call sites: the five
+standalone cmsg blocks (HbH, 2292HbH, 2292DSTOPTS x2, 2292RTHDR)
+and the three standard cases in the extension-header walk loop
+(DSTOPTS, ROUTING, default). AH retains an inline bounds check
+because its length formula differs ((ptr[1]+2)<<2).
+
+The walk loop also gets a pre-read bounds check at the top to
+validate ptr before any case accesses ptr[0] or ptr[1].
+
+When the walk loop detects a corrupted header, return from the
+function instead of continuing to process later socket options.
+
+Cc: stable@vger.kernel.org
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Qi Tang <tpluszz77@gmail.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20260523143245.2281415-1-tpluszz77@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/datagram.c | 54 ++++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 46 insertions(+), 8 deletions(-)
+
+--- a/net/ipv6/datagram.c
++++ b/net/ipv6/datagram.c
+@@ -618,6 +618,18 @@ void ip6_datagram_recv_common_ctl(struct
+ }
+ }
+
++static u16 ipv6_get_exthdr_len(const struct sk_buff *skb, const u8 *ptr)
++{
++ u16 len;
++
++ if (ptr + 2 > skb_tail_pointer(skb))
++ return 0;
++
++ len = (ptr[1] + 1) << 3;
++
++ return (len <= skb_tail_pointer(skb) - ptr) ? len : 0;
++}
++
+ void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg,
+ struct sk_buff *skb)
+ {
+@@ -644,7 +656,10 @@ void ip6_datagram_recv_specific_ctl(stru
+ /* HbH is allowed only once */
+ if (np->rxopt.bits.hopopts && (opt->flags & IP6SKB_HOPBYHOP)) {
+ u8 *ptr = nh + sizeof(struct ipv6hdr);
+- put_cmsg(msg, SOL_IPV6, IPV6_HOPOPTS, (ptr[1]+1)<<3, ptr);
++ u16 len = ipv6_get_exthdr_len(skb, ptr);
++
++ if (len)
++ put_cmsg(msg, SOL_IPV6, IPV6_HOPOPTS, len, ptr);
+ }
+
+ if (opt->lastopt &&
+@@ -665,26 +680,37 @@ void ip6_datagram_recv_specific_ctl(stru
+ unsigned int len;
+ u8 *ptr = nh + off;
+
++ if (ptr + 2 > skb_tail_pointer(skb))
++ return;
++
+ switch (nexthdr) {
+ case IPPROTO_DSTOPTS:
+ nexthdr = ptr[0];
+- len = (ptr[1] + 1) << 3;
++ len = ipv6_get_exthdr_len(skb, ptr);
++ if (!len)
++ return;
+ if (np->rxopt.bits.dstopts)
+ put_cmsg(msg, SOL_IPV6, IPV6_DSTOPTS, len, ptr);
+ break;
+ case IPPROTO_ROUTING:
+ nexthdr = ptr[0];
+- len = (ptr[1] + 1) << 3;
++ len = ipv6_get_exthdr_len(skb, ptr);
++ if (!len)
++ return;
+ if (np->rxopt.bits.srcrt)
+ put_cmsg(msg, SOL_IPV6, IPV6_RTHDR, len, ptr);
+ break;
+ case IPPROTO_AH:
+ nexthdr = ptr[0];
+ len = (ptr[1] + 2) << 2;
++ if (ptr + len > skb_tail_pointer(skb))
++ return;
+ break;
+ default:
+ nexthdr = ptr[0];
+- len = (ptr[1] + 1) << 3;
++ len = ipv6_get_exthdr_len(skb, ptr);
++ if (!len)
++ return;
+ break;
+ }
+
+@@ -706,19 +732,31 @@ void ip6_datagram_recv_specific_ctl(stru
+ }
+ if (np->rxopt.bits.ohopopts && (opt->flags & IP6SKB_HOPBYHOP)) {
+ u8 *ptr = nh + sizeof(struct ipv6hdr);
+- put_cmsg(msg, SOL_IPV6, IPV6_2292HOPOPTS, (ptr[1]+1)<<3, ptr);
++ u16 len = ipv6_get_exthdr_len(skb, ptr);
++
++ if (len)
++ put_cmsg(msg, SOL_IPV6, IPV6_2292HOPOPTS, len, ptr);
+ }
+ if (np->rxopt.bits.odstopts && opt->dst0) {
+ u8 *ptr = nh + opt->dst0;
+- put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, (ptr[1]+1)<<3, ptr);
++ u16 len = ipv6_get_exthdr_len(skb, ptr);
++
++ if (len)
++ put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, len, ptr);
