6.12-stable patches

added patches:
	squashfs-fix-uninit-value-in-squashfs_get_parent.patch
	tpm-disable-tpm2_tcg_hmac-by-default.patch

diff --git a/queue-6.12/series b/queue-6.12/series
index 3b42b893cb318b016204401d43340b373503cbff..d31c0a122bef36774ed7d06a403d8e6d6c2deb98 100644 (file)
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -222,3 +222,5 @@ smb-client-fix-crypto-buffers-in-non-linear-memory.patch
 revert-net-mlx5e-update-and-set-xon-xoff-upon-mtu-se.patch
 vhost-vringh-modify-the-return-value-check.patch
 bpf-reject-negative-offsets-for-alu-ops.patch
+tpm-disable-tpm2_tcg_hmac-by-default.patch
+squashfs-fix-uninit-value-in-squashfs_get_parent.patch

diff --git a/queue-6.12/squashfs-fix-uninit-value-in-squashfs_get_parent.patch b/queue-6.12/squashfs-fix-uninit-value-in-squashfs_get_parent.patch
new file mode 100644 (file)
index 0000000..af4b772
--- /dev/null
+++ b/queue-6.12/squashfs-fix-uninit-value-in-squashfs_get_parent.patch
@@ -0,0 +1,119 @@
+From 74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Fri, 19 Sep 2025 00:33:08 +0100
+Subject: Squashfs: fix uninit-value in squashfs_get_parent
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+commit 74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf upstream.
+
+Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug.
+
+This is caused by open_by_handle_at() being called with a file handle
+containing an invalid parent inode number.  In particular the inode number
+is that of a symbolic link, rather than a directory.
+
+Squashfs_get_parent() gets called with that symbolic link inode, and
+accesses the parent member field.
+
+       unsigned int parent_ino = squashfs_i(inode)->parent;
+
+Because non-directory inodes in Squashfs do not have a parent value, this
+is uninitialised, and this causes an uninitialised value access.
+
+The fix is to initialise parent with the invalid inode 0, which will cause
+an EINVAL error to be returned.
+
+Regular inodes used to share the parent field with the block_list_start
+field.  This is removed in this commit to enable the parent field to
+contain the invalid inode number 0.
+
+Link: https://lkml.kernel.org/r/20250918233308.293861-1-phillip@squashfs.org.uk
+Fixes: 122601408d20 ("Squashfs: export operations")
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Reported-by: syzbot+157bdef5cf596ad0da2c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68cc2431.050a0220.139b6.0001.GAE@google.com/
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/squashfs/inode.c         |    7 +++++++
+ fs/squashfs/squashfs_fs_i.h |    2 +-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/squashfs/inode.c
++++ b/fs/squashfs/inode.c
+@@ -165,6 +165,7 @@ int squashfs_read_inode(struct inode *in
+               squashfs_i(inode)->start = le32_to_cpu(sqsh_ino->start_block);
+               squashfs_i(inode)->block_list_start = block;
+               squashfs_i(inode)->offset = offset;
++              squashfs_i(inode)->parent = 0;
+               inode->i_data.a_ops = &squashfs_aops;
+ 
+               TRACE("File inode %x:%x, start_block %llx, block_list_start "
+@@ -212,6 +213,7 @@ int squashfs_read_inode(struct inode *in
+               squashfs_i(inode)->start = le64_to_cpu(sqsh_ino->start_block);
+               squashfs_i(inode)->block_list_start = block;
+               squashfs_i(inode)->offset = offset;
++              squashfs_i(inode)->parent = 0;
+               inode->i_data.a_ops = &squashfs_aops;
+ 
+               TRACE("File inode %x:%x, start_block %llx, block_list_start "
+@@ -292,6 +294,7 @@ int squashfs_read_inode(struct inode *in
+               inode->i_mode |= S_IFLNK;
+               squashfs_i(inode)->start = block;
+               squashfs_i(inode)->offset = offset;
++              squashfs_i(inode)->parent = 0;
+ 
+               if (type == SQUASHFS_LSYMLINK_TYPE) {
+                       __le32 xattr;
+@@ -329,6 +332,7 @@ int squashfs_read_inode(struct inode *in
+               set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               rdev = le32_to_cpu(sqsh_ino->rdev);
+               init_special_inode(inode, inode->i_mode, new_decode_dev(rdev));
++              squashfs_i(inode)->parent = 0;
+ 
+               TRACE("Device inode %x:%x, rdev %x\n",
+                               SQUASHFS_INODE_BLK(ino), offset, rdev);
+@@ -353,6 +357,7 @@ int squashfs_read_inode(struct inode *in
+               set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               rdev = le32_to_cpu(sqsh_ino->rdev);
+               init_special_inode(inode, inode->i_mode, new_decode_dev(rdev));
++              squashfs_i(inode)->parent = 0;
+ 
+               TRACE("Device inode %x:%x, rdev %x\n",
+                               SQUASHFS_INODE_BLK(ino), offset, rdev);
+@@ -373,6 +378,7 @@ int squashfs_read_inode(struct inode *in
+                       inode->i_mode |= S_IFSOCK;
+               set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               init_special_inode(inode, inode->i_mode, 0);
++              squashfs_i(inode)->parent = 0;
+               break;
+       }
+       case SQUASHFS_LFIFO_TYPE:
+@@ -392,6 +398,7 @@ int squashfs_read_inode(struct inode *in
+               inode->i_op = &squashfs_inode_ops;
+               set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               init_special_inode(inode, inode->i_mode, 0);
++              squashfs_i(inode)->parent = 0;
+               break;
+       }
+       default:
+--- a/fs/squashfs/squashfs_fs_i.h
++++ b/fs/squashfs/squashfs_fs_i.h
+@@ -16,6 +16,7 @@ struct squashfs_inode_info {
+       u64             xattr;
+       unsigned int    xattr_size;
+       int             xattr_count;
++      int             parent;
+       union {
+               struct {
+                       u64             fragment_block;
+@@ -27,7 +28,6 @@ struct squashfs_inode_info {
+                       u64             dir_idx_start;
+                       int             dir_idx_offset;
+                       int             dir_idx_cnt;
+-                      int             parent;
+               };
+       };
+       struct inode    vfs_inode;

