]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 Jul 2026 13:46:53 +0000 (15:46 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 Jul 2026 13:46:53 +0000 (15:46 +0200)
added patches:
6lowpan-fix-nhc-entry-use-after-free-on-error-path.patch
audit-fix-data-races-of-skb_queue_len-readers-on-audit_queue.patch
crypto-amlogic-avoid-double-cleanup-in-meson_crypto_probe.patch
debugobjects-plug-race-against-a-concurrent-oom-disable.patch
fs-ntfs3-validate-dirty-page-table-capacity-in-log_replay-copy_lcns.patch
gpio-eic-sprd-use-raw_spinlock_t-in-the-irq-startup-path.patch
hwrng-virtio-clamp-device-reported-used.len-at-copy_data.patch
io_uring-io-wq-re-check-io_wq_bit_exit-for-each-linked-work-item.patch
ipv4-igmp-remove-multicast-group-from-hash-table-on-device-destruction.patch
ksmbd-fix-use-after-free-of-a-deferred-file_lock-on-smb2_close-then-smb2_cancel.patch
media-staging-ipu3-imgu-add-range-check-for-imgu_css_cfg_acc_stripe.patch
mfd-cros_ec-delay-dev_set_drvdata-until-probe-success.patch
mm-damon-ops-common-handle-extreme-intervals-in-damon_hot_score.patch
net-af_key-initialize-alg_key_len-for-ipcomp-states.patch
net-ipv4-bound-tcp-reordering-sysctl-writes-and-mtu-probe-sizes.patch
netfilter-ctnetlink-use-nf_ct_exp_net-in-expectation-dump.patch
netfilter-ipset-fix-race-between-dump-and-ip_set_list-resize.patch
ntb-epf-avoid-calling-pci_irq_vector-from-hardirq-context.patch
smb-client-restrict-implied-bcc-exemption-to-responses-without-data-area.patch
staging-media-atomisp-reduce-load_primary_binaries-stack-usage.patch
staging-rtl8723bs-fix-oob-read-in-onassocrsp-ie-loop.patch
staging-rtl8723bs-fix-oob-read-in-update_beacon_info-ie-loop.patch
staging-rtl8723bs-fix-oob-reads-in-ie-loops-in-issue_assocreq-and-join_cmd_hdl.patch
staging-rtl8723bs-fix-oob-reads-in-is_ap_in_tkip-ie-loop.patch
staging-rtl8723bs-fix-oob-write-in-ht_caps_handler.patch
staging-rtl8723bs-fix-wep-length-underflow-and-oob-read-in-onauth.patch
staging-vme_user-bound-slave-read-write-to-the-kern_buf-size.patch
staging-vme_user-fix-location-monitor-leak-in-fake-bridge.patch
staging-vme_user-fix-location-monitor-leak-in-tsi148-bridge.patch
tipc-fix-out-of-bounds-read-in-broadcast-gap-ack-blocks.patch
usb-chaoskey-fix-slab-use-after-free-in-chaoskey_release.patch
usb-dwc3-run-gadget-disconnect-from-sleepable-suspend-context.patch
virtio-mmio-fix-device-release-warning-on-module-unload.patch

34 files changed:
queue-6.1/6lowpan-fix-nhc-entry-use-after-free-on-error-path.patch [new file with mode: 0644]
queue-6.1/audit-fix-data-races-of-skb_queue_len-readers-on-audit_queue.patch [new file with mode: 0644]
queue-6.1/crypto-amlogic-avoid-double-cleanup-in-meson_crypto_probe.patch [new file with mode: 0644]
queue-6.1/debugobjects-plug-race-against-a-concurrent-oom-disable.patch [new file with mode: 0644]
queue-6.1/fs-ntfs3-validate-dirty-page-table-capacity-in-log_replay-copy_lcns.patch [new file with mode: 0644]
queue-6.1/gpio-eic-sprd-use-raw_spinlock_t-in-the-irq-startup-path.patch [new file with mode: 0644]
queue-6.1/hwrng-virtio-clamp-device-reported-used.len-at-copy_data.patch [new file with mode: 0644]
queue-6.1/io_uring-io-wq-re-check-io_wq_bit_exit-for-each-linked-work-item.patch [new file with mode: 0644]
queue-6.1/ipv4-igmp-remove-multicast-group-from-hash-table-on-device-destruction.patch [new file with mode: 0644]
queue-6.1/ksmbd-fix-use-after-free-of-a-deferred-file_lock-on-smb2_close-then-smb2_cancel.patch [new file with mode: 0644]
queue-6.1/media-staging-ipu3-imgu-add-range-check-for-imgu_css_cfg_acc_stripe.patch [new file with mode: 0644]
queue-6.1/mfd-cros_ec-delay-dev_set_drvdata-until-probe-success.patch [new file with mode: 0644]
queue-6.1/mm-damon-ops-common-handle-extreme-intervals-in-damon_hot_score.patch [new file with mode: 0644]
queue-6.1/net-af_key-initialize-alg_key_len-for-ipcomp-states.patch [new file with mode: 0644]
queue-6.1/net-ipv4-bound-tcp-reordering-sysctl-writes-and-mtu-probe-sizes.patch [new file with mode: 0644]
queue-6.1/netfilter-ctnetlink-use-nf_ct_exp_net-in-expectation-dump.patch [new file with mode: 0644]
queue-6.1/netfilter-ipset-fix-race-between-dump-and-ip_set_list-resize.patch [new file with mode: 0644]
queue-6.1/ntb-epf-avoid-calling-pci_irq_vector-from-hardirq-context.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/smb-client-restrict-implied-bcc-exemption-to-responses-without-data-area.patch [new file with mode: 0644]
queue-6.1/staging-media-atomisp-reduce-load_primary_binaries-stack-usage.patch [new file with mode: 0644]
queue-6.1/staging-rtl8723bs-fix-oob-read-in-onassocrsp-ie-loop.patch [new file with mode: 0644]
queue-6.1/staging-rtl8723bs-fix-oob-read-in-update_beacon_info-ie-loop.patch [new file with mode: 0644]
queue-6.1/staging-rtl8723bs-fix-oob-reads-in-ie-loops-in-issue_assocreq-and-join_cmd_hdl.patch [new file with mode: 0644]
queue-6.1/staging-rtl8723bs-fix-oob-reads-in-is_ap_in_tkip-ie-loop.patch [new file with mode: 0644]
queue-6.1/staging-rtl8723bs-fix-oob-write-in-ht_caps_handler.patch [new file with mode: 0644]
queue-6.1/staging-rtl8723bs-fix-wep-length-underflow-and-oob-read-in-onauth.patch [new file with mode: 0644]
queue-6.1/staging-vme_user-bound-slave-read-write-to-the-kern_buf-size.patch [new file with mode: 0644]
queue-6.1/staging-vme_user-fix-location-monitor-leak-in-fake-bridge.patch [new file with mode: 0644]
queue-6.1/staging-vme_user-fix-location-monitor-leak-in-tsi148-bridge.patch [new file with mode: 0644]
queue-6.1/tipc-fix-out-of-bounds-read-in-broadcast-gap-ack-blocks.patch [new file with mode: 0644]
queue-6.1/usb-chaoskey-fix-slab-use-after-free-in-chaoskey_release.patch [new file with mode: 0644]
queue-6.1/usb-dwc3-run-gadget-disconnect-from-sleepable-suspend-context.patch [new file with mode: 0644]
queue-6.1/virtio-mmio-fix-device-release-warning-on-module-unload.patch [new file with mode: 0644]

diff --git a/queue-6.1/6lowpan-fix-nhc-entry-use-after-free-on-error-path.patch b/queue-6.1/6lowpan-fix-nhc-entry-use-after-free-on-error-path.patch
new file mode 100644 (file)
index 0000000..0e38dc7
--- /dev/null
@@ -0,0 +1,66 @@
+From 1720db928e5a58ca7d75ac1d514c3b73fd7061a7 Mon Sep 17 00:00:00 2001
+From: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
+Date: Tue, 9 Jun 2026 16:00:52 +0800
+Subject: 6lowpan: fix NHC entry use-after-free on error path
+
+From: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
+
+commit 1720db928e5a58ca7d75ac1d514c3b73fd7061a7 upstream.
+
+lowpan_nhc_do_uncompression() looks up an NHC descriptor while holding
+lowpan_nhc_lock.  If the descriptor has no uncompress callback, the error
+path drops the lock before printing nhc->name.
+
+lowpan_nhc_del() removes descriptors under the same lock and then relies
+on synchronize_net() before the owning module can be unloaded.  That only
+waits for net RX RCU readers.  lowpan_header_decompress() is also exported
+and can be reached from callers that are not necessarily covered by the net
+core RX critical section, for example the Bluetooth 6LoWPAN L2CAP receive
+path.
+
+This leaves a race where one task drops lowpan_nhc_lock in the error path,
+another task unregisters and frees the matching descriptor after
+synchronize_net() returns, and the first task then dereferences nhc->name
+for the warning.
+
+With the post-unlock window widened, KASAN reports:
+
+  BUG: KASAN: slab-use-after-free in lowpan_nhc_do_uncompression+0x1f4/0x220
+  Read of size 8
+  lowpan_nhc_do_uncompression
+  lowpan_header_decompress
+
+Fix this by printing the warning before dropping lowpan_nhc_lock, so the
+descriptor name is read while unregister is still excluded.  The malformed
+packet is still rejected with -ENOTSUPP.
+
+Fixes: 92aa7c65d295 ("6lowpan: add generic nhc layer interface")
+Cc: stable@vger.kernel.org
+Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
+Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
+Reported-by: Ao Wang <wangao@seu.edu.cn>
+Reported-by: Xuewei Feng <fengxw06@126.com>
+Reported-by: Qi Li <qli01@tsinghua.edu.cn>
+Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
+Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://patch.msgid.link/20260609080054.4541-1-zhaoyz24@mails.tsinghua.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/6lowpan/nhc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/6lowpan/nhc.c
++++ b/net/6lowpan/nhc.c
+@@ -117,9 +117,9 @@ int lowpan_nhc_do_uncompression(struct s
+                               return ret;
+                       }
+               } else {
+-                      spin_unlock_bh(&lowpan_nhc_lock);
+                       netdev_warn(dev, "received nhc id for %s which is not implemented.\n",
+                                   nhc->name);
++                      spin_unlock_bh(&lowpan_nhc_lock);
+                       return -ENOTSUPP;
+               }
+       } else {
diff --git a/queue-6.1/audit-fix-data-races-of-skb_queue_len-readers-on-audit_queue.patch b/queue-6.1/audit-fix-data-races-of-skb_queue_len-readers-on-audit_queue.patch
new file mode 100644 (file)
index 0000000..8092875
--- /dev/null
@@ -0,0 +1,110 @@
+From c9a71daaecb2fb1d8c704545cc0b1c920b9bf5d7 Mon Sep 17 00:00:00 2001
+From: Chi Wang <wangchi@kylinos.cn>
+Date: Fri, 19 Jun 2026 15:42:44 +0800
+Subject: audit: Fix data races of skb_queue_len() readers on audit_queue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chi Wang <wangchi@kylinos.cn>
+
+commit c9a71daaecb2fb1d8c704545cc0b1c920b9bf5d7 upstream.
+
+Multiple readers access audit_queue.qlen via skb_queue_len() without
+holding the queue lock or using READ_ONCE(), while kauditd writes to
+this field via the skb_dequeue() → __skb_unlink() path with WRITE_ONCE()
+protected by a spinlock. This constitutes data races.
+
+All affected skb_queue_len(&audit_queue) call sites:
+  - kauditd_thread() wait_event_freezable() condition
+  - audit_receive_msg() AUDIT_GET handler (s.backlog assignment)
+  - audit_receive() backlog check
+  - audit_log_start() backlog check and pr_warn()
+
+KCSAN reports the following conflicting access pattern (one example):
+==================================================================
+BUG: KCSAN: data-race in audit_log_start / skb_dequeue
+
+write (marked) to 0xffffffff8512ee20 of 4 bytes by task 661 on cpu 57:
+ skb_dequeue+0x70/0xf0
+ kauditd_send_queue+0x71/0x220
+ kauditd_thread+0x1cb/0x430
+ kthread+0x1c2/0x210
+ ret_from_fork+0x162/0x1a0
+ ret_from_fork_asm+0x1a/0x30
+
+read to 0xffffffff8512ee20 of 4 bytes by task 36586 on cpu 1:
+ audit_log_start+0x2a0/0x6b0
+ audit_core_dumps+0x64/0xa0
+ do_coredump+0x14b/0x1260
+ get_signal+0xeb2/0xf70
+ arch_do_signal_or_restart+0x41/0x170
+ exit_to_user_mode_loop+0xa2/0x1c0
+ do_syscall_64+0x1a3/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x76/0xe0
+
+value changed: 0x00000001 -> 0x00000000
+==================================================================
+
+Resolve the race by switching to lockless helper skb_queue_len_lockless(),
+which internally uses READ_ONCE() and properly pairs with the WRITE_ONCE()
+write accesses already present on the writer side.
+
+Cc: stable@vger.kernel.org
+Fixes: 3197542482df ("audit: rework audit_log_start()")
+Signed-off-by: Chi Wang <wangchi@kylinos.cn>
+Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
+[PM: line length tweak]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/audit.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -910,7 +910,7 @@ main_queue:
+                *       do the multicast send and rotate records from the
+                *       main queue to the retry/hold queues */
+               wait_event_freezable(kauditd_wait,
+-                                   (skb_queue_len(&audit_queue) ? 1 : 0));
++                              (skb_queue_len_lockless(&audit_queue) ? 1 : 0));
+       }
+       return 0;
+@@ -1245,7 +1245,7 @@ static int audit_receive_msg(struct sk_b
+               s.rate_limit               = audit_rate_limit;
+               s.backlog_limit            = audit_backlog_limit;
+               s.lost                     = atomic_read(&audit_lost);
+-              s.backlog                  = skb_queue_len(&audit_queue);
++              s.backlog                  = skb_queue_len_lockless(&audit_queue);
+               s.feature_bitmap           = AUDIT_FEATURE_BITMAP_ALL;
+               s.backlog_wait_time        = audit_backlog_wait_time;
+               s.backlog_wait_time_actual = atomic_read(&audit_backlog_wait_time_actual);
+@@ -1586,7 +1586,7 @@ static void audit_receive(struct sk_buff
+       /* can't block with the ctrl lock, so penalize the sender now */
+       if (audit_backlog_limit &&
+-          (skb_queue_len(&audit_queue) > audit_backlog_limit)) {
++          (skb_queue_len_lockless(&audit_queue) > audit_backlog_limit)) {
+               DECLARE_WAITQUEUE(wait, current);
+               /* wake kauditd to try and flush the queue */
+@@ -1888,7 +1888,7 @@ struct audit_buffer *audit_log_start(str
+               long stime = audit_backlog_wait_time;
+               while (audit_backlog_limit &&
+-                     (skb_queue_len(&audit_queue) > audit_backlog_limit)) {
++                      (skb_queue_len_lockless(&audit_queue) > audit_backlog_limit)) {
+                       /* wake kauditd to try and flush the queue */
+                       wake_up_interruptible(&kauditd_wait);
+@@ -1908,7 +1908,7 @@ struct audit_buffer *audit_log_start(str
+                       } else {
+                               if (audit_rate_check() && printk_ratelimit())
+                                       pr_warn("audit_backlog=%d > audit_backlog_limit=%d\n",
+-                                              skb_queue_len(&audit_queue),
++                                              skb_queue_len_lockless(&audit_queue),
+                                               audit_backlog_limit);
+                               audit_log_lost("backlog limit exceeded");
+                               return NULL;
diff --git a/queue-6.1/crypto-amlogic-avoid-double-cleanup-in-meson_crypto_probe.patch b/queue-6.1/crypto-amlogic-avoid-double-cleanup-in-meson_crypto_probe.patch
new file mode 100644 (file)
index 0000000..54ec00e
--- /dev/null
@@ -0,0 +1,137 @@
+From 6d827ade51a24e18d81afb9f32756d339520a14c Mon Sep 17 00:00:00 2001
+From: Dawei Feng <dawei.feng@seu.edu.cn>
+Date: Fri, 8 May 2026 12:24:16 +0800
+Subject: crypto: amlogic - avoid double cleanup in meson_crypto_probe()
+
+From: Dawei Feng <dawei.feng@seu.edu.cn>
+
+commit 6d827ade51a24e18d81afb9f32756d339520a14c upstream.
+
+When meson_allocate_chanlist() fails after a partial allocation, it already
+unwinds the allocated chanlist state through its local error path.
+meson_crypto_probe() then jump to error_flow and calls
+meson_free_chanlist() again, causing the same per-flow resources to be torn
+down twice. In the reproduced failure path, the second teardown
+re-entered crypto_engine_exit() on an already destroyed worker and KASAN
+reported a slab-use-after-free in kthread_destroy_worker().
+
+Prevent double-free by handling partial allocation failures locally within
+meson_allocate_chanlist() and skipping the outer cleanup path.
+
+The bug was first flagged by an experimental analysis tool we are
+developing for kernel memory-management bugs while analyzing
+v6.13-rc1. The tool is still under development and is not yet publicly
+available.
+
+The bug was reproduced in a QEMU x86_64 guest booted with KASAN on v7.1,
+using the reproducer under tools/testing/meson_crypto_probe. The reproducer
+forces the second dma_alloc_attrs() call in the gxl-crypto probe path to
+return NULL, making meson_allocate_chanlist() fail after partial
+initialization. On the unpatched kernel this reliably triggered a
+slab-use-after-free. With this fix applied, the same reproducer no longer
+emits any KASAN report and the probe fails cleanly with -ENOMEM.