+ }
+ if (np->rxopt.bits.osrcrt && opt->srcrt) {
+ struct ipv6_rt_hdr *rthdr = (struct ipv6_rt_hdr *)(nh + opt->srcrt);
+- put_cmsg(msg, SOL_IPV6, IPV6_2292RTHDR, (rthdr->hdrlen+1) << 3, rthdr);
++ u16 len = ipv6_get_exthdr_len(skb, (u8 *)rthdr);
++
++ if (len)
++ put_cmsg(msg, SOL_IPV6, IPV6_2292RTHDR, len, rthdr);
+ }
+ if (np->rxopt.bits.odstopts && opt->dst1) {
+ u8 *ptr = nh + opt->dst1;
+- put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, (ptr[1]+1)<<3, ptr);
++ u16 len = ipv6_get_exthdr_len(skb, ptr);
++
++ if (len)
++ put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, len, ptr);
+ }
+ if (np->rxopt.bits.rxorigdstaddr) {
+ struct sockaddr_in6 sin6;
--- /dev/null
+From e68842b3356471ba56c882209f324613dac47f64 Mon Sep 17 00:00:00 2001
+From: Junrui Luo <moonafterrain@outlook.com>
+Date: Wed, 20 May 2026 11:47:55 +0800
+Subject: macsec: fix replay protection at XPN lower-PN wrap
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+commit e68842b3356471ba56c882209f324613dac47f64 upstream.
+
+In macsec_post_decrypt(), when pn is U32_MAX, pn + 1 overflows u32 to 0
+and the first branch never fires. If next_pn_halves.lower is also in the
+upper half, pn_same_half(pn, lower) is true and the XPN else-if does not
+fire either, leaving next_pn_halves unchanged. An attacker that captures
+the legitimate frame carrying pn == 0xFFFFFFFF on an XPN association
+can then replay it indefinitely, since lowest_pn never rises above
+the captured pn and macsec_decrypt() reconstructs the same IV.
+
+Extend the XPN else-if to also fire when pn + 1 wraps to 0, so receipt
+of pn == U32_MAX advances next_pn_halves to (upper + 1, 0).
+
+Fixes: a21ecf0e0338 ("macsec: Support XPN frame handling - IEEE 802.1AEbw")
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/SYBPR01MB78813FD49E58F253B989F197AF012@SYBPR01MB7881.ausprd01.prod.outlook.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -800,7 +800,8 @@ static bool macsec_post_decrypt(struct s
+ if (pn + 1 > rx_sa->next_pn_halves.lower) {
+ rx_sa->next_pn_halves.lower = pn + 1;
+ } else if (secy->xpn &&
+- !pn_same_half(pn, rx_sa->next_pn_halves.lower)) {
++ (pn + 1 == 0 ||
++ !pn_same_half(pn, rx_sa->next_pn_halves.lower))) {
+ rx_sa->next_pn_halves.upper++;
+ rx_sa->next_pn_halves.lower = pn + 1;
+ }
--- /dev/null
+From bed6e04be8e6b9133d8b16d5a42d0e0ce674fa9a Mon Sep 17 00:00:00 2001
+From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+Date: Mon, 11 May 2026 10:43:14 -0400
+Subject: netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check
+
+From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+
+commit bed6e04be8e6b9133d8b16d5a42d0e0ce674fa9a upstream.
+
+An unintended behavior in the TCP conntrack state machine allows a
+connection to be forced into the CLOSE state using an RST packet with an
+invalid sequence number.
+
+Specifically, after a SYN packet is observed, an RST with an invalid SEQ
+can transition the conntrack entry to TCP_CONNTRACK_CLOSE, regardless of
+whether the RST corresponds to the expected reply direction. The relevant
+code path assumes the RST is a response to an outgoing SYN, but does not
+validate packet direction or ensure that a matching SYN was actually sent
+in the opposite direction.
+
+As a result, a crafted packet sequence consisting of a SYN followed by an
+invalid-sequence RST can prematurely terminate an active NAT entry. This
+makes connection teardown easier than intended.
+
+So, tighten the state transition logic to ensure that RST-triggered
+CLOSE transitions only occur when the RST is a valid response to a
+previously observed SYN in the correct direction.
+
+Cc: stable@vger.kernel.org
+Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
+Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_proto_tcp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -1220,7 +1220,8 @@ int nf_conntrack_tcp_packet(struct nf_co
+ new_state = old_state;
+ }
+ if (((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
+- && ct->proto.tcp.last_index == TCP_SYN_SET)
++ && ct->proto.tcp.last_index == TCP_SYN_SET
++ && ct->proto.tcp.last_dir != dir)
+ || (!test_bit(IPS_ASSURED_BIT, &ct->status)
+ && ct->proto.tcp.last_index == TCP_ACK_SET))
+ && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
--- /dev/null
+From f040e590c035bfd9553fe79ee9585caf1b14d67b Mon Sep 17 00:00:00 2001
+From: Ashutosh Desai <ashutoshdesai993@gmail.com>
+Date: Tue, 5 May 2026 17:07:12 +0000
+Subject: nfc: hci: fix out-of-bounds read in HCP header parsing
+
+From: Ashutosh Desai <ashutoshdesai993@gmail.com>
+
+commit f040e590c035bfd9553fe79ee9585caf1b14d67b upstream.
+
+Both nfc_hci_recv_from_llc() and nci_hci_data_received_cb() read
+packet->header from skb->data at function entry without first checking
+that the buffer holds at least one byte. A malicious NFC peer can send
+a 0-byte HCP frame that passes through the SHDLC layer and reaches
+these functions, causing an out-of-bounds heap read of packet->header.
+The same 0-byte frame, if queued as a non-final fragment, also causes
+the reassembly loop to underflow msg_len to UINT_MAX, triggering
+skb_over_panic() when the reassembled skb is written.
+
+Fix this by adding a pskb_may_pull() check at the entry of each
+function before packet->header is first accessed. The existing
+pskb_may_pull() checks before the reassembled hcp_skb is cast to
+struct hcp_packet remain in place to guard the 2-byte HCP message
+header.
+
+Fixes: 8b8d2e08bf0d ("NFC: HCI support")
+Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
+Cc: stable@vger.kernel.org
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
+Link: https://patch.msgid.link/20260505170712.96560-1-ashutoshdesai993@gmail.com
+Signed-off-by: David Heidelberg <david@ixit.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/hci/core.c | 10 ++++++++++
+ net/nfc/nci/hci.c | 10 ++++++++++
+ 2 files changed, 20 insertions(+)
+
+--- a/net/nfc/hci/core.c
++++ b/net/nfc/hci/core.c
+@@ -861,6 +861,11 @@ static void nfc_hci_recv_from_llc(struct
+ struct sk_buff *frag_skb;
+ int msg_len;
+
++ if (!pskb_may_pull(skb, NFC_HCI_HCP_PACKET_HEADER_LEN)) {
++ kfree_skb(skb);
++ return;
++ }
++
+ packet = (struct hcp_packet *)skb->data;
+ if ((packet->header & ~NFC_HCI_FRAGMENT) == 0) {
+ skb_queue_tail(&hdev->rx_hcp_frags, skb);
+@@ -904,6 +909,11 @@ static void nfc_hci_recv_from_llc(struct
+ * unblock waiting cmd context. Otherwise, enqueue to dispatch
+ * in separate context where handler can also execute command.