diff --git a/queue-6.12/tpm-disable-tpm2_tcg_hmac-by-default.patch b/queue-6.12/tpm-disable-tpm2_tcg_hmac-by-default.patch
new file mode 100644 (file)
index 0000000..75b8bae
--- /dev/null
+++ b/queue-6.12/tpm-disable-tpm2_tcg_hmac-by-default.patch
@@ -0,0 +1,50 @@
+From 4bddf4587c131d7b8ce8952cd32b284dcda0dd1f Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko@kernel.org>
+Date: Mon, 25 Aug 2025 23:32:23 +0300
+Subject: tpm: Disable TPM2_TCG_HMAC by default
+
+From: Jarkko Sakkinen <jarkko@kernel.org>
+
+commit 4bddf4587c131d7b8ce8952cd32b284dcda0dd1f upstream.
+
+After reading all the feedback, right now disabling the TPM2_TCG_HMAC
+is the right call.
+
+Other views discussed:
+
+A. Having a kernel command-line parameter or refining the feature
+   otherwise. This goes to the area of improvements.  E.g., one
+   example is my own idea where the null key specific code would be
+   replaced with a persistent handle parameter (which can be
+   *unambigously* defined as part of attestation process when
+   done correctly).
+
+B. Removing the code. I don't buy this because that is same as saying
+   that HMAC encryption cannot work at all (if really nitpicking) in
+   any form. Also I disagree on the view that the feature could not
+   be refined to something more reasoable.
+
+Also, both A and B are worst options in terms of backporting.
+
+Thuss, this is the best possible choice.
+
+Cc: stable@vger.kernel.or # v6.10+
+Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation")
+Suggested-by: Chris Fenner <cfenn@google.com>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/Kconfig |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/Kconfig
++++ b/drivers/char/tpm/Kconfig
+@@ -29,7 +29,7 @@ if TCG_TPM
+ 
+ config TCG_TPM2_HMAC
+       bool "Use HMAC and encrypted transactions on the TPM bus"
+-      default X86_64
++      default n
+       select CRYPTO_ECDH
+       select CRYPTO_LIB_AESCFB
+       select CRYPTO_LIB_SHA256