+
+    ==================================================================
+    BUG: KASAN: slab-use-after-free in kthread_destroy_worker+0xb2/0xd0
+    Read of size 8 at addr ff1100010c057a68 by task insmod/265
+
+    CPU: 1 UID: 0 PID: 265 Comm: insmod Tainted: G           O        7.1.0-rc2-00376-g810af9adc907-dirty #10 PREEMPT(lazy)
+    Tainted: [O]=OOT_MODULE
+    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+    Call Trace:
+     <TASK>
+     dump_stack_lvl+0x68/0xa0
+     print_report+0xcb/0x5e0
+     ? __virt_addr_valid+0x21d/0x3f0
+     ? kthread_destroy_worker+0xb2/0xd0
+     ? kthread_destroy_worker+0xb2/0xd0
+     kasan_report+0xca/0x100
+     ? kthread_destroy_worker+0xb2/0xd0
+     kthread_destroy_worker+0xb2/0xd0
+     meson_crypto_probe+0x4d0/0xc10 [amlogic_gxl_crypto]
+     platform_probe+0x99/0x140
+     really_probe+0x1c6/0x6a0
+     ? __pfx___device_attach_driver+0x10/0x10
+     __driver_probe_device+0x248/0x310
+     ? acpi_driver_match_device+0xb0/0x100
+     driver_probe_device+0x48/0x210
+     ? __pfx___device_attach_driver+0x10/0x10
+     __device_attach_driver+0x160/0x320
+     bus_for_each_drv+0x104/0x190
+     ? __pfx_bus_for_each_drv+0x10/0x10
+     ? _raw_spin_unlock_irqrestore+0x2c/0x50
+     __device_attach+0x19d/0x3b0
+     ? __pfx___device_attach+0x10/0x10
+     ? do_raw_spin_unlock+0x53/0x220
+     device_initial_probe+0x78/0xa0
+     bus_probe_device+0x5b/0x130
+     device_add+0xcfd/0x1430
+     ? __pfx_device_add+0x10/0x10
+     ? insert_resource+0x34/0x50
+     ? lock_release+0xc9/0x290
+     platform_device_add+0x24e/0x590
+     ? __pfx_meson_crypto_probe_repro_init+0x10/0x10 [meson_crypto_probe_repro]
+     meson_crypto_probe_repro_init+0x330/0xff0 [meson_crypto_probe_repro]
+     do_one_initcall+0xc0/0x450
+     ? __pfx_do_one_initcall+0x10/0x10
+     ? _raw_spin_unlock_irqrestore+0x2c/0x50
+     ? __create_object+0x59/0x80
+     ? kasan_unpoison+0x27/0x60
+     do_init_module+0x27b/0x7d0
+     ? __pfx_do_init_module+0x10/0x10
+     ? kasan_quarantine_put+0x84/0x1d0
+     ? kfree+0x32c/0x510
+     ? load_module+0x561e/0x5ff0
+     load_module+0x54fe/0x5ff0
+     ? __pfx_load_module+0x10/0x10
+     ? security_file_permission+0x20/0x40
+     ? kernel_read_file+0x23d/0x6e0
+     ? mmap_region+0x235/0x4a0
+     ? __pfx_kernel_read_file+0x10/0x10
+     ? __file_has_perm+0x2c0/0x3e0
+     init_module_from_file+0x158/0x180
+     ? __pfx_init_module_from_file+0x10/0x10
+     ? __lock_acquire+0x45a/0x1ba0
+     ? idempotent_init_module+0x315/0x610
+     ? lock_release+0xc9/0x290
+     ? lockdep_init_map_type+0x4b/0x220
+     ? do_raw_spin_unlock+0x53/0x220
+     idempotent_init_module+0x330/0x610
+     ? __pfx_idempotent_init_module+0x10/0x10
+     ? __pfx_cred_has_capability.isra.0+0x10/0x10
+     ? ksys_mmap_pgoff+0x385/0x520
+     __x64_sys_finit_module+0xbe/0x120
+     do_syscall_64+0x115/0x690
+     entry_SYSCALL_64_after_hwframe+0x77/0x7f
+    RIP: 0033:0x7f7d6d31690d
+    Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f3 b4 0f 00 f7 d8 >
+    RSP: 002b:00007fffc027ac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+    RAX: ffffffffffffffda RBX: 000055f7b81967c0 RCX: 00007f7d6d31690d
+    RDX: 0000000000000000 RSI: 000055f79a0d6cd2 RDI: 0000000000000003
+    RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+    R10: 0000000000000003 R11: 0000000000000246 R12: 000055f79a0d6cd2
+    R13: 000055f7b8196790 R14: 000055f79a0d5888 R15: 000055f7b81968e0
+     </TASK>
+
+Fixes: 48fe583fe541 ("crypto: amlogic - Add crypto accelerator for amlogic GXL")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/amlogic/amlogic-gxl-core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/amlogic/amlogic-gxl-core.c
++++ b/drivers/crypto/amlogic/amlogic-gxl-core.c
+@@ -272,8 +272,8 @@ static int meson_crypto_probe(struct pla
+       return 0;
+ error_alg:
+       meson_unregister_algs(mc);
+-error_flow:
+       meson_free_chanlist(mc, MAXFLOW - 1);
++error_flow:
+       clk_disable_unprepare(mc->busclk);
+       return err;
+ }
diff --git a/queue-6.1/debugobjects-plug-race-against-a-concurrent-oom-disable.patch b/queue-6.1/debugobjects-plug-race-against-a-concurrent-oom-disable.patch
new file mode 100644 (file)
index 0000000..957fc95
--- /dev/null
@@ -0,0 +1,111 @@
+From b81dde13cc163450dcb402dcc915ef13ba241e01 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@kernel.org>
+Date: Sun, 21 Jun 2026 16:47:44 +0200
+Subject: debugobjects: Plug race against a concurrent OOM disable
+
+From: Thomas Gleixner <tglx@kernel.org>
+
+commit b81dde13cc163450dcb402dcc915ef13ba241e01 upstream.
+
+syzbot reported a puzzling splat:
+
+   WARNING: kernel/time/hrtimer.c:443 at stub_timer+0xa/0x20
+
+stub_timer() is installed as timer callback function in
+hrtimer_fixup_assert_init(), which is invoked when
+debug_object_assert_init() can't find a shadow object. In that case debug
+objects emits a warning about it before invoking the fixup.
+
+Though the provided console log lacks this warning and instead has the
+following a few seconds before the splat:
+
+     ODEBUG: Out of memory. ODEBUG disabled
+
+So the object was looked up in debug_object_assert_init() and the lookup
+failed due a concurrent out of memory situation which disabled debug
+objects and freed the shadow objects:
+
+debug_object_assert_init()
+        if (!debug_objects_enabled)
+               return;                         obj = alloc();
+                                               if (!obj) {
+                                                       // Out of memory
+                                                       debug_objects_enabled = false;
+                                                        free_objects();
+        obj = lookup_or_alloc();
+
+        // The lookup failed because the other side
+        // removed the objects, so this returns
+        // an error code as the object in question
+        // is not statically initialized
+
+       if (!IS_ERR_OR_NULL(obj))
+               return;
+        if (!obj) {
+               debug_oom();
+                return;
+        }
+
+        print(...)
+           if (!debug_objects_enabled)
+                return;
+
+        fixup(...)
+
+The debug object splat is skipped because debug_objects_enabled is false,
+but the fixup callback is invoked unconditionally, which makes the timer
+disfunctional.
+
+This is only a problem in debug_object_assert_init() and
+debug_object_activate() as both have to handle statically initialized
+objects and therefore must handle the error pointer return case
+gracefully. All other places only handle the found/not found case and the
+NULL pointer return is a signal for OOM. Otherwise they get a valid shadow
+object.
+
+Plug the hole by checking whether debug objects are still enabled before
+invoking the print and fixup function in those two places.
+
+Fixes: b84d435cc228 ("debugobjects: Extend to assert that an object is initialized")
+Reported-by: syzbot+5e8dda76ca21dae314b6@syzkaller.appspotmail.com
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/874iiwlzlb.ffs@fw13
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/debugobjects.c |   17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/lib/debugobjects.c
++++ b/lib/debugobjects.c
+@@ -768,6 +768,14 @@ int debug_object_activate(void *addr, co
+       }
+       raw_spin_unlock_irqrestore(&db->lock, flags);
++
++      /*
++       * lookup_object_or_alloc() might have raced with a concurrent
++       * allocation failure which disabled debug objects.
++       */
++      if (!debug_objects_enabled)
++              return 0;
++
+       debug_print_object(&o, "activate");
+       switch (o.state) {
+@@ -945,6 +953,15 @@ void debug_object_assert_init(void *addr
+               return;
+       }
++      /*
++       * lookup_object_or_alloc() might have raced with a concurrent
++       * allocation failure which disabled debug objects. Don't run the fixup
++       * as it might turn a valid object useless. See for example
++       * hrtimer_fixup_assert_init().
++       */
++      if (!debug_objects_enabled)
++              return;
++
+       /* Object is neither tracked nor static. It's not initialized. */
+       debug_print_object(&o, "assert_init");
+       debug_object_fixup(descr->fixup_assert_init, addr, ODEBUG_STATE_NOTAVAILABLE);
diff --git a/queue-6.1/fs-ntfs3-validate-dirty-page-table-capacity-in-log_replay-copy_lcns.patch b/queue-6.1/fs-ntfs3-validate-dirty-page-table-capacity-in-log_replay-copy_lcns.patch
new file mode 100644 (file)
index 0000000..44332a4
--- /dev/null
@@ -0,0 +1,78 @@
+From 57382ec6ac63b63dce2789e835fded28b698ae79 Mon Sep 17 00:00:00 2001
+From: Yunpeng Tian <shionthanatos@gmail.com>
+Date: Mon, 4 May 2026 07:19:43 -0700
+Subject: fs/ntfs3: validate Dirty Page Table capacity in log_replay copy_lcns
+
+From: Yunpeng Tian <shionthanatos@gmail.com>
+
+commit 57382ec6ac63b63dce2789e835fded28b698ae79 upstream.
+
+In the analysis pass of $LogFile journal replay, log_replay() copies
+LCNs from each action log record into an existing Dirty Page Table
+(DPT) entry without bounding the destination index. A crafted NTFS
+image with DPT entry lcns_follow=1 and an action log record with
+lcns_follow=2 produces a kernel slab out-of-bounds write at mount
+time:
+
+  BUG: KASAN: slab-out-of-bounds in log_replay+0x654c/0xdb60
+  Write of size 8 at addr ffff8880095e1040 by task mount
+
+Two attacker-controlled fields can drive j+i past the allocated
+page_lcns[] array:
+
+  1. dp->lcns_follow (capacity) can be smaller than lrh->lcns_follow.
+  2. lrh->target_vcn may be smaller than dp->vcn, making the u64
+     subtraction wrap to a huge size_t.
+
+Validate target VCN delta and per-record LCN count against the
+DPT entry capacity, bail via the existing out: cleanup label with
+-EINVAL.
+
+This mirrors the bounds-check pattern added in commit b2bc7c44ed17
+("fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot")
+and commit 0ca0485e4b2e ("fs/ntfs3: validate rec->used in
+journal-replay file record check").
+
+Fixes: b46acd6a6a62 ("fs/ntfs3: Add NTFS journal")
+Reported-by: Yunpeng Tian <shionthanatos@gmail.com>
+Reported-by: Mingda Zhang <npczmd@qq.com>
+Reported-by: Gongming Wang <gmwgg05@gmail.com>
+Reported-by: Peiyuan Xu <paulbucket12@gmail.com>
+Reported-by: Qinrun Dai <jupmouse@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Yunpeng Tian <shionthanatos@gmail.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ntfs3/fslog.c |   20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+--- a/fs/ntfs3/fslog.c
++++ b/fs/ntfs3/fslog.c
+@@ -4546,11 +4546,21 @@ copy_lcns:
+                * whole routine a loop, case Lcns do not fit below.
+                */
+               t16 = le16_to_cpu(lrh->lcns_follow);
+-              for (i = 0; i < t16; i++) {
+-                      size_t j = (size_t)(le64_to_cpu(lrh->target_vcn) -
+-                                          le64_to_cpu(dp->vcn));
+-                      dp->page_lcns[j + i] = lrh->page_lcns[i];
+-              }
++                t32 = le32_to_cpu(dp->lcns_follow);
++                if (le64_to_cpu(lrh->target_vcn) < le64_to_cpu(dp->vcn)) {
++                        err = -EINVAL;
++                        goto out;
++                }
++
++                for (i = 0; i < t16; i++) {
++                        size_t j = (size_t)(le64_to_cpu(lrh->target_vcn) -
++                                            le64_to_cpu(dp->vcn));
++                        if (j >= t32 || i >= t32 - j) {
++                                err = -EINVAL;
++                                goto out;
++                        }
++                        dp->page_lcns[j + i] = lrh->page_lcns[i];
++                }
+               goto next_log_record_analyze;
diff --git a/queue-6.1/gpio-eic-sprd-use-raw_spinlock_t-in-the-irq-startup-path.patch b/queue-6.1/gpio-eic-sprd-use-raw_spinlock_t-in-the-irq-startup-path.patch
new file mode 100644 (file)
index 0000000..3690ba0
--- /dev/null
@@ -0,0 +1,84 @@
+From 90f0109019e6817eb40a486671b7722d1544ae29 Mon Sep 17 00:00:00 2001
+From: Runyu Xiao <runyu.xiao@seu.edu.cn>
+Date: Wed, 17 Jun 2026 23:40:35 +0800
+Subject: gpio: eic-sprd: use raw_spinlock_t in the irq startup path
+
+From: Runyu Xiao <runyu.xiao@seu.edu.cn>
+
+commit 90f0109019e6817eb40a486671b7722d1544ae29 upstream.
+
+sprd_eic_irq_unmask() enables the GPIO IRQ and then updates controller
+state through sprd_eic_update(), which takes sprd_eic->lock with
+spin_lock_irqsave().  The callback can be reached from irq_startup()
+while setting up a requested IRQ.  That path is not sleepable, but on
+PREEMPT_RT a regular spinlock_t becomes a sleeping lock.
+
+This issue was found by our static analysis tool and then manually
+reviewed against the current tree.
+
+The grounded PoC kept the request_threaded_irq() -> __setup_irq() ->
+irq_startup() -> sprd_eic_irq_unmask() -> sprd_eic_update() carrier and
+used the original spin_lock_irqsave(&sprd_eic->lock) edge.  Lockdep
+reported:
+
+  BUG: sleeping function called from invalid context
+  hardirqs last disabled at ... __setup_irq.constprop.0 ... [vuln_msv]
+  sprd_rt_spin_lock_irqsave+0x1c/0x30 [vuln_msv]
+  sprd_eic_update.constprop.0+0x48/0x90 [vuln_msv]
+  sprd_eic_irq_unmask.constprop.0+0x35/0x50 [vuln_msv]
+  __setup_irq.constprop.0+0xd/0x30 [vuln_msv]
+
+Convert the Spreadtrum EIC controller lock to raw_spinlock_t.  The
+locked section only serializes MMIO register updates and does not contain
+sleepable operations, so keeping it non-sleeping is appropriate for the
+irqchip callbacks.
+
+Fixes: 25518e024e3a ("gpio: Add Spreadtrum EIC driver support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Link: https://patch.msgid.link/20260617154035.1199948-3-runyu.xiao@seu.edu.cn
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-eic-sprd.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpio/gpio-eic-sprd.c
++++ b/drivers/gpio/gpio-eic-sprd.c
+@@ -94,7 +94,7 @@ struct sprd_eic {
+       struct irq_chip intc;
+       void __iomem *base[SPRD_EIC_MAX_BANK];
+       enum sprd_eic_type type;
+-      spinlock_t lock;
++      raw_spinlock_t lock;
+       int irq;
+ };
+@@ -146,7 +146,7 @@ static void sprd_eic_update(struct gpio_
+       unsigned long flags;
+       u32 tmp;
+-      spin_lock_irqsave(&sprd_eic->lock, flags);
++      raw_spin_lock_irqsave(&sprd_eic->lock, flags);
+       tmp = readl_relaxed(base + reg);
+       if (val)
+@@ -155,7 +155,7 @@ static void sprd_eic_update(struct gpio_
+               tmp &= ~BIT(SPRD_EIC_BIT(offset));
+       writel_relaxed(tmp, base + reg);
+-      spin_unlock_irqrestore(&sprd_eic->lock, flags);
++      raw_spin_unlock_irqrestore(&sprd_eic->lock, flags);
+ }
+ static int sprd_eic_read(struct gpio_chip *chip, unsigned int offset, u16 reg)
+@@ -606,7 +606,7 @@ static int sprd_eic_probe(struct platfor
+       if (!sprd_eic)
+               return -ENOMEM;
+-      spin_lock_init(&sprd_eic->lock);
++      raw_spin_lock_init(&sprd_eic->lock);
+       sprd_eic->type = pdata->type;
+       sprd_eic->irq = platform_get_irq(pdev, 0);
diff --git a/queue-6.1/hwrng-virtio-clamp-device-reported-used.len-at-copy_data.patch b/queue-6.1/hwrng-virtio-clamp-device-reported-used.len-at-copy_data.patch
new file mode 100644 (file)
index 0000000..f347fc5
--- /dev/null
@@ -0,0 +1,120 @@
+From e3046eeada299f917a8ad883af4434bfb86556b1 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Sun, 31 May 2026 10:22:51 -0400
+Subject: hwrng: virtio: clamp device-reported used.len at copy_data()
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit e3046eeada299f917a8ad883af4434bfb86556b1 upstream.
+
+random_recv_done() stores the device-reported used.len directly into
+vi->data_avail.  copy_data() then indexes vi->data[] using
+vi->data_idx (advanced by previous copy_data() calls) and issues a
+memcpy() without re-validating either value against the posted
+buffer size sizeof(vi->data) (SMP_CACHE_BYTES bytes, typically 32
+or 64).