+ */
++ if (!pskb_may_pull(hcp_skb, NFC_HCI_HCP_HEADER_LEN)) {
++ kfree_skb(hcp_skb);
++ return;
++ }
++
+ packet = (struct hcp_packet *)hcp_skb->data;
+ type = HCP_MSG_GET_TYPE(packet->message.header);
+ if (type == NFC_HCI_HCP_RESPONSE) {
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -439,6 +439,11 @@ void nci_hci_data_received_cb(void *cont
+ return;
+ }
+
++ if (!pskb_may_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN)) {
++ kfree_skb(skb);
++ return;
++ }
++
+ packet = (struct nci_hcp_packet *)skb->data;
+ if ((packet->header & ~NCI_HCI_FRAGMENT) == 0) {
+ skb_queue_tail(&ndev->hci_dev->rx_hcp_frags, skb);
+@@ -482,6 +487,11 @@ void nci_hci_data_received_cb(void *cont
+ * unblock waiting cmd context. Otherwise, enqueue to dispatch
+ * in separate context where handler can also execute command.
+ */
++ if (!pskb_may_pull(hcp_skb, NCI_HCI_HCP_HEADER_LEN)) {
++ kfree_skb(hcp_skb);
++ return;
++ }
++
+ packet = (struct nci_hcp_packet *)hcp_skb->data;
+ type = NCI_HCP_MSG_GET_TYPE(packet->message.header);
+ if (type == NCI_HCI_HCP_RESPONSE) {
usb-cdc-acm-fix-bit-overlap-and-move-quirk-definitions-to-header.patch
kvm-arm64-pmu-preserve-aarch32-counter-low-bits.patch
kvm-svm-flush-the-current-tlb-when-transitioning-from-xavic-x2avic.patch
+wireguard-send-append-trailer-after-expanding-head.patch
iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch
iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch
iio-dac-ad5686-fix-input-raw-value-check.patch
usb-cdns3-plat-fix-unbalanced-pm_runtime_forbid-call-permanently-leaks-the-runtime-pm-usage-counter-across-bind-unbind-cycles.patch
usb-dwc2-fix-use-after-free-in-debug-code.patch
input-elan_i2c-validate-firmware-size-before-use.patch
+bpf-sockmap-fix-tail-fragment-offset-in-bpf_msg_push_data.patch
+macsec-fix-replay-protection-at-xpn-lower-pn-wrap.patch
+ipv6-exthdrs-refresh-nh-pointer-after-ipv6_hop_jumbo.patch
+asoc-qcom-q6asm-dai-fix-error-handling-in-prepare-and-set_params.patch
+ipv6-exthdrs-refresh-nh-after-handling-hao-option.patch
+ip6-vti-use-ip6_tnl.net-in-vti6_siocdevprivate.patch
+ipv6-validate-extension-header-length-before-copying-to-cmsg.patch
+xfrm-input-hold-netns-during-deferred-transport-reinjection.patch
+ip6-vti-use-ip6_tnl.net-in-vti6_changelink.patch
+hid-wacom-fix-oob-write-in-wacom_hid_set_device_mode.patch
+iommu-debugobjects-avoid-gcc-16.1-section-mismatch-warnings.patch
+nfc-hci-fix-out-of-bounds-read-in-hcp-header-parsing.patch
+xfrm-route-migrate-notifications-to-caller-s-netns.patch
+xfrm-ah-use-skb_to_full_sk-in-async-output-callbacks.patch
+netfilter-conntrack-tcp-do-not-force-close-on-invalid-seq-rst-without-direction-check.patch
+asoc-qcom-q6asm-dai-close-stream-only-when-running.patch
+asoc-qcom-q6asm-dai-do-not-set-stream-state-in-event-and-trigger-callbacks.patch
+xfrm-esp-restore-combined-single-frag-length-gate.patch
--- /dev/null
+From f75e3eb08fe31d30a9af6ed80cdd22e6772837e2 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 29 May 2026 19:31:34 +0200
+Subject: wireguard: send: append trailer after expanding head
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+commit f75e3eb08fe31d30a9af6ed80cdd22e6772837e2 upstream.
+
+With how this is currently written, we add the trailer, zero it out, and
+then add the header space on. If that header space requires a
+reallocation + copy, the zeros in the trailer aren't copied, because the
+skb len hasn't actually been yet expanded to cover that. Instead add the
+padding at the end of the process rather than at the beginning.
