--- /dev/null
+From e8785404de06a69d89dcdd1e9a0b6ea42dc6d327 Mon Sep 17 00:00:00 2001
+From: Pauli Virtanen <pav@iki.fi>
+Date: Fri, 3 Oct 2025 22:07:32 +0300
+Subject: Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete
+
+From: Pauli Virtanen <pav@iki.fi>
+
+commit e8785404de06a69d89dcdd1e9a0b6ea42dc6d327 upstream.
+
+There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to
+memcpy from badly declared on-stack flexible array.
+
+Another crash is in set_mesh_complete() due to double list_del via
+mgmt_pending_valid + mgmt_pending_remove.
+
+Use DEFINE_FLEX to declare the flexible array right, and don't memcpy
+outside bounds.
+
+As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free,
+and also report status on error.
+
+Fixes: 302a1f674c00d ("Bluetooth: MGMT: Fix possible UAFs")
+Signed-off-by: Pauli Virtanen <pav@iki.fi>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/bluetooth/mgmt.h | 2 +-
+ net/bluetooth/mgmt.c | 26 +++++++++++++++-----------
+ 2 files changed, 16 insertions(+), 12 deletions(-)
+
+--- a/include/net/bluetooth/mgmt.h
++++ b/include/net/bluetooth/mgmt.h
+@@ -847,7 +847,7 @@ struct mgmt_cp_set_mesh {
+ __le16 window;
+ __le16 period;
+ __u8 num_ad_types;
+- __u8 ad_types[];
++ __u8 ad_types[] __counted_by(num_ad_types);
+ } __packed;
+ #define MGMT_SET_MESH_RECEIVER_SIZE 6
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -2170,19 +2170,24 @@ static void set_mesh_complete(struct hci
+ sk = cmd->sk;
+
+ if (status) {
++ mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
++ status);
+ mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true,
+ cmd_status_rsp, &status);
+- return;
++ goto done;
+ }
+
+- mgmt_pending_remove(cmd);
+ mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER, 0, NULL, 0);
++
++done:
++ mgmt_pending_free(cmd);
+ }
+
+ static int set_mesh_sync(struct hci_dev *hdev, void *data)
+ {
+ struct mgmt_pending_cmd *cmd = data;
+- struct mgmt_cp_set_mesh cp;
++ DEFINE_FLEX(struct mgmt_cp_set_mesh, cp, ad_types, num_ad_types,
++ sizeof(hdev->mesh_ad_types));
+ size_t len;
+
+ mutex_lock(&hdev->mgmt_pending_lock);
+@@ -2192,27 +2197,26 @@ static int set_mesh_sync(struct hci_dev
+ return -ECANCELED;
+ }
+
+- memcpy(&cp, cmd->param, sizeof(cp));
++ len = cmd->param_len;
++ memcpy(cp, cmd->param, min(__struct_size(cp), len));
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
+
+- len = cmd->param_len;
+-
+ memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types));
+
+- if (cp.enable)
++ if (cp->enable)
+ hci_dev_set_flag(hdev, HCI_MESH);
+ else
+ hci_dev_clear_flag(hdev, HCI_MESH);
+
+- hdev->le_scan_interval = __le16_to_cpu(cp.period);
+- hdev->le_scan_window = __le16_to_cpu(cp.window);
++ hdev->le_scan_interval = __le16_to_cpu(cp->period);
++ hdev->le_scan_window = __le16_to_cpu(cp->window);
+
+- len -= sizeof(cp);
++ len -= sizeof(struct mgmt_cp_set_mesh);
+
+ /* If filters don't fit, forward all adv pkts */
+ if (len <= sizeof(hdev->mesh_ad_types))
+- memcpy(hdev->mesh_ad_types, cp.ad_types, len);
++ memcpy(hdev->mesh_ad_types, cp->ad_types, len);
+
+ hci_update_passive_scan_sync(hdev);
+ return 0;
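Review bot: The final `memcpy(hdev->mesh_ad_types, cp->ad_types, len)` copies a byte count derived from `cmd->param_len`, but the first memcpy in the hunk has just overwritten `cp->num_ad_types` with whatever userspace supplied, and the header hunk now annotates `ad_types[]` with `__counted_by(num_ad_types)`; on a FORTIFY_SOURCE or UBSAN-bounds build that counter, not `len`, sizes `cp->ad_types`, so a command whose `num_ad_types` is smaller than its trailing payload can presumably trigger a bounds report (warn or trap depending on config) on an otherwise in-bounds copy instead of being rejected. Unless set_mesh() already requires the two to agree before queuing the command (not visible here), tie them together after `len -= sizeof(struct mgmt_cp_set_mesh);`, e.g. `if (len != cp->num_ad_types) return -EINVAL;`, which the reworked set_mesh_complete() would then report as a status. That subtraction also relies on the command dispatcher enforcing the 6-byte minimum (`MGMT_SET_MESH_RECEIVER_SIZE` in the header hunk) so that `len` cannot wrap; a one-line comment saying so would help the next reader. set_mesh_sync()'s closing brace and the start of set_mesh_complete() lie outside the hunks.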
--- /dev/null
+From f0d0277796db613c124206544b6dbe95b520ab6c Mon Sep 17 00:00:00 2001
+From: John Sperbeck <jsperbeck@google.com>
+Date: Mon, 13 Jan 2025 17:13:54 -0800
+Subject: net: netpoll: ensure skb_pool list is always initialized
+
+From: John Sperbeck <jsperbeck@google.com>
+
+commit f0d0277796db613c124206544b6dbe95b520ab6c upstream.
+
+When __netpoll_setup() is called directly, instead of through
+netpoll_setup(), the np->skb_pool list head isn't initialized.
+If skb_pool_flush() is later called, then we hit a NULL pointer
+in skb_queue_purge_reason(). This can be seen with this repro,
+when CONFIG_NETCONSOLE is enabled as a module:
+
+ ip tuntap add mode tap tap0
+ ip link add name br0 type bridge
+ ip link set dev tap0 master br0
+ modprobe netconsole netconsole=4444@10.0.0.1/br0,9353@10.0.0.2/
+ rmmod netconsole
+
+The backtrace is:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000008
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ ... ... ...
+ Call Trace:
+ <TASK>
+ __netpoll_free+0xa5/0xf0
+ br_netpoll_cleanup+0x43/0x50 [bridge]
+ do_netpoll_cleanup+0x43/0xc0
+ netconsole_netdev_event+0x1e3/0x300 [netconsole]
+ unregister_netdevice_notifier+0xd9/0x150
+ cleanup_module+0x45/0x920 [netconsole]
+ __se_sys_delete_module+0x205/0x290
+ do_syscall_64+0x70/0x150
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Move the skb_pool list setup and initial skb fill into __netpoll_setup().
+
+Fixes: 221a9c1df790 ("net: netpoll: Individualize the skb pool")
+Signed-off-by: John Sperbeck <jsperbeck@google.com>
+Reviewed-by: Breno Leitao <leitao@debian.org>
+Link: https://patch.msgid.link/20250114011354.2096812-1-jsperbeck@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/netpoll.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/core/netpoll.c
++++ b/net/core/netpoll.c
+@@ -632,6 +632,8 @@ int __netpoll_setup(struct netpoll *np,
+ const struct net_device_ops *ops;
+ int err;
+
++ skb_queue_head_init(&np->skb_pool);
++
+ if (ndev->priv_flags & IFF_DISABLE_NETPOLL) {
+ np_err(np, "%s doesn't support polling, aborting\n",
+ ndev->name);
+@@ -667,6 +669,9 @@ int __netpoll_setup(struct netpoll *np,
+ strscpy(np->dev_name, ndev->name, IFNAMSIZ);
+ npinfo->netpoll = np;
+
++ /* fill up the skb queue */
++ refill_skbs(np);
++
+ /* last thing to do is link it to the net device structure */
+ rcu_assign_pointer(ndev->npinfo, npinfo);
+
+@@ -686,8 +691,6 @@ int netpoll_setup(struct netpoll *np)
+ struct in_device *in_dev;
+ int err;
+
+- skb_queue_head_init(&np->skb_pool);
+-
+ rtnl_lock();
+ if (np->dev_name[0]) {
+ struct net *net = current->nsproxy->net_ns;
+@@ -787,9 +790,6 @@ put_noaddr:
+ }
+ }
+
+- /* fill up the skb queue */
+- refill_skbs(np);
+-
+ err = __netpoll_setup(np, ndev);
+ if (err)
+ goto flush;
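Review bot: The new `skb_queue_head_init(&np->skb_pool);` at the top of __netpoll_setup() carries no comment, although its placement is the whole fix: the commit message says __netpoll_setup() is also called directly (the trace shows br_netpoll_cleanup()), so a caller bypassing netpoll_setup() would otherwise reach skb_pool_flush() with an uninitialised list. A one-line comment such as `/* Init here, not in netpoll_setup(): __netpoll_setup() is also called directly */` would keep a later refactor from moving it back. It would also help to note at the moved `refill_skbs(np)` call that it deliberately sits just before the `rcu_assign_pointer()`, since nothing after that point appears able to fail (inferred from the surrounding "last thing to do" comment; the rest of the function is not visible). Both __netpoll_setup() and netpoll_setup() start and end outside the hunks.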
--- /dev/null
+From c0e1b774f68bdbea1618e356e30672c7f1e32509 Mon Sep 17 00:00:00 2001
+From: Jialin Wang <wjl.linux@gmail.com>
+Date: Fri, 8 Aug 2025 00:54:55 +0800
+Subject: proc: proc_maps_open allow proc_mem_open to return NULL
+
+From: Jialin Wang <wjl.linux@gmail.com>
+
+commit c0e1b774f68bdbea1618e356e30672c7f1e32509 upstream.
+
+The commit 65c66047259f ("proc: fix the issue of proc_mem_open returning
+NULL") caused proc_maps_open() to return -ESRCH when proc_mem_open()
+returns NULL. This breaks legitimate /proc/<pid>/maps access for kernel
+threads since kernel threads have NULL mm_struct.
+
+The regression causes perf to fail and exit when profiling a kernel
+thread:
+
+ # perf record -v -g -p $(pgrep kswapd0)
+ ...
+ couldn't open /proc/65/task/65/maps
+
+This patch partially reverts the commit to fix it.
+
+Link: https://lkml.kernel.org/r/20250807165455.73656-1-wjl.linux@gmail.com
+Fixes: 65c66047259f ("proc: fix the issue of proc_mem_open returning NULL")
+Signed-off-by: Jialin Wang <wjl.linux@gmail.com>
+Cc: Penglei Jiang <superman.xpt@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/task_mmu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -212,8 +212,8 @@ static int proc_maps_open(struct inode *
+
+ priv->inode = inode;
+ priv->mm = proc_mem_open(inode, PTRACE_MODE_READ);
+- if (IS_ERR_OR_NULL(priv->mm)) {
+- int err = priv->mm ? PTR_ERR(priv->mm) : -ESRCH;
++ if (IS_ERR(priv->mm)) {
++ int err = PTR_ERR(priv->mm);
+
+ seq_release_private(inode, file);
+ return err;
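Review bot: After this change a NULL `priv->mm` from proc_mem_open() falls through and is stored, so every later reader of `priv->mm` must treat NULL as "no address space" rather than an error, yet the hunk gives no hint of that, and the next person to see `IS_ERR()` where `IS_ERR_OR_NULL()` looks expected may well "fix" it back into the regression this patch reverts. A short comment above the check would pin it down: `/* NULL mm (kernel thread) is not an error here; readers of priv->mm must tolerate it */`. The commit message calls this a partial revert of 65c66047259f, so the other sites that commit touched presumably keep their -ESRCH behaviour; it is worth confirming none of them is reachable for kernel threads in the same way. proc_maps_open() starts outside the hunk.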
mm-huge_memory-preserve-pg_has_hwpoisoned-if-a-folio-is-split-to-0-order.patch
isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch
net-phy-micrel-fix-lan8814_config_init.patch
+net-netpoll-ensure-skb_pool-list-is-always-initialized.patch
+proc-proc_maps_open-allow-proc_mem_open-to-return-null.patch
+bluetooth-mgmt-fix-crash-in-set_mesh_sync-and-set_mesh_complete.patch