+
+A malicious or buggy virtio-rng backend can set used.len beyond
+sizeof(vi->data), steering the memcpy() past the end of the inline
+array into adjacent kmalloc-1k slab bytes.  hwrng_fillfn() mixes
+those bytes into the guest RNG, and guest root can also observe
+them directly via /dev/hwrng.
+
+Concrete impact is inside the guest:
+
+ - Memory-safety / hardening: any virtio-rng backend that
+   over-reports used.len causes the driver to read past vi->data
+   into unrelated slab contents.  hwrng_fillfn() is a kernel thread
+   that runs as soon as the device is probed; no guest userspace
+   interaction is required to first-trigger the OOB.
+
+ - Cross-boundary leak (confidential-compute threat model): a
+   malicious hypervisor cooperating with a malicious or compromised
+   guest root userspace can use /dev/hwrng as a leak channel for
+   guest-kernel heap data.  The host sets a large used.len, guest
+   root reads /dev/hwrng, and the returned bytes contain guest
+   kernel slab contents that were adjacent to vi->data.  In
+   practice, confidential-compute guests (SEV-SNP, TDX) usually
+   disable virtio-rng entirely, so this path is narrow, but the
+   fix is still worth carrying because the underlying
+   memory-safety bug contaminates the guest RNG on any host.
+
+KASAN confirms the OOB on a 7.1-rc4 guest whose virtio-rng backend
+has been patched to report used.len = 0x10000:
+
+  BUG: KASAN: slab-out-of-bounds in virtio_read+0x394/0x5d0
+  Read of size 64 at addr ffff88800ae0ba20 by task hwrng/52
+  Call Trace:
+   __asan_memcpy+0x23/0x60
+   virtio_read+0x394/0x5d0
+   hwrng_fillfn+0xb2/0x470
+   kthread+0x2cc/0x3a0
+  Allocated by task 1:
+   probe_common+0xa5/0x660
+   virtio_dev_probe+0x549/0xbc0
+  The buggy address belongs to the object at ffff88800ae0b800
+   which belongs to the cache kmalloc-1k of size 1024
+  The buggy address is located 0 bytes to the right of
+   allocated 544-byte region [ffff88800ae0b800, ffff88800ae0ba20)
+
+Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
+overflow in USB transport layer"), which hardened
+usb9pfs_rx_complete() against unchecked device-reported length in
+the USB 9p transport.
+
+With the clamp at point of use and array_index_nospec() in place,
+the same harness boots cleanly: copy_data() returns zero for the
+bogus report, the device-supplied bytes after data_idx are
+discarded, and the driver issues a fresh request.
+
+Fixes: f7f510ec1957 ("virtio: An entropy device, as suggested by hpa.")
+Cc: stable@vger.kernel.org
+Suggested-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Assisted-by: Claude:claude-opus-4-8
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Message-ID: <20260531142251.2792061-1-michael.bommarito@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/hw_random/virtio-rng.c |   23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/hw_random/virtio-rng.c
++++ b/drivers/char/hw_random/virtio-rng.c
+@@ -7,6 +7,7 @@
+ #include <asm/barrier.h>
+ #include <linux/err.h>
+ #include <linux/hw_random.h>
++#include <linux/nospec.h>
+ #include <linux/scatterlist.h>
+ #include <linux/spinlock.h>
+ #include <linux/virtio.h>
+@@ -66,8 +67,26 @@ static void request_entropy(struct virtr
+ static unsigned int copy_data(struct virtrng_info *vi, void *buf,
+                             unsigned int size)
+ {
+-      size = min_t(unsigned int, size, vi->data_avail);
+-      memcpy(buf, vi->data + vi->data_idx, size);
++      unsigned int idx, avail;
++
++      /*
++       * vi->data_avail was set from the device-reported used.len and
++       * vi->data_idx was advanced by previous copy_data() calls.  A
++       * malicious or buggy virtio-rng backend can drive either past
++       * sizeof(vi->data).  Clamp at point of use and harden the index
++       * with array_index_nospec() so the memcpy() below cannot be
++       * steered into adjacent slab memory, including under
++       * speculation.
++       */
++      avail = min_t(unsigned int, vi->data_avail, sizeof(vi->data));
++      if (vi->data_idx >= avail) {
++              vi->data_avail = 0;
++              request_entropy(vi);
++              return 0;
++      }
++      size = min_t(unsigned int, size, avail - vi->data_idx);
++      idx = array_index_nospec(vi->data_idx, sizeof(vi->data));
++      memcpy(buf, vi->data + idx, size);
+       vi->data_idx += size;
+       vi->data_avail -= size;
+       if (vi->data_avail == 0)
diff --git a/queue-6.1/io_uring-io-wq-re-check-io_wq_bit_exit-for-each-linked-work-item.patch b/queue-6.1/io_uring-io-wq-re-check-io_wq_bit_exit-for-each-linked-work-item.patch
new file mode 100644 (file)
index 0000000..8c5f328
--- /dev/null
@@ -0,0 +1,54 @@
+From 29bef9934b2521f787bb15dd1985d4c0d12ae02a Mon Sep 17 00:00:00 2001
+From: Runyu Xiao <runyu.xiao@seu.edu.cn>
+Date: Thu, 28 May 2026 01:22:03 +0800
+Subject: io_uring/io-wq: re-check IO_WQ_BIT_EXIT for each linked work item
+
+From: Runyu Xiao <runyu.xiao@seu.edu.cn>
+
+commit 29bef9934b2521f787bb15dd1985d4c0d12ae02a upstream.
+
+commit 10dc95939817 ("io_uring/io-wq: check IO_WQ_BIT_EXIT inside work
+run loop") fixed the obvious case where io_worker_handle_work() took one
+exit-bit snapshot before draining pending work, but the fix stops one
+level too early.
+
+io_worker_handle_work() now re-checks IO_WQ_BIT_EXIT in its outer work
+run loop, yet it still snapshots that bit once before processing a whole
+dependent linked-work chain. If io_wq_exit_start() sets IO_WQ_BIT_EXIT
+after the first linked item has started, the remaining linked items can
+still reuse stale do_kill = false, skip IO_WQ_WORK_CANCEL, and continue
+running after exit has begun.
+
+Move the check further inside, so it covers linked items too. Note: this
+is a syzbot special as it loves setting up tons of slow linked work on
+weird devices like msr that take forever to read, and immediately close
+the ring. Exit then takes a long time.
+
+Fixes: 10dc95939817 ("io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop")
+Cc: stable@vger.kernel.org
+Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
+Link: https://patch.msgid.link/20260527172203.2043962-1-runyu.xiao@seu.edu.cn
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io-wq.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/io_uring/io-wq.c
++++ b/io_uring/io-wq.c
+@@ -556,7 +556,6 @@ static void io_worker_handle_work(struct
+       struct io_wq *wq = wqe->wq;
+       do {
+-              bool do_kill = test_bit(IO_WQ_BIT_EXIT, &wq->state);
+               struct io_wq_work *work;
+               /*
+@@ -590,6 +589,7 @@ static void io_worker_handle_work(struct
+               /* handle a whole dependent link */
+               do {
++                      bool do_kill = test_bit(IO_WQ_BIT_EXIT, &wq->state);
+                       struct io_wq_work *next_hashed, *linked;
+                       unsigned int hash = io_get_work_hash(work);
diff --git a/queue-6.1/ipv4-igmp-remove-multicast-group-from-hash-table-on-device-destruction.patch b/queue-6.1/ipv4-igmp-remove-multicast-group-from-hash-table-on-device-destruction.patch
new file mode 100644 (file)
index 0000000..0dfc303
--- /dev/null
@@ -0,0 +1,84 @@
+From 7993211bde166471dffac074dc965489f86531f8 Mon Sep 17 00:00:00 2001
+From: Yuyang Huang <yuyanghuang@google.com>
+Date: Thu, 2 Jul 2026 08:50:14 +0900
+Subject: ipv4: igmp: remove multicast group from hash table on device destruction
+
+From: Yuyang Huang <yuyanghuang@google.com>
+
+commit 7993211bde166471dffac074dc965489f86531f8 upstream.
+
+When a device is destroyed under RTNL, ip_mc_destroy_dev() iterates through
+the multicast list and calls ip_ma_put() on each membership, scheduling
+them for RCU reclamation. However, they are not unlinked from the device's
+multicast hash table (mc_hash).
+
+Since the device remains published in dev->ip_ptr until after
+ip_mc_destroy_dev() completes, concurrent RCU readers traversing mc_hash
+can still locate and access the multicast group after its refcount is
+decremented. If the RCU callback runs and frees the group while a reader is
+accessing it, a use-after-free occurs.
+
+Fix this by unlinking the multicast group from mc_hash using
+ip_mc_hash_remove() before scheduling it for reclamation.
+
+BUG: KASAN: slab-use-after-free in ip_check_mc_rcu+0x149/0x3f0
+Read of size 4 at addr ffff888009bf1408 by task mausezahn/2276
+
+Call Trace:
+ <IRQ>
+ dump_stack_lvl+0x67/0x90
+ print_report+0x175/0x7c0
+ kasan_report+0x147/0x180
+ ip_check_mc_rcu+0x149/0x3f0
+ udp_v4_early_demux+0x36d/0x12d0
+ ip_rcv_finish_core+0xb8b/0x1390
+ ip_rcv_finish+0x54/0x120
+ NF_HOOK+0x213/0x2b0
+ __netif_receive_skb+0x126/0x340
+ process_backlog+0x4f2/0xf00
+ __napi_poll+0x92/0x2c0
+ net_rx_action+0x583/0xc60
+ handle_softirqs+0x236/0x7f0
+ do_softirq+0x57/0x80
+ </IRQ>
+
+Allocated by task 2239:
+ kasan_save_track+0x3e/0x80
+ __kasan_kmalloc+0x72/0x90
+ ____ip_mc_inc_group+0x31a/0xa40
+ __ip_mc_join_group+0x334/0x3f0
+ do_ip_setsockopt+0x16fa/0x2010
+ ip_setsockopt+0x3f/0x90
+ do_sock_setsockopt+0x1ad/0x300
+
+Freed by task 0:
+ kasan_save_track+0x3e/0x80
+ kasan_save_free_info+0x40/0x50
+ __kasan_slab_free+0x3a/0x60
+ __rcu_free_sheaf_prepare+0xd4/0x220
+ rcu_free_sheaf+0x36/0x190
+ rcu_core+0x8d9/0x12f0
+ handle_softirqs+0x236/0x7f0
+
+Fixes: e9897071350b ("igmp: hash a hash table to speedup ip_check_mc_rcu()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yuyang Huang <yuyanghuang@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20260701235014.73505-1-yuyanghuang@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/igmp.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -1816,6 +1816,7 @@ void ip_mc_destroy_dev(struct in_device
+ #endif
+       while ((i = rtnl_dereference(in_dev->mc_list)) != NULL) {
++              ip_mc_hash_remove(in_dev, i);
+               in_dev->mc_list = i->next_rcu;
+               in_dev->mc_count--;
+               ip_mc_clear_src(i);
diff --git a/queue-6.1/ksmbd-fix-use-after-free-of-a-deferred-file_lock-on-smb2_close-then-smb2_cancel.patch b/queue-6.1/ksmbd-fix-use-after-free-of-a-deferred-file_lock-on-smb2_close-then-smb2_cancel.patch
new file mode 100644 (file)
index 0000000..d474bee
--- /dev/null
@@ -0,0 +1,83 @@
+From 10f293a07f9e10e988b0ae44e2e99c631f5a68e0 Mon Sep 17 00:00:00 2001
+From: Gil Portnoy <dddhkts1@gmail.com>
+Date: Wed, 10 Jun 2026 19:53:14 +0900
+Subject: ksmbd: fix use-after-free of a deferred file_lock on SMB2_CLOSE then SMB2_CANCEL
+
+From: Gil Portnoy <dddhkts1@gmail.com>
+
+commit 10f293a07f9e10e988b0ae44e2e99c631f5a68e0 upstream.
+
+Commit f580d27e8928 ("ksmbd: fix use-after-free of a deferred file_lock on
+double SMB2_CANCEL") made smb2_cancel() skip a work whose state is
+KSMBD_WORK_CANCELLED, so its cancel_fn cannot be fired a second time. But
+KSMBD_WORK has three states (ACTIVE, CANCELLED, CLOSED), and the same
+freeing producer path is reached for CLOSED too:
+
+  SMB2_CLOSE on the locking handle -> set_close_state_blocked_works() sets
+  the deferred work's state to KSMBD_WORK_CLOSED and wakes the smb2_lock()
+  worker. The worker takes the non-ACTIVE early-exit, locks_free_lock()s
+  the file_lock and, because the state is not KSMBD_WORK_CANCELLED, takes
+  the STATUS_RANGE_NOT_LOCKED branch with "goto out2" -- which, like the
+  cancelled branch, skips release_async_work(). The work stays on
+  conn->async_requests with a live cancel_fn = smb2_remove_blocked_lock
+  pointing at the freed file_lock.
+
+A subsequent SMB2_CANCEL for the same AsyncId then passes the
+KSMBD_WORK_CANCELLED-only guard (its state is KSMBD_WORK_CLOSED), so
+smb2_cancel() fires cancel_fn again over the freed file_lock -- the same
+use-after-free fixed, via SMB2_CLOSE instead of a first SMB2_CANCEL:
+
+  BUG: KASAN: slab-use-after-free in __locks_delete_block
+    __locks_delete_block
+    locks_delete_block
+    ksmbd_vfs_posix_lock_unblock
+    smb2_remove_blocked_lock
+    smb2_cancel                 <- 2nd SMB2_CANCEL fires cancel_fn
+    handle_ksmbd_work
+  Allocated by ...: locks_alloc_lock <- smb2_lock
+  Freed by ...:     locks_free_lock  <- smb2_lock (non-ACTIVE early-exit)
+  ... cache file_lock_cache of size 192
+
+Reproduced on mainline 7.1-rc7 (which already contains f580d27e8928) with
+KASAN by an authenticated SMB client; the double-SMB2_CANCEL control is
+silent on that kernel, so the splat is attributable to the CLOSE trigger.
+
+Only an ACTIVE deferred work may have its cancel_fn fired: both terminal
+states (CANCELLED and CLOSED) reach the smb2_lock() early-exit that frees
+the file_lock and skips release_async_work(). Guard on KSMBD_WORK_ACTIVE
+so any non-active work is skipped.
+
+Fixes: f580d27e8928 ("ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c |   14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -6816,14 +6816,14 @@ int smb2_cancel(struct ksmbd_work *work)
+                               continue;
+                       /*
+-                       * A cancelled deferred byte-range lock frees its
+-                       * file_lock and takes the smb2_lock() early-exit that
+-                       * skips release_async_work(), so the work stays on
+-                       * conn->async_requests with a live cancel_fn pointing
+-                       * at the freed file_lock.  Re-firing it on a second
+-                       * SMB2_CANCEL is a use-after-free.
++                       * Only an ACTIVE deferred work may have its cancel_fn
++                       * fired.  A CANCELLED or CLOSED work already took the
++                       * smb2_lock() non-ACTIVE early-exit that frees the
++                       * file_lock and skips release_async_work(), so it is
++                       * still on conn->async_requests with a live cancel_fn
++                       * pointing at the freed file_lock.
+                        */
+-                      if (iter->state == KSMBD_WORK_CANCELLED)
++                      if (iter->state != KSMBD_WORK_ACTIVE)
+                               break;
+                       ksmbd_debug(SMB,
diff --git a/queue-6.1/media-staging-ipu3-imgu-add-range-check-for-imgu_css_cfg_acc_stripe.patch b/queue-6.1/media-staging-ipu3-imgu-add-range-check-for-imgu_css_cfg_acc_stripe.patch
new file mode 100644 (file)
index 0000000..e60abe1
--- /dev/null
@@ -0,0 +1,48 @@
+From c32fe4c4918c9aa49f61359e3b42619c4d8686de Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Thu, 7 May 2026 20:58:10 +0000
+Subject: media: staging: ipu3-imgu: Add range check for imgu_css_cfg_acc_stripe
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit c32fe4c4918c9aa49f61359e3b42619c4d8686de upstream.
+
+If the driver's stripe information is invalid it can result in an integer
+underflow. Add a range check to avoid this kind of error.
+
+This patch fixes the following smatch error:
+drivers/staging/media/ipu3/ipu3-css-params.c:1792 imgu_css_cfg_acc_stripe() warn: 'acc->stripe.bds_out_stripes[0]->width - 2 * f' 4294967168 can't fit into 65535 'acc->stripe.bds_out_stripes[1]->offset'
+
+Cc: stable@vger.kernel.org
+Fixes: e11110a5b744 ("media: staging/intel-ipu3: css: Compute and program ccs")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/ipu3/ipu3-css-params.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/media/ipu3/ipu3-css-params.c
++++ b/drivers/staging/media/ipu3/ipu3-css-params.c
+@@ -1770,6 +1770,8 @@ static int imgu_css_cfg_acc_stripe(struc
+               acc->stripe.bds_out_stripes[0].width =
+                       ALIGN(css_pipe->rect[IPU3_CSS_RECT_BDS].width, f);
+       } else {
++              u32 offset;
++
+               /* Image processing is divided into two stripes */
+               acc->stripe.bds_out_stripes[0].width =
+                       acc->stripe.bds_out_stripes[1].width =
+@@ -1788,8 +1790,10 @@ static int imgu_css_cfg_acc_stripe(struc
+                       acc->stripe.bds_out_stripes[1].width += f;
+               }
+               /* Overlap between stripes is IPU3_UAPI_ISP_VEC_ELEMS * 4 */
+-              acc->stripe.bds_out_stripes[1].offset =
+-                      acc->stripe.bds_out_stripes[0].width - 2 * f;
++              offset = acc->stripe.bds_out_stripes[0].width - 2 * f;
++              if (offset > 65535)
++                      return -EINVAL;
++              acc->stripe.bds_out_stripes[1].offset = offset;
+       }
+       acc->stripe.effective_stripes[0].height =
diff --git a/queue-6.1/mfd-cros_ec-delay-dev_set_drvdata-until-probe-success.patch b/queue-6.1/mfd-cros_ec-delay-dev_set_drvdata-until-probe-success.patch
new file mode 100644 (file)
index 0000000..3241f88
--- /dev/null
@@ -0,0 +1,70 @@
+From 8b2c1d41bc36c100b38ce5ee6def246c527eaf8a Mon Sep 17 00:00:00 2001
+From: Andrei Kuchynski <akuchynski@chromium.org>
+Date: Mon, 27 Apr 2026 13:17:21 +0000
+Subject: mfd: cros_ec: Delay dev_set_drvdata() until probe success
+
+From: Andrei Kuchynski <akuchynski@chromium.org>
+
+commit 8b2c1d41bc36c100b38ce5ee6def246c527eaf8a upstream.