+
+Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Link: https://patch.msgid.link/20260529173134.3080773-2-Jason@zx2c4.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireguard/send.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/wireguard/send.c
++++ b/drivers/net/wireguard/send.c
+@@ -177,16 +177,6 @@ static bool encrypt_packet(struct sk_buf
+ trailer_len = padding_len + noise_encrypted_len(0);
+ plaintext_len = skb->len + padding_len;
+
+- /* Expand data section to have room for padding and auth tag. */
+- num_frags = skb_cow_data(skb, trailer_len, &trailer);
+- if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
+- return false;
+-
+- /* Set the padding to zeros, and make sure it and the auth tag are part
+- * of the skb.
+- */
+- memset(skb_tail_pointer(trailer), 0, padding_len);
+-
+ /* Expand head section to have room for our header and the network
+ * stack's headers.
+ */
+@@ -198,6 +188,16 @@ static bool encrypt_packet(struct sk_buf
+ skb_checksum_help(skb)))
+ return false;
+
++ /* Expand data section to have room for padding and auth tag. */
++ num_frags = skb_cow_data(skb, trailer_len, &trailer);
++ if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
++ return false;
++
++ /* Set the padding to zeros, and make sure it and the auth tag are part
++ * of the skb.
++ */
++ memset(skb_tail_pointer(trailer), 0, padding_len);
++
+ /* Only after checksumming can we safely add on the padding at the end
+ * and the header.
+ */
--- /dev/null
+From 79d8be262377f7112cfa3088dfc4142d5a2533f3 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Fri, 15 May 2026 11:45:31 -0400
+Subject: xfrm: ah: use skb_to_full_sk in async output callbacks
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 79d8be262377f7112cfa3088dfc4142d5a2533f3 upstream.
+
+When AH output is offloaded to an asynchronous crypto provider
+(hardware accelerators such as AMD CCP, or a forced-async software
+shim used for testing), the digest completion fires
+ah_output_done() / ah6_output_done() on a workqueue. The egress
+skb at that point may have been originated by a TCP listener
+sending a SYN-ACK, which sets skb->sk to a request_sock via
+skb_set_owner_edemux(); it may also have been originated by an
+inet_timewait_sock retransmit. Neither is a full struct sock, and
+passing the raw skb->sk to xfrm_output_resume() then forwards a
+non-full socket through the rest of the xfrm output chain.
+
+xfrm_output_resume() and its downstream consumers expect a full
+sk where they dereference at all. The natural egress path
+through ah_output_done() does not crash today because the
+consumers that read past sock_common are either gated by
+sk_fullsock() or short-circuit on flags that are clear on a fresh
+request_sock; an exhaustive walk of the 50 most plausible
+consumers under sch_fq, dev_queue_xmit, netfilter, tc-egress and
+cgroup-egress BPF found no current unguarded deref. The bug is
+still a real type confusion that future consumer changes could
+turn into a memory-corruption primitive.
+
+This is the same bug class fixed for ESP in commit 1620c88887b1
+("xfrm: Fix the usage of skb->sk"). Apply the analogous fix to
+AH: convert skb->sk to a full socket pointer (or NULL) via
+skb_to_full_sk() before handing it to xfrm_output_resume().
+
+The same async AH callbacks were touched recently for an
+independent ESN-related ICV layout bug in commit ec54093e6a8f
+("xfrm: ah: account for ESN high bits in async callbacks"); the
+sk type-confusion addressed here is orthogonal. This patch is
+part of an ongoing audit of the AH callback paths; an ah_output
+ihl-validation hardening series is also currently under review on
+netdev.
+
+Reproduced under UML + KASAN + lockdep with a forced-async
+hmac(sha1) shim that registers at priority 9999 and wraps the
+sync in-tree hmac-sha1-lib. With the shim loaded, ah_output_done
+runs on every SYN-ACK egress through a transport-mode AH SA and
+skb->sk arrives as a request_sock (TCP_NEW_SYN_RECV); after this
+patch, xfrm_output_resume() receives the listener (the result of
+sk_to_full_sk()) and consumer derefs land on full-sock fields as
+intended.
+
+Fixes: 9ab1265d5231 ("xfrm: Use actual socket sk instead of skb socket for xfrm_output_resume")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ah4.c | 2 +-
+ net/ipv6/ah6.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ah4.c
++++ b/net/ipv4/ah4.c
+@@ -143,7 +143,7 @@ static void ah_output_done(void *data, i
+ }
+
+ kfree(AH_SKB_CB(skb)->tmp);
+- xfrm_output_resume(skb->sk, skb, err);
++ xfrm_output_resume(skb_to_full_sk(skb), skb, err);
+ }
+
+ static int ah_output(struct xfrm_state *x, struct sk_buff *skb)
+--- a/net/ipv6/ah6.c
++++ b/net/ipv6/ah6.c
+@@ -337,7 +337,7 @@ static void ah6_output_done(void *data,
+ ah6_restore_hdrs(top_iph, iph_ext, extlen);
+
+ kfree(AH_SKB_CB(skb)->tmp);
+- xfrm_output_resume(skb->sk, skb, err);
++ xfrm_output_resume(skb_to_full_sk(skb), skb, err);
+ }
+
+ static int ah6_output(struct xfrm_state *x, struct sk_buff *skb)
--- /dev/null
+From dfa0d7b0ff1eb6b2c416b8fdb9b4f2cefba57a40 Mon Sep 17 00:00:00 2001
+From: Jingguo Tan <tanjingguo@huawei.com>
+Date: Mon, 18 May 2026 17:06:48 +0800
+Subject: xfrm: esp: restore combined single-frag length gate
+
+From: Jingguo Tan <tanjingguo@huawei.com>
+
+commit dfa0d7b0ff1eb6b2c416b8fdb9b4f2cefba57a40 upstream.
+
+The ESP out-of-place fast path appends the trailer in esp_output_head()
+before esp_output_tail() allocates the destination page frag. The
+head-side gate currently checks skb->data_len and tailen separately, but
+the tail code allocates a single destination frag from the combined
+post-trailer skb->data_len.
+
+Reject the page-frag fast path when the combined aligned length exceeds a
+page. Otherwise skb_page_frag_refill() may fall back to a single page while
+the destination sg still spans the combined skb->data_len.
+
+Restore this combined-length page gate for both IPv4 and IPv6.
+
+Fixes: 5bd8baab087d ("esp: limit skb_page_frag_refill use to a single page")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lin Ma <malin89@huawei.com>
+Signed-off-by: Chenyuan Mi <michenyuan@huawei.com>
+Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/esp4.c | 4 ++--
+ net/ipv6/esp6.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -419,8 +419,8 @@ int esp_output_head(struct xfrm_state *x
+ return err;
+ }
+
+- if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
+- ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
++ if (ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) >
++ PAGE_SIZE)
+ goto cow;
+
+ if (!skb_cloned(skb)) {
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -454,8 +454,8 @@ int esp6_output_head(struct xfrm_state *
+ return err;
+ }
+
+- if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
+- ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
++ if (ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) >
++ PAGE_SIZE)
+ goto cow;
+
+ if (!skb_cloned(skb)) {
--- /dev/null
+From c16f74dc1d75d0e2e7670076d5375deda110ebeb Mon Sep 17 00:00:00 2001
+From: Zhengchuan Liang <zcliangcn@gmail.com>
+Date: Fri, 22 May 2026 17:31:55 +0800
+Subject: xfrm: input: hold netns during deferred transport reinjection
+
+From: Zhengchuan Liang <zcliangcn@gmail.com>
+
+commit c16f74dc1d75d0e2e7670076d5375deda110ebeb upstream.
+
+Transport-mode reinjection stores a struct net pointer in skb->cb and
+uses it later from xfrm_trans_reinject(). That pointer must stay valid
+until the deferred callback runs.
+
+Take a netns reference when queueing deferred reinjection work and drop
+it after the callback completes. Use maybe_get_net() so the queueing
+path does not revive a namespace that is already being torn down.
+
+This keeps the existing workqueue design and fixes the netns lifetime
+handling in one place for all users of xfrm_trans_queue_net().