+
+If ec_device_probe() fails, cros_ec_class_release releases memory for the
+cros_ec_dev structure. However, because the drvdata was already set,
+sub-drivers like cros_ec_typec can still retrieve the stale pointer via the
+platform device. This leads to a use-after-free when cros_ec_typec attempts
+to access &typec->ec->ec->dev on a device that has already been released.
+Move dev_set_drvdata() to ensure that the pointer is only made available
+once all initialization steps have succeeded.
+
+ sysfs: cannot create duplicate filename '/class/chromeos/cros_ec'
+ Call trace:
+  sysfs_do_create_link_sd+0x94/0xdc
+  sysfs_create_link+0x30/0x44
+  device_add_class_symlinks+0x90/0x13c
+  device_add+0xf0/0x50c
+  ec_device_probe+0x150/0x4f0
+  platform_probe+0xa0/0xe0
+ ...
+ BUG: KASAN: invalid-access in __memcpy+0x44/0x230
+ Write at addr f5ffff809e2d33ac by task kworker/u32:5/125
+ Pointer tag: [f5], memory tag: [fe]
+ Tainted : [W]=WARN, [O]=OOT_MODULE
+ Hardware name: Google Navi unprovisioned 0x7FFFFFFF/sku0 board/sku3
+ Workqueue: events_unbound deferred_probe_work_func
+ Call trace:
+  __memcpy+0x44/0x230
+  cros_ec_check_features+0x60/0xcc [cros_ec_proto]
+  cros_typec_probe+0xe8/0x6e0 [cros_ec_typec]
+  platform_probe+0xa0/0xe0
+
+Cc: stable@vger.kernel.org
+Fixes: 1c1d152cc5ac ("platform/chrome: cros_ec_dev - utilize new cdev_device_add helper function")
+Co-developed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Signed-off-by: Andrei Kuchynski <akuchynski@chromium.org>
+Reviewed-by: Benson Leung <bleung@chromium.org>
+Link: https://patch.msgid.link/20260427131721.1165078-1-akuchynski@chromium.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mfd/cros_ec_dev.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mfd/cros_ec_dev.c
++++ b/drivers/mfd/cros_ec_dev.c
+@@ -151,7 +151,6 @@ static int ec_device_probe(struct platfo
+       if (!ec)
+               return retval;
+-      dev_set_drvdata(dev, ec);
+       ec->ec_dev = dev_get_drvdata(dev->parent);
+       ec->dev = dev;
+       ec->cmd_offset = ec_platform->cmd_offset;
+@@ -193,6 +192,8 @@ static int ec_device_probe(struct platfo
+       if (retval)
+               goto failed;
++      dev_set_drvdata(dev, ec);
++
+       /* check whether this EC is a sensor hub. */
+       if (cros_ec_get_sensor_count(ec) > 0) {
+               retval = mfd_add_hotplug_devices(ec->dev,
diff --git a/queue-6.1/mm-damon-ops-common-handle-extreme-intervals-in-damon_hot_score.patch b/queue-6.1/mm-damon-ops-common-handle-extreme-intervals-in-damon_hot_score.patch
new file mode 100644 (file)
index 0000000..a9d874b
--- /dev/null
@@ -0,0 +1,90 @@
+From 35d4a3cf70a855b50e53189ac2f8463e20a02046 Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sj@kernel.org>
+Date: Tue, 23 Jun 2026 06:58:31 -0700
+Subject: mm/damon/ops-common: handle extreme intervals in damon_hot_score()
+
+From: SeongJae Park <sj@kernel.org>
+
+commit 35d4a3cf70a855b50e53189ac2f8463e20a02046 upstream.
+
+Fix three issues in damon_hot_score() that comes from wrong handling of
+extreme (zero or too high) monitoring intervals user setup.
+
+When the user sets sampling interval zero, damon_max_nr_accesses(), which
+is called from damon_hot_score(), causes a divide-by-zero.  Needless to
+say, it is a problem.
+
+When the user sets the aggregation interval zero, the function returns
+zero.  It is wrong, since the real maximum nr_acceses in the setup should
+be one.  Worse yet, it can cause another divide-by-zero from its caller,
+damon_hot_score(), since it uses damon_max_nr_accesses() return value as a
+denominator.
+
+When the user sets the aggregation interval very high, damon_hot_score()
+could return a value out of [0, DAMOS_MAX_SCORE] range.  Since the return
+value is used as an index to the regions_score_histogram array, which is
+DAMOS_MAX_SCORE+1 size, it causes out of bounds array access.
+
+The issues can be relatively easily reproduced like below.  The sysfs
+write permission is required, though.
+
+    # ./damo start --damos_action lru_prio --damos_quota_space 100M \
+            --damos_quota_interval 1s
+    # cd /sys/kernel/mm/damon/admin/kdamonds/0
+    # echo 0 > contexts/0/monitoring_attrs/intervals/sample_us
+    # echo 0 > contexts/0/monitoring_attrs/intervals/aggr_us
+    # echo commit > state
+    # dmesg
+    [...]
+    [  131.329762] Oops: divide error: 0000 [#1] SMP NOPTI
+    [...]
+    [  131.336089] RIP: 0010:damon_hot_score+0x27/0xd0
+    [...]
+
+Fix the divide-by-zero intervals problems by explicitly handling the zero
+intervals in damon_max_nr_accesses().  Fix the out-of-bound array access
+by applying [0, DAMOS_MAX_SCORE] bounds before returning from
+damon_hot_score().
+
+The issue was discovered [1] by Sashiko.
+
+Link: https://lore.kernel.org/20260623135834.67189-1-sj@kernel.org
+Link: https://lore.kernel.org/20260619202459.145010-1-sj@kernel.org [1]
+Fixes: 198f0f4c58b9 ("mm/damon/vaddr,paddr: support pageout prioritization")
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Cc: <stable@vger.kernel.org> # 5.16.x
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/damon.h |    8 ++++++--
+ mm/damon/ops-common.c |    1 +
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/include/linux/damon.h
++++ b/include/linux/damon.h
+@@ -564,9 +564,13 @@ static inline bool damon_target_has_pid(
+ static inline unsigned int damon_max_nr_accesses(const struct damon_attrs *attrs)
+ {
+-      /* {aggr,sample}_interval are unsigned long, hence could overflow */
+-      return min(attrs->aggr_interval / attrs->sample_interval,
++      unsigned long sample_interval;
++      unsigned long max_nr_accesses;
++
++      sample_interval = attrs->sample_interval ? : 1;
++      max_nr_accesses = min(attrs->aggr_interval / sample_interval,
+                       (unsigned long)UINT_MAX);
++      return max_nr_accesses ? : 1;
+ }
+--- a/mm/damon/ops-common.c
++++ b/mm/damon/ops-common.c
+@@ -121,6 +121,7 @@ int damon_hot_score(struct damon_ctx *c,
+        * Transform it to fit in [0, DAMOS_MAX_SCORE]
+        */
+       hotness = hotness * DAMOS_MAX_SCORE / DAMON_MAX_SUBSCORE;
++      hotness = max(min(hotness, DAMOS_MAX_SCORE), 0);
+       return hotness;
+ }
diff --git a/queue-6.1/net-af_key-initialize-alg_key_len-for-ipcomp-states.patch b/queue-6.1/net-af_key-initialize-alg_key_len-for-ipcomp-states.patch
new file mode 100644 (file)
index 0000000..b274563
--- /dev/null
@@ -0,0 +1,111 @@
+From d129c3177d7b1138fd5066fcc63a698b3ba415b0 Mon Sep 17 00:00:00 2001
+From: Zijing Yin <yzjaurora@gmail.com>
+Date: Mon, 8 Jun 2026 07:44:41 -0700
+Subject: net: af_key: initialize alg_key_len for IPComp states
+
+From: Zijing Yin <yzjaurora@gmail.com>
+
+commit d129c3177d7b1138fd5066fcc63a698b3ba415b0 upstream.
+
+pfkey_msg2xfrm_state() handles the IPComp (SADB_X_SATYPE_IPCOMP) case by
+allocating x->calg and copying only the algorithm name:
+
+       x->calg = kmalloc_obj(*x->calg);
+       if (!x->calg) {
+               err = -ENOMEM;
+               goto out;
+       }
+       strcpy(x->calg->alg_name, a->name);
+       x->props.calgo = sa->sadb_sa_encrypt;
+
+Unlike the authentication (x->aalg) and encryption (x->ealg) branches of
+the same function, the compression branch never initializes
+calg->alg_key_len.  IPComp carries no key and the allocation only
+reserves sizeof(struct xfrm_algo) (i.e. no room for a key), so the field
+is left containing uninitialized slab data.
+
+calg->alg_key_len is later used as a length by xfrm_algo_clone() when an
+IPComp state is cloned during XFRM_MSG_MIGRATE:
+
+       xfrm_state_migrate()
+         xfrm_state_clone_and_setup()
+           x->calg = xfrm_algo_clone(orig->calg);
+             kmemdup(orig, xfrm_alg_len(orig));
+
+where xfrm_alg_len() returns sizeof(*alg) + (alg_key_len + 7) / 8.  With
+a non-zero garbage alg_key_len, kmemdup() reads past the end of the
+68-byte calg object.  Adding an IPComp SA via PF_KEY and then migrating
+it triggers (net-next, KASAN, init_on_alloc=0):
+
+  BUG: KASAN: slab-out-of-bounds in kmemdup_noprof+0x44/0x60
+  Read of size 4164 at addr ff11000025a74980 by task diag2/9287
+  CPU: 3 UID: 0 PID: 9287 Comm: diag2 7.1.0-rc6-g903db046d557 #1
+  Call Trace:
+   <TASK>
+   dump_stack_lvl+0x10e/0x1f0
+   print_report+0xf7/0x600
+   kasan_report+0xe4/0x120
+   kasan_check_range+0x105/0x1b0
+   __asan_memcpy+0x23/0x60
+   kmemdup_noprof+0x44/0x60
+   xfrm_state_migrate+0x70a/0x1da0
+   xfrm_migrate+0x753/0x18a0
+   xfrm_do_migrate+0xb47/0xf10
+   xfrm_user_rcv_msg+0x411/0xb50
+   netlink_rcv_skb+0x158/0x420
+   xfrm_netlink_rcv+0x71/0x90
+   netlink_unicast+0x584/0x850
+   netlink_sendmsg+0x8b0/0xdc0
+   ____sys_sendmsg+0x9f7/0xb90
+   ___sys_sendmsg+0x134/0x1d0
+   __sys_sendmsg+0x16d/0x220
+   do_syscall_64+0x116/0x7d0
+   entry_SYSCALL_64_after_hwframe+0x77/0x7f
+   </TASK>
+
+  Allocated by task 9287:
+   kasan_save_stack+0x33/0x60
+   kasan_save_track+0x14/0x30
+   __kasan_kmalloc+0xaa/0xb0
+   pfkey_add+0x2652/0x2ea0
+   pfkey_process+0x6d0/0x830
+   pfkey_sendmsg+0x42c/0x850
+   __sys_sendto+0x461/0x4b0
+   __x64_sys_sendto+0xe0/0x1c0
+   do_syscall_64+0x116/0x7d0
+   entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+  The buggy address belongs to the object at ff11000025a74980
+   which belongs to the cache kmalloc-96 of size 96
+  The buggy address is located 0 bytes inside of
+   allocated 68-byte region [ff11000025a74980, ff11000025a749c4)
+
+Depending on the uninitialized value the same field can instead request
+an oversized kmemdup() allocation and make the migration clone fail.
+
+The XFRM netlink path is not affected: verify_one_alg() rejects an
+XFRMA_ALG_COMP attribute shorter than xfrm_alg_len(), so a calg added via
+XFRM_MSG_NEWSA is always self-consistent.
+
+Initialize calg->alg_key_len to 0, matching the aalg/ealg branches.
+
+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijing Yin <yzjaurora@gmail.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/key/af_key.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1202,6 +1202,7 @@ static struct xfrm_state * pfkey_msg2xfr
+                               goto out;
+                       }
+                       strcpy(x->calg->alg_name, a->name);
++                      x->calg->alg_key_len = 0;
+                       x->props.calgo = sa->sadb_sa_encrypt;
+               } else {
+                       int keysize = 0;
diff --git a/queue-6.1/net-ipv4-bound-tcp-reordering-sysctl-writes-and-mtu-probe-sizes.patch b/queue-6.1/net-ipv4-bound-tcp-reordering-sysctl-writes-and-mtu-probe-sizes.patch
new file mode 100644 (file)
index 0000000..bb62389
--- /dev/null
@@ -0,0 +1,100 @@
+From efb8763d7bbb40cff4cc55a6b62c3095a038149c Mon Sep 17 00:00:00 2001
+From: Wyatt Feng <bronzed_45_vested@icloud.com>
+Date: Mon, 15 Jun 2026 18:31:18 +0800
+Subject: net: ipv4: bound TCP reordering sysctl writes and MTU probe sizes
+
+From: Wyatt Feng <bronzed_45_vested@icloud.com>
+
+commit efb8763d7bbb40cff4cc55a6b62c3095a038149c upstream.
+
+Reject invalid `net.ipv4.tcp_reordering` values before they reach TCP
+socket state. The sysctl is stored as an `int` but copied into the
+`u32` `tp->reordering` field for new sockets, so negative writes wrap
+to large values.
+
+With `tcp_mtu_probing=2`, the wrapped value can overflow the
+`tcp_mtu_probe()` size calculation and drive the MTU probing path into
+an out-of-bounds read. Route `tcp_reordering` writes through
+`proc_dointvec_minmax()` and require it to be at least 1. Also require
+`tcp_max_reordering` to be at least 1 so the configured maximum cannot
+become negative either.
+
+When registering the table for a non-init network namespace, relocate
+`extra2` pointers that refer into `init_net.ipv4` so the
+`tcp_reordering` upper bound follows that namespace's
+`tcp_max_reordering`.
+
+Harden `tcp_mtu_probe()` itself by computing `size_needed` as `u64`.
+This keeps the send queue and window checks from being bypassed through
+signed integer overflow.
+
+Fixes: 91cc17c0e5e5 ("[TCP]: MTUprobe: receiver window & data available checks fixed")
+Cc: stable@vger.kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/1a5b7e1ef4d70fbad8c8ee0b82d8405f3c964a3d.1781395200.git.bronzed_45_vested@icloud.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/sysctl_net_ipv4.c |   10 ++++++++--
+ net/ipv4/tcp_output.c      |    4 ++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -938,7 +938,9 @@ static struct ctl_table ipv4_net_table[]
+               .data           = &init_net.ipv4.sysctl_tcp_reordering,
+               .maxlen         = sizeof(int),
+               .mode           = 0644,
+-              .proc_handler   = proc_dointvec
++              .proc_handler   = proc_dointvec_minmax,
++              .extra1         = SYSCTL_ONE,
++              .extra2         = &init_net.ipv4.sysctl_tcp_max_reordering,
+       },
+       {
+               .procname       = "tcp_retries1",
+@@ -1157,7 +1159,8 @@ static struct ctl_table ipv4_net_table[]
+               .data           = &init_net.ipv4.sysctl_tcp_max_reordering,
+               .maxlen         = sizeof(int),
+               .mode           = 0644,
+-              .proc_handler   = proc_dointvec
++              .proc_handler   = proc_dointvec_minmax,
++              .extra1         = SYSCTL_ONE,
+       },
+       {
+               .procname       = "tcp_dsack",
+@@ -1423,6 +1426,9 @@ static __net_init int ipv4_sysctl_init_n
+                                */
+                               table[i].mode &= ~0222;
+                       }
++                      if (table[i].extra2 >= (void *)&init_net.ipv4 &&
++                          table[i].extra2 < (void *)(&init_net.ipv4 + 1))
++                              table[i].extra2 += (void *)net - (void *)&init_net;
+               }
+       }
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2352,7 +2352,7 @@ static int tcp_mtu_probe(struct sock *sk
+       struct sk_buff *skb, *nskb, *next;
+       struct net *net = sock_net(sk);
+       int probe_size;
+-      int size_needed;
++      u64 size_needed;
+       int copy, len;
+       int mss_now;
+       int interval;
+@@ -2376,7 +2376,7 @@ static int tcp_mtu_probe(struct sock *sk
+       mss_now = tcp_current_mss(sk);
+       probe_size = tcp_mtu_to_mss(sk, (icsk->icsk_mtup.search_high +
+                                   icsk->icsk_mtup.search_low) >> 1);
+-      size_needed = probe_size + (tp->reordering + 1) * tp->mss_cache;
++      size_needed = probe_size + (tp->reordering + 1) * (u64)tp->mss_cache;
+       interval = icsk->icsk_mtup.search_high - icsk->icsk_mtup.search_low;
+       /* When misfortune happens, we are reprobing actively,
+        * and then reprobe timer has expired. We stick with current
diff --git a/queue-6.1/netfilter-ctnetlink-use-nf_ct_exp_net-in-expectation-dump.patch b/queue-6.1/netfilter-ctnetlink-use-nf_ct_exp_net-in-expectation-dump.patch
new file mode 100644 (file)
index 0000000..2bf414b
--- /dev/null
@@ -0,0 +1,40 @@
+From a7f57320bbbc67e347bf5fff4b4a9bab980d5956 Mon Sep 17 00:00:00 2001
+From: Pratham Gupta <pratham36gupta@gmail.com>
+Date: Mon, 4 May 2026 22:11:57 -0700
+Subject: netfilter: ctnetlink: use nf_ct_exp_net() in expectation dump
+
+From: Pratham Gupta <pratham36gupta@gmail.com>
+
+commit a7f57320bbbc67e347bf5fff4b4a9bab980d5956 upstream.
+
+Commit 02a3231b6d82 ("netfilter: nf_conntrack_expect: store netns and zone in expectation")
+introduced exp->net so RCU-only expectation paths no longer need to
+dereference exp->master for netns lookups.
+
+Commit 3db5647984de ("netfilter: nf_conntrack_expect: skip expectations in other netns via proc")
+updated the proc path accordingly, but ctnetlink_exp_dump_table() still
+compares against nf_ct_net(exp->master).
+
+Use nf_ct_exp_net(exp) here as well so the netlink dump path matches
+the rest of the March 2026 expectation netns/RCU cleanup.
+
+Fixes: 02a3231b6d82 ("netfilter: nf_conntrack_expect: store netns and zone in expectation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pratham Gupta <pratham36gupta@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_netlink.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3152,7 +3152,7 @@ restart:
+                       if (l3proto && exp->tuple.src.l3num != l3proto)
+                               continue;
+-                      if (!net_eq(nf_ct_net(exp->master), net))
++                      if (!net_eq(nf_ct_exp_net(exp), net))
+                               continue;
+                       if (cb->args[1]) {
diff --git a/queue-6.1/netfilter-ipset-fix-race-between-dump-and-ip_set_list-resize.patch b/queue-6.1/netfilter-ipset-fix-race-between-dump-and-ip_set_list-resize.patch
new file mode 100644 (file)
index 0000000..8d189df
--- /dev/null
@@ -0,0 +1,77 @@
+From 7cd9103283b26b917360ec99d7d2f2d761bcf1ab Mon Sep 17 00:00:00 2001
+From: Xiang Mei <xmei5@asu.edu>
+Date: Wed, 24 Jun 2026 18:00:06 -0700
+Subject: netfilter: ipset: fix race between dump and ip_set_list resize
+
+From: Xiang Mei <xmei5@asu.edu>
+
+commit 7cd9103283b26b917360ec99d7d2f2d761bcf1ab upstream.
+
+The release path of ip_set_dump_do() and ip_set_dump_done() read
+inst->ip_set_list via ip_set_ref_netlink(), a plain rcu_dereference_raw()
+of the array pointer. These run from netlink_recvmsg() without the nfnl
+mutex and without an RCU read-side critical section.
+
+A concurrent ip_set_create() can grow the array: it publishes the new
+array, calls synchronize_net() and then kvfree()s the old one. Since the
+dump paths read the array outside any RCU reader, synchronize_net() does
+not wait for them and the old array can be freed while they still index
+into it, causing a use-after-free.
+
+The dumped set itself stays pinned via set->ref_netlink, so only the
+array load needs protecting. Take rcu_read_lock() around it, matching
+ip_set_get_byname() and __ip_set_put_byindex().
+
+  BUG: KASAN: slab-use-after-free in ip_set_dump_do (net/netfilter/ipset/ip_set_core.c:1697)
+  Read of size 8 at addr ffff88800b5c4018 by task exploit/150
+  Call Trace:
+   ...
+   kasan_report (mm/kasan/report.c:595)
+   ip_set_dump_do (net/netfilter/ipset/ip_set_core.c:1697)
+   netlink_dump (net/netlink/af_netlink.c:2325)
+   netlink_recvmsg (net/netlink/af_netlink.c:1976)
+   sock_recvmsg (net/socket.c:1159)
+   __sys_recvfrom (net/socket.c:2315)
+   ...
+  Oops: general protection fault, probably for non-canonical address ... KASAN NOPTI
+  KASAN: maybe wild-memory-access in range [0x02d6...d0-0x02d6...d7]
+  RIP: 0010:ip_set_dump_do (net/netfilter/ipset/ip_set_core.c:1698)
+  Kernel panic - not syncing: Fatal exception
+
+Fixes: 8a02bdd50b2e ("netfilter: ipset: Fix calling ip_set() macro at dumping")
+Cc: stable@vger.kernel.org
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Assisted-by: Claude:claude-opus-4-8
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipset/ip_set_core.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -1482,7 +1482,11 @@ ip_set_dump_done(struct netlink_callback
+               struct ip_set_net *inst =
+                       (struct ip_set_net *)cb->args[IPSET_CB_NET];
+               ip_set_id_t index = (ip_set_id_t)cb->args[IPSET_CB_INDEX];
+-              struct ip_set *set = ip_set_ref_netlink(inst, index);
++              struct ip_set *set;
++
++              rcu_read_lock();
++              set = ip_set_ref_netlink(inst, index);
++              rcu_read_unlock();
+               if (set->variant->uref)
+                       set->variant->uref(set, cb, false);
+@@ -1687,7 +1691,9 @@ next_set:
+ release_refcount:
+       /* If there was an error or set is done, release set */
+       if (ret || !cb->args[IPSET_CB_ARG0]) {
++              rcu_read_lock();
+               set = ip_set_ref_netlink(inst, index);
++              rcu_read_unlock();
+               if (set->variant->uref)
+                       set->variant->uref(set, cb, false);
+               pr_debug("release set %s\n", set->name);
diff --git a/queue-6.1/ntb-epf-avoid-calling-pci_irq_vector-from-hardirq-context.patch b/queue-6.1/ntb-epf-avoid-calling-pci_irq_vector-from-hardirq-context.patch
new file mode 100644 (file)
index 0000000..67495a5
--- /dev/null
@@ -0,0 +1,73 @@
+From 4dcddc1c794d1c65eda68f1f8dd04a0fecc0870f Mon Sep 17 00:00:00 2001
+From: Koichiro Den <den@valinux.co.jp>
+Date: Wed, 4 Mar 2026 17:30:28 +0900
+Subject: NTB: epf: Avoid calling pci_irq_vector() from hardirq context
+
+From: Koichiro Den <den@valinux.co.jp>
+
+commit 4dcddc1c794d1c65eda68f1f8dd04a0fecc0870f upstream.
+
+ntb_epf_vec_isr() calls pci_irq_vector() in hardirq context to derive
+the vector number. pci_irq_vector() calls msi_get_virq() that takes a
+mutex and can therefore trigger "scheduling while atomic" splats:
+
+  BUG: scheduling while atomic: kworker/u33:0/55/0x00010001
+  ...
+  Call trace:
+   ...
+   schedule+0x38/0x110
+   schedule_preempt_disabled+0x28/0x50
+   __mutex_lock.constprop.0+0x848/0x908
+   __mutex_lock_slowpath+0x18/0x30
+   mutex_lock+0x4c/0x60
+   msi_domain_get_virq+0xe8/0x138
+   pci_irq_vector+0x2c/0x60
+   ntb_epf_vec_isr+0x28/0x120 [ntb_hw_epf]
+   __handle_irq_event_percpu+0x70/0x3a8
+   handle_irq_event+0x48/0x100
+   handle_edge_irq+0x100/0x1c8
+   ...
+
+Cache the Linux IRQ number for vector 0 when vectors are allocated and
+use it as a base in the ISR. Running the ISR in a threaded IRQ handler
+would also avoid the problem, but that would be unnecessary here.
+
+Fixes: 812ce2f8d14e ("NTB: Add support for EPF PCI Non-Transparent Bridge")
+Signed-off-by: Koichiro Den <den@valinux.co.jp>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Cc: stable@vger.kernel.org # v5.12+
+Link: https://patch.msgid.link/20260304083028.1391068-3-den@valinux.co.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ntb/hw/epf/ntb_hw_epf.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/ntb/hw/epf/ntb_hw_epf.c
++++ b/drivers/ntb/hw/epf/ntb_hw_epf.c
+@@ -92,6 +92,7 @@ struct ntb_epf_dev {
+       int db_val;
+       u64 db_valid_mask;
++      int irq_base;
+ };
+ #define ntb_ndev(__ntb) container_of(__ntb, struct ntb_epf_dev, ntb)
+@@ -318,7 +319,7 @@ static irqreturn_t ntb_epf_vec_isr(int i
+       struct ntb_epf_dev *ndev = dev;
+       int irq_no;
+-      irq_no = irq - pci_irq_vector(ndev->ntb.pdev, 0);
++      irq_no = irq - ndev->irq_base;
+       ndev->db_val = irq_no + 1;
+       if (irq_no == 0)
+@@ -350,6 +351,7 @@ static int ntb_epf_init_isr(struct ntb_e
+               argument &= ~MSIX_ENABLE;
+       }
++      ndev->irq_base = pci_irq_vector(pdev, 0);
+       for (i = 0; i < irq; i++) {
+               ret = request_irq(pci_irq_vector(pdev, i), ntb_epf_vec_isr,
+                                 0, "ntb_epf", ndev);
index 70aa7314dd6bed14989ae1e683a5b5e2a3393880..e065ab7526e0bc2a32f01e2242a0a6cd614a8e7a 100644 (file)
@@ -93,3 +93,36 @@ binder-fix-uaf-in-binder_free_transaction.patch
 usb-xhci-fix-sleep-in-atomic-context-in-xhci_free_streams.patch
 pci-altera-do-not-dispose-parent-irq-mapping.patch
 pci-host-common-request-bus-reassignment-when-not-probe-only.patch
+mm-damon-ops-common-handle-extreme-intervals-in-damon_hot_score.patch
+netfilter-ipset-fix-race-between-dump-and-ip_set_list-resize.patch
+virtio-mmio-fix-device-release-warning-on-module-unload.patch
+hwrng-virtio-clamp-device-reported-used.len-at-copy_data.patch
+usb-chaoskey-fix-slab-use-after-free-in-chaoskey_release.patch
+usb-dwc3-run-gadget-disconnect-from-sleepable-suspend-context.patch
+6lowpan-fix-nhc-entry-use-after-free-on-error-path.patch
+tipc-fix-out-of-bounds-read-in-broadcast-gap-ack-blocks.patch
+staging-vme_user-bound-slave-read-write-to-the-kern_buf-size.patch
+smb-client-restrict-implied-bcc-exemption-to-responses-without-data-area.patch
+staging-vme_user-fix-location-monitor-leak-in-fake-bridge.patch
+staging-vme_user-fix-location-monitor-leak-in-tsi148-bridge.patch
+media-staging-ipu3-imgu-add-range-check-for-imgu_css_cfg_acc_stripe.patch
+staging-media-atomisp-reduce-load_primary_binaries-stack-usage.patch
+staging-rtl8723bs-fix-wep-length-underflow-and-oob-read-in-onauth.patch
+staging-rtl8723bs-fix-oob-read-in-onassocrsp-ie-loop.patch
+staging-rtl8723bs-fix-oob-read-in-update_beacon_info-ie-loop.patch
+staging-rtl8723bs-fix-oob-reads-in-ie-loops-in-issue_assocreq-and-join_cmd_hdl.patch
+staging-rtl8723bs-fix-oob-reads-in-is_ap_in_tkip-ie-loop.patch
+staging-rtl8723bs-fix-oob-write-in-ht_caps_handler.patch
+crypto-amlogic-avoid-double-cleanup-in-meson_crypto_probe.patch
+ksmbd-fix-use-after-free-of-a-deferred-file_lock-on-smb2_close-then-smb2_cancel.patch
+net-af_key-initialize-alg_key_len-for-ipcomp-states.patch
+audit-fix-data-races-of-skb_queue_len-readers-on-audit_queue.patch
+debugobjects-plug-race-against-a-concurrent-oom-disable.patch
+fs-ntfs3-validate-dirty-page-table-capacity-in-log_replay-copy_lcns.patch
+ntb-epf-avoid-calling-pci_irq_vector-from-hardirq-context.patch
+gpio-eic-sprd-use-raw_spinlock_t-in-the-irq-startup-path.patch
+io_uring-io-wq-re-check-io_wq_bit_exit-for-each-linked-work-item.patch
+ipv4-igmp-remove-multicast-group-from-hash-table-on-device-destruction.patch
+net-ipv4-bound-tcp-reordering-sysctl-writes-and-mtu-probe-sizes.patch
+mfd-cros_ec-delay-dev_set_drvdata-until-probe-success.patch
+netfilter-ctnetlink-use-nf_ct_exp_net-in-expectation-dump.patch
diff --git a/queue-6.1/smb-client-restrict-implied-bcc-exemption-to-responses-without-data-area.patch b/queue-6.1/smb-client-restrict-implied-bcc-exemption-to-responses-without-data-area.patch
new file mode 100644 (file)
index 0000000..31e9af5
--- /dev/null
@@ -0,0 +1,202 @@
+From 53b7c271f06be4dd5cfc8c6ef552a8355c891a7f Mon Sep 17 00:00:00 2001
+From: Shoichiro Miyamoto <shoichiro.miyamoto@gmail.com>
+Date: Tue, 7 Jul 2026 20:23:58 +0900
+Subject: smb: client: restrict implied bcc[0] exemption to responses without data area
+
+From: Shoichiro Miyamoto <shoichiro.miyamoto@gmail.com>
+
+commit 53b7c271f06be4dd5cfc8c6ef552a8355c891a7f upstream.
+
+smb2_check_message() has a long-standing quirk that accepts a response
+whose calculated length is one byte larger than the bytes actually
+received ("server can return one byte more due to implied bcc[0]").
+This was introduced to accommodate servers that omit the trailing bcc[0]
+overlap byte when no data area is present.
+
+However, the exemption is applied unconditionally, regardless of whether
+the command actually carries a data area (has_smb2_data_area[]).  When a
+response with a data area is subject to the +1 exemption, the reported
+data can extend one byte beyond the bytes actually received, yet
+smb2_check_message() still accepts it.  The subsequent decoder then reads
+past the end of the receive buffer.  This is reachable during NEGOTIATE
+and SESSION_SETUP, before the session is established.
+
+The resulting out-of-bounds reads are visible under KASAN when mounting
+against a non-conforming server; both the SPNEGO/negTokenInit and the
+NTLMSSP challenge decoders are affected:
+
+  BUG: KASAN: slab-out-of-bounds in asn1_ber_decoder+0x16a7/0x1b00
+  Read of size 1 at addr ffff8880084d67c0 by task mount.cifs/81
+  CPU: 1 UID: 0 PID: 81 Comm: mount.cifs Not tainted 7.1.0-rc6 #1
+  Call Trace:
+   <TASK>
+   dump_stack_lvl+0x4e/0x70
+   print_report+0x157/0x4c9
+   kasan_report+0xce/0x100
+   asn1_ber_decoder+0x16a7/0x1b00
+   decode_negTokenInit+0x19/0x30
+   SMB2_negotiate+0x31d9/0x4c90
+   cifs_negotiate_protocol+0x1f2/0x3f0
+   cifs_get_smb_ses+0x93f/0x17e0
+   cifs_mount_get_session+0x7f/0x3a0
+   cifs_mount+0xb4/0xcf0
+   cifs_smb3_do_mount+0x23a/0x1500
+   smb3_get_tree+0x3b0/0x630
+   vfs_get_tree+0x82/0x2d0
+   fc_mount+0x10/0x1b0
+   path_mount+0x50d/0x1de0
+   __x64_sys_mount+0x20b/0x270
+   do_syscall_64+0xee/0x590
+   entry_SYSCALL_64_after_hwframe+0x77/0x7f
+   </TASK>
+  Allocated by task 85:
+   kmem_cache_alloc_noprof+0x106/0x380
+   mempool_alloc_noprof+0x116/0x1e0
+   cifs_small_buf_get+0x31/0x80
+   allocate_buffers+0x10d/0x2b0
+   cifs_demultiplex_thread+0x1d5/0x1d50
+   kthread+0x2c6/0x390
+   ret_from_fork+0x36e/0x5a0
+   ret_from_fork_asm+0x1a/0x30
+  The buggy address is located 0 bytes to the right of
+   allocated 448-byte region [ffff8880084d6600, ffff8880084d67c0)
+   which belongs to the cache cifs_small_rq of size 448
+
+  BUG: KASAN: slab-out-of-bounds in kmemdup_noprof+0x36/0x50
+  Read of size 329 at addr ffff88800726c678 by task mount.cifs/89
+  CPU: 0 UID: 0 PID: 89 Comm: mount.cifs Tainted: G    B      7.1.0-rc6 #1
+  Call Trace:
+   <TASK>
+   dump_stack_lvl+0x4e/0x70
+   print_report+0x157/0x4c9
+   kasan_report+0xce/0x100
+   kasan_check_range+0x10f/0x1e0
+   __asan_memcpy+0x23/0x60
+   kmemdup_noprof+0x36/0x50
+   decode_ntlmssp_challenge+0x457/0x680
+   SMB2_sess_auth_rawntlmssp_negotiate+0x6f0/0xcb0
+   SMB2_sess_setup+0x219/0x4f0
+   cifs_setup_session+0x248/0xaf0
+   cifs_get_smb_ses+0xf79/0x17e0
+   cifs_mount_get_session+0x7f/0x3a0
+   cifs_mount+0xb4/0xcf0
+   cifs_smb3_do_mount+0x23a/0x1500
+   smb3_get_tree+0x3b0/0x630
+   vfs_get_tree+0x82/0x2d0
+   fc_mount+0x10/0x1b0
+   path_mount+0x50d/0x1de0
+   __x64_sys_mount+0x20b/0x270
+   do_syscall_64+0xee/0x590
+   entry_SYSCALL_64_after_hwframe+0x77/0x7f
+   </TASK>
+  Allocated by task 93:
+   kmem_cache_alloc_noprof+0x106/0x380
+   mempool_alloc_noprof+0x116/0x1e0
+   cifs_small_buf_get+0x31/0x80
+   allocate_buffers+0x10d/0x2b0
+   cifs_demultiplex_thread+0x1d5/0x1d50
+   kthread+0x2c6/0x390
+   ret_from_fork+0x36e/0x5a0
+   ret_from_fork_asm+0x1a/0x30
+  The buggy address is located 120 bytes inside of
+   allocated 448-byte region [ffff88800726c600, ffff88800726c7c0)
+   which belongs to the cache cifs_small_rq of size 448
+
+Restrict the +1 exemption to responses that have no data area, so that
+it still covers the bcc[0] omission it was meant for.  When a data area
+is present, the +1 discrepancy instead means the reported data length
+overruns the received buffer, so the response must be rejected.