+
+Fixes: 7b3801927e52 ("xfrm: introduce xfrm_trans_queue_net")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
+Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
+Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Assisted-by: Codex:gpt-5.4
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_input.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -760,9 +760,12 @@ static void xfrm_trans_reinject(struct w
+ spin_unlock_bh(&trans->queue_lock);
+
+ local_bh_disable();
+- while ((skb = __skb_dequeue(&queue)))
+- XFRM_TRANS_SKB_CB(skb)->finish(XFRM_TRANS_SKB_CB(skb)->net,
+- NULL, skb);
++ while ((skb = __skb_dequeue(&queue))) {
++ struct net *net = XFRM_TRANS_SKB_CB(skb)->net;
++
++ XFRM_TRANS_SKB_CB(skb)->finish(net, NULL, skb);
++ put_net(net);
++ }
+ local_bh_enable();
+ }
+
+@@ -771,6 +774,7 @@ int xfrm_trans_queue_net(struct net *net
+ struct sk_buff *))
+ {
+ struct xfrm_trans_tasklet *trans;
++ struct net *hold_net;
+
+ trans = this_cpu_ptr(&xfrm_trans_tasklet);
+
+@@ -779,8 +783,12 @@ int xfrm_trans_queue_net(struct net *net
+
+ BUILD_BUG_ON(sizeof(struct xfrm_trans_cb) > sizeof(skb->cb));
+
++ hold_net = maybe_get_net(net);
++ if (!hold_net)
++ return -ENODEV;
++
+ XFRM_TRANS_SKB_CB(skb)->finish = finish;
+- XFRM_TRANS_SKB_CB(skb)->net = net;
++ XFRM_TRANS_SKB_CB(skb)->net = hold_net;
+ spin_lock_bh(&trans->queue_lock);
+ __skb_queue_tail(&trans->queue, skb);
+ spin_unlock_bh(&trans->queue_lock);
--- /dev/null
+From 7e2a4f7ca0952820731ef7bdadfc9a9e9d3571b4 Mon Sep 17 00:00:00 2001
+From: Maoyi Xie <maoyixie.tju@gmail.com>
+Date: Mon, 4 May 2026 22:27:36 +0800
+Subject: xfrm: route MIGRATE notifications to caller's netns
+
+From: Maoyi Xie <maoyixie.tju@gmail.com>
+
+commit 7e2a4f7ca0952820731ef7bdadfc9a9e9d3571b4 upstream.
+
+xfrm_send_migrate() in net/xfrm/xfrm_user.c and pfkey_send_migrate()
+in net/key/af_key.c both hardcode &init_net for the multicast that
+announces a successful XFRM_MSG_MIGRATE / SADB_X_MIGRATE.
+
+XFRM_MSG_MIGRATE arrives on a per-netns NETLINK_XFRM socket, and the
+rest of the xfrm/af_key netlink path was made netns-aware in 2008.
+The other 14 multicast paths in xfrm_user.c route their event using
+xs_net(x), xp_net(xp) or sock_net(skb->sk); only the migrate path
+was missed.
+
+Two consequences of the init_net hardcoding:
+
+ 1. The notification (selector, old/new endpoint addresses, and the
+ km_address) is delivered to listeners on init_net's
+ XFRMNLGRP_MIGRATE / pfkey BROADCAST_ALL groups rather than on
+ the issuing netns. An IKE daemon running in init_net therefore
+ receives migration notifications originating from any other
+ netns on the host.
+
+ 2. An IKE daemon running inside a non-init netns and subscribed
+ to its own XFRMNLGRP_MIGRATE / pfkey groups never receives the
+ notification of its own migration. IKEv2 MOBIKE / address-update
+ handling inside a netns is silently broken.
+
+Thread struct net through km_migrate() and the xfrm_mgr.migrate
+function pointer, drop the &init_net override in xfrm_send_migrate()
+and pfkey_send_migrate(), and pass the caller's net (already in
+scope in xfrm_migrate() via sock_net(skb->sk)) all the way down.
+struct xfrm_mgr is in-tree only and not exported as a stable API,
+so the function-pointer signature change is internal.
+
+pfkey_broadcast() is already netns-aware via net_generic(net,
+pfkey_net_id) since the pernet conversion. The five other
+pfkey_broadcast() callers in af_key.c already pass xs_net(x),
+sock_net(sk) or a per-netns net, so this only removes the
+&init_net outlier.