+
+Fixes: 093b2bdad322 ("CIFS: Make demultiplex_thread work with SMB2 code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Shoichiro Miyamoto <shoichiro.miyamoto@gmail.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2misc.c |   32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+--- a/fs/smb/client/smb2misc.c
++++ b/fs/smb/client/smb2misc.c
+@@ -18,6 +18,8 @@
+ #include "nterr.h"
+ #include "cached_dir.h"
++static unsigned int __smb2_calc_size(void *buf, bool *have_data);
++
+ static int
+ check_smb2_hdr(struct smb2_hdr *shdr, __u64 mid)
+ {
+@@ -143,6 +145,7 @@ smb2_check_message(char *buf, unsigned i
+       int command;
+       __u32 calc_len; /* calculated length */
+       __u64 mid;
++      bool have_data;
+       /* If server is a channel, select the primary channel */
+       pserver = CIFS_SERVER_IS_CHAN(server) ? server->primary_server : server;
+@@ -226,7 +229,8 @@ smb2_check_message(char *buf, unsigned i
+               }
+       }
+-      calc_len = smb2_calc_size(buf);
++      have_data = false;
++      calc_len = __smb2_calc_size(buf, &have_data);
+       /* For SMB2_IOCTL, OutputOffset and OutputLength are optional, so might
+        * be 0, and not a real miscalculation */
+@@ -245,8 +249,13 @@ smb2_check_message(char *buf, unsigned i
+               /* Windows 7 server returns 24 bytes more */
+               if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE)
+                       return 0;
+-              /* server can return one byte more due to implied bcc[0] */
+-              if (calc_len == len + 1)
++              /*
++               * Server can return one byte more due to implied bcc[0].
++               * Allow it only when there is no data area; if data_length > 0
++               * the +1 gap indicates an overreported data length rather than
++               * the bcc[0] omission.
++               */
++              if (calc_len == len + 1 && !have_data)
+                       return 0;
+               /*
+@@ -407,14 +416,17 @@ smb2_get_data_area_len(int *off, int *le
+ /*
+  * Calculate the size of the SMB message based on the fixed header
+  * portion, the number of word parameters and the data portion of the message.
++ * If have_data is non-NULL, it is set to true when a non-empty data area was
++ * found (data_length > 0), allowing callers to distinguish the implied bcc[0]
++ * case (no data area) from an overreported data length.
+  */
+-unsigned int
+-smb2_calc_size(void *buf)
++static unsigned int
++__smb2_calc_size(void *buf, bool *have_data)
+ {
+       struct smb2_pdu *pdu = buf;
+       struct smb2_hdr *shdr = &pdu->hdr;
+       int offset; /* the offset from the beginning of SMB to data area */
+-      int data_length; /* the length of the variable length data area */
++      int data_length = 0; /* the length of the variable length data area */
+       /* Structure Size has already been checked to make sure it is 64 */
+       int len = le16_to_cpu(shdr->StructureSize);
+@@ -447,9 +459,17 @@ smb2_calc_size(void *buf)
+       }
+ calc_size_exit:
+       cifs_dbg(FYI, "SMB2 len %d\n", len);
++      if (have_data)
++              *have_data = (data_length > 0);
+       return len;
+ }
++unsigned int
++smb2_calc_size(void *buf)
++{
++      return __smb2_calc_size(buf, NULL);
++}
++
+ /* Note: caller must free return buffer */
+ __le16 *
+ cifs_convert_path_to_utf16(const char *from, struct cifs_sb_info *cifs_sb)
diff --git a/queue-6.1/staging-media-atomisp-reduce-load_primary_binaries-stack-usage.patch b/queue-6.1/staging-media-atomisp-reduce-load_primary_binaries-stack-usage.patch
new file mode 100644 (file)
index 0000000..8a00b94
--- /dev/null
@@ -0,0 +1,60 @@
+From f4d51e55dd47ef467fbe37d8575e20eee41b092d Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 25 Mar 2026 13:59:43 +0100
+Subject: staging: media: atomisp: reduce load_primary_binaries() stack usage
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit f4d51e55dd47ef467fbe37d8575e20eee41b092d upstream.
+
+The load_primary_binaries() function is overly complex and has som large
+variables on the stack, which can cause warnings depending on CONFIG_FRAME_WARN
+setting:
+
+drivers/staging/media/atomisp/pci/sh_css.c: In function 'load_primary_binaries':
+drivers/staging/media/atomisp/pci/sh_css.c:5260:1: error: the frame size of 1560 bytes is larger than 1536 bytes [-Werror=frame-larger-than=]
+
+Half of the stack usage is for the prim_descr[] array, but only one
+member of the array is used at any given time.
+
+Reduce the stack usage by turning the array into a single structure.
+
+Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/atomisp/pci/sh_css.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/media/atomisp/pci/sh_css.c
++++ b/drivers/staging/media/atomisp/pci/sh_css.c
+@@ -5464,7 +5464,6 @@ static int load_primary_binaries(
+       struct ia_css_capture_settings *mycs;
+       unsigned int i;
+       bool need_extra_yuv_scaler = false;
+-      struct ia_css_binary_descr prim_descr[MAX_NUM_PRIMARY_STAGES];
+       IA_CSS_ENTER_PRIVATE("");
+       assert(pipe);
+@@ -5637,15 +5636,16 @@ static int load_primary_binaries(
+       /* Primary */
+       for (i = 0; i < mycs->num_primary_stage; i++) {
++              struct ia_css_binary_descr prim_descr;
+               struct ia_css_frame_info *local_vf_info = NULL;
+               if (pipe->enable_viewfinder[IA_CSS_PIPE_OUTPUT_STAGE_0] &&
+                   (i == mycs->num_primary_stage - 1))
+                       local_vf_info = &vf_info;
+-              ia_css_pipe_get_primary_binarydesc(pipe, &prim_descr[i],
++              ia_css_pipe_get_primary_binarydesc(pipe, &prim_descr,
+                                                  &prim_in_info, &prim_out_info,
+                                                  local_vf_info, i);
+-              err = ia_css_binary_find(&prim_descr[i], &mycs->primary_binary[i]);
++              err = ia_css_binary_find(&prim_descr, &mycs->primary_binary[i]);
+               if (err) {
+                       IA_CSS_LEAVE_ERR_PRIVATE(err);
+                       return err;
diff --git a/queue-6.1/staging-rtl8723bs-fix-oob-read-in-onassocrsp-ie-loop.patch b/queue-6.1/staging-rtl8723bs-fix-oob-read-in-onassocrsp-ie-loop.patch
new file mode 100644 (file)
index 0000000..571e094
--- /dev/null
@@ -0,0 +1,47 @@
+From f9654207e92283e0acac5d64fe5f8835383b5a23 Mon Sep 17 00:00:00 2001
+From: Alexandru Hossu <hossu.alexandru@gmail.com>
+Date: Fri, 22 May 2026 02:45:29 +0200
+Subject: staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop
+
+From: Alexandru Hossu <hossu.alexandru@gmail.com>
+
+commit f9654207e92283e0acac5d64fe5f8835383b5a23 upstream.
+
+The IE parsing loop in OnAssocRsp() advances by (pIE->length + 2) each
+iteration but only guards on i < pkt_len. When a malicious AP sends an
+AssocResponse whose last IE has only one byte remaining in the frame
+(the element_id byte lands at pkt_len-1), the loop reads pIE->length
+from pframe[pkt_len], which is one byte past the allocated receive buffer.
+
+Additionally, even when the header bytes are in bounds, pIE->length
+itself can extend the data window beyond pkt_len, silently passing a
+truncated IE to the handler functions.
+
+Add two guards at the top of the loop body:
+  1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
+  2. Break if the IE's declared data extends past pkt_len.
+
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
+Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
+Link: https://patch.msgid.link/20260522004531.1038924-6-hossu.alexandru@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_mlme_ext.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
++++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+@@ -1427,7 +1427,11 @@ unsigned int OnAssocRsp(struct adapter *
+       /* to handle HT, WMM, rate adaptive, update MAC reg */
+       /* for not to handle the synchronous IO in the tasklet */
+       for (i = (6 + WLAN_HDR_A3_LEN); i < pkt_len;) {
++              if (i + sizeof(*pIE) > pkt_len)
++                      break;
+               pIE = (struct ndis_80211_var_ie *)(pframe + i);
++              if (i + sizeof(*pIE) + pIE->length > pkt_len)
++                      break;
+               switch (pIE->element_id) {
+               case WLAN_EID_VENDOR_SPECIFIC:
diff --git a/queue-6.1/staging-rtl8723bs-fix-oob-read-in-update_beacon_info-ie-loop.patch b/queue-6.1/staging-rtl8723bs-fix-oob-read-in-update_beacon_info-ie-loop.patch
new file mode 100644 (file)
index 0000000..e617446
--- /dev/null
@@ -0,0 +1,59 @@
+From ed51de4a86e173c3b0ef78e039c2e49e08b11f16 Mon Sep 17 00:00:00 2001
+From: Alexandru Hossu <hossu.alexandru@gmail.com>
+Date: Fri, 22 May 2026 02:45:25 +0200
+Subject: staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
+
+From: Alexandru Hossu <hossu.alexandru@gmail.com>
+
+commit ed51de4a86e173c3b0ef78e039c2e49e08b11f16 upstream.
+
+The IE parsing loop in update_beacon_info() advances by
+(pIE->length + 2) each iteration but only guards on i < len.
+When a malicious AP sends a Beacon whose last IE has only one byte
+remaining in the frame (the element_id byte lands at len-1), the loop
+reads pIE->length from one byte past the allocated receive buffer.
+
+Additionally, even when the header bytes are in bounds, pIE->length
+itself can extend the data window beyond len, passing a truncated IE
+to the handler functions.
+
+Add two guards at the top of the loop body:
+  1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
+  2. Break if the IE's declared data extends past len.
+
+Also replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length
+for consistency with the sizeof(*pIE) guards added above.
+
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Cc: stable <stable@kernel.org>
+Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
+Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
+Link: https://patch.msgid.link/20260522004531.1038924-2-hossu.alexandru@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_wlan_util.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
++++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+@@ -1336,7 +1336,11 @@ void update_beacon_info(struct adapter *
+       len = pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN);
+       for (i = 0; i < len;) {
++              if (i + sizeof(*pIE) > len)
++                      break;
+               pIE = (struct ndis_80211_var_ie *)(pframe + (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN) + i);
++              if (i + sizeof(*pIE) + pIE->length > len)
++                      break;
+               switch (pIE->element_id) {
+               case WLAN_EID_VENDOR_SPECIFIC:
+@@ -1361,7 +1365,7 @@ void update_beacon_info(struct adapter *
+                       break;
+               }
+-              i += (pIE->length + 2);
++              i += sizeof(*pIE) + pIE->length;
+       }
+ }
diff --git a/queue-6.1/staging-rtl8723bs-fix-oob-reads-in-ie-loops-in-issue_assocreq-and-join_cmd_hdl.patch b/queue-6.1/staging-rtl8723bs-fix-oob-reads-in-ie-loops-in-issue_assocreq-and-join_cmd_hdl.patch
new file mode 100644 (file)
index 0000000..42c42eb
--- /dev/null
@@ -0,0 +1,63 @@
+From ef61d628dfad38fead1fd2e08979ae9126d011d5 Mon Sep 17 00:00:00 2001
+From: Alexandru Hossu <hossu.alexandru@gmail.com>
+Date: Fri, 22 May 2026 02:45:26 +0200
+Subject: staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl()
+
+From: Alexandru Hossu <hossu.alexandru@gmail.com>
+
+commit ef61d628dfad38fead1fd2e08979ae9126d011d5 upstream.
+
+Two IE parsing loops are missing the header bounds checks before they
+dereference pIE->length:
+
+ - issue_assocreq() walks pmlmeinfo->network.ies to build the
+   association request. If the stored IE data ends with only an
+   element_id byte and no length byte, pIE->length is read one byte
+   past the end of the buffer.
+
+ - join_cmd_hdl() walks pnetwork->ies during station join and has
+   the same problem under the same conditions.
+
+Both buffers are filled from AP beacon and probe-response frames, so a
+malicious AP that sends a truncated final IE can trigger the issue.
+
+Apply the two-guard pattern established in update_beacon_info():
+  1. Break if fewer than sizeof(*pIE) bytes remain.
+  2. Break if the IE's declared data extends past the buffer end.
+
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Cc: stable <stable@kernel.org>
+Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
+Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
+Link: https://patch.msgid.link/20260522004531.1038924-3-hossu.alexandru@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_mlme_ext.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
++++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+@@ -2968,7 +2968,11 @@ void issue_assocreq(struct adapter *pada
+       /* vendor specific IE, such as WPA, WMM, WPS */
+       for (i = sizeof(struct ndis_802_11_fix_ie); i < pmlmeinfo->network.ie_length;) {
++              if (i + sizeof(*pIE) > pmlmeinfo->network.ie_length)
++                      break;
+               pIE = (struct ndis_80211_var_ie *)(pmlmeinfo->network.ies + i);
++              if (i + sizeof(*pIE) + pIE->length > pmlmeinfo->network.ie_length)
++                      break;
+               switch (pIE->element_id) {
+               case WLAN_EID_VENDOR_SPECIFIC:
+@@ -5373,7 +5377,11 @@ u8 join_cmd_hdl(struct adapter *padapter
+       /* sizeof(struct ndis_802_11_fix_ie) */
+       for (i = _FIXED_IE_LENGTH_; i < pnetwork->ie_length;) {
++              if (i + sizeof(*pIE) > pnetwork->ie_length)
++                      break;
+               pIE = (struct ndis_80211_var_ie *)(pnetwork->ies + i);
++              if (i + sizeof(*pIE) + pIE->length > pnetwork->ie_length)
++                      break;
+               switch (pIE->element_id) {
+               case WLAN_EID_VENDOR_SPECIFIC:/* Get WMM IE. */
diff --git a/queue-6.1/staging-rtl8723bs-fix-oob-reads-in-is_ap_in_tkip-ie-loop.patch b/queue-6.1/staging-rtl8723bs-fix-oob-reads-in-is_ap_in_tkip-ie-loop.patch
new file mode 100644 (file)
index 0000000..1193b22
--- /dev/null
@@ -0,0 +1,71 @@
+From 3bf39f711ff27c64be8680a8938bcc5001982e81 Mon Sep 17 00:00:00 2001
+From: Alexandru Hossu <hossu.alexandru@gmail.com>
+Date: Fri, 22 May 2026 02:45:30 +0200
+Subject: staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() IE loop
+
+From: Alexandru Hossu <hossu.alexandru@gmail.com>
+
+commit 3bf39f711ff27c64be8680a8938bcc5001982e81 upstream.
+
+The loop in is_ap_in_tkip() iterates over IEs without verifying that
+enough bytes remain before dereferencing the IE header or its payload:
+
+- pIE->element_id and pIE->length are read without checking that
+  i + sizeof(*pIE) <= ie_length, so a truncated IE at the end of the
+  buffer causes an OOB read.
+
+- For WLAN_EID_VENDOR_SPECIFIC the code compares pIE->data + 12,
+  which requires pIE->length >= 16.  For WLAN_EID_RSN it compares
+  pIE->data + 8, requiring pIE->length >= 12.  Neither requirement
+  is checked.
+
+Add the missing IE header and payload bounds checks and guard each
+data access with an explicit pIE->length minimum, matching the
+pattern established in update_beacon_info().
+
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
+Link: https://patch.msgid.link/20260522004531.1038924-7-hossu.alexandru@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_wlan_util.c |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
++++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+@@ -1381,15 +1381,23 @@ unsigned int is_ap_in_tkip(struct adapte
+               for (i = sizeof(struct ndis_802_11_fix_ie); i < pmlmeinfo->network.ie_length;) {
+                       pIE = (struct ndis_80211_var_ie *)(pmlmeinfo->network.ies + i);
++                      if (i + sizeof(*pIE) > pmlmeinfo->network.ie_length)
++                              break;
++                      if (i + sizeof(*pIE) + pIE->length > pmlmeinfo->network.ie_length)
++                              break;
++
+                       switch (pIE->element_id) {
+                       case WLAN_EID_VENDOR_SPECIFIC:
+-                              if ((!memcmp(pIE->data, RTW_WPA_OUI, 4)) && (!memcmp((pIE->data + 12), WPA_TKIP_CIPHER, 4)))
++                              if (pIE->length >= 16 &&
++                                  !memcmp(pIE->data, RTW_WPA_OUI, 4) &&
++                                  !memcmp((pIE->data + 12), WPA_TKIP_CIPHER, 4))
+                                       return true;
+                               break;
+                       case WLAN_EID_RSN:
+-                              if (!memcmp((pIE->data + 8), RSN_TKIP_CIPHER, 4))
++                              if (pIE->length >= 12 &&
++                                  !memcmp((pIE->data + 8), RSN_TKIP_CIPHER, 4))
+                                       return true;
+                               break;
+@@ -1397,7 +1405,7 @@ unsigned int is_ap_in_tkip(struct adapte
+                               break;
+                       }
+-                      i += (pIE->length + 2);
++                      i += sizeof(*pIE) + pIE->length;
+               }
+               return false;
diff --git a/queue-6.1/staging-rtl8723bs-fix-oob-write-in-ht_caps_handler.patch b/queue-6.1/staging-rtl8723bs-fix-oob-write-in-ht_caps_handler.patch
new file mode 100644 (file)
index 0000000..8a79fcc
--- /dev/null
@@ -0,0 +1,47 @@
+From f8001e1a516ba3b495728c65b61f799cbfad6bd0 Mon Sep 17 00:00:00 2001
+From: Alexandru Hossu <hossu.alexandru@gmail.com>
+Date: Fri, 22 May 2026 02:45:28 +0200
+Subject: staging: rtl8723bs: fix OOB write in HT_caps_handler()
+
+From: Alexandru Hossu <hossu.alexandru@gmail.com>
+
+commit f8001e1a516ba3b495728c65b61f799cbfad6bd0 upstream.
+
+HT_caps_handler() iterates pIE->length bytes and writes into
+HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
+HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
+802.11 AssocResponse frame and is never validated, a malicious AP can
+set it up to 255, causing up to 229 bytes of out-of-bounds writes into
+adjacent fields of struct mlme_ext_info.
+
+Truncate the iteration count to the size of HT_caps.u.HT_cap using
+umin() so that data from a longer-than-expected IE is silently ignored
+rather than written out of bounds, preserving interoperability with APs
+that pad the element. An early return on oversized IEs was considered
+but rejected: it would bypass the pmlmeinfo->HT_caps_enable = 1
+assignment that precedes the loop, silently disabling HT mode for APs
+that append extra bytes to the HT Capabilities IE.
+
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
+Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
+Link: https://patch.msgid.link/20260522004531.1038924-5-hossu.alexandru@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_wlan_util.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
++++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+@@ -979,7 +979,8 @@ void HT_caps_handler(struct adapter *pad
+       pmlmeinfo->HT_caps_enable = 1;
+-      for (i = 0; i < (pIE->length); i++) {
++      for (i = 0; i < umin(pIE->length,
++                           sizeof(pmlmeinfo->HT_caps.u.HT_cap)); i++) {
+               if (i != 2) {
+                       /* Commented by Albert 2010/07/12 */
+                       /* Got the endian issue here. */
diff --git a/queue-6.1/staging-rtl8723bs-fix-wep-length-underflow-and-oob-read-in-onauth.patch b/queue-6.1/staging-rtl8723bs-fix-wep-length-underflow-and-oob-read-in-onauth.patch
new file mode 100644 (file)
index 0000000..9e76fdf
--- /dev/null
@@ -0,0 +1,69 @@
+From a1fc19d61f661d47204f095b593de507884849f7 Mon Sep 17 00:00:00 2001
+From: Alexandru Hossu <hossu.alexandru@gmail.com>
+Date: Fri, 22 May 2026 02:46:05 +0200
+Subject: staging: rtl8723bs: fix WEP length underflow and OOB read in OnAuth()
+
+From: Alexandru Hossu <hossu.alexandru@gmail.com>
+
+commit a1fc19d61f661d47204f095b593de507884849f7 upstream.
+
+OnAuth() has two bugs in the shared-key authentication path.
+
+When the Privacy bit is set, rtw_wep_decrypt() is called without
+verifying that the frame is long enough to contain a valid WEP IV and
+ICV.  Inside rtw_wep_decrypt(), length is computed as:
+
+    length = len - WLAN_HDR_A3_LEN - iv_len
+
+and then passed as (length - 4) to crc32_le().  If len is less than
+WLAN_HDR_A3_LEN + iv_len + icv_len (32 bytes), length - 4 is negative
+and, after the implicit cast to size_t, causes crc32_le() to read far
+beyond the frame buffer.  Add a minimum length check before accessing
+the IV field and calling the decryption path.
+
+When processing a seq=3 response, rtw_get_ie() stores the Challenge
+Text IE length in ie_len, but the subsequent memcmp() always reads 128
+bytes regardless of ie_len.  IEEE 802.11 mandates a challenge text of
+exactly 128 bytes; reject any IE whose length field differs, matching
+the check already applied to OnAuthClient().
+
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
+Link: https://patch.msgid.link/20260522004605.1039209-1-hossu.alexandru@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_mlme_ext.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
++++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+@@ -697,6 +697,9 @@ unsigned int OnAuth(struct adapter *pada
+       if ((pmlmeinfo->state&0x03) != WIFI_FW_AP_STATE)
+               return _FAIL;
++      if (len < WLAN_HDR_A3_LEN)
++              return _FAIL;
++
+       sa = GetAddr2Ptr(pframe);
+       auth_mode = psecuritypriv->dot11AuthAlgrthm;
+@@ -708,6 +711,9 @@ unsigned int OnAuth(struct adapter *pada
+               prxattrib->hdrlen = WLAN_HDR_A3_LEN;
+               prxattrib->encrypt = _WEP40_;
++              if (len < WLAN_HDR_A3_LEN + 8)
++                      return _FAIL;
++
+               iv = pframe+prxattrib->hdrlen;
+               prxattrib->key_index = ((iv[3]>>6)&0x3);
+@@ -812,7 +818,7 @@ unsigned int OnAuth(struct adapter *pada
+                       p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + 4 + _AUTH_IE_OFFSET_, WLAN_EID_CHALLENGE, (int *)&ie_len,
+                                       len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_ - 4);
+-                      if (!p || ie_len <= 0) {
++                      if (!p || ie_len != 128) {
+                               status = WLAN_STATUS_CHALLENGE_FAIL;
+                               goto auth_fail;
+                       }
diff --git a/queue-6.1/staging-vme_user-bound-slave-read-write-to-the-kern_buf-size.patch b/queue-6.1/staging-vme_user-bound-slave-read-write-to-the-kern_buf-size.patch
new file mode 100644 (file)
index 0000000..95ccbef
--- /dev/null
@@ -0,0 +1,85 @@
+From 9f32f38265014fac7f5dc9490fb01a638ce6e121 Mon Sep 17 00:00:00 2001
+From: Michael Tautschnig <tautschn@amazon.com>
+Date: Thu, 18 Jun 2026 13:47:09 +0200
+Subject: staging: vme_user: bound slave read/write to the kern_buf size
+
+From: Michael Tautschnig <tautschn@amazon.com>
+
+commit 9f32f38265014fac7f5dc9490fb01a638ce6e121 upstream.
+
+The SLAVE-path helpers buffer_to_user() and buffer_from_user() copy
+'count' bytes into/out of the fixed-size kern_buf (size_buf ==
+PCI_BUF_SIZE == 0x20000, 128 KiB) using *ppos as the offset, without
+bounding *ppos + count against size_buf.
+
+vme_user_write()/vme_user_read() only clamp count to the VME window size
+(image_size = vme_get_size(resource)), which VME_SET_SLAVE sets from the
+user-supplied slave.size -- validated against the VME address space (up
+to VME_A32_MAX = 4 GiB), not against PCI_BUF_SIZE.  When the window
+exceeds 128 KiB, a write()/read() copies past the kern_buf allocation.
+
+Clamp count against size_buf in both helpers, with an early return when
+*ppos is already at/after the buffer end.  *ppos is >= 0 here (the caller
+rejects negative offsets), so size_buf - *ppos cannot wrap.  This mirrors
+the existing clamp in the MASTER-path helpers resource_to_user() /
+resource_from_user(), and matches the read()/write() convention of a
+short transfer at end-of-buffer.
+
+Found by static analysis (CodeQL taint tracking + CBMC bounded model
+checking) and confirmed dynamically under KASAN with the vme_fake bridge:
+
+  BUG: KASAN: slab-out-of-bounds in _copy_from_user+0x2d/0x80
+  Write of size 262144 at addr ffff888004100000 by task trigger/68
+    _copy_from_user+0x2d/0x80
+    vme_user_write+0x13e/0x240 [vme_user]
+    vfs_write+0x1b8/0x7a0
+    ksys_write+0xb8/0x150
+
+Fixes: f00a86d98a1e ("Staging: vme: add VME userspace driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Michael Tautschnig <tautschn@amazon.com>
+Link: https://patch.msgid.link/20260618114709.72499-1-tautschn@amazon.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/vme_user/vme_user.c |   22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/drivers/staging/vme_user/vme_user.c
++++ b/drivers/staging/vme_user/vme_user.c
+@@ -153,6 +153,17 @@ static ssize_t buffer_to_user(unsigned i
+ {
+       void *image_ptr;
++      /*
++       * The slave window (image_size) can exceed the fixed kern_buf
++       * (size_buf == PCI_BUF_SIZE), so bound the copy to kern_buf.
++       * *ppos is >= 0 here (checked by the caller), so the
++       * subtraction below cannot wrap.
++       */
++      if (*ppos >= image[minor].size_buf)
++              return 0;
++      if (count > image[minor].size_buf - *ppos)
++              count = image[minor].size_buf - *ppos;
++
+       image_ptr = image[minor].kern_buf + *ppos;
+       if (copy_to_user(buf, image_ptr, (unsigned long)count))
+               return -EFAULT;
+@@ -165,6 +176,17 @@ static ssize_t buffer_from_user(unsigned
+ {
+       void *image_ptr;
++      /*
++       * The slave window (image_size) can exceed the fixed kern_buf
++       * (size_buf == PCI_BUF_SIZE), so bound the copy to kern_buf.
++       * *ppos is >= 0 here (checked by the caller), so the
++       * subtraction below cannot wrap.
++       */
++      if (*ppos >= image[minor].size_buf)
++              return 0;
++      if (count > image[minor].size_buf - *ppos)
++              count = image[minor].size_buf - *ppos;
++
+       image_ptr = image[minor].kern_buf + *ppos;
+       if (copy_from_user(image_ptr, buf, (unsigned long)count))
+               return -EFAULT;
diff --git a/queue-6.1/staging-vme_user-fix-location-monitor-leak-in-fake-bridge.patch b/queue-6.1/staging-vme_user-fix-location-monitor-leak-in-fake-bridge.patch
new file mode 100644 (file)
index 0000000..c8da7fd
--- /dev/null
@@ -0,0 +1,62 @@
+From e8422d89e8af41d87f0e9db564be8e2634f4c602 Mon Sep 17 00:00:00 2001
+From: Hao-Qun Huang <alvinhuang0603@gmail.com>
+Date: Sat, 4 Jul 2026 14:58:15 +0800
+Subject: staging: vme_user: fix location monitor leak in fake bridge
+
+From: Hao-Qun Huang <alvinhuang0603@gmail.com>
+
+commit e8422d89e8af41d87f0e9db564be8e2634f4c602 upstream.
+
+fake_init() allocates a location monitor resource and links it into
+fake_bridge->lm_resources. The init error path frees this list, but
+fake_exit() only frees the slave and master resource lists. Loading
+and unloading the module therefore triggers a kmemleak warning:
+
+  unreferenced object 0xffff8b8b82aebe40 (size 64):
+    comm "init", pid 1, jiffies 4294894572
+    backtrace (crc c1e013ef):
+      kmemleak_alloc+0x4e/0x90
+      __kmalloc_cache_noprof+0x338/0x430
+      0xffffffffc0602246
+      do_one_initcall+0x4f/0x320
+      do_init_module+0x68/0x270
+      load_module+0x2a3b/0x2d90
+
+Free the lm_resources list in fake_exit() as well, before fake_bridge
+is freed.
+
+Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
+Cc: stable <stable@kernel.org>
+Cc: Martyn Welch <martyn@welchs.me.uk>
+Assisted-by: Claude:claude-fable-5
+Signed-off-by: Hao-Qun Huang <alvinhuang0603@gmail.com>
+Link: https://patch.msgid.link/20260704065817.403111-1-alvinhuang0603@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/vme_user/vme_fake.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/staging/vme_user/vme_fake.c
++++ b/drivers/staging/vme_user/vme_fake.c
+@@ -1253,6 +1253,7 @@ static void __exit fake_exit(void)
+ {
+       struct list_head *pos = NULL;
+       struct list_head *tmplist;
++      struct vme_lm_resource *lm;
+       struct vme_master_resource *master_image;
+       struct vme_slave_resource *slave_image;
+       int i;
+@@ -1283,6 +1284,13 @@ static void __exit fake_exit(void)
+       fake_crcsr_exit(fake_bridge);
+       /* resources are stored in link list */
++      list_for_each_safe(pos, tmplist, &fake_bridge->lm_resources) {
++              lm = list_entry(pos, struct vme_lm_resource, list);
++              list_del(pos);
++              kfree(lm);
++      }
++
++      /* resources are stored in link list */
+       list_for_each_safe(pos, tmplist, &fake_bridge->slave_resources) {
+               slave_image = list_entry(pos, struct vme_slave_resource, list);
+               list_del(pos);
diff --git a/queue-6.1/staging-vme_user-fix-location-monitor-leak-in-tsi148-bridge.patch b/queue-6.1/staging-vme_user-fix-location-monitor-leak-in-tsi148-bridge.patch
new file mode 100644 (file)
index 0000000..d26489e
--- /dev/null
@@ -0,0 +1,53 @@
+From 151edde741f8bc7f2931c5f44ab376d32b0c8beb Mon Sep 17 00:00:00 2001
+From: Hao-Qun Huang <alvinhuang0603@gmail.com>
+Date: Sat, 4 Jul 2026 14:58:16 +0800
+Subject: staging: vme_user: fix location monitor leak in tsi148 bridge
+
+From: Hao-Qun Huang <alvinhuang0603@gmail.com>
+
+commit 151edde741f8bc7f2931c5f44ab376d32b0c8beb upstream.
+
+tsi148_probe() allocates a location monitor resource and links it into
+tsi148_bridge->lm_resources. The probe error path frees this list, but
+tsi148_remove() only frees the dma, slave and master resource lists, so
+the location monitor resource is leaked on device unbind or module
+unload.
+
+Free the lm_resources list in tsi148_remove() as well, before
+tsi148_bridge is freed.
+
+Fixes: d22b8ed9a3b0 ("Staging: vme: add Tundra TSI148 VME-PCI Bridge driver")
+Cc: stable <stable@kernel.org>
+Cc: Martyn Welch <martyn@welchs.me.uk>
+Assisted-by: Claude:claude-fable-5
+Signed-off-by: Hao-Qun Huang <alvinhuang0603@gmail.com>
+Link: https://patch.msgid.link/20260704065817.403111-2-alvinhuang0603@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/vme_user/vme_tsi148.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/staging/vme_user/vme_tsi148.c
++++ b/drivers/staging/vme_user/vme_tsi148.c
+@@ -2548,6 +2548,7 @@ static void tsi148_remove(struct pci_dev
+ {
+       struct list_head *pos = NULL;
+       struct list_head *tmplist;
++      struct vme_lm_resource *lm;
+       struct vme_master_resource *master_image;
+       struct vme_slave_resource *slave_image;
+       struct vme_dma_resource *dma_ctrlr;
+@@ -2606,6 +2607,13 @@ static void tsi148_remove(struct pci_dev
+       tsi148_crcsr_exit(tsi148_bridge, pdev);
+       /* resources are stored in link list */
++      list_for_each_safe(pos, tmplist, &tsi148_bridge->lm_resources) {
++              lm = list_entry(pos, struct vme_lm_resource, list);
++              list_del(pos);
++              kfree(lm);
++      }
++
++      /* resources are stored in link list */
+       list_for_each_safe(pos, tmplist, &tsi148_bridge->dma_resources) {
+               dma_ctrlr = list_entry(pos, struct vme_dma_resource, list);
+               list_del(pos);
diff --git a/queue-6.1/tipc-fix-out-of-bounds-read-in-broadcast-gap-ack-blocks.patch b/queue-6.1/tipc-fix-out-of-bounds-read-in-broadcast-gap-ack-blocks.patch
new file mode 100644 (file)
index 0000000..8ef1c8f
--- /dev/null
@@ -0,0 +1,164 @@
+From 2b66974a1b6134a4bbc3bfed181f7418f688eb54 Mon Sep 17 00:00:00 2001
+From: Samuel Page <sam@bynar.io>
+Date: Thu, 25 Jun 2026 15:38:15 +0100
+Subject: tipc: fix out-of-bounds read in broadcast Gap ACK blocks
+
+From: Samuel Page <sam@bynar.io>
+
+commit 2b66974a1b6134a4bbc3bfed181f7418f688eb54 upstream.
+
+A broadcast PROTOCOL/STATE_MSG can carry a Gap ACK blocks record in its
+data area. tipc_get_gap_ack_blks() only verifies that the record's len
+field is self-consistent with its ugack_cnt/bgack_cnt counts
+(sz == struct_size(p, gacks, ugack_cnt + bgack_cnt)); it does not check
+that the record actually fits in the message data area, msg_data_sz().
+
+The unicast caller tipc_link_proto_rcv() bounds it ("if (glen > dlen)
+break;"), but the broadcast caller tipc_bcast_sync_rcv() discards the
+returned size, so tipc_link_advance_transmq() copies the record off the
+receive skb with an attacker-controlled count:
+
+       this_ga = kmemdup(ga, struct_size(ga, gacks, ga->bgack_cnt),
+                         GFP_ATOMIC);
+
+A TIPC neighbour that negotiated TIPC_GAP_ACK_BLOCK triggers it with one
+ordinary broadcast STATE_MSG (msg_bc_ack_invalid() clear), sized so its
+data area is short, carrying a Gap ACK record with len = 0x400,
+bgack_cnt = 0xff and ugack_cnt = 0. len then equals
+struct_size(p, gacks, 255), so the consistency check passes and ga is
+non-NULL; kmemdup() reads struct_size(ga, gacks, 255) = 1024 bytes out
+of the much smaller skb:
+
+  BUG: KASAN: slab-out-of-bounds in kmemdup_noprof+0x48/0x60
+  Read of size 1024 at addr ffff0000c7030d38 by task poc864/69
+  Call trace:
+   kmemdup_noprof+0x48/0x60
+   tipc_link_advance_transmq+0x86c/0xb80
+   tipc_link_bc_ack_rcv+0x19c/0x1e0
+   tipc_bcast_sync_rcv+0x1c4/0x2c4
+   tipc_rcv+0x85c/0x1340
+   tipc_l2_rcv_msg+0xac/0x104
+  The buggy address belongs to the object at ffff0000c7030d00
+   which belongs to the cache skbuff_small_head of size 704
+  The buggy address is located 56 bytes inside of
+   allocated 704-byte region [ffff0000c7030d00, ffff0000c7030fc0)
+
+The copied-out bytes are subsequently consumed as gap/ack values, but
+the read is already out of bounds at the kmemdup() regardless of how
+they are used.