+
+Fixes: 5c79de6e79cd ("[XFRM]: User interface for handling XFRM_MSG_MIGRATE")
+Cc: stable@vger.kernel.org # v5.15+
+Signed-off-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/xfrm.h | 3 ++-
+ net/key/af_key.c | 6 +++---
+ net/xfrm/xfrm_policy.c | 2 +-
+ net/xfrm/xfrm_state.c | 4 ++--
+ net/xfrm/xfrm_user.c | 5 ++---
+ 5 files changed, 10 insertions(+), 10 deletions(-)
+
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -608,6 +608,7 @@ struct xfrm_mgr {
+ const struct xfrm_migrate *m,
+ int num_bundles,
+ const struct xfrm_kmaddress *k,
++ struct net *net,
+ const struct xfrm_encap_tmpl *encap);
+ bool (*is_alive)(const struct km_event *c);
+ };
+@@ -1772,7 +1773,7 @@ int xfrm_sk_policy_insert(struct sock *s
+ #ifdef CONFIG_XFRM_MIGRATE
+ int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
+ const struct xfrm_migrate *m, int num_bundles,
+- const struct xfrm_kmaddress *k,
++ const struct xfrm_kmaddress *k, struct net *net,
+ const struct xfrm_encap_tmpl *encap);
+ struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net,
+ u32 if_id);
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -3563,7 +3563,7 @@ static int set_ipsecrequest(struct sk_bu
+ #ifdef CONFIG_NET_KEY_MIGRATE
+ static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
+ const struct xfrm_migrate *m, int num_bundles,
+- const struct xfrm_kmaddress *k,
++ const struct xfrm_kmaddress *k, struct net *net,
+ const struct xfrm_encap_tmpl *encap)
+ {
+ int i;
+@@ -3668,7 +3668,7 @@ static int pfkey_send_migrate(const stru
+ }
+
+ /* broadcast migrate message to sockets */
+- pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, &init_net);
++ pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, net);
+
+ return 0;
+
+@@ -3679,7 +3679,7 @@ err:
+ #else
+ static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
+ const struct xfrm_migrate *m, int num_bundles,
+- const struct xfrm_kmaddress *k,
++ const struct xfrm_kmaddress *k, struct net *net,
+ const struct xfrm_encap_tmpl *encap)
+ {
+ return -ENOPROTOOPT;
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -4595,7 +4595,7 @@ int xfrm_migrate(const struct xfrm_selec
+ }
+
+ /* Stage 5 - announce */
+- km_migrate(sel, dir, type, m, num_migrate, k, encap);
++ km_migrate(sel, dir, type, m, num_migrate, k, net, encap);
+
+ xfrm_pol_put(pol);
+
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -2583,7 +2583,7 @@ EXPORT_SYMBOL(km_policy_expired);
+ #ifdef CONFIG_XFRM_MIGRATE
+ int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
+ const struct xfrm_migrate *m, int num_migrate,
+- const struct xfrm_kmaddress *k,
++ const struct xfrm_kmaddress *k, struct net *net,
+ const struct xfrm_encap_tmpl *encap)
+ {
+ int err = -EINVAL;
+@@ -2594,7 +2594,7 @@ int km_migrate(const struct xfrm_selecto
+ list_for_each_entry_rcu(km, &xfrm_km_list, list) {
+ if (km->migrate) {
+ ret = km->migrate(sel, dir, type, m, num_migrate, k,
+- encap);
++ net, encap);
+ if (!ret)
+ err = ret;
+ }
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -2963,10 +2963,9 @@ out_cancel:
+
+ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
+ const struct xfrm_migrate *m, int num_migrate,
+- const struct xfrm_kmaddress *k,
++ const struct xfrm_kmaddress *k, struct net *net,
+ const struct xfrm_encap_tmpl *encap)
+ {
+- struct net *net = &init_net;
+ struct sk_buff *skb;
+ int err;
+
+@@ -2984,7 +2983,7 @@ static int xfrm_send_migrate(const struc
+ #else
+ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
+ const struct xfrm_migrate *m, int num_migrate,
+- const struct xfrm_kmaddress *k,
++ const struct xfrm_kmaddress *k, struct net *net,
+ const struct xfrm_encap_tmpl *encap)
+ {
+ return -ENOPROTOOPT;
projects / thirdparty / kernel / stable-queue.git / commitdiff