+
+The unicast STATE path drops such a message: "if (glen > dlen) break;"
+skips the rest of STATE_MSG handling and the skb is freed. Make the
+broadcast path drop it too. tipc_bcast_sync_rcv() now bounds the record
+against msg_data_sz() and, when it does not fit, reports it back through
+tipc_node_bc_sync_rcv() to tipc_rcv() so the skb is discarded rather than
+processed. ga is not cleared on this path: ga == NULL already means
+"legacy peer without Selective ACK", a distinct legitimate state.
+
+Fixes: d7626b5acff9 ("tipc: introduce Gap ACK blocks for broadcast link")
+Cc: stable@vger.kernel.org
+Signed-off-by: Samuel Page <sam@bynar.io>
+Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
+Link: https://patch.msgid.link/20260625143815.1525412-1-sam@bynar.io
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/bcast.c |   22 ++++++++++++++--------
+ net/tipc/bcast.h |    2 +-
+ net/tipc/node.c  |   15 ++++++++++++---
+ 3 files changed, 27 insertions(+), 12 deletions(-)
+
+--- a/net/tipc/bcast.c
++++ b/net/tipc/bcast.c
+@@ -497,12 +497,13 @@ void tipc_bcast_ack_rcv(struct net *net,
+  */
+ int tipc_bcast_sync_rcv(struct net *net, struct tipc_link *l,
+                       struct tipc_msg *hdr,
+-                      struct sk_buff_head *retrq)
++                      struct sk_buff_head *retrq, bool *valid)
+ {
+       struct sk_buff_head *inputq = &tipc_bc_base(net)->inputq;
+       struct tipc_gap_ack_blks *ga;
+       struct sk_buff_head xmitq;
+       int rc = 0;
++      u16 glen;
+       __skb_queue_head_init(&xmitq);
+@@ -510,13 +511,18 @@ int tipc_bcast_sync_rcv(struct net *net,
+       if (msg_type(hdr) != STATE_MSG) {
+               tipc_link_bc_init_rcv(l, hdr);
+       } else if (!msg_bc_ack_invalid(hdr)) {
+-              tipc_get_gap_ack_blks(&ga, l, hdr, false);
+-              if (!sysctl_tipc_bc_retruni)
+-                      retrq = &xmitq;
+-              rc = tipc_link_bc_ack_rcv(l, msg_bcast_ack(hdr),
+-                                        msg_bc_gap(hdr), ga, &xmitq,
+-                                        retrq);
+-              rc |= tipc_link_bc_sync_rcv(l, hdr, &xmitq);
++              glen = tipc_get_gap_ack_blks(&ga, l, hdr, false);
++              if (glen > msg_data_sz(hdr)) {
++                      /* Malformed Gap ACK blocks; caller drops the msg */
++                      *valid = false;
++              } else {
++                      if (!sysctl_tipc_bc_retruni)
++                              retrq = &xmitq;
++                      rc = tipc_link_bc_ack_rcv(l, msg_bcast_ack(hdr),
++                                                msg_bc_gap(hdr), ga, &xmitq,
++                                                retrq);
++                      rc |= tipc_link_bc_sync_rcv(l, hdr, &xmitq);
++              }
+       }
+       tipc_bcast_unlock(net);
+--- a/net/tipc/bcast.h
++++ b/net/tipc/bcast.h
+@@ -97,7 +97,7 @@ void tipc_bcast_ack_rcv(struct net *net,
+                       struct tipc_msg *hdr);
+ int tipc_bcast_sync_rcv(struct net *net, struct tipc_link *l,
+                       struct tipc_msg *hdr,
+-                      struct sk_buff_head *retrq);
++                      struct sk_buff_head *retrq, bool *valid);
+ int tipc_nl_add_bc_link(struct net *net, struct tipc_nl_msg *msg,
+                       struct tipc_link *bcl);
+ int tipc_nl_bc_link_set(struct net *net, struct nlattr *attrs[]);
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -1833,12 +1833,15 @@ static void tipc_node_mcast_rcv(struct t
+ }
+ static void tipc_node_bc_sync_rcv(struct tipc_node *n, struct tipc_msg *hdr,
+-                                int bearer_id, struct sk_buff_head *xmitq)
++                                int bearer_id, struct sk_buff_head *xmitq,
++                                bool *valid)
+ {
+       struct tipc_link *ucl;
+       int rc;
+-      rc = tipc_bcast_sync_rcv(n->net, n->bc_entry.link, hdr, xmitq);
++      rc = tipc_bcast_sync_rcv(n->net, n->bc_entry.link, hdr, xmitq, valid);
++      if (!*valid)
++              return;
+       if (rc & TIPC_LINK_DOWN_EVT) {
+               tipc_node_reset_links(n);
+@@ -2142,12 +2145,18 @@ rcv:
+       /* Ensure broadcast reception is in synch with peer's send state */
+       if (unlikely(usr == LINK_PROTOCOL)) {
++              bool valid = true;
++
+               if (unlikely(skb_linearize(skb))) {
+                       tipc_node_put(n);
+                       goto discard;
+               }
+               hdr = buf_msg(skb);
+-              tipc_node_bc_sync_rcv(n, hdr, bearer_id, &xmitq);
++              tipc_node_bc_sync_rcv(n, hdr, bearer_id, &xmitq, &valid);
++              if (!valid) {
++                      tipc_node_put(n);
++                      goto discard;
++              }
+       } else if (unlikely(tipc_link_acked(n->bc_entry.link) != bc_ack)) {
+               tipc_bcast_ack_rcv(net, n->bc_entry.link, hdr);
+       }
diff --git a/queue-6.1/usb-chaoskey-fix-slab-use-after-free-in-chaoskey_release.patch b/queue-6.1/usb-chaoskey-fix-slab-use-after-free-in-chaoskey_release.patch
new file mode 100644 (file)
index 0000000..7482266
--- /dev/null
@@ -0,0 +1,65 @@
+From abf76d3239dee97b66e7241ad04811f1ce562e28 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 9 Jun 2026 13:37:36 -0400
+Subject: USB: chaoskey: Fix slab-use-after-free in chaoskey_release()
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit abf76d3239dee97b66e7241ad04811f1ce562e28 upstream.
+
+The chaoskey driver has a use-after-free bug in its release routine.
+If the user closes the device file after the USB device has been
+unplugged, a debugging log statement will try to access the
+usb_interface structure after it has been deallocated:
+
+       BUG: KASAN: slab-use-after-free in dev_driver_string (drivers/base/core.c:2406)
+       Read of size 8 at addr ffff888168e8a0b8 by task chaoskey_raw_re/10106
+
+       Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+       Call Trace:
+        <TASK>
+        dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
+        print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
+        kasan_report (mm/kasan/report.c:595)
+        dev_driver_string (drivers/base/core.c:2406)
+        __dynamic_dev_dbg (lib/dynamic_debug.c:906)
+        chaoskey_release (drivers/usb/misc/chaoskey.c:323)
+        __fput (fs/file_table.c:510)
+        fput_close_sync (fs/file_table.c:615)
+        __x64_sys_close (fs/open.c:1507 fs/open.c:1492 fs/open.c:1492)
+        do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
+        entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
+
+The driver's last reference to the interface structure is dropped in
+the chaoskey_free() routine, so the code must not use the interface --
+even in a debugging statement -- after that routine returns.
+(Exception: If we know that another reference is held by someone else,
+such as the device core while the disconnect routine runs, there's no
+problem.  Thanks to Johan Hovold for pointing this out.)
+
+Since the bad access is part of an unimportant debugging statement,
+we can fix the problem simply by removing the whole statement.
+
+Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
+Closes: https://lore.kernel.org/linux-usb/20EC9664-054E-438B-B411-2145D347F97B@gmail.com/
+Tested-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Fixes: 66e3e591891d ("usb: Add driver for Altus Metrum ChaosKey device (v2)")
+Cc: stable <stable@kernel.org>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/bb5b1dc6-eb59-43e1-8d26-51e658e88bbe@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/misc/chaoskey.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/misc/chaoskey.c
++++ b/drivers/usb/misc/chaoskey.c
+@@ -321,7 +321,6 @@ bail:
+       mutex_unlock(&dev->lock);
+ destruction:
+       mutex_unlock(&chaoskey_list_lock);
+-      usb_dbg(interface, "release success");
+       return rv;
+ }
diff --git a/queue-6.1/usb-dwc3-run-gadget-disconnect-from-sleepable-suspend-context.patch b/queue-6.1/usb-dwc3-run-gadget-disconnect-from-sleepable-suspend-context.patch
new file mode 100644 (file)
index 0000000..14f4c35
--- /dev/null
@@ -0,0 +1,113 @@
+From 010382937fb69892b3469ac4d30af072262f59e8 Mon Sep 17 00:00:00 2001
+From: Runyu Xiao <runyu.xiao@seu.edu.cn>
+Date: Fri, 12 Jun 2026 13:20:05 +0800
+Subject: usb: dwc3: run gadget disconnect from sleepable suspend context
+
+From: Runyu Xiao <runyu.xiao@seu.edu.cn>
+
+commit 010382937fb69892b3469ac4d30af072262f59e8 upstream.
+
+dwc3_gadget_suspend() takes dwc->lock with IRQs disabled and then calls
+dwc3_disconnect_gadget().  For async callbacks that helper only uses
+plain spin_unlock()/spin_lock(), so the gadget ->disconnect() callback
+still runs with IRQs disabled and any sleepable callback trips Lockdep.
+
+This issue was found by our static analysis tool and then manually
+reviewed against the current tree.
+
+The grounded PoC kept the dwc3_gadget_suspend() ->
+dwc3_disconnect_gadget() -> gadget_driver->disconnect() chain, and
+Lockdep reported:
+
+  BUG: sleeping function called from invalid context
+  gadget_disconnect+0x21/0x39 [vuln_msv]
+  dwc3_gadget_suspend.constprop.0+0x2b/0x42 [vuln_msv]
+
+Keep the disconnect callback selection in one common helper, but add a
+sleepable suspend-side wrapper which snapshots the callback under
+dwc->lock and then runs it after spin_unlock_irqrestore().  The regular
+event path still uses the existing spin_unlock()/spin_lock() window.
+
+Fixes: c8540870af4c ("usb: dwc3: gadget: Improve dwc3_gadget_suspend() and dwc3_gadget_resume()")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://patch.msgid.link/20260612052005.3849659-1-runyu.xiao@seu.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/gadget.c |   43 ++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 36 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -3784,15 +3784,48 @@ static void dwc3_endpoint_interrupt(stru
+       }
+ }
++static bool dwc3_prepare_disconnect_gadget(struct dwc3 *dwc,
++                                         struct usb_gadget_driver **driver,
++                                         struct usb_gadget **gadget)
++{
++      if (!dwc->async_callbacks || !dwc->gadget_driver ||
++          !dwc->gadget_driver->disconnect)
++              return false;
++
++      *driver = dwc->gadget_driver;
++      *gadget = dwc->gadget;
++
++      return true;
++}
++
+ static void dwc3_disconnect_gadget(struct dwc3 *dwc)
+ {
+-      if (dwc->async_callbacks && dwc->gadget_driver->disconnect) {
++      struct usb_gadget_driver *driver;
++      struct usb_gadget *gadget;
++
++      if (dwc3_prepare_disconnect_gadget(dwc, &driver, &gadget)) {
+               spin_unlock(&dwc->lock);
+-              dwc->gadget_driver->disconnect(dwc->gadget);
++              driver->disconnect(gadget);
+               spin_lock(&dwc->lock);
+       }
+ }
++static void dwc3_disconnect_gadget_sleepable(struct dwc3 *dwc)
++{
++      struct usb_gadget_driver *driver;
++      struct usb_gadget *gadget;
++      unsigned long flags;
++
++      spin_lock_irqsave(&dwc->lock, flags);
++      if (!dwc3_prepare_disconnect_gadget(dwc, &driver, &gadget)) {
++              spin_unlock_irqrestore(&dwc->lock, flags);
++              return;
++      }
++
++      spin_unlock_irqrestore(&dwc->lock, flags);
++      driver->disconnect(gadget);
++}
++
+ static void dwc3_suspend_gadget(struct dwc3 *dwc)
+ {
+       if (dwc->async_callbacks && dwc->gadget_driver->suspend) {
+@@ -4659,7 +4692,6 @@ void dwc3_gadget_exit(struct dwc3 *dwc)
+ int dwc3_gadget_suspend(struct dwc3 *dwc)
+ {
+-      unsigned long flags;
+       int ret;
+       ret = dwc3_gadget_soft_disconnect(dwc);
+@@ -4673,10 +4705,7 @@ int dwc3_gadget_suspend(struct dwc3 *dwc
+               return -EAGAIN;
+       }
+-      spin_lock_irqsave(&dwc->lock, flags);
+-      if (dwc->gadget_driver)
+-              dwc3_disconnect_gadget(dwc);
+-      spin_unlock_irqrestore(&dwc->lock, flags);
++      dwc3_disconnect_gadget_sleepable(dwc);
+       return 0;
+ }
diff --git a/queue-6.1/virtio-mmio-fix-device-release-warning-on-module-unload.patch b/queue-6.1/virtio-mmio-fix-device-release-warning-on-module-unload.patch
new file mode 100644 (file)
index 0000000..dc222b6
--- /dev/null
@@ -0,0 +1,103 @@
+From c687bc35694698ec4c7f92bf929c3d659f0cecb8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 27 Apr 2026 16:37:10 +0200
+Subject: virtio-mmio: fix device release warning on module unload
+
+From: Johan Hovold <johan@kernel.org>
+
+commit c687bc35694698ec4c7f92bf929c3d659f0cecb8 upstream.
+
+Driver core expects devices to be allocated dynamically and complains
+loudly when a device that lacks a release function is freed.
+
+Use __root_device_register() to allocate and register the root device
+instead of open coding using a static device.
+
+Note that root_device_register(), which also creates a link to the
+module, cannot be used as the device is registered when parsing the
+module parameters which happens before the module kobject has been set
+up.
+
+Fixes: 81a054ce0b46 ("virtio-mmio: Devices parameter parsing")
+Cc: stable@vger.kernel.org     # 3.5
+Cc: Pawel Moll <pawel.moll@arm.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Message-ID: <20260427143710.14702-1-johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/virtio/virtio_mmio.c |   26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+--- a/drivers/virtio/virtio_mmio.c
++++ b/drivers/virtio/virtio_mmio.c
+@@ -693,9 +693,7 @@ static int virtio_mmio_remove(struct pla
+ #if defined(CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES)
+-static struct device vm_cmdline_parent = {
+-      .init_name = "virtio-mmio-cmdline",
+-};
++static struct device *vm_cmdline_parent;
+ static int vm_cmdline_parent_registered;
+ static int vm_cmdline_id;
+@@ -703,7 +701,6 @@ static int vm_cmdline_id;
+ static int vm_cmdline_set(const char *device,
+               const struct kernel_param *kp)
+ {
+-      int err;
+       struct resource resources[2] = {};
+       char *str;
+       long long base, size;
+@@ -735,11 +732,10 @@ static int vm_cmdline_set(const char *de
+       resources[1].start = resources[1].end = irq;
+       if (!vm_cmdline_parent_registered) {
+-              err = device_register(&vm_cmdline_parent);
+-              if (err) {
+-                      put_device(&vm_cmdline_parent);
++              vm_cmdline_parent = __root_device_register("virtio-mmio-cmdline", NULL);
++              if (IS_ERR(vm_cmdline_parent)) {
+                       pr_err("Failed to register parent device!\n");
+-                      return err;
++                      return PTR_ERR(vm_cmdline_parent);
+               }
+               vm_cmdline_parent_registered = 1;
+       }
+@@ -750,7 +746,7 @@ static int vm_cmdline_set(const char *de
+                      (unsigned long long)resources[0].end,
+                      (int)resources[1].start);
+-      pdev = platform_device_register_resndata(&vm_cmdline_parent,
++      pdev = platform_device_register_resndata(vm_cmdline_parent,
+                       "virtio-mmio", vm_cmdline_id++,
+                       resources, ARRAY_SIZE(resources), NULL, 0);
+@@ -774,8 +770,12 @@ static int vm_cmdline_get_device(struct
+ static int vm_cmdline_get(char *buffer, const struct kernel_param *kp)
+ {
+       buffer[0] = '\0';
+-      device_for_each_child(&vm_cmdline_parent, buffer,
+-                      vm_cmdline_get_device);
++
++      if (vm_cmdline_parent_registered) {
++              device_for_each_child(vm_cmdline_parent, buffer,
++                              vm_cmdline_get_device);
++      }
++
+       return strlen(buffer) + 1;
+ }
+@@ -797,9 +797,9 @@ static int vm_unregister_cmdline_device(
+ static void vm_unregister_cmdline_devices(void)
+ {
+       if (vm_cmdline_parent_registered) {
+-              device_for_each_child(&vm_cmdline_parent, NULL,
++              device_for_each_child(vm_cmdline_parent, NULL,
+                               vm_unregister_cmdline_device);
+-              device_unregister(&vm_cmdline_parent);
++              root_device_unregister(vm_cmdline_parent);
+               vm_cmdline_parent_registered = 0;
+       }
+